--- Day changed Wed Jan 01 2014
00:00 -!- tfox [~tfox@199.167.138.130] has joined #openvpn
00:02 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
00:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
00:09 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has quit [Ping timeout: 272 seconds]
00:09 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
00:23 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
00:24 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
00:36 -!- JSharpe [~JSharpe@176.249.43.93] has quit [Ping timeout: 240 seconds]
00:44 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
00:53 -!- tfox [~tfox@199.167.138.130] has quit [Quit: tfox]
00:55 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
00:56 -!- takamichi [~takamichi@85.12.8.13] has quit [Client Quit]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:28 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
01:28 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
01:30 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
01:55 < able> anyone sitting on a great guide for handling routes pushed by a server through route.noexec and scripts?
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
02:22 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
02:24 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
03:02 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
03:14 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 245 seconds]
03:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:43 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
03:50 -!- jigglypuff is now known as lbft
03:51 -!- lbft is now known as ibft
03:51 -!- ibft is now known as lbft
04:12 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:34 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
04:56 -!- pepijndevos [~pepijndev@2a00:dcc0:eda:3754:247:55:9194:8ed6] has joined #openvpn
04:57 -!- JackSummer [~jack@241.Red-79-154-47.dynamicIP.rima-tde.net] has joined #openvpn
05:05 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
05:06 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
05:07 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
05:24 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
05:26 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
05:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
05:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:34 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
06:35 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
06:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
06:57 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
06:59 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
07:15 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
07:23 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:22 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
08:34 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
08:35 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
08:38 -!- smerz [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
09:02 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
09:08 -!- acidicx [~acidicx@ip-176-199-140-255.unitymediagroup.de] has joined #openvpn
09:12 < acidicx> Hi everyone, I've got a question regarding an openvpn server on openwrt 12.09 (openvpn 2.2.2). My config seems to be fine (at least no typos), the openvpn deamon is running, but it won't open port 1194 (openvpn does not show up when I do 'netstat -tulpn')
09:14 < acidicx> nvm, I just noticed the server.crt is emtpy somehow.. that seems to be one problem at least
09:22 -!- debbie10t [~ma1com10t@host-92-20-1-125.as13285.net] has joined #openvpn
09:22 < debbie10t> HNY:)
09:24 < debbie10t> I have real server, client and bridge-vpn subnet 10.2.101/24 and no subnet conflict warning and it does not connect because of subnet conflict . . .
09:36 < debbie10t> HA .. bridge the client aswell !
09:36 < debbie10t> even programs the bridge interface correctly - sweet
09:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:38 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
09:40 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
09:44 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
10:02 -!- tfox [~tfox@199.167.138.130] has joined #openvpn
10:17 -!- crus [~crusader@2001:44b8:319e:2900:9835:2f69:4e9b:963] has joined #openvpn
10:21 -!- crus` [~crusader@2001:44b8:319e:2900:20fe:8018:63ba:9b66] has quit [Ping timeout: 245 seconds]
10:31 -!- tfox [~tfox@199.167.138.130] has quit [Quit: tfox]
10:50 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
10:53 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has joined #openvpn
10:53 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has quit [Changing host]
10:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:57 < dimm0k> as soon as i initiate the openvpn connection on the linux client, my log file gets polluted with the following two lines
10:57 < dimm0k> IPv4: martian source 192.168.4.44 from 68.116.169.10, on dev eth0
10:57 < dimm0k> ll header: 00000000: f0 de f1 67 89 84 00 26 62 3e ac 72 08 00        ...g...&b>.r..
10:58 < dimm0k> is there something i'm missing in my openvpn configuration or is this a separate routing issue?
11:00 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 252 seconds]
11:01 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 272 seconds]
11:02 < debbie10t> maybe
11:03 -!- debbie10t is now known as aanteater
11:04 -!- aanteater is now known as Kung-Fu
11:04 -!- Kung-Fu is now known as Kung-Fu_Panda
11:12 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:19 < dimm0k> Kung-Fu_Panda: any idea how to troubleshoot this?
11:20 -!- tfox [~tfox@199.167.138.130] has joined #openvpn
11:31 < Kung-Fu_Panda> !paste
11:31 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
11:33 < Kung-Fu_Panda> !config
11:33 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
11:34 < Kung-Fu_Panda> !configs
11:34 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:38 < dimm0k> my client.conf, http://pastebin.com/iExy9bLx, server conf, http://pastebin.com/VSHjaugW
11:38 < dimm0k> running slackware 14.1 and openvpn 2.3.2
11:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:39 -!- tfox [~tfox@199.167.138.130] has quit [Quit: tfox]
11:43 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
11:44 -!- tfox [~tfox@199.167.138.130] has joined #openvpn
11:45 -!- m01 [~quassel@gateway/shell/freebnc/x-tvrvvojpgoyuinuk] has quit [Remote host closed the connection]
11:46 -!- m01 [~quassel@gateway/shell/freebnc/x-kwktizfwtqbgrmbe] has joined #openvpn
11:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:48 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
11:51 -!- JSharpe [~JSharpe@176.249.43.93] has joined #openvpn
11:51 < dimm0k> wondering if i should just turn it off with `sysctl -w "net.ipv4.conf.eth0.rp_filter=0"` or is it something that needs to be addressed?
11:54 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
11:54 -!- Devastator [~devas@177.99.154.140] has joined #openvpn
12:01 < Kung-Fu_Panda> is it a windows client ?
12:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:15 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:15 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
12:17 < dimm0k> no, linux client and linux server...  both on slackware
12:22 < Kung-Fu_Panda> is  192.168.4.44 your client ?
12:22 < Kung-Fu_Panda> and can you verify the MAC address ?
12:30 < dimm0k> yes, that ip is the client's local ip
12:30 < dimm0k> and yes, that's the mac address
12:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:32 -!- mode/#openvpn [+v s7r] by ChanServ
12:33 < tfox> I missed the opener; what are you trying to do?
12:35 -!- JSharpe [~JSharpe@176.249.43.93] has quit [Ping timeout: 240 seconds]
12:35 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
12:35 < dimm0k> tfox: i keep getting 'IPv4: martian source 192.168.4.44 from 68.116.169.10, on dev eth0' messages whenever i connect to the openvpn server
12:37 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
12:49 -!- tfox [~tfox@199.167.138.130] has quit [Quit: tfox]
12:53 -!- smerz [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
12:53 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
12:54 -!- acidicx [~acidicx@ip-176-199-140-255.unitymediagroup.de] has quit [Quit: Verlassend]
13:44 -!- p3rror [~mezgani@adsl196-115-110-217-196.adsl196-12.iam.net.ma] has joined #openvpn
13:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:48 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
13:49 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
13:55 -!- Guest63422 [~mikeym@184.70.65.118] has joined #openvpn
13:56 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
13:56 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:57 -!- Guest63422 [~mikeym@184.70.65.118] has quit [Client Quit]
13:57 -!- troj_ [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:57 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
13:57 -!- bawki [bogie@2001:4ba0:fffd:65::101] has joined #openvpn
13:58 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
13:58 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 240 seconds]
13:58 -!- Gasseus [~Rallias@unaffiliated/gasseus] has joined #openvpn
13:58 -!- Netsplit *.net <-> *.split quits: Rallias, +klaxa, Six6siX, Brando753, +Sorcier_FXK, jave_, xBytez, +lachesis, Fruckiwacki, +bogie,  (+2 more, use /NETSPLIT to show all of them)
13:58 -!- Brando753-o_O_o is now known as Brando753
13:58 -!- Six6siX_ is now known as Six6siX
13:59 -!- lachesis [~lachesis@2001:470:8:46f::3] has joined #openvpn
13:59 -!- lachesis [~lachesis@2001:470:8:46f::3] has quit [Changing host]
13:59 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
13:59 -!- mmikeym [~mikeym@184.70.65.118] has quit [Ping timeout: 272 seconds]
13:59 -!- Netsplit over, joins: klaxa
14:00 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
14:00 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
14:01 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
14:01 -!- mchou_ [~quassel@unaffiliated/mchou] has joined #openvpn
14:03 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has joined #openvpn
14:03 -!- _b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
14:03 -!- i7c_ [~i7c@80-69-77-233.colo.transip.net] has joined #openvpn
14:03 -!- master_of_master [~master_of@p4FF24E7D.dip0.t-ipconnect.de] has joined #openvpn
14:04 -!- franks2 [~frank@frank2.net] has joined #openvpn
14:07 -!- akselii [~akselii@tsydeemi.eu] has quit [Ping timeout: 240 seconds]
14:07 -!- akselii [~akselii@tsydeemi.eu] has joined #openvpn
14:07 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
14:09 -!- Netsplit *.net <-> *.split quits: master_o1_master, mchou, +franks2_, @raidz, Haigha, +i7c, +rob0, Gasseus, +Aketzu, b00b,  (+2 more, use /NETSPLIT to show all of them)
14:09 -!- _b00b is now known as b00b
14:09 -!- Netsplit over, joins: mback2k_
14:10 -!- Netsplit over, joins: raidz
14:10 -!- mode/#openvpn [+o raidz] by ChanServ
14:11 -!- rob0 [rob0@harrier.slackbuilds.org] has joined #openvpn
14:11 -!- rob0 [rob0@harrier.slackbuilds.org] has quit [Changing host]
14:11 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
14:16 -!- Rallias [~Rallias@unaffiliated/gasseus] has joined #openvpn
14:31 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 252 seconds]
14:31 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 272 seconds]
14:38 -!- Devastator [~devas@177.99.154.140] has quit [Changing host]
14:38 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
14:43 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
14:43 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
14:48 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
14:58 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
15:01 -!- able [~able@gateway/tor-sasl/able] has quit [Ping timeout: 240 seconds]
15:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
16:00 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
16:00 -!- i7c_ [~i7c@80-69-77-233.colo.transip.net] has quit [Changing host]
16:00 -!- i7c_ [~i7c@unaffiliated/i7c] has joined #openvpn
16:01 -!- i7c_ is now known as i7c
16:04 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
16:04 -!- smerz [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
16:15 -!- Gelos [uid17176@gateway/web/irccloud.com/x-lpdtwqyzwmpapdlw] has joined #openvpn
16:16 < Gelos> is there a way to redirect clients to another webpage (internal office web server) after successful vpn connection  ?
16:17 < Gelos> using access server
16:18 < pekster> !as
16:18 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
16:19 < Gelos> sorry my bad (: thanks!
16:27 < dimm0k> whenever i connect to the openvpn server using a linux client, my /var/log/messages gets polluted with 'IPv4: martian source 192.168.4.44 from 68.116.169.10, on dev eth0' messages
16:27 < dimm0k> am i forgetting a route somewhere?
16:36 -!- Kung-Fu_Panda is now known as Sandfly
16:39 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
16:39 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
16:40 < dimm0k> for the most part everything works in terms of client and server seeing each other
16:40 < dimm0k> but that martian message is constant
16:46 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Read error: Operation timed out]
16:49 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 245 seconds]
17:05 < pekster> dimm0k: read about the log_martians sysctl tunable. The kernel is complaining about an "impossible" source address for the network
17:19 -!- p3rror [~mezgani@adsl196-115-110-217-196.adsl196-12.iam.net.ma] has quit [Quit: Leaving]
17:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
17:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:24 < dimm0k> pekster: why the quotes around impossible?
17:25 < dimm0k> should these packets be ignored?
17:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:27 -!- mode/#openvpn [+v s7r] by ChanServ
17:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:37 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
17:38 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
17:48 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
17:48 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
17:50 -!- Sandfly [~ma1com10t@host-92-20-1-125.as13285.net] has left #openvpn []
18:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
18:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:09 -!- tfox [~tfox@199.167.138.130] has joined #openvpn
18:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 246 seconds]
18:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:35 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:01 -!- master_o1_master [~master_of@p4FF24EB7.dip0.t-ipconnect.de] has joined #openvpn
19:04 -!- master_of_master [~master_of@p4FF24E7D.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
19:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:20 -!- james41382 [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
19:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:23 -!- tfox [~tfox@199.167.138.130] has quit [Ping timeout: 240 seconds]
19:26 -!- Nikon_ [~Nikon@d24-235-162-103.home1.cgocable.net] has joined #openvpn
19:26 < Nikon_> hey
19:27 < Nikon_> how much bandwidth would a openvpn server use if it was just transporting packets for a video game?
19:27 < Nikon_> assuming like 6 users max
19:32 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
19:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
19:47 -!- JackSummer [~jack@241.Red-79-154-47.dynamicIP.rima-tde.net] has quit [Quit: Konversation terminated!]
19:49 -!- JackSummer [~jack@241.Red-79-154-47.dynamicIP.rima-tde.net] has joined #openvpn
19:49 -!- Carbon_Monoxide [~cmonxide@14.0.143.23] has joined #openvpn
19:49 -!- JackSummer [~jack@241.Red-79-154-47.dynamicIP.rima-tde.net] has quit [Client Quit]
19:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:53 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:58 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
19:58 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit]
20:00 -!- Carbon_Monoxide [~cmonxide@14.0.143.23] has left #openvpn ["Leaving"]
20:01 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 272 seconds]
20:01 -!- Nikon_ [~Nikon@d24-235-162-103.home1.cgocable.net] has quit [Ping timeout: 245 seconds]
20:06 <@EugeneKay> As many packets as the game uses?
20:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:31 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.1]
20:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:40 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:40 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:43 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
20:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
20:54 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:11 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
21:12 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
21:12 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
21:34 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Quit: and in a dream i'm a different me, with a perfect you, we fit perfectly, and for once in my life i feel complete- and i still want to ruin it, afraid to look, as clear as day, this plan has long been underway, i hear them call, i cannot stay, the voice i]
21:43 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Quit: tfox]
21:45 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:45 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
21:47 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
21:55 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Quit: tfox]
22:01 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
22:03 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:03 -!- mode/#openvpn [+o krzee] by ChanServ
22:16 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
22:17 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
22:17 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
22:17 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
22:28 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
22:28 < mingdao> !welcome
22:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
22:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:31 < mingdao> !howto
22:31 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
22:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
22:39 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
22:39 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
22:43 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Client Quit]
22:54 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
23:01 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
23:04 < mingdao> !goal
23:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:14 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
23:15 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
23:17 < mingdao> My goal is to access NFS shares on server on my LAN from WAN, with router on the LAN being the openvpn server.
23:17 < mingdao> I've read and edited until I'm blue in the face.
23:18 < tfox> what can you tell us about your setup
23:18 < tfox> let me rephrase - I'd like to get a better idea what you're trying to get to from where
23:19 < tfox> it sounds to me like you want to VPN into your LAN from somewhere on the internet and get access to a NFS share?
23:19 < mingdao> YES
23:20 < mingdao> sorry
23:20 < mingdao> I have NFS setup on a server whose hostname is server on my LAN. Also, my Linux router (hostname router) is directing traffic on the LAN. I have setup openvpn on router.
23:21 < mingdao> This is the log on the client (baruch) and on router: http://pastie.org/8592757
23:21 < tfox> does the vpn work ok?
23:21 < mingdao> I think it might indeed be a firewall issue, and I'm not sure if I should be putting some IPs from the LAN into one of these conf files.
23:21 < tfox> apparently not
23:22 < mingdao> I can give you a diagram on my LAN if that would help.
23:22 < tfox> so NFS isn't even a concern right now, you need to get your VPN running first
23:22 < mingdao> yes
23:23 < mingdao> NFS works okay on the LAN.
23:23 < tfox> unfortunately that's not really my area of expertise, but what it sounds like is you have the port blocked on your WAN if on your 'router'
23:23 < mingdao> probably so
23:23 < tfox> if = interface
23:24 < mingdao> This is my LAN http://www.servantsofyeshua.org/HPC-network-2013-12-28.pdf
23:24 < tfox> do you have port 1194 open on your WAN IF on your linux router?
23:25 < mingdao> http://pastie.org/8592772
23:25 < mingdao> No, and I think that is what I need to fix.
23:26 < tfox> I'm really not a iptables guru either
23:26 < mingdao> From reading openvpn docs, I think maybe editing then adding a line like this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
23:26 < tfox> but you should get on that
23:26 < mingdao> I supposed trial and error isn't going to kill me.
23:26 < tfox> you don't want a NAT rule, just a firewall rule
23:26 < tfox> also, -N deny on the 4th line looks awfully suspicious
23:27 < tfox> again, not my wheelhouse
23:27 < mingdao> Not mine either.
23:28 < tfox> to the google machine!
23:28 < mingdao> Someone who is quite proficient has actually written my iptables ruleset.
23:28 < tfox> bangin
23:28 < mingdao> Okay, off I go to search people's data some more. :D
23:28 < tfox> too bad they're not on call
23:28 < mingdao> Yes, it is.
23:28 < mingdao> 6 timezones away, also
23:30 < mingdao> tfox: thanks for your help
23:30 < tfox> rubbish. I wasn't any help at all
23:48 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 240 seconds]
23:48 -!- tfox_ [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
23:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
23:57 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
23:59 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Client Quit]
--- Day changed Thu Jan 02 2014
00:03 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
00:03 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
00:09 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
00:10 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
00:29 -!- tfox_ is now known as tfox
00:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:06 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
01:10 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
01:25 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:33 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Quit: tfox]
01:35 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 240 seconds]
01:35 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
01:35 -!- smerz [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
01:41 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 240 seconds]
01:42 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 245 seconds]
01:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
02:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
02:11 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
02:30 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
02:31 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
02:33 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
03:35 -!- mattock_afk is now known as mattock
03:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds]
03:51 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
04:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:22 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
04:23 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:38 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 246 seconds]
04:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:56 -!- Denial [Denial@2.217.201.230] has joined #openvpn
05:41 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 240 seconds]
05:42 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
06:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:06 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:09 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
06:14 -!- nico__ [~nico@195.191.202.173] has joined #openvpn
06:16 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.3-dev]
06:17 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:19 -!- schiesupport [~schiesupp@217.68.49.65] has joined #openvpn
06:22 < nico__> Newbee question: I'm trying to get a VPN server (VPS, Debian 6, kernel 2.6.32.6) working and have some problems with the firewall. Any suggestions? See http://pastebin.com/sNUhRF9N for details.
06:23 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
06:24 < nico__> !welcome
06:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:24 < nico__> !howto
06:24 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:28 < nico__> !route
06:28 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
06:28 <@vpnHelper> client
06:29 < nico__> !redirect
06:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
06:29 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
06:29 < nico__> !def1
06:29 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
06:32 < nico__> !goal
06:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:34 -!- nico__ [~nico@195.191.202.173] has quit [Quit: Konversation terminated!]
06:35 -!- nico__ [~nico@195.191.202.173] has joined #openvpn
06:35 < schiesupport> quick question people (if anybody is ever alive in here) : i can get everything working perfectly when i connect from windows to linux vpn , but when i try from linux to linux vpn it just wont work , the connection goes up and if i dont use redirect-gateway i can ping / connect to the server , however if i add redirect-gateway my normal connection on linux becomes unresponsive / shells drop etc. and i got nothing internet wise. should i look at cli
06:35 < schiesupport> ent settings or more at the server?
06:39 -!- nico__ [~nico@195.191.202.173] has quit [Ping timeout: 272 seconds]
06:43 -!- nico__ [~nico@195.191.202.173] has joined #openvpn
06:44 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:44 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
06:45 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
06:46 < nico__> Newbee question: I'm setting up a VPS (Debian 6, kernel 2.6.32.60) to run openvpn and have a firewall problem. I'm stuck. Any suggestions? Details on http://pastebin.com/sNUhRF9N
06:47 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:49 < schiesupport> ill have a look , but i dont kknow if i can help you nico , since this channel is kinda dead with exception of the bot
06:50 < nico__> :schiesupport Thank you!
06:51 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 260 seconds]
06:51 < schiesupport> give me 2-3 minutes thou , im at work so need to look in between
06:52 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
06:52 < nico__> schiesupport: OK. I appreciate any help
06:56 -!- mchou_ [~quassel@unaffiliated/mchou] has quit [Remote host closed the connection]
07:10 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
07:10 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
07:10 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
07:22 -!- pluesch0r [~pluesch0r@chello084112018119.27.11.vie.surfer.at] has joined #openvpn
07:22 < pluesch0r> hi everybody. is there a way to use ccd stuff based on the username that's supplied and _not_ on the common name of the certificate used by the connecting client?
07:25 < pluesch0r> we're looking at rolling out 100+ openvpn client setups and the customer is a bit narrow-minded. it would be awesome if we could just differentiate supplied routes etc. based on the value that's been supplied as username (auth backend is LDAP/active directory)
07:25 < pluesch0r> .. so we could give one generic installation package to the customer and not have to worry about individual keys.
07:29 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
07:29 -!- Devastatr [~devas@177.99.153.206] has joined #openvpn
07:33 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:33 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:39 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
07:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
07:44 -!- nico__ [~nico@195.191.202.173] has left #openvpn ["Konversation terminated!"]
07:47 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
07:48 < mingdao> !iptable
07:49 < mingdao> !iptables
07:49 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
07:49 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
08:11 -!- Devastatr [~devas@177.99.153.206] has quit [Ping timeout: 240 seconds]
08:11 -!- Devastator [~devas@177.99.153.206] has joined #openvpn
08:37 -!- takamichi [~takamichi@85.12.8.107] has quit [Quit: Computer has gone to sleep.]
08:38 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
08:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 240 seconds]
08:39 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
08:39 -!- schiesupport [~schiesupp@217.68.49.65] has quit [Quit: Leaving]
08:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:48 < mingdao> bing bada bing!
08:48 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
08:51 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
08:58 -!- Cultist [~CultOfThe@c-24-12-53-28.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
08:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 240 seconds]
09:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:07 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:15 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
09:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
09:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:27 -!- pluesch0r [~pluesch0r@chello084112018119.27.11.vie.surfer.at] has quit [Quit: leaving]
09:31 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has joined #openvpn
09:41 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
09:42 -!- Devastator [~devas@177.99.153.206] has quit [Ping timeout: 265 seconds]
09:43 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:43 <+surfmasta> hi, i have a question. it just came into my mind (but i am not a windows user): what happens if windows decides to lock a users desktop (so he still is logged in with a running openvpn connection) and another user on the machine logs in parallel with another account and want to connect to the same openvpn server?
09:44 <+surfmasta> is there a function that logs you out in openvpn on windows when a auto-locking occurs?
09:50 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Read error: Connection reset by peer]
09:50 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
09:51 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
09:55 -!- JSharpe2_ [~jsharpe2@176.249.43.93] has joined #openvpn
09:55 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Read error: No route to host]
09:59 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
10:00 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:04 -!- Devastator [~devas@unaffiliated/devastator] has quit []
10:05 -!- Devastator [~devas@186.214.110.207] has joined #openvpn
10:05 -!- Devastator [~devas@186.214.110.207] has quit [Changing host]
10:05 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
10:08 -!- bwallen [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has joined #openvpn
10:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:26 < bwallen> I have a client that I can see triying to connect to my server but doesn't completely succeed. In my openvpn server's status it shows that it's connected, but I can't ping it. I don't see any errors in my server but I don't see the client do a PUSH_REQUEST. I don't have access to the client at the moment to look at its logs What can cause this sort of behaviour?
10:33 -!- p3rror [~mezgani@41.249.100.181] has joined #openvpn
10:37 -!- dvl [~dan@64.147.113.42] has joined #openvpn
10:41 -!- dvl [~dan@64.147.113.42] has quit [Changing host]
10:41 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
10:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:49 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
10:51 < mingdao> tfox: I got connected to the VPN, and can ping it's tun IP.
10:51 < tfox> can this wait until both of my eyes are open?
10:51 < mingdao> :D
10:52 < mingdao> Just saying...
10:54 < tfox> oh
10:54 < tfox> so you're all set then
10:55 < mingdao> I have much more to do with NFS.
10:55 < mingdao> But at least I can connect to the vpn.
10:55 < tfox> NFS is a cakewalk
10:55 < mingdao> It *was* the need of firewall adjustment.
10:56 < tfox> what a curious expression
10:56 < mingdao> Well, I can mount the NFS shares on the LAN; but not here from outside the LAN.
10:56 < tfox> I wonder if it means "walk to get a cake"
10:56 < tfox> or something more like "walk on a cake"
10:57 < mingdao> Here we say "piece of cake".
10:57 < mingdao> something easily achieved.
10:57 < mingdao> "I never said that training him would be a piece of cake"
10:58 < tfox> anyway, I would think that you should be able to do whatever you want once you're inside the vpn
10:58 < tfox> piece of cake is common too, but I assume it refers to the eating of
10:58 < mingdao> More reading ... I can't reach the proper network from the vpn.
10:59 < tfox> I'm confused
10:59 < tfox> you dialed someone else's vpn?
10:59 < mingdao> nope
10:59 < mingdao> Since I don't know much about networking to begin with, I probably couldn't write things where you'd understand.
11:00 < mingdao> I only understand Layer 1. ;)
11:00 < mingdao> But ... I'm studying.
11:02 < tfox> if you're saying what I think you're saying, you probably need a rule that says "allow all from vpn to lan"
11:10 < mingdao> !iptables
11:10 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
11:10 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
11:19 -!- _manfred_ [~IceChat77@12.109.211.60] has joined #openvpn
11:20 < _manfred_> hey guys, im using the openvpn vmware template and im trying to configure ldap, its not going well, but im not able to find the ldap logs, anyone have any ideas on what im missing?
11:21 -!- JSharpe2_ [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
11:23 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
11:24 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 240 seconds]
11:25 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
11:25 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
11:31 < _manfred_> !welcome
11:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:31 < _manfred_> hello?
11:39 < bwallen> Sounds like that might be a better question for an ldap related channel.
11:40 < bwallen> At least the part about finding the logs
11:43 < _manfred_> i figured since it was in the openvpn vmware template that i dl'd from the openvpn site, maybe someone would have an idea about where the ldap logs for openvpn would be?
11:50 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Quit: tfox]
11:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:57 -!- novaflash is now known as novaflash_away
11:58 -!- novaflash_away is now known as novaflash
12:22 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
12:25 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
12:26 <@EugeneKay> The "vmware template" on openvpn.com is of the AS product, not the GPL OpenVPN
12:26 <@EugeneKay> !download
12:26 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:26 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:26 <@EugeneKay> That's what you want ^
12:31 < _manfred_> thank you!
12:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
12:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:48 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
12:49 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
12:49 -!- smerz [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
12:59 -!- Netsplit *.net <-> *.split quits: Haseo, @dazo, jacob11, Cybertinus, HectorBarbossa, xBytez
13:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
13:05 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
13:05 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
13:05 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dihouffwyokanuat] has joined #openvpn
13:05 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
13:05 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-kwyxiifgmaodkpwi] has joined #openvpn
13:05 -!- Haseo [~Haseo@2001:41d0:2:c0f::1] has joined #openvpn
13:05 -!- ServerMode/#openvpn [+o dazo] by holmes.freenode.net
13:09 -!- p3rror [~mezgani@41.249.100.181] has quit [Ping timeout: 240 seconds]
13:09 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 272 seconds]
13:11 -!- p3rror [~mezgani@41.249.100.181] has joined #openvpn
13:13 -!- p3rror [~mezgani@41.249.100.181] has quit [Max SendQ exceeded]
13:18 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
13:20 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
13:20 -!- p3rror [~mezgani@41.249.100.181] has joined #openvpn
13:24 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.1]
13:24 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
13:27 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
13:32 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
13:33 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 264 seconds]
13:33 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Remote host closed the connection]
13:34 -!- smerz_ is now known as smerz
13:36 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
13:36 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
13:44 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 264 seconds]
13:49 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
13:49 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
14:11 -!- mattock is now known as mattock_afk
14:23 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
14:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
14:24 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 240 seconds]
14:25 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:25 -!- mode/#openvpn [+v s7r] by ChanServ
14:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:32 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:33 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
14:34 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:40 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has left #openvpn ["WeeChat 0.4.1"]
14:44 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
14:53 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Ping timeout: 240 seconds]
14:55 -!- smerz [~smerz@80.56.168.194] has joined #openvpn
14:56 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 260 seconds]
15:11 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
15:17 -!- mike252 [~mmolnar@p4FFD3442.dip0.t-ipconnect.de] has joined #openvpn
15:17 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
15:17 < mike252> hi guys
15:17 < mike252> can someone give me a hand?
15:20 -!- pluesch0r [~pluesch0r@213.143.107.234] has joined #openvpn
15:20 < pluesch0r> hi everybody. is there a way to gain ccd-like funcionality with openvpn based on the supplied username as opposed to the common name of the supplied certificate?
15:21 < pluesch0r> i.e. i'd like to be able to push different options to different users.
15:21 -!- p3rror [~mezgani@41.249.100.181] has quit [Quit: Leaving]
15:23 <@EugeneKay> Sure. --username-as-cn
15:23 <@EugeneKay> Wait, that's for verify, not ccd
15:24 < mike252> EugeneKay: do you have a minute?
15:25 < mike252> i have a stupid question.
15:25 <@EugeneKay> I have many minutes.
15:25 <@EugeneKay> !ask
15:25 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
15:25 < mike252> i have a VPS ... with eth0 =88.xxxxxxx and a tun0 with 10.9.8.0
15:26 < mike252> i have setup the openvpn ... i can connect to IT, BUT i think i am missing a route or smth between eth0 and tun0
15:26 <@EugeneKay> pluesch0r - under String Types and Remapping in the man page it suggests that the --client-config-dir filename is derived "from common name or username". I've not used the --username-as-common-name switch, but I /think/ it does do the ccd as well as user-pass-verify. Try it ;-)
15:26 < mike252> ... from the machine connected via vpn i can not access the internet
15:26 <@EugeneKay> !redirect
15:26 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:26 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:26 <@EugeneKay> We have a chart for you to follow ;-) ^
15:26 -!- dazo is now known as dazo_afk
15:27 < mingdao> nice chart
15:27 < mike252> nice chart indeed
15:27 < mike252> !def1
15:27 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:28 < mingdao> that last one is what got me from the server to the rest of my LAN
15:30 < pluesch0r> EugeneKay: oh, right. thanks. not like i haven't had a look at the manual, hah. :)
15:31 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit [Remote host closed the connection]
15:32 < mike252> i am confused... because i do not know if my problem is with routing or config ... damn...
15:34 < mike252> !nat
15:34 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
15:42 -!- JSharpe2 [~jsharpe2@176.249.43.93] has joined #openvpn
15:45 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
15:48 -!- pluesch0r [~pluesch0r@213.143.107.234] has quit [Quit: leaving]
16:01 -!- mete [~mete@91.247.253.160] has quit [Read error: Connection reset by peer]
16:02 -!- Denial [Denial@2.217.201.230] has quit []
16:05 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 246 seconds]
16:07 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 240 seconds]
16:09 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
16:10 -!- smerz [~smerz@80.56.168.194] has quit [Ping timeout: 240 seconds]
16:11 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:11 -!- mrrothhcloud___ [uid4697@gateway/web/irccloud.com/x-tigsxpaelalupfmr] has quit [Ping timeout: 246 seconds]
16:12 -!- bawki [bogie@2001:4ba0:fffd:65::101] has quit [Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.]
16:12 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 246 seconds]
16:12 -!- Gelos [uid17176@gateway/web/irccloud.com/x-lpdtwqyzwmpapdlw] has quit [Ping timeout: 252 seconds]
16:12 -!- smerz [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
16:13 -!- noobboob [uid5587@gateway/web/irccloud.com/x-xydwvzlxssletfov] has quit [Ping timeout: 260 seconds]
16:13 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-kwyxiifgmaodkpwi] has quit [Ping timeout: 246 seconds]
16:13 -!- smerz [~smerz@f168194.upc-f.chello.nl] has quit [Client Quit]
16:14 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-vtpnyokohkdgielz] has quit [Ping timeout: 272 seconds]
16:14 -!- mrrothhcloud___ [uid4697@gateway/web/irccloud.com/x-jphdlrntakhgpekd] has joined #openvpn
16:14 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:14 -!- XJR-9_ is now known as XJR-9
16:15 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 240 seconds]
16:16 -!- dowaat [uid3966@gateway/web/irccloud.com/x-rcngqlwdpqtpazib] has quit [Ping timeout: 272 seconds]
16:16 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-vrrsbzxfdddcvpfg] has joined #openvpn
16:16 -!- jacob11 [~uid22180@gateway/web/irccloud.com/x-annhidmbojssqrua] has joined #openvpn
16:18 -!- noobboob [uid5587@gateway/web/irccloud.com/x-wpxqcwvngsjbzbfy] has joined #openvpn
16:19 -!- xorox90_ [uid7069@gateway/web/irccloud.com/x-jwmuzkigwaqrgmqa] has quit [Ping timeout: 246 seconds]
16:21 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:23 -!- noobboob [uid5587@gateway/web/irccloud.com/x-wpxqcwvngsjbzbfy] has quit [Ping timeout: 240 seconds]
16:24 -!- mike252 [~mmolnar@p4FFD3442.dip0.t-ipconnect.de] has left #openvpn []
16:27 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-wfxcbwnurepswijl] has joined #openvpn
16:28 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
16:32 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-vrrsbzxfdddcvpfg] has quit [Ping timeout: 246 seconds]
16:33 -!- mrrothhcloud___ [uid4697@gateway/web/irccloud.com/x-jphdlrntakhgpekd] has quit [Ping timeout: 246 seconds]
16:36 -!- jacob11 [~uid22180@gateway/web/irccloud.com/x-annhidmbojssqrua] has quit [Ping timeout: 245 seconds]
16:36 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Quit: tfox]
16:37 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-kbtzmdbbfahuccqc] has joined #openvpn
16:40 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dihouffwyokanuat] has quit [Ping timeout: 246 seconds]
16:45 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-stoucwqvbwzlgjrk] has joined #openvpn
16:47 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
16:51 < Fetch> I want to use server-bridge, openvpn's dhcp. I can connect to ovpn server, ping ip on br0, but cannot ping router or hosts on eth1. From ovpn server I can ping hosts hanging off eth1. tcpdump shows arp (and icmp if arp is statically set) but doesn't show replies for requests from ovpn client
16:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-stoucwqvbwzlgjrk] has quit [Ping timeout: 245 seconds]
16:52 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-wfxcbwnurepswijl] has quit [Ping timeout: 245 seconds]
16:52 < Fetch> any ideas what might be up? I've confirmed a lack of filtering on the appropriate interfaces (tap0, br0, eth1)
16:53 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 240 seconds]
16:54 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
16:55 < Fetch> ah I think I found it, virtualization trying to be clever
16:55 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
16:56 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wcofceathvnlwqvb] has joined #openvpn
16:58 < Cpt-Oblivious> If I have OpenVPN push the following route 'push "route 5.255.69.80 255.255.255.255"' would that work to have only the traffic meant for 5.255.69.10 go through the vpn? The ip of the vpn server is on an ACL for a service on 5.255.69.80, and I'd like to only have traffic meant for that ip go through the vpn.
16:59 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-kbtzmdbbfahuccqc] has quit [Ping timeout: 264 seconds]
17:00 < Fetch> Cpt-Oblivious: in your question, you say "would that work to have only the traffic meant for 5.255.69.10 go through the vpn"
17:00 < Fetch> assuming that was a typo for 5.255.69.80, then yes. sorta.
17:01 < Cpt-Oblivious> yes that's a typo indeed.
17:01 < Cpt-Oblivious> why sorta? :p
17:01 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:01 < Cpt-Oblivious> the reason i'm in doubt is because of me not pushing a redirect gateway, sure if you push a 10.x.x.x route it'll always work since the router won't say that's reachable.
17:02 < pekster> Unless youa re a customer of Serverius who has paid for that IP range, you shouldn't be using it, just FYI
17:02 < Fetch> openvpn won't push any other routes, but if the client manually adds routes for the rest of your network going through their tap device or going through the other end of tun0, then they will be able to route in
17:02 < Cpt-Oblivious> I am pekster.
17:02 < Cpt-Oblivious> I am moving my server into colocation with serverius tomorrow.
17:02 < pekster> Ah, then if that's your IP range, go for it
17:02 < Cpt-Oblivious> And I have a VPS with an ip, and the ip of that VPS is used on the ACL of my IPMI port
17:02 < pekster> You still need to push a route-gateway (or define one locally) but it's fine to push a /32 route
17:02 < Fetch> in other words, pushed routes are a suggestion, they don't form the basis for any acls
17:02 < Cpt-Oblivious> Since I didn't want my ipmi to be wide open.
17:03 < pekster> If you're doing that, you don't even need the netmask as a /32 is implied
17:03 < Cpt-Oblivious> oh I see
17:03 < Cpt-Oblivious> so just 'push "route 5.255.69.80"'
17:03 < pekster> Your other option is to avoid pushing the --route-gateway and supply the gateway manually, probably with the 'vpn_gateway' helper
17:06 < Cpt-Oblivious> I don't quite understand what that does, do you then push 2 gateways? 1 which is the 'net_gateway' which should be used for all ips and the other which is the 'vpn_gateway' which should only used for that 1 ip?
17:07 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
17:07 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
17:11 < pekster> Oh, it does depend on topology; in tap or 'topology subnet' operational modes, you need to pass --route-gateway anyway to use vpn_gateway
17:11 -!- mete [~mete@91.247.253.160] has joined #openvpn
17:11 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-lbzhvxicvzzshdps] has joined #openvpn
17:13 < Cpt-Oblivious> I'm going to try some stuff, thanks :)
17:17 -!- mete- [~mete@91.247.253.160] has joined #openvpn
17:17 -!- mete [~mete@91.247.253.160] has quit [Read error: Connection reset by peer]
17:18 -!- mete- [~mete@91.247.253.160] has quit [Read error: Connection reset by peer]
17:20 -!- mete [~mete@91.247.253.160] has joined #openvpn
17:23 -!- mete- [~mete@91.247.253.160] has joined #openvpn
17:23 -!- mete [~mete@91.247.253.160] has quit [Read error: Connection reset by peer]
17:26 -!- mete- [~mete@91.247.253.160] has quit [Read error: Connection reset by peer]
17:27 -!- mete [~mete@91.247.253.160] has joined #openvpn
17:28 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 240 seconds]
17:28 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
17:43 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
17:43 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
17:45 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
17:53 -!- dowaat [uid3966@gateway/web/irccloud.com/x-mstbttybevfpjnlt] has joined #openvpn
18:02 -!- JSharpe2 [~jsharpe2@176.249.43.93] has quit []
18:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 240 seconds]
18:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:13 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Read error: Connection reset by peer]
18:15 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
18:15 -!- XJR-9_ is now known as XJR-9
18:17 -!- jefferai [~quassel@kde/mitchell] has quit [Write error: Connection reset by peer]
18:17 -!- jefferai [~quassel@kde/mitchell] has joined #openvpn
18:30 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 240 seconds]
18:37 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-lbzhvxicvzzshdps] has quit [Ping timeout: 240 seconds]
18:40 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds]
18:46 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-bqcbgiuwkrffetay] has joined #openvpn
18:50 -!- blarghlarghl [michael@efnet.math.uwaterloo.ca] has joined #openvpn
18:50 < blarghlarghl> Hi all.
18:50 < blarghlarghl> I'm trying to set up an openvpn server on my machine at home. It works insofar as I can actually connect and ssh to my server running openvpn on both the local and the virutal IPs, but I can't access any other machines on the local network. My local (physical) network is 10.0.0.x, and my VPN network is 10.9.0.x.
18:50 < blarghlarghl> My server config is https://gist.github.com/anonymous/95bdcf1308d483e33ccd
18:50 <@vpnHelper> Title: gist:95bdcf1308d483e33ccd (at gist.github.com)
18:51 < blarghlarghl> What am I missing to be able to connect to my local clients?
18:54 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has joined #openvpn
18:54 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:54 < pekster> Why are you using tap? You can route over tap, but if you don't need it you should use tun instead
18:55 < pekster> Otherwise verify you've followed all the right steps in !serverlan for connecting to a LAN behind the server
18:55 < pekster> Also, 10.0.0.0/24 is a horrible network to use since it's quite common and likely to collide
18:55 < blarghlarghl> Why is tun better? I thought tap supported broadcast services...
18:56 < blarghlarghl> Yeah, but I'm not about to change my local network from a continent away. Something will definitely go wrong :)
18:56 < blarghlarghl> I can try using tun.
18:56 < blarghlarghl> !serverlan
18:56 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
18:56 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
18:57 < blarghlarghl> pekster: hm, "router of the lan the server is on needs a route added to it" What if my router doesn't support that?
19:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
19:02 -!- master_of_master [~master_of@p4FF24E6C.dip0.t-ipconnect.de] has joined #openvpn
19:02 < blarghlarghl> pekster: The flowchart says "Add a route to the lan machine so it knows how to reach the vpn subnet" - which machine is the 'target machine'? the one on the local LAN that I'm trying to ping?
19:05 < pekster> Then you buy a router that doesn't suck
19:05 < pekster> Most off-the-shelf routers let you add a static route
19:05 -!- master_o1_master [~master_of@p4FF24EB7.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
19:05 < pekster> If not, spend $30 for one that does
19:06 -!- noobboob [uid5587@gateway/web/irccloud.com/x-dhcygzledqutdwjn] has joined #openvpn
19:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:10 -!- bogie [bogie@2001:4ba0:fffd:65::101] has joined #openvpn
19:14 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
19:25 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:44 -!- tfox [~tfox@50-47-86-141.evrt.wa.frontiernet.net] has quit [Ping timeout: 264 seconds]
19:47 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 246 seconds]
19:55 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
19:56 -!- jtrucks [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
19:57 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
20:01 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:03 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
20:05 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
20:07 -!- jtrucks [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Ping timeout: 612 seconds]
20:07 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:07 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:12 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
20:13 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:18 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:18 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:24 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:25 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:30 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
20:30 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:30 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:37 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:43 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Ping timeout: 240 seconds]
20:48 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:48 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:54 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:55 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:55 -!- lbft is now known as jigglypuff
20:58 -!- jigglypuff is now known as lbft
21:01 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
21:10 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds]
21:17 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
21:20 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
21:20 -!- Lars_G [~Lars@unaffiliated/lars-g/x-000001] has joined #openvpn
21:20 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
21:20 < Lars_G> Hello :) and help, trying to fix this once and for all: (typing).
21:21 < Lars_G> Let's say I use a vps as my open vpn hub, I have 3 networks i push routes for around, a b and c... now c is home... but I have two special clients, that are mobile (cell phone and laptop). which can eventually reside on networks a b or c
21:22 < Lars_G> Is there any way to avoid the network where they're at from being pushed to these clients other than creating four configuration files and names for the certs?
21:24 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:25 <@EugeneKay> Don't turn on openvpn when your laptop is on your home network.
21:27 < Lars_G> EugeneKay: Thanks! then how do I access networks a and b??
21:27 < Lars_G> Or at work, how do i access b and c?
21:28 <@EugeneKay> Through the vpn client / router that the route for that network is being accessible?
21:28 <@EugeneKay> !route
21:28 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
21:28 <@vpnHelper> client
21:28 < Lars_G> EugeneKay: Do you know an answer to my question dude?
21:28 <@EugeneKay> I.... just told you?
21:30 < Lars_G> ....
21:30 < Lars_G> I see
21:30 < Lars_G> sigh
21:31 < Lars_G> Not much fun, I'd have to setup routing tables/scripts for each location for these devices, but...
21:31 <@EugeneKay> Not really, no....
21:31 <@EugeneKay> If you're getting a route pushed for network B(attached to client B), then you ought to be able to reach network C(via client C) from net B
21:31 < Lars_G> well the routers in each locations are not the main network routers. and I could set up statics at home, but I wont at work.
21:32 < Lars_G> I'll try static routes at home
21:32 <@EugeneKay> Ahhhh this is a nathack
21:32 < Lars_G> Yep
21:32 <@EugeneKay> Yeah, then you're fucked.
21:32 < Lars_G> nat doesnt worry me much
21:33 < Lars_G> thanks
21:34 < Lars_G> Sigh
21:34 < Lars_G> at home I have an airport extreme. there is SO much I want to do and cant
21:34 < Lars_G> Starting with netflow
21:34 <@EugeneKay> !beer
21:34 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
21:35 < Lars_G> yeah
21:35 < Lars_G> I think I had enough beer on the 31 for a lifetime, still....
21:37 < Lars_G> Aaaand, no static routes on an airport... I give up
21:39 < Lars_G> I'm thinking on setting up a raspberry pi on the way as a service extender for the extreme
21:42 < Lars_G> Happy new year EugeneKay
21:45 < pekster> NAT is evil. Have some IPv6 ;)
21:46 < Lars_G> I'm trying to set ipv6 off to 2040 or so
21:46 < pekster> It's been here for over a decade ;)
21:48 < Lars_G> Yeah... it's not "here"
21:48 < Lars_G> I'm in the third world, believe me
21:48  * pekster shrugs. tunnelbroker.net or sixxs.net
21:49 < Lars_G> Forget beer, I need apple sider
21:50 < Lars_G> and vodka
21:55 -!- Lars_G [~Lars@unaffiliated/lars-g/x-000001] has quit [Quit: leaving]
21:58 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
22:08 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
22:09 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Client Quit]
23:21 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
23:23 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
23:25 -!- guntha [~guntha@unaffiliated/guntha] has quit [Ping timeout: 252 seconds]
23:26 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
23:28 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
23:31 -!- fvalente [~fvalente@ts.node.pt] has quit [Ping timeout: 260 seconds]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
23:32 -!- guntha [~guntha@unaffiliated/guntha] has joined #openvpn
23:33 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
23:33 -!- fvalente [~fvalente@ts.node.pt] has joined #openvpn
23:36 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
23:47 -!- mchou [~quassel@unaffiliated/mchou] has joined #openvpn
23:56 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
23:57 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
--- Day changed Fri Jan 03 2014
00:07 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
00:08 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
00:19 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 246 seconds]
00:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer]
00:34 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
00:36 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
00:37 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:40 -!- mattock_afk is now known as mattock
00:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:59 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 245 seconds]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:05 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
01:22 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
01:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:24 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
01:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:31 -!- Fetch [fetch@gimel.cepheid.org] has quit [Read error: Connection reset by peer]
01:37 -!- Fetch [fetch@gimel.cepheid.org] has joined #openvpn
01:55 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 246 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:05 -!- \malex\ [vfcq0wjjbf@unaffiliated/malex/x-000000001] has joined #openvpn
02:11 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 252 seconds]
02:23 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
02:25 -!- schiesupport [~schiesupp@217.68.49.65] has joined #openvpn
02:27 < \malex\> i'm trying to setup ospf over openvpn in dev tun mode on an openbsd box. i can see ospf packets on the tun1 interface with tcpdump, but running openvpn with --verb 5 doesn't show openvpn ever receiving them. it's as if they are getting lost somewhere between the tun1 interface and openvpn. would anyone be able to point me in some direction where to troubleshoot this?
02:28 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
02:28 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
02:28 -!- mode/#openvpn [+o novaflash] by ChanServ
02:28 < \malex\> i also tried to ping -I tun1_ip 224.0.0.1, and the multicast ping packets are not reaching openvpn either, though tcpdump shows them
02:34 -!- VunKruz [~hhhh@24-205-18-142.dhcp.nrwl.ca.charter.com] has quit [Ping timeout: 272 seconds]
02:35 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
03:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:14 -!- thecaptain2000 [~quassel@38.88.21.95.dynamic.jazztel.es] has joined #openvpn
03:15 -!- dazo_afk is now known as dazo
03:32 -!- Denial [Denial@2.217.201.230] has joined #openvpn
03:35 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 245 seconds]
03:36 -!- thecaptain2000 [~quassel@38.88.21.95.dynamic.jazztel.es] has quit [Remote host closed the connection]
03:37 -!- nobit [nobit@unaffiliated/muska] has quit [Ping timeout: 252 seconds]
03:39 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
03:41 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
04:15 -!- s7r_e [~s7r@openvpn/user/s7r] has joined #openvpn
04:15 -!- mode/#openvpn [+v s7r_e] by ChanServ
04:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
04:26 -!- eliasp_ [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
04:27 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 246 seconds]
04:33 -!- dvl [~dan@nyi.unixathome.org] has quit [Ping timeout: 240 seconds]
04:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:56 -!- dazo is now known as dazo_afk
05:02 -!- mreithub [~mreithub@188-23-12-82.adsl.highway.telekom.at] has joined #openvpn
05:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:02 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
05:07 -!- Eagleman [~Eagleman@84.107.205.159] has joined #openvpn
05:08 -!- dazo_afk is now known as dazo
05:19 -!- Eagleman [~Eagleman@84.107.205.159] has quit [Ping timeout: 240 seconds]
05:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 246 seconds]
06:22 -!- Gelos [sid17176@gateway/web/irccloud.com/x-ssptejhlzywqhrcq] has joined #openvpn
06:23 -!- Gelos [sid17176@gateway/web/irccloud.com/x-ssptejhlzywqhrcq] has quit [Client Quit]
06:23 -!- Gelos [sid17176@gateway/web/irccloud.com/x-bewrozhigkmhinfa] has joined #openvpn
06:31 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
06:33 -!- schiesupport_ [~schiesupp@217.68.49.85] has joined #openvpn
06:33 -!- schiesupport [~schiesupp@217.68.49.65] has quit [Remote host closed the connection]
06:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Operation timed out]
06:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:47 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:07 -!- eliasp_ is now known as eliasp
07:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
07:46 -!- takamichi [~takamichi@85.12.8.105] has joined #openvpn
08:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-nsouwqcfyglwukkt] has quit [Quit: leaving]
08:17 -!- kirin` [telex@gateway/shell/anapnea.net/x-yreiixufiuvanzbr] has joined #openvpn
08:18 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
08:18 -!- paul` [~user@cpe-69-203-87-179.nyc.res.rr.com] has joined #openvpn
08:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds]
08:22 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
08:22 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
08:28 -!- takamichi [~takamichi@85.12.8.105] has quit [Ping timeout: 240 seconds]
08:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
08:36 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:42 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:50 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
08:52 -!- schiesupport_ [~schiesupp@217.68.49.85] has quit [Quit: Leaving]
08:53 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
08:54 -!- paul`` [~user@cpe-69-203-87-179.nyc.res.rr.com] has joined #openvpn
08:55 -!- paul` [~user@cpe-69-203-87-179.nyc.res.rr.com] has quit [Ping timeout: 245 seconds]
09:05 -!- paul``` [~user@CSSTUPC11.CS.NYU.EDU] has joined #openvpn
09:07 -!- paul`` [~user@cpe-69-203-87-179.nyc.res.rr.com] has quit [Ping timeout: 272 seconds]
09:20 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
09:21 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
09:27 -!- pepijndevos [~pepijndev@2a00:dcc0:eda:3754:247:55:9194:8ed6] has quit [Ping timeout: 240 seconds]
09:30 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has joined #openvpn
09:31 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:40 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
09:52 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
09:54 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
09:58 -!- paul```` [~user@cpe-69-203-87-179.nyc.res.rr.com] has joined #openvpn
09:58 -!- paul``` [~user@CSSTUPC11.CS.NYU.EDU] has quit [Read error: Connection reset by peer]
10:01 -!- master_of_master [~master_of@p4FF24E6C.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
10:03 -!- paul```` [~user@cpe-69-203-87-179.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
10:04 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
10:07 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
10:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:19 -!- mattock is now known as mattock_afk
10:25 -!- mattock_afk is now known as mattock
10:36 -!- abd [~abd@213.178.230.126] has joined #openvpn
10:37 < abd> i have setup openvpn server ( comm edition ) in bridge mode
10:37 < abd> i can ping the server the client subnet
10:38 < abd> but i cannot do that from the client side
10:38 < abd> i can only ping the Openvpn server
10:38 < abd> can any one help me
10:43 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
10:48 -!- mrtnt_ [~martint@martint.data.ee] has quit [Ping timeout: 245 seconds]
10:49 <@ecrist> !whybridge
10:49 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
11:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:06 < abd> i have two sites i need to be completly connected in both dircetions
11:06 < abd> i have tried routed
11:06 < abd> i get probelms when pinging from teh server's LAN
11:06 < abd> it can only see the Virtula LAn of teh clients
11:07 < abd> it cannot see the real LAN
11:07 < abd> while the client can ping the server's LAN
11:08 < abd> i just solved the problems with bridge setup
11:08 < abd> i have removed the route entry to teh server's LAN from the clients routing table
11:11 -!- mode/#openvpn [+v rob0] by ChanServ
11:11 <+rob0> "comm edition"? Does that mean OpenVPN-AS?
11:15 < abd> no
11:15 < abd> it mean community
11:15 < abd> sorry
11:16 < abd> now the bridge mode working fine
11:17 < abd> both the client and the server's LAN are accessible
11:17 < abd> from both sides
11:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
11:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
11:26 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
11:35 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:36 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
11:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
11:41 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
11:52 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
11:59 -!- dazo is now known as dazo_afk
11:59 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 260 seconds]
12:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:05 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
12:13 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
12:13 -!- mreithub [~mreithub@188-23-12-82.adsl.highway.telekom.at] has quit [Ping timeout: 240 seconds]
12:17 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
12:24 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
12:27 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has joined #openvpn
12:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:35 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.1]
12:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:47 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
12:49 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
12:51 -!- master_of_master [~master_of@p4FF241F6.dip0.t-ipconnect.de] has joined #openvpn
12:54 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:58 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
12:58 < cpt-oblivious> Hmm i'm trying to figure out why my openvpn tunnel is so slow
12:59 < cpt-oblivious> I can download at 12-14 MB/s from my vpn server via http, but tunneling it through openvpn bottlenecks the performance.
12:59 < cpt-oblivious> I can't get much more than 800-900 KB/s through openvpn
12:59 < cpt-oblivious> cpu usage on both sides is <2%
13:00 < cpt-oblivious> I've tried changing MTU / mssfix values made no difference.
13:00 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Quit: ZNC - http://znc.in]
13:00 < cpt-oblivious> I also changed the cipher to AES, but since cpu usage is < 2%, that didn't make any difference either.
13:01 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Excess Flood]
13:02 <@EugeneKay> !speed
13:02 <@vpnHelper> "speed" is Speed problems? Basic items to check include: 1) Prefer UDP over TCP (see !tcp) 2) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues 3) iface txqueuelen often needs to be >100 on fast and/or latent links 4) latenty/slow links don't magically get better with openvpn 5) less likely are issues with bad TCP window scaling or the sliding window; generally,
13:02 <@vpnHelper> don't 2nd guess TCP (in openvpn or ...
13:04 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
13:06 <@EugeneKay> IMO people usually overthink the problem - I get ~70mbit/s over a 100mbit/s 70ms link without even fiddling anything.
13:07 < cpt-oblivious> My server is on a 1 Gbit uplink, and the client has a 120 mbit link. 10 ms latency.
13:07 < cpt-oblivious> I get 10 mbit tops
13:09 < cpt-oblivious> EugeneKay: could you please show me your config? Then I can try what you've setup differently
13:10 <@ecrist> latency is not the same, or related to, bandwidth
13:11 <+__FBi> !dns
13:11 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
13:11 <+__FBi> !pushdns
13:11 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
13:11 <@EugeneKay> There aren't any tweaks. None. --server, a few --route / --push "route", and --remote-cert-eku. That's it.
13:11 <@ecrist> odds are, cpt-oblivious, your vpn server is processor bound on the encryption
13:11 < cpt-oblivious> ecrist: the processor uses < 2% on both sides
13:12 <@EugeneKay> Did you bother to read the bot's advice above
13:13 <@EugeneKay> Or are you just expecting us to shit out a solution onto a silver platter
13:14 < cpt-oblivious> yes I have, 1) I use UDP, 2) I've tried a bunch of different MTU sizes, 3) not yet, 4) it's a fast low latency link, 5) I doubt it's tcp window scaling as well.
13:15 <@EugeneKay> Trying != watching for fragmentation
13:18 <+__FBi> !windns
13:18 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
13:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:23 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
13:27 < cpt-oblivious> !tcp
13:27 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:29 <@ecrist> cpt-oblivious: low-latency has nothing to do with bandwidth
13:29 < cpt-oblivious> Depends on the protocol that runs over the VPN.
13:30 < cpt-oblivious> If you're just doing Iperf testing, then sure low-latency makes no difference, if you're running SMB over it, then it does.
13:30 <@ecrist> cpt-oblivious: bandwidth is different than latency
13:30 < cpt-oblivious> I know
13:30 <@ecrist> your statements differ
13:31 < cpt-oblivious> SMB is a protocol that suffers a lot via throughput if the RTT is too high
13:31 <@ecrist> I can give you a low-latency serial connection.
13:31 < cpt-oblivious> so a high latency wll impact bandwidth for SMB
13:31 < tfox> what you're saying doesn't make sense, cap
13:32 < tfox> bandwidth is bandwidth
13:32 < tfox> if you request a file over the network, you're going to get x bandwidth and y latency
13:32 <@EugeneKay> Tell that to the piece of shit that is SMB
13:32 < cpt-oblivious> -^
13:32 <@EugeneKay> So your problem is really that SMB is giving you shitty throughput
13:32 < cpt-oblivious> SMB is way too chatty and suffers in throughput if the latency is too high
13:33 <@EugeneKay> We call this a XY problem, aka say that from the fucking beginning
13:33 < cpt-oblivious> EugeneKay: SMB is giving me 10 Mbps, but plain http is also only giving me 10 Mbps
13:33 < tfox> sounds like you have a bandwidth problem ;)
13:33 < cpt-oblivious> I started testing plain http because I know that troubleshooting openvpn performance with SMB speed is horrible :p
13:34 <@EugeneKay> iperf is the accepted way to test true link throughput
13:34 <@ecrist> *cough*
13:34 <@EugeneKay> But yeah, the above still applies. And unless I start charging an hourly rate that's as far as my advice goes on this subject
13:34 < tfox> something else to consider - vpn has a lot of overhead
13:34 < cpt-oblivious> understandable
13:34 <@EugeneKay> !beer
13:34 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
13:35 <@EugeneKay> Shit, it's 11:30. I think that makes it the forbidden lunch
13:36 < tfox> my rule is - if I'm eating lunch out of my home and/or with others who do not reside with me, beer is socially acceptable
13:36 < tfox> brunch is too early
13:36 <@ecrist> cpt-oblivious: you'd get a lot more help if you were easier to get along with
13:36 < cpt-oblivious> :O
13:37 < tfox> the universal truth of requests
13:37 < cpt-oblivious> and what part of what I did doesn't make me easy to get along with? the small discussion about smb?
13:38 < tfox> hammering your square opinions in a round... wait a second
13:40 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Read error: Connection reset by peer]
13:41 -!- Jofironses [~kvirc@189.123.200.25] has joined #openvpn
13:42 < Jofironses> !welcome
13:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:42 < Jofironses> !goal
13:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:45 < Jofironses> Hello, I need to access my computer over the network, but the problem is that I cannot listen on any port. That is the server (Internet computer rdesktop only access) would have to connect to the client (My local computer). Can openvpn do that? Or should I be looking for something else?
13:45 <@EugeneKay> You can build many network topologies with openvpn, but ultimately something needs to listen on a public IP:port
13:46 <@EugeneKay> It sounds like both of your computers are behind a NAT?
13:46 < Jofironses> I see, the client can listen
13:46 < tfox> the 'server' could act as a client and the local computer as a server
13:46 < Jofironses> The problem is only the server, which I need access to cannot listen
13:47 < tfox> right, but you could dial up from the 'server' to your computer
13:47 < Jofironses> Yeah, that is possible
13:47 < Jofironses> The server is behind a nat, which I do not have access to.
13:48 < tfox> you'll need vpn passthrough I think
13:48 < Jofironses> But I am going to need some services from the network, which is I think openvpn should be able to do it
13:48 < tfox> you don't have any access to the nat device?
13:48 < Jofironses> Unfortunately not
13:49 < Jofironses> As a matter of fact I do, but I would need to speak to lots of people just to set it up
13:49 < tfox> I would guess that whoever does isn't going to be keen on you getting outside access to the network, but that's purely speculation.
13:49 < Jofironses> So it is a matter of less trouble actually
13:49 < tfox> I'm pretty sure you'll need the nat box to be configured for vpn passthrough, but I think otherwise it should work.
13:50 < Jofironses> I see, I will have to check that out then. But anyway, could you point me out some website where I could read more about vpn passthrough
13:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:51 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
13:53 < tfox> I'm sure google can do that for you
13:53 < Jofironses> Ok, thank you for the help
13:55 < tfox> ;)
13:55 -!- pagios [pagioss@gateway/shell/bnc4free/x-dtihrttqfkinmcaq] has quit [Remote host closed the connection]
14:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:13 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
14:17 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has quit [Ping timeout: 272 seconds]
14:20 -!- occupant [~null@204.14.158.226] has joined #openvpn
14:21 < occupant> so I remember there being a "nicer" openvpn client for windows that you could download from openvpn.net - one that was made to for the commercial VPN service they sell, but wasn't actually tied to it - you could give it any confs.
14:21 < occupant> but it was easier for, um, "average users" to navigate. is this still available somewhere?
14:22 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
14:22 < cpt-oblivious> occupant: http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html
14:22 <@vpnHelper> Title: Client Packages (at openvpn.net)
14:26 < occupant> ah, thank you!
14:32 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has joined #openvpn
14:32 < \malex\> i'm trying to setup an openvpn tunnel in dev tun mode. i can't seem to get any multicast packets through it. i can see them on the tun1 interface with tcpdump, but openvpn never receives them (confirmed by openvpn's debug logs and ktrace). i tried both with ospfd (my final goal is to run that) and with ping -I ip_of_tun1 224.0.0.1. in both cases tcpdump shows the packets but openvpn never receives them. could someone point me where to tr
14:36 -!- cpt-oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
14:38 <@ecrist> multicast won't pass through tun
14:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds]
14:38 <@ecrist> if you want multicast, you'll need to use tap
14:38 < \malex\> ecrist: it seems to pass on linux just fine. is this an openbsd issue?
14:38 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
14:38 -!- cpt-oblivious_ is now known as cpt-oblivious
14:39 <@ecrist> it's a tun adapter issue
14:39 < \malex\> (i should have mentioned openbsd in my original question)
14:39 < \malex\> ecrist: on linux, when i setup a dev tun tunnel, i can pass multicast packets through it all day long
14:40 <@ecrist> \malex\: the tun driver on openbsd is different than linux
14:40 <@ecrist> also, check your firewall
14:40 < \malex\> ecrist: i'm starting to see that :)
14:40 <@ecrist> if you're going to do ospf, I recommend tap and point-to-point tunnels
14:40 <@ecrist> i.e. not a server/client model
14:41 < \malex\> i'm pretty sure it's not a firewall issue, as i have pass in/out quick for the interface
14:41 < \malex\> ecrist: i was hoping to avoid point to point, since i'd like to setup a mesh of nodes. client to server reduces the number of openvpn instances each node has to run
14:42 -!- Jofironses [~kvirc@189.123.200.25] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
14:43 < \malex\> ecrist: would you have any pointers to why the openbsd tun device has this issue where linux doesn't?
14:44 <@ecrist> with a mesh of nodes, you will be better set up with point to point
14:45 < \malex\> why? my plan was to have each node run a server, and then run a client for each of the other nodes. it seems like that would be the most efficient way, no?
14:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 272 seconds]
14:45 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Quit: ABANDON SHIP! ABANDON SHIP!]
14:46 <@ecrist> no
14:47 -!- oc80z [~oc80z@blea.ch] has joined #openvpn
14:48 < \malex\> it means i only have to worry about a single server config per server, plus a single client config with varying --remote command line arguments when calling the client openvpn instances. it would also mean i only need as many openvpn processes on each node as there are nodes, instead of a square of that
14:48 < \malex\> what am i missing?
14:50 <@ecrist> you're not actually saving anything
14:50 < \malex\> i'm saving admin time :)
14:52 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
14:53 <@ecrist> ok.  knock yourself out.  come here, ask for advice, then argue about it
14:53 < \malex\> ecrist: i'm sorry, i don't mean to argue. i was really here just to find out about the multicast issue on dev tun and openbsd
14:55 < \malex\> would you have any more info on that, and how it's different between linux and openbsd?
14:55 -!- blarghlarghl [michael@efnet.math.uwaterloo.ca] has left #openvpn []
15:12 -!- Ganymede [~Ganymede@pool-96-246-221-179.nycmny.fios.verizon.net] has joined #openvpn
15:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
15:20 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.3-dev]
15:23 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:28 -!- dcajacob05work [~dan@static-173-73-108-122.washdc.fios.verizon.net] has joined #openvpn
15:30 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
15:30 < dcajacob05work> Hi all, first time here.  I have a network of computers all over the world that are tied together via openvpn.  I routinely ssh back and forth and copy files via rsync using the vpn between machines.  But I have noticed that the data-rate is much slower vi the VPN than if I were to access the computers directly.
15:31 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
15:31 < dcajacob05work> I imagine part of this is that all traffic is going through the openvpn server (is that correct?).  But I still feel like there shouldn't be as much of  speed hit s there is.
15:32 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:32 < dcajacob05work> Can anyone offer some insight or suggesstions?
15:33 < cpt-oblivious> dcajacob05work: how much of a speed hit do you get?
15:34 <+rob0> Site1 is the server. Let's say it has 1.5Mb/s down and .5Mb/s up.
15:35 <+rob0> Site2, a client, has 5Mb/s down and 1Mb/s up.
15:35 <+rob0> Site3, a client, has 3Mb/s down and 1Mb/s up.
15:36 < dcajacob05work> Maybe 10x
15:36 <+rob0> The best you can do on any client is limited by the least of those links. In this example the server's .5Mb/s up.
15:39 < dcajacob05work> I'll come back when I have some better numbers
15:40 < dcajacob05work> The server is running in AWS and all nodes typically have good, high speed access
15:40 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
15:40 -!- novaflash_away is now known as novaflash
15:42 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.3-dev]
15:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:46 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
15:54 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
15:54 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
15:54 -!- mode/#openvpn [+o novaflash] by ChanServ
15:56 -!- mattock is now known as mattock_afk
15:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
15:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
15:59 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
16:00 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
16:05 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:08 -!- heraclitus__ [~heraclitu@85.17.31.98] has joined #openvpn
16:08 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
16:09 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
16:09 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
16:10 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Client Quit]
16:12 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
16:51 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 272 seconds]
16:52 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
16:55 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
17:09 -!- cpt-oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
17:11 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
17:11 -!- cpt-oblivious_ is now known as cpt-oblivious
17:15 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
17:16 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:17 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
17:32 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
17:35 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
17:40 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
17:48 -!- s7r_e is now known as s7r
17:48 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
17:50 -!- cpt-oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
17:52 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
17:52 -!- cpt-oblivious_ is now known as cpt-oblivious
17:58 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
18:07 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
18:13 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:31 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
18:33 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
18:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:36 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
18:41 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
18:49 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
18:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:51 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has quit [Ping timeout: 252 seconds]
18:53 -!- al_nz1 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has joined #openvpn
18:53 < al_nz1> Hi All.
18:54 < al_nz1> I have a openvpn server runinning on a linux box on my lan. I can connect to VPN and SSH into it. Life is good. I have another Linux machine on the same LAN which I can ping, but not ssh into over the VPN. Anybody know why? IP forwarding is enabled
19:02 -!- mchou [~quassel@unaffiliated/mchou] has quit [Read error: Connection reset by peer]
19:04 -!- mchou [~quassel@unaffiliated/mchou] has joined #openvpn
19:08 <+P4k3> firewall on that machine?
19:09 < al_nz1> P4k3: which, the server or the machine on the lan I am trying to access?
19:09 < al_nz1> machine I am trying to access: http://pastebin.com/fzPFxtPa
19:09 <+P4k3> The machine you try to access
19:10 < al_nz1> acutally, this is machine I am trynig to access: http://pastebin.com/rR7Tm9Bz
19:10 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
19:10 < al_nz1> the one before was the server
19:10 < al_nz1> tun adapter
19:11 <+P4k3> I'm not really the right person to answer you.. but I would try disable the firewall entirely just to see if it works then. Just to get that out of the list off possible reasons why it doesn't work.
19:12 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
19:14 < al_nz1> perhaps a tcpdump analysis while trying to connect might help?
19:16 < cpt-oblivious> al_nz1: have you setup NAT rules with iptables?
19:17 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
19:22 -!- cpt-oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90-rdmsoft [XULRunner 18.0.2/20130201065344]]
19:23 < al_nz1> cpt-oblivious: no - only whats in the two pastebins
19:23 < al_nz1> does this help https://www.dropbox.com/s/oxiyew4zydnwzre/ssh
19:23 <@vpnHelper> Title: Dropbox - ssh (at www.dropbox.com)
19:24 < al_nz1> its a tcpdump during a connection on the server I am trying to access
19:42 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
19:56 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
20:14 < al_nz1> you about krzee?
20:15 <@krzee> "I have another Linux machine on the same LAN which I can ping, but not ssh into over the VPN"
20:15 <@krzee> firewall
20:15 <+__FBi> wrong port
20:15 <+__FBi> :D
20:15 <@krzee> sure, that too :D
20:16 < al_nz1> krzee: well the port is ok, its 22
20:16 <+__FBi> heya krzee
20:16 <+__FBi> netstat -l
20:16 <+__FBi> netstat -lpn
20:16 <@krzee> hey
20:16 <+__FBi> maybe it's not listening
20:17 <+__FBi> or not listening on the correct interface
20:17 < al_nz1> re firewall, these are the iptables on the machien I am trying to access: http://pastebin.com/rR7Tm9Bz
20:17 <@krzee> could also be on the vpn server
20:17 < al_nz1> __FBi: netstat on the OVPN server?
20:18 < al_nz1> this is the iptables for the vpn server : http://pastebin.com/fzPFxtPa
20:18 < al_nz1> hows things anyway krzee ?
20:18 <@krzee> are you using the iptables command or iptables-save?
20:19 <@krzee> !iptables-save
20:19 <@krzee> !factoids search iptables-save
20:19 <@vpnHelper> No keys matched that query.
20:19 < al_nz1> that output is from save
20:19 <@krzee> !factoids search
20:19 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
20:19 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
20:19 <@krzee> !factoids search --values iptables-save
20:19 <@vpnHelper> 'iptables-rules' and 'netfilter'
20:19 <@krzee> !iptables-rules
20:19 <@vpnHelper> "iptables-rules" is When posting iptables rules, please use the `iptables-save` syntax as it is easiest to read. While we try to be helpful, #netfilter may be more appropriate for complex netfilter issues
20:19 <+__FBi> al_nz1, on the computer you're trying to ssh too
20:19 -!- qwertyoruiop is now known as adaminusll
20:19 <@krzee> sorry for all that, just wanting to know which factoid for next time :D
20:19 -!- adaminusll is now known as adaminsull
20:20 <+__FBi> you've already forgotten
20:20 -!- adaminsull is now known as Guest14164
20:20 <@krzee> hmm but ping works over the vpn?
20:21 < al_nz1> netstat -lpn : http://pastebin.com/PfU5xyTK
20:21 -!- Guest14164 [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has left #openvpn []
20:21 < al_nz1> krzee: yeah
20:21 -!- adaminsuII [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
20:21 < al_nz1> thats what makes me think routing is ok
20:21 -!- adaminsuII [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
20:21 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
20:21 <@krzee> show me ifconfig on all machines, vpn client/server and target
20:22 < al_nz1> This is a tcpdump from the server : https://www.dropbox.com/s/7n7cwkhyfu064as/sshserver
20:22 <@vpnHelper> Title: Dropbox - sshserver (at www.dropbox.com)
20:22 < al_nz1> you can see the ssh banners
20:22 < al_nz1> target: http://pastebin.com/WXNQ74fs
20:23 < al_nz1> vpn server: http://pastebin.com/TJ6ytUER
20:24 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Client Quit]
20:25 <+__FBi> al_nz1, are you connecting throgh the VPN or your eth0
20:25 <+rob0> Forgotten what?
20:25 <@krzee> __FBi, its the vpn client that hes trying to ssh from
20:25 < al_nz1> krzee: yes
20:26 <@krzee> al_nz1, now ifconfig from vpn client, and then the log file from the server at verb 5
20:26 <@krzee> i want the log file to include the vpn client connecting, and then trying to ping, and then trying to ssh
20:26 < al_nz1> krzee: client is a adnroid phone, but heres the stats https://www.dropbox.com/s/2d4edjdge363ndx/Screenshot_2014-01-04-15-25-31.png
20:26 <@vpnHelper> Title: Dropbox - Screenshot_2014-01-04-15-25-31.png (at www.dropbox.com)
20:26 <@krzee> al_nz1, can you test this from a computer?
20:26 <@krzee> rule out it being an android problem
20:27 < al_nz1> krzee: sure, thats my plan, but havent got one at the moment
20:27 < al_nz1> changed verb to 5 (from 3) and restaring service now
20:28 <@krzee> well get one :D
20:29 <@krzee> tether another computer over your cellphone internet and make it a client or something
20:29 < al_nz1> krzee: yip.
20:29 < al_nz1> the log file being /etc/openvpn/openvpn-status.log or is there one somewhere else?
20:29 <@krzee> !logfile
20:29 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
20:31 < al_nz1> ok, looking for log
20:31 < al_nz1> here is tcp dump on target: https://www.dropbox.com/s/oxiyew4zydnwzre/ssh
20:31 <@vpnHelper> Title: Dropbox - ssh (at www.dropbox.com)
20:31 <@krzee> not downloading that :D
20:31 < al_nz1> hmm, ok, I could screen shot it  :-)
20:32 <@krzee> server log at verb 5 will tell me what i need
20:32 <@krzee> or maybe i'll need it from the client
20:32 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
20:32 < al_nz1> you want the whole syslog?
20:33 <@krzee> not really, i want from when you start the vpn til what i asked for
20:34 < al_nz1> k
20:34 <@krzee> <krzee> i want the log file to include the vpn client connecting, and then trying to ping, and then trying to ssh
20:34 <@krzee> so start til then
20:36 < al_nz1> shit
20:36 < al_nz1> I deleted syslog to start clean
20:36 < al_nz1> did everything you said
20:36 < al_nz1> and syslog is still gone
20:41 <@EugeneKay> You probably need to restart rsyslogd....
20:42 < al_nz1> yeah, but that didnt do it
20:42 < al_nz1> unless the perms on my new syslog file are wrong
20:42 < al_nz1> I did touch syslog
20:42 <@EugeneKay> ....don't do that.
20:42 <@EugeneKay> syslog's init script will handle it
20:44 < al_nz1> ok ta
20:45 < al_nz1> syslog : http://pastebin.com/fRCcwUDq
20:45 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
20:45 <@krzee> use --log
20:46 <@krzee> make a real logfile
20:46 < al_nz1> server.conf option
20:46 <@krzee> yes
20:46 <@krzee> and it needs to be at verb 5
20:47 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
20:47 < al_nz1> so something like log-append /var/log/openvpn_server.log in server.conf?
20:48 <@ecrist> sup bitches
20:55 < al_nz1> krzee: ok - real log file
20:55 < al_nz1> http://pastebin.com/be84BFpk
20:56 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
20:59 < al_nz1> krzee: does that shed any light?
21:10 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
21:20 -!- heraclitus__ [~heraclitu@85.17.31.98] has quit [Quit: Ping timeout: 221 seconds]
21:23 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:32 <@krzee> the traffic is passing through the vpn fine
21:33 <@krzee> can you try something besides ssh?  whats running on 4444?
21:34 <@krzee> does ssh work direct over wifi?
21:40 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
21:40 <@krzee> (from the android)
21:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
21:48 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
21:59 -!- js_ [~js@js.madepeople.se] has quit [Ping timeout: 252 seconds]
22:00 -!- js_ [~js@js.madepeople.se] has joined #openvpn
22:00 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 252 seconds]
22:01 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
22:03 -!- devdel [~d3vd3l@178.174.210.205] has joined #openvpn
22:03 -!- devdel [~d3vd3l@178.174.210.205] has quit [Client Quit]
22:06 -!- js_ [~js@js.madepeople.se] has quit [Ping timeout: 260 seconds]
22:12 -!- js_ [~js@js.madepeople.se] has joined #openvpn
22:31 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
22:43 -!- hardc0de [~hardc0de@94.102.53.155] has joined #openvpn
22:44 < hardc0de> hi
22:44 < hardc0de> is there any way i can route openvpn server traffic connecting to the internet through a socks proxy?
22:44 < hardc0de> Like this:
22:44 < hardc0de> CLIENT ----- OPENVPN ----- SOCKS ------- INTERNET
22:45 <@ecrist> !man
22:45 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
22:46 < hardc0de> I tried looking in the manpages, but i was not able to find an answer. Could you point me into the right direction, please?
22:49 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
22:51 <@EugeneKay> !routebyapp
22:51 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
22:51 <@vpnHelper> defined policies you set. For Linux, read about !lartc
22:51 <@EugeneKay> !sockd
22:51 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
22:51 <@EugeneKay> Your client's applications must be configured to use the SOCKS proxy; there's nothing in openvpn for this.
22:52 < hardc0de> or i could route all openvpn traffic through this: http://dtbaker.net/random-linux-posts/redirect-all-traffic-through-transparent-socks5-proxy-in-linux/?
22:52 <@vpnHelper> Title: Redirect all (TCP) traffic through transparent socks5 proxy in Linux | dtbaker (at dtbaker.net)
22:52 <@EugeneKay> I'm guessing that's a iptables trick to force things through SOCKS? Sure. No different from any other setup wrt openvpn
22:56 < hardc0de> But this forces ALL traffic through redsocks, could I just do iptables -t nat - A OUTPUT -p tcp -s 10.9.0.0/24 -j REDSOCKS where 10.9.0.0/24 is my internal openvpn sub?
22:56 < hardc0de> i'm not very experienced with iptables, that's why im asking
23:13 -!- hardc0de_ [~hardc0de@d54C663D8.access.telenet.be] has joined #openvpn
23:16 -!- hardc0de_ [~hardc0de@d54C663D8.access.telenet.be] has quit [Client Quit]
23:17 -!- hardc0de [~hardc0de@94.102.53.155] has quit [Ping timeout: 252 seconds]
23:22 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
23:29 <@EugeneKay> !iptables
23:29 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
23:29 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
23:29 <@EugeneKay> I charge for my iptables experience. See #3 ;-)
23:40 <@krzee> hardc0de wanted:
23:40 <@krzee> !sockd
23:40 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
23:43 <@krzee> oh my mistake you said that
23:43 <@krzee> :D
--- Day changed Sat Jan 04 2014
00:20 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
00:20 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
00:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:35 -!- \malex\ [vfcq0wjjbf@unaffiliated/malex/x-000000001] has quit [Ping timeout: 252 seconds]
00:47 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
00:48 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
00:54 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Ping timeout: 260 seconds]
01:02 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
01:02 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 246 seconds]
01:03 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:04 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
01:13 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
01:21 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
01:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:38 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 245 seconds]
01:39 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
02:18 -!- krzee was kicked from #openvpn by EugeneKay [incompetence well not be tolerated]
02:18 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
02:18 -!- mode/#openvpn [+o krzee] by ChanServ
02:41 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
02:49 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
02:51 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:58 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
03:13 -!- Netsplit *.net <-> *.split quits: +stickpin_, Cybertinus, Sorcier_FXK, b00b, [1]JPeterson, Mike--, JackWinter, mete, +s0meone, Haigha,  (+196 more, use /NETSPLIT to show all of them)
03:16 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
03:16 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
03:26 -!- surfmasta [~surfmasta@80.92.88.10] has joined #openvpn
03:28 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
03:29 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
03:29 -!- stickpin_ [~b@173.244.215.195] has joined #openvpn
03:29 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
03:29 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvvv TypoNe stickpin_ andi KiNgMaR] by holmes.freenode.net
03:29 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
03:29 -!- P4k3 [~P4k3@c-5a34e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
03:29 -!- EugeneKay [eugene@clockworkmod.org] has joined #openvpn
03:29 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn
03:29 -!- ibins [~ibins@cl-147.ham-02.de.sixxs.net] has joined #openvpn
03:29 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvoo clu5ter P4k3 EugeneKay raidz] by holmes.freenode.net
03:29 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
03:29 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
03:29 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
03:29 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:29 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
03:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:29 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has joined #openvpn
03:29 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
03:29 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
03:29 -!- fred`` [fred@earthli.ng] has joined #openvpn
03:29 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
03:29 -!- cali [~cali@unaffiliated/cali] has joined #openvpn
03:29 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
03:29 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
03:29 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
03:29 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
03:29 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
03:29 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
03:29 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
03:29 -!- crus [~crusader@2001:44b8:319e:2900:9835:2f69:4e9b:963] has joined #openvpn
03:29 -!- m01 [~quassel@gateway/shell/freebnc/x-kwktizfwtqbgrmbe] has joined #openvpn
03:29 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
03:29 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
03:29 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
03:29 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
03:29 -!- marlinc_ [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
03:29 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
03:29 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvvv pnielsen Chrisje fred`` ben1066] by holmes.freenode.net
03:29 -!- Champi [Champi@rootshell.fr] has joined #openvpn
03:29 -!- hgax_ [~hgax@162.243.112.153] has joined #openvpn
03:29 -!- Eryn_1983_FL [~Eryn_1983@72.238.104.100] has joined #openvpn
03:29 -!- kraut [~kraut@212.6.65.173] has joined #openvpn
03:29 -!- js_ [~js@js.madepeople.se] has joined #openvpn
03:29 -!- Ganymede [~Ganymede@pool-96-246-221-179.nycmny.fios.verizon.net] has joined #openvpn
03:29 -!- abd [~abd@213.178.230.126] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+v Champi] by holmes.freenode.net
03:29 -!- _br_ [~bjoern_fr@213-239-215-232.clients.your-server.de] has joined #openvpn
03:29 -!- Aelius_ [~link@unaffiliated/aelius] has joined #openvpn
03:29 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
03:29 -!- noobboob [uid5587@gateway/web/irccloud.com/session] has joined #openvpn
03:29 -!- Gelos [sid17176@gateway/web/irccloud.com/x-bewrozhigkmhinfa] has joined #openvpn
03:29 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
03:29 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
03:29 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:29 -!- Haseo [~Haseo@2001:41d0:2:c0f::1] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+o dazo_afk] by holmes.freenode.net
03:29 -!- keropok [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
03:29 -!- kossy [a@kossy.org] has joined #openvpn
03:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
03:29 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
03:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-yreiixufiuvanzbr] has joined #openvpn
03:29 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
03:29 -!- master_of_master [~master_of@p4FF241F6.dip0.t-ipconnect.de] has joined #openvpn
03:29 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
03:29 -!- dcajacob05work [~dan@static-173-73-108-122.washdc.fios.verizon.net] has joined #openvpn
03:29 -!- mchou [~quassel@unaffiliated/mchou] has joined #openvpn
03:29 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
03:29 -!- Bretos1 [~Bretos@vps.tyborek.pl] has joined #openvpn
03:29 -!- ngharo_ [~ngharo@nexus.sypherz.com] has joined #openvpn
03:29 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
03:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:29 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
03:29 -!- Cr4zi3 [crazie@staff.xbins.org] has joined #openvpn
03:29 -!- niftylettuce [uid2733@gateway/web/irccloud.com/session] has joined #openvpn
03:29 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
03:29 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
03:29 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
03:29 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
03:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:29 -!- occupant [~null@204.14.158.226] has joined #openvpn
03:29 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
03:29 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has joined #openvpn
03:29 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
03:29 -!- bogie [bogie@2001:4ba0:fffd:65::101] has joined #openvpn
03:29 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
03:29 -!- dowaat [uid3966@gateway/web/irccloud.com/x-mstbttybevfpjnlt] has joined #openvpn
03:29 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has joined #openvpn
03:29 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
03:29 -!- troj_ [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
03:29 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
03:29 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
03:29 -!- Hes [GVUQS1ZX@tunkki.fi] has joined #openvpn
03:29 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
03:29 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
03:29 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
03:29 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
03:29 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
03:29 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
03:29 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
03:29 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
03:29 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
03:29 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+o krzee] by holmes.freenode.net
03:29 -!- aji [~alex@atheme/member/aji] has joined #openvpn
03:29 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
03:29 -!- oO0Oo [o_o@gateway/shell/elitebnc/x-sydkpidmlwgmexxp] has joined #openvpn
03:29 -!- saneki [~saneki@dedi2.ip1.zylongaming.com] has joined #openvpn
03:29 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
03:29 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
03:29 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
03:29 -!- emid [~emid@192.241.162.156] has joined #openvpn
03:29 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
03:29 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvvv batrick emid lickalott dos-freak] by holmes.freenode.net
03:29 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
03:29 -!- rkantos_ [robin@4e.fi] has joined #openvpn
03:29 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
03:29 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvvv GabrieleV rkantos_ s0meone simcop2387] by holmes.freenode.net
03:29 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
03:29 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn
03:29 -!- __bt [foobar@77.240.12.157] has joined #openvpn
03:29 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvvv _quadDamage pwrcycle __bt tharkun] by holmes.freenode.net
03:29 -!- namidark [~namidark@192.34.61.38] has joined #openvpn
03:29 -!- volnukhin [~ka4ok@141.0.170.169] has joined #openvpn
03:29 -!- thalweg [~quassel@198.211.102.196] has joined #openvpn
03:29 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vvvv namidark volnukhin thalweg davidmp] by holmes.freenode.net
03:29 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
03:29 -!- levifig [~levifig@hakr.io] has joined #openvpn
03:29 -!- ServerMode/#openvpn [+vv krphop levifig] by holmes.freenode.net
03:30 -!- Cr4zi3 [crazie@staff.xbins.org] has quit [Excess Flood]
03:30 -!- Rallias [~Rallias@unaffiliated/gasseus] has joined #openvpn
03:30 -!- akselii [~akselii@tsydeemi.eu] has joined #openvpn
03:30 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
03:30 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
03:30 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
03:30 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:30 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
03:30 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
03:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:30 -!- ServerMode/#openvpn [+vvvv jzaw kenyon ketas plaisthos] by holmes.freenode.net
03:30 -!- __FBi [~B@uwantmy.info] has joined #openvpn
03:30 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
03:30 -!- ServerMode/#openvpn [+vv __FBi kloeri] by holmes.freenode.net
03:30 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:30 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
03:30 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
03:30 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
03:30 -!- Denial [Denial@2.217.201.230] has joined #openvpn
03:30 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
03:30 -!- mete [~mete@91.247.253.160] has joined #openvpn
03:30 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
03:30 -!- Fetch [fetch@gimel.cepheid.org] has joined #openvpn
03:30 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
03:30 -!- piem [~piem@coconut.piem.org] has joined #openvpn
03:30 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
03:30 -!- lazzer [~mattias@213.132.98.41] has joined #openvpn
03:30 -!- caelian2 [~caelian@ovh.caelian.net] has joined #openvpn
03:30 -!- ServerMode/#openvpn [+vvvv piem rooth lazzer caelian2] by holmes.freenode.net
03:30 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
03:30 -!- ServerMode/#openvpn [+v mrrg] by holmes.freenode.net
03:30 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
03:30 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
03:30 -!- nutron [~nutron@184.68.34.30] has joined #openvpn
03:30 -!- ppr [~peper@node.piotrj.org] has joined #openvpn
03:30 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
03:30 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
03:30 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
03:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:30 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
03:30 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
03:30 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
03:30 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
03:30 -!- riddle [riddle@us.yunix.net] has joined #openvpn
03:30 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
03:30 -!- Varazir [~mircwars@c-94-255-130-121.cust.bredband2.com] has joined #openvpn
03:30 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
03:30 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
03:30 -!- C-S-B [~C-S-B@host86-173-99-141.range86-173.btcentralplus.com] has joined #openvpn
03:30 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
03:30 -!- Serano [~serano@rooty.be] has joined #openvpn
03:30 -!- ServerMode/#openvpn [+ovv novaflash s7r rob0] by holmes.freenode.net
03:30 -!- niftylettuce [uid2733@gateway/web/irccloud.com/session] has quit [Changing host]
03:30 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-wsbvzznmfporkzph] has joined #openvpn
03:30 -!- noobboob [uid5587@gateway/web/irccloud.com/session] has quit [Changing host]
03:30 -!- noobboob [uid5587@gateway/web/irccloud.com/x-bivymlgvsznyvpty] has joined #openvpn
03:31 -!- jhp [~jhp@zeus.jhprins.org] has joined #openvpn
03:31 -!- ppr [~peper@node.piotrj.org] has quit [Max SendQ exceeded]
03:31 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
03:31 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
03:31 -!- peper [~peper@node.piotrj.org] has joined #openvpn
03:31 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:32 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
03:35 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
03:35 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
03:35 -!- fvalente [~fvalente@ts.node.pt] has joined #openvpn
03:35 -!- guntha [~guntha@unaffiliated/guntha] has joined #openvpn
03:35 -!- jefferai [~quassel@kde/mitchell] has joined #openvpn
03:35 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wcofceathvnlwqvb] has joined #openvpn
03:35 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
03:35 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
03:35 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
03:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
03:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
03:39 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
03:44 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
03:44 -!- franks2 [~frank@frank2.net] has joined #openvpn
03:44 -!- al_nz1 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has joined #openvpn
03:44 -!- _manfred_ [~IceChat77@12.109.211.60] has joined #openvpn
03:44 -!- bwallen [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has joined #openvpn
03:44 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
03:44 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
03:44 -!- bersace [~bersace@sevin.cae.li] has joined #openvpn
03:44 -!- ServerMode/#openvpn [+vv kisom bersace] by holmes.freenode.net
03:48 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
03:53 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:53 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
03:53 -!- MorgyN_ [~mig@island.morgyn.org] has joined #openvpn
03:53 -!- Guest35323 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
03:53 -!- oc80z [~oc80z@blea.ch] has joined #openvpn
03:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:53 -!- codehero [codehero@irc.coding4coffee.org] has joined #openvpn
03:53 -!- sgiratch [~sgiratch@unaffiliated/sgiratch] has joined #openvpn
03:53 -!- EmLeX_ [~emx@37.46.193.18] has joined #openvpn
03:53 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
03:53 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
03:53 -!- ServerMode/#openvpn [+vovv hazardous mattock pcdummy AsadH] by holmes.freenode.net
03:53 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
03:53 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
03:53 -!- ServerMode/#openvpn [+vv lamokie Matir] by holmes.freenode.net
03:54 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:55 -!- Guest35323 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
03:55 -!- jhp is now known as Guest10116
03:55 -!- nutron is now known as Guest10517
03:55 -!- jtrucks is now known as Guest37622
03:55 -!- Olipro is now known as Guest53562
03:55 -!- ex0a [~high@unaffiliated/ex0a] has joined #openvpn
03:56 -!- Guest35323 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
03:56 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
04:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
04:11 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
04:23 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
04:24 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
04:35 -!- caelian2 [~caelian@ovh.caelian.net] has quit [Quit: RUN FOR YOUR LIVES!]
04:49 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
04:59 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 272 seconds]
05:02 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:23 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
05:31 -!- PhSnake [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
05:33 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
05:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:35 -!- PhSnake_ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
05:35 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
05:37 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
05:38 -!- PhSnake [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 245 seconds]
05:40 -!- PhSnake_ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
05:40 -!- PhSnake_ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
05:42 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
05:46 -!- PhSnake__ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
05:48 -!- PhSnake_ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Ping timeout: 246 seconds]
05:53 -!- PhSnake__ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has left #openvpn []
05:53 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
06:01 -!- Bretos1 [~Bretos@vps.tyborek.pl] has quit [Quit: RUN FOR YOUR LIVES!]
06:01 -!- Bretos1 [~Bretos@vps.tyborek.pl] has joined #openvpn
06:01 -!- Steven_ [~deepstar@pegasus.singularity.be] has joined #openvpn
06:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:05 -!- marmot21 [~marmot21@122-148-63-161.static.dsl.dodo.com.au] has joined #openvpn
06:06 < marmot21> hey
06:06 < marmot21> i had to figure out how to get a irc client so im not sure if this is working
06:07 < Steven_> hi
06:07 < Steven_> marmot21: irc seems to work for you
06:08 < marmot21> oh cool
06:08 < marmot21> had a quick question regarding the "GNU GPL" licence
06:08 < Steven_> I have a routed site-to-site VPN setup. Is it possible to log connections through the VPN? e.g. I want to see who connects where and keep a log
06:10 < marmot21> wikipedia lists you guys as GPL, yet on your site i see you must buy licences, I'm slightly confused
06:12 < Steven_> I think the software is GPL
06:13 < Steven_> and you are looking at an online service, with a different license
06:17 < marmot21> oh ok...
06:22 -!- klein [~klein@187.85.184.35] has joined #openvpn
06:22 -!- klein [~klein@187.85.184.35] has quit [Changing host]
06:22 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:32 -!- marmot21 [~marmot21@122-148-63-161.static.dsl.dodo.com.au] has quit [Ping timeout: 272 seconds]
06:41 -!- takamichi [~takamichi@85.12.8.104] has quit [Quit: Computer has gone to sleep.]
06:46 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has quit [Ping timeout: 245 seconds]
06:55 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
07:17 -!- Sandfly [~ma1com10t@host-92-20-1-125.as13285.net] has joined #openvpn
07:18 < Sandfly> is --nice impletemented under windows ?
07:18 -!- Guest35323 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: Connection reset by peer]
07:18 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
07:23 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
07:35 -!- Sandfly2 [~ma1com10t@host-92-20-1-125.as13285.net] has joined #openvpn
07:39 -!- Sandfly [~ma1com10t@host-92-20-1-125.as13285.net] has quit [Ping timeout: 260 seconds]
07:47 -!- Sandfly2 is now known as debbie10t
07:49 -!- debbie10t is now known as debbie10t|afk
07:49 < PhSnake__> Hi people, please is here anyone who can post working TUN config for drvr and client as well? I'd like to connect with my droid phone(app doesnt support TAP) and with my nbook but that way that I'll be able to connect to my samba shared hdd on router(the one running openvpn) or I can show my cfg, and if someone will be so kind and point me to errors...
07:53 -!- debbie10t|afk2 [~ma1com10t@host-92-20-1-125.as13285.net] has joined #openvpn
07:56 -!- debbie10t|afk [~ma1com10t@host-92-20-1-125.as13285.net] has quit [Ping timeout: 260 seconds]
08:19 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 252 seconds]
08:20 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
08:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:26 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
08:27 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
08:49 -!- debbie10t|afk2 is now known as debbie10t
09:08 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
09:15 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Quit: Ex-Chat]
09:23 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
09:35 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
09:36 -!- mattock is now known as mattock_afk
09:36 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
09:39 -!- marmot21 [~marmot21@122-148-63-161.static.dsl.dodo.com.au] has joined #openvpn
09:39 < marmot21> hey guys
09:40 < marmot21> do you need to run the dh script everytime you generate a new client key?
09:40 < marmot21> deffie hellman
09:40 <@krzee> no
09:40 <@krzee> dh params are only on the server
09:41 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
09:41 < marmot21> ok sweet
09:42 <@krzee> PhSnake__,
09:42 <@krzee> !sample
09:43 -!- Devastatr [~devas@186.214.14.38] has joined #openvpn
09:44 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 245 seconds]
09:46 < marmot21> and how does the challange password work?
09:47 < marmot21> i set one on the main ca key, but when is it needed?
09:48 <@krzee> you using easy rsa 2 or 3?
09:48 <@krzee> !easy-rsa
09:48 <@krzee> heyyyyy
09:48  * krzee goes bot hunting
09:49 < marmot21> 2
09:49 < marmot21> the one that came with openvpn using apt
09:50 <+kisom> marmot21: That's a distro specific question. Go ask the debian developers.
09:50 < marmot21> haha, ok
09:52 <@krzee> ehh?
09:52 <@krzee> no its not :-p
09:52 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
09:52 -!- mode/#openvpn [+o vpnHelper] by ChanServ
09:52 <+kisom> Does the openvpn team write the configs that ships with Debian?
09:52 <+kisom> Last I checked, they did not.
09:52 <@krzee> !easy-rsa
09:52 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
09:52 <@krzee> kisom, hes just asking about easy-rsa dude
09:53 <+kisom> Yeah sorry
09:53 <+kisom> I'm a bit pissed atm :P
09:53 <+kisom> I'll AFK
09:53 <@krzee> =]
09:53 <@krzee> hope it gets better
09:54 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:02 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
10:02 -!- PhSnake___ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
10:05 < marmot21> oh ok, so the password thing when generating keys?
10:07 <@krzee> well in v2 theres some part that sounds like a pass but is useless
10:07 <@krzee> im not sure what it was called, i dont use easy-rsa (although i plan on trying out 3 soon)
10:07 < marmot21> ah ok
10:07 <@krzee> just use 3 and follow the page
10:10 < marmot21> so i saw in the howto about generating a key locally, I'd there a more detailed guide somewhere?
10:10 < marmot21> (so you recommend using 3?)
10:13 -!- PhSnake____ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
10:13 -!- PhSnake____ is now known as PhSnake__
10:15 -!- PhSnake___ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Ping timeout: 252 seconds]
10:18 -!- PhSnake__ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Read error: Connection reset by peer]
10:23 < mingdao> marmot21: Do you mean creating the keys and certificates for the client on the client, rather than on the server?
10:24 < debbie10t> marmot21: EasyRSA 222 is the current version - V3 is a release candidate
10:24 < debbie10t> I use 222
10:25 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has joined #openvpn
10:25 < debbie10t> in order to include a password in your client cert use build-key-pass instead of build-key
10:26 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Read error: Connection reset by peer]
10:26 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
10:29 < debbie10t> marmot21: if you do include a password you will not be able to connect automatically
10:29 < debbie10t> a person will have to be present
10:31 -!- master_o1_master [~master_of@p4FF2463E.dip0.t-ipconnect.de] has joined #openvpn
10:34  * propheticsquiddy waves@ all, novaflash
10:34 <@novaflash> hi propheticsquiddy
10:34 -!- master_of_master [~master_of@p4FF241F6.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
10:34 <@novaflash> any predictions for today?
10:35 <@novaflash> "we will have a lot of weather today" ?
10:36 < propheticsquiddy> yes! you must have the gift too
10:37 <@novaflash> yeah i'm a technical guy
10:37 <@novaflash> technically correct information, but useless
10:40 < propheticsquiddy> hehe
10:44 -!- PhSnake__ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
10:46 -!- marmot21 [~marmot21@122-148-63-161.static.dsl.dodo.com.au] has quit [Remote host closed the connection]
10:55 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
10:55 < PhSnake__> hi, plz can someone check whats wrong in my OpenVPN cfg? I get IP as I want to (192.168.2.xx) I can access some samba shares on 192.168.1.0/24 (router is 192.168.1.1)... but DNS doesnt work for some reasoon, or better said if I'm on VPN I cannot browse on internet :-( PLZ PLZ PLZ help - mi configs - srvr and client http://pastebin.com/bTJcpMnq & http://pastebin.com/a73PKV5z      THX
10:56 -!- doug[home] [~dbh@ool-44c45391.dyn.optonline.net] has joined #openvpn
10:56 < doug[home]> okay, i feel extremely stupid even asking this but i mtired and not thinking clearly.
10:56 < doug[home]> I want to use my PS3 to view my media server, but it's in a different location and I need DLNA to work for that
10:56  * doug[home] does have a workign s2s between them
10:57 < doug[home]> is there some any gangster stuff I could do to make it work
10:57 -!- PhSnake___ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
10:59  * doug[home] is leary of the acronym GRE
10:59 -!- fwilson [fwilson@wikipedia/Fox-Wilson] has joined #openvpn
11:00 -!- jeffjohnston12 [~jackbob@109.106.104.19] has joined #openvpn
11:00 -!- PhSnake__ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 245 seconds]
11:00 < jeffjohnston12> hey.
11:01 < jeffjohnston12> I have clear os setup with open vpn on it and they are working
11:01 -!- fwilson [fwilson@wikipedia/Fox-Wilson] has left #openvpn ["WeeChat 0.4.1"]
11:01 < jeffjohnston12> i want to route all traffic through the vpn and allow access to lan
11:01 < jeffjohnston12> should i make a new config file in the /etc/ dir?
11:04 -!- PhSnake______ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
11:04 -!- PhSnake___ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
11:05 -!- PhSnake______ is now known as PhSnake__
11:11 < PhSnake__> reboot
11:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:16 -!- jeffjohnston12 [~jackbob@109.106.104.19] has quit []
11:25 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:27 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Client Quit]
11:29 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:38 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:39 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
11:45 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
11:51 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
11:52 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:53 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
11:54 < Weasel_> is it possible to open already created macvlan device as openvpn tap device? in qemu it is possible by passing file descriptor as an argument, openvpn 2.2.1.
12:03 < PhSnake__> hi, plz can someone check whats wrong in my OpenVPN cfg? I get IP as I want to (192.168.2.xx) I can access some samba shares on 192.168.1.0/24 (router is 192.168.1.1)... but DNS doesnt work for some reasoon, or better said if I'm on VPN I cannot browse on internet :-( PLZ PLZ PLZ help - mi configs - srvr and client http://pastebin.com/bTJcpMnq & http://pastebin.com/a73PKV5z      THX
12:04 -!- abd [~abd@213.178.230.126] has quit [Read error: No route to host]
12:04 -!- simpleTon``` [~ck@109.161.148.60] has joined #openvpn
12:04 < simpleTon```> hi
12:05 < debbie10t> PhSnake__ for a start you have commented out your keys on the client
12:05 < simpleTon```> i m facing very slow speed connecting my openvpn windows client to my centos openvpn server..
12:06 < PhSnake__> debbie: i dont think so as i use pk12
12:06 < debbie10t> ok - didnt see that
12:06 < debbie10t> got any client log ?
12:07 < PhSnake__> you mean from openvpn gui?
12:08 < debbie10t> yes
12:09 < PhSnake__> http://pastebin.com/shNqVxMf
12:10 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Ping timeout: 252 seconds]
12:12 < debbie10t> PhSnake__ : Sat Jan 04 18:03:59 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {CF8CCFAB-8EC7-4168-A0BC-CD0B24D7E958} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
12:13 < debbie10t> !/30
12:13 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
12:14 < PhSnake__> ? how to use that ---topology? where to put it plzz?
12:14 -!- simpleTon``` [~ck@109.161.148.60] has quit [Quit: time heals but i'm forever broken]
12:16 -!- mreithub_ [~mreithub@188-23-11-174.adsl.highway.telekom.at] has joined #openvpn
12:16 -!- mreithub [~mreithub@188-23-3-36.adsl.highway.telekom.at] has quit [Ping timeout: 265 seconds]
12:17 < debbie10t> your server .. which is not true openvpn server .. so read the documentation for your server
12:17 < debbie10t> or change your server & client to net30
12:20 < debbie10t> what is your server ?
12:21 < PhSnake__> openwrt, openvpn 2.2.2
12:33 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
12:34 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
12:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:48 < debbie10t> I don't think openwrt supports topology subnet
12:49 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
12:50 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
12:50 < debbie10t> PhSnake__ you could try just push 'topology' 'subnet'  on the server
12:53 < PhSnake__> list 'push'      'topology subnet'
12:53 < pekster> openwrt does fine in subnet so long as you're using >2.0.9
12:56 -!- PhSnake___ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
12:59 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Ping timeout: 265 seconds]
13:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:05 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
13:05 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
13:07 < PhSnake__> seems that it didnt help :-(, although that directive was recieved
13:07 < PhSnake__> Sat Jan 04 20:01:05 2014 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 192.168.1.1,dhcp-option DNS 8.8.8.8,route 192.168.2.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.2.6 192.168.2.5'
13:08 -!- PhSnake___ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 260 seconds]
13:10 < pekster> topology net30 is what was pushed
13:10 < pekster> Both sides need the _same_ topology
13:17 < PhSnake__> so i need to put it somehow to client config?
13:17 < pekster> Normally the server will push it and the client will pull it
13:19 < PhSnake__> but anyway it didnt helped :-( i still can see samba on router(192.168.1.1) , i can ssh... but internet as such deosnt work when im on vpn
13:20 < pekster> What's the goal here?
13:20 < pekster> If you're trying to redirect Internet traffic, you need:
13:20 < pekster> !redirect
13:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:20 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:20 < pekster> If you're also trying to get access to the server-LAN, the server network's gateway needs a return route to the VPN range
13:20 < pekster> Also, don't use common networks on your server. 192.168.1.0/24 is a horrible idea as that's used everywhere
13:31 < PhSnake__> !def1
13:31 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
13:31 < PhSnake__> !ipforward
13:31 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:32 < PhSnake__> !linipforward
13:32 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
13:33 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Remote host closed the connection]
13:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:38 -!- PhSnake____ [~PhSnake@pat-ip-195-91-7-167.gprs.as5628.telecom.sk] has joined #openvpn
13:38 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
13:38 -!- PhSnake____ is now known as PhSnake__
13:39 -!- Guest37622 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has left #openvpn []
13:39 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
13:39 -!- PhSnake____ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
13:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: BBL]
13:43 -!- PhSnake__ [~PhSnake@pat-ip-195-91-7-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 272 seconds]
13:44 -!- PhSnake_____ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
13:44 -!- PhSnake_____ is now known as PhSnake__
13:44 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
13:44 -!- simpleTon``` [~ck@109.161.148.60] has joined #openvpn
13:45 < simpleTon```> i want to access my servers' network 192.168.0.XX..  i can access only acess the openvpn server 192.168.0.10 ....... whats rhte route add command?
13:47 -!- PhSnake____ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 260 seconds]
13:47 < pekster> See !serverlan for info and a flowchart. This said, use a smarter network that's less-likely to collide with remote netwnorks
13:47 < simpleTon```> !serverlan
13:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:47 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:47 <@krzee> pekster, been enjoying 30c3 yet?
13:47 < simpleTon```> !ipforward
13:47 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:47 -!- PhSnake___ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
13:50 -!- PhSnake____ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
13:51 -!- PhSnake__ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Ping timeout: 272 seconds]
13:52 < simpleTon```> !route
13:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:52 <@vpnHelper> client
13:53 < PhSnake____> !serverlan
13:53 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:53 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:54 -!- PhSnake___ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 272 seconds]
14:00 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
14:00 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
14:05 -!- simpleTon``` [~ck@109.161.148.60] has quit [Quit: in my mind i am everyone of you]
14:05 -!- simpleTon``` [~ck@109.161.148.60] has joined #openvpn
14:06 < simpleTon```> how o check the openvpn speeds? how to improve it
14:09 <@krzee> !gigabit
14:09 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
14:11 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:12 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
14:15 -!- simpleTon``` [~ck@109.161.148.60] has quit [Quit: jennifer ever]
14:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:27 -!- marlinc_ [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
14:36 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
14:37 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
14:40 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:40 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
15:04 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Read error: Connection reset by peer]
15:06 -!- PhSnake_____ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has joined #openvpn
15:06 -!- PhSnake_____ is now known as PhSnake__
15:08 -!- PhSnake____ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Ping timeout: 260 seconds]
15:11 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
15:11 -!- PhSnake___ [~PhSnake@dial-109-230-33-39.orange.sk] has joined #openvpn
15:15 -!- PhSnake__ [~PhSnake@pat-ip-195-91-13-167.gprs.as5628.telecom.sk] has quit [Ping timeout: 265 seconds]
15:15 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
15:15 < PhSnake___> finaly I maged to have full conn thru OpenVPN - i had problem with firewal.user ( i had to change iptables -I OUTPUT -o tap+ -j ACCEPT to iptables -I OUTPUT -o tun+ -j ACCEPT - 2letters diferrent did the trick)
15:19 -!- dbdbdb [c0de811c@gateway/web/cgi-irc/kiwiirc.com/ip.192.222.129.28] has joined #openvpn
15:23 < dbdbdb> Hi. My company has an openvpn on an amazon server, and a webservice on another server on amazon that I need to access. If go to the vpn server webadresses I can download a  configuration file and then use it to connect to the vpn. However, even after doing so I cannot connect to the webservice! The webservice traffic does not seem to be being route
15:23 < dbdbdb> d through the vpn. How do I make the traffic to a certain IP go through the VPN?
15:23 < dbdbdb> I tried to do "sudo ip route add IPOFWEBSERVICE/32 dev tun0" on the client but it's not working
15:25 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Read error: Connection reset by peer]
15:29 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
15:46 -!- Devastatr [~devas@186.214.14.38] has quit [Read error: Connection reset by peer]
15:51 < pekster> dbdbdb: OpenVPN does not have a "webservice". Maybe you're looking for:
15:51 < pekster> !as
15:51 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
15:51 < pekster> OpenVPN is a CLI program (though Windows does come with an officially-maintained GUI frontend as a tray icon agent)
16:00 -!- dbdbdb [c0de811c@gateway/web/cgi-irc/kiwiirc.com/ip.192.222.129.28] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
16:03 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 246 seconds]
16:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:08 <@krzee> http://cdn.media.ccc.de/congress/2013/mp4/30c3-5478-en-de-Backdoors_Government_Hacking_and_The_Next_Crypto_Wars_h264-hq.mp4
16:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:10 <@krzee> !ping
16:10 <@vpnHelper> pong
16:14 -!- Steven_ [~deepstar@pegasus.singularity.be] has quit [Quit: leaving]
16:18 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:18 -!- mode/#openvpn [+o dazo_afk] by ChanServ
16:18 -!- dazo_afk is now known as dazo
16:19 -!- PhSnake___ [~PhSnake@dial-109-230-33-39.orange.sk] has quit [Quit: ~ Trillian - www.trillian.im ~]
16:23 -!- bjh4 [~bjh4@ool-4354103f.dyn.optonline.net] has joined #openvpn
16:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:40 -!- msackett [~msackett@173-12-173-89-oregon.hfc.comcastbusiness.net] has joined #openvpn
16:40 < msackett> anyone want to help me troubleshoot a bridged site to site configuration?
16:42 < msackett> The VPN comes up, but I am unable to route over it.  I see ethernet traffic from the remote side, but I am unable to ping between the two connected IPs on the TAP interfaces.
16:46 < debbie10t> !5737
16:46 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
16:47 < pekster> msackett: Sounds like a bridge setup problem. You don't "route" over a tap since it's L2
16:47 < pekster> You ought not to use tap/bridging anyway unless you actually need it. Physically-disjoined sites should be routed between, not bridged in almost all cases. More info at: !tunortap and !whybridge
16:48 < pekster> (fwiw, you can route over tap, but not between 2 endpoints of a bridged connection)
16:54 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Ping timeout: 252 seconds]
16:55 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
16:55 < msackett> Unfortunately, one side of the connection is a one-armed VM behind a NAT.
16:55 <+kisom> msackett: Just use bridge-utils (or similar depending on your O/S). There's no point in adding routes if it is just a bridged connection.
16:56 < msackett> According to the OpenVPN docs you can do routing using TAP.  I understand that it's a shared L2 connection, but routing should still be possible
16:56 < pekster> Not if you have an _actual_ bridge between them
16:56 < msackett> Also, we want to keep address space separate between the two locations.
16:57 < pekster> Then why use tap in the first placae?
16:57 <+kisom> OK, then you cant have a real bridge.
16:57 <+kisom> The DHCP has no way of knowing where the client is connecting from
16:57 < msackett> because of the one-armed side
16:57 < pekster> Do you need to transport something that's not unicast IP over it?
16:57 < pekster> NAT has nothing to do with this
16:57 < pekster> (though ideally you don't use NAT if you control the RFC1918 space involved, but that's for you to figure out from a topology standpoint)
16:57 < msackett> no, nat has nothing to do with this, aside from not having a way to create multiple addresses on teh client.
16:58 < pekster> Back up and describe your goal here
16:58 < msackett> yes, we'd like to have broadcast traffic visible over the VPN
16:58 < pekster> Then it needs to be on a _single_ network
16:59 < pekster> You can't have separate address space (separate networks) and broadcasts: they're mutually exclusive
16:59 < msackett> true point
16:59 < pekster> That's still generally a horrible idea for disjoined sites
16:59 < pekster> You end up with all sorts of issues like default gateway assignment, DHCP controls, what happens when the link goes down, etc, etc
16:59 < msackett> ideally, we'd like to share access to a DLNA server, but not needed.  unicast and good old DNS will work fine.
17:00 < pekster> You can do a bridged setup between 2 sites, but you're really better off looking at IP-level solutions
17:00 < msackett> I'll try it with a TUN device, but I didn't think that would work on device with a single interface
17:00 < pekster> Sure
17:00 < pekster> tun is the "other" interface in that setup
17:01 < pekster> Think of openvpn in tun mode as a "router with some security to talk to the remote VPN endpoint". That's all it is
17:01 < pekster> Treat the VPN link as a routed link just like any other gateway and you'll have a much better time of it. OpenVPN in tap is a "really long Ethernet cable"
17:03 < msackett> That is understood, and it is behaving as such.  I see the ethernet from the other side no problem.  However, even as ugly as it is, I can have multiple IP networks on the same broadcast domani.
17:04 < msackett> I'm thinking of the bridged connection as connecting two hubs together
17:04 < msackett> I know it's not recommended, I'm just wondering why the IP part isn't working.  Is it the TAP device, or OpenVPN itself?
17:05 < pekster> If you can't ping the IP on the far side of the VPN link, either there's an issue with the link itself, or your OS/distro-centric bridge setup isn't configured properly
17:06 < msackett> Anyhow, I'll try it with TUN devices.  That will allow our andriod users to connect also.
17:06 < msackett> pretty sure the bridge is set up correctly.  Pretty standard Linux bridged interface.
17:07 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
17:08 < pekster> Toss up your !configs, !logs (verb 4 please, and config comments/blanks removed as described there), and the bridge/ip setup with `brctl show` and `ip addr show` somewhere, ideally as a gist so you can lump them together (see: !paste)
17:09 < mbff> hello I used https://github.com/Nyr/openvpn-install to create a openVPN install on a VPS. I can cannot via the openVPN android app and can setup my home router as a client of the vpn as well. However, on ubuntu I cannot get it to work.
17:09 <@vpnHelper> Title: Nyr/openvpn-install · GitHub (at github.com)
17:09 < mbff> I can connect via the android app*
17:10 < mbff> On linux/ubuntu via the gnome network manager, I can connect to the openVPN service, but after I cannot connect to the outside internet.
17:10 < mbff> any ideas?
17:11 < pekster> What's the goal? Why would you expect it to magically "connect to the outside" if you haven't configured it? If that's what you want, review the steps and handy flowchart at: !redirect
17:11 < mbff> I have configured it...
17:12 < mbff> and it works on the router level and via the android app.
17:12 < msackett> pekster: sorry, your reference links don't translate in my IRC client
17:12 < pekster> msackett: They're commands. Reivew this info:
17:12 < pekster> !new
17:12 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
17:12 < msackett> gotch
17:12 < msackett> *a
17:12 < msackett> !configs
17:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:13 < pekster> mbff: It's amazing how you claim to have done all the steps in resources you haven't even read yet
17:13 < pekster> !redirect
17:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:13 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:13 < pekster> mbff: ^ review that, then see if it resolves your issue. The flowchart is most useful, and I didn't suggest it without thinking it would be of some help
17:13 < msackett> grep -vE '^#|^;|^$' server.conf
17:13 < msackett> gah
17:14 < Cpt-Oblivious> pekster: that's an excellent flow chart
17:14 < mbff> I have done the NAT redirect you speak of.
17:14 < pekster> It's useful, yea. I'm not the author, just a mirror
17:14 < mbff> I think it is a OS specific issue.
17:14 < mbff> Thought I would see if anyone else had troubles connecting.
17:14 < pekster> The flowchart will help tell you *where* the issue is
17:14 < pekster> Of course, that would require following it first
17:15 < Cpt-Oblivious> pekster: I'd suggest adding a step prior to being able to 'ping the vpn of the server' with looking at the log files / setting verb to a higher number.
17:15 < Cpt-Oblivious> But I suppose this only covers the networking side.
17:16 < mbff> ok, I can ping the vpn.
17:16 < mbff> However I don't know what you mean by "redirect gateway" on the client
17:17 < Cpt-Oblivious> Do you want all your internet traffic to go through the VPN? if so, you need to redirect the gateway option.
17:17 < mbff> i enabled ip masquerading on the server...
17:17 < pekster> It's a directive. See --redirect-gateway in the manpage (!man for more info)
17:17 < Cpt-Oblivious> !mtu
17:17 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
17:18 < pekster> How can you have set up your config without knowing about --redirect-gateway if you "already did it" ?
17:18 < mbff> I connect fine with the android app, and my ip is the server's ip.
17:18 < pekster> Then don't use n-m
17:18 < pekster> !netma
17:18 < pekster> !netman
17:18 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
17:19 < mbff> that is what I needed ^
17:19 < pekster> Use a _standard_ config file on your *nix client. If you get it working, only then try to import it. n-m fails in so many ways, and there's no sign of it getting better soon
17:20 < mbff> Is the offical openvpn client in the ubuntu repo?
17:20 < mbff> what do you suggest I use instead?
17:20 < pekster> /usr/sbin/openvpn (or wherever else your distro puts it)
17:21 < Cpt-Oblivious> just edit the /etc/openvpn/server.conf file on ubuntu, put your client config in there, and then do 'service openvpn start'
17:21 < Cpt-Oblivious> and install openvpn with 'apt-get install openvpn' if you haven't already.
17:21 < pekster> Personally, I'd suggest just running it from a prompt, then add in whatever other crap you want
17:21 < mbff> I would prefer a GUI... but thanks...
17:21 < pekster> !gui
17:21 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
17:21 < Cpt-Oblivious> the GUI on ubuntu sucks
17:21 < mbff> hmmm ok
17:22 < mbff> I guess I am stuck with the hardcore commandline
17:22 < mbff> I use it most the time anyway..
17:22 < pekster> If you want help here, start with the OpenVPN config. If you want to use a GUI, contact the maintainer of the GUI with problems. We can't support all GUIs
17:22 < mbff> fair enough mate. I wouldn't want to either
17:23 < pekster> fwiw, n-m could probably use the help of someone who knows both the gnome stuff and openvpn stuff with an interest in making it better, but none appear to exist ;)
17:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:50 -!- Volkswagner [~eric@cpe-24-161-55-139.hvc.res.rr.com] has joined #openvpn
17:51 < Volkswagner> Greetings
17:51 < al_nz1> krzee: dunno why but adding sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE to the vpn server fixed it
17:52 < pekster> Can't route RFC1918 upstream to the public Internet al_nz1; it's not globally-routable space
17:59 < Volkswagner> are there any protective measures one can take to limit traffic until tun connection is made?
17:59 < Volkswagner> I had possible traffic snooping from a client, when the server was rebooted.
18:00 < Volkswagner> Client is a router with LAN device behind it.
18:01 < pekster> Use a firewall
18:01 <@EugeneKay> You can route anything you like. Doesn't mean it'll work. :-p
18:02 < Volkswagner> Thanks pekster, I think you nailed it!
18:02 <@krzee> !linnat
18:02 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
18:02 <@krzee> hah
18:03 <@krzee> that command you used is for when a vpn client needs to access the internet over the vpn
18:03 < Volkswagner> I think I had put the vpnRouter client in a DMZ when testing, but never disabled it!
18:04 < al_nz1> krzee: remember the logs? there shoudnt have been anything there if the router in the router was missing/broken?
18:04 < pekster> If you're counting on sending sensitive plaintext over the VPN, it's not unreasonable to add support to preven that plaintext from going elsewhere if/when routes go down. Firewall or some use of --persist-* options might help here
18:04 <@krzee> nah the logs would have been the same
18:04 <@krzee> al_nz1, did you ever use my flowchart for troubleshooting server lan?
18:04 <@krzee> !serverlan
18:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
18:04 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
18:05 <@krzee> i think i forgot to point you to it
18:05 -!- msackett [~msackett@173-12-173-89-oregon.hfc.comcastbusiness.net] has left #openvpn []
18:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 272 seconds]
18:07 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
18:08 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
18:08 < Volkswagner> thanks pekster!
18:12 < al_nz1> krzee: let me see if I understand this right
18:12 < al_nz1> I will draw a picture
18:14 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
18:15 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
18:19 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Ping timeout: 246 seconds]
18:20 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
18:22 < al_nz1> krzee: my understanding of it : https://www.dropbox.com/s/3uqsqy0a5lfyxob/2014-01-05%2013.21.55.jpg
18:22 <@vpnHelper> Title: Dropbox - 2014-01-05 13.21.55.jpg (at www.dropbox.com)
18:23 < al_nz1> krzee: without the route added to the router all reply packets should be dropped at the router? Or maybe sent to wan interface then dropped
18:23 < al_nz1> so without the routing entry in the router then ovpn server should never see any reply packets?
18:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 245 seconds]
18:25 -!- Volkswagner [~eric@cpe-24-161-55-139.hvc.res.rr.com] has quit [Quit: Leaving]
18:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:35 < pekster> al_nz1: Why are you doing any NAT in that setup? Are you unable to configure a return-route for your VPN network on the server LAN network?
18:47 < al_nz1> pekster: isnt puting a routing entry in the router avoiding NAT?
18:48 < al_nz1> 10.8.0.0/24 to 192.168.15.200 with 255.255.255.0
18:50 < pekster> Yes, but then why are you doing NAT in your example earlier? Or is eth0 the server's uplink and not the LAN iface?
18:50 < al_nz1> pekster: well for some reason the routing on the routers not working. Adding the NAT fixed it until I work out why router isnt doing its job
18:53 < al_nz1> pekster: my question, really was this, I cant understand why I was seeing any data/packets in reply yesterday (before I added the NAT rule) at the VPN server if the routing rule on the router wasnt working
18:57 < pekster> You wouldn't unless the VPN server is the LAN's gateway, or if you've added a return route on the target LAN system
18:57 < Cpt-Oblivious> So weird, I manage to get 10 Mbit over a UDP tunnel, but 40 mbit over a TCP openvpn tunnel.
18:59 < Cpt-Oblivious> Only reasonable explanation I can think of is traffic shaping on UDP by my ISP
19:02 < Cpt-Oblivious> but then it has to do it by tagging openvpn specifically, which is unlikely, since iperf with udp over the same port can push 100 Mbit.
19:04 < pekster> So try a !statickey tunnel, possibly also testing on a variety of ports
19:05 < Cpt-Oblivious> !statickey
19:05 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
19:05 < Cpt-Oblivious> !forwardsecurity
19:05 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
19:07 < Cpt-Oblivious> pekster: the way I understand that, is that this way no X509 / PKI is used and therefore it's not possible to detect that it's OpenVPN traffic, all you can detect network wise is that it are UDP or TCP packets flowing in some direction, correct?
19:12 < pekster> Yup exactly. Smart DPI/IDS style devices might still guess that it's some kind of encapsulation based on the flows themselves, but it won't have an "easily" identifiable fingerprint
19:12 < Cpt-Oblivious> ok, going to try that now. Thanks for the tip.
19:12 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
19:22 < Cpt-Oblivious> hmm still only 10 mbit exactly. Was worth a shot :p
19:30 < Cpt-Oblivious> Sun Jan 05 02:27:49 2014 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
19:30 < Cpt-Oblivious> Hmm... I'm not sure how to interpret that 1557. When I test the MTU size with ping (ping -n 1 -l 1472 -f 10.0.8.1) I find out that the maximum size is 1472.
19:33 < Cpt-Oblivious> well that's all normal and good apparently (https://forums.openvpn.net/topic8671.html)
19:33 <@vpnHelper> Title: OpenVPN Support Forum Mtu size for my network? : Server Administration (at forums.openvpn.net)
19:48 -!- mreithub_ [~mreithub@188-23-11-174.adsl.highway.telekom.at] has quit [Ping timeout: 272 seconds]
19:49 < debbie10t> Cpt-Oblivious : there is no way you are going to squeeze 30mbit/sec out using openvpn mtu ...
19:50 < Cpt-Oblivious> yea I've used the mtu-test and have pinged with specific packet sizes, everything points to mtu being excellent and not related.
19:51 < debbie10t> Cpt-Oblivious : if it was mtu your udp traffic would have to be mtu 400
19:51 < debbie10t> or less
19:52 < debbie10t> it is either beyond your control - ISP traffic policy - or perhaps (as an outside chance) 75% of your UDP traffic is not arriving
19:52 < pekster> huh? MTU problems manifest anywhere the required replies are dropped (usually due to brain-dead firewall admins without a clue, but sometimes more "legit" config problems) during a routing transition from a higher MTU to lower one
19:53 < Cpt-Oblivious> this is the information that I have so far, I'm still putting more into it to make it more complete. http://pastebin.com/UeeQ7hrz
19:53 < debbie10t> 10mbit udp vs 40mbit tcp ...
19:53 < pekster> The common example today is PPPoE used with many DSL providers causing a 1492 MTU due to 8-byte losses in the encapsulation
19:53 < Cpt-Oblivious> I'm still absolutely dumbfounded as to what the cause is.
19:53 < debbie10t> 10mbit udp vs 40mbit tcp ...
19:54 < Cpt-Oblivious> if I push UDP over the TCP openvpn tunnel, I can actually get 75 mbit.
19:54 < Cpt-Oblivious> TCP for OpenVPN is massively faster for me.
19:55 < pppingme> its highly improbable that you're getting better performance with tcp over udp.  If you are, its a strong indication that someone is messing with the traffic, most likely your isp is shaping traffic at the server or client end.
19:56 < Cpt-Oblivious> but if I run a plain Iperf test with UDP over the exact same ports, I can easily reach 120 mbit.
19:56 < debbie10t> are server and client on the same ISP ?
19:56 < Cpt-Oblivious> nope
19:57 < pppingme> maybe your isp is specifically picking on 1194/udp..
19:57 < debbie10t> one of the ISPs involved ...
19:57 < Cpt-Oblivious> I've tried ports 53 / 80 / 443/ 1194 / 60000
19:57 < Cpt-Oblivious> and iperf over 1194 with udp pushes 120 mbit
19:58 < debbie10t> performace tools often get enhanced performance to maximize sales
19:59 < debbie10t> bait 'n' switch
19:59 < Cpt-Oblivious> I don't think that's the case with iperf. I also see 12% network usage on my Nic in both Windows and on the FreeBSD server side.
20:00 < Cpt-Oblivious> (Gigabit nic)
20:00 < Cpt-Oblivious> So it's actually pushing 120 mbit
20:01 < debbie10t> perhaps your reporting tool is flakey
20:01 < Cpt-Oblivious> but then also the network usage the OS reports would be flakey, which would be both Windows and FreeBSD.
20:01 < Cpt-Oblivious> It's possible, but not very likely
20:01 < Cpt-Oblivious> Also my gateway (pfsense) reports 120 mbit.
20:02 < debbie10t> so you go from 10mbit to 120mbit with no apparent reason ?
20:03 < Cpt-Oblivious> none that I have figured out so far.
20:03 < debbie10t> whats the isp out of curiosity
20:03 < Cpt-Oblivious> upc (a Dutch ISP)
20:03 < debbie10t> isps
20:03 < debbie10t> both ends
20:03 < Cpt-Oblivious> And Serverius.com datacenter
20:06 < debbie10t> are both ends in holland ?
20:06 < Cpt-Oblivious> yes.
20:06 < Cpt-Oblivious> debbie10t: if you'd like you can have a look at this: http://pastebin.com/g6C7LCiE I have included everything I know there. Maybe you could draw a conclusion to the possible cause from that.
20:07 < debbie10t> how long can u push 120mbit ?
20:07 < Cpt-Oblivious> I've downloaded 20 GB files at that rate.
20:08 < Cpt-Oblivious> it does take a little bit to get started though, starts at roughly 80 mbit, then hovers between 110-120 mbit for the rest of the time.
20:08 < Cpt-Oblivious> sometimes dipping back to 80 mbit for 10-20 seconds
20:11 < debbie10t> what type of data are you using to send ? mpeg, zip etc ?
20:11 < Cpt-Oblivious> .bin files, .mkv files, the traffic iperf generates
20:13 < debbie10t> i have seen windows 7 cache a 750mb of avi .. SECOND transfer took less time than 100mbit ethernet could possibly handle .. just a thought
20:14 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
20:14 < debbie10t> don't know how that would effect a VPN but using windows file share it lied outright
20:15 < Cpt-Oblivious> yea that's why I don't rely on 1 single thing to measure the speed, it's always an HTTP download + SMB download + Iperf test.
20:16 < Cpt-Oblivious> oh I should also mention, I've done a test towards a VPS of mine, that is also on gigabt at the same datacenter. Then I can push 400 mbit over the VPN tunnel.
20:17 < Cpt-Oblivious> So I'd guess the problem lies in the network between the clients and the server, or is in the windows implementation of openvpn with udp.
20:18 < debbie10t> <Cpt-Oblivious>oh I should also mention, .. Then I can push 400 mbit over the VPN tunnel.
20:18 < Cpt-Oblivious> so it's not bottlenecking serverside
20:18 < debbie10t> sounds like OVPN is working fine
20:19 < Cpt-Oblivious> Just not when I run it on UDP, then the max speed is 10-12 mbit. Running it on TCP and it's 30-75 mbit.
20:20 <@krzee> maybe your ISP throttles your UDP
20:20 < debbie10t> and here we go again
20:20 < Cpt-Oblivious> Yea I suspected that as well, but I've tried it on 2 ISPs
20:20 < Cpt-Oblivious> 2 clients on Cable isp with both 120/6, and 1 client on 100/100 fiber isp.
20:20 < Cpt-Oblivious> same results
20:20 <@krzee> maybe your server isp throttles udp
20:20 < debbie10t> there is obviously networking way beyond your control
20:21 < debbie10t> 10mbit vs 400mbit
20:21 < Cpt-Oblivious> krzee: all clients can download at 120 / 100 mbit when pushing UDP outside OpenVPN
20:21 < debbie10t> if ovpn can handle 400mbit then it is NOT OVPN
20:21 <@krzee> !gigabit
20:21 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
20:22 <@krzee> i assume you gave that a few reads too
20:22 < Cpt-Oblivious> yep
20:22 < Cpt-Oblivious> that 400 mbit is bottlenecked by the small VPS with 256 MB ram on CPU usage.
20:22 < Cpt-Oblivious> And I'm fine with that speed.
20:23 < Cpt-Oblivious> It's mostly the 10 mbit I can push over UDP towards the Windows clients over 120/100 mbit, that is the issue.
20:24 < debbie10t> ISPs are going to load balance
20:28 < Cpt-Oblivious> krzee: this explains the entire problem: http://pastebin.com/Aaj5dwV7 If you have a bit of time, I'd appreciate it a lot if you could have a look at it. Maybe you spot some pattern based on which you have a suggestion what I could try next.
20:29 <@krzee> actually i have never had a performance issue to play with
20:29 <@krzee> i can only suggest stuff thats helped others in the past
20:29 <@krzee> even on sat connections i get the expected bandwidth / latency
20:30 < Cpt-Oblivious> Windows clients?
20:30 < debbie10t> <debbie10t><Cpt-Oblivious>oh I should also mention, .. Then I can push 400 mbit over the VPN tunnel
20:30 < pekster> Windows doens't have some magic limigation that causes 10Mb/s, no
20:30 < Cpt-Oblivious> yea I know, windows can push 30-70 mbit over a TCP openvpn tunnel
20:30 < Cpt-Oblivious> just on UDP it gets stuck at 10-12 Mbit
20:31 < pekster> And I don't have that problem. Proof by counter-example
20:31 < Cpt-Oblivious> yep, so it's not likely to be the windows client.
20:31 < Cpt-Oblivious> But something network related.
20:34 < Cpt-Oblivious> I think i'm going to try it from Uni on Monday, there I have 200/200 mbit, completely different ISP again, see what kind of speed I get there.
20:35 < debbie10t> !learn
20:35 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:35 < debbie10t> lol =]
20:35 < Cpt-Oblivious> On an IPsec vpn I can do 14 MB/s on the 120/6 Mbit connection, which is also UDP. So I don't think the ISP is really filtering UDP traffic
20:36 < Cpt-Oblivious> though that's an IPsec vpn to work, so not to the same server.
20:37 <@krzee> no i dont use windows
20:38 < Cpt-Oblivious> I did try from Ubuntu that I quickly installed, but that got similar performance.
20:39 < debbie10t> Time for a classic . . .
20:39 < debbie10t> !blame
20:39 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
20:40 < Cpt-Oblivious> haha :p
20:40 < debbie10t> =]
20:41 < debbie10t> 10mbit vs 400mbit over openvpn .. it is nothing to to with openvpn
20:41 < Cpt-Oblivious> that 400 mbit is on a 0.2 ms latency link, same rack / switch :p
20:41 < Cpt-Oblivious> But yea, not likely.
20:42 < Cpt-Oblivious> hmmm this is odd
20:42 < Cpt-Oblivious> when I put OpenVPN on UDP, and do an iperf test.
20:42 < Cpt-Oblivious> past 10-20% I get massive packet loss
20:42 < debbie10t> !ISP
20:42 < Cpt-Oblivious> when I push 100 Mbit through it from the server to the client.
20:42 < Cpt-Oblivious> The client and both server register 90% packet loss
20:42 < Cpt-Oblivious> but the client does see 100 mbps traffic on it's nic
20:42 < Cpt-Oblivious> so It's not actually losing 90% of it's traffic, but it thinks it is.
20:43 < debbie10t> so the reporting tool gets it wrong ?
20:43 < Cpt-Oblivious> in the case of UDP over UDP with OpenVPN that does appear to be the case.
20:43 < debbie10t> ...
20:44 < debbie10t> !blame
20:44 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
20:44 < Cpt-Oblivious> If I force the traffic through it by manually specifying the speed it needs to use, the nic does see all the traffic.
20:44 -!- debbie10t was kicked from #openvpn by EugeneKay [innanuts]
20:44 -!- debbie10t [~ma1com10t@host-92-20-1-125.as13285.net] has joined #openvpn
20:44 < Cpt-Oblivious> but running TCP over it, results in max 10 mbit, and iperf also thinks it doesn't push more than 10 mbit.
20:44 < Cpt-Oblivious> but the OS does show it's doing 100 mbit
20:44 < debbie10t> screw it .. i didnt know you were all interested .. i am leaving
20:44 < Cpt-Oblivious> very very strange
20:44 -!- debbie10t [~ma1com10t@host-92-20-1-125.as13285.net] has left #openvpn []
20:46 < Cpt-Oblivious> Somehow the OpenVPN client reports to the applications running on top of it, that it only has 10 Mbps when running UDP, and therefore all TCP applications don't go faster than 10 Mbit, but if you force more traffic over it by using UDP, iperf thinks it's losing all packets / trafffic but 10 mbit. But the OS does actually show it's receiving 100 Mbit on it's nic.
20:49 <@krzee> lol
20:49 <@krzee> like pekster said, that 10mbit display thing has NOTHING to do with reality
20:49 <@krzee> it is simply a display issue, nothing more
20:49 < Cpt-Oblivious> yes I know
20:49 <@krzee> it limits nothing
20:49 <@krzee> anywhere, ever
20:49 < Cpt-Oblivious> otherwise I wouldn't reach 50 mbit with TCP
20:50 < pekster> No, the OS thinks no such thing
20:50 < pekster> That's complete and utter bullshit (in case I haddn't made this point _painfully_ clear earlier
20:50 < Cpt-Oblivious> It's just that when running OpenVPN on UDP, if I do iperf on the link, I get max 10 mbit, if I push 100 mbit, iperf says 90% packet loss, so 10 mbit. If I do TCP, max 10 mbit. But the 100 mbit iperf does actually show up on the 1 gbit network nic in the OS.
20:50 < pekster> No, the "UDP Openvpn on Windows" is nonsense
20:51 < Cpt-Oblivious> I know
20:51 < Cpt-Oblivious> Can you think of a different explanation why I'm seeing that behavior?
20:51 < Cpt-Oblivious> I'm going to try a different UDP tool to run over the OpenVPN, see what that does.
20:51 < pekster> Without knowing every link in your setup, no. It's likely upstream of you, but you hvaen't actually done emperical testing on a local node (or say a node on the same ISP but not as far upstream) to clarify anything
20:51 -!- bovered [~ma1com10t@host-92-20-1-125.as13285.net] has joined #openvpn
20:52 <@EugeneKay> Two days in a run having the same "issue"....
20:52 <@EugeneKay> What's the record?
20:52 < Cpt-Oblivious> I have tested on a local node, with a different ISP
20:52 < pekster> I've gotten better performance from a home celeron box that does light duty with FTP over openvpn (yes, in UDP mode) and I get _far_ more than 10Mbps. Again, proof by counter-example (the best kind!)
20:52 < pekster> And that's a CPU limit of the junk celeron that thing has
20:53 < Cpt-Oblivious> yea understandably
20:57 -!- bovered [~ma1com10t@host-92-20-1-125.as13285.net] has left #openvpn []
20:58 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
20:59 -!- bjh4 [~bjh4@ool-4354103f.dyn.optonline.net] has quit [Quit: Leaving]
21:03 -!- Ganymede [~Ganymede@pool-96-246-221-179.nycmny.fios.verizon.net] has left #openvpn []
21:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
21:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:53 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
21:57 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
22:02 -!- dimitry7 [~antonello@189.179.57.92] has joined #openvpn
22:41 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Quit: Lost terminal]
22:44 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
23:03 -!- Rallias is now known as Gasseus
23:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
23:09 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 264 seconds]
23:16 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
23:33 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Quit: ZNC - http://znc.sourceforge.net]
23:34 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
23:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
23:41 -!- qwertyoruiop_ is now known as qwertyoruiop
23:47 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
23:49 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
--- Day changed Sun Jan 05 2014
00:16 -!- lianj [~lianj@subtle/user/lianj] has joined #openvpn
00:17 < lianj> hello can auth-user-pass be inlined?
00:17 < pekster> lianj: Nope, you've got to use an external file today. That might change in the future
00:18 < lianj> thanks for the fast answer
00:18 < lianj> yea, having it optional to inline that one too would be nice
00:19 < lianj> any suggestion for a good cipher setting?
00:20 < pekster> BF/AES are fine
00:20 < lianj> using BF-CBC currently
00:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:20 < pekster> BF is faster on most systems in pure CPU; those that have AES hw-accel available might benefit from a speed boost when using it
00:20 < lianj> always get confused. bf + cbc is fine but aes not?
00:21 < pekster> No, they're both considered secure by modern standards
00:21 < lianj> hm ok. will stay with bf-cbc then. thanks and bye!
00:21 < pekster> So is Camellia, but make up your own mind what to use
00:22 -!- lianj [~lianj@subtle/user/lianj] has left #openvpn []
00:44 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
00:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.1]
00:59 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
01:05 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:10 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
01:10 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
01:21 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
01:45 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 260 seconds]
01:53 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:15 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 240 seconds]
02:15 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
02:17 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
02:22 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 252 seconds]
03:40 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
03:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:57 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
04:00 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
04:05 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
04:05 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
04:09 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:28 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 260 seconds]
04:34 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
04:35 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:52 -!- dimitry7 [~antonello@189.179.57.92] has quit [Remote host closed the connection]
04:58 -!- mreithub_ [~mreithub@188-23-11-174.adsl.highway.telekom.at] has joined #openvpn
05:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:22 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 246 seconds]
05:25 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
05:32 -!- mreithub_ [~mreithub@188-23-11-174.adsl.highway.telekom.at] has quit [Ping timeout: 245 seconds]
05:35 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
05:39 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:00 -!- anthonym [~anthonym@pdpc/supporter/professional/anthonym] has joined #openvpn
06:00 < anthonym> How long would it take approximately to network 3 debian backend servers together so that memcached/mysql replication/backend data transfer is secure?
06:08 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 246 seconds]
06:10 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:27 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
06:36 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
06:48 -!- mback2k_ is now known as mback2k
06:48 -!- mback2k [~freenode@89.238.84.46] has quit [Quit: Reconnecting]
06:48 -!- mback2k [~freenode@89.238.84.46] has joined #openvpn
07:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
07:20 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:21 -!- anthonym [~anthonym@pdpc/supporter/professional/anthonym] has quit [Ping timeout: 260 seconds]
07:22 -!- mback2k is now known as mback2k_
07:28 -!- mback2k_ is now known as mback2k
07:30 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
07:31 -!- Netsplit *.net <-> *.split quits: noobboob, Gelos
07:31 -!- Netsplit *.net <-> *.split quits: Haseo, Cybertinus, xBytez
07:31 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
07:31 -!- xBytez [xBytez@libxbytez.so] has joined #openvpn
07:31 -!- xBytez [xBytez@libxbytez.so] has quit [Changing host]
07:31 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
07:31 -!- Gelos [sid17176@gateway/web/irccloud.com/x-wbktefgsdggmjudk] has joined #openvpn
07:32 -!- Netsplit over, joins: Cybertinus
07:33 -!- noobboob [uid5587@gateway/web/irccloud.com/x-pynwajcdwtgayxxb] has joined #openvpn
07:38 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:50 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
07:59 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
08:13 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:14 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
08:15 -!- mback2k is now known as mback2k_
08:17 -!- mback2k_ is now known as mback2k
08:22 -!- mback2k is now known as mback2k_
08:22 -!- mback2k_ is now known as mback2k
08:27 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
08:29 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:31 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
08:38 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
08:39 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:41 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
09:09 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
09:09 -!- Gasseus is now known as Rallias
09:34 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 246 seconds]
09:36 -!- elfixit [~Icedove@27-157.61-188.cust.bluewin.ch] has joined #openvpn
09:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:49 -!- azi [~azi@dslb-094-223-180-182.pools.arcor-ip.net] has joined #openvpn
09:53 < azi> is there any cross platform gui to simplify setup and connection? so there is no hassle setting up certificates and moving files between the user and the server?
09:55 < pekster> There's always the "hassle" of setting up your PKI (CA, your keypairs for each system, etc.) The whole idea is that the keypair+cert is unique to that system
09:56 < pekster> There are a few choices for ways to manage that though:
09:56 < pekster> !certman
09:56 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
09:56 <@plaisthos> also see
09:56 <@plaisthos> !inline
09:56 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
09:57 < azi> couldn't it be like, at the first startup the client automatically generates his keys, then the user enters an IP to conenct to
09:57 < azi> the server then gets a new-user request and has to accept it
09:57 < azi> and afterwards the user can just connect
09:58 < pekster> That's not how asymettric encryption works: you need a trust path to validate that the cert is valid
09:58 < pekster> !intro_to_pki
09:58 < pekster> !factoids search intro
09:58 <@vpnHelper> No keys matched that query.
09:59 < pekster> !factoids search pki
09:59 <@vpnHelper> 'pki' and 'into-to-pki'
09:59 < Mike--> azi: There is no way for the server to check the client certificate
09:59 < pekster> azi: This document might explain the basics of PKI better for you:
09:59 < pekster> !into-to-pki
09:59 <@vpnHelper> "into-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
09:59 < Mike--> pekster: might be an idea to rename that to 'intro-to-pki'
09:59 < azi> i thought the server can sign the client certificate with the new-user-request
09:59 < Mike--> just my 2 cents ;)
09:59 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
09:59 < pekster> Mike--: Yup ;)
10:00 < Mike--> azi: how about mitm ?
10:00 < pekster> azi: Yes, but it should never happen "automatically" -- the admin of the CA needs to ensure the request is legit before signing it
10:01 < azi> accepting the new-user-request could be done by hand
10:01 < Mike--> azi: in such a case a shared secret might be better
10:01 < Mike--> or use user/pass authentication
10:01 < Mike--> my openvpn server has AD checking of user/pass
10:01 < Mike--> so my clients only require the config and the ca of the server
10:01 < azi> i read that means only one client and one server
10:01 < Mike--> nah
10:02 < Mike--> I have 20+ clients connected at the same time
10:02 < pekster> static-key is limited to 2 endpoints, yes
10:02 < Mike--> I do not use static-key
10:02 < Mike--> my client does not have a certificate
10:02 < pekster> Yes, I know
10:02 < pekster> azi's comment was about PSK
10:02 < Mike--> right, sorry
10:09 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
10:10 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:12 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
10:17 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
10:17 -!- clyons [~kvirc@46.7.192.26] has joined #openvpn
10:32 -!- master_of_master [~master_of@p4FF24DBB.dip0.t-ipconnect.de] has joined #openvpn
10:35 -!- master_o1_master [~master_of@p4FF2463E.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
10:45 -!- mback2k is now known as mback2k_
10:50 -!- elfixit [~Icedove@27-157.61-188.cust.bluewin.ch] has quit [Ping timeout: 252 seconds]
11:00 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:09 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
11:09 < joshh20> When you are connected to the OpenVPN server, all traffic to a destination should be routed through the server and not directly from your home internet connection correct?
11:10 < Aketzu> only destinations you route through vpn
11:10 < joshh20> Ok
11:10 < joshh20> Is there a way to force them to all go through the VPN?
11:11 < Aketzu> redirect-gateway
11:12 < joshh20> Ok thank you
11:12 -!- vitilitigate [~vitilitig@46.21.151.107] has joined #openvpn
11:12 < Aketzu> also remember the return route
11:12 < vitilitigate> question: how much overhead is 2048 openvpn encryption?
11:13 < Aketzu> what kind of overhead (i.e. increased data or cpu or something else?)
11:13 < vitilitigate> so like, 1mb/sec actual data download rate = ?mb/sec data usage of isp
11:13 < vitilitigate> pure data.
11:13 < vitilitigate> not cpu overhead.
11:13 < Aketzu> encryption doesn't matter at all
11:13 < vitilitigate> i'm downloading a large file and wondering if i should just turn off my vpn to make it go faster
11:14 < Aketzu> there are extra udp and openvpn headers
11:14 < pekster> You're confusing encryption types here
11:14 < pekster> 2048 bit keys are used for the asymmetric encryption that is used only for the TLS channel. The data is encrypted with ephemeral (temporary) symmetric keys
11:14 < vitilitigate> can you guys just answer the question?
11:14 < vitilitigate> what is the data overhead for using encryption at 2048bit?
11:14 < pekster> Without hardware-acceleration, all the encryption is CPU-bound, and that's usually you're limiting factor
11:15 < vitilitigate> i have an i7 i'm ok
11:15 < pekster> vitilitigate: None, becuase the data isn't encrypted at 2048 bit
11:15 < pekster> Problem solved if that was your "only question"
11:15 < vitilitigate> airvpn claims it is.
11:15 < pekster> Then either you mis-interperted the answer, or (more likely) they're idiots
11:15 < pekster> !provider
11:15 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
11:15 < vitilitigate> lol you guys are pedantic faggots.  i'll google it.
11:15 < vitilitigate> fuck yourself niggers.
11:15 < vitilitigate> :D
11:15 -!- mode/#openvpn [+o pekster] by ChanServ
11:15 -!- vitilitigate [~vitilitig@46.21.151.107] has left #openvpn ["Leaving"]
11:16 < joshh20> What the hell
11:17 -!- mode/#openvpn [+b $a:vitilitigate] by pekster
11:17 -!- mode/#openvpn [-o pekster] by ChanServ
11:17 < joshh20> What a dick after you were nice enough to explain that all to him
11:17 < joshh20> You helped me out quite a lot with my problem pekster
11:17 < pekster> Yup. Some people just don't belong on community resources
11:17 < joshh20> Thank you for that
11:17 < Aketzu> as usual, some people just expect immediate perfect answer :)
11:18 < pekster> joshh20: If you haven't seen it, there's helpful redirection info/flowcharts at: !redirect too
11:20 < joshh20> !redirect
11:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:20 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:26 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
11:28 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:28 -!- mode/#openvpn [+o dazo_afk] by ChanServ
11:28 -!- dazo_afk is now known as dazo
12:31 -!- PackardBell [~Cor@eternalproject.org] has left #openvpn []
12:56 <+rob0> What an idiot. Generally, encryption also compresses data, so that wouldn't have the overhead he insists it does.
12:57 < Aketzu> no it doesn't
12:58 < Aketzu> openvpn has comp-lzo which does the compression
12:59 <+rob0> meh, very little
13:03 <+kisom> rob0: Encryption does not compress data.
13:03 <+rob0> gpg(1) disagrees with you, but whatever.
13:03 < MorgyN_> some does
13:03 <+kisom> OK, I don't use GPG
13:04 <+kisom> I'm talking about general ciphers
13:04 <+kisom> AES, RC4, etc
13:04 <+kisom> Neither of them will ever make the ciphertext smaller than the cleartext.
13:04 < pekster> It's not the crypto that does that; gpg(1) makes it clear that the zlib, bzip2, etc, algs are used to do that, and that not all programs implemenet them as it's optional by PGP standard
13:04 <+kisom> If GPG compresses the data, fine, but that's not the actual encryption algorithm in work then.
13:05 <+kisom> They probably run it trough an compression algorithm first.
13:05 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
13:05 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
13:05 <+kisom> pekster: +1
13:05 < pekster> Yup, gpg's --compress-algo is basically the gpg way to do openvpn's --comp-lzo (or the newer --compress option)
13:06 <+kisom> I use one time pads, any ways.
13:09 < pekster> In general, compression in openvpn is only useful if the extra CPU used to compress (and thus unavailble to encrypt) saves more time than sending the saved size over the network link
13:09 < pekster> On embedded, that's often not the case, but it varies a lot
13:27 -!- Fetch_ [fetch@gimel.cepheid.org] has joined #openvpn
13:29 -!- lazzer_ [~mattias@213.132.98.41] has joined #openvpn
13:29 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
13:29 -!- piem_ [~piem@coconut.piem.org] has joined #openvpn
13:30 -!- lazzer [~mattias@213.132.98.41] has quit [Ping timeout: 246 seconds]
13:30 -!- Fetch [fetch@gimel.cepheid.org] has quit [Ping timeout: 246 seconds]
13:31 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 246 seconds]
13:31 -!- piem [~piem@coconut.piem.org] has quit [Ping timeout: 246 seconds]
13:33 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
13:35 -!- mrrg_ [~notabot@delicious.sykosys.jp] has joined #openvpn
13:39 -!- dazo_afk [~dazo@114.201.9.46.customer.cdi.no] has joined #openvpn
13:39 -!- dazo_afk [~dazo@114.201.9.46.customer.cdi.no] has quit [Changing host]
13:39 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
13:39 -!- mode/#openvpn [+o dazo_afk] by ChanServ
13:40 -!- Netsplit *.net <-> *.split quits: +mrrg
13:40 -!- dazo_afk is now known as dazo
13:52 -!- JackWinter_ [~jack@vodsl-4669.vo.lu] has joined #openvpn
13:52 -!- kraut_ [~kraut@blackhole.netzdeponie.de] has joined #openvpn
13:52 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 248 seconds]
13:52 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
13:52 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
13:52 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
13:53 -!- Netsplit *.net <-> *.split quits: mumixam, dandy, tapout, pepijndevos, intricate, Cultist, Gelos, +s0meone, troyt, Gman32,  (+4 more, use /NETSPLIT to show all of them)
13:53 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
13:53 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
13:53 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
13:54 -!- master_o1_master [~master_of@p4FF24DBB.dip0.t-ipconnect.de] has joined #openvpn
13:54 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:55 -!- erin1983684 [~Eryn_1983@72.238.104.100] has joined #openvpn
13:57 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:57 -!- kraut [~kraut@212.6.65.173] has quit [Ping timeout: 260 seconds]
13:57 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 260 seconds]
13:57 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Ping timeout: 260 seconds]
13:57 -!- master_of_master [~master_of@p4FF24DBB.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
13:57 -!- Eryn_1983_FL [~Eryn_1983@72.238.104.100] has quit [Ping timeout: 260 seconds]
13:57 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 260 seconds]
13:57 -!- kraut_ is now known as kraut
13:57 -!- Six6siX_ is now known as Six6siX
14:01 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
14:01 -!- Weasel__ [kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
14:01 -!- Fetch [fetch@gimel.cepheid.org] has joined #openvpn
14:02 -!- kisom_ [~kisom@kisom.thr.kth.se] has joined #openvpn
14:02 -!- defsdoor_ [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:02 -!- Ali_nz2 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has joined #openvpn
14:02 -!- MeanderingCode_ [~Meanderin@palantir.aetherislands.net] has joined #openvpn
14:02 -!- _manfred__ [~IceChat77@12.109.211.60] has joined #openvpn
14:03 -!- Eryn_1983_FL [~Eryn_1983@72.238.104.100] has joined #openvpn
14:03 -!- brian__ [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has joined #openvpn
14:04 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
14:04 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
14:06 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
14:08 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Read error: Operation timed out]
14:08 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Read error: Operation timed out]
14:08 -!- bersace [~bersace@sevin.cae.li] has quit [Read error: Operation timed out]
14:08 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Read error: Operation timed out]
14:08 -!- kisom [~kisom@kisom.thr.kth.se] has quit [Read error: Operation timed out]
14:08 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Read error: Operation timed out]
14:08 -!- erin1983684 [~Eryn_1983@72.238.104.100] has quit [Read error: Operation timed out]
14:08 -!- Fetch_ [fetch@gimel.cepheid.org] has quit [Ping timeout: 265 seconds]
14:08 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 265 seconds]
14:08 -!- franks2 [~frank@frank2.net] has quit [Ping timeout: 265 seconds]
14:08 -!- _manfred_ [~IceChat77@12.109.211.60] has quit [Ping timeout: 265 seconds]
14:08 -!- bwallen [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has quit [Read error: Operation timed out]
14:08 -!- mrrg_ [~notabot@delicious.sykosys.jp] has quit [Ping timeout: 265 seconds]
14:08 -!- al_nz1 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has quit [Ping timeout: 265 seconds]
14:08 -!- bersace [~bersace@sevin.cae.li] has joined #openvpn
14:08 -!- MeanderingCode_ is now known as MeanderingCode
14:09 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:09 -!- Fetch_ [fetch@gimel.cepheid.org] has joined #openvpn
14:10 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
14:10 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
14:11 -!- mrrg_ [~notabot@delicious.sykosys.jp] has joined #openvpn
14:12 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
14:13 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 260 seconds]
14:13 -!- kisom_ [~kisom@kisom.thr.kth.se] has quit [Ping timeout: 260 seconds]
14:13 -!- simcop2387_ is now known as simcop2387
14:14 -!- franks2 [~frank@frank2.net] has joined #openvpn
14:15 -!- Weasel__ is now known as Weasel_
14:18 -!- Netsplit *.net <-> *.split quits: Fetch, mrrg, [1]JPeterson
14:19 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has quit [Remote host closed the connection]
14:19 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
14:20 -!- mirco__ [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
14:21 -!- Denial- [Denial@2.217.201.230] has joined #openvpn
14:21 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
14:24 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
14:24 -!- ben1066_ [~quassel@unaffiliated/ben1066] has joined #openvpn
14:25 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Disconnected by services]
14:25 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
14:25 -!- Guest10116 [~jhp@zeus.jhprins.org] has quit [Ping timeout: 260 seconds]
14:25 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 260 seconds]
14:25 -!- mrrg__ [~notabot@209.20.75.42] has joined #openvpn
14:25 -!- lazzer [~mattias@213.132.98.41] has joined #openvpn
14:26 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
14:26 -!- Denial [Denial@2.217.201.230] has quit [Ping timeout: 264 seconds]
14:26 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 264 seconds]
14:26 -!- mirco__ is now known as mirco
14:26 -!- Denial- is now known as Denial
14:26 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
14:26 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 264 seconds]
14:26 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 264 seconds]
14:26 -!- mrrg_ [~notabot@delicious.sykosys.jp] has quit [Ping timeout: 264 seconds]
14:26 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 264 seconds]
14:26 -!- brian__ [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has quit [Ping timeout: 264 seconds]
14:26 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Ping timeout: 264 seconds]
14:26 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
14:26 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
14:26 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 264 seconds]
14:26 -!- lazzer_ [~mattias@213.132.98.41] has quit [Ping timeout: 264 seconds]
14:26 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Ping timeout: 264 seconds]
14:26 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 264 seconds]
14:26 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 264 seconds]
14:26 -!- nobit [nobit@unaffiliated/muska] has quit [Ping timeout: 264 seconds]
14:26 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
14:26 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds]
14:26 -!- dazo_afk [~dazo@114.201.9.46.customer.cdi.no] has joined #openvpn
14:26 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
14:27 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
14:28 -!- brian__ [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has joined #openvpn
14:28 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 260 seconds]
14:29 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
14:29 -!- mete [~mete@91.247.253.160] has joined #openvpn
14:29 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
14:29 -!- mrrg__ [~notabot@209.20.75.42] has quit [Ping timeout: 259 seconds]
14:29 -!- hgax_ [~hgax@162.243.112.153] has quit [Ping timeout: 259 seconds]
14:29 -!- volnukhin_ [~ka4ok@141.0.170.169] has joined #openvpn
14:29 -!- jhp [~jhp@zeus.jhprins.org] has joined #openvpn
14:30 -!- Weasel_ [kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Ping timeout: 260 seconds]
14:30 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
14:30 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
14:30 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
14:31 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
14:34 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
14:35 -!- hgax [~hgax@162.243.112.153] has joined #openvpn
14:35 -!- saneki_ [~saneki@dedi2.ip1.zylongaming.com] has joined #openvpn
14:35 -!- davidmp_ [~davidmp@149.255.100.107] has joined #openvpn
14:35 -!- Netsplit *.net <-> *.split quits: dazo_afk
14:36 -!- levifig [~levifig@hakr.io] has quit [Write error: Connection reset by peer]
14:36 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
14:36 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
14:36 -!- davidmp [~davidmp@149.255.100.107] has quit [Write error: Connection reset by peer]
14:36 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Connection reset by peer]
14:36 -!- Netsplit *.net <-> *.split quits: +pwrcycle, +krphop, +__bt, Hes, +GabrieleV, Eagleman, maskedlua, +thalweg, Cpt-Oblivious_, +batrick,  (+2 more, use /NETSPLIT to show all of them)
14:36 -!- saneki [~saneki@dedi2.ip1.zylongaming.com] has quit [Read error: Connection reset by peer]
14:36 -!- volnukhin [~ka4ok@141.0.170.169] has quit [Write error: Connection reset by peer]
14:36 -!- davidmp_ is now known as davidmp
14:36 -!- Weasel__ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
14:36 -!- nobit_ [nobit@ranger.animounted.net] has joined #openvpn
14:36 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
14:37 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
14:38 -!- Cr4zi3 [~killaz@76.74.171.253] has joined #openvpn
14:38 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
14:38 -!- nobit_ [nobit@ranger.animounted.net] has quit [Changing host]
14:38 -!- nobit_ [nobit@unaffiliated/muska] has joined #openvpn
14:38 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
14:38 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:38 -!- Netsplit over, joins: Cpt-Oblivious_, Eagleman, VunKruz, Hes, maskedlua, +batrick, +dos-freak, +GabrieleV, +pwrcycle, +__bt (+2 more)
14:39 -!- nobit_ is now known as nobit
14:39 -!- levifig [~levifig@hakr.io] has joined #openvpn
14:39 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:39 -!- halcyon__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
14:39 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has quit [Remote host closed the connection]
14:40 -!- halcyon__ [~heraclitu@vpnus.planetcrypto.com] has quit [Remote host closed the connection]
14:40 -!- halcyon__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
14:41 -!- halcyon__ [~heraclitu@vpnus.planetcrypto.com] has quit [Remote host closed the connection]
14:42 -!- halcyon__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
14:45 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
14:47 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Client Quit]
14:49 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:50 -!- dazo [~dazo@46.9.201.114] has joined #openvpn
14:52 -!- dazo [~dazo@46.9.201.114] has quit [Ping timeout: 264 seconds]
14:56 -!- dazo_afk [~dazo@114.201.9.46.customer.cdi.no] has joined #openvpn
14:56 -!- dazo_afk is now known as dazo
14:58 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
15:06 -!- dazo [~dazo@114.201.9.46.customer.cdi.no] has quit [Changing host]
15:06 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:06 -!- mode/#openvpn [+o dazo] by ChanServ
15:06 -!- dazo is now known as Guest48730
15:06 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
15:08 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
15:24 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Remote host closed the connection]
15:26 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
15:26 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
15:32 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
15:33 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
15:40 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
15:44 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
15:45 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
15:45 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
15:47 -!- ben1066_ [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
15:48 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
15:52 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Client Quit]
15:53 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
15:53 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
16:00 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
16:01 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Read error: Connection reset by peer]
16:03 -!- defsdoor_ [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:04 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has joined #openvpn
16:04 -!- smerz_ [~smerz@f168194.upc-f.chello.nl] has quit [Read error: Connection reset by peer]
16:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:25 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
16:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:40 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
16:49 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Ping timeout: 245 seconds]
17:03 -!- Weasel__ is now known as Weasel_
17:12 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
17:13 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
17:25 -!- noobboob [uid5587@gateway/web/irccloud.com/x-pynwajcdwtgayxxb] has quit []
17:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:35 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
17:38 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Client Quit]
17:42 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
17:49 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 272 seconds]
17:52 -!- esde [~esde@107.150.1.2] has joined #openvpn
18:07 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:23 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
18:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
18:35 -!- halcyon__ [~heraclitu@vpnus.planetcrypto.com] has quit [Remote host closed the connection]
18:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:46 -!- Guest53562 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Quit: Don't flap your BGP at me sonny]
18:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:47 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
18:49 -!- frenchface [~jonathan@71-90-215-45.dhcp.spbg.sc.charter.com] has joined #openvpn
18:50 < frenchface> hey everyone, what options do I have for the openvpn unpdate-resolv-conf package for openbsd5.4?
18:56 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
18:56 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
18:56 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
18:58 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
18:58 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
19:15 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 260 seconds]
19:15 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 272 seconds]
19:34 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
19:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
19:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
20:15 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
20:34 -!- noobboob [uid5587@gateway/web/irccloud.com/x-wlfpqvffklpdrqdp] has joined #openvpn
21:12 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
21:13 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
21:25 -!- raidz is now known as raidz_away
22:49 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Remote host closed the connection]
23:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:42 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
--- Day changed Mon Jan 06 2014
00:10 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:10 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:30 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
00:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
00:51 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:13 -!- C-S-B [~C-S-B@host86-173-99-141.range86-173.btcentralplus.com] has quit [Ping timeout: 272 seconds]
01:17 -!- C-S-B [~C-S-B@host86-171-109-77.range86-171.btcentralplus.com] has joined #openvpn
01:21 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
01:32 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Remote host closed the connection]
01:32 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
01:38 -!- Ali_nz2 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has quit [Ping timeout: 272 seconds]
01:38 -!- al_nz1 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has joined #openvpn
01:45 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
01:46 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
01:48 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
01:48 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
01:48 -!- Gelos [sid17176@gateway/web/irccloud.com/x-wbktefgsdggmjudk] has joined #openvpn
01:48 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
01:48 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
01:48 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:48 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has joined #openvpn
01:48 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has joined #openvpn
01:48 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
01:48 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
01:48 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
01:48 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
01:48 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
01:48 -!- ServerMode/#openvpn [+ov krzee s0meone] by holmes.freenode.net
01:48 -!- Cr4zi3 [~killaz@76.74.171.253] has quit [Excess Flood]
01:48 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
01:48 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Max SendQ exceeded]
01:48 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
01:48 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
01:49 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 264 seconds]
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:05 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
02:06 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
02:15 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
02:37 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
02:39 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
02:42 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
02:55 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
03:04 -!- tfox_ [~tfox@199.21.149.182] has joined #openvpn
03:04 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Ping timeout: 276 seconds]
03:04 -!- tfox_ is now known as tfox
03:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:15 -!- defswork [~andy@141.0.50.105] has joined #openvpn
03:15 -!- elfixit [~Icedove@27-157.61-188.cust.bluewin.ch] has joined #openvpn
03:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:28 -!- anthonym [~anthonym@pdpc/supporter/professional/anthonym] has joined #openvpn
03:29 -!- tfox [~tfox@199.21.149.182] has quit [Quit: tfox]
03:30 -!- elfixit [~Icedove@27-157.61-188.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
03:31 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
03:32 -!- C-S-B [~C-S-B@host86-171-109-77.range86-171.btcentralplus.com] has quit [Ping timeout: 276 seconds]
03:37 -!- C-S-B [~C-S-B@host86-159-9-128.range86-159.btcentralplus.com] has joined #openvpn
03:40 -!- josefig [~josef@189.146.184.48] has joined #openvpn
03:40 -!- josefig [~josef@189.146.184.48] has quit [Changing host]
03:40 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
03:40 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
03:41 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
03:52 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
04:06 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:06 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:06 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:07 -!- mchou [~quassel@unaffiliated/mchou] has quit [Read error: Connection reset by peer]
04:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-yreiixufiuvanzbr] has quit [Remote host closed the connection]
04:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-ioxdfoqraenorwrp] has joined #openvpn
04:17 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 272 seconds]
04:19 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
04:44 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
04:44 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
04:51 -!- dcajacob05work [~dan@static-173-73-108-122.washdc.fios.verizon.net] has quit [Ping timeout: 272 seconds]
04:55 -!- dcajacob05work [~dan@static-173-73-108-122.washdc.fios.verizon.net] has joined #openvpn
04:56 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 272 seconds]
05:00 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has left #openvpn ["Leaving"]
05:01 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
05:01 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 272 seconds]
05:04 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
05:05 -!- BtbN [btbn@btbn.de] has joined #openvpn
05:08 -!- ex0a [~high@unaffiliated/ex0a] has quit [Ping timeout: 272 seconds]
05:13 -!- ex0a [~high@unaffiliated/ex0a] has joined #openvpn
05:18 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
05:20 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
05:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:30 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:35 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
05:36 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 252 seconds]
05:36 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
05:37 -!- BtbN [btbn@btbn.de] has joined #openvpn
05:46 -!- C-S-B [~C-S-B@host86-159-9-128.range86-159.btcentralplus.com] has quit [Ping timeout: 248 seconds]
05:53 -!- C-S-B [~C-S-B@host109-154-103-0.range109-154.btcentralplus.com] has joined #openvpn
06:13 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
06:27 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
06:29 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
06:40 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
06:45 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
06:48 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:51 -!- crus [~crusader@2001:44b8:319e:2900:9835:2f69:4e9b:963] has quit [Ping timeout: 246 seconds]
06:52 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
06:54 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:50 -!- franks2 [~frank@frank2.net] has quit [Ping timeout: 272 seconds]
07:51 -!- franks2 [~frank@frank2.net] has joined #openvpn
07:57 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
07:58 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
08:03 -!- ibins [~ibins@cl-147.ham-02.de.sixxs.net] has left #openvpn ["Verlassend"]
08:33 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
08:35 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
08:57 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Ping timeout: 245 seconds]
09:01 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
09:06 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
09:07 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
09:10 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 245 seconds]
09:14 -!- emid [~emid@192.241.162.156] has joined #openvpn
09:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:28 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 245 seconds]
09:28 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
09:40 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
10:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
10:10 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
10:16 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:20 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:31 -!- master_of_master [~master_of@p4FF2487A.dip0.t-ipconnect.de] has joined #openvpn
10:35 -!- master_o1_master [~master_of@p4FF24DBB.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
10:49 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
10:49 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 260 seconds]
10:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:52 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:53 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
10:53 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
10:59 -!- takamichi [~takamichi@85.12.8.14] has quit [Read error: Operation timed out]
11:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:05 -!- raidz_away is now known as raidz
11:05 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Read error: Operation timed out]
11:08 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 245 seconds]
11:08 -!- Guest48730 is now known as dazo
11:08 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
11:09 -!- Guest10517 [~nutron@184.68.34.30] has quit [Quit: I must go eat my cheese!]
11:09 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
11:09 -!- ngharo_ is now known as ngharo
11:11 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
11:11 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has quit [Ping timeout: 240 seconds]
11:21 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
11:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:21 -!- mode/#openvpn [+v s7r] by ChanServ
11:23 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 276 seconds]
11:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 260 seconds]
11:32 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:34 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:35 -!- csd199 [emilio_san@187.209.180.52] has joined #openvpn
11:36 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
11:40 -!- anthonym [~anthonym@pdpc/supporter/professional/anthonym] has quit [Ping timeout: 248 seconds]
11:42 < csd199> I have an OpenVPN CentOS 6 server in my main office and a CentOS 6 server as client in my branch office. I have the route option up and I can ping the servers each other. Now, I'm using an application (asterisk) and I see something very strange, I want to use the local IP's to connect the IAX channels from the asterisk, but they don't work. They work if I use the URL, but I want to send
11:42 < csd199> everything in the VPN, now, if I use the TUN IP's, the system works. This means, using the TUN IP's, works. If I use the local IP's, it does't work. The guys from asterisk tell me that there is a routing problem, but the OpenVPN is making the routing... right? that is my question, or do I have to declare a fixed route? Can you help?
11:45 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
11:45 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
11:52 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 248 seconds]
11:53 < csd199> I have an OpenVPN CentOS 6 server in my main office and a CentOS 6 server as client in my branch office. I have the route option up and I can ping the servers each other. Now, I'm using an application (asterisk) and I see something very strange, I want to use the local IP's to connect the IAX channels from the asterisk, but they don't work. They work if I use the URL, but I want to send
11:53 < csd199> everything in the VPN, now, if I use the TUN IP's, the system works. This means, using the TUN IP's, works. If I use the local IP's, it does't work. The guys from asterisk tell me that there is a routing problem, but the OpenVPN is making the routing... right? that is my question, or do I have to declare a fixed route? Can you help?
11:54 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
11:55 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:57 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
12:00 <@EugeneKay> You don't need to ask repeatedly
12:00 <@EugeneKay> !route
12:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
12:00 <@vpnHelper> client
12:01 <@EugeneKay> Read ^
12:04 < csd199> ok, I'll read the documents. Thank you.
12:16 < _manfred__> !welcome
12:16 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:16 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:17 -!- _manfred__ is now known as _manfred_
12:23 -!- bjh4 [~bjh4@ool-4354103f.dyn.optonline.net] has joined #openvpn
12:23 -!- tfox [~tfox@199.21.149.182] has quit [Quit: tfox]
12:24 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
12:26 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
12:28 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
12:29 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
12:39 -!- EmLeX_ [~emx@37.46.193.18] has quit [Quit: Bye.]
12:39 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
12:42 -!- C-S-B [~C-S-B@host109-154-103-0.range109-154.btcentralplus.com] has quit [Ping timeout: 276 seconds]
12:48 -!- C-S-B [~C-S-B@host86-166-155-46.range86-166.btcentralplus.com] has joined #openvpn
12:50 -!- frenchface [~jonathan@71-90-215-45.dhcp.spbg.sc.charter.com] has quit [Ping timeout: 252 seconds]
12:55 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
13:18 < csd199> !clientlan
13:18 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
13:18 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:21 < csd199> !route_outside_openvpn
13:21 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
13:26 -!- dazo is now known as dazo_afk
13:35 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
13:38 -!- tfox [~tfox@199.21.149.182] has quit [Client Quit]
13:40 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
13:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:48 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
13:53 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
13:56 < csd199> is there a way to check the route made by openvpn?
13:57 < csd199> a command or something like that
13:58 < Aketzu> logs show what routes openvpn has added
13:59 < Aketzu> for all routes 'ip r' in linux, 'route print' in windows
14:02 < csd199> thank you
14:10 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
14:11 -!- _manfred_ [~IceChat77@12.109.211.60] has left #openvpn []
14:12 -!- citrusfizz [~chatzilla@70.184.40.66] has joined #openvpn
14:18 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
14:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:41 -!- csd199 [emilio_san@187.209.180.52] has quit [Read error: Connection reset by peer]
14:41 -!- csd199 [~emilio_sa@187.209.180.52] has joined #openvpn
15:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:02 -!- al_nz1 [~Ali_nz1@118-92-11-42.dsl.dyn.ihug.co.nz] has quit []
15:03 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has joined #openvpn
15:08 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
15:15 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
15:19 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
15:24 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
15:37 -!- jbrhbr [~jrrrj@173-228-17-227.dsl.static.sonic.net] has joined #openvpn
15:37 -!- jbrhbr [~jrrrj@173-228-17-227.dsl.static.sonic.net] has left #openvpn []
15:40 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
15:50 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
15:55 -!- volnukhin_ [~ka4ok@141.0.170.169] has quit [Quit: No Ping reply in 180 seconds.]
16:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:03 -!- kossy [a@kossy.org] has quit [Ping timeout: 272 seconds]
16:04 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
16:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:11 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
16:12 -!- kossy [a@kossy.org] has joined #openvpn
16:25 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
17:03 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
17:03 -!- fallout [~fallout@unaffiliated/fallout] has joined #openvpn
17:03 < fallout> !welcome
17:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:09 -!- csd199 [~emilio_sa@187.209.180.52] has quit []
17:10 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:11 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
17:16 -!- tfox [~tfox@199.21.149.182] has quit [Quit: tfox]
17:31 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 272 seconds]
17:31 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
17:33 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 245 seconds]
17:34 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:46 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:52 -!- csd199 [emilio_san@187.209.180.52] has joined #openvpn
17:52 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
17:53 < csd199> hello. How can I configure the clients to have a fixed TUN IP? that means, openvpn server provides an IP, but I want to have a fixed IP for each client, where do I have to configure that?
17:54 < pekster> csd199, read about:
17:54 < pekster> !static
17:54 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range
17:58 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
17:58 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
17:59 -!- Fetch [fetch@gimel.cepheid.org] has joined #openvpn
18:00 < pekster> !learn static as See also: !addressing
18:00 <@vpnHelper> Joo got it.
18:00 < pekster> !addressing
18:00 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
18:01 -!- bersace_ [~bersace@sevin.cae.li] has joined #openvpn
18:02 -!- mrrg_ [~notabot@delicious.sykosys.jp] has joined #openvpn
18:02 -!- Netsplit *.net <-> *.split quits: C-S-B, dimm0k, hgax, mete, mrrg, tfox, Fetch_, Pisuke, MeanderingCode, Cpt-Oblivious,  (+1 more, use /NETSPLIT to show all of them)
18:02 -!- C_S_B [~C-S-B@host86-166-155-46.range86-166.btcentralplus.com] has joined #openvpn
18:02 -!- hgax_ [~hgax@162.243.112.153] has joined #openvpn
18:03 -!- Eryn_1983_FL [~Eryn_1983@72.238.104.100] has left #openvpn ["WeeChat 0.3.8"]
18:03 -!- C_S_B is now known as C-S-B
18:04 -!- Netsplit over, joins: mete
18:04 -!- Netsplit over, joins: MeanderingCode
18:06 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
18:07 < csd199> ok, tankyou very much! I'll read the document.
18:11 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
18:12 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
18:14 < csd199>  !static
18:15 < csd199> !static
18:15 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
18:15 <@vpnHelper> also: !addressing
18:15 < csd199> !addressing
18:15 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
18:15 -!- Cpt-Oblivious_ is now known as Cpt-Oblivious
18:28 -!- tfox [~tfox@199.21.149.182] has quit [Quit: tfox]
18:37 -!- bjh4 [~bjh4@ool-4354103f.dyn.optonline.net] has quit [Quit: Leaving]
18:46 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
19:03 -!- tfox [~tfox@199.21.149.182] has quit [Ping timeout: 240 seconds]
19:05 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
19:11 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Ping timeout: 260 seconds]
19:11 -!- tfox [~tfox@199.21.149.182] has joined #openvpn
19:14 -!- tfox_ [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
19:16 -!- tfox [~tfox@199.21.149.182] has quit [Ping timeout: 260 seconds]
19:16 -!- tfox_ is now known as tfox
19:20 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Ping timeout: 240 seconds]
19:23 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
19:32 -!- csd199 [emilio_san@187.209.180.52] has quit []
19:33 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
19:34 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
19:44 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
19:51 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
19:51 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
19:54 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:58 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
19:59 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 253 seconds]
20:05 -!- Martyn [~Martin@12.130.118.4] has joined #openvpn
20:09 -!- Martyn [~Martin@12.130.118.4] has quit [Client Quit]
20:16 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
20:16 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
20:28 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
20:39 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit []
20:50 -!- novaflash is now known as novaflash_away
20:51 -!- novaflash_away is now known as novaflash
21:02 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
21:03 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
21:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:29 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 276 seconds]
21:36 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:48 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
22:07 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 272 seconds]
22:29 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
22:48 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:48 < ljvb> evening
22:51 < ljvb> my googling has come up empty.. I had to rebuild one of my vps/vpn hosts.. I kept the same config files, that worked previously, however now the static routes are not being pushed
22:51 < ljvb> I get ERROR: FreeBSD route add command failed: external program exited with error status: 1
22:52 < ljvb> cannot seem to find anything recent about the issue (the only difference between the old and new was FBSD 9.1RC and now FBSD 9.2 release)
22:54 < ljvb> the tunnel is up and works, it is just not pushing the static routes
22:58 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Ping timeout: 240 seconds]
22:59 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
23:01 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
23:03 -!- citrusfizz [~chatzilla@70.184.40.66] has quit [Ping timeout: 248 seconds]
23:06 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: fix it later]
23:15 -!- bogie [bogie@2001:4ba0:fffd:65::101] has quit [Ping timeout: 245 seconds]
23:16 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
23:16 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has quit [Ping timeout: 252 seconds]
23:21 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has joined #openvpn
23:22 -!- bogie [bogie@mail.b02.a01.ca] has joined #openvpn
23:23 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
23:25 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
23:26 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
23:28 -!- eliasp_ [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
23:28 -!- jefferai_gone [~quassel@corkblock.jefferai.org] has joined #openvpn
23:28 -!- jefferai [~quassel@kde/mitchell] has quit [Write error: Broken pipe]
--- Log closed Mon Jan 06 23:31:56 2014
--- Log opened Mon Jan 06 23:32:14 2014
23:32 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn
23:32 -!- Irssi: #openvpn: Total of 217 nicks [9 ops, 0 halfops, 33 voices, 175 normal]
23:32 -!- mode/#openvpn [+o ecrist_] by ChanServ
23:32 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Read error: Operation timed out]
23:32 -!- Irssi: Join to #openvpn was synced in 50 secs
23:34 -!- mingdao_ [~mingdao@unaffiliated/mingdao] has joined #openvpn
23:34 -!- azi_ [~azi@unaffiliated/aquana] has joined #openvpn
23:36 -!- Netsplit *.net <-> *.split quits: |1li, master_of_master, mrrg_, klaxa, guntha, hive-mind, kirin`, fvalente, Fetch, supergauntlet,  (+2 more, use /NETSPLIT to show all of them)
23:36 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has joined #openvpn
23:36 -!- Netsplit over, joins: Fetch
23:36 -!- supergauntlet [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has joined #openvpn
23:36 -!- Netsplit over, joins: rooth, master_of_master
23:36 -!- supergauntlet [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has quit [Changing host]
23:36 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
23:36 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
23:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-jdfnhapskedzetbu] has joined #openvpn
23:36 -!- Netsplit over, joins: |1li
23:36 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
23:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
23:37 -!- Netsplit over, joins: fvalente
23:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
23:38 -!- marlinc_ [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
23:39 -!- `Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
23:39 -!- Netsplit *.net <-> *.split quits: meepmeep_, Nothing4You, +matsh, mingdao, clyons, Stew-a, marlinc, @ecrist, +kevinsky, manitu,  (+2 more, use /NETSPLIT to show all of them)
23:40 -!- Netsplit over, joins: Stew-a
23:41 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
23:41 -!- Netsplit over, joins: surfmasta
23:41 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
23:41 -!- guntha_ [~guntha@guntha.thecagedog.com] has joined #openvpn
23:41 -!- `Nothing4You is now known as Nothing4You
23:48 -!- mingdao_ [~mingdao@unaffiliated/mingdao] has quit [Ping timeout: 265 seconds]
--- Log closed Mon Jan 06 23:53:04 2014
--- Log opened Mon Jan 06 23:53:20 2014
23:53 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
23:53 -!- Irssi: #openvpn: Total of 210 nicks [8 ops, 0 halfops, 31 voices, 171 normal]
23:53 -!- mode/#openvpn [+o ecrist] by ChanServ
23:53 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
23:54 -!- Irssi: Join to #openvpn was synced in 47 secs
23:54 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
23:55 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
23:55 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
23:55 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
23:57 -!- fvalente [~fvalente@ts.node.pt] has joined #openvpn
23:57 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
23:59 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
--- Day changed Tue Jan 07 2014
00:00 -!- crus [~crusader@crus0r.soho.on.net] has quit [Read error: Connection reset by peer]
00:06 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
00:20 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Write error: Broken pipe]
01:03 -!- anthonym [~anthonym@pdpc/supporter/professional/anthonym] has quit []
01:20 -!- mattock_afk is now known as mattock
01:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:32 -!- peper [~peper@node.piotrj.org] has quit [Ping timeout: 245 seconds]
01:39 -!- Eagleman77 [~Eagleman7@188.65.190.23] has joined #openvpn
01:39 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
01:39 < Eagleman77> Hi, any idea why i cant use the tray icon on windows server 2008 to open openvpn?
01:40 < Eagleman77> I am unable to connect to my vpn on windows server 2008
01:42 < reiffert> run as administrator.
01:42 < Eagleman77> i did
01:44 < Eagleman77> I can only right click the tray icon, not double clicking it
01:45 < Eagleman77> I can double click the mirc icon in the system tray, which then opens
01:47 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:55 -!- Eagleman77 [~Eagleman7@188.65.190.23] has quit [Ping timeout: 260 seconds]
01:56 <@krzee> cause right click it, thats why
02:00 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Read error: Connection reset by peer]
02:01 -!- Eagleman77 [~Eagleman7@188.65.190.23] has joined #openvpn
02:01 < Eagleman77> ANy idea?
02:04 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:04 -!- mode/#openvpn [+o dazo_afk] by ChanServ
02:04 -!- dazo_afk is now known as dazo
02:15 <@krzee> just right click it
02:17 < Eagleman77> then i would only get settings
02:17 < Eagleman77> or exit
02:17 <@krzee> do you have an .ovpn file in the config dir?
02:18 < Eagleman77> yes
02:18 <@krzee> what happens when you go double click it
02:19 <@krzee> either the file isnt in the right place, is named wrong, or openvpn wasnt started as admin
02:19 <@krzee> !winadmin
02:30 -!- |1li__ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
02:31 -!- Eagleman77 [~Eagleman7@188.65.190.23] has quit [Ping timeout: 276 seconds]
02:33 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
02:34 -!- |1li_ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Ping timeout: 276 seconds]
02:35 -!- |1li__ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Ping timeout: 272 seconds]
02:41 -!- Eagleman77 [~Eagleman7@vpn.eagleman.net] has joined #openvpn
02:41 < Eagleman77> krzee, the openvpn config was missing, got it working now, thanks
02:42 <@krzee> yw
02:42 <@krzee> but when asked, check before answering
02:56 -!- defswork [~andy@141.0.50.105] has quit [Remote host closed the connection]
02:56 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
03:20 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
03:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
03:40 -!- defswork [~andy@141.0.50.105] has joined #openvpn
03:42 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 264 seconds]
03:51 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 248 seconds]
04:22 -!- MorgyN_ is now known as MorgyN
04:24 -!- occup4nt [~null@204.14.158.226] has joined #openvpn
04:24 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Ping timeout: 245 seconds]
04:24 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
04:26 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 245 seconds]
04:26 -!- occupant [~null@204.14.158.226] has quit [Ping timeout: 245 seconds]
04:32 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
04:38 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
04:40 -!- occup4nt [~null@204.14.158.226] has quit [Read error: Connection reset by peer]
04:40 -!- occup4nt [~null@204.14.158.226] has joined #openvpn
04:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 276 seconds]
04:48 -!- takamichi [~takamichi@c261.adsl.inet-telecom.org] has joined #openvpn
04:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
04:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:52 -!- bersace_ is now known as bersace
04:55 -!- marlinc_ [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
04:55 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
04:56 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
04:56 -!- Eagleman77 [~Eagleman7@vpn.eagleman.net] has quit [Ping timeout: 248 seconds]
04:59 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
05:03 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:38 < kalloc> hi
05:38 < kalloc> somebody writes extension for openvpn?
05:44 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
05:45 <@plaisthos> kalloc: see !goal
05:45 <@plaisthos> !goal
05:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:45 < kalloc> !goal
05:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:46 < kalloc> :D
05:57 -!- azi_ is now known as azi
06:10 -!- takamichi [~takamichi@c261.adsl.inet-telecom.org] has quit [Quit: Computer has gone to sleep.]
06:13 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 272 seconds]
06:23 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
06:26 -!- heraclitus__ [~heraclitu@vpn.planetcrypto.com] has joined #openvpn
06:27 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Quit: So long, meatbags!]
06:27 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
06:40 -!- klein [~klein@187.85.179.98] has joined #openvpn
06:40 -!- klein [~klein@187.85.179.98] has quit [Changing host]
06:40 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:47 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:03 -!- aemquo [~UN@unaffiliated/aemquo] has joined #openvpn
07:03 < aemquo> How does one make it so that one does not need to type in one's username and password when connecting to a vpn that requires it?
07:07 -!- aemquo [~UN@unaffiliated/aemquo] has quit [Client Quit]
07:15 -!- clyons [~kvirc@46.7.192.26] has joined #openvpn
08:08 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
08:32 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
08:35 -!- azi [~azi@unaffiliated/aquana] has quit [Ping timeout: 260 seconds]
08:35 -!- azi [~azi@unaffiliated/aquana] has joined #openvpn
08:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:55 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
08:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
09:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
09:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 276 seconds]
09:51 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
10:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:31 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:31 -!- master_o1_master [~master_of@p4FF24928.dip0.t-ipconnect.de] has joined #openvpn
10:35 -!- master_of_master [~master_of@p4FF2487A.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
10:35 -!- heraclitus__ is now known as heraclitus
10:35 -!- heraclitus [~heraclitu@vpn.planetcrypto.com] has quit [Changing host]
10:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
10:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
10:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:39 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 260 seconds]
10:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:49 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
10:50 -!- novaflash_away is now known as novaflash
10:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
11:13 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 248 seconds]
11:21 -!- dazo is now known as dazo_afk
11:22 -!- dcajacob05work [~dan@static-173-73-108-122.washdc.fios.verizon.net] has quit [Remote host closed the connection]
11:22 -!- jefferai [~quassel@kde/mitchell] has joined #openvpn
11:24 -!- jefferai_gone [~quassel@corkblock.jefferai.org] has quit [Ping timeout: 276 seconds]
11:27 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
11:28 -!- gardar- [~gardar@bnc.giraffi.net] has joined #openvpn
11:29 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:30 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:31 -!- kro[au]] [~thatguy@kgovps.net] has joined #openvpn
11:33 -!- marlinc_ [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
11:34 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 246 seconds]
11:34 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Ping timeout: 246 seconds]
11:34 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 246 seconds]
11:34 -!- kro[au] [~thatguy@kgovps.net] has quit [Ping timeout: 246 seconds]
11:34 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 246 seconds]
11:34 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Ping timeout: 615 seconds]
11:34 -!- kro[au]] is now known as kro[au]
11:35 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
11:35 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
11:35 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:35 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
11:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:40 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has joined #openvpn
11:40 < jp> !paste
11:40 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
11:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:43 -!- lickalott_ [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
11:46 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
11:46 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
11:48 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:48 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:50 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Ping timeout: 240 seconds]
11:50 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
11:50 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has quit [Ping timeout: 240 seconds]
11:50 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
11:50 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
11:50 -!- Gelos [sid17176@gateway/web/irccloud.com/x-wbktefgsdggmjudk] has quit [Ping timeout: 240 seconds]
11:50 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
11:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 240 seconds]
11:50 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has quit [Ping timeout: 240 seconds]
11:50 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 240 seconds]
11:50 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has quit [Ping timeout: 240 seconds]
11:50 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
11:51 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
11:51 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 240 seconds]
11:51 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 240 seconds]
11:51 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 240 seconds]
11:51 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
11:51 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
11:51 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:51 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
11:51 -!- Gelos [sid17176@gateway/web/irccloud.com/x-xvxqysdigdykzdqg] has joined #openvpn
11:51 -!- krzee [~k@openvpn/community/support/krzee] has left #openvpn []
11:51 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:51 -!- mbff_ [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
11:51 -!- Stew-a [~Stewart@host86-131-120-36.range86-131.btcentralplus.com] has joined #openvpn
11:51 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
11:51 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has joined #openvpn
11:51 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
11:51 -!- mode/#openvpn [+o krzee] by ChanServ
11:52 -!- Stew-a [~Stewart@host86-131-120-36.range86-131.btcentralplus.com] has quit [Changing host]
11:52 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
11:52 < jp> http://pastebin.com/3MkwsEG5
11:52 < jp> "failed to find GID for group openvpn
11:52 < jp> "
11:52 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Changing host]
11:52 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
11:52 < jp> grrr
11:53 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
11:53 < jp> here is my config file too,
11:53 < jp> http://pastebin.com/GXE7d407
11:54 < jp> when starting from CLI it doesn't echo any errors but it also doesn't seem to be working., Thank god for syslog
11:54 <@krzee> you told it to run as group vpn but that group does not exist on your system
11:54 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:54 <@krzee> change it to run as a group that exists, or make the group exist
11:54 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:55 <@krzee> s/vpn/openvpn/
11:56 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
11:56 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
11:56 <@krzee> and you actually specified your own auth method, and went with MD5...
11:56 <@krzee> and went with AES 256 for your cipher
11:56 < jp> krzee thanks but don't know how to do that (group)
11:56 <@krzee> interesting combo
11:56 < jp> I want AES 256 MD5 as that's what the server supports
11:56 < jp> "supports"
11:56 <@krzee> you dont run the server?
11:57 < jp> nope
11:57 < jp> I'm client side
11:57 <@krzee> do this:
11:57 <@krzee> finger openvpn
11:57 < jp> similar to RTFM?
11:57 <@krzee> no
11:57 <@krzee> i wanna know if the user exists
11:58 < jp> ok I have to install finger
11:58 <@krzee> nah nevermin
11:58 < jp> kk
11:58 <@krzee> grep openvpn /etc/passwd
11:58 <@krzee> does it exist?
11:59 < jp> jp@jpvault:/etc/openvpn$ sudo grep openvpn /etc/passwd
11:59 < jp> jp@jpvault:/etc/openvpn$
11:59 <@krzee> what os are you on?
11:59 <@krzee> linux?
11:59 < jp> doesn't appear to.... Ubuntu
11:59 < jp> 12.04 lts server version
11:59 < jp> sorry thought I specified that
11:59 <@krzee> grep nobody /etc/passwd
12:00 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
12:00 < jp> grep nobody /etc/passwd
12:00 < jp> jp@jpvault:/etc/openvpn$ grep nobody /etc/passwd
12:00 < jp> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
12:00 < jp> jp@jpvault:/etc/openvpn$
12:00 < jp> I need a user named nobody?
12:00 <@krzee> grep no /etc/group
12:01 <@krzee> jp...
12:03 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
12:03 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:04 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: Lost terminal]
12:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
12:05 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:09 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
12:09 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
12:09 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 240 seconds]
12:09 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
12:09 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
12:09 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 240 seconds]
12:09 -!- Gelos [sid17176@gateway/web/irccloud.com/x-xvxqysdigdykzdqg] has quit [Ping timeout: 240 seconds]
12:09 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 240 seconds]
12:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
12:09 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has quit [Ping timeout: 240 seconds]
12:09 -!- mbff_ [~mbff@2605:6400:1:fed5:22:656:343:3e46] has quit [Ping timeout: 240 seconds]
12:09 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
12:09 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
12:09 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
12:09 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
12:09 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
12:09 < krzee> !ping
12:09 <@vpnHelper> pong
12:10 -!- mode/#openvpn [+o krzee] by ChanServ
12:10 -!- mbff_ [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
12:10 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has joined #openvpn
12:10 -!- Gelos [sid17176@gateway/web/irccloud.com/x-tsgzloraiwwyuajx] has joined #openvpn
12:11 <@krzee> in your openvpn config change "user openvpn" to "user nobody"     and change "group openvpn" to "group nogroup"
12:11 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Changing host]
12:11 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
12:11 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
12:11 -!- jp is now known as __JP__
12:11 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:11 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:11 < __JP__> sweet looking into that rt now
12:11 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
12:11 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
12:11 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
12:12 <@krzee> to sum it up, you can only run openvpn as a user/group that actually exists on the system
12:12 < __JP__> duh, that makes sence
12:12 < __JP__> cents
12:12 < __JP__> or even sense
12:12 <@krzee> sense
12:13 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
12:17 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
12:17 -!- mode/#openvpn [+v rob0] by ChanServ
12:17 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:17 <+rob0> scents
12:17 -!- jp__ [~jp@79.141.170.8] has joined #openvpn
12:18 -!- mode/#openvpn [+o rob0] by ChanServ
12:18 < jp__> and I just picked up the IP I needed. Thanks krzee I would give you some reddit gold if I could
12:19 <@krzee> i dunno what it is but i actually have an account on reddit
12:21 -!- __JP__ [~jp@CPE-65-31-82-210.wi.res.rr.com] has quit [Ping timeout: 272 seconds]
12:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
12:24 -!- keithzg [~quassel@184.70.164.246] has joined #openvpn
12:24 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:28 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: Lost terminal]
12:30 -!- mode/#openvpn [-qo rob0!*@* rob0] by rob0
12:43 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
12:47 -!- Netsplit *.net <-> *.split quits: dimm0k
12:47 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
12:47 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
12:47 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
12:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
13:01 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
13:01 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
13:01 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
13:01 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 240 seconds]
13:01 -!- Gelos [sid17176@gateway/web/irccloud.com/x-tsgzloraiwwyuajx] has quit [Ping timeout: 240 seconds]
13:01 -!- mbff_ [~mbff@2605:6400:1:fed5:22:656:343:3e46] has quit [Ping timeout: 240 seconds]
13:01 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
13:01 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 240 seconds]
13:01 -!- jp__ [~jp@79.141.170.8] has quit [Ping timeout: 240 seconds]
13:01 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 240 seconds]
13:01 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
13:01 -!- jp__ [~jp@79.141.170.8] has joined #openvpn
13:04 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
13:06 -!- Gelos [sid17176@gateway/web/irccloud.com/x-wtrqpmkgpcjqvxdn] has joined #openvpn
13:06 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
13:06 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
13:06 -!- mbff_ [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
13:06 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
13:06 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
13:06 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
13:06 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:07 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Changing host]
13:07 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
13:07 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
13:07 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
13:08 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
13:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:13 < krzee> what was my quit msg?
13:13 < krzee> !ping
13:13 <@vpnHelper> pong
13:14 <@ecrist> 13:01:18 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer
13:14 < krzee> thx
13:20 <+rob0> Connection reset by beer
13:21 -!- jp__ [~jp@79.141.170.8] has quit [Ping timeout: 265 seconds]
13:21 <+rob0> Connection reset by peer (you have to pee after all that beer)
13:22 < krzee> !beer
13:22 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
13:23 < krzee> was nice of that guy to get me reddit gold =]
13:29 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
13:31 -!- maskedlua_ is now known as maskedlua
13:32 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
13:41 -!- jp__ [~jp@CPE-65-31-82-210.wi.res.rr.com] has joined #openvpn
13:47 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
14:08 -!- mattock is now known as mattock_afk
14:23 < sander__> How do I generate a openvpn .crt?
14:23 < krzee> !easy-rsa
14:23 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
14:23 < krzee> !ssl-admin
14:23 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
14:23 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has joined #openvpn
14:24 < krzee> ild say easy-rsa is most commonly used
14:24 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
14:24 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
14:24 -!- mode/#openvpn [+o novaflash] by ChanServ
14:27 < sander__> krzee, I installed easyrsa on ubuntu.. But I dont know how to invoke the commands. And the howto explains to do it from the github. Ive tried to locate the easyrsa command.. dosnt exist.
14:27 < krzee> see #3 above
14:29 < sander__> easyrsa contains the command make-cadir
15:06 -!- mattock_afk is now known as mattock
15:16 -!- atojs [~atojs@cpe-69-203-16-244.nyc.res.rr.com] has joined #openvpn
15:16 < atojs> hi
15:17 < atojs> trying to resolve the code 55, i am not pushing any routes and not using def gateway, could it be something else?
15:17 -!- mattock is now known as mattock_afk
15:18 < atojs> everything seems to work, just the server daemon spewing code 55
15:22 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
15:28 -!- Cpt-Oblivious_ [chatzilla@v134.vpn.tue.nl] has joined #openvpn
15:29 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
15:30 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
15:30 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
15:31 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:31 -!- mode/#openvpn [+o raidz] by ChanServ
15:31 -!- occup4nt is now known as occupant
15:34 -!- written_direcon [~written_d@p200300624A07FD00A83DF33FD2225D68.dip0.t-ipconnect.de] has joined #openvpn
15:34 < written_direcon> hi, i got openvpn up and running. means, routing over the tunnel works.
15:35 < written_direcon> problem is, dns resolution isn't working
15:35 < written_direcon> any ideas?
15:35 < written_direcon> (it's on a linux system)
15:35 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Client Quit]
15:36 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
15:36 -!- raidz_away is now known as raidz
15:36 -!- raidz [~raidz@raidz.im] has quit [Changing host]
15:36 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:36 -!- mode/#openvpn [+o raidz] by ChanServ
15:38 -!- jp__ [~jp@CPE-65-31-82-210.wi.res.rr.com] has quit [Ping timeout: 245 seconds]
15:39 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Client Quit]
15:40 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
15:40 -!- raidz_away is now known as raidz
15:40 -!- raidz [~raidz@raidz.im] has quit [Changing host]
15:40 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:40 -!- mode/#openvpn [+o raidz] by ChanServ
15:41 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
15:44 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
15:46 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
15:46 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
15:46 -!- Cpt-Oblivious_ [chatzilla@v134.vpn.tue.nl] has quit [Ping timeout: 252 seconds]
15:47 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:47 -!- mode/#openvpn [+o raidz] by ChanServ
15:47 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
15:47 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Client Quit]
15:48 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
15:48 -!- raidz_away is now known as raidz
15:48 -!- raidz [~raidz@raidz.im] has quit [Changing host]
15:48 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:48 -!- mode/#openvpn [+o raidz] by ChanServ
15:48 < atojs> written_direcon: do you control the dns on both end?
15:50 < written_direcon> atojs, no. only on the client side
15:50 < atojs> then add them to your host file
15:51 -!- jp__ [~jp@79.141.170.8] has joined #openvpn
15:52 < written_direcon> okie, thanks :-)
15:52 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
15:53 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
15:55 <+rob0> !factoids search dns
15:55 <@vpnHelper> 'dns', 'splitdns', 'win-dns-vista-7', 'win-dns-xp', 'win-dns', 'opendns', 'nodns', 'pushdns', 'windns', 'dnsmasq', and 'dnsbind'
15:55 <+rob0> !dnsmasq
15:55 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
15:58 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
15:59 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:01 -!- krzee [~k@2610:150:4002::3:1] has left #openvpn []
16:01 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
16:04 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:04 -!- written_direcon [~written_d@p200300624A07FD00A83DF33FD2225D68.dip0.t-ipconnect.de] has left #openvpn ["Leaving"]
16:05 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:11 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:11 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:17 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:17 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:19 -!- supergauntlet_ [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has quit [Changing host]
16:19 -!- supergauntlet_ [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
16:19 -!- supergauntlet_ is now known as supergauntlet
16:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:29 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:29 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:34 -!- Cultist [~CultOfThe@2601:d:9280:fc:8634:97ff:fe17:5dc3] has quit [Ping timeout: 252 seconds]
16:35 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
16:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:37 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:38 -!- jp__ [~jp@79.141.170.8] has quit [Ping timeout: 272 seconds]
16:41 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:41 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:42 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:47 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:47 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:48 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
16:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:53 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:53 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:54 -!- jp__ [~jp@CPE-65-31-82-210.wi.res.rr.com] has joined #openvpn
16:59 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
16:59 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
16:59 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [K-Lined]
17:02 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
17:07 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
17:08 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
17:08 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
17:09 -!- p3rror [~mezgani@41.140.4.140] has joined #openvpn
17:10 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
17:11 -!- raidz_away is now known as raidz
17:11 -!- raidz [~raidz@raidz.im] has quit [Changing host]
17:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:11 -!- mode/#openvpn [+o raidz] by ChanServ
17:13 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Client Quit]
17:14 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
17:14 -!- raidz_away is now known as raidz
17:14 -!- raidz [~raidz@raidz.im] has quit [Changing host]
17:14 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:14 -!- mode/#openvpn [+o raidz] by ChanServ
17:14 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
17:14 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
17:16 -!- p3rror [~mezgani@41.140.4.140] has quit [Quit: Leaving]
17:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
17:20 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
17:21 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
17:25 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
17:36 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:44 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:44 -!- mode/#openvpn [+o raidz] by ChanServ
17:44 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
17:47 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 252 seconds]
17:49 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
17:57 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:36 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
18:37 -!- james41382_ is now known as james41382
18:37 -!- azi [~azi@unaffiliated/aquana] has quit [Read error: Connection reset by peer]
18:37 -!- azi [~azi@unaffiliated/aquana] has joined #openvpn
19:35 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
20:00 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
20:02 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:02 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:08 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
20:10 -!- krzee [~k@2610:150:4002::3:1] has left #openvpn []
20:10 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
20:10 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
20:10 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:10 -!- mode/#openvpn [+o krzee] by ChanServ
20:10 -!- mode/#openvpn [+v jp__] by krzee
20:27 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
20:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
20:45 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
20:48 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:17 -!- jp__ [~jp@CPE-65-31-82-210.wi.res.rr.com] has quit [Ping timeout: 240 seconds]
21:30 -!- jp__ [~jp@79.141.170.6] has joined #openvpn
21:33 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
21:34 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
21:38 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
21:55 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
22:20 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
22:21 -!- jp__ [~jp@79.141.170.6] has quit [Ping timeout: 240 seconds]
22:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:32 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Quit: Leaving]
22:36 < atojs> so dead
22:36 -!- atojs [~atojs@cpe-69-203-16-244.nyc.res.rr.com] has left #openvpn []
22:39 -!- jp__ [~jp@79.141.170.8] has joined #openvpn
22:44 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
23:04 -!- esde [~esde@107.150.1.2] has quit [Excess Flood]
23:04 -!- esde [~esde@107.150.1.2] has joined #openvpn
23:04 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 240 seconds]
23:05 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 240 seconds]
23:05 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
23:06 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
23:06 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:06 -!- mode/#openvpn [+o raidz] by ChanServ
23:06 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
23:14 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
23:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Client Quit]
23:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:57 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
--- Day changed Wed Jan 08 2014
00:06 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
00:06 -!- Gelos [sid17176@gateway/web/irccloud.com/x-wtrqpmkgpcjqvxdn] has quit [Ping timeout: 240 seconds]
00:07 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 240 seconds]
00:07 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
00:07 -!- Gelos [sid17176@gateway/web/irccloud.com/x-yssucnafrqssnrvy] has joined #openvpn
00:07 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 240 seconds]
00:07 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
00:07 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
00:08 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
00:08 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 240 seconds]
00:08 -!- mbff_ [~mbff@2605:6400:1:fed5:22:656:343:3e46] has quit [Ping timeout: 240 seconds]
00:27 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
00:29 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
01:01 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
01:01 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
01:01 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
01:01 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
01:01 -!- mode/#openvpn [+o raidz] by ChanServ
01:01 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
01:01 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
01:01 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
01:01 -!- mbff is now known as Guest8854
01:01 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
01:02 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
01:11 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:16 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
01:16 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 240 seconds]
01:22 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
01:22 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
01:25 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:25 -!- mode/#openvpn [+o mattock] by ChanServ
01:28 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:33 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 240 seconds]
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:38 -!- jp__ [~jp@79.141.170.8] has quit [Ping timeout: 240 seconds]
01:38 -!- jp__ [~jp@79.141.170.8] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:12 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
02:20 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
02:31 -!- marlinc_ [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
02:32 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
02:47 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
03:00 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 246 seconds]
03:14 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
03:39 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 245 seconds]
03:52 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
04:05 -!- Bretos1 [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 246 seconds]
04:07 -!- Bretos1 [~Bretos@vps.tyborek.pl] has joined #openvpn
04:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:38 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:06 -!- _KaszpiR_ [~kaszpir@unaffiliated/kaszpir/x-3157048] has joined #openvpn
05:07 < _KaszpiR_> hi
05:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
05:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:25 -!- jp__ [~jp@79.141.170.8] has quit [Ping timeout: 260 seconds]
05:31 -!- dazo_afk is now known as dazo
05:35 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 264 seconds]
05:56 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Read error: Connection reset by peer]
05:57 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
05:59 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
06:00 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
06:05 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
06:06 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
06:08 -!- mirco [~mirco@109.91.244.100] has joined #openvpn
06:10 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
06:45 -!- mirco [~mirco@109.91.244.100] has quit [Ping timeout: 240 seconds]
06:46 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 246 seconds]
06:46 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
06:51 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
07:00 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
07:39 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 265 seconds]
07:40 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 252 seconds]
07:42 -!- plm [~neo@200.175.61.1] has joined #openvpn
07:42 < plm> Hi all
07:42 < plm> people, how I do to create a openvpn tunnel for each ppp interface? I already has one tun0 running, but I have ppp0 and ppp1, So I would like one tun1 using ppp1, how I do?
07:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:49 < defswork> run multiple openvpns
07:53 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
07:55 -!- nixt [~nixt@103.1.153.195] has joined #openvpn
07:56 < nixt> !paste
07:56 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
07:56 < nixt> !configs
07:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:57 < plm> defswork: but in the client.conf how I do for to say what tun use what ppp? Here my client.conf in the openvpn client: http://dpaste.com/1542258/
08:11 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:13 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 272 seconds]
08:16 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:21 < plm> I not understand. I need one client.conf for each tun (tun0, tun1, .. tun10)? or in just the client.conf I put all?
08:22 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 264 seconds]
08:28 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:32 < plm> ohh ok, I create a client1.conf and start second client, but I need alwasys a different port connection to the server for each openvpn right?
08:40 -!- Netsplit *.net <-> *.split quits: troyt, @krzee, tapout, Guest8854, s0meone, @raidz, lachesis, Gman32, Cultist, dandy,  (+1 more, use /NETSPLIT to show all of them)
08:43 -!- Netsplit over, joins: @raidz, @krzee, lachesis, dandy, tapout, s0meone, troyt, intricate, Gman32, Guest8854 (+1 more)
08:53 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
08:54 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
08:58 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
09:11 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
09:13 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:17 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
09:20 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
09:22 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
09:23 < nixt> hello
09:24 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
09:37 -!- volnukhin [~ka4ok@141.0.170.169] has joined #openvpn
09:38 -!- nixt [~nixt@103.1.153.195] has quit [Ping timeout: 252 seconds]
09:44 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 246 seconds]
09:50 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:53 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has joined #openvpn
09:53 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has quit [Client Quit]
09:55 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has joined #openvpn
10:01 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
10:02 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
10:08 < plm> hey, how in server.conf I listen in two ports? This not works: "port 1194, 1195" why?
10:09 <@ecrist> do two port lines
10:09 <@ecrist> port 1194
10:09 <@ecrist> port 1195
10:09 -!- sneak [~sneak@unaffiliated/sneak] has joined #openvpn
10:11 < sneak> hi guys. i'm doing a pretty standard config, bridging a tap interface on a remote machine to a local lan on the openvpn server. the client dhcps over the ethernet bridge to the remote machine and receives a default gateway from that dhcp server - which knocks it completely offline because it overrides the default gateway it already had, on its own lan, which it needs to reach the openvpn server itself.  is there any easy way to tell it to use the default 
10:11 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:14 < sneak> http://openvpn.net/index.php/open-source/faq/community-software-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html
10:14 <@vpnHelper> Title: I want to set up an ethernet bridge on the 192.168.1.0/24 subnet. existing DHCP. (at openvpn.net)
10:14 < sneak> this issue
10:14 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
10:14 < plm> ecrist: How I set tun0 to ppp0, tun1 to ppp1, tun2 to ppp2 and so on? I need start ppp0, after start tun0, after ppp1 and after tun1, in sequence?
10:15 -!- bovered [~ma1com10t@host-92-20-34-44.as13285.net] has joined #openvpn
10:17 < bovered> if using --mode server --topology net30, does the server address have to be x.x.x.1 or could i use --ifconfig x.x.x.101 x.x.x.102 and manually setup routing wrc ?
10:17 < bovered> *etc
10:18 < plm> After I add that "port 1194 port 1195" (one each line) I have connection refused in the client:  ovpn-client[2400]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
10:18 -!- eliasp_ is now known as eliasp
10:18 < plm> why?
10:19 -!- tfox [~tfox@199.19.95.160] has quit [Client Quit]
10:19 < bovered> plm: which port is your server listening on 1194 or 1195 ?
10:20 < plm> bovered: both: port 1194
10:20 < plm> port 1195
10:21 < plm> bovered: before I add second line (port 1195) connection was ok.
10:22 < bovered> so your server is only listening on 1194
10:22 < plm> bovered: But I need to create a tunnel for each ppp (ppp0 -> tun0 and ppp1 -> tun1)
10:22 < plm> bovered: so, how I listen in more than one port for have two tunnels?
10:23 < bovered> you need two server.conf
10:23 < plm> bovered: ohhh.. like as in the client...
10:23 < bovered> server1194.conf & server1195.conf
10:23 < plm> bovered: strange that in the client the /etc/init.d/openvpn start <tab> show all clients, with server not... why?
10:24 < plm> bovered: few minutes ago I just create a server2.conf and back ebcouse now show in tab =D
10:24 < bovered> don't know - don't use net-man
10:25 < bovered> if using --mode server --topology net30, does the server address have to be x.x.x.1 or could i use --ifconfig x.x.x.101 x.x.x.102 and manually setup routing wrc ?
10:26 < bovered> if using --mode server --topology net30, does the server address have to be x.x.x.1 or could i use --ifconfig x.x.x.101 x.x.x.102 and manually setup routing etc ?
10:32 -!- master_of_master [~master_of@p4FF248B4.dip0.t-ipconnect.de] has joined #openvpn
10:33 -!- master_o1_master [~master_of@p4FF24928.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
10:37 -!- nixt [~nixt@103.13.241.25] has joined #openvpn
10:37 < plm> bovered: I have two dongles 3g. I just not understand how to configure ppp0 -> tun0, ppp1 -> tun1? I need to do in sequence? like as start ppp0 after start openvpn0, and after start ppp1 and openvpn1?
10:38 < plm> bovered: I tryed that too, in the sequence, but after that, just tun1 ping to openvpn server..
10:41 < plm> bovered: ohh sorry, After a time tun0 back to ping...
10:41 < plm> =D
10:41 < plm> bovered: but just for clariry, I need always start that in the sequence to works?
10:43 < plm> bovered: ohh.. something is wrong, The tun0 and tun1 are using just the ppp1 :-(
10:44 < bovered> sorry - i cannot help with your network config
11:14 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 245 seconds]
11:19 -!- citrusfizz [~chatzilla@70.184.40.66] has joined #openvpn
11:21 < citrusfizz> say i pushed a route to a client, and am using nat to allow them into a network. how might i firewall them to only a certain IP using iptables?
11:22 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
11:22 < citrusfizz> using openvpn of course, and not bridged mode
11:24 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has quit [Ping timeout: 252 seconds]
11:29 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has joined #openvpn
11:31 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
11:42 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:42 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
11:45 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
11:55 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 260 seconds]
11:56 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Ping timeout: 245 seconds]
12:06 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
12:15 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.3-dev]
12:19 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Ping timeout: 630 seconds]
12:22 -!- jp [~jp@79.141.170.7] has joined #openvpn
12:23 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
12:23 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has quit []
12:25 -!- _KaszpiR__ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
12:32 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
12:38 -!- _KaszpiR_ is now known as _KaszpiR___
12:38 -!- _KaszpiR__ is now known as _KaszpiR_
13:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:09 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
13:25 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
13:38 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
13:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:48 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
13:50 -!- plm [~neo@200.175.61.1] has quit [Quit: leaving]
13:55 < bovered> if using --mode server --topology net30, does the server address have to be x.x.x.1 or could i use --ifconfig x.x.x.101 x.x.x.102 and manually setup routing etc ? i have tried but it seems either i am missing something or the server _MUST_ be x.x.x.1 (this is a simple vpn with no specific requirements other than custom server ip)
13:56 <@krzee> it is possible to recreate --server and manually use a different ip
13:58 <+rob0> um, I'd back up a bit and ask: why do you want to use net30?
13:58 <@krzee> ya that too
13:59 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:00 < bovered> hi krzee: i have a very simple config (no routing to extra subnets etc) if i user --server 10.2.0.0/24 it works but if i use ifconfig 10.2.0.101 10.2.0.102 (and manually specify routing for net30 subnet and tls and push etc it will not work .. even though the client connects etc)
14:00 <@krzee> you must duplicate everything you see in --server in the manual
14:00 <@krzee> !man
14:00 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:01 -!- bovered is now known as debbie10t
14:01 <@krzee> but really, what is the point?
14:01 <@krzee> what problem are you solving?
14:01 < debbie10t> i am trying to get to the absolute bottom of the net30 requirements
14:01 <@krzee> net30 only exists for backwards compatibility
14:01 < debbie10t> by manually setting everything and using custom server ip
14:02 < debbie10t> my next step is to look at source code to
14:02 < debbie10t> figure out dependancy
14:02 <@krzee> whats the actual POINT to what you are doing
14:03 < debbie10t> better support
14:03 <@krzee> cool, good luck to ya =]
14:03 < debbie10t> can i custom server ip or not .. if not i will not waste my time .. if it is poss i will sort it out myself
14:04 <@krzee> its possible, im not sure sure you can tho :-p
14:04 < debbie10t> ok - question answered .. thanks
14:04 <@krzee> all you have to do is correctly recreate what it says in --server
14:04 <@krzee> the entire thing
14:04 <+rob0> I'd consider anything involving use of net30 a wast of time. :)
14:04 <@krzee> yes ^
14:05 <+rob0> waist ... waste ... weighst
14:05 <@krzee> net30 literally has no purpose anymore other than backwards compatibility with a very outdated version of openvpn
14:05 < debbie10t> ok thanks back later
14:06 <@krzee> and really, if you run 2.0.9 i dont want your client connecting to my server anyways
14:06 <@krzee> echo "update your vpn!" ; exit 1
14:10 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:16 -!- mattock is now known as mattock_afk
14:19 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:41 < debbie10t> echo does not work like that !
14:45 -!- nixt [~nixt@103.13.241.25] has quit [Ping timeout: 252 seconds]
14:46 -!- nixt [~nixt@103.1.153.219] has joined #openvpn
14:46 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:47 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
14:54 -!- dazo is now known as dazo_afk
14:56 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 260 seconds]
15:01 -!- Fohlen [~Fohlen@static.196.152.46.78.clients.your-server.de] has joined #openvpn
15:01 < Fohlen> could I use http-proxy without using authentication files?
15:02 < debbie10t> FYI: git it .. i had a 0 where i should have had a 1 in my routing ! job done =]
15:10 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
15:13 < Fohlen> someone has a guide how to setup simple name/password authentication?
15:15 < Fohlen> HOWTO tells about using script or shared plugins, but I dunno what would be a good choice to go for
15:16 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
15:34 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
15:36 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Connection reset by peer]
15:46 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
15:48 -!- Devastator [~devas@186.214.15.180] has joined #openvpn
16:03 < debbie10t> TUN/TAP forwarding .. is this an artifact from an old version of OpenVPN on Linux .. as there appears to be much confusion about it ?
16:16 -!- josefig [~josef@189.146.247.210] has joined #openvpn
16:16 -!- josefig [~josef@189.146.247.210] has quit [Changing host]
16:16 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
16:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
16:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:32 -!- clyons [~kvirc@46.7.192.26] has quit [Read error: Connection reset by peer]
16:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
17:04 -!- lj [~l@192.241.174.169] has joined #openvpn
17:06 < lj> Anyone have any docs/reads/tips as to how one would go about implementing username/password authentication centrally, across multiple OpenVPN servers? In which one username/password would work to access any of them, without allowing for multiple signins. I.E. the user could be connected to one of the servers with their given credentials, but not two or more.
17:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
17:16 < lj> !welcome
17:16 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
17:16 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:16 < lj> !goal
17:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:19 -!- clyons [~kvirc@46.7.192.26] has joined #openvpn
17:32 -!- citrusfizz [~chatzilla@70.184.40.66] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
17:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:41 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
17:42 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
18:20 -!- Eduard_Munteanu [~EduardMun@188.25.244.2] has joined #openvpn
18:21 < Eduard_Munteanu> Can a client connect to a server-mode server, with push/pull disabled, if both of them agree on connection parameters?
18:22 -!- nixt [~nixt@103.1.153.219] has quit [Ping timeout: 259 seconds]
18:22 < Eduard_Munteanu> (can I leave pushing on the server side enabled?)
18:30 -!- nixt [~nixt@103.1.153.250] has joined #openvpn
18:44 <@krzee> well you have contradicted yourself
18:44 <@krzee> your server may push, or not
18:44 <@krzee> your client may pull, or not
18:45 <@krzee> if you choose to not push/pull you must define a bunch of shit manually
18:45 <@krzee> is there a goal you have in mind?
18:45 <@krzee> Eduard_Munteanu, ^
18:45 < Eduard_Munteanu> krzee: yes, connecting to machines I don't trust.
18:46 <@krzee> whats your goal when you connect to them?
18:46 < Eduard_Munteanu> Or trust less than the machine that acts as a client.
18:46 <@krzee> they cant execute code on the client or anything
18:46 <@krzee> they can alter the routing table, but that is generally desired
18:47 < Eduard_Munteanu> krzee: yeah, I know, but they can still mess with my routing table arbitrarily
18:47 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 265 seconds]
18:47 < Eduard_Munteanu> krzee: this client is going to be used for testing purposes, and since it's my personal machine, I trust it the most :)
18:48 <@krzee> so what do you want to do when connecting?
18:48 < Eduard_Munteanu> krzee: open up some connections to the server, through the tunnel (tun mode, no client-to-client)
18:49 <@krzee> ONLY to the server?
18:49 < Eduard_Munteanu> Yes.
18:49 <@krzee> not to the internet through the server, not to the lan behind the server
18:49 < Eduard_Munteanu> Nope, just the server.
18:49 <@krzee> cool
18:49 <@krzee> use nopull
18:49 <@krzee> might be route-nopull, something like that
18:49 <@krzee> !nopull
18:49 <@vpnHelper> "nopull" is "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
18:50 <@krzee> then you'll manually need a route to the vpn server ip itself
18:50 <@krzee> (you can script it)
18:50 < Eduard_Munteanu> krzee: can I just not pull at all though? I have the server under my control as well, so I can pick a suitable configuration.
18:50 <@krzee> iof you own the server then just dont push options you dont want pushed
18:50 <@krzee> and why the hell dont you trust your own server
18:51 < Eduard_Munteanu> krzee: because it's not in my home, it isn't physically secure etc :)
18:51 < Eduard_Munteanu> It's not that I distrust it, I just trust it less than my personal machine :)
18:51 <@krzee> so you fear someone will phyiscally breakin to your server, configure NAT and ip forwarding on it, then configure your vpn client to route through it so they can sniff you via your server?
18:52 < Eduard_Munteanu> You can put it that way but really I'm just wondering if there's a nicer way to do this, just like people ask daemons to drop privileges because they can.
18:53 <@krzee> well ya, you can drop privs here too, even run it in a chroot
18:53 <@krzee> but do you really wanna disable pulling options from your own server out of fear that someone will reconfigure it on you?
18:53 -!- cali [~cali@unaffiliated/cali] has quit [Ping timeout: 246 seconds]
18:54 < Eduard_Munteanu> krzee: I configure it anyway, so it's less headache to just slap on a strict config.
18:54 <@krzee> cool, well now you know
18:54 < Eduard_Munteanu> I'd want a fixed IP anyway.
18:54 <@krzee> you can also just not use --client
18:55 -!- nixt [~nixt@103.1.153.250] has quit [Ping timeout: 252 seconds]
18:55 <@krzee> although nopull is prolly easier
18:55 < Eduard_Munteanu> krzee: yeah, that's what I'm wondering, can I just do 'tls-client' and add my own ifconfig directives on the client?
18:55 <@krzee> sure
18:55 < Eduard_Munteanu> Oh, alright... thanks.
18:55 <@krzee> in fact if you look carefully you'll see that --server is not necessary either
18:56 < Eduard_Munteanu> krzee: I know it's defined in terms of something else, just wasn't sure pushing didn't put the server in a mode that expects the client to act in a certain way.
18:56 <@krzee> well it does, but you can forcefully have the client act correctly without accepting the pushes
18:57 <@krzee> if you ifconfig to the wrong ip, it wont work
18:57 <@krzee> if you add the route wrong, it wont work
18:57 < Eduard_Munteanu> Sure, that's alright.
18:57 <@krzee> if you do everything manually just like the server would have, then it will work
18:57 <@krzee> "<krzee> in fact if you look carefully you'll see that --server is not necessary either"   <--- i meant to see --server in the manual
18:58 < Eduard_Munteanu> BTW, the Gentoo package has a 'down-root' useflag, is that accepted code upstream?
18:58 < Eduard_Munteanu> Yeah.
18:58 <@krzee> no, but its a plugin that allows you to use --down with --user/--group
18:59 <@krzee> normally the lowered priviledges of --user/--group prevent --down from executing with root which leads to most stuff not working
19:00 < Eduard_Munteanu> I suspect you don't really need root privs in server mode, since you can just spawn a tun and just drop privs after, no?
19:00 <@krzee> depends what you wanna do
19:00 < Eduard_Munteanu> I mean you don't need each connection to set up a device and go through all that privileged stuff.
19:00 <@krzee> you might have a client-connect script which you want running as root
19:01 < Eduard_Munteanu> Ah, fair.
19:01 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
19:01 <@krzee> but in general root is not needed after startup is complete
19:02 < lj> krzee: Any ideas on my question? It seems like it'd be easier for me if I wanted to use certs rather than ldap.
19:04 < Eduard_Munteanu> LDAP and certs sound orthogonal.
19:06 <@krzee> lj, either way you will want a centralized database with the script, so it can read from the db to know if logged in on other servers, it can write to the db to say the client has logged in
19:06 <@krzee> its all handled via scripts which you write
19:06 <@krzee> !authpass
19:06 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
19:06 <@krzee> !client-connect
19:06 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
19:06 < lj> Ah I see. I was wondering whether or not there was a way built in that I hadn't noticed. :)
19:07 <@krzee> nope
19:07 < lj> Word. Much appreciated.
19:07 <@krzee> np man
19:07 <@krzee> !script
19:08 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
19:08 < Eduard_Munteanu> BTW, can you use the alternate name scheme rather than common name for identification purposes?
19:08 <@krzee> protip: env command dumps all env vars to stdout
19:09 <@krzee> Eduard_Munteanu, you can write a tls-auth script to do whatever you want, not sure why would would...
19:09 < Eduard_Munteanu> Ah, so it's not really hardcoded.
19:09 <@krzee> --tls-verify i mean
19:10 <@krzee> common-name is like "username" internally, but as for doing extra auth stuff based on the cert, --tls-verify can do whatever you tell it to do
19:10 <@krzee> openvpn comes with a very handy plugin/scripting interface, you can do tons through it
19:10 < Eduard_Munteanu> krzee: it's just CN is displayed to humans, so it's often a readable thing which needn't be unique. Recent SSL/TLS implementation let you define a server's domain some other way than CN, for instance.
19:11 <@krzee> for openvpn CN should ALWAYS be unique
19:11 <@krzee> if you didnt keep them unique, i say you did it wrong (?)
19:12 < Eduard_Munteanu> I did keep them unique, but if you want to use certs across different services, chances are unique CN might be icky.
19:12 < Eduard_Munteanu> Oh well, perhaps I shouldn't try to reuse certs.
19:12 <@krzee> my darknet has many entrance nodes and many clients, each client may connect to any entrance node (and does so randomly)
19:13 <@krzee> and they do not have "icky" common-names
19:13 <@krzee> oh you mean across different services like web abd jabber and stuff?
19:13 <@krzee> if so, i would not go out of my way to keep only 1 pki
19:14 < Eduard_Munteanu> krzee: yeah... and I was referring to apps often displaying CN prominently, e.g. "Google Internet Authority" might be such a name, at least on modern TLS.
19:14 <@krzee> in fact contrary i would not want my web pki anywhere near my vpn pki
19:15 <@krzee> you dont want google's CA anywhere near your vpn pki
19:15 < Eduard_Munteanu> Heh, fair.
19:15 <@krzee> especially someone like you who doesnt trust his own servers
19:16 < Eduard_Munteanu> Just saying the CN is no longer used to represent the domain name, not strictly.
19:16 <@krzee> i have never used CN as domain name for my vpns
19:16 <@krzee> not once
19:17 <@krzee> you *can*
19:17 < Eduard_Munteanu> krzee: they're equivalent notions, since in the web CA system certs identify domains (as opposed to machines).
19:17 <@krzee> thats fine and all, but this has nothing to do with web
19:18 <@krzee> your vpn PKI is 100% unrelated to the web and any ssl other than openvpn
19:18 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:18 < Eduard_Munteanu> krzee: sure... but TLS lets you use the CN for display purposes these days, and the domain name is specified in a different X.509 attribute.
19:18 <@krzee> cool
19:19 <@krzee> with openvpn CN is basically the "username"
19:19 <@krzee> unless of course you actually use login/pass auth and also use --username-as-common-name
19:20 <@krzee> so treat the CN field of your vpn PKI as if it were the username for the client using it
19:20 < Eduard_Munteanu> I guess it's a simpler model, since OpenVPN only cares about a CA cert per server.
19:20 < Eduard_Munteanu> (No actual hierarchical PKI, that is.)
19:21 <@krzee> well it can be done, but usually not needed
19:29 -!- cali [~cali@unaffiliated/cali] has joined #openvpn
19:30 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:44 < joshh20> I am confused in how you go about making a .ovpn profile. I changed the .conf file on my computer to .ovpn just by renaming it and it seemed to work, but is that the proper way?
19:49 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
19:55 <@krzee> yep
19:55 <@krzee> some linux distros like .conf
19:55 <@krzee> windows likes .ovpn
19:55 <@krzee> and openvpn doesnt care =]
19:58 < Eduard_Munteanu> joshh20, krzee: it cares about end-of-line conventions, IIRC, mind
19:58 <@krzee> i guess so
19:58 <@krzee> i dont really use windows
19:58 < joshh20> So in Windows do you need to include the .key and .crt?
19:58 < joshh20> It worked without them
19:58 <@krzee> but its more the OS which cares about that than the app
19:59  * Eduard_Munteanu doesn't either, he stumbled onto that trying to support some Win machines :)
19:59 < joshh20> All I gave it was the .ovpn file
19:59 <@krzee> joshh20, depends on the config
19:59 < Eduard_Munteanu> joshh20: I doubt it did, unless it was the wrong .key and .crt
19:59 < Eduard_Munteanu> Or if it used the inline certs stuff.
19:59 <@krzee> or if he didnt use certs
20:00 < joshh20> I used this during setup
20:00 < joshh20> https://github.com/Nyr/openvpn-install
20:00 <@vpnHelper> Title: Nyr/openvpn-install · GitHub (at github.com)
20:00 < Eduard_Munteanu> Minimally each client needs his own private key and the CA certificate.
20:00 <@krzee> im guessing it made you a static key setup, no certs needed
20:01 < Eduard_Munteanu> "wget ... --no-check-certificate" :(
20:01 < joshh20> Oh
20:02 < joshh20> Is that really bad?
20:02 < Eduard_Munteanu> Pre-shared keys, or not checking certs?
20:02 < Eduard_Munteanu> I'd say it is, in 2014.
20:02 < joshh20> Darn
20:03 < joshh20> So basically anyone can connect to my OpenVPN server?
20:03 < Eduard_Munteanu> joshh20: er, no
20:03 < Eduard_Munteanu> It's not nearly that bad, no. Shared keys are fine if long enough, for personal use.
20:04 < Eduard_Munteanu> I was more annoyed by the --no-check-certificate part. :)
20:06 < joshh20> Yeah it was just really confusing for me, so I was just really happy that I am able to connect and everything works
20:07 < Eduard_Munteanu> joshh20: are you confused by public key crypto in the usual howto / setup?
20:07 < joshh20> Yes
20:09 < Eduard_Munteanu> joshh20: are you more familiar with PGP stuff, perhaps?
20:09 < Eduard_Munteanu> Or generally, public key crypto is confusing to you?
20:09 -!- |1li_ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
20:09 < joshh20> Yes all public key cryptography confuses me
20:09 < joshh20> Im 17 and can't understand it well
20:10 < joshh20> Sad I know
20:10 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
20:11 < Eduard_Munteanu> joshh20: you don't have to understand why it works, just how it's meant to be used. Basically, you have two keys: what you sign/encrypt with one of them, can only be checked/decrypted with the other, and the other way around.
20:12 < Eduard_Munteanu> That and the fact that you arbitrarily keep one private and distribute the other should let you confirm that it indeed lets people establish secure channels.
20:13 -!- Varazir_ [~mircwars@c-94-255-130-121.cust.bredband2.com] has joined #openvpn
20:13 < joshh20> Oh
20:13 < Eduard_Munteanu> E.g. to send me a secret message, you encrypt it with my public key. I have the private key so only I can decrypt and read it.
20:14 < joshh20> So like are both keys equally strong?
20:14 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
20:14 -!- riddle [riddle@us.yunix.net] has quit [Disconnected by services]
20:14 < pekster> They're "like" related
20:14 < Eduard_Munteanu> joshh20: yeah
20:14 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
20:14 < joshh20> But you just need both of them, ok
20:14 < joshh20> That makes sense
20:14 < pekster> !intro-to-pki
20:14 -!- _psycheye [~psycheye@93.49.16.11] has joined #openvpn
20:14 < pekster> Ugh, forgot to fix that
20:14 < pekster> !into-to-pki
20:14 <@vpnHelper> "into-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
20:14 -!- riddle [riddle@us.yunix.net] has joined #openvpn
20:14 < pekster> !learn intro-to-pki as For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
20:14 <@vpnHelper> Joo got it.
20:14 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
20:14 -!- Serano [~serano@rooty.be] has quit [Ping timeout: 272 seconds]
20:14 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
20:14 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
20:14 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 272 seconds]
20:15 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 272 seconds]
20:15 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Ping timeout: 272 seconds]
20:15 -!- psycheye [~psycheye@93.49.16.11] has quit [Ping timeout: 272 seconds]
20:15 -!- Varazir [~mircwars@c-94-255-130-121.cust.bredband2.com] has quit [Ping timeout: 272 seconds]
20:15 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 272 seconds]
20:15 < pekster> !forget into-to-pki
20:15 <@vpnHelper> Joo got it.
20:15 -!- Serano [~serano@rooty.be] has joined #openvpn
20:15 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:15 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:15 < joshh20> ?
20:15 -!- mgorbach_ is now known as mgorbach
20:16 < Eduard_Munteanu> joshh20: the owner only needs the private key to decrypt, and his peers only need the public key to send him messages, mind. The owner usually has both because he generates them and wants to distribute the public one.
20:16 < joshh20> Neat
20:16 < joshh20> I am reading that link that pekster sent
20:16 < Eduard_Munteanu> Conceptually, for signatures it's the other way around: you sign with the private key and everyone else can check it with the public key.
20:17 <@krzee> well and in openvpn the client sends his cert to the server
20:17 <@krzee> so he needs both
20:17 <@krzee> !pki
20:17 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
20:17 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
20:17 <@krzee> #2
20:18 < joshh20> But theoretically, you could do the same in the reverse right? Give clients the private key and authenticate it on the server with the public key? Calling them public or private is just to keep the two differentiated and has no large difference?
20:19 < joshh20> Will read that article
20:19 < pekster> Right
20:19 < pekster> What gets encrypted with one can be decrypted by the other
20:19 < Eduard_Munteanu> joshh20: you generate two identical keys, you pick which is private and which is public but you must be consistent, you should never leak the private key.
20:19 < pekster> But if your "private" key is public, you just call it a public key
20:20 < pekster> (or you call yourself screwed)
20:20 < joshh20> Ok
20:20 < joshh20> I understand that, then
20:20 < joshh20> Thought it was a lot more complicated but it really isnt
20:20 < Eduard_Munteanu> Well, even the math is rather simple for RSA.
20:21 < Eduard_Munteanu> (at least the basic idea)
20:22 < Eduard_Munteanu> https://en.wikipedia.org/wiki/Rsa_algorithm#A_working_example
20:22 <@vpnHelper> Title: RSA (cryptosystem) - Wikipedia, the free encyclopedia (at en.wikipedia.org)
20:23 < joshh20> Nope that is not easy
20:23 < joshh20> Math is not my forte
20:23 < joshh20> :)
20:23 < Eduard_Munteanu> It boils down to a few basic things involving primes and divisibility.
20:24 < Eduard_Munteanu> Wikipedia might make it sound like more than it actually is.
20:25 < Eduard_Munteanu> joshh20: anyway, there's no need to delve into those details, you can just use the concepts we talked about earlier
20:30 < joshh20> Thank you Eduard_Munteanu and pekster for helping me understand
20:32 <@ecrist> evening, bitches
20:32 <@krzee> facthacks is a good security talk that goes over rsa
20:33 <@krzee> wassup eric
20:35 <@ecrist> not much
20:35 <@ecrist> into my second can of Surly HELL
20:35 <@ecrist> (beer, local brewer)
20:42 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
20:44 -!- debbie10t [~ma1com10t@host-92-20-34-44.as13285.net] has quit [Ping timeout: 260 seconds]
20:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:01 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
21:08 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
21:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
21:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:14 -!- jhp [~jhp@zeus.jhprins.org] has quit [Ping timeout: 245 seconds]
21:15 -!- jhp [~jhp@zeus.jhprins.org] has joined #openvpn
21:17 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
21:19 -!- frank-- is now known as thumbs
21:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
21:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
21:35 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:44 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
21:48 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
21:53 -!- Eduard_Munteanu [~EduardMun@188.25.244.2] has quit [Read error: Operation timed out]
22:03 -!- awef [~Unknown@c-98-216-109-112.hsd1.ma.comcast.net] has joined #openvpn
22:03 < awef> hi i'm trying to forward all traffic from a dummy interface (which will always be up) to a openvpn interface (which may go down sometimes). Here are the steps I've taken (http://pastebin.com/kqh8RSL8). What am I missing? Thanks.
22:20 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Quit: ZNC - http://znc.in]
22:21 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
22:26 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 260 seconds]
22:27 <@EugeneKay> !xy
22:27 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
22:28 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
22:46 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
22:47 -!- Cygor [~Brian@70.124.70.140] has joined #openvpn
22:47 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
22:49 -!- tfox_ [~tfox@199.19.95.160] has joined #openvpn
22:49 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
22:49 -!- awef_ [~Unknown@c-98-216-109-112.hsd1.ma.comcast.net] has joined #openvpn
22:50 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
22:53 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 252 seconds]
22:55 -!- Netsplit *.net <-> *.split quits: awef, thumbs, tfox, Cy-Gor, sander__, |1li_, MyMind, mgorbach
22:55 -!- Cygor [~Brian@70.124.70.140] has quit [Quit: Leaving]
22:55 -!- tfox_ is now known as tfox
22:56 -!- mgorbach_ is now known as mgorbach
23:02 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
23:06 -!- Guest8854 [~mbff@2605:6400:1:fed5:22:656:343:3e46] has quit [Ping timeout: 240 seconds]
23:17 -!- lj [~l@192.241.174.169] has joined #openvpn
23:21 -!- lj [~l@192.241.174.169] has quit [Client Quit]
23:22 -!- nixt [~nixt@27.122.57.14] has joined #openvpn
23:30 -!- nixt [~nixt@27.122.57.14] has quit [Ping timeout: 260 seconds]
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
23:37 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
23:46 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
--- Day changed Thu Jan 09 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:01 -!- booh [~ericg@modemcable122.73-130-66.mc.videotron.ca] has joined #openvpn
00:02 < booh> I installed openvpn client on windows7 64bits.  I have 2 servers to access (not at the same time).   I don't know how to configure both servers with tue gui ?
00:02 < booh> the* gui
00:04 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
00:13 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
00:16 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
00:27 -!- booh [~ericg@modemcable122.73-130-66.mc.videotron.ca] has quit [Quit: Ex-Chat]
00:44 -!- lickalott_ is now known as lickalott
01:00 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
01:12 -!- Devastator [~devas@186.214.15.180] has quit [Changing host]
01:12 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
01:13 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
01:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:50 -!- aji [~alex@atheme/member/aji] has quit [Read error: Connection reset by peer]
01:51 -!- aji [~alex@atheme/member/aji] has joined #openvpn
01:54 -!- mattock_afk is now known as mattock
01:54 -!- schultza [~quassel@166.70.157.138] has joined #openvpn
02:00 < schultza> Im having problems setting up a PKI Certs for use with openvpn. I'm following a guide <https://help.ubuntu.com/10.04/serverguide/openvpn.html> and I'm getting the error "failed to update database. TXT_DB error number 2".
02:00 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
02:07 < schultza> ok, is there an appriopriate channel for that?
02:24 -!- schultza [~quassel@166.70.157.138] has quit [Remote host closed the connection]
02:37 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
02:37 -!- mbff is now known as Guest88655
02:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
02:42 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
02:58 -!- schultza [~quassel@166.70.157.138] has joined #openvpn
02:59 < schultza> if i have a dhcp server on the same computer as the openvpn server, do i have to declare some additional dhcp info on the openvpn configuration?
03:03 -!- schultza [~quassel@166.70.157.138] has quit [Remote host closed the connection]
03:17 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
03:55 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 272 seconds]
04:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:26 -!- dazo_afk is now known as dazo
04:36 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
04:41 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
04:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:00 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
05:00 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
05:00 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:39 -!- Fohlen [~Fohlen@static.196.152.46.78.clients.your-server.de] has left #openvpn []
05:40 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 252 seconds]
05:54 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
05:55 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
05:55 -!- mode/#openvpn [+o dazo] by ChanServ
05:55 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 265 seconds]
06:01 -!- jp [~jp@79.141.170.7] has quit [Ping timeout: 252 seconds]
06:10 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:22 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
06:25 -!- __bt is now known as _bt
06:25 -!- _bt [foobar@77.240.12.157] has quit [Changing host]
06:25 -!- _bt [foobar@unaffiliated/bt/x-192343] has joined #openvpn
06:25 -!- ServerMode/#openvpn [+v _bt] by dickson.freenode.net
06:25 -!- mode/#openvpn [-v _bt] by ChanServ
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:53 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has joined #openvpn
06:56 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
06:58 -!- jp [~jp@CPE-65-31-82-210.wi.res.rr.com] has quit [Ping timeout: 252 seconds]
07:06 -!- frank-- is now known as thumbs
07:11 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
07:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:57 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:03 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
08:18 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
08:23 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:28 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
08:36 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:44 -!- lj [~l@192.241.174.169] has joined #openvpn
08:45 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
08:47 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:51 < lj> !ccd
08:51 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
09:04 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:04 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
09:18 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
09:20 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
09:37 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
09:37 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:48 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
09:53 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
10:12 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:13 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: Lost terminal]
10:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:22 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: BBL]
10:24 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:25 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:29 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:30 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:32 -!- master_o1_master [~master_of@p4FF24525.dip0.t-ipconnect.de] has joined #openvpn
10:35 -!- clyons [~kvirc@46.7.192.26] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
10:35 -!- master_of_master [~master_of@p4FF248B4.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
10:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:44 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: Lost terminal]
10:48 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has joined #openvpn
10:51 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
11:01 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds]
11:06 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:06 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
11:17 -!- skyeyes [~chatzilla@host-5-58-28-215.la.net.ua] has joined #openvpn
11:17 < skyeyes> hi2all
11:17 < skyeyes> can anyone help?
11:18 < skyeyes> !vpngHelper
11:18 < skyeyes> @vpnHelper
11:19 < skyeyes> facing problem when connect to webserver which located at save place where openvpn server
11:19 < skyeyes> *same
11:22 -!- skyeyes [~chatzilla@host-5-58-28-215.la.net.ua] has left #openvpn []
11:23 -!- skyeyes [~chatzilla@host-5-58-28-215.la.net.ua] has joined #openvpn
11:23 -!- skyeyes is now known as TotalEvil
11:23 < TotalEvil> TotalEvil
11:24 < TotalEvil> hi2all
11:24 < TotalEvil> can anyone help?
11:25 < TotalEvil> !welcome
11:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:25 < TotalEvil> !logs
11:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
11:25 < TotalEvil> !goal
11:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:26 < TotalEvil> guys i have a next problem
11:27 < TotalEvil> vpn works internet in it also but when i accessing web server located on same server where located openvpn server traffic going not by vpn tunnel
11:27 < TotalEvil> any way to get tunnel work for server also?
11:36 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
11:37 -!- TotalEvil [~chatzilla@host-5-58-28-215.la.net.ua] has quit [Read error: Operation timed out]
11:41 < lj> o_O
11:49 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has quit [Read error: Connection reset by peer]
11:49 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has joined #openvpn
11:53 -!- awef_ [~Unknown@c-98-216-109-112.hsd1.ma.comcast.net] has quit [Quit: leaving]
12:10 -!- PhSnake [~phsnake78@dial-109-230-33-39.orange.sk] has quit []
12:17 < lj> krzee: Around?
12:20 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
12:24 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
12:24 -!- janjust_ [~janjust@tevere.nikhef.nl] has joined #openvpn
12:26 <@krzee> not really, just ask your question and even if i dont get to it someone will
12:28 -!- janjust_ [~janjust@tevere.nikhef.nl] has quit [Client Quit]
12:32 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
12:32 -!- gardar- [~gardar@bnc.giraffi.net] has quit [Quit: ZNC - http://znc.in]
12:33 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
12:35 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
12:45 -!- TOTALEVIL [~TOTALEVIL@109.162.1.123] has joined #openvpn
12:45 < TOTALEVIL> hi2all
12:45 < TOTALEVIL> anyone alive?
12:49 <+_quadDamage> no, all dead.
12:50 < TOTALEVIL> )) seems not
12:50 < TOTALEVIL> have problem
12:50 < TOTALEVIL> vpn works internet work all fine but on openvpn server i have webserver databases etc
12:50 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
12:51 < TOTALEVIL> and i need access them also with vpn ip but when i try it's routing with my regular internet
12:51 < TOTALEVIL> any way to fix this?
12:53 < TOTALEVIL> _quadDamage, any ideas?)
12:55 <+_quadDamage> really, I just wanted to let you know that we're all zombies. but since you asked, it sounds like whatever address you're trying to connect to the local services on doesn't have a route pointing at the tunnel.
12:56 <+_quadDamage> make sure the vpn is pushing the appropriate route to your client.
12:56 <@krzee> !factoids search route
12:56 <@vpnHelper> 'winroute', 'iroute', 'router', 'dlink_static_route', 'external_routes', 'route_override', 'splitroute', 'route_outside_openvpn', 'route_outside_ovpn', 'routebyapp', 'route', 'ppp_defaultroute', and 'route-nopull'
12:56 <@krzee> !route_override
12:56 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
12:56 < TOTALEVIL> redirect-gateway def1 only currently i have
12:56 <@krzee> oops
12:56 <@krzee> !splitroute
12:56 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
12:56 < TOTALEVIL> mm)
12:57 <@krzee> TOTALEVIL, you want that one ^^
12:57 < TOTALEVIL> let me see
12:57 < TOTALEVIL> thx) bro
12:57 <@krzee> yw
12:57 <@krzee> oh wait a sec here
12:57 <@krzee> i think i answered the wrong question
12:58 <+_quadDamage> krzee: was that your response to "anyone alive?"
12:59 < TOTALEVIL> ))
12:59 < TOTALEVIL> seems it's little diff
12:59 <@krzee> :D
12:59 < TOTALEVIL> _quadDamage, :) funny guys
12:59 <@krzee> so, let me try to find what the problem actually is...
13:00 <@krzee> you connect to the server and redirect internet over the server
13:00 < TOTALEVIL> yeap
13:00 < TOTALEVIL> internet works all works
13:00 <@krzee> but when you contact the server by its internet IP, it does not go over the vpn...?
13:00 <@krzee> is that the problem?
13:00 < TOTALEVIL> and everywhere i have vpn ip
13:00 < TOTALEVIL> yeap
13:00 < TOTALEVIL> ur right
13:00 <@krzee> ya well thats how it works? if you didnt have a direct route for the server you would not have the vpn connection open
13:01 <@krzee> the vpn server cant route over the vpn, it would be circular routing and would break both your internet and your vpn connection
13:01 <@krzee> you must reach the server by its VPN ip
13:01 <@krzee> which means your services need to listen on that ip as well
13:01 -!- fenris_kcf [~fenris@p579E6946.dip0.t-ipconnect.de] has joined #openvpn
13:01 < TOTALEVIL> but what if i have 2 ips
13:01 < TOTALEVIL> on server?
13:02 < TOTALEVIL> means 2 external ip
13:02 <@krzee> then the ip you connect to the vpn is off limits
13:02 <@krzee> and the other ip will route over the vpn
13:02 <@krzee> whatever ip the server listens on can NOT be routed over the vpn
13:02 <@krzee> all others can
13:02 < TOTALEVIL> so all problem appear due same ip only
13:02 < TOTALEVIL> right?
13:02 < pekster> It can be: policy routing
13:03 < TOTALEVIL> i googled something like that but didn't found anything
13:03 < pekster> !routebyapp
13:03 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
13:03 <@vpnHelper> policies you set. For Linux, read about !lartc
13:04 <@krzee> pekster, the client cannot route to the server over the vpn by reaching the same ip that the vpn runs on
13:04 <@krzee> even with policy routing
13:04 <@krzee> if that is false, please explain
13:04 <@plaisthos> krzee: the android client does this
13:05 <@plaisthos> because only the socket connecting to the server is exempted from going through tun0
13:06 <@krzee> thats pretty cool, android specific stuff?
13:07 <@plaisthos> krzee: not really
13:07 <@plaisthos> the API just does bind the socket to the external interface
13:07 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
13:07 <@plaisthos> could be impelmented in the normal OpenVPN for Linux
13:07 <@plaisthos> but nobody has done that so it is android specific
13:07 <@krzee> seems it would be better than the current method
13:08 <@krzee> can it be done from normal os config or only in real code?
13:09 < TOTALEVIL> hmm
13:09 < TOTALEVIL> interesting
13:10 < janjust> plaisthos: is this in the official openvpn connect client? I am curious how this is done
13:11 < fenris_kcf> is there some kind of documentation to the windows-desktop-client? a friend of mine has trouble configuring it
13:11 <@plaisthos> janjust: no in the android source code
13:11 <@krzee> fenris_kcf, you mean the client from here:
13:11 <@krzee> !download
13:11 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
13:11 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
13:11 < TOTALEVIL> fenris_kcf, almost all features crossplatformed
13:12 < janjust> that's opensource as well, plaisthos
13:12 <@plaisthos> janjust: the client just protect(socket_fd)
13:12 <@krzee> fenris_kcf, if you mean anything else, it is not opensource openvpn, and you must go to #openvpn-as for help with it
13:12 <@plaisthos> janjust: android figures out the external interface and binds the sockets to the interface by some ioctl
13:12 < janjust> fenris_kcf: which version of openvpn are you talking about? does your friend have problems with the GUI client?
13:12 < fenris_kcf> ah, thx. had it from http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html
13:12 <@vpnHelper> Title: Client Packages (at openvpn.net)
13:12 <@krzee> !factoids
13:13 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:13 < janjust> ah do NOT use that client fenris_kcf , it's for the commercial access server version only
13:13 < fenris_kcf> ah, thx.
13:13 < fenris_kcf> nice to know
13:13 < fenris_kcf> and thx for the correct link
13:13 <@krzee> np
13:13 <@krzee> we deal with that same confusion often? the website could be clearer
13:14 < TOTALEVIL> plaisthos, do you have a link) for that piece of code?
13:15 <@plaisthos> TOTALEVIL: buried somewhere in the android source code
13:15 <@plaisthos> would have to search for it myself again
13:15 <@krzee> http://code.google.com/p/ics-openvpn/
13:15 <@vpnHelper> Title: ics-openvpn - Openvpn for Android 4.0+ - Google Project Hosting (at code.google.com)
13:15 <@plaisthos> start by grepping for vpn and protect
13:15 <@krzee> that one ^^
13:15 <@plaisthos> krzee: that binding stuff is in android itself ;)
13:15 < TOTALEVIL> )))
13:16 < TOTALEVIL> ty
13:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:19 -!- TOTALEVIL [~TOTALEVIL@109.162.1.123] has quit [Quit: MegaIRC v4.06 http://ironfist.at.tut.by]
13:29 -!- Fohlen [~Fohlen@static.196.152.46.78.clients.your-server.de] has joined #openvpn
13:29 < Fohlen> anyone knows what "bad backslash" shit is on windows?
13:29 < Fohlen> http-proxy 192.168.2.1 800 "C:\\Programms\\OpenVPN\\conf\\chiimage.httpauthfile"
13:29 < Fohlen> that line keeps making me trouble
13:35 < janjust> folhen? backslashes are always a pain in the butt; for some openvpn config you can also use forward slashes on windows; I've never tested this with http-proxy myself, but I know single forward slashes work when specifying cert and key locations
13:37 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:40 < Fohlen> what will windows route add command failed mean?
13:43 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
13:46 -!- josefig [~josef@189.146.247.210] has joined #openvpn
13:46 < janjust> post the exact log line - most likely openvpn is not running with elevated privs on windows 7+
13:46 -!- josefig [~josef@189.146.247.210] has quit [Changing host]
13:46 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
13:46 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
13:48 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
13:58 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:11 -!- piece3 [~quassel@14.161.15.21] has quit [Read error: Connection reset by peer]
14:14 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
14:15 -!- piece3 [~quassel@14.161.15.21] has quit [Read error: Connection reset by peer]
14:15 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
14:16 -!- piece3 [~quassel@14.161.15.21] has quit [Remote host closed the connection]
14:20 -!- Irssi: #openvpn: Total of 217 nicks [9 ops, 0 halfops, 27 voices, 181 normal]
14:21 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
14:22 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 264 seconds]
14:33 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 264 seconds]
14:44 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
14:45 -!- piece3 [~quassel@14.161.15.21] has quit [Remote host closed the connection]
14:47 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
14:47 < Fohlen> anyone knows if I'd be able to use one real server interface (IP) per user connecting?
14:50 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
14:50 -!- piece3 [~quassel@14.161.15.21] has quit [Remote host closed the connection]
14:51 -!- dazo is now known as dazo_afk
14:54 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
14:54 -!- penth [~rachel@c-68-81-92-61.hsd1.pa.comcast.net] has joined #openvpn
14:55 < penth> !welcome
14:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:55 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:55 -!- piece3 [~quassel@14.161.15.21] has quit [Remote host closed the connection]
14:56 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
14:58 < fenris_kcf> how to store the client-configuration for the windows-client to make it read automatically?
14:58 < fenris_kcf> is that possible?
14:58 < fenris_kcf> storing as "…\config\client.ovpn" does not seem to work
14:58 < penth> I'd like to know whether anyone has (successfully or not) connected an openvpn client to a Zywall 110. The zywall appears to only expect a proprietary ipsec client, and I have to know whether my boss should actually buy these to start phasing out our old netgears or run screaming in another direction.
14:58 < penth> !goal
14:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:59 -!- piece3 [~quassel@14.161.15.21] has quit [Remote host closed the connection]
14:59 -!- cj___ [~cjac@2607:ff08:f5:3a::3] has joined #openvpn
15:00 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
15:00 -!- piece3 [~quassel@14.161.15.21] has quit [Remote host closed the connection]
15:05 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
15:10 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 265 seconds]
15:22 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
15:23 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
15:28 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
15:56 < fenris_kcf> hy. how to deal with the "Windows route add command failed"-error on windows?
16:20 <@krzee> !winroute
16:20 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file or (#2) many users also report it helps to add route-delay to give the interface extra time to get up or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access or (#4) make sure you are running openvpn as admin or (#5) you might also want to see that
16:20 <@vpnHelper> and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
16:29 < fenris_kcf> thx
16:41 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
16:42 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
16:50 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
17:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:06 -!- Aelius_ is now known as Aelius
17:13 < pekster> krzee: It can if you policy route properly ;)
17:14 <@krzee> set the outgoing port and then mark it in the firewall?
17:16 < pekster> Yup
17:19 < pekster> Although realistically that's simple enough to do with u32 (in Netfilter) or route-to in PF if you don't want to mark/tag
17:21 <@krzee> i guess i havnt gone very far down the policy routing rabbit hole
17:21 < pekster> It's not too hard; the "tricky" part is just identifying the traffic correctly
17:24 <@krzee> well thats usually easy enough
17:57 -!- lj1 [~l@192.241.174.169] has joined #openvpn
18:00 -!- lj [~l@192.241.174.169] has quit [Read error: Operation timed out]
18:01 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
18:04 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
18:08 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
18:18 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:23 -!- Mike3 [mad@mx.probie.nl] has quit [Ping timeout: 252 seconds]
18:32 -!- Screech [~cott@69.146.16.131] has joined #openvpn
18:33 -!- Screech [~cott@69.146.16.131] has quit [Client Quit]
18:33 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
18:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:41 -!- fenris_kcf [~fenris@p579E6946.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
18:53 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Quit: Leaving]
18:54 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
18:55 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
18:56 -!- james41382_ is now known as james41382
19:09 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 272 seconds]
19:10 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Read error: Operation timed out]
19:12 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
19:37 -!- Guest88655 [~mbff@2605:6400:1:fed5:22:656:343:3e46] has left #openvpn []
19:45 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
19:51 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
20:14 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 272 seconds]
20:15 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
20:18 -!- he1kki [~heikki@border.bitcoinia.net] has joined #openvpn
20:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:22 -!- ccamachouy [~ccamacho@r186-52-201-214.dialup.adsl.anteldata.net.uy] has joined #openvpn
20:22 -!- ccamachouy [~ccamacho@r186-52-201-214.dialup.adsl.anteldata.net.uy] has quit [Client Quit]
20:23 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
20:27 -!- ChrisUY [~ccamacho@r186-52-201-214.dialup.adsl.anteldata.net.uy] has joined #openvpn
20:30 -!- _psycheye [~psycheye@93.49.16.11] has quit [Quit: changing servers]
20:30 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
20:31 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
20:31 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
20:32 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
20:33 < propheticsquiddy> hello all, novaflash
20:37 -!- tfox [~tfox@199.19.95.160] has quit [Client Quit]
20:39 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
20:46 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
20:51 < ChrisUY> Hola
20:52 < propheticsquiddy> what's new chrisuy
20:53 < ChrisUY> sorry, my english is bad
20:53 < ChrisUY> im speak spanish
20:53 < propheticsquiddy> que esta hombre
20:53 < ChrisUY> i have a problem with openvpn
20:54 < ChrisUY> its connect but no assign ip correctly
20:55 < ChrisUY> the gateway not configure
20:58 < ChrisUY> http://pastebin.com/K9i0V9vE
20:58 < ChrisUY> my openvpn.conf in my server
21:05 < pekster> ChrisUY: You haven't assigned your server any addressing. You should not use 192.168.1.0/24 for your VPN either as it is commonly used by home routers
21:06 -!- ChrisUY [~ccamacho@r186-52-201-214.dialup.adsl.anteldata.net.uy] has quit [Ping timeout: 264 seconds]
21:09 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
21:19 -!- psycheye [~psycheye@93.49.16.11] has quit [Read error: Operation timed out]
21:19 -!- ChrisUY [~ccamacho@r186-52-250-37.dialup.adsl.anteldata.net.uy] has joined #openvpn
21:20 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
21:20 < ChrisUY> can anyone help me?
21:22 < pekster> http://fpaste.org/67228/32411413/
21:22 < pekster> Reference the --server helper directive as you haven't expanded that correctly, and consider using a better network for your VPN
21:23 -!- losted [~losted@box.losted.net] has joined #openvpn
21:24 < ChrisUY> ok, what recomends?
21:25 < ChrisUY> this is a home network
21:25 < ChrisUY> no for business use
21:26 < pekster> And are you _sure_ you will _never_ need to connect from a matching network?
21:26 < pekster> If not, don't use such a common network
21:26 < ChrisUY> yes, sure
21:27 < ChrisUY> its only for connection smartphone to home
21:27 < ChrisUY> i need access a my home network only
21:28 < pekster> And what do you think happens when your phoone is on a wifi network owned by someone _ELSE_ ?
21:28 < pekster> Are you going to tell the rest of the world not to use 192.168.1.0/24? Everyone uses that
21:29 < ChrisUY> my idea is use a ip 10.x.x.x
21:29 < ChrisUY> but not working for me
21:30 < pekster> It doesn't matter what you use. Just don't use common networks
21:30 < pekster> !randomsubnet
21:30 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
21:30 < pekster> There's some shell code if your shell has $RANDOM support
21:31 < ChrisUY> ok, my idea is not using common networks
21:31 < ChrisUY> is only for try, but not working in few test
21:32 < pekster> It doesn't work becuase you didn't listen to the first part I said
21:32 < pekster> You have a broken config
21:32 < ChrisUY> no only common conf,  its a try and error
21:32 < pekster> !howto
21:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:32 < pekster> Try starting there
21:33 < ChrisUY> i read this, but i dont know few text lines
21:33 < ChrisUY> my native language is spanish, my english is so bad
21:34 < ChrisUY> i need that vpn network assign ip address and gateway ip
21:34 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
21:35 < ChrisUY> i not need any special ip address
21:35 < pekster> Then use --server and be done with it
21:36 < pekster> You have failed to set an IP for your server. Either read about --server in the manpage, or set addressing properly
21:36 < pekster> By doing neither it will remain broken
21:36 < pekster> You also shouldn't use tun
21:36 < pekster> You also have not ended your pool on a valid /30 network boundry
21:36 < ChrisUY> i use tun
21:36 < pekster> Erm, sorry, use tun. Don't use tcp
21:37  * pekster shrugs. A few problems you ought to clean up there. Addressing is your biggest problem
21:37 < pekster> THere are some examples depending on your topology you can read here:
21:37 < ChrisUY> i need use tcp but firewall provider
21:37 < pekster> !addressing
21:37 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
21:37 -!- cj___ is now known as cjac
21:37 < pekster> Yea, if you have a firewall you don't control you're out of luck
21:38 < ChrisUY> my open port is 443 in my provider
21:38 < ChrisUY> TCP 443
21:38 < pekster> You're not listening
21:38 < pekster> You have no addressing on your server
21:38 < pekster> Your server thus has no address on the tun device
21:38 < pekster> Without an address, nothing useful happens
21:38 < pekster> Fix it. Add an --ifconfig directive or just use --server as the examples show you
21:39 < ChrisUY> right
21:39 < pekster> The manpage shows you exactly what --server is doing
21:39 < pekster> !man
21:39 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
21:40 < ChrisUY> right
21:40 < ChrisUY> add --server directive my server is assign any ip
21:40 < ChrisUY> sorry
21:42 < ChrisUY> Thanks pekster.
21:43 < pekster> See the !addressing URL I gave you earlier too. You can type that here for the URL again. It shows you examples for using a smaller pool, but you should not need to do that. You only need a reduced pool in tun when you are having the server do static addressing to some clients
21:44 < ChrisUY> yes, now i try this,
21:44 < ChrisUY> thanks for your valuable help
21:54 < losted> Since  you guys seem so helpful I think I'll ask right now : I just installed openvpn 2.3.2 and it seems like it doesn't come with easy-rsa... I downloaded it from github but I'm kind of lost right now following ( http://openvpn.net/index.php/open-source/documentation/howto.html#quick ) I'm stuck at building the CA ... I can't find the script that does it... any idea where I can find it?
21:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
21:55 < pekster> losted: The howto there references the 2.x version of easyrsa, which is also available on github as a release package. For resources and a 3.x howto, see:
21:55 < pekster> !easyrsa
21:55 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master.
21:55 < pekster> Either follow a 3.x procedure if you're using the 3.0.0-rc1 package, or use 2.x that the howto you're using applies to
21:56 < losted> yeah I'm looking for a 3.x procedure
21:56 < losted> any idea where I can find one?
21:56 < pekster> Oh, the wiki link was gone :\
21:57 < pekster> !learn easyrsa as Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
21:57 <@vpnHelper> Joo got it.
21:57 < pekster> losted: ^ see that URL (the info must be in another factoid)
21:58 < losted> nice thanks!
21:59 < pekster> losted: I need to update that page with a note, but be aware that nsCertType has been deprecated by the openssl folks for some time now. easyrsa 3 does _not_ include this by default. You have 3 options: 1) use --remote-cert-tls instead of --ns-cert-type, 2) enable the deprecated behavior by reading the vars.example file, 3) don't use MITM protection (bad idea)
22:00 < losted> i'll go with the first option ;)
22:00 < pekster> Yup, that's best
22:00 < pekster> The official howto on the openvpn site is just a bit out of date in some respects (uses the ancient net30 topology, uses "Netscape" cert extensions, etc)
22:01 < pekster> It works, just needs to be updated for modern times
22:01 < pekster> More info on net30 at !topology if you want more reading material :)
22:02 < losted> no thanks I already have too much to read :P
22:04 < losted> do I need to set a password to my CA ?
22:07 < pekster> It's up to you, but you probably should
22:07 < pekster> If security isn't important to you, do whatever (it's mostly only relevant if you suffer a compromise, but one doesn't generally "plan" on that happening)
22:08 < pekster> Assorted security recommendations, including a bunch for your PKI, can be found at: !hardening
22:08 < losted> yea if I get compromised I wipe the server and start again from scratch :P
22:08 < pekster> If your CA is compromised you have to re-issue _ALL_ keys it signed (ie: all of them, everywhere)
22:09 < losted> I'm a developper trying to be better at managing servers so I just use this vps to learn. and so far openvpn is my hardest challenge :P
22:09 < pekster> You might like to read about PKI basics too:
22:09 < pekster> !intro-to-pki
22:09 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
22:09 < pekster> (that's one of the docs easyrsa v3 ships with)
22:10 < losted> nice thanks
22:10 -!- ChrisUY [~ccamacho@r186-52-250-37.dialup.adsl.anteldata.net.uy] has quit [Quit: Saliendo]
22:12 < losted> i think I'll be able to access my vpn by the end of the weekend :P
22:56 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 246 seconds]
22:59 -!- pnielsen [~pnielsen@li301-93.members.linode.com] has joined #openvpn
23:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
23:21 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:31 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Read error: Connection reset by peer]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
23:36 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
23:37 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has joined #openvpn
23:59 -!- nobit [nobit@unaffiliated/muska] has quit [Ping timeout: 272 seconds]
--- Day changed Fri Jan 10 2014
00:00 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
00:15 -!- LightningW [~Lightning@unaffiliated/lightningw] has joined #openvpn
00:19 < he1kki> I'm about to build new openvpn subnet inside openvpn subnet. Is this generally idea?
00:20 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
00:21 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
00:23 -!- heraclitus__ [~heraclitu@vpn.planetcrypto.com] has joined #openvpn
00:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 264 seconds]
00:33 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:33 < he1kki> grhm. bad. is that generally bad idea.
00:39 < LightningW> !welcom
00:39 < LightningW> !welcome
00:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:40 < LightningW> so hi, i'm migrating an old setup and i can't get the NAT working
00:40 < LightningW> FW: http://pastebin.com/k8krdF9B OVPN: http://pastebin.com/Qg0EtWPJ
00:41 < LightningW> any help is much much appreciated, i'm lost, thanks
01:01 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Ping timeout: 245 seconds]
01:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:03 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:04 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Remote host closed the connection]
01:12 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 260 seconds]
01:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:26 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:28 -!- marlinc [~marlinc@ip565fa73c.direct-adsl.nl] has quit [Ping timeout: 246 seconds]
01:29 -!- heraclitus__ is now known as heraclitus
01:29 -!- heraclitus [~heraclitu@vpn.planetcrypto.com] has quit [Changing host]
01:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:35 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
01:44 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:45 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Max SendQ exceeded]
01:45 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
01:45 -!- lachesis_ is now known as lachesis
01:46 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
01:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
01:56 < LightningW> !goal
01:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:56 < LightningW> !configs
01:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:57 < LightningW> !:C
02:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
02:05 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Remote host closed the connection]
02:10 -!- Weasel_ [kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
02:12 -!- occupant [~null@204.14.158.226] has quit [Read error: Connection reset by peer]
02:12 -!- occupant [~null@204.14.158.226] has joined #openvpn
02:13 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 245 seconds]
02:15 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
02:23 -!- Weasel_ [kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Remote host closed the connection]
02:26 -!- lj1 [~l@192.241.174.169] has joined #openvpn
02:30 -!- Weasel_ [kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
02:39 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
02:40 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
02:43 -!- Weasel_ [kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Remote host closed the connection]
02:45 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
02:50 -!- azi [~azi@unaffiliated/aquana] has quit [Ping timeout: 272 seconds]
03:13 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 272 seconds]
03:14 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
03:15 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
03:19 -!- jhp [~jhp@zeus.jhprins.org] has quit [Quit: leaving]
03:41 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
04:28 -!- azi [~azi@unaffiliated/aquana] has joined #openvpn
04:32 -!- occupant [~null@204.14.158.226] has quit [Read error: Connection reset by peer]
04:33 -!- occupant [~null@204.14.158.226] has joined #openvpn
04:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:01 -!- tfox [~tfox@199.19.95.160] has quit [Quit: tfox]
05:10 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
05:13 -!- dazo_afk is now known as dazo
05:14 -!- tfox [~tfox@199.19.95.160] has quit [Client Quit]
05:20 -!- Darkstar1_ [~Darkstar1@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has joined #openvpn
05:21 < Darkstar1_> Hi all. I'm new to oppen vpn.
05:21 < Darkstar1_> !welcome
05:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:22 < Darkstar1_> !howto
05:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:23 < Darkstar1_> !route
05:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
05:23 <@vpnHelper> client
05:23 < Darkstar1_> !serverlan
05:23 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
05:23 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
05:30 < Darkstar1_> !clentlan
05:31 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:46 -!- LightningW [~Lightning@unaffiliated/lightningw] has left #openvpn ["Wee."]
06:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
06:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:26 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
06:27 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 252 seconds]
06:28 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
06:28 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
06:28 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
06:42 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:53 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:16 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
07:24 -!- cherwin [~cherwin@80.239.169.202] has joined #openvpn
07:29 -!- JackWinter_ [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
07:33 -!- cherwin [~cherwin@80.239.169.202] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
07:33 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
07:36 -!- Denial [Denial@2.217.201.230] has quit []
07:36 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
07:46 -!- Denial [Denial@2.217.201.230] has joined #openvpn
08:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
08:18 -!- nick4 [~nick4@213.16.176.8.dsl.dyn.forthnet.gr] has joined #openvpn
08:19 < nick4> I'm trying to use easyrsa to sign the client key. I'm reading this: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/README.quickstart.md and I'm on step 4, but I get this error: "Unknown cert type 'client'"
08:19 <@vpnHelper> Title: easy-rsa/README.quickstart.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
08:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:25 -!- master_of_master [~master_of@p4FD7B15B.dip0.t-ipconnect.de] has joined #openvpn
08:25 -!- master_o1_master [~master_of@p4FF24525.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
08:27 <@krzee> nick4, wanna post your config?
08:27 <@krzee> oh nevermind its easy-rsa
08:27 <@krzee> you prolly aint using the openssl.conf that came with easy-rsa or something
08:28 <@krzee> im not sure, i havnt run easy-rsa in years
08:28 < Darkstar1_> verb 0 on a client file. Does this mean no logging?
08:28 <@krzee> basically. it'll have a logfile but no real info will make it in
08:29 <@krzee> just the fact that openvpn started, and maybe a warning or 2
08:29 <@krzee> wouldnt setting the config to verb 0 and looking answer that?
08:33 < Darkstar1_> krzee: I am new to openvpn and reading docs whilst trying to figure out an ex-admins' undocumented setup. on a disconnected client
08:44 < nick4> krzee I have the openssl-1.0.cnf from the easyrsa package: http://pastebin.com/raw.php?i=a3tk5M4s
08:44 < nick4> Unless it's in the wrong place?
08:46 <@krzee> Darkstar1_, haha good luck with that man, ya verb 0 was to disable logging
08:46 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Quit: Byebye]
08:47 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
08:47 <@krzee> nick4, i dont really use easy-rsa im sure someone who does will pop in, but you probably dont need the client to be specially signed as a client anyways? pekster wrote easy-rsa v3 so if nobody else pops up try to catch him
08:49 < nick4> okay, sounds good, thanks :)
08:50 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
08:50 < Darkstar1_> krzee: advisable to turn it on for a tiny production client?
08:51 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
08:51 <@krzee> depends on you, while trying to debug anything its definitely the first thing you wanna do
08:51 <@krzee> one of my production setups has no logging, the others do
08:52 < Darkstar1_> ok. so it'll stay on 0 then
08:54 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
08:57 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:58 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:01 < pablito> hi
09:02 < pablito> has anyone here used openvpn to enable free calls between countries like MagicJack?
09:12 <@krzee> not like magicjack, but i have a voip darknet which can be used from any country with good internet
09:13 <@ecrist> I use magic jack
09:13 <@ecrist> works OK
09:13 <@krzee> privacy of the call is more the goal than getting around pricing, but i have a feeling the real question was "anyone use voip over vpn?"
09:13 <@ecrist> we do it at $work
09:13 <@krzee> $work uses magicjack!?
09:14 <@krzee> im surprised $work doesnt just have their own ATAs connect to their own pbx
09:14 <@ecrist> the boss does, I do at home
09:14 <@ecrist> krzee: we have our own voip stuff for $work
09:14 <@krzee> exactly
09:14 <@ecrist> a pair of freeswitch boxes and deployed polycoms
09:15 <@ecrist> each freeswitch box has it's own PRI
09:15 <@krzee> i remember the cool fax scripts you built
09:16 -!- i7c [~i7c@unaffiliated/i7c] has quit [Quit: oh no, why]
09:17 -!- i7c [~i7c@80-69-77-233.colo.transip.net] has joined #openvpn
09:18 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 260 seconds]
09:20 <@ecrist> that stuff is FAR more advanced now
09:20 < Darkstar1_> I got the following warning : NOTE: the current --script-security setting may allow this configuration to call user defined scripts and searched online this. Turned up nothing I could use. what is this?
09:21 <@ecrist> look in the man page for --script-security
09:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
09:26 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:29 -!- i7c [~i7c@80-69-77-233.colo.transip.net] has quit [Changing host]
09:29 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
09:36 < Darkstar1_> krzee: sorry I should've thought about that. I hate reading the man and usually turn to google for help first :P
09:40 -!- takamichi [~takamichi@85.12.8.104] has quit [Read error: Connection reset by peer]
09:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:48 -!- plm [~neo@200.175.61.1] has joined #openvpn
09:48 < plm> Hi
09:51 < plm> I have a box1 if ppp0 and ppp1. At now the default router is the ppp1. So I setup two tunnels: tun0 and tun1. How I do to have a specific route for the tunnels via their respective ppp-interface?
09:57 <@krzee> i dont understand the question
10:01 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
10:04 < plm> krzee: ok sorry, in other words: I need a routes for the tunnels themselves, probably specific ones (either on destination) and no default ones, becouse after tunnel connected I need to remove the default route of ppp..
10:05 -!- tfox [~tfox@199.19.95.160] has quit [Client Quit]
10:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
10:09 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
10:10 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
10:16 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
10:17 -!- Darkstar1_ [~Darkstar1@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has quit [Quit: Darkstar1_]
10:19 -!- Darkstar1_ [~Darkstar1@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has joined #openvpn
10:37 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
10:59 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
11:02 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 272 seconds]
11:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:04 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:08 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
11:19 -!- Fohlen [~Fohlen@static.196.152.46.78.clients.your-server.de] has left #openvpn []
11:31 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
11:32 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
11:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:36 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:54 -!- sneak [~sneak@unaffiliated/sneak] has left #openvpn []
11:54 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
12:21 < Haigha> hi, is there any way to change the default IPv6 gateway ?
12:27 <@EugeneKay> !def1
12:27 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:27 <@EugeneKay> !redirect
12:27 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:27 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:27 <@EugeneKay> I'm guessing that's what you're after? ^
12:29 < pekster> nick4: Still around? Sounds like you either are using a non-standard $EASYRSA_PKI dir, or your installation is incomplete and you don't have the x509-types/client file that easyrsa v3 ships with
12:32 < Haigha> thank you EugeneKay
12:33 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:37 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
12:40 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
12:47 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
12:51 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
12:52 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
12:54 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
12:54 -!- lj [~l@74.120.200.95] has joined #openvpn
12:55 -!- lj1 [~l@192.241.174.169] has joined #openvpn
12:58 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
12:58 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 260 seconds]
13:01 -!- Darkstar1_ [~Darkstar1@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has quit [Quit: Darkstar1_]
13:17 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
13:18 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
13:33 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has left #openvpn ["Leaving"]
13:37 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
13:41 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
13:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
13:59 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
14:03 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has joined #openvpn
14:06 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Ping timeout: 265 seconds]
14:19 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
14:21 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
14:23 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
14:25 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
14:35 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 246 seconds]
14:37 -!- lysobit [~musalbas@2001:1af8:4100:a031:2::] has joined #openvpn
14:39 -!- mattock is now known as mattock_afk
14:43 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
14:43 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
14:43 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
14:46 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
14:47 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
14:48 < lysobit> How can I change the outgoing public IP address for OpenVPN clients? e.g. the OpenVPN client connects to public IP address A, but the server has multiple IPs and I want the client to access the internet with public IP B
14:51 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:58 <@EugeneKay> !redirect
14:58 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:58 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:58 <@EugeneKay> !linnat
14:58 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
14:58 <@EugeneKay> #2 ^
15:00 < lysobit> thank you
15:01 < lysobit> wouldn't that redirect all traffic, not just openvpn?
15:02 < lysobit> and what if the outgoing ip address is on interface eth0:0?
15:02 <@EugeneKay> Yup. You'll want a -s match for the int/subnet
15:02 < lysobit> thanks, and change eth0 to eth0:0?
15:02 <@EugeneKay> :0 is just a hack for ifconfig users to have multiple IPs; iptables doesn't see/care. It's all eth0.
15:03 < lysobit> oh, ok
15:03 -!- josefig [~josef@187.188.82.71] has joined #openvpn
15:03 -!- josefig [~josef@187.188.82.71] has quit [Changing host]
15:03 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
15:13 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
15:18 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
15:18 -!- Fohlen [~Fohlen@static.196.152.46.78.clients.your-server.de] has joined #openvpn
15:19 < Fohlen> Hey guys, is there some options in openvpn server to output user history (only by domain)
15:19 < Fohlen> I have no problem with people using my vpn, but I'd certainly like to have a look on some basic things of what they do ... for example if they access porn sites
15:19 < Fohlen> wouldnt be in my interest to provide a vpn for that kind of access
15:26 < plm> people, how I do for tun0 out via (use) ppp0 and tun1 out via (use) ppp1?
15:28 <@krzee> Fohlen, openvpn does not inspect the traffic it passes
15:28 < Fohlen> krzee, I did expected that, which is good :)
15:28 < Fohlen> but is there a possibility known to do so either? Maybe a script or whatever?
15:28 <@krzee> you would use a tool that inspects traffic for that, you can see the traffic on the tun device
15:28 < Fohlen> hmm
15:39 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
15:41 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
15:42 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
15:42 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
15:45 < nick4> pekster it's probably the second. I haven't actually installed easyrsa, just took the script. I need to look at this first and I'll get back if I still have an issue. Thanks!
15:47 < plm> anyone?
15:49 < plm> krzee: do you know about that?
15:50 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
15:50 <@krzee> i guess through the use of --local and policy routing
15:54 < pekster> nick4: Ah, gotcha. Yea, v3 relies on some external files to do its business correctly. The easiest is to just grab the release tarball, although if you do a source checkout the binary is in easyrsa3/ to use as well
15:56 < plm> krzee: please, look what ai tried: http://dpaste.com/1545747/
15:58 <@krzee> why are you removing your default routes?
15:59 < plm> krzee: becouse I need that tun0 go via ppp0 and tun1 via ppp1. with default route, both are going by ppp1, the last one dialed.
16:02 -!- lysobit [~musalbas@2001:1af8:4100:a031:2::] has quit [Ping timeout: 256 seconds]
16:03 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
16:04 -!- bakers [~bakers@bar-1.web-ster.com] has joined #openvpn
16:06 < bakers> I'm getting an error connecting to my OpenVPN server on the initial cert? What's the next step after this: http://www.fpaste.org/67519/89391564/\
16:07 < plm> bakers: tunnels are setup in the server?
16:08 <@krzee> !certverify
16:08 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
16:08 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
16:09 < bakers> krzee: I verified the certificates, both server/client come back OK
16:10 < bakers> md5sum of the ca.crt is the same on client and server
16:10 < bakers> plm: Tunnels setup on server how?
16:10 <@krzee> check the time on both machines and on the CA
16:10 < bakers> krzee: Time is NTP on both, and both are accurate
16:11 <@krzee> use verb 4 and get log from other side as well
16:11 < plm> bakers: It is if server tun is running, but I krzee told you what is possible to be wrong..
16:11 <@krzee> oph wait no
16:11 <@krzee> i see it
16:12 <@krzee> you have nscerttype server in the client config
16:12 -!- guy [~gajus@oftn/member/guy] has joined #openvpn
16:12 <@krzee> but the server cert doesnt have that bit set
16:12 <@krzee> maybe try the other way
16:12 < guy> can some recommend a fast VPN in UK?
16:12 <@krzee> !mitm
16:12 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
16:12 <@krzee> change nscerttype server to    remote-cert-tls server
16:13 <@krzee> in the client config
16:13 <@krzee> guy, i have an account on a service i like that has 2 entrance nodes in the uk
16:13 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:14 <@krzee> but its not like i endorse them or anything
16:14 <@krzee> just that my experience using the service has been fine
16:14 -!- lysobit [~musalbas@2001:1af8:4100:a031:2::] has joined #openvpn
16:14 < bakers> krzee: Closer... Fri Jan 10 14:13:43 2014 Certificate does not have key usage extension
16:14 < bakers> VERIFY KU ERROR
16:14 <@krzee> bakers, then just remove that like all together
16:14 < plm> krzee: could you help with taht problem?
16:14 <@krzee> bakers, you didnt specially sign the server cert
16:15 <@krzee> either regenerate it, or remove that line
16:15 <@krzee> plm, not really, sorry
16:15 < bakers> krzee: That did it!
16:15 <@krzee> i stopped using ppp way before i started using openvpn
16:15 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:15 <+rob0> pee pee pee
16:16 <+rob0> viepienne
16:17 < plm> krzee: not problem, but could you tell me if my logical is correct: without default route, but with tun0 using ppp0 and tun the ppp1? Becouse if I have a default route both will using just one ppp (ppp0 or ppp1).
16:17 -!- guy [~gajus@oftn/member/guy] has left #openvpn []
16:18 -!- dazo is now known as dazo_afk
16:18 <@krzee> oh ya, did you make a route to the server's ip over the right device?
16:20 < plm> krzee: yes, I did that I paste for you http://dpaste.com/1545747/
16:20 < plm> krzee: for tun0 out via ppp0 and tun1 via ppp1 in iproute, but that nor works.. :-( both out via default route, and when I remove default route both tunnels down
16:21 <@krzee> i dunno about any possible gotchyas with policy routing and ppp
16:21 <@krzee> sorry dude
16:21 < plm> krzee: ok, not problem
16:21 <@krzee> you are using --local too, right?
16:21 <@krzee> to bind to that specific ppp ip address
16:22 < plm> krzee: not, I never used --local, where and when I used that?
16:22 <@krzee> in the openvpn config
16:22 <@krzee> !man
16:22 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
16:22 <@krzee> !--
16:22 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
16:23 < plm> krzee: show jsut this: root@box2:/etc/openvpn# grep -i local client.conf
16:23 < plm> # a specific local port number.
16:23 < plm> root@box2:/etc/openvpn#
16:23 -!- lysobit [~musalbas@2001:1af8:4100:a031:2::] has quit [Read error: Connection reset by peer]
16:24 -!- lysobit [~musalbas@2001:1af8:4100:a031:2::] has joined #openvpn
16:24 <@krzee> see --local in the manual
16:24 < plm> krzee: ok
16:25 < plm>       --local host
16:25 < plm>               Local host name or IP address for bind.  If specified, OpenVPN will bind to this address only.  If unspecified, OpenVPN will bind to all interfaces.
16:25 < plm> I think is that i need =D
16:26 <@plaisthos> krzee: --<ca>
16:26 < bakers> krzee: I used easy-rsa to generate my certs, how would I set the 'nscerttype server' bit
16:26 < bakers> so I can use that
16:27 <@krzee> !easy-rsa
16:27 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
16:28 <@krzee> if you're using v3 then the link at #3 tells you
16:29 < bakers> Ah looks like my distro ships 2.0
16:30 <@krzee> ya, v3 is still rc
16:30 <@krzee> can get it at #2
16:31 <@krzee> its totally overhauled, i havnt used it yet (i havnt used easy-rsa in years) but from what i see its better
16:32 < plm> krzee: do you know where I start that --local? I tryed this "root@box2:/etc/openvpn# /etc/init.d/openvpn start client --local 179.114.44.73" but not works:
16:33 < plm> *   Starting VPN '--local': missing /etc/openvpn/--local.conf file ! *   Starting VPN '179.114.44.73': missing /etc/openvpn/179.114.44.73.conf file !
16:33 <@krzee> haha
16:33 <@krzee> local 179.114.44.73
16:33 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
16:33 <@krzee> put that in the config
16:33 < plm> krzee: ohh sorry, but why the original config file dont have all possible params?
16:34 <@krzee> have you seen the manual?
16:34 <@plaisthos> plm: look at man openvpn and take a guess
16:34 <@krzee> i'ld like to see how big the manual would look in print form haha
16:35 <@krzee> "what novel are you reading?"
16:35 <@plaisthos> krzee: just print https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
16:35 <@plaisthos> :D
16:35 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:35 < plm> yes, I did "man openvpn" =D
16:35 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
16:36 <@plaisthos> and some options are not documented in man openvpn :)
16:36 <@plaisthos> (and you should not use that options)
16:38 < plm> plaisthos: ohh comon.. I start my tunnels anot using local <ip> in the config and you say I should be not used?
16:38 <@plaisthos> plm: read again
16:38 <@plaisthos> plm: I said there are undocumented options and you should not use the undocumented options
16:38 <@plaisthos> --local is doucmented
16:39 < plm> plaisthos: ok
16:42 -!- arkandsaw [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
16:47 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Ping timeout: 252 seconds]
16:47 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
16:49 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:50 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
16:57 -!- arkandsaw2 [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
17:01 -!- arkandsaw [~ma1com10t@host-92-20-5-217.as13285.net] has quit [Ping timeout: 260 seconds]
17:02 -!- lysobit [~musalbas@2001:1af8:4100:a031:2::] has left #openvpn ["Leaving"]
17:13 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
17:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:14 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:14 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:15 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:16 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
17:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:21 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
17:23 -!- keithzg [~quassel@184.70.164.246] has quit [Remote host closed the connection]
17:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:47 -!- josefig [~josef@unaffiliated/josefig] has quit [Ping timeout: 272 seconds]
17:48 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
17:49 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
17:49 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
17:53 -!- plm [~neo@200.175.61.1] has quit [Ping timeout: 252 seconds]
17:55 -!- plm [~neo@200.175.61.1] has joined #openvpn
18:13 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Remote host closed the connection]
18:23 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 252 seconds]
18:24 -!- bakers [~bakers@bar-1.web-ster.com] has quit [Quit: Khhhaaannnnnnnn]
18:25 -!- EugeneKay [eugene@clockworkmod.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
18:26 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
18:28 -!- EugeneKay [eugene@clockworkmod.org] has joined #openvpn
18:29 -!- mode/#openvpn [+o EugeneKay] by ChanServ
18:37 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:50 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
18:51 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
18:52 -!- Cpt-Oblivious_ is now known as Cpt-Oblivious
19:11 -!- Martyn [~Martin@216.38.134.150] has quit [Quit: Computer has gone to sleep.]
19:20 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
19:35 -!- plm [~neo@200.175.61.1] has quit [Quit: leaving]
19:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:51 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
19:52 -!- lj1 [~l@192.241.174.169] has joined #openvpn
19:56 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
19:58 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
20:09 <+__FBi> !dns
20:09 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
20:09 <+__FBi> !pushdns
20:09 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
20:26 <+__FBi> nice
20:26 <+__FBi> resolvconf fixed it
20:35 -!- arkandsaw2 [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
20:38 -!- tfox [~tfox@199.19.95.160] has joined #openvpn
21:05 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
21:24 -!- mitz_ [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
21:30 -!- sgiratch [~sgiratch@unaffiliated/sgiratch] has quit [Remote host closed the connection]
21:43 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
21:48 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Client Quit]
22:08 -!- tfox_ [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
22:09 -!- tfox [~tfox@199.19.95.160] has quit [Ping timeout: 272 seconds]
22:09 -!- tfox_ is now known as tfox
22:52 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
--- Day changed Sat Jan 11 2014
00:08 -!- kaos01_ [~kaos01@12.186.233.220.static.exetel.com.au] has joined #openvpn
00:08 -!- kaos01_ [~kaos01@12.186.233.220.static.exetel.com.au] has quit [Quit: leaving]
00:19 -!- mattock_afk is now known as mattock
00:25 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:44 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
00:52 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
00:52 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
01:01 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:37 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
01:46 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-kymzvfymijzorfdt] has joined #openvpn
01:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
01:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:18 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
02:20 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
02:21 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
02:25 -!- mattock is now known as mattock_afk
02:39 -!- noobboob [uid5587@gateway/web/irccloud.com/x-wlfpqvffklpdrqdp] has quit [Ping timeout: 252 seconds]
02:40 -!- noobboob [uid5587@gateway/web/irccloud.com/x-lttupgrrtgbjtpxb] has joined #openvpn
02:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
03:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:16 -!- Gelos [sid17176@gateway/web/irccloud.com/x-yssucnafrqssnrvy] has quit [Ping timeout: 246 seconds]
03:16 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-bswofolajoanfseu] has quit [Ping timeout: 252 seconds]
03:17 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oolywezulfjtmtdw] has joined #openvpn
03:18 -!- Gelos [sid17176@gateway/web/irccloud.com/x-xckierlaguffeurm] has joined #openvpn
03:24 -!- pablito [~chatzilla@194.90.149.21] has quit [Read error: Connection reset by peer]
03:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:58 -!- Eagleman7 is now known as Eagleman
05:02 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
05:09 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
05:19 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Computer has gone to sleep.]
05:28 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
05:36 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:56 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
05:57 -!- Varazir_ is now known as Varazir
05:58 -!- Devastator [~devas@177.99.154.39] has joined #openvpn
06:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
06:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
06:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:14 -!- mode/#openvpn [+v s7r] by ChanServ
06:30 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
06:41 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
06:47 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
07:01 -!- Devastator [~devas@177.99.154.39] has quit [Changing host]
07:01 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
07:02 -!- mattock_afk is now known as mattock
07:07 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
07:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:22 -!- Denial [Denial@2.217.201.230] has quit []
07:30 -!- Denial [Denial@2.217.201.230] has joined #openvpn
07:36 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has joined #openvpn
07:50 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
07:54 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
07:58 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
08:01 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
08:28 -!- master_of_master [~master_of@p4FD7B15B.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
08:29 -!- heraclitus__ [~heraclitu@cpe-72-181-248-94.tx.res.rr.com] has joined #openvpn
08:30 -!- heraclitus__ [~heraclitu@cpe-72-181-248-94.tx.res.rr.com] has quit [Remote host closed the connection]
08:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
08:30 -!- master_of_master [~master_of@p4FF246BA.dip0.t-ipconnect.de] has joined #openvpn
08:52 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
08:52 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
08:52 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
09:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
09:14 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
09:15 -!- lj1 [~l@192.241.174.169] has joined #openvpn
09:18 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
09:29 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Read error: Connection reset by peer]
09:29 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:33 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
09:37 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:37 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Client Quit]
09:39 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
09:39 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:40 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
09:40 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:41 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:42 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 245 seconds]
09:43 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:47 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:48 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:49 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:49 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:49 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:50 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:50 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:50 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:50 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:50 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:53 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:58 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:59 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
10:00 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
10:00 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
10:01 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Remote host closed the connection]
10:02 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
10:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
10:10 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
10:15 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Remote host closed the connection]
10:21 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
10:22 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
10:25 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 272 seconds]
10:25 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
10:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:35 -!- nick4_ [~nick4@178.128.240.157.dsl.dyn.forthnet.gr] has joined #openvpn
10:35 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
10:38 -!- nick4 [~nick4@213.16.176.8.dsl.dyn.forthnet.gr] has quit [Ping timeout: 245 seconds]
10:38 -!- nick4_ is now known as nick4
10:39 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
10:54 -!- nick4_ [~nick4@62.1.93.191.dsl.dyn.forthnet.gr] has joined #openvpn
10:54 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
10:55 -!- nick4 [~nick4@178.128.240.157.dsl.dyn.forthnet.gr] has quit [Read error: Operation timed out]
10:55 -!- nick4_ is now known as nick4
10:57 -!- markus_ [~markus@mirkk.vpntunnel.com] has joined #openvpn
10:57 < bigbob83> Hello, i've read the manpage of openvpn for scripting but i've don't understand yet how to apply specific configuration like shaping for a given user, someone could help me please ?
10:59 < bigbob83> i know that i have to use client-connect script and it must return 0 for authentication success but i don't know how to do after authentication success for creating dynamic config for a given user
11:01 < markus_> i think u need to use ccd
11:01 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Operation timed out]
11:03 < bigbob83> i'm checking a mysql database for user authentication and rights (like speed rate 128kbp/s)
11:04 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:05 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
11:05 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:05 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
11:08 < bigbob83> should i use --username-as-common-name  and
11:08 < bigbob83> --client-config-dir dir  ?
11:09 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:09 < markus_> u want to use traffic shaping for each openvpn client?
11:10 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Remote host closed the connection]
11:11 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:13 < pekster> bigbob83: shaping is an OS/distro thing, so you'd either use static client addresing (see: !static for more info) and shape on the known IPs, or add your dynamic QoS rules to your OS when the client connects using --client-connect
11:18 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Remote host closed the connection]
11:24 <+__FBi> !pushdns
11:24 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
11:25 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
11:26 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:26 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
11:31 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
11:31 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:33 -!- lj1 [~l@192.241.174.169] has joined #openvpn
11:33 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Remote host closed the connection]
11:34 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:35 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Ping timeout: 245 seconds]
11:37 < bigbob83> my user will be able to subscribe to differents vpn plan, for exemple: plan 1: 128 kbps, plan2: 512kb/s ...The Qos rules will depend on the user's activ plan.
11:39 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Operation timed out]
11:39 < bigbob83> Do you know a good point of start for learning this kind of Qos rules please?
11:40 < pekster> LARTC for Linux (see: !lartc) or OpenBSD docs on ALTQ for PF-based BSDs
11:41 < bigbob83> !lartc
11:41 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
11:42 < bigbob83> thank you :)
11:44 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:45 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
11:49 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
11:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:51 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 265 seconds]
11:54 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
11:59 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:01 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Remote host closed the connection]
12:02 <@krzee> !ping
12:02 <@vpnHelper> pong
12:02 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
12:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:26 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
12:29 -!- dgbaley27 [~matt@c-76-120-64-12.hsd1.co.comcast.net] has joined #openvpn
12:34 < dgbaley27> I'm noticing that while running as a client, the host address cannot be resolved (retry is at it's 'infinite' default). This continues even after the server address is resolvable. (v2.3.2 currently).
12:35 < dgbaley27> I've been working around this for the past few weeks but restarting the service, but it would be nice not to have to and allow openvpn to start normally at boot, which can be before the rest of my networking is setup.
12:35 < dgbaley27> by restarting*
12:38 < dgbaley27> The error string is "Name or service not known", so I guss EAI_NONAME
12:38 -!- fenris_kcf [~fenris@p549BC6CA.dip0.t-ipconnect.de] has joined #openvpn
12:41 < fenris_kcf> hy. i established a VPN with tun and in principle it's working fine. but it seems like i (the server) am the only one that is able to run a functioning lan-game-server. my server.conf has "client-to-client" activated. could it be some other option in the config or is it more likely a problem of the clients systems (they use Windows (7 and Vista))?
12:42 < fenris_kcf> oh, maybe important: clients can successfully ping the server but not the other way round
12:42 <+__FBi> has anyone tried OpenVPN on kitkat?
12:42 <+__FBi> fenris_kcf, do that have difference IPs?
12:43 < fenris_kcf> what do you mean?
12:43 < fenris_kcf> they have addresses out of my pool
12:43 <+__FBi> are they assigned different IPs?
12:43 < fenris_kcf> yes
12:43 <+__FBi> !windns
12:43 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
12:44 < fenris_kcf> you think it's a DNS-problem?
12:44 <+__FBi> that was for me :)
12:44 < fenris_kcf> interesting
12:46 <+__FBi> !andriod
12:46 < fenris_kcf> !android
12:46 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market or (#3) Direct Play link:
12:46 <@vpnHelper> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
12:47 <+rob0> !tyopes
12:47 <+__FBi> :)
12:47 <+rob0> !serverlan
12:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:47 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:48 <+rob0> fenris_kcf, ^^ your flowchart. Sounds like firewall, I bet.
12:51 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:53 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
12:55 <@krzee> ya 1-way ping is firewall
12:55 <+rob0> We should have something about firewall in the /topic
12:55 <+rob0> ;)
12:56 <@krzee> haha
12:57 < tempus_fol> !goal
12:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:59 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 264 seconds]
13:03 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
13:11 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Computer has gone to sleep.]
13:45 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
13:45 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
13:58 -!- dgbaley27 [~matt@c-76-120-64-12.hsd1.co.comcast.net] has quit [Remote host closed the connection]
14:04 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
14:06 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
14:07 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:13 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
14:16 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
14:24 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Ping timeout: 276 seconds]
14:32 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:33 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:35 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:35 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:09 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
16:00 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
16:05 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:30 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
16:32 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has left #openvpn ["Leaving"]
16:35 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Ping timeout: 260 seconds]
16:36 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Read error: Connection reset by peer]
16:40 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
16:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:51 -!- grewapear [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
16:53 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Ping timeout: 252 seconds]
16:55 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
17:04 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
17:11 -!- dimitry7 [~antonello@187.208.177.39] has joined #openvpn
17:24 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
17:27 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
17:34 -!- josefig [~josef@unaffiliated/josefig] has quit [Ping timeout: 272 seconds]
18:01 -!- grewapear [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
18:32 -!- nick4_ [~nick4@62.1.92.100.dsl.dyn.forthnet.gr] has joined #openvpn
18:36 -!- nick4 [~nick4@62.1.93.191.dsl.dyn.forthnet.gr] has quit [Ping timeout: 276 seconds]
18:36 -!- nick4_ is now known as nick4
18:38 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
18:52 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
19:02 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
19:18 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has quit []
20:01 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 245 seconds]
20:03 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
20:03 -!- XJR-9_ is now known as XJR-9
20:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:05 -!- mode/#openvpn [+v s7r] by ChanServ
20:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:22 -!- __FBi [~B@uwantmy.info] has quit [Ping timeout: 252 seconds]
20:25 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
20:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:58 -!- __FBi [~B@uwantmy.info] has joined #openvpn
20:58 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
21:05 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
21:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
21:05 -!- mode/#openvpn [+v s7r] by ChanServ
21:14 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
21:37 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Remote host closed the connection]
21:54 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
22:00 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
22:13 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
22:15 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
22:28 -!- tfox_ [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
22:29 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Read error: Connection reset by peer]
22:29 -!- tfox_ is now known as tfox
22:34 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
22:39 -!- bov3r3d [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
22:39  * bov3r3d bovered
22:40 < bov3r3d> p2p or server .. that is the question
22:41 -!- dimitry7 [~antonello@187.208.177.39] has quit [Read error: Connection reset by peer]
22:44 < bov3r3d> doesany body know a Good lawyer ?
22:45 < bov3r3d> pm me please ..
22:48 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
22:50 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:15 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
23:22 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
23:22 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:36 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
23:49 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
23:49 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
23:54 -!- mode/#openvpn [+o EugeneKay] by ChanServ
23:54 -!- bov3r3d was kicked from #openvpn by EugeneKay [No]
23:54 -!- bov3r3d [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
23:58 -!- josefig [~josef@unaffiliated/josefig] has quit [Ping timeout: 272 seconds]
--- Day changed Sun Jan 12 2014
00:21 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
00:21 -!- josefig [~josef@unaffiliated/josefig] has left #openvpn []
00:40 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
00:40 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
00:42 -!- fenris_kcf1 [~fenris@p579E6AC1.dip0.t-ipconnect.de] has joined #openvpn
00:44 -!- fenris_kcf [~fenris@p549BC6CA.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:58 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 246 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:07 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
01:08 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:15 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 252 seconds]
01:23 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
01:30 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
01:43 -!- vince164 [~vince164@24-212-235-5.cable.teksavvy.com] has joined #openvpn
01:43 < vince164> hello
01:46 < vince164> i cant get openvpn to connect, status just says connecting and then fails, i turned iptables off but no difference
01:47 -!- vince164 [~vince164@24-212-235-5.cable.teksavvy.com] has quit [Remote host closed the connection]
01:47 -!- vince164 [~vince164@24-212-235-5.cable.teksavvy.com] has joined #openvpn
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:10 -!- fenris_kcf1 is now known as fenris_kcf
02:11 < fenris_kcf> vince164: try to start over console and see the output
02:12 < vince164> i disabled my firewall on my local pc and it gives me a differnt error no
02:12 < vince164> now
02:12 < vince164> but i think its becaus the client.crt didnt generate properly
02:20 < vince164> Im getting a TLS handshake error now
02:20 < vince164> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
02:21 < vince164> not sure if its a issue on the server or my end
02:29 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
02:29 < zxd> hi
02:30 < zxd> has anyone ran some performance tests with openvpn udp vs tcp
03:01 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
03:11 < vince164> how do i solve this problem
03:11 < vince164> VERIFY ERROR: depth=1, error=certificate is not yet valid:
03:19 <@krzee> !time
03:20 <@krzee> !learn time as if you see VERIFY ERROR: depth=1, error=certificate is not yet valid:  then make sure you update the clocks of you client,server,ca via ntp
03:20 <@vpnHelper> Joo got it.
03:20 <@krzee> !forget time
03:20 <@vpnHelper> Joo got it.
03:20 <@krzee> !learn time as if you see VERIFY ERROR: depth=1, error=certificate is not yet valid:  then make sure you update the clocks of your client,server,ca via ntp
03:20 <@vpnHelper> Joo got it.
03:20 < vince164> humm
03:20  * krzee sleep
03:21 < vince164> have no idea what NTP is lol
03:21 <@krzee> your google broken?
03:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:22 < vince164> nah reading about it now
03:23 < vince164> anyway to not make it check the time?
03:30 < vince164> ok i got it thanks krzee
03:32 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
03:42 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
03:59 -!- calcifea_ is now known as calcifea
04:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:51 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
04:51 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
04:52 < Fohlen> hey guys, somehow a revoked certificate (with revoke-full) still seems to work, although it has an R entry in index.txt
04:52 < Fohlen> (using easy-rsa 2.0)
04:53 < Aketzu> do you use crl?
04:54 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
04:54 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:55 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
04:55 < Fohlen> Aketzu, I'm using a plain installation, so I assume yes?
04:56 < Fohlen> not sure, how can I check that?
04:56 < Aketzu> do you have crl-verify in openvpn config?
04:56 < Fohlen> Aketzu, are you reffering to this link? http://www.hackerway.ch/2013/01/11/how-to-successfully-revoke-an-openvpn-certificate/
04:56 <@vpnHelper> Title: The Hacker Way | How To Successfully Revoke An OpenVPN Certificate (at www.hackerway.ch)
04:56 < Fohlen> gimme a second, I check that
04:59 < Fohlen> Aketzu, assuming I would use it (still not sure, but isnt that default in easy-rsa?) what would be a workaround? :)
04:59 < Aketzu> well... certificates are revoked by adding their id to .crl file
05:00 < Aketzu> and openvpn doesn't allow certificates in crl (but only if you have --crl-verify)
05:00 < Aketzu> another bad way is to add client-config with "disable"
05:02 < Fohlen> Aketzu just found the clr entry in openssl.cnf
05:02 < Fohlen> so, I'm using it
05:03 < Aketzu> openssl or openvpn config?
05:06 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
05:08 -!- Netsplit *.net <-> *.split quits: GabrieleV, @raidz, @krzee, +tharkun, tapout, Cr4zi3, intricate, ngharo, sauce, nobit,  (+42 more, use /NETSPLIT to show all of them)
05:08 -!- lbft_ is now known as lbft
05:08 -!- Netsplit over, joins: tapout
05:09 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
05:17 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
05:18 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
05:43 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has joined #openvpn
05:43 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
05:43 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
05:43 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
05:43 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
05:43 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
05:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
05:43 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
05:43 -!- ServerMode/#openvpn [+oo raidz krzee] by wolfe.freenode.net
05:46 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:47 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
05:47 -!- __FBi [~B@uwantmy.info] has joined #openvpn
05:47 -!- occupant [~null@204.14.158.226] has joined #openvpn
05:47 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
05:47 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
05:47 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
05:47 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
05:47 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
05:47 -!- keropok [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
05:47 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-wsbvzznmfporkzph] has joined #openvpn
05:47 -!- dowaat [uid3966@gateway/web/irccloud.com/x-mstbttybevfpjnlt] has joined #openvpn
05:47 -!- troj_ [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
05:47 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
05:47 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
05:47 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
05:47 -!- oO0Oo [o_o@gateway/shell/elitebnc/x-sydkpidmlwgmexxp] has joined #openvpn
05:47 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
05:47 -!- rkantos_ [robin@4e.fi] has joined #openvpn
05:47 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
05:47 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
05:47 -!- ServerMode/#openvpn [+ovvv novaflash rkantos_ _quadDamage tharkun] by wolfe.freenode.net
05:47 -!- namidark [~namidark@192.34.61.38] has joined #openvpn
05:47 -!- ServerMode/#openvpn [+v namidark] by wolfe.freenode.net
05:51 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
05:51 -!- nick4 [~nick4@62.1.92.100.dsl.dyn.forthnet.gr] has joined #openvpn
05:51 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
05:51 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
05:51 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
05:51 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
05:51 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
05:51 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
05:51 -!- fallout [~fallout@unaffiliated/fallout] has joined #openvpn
05:51 -!- kossy [a@kossy.org] has joined #openvpn
05:51 -!- levifig [~levifig@hakr.io] has joined #openvpn
05:51 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
05:51 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
05:51 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
05:51 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
06:00 -!- local_AWAY [~local@HSI-KBW-095-208-246-238.hsi5.kabel-badenwuerttemberg.de] has joined #openvpn
06:01 < local_AWAY> hi all. I created a key for a client, but I wish to delete this key, because I used a wrong CN. I don't want to REVOKE the key, I want it completely delete from my server. I think it's not enough just to delete the 3 generated files "client1.key", "client1.csr" and "client1.crt", is it?
06:02 < local_AWAY> is it enough to delete these three files, and then manually edit index.txt and delete the last line with client1 information? and afterwards set serial to a number -1
06:02 < local_AWAY> ?
06:02 -!- local_AWAY is now known as local
06:03 < Aketzu> is it annoying to have extra entry in index.txt?
06:07 < local> Aketzu: yes
06:07 < local> Aketzu: I just want to know if there's a way/script which can do that and if I miss something in case I do it manually
06:07 < local> would it be enough to:
06:07 < local> - stop OpenVPN server
06:07 < local> - delete the three generated client files (.crt, .csr, .key)
06:08 < local> - remove the last updated line in serial.txt which contains information about the client which should be removed
06:08 < local> sorry, I did mean "index.txt" in my last line I posted
06:09 < local> - update the file "serial" and lower the number by -1
06:09 < local> - start OpenVPN server
06:09 < local> is that ok or do I miss anything?
06:09 < Aketzu> yes.. no need to stop/start openvpn
06:10 < Aketzu> and serial is just random number so no need to edit that either
06:12 < local> alright
06:22 -!- local is now known as local_AWAY
06:22 -!- local_AWAY [~local@HSI-KBW-095-208-246-238.hsi5.kabel-badenwuerttemberg.de] has left #openvpn []
06:26 -!- xBytez [xBytez@unaffiliated/xbytez] has quit [Ping timeout: 245 seconds]
06:27 -!- xBytez [xBytez@libxbytez.so] has joined #openvpn
06:27 -!- xBytez [xBytez@libxbytez.so] has quit [Changing host]
06:27 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
07:04 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
07:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:05 -!- mode/#openvpn [+v s7r] by ChanServ
07:31 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:34 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:48 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:48 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:04 < _FBi> krzee, FYI.  KitKat is having OpenVPN problems
08:04 -!- Fohlen [~Fohlen@static.196.152.46.78.clients.your-server.de] has left #openvpn []
08:05 < _FBi> !kitkat
08:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
08:12 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
08:13 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has joined #openvpn
08:15 < freeroute> hi, I have never used OVPN this way so please bear with me. I want to connect to my home network from the Internet using OVPN, so I tried following this guide (http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/) but I don't have a router which is capable of having OVPN. So could I install the OVPN server on a machine that I have in my home network?
08:15 < freeroute> so basically like it's in this pic, but instead of the router having OVPN (server?) installed on it, it would just be a PC inside the home LAN (which has a port forwarded for it?) - http://cdn.howtogeek.com/wp-content/uploads/2011/04/vpngraphic_final.png
08:16 < freeroute> would that be possible?
08:19 < freeroute> !welcome
08:20 < freeroute> ...
08:20 < freeroute> !goal
08:20 < freeroute> ...
08:20 < Aketzu> hmm... looks like vpnhelper bot has died again
08:20 < freeroute> RIP, I needed him the most :(
08:20 < Aketzu> yes, you can run vpn server with our home server
08:20 < Aketzu> yout
08:20 < Aketzu> your
08:21 < Aketzu> (writing is hard...)
08:21 < freeroute> indeed, especially when laptop keyboard :(
08:21 < Aketzu> in router configs forward some port to your home server so it can be reached from internet
08:22 < freeroute> Aketzu: cool, can you please give me the right keywords to search in google or otherwise documentation to read?
08:22 < Aketzu> erm... "I don't use documentation"
08:22 < freeroute> I've searched for "how to create openvpn server to connect to home network" but it gives me all the wrong articles it seems
08:22 < freeroute> lol
08:23 < freeroute> Aketzu: how did you learn to use OVPN then? trial and error?
08:23 < Aketzu> mostly
08:23 < Aketzu> and ~20 years playing around with computers and networks etc.
08:23 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit [Remote host closed the connection]
08:24 < Aketzu> I like openvpn since it actually does just a single thing and all the rest (e.g. routing) is left to operating system
08:24 < Aketzu> which uses standard ways
08:24 < Aketzu> freeroute: start by just getting the openvpn server running and being able to connect to it within your home network
08:24 < Aketzu> that's the easiest part
08:24 < Aketzu> then you can see how you can get there from internet
08:25 < Aketzu> (assuming you have public ip address and your ISP doesn't do NAT)
08:25 < freeroute> are there ISP's which do that? lol then you're basically on a huge home network haha
08:26 -!- master_o1_master [~master_of@p4FD7B9A1.dip0.t-ipconnect.de] has joined #openvpn
08:27 < freeroute> Aketzu: hmm, I will however have trouble of finding Internet spots to test if I can connect from the outside though.... but I could just as well use OVPN client to connect to a VPN server in a different country and then from there try to connect to my home box? Does that make any sense?
08:29 < Aketzu> if you run the vpn client on the other server then yes
08:29 -!- master_of_master [~master_of@p4FF246BA.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
08:29 < Aketzu> otherwise you cannot route it properly
08:30 < Aketzu> altough if you have some other server then why not just telnet/netcat/whatever to your home and see whether you get the request
08:30 < Aketzu> (with tcpdump or something)
08:34 < freeroute> yeah I just realized that once I use OVPN to connect to a VPN provider, then how would I then specify to connect to my home network from there? I would have to have access to that server (and indeed have an OVPN client installed there).
08:35 < freeroute> I don't necessarily have a server myself, it's just a VPN provider from outside of the country. But you're saying I should just netcat the home router port listening on OVPN connections?
08:36 < freeroute> I... think I could do that but I have no idea how to do stuff in netcat as to be seen as a valid OVPN request. First I have to have at least 20yrs networking experience for that hehe :p
08:40 < freeroute> but it is very interesting, that for sure.
08:40 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 248 seconds]
08:42 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 245 seconds]
08:42 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
08:44 < Aketzu> the thing is that it doesn't need to look like proper request... routers care about ip addresses and tcp/udp port numbers
08:45 < Aketzu> not what the packets contain
08:45 < Aketzu> (at least the non-NSA routers)
08:54 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
08:59 < freeroute> lol
09:21 -!- cjac [~cjac@2607:ff08:f5:3a::3] has left #openvpn []
09:41 < Haigha> is it possible to get logs on OpenVPN Connect for iOS ?
09:46 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
09:49 < JackWinter> can i make openvpn try to resolv dns on each connection attempt?  my problem is that systemd seems start it before the machine can resolve dns properly, and thus keeps failing to connect
09:52 < _FBi> someone fix KitKat! haha
09:54 -!- catern [~catern@catern.com] has joined #openvpn
09:54 < catern> !welcome
09:55  * catern shrugs
09:56 < mingdao> bot must be awol
09:56 < catern> i'm trying to assign static IPs to clients connecting to my openvpn server; i think i've got everything i need (client config dir with file named the same as the client with an ifconfig-push directive inside) but when the clients connect they don't get the IP I chose
09:57 < JackWinter> let me try --resolv-retry 1 instead of 0
09:58 < catern> should it show up in the logs if openvpn is actually reading the configs in the client-config-dir?
10:00 < _FBi> catern, it's server side
10:00 < catern> even if i put random garbage in the client-config-dir files, openvpn doesn't error - can I take this to mean that openvpn isn't reading the right config file?
10:00 < catern> _FBi: yes, i'm looking at the server side logs
10:00 < _FBi> in the .conf
10:00 < _FBi> of your vpn
10:01 < catern> i have client-config-dir ccd
10:01 < _FBi> oic
10:01 < JackWinter> no, that didn't fix it either
10:05 < vince164> hey dose openvpn encrypt connections out of the box or do i have to set it up so it uses encryption
10:09 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
10:14 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Quit: Computer has gone to sleep.]
10:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:18 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Quit: Headin Out...]
10:30 -!- JSharpe2 [~jsharpe2@31.205.60.241] has joined #openvpn
10:35 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
10:43 -!- cali [~cali@unaffiliated/cali] has quit [Remote host closed the connection]
10:49 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
10:51 -!- JSharpe2 [~jsharpe2@31.205.60.241] has quit []
10:52 -!- |1li_ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
10:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
10:53 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
10:54 -!- |1li [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Ping timeout: 245 seconds]
11:01 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Read error: Connection reset by peer]
11:04 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:04 -!- mode/#openvpn [+o dazo_afk] by ChanServ
11:05 -!- dazo_afk is now known as dazo
11:18 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit []
11:26 < _FBi> vince164, I believe the default is BlowFish
11:30 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: bouncing]
11:30 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
11:41 -!- takamichi [~takamichi@85.12.8.13] has quit [Ping timeout: 272 seconds]
11:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:45 -!- bov3r3d [~ma1com10t@host-92-20-5-217.as13285.net] has quit [Ping timeout: 260 seconds]
11:46 < freeroute> vince164: listen to the _FBi , they're legit
11:51 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 265 seconds]
11:54 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 272 seconds]
11:57 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
12:00 -!- xBytez [xBytez@unaffiliated/xbytez] has quit [Remote host closed the connection]
12:00 -!- xBytez [xBytez@libxbytez.so] has joined #openvpn
12:00 -!- xBytez [xBytez@libxbytez.so] has quit [Changing host]
12:00 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
12:14 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
12:35 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:49 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 245 seconds]
12:49 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds]
12:51 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
12:56 -!- evangeline [~evangelin@93.103.94.2] has joined #openvpn
12:56 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
12:56 < evangeline> hi, does anybody know why my gopenvpn client says "error launching openvpn subprocess"
13:00 <@krzee> try launching it yourself
13:01 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Quit: Yippee-kay-yay]
13:03 -!- Bretos1 is now known as bretos
13:03 -!- bretos is now known as Bretos
13:04 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
13:06 < evangeline> krzee, the openvpn ?
13:06 < evangeline> krzee, if I launch it under root, it works fine ... but gopenvpn doesn't
13:08 <@krzee> then you dont have an openvpn problem
13:08 <@krzee> =]
13:08 <@krzee> sorry, dunno anything about gopenvpn
13:11 -!- evangeline [~evangelin@93.103.94.2] has quit [Ping timeout: 252 seconds]
13:12 -!- evangeline [~evangelin@93-103-107-74.dynamic.t-2.net] has joined #openvpn
13:18 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
13:18 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
13:19 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Ping timeout: 252 seconds]
13:23 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has joined #openvpn
14:05 -!- tfox [~tfox@50-47-92-123.evrt.wa.frontiernet.net] has quit [Quit: tfox]
14:06 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
14:06 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
14:06 -!- evangeline [~evangelin@93-103-107-74.dynamic.t-2.net] has quit [Remote host closed the connection]
14:12 -!- m01 [~quassel@gateway/shell/freebnc/x-kwktizfwtqbgrmbe] has quit [Ping timeout: 246 seconds]
14:25 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
14:26 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
14:35 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
14:47 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 260 seconds]
14:49 -!- mattock is now known as mattock_afk
15:28 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
16:21 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 272 seconds]
16:22 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
16:27 -!- buhman [~root@eurybia.buhman.org] has joined #openvpn
16:28 < buhman> I suspect I've calculated my MTU over a openvpn'ed tunnel is 1400, so I configure openvpn to fragment at 1200 on both sides.
16:28 < buhman> protocols like icmp and dns work fine, but http acts quite wonky
16:28 < buhman> 1) how can I determine if this really is the case 2) how might I fix this?
16:44 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea_]
16:51 < pekster> buhman: Test by sending various sized packets (ping works well) with the DF bit set. If you can't send across the tun device at the configured MTU, something has gone wrong. Best to test without compression as compression can make the transmitted packet "small enough" to hide MTU issues during tests
16:53 < buhman> oh
16:54 < pekster> Normally IP fragmentation just does the right thing, but lots of hosts break pMTU-discovery becuase the admins of the broken network haven't a clue
16:59 < buhman> pekster: I find it to be ~1472 with lzo compression off
17:00 < buhman> I set that, and wget is still broken
17:06 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
17:07 < buhman> tcpdump from server: http://ix.io/9PO client: http://ix.io/9PP
17:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:16 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Remote host closed the connection]
17:20 -!- Guest3936 [~quassel@mailer.moparscape.org] has joined #openvpn
17:48 -!- Guest3936 [~quassel@mailer.moparscape.org] has quit [Read error: Connection reset by peer]
17:51 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
17:55 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 248 seconds]
17:57 -!- moparisthebest_ [~quassel@mailer.moparscape.org] has joined #openvpn
18:10 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
18:10 -!- moparisthebest_ [~quassel@mailer.moparscape.org] has quit [Read error: Connection reset by peer]
18:19 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
18:55 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:13 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 248 seconds]
19:26 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
19:33 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
19:37 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Client Quit]
19:42 -!- mbrit [~mbrit@186.150.194.203] has joined #openvpn
19:42 -!- mbrit [~mbrit@186.150.194.203] has left #openvpn ["Saliendo"]
20:21 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
20:21 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
20:59 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
21:00 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
21:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:46 -!- JerryT [~jerryt@ip72-198-214-190.om.om.cox.net] has joined #openvpn
21:46 < JerryT> When you connect to a VPN is there a way to only tunnel certain applications through it?
21:47 < buhman> yes
21:48 < buhman> that's the short answer
21:49 < buhman> also, for some value of 'application'
21:51 < buhman> JerryT: the handwaving long answer is you make some iptables rule that matches the type of traffic you want to shunt around, and -j MARK it
21:51 < buhman> JerryT: you can use that mark in some iproute2 rule to decide which route to send it on
21:53 < buhman> JerryT: this is probably dependent on 'certain applications' not overlapping in functionality
21:53 < buhman> if this is not the case, please revise your problem definition appropriately.
22:02 < JerryT> That sounds about right, I only want to route remote desktop over the vpn to connect to some windows machines on that network.
22:10 -!- catern [~catern@catern.com] has left #openvpn []
22:12 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
22:16 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
22:16 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:21 < buhman> http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
22:21 < buhman> JerryT: not so hard
22:40 <@krzee> !routebyapp
22:41 <@krzee> oh hmm
22:45 < JerryT> Thanks bushmon
22:45 < JerryT> *buhman
22:46 < buhman> JerryT: my pleasure
22:47 <@krzee> ecrist, can you see why vpnhelper cant connect?
22:50 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
22:51 <@krzee> seems to be a network issue on the box
22:51 <@krzee> or something
22:52 <@krzee> connecting to anything ipv6 gives me operation not permitted, when connecting to irc on ipv4 i get to no ident response, then it hangs til timeout
22:52 <@krzee> (when doing it in telnet)
22:54 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
22:59 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
23:02 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:03 -!- markus_ [~markus@mirkk.vpntunnel.com] has quit [Ping timeout: 265 seconds]
23:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:08 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:11 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
23:16 -!- markus_ [~markus@mirkk.vpntunnel.com] has joined #openvpn
23:31 -!- WinstonSmith [~WinstonSm@bl9-3-183.dsl.telepac.pt] has joined #openvpn
23:32 -!- WinstonSmith [~WinstonSm@bl9-3-183.dsl.telepac.pt] has quit [Changing host]
23:32 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:53 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
23:54 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Quit: o_O_o]
23:57 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 260 seconds]
23:58 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
--- Day changed Mon Jan 13 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:07 -!- JerryT [~jerryt@ip72-198-214-190.om.om.cox.net] has quit [Remote host closed the connection]
00:08 -!- penth [~rachel@c-68-81-92-61.hsd1.pa.comcast.net] has quit [Ping timeout: 260 seconds]
00:16 -!- Shikieiki_ [~enma@63.142.161.17] has joined #openvpn
00:41 -!- Shikieiki_ [~enma@63.142.161.17] has quit [Read error: Operation timed out]
00:42 -!- fenris_kcf1 [~fenris@p549BC65A.dip0.t-ipconnect.de] has joined #openvpn
00:44 -!- fenris_kcf [~fenris@p579E6AC1.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:02 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
01:03 -!- mattock_afk is now known as mattock
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 246 seconds]
01:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:19 -!- fenris_kcf1 is now known as fenris_kcf
01:36 -!- |1li__ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has joined #openvpn
01:38 -!- |1li_ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Ping timeout: 245 seconds]
02:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
02:04 -!- akselii [~akselii@tsydeemi.eu] has quit [Ping timeout: 252 seconds]
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
03:15 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 260 seconds]
03:18 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
03:49 -!- Darkstar1 [~Darkstar1@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has joined #openvpn
03:49 < Darkstar1> MOrning all. Hope you all had a good weekend
03:52 < Darkstar1> I have a qq. In the server.conf file of the vpn server I have the following line: ifconfig 10.34.100.1 10.34.100.2. Although not in the default http://openvpn.net/index.php/open-source/documentation/howto.html#server server.conf, what does this line ddo?
03:53 < Darkstar1> I guess it's something with allocating an address but not sure
03:53 -!- Carbon_Monoxide [~cmonxide@14.0.207.196] has joined #openvpn
03:54 -!- Carbon_Monoxide [~cmonxide@14.0.207.196] has left #openvpn []
03:58 -!- markus_ [~markus@mirkk.vpntunnel.com] has quit [Ping timeout: 252 seconds]
04:02 -!- markus_ [~markus@mirkk.vpntunnel.com] has joined #openvpn
04:24 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
04:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:03 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:22 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
05:46 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 245 seconds]
05:57 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 260 seconds]
05:58 -!- Devastatr [~devas@177.99.155.113] has joined #openvpn
05:59 -!- Devastatr [~devas@177.99.155.113] has quit [Changing host]
05:59 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
06:00 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
06:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
06:09 < freeroute> I think I have a fundamentally flawed understanding about what a VPN tunnel is. If my home router IP is 192.168.1.1, then if I connect from the outside to my home network using a VPN tunnel, shouldn't I be able to ping 192.168.1.1 and receive replies from my home router?
06:09 < freeroute> So if I connect with VPN to a computer on my home LAN from the outside, shouldn't my network environment be as if I were physically on my home LAN?
06:15 < freeroute> So I'm following this article - http://www.linux.com/learn/tutorials/743590-secure-remote-networking-with-openvpn-on-linux - but I'm finding it difficult to understand why is the command $ ssh carla@10.0.0.2 instead of $ ssh carla@localIP ?
06:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
06:33 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
06:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:42 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:43 -!- Irssi: #openvpn: Total of 219 nicks [8 ops, 0 halfops, 23 voices, 188 normal]
06:45 <@ecrist> krzee: looks like ipv6 is broken somehwere between me and freenode
06:49 -!- fenris_kcf [~fenris@p549BC65A.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
07:01 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:01 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:03 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
07:05 < dan_j> Hi. When using openvpn, is it possible to specify an ip address for 'server', rather than relying on DNS? When connected via openvpn, server should resolve to 10.8.0.1, but when using the laptop in the office (without openvpn), it should use DNS to find 192.168.11.1
07:05 <@ecrist> yes, you don't need to use DNS
07:05 <@ecrist> just use the IP
07:06 <@ecrist> alternatively, you can use DNS views to accomplish what you're doing, but that's a lesson for another channel
07:13 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
07:15 < dan_j> I want to set it up with a name rather than an ip, because the user won't know how to change the ip.
07:20 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
07:35 < dan_j> All sorted. Use push DNS to make the laptop us a different dns server when connected via openvpn
07:36 -!- janjust [~janjust@ardeche.nikhef.nl] has joined #openvpn
07:36 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Changing host]
07:36 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
07:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:42 < freeroute> dan_j: you seem to know more than me about OVPN, I just want to connect to my home server running openvpn from the outside. Why? Because on the same home server there's a VM with a webserver which I don't want to put online (i.e. keep it locked down to my home LAN). But I still want to access that webserver from the outside.
07:43 < freeroute> I want to keep it simple and use a static key as encryption, but I'm confused about the --ifconfig part
07:43 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 245 seconds]
07:44 < freeroute> as far as I understand it those 10.x addresses map to the interfaces of client and server, but my home server has an address of 192.168.1.53 (which is also running OVPN). What if I want to access the webserver hosted on that home network?
07:45 < dan_j> freeroute: I've got to go. But try this. https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
07:46 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
07:46 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: Oops. My brain just hit a bad sector]
07:46 < freeroute> dan_j: oh sorry I'm running Ubuntu on my client and Debian Wheezy on my server :x
07:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
07:49 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
07:50 -!- kirin` [telex@gateway/shell/anapnea.net/x-jdfnhapskedzetbu] has quit [Ping timeout: 276 seconds]
07:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-fbnroaaasckdqtvi] has joined #openvpn
08:02 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
08:06 < janjust> freeroute? your question is 10% about openvpn and 90% about network setups and routing
08:06 < janjust> you can choose any 10.x range you want, e.g.  --ifconfig 10.10.10.1 10.10.10.2
08:06 < janjust> and the reverse on the other end; if your outside client can then reach the server then it's just a matter of routing
08:07 < janjust> (or NATting, depending on your preference)
08:07 < freeroute> janjust: yeah I was pretty confused about the virtual /dev/tun addresses
08:08 < janjust> in a 'default' setup a VPN is 'just another subnet' and you will need routing to access other networks
08:08 < freeroute> but I'm guessing that once I'm connected to the OVPN server I can just ping my home router like so - ping 192.168.1.1
08:08 < janjust> the VM with the webserver on it is a different network , from the point of view of the VPN
08:08 < janjust> freeroute:  nope, that won't work... unless the router is also the VPN server
08:09 < freeroute> oh, so herein lies my fundamental misunderstanding of how VPN's work
08:09 < janjust> the quick&dirty approach is to use NATting or masquerading on the server, e.g. try 'iptables -t nat -O POSTROUTING -o eth0 -j MASQUERADE
08:10 < janjust> that will make all traffic on your internal LAN appear as if it's coming from the debian server
08:10 < janjust> (if debian uses 'em<N>' for the network interface names then adjust accordingly)
08:11 < freeroute> janjust: so you mean using this method I won't be able to access my home webserver? - http://www.linux.com/learn/tutorials/743590-secure-remote-networking-with-openvpn-on-linux
08:11 <@vpnHelper> Title: How to Set Up Secure Remote Networking with OpenVPN on Linux, Part 1 | Linux.com (at www.linux.com)
08:12 < freeroute> (replace Studio with my Debian Wheezy server running a VM running a webserver)
08:13 < janjust> so the VPN server is running a VM which is hosting the webserver?
08:13 < freeroute> there's this machine (let's call it HTPC). It's running Debian Wheezy which is running OVPN server. But next to that, it's running a VM which is running a webserver.
08:14 < freeroute> So HTPC has OVPN + VM. The VM has webserver running.
08:14 < janjust> ok; the setup described in the link is quite basic and without some additional routing you will not be able to reach that vm
08:15 < freeroute> and HTPC = 192.168.1.53. I however configured the webserver to be reached on 192.168.1.53:11111/web
08:15 < freeroute> still can't be reached easily?
08:16 < freeroute> (I used the VM's port forwarding option)
08:20 < janjust> hmmm in that case it might work, as you're not leaving the HTPC box itself; you might have to enable forwarding
08:21 < janjust> (/etc/sysctl.conf + iptables)
08:21 -!- daniell_ [~daniell@sas1.ewi.utwente.nl] has joined #openvpn
08:22 < daniell_> hey there, I'm trying to setup an openvpn client, connecting to an openvpn server on windows configured using this guide: http://blog.defron.org/2013/01/openvpn-server-on-windows.html
08:22 <@vpnHelper> Title: OpenVPN Server on Windows ~ Defron.org: Technology, Security, Privacy (at blog.defron.org)
08:22 <@ecrist> we don't read guides other than our own
08:23 <@ecrist> what problem are you having?
08:23 < janjust> yo ecrist whassup
08:23 < daniell_> I can make a client connect under windows, but under linux I get an error it can't find my tun/tap device
08:23 < daniell_> which is true, as I haven't made one
08:23 < janjust> daniell_:  are you running as root on linux?
08:23 <@ecrist> how's it going, janjust?
08:23 < daniell_> but I don't know how to
08:24 < daniell_> janjust: yeah it's my own machine, I can do anything
08:24 < freeroute> janjust: but then to reach the webserver, should I then address the HTPC box by it's local IP or by it's tun address?
08:24 <@ecrist> are you running as root already?
08:24 < janjust> daniell_:  which version of openvpn; which version of Linux; which version of the linux kernel; what command are you using?
08:24 <@ecrist> you either 1) don't have permission to create the device, or, 2) you don't have the prerequisite kernel module installed
08:25 < daniell_> janjust: ubuntu 13.04, kernel 3.8.0-27, openvpn 2.2.1
08:25 <@ecrist> daniell_: upgrade your openvpn
08:25 <@ecrist> 2.2.1 is ancient
08:25 < daniell_> lsmod | grep tun gives nothing
08:25 <@ecrist> debian?
08:25 -!- master_of_master [~master_of@p4FF24175.dip0.t-ipconnect.de] has joined #openvpn
08:25 < janjust> freeroute:  you could do 2 things: make sure that HTPC_VPN_IP:1111 also forwards to the webserver VPN or you need to add a route on your VPN client so that it knows that the host 192.168.1.53 can be found via the VPN
08:25 < daniell_> ecrist: ubuntu is a debian derivative
08:26 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:26 < janjust> daniell_:  you should upgrade, but for what you're trying to achieve it shouldn't matter
08:26 < janjust> post your configs
08:27 < janjust> and make sure you're running as root (or are using sudo )
08:27 < daniell_> janjust: http://pastebin.com/TjqjgLQA client
08:27 < daniell_> janjust: client needs to run as root as well?
08:27 < daniell_> darn
08:28 < janjust> daniell_:  yep ; the client needs access to a 'tun' device; either run as root or use something like NetworkManager which has an openvpn plugin
08:29 < janjust> (note that NetworkManager itself also runs as a root process)
08:29 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
08:29 <@ecrist> !ubuntu
08:29 <@vpnHelper> "ubuntu" is dont use network manager!
08:29 -!- master_o1_master [~master_of@p4FD7B9A1.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
08:29 < janjust> lol ecrist, then what should you use on ubuntu?
08:29 < janjust> daniell_:  the client config you posted is a bit windows specified (route-method exe etc)
08:30 < daniell_> janjust: server config: pastebin.com/BGazAEQV
08:31 < daniell_> janjust: openvpn output: http://pastebin.com/r5EevnSs
08:31 < janjust> server config looks quite ordinary
08:31 < daniell_> janjust: I adapted the client-config from a windows client config
08:32 < janjust> daniell_:  ah right, you get "Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)"
08:32 < daniell_> what should I change there that is windows specific
08:32 < janjust> comment out the line 'dev-node MyTap' and try agian
08:32 < janjust> also comment out the line 'route-method exe'
08:34 < daniell_> janjust: oeh shiny it doesn't crash anymore
08:34 < janjust> see if you can now ping the VPN IP of the server from the client and vice versa
08:34 < daniell_> everything behind ; or # is a comment?
08:34 < janjust> yep
08:35 < daniell_> janjust: I'm on the same subnet as the server so testing is a bit hard =p
08:35 < daniell_> from the outside my IP is the same either with or without vpn
08:36 < daniell_> ah but I should be able to ping the 192.blabla if I have a VPN connection, is that what you mean?
08:37 < janjust> the VPN server should have the IP 192.168.137.1
08:37 < janjust> try pinging it from the client
08:37 < daniell_> janjust: awesome i can ping 192.bla!
08:37 < janjust> it could be that there's a Windows firewall blocking access
08:38 < daniell_> and irssi shows weird timeouts when I start the vpn connection, so I guess it works now :)
08:38 < janjust> daniell_:  ok so your basic VPN setup is working, the rest is down to routing
08:38 < janjust> !routing
08:43 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has quit [Ping timeout: 246 seconds]
08:45 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has joined #openvpn
08:45 -!- lj [~l@192.241.174.169] has joined #openvpn
08:46 <@dazo> !tcpip
08:46 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
08:47 < freeroute> janjust: just tried connecting to my public IP:port from my laptop to the HTPC and http://10.0.0.1:11111/web timed out. It also seemed to me that I had no Internet connection at all. Is that normal?
08:47 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 272 seconds]
08:48 < janjust> freeroute:  if you're not setting any routes on client or server then internet access should remain functional
08:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:49 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
08:51 < freeroute> janjust: can you find any error in these configs and the server log? - http://ovpn.kpaste.net/fd58e6e
08:51 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:55 < janjust> make sure the secret keys are identical, e.g. run 'md5sum /etc/openvpn/keys/HTPC_static.key' on both ends
08:55 < janjust> this looks like an encryption error
08:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:56 < daniell_> janjust: thanks for the help :)
08:59 < janjust> no problem, twentenaar ;)
08:59 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
09:00 < daniell_> hehe, did you come from there/study there as well?
09:02 < freeroute> janjust: I got a bit rebellious and ran sha256sum instead of md5sum. But on both ends they were the same. The only difference was that on the client side it could only be read by root and on the server side it could only be read by a user, but would that matter since I'm running the OVPN server as root?
09:02 < janjust> nope daniell_ , Utrecht
09:03 < freeroute> boelers allemaal, 020 represent! :p
09:03 < janjust> freeroute:  add '--verb 5' to the client config, reconnect client+server and post the client side log on pastebin
09:05 < freeroute> ok, brb
09:06 -!- daniell_ [~daniell@sas1.ewi.utwente.nl] has quit [Ping timeout: 260 seconds]
09:08 -!- daniell_ [~daniell@wlan224251.mobiel.utwente.nl] has joined #openvpn
09:11 < freeroute> ah crap, I forgot I have to go
09:11 < freeroute> damn
09:11 < freeroute> I still want to fix this issue though, so I'll definitely be back again
09:14 < janjust> you're almost there, freeroute
09:15 < janjust> come back tomorrow and we'll sort this one out
09:15 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
09:16 < freeroute> janjust: thanks very much so far :)
09:16 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
09:17 < freeroute> tomorrow hopefully I'll write down more coherently what I thought that VPN's did so you can understand where I'm coming from
09:17 < freeroute> turns out, nothing is what it seems :p
09:18 < janjust> just reconnect the client with --verb 5 added and post the log somewhere and perhaps I can tell you what your vpn is doing, regardless of what you thought it should be doing :p
09:23 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:30 < freeroute> will definitely do
09:33 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
09:35 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:38 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
09:43 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 245 seconds]
09:44 -!- daniell_ [~daniell@wlan224251.mobiel.utwente.nl] has left #openvpn []
09:46 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
09:47 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:56 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has quit [Read error: Connection timed out]
09:57 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
10:01 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
10:03 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
10:04 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
10:06 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
10:11 -!- Ninpo [~ninpo@fsf/member/Ninpo] has joined #openvpn
10:15 < Ninpo> !welcome
10:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:16 < vince164> Hi is there away to see how many users are connected to the server, on linux centos?
10:16 < Ninpo> I would like to stop duplicate ping packets from coming back to my client.  When I ping the openvpn server, it's fine, if I ping anything else on the server's subnet, I get DUP! responses back.  The openvpn server is running on a vmware esxi guest
10:17 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
10:18 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
10:21 -!- Zap-W_ [~zxd@87.69.188.64] has joined #openvpn
10:22 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 272 seconds]
10:25 -!- Zap-W_ is now known as zxd
10:32 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
10:38 -!- Darkstar1 [~Darkstar1@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has left #openvpn []
10:47 -!- mattock is now known as mattock_afk
10:51 -!- Rallias is now known as hypernet
10:54 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:01 -!- Ninpo [~ninpo@fsf/member/Ninpo] has left #openvpn []
11:07 -!- dmanser [~dmanser@python2.cloud.tilaa.com] has joined #openvpn
11:08 < dmanser> Is there a way to create a routed OpenVPN service (tun device) on a server that is behind a stateful firewall (which acts as the default gw)?
11:09 < dmanser> as i understand, the openvpn server must route the traffic to the firewall, and the firewall must route the response back to the openvpn server
11:32 < pekster> dmanser: Yup, "routing as usual" basically. There's a helpful flowchart to cover all the steps here:
11:32 < pekster> !serverlan
11:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
11:32 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
11:34 < dmanser> ok but can the server be in the same LAN as the router?
11:35 < dmanser> !route_outside_openvpn
11:35 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
11:36 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
11:36 < dmanser> !route
11:36 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
11:36 <@vpnHelper> client
11:39 < pekster> dmanser: Sure, all routing occurs by forwarding traffic to something on the local link
11:40 < dmanser> what i don't get is this: on the openvpn server, i configure: server 1.1.1.0 255.255.255.0. the server then binds 1.1.1.1 to the tun0 device, but that is actually the ip address of a cisco router
11:41 <@ecrist> you part of the debogon project?
11:42 < dmanser> just a sample
11:42 < pekster> !factoids search 5737
11:42 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
11:43 < pekster> Just add a route to your VPN space from the LAN's router. That's it (minus firewalls & routing)
11:44 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 276 seconds]
11:45 < dmanser> for me it just looks like an ip conflict if the router has the same ip address as the openvpn server
11:45 <@ecrist> !1918
11:45 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
11:46 <@ecrist> !learn 1918 as See !5737 for addresses to use for examples and documentation.
11:46 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:46 <@ecrist> fucking bot
11:47 < pekster> !learn 1918 as See !5737 for addresses to use for examples and documentation
11:47 <@vpnHelper> Joo got it.
11:47 < dmanser> ok, we don't use any private netblocks here, all are public ip addresses
11:47 < pekster> dmanser: You can't overlap networks either way
11:47 < pekster> If your routed VPN network matches another network, that's an invalid choice
11:48 < dmanser> ok so i need two netblocks, of which one can be private. basically 1:1 NAT
11:53 <@EugeneKay> You /can/ run a publically routed netblock with openvpn just fine
11:54 <@EugeneKay> But it won't be "on-link"
11:54 <@EugeneKay> IOW, the netblock must be routed to oyur openvpn box
11:54 < dmanser> okay
11:55 < dmanser> i run a bridged openvpn configuration, that's easy basically because i do not have to care about routing within openvpn server
11:55 < dmanser> but some clients need routed mode, and i need to use the companies' router
12:14 -!- dmanser [~dmanser@python2.cloud.tilaa.com] has quit [Quit: Lost terminal]
12:15 <@ecrist> !tunortap
12:15 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
12:15 <@vpnHelper> rooted/jailbroken) support only tun
12:21 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 240 seconds]
12:25 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
12:26 -!- ultra [~mike@unaffiliated/ultra] has joined #openvpn
12:26 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has joined #openvpn
12:26 < ultra> hi, is it possible to use IPv6 over OpenVPN Access Server ?
12:27 <+rob0> !as
12:27 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
12:28 < ultra> ah pardon me, thank you.
12:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:57 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
13:01 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Quit: No Ping reply in 180 seconds.]
13:01 -!- GrecKo [~GrecKo@grecko.fr] has joined #openvpn
13:05 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
13:11 <+rob0> YW. I'd actually answer if I knew, but I don't.
13:32 -!- brian__ is now known as bwallen
13:32 < bwallen> I made a change to my server config and I have clients actively connected. Is there a way for openvpn to read the new config line without disconnecting everyone who is connected?
13:33 < bwallen> Is that what a SIGHUP does?
13:34 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 276 seconds]
13:35 <@EugeneKay> Only ccd entries, and clients still need a dis/connect.
13:35 < bwallen> Ok, thanks
13:37 -!- saneki_ [~saneki@dedi2.ip1.zylongaming.com] has quit [Quit: ZNC - http://znc.in]
13:40 -!- saneki [~saneki@dedi2.ip1.zylongaming.com] has joined #openvpn
13:42 -!- bwallen [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has quit [Ping timeout: 246 seconds]
13:44 -!- Martyn [~Martin@12.130.118.31] has joined #openvpn
13:54 -!- saneki [~saneki@dedi2.ip1.zylongaming.com] has quit [Quit: ZNC - http://znc.in]
13:56 -!- julius_ [~julius_@141.41.92.61] has joined #openvpn
13:56 < julius_> hi
13:56 < julius_> i added    push "redirect-gateway def1" to my servers config, after restarting opnvpn on the server and reconnecting i can still see dns queries go to my local dns server...why=
13:56 < julius_> ?
13:58 -!- saneki [~saneki@dedi2.ip1.zylongaming.com] has joined #openvpn
13:59 < julius_> i mean the dns server that is in my 192.168.11.0 network, i was expecting all dns queries being routed through the openvpn server and answered from there?
14:02 < Aketzu> because redirect-gateway just redirects ip traffic there... it doesn't change your operating systems settings about dns
14:02 <@EugeneKay> !pushdns
14:02 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
14:05 < julius_> !windns
14:05 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
14:06 -!- jblack [~jblack@107.1.75.186] has joined #openvpn
14:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
14:07 < julius_> ah thx, lets try that
14:18 < julius_> EugeneKay, that topic is from the end of 2008, windows 7 wasnt release until a half year later. maybe its not uptodate
14:18 < julius_> anyway, it looks like its working with the push option. but i did restart the dns client just because the thread suggested. cant say for sure if its needed
14:18 <@EugeneKay> worksforme.jpg
14:19 <@EugeneKay> And I'm on W8.1
14:19 < julius_> do you need to restart the dns daemon?
14:19 <@EugeneKay> Nope.
14:20 < julius_> then the quick tip should be changed to not confuse other users
14:33 -!- Martyn [~Martin@12.130.118.31] has quit [Remote host closed the connection]
14:33 -!- Martyn [~Martin@12.130.118.31] has joined #openvpn
14:42 -!- Martyn [~Martin@12.130.118.31] has quit [Quit: Computer has gone to sleep.]
14:43 -!- Martyn [~Martin@12.130.118.31] has joined #openvpn
14:44 < julius_> why does my client send dns requests to 224.0.0.252 when i ping a hostname from my local lan?
14:44 < julius_> i was expecting the lookup to fail because of "redirect-gateway"
14:45 < julius_> since the hostname can only be resolved from my local gateway which was changed with redirect-gateway
14:51 -!- Martyn [~Martin@12.130.118.31] has quit [Quit: Computer has gone to sleep.]
15:05 -!- dazo is now known as dazo_afk
15:15 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:20 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:31 -!- jblack [~jblack@107.1.75.186] has quit [Read error: Connection reset by peer]
15:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
15:52 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
15:53 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
15:55 -!- plm [~neo@200.175.61.1] has joined #openvpn
15:57 < plm> I'm using local <ip> in my openvpn config. However, sometimes ppp down, reconnect and get a new IP, and I need edit openvpn config to change to new IP and restart. Are there way to config in openvpn client to get that new IP automatically?
15:57 <@EugeneKay> You don't need --local in a client context
15:58 < plm> EugeneKay: I need becouse I doing tun0 via ppp0 and tun1 via ppp1
15:58 <@EugeneKay> Multihoming?
15:58 < plm> EugeneKay: yes
15:59 < plm> are there how to do that I want?
15:59 <@EugeneKay> Ahhh gotcha. Not within openvpn, no.
15:59 < plm> :(
15:59 <@EugeneKay> You could fiddle with your init scripts so that it dynamically inserts "--local $PPP1_ADDR"
15:59 <@EugeneKay> And have your pppd do an openvpn restart whenever it restarts
16:00 <@EugeneKay> Or, --local does take a hostname ;-)
16:00 <@EugeneKay> Then you only need the scripting on pppd
16:01 < plm> EugeneKay: ohhh yes, hostname =D
16:01 < plm> hahah
16:02 < plm> EugeneKay: I need one script to update my /etc/hosts with new ip of ppp for the hostnames
16:02 <@EugeneKay> Or do it /properly with a nsupdate
16:03 < plm> EugeneKay: nsupdate?
16:04 <@EugeneKay> You know, of a DNS record.
16:05 < plm> EugeneKay: yes, I was thinking a script like as sed edit the /etc/hosts and put new ip pf ppp0 and ppp1 for respect hosts of openvpn clients..
16:05 <@EugeneKay> You could do it that way, sure. But I avoid fiddling with hosts files on principle
16:05 <@EugeneKay> They're bloody annoying to maintain across many machines even with Salt's help. This is why DNS exists.
16:07 < plm> EugeneKay: Sorry, I not just not uderstand how I did that with DNS, using bind9 for example?
16:07 <@EugeneKay> https://wiki.debian.org/DDNS
16:07 <@vpnHelper> Title: DDNS - Debian Wiki (at wiki.debian.org)
16:08 <@EugeneKay> https://madeitwor.se/scripts/blob/master/bash/nsupdater.sh
16:08 <@vpnHelper> Title: scripts/bash/nsupdater.sh at master · EugeneKay/scripts · GitHub (at madeitwor.se)
16:11 < plm> hmm
16:12 < plm> thats is good =D
16:17 < plm> EugeneKay: another question. Is possible to disable the encrypt of tunnel to be faster?
16:17 < plm> EugeneKay: I dont need security, I just need tunnels..
16:17 <@EugeneKay> !noenc
16:17 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
16:18 < plm> hmmm
16:18 <@EugeneKay> !gigabit
16:18 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
16:18 <@EugeneKay> Also worth a read
16:19 < plm> EugeneKay: yes, That is was thinking: I'm using just 50Mbps, is that be faster if I disable ecryption?
16:19 <@EugeneKay> Not enough to matter IMO. Just pick a cheap cipher and call it a day.
16:20 <@EugeneKay> More likely your performance tuning is gonna be spent on MTU stuff, if anywhere
16:20 < plm> right
16:21 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 265 seconds]
16:24 < plm> EugeneKay: I think disable enryption is irrelevant. Cpu usage in the top show ~5%
16:24 < plm> EugeneKay: ok, if use GRE will be for 3%? =D
16:24  * EugeneKay shrugs
16:24 <@EugeneKay> An idle CPU is a wasted CPU
16:25 < plm> yes =D
16:25 < plm> the algoritm is very very faster to enrypt and decrypt many megabits per second...
16:25 < plm> *fast
16:28 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Ping timeout: 260 seconds]
16:30 < plm> EugeneKay: are there a problem wo resolv dns via tunnels? I'm using UDP tunnels
16:31 < plm> EugeneKay: I have the bind in local machine where has the tunnels, it reach to the itnernet via tunel, and dns cache works, but I have somes erros in syslog that when I not using tunnels I dont have: like this: "named[3435]: error (network unreachable) resolving 'g-ns-928.awsdns-32.co.uk/AAAA/IN': 2001:7fe::53#53"
16:35 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
16:37 <@EugeneKay> That sounds like IPv6 problems - can't get an AAAA record for that domain because there ain't one.
16:37 <@EugeneKay> Just the normal named noises; your tunnel is working correctly.
16:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:38 <@EugeneKay> Your DNS client is asking for AAAA and A records, but Amazon only provides A because they're stuck in the 1980s ;-)
16:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
16:43 -!- julius_ [~julius_@141.41.92.61] has left #openvpn ["Verlassend"]
16:43 <+rob0> Amazon is not, more likely the system running named.
16:44 <+rob0> But you can start named with "-4" to prevent it from trying to use IPv6.
16:45 < plm> EugeneKay: thanks for clarify!
16:47 <@EugeneKay> Ah yeah; that error is technically a "can't get there via IPv6". But it's still the same problem - we're not dual-stack as a people yet
16:49 < plm> ok
16:49 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Remote host closed the connection]
16:51 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
16:52 < thoraxe> is it possible to do openvpn with no ca certs (just user/password) ?
16:52 < vince164> hey if i use the local user authentication do i still need the certifications for the clients
16:52 < thoraxe> vince164: hah interesting timing
16:52 < vince164> lol yea
16:53 -!- plm [~neo@200.175.61.1] has quit [Quit: leaving]
16:53 < thoraxe> i would love to do openvpn+linotp with no certs
16:55 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:57 < vince164> what is linotp
16:58 < thoraxe> vince164: one-time password.  kinda like RSA tokens, but open source
16:58 < thoraxe> you can use yubikey, gemalto, or the google authenticator app
16:58 < thoraxe> etc
16:58 < vince164> ahh nice
16:58 < thoraxe> vince164: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html this talks about doing it with static keys/no CA
16:58 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:58 < thoraxe> but i don't think there's any user/password with that
17:00 < thoraxe> vince164: actually, look here:
17:00 < thoraxe> http://openvpn.net/index.php/open-source/documentation/howto.html#auth
17:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
17:01 < thoraxe> still need a ca cert though
17:01 < thoraxe> in that 2nd example
17:02 < vince164> so you must use a ca cert even if you just want user authentication?
17:02 < thoraxe> seems so
17:02 < thoraxe> but that is simpler than ca cert + user certs + user keys
17:03 < vince164> wait i can add this in my config to disable certs
17:03 < vince164> client-cert-not-required
17:04 < thoraxe> vince164: read thd doc. you still need a ca cert
17:04 < thoraxe> just no client cert
17:04 < vince164> damn
17:06 < thoraxe> i mean, creating a ca cert is pretty easy, the docs even show you how
17:07 < vince164> yea i know how to create it
17:08 < vince164> i guess its not a bad thing to have it also verify the certs
17:08 < vince164> user auth + certs
17:10 -!- grewapear [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
17:12 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
17:17 < vince164> weird my openvpn dose not have the openvpn-auth-pam.so plugin
17:17 < grewapear> !paste
17:17 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
17:18 < vince164> paste what
17:20 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:22 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
17:24 < grewapear> vince164: i am working on my own problem
17:24 < grewapear> And here it is:
17:25 < grewapear> http://pastebin.com/tNApPj9S
17:25 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 252 seconds]
17:25 < grewapear> I would like to know if it possible to run two mode tap (layer 2) servers on one machine with one ethernet nic ?
17:26 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:27 < vince164> humm not sure but you can see if openvpn gives any error, start 2 open vpn with seperate configs
17:27 < grewapear> when i do this only server 1 gets a dhcp ip address .. the other defaults to 169.254.x.xz .. and if i set TAP adapter with fixed ip (10.2.101.105/24) it fails to assign ip
17:27 < vince164> openvpn --config server1.conf
17:28 < vince164> openvpn --config server2.conf
17:29 < grewapear> vince164: i am well aware of how to run openvpn .. i need expert advice on the capabilities/restrictions of running two OSI layer 2 servers on one machine ... it appears it is not possible .. i would like to know for sure before i waste anymore time on it
17:30 < vince164> oh ok
17:31 < vince164> hey grewapear dose your openvpn install come with the openvpn-auth-pam.so plugin
17:31 < grewapear> I point out - I would like both TAP adapters to appear on the same subnet - in this case 10.2.101.0/24
17:31 < vince164> i check /usr/lib/openvpn/ but there is nothing in there
17:31 -!- ad4 [~ad4@107-1-69-206-ip-static.hfc.comcastbusiness.net] has joined #openvpn
17:31 < grewapear> vince164 : what version are you using and what OS ?
17:32 < vince164> centos and the lastes version
17:32 < vince164> OpenVPN 2.3.2
17:33 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has quit [Ping timeout: 240 seconds]
17:33 < grewapear> Vince164: check this out : https://forums.openvpn.net/topic12965.html
17:33 <@vpnHelper> Title: OpenVPN Support Forum openvpn-auth-pam.so missing? : Installation Help (at forums.openvpn.net)
17:33 < vince164> ok
17:34 < ad4> hello, I'm new to openvpn and I'm hoping someone can give me a bit of guidance. I have setup the server on a cloud host, setup the client, and everything appears to be running flowing, but its terribly slow. 10Mb pip on cloud hosting site, 40Mb async on the client side. Both the server and client are screaming fast on their own. Connect via the vpn and its slower than dial up. Thoughts?
17:36 < vince164> thanks grewapear it was in /usr/lib64/openvpn/plugins since i a x64 system it use lib64
17:36 < grewapear> np ;)
17:39 -!- pgib [~pgib@76.18.186.63] has joined #openvpn
17:41 < thoraxe> vince164: what OS are you using?
17:41 < thoraxe> oh
17:41 < thoraxe> rpm -ql openvpn ?
17:41 < vince164> ?
17:41 < vince164> using centos
17:41 < thoraxe> vince164: yeah i saw that from a few lines ago.  if you do "rpm -ql openvpnpackagename" you should see all the files that came with it
17:42 < thoraxe> i haven't yet installed the package on my system yet or i'd check
17:42 < vince164> ahh nice didnt know you could do that
17:43 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
17:45 < grewapear> http://pastebin.com/tNApPj9S
17:45 < grewapear> ===  I would like to know if it possible to run two mode tap (layer 2) servers on one machine with one ethernet nic ?  when i do this only server #1 gets a dhcp ip address .. the other defaults to 169.254.x.x .. and if i set TAP adapter with fixed ip (10.2.101.105/24) it fails to assign ip.
17:45 < grewapear> i need if running two OSI layer 2 servers on one machine is possible... it appears it is not .. i would like to know for surev - I point out - I would like both TAP adapters to appear on the same subnet - in this case 10.2.101.0/24 - thanks
17:47 -!- mingdao [~mingdao@66-208-231-133.ubr01a.rte20201.pa.hfc.comcastbusiness.net] has joined #openvpn
17:47 -!- mingdao [~mingdao@66-208-231-133.ubr01a.rte20201.pa.hfc.comcastbusiness.net] has quit [Changing host]
17:47 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
17:50 < grewapear> ===  I would like to know if it possible to run two mode tap (layer 2) servers on one machine with one ethernet nic ?  when i do this only server #1 gets a dhcp ip address .. the other defaults to 169.254.x.x .. and if i set TAP adapter with fixed ip (10.2.101.105/24) it fails to assign ip.
17:50 < grewapear> i would like to know if running two OSI layer 2 servers on one machine is possible... it appears it is not .. i would like to know for sure - I point out - I am not using ethernet bridge & I would like both TAP adapters to appear on the same subnet - in this case 10.2.101.0/24 (The reason is for older certs which have not been updated, need to run at same time) - thanks
17:50 < grewapear> These are my configs:
17:50 < grewapear> http://pastebin.com/tNApPj9S
17:51 < grewapear> where is that pekster .. ?
17:53 < grewapear> rob0 ?
17:56 -!- volnukhin is now known as horry
17:56 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 252 seconds]
17:57 -!- horry is now known as rustem
17:57 -!- grewapear is now known as slimjinny
17:59 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
18:02 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
18:11 -!- nick4 [~nick4@62.1.92.100.dsl.dyn.forthnet.gr] has left #openvpn []
18:16 -!- ad4 [~ad4@107-1-69-206-ip-static.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
18:19 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 252 seconds]
18:22 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
18:23 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
18:24 -!- klein [~klein@177.101.118.7] has joined #openvpn
18:24 -!- klein [~klein@177.101.118.7] has quit [Changing host]
18:24 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
18:24 -!- master_of_master [~master_of@p4FF24175.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
18:37 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
18:37 < slimjinny> ===  I would like to know if it possible to run two mode tap (layer 2) servers on one machine with one ethernet nic ?  when i do this only server #1 gets a dhcp ip address .. the other defaults to 169.254.x.x .. and if i set TAP adapter with fixed ip (10.2.101.105/24) it fails to assign ip.
18:37 < slimjinny> i would like to know if running two OSI layer 2 servers on one machine is possible... it appears it is not .. i would like to know for sure - I point out - I am not using ethernet bridge & I would like both TAP adapters to appear on the same subnet - in this case 10.2.101.0/24 (The reason is for older certs which have not been updated, need to run at same time) - thanks
18:37 < slimjinny> These are my configs:
18:37 < slimjinny> http://pastebin.com/tNApPj9S
18:38 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
18:47 -!- master_of_master [~master_of@p4FD7BE3B.dip0.t-ipconnect.de] has joined #openvpn
18:53 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
18:57 < slimjinny> <<== is that an unimplicit NO ?
19:04 < slimjinny> No .. it is a piss off and dont bother us with your delusional nonsense
19:05 < slimjinny> how art thou to instruct without instruction ?
19:08 -!- vince164 [~vince164@24-212-235-5.cable.teksavvy.com] has quit [Quit: Leaving]
19:10 < slimjinny> Having practically single handedly entertained the forum and pushed openvpn in every direction it can possibly be pushed .. and then some .. it just seems i never get an answer on this chaneel unless it is abuse from your growling dogs
19:10 -!- C-S-B [~C-S-B@host86-166-155-46.range86-166.btcentralplus.com] has quit [Ping timeout: 276 seconds]
19:11 < slimjinny> and then after I admit i may not know everything .. and admit that i stopped asking questions because i got unpleasant answers
19:11 < slimjinny> maliciuos communications act 1(1)(a)
19:11 < slimjinny> if you aint got noffin nice to say .. dont say anythin g ..
19:11 < slimjinny> open my arse
19:15 -!- slimjinny [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
19:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
19:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:30 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
19:31 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has joined #openvpn
19:39 <+rob0> Well, pardon me for having a JOB
19:40 <+rob0> and indeed, I hesitate to answer stupid questions, and two tap instances would be about four times as stupid as having one tap instance.
19:42 <+rob0> pekster,ecrist: you probably noticed that was debb10t (or whatever)
19:55 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:57 -!- lj [~l@74.120.200.95] has joined #openvpn
20:01 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:01 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 248 seconds]
20:02 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 245 seconds]
20:05 -!- luckied [~luckied@unaffiliated/luckied] has joined #openvpn
20:05 < luckied> can anyone help me with something I'm sure is basic but I'm pulling my hair out trying to get it done
20:06 < luckied> I got a site to site VPN setup but on Linux I cannot seem to find a way to add "persistent" entries that do not get NAT'd
20:09 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
20:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:13 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
20:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
20:16 < pekster> rob0: Yup, that last inquiry was deep into help-leech-land. Oh well. The usermask also made my perma-ban list for nick changes :\
20:18 < pekster> luckied: And no, not you. What do you want persistent?
20:37 < luckied> I want rules that bypass NAT
20:37 < luckied> on BSD I would define a persitent table in pf
20:39 < pekster> "bypass" ? You simply don't NAT if you don't want it (netfilter I presume, if you're using Linux?)
20:40 < pekster> You can use the ACCEPT target in the nat table -- it won't accept the packet, just end rule traversal
20:40 < pekster> There's also #Netfilter for netfilter-specific help that has more folks that focus on that specifically
20:42 <+rob0> As far as persistence goes, that's probably a question for #your-distro-here
20:42 < luckied> hmm...then maybe I got a routing problem cuz I tried just using the ACCEPT on postrouting (prior to my NAT rule) and it didn't work
20:42 <+rob0> what are you NATing, and why?
20:43 < pekster> Without seeing a complete ruleset I can't say, but remember that Netfilter only processes the nat table for new connections (which is more or less how PF works too since it "keeps state" for you automatically with NAT as well)
21:01 < luckied> shit, then I don't know how to do what I need...I basically want to forward traffic through my established VPN without NAT'ing it
21:01 < pekster> huh? So don't NAT it..
21:01 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
21:02 < pekster> #Netfilter might be more on-topic, but if you aren't dealing with RFC1918 (or other such unroutable IP space) you not only don't need NAT, but shouldn't be using it unless you have very specalized setups
21:03 <+rob0> NAT is for RFC1918 to Internet and vice versa.
21:04 <+rob0> If you're just routing a LAN over the VPN, you don't need it at all.
21:05 <+rob0> (well ... unless maybe you have a lame router you can't control, but there too, NAT is not the answer: a better router is.)
21:13 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
21:13 < ljvb> evenin
21:36 < ljvb> grr.. wish iphone openvpn client supported bridging
21:39 <+rob0> That's funny, because support around here would be easier if openvpn didn't do bridging at all!
21:43 < ljvb> bridging serves a purpose
21:43 < ljvb> not too often, but sometimes, you want to be part of the same network
21:45 < pekster> By itself that's (usually) a bad reason. Broadcast/multicast might be a better one, but you rarely need that these-days
21:46 <+rob0> my point being that 99% of the folks who think they want/need to be part of the same network are wrong.
21:46 < ljvb> the only way to access my tivo is on the same network
21:47 < pekster> Then next time try buying technology that sucks less
21:47 < pekster> Freevo and Myth-TV would be some alternatives
21:47 < ljvb> I know it is a petty reason, but since I travel 5 days a week and live in a hotel
21:47 <+rob0> Papa was a rollin' stone ... wherever he laid his hat was his home.
21:47 < ljvb> I have used mythtv and xbmc, however it is not an acceptable option for my house
21:47 < ljvb> that and lack of cable card support
21:47 < ljvb> at least the last time I used it
21:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:48 <+rob0> But when he died ... al he left us was aloo-ooo-oo-one
21:48 <+rob0> ahem
21:48 < pekster> Complain to the MPAA lobby that fucks general audiences over. "For your benefit" :)
21:48 < ljvb> I have the Roamio, which does support out of home streaming.. but it is pathetic, screen turns off, download pauses.. wtf
21:48 < pekster> Not much openvpn can do to fix $broken though
21:48 < ljvb> I completely agree, however I can only work with what I have..
21:49 <+rob0> so you're watching movies through hotel wifi through openvpn through home?
21:50 < ljvb> IOS restrictions are what f'd up the tivo app, no real time streaming for android yet
21:50 < ljvb> no movies, just TV shows and shit
21:50 < ljvb> nothing to do in Indianapolis,
21:50 < ljvb> and hotel TV sucks
21:50 <+rob0> I would think you'd hit a bottleneck along the way with streaming video
21:50 < ljvb> heh
21:50 < ljvb> I would download
21:50 < ljvb> vs stream, while I am in the office during the day
21:50 <+rob0> oh hey, I have friends in Indy
21:51 < ljvb> thats nice.. I still have nothing to do :)
21:51 <+rob0> go visit them!
21:51 <+rob0> one of them has nice booze
21:51 <+rob0> (You have to have nice booze in Indy, 'cuz there's nothing to do.)
21:52 < ljvb> I'd prefer nice boobs.. but booze would work heh
21:52 <+rob0> well, he has those too, but I doubt he'd share.
21:52 < ljvb> yeah, my wife would not be happy either
21:52 < ljvb> heh
21:52 <+rob0> He might share but his wofe wouldn't.
21:52 <+rob0> err, wife
21:53 <+rob0> wolf
21:53 < ljvb> I suppose I could buy the other streaming device which the name escapes me..
21:54 < ljvb> but that is an unneeded expense to duplicate technology
21:55 < ljvb> I do have an xbmc box.. guess I should figure out a way to pull shows form the tivo to that.. I have a tivo script on my mac that strips the drm and downloads it, but the mac is with me
21:55 < ljvb> yeah.. going through an awful lot of trouble just for TV.. heh
21:56 < ljvb> on the bright side.. with openvpn and some creative static routes to my UK vps, I can watch BBC :)
21:57 < ljvb> looking for a CA vps that is cheap and decent.. so far.. all in the $20+ a month range
22:10 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer]
22:10 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
22:13 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 245 seconds]
22:14 -!- tharkun [~0@187.188.94.182] has joined #openvpn
22:18 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
22:20 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: No route to host]
22:20 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
22:26 < buhman> ljvb: shame linode doesn't offer 512MB@$10/mo
22:27 < buhman> ljvb: but they would be well worth your $20
22:28 < buhman> ljvb: I get bills for a single amazon ec2.micro in the free-tier in the fractional-dollars-per-month range
22:28 < buhman> ljvb: and that's because I abuse it regularly ;p
22:28 < buhman> ljvb: they have a CA datacenter of course too
22:29 < ljvb> I have not tried amazon anything yet
22:29 < buhman> though depending on the definition of 'decent' a micro may or may not meet your requirements
22:29 < ljvb> all I use them for are routing options
22:29 < buhman> in that case ec2.micro is probably perfect
22:29 < buhman> try it
22:29 < ljvb> I setup static routes based on ASN blocks
22:30 < ljvb> all traffic destined to EU sites routes through UK, US based stuff through US VPS
22:30 < ljvb> had a DE one, but performance sucked and switched to UK
22:30 < buhman> interesting
22:30 < MorgyN> ljvb: you publish your routing table ever?
22:31 < MorgyN> I wish to do similar
22:31 < ljvb> it is more an expirement than trying to get around any particular spying agency
22:31 < ljvb> it is not so much a table as it is using static routes in openvpn config
22:31 < MorgyN> gchq and nsa are too in bed with each other ;D
22:31 < ljvb> added manually
22:32 < MorgyN> wonder if there is something out there
22:32 < buhman> ljvb: in that case it's probably more to your advantage to route through someone who is faster with respect to your transit time to them rather than transit time to the destination
22:32 < ljvb> I'm sure I could use ospf or something
22:32 < ljvb> but have not tried
22:32 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
22:35 < ljvb> bah, need to get a snack..
22:38 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
22:43 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
22:44 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
22:51 <@EugeneKay> !beer
22:51 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
22:53 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
23:00 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
23:07 < tfox> !beef
23:08 < tfox> curious
23:19 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
23:21 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
23:21 < josefig> !welcome
23:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:23 -!- Fetch [fetch@gimel.cepheid.org] has quit [Remote host closed the connection]
23:25 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
23:25 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
23:27 < josefig> I have two offices with a LAN behind a router each, I would like to communicate them like if they are the same LAN and my users connect them from their homes to one office and access this LAN (the two offices included), is there a howto available ?
23:28 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:36 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: My damn controlling terminal disappeared!]
23:42 <@EugeneKay> You can bridge the two networks, but it generally isn't needed/wise. When you say "communicate", what protocols are you talking about?
23:44 < josefig> EugeneKay, TCP only, I'm using it for http and database only. So, I would like to access these servers via SSH but in LAN.
23:44 <@EugeneKay> So you don't really need a shared broadcast domain(Layer 2), just TCP/UDP routed between(Layer 3).
23:45 <@EugeneKay> The normal howto for getting the basic tunnel up applies, and then
23:45 <@EugeneKay> !route
23:45 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
23:45 <@vpnHelper> client
23:45 <@EugeneKay> You'll want to read through both !clientlan and !serverlan
23:47 < josefig> ok, in case I'd to communicate between both offices via SIP/H323 protocol would I need Layer 2 communication ?
23:47 <@EugeneKay> SIP runs over TCP/UDP, so no.
23:48 < josefig> EugeneKay, thanks :)
23:49 <@EugeneKay> About the only (sensible) thing that does require L2 is windows "workgroup" stuff, but you can just use WINS or get a real AD domain
23:49 <@EugeneKay> And that's just for name resolutin - the actual data is all TCP
23:50 < josefig> I understand, thanks.
23:54 -!- josefig_ [~josef@187.188.82.71] has joined #openvpn
23:55 -!- josefig [~josef@unaffiliated/josefig] has quit [Ping timeout: 272 seconds]
23:55 -!- josefig_ is now known as josefig
23:55 -!- josefig [~josef@187.188.82.71] has quit [Changing host]
23:55 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
--- Day changed Tue Jan 14 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:01 -!- josefig [~josef@unaffiliated/josefig] has quit [Ping timeout: 252 seconds]
00:08 -!- Aelius [~link@unaffiliated/aelius] has quit [Ping timeout: 252 seconds]
00:30 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
00:42 -!- Aelius [~link@unaffiliated/aelius] has joined #openvpn
00:53 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
00:56 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
01:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
01:02 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:10 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
01:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:11 -!- josefig [~josef@unaffiliated/josefig] has quit [Client Quit]
01:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:41 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Remote host closed the connection]
01:42 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
01:59 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
02:00 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
02:01 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
02:01 < jeev> !bridge
02:01 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge
02:01 < jeev> !whybridge
02:01 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
02:05 -!- lj1 [~l@192.241.174.169] has joined #openvpn
02:21 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
02:23 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
02:42 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
02:53 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:56 -!- |1li__ [~|1li@108-201-65-149.lightspeed.ftwotx.sbcglobal.net] has quit [Read error: Connection reset by peer]
03:03 -!- mattock_afk is now known as mattock
03:09 -!- dogmatic69 [~dogmatic6@host-80-195-74-5.static.cable.virginmedia.com] has joined #openvpn
03:09 < dogmatic69> hi all
03:11 < dogmatic69> I installed openvpn and cant get it to generate the CA certs. Once I source the file and run the command it says 'make sure you source the file first'
03:11 < dogmatic69> I can echo the variables after sourcing the config so not sure why it does not work.. any ideas?
03:11 < dogmatic69> ubuntu 12.04 with 'apt-get install openvpn' so its like 2.2.x afaik
03:14 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
03:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
03:19 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
03:44 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
03:47 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
03:49 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
03:52 -!- kossy [a@kossy.org] has quit [Read error: Connection reset by peer]
03:59 -!- kossy [a@kossy.org] has joined #openvpn
04:01 -!- kossy [a@kossy.org] has quit [Read error: Connection reset by peer]
04:02 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 272 seconds]
04:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:07 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
04:09 -!- kossy [a@kossy.org] has joined #openvpn
04:10 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
04:10 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 272 seconds]
04:10 -!- kossy [a@kossy.org] has quit [Excess Flood]
04:13 -!- kossy [a@kossy.org] has joined #openvpn
04:14 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
04:17 -!- kossy [a@kossy.org] has quit [Read error: Connection reset by peer]
04:19 -!- kossy [~a@kossy.org] has joined #openvpn
04:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 272 seconds]
04:23 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
04:24 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
04:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
04:41 -!- kossy [~a@kossy.org] has quit [Read error: Connection reset by peer]
04:50 -!- dazo_afk is now known as dazo
05:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
05:14 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Remote host closed the connection]
05:16 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
05:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:06 -!- champtar [~champtar@ns623510.ovh.net] has joined #openvpn
06:08 < champtar> !goal
06:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:09 < champtar> !welcome
06:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:09 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:17 < champtar> Hi, i'm having some fun with openvpn and ospf (bird). For now i'm using "mode p2p" with tun interface and everything is perfect. I tried using "mode server" + tun interface (so only 1port/1daemon on the server side) but i don't know how to dynamicly populate the internal routing table of openvpn (iroute …).
06:18 < champtar> Would it be possible to import the iroute from kernel routing table
06:18 < champtar> what would be the problems of such approach
06:19 < champtar> does anyone ever try this approach
06:23 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:38 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 276 seconds]
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:50 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
07:10 -!- mapps [Mark@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
07:15 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 260 seconds]
07:17 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 245 seconds]
07:20 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
07:21 <@ecrist> champtar: you want to push routes in the kernel routing table to clients, or what do you mean?
07:26 < champtar> (i'm using tun so on the client side the iroute is simple, everything to the server) on the server side, scan (one of) the kernel routing table, and add every route with a next hop in the vpn in the openvpn routing table (iroute)
07:27 < champtar> i want an "iroute-import" option
07:28 <@ecrist> you could write a client connect script of some sort, I imagine
07:30 < champtar> it's only on the server side, and keep in mind that i'm using ospf, so route can change without any change in the connection
07:31 <@ecrist> if you're using ospf, you're best off using some point to point tunnels and propagating  your ospf routes
07:31 <@ecrist> we do the same thing for $work
07:31 <@ecrist> and client-connect scripts are server side
07:31 <@ecrist> they're executed when a client connects
07:31 < champtar> i'm using p2p tunnels
07:31 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 246 seconds]
07:32 <@ecrist> then why aren't you just using ospf for your routing?
07:33 < champtar> everything is working (as stated in my first message), it's just that for every new tunnel, you need to configure client and server side
07:34 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:34 <@ecrist> yup
07:35 < champtar> i was wondering if copiing the kernel routing table in the internal routing table would simplify openvpn (get rid of iroute)
07:39 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
07:40 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
07:49 -!- sync0pate [~sync@unaffiliated/sync0pate] has joined #openvpn
07:49 <@ecrist> no
07:50 < sync0pate> Can anyone help me with connecting to a VPN on startup in Ubuntu 12.04?
07:50 <@ecrist> sync0pate: the same way anything starts on boot
07:50 < sync0pate> I have it connecting as I need through networkmanager but..
07:50 <@ecrist> either 1) a startup script
07:50 < sync0pate> ecrist, /etc/rc.local or something?
07:50 <@ecrist> 2) @reboot crontab
07:50 <@ecrist> sync0pate: correct
07:51 < sync0pate> at the moment I'm using "sudo nmcli c up id VPNname"
07:51 <@ecrist> !ubuntu
07:51 <@vpnHelper> "ubuntu" is dont use network manager!
07:51 < sync0pate> ok.. what's the alternative?
07:52 <@ecrist> really, if it's working fine for you, feel free to keep using it
07:53 < sync0pate> well I can't put "sudo" in a startup script can I?
07:55 <@ecrist> sure you can, but why wouldn't you have the startup script run as root?
08:17 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 272 seconds]
08:26 < sync0pate> OK sorry ecrist ,I had a vague memory that adding the command to /etc/rc.local didn't work
08:26 < sync0pate> but
08:26 < sync0pate> I've just tried it again and it works fine
08:26 < sync0pate> so thanks.
08:27 < sync0pate> any reason I shouldn't use networkmanager though? I've had problems with it in earlier versions, but it seems fine now?
08:30 <@ecrist> I've heard they've fixed the bugs, so like I said, use it if it works.
08:30 < sync0pate> ok thanks
08:36 -!- plm [~neo@200.175.61.1] has joined #openvpn
08:36 -!- mapps [Mark@host86-171-168-130.range86-171.btcentralplus.com] has quit [Ping timeout: 272 seconds]
08:36 < plm> hey, how I do for the client open two tunnels to just one tunnel in server and get a diferent ip for each tunnel?
08:37 < plm> I'm receiving in openvpn client in both tun0 and tun1 the same ip 10.8.0.6
08:49 -!- lj1 [~l@192.241.174.169] has joined #openvpn
08:56 -!- gavit [~gavit@190.98.16.61] has joined #openvpn
08:56 < gavit> I'm looking for a VPN router where I would get the same subnet when I log in remotely as when I would log in locally. Does openVPN support this?
09:01 -!- doug[home] [~dbh@ool-44c45391.dyn.optonline.net] has quit [Quit: leaving]
09:04 < defswork> bridging - yes
09:05 < defswork> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
09:05 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
09:09 < plm> defswork: do you know about how have a diferrent network/ip for each tunnel in the same machine? tun0 and tun1
09:20 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
09:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:30 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
09:33 < defswork> plm, you running multiple instances of openvpn ?
09:34 < defswork> or do you mean a single client connecting twice to the same server ?
09:45 -!- js_ [~js@js.madepeople.se] has quit [Remote host closed the connection]
09:45 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
09:54 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
09:57 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
10:01 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 272 seconds]
10:03 -!- defswork [~andy@141.0.50.105] has quit [Quit: Ex-Chat]
10:06 < jeev> i'm trying to have multiple bridges set up to one server, for instance, in datacenter A) a bridge with the ip .240 on tap0, so i start another vpn, tap1 on that server, .241 ip, then i connect datacenter B to tap0 and datacenter C to tap1. everything is ok except datacenter B and C can't ping eachother, so i add a bridge on the main system bridging tap0 and tap1 then i can ping eachother
10:06 < jeev> however i can't ping .240 and .241 anymore from datacenter B and C.. any suggestions '?
10:15 < plm> Denial: multiple instances of openvpn. I have client.conf and client2.conf
10:16 < plm> Denial: sorry
10:16 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
10:29 <@EugeneKay> Stop bridging and do a proper routed setup.
10:30 <@EugeneKay> This is exactly why it "seems easy, but is hard"
10:31 -!- ngharo [~ngharo@2001:1af8:4400:a049::1337:fa6] has joined #openvpn
10:33 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:37 -!- gavit_ [~gavit@190.98.16.61] has joined #openvpn
10:40 -!- gavit [~gavit@190.98.16.61] has quit [Ping timeout: 276 seconds]
10:43 < jeev> EugeneKay, me ? i need bridged
10:47 < plm> EugeneKay:  I have tun0: inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5 and tun1: inet 10.8.0.10  netmask 255.255.255.255  destination 10.8.0.9. But "ping -I tun1 10.8.0.1" show ping-pong, but the "ping -I tun0 10.8.0.1" I not have answer, but looking for tx/rx of repsctive ppp (tun0->ppp0) ppp are receiving/sending that pings.. why?
10:47 < plm> EugeneKay: that is routed setup
10:47 < plm> ^
10:58 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
11:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:10 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
11:12 -!- pcdummy [~pcdummy@mx1.page4me.ch] has joined #openvpn
11:12 -!- pcdummy [~pcdummy@mx1.page4me.ch] has quit [Changing host]
11:12 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
11:17 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
11:40 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has joined #openvpn
11:45 -!- mndo [~mndo@bl17-64-202.dsl.telepac.pt] has joined #openvpn
11:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:46 -!- pepijndevos [pepijndevo@2a00:dcc0:eda:3754:247:55:9194:8ed6] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
12:07 -!- hypernet is now known as Rallias
12:09 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
12:09 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
12:09 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:23 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:25 -!- lazzer [~mattias@213.132.98.41] has quit [Remote host closed the connection]
12:27 -!- maxiepax [max@locke.misse.org] has joined #openvpn
12:28 < maxiepax> I've tried to grasp the different of using 1024bit keys vs 2048bit, am i correct in assuming that the initial establishing process might be more cpu intensive and bw intensive, but when transfering frames across the vpn it will be all the same?
12:29 <@EugeneKay> Yup.
12:29 <@EugeneKay> And might as well go for 4096 TBQH
12:29 <@EugeneKay> Or 16384 if your tooling supports it
12:31 < pekster> fwiw, keepalive traffic is TLS-protected too (that might matter if the server has a lot of clients and/or a low ping time
12:31 < maxiepax> okey so use 4096 for keys if tool supports it (using openssl 1.0), AES-256-BC instead of blowfish, SHA512 and tls-auth. Any different recommendations?
12:31 < pekster> !hardening
12:31 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
12:32 < maxiepax> ooh :)
13:00 -!- gavit_ [~gavit@190.98.16.61] has quit [Ping timeout: 245 seconds]
13:05 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Remote host closed the connection]
13:06 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
13:13 -!- maskedlua is now known as anyone
13:13 -!- anyone is now known as maskedlua
13:15 -!- mndo [~mndo@bl17-64-202.dsl.telepac.pt] has quit [Ping timeout: 276 seconds]
13:15 -!- gavit_ [~gavit@190.98.16.61] has joined #openvpn
13:17 -!- subway [~jrb@unaffiliated/subway] has joined #openvpn
13:23 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Quit: Off the grid]
13:24 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
13:25 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 248 seconds]
13:27 -!- teh3ck [~teh3ck@2a00:d880:0:10::6a3e:b565] has joined #openvpn
13:27 < teh3ck> hi
13:27 < teh3ck> i haven't add openvpn as daemon to my server
13:27 < teh3ck> and it rebooted
13:28 < teh3ck> i can rerun it as "openvpn config_file"?
13:34 -!- teh3ck [~teh3ck@2a00:d880:0:10::6a3e:b565] has quit [Quit: Byezzz]
13:40 -!- subway [~jrb@unaffiliated/subway] has left #openvpn []
13:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:40 -!- teh3ck [~teh3ck@2a00:d880:0:10::6a3e:b565] has joined #openvpn
13:47 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
13:47 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
13:57 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
13:59 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:08 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
14:14 -!- mattock is now known as mattock_afk
14:28 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:29 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:39 -!- joejack [~joejack@99-106-141-155.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
14:41 < joejack> I understand how a tunnel is created between my computer and a vpn server, but how is that tunnel maintained between the vpn server and the webserver where a webpage is located that I am trying to retreive?
14:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
14:45 <@ecrist> it's not
14:45 <@ecrist> between the VPN server and that remote machine nothing special is done
14:47 < joejack> ecrist then how does the remote machine know how to handle a packet that has an encapsulation layer on it?
14:47 <@ecrist> the server deencapsulates it
14:48 <@ecrist> the VPN only secures traffic between the server and clients
14:48 < jeev> i'm trying to have multiple bridges set up to one server, for instance, in datacenter A) a bridge with the ip .240 on tap0, so i start another vpn, tap1 on that server, .241 ip, then i connect datacenter B to tap0 and datacenter C to tap1. everything is ok except datacenter B and C can't ping eachother, so i add a bridge on the main system bridging tap0 and tap1 then i can ping eachother
14:48 < jeev> however i can't ping .240 and .241 anymore from datacenter B and C.. any suggestions ?
14:49 <@ecrist> jeev: it's already been suggested you route things properly and don't use tap
14:49 < jeev> ecrist, i need to bridge a domain..
14:49 <@ecrist> you posted this exactly thing 6 hours ago
14:49 <@ecrist> !tunortap
14:49 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
14:49 < jeev> i thought he was talking to the other guy
14:49 <@vpnHelper> rooted/jailbroken) support only tun
14:50 < jeev> ok so i should go routed
14:50 < joejack> ecrist therefore am i correct to conclude that vpn is only effective if the machine you are trying to talk to, for example a web server, is also running a vpn server?
14:51 < jeev> ecrist, i've done it routed but not to this level but if you suggest it then i shall try it
14:51 <@ecrist> joejack: not at all, it depends on how you want to use the VPN
14:51 <@ecrist> jeev: bridged VPNs are generally a lazy way out of proper routing
14:52 < jeev> ecrist, i'm not trying to lazy anything out dude
14:54 < joejack> ecrist I am reading that to secure information, such as paying bills on a public wifi, one should use vpn.
14:56 <@ecrist> sure, that helps you maintain your privacy between you and a server you trust
14:56 <@ecrist> nothing special between the VPN server and the bill paying site, though.
14:56 < joejack> ecrist but from what you are telling me, one the info gets to the vpn servers, the server will send the info to the web server without a tunnel.
14:56 <@ecrist> correct
14:57 < joejack> ecrist so then it is missleading for someone to say using a vpn when on a public wifi hotspot solves the problem.
14:58 <@ecrist> no
14:58 <@ecrist> the "problem" is untrusted wifi, which is a local connection
14:59 <@ecrist> a VPN provides a secure tunnel between your machine and a remote trusted server, ultimately getting your traffic outside the hostile network.
14:59 < joejack> ah i see
14:59 < joejack> true
15:00 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
15:01 -!- dazo is now known as dazo_afk
15:03 -!- joejack [~joejack@99-106-141-155.lightspeed.miamfl.sbcglobal.net] has quit [Quit: Leaving]
15:08 -!- plm [~neo@200.175.61.1] has quit [Quit: leaving]
15:17 -!- tpw_rules [~tpw_rules@li242-215.members.linode.com] has joined #openvpn
15:19 < tpw_rules> hey, i am having a little trouble setting up openvpn on my phone. i'm using guizmovpn and when i connect, i get three VERIFY OKs, no errors, and nothing else. after a few minutes of waiting, the log looks like http://pastie.org/8633714
15:19 < tpw_rules> on my PC connection, i woudl expect stuff about data channel initialization
15:20 < tpw_rules> oh, something more apparently: TLS Error: TLS Key negotiation failed to occur within 60 seconds, then it dies
15:23 -!- noobboob is now known as noobboob2
15:31 <@ecrist> tpw_rules: you should use the sanctioned openvpn mobile client
15:32 -!- rshade98 [rshade98@75.108.41.251] has joined #openvpn
15:40 < rshade98> I am having a problem where I get my tun0 up. It gets an ip then 1 minute later I get a timeout and restart. I have done some research and most people say its to many clients. I only have 1 client for testing. I can not even ping 192.168.1.1 from 192.168.1.6
15:41 < rshade98> i do get Tue Jan 14 21:38:24 2014 us=824906 Initialization Sequence Completed
15:41 < rshade98> is there a good place for me to start?
15:41 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
15:42 < Magiobiwan> Hey guys. Anyone able to help with, basically, a VPN Bridge?
15:43 < Magiobiwan> I have a PPtP VPN I need to connect to, but my current connection is behind a filter which blocks pptp connections
15:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:43 < Magiobiwan> I can do an OpenVPN connection however. I've set up OpenVPN on a Linux Server (Centos), and I've connected that server to the PPtP VPN
15:45 < Magiobiwan> I'm struggling to figure out how to set it up so that I can go to an IP located on the PPtP VPN from my computer
15:45 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
15:45 -!- gavit_ [~gavit@190.98.16.61] has quit [Ping timeout: 272 seconds]
15:49 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:53 < Magiobiwan> The PPtP VPN is a 10.0.0.0/8 network, and my OpenVPN network size is currently set as 192.168.128.0/24
15:54 < Magiobiwan> Basically, I THINK I just need to route 10.0.0.0/8 to ppp0
15:54 < Magiobiwan> I just can't find how...
15:54 < tpw_rules> i think you'll need to fiddle with iptables at that point
15:54 < tpw_rules> that's all i really know though
15:56 < Magiobiwan> Oh fun
15:56 <+rob0> Basic IP routing; no, all you can do with iptables is to block it. Don't block it.
15:56 <+rob0> !route
15:56 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
15:56 < Magiobiwan> I hate IPMI on servers. If it worked properly, I could have set my server up LAST NIGHT...
15:57 < Magiobiwan> Oh. I think it's probably important to mention I'm using openvpn-as
15:58  * Magiobiwan thinks it'll probably be more efficient to just wait until he can go home and NOT be on a filtered connection
15:58 <+rob0> not really, but indeed you're in the wrong channel.
15:59 <+rob0> !as
15:59 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
15:59 < maxiepax> on a 2.66ghz xeon core, how long should i expect a 4096 dh key generation to take?
15:59 <+rob0> maxiepax, depends how much entropy the system has. Help it generate some.
16:00 < maxiepax> gooling howto generate entropy didn't leave me with much, any other term for it?
16:00 < Magiobiwan> If you're doing it on something headless
16:00 < Magiobiwan> Try installing haveged
16:00 < Magiobiwan> Much entropy :D
16:01 < Magiobiwan> On yum based systems "yum -y install haveged && service haveged start"
16:01 < tpw_rules> hey, i am having a little trouble setting up openvpn on my phone. i'm using guizmovpn and when i connect, i get three VERIFY OKs, no errors, and nothing else. after a few minutes of waiting, the log looks like http://pastie.org/8633714 . last i get is TLS Error: TLS Key negotiation failed to occur within 60 seconds, then it dies
16:01 < maxiepax> its a bsd system =/
16:01 < maxiepax> which i know little about
16:01 < maxiepax> any way to generate entropy using standard *nix cmds?
16:02 < Magiobiwan> plug in a keyboard/mouse?
16:02 < maxiepax> and then just have at it?
16:02 < Magiobiwan> Assuming *BSD uses the same methods for collecting entropy as normal Linux
16:03 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
16:03 < maxiepax> "hit some keys on the console to generate entropy" from a bsd manual
16:03 < maxiepax> gonna grab a keyboard
16:04 <+rob0> Software entropy is not real entropy. Might as well use /dev/urandom if you want bad entropy.
16:05 <+rob0> oh, I don't know if BSD has urandom.
16:05 < maxiepax> i should grab my friends cat, it seems to generate massive amounts of random garbish letters.
16:05 < tpw_rules> rob0: it generates real entropy measuring cpu jitter
16:07 < maxiepax> am i correct to assume that evertime a + appears its found enough random data to create a bit in the 4096 key?
16:09 <+rob0> oh, 4096 dhparam? I did that once also. Took an hour or so.
16:10 <+rob0> no, I don't think it's that bad, but I don't know exactly what each character signifiies.
16:11 < tpw_rules> oh oh my god i just realized my issue help
16:11 < tpw_rules> i was generating the keys on the wrong server :D
16:13  * tpw_rules shouldn't be allowed to do these things
16:14 -!- frenchface [~christine@us1x.mullvad.net] has joined #openvpn
16:15 -!- tpw_rules [~tpw_rules@li242-215.members.linode.com] has left #openvpn ["Evil will always triumph, because good is dumb."]
16:17 < frenchface> I have see docs on split tunneling on the server side, but is it possible to split the tunnel traffic on the client side, by only sending certain subnet thru the tunnel while the rest go thru the normal route?
16:18 <+rob0> Maybe you want policy routing, which might be a feature of your OS
16:19 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
16:26 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
16:36 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:38 -!- EugeneKay [eugene@clockworkmod.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:39 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
16:39 < Magiobiwan> rob0, haveged generates fairly good entropy
16:39 -!- mode/#openvpn [+o EugeneKay] by ChanServ
16:39 < Magiobiwan> It works REALLY well on heavily loaded OpenVZ nodes
16:40 < Magiobiwan> The more processes running, the more CPU jitter and stuff
16:40 <+rob0> OpenVZ ... oh my. I only trust entropy on a physical machine.
16:41 <+rob0> You do what you want.
16:41 <@EugeneKay> OpenLOLZ
16:41 < Magiobiwan> Hey. I work for a hosting company. It works
16:41 < Magiobiwan> Though, all the containers feed off the host node's entropy pool
16:41 < Magiobiwan> So it's fed from a single hardware node
16:41 <+rob0> Yes, and you'll probably never be targeted by the NSA, and I probably won't either.
16:41 < Magiobiwan> OpenVZ is a big mess of bastardization and patches and stuff :(
16:42 <+rob0> !openvz
16:42 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
16:42 <@EugeneKay> I'm sorry to hear that.
16:42 -!- christine_ [~christine@us1x.mullvad.net] has joined #openvpn
16:42 < Magiobiwan> VPN Via TUN/TAP works well enough for the majority of our chinese clients
16:42 < Magiobiwan> So yueah
16:43 < thoraxe> if I just want to use user/pass as per http://openvpn.net/index.php/open-source/documentation/howto.html#auth -- but i want to use the pam module, do i still need auth-user-pass-verify or do i just use the plugin line?
16:43 <@vpnHelper> Title: HOWTO (at openvpn.net)
16:46 -!- frenchface [~christine@us1x.mullvad.net] has quit [Ping timeout: 260 seconds]
16:49 -!- teh3ck [~teh3ck@2a00:d880:0:10::6a3e:b565] has left #openvpn ["Byezzz..."]
16:54 < maxiepax> openvpn --show-tls shows TLS-DHE-RSA-WITH-AES-256-CBC-SHA , however when i start my server.conf it says Cipher algorithm 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA' not found (OpenSSL).
17:04 < thoraxe> ok dumb routing question.  my openvpn network is server 192.168.42.0 255.255.255.0, and the server is also connected to a network 10.42.24.0/24.  I've added push "route 10.42.24.0 255.255.255.0"
17:04 < thoraxe> when trying to ping 10.42.24.3 from an openvpn client, the packets reach the openvpn server, but they don't appear to get sent to the remote system (10.42.24.3)
17:05 < thoraxe> the openvpn server can ping 10.42.24.3 directly
17:06 -!- buck911 [~buck911@184.151.61.74] has joined #openvpn
17:06 < thoraxe> i'm seeing ICMP host  unreachable - admin prohibited in the tcpdump
17:12 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
17:13 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
17:16 < thoraxe> hmm it's definjitely a firewall issue
17:16 < thoraxe> just not sure what to fix.  i've tried adding -i tun0 -j ACCEPT but no dice
17:16 < thoraxe> disabling the firewall fixes it
17:16 < thoraxe> that's clearly not a solution, heh
17:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:20 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
17:20 <+rob0> Firewall is what I would have guessed. It's also what the /topic guessed. :)
17:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:26 < thoraxe> yeah, i need some kind of forwarding rule or something, can't seem to figure it out
17:32 < thoraxe> any thoughts?
17:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
17:41 -!- christine_ [~christine@us1x.mullvad.net] has quit [Ping timeout: 245 seconds]
17:43 -!- frenchface [~christine@71-90-201-21.dhcp.stls.mo.charter.com] has joined #openvpn
17:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
17:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:56 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
17:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:07 -!- keithzg__ [~quassel@184.70.164.246] has joined #openvpn
18:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:13 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
18:13 -!- keithzg__ [~quassel@184.70.164.246] has quit [Remote host closed the connection]
18:14 -!- keithzg [~quassel@184.70.164.246] has joined #openvpn
18:27 -!- buck911 [~buck911@184.151.61.74] has quit [Quit: Leaving]
18:29 -!- frenchface [~christine@71-90-201-21.dhcp.stls.mo.charter.com] has quit [Quit: Leaving]
18:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
18:41 -!- joejack [~joejack@99-106-141-155.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
18:41 < joejack> can anyone recommend a free vpn service provider?
18:44 -!- master_o1_master [~master_of@p4FD7BC1C.dip0.t-ipconnect.de] has joined #openvpn
18:47 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: netsplit or something]
18:47 -!- master_of_master [~master_of@p4FD7BE3B.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
18:57 -!- schultza [~quassel@166.70.157.138] has joined #openvpn
18:57 < schultza> can i use the ips from the same network with a tun?
19:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:08 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Quit: ZNC - http://znc.in]
19:09 -!- mapps [Mark@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
19:09 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
19:13 -!- keithzg [~quassel@184.70.164.246] has quit [Remote host closed the connection]
19:15 < pekster> schultza: Routing needs to be unique within your routing domain
19:15 < schultza> What do you mean?
19:15 < pekster> All networks must be unique
19:15 < schultza> the network im openvpn to is 192.168.123.0.. i want to use the same ips.. can I do that with tun?
19:15 < schultza> ah
19:15 < pekster> "the same IPs" -- no. Dedicate a new network to the VPN
19:16 < pekster> Or bridge, but bridging is best avoided at all costs unless you are an expert and know why you need it
19:18 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has quit [Quit: leaving]
19:18 < schultza> this will be fun with samba and two different networks.
19:19 < pekster> Why?
19:19 < pekster> CIFS is an IP protocol. It works _fine_ over "different" networks
19:20 < pekster> I suggest you learn to use DNS and stop relying on "put everything on a broadcast domain so crap like NBNS works"
19:20 < schultza> NBNS?
19:20 < pekster> NBNS is "the shit that makes Windows know what hosts are without having set up DNS properly"
19:20 < pekster> Solution: don't use crutches and learn to set DNS up properly
19:20 < schultza> ah, ok.
19:21 < pekster> EIther way, it's not an openvpn problem as much as poor network design if you rely on broadcast protocols for things we solved decades ago
19:21 < pekster> Hint: there's a reason the Internet isn't one big broadcast domain
19:21 < pekster> dnsmasq is worth looking into if you want a DHCP/DNS server without much work
19:21 < schultza> that will be my next project rather than trying to learn that wierd configuration of exim4.
19:22 < pekster> Then just push it to your VPN clients and it'll work like magic. Maybe read about: !pushdns too
19:22 < schultza> pekster: thats obvious.
19:22 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
19:22 < schultza> !pushdns
19:22 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
19:23 < schultza> !windns
19:23 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
19:23 < pekster> Windows generally just works, but those notes are for special cases where they might not (and hints, etc)
19:27 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 272 seconds]
19:30 -!- mapp [Mark@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
19:30 -!- mapps [Mark@host86-171-168-130.range86-171.btcentralplus.com] has quit [Read error: Connection reset by peer]
19:36 -!- joejack [~joejack@99-106-141-155.lightspeed.miamfl.sbcglobal.net] has quit [Quit: This computer has gone to sleep]
19:38 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
19:39 < niel> hello if someone has time I just installed openvpn and ran this script on my server but when I connect it times out https://github.com/Nyr/openvpn-install
19:39 <@vpnHelper> Title: Nyr/openvpn-install · GitHub (at github.com)
19:40 < pekster> I'd file a bugreport with the author, "Nyr"
19:40 < pekster> That, or start with basic info that might help us get your problem fixed:
19:40 < pekster> !welcome
19:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
19:47 < niel> heh well I need to do this manually then
19:47 < niel> lets see cause last time was a failure
19:49 < pekster> !learn vauge as If you tell us you have an "error" or "failure" or "problem", we'll tell you no more than "something is wrong." You might want to review !ask for help learning how to ask questions to get more on-target answers
19:49 <@vpnHelper> Joo got it.
19:50 <@EugeneKay> Uhhh
19:50 <@EugeneKay> Vauge?
19:50 < schultza> I'm having a cert problem now. http://paste.ubuntu.com/6753796/
19:50 < pekster> EugeneKay: I took your advoice from #git and this is the result. Can I blame you? :)
19:51 <@EugeneKay> !blame
19:51 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
19:51 -!- luckied [~luckied@unaffiliated/luckied] has left #openvpn ["Leaving"]
19:51 <@EugeneKay> The error looks straightforward. The file system denied you
19:51 < pekster> !learn vague as If you tell us you have an "error" or "failure" or "problem", we'll tell you no more than "something is wrong." You might want to review !ask for help learning how to ask questions to get more on-target answers
19:51 <@vpnHelper> Joo got it.
19:51 < pekster> !forget vauge
19:51 <@vpnHelper> Joo got it.
19:52 <@EugeneKay> !learn vauge as Don't drink and bot, kiddies.
19:52 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:52 <@EugeneKay> Oh that
19:52 < thoraxe> "The redirect-gateway option might prevent the client from reaching the local DHCP server (because DHCP messages would be routed over the VPN), causing it to lose its IP address lease."
19:52 < schultza> I've created the keys on the server. Rsync+ssh copied the keys directly. And appreantly it's denying me on the server certs. How can I fix?
19:52 < thoraxe> might?
19:52 < pekster> schultza: That's pretty self-explanitory. The user you're launching openvpn as doesn' have permission to the 'keys/allen.key' file. Fix your filesystem permissions or use a user that has access
19:52 < thoraxe> so how would i know, and, if so, how would i fix/prevent it?
19:52 <@EugeneKay> man chmod
19:52 < schultza> ah, thanks
19:53 < schultza> do I have to run openvpn from my user folder?
19:53 <@EugeneKay> And the closely related chown
19:53 < pekster> thoraxe: Only in cases where the DHCP server is off-link. That's somewhat rare, but some larger networks do that, usually with some DHCP relay agent
19:53 < thoraxe> pekster: which dhcp server?
19:53 < pekster> Your DHCP server
19:53 < pekster> "the one you're using"
19:53 < thoraxe> pekster: for example, my laptop connects to my wifi via dhcp, and i am connecting to opepvn
19:54 <@EugeneKay>  usually you put the configs etc into /etc/openvpn/ and run it as a system user, often root
19:54 < pekster> Then why don't you check and see if it's off-link
19:54 < thoraxe> i don't even know what that means
19:54 <@EugeneKay> I wish i could follow my own advice, peks. Stuck in a doctor's office waiting on somebody
19:55 <@EugeneKay> Then i still need to go get dinner
19:55 < pekster> drink there! problem solved
19:55 < pekster> thoraxe: off-link is off your network link
19:55 < pekster> https://en.wikipedia.org/wiki/Link_Layer
19:55 <@vpnHelper> Title: Link layer - Wikipedia, the free encyclopedia (at en.wikipedia.org)
19:56 < thoraxe> you lost me.
19:56 < pekster> Are you the network admin? If so, you really ought to know where your DHCP server is relative to your clients. If you're not the admin, I suggest you go speak to him/her
19:56 < thoraxe> the network admin for which network?
19:56 < pekster> The one your client is on that you think you need to worry about the DHCP server being off-link
19:57 < thoraxe> my wifi laptop (client) is attached to my dd-wrt wifi router, so yes, i guess that makes me the network admin
19:57 < thoraxe> and i don't know if i need to worry about off-link or not - you brought that up
19:57 < pekster> Then happily ignore it
19:57 < thoraxe> ok, sounds like a good first step ;)
19:58 < thoraxe> next weird question -- since using redirect-gateway overrides the default routes, traffic on my home network not on my client's subnet is also redirected through that
19:58 < pekster> That's how routing tables work
19:59 < thoraxe> for example, my laptop is on 192.168.1.0/24, but i have resources here at home on 172.16.0.0/24 as well as 192.168.142.0/24.
19:59 < thoraxe> other than manually re-defining the routes for those nets, is there some way to have openvpn send them?
19:59 < pekster> So add routes to those extra networks via the --route directive on your client. Read --route in the manpage, and pay special attention to the net_gateway macro
19:59 < thoraxe> hmm k
20:00 < pekster> Wait, you want to keep an openvpn client routing to networks on _it_ can already access, or expose extra server-side networks?
20:00 < thoraxe> so my laptop on 192.168.1.0/24 can already reach 172.16.0.0/24 here at my house
20:00 < schultza> im missing a ta. file. How do I fix this? (on the server side)
20:00 < schultza> be back
20:01 < thoraxe> but when i connect to openvpn with redirect-gateway, the default gateway is overridden, and i can no longer reach 172.16.0.0/24 because it tries to route it through the openvpn server
20:01 < thoraxe> normally my default gw is my wifi router, whcih passes the traffic here at my house
20:01 < pekster> Right, so add that route and send it to your existing gateway. No need to push it to the client since this sounds like something this "one" client needs. Just add --routeu directives
20:01 < pekster> Erm, --route
20:01 < thoraxe> ok so in my config file i can just have route blahblah ?
20:01 < thoraxe> client config
20:02 < pekster> --route 172.16.0.0 255.255.255.0 net_gateway
20:02 < pekster> See the manpage (!man) for details
20:02 < thoraxe> yeah i'm looking at http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
20:03 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
20:03 < pekster> That's 7 years out of date
20:03 < pekster> !man
20:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
20:03 < pekster> If you're using 2.0.x, upgrade. If not, use a manpage made this decade
20:03 < thoraxe> 2.3.2
20:03 < pekster> Then don't use the "20x" manpage. The protip is most helpful too
20:04 -!- buhman [~root@eurybia.buhman.org] has quit [Ping timeout: 276 seconds]
20:04 < thoraxe> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage there we go
20:04 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
20:05 < niel> what do you guys suggest for a debian setup?
20:06 < pekster> Switching to Gentoo? Jesting aside, that's a meta-question and you might want to ask a more direct one for better answers
20:06 <@ecrist> Generally speaking, channel policy is that we only support the most recent version of OpenVPN
20:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:09 < thoraxe> --route 192.168.142.0 255.255.255.0 net_gateway -> ERROR: Linux route add command failed: external program exited with error status: 2
20:10 < thoraxe> oh wait
20:10 < thoraxe> i think i had manually added that earlier
20:10 < pekster> Then your OS is complaining it can't add a duplicate route
20:10 < niel> I think I am going to turn my old laptop into a proxy/vpn server arch linux a good distro for that
20:10 < pekster> You get the error message at verb 4 (see: !verb)
20:10 < pekster> !bestos
20:10 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
20:11 < niel> arch it is
20:11 < pekster> For all it matters try Windows 2000 or ME (if you can get it to work)
20:11 < niel> windows ew
20:12  * niel secretly just likes installing arch
20:13 < thoraxe> ok now for the really fun stuff
20:13 < thoraxe> let's see what happens when i connect to two vpns at once
20:14  * pekster has connected to 1000 at once; even then, it was only the memory on the poor laptop that couldn't really handle more
20:14  * niel has never got one working
20:16 < thoraxe> trying to connect to this openvpn i'm setting up and my work/corp vpn simultaneously
20:16  * ecrist ardently recommends FREEBSD
20:16 <@ecrist> sorry about caps
20:17 < pekster> s/REE/ree/  FTFY
20:17 < niel> oh its already installed perfect
20:17 < thoraxe> ok, looks like if I connect to my work vpn first and then connect to this openvpn, things work
20:18 < pekster> Dunno about perfect. There's only "one" perfect network installation, and it's not very useful: http://www.forjoke.com/wp-content/uploads/2012/05/modem-condom.jpg
20:19 < niel> oh god
20:21 < pekster> Worry less about the OS and more about the implementation/design
20:21 < pekster> Holy wars can be had in ##linux or ##networking ;)
20:22 < thoraxe> niel: use whatever os you are most comfortable with that supports openvpn well.  centos6, for example, has a long life ahead of it
20:22 < niel> Ive heard
20:22 < niel> meh I like arch
20:22 < thoraxe> so then use arch.
20:22 < thoraxe> if you're comfortable and know it well and openvpn is packaged for it, you're all set
20:23 < thoraxe> pekster: thanks for the help.  looks like this is going well.  the only question really is whether or not I should bother with linotp/google authenticator
20:23 < pekster> If you want a physical token for authentication, sure. That's often more hassle than it's worth, but that depends on the value of information you're securing and your threat model
20:24 < thoraxe> well, we're trying to put a wiki with sensitive information behind the vpn.  right now i have openvpn set up for user/password with no certs
20:24 < thoraxe> google auth can use software token
20:25 < pekster> If someone with the right amount of funding ($local_govt, etc) wants your data that badly, they're probably going to get it anyway. And quite frankly you're (probably) not that interesting anyway. Taylor your paranoia to suit
20:25 < niel> so what would you guys suggest for an easy setup for a noob
20:25 < thoraxe> yes, there have been lots of conversations about tailoring paranoia to suit
20:25 < pekster> niel, same thing we point everyone too (and so does the /TOPIC!) ..
20:25 < pekster> !howto
20:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:25 < thoraxe> i'm just trying to figure out a slightly more than trivial hack-proofing
20:26 < pekster> Then use X.509, username, and possibly also the Challenge/Response stuff you can read about in the management readme included with the sources for "3-factor" auth
20:26 < pekster> !hardening
20:26 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
20:26 < thoraxe> see OTP seems like it's way easier than certs, but maybe i'm thinking about it wrong
20:27 < pekster> OTP doesn't scale
20:28 < thoraxe> how so?
20:28 < thoraxe> RSA seems to be in the business of proving otherwise (compromises aside)
20:28 < thoraxe> i'm a newb to all of this so i'm entertaining any input
20:29 < pekster> ##security is probably more useful for something this abstract
20:30 < pekster> If you're this "new", OTP schemes really aren't something you ought to be worrying about. YMMV
20:38 < thoraxe> i guess i just like the cachet of google auth/otp/software token stuff
20:38 < thoraxe> certs is probably easier using easyrsa
20:39 < pekster> easyrsa deals wtih certs
20:39 -!- Carbon_Monoxide [~cmonxide@14.0.207.83] has joined #openvpn
20:39 < pekster> easyrsa is easier than dealing with openssl's frontend directly (as the author of easyrsa 3.x, I'm quite confident in that assertation)
20:39 -!- Carbon_Monoxide [~cmonxide@14.0.207.83] has left #openvpn []
20:40 < thoraxe> oh hell yes, easyrsa is definitely easy as pie
20:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
20:41 < pekster> Oh, I mis-read that. I read "easier than using" .. I blame EugeneKay again.
20:41 < thoraxe> ah no
20:42 < thoraxe> using easyrsa for certs really isn't that bad
20:42 < thoraxe> but it's not "cool"
20:42 < thoraxe> but i suppose it's sufficient for my needs, which are really pretty minimal.  it's pretty much me and another dude
20:44 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
20:47 < thoraxe> hmm how do i grep out all the blanks and comments
20:47 < thoraxe> fun with regexp
20:48 < pekster> !paste
20:48 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
20:48 < pekster> !configs
20:48 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:51 < thoraxe> alright, i'm far enough for this evening.  thanks all!
20:53 < lachesis> do i need a routed /48 for my IPv6 tunnel to set up ipv6 forwarding over openvpn?
20:55 < pekster> lachesis, check out:
20:55 < pekster> !ipv6
20:55 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
20:55 < pekster> wiki page is most helpful
21:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:07 -!- dogmatic69 [~dogmatic6@host-80-195-74-5.static.cable.virginmedia.com] has quit [Remote host closed the connection]
21:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:20 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
21:21 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
21:37 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 276 seconds]
21:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
21:41 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
22:02 -!- buhman [~root@eurybia.buhman.org] has joined #openvpn
22:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:27 < schultza> Ok. What am I doing wrong now? <http://paste.ubuntu.com/6754296/>
22:27 < schultza> Before, I had the wrong port, now I have the right port.
22:28 < schultza> do i have to run openvpn as root?
22:32 < lachesis> i'm getting weird problems with ipv6 connectivity over openvpn, probably due to a routing problem on the remote server
22:32 < lachesis> tcpdump shows that the packets are making it to tun0 on the remote host
22:33 < lachesis> but not to the interface providing ipv6 connectivity, "he-ipv6"
22:33 < lachesis> here's the routing table on that host
22:33 < lachesis> https://p.6core.net/p/AWigfZSzmoVPBV99wA2fCj0R
22:33 < lachesis> oh, and the ipv6 firewall is completely disabled - everything set to allow
22:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
22:45 -!- mattock_afk is now known as mattock
22:46 -!- schultza [~quassel@166.70.157.138] has quit [Remote host closed the connection]
22:57 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
23:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:13 -!- buhman [~root@eurybia.buhman.org] has left #openvpn ["WeeChat 0.4.2"]
23:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
23:30 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:36 -!- msn [~kvirc@125.234.96.10] has joined #openvpn
23:39 < msn> i just setup openvpn on a vps and trying to route all my traffic through it, somehow the connnnection works but the traffic routing doesnt happen
23:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
23:45 < msn> here is my server and client config http://pastebin.ca/2541340
23:46 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
23:47 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
--- Day changed Wed Jan 15 2014
00:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:08 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
00:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 252 seconds]
00:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
00:20 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
00:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
00:41 <@krzee> msn, sorry this took so long, please follow the flowchart here:
00:41 <@krzee> !redirect
00:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
00:41 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
00:42 < msn> krzee:  noproblem i got it wokring
00:42 <@krzee> oh cool
00:42 <@krzee> even better =]
00:43 <@krzee> note, depending on the client os you may need additional effort to make pushing DNS work
00:44 <@krzee> some windows just work (some need tweaking of client config), some mac clients just do it, linux needs an --up script to make it work
00:44 <@krzee> !pushdns
00:44 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
00:59 < msn> andriod
00:59 < msn> :D
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:23 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
01:23 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
01:24 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
01:26 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
01:28 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
01:29 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
01:29 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 272 seconds]
01:31 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
01:46 -!- mapp [Mark@host86-171-168-130.range86-171.btcentralplus.com] has quit [Read error: Connection reset by peer]
01:46 -!- mapps [~map@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:04 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
02:06 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
02:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:14 -!- mattock is now known as mattock_afk
02:26 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
02:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
02:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:03 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
03:04 -!- defswork [~andy@141.0.50.105] has joined #openvpn
03:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:43 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 252 seconds]
04:10 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
04:17 -!- dazo_afk is now known as dazo
04:38 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
04:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:44 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
04:52 -!- msn [~kvirc@125.234.96.10] has quit [Quit: KVIrc 4.1.3 Equilibrium http://www.kvirc.net/]
04:53 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
04:53 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
04:53 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:53 -!- kalloc is now known as bla_
04:53 -!- bla_ is now known as kalloc
04:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
04:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Client Quit]
04:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Client Quit]
04:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:01 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
05:01 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:05 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
05:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:27 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
05:58 -!- Devastator [~devas@186.214.111.33] has joined #openvpn
05:59 -!- Devastatr [~devas@unaffiliated/devastator] has quit [Ping timeout: 260 seconds]
06:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:05 -!- piece3 [~quassel@14.161.15.21] has quit [Quit: No Ping reply in 180 seconds.]
06:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:29 -!- calcifea_ is now known as calcifea
06:32 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
06:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
06:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 248 seconds]
06:42 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:43 -!- thecaptain2000 [~quassel@149.229.79.188.dynamic.jazztel.es] has joined #openvpn
06:45 -!- mattock_afk is now known as mattock
06:50 -!- cherwin [~cherwin@80.239.169.202] has joined #openvpn
06:58 -!- thecaptain2000 [~quassel@149.229.79.188.dynamic.jazztel.es] has quit [Remote host closed the connection]
07:06 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
07:07 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:07 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Excess Flood]
07:10 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:15 -!- cherwin [~cherwin@80.239.169.202] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
07:15 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
07:30 -!- cherwin [~cherwin@80.239.169.202] has joined #openvpn
07:46 -!- cherwin [~cherwin@80.239.169.202] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
07:49 -!- lj [~l@192.241.174.169] has joined #openvpn
07:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:19 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:30 -!- xBytez [xBytez@unaffiliated/xbytez] has quit [Ping timeout: 276 seconds]
08:31 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has quit [Ping timeout: 276 seconds]
08:32 -!- xBytez [xBytez@libxbytez.so] has joined #openvpn
08:32 -!- xBytez [xBytez@libxbytez.so] has quit [Changing host]
08:32 -!- xBytez [xBytez@unaffiliated/xbytez] has joined #openvpn
08:32 -!- xBytez [xBytez@unaffiliated/xbytez] has quit [Read error: Connection reset by peer]
08:46 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
08:54 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
08:59 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
08:59 -!- schnitzl [~schnitzl@dslb-188-098-007-058.pools.arcor-ip.net] has joined #openvpn
09:01 < schnitzl> hey. i got a vpn connection. i hav eno clue howto install that stuff. i am on windows 8.1. the zip files contains a file called client.conf. any idea which vpn client can deal with conf files and import *.rt files and *.key files?
09:01 < schnitzl> **and can use the .conf file.
09:13 < digilink> anyone have any suggestions for a good certificate management system? I'm using XCA at the moment, and it's decent, but would prefer something with a GUI that is client/server...
09:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:26 -!- pgib [~pgib@76.18.186.63] has quit [Changing host]
09:26 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
09:36 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
09:36 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:38 -!- lj [~l@192.241.174.169] has joined #openvpn
09:52 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
09:53 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
10:05 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
10:06 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:14 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
10:22 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:28 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:28 -!- mattock is now known as mattock_afk
10:35 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
10:50 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Remote host closed the connection]
10:53 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
10:54 -!- doug[work] [~doug@47.23.122.202] has joined #openvpn
10:54 < doug[work]> !tap
10:54 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
10:54 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses.
10:54 < doug[work]> !tcp
10:54 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
10:55 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
11:03 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:15 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
11:20 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
11:35 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has joined #openvpn
11:44 -!- elfixit1 [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
11:47 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:47 -!- lj [~l@192.241.174.169] has joined #openvpn
11:47 -!- lj [~l@192.241.174.169] has quit [Client Quit]
11:48 -!- lj [~l@66.94.192.181] has joined #openvpn
11:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
12:01 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
12:03 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
12:04 -!- elfixit1 [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Quit: elfixit1]
12:24 -!- zxd [~zxd@87.69.188.64] has quit [Ping timeout: 265 seconds]
12:25 -!- dazo is now known as dazo_afk
12:26 -!- niel- [niel@om.nom.nom.coooki.es] has joined #openvpn
12:27 -!- raidz_ [~raidz@2607:5300:60:d5a::2] has joined #openvpn
12:28 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 240 seconds]
12:28 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
12:28 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 240 seconds]
12:28 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
12:28 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
12:28 -!- raidz_ is now known as raidz
12:28 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
12:28 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
12:28 -!- mode/#openvpn [+o raidz] by ChanServ
12:28 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
12:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:30 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
12:31 -!- mode/#openvpn [+o krzee] by ChanServ
12:34 -!- rshade98 [rshade98@75.108.41.251] has quit [Read error: Connection reset by peer]
12:36 -!- rshade98 [rshade98@74.196.144.78] has joined #openvpn
12:47 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:55 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
12:55 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:56 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
12:56 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:03 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
13:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
13:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:23 -!- joshh20 is now known as joshh20-Away
13:27 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
13:28 -!- sudoyum [ae61aee0@gateway/web/cgi-irc/kiwiirc.com/ip.174.97.174.224] has joined #openvpn
13:29 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.2]
13:30 < sudoyum> Windows question. I have a bridged vpn up and running. I have a folder shared on my network drive - it contains pdfs, etc. When I attempt to access it remotely, the performance is really bad and times out alot. Is this just a windows thing and is there a better way to do this?
13:31 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
13:31 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
13:35 -!- sudoyum [ae61aee0@gateway/web/cgi-irc/kiwiirc.com/ip.174.97.174.224] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
13:35 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
13:39 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:40 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
13:42 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:54 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has joined #openvpn
13:54 < linuxnewb2> :)
14:01 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
14:04 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
14:06 -!- lj1 [~l@192.241.174.169] has joined #openvpn
14:09 -!- lj [~l@66.94.192.181] has quit [Ping timeout: 272 seconds]
14:22 -!- akselii [~akselii@tsydeemi.eu] has joined #openvpn
14:43 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:50 < rshade98> can you include extra files in the openvpn.conf
14:55 -!- klein [~klein@177.101.118.7] has joined #openvpn
14:55 -!- klein [~klein@177.101.118.7] has quit [Changing host]
14:55 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:01 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
15:05 < linuxnewb2> I am having such a difficult time with making a CA.cert to run with Openvpn. I do not want to be a bother but i need help, please.
15:07 < linuxnewb2> Using ubuntu and can't get easy-rsa to work, but i have tinca running but am honestly stuck right there.
15:14 -!- niel- is now known as niel
15:22 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 248 seconds]
15:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
15:43 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
15:47 < thoraxe> !paste
15:48 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
15:51 < thoraxe> so i'm noticing that my client tends to randomly ask for user/pass every once in a while: https://gist.github.com/thoraxe/56c435d711157496c605 is that because i have auth-nocache set?
15:51 <@vpnHelper> Title: client.conf (at gist.github.com)
15:51 < thoraxe> as it results in frequent prompting for the user name and password
15:51 < thoraxe> ah
15:51 < thoraxe> look at that
15:54 < freeroute> hi, I want to do something relatively simple. In my home LAN I have a server (192.168.1.53) with running a VM. Inside that VM there's a webserver running, the port of which can be reached at 192.168.1.53:1111/web. But only from the LAN network. I want to keep it internal only. What I want to do is be able to connect from the outside to my LAN so that I can approach my webserver running on a VM. I can install openvpn on my server, but I
15:54 < freeroute> apparently I have a fundamentally flawed understanding of what a VPN is.
15:54 < freeroute> So my question would be the following: How can I achieve (using openvpn?) connecting to my home LAN network from the outside so as to reach the webserver running in my home LAN?
15:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:00 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:06 -!- pronto [pronto@six.tasty.bagels.xxx] has joined #openvpn
16:06 < pronto> !welcome
16:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:09 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
16:09 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
16:09 -!- lowkey [lowkey@hydra-bom.aufbix.org] has quit [Ping timeout: 246 seconds]
16:11 -!- darkdrgn2k [~darkdrgn2@69-165-131-20.dsl.teksavvy.com] has joined #openvpn
16:11 < darkdrgn2k> how do you choose UDP over TCP vpn?
16:11 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
16:12 < freeroute> darkdrgn2k: you have config files in /etc/openvpn/ and you can configure for both client and server usage
16:12 < darkdrgn2k> but how do oyu chose wich one to pick
16:12 < darkdrgn2k> why is tcp better then udp or vice versa
16:14 < freeroute> you can write in the confs file like "remote [IP ADDRESS] [port number] proto tcp" and then it chooses the protocol (if the server is configured that way too)
16:14 < freeroute> *conf
16:14 < darkdrgn2k> ok sorry.. question is more theory not how to
16:14 < darkdrgn2k> ie why would i use a TCP openvpn server instead of a UDP one
16:15 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 252 seconds]
16:15 < freeroute> oh well that really depends on usage scenario, for example HTTPS ports (443) can only go through TCP
16:15 < darkdrgn2k> well no there is a UDP 443 port too just not used for HTTPS proxying :-P
16:16 < darkdrgn2k> i know they say that encapsulating VOIP (udp) traffic in TCP makes it more robust
16:16 < freeroute> right, but if you would use HTTPS then you should use TCP port 443
16:16 < darkdrgn2k> but what are the drawbacks of going tcp?  higher overhead
16:16 < freeroute> I would guess so
16:16 < freeroute> with UDP there is no handshaking
16:16 < darkdrgn2k> by https you mean https proxy right?
16:17 < darkdrgn2k> tcp connections drop easier too right?
16:17 < freeroute> no HTTPS traffic in general AFAIK
16:17 < freeroute> not sure, there was a guide posted here recently, just a sec
16:17 < darkdrgn2k> i thought "HTTPS" is just HTTP wrapped in SSL....
16:17 < freeroute> ah, here we go
16:17 < freeroute> !tcpip
16:17 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
16:18 < freeroute> I don't know very much about protocols apart from that UDP is mostly used for streaming and that TCP is better at fault tolerance etc.
16:21 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has quit [Quit: linuxnewb2]
16:21 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
16:23 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
16:25 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
16:25 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
16:29 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-fbnroaaasckdqtvi] has quit [Ping timeout: 265 seconds]
16:30 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
16:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-xvlgzcaxxgbhoisq] has joined #openvpn
16:31 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:31 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
16:33 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:34 -!- joshh20-Away is now known as joshh20
16:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:45 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.3-dev]
16:46 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:53 -!- mattock_afk is now known as mattock
16:55 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:57 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:58 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
17:02 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
17:10 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
17:10 -!- mode/#openvpn [+o krzie] by ChanServ
17:11 -!- namidark_ [~namidark@192.34.61.38] has joined #openvpn
17:11 -!- Haseo- [~Haseo@aufrinfo.net] has joined #openvpn
17:13 -!- keropok_ [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
17:14 -!- seebaer [~seba@kratzbaum.someserver.de] has joined #openvpn
17:14 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-yhcgnijrwamuhkol] has joined #openvpn
17:15 -!- pcdummy_ [~pcdummy@mx1.page4me.ch] has joined #openvpn
17:17 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
17:17 -!- krzie is now known as krzee
17:17 -!- __FBi [~B@uwantmy.info] has quit [Ping timeout: 245 seconds]
17:17 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 245 seconds]
17:17 -!- Haseo- is now known as Haseo
17:17 -!- namidark [~namidark@192.34.61.38] has quit [Ping timeout: 245 seconds]
17:17 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 245 seconds]
17:17 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 245 seconds]
17:17 -!- troj_ [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
17:17 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Ping timeout: 245 seconds]
17:17 -!- keropok [~keropok@9W2JDY.peramah.org.my] has quit [Ping timeout: 245 seconds]
17:17 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
17:17 -!- namidark_ is now known as namidark
17:17 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 245 seconds]
17:17 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-wsbvzznmfporkzph] has quit [Ping timeout: 245 seconds]
17:17 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 245 seconds]
17:17 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
17:17 -!- EugeneKay [eugene@itvends.com] has quit [Ping timeout: 245 seconds]
17:17 -!- lowkey [lowkey@hydra-bom.aufbix.org] has quit [Ping timeout: 245 seconds]
17:17 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Ping timeout: 245 seconds]
17:17 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
17:17 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
17:17 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
17:17 -!- sailerboy_ [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
17:17 -!- seebaer is now known as seba
17:17 -!- sauce_ is now known as sauce
17:17 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
17:17 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
17:17 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 245 seconds]
17:17 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
17:17 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
17:17 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
17:18 -!- __FBi [~B@uwantmy.info] has joined #openvpn
17:18 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
17:18 -!- niftylettuce_ is now known as niftylettuce
17:18 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
17:20 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
17:28 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
17:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:29 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
17:32 -!- mattock is now known as mattock_afk
17:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
17:47 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
18:22 -!- zxd [~zxd@87.69.188.64] has joined #openvpn
18:30 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
18:43 -!- master_of_master [~master_of@p4FD7B7BC.dip0.t-ipconnect.de] has joined #openvpn
18:47 -!- master_o1_master [~master_of@p4FD7BC1C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
19:12 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:17 -!- zxd [~zxd@87.69.188.64] has quit []
19:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:22 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
19:27 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
19:28 -!- slimjinny [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
19:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:31 -!- slimjinny is now known as tap2tapnot
19:33 -!- tap2tapnot [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
19:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 276 seconds]
20:01 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
20:03 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
20:04 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
20:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:17 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Remote host closed the connection]
20:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 276 seconds]
20:40 -!- thumbs [1000@unaffiliated/thumbs] has quit [Quit: leaving]
20:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:48 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
21:00 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
21:29 -!- sailerboy_ [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
21:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
21:56 -!- schnitzl [~schnitzl@dslb-188-098-007-058.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
21:56 -!- schnitzl [~schnitzl@dslb-178-007-167-189.pools.arcor-ip.net] has joined #openvpn
22:02 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
22:22 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has joined #openvpn
22:23 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has quit [Max SendQ exceeded]
22:23 -!- linuxnewb2 [~linuxnewb@184.75.223.218] has joined #openvpn
22:23 -!- linuxnewb2 [~linuxnewb@184.75.223.218] has quit [Changing host]
22:23 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has joined #openvpn
22:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:32 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
22:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 276 seconds]
22:37 -!- joshh20 is now known as joshh20-Away
23:20 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
23:21 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has joined #openvpn
23:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
23:41 -!- tfox [~tfox@cpe-199.21.149.243.ca.yorkinet.com] has quit [Quit: tfox]
23:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
--- Day changed Thu Jan 16 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
00:24 -!- rustem [~ka4ok@141.0.170.169] has quit [Remote host closed the connection]
00:24 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
00:25 -!- surfmasta [~surfmasta@80.92.88.10] has quit [Ping timeout: 264 seconds]
00:25 -!- surfmasta [~surfmasta@80.92.88.10] has joined #openvpn
00:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
00:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:09 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
01:10 -!- mattock_afk is now known as mattock
01:15 -!- lj [~l@192.241.174.169] has joined #openvpn
01:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
01:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:05 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has quit [Ping timeout: 245 seconds]
02:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:26 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
02:26 < Xgates> hi guys
02:29 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Quit: mirco]
02:30 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
02:40 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Ping Timeout (0 Nano Seconds)]
02:56 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
03:17 -!- rshade98 [rshade98@74.196.144.78] has quit []
03:30 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
03:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
03:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:40 -!- darkdrgn2k [~darkdrgn2@69-165-131-20.dsl.teksavvy.com] has quit [Read error: Connection reset by peer]
03:40 -!- darkdrgn2k4 [~darkdrgn2@69-165-131-20.dsl.teksavvy.com] has joined #openvpn
03:42 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
04:01 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has joined #openvpn
04:05 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 260 seconds]
04:05 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
04:06 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:08 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
04:14 -!- Rienzilla [rien@sinas.rename-it.nl] has left #openvpn []
04:15 -!- rtur [~rtur@46.165.208.107] has joined #openvpn
04:15 -!- rtur [~rtur@46.165.208.107] has left #openvpn ["openvpn"]
04:22 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
04:22 -!- Eagleman7 [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
04:27 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:29 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
04:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
04:35 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
04:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:51 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
04:59 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has quit [Ping timeout: 252 seconds]
05:10 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
05:12 -!- freeroute [~freeroute@de3x.mullvad.net] has joined #openvpn
05:28 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
05:52 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
05:55 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
05:56 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
06:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:42 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:45 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Remote host closed the connection]
06:47 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
07:08 -!- freeroute [~freeroute@de3x.mullvad.net] has quit [Ping timeout: 252 seconds]
07:11 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
07:12 -!- lj1 [~l@192.241.174.169] has joined #openvpn
07:14 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Read error: Operation timed out]
07:29 -!- defswork [~andy@141.0.50.105] has quit [Remote host closed the connection]
07:29 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has joined #openvpn
07:48 -!- piece3_ [~quassel@14.161.15.21] has joined #openvpn
07:49 -!- piece3 [~quassel@14.161.15.21] has quit [Ping timeout: 252 seconds]
07:53 -!- piece3_ [~quassel@14.161.15.21] has quit [Ping timeout: 245 seconds]
07:57 -!- linuxnewb2 [~linuxnewb@unaffiliated/linuxnewb2] has quit [Ping timeout: 260 seconds]
08:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
08:10 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
08:16 -!- piece3 [~quassel@14.161.15.21] has quit [Read error: Operation timed out]
08:26 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
08:31 -!- pronto [pronto@six.tasty.bagels.xxx] has quit [Remote host closed the connection]
08:33 -!- piece3 [~quassel@14.161.15.21] has quit [Ping timeout: 245 seconds]
08:48 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
08:58 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
08:59 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
09:05 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
09:05 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
09:09 -!- SuperLag [~akulbe@unaffiliated/superlag] has joined #openvpn
09:12 -!- SuperLag [~akulbe@unaffiliated/superlag] has quit [Remote host closed the connection]
09:18 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:18 -!- lj [~l@192.241.174.169] has joined #openvpn
09:19 -!- mapp [Mark@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
09:19 -!- mapps [~map@host86-171-168-130.range86-171.btcentralplus.com] has quit [Read error: Connection reset by peer]
09:19 -!- mattock is now known as mattock_afk
09:22 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:28 -!- freeroute [~freeroute@77-173-107-81.ip.telfort.nl] has quit [Quit: freeroute]
09:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:42 <+rob0> !route
09:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:42 <+rob0> mingdao, ^^
09:43 <+rob0> probably the best intro resource I know of.
09:44 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
10:00 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
10:24 -!- markus_ [~markus@mirkk.vpntunnel.com] has quit [Ping timeout: 248 seconds]
10:31 -!- markus_ [~markus@mirkk.vpntunnel.com] has joined #openvpn
10:37 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
10:43 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 272 seconds]
10:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:53 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
10:58 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
11:00 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
11:19 -!- novaflash is now known as novaflash_away
11:30 -!- mapps [Mark@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
11:30 -!- mapp [Mark@host86-171-168-130.range86-171.btcentralplus.com] has quit [Read error: Connection reset by peer]
11:30 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Remote host closed the connection]
11:31 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
11:31 -!- mapp [Mark@host86-171-168-130.range86-171.btcentralplus.com] has joined #openvpn
11:31 -!- mapps [Mark@host86-171-168-130.range86-171.btcentralplus.com] has quit [Read error: Connection reset by peer]
11:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:42 -!- novaflash_away is now known as novaflash
11:47 -!- mattock_afk is now known as mattock
11:55 -!- he1kki [~heikki@border.bitcoinia.net] has quit [Ping timeout: 252 seconds]
11:57 -!- he1kki [~heikki@border.bitcoinia.net] has joined #openvpn
12:00 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
12:01 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 252 seconds]
12:09 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
12:15 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:16 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 276 seconds]
12:23 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
12:25 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
12:25 -!- joshh20-Away is now known as joshh20
12:27 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 252 seconds]
12:27 -!- piem_ [~piem@coconut.piem.org] has quit [Ping timeout: 252 seconds]
12:28 -!- piem [~piem@coconut.piem.org] has joined #openvpn
12:28 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
12:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-xvlgzcaxxgbhoisq] has quit [Ping timeout: 248 seconds]
12:29 -!- josefig_ [~josef@187.188.82.71] has joined #openvpn
12:29 -!- josefig_ [~josef@187.188.82.71] has quit [Client Quit]
12:37 -!- SuperLag [~akulbe@unaffiliated/superlag] has joined #openvpn
12:39 < SuperLag> When I connect to a customer VPN, the local internet connection gets cut off. From what I've seen in stdout, I'm guessing the default route gets changed. I know there is a --route option, but I'm having trouble getting the syntax right.
12:40 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
12:41 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
12:41 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:42 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
12:43 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
12:43 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
12:43 -!- kirin` [telex@gateway/shell/anapnea.net/x-byydoebfdhngtwid] has joined #openvpn
12:50 < EugeneKay> !def1
12:50 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:50 < EugeneKay> !redirect
12:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:50 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:59 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:00 < SuperLag> thank you
13:00 < SuperLag> I'll check that out.
13:01 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
13:03 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
13:39 -!- schultza [~quassel@166.70.157.138] has joined #openvpn
13:50 -!- SuperLag [~akulbe@unaffiliated/superlag] has quit [Ping timeout: 272 seconds]
13:51 -!- SuperLag [~akulbe@unaffiliated/superlag] has joined #openvpn
13:52 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
13:52 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
13:53 -!- SuperLag [~akulbe@unaffiliated/superlag] has quit [Remote host closed the connection]
13:57 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
14:03 -!- mattock is now known as mattock_afk
14:04 -!- joshh20 is now known as joshh20-Away
14:05 -!- joshh20-Away is now known as joshh20
14:08 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:09 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Quit: Leaving]
14:11 -!- joshh20 is now known as joshh20-Away
14:13 -!- elfixit1 [~Icedove@178-83-160-136.dynamic.hispeed.ch] has joined #openvpn
14:25 -!- elfixit1 [~Icedove@178-83-160-136.dynamic.hispeed.ch] has quit [Quit: elfixit1]
14:26 -!- ASUChander [~asuchande@cpe-071-070-224-227.nc.res.rr.com] has joined #openvpn
14:27 < ASUChander> If I use openvpn for a point-to-point config (with a shared secret for encryption) it always uses the same encryption key (there is no re-handshake like if I am using certificates)
14:30 -!- joshh20-Away is now known as joshh20
14:33 < EugeneKay> Correct.
14:34 < EugeneKay> You can use client-server TLS as a p2p link just fine - only issue two certs.
14:34 < jeev> EugeneKay, i'm not sure what i was thinking when i wanted to go bridge, i guess i was going off stupid documentation supplied by someone to use bridging. i actually do use openvpn in a routed env for a fiber ptp, works great.
14:35 < jeev> i mean i use it in other instances but the one that i've been doing for this one client has been rock solid
14:35 < EugeneKay> I'm glad you've seen the light
14:35 < EugeneKay> And my dog has seen my pizza
14:35 < jeev> you're screwed then
14:36 < jeev> mine was eating bbq last night
14:36 < EugeneKay> I gave her the crusts
14:37 < jeev> ahh
14:37 < ASUChander> EugeneKay: if I do that I need to designate one host the "server" and the other the "client", right?
14:37 < EugeneKay> Yup.
14:37 < ASUChander> k, that's what I thought.  thanks
14:38 -!- glotze [~dlaw@e178192202.adsl.alicedsl.de] has joined #openvpn
14:38 < glotze> !welcome
14:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:38 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:39 < glotze> !route
14:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:39 <@vpnHelper> client
14:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:47 < glotze> any recommendation which router to buy with openvpn support
14:47 < glotze> !/30
14:47 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
14:48 < glotze> !topology
14:48 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:56 < glotze> a router which can support more than 5 connections not like linksys lrt214
15:09 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
15:26 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
15:30 < bigbob83> Hi all, i'm trying to customize openvpn windows client's opennvpn-gui in building it from sources;in the readme file i've seen that i need to use MinGW for building.I've installed it but i've an error when i'm doing a ./configure
15:30 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:31 < bigbob83> the error is: configure: error: no acceptable C compiler found in $PATH
15:33 < bigbob83> it tell me that i need C compiler but i don't know how install it; i've already checked some  gcc named package with graphical interface of minGW but it not correct this error
15:33 -!- joshh20 is now known as joshh20-Away
15:34 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Excess Flood]
15:34 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
15:34 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:59 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit []
16:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:11 -!- ASUChander [~asuchande@cpe-071-070-224-227.nc.res.rr.com] has quit []
16:15 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
16:28 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:30 < schultza> well. I installed network-manager-openvpn. Set up my vpn connection and it worked on connecting. But when I connected, my dns resolving starts getting "REFUSED". Is there some sort of firewall on dnsmasq?
16:30 < schultza> this is a combo openvpn and ubuntu issue. #ubuntu is not responding to this question.
16:31 < schultza> I'm trying to get DNS working with the information openvpn is pushing for the DNS server.
16:31 < schultza> I have access to the openvpn server.
16:36 < ngharo> !networkmanager
16:37 < ngharo> hmm
16:37 < ngharo> !ubuntu
16:37 <@vpnHelper> "ubuntu" is dont use network manager!
16:37 < ngharo> :)
16:37 < ngharo> schultza: use the openvpn init script or just launch it from the command line to start openvpn
16:37 < ngharo> then start looking at logs
16:37 < ngharo> !logs
16:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:38 < schultza> ngharo: ive tried that route, but dns through the vpn doesnt work there either.
16:38 < schultza> i think the logs are currently running verb 3. do i need to change them, connect and then paste logs?
16:39 < ngharo> 4 is more helpful as that is the level (iirc) that will show configuration too
16:39 < schultza> Ok. Give me a few.
16:41 < schultza> what log file are you guys looking for?
16:42 < ngharo> !logfile
16:42 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
16:49 < schultza> Here is the requested information. client config <http://paste.ubuntu.com/6764589/>. server config <http://paste.debian.net/76686/>. client log <http://paste.ubuntu.com/6764617/>. server log <http://paste.debian.net/76688/>.
16:50 -!- glotze [~dlaw@e178192202.adsl.alicedsl.de] has quit [Quit: Leaving]
16:50 < schultza> otherwise, i cant find the logs for openvpn on the server.
16:53 < schultza> The server is running debian, while the client is in ubuntu with that new mockup dns situation with dnsmasq running off info from networkmanager.
16:54 < schultza> is there a way to test which dns server dnsmasq has in its list?
17:03 < pekster> Yes, look at the config file or CLI opts you started it with
17:03 < pekster> If you're using ubuntu+dnsmasq+dbus+networkmanager, probably not (you'd have to ask n-m instead if you're drinking the Conanical kool-aid)
17:03 -!- pcdummy_ is now known as pcdummy
17:03 -!- pcdummy [~pcdummy@mx1.page4me.ch] has quit [Changing host]
17:03 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
17:04 < schultza> pekster: i posted those configs up already with the pastebins.
17:05 < schultza> thats with the cli client and cli daemon server use.
17:05 < pekster> No, your dnsmasq config
17:05 < pekster> dnsmasq is not part of openvpn
17:05 < pekster> Thus you'd ask _its_ config file if you want to know what it's doing
17:06 < schultza> it's default. I havent changed it. so i guess it's using network manager. Any good guides you know of?
17:06 < pekster> Not using n-m
17:06 < pekster> Alternatively, learn to use/embrace n-m and ask _IT_ for the details of wtf it's doing
17:06 < schultza> What do you recommend for someone with ubuntu/wireless/openvpn?
17:06 < pekster> Try nm-tool
17:06 < schultza> for a network control.
17:06 < pekster> Start openvpn from a prompt; that's what I do
17:06 < pekster> Alternatively, look at a frontend that actually lets you see what it's doing
17:07 < pekster> n-m sometimes "magically works", but you really can't query things when you're that far down the dbus train
17:07 < schultza> nm-tool is a cli equiv of network manager?
17:07 < pekster> No, it spews config data
17:07 < pekster> Sort of
17:08 < pekster> Either way, learning to understand how your distro/OS/recursor works isn't really part of openvpn. #ubuntu or the web might be more helpful
17:09 < pekster> fun fact: with dbus, ubuntu doesn't show you _any_ detail of how dnsmasq is configured; you must rely on n-m in that case. Sometimes it works, but if not follow up with their support
17:10 < schultza> ok.
17:10 -!- joshh20-Away is now known as joshh20
17:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
17:13 < pekster> http://fpaste.org/69162/13899140/
17:14 < pekster> Feel free to configure dnsmasq to suck less; n-m does give you fairly well-documented hooks if you go that route
17:14 < pekster> Or maybe that's the if-up stuff. Check the manpages and/or downstream
17:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:38 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
17:41 -!- mapp [Mark@host86-171-168-130.range86-171.btcentralplus.com] has quit []
17:49 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
17:49 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
17:49 -!- tempusfol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
17:49 -!- tempusfol is now known as tempus_fol
17:51 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
17:51 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
17:57 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.3-dev]
17:57 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
18:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
18:20 < sync0pate> :(
18:27 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
18:30 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
18:44 -!- master_o1_master [~master_of@p4FD7B15B.dip0.t-ipconnect.de] has joined #openvpn
18:47 -!- master_of_master [~master_of@p4FD7B7BC.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
18:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
18:58 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
19:06 -!- darkdrgn2k4 [~darkdrgn2@69-165-131-20.dsl.teksavvy.com] has quit [Read error: No route to host]
19:06 -!- darkdrgn2k4 [~darkdrgn2@69-165-131-20.dsl.teksavvy.com] has joined #openvpn
19:15 -!- Denial- [Denial@90.201.173.63] has joined #openvpn
19:15 -!- Denial [Denial@2.217.201.230] has quit [Ping timeout: 252 seconds]
19:15 -!- Denial- is now known as Denial
19:29 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Quit: ZNC - http://znc.in]
19:29 -!- schultza [~quassel@166.70.157.138] has quit [Remote host closed the connection]
19:29 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
19:29 -!- joshh20-Away is now known as joshh20
19:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
20:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
20:13 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:18 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
20:25 -!- Devastator [~devas@186.214.111.33] has quit []
20:32 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
20:37 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
20:43 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
20:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
20:51 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:17 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
21:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
21:17 -!- heraclitus__ is now known as heraclitus
21:17 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has quit [Changing host]
21:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:55 -!- schnitzl [~schnitzl@dslb-178-007-167-189.pools.arcor-ip.net] has quit [Ping timeout: 245 seconds]
21:56 -!- schnitzl [~schnitzl@dslb-178-010-087-250.pools.arcor-ip.net] has joined #openvpn
22:02 -!- kirin` [telex@gateway/shell/anapnea.net/x-byydoebfdhngtwid] has quit [Ping timeout: 245 seconds]
22:07 -!- EugeneKay is now known as EuyeneKay
22:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-xjyokggioubdzuqn] has joined #openvpn
22:31 -!- joshh20 is now known as joshh20-Away
22:32 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
22:57 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:04 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 276 seconds]
23:05 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:05 -!- mode/#openvpn [+o raidz] by ChanServ
23:05 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 276 seconds]
23:05 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
23:14 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:30 -!- mrrothhcloud___ [uid4697@gateway/web/irccloud.com/x-sauoycpeocthovup] has joined #openvpn
23:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 248 seconds]
23:48 < mingdao> !route
23:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
23:48 <@vpnHelper> client
--- Day changed Fri Jan 17 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:01 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: lates.]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 248 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
01:32 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
01:32 < Xgates> hey guys
01:33 < Xgates> Someone I know added a patch into OpenVPN they compiled against to add in xcloak support, SO with a patch added to OpenVPN how does that fall in lines with the GNU General Public License? Would they have to make the patch source available?
01:34 < EuyeneKay> The provisions of the GPL apply to software being distributed; if they do not give anybody else a copy of the software then there are no requirements to disseminate the source/patch.
01:34 < Xgates> Sorry it's being made public
01:35 < EuyeneKay> Then they need to post the full source used to compile
01:35 < Xgates> It's a VPN service and they are providing this for customers...
01:35 < Xgates> and the patch source too?
01:36 < EuyeneKay> Are they providing a binary to users?
01:36 < Xgates> yes
01:36 < EuyeneKay> Then those users are entitled to the source of the binary
01:36 < Xgates> they compiled it right now and starting providing that and I stepped in to remind them about the License they seemed to have forgotten about...
01:36 < EuyeneKay> If the "patch" is compiled directly into openvpn, then yes, those additions must be released.
01:37 < Xgates> Are DOCs suppose to be made that tell what has been done besides the source?
01:37 < EuyeneKay> Only the source is required.
01:37 < Xgates> yeah they patched it and released the binary into an rpm
01:37 < EuyeneKay> However, if they release their addition as a --plugin, then there are no requirements
01:38 < Xgates> Well it's for customers so I think they might compile it in and release it as a binary packaged rpm
01:38 < EuyeneKay> (if it works with a stock openvpn rpm, anyway. If they've modified core openvpn or even just compiled+distributed it then the requirements still apply)
01:38 < Xgates> Stock OpenVPN was patched and then released into an rpm
01:39 < Xgates> that's what they're doing...
01:39 < EuyeneKay> Yup, gotta give source.
01:39 < Xgates> ok
01:39 < EuyeneKay> Even(technically) for what they've already distributed.
01:39 < Xgates> but as plugin you mentioned then don't need anything?
01:40 < EuyeneKay> Not for their plugin, no.
01:40 < Xgates> like you make a plugin that can be released without source and be kept closed?
01:40 < EuyeneKay> Yup. It would be a good idea to also provide a Known Stable openvpn rpm, for which they do need to publish source(or point to the appropriate openvpn source tarball which was used)
01:41 < Xgates> ok
01:41 < Xgates> now getting back again to what they are doing, just so I'm clear here...
01:41 < EuyeneKay> Sure.
01:41  * EuyeneKay likes bending licenses
01:41 < Xgates> Stock OpenVPN was patched and then released into an rpm, THEN do they also need to have DOCS added telling what they did, or only need to include the source is all?
01:42 <@krzee> just source
01:42 < Xgates> ok thanks guys
01:42 < EuyeneKay> Sure.
01:44 < EuyeneKay> This sort of thing is why I like more permissive licenses whenever feasible, WTFPL being my favorite.
01:44 < Xgates> So this is what I typed to them; http://pastebin.com/Sf94Zr4b
01:45 < Xgates> I believe I got it right, sorry getting sleepy hehe
01:45 < EuyeneKay> Looks right & reasonable.
01:46 < Xgates> Or I meant to say the source and patch need to be released...
01:46 < Xgates> THANKS
01:46 < EuyeneKay> They're really the same thing, if you know what the upstream is, but yeah.
01:47 <@krzee> EuyeneKay,  would the patch and a link to ovpn's git be enough?
01:47 < EuyeneKay> Yup.
01:47 < EuyeneKay> (IANAL)
01:48 <@krzee> and if that link is in the patch as a comment, boom done
01:48 <@krzee> (i assume)
01:48 <@krzee> UANAL?
01:48 < EuyeneKay> But I do play one in court.
01:49 <@krzee> !git
01:49 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
01:55 < Xgates> later guys
01:55 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Ping Timeout (0 Nano Seconds)]
01:56 < EuyeneKay> But how much later
01:58 -!- EuyeneKay is now known as Eugene
01:58 -!- mode/#openvpn [+o Eugene] by ChanServ
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:06 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
02:06 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
02:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:16 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 272 seconds]
02:18 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
02:29 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
02:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:45 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
02:52 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
02:54 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
02:55 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
02:55 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 276 seconds]
02:56 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
02:57 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
02:58 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
02:58 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
03:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
03:47 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
03:53 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Read error: Connection reset by peer]
03:54 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
03:57 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
04:21 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
04:25 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:31 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
04:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
04:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:58 -!- piece3 [~quassel@14.161.15.21] has joined #openvpn
05:02 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
05:06 -!- Cpt-Oblivious [chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
05:38 -!- mattock_afk is now known as mattock
05:51 -!- azi [~azi@unaffiliated/aquana] has quit [Ping timeout: 272 seconds]
05:54 -!- schnitzl [~schnitzl@dslb-178-010-087-250.pools.arcor-ip.net] has quit [Ping timeout: 245 seconds]
05:55 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:57 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
05:58 -!- schnitzl [~schnitzl@dslb-178-010-087-250.pools.arcor-ip.net] has joined #openvpn
05:59 -!- Devastator [~devas@177.99.154.10] has joined #openvpn
05:59 -!- azi [~azi@unaffiliated/aquana] has joined #openvpn
06:25 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
06:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:50 -!- Cpt-Oblivious [chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
06:51 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
06:59 < mingdao> !tcpip
06:59 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
07:07 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has joined #openvpn
07:07 < abique> Hi, which client do you recommand for windows and mac ?
07:07 < abique> something easy to use and free
07:14 <+rob0> There is one Windows package, so the choice there is easy. Get the latest version. Mac is Unix, so you can compile the source yourself if so inclined. There are various packaged binaries, though. Maybe ask in a Mac channel?
07:14 <+rob0> mingdao, o/
07:15 < abique> rob0, thanks
07:15 < abique> I found http://sourceforge.net/projects/securepoint/ and http://code.google.com/p/tunnelblick/
07:15 <@vpnHelper> Title: OpenVPN Client Windows | Free software downloads at SourceForge.net (at sourceforge.net)
07:16 <+rob0> for Windows, just get the one from the OpenVPN Community downloads.
07:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:23 -!- darkdrgn2k4 [~darkdrgn2@69-165-131-20.dsl.teksavvy.com] has quit [Read error: Connection reset by peer]
07:29 < abique> rob0, is it easy to install and setup
07:30 < abique> because we did setup openvpn for our company, and it seems it will not be very easy to setup on everyone's laptop
07:31 <+rob0> I don't use Windows nor Mac.
07:31 < abique> So do I
07:31 < abique> with networkmanager, it is so easy
07:31 < abique> but on windows and mac, it seems complicated
07:31 <+rob0> I know some folks have made private Windows packages to automate things.
07:33 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
07:35 < abique> We may end buying Viscosity
07:36 < abique> because it is the easiest client we can deploy
07:36 < abique> I wonder if Viscosity have to give the source code?
07:36 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 272 seconds]
07:39 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
07:41 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
07:44 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 252 seconds]
07:48 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
07:49 -!- lj1 [~l@192.241.174.169] has joined #openvpn
07:50 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
07:52 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
07:52 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
07:53 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
07:53 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:04 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
08:23 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
08:26 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
08:36 -!- mihok [~mihok@ec2-54-225-71-197.compute-1.amazonaws.com] has joined #openvpn
08:36 < mihok> !welcome
08:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:37 < mihok> !goal
08:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:38 < mihok> I have two remote servers acting as In/Out respectively, I would like to be able to connect to 1 VPN connection and be able to access both servers, I have the first server with vpn running a tun device. Can I just set the second server up as a client with a static IP?
08:46 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
09:11 -!- Jeeves_ [~Jeeves_@host01.tuxis.net] has joined #openvpn
09:11 < Jeeves_> Hi all
09:11 < Jeeves_> I'm having trouble disabling comp-lzo for a specific user.
09:11 < Jeeves_> "WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'"
09:12 < Jeeves_> But, comp-lzo is not mentioned anywhere in the config file, but it is set to 'no' on the commandline..
09:12 < Jeeves_> Can anyone hit me with a cluebat?
09:13 <@plaisthos> comp-lzo no and no comp-lzo at all are _NOT_ the same
09:14 <@plaisthos> comp-lzo no means  "Use compression pcket format but do not compress"
09:19 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:21 < Jeeves_> Oh, hmm.
09:22 < Jeeves_> So ehm. How DO i disable it? :)
09:22 -!- mihok [~mihok@ec2-54-225-71-197.compute-1.amazonaws.com] has quit [Ping timeout: 252 seconds]
09:22 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 260 seconds]
09:23 -!- mihok [~mihok@ec2-54-225-71-197.compute-1.amazonaws.com] has joined #openvpn
09:24 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:28 < mihok> 22
09:29 < mihok> How can I get my VPN to not route all my laptops traffic through the VPN just when I got to a specific IP
09:30 <@ecrist> do you control the server?
09:33 -!- glotze [~dlaw@e178211139.adsl.alicedsl.de] has joined #openvpn
09:44 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:58 -!- joshh20-Away is now known as joshh20
09:58 <@krzee> !route_override
09:58 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
10:01 < mihok> ecrist, I do!
10:05 <@plaisthos> Jeeves_: just don't include the option
10:06 < marlinc> !splitroute
10:06 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:09 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
10:09 < MacGyver> But sounds like he doesn't actually need --redirect-gateway at all, does it?
10:09 <@krzee> oh right, i read the question wrong
10:09 < MacGyver> Just a route for that specific subnet.
10:10 <@krzee> ya that ^
10:10 <@krzee> !redirect
10:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:10 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:10 <@krzee> but instead of redirect-gateway, just use --route
10:10 <@krzee> you still need NAT and ip forwarding on the server
10:12 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
10:14 < jeev> i'm having an extremely hard time with this routed set up, i've done it a ton of times before but this time it's a little bit different, the vpn server has (br0) which is bridging (eth0) and there is a virtual server on (tap0) which is NOT bridged. i can actually ping 10.0.0.1 (virtual on vpn server) from 10.0.1.1 (virtual on vpn client) however i can't do it in reverse, all my config matches.
10:14 < jeev> tcpdump shows a ping from 10.0.0.1 to 10.0.1.1 goes nowhere, never reaches tun0 on the other side. any suggestions ?
10:15 -!- lj1 [~l@192.241.174.169] has joined #openvpn
10:15 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 272 seconds]
10:17 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Ping timeout: 248 seconds]
10:17 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
10:19 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
10:20 -!- champtar [~champtar@ns623510.ovh.net] has quit [Ping timeout: 248 seconds]
10:21 -!- Devastator [~devas@177.99.154.10] has quit [Changing host]
10:21 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
10:22 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
10:23 -!- mihok [~mihok@ec2-54-225-71-197.compute-1.amazonaws.com] has quit [Ping timeout: 246 seconds]
10:27 < jeev> it has to be a masquerade issue hm
10:33 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 248 seconds]
10:35 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
10:37 -!- `Ile` [~ile@37.19.108.18] has joined #openvpn
10:37 -!- `Ile` [~ile@37.19.108.18] has quit [Client Quit]
10:41 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
10:41 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 246 seconds]
10:43 -!- glotze [~dlaw@e178211139.adsl.alicedsl.de] has quit [Ping timeout: 272 seconds]
10:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:48 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
10:55 -!- glotze [~dlaw@77.245.33.150] has joined #openvpn
10:55 -!- rooth_ is now known as rooth
10:59 -!- joejack [~joejack@99-106-141-155.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
10:59 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 276 seconds]
11:03 < joejack> my free vpn service allows me to connect in tcp80, tcp443, UDP53, or UDP4000. Does that mean for example if I connect with tcp80 that I can't get pages that have an https protocol?
11:04 < joejack> or does the tcp80 mean only how I talk to the vpn server?
11:11 -!- glotze [~dlaw@77.245.33.150] has quit [Read error: Operation timed out]
11:11 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
11:17 < BtbN> it's propably meant as a way to bypass highly restrictive firewalls which only allow http ports
11:20 -!- nlopez_ [~quassel@198.211.102.196] has joined #openvpn
11:20 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has quit [Ping timeout: 272 seconds]
11:21 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 272 seconds]
11:21 -!- thalweg [~quassel@198.211.102.196] has quit [Ping timeout: 272 seconds]
11:22 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
11:26 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:29 -!- joejack [~joejack@99-106-141-155.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 252 seconds]
11:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:34 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
11:35 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:49 < pekster> abique: If you're still around, Tunnelblick is super-easy from a deployment standpoint. You should read their deployment docs becuase you can ship a .app package with _everything_ a client needs to work out of the box
11:49 < pekster> Far easier than doing that same task in Windows
11:50 < abique> pekster, thanks!
11:50 < abique> maybe on my freetime I'll write a portable Qt5 client
11:51 < abique> which can do bundle for easy deployment
11:51 < pekster> For Windows you could either hack the official .nsi, but you might just want to do a 'layered' approach and check for/install openvpn if needed, then do your "site" config after
11:51 < pekster> YMMV, depends on needs, etc
11:51 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
11:59 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
12:04 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
12:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:21 -!- joshh20 is now known as joshh20-Away
12:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:48 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
12:48 < DRice7> hello all, I'm not a complete openvpn noob - but as far as applying it for my uses I am. Currently
12:49 < DRice7> I have an ASUS router handling my openvpn server - and it's setup as TUN - however I'm having problems accessing some of the remote IPs - should I be running TAP instead?
13:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:08 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
13:09 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has quit [Quit: Leaving]
13:16 -!- mnp [~mperilste@c-69-242-123-105.hsd1.pa.comcast.net] has joined #openvpn
13:16 < mnp> !goal
13:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:20 < mnp> hey all, dumb client question.  I'm trying to do something from a client's route-up script that involves traffic to the vpn server (10.8.0.1).  while the route-up script is running, but before "initialization complete", traffic can't flow to server.  Is there such a thing as a post-everything script?
13:21 < mnp> while in route-up, the route has been added okay, but 10.8.0.1 won't ping
13:21 < mnp> after initialization complete, ping and all other traffic to there are fine
13:21 < mnp> (eoq)
13:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-xjyokggioubdzuqn] has quit [Ping timeout: 248 seconds]
13:37 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
13:38 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
13:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-busunsoyjixaztlo] has joined #openvpn
14:06 -!- C_Kode [~nunya@38.108.104.210] has joined #openvpn
14:06 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:07 < C_Kode> Would openvpn start named?  I shut named down and for some reason I found it running again
14:07 < C_Kode> This happen when I reloaded openvpn
14:07 < C_Kode> er, I noticed it running again after restarting openvpn
14:09 < C_Kode> Hmm.  I stopped it and it just started again. (was watching the messages file and saw it start up)
14:10 < doug[work]> very unlikeyl
14:11 < C_Kode> I have named disabled, yet something is starting it. :(
14:14 -!- joshh20-Away is now known as joshh20
14:17 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:24 -!- joshh20 is now known as joshh20-Away
14:28 -!- joshh20-Away is now known as joshh20
14:29 -!- mnp [~mperilste@c-69-242-123-105.hsd1.pa.comcast.net] has left #openvpn []
14:33 -!- mattock is now known as mattock_afk
14:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
15:02 -!- C_Kode [~nunya@38.108.104.210] has quit [Quit: Leaving]
15:09 < DRice7> I would like to access the LAN behind the server. I am currently using openvpn server on an ASUS RT-N61. I would like to be able to ssh to my linux box once connected. Currently using 'dev tun'
15:12 < DRice7> http://pastebin.com/VccMszQ9
15:16 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
15:16 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
15:20 -!- oO0Oo [o_o@gateway/shell/elitebnc/x-sydkpidmlwgmexxp] has quit [Quit: EliteBNC - http://elitebnc.org (Auto-Removal: idle account/not being used)]
15:21 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
15:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:37 -!- jeev [~j@unaffiliated/jeev] has left #openvpn []
15:59 < pekster> DRice7: Not nearly enough info. No server config, no logs from either end. Read the helpful refs in the /TOPIC, such as !welcome, !configs, !logs, and !paste
15:59 < pekster> See also: !serverlan for accessing server-side resources and a flowchart to help
16:02 <@krzee> !serverlan
16:02 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:02 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:02 <@krzee> =]
16:02 < pekster> And in case using the bot was tricky:
16:02 < pekster> !new
16:02 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
16:07 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
16:07 < pekster> krzee: I need to shell `alias` this so I can call it from irssi:
16:07 < pekster> % printf "you gave us %s lines, when you should have given us %s lines\n" "$(wc -l a.conf)" "$(sed -E '/^#/d;/^;/d;/^$/d' a.conf | wc -l)"
16:07 < pekster> you gave us 123 a.conf lines, when you should have given us 14 lines
16:10 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
16:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
16:37 -!- nfx [nughaud@gateway/shell/sh3lls.net/x-drlwuzpypvbkqnjf] has joined #openvpn
16:38 < nfx> Is there a way to run 2 instances of OpenVPN clients that belong to 2 different providers? Seems they want to keep reinstalling over each other
16:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
16:40 < pekster> nfx, we don't deal with "providers" here. OpenVPN can run as many instances as you want -- you simply call the openvpn program and point each invocation to a different (or even the same!) config file. I've launched over 1000 instances at once before during tests
16:40 < pekster> If you're having "provider installation" problems, I suggest you ask them
16:41 < nfx> pekster, I can probably figure it out, just wondered if it was something simply as creating additional TAP virtual ethernet adapters, so if I can't, then I'll contact the provider
16:41 < pekster> Windows? You'll need to create as many adapters as you're invoking instances, yea
16:42 < pekster> Any non-MS platform does that dynamically
16:42 < nfx> ok, i'll go play around with it, thanks
16:42 <@krzee> !addressing
16:42 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
16:43 <@krzee> (Was for me)
16:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:49 < thoraxe> hmm, i can't seem to find an example of a linux resolv.conf up/down script setup.  everything seems to point to "resolvconf" which is a tool that doesn't exist in fedora
16:51 < pekster> Then find a different solution or build it for your preferred platform? Maybe look at what it would take to package it properly so others can benefit if you think it's more generally useful? http://packages.qa.debian.org/r/resolvconf.html
16:51 <@vpnHelper> Title: Debian Package Tracking System - resolvconf (at packages.qa.debian.org)
16:51 <@Eugene> When did Fedora nuke resolvconf o.O
16:51 <@Eugene> They're more and more insane all the time.
16:52 <@Eugene> I heard something about moving to rolling-release / back to the "Core" idea.
16:52 < pekster> Eugene: What, doesn't systemd make all that obsolete anyway? :P :(
16:52 -!- pekster was kicked from #openvpn by Eugene [HERETIC]
16:52 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
16:52 < pekster> Nah, systemd can burn. Maybe it'll be stable in 5 years. Maybe
16:53 <@Eugene> I like the idea, but yeah, fuck the implementation.
16:53 < pekster> I'm surprised there's no systemd-resolverd or such :P
16:53 < pekster> Unification is good, but a library with not even a solid API definition is silly
16:53 < thoraxe> Eugene: no idae, but "resolvconf" is not in Fedira 18
16:53 < thoraxe> wow spelling
16:54 < thoraxe> yum provides '*bin/resolvconf' comes back empty.
16:54 < pekster> https://admin.fedoraproject.org/pkgdb/acls/list/*resolv*
16:54 < pekster> Seems so
16:54 <@Eugene> Try this https://github.com/OpenVPN/openvpn/tree/master/contrib/pull-resolv-conf
16:54 < thoraxe> i'd be happy to use a simple bash script, but i'm not having much luck finding a good one
16:54 <@vpnHelper> Title: Fedora Package Database -- Packages Overview acls/name (at admin.fedoraproject.org)
16:54 <@vpnHelper> Title: openvpn/contrib/pull-resolv-conf at master · OpenVPN/openvpn · GitHub (at github.com)
16:55 <@Eugene> Pretty sure it's exactly what you want
16:56 < thoraxe> yeah looks like
16:56 < thoraxe> i'll give it a shot
16:56 < pekster> That contrib script attempts to use resolvconf if it can, otherwise it just blindly clobbers the system resolv.conf
16:56 < pekster> beware any local services that also try to "own" resolv.conf (like pretty much any DHCP client, or whatever backend IT'S using)
16:59 < thoraxe> yep
16:59 < thoraxe> WARNING: External program may not be called unless '--script-security 2' or higher is enabled. <- fun
16:59 < thoraxe> heh
17:02 < thoraxe> seems to have worked
17:02 < thoraxe> not pretty though, that's for sure
17:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
18:05 -!- bersace [~bersace@sevin.cae.li] has quit [Ping timeout: 260 seconds]
18:05 -!- bersace [~bersace@sevin.cae.li] has joined #openvpn
18:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
18:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
18:08 -!- mode/#openvpn [+o vpnHelper] by ChanServ
18:08 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
18:09 -!- james41382_ is now known as james41382
18:23 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 252 seconds]
18:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:33 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
18:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:44 -!- master_of_master [~master_of@p4FD7B104.dip0.t-ipconnect.de] has joined #openvpn
18:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
18:46 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:47 -!- master_o1_master [~master_of@p4FD7B15B.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
18:56 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
19:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
19:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
20:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
20:45 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
20:47 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
20:48 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:49 -!- lj1 [~l@192.241.174.169] has quit [Client Quit]
20:50 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
20:51 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
20:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
20:53 < quantumkey> Other than --ECHO and --LOG everything works fine
20:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:56 < quantumkey> If i start from explorer "start openvpn on this config file" NO LOG
20:57 < quantumkey> v232 sucks
21:08 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
21:36 -!- joshh20 is now known as joshh20-Away
21:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
21:55 < pekster> ffs, that one just won't learn
21:55 < jeev> man
21:55 < jeev> i'm having such a weird problem, it has to do with routing.
21:55 -!- schnitzl [~schnitzl@dslb-178-010-087-250.pools.arcor-ip.net] has quit [Ping timeout: 248 seconds]
21:56 < jeev> i have tap0 without a bridge, on IP 10.0.0.1 for example, a virtual windows at 10.0.0.254, this is the openvpn server, the client is on 10.0.1.1/10.0.1.254.
21:56 < jeev> what's weird is, i can ping from windows, 10.0.0.1 from the client, i can ping .254 from the client, however, i can't ping from the server, it goes nowhere.
21:56 < jeev> so 10.0.1.1 (windows) can ping 10.0.0.1 but 10.0.0.1 can't reach 10.0.1.1
21:56 -!- schnitzl [~schnitzl@dslb-088-067-165-197.pools.arcor-ip.net] has joined #openvpn
21:57 < pekster> Firewall
21:57 < pekster> Obviously the return traffic gets sent properly, so it's a firewall (or maybe bad/improper use of NAT)
21:58 < jeev> it's the same firewall on both sides.
21:59 < jeev> so, for example. when i ping from the machine that can't get to th e other side, i never see that packet in tun0 when running tcpdump on the receiving side.
21:59 < jeev> so if i'm sending from one windows to another, i see the sender in tun0, i don't see it ever get to tun0 on the receiving side.
21:59 < jeev> it has to do with my routing table. i don't see an issue though.
22:00 < pekster> No, it's not the routing table
22:00 < jeev> i have no logs or anything i can show but soon i can, will you be around ?
22:00 < pekster> Your _RETURN_ packet gets there
22:00 < pekster> The ICMP echo-reply (aka "pong") gets back
22:00 < jeev> from one side.
22:00 < pekster> ie: routing is working, unless you're doing brain-dead NAT between RFC networks
22:01 < jeev> i'll brb, so sorry
22:01 < pekster> ICMP echo-reply has to be routed. Like anything else
22:01 < jeev> i know.
22:01 < jeev> brb
22:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
22:35 -!- noobboob2 is now known as noobboob
22:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:41 < jeev> pekster
22:42 < jeev> the funny part is, exactly, ping replies when you ping A from B, but when i ping B from A, it never passes tun0
22:42 < jeev> i dont know.
22:42 < jeev> let me stare at the firewall again
22:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
22:50 < jeev> and also, earlier i was able to ping 10.0.1.254 (client tap0 ip) from 10.0.0.254 (server tap0 ip) but now i am not.
22:55 < jeev> http://pastebin.com/nkPL5Q3Q
23:02 -!- fp` [~mackdre@pool-108-35-2-108.nwrknj.fios.verizon.net] has joined #openvpn
23:03 < fp`> if im running an openvpn server (windows), is it possible to restrict clients from accessing urls/ip addresses?
23:05 < pekster> fp`: Yup, same way you would without a VPN: use a firewall
23:07 < fp`> id have to apply the firewall only to that vpn adapter right?
23:08 < pekster> Depends on your needs. The "Windows Advanced Firewall" control pannel (or w/e they call it these-days) is what you want
23:08 < pekster> ##windows will be of more help if you need assistance with distro-isms
23:10 < jeev> pekster, so when looking at ip route, it doesn't look off /
23:11 < pekster> I don't have any clue what 2 tables means without context
23:12 < pekster> I have no clue what has what IP
23:12 < pekster> I have no clue what your VPN setup is
23:12 < pekster> I have no clue what NAT is involved
23:12 < pekster> (hopefully none, but people do dumb things between RFC1918 sometimes)
23:13 < pekster> Start with:
23:13 < pekster> !welcome
23:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:14 < pekster> Try !configs, !logs, and please remove worthles crap as !paste informs
23:40 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
--- Day changed Sat Jan 18 2014
00:03 -!- fp` [~mackdre@pool-108-35-2-108.nwrknj.fios.verizon.net] has left #openvpn []
00:30 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 248 seconds]
00:31 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
00:46 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has quit [Quit: XDCC Browser 4.52 .... www.XDCCBrowser.com]
00:47 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 248 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:06 -!- tfox [~tfox@198.144.156.122] has joined #openvpn
01:10 -!- mattock_afk is now known as mattock
01:23 -!- lj [~l@adsl-99-59-14-158.dsl.peoril.sbcglobal.net] has joined #openvpn
01:24 -!- lj1 [~l@192.241.174.169] has joined #openvpn
01:28 -!- lj [~l@adsl-99-59-14-158.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 272 seconds]
01:29 -!- intricate_ [~xach@2607:5300:60:3d47::1] has joined #openvpn
01:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
01:30 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 240 seconds]
01:30 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Ping timeout: 240 seconds]
01:30 -!- intricate_ is now known as intricate
01:30 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Changing host]
01:30 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
01:31 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:32 -!- s0meone- [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
01:35 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 240 seconds]
01:35 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
01:35 -!- pgib [~pgib@76.18.186.63] has joined #openvpn
01:35 -!- s0meone- is now known as s0meone
01:40 -!- lj [~l@99.155.24.89] has joined #openvpn
01:42 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
01:48 -!- tfox [~tfox@198.144.156.122] has quit [Quit: tfox]
02:08 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 272 seconds]
02:10 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Read error: Connection reset by peer]
02:10 -!- moparisthebest [~quassel@mailer.moparscape.org] has joined #openvpn
02:16 -!- tfox [~tfox@198.144.156.126] has joined #openvpn
02:22 -!- tfox [~tfox@198.144.156.126] has quit [Ping timeout: 252 seconds]
02:32 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
02:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:39 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
02:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
02:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:34 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
03:35 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
03:43 -!- mattock is now known as mattock_afk
03:53 -!- heraclitus__ [~heraclitu@cpe-72-181-248-94.tx.res.rr.com] has joined #openvpn
03:55 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
03:55 -!- heraclitus__ is now known as heraclitus
03:55 -!- heraclitus [~heraclitu@cpe-72-181-248-94.tx.res.rr.com] has quit [Changing host]
03:55 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:59 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
03:59 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Read error: Connection reset by peer]
03:59 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 272 seconds]
03:59 -!- levifig [~levifig@hakr.io] has quit [Ping timeout: 272 seconds]
04:00 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
04:00 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 272 seconds]
04:01 -!- nobit [nobit@unaffiliated/muska] has quit [Ping timeout: 272 seconds]
04:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
04:01 -!- bersace [~bersace@sevin.cae.li] has quit [Ping timeout: 272 seconds]
04:01 -!- heraclitus__ is now known as heraclitus
04:02 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has quit [Changing host]
04:02 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:02 -!- bersace [~bersace@sevin.cae.li] has joined #openvpn
04:02 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has quit [Remote host closed the connection]
04:03 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 272 seconds]
04:03 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
04:03 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
04:04 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
04:06 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
04:07 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
04:08 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 272 seconds]
04:08 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
04:12 -!- levifig [~levifig@hakr.io] has joined #openvpn
04:14 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
04:15 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
04:15 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
04:17 < sammm> !paste
04:17 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
04:18 < sammm> !configs
04:18 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:25 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
04:39 -!- ManjXfceUsr [~ManjXfceu@host86-172-53-183.range86-172.btcentralplus.com] has joined #openvpn
04:39 < ManjXfceUsr> Hello
04:39 < ManjXfceUsr> So I am currently trying to install Openvpn on Centos 6
04:40 < ManjXfceUsr> I have a problem
04:40 < ManjXfceUsr> I am following a guide online
04:40 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
04:40 < ManjXfceUsr> Which is probably out of date...
04:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
04:42 < ManjXfceUsr> I can't seem to locate easy-rsa folder
04:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:46 < ManjXfceUsr> any takers?
04:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
04:52 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
05:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:14 -!- mattock_afk is now known as mattock
05:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Client Quit]
05:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:19 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 252 seconds]
05:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:22 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
05:33 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
05:35 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
05:35 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
05:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
05:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:52 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
06:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:33 -!- bogie [bogie@mail.b02.a01.ca] has quit [Ping timeout: 264 seconds]
06:36 < heraclitus> ManjXfceUsr, you have to install easy-rsa
06:37 < heraclitus> it will install to /usr/share/easy-rsa
06:37 < heraclitus> then just copy the necessary files to your /etc/openvpn file
06:37 < heraclitus> s/file/directory
06:38 < heraclitus> it's in the epel repository, iirc
06:43 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
06:45 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
06:45 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
06:52 < ManjXfceUsr> oh just noticed this
06:52 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:52 < ManjXfceUsr> Well from what I have been reading easy-rsa does not come with openvpn anymore
06:52 < ManjXfceUsr> or something like that
06:53 < ManjXfceUsr> I've been at it for 2 hours I will try again soon.
06:53 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 245 seconds]
06:58 < heraclitus> that is correct, ManjXfceUsr, that's why you have to install it ;)
06:58 < heraclitus> or create your own CA
07:03 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
07:06 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
07:08 < bertodsera> Hi all. I know close to nothing of networks, so excuse me if my questions sound stupid. I have created an openvpn based VPN to connect to my NAS, I would wish to use it ONLY for this, so that any other traffic is routed on the currently available connection (these are laptops) instead of passing through the vpn. Is these even possible?
07:08 < bertodsera> basically it should be used to access the NAS as a remote samba resource, no matter where I am
07:11 -!- julius_ [~julius_@141.41.92.61] has joined #openvpn
07:11 < julius_> hi
07:12 < julius_> im using redirect-gateway def1 on the server and most of my traffic goes over the vpn, but im still seeing traffic to 108.168.151.6, how is that possible?
07:12 < MacGyver> bertodsera: Yes. Just don't pass --redirect-gateway, but rather a route specifically for the NAS.
07:14 < bertodsera> MacGyver: thanks!
07:23 < bertodsera> MacGyver: hmmm my problem seems to be that the QNAP server pushes out routes that engulf all the possible traffic, so I probably need to ignore them and build my routes client sides, right?
07:25 < MacGyver> bertodsera: Oh, you don't have control over the server? Then yes, you'll need to fix that on the client side, but I'm not sure how that works tbh.
07:33 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has joined #openvpn
07:39 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 260 seconds]
07:45 < bertodsera> yeap, the box is a debian based NAS that I can hardly touch, and it works fine with all android devices so I would rather not risk mesing it up for just 2 linux laptops. I seem to have found something called route-nopull, I will look for  an example
07:51 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
07:53 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
08:21 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
08:24 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 276 seconds]
08:26 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 272 seconds]
08:35 -!- mattock is now known as mattock_afk
08:35 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
08:37 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
08:37 -!- ManjXfceUsr [~ManjXfceu@host86-172-53-183.range86-172.btcentralplus.com] has quit [Remote host closed the connection]
09:18 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 276 seconds]
09:19 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
09:20 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
09:20 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Excess Flood]
09:21 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
09:29 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
09:35 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Connection reset by peer]
09:35 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:49 -!- Netsplit *.net <-> *.split quits: Mike--, heraclitus, bertodsera, __FBi, keropok_, Cpt-Oblivious
09:52 -!- Netsplit over, joins: bertodsera, heraclitus, Cpt-Oblivious, __FBi, keropok_, Mike--
09:56 -!- Netsplit *.net <-> *.split quits: Mike--, heraclitus, bertodsera, __FBi, keropok_, Cpt-Oblivious
09:56 -!- mattock_afk is now known as mattock
09:56 -!- i7c [~i7c@unaffiliated/i7c] has quit [Ping timeout: 272 seconds]
09:58 -!- Netsplit over, joins: bertodsera, heraclitus, Cpt-Oblivious, __FBi, keropok_, Mike--
09:59 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
10:23 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
10:24 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 265 seconds]
10:35 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:51 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
10:53 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
11:06 -!- mattock is now known as mattock_afk
11:07 < jeev> pekster, i got it last night, i didn't have a ccd config set up with iroute for that client.
11:08 < jeev> and i didn't have 'route' without push in the server config also
11:13 <@krzee> did you use the flowchart? :)
11:13 -!- mode/#openvpn [+v jeev] by krzee
11:13 <@krzee> ltns
11:21 <+jeev> hey krzee
11:21 <+jeev> i went off old config man
11:22 <+jeev> i tend to keep doing this to myself and never fully understand the basics of this stuff, i am all over the place, it's really stressing me out
11:23 <@krzee> just read:
11:23 <@krzee> !route
11:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
11:23 <@krzee> a few times
11:24 <@krzee> dont read to gleen the config info, read for understanding
11:24 <@krzee> then if you want i can explain what you dont get
11:26 <+jeev> ugh yea
11:26 <+jeev> i wish i had run that command, i think i was trying a bridge first, that's why ;/
11:27 <+jeev> i actually was on routedlans page last night. i just didn't think the iroute part was important ;)
11:27 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 248 seconds]
11:27 <+jeev> that page is actually what convinced me to get a proper route in.
11:30 <+jeev> well, i excited now, i have to get a third machine connected now.
11:30 <+jeev> i'm building this for a stupid microsoft exchange network
11:31 -!- pgib [~pgib@76.18.186.63] has quit [Changing host]
11:31 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
12:02 -!- sync0pate [~sync@unaffiliated/sync0pate] has quit [Excess Flood]
12:02 -!- sync0pate [~sync@109.169.46.200] has joined #openvpn
12:02 -!- sync0pate is now known as Guest51946
12:02 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Read error: Connection reset by peer]
12:02 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
12:35 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
12:37 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 260 seconds]
12:38 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
12:47 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has quit [Quit: XDCC Browser 4.52 .... www.XDCCBrowser.com]
12:47 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
12:55 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
12:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
12:56 < julius_> im using redirect-gateway def1 on the server and most of my traffic goes over the vpn, but im still seeing traffic to 108.168.151.6, how is that possible?
12:56 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has quit [Read error: Connection reset by peer]
12:57 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
12:58 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Changing host]
12:58 -!- pwrcycle [~pwrcycle@unaffiliated/pwrcycle] has joined #openvpn
12:59 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:02 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Remote host closed the connection]
13:03 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
13:04 <@Eugene> Is that the ip of your vpn server?
13:09 -!- Guest51946 [~sync@109.169.46.200] has quit [Ping timeout: 248 seconds]
13:10 -!- sync0pate [~sync@109.169.46.200] has joined #openvpn
13:10 -!- sync0pate is now known as Guest96613
13:12 -!- nick4 [~nick4@46.246.254.182.dsl.dyn.forthnet.gr] has joined #openvpn
13:14 < nick4> This is my first time on OpenVPN. I've just configured the server on a Linux box and I'm trying to connect from a Windows client. The server log tells me things are okay, but the Windows client doesn't give any output - not even an error. Here are the two configs and the command I use to launch the client: http://pastebin.com/raw.php?i=sEWMDKbZ
13:26 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Quit: Leaving]
13:38 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
13:41 -!- APTX [APTX@unaffiliated/aptx] has quit [Ping timeout: 276 seconds]
13:42 -!- APTX [APTX@unaffiliated/aptx] has joined #openvpn
13:49 <@krzee> nick4, try using full paths
13:53 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has joined #openvpn
13:53 < nick4> in the windows batch file krzee ?
13:53 <@krzee> yep
13:53 <@krzee> also you can get a logfile in windows for debugging
13:54 <@krzee> --log /path/to/log
13:54 < pekster> There's always output. If you're "double-clicking" a batch file, you lose all the output when the prompt closes
13:54 < pekster> You don't have that problem if you start it _from_ a prompt, since openvpn logs to stdout unless modified
13:54 < pekster> !logs
13:54 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:54 < pekster> Oh, wrong one. See this one instead:
13:54 < pekster> !logfile
13:54 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
13:54 < pekster> (#4) explains your current situation
13:55 < pekster> Also note that the Windows GUI keeps a full record of the last log in a text file, which is helpful
13:58 < nick4> thank you krzee! the --log option did it's work. I now know the problem.
14:01 -!- APTX_ [APTX@unaffiliated/aptx] has joined #openvpn
14:02 -!- APTX [APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
14:07 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
14:12 < lachesis> i'm having some weird problems with ipv6 support over openvpn. packets are getting routed to the tun interface on the remote server, but then they're not showing up on the HE ipv6 tunnel.
14:12 < lachesis> (according to tcpdump)
14:13 -!- Guest96613 [~sync@109.169.46.200] has quit [Ping timeout: 259 seconds]
14:13 -!- sync0pate [~sync@109.169.46.200] has joined #openvpn
14:13 < lachesis> !paste
14:13 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
14:13 -!- sync0pate is now known as Guest37565
14:14 < lachesis> https://gist.github.com/anonymous/8495606
14:14 <@vpnHelper> Title: remote server routing table (at gist.github.com)
14:21 -!- Guest37565 [~sync@109.169.46.200] has quit [Ping timeout: 272 seconds]
14:22 -!- sync0pate_ [~sync@109.169.46.200] has joined #openvpn
14:26 < pekster> What's with the unreachable route?
14:29 < pekster> lachesis: At any rate, your default route looks fine, so check the routing table (try `ip route get` on your target) and verify the firewall config
14:30 < pekster> And forwarding, both the "all" and per-interface sysctl tunables
14:30 < pekster> `sysctl -a | grep ipv6` might be a good starting point
14:33 < lachesis> pekster: interesting, i don't have the all forwarding on, but i do have per-interface forwarding on
14:34 < pekster> You need both
14:35 < lachesis> kk lemme try that out
14:36 < pekster> The reference for that is ~linux/Documentation/networking/ip-sysctl.txt
14:36 < pekster> IOW, you have a "do we forward globally between interfaces?" and a "does _this_ particular interface forward?" setting
14:36 < pekster> Mind IPv6 netfilter rules too
14:39 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 260 seconds]
14:40 < lachesis> pekster: thx, that did it
14:40 < lachesis> at least on one box
14:40 < lachesis> time to go look at the other :)
14:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
14:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:46 < lachesis> hmm so the other box already has all the forwarding stuff set up
14:47 < lachesis> much harder to test, though, as i'm currently at that site
14:51 -!- Ghormoon [~Ghormoon@61.2.broadband3.iol.cz] has joined #openvpn
14:53 < Ghormoon> hi, is there any easy way to limit clients by name in certificate? I wan't to have two separate network, I sign both with my CA, so i do hostname.vpn.domain.tld and hostname.gaming.domain.tld, any easy fix to filter it? :)
14:54 -!- pr0t [~pr0t@69-26-152-240.mt9.aerioconnect.net] has joined #openvpn
14:55 < pr0t> Hi, I currently have openvpn using tun running, but only me and one other employee connect to it, I want to allow all employees to connect to it though we have roughly 250 employees
14:55 < pr0t> I was wondering the best way to go about this so that I don't run into performance issues or hit any limits that would make it so users couldn't connect to the vpn
14:56 < Ghormoon> pr0t: I don't know much about performance, but I think key would be how much traffic do you expect and how strong is the server and it's bandwith ...
14:57 < pekster> CPU tends to be the first practical limit people hit; since openvpn is single-threaded, you only get 1 core for the entire instance
14:57 < pekster> Ensure you're using a large enough network and connecting 250 at once is doable; at that point you might want to load-balance between more instances though to spread the core load out
14:58 < pekster> TLS traffic (which is _quite_ CPU intense) becomes a question too since the keepalive traffic is TLS
14:59 < pekster> Ghormoon: Take a look at --ccd-exclusive. Alternatively use a --client-connect script and take action based on the $common_name env-var (see !scripts for manapge refs)
15:00 < pr0t> pekster right
15:01 < pr0t> I was googling how to do some type of load balancing between two openvpn servers
15:01 < pr0t> also i am a bit worried cause where i currently have openvpn setup is a virtual machine
15:01 < pr0t> hopefully it can handle it
15:01 < pr0t> my other question would be right now I use keys to connect to the vpn
15:01 < pr0t> is there an easier way to set this up so users just use a password?
15:01 < Ghormoon> thanks, I'll have a look, only point is that I want only *.vpn.domain.tld being able to connect to the "core" network, I don't really care about the gaming one (I just need a hamachi replacement, that thing sucks) :)
15:04 < pekster> So write a script that checks the common_name
15:04 < pekster> As I said above
15:05 -!- sync0pate_ is now known as sync0pate
15:05 -!- sync0pate [~sync@109.169.46.200] has quit [Changing host]
15:05 -!- sync0pate [~sync@unaffiliated/sync0pate] has joined #openvpn
15:08 < pr0t> hrmm so you can run multiple openvpn instances on one machine and bind them to different CPUs?
15:08 < pr0t> oh they have to be in different subnets :-/
15:08 < pekster> If your OS allows that, sure. Why do you care about mandating OS-level CPU-affinity though?
15:09 < pekster> Is your OS not good enough to figure it out on its own?
15:09 < pekster> Either way that's not an #openvpn problem, but a #yourdistro problem if you want process affinity
15:09 < pr0t> it should be I use Linux
15:09 <+jeev> pekster, see my solution ?
15:09 < pekster> Then you don't "bind" instances to CPUs, no
15:09 < pr0t> so default how many connections can openvpn take
15:09 < pr0t> ballpark
15:09 < pekster> Over 1000 on shitty hardware
15:10 < pr0t> oh so I really don't have to worry
15:10 < pr0t> heh
15:10 < pekster> But it doesn't scale on a single instance
15:10 <+jeev> pekster, i got it last night, i didn't have a ccd config set up with iroute for that client. and i didn't have 'route' without push in the server config also
15:10 < pr0t> pekster: so I should probably spin up another instance on a different machine?
15:10 < pr0t> would that work?
15:10 < pekster> pr0t: you're really not listening, but I've lost interest. It _is_ a problem if you want to do more than idle those 1000 connections with keepalive traffic
15:10 < pr0t> I understand
15:10 < pekster> No need for another machine if you have one with >1 core
15:10 < pekster> Just run >1 instance on 1 OS
15:11 < pekster> jeev: And if you'd explained your goals better you would have recieved !clientlan refs sooner
15:12 < pr0t> I understand but what about redundancy (openvpn problem) and the single OS networking being bogged down by all the traffic (an OS/hardware issue)
15:12 < pekster> So run a 2nd server if you want redundancy. That's not really openvpn at all besides perhaps including a 2nd --remote stanza
15:13 < pekster> Neither is your OS limits
15:13 < pr0t> gotcha
15:13 < pr0t> I am also reading and many people say openvpn has a 250 client limit, is that true?
15:13 < pekster> Stop asking questions I already answered
15:13 < pekster> 15:09:52 < pekster> Over 1000 on shitty hardware
15:13 < pr0t> gotcha
15:13 < pekster> That's with an ~8 year old Celeron
15:13 < pr0t> but why do so many people say 250?
15:13 < pr0t> oh wow
15:13 < pekster> Becuase they're idiots
15:13 < pr0t> okay gotcha sir
15:14 < pr0t> now one more stupid question
15:14 < pr0t> authentication
15:14 < pr0t> should i continue to use keys or is there a better method (by better ri really mean easier for end users)
15:14 < pekster> It's only "stupid" if I can scroll up 1 page on my screen and paste the answer ;)
15:14 < pr0t> :)
15:14 < pekster> !authentication
15:14 < pekster> !learn authentication as https://community.openvpn.net/openvpn/wiki/Concepts-Authentication
15:14 <@vpnHelper> Joo got it.
15:15 < pr0t> nice
15:15 < pr0t> can I ask you one more question?
15:16 < pr0t> Could we make sweet love together on a bear skin rug while listening to Kenny G?
15:16 < pr0t> Guess that is a no
15:19 -!- Netsplit *.net <-> *.split quits: pwrcycle, mingdao, digilink, GabrieleV, kro[au], xBytez, psycheye, i7c, MeanderingCode, dimm0k,  (+4 more, use /NETSPLIT to show all of them)
15:20 -!- Netsplit over, joins: tempus_fol, tfox, i7c, dimm0k, pwrcycle, digilink, calcifea, kro[au]
15:20 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
15:20 -!- Netsplit over, joins: MeanderingCode, xBytez, mingdao, psycheye, aji
15:22 -!- pr0t [~pr0t@69-26-152-240.mt9.aerioconnect.net] has quit [Quit: Leaving]
15:24 -!- sync0pate [~sync@unaffiliated/sync0pate] has quit [Excess Flood]
15:24 -!- sync0pate [~sync@109.169.46.200] has joined #openvpn
15:25 -!- sync0pate is now known as Guest67343
15:42 < Ghormoon> how exactly does the external script thing works? added script-security 2 on the server, made the script owned by vpn user and still nope :(
15:42 < Ghormoon> external program fork failed
15:42 -!- Guest67343 [~sync@109.169.46.200] has left #openvpn []
15:43 < Ghormoon> sometimes "could not execute external program" instead
15:47 < pekster> Paste your config and the script
15:47 < pekster> (on a pastebin. ie: !paste)
15:48 < quantumkey> or read this : https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
15:48 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
15:48 < pekster> That, or the reference you apparently failed to use that I gave you earlier:
15:48 < pekster> !scripts
15:48 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
15:48 < pekster> Ghormoon: These !things are not here for MY enjoyment; they're here to help YOU
15:48 < pekster> !new
15:48 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
15:51 < Ghormoon> http://pastebin.com/pruiNy0F config, added only that 2 lines (script-security and tls-verify)
15:52 < Ghormoon> script http://pastebin.com/QcRQnQVN but I think it doesn't even run it
15:56 < pekster> The 'fork failed' and 'could not execute' are error messages returned by the OS when attempting to invoke the external script
15:57 < quantumkey> !scripts
15:57 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
15:57 < pekster> Maybe it's not marked executable, or maybe there's some problem with your interperter
15:58 < quantumkey> what about --script-security ?
15:58 < Ghormoon> damn, I'm so stupid, I've made it +x, but didn't check the interpreter, the path is wrong :D
15:58 < pekster> That's one benefit to using POSIX sh since it's almost always available at /bin/sh
16:00 < pekster> Not that anything in particular is wrong with python, but it seems a waste when an awfuly simple (and more portable) shell script does the same thing in a neater way: http://pastebin.kde.org/p3rxtvtbg/xoyudj
16:01 < Ghormoon> schouldn't it also check for the depth?
16:01 < pekster> I'd call that out of --client-connect personally, but there's lots of variations on the theme
16:02 < pekster> --tls-auth is more intended for when you want to check the certificate itself, not simply the common_name that you get exposed everywhere
16:09 -!- Ghormoon__ [~Ghormoon@61.2.broadband3.iol.cz] has joined #openvpn
16:10 -!- Ghormoon [~Ghormoon@61.2.broadband3.iol.cz] has quit [Ping timeout: 246 seconds]
16:11 < bigbob83> Hello
16:12 < bigbob83> i need help about open vpn gui com^piling for windows with mingw
16:14 < pekster> bigbob83: Have you seen https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem ? openvpn-build just magically does all the steps you require for a usable build
16:14 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
16:15 < Ghormoon__> anyway, gotta go for a bus, thanks :)
16:15 -!- Ghormoon__ [~Ghormoon@61.2.broadband3.iol.cz] has quit [Quit: Kicked out my uplink cable ... again ...]
16:25 < bigbob83> i only want to build the gui from sources;get the source from http://openvpn.se/download.html
16:25 <@vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
16:39 < pekster> No, that GUI is super-outdated
16:39 < pekster> Plaese don't use it
16:39 < pekster> Years out of date
16:40 < pekster> All of the active devs use the openvpn-build project to do source builds for Windows, and you should too
16:40 < pekster> It's not all that hard to see what it's doing and build "only" the GUI if that's really what you want, but for the trouble you might as well just build the full installer to go with it
16:43 < pekster> https://github.com/OpenVPN/openvpn-build/blob/master/generic/build#L298
16:43 <@vpnHelper> Title: openvpn-build/generic/build at master · OpenVPN/openvpn-build · GitHub (at github.com)
16:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:03 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
17:09 < bigbob83> Sorry but i really don't know what i have to do with this file (i'm newbie in  dev/compiling), could you give me a point of start please ?
17:10 < bigbob83> i know only know the basis of dev in .net
17:17 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Quit: Leaving.]
17:41 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
17:44 -!- joshh20-Away is now known as joshh20
17:44 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
17:50 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
17:51 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 252 seconds]
18:13 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has quit [Ping timeout: 252 seconds]
18:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
18:15 -!- pr0t [~pr0t@69-26-152-240.mt9.aerioconnect.net] has joined #openvpn
18:18 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
18:30 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
18:39 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
18:43 -!- HumpyDumpy [~eXcALiBuR@173.242.219.42] has joined #openvpn
18:43 -!- master_o1_master [~master_of@p4FD7B33F.dip0.t-ipconnect.de] has joined #openvpn
18:43 < HumpyDumpy> can openvpn be launched and connected automaticly from a client on computer boot - windows 7
18:44 < HumpyDumpy> !welcome
18:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:44 < HumpyDumpy> !goal
18:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:45 < quantumkey>  can openvpn be launched and connected automaticly from a client on computer boot - windows 7
18:45 < quantumkey> yes
18:45 < HumpyDumpy> wonderful
18:45 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:46 < quantumkey> http://openvpn.net/index.php/open-source/documentation/howto.html#startup
18:46 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:46 < HumpyDumpy> is openVPN better than VPN server running on windows Server 2012?
18:46 < quantumkey> do bears sh*T in the woods ?
18:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:47 < HumpyDumpy> ummmm
18:47 < HumpyDumpy> maybe?
18:47 -!- master_of_master [~master_of@p4FD7B104.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
18:51 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
18:55 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
18:55 -!- Shikieiki_ [~enma@63.142.161.4] has joined #openvpn
18:55 < Shikieiki_> !goal
18:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:55 < Shikieiki_> hm
18:55 -!- Shikieiki_ [~enma@63.142.161.4] has left #openvpn []
18:57 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
18:59 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
19:06 -!- HumpyDumpy [~eXcALiBuR@173.242.219.42] has quit []
19:10 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 260 seconds]
19:17 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
19:21 < quantumkey> sup ?
19:24 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
19:25 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
19:30 < nick4> Is it generally a bad idea to have the key unecrypted? Having it encrypted means I have to type the passphrase every time the server and client start.
19:34 < quantumkey> keep your ca on a private system and let openvpn do the rest
19:34 < quantumkey> !pki
19:34 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
19:34 <@vpnHelper> was signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
19:37 < nick4> so you're telling me that the CA key should be in a different system (and password-protected) but it's okay to have the server.key and client.key without password?
19:39 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer]
19:39 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
19:39 -!- matsh_ [divine@nanogene.org] has joined #openvpn
19:41 < quantumkey> if you are fed up of password authentication then yes
19:42 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 260 seconds]
19:42 -!- matsh_ is now known as matsh
19:43 < nick4> thanks
19:43 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
19:44 < nick4> I'm googling on how to do this, but if there is a handy link with straightforward directions, I would check it out.
19:44 < quantumkey> !easyrsa
19:44 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
19:45 < quantumkey> quite franklyit couldnotbe any easier then easy rsa
19:45 < pekster> nick4: Most of the time servers use unencrypted keys, otherwise you have to supply it ever boot or service restart
19:45 < nick4> yes pekster
19:45 < pekster> The obvious drawback is that if the file is ever copied or accessed by someone who shouldn't it, they can impersonate that host/system
19:45 < nick4> I think I've got it: http://www.linuxsysadmintutorials.com/change-the-passphrase-on-an-openvpn-key/
19:45 <@vpnHelper> Title: Change the passphrase on an OpenVPN key (at www.linuxsysadmintutorials.com)
19:46 < nick4> yes pekster, it makes sense
19:46 < nick4> thanks :D
19:46 <@krzee> !factoids search phrase
19:46 <@vpnHelper> 'strip-passphrase' and 'change-passphrase'
19:47 < pekster> I think I did add a passphrase change feature to easyrsa v3, but I forget if that's -master or part of my more sweeping changes I'm keeping local until a 3.1 branch
19:48 < pekster> master, apparently: https://github.com/OpenVPN/easy-rsa/commit/89f369c
19:48 <@vpnHelper> Title: Add support to change private key passphrases · 89f369c · OpenVPN/easy-rsa · GitHub (at github.com)
19:51 < nick4> Ah. Well, the version I have doesn't have that command. The way I removed the passphrase (from that link) is okay?
19:53 < nick4> Or do I need to grab the latest easyrsa and use that?
19:53 < quantumkey> 222-1
19:54 < quantumkey> https://github.com/OpenVPN/easy-rsa/releases
19:54 <@vpnHelper> Title: Releases · OpenVPN/easy-rsa · GitHub (at github.com)
19:58 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has joined #openvpn
19:58 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Read error: Connection reset by peer]
19:59 < nick4> That one worked.
20:00 < quantumkey> justread
20:01 < nick4> no wait... it didn't worked
20:01 < pekster> NOpe, you can remove the passpharse by openssl too
20:01 < quantumkey> readmore
20:01 < nick4> oh, okay
20:02 < pekster> easyrsa just calls openssl to do it without all the ugly commands
20:02 < nick4> oh okay, I think I managed to remove the passphrase but now I'm stuck in this: http://pastebin.com/raw.php?i=7R8QvEEg
20:03 < nick4> maybe I didn't actually remove the passphrase?
20:04 < quantumkey> !paste
20:04 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
20:04 < pekster> As cool as "Netscape" was a decade ago, we've moved past it. Don't rely on deprected constructs in your openvpn configs
20:05 < nick4> Netscape? Hm. I don't get it.
20:05 < pekster> Don't use --ns-cer-type
20:05 < nick4> oh
20:05 < pekster> IT's old, the X509 extension itself is deprecated, and it's bad form
20:05 < pekster> !mitm
20:05 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
20:05 < pekster> See (#3) above
20:06 < nick4> I really don't know what this was. I either missed this option, or the config must have 'recommented' to leave it enabled.
20:06 < nick4> let me check that
20:06 < pekster> The config in the official howto does (I'm looking to replace that, but first I need to wait on copyright status)
20:07 < pekster> The text you should have read that goes with it indicates the --remote-cert-tls option
20:09 < nick4> Thank you. I will need to pick this up again tomorrow. I'll google this option to see what it does. Bye for now.
20:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:10 < pekster> Actually _READ_ the MITM link I gave you
20:10 < pekster> It's part of the howto, and you need to read it a few times to review some of this
20:10 < pekster> Start there when you pick this up
20:12 < quantumkey> !joo got it
20:21 < quantumkey> http://www.youtube.com/watch?v=4wNknGIKkoA
20:21 <@vpnHelper> Title: Lou Reed- Walk on the Wild Side - YouTube (at www.youtube.com)
20:22 < pekster> So, first you wander in, claim the latest release sucks, then quit. Then you post youtube links. Why?
20:22 < quantumkey> because of you
20:22 -!- mode/#openvpn [+o pekster] by ChanServ
20:22 -!- quantumkey was kicked from #openvpn by pekster [Come back when you can be less hostile]
20:22 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
20:22 <@pekster> And autojoin. Cute.
20:23 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
20:23 < quantumkey> hostile ...
20:23 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
20:23 -!- mode/#openvpn [-o pekster] by ChanServ
20:25 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
20:25 < quantumkey> i don't like auto join either
20:25 < pekster> Try and behave. Claiming things "suck" when you probably just needed to review log options isn't productive. Neither is quitting before asking a proper question
20:26 < quantumkey> like +O
20:27 < quantumkey> he log options on v232 seem to be a bit confused
20:28 < pekster> I assure you it's not "because of me"
20:28 < quantumkey> no prob
20:28 < pekster> Logs work fine on Windows for me; perhaps you're missing some relevant options?
20:29 < quantumkey> i doubt it
20:29 < pekster> In fact, just this past week at $work I got quite on-target logs when using the "start openvpn on this config" feature, so I'm very confident in what I say
20:29 < pekster> Do what we ask everyone else to do:
20:29 < pekster> !configs
20:29 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:29 < pekster> !paste
20:29 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
20:29 < quantumkey> i will try to explain .. if you have time
20:30 < quantumkey> just kill your hostility
20:30 < pekster> I'd rather you provided a way to reproduce the issue; that's how you identify problems to developers so they can confirm problems and then work to fix them
20:31 < pekster> And no, asking you to provide a useful bugreport is hardly hostile
20:31 < quantumkey> exactly ..
20:32 < pekster> Claiming things suck and then claiming it's "becuase of me" isn't productive. I'm trying very hard (and patiently, I think) to encourage you to do things that will help get your issue resolved, and fix any possible problems that might exist in the codebase that are related
20:32 < quantumkey> fair play with the bug report re: Logs
20:32 < quantumkey> i sense morehostility in thepipeline
20:33 < quantumkey> however
20:34 < quantumkey> as far as code base goes : I am not atthat level yet
20:35 < quantumkey> yes you are patient and yes i have been a little short
20:36 < quantumkey> i apologies for my frustration
20:39 < quantumkey> IN General my issues are ridiculously insignificant
20:39 < quantumkey> and i do not want to call you out
20:40 < quantumkey> in fact i would like to engage you and contribute effectively
20:40 < quantumkey> but you do not make it easy
20:40 < julius_> quantumkey, men, get your life together
20:41 < quantumkey> sugar
20:41 < quantumkey> for example : SNAT/dnat
20:42 < quantumkey> i got it working .. but no thanks to anyone here
20:42 < pekster> Becuase most of us 1) don't use NAT in general between RFC1918 networks and 2) use the preferred OS methods to do it when we do
20:43 < quantumkey> is it an optionof openvpn
20:43 < pekster> I'm aware of what it is, and I told you before I have zero interest in learning how it works
20:44 < pekster> Apparently no one else present when you asked knew (or cared to find out) either. It happens. Try the mailing list for a bit wider audience
20:44 < quantumkey> pekster : all I have tried to do is learn .. if i am learning something you consider to be irrelevant .. what can i do
20:44 < quantumkey> and by the way
20:45 < pekster> No, my recent problem was with you claiming 2.3.2 sucks, then leaving the channel 15 minutes later
20:45 < pekster> I have _no_ clue what you hoped to gain by that
20:46 < quantumkey> --echo and --log do not work as documented
20:49 < pekster> They haven't bee in the log for some time: see commit https://github.com/OpenVPN/openvpn/commit/429ab79
20:49 <@vpnHelper> Title: Redact "echo" directive strings from log, since · 429ab79 · OpenVPN/openvpn · GitHub (at github.com)
20:49 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
20:49 < quantumkey> --log also misbahaves ..
20:50 < pekster> How? WHat have you done? What were your results? What did you expect? http://catb.org/~esr/faqs/smart-questions.html#beprecise
20:50 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
20:51 < pekster> "Describe the symptoms of your problem or bug carefully and clearly." -- you haven't don this yet. "If at all possible, provide a way to reproduce the problem in a controlled environment" -- I haven't seen any reasonable way for me to try this on my end either.
20:53 < quantumkey> all steps i a willing to undertake given one iota of respect
20:56 < quantumkey> -O permaban
20:57 < quantumkey> gtg
20:57 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
20:58  * pekster sighs. And still nothing productive. What an utter waste
20:59 -!- red_racer12 [sid20963@gateway/web/irccloud.com/x-jyuhglcxinczedwd] has joined #openvpn
21:00 < red_racer12> how does a vpn work? between two networks in two different locations? do they share IP addresses?
21:03 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has quit [Read error: Operation timed out]
21:03 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
21:04 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
21:04 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
21:16 < pekster> red_racer12: that's what a VPN is: a Virtual Private Network. Perhaps the wikipedia entry or google could have explained that
21:16 < red_racer12> yes i tried, but for example, i have two routers, and they create a vpn, which one is the dhcp server?
21:16 < red_racer12> do i end up with two networks?
21:16 < pekster> What's your goal?
21:16 < pekster> !goal
21:16 < red_racer12> i guess both can't be 192.168.1.1, right?
21:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:17 < pekster> It's a very bad idea to use such common networks across a VPN
21:17 < red_racer12> okay my goal is i have wifi thermostats that i want to access remotly
21:17 < pekster> So you have these appliances behind a location you want a VPN server, and then you plan to connect to it externally?
21:18 < red_racer12> right, i see in my router, i can create a ipsec vpn connection, i also have a tomato router and it, i wanted to put a server in my office, write some scripts to access those wifi thermostats ( i dont want to port forward the routers for the thermostats)
21:19 < red_racer12> i want to have htose thermostats (192.168.x.x) accessible offsite, like that, rather than dealing with dynamic dns stuff, or port forarding
21:19 < pekster> First off, re-number your server side network because common SOHO networks are horribie ideas
21:20 < red_racer12> so like, 10.0.x.x.
21:20 < pekster> !randomsubnet
21:20 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
21:20 < pekster> Try #2 if you have a modern-ish shell
21:20 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
21:21 < pekster> After you have a range that won't conflict with the physical address of clients, just set up a VPN and route normally
21:22 < pekster> Try !serverlan for some hints/flowcharts to get you started
21:22 < red_racer12> !serverlan
21:22 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:22 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
21:22 < red_racer12> yeah that makes sense
21:22 < pekster> And the !howto for a basic setup ( you need that first before you can do the !serverlan stuff)
21:22 < red_racer12> so i should setup a vpn right? does that mean all my trafic goes to the vpn?
21:26 < pekster> "all your traffic"
21:26 < pekster> Routing works the same as it always has: via your routing table
21:26 < pekster> Maybe you should reivew the basics of routing before you attempt to work with a VPN which is advanced routing
21:26 < pekster> Some review can be had at:
21:26 < pekster> !tcpip
21:26 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
21:27 < red_racer12> ah, so thats what static routes are for
21:35 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Read error: Connection reset by peer]
21:37 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
21:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
21:44 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
21:54 -!- schnitzl [~schnitzl@dslb-088-067-165-197.pools.arcor-ip.net] has quit [Ping timeout: 260 seconds]
21:56 -!- schnitzl [~schnitzl@dslb-094-217-204-167.pools.arcor-ip.net] has joined #openvpn
21:57 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 265 seconds]
21:59 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
22:02 -!- joshh20 is now known as joshh20-Away
22:20 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
22:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.1]
23:06 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
23:23 -!- PickledBarrelAss [~PickledBa@gateway/tor-sasl/pickledbarrelass] has joined #openvpn
23:25 < PickledBarrelAss> yo, I'm trying to connect to a vpn, which works but the shell script I'm using which is on the arch wiki for openvpn: https://wiki.archlinux.org/index.php/OpenVPN#DNS isn't actually changing resolv.conf.
23:25 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
23:26 < PickledBarrelAss> was wondering if anyone might have any clue as to how I can fix that?
23:26 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 246 seconds]
23:33 <@krzee> install resolvconf
23:33 <@krzee> if that is an option
23:34 < PickledBarrelAss> already have it installed
23:34 <@krzee> is it at /usr/bin/resolvconf ?
23:34 < PickledBarrelAss> yeah
23:34 <@krzee> type: which resolvconf
23:34 < PickledBarrelAss> gives /usr/bin/resolvconf
23:35 <@krzee> k
23:35 <@krzee> export foreign_option_1='dhcp-option DNS 8.8.8.8'
23:36 <@krzee> bash -x update-resolv-conf
23:36 <@krzee> (pastebin)
23:36 <@krzee> oh wait
23:36 <@krzee> export script_type=up
23:36 <@krzee> you are running this from the client config as --up /path/to/script
23:37 <@krzee> right?
23:38 < PickledBarrelAss> I'm just running as: openvpn path to config.  In the config I have script-security set to 2 and the line: up /path/to/update-resolv-conf
23:38 <@krzee> cool
23:39 <@krzee> export foreign_option_1='dhcp-option DNS 8.8.8.8'
23:39 <@krzee> export script_type=up
23:39 <@krzee> bash -x /path/to/update-resolv-conf
23:39 <@krzee> pastebin me the output
23:39 < PickledBarrelAss> alright hold up
23:42 < PickledBarrelAss> http://pastebin.com/WhtrTNd7
23:43 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
23:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:43 < PickledBarrelAss> I was fucking around with the path to resolvconf to see if it made a difference and forgot to change it back to /usr/bin/resolvconf, so that's why it has /usr/sbin
23:47 <@krzee> show me your script exactly via pastebin
23:47 < PickledBarrelAss> alright
23:48 <@krzee>  option='dhcpc-option DNS 8.8.8.8'
23:48 <@krzee> you typo'ed
23:49 < PickledBarrelAss> http://pastebin.com/g7edBYMB
23:50 <@krzee> ok
23:50 <@krzee> it was because of your typo
23:50 <@krzee> type the things i said to again, but no typo's
23:50 <@krzee> copy/paste if possible
23:51 <@krzee> in the pastebin please include the commands typed
23:52 <@krzee> oh in fact i have 1 more
23:52 <@krzee> are you connect to the vpn now?
23:52 <@krzee> connected*
23:52 <@krzee> if so, what device is this vpn? tun0?
23:53 < PickledBarrelAss> http://pastebin.com/0iPtvP0z
23:53 < PickledBarrelAss> no
23:53 < PickledBarrelAss> but yeah
23:53 < PickledBarrelAss> it's tun0
23:54 <@krzee> oh i see a problem in the script
23:54 <@krzee> lines 12 and 13
23:54 <@krzee> say option
23:54 <@krzee> but need to be $option
23:54 <@krzee> biiiiiig problem :D
23:54 <@krzee> fix that and try openvpn again
23:55 <@krzee> you will note that on the wiki they are $option
23:55 <@krzee> only in your copy they are not
23:57 -!- PickledBarrelAss [~PickledBa@gateway/tor-sasl/pickledbarrelass] has quit [Ping timeout: 240 seconds]
23:59 -!- PickledBarrelAss [~PickledBa@gateway/tor-sasl/pickledbarrelass] has joined #openvpn
--- Day changed Sun Jan 19 2014
00:00 <@krzee> saw the fix?
00:04 -!- PickledBarrelAss [~PickledBa@gateway/tor-sasl/pickledbarrelass] has quit [Ping timeout: 240 seconds]
00:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:32 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
00:33 < sammm> hey I set up openvpn and have a client connected with no errors from either the server/client but we cannot ping eachother (10.8.0.1/10.8.0.10) he has disabled his firewall (windows 7) and I have forwarded 1194 UDP too. any ideas?
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:15 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
01:24 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
01:25 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
01:25 -!- bersace [~bersace@sevin.cae.li] has quit [Ping timeout: 264 seconds]
01:25 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 264 seconds]
01:25 -!- guntha_ [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 264 seconds]
01:25 -!- klaxa [~klaxa@klaxa.eu] has quit [Ping timeout: 264 seconds]
01:25 -!- mrrg [~notabot@delicious.sykosys.jp] has quit [Ping timeout: 264 seconds]
01:25 -!- hgax_ [~hgax@162.243.112.153] has quit [Ping timeout: 264 seconds]
01:25 -!- _KaszpiR___ [~kaszpir@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 264 seconds]
01:26 -!- pr0t [~pr0t@69-26-152-240.mt9.aerioconnect.net] has quit [Ping timeout: 264 seconds]
01:26 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has quit [Ping timeout: 264 seconds]
01:26 -!- pnielsen [~pnielsen@li301-93.members.linode.com] has quit [Ping timeout: 264 seconds]
01:26 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 264 seconds]
01:26 -!- hgax [~hgax@162.243.112.153] has joined #openvpn
01:26 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has joined #openvpn
01:26 -!- bersace [~bersace@sevin.cae.li] has joined #openvpn
01:26 -!- _KaszpiR__ [~kaszpir@unaffiliated/kaszpir/x-3157048] has joined #openvpn
01:26 -!- dazo_afk [~dazo@114.201.9.46.customer.cdi.no] has joined #openvpn
01:26 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
01:26 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
01:26 -!- dazo_afk is now known as dazo
01:27 -!- emid [~emid@192.241.162.156] has joined #openvpn
01:27 -!- dazo [~dazo@114.201.9.46.customer.cdi.no] has quit [Changing host]
01:27 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
01:27 -!- mode/#openvpn [+o dazo] by ChanServ
01:27 -!- dazo is now known as Guest17603
01:28 -!- guntha_ [~guntha@guntha.thecagedog.com] has joined #openvpn
01:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
01:30 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
01:30 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
01:31 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
01:31 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 246 seconds]
01:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:46 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
02:01 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
02:06 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has joined #openvpn
02:06 -!- dimm0k [~dimm0k@pool-72-80-89-149.nycmny.fios.verizon.net] has quit [Changing host]
02:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
02:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:46 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Read error: Connection reset by peer]
02:47 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
03:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:29 -!- mattock_afk is now known as mattock
03:53 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
03:54 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 264 seconds]
03:57 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
03:57 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 272 seconds]
04:06 -!- heraclitus__ [~heraclitu@vpn.planetcrypto.com] has joined #openvpn
04:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
04:07 -!- heraclitus__ is now known as heraclitus
04:07 -!- heraclitus [~heraclitu@vpn.planetcrypto.com] has quit [Changing host]
04:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:10 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
04:11 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 272 seconds]
04:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:18 < taylorbyte20131> is there a way to make the default routes pushed from the server go into a custom routing table ?
04:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
05:09 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Read error: Connection reset by peer]
05:11 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
05:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:19 < nick4> got it pekster - that's useful
05:30 -!- APTX_ [APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
05:58 -!- Devastatr [~devas@177.99.152.68] has joined #openvpn
05:59 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
06:04 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
06:14 < bigbob83> Hello all , earlier pekster gave me this link https://github.com/OpenVPN/openvpn-build/blob/master/generic/build#L298  because i would like to customize my openvpn gui icons and i need to build it from sources
06:14 <@vpnHelper> Title: openvpn-build/generic/build at master · OpenVPN/openvpn-build · GitHub (at github.com)
06:15 < bigbob83> but i really don't know how can i do this with this file  (i'm nwbie in building/dev , i only know the basis of dev in .net)
06:17 < nick4> hmmm.. this seems like a build script for linux
06:17 < pekster> My actual suggestion was to follow the openvpn-build process and use the build-complete script
06:17 < pekster> If you really want to do "only part" of the build job that's actually far more complex, and likely not what you want to jump into if you're new to compiling
06:18 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has quit [Quit: XDCC Browser 4.52 .... www.XDCCBrowser.com]
06:18 -!- DRice7 [ada@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
06:18 < pekster> What did you learn from the _other_ link I sent you that explains in great detail how to set up and use a cross-compile environment?
06:18 < pekster> How far did you get?
06:28 < bigbob83> okay, i had misunderstood for this link, thank you :)
06:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
06:56 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
07:05 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:06 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:07 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 245 seconds]
07:08 -!- NChief2 [~nchief@unaffiliated/nchief] has quit [Ping timeout: 245 seconds]
07:09 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
07:11 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
07:11 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
07:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
07:11 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
07:11 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
07:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
07:11 -!- mode/#openvpn [+o raidz] by ChanServ
07:16 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
07:17 -!- ultra [~mike@unaffiliated/ultra] has quit [Ping timeout: 245 seconds]
07:19 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
07:20 -!- bogie [bogie@mail.epow0.org] has quit [Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.]
07:23 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 272 seconds]
07:29 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Quit: Leaving]
07:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
07:29 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
07:29 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
07:30 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:30 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:34 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:35 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
07:40 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
08:04 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:08 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
08:08 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
08:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:00 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit [Ping timeout: 246 seconds]
09:05 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
09:09 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
09:10 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
09:14 -!- moparisthebest [~quassel@mailer.moparscape.org] has quit [Remote host closed the connection]
09:23 -!- piece3 [~quassel@14.161.15.21] has quit [Read error: Connection reset by peer]
09:28 -!- mattock is now known as mattock_afk
09:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:36 -!- lj [~l@99.155.24.89] has joined #openvpn
10:36 -!- bish00p [~tomek@46.238.225.80] has joined #openvpn
10:38 < bish00p> Hi. I've got question about security of key files. How can I improve key file security on the client side? I'm using debian.
10:46 < pekster> Keep your private key encrypted (with a good passphrase,) set it with a restrictive file access mode, and enforce good system security (updates, physical security, etc)
10:51 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
10:52 < bish00p> So I should've set chmod to read key file just for me and make sure that my encryption is strong enough and system is updated?
11:02 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:03 <@krzee> !change-passphrase
11:03 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
11:07 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
11:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
11:19 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
11:26 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
11:28 -!- bish00p [~tomek@46.238.225.80] has quit [Quit: leaving]
11:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
11:29 -!- kalloc [~kalloc@188.227.167.74] has joined #openvpn
11:30 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 240 seconds]
11:30 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
11:30 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has joined #openvpn
11:30 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
11:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:32 -!- mode/#openvpn [+v s7r] by ChanServ
11:37 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:41 -!- kalloc [~kalloc@188.227.167.74] has quit [Ping timeout: 260 seconds]
11:47 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
11:48 -!- joshh20-Away is now known as joshh20
11:50 -!- takamichi [~takamichi@85.12.8.107] has quit [Ping timeout: 260 seconds]
11:50 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
11:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:09 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
12:15 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
12:20 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
12:36 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Quit: Leaving.]
12:38 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
12:40 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
12:52 -!- joshh20 is now known as joshh20-Away
13:06 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
13:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:14 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has quit [Changing host]
13:14 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
13:27 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 276 seconds]
13:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:06 -!- kalloc_ is now known as kalloc
14:14 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:18 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
14:28 -!- joshh20-Away is now known as joshh20
14:32 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
14:36 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 264 seconds]
14:36 <+jeev> krzee, around ?
14:37 <+jeev> tap0 is the primary domain controller @ 10.0.1.1, tap2 is now a cas server, 10.0.1.10. i can ping one another, tap0 has 10.0.1.254 ip, tap2 has no ip, i have them bridged @ br5, i'm wondering if it's a firewall issue on my slack machine, lets see
14:37 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
14:45  * jeev keeps forgetting about the iptables logging
14:47 < pekster> Sounds to me like you're doing bridging wrong. taps don't hold the IPs under Linux: your _bridges_ do
14:48 < pekster> You simply add interfaces as bridge members if you're gluing multiple together, although that's not something one usually does (though there are cases for that)
14:48 < pekster> Why don't you route instead?
14:48 <+jeev> i am routing between datacenters.
14:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:49 <+jeev> this is a linux machine with two windows servers on it, server 1 is tap0, server 2 is tap2.
14:49 <+jeev> i want those two to speak.
14:49 <+jeev> when i bridge tap0/tap2 together, it logs it as a martian
14:49 <+jeev> i am then unable to ping the gateway from either machine, if i kill the bridge, i can ping the gateway but i can't ping the two machines.
14:49 <+jeev> i wonder if i need to give tap2 an ip also
14:51 < pekster> pastebin `ip addr show` and `brctl show` somewhere
14:51 < pekster> And then while I'm looking over that, explain why you aren't routing
14:52 <+jeev> one sec pek, so tap0 has .254, tap2 now has .253, i have them bridged and set the gw for tap2's windows server to .253 and it works now.
14:52 <+jeev> hm i need to look more carefully, i can't ping the gw's but i can ping the other machine, one sec
14:52 < pekster> I have no idea what you're doing, but I'm quite confident you're going about it all wrong
14:52 <+jeev> pekster, why would i route two virtual machines on the same server?
14:53 < pekster> 1) don't bridge unless you _actually_ need Ethernet frame transport support (including broadcast/multicast traffic.)
14:53 < pekster> 2) bridging "multiple" taps is (almost) always the wrong approach
14:54 < pekster> If things are on the same network, you just add more IPs to a single Ethernet-style Interface. That's how networking has worked in both Linux and most Unixes for many years now
14:55 < pekster> So, _why_ are you using tap in the first place?
14:55 <+jeev> pekster, sorry. this isn't an openvpn concern, this is a qemu concern, i dont know why i voiced it in here.
14:55 <+jeev> openvpn is routing, it is working just fine.
14:56 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
14:56 -!- Guest17603 [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
14:57 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit []
14:58 -!- mode/#openvpn [-o plaisthos] by plaisthos
14:58 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
14:58 -!- mode/#openvpn [+o dazo_afk] by ChanServ
14:58 -!- dazo_afk is now known as dazo
15:12 -!- moshin_ [~mo@166.170.51.180] has joined #openvpn
15:13 < moshin_> Hello everyone
15:13 < moshin_> I was hoping someone could assist me with what I hope is a simple, foolish problem
15:14 < moshin_> I am mostly setup, but can't connect due to what I thought was a TLS handshake issue
15:14 < moshin_> but then I noticed this in the logs
15:14 < moshin_>  VERIFY ERROR: depth=0, error=unable to get local issuer certificate:
15:14 < moshin_> right before the TLS issues.
15:14 < moshin_> 1) is the TLS due to the Verify Error?
15:14 < moshin_> 2) is this easily remedied?
15:14 < moshin_> I generated all my certs from the command line with easy-rsa
15:15 < moshin_> openssl x509 -subject -issuer -noout -in     shows the right issuer on the client side
15:16 < moshin_> also
15:16 < moshin_> openssl verify ca.crt
15:16 < moshin_> ca.crt: C = US, ST = HI, L = LanaiCity, O = LakesideSystems, OU = NetworkOperations, CN = LakesideSystems CA, name = EasyRSA, emailAddress = mo@lakeside-systems.net
15:16 < moshin_> error 18 at 0 depth lookup:self signed certificate
15:16 < moshin_> error 18, self signed?
15:16 < moshin_> they both say 0 depth
15:20 < pekster> To verify, you need to pass the _recieved_ cert and compare aginast the CA cert
15:21 < pekster> The 'VERIFY ERROR' is generally when the cert OpenVPN received isn't signed by the referenced ca cert (with --ca) that openvpn is checking
15:21 < pekster> Either you didn't put the right cert in the right place, or that CA didn't sign that cert
15:22 < sailerboy> hey, i'm trying to download a torrent over an openvpn connection, and i'm getting rather low speeds compared to link speed. I tried playing around with the MTUs and the cipher settings, with no major differences. looking at htop, i notice that openvpn on the server side takes up a lot of CPU resources
15:22 < moshin_> and this is on the client, or on the server?
15:22 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 260 seconds]
15:22 < pekster> Both sides verify each other
15:22 < sailerboy> i'm also unable to "wget" on the client, it hangs at HTTP request sent, awaiting response...
15:23 < pekster> The cert the client presents to the server is checked on the server against the server's referenced CA, and the cert the server presents to the client is checked by the client against the client's copy of the CA
15:23 < pekster> Maybe you should read:
15:23 < pekster> !intro-to-pki
15:23 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
15:23 -!- kossy [a@kossy.org] has joined #openvpn
15:23 < moshin_> hmm when I verify my certs for the server and client i always get this
15:23 < moshin_> error 20 at 0 depth lookup:unable to get local issuer certificate
15:23 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
15:24 < pekster> Then transport the remote peer cert and verify it locally
15:24 < moshin_> hmm okay
15:24 < pekster> If it fails, you either have the wrong cert somewhere, or it isn't signed by the CA you think it is
15:24 < moshin_> ok
15:24 < moshin_> i generated all the certs on my server
15:24 < moshin_> then copied them down locally
15:25 < pekster> openssl verify -verbose -CAfile ca.crt client1.crt
15:25 < pekster> Make _sure_ you're doing that on each end using the ca.crt file that end is using, and checking the file the remote end is sending
15:26 < moshin_> ok thank you so much for your help
15:27 < moshin_> both the client, and server.crt reply:  OK
15:27 < moshin_> if only my laptop was linux too sigh
15:27 < moshin_> my client in this case is my macbook... having grief finding a legit easy-rsa tool
15:28 < moshin_> for ISX
15:28 < moshin_> OSX
15:28 < pekster> easy-rsa works on any POSIX-compliant system, including OS X
15:32 < moshin_> ahhh
15:32 < moshin_> and tunnelblick installed it
15:35 < moshin_> error 20 at depth 0 from my client
15:35 < moshin_> hmmm
15:35 < moshin_> so should I copy the certs back from the server again?
15:36 < pekster> I have no clue what "error 20" is. Out of context messages aren't helpful
15:36 < pekster> Either the cert is properly signed by the CA or not. If it's not, either you have the wrong CA, the wrong entity cert (or both)
15:37 < pekster> Certs not signed by the CA fail validity
15:37 < moshin_> on the server
15:37 < moshin_> root@bouncer:/opt/etc/easy-rsa/keys# openssl verify -verbose -CAfile ca.crt boun
15:37 < moshin_> cer.crt
15:37 < moshin_> bouncer.crt: OK
15:38 < moshin_> on the client
15:38 < moshin_> chimbp:keys mo$ openssl verify -verbose -CAfile ca.crt bouncer.crt
15:38 < moshin_> bouncer.crt: /C=US/ST=HI/L=LanaiCity/O=LakesideSystems/OU=NetworkOperations/CN=bouncer/name=EasyRSA/emailAddress=mo@lakeside-systems.net
15:38 < moshin_> error 20 at 0 depth lookup:unable to get local issuer certificate
15:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:39 < moshin_> does that indicate an issue with the cert itself?
15:39 < moshin_> on the client side
15:39 < pekster> That cert isn't signed by that CA
15:39 < moshin_> e.g., maybe they didn't copy correctly?
15:39 < pekster> Validity can't be checked as a result
15:39 < moshin_> interesting
15:39 < pekster> Usually people either put the wrong file in the wrong plaace, or re-did part of their CA and neglected to send the right cert (often the CA cert) to the right place
15:40 < pekster> It's like changing the house locks and "forgetting" to give your roommate a new copy
15:41 < moshin_> HAh
15:41 < moshin_> I think it was the latter
15:42 < moshin_> Just retransferred the certs to my client
15:42 < moshin_> and the command returns OK now
15:42 < moshin_> so, Im mostly an idiot, but that's okay hahaha
15:43 < moshin_> good decisions come from wisdom, wisdom comes from experience, experience comes from bad decisions
15:50 < moshin_> thanks bro
15:50 < moshin_> Copied clean certs from the server after you helped me verify
15:50 < moshin_> both to the client
15:50 < moshin_> as well as stopped the service and ensured the server was using the right set
15:51 < moshin_> restarted, and connected :-)
15:51 < moshin_> so it works, but  that won't stop me from reading up on PKI :-D
15:52 < moshin_> if I may ask another question
15:52 < moshin_> how can I create a .ovpn client configuration file?
15:52 < moshin_> id like to be able to vpn in from iOS, and the only client I was able to find seems to only want .ovpn
15:57 -!- Nikon__ [~Nikon@d24-235-161-50.home1.cgocable.net] has joined #openvpn
15:57 < Nikon__> hey there
15:57 < Nikon__> so uhh
15:57 < Nikon__> the management line
15:57 < Nikon__> how can i have it bind to the servers address like 10.8.0.1
15:57 < Nikon__> because mine wont start
15:58 < pekster> Read about the "tunnel" option
15:58 < pekster> Under --management
16:00 < Nikon__> http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
16:00 <@vpnHelper> Title: Management Interface (at openvpn.net)
16:00 < Nikon__> that doc?
16:00 -!- james41382_ [~james@c-71-227-171-20.hsd1.wa.comcast.net] has joined #openvpn
16:01 < pekster> !man
16:01 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
16:01 -!- moshin_ [~mo@166.170.51.180] has quit [Ping timeout: 260 seconds]
16:01 -!- james41382__ [~james@209.188.5.218] has joined #openvpn
16:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
16:04 < Nikon__> excellent
16:04 < Nikon__> thank you c:
16:05 <+jeev> pekster, anyway, i figured it out./j netfilter
16:05 <+jeev> woops
16:05 -!- james41382_ [~james@c-71-227-171-20.hsd1.wa.comcast.net] has quit [Ping timeout: 252 seconds]
16:05 <+jeev> io gave tap0 the ip instead of the bridge.
16:05 <+jeev> dork.
16:07 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 260 seconds]
16:08 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
16:24 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Quit: So long, meatbags!]
16:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
16:25 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
16:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:41 -!- Nikon__ [~Nikon@d24-235-161-50.home1.cgocable.net] has quit [Ping timeout: 260 seconds]
16:42 -!- DRice7 [ada@cpe-066-057-089-031.nc.res.rr.com] has quit [Quit: XDCC Browser 4.52 .... www.XDCCBrowser.com]
16:49 -!- speaker1234 [~user@c-50-176-19-86.hsd1.ma.comcast.net] has joined #openvpn
17:09 -!- register [~able@gateway/tor-sasl/able] has joined #openvpn
17:09 -!- register is now known as Guest91963
17:10 < speaker1234> I've been struggling with this for a while but for some reason I can't get open VPN on Windows to recognize configuration file. It's in the right directory according to documentation (c:\Program Files\OpenVpn\config\...)
17:10 -!- Guest91963 [~able@gateway/tor-sasl/able] has quit [Client Quit]
17:10 < speaker1234> but I'm seeing nothing a log file and nothing in the pop-ups from the system service telling it sees my configuration file.
17:12 -!- nick4 [~nick4@46.246.254.182.dsl.dyn.forthnet.gr] has left #openvpn []
17:13 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
17:13 -!- tempnick [~able@gateway/tor-sasl/able] has joined #openvpn
17:13 < sammm> hey
17:13 < speaker1234> hey
17:13 -!- tempnick is now known as able
17:14 < sammm> I'm having some weird problem where openvpn won't load on boot (using systemd) but will run fine when I stop and start the service with systemctl stop open.. etc
17:14 < sammm> any ideas?
17:15 -!- able [~able@gateway/tor-sasl/able] has quit [Client Quit]
17:15 < speaker1234> have you change the default startup permissions to administrative?
17:15 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
17:17 < sammm> you don't need to do that with systemd, I'm on archlinux by the way.
17:24 < speaker1234> sorry, I've been beating my head against Windows problems with open VPN all day and most of yesterday
17:25 < speaker1234> I think it's time to rebuild my Windows partition
17:30 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
17:31 -!- james41382__ [~james@209.188.5.218] has quit [Changing host]
17:31 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
17:31 -!- james41382__ is now known as james41382
17:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
17:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:47 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
17:49 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
17:53 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Quit: Leaving.]
17:54 -!- speaker1234 [~user@c-50-176-19-86.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
17:54 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
18:15 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Read error: Connection reset by peer]
18:15 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
18:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:37 -!- franks2 [~frank@frank2.net] has quit [Ping timeout: 248 seconds]
18:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
18:47 -!- master_o1_master [~master_of@p4FD7B33F.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
18:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:48 -!- mode/#openvpn [+v s7r] by ChanServ
18:49 -!- master_of_master [~master_of@p4FD7B26E.dip0.t-ipconnect.de] has joined #openvpn
19:00 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:00 -!- mode/#openvpn [+v s7r] by ChanServ
19:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
19:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:37 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
19:39 -!- niftylettuce [uid2733@gateway/web/irccloud.com/x-yhcgnijrwamuhkol] has quit [Ping timeout: 276 seconds]
19:40 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-qczgeqllxsyrnyqk] has joined #openvpn
19:42 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
19:44 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
19:49 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
19:56 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 252 seconds]
19:57 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
20:01 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
20:02 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
20:18 -!- julius_ [~julius_@141.41.92.61] has left #openvpn ["Leaving"]
20:18 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
20:20 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
20:26 -!- pnielsen_ is now known as pnielsen
20:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
20:43 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
20:52 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
20:56 -!- dradec [~dradec@unaffiliated/dradec] has joined #openvpn
20:57 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Read error: Connection reset by peer]
20:57 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
21:00 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has joined #openvpn
21:00 -!- lj [~l@c-98-215-110-122.hsd1.il.comcast.net] has quit [Client Quit]
21:12 -!- dradec [~dradec@unaffiliated/dradec] has quit [Quit: Running from the NSA]
21:18 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
21:26 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
21:27 -!- Devastatr [~devas@177.99.152.68] has quit [Changing host]
21:27 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
21:27 -!- Devastatr is now known as Devastator
21:29 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Read error: Connection reset by peer]
21:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:38 -!- lachesis [~lachesis@74.83.29.16] has joined #openvpn
21:38 -!- lachesis [~lachesis@74.83.29.16] has quit [Changing host]
21:38 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
21:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
21:43 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Read error: Connection reset by peer]
21:46 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
21:52 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
21:55 -!- schnitzl [~schnitzl@dslb-094-217-204-167.pools.arcor-ip.net] has quit [Ping timeout: 248 seconds]
21:57 -!- schnitzl [~schnitzl@dslb-178-010-089-070.pools.arcor-ip.net] has joined #openvpn
21:57 -!- joshh20 is now known as joshh20-Away
22:24 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
22:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
22:42 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Quit: Bye.]
22:52 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
22:52 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Remote host closed the connection]
22:53 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
23:27 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:37 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
23:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
23:43 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
23:43 -!- tfox [~tfox@162.219.176.130] has joined #openvpn
23:46 -!- james41382_ [~james@c-71-227-171-20.hsd1.wa.comcast.net] has joined #openvpn
23:50 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
23:58 -!- james41382_ [~james@c-71-227-171-20.hsd1.wa.comcast.net] has quit [Quit: Leaving]
--- Day changed Mon Jan 20 2014
00:16 -!- mattock_afk is now known as mattock
00:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:27 -!- rustem [~ka4ok@141.0.170.169] has quit [Quit: No Ping reply in 180 seconds.]
00:27 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
00:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:28 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Ping timeout: 246 seconds]
00:28 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
00:29 -!- heraclitus__ [~heraclitu@vpn.planetcrypto.com] has joined #openvpn
00:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
00:30 -!- heraclitus__ is now known as heraclitus
00:30 -!- heraclitus [~heraclitu@vpn.planetcrypto.com] has quit [Changing host]
00:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:31 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
00:32 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
00:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
00:52 -!- tfox [~tfox@162.219.176.130] has quit [Quit: tfox]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 248 seconds]
01:03 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 260 seconds]
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:39 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
01:49 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
01:50 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:55 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
01:58 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
02:00 -!- alice|wl [~helo@m5.notomorrow.de] has joined #openvpn
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:07 < alice|wl> hey, can I set a mac address in the client openvpn config? I want to recieve the same ip from dnsmasq every time
02:10 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:28 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:37 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
02:41 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
02:42 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
02:42 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
02:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
02:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:47 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
02:52 < ACKNAK> Hello! Anybody knows is it possible to make on openvpn this: 1) Network behind server accessible from clients 2) network behind each client accessible from server 3) several instances for multithreading
02:52 -!- Jeeves_ [~Jeeves_@host01.tuxis.net] has left #openvpn []
02:52 < Iain_> I am trying to get openvpn working with IPv6 as the transport. I can get IPv6 working inside an IPv4 tunnel but I am struggling to get IPv6 in IPv6 working. Can anyone point me to a howto for this please ?
02:52 < ACKNAK> routing becomes quite complicated ^^
02:57 < Iain_> I guess I should mention I'm using CentOS both as client and server
02:58 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:58 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has joined #openvpn
03:06 -!- defswork [~andy@141.0.50.105] has joined #openvpn
03:08 < ACKNAK> grrr why "route" works only in main config but not in CCD
03:09 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
03:09 < ACKNAK> it so inconvenient for multiple instances
03:09 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
03:23 < ACKNAK> ehm server do not learn routes from client route-pushes?
03:33 -!- HyperGlide [~HyperGlid@li634-159.members.linode.com] has joined #openvpn
03:37 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Operation timed out]
03:59 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Ping timeout: 246 seconds]
04:08 -!- HyperGlide [~HyperGlid@li634-159.members.linode.com] has quit [Quit: Leaving...]
04:12 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
04:27 -!- champtar [~champtar@ns623510.ovh.net] has joined #openvpn
04:29 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:41 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has quit [Ping timeout: 272 seconds]
04:44 -!- kalloc_ is now known as kalloc
04:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
04:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:56 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has joined #openvpn
05:30 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
05:45 < ACKNAK> uuuh I dont get what defines when route should be deleted after connection is broken? I'm using [keepalive 2 10] but delete happens only after 2 minutes
06:05 < ACKNAK> 2 minutes for peer ip itself and then 2 minutes more for route behind it, thats so much!
06:22 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
06:35 < Iain_> !welcome
06:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:39 < Iain_> !howto
06:39 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:40 < Iain_> !route
06:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:51 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:51 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
06:56 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:56 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:58 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
07:03 <@ecrist>  ACKNAK the routes are deleted as soon as the connection drops
07:03 < ACKNAK> thank you!
07:05 < ACKNAK> seems like its [learn-address] script is almost what I need (multiple instances with roadwarriors)
07:06 < ACKNAK> but I'm not sure how if it would be tiresome for server to constantly add/delete direct routes
07:06 < ACKNAK> there should be like several hunderts clients ^^
07:10 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
07:39 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 245 seconds]
07:41 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
07:50 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
07:51 < quantumkey> Hi - do we mind someone advertising Softether VPN on the openVPN forum : See this example https://forums.openvpn.net/topic14109.html#p37068
07:51 <@vpnHelper> Title: OpenVPN Support Forum Is OpenVPN connect open source? : OpenVPN Connect (Android) (at forums.openvpn.net)
07:59 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Remote host closed the connection]
08:09 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
08:15 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
08:17 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
08:22 < Iain_> !redirect
08:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:22 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
08:40 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has quit [Ping timeout: 252 seconds]
08:52 -!- schnitzl [~schnitzl@dslb-178-010-089-070.pools.arcor-ip.net] has quit [Quit: _]
08:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
08:54 -!- schnitzl [~schnitzl@dslb-178-010-089-070.pools.arcor-ip.net] has joined #openvpn
08:55 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has joined #openvpn
08:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:03 -!- ACKNAK [~poni@79.133.97.154] has quit [Quit: Leaving]
09:04 -!- james41382 [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
09:11 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
09:12 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 -!- abique [~abique@static.214.97.63.178.clients.your-server.de] has quit [Quit: Leaving]
09:29 -!- MAbeeTT [~MAbeeTT@190.179.250.213] has joined #openvpn
09:49 -!- joshh20-Away is now known as joshh20
09:53 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 264 seconds]
09:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:00 -!- joshh20 is now known as joshh20-Away
10:14 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 260 seconds]
10:14 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
10:18 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:24 < sunwind> !goal
10:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:26 -!- cato [cato@i.xnis.de] has joined #openvpn
10:31 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
10:40 < cato> Hi, I have some trouble with strange routes be set on a debian wheezy client: https://dpaste.de/kOk8 (I have anonymized the IPs 3* is server-side and 4* is client side)
10:41 < cato> line 43 and 44 are strange
10:41 <@Eugene> "Anonymising" your IPs is the a good way for us to not bother looking at what you pasted
10:42 <@Eugene> !configs
10:42 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:42 <@Eugene> !logs
10:42 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:42 <@Eugene> !secret
10:42 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
10:42 < cato> Eugene: I changed the first two numbers, other stuff is original
10:42 <@Eugene> !topsecret
10:42 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
10:42 <@Eugene> I don't care; you change it, I stop reading.
10:42 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
10:42 < wallbroken> hi guys
10:43 <@Eugene> This includes if you go back and un-change it now - I've already formed my opinion of you. Not even sorry.
10:44 < wallbroken> i want to ask you an off-topic question: do you think is better to use nfs over openvpn, or another solution like sshfs or sftp?
10:44 < wallbroken> if you cannot answer, never mind.
10:46 < cato> Eugene: I just wait, maybe someone else is willing to find the bug in your code
10:47 <@Eugene> If you can find the code then you're more than welcome to provide a patch
10:53 -!- MAbeeTT [~MAbeeTT@190.179.250.213] has quit [Read error: Connection reset by peer]
10:53 <@ecrist> wallbroken: generally NFS will work fine, but WAN links are problematic
10:53 <@ecrist> if you're local, running NFS over an openvpn link should be OK
10:54 < wallbroken> i need to share resources also over internet
10:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:55 < wallbroken> and NFS doesn't provide a sort of authentication system, so, i need to allow access only to lan and openvpn pool and access over internet in this way
10:55 <@ecrist> any type of mounted system is crap over the internet
10:55 <@ecrist> NFS DOES provide authentication
10:55 <@ecrist> NFSv4, anyhow
10:55 <@ecrist> CIFS would probably be better over the WAN
10:55 < wallbroken> what kind of authentication?
10:55 <@ecrist> sshfs is a horrible hack
10:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:56 < wallbroken> the fact is that sshfs asks user and password when i try to access to the resource. nfs do not
10:57 <@ecrist> depends on how you have NFS deployed
10:57 <@ecrist> short story, don't use it over the internet, use something else
10:57 <@ecrist> you obviously don't care about performance and other low-level stuff
10:57 -!- aji` [~alex@atheme/member/aji] has joined #openvpn
10:58 < wallbroken> use something else = sshfs ?
10:58 < wallbroken> you said that is horrible :)
10:59 < wallbroken> but why is horrible? it also provides encryption
11:01 <@ecrist> !notovpn
11:01 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
11:01 <@ecrist> :)
11:02 < wallbroken> ok, never mind
11:05 -!- aji [~alex@atheme/member/aji] has quit [Quit: Segmentation fault (aji dumped)]
11:07 -!- aji` is now known as aji
11:08 < wallbroken> ecrist, do you know some on-topic channel on this? in #networking they said that is off-topic too
11:13 < quantumkey> Hi - do we mind someone advertising Softether VPN on the openVPN forum : See this example https://forums.openvpn.net/topic14109.html#p37068
11:13 <@vpnHelper> Title: OpenVPN Support Forum Is OpenVPN connect open source? : OpenVPN Connect (Android) (at forums.openvpn.net)
11:15 -!- cato [cato@i.xnis.de] has left #openvpn []
11:25 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
11:27 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:28 < pekster> This is a GPL channel; we don't tend to care at all what happens on the non-free forums/issues/reports/etc
11:28  * pekster stops caring
11:29 -!- kalloc_ is now known as kalloc
11:33 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
11:35 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has left #openvpn []
11:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:56 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 264 seconds]
11:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:58 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
12:02 <@ecrist> quantumkey: we do not permit advertising on the forum.
12:03 <+rob0> isn't debbie10t a forum moderator?
12:04 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
12:06 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
12:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:06 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
12:07 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
12:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:17 < Iain_> I am trying to get an OpenVPN tunnel working with IPv6 as a transport for both IPv6 and IPv4. The configuration I have works in that IPv4 uses the IPv6 tunnel and I can ping6 both ends of the tunnel. However if I ping6 google.com (or anywhere else) it exits via my normal IPv6 address. How can I make IPv6 traffic use the tunnel ? Here is my config and logs https://gist.github.com/IainDouglas/8525744
12:17 <@vpnHelper> Title: OpenVPN information (at gist.github.com)
12:20 < plaisthos> Iain_: you have no default routes for IPv6 in your VPN configuration
12:20 < plaisthos> and beware that there is no redirect-gateway for IPv6 yet
12:20 < plaisthos> so configuring a VPN client to a v6 host might be a bit more tricky
12:22 < Iain_> plaisthos, if I set push "route-ipv6 2000::/3" then I get neither IPv4 or IPv6 going over the tunnel
12:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:23 < plaisthos> Iain_: yeah because the traffic to your vpn server is also routed over the tun interface
12:24 < Iain_> plaisthos, Yes, I saw that when watching tcpdump - what's the best solution for me ?
12:25 < plaisthos> do something like add route to your vpn server pointing directly at your ipv6 hop on eth0
12:28 < Iain_> I'm sorry I'm being entirely thick atm - what info can I provide so you can show me a command ?
12:36 -!- quantumkey is now known as debbie10t
12:36 < debbie10t> Thanks for your answer - I will delete the posts if that is what is prefered.
12:37 < debbie10t> ecrist: Thanks for your answer - I will delete the posts if that is what is prefered.
12:37 -!- debbie10t is now known as quantumkey
12:39 < quantumkey> Well . as the post has received answers I am not going to delete it.
12:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:49 < plaisthos> Iain_: sorry I don't know the syntax for LInux
12:49 < plaisthos> something like route add v6ipserver ipv6routerip
13:02 < Iain_> plaisthos, thanks but I'm still confused. Anyone else who can help ?
13:02 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-whcshbgsjqajlkov] has joined #openvpn
13:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:18 -!- Adda11 [~SNakebbb@cpc5-pmth10-2-0-cust162.6-1.cable.virginm.net] has joined #openvpn
13:18 -!- toastedpenguin [~David_Chr@99-128-202-69.lightspeed.okpkil.sbcglobal.net] has joined #openvpn
13:19 < Adda11> hi all, I tried to do an ifconfig-push server side config which I configured by setting up the server to look for client-specific configs and naming the configs by the clients common name
13:19 -!- toastedpenguin [~David_Chr@99-128-202-69.lightspeed.okpkil.sbcglobal.net] has left #openvpn []
13:19 < Adda11> this worked fine for the openvpn client on my android phone, however on a debian package install the client does not connect
13:19 < Adda11> does anyone know a reason why a debian openvpn install might not connect with client specific configs defined on the server?
13:22 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
13:23 <@ecrist> rob0: yes
13:24 <@ecrist> quantumkey: please send me a link to the post.
13:25 < quantumkey> ecrist: i split off the post like so : https://forums.openvpn.net/topic14826.html
13:25 <@vpnHelper> Title: OpenVPN Support Forum SoftetherVPN : Off Topic, Related (at forums.openvpn.net)
13:27 < quantumkey> Blacklogic's comment was originally the last post in this thread : https://forums.openvpn.net/topic14109.html#p37068
13:27 <@vpnHelper> Title: OpenVPN Support Forum Is OpenVPN connect open source? : OpenVPN Connect (Android) (at forums.openvpn.net)
13:30 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
13:31 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:42 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
13:51 -!- joshh20-Away is now known as joshh20
13:58 <@ecrist> quantumkey: probably should have left that thread alone
13:59 -!- aji is now known as aji_
13:59 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
13:59 -!- aji [~alex@atheme/member/aji] has joined #openvpn
14:04 -!- aji_ [~alex@atheme/member/aji] has quit [Quit: Segmentation fault (aji dumped)]
14:05 < quantumkey> ecrist: you want me to re-unite the threads ?
14:06 <@ecrist> nope, just leave it now, it's fine.
14:06 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:06 <@ecrist> before you split it, though, the two following replies were from mods that outrank you, and neither of them saw fit to split it
14:08 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
14:12 < quantumkey> ok
14:13 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
14:14 < quantumkey> the post by blacklogic did not really have much to do with the OP .. even if you read it now it just looks like a plug for softether
14:14 <@ecrist> oh, I agree with you
14:14 <@ecrist> but I'd have left it alone
14:14 < quantumkey> ok
14:14 -!- alice|wl [~helo@m5.notomorrow.de] has left #openvpn []
14:36 -!- monoxyde` [~monoxyde@unaffiliated/monoxyde] has joined #openvpn
14:36 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
14:37 < Adda11> hi all, I tried to do an ifconfig-push server side config which I configured by setting up the server to look for client-specific configs and naming the configs by the clients common name
14:37 < Adda11> does anyone know a reason why a debian openvpn install might not connect with client specific configs defined on the server?
14:38 < monoxyde`> i setup an OpenVPN server on debian as described on https://wiki.debian.org/OpenVPN . I can connect my Windows 8 computer to it. I can ping my computer from the server, and I can ping my server from the computer... and even ssh into the private IP (10.9.8.1), but it is not routing all my traffic via OpenVPN, does anyone have any ideas or suggestions?
14:38 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
14:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:41 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:42 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
14:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
14:49 -!- qpls [~qpls@69-165-173-171.dsl.teksavvy.com] has joined #openvpn
14:50 < qpls> hey guys, I am having some trouble creating a  working client configuration
14:50 -!- mattock is now known as mattock_afk
14:50 < qpls> I managed to get most things set up, but I can't seem to get the client to use the dynamically allocated ip of the server
14:50 < qpls> i have to manually assign it each time
14:52 < qpls> I am using ifconfig-pool-persist on the server, and I can see the ip assigned in the server logs, however the client (presently a linux machine) doesn't automatically configure the ip
14:52 < qpls> I have looked through the man pages, but can't seem to figure out why this is the case
15:00 -!- monoxyde` [~monoxyde@unaffiliated/monoxyde] has quit []
15:02 < qpls> !welcome
15:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:02 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:06 < qpls> My goal is to have my openvpn server dynamically distribute ips to clients, I have configured this bhaviour using ifconfig-pool-persist and as far as the server is concerned it appears to work, however the clients (linux based) do not configure themselves to use the allocated ips
15:07 < qpls> a copy of my client config is here http://qpls.devio.us/client.conf
15:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
15:13 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:13 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
15:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
15:15 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 252 seconds]
15:17 < quantumkey> qpls: how about your server.config ?
15:18 < quantumkey> addall: !paste
15:19 < quantumkey> Adda11 !paste
15:19 < Adda11> quantumkey, one sec
15:20 < Adda11> quantumkey, http://pastebin.ca/2566120
15:20 < Adda11> I want to give clients static IPs
15:21 < quantumkey> Adda11 - have a read of this : http://openvpn.net/index.php/open-source/documentation/howto.html#scope
15:21 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:22 < qpls> quantumkey: http://qpls.devio.us/server.conf
15:22 < qpls> I'm pretty sure my server is configured correctly
15:22 < Adda11> quantumkey, I followed this: client-config-dir /blah
15:22 < qpls> because in the log it claims to assign the ip address to the client
15:22 < Adda11> and in each clients config file I had ifconfig-push ip mask
15:23 < Adda11> and it worked fine for my android ovpn client (it took on the specified IP) but my debian client refused to connect
15:23 < Adda11> in the logs it said something about script-security
15:23 < quantumkey> Adda11 - there is nothing in your server config regarding these settings - that you just pasted
15:25 < Adda11> no i know quantumkey but it's a simple two set of lines as I just described
15:25 < quantumkey> Adda11 - ifconfig-push MUST be used in a client-connect-dir/client_cn_script
15:25 < Adda11> they WERE present, I have removed them now so that debian clients connect succesfully
15:25 < Adda11> that is how I implemented it quantumkey
15:26 < Adda11> again, it worked OK for my android clients, but not my debian ones
15:26 < Adda11> I believe the issue is with the client not liking the directives
15:26 < Adda11> can you think of why? is script-security relevant?
15:29 < quantumkey> Adda11 - ifconfig-push MUST be used in a client-connect-dir/client_cn_script - you cannot use ifconfig-push in the server.conf .. so if you do not have client specific connections scripts you cannot ifconfig-push to them ... script security is mainly for executing scripts outside of openvpn - client-connect-dir/scripts are within openvpn and require only the default (1) setting
15:31 < Adda11> quantumkey, my set up was this
15:32 < Adda11> client-connect-dir /jffs/openvpn/staticclients in server conf
15:32 < Adda11> /jffs/openvpn/staticclients/android contained the single line
15:32 < quantumkey> addall - as you have not specified a topology you will be using net30 and so your client will inherit the next available net30 ip address
15:32 < Adda11> ifconfig-push 10.8.0.6 255.255.255.252
15:32 < Adda11> and /jffs/openvpn/staticclients/terminal3
15:32 < Adda11> contained ifconfig-push 10.8.0.10 255.255.255.252
15:33 < Adda11> terminal3 is a debian machine running openvpn default package for debian arm
15:33 < Adda11> this is a raspberry pi
15:33 < Adda11> the pi connected fine WITHOUT the client-connect-dir direvtive
15:33 < quantumkey> adda11 - in net30 it is ifconfig-push 10.8.0.6 10.8.0.5 - you log will show you the error
15:33 < quantumkey> otherwise read about topology
15:33 < quantumkey> !topology
15:33 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
15:33 < Adda11> net30?
15:34 < Adda11> in the server or client log?
15:34 < quantumkey> client
15:35 < Adda11> under verb 3?
15:35 < quantumkey> yep - but have a read of topology aswell
15:36 < quantumkey> qpls - sorry - i am trying to work out your problem aswell ---
15:37 < quantumkey> qpls - REMOVE THIS : mtu-disc yes
15:40 < qpls> quantumkey: is that related to my ip allocation issue?
15:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:40 < qpls> that was automatically set by my router, the wiki for my firmware said not to mess with it
15:42 < quantumkey> qpls - they probably meant "don't mess with mtu settings" --mtu-disc is going to mess .. disable it for now and see what happens.
15:43 < qpls> ok
15:43 < quantumkey> qpls - probably worth pasting your server.log aswel
15:43 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
15:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
16:18 < qpls> quantumkey: that does not seem to have made a difference
16:18 < qpls> I am working on retrieving the server logs
16:18 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
16:18 -!- moparisthebest_ [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has joined #openvpn
16:21 -!- joshh20 is now known as joshh20-Away
16:21 -!- moparisthebest_ [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has quit [Read error: Connection reset by peer]
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:24 < quantumkey> qpls - what operating systems are your serv/cli ?
16:29 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has joined #openvpn
16:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
16:48 -!- pcdummy is now known as Fast[BDC]
16:48 < qpls> quantumkey: dd-wrt
16:48 < qpls> and debian for client
16:58 < quantumkey> qpls - are you running openvpn as root on your client ?
16:58 < quantumkey> su or sudo
16:59 -!- nobit [nobit@unaffiliated/muska] has quit [Read error: Operation timed out]
17:01 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
17:04 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
17:04 < Adda11> quantumkey, i've had a read about topology
17:05 < quantumkey> qpls - try pasting the client log for now
17:05 < quantumkey> Adda11 - hi
17:05 < Adda11> since I have a server 10.8.0.0 255.255.255.0 directive does this imply i am using subnet topology?
17:05 < quantumkey> no
17:05 < quantumkey> net30 is default unless otherwise specified
17:06 < Adda11> ah
17:06 < pekster> Adda11: All you want are static IPs?
17:06 < pekster> !static
17:06 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
17:06 <@vpnHelper> also: !addressing
17:06 < pekster> (#5) has helpful samples depending on your topology (and go use the 'subnet' topology unless you _actually_ have 7+ year old clients you're supporting)
17:06 < Adda11> nice
17:07 < Adda11> thanks guys
17:10 -!- Adda11 [~SNakebbb@cpc5-pmth10-2-0-cust162.6-1.cable.virginm.net] has quit [Quit: Leaving]
17:31 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Ping timeout: 264 seconds]
17:37 -!- lj [~l@74.120.200.95] has joined #openvpn
17:39 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has joined #openvpn
17:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
17:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:12 < qpls> quantumkey: http://qpls.devio.us/clilog.txt
18:12 < qpls> nothing in the log seems to suggest it's even attempting to configure the ip
18:12 < pekster> What are you doing?
18:12 < qpls> I know the connection is fine, since if I manually bring tun0 up and configure it, stuff works
18:12 < pekster> (attempting to do?)
18:13 < qpls> it's in my backlog
18:13 < qpls> once sec
18:13 < qpls> My goal is to have my openvpn server dynamically distribute ips to clients, I have configured this bhaviour using ifconfig-pool-persist and as  far as the server is concerned it appears to work, however the clients (linux based) do not configure themselves to use the allocated ips
18:13 < pekster> ipp isn't static
18:13 < pekster> !static
18:13 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
18:13 <@vpnHelper> also: !addressing
18:13 < qpls> I know it isn't static
18:13 < pekster> ^ that's how you do static IPs. Either do it properly static, or write a script. ipp works a bit like the ISC dhcpd leases file remembering old history
18:14 < qpls> I'm trying to get the clients to acknowledge the dynamic ips of the server
18:14 < qpls> I don't want static
18:14 < pekster> You push them from the server
18:14 < quantumkey> pekster - qpls is not getting any ip assigned to the tun device
18:14 < pekster> Then post a _complete_ log
18:14 < pekster> That's woefully incomplete
18:14 < quantumkey> qpls - are you running as root
18:14 < qpls> quantumkey: yes
18:14 < qpls> pekster: incomplete how?
18:14 < pekster> It's not a full log
18:15 < qpls> nothing above it is useful
18:15 < qpls> there are only five lines missing
18:15 < pekster> The pull request is there
18:15 < pekster> No, LOTS is missing
18:15 < pekster> !logs
18:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:15 < pekster> !logfile
18:15 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
18:15 -!- vinise [~vinise@78-23-152-207.access.telenet.be] has joined #openvpn
18:15 < pekster> verb 4 spews hundreds of lines
18:15 < pekster> Not a dozen
18:15 < pekster> Try again
18:15 < qpls> oh
18:15 < qpls> I was using verb 3
18:15 < qpls> ok
18:16 -!- tempu [~able@gateway/tor-sasl/able] has joined #openvpn
18:17 -!- tempu is now known as able
18:17 < quantumkey> pekster - these are the configs posted by qpls ( i was going to suggest verb 4 but was waiting for his reply)
18:17 < pekster> So, what you _should_ so is go to gist.github.com, past _both_ your configs, and _both_ your logs, then give the link here
18:17 < quantumkey> http://qpls.devio.us/client.conf
18:17 -!- able [~able@gateway/tor-sasl/able] has quit [Client Quit]
18:17 < quantumkey> http://qpls.devio.us/server.conf
18:17 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
18:17 < pekster> Well, if you have the links elsewhere that works too
18:17 < vinise> hi all i'm trying to make an openvpn config as bridge but without success network config : http://pastebin.com/eZpzUvrm
18:18 < pekster> qpls: Are these current?
18:18 < pekster> Or have you changed them? I don't like 3rd hand into
18:18 < pekster> info*
18:18 < pekster> vinise: Don't bridge unless you know what you're doing: see: !tunortap
18:19 < quantumkey> qpls - are those configs current still ?????
18:19 < pekster> How about the OP asks questions
18:19 < pekster> I hardly need an intermediary
18:19  * pekster shrugs. Too much work
18:20 < vinise> pekster: beter do a forward aff all between 2 interfaces eth1 and tap0?
18:20 < pekster> Don't use tap at all
18:20 < pekster> Why do you want to transport Ethernet (OSI L2) frames?
18:20 < pekster> Are you using a non-IP protocol?
18:20 < qpls> pekster: current
18:21 < pekster> Then it should work fine. Without /proper/ logs, we can't really say why it doesn't
18:21 < qpls> I'm getting those now
18:21 < qpls> sorry for the delay
18:21 < qpls> http://qpls.devio.us/clilog.txt
18:22 < vinise> pekster: no tap??
18:23 < vinise> what do you sugest? tun?
18:23 < qpls> quantumkey: verbose log is up
18:23  * quantumkey is looking
18:23 < qpls> still doesn't seem to allocate the ip anywhere
18:23 < pekster> vinise: Yup, route. Don't bridge. Bridging is for _ethernet_ traffic. Are you sending Ethernet frames?
18:23 < qpls> or rather obtain it
18:24 < quantumkey> qpls - there is no push/pull
18:24 < qpls> what do I need to push?
18:24 < pekster> --server and --client already do the push/pull thing. Looks like that's not the same config
18:24 < qpls> I just ran the config I posted
18:24 < qpls> that was the result
18:24 < pekster> Or logs are getting lost somewhere
18:25 < pekster> --client implies PULL
18:25 < quantumkey> qpls - did you get rid of mtu-disc ?
18:25 < qpls> yes
18:25 < qpls> forgot to mention that is the one thing I changed
18:25 < pekster> That's pointless
18:25 < vinise> pekster: i've got a network with one front server on witch i'm setting up openvpn i was thinking on staying on same ip range for vpn to access all other servers... may be not the best think to do :/what do you recomand?
18:25 < pekster> removing it
18:25 < quantumkey> pekster - qpls is using dd-wrt
18:25 < pekster> Keeping it is fine, anad in fact preferred if your OS supports it
18:26 < pekster> I don't care
18:26 < qpls> lol
18:26 < pekster> The suggestion to remove mtu-disc before even looking at logs was pointless
18:26 < pekster> :(
18:26 < pekster> dd-wrt is shit, but I'm hardly going to talk people out of it
18:26 < qpls> do you recommend a different embeded firmware?
18:26 < pekster> vinise: I have no clue what your goals are, but you almost always wantn routing
18:26 < pekster> openwrt
18:26 < pekster> dd-wrt sucks oh so much
18:26 < pekster> !ddwrt
18:26 < pekster> !dd-wrt
18:26 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
18:27 < vinise> pekster: ok ;) so dev tun with separate iprange and iptable to forward? seems what you'll do?
18:27 < qpls> thanks
18:27 < quantumkey> qpls - it would help if you could extract a full server log - your server is not pushing
18:27 < pekster> vinise: Yup. Why would you use tap if you didn't need it?
18:28 < pekster> PULL_REQUEST is what triggers the PUSH_REPLY
18:28 < pekster> You don't get the latter without the former
18:28 < quantumkey> pekster - as you said before --client implies pull
18:28 < qpls> ok
18:29 < qpls> out of curiousity what rule should it be pushing?
18:29 < qpls> does it generate a rule specific to the ip it has allocated?
18:29 < pekster> "rule"? No, it pushes lots of things
18:29 < qpls> i.e ifconfig <generated ip> <server ip>
18:29 < quantumkey> ifconfig/ping/ping-restart etc
18:29 < pekster> the topology, the addressing, any routes,
18:29 < pekster> Yea
18:29 < qpls> I see
18:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-busunsoyjixaztlo] has quit [Ping timeout: 272 seconds]
18:30 < pekster> client and pull are disabled
18:31 < pekster> That's why you have problems. How are you launching openvpn?
18:31 < vinise> pekster : i thought it was easier than forwarding
18:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-krlecnzozptqxhfv] has joined #openvpn
18:31 < pekster> No, bridging is more complexl than forwarding
18:32 < pekster> Next time don't refuse to read reference you're given:
18:32 < pekster> !tunortap
18:32 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:32 <@vpnHelper> rooted/jailbroken) support only tun
18:32 < pekster> I don't give them for my own amusement
18:32 < qpls> dd-wrt automatically launches it, though checking ps suggests it is being launched in the standard way (i.e openvpn --config <cfgfile> --route-up somefile --down-pre somefile)
18:33 < pekster> Then go whine to dd-wrt
18:33 < qpls> I posted cfgfile earlier
18:33 < pekster> THta's your client?
18:33 < vinise> thanks pekster ;)
18:33 < qpls> I don't think it should be dd-wrt specified
18:33 < qpls> *specific
18:33 < pekster> Your logs do _NOT_ match that config
18:33 < qpls> I posted the config exactly as it was
18:33 < pekster> Yea, and I don't care
18:33 < pekster> Lines 212-213 of your client log are the problem
18:34 < pekster> Either show me _exactly_ how you're starting the client, or go whine to your $platform people if you're using magic you don't understand and can't explain
18:35 < quantumkey> qpls - your configs are not exact as you have disabled mtu-disc as you sad .. but your server.log would help a LOT
18:35 < pekster> That's also horrible advice now
18:35 < qpls> ok
18:35 < qpls> I'm getting it
18:35 < pekster> The client has values that do not match the config
18:35 < pekster> That is the current problem
18:35 < pekster> Whatever, spin wheels some more. I'm not going to argue with bad advice. I have better ways to spend my evening
18:37 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
18:37 < quantumkey> qpls - listen to pekster .. he really does know this stuff inside out -- basically post totally upto date configs and logs (verb 4)
18:37 <@Eugene> !beer
18:37 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
18:37 < qpls> ok, I will start from the beginning and post fresh logs
18:37 <@Eugene> pekster ^
18:37 < pekster> Oh, I have beer
18:37 < quantumkey> cheee-arse
18:38 < pekster> qpls: The problem is your client is not using the config you pasted. Why is anyone's guess
18:38 < pekster> Either show us how it's done or I can't help you, and the only other people helping you aren't going to get you anywhere useful
18:38 < qpls> I'm running my client on a linux desktop as root with openvpn --config <client>
18:38 < pekster> Oh, lines 222-223
18:38 < qpls> dd-wrt is the server
18:38 < pekster> Then that's not the client config
18:38 < pekster> Mon Jan 20 19:17:58 2014 us=766096   client = DISABLED
18:39 < pekster> That means it's not using --client
18:39 < pekster> Your config has that, so it's not the same config
18:39 < qpls> hmm
18:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:39 < quantumkey> qpls --wrong file maybe ?
18:39 < qpls> I'm checking
18:40 < qpls> ahh
18:40 < pekster> Pretty sure this is the 3rd time I've said that too
18:40 < qpls> you're right
18:40 < vinise> is it normal that i cant ping server with dev tun??
18:40 < qpls> this one has tls-client rather than client
18:40 < pekster> Then WTF tell me that's your current config?
18:40 < pekster> :(
18:40 < pekster> I guess having a 3rd party "do it for you" didn't help either
18:41 < qpls> the third party is running the server
18:41 < qpls> client was me
18:41 < qpls> so I apologize for the mistake
18:41 < pekster> No, the 3rd party is the idiot who posted your configs on your behalf
18:41 < qpls> anyway http://qpls.devio.us/client.conf is 100%
18:41 < qpls> what I am using now
18:42 < quantumkey> pekster - I was helping qpls earlier but he took long time to reply
18:43 < pekster> Yea, again, I don't care
18:43  * quantumkey never help again .....
18:43 < pekster> qpls: Should be fine, although I wouldn't mess with --tun-mtu like that on the server (thought that is the default, and I guess your "appliance" does this crap for you..)
18:44 < qpls> yeah yeah
18:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
18:44 < qpls> ok, it's working now
18:44 < qpls> I am an idiot
18:44 < qpls> somehow client got changed to "tls-client"
18:44 -!- master_o1_master [~master_of@p4FD7B2D4.dip0.t-ipconnect.de] has joined #openvpn
18:44  * quantumkey drinks that beeer
18:45 < qpls> thanks for all your help guys
18:45 < qpls> you have been immensely helpful
18:45 < quantumkey> cheers :)
18:48 -!- master_of_master [~master_of@p4FD7B26E.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
18:49  * Eugene puts laundry in his appliances
18:50 < pekster> And yet they're still more open than dd-wrt
18:50 < qpls> vinise: you should be able to ping the server
18:50 < pekster> Surely more secure too!
18:50 < qpls> lol
18:51 < qpls> what makes openwrt more secure?
18:51 < vinise> qpls, yes sory forget to change dev type on clinet -_- not good to work at 1.51Am -_-
18:51 < pekster> qpls: read:
18:51 < pekster> !dd-wrt
18:51 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
18:51 < pekster> I frankly don't care what you run
18:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-krlecnzozptqxhfv] has quit [Ping timeout: 252 seconds]
18:55 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
18:56 -!- kirin` [telex@gateway/shell/anapnea.net/x-bmhqmjrshdyszhcm] has joined #openvpn
18:58 < vinise> pekster: cant successfuly forward everithing between eth1 and tun0 ... do you have correct iptables instruction in mind?
18:58 < qpls> the first has been fixed as far as I can tell
18:58 < qpls> and the latter would apply to openwrt too no?
18:58 < qpls> vinise: what does your route output look like?
18:58 < pekster> vinise: #Netfilter if you need netfilter help
18:59 < pekster> With tun you simply routing and firewall as you would on any other router
18:59 < pekster> route*
18:59 < pekster> Um, no. openwrt doesn't suck like dd-wrt does there
18:59 < red_racer12> what was the !command for newbies guide
19:00 < pekster> !howto or !new
19:00 < qpls> doesn't the ssl key have to be embeded in the firmware
19:00 < pekster> NO
19:00 < pekster> FFS no
19:00 < red_racer12> !howto red_racer12
19:00 < qpls> how does the server authenticate then?
19:00 < pekster> Non-fucked OSes _generate_ a unique key on boot
19:00 < red_racer12> !new red_racer12
19:00 < qpls> oh
19:00 < qpls> right
19:00 < pekster> Shitty systems are part of the little black box project
19:00 < qpls> that would make sense
19:00 < pekster> ANd they're fucking stupid as a result
19:00  * pekster shrugs
19:00 < red_racer12> !howto
19:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:01 < vinise> pekster: http://pastebin.com/ee4ZGYvE
19:01 < pekster> I have no clue what you're doing
19:01 < pekster> A routing table out of context is silly
19:01 < pekster> !goal
19:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:03 < vinise> i have a couple of servers and only one front server with vpn... need to access all other server behind that one=> secure only between my computer and front server
19:04 < pekster> !serverlan
19:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
19:04 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
19:05 < qpls> what is the black box project?
19:06 < pekster> list of all private keys on every dd-wrt device on the planet (minus users who change them, but people that security-concious don't run shitty OSes in the first place)
19:06 < vinise> !route_outside_openvpn
19:06 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
19:06 < pekster> tl;dr: ddrt is crap
19:06 < pekster> ddwrt*
19:06 < pekster> Use it anyway. I'm sick of bashing them here. Go ask ##security how smart pre-generated keys are in your own appliances
19:07 < qpls> where is this blackbox project?
19:07 < qpls> I can't find it via google
19:08 < pekster> Then you search poorly
19:08 < pekster> https://duckduckgo.com/?q=little+black+box+ssh+keys
19:08 <@vpnHelper> Title: little black box ssh keys at DuckDuckGo (at duckduckgo.com)
19:08 < vinise> !route
19:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:08 <@vpnHelper> client
19:08 < qpls> thanks, it was buried under the xbmc project
19:17 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:17 < vinise> pekster, thanks for your explaination :) i've add client-to-client to my server and route to network => got access to all network ;) (hope is the right way to do it)
19:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
19:19 < pekster> If that's what your goals are, then sure
19:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:20 < vinise> ok i've lost one day thinking tap was better -_- 3 lines and i was good with tun -_- ... i'm gonna stop computer and sell french fries
19:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
19:25 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
19:26 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
19:28 -!- vinise [~vinise@78-23-152-207.access.telenet.be] has quit [Quit: Quitte]
19:37 <@Eugene> Mmmmm french fries
19:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:43 -!- aji [~alex@atheme/member/aji] has quit [Remote host closed the connection]
19:43 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
19:43 -!- aji [~alex@atheme/member/aji] has joined #openvpn
19:43 -!- aji [~alex@atheme/member/aji] has quit [Client Quit]
19:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
19:44 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
19:45 -!- aji [~alex@atheme/member/aji] has joined #openvpn
19:52 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
20:31 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
20:38 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 246 seconds]
20:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:40 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
20:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
20:48 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
20:49 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
21:08 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
21:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
21:09 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
21:09 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
21:09 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
21:52 -!- lj [~l@99.155.24.89] has joined #openvpn
21:55 -!- schnitzl [~schnitzl@dslb-178-010-089-070.pools.arcor-ip.net] has quit [Ping timeout: 248 seconds]
21:56 -!- schnitzl [~schnitzl@dslb-188-105-166-050.pools.arcor-ip.net] has joined #openvpn
22:22 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
22:37 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
22:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Max SendQ exceeded]
22:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
22:57 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
22:57 -!- tfox [~tfox@184.75.213.90] has joined #openvpn
23:01 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
23:11 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Ping timeout: 246 seconds]
23:19 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
23:20 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:27 -!- tfox [~tfox@184.75.213.90] has quit [Quit: tfox]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:40 -!- tfox [~tfox@184.75.213.90] has joined #openvpn
23:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
--- Day changed Tue Jan 21 2014
00:10 -!- kj5t [~steve@cpe-72-179-50-54.austin.res.rr.com] has joined #openvpn
00:16 < kj5t> Hello All, I could use some input on configuring OpenVPN on my server which is behind a NAT router if anyone is awake
00:18 < kj5t> I have set-up dynDNS, and port forwarding on my router to forward traffic on port 1194 to the IP of the server running OpenVPN
00:20 -!- lj [~l@99.155.24.89] has quit [Ping timeout: 260 seconds]
00:20 -!- lj1 [~l@99.155.24.89] has joined #openvpn
00:21 < Hes> Hi Steve, do you have a specific question? How far did you get in the setup? de OH7LZB
00:23 -!- mattock_afk is now known as mattock
00:25 < kj5t> At this point I have the server "running", and the client I think configured correctly.  But the client just hangs at waiting for the server response.
00:26 < kj5t> I am in the process of reviewing my configuration.  I presume that the "local" ip in the server conf should be the ip of eth0?  And that I should forward my WAN IP traffic to that NAT'ed address with my router as I am doing?
00:26 < kj5t> I am checking logs on client side now
00:31 < kj5t> looks like a possible cert issue -- getting "expected remote options hash" error
00:37 -!- tfox [~tfox@184.75.213.90] has quit [Quit: tfox]
00:37 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has joined #openvpn
00:40 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
00:46 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 272 seconds]
00:54 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:54 < kj5t> Okay updated my certs I am connected
00:55 < kj5t> Time to test my routing ;)
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:01 < kj5t> All looks good
01:01 < kj5t> thanks guys
01:01 -!- kj5t [~steve@cpe-72-179-50-54.austin.res.rr.com] has quit [Quit: leaving]
01:01 -!- lj1 [~l@99.155.24.89] has quit [Quit: Leaving.]
01:04 -!- lj [~l@99.155.24.89] has joined #openvpn
01:10 -!- moshin [~mo@udp001682uds.hawaiiantel.net] has quit [Quit: moshin]
01:11 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Remote host closed the connection]
01:13 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has joined #openvpn
01:16 -!- lj [~l@99.155.24.89] has quit [Read error: Connection reset by peer]
01:18 -!- lj [~l@99.155.24.89] has joined #openvpn
01:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:40 -!- blarghlarghl [michael@efnet.math.uwaterloo.ca] has joined #openvpn
01:41 < blarghlarghl> Hi all. I was in here once and someone gave me a flowchart to troubleshoot my openvpn and router setup.
01:41 < blarghlarghl> Via an ! command
01:41 < blarghlarghl> Anyone know what I'm talking about? I can't remember the relevant bot command.
01:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:52 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has joined #openvpn
01:53 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
01:54 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has joined #openvpn
02:04 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
02:54 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has quit [Ping timeout: 252 seconds]
02:55 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has joined #openvpn
03:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 246 seconds]
03:03 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
03:10 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:17 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
03:19 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has joined #openvpn
03:24 < reiffert> b;
03:24 < reiffert> !welcome
03:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:25 < reiffert> blarghlarghl: see above
03:29 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has quit [Ping timeout: 248 seconds]
03:31 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has joined #openvpn
03:41 -!- gael [~gael@LMontsouris-656-01-131-131.w193-253.abo.wanadoo.fr] has quit [Quit: Quitte]
03:46 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
03:52 -!- fvalente [~fvalente@ts.node.pt] has quit [Read error: Operation timed out]
04:13 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
04:14 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
04:15 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
04:15 -!- mode/#openvpn [+o krzee] by ChanServ
04:16 -!- paradoxum [c2420b2b@gateway/web/cgi-irc/kiwiirc.com/ip.194.66.11.43] has joined #openvpn
04:17 < paradoxum> Hi guys. Trying to openvpn using my android (openvpn connect app) using college wifi to my openvpn server on my tomato router, thread with lots of info here: https://forums.openvpn.net/post37231.html
04:17 <@vpnHelper> Title: OpenVPN Support Forum [Support Request] Bypassing firewall/proxy : OpenVPN Connect (Android) (at forums.openvpn.net)
04:17 < paradoxum> Could anyone help? latest post is most relevant
04:24 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
04:26 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
04:31 < alexxtasi> hi to all!! I want to use openvpn with ldap authentication (I have ldap-auth plugin already installed). Can I disable tls-server mode and just pull ldap credentials in openvpn server without the need of certificates between server and client? (just "auth-user-pass" in client config - no certificates) - my purpose is to find out whether I have certificate or plugin erros
04:31 < alexxtasi> thanks in advance
04:33 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
04:33 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
04:33 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
04:33 -!- mode/#openvpn [+o krzee] by ChanServ
04:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:47 < paradoxum> if anyone has any ideas, please reply to the topic, or just say here - i'm idling here from home
04:49 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
04:49 < paradoxum> https://forums.openvpn.net/post37231.html
04:50 <@vpnHelper> Title: OpenVPN Support Forum [Support Request] Bypassing firewall/proxy : OpenVPN Connect (Android) (at forums.openvpn.net)
04:50 -!- paradoxum [c2420b2b@gateway/web/cgi-irc/kiwiirc.com/ip.194.66.11.43] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
04:50 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
04:54 -!- mitz [~mitz@KHP222227247006.ppp-bb.dion.ne.jp] has quit [Quit: WeeChat 0.4.2]
04:54 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
04:55 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
04:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
04:56 -!- mode/#openvpn [+o krzee] by ChanServ
05:05 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:06 -!- master_o1_master [~master_of@p4FD7B2D4.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
05:06 -!- master_of_master [~master_of@p4FD7B2D4.dip0.t-ipconnect.de] has joined #openvpn
05:11 -!- dandy [~dandy@2a01:360:106::2] has quit [Ping timeout: 240 seconds]
05:12 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
05:26 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
05:59 -!- Devastatr [~devas@177.99.154.132] has joined #openvpn
05:59 -!- Devastatr [~devas@177.99.154.132] has quit [Changing host]
05:59 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
05:59 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 265 seconds]
06:10 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
06:10 -!- Cybertinus [~Cybertinu@2001:828:405:30:83:96:177:42] has quit [Remote host closed the connection]
06:11 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:12 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
06:16 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
06:16 < wallbroken> hi
06:17 < wallbroken> i need an easy-rsa 3 howto to revoke certs, do you have it?
06:17 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
06:40 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:40 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:47 < reiffert> !recok
06:47 < reiffert> !revoke
06:47 < reiffert> !factoids search revoke
06:47 <@vpnHelper> No keys matched that query.
06:47 < reiffert> !help
06:47 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
06:47 < reiffert> !factoids search --content recoke
06:47 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
06:47 < reiffert> !factoids search --values recoke
06:47 <@vpnHelper> No keys matched that query.
06:47 < reiffert> !factoids search --values revoke
06:47 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
06:47 < reiffert> come on ..
06:47 <@vpnHelper> that will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
06:48 < reiffert> there you go
07:01 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:05 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
07:25 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
07:26 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
07:47 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
07:50 -!- fvalente [~fvalente@ts.node.pt] has joined #openvpn
07:56 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
08:01 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
08:02 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
08:02 -!- raidz is now known as raidz_away
08:05 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Remote host closed the connection]
08:06 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
08:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
08:12 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
08:13 -!- joshh20-Away is now known as joshh20
08:17 -!- ruben231 [~OpenDial@112.198.79.165] has joined #openvpn
08:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
08:32 -!- Goatman [~bronco51@pptp-212-201-78-253.pptp.stw-bonn.de] has joined #openvpn
08:34 < Goatman> I just compiled openvpn from git. and I cant get the auth-user-pass parameter to function correctly when reading the username and password credentials from a file.  Authentication fails when connecting to the remote server.  Typing the username and password in works fine when input from the terminal
08:34 -!- Engin [~e@ea.tl] has joined #openvpn
08:35 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
08:35 < Engin> I've set up a openvpn server in my server and connected to it with my Mac... but this is far from ideal. I want to use it as my gateway to the internet. Any recommended documentation about it? Server is ubuntu 12.04
08:35 -!- BtbN [btbn@btbn.de] has joined #openvpn
08:49 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
08:50 < Engin> hmm ok, i got it with two more iterations. sweet.
08:55 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
08:56 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 265 seconds]
08:58 -!- Goatman [~bronco51@pptp-212-201-78-253.pptp.stw-bonn.de] has quit [Ping timeout: 246 seconds]
08:59 -!- joshh20 is now known as joshh20-Away
09:00 -!- tfox [~tfox@184.75.213.90] has joined #openvpn
09:05 -!- takamichi [~takamichi@85.12.8.13] has quit [Ping timeout: 272 seconds]
09:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
09:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:10 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has quit [Ping timeout: 265 seconds]
09:11 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has joined #openvpn
09:15 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
09:15 -!- ruben231 [~OpenDial@112.198.79.165] has quit [Ping timeout: 272 seconds]
09:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:27 -!- tfox [~tfox@184.75.213.90] has quit [Ping timeout: 246 seconds]
09:28 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:29 -!- lj [~l@192.241.174.169] has joined #openvpn
09:29 -!- kalloc [~kalloc@stmdev.ru] has quit []
09:29 -!- tfox [~tfox@27.122.12.70] has joined #openvpn
09:30 -!- klein [~klein@unaffiliated/klein] has quit [Remote host closed the connection]
09:38 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:40 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has quit [Ping timeout: 265 seconds]
09:41 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
09:51 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:51 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
09:51 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:53 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
09:54 -!- klein [~klein@unaffiliated/klein] has quit [Remote host closed the connection]
09:58 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:59 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
09:59 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:59 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
10:07 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has quit [Ping timeout: 265 seconds]
10:09 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
10:09 -!- tfox [~tfox@27.122.12.70] has quit [Quit: tfox]
10:17 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
10:17 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has left #openvpn []
10:28 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has quit [Ping timeout: 265 seconds]
10:28 < akselii> so
10:30 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
10:31 -!- lj1 [~l@192.241.174.169] has joined #openvpn
10:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:35 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
10:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:41 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Quit: WeeChat 0.4.2]
10:42 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
10:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
10:48 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:06 -!- lj [~l@192.241.174.169] has joined #openvpn
11:08 -!- jefferai_gone [~quassel@corkblock.jefferai.org] has joined #openvpn
11:09 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
11:09 -!- piem_ [~piem@coconut.piem.org] has joined #openvpn
11:09 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 260 seconds]
11:09 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 260 seconds]
11:09 -!- jefferai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
11:09 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 260 seconds]
11:09 -!- piem [~piem@coconut.piem.org] has quit [Ping timeout: 260 seconds]
11:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 260 seconds]
11:09 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 260 seconds]
11:10 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
11:10 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Connection reset by peer]
11:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:11 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
11:11 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
11:13 -!- matsh [divine@nanogene.org] has joined #openvpn
11:16 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
11:20 -!- raidz_away is now known as raidz
11:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:48 < pekster> wallbroken: The docs easyrsa v3 comes with, perhaps? https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/EasyRSA-Readme.md#revoking-and-publishing-crls
11:48 <@vpnHelper> Title: easy-rsa/doc/EasyRSA-Readme.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
11:52 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-qczgeqllxsyrnyqk] has quit [Ping timeout: 264 seconds]
11:54 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-mizyuzaxpksghfix] has joined #openvpn
11:57 -!- u0m3 [~u0m3@109.96.138.24] has joined #openvpn
12:05 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Ping timeout: 264 seconds]
12:05 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
12:07 -!- Eugene is now known as EugeneKay
12:08 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
12:08 -!- EugeneKay is now known as Eugene
12:10 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
12:18 -!- raidz is now known as raidz_away
12:18 -!- raidz_away is now known as raidz
12:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:29 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
12:29 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Excess Flood]
12:34 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
12:34 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Remote host closed the connection]
12:34 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
12:36 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:39 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 252 seconds]
12:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:46 < wallbroken> pekster: ok, thank you
12:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 265 seconds]
13:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:07 -!- dazo is now known as dazo_afk
13:10 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
13:10 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
13:12 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
13:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
13:42 -!- mzat [~marc@dynamic-adsl-78-12-187-236.clienti.tiscali.it] has joined #openvpn
13:45 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
13:46 -!- mzat [~marc@dynamic-adsl-78-12-187-236.clienti.tiscali.it] has quit [Client Quit]
13:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
13:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:56 -!- arnaud-cyphomax [~arnaud@APointe-a-Pitre-551-1-76-125.w90-43.abo.wanadoo.fr] has joined #openvpn
13:56 < arnaud-cyphomax> !welcome
13:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
13:56 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:58 < arnaud-cyphomax> !goal
13:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:59 < arnaud-cyphomax> !goal I would like to connect to two distinct vpn and launch a process twice, each one using a different connection
14:04 -!- angrybit [~angrybit@74.8.8.206] has joined #openvpn
14:06 < angrybit> A couple questions about setting up an OpenVPN server.  I'm rebuilding my current OVPN server and am playing with some new config options.  I have a single NIC box on a private network.  The firewall forwards port 1194 to the box.
14:06 < angrybit> I want clients who connect to the VPN to have access to all devices on the same private network as the VPN box.
14:07 < angrybit> Previously, I accomplished this with a tun interface.  The server was running DHCP serving out IP's from a different private network and then NATed between that network and the primary network.
14:08 < angrybit> (192.168.10.0 for the main network and 192.168.5.0 for the VPN network.)  Is this still the best appraoch?  I feels overly complicated.
14:08 <+rob0> you can do it with tun with proper routes
14:09 < angrybit> Ok.  So don't bother with the local DHCP server on the box, but just push some routes to the client?
14:09 <+rob0> actually I think you only need the route on your router; it should use ICMP redirect messages to point to the VPN host as nexthop.
14:10 <+rob0> (I know that works with a Linux router.)
14:10 < angrybit> Hmm.  Well, here's my current server.conf.
14:10 < angrybit> http://pastebin.com/EwLybZB9
14:11 < angrybit> Right now, the client is unable to ping or connect to any 192.168.10.0 device.
14:11 <+rob0> NAT is for RFC1918 networks to reach the Internet and vice versa. It is not for RFC1918-to-RFC1918.
14:11 <+rob0> !route
14:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
14:12 <+rob0> This is just basic IP routing stuff.
14:13 < angrybit> I'm just confused as I'm used to the client being assigned an IP when connecting.  Right now when the client connects I get nothing but an empty bridge and tun.  http://pastebin.com/HE2ZC0iX
14:13 < angrybit> That doesn't seem right to me.
14:16 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:19 <+rob0> You use a different IP subnet for your server address pool than what you have on the LAN.
14:19 <+rob0> You set a route on the router to that subnet via the VPN server's LAN IP address.
14:20 <+rob0> LAN clients hit the router when they try to reach a VPN client. The router replies with ICMP redirect messages.
14:21 < angrybit> Thanks.  That makes sense.
14:22 -!- arnaud-cyphomax [~arnaud@APointe-a-Pitre-551-1-76-125.w90-43.abo.wanadoo.fr] has quit [Quit: arnaud-cyphomax]
14:23 -!- angrybit [~angrybit@74.8.8.206] has left #openvpn []
14:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:26 < blarghlarghl> !redirect
14:26 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:26 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:26 < blarghlarghl> !route
14:26 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:26 <@vpnHelper> client
14:42 < wallbroken> pekster: http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
14:42 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:42 < wallbroken> this is valid also with easy-rsa 3?
14:44 -!- arnaud-cyphomax [~arnaud@APointe-a-Pitre-551-1-76-125.w90-43.abo.wanadoo.fr] has joined #openvpn
14:45 -!- mattock is now known as mattock_afk
14:52 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.2]
14:53 -!- arnaud-cyphomax [~arnaud@APointe-a-Pitre-551-1-76-125.w90-43.abo.wanadoo.fr] has quit [Quit: arnaud-cyphomax]
14:57 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
15:11 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has joined #openvpn
15:11 -!- quantumkey [~ma1com10t@host-92-20-5-217.as13285.net] has left #openvpn []
15:21 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
15:35 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
15:41 -!- mzat [~marc@dynamic-adsl-94-36-212-74.clienti.tiscali.it] has joined #openvpn
15:42 < mzat> hi! if I want that the clients of the openvpn be in the same subnet of the server itself, should I use tap device?
15:43 -!- Weasel_ [~kvuorine@a91-154-220-172.elisa-laajakaista.fi] has quit [Remote host closed the connection]
15:45 < mzat> !welcome
15:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:45 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:46 < mzat> !/30
15:46 <@vpnHelper> "/30" is (#1) Default behaviour assigns a /30 subnet(4 addresses) to each peer. See http://goo.gl/6vemm for background or (#2) you can avoid this behavior by reading !topology or (#3) by default, first client is .6, then .10 .14 .18 etc or (#4) use openvpn --show-valid-subnets to see the subnets you can use in net30 or (#5) tl;dr Windows sucks, use --topology subnet in your server.conf
15:47 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
15:49 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:50 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Quit: Leaving]
15:58 <+rob0> mzat, why does that matter? With proper routes, it does not.
15:59 < mzat> rob0, so I can have the same result using tun? I mean if I have a service running on the client of the vpn could it be accessible from a computer in the subnet of the vpn server? portforwarding will be the way?
16:00 <+rob0> !serverlan
16:00 -!- Gnonim0 [~joe@us1x.mullvad.net] has joined #openvpn
16:00 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:00 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:01 < mzat> ok I think I get it, I was makin' it too complicated
16:01 < Gnonim0> Hi Ya'll. I'm trying to host a web server behind a VPN. My VPN service provides ports,  but runing apache on one of those ports does not do the trick.
16:03 < Gnonim0> I'm looking for help and i can tip you in BTC
16:10 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
16:12 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:26 -!- mzat [~marc@dynamic-adsl-94-36-212-74.clienti.tiscali.it] has quit [Quit: Leaving]
16:38 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has quit [Read error: Connection reset by peer]
16:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
16:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:42 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:01 < pekster> Gnonim0: "provides ports?" If you're using RFC1918 VPN space then you need NAT upstream. If you don't control that NAT you should speak to who does. Check all involved firewalls too
17:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
17:41 -!- joshh20-Away is now known as joshh20
17:43 < Gnonim0> pekster: Thanks for the reply. The ports provided by my VPN are for advertised for bittorrent, so they are globally accessable. But, I think there is a firewall issue.
17:50 < pekster> Then you should fix it
17:51 < Gnonim0> I fix i. Thanks pekster\
18:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
18:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
18:17 -!- winsoff [~foo@216.117.236.64] has joined #openvpn
18:17 < winsoff> Trying to get openvpn working on Linux (Kali Linux), but I do not have a CA cert right now.  Why is it not built immediate during install?
18:18 <+rob0> why would it be?
18:18 <+rob0> !easyrsa
18:18 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
18:20 < winsoff> Just makes sense to automate it to me.
18:20 < Gnonim0> OMG, I love easy rsa.
18:21 <+rob0> no, not really. You should not even have your CA on the same machine as the VPN server.
18:22 < winsoff> rob0: Looks like the process to setting it up is "set the right environment variables and then ./build-ca," so how is that hard to implement?  Do package managers not know how to set environment variables? =P
18:23 -!- joshh20 is now known as joshh20-Away
18:23 <+rob0> You should not even have your CA on the same machine as the VPN server.
18:23 < winsoff> Oh, I see what you mean, now.
18:24 <+rob0> OpenVPN is a security-oriented project. It should not do things in insecure ways.
18:24 < Gnonim0> rob0 is right, but it one less machine means you reducde your carbon footprint i'd say go for it.
18:24 < winsoff> Wait a second, so I need to download the CA from the server I am connecting to?
18:24 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
18:24 <+rob0> A good way to maintain a CA is on a USB drive kept in a safe.
18:25 <+rob0> !pki
18:25 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
18:25 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
18:25 < winsoff> I am just trying to connect to a VPN, and the .ovpn I downloaded is all it gives me.  That is all I can get from it.
18:25 < pekster> If you don't need "separate systems" you might consider just putting the CA in a locked down account with restrictive access controls, umask in your .profile, etc
18:26 < pekster> Define your own security needs and scale your practices to suit
18:26 <+rob0> what goes from server or client to CA signer does not require security. Only the keys do, and you never email those.
18:26 < pekster> private keys should ideally never be transferred anywhere, unless they're going onto embedded hardware
18:27 < pekster> Generate your keys _on_ the systems that use them. Would you want your locksmith to change your house keys, then send you the physical copies by postal mail? Or would you rather he just give them to you?
18:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:27 < Gnonim0> I donno pekster i dont have a locksmith
18:29 <@Eugene> I had my last locksmith murdered so he couldn't reveal what the shape of my keys are
18:30 <+rob0> That's the key.
18:30 <+rob0> The EugeneKey, even.
18:31 <@Eugene> Badum-tish.
18:37 -!- winsoff [~foo@216.117.236.64] has left #openvpn ["Channel Departure"]
18:39 < Gnonim0> How to use a GPG email key to sign as the CA?
18:41 < pekster> You don't. RSA (or EC) keys aren't GPG keys
18:41 < pekster> Neither are ssh keys
18:41 < pekster> RSA keys are RSA keys, and OpenVPN uses the X.509 standard for PKI certificates
18:42 < pekster> !intro-to-pki
18:42 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
18:42 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
18:42 < Gnonim0> What do i get if i figure out how to do it?
18:42 <+rob0> a * star
18:42 -!- aldaek [~quassel@166.70.157.138] has joined #openvpn
18:42 < pekster> How about you follow the howto for the version you're using and ask a question that shows you did more than 2 minutes of reading first?
18:42 < pekster> !easyrsa
18:42 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
18:43 < pekster> Links & wiki refs for you there ^
18:43  * Gnonim0 thinks about the star
18:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:45 -!- master_o1_master [~master_of@p4FF240BD.dip0.t-ipconnect.de] has joined #openvpn
18:45 -!- gardar [~gardar@bnc.giraffi.net] has quit [Read error: Operation timed out]
18:45 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
18:48 -!- master_of_master [~master_of@p4FD7B2D4.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
18:51 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 252 seconds]
18:54 -!- esde [~esde@107.150.1.2] has joined #openvpn
18:59 -!- josefig_ [~josef@189.146.247.210] has joined #openvpn
19:00 -!- josefig [~josef@unaffiliated/josefig] has quit [Ping timeout: 248 seconds]
19:00 -!- josefig_ is now known as josefig
19:00 -!- josefig [~josef@189.146.247.210] has quit [Changing host]
19:00 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
19:04 -!- joshh20-Away is now known as joshh20
19:08 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
19:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
19:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:01 -!- u0m3 [~u0m3@109.96.138.24] has quit [Quit: Leaving]
20:02 -!- aldaek [~quassel@166.70.157.138] has quit [Remote host closed the connection]
20:03 -!- tfox [~tfox@27.122.12.75] has joined #openvpn
20:07 -!- tfox [~tfox@27.122.12.75] has quit [Client Quit]
20:40 -!- lj [~l@192.241.174.169] has joined #openvpn
20:56 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
20:58 -!- lj [~l@192.241.174.169] has joined #openvpn
21:09 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
21:22 -!- tfox [~tfox@27.122.12.75] has joined #openvpn
21:54 -!- schnitzl [~schnitzl@dslb-188-105-166-050.pools.arcor-ip.net] has quit [Read error: Operation timed out]
22:01 -!- schnitzl [~schnitzl@dslb-188-110-238-027.pools.arcor-ip.net] has joined #openvpn
22:08 -!- joshh20 is now known as joshh20-Away
22:19 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
22:24 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
22:46 -!- tfox [~tfox@27.122.12.75] has quit [Quit: tfox]
22:50 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
22:53 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:53 -!- mode/#openvpn [+o krzee] by ChanServ
23:13 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 248 seconds]
23:14 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:16 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
23:18 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:54 -!- NetEcho [NetEcho@unaffiliated/netecho] has joined #openvpn
23:55 < NetEcho> I'm wondering if with DD-WRT I can use OpenVPN to bridge an external connection to an internal lan, or multiple I.e. External router connected to WAN port, Port 1 connected to 192.168.23.1 router, Port 2 connected to 192.168.0.1 router
--- Day changed Wed Jan 22 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- mattock_afk is now known as mattock
00:06 -!- lj1 [~l@192.241.174.169] has joined #openvpn
00:14 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
00:27 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 245 seconds]
00:38 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:48 -!- NetEcho [NetEcho@unaffiliated/netecho] has quit []
00:53 -!- tharkun [~0@187.188.94.182] has joined #openvpn
01:00 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
01:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:36 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:38 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
01:47 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 260 seconds]
02:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:38 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
02:38 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
02:43 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 260 seconds]
03:10 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:24 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 252 seconds]
03:44 -!- calcifea_ is now known as calcifea
03:56 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
03:56 < evoked> hello
03:57 < evoked> i have setup openvpn on ubuntu and logged in through the ip address/admin
03:57 < evoked> how to i start using it for my overall connection
03:59 <@krzee> !redirect
03:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:59 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
04:00 < evoked> krzee, cheers
04:01 <@krzee> cheers mate
04:01 < evoked> !def1
04:01 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
04:01 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
04:03 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
04:05 < evoked> !man
04:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
04:05 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Remote host closed the connection]
04:08 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
04:21 -!- piem_ [~piem@coconut.piem.org] has quit [Ping timeout: 248 seconds]
04:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:44 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
04:57 -!- cyberspace- [20253@ninthfloor.org] has quit [Quit: leaving]
04:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:02 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 272 seconds]
05:03 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
05:04 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
05:05 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
05:38 -!- kro[au] [~thatguy@kgovps.net] has quit [Ping timeout: 248 seconds]
05:53 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
06:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:05 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
06:16 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
06:27 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
06:27 < wallbroken> hi
06:27 < wallbroken> can you tell me where crl file will be putted?
06:27 < wallbroken> /keys ?
06:35 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
06:41 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
06:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:46 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
06:48 <@ecrist> wallbroken: where ever you like
06:50 -!- bjh4 [~bjh4@ool-4354103f.dyn.optonline.net] has joined #openvpn
06:50 < wallbroken> ecrist: easyrsa gen-crl
06:51 < wallbroken> it generates the file in the current directory?
07:01 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
07:01 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
07:03 <@ecrist> I think so
07:06 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:10 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
07:13 -!- dazo_afk is now known as dazo
07:20 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has joined #openvpn
07:21 < Zordrak> I'm getting my openvpn service murdered by https://community.openvpn.net/openvpn/ticket/201 quite frequently. Anyone know any more than is on the ticket?
07:21 <@vpnHelper> Title: #201 (auth-pam leaves file descriptors open) – OpenVPN Community (at community.openvpn.net)
07:24 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has quit [Ping timeout: 252 seconds]
07:25 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has joined #openvpn
07:25 < alexxtasi> !plugin
07:26 < alexxtasi> !help
07:26 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
07:26 < alexxtasi> !help ldap
07:26 <@vpnHelper> Error: There is no command "ldap".
07:28 < alexxtasi> hi to all!! where can I find some help for the openvpn-auth-ldap plugin? In the plugin's home page found no issue for my question... is this channel the right place?
07:30 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has quit [Ping timeout: 264 seconds]
07:31 < Zordrak> !welcome
07:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:31 < Zordrak> !ask
07:31 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
07:37 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 276 seconds]
07:37 < alexxtasi> Zordrak: thank you
07:40 < alexxtasi> I am using openvpn 2.3.2-2 on centos-6. I want to authenticate users on an ldap and have installed for this purpose openvpn-auth-ldap 2.0.3-6 from epel repo. Even though my ldap.conf is ok ("equal" ldapsearch commands works well) log files have errors like "LDAP search failed: No such object" and "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT).". When I provide wrong password it shows "LDAP bind failed: Invalid cr
07:41 -!- joshh20-Away is now known as joshh20
07:44 < alexxtasi> more to this.... installed from the epel repository, the plugin is located in /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so , but in the plugin's homepage they say in /usr/local/lib/openvpn-auth-ldap.so .... does it suggest a problem in the epel's repo plugin ? or I have done something very stupid ?
07:44 -!- lj [~l@192.241.174.169] has joined #openvpn
07:47 -!- lj [~l@192.241.174.169] has quit [Client Quit]
07:48 < Zordrak> alexxtasi: The plugin location isn't an issue. The openvpn package in EPEL is configured for the correct plugin location for RHEL and the LDAP plugin is too.
07:50 < Zordrak> alexxtasi: As for the problem itself I'm no expert and not currently using the LDAP plugin, so I hope someone else will speak up for you. But in the least the default plugin configuration seems pretty clear on what information is needed and in what format; so long as the information is correct it ought to work. Perhaps providing your !configs might help.
07:51 < Zordrak> !configs
07:51 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:52 -!- lj [~l@192.241.174.169] has joined #openvpn
07:53 < alexxtasi> Zordrak: thank you Zordrak.... so I have to focus in the configuration I provide to the plugin... and... I 'll try to use you bot ;-)
07:56 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
07:57 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
08:05 -!- bertodsera [~quassel@212.36.61.26] has quit [Ping timeout: 252 seconds]
08:09 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
08:09 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
08:09 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:19 < alexxtasi> so... I have openvpn 2.3.2-2 on centos 6 with openvpn-auth-ldap 2.0.3-6 installed. I configured just a simple tunnel to test ldap connectivity... server: http://pastebin.com/2SrXb9SX client:http://pastebin.com/Gsr7S8Pz and auth-ldap:http://pastebin.com/LENLHMxQ ...
08:20 < alexxtasi> I suppose the server-client setting are ok, since disabling the auth-user-pass the tunnel comes up!
08:22 < wallbroken> and notification of "error 23" will be showing also in easyrsa 3?
08:24 < alexxtasi> the problem is that authentication fails with "LDAP search failed: No such object" and then "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."
08:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-bmhqmjrshdyszhcm] has quit [Ping timeout: 272 seconds]
08:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-inczsnmlogqgclxf] has joined #openvpn
08:37 -!- bjh4 [~bjh4@ool-4354103f.dyn.optonline.net] has quit [Quit: Leaving]
08:39 -!- Engin [~e@ea.tl] has quit [Quit: WeeChat 0.3.7]
08:47 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:47 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:50 -!- yulimoto [~yulimoto@gateway/tor-sasl/yulimoto] has joined #openvpn
08:51 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
08:53 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
08:54 < ACKNAK> Hello! Could anybody check my config? it works in general but I'm not sure how "optimal" is that solution...
08:55 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 265 seconds]
08:55 < ACKNAK> Main-Site->OpenVPN->Roadwarriors->Sub-Office-Sites
08:56 -!- lj [~l@192.241.174.169] has joined #openvpn
08:57 <+rob0> I don't have time to review yours, but maybe you'll want to look at this:
08:57 <+rob0> !dnsmasq
08:57 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
08:58 < ACKNAK> :O
08:59 < ACKNAK> my config http://pastebin.com/YwmKRvrf
09:06 < ACKNAK> I'll be back in 30 minutes
09:06 -!- ACKNAK [~poni@79.133.97.154] has quit [Quit: Leaving]
09:28 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has joined #openvpn
09:30 -!- ACKNAK [~Celestial@broadband-5-228-253-169.nationalcablenetworks.ru] has joined #openvpn
09:30 < ACKNAK> wooot
09:30 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:35 -!- evoked [~ev0k3d@101.164.101.194] has joined #openvpn
09:36 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 272 seconds]
09:39 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
09:41 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
09:42 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
09:48 -!- yulimoto [~yulimoto@gateway/tor-sasl/yulimoto] has left #openvpn []
09:49 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
09:56 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:58 < ACKNAK> If somebody could check my config, it would be nice ^^ https://forums.openvpn.net/topic14841.html
09:58 <@vpnHelper> Title: OpenVPN Support Forum Help to optimise site-to-multisite (roadwarriors) : Server Administration (at forums.openvpn.net)
10:05 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
10:09 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has joined #openvpn
10:21 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has quit [Quit: tfox]
10:22 -!- liriel [~liriel@198.154.114.106] has quit [Ping timeout: 246 seconds]
10:23 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
10:27 -!- tfox [~tfox@27.122.12.75] has joined #openvpn
10:29 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
10:30 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
10:31 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
10:32 -!- tfox [~tfox@27.122.12.75] has quit [Quit: tfox]
10:33 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 245 seconds]
10:39 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
10:44 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:49 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
11:04 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
11:08 -!- joshh20 is now known as joshh20-Away
11:11 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:12 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
11:14 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:17 -!- lj [~l@192.241.174.169] has joined #openvpn
11:27 -!- lj [~l@192.241.174.169] has left #openvpn []
11:30 < lachesis> well here's a weird one
11:30 < lachesis> i'm getting the common TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:30 < lachesis> but
11:30 < lachesis> i'm seeing the initial packet on both the server and the client
11:31 < lachesis> definitely not a firewall on the client side, as i can connect to another vpn at a different ip (same port)
11:33 < lachesis> hmm i take it back, i'm not seeing the reply from the server in my tcpdump
11:34 < lachesis> i do clearly have full tcp connectivity to the server, and the server's outbound firewall rule chain is empty and set to ACCEPT
11:40 -!- Bam_Bam [~bam_bam@unaffiliated/bambam/x-942313] has joined #openvpn
11:40 <@krzee> !timeout
11:40 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
11:41 < Bam_Bam> I need to route trafic from workstation (on the server subnet) to the clients behind the server. I've added a static route on my workstation to the vpn server and can now ping the VPN gateway IP, but can't reach the clients.
11:41 < wallbroken> krzee notification of "error 23" when generating a revoke cert will be showing also in easyrsa 3?
11:41 < Bam_Bam> I think it's an iptables issue, but I don't know how to forward traffic. eth0 to tun0?
11:42 <@krzee> Bam_Bam, did you push the route to those clients too...?
11:43 <@krzee> !linipforward
11:43 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
11:43 < Bam_Bam> krzee: I set the ip_forward
11:43 < Bam_Bam> I'll check the routes on the client
11:43 <@krzee> Bam_Bam, you'[ll notice an iptables rule as well
11:43 <@krzee> wallbroken, i dunno i havnt used easy-rsa in years
11:44 < Bam_Bam> I read the rest of it and just noticed that
11:44 < wallbroken> oh ok
11:44 <@krzee> i do hear easy-rsa3 is good tho, but im not the one to specifically ask about that
11:58 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
12:00 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
12:12 < wallbroken> krzee, you know how to kill a client?
12:12 < wallbroken> the howto said to do it with management interface, what is it?
12:17 < Bam_Bam> wallbroken: there's the cli for permission management, afaik only openvpn access server has the management interface
12:18 < Bam_Bam> wallbroken: which "how to" are you using?
12:20 < Bam_Bam> krzee: it doesn't seem like linipforward is the issue as the routes are pushed to the client and even if they weren't my workstation IP is publically routed
12:20 < Bam_Bam> but I really don't have a good understanding of routing
12:32 -!- Blashyrkh1 [~michaeld@043-054-094-081.as39912.net] has joined #openvpn
12:34 < Blashyrkh1> i have a openvpn server setup on openwrt, and when i start the config with openvpn server.conf it goes all through to the initialization sequence complete, but when i try to connect i get only dialing... terminating ..., is there any way to turn on some debugging on the serverside?
12:34 < Blashyrkh1> !
12:36 < Blashyrkh1> my .conf looks like this
12:37 < Blashyrkh1> http://pastebin.com/Umf984UG
12:37 < Bam_Bam> did you open that port on the firewall?
12:38 < Blashyrkh1> i opened the firewall for the whole client adress
12:38 < Blashyrkh1> address
12:39 < Blashyrkh1> what is the diference if i take tcp or udp?
12:39 < Bam_Bam> for client > openvpn server on 192.168.1.1?
12:40 < Blashyrkh1> sry i didnt quite understand your question
12:40 < Bam_Bam> I had some luck following this guide yesterday
12:40 < Bam_Bam> http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun?s%5B%5D=openvpn&s%5B%5D=client
12:40 < Bam_Bam> but my openwrt router is configured as a client
12:41 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
12:41 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
12:41 < Blashyrkh1> the problem is that the other side is a mikrotik
12:41 -!- Phog1 [~fluid@pat.westrope.com] has joined #openvpn
12:41 -!- Phog1 [~fluid@pat.westrope.com] has left #openvpn []
12:42 < Blashyrkh1> i tried the same yesterday but there is a nasty bug in the openvpn server
12:42 < Blashyrkh1> on routerOS
12:42 < Bam_Bam> what bug?
12:43 < Blashyrkh1> its only writing unknown auth-alg
12:44 < Blashyrkh1> okay as always it was a firewall thing
12:44 < Blashyrkh1> but now i got hte unknown auth alg warning n the lient again
12:48 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
12:49 < Blashyrkh1> http://pastebin.com/zw8b8Phb
12:49 < Blashyrkh1> the server is only giving out this
12:55 < _FBi> too slow?
12:55 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
12:56 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
13:02 -!- Blashyrkh1 [~michaeld@043-054-094-081.as39912.net] has left #openvpn []
13:03 -!- `Ile` [~ile@77.243.20.78] has joined #openvpn
13:08 -!- `Ile`_ [~ile@77.243.20.78] has joined #openvpn
13:11 -!- `Ile` [~ile@77.243.20.78] has quit [Ping timeout: 264 seconds]
13:11 < lachesis> krzee: server is running, client is connecting to the right ip/port/protocol, server's inbound nat and firewall allow traffic on the port & outbound firewall allows everything, and client ISP is not blocking (can connect to another vpn serveR)
13:12 <@krzee> ok, maybe server isp firewall
13:13 < lachesis> 's possible, but it's on a non-standard port 1196
13:13 < lachesis> traffic is getting to the server
13:13 < lachesis> b/c i see a "first packet from (my client ip address)" message
13:14 < lachesis> but nothing is getting back from the server to my client
13:14 <@krzee> you say its on a non-standard port, are you connecting to other servers on THAT port on THAT protocol?
13:15 <@krzee> cause if not "and client ISP is not blocking (can connect to another vpn serveR)"  means nothing
13:15 < lachesis> yes
13:15 < lachesis> furthermore, i tried on a standard port as well
13:15 <@krzee> check your logs
13:15 <@krzee> in fact, post both sides with verb 4
13:15 <@krzee> and do NOT alter anything such as IP
13:16 < lachesis> !paste
13:16 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
13:16 -!- u0m3 [~u0m3@92.80.105.67] has joined #openvpn
13:16 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
13:16 < wallbroken> krzee, do you know some way to kill a client?
13:17 <@krzee> the command in unix is kill
13:17 <@krzee> haha
13:17 < lachesis> https://gist.github.com/lachesis/823d928436382d64f10c'
13:17 <@krzee> unless you mean from the server
13:17 < lachesis> https://gist.github.com/lachesis/1cf1996157c18954cebe
13:17 <@vpnHelper> Title: server log (at gist.github.com)
13:17 < lachesis> https://gist.github.com/lachesis/823d928436382d64f10c
13:17 <@vpnHelper> Title: client log (at gist.github.com)
13:17 < wallbroken> yes, from the server, without disturbing other clients
13:17 < lachesis> verb 5, sorry
13:17 <@krzee> 5 is better actually
13:17 <@krzee> so thanks =]
13:18 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
13:18 <@krzee> but the server was verb 3 or something
13:18 <@krzee> or you cut some out
13:18 < lachesis> hmm let me double check
13:18 <@krzee> start both processes over again, and get me a full attempt/fail on each
13:18 < lachesis> that's all that made it into my syslog
13:18 < lachesis> let me run it in foreground
13:18 <@krzee> verb 5 on the server and use --log
13:18 <@krzee> !logfile
13:18 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
13:18 <@krzee> log /path/to/logfile
13:19 < lachesis> does foreground work instead?
13:19 <@krzee> sure, verb 5
13:20 < lachesis> https://gist.github.com/lachesis/d81e6b1cc9a33b60cd3e
13:20 <@vpnHelper> Title: client log try 2 (at gist.github.com)
13:20 < lachesis> https://gist.github.com/lachesis/446572ecd7318ad07ff6
13:20 <@vpnHelper> Title: server log (try 2) (at gist.github.com)
13:20 < wallbroken> \o/
13:20 <@krzee> i dont see the fail in your serverlog
13:21 <@krzee> looks like it got stopped early
13:21 <@krzee> i do see a firewall issue though
13:21 <@krzee> i bet your client needs a firewall rule, show me the firewall on your client, iptables-save
13:22 < lachesis> client iptables are empty
13:22 <@krzee> iptables-save
13:22 <@krzee> dont tell me, show me
13:22 < lachesis> https://gist.github.com/lachesis/283f0400b3ba01e568d3
13:22 <@vpnHelper> Title: gist:283f0400b3ba01e568d3 (at gist.github.com)
13:23 <@krzee> (you must understand, too many people say that and then get proven wrong)
13:23 <@krzee> ok now show me iptables-save from the server
13:24 < lachesis> pm ok? i'd rather not publically paste my entire firewall config :)
13:24 <@krzee> thats fine
13:24 <@krzee> but im not the best with iptables in here, i know a few who are better
13:24 < lachesis> can you connect to that server?
13:27 < wallbroken> the only way to kill a client from server is the management interface?
13:29 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
13:30 < lachesis> http://www.firstdata.com/gg/apply_test_account.htm
13:30 <@vpnHelper> Title: Apply for First Data Global Gateway Test Account (at www.firstdata.com)
13:30 < lachesis> sorry
13:30 < lachesis> not spam
13:30 < lachesis> wrong window
13:34 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Ping timeout: 272 seconds]
13:41 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
13:45 -!- mattock is now known as mattock_afk
13:46 -!- mirco_ [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
13:49 < wallbroken> is there an equivalent of "openvpn reload" in windows?
13:58 <+rob0> uh .. is there an "openvpn reload" at all? Not in my man page.
13:59 <+rob0> "openvpn reload" would look for a file named "reload" in the current directory, and try to open it as if it was a config file.
13:59 < wallbroken> sorry
14:00 < wallbroken> /etc/init.d/openvpn reload
14:03 -!- mirco_ [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Remote host closed the connection]
14:05 -!- mirco_ [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
14:05 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
14:22 -!- dazo is now known as dazo_afk
14:27 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
14:28 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 252 seconds]
14:29 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
14:31 -!- Nothing4You [N4Y@w.tf-w.tf] has quit [Ping timeout: 260 seconds]
14:34 -!- `Ile`_ [~ile@77.243.20.78] has quit [Quit: leaving]
14:36 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
14:36 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
14:43 -!- takamichi [~takamichi@85.12.8.107] has quit [Ping timeout: 248 seconds]
14:44 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Read error: Operation timed out]
14:46 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
14:48 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
14:50 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
14:53 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
14:54 -!- toastedpenguin1 [~David_Chr@99-128-202-69.lightspeed.okpkil.sbcglobal.net] has joined #openvpn
14:54 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
14:54 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
14:55 < toastedpenguin1> is the openvpn AS supposed to configure iptables when it starts up?
14:55 < toastedpenguin1> AS 2.x
14:56 < toastedpenguin1> my bad wrong room/window
14:57 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
15:08 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
15:13 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
15:15 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Read error: Connection reset by peer]
15:16 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
15:18 -!- joshh20-Away is now known as joshh20
15:23 -!- lj1 [~l@192.241.174.169] has joined #openvpn
15:28 -!- lj1 [~l@192.241.174.169] has left #openvpn []
15:36 -!- Irssi: #openvpn: Total of 239 nicks [8 ops, 0 halfops, 16 voices, 215 normal]
15:42 -!- nertil [~nertil@95.156.18.17] has joined #openvpn
15:48 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
15:48 -!- nertil [~nertil@95.156.18.17] has quit [Changing host]
15:48 -!- nertil [~nertil@openvpn/user/nertil] has joined #openvpn
15:48 -!- mode/#openvpn [+v nertil] by ChanServ
15:49 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:50 <+nertil> thx
15:50 <@ecrist> np
15:52 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:55 -!- Ximerian [~3ec@173-163-3-81-cpennsylvania.hfc.comcastbusiness.net] has joined #openvpn
15:55 < Ximerian> Hey, anyone have a build of openvpn client that will work on windows 8 RT?
15:59 -!- klein [~klein@177.101.109.161] has joined #openvpn
15:59 -!- klein [~klein@177.101.109.161] has quit [Changing host]
15:59 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
16:01 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
16:10 -!- nertil [~nertil@openvpn/user/nertil] has quit []
16:18 <@Eugene> My understanding of the RT ecosystem is that openvpn would not work in it at all. So no.
16:19 <@Eugene> It's more of a iOS style walled garden, the access to the underlying subsystems just isn't there.
16:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- ACKNAK [~Celestial@broadband-5-228-253-169.nationalcablenetworks.ru] has quit [Ping timeout: 252 seconds]
16:43 -!- klein [~klein@unaffiliated/klein] has quit [Remote host closed the connection]
16:47 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
16:58 <@krzee> lachesis, ever get it fixed?
16:58 <@krzee> im back for now
16:58 -!- occupant [~null@204.14.158.226] has quit [Read error: Connection reset by peer]
16:59 < pekster> fwiw, there's also #Netfilter for more direct/specific help with Netfilter tasks
16:59 <@krzee> true, and it legitimately *is* a firewall issue
16:59 <@krzee> the configs proved that
17:00 <@krzee> i mean the logs proved it
17:03 <@krzee> anyways, the problem is that packets leaving the server dont get to the client inside tun0, you likely just need to blindly allow tun0, iptables -I FORWARD -i tun+ -j ACCEPT ; iptables -I INPUT -i tun+ -j ACCEPT ; iptables -I OUTPUT -i tun+ -j ACCEPT
17:03 <@krzee> and get rid of all rules referencing br0, especially the one that is natting your vpn subnet out of br0 when the vpn is really tun0
17:04 <@krzee> unless br0 is referring to a real bridge interface, not openvpn related
17:04 <@krzee> without ifconfig im not sure
17:04 < pekster> Linux and ifconfig? Need a resupply of stone tablets too? :)
17:05 <@krzee> :-p
17:05 <@krzee> yes pls
17:07 -!- u0m3 [~u0m3@92.80.105.67] has quit [Read error: Connection reset by peer]
17:08 -!- u0m3 [~u0m3@92.80.105.67] has joined #openvpn
17:21 -!- raidz is now known as raidz_away
17:22 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:26 -!- raidz_away is now known as raidz
17:30 -!- quantumkey [~ma1com10t@host-92-20-78-128.as13285.net] has joined #openvpn
17:34 < quantumkey> is OPENVPNPortable part of the OpenVPN repertoire ?
17:34 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Quit: Leaving..]
17:35 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:35 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:36 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:36 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:37 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:37 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:37 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
17:37 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:37 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:38 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:38 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:38 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:38 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:39 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:39 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:39 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:39 -!- AsadH [~AsadH@176.56.230.80] has quit [Excess Flood]
17:40 -!- AsadH [~AsadH@176.56.230.80] has joined #openvpn
17:40 -!- quantumkey is now known as debbie10t
17:40 < pekster> A 13-month-old PAF version? And that's complete rubbish anyway since you can't make drivers "portable"
17:41 < pekster> 1) dead project 2) no, not official 3) not at all portable besides perhaps the configs themselves and the GUI. That's quite silly
17:41 <@krzee> whats PAF?
17:41 < debbie10t> ok - thanks pekster
17:41 < pekster> krzee: portable apps framework
17:41 <@krzee> ahh
17:42 < pekster> Think portableFirefox & friends
17:42 < pekster> (USB stick apps for Windows platforms)
17:42 <@krzee> gotchya, like portable putty
17:42 <@krzee> just didnt know what it stood for
17:42 -!- AsadH [~AsadH@176.56.230.80] has quit [Client Quit]
17:47 -!- joshh20 is now known as joshh20-Away
17:48 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
17:50 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:50 -!- mode/#openvpn [+o raidz] by ChanServ
17:50 -!- AsadH [~AsadH@znc.hopped.co.uk] has joined #openvpn
17:50 -!- AsadH [~AsadH@znc.hopped.co.uk] has quit [Excess Flood]
17:51 -!- AsadH [~AsadH@znc.hopped.co.uk] has joined #openvpn
17:51 -!- AsadH [~AsadH@znc.hopped.co.uk] has quit [Excess Flood]
17:52 -!- AsadH [~AsadH@znc.hopped.co.uk] has joined #openvpn
17:52 -!- AsadH [~AsadH@znc.hopped.co.uk] has quit [Excess Flood]
18:02 -!- AsadH [~AsadH@znc.hopped.co.uk] has joined #openvpn
18:02 -!- AsadH [~AsadH@znc.hopped.co.uk] has quit [Excess Flood]
18:10 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
18:17 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:17 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:20 -!- joshh20-Away is now known as joshh20
18:25 -!- tfox [~tfox@27.122.12.75] has joined #openvpn
18:35 -!- tfox [~tfox@27.122.12.75] has quit [Quit: tfox]
18:44 -!- master_of_master [~master_of@p4FD7B5C1.dip0.t-ipconnect.de] has joined #openvpn
18:48 -!- master_o1_master [~master_of@p4FF240BD.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
18:53 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
18:54 -!- AsadH [~AsadH@znc.hopped.co.uk] has joined #openvpn
18:56 -!- rabelais [~blank@unaffiliated/rabelais] has joined #openvpn
18:59 < rabelais> This is probably a strange routing question. Is there a way to setup something like an openvpn server/negotiator that sets up encrypted sessions? Where, let's say two clients want to set up an encrypted tunnel to each other, but connect first to a known common server that then negotiates and sets up the tunnel?
18:59 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
18:59 < rabelais> Sorta like the way SIP redirection works, where a common SIP server manages a connection, but then points the two clients to each other and they send traffic directly to each other instead of passing it through the SIP server itself
19:00 < pekster> Nothing stops you from implementing that, but openvpn won't do it "out of the box"
19:00 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
19:00 -!- mode/#openvpn [+o raidz] by ChanServ
19:00 < pekster> You have a small issue of getting the 2 "ends" to trust each other unless you work out some trust model where the central core signs cert requests from the ends, but that's "just implementation detail"
19:01 < pekster> Same problem gpg has basically: even if it's secure, you don't know what it's secure _to_
19:02 < rabelais> Agreed, the assumption is that if you can connect to the central server, then you must implicitly trust anything that the server points you to trust, I'd be ok with that.
19:03 < pekster> No, I mean that's the bulk of why the implementation is complex, becuase you need to deal with that (and how exactly you set up an X.509 model to allow for it -- maybe consider temporary intermediate CAs or something) but you _also_ need to get the traffic between the actual endpoints
19:03 < pekster> Maybe STUN or something, but openvpn simply won't work if you can't get a connection to a known host on a specific port
19:03 < pekster> (say, un-cooperative NAT, or even generic firewalls if the clients do have public IPs)
19:04 < pekster> At the end of the day, this has almost nothing to do with openvpn, and more to do with coming up with a high-level design for an implementation
19:06 -!- raidz is now known as raidz_away
19:06 < rabelais> it's more than an implementation...the idea I was curious about was whether tunnels between clients could be setup on the fly with a central server in charge of all authentication and connection setup
19:07 -!- raidz_away is now known as raidz
19:07 < debbie10t> I am trying to get dhcp server working over TAP/server-bridge : http://pastebin.com/QKDCSN34
19:07 <@krzee> why?
19:08 <@krzee> it can be done, usually shouldnt, and theres plenty of gotchyas
19:08 < pekster> Right, don't do that unless you're an expert and 1) know why you're doing it and 2) are able to handle them
19:08 <@krzee> tl;dr, dont do that
19:08 < pekster> Default router list is probably the most obvious problem with that, but there are a few other issues
19:08 < pekster> Handle that and you might be fine, but it's a real PITA
19:08 <@krzee> and theres rarely an actual benefity
19:09 < debbie10t> i have my router setup to NOT pass default gateway
19:09 <@krzee> (like if you need tftp over dhcp, or something)
19:09 < debbie10t> but the server simply appears to drop dhcp discovery
19:09 < pekster> You can tftp with a _local_ dhcp instance and target a tftp server that's off-link just fine
19:09 <@krzee> but really, you're probably just doing it wrong
19:09 < pekster> (that's how I've done VoIP deployments in the field before with openvpn)
19:09 <@krzee> good point
19:09 <@krzee> i was trying to think up a valid reason to do it
19:09 <@krzee> hard to come up with one
19:10 <@krzee> debbie10t, what is the problem you're trying to solve?
19:10 < debbie10t> why is the server dropping DHCP discovery ?
19:10 < debbie10t> http://pastebin.com/QKDCSN34
19:11 <@krzee> thats not what i mean
19:11 <@krzee> what is the problem you are trying to solve by implimenting a) tap and b) dhcp over tap
19:12 < debbie10t> well ... if you want the long answer .. how about the documentation seems to say --server-bridge on some pages and --server on others for the same solution
19:12 <@krzee> no
19:12 <@krzee> not the same
19:12 <@krzee> !tunortap
19:12 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
19:12 <@vpnHelper> rooted/jailbroken) support only tun
19:12 <@krzee> !whybridge
19:12 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
19:13 < debbie10t> --server http://openvpn.net/index.php/open-source/faq/community-software-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html
19:13 <@krzee> if you dont know what you're doing, use tun
19:13 <@vpnHelper> Title: I want to set up an ethernet bridge on the 192.168.1.0/24 subnet. existing DHCP. (at openvpn.net)
19:14 <@krzee> <krzee> what is the problem you are trying to solve by implimenting a) tap and b) dhcp over tap
19:14 <@krzee> do NOT point me to documentationm, answer the question
19:14 <@krzee> which is about YOU not about the website
19:15 < debbie10t> if the documentation says it is possible I would like to implement it for test purposes and possible try improving the documentation
19:15 <@krzee> heh i had a feeliong youd say that, you have no reason
19:16 <@krzee> sounds like a waste of time to help with something that has no purpose
19:16 < debbie10t> hey whatever .. its no biggie
19:16 <@krzee> stick to doing things that make sense
19:16 -!- evoked [~ev0k3d@101.164.101.194] has quit [Ping timeout: 260 seconds]
19:16 <@krzee> instead of doing it wrong for education purposes
19:16 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
19:16 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
19:17 -!- raidz_away [~raidz@2607:5300:60:d5a::2] has joined #openvpn
19:17 < debbie10t> i had a feeling you would say that . . . . . .
19:17 -!- raidz_away is now known as raidz
19:17 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
19:17 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
19:17 -!- mode/#openvpn [+o raidz] by ChanServ
19:17 < debbie10t> i'll just figure it out myself .. like snat/dnat
19:17 <@krzee> yep, its kinda a permanent answer for those who do it wrong for no reason
19:18 -!- raidz is now known as raidz_away
19:18 -!- raidz_away is now known as raidz
19:18 < debbie10t> your sense is your pov not mine
19:19 <@krzee> and which of us do you think knows what hes talking about?
19:19 -!- rabelais [~blank@unaffiliated/rabelais] has left #openvpn []
19:20 -!- u0m3 [~u0m3@92.80.105.67] has quit [Read error: Connection reset by peer]
19:21 < debbie10t> <krzee>stick to doing things that make sense
19:21 <@krzee> yes
19:21 <@krzee> try that
19:21 < debbie10t> your sense is your pov not mine
19:21 <@krzee> i saw that the first time you said it
19:22 <@krzee> then i replied
19:24 < debbie10t> call that a reply ?
19:24 < debbie10t> ok .. no help found here
19:24 < debbie10t> thanks
19:24 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has left #openvpn []
19:29 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has joined #openvpn
19:29 < debbie10t> Thu Jan 23 00:40:49 2014 us=215593 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
19:29 <@vpnHelper> Title: FAQ Community Software (at openvpn.net)
19:29 < debbie10t> LOL
19:29 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has left #openvpn []
19:30 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
19:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:52 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:18 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
20:25 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
20:27 -!- __FBi [~B@uwantmy.info] has quit [Read error: Operation timed out]
20:27 -!- joshh20 is now known as joshh20-Away
20:36 -!- ex0a [~high@unaffiliated/ex0a] has quit [Quit: peace]
20:47 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
20:49 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 248 seconds]
20:57 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 252 seconds]
21:14 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
21:25 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 245 seconds]
21:34 -!- dren [dren@69.163.43.34] has joined #openvpn
21:42 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
21:47 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 248 seconds]
21:47 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
21:47 < kieppie> hi folks
21:48 < kieppie> getting onto openvpn. I have a functional server up on my pfsense, & I've connected using the generated config file from my android mobile. I want to set up the connection on my Ubuntu desktop.
21:49 < kieppie> is anyone able to assist me please? how can I load the OpenVPN config file in Ubuntu
21:50 < pekster> kieppie: Try reviewing the first couple of sentences in the manpage under the heading 'OPTIONS'
21:51 < kieppie> tanks pekster: manpages under `openvpn`?
21:51 < pekster> You typically use a config file and invoke openvpn and reference it. Some frontends exist, but only Windows ships with an "official" one. See: !gui (here) for details
21:51 < pekster> Yes, manpage
21:51 < pekster> !man
21:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
21:51 < kieppie> gotch, thanks
21:51 < pekster> If you're not familiar with manpages, type `man man` at your prompt
21:53 -!- tfox [~tfox@27.122.12.80] has joined #openvpn
21:55 -!- schnitzl [~schnitzl@dslb-188-110-238-027.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
21:57 -!- schnitzl [~schnitzl@dslb-178-010-084-086.pools.arcor-ip.net] has joined #openvpn
22:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
22:03 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
22:04 -!- tfox [~tfox@27.122.12.80] has quit [Quit: tfox]
22:07 -!- tfox [~tfox@27.122.12.80] has joined #openvpn
22:12 -!- tfox [~tfox@27.122.12.80] has quit [Ping timeout: 264 seconds]
22:16 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 252 seconds]
22:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:30 -!- kieppie1 [~jaco@118.148.165.155] has joined #openvpn
22:33 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has quit [Read error: Connection reset by peer]
22:34 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 248 seconds]
22:34 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
22:35 -!- kieppie1 [~jaco@118.148.165.155] has quit [Ping timeout: 264 seconds]
22:43 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 272 seconds]
22:47 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
22:49 -!- AsadH [~AsadH@znc.hopped.co.uk] has quit [Changing host]
22:49 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
22:50 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:51 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
22:52 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
22:52 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:53 -!- kieppie [~jaco@118.148.165.155] has joined #openvpn
22:56 -!- kieppie [~jaco@118.148.165.155] has quit [Read error: Connection reset by peer]
22:57 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 240 seconds]
22:57 -!- kieppie [~jaco@118.148.165.155] has joined #openvpn
22:58 -!- kieppie [~jaco@118.148.165.155] has quit [Client Quit]
22:58 -!- kieppie [~jaco@118.148.165.155] has joined #openvpn
22:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
22:59 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
23:05 -!- kieppie [~jaco@118.148.165.155] has quit [Ping timeout: 240 seconds]
23:13 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 252 seconds]
23:16 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:20 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:25 -!- lj1 [~l@192.241.174.169] has left #openvpn []
23:30 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
23:31 -!- NAK [~Celestial@broadband-5-228-253-77.nationalcablenetworks.ru] has joined #openvpn
23:31 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
23:32 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
23:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Read error: Operation timed out]
23:35 <@Eugene> man women
23:36 -!- Bam_Bam [~bam_bam@unaffiliated/bambam/x-942313] has quit [Ping timeout: 272 seconds]
23:38 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 252 seconds]
23:39 -!- Aelius [~link@unaffiliated/aelius] has quit [Ping timeout: 245 seconds]
23:41 -!- Aelius_ [~link@unaffiliated/aelius] has joined #openvpn
23:44 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
23:45 -!- evoked [~ev0k3d@pa49-195-146-115.pa.nsw.optusnet.com.au] has joined #openvpn
23:53 -!- Bam_Bam [~bam_bam@58.149.128.131.dhcp.uri.edu] has joined #openvpn
23:54 -!- Bam_Bam is now known as Guest10357
23:54 -!- NAK is now known as ACKNAK
23:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
--- Day changed Thu Jan 23 2014
00:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 260 seconds]
00:17 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
00:18 -!- Aelius_ [~link@unaffiliated/aelius] has quit [Read error: Connection reset by peer]
00:18 -!- Aelius [~link@unaffiliated/aelius] has joined #openvpn
00:25 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Operation timed out]
00:26 -!- evoked [~ev0k3d@pa49-195-146-115.pa.nsw.optusnet.com.au] has quit [Ping timeout: 252 seconds]
00:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
00:33 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
00:37 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
00:37 -!- zhulikas [~zhulikas@78-56-205-230.static.zebra.lt] has joined #openvpn
00:37 < zhulikas> sup fellas
00:37 < zhulikas> is there a way to run multiple openvpn connections on windows?
00:37 < zhulikas> to share a TAP interface
00:37 < zhulikas> or have multiple TAPs
00:37 < zhulikas> whatever works
00:40 < reiffert> one tap device, multiple interfaces are bound to it
00:40 < reiffert> multiple interfaces can be: virtual interfaces that openvpn creates and physical ones
00:41 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:42 < zhulikas> I seriously have no idea how it works :)
00:42  * zhulikas noob at networking stuff
00:43 -!- ACKNAK [~Celestial@broadband-5-228-253-77.nationalcablenetworks.ru] has quit [Read error: Connection reset by peer]
00:44 -!- Haigha [~root@dovahkiin.xomg.net] has quit [K-Lined]
00:48 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
01:01 <@krzee> !factoids search win
01:01 <@vpnHelper> 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'winpath', 'winsudo', 'windows_mobile', 'win_build', 'new_win_gui', 'win7', 'win-dns-vista-7', 'win-dns-xp', 'win-dns', 'winshortcut', 'windows_problems', 'windows', and 'windns'
01:02 <@krzee> https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
01:02 <@vpnHelper> Title: ManagingWindowsTAPDrivers – OpenVPN Community (at community.openvpn.net)
01:03 <@krzee> zhulikas, ^
01:03 <@krzee> you'll add a second one
01:03 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:03 -!- mode/#openvpn [+o mattock] by ChanServ
01:03 <@krzee> read that well
01:04 <@krzee> actually i guess you dont need to read it that well :D
01:04 <@krzee> OpenVPN installers come bundled with a command-line tool called <tap-windows-install-dir>\bin\devcon.exe for managing the TAP-driver. Two wrapper scripts, addtap.bat and deltapall.bat are also available in the same directory.
01:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:42 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
01:42 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:45 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
01:45 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
01:45 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Remote host closed the connection]
01:45 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
01:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:58 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:03 <@krzee> !ssl-admin
02:03 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
02:09 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
02:09 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:20 <@krzee> !dh
02:20 <@vpnHelper> "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
02:21 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
02:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 264 seconds]
02:26 -!- manne [~fulinlong@222.73.239.14] has joined #openvpn
02:26 < manne> hi anyone there?
02:31 -!- kossy [a@kossy.org] has quit [Changing host]
02:31 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
02:32 <@krzee> just ask your question
02:37 -!- manne1 [~fulinlong@218.202.239.238] has joined #openvpn
02:40 -!- manne [~fulinlong@222.73.239.14] has quit [Ping timeout: 240 seconds]
02:43 -!- manne1 [~fulinlong@218.202.239.238] has left #openvpn []
03:06 -!- Netsplit *.net <-> *.split quits: pgib, dandy, Cultist
03:09 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:11 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
03:11 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
03:11 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
03:13 -!- Netsplit *.net <-> *.split quits: pgib, dandy, Cultist
03:14 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
03:18 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
03:20 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
03:20 -!- mode/#openvpn [+o krzee] by ChanServ
03:21 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 260 seconds]
03:22 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
03:40 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
03:41 -!- pgib [~pgib@76.18.186.63] has joined #openvpn
03:53 -!- surfmasta [~surfmasta@80.92.88.10] has quit [Ping timeout: 252 seconds]
04:03 < alexxtasi> !help
04:03 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
04:04 < alexxtasi> !config
04:04 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
04:06 -!- surfmasta [~surfmasta@80.92.88.10] has joined #openvpn
04:19 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
04:19 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
04:25 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 265 seconds]
04:30 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
04:37 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 245 seconds]
04:37 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
04:46 -!- Iain_ [~Iain@host31-48-65-231.range31-48.btcentralplus.com] has quit [Ping timeout: 245 seconds]
04:48 -!- Iain_ [~Iain@host31-49-27-80.range31-49.btcentralplus.com] has joined #openvpn
05:05 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
05:16 < ACKNAK> Hey, could anybody help me with config? It's working but I have not tested it in real environment yet
05:16 < ACKNAK> https://forums.openvpn.net/topic14841.html
05:16 <@vpnHelper> Title: OpenVPN Support Forum Help to optimise site-to-multisite (roadwarriors) : Server Administration (at forums.openvpn.net)
05:16 < ACKNAK> oh cool number!
05:17 < ACKNAK> its like... like UNITIИU!
05:17 < ACKNAK> but 4 is not mirrored =(
05:27 < ACKNAK> I do not like "learn-address" scripting because it adds routes to each host
05:30 < ACKNAK> for example I have site behind client, I learn about that site from "learn-address" so my VPN server learn that there is a 192.168.11.0/24 network behind it
05:31 < ACKNAK> I have in route dst 192.168.11.0/24 gw * if tun1, but when I try to ping 192.168.11.2 server learns route to 192.168.11.2/32
05:33 < ACKNAK> is it possible to turn off learning routes to hosts somehow?
05:41 < ACKNAK> I wish it were possible to add routes in ccd directory =(
05:41 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
05:55 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has left #openvpn ["Leaving"]
05:59 -!- Devastator [~devas@177.99.154.125] has joined #openvpn
06:01 -!- Devastatr [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds]
06:02 -!- Devastator [~devas@177.99.154.125] has quit [Changing host]
06:02 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
06:04 -!- anew [~anew@unaffiliated/anew] has joined #openvpn
06:05 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
06:05 < anew> wow didnt think there would be a popular channel for this
06:05 < anew> so if i have openvpn running on my server, and my ssh connection drops
06:05 < anew> after i connect
06:05 < anew> can i just exclude ip's in the ccd file
06:05 < anew> for my home computer and will that keep my connection live ?
06:17 < ACKNAK> is it possible to exclude ip's in ccd? :O
06:18 < ACKNAK> is this channel popular?
06:25 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
06:25 < evoked>  hello
06:26 < evoked> trying to setup open vpn with xchat
06:26 < evoked> what proxy type do i select
06:29 < ACKNAK> is openvpn proxy? :O
06:29 < ACKNAK> or xchat :O
06:30 < anew> acknak i just asked the same thing
06:30 < anew> where is your ccd file?
06:30 < ACKNAK> andi, openvpn/ccd :O
06:30 < ACKNAK> its directory
06:31 < anew> yeah i dont have that dir
06:31 < anew> /etc/openvpn
06:31 < anew> nothing in there
06:31 < ACKNAK> I've created it
06:31 < anew> ah
06:31 < anew> i will also
06:31 < anew> then what are you putting inside it ?
06:32 < ACKNAK> then you have to add "client-config-dir path/to/your ccd" in openvpn.config
06:34 < ACKNAK> as far as I know you can put in ccd 1) push options to client, like dns or route 2) ifconfig for fixed ip 3) iroute (route to site behind client)
06:34 < anew> https://forums.openvpn.net/topic7065.html
06:34 <@vpnHelper> Title: OpenVPN Support Forum Excluding an IP range from redirect gateway : Braggin' Rights (at forums.openvpn.net)
06:34 < anew> ACKNAK, have you seen this link?
06:34 < wallbroken> what difference is between "/etc/init.d/openvpn reload" and "/etc/init.d/openvpn restart"
06:35 < ACKNAK> ah yeah you are pushing route in this case
06:36 < ACKNAK> and default route
06:37 < ACKNAK> thats not direct exclusion imho
06:37 < anew> not direct?
06:37 < anew> should work tho shouldnt it
06:38 < ACKNAK> I mean what if just do not want to mess up with default gw or other routes
06:38 < ACKNAK> what if client pc have complicated routing
06:38 < anew> hmmm
06:38 < anew> not sure
06:38 < anew> wish there were some people in here
06:38 < ACKNAK> thats kinda exclusion :)
06:38 < ACKNAK> I'm noob
06:38 < anew> me too
06:40 -!- dazo_afk is now known as dazo
06:41 < ACKNAK> if you have only default gw, that should work
06:42 < anew> where is openvpn.config at ?
06:42 -!- azi [~azi@unaffiliated/aquana] has quit [Ping timeout: 245 seconds]
06:42 < anew> i cant find it
06:43 < ACKNAK> I mean default server config
06:43 < ACKNAK> I've created mine :O
06:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:44 < ACKNAK> it was server.conf
06:44 < anew> ah
06:44 < anew> so inside server.conf you added "client-config-dir path/to/your ccd"
06:44 < ACKNAK> right now I have server.1.conf and server.2.conf
06:44 < anew> why 2?
06:44 < ACKNAK> there should be your openvpn config
06:45 < ACKNAK> because I have 2 instances of openvpn
06:45 < ACKNAK> for kind of multi-threading
06:45 -!- azi [~azi@unaffiliated/aquana] has joined #openvpn
06:46 < ACKNAK> https://forums.openvpn.net/topic14841.html this is mine config
06:46 <@vpnHelper> Title: OpenVPN Support Forum Help to optimise site-to-multisite (roadwarriors) : Server Administration (at forums.openvpn.net)
06:46 < ACKNAK> xD
06:46 < anew> hhmmmm ok
06:46 < anew> damn so hard to exclude an ip ...
06:46 < anew> should just be a simple thing in the .conf
06:48 < ACKNAK> if i have openvpn running on my server, and my ssh connection drops <- ssh connection between what and what?
06:49 < ACKNAK> do you get default gw from openvpn server?
06:49 < anew> for example, my server address is 1.1.1.1, when i run openvpn and a vpn script, my server address changes to 2.2.2.2
06:49 < anew> i need my home computer to still 'see' 1.1.1.1
06:49 < anew> does that make sense
06:50 < ACKNAK> why does it changes? you'd better post your config :O
06:51 < anew> i mean the vpn my server is connecting to, changes the ip of the server...
06:51 < anew> isnt that what the vpn is supposed to do
06:51 -!- azi_ [~azi@unaffiliated/aquana] has joined #openvpn
06:53 < wallbroken> what difference is between "/etc/init.d/openvpn reload" and "/etc/init.d/openvpn restart"
06:54 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 260 seconds]
06:54 -!- azi [~azi@unaffiliated/aquana] has quit [Ping timeout: 272 seconds]
06:57 < ACKNAK> anew, it doesnt changes, it gives you new
06:58 < anew> i mean the server is the client
06:58 < anew> i surf the web with the server
06:58 < anew> so i use lynx on my server
06:58 < anew> i connect my server to vpn
06:58 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
06:58 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: No route to host]
06:58 < anew> use lynx to go to google, my ip changes
06:58 < anew> this is good, it works how i want... but
06:58 < anew> i need for my home computer to still 'see' the old ip of my server
07:00 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
07:01 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has quit []
07:01 < ACKNAK> check your routing
07:02 < anew> where?
07:02 < ACKNAK> client
07:02 < anew> but what file should i edit
07:02 < ACKNAK> try to traceroute to your server
07:03 < ACKNAK> check how your traffic goes
07:08 -!- anew [~anew@unaffiliated/anew] has quit [Read error: Connection reset by peer]
07:20  * ecrist awaits the shit show
07:22 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
07:22 -!- heraclitus__ is now known as heraclitus
07:22 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has quit [Changing host]
07:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
07:23 < ACKNAK> ecrist, there would be? :O
07:24 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
07:30 -!- azi_ is now known as azi
07:31 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:32 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
07:39 < wallbroken> openvpn {start|stop|restart|condrestart|reload|reopen|status}"
07:39 < wallbroken> where i cen get a detailed description of each one
07:39 < wallbroken> ?
07:39 < wallbroken> *can
07:40 <@ecrist> read the script
07:40 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
07:41 <@ecrist> we don't provide support for init scripts because they're not written by us.  They're written by the maintainer of whatever package manager you're using
07:41 < wallbroken> ok
07:41 < wallbroken> so, "stop" kills the process
07:42 <@ecrist> probably, but you really need to read the init script
07:42 < wallbroken> "reload" indeed "kill -HUP"
07:42 < wallbroken> yeah i'm doing it right now
07:42 < wallbroken> http://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html
07:42 <@vpnHelper> Title: 1xHOWTO (at openvpn.net)
07:42 < wallbroken> it's here
07:43 <@ecrist> I'm not going to read it
07:43 < wallbroken> so, if i modify openvpn.conf, i just need to do "reload", and not "restart"
07:43 < wallbroken> right?
07:44 <@ecrist> that depends on your script
07:44 < wallbroken> you are talking about init script?
07:45 <@ecrist> yes
07:45 -!- markus_ [~markus@mirkk.vpntunnel.com] has quit [Ping timeout: 252 seconds]
07:45 < wallbroken> yes, i just told you the difference between restard and reload
07:45 < wallbroken> restart just kill, sleep 2, and start the process
07:46 -!- markus_ [~markus@mirkk.vpntunnel.com] has joined #openvpn
07:46 <@ecrist> SIGHUB will reload the config and disconnect all the clients
07:46 < wallbroken> reload just kill -HUP the process, so, basing on this, if i modify openvpn.conf, which one do i need to use?
07:46 <@ecrist> SGIHUP even
07:51 < ACKNAK> uhm sorry could anybody explain me p2p topology?  is it possible to use it to connect sites? say 192.168.1.0/24 for main site and various 192.168.2+.0/29 sites for clients? :O
07:52 -!- bertodsera [~quassel@212.36.61.26] has quit [Ping timeout: 252 seconds]
07:53 < ACKNAK> uhm but I'd have to go give ip for local interface of vpnclient to route his small /29 local net
07:53 < ACKNAK> which would make that network directly attached
07:55 <@ecrist> !route
07:55 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
07:55 <@vpnHelper> client
07:55 <@ecrist> !iroute
07:55 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
07:55 <@ecrist> read those
07:56 < ACKNAK> oookay
07:57 < ACKNAK> ecrist, yeah I'm using scheme like this
07:57 < ACKNAK> but I cannot use "route" command because I have several instances
07:58 <@ecrist> do it all with one instance
07:58 <@ecrist> and you can use route with several
07:58 < ACKNAK> I do not think that one instance would be good idea, I'd have several hundreds clients
07:59 <@ecrist> so, do mulitple and route them properly
07:59 <@ecrist> or use tap and a proper routing daemon
07:59 <@ecrist> like IGRP or BGP
07:59 < ACKNAK> its working like this right now https://forums.openvpn.net/topic14841.html :D
08:00 <@vpnHelper> Title: OpenVPN Support Forum Help to optimise site-to-multisite (roadwarriors) : Server Administration (at forums.openvpn.net)
08:00 < ACKNAK> with help of "learn-address"
08:01 < ACKNAK> but thanks for tap+dynamic routing idea
08:01  * ACKNAK googles
08:02 < ACKNAK> much derp!
08:04 < ACKNAK> but BGP for local routing
08:04 < ACKNAK> that's like nuke-bombing insect :O
08:04 <@ecrist> effective.
08:04 <@ecrist> that's why I first suggested IGRP
08:05 < ACKNAK> ^^
08:05 < ACKNAK> sorry could you a little bit explain "do mulitple and route them properly" ? ^^
08:05 < ACKNAK> that means tun interface?
08:05 < wallbroken> ecrist, ok, the first one sends SIGHUP signal, the second one sends SIGTERM signal, but i haven't understood what SIGHUP does
08:06 <@ecrist> wallbroken: look at the man page for signals
08:06 < ACKNAK> RTFM? :D
08:08 < wallbroken> ecrist, ok, SIGHUP forces openvpn to read configuration file, so, this mieans that i do not need to restart openvpn anymore?
08:08 -!- takamichi [~takamichi@85.12.8.13] has quit [Ping timeout: 248 seconds]
08:10 -!- namidark [~namidark@192.34.61.38] has quit [Excess Flood]
08:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:14 -!- ade_b [~Ade@193.202.255.218] has joined #openvpn
08:14 -!- ade_b [~Ade@193.202.255.218] has quit [Changing host]
08:14 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:19 -!- Monotoko_ [~Monotoko@67-196-85-153.static.systembs.com] has joined #openvpn
08:20 < Monotoko_> don't suppose anyone knows how I would get a box behind the chinese firewall?
08:21 <@ecrist> take her on a nice date, buy her family a goat?
08:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
08:24 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
08:25 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:27 < Monotoko_> .....
08:27 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:27 < Monotoko_> ecrist: I mean a VPS >.>
08:27 < Monotoko_> or a server
08:31 < ACKNAK> ecrist, sorry I do not understand how could dynamic routing could learn which network is behind which host on which instance, it could learn IP addresses they get, but behind client...
08:33 < ACKNAK> is that really possible?
08:35 < ACKNAK> Monotoko_, where cyphered tunnel could be prohibited by law? :D
08:41 < ACKNAK> ecrist or do you mean that I have to install quagga on clients too?
08:42 < ACKNAK> to share routes :S
08:43 < ACKNAK> sounds bulky
08:47 <@ecrist> you're not very easy to work with
08:47 <@ecrist> sounds like your current solution is the only thing you'll accept.
08:57 < ACKNAK> but but I want to read about other solutions =(
08:59 -!- master_o1_master [~master_of@p4FF240B1.dip0.t-ipconnect.de] has joined #openvpn
09:00 -!- master_of_master [~master_of@p4FD7B5C1.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
09:01 -!- lj1 [~l@192.241.174.169] has joined #openvpn
09:02 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 272 seconds]
09:03 < ACKNAK> I'm just using cheap tp-link routers for clients, and I'm not sure if it would be enough for both quagga and encryption :/
09:04 -!- narcos [~narcos@dsl4.leasingoptions.co.uk] has joined #openvpn
09:05 < narcos> Hi all. How can I check the IPs of connected clients from my server?
09:05 < narcos> (the vpn IP that is)
09:06 < narcos> I see some info in openvpn-status.log, but only the interface's IP, not the tun IP
09:09 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Remote host closed the connection]
09:09 -!- ACKNAK [~poni@79.133.97.154] has quit [Ping timeout: 245 seconds]
09:09 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
09:10 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:12 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:13 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
09:14 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 252 seconds]
09:19 < narcos> nm, box is back up
09:19 -!- narcos [~narcos@dsl4.leasingoptions.co.uk] has quit [Quit: Leaving]
09:23 -!- kalloc_ [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
09:32 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
09:33 -!- lj1 [~l@192.241.174.169] has joined #openvpn
09:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:37 -!- anew [~anew@unaffiliated/anew] has joined #openvpn
09:44 -!- bertodsera [~quassel@212.36.61.26] has quit [Ping timeout: 265 seconds]
09:47 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has joined #openvpn
09:48 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
09:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:50 < anew> how the hell can i ssh into a machine that is connected via openvpn without the connection dropping
09:50 -!- yoavz [yoavz@yoavz.net] has quit [Remote host closed the connection]
09:51 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
09:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
09:55 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
10:00 <+rob0> Why is your connection dropping? I type at you through ssh through openvpn, a connection which has been active 10 days.
10:00 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has quit [Quit: tfox]
10:02 < anew> rob0 thanks for answering
10:02 < anew> if i am ssh into 1.1.1.1 and start my openvpn connection
10:02 < anew> the ip changes to 2.2.2.2 and the ssh drops
10:02 < anew> how can i keep this connection active even if the ip changes?
10:04 <+rob0> If you're redirecting the gateway or otherwise changing the route to 1.1.1.1, this is what happens.
10:10 -!- RLOCK_ [~chatzilla@host81-148-6-123.in-addr.btopenworld.com] has joined #openvpn
10:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:11 -!- pgib [~pgib@76.18.186.63] has quit [Changing host]
10:11 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
10:11 < RLOCK_> sorry had a whole host of services running
10:12 < anew> rob0, is openvpn set up to redirect the gateway?
10:12 < anew> how can is ee or change these settings?
10:13 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 252 seconds]
10:13 <@krzee> !redirect
10:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:14 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:14 <+rob0> I didn't set yours up, so I wouldn't know.
10:14 <@krzee> if it is configured for that it is likely that is why you use the vpn
10:14 < anew> but i dont want all traffic
10:14 < anew> only one specific ip address
10:14 -!- RLOCK_ [~chatzilla@host81-148-6-123.in-addr.btopenworld.com] has left #openvpn []
10:14 <@krzee> !splitroute
10:14 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:14 <@krzee> err no
10:14 <@krzee> !route_override
10:14 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
10:14 <@krzee> ^ that one
10:15 <+rob0> still ambiguous
10:16 <@krzee> whats ambiguous about it?
10:16 <@krzee> that post explains what he wants (to override redirect-gateway for a single ip/subnet)
10:17 < anew> http://pastebin.com/k3LXpULb
10:17 < anew> so looks like i just need to add this in my config ?
10:17 <+rob0> I mean the goal is ambiguous ... "only [want] one specific ip address [through the VPN]", perhaps just use the VPN IP address?
10:17 <@krzee> anew, no, you will also need to THINK
10:17 < anew> i am bad at that
10:17 <@krzee> you really gunna blindly use the ip/subnet from the forum?
10:18 < anew> ummm no obv, i just did it for the syntax
10:18 <@krzee> oh well that was not quite obvious ;]
10:18 <@krzee> yes, modify if for your needs and then use it
10:18 < anew> sorry
10:18 < anew> i am a total noob tho
10:19 <@krzee> that will add a route for the subnet given to skip the vpn
10:19 < anew> so... just to be clear
10:19 < anew> my server is running apache2
10:19 <+rob0> What is the purpose/goal of the VPN?
10:19 < anew> i connect to openvpn , website disappears... because the ip of the server changes
10:19 <@krzee> is that the only problem? or a new problem you did not mention until now
10:19 < anew> if i add my ip like the pastebin... i will be the only one able to see the 'old' website correct
10:20 <@krzee> because those 2 things you just mentioned are very different from eachother
10:20 < anew> well i think it's all bundled together, this one ip i add to the config will be able to contact the machine any way it wants (ssh or www-date)
10:20 <@krzee> first of all the IP of the server does not change
10:20 -!- joshh20-Away is now known as joshh20
10:21 <@krzee> ok heres what we're going to need to do with you
10:21 <@krzee> !configs
10:21 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:21 <@krzee> !goal
10:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:21 <@krzee> follow both of those before continuing
10:21 <@krzee> pls
10:21 < anew> k
10:22 < anew> grep: server.conf: No such file or directory
10:22 <@krzee> no kidding, use your config
10:23 <@krzee> we couldnt guess the filename of every single users config, so we had to make it generic
10:23 < anew> but where is this file located ...
10:23 < anew> /etc/openvpn ?
10:24 <@krzee> if you cant think before pasting commands from IRC you wont make it long on IRC and you are lucky you didnt find efnet first or someone would have gotten you to rm -rf / by now
10:24 <@krzee> i dunno, whereever YOU put the file
10:24 <@krzee> i have some in /root i have some in ~krzee/ i have some in /etc/openvpn it all depends what i feel like doing
10:24 <@krzee> your responsibility as an admin to know what you did
10:25 < anew> i never created this file ...
10:25 <@krzee> then how do you have a vpn?
10:25 <@krzee> are you using openvpn-AS ?
10:25 <@krzee> was there a web config involved?
10:25 < anew> think i have it
10:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
10:26 < anew> 3rd party
10:26 <@krzee> what 3rd party
10:26 < anew> hidemyass if you're at all familiar with it
10:26 <@krzee> they installed files in your OS?
10:26 <@krzee> you gave them root and they ssh'ed in?
10:26 < anew> ... the sarcasm is strong
10:26 <@krzee> or they gave you files which YOU put on your machine?
10:26 < anew> let me pastebin the config
10:26 <@krzee> well, if its hidemyass you put them there
10:27 <@krzee> and also you dont run the server so you belong at THEIR tech support
10:27 <@krzee> !provider
10:27 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
10:27 < anew> http://pastebin.com/u5UNKshi
10:27 <@krzee> nice direction following
10:28 < anew> is this the config ?
10:28 <@krzee> except you have over 100 lines of comments
10:28 < anew> ah
10:28 < anew> ok one moment
10:28 < anew> plz
10:28 <@krzee> a client config without a server config means very very little
10:29 <@krzee> the server is able to override most of the client config if it wishes
10:29 < anew> hmmm, so my machine is the client ?
10:29 <@krzee> yes
10:29 <@krzee> the server belongs to "hidemyass"
10:29 < anew> so is there any way to keep the ssh up when my client ip changes after i'm connected to the vpn ?
10:29 < anew> ssh/www-data
10:29 <+rob0> And generally a service like that exists for redirection of the gateway.
10:30 <@krzee> yes, and we told it to you
10:30 <@krzee> except
10:30 <@krzee> 1 other thing
10:30 <@krzee> <anew> my server is running apache2
10:30 <@krzee> you HAD to have meant client
10:30 < anew> i guess my client
10:30 <@krzee> since you dont even run a server
10:30 < anew> yes
10:30 < anew> so the client is running apache2
10:30 <@krzee> OHHHH
10:30 <@krzee> the CLIENT is running sshd as well
10:31 < anew> and i need the client to be able to keep one connection open (my ip)
10:31 <@krzee> and someone else is SSH'd in
10:31 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:31 <@krzee> and THAT disconnects
10:31 < anew> with ssh/www-data
10:31 <@krzee> right?
10:31 < anew> someone else = me
10:31 < anew> so when the client connects to hidemyass vpn... the client ip changes
10:31 -!- lj1 [~l@192.241.174.169] has joined #openvpn
10:33 < anew> yes?
10:33 < anew> does that all make sense ...
10:35 <@krzee> you are SSH'ed into the client from another machine?   or from the client TO another machine?
10:35 <@krzee> that is the important question
10:36 < anew> ( i need www-data also ) ... i am ssh'ed into the client from another machine (me at home)
10:36 <@krzee> ahh there we go
10:36 <@krzee> so i gave the wrong answer because the question sounded very different
10:36 <@krzee> and the answer is advanced networking
10:36 < anew> fml
10:36 < anew> i am beginner
10:36 <@krzee> i really dont think you're up for it, but here it goes
10:36 <@krzee> !splitroute
10:36 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:37 -!- evoked [~ev0k3d@101.164.101.194] has joined #openvpn
10:37 <@krzee> its called policy routing, and it is outside the scope of #openvpn for the most part, because it actually has nothing to do with openvpn
10:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
10:37 <@krzee> if you do not have a firm grasp of how routing works, do not even bother
10:38 < anew> that difficult ??
10:38 <@krzee> its not that it is especially difficult
10:38 <@krzee> it is that it requires understanding
10:38 <@krzee> and if you are remote you may lock yourself out during the learning process
10:39 < anew> argh not sure what i should do then
10:39 < plaisthos> most experience people avoid policy routing if they can
10:39 < anew> what do they do if they dont policy route
10:39 <@Eugene> The rest of us are insane
10:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:39 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
10:40 <@krzee> anew, they would policy route to solve your issue, since it is the only fix
10:40 <@krzee> but they would prefer to not have your issue
10:40 < anew> ok, and before i start this journey
10:40 < anew> this will cover www-data also correct
10:40 <@krzee> it will allow traffic going to your real ip to work
10:40 <@krzee> its not about processes like ssh/www
10:41 < anew> you mean *from dont you?
10:41 < anew> from/to
10:41 < anew> both right
10:41 <@krzee> TO is the problem
10:41 <@krzee> you reply to it, but you reply over the vpn
10:41 < anew> TO ?
10:42 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
10:42 <@krzee> you get the traffic as it goes to old_ip, but you reply from new_ip
10:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
10:42 < anew> this forum post seems incomplete...
10:42 <@krzee> the solution is to add a second routing table and basically say "anything headed to $old_ip should use routing routing table X"
10:42 < anew> man this sounds like a nightmare
10:42 <@krzee> advanced networking
10:43 <@krzee> (vpns are advanced networking as well)
10:43 < anew> besides this channel, any other ones i can go to for help ?
10:44 <@krzee> this channel just gave you the push in the right direction, i think ##networking would be more help now, you need help with policy routing not with openvpn
10:44 < anew> (not that you're not helping me, just in case no one is here in the future)
10:44 <@krzee> no no you were right anyways
10:44 <@krzee> you do not desire openvpn knowledge
10:44 < anew> i desire
10:44 <@krzee> you desire understanding of how policy routing works
10:44 <@krzee> (that will solve your problem)
10:44 < plaisthos> anew: yeah. That is why network professionals have a good salary in average
10:44 <@krzee> ^^
10:45 < anew> ok, so .. what i need is...'policy routing' from my ip to a client ip that is connecting to a server via vpn
10:45 < anew> correct?
10:45 <@krzee> <anew> ok, so .. what i need is...'policy routing'
10:45 <@krzee> correct
10:45 < anew> lol
10:45 < anew> thumbs up
10:45 <@krzee> the rest was kinda gibberish
10:45 < anew> will go ask in there
10:45 < anew> thanks
10:45 <@krzee> hehe
10:45 <@krzee> np
10:46 <@krzee> oh and that forum post was complete after the second post
10:46 <@krzee> then people hijacked it with questions
10:46 <@krzee> the OP answered himself in post 2
10:46 < anew> ah
10:46 < anew> so if i just follow the forum post i'll be ok ?
10:47 <@krzee> no, learn what you're doing first
10:47 <@krzee> lol
10:47 < anew> if i learn what i'm doing would the link be enough ?
10:47 <@krzee> sure
10:47 <@krzee> if you knew policy routing youd look at that and go OHHHH RIGHHHHT
10:48 <@krzee> cause you would understand what was stopping it from working upon seeing that
10:48 <@krzee> and if you already knew what was stopping it, you probably wouldnt look at the post
10:49 <@krzee> and now i understand that you are running the client process on a machine you call a server, but in this context remember to call it the openvpn client and web/ssh server
10:49 < anew> argh lost the link obv
10:49 <@krzee> !splitroute
10:49 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:50 < anew> ah
10:50 <+rob0> thumbs, up?
10:50 <@krzee> rob0, (y)
10:50 <@krzee> hahah
10:50  * thumbs ignores rob0 
10:50 < anew> lol he's in here also
10:51 <@krzee> hes everywhere
10:51 < anew> he really is
10:51  * krzee ignores thumbs
10:51 < anew> how much do networking guys make ?
10:52 <@krzee> https://www.youtube.com/watch?v=-vohNUTTx3A
10:52 <@vpnHelper> Title: Dr Evil - Why make trillions when we can make... Billions - YouTube (at www.youtube.com)
10:52 < anew> lol
10:52 <@krzee> https://www.youtube.com/watch?v=cf7uJDhVZIE
10:52 <@vpnHelper> Title: Dr. Evil 100 Billion Dollars - YouTube (at www.youtube.com)
10:55 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
10:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:56 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
10:58 <@krzee> hey rob0, https://github.com/freebsd/freebsd/blob/master/sbin/shutdown/shutdown.c#L352
10:58 <@vpnHelper> Title: freebsd/sbin/shutdown/shutdown.c at master · freebsd/freebsd · GitHub (at github.com)
11:12 < plaisthos> anew: iirc a CCIE certified person has an average salery of 150k$
11:13 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:13 < plaisthos> ah not that much
11:13 < plaisthos> more like 100k$
11:16 <@ecrist> WAY back in the day CCIE was a guaranteed job at Cisco
11:17 <@ecrist> and a 200k salary
11:17 <@krzee> i didnt know that changed
11:17 <@ecrist> the whole supply/demand thing screwed that all up
11:18 <@krzee> haha
11:18 <@krzee> i guess too many people wanted cushy 200k jobs at cisco
11:18 <@krzee> hard to blame them, especially in this economy
11:18 <@krzee> i have a friend with a phd (he studyed brains at a UC in california) who cant find work
11:19 <+rob0> mmmm, brains
11:20 <@krzee> i could go for $200k/yr, but i dont wanna work at cisco (or anything corporate really)
11:20 <@krzee> as i take my 2.5 month vacation right now i am reminded that a corporate job would fire me for this
11:21 <@krzee> so screw them, im going to asia :D
11:21 <@krzee> i vacation like 4 months / yr
11:22 <@krzee> when you can tell your job "see you in april" during january, it's a keeper!
11:22 <@ecrist> for sure
11:22 <+rob0> haha, die_you_gravy_sucking_pig_dog(void)
11:22 <@krzee> rob0, hahaha i thought youd like that one :D
11:22 <@ecrist> especially if that job pays you enough while you're there to vacation in Asia for 2.5 months
11:22 <@krzee> ecrist, did you see that? youd like it too :D
11:24 < anew> what the hell is your job that you vacation 4 months a year ...
11:24 <@krzee> my job is basically to sit there and look like im working while my shell scripts do everything i was tasked with
11:25 <@krzee> turns out i do that pretty well from anywhere, since they instant message me as needed
11:26 <@krzee> and really my scripts do half of the others peoples work too
11:26 <@krzee> hahah
11:27 <+rob0> when I get a little better established in my job, I'll be able to work on the road.
11:27 <@krzee> cause i get bored and continuously automate stuff
11:27 <@krzee> rob0, im thinking thats in my future too, prolly a year or 2 out though
11:28 <@krzee> if this were the corporate world ild get fired for automating my job, where im at i get a bonus for it
11:29 <@krzee> haha
11:29 <@ecrist> I've begun working from vacation spots last year both while taking vacation as well as for long holidays
11:29 -!- zhulikas [~zhulikas@78-56-205-230.static.zebra.lt] has quit [Ping timeout: 272 seconds]
11:29 <@ecrist> no big deal to sit at the extended family's home and working from 0700 to 1500 when 90% of them won't be awake before noon anyhow
11:29 < anew> well congratulations guys
11:29 < anew> looks like you guys hit the jackpot
11:29 < anew> if you dont mind can i ask you a question
11:30 <@krzee> i told them "i can do anything remotely that i can do here, except talk to you, so heres a secure phone to call me when you need me, see you in april"
11:31 -!- u0m3 [~u0m3@92.80.105.67] has joined #openvpn
11:32 < anew> https://forums.openvpn.net/topic7175.html from this forum post... the second anser, in what file do i put these lines ?
11:32 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN with redirect-gateway renders public ip inaccessable : Configuration (at forums.openvpn.net)
11:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:36 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 260 seconds]
11:36 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 260 seconds]
11:37 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 259 seconds]
11:37 < anew> wait
11:38 < anew> so i just type these two lines of commands and i have my home machine ssh into the client working fine?
11:38 < anew> krzee ^ ?
11:38 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
11:38 -!- mete [~mete@91.247.253.160] has joined #openvpn
11:50 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
11:51 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:51 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
11:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:53 -!- Gnonim0 [~joe@us1x.mullvad.net] has quit [Read error: Connection reset by peer]
11:59 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
12:09 -!- eKKiM [~eKKiM@d5152D9EA.static.telenet.be] has joined #openvpn
12:10 < eKKiM> Hi
12:10 < eKKiM> anyone has any experience with your router letting connect to openvpn server
12:10 < eKKiM> and make all traffic from the lan clients go over VPN?
12:10 <@krzee> your router will need to be configured like:
12:10 <@krzee> !redirect
12:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:11 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:12 < eKKiM> i think i did all that
12:12 < eKKiM> !def1
12:12 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:13 < eKKiM> !ipforward
12:13 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:13 < eKKiM> !linipforward
12:13 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:15 < eKKiM> i can ping my remote vpn server
12:15 < eKKiM> but cant ping anything else
12:15 < eKKiM> or visit anything else
12:15 < eKKiM> just my vpn server
12:16 < eKKiM> !nat
12:16 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:16 <@krzee> try testing it from a normal machine first
12:16 <@krzee> instead of the router
12:16 < eKKiM> it works on the router
12:16 <@krzee> just to make testing easier
12:16 < eKKiM> on the router i can visit all urls
12:16 < eKKiM> did wget to check ip
12:16 <@krzee> and they report the right IP?
12:16 < eKKiM> and its vpn server ip
12:16 <@krzee> cool
12:16 <@krzee> ok then nevermind on that ;]
12:17 < eKKiM> router doesnt forward the ip packets somehow
12:17 <@krzee> ild guess firewall
12:17 < eKKiM> i would guess it to
12:17 < eKKiM> but cant find anything weird in iptables
12:17 <@krzee> the topic would too ;]
12:18 <@krzee> ohhh one more thing is needed
12:18 <@krzee> almost forgot
12:18 <@krzee> you must do 1 of 2 things:
12:18 < eKKiM> http://pastebin.com/BSWHZPMZ
12:18 < eKKiM> thats the ip tables
12:18 < eKKiM> whats needed more?
12:18 <@krzee> you must NAT the lan to the vpn address (on the router) OR you must NAT the lan ips on the server and setup routing to the client lan
12:18 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
12:18 <@krzee> first option is easier, second option allows the server to see which lan machine does what
12:19 < eKKiM> and how do i NAT the lan to vpn address on the router?
12:19 <@krzee> currently if you look at server logs you will see MULTI errors
12:19 < eKKiM> no
12:19 < eKKiM> no errors
12:19 <@krzee> yes
12:19 <@krzee> on the server log
12:19 <@krzee> !multi
12:19 <@krzee> !iroute
12:19 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:19 <@krzee> hmm
12:19 <@krzee> !factoids
12:19 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:20 < anew> http://pastebin.com/JyuabJd3 when i try to run this command i get this error ?
12:20 <@krzee> anew, wrong channel, try ##networking for help with policy routing
12:21 < eKKiM> krzee
12:21 < eKKiM> openvpn log
12:21 < eKKiM> http://pastebin.com/CRkaG7kg
12:21 <@krzee> i said SERVER
12:21 < eKKiM> oh
12:22 < eKKiM> sry, that might be possible
12:22 <@krzee> because your server cant route packets from clients with source addresses it doesnt know
12:22 < eKKiM> !route
12:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
12:22 < eKKiM> !ccd
12:22 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:22 <@krzee> it wouldnt know where to return the return packets to
12:22 <@krzee> eKKiM, you dont need to do all that
12:22 <@krzee> you can simply NAT the lan to the vpn interface
12:23 < eKKiM> how would i do that the easy way?
12:23 <@krzee> iptables -t nat -I POSTROUTING -s $lan_subnet/24 -o $tun_interface -j MASQUERADE
12:23 <@krzee> assuming your lan subnet is /24
12:24 < eKKiM> ive done that
12:24 <@krzee> no, im talking about on the router
12:24 <@krzee> you did something similar on the server
12:24 < eKKiM> yes
12:24 < eKKiM> no
12:24 < eKKiM> i did that on the server
12:24 < eKKiM> eurm
12:24 < eKKiM> router
12:24 < eKKiM> sry
12:24 <@krzee> iptables-save on the router
12:24 <@krzee> and show me the server openvpn log
12:25 < eKKiM> router iptables
12:25 < eKKiM> http://pastebin.com/fBsQxdDt
12:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
12:26 <@krzee> -A POSTROUTING -o tun+ -j ACCEPT
12:26 <@krzee> -A POSTROUTING -o eth0 -j MASQUERADE
12:26 <@krzee> you dont think you should clarify WHICH packets to nat?
12:27 <@krzee> i dunno this firewall hurts my eyes to look at, haha
12:27 < anew> simple, in your openvpn setup make a route for your home ip via the eth0 default gateway ip
12:27 < anew> this is the answer i got in #networking
12:28 < eKKiM> krzee i know its way to complicated for what it does
12:28 < eKKiM> its ClearOS default setup -_-
12:28 <@krzee> anew, they misunderstood your question, in the exact same way i did when you tried asking it the first time
12:28 <@krzee> i had to dig to figure out what you really wanted
12:28 <@krzee> im guessing you mis-used "server" again while talking
12:29 <@krzee> eKKiM, ya man openwrt and ddwrt do even worse
12:29 <@krzee> i clear them and start over, personally
12:29 <@krzee> but your methods of firewall admin are upto you =]
12:30 < eKKiM> its just in my vmware lab
12:30 < eKKiM> so can fuck it up if i want
12:30 < anew> ip route add yourhomeipaddress via gatwayforeth0 so this is not what i want to do? they misunderstood?
12:30 <@krzee> or you can try short circuiting stuff too
12:30 < eKKiM> but rather not too :p
12:30 <@krzee> like adding rules with -I instead of -A
12:30 < eKKiM> i just tried
12:30 <@krzee> like the tun+ allow rules and stuff
12:30 < eKKiM> iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
12:31 < eKKiM> but nothing changed
12:31 <@krzee> also -I on the FORWARD INPUT and OUTPUT tun+ rules
12:32 <@krzee> -I makes the rule first instead of last (insert versus append)
12:34 <@krzee> bout time for me to run for a bit, but keep playing around in the firewall and you should get it
12:35 <@krzee> OHHH
12:35 <@krzee> you must also NOT nat the packets to the server over tun0
12:35 <@krzee> those must get NAT'ed over eth0
12:35 < eKKiM> whut?
12:35 <@krzee> forgot about that
12:35 < eKKiM> eth0 = wan
12:35 < eKKiM> eth1 = lan
12:35 < eKKiM> just to be sure
12:36 <@krzee> the packets to the vpn server itself must get natted out eth0, the packets from the lan must get natted out tun0
12:36 < eKKiM> nat then from tun0 to eth1?
12:36 <@krzee> get what i mean?
12:36 < eKKiM> hmm
12:36 < eKKiM> why is that exactly?
12:37 <@krzee> the connection from the router to the server must go over the internet
12:37 < eKKiM> ah
12:37 < eKKiM> now i see
12:37 < eKKiM> indeed
12:37 < eKKiM> tyvm
12:37 <@krzee> not sure if thats the issue, but its something to look at while playing in there
12:37 < eKKiM> indeed
12:37 <@krzee> also do what i said with making the allow rules -I
12:37 < eKKiM> trying that atm
12:37 <@krzee> -A INPUT -i tun+ -j ACCEPT   <-- like that one, -I
12:38 <@krzee> and OUTPUT and FORWARD
12:38 <@krzee> that way its before anything else that might wanna do something besides accept
12:38 <@krzee> goodluck, keep playing in there and you'll get it
12:40 < anew> they said you're wrong... i dunno who to believe
12:40 < anew> i explained the problem twice
12:40 <@krzee> anew, tell them that your client runs sshd and apache, and when your client uses redirect-gateway it can no longer serve things on its internet IP, so you want policy routing configured to allow your outbound traffic to use the vpn but your traffic to the machines sshd to reply over the internet without VPN
12:40 <@krzee> anew, you likely explained it wrong twice
12:41 <@ecrist> !linnat
12:41 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
12:42 <@krzee> ecrist, eKKiM is configuring his router to redirect-gateway for his entire lan
12:42 <@krzee> so he needs to NAT from lan to VPN on his router (the client)
12:43 <@ecrist> same idea, just swapping some vars around
12:43 <@krzee> yep
12:44 <@krzee> subnet and interface
12:44 -!- joshh20 is now known as joshh20-Away
12:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:48 <@krzee> !route_override
12:48 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
12:48 < wallbroken> how do openvpn react on sighup signal?
12:50 <@krzee> wallbroken, its in the manual under SIGNALS section
12:50 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
12:50 < wallbroken> SIGHUP -- Hard restart
12:51 < wallbroken> what does it mean "hard restart" ?
12:51 < anew> route home_ip 255.255.252.255 net_gateway krzee this is a bash command ?
12:52 <@krzee> no, try reading what i said
12:52 <@krzee> bbl, leaving the house
12:52 < anew> thats an internal openvpn variable
12:52 < anew> meh ok will do his way
13:07 < anew> where do i change internal openvpn variables at ?
13:10 < anew> where is openvpn.conf ?
13:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:13 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
13:13 -!- schnitzl [~schnitzl@dslb-178-010-084-086.pools.arcor-ip.net] has quit [Read error: Operation timed out]
13:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:21 -!- schnitzl [~schnitzl@dslb-188-098-012-067.pools.arcor-ip.net] has joined #openvpn
13:26 < wallbroken> is there some problem:
13:26 < wallbroken> F1 -- Conditional restart (doesn't close/reopen TAP adapter)
13:26 < wallbroken> F2 -- Show connection statistics
13:26 < wallbroken> F3 -- Hard restart
13:26 < wallbroken> F4 -- Exit
13:26 < wallbroken> no one works
13:27 <@ecrist> where do you see that?
13:27 < wallbroken> http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
13:27 <@vpnHelper> Title: HOWTO (at openvpn.net)
13:27 < wallbroken> ops
13:27 < wallbroken> openvpn.net/index.php/open-source/documentation/howto.html
13:27 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 245 seconds]
13:27 <@dazo> wallbroken: IIRC, that's only visible if you run openvpn from cmd.exe on Windows
13:28 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:29 <@dazo> wallbroken: openvpn probably tackles SIGHUP with SIG_DFL ... as I don't recall any signal hooks on SIGHUP
13:30 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
13:30 < wallbroken> dazo, if i change some config in .conf file, i shoud send sigterm or sighup?
13:30 <@dazo> wallbroken: you need to restart openvpn (SIGTERM/SIGINT) when the config changes
13:31 < wallbroken> debian uses etc/rc.d/openvpn reload
13:31 < wallbroken> it's in the init script
13:31 < wallbroken> and it's sighup
13:31  * dazo checks the code
13:31 < wallbroken> when should i use it?
13:31 < wallbroken> http://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html
13:31 <@vpnHelper> Title: 1xHOWTO (at openvpn.net)
13:32 < wallbroken> you can see it here
13:32 <@ecrist> wallbroken: I've been trying to answer this question for you since yesterday
13:32 <@ecrist> SIGHUP isn't really special to openvpn 
13:32 <@ecrist> you cannot change the config and reload openvpn and not have your connected clients lose their connections
13:33 < wallbroken> ecrist, yes, but now i asked another thing: when should i need to use "reload" init ?
13:33 <@dazo> wallbroken: from the man page:
13:33 < wallbroken> you can't answer because probably you don't use a debian like
13:33 <@dazo>        SIGHUP Cause OpenVPN to close  all  TUN/TAP  and  network  connections,
13:33 <@dazo>               restart,  re-read  the  configuration  file (if any), and reopen
13:33 <@dazo>               TUN/TAP and network connections.
13:34 < wallbroken> yeah
13:34 <@ecrist> SIGHUP is just a macro for restart
13:34 < wallbroken> so, it's the same thing as restart
13:34 <@ecrist> yes
13:34 <@ecrist> yes
13:34 <@ecrist> yes
13:35 <@Eugene> kill -SIGHUP `pidof ecrist`
13:35 -!- Eugene was kicked from #openvpn by ecrist [process terminated]
13:35 -!- Eugene [eugene@itvends.com] has joined #openvpn
13:36 < wallbroken> debian openvpn mantainer are stupid, they implements the same thing many times, if restart=reload
13:36 -!- eKKiM [~eKKiM@d5152D9EA.static.telenet.be] has quit [Ping timeout: 252 seconds]
13:37 < Eugene> openvpn doesn't really have a 'reload', so.... yeah, Debian is stupid.
13:38 < wallbroken> i was thinking that reload simply reads configuration without loosing connection of clients
13:39 <@ecrist> I told you yesterday that wouldn't work.
13:45 < wallbroken> SIGUSR1 -- Conditional restart, designed to restart without root privileges
13:45 < wallbroken> what does it mean that there are not "root privileges" ?
13:47 -!- joshh20-Away is now known as joshh20
13:54 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
14:16 -!- dazo is now known as dazo_afk
14:16 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
14:16 -!- lj [~l@192.241.174.169] has joined #openvpn
14:20 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Textual app]
14:29 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Remote host closed the connection]
14:29 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
14:47 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-whcshbgsjqajlkov] has left #openvpn []
14:51 -!- fenris_kcf [~fenris@p4FFE4854.dip0.t-ipconnect.de] has joined #openvpn
15:06 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:10 <@krzee> back for a few
15:11 < wallbroken> SIGUSR1 -- Conditional restart, designed to restart without root privileges
15:11 <@krzee> it means it still works even if you drop priviledges with --user --group
15:12 <@krzee> because openvpn must be started as root, but using --user and --group drops root priviledges after it starts
15:17 -!- Ximerian [~3ec@173-163-3-81-cpennsylvania.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
15:20 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
15:21 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
15:21 < wallbroken> "condrestart" very stupid, restarts openvpn only is already running
15:22 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
15:23 < DRice7> !welcome
15:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:23 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:23 < DRice7> !goal
15:23 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:24 < DRice7> I have an RT-N66U running custom firmware with an OpenVPN server running. I would like to access the LAN behind the server. I do not need to access the internet over my vpn and would rather not use the extra bandwidth. I would like to be able to access a linux server that runs ssh and Plex Media Server behind the openvpn server
15:26 < DRice7> http://pastebin.com/Y1CR5kin (CLient) ----- http://pastebin.com/WVUdZQX0 (Server)
15:28 < DRice7> Currently I can only ssh to the two routers on the remote network, and access their http config pages - but I cannot directly ssh to my linux box
15:28 < DRice7> !sample
15:28 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
15:29 < DRice7> !man
15:29 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
15:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:54 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
15:57 -!- Gnonim0 [~joe@us1x.mullvad.net] has joined #openvpn
15:58 -!- mattock is now known as mattock_afk
16:03 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
16:05 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
16:07 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:09 -!- kossy [a@unaffiliated/kossy] has quit [Quit: ZNC - http://znc.in]
16:10 -!- kossy [dirty@unaffiliated/kossy] has joined #openvpn
16:11 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
16:12 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
16:16 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
16:16 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
16:17 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
16:17 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
16:18 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
16:21 -!- kossy [dirty@unaffiliated/kossy] has quit [Quit: ZNC - http://znc.in]
16:22 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
16:23 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 245 seconds]
16:31 -!- Ximerian [~3ec@c-98-237-9-126.hsd1.pa.comcast.net] has joined #openvpn
16:33 -!- Ximerian [~3ec@c-98-237-9-126.hsd1.pa.comcast.net] has quit [Read error: Connection reset by peer]
16:37 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:39 -!- lj [~l@192.241.174.169] has joined #openvpn
16:43 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 245 seconds]
16:43 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
16:46 < joevandyk> i'm a moron when it comes to vpns. i setup a vpn on ec2. there's one machine that i want clients to be able to connect to. (say it's 10.165.33.33). that's all i need. what would my openvpn server conf look like?
16:46 < joevandyk> i can connect to the vpn fine, but i can't seem to access 10.165.33.33 at all
16:46 <@krzee> the lan is behind the server?
16:47 <@krzee> is 10.165.33.33 the real ip or is the real ip on the internet?
16:47 < joevandyk> krzee: 10.165.33.33 is the private ip address
16:47 <@krzee> ok, and that is behind the server or behind a client?
16:47 < joevandyk> krzee: i'm not sure what you mean by "behind a client".
16:48 <@krzee> who can access it without a vpn?
16:48 <@krzee> the vpn client or the vpn server?
16:48 < joevandyk> krzee: vpn server
16:48 <@krzee> ok
16:48 <@krzee> !serverlan
16:48 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:48 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:48 < joevandyk> thanks for the pointers, i'll check that out
16:48 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
16:48 < joevandyk> i thought all i had to do was push the route
16:48 <@krzee> np
16:48 < joevandyk> maybe i just needed ipforwarding
16:49 <@krzee> ya, push the route and enable ip forwarding
16:49 <@krzee> and possibly enable it in the firewaall
16:49 <@krzee> depending on how permissive your firewall is
16:49 <@krzee> im not sure if ec2 has anything special about it
16:50 <@krzee> !factoids search ec2
16:50 <@vpnHelper> No keys matched that query.
16:50 <@krzee> !factoids search
16:50 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
16:50 <@krzee> !factoids search ec2 --values ec2
16:50 <@vpnHelper> No keys matched that query.
16:50 <@krzee> !factoids search --values ec2
16:50 <@vpnHelper> No keys matched that query.
16:50 <@krzee> vpnHelper is also not sure
16:51 <@krzee> oh and the flowchart may help ya
16:51 <@krzee> i made it so it can walk you through the tests we would ask you to do
16:51 <@krzee> then you can tell us where you get stuck and we can more effectively help ya
16:52 -!- kossy [a@unaffiliated/kossy] has quit [Quit: ZNC - http://znc.in]
16:52 -!- kossy [a@kossy.org] has joined #openvpn
16:54 < joevandyk> krzee: if my server line is: server 10.8.0.0 255.255.255.0, will the server take 10.8.0.1? netstat -rn is reporting 10.8.0.5 is the gateway
16:55 <@krzee> 10.8.0.6 is the client's ip
16:55 <@krzee> it reports that gateway because
16:55 <@krzee> !net30
16:55 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:56 <@krzee> oh damn
16:56 <@krzee> the CMS ate the link
16:56 <@krzee> !forget /30 all
16:56 <@vpnHelper> Error: There is no such factoid.
16:56 <@krzee> !forget /30 *
16:56 <@vpnHelper> Joo got it.
16:56 -!- kossy [a@kossy.org] has quit [Changing host]
16:56 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
16:56 < Eugene> Content munging system
16:56 <@krzee> !learn /30 as http://openvpn.net/index.php/open-source/faq/community-software-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html explains why routed clients each use 4 ips
16:56 <@vpnHelper> Joo got it.
16:56 < Eugene> Holy fuck that's an ugly link.
16:56 <@krzee> !learn /30 as you can avoid this behavior with by reading !topology
16:56 <@vpnHelper> Joo got it.
16:57 <@krzee> ya it is *elbow nudge mattock_afk*
16:57 < Eugene> http://goo.gl/SbKrT5
16:57 <@vpnHelper> Title: "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode? (at goo.gl)
16:57 <@krzee> Eugene, will that remain forever?
16:57 < Eugene> Yup.
16:57 <@krzee> !forget /30 *
16:57 <@vpnHelper> Joo got it.
16:57 < wallbroken> guys, to kill some client without restarting server, the only way is management interface?
16:57 < joevandyk> krzee: i should be able to ping 10.8.0.5?
16:58 <@krzee> !learn /30 as http://goo.gl/SbKrT5 explains why routed clients each use 4 ips
16:58 <@vpnHelper> Joo got it.
16:58 <@krzee> joevandyk, no, 10.8.0.1 for server and 10.8.0.6 for that client
16:58 <@krzee> !learn /30 as you can avoid this behavior with by reading !topology
16:58 <@vpnHelper> Joo got it.
16:58 < joevandyk> ah, ok. continuing with flow chart
16:58 <@krzee> joevandyk, btw, you probably just want topology subnet in the server config
16:58 <@krzee> and then the first client is .2 with gw .1
16:59 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
16:59 <@krzee> if that link was tl;dr then know that topology net30 (the default, and what you have, why its .5 but nonexistant) is only a workaround for windows lameness, and they found a better way years ago (topology subnet)
16:59 < joevandyk> i cannot ping the lan ip address of the server
16:59 <@krzee> net30 is only default for backwards compat
16:59 < joevandyk> (from the client)
17:00 <@krzee> im sure you want topology subnet ;]
17:00 <@krzee> everyone does really, i wish we could just break old shit and make it default
17:00 < joevandyk> krzee: hm, ok. https://help.ubuntu.com/12.04/serverguide/openvpn.html didn't mention it. i'll look iit up.
17:00 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
17:00 <@krzee> anyways, if you cant ping server lan ip you have a problem with ip forwarding
17:00 <@krzee> ya
17:00 <@krzee> !walkthrough
17:00 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
17:01 <@krzee> i hate those things
17:01 <@krzee> but we'll continue on your setup
17:02 <@krzee> add "topology subnet" to your server config, restart both sides.  also show me iptables-save
17:02 <@krzee> !linipforward
17:02 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:02 <@krzee> also show me:  cat /proc/sys/net/ipv4/ip_forward   it will be 1 or 0
17:02 <+jeev> hey krzee
17:03 <@krzee> sup jeev
17:03 < joevandyk> krzee: it's 1
17:03 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
17:03 <@krzee> cool, iptables-save
17:04 < joevandyk> nothing
17:04 <@krzee> (pastebin or similar)
17:04 < joevandyk> no output
17:04 <@krzee> absolutely nothing?
17:04 < joevandyk> krzee: yes
17:04 <@krzee> thats weird
17:04 <@krzee> it should have the default rules
17:04 < joevandyk> i haven't done anything with iptables on it
17:04 <@krzee> doesnt matter, should still have ACCEPT
17:05 <@krzee> for each chain
17:05 <@krzee> produces quite a bit of output no matter what
17:05 <@krzee> absolutely nothing makes me thing we cant add rules of our own, which we may need to do
17:06 < joevandyk> krzee: i tried iptables-save on a couple different vm's running different versions of ubuntu, all of them report nothing
17:07 <@krzee> oh ya nothing from my ubuntu vm either
17:07 <@krzee> 1sec this is for me
17:07 <@krzee> !linnat
17:07 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
17:07 < joevandyk> krzee: this is the ping error: https://gist.github.com/joevandyk/b435a72e2b956ee6724b/raw/895445eab3b985f622ef886c312f88319534dbec/gistfile1.txt
17:09 <@krzee> whats the vpn subnet? show me ifconfig -a (and dont tell pekster i used ifconfig)
17:09 <@krzee> vpn subnet is 10.8.0.0/24 right?
17:10 < joevandyk> krzee: https://gist.github.com/joevandyk/e403b5c1c1b7b30bafa2/raw/4ef764fefa0ff408c8b72246f06c1263b4e01ac7/gistfile1.txt
17:11 <@krzee> iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
17:12 < joevandyk> YES
17:12 < joevandyk> i can connect to the machine that i want to connect to.
17:12 < joevandyk> thanks!
17:12 < joevandyk> i still can't ping the server's ip though
17:12 < joevandyk> the lan ip
17:13 < pekster> joevandyk: Need to run `iptables-save` as root
17:14 < pekster> Upstream has a fix in to yell at you if you don't, but otherwise it'll spew nothing with an exit code of 0
17:14 -!- lj [~l@99.155.24.89] has joined #openvpn
17:14 < joevandyk> pekster: i am root
17:15 < joevandyk> there's stuff in iptables-save now, btw
17:15 < joevandyk> https://gist.github.com/joevandyk/db97aceeb8180902ce15/raw/a05bcc053c83202c6ce7282c50262cf5c8009f97/gistfile1.txt
17:16 < joevandyk> what's the best way to learn about openvpn, iptables, subnets, all this?
17:17 < joevandyk> oh, i shouldn't be able to ping the lan ip address of the server, i don't have a route for it.
17:18 < pekster> You reviewed the !serverlan info? It covers routing, IP forwarding, and firewalls
17:18 -!- lj1 [~l@192.241.174.169] has joined #openvpn
17:18 -!- lj [~l@99.155.24.89] has quit [Ping timeout: 245 seconds]
17:21 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
17:24 < wallbroken> pekster, you are using a debian like distribution?
17:25 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
17:33 <@krzee> joevandyk, np
17:40 -!- nfx [nughaud@gateway/shell/sh3lls.net/x-drlwuzpypvbkqnjf] has left #openvpn []
17:46 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:48 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has joined #openvpn
17:49 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
17:50 < exa> when using "tls-auth", is there any other option i have to set?
17:50 <@krzee> !man
17:50 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:52 < exa> krzee: that's it as far as i know. my client outputs "TLS Error: cannot locate HMAC in incoming packet from..."
17:52 <@krzee> that is not it
17:53 <@krzee> read the manual for --tls-auth
17:53 <@krzee> it wont bite you
17:53 < debbie10t> unlike IRC
17:57 < exa> alright, reading the manual didn't reveal anything new.
17:58 < exa> server: http://pastebin.com/qg3YHNip  client: http://pastebin.com/bn1CB7Y3
17:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:59 <@krzee> that is not an openvpn server config
17:59 <@krzee> but tls-auth looks ok
17:59 < exa> it's openwrt-style ;)
17:59 <@krzee> check the md5 of ta.key on each side
17:59 <@krzee> ahh its UCI
17:59 <@krzee> i hate that
17:59 < exa> yep
18:00 < exa> and yep
18:00 <@krzee> haha
18:00 <@krzee> but ya, check md5 on both sides, that could be the hmac issue
18:00 <@krzee> it should be =
18:01 < exa> identical
18:01 <@krzee> you have comp-lzo no in the server
18:01 <@krzee> but not in the client
18:02 <@krzee> default is adaptive, and without *something* in the client config, the server cannot change the clients comp-lzo config
18:02 < exa> comp_lzo is explicitly disabled in the server config
18:02 <@krzee> yes but not in the client
18:02 <@krzee> disable it in the client too.
18:05 < exa> that didn't help :(
18:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
18:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
18:05 -!- mode/#openvpn [+o plaisthos] by ChanServ
18:05 <@krzee> how does the client even start with dh in the config??
18:06 <@krzee> also, why are you bridging?
18:06 < exa> why shouldn't it? and why not?
18:06 < exa> if i disable tls-auth, everything works
18:06 <@krzee> because dh is a server-only option
18:08 < exa> ...no longer
18:09 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
18:10 < exa> re bridging; all i want is to access other devices in my LAN and to use my internet connection
18:11 < pekster> You don't need bridging for that
18:11 < pekster> !tunortap
18:11 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:11 <@vpnHelper> rooted/jailbroken) support only tun
18:11 < pekster> !whybridge
18:11 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
18:11 < pekster> exa: There's some reading material for you. Decide if you really need OSI L2 transport
18:12 < pekster> Further reading on exposing a server-side network can be found at: !serverlan
18:12 <@krzee> hell, !redirect actually works for that too
18:12 <@krzee> as well as your goal of internet over the vpn
18:13 <@krzee> i take it back theres 1 extra step to the server lan if you are not running openvpn on the router for its lan
18:14 < exa> well, i'll happily use then tun then.
18:14 < exa> but my tls-auth problem still persists :/
18:15 < exa> -then*
18:15 <@krzee> show me the logs from both sides
18:15 <@krzee> with verb 5
18:17 < pekster> krzee: openwrt does create a "real" config file from the UCI stuff
18:17 < pekster> At least as of 12.x
18:17 <@krzee> oh cool, tell him where to find it i guess
18:17 <@krzee> i just use a real config
18:18 <@krzee> do we have a factoid for telling people how to find it?
18:18 < pekster> I'm digging it up now
18:18 <@krzee> !factoids search wrt
18:18 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
18:19 < exa> client: http://pastebin.com/ZJhY0xTk
18:20 < pekster> krzee: Oh, I was mistaken (must have been some other distro that did that.) openwrt is just as bad as ever, but users are able to pass `option config /etc/openvpn/whatever.conf` as the only UCI option and do it properly
18:20 <@krzee> hey good idea
18:20 < pekster> I mean, UCI itself isn't evil, but abstracting away the real config is painful unless _they_ want to support it
18:20 <@krzee> right
18:21 < pekster> Same BS n-m has :(
18:21 < exa> srv: http://pastebin.com/KCyAQ0AZ
18:21 <@krzee> personally i never bothered, easy enough to just treat it as a linux box, i dont even have a web config on my wrt boxes
18:21 <@krzee> i remove it when compiling my image
18:21 < pekster> I do unless a client might make use of the status info
18:22 -!- Iain_ [~Iain@host31-49-27-80.range31-49.btcentralplus.com] has quit [Ping timeout: 272 seconds]
18:23 -!- Iain_ [~Iain@host31-49-27-80.range31-49.btcentralplus.com] has joined #openvpn
18:30 < exa> krzee: something too obvious? :D
18:30 <@krzee> i got stuck on the funny dd-wrt links
18:30 <@krzee> their messups
18:30 <@krzee> hahah
18:31 <@krzee> oh i see, the client simply ignores the dh option now
18:31 <@krzee> thats good
18:31 <@krzee> i think i requested that awhile back even
18:32 <@krzee> you didnt make the server verb 5
18:33 <@krzee> also, this is going to be painful for you when the connection works
18:33 <@krzee> lol
18:33 <@krzee> since they are in the same lan and you are bridging
18:33 < exa> > option 'verb' '5'
18:34 <@krzee> well it skipped all the output it should start with
18:34 <@krzee> the config dump
18:34 < exa> meh...
18:36 < exa> uh, it doesn't generate the config dump..
18:36 <@krzee> oh i wonder if they ripped that out
18:36 <@krzee> openvpn --version
18:37 < pekster> Embedded is build with enable_small=true
18:37 <@krzee> "they" being whoever compiled it for your openwrt
18:37 < pekster> fyi
18:37 <@krzee> ahh that removes the config dump i take it
18:37 < exa> at least it's not my fault..
18:38 < pekster> The irony here is that openwrt doesn't want to support openvpn themselves, but makes it hard to get support from upstream
18:38 <@krzee> exa, how did you make the ta.key?
18:39 < exa> krzee: openvpn --genkey --secret ta.key
18:39 <@krzee> hmm
18:40 < pekster> krzee: Yup, hidden for "small" builds: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c#L899
18:40 <@vpnHelper> Title: openvpn/src/openvpn/options.c at master · OpenVPN/openvpn · GitHub (at github.com)
18:40 <@krzee> same md5 and key direction 0 on one side, 1 on the other? should work
18:40 <@krzee> comp-lzo is set to none on both sides, so thats not it
18:41 < pekster> Looking at the code, I'm not sure anything is really saved by not showing the config output :\
18:42 < pekster> SHOW_PARM() is hardly a size problem, and msg() exists already. I dunno
18:42 <@krzee> Fri Jan 24 01:17:46 2014 us=46617   lzo = 1
18:42 <@krzee> im not convinced you put comp-lzo no in your client config
18:42 < exa> reposting it ;)
18:42 <@krzee> Fri Jan 24 01:17:46 2014 us=116704 LZO compression initialized
18:42 < exa> http://pastebin.com/9sia4ZXG
18:43 <@krzee> Fri Jan 24 01:17:46 2014 us=116704 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
18:43 <@krzee> your client is using comp-lzo.
18:43 <@krzee> your CLIENT
18:44 < exa> "comp-lzo no" server- AND client-side
18:47 < exa> so? :(
18:47 <@krzee> it was not set in the last log you posted
18:47 <@krzee> thats all i know
18:47 <@krzee> maybe you're running the wrong config
18:48 <@krzee> feel free to post another log when its fixed
18:48 < exa> i'm pretty sure i had it disabled
18:48 < pekster> krzee: lzo = 1 is "no". "yes" is 3
18:48 <@krzee> i GUARUNTEE you did not
18:48 <@krzee> Fri Jan 24 01:17:46 2014 us=116704 LZO compression initialized
18:48 <@krzee> Fri Jan 24 01:17:46 2014 us=116704 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
18:50 < pekster> krzee: Again, normal. http://fpaste.org/71188/05246331/
18:50 <@krzee> pekster, you saying it gives those ^ when its set to be off?
18:51 < pekster> it's not a 0/1 flag. It's more complex
18:51 <@krzee> wow, does "LZO compression initialized" make any context when it is forcefully disabled and also disabled in the server?
18:52 <@krzee> asking your opinion before i file that in trac as a bug
18:52 < pekster> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/comp.h#L39
18:52 <@vpnHelper> Title: openvpn/src/openvpn/comp.h at master · OpenVPN/openvpn · GitHub (at github.com)
18:52 < pekster> It means it was built as a compile time option
18:52 < pekster> So, yes, kind of
18:53 <@krzee> "LZO compression initialized" when running does not sound like its simply saying it was built with the option, which is disabled
18:53 <@krzee> it sounds like its saying it is initialized
18:53 < pekster> You should grep for it and find out ;)
18:54 < pekster> Nope, lzo = 1 tells you it's off
18:54 <@krzee> regardless of intention, i think it is wrong to say it is initialized when it is disabled
18:54 < pekster> #define COMP_ALG_STUB   1 /* support compression command byte and framing without actual compression */
18:54 < pekster> ie: allow server to override, but turn the actual compression off
18:54 < pekster> The server-can-override-client is critical to how the options get pushed
18:54 < pekster> (hence the bitmask I linked you to)
18:54 <@krzee> i get that
18:55 < pekster> THe options output is just dumb; it's showing what the value in the options struct has
18:55 <@krzee> but its not happening here, the server has no as well
18:55 <@krzee> and really its still never being initialized
18:55 <@krzee> im gunna file a ticket and see if the other guys think it makes sense to call it initialized when not used
18:57 < pekster> Well, you can follow along with the code if you'd like
18:58 < pekster> Grep for "LZO compression init" (curent sources changed the phrasing a bit to initializing, not -ized) and you can start in lzo.c
18:58 <@krzee> im not asking a question about code
18:58 <@krzee> nor intent of code
18:58 <@krzee> im talking about what MAKES SENSE
18:58 <@krzee> if its just about build, leave it in --version
19:00 <@krzee> https://community.openvpn.net/openvpn/ticket/367#ticket
19:00 <@vpnHelper> Title: #367 (LZO compression initialized message displays based on built, not config) – OpenVPN Community (at community.openvpn.net)
19:01 < pekster> In theory it's useful to have that output if the ASSERT() that follows fails
19:01 < pekster> Otherwise you just get a really un-helpful "Assertation failed at lzo.c:106" message
19:01 < pekster> Having the LZO compression initializing first at least gives you a hint _why_ an assertion failed
19:01 <@krzee> on every verb?
19:02 < pekster> msg (D_INIT_MEDIUM, "LZO compression initializing");
19:02 < pekster> So no, not every verb
19:02 < pekster> D_INIT_MEDIUM or higher
19:02 <@krzee> ya like 3 or 4, seems more like a 7+ type of message
19:02 < pekster> 4 or more
19:02 < pekster> So I'd say leave it
19:03 < pekster> If users hate the spam, they should run at <=3 anyway
19:03 < pekster> src/openvpn/errlevel.h:106:#define D_INIT_MEDIUM        LOGLEV(4, 60, 0)        /* show medium frequency init messages */
19:03 <@krzee> its jjust that its misleading as it is
19:03 <@krzee> it says its initializing lzo, but its not
19:03 < pekster> So offer a 1-line patch to make the log text better? "Loading LZO library support" or something?
19:03 < pekster> It _IS_ initializing
19:03 < pekster> if (lzo_init () != LZO_E_OK)
19:03 < pekster> That's how you init the lzo support ;)
19:04 < pekster> It happens _EVEN_ if you don't enable frame compression on the actual packets
19:04 <@krzee> ya, "Loading LZO library support" would be better i think
19:04 < pekster> lzo.c:105
19:04 < pekster> "patches welcome"
19:04 < pekster> Removing it completely isn't helpful, and IMO it already is at a sane verb level for what it does
19:05 -!- u0m3 [~u0m3@92.80.105.67] has quit [Quit: Leaving]
19:05 <@krzee> Changed 2 seconds ago by krzee
19:05 <@krzee>  
19:05 <@krzee>  
19:05 <@krzee>  a possible suggestion if desired to keep the message, "Loading LZO library support" instead so its clear its just a marker in the code execution and not a note that lzo is active
19:05 -!- mirco_ [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Ping timeout: 245 seconds]
19:06 <@krzee> ild expect code flow execution markers (for bughunting) to be above verb 6
19:06 < pekster> >=6 is stpuid without enable_debug=yes
19:06 <@krzee> but either way it would be better with different language as you suggested
19:06 < pekster> And since ASSERT()s will fail at any verb, that's probably a poor idea
19:07 < pekster> I regret that a format patch I had that yells at people trying to use >6 should have tested >5 instead
19:07 < pekster> There isn't really anything helpful at 6, but there "might have been". In any event, that message _is__ useful for non-devs at non-debug builds if the lzo library is actually bad on the running OS
19:08 < pekster> ie: you get an obscure failed assert message that doesn't help. If you turn to verb 4 (or more) you get helpful clues as to why
19:08 < pekster> Encouraging users to use >5 is bad
19:08 <@krzee> oh, so is it commonplace that before an assert you output a marker in verb 4?
19:08 < pekster> Maybe, depends
19:09 <@krzee> either way, i like just changing the language slightly
19:09 < pekster> If it's about to load an external library, that's really helpful
19:09 <@krzee> really easy and much clearer IMO
19:09 < pekster> For things like "this buffer shouldn't have overflowed" a log message would be quite silly
19:09 <@krzee> mbuf errors instead =]
19:09 < pekster> like: ASSERT (buf_safe (&work, zlen));
19:09 < pekster> A log for that would pring crap on every lzo decompression :P
19:10 <@krzee> werd
19:10 <@krzee> so ya, language mod works there
19:16 <@krzee> <krzee> i GUARUNTEE you did not   <--- well, i take THAT back
19:16 <@krzee> hahah
19:17  * debbie10t chuckles
19:17 -!- anew [~anew@unaffiliated/anew] has quit [Read error: Connection reset by peer]
19:20 < exa> thanks
19:31 -!- wallbroken_q [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
19:32 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
19:32 -!- wallbroken [~wallbroke@unaffiliated/wallbroken] has quit [Ping timeout: 252 seconds]
19:32 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
19:41 <@krzee> but unfortunately i do not know what the problem is
19:41 <@krzee> if md5 matches, and i believe you that it does
19:41 -!- __FBi [~B@uwantmy.info] has joined #openvpn
19:42 <@krzee> but also fyi, with your versions of openvpn theres a bug that would leak the HMAC to a third party over time anyways
19:42 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has quit [Ping timeout: 260 seconds]
19:42 <@krzee> (fixed in 2.3)
19:48 -!- julius_ [~julius_@141.41.92.61] has joined #openvpn
19:48 < julius_> hi
19:48 < julius_> need infos about securing a openvpn server that does "redirect-gateway" on the clinents. will this work?  http://www.linuxforums.org/forum/networking/200013-securing-openvpn-server-iptables-forward.html#post943470
19:49 <@krzee> thats a #netfilter question
19:50 <@krzee> (iptables question, not openvpn)
19:50 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has joined #openvpn
20:06 <@ecrist> sup bitches?
20:07 <@ecrist> julius_: that's easy, threaten to shoot anyone that misbehaves, then shoot the person directly in front of you to set the tone.
20:07 <@ecrist> people will behave, server secure
20:07 <@ecrist> every 16 to 19 weeks, shoot one other user, just to keep people on their toes
20:12 -!- mode/#openvpn [+b $a:m10t] by ecrist
20:17 -!- schnitzl [~schnitzl@dslb-188-098-012-067.pools.arcor-ip.net] has quit [Read error: Operation timed out]
20:18 <@ecrist> wow, we have a lengthy ban list 
20:19 < pekster> If I remember, I'll try and whois some of the IPs this weekend (over wine, probably) and remove the dynamic ones that have been there a while
20:19 < pekster> It'll be like a new-aged russian roulette!
20:20 -!- schnitzl [~schnitzl@dslb-088-067-161-156.pools.arcor-ip.net] has joined #openvpn
20:22 < julius_> krzee, thx, just wanted a second opinion
20:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:25 <@krzee> lol @ russian roulette
20:25 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has joined #openvpn
20:26 <@ecrist> pekster: most of them are not dynamic IPs
20:27 <@ecrist> we have some quite specific bans in place that should likely be converted to auto-kickbans in chanserv
20:27 <@ecrist> i.e. probably never will join again, but let's make sure they don't
20:27 <@ecrist> keep +b temporary
20:27 -!- joshh20 is now known as joshh20-Away
20:29 <@ecrist> i'll convert it now
20:30 -ChanServ:#openvpn- ecrist added CoolGurl13!*@* to the AKICK list.
20:30 -!- mode/#openvpn [-vvvv Matir lamokie kenyon stickpin_] by ChanServ
20:30 -!- mode/#openvpn [-vvvv andi KiNgMaR clu5ter P4k3] by ChanServ
20:30 -!- mode/#openvpn [-vvvv Chrisje fred`` Champi dos-freak] by ChanServ
20:30 -!- mode/#openvpn [-vv rkantos_ jeev] by ChanServ
20:30 <@ecrist> da fuk?
20:32 -ChanServ:#openvpn- ecrist disabled the VERBOSE flag
20:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:37 -!- jefferai_gone is now known as fejjerai
20:39 -!- mirco [~mirco@ip-109-91-244-100.unitymediagroup.de] has quit [Ping timeout: 248 seconds]
20:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:44 -!- mode/#openvpn [-b *!root@*] by ChanServ
20:49 <@ecrist> mode -b *
20:49 -!- mode/#openvpn [-b *!*@*] by ecrist
20:49 -!- mode/#openvpn [-bbbb *!*@static.88-198-57-152.clients.your-server.de *!*@209.124.51.200 *!massivedi@* *!*@176.67.84.12] by ChanServ
20:49 -!- mode/#openvpn [-bbbb *!*@31-151-115-29.dynamic.upc.nl *!*@gateway/web/freenode/* *!*@unaffiliated/ivenkys *!*Zimsky@rozznet.net] by ChanServ
20:49 -!- mode/#openvpn [-bbbb *!09dkqaz32@2001:470:d:1eb:* *!*tortib@*.ph.ph.cox.net *!*@173-164-48-24*-colorado.hfc.comcastbusiness.net *rommel*!*@*] by ChanServ
20:49 -!- mode/#openvpn [-bbbb *!*brads@*.members.linode.com *!*Rhomber@*.static.tpgi.com.au *!*lol2@*.ip179.fastwebnet.it *!*mis7er@*.ock.in] by ChanServ
20:49 -!- mode/#openvpn [-bbbb *!*@fedcirc.net *!*@dumbhead.net *!*d@64.111.123.163 pants!*@*] by ChanServ
20:49 -!- mode/#openvpn [-bbbb *!*kieron-la@2.29.141.* *!*@office.exabyte.be *!*@Hairypotte@90.200.193.145 *!*@unaffiliated/l0uis] by ChanServ
20:49 -!- mode/#openvpn [-bbbb *!*@151.72.29.* $a:vaillor *!*Liber@liber.in CoolGurl13!*@*] by ChanServ
20:49 -!- mode/#openvpn [-bb $a:vitilitigate $a:m10t] by ChanServ
20:50 -!- mode/#openvpn [+bbb $a:vitilitigate $a:m10t $a:vaillor] by ecrist
20:50 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
20:51 -!- hahahahaha [ada5ea75@gateway/web/freenode/ip.173.165.234.117] has joined #openvpn
20:51 -!- mode/#openvpn [+b *!*@gateway/web/freenode/*] by ChanServ
20:51 -!- hahahahaha was kicked from #openvpn by ChanServ [Banned: No web users.  You're dirty.]
20:52 -!- lj [~l@99.155.24.89] has joined #openvpn
20:52 <@ecrist> ok, so chanserv doesn't support extban syntax, so those bans will stay in the channel ban list.  everything else has been moved
20:53 <@ecrist> going forward, future bans should go to akick in chanserv
20:53 <@ecrist>  /msg chanserv help akick for syntax
20:54 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:56 -ChanServ:#openvpn- ecrist enabled the VERBOSE flag
20:57 -!- lj [~l@99.155.24.89] has quit [Ping timeout: 260 seconds]
20:58 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
21:04 <+rob0> Buhweet say Oh-TAY.
21:05 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has quit [Quit: tfox]
21:07 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
21:08 <@ecrist> ?
21:09 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has joined #openvpn
21:09 <+rob0> <-- dated humor
21:20 <@ecrist> was he cute?
21:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:25 <+rob0> Billie "Buckwheat" Thomas was adorable as a kid. He died in 1980, only 49, poor guy.
21:27 <+rob0> Actually Eddie Murphy made the "Buhweet say Oh-TAY" a trademark, on SNL.
21:28 <@krzee> !netman
21:28 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
21:29 -!- dandy [~dandy@2a01:360:106::2] has quit [Quit: ZNC - http://znc.in]
21:38 < joevandyk> !serverlan
21:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:38 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
21:39 < joevandyk> !ipforward
21:39 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
21:40 < joevandyk> !route
21:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
21:40 <@vpnHelper> client
21:40 < joevandyk> krzee: thanks for your help earlier today.
21:41 <@krzee> you're welcome
21:41 <@krzee> more issues?
21:41 <@krzee> or just reading up for fun?
21:42 < joevandyk> just learning, i'll probably need to do more of this type of stuff.
21:42 <@krzee> nice
21:42 < joevandyk> !tcpip
21:42 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
21:42 -!- Gnonim0 [~joe@us1x.mullvad.net] has quit [Read error: Connection reset by peer]
21:42 <@krzee> !route is a really good one for understanding lans behind openvpn
21:42 <@krzee> you were the EC2 setup, right?
21:43 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has quit [Quit: tfox]
21:44 -!- Gnonim0 [~joe@us1x.mullvad.net] has joined #openvpn
21:45 < joevandyk> krzee: yes
21:46 < pekster> rob0: I remember watching that skit
21:46 <@krzee> joevandyk, im not sure why it seemed that forwarding wasnt working without NAT, but i feel it was EC2's fault
21:46 < pekster> There was the one where he was doing lines from well-known songs that was fantastic
21:46 <@krzee> when you run non ec2 servers it is easier to do "right"
21:46 <@krzee> the nathack we used is a last resort
21:47 <@krzee> thats why the flowchart has a :( next to it =]
21:47 < joevandyk> huh. for what it's worth, iptables-save didn't return any data on a vanilla ubuntu 12.04 vm on my local machine
21:47 <@krzee> ya i did not realize ubuntu outputs nothing an empty ruleset with iptables-save
21:47 < pekster> rob0: https://www.youtube.com/watch?v=CxXhH1zIXcQ
21:47 <@vpnHelper> Title: Eddie Murphy - Una PanoonahBanka Bubblerock - HD - YouTube (at www.youtube.com)
21:47 <@krzee> (until i tried it on my own ubuntu vm as well)
21:47 -!- evoked [~ev0k3d@101.164.101.194] has quit [Ping timeout: 252 seconds]
21:48 < pekster> "Wookin' Pa Nub"
21:49 < pekster> "Fee Tinnes a MayDay"
21:52 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
21:54 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
21:55 < pekster> krzee: You'll get no output at all (even as root) if you have no netfilter tables loaded; that's a netfilter thing, not an Ubuntu thing
21:57 -!- Carbon_Monoxide [~cmonxide@14.0.207.205] has joined #openvpn
21:57 <@krzee> interesting, i guess i have never actually had an empty ruleset until i tried on that VM today
21:59 < pekster> Not just empty, but no modules loaded
21:59 < pekster> It's the same reason using the -L flag is so dumb: it _loads_ unloaded tables
22:00 < pekster> Try it yourself with this: `for table in filter mangle raw nat security; do iptables -L $table; done` and check iptables-save again -- extra modules you have but weren't loaded will be loaded
22:00 <+rob0> pekster, lol, that was hilarious
22:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 246 seconds]
22:05 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
22:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:07 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 252 seconds]
22:07 -!- michaelhart_ is now known as michaelhart
22:25 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:34 -!- kalloc [~kalloc@109.188.127.165] has joined #openvpn
22:34 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 272 seconds]
22:34 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
22:34 -!- Gnonim0 [~joe@us1x.mullvad.net] has quit [Read error: Connection reset by peer]
22:35 -!- Gnonim0 [~joe@us1x.mullvad.net] has joined #openvpn
22:58 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
23:10 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has joined #openvpn
23:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer]
23:17 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
--- Day changed Fri Jan 24 2014
00:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:08 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
00:09 -!- kalloc [~kalloc@109.188.127.165] has quit [Remote host closed the connection]
00:09 -!- kalloc [~kalloc@109.188.127.165] has joined #openvpn
00:14 -!- kalloc [~kalloc@109.188.127.165] has quit [Ping timeout: 252 seconds]
00:27 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has quit [Quit: XDCC Browser 4.52 .... www.XDCCBrowser.com]
00:28 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has joined #openvpn
00:42 -!- fenris_kcf1 [~fenris@p4FFE4E76.dip0.t-ipconnect.de] has joined #openvpn
00:43 -!- fenris_kcf [~fenris@p4FFE4854.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:44 -!- Carbon_Monoxide [~cmonxide@14.0.207.205] has left #openvpn ["Leaving"]
00:53 -!- mattock_afk is now known as mattock
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 264 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:29 -!- GrecKo [~GrecKo@grecko.fr] has quit [Read error: Operation timed out]
01:29 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
01:30 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:30 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:31 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
01:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:33 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
01:33 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
01:33 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
01:33 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
01:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:36 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
01:57 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
02:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 240 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:14 -!- fenris_kcf1 is now known as fenris_kcf
02:14 -!- evoked [~ev0k3d@c27-253-126-127.blktn7.nsw.optusnet.com.au] has quit [Ping timeout: 272 seconds]
02:39 -!- wallbroken_q [~wallbroke@unaffiliated/wallbroken] has left #openvpn []
02:45 -!- Iain_ [~Iain@host31-49-27-80.range31-49.btcentralplus.com] has quit [Ping timeout: 272 seconds]
02:47 -!- Iain_ [~Iain@host81-147-78-70.range81-147.btcentralplus.com] has joined #openvpn
03:00 < defswork> State Reconnecting.... TLS Error
03:05 -!- Iain_ [~Iain@host81-147-78-70.range81-147.btcentralplus.com] has quit [Ping timeout: 253 seconds]
03:07 -!- Iain_ [~Iain@host81-147-78-70.range81-147.btcentralplus.com] has joined #openvpn
03:17 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
03:29 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
03:29 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
03:55 -!- doonie [~doonie@unaffiliated/doonie] has joined #openvpn
03:56 -!- ACKNAK [~poni@79.133.97.154] has quit [Ping timeout: 245 seconds]
04:01 < doonie> Shouldn't the vpn server be able to telnet to a client if the port on the client is open? Do I have to enable anything for this to be enabled? Or is this an iptables task? I have enabled client-to-client which works fine, my next mission is for the server to be able to reach the ports as well
04:13 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
04:14 -!- dazo_afk is now known as dazo
04:19 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
04:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
04:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:55 -!- akselii [~akselii@tsydeemi.eu] has quit [Ping timeout: 245 seconds]
04:55 -!- sitaktif [~sitaktif@kollok.org] has quit [Ping timeout: 245 seconds]
04:55 -!- akselii [~akselii@tsydeemi.eu] has joined #openvpn
04:57 -!- sitaktif [~sitaktif@kollok.org] has joined #openvpn
04:58 < doonie> ok now I can access the client from server as well, next thing is to get a forward working from external ip, port:12000 to forward to client port 22
05:01 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
05:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 240 seconds]
05:06 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
05:10 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
05:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:32 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 272 seconds]
05:33 < blarghlarghl> anyone home? i'm wondering, is there a way to not configure a static route on my router for openvpn to work behind a nat router, and instead configure the routes on the openvpn server somehow?
05:34 -!- kossy [a@kossy.org] has joined #openvpn
05:37 -!- fenris_kcf [~fenris@p4FFE4E76.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
05:37 -!- fenris_kcf [~fenris@p579E6E57.dip0.t-ipconnect.de] has joined #openvpn
06:05 -!- novaflash is now known as novaflash_away
06:09 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
06:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
06:32 -!- doonie [~doonie@unaffiliated/doonie] has quit [Quit: Leaving.]
06:34 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
06:34 -!- kossy [a@kossy.org] has quit [Excess Flood]
06:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:34 -!- kossy [a@kossy.org] has joined #openvpn
06:42 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
06:44 -!- Fohlen [~Fohlen@134.255.220.119] has joined #openvpn
06:45 < Fohlen> what does "ovpn-server: RESOLVE: Cannot parse IP address:" mean or is caused by?
06:45 < Fohlen> I'm pretty sure I've not misspelled the ip adress
06:46 < ACKNAK> or your DNS server is broken xD
06:46 < ACKNAK> have you tried to at least ping that address?
06:48 < Fohlen> well it's my own server and it has physical access to bind the ip adress
06:48 < Fohlen> so I pressume no, absolutly
06:48 < Fohlen> :D
06:51 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
06:54 < Fohlen> oh I got it
06:54 < Fohlen> nvm, my fault
06:54 < ACKNAK> what was there? :)
06:58 -!- janjust [~janjust@tevere.nikhef.nl] has joined #openvpn
06:58 -!- janjust [~janjust@tevere.nikhef.nl] has quit [Changing host]
06:58 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
07:01 -!- surfmasta [~surfmasta@80.92.88.10] has quit [Read error: Operation timed out]
07:03 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
07:05 -!- janjust [~janjust@tevere.nikhef.nl] has joined #openvpn
07:05 -!- janjust [~janjust@tevere.nikhef.nl] has quit [Changing host]
07:05 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
07:06 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Client Quit]
07:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:30 -!- donvito [~nertil@unaffiliated/donvito] has joined #openvpn
07:34 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:37 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
07:40 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
07:40 -!- Cygor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:40 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
07:41 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
07:42 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 246 seconds]
07:42 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 246 seconds]
07:42 -!- [oc80z] [~oc80z@blea.ch] has joined #openvpn
07:43 -!- nobit [nobit@unaffiliated/muska] has quit [Ping timeout: 246 seconds]
07:43 -!- nlopez_ [~quassel@198.211.102.196] has quit [Ping timeout: 246 seconds]
07:43 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 246 seconds]
07:43 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 252 seconds]
07:43 -!- oc80z [~oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
07:43 -!- [oc80z] is now known as oc80z
07:43 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 246 seconds]
07:43 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Ping timeout: 245 seconds]
07:44 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 245 seconds]
07:44 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has quit [Ping timeout: 260 seconds]
07:44 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 252 seconds]
07:44 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
07:45 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 245 seconds]
07:45 -!- rkantos_ [robin@4e.fi] has quit [Ping timeout: 245 seconds]
07:45 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
07:45 -!- __H__ [~root@vm1.pappkopp.com] has joined #openvpn
07:45 -!- emid [~emid@192.241.162.156] has joined #openvpn
07:45 -!- rkantos [robin@4e.fi] has joined #openvpn
07:45 < __H__> anyone know how to only use certificate and tls-auth on an OpenVPN client?
07:45 -!- thalweg [~quassel@198.211.102.196] has joined #openvpn
07:45 < __H__> in pfsense
07:45 -!- mrrg [~notabot@delicious.sykosys.jp] has quit [Ping timeout: 246 seconds]
07:46 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
07:46 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
07:46 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has joined #openvpn
07:46 -!- aji [~alex@atheme/member/aji] has joined #openvpn
07:48 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 246 seconds]
07:48 -!- nobit [nobit@unaffiliated/muska] has joined #openvpn
07:49 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
07:50 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
07:50 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
07:53 < Fohlen> somehow my openvpn server only works partly ... I can get it to send traffic, get dns and so on like normally, but it does not receive from internet, even though I use nat/POSTROUTING
07:55 < Fohlen> using ping it resolves the host just fine, but receive 0 bytes
07:55 < Fohlen> like it's not even destination host unreachable, it just doesnt work
07:55 < Fohlen> what could cause that?
07:59 < __H__> anyone know how to only use certificate and tls-auth on an OpenVPN client?
07:59 < __H__> in pfsense
08:02 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
08:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 240 seconds]
08:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:41 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
08:42 < manitu> hi ho
08:42 < manitu> i have multiple public ips and i wrote "local 0.0.0.0"
08:43 < manitu> Incoming packet rejected from [AF_INET]ip1:port[2], expected peer address: [AF_INET]ip2:port << that i get now.. i try to connect to ip2
08:44 < manitu> do it have to be like that, or can openvpn also answer from ip2?
08:54 <@plaisthos> manitu: udp?
08:54 <@plaisthos> try multihome
08:55 -!- Fohlen [~Fohlen@134.255.220.119] has left #openvpn []
08:59 -!- master_of_master [~master_of@p4FF2434E.dip0.t-ipconnect.de] has joined #openvpn
09:01 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
09:03 -!- master_o1_master [~master_of@p4FF240B1.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
09:03 < fenris_kcf> hy. i'm successfully running a tun-openvpn. but since i want to use the vpn for gaming i would like to adjust it to handle broadcasts and such. beside switching to tap what do i have to do for that?
09:04 < fenris_kcf> (games where one can manually enter the IP work like charm)
09:05 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
09:08 -!- lj1 [~l@192.241.174.169] has joined #openvpn
09:13 -!- ACKNAK [~poni@79.133.97.154] has quit [Ping timeout: 264 seconds]
09:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
09:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:32 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:32 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
09:32 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
09:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
09:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
09:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:43 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
09:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:49 -!- DRice7 [~eat@cpe-066-057-089-031.nc.res.rr.com] has quit [Quit: XDCC Browser 4.52 .... www.XDCCBrowser.com]
09:51 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:51 -!- lj [~l@192.241.174.169] has joined #openvpn
09:51 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit []
09:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
09:52 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
09:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 248 seconds]
09:54 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has joined #openvpn
09:54 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
09:58 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:59 -!- lj [~l@192.241.174.169] has joined #openvpn
10:00 <@krzee> exa, see --server in the manual
10:01 <@krzee> you dont have to use --server, if you want to set a different sized pool or whatever, you would use the commands that --server expands to and mod them as you wish
10:01 <@krzee> but dont miss any commands!
10:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:07 < exa> is a transition from tap -> tun really worth the hassle in my case? most guides on openwrt.org use tap
10:07 <@krzee> those guides also use UCI, howd that go for ya? ;]
10:07 <@krzee> yes it is, but theres no reason to build your own --server, you can just use --server
10:08 <@krzee> and topology subnet
10:08 < exa> valid point, but what advantages do i have from switching to tun?
10:09 <@krzee> less overhead, not vuln to layer2 attacks over the vpn, can grow bigger, that warm fuzzy feeling of knowing you did it right
10:09 <@krzee> !tunortap
10:09 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
10:09 <@vpnHelper> rooted/jailbroken) support only tun
10:09 <@krzee> oh right, and can use android/ios devices
10:09 < exa> performance improvements?
10:10 <@krzee> yes, every single packet will be a little smaller
10:11  * exa *sigh*
10:11 < exa> agreed..
10:11 <@krzee> oh and its easier
10:11 <@krzee> (to configure correctly)
10:12 <@krzee> no mucking around with brctl and whatnot
10:14 < exa> besides proto and server_bridge, what else has to be changed? http://pastebin.com/zKZNGHvQ
10:14 < exa> * dev, not proto
10:16 <@krzee> i refuse to look at that UCI config
10:16 <@krzee> at least for understanding
10:16 <@krzee> thats not an openvpn config
10:16 <@krzee> pekster told you yesterday how you can use a normal openvpn config
10:16 <@krzee> by using the config option --config from within UCI to reference a normal openvpn config
10:17 <@krzee> i didnt know it would fix your hmac problem, but i would never have had the hmac problem because i would always use a normal openvpn config file
10:19 <@krzee>  <pekster> krzee: Oh, I was mistaken (must have been some other distro that did that.) openwrt is just as bad as ever, but users are able to pass `option config /etc/openvpn/whatever.conf` as the only UCI option and do it properly
10:20 <@krzee> thats how you can use a normal openvpn config
10:20 < exa> will do
10:20 <@krzee> (while still using UCI)
10:25 -!- tfox [~tfox@c-50-181-202-179.hsd1.wa.comcast.net] has quit [Ping timeout: 264 seconds]
10:38 < exa> works perfectly
10:38 <@krzee> =]
10:38 < exa> UCI is the best tool ever
10:39  * krzee smells sarcasm
10:39 <@krzee> haha
10:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Remote host closed the connection]
10:41 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
10:41 < exa> here's my server config http://pastebin.com/kACBGBYJ
10:41 < exa> but thanks to UCI, nothings works
10:42 <@krzee> remove line 17
10:42 <@krzee> the ipp.txt
10:42 <@krzee> prolly doesnt do what you think
10:42 <@krzee> !ipp
10:42 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
10:42 <@krzee> even if you want it, rm the file when you change to tun
10:43 <@krzee> tls-auth isnt tls_auth
10:43 <@krzee> im sure any other weird things leftover from UCI will be pointed out by openvpn when it starts
10:43 -!- lj [~l@192.241.174.169] has joined #openvpn
10:43 <@krzee> start it in the foreground and see errors
10:43 < exa> the point is, it doesn't even start
10:43 <@krzee> ya, cause you have an invalid config
10:43 <@krzee> at least tls_auth for sure makes it invalid
10:44 <@krzee> when you start openvpn it'll tell you whats wrong
10:44 < exa> http://pastebin.com/eQg9Ghb7
10:44 < exa> should be correct, right?
10:44 <@krzee> the openvpn config itself
10:44 <@krzee> the conf file
10:44 < exa> the UCI config
10:44 <@krzee> NO THE OPENVPN CONFIG!
10:44 -!- Devastatr [~devas@177.99.154.125] has joined #openvpn
10:45 -!- Devastatr [~devas@177.99.154.125] has quit [Changing host]
10:45 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
10:45 < exa> first of all, i wanted to know whether at least my UCI config is correct or not
10:45 <@krzee> i dunno, but your openvpn config IS NOT
10:45 < exa> i got that
10:45 <@krzee> k, well fix that
10:46 <@krzee> get it working with openvpn </path/to/config>
10:46 <@krzee> see errors in the foreground
10:46 <@krzee> THEN when it works get UCI starting it
10:46 < exa> k
10:47 <@krzee> because in the end if only uci is broke you'll be in #openwrt with people who understand whats wrong, but for now you're in #openvpn so lets get that working first
10:47 <@krzee> =]
10:47 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
10:48 < exa> well, it works
10:48 <@krzee> umm it shouldnt
10:48 <@krzee> tls_auth isnt a valid config option
10:48 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
10:48 < exa> after changing it
10:48 < exa> of course
10:48 <@krzee> and server_bridge?
10:48 < exa> was wrong too, like persist-key
10:49 <@krzee> =]
10:49 < exa> * persist_key
10:49 < exa> i fixed that automagically :)
10:49 <@krzee> :D
10:49 <@krzee> so, rm the ipp.txt
10:49 < exa> done
10:49 <@krzee> server 10.8.0.0 255.255.255.0 instead of server-bridge
10:49 <@krzee> and dev tun
10:50 <@krzee> can remove tls-server, as its already part of --server
10:50 -!- Devastatr is now known as Devastator
10:50 <@krzee> same with mode server
10:50 <@krzee> good job using full paths, everything should be good
10:50 < exa> okay
10:50 <@krzee> dev tun on the client
10:51 <@krzee> then, what was the goal again?
10:51 <@krzee> is there a lan behind server or client that the other side needs access to?
10:51 < exa> only the LAN my router manages
10:51 <@krzee> cool
10:52 <@krzee> crazy easy because its on the router
10:52 <@krzee> just push a route from the server config for the servers lan subnet
10:52 <@krzee> so like push "route 192.168.0.0 255.255.255.0"
10:52 <@krzee> i think in your case thats 192.168.1.0 255.255.255.0 but ya
10:53 < exa> and what's the meaning of 10.8.0.0 then? :3
10:53 <@krzee> vpn subnet
10:53 <@krzee> add this to your server config:
10:53 <@krzee> topology subnet
10:54 <@krzee> o shit you already redirect gateway, you dont even need the push route for then lan
10:54 <@krzee> you should just for your own benefit in case you remove redirect-gateway some day
10:55 < exa> what does redirect-gateway actually do? i just included it because it was used in the tutorial...oh gosh
10:55 <@krzee> also, if you have a client already on the very common subnet 192.168.1.x then he will have problems reaching your lan
10:55 <@krzee> you may wanna make your lan subnet less common for that reason
10:55 <@krzee> !man
10:55 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:55 <@krzee> see --redirect-gateway in there
10:57 < exa> well, okay
10:57 <@krzee> !redirect
10:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:58 < exa> seems like i want to keep redirect-gateway
11:01 -!- lj [~l@192.241.174.169] has joined #openvpn
11:01 <@krzee> k, then you need to:
11:01 <@krzee> !linnat
11:01 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
11:02 <@krzee> iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   (assuming internet interface was eth0, which it wont be in openwrt i dont think)
11:02 < exa> secondary issue: will clients get an IP like 192.168.1.x or 10.8.0.x?
11:03 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
11:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:05 <@krzee> if you used topology subnet. they will get 10.8.0.2 .3 .4 .5 etc
11:06 <@krzee> if you didnt, they will be 10.8.0.6   .10  .14  .18
11:07 < exa> would it be weird/dangerous/incorrect to put them in 192.168.1.[200-209] similar to the approach with server-bridge?
11:09 <@krzee> it would be what we're in the process of fixing
11:09 <@krzee> theres no advantage for you to do it that way
11:09 <@krzee> you just need proper routing
11:09 < exa> alright then, sorry :P
11:10 <@krzee> nah i get that it seems right when you're kinda new to networking
11:13 < exa> thanks for that ;)
11:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:14 < exa> what about these rules here? http://wiki.openwrt.org/doku.php?id=oldwiki:vpn.server.openvpn.tun#firewall
11:15 -!- donvito [~nertil@unaffiliated/donvito] has quit [Write error: Connection reset by peer]
11:19 <@krzee> so basically, the tun+ -j ACCEPT rules?
11:19 <@krzee> ya those are good, i would make them -I instead of -A but ya
11:21 < exa> what's the difference? iptables is a monster :D
11:23 <@krzee> see iptables manual
11:23 <@krzee> headed to california, good luck man
11:23 <@krzee> i think i told you everything
11:24 < exa> okay, thanks a lot :)
11:33 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
11:35 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
11:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:46 < fenris_kcf> hy. i'm successfully running a tun-openvpn. but since i want to use the vpn for gaming i would like to adjust it to handle broadcasts and such (games where one can manually enter the IP work like charm). beside switching to tap what do i have to do for that?
11:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:48 -!- Guest17574 [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
11:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:50 -!- Guest17574 [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Client Quit]
11:50 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
11:51 < julianoliver> hi. i am trying to use an IPv6 address in the 'remote' entry of my GNU/Linux client's openvpn.conf and OpenVPN complains that the remote host address cannot be found. is there something I'm missing?
11:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
11:56 < julianoliver> the client can ping6 the server just fine and is otherwise network transparent to the client on a fully functional IPv6 network.
11:57 < julianoliver> using the server's hostname in the 'remote' field of the client conf also fails, with the same reason given,.
12:03 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
12:08 < Eugene> julianoliver - 'proto udp6'
12:08 < Eugene> (no, it's not in the man page. Sigh)
12:10 < julianoliver> Eugene: hehe many thanks ;)
12:10  * julianoliver stops scratching his head raw
12:10 -!- dandy [~dandy@2a01:360:106::2] has joined #openvpn
12:10 < Eugene> I expect that --proto udp will become smarter with 2.4, but I'm not actually in on the -dev channel
12:11 < Eugene> If it doesn't I'll just throttle somebody
12:11 < julianoliver> rofl
12:12 < Eugene> Note that your server needs it do
12:12 < Eugene> s/do/too
12:13  * Eugene brain not turn on
12:16 < julianoliver> yes, i'd guessed so. and it works very well. many thanks again!
12:24 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:25 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
12:47 -!- toli [~toli@ip-62-235-237-38.dsl.scarlet.be] has joined #openvpn
12:47 < toli> hello, I have a small issue with routing a subnet with openvpn
12:48 < toli> here is a small diagram I made http://postimg.org/image/lq6utimjz/
12:48 <@vpnHelper> Title: View image: VPN (at postimg.org)
12:49 < toli> able to ping my vpn, with client1 and able to ping client2, but not the home network subnet
12:51 < toli> this is my server.conf
12:51 < toli> http://pastebin.com/bUPe7J3F
12:51 -!- Gelos [sid17176@gateway/web/irccloud.com/x-xckierlaguffeurm] has left #openvpn []
12:52 < toli> and this is what I put in the ccd client1: push "route 192.168.2.0 255.255.255.0"
12:52 < toli> any clue ?
12:59 -!- kossy [a@kossy.org] has quit [Changing host]
12:59 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
13:00 -!- dandy [~dandy@2a01:360:106::2] has quit [Quit: ZNC - http://znc.in]
13:07 < toli> !clientlan
13:07 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
13:07 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:18 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
13:23 -!- toli [~toli@ip-62-235-237-38.dsl.scarlet.be] has quit [Ping timeout: 245 seconds]
13:29 -!- toli [~toli@ip-62-235-237-38.dsl.scarlet.be] has joined #openvpn
13:29 < toli> !ccd
13:29 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
13:32 < toli> !iroute
13:32 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
13:36 -!- dazo is now known as dazo_afk
13:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:41 < toli> ok, so I had to add iroute to the router client, and I am now able to ping the router from vpn clients, but not the internal pc's
13:44 < toli> the routing in my lan seems to be ok too, as I can ping the vpn server and its clients
13:47 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
13:55 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-74.range86-133.btcentralplus.com] has joined #openvpn
14:06 -!- toli [~toli@ip-62-235-237-38.dsl.scarlet.be] has quit [Read error: Connection reset by peer]
14:09 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-74.range86-133.btcentralplus.com] has quit [Quit: Leaving]
14:09 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
14:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:24 -!- toli [~toli@ip-62-235-237-38.dsl.scarlet.be] has joined #openvpn
14:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
14:26 -!- toli [~toli@ip-62-235-237-38.dsl.scarlet.be] has quit [Read error: Connection reset by peer]
14:29 -!- lj1 [~l@192.241.174.169] has joined #openvpn
14:29 -!- Aelius [~link@unaffiliated/aelius] has quit []
14:31 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:35 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
14:42 -!- mattock is now known as mattock_afk
15:06 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:19 -!- punkunity [~punkunity@162.222.216.18] has joined #openvpn
15:19 < punkunity> hello community
15:23 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 252 seconds]
15:24 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
15:27 -!- obesd [~obsed@ppp121-45-219-214.lns20.cbr1.internode.on.net] has joined #openvpn
15:37 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has joined #openvpn
15:40 -!- debbie10t [~ma1com10t@host-92-20-78-128.as13285.net] has left #openvpn []
15:43 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:49 -!- punkunity [~punkunity@162.222.216.18] has quit [Quit: Leaving]
15:54 -!- schnitzl [~schnitzl@dslb-088-067-161-156.pools.arcor-ip.net] has quit [Ping timeout: 265 seconds]
15:56 -!- schnitzl [~schnitzl@dslb-178-010-091-156.pools.arcor-ip.net] has joined #openvpn
16:01 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
16:09 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Remote host closed the connection]
16:09 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
16:14 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 245 seconds]
17:07 -!- thalweg [~quassel@198.211.102.196] has quit [Ping timeout: 245 seconds]
17:07 -!- nlopez_ [~quassel@198.211.102.196] has joined #openvpn
17:07 -!- azi [~azi@unaffiliated/aquana] has quit [Quit: Lost terminal]
17:11 -!- portage [~synamics@unaffiliated/synamics] has joined #openvpn
17:13 < portage> Hi, how can I make openvpn to use a proxy SOCKS5? No need to encrypt, I just want to use tun/tap of openvpn
17:13 < portage> ?
17:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:16 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:20 < Eugene> !man
17:20 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:20 < Eugene> !noenc
17:20 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
17:21 < Eugene> See --socks-proxy and --cipher
17:22 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 272 seconds]
17:23 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
17:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
17:31 < portage> already tried
17:31 < portage> but
17:31 < portage> I had an strange error, I'm trying to reproduce
17:32 < portage> look, openvpn --socks-proxy 127.0.0.1 6697 --dev tun
17:32 < portage> Options error: --nobind doesn't make sense unless used with --remote
17:32 < portage> Use --help for more information.
17:33 < portage> if I set remote to 127.0.0.1 I get
17:33 < portage> 2014 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
17:41 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
17:47 -!- portage [~synamics@unaffiliated/synamics] has left #openvpn []
17:53 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Remote host closed the connection]
18:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
19:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
19:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
19:47 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
19:47 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
19:50 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:52 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 245 seconds]
20:01 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
20:11 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
20:12 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
20:23 -!- schnitzl [~schnitzl@dslb-178-010-091-156.pools.arcor-ip.net] has quit [Ping timeout: 272 seconds]
20:24 -!- hiyo [~Puppy@unaffiliated/hiyo] has joined #openvpn
20:24 -!- schnitzl [~schnitzl@dslb-094-217-193-080.pools.arcor-ip.net] has joined #openvpn
20:26 < hiyo> Hello I am trying to setup an OpenVPN server but I need to configure the subnet mask on my server conf file to fit this subnet: 10.5.0.0
20:30 < hiyo> !welcome
20:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
20:30 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:31 < hiyo> !howto
20:31 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:39 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
20:45 < hiyo> !configs
20:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:47 < hiyo> !configs http://pastebin.com/f39wruSZ
20:48 < hiyo> !goal be able to tunnel through my server
20:49 < hiyo> server OS: Debian 7 vpn version: 2.2.1
20:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
20:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
21:09 -!- dimitry7 [~antonello@38.124.174.31] has quit [Quit: Leaving]
21:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 248 seconds]
21:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:13 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
21:13 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
21:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
21:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
21:34 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
21:42 -!- fenris_kcf1 [~fenris@p4FFE4FB8.dip0.t-ipconnect.de] has joined #openvpn
21:43 -!- fenris_kcf [~fenris@p579E6E57.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
22:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
22:20 -!- hiyo [~Puppy@unaffiliated/hiyo] has left #openvpn []
22:38 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
22:44 -!- emid [~emid@192.241.162.156] has quit [Read error: Operation timed out]
22:46 -!- emid [~emid@192.241.162.156] has joined #openvpn
22:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
23:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
23:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:18 -!- Cygor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Client Quit]
--- Day changed Sat Jan 25 2014
00:44 -!- mattock_afk is now known as mattock
00:52 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 241 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:25 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
01:25 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
01:26 -!- Cpt-Oblivious_ [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Client Quit]
02:08 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
02:10 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Remote host closed the connection]
02:11 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 248 seconds]
02:11 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
02:59 -!- fenris_kcf1 is now known as fenris_kcf
03:12 -!- booo [~booo__@p54BD8069.dip0.t-ipconnect.de] has joined #openvpn
03:12 < booo> hi, we have a openvpn instance that creates a lot of context switches and a high load
03:12 < booo> some ideas what the reason could be?
03:13 < booo> i can paste a dstat log if needed
03:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:41 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
03:42 -!- fred`` [fred@earthli.ng] has joined #openvpn
04:11 -!- lj1 [~l@192.241.174.169] has joined #openvpn
04:19 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
05:19 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
05:33 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 260 seconds]
05:35 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
05:35 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
05:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:59 -!- Devastatr [~devas@177.99.155.146] has joined #openvpn
06:00 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 245 seconds]
06:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:38 -!- Devastatr [~devas@177.99.155.146] has quit [Changing host]
06:38 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
06:38 -!- Devastatr is now known as Devastator
06:57 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:12 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
07:14 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds]
07:24 -!- rkantos [robin@4e.fi] has joined #openvpn
07:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 276 seconds]
07:28 -!- rtur [~rtur@212.224.92.143] has joined #openvpn
07:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:29 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
07:30 -!- rkantos [robin@4e.fi] has joined #openvpn
07:32 < rtur> Hi guys. Here is what I want to setup: couple of clients -> myVpnServer which in turn is an openvpn client to an openvpn server. Is it as simple as setting up the server/client on my server or do I need to "push route something" for it to work (not keen to experiment because I am not physically at the server and don't want to lose connection because of some misconfiguration)
07:36 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds]
07:38 -!- rkantos [robin@4e.fi] has joined #openvpn
07:42 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
07:46 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 272 seconds]
07:46 -!- rkantos [robin@4e.fi] has joined #openvpn
07:47 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
07:50 < rtur> How would it be routed with such a setup ? Will myServer try to route answers to client through his server ? Like client->myServer->Server->myServer->Server->client  ? I rather want it to do this : client->myServer->Server->myServer->client.
07:56 < bigbob83> Hello, i'm trying to build openvpn from sources generic sources with mingw; i've got an error when i try to do this: IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 \
07:56 < bigbob83>     CBUILD=x86_64-pc-linux-gnu ./build  .  The error is : "FATAL make openssl". This error not appear when i'm trying to build nativebintary like this:  IMAGEROOT=`pwd`/image-native ./build but the build is stoping after a moment at "entering in the directory xxxxxxxx"...
07:57 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 260 seconds]
07:58 < __H__> bigbob83: no need to ask here, nobody is ansvering anyway
07:58 < __H__> bigbob83: try the forums
07:59 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
07:59 <@plaisthos> bigbob83: iirc there is an howto on the wiki how to build for windows
08:01 < bigbob83> i've followed this howto but i've these errors
08:02 <@plaisthos> __H__: I never seen you here before yet you have strong opion about the people here
08:02 <@plaisthos> bigbob83: sorry, I never build it on/for windows :/
08:02 <@plaisthos> But I know that building openvpn for/on windows isn't for the faint heart
08:04 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:04 < bigbob83> pekster who said me to start with this howto for building a customized openvpn-gui.
08:05 < bigbob83> i just need to customize openvpn-gui icon's.
08:06 < bigbob83> but pekster said me that i have to follow this howto and build the generic sources of openvpn.
08:07 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
08:08 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
08:11 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:12 -!- rkantos [robin@4e.fi] has quit [Remote host closed the connection]
08:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:12 -!- rkantos [robin@4e.fi] has joined #openvpn
08:12 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 265 seconds]
08:15 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
08:19 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 265 seconds]
08:20 -!- rkantos [robin@4e.fi] has joined #openvpn
08:20 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
08:24 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:27 -!- rkantos [robin@4e.fi] has quit [Remote host closed the connection]
08:27 -!- rkantos [~Name@4e.fi] has joined #openvpn
08:34 -!- rkantos [~Name@4e.fi] has quit [Ping timeout: 248 seconds]
08:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
08:36 -!- rkantos [robin@4e.fi] has joined #openvpn
08:36 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:37 -!- obesd [~obsed@ppp121-45-219-214.lns20.cbr1.internode.on.net] has quit [Quit: obesd]
08:51 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
08:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
08:56 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:59 -!- master_o1_master [~master_of@p4FF244E1.dip0.t-ipconnect.de] has joined #openvpn
09:01 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
09:01 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:03 -!- master_of_master [~master_of@p4FF2434E.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
09:05 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
09:06 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:12 -!- donvito [~nertil@unaffiliated/donvito] has joined #openvpn
09:13 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
09:14 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
09:21 -!- kalloc [~kalloc@109.188.125.229] has joined #openvpn
09:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:41 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
09:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
09:48 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:04 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
10:06 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:15 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
10:16 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
10:17 < __H__> plaisthos: i was just informing him, i have been her for e week or two and not many people get an answer here :)
10:18 -!- kalloc [~kalloc@109.188.125.229] has quit [Ping timeout: 248 seconds]
10:23 <@plaisthos> __H__: yeah. It sounded very rude.
10:25 <+rob0> ? We have answered lots of people here.
10:25 <+rob0> I agree, sounds very rude. With that attitude, indeed, just quit here and go to the forums.
10:26 <+rob0> Comments like that do not help. We have a term for it: "trolling".
10:26 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
10:27 <+rob0> Anyway, speaking of questions that won't get answered, I think I've made a policy routing mistake.
10:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
10:29 <+rob0> My company's openvpn (I don't control the server, sadly) redirects gateway, and I don't want to do that, so I used --route-nopull and set routes in an --up script.
10:31 <+rob0> It's Linux on my end, and the company has a non-NAT VPN, so I get a "real" (non-RFC1918) IP address from them.
10:34 <+rob0> I set a route to the VPN server through my normal gateway in the main route table.
10:36 <+rob0> The also in that table I have a route to the company /16 through tun0, via $route_vpn_gateway
10:37 <+rob0> and I have a VPN table with default via $route_vpn_gateway src $ifconfig_local
10:38 <+rob0> Seems like before I added the company/16 route in main, I could get out.
10:39 <+rob0> (oh, I forgot to mention "ip rule from $ifconfig_local lookup VPN")
10:41 <+rob0> Anyway, I want to be able to select the VPN by binding the VPN IP (such as ssh(1) and others' "-b hostname" options can do.)
10:41 <+rob0> I can reach the company resources through the VPN just fine.
10:43 -!- josefig [~josef@187.188.82.71] has joined #openvpn
10:43 -!- josefig [~josef@187.188.82.71] has quit [Changing host]
10:43 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
10:50 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
10:53 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:53 <+rob0> I suspect that the problem might be that my VPN IP and/or the VPN peer is within that /16
10:55 <+rob0> so maybe the better way to do this is with an "ip rule add to company/16 lookup VPN" rather than the route in the main table.
10:55 <+rob0> But that will be harder to maintain automatically; the route will go away automatically when the VPN is down.
10:56 <+rob0> oh, and I'd also need a single host rule for the VPN server, lookup main
11:08 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
11:09 -!- rkantos [robin@4e.fi] has joined #openvpn
11:13 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:15 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 265 seconds]
11:16 -!- rkantos [robin@4e.fi] has joined #openvpn
11:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:20 -!- joshh20-Away is now known as joshh20
11:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
11:35 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Ping timeout: 264 seconds]
11:36 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
11:36 -!- rkantos [robin@4e.fi] has joined #openvpn
11:40 < thumbs> rob0: umm, hold on
11:41 <+rob0> NO I am testing
11:41  * rob0 twiddles thumbs
11:42 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds]
11:44 -!- mode/#openvpn [+o Eugene] by ChanServ
11:44 -!- rkantos [robin@4e.fi] has joined #openvpn
11:46 <+rob0> hmm, the "ip rule to company/16 lookup VPN" is not working, stays in main.
11:46 <+rob0> fwmark won't work either, because that's after the bind() call
11:47 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:50 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 265 seconds]
11:54 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
11:59 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit []
12:00 -!- rkantos [robin@4e.fi] has joined #openvpn
12:01 < pekster> rob0: You're trying to route just select networks across your network? Why not --route-noexec and have your --route-up script add the ones you _do_ want? No policy routing to worry about that way
12:02 < pekster> Unless you need more fine-grained controll than that (like routing non-VPN-traffic to the same IP holding the VPN endpoint)
12:05 <+rob0> well, I want to be able to use the VPN for company/16, yes. But I also want to select use of VPN via the bind() call. Have cake, eat cake.
12:06 <+rob0> and I thought "to" was a valid selector for ip-rule(8), but that's not working at all.
12:07 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 245 seconds]
12:14 -!- rkantos [robin@4e.fi] has joined #openvpn
12:14 -!- joshh20 is now known as joshh20-Away
12:19 < pekster> Sure, a single 'vpn' table that you create/populate on-connect allows you to policy route "other, arbitrary" traffic to it
12:22 < pekster> rob0: Wait, "to" as a selector? That's what you get in the route itself :P
12:22 <+rob0> Any "ip rule" added in the --up or --route-up would remain at openvpn shuutdown, unless I do some sudo ugliness for --down scripting.
12:24 < pekster> Not if you target it via vpn gateway
12:24 < pekster> Those go down when the link does
12:27 <+rob0> I thought rule only selects the table
12:27 < pekster> I'm saying you don't need policy routing at all
12:27 < pekster> If you want to route by destination, that's what vanilla routing tables do already
12:28 < pekster> Consider this sequence I did after connecting to a VPN: http://fpaste.org/71599/90674480/
12:28 <+rob0> yes, but I also want to route by source
12:29 < pekster> Ah, then yea, do a down script of your preference that does something like `ip route flush table vpn` (or use a numbered table if you haven't added a named table to your system)
12:29  * rob0 is a greedy little device node
12:29 < pekster> I guess it'll need to remove the rule too
12:30 -!- donvito [~nertil@unaffiliated/donvito] has quit [Ping timeout: 265 seconds]
12:30 <+rob0> oh duh. Seems my VPN table got flushed somehow
12:31 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:32 <+rob0> I think it will work now
12:36 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
12:42 <+rob0> pekster, yes! And it's easier than we thought. The rules can stay in place forever. The --up script adds the default route for VPN table. That route goes away when the openvpn is down.
12:43 <+rob0> It's harmless to do a lookup in an empty table; the stack knows to go on until it gets an actual nexthop.
12:57 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
13:10 -!- donvito [~nertil@unaffiliated/donvito] has joined #openvpn
13:22 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
13:27 -!- joshh20-Away is now known as joshh20
13:40 < fenris_kcf> hy. i'm successfully running a tun-openvpn. but since i want to use the vpn for gaming i would like to adjust it to handle broadcasts and such (games where one can manually enter the IP work like charm). beside switching to tap what do i have to do for that?
13:41 -!- psycheye [~psycheye@93.49.16.11] has quit [Quit: changing servers]
13:41 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
13:41 < pekster> tap should do it. So long as you don't need to actually bridge the VPN to a physical network, there's no extra complication with DHCP range conflicts, security, setc
13:42 < pekster> Anytime you require link-broadcasts you need tap since tun only sends IP packets, not Ethernet frames
13:47 < fenris_kcf> ok, so changing to "dev tap" in server and client should suffice, pekster?
13:47 -!- kro[au] [~thatguy@kgovps.net] has quit [Read error: Operation timed out]
13:47 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
13:47 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
13:48 < pekster> Depends on the rest of your setup, but possibly
13:48 < pekster> There's no --topology in tap since it's always "subnet" by definition
13:48 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
13:49 <@Eugene> !xy
13:49 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
13:49 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
13:49 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
13:51 -!- mattock is now known as mattock_afk
14:08 < fenris_kcf> pekster: does not seem to work :(
14:09 < fenris_kcf> the connection can still be established
14:09 < fenris_kcf> but broadcasts still don't seem to work
14:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:15 < fenris_kcf> i've read sth. about setting a static route
14:16 < fenris_kcf> is that necessary?
14:16 -!- donvito [~nertil@unaffiliated/donvito] has quit [Ping timeout: 248 seconds]
14:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
14:24 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:25 < pekster> Broadcasts work fine over a tap (provided everthing you want to broadcast between is also on the VPN)
14:26 < pekster> Maybe your software is only using the physical interface, not the tap for the broadcast destination. Try wireshark/tcpdump/tshark.exe
14:28 < fenris_kcf> wireshark shows many broadcasts
14:28 < fenris_kcf> (i think)
14:28 < fenris_kcf> x.x.x.255
14:28 < fenris_kcf> in destination should be a broadcast
14:28 < fenris_kcf> right?
14:28 < fenris_kcf> (my net is x.x.x.0/24)
14:31 < fenris_kcf> hmm, ARP is also showing up
14:31 < fenris_kcf> and it shows "BROADCAST" as destination
14:34 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 252 seconds]
14:35 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
14:35 < pekster> Yes, as I said, broadcasts work over tap. Whether your specific application is sending them is another issue (for you to figure out)
14:36 < pekster> See what ports it usually uses, then try `tshark.exe -i #' where # is a number from `tshark.exe -L`
14:37 < fenris_kcf> you mean i should tell the clients that use windows to fire this command?
14:38 < pekster> You should use whatever your typical tools are to identify if traffic goes the right places
14:38 < pekster> I don't have any care in the world to help you with $some_application
14:38 < pekster> That's _your_ job
14:38 < pekster> openvpn simply delivers Ethernet frames in tap mode. What your OS/application/whatever sends is up to it
14:39 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
14:39 < fenris_kcf> i didn't say anything about a specific application
14:40 < Aketzu> does the game even support multiple network adapters
14:40 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
14:40 < Aketzu> i.e. can it send broadcasts to anything else than first lan
14:40 <@krzee> without a specific application sending broadcasts, there are no broadcasts
14:40 <@krzee> openvpn doesnt send broadcasts
14:40 <@krzee> yes, you would need a bridge for that
14:41 < fenris_kcf> arp uses broadcasts, doesn't it?
14:41 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
14:41 < Aketzu> yes
14:42 < fenris_kcf> ok, it seems it's working properly in some applications
14:42 < fenris_kcf> so as you say: the rest is up to me
14:42 <@krzee> !whybridge
14:42 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
14:42 < Aketzu> applications don't send arp... operating system does that
14:43 < Aketzu> and os knows to which interface send those packets
14:44 < fenris_kcf> ok, thank you very much!
14:56 -!- psycheye [~psycheye@93.49.16.11] has quit [Quit: changing servers]
14:56 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
15:08 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:15 -!- Guest24837 [d@2600:3c01::f03c:91ff:feae:3d2b] has joined #openvpn
15:15 -!- Guest24837 [d@2600:3c01::f03c:91ff:feae:3d2b] has left #openvpn []
15:17 -!- dextro_ [d@2600:3c01::f03c:91ff:feae:3d2b] has joined #openvpn
15:17 < dextro_> iv been setting up vpns over satellite links which are unstable
15:18 < dextro_> when the connection drops openvpn doesnt seem to try and reconnect
15:22 < Aketzu> do you have keepalive in openvpn config?
15:22 < pekster> !keepalive
15:22 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
15:23 <@krzee> !keepalive
15:23 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
15:24 -!- mode/#openvpn [+v Aketzu] by krzee
15:27 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 248 seconds]
15:28 < dextro_> i do
15:28 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Quit: Bye.]
15:28 < dextro_> keepalive 10 120
15:29 < pekster> Then after ~120 seconds of no inbound keepalive from the server, the client will initiate a reconnect
15:29 < pekster> (the server will terminate the client instance after twice that)
15:30 < dextro_> no way to keep retrying?
15:31 <+Aketzu> umm?
15:32 <+Aketzu> it retries keepalive every 10 seconds
15:32 < dextro_> it gives up
15:32 <+Aketzu> and after disconnection tries to reconnect
15:32 < dextro_> i have online machines i have to manually reboot openvpn to get them back on the vpn
15:32 <+Aketzu> .. unless you have some other fubar in the config that prevents reconnect
15:33 <+Aketzu> e.g. using --user nobody or something similar
15:34 < dextro_> user nobody
15:34 < dextro_> group nobody
15:34 < dextro_> nailed it :D
15:36 < dextro_> hopyfully commenting those out fixes it! :D:D
15:36 < dextro_> now for my second problem
15:36 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
15:36 < dextro_> i am using the vpn to call home from my virtual machine
15:36 < dextro_> problem is when customers clone the vm
15:36 < dextro_> the certs are dupes
15:37 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:38 -!- mode/#openvpn [+o krzee] by ChanServ
15:38 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
15:39 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:41 -!- lj1 [~l@192.241.174.169] has joined #openvpn
15:42 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
15:47 <+Aketzu> --duplicate-cn
15:48 < pekster> Or just issue unique certs
15:52 <+Aketzu> more likely needs automatic cert enrollment after machine name changes or something
15:52 <@krzee> eh?
15:53 < dextro_> nothing in the vm will change
15:53 < dextro_> thats the problem
15:53 < dextro_> network ip might even be the same
15:53 < pekster> Sounds like a $vm_software issue
15:54 <+Aketzu> bios uuid might differ
16:02 <@krzee> !ping
16:02 <@vpnHelper> pong
16:02 <@krzee> woot finally no lagg on the train
16:08 <+Aketzu> then the train probably breaks in the next stop
16:08 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
16:09 <+Aketzu> I was once in a train that the driver tried to reboot three times and then announced "this isn't going to work, take the next train in 30 minutes"
16:09 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
16:11 -!- fenris_kcf [~fenris@p4FFE4FB8.dip0.t-ipconnect.de] has left #openvpn ["ISON NickServ"]
16:16 -!- donvito [~nertil@unaffiliated/donvito] has joined #openvpn
16:23 <@krzee> powered by windows?
16:23 <@krzee> hah
16:39 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:47 -!- __FBi [~B@uwantmy.info] has quit [Ping timeout: 248 seconds]
16:47 -!- donvito [~nertil@unaffiliated/donvito] has quit [Ping timeout: 264 seconds]
16:54 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
16:58 -!- __FBi [~B@uwantmy.info] has joined #openvpn
17:15 -!- gedO [~Thunderbi@78.62.255.17] has joined #openvpn
17:15 < gedO> Hello, I'm running Debian 7 and I ca'nt create tun device
17:15 < gedO> can someone help me?
17:19 < pekster> Missing tun support in your kernel perhaps?
17:20 < pekster> If your iproute2 is decently up to date, try `ip tuntap add dev tun-test mode tun` and see what your kernel log complains about
17:24 < gedO> pekster: okey, one sec
17:25 < gedO> pekster: output is: open: No such file or directory
17:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
17:42 < exa> !ping
17:42 <@vpnHelper> pong
17:43 < gedO> how I could check if kernel supports tap device?
17:44 < pekster> Check for CONFIG_TUN in your kernel config
17:44 < gedO> pekster: can you say full command?
17:44 < pekster> Depends on where you kernel config is, which varies by distro and config options
17:44 < pekster> So, no
17:45 < gedO> pekster: debian 7
17:45 < pekster> Then ask #debian how you find out
17:45 < pekster> /proc/config.gz is IIRC missing on debian (why I have no clue.. that's a dumb thing to leave out)
17:45 < pekster> Try a google search?
17:45 < pekster> Or debian forums/channels?
17:46 < pekster> Maybe look in /boot/ for clues?
17:46 < pekster> etc, etc
17:46 < gedO> pekster: one sec, I will find
17:48 < pekster> Also, that "output" you gave earlier isn't from the _kernel_ log like I asked
17:49 < gedO> pekster: outpur is from command openvpn <config file>
17:50  * pekster sighs
17:50 < pekster> If your OS is misconfigured, fix it. If not, review !configs and !logs
17:50 < pekster> !new
17:50 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
17:56 -!- gedO [~Thunderbi@78.62.255.17] has quit [Quit: gedO]
17:59 -!- donvito [~nertil@46.217.227.12] has joined #openvpn
18:00 -!- donvito [~nertil@46.217.227.12] has quit [Changing host]
18:00 -!- donvito [~nertil@unaffiliated/donvito] has joined #openvpn
18:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
18:05 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:08 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
18:09 -!- BtbN [btbn@btbn.de] has joined #openvpn
18:13 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
18:14 -!- kro[au] [~thatguy@kgovps.net] has quit [Excess Flood]
18:14 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has joined #openvpn
18:15 -!- kro[au] [~thatguy@kgovps.net] has joined #openvpn
18:21 < Shikieiki_> how do i force dns queries through openvpn?  i've looked all over online and all results are either people saying "why not just use google DNS", or guides that require scripts which do not exist on gentoo (which is what i'm using).  if my resolv.conf file is set with "nameserver 192.168.1.1" (my router), there's a long waiting period before the DNS lookup fails, and if i set it to "127.0.1.1" it fails instantly.  in the mean time i have 
18:22 < MacGyver> Shikieiki_: Your message got cut off at "in the mean time i have...". IRC has a character limit of around 500 characters.
18:22 < pekster> 512 exactly including the PRIVMSG command
18:22 < MacGyver> pekster: I know, but that's unnecessary detail :P
18:23 < pekster> The obvious answer here is that you set a DNS server across the VPN link
18:23 < pekster> If you aren't using the "resolvconf" package, you'll need to do that as defined in: !pushdns
18:23 < MacGyver> (And the 512 also includes the \r\n at the end, iirc)
18:23 < Shikieiki_> "im the mean time i have changed my DNS server to an anonymous one in germany
18:23 < Shikieiki_> i do have the resolvconf package (from openresolv)
18:23 < pekster> Then read the reference I handed you above for details
18:23 < Shikieiki_> but running /etc/openvpn/up.sh does nothing
18:23 < Shikieiki_> (it supposedly should edit resolv.conf)
18:24 < Shikieiki_> !pushdns
18:24 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
18:24 < pekster> Read the gentoo specific comments too in /etc/conf.d/openvpn as IIRC they do some magic there
18:25 < pekster> I haven't used the initscript as a client in a long time, but they do some goofyness
18:25 < Shikieiki_> i don't have an update-resolv-conf script
18:26 < pekster> Right, gentoo's "up.sh" does magic
18:26 < Shikieiki_> i tried running it, it does nothing.  even with "bash -x /etc/openvpn/up.sh" it shows very little, mainly a few if statments then exit 0
18:26 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
18:27 < pekster> Did you set the env-vars openvpn did?
18:27 < pekster> !scripts
18:27 < Shikieiki_> as for /etc/conf.d/openvpn, PEER_DNS="yes"
18:27 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
18:27 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
18:27  * pekster sighs
18:27 < Shikieiki_> i'm not sure what env-vars openvpn sets?
18:27 < pekster> Then read the manpage I linked and figure it out
18:27 -!- kro[au] [~thatguy@kgovps.net] has quit [Ping timeout: 272 seconds]
18:28 < pekster> tl;dr is that you don't call up.sh yourself
18:28 < pekster> If you don't call it with the right env-vars at the right time, it's worthless
18:28 < pekster> if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
18:28 < pekster> etc, etc
18:28 < pekster> It does lots of things
18:28 < Shikieiki_> ok
18:29 < Shikieiki_> i'm reading https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR now
18:29 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
18:29 < pekster> But _only_ if you set --dhcp-option (or have it pushed from the server)
18:29 < pekster> Again, this is all worthless if you're not _actually_ pushing/setting values
18:30 < Shikieiki_> does the server have to support --dhcp-option?
18:31 < pekster> It's a client-only thing
18:31 < pekster> So, no, unless you expected it to push it
18:32 < pekster> openvpn does very little here. If you set (or pull, which is an implicit way to set) that option, it sets the env-var as listed in the documentation. What you do with that is entierly up to you
18:34 < Shikieiki_> i'm not quite sure what i'm suppose to do.  just add --dhcp-option to the command line?
18:34 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
18:34 < Shikieiki_> or, --dhcp-option /etc/openvpn/up.sh?
18:35 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
18:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 240 seconds]
18:38 -!- Eduard_Munteanu [~EduardMun@188.26.138.31] has joined #openvpn
18:38 < pekster> Have you read the manpage?
18:38 < pekster> Becuase it explains fairly clearly how you use that option
18:38 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
18:39 < Eduard_Munteanu> Does guest-to-guest simply push a route, but otherwise the clients could talk to each other?
18:39 < pekster> --dhcp-option type [parm]
18:39 < pekster> Here's a hint: /etc/openvpn/up.sh is not a valid 'type'. Perhaps you should review the documentation and show that you spent at least 2 minutes reading it
18:39 < Eduard_Munteanu> Er, client-to-client.
18:40 < pekster> Eduard_Munteanu: Routing is no differnet, althoug the --server helper-directive does act "differently" in that case. The key point is that it won't hit your OS firewall (ie: PF or Netfilter) and gets routed "in-openvpn" between clients on the same VPN network
18:41 < Shikieiki_> --dhcp-option DNS /etc/openvpn/up.sh ?
18:42 < Eduard_Munteanu> pekster: so I can't really prevent that, unless I use the older, non-server mode?
18:42 < pekster> You want to set a DNS server of "/etc/openvpn/up.sh" ?
18:42 < pekster> I rather doubt that
18:42 < pekster> It's a DHCP option like you'd set in your DHCP server
18:42 < pekster> So, DNS would be something like dns.companydomain.com or 8.8.8.8 or 4.2.2.1
18:42 < Shikieiki_> but that's under windows-specific options.  and no i don't want to set as the dns server, i want to route whatever my current dns server is through the vpn
18:42 < pekster> DOMAIN mgiht be mycompany.com, or google.com, or whatever your internal domain is
18:42 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
18:43 < pekster> Try dhcp-options(5)
18:43 < pekster> Shikieiki_: FFS man, read the manual
18:43 < pekster> "Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script  is  called,  under  the  name "foreign_option_{n}"."
18:44 < pekster> I didn't paste those bot references for my own amusement
18:45 < Shikieiki_> i'm sorry, i know very little about networking, and i know maybe half of what the man page is refering to, though i am trying to read it.  as for dhcp-options(5), i can't find that man page.
18:46 < Eduard_Munteanu> Shikieiki_: man 5 dhcp-options
18:46 < Eduard_Munteanu> Or google for it,
18:46 < Shikieiki_> "No entry for dhcp-options in section 5 of the manual"
18:46 < Shikieiki_> ah, yeah i'll google it then
18:46 < Shikieiki_> .w 2
18:47 < pekster> OpenVPN is an advanced networking tool, so you should be preapred to do an awful lot of reading on the basics if you're lacking now
18:47 < Shikieiki_> i only recently switched away from ubuntu, where networking and the vpn just werked(tm), yeah, i will have to do a lot of reading
18:49 < pekster> IIRC if you want the default resolvconf integration (and have installed resolvconf and are using it, of course) the Gentoo initscript magic tries to also Just Work™. YMMV, and I haven't used it in years. #gentoo if you find bugs that they need to fix in their initscript
18:49 < Shikieiki_> from what i can see, it's "--dns-option DNS [my chosen dns]", but i don't want to hardcode the DNS server for openvpn, i want it to automatically use what resolv.conf specifies. the manpage isn't saying anything about that
18:49 < pekster> huh?
18:49 < pekster> Then don't _do_ anything!
18:49 < pekster> If you don't wnat to change your DNS, then don't do anything and your DNS won't change
18:49 < Shikieiki_> but then my dns leaks?
18:49 < pekster> "leaks" ?
18:50 < Shikieiki_> no, i wan't my dns to go through openvpn
18:50 < pekster> Then set it to
18:50 < pekster> Just use a public DNS and be done with this
18:50 < Shikieiki_> that's what i asked when i first came in
18:50 < pekster> You're making life way hard on yourself
18:50 < Shikieiki_> ;_;
18:50 < pekster> And I told you a solution to that long ago
18:50 < Eduard_Munteanu> Shikieiki_: one of the redirect-gateway options only lets the openvpn traffic go the normal way, IIRC
18:51 < Eduard_Munteanu> The rest goes through the VPN.
18:51 < Shikieiki_> the normal way?
18:51 < Eduard_Munteanu> Well, except machines in your subnets.
18:51 < pekster> Minus link-local of course
18:51 < pekster> Yea
18:51 < Eduard_Munteanu> Shikieiki_: outside the openvpn connection
18:51 < Shikieiki_> ah
18:51 < pekster> What's wrong with `echo "nameserver 8.8.8.8" > /etc/resolv.conf` in an --up script
18:51 < pekster> Done
18:52 < pekster> One line (sans shebang) and that's it
18:52 < pekster> Mind your DHCP client so that it won't try to clobber it when it renews
18:52 < Shikieiki_> i have no idea how to do that
18:52 < pekster> !google how to write a shell script
18:52 <@vpnHelper> LinuxCommand.org: Writing shell scripts.: <http://linuxcommand.org/writing_shell_scripts.php>; Writing shell scripts - Lesson 1: Writing your first script and getting it ...: <http://linuxcommand.org/wss0010.php>; Writing a Shell Script From Scratch | Nettuts+: <http://net.tutsplus.com/tutorials/tools-and-tips/writing-a-shell-script-from-scratch/>
18:52 < pekster> This is the wrong place to learn this level of OS basics
18:53 < Shikieiki_> the default seems to have been set to --up /usr/libexec/nm-openvpn-service-openvpn-helper
18:53 < Shikieiki_> i do know how to make shell scripts...
18:54 < Eduard_Munteanu> Shikieiki_: you just need to set your DHCP client not to use advertised nameservers, perhaps part of your distro config scripts.
18:54 < pekster> Or honestly, just set google DNS as a "static" nameserver
18:54 < pekster> n-m has its way of doing that, or you pass your dhcp client the option not to do that
18:54 < pekster> read your dhcp client's manpage for details
18:54 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
18:55 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
18:55 < pekster> We also don't really recommend n-m for openvpn here
18:55 < Shikieiki_> if i set google dns as a "static" nameserver or set the nameserver in resolv.conf, will it go through openvpn automatically?
18:55 < pekster> It tries to "magically" work, and often doesn't
18:55 < pekster> So I have zero clue wtf happens if you use n-m
18:55 < pekster> Ask the Gnome folks
18:55 < Shikieiki_> i'm on kde
18:55 < Eduard_Munteanu> Shikieiki_: resolv.conf might be rewritten by network scripts
18:55 < pekster> No, networkmanager is gnome
18:55 < pekster> https://wiki.gnome.org/Projects/NetworkManager
18:56 <@vpnHelper> Title: Projects/NetworkManager - GNOME Wiki! (at wiki.gnome.org)
18:56 < pekster> KDE has "widgets" for it, but the _gnome_ project maintains NetworkManager
18:56 < Shikieiki_> oh, maybe they maintain it, yeah
18:56 < pekster> !networkmanager
18:56 < pekster> !nm
18:56 < Eduard_Munteanu> Shikieiki_: however look for the resolvconf service, which is different and can be configured to ignore the DHCP ones, if you have it.
18:56 < pekster> !factoids search manager
18:56 <@vpnHelper> No keys matched that query.
18:56 < pekster> !factoids search --values manager
18:56 <@vpnHelper> 'ubuntu', 'netman', 'win2k8', and 'netman'
18:56 < pekster> !netman
18:56 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
18:56 < Shikieiki_> i have installed openresolv
18:57 < pekster> Yea, I stopped paying any real attention when you said n-m is doing your DNS
18:57 < pekster> Use n-m to make your DNS suck less
18:57 < pekster> Or just set resolv.conf like a normal OS
18:57 < Shikieiki_> ...
18:57 < pekster> I have ZERO clue what is so hard about "set a DNS off your network"
18:58 < pekster> I suggest you, ya know, set a DNS that is off your network for things to work
18:58 < pekster> If you want openvpn/resolvconf/whatever to do it, use --dhcp-option and pass DNS and let the automagic detection scripts do it. If you want to do it yourself, do it yourself
18:58 < pekster> If you think this is all too complex, tell your DHCP client _NOT_ to mess with your DNS and maintain it yourself
18:58 < Shikieiki_> uuugh, i don't want to just set my dns, i simply want it to go through openvpn
18:59 < pekster> And your lack of basic routing is why it doesn't now
18:59 < Shikieiki_> i know how to change my dns
18:59 < pekster> !tcpip
18:59 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
18:59 < pekster> !101
18:59 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
18:59 < pekster> I'm sick of explaining basics to you
18:59 < pekster> Your problem is a simple fix: use off-link DNS
18:59 < pekster> Done.
18:59 < Eduard_Munteanu> Is there any way to really isolate clients in server mode?
18:59 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 240 seconds]
19:00 < Shikieiki_> i don't even know what off-link DNS is, and a google search is just showing me ads for routers
19:00 < Eduard_Munteanu> Shikieiki_: is your DNS on the same subnet as the normal gateway?
19:00 < Eduard_Munteanu> Or your own subnet, same thing.
19:00 < Shikieiki_> i think it's set to some german DNS, otherwise i use 8.8.8.8
19:01 < Eduard_Munteanu> So is it or not?
19:01 < Shikieiki_> i don't have it set to 192.168.1.1 (for my router) because it never resolves, even though that's what networkmanager says it should be
19:01 < Shikieiki_> i don't think it is anymore, no
19:02 < Eduard_Munteanu> Shikieiki_: then if you route most traffic through openvpn using 'redirect-gateway', so should your DNS queries.
19:02 < pekster> Eduard_Munteanu: Fireall
19:03 < pekster> firewall* (and DON'T use --client-to-client as that bypasses your firewall for client-sourced, client-bound traffic)
19:03 < pekster> Eduard_Munteanu: If it helps, think of openvpn as nothing more than an IP route (yes, with some cool security features, but it's "just a router.") Firewall/route as you normally would
19:04 < Eduard_Munteanu> pekster: I'm not sure I understand. AFAICT, --client-to-client merely pushes a route, but clients could add it themselves, no?
19:04 < pekster> No, the route is magic from the "helper directives" and I'd discourage you from using them until you understand what thtey do
19:04 < pekster> --client-to-client BYPASSES yoru OS routing for traffic both to/from the VPN network
19:04 < Shikieiki_> what flag would i add to --redirect-gateway?
19:04 < Shikieiki_> local?
19:05 < Eduard_Munteanu> pekster: oh, I've been reading the server directive help and saw that client-to-client... I guess client-to-client itself allows that traffic.
19:06 < Eduard_Munteanu> pekster: so if I do *not* set it, clients shouldn't be able to talk to each other no matter what (assume they can be malicious)?
19:06 < pekster> Right, --client-to-client does nothing more than "directly" routed client-to-client traffic. The routing is still your responsisbility, but --server _does_ do things differently in net30 topology
19:06 < pekster> Right, so don't set it and firewall "as usual"
19:06 < Eduard_Munteanu> Oh, ok, thanks.
19:06 < pekster> Also, net30 sucks. Read the wiki link in !topology for details
19:07 < Shikieiki_> the openvpn manpage is giving me very little information about --redirect-gateway, i'm not sure which flag to use (though i know some not to use)
19:07 < pekster> You really should be using subnet, and that exposes it all as a single-subnet anyway
19:07 < pekster> Shikieiki_: None, unless you need them
19:07 < Eduard_Munteanu> pekster: well, is it possible to forward traffic even without --client-to-client?
19:07 < Shikieiki_> oh, i didn't know flags were optional, ty
19:07 < Eduard_Munteanu> def3 is fine usually
19:07 < pekster> Oh, def1, yea
19:07 < pekster> Do use that
19:07 < pekster> !def1
19:07 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
19:08  * Eduard_Munteanu doesn't know where he got the 3 digit from :)
19:08 < Shikieiki_> oh, use def1?
19:08 < Shikieiki_> ok
19:08 < pekster> I would, unless you like the idea of DHCP renewals clobbering the 0/0 route
19:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:08 < Eduard_Munteanu> Shikieiki_: it prevents shooting yourself in the foot in some situations
19:08 < pekster> s/some/most/
19:09 < _FBi> if all my VPN traffic is pushed through my VPN and my VN has 17 IPs, how do I get my VPN to use all 17?
19:09 -!- psycheye [~psycheye@93.49.16.11] has quit [Max SendQ exceeded]
19:10 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
19:10 < pekster> _FBi: Yea, none of that made any sense
19:10 -!- schnitzl [~schnitzl@dslb-094-217-193-080.pools.arcor-ip.net] has quit [Ping timeout: 265 seconds]
19:11 < _FBi> heh, dang
19:11 < _FBi> proof reading is key
19:12 -!- schnitzl [~schnitzl@dslb-094-217-193-080.pools.arcor-ip.net] has joined #openvpn
19:12 < pekster> If your "VPN server" has the 17 IPs, you don't use them anywhere but the VPN server. Maybe you play games with NAT, but that's not an openvpn problem at that point
19:12 < _FBi> 10-4
19:13 < _FBi> sounds like a load balancer
19:13 < _FBi> or something to that affect
19:14 < Eduard_Munteanu> pekster: hmmm... in absence of client-to-client, clients could still use the server for IP forwarding, just that the input and output interfaces are the same, right? It is a tad bit weird, but if I got that right, I suspect I want to make sure I don't do IP forwarding in and out of the same tun/tap interface.
19:15 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
19:15 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
19:15 < Eduard_Munteanu> Well, a strict firewall that drops by default would cover that case I suppose.
19:16 < pekster> Right
19:16 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has quit [Quit: leaving]
19:16 < Eduard_Munteanu> Thanks, makes sense now.
19:17 < pekster> Any 'production' firewall really should drop inbound and forwarded traffic by default anyway
19:18 < pekster> That's the "firewall as usual" bit I noted above ;)
19:19 < Eduard_Munteanu> Yeah, I do that as well, now that I think about it.
19:19 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Read error: Connection reset by peer]
19:19 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
19:20 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has joined #openvpn
19:21 < Shikieiki_> gah, how do i set default options for openvpn that are used whenever it's run?
19:22 < Eduard_Munteanu> Shikieiki_: use a distro service, don't run it manually
19:22 < Shikieiki_> i'm not running it manually, i'm using networkmanager.  when i did "import" on the .conf file (after adding "redirect-gateway def1" to it) and started that VPN, the running vpn process doesn't have --redirect-gateway def1 in it (which i checked with htop)
19:23 < Eduard_Munteanu> Shikieiki_: what distro are you using?
19:23 < Shikieiki_> gentoo
19:23 < Eduard_Munteanu> Shikieiki_: oh, you can just create a config in /etc/openvpn
19:24 < Shikieiki_> called openvpn.conf?
19:24 < Shikieiki_> aw dammit, networkmanager overwrote resolv.conf again -_-
19:25 < Eduard_Munteanu> Shikieiki_: no... connection_name.conf, and you make a symlink /etc/init.d/connection_name -> openvpn.
19:25 < Shikieiki_> oh, i already have that
19:26 < pekster> Yes, n-m is a pile of shit
19:26 < Shikieiki_> it's the only option i have currently
19:26 < pekster> We don't recommend it becuase it tends to either Magically Work or break-a-lot
19:26 < pekster> Um, no
19:26 < pekster> You can `openvpn --config /path/to/your.conf` and openvp works fine
19:27 < Shikieiki_> how do i set nm to display when my vpn is connected then?
19:27 < pekster> No idea. https://wiki.gnome.org/Projects/NetworkManager#Getting_in_Touch
19:27 <@vpnHelper> Title: Projects/NetworkManager - GNOME Wiki! (at wiki.gnome.org)
19:27 < pekster> (hint: that was on the project page I linked you to a while back)
19:27 < Shikieiki_> i tried that once, and two days later realised my vpn had disconnected and i had no idea because the lock icon was never there
19:28 < pekster> Yea, sounds to me like you want some "magic" solution that gives you the proverbial kitchen sink. Here we deal in plumbing
19:29 < Shikieiki_> i don't want a magic solution, i just want to find out how to add a default option so that openvpn will use it, regardless of what config file it uses
19:29 < Eduard_Munteanu> Shikieiki_: edit your init script
19:30 < pekster> Why not just put it in your config files?
19:30 < pekster> I suppose you could muck with the initscript, but that gets ugly when you upgrade
19:30 < pekster> The "gentoo way" would be to do a local overlay ebuild, mask it to your version (so newer upstream don't clobber yours) and patch the initscript
19:30 < Shikieiki_> i did put it in the config files, and then imported them with networkmanager.  when i started the vpn and ran "ps -Af | grep openvpn" i didn't see redirect-gateway in it
19:30 < pekster> Again, n-m sounds like your problem
19:31 < pekster> If you can't reproduce your issue here for us with !configs and !logs, it's !notovpn
19:31 < Shikieiki_> so, is there no way to tell openvpn to use certain default options?
19:31 < pekster> You add them to a confnig or the CLI
19:31 < Eduard_Munteanu> I just told you.
19:31 < pekster> THat's the ONLY way to configure openvpn
19:31 < pekster> And that is also in the manpage
19:31 < Shikieiki_> i read the manpage
19:31 < pekster> Re-read the `OPTIONS` section then
19:32 < pekster> First paragraph
19:33 < pekster> First sentence even. "OpenVPN allows any option to be placed either on the command line or in a  configuration  file."
19:33 < Shikieiki_> that must not contain all the options, because /etc/conf.d/openvpn exists and it says nothing about that
19:33 < pekster> Your CONFIG file
19:33 < pekster> I'm not sure you understand how openvpn works
19:33 < pekster> !howto
19:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:33 < pekster> Maybe you should start there?
19:33 < pekster> #gentoo if you need conf.d help
19:34 < pekster> (that's got nothing to do with openvpn, and everything to do with now your distro configures the initscript that then configures openvpn)
19:34 < pekster> You're about 3 steps removed from openvpn, so I'm not sure why you want #openvpn to help you with your distro and/or n-m
19:34 < pekster> Want to pass openvpn options? Great, add them to the CLI command you use to start it or put them in the config file you reference with --config. Easy.
19:35 < Shikieiki_> i don't see how "how do i tell openvpn to use redirect-gateway even if the .conf file doesn't specify it" isn't openvpn related?
19:35 < pekster> PUT IT IN THE FUCKING .CONF
19:35 < pekster> Is this really so hard?
19:35 < pekster> Is the concept of adding things to a config file hard?
19:35 < Shikieiki_> AS I SAID BEFORE, i can't put it in the .conf because nm (sure, it sucks, but it's being used) somehow strips it
19:35 < pekster> !notovpn
19:35 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
19:36 < pekster> You're wating time here
19:36 < pekster> Unless someone well-versed in n-m jumps in, you _CANNOT_ get help for n-m here
19:36 < Shikieiki_> i am not ASKING for help with n-m
19:36 < pekster> Yes, you are
19:37 < pekster> You said "i can't do <x> becuase nm <y>"
19:37 < pekster> Obvously your problem has nothing to do with openvpn
19:37 < pekster> If it does, give me:
19:37 < pekster> !configs
19:37 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:37 < pekster> !logs
19:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:37 < pekster> If not, stop wasting my time
19:38 < Shikieiki_> just tell me, is there a way to set openvpn to append options to the command line, regardless of the .conf file it reads from, or is there not?  that's all i'm looking for
19:38 < pekster> You add them to the command line
19:38 < pekster> "set openvpn to append" ??
19:38 < pekster> That makes zero sense
19:38 < pekster> Openvpn doesn't append anything: YOU add them
19:38 < pekster> OPTIONS OpenVPN allows any option to be placed either on the command line or in a  configuration  file. Though  all  command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
19:39 < pekster> Is that confusing?
19:39 < Shikieiki_> no, you i already know that
19:39 < pekster> Great. Then go do it. Or if you "can't becuase n-m" then go whine to them. Or stop using shitty frontends
19:40 < Shikieiki_> you're not answering my question. maybe another way to phrase it is, is there a way to have a universal .conf file that's used along with whatever .conf file i specify on the command line, as if i did "cat universal.conf vpn.conf > vpn.conf && openvpn vpn.conf"
19:40 < pekster> Nope
19:40 < pekster> fwiw you can call --config in a config file
19:40 < Shikieiki_> OK, that's all i was asking... was that really so hard?
19:41 < pekster> Then ask it next time
19:41 < pekster> Not "whine whine n-m can't let me do what you ask.."
19:41 < Shikieiki_> i was trying, you kept assuming i was talkin about n-m
19:41 < pekster> You were
19:41 < pekster> 19:35:48 < Shikieiki_> AS I SAID BEFORE, i can't put it in the .conf because nm (sure, it sucks, but it's being used) somehow strips it
19:42 < Shikieiki_> and i wasn't asking how to change networkmanager to work with openvpn, i was asking how to use a workaround using openvpn
19:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
19:42 < Shikieiki_> anyways, i'm done arguing, you finally answered my question and i can go on
19:49 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
19:51 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
19:55 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 248 seconds]
19:58 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has quit [Quit: leaving]
20:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:16 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Ping timeout: 252 seconds]
20:18 -!- donvito [~nertil@unaffiliated/donvito] has quit [Ping timeout: 272 seconds]
20:23 -!- schnitzl [~schnitzl@dslb-094-217-193-080.pools.arcor-ip.net] has quit [Ping timeout: 248 seconds]
20:24 -!- schnitzl [~schnitzl@dslb-178-007-138-229.pools.arcor-ip.net] has joined #openvpn
20:25 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has joined #openvpn
20:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
20:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
20:41 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
20:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
20:48 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:48 < Shikieiki_> what will happen if i add openvpn to the default runlevel so it starts at boot, but networking doesn't turn on until later?  will openvpn connect automatically when network is enabled?
20:49 < pekster> Then you file a bugreport with your distro that screwed up dependency resolution
20:49 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
20:50 < pekster> OpenVPN normally attempts to connect persistently
20:52 < Shikieiki_> so, i'm trying to take your advice and not use networkmanager, i'm reading up on using openvpn without n-m, and trying to learn how to connect to my wifi without n-m as well.  it appears to be working so far
20:53 < pekster> On my ubuntu-based laptop I let n-m do its thing (normally) for my wired/wireless, but just handle openvpn myself
20:53 < pekster> Sometimes I need to do some non-standard networking, and I just tell n-m to ignore the interfaces in question so it "gets out of my way"
20:53 < pekster> That's baiscally the way to go for openvpn -- do it with your distro's init (if you like what it does) or with your own methods
20:56 < Shikieiki_> hm, so it's best to use n-m for networking instead of using wpa_supplicant directly? ok
20:56 < pekster> Whatever you want
20:56 < pekster> Again, that's a "not openvpn's problem" -- use what you like for networking
20:57 < Shikieiki_> ok, just wondering
20:59 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
21:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:15 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has quit [Ping timeout: 264 seconds]
21:20 -!- joshh20 is now known as joshh20-Away
21:21 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has joined #openvpn
21:23 -!- booo [~booo__@p54BD8069.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
21:25 -!- booo [~booo__@p54BD82F1.dip0.t-ipconnect.de] has joined #openvpn
21:28 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 240 seconds]
21:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
21:38 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
21:39 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
21:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 240 seconds]
21:42 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
21:44 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
21:47 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: No route to host]
21:49 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
21:55 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
22:06 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
22:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:09 -!- CR1T1C4L718 [~Ebony_Ald@c-67-163-118-38.hsd1.va.comcast.net] has joined #openvpn
22:09 < CR1T1C4L718> hello
22:12 < CR1T1C4L718> Help?
22:14 -!- CR1T1C4L7181 [~Ebony_Ald@c-67-163-118-38.hsd1.va.comcast.net] has joined #openvpn
22:14 -!- CR1T1C4L718 [~Ebony_Ald@c-67-163-118-38.hsd1.va.comcast.net] has quit [Read error: Connection reset by peer]
22:15 < pekster> !new
22:15 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
22:17 < CR1T1C4L7181> huh
22:17 < pekster> http://catb.org/~esr/faqs/smart-questions.html#beprecise
22:17 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
22:17 < pekster> More info at: !ask
22:19 -!- CR1T1C4L7181 [~Ebony_Ald@c-67-163-118-38.hsd1.va.comcast.net] has left #openvpn []
22:22 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has quit [Ping timeout: 252 seconds]
22:30 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
22:31 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:31 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:32 -!- vpnHelper is now known as 23LAAYVV6
22:32 -!- 23LAAYVV6 is now known as vpnHelper
22:37 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Excess Flood]
22:38 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
22:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
22:42 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
22:42 -!- aji [~alex@atheme/member/aji] has quit [Excess Flood]
22:43 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
22:43 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
22:44 -!- aji [~alex@atheme/member/aji] has joined #openvpn
23:03 -!- Eduard_Munteanu [~EduardMun@188.26.138.31] has quit [Ping timeout: 245 seconds]
23:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:27 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
23:32 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
23:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
23:48 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has quit [Quit: Leaving]
23:58 -!- Guest10357 [~bam_bam@58.149.128.131.dhcp.uri.edu] has quit [Quit: Lost terminal]
--- Day changed Sun Jan 26 2014
00:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
01:00 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has joined #openvpn
01:00 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has quit [Changing host]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:01 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 260 seconds]
01:05 < Shikieiki_> i've uninstalled networkmanager for now, and just have wpa_supplicant and openvpn running.  i've added "redirect-gateway def1" to the config file, and have specified the correct up/down scripts.  now, when i start openvpn, it doesn't automatically change the nameserver to 10.8.0.2 like it should, although if i change it manually, down.sh does manage to change it back to 192.168.1.1 (for my router).
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:06 < Shikieiki_> how do i allow openvpn to connect to my VPN, then change the nameserver so everything is forced through it?
01:07 < Shikieiki_> i've been looking it up online for the past hour or so, and all the guides told me to do things i already have, like specify the correct up/down scripts, or add redirect-gateway
01:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:13 < Shikieiki_> the KDE version is 4.12.1 and kwin is 4.11.5
01:15 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
01:20 < Shikieiki_> er, wrong window, ignore that last line
01:20 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
01:32 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
01:33 < lordnikkon> can anyone help figure out how i need to configure my openvpn client config on mint so that it routes all traffic and not just web traffic?
01:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
01:48 < lordnikkon> !welcome
01:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:48 < lordnikkon> !redirect
01:48 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
01:49 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
02:05 -!- ikrabbe [ingo@pdpc/supporter/professional/ikrabbe] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:21 < Shikieiki_> anyone?
02:24 < lordnikkon> seems like no one is really here
02:25 < Shikieiki_> ;_;
02:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
02:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:40 -!- simpleTon``` [~ck@109.63.110.144] has joined #openvpn
02:41 -!- simpleTon``` [~ck@109.63.110.144] has left #openvpn []
02:42 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
02:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
02:51 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:55 < ikrabbe> good morning lordnikkon
03:02 < lordnikkon> it is afternoon in my part of the world actually
03:03 < ikrabbe> irc rules say that its morning when entering a chat, to resolve that issue.
03:04 < lordnikkon> haha well good morning then
03:06 < ikrabbe> https://www.freenode.net/faq.shtml#fst (about freenode standard time) ;)
03:06 <@vpnHelper> Title: freenode: frequently-asked questions (at www.freenode.net)
03:06 < lordnikkon> dont supposed you would be able to help me to configure my openvpn client to route all traffic
03:06 < ikrabbe> that's not part of your openvpn client, how traffic is routed through your system, actually
03:07 < ikrabbe> first you have to tell you system to route traffic over an ip
03:07 < ikrabbe> openvpn binds a tun/tap device on an ip, so you can route your traffic through this ip
03:08 < lordnikkon> so how do i do that. when connect to the vpn some traffic seems to be routed and others not
03:08 < ikrabbe> (roughly spoken, not for technical correctness)
03:08 < ikrabbe> are you sure you want all traffic go through openvpn?
03:09 < ikrabbe> or just the traffic for a private network
03:10 < lordnikkon> yes i am in china, i am trying to be able to just access sites on the outside. even some repos are blocked so i need apt-get traffic to go through vpn also
03:13 < ikrabbe> then you would set your default route to use the vpn device
03:13 < ikrabbe> do you use linux, or what system?
03:14 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:14 < lordnikkon> i am running mint
03:15 < ikrabbe> that's a linux distribution, right?
03:15 < lordnikkon> yes debian based
03:16 < ikrabbe> ok, assumed you have a tunnel 10.1.2.2 -> 10.1.2.1/32
03:17 < ikrabbe> then you would set your default route through 10.1.2.1
03:18 < lordnikkon> i shoudl just run something like ip route add default via 10.1.2.1 ?
03:19 < ikrabbe> you need to delete your old default route first
03:19 < ikrabbe> but then yes
03:19 < ikrabbe> you might need to set some masquerading too
03:20 < ikrabbe> and be prepared to switch your routing back to what it is now, if you loose connection
03:20 < ikrabbe> (if that's on your main box)
03:21 < ikrabbe> I'm not sure right now, if you need to set masquerading on the other vpn endpoint
03:21 < lordnikkon> how can i make it setup the route automatically when openvpn connects?
03:23 < ikrabbe> first try it by hand, but then you can add scripts to vpn config, see man
03:24 < ikrabbe> there are special routing options. I don't know if they deal with default routing too, though, they are more fit for private network routing.
03:25 < lordnikkon> ok i will try it out and see how it goes
03:33 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
03:36 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
03:42 < ikrabbe> lordnikkon, are you still there
03:42 < ikrabbe> I just tried it over one of my tunnel for an ip range (I used 8.8.8.0/24)
03:44 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
03:47 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
03:48 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
03:48 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
03:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:49 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
03:58 < lordnikkon> what happened when you tried it?
03:59 < ikrabbe> it worked, after I set up masquerading for my packages from my private ip
03:59 < lordnikkon> how to setup masquerading?
04:00 < ikrabbe> for that to work, you also have to sysctl net.ipv4.ip_forward 1
04:00 < ikrabbe> with a = in between
04:00 < ikrabbe> hmm
04:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
04:00 < ikrabbe> and then you have to add a iptables rule:
04:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:01 < ikrabbe> iptables -t nat -A POSTROUTING -s "PRIVATE IP" -j MASQUERADE
04:01 < ikrabbe> that makes all packages from your "PRIVATE IP" to be translated on your openvpn router
04:02 < ikrabbe> (that you have to do on the remote end-point, not on your client machine!")
04:02 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
04:05 < lordnikkon> so the PRIVATE IP should be the ip that the vpn is assigning me? like in your example before it was 10.1.2.2?
04:06 < ikrabbe> yes
04:06 < ikrabbe> to be more save you can also set a "PRIVATE NET" such as 10.1.2.0/24
04:07 < ikrabbe> or even 10.1.0.0/16 to the whole ip range to be translated
04:08 < ikrabbe> (save with regards to: it shoule work, not more secure)
04:11 < lordnikkon> ok i guess i will to see how i do this with the vpn server
04:11 < ikrabbe> do you have a root account there?
04:11 < ikrabbe> then it should be no problem. Otherwise you don't have a chance
04:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:12 < Shikieiki_> if anyone is available now to help me with my problem, i'd appreciate it
04:12 < Shikieiki_> i'm trying to get openvpn to automatically update resolv.conf.  i've added "redirect-gateway def1" to the config file and have specified the correct up.sh and down.sh scripts, but when i start openvpn with "/etc/init.d/openvpn start", it doesn't change the nameserver to one that's able to resolve my VPN's IP, i have to do it manually (and then i have to change it again manually to go through the VPN). down.sh seems to work however
04:46 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:48 < ikrabbe> @lordnikkon: tell me if it worked
04:48 < ikrabbe> /msg lordnikkon ikrabbe dot ask at gmail dot com
04:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
05:01 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:05 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
05:11 -!- gedO [~Thunderbi@78.62.255.17] has joined #openvpn
05:11 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
05:11 < gedO> Hello, I can't load openvpn tunnel
05:12 < gedO> it says Need hold release from management interface, waitting...
05:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:15 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Client Quit]
05:16 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
05:26 -!- gedO [~Thunderbi@78.62.255.17] has quit [Read error: Connection reset by peer]
05:29 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Quit: Byebye]
05:30 -!- gedO [~Thunderbi@78.62.255.17] has joined #openvpn
05:48 < ikrabbe> gedO somehow this sounds to me like operating on wlan, right?
05:49 < gedO> ikrabbe: I'm on VPS
05:49 < gedO> ikrabbe: and unable to load tun how I understand
05:50 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
05:50 < ikrabbe> hmm, there is a management interface to openvpn. Best read the docs, you can hold/unhold there.
05:56 < ikrabbe> on a virtual server you often have no access to the kernel. So if you don't have a tun module there you might be lost there
05:56 < gedO> ikrabbe: okey, thank you for help. I will contact support
05:57 < ikrabbe> on my virtual server there is a tun module directly compiled into the kernel
06:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 240 seconds]
06:27 -!- mzat [~marc@dynamic-adsl-94-36-210-147.clienti.tiscali.it] has joined #openvpn
06:28 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
06:28 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:29 < mzat> hello I'm trying to config my vpn server to be a client of a vpn external provider. my vpn server can reach the internet but if I connect to it with my pc I'm not able to reach internet. The problem is probably on iptables or in the fact that maybe the vpn provider block this kind of setup
06:33 -!- marc_ [~marc@dynamic-adsl-94-36-210-147.clienti.tiscali.it] has joined #openvpn
06:33 -!- mzat [~marc@dynamic-adsl-94-36-210-147.clienti.tiscali.it] has quit [Read error: Connection reset by peer]
06:33 -!- marc_ is now known as Guest2856
06:33 -!- Guest2856 [~marc@dynamic-adsl-94-36-210-147.clienti.tiscali.it] has quit [Client Quit]
06:34 -!- mzat [~marc@dynamic-adsl-94-36-210-147.clienti.tiscali.it] has joined #openvpn
06:37 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
06:38 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
06:42 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 240 seconds]
06:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:43 -!- mode/#openvpn [+v s7r] by ChanServ
06:45 -!- gedO [~Thunderbi@78.62.255.17] has quit [Quit: gedO]
06:52 < mzat> hello I'm trying to config my vpn server to be a client of a vpn external provider. my vpn server can reach the internet but if I connect to it with my pc I'm not able to reach internet. The problem is probably on iptables or in the fact that maybe the vpn provider block this kind of setup
06:56 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has joined #openvpn
07:12 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Quit: Konversation terminated!]
07:15 -!- JackWinter [~jack@vodsl-4669.vo.lu] has joined #openvpn
07:21 -!- mzat [~marc@dynamic-adsl-94-36-210-147.clienti.tiscali.it] has quit [Quit: Leaving]
07:23 -!- supermat [mat@gateway/shell/cadoth.net/x-ftcemjglsyiahfpa] has joined #openvpn
07:24 -!- supermat [mat@gateway/shell/cadoth.net/x-ftcemjglsyiahfpa] has left #openvpn []
07:25 -!- CR1T1C4L718 [~Ebony_Ald@c-67-163-118-38.hsd1.va.comcast.net] has joined #openvpn
07:25 < CR1T1C4L718> help??
07:30 < CR1T1C4L718> I have a DDWRT router and I want to use it as a VPN server and I feel like the guides out are missing some key parts
07:41 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has quit [Read error: Connection reset by peer]
07:43 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
07:49 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
07:51 < CR1T1C4L718> anyone care to help with the setup?
08:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:07 -!- MindfulMonk [~MindfulMo@5.63.151.92] has joined #openvpn
08:07 -!- MindfulMonk [~MindfulMo@5.63.151.92] has left #openvpn ["Leaving"]
08:23 < CR1T1C4L718> help?
08:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
08:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:46 < reiffert> !factoids search ddwrt
08:46 <@vpnHelper> No keys matched that query.
08:46 < reiffert> !factoids search wrt
08:46 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
08:47 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 272 seconds]
08:50 < CR1T1C4L718> is someone there?
08:54 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:59 -!- master_of_master [~master_of@p4FD7B880.dip0.t-ipconnect.de] has joined #openvpn
08:59 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
09:03 -!- master_o1_master [~master_of@p4FF244E1.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
09:03 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
09:03 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:15 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
09:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
09:20 < pekster> You haven't asked a real question. Yes, lots of people are here
09:34 < CR1T1C4L718> ok
09:34 < CR1T1C4L718> I need help, i cannot seem to get my router to work as a vpn server
09:34 < CR1T1C4L718> using openvpn
09:35 < CR1T1C4L718> even now while watching the video and doing EXCATLY what is being done in the video it is still not working
09:36 < CR1T1C4L718> The real question is can someone help me please set this up, I am having trouble as the guides are not that clear in giving directions
09:37 < pekster> !howto
09:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:37 < pekster> That's our de-facto guide
09:38 < CR1T1C4L718> and it does not work
09:38 < CR1T1C4L718> trust me I have tried
09:38 < CR1T1C4L718> for the past 3 days
09:38 < pekster> You haven't expalined anything that you've tried
09:38 < pekster> http://catb.org/~esr/faqs/smart-questions.html#beprecise
09:38 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
09:38 < pekster> That might help you ask a question that will get you answered
09:38 < CR1T1C4L718> I have followed the guide you posted and the end result is it does not work, cannot connect to router
09:39 < CR1T1C4L718> The question is can someone help me set up my DD-WRT as a VPN server using OpenVPN
09:39 < CR1T1C4L718> apperently different builds have different guides when it comes to OpenVPN
09:39 < pekster> We support openvpn here, not dd-wrt
09:39 < CR1T1C4L718> I understand
09:39 < pekster> If you'd like openvpn help, start by doing what we ask everyone else to do: read !paste, !configs, and !logs
09:39 < pekster> Then provide a link to the requested resources
09:40 < CR1T1C4L718> I cannot seem to get my OpenVPN working
09:40 < pekster> That's a bummer
09:40 < CR1T1C4L718> I am stuck on the part where you type "build-ca"
09:40 < pekster> Do your PKI on a real PC
09:40 < pekster> Don't do key generation on embedded hardware (_especially_ not dd-wrt)
09:41 < CR1T1C4L718> Ok let me put this in perspective for you Pek
09:41 < CR1T1C4L718> if I were to come to you and say something like "Hey your off dither by 3 degrees and your AZEL is not locked in"
09:41 < CR1T1C4L718> would you know what I am talking about?
09:42 < pekster> !intro-to-pki
09:42 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
09:42 < pekster> Sounds to me like you haven't even really tried to learn how to set up a PKI
09:42 < CR1T1C4L718> Ok
09:42 < CR1T1C4L718> you are jumping to conclusions
09:42 < CR1T1C4L718> I have set up a VPN using windows server and windows 7
09:42 < CR1T1C4L718> it wasent this difficult
09:43 < pekster> So maybe show us what you've done?
09:43 < pekster> Show us what step you got stuck on?
09:43 < pekster> At least pretend to try?
09:43 < CR1T1C4L718> step 1
09:43 < CR1T1C4L718> flash router (done)
09:43 < CR1T1C4L718> step 2. install OpenVPN
09:43 < pekster> Yea, I don't care about your OS
09:43 < pekster> Apparently you're "stuck" doing your PKI, but haven't a clue how it works
09:43 < CR1T1C4L718> here
09:43 < CR1T1C4L718> this is where I am stuck
09:44 < CR1T1C4L718> http://youtu.be/cYZAXLgTJsc?t=2m28s
09:44 <@vpnHelper> Title: IST 648 - How to install OpenVPN on DD-WRT - YouTube (at youtu.be)
09:44 < CR1T1C4L718> I am getting an "location not found file not valid" error
09:44 < CR1T1C4L718> on the build-ca
09:45 < pekster> I'm not watching a video
09:45 < pekster> We have a guide, and you apparently don't want to follow it
09:45 < CR1T1C4L718> you dont have to watch the video
09:45 < CR1T1C4L718> I am really trying my best to be calm and paitent
09:45 < CR1T1C4L718> I have read your guid
09:45 < CR1T1C4L718> guide
09:45 < CR1T1C4L718> and followed it
09:45 < pekster> https://community.openvpn.net/openvpn/wiki/EasyRSA
09:45 < CR1T1C4L718> and it does not work
09:45 <@vpnHelper> Title: EasyRSA – OpenVPN Community (at community.openvpn.net)
09:45 < CR1T1C4L718> yes
09:45 < pekster> Pick the easyrsa version you're using and follow the link
09:45 < pekster> Then show me HOW
09:45 < pekster> Honestly, this isn't hard
09:46 < pekster> Did you read the "how to ask questions the smart way" link? Because you're asking very BAD questions
09:46 < CR1T1C4L718> apperently there is a step missing that would more than likely be something taylored tomy situation
09:46 < CR1T1C4L718> and that is just my best guess
09:46 < pekster> Either you're clueless, or you don't really want help. I'm not going to care unless you can provide useful information
09:46 < CR1T1C4L718> there is no such thing as a bad question
09:47 < CR1T1C4L718> I feel like you are just trying to belittle me
09:47 < pekster> http://catb.org/~esr/faqs/smart-questions.html#beprecise
09:47 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
09:47 < CR1T1C4L718> posting a link that I have already been to and told you is not working for me is not helping
09:47 < pekster> I'm trying to get info that will help me help you. If you can't be "bothered" to do that, my time is better spent elsewhere. Best of luck
09:47 < CR1T1C4L718> bye
09:47 < CR1T1C4L718> wow
09:48 < CR1T1C4L718> such a jerk
09:48 < CR1T1C4L718> If I tell you I have tried it and I am getting an error why would you keep telling me to do it again?
09:48 < CR1T1C4L718> that is not helping me to understand it nor figure out what is wrong
09:49 < CR1T1C4L718> clearly no one here is helpful so fuck this shit im out
09:49 -!- CR1T1C4L718 [~Ebony_Ald@c-67-163-118-38.hsd1.va.comcast.net] has left #openvpn []
09:51 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
09:59 -!- Iain_ [~Iain@host81-147-78-70.range81-147.btcentralplus.com] has quit [Ping timeout: 252 seconds]
10:00 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
10:00 -!- Iain_ [~Iain@host31-50-25-215.range31-50.btcentralplus.com] has joined #openvpn
10:05 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
10:05 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:06 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
10:12 -!- able [~able@gateway/tor-sasl/able] has quit [Quit: able]
10:15 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
10:18 < pekster> !learn cmdhelp as If you have problems with a command it's best to show us exactly what you did. Try a !paste of your command history that shows the issue.
10:18 <@vpnHelper> Joo got it.
10:21 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
10:23 -!- brabo [brabo@globalshellz/owner/brabo] has joined #openvpn
10:23 < brabo> hi, i'm trying to help a friend connect to openvpn server.. the issue is that he's behind a proxy that seems to detect the 'CONNECT' and disallows it.. any idea how we can get past this?
10:23 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:24 < pekster> Depends on the proxy and/or IDS at work. Sometimes changing the port works (for bad/crappy "filtering" solutions) otherwise see !obfs for obfuscation options
10:25 < pekster> Or consider a !statickey tunnel, but you give up the benefits of TLS (multiple clients, forward-secrecy, etc)
10:25 < brabo> only outgoing port 80 works
10:25 < brabo> !obfs
10:25 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
10:25 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
10:25 < pekster> Then it's probably not going to work if they run it through a web proxy
10:25 < brabo> !statickey
10:25 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
10:26 < pekster> YMMV, but if you can't send pure UDP (or TCP in tcp modes) packets over the Internet, openvpn can't work
10:26 < pekster> Maybe obfs can obfuscate your traffic "as web traffic", but I don't have much experience with that project
10:26 < brabo> pekster: mmm yeah, we tried proxying over squid, and on m end works perfectly, but on his end not, the proxy on his end blocks it
10:27 < pekster> Yup. Maybe see the --http-proxy option in the manpage, but it's completely up to the proxy what it does with traffic
10:27 < brabo> okay, we'll attempt obfuscating and static-keys
10:27 < brabo> pekster: used that, works fine for me, not for him
10:27 < pekster> If you use obfs you can still do TLS, which is preferred
10:28 < brabo> aha yeah, i'm aware of tls being preferred, thanks for the info, we'll try this out ;)
10:28 < pekster> If you don't see any connect attempt in your server logs, the packets aren't even making it that far. Fix your Internet access (or hack around obpressive filtering) first
10:28 < pekster> opressive*
10:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:36 < brabo> pekster: hmm now he says it's an http proxy which can't do connect..
10:36 < pekster> Then you're hosed. obfs or bust
10:36 < pekster> Or get Internet service, not "web proxy service"
10:37 < pekster> What he has isn't actually Internet access, so using non-web protocols simply won't work.
10:39 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
10:41 < brabo> pekster: yeah it's a hotel free wifi
10:41 < brabo> he's on holidays so
10:43 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:53 -!- joshh20-Away is now known as joshh20
10:59 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
11:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
11:21 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:27 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:42 -!- __FBi [~B@uwantmy.info] has quit [Ping timeout: 248 seconds]
11:42 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
11:52 -!- __FBi [~B@uwantmy.info] has joined #openvpn
11:57 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
12:02 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
12:24 -!- jigen [~MeTA-LAbS@2-224-249-115.ip173.fastwebnet.it] has joined #openvpn
12:24 < jigen> !welcome
12:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:25 < jigen> hi there
12:26 < jigen> anyone up for help building openvpn statically?
12:26 < jigen> I've spent 3 hours with no result
12:26 < jigen> really I can't figure out what's wrong with that
12:27 < jigen> !goal
12:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:35 -!- Eugene [eugene@itvends.com] has quit [Ping timeout: 245 seconds]
12:35 < jigen> I've tried with LDFLAGS=-static -gcc-static, --enable-static, --disable-shared,  but i always obtain a dinamcally linked exec
12:35 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
12:35 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
12:35 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
12:35 < jigen> i'm working on NetBSD, but it should be the same on any *nix
12:36 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
12:39 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:45 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
12:46 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:55 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has joined #openvpn
13:07 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Read error: Operation timed out]
13:10 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
13:11 -!- Eagleman [~Eagleman@546BCD9F.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 272 seconds]
13:15 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
13:28 -!- joshh20 is now known as joshh20-Away
13:39 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
13:41 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
13:42 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
13:43 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
13:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
13:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
13:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:03 -!- fenris_kcf [~fenris@p579E66D6.dip0.t-ipconnect.de] has joined #openvpn
14:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
14:04 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
14:04 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
14:05 < boyscout> !welcome
14:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:05 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
14:06 < boyscout> !goal
14:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:10 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
14:12 -!- fenris_kcf [~fenris@p579E66D6.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
14:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:22 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has left #openvpn []
14:28 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
14:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
14:29 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-74.range86-133.btcentralplus.com] has joined #openvpn
14:31 -!- nortel [~qssl_fnod@qw3rty.org] has joined #openvpn
14:34 -!- nortel [~qssl_fnod@qw3rty.org] has left #openvpn []
14:36 -!- __FBi [~B@uwantmy.info] has quit [Quit: ZNC - http://znc.in]
14:43 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has quit []
14:46 -!- __FBi [B@omg.uwantmy.info] has joined #openvpn
14:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:58 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-74.range86-133.btcentralplus.com] has left #openvpn ["Leaving"]
14:59 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Read error: Connection reset by peer]
15:03 -!- xBytez [~xBytez@2a00:f48:1025:feed:b00b:feed:7ae9:4cde] has joined #openvpn
15:03 -!- xBytez [~xBytez@2a00:f48:1025:feed:b00b:feed:7ae9:4cde] has quit [Changing host]
15:03 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
15:08 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 252 seconds]
15:09 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
15:15 -!- joshh20-Away is now known as joshh20
15:17 -!- rtur [~rtur@212.224.92.143] has quit [Quit: WeeChat 0.4.2]
15:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
15:28 < sailerboy> hey, i'm having trouble with openvpn. the connection seems to cap out at 1 MB/s, even though both sides are able to saturate a 100 mbit connection when the vpn is off. I've tried all the stuff in https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux, but none of it seemed to help. My client is an old netbook with an atom processor, while the server is a VPS with better specs. The load average on both hovers at around
15:28 < sailerboy> .50 when the vpn is in use, and I'm behind a router running dd-wrt on the client side. Any ideas?
15:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
15:28 < sailerboy> even setting the cipher to "none" didn't speed it up
15:30 -!- __H__ [~root@vm1.pappkopp.com] has quit [Quit: Lost terminal]
15:37 -!- Iain_ [~Iain@host31-50-25-215.range31-50.btcentralplus.com] has quit [Ping timeout: 240 seconds]
15:37 < pekster> sailerboy: Nevermind the load average; if you are saturating 1 core that's openvpn capping out at CPU since the process is single-threaded
15:38 < sailerboy> according to htop, i'm not saturating a core
15:38 -!- Iain_ [~Iain@host31-50-25-215.range31-50.btcentralplus.com] has joined #openvpn
15:38 < sailerboy> on either client or server
15:38 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Remote host closed the connection]
15:39 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
15:42 < pekster> htop by default hides helpful info about the CPU unless you explicitly turn it on. Quite frankly, 'top' is better about show things right out of the box
15:42 < pekster> It's a checkbox burried in the setup options IIRC, but it doesn't work well unless you have an extra-wide terminal
15:43 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 245 seconds]
15:43 < pekster> Could be some issue with contexts or interrupts too, especially if you're running the kernel at 100 Hz jiffies
15:44 < sailerboy> pekster, i didn't do anything special with the kernel
15:44 -!- lj [~l@74.120.200.95] has joined #openvpn
15:44 < sailerboy> it's just stock debian kernels
15:46 -!- lj1 [~l@192.241.174.169] has joined #openvpn
15:48 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 240 seconds]
15:49 -!- Iain_ [~Iain@host31-50-25-215.range31-50.btcentralplus.com] has quit [Ping timeout: 272 seconds]
15:49 -!- Iain_ [~Iain@host31-50-25-215.range31-50.btcentralplus.com] has joined #openvpn
15:52 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:04 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
16:08 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
16:10 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
16:12 < pekster> If you determine interrupt frequency is a potential issue, rebuild your kernle with CONFIG_HZ_1000=y instead of the (IIRC) default of 250
16:12 < pekster> Depends a bit on how you're using openvpn too and things like average packet sizes
16:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:17 < _FBi> !kitkat
16:18 < _FBi> !help kitkat
16:18 <@vpnHelper> Error: There is no command "kitkat".
16:18 < _FBi> !winwdns
16:18 < _FBi> doh
16:18 < _FBi> !howto
16:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:18 < _FBi> !android
16:18 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market or (#3) Direct Play link:
16:18 <@vpnHelper> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
16:20 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Quit: ZNC - http://znc.in]
16:21 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
16:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:24 < sailerboy> pekster, how would I determine that?
16:25 < sailerboy> and i primarily use openvpn for torrents, linux distributions and such
16:26 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has quit [Ping timeout: 248 seconds]
16:27 -!- Latrina [~Latrina@adsl-ull-215-206.50-151.net24.it] has joined #openvpn
16:28 < EugeneKay> Ah yes, the vital linux distributions.
16:28 < EugeneKay> Got to have those.
16:28 < Latrina> hello folks.. I need a little help here.. first time setting up an openvpn bridged server
16:28 < Latrina> and upon starting openvpn I get this message
16:28 < Latrina> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server.conf:4: ca
16:28 < EugeneKay> The first to setting up a Bridged server is to stop, because you're doing it wrong
16:28 < EugeneKay> !whybridge
16:28 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
16:28 < EugeneKay> !tunortap
16:28 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
16:28 <@vpnHelper> rooted/jailbroken) support only tun
16:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
16:29 < EugeneKay> pekster - do you know if we have a page/factoid on throughput floating around? I don't know of one
16:29 < Latrina> thanks
16:29 < Latrina> I will give it a read .. however whether I will be going with tap or tun my problem will remain
16:33 < Latrina> an easy question here, if I go with tun "routed" will I be able to access my SMB / AFP / NFS shared drives and machines ?
16:33 -!- EugeneKay is now known as Eugene
16:34 -!- mode/#openvpn [+o Eugene] by ChanServ
16:34 <@Eugene> Depends on what your problem is; that error sounds like a typo in your config file
16:34 <@Eugene> I don't know about AFP, but SMB and NFS work fine via a routed network, yes.
16:34 < Latrina> thanks Eugene
16:35 <@Eugene> You need to set up a non-broadcast-based name resolution scheme(DNS or AD or WINS or such), or just use IPs
16:36 < Latrina> here's my config file if u don't mind taking a quick look at it
16:36 < Latrina> http://pastebin.com/2PNTzfnF
16:37 < Latrina> cool no problem with that
16:38 <@Eugene> Looks correct. How are you invoking it?
16:39 < Latrina> openvpn --config /etc/openvpn/server.conf --up
16:39 <@Eugene> Well, --up is invalid without a script named
16:40 < Latrina> I get the same error even without --up
16:42 <@Eugene> To ask a silly question, does the user invoking openvpn have permissions to read that file
16:42 < Latrina> yes it does
16:45 < _FBi> is anyone using kitkat?
16:46 <@Eugene> Yes.
16:46 < Latrina> I do use kitkat as well
16:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:46 <@Eugene> Latrina - interesting. Could you set --verb 5 and pastebin
16:46 <@Eugene> !logs
16:46 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:46 <@Eugene> Full output, not just the line
16:46 < Latrina> sure thanks Eugene
16:47 < Latrina> seems like it doesn't like --verb 5
16:48 <@Eugene> o.O
16:48 <@Eugene> wtf?
16:48 <@Eugene> Hang on, backpedal a sec. How did you get your openvpn binary?
16:49 <@Eugene> And what does the first line of output from `openvpn --version` say
16:49 < Latrina> compiled it from the OpenWrt buildroot
16:49 < Latrina> should be latest
16:50 < Latrina> OpenVPN 2.3.2 mips-openwrt-linux-gnu [LZO] [EPOLL] [MH] [IPv6] built on Jan 24 2014
16:50 <@Eugene> Ahahaha, you did it yourself?
16:50 < Latrina> ehm yes.. why?
16:51 <@Eugene> IIRC you need --with-pkcs11 or such as a flag
16:52 < Latrina> oh actually I am getting confused
16:52 <@Eugene> My guess? You built it without crypto stuff.
16:52 < Latrina> I have compiled the kmod-tun module
16:52 < Latrina> than installed the openvpn package from the repository
16:52 < Latrina> sorry my bad ..
16:52 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has joined #openvpn
16:52 <@Eugene> Well that isn't the same thing at ALL.
16:52 < Latrina> Yeah I know .. like I said I have gotten confused for a sec
16:53 <@Eugene> Getting "unrecognised option" on --ca is something I've never even heard of. That's just bizarre.
16:53 <@Eugene> But when you build it yourself *cough* Gento USEFLAGS *cough* all bets are off
16:53 < Latrina> so are u trying to say that it's something wrong with the openvpn binary itself ?
16:54 <@Eugene> Sounds like it; I avoid building things from source because it's insanity.
16:54 < Latrina> no I didn't build it.. I only built the kmod-tun module
16:54 <@Eugene> Hm. Interesting.
16:54 < Latrina> than installed the openvpn package from the repo
16:54 <@Eugene> Well, still no clue why --ca would fail like that
16:55 <@Eugene> Try something like `touch foo.crt; openvpn --ca foo.crt`
16:55 <@Eugene> It should throw an error, but not about unrecognized opt
16:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:55 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:57 < Latrina> let me have a look . thanks for now :)
17:04 < pekster> FYI, openDNS is bad
17:04 < pekster> !opendns
17:04 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
17:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
17:33 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds]
17:36 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has joined #openvpn
17:40 -!- jigen [~MeTA-LAbS@2-224-249-115.ip173.fastwebnet.it] has quit [Quit: quit]
17:42 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
17:43 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
17:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:16 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
18:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
18:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
18:42 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
18:42 < _FBi> is anyone using OpenVPN with KitKat?
18:47 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has joined #openvpn
18:50 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
18:53 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds]
18:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 240 seconds]
19:29 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
19:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
19:50 -!- hgax [~hgax@162.243.112.153] has quit [Read error: Operation timed out]
19:52 -!- Latrina [~Latrina@adsl-ull-215-206.50-151.net24.it] has quit [Remote host closed the connection]
19:53 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 260 seconds]
19:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:56 -!- emid [~emid@192.241.162.156] has joined #openvpn
19:56 -!- hgax [~hgax@162.243.112.153] has joined #openvpn
20:07 -!- manne [~fulinlong@218.202.239.238] has joined #openvpn
20:09 < manne> hi .. I have a trouble:
20:13 -!- joshh20 is now known as joshh20-Away
20:15 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Read error: Connection reset by peer]
20:16 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
20:17 < manne> openvpn server ip:
20:17 < manne> eth0: 192.168.23.23/24
20:17 < manne> eth1: 192.168.200.23/24
20:17 < manne> eth2: 10.1.0.23/16
20:17 < manne> (the openvpn sevrer have my static route; just like this:
20:17 < manne> 10.2.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth2
20:17 < manne> 10.3.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth2
20:17 < manne> 10.1.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth2
20:17 < manne> 10.4.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth2 )
20:17 < manne> The clinet assigned ip from openvpn server is 172.16.0.0/16 network
20:17 < manne> now a clinet's  ip is 172.16.160.2
20:17 < manne> whatever I select NAT or Routing in OpenVPN Server's Configure, The clinet always cannot ping 10.1.0.23
20:17 < manne> what should I do ?
20:18 -!- __FBi [B@omg.uwantmy.info] has quit [Quit: ZNC - http://znc.in]
20:18 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has joined #openvpn
20:19 < pekster> What is "select NAT or Routing in OpenVPN Server's Configure" ??
20:19  * pekster can't parse that
20:21 < manne> In VPN setting
20:21 < manne> Should VPN clients have access to private subnets (non-public networks on the server side)?
20:22 -!- schnitzl [~schnitzl@dslb-178-007-138-229.pools.arcor-ip.net] has quit [Read error: Operation timed out]
20:22 < manne> no
20:22 < manne> Yes, using NAT
20:22 < manne> Yes, using routing (advanced)
20:22 < pekster> You're making no sense
20:23 < manne> eh..... So ?
20:24 < pekster> What are you trying to do?
20:24 < pekster> "should" is relative to what you want
20:24 < pekster> !goal
20:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:24 < pekster> If you want to expose the server-side networks (private or not, it doesn't matter) then do it. See: !serverlan if you want that
20:28 < manne> yeah, but I want to the client can access 10.1.0.0/16,  10.2.0.0/16  and so on...
20:28 < manne> the vpn server can access 10.X.0.0/16 subnet . and I hope the clinet can do it
20:28 -!- schnitzl [~schnitzl@dslb-088-067-170-198.pools.arcor-ip.net] has joined #openvpn
20:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
20:32 -!- dextro_ [d@2600:3c01::f03c:91ff:feae:3d2b] has left #openvpn []
20:32 < pekster> Okay, so follow the flowchart
20:33 < pekster> That's !serverlan if you want clients to access server-side LANs, or !clientlan if you want the server (or its LANs) to access LANs behind your client
20:33 < manne> !serverlan
20:33 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
20:33 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
20:35 < manne> Okay.. I try it...  thanks pekster very much  :-*:)
20:35 < manne>  !clientlan
20:36 < manne> !route_outside_openvpn
20:36 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
20:43 < manne> It works..... thank pekster again. ;-)
20:43 -!- dextro_ [d@2600:3c01::f03c:91ff:feae:3d2b] has joined #openvpn
20:43 < dextro_> [6, 10, 14, 18, 22, 26, 30, 34, 38, 42, 46, 50, 54, 58, 62, 66, 70, 74, 78, 82, 86, 90, 94, 98, 102, 106, 110, 114, 118, 122, 126, 130, 134, 138, 142, 146, 150, 154, 158, 162, 166, 170, 174, 178, 182, 186, 190, 194, 198, 202, 206, 210, 214, 218, 222, 226, 230, 234, 238, 242, 246, 250, 254]
20:43 < dextro_> i have read those are the only last octets i can use
20:45 < pekster> Don't use net30
20:45 < pekster> It's old. It's pointless. It's dated
20:45 < pekster> !topology
20:45 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
20:45 < pekster> Read the wiki link and stop using net30
20:45 < dextro_> <3
20:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:55 -!- Cy-Gor [~Brian@cpe-70-124-70-140.austin.res.rr.com] has left #openvpn ["Leaving"]
20:57 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
21:11 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has joined #openvpn
21:14 -!- mchou [~quassel@c-67-180-190-241.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
21:22 -!- booo [~booo__@p54BD82F1.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
21:24 -!- booo [~booo__@p54BD88E5.dip0.t-ipconnect.de] has joined #openvpn
21:28 -!- hgax [~hgax@162.243.112.153] has quit [Ping timeout: 245 seconds]
21:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
21:30 -!- hgax [~hgax@162.243.112.153] has joined #openvpn
21:37 -!- Shikieiki_ [~enma@unaffiliated/shikieiki/x-6321105] has quit [Quit: leaving]
21:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:05 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
22:08 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
22:16 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
22:20 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
22:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
22:49 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
22:49 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
22:53 < dextro_> !paste
22:53 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
22:54 < dextro_> https://gist.github.com/anonymous/22f74b67512ac06f49a7
22:54 <@vpnHelper> Title: gist:22f74b67512ac06f49a7 (at gist.github.com)
22:54 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
22:54 < dextro_> getting those errors now that im trying topology subnet
23:18 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
23:21 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
23:21 -!- mode/#openvpn [+o plaisthos] by ChanServ
23:54 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
23:57 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
23:57 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
--- Day changed Mon Jan 27 2014
00:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:01 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
00:02 -!- esde [~esde@107.150.1.2] has quit [Quit: ZNC - http://znc.in]
00:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
00:05 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
00:44 -!- nrgskill [~nrgskill@bba192820.alshamil.net.ae] has joined #openvpn
00:45 < nrgskill> hi guys, a quick question: I am using Openvpn over pppoe, on pppoe I have MTU 1492 (with 8 bit for PPPoE is 1500), what MTU sould I use for Openvpn?
00:50 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:01 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 265 seconds]
01:02 -!- nrgskill [~nrgskill@bba192820.alshamil.net.ae] has quit [Quit: Leaving]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:06 -!- aji [~alex@atheme/member/aji] has joined #openvpn
01:19 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
01:19 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:21 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
01:22 < nunim> Anyone able to point me to a tutorial or post about using OpenVPN as an IPv6 tunnel?
01:22 < nunim> Everything I've found is pre-official IPv6 support.
01:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:37 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
01:37 -!- kalloc [~kalloc@109.188.125.161] has joined #openvpn
01:42 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
01:46 -!- kalloc [~kalloc@109.188.125.161] has quit [Ping timeout: 252 seconds]
01:49 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
01:53 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Read error: Operation timed out]
02:00 -!- fvalente [~fvalente@ts.node.pt] has quit [Quit: ZNC - http://znc.in]
02:00 < ikrabbe> «nrgskill»: Hey, I found this article about mtu quite helpfull once: http://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
02:00 < ikrabbe> Though its about Gigabit networks you can learn from it, that mtu is about performance on high speed networks. Over pppoe you should choose a stable package size. What's best depends greatly on you line quality, I think.
02:00 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
02:03 < ikrabbe> the worse the line the lower the mtu should be chosen. If you have a very good line you can try with larger mtu s but it won't affect performance much over pppoe, if you have an mtu that is >> the pppoe mtu.
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:06 -!- kalloc_ is now known as kalloc
02:06 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
02:20 -!- Iain_ [~Iain@host31-50-25-215.range31-50.btcentralplus.com] has quit [Read error: Connection reset by peer]
02:31 -!- JackWinter [~jack@vodsl-4669.vo.lu] has quit [Ping timeout: 260 seconds]
02:42 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has quit [Ping timeout: 252 seconds]
02:42 -!- ACKNAK [~poni@79.133.97.154] has quit [Ping timeout: 245 seconds]
02:42 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Read error: Operation timed out]
02:42 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Read error: Operation timed out]
02:42 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
02:42 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
02:42 -!- hgax [~hgax@162.243.112.153] has quit [Read error: Operation timed out]
02:43 -!- Matir [~matir@ubuntu/member/matir] has quit [Read error: Operation timed out]
02:43 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
02:43 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
02:43 -!- hgax [~hgax@162.243.112.153] has joined #openvpn
03:21 -!- dazo_afk is now known as dazo
03:34 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Operation timed out]
03:50 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:01 -!- AsadH- [~AsadH@176.56.230.80] has joined #openvpn
04:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
04:20 -!- rtur [~rtur@212.224.92.143] has joined #openvpn
04:37 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
05:06 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:10 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Quit: leaving]
05:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:56 -!- forbajato [~quassel@h69-21-138-223.cncrtn.dsl.dynamic.tds.net] has joined #openvpn
05:59 -!- Devastatr [~devas@177.18.199.46] has joined #openvpn
06:01 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 272 seconds]
06:16 -!- forbajato [~quassel@h69-21-138-223.cncrtn.dsl.dynamic.tds.net] has quit [Remote host closed the connection]
06:30 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
06:54 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:59 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
07:00 -!- kalloc [~kalloc@151.236.19.161] has joined #openvpn
07:01 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
07:03 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
07:05 -!- adac [~adac@c703-fwngw.uibk.ac.at] has joined #openvpn
07:05 -!- schnitzl [~schnitzl@dslb-088-067-170-198.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
07:05 < adac> is there by default a speed limit set on the openvpn server?
07:06 -!- kalloc [~kalloc@151.236.19.161] has quit [Ping timeout: 240 seconds]
07:06 -!- schnitzl [~schnitzl@dslb-092-074-152-211.pools.arcor-ip.net] has joined #openvpn
07:11 <@ecrist> nope
07:11 <@ecrist> there is no real limit
07:11 <@ecrist> the only limit is determined by your server and client internet connection speeds coupled with each systems ability to encrypt/decrypt the traffic
07:12 < adac> ecrist, kk thanks!
07:14 < adac> ecrist, Me and my budy we are just triyng to connect to each other via vnc server/viewer and it doesn't seem to work for some reasons.
07:15 <@ecrist> no idea what that has to do with VNC
07:28 < adac> ecrist, I thought that might vnc has a troughput error. But I think now that just the adsl lines are to slow probably
07:29 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
07:35 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
07:37 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
07:48 -!- Fohlen [~Fohlen@134.255.220.143] has joined #openvpn
07:48 <@ecrist> adac: my guess is your routing for firewall aren't working correctly
07:50 < Fohlen> anyone knows of a server-side caching module for openvpn? For example something that speeds up watching videos with pre-loading traffic in the cache and sending it to the client (assuming the server has a prefferable bandwith) ?
07:51 < Fohlen> or you think "pre-loading" content to a tunneled server will boost up speed? (again, assuming the server has prefferable bandwith)
07:54 < adac> ecrist, you mean my local firewall?
08:04 < _FBi> dumb question: can you connect to openvpn via ipv6
08:06 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:08 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
08:14 <@ecrist> adac: yes.  or you're trying to connect to the wrong address
08:14 <@ecrist> let's start here: 
08:14 <@ecrist> !goal
08:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:14 -!- schnitzl [~schnitzl@dslb-092-074-152-211.pools.arcor-ip.net] has left #openvpn []
08:18 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
08:18 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
08:20 < Fohlen> anyone knows whar "Enter Management Password" means?
08:20 < Fohlen> Some of my clients just dropped that issue to my, now I have absolutly no clue
08:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
08:22 <@ecrist> see the man page for management interface
08:22 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
08:24 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
08:24 < Fohlen> ecrist, I did send him the config without and I see no reason why it should have been enabled
08:24 < Fohlen> otherwise, how can I disable it? Using OpenVPN Windows GUI
08:26 <@ecrist> the GUI depends on it
08:26 <@ecrist> but it should all be handled automatically
08:26 <@ecrist> !logs
08:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:49 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:54 -!- makara [~makara@41.164.22.218] has joined #openvpn
08:55 < makara> what company produce OpenVPN firewall proxies? (UTM)
08:56 <@plaisthos> UTM is Sophos
08:56 <@plaisthos> previously known as Astaro
09:00 -!- master_o1_master [~master_of@p4FF2441F.dip0.t-ipconnect.de] has joined #openvpn
09:04 -!- master_of_master [~master_of@p4FD7B880.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
09:04 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 272 seconds]
09:05 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Ping timeout: 245 seconds]
09:05 -!- KaiForce_ [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:06 -!- ACKNAK [~poni@79.133.97.154] has quit [Ping timeout: 240 seconds]
09:06 -!- lj [~l@192.241.174.169] has joined #openvpn
09:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:09 -!- KaiForce_ is now known as KaiForce
09:11 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
09:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:23 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:37 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
09:38 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:48 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:48 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
09:48 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:55 -!- vvinothkumar [~vinothkum@122.167.94.67] has joined #openvpn
09:56 -!- User203 [~User@143.87.46.176.dyn.estpak.ee] has joined #openvpn
09:56 -!- User203 [~User@143.87.46.176.dyn.estpak.ee] has quit [Client Quit]
09:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:58 < vvinothkumar> I am setting primary dns and secondary dns through openvpn server user interface. But on dialling openvpn client, none of the clients is getting the dns I set in the user interface. In the openvpn dialling log, "dhcp-option DNS x.x.x.x,dhcp-option DNS 8.8.8.8". But in client machine, the domain name is not resolving.
10:00 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has joined #openvpn
10:01 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
10:03 -!- adac [~adac@c703-fwngw.uibk.ac.at] has quit [Quit: Leaving]
10:06 <@krzee> vvinothkumar, what OS is the client?
10:06 < _FBi> morning krzee
10:07 < _FBi> !windns
10:07 <@krzee> g'mornin
10:07 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
10:07 < vvinothkumar> krzee, saucy
10:07 <@krzee> saucy is a OS?
10:07 < vvinothkumar> krzee, sorry. ubuntu 13.10
10:07 <@krzee> ahh werd
10:07 <@krzee> so are you using the up script?
10:07 <@krzee> !pushdns
10:07 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
10:08 <@krzee> #3 / #4
10:09 < vvinothkumar> krzee, I am newbie to openvpn. I don think so. But I do pass --route-noexec while dialling client connection
10:10 <@krzee> well go do it
10:11 < vvinothkumar> krzee, does the dns from openvpn server will update /etc/resolv.conf or what?
10:11 < vvinothkumar> where can I find the dns from openvpn server?
10:11 <@krzee> the script changes the nameservers on the client, openvpn does not
10:12 <@krzee> but openvpn calls the script if you told it to
10:13 < _FBi> vvinothkumar, check out apt-cache search resolveconf
10:14 < _FBi> vvinothkumar, resolveconf is a manager, not to be confused with resolv.conf
10:14 < _FBi> you can add dns-nameserver to your network interfaces
10:14 < _FBi> /etc/networking/interfaces
10:17 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
10:19 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
10:22 < _FBi> is there a way to limit a users bandwidth, monthly?
10:24 <@krzee> _FBi, just like if it were a lan machine, iptables
10:24 < _FBi> 10-4
10:24 <@krzee> (prolly wanna either store values in a db to count, or be sure to use static ips for the clients
10:24 < _FBi> I don't have set IPs, nor do I monitor those coming in :/
10:25 <@krzee> !static
10:25 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
10:25 <@vpnHelper> also: !addressing
10:26 < _FBi> yea, I don't want static, but it might be the only option
10:26 <@krzee> its not the only option...
10:27 <@krzee> client-connect and client-disconnect? you could lookup the month's data in the DB and then make the rule in the fw when he connects, store the info back into the db upon disconnect
10:27 <@krzee> !script
10:27 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
10:27 <@krzee> !factoids search limit
10:27 <@vpnHelper> "win_tcplimit" is see http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
10:27 <@krzee> !factoids search bw
10:27 <@vpnHelper> No keys matched that query.
10:27 <@krzee> !factoids search bandwidth
10:27 <@vpnHelper> No keys matched that query.
10:27 <@krzee> !factoids search monitor
10:27 <@vpnHelper> No keys matched that query.
10:27 <@krzee> heh
10:27 <@krzee> !qos
10:27 <@krzee> *shrug*
10:28 -!- vvinothkumar [~vinothkum@122.167.94.67] has quit [Read error: Operation timed out]
10:28 < _FBi> heh
10:29 <@krzee> !factoids
10:29 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
10:29 <@krzee> !lartc
10:30 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
10:30 <@krzee> fyi, it is not really openvpn related, you'll want to get help with it in linux channels. i recommend trying to play with it manually then making the script after you have it figured out
10:31 <@krzee> note, you can make things easier on yourself by using static ips for clients
10:39 < _FBi> sounds like it, yea.  Thanks kraut
10:39 < _FBi> ...
10:39 < _FBi> krzee,
10:39 < _FBi> same krzee from Aircrack years ago?
10:39 <@krzee> yep =]
10:40 <@krzee> i thought i recognized ya!
10:40 -!- mode/#openvpn [+v _FBi] by krzee
10:40 <+_FBi> haha, how goes it?
10:40 <@krzee> good man, you
10:40 <@krzee> ?
10:40 <+_FBi> life is god
10:40 <+_FBi> ...
10:40 <+_FBi> good
10:40 <+_FBi> I suck at morning, fyi
10:41 <+_FBi> I'm off work today, paid to stay home because all the roads are closed
10:41 <+_FBi> where's life got you now?
10:48 -!- toastedpenguin1 [~David_Chr@99-128-202-69.lightspeed.okpkil.sbcglobal.net] has quit [Read error: Connection reset by peer]
10:48 <@krzee> right now im visiting california
10:48 <@krzee> getting ready to check out asia
10:59 <+_FBi> fyi, california isn't in any part of asia :)
11:00 <@krzee> yep, thats why inm getting ready to check it out
11:00 <@krzee> if it was in cali ild already be there =]
11:09 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:09 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
11:16 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:30 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:33 -!- Fohlen [~Fohlen@134.255.220.143] has left #openvpn []
11:45 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
11:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
11:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:53 < dextro_> https://gist.github.com/anonymous/22f74b67512ac06f49a7
11:53 < dextro_> getting those errors now that im trying topology subnet
11:53 <@vpnHelper> Title: gist:22f74b67512ac06f49a7 (at gist.github.com)
12:10 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:11 -!- able [~able@gateway/tor-sasl/able] has joined #openvpn
12:12 -!- able [~able@gateway/tor-sasl/able] has quit [Remote host closed the connection]
12:21 -!- conroe [~ro@46.246.47.192] has joined #openvpn
12:23 -!- joshh20-Away is now known as joshh20
12:24 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has quit [Ping timeout: 252 seconds]
12:24 < pekster> dextro_: That's usually from mis-matched encryption or compression settings
12:24 < pekster> You didn't include your !configs with that
12:24 < pekster> And that's an incomplete log
12:24 < pekster> !logs
12:24 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:24 -!- Rallias [~Rallias@unaffiliated/gasseus] has quit [Quit: ZNC - http://znc.in]
12:25 < pekster> But do check your compression/encryption settings for issues (that includes any --tls-auth)
12:25 -!- Rallias [~Rallias@unaffiliated/gasseus] has joined #openvpn
12:28 -!- conroe [~ro@46.246.47.192] has quit [Quit: conroe]
12:31 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
12:35 -!- julius_ [~julius_@141.41.92.61] has left #openvpn ["Verlassend"]
12:48 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:52 -!- dazo is now known as dazo_afk
13:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:13 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
13:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:26 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:33 -!- swenr [~swenr@d54c298cb.access.telenet.be] has joined #openvpn
13:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:34 < swenr> hello OpenVPN group. I'm testing OpenVPN. the client is getting an tun IP but the ping to the tun-server-ip isn"t working. the routes are pushed ed. But something isn't working. I don't find something in the logs that can help me. SOmeone an idea?
13:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:51 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
13:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
14:00 -!- swenr [~swenr@d54c298cb.access.telenet.be] has quit [Ping timeout: 245 seconds]
14:01 -!- swenr [~swenr@d54C298CB.access.telenet.be] has joined #openvpn
14:07 -!- joshh20 is now known as joshh20-Away
14:07 -!- swenr [~swenr@d54C298CB.access.telenet.be] has quit [Ping timeout: 248 seconds]
14:09 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
14:14 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
14:22 -!- klaxa [~klaxa@klaxa.eu] has quit [Quit: May Luna watch over me.]
14:22 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
14:24 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 252 seconds]
14:27 -!- kalloc_ [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
14:28 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
14:30 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has quit [Read error: Connection reset by peer]
14:31 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
14:33 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 248 seconds]
14:37 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has joined #openvpn
14:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:46 -!- exa [~exa@unaffiliated/exa] has quit [Quit: exa]
14:50 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
14:55 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
14:57 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
15:05 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
15:25 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has joined #openvpn
15:25 -!- joshh20-Away is now known as joshh20
15:25 < pr0t> is there anything wrong with using a verified issue certificate with openvpn say one issued from verisign?
15:28 < pr0t> I like in the topic how "Your problem is probably firewall, Really", is followed by "Not a native English speak? say so!"
15:28 < pr0t> I don't think the person who set the topic was a native English speaker (or typer) :)
15:28 < phreakocious> pr0t: the certificate verification is making sure that the client key was signed by your CA
15:29 < pr0t> ahh
15:29 < pr0t> so that be a no
15:29 < phreakocious> pretty sure that makes it a no
15:29 < pr0t> Yes, it does.
15:29 < pr0t> thank you :)
15:29 < phreakocious> np
15:29 < pr0t> One more question, are you as sexy as your name sounds?
15:30 < phreakocious> client certificate, rather
15:30 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 245 seconds]
15:30 < phreakocious> lol
15:30 < pr0t> I'll take that as a no as well
15:30 < pr0t> Thank you for your time and the help
15:30 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has quit [Quit: Ex-Chat]
15:32 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Remote host closed the connection]
15:33 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
15:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
15:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:33 -!- mode/#openvpn [+v s7r] by ChanServ
15:34 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
15:35 -!- expert [~expert@unaffiliated/expert] has joined #openvpn
15:36 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:50 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:51 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
16:12 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
16:20 -!- expert [~expert@unaffiliated/expert] has left #openvpn ["Leaving"]
16:23 -!- swenr [~swenr@d54C298CB.access.telenet.be] has joined #openvpn
16:25 < swenr> hey, is it possible having openvpn to function without a firewall?
16:26 < pekster> Sure, why not
16:28 < swenr> that's what I though also, but on Internet I read a lot about firewall that is FORWARDing the packages, but if forwarding=1 and the routing table is OK. Forwarding is normally working. But you confirmed this. Thanks. So my problem is not the FireWall. THANKS.
16:28 < pekster> Firewalling a routing are separate (but related) concepts
16:28 < pekster> You ought to understand both fairly well before you'll have much lick with openvpn
16:29 < swenr> I have this:
16:31 < swenr> copy past not working :-(
16:36 < swenr> is it possible to "send"/"upload" .png files?
16:41 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:48 < pekster> !factoids search image
16:48 <@vpnHelper> No keys matched that query.
16:48 < pekster> !factoids search photo
16:48 <@vpnHelper> No keys matched that query.
16:49 < pekster> Any of "the usual" sites that take them. But since openvpn is a command-line program, isn't a pastebin sufficient?
16:49 < swenr> http://www.2shared.com/photo/wBBUZDgC/VPN-server.html the server routing table
16:49 <@vpnHelper> Title: VPN-server.png download - 2shared (at www.2shared.com)
16:49 < swenr> http://www.2shared.com/photo/J3ylkT9r/VPN-client.html the client routing table
16:49 <@vpnHelper> Title: VPN-client.png download - 2shared (at www.2shared.com)
16:50 < pekster> You might want to learn to use ssh in the future
16:52 < reiffert> ssh comes with a excellent vpn features
16:53 < swenr> Indeed ssh is great, but I need to use vpn for this solution.
16:53 < pekster> And that's the sound of the point being missed
16:53 < reiffert> again, ssh comes with vpn solutions
16:53 < pekster> No, ssh has a crummy "bolt-on" VPN additon
16:53 < pekster> It's not a VPN, but packet-transport-over-ssh (something quite different)
16:54 < reiffert> I like it.
16:54 < pekster> swenr: 1) start ssh. 2) connect to ssh. 3) you have copy/paste support
16:54 < pekster> THis can't be that complicated
16:54 < pekster> !new
16:54 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
16:54 < pekster> Try the /TOPIC and !configs, !logs, and !paste for starters. Probably !goal too
16:55 < swenr> ok thanks.
16:55 < swenr> !welcome
16:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:55 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:56 < swenr> !route
16:56 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
16:58 < swenr> !config
16:58 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
16:59 < pekster> !configs
16:59 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:59 < pekster> You want that
16:59 <@Eugene> I want candy
17:00 < swenr> !configs
17:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:00 < pekster> And I'd love for allocated address not to be used. 20/8 is _NOT_ available for public (or private) consumption
17:00 < pekster> But hey, they're only standards
17:03 < swenr> !logs
17:03 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:11 < swenr> !factoids
17:11 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
17:20 < swenr> !wiki
17:20 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
17:22 < swenr> !tcpip
17:22 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
17:23 < swenr> !clientlan
17:23 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
17:23 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:24 < swenr> !route
17:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
17:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 272 seconds]
17:39 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
17:40 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:42 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
17:43 < swenr> thanks pekster
17:44 -!- swenr [~swenr@d54C298CB.access.telenet.be] has quit [Remote host closed the connection]
17:46 -!- he1kki_ [~heikki@border.bitcoinia.net] has joined #openvpn
17:47 -!- master_of_master [~master_of@p4FF2441F.dip0.t-ipconnect.de] has joined #openvpn
17:48 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
17:48 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
17:48 -!- fallout [~fallout@unaffiliated/fallout] has quit [Ping timeout: 272 seconds]
17:48 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 272 seconds]
17:48 -!- exa [~exa@unaffiliated/exa] has quit [Ping timeout: 272 seconds]
17:48 -!- he1kki [~heikki@border.bitcoinia.net] has quit [Ping timeout: 272 seconds]
17:48 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 272 seconds]
17:48 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 272 seconds]
17:48 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
17:48 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 272 seconds]
17:48 -!- eliasp_ [~quassel@134.3.243.224] has joined #openvpn
17:48 -!- master_o1_master [~master_of@p4FF2441F.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
17:48 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 272 seconds]
17:48 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
17:48 -!- klein_ [~klein@177.101.109.161] has joined #openvpn
17:48 -!- _KaszpiR__ [~kaszpir@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 272 seconds]
17:48 -!- klein_ [~klein@177.101.109.161] has quit [Changing host]
17:48 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
17:49 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
17:49 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
17:49 -!- klaxa [~klaxa@klaxa.eu] has quit [Ping timeout: 272 seconds]
17:49 -!- psycheye [~psycheye@93.49.16.11] has quit [Ping timeout: 272 seconds]
17:49 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
17:50 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
17:50 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
17:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:50 -!- _KaszpiR__ [~kaszpir@unaffiliated/kaszpir/x-3157048] has joined #openvpn
17:51 -!- fallout [~fallout@unaffiliated/fallout] has joined #openvpn
17:53 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 264 seconds]
18:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:23 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
18:24 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Ping timeout: 620 seconds]
18:24 -!- joshh20 is now known as joshh20-Away
18:25 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
18:28 -!- schultza [~quassel@ut1.rcherbals.com] has joined #openvpn
18:28 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 264 seconds]
18:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 265 seconds]
18:31 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
18:37 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has joined #openvpn
18:49 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Operation timed out]
18:54 -!- schultza [~quassel@ut1.rcherbals.com] has quit [Read error: Connection reset by peer]
18:59 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
19:03 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: leaving]
19:03 -!- crus [~crusader@2001:44b8:319e:2900:9840:5142:6522:6fe3] has joined #openvpn
19:08 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has quit [Ping timeout: 252 seconds]
19:28 -!- manne [~fulinlong@218.202.239.238] has left #openvpn []
19:39 -!- Devastatr [~devas@177.18.199.46] has quit [Changing host]
19:39 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
19:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:40 -!- Devastatr is now known as Devastator
19:48 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
19:49 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
20:11 -!- klein_ [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
20:11 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
20:16 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 240 seconds]
20:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
20:25 -!- lj [~l@192.241.174.169] has joined #openvpn
20:54 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:05 < joevandyk> is it common to host an internal dns server on the vpn server? i'm switching from using an external dns and connecting to servers directly to connecting via a vpn and connecting to the internal ip addresses. but i'd need to setup another dns server for the internal ip addresses, right?
21:06 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:18 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.1]
21:22 -!- booo [~booo__@p54BD88E5.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
21:23 -!- dradec [~dradec@unaffiliated/dradec] has joined #openvpn
21:24 -!- booo [~booo__@p54BD845C.dip0.t-ipconnect.de] has joined #openvpn
21:30 -!- dradec [~dradec@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
21:30 -!- dradec [~dradec@unaffiliated/dradec] has joined #openvpn
21:52 < dextro_> !logfile
21:52 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
21:54 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
22:00 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
22:01 < dextro_> https://gist.github.com/anonymous/2e324fd67f034b6ed274
22:01 <@vpnHelper> Title: client (at gist.github.com)
22:02 < dextro_> configs and logfiles for my "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" issue
22:04 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 248 seconds]
23:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:48 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
23:53 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 252 seconds]
--- Day changed Tue Jan 28 2014
00:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
00:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:25 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:43 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:49 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
00:54 -!- vvinothkumar [~vinothkum@122.167.94.67] has joined #openvpn
00:58 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
01:08 -!- mattock_afk is now known as mattock
01:13 -!- NoobSaibot [~NoobSaibo@cpe-65-25-238-185.new.res.rr.com] has joined #openvpn
01:13 < NoobSaibot> !welcome
01:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:14 < NoobSaibot> !goal
01:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:20 < NoobSaibot> I want to reach the network behind a remote site running a pfSense firewall and OpenVPN. This would be a site-to-site or network-to-network link I've tried both the newest 64 and 32-bit versions on a Win7 x64 machine.
01:21 < NoobSaibot> I'm receiving what looks like a DHCP error, the offered IP address won't stick to the TAP interface.
01:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:21 < NoobSaibot> Tue Jan 28 01:20:12 2014 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0FAA4C8E-231A-4B4F-831D-DAFCF9D568AD}.tap
01:21 < NoobSaibot> Tue Jan 28 01:20:12 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.37.5.6/255.255.255.252 on interface {0FAA4C8E-231A-4B4F-831D-DAFCF9D568AD} [DHCP-serv: 10.37.5.5, lease-time: 31536000]
01:21 < NoobSaibot> Tue Jan 28 01:20:12 2014 Successful ARP Flush on interface [21] {0FAA4C8E-231A-4B4F-831D-DAFCF9D568AD}
01:21 < NoobSaibot> Tue Jan 28 01:20:47 2014 Warning: route gateway is not reachable on any active network adapters: 10.37.5.5
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014 SYSTEM ADAPTER LIST
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014 TAP-Windows Adapter V9
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   Index = 21
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   GUID = {0FAA4C8E-231A-4B4F-831D-DAFCF9D568AD}
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   IP = 169.254.153.152/255.255.0.0
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   MAC = 00:ff:0f:aa:4c:8e
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   GATEWAY = 0.0.0.0/255.255.255.255
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   DHCP SERV = 0.0.0.0/255.255.255.255
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   DHCP LEASE OBTAINED = Tue Jan 28 01:20:47 2014
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   DHCP LEASE EXPIRES  = Tue Jan 28 01:20:47 2014
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014   DNS SERV =
01:22 < NoobSaibot> Tue Jan 28 01:20:47 2014 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
01:22 <@vpnHelper> Title: FAQ Community Software (at openvpn.net)
01:23 < NoobSaibot> I've visited the link but it's either troubleshooting for XP, or I have already tried it.
01:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:28 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
01:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:34 < NoobSaibot> And I"m sorry, I'm doing a single client connecting to a remote LAN, not a LAN-to-LAN or site-to-site.
01:36 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
01:41 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
01:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
01:50 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has joined #openvpn
01:51 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
01:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:52 < NoobSaibot> After automatic configuration, the TAP interface reports no packets being received. If I assign the /30 IP to the TAP interface, I can ping it. But I cannot ping the ovpn gateway/other end of the /32.
01:53 < NoobSaibot> And, the TAP interface shows packets being received after I manually assign the /30 IP.
01:55 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:58 -!- ACKNAK [~poni@79.133.97.154] has quit [Ping timeout: 240 seconds]
02:00 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Quit: mirco]
02:01 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
02:01 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
02:09 -!- kubbing [~kubbing@ip-89-176-242-54.net.upcbroadband.cz] has quit [Remote host closed the connection]
02:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
02:13 -!- levifig [~levifig@hakr.io] has quit [Read error: Operation timed out]
02:16 -!- levifig [~levifig@hakr.io] has joined #openvpn
02:16 -!- Serano [~serano@rooty.be] has quit [Read error: Operation timed out]
02:16 -!- Serano [~serano@rooty.be] has joined #openvpn
02:17 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
02:17 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Read error: Operation timed out]
02:18 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
02:18 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
02:19 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Read error: Operation timed out]
02:19 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
02:19 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Read error: Operation timed out]
02:20 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
02:20 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 265 seconds]
02:21 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
02:40 -!- kubbing [~kubbing@gprs27.vodafone.cz] has joined #openvpn
02:46 -!- kubbing [~kubbing@gprs27.vodafone.cz] has quit [Read error: Connection reset by peer]
02:51 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
03:06 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
03:11 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
03:14 -!- APTX [~APTX@unaffiliated/aptx] has quit [Client Quit]
03:18 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:25 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
03:26 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
03:28 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
03:32 -!- APTX [~APTX@unaffiliated/aptx] has quit [Client Quit]
03:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
03:40 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
03:42 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
03:45 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
03:49 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
04:04 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
04:35 -!- dazo_afk is now known as dazo
04:47 -!- kalloc_ is now known as kalloc
04:51 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
04:55 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
05:00 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
05:01 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
05:09 -!- dradec [~dradec@unaffiliated/dradec] has quit [Ping timeout: 248 seconds]
05:10 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
--- Log closed Tue Jan 28 05:31:03 2014
--- Log opened Tue Jan 28 05:31:22 2014
05:31 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn
05:31 -!- Irssi: #openvpn: Total of 236 nicks [8 ops, 0 halfops, 4 voices, 224 normal]
05:31 -!- mode/#openvpn [+o ecrist_] by ChanServ
05:31 -!- Irssi: Join to #openvpn was synced in 42 secs
05:33 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Read error: Connection reset by peer]
05:40 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Remote host closed the connection]
05:42 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
06:21 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:21 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
06:36 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
06:41 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
06:41 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
06:46 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
06:46 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 245 seconds]
06:52 -!- drew442 [dce9112b@gateway/web/cgi-irc/kiwiirc.com/ip.220.233.17.43] has joined #openvpn
06:56 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
07:11 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:20 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
07:42 -!- lj [~l@192.241.174.169] has joined #openvpn
08:01 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
08:06 -!- vvinothkumar [~vinothkum@122.167.94.67] has quit [Read error: Connection reset by peer]
08:06 -!- lj1 [~l@192.241.174.169] has joined #openvpn
08:06 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 272 seconds]
08:08 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
08:08 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
08:12 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
08:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
08:42 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
08:42 -!- kisom [~kisom@kisom.thr.kth.se] has quit [Ping timeout: 246 seconds]
08:46 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
08:47 -!- drew442 [dce9112b@gateway/web/cgi-irc/kiwiirc.com/ip.220.233.17.43] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
08:49 -!- NoobSaibot [~NoobSaibo@cpe-65-25-238-185.new.res.rr.com] has quit [Ping timeout: 260 seconds]
08:51 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
08:59 -!- master_o1_master [~master_of@p4FF24B95.dip0.t-ipconnect.de] has joined #openvpn
09:02 -!- ACKNAK [~poni@79.133.97.154] has joined #openvpn
09:02 -!- master_of_master [~master_of@p4FF2441F.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
09:04 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
09:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
09:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:22 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
09:25 -!- ACKNAK [~poni@79.133.97.154] has quit [Quit: Leaving]
09:26 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
09:35 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 265 seconds]
09:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:55 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
10:00 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
10:01 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has joined #openvpn
10:10 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
10:26 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 246 seconds]
10:32 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:34 -!- levifig [~levifig@hakr.io] has left #openvpn ["444 Server returns no information and closes the connection"]
10:35 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
10:43 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
10:44 -!- Mayumi [~ircuser@unaffiliated/mayumi] has joined #openvpn
10:45 < Mayumi> um, from the client side does anyone know how to override DNS settings?
10:45 < Mayumi> i dont want the ones assigned to me
10:45 < Mayumi> (upon connecting)
10:45 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
10:46 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
11:05 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
11:07 <@ecrist_> --no-pull
11:07 -!- You're now known as ecrist
11:09 < Mayumi> won't that disable the routes that i need
11:13 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:13 <@ecrist> yup, but you can manually add those back in
11:14 <@ecrist> and it's --route-nopull, not --no-pull
11:15 < Mayumi> i know the routes, byt i have no idea how to add them back in.
11:15 <@ecrist> add each one to your client config as:
11:15 <@ecrist> route "a.b.c.d gateway"
11:15 < Mayumi> that seems easy
11:16 < Mayumi> can i put the route no pull in the client config also?
11:16 <@ecrist> that's where it goes
11:16 <@ecrist> or on the command line
11:16 < Mayumi> ok
11:16 < Mayumi> im using the openvpn gui for windows and it lets you edit the client config
11:16 < Mayumi> no command line arguments though
11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
11:19 -!- takamichi [~takamichi@83.170.117.176] has joined #openvpn
11:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
11:21 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
11:40 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
11:44 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Quit: Computer has gone to sleep.]
11:48 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
11:52 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
11:57 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has joined #openvpn
11:57 -!- dazo is now known as dazo_afk
11:59 -!- takamichi [~takamichi@83.170.117.176] has quit [Ping timeout: 252 seconds]
12:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
12:12 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 245 seconds]
12:14 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
12:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:20 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has quit [Changing host]
12:20 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
12:40 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 245 seconds]
12:42 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
12:51 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
12:51 -!- ngharo [~ngharo@2001:1af8:4400:a049::1337:fa6] has quit [Ping timeout: 245 seconds]
12:52 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
12:52 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
12:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
12:53 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
12:53 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
12:53 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 260 seconds]
12:57 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
12:57 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
13:03 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
13:03 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
13:04 -!- CatKiller [~catkiller@unaffiliated/catkiller] has joined #openvpn
13:04 < CatKiller> Hi there! I've got a small question: Let's say I've got two OpenVPN servers with different users in each
13:04 < CatKiller> I've got a single CA certificate who signed users of both VPN servers
13:05 < CatKiller> is there a way to restrict access on one to users of the other vpn server?
13:05 < CatKiller> maybe by not only verifying that the certificate is valid but that it was issued for the "correct" VPN server?
13:05 < CatKiller> Maybe the VPN server's DNS or something
13:06 < CatKiller> does that make sense?
13:07 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Remote host closed the connection]
13:07 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
13:07 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
13:08 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
13:10 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Read error: Operation timed out]
13:14 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:15 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:15 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Write error: Connection reset by peer]
13:15 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
13:16 -!- pgib [~pgib@76.18.186.63] has joined #openvpn
13:16 -!- pgib [~pgib@76.18.186.63] has quit [Changing host]
13:16 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
13:21 -!- ultra [~ed@unaffiliated/ultra] has quit [Remote host closed the connection]
13:25 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
13:25 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:38 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 245 seconds]
13:45 <@ecrist> CatKiller: you can require the presence of a ccd file to allow logins to one server
13:46 <@ecrist> the file can be empty, but the openvpn server will deny access to anyone without a ccd file
14:10 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:27 -!- joshh20-Away is now known as joshh20
14:38 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
14:38 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
14:39 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
14:43 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 272 seconds]
14:47 < joevandyk> if i have a laptop and desktop, can they both use the same cert to connect to openvpn at the same time?
14:47 < joevandyk> or do i need to have one per machine?
14:47 < joevandyk> i seem to get disconnected once the second one connects
14:47 < phreakocious> there is an option you can enable to allow both to be connected
14:47 < phreakocious> which it mentions in the openvpn.log on the server
14:49 < joevandyk> phreakocious: any clue to what option i want? the log doesn't seem helpful
14:50 < phreakocious> "Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect."
14:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:14 -!- mattock is now known as mattock_afk
15:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:18 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
15:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:44 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
15:44 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:49 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
16:00 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
16:00 -!- klein_ [~klein@177.101.109.161] has joined #openvpn
16:01 -!- klein_ [~klein@177.101.109.161] has quit [Changing host]
16:01 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
16:01 < joevandyk> do people usually use one cert per device?
16:02 < joevandyk> phreakocious: do you know if that option can be specified in the config file? or does it have to specified as a command-line argument?
16:02 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
16:03 < reiffert> one cert per device.
16:04 < reiffert> --foo is indicating an argument usually just "foo" in the config file
16:04 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
16:04 < genericpersona> www.google.com
16:04 < genericpersona> http://www.google.com
16:04 <@vpnHelper> Title: Google (at www.google.com)
16:04 < reiffert> !g 2+3
16:04 < reiffert> !help google
16:04 <@vpnHelper> (google <search> [--{filter,language} <value>]) -- Searches google.com for the given string. As many results as can fit are included. --language accepts a language abbreviation; --filter accepts a filtering level ('active', 'moderate', 'off').
16:05 < reiffert> !google 3+2
16:05 <@vpnHelper> 3/2 Applicants - Caltech Caltech Undergraduate Admissions: <https://www.admissions.caltech.edu/applying/32>; 3+2 (band) - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/3%2B2_(band)>; 3-2-5 - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/3-2-5>
16:05 < reiffert> !google calc 3+2
16:05 <@vpnHelper> Google's calculator didn't come up with anything.
16:05 < genericpersona> reiffert: i'm thinking about making a url bot and i wondered if vpnHelper parsed URLs w/o an explicit http://
16:06 < reiffert> genericpersona: "",no
16:06 < genericpersona> is vpnHelper a completely custom bot or is it based on any of the well known ones, e.g., supybot?
16:07 < reiffert> ecrist knows
16:08 < genericpersona> word
16:12 -!- drew442 [cb595a64@gateway/web/cgi-irc/kiwiirc.com/ip.203.89.90.100] has joined #openvpn
16:12 -!- drew442 [cb595a64@gateway/web/cgi-irc/kiwiirc.com/ip.203.89.90.100] has quit [Client Quit]
16:12 <+rob0> !version
16:12 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1.  The newest version available online is 0.83.4.1.
16:16 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has quit [Ping timeout: 240 seconds]
16:17 < reiffert> enough for coming back with a hacker attack?
16:18 -!- dradec [~dradec@unaffiliated/dradec] has joined #openvpn
16:44 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
17:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
17:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
17:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 272 seconds]
18:03 -!- dradec [~dradec@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
18:11 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:16 -!- klein_ [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
18:30 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has joined #openvpn
18:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:35 < pr0t> So, I setup openvpn servers before and no problems, but this time I can't figure out what's wrong, when I connect my client to the server all goes fine, but when I attempt to ping ips or connect to services via the openvpn I get nothing
18:35 < pr0t> here is my config - http://pastebin.com/G2cXineD
18:36 < pr0t> I checked firewalls, port forwarding, made sure the routes are there, basically everything
18:36 < pr0t> not sure what's going on here
18:40 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 252 seconds]
18:42 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
18:43 < pekster> No !goal, no client configs, no logs. Tough to say
18:43 < pr0t> gah sorry
18:43 < pr0t> well my goal is obvious, there are no logs
18:43 < pr0t> but i can provide the client config
18:46 < pr0t> http://pastebin.com/wJs7R12d that is my client config
18:47 < pr0t> there aren't any logs but I can give you output from the client and tcpdumps if you'd like
18:50 < pekster> Then go get logs
18:50 < pekster> !logfile
18:50 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
18:51 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
19:10 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
19:25 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
19:26 < pr0t> so the log just shows the connection and that it was successful
19:26 < pr0t> not really anything else after that
19:27 < pr0t> pekster so i started the daemon with the log-append
19:28 < pr0t> I see the handshake and the certificate exchange and all that goodness then it pushes the route
19:28 < pr0t> am I looking for anything else?
19:31 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
19:32 < pekster> "push" in a client config makes no sense
19:32 < pekster> 192.168.1.0/24 is a horrible choice for your server-side network unless you can gaurantee that all clients will never connect from that (it's the single most common RFC1918 LAN)
19:33 < pekster> You really don't want persist-tun as a client
19:33 < pekster> You probably don't want persist-key either, but that's your call
19:34 < pekster> max-clients 150 is valid, but pointless since you're operating in net30 topology (the default) which only allows up to 63 clients. Consider removing that directive, and probably using subnet topology. Read the wiki link in !topology
19:34 < pekster> Finally, for server-side LANs, read/follow the info (and most helpful flowchart) in !serverlan
19:37 < pr0t> those are all great tips, and I really do appreciate the info
19:37 < pr0t> but none of those tips will not break or fix the issue I am having...
19:37 < pr0t> s/not//
19:37 < pr0t> :P
19:38 < pr0t> in other words everything you mentioned has absolutely nothing to do with my problem
19:41 < pekster> Then you've done a bad idea describing your needs
19:41 < pekster> In fact you didn't do that at all
19:41 < pekster> !serverlan
19:41 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
19:41 < pekster> !topology
19:41 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
19:41 < pekster> !new
19:41 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
19:41 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
19:41 < pekster> !welcome
19:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:41 < pekster> Try that
19:41 < pekster> (which the /TOPIC should really have encouraged you to do anyway)
19:41 < pekster> If you're still stuck, I haven't seen your:
19:41 < pekster> !logs
19:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:41 < pekster> Or:
19:41 < pekster> !goal
19:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:41 < pekster> Try that
19:43 < pekster> Remove --mute for posted logs too, in addition to the info !logs has
19:43 -!- blarghlarghl [michael@efnet.math.uwaterloo.ca] has left #openvpn []
19:50 < pr0t> okay sure
19:50 < pr0t> ill try that and my goal is to have openvpn function :)
19:50 < pr0t> and I did describe my issue.
19:50 < pr0t> maybe you overlooked it
19:54 < pekster> "ping ips" isn't a de-fact function of openvpn
19:54 < pekster> OpenVPN can function just fine accessing a _single_ IP of the peer
19:54 < pr0t> read the rest
19:55 < pr0t> I just didn't say "ping ips"
19:57 < pekster> 18:35:40 < pr0t> [..] but when I attempt to ping ips or connect to services via the openvpn I get nothing
19:57 < pekster> If you can't be bothered to describe your goal, I can't be bothered to help. Best of luck
19:58 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:58 < pr0t> understood
19:58 < pr0t> my goal is to be able to access the network that the vpn service is providing
19:58 < pr0t> is that a good goal?
20:00 < pekster> Yes, and that's much more than having openvpn "function"
20:01 < pekster> (some people really just want a PtP link)
20:01 < pekster> You want:
20:01 < pekster> !serverlan
20:01 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
20:01 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
20:01 < pekster> The flowchart is what you should start with, provided you have "basic" connectivity working. That is in fact the first flowchart box
20:04 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Quit: ZNC - http://znc.in]
20:04 < pr0t> you are awesome!
20:04 < pr0t> that flow chart is EXACTLY what I needed, thank you
20:04 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
20:04 -!- joshh20-Away is now known as joshh20
20:04 < pr0t> even if you were a tad bit douchey about the entire thing
20:05 < pekster> I gave you that reference 30 minutes ago
20:05 < pekster> !read
20:05 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
20:06 < pr0t> hey I did say a tad bit, just like you're being right now :)
20:06 < pekster> Rudeness isn't intended: it's a perceived side-effect of how IRC works: http://catb.org/~esr/faqs/smart-questions.html#keepcool
20:06 < pr0t> maybe you guys need a
20:06 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
20:06 < pr0t> !douchey
20:06 < pekster> And yes, that's par for the course
20:06 < pr0t> that may help :)
20:06 < pekster> !learn douchey as http://catb.org/~esr/faqs/smart-questions.html#keepcool
20:06 <@vpnHelper> Joo got it.
20:07 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:07 < pekster> Done. Next?
20:07 < pr0t> !douchy
20:07 < pr0t> !douchey
20:07 <@vpnHelper> "douchey" is http://catb.org/~esr/faqs/smart-questions.html#keepcool
20:07 < pekster> !learn douchy as [douchey]
20:07 <@vpnHelper> Joo got it.
20:07 < pr0t> lol
20:07 < pr0t> OK, you're awesome in my book :)
20:07 < pr0t> Thank you again sir.
20:07 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has quit [Quit: Ex-Chat]
20:11 -!- klein_ [~klein@177.101.109.161] has joined #openvpn
20:11 -!- klein_ [~klein@177.101.109.161] has quit [Changing host]
20:11 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
20:12 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
20:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 245 seconds]
20:24 -!- joshh20 is now known as joshh20-Away
20:30 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:32 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
20:37 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
20:38 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
20:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:09 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 245 seconds]
21:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:17 -!- Leonassan [4c7a0894@vivo/development/Leonassan] has joined #openvpn
21:17 -!- Leonassan was kicked from #openvpn by ChanServ [Banned: No web users.  You're dirty.]
21:18 -!- Leonassan [~Leonassan@vivo/development/Leonassan] has joined #openvpn
21:18 -!- booo [~booo__@p54BD845C.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:19 < Leonassan> Good evening. My openvpn server seems to be ignoring iroute directives in the client configuration directives and is pushing out inappropriate routes.
21:26 -!- booo [~booo__@p54BD8951.dip0.t-ipconnect.de] has joined #openvpn
21:28 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
21:28 < pekster> iroute is for servers in ccd files, not clients. Perhaps I mis-read your statement, so do you have a pastebin of your server configs including the ccd files?
21:30 < Leonassan> I can create one, and the iroute entries are in the /ccd/<client> files on the server.
21:30 < Leonassan> !paste
21:30 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
21:33 < Leonassan> http://pastebin.com/dDpD5Qhx
21:34 < Leonassan> With that config when the client connects it gets a route for 10.0.1.0/24 via 10.10.0.1 dev tun0, which as far as I understand it shouldn't be.
21:44 < pekster> Then your CN doesn't match the ccd filename
21:44 < Leonassan> How can I check that? Because it auto-created the ccd file
21:44 < pekster> It's case-sensitive and must match, _exactly_ , your X.509 CN attribute
21:44 < pekster> "it" ?
21:44 < Leonassan> The openvpn server software
21:44 < Leonassan> The first time that client connected
21:45 < pekster> There is no "server software"
21:45 < pekster> Nothing is auto-created with OpenVPN. Maybe you're using the closed-source "Access Server" product, but that's not openvpn
21:45 < pekster> !as
21:45 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:45 < Leonassan> The OpenVPN software that is running on the computer that is currently set as the server
21:46 < pekster> No clue what you're using, but openvpn will _never_ auto-create CCD files; _you_ must do that
21:46 < Leonassan> Well I didn't create the ccd file manually, and there are ccd files in the ccd directory
21:46 < Leonassan> I'm running OpenVPN 2.2.1 as installed via aptitude.
21:47 < Leonassan> On Debian 7
21:48 < pekster> Then you'd best consult the authors of this "frontend" you're using
21:49 <+rob0> ... with some kind of frontend that creates CCD files ...
21:49 < Leonassan> I do not recall stating that I am using any sort of front end. The only software related to openvpn I have installed is that package
21:49 <+rob0> openvpn does not autocreate CCD files
21:50 < pekster> !ccd
21:50 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
21:50 < pekster> Maybe you should review the manpage and your X.509 CN (review your PKI setup and the CN you assigned when you created the CSR and should have verified when you signed it)
21:50 < Leonassan> Well to answer my own question the command is "openssl x509 -in cert.file -text"
21:51 < pekster> That'll spit your CN, sure. Compare that to the _exact_ name of the ccd file. Use verb 4 on your server and paste full logs from startup through the client connect if you're still confused
21:53 < Leonassan> That was my question. You said the CN does not match the ccd filename, I asked how to check that, you decided to go off on a tangent. I was not able to check that information until I found that command.
21:54 < pekster> You seem to be confused as to your own setup, which is a big red flag. People come here using all sorts of silly (and usually broken) frontends
21:54 < Leonassan> I'm not sure why you believe I am confused, I believe you are assuming I am an idiot, being deliberately pedantic because it allows you to feel superior, or may not speak english natively, as indicated by your nearly deliberate misunderstanding of my first sentence in this channel.
21:55 <+rob0> wow
21:55 -!- mode/#openvpn [+o pekster] by ChanServ
21:55 <@pekster> Enough.
21:56 <@pekster> Would you like to insult me, or provide assistance that might help fix your issue?
21:56 < Leonassan> I am not trying to insult you, I am stating I feel you are trying to insult me, and I'm not sure why you took a hostile attitude from the moment I came in here.
21:57 <+rob0> There is an attitude problem here, with that much I'll agree. Good luck.
21:57 <@pekster> ".. seems to be ignoring iroute directives in the client configuration directives" isn't quite right
21:57 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
21:57 <@pekster> What is an "iroute direcives in the client configuration directives" ? Seems to be you miss-typed that, although I fully offered I may have mis-interperted what you wrote
21:57 <@pekster> Drop it please
21:57 <@pekster> Moving _forward_, if you'd like help, let's work with what we have
21:59 < Leonassan> Anyway, I have changed the CN to match (capitalization issue) and it is respecting iroute entries now.
21:59 <@pekster> There we go
21:59 -!- mode/#openvpn [-o pekster] by ChanServ
21:59 < pekster> I suggested that 15 minutes ago, so I'm glad that was the issue
22:00 < pekster> (and no, not only becuase I'm right, but becuase it actually lead to the solution)
22:00 < pekster> Try not to read so much into tone on IRC: http://catb.org/~esr/faqs/smart-questions.html#keepcool
22:00 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
22:02 < Leonassan> So the setup is network 10.0.0.0/24 (which is running openvpn as the server) is accepting a connection from network 10.0.1.0/24. The computer running openvpn as a client (10.0.1.1) can ping 10.0.0.1, but 10.0.0.1 cannot ping 10.0.1.1, and none of the computers on either network can ping across the link created by openvpn.
22:04 < pekster> Firewall problem for the return ping
22:05 < pekster> Obviously the echo-reply gets back, so routing is fine. That means you have a firewall issue for the VPN link
22:05 < pekster> As to the LAN access, see either !serverlan or !clientlan depending on what LAN you wish to expose
22:05 < pekster> You'll find the flowcharts very helpful
22:08 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:08 -!- Leonassan [~Leonassan@vivo/development/Leonassan] has left #openvpn []
22:35 -!- pgib [~pgib@lmms/pgib] has left #openvpn ["00 PC LOAD LETTER"]
23:07 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:07 -!- mode/#openvpn [+o raidz] by ChanServ
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
--- Day changed Wed Jan 29 2014
00:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
00:12 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:28 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
00:28 -!- mikkel [~mikkel@93.176.85.50] has quit [Read error: Operation timed out]
00:32 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
00:34 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
00:35 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
00:37 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:40 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
00:58 -!- mattock_afk is now known as mattock
00:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
01:00 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:11 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:25 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
02:00 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:17 -!- keropok_ [~keropok@9W2JDY.peramah.org.my] has quit [Read error: Operation timed out]
02:23 -!- keropok [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
02:40 -!- mm_bureau [~milch@HSI-KBW-46-237-205-89.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
02:41 < mm_bureau> hi there
02:41 < mm_bureau> when using --tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, is there any point in using --auth?
02:42 <@plaisthos> mm_bureau: tls-cipher != cipher
02:42 -!- mode/#openvpn [-o plaisthos] by plaisthos
02:42 < plaisthos> the data packets are not encrypted with the tls cipher
02:43 < mm_bureau> plaisthos: does that mean that there are separate control and data channels or something along those lines?
02:44 < plaisthos> mm_bureau: yes
02:45 < mm_bureau> ok, so what are my choices then?
02:46 < mm_bureau> the manpage lists only "SHA1" and "none", and both are rather unfortunate
02:46 < plaisthos> read the documentation about --auth and --cipher
02:49 < mm_bureau> --show-digests (the documentation for --auth did not reference it)
02:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:52 < mm_bureau> what's the difference between X and RSA-X?  and is there a way to construct the truncated variant of SHA512?
02:53 < plaisthos> mm_bureau: you mean like sha256?!
02:53 < mm_bureau> plaisthos: like SHA512/256
02:54 < plaisthos> normally you just use sha1 or sha256 or sha384 or sha512
02:55 < mm_bureau> well, there are SHA512/224 and SHA512/256 variants, which are just truncated SHA512…  because SHA512 is faster than SHA256 on 64 bit architectures
02:55 < mm_bureau> anyway, i'll go with SHA256 for now
02:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
03:02 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:05 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 252 seconds]
03:23 -!- dazo_afk is now known as dazo
03:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
04:39 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
04:41 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
05:11 -!- cm_ [cm@datura.ielf.org] has joined #openvpn
05:23 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 264 seconds]
05:50 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
05:50 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
05:50 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
05:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:09 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
06:18 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
06:30 -!- m1h0 [~yavor@94.155.134.12] has joined #openvpn
06:34 < m1h0> hi when i try to connect to openvpn server i get the following in the log what is of my concern are the uppercase letters
06:34 < m1h0> why are they there ?
06:34 < m1h0> http://pastie.org/8678464
06:36 < manitu> hi ho.. is it possible to assign an ip-address to a host by ccd, which is not in the actual server-range? and if it's possible, what i need to do except ifconfig-push? do i need a "route" command?
06:41 < manitu> ah okay.. i just tried it.. that was the point, the "route" command
06:43 < manitu> i would have one more question.. is there any good tutorial or book, which tells me something about more security in the openvpn? i don't really have a good feeling, if someone can just add a route and reaches a client he shouldn't reach.. and iptables also doesn't catch the traffic. if it's sent to another openvpn-client it seems :/
06:44 -!- joshh20-Away is now known as joshh20
07:05 -!- mm_bureau [~milch@HSI-KBW-46-237-205-89.hsi.kabel-badenwuerttemberg.de] has left #openvpn []
07:12 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
07:13 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
07:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:14 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:17 < manitu> okay, now i learnt that i shouldn't use client-to-client then.. but the first one didn't work as it should.. i had a "server 172.16.0.0 255.255.0.0" and because 172.16.1.0/24 is used on another interface now, i needed to make it to "server 172.16.2.0 255.255.254.0", but i have also clients using the 172.16.20.0/24 network, which are no more known by the openvpn now.. if i ping the client, on the client i see that the ping is c
07:17 < manitu> oming in and it answers to the ping, but the openvpn server does not get the response it seems
07:17 < manitu> so: server -> client: OK, client -> server: rejected
07:18 < manitu> since the client has the server-ip it answers to in the routes over tun0 there shouldn't be a problem
07:21 <+rob0> --client-to-client bypasses your firewall, yes. It's a tiny bit more efficient if you know you don't plan to interfere with that traffic.
07:22 <+rob0> Another thing you might do: use multiple server instances with different privilege levels.
07:22 < manitu> rob0, i thought that would define the topology at the first look, thank you
07:23 < manitu> and i know now why i can't reach the server with that client which isn't in the range.. that client is catched by iptables now
07:24 < manitu> just in the moment you wrote i found it out x_x
07:24 <+rob0> So if you have some clients which you plan to allow unrestricted access, you give them the privileged server to connect to, --client-to-client and unrestricted in the FORWARD table.
07:25 < manitu> rob0, but if i have a restriction in the FORWARD table it doesn't look for them as long as --client-to-client is activated, right?
07:25 <+rob0> --client-to-client bypasses your firewall, yes. It's a tiny bit more efficient if you know you don't plan to interfere with that traffic.
07:26 < manitu> thank you :)
07:26 < manitu> so i have to get my iptables right and then i can remove --client-to-client .. that sounds pretty good
07:29 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:09 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
08:10 < Martin`> !goal
08:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:15 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
08:16 -!- joshh20 is now known as joshh20-Away
08:16 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
08:16 -!- mode/#openvpn [+o dazo] by ChanServ
08:19 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has joined #openvpn
08:20 -!- lj [~l@192.241.174.169] has joined #openvpn
08:27 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:35 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
08:38 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
08:46 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
08:48 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:49 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
08:54 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:55 -!- lj [~l@192.241.174.169] has joined #openvpn
09:00 -!- master_of_master [~master_of@p4FF243BF.dip0.t-ipconnect.de] has joined #openvpn
09:03 -!- master_o1_master [~master_of@p4FF24B95.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
09:15 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:23 -!- CatKiller [~catkiller@unaffiliated/catkiller] has left #openvpn ["Leaving"]
09:27 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
09:39 -!- lj1 [~l@192.241.174.169] has joined #openvpn
09:40 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 245 seconds]
09:49 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:55 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
10:10 -!- klein_ [~klein@189-016-006-004.asselvi.edu.br] has joined #openvpn
10:10 -!- klein_ [~klein@189-016-006-004.asselvi.edu.br] has quit [Changing host]
10:10 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
10:22 -!- Mayumi [~ircuser@unaffiliated/mayumi] has left #openvpn []
10:33 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:33 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:44 -!- psycheye [~psycheye@93.49.16.11] has quit [Ping timeout: 272 seconds]
10:46 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
10:47 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
10:54 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:54 -!- mode/#openvpn [+v s7r] by ChanServ
10:58 -!- lj [~l@192.241.174.169] has joined #openvpn
11:04 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
11:11 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 265 seconds]
11:13 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
11:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:15 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:16 -!- dazo is now known as dazo_afk
11:17 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
11:38 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
11:38 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:42 -!- Denial [Denial@90.201.173.63] has quit []
11:43 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
11:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:51 -!- NChief2 [~nchief@unaffiliated/nchief] has quit [Ping timeout: 276 seconds]
11:53 -!- Denial [Denial@90.201.173.63] has joined #openvpn
11:55 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
12:01 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:03 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
12:04 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
12:23 -!- feelsbad [~sandwiche@94.242.228.140] has joined #openvpn
12:24 < feelsbad> Hi, I can't get more than 10mib/s, I change it all, mtu, fragment, mssfix, ciphers, tls ciphers
12:24 < feelsbad> dh
12:24 < feelsbad> and I always get the same amount of speed, it is a dedicated hardware, 8x 3'4ghz 128GB DDR3
12:25 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
12:26 < feelsbad> PD: UDP
12:32 < pekster> Check processing core utilization and system resource/IO usage to identify the bottleneck
12:32 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
12:33 < pekster> OpenVPN is single-threaded, so "8x" is no better than 1x for that thread
12:33 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Quit: ._. I may have pressed the wrong button.]
12:34 < feelsbad> pekster, 5% utilisation, and a SSD
12:36 -!- xBytez [~xBytez@2a00:f48:1025:feed:b00b:feed:7ae9:4cde] has joined #openvpn
12:36 -!- xBytez [~xBytez@2a00:f48:1025:feed:b00b:feed:7ae9:4cde] has quit [Changing host]
12:36 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
12:38 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
12:40 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
12:44 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
12:44 -!- feelsbad [~sandwiche@94.242.228.140] has quit [Quit: Leaving]
12:51 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
12:52 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:54 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
12:59 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
13:03 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
13:04 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:12 -!- NChief2 [~nchief@unaffiliated/nchief] has quit [Ping timeout: 245 seconds]
13:24 -!- eliasp_ is now known as eliasp
13:24 -!- s7r_p [~s7r@openvpn/user/s7r] has joined #openvpn
13:24 -!- mode/#openvpn [+v s7r_p] by ChanServ
13:25 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 248 seconds]
13:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
13:31 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
13:31 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
13:32 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
13:32 < Valduare> hi guys - I am trying to setup my first VPN connection
13:34 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
13:47 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:00 -!- NChief2 [~nchief@unaffiliated/nchief] has quit [Ping timeout: 245 seconds]
14:00 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
14:03 < Valduare> !welcome
14:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:10 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
14:27 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
14:44 -!- klein_ [~klein@177.101.109.161] has joined #openvpn
14:44 -!- klein_ [~klein@177.101.109.161] has quit [Changing host]
14:44 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
14:57 -!- joshh20-Away is now known as joshh20
14:58 -!- pinchmesh [~tom@198.14.231.242] has joined #openvpn
14:59 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
14:59 < pinchmesh> bah!!! easy-rsa is NOT a directory. Tried several downloads, but all the same. Directions??
15:00 < pinchmesh> this is something new
15:03 < pinchmesh> no documentation
15:04 < pinchmesh> linux mint 16 / xfce
15:05 <@ecrist> !easy-rsa
15:05 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
15:06 < pinchmesh> problem is, it comes up as a file. directions (and last time used) made a n easy-directory
15:06 -!- u0m3 [~u0m3@92.80.65.6] has joined #openvpn
15:07 < pinchmesh> k, thanks... maybe i got page instead of downloads. will do
15:08 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
15:11 < pinchmesh> bad connection here, so use wget -c --read-timeout=7 with paste links. maybe why it's a file
15:13 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 248 seconds]
15:16 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
15:21 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
15:26 -!- lj [~l@192.241.174.169] has joined #openvpn
15:49 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:53 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:54 -!- s7r_p is now known as s7r
15:59 -!- mattock is now known as mattock_afk
16:09 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:09 -!- mode/#openvpn [+o dazo_afk] by ChanServ
16:09 -!- dazo_afk is now known as dazo
16:09 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:35 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
16:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
16:36 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:36 -!- mode/#openvpn [+o dazo_afk] by ChanServ
16:37 -!- dazo_afk is now known as dazo
16:52 -!- pinchmesh [~tom@198.14.231.242] has quit [Read error: Connection reset by peer]
17:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
17:18 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
17:18 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
17:23 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 260 seconds]
17:28 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has quit [Read error: Connection reset by peer]
17:29 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has joined #openvpn
17:44 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 252 seconds]
17:46 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
17:48 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
17:51 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
18:09 -!- mndo [~mndo@bl17-100-95.dsl.telepac.pt] has joined #openvpn
18:16 -!- mndo [~mndo@bl17-100-95.dsl.telepac.pt] has quit [Remote host closed the connection]
18:19 < qwertyoruiop> so hey, i have a fully working openvpn setup w/ routing, but for some reason SNAT only masquerades to the ip address of eth0
18:19 < qwertyoruiop> can't go with virtual ifs
18:19 < qwertyoruiop> any tip?
18:20 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
18:22 < pekster> "virtual ifs" ?
18:22 < pekster> SNAT allows you to pick an IP. If you have secondary IPs on an interface, you can SNAT to any one of them
18:23 < pekster> ref: iptables-extensions(8)
18:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:25 < qwertyoruiop> pekster: yeah, that's what i thought
18:25 < qwertyoruiop> -o eth1 -j SNAT --to IP_2 => data still goes to IP_1
18:29 < pekster> pastebin `ip -4 a` and `iptables-save -t nat`
18:30 < qwertyoruiop> -t nat has been flushed correctly
18:30 < qwertyoruiop> (iptables-save -t nat confirms)
18:31 < qwertyoruiop> pm'd you ip -4 a
18:31 < pekster> Without seeing the NAT table you're not going to get help
18:31 <@ecrist> !topsecret
18:31 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
18:31 < qwertyoruiop> http://pastebin.com/nL3EEwT2
18:31 < pekster> And stop using "aliases." They're years out of date. I know the 2.4 kernels were cool, but we're past that point. Don't use ifconfig on Linux as the backends aren't maintained
18:32 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
18:32 < pekster> !ifconfig_linux
18:32 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
18:32 < qwertyoruiop> specifically i want traffic to exit on 93.174.90.32
18:32 < qwertyoruiop> instead, it's going to 89.248.169.6
18:33 < pekster> Line 8 never gets hit becuase line 7 is a terminating target
18:33 < pekster> Remove the one you don't want since they have the same source range
18:33 < qwertyoruiop> ah thank you
18:33 < qwertyoruiop> yeah, it works now
18:37 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
18:37 -!- mode/#openvpn [+o dazo_afk] by ChanServ
18:37 -!- dazo_afk is now known as dazo
18:48 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:57 -!- Synthead [~max@172.56.33.172] has joined #openvpn
19:03 -!- Synthead [~max@172.56.33.172] has quit [Ping timeout: 240 seconds]
19:05 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 245 seconds]
19:07 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
19:10 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
19:18 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Ping timeout: 272 seconds]
19:26 -!- u0m3 [~u0m3@92.80.65.6] has quit [Read error: Connection reset by peer]
19:38 -!- [oc80z] [~oc80z@blea.ch] has joined #openvpn
19:39 -!- oc80z [~oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
19:39 -!- [oc80z] is now known as oc80z
19:50 -!- JohnGalt1 [~user@ip72-207-127-163.sd.sd.cox.net] has joined #openvpn
19:53 -!- qpls [~qpls@69-165-173-171.dsl.teksavvy.com] has quit [Changing host]
19:53 -!- qpls [~qpls@unaffiliated/qpls] has joined #openvpn
20:14 -!- klein_ [~klein@177.101.109.161] has joined #openvpn
20:14 -!- klein_ [~klein@177.101.109.161] has quit [Changing host]
20:14 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
20:24 <+_FBi> heh thanks pekster
20:24 <+_FBi> I still use ifconfig, but I shall change my evil ways :)
20:31 < pekster> Not evil, just outdated; Same reason few of us ride horse-drawn-cariges carriages to the office
20:31 < pekster> {Free,Net,Mir}BSD kept their ifconfig current, while Linux distros migrated to iproute2 for the new features
20:53 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
21:04 -!- joshh20 is now known as joshh20-Away
21:05 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
21:09 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
21:19 -!- booo [~booo__@p54BD8951.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
21:19 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
21:21 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:21 -!- lj1 [~l@192.241.174.169] has quit [Client Quit]
21:22 -!- booo [~booo__@p54BD8628.dip0.t-ipconnect.de] has joined #openvpn
21:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:23 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
21:57 -!- Gnonim0 [~joe@us1x.mullvad.net] has quit [Read error: Connection reset by peer]
22:47 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
23:10 <@ecrist> _FBi: it's OK.  Those of us on *real* UNIX boxes still use ifconfig. ;)
23:16 < pekster> They're not the same ioctls
23:16 < pekster> frontends notwithstanding, it's really all about the C code :P
23:16 < pekster> (and yes, there's the "but it's _really_ all just ASM" comment dangling out there if someone wants it :D
23:19 <@ecrist> I really hate having to code a website where I am not familiar with the rest of the site.
23:20 <@ecrist> I know the functions/calls/etc at $work, but not for this off-hours thing I'm working on
23:20 <@ecrist> I could code it in 1/4 the time if it used my code base. :\
23:21 < pekster> Picking up new APIs (especially poorly written ones) takes time, yea. Just ask any of the devs for OpenVPN where got suck in OpenSSL-land
23:22 < pekster> Or win32 :(
23:22 < pekster> It could always be worse ;)
23:28 <@ecrist> for sure.
23:31 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 265 seconds]
23:33 -!- NoobSaibot [~NoobSaibo@cpe-65-25-238-185.new.res.rr.com] has joined #openvpn
23:44 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
--- Day changed Thu Jan 30 2014
00:11 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:25 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
00:26 < pablito> !welcome
00:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:26 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:27 < pablito> I would like to allow access to my vpn server via both certificate and password, that is, the user can either connect with their certicate/key or by using a username/password
00:28 < pablito> I already have the certificate authentication working
00:28 < pablito> I just need to enable password authentication
00:28 < pablito> how would I go about doing this?
00:29 < pablito> !howto
00:29 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:34 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
00:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:03 -!- lj [~l@99.155.24.89] has joined #openvpn
01:11 -!- mattock_afk is now known as mattock
01:24 -!- crus` [~crusader@2001:44b8:319e:2900:ddf6:6088:44aa:379c] has joined #openvpn
01:26 -!- crus [~crusader@2001:44b8:319e:2900:9840:5142:6522:6fe3] has quit [Ping timeout: 264 seconds]
01:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:26 -!- Carbon_Monoxide [~cmonxide@14.0.207.215] has joined #openvpn
02:37 -!- Carbon_Monoxide [~cmonxide@14.0.207.215] has quit [Quit: Leaving]
03:04 -!- pablito [~chatzilla@194.90.149.21] has quit [Ping timeout: 272 seconds]
03:07 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
03:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:30 -!- pablito [~chatzilla@194.90.149.21] has quit [Ping timeout: 272 seconds]
03:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:05 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
04:07 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
04:30 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
04:31 -!- pa [~pa@host229-135-dynamic.60-82-r.retail.telecomitalia.it] has joined #openvpn
04:31 -!- pa [~pa@host229-135-dynamic.60-82-r.retail.telecomitalia.it] has quit [Changing host]
04:31 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
04:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:51 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
04:54 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
05:23 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
05:23 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
05:23 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
05:29 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:49 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
05:50 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
05:56 -!- swenr [~swenr@193.190.138.250] has joined #openvpn
05:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
06:08 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:08 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:08 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
06:26 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 252 seconds]
07:00 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
07:03 -!- shwaiil [~shwaiil@host86-149-13-181.range86-149.btcentralplus.com] has joined #openvpn
07:03 < shwaiil> hi
07:03 < shwaiil> I never used vpn before, so I've installed to test it. I've got openVPN on my ubuntu 12.04
07:04 < shwaiil> installed openVPN client for Mac
07:04 < shwaiil> and I can select to connect to my ubuntu server ip address
07:04 < shwaiil> I'm just wondering, where does my client know that address from ?
07:04 < shwaiil> What if I want to connect to a different address ?
07:05 <@ecrist> through the openvpn client config
07:05 <@ecrist> you can have multiple config files in the config dir and the openvpn GUI on windows will list them in the task tray
07:05 < shwaiil> Testing by connecting my mac through thetering and I didn't found a way to change the address
07:05 < shwaiil> ecrist: thanks for looking
07:05 <@ecrist> what address are you trying to change?
07:05 < shwaiil> openvpn client config, ok I'll try to find that
07:05 < shwaiil> ecrist: the one I connect too
07:05 < shwaiil> the server address
07:05 <@ecrist> !man
07:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
07:06 <@ecrist> check out the man page and look for the --remote line
07:06 < shwaiil> ecrist:
07:06 < shwaiil> ok
07:06 < shwaiil> ecrist: but client need to use the command line ?
07:07 <@ecrist> no
07:08 < shwaiil> Ok, I'm checking the docs to check how clients can change the address they want to connect too. As the one I currently see is hardtyped and in preferences there's no option to change it.
07:08 <@ecrist> it's in the config file
07:08 <@ecrist> c:\program files (x86)\openvpn\config
07:09 < shwaiil> ecrist: clients here are mac os x and linux :T
07:09 <@ecrist> it's just a text file with all the config options
07:09 <@ecrist> are you using tunnelblick, or what for your mac?
07:09 < shwaiil> so I need to provide with a good solution for the mac users (designers) and they'll start laughing if I tell them they need to edit config files or use the command line. otherwise they'll stick with sftp instead
07:10 < shwaiil> I'm doing some tests, so we can try Vpn instead.
07:10 < shwaiil> ecrist:  I've installed the OpenVPN Connect
07:10 < shwaiil> and installed OpenVPN server on my ubuntu 12.04
07:12 <@ecrist> use tunnelblick on the mac
07:14 < shwaiil> ecrist: I'll try that, thanks ecrist :)
07:14 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:31 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
07:37 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
07:42 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
07:43 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
07:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:43 -!- mode/#openvpn [+v s7r] by ChanServ
08:13 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
08:17 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
08:17 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
08:19 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
08:20 -!- fejjerai [~quassel@corkblock.jefferai.org] has quit [Read error: Operation timed out]
08:21 -!- Serano [~serano@rooty.be] has quit [Read error: Operation timed out]
08:22 -!- codehero [codehero@irc.coding4coffee.org] has quit [Ping timeout: 252 seconds]
08:22 -!- MorgyN [~mig@island.morgyn.org] has quit [Ping timeout: 252 seconds]
08:22 -!- MorgyN [~mig@island.morgyn.org] has joined #openvpn
08:22 -!- guntha_ [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 252 seconds]
08:22 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 246 seconds]
08:23 <@dazo> rob0: you around?  I think I've overlooked something obvious in a tun + DNAT setup
08:23 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 246 seconds]
08:23 -!- _br_ [~bjoern_fr@213-239-215-232.clients.your-server.de] has quit [Ping timeout: 252 seconds]
08:23 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
08:23 -!- Nothing4You [N4Y@w.tf-w.tf] has quit [Ping timeout: 260 seconds]
08:23 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 260 seconds]
08:24 -!- _br_ [~bjoern_fr@213-239-215-232.clients.your-server.de] has joined #openvpn
08:24 <+rob0> dazo, yes
08:24 <@dazo> dazo: I see the packet arriving correctly on the tun device ... it hits the PREROUTING DNAT rule ... and then the packet seems to disappear ... not to be found in FORWARD at all, where I would expect it
08:24 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
08:24 -!- codehero [codehero@irc.coding4coffee.org] has joined #openvpn
08:24 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
08:24 <@dazo> rob0: ^^
08:24 <+rob0> ipv4 forwarding is enabled?
08:24 <@dazo> yeah
08:25 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
08:25 -!- guntha_ [~guntha@guntha.thecagedog.com] has joined #openvpn
08:25 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
08:27 <+rob0> 'iptables-save -c'
08:28 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
08:31 <@dazo> rob0: http://www.fpaste.org/73088/39109226/
08:31 -!- Serano [~serano@rooty.be] has joined #openvpn
08:33 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:35 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
08:36 <@dazo> rob0: I would definitely expect to see log entries, or at least the DROP counter in FORWARD to increase ... but no packets reaches FORWARD, which confuses me
08:38 <@ecrist> !verify
08:38 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
08:38 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
08:38 <@dazo> rob0: Or is it troubles when using DNAT with tun devices?  That I'll have to use tap?
08:38 <+rob0> dazo, it sure does look like you have NOT enabled ipv4 forwarding
08:39 <@ecrist> rob0++
08:39 <@ecrist> dazo: rtfm v00b
08:40 <@dazo> rob0: you know what ... that's right ... I checked /etc/sysctl.conf on the wrong box
08:40  * dazo palmfaces
08:40 <+rob0> haha, these things happen
08:40 <@dazo> rob0: I told you, it was something bloody obvious!
08:40 -!- mode/#openvpn [-o dazo] by ecrist
08:40 < dazo> hahaha
08:41 -!- mode/#openvpn [+o dazo] by ecrist
08:41 <@dazo> oh, I see I get a second chance ....
08:41 <@ecrist> second set of eyes often helps find simple problems.
08:41  * dazo steps carefully
08:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:41 <@dazo> yeah
08:42 <+rob0> Packet counters FTW. Look at what hits the FORWARD chain. When no packets go there at all, it means either of these: 1: you didn't enable forwarding; or 2. no one is routing their traffic through you.
08:42 -!- losted [~losted@box.losted.net] has joined #openvpn
08:43 <@dazo> rob0: yeah ... but I looked at sysctl.conf 3 times before asking you ... without noticing the wrong hostname :/
08:43 <@dazo> the devil is in the detail
08:43 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
08:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:44 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Client Quit]
08:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
08:45 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:48 <@Eugene> That's a common misconception - it's minor demons and satyrs.
08:49 <@Eugene> The devil prefers to hide in enterprise design documentation
08:49 <@dazo> hehehe ... you might be right there, Eugene
08:50 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
08:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:59 -!- losted [~losted@box.losted.net] has quit [Quit: ZNC - http://znc.in]
09:00 -!- master_o1_master [~master_of@p4FD7BDA1.dip0.t-ipconnect.de] has joined #openvpn
09:01 -!- losted [~losted@box.losted.net] has joined #openvpn
09:03 -!- master_of_master [~master_of@p4FF243BF.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
09:06 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 264 seconds]
09:07 -!- losted [~losted@box.losted.net] has joined #openvpn
09:07 < shwaiil> For openVPN to work we need SSL ?
09:10 <@dazo> shwaiil: well, VPN requires encryption ... and openvpn uses the SSL/TLS protocol for the encryption between the openvpn end points ... so, yeah ...
09:10 < shwaiil> dazo: sure, thanks
09:12 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 272 seconds]
09:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
09:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
09:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:15 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 272 seconds]
09:16 -!- losted [~losted@box.losted.net] has joined #openvpn
09:19 -!- losted_ [~losted@box.losted.net] has joined #openvpn
09:21 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 264 seconds]
09:21 -!- losted_ is now known as losted
09:25 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
09:27 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Quit: ZNC - http://znc.in]
09:27 -!- qwertyoruiop [~hax@93.174.90.32] has joined #openvpn
09:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
09:40 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
09:41 -!- lj [~l@192.241.174.169] has joined #openvpn
09:41 -!- lj [~l@192.241.174.169] has quit [Client Quit]
09:44 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:01 -!- swenr [~swenr@193.190.138.250] has quit [Remote host closed the connection]
10:04 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
10:06 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
10:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:11 < shwaiil> I don't know nothing about VPN, but isn't it possible to skip ssl and just have a user/pw ?
10:11 < shwaiil> I found about PPTP, but not sure if that's what it means
10:15 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
10:15 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
10:15 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
10:17 <+rob0> Why is SSL/TLS a problem?
10:17 <+rob0> !pptp
10:17 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
10:17 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
10:18 <+rob0> If you don't care about the security of your tunnel, yes, PPTP can use password authentication.
10:19 <+rob0> Note that we do NOT support it here.
10:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:42 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:43 < ketas> damn, i hate mtu issues
10:44 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
10:44 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:56 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
10:58 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
11:11 -!- joshh20-Away is now known as joshh20
11:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:35 -!- lj [~l@192.241.174.169] has joined #openvpn
11:35 -!- cpuguy83 [uid22274@gateway/web/irccloud.com/x-rcliorsiezgkagae] has joined #openvpn
11:36 < cpuguy83> Hi.  I'm trying to get openvpn installed on Windows7 Pro silently.  I got the /S switch for the installer but the stupid TAP driver install confirmation box pops up.  Anyone know a way around this?
11:36 < cpuguy83> Even though the driver is signed it's still popping this up
11:37 <@Eugene> !rollup
11:37 <@vpnHelper> "rollup" is See !win_rollup
11:38 <@Eugene> !win_rollup
11:38 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
11:40 <@Eugene> !learn fruit_rollup as Om nom nom
11:40 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:40 <@Eugene> Oh, you.
11:47 -!- dazo is now known as dazo_afk
11:48 -!- dazo_afk is now known as dazo
11:52 < pekster> cpuguy83: Probably becuase your local security policy is set to "ask" for al driver installations
11:52 < pekster> You should review the MS resources on adjusting your local policies
11:53 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
11:54 < grendal_prime> hey i got  a situation where there are a bunch of diff types of clients, is there an http client that all of these varrious diff clients can use ?
11:57 <+rob0> http? This is #openvpn
11:57 <@Eugene> What? No.
12:02 < grendal_prime> hmm bummer
12:03 < grendal_prime> i just knoticed that there was one for the Access server so thought maybe there was one for...you know...osc
12:15 < cpuguy83> pekster: Thanks... looks like I may need to explicitly import the cert first
12:23 -!- shwaiil [~shwaiil@host86-149-13-181.range86-149.btcentralplus.com] has quit [Remote host closed the connection]
12:54 -!- StephenS [~StephenS@xshellz/founder/StephenS] has joined #openvpn
12:54 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 252 seconds]
12:57 -!- losted [~losted@box.losted.net] has joined #openvpn
12:59 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:04 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:14 < grendal_prime> how about windows 8?
13:14 < grendal_prime> client?
13:20 <@ecrist> the windows client for openvpn works fine on windows 8
13:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
13:35 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
13:37 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
13:51 -!- Devastatr [~devas@177.99.153.166] has joined #openvpn
13:51 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 245 seconds]
13:56 -!- pablito [~chatzilla@194.90.149.21] has quit [Ping timeout: 272 seconds]
14:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:10 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
14:11 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
14:15 -!- michaelhart [~michaelha@192.237.177.15] has quit [Client Quit]
14:17 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
14:17 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:27 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
14:30 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Ping timeout: 248 seconds]
14:35 -!- joshh20 is now known as joshh20-Away
14:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:54 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:01 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
15:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
15:21 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
15:22 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has quit [Changing host]
15:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
15:22 -!- dazo is now known as dazo_afk
15:41 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:44 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
15:49 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
15:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:10 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
16:11 -!- pablito [~chatzilla@194.90.149.21] has quit [Client Quit]
16:18 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
16:19 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 265 seconds]
16:19 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
16:20 -!- mattock is now known as mattock_afk
16:36 -!- joshh20-Away is now known as joshh20
16:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:47 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
16:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-inczsnmlogqgclxf] has quit [Remote host closed the connection]
16:55 -!- sauce [sauce@173.2.173.32] has joined #openvpn
16:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
16:56 -!- sauce [sauce@173.2.173.32] has quit [Read error: Connection reset by peer]
16:57 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
16:57 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
16:57 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
16:57 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
16:59 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:03 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 252 seconds]
17:07 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Remote host closed the connection]
17:10 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
17:16 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
17:24 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
17:25 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
17:26 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Client Quit]
17:28 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 240 seconds]
17:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
17:50 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
17:51 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
17:55 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 245 seconds]
18:08 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
18:14 < bigbob83> Hello, i've an error when i'm trying to authenticate my user:    WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
18:14 < bigbob83> login script: authentication.sh :   http://pastebin.com/UhzSGPiE
18:14 < bigbob83> server config:  http://pastebin.com/Mc2qTThE
18:14 < bigbob83> client.conf:	http://pastebin.com/pK8H1Jyx
18:26 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
18:41 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
18:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:43 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
18:44 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
18:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
18:52 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 272 seconds]
18:55 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
19:05 -!- p3rror [~mezgani@41.248.193.42] has joined #openvpn
19:07 -!- lj1 [~l@192.241.174.169] has joined #openvpn
19:08 -!- mezgani [~mezgani@41.140.16.93] has joined #openvpn
19:11 -!- p3rror [~mezgani@41.248.193.42] has quit [Ping timeout: 252 seconds]
19:28 -!- u0m3 [~u0m3@109.96.139.13] has joined #openvpn
19:31 -!- mezgani [~mezgani@41.140.16.93] has quit [Ping timeout: 252 seconds]
19:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:45 -!- mezgani [~mezgani@196.201.78.139] has joined #openvpn
19:46 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
19:46 < Valduare> hi guys
19:47 < Valduare> I need some help figuring this out- I just setup an openVPN virtual machine at my office - and connected to it fine at home this morning
19:47 < Valduare> but it put me on a different ip address range and i couldn't access my servers at the office
19:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 240 seconds]
19:53 -!- cpuguy83 [uid22274@gateway/web/irccloud.com/x-rcliorsiezgkagae] has left #openvpn []
19:57 -!- Wheelz [~Wheelz@pool-71-166-108-39.bltmmd.east.verizon.net] has joined #openvpn
19:58 < Wheelz> !welcome
19:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:59 < Wheelz> Hello. Has anybody had success with integrating OpenVPN to do RADIUS authentication with a Windows Server?
20:07 < pekster> Sure, IIRC there's a radius plugin you can use with the --plugin support, although you can just as easily use an --auth-user-pass-verify script that calls a radius supplicant (like radiusclient) or PAM, if you already have PAM integration with your RADIUS backend
20:21 < bigbob83> Hello, i have an error when i try to authenticate with a auth-user-pass-verify script;
20:21 < bigbob83> Failed running command (--auth-user-pass-verify): external program exited with error status: 1
20:22 < bigbob83> my script work well, it return 0 when i'm tesing it with env args
20:23 < bigbob83> it does not work when i'm trying with openvpn client
20:25 < Wheelz> I tried the radiusplugin http://www.nongnu.org/radiusplugin/ but my RADIUS server rejects it.
20:25 <@vpnHelper> Title: Radiusplugin for OpenVPN (at www.nongnu.org)
20:26 < Wheelz> Do you know a script I can use with --auth-user-pass-verify?
20:26 < pekster> Yea, no clue; I've used radiusclient-ng and freeradius with a shell script wrapper with succes
20:27 < pekster> Any executable program that your OS recoganizes Wheelz
20:30 <@krzee> bigbob83, check your shbang, check permissions
20:31 < Valduare> i got my openvpn working but its giving me a 10.xx ip instead of 192 so I can't connect to my servers at the office - how can I re-configure openVPN
20:31 < bigbob83> there is the shbang and the perm are 777 for the login script
20:34 < bigbob83> http://pastebin.com/Pg9yP9Ng
20:35 <@krzee> 777 is bad
20:35 <@krzee> how about 555
20:36 <@krzee> and is your password really md5?
20:36 <@krzee> cause md5 is bad
20:36 <@krzee> !md5
20:36 <@krzee> !google md5 broken
20:36 <@vpnHelper> MD5 - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/MD5>; Why do people still use/recommend MD5 if it is cracked since 1996?: <http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996>; MD5 – The hash algorithm is now Broken!!! - CRYPTOcrats: <http://cryptocrats.com/crypto/md5-the-hash-algorithm-is-now-broken/>
20:39 -!- joshh20 is now known as joshh20-Away
20:39 <@krzee> and where do HOST PORT USER PASS get set?
20:39 < bigbob83> server conf :   http://pastebin.com/rrR5Kg9z
20:40 <@krzee> why tcp?
20:41 < bigbob83> random, just for test purpose
20:41 < bigbob83> need to change to udp ?
20:41 <@krzee> !tcp
20:41 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
20:41 < bigbob83> ^^
20:41 < bigbob83> thank you
20:42 <@krzee> use the env command to dump the environment to get variables from
20:42 <@krzee> so in the script you can just env > /path/to/env_dump
20:43 <@krzee> then you can double check that HOST PORT USER PASS are what you want, or you need to set them in the script
20:43 <@krzee> oh and $DB
20:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:44 < bigbob83> db tests are ok
20:44 <@krzee> oh no i missed the sourcing the vars in on line 2, i presume those are all set in there
20:44 < bigbob83> when i try with   ./authentication username password     it work fine
20:45 < bigbob83> but chen i try with the openvpn client it does not work :/
20:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
20:52 -!- Wheelz [~Wheelz@pool-71-166-108-39.bltmmd.east.verizon.net] has quit [Ping timeout: 252 seconds]
20:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:00 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
21:10 < pekster> salted, hashed md5-crypted passwords aren't horrible, but there are better standards out there. Collisions are less important than implementation flaws, usually (in terms of severity)
21:10 < pekster> Also, openvpn isn't pasing the user/pass as arguments; it'll use either env-vars or an external file for that
21:11 < pekster> Reference the openvpn manpage for details
21:12 < pekster> That example appears to be using unsalted md5. Anyone remember linkedin at all? ;)
21:18 -!- booo [~booo__@p54BD8628.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
21:19 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
21:19 -!- booo [~booo__@p54BD8623.dip0.t-ipconnect.de] has joined #openvpn
21:23 -!- mezgani [~mezgani@196.201.78.139] has quit [Quit: Leaving]
21:26 < bigbob83> thank you krzee
21:26 < bigbob83> and thank you pekster it work fine :)
21:31 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
21:35 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit [Ping timeout: 272 seconds]
21:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
21:40 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
21:41 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
21:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
22:14 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 272 seconds]
22:41 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
23:09 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
23:09 -!- Devastatr [~devas@177.99.153.166] has quit [Changing host]
23:09 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
23:09 -!- Devastatr is now known as Devastator
23:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
23:59 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
--- Day changed Fri Jan 31 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:03 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
00:14 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:17 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
00:17 -!- kcodyjr [~kc@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
00:18 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:18 < kcodyjr> is tap=bridge and tun=route a strict association? if so, is there a supported way to get broadcasts across the tun connection?
00:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
00:20 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:25 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
00:35 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:48 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
00:49 <@Eugene> You can run tap devices with a routed layout if you need to pass L2 traffic between endpoints
00:49 <@Eugene> But it's not recommended because of the additional overhead
00:52 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
00:56 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 252 seconds]
01:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
01:04 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:12 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:14 < kcodyjr> i was hoping for the other way around. running a tun device in a bridged configuration. not happening?
01:20 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:55 < BtbN> a tun device operates at ip layer.
01:55 < BtbN> a tap device at mac layer.
01:55 < BtbN> That's the only real difference
01:59 < kcodyjr> does that mean it would work if i added a tunN device to a bridge in the up.sh script?
02:00 < BtbN> "a bridge" means it operates on mac layer...
02:00 < kcodyjr> so, no.
02:01 < kcodyjr> so how can i have a hardware ethernet backplane between a pair of redundant openvpn servers that are constrained to run in tun mode?
02:02 < kcodyjr> and have them run active-active, that is. wouldn't need a backplane for a failover setup.
02:02 < BtbN> you don't.
02:02 < BtbN> mac layer requires a tap device.
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 < kcodyjr> ok, that strategy dies. how would an openvpn server behave under virtualization? if it's going to be a failover design, may as well punt to the virtualization layer if it'll behave well.
03:17 < ikrabbe> i think you should use tun devices for openvpn, while using tap devices is reserved for virtual hardware you add (like an emulated client system). I can't think of a means to use tap devices for openvpn.
03:20 < ikrabbe> you don't need to add a tun device to the bridge, and its not really usefull to add a openvpn tunnel to a bridge, as its better to control traffic behind the bridge not in front of it (where front are the big dangerous lands of the internet).
03:22 -!- troyt [~troyt@2601:7:6d00:432:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
03:22 < ikrabbe> btw. a tun device is controlled by ip configuration and routing, while a tap device is controlled by its location in the network (the bridge it is added to). So configuration of tun devices fit more the infrastucture of the vpn traffic.
03:28 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:32 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Ping timeout: 252 seconds]
03:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:55 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Connection timed out]
03:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:03 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
04:14 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
04:15 -!- makara [~makara@41.164.22.218] has joined #openvpn
04:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:37 -!- makara [~makara@41.164.22.218] has quit [Read error: Operation timed out]
04:47 -!- spacen00b [~root@in.sinc.ro] has joined #openvpn
04:48 < spacen00b> hi guys
04:49 < spacen00b> is there a way to avoid typing the certificate password when starting an OVPN connection in Linux?
04:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
04:50 -!- champtar [~champtar@ns623510.ovh.net] has left #openvpn []
04:50 < spacen00b> I was looking at --auth-user-pass-verify, but it's only available in server mode
04:50 < spacen00b> I am dealing with a client config here
04:53 -!- takamichi [~takamichi@85.12.8.105] has joined #openvpn
04:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-pybhwdelvuvhxevk] has joined #openvpn
05:17 -!- makara [~makara@41.164.22.218] has joined #openvpn
05:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
05:28 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
05:32 -!- dazo_afk is now known as dazo
05:37 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has quit [Ping timeout: 245 seconds]
05:46 -!- lbft is now known as joepie95
05:49 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
05:49 -!- joepie95 is now known as joepie9l
05:49 -!- StephenS [~StephenS@xshellz/founder/StephenS] has left #openvpn ["Leaving"]
05:49 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
05:50 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
05:50 -!- joepie9l is now known as lbft
05:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:04 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
06:17 -!- takamichi [~takamichi@85.12.8.105] has quit [Ping timeout: 240 seconds]
06:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:30 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
06:33 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
06:33 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
06:38 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 252 seconds]
06:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-pybhwdelvuvhxevk] has quit [Ping timeout: 252 seconds]
06:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-qcnyzimskqvexzfz] has joined #openvpn
06:43 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has joined #openvpn
06:50 < ikrabbe> spacen00b: when you use your certificate you can make a private rsa key without a password from it. Of course you should put that key into a save location, where it can't be stolen!
06:52 < ikrabbe> This is the command line I use for that: openssl rsa -passin stdin -in key -out rsa
06:53 < ikrabbe> key is the private certificate key, secured by a password, rsa is the same without a password.
06:53 < ikrabbe> better use umask 077 before doing such things!
06:53 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
06:55 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
06:55 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
06:55 -!- kalloc_ [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
06:55 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
07:14 -!- wickwire [~wickwire@a81-84-184-53.cpe.netcabo.pt] has joined #openvpn
07:14 < wickwire> hi guys, another issue with vpn client failing to reach openvpn lan hosts
07:14 < wickwire> I've gathered most of the information here
07:14 < wickwire> http://pastebin.com/QeQgsRP8
07:14 < wickwire> can anyone help...?
07:15 < wickwire> I've also confirmed that all 3 systems (openvpn server, openvpn lan machine and openvpn client) are ubuntu linux
07:15 < wickwire> and to the best of my abilities, I've managed to disable the firewalls
07:15 < wickwire> on each system
07:16 < wickwire> I'm able to connect to the vpn with the client,
07:16 < wickwire> and I'm able to reach the openvpn server on both the openvpn ip and the LAN ip
07:16 < wickwire> from the server, I'm also able to reach the client
07:17 < wickwire> I'm not being able, however, to reach the client from the openvpn LAN machine
07:17 < wickwire> and vice-versa
07:17 < wickwire> when I try to tracepath the client request to the openvpn LAN machine,
07:18 < wickwire> it seems that somehow the openvpn server isn't routing the data through its own interfaces 1.1.1.1 and 172.16.0.7
07:19 < wickwire> I've stopped the firewalls I hope with ufw disable per the ubuntu documentation
07:19 < wickwire> I still see iptables modules loaded
07:29 < ikrabbe> wickwire:I don't know about ufw firewalls, but I assume they are based on iptables. A very usefull command to see active firewalls is iptables-save, which just dumps the firewall configuration to stdout and the lines can be used as options to iptables commands again.
07:30 < wickwire> ikrabbe: is there a sure way for me to know if iptables is disabled, or at best, not blocking any traffic?
07:30 < ikrabbe> just check the output of iptables-save
07:31 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has quit []
07:31 < ikrabbe> it should be installed as a part of iptables
07:31 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:32 < ikrabbe> an even more sure way is to -L(ist) the iptables status.
07:33 < wickwire> I've issued the commands and they do work, but I admit I don't know most of what I'm seeing here
07:33 < ikrabbe> that's not that easy to read a/o use, but its a quite direct way to see what the kernel thinks about firewalls (at least iptables based one)
07:33 < wickwire> ok...
07:34 < ikrabbe> what Do you mean, they do not work?
07:34 < ikrabbe> maybe they are just dislocated by ubuntu freaks
07:36 < ikrabbe> and sorry: iptables -L is very good to read but not that good to edit and reuse the rules
07:36 < wickwire> they do work
07:36 < ikrabbe> ah they do... ok :D
07:37 < wickwire> yes, from -L,
07:37 < wickwire> at least I'm not seeing any references to the openvpn ip range anywhere - 1.1.1.0
07:38 < ikrabbe> so if the default policy is to accept, the packages should be forwarded
07:38 < ikrabbe> btw. tcpdump is a great tool to see the packages flowing through your interfaces
07:39 < ikrabbe> what disturbs me from your paste is the different ip addresses on client and server. It looks (on the first look) as if the server uses 1.1.1.1<->1.1.1.2 and the client uses 1.1.1.5<->1.1.1.6
07:40 < wickwire> yes, I'm also seeing this
07:40 < wickwire> and I don't know why that is
07:40 < wickwire> since server is 1.1.1.1
07:40 < wickwire> and client is 1.1.1.6
07:41 < wickwire> I can't even find 1.1.1.2 and 1.1.1.5 anywhere in my settings
07:41 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:42 < wickwire> but similar is happening here > https://help.ubuntu.com/13.04/serverguide/openvpn.html
07:42 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
07:43 < ikrabbe> I wouldn't trust ubuntu guide if I haven't wrote them myself.
07:44 < wickwire> LOL
07:44 < wickwire> ok ok
07:44 < ikrabbe> but yes it might be ok, of course these interfaces are set automatically
07:45 < ikrabbe> I generally use specific ip addresses for the Certificates CN
07:45 < ikrabbe> which can be set through a "client-config-dir" option in the server configuration
07:47 < ikrabbe> the filenames in this directory must match the CN (depending on the openvpn version and compile time options some characters are replaced, just try around a bit).
07:49 < wickwire> it's just annoying because I've seen many "tips"
07:49 < ikrabbe> you just say "ifconfig-push IP-OF-THE-CLIENT-tun-DEVICE serverendpoint"
07:49 < wickwire> like setting ipv4 forwarding
07:49 < wickwire> and setting routes on the openvpn lan hosts
07:49 < ikrabbe> yes you can set routes for the clients there too
07:49 <+rob0> "Ubuntu" is Swahili for "blind leading the blind"
07:50 < wickwire> but it seems that somehow, the server isn't translating the packets from one network to the other
07:50 < wickwire> I saw gentoo guides, but those didn't help either
07:51 < ikrabbe> whats your exact problem (you can ping the server ip from the client, and the clients ip from the server? (I mean the tun's ips).
07:52 < wickwire> I can ping server <> client
07:52 < wickwire> I can't reach any machine behind the server, from the client end
07:53 < wickwire> and I can't reach the client, from any of the machines behind the server
07:53 <+rob0> !serverlan
07:53 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
07:53 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
07:53 < ikrabbe> ah, you need to masquerade the packages on the server, I think (by iptables -t nat -A -s 1.1.1.0/24 -j MASQUERADE) <- care with that its just a fast guess
07:53 <+rob0> no
07:54 <+rob0> flowchart
07:55 <+rob0> Masquerade is for RFC1918 networks to reach the Internet. In any other case, proper routing is all you need.
07:55 < ikrabbe> yes, I might have mixed that
07:56 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
07:58 < ikrabbe> what's the exact ip you try from your client? somehow it looks as if it should work.
07:59 <+rob0> Usually, working through that flowchart does the job, or at least helps pinpoint the problem.
08:00 < ikrabbe> the only thing that I find is that the netmask for the lan is different in the push route, but it should still work for your /24 hosts.
08:09 < spacen00b> is there a way to read the username and password from a file in 'client' mode on Linux?
08:09 -!- p3rror [~mezgani@41.250.237.10] has joined #openvpn
08:10 < ikrabbe> a user+password in a file is a private key, essentially
08:11 <@Eugene> yes; --auth-user-pass in the man page.
08:11 <@Eugene> Note that most public builds of openvpn do NOT have the ENABLE_PASSWORD_SAVE config option turned on to discourage this behaviour
08:12 <@Eugene> So you'll need to recompile to prove you want it
08:16 < spacen00b> thanks Eugene
08:18 <+rob0> Why do so many people here think they need user+password authentication?
08:19 <@Eugene> !cuz
08:19 <+rob0> I guess so.
08:19 <@Eugene> "Because fuck you, that's why."
08:41 -!- p3rror [~mezgani@41.250.237.10] has quit [Quit: Leaving]
08:42 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:48 < ikrabbe> what is that a function here !cuz
08:48 < ikrabbe> !cuz
08:48 < ikrabbe> hmm
08:49 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
08:50 < Valduare> morning guys - I setup openvpn server couple days ago and I can successfully connect to my office now from home - but its giving me a 10.xx ip instead of 192 like at the office I need some clues how to change this so I can access my servers from home
08:52 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:59 -!- master_of_master [~master_of@p4FD7B5C5.dip0.t-ipconnect.de] has joined #openvpn
09:03 -!- master_o1_master [~master_of@p4FD7BDA1.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
09:07 < Valduare> no ideas? :P
09:09 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
09:10 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
09:14 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 252 seconds]
09:15 -!- shwaiil [~shwaiil@host86-149-13-181.range86-149.btcentralplus.com] has joined #openvpn
09:15 < shwaiil> hi
09:16 -!- xBytez [~xBytez@2a00:f48:1025:feed:b00b:feed:7ae9:4cde] has joined #openvpn
09:16 -!- xBytez [~xBytez@2a00:f48:1025:feed:b00b:feed:7ae9:4cde] has quit [Changing host]
09:16 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
09:16 < shwaiil> Q: trying to understand how vpn works, so installed openvpn, followed a tutorial on how to configure it. Installed Viscosity. because has an import from server feature. I've got the public address foo.com forwarding to my internal machine 1.1.1.1 network port 943
09:16 < shwaiil> but this does seem to work, as apparently in the configuration opens
09:16 < shwaiil> there's
09:17 < shwaiil> 1194
09:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:27 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:31 < wickwire> rob0: about the issue with the serverlan, I had already added a route on the LAN machine behind the openvpn server, but it still hasn't solved it
09:32 < wickwire> it is detailed in the pastebin as well
09:32 < wickwire> http://pastebin.com/QeQgsRP8
09:32 < ikrabbe> wickwire: have you seen your difference between the netmasks of your push route and the lan route
09:33 < wickwire> ikrabbe: no, let me check
09:34 < wickwire> on the lan machine I added a route like so: route add -net 1.1.1.0 netmask 255.255.255.0 gw 172.16.0.7
09:34 < ikrabbe> one reason why I prefer the /nbits notation
09:35 < wickwire> where 172.16.0.7 is the LAN ip for the interface the openvpn server
09:35 < wickwire> which also has tun0 1.1.1.1
09:36 < wickwire> and on the openvpn server config, I have push "route 172.16.0.0 255.255.255.0"
09:36 < ikrabbe> yes, its the interface that is configured with 172.16.0.0 * 255.254.0.0 U 0 0 0 eth0
09:36 < wickwire> the client seems to receive the route being pushed
09:36 < wickwire> is it misconfigured then?
09:37 < wickwire> at the client,
09:37 < wickwire> when I try to ping/ssh the LAN machine,
09:37 < ikrabbe> it should not hurt, but I would try to set another interface route
09:37 < wickwire> or when I check with tracepath
09:37 < wickwire> I can see that the client knows which interface to use
09:37 < wickwire> to get to the LAN machine
09:38 < wickwire> and it does reach the openvpn server at 1.1.1.1
09:39 < wickwire> ikrabbe: could you be a little bit more specific sorry
09:39 < ikrabbe> yes of course. I would try a tcpdump on your server to see what happens with the packages that should be forwarded to 172.16.0.X
09:39 < wickwire> and also, thanks in advance for trying to help
09:39 < wickwire> ok I can do that
09:41 < wickwire> ok I'm running tcpdump -i eth0|grep 1.1.1.6 on the openvpn server
09:41 < wickwire> where eth0 is the LAN interface 172.16.0.x
09:41 < wickwire> now on the client, I started a ping to the LAN machine at 172.16.0.43
09:41 < wickwire> and tcpdump reports activity on the server
09:42 < wickwire> 15:41:26.938323 IP 1.1.1.6 > 172.16.0.43: ICMP echo request, id 10640, seq 59, length 64
09:43 < wickwire> and when I try to connect with ssh from the vpn client to the LAN machine:
09:43 < wickwire> 15:42:43.302331 IP 1.1.1.6.50312 > 172.16.0.43.ssh: Flags [S], seq 4125544623, win 29200, options [mss 1366,sackOK,TS val 5251763 ecr 0,nop,wscale 7], length 0
09:43 -!- kcodyjr [~kc@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
09:44 < wickwire> but the connection doesn't happen
09:44 < shwaiil> How to expose my VPN publicly ? I've got my domain server.public.foo, and I've setup my router to forward the public port server.public.foo:1194 to the machine that have openvpn, but my openvpn client can't reach it. Any tips or advice ? so i can put my head on this
09:44 < shwaiil> not even sure if this are the right port
09:45 -!- shwaiil [~shwaiil@host86-149-13-181.range86-149.btcentralplus.com] has quit [Remote host closed the connection]
09:46 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
09:50 -!- fejjerai [~quassel@corkblock.jefferai.org] has quit [Remote host closed the connection]
09:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:57 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 253 seconds]
09:58 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
10:02 < wickwire> ikrabbe, rob0: on this pastebin http://pastebin.com/52GnRQHF could these settings be causing the issues? I got this from the openvpn server, following a thread online
10:03 < wickwire> in my case, those variables are always = 1, regardless of openvpn service being up or down
10:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 272 seconds]
10:08 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
10:08 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:19 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
10:20 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
10:21 < wickwire> ok I've set those variables to 0 as well, no change
10:21 < wickwire> restarted as well
10:31 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds]
10:40 -!- sHockz [~shockz@zenofex.com] has joined #openvpn
10:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:02 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
11:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:07 -!- kalloc_ [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
11:12 -!- Fira [artix@unaffiliated/fira] has joined #openvpn
11:13 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
11:22 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:36 -!- doug[work] [~doug@47.23.122.202] has quit []
11:49 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
11:58 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Read error: Operation timed out]
12:00 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.2]
12:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:05 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
12:05 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
12:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
12:10 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 265 seconds]
12:31 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:53 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
12:56 -!- rkantos [robin@4e.fi] has joined #openvpn
12:57 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
12:58 -!- dazo is now known as dazo_afk
12:58 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
13:02 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
13:03 < pjschmitt> hi, I have a dumb question, but it's been killing me, I log on to the vpn, I can see the vpn server (a pfsense box) but can't hit hte lan
13:03 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Read error: Connection reset by peer]
13:04 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
13:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:08 < pekster> pjschmitt: review/follow:
13:09 < pekster> !serverlan
13:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:09 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:09 -!- rkantos [robin@4e.fi] has quit [Read error: Operation timed out]
13:10 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
13:15 -!- Cpt-Oblivious [~chatzilla@31-151-87-204.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
13:17 -!- rkantos [robin@4e.fi] has joined #openvpn
13:24 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
13:31 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
13:32 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
13:32 -!- mode/#openvpn [+o raidz] by ChanServ
13:36 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
13:37 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
13:37 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
13:41 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
14:00 -!- JohnGalt1 [~user@ip72-207-127-163.sd.sd.cox.net] has quit [Remote host closed the connection]
14:02 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
14:06 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
14:15 -!- lj1 [~l@192.241.174.169] has joined #openvpn
14:17 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 248 seconds]
14:20 -!- Cpt-Oblivious [~chatzilla@31.220.42.40] has joined #openvpn
14:36 -!- dextro_ is now known as djshotglass
14:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:41 -!- wickwire [~wickwire@a81-84-184-53.cpe.netcabo.pt] has quit [Remote host closed the connection]
14:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
14:51 -!- joshh20-Away is now known as joshh20
15:00 -!- joshh20 is now known as joshh20-Away
15:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:09 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:10 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
15:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
15:17 -!- klein_ [~klein@177.101.109.161] has joined #openvpn
15:17 -!- klein_ [~klein@177.101.109.161] has quit [Changing host]
15:17 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
15:19 -!- u0m3_ [~u0m3@92.80.113.181] has joined #openvpn
15:21 -!- u0m3 [~u0m3@109.96.139.13] has quit [Ping timeout: 240 seconds]
15:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:02 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
16:03 -!- markus_ [~markus@mirkk.vpntunnel.com] has quit [Ping timeout: 260 seconds]
16:03 -!- markus_ [~markus@mirkk.vpntunnel.com] has joined #openvpn
16:07 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 252 seconds]
16:08 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
16:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
16:20 -!- tefla [~Thunderbi@cpc9-brig18-2-0-cust190.3-3.cable.virginm.net] has joined #openvpn
16:21 < tefla> !paste
16:21 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
16:23 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:26 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has quit [Ping timeout: 260 seconds]
16:31 < tefla> Hi All! I have purchased a bunch of credentials and host information for VPN servers (Proxy.sh). When i start an OpenVPN session, everything works fine (because 'route-method exe' in my config file is adding 0.0.0.0 to the correct gateway?) and my IP has changed.
16:31 < tefla> Question: I am writing a script in Ruby, and only want that script to use the VPN, and the rest of the system to use the default gateway?
16:33 < tefla> ovpn client config https://gist.github.com/tefla/b4dc7840657b78696a78
16:33 <@vpnHelper> Title: Client config (at gist.github.com)
16:34 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:36 < tefla> https://gist.github.com/tefla/5f92560a88bcce3758c4
16:36 <@vpnHelper> Title: Socat experiments (obviously didnt work) (at gist.github.com)
16:36 < pekster> 0/0 is the wrong thing to change. Fix your server to not do things that will eventually break. Read about !redirect and !def1 for details
16:37 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
16:38 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
16:38 < tefla> pekster: I don't run the server right? Proxy.sh run them?
16:38 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has quit [Client Quit]
16:38 < tefla> !redirect
16:38 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:38 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:39 < pekster> Then you should find people who have more of a clue, IMO
16:39 < tefla> Ok, i'm trying to learn here
16:40 < pekster> If you aren't getting /1 routes you could ignore the pushed routes and "handle it yourself", but there's a bit of a learning curve there
16:40 < pekster> As for your app issue, you need some form of policy routing for that
16:40 < pekster> !routebyapp
16:40 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
16:40 <@vpnHelper> policies you set. For Linux, read about !lartc
16:40 < pekster> #2 is what you want unless there's an established SOCKS proxy at the remote end of your tunnel
16:40 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Remote host closed the connection]
16:42 < tefla> Ok, routebyapp looks like what i need to look at. There isn't any service on the other side. Just an 'anonymised' IP to make connections from
16:43 < pekster> policy routing specifically. If you're on Windows, "good luck."
16:43 < tefla> No! linux
16:43 < pekster> Yea, start at the lartc resources then. You basically need to treat it as a multiple-uplink situation and get routing rules/tables defined to do what you want
16:44 < tefla> Thanks for the pointers pekster! I was starting to run out of Google searches. I was thinking i could just use socat to create a local socket to the device description file, but ... that didn't work :)
16:45 < pekster> policy routing isn't "that" bad, but you've got some new concepts to learn. Focus on learning how multiple routing tables work, how you send traffic to an alternative table, and how you can leverage Netfilter to mark traffic to treat differently so that you can identify it later with `ip rule`
16:46 < pekster> lartc teaches you most of that, and shows you how to key off per-packet nfmark details
16:46 < pekster> #Netfilter is a good resource too for most of this, and Netfilter especially
16:48 < tefla> Thanks again pekster, I have never dealt in low(ish) level networking stuff at all. Mostly built webapps until now
16:55 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
17:01 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
17:04 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
17:09 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 264 seconds]
17:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
17:35 < Valduare> hey guys
17:35 < Valduare> hows it going tonight
17:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:42 -!- tefla [~Thunderbi@cpc9-brig18-2-0-cust190.3-3.cable.virginm.net] has quit [Quit: tefla]
17:44 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:00 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
18:03 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
18:03 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:07 -!- Cpt-Oblivious [~chatzilla@31.220.42.40] has quit [Ping timeout: 245 seconds]
18:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
18:23 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
18:24 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
18:30 -!- mchou [~quassel@unaffiliated/mchou] has joined #openvpn
18:33 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
18:51 -!- sudormrf [~pineapple@12.235.42.129] has joined #openvpn
18:52 < sudormrf> hello all.  I have a quick question.  I have an openVPN tunnel setup, but my computer will randomly disconnect from it.  this usually occurs when the screen locks and then I go to unlock it.  I am not sure if this is an OpenVPN feature or not.  Does anyone know the answer?
18:57 -!- u0m3__ [~u0m3@92.80.113.181] has joined #openvpn
19:00 -!- u0m3_ [~u0m3@92.80.113.181] has quit [Ping timeout: 245 seconds]
19:04 <@krzee> sounds like your network disconnects when it sleeps
19:08 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
19:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:11 -!- sudormrf is now known as sudormrf|away
19:12 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
19:12 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
19:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 241 seconds]
19:17 <@ecrist> bonjour
19:23 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
19:30 -!- james41382__ [~james@173.192.170.96] has joined #openvpn
19:30 -!- james41382__ [~james@173.192.170.96] has quit [Changing host]
19:30 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
19:34 -!- james41382__ [~james@unaffiliated/james41382] has quit [Client Quit]
19:45 -!- pinchmesh [~tom@198.14.224.137] has joined #openvpn
19:45 < pinchmesh> hi
19:46 -!- u0m3__ is now known as u0m3
19:47 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
19:47 < pinchmesh> how do i set "route-gateway" in the config file??? server will not accept dhcp
19:47 < pinchmesh> (or so it seems)
19:47 <@ecrist> what are you trying to do, really/
19:48 < pinchmesh> just establish openvpn... configured correctly
19:48 -!- james41382__ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
19:49 < pinchmesh> it works ok, but keep getting errors when run of needing ifconfig and route-gateway
19:49 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
19:49 < pinchmesh> the man page does not have the info i need
19:49 < pinchmesh> what's the syntax
19:50 < pinchmesh> ???
19:50 < pinchmesh> ifconfig 10.8.0.2 255.255.255.0
19:50 < pinchmesh> route-gateway 'dhcp'
19:52 < pinchmesh> asus router
19:52 < pinchmesh> linux mint16 / xfce
19:53 < pinchmesh> openvpn is anti netem!!!
19:54 < pinchmesh> at least, with a bridge, it is
19:56 < pinchmesh> netem --> http://www.linuxforu.com/2012/06/bandwidth-throttling-netem-network-emulation/
19:56 <@vpnHelper> Title: Bandwidth Throttling with NetEM Network Emulation - LINUX For You (at www.linuxforu.com)
19:59 < pinchmesh> soooo cool
20:03 -!- pinchmesh [~tom@198.14.224.137] has quit [Quit: Leaving]
20:04 <@ecrist> pinchmesh: are you trying to route your entire internet traffic through openvpn?
20:04 <@ecrist> never mind
20:08 -!- pinchmesh [~tom@198.14.224.137] has joined #openvpn
20:08 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 272 seconds]
20:08 < pinchmesh> sorry. xchat died
20:08 <@ecrist> pinchmesh: are you trying to route your entire internet traffic through openvpn?
20:08 < pinchmesh> yep
20:08 <@krzee> !redirect
20:08 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:08 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:08 <@ecrist> !def1
20:08 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
20:09 <@ecrist> hey krzee
20:09 <@ecrist> did you see my pm?
20:09 <@krzee> yep
20:09 <@krzee> thats a lot
20:09 <@ecrist> that's what I thought.
20:09 < pinchmesh> yes, thanks
20:10 < pinchmesh> it works ok, and my wife can use the tunnel with just a bridge
20:10 < pinchmesh> as long as the tunnel is up
20:10 <@ecrist> pinchmesh: you need to also make sure your vpn server or network are natting traffic if needed, and that your openvpn server has ip_forwarding enabled in the kernel
20:11 < pinchmesh> ip_fordwarding is enabled in sysctl.conf
20:11 <@ecrist> is it enabled in the kernel now?
20:11 <@krzee> if it works then whats the problem?
20:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:11 < pinchmesh> ahh, what module is it?
20:12 <@ecrist> sysctl -a | grep forwar
20:12 < pinchmesh> krzee... maybe it would work better???
20:12 < pinchmesh> sec
20:12 <@krzee> is there something wrong?
20:13 < pinchmesh> getting errors about ifconfig and route-gateway
20:13 <@ecrist> !logs
20:13 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
20:14 < pinchmesh> ecrist... in /var/log?
20:15 <@krzee> !logfile
20:15 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
20:15 < pinchmesh> looks like everything ! is set to forward
20:15 < pinchmesh> in the kernel
20:16 -!- klein [~klein@177.101.109.161] has joined #openvpn
20:16 -!- klein [~klein@177.101.109.161] has quit [Changing host]
20:16 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:16  * ecrist gives up, goes drinking
20:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
20:17 <@krzee> you have me for a few more minutes, im smoking before i go out
20:17 <@krzee> !krzee
20:17 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana
20:19 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
20:19 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
20:19 <@Eugene> !eugenekay
20:19 <@vpnHelper> "eugenekay" is right because EugeneKay is always right.
20:19 <@Eugene> Where's the flight attendant. I need a drink.
20:21 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
20:21 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
20:27 < pinchmesh> k, off to play some more... thanks
20:28 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 260 seconds]
20:30 -!- pinchmesh [~tom@198.14.224.137] has quit [Quit: Leaving]
20:30 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
20:31 < kossy> wat
20:32 < kossy> oops
20:32 -!- troyt [~troyt@2601:7:6200:1132:44dd:acff:fe85:9c8e] has joined #openvpn
20:46 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
21:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:13 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has quit [Ping timeout: 272 seconds]
21:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
21:18 -!- booo [~booo__@p54BD8623.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
21:19 -!- booo [~booo__@p54BDB8CF.dip0.t-ipconnect.de] has joined #openvpn
21:19 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:29 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: My name is Inigo Montoya. You killed my father. Prepare to die]
21:40 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:41 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:03 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
22:04 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:08 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 272 seconds]
22:10 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
22:10 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has quit [Read error: Connection reset by peer]
22:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:15 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
22:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
22:18 -!- lj1 [~l@192.241.174.169] has joined #openvpn
22:20 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
22:20 -!- moparisthebest [~quassel@2001:470:1f11:88c::2] has joined #openvpn
23:02 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
23:02 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 253 seconds]
23:04 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 272 seconds]
23:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:14 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
23:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 264 seconds]
23:18 -!- james41382_ [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
23:37 -!- sander__ [~sander@58.82.9.46.customer.cdi.no] has quit [Ping timeout: 240 seconds]
--- Day changed Sat Feb 01 2014
00:00 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:03 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
00:08 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
00:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:13 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:14 < mdim> hi all
00:14 < mdim> I'm setting up a vpn, and I'm having a trouble with adding firewall rules
00:14 < mdim> in particular, iptables reports an error for the following rule: -t nat -A POSTROUTING -s 10.0.5.0/24 -o eth0 -j MASQUERADE
00:15 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
00:15 < mdim> in particular, it says: Applying iptables firewall rules:iptables-restore v1.4.14: Line 72 seems to have a -t table option.
00:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
00:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:24 -!- makara [~makara@105-208-249-198.access.mtnbusiness.co.za] has joined #openvpn
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:02 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
01:03 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
01:04 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
01:04 -!- mdim` [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
01:05 -!- mdim` is now known as mdim
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:13 -!- u0m3_ [~u0m3@92.80.120.254] has joined #openvpn
01:14 -!- he1kki_ [~heikki@border.bitcoinia.net] has quit [Read error: Operation timed out]
01:15 -!- u0m3 [~u0m3@92.80.113.181] has quit [Ping timeout: 252 seconds]
01:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
01:24 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
01:24 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
01:26 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
01:35 -!- bmoriarty [~bmoriarty@yt.acm.uiuc.edu] has joined #openvpn
01:52 -!- takamich_ [~takamichi@85.12.8.105] has joined #openvpn
01:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
02:10 -!- makara [~makara@105-208-249-198.access.mtnbusiness.co.za] has quit [Quit: Leaving]
02:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
02:46 -!- takamich_ [~takamichi@85.12.8.105] has quit [Ping timeout: 240 seconds]
02:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:50 -!- lj [~l@99.155.24.89] has joined #openvpn
02:55 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 260 seconds]
02:55 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
02:57 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
02:57 < reiffert> mdim: trying to edit the iptables save and restore file manually?
02:57 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 240 seconds]
02:59 -!- nlopez_ [~quassel@198.211.102.196] has quit [Read error: Connection reset by peer]
02:59 -!- thalweg [~quassel@198.211.102.196] has joined #openvpn
03:01 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 260 seconds]
03:01 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
03:08 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
03:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
03:20 -!- supergauntlet_ [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has joined #openvpn
03:26 -!- Firartix [artix@unaffiliated/fira] has joined #openvpn
03:26 -!- `Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
03:27 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
03:30 -!- Netsplit *.net <-> *.split quits: Monotoko_, brabo, Fira, bmoriarty, Mike--, aji, matsh, Nothing4You, gardar, JPeterson,  (+3 more, use /NETSPLIT to show all of them)
03:30 -!- Firartix is now known as Fira
03:30 -!- `Nothing4You is now known as Nothing4You
03:34 -!- Netsplit over, joins: bmoriarty, Mike--, aji, brabo, Monotoko_, gardar, matsh, peper, kevinsky
03:34 -!- dren [dren@69.163.43.34] has quit [Ping timeout: 252 seconds]
03:34 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
03:36 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
03:40 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
03:41 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 260 seconds]
03:41 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
03:41 -!- peper [~peper@gentoo/developer/peper] has quit [Max SendQ exceeded]
03:42 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
03:42 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
03:48 -!- sander_ [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
03:56 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
04:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:10 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
04:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:12 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Remote host closed the connection]
04:13 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
04:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
04:20 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
04:30 -!- spacen00b [~root@in.sinc.ro] has quit [Quit: Lost terminal]
04:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
04:38 < rtur> Hi, I'm trying to setup an iptables firewall. I know enough to read iptable rules but next to no experience in writing them, so I was wondering if there is a more or less complete vpn aware firewall I could use ?
04:39 -!- newbie|2 [kvirc@conference/fosdem/x-cbagonvjnklxdgvq] has joined #openvpn
04:40 < newbie|2> Any people live at FOSDEM at the moment?
04:40 -!- newbie|2 is now known as testie
04:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:15 -!- testie [kvirc@conference/fosdem/x-cbagonvjnklxdgvq] has quit [Ping timeout: 265 seconds]
05:16 -!- kloeri is now known as kloeri|fosdem
05:19 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
05:21 -!- klein [~klein@189.72.111.57] has joined #openvpn
05:21 -!- klein [~klein@189.72.111.57] has quit [Changing host]
05:21 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:21 -!- newbie|2 [kvirc@conference/fosdem/x-ebsmyjszgmmfdgyg] has joined #openvpn
05:34 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
05:36 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:37 -!- newbie|2 is now known as polarssl
05:46 -!- dren [dren@69.163.43.34] has joined #openvpn
05:52 -!- polarssl [kvirc@conference/fosdem/x-ebsmyjszgmmfdgyg] has quit [Ping timeout: 260 seconds]
05:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
06:11 -!- newbie [kvirc@conference/fosdem/x-ntqjgssrsuennyim] has joined #openvpn
06:11 -!- newbie is now known as polarssl
06:27 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
06:27 -!- klein [~klein@189.72.111.57] has joined #openvpn
06:27 -!- klein [~klein@189.72.111.57] has quit [Changing host]
06:27 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:46 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
07:09 -!- polarssl [kvirc@conference/fosdem/x-ntqjgssrsuennyim] has quit [Ping timeout: 252 seconds]
07:25 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
07:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-qcnyzimskqvexzfz] has quit [Ping timeout: 248 seconds]
07:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-duatfcqmlvlojzma] has joined #openvpn
07:37 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 260 seconds]
07:37 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
07:53 -!- jinnko [jinnko@conference/fosdem/x-xhlibearjpaolovw] has joined #openvpn
07:54 < jinnko> hey folks. can anyone tell me how to make a working openvpn 2.3 also listen for clients connecting via ipv6?  have seen http://www.greenie.net/ipv6/openvpn.html but can't get the right combo of config.
07:54 <@vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
07:55 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
08:05 < jinnko> current config is at http://pastebin.com/frwC0snr if anyone can provide any suggestions
08:08 -!- polarssl [kvirc@conference/fosdem/x-cjgubzxyfsslrkaz] has joined #openvpn
08:18 -!- jinnko [jinnko@conference/fosdem/x-xhlibearjpaolovw] has quit [Quit: Leaving...]
08:18 -!- jinnko` [~jinnko@2a01:4f8:192:1204::2] has joined #openvpn
08:22 -!- jinnko` is now known as jinnko
08:22 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
08:29 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
08:33 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
08:33 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
08:36 -!- crus` [~crusader@2001:44b8:319e:2900:ddf6:6088:44aa:379c] has quit [Ping timeout: 264 seconds]
08:43 -!- sumolananas [~chatzilla@cm12.sigma68.maxonline.com.sg] has joined #openvpn
08:45 < sumolananas> Hey guys, I'm having problems with DNS when connecting to a companies openVPN server. I can access all the IPs inside the company, but everything that needs a DNS is busted. Is there a way I can "fix" this on the client side? (Windows 8.1)
08:51 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
08:56 < ikrabbe> sumolananas: I bet you want the companies DNS over public DNS?
08:56 < sumolananas> looking at the logs
08:56 < sumolananas> it looks like part of the commands are for linux
08:56 < sumolananas> part are for windows
08:56 < sumolananas> (push cmds)
08:56 < ikrabbe> see you systems documentation about setting a DNS interface or use an operatin system you can control
08:57 < sumolananas> I'm pretty sure it is possible to control, but as for lack of knowledge thats why I'm here
08:57 < sumolananas> changing the OS would put me on the same spot
08:57 < ikrabbe> Windows has been very resistent against configuring several (virtual) network interfaces
08:58 < ikrabbe> and they change the api's to control that with every (minor) version
08:59 < ikrabbe> so noone who does professional system administration really cares about gaming station operation systems
08:59 < sumolananas> well no need
08:59 < sumolananas> I guess I can stick to my gaming station
09:00 < sumolananas> as it was as simple as go to the adapter and put googles DNS servers
09:00 < sumolananas> back to business, but thanks for the insight
09:00 -!- master_o1_master [~master_of@p4FF24C59.dip0.t-ipconnect.de] has joined #openvpn
09:00 < sumolananas> exit
09:00 -!- sumolananas [~chatzilla@cm12.sigma68.maxonline.com.sg] has left #openvpn []
09:03 -!- master_of_master [~master_of@p4FD7B5C5.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
09:09 -!- jinnko is now known as jinnko`
09:13 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
09:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:17 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:17 -!- jinnko` is now known as jinnko
09:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
09:19 -!- polarssl [kvirc@conference/fosdem/x-cjgubzxyfsslrkaz] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
09:22 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
09:24 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
09:29 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
09:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:44 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
09:55 -!- jinnko is now known as jinnko`
09:56 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
10:02 -!- jinnko` is now known as jinnko
10:04 < boyscout> Hi, I'm hoping someone can help me troubleshoot my OpenVPN server. I'm running OpenVPN 2.2.1 on a raspberry pi, and am able to connect via an ios client external to the Lan. From a machine on the LAN, I can ping the server at both 192.168.0.8 and 10.8.0.1, it's LAN and VPN subnet addresses respectively, but can't ping 10.8.0.6 which is the connected iOS client. From the iOS client, I can ping 192.168.0.8 and 10.8.0.1., bu
10:04 < boyscout> t not 192.168.0.3 which is the other machine on the LAN. I'm using push "route 192.168.0.0 255.255.255.0" in the server.conf file.
10:04 < boyscout> Any thoughts on what may be preventing me from pinging other items on the LAN from the iOS client, and vise versa?
10:05 < Valduare> I just setup openevpn server myself for the first time - i can connect fine at home but its giving me 10.xx ip address and won't let me ping the servers local to the vpn server on 192
10:05 < Valduare> how can I configure this
10:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:12 < boyscout> I can provide my server and client config files if that will help.
10:20 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
10:30 -!- jinnko is now known as jinnko`
10:42 -!- joshh20-Away is now known as joshh20
10:44 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
10:54 -!- donvito [~nertil@unaffiliated/donvito] has joined #openvpn
10:59 -!- djshotglass [d@2600:3c01::f03c:91ff:feae:3d2b] has left #openvpn []
11:06 -!- donvlto [~nertil@212.158.180.13] has joined #openvpn
11:08 -!- donvito [~nertil@unaffiliated/donvito] has quit [Ping timeout: 252 seconds]
11:08 < boyscout> Ah, problem solved. If others are having a similar issue, it turns out I needed to add the following line to my sysctl.conf file: net.ipv4.ip_forward = 1
11:09 < boyscout> You can check this setting with the command cat /proc/sys/net/ipv4/ip_forward on a linux shell
11:10 -!- donvlto [~nertil@212.158.180.13] has quit [Read error: Connection reset by peer]
11:13 -!- _bt [foobar@unaffiliated/bt/x-192343] has quit [Ping timeout: 272 seconds]
11:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
11:19 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
11:25 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
11:34 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has left #openvpn []
11:37 -!- ile_ [~ile@109-92-70-216.dynamic.isp.telekom.rs] has joined #openvpn
11:37 -!- ile_ [~ile@109-92-70-216.dynamic.isp.telekom.rs] has quit [Client Quit]
11:37 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has quit [Ping timeout: 252 seconds]
11:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:53 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
11:59 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:59 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
12:03 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
12:27 -!- joshh20 is now known as joshh20-Away
12:27 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 252 seconds]
12:29 -!- losted [~losted@box.losted.net] has joined #openvpn
12:34 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
12:34 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
12:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
12:38 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
12:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
12:48 -!- joshh20-Away is now known as joshh20
12:48 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
12:49 -!- takamichi [~takamichi@108.170.1.166] has joined #openvpn
12:54 -!- takamichi [~takamichi@108.170.1.166] has quit [Ping timeout: 260 seconds]
12:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:19 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
13:29 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
13:30 -!- supergauntlet_ [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has quit [Changing host]
13:30 -!- supergauntlet_ [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
13:30 -!- supergauntlet_ is now known as supergauntlet
13:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:39 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
13:40 -!- NoobSaibot [~NoobSaibo@cpe-65-25-238-185.new.res.rr.com] has quit [Ping timeout: 252 seconds]
13:45 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 272 seconds]
13:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
13:51 -!- Devastatr [~devas@177.99.152.207] has joined #openvpn
13:52 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 272 seconds]
14:02 -!- joshh20 is now known as joshh20-Away
14:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:08 -!- JustSighDudes [~Anon@unaffiliated/justsighdudes] has joined #openvpn
14:08 < JustSighDudes> Hi. Where can I find the installation package that works with windows 8,1?
14:33 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 264 seconds]
14:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
14:39 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
14:40 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Ping timeout: 240 seconds]
15:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:07 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
15:11 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
15:15 -!- Valduare [~Valduare@108-198-116-80.lightspeed.mdsnwi.sbcglobal.net] has quit [Ping timeout: 264 seconds]
15:31 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
15:38 -!- fejjerai [~quassel@corkblock.jefferai.org] has quit [Ping timeout: 260 seconds]
15:38 <@ecrist> JustSighDudes: it's on the download page
15:38 <@ecrist> !download
15:38 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
15:39 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
15:39 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
15:39 < JustSighDudes> I tried that but didn't work on my Win7 install. Had to by viscosity or something.
15:40 <@ecrist> I use that install on my windows 7 system now
15:40 <@ecrist> and a coworker uses it on windows 8.1
15:41 <@ecrist> I'd suggest trying harder
15:41 <@ecrist> viscosity is mac os x
15:42 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
15:42 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
15:42 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
15:42 < JustSighDudes> Windows also.
15:42 < JustSighDudes> Alright I guess I'll try it.
15:43 <@ecrist> you asked a question and got an answer. :)
15:46 < JustSighDudes> Yep.
15:46 < JustSighDudes> ecrist: I remember the last time I tried it I had to boot to bios or something and disable signed driver checking or something. Is that still the case?
15:50 -!- lj1 [~l@99.155.24.89] has joined #openvpn
15:50 <@ecrist> don't think so.  easy enough for you to figure out though...
16:10 -!- Devastatr [~devas@177.99.152.207] has quit [Changing host]
16:10 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
16:10 -!- Devastatr is now known as Devastator
16:31 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has joined #openvpn
16:38 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:40 -!- map|work [~515ed518@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
16:40 < map|work> g'day
16:49 -!- lj1 [~l@99.155.24.89] has quit [Quit: Leaving.]
16:57 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Operation timed out]
16:58 -!- boyscout [~boyscout@c-68-82-37-6.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
17:01 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
17:06 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
17:15 -!- mdim [~user@c-98-202-213-82.hsd1.ut.comcast.net] has joined #openvpn
17:27 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
17:27 < Jediman> hello, I have a question about DD-WRT and OpenVPN, I get this error once I try and connect to my vpn, any help would be appricated TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1194[2], expected peer address: [AF_INET]24.58.240.166:1194 (allow this incoming source address/port by removing --remote or adding --float)
17:30 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
17:31 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
17:33 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
17:33 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
17:33 -!- heraclitus__ is now known as heraclitus
17:33 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has quit [Changing host]
17:33 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:36 < Thermi> Jediman: What's your config? Post it, please.
17:44 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:45 < Jediman> one sec Therm
17:45 < map|work> would it not be best to pastebin it
17:45 < map|work> =]
17:46 < Jediman> http://pastebin.com/isPhE4Rm
17:46 < Jediman> yea :), dont want to spam the channel
17:47 < map|work> ya thats what i was thinking :D  what router you using? I need to get a new modem/router and get DD/Openwrt on it:)
17:47 < Jediman> e1200
17:48 < map|work> most of the time ive read up on it thy seem to be routers only..id prefer modem/router in one:)
17:49 < Jediman> yea, mine is straight router, I haven't forked out the money to buy my own and not use the one from Time warner
17:49 < pekster> !dd-wrt
17:49 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
17:49 < pekster> Your call if that's the right OS to be using
17:52 < Jediman> you not a fan of dd wrt pekster?
17:52 < pekster> Jediman: Sounds like you messed up your NAT and the reply from the server is having source-NAT translation
17:52 < pekster> Read the forum links and decide for yourself. Lots of people are happy with it, but I wouldn't ever use or recommend it
17:53 -!- mdim [~user@c-98-202-213-82.hsd1.ut.comcast.net] has quit [Ping timeout: 272 seconds]
17:54 < Thermi> Yep, looks like screwed up SNAT
17:54 < Thermi> To forward traffic from the router to LAN boxes, you have to DNAT, not SNAT
17:54 < Jediman> I will give it a read pekster
17:56 < Jediman> In reference to Dynamic vs Static NAT?
17:56 < map|work> ive always heard ddwrt is nice !
17:57 < Jediman> sorry for the lack of knowledge, trying to learn :)
17:57 < Thermi> SNAT = Source Network Address Translation
17:57 < Thermi> DNAT = Destination Network Address Translation
17:58 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
17:58 < Thermi> SNAT is for masquerading your private address space on the LAN side, so you don't leak RFC1918 addresses to the internet
17:58 < Thermi> DNAT is for forwarding specific traffic to LAN side boxes
17:58 < pekster> map|work: You mean the "accidental" addition of private client rules into public firmwares, or maybe the inclusion of all their keys into the little back box project? Or maybe how their build system doesn't release the build tools they use (which is a violation of both the GPLv2 and v3)? It's a horrible project
17:58 < Thermi> Like forwarding port 80 of your local webserver to the internet, so it can be reached.
17:59 < pekster> Lots of people like it, and technically both run openvpn, though I have no idea how well with dd-wrt. openwrt lets you do the whole thing in a standard config file with a `config` directive
17:59 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
17:59 < map|work> i didnt know all that pekster  i just thought it worked well with routers and allowed people to do lots more than the normal fw allows
18:00 < Thermi> Only few people are aware of how much netter OpenWRT is compared to DD-WRT, because that topic rarely goes through their mind, when they make the decision.
18:01 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
18:01 < pekster> Buy the time you buy ill-supported hardware, it's too late
18:01 < pekster> Smart people research it ahead of time. The rest just buy what's on sale and encourage mfgr's to sell junk hardware
18:02 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
18:02 < map|work> ive used openWRT many years back-hadnt actually used DD-WRT just seen it mentioned a lot!
18:02 < pekster> I have a broadcom device that can only run the 2.4 Linux kernel if you want wifi becuase the wifi chipset mfgr never released 2.6-compat kernels
18:02 < Jediman> brb Thermi, dorked the router up, can't access it, going to fix it :)
18:02 < Jediman> thanks for the help
18:02 < Thermi> Jediman: Well, happened to me, too. Good effort!
18:05 -!- joshu__ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
18:05 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
18:07 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
18:07 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 252 seconds]
18:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:14 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has joined #openvpn
18:22 -!- Cpt-Oblivious_ [~chatzilla@31.220.42.40] has joined #openvpn
18:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
18:24 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
18:24 < Jediman> ok, now that I un messed my router :p
18:24 < Jediman> Thermi you still around?
18:28 < Thermi> yep
18:28 < Thermi> :D
18:29 < Thermi> (Sorry for the smiley. I've just had a moment of joy)
18:29 < Jediman> haha, alls good
18:30 -!- joshh20-Away is now known as joshh20
18:31 < Jediman> had to reset router, re entering the certs now, trying to figure out the DNAT, am I correct in saying that I can still use the 192.168.1.0 subet so the remote clients can connect to my NAS drives?
18:35 < Thermi> What do you need to do actually?
18:36 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 272 seconds]
18:37 < Jediman> 1 sec, kid issues :)
18:37 < Thermi> SNAT/masquerade is the correct way to connect boxes in RFC1918 networks to the internet.
18:37 < Thermi> Yes. you can of course still use that subnet.
18:37 < Thermi> There's no issue with that
18:38 < Thermi> There's only the issue that there is one or several firewall rules that SNAT some traffic, that is not supposed to be SNATed
18:46 < Jediman> I find setting this up so much harder than the Concertators that I've set up lol
18:46 < Thermi> CISCO VPN concentrators?
18:46 < Thermi> IPSEC?
18:47 < Jediman> yea, did it for my schooling, had to set up a network
18:47 < Jediman> equipment was a little dated though :p
18:51 < Thermi> IMHO Most CISCO setups are ... outdated and missmanaged anyways
18:51 < Thermi> *mismanaged
18:51 < Thermi> No offense to you, but that's just the way it feels.
18:52 < Jediman> none taken, its what the military paid for :p
18:52 < Thermi> Oh well.
18:54 -!- lj [~l@99.155.24.89] has joined #openvpn
19:03 < map|work> does anyone here have much experience with using openVPN and ios ipad/phone?using in line certs and it works..but then it will sudden;ly say pause (network unavaliable) and its not..if i disconnect/reconnect works right away
19:03 < map|work> cant see how to fix it..i did post on forum/tweet @ openvpn -
19:14 -!- Andy_xpc [~madandyxp@cpc2-nmal1-0-0-cust159.19-2.cable.virginm.net] has joined #openvpn
19:15 -!- Andy_xpc [~madandyxp@cpc2-nmal1-0-0-cust159.19-2.cable.virginm.net] has left #openvpn []
19:19 -!- james41382__ is now known as james41382
19:29 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
19:36 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
19:38 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 264 seconds]
19:40 < kcodyjr> in what circumstances would openvpn call "learn-address update"?
19:40 < pekster> When a routed setup sends a packet with a new source address, or when a tap setup does the same for a new L2 (MAC) address
19:41 < kcodyjr> including or excluding the first address that came up when the tunnel was first opened?
19:41 < pekster> Or did you mean update comapred to add?
19:41 -!- map|work [~515ed518@94-193-78-219.zone7.bethere.co.uk] has quit [Quit: CGI:IRC (EOF)]
19:41 < kcodyjr> yes.
19:42 < kcodyjr> add/delete are obvious enough. run the nsupdate script to either insert or remove. but what's the "update" mode for?
19:43 < pekster> Let's see what the source says about that
19:43 < kcodyjr> hey luke. use the source. ;) let me go pull a copy.
19:44 < pekster> As messy as it is, it's still one-step better than msdn ;)
19:44 < kcodyjr> 2.3.2 source tree (gentoo ebuild) be handy in a moment.
19:44 < pekster> Yup. openvpn is on github too if you prefer that
19:45 < pekster> The magic begins at src/openvpn/options.c to set the struct that holds the scripts, but the magic to do the real work will be elsewhere
19:45 < kcodyjr> i'll deal with github if i wind up generating a patch. "ebuild <filename> unpack" is just too easy. ;)
19:46 < kcodyjr> my gut says look into magic.c (and grep says too.)
19:47 < pekster> It'll probably be part of multi.c
19:47 < kcodyjr> hm, what's this? learn-address plugins? methinks i'll be retooling my script once i've verified it behaves. cool feature. :)
19:47 < pekster> If you're playing along at home ;) you can see options.c:5697 (as of git-master anyway, your lines might be different at 2.3.2) the options->learn_address_script element is set
19:48 < pekster> The only src files referencing that member are in multi.c
19:48 < kcodyjr> and it's suggesting i look for learn_address with the underbar
19:49 < pekster> Yup, so if you `grep -nR learn_address_script *` from the src root, only multi.c references that member
19:49 < pekster> mutli.c:961 is the only place where "update" is also included, so it's a good bet that's the only invocation that does updates
19:49 < kcodyjr> thank you. you're a bit more deft with deep trees than i am, it seems. it's in multi_learn_addr.
19:50 < kcodyjr> gets called when *oldroute is not null
19:50 < pekster> Yup
19:50 < kcodyjr> i'm glad i asked, this looks important. the update call has to do something and say whether it succeeded or failed.
19:51 < pekster> So, the beginning with `he = hash_lookup_fast` seems to start the whole thing off
19:51 < pekster> If the lookup succeeds, it'll set the oldroute multi_route struct based on the value of the owning instance
19:51 < kcodyjr> yes. and that's where things are getting opaque to the point i'd truly need to grok the software architecture to answer this myself.
19:52 < pekster> But if that fails (and I haven't looked at those called funcs to see why) it'll be an "update" instead of an "add"
19:52 < pekster> Erm, sorry, other way around
19:53 < pekster> I suspect that's rare in practice, but maybe there's a corner case I haven't considered
19:53 < pekster> Maybe if a client times out and reconnects while the server thinks the "old" instance is still active (but now it's on a new connection) that'll cause an update?
19:53 < pekster> That's the best senario I can think of
19:54 < kcodyjr> i downloaded someone's cheesy nsupdate.sh script and inserted a "echo $0 $* >> /tmp/log.txt" at the beginning as well as a "set > log.env". an update happened. i didn't catch it happening so i didn't get to save the env, or see what was happening.
19:54 < kcodyjr> hm now that might make sense
19:54 < kcodyjr> maybe a sigkill on the client might test that
19:54 < pekster> Well, with --duplicate-cn enabled too. I don't actually know what happens if you allow --duplicate-cn with a ccd that includes --iroute
19:54 < pekster> Without --duplicate-cn you'd never end up with "two" live instance owning a network
19:55 < kcodyjr> --duplicate-cn sounds like a retarded thing to do, and at the moment this is a one-client installation. no ccd contents.
19:55 < kcodyjr> by "owning a network" we are in fact talking about a routing table entry, right?
19:55 < pekster> You don't usually need --learn-address without client-side LANs
19:55 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:55 < pekster> So, the use-case here is typically (in a routed setup anyway) to do something (often firewall rules, but whatever really) when a "new" address is seen from the VPN per
19:55 < pekster> By address I mean the inside address, or the IP being transported inside the tunnel
19:56 < kcodyjr> i'm using it to accomplish dynamic dns updating
19:56 < pekster> You're not doing LANs at the client side?
19:56 < pekster> If so, you probably want --client-connect and --client-disconnect instead
19:56 < pekster> --learn-address is when you care about the IP of the tunneled packet
19:56 < pekster> (or MAC, if you're using tap)
19:56 < kcodyjr> it's entirely possible there will be at some point, but, not yet.
19:57 < pekster> If you are, you really ought to do DNS at the far side, but that's an implementation choice I suppose
19:57 < pekster> s/are/someday do/
19:57 < kcodyjr> near-far is getting fuzzy in a peer-peer architecture.
19:57 < kcodyjr> let's define "server" as the one at the office and "client" as the laptop
19:57 < pekster> Either way
19:58 < pekster> far is just "the other" side in openvpn since you only have 2 peers (per instance)
19:58 < pekster> Erm, per connection let's say (instance is a bad choice)
19:59 < pekster> So if You have [server] --> [INTERNET] --> [client] --> [LAN] and route to the client-LAN, then the [client] really should be the one doing DNS-updates for that network
19:59 < kcodyjr> actually (tangent rant) the whole peer-peer hippitry ticks me off. in practice, one of them is a client and the other is a server. the client asks for a connection and the server sits waiting to accept one. (end tangent rant)
19:59 < pekster> ie: you probably don't want --learn-address to be doing that "on the fly" for packets sourced from new addresses that the [sever] sees
19:59 < pekster> That's really only true as far as TLS is concerned, or p2mp
20:00 < kcodyjr> i'm talking about the point where a person asks the machine to do something useful, not any sort of implementation architecture. it makes terminology easier to look at it from a people point of view.
20:00 < kcodyjr> we're talking about laptops connecting to an office, and the ddns updating happens at the office.
20:01 < pekster> Sure, and in that case you'll never be adding the "home LANs PCs" (say your smartTV you turned on) to the office's DNS
20:01 < kcodyjr> a learn-address directive in the config file invokes a script which sends signed DDNS packets to the local internal master nameserver, in the same manner that dhcpd would.
20:01 < pekster> No, use --client-connect for that
20:01 < pekster> --learn-address is the wrong tool here
20:02 < kcodyjr> interesting. ok. that's what some yahoo picked for his script i googled to, and it appeared to work.
20:02 < pekster> It'll work I suppose, but I don't really think it's the 'correct' solution. At any rate you would treat update/add as the same operation if you do it
20:02 < kcodyjr> i have to give it a connect and a disconnect though apparently
20:02 < pekster> You could still use one script
20:03 < kcodyjr> well it seems to me that update might actually be a no-op for dns, unless there's some characteristic that changes that would need to be recorded in a TXT record or something.
20:03 < pekster> --client-connect '/etc/openvpn/scripts/ddns.sh connect' for eample
20:04 < kcodyjr> oh yes, not a problem, i'm sure i can figure out how to glue it in that way. question is what's the difference in behaviors REALLY
20:04 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
20:04 < kcodyjr> does client-connect close the connection if the script returns nonzero?
20:05 < pekster> Yup
20:05 < pekster> Keep in mind you've already passed TLS checks by then, so it's a way to "deny the client anyway" based on other checks
20:05 < kcodyjr> yes. such as the forward domain name being occupied by a static address.
20:06 < kcodyjr> whereas if it's occupied by another interface from the same host at the same time (contrived example some idiot vpn's in from the inside) then it should react by appending some randomness
20:06 < pekster> I don't get your usecase there
20:07 < pekster> No idea where the leftmost part of a DNS entry comes from if not the X.509 or username, which you've already verified by that point
20:07 < pekster> Reverse I get (the openvpn server issues IPs in P2MP ("server") setups), but not forward
20:07 < kcodyjr> i'm using the x.509 common name as the short hostname
20:08 < pekster> So why worry if it's taken? Your PKI process simply shouldn't issue CNs that match static hosts and you'll never have to worry
20:08 < pekster> Or just use a VPN specific zone
20:08 < pekster> VpnCnGoesHere.vpn.example.net
20:08 < kcodyjr> and sensing the domain name from a reverse lookup on the server-side tunnel address (.2, not the .1 that responds to pings) which i'd previously statically set.
20:09 < kcodyjr> the domain is shared with dhcp for the wired and wireless subnets.
20:09 < pekster> Oh, mixing all 3? :\
20:09 < kcodyjr> someone could come in with a phone whose hostname was set to the name of an existing vpn client.
20:09 < pekster> I'd really use separate zones, but it's your network :P
20:09 < kcodyjr> yep. not running the bridged tap configuration though. i tried, it worked, but not supported on android.
20:10 < kcodyjr> in my particular personal use case i can indeed hand-massage it and make it work. nobody else will mess with it besides me, except for wifi users attaching and the occasional desktop replacement, or home laptops coming in.
20:10 < kcodyjr> but that's not the point. i've taken it upon myself to write a proper ddnsupdate script for openvpn because i don't want to have to re-dick with this the next time his network changes, or i do this somewhere else.
20:11 -!- lj [~l@99.155.24.89] has joined #openvpn
20:12 < pekster> Yea, I like to call that "proactive lazyness" -- putting in a bit more work now to save time later
20:12 < pekster> Use that next time someone says you're working too hard :D
20:13 < kcodyjr> starting with implementing rfc4703 update semantics and almost-rfc-4701-compliant DHCID RR's, along with dhcpd compatible TXT handling to the extent possible. true compliance means the openvpn client-side would need to supply the DUID generated the same way DHCP would. i've yet to dig up that particular document.
20:14 < kcodyjr> i've got a proof of concept working, semantics aren't correct but it does the updates.
20:14 < pekster> Things change a bit with openvpn since anything past auth is already "trusted & verified"
20:14 < kcodyjr> i was just wondering what event the "update" indicated and whether i should be accounting for it.
20:14 < pekster> Seems to be just "it's already in the table and we're changing it" vs "this is new and I haven't seen it before"
20:14 < kcodyjr> trusted and verified, but not necessarily idiot proof, particularly where it interacts with other software. besides, isn't rfc compliance for its own sake a good reason?
20:15 < pekster> Mostly. Depending on the use-case, it becomes pedantic
20:15 < kcodyjr> ok. be nice to know the nature of the change, but i can just write in some logging and see if/when it happens.
20:15 < pekster> In some RFCs, NAT is still a violation ;)
20:15 < kcodyjr> fair enough. and very true. but 4703 and 4701 look like damn good ideas.
20:15 < pekster> But aren't we all on IPb6 anyway?
20:15 < pekster> s/b/v/
20:15 -!- Cpt-Oblivious_ [~chatzilla@31.220.42.40] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
20:16 < kcodyjr> ipv6 is an even better reason to write this. dual-stack introduces some nasty nightmares with dynamic dns updates especially when the stacks are served separately.
20:17 < kcodyjr> but tell ya what, i'm gonna write this because i'm a stubborn SOB, and if you like, i can do my best to tailor it to the project's needs, if any
20:18 < kcodyjr> looked at another way, there must be a reason people keep googling and forum-posting for answers about ddns updates with openvpn, especially in this P2MP case.
20:18 < pekster> If you think it's a nicely polished bit of code when you're done, maybe shoot a message to the openvpn-users ML with a FOSS link somewhere (assuming you intend this to be open) if it hasn't been done elsewhere
20:18 < kcodyjr> i do intend it to be open.
20:18 < pekster> Since it's archived, someone will eventually run into it on search engines, so that's often a good way to go
20:19 < pekster> openvpn has a plugin struture too if you do C programming, but there's definitely a bit of a learning curve depending on what you're integrating with and the plugin API
20:19 < kcodyjr> i could also try talking someone at gentoo into adding it as a vendor patch. i can figure that part out too. the questions i came here with all boil down to, what does openvpn need in a ddnsupdate module, as a network element and as a software element
20:20 < kcodyjr> i do C, but imho the prototype belongs in perl until i've got the behaviors perfected. this is surprisingly complex territory. i've been reading rfc's for days.
20:21 < kcodyjr> and the prototype is written with lots of self-initializing config accessors so i can refactor easily. it will get polished for efficiency before i submit.
20:21 < pekster> And really, the only reason to use a C plugin is for either features you can't get as an external process, or performance
20:21 < pekster> Having to recompile for changes is just a pain ;)
20:22 < pekster> I never got people that would write 400 LoC when a 50 line shell script did the same thing
20:22 < kcodyjr> exactly. performance is reason enough once the spec sheet is carved in stone. until then, perl's flexibility rules the day. having Net::DNS doesn't suck either.
20:23 < kcodyjr> and going plugin would obviate the need for a config statement. there could be a "ddns-updates on/off" that defaults to on if it finds a workable configuration.
20:23 < kcodyjr> right now the only thing i have to hack into it is the bind tsig update key. everything else i needed was either in the learn-address shell environment, or in dns itself already.
20:24 < pekster> You can pass plugins arguments
20:24 < pekster> IIRC plugins can't impact the options processing
20:24 < pekster> (you'd need to muck with options.c to do that, and general concensus from the active devs is that we have enough of them already, unles we really need more)
20:24 < kcodyjr> yeah i'd have to add a config directive separately, no doubt. all that integration stuff is still a bit down the road.
20:25 < kcodyjr> i would humbly suggest that rfc compliant ddns handling cleanly integrated into openvpn would do the internet, and private internal networks particularly, a considerable service.
20:25 < pekster> But maybe the plugin can use a config file that has the BIND/whatever configs for keys, or even supply the key as an option itself
20:26 < pekster> That's probably the cleanest solution, since the plugin can then directly do whatever it needs with the input
20:27 < kcodyjr> i was thinking to start with trying to auto-detect along standard paths, and then fight the political battle about config options at a later date. :)
20:27 < pekster> At this point, a lot of it boils down to "is this something openvpn itself cares about, or an external process"
20:27 < kcodyjr> i could, for example, simply dictate that a "ddns.key" file as generated by dnssec-keygen be placed in the "cd <path>" directory.
20:28 < pekster> If it's the latter, the plugin ought to have its own way to send config values to the child process
20:28 < pekster> Oh, the plugin has access to that too
20:29 < kcodyjr> right. although it might be fair game to say that openvpn should be prepared to pass along critical arguments so that 3rd party tools can invoke openvpn without a config file, like the way NetworkManager does on the client side.
20:29 < pekster> If you're giving f.ex a tsig key to the ddns-openvpn plugin, that's IMHO belongs as an argument (or config file) the plugin knows about
20:29 < pekster> Not an openvpn option
20:29 < kcodyjr> this totally kicks ass by the way. vpn on my centos 5 laptop "just working" with a gui button to turn it on and off.
20:30 < kcodyjr> is there a generic mechanism for passing along options from the command line into the plugin without openvpn core having to care? i really am not at all familiar with the internals yet.
20:31 < pekster> The plugin gets whatever you pass it as arguments, which could be a tsig argument, or simply a path to the ddns-openvpn specific config file
20:31 < kcodyjr> so the plugin sees the entire command line, and openvpn ignores options it doesn't know about?
20:31 < pekster> f.ex, `--plugin /usr/local/lib/openvpn-ddns.so tsig=abcd1234`
20:31 < pekster> Or w/e
20:31 < kcodyjr> oh. i see.
20:31 < kcodyjr> so that could be done within the config file as well.
20:32 < pekster> The README in the plugin/ dir of the sources has some details
20:32 < kcodyjr> plugin openvpn-ddns.so tsig=/path/to/file
20:32 < kcodyjr> the above (pathing excluded) being a valid openvpn.conf directive?
20:32 < pekster> Well, you'll probably be better off giving the plugin a config argument than convincing the devs that we need _more_ options
20:32 < pekster> ddns isn't "an openvpn problem"
20:32 < pekster> Yup
20:32 < pekster> See --plugin in the manpage
20:33 < kcodyjr> i like to address technical merits from political merits separately, although that certainly looks more than adequate to me.
20:33 < pekster> Think `--plugin /usr/local/lib/openvpn-ddns.so config=/usr/local/etc/openvpn-ddns.conf` or something
20:33 < kcodyjr> i would argue that one of its use cases (bridged P2MP) actually does have a DDNS problem
20:33 < pekster> Then your plugin pulls anything it needs (tsig, host name/IP, etc) from that config
20:35 < pekster> Knowing the tsig really isn't an openvpn concern, so having an openvpn --ddns-bind-tsig argument is really silly
20:35 < kcodyjr> i'll be thorough about it and make sure that a plugin specific config file is available but optional. "polished code." but that's future concern. :)
20:35 < pekster> Yea, just tossing ideas out really
20:35 < kcodyjr> right. the openvpn concern is the possibility of itself and the dhcp server butting heads during updates.
20:35 < kcodyjr> oh i appreciate. toss all you like.
20:35 < pekster> tl;dr is we don't want more options or #ifdefs in the core codebase without a _realy_ good reason
20:36 < pekster> fwiw, you'll also find both the mailing-lists and #openvpn-devel (for development-specific chatter) useful
20:36 < kcodyjr> i don't see any reason i'd have to mess with the core codebase
20:36 -!- fejjerai [~quassel@corkblock.jefferai.org] has quit [Ping timeout: 245 seconds]
20:37 < pekster> Oh, right. Sorry if I mis-understood that, but it sounded like you mean "options" as openvpn config options
20:37 < kcodyjr> unless the thing got so popular that there was demand to default-on, in which case, the political problem solves itself.
20:37 < pekster> If you meant plugin options, then by all means do what you think is right if you eventually go that route
20:37 < kcodyjr> the code itself has minimum but definite need for "configurables". i don't personally give a f*ck how it gets them so long as it's easy for the hand-tweaked config users and the 3rd party tool users.
20:38 < pekster> Yea, that's where plugins (or even just interperted scripts) are so powerful
20:38 < kcodyjr> short term, i'll come up with some external config file driven from within the script. but i'll not hesitate to call that a hack.
20:38 < pekster> Nah, I've written Windows auth-code that gets passed arguments via params, so this is far better :P
20:39 < pekster> (though at least my auth code is AGPL, so I am trying..)
20:40 < kcodyjr> so the answer to my original question is that update happens when "something" changes to an existing connection, possibly an asymmetric hangup, and my strategy would be to try and log conditions when it happens.
20:42 < kcodyjr> i'm still fuzzy on the merits of learn-address vs client-connect/disconnect. if it turns out that nothing i care about changes during an update, it can be an option, but i'd like to really understand how they behave differently before making the call. long term, it won't matter if i go with a plugin. the goal is to get the behaviors as objectively correct in as many situations as possible.
20:44 < pekster> learn-address is when you care about the IP (tun) or MAC (tap) being sent across the tunnel
20:44 < pekster> that's only relevant in client-LAN setups, or client-bridged tap setups
20:45 < pekster> If all you care about is the IP provided to the client, use --client-connect
20:45 < pekster> IOW, if you're not using --iroute or a client-side bridge (including the tap device), --learn-address is probably worthless
20:47 < kcodyjr> i also care about the tunnel address on the client side
20:47 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
20:47 < kcodyjr> which granted i could calculate with reasonable probability of getting it right. but taking it as an input is more reliable.
20:47 < pekster> client-connect knowso that
20:47 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
20:47 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
20:47 < pekster> It's _only_ when you have a LAN behind the client that you care about --learn-address
20:48 < pekster> !scipts
20:48 < pekster> !scripts
20:48 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
20:48 < kcodyjr> i haven't yet evaluated this for bridge mode but i'll get to that eventually.
20:48 < pekster> The environment vars section there has helpful hints, and `env` in a shell script will show you some undocumented stuff too ;)
20:49 < kcodyjr> i'm relying entirely on `env` info up to this point. i've near zero knowledge of the documented config points beyond what turned up perusing the manpages and samples it came with.
20:53 < kcodyjr> that link is a good read, but it doesn't tell me where learn-address is in the pecking order
20:53 < kcodyjr> if it's after route-up, it's preferable. some abnormal conditions can slow down dns updating.
20:53 < kcodyjr> when it's a real plugin i can just launch a thread.
20:53 < pekster> openvpn is single-threaded
20:54 < kcodyjr> nevermind then ha
20:54 < pekster> It's on the long-term wishlist, but not something "soon"
20:55 < kcodyjr> then script or real plugin, i'd rather have the route come up and then be destroyed a moment later in the normal/occupied condition, than get hung up waiting in the abnormal dns condition.
20:55 < pekster> The plugin (or script) can fork itself though
20:56 < pekster> You loose the ability to give feedback to the exit code, but then you can take a long as you want to do whatever
20:56 < pekster> lose*
20:56 < kcodyjr> sorry. i don't mean to be difficult. i'm just OCD about seeing things happen that shouldn't, such as an update happening on my laptop-lan setup.
20:56 < kcodyjr> yeah it might be viable to fork after performing the forward update.
20:57 < pekster> Even if not, do you really want to reject the client if the update fails?
20:57 < kcodyjr> that's a site policy decision, not a programmer decision.
20:57 < pekster> Sure, being complete and all ;)
20:58 < kcodyjr> but, ultimately, yes, that's what rfc4703 specifies. if the forward domain is occupied, and the DHCID RR doesn't match, it's supposed to either fail or pick another hostname.
20:59 < kcodyjr> the only reason it should fail is if another host is actually, or potentially, occuping that domain name, in which case the newcomer shouldn't be allowed to.
20:59 < kcodyjr> whether or how to attempt mangling or tell-the-client-to-try-again is up to the implementor
21:00 < kcodyjr> tell-the-client-to-try-again in this case means booting the connection and making the sysadmin issue a new cert with another name, or clean up the old dirty dns record he forgot about, as the case may be.
21:00 < pekster> My suggestion would be to avoid trying to implement every corner-case upfront
21:00 < pekster> Those who care can contribute once you have some initial function :P
21:01 < kcodyjr> i'm going to implement what's specified in 4703 up front. it dictates the decision flow of doing the update.
21:01 < pekster> At some point you have to assume "admins" aren't clueless (despite the fact that some are)
21:01 < kcodyjr> yeah. but our clues come from somewhere. usually log messages, alert emails, and bitchy users. :)
21:02 -!- Valduare [~Valduare@99-72-244-110.lightspeed.mdsnwi.sbcglobal.net] has quit [Quit: Valduare]
21:04 < kcodyjr> while i'm at it, i may well patch isc-dhcpd (locally) for true compliance to test the two of them interacting. i don't see any reason why openvpn in --server or --server-bridge mode shouldn't be considered a de-facto dhcp server, even if its messaging isn't remotely related.
21:04 < kcodyjr> the changes are actually minimal, i was noticing when i dug in to figure out the format of their TXT record as compared to rfc4701 DHCID's.
21:05 < pekster> Yea, and you don't realy have defined DHCIDs in an openvpn context
21:06 < pekster> It's not after all a DHCP client, but a pre-authorized connection
21:06 < kcodyjr> right. they bear many similarities but coming up with the "proper" client identifier is a challenge.
21:07 < kcodyjr> i could "make it work" with the common name using a type 1 DHCID, which allows an arbitrary blob to serve as identifier, but it wouldn't be 1:1 compatible with any dhcp implementation except by chance.
21:07 < kcodyjr> but then isc-dhcpd isn't using proper DHCID either, so that's a moot point for now.
21:07 < kcodyjr> whatever value i pick, a type 1 DHCID would allow two load balanced openvpn servers to not step on each others' toes.
21:08 < kcodyjr> there is nothing available to serve as a hardware address so a type 0 DHCID is out. it would be idiotic and meaningless to try and patch openvpn to send that datum along from the client side.
21:10 < pekster> Right, in tun you don't get/care about it
21:10 < pekster> It's a PtP transport
21:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
21:10 < kcodyjr> right, though in tap --server-bridge <address> mode it might be just what the doctor ordered.
21:10 < pekster> Right. In tun, it's silly to try and integrate with an exsting DNS zone, generally
21:11 < kcodyjr> redundant in bridge with real DHCP server mode but who's really using that since only MS supports it without client side tinkering.
21:11 < pekster> Just tack on a .vpn to your base zone and call it good
21:11 < kcodyjr> i wouldn't say silly at all. i don't want to have to maintain two sets of ACL entries for each internal subdomain. i suppose i could nest, but really, this behavior is supposed to work according to current published unimplemented standards.
21:12 < pekster> fwiw, you _can_ use a server-side DHCP server, but it's non-trivial as I'm sure you're aware since things like router options mess up remote clients
21:12 < pekster> Just throw in a 2nd zone and you don't need any ACL mess
21:12 < kcodyjr> yeah i took that configuration to its logical conclusion. fully working. but then found out android doesn't support it.
21:12 < kcodyjr> you mean a nested zone.
21:12 < kcodyjr> vpn.in.example.com and use in.example.com (itself dynamic) as the acl entry.
21:12 < kcodyjr> i could do that.
21:13 < pekster> It's far easier to go that route
21:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:13 < pekster> IMO
21:14 < kcodyjr> easier, perhaps, but there's no objective reason things have to be done that way, and that only helps with wildcard acl's.
21:14 -!- booo [~booo__@p54BDB8CF.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:15 < kcodyjr> sysadminlaptop.in.example.com and sysadmin.vpn.in.example.com can't both be safely covered with a single rule most of the time
21:15 < kcodyjr> depending how the software in question handles acl's
21:15 < kcodyjr> besides, copping out just feels wrong when i'm doing design thinking. i may well cop out for implementation but it'll be documented in the code that i did so.
21:17 < pekster> Well, best of luck. Do feel free to pop back, or leverage the ML or -devel (for dev-specific stuff) as needed
21:17 -!- booo [~booo__@p54BD9A30.dip0.t-ipconnect.de] has joined #openvpn
21:17 < kcodyjr> thank you. (for the luck and the thoughts). i'll make my presence and progress known as i get places with it.
21:18 < pekster> It's an interesting project, just tough to do while respecting "every" RFC and "every" usecase. My suggestion if that seems tough is to go for a subset and see where interest is to polish unfinished bits
21:19 < kcodyjr> yes.
21:19 < pekster> Nothing like feedback (or better, contributions/patches) to help :P
21:19 < kcodyjr> the subset i wish to focus on is to make openvpn and isc-dhcpd behave happily together when sharing the same domain name space.
21:21 < kcodyjr> 2nd phase, if it gets that far, would be to make it fully 4703 compliant so that openvpn and isc-dhcpd can both dish out *ip addresses* in the same range, allowing a laptop to assume its usual internal IP when it's remote.
21:21 < kcodyjr> just because that seems cool. phase 1 will be useful enough i'm sure.
21:22 < kcodyjr> i do believe that's possible, by the way. assuming named handles a single update packet atomically, which is the presumptive purpose of prerequisite conditions that it does support, the DNS database itself can be used as a mandatory-locking scheme to synchronize between the two issuers of the same pool.
21:23 < kcodyjr> actually that summarizes my desired use case well. have the laptop assume its usual internal identity. in tun mode, that means having the same fqdn. in tap mode, that means having the same IP as well. :)
21:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
21:38 -!- lj [~l@99.155.24.89] has quit [Quit: Leaving.]
21:40 -!- Brian__ [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
21:44 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 248 seconds]
21:55 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Ping timeout: 252 seconds]
21:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 253 seconds]
22:28 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:29 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
22:31 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Excess Flood]
22:32 -!- Brian__ [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 245 seconds]
22:32 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
22:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-duatfcqmlvlojzma] has quit [Ping timeout: 272 seconds]
22:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-daoppwytrngeogwf] has joined #openvpn
22:41 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
22:53 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
22:54 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:56 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 276 seconds]
22:57 -!- lj [~l@99.155.24.89] has joined #openvpn
23:02 -!- joshh20 is now known as joshh20-Away
23:03 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:05 -!- Cultist_ [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
23:05 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Excess Flood]
23:19 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 245 seconds]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:45 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
23:47 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 245 seconds]
23:47 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Remote host closed the connection]
23:48 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
23:50 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 245 seconds]
23:53 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
23:56 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
23:57 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
23:57 -!- Cultist_ is now known as Cultist
--- Day changed Sun Feb 02 2014
00:04 -!- AsadH- [~AsadH@176.56.230.80] has quit [Quit: Leaving..]
00:07 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
00:26 -!- crus [~crusader@crus0r.soho.on.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
00:34 -!- gewt [~gewt@192.252.217.13] has joined #openvpn
00:35 < gewt> okay, so.
00:36 < gewt> i've got openvpn rolling. peer-to-peer
00:36 < gewt> comnnections are up
00:36 < gewt> the client side can ping 172.16.6.1 (remote)
00:36 < gewt> but the server side cannot ping the client side.
00:36 < gewt> what step did I miss?
00:37 < gewt> OH
00:37 < gewt> i know what I missed
00:38 < gewt> problem was firewall rules
00:51 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 248 seconds]
00:57 -!- gewt [~gewt@192.252.217.13] has left #openvpn ["WeeChat 0.4.2"]
00:58 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:17 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-whcshbgsjqajlkov] has joined #openvpn
01:17 < jacob11> hello guys, can I see traffic logs from openvpn clients? I am using openvpn in ubuntu
01:22 < reiffert> what are traffic logs?
01:26 < jacob11> I meant logs on what URL's clients hit etc
01:26 < reiffert> openvpn doesnt have such a thing.
01:27 < jacob11> so basically every openvpn provider including my own private server can be used to surf completely anonymously?
01:28 < MacGyver> No.
01:29 < reiffert> I wouldn't say yes to your statement.
01:30 < jacob11> how that can be true if the server doesn't have any logs on clients activity?
01:30 < MacGyver> OpenVPN does nothing to anonimize you. The only thing reiffert just said is that openvpn itself does not keep logs on what URLs clients hit. This guarantees nothing about what other people do to log your traffic, one could even go so far as to patch openvpn to do it.
01:31 < reiffert> which would be nonsense.
01:31 < reiffert> I have some assumptions of how jacob11 sees and understand openvpn
01:32 < jacob11> please tell me I may got it wrong
01:32 < reiffert> jacob11: if browsing is the only thing that matters for you go and install a proxy.
01:33 < jacob11> why? it won't encrypt my traffic
01:33 < reiffert> jacob11: why do you think should openvpn log http traffic then?
01:33 < reiffert> what about ftp traffi?
01:33 < reiffert> e-mail?
01:33 < reiffert> ssh?
01:34 < jacob11> I don't think it should, I am curious if it does do that
01:34 < reiffert> encrypted traffic in an encrypted traffic tunnel?
01:34 < reiffert> it does not.
01:35 < jacob11> now can you explain me how it does nothing to anonimize you? but let's say we are talking about other vpn provider, not my vps which is bought on my name
01:40 < MacGyver> Well, exactly like I said. OpenVPN itself does not take any steps to anonymize you. That's not its goal, either. And many of those so-called "anonymous VPN providers" in fact do log their clients' activity.
01:40 < MacGyver> Traffic exits the tunnel -> traffic is logged -> traffic is forwarded onto the big bad internet.
01:40 < MacGyver> Police come calling -> police get handed logs.
01:41 < reiffert> jacob11: it simply forwards packets. It doesn't do anything actively to anonimize your traffic.
01:41 < MacGyver> If you are concerned about anonimizing traffic, you can still use openvpn, but keep in mind that it's not a complete solution to anonimize your traffic. You may want to look into TOR, among other things, if that's what you need.
01:42 < jacob11> yeah but if the server has lots of clients and the server was not logging for real, there should be no way in recognizing which client did certain thing, once the traffic exited the tunnel, right?
01:42 < jacob11> I am aware of tor, I just want to understand openvpn better
01:43 < MacGyver> Unfortunate choice of words... there are obviously still ways, e.g. if the client sends certain identifying information s.t. it can be snooped, but that's true for TOR as well.
01:44 < jacob11> yeah I understand that, let's say you use clean browser without js or plugins with fake useragent
01:45 < reiffert> MacGyver: we don't have enough information to make such assumptions.
01:45 < reiffert> MacGyver: so far we are talking about clients. Clients do traffic
01:46 < reiffert> jacob11: openvpn offers vpn. period. nothing more.
01:47 < MacGyver> jacob11: Even then there's still ways. There's a lot of literature on this subject, how to de-anonymize traffic in fun and unexpected ways.
01:49 < MacGyver> jacob11: What I'm saying is that there isn't really a straightforward answer to your question.
01:49 < jacob11> ok but you said this: traffic exits tunnel > traffic is logged? logged where?
01:50 < jacob11> on the isp level?
01:50 < MacGyver> jacob11: Under certain assumptions, yes, openvpn is enough to anonymize you to some people. Depending on who you care about finding out who you are, VPN is enough.
01:51 < MacGyver> jacob11: But those are *dangerous* assumptions unless you're absolutely sure and clear about them.
01:51 < MacGyver> jacob11: And there I was talking about many of those so-called anonymous VPN providers.
01:52 < MacGyver> jacob11: You understand that they see the encrypted traffic coming in, unencrypt it, then forward it to the internet, right? That's how VPN works.
01:52 < MacGyver> jacob11: Well, turns out many of them just keep traffic logs.
01:53 < jacob11> I was thinking about my own openvpn server, but to some extent to on so called anonymous vpn providers
01:54 < MacGyver> Well the VPN part on your server won't keep logs.
01:54 < MacGyver> Maybe other software you have installed does. I have no way to tell.
01:55 < MacGyver> That's what reiffert means by "openvpn offers VPN. Nothing more".
01:55 < jacob11> but my VPS provider may or may not keep them. Could other software keep OpenVPN traffic logs?
01:58 < reiffert> there are no OpenVPN traffic logs.
01:59 < jacob11> thanks
01:59 < jacob11> I do understand it better!
02:00  * reiffert doubts
02:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
02:01 < jacob11> lol I really do. I was just wondering how people use vpn for anonymity so I was snooping on my openvpn server for traffic logs and there were none, so I decided to talk to you guys :)
02:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:01 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 < MacGyver> jacob11: If I were a malicious provider who wanted to keep traffic logs, I'd install a piece of software on the VPN server which logs the traffic *after* it exits the VPN device when it gets forwarded to the internet. So those aren't OpenVPN traffic logs. But it's not impossible to log traffic after exiting the VPN. Just to make sure you understand the distinction.
02:07 < jacob11> I know but if you log traffic once it exits OpenVPN, you won't be able to tell source IP, right?
02:11 < reiffert> I would just install hardware to log the whole datacenter. Whoever is suspect to a crime .. first thing the police would call is the server owner.
02:12 < MacGyver> Well no, but openvpn can also log e.g. which clients connect, and when. See if that's in your syslog.
02:12 < reiffert> MacGyver: irrelevant.
02:12 < jacob11> and if the owner says the server is unable to keep logs what happens?
02:12 < reiffert> MacGyver: it's the server owner that gets caught
02:13 < reiffert> MacGyver: unless he can proove that traffic at a certain time and date originates from one of his customers.
02:13 < reiffert> MacGyver: which he can't.
02:13 < MacGyver> reiffert: And he can, with the combination of syslog and logged traffic.
02:13 < jacob11> yeah using timestamps
02:13 < reiffert> MacGyver: full dump of every single packet.
02:13 < jacob11> so in order to cover himself server owner will do the steps necessary. I get it
02:14 < jacob11> so anonymity is best achieved with vpn+tor then
02:14 < MacGyver> reiffert: Not necessary, that combination is enough to make you as a *user* suspicious and will be used to come after you. It's not a matter of "Oh we're not 100% sure so we can't go after this guy".
02:14 < jacob11> or if you have anonymous server bought with bitcoins
02:18 < MacGyver> jacob11: Well some service provider claim they do in fact not keep any logs at all, but legally that's still foggy territory afaik. I'm not a lawyer, though. Thing is, you can't check whether that's true.
02:18 < MacGyver> jacob11: Anonymity isn't a binary thing.
02:19 < MacGyver> jacob11: You have to decide who you care about finding out, then take appropriate steps.
02:19 < jacob11> well big part of it is
02:20 < jacob11> I am aware of that, I am actually not trying to hide myself I was just curious.
02:20 < jacob11> actually I don't like the idea that my isp is logging traffic. Can vpn help with this kind of anonymity_
02:20 < MacGyver> Yes, definitely.
02:21 < MacGyver> If you have a VPN server outside your ISP's network, to the ISP it will all look like random data to a single endpoint.
02:21 < MacGyver> So all they have to log is the fact that you're communicating with that endpoint. You should, however, also not use your ISP's DNS server when doing that.
02:21 < reiffert> :)
02:24 < jacob11> sure, I ditched their dns long time ago in favor of opendns
02:37 -!- moparisthebest [~quassel@2001:470:1f11:88c::2] has quit [Ping timeout: 245 seconds]
02:38 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
02:57 -!- Guest96123 [~quassel@2001:470:1f11:88c::2] has joined #openvpn
03:02 -!- Guest96123 [~quassel@2001:470:1f11:88c::2] has quit [Ping timeout: 264 seconds]
03:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:05 -!- moparisthebest_ [~quassel@2001:470:1f11:88c::2] has joined #openvpn
03:09 -!- n00bSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
03:11 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 245 seconds]
03:13 -!- u0m3_ [~u0m3@92.80.120.254] has quit [Read error: Connection reset by peer]
03:15 -!- u0m3_ [~u0m3@92.80.120.254] has joined #openvpn
03:17 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
03:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
03:31 -!- takamichi [~takamichi@85.12.8.105] has joined #openvpn
03:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:04 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
04:05 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
04:08 -!- takamichi [~takamichi@85.12.8.105] has quit [Read error: Operation timed out]
04:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:24 < kcodyjr> what's the chances of a single openvpn tun link carrying ipv4 and ipv6 simultaneously, present or future?
04:32 -!- kossy_ [a@kossy.org] has joined #openvpn
04:33 -!- _Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
04:34 -!- eliasp_ [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
04:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:34 <@krzee> kcodyjr, no problem in 2.3+
04:34 <@krzee> !ipv6
04:34 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
04:35 -!- ngharo_ [~ngharo@nexus.sypherz.com] has joined #openvpn
04:36 -!- _psycheye [~psycheye@93.49.16.11] has joined #openvpn
04:39 -!- ikrabbe- [ingo@coop.ikrabbe-ask.de] has joined #openvpn
04:39 -!- joshh20z [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
04:39 -!- joshh20z is now known as joshh20
04:40 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
04:40 -!- Netsplit *.net <-> *.split quits: ikrabbe, ngharo, VunKruz, yoavz, kossy, joshh20-Away, m1h0, lbft, Cr4zi3, psycheye,  (+3 more, use /NETSPLIT to show all of them)
04:40 -!- ikrabbe- is now known as ikrabbe
04:41 -!- lbft_ is now known as lbft
04:41 -!- Netsplit over, joins: bigbob83
04:47 -!- m1h0 [~yavor@94.155.134.12] has joined #openvpn
04:48 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
05:06 -!- jinnko` is now known as jinnko
05:11 -!- ikrabbe [ingo@coop.ikrabbe-ask.de] has quit [Changing host]
05:11 -!- ikrabbe [ingo@pdpc/supporter/professional/ikrabbe] has joined #openvpn
05:15 < kalloc> Hi
05:16 < kalloc> Whether there openvpn developers?
05:22 -!- kossy_ [a@kossy.org] has quit [Quit: ZNC - http://znc.in]
05:23 -!- kossy [a@kossy.org] has joined #openvpn
05:28 -!- kossy [a@kossy.org] has quit [Changing host]
05:28 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
05:51 -!- jinnko is now known as jinnko`
05:52 -!- jinnko` is now known as jinnko
06:02 < plaisthos> !ask
06:02 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
06:10 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has quit [Ping timeout: 252 seconds]
06:24 -!- jinnko is now known as jinnko`
06:24 -!- jinnko` is now known as jinnko
06:42 -!- jinnko is now known as jinnko`
06:45 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:50 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
06:52 < kalloc> plaisthos: it's hard for me
07:13 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:13 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:13 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:13 -!- jinnko` is now known as jinnko
07:14 < kalloc> I'm writing some code, based on openvpn and I want to use time scheduler, but scheduler which I found uses  seconds for set period
07:14 < kalloc> plaisthos:
07:27 -!- jinnko is now known as jinnko`
07:27 < plaisthos> kalloc: yeah. I have not deeply looked into the scheduler
07:27 < plaisthos> but you /might/ be right, that the scheduler cannot do sub second scheduling
07:28 < kalloc> i want to set ms/us
07:30 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
07:30 < plaisthos> kalloc: then you might have to touch the scheduler itself
07:30 < plaisthos> iirc there is no need for subsecond schedling in OpenVPN at the moment, so it is not implemented
07:31 < plaisthos> I am afraid that is probably not the answer you are looking
07:35 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
07:41 -!- calcifea_ [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea_]
07:42 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
07:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:46 -!- oc80z [~oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
07:47 -!- jinnko` is now known as jinnko
08:33 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
08:45 -!- jinnko is now known as jinnko`
08:46 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
08:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-daoppwytrngeogwf] has quit [Ping timeout: 252 seconds]
08:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-efllpyzfdnusdnnt] has joined #openvpn
08:58 -!- Lars_G [~Lars@unaffiliated/lars-g/x-000001] has joined #openvpn
08:58 < Lars_G> Hello
09:00 -!- master_of_master [~master_of@p4FD7B211.dip0.t-ipconnect.de] has joined #openvpn
09:00 < Lars_G> Nevermin
09:00 < Lars_G> d
09:00 < Lars_G> thanks
09:00 -!- moparisthebest_ [~quassel@2001:470:1f11:88c::2] has quit [Ping timeout: 264 seconds]
09:02 -!- master_o1_master [~master_of@p4FF24C59.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
09:03 < Lars_G> Well maybe I'm not crazy? ho humm
09:04 < Lars_G> I've hooked a new client on my vpn network. It has a real ip but behind a pretty odd and strict firewall of which I have no control.
09:05 < Lars_G> the firewall seems configured to let amost everything out, but inbound connections are filtered.
09:05 < Lars_G> so, the system does connect to my network. if I enter the system another way (via another client in the same space), I can ping other clients in my network from it. and I can ping it from other clients...
09:06 < Lars_G> but ti seems to me (seems, haven't done rigurous testing), that when I'm not inside the client, or for a good time, I can't ping it or access it via the vpn....
09:06 < Lars_G> afaik all traffict to the client shoudl go thorough the openvpn pipe, which was setup outbound so the firewall should allow "responses" to that conenction...
09:07 < Lars_G> my worry is, maybe this has an expiry? does openvpn client have a heartbeat? do I need/can activate one so the firewall doesn't consider the outbout connection closed?
09:18 < pekster> Read about:
09:18 < pekster> !keepalive
09:18 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
09:20 -!- novaflash_away is now known as novaflash
09:23 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 248 seconds]
09:26 -!- losted [~losted@box.losted.net] has joined #openvpn
09:28 < kcodyjr> sounds to me like the oddball firewall is closing the logical connection
09:28 < kcodyjr> are you using udp or tcp?
09:32 < kcodyjr> i have had luck running a constant ping along the same path as the tunnel, but if i'm going through a screwy firewall, first thing i do i switch to tcp mode. it has real state, as opposed to UDP connection tracking where the kernel basically has to guess if there's another packet coming. primitive implementations used plain timeouts, usually with overly short timeout values.
09:34 < pekster> Use keepalive, not hacks like pinging
09:40 < Lars_G> kcodyjr: Good idea
09:40 < Lars_G> I'll read keepalive too
09:41 < kcodyjr> what pekster said. try the tcp mode and keepalive. i said pinging occasionally worked, not that it was a good idea.
09:42 < pekster> Don't use tcp unless you must
09:42 < pekster> I didn't suggest tcp. I suggested doing what !keepalive said
09:58 < kcodyjr> agreed, but a screwy firewall is usually exactly that kind of "musty". forgive the pun.
09:58 < kcodyjr> and i meant, what you said about not doing pings
10:21 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has joined #openvpn
10:58 -!- lbft is now known as jigglypuff
11:08 -!- jigglypuff is now known as lbft
11:09 -!- bigbob83 [~bigbob@7.72.100.84.rev.sfr.net] has quit []
11:23 -!- L0RE [~chatzilla@ppp-188-174-64-232.dynamic.mnet-online.de] has joined #openvpn
11:25 < L0RE> Hi, i have a question. I have an Server with an free ip, i want to route this ip to an client is it possible?
11:28 < pekster> L0RE: If I understand what you want, you might be better off setting up a 1:1 NAT to your client if it's using an RFC1918 IP as its assigned VPN range
11:32 < L0RE> pekster: my problem is a little bit tricker (i have an dslite ipv6 + nat ipv4), i want to connect via ssh to home, with ipv4.  I have an ipv6 and IPV4 Server in the Internet. So i thought i make an openvpn connect from home to my server via ipv6, and use the official ip for the client
11:32 -!- Jediman [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 272 seconds]
11:33 < pekster> The problem is that openvpn needs to _assign_ any IPs you want the client to use
11:33 < L0RE> pekster: i tried make an ipv4 over ipv6 tunnel has worked, but i must define the source and dest ip on the tunnel on both sites. Since i have an dynamic ipv6 ip its problematic. so i thought openvpn would be more dynamic
11:33 -!- Jediman [~Brian@162.219.176.106] has joined #openvpn
11:34 < pekster> If you have some arbitrary single IP you want to assign to a client you'd need to use the p2p topology
11:34 < pekster> Windows won't work with that, but Linux/Unix will. You can't use the subnet topology with just a single IP
11:35 < L0RE> its all linux
11:36 < pekster> p2p topology or 1:1 NAT are your best bets. You can try and do goofy things like leave the client on RFC1918 space, set an --iroute for the client with this "extra floating" IP you have, and then somehow get the client to add that IP onto the tun device as a secondary IP, but that's really messy
11:38 < L0RE> hmm, sounds like it will work moste of the time not, because of the errors....
11:39 < pekster> No idea what that means. "errors" aren't supposed to happen
11:39 < L0RE> p2p or 1:1 is also dificult since i need ipv4 over ipv6 ...
11:39 < pekster> OpenVPN supports dual-stack across the link
11:39 < pekster> It does not (currently) support dual-stack for the transport, but that's nto your problem
11:40 -!- Brian__ [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
11:40 < pekster> NAT is easy. You just blindly send anything to this "extra" IP to the client, and anything from the client gets that IP as it gets sent out
11:40 < pekster> Done.
11:40 < pekster> Far easier than doing dumb things like a special "vendor" DHCP option (see: --dhcp-option in the manpage) and client-side script trickery to get it to add this IP to its own tun device
11:40 < pekster> You can do it, but it's really ugly
11:41 < L0RE> o.k so openvpn with an 10.X ip an then nat the official ip to the client
11:41 < pekster> Yup
11:41 < pekster> That's the easiest way to go
11:42 < pekster> Normally I discourage NAT, but it really is the cleanest way here. p2p is an option if you really wanted, but since you only have the "1" IP, you'd need to creating a peering between that and some RFC1918 IP
11:42 < pekster> Nothing wrong with f.ex, 203.0.113.7 peering with 10.50.7.0 or something, but that's also a bit goofy
11:43 -!- Jediman [~Brian@162.219.176.106] has quit [Ping timeout: 272 seconds]
11:44 < pekster> (and you  have to use NAT anyway if this "1" IP is on-link at your server side)
11:44 < pekster> That should be obvious, but it's worth clarifying
11:46 < L0RE> no the server has 2 ips and one ip is not in use at the moment
11:48 < L0RE> o.k 5 ips , with 5 virtual server, nated together on 4 ips, so i have an free ip for the tunnel
11:48 < pekster> Presumably on the same subnet? Ethernet network?
11:48 < pekster> You _cannot_ just willy-nilly put IPs on systems that are part of an existing subnet
11:48 < pekster> That's now how routing works
11:49 < L0RE> 4 are on the same network, one is in another net
11:50 < pekster> You're routed a /32?
11:50 < pekster> If that's really what's going on, then either NAT or p2p with direct assignment of that IP to the client works (so long as you peer with an RFC1918 IP)
11:51 -!- raidz is now known as raidz_away
11:56 -!- raidz_away is now known as raidz
11:58 < L0RE> ip /32
12:00 < L0RE> i try it with nat,  , lets see how fast it is , the ipv4overipv6 lost 20-30 ms when using ping
12:04 -!- moparisthebest [~quassel@cpe-184-57-167-162.cinci.res.rr.com] has quit [Remote host closed the connection]
12:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:26 -!- slikts [~reinis@wikipedia/reinis] has joined #openvpn
12:27 < slikts> I'm following the instructions here: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
12:27 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:27 < slikts> I want to route all traffic through the vpn, and I can connect to it and access the lan, but I can't access the wan
12:28 < slikts> the same config was working before until I restarted my server and the iptables rules got reset
12:47 -!- joshh20 is now known as joshh20-Away
12:47 -!- fallout [~fallout@unaffiliated/fallout] has joined #openvpn
12:53 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
12:55 -!- sauce [sauce@unaffiliated/sauce] has quit [Remote host closed the connection]
12:58 -!- mumixam_ [~m@unaffiliated/mumixam] has joined #openvpn
13:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
13:04 -!- L0RE [~chatzilla@ppp-188-174-64-232.dynamic.mnet-online.de] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
13:06 -!- Netsplit *.net <-> *.split quits: mumixam
13:14 -!- moparisthebest [~quassel@2001:470:1f11:88c::2] has joined #openvpn
13:37 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
13:40 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
14:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:17 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has joined #openvpn
14:19 -!- u0m3_ is now known as u0m3
14:23 -!- u0m3_ [~u0m3@92.80.86.111] has joined #openvpn
14:26 -!- u0m3 [~u0m3@92.80.120.254] has quit [Ping timeout: 272 seconds]
14:26 -!- u0m3_ is now known as u0m3
14:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
14:37 -!- mumixam_ is now known as mumixam
14:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
14:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:42 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
14:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
14:49 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has quit [Remote host closed the connection]
14:53 -!- Jediman [~Brian@184.75.214.90] has joined #openvpn
14:56 -!- Brian__ [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has quit [Ping timeout: 252 seconds]
15:13 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
15:24 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
15:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 240 seconds]
15:53 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
16:01 -!- Brian__ [~Brian@cpe-24-58-240-166.twcny.res.rr.com] has joined #openvpn
16:05 -!- Jediman [~Brian@184.75.214.90] has quit [Ping timeout: 264 seconds]
16:11 -!- joshh20-Away is now known as joshh20
16:30 -!- joshh20 is now known as joshh20-Away
16:34 -!- joshh20-Away is now known as joshh20
16:38 -!- kloeri|fosdem is now known as kloeri
16:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
16:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:00 -!- lj [~l@99.155.24.89] has quit [Ping timeout: 245 seconds]
17:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:04 -!- lj [~l@adsl-99-74-1-11.dsl.peoril.sbcglobal.net] has joined #openvpn
17:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:15 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:16 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:17 < slikts> why doesn't someone shut down that stupid openvpn.se site!!!
17:17 < slikts> it's just a time wasting trap
17:18 < slikts> the downloads there are outdated and don't work, but it comes up as the first result in google if you look for openvpn gui
17:18 < slikts> it's total crap
17:18 < slikts> I tried emailing them, but the address provided on the page doesn't work
17:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:19 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:31 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
17:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 240 seconds]
18:04 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:11 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
18:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
18:17 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
--- Log closed Sun Feb 02 18:23:57 2014
--- Log opened Sun Feb 02 18:49:10 2014
18:49 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
18:49 -!- Irssi: #openvpn: Total of 127 nicks [4 ops, 0 halfops, 3 voices, 120 normal]
18:49 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
18:50 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 272 seconds]
18:50 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 272 seconds]
18:50 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 272 seconds]
18:50 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
18:51 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Read error: Connection reset by peer]
18:51 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
18:51 -!- Irssi: Join to #openvpn was synced in 122 secs
18:51 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
18:51 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
18:53 -!- mattock_afk is now known as mattock
18:53 -!- master_of_master [~master_of@p4FD7B211.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
18:53 -!- lowkey [lowkey@hydra-bom.aufbix.org] has quit [Ping timeout: 272 seconds]
18:53 -!- sHockz [~shockz@zenofex.com] has quit [Ping timeout: 272 seconds]
18:53 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Remote host closed the connection]
18:53 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Ping timeout: 272 seconds]
18:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:54 -!- plaisthos [~arne@kamera.blinkt.de] has joined #openvpn
18:54 -!- pa [~pa@host229-135-dynamic.60-82-r.retail.telecomitalia.it] has joined #openvpn
18:54 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has joined #openvpn
18:55 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 272 seconds]
18:56 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
18:56 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Quit: Serverwechsel]
18:57 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
18:58 -!- Netsplit *.net <-> *.split quits: manitu, kloeri, kossy, mingdao, nutron, _KaszpiR__, Matir, saneki, sander_, thalweg,  (+5 more, use /NETSPLIT to show all of them)
18:59 -!- Netsplit *.net <-> *.split quits: Denial, APTX, psycheye, XJR-9, WinstonSmith, mcp, Brando753, thumbs, codehero, Zarrsh,  (+43 more, use /NETSPLIT to show all of them)
--- Log closed Sun Feb 02 19:02:56 2014
--- Log opened Sun Feb 02 19:04:46 2014
19:04 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
19:04 -!- Irssi: #openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
19:04 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
19:05 -!- clu5ter [~staff@stealth.server.cybscripts.com] has quit [Ping timeout: 245 seconds]
19:09 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 245 seconds]
19:09 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
19:09 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
19:09 -!- ecrist [~ecrist@token-black.secure-computing.net] has quit [Ping timeout: 245 seconds]
--- Log closed Sun Feb 02 19:09:18 2014
--- Log opened Sun Feb 02 19:57:40 2014
19:57 -!- ecrist [~ecrist@199.102.77.84] has joined #openvpn
19:57 -!- Irssi: #openvpn: Total of 15 nicks [0 ops, 0 halfops, 0 voices, 15 normal]
19:57 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 272 seconds]
19:58 -!- akselii [~akselii@91.121.193.41] has quit [Ping timeout: 272 seconds]
19:58 -!- kisom [~kisom@kisom.thr.kth.se] has quit [Ping timeout: 272 seconds]
19:58 -!- klaxa [~klaxa@klaxa.eu] has quit [Ping timeout: 272 seconds]
19:58 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Ping timeout: 272 seconds]
19:59 -!- fallout [~fallout@firestorm.cs.duke.edu] has quit [Remote host closed the connection]
19:59 -!- fallout [~fallout@firestorm.cs.duke.edu] has joined #openvpn
20:01 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 272 seconds]
20:01 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has quit [Ping timeout: 272 seconds]
20:01 -!- rtur [~rtur@212.224.92.143] has quit [Ping timeout: 272 seconds]
20:01 -!- Irssi: Join to #openvpn was synced in 243 secs
20:01 -!- lj1 [~l@adsl-99-74-1-11.dsl.peoril.sbcglobal.net] has joined #openvpn
20:01 -!- i7c [~i7c@80-69-77-233.colo.transip.net] has joined #openvpn
20:02 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Remote host closed the connection]
20:02 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
20:02 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Ping timeout: 272 seconds]
20:03 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
20:03 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
20:04 -!- lj [~l@adsl-99-74-1-11.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 272 seconds]
20:05 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
20:09 -!- juxta [~rootkit@ppp203-122-193-94.static.internode.on.net] has joined #openvpn
20:09 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 272 seconds]
20:09 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
20:09 -!- sander [~sander@58.82.9.46.customer.cdi.no] has joined #openvpn
--- Log closed Sun Feb 02 20:15:41 2014
--- Log opened Sun Feb 02 20:16:12 2014
20:16 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
20:16 -!- Irssi: #openvpn: Total of 120 nicks [2 ops, 0 halfops, 2 voices, 116 normal]
20:16 !card.freenode.net [freenode-info] if you're at a conference and other people are having trouble connecting, please mention it to staff: http://freenode.net/faq.shtml#gettinghelp
20:16 -!- mode/#openvpn [+o ecrist] by ChanServ
20:16 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
20:16 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
20:16 -!- Irssi: Join to #openvpn was synced in 51 secs
20:17 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:18 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
20:19 -!- Rallias [~Rallias@unaffiliated/gasseus] has joined #openvpn
20:19 -!- sHockz [~shockz@zenofex.com] has joined #openvpn
20:19 -!- guntha_ [~guntha@guntha.thecagedog.com] has joined #openvpn
20:20 -!- thalweg [~quassel@198.211.102.196] has quit [Ping timeout: 252 seconds]
20:20 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
20:20 -!- sudormrf [~pineapple@12.235.42.129] has joined #openvpn
20:21 -!- slikts [~reinis@79.132.67.157] has joined #openvpn
20:21 -!- slikts [~reinis@79.132.67.157] has quit [Changing host]
20:21 -!- slikts [~reinis@wikipedia/reinis] has joined #openvpn
20:23 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
20:23 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
20:23 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has quit [Ping timeout: 245 seconds]
20:23 -!- P4k3 [~P4k3@c-5a34e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
20:24 -!- Netsplit *.net <-> *.split quits: Hes
20:27 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 252 seconds]
20:27 -!- Netsplit *.net <-> *.split quits: P4k3
20:28 -!- Netsplit *.net <-> *.split quits: TypoNe
20:28 -!- Netsplit *.net <-> *.split quits: _FBi
20:29 -!- Netsplit *.net <-> *.split quits: phreakocious, guntha_, kirin`
20:29 -!- Netsplit *.net <-> *.split quits: digilink, MeanderingCode, saneki
20:29 -!- Netsplit *.net <-> *.split quits: Guest81679, julianoliver, maxiepax
20:29 -!- Netsplit *.net <-> *.split quits: mitz, stickpin
20:30 -!- Netsplit *.net <-> *.split quits: mingdao_, pjschmitt
20:30 -!- Netsplit *.net <-> *.split quits: mgorbach
20:30 -!- Netsplit *.net <-> *.split quits: bersace
20:30 -!- Netsplit *.net <-> *.split quits: lamokie
20:31 -!- Netsplit *.net <-> *.split quits: Matir
20:32 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
20:32 -!- mete [~mete@91.247.253.160] has joined #openvpn
20:32 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
20:33 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 252 seconds]
20:33 -!- Netsplit *.net <-> *.split quits: sHockz
20:33 -!- Netsplit *.net <-> *.split quits: matsh
--- Log closed Sun Feb 02 20:33:51 2014
--- Log opened Sun Feb 02 20:35:05 2014
20:35 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
20:35 -!- Irssi: #openvpn: Total of 9 nicks [0 ops, 0 halfops, 0 voices, 9 normal]
20:35 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
20:38 -!- sailerboy [~sailerboy@2605:6400:2:fed5:22:3e62:d2e8:e4e1] has quit [Ping timeout: 272 seconds]
20:38 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
20:38 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
20:38 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
20:38 -!- pa [~pa@82.60.135.229] has quit [Ping timeout: 272 seconds]
20:39 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
20:39 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
20:39 -!- mattock_afk is now known as mattock
20:40 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 272 seconds]
20:40 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
--- Log closed Sun Feb 02 20:44:49 2014
--- Log opened Sun Feb 02 21:09:00 2014
21:09 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
21:09 -!- Irssi: #openvpn: Total of 7 nicks [0 ops, 0 halfops, 0 voices, 7 normal]
21:09 -!- fallout [~fallout@firestorm.cs.duke.edu] has joined #openvpn
21:10 -!- Irssi: Join to #openvpn was synced in 95 secs
21:11 -!- kossy [~a@kossy.org] has joined #openvpn
21:13 -!- akselii [~akselii@91.121.193.41] has quit [Ping timeout: 272 seconds]
21:15 -!- kossy [~a@kossy.org] has quit [Excess Flood]
21:19 -!- kossy [~a@kossy.org] has joined #openvpn
21:20 -!- guntha_ [~guntha@guntha.thecagedog.com] has joined #openvpn
21:22 -!- Bretos [~Bretos@188.116.15.100] has joined #openvpn
21:22 -!- pppingme [~pppingme@cpe-24-94-191-245.kc.res.rr.com] has joined #openvpn
21:22 -!- slikts [~reinis@79.132.67.157] has quit [Ping timeout: 272 seconds]
21:23 -!- kossy [~a@kossy.org] has quit [Read error: Connection reset by peer]
21:27 -!- akselii [~akselii@91.121.193.41] has joined #openvpn
21:27 -!- Bretos [~Bretos@188.116.15.100] has quit [Ping timeout: 272 seconds]
21:28 -!- guntha_ [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 272 seconds]
21:29 -!- kisom [~kisom@kisom.thr.kth.se] has quit [Ping timeout: 272 seconds]
21:29 -!- guntha_ [~guntha@guntha.thecagedog.com] has joined #openvpn
21:29 -!- kossy [a@kossy.org] has joined #openvpn
21:30 -!- kossy [a@kossy.org] has quit [Excess Flood]
21:32 -!- bmoriarty [~bmoriarty@yt.acm.uiuc.edu] has quit [Ping timeout: 272 seconds]
21:32 -!- kossy [a@kossy.org] has joined #openvpn
21:35 -!- kossy [a@kossy.org] has quit [Read error: Connection reset by peer]
21:35 -!- guntha_ [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 272 seconds]
21:36 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
--- Log closed Sun Feb 02 21:38:28 2014
--- Log opened Sun Feb 02 22:43:49 2014
22:43 -!- ecrist [~ecrist@199.102.77.84] has joined #openvpn
22:43 -!- Irssi: #openvpn: Total of 124 nicks [3 ops, 0 halfops, 3 voices, 118 normal]
22:45 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Ping timeout: 245 seconds]
22:45 -!- pppingme [~pppingme@2001:470:1f11:160:223:8bff:fe6d:bad4] has joined #openvpn
22:45 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
22:48 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
22:48 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
22:48 -!- P4k3 [~P4k3@c-5a34e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
22:48 -!- ecrist [~ecrist@199.102.77.84] has quit [Ping timeout: 245 seconds]
--- Log closed Sun Feb 02 22:48:28 2014
--- Log opened Sun Feb 02 22:55:35 2014
22:55 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
22:55 -!- Irssi: #openvpn: Total of 9 nicks [0 ops, 0 halfops, 0 voices, 9 normal]
22:55 -!- slikts [~reinis@79.132.67.157] has joined #openvpn
22:56 -!- kisom [~kisom@130.237.41.249] has quit [Ping timeout: 272 seconds]
22:57 -!- stickpin [~b@173.244.215.195] has joined #openvpn
--- Log closed Sun Feb 02 22:59:37 2014
--- Log opened Mon Feb 03 00:58:48 2014
00:58 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
00:58 -!- Irssi: #openvpn: Total of 2 nicks [0 ops, 0 halfops, 0 voices, 2 normal]
01:03 -!- simcop2387 [~simcop238@simcop2387.info] has joined #openvpn
01:03 -!- ecrist [~ecrist@token-black.secure-computing.net] has quit [Ping timeout: 260 seconds]
--- Log closed Mon Feb 03 01:03:27 2014
--- Log opened Mon Feb 03 01:10:23 2014
01:10 -!- ecrist [~ecrist@199.102.77.84] has joined #openvpn
01:10 -!- Irssi: #openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
01:11 -!- Irssi: Join to #openvpn was synced in 96 secs
01:12 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
01:14 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Remote host closed the connection]
01:16 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Ping timeout: 272 seconds]
01:16 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
01:18 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
01:21 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 272 seconds]
01:24 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
01:24 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
01:26 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 272 seconds]
01:28 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
01:30 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
01:32 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
01:32 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
01:32 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
01:32 -!- mattock_afk is now known as mattock
01:32 -!- lordnikk1n [~marme@li388-49.members.linode.com] has quit [Ping timeout: 272 seconds]
01:35 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 272 seconds]
01:38 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
01:42 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
01:43 -!- mingdao [~mingdao@66-208-231-133.ubr01a.rte20201.pa.hfc.comcastbusiness.net] has joined #openvpn
01:44 -!- rustem [~ka4ok@141.0.170.169] has quit [Ping timeout: 272 seconds]
01:46 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
01:46 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
01:46 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
01:48 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
01:48 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
01:48 -!- mattock_afk is now known as mattock
01:50 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
01:52 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
01:53 -!- mingdao [~mingdao@66-208-231-133.ubr01a.rte20201.pa.hfc.comcastbusiness.net] has quit [Ping timeout: 272 seconds]
01:53 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
02:00 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
02:00 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 272 seconds]
02:00 -!- krzee [~k@2610:150:4002::3:1] has quit [Read error: Connection reset by peer]
02:00 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
02:00 -!- ecrist [~ecrist@199.102.77.84] has quit [Ping timeout: 272 seconds]
--- Log closed Mon Feb 03 02:00:37 2014
--- Log opened Mon Feb 03 03:24:10 2014
03:24 -!- ecrist [~ecrist@199.102.77.84] has joined #openvpn
03:24 -!- Irssi: #openvpn: Total of 10 nicks [0 ops, 0 halfops, 0 voices, 10 normal]
03:24 -!- Irssi: Join to #openvpn was synced in 37 secs
03:28 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
03:28 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
03:33 -!- Nothing4You [N4Y@w.tf-w.tf] has quit [Excess Flood]
--- Log closed Mon Feb 03 03:59:41 2014
--- Log opened Mon Feb 03 03:59:58 2014
03:59 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
03:59 -!- Irssi: #openvpn: Total of 153 nicks [3 ops, 0 halfops, 3 voices, 147 normal]
03:59 -!- mode/#openvpn [+o ecrist] by ChanServ
04:00 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 276 seconds]
04:00 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
04:00 -!- Irssi: Join to #openvpn was synced in 35 secs
04:00 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
04:00 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
04:00 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
04:00 -!- mattock [~mattock@2607:5300:60:d5a::2] has joined #openvpn
04:00 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
04:00 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
04:00 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
04:01 -!- fred`` [fred@earthli.ng] has joined #openvpn
04:01 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
04:01 -!- Varazir [~mircwars@c-94-255-130-121.cust.bredband2.com] has joined #openvpn
04:02 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
04:03 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host]
04:03 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
04:03 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
04:03 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Changing host]
04:03 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
04:03 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Changing host]
04:03 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:03 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
04:03 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
04:03 -!- mode/#openvpn [+o mattock] by ChanServ
04:04 -!- mode/#openvpn [+o raidz] by ChanServ
04:05 -!- C-S-B [~C-S-B@217.42.190.155] has joined #openvpn
04:05 < lvv> kalloc: it works fine but i was interested in making it tighter
04:05 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
04:05 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 276 seconds]
04:05 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn
04:06 -!- pppingme [~pppingme@2001:470:1f11:160:223:8bff:fe6d:bad4] has joined #openvpn
04:06 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host]
04:06 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
04:06 -!- pppingme [~pppingme@2001:470:1f11:160:223:8bff:fe6d:bad4] has quit [Changing host]
04:06 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:06 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
04:08 -!- jinnko [~jinnko@2a01:4f8:192:1204::2] has left #openvpn ["Leaving..."]
04:08 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 272 seconds]
04:08 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 272 seconds]
04:08 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:09 -!- mode/#openvpn [+v hazardous] by ChanServ
04:09 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
04:10 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
04:10 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 272 seconds]
04:10 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
04:10 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
04:11 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
04:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
04:11 -!- mode/#openvpn [+o raidz] by ChanServ
04:11 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Changing host]
04:11 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
04:11 -!- defswork [~andy@141.0.50.105] has joined #openvpn
04:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:11 -!- troyt [~troyt@2601:7:6200:1132:44dd:acff:fe85:9c8e] has joined #openvpn
04:14 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 272 seconds]
04:17 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
04:17 -!- Guest16113 [~fallout@firestorm.cs.duke.edu] has quit [Ping timeout: 272 seconds]
04:18 -!- fallout_ [~fallout@firestorm.cs.duke.edu] has joined #openvpn
04:18 -!- mrrg_ [~notabot@delicious.sykosys.jp] has joined #openvpn
04:19 -!- eliasp_ [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
04:19 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has joined #openvpn
04:19 -!- keropok_ [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
04:20 -!- 45PABCS5X [~andi@unaffiliated/fr00d] has quit [Ping timeout: 272 seconds]
04:20 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Read error: Operation timed out]
04:22 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
04:22 -!- mode/#openvpn [+o krzie] by ChanServ
04:22 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 272 seconds]
04:22 -!- Netsplit *.net <-> *.split quits: +hazardous, pppingme, @plai, 31NAAEEG9, tapout, Six6siX, thumbs, keropok, Haseo, lowkey,  (+30 more, use /NETSPLIT to show all of them)
04:22 -!- troyt [~troyt@2601:7:6200:1132:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
04:22 -!- krzee [~k@2610:150:4002::3:1] has quit [Ping timeout: 272 seconds]
04:22 -!- krzie is now known as krzee
04:22 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
04:22 -!- andi_ [~andi@shell.sixhop.net] has joined #openvpn
04:22 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
04:23 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 272 seconds]
04:23 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
04:25 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
04:26 -!- Thermi_ [~Thermi@unaffiliated/thermi] has joined #openvpn
04:27 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
04:28 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
04:28 -!- i7c_ [~i7c@80-69-77-233.colo.transip.net] has joined #openvpn
04:29 -!- mrrg_ [~notabot@delicious.sykosys.jp] has quit [Write error: Broken pipe]
04:30 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
04:30 -!- rob0_ [rob0@207.223.116.211] has joined #openvpn
04:30 -!- Netsplit *.net <-> *.split quits: matsh, _bt, rkantos, Thermi, Nothing4You, BtbN, kevinsky
04:30 -!- Thermi_ is now known as Thermi
04:30 -!- rob0_ [rob0@207.223.116.211] has quit [Changing host]
04:30 -!- rob0_ [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
04:30 -!- fallout_ [~fallout@firestorm.cs.duke.edu] has quit [Ping timeout: 272 seconds]
04:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 565 seconds]
04:30 -!- i7c_ [~i7c@80-69-77-233.colo.transip.net] has quit [Changing host]
04:30 -!- i7c_ [~i7c@unaffiliated/i7c] has joined #openvpn
04:31 -!- brabo [brabo@globalshellz/owner/brabo] has quit [Remote host closed the connection]
04:31 -!- keropok_ [~keropok@9W2JDY.peramah.org.my] has quit [Remote host closed the connection]
04:31 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
04:31 -!- mode/#openvpn [+o vpnHelper] by ChanServ
04:31 -!- i7c_ is now known as i7c
04:31 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
04:32 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
04:35 -!- Netsplit over, joins: BtbN
04:39 -!- C_S_B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has joined #openvpn
04:40 -!- mattock [~mattock@2607:5300:60:d5a::2] has joined #openvpn
04:40 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
04:41 -!- brabo [brabo@globalshellz/owner/brabo] has joined #openvpn
04:41 -!- keropok [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
04:43 -!- _bt [foobar@77.240.12.157] has joined #openvpn
04:44 -!- jerryc [~pppingme@24.94.191.245] has joined #openvpn
04:47 -!- jerryc [~pppingme@24.94.191.245] has quit [Excess Flood]
04:49 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:49 -!- Netsplit *.net <-> *.split quits: C_S_B, mikkel, rob0_, s0meone, @krzee, @raidz, andi_, mattock, intricate, niel
04:53 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
04:53 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
04:53 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
04:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
04:53 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
04:54 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
04:54 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
04:57 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
04:57 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
05:04 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
05:04 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
05:04 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
05:04 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
05:04 -!- mattock [~mattock@2607:5300:60:d5a::2] has joined #openvpn
05:04 -!- rkantos_ [robin@4e.fi] has joined #openvpn
05:04 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
05:06 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 247 seconds]
05:11 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 249 seconds]
05:11 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
05:11 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
05:11 -!- intricate [~xach@2607:5300:60:3d47::1] has joined #openvpn
05:11 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
05:12 -!- losted [~losted@box.losted.net] has joined #openvpn
05:12 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Excess Flood]
05:12 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
05:12 -!- krzee [~k@2610:150:4002::3:1] has quit [Ping timeout: 272 seconds]
05:12 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
05:12 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
05:12 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 272 seconds]
05:13 -!- XJR-9 [sid2977@gateway/web/irccloud.com/session] has joined #openvpn
05:15 -!- XJR-9 [sid2977@gateway/web/irccloud.com/session] has quit [Changing host]
05:15 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
05:19 -!- vinothkumar_ [~vinothkum@122.167.94.67] has quit [Ping timeout: 245 seconds]
05:21 -!- MeanderingCode [~Meanderin@192.241.150.232] has joined #openvpn
05:21 -!- intricate [~xach@2607:5300:60:3d47::1] has quit [Ping timeout: 272 seconds]
05:21 -!- MeanderingCode [~Meanderin@192.241.150.232] has quit [Excess Flood]
05:21 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
05:21 -!- pppingme [~pppingme@24.94.191.245] has joined #openvpn
05:21 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 272 seconds]
05:22 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
05:22 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 272 seconds]
05:22 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 272 seconds]
05:22 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
05:22 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
05:22 -!- 23LAA1KDQ [~andi@shell.sixhop.net] has joined #openvpn
05:22 -!- rkantos_ [robin@4e.fi] has quit [Remote host closed the connection]
05:23 -!- mode/#openvpn [+o krzee] by ChanServ
05:23 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
05:24 -!- pppingme [~pppingme@24.94.191.245] has quit [Ping timeout: 272 seconds]
05:24 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
05:24 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 272 seconds]
05:25 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
05:25 -!- Devastator [~devas@177.18.199.20] has joined #openvpn
05:25 -!- Devastator [~devas@177.18.199.20] has quit [Changing host]
05:25 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
05:28 -!- lbft [~lbft@unaffiliated/lbft] has quit [Excess Flood]
05:33 -!- 23LAA1KDQ [~andi@shell.sixhop.net] has quit [Ping timeout: 272 seconds]
05:34 -!- keropok [~keropok@9W2JDY.peramah.org.my] has quit [Remote host closed the connection]
05:34 -!- gardar [~gardar@82.221.78.13] has joined #openvpn
05:34 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
05:34 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
05:34 -!- mattock_afk is now known as mattock
05:34 -!- AsadH [~AsadH@znc.asadhaider.co.uk] has joined #openvpn
05:35 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
05:35 -!- losted [~losted@box.losted.net] has joined #openvpn
05:35 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
05:35 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
05:35 -!- Rallias [~Rallias@bnc.ubernerd.us] has joined #openvpn
05:35 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
05:35 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has quit [Ping timeout: 272 seconds]
05:35 -!- Rallias [~Rallias@bnc.ubernerd.us] has quit [Excess Flood]
05:35 -!- AsadH [~AsadH@znc.asadhaider.co.uk] has quit [Ping timeout: 272 seconds]
05:36 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 272 seconds]
05:36 -!- C-S-B [~C-S-B@217.42.190.155] has joined #openvpn
05:36 -!- dazo_afk is now known as dazo
05:39 -!- digilink [~digilink@70.90.228.194] has joined #openvpn
05:43 -!- liriel [~liriel@198.154.114.106] has quit [Ping timeout: 259 seconds]
05:43 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 259 seconds]
05:43 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 259 seconds]
05:43 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 259 seconds]
05:43 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 259 seconds]
05:44 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
05:44 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
05:44 -!- Rallias [~Rallias@bnc.ubernerd.us] has joined #openvpn
05:44 -!- Rallias [~Rallias@bnc.ubernerd.us] has quit [Changing host]
05:44 -!- Rallias [~Rallias@unaffiliated/gasseus] has joined #openvpn
05:45 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 272 seconds]
05:45 -!- Rallias [~Rallias@unaffiliated/gasseus] has quit [Ping timeout: 272 seconds]
05:45 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Ping timeout: 272 seconds]
05:45 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
05:45 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
05:45 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 272 seconds]
05:45 -!- esde [~esde@107.150.1.2] has joined #openvpn
05:45 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
05:45 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
05:45 -!- C-S-B [~C-S-B@217.42.190.155] has quit [Ping timeout: 272 seconds]
05:45 -!- gardar [~gardar@82.221.78.13] has quit [Ping timeout: 272 seconds]
05:45 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
05:45 -!- digilink [~digilink@70.90.228.194] has quit [Ping timeout: 272 seconds]
05:49 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
05:53 -!- liriel_ [~liriel@198.154.114.106] has joined #openvpn
06:00 -!- booo [~booo__@p54BD8C12.dip0.t-ipconnect.de] has joined #openvpn
06:01 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
06:01 -!- Netsplit *.net <-> *.split quits: s0meone, raidz, mattock, liriel, esde, Gman32
06:01 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
06:13 -!- liriel_ is now known as liriel
06:13 -!- liriel [~liriel@198.154.114.106] has quit [Excess Flood]
06:13 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has joined #openvpn
06:14 -!- Netsplit *.net <-> *.split quits: booo, Fruckiwacki-, mumixam, C-S-B
06:21 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 344 seconds]
06:21 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 344 seconds]
06:21 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 344 seconds]
06:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
06:23 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
06:24 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
06:25 -!- Netsplit over, joins: esde
06:25 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
06:26 -!- Denial is now known as 21WACCAAE
06:27 -!- mattock [~mattock@2607:5300:60:d5a::2] has joined #openvpn
06:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
06:27 -!- ernetas [~Ernestas@162.243.113.169] has joined #openvpn
06:27 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
06:27 -!- emid [~emid@192.241.162.156] has joined #openvpn
06:27 -!- Denial [Denial@90.201.173.63] has joined #openvpn
06:27 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
06:27 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
06:27 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:27 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 272 seconds]
06:28 -!- _FBi [~B@199.241.189.120] has joined #openvpn
06:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
06:28 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
06:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
06:29 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
06:29 -!- _FBi [~B@199.241.189.120] has quit [Changing host]
06:29 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
06:30 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
06:30 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
06:31 -!- havoc__ [~havoc@neptune.chaillet.net] has joined #openvpn
06:32 -!- havoc__ [~havoc@neptune.chaillet.net] has quit [Client Quit]
06:33 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
06:38 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
06:38 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
06:38 -!- mode/#openvpn [+o raidz] by ChanServ
06:38 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Changing host]
06:38 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:38 -!- mode/#openvpn [+o mattock] by ChanServ
06:38 -!- qwertyoruiop [~hax@93.174.90.32] has joined #openvpn
06:39 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
06:39 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
06:44 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
06:45 -!- mode/#openvpn [+o vpnHelper] by ChanServ
06:46 -!- ernetas [~Ernestas@162.243.113.169] has quit [Remote host closed the connection]
06:57 -!- lj [~l@adsl-99-74-1-11.dsl.peoril.sbcglobal.net] has quit [Quit: Leaving.]
06:59 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
06:59 -!- novaflash_away is now known as novaflash
07:09 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 272 seconds]
07:10 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
07:10 -!- mattock_afk is now known as mattock
07:12 -!- plaisthos [~arne@kamera.blinkt.de] has joined #openvpn
07:14 -!- ade_b [~Ade@193.202.255.218] has joined #openvpn
07:14 -!- AsadH [~AsadH@2605:6400:1:fed5:22:1728:e497:b33d] has joined #openvpn
07:14 -!- Haigha [~root@2001:41d0:1:d4e5:dead::42] has joined #openvpn
07:14 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
07:14 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/session] has joined #openvpn
07:14 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
07:14 -!- lvv [~loganaden@2001:4290:10:250:1d46:2d49:b8e3:af44] has joined #openvpn
07:14 -!- 31NAAEEJO [uid22180@gateway/web/irccloud.com/x-iatlgovsntwvoabv] has joined #openvpn
07:14 -!- 31NAAEEG9 [uid4697@gateway/web/irccloud.com/x-cigaxlbyrluetdze] has joined #openvpn
07:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:14 -!- dowaat [uid3966@gateway/web/irccloud.com/x-iyptbirtrtyowtbj] has joined #openvpn
07:14 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:14 -!- NChief2 [~nchief@unaffiliated/nchief] has joined #openvpn
07:14 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
07:14 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
07:14 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
07:14 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oolywezulfjtmtdw] has joined #openvpn
07:14 -!- noobboob [uid5587@gateway/web/irccloud.com/x-lttupgrrtgbjtpxb] has joined #openvpn
07:14 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-kymzvfymijzorfdt] has joined #openvpn
07:14 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
07:14 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-kymzvfymijzorfdt] has quit [Max SendQ exceeded]
07:14 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
07:16 -!- plaisthos [~arne@kamera.blinkt.de] has quit [Changing host]
07:16 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:16 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:17 -!- mattock is now known as mattock_afk
07:21 -!- xorox90__ [uid7069@gateway/web/irccloud.com/session] has joined #openvpn
07:24 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:24 -!- AsadH [~AsadH@2605:6400:1:fed5:22:1728:e497:b33d] has quit [Changing host]
07:24 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
07:25 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
07:26 -!- keropok [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
07:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:29 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:29 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
07:29 -!- mode/#openvpn [+v hazardous] by ChanServ
07:30 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
07:31 -!- lbft [~lbft@unaffiliated/lbft] has quit [Disconnected by services]
07:31 -!- lbft_ is now known as lbft
07:33 -!- makara [~makara@41.164.22.218] has quit [Max SendQ exceeded]
07:33 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
07:33 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 272 seconds]
07:34 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:34 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 272 seconds]
07:41 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
07:41 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
07:41 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
07:41 -!- mode/#openvpn [+o krzee] by ChanServ
07:42 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Quit: leaving]
07:43 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:43 -!- lvv [~loganaden@2001:4290:10:250:1d46:2d49:b8e3:af44] has quit [Quit: lvv]
07:44 -!- mode/#openvpn [+o vpnHelper] by krzee
07:44 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
07:48 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
07:48 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
07:50 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:52 -!- rkantos [robin@109.169.7.197] has joined #openvpn
07:52 -!- mrrg [~notabot@209.20.75.42] has joined #openvpn
07:52 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
07:52 -!- WinstonSmith [~WinstonSm@bl9-3-79.dsl.telepac.pt] has joined #openvpn
07:52 -!- digilink [~digilink@70.90.228.194] has joined #openvpn
07:52 -!- Rallias [~Rallias@bnc.ubernerd.us] has joined #openvpn
07:52 -!- thoraxe [~thoraxe@50.73.95.6] has joined #openvpn
07:52 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
07:52 -!- andi_ [~andi@212.224.83.70] has joined #openvpn
07:52 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
07:52 -!- mani2 [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
07:52 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
07:52 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has joined #openvpn
07:52 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
07:52 -!- booo [~booo__@p54BD8C12.dip0.t-ipconnect.de] has joined #openvpn
08:04 -!- plai [~arne@kamera.blinkt.de] has joined #openvpn
08:04 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 272 seconds]
08:04 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 272 seconds]
08:04 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
08:04 -!- Denial [Denial@90.201.173.63] has quit [Ping timeout: 272 seconds]
08:04 -!- 21WACCAAE is now known as Denial
08:04 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
08:04 -!- makara [~makara@41.164.22.218] has quit [Excess Flood]
08:04 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
08:04 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 272 seconds]
08:06 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
08:07 -!- Rallias [~Rallias@bnc.ubernerd.us] has quit [Ping timeout: 254 seconds]
08:08 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/session] has quit [Changing host]
08:08 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-sjtfwxoveqummuwx] has joined #openvpn
08:08 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/session] has quit [Changing host]
08:08 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vtlfnqaleerxzatr] has joined #openvpn
08:08 -!- xorox90__ [uid7069@gateway/web/irccloud.com/session] has quit [Changing host]
08:08 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-wmdizircldzgzdts] has joined #openvpn
08:08 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
08:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-qacybxojuklptoaf] has joined #openvpn
08:09 -!- mani2 [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Excess Flood]
08:09 -!- manitu- [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
08:09 -!- mrrg [~notabot@209.20.75.42] has quit [Write error: Broken pipe]
08:11 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
08:12 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Ping timeout: 272 seconds]
08:12 -!- krzie [~k@2610:150:4002::3:1] has joined #openvpn
08:13 -!- krzie is now known as krzee
08:13 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
08:13 -!- mrrg_ [~notabot@delicious.sykosys.jp] has joined #openvpn
08:13 -!- makara [~makara@41.164.22.218] has joined #openvpn
08:14 -!- Rallias [~Rallias@bnc.ubernerd.us] has joined #openvpn
08:15 -!- lj [~l@192.241.174.169] has joined #openvpn
08:15 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
08:17 -!- plai [~arne@kamera.blinkt.de] has quit [Changing host]
08:17 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:17 -!- mode/#openvpn [+o plai] by ChanServ
08:20 -!- Denial- [Denial@90.201.173.63] has joined #openvpn
08:21 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 272 seconds]
08:21 -!- kalloc_ [~kalloc@stmdev.ru] has quit [Ping timeout: 272 seconds]
08:21 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 272 seconds]
08:21 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
08:21 -!- krzee [~k@2610:150:4002::3:1] has quit [Ping timeout: 272 seconds]
08:21 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 272 seconds]
08:22 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 272 seconds]
08:22 -!- pppingme [~pppingme@cpe-24-94-191-245.kc.res.rr.com] has joined #openvpn
08:22 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
08:22 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
08:22 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
08:22 -!- mattock_afk is now known as mattock
08:22 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
08:24 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
08:24 -!- emid [~emid@192.241.162.156] has joined #openvpn
08:24 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
08:26 -!- rkantos_ [robin@4e.fi] has joined #openvpn
08:26 -!- krzee [~k@2610:150:4002::3:1] has quit [Read error: Connection reset by peer]
08:27 -!- pi______4 [~pi@d24-235-162-103.home1.cgocable.net] has joined #openvpn
08:27 < pi______4> Hello Chaps
08:27 -!- Rallias [~Rallias@bnc.ubernerd.us] has quit [Changing host]
08:27 -!- Rallias [~Rallias@unaffiliated/gasseus] has joined #openvpn
08:28 -!- pi______4 is now known as Nikon_Pi
08:28 -!- rkantos [robin@109.169.7.197] has quit [Ping timeout: 261 seconds]
08:28 < Nikon_Pi> So, I've got a problem
08:28 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 261 seconds]
08:28 -!- WinstonSmith [~WinstonSm@bl9-3-79.dsl.telepac.pt] has quit [Ping timeout: 261 seconds]
08:28 -!- digilink [~digilink@70.90.228.194] has quit [Ping timeout: 261 seconds]
08:28 -!- thoraxe [~thoraxe@50.73.95.6] has quit [Ping timeout: 261 seconds]
08:28 < Nikon_Pi> My vpn has a disconnect problem
08:28 -!- andi_ [~andi@212.224.83.70] has quit [Ping timeout: 261 seconds]
08:28 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
08:28 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
08:28 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 261 seconds]
08:29 -!- booo [~booo__@p54BD8C12.dip0.t-ipconnect.de] has quit [Ping timeout: 261 seconds]
08:29 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has quit [Ping timeout: 261 seconds]
08:29 < Nikon_Pi> like every few minutes it'll prune the active connections
08:29 < Nikon_Pi> so if im connected to a peer
08:29 < Nikon_Pi> ill disconnect from them every few minutes
08:29 < Nikon_Pi> but i wont d/c from the server
08:29 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 486 seconds]
08:29 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has quit [Ping timeout: 486 seconds]
08:29 < Nikon_Pi> Ideas?
08:30 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
08:30 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has joined #openvpn
08:32 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
08:33 -!- pppingme [~pppingme@cpe-24-94-191-245.kc.res.rr.com] has quit [Changing host]
08:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
08:35 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
08:36 -!- WinstonSmith [~WinstonSm@bl9-3-79.dsl.telepac.pt] has joined #openvpn
08:36 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
08:36 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
08:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
08:43 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
08:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
08:44 -!- mode/#openvpn [+o krzee] by ChanServ
08:44 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
08:47 -!- Netsplit *.net <-> *.split quits: davidmp, WinstonSmith, digilink, rkantos_, mikkel, Fruckiwacki, @krzee, kubbing_, raidz, mattock,  (+3 more, use /NETSPLIT to show all of them)
08:50 -!- moparisthebest [~quassel@2001:470:1f11:88c::2] has quit [Remote host closed the connection]
08:51 -!- Guest19117 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
08:52 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:52 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
08:52 -!- mrrg_ [~notabot@delicious.sykosys.jp] has quit [Ping timeout: 253 seconds]
08:52 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 253 seconds]
08:52 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 253 seconds]
08:52 -!- klaxa [~klaxa@klaxa.eu] has quit [Ping timeout: 253 seconds]
08:52 -!- thumbs [1000@unaffiliated/thumbs] has quit [Write error: Broken pipe]
08:54 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 249 seconds]
08:54 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds]
08:57 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 249 seconds]
08:57 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
08:58 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Ping timeout: 266 seconds]
08:58 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 266 seconds]
08:58 -!- Netsplit over, joins: WinstonSmith
08:58 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
09:00 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
09:01 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
09:01 -!- lj [~l@192.241.174.169] has joined #openvpn
09:03 -!- master_of_master [~master_of@p4FD7B211.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
09:05 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
09:05 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
09:05 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
09:06 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
09:06 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
09:06 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
09:06 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
09:06 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
09:06 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
09:06 -!- mattock_afk is now known as mattock
09:06 -!- pppingme [~pppingme@cpe-24-94-191-245.kc.res.rr.com] has joined #openvpn
09:06 -!- jtrucks is now known as Guest97859
09:06 -!- makara [~makara@41.164.22.218] has joined #openvpn
09:07 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
09:07 -!- novaflash_away is now known as novaflash
09:07 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn
09:12 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
09:12 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
09:12 -!- mode/#openvpn [+o krzee] by ChanServ
09:13 -!- pppingme [~pppingme@cpe-24-94-191-245.kc.res.rr.com] has quit [Changing host]
09:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
09:13 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Ping timeout: 264 seconds]
09:13 -!- andi_ [~andi@shell.sixhop.net] has joined #openvpn
09:14 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn
09:14 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
09:15 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
09:16 -!- WinstonSmith [~WinstonSm@bl9-3-79.dsl.telepac.pt] has quit [Changing host]
09:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
09:17 -!- Guest97859 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
09:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 330 seconds]
09:19 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Ping timeout: 297 seconds]
09:20 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Ping timeout: 297 seconds]
09:20 -!- sudormrf [~pineapple@12.235.42.129] has quit [Ping timeout: 297 seconds]
09:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 244 seconds]
09:20 -!- Denial- [Denial@90.201.173.63] has quit [Ping timeout: 315 seconds]
09:20 -!- klaxa [~klaxa@klaxa.eu] has quit [Ping timeout: 247 seconds]
09:20 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
09:20 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
09:20 -!- novaflash_away is now known as novaflash
09:20 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Excess Flood]
09:20 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
09:20 -!- joshh20-Away is now known as joshh20
09:20 -!- losted [~losted@box.losted.net] has joined #openvpn
09:20 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
09:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:21 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
09:21 -!- WinstonSmith [~WinstonSm@bl9-3-79.dsl.telepac.pt] has joined #openvpn
09:23 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
09:23 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
09:24 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host]
09:24 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
09:24 -!- jtrucks_ is now known as Guest29556
09:26 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
09:26 -!- rkantos [robin@4e.fi] has joined #openvpn
09:31 -!- Guest29556 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has left #openvpn []
09:34 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
09:35 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
09:35 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
09:37 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 244 seconds]
09:40 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
09:40 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Ping timeout: 272 seconds]
09:40 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 272 seconds]
09:40 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 272 seconds]
09:40 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 272 seconds]
09:40 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 272 seconds]
09:40 -!- andi_ [~andi@shell.sixhop.net] has quit [Ping timeout: 272 seconds]
09:40 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Ping timeout: 272 seconds]
09:40 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
09:40 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 272 seconds]
09:40 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 272 seconds]
09:40 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 272 seconds]
09:40 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 272 seconds]
09:40 -!- rkantos [robin@4e.fi] has joined #openvpn
09:40 -!- kalloc [~kalloc@195.94.251.74] has joined #openvpn
09:40 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
09:40 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
09:40 -!- andi [~andi@shell.sixhop.net] has joined #openvpn
09:40 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
09:40 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
09:40 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
09:40 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
09:40 -!- mattock_afk is now known as mattock
09:40 -!- losted [~losted@box.losted.net] has joined #openvpn
09:41 -!- joshh20-Away is now known as joshh20
09:41 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
09:41 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
09:42 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
09:44 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
09:45 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
09:45 -!- ernetas [~Ernestas@162.243.113.169] has joined #openvpn
09:45 < ernetas> Hey guys.
09:45 -!- ferai [~quassel@kde/mitchell] has quit [Ping timeout: 252 seconds]
09:45 < ernetas> http://pastebin.com/YzybbQZk - what could be the problem?
09:46 < ernetas> I'm trying to bridge two subnet networks.
09:46 < ernetas> I can access the client which connected, but not his subnet...
09:46 < ernetas> (not other machines on his subnet)
09:49 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:50 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
09:50 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
09:51 -!- mode/#openvpn [+o novaflash] by ChanServ
09:51 -!- defswork [~andy@141.0.50.105] has quit [Remote host closed the connection]
09:52 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:53 -!- i7c_ [~i7c@80-69-77-233.colo.transip.net] has joined #openvpn
09:54 -!- __bt [foobar@77.240.12.157] has joined #openvpn
09:56 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
09:59 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
09:59 -!- Netsplit *.net <-> *.split quits: MacGyver, Guest48705, dren, _bt, Chrisje, i7c, Olipro, Thermi, fred``
09:59 -!- i7c_ is now known as i7c
10:00 -!- kalloc [~kalloc@195.94.251.74] has quit [Remote host closed the connection]
10:01 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:02 -!- manitu- is now known as manitu
10:05 < EugeneKay> Step 1) don't bridge; route.
10:05 < EugeneKay> !route
10:05 < EugeneKay> Oh, bot's dead of course.
10:11 -!- Netsplit over, joins: Thermi, fred``, dren, Guest48705, Chrisje, MacGyver
10:13 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 245 seconds]
10:14 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
10:17 -!- XJR-9 [sid2977@gateway/web/irccloud.com/x-defomjsscbqlzgxw] has joined #openvpn
10:21 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
10:22 -!- jtrucks is now known as Guest88262
10:22 -!- Olipro is now known as Guest7961
10:22 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
10:23 -!- Guest7961 [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host]
10:23 -!- Guest7961 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:24 -!- Guest7961 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Quit: Don't flap your BGP at me sonny]
10:24 -!- WinstonSmith [~WinstonSm@bl9-3-79.dsl.telepac.pt] has quit [Changing host]
10:24 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:24 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:26 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 272 seconds]
10:26 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Ping timeout: 272 seconds]
10:26 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 272 seconds]
10:26 -!- rkantos [robin@4e.fi] has joined #openvpn
10:27 -!- Guest88262 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has left #openvpn []
10:27 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 272 seconds]
10:27 -!- ernetas [~Ernestas@162.243.113.169] has quit [Remote host closed the connection]
10:28 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:28 -!- jerryc [~pppingme@24.94.191.245] has joined #openvpn
10:29 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
10:29 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
10:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:35 -!- keropok_ [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
10:36 -!- Netsplit *.net <-> *.split quits: rkantos, Gman32, davidmp, krzee, raidz, mattock, mrrg, kubbing, andi, pppingme
10:42 -!- keropok [~keropok@9W2JDY.peramah.org.my] has quit [Remote host closed the connection]
10:45 -!- master_of_master [~master_of@p4FF24E35.dip0.t-ipconnect.de] has joined #openvpn
10:47 -!- i7c [~i7c@80-69-77-233.colo.transip.net] has quit [Changing host]
10:47 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
10:51 -!- plai [~arne@openvpn/community/developer/plaisthos] has left #openvpn []
10:51 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
10:51 -!- mode/#openvpn [+o plai] by ChanServ
10:52 -!- pcdummy is now known as Fast[BDC]
10:52 -!- jerryc [~pppingme@24.94.191.245] has quit [Max SendQ exceeded]
10:52 -!- esde [~esde@107.150.1.2] has quit [Excess Flood]
10:52 -!- _FBi [~B@Aircrack-NG/User] has quit [Excess Flood]
10:52 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Excess Flood]
10:55 -!- gffa [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has joined #openvpn
10:57 -!- gffa is now known as Guest39803
10:58 -!- Guest39803 [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has quit [Changing host]
10:58 -!- Guest39803 [~unknown@unaffiliated/gffa] has joined #openvpn
10:59 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
10:59 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
10:59 -!- esde [~esde@107.150.1.2] has joined #openvpn
10:59 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Excess Flood]
10:59 -!- ferai [~quassel@kde/mitchell] has quit [Client Quit]
11:00 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
11:00 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
11:00 -!- mattock [~mattock@2607:5300:60:d5a::2] has joined #openvpn
11:00 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
11:00 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has joined #openvpn
11:00 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
11:00 -!- kalloc [~kalloc@195.94.251.74] has joined #openvpn
11:00 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has joined #openvpn
11:00 -!- booo [~booo__@84.189.140.18] has joined #openvpn
11:00 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
11:00 -!- losted [~losted@box.losted.net] has joined #openvpn
11:00 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
11:00 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
11:00 -!- lj [~l@192.241.174.169] has joined #openvpn
11:00 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
11:00 -!- jerryc [~pppingme@24.94.191.245] has joined #openvpn
11:00 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
11:01 -!- ade_b [~Ade@193.202.255.218] has quit [Quit: Too sexy for his shirt]
11:01 -!- _FBi [~B@199.241.189.120] has joined #openvpn
11:01 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
11:02 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
11:02 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:02 -!- andi [~andi@shell.sixhop.net] has joined #openvpn
11:03 -!- g0z [gauze@bitchx/distort/g0z] has joined #openvpn
11:04 < g0z> !welcome
11:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
11:04 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:05 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
11:05 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
11:05 -!- thumbs is now known as Guest21481
11:05 -!- rkantos [robin@4e.fi] has joined #openvpn
11:05 -!- moparisthebest [~quassel@2001:470:1f11:88c::2] has joined #openvpn
11:06 -!- andi [~andi@shell.sixhop.net] has quit [Changing host]
11:06 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
11:06 -!- ernetas [~Ernestas@162.243.113.169] has joined #openvpn
11:07 < g0z> on the server side I have a machine with a public and a private interface, from the client I would like to be able to reach a set of subnets. I am confused as to what the settings on the internal interface should be. for example if I have a virtual subnet of 10.10.10.0/24 for VPN clients what would the interfaces ip be? on my IOS router I assume I have to set a gateway for this internal interface as well ...
11:08 < pr0t> if i have a network with the address 192.168.1.x and the vpn i want to connect to has the address of 192.168.1.x can I get around this obstacle by using a bridge instead of routing?
11:08 < g0z> I'm trying to use access server package btw
11:08 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has joined #openvpn
11:09 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
11:09 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:09 -!- mode/#openvpn [+o raidz] by ChanServ
11:09 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Changing host]
11:09 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
11:09 -!- mode/#openvpn [+o mattock] by ChanServ
11:09 -!- _FBi [~B@199.241.189.120] has quit [Changing host]
11:09 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
11:09 < TheSov> is there any intent in the future to go back to a multithreaded system?
11:10 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
11:10 < lj> TheSov: See http://community.openvpn.net/openvpn/wiki/RoadMap#Threading
11:10 <@vpnHelper> Title: RoadMap – OpenVPN Community (at community.openvpn.net)
11:12 < TheSov> lj: is this done automatically or do i have to setup the multiple process's and ??LAGG the connects?
11:12 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:14 < lj> "??LAGG" ?
11:14 < lj> TheSov: http://openvpn.net/index.php/open-source/faq/79-client/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine.html
11:14 < TheSov> link aggregate
11:14 <@vpnHelper> Title: Can I run multiple OpenVPN tunnels on a single machine? (at openvpn.net)
11:15 < TheSov> lj: I know i can run multiple tunnels but what i am asking is if i have to create multiple tunnels or will openvpn scale itself on SMP systems?
11:15 < lj> Oh.
11:15 < lj> TheSov: I'm unsure.
11:16 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:17 < TheSov> i have a point to point setup for a connection here, we have a 45 megabit pipe right now and i can do max throughput, however we are upgrading the pipe to 1 gig, im sure that i wont be able to do that with both crypto and compression on
11:17 < TheSov> I want to scale our openvpn to be able to cope at that speed
11:19 -!- Guest21481 [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
11:19 -!- Guest21481 [1000@unaffiliated/thumbs] has joined #openvpn
11:19 <@ecrist> if the processor can support it, you'll be fine
11:19 < pr0t> Hi ecrist
11:19 < pr0t> if i have a network with the address 192.168.1.x and the vpn i want to connect to has the address of 192.168.1.x can I get around this obstacle by using a bridge instead of routing?
11:20 -!- kalloc [~kalloc@195.94.251.74] has quit [Remote host closed the connection]
11:20 -!- mete [~mete@91.247.253.160] has joined #openvpn
11:20 < TheSov> from what ive seen theres no way any modern processor will do openvpn at 1 gigabit
11:21 <@ecrist> pr0t: you'll need to fix the conflict
11:21 <@ecrist> things will be broken until you do
11:21 < pr0t> that's what it thought
11:21 < pr0t> there is no way around it right?
11:21 < pr0t> not even using a bridge?
11:21 <@ecrist> TheSov: I don't think you're correct
11:21 < TheSov> ecrist: in my testing with the fastest xeon processor available the fastest i could do was 600 meg
11:22 <@ecrist> jumbo frames enabled?
11:22 < TheSov> i was thinking about using 2 openvpn connections since it would use a different core and internally link aggregating the connections
11:22 <@ecrist> you could try that
11:26 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
11:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:26 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
11:27 < kcodyjr> TheSov, you might want to consider a hardware card to accelerate openssl?
11:27 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has quit [Quit: Ex-Chat]
11:28 -!- mode/#openvpn [+o raidz] by ChanServ
11:29 < kcodyjr> but yeah, you might be able to set up an openvpn process on each core, or on some subset of cores, and use multipath routing to load balance them. you'll need to pin the processes to the given cpu and you'd be well served to prevent swapping. make sure you're using udp mode, and i'd probably turn compression off.
11:29 < kcodyjr> this is probably not going to place nice with stateful firewalling.
11:30 <@ecrist> link aggregation should work fine, too, without multipath routing
11:30 <@ecrist> both links will need to be on TAP devices, however
11:31 < kcodyjr> really? why?
11:31 < TheSov> kcodyjr: what hardware will do that?
11:32 <@ecrist> link aggregation gets you around the firewall state issues as state is tracked on the lagg
11:32 <@ecrist> lagg requires ethernet transport, so TAP is needed
11:33 < TheSov> i already do tap
11:33 < TheSov> contrary to what openvpn recommends setting up a router is much easier when you have an IP on the remote side
11:33 < TheSov> bgp is practically instantaneous
11:34 < kcodyjr> the kernel supports a HIFN 795x crypto adapter chip for in-kernel operations. you'd have to check the openssl docs for what hardware crypto cards it supports.
11:35 < kcodyjr> yet fewer operational problems arise when you don't try to extend a layer 2 network across what amounts to a serial link.
11:36 < kcodyjr> just means you have to allocate addresses oneself at config-time (range argument to server directive, or ifconfig statement for 1:1 tunnels) as opposed to punting to whomever set up the DHCP server. besides, tap+dhcp only works for windows.
11:38 < g0z> if I'm setting up a 10.* network where should the gateway address be assigned, on the openvpn server or on a port on my router?
11:39 < TheSov> i understand the problems that are inherent to that set but my tap interface doesnt extend to the lan on the remote side, it sits on the router alone. and i use that remote system as a border
11:39 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Remote host closed the connection]
11:39 < TheSov> only the local tap interface is bridged
11:40 < TheSov> not a supported setup but it works very well
11:40 < kcodyjr> you're definitely losing bandwith to extra encapsulation
11:40 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
11:41 < TheSov> a few k isnt a problem, like i said we are going to a gigabit line very soon
11:41 < TheSov> and ipsec double encapsulates anyway
11:42 < kcodyjr> what makes you think it's a few K as opposed to some chunk of that 400 megabits between your head and the ceiling?
11:42 < kcodyjr> and wait, what? tell me you're not running ipsec and openvpn at the same time.
11:42 < TheSov>  that 600 megabits was a 1 gig line test
11:42 < TheSov> on the 45 meg line we saturate it.
11:42 < TheSov> no im not
11:42 < kcodyjr> right. so your config is fine for a 45 meg line, and probably would be fine for a lagg of two 100mb ethernets.
11:43 < kcodyjr> ok. *whew*. just checking.
11:43 < TheSov> im running openvpn in leiu of ipsec
11:43 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
11:43 < kcodyjr> i'd agree with that. we're talking about a private point-to-point fiber line beween the office and the datacenter, or something like that, right?
11:43 < TheSov> correct
11:43 < TheSov> my problem was that i could not route via ipsec
11:44 < TheSov> our offices are connected in a star pattern
11:44 < TheSov> not hub and spoke
11:44 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
11:44 < TheSov> dont ask me why, i didnt architect it. but suffice it to say i had to find a way to connect remote office C via B to A
11:44 < kcodyjr> you should be running in tun mode, over udp, using the stateless p2p topology, and then using route statements in the openvpn.conf on each end.
11:45 < kcodyjr> oh, ipsec actually requires that the full address range be specified in the tunnel creation. you can't just make a tunnel and route over it.
11:45 < kcodyjr> in the ipsec paradigm, each tunnel would have to account for the address space of all the other tunnels. big pain in the butt. openvpn is much better for what you're doing.
11:45 < TheSov> exactly what i have found to the case
11:46 < kcodyjr> i introduced my head to that brick wall about 8 years ago.
11:46 < kcodyjr> the hard way, as i imagine you did.
11:46 < TheSov> so i have created openvpn routers with tap interfaces to the datacenter
11:46 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
11:46 < TheSov> but i dont bridge the remote networks
11:46 < TheSov> thus allowing me to route with ease
11:46 < kcodyjr> which makes it utterly pointless to be in tap mode.
11:46 < kcodyjr> except perhaps to avoid figuring out your routing issues.
11:46 < TheSov> well in tun mode bgp wasnt showing all connections
11:47 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
11:47 -!- lj1 [~l@192.241.174.169] has joined #openvpn
11:47 < TheSov> when i swtiched to tap bgp can assemble the whole thing in seconds
11:47 < kcodyjr> then you have a bgp problem, not  a connectivity problem.
11:47 < TheSov> i would agree
11:47 < TheSov> but i putted a bandaid on it :)
11:48 < kcodyjr> that ain't a band aid. it's a piece of masking tape. not even duct tape. scotch tape maybe. or an old audio tape from the 80's. but it ain't any form of medicine.
11:48 < kcodyjr> i'm thinking two possible strategies
11:48 < TheSov> im all ears
11:48 < kcodyjr> either figure out the bgp issues to make it peer properly, or use openvpn to push the routes across the tunnels and let bgp pick them up as AS-external, or whatever bgp calls it. that's an ospf designation.
11:49 < kcodyjr> disclaimer: i'm a career sysadmin with a network specialty, and a major nerd, but i am not a member of the openvpn team.
11:49 < TheSov> hmmm i use pfsense boxes as routers i wonder if the fault is in pfsense's bgp implementation
11:50 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 272 seconds]
11:50 < kcodyjr> hm. entirely possible. or in its configuration.
11:50 < TheSov> thats possible too, ive been known to fatfinger, but why does it work so well with tap interfaces
11:51 -!- lj1 [~l@192.241.174.169] has quit [Client Quit]
11:51 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 252 seconds]
11:51 < kcodyjr> without having a real diagram of your topology, i can only guess that bgp isn't really peering, it's only dealing with locally attached networks
11:51 < kcodyjr> there is no good reason you need to bridge your lan to the remote router.
11:52 < TheSov> yeah... i think i will go examine that really quick
11:52 < TheSov> thanks for advice
11:52 < kcodyjr> np. i'll be lurking here. let me know how it goes.
11:52 < TheSov> will do
11:52 < TheSov> though if i find a problem i will have to fill out a mountain of paperwork to undo all the taps into tuns
11:52 < TheSov> sigh
11:52 < TheSov> such life
11:52 < TheSov> brb
11:53 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 240 seconds]
11:59 -!- aji` is now known as aji
12:11 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host]
12:11 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:18 -!- Sembei is now known as Guest96783
12:20 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
12:24 -!- ultra [~ed@unaffiliated/ultra] has quit [Remote host closed the connection]
12:28 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
12:29 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
12:35 < kcodyjr> also occurs to me, bgp might not be the right choice. this is a private link between private address spaces, right? ospf might be more suitable. and i have used it in this context, and it acts like you'd seem to intuitively want, aware of all its directly connected interfaces
12:36 -!- Guest21481 [1000@unaffiliated/thumbs] has left #openvpn []
12:36 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
12:37 -!- kubbing_ [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Remote host closed the connection]
12:37 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has joined #openvpn
12:42 -!- kubbing [~kubbing@ip-94-113-130-229.net.upcbroadband.cz] has quit [Ping timeout: 265 seconds]
13:06 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Ping timeout: 245 seconds]
13:06 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
13:06 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
13:06 -!- troyt [~troyt@2601:7:6200:1132:44dd:acff:fe85:9c8e] has joined #openvpn
13:06 -!- eliasp_ is now known as eliasp
13:06 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
13:09 -!- visavi- [~visavi@46.246.129.127.dsl.dyn.forthnet.gr] has joined #openvpn
13:10 -!- jerryc [~pppingme@24.94.191.245] has quit [Quit: Leaving]
13:10 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
13:10 < visavi-> I'd like an review/opinion on my config file. It works fine but I'd like someone to take a look and tell me I haven't done something stupid, or I haven't forgoten something important. Does this sound like a job for the forum or the mailing list?
13:13 < EugeneKay> !configs
13:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:13 < EugeneKay> Post & be patient ;-)
13:13 < EugeneKay> The fact that it's working indicates you're on the right track
13:13 -!- visavi- is now known as visavi
13:16 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
13:18 < visavi> You mean I should skip the forum and the list and post it here? This is the best place for that?
13:19 < kcodyjr> i think i remember saying something about a rule about not asking for permission to ask.
13:19 < kcodyjr> *err, seeing something.
13:20 < kcodyjr> i don't have any say around here and don't care for any. :)
13:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
13:21 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
13:22 <@ecrist> !ask
13:22 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
13:23 < kcodyjr> thanks. that. :)
13:26 <@ecrist> and if you haven't seen the link, kcodyjr: 
13:26 <@ecrist> !factoids
13:26 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:27 < kcodyjr> thanks, ecrist
13:27 < g0z> what could cause Connectivity Test in Access Server to fail besides firewall stuff? I get IP Address Test: (not founc) but its FQDNis in DNS and resolves properly on client and server
13:27 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
13:30 < g0z> actually "current Server Network Settings" has the IP Address listed as "eth0" :S
13:31 < EugeneKay> !as
13:31 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
13:31 < g0z> k
13:31 < g0z> thanks
13:31 < EugeneKay> And visavi, just
13:31 < EugeneKay> !ask
13:32 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
13:32 < EugeneKay> Oh, beaten
13:32 -!- mode/#openvpn [+o EugeneKay] by ChanServ
13:32 -!- EugeneKay was kicked from #openvpn by EugeneKay [incompetence]
13:32 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
13:32 -!- mode/#openvpn [+o EugeneKay] by ChanServ
13:33 -!- Guest39803 [~unknown@unaffiliated/gffa] has left #openvpn []
13:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:38 -!- lj [~l@192.241.174.169] has joined #openvpn
13:38 <@ecrist> the factoids web script now outputs stats at the top, in this case we currently have 400 keys with 629 factoids
13:40 < kcodyjr> feel good, EugeneKay ?
13:41 <@EugeneKay> !whaomi
13:41 <@EugeneKay> !whoami
13:41 <@vpnHelper> I don't recognize you.
13:41 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 252 seconds]
13:41 < visavi> Then the answer is in all 3 of them.
13:44 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
13:46 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
13:54 -!- EugeneKay is now known as Eugene
13:55 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
13:55 -!- lj [~l@192.241.174.169] has joined #openvpn
14:00 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
14:08 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
14:12 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has joined #openvpn
14:18 -!- lj [~l@192.241.174.169] has joined #openvpn
14:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:48 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has quit [Read error: Connection reset by peer]
14:48 -!- u0m3_ [~u0m3@92.80.122.174] has joined #openvpn
14:49 -!- u0m3_ [~u0m3@92.80.122.174] has quit [Read error: Connection reset by peer]
14:50 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has joined #openvpn
14:51 -!- u0m3 [~u0m3@92.80.86.111] has quit [Ping timeout: 264 seconds]
14:54 -!- u0m3 [~u0m3@92.80.115.60] has joined #openvpn
14:54 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
14:54 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
14:54 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
14:55 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
14:56 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
14:56 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
15:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
15:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:18 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
15:18 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:21 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:23 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
15:31 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
15:32 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:35 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has quit [Remote host closed the connection]
15:35 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
15:35 -!- XJR-9 [sid2977@gateway/web/irccloud.com/x-defomjsscbqlzgxw] has quit [Killed (morgan.freenode.net (Nickname regained by services))]
15:35 -!- XJR-9_ is now known as XJR-9
15:36 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
15:37 -!- Martin`_ [martin@shell.ipv6.octocore.net] has joined #openvpn
15:37 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
15:37 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Disconnected by services]
15:37 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
15:38 -!- kisom_ [~kisom@kisom.thr.kth.se] has joined #openvpn
15:38 -!- lordnikkon is now known as Guest40499
15:38 -!- JustSigh1udes [~Anon@184.73.255.80] has joined #openvpn
15:38 -!- pjschmit1 [~parker@209.141.56.12] has joined #openvpn
15:38 -!- crus` [~crusader@crus0r.soho.on.net] has joined #openvpn
15:39 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:39 -!- lj [~l@63.sub-70-194-76.myvzw.com] has joined #openvpn
15:39 -!- lj [~l@63.sub-70-194-76.myvzw.com] has quit [Client Quit]
15:40 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
15:40 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:40 -!- P4k3_ [~P4k3@c-5a34e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
15:41 -!- rtur2 [~rtur@212.224.92.143] has joined #openvpn
15:41 -!- Bretos1 [~Bretos@vps.tyborek.pl] has joined #openvpn
15:42 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
15:42 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 245 seconds]
15:42 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Ping timeout: 245 seconds]
15:42 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-sjtfwxoveqummuwx] has quit [Ping timeout: 245 seconds]
15:42 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
15:42 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 245 seconds]
15:42 -!- P4k3 [~P4k3@c-5a34e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Ping timeout: 245 seconds]
15:42 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
15:42 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 245 seconds]
15:42 -!- kisom [~kisom@kisom.thr.kth.se] has quit [Ping timeout: 245 seconds]
15:42 -!- rtur1 [~rtur@212.224.92.143] has quit [Ping timeout: 245 seconds]
15:42 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 245 seconds]
15:42 -!- lordnikk1n [~marme@li388-49.members.linode.com] has quit [Ping timeout: 245 seconds]
15:42 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
15:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 245 seconds]
15:42 -!- qwertyoruiop [~hax@93.174.90.32] has quit [Ping timeout: 245 seconds]
15:42 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 245 seconds]
15:42 -!- aji [~alex@dirt.ajitek.net] has quit [Ping timeout: 245 seconds]
15:42 -!- JustSighDudes [~Anon@184.73.255.80] has quit [Ping timeout: 245 seconds]
15:42 -!- pjschmitt [~parker@209.141.56.12] has quit [Ping timeout: 245 seconds]
15:42 -!- Guest27054 [~exa@unaffiliated/exa] has quit [Ping timeout: 245 seconds]
15:42 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
15:42 -!- Guest43740 [~nobody@188-192-253-130-dynip.superkabel.de] has quit [Ping timeout: 245 seconds]
15:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
15:42 -!- volnukhin [~ka4ok@141.0.170.169] has quit [Ping timeout: 245 seconds]
15:42 -!- qwertyoruiop [~hax@93.174.90.32] has joined #openvpn
15:42 -!- qwertyoruiop [~hax@93.174.90.32] has quit [Excess Flood]
15:42 -!- Martin`_ is now known as Martin`
15:42 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
15:43 -!- maxiepax [max@locke.misse.org] has joined #openvpn
15:43 -!- P4k3_ is now known as P4k3
15:43 -!- Champi [Champi@rootshell.fr] has joined #openvpn
15:43 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
15:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:43 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
15:43 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-bxzxijdmuowgdqsc] has joined #openvpn
15:43 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
15:44 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
15:45 -!- Guest27054 [~exa@v22013091132414614.yourvserver.net] has joined #openvpn
15:45 -!- gffa [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has joined #openvpn
15:45 -!- rustem [~ka4ok@141.0.170.169] has quit [Quit: No Ping reply in 180 seconds.]
15:46 -!- gffa is now known as Guest66097
15:46 -!- Guest66097 [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has quit [Client Quit]
15:46 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
15:46 -!- aji [~alex@dirt.ajitek.net] has joined #openvpn
15:54 -!- visavi- [~visavi@77.49.139.58.dsl.dyn.forthnet.gr] has joined #openvpn
15:55 -!- visavi [~visavi@46.246.129.127.dsl.dyn.forthnet.gr] has quit [Ping timeout: 252 seconds]
15:55 -!- visavi- is now known as visavi
15:55 -!- dazo is now known as dazo_afk
16:11 -!- kcodyjr [~kcodyjr@c-50-169-2-213.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
16:11 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
16:17 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has joined #openvpn
16:25 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has quit [Quit: Leaving]
16:29 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has joined #openvpn
16:31 -!- ManjXfceUsr [~ManjXfceu@host86-133-146-152.range86-133.btcentralplus.com] has quit [Client Quit]
16:56 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
17:15 -!- maxiepax_ [max@locke.misse.org] has joined #openvpn
17:18 -!- Champi_ [Champi@rootshell.fr] has joined #openvpn
17:18 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
17:19 -!- Netsplit *.net <-> *.split quits: qwertyoruiop, Champi, kraut, maxiepax
17:19 -!- Champi_ is now known as Champi
17:24 -!- Netsplit over, joins: kraut
17:42 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:43 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has joined #openvpn
17:54 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
17:54 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:54 -!- mode/#openvpn [+o krzee] by ChanServ
17:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
17:57 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 252 seconds]
18:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:03 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
18:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 248 seconds]
18:24 -!- novaflash is now known as novaflash_away
18:25 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
18:37 -!- Guest27054 [~exa@v22013091132414614.yourvserver.net] has quit [Quit: Guest27054]
18:38 -!- exa [~exa@v22013091132414614.yourvserver.net] has joined #openvpn
18:38 -!- exa is now known as Guest46427
18:38 -!- Guest46427 [~exa@v22013091132414614.yourvserver.net] has quit [Client Quit]
18:40 -!- exa_ [~exa@v22013091132414614.yourvserver.net] has joined #openvpn
19:39 -!- visavi [~visavi@77.49.139.58.dsl.dyn.forthnet.gr] has left #openvpn []
20:02 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 265 seconds]
20:03 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
20:03 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 264 seconds]
20:05 -!- 31NAAEEJO is now known as jacob11
20:06 < jacob11> hello guys I have a problem connecting to my OpenVPN server using tun driver. here is the log http://pastie.org/8696200
20:07 < jacob11> I think the problem is in ROUTE_GATEWAY as it is not public
20:08 -!- delete [~delete@fedora/delete] has joined #openvpn
20:08 < delete> hi, I need some help
20:08 < delete> I am traying to route trough an openvpn server and I cannot get it to work
20:09 < delete> traceroute gets to the other side of the VPN and dies
20:09 < delete> this is the routing table of the client
20:09 < delete> http://pastebin.com/TDFR7gLU
20:10 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
20:11 < delete> the openvpn server has port forwarding enabled
20:11 < delete> firewall is off
20:15 -!- u0m3 [~u0m3@92.80.115.60] has quit [Read error: Connection reset by peer]
20:16 <@ecrist> jacob11: 
20:16 <@ecrist> !goal
20:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:17 < jacob11> i would like to route traffic through vpn tunnel ecrist
20:17 <@ecrist> delete: generally, to route internet traffic through openvpn, your vpn server needs to NAT the vpn traffic out to the internet
20:17 <@ecrist> jacob11: that's way too vague
20:17 <@ecrist> that's the whole point of EVERY vpn
20:18 <@ecrist> jacob11: your log seems to indicate you're to running openvpn as an admin
20:18 <@ecrist> or root, in this case, despite the sudo
20:18 < jacob11> i want to be able to route my clients internet traffic through vpn, is that more clear?
20:18 <@ecrist> turn up the verbosity on your logs to 4
20:18 <@ecrist> jacob11: ah, that's very clear
20:19 < delete> ecrist: I just added 'iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE'
20:19 < delete> that is my network
20:19 < delete> eth0 is the internet
20:19 < delete> still no luck
20:19 < jacob11> ecrist: if I try to run it as user (without sudo) I get Options error: --key fails with '/etc/openvpn/server.key': Permission denied
20:20 -!- pjschmit1 [~parker@209.141.56.12] has quit [Changing host]
20:20 -!- pjschmit1 [~parker@unaffiliated/schmitt953] has joined #openvpn
20:20 <@ecrist> delete: you need to enable the ip_foward sysctl
20:20 < delete> ecrist: yes, it is in 1
20:20 <@ecrist> !configs
20:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:21 <@ecrist> that configs line applies to both of you
20:21 < delete> ok
20:22 < pekster> jacob11: If you haven't seen it:
20:22 < pekster> !redirect
20:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:23 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:23 <@ecrist> hola, pekster 
20:23 < jacob11> here you go with verbose 4 http://pastie.org/8696221 , here is my client ovpn: http://pastie.org/8696218 and here is server.conf http://pastie.org/8696223
20:23 < delete> ecrist: http://pastebin.com/VUMABTbb
20:24 <@ecrist> jacob11: you don't follow directions well
20:24 < jacob11> sorry I pasted it before I saw "with comments removed"
20:24 <@ecrist> please fix. :)
20:25 < jacob11> here you go server.conf http://pastie.org/8696226
20:26 <@ecrist> delete: logs?
20:26 < jacob11> I cannot even see client hits in openvpn logs
20:26 < jacob11> log is here http://pastie.org/8696221
20:27 <@ecrist> jacob11: with the server running, I need to see a client connection for the log to be useful
20:27 < jacob11> ROUTE_GATEWAY is set to private IP. on my other server I have the same config but it is set on public IP, I am not sure if that has something to do with it
20:28 < jacob11> as I told you I cannot see clients trying to connect in logs!
20:28 <@ecrist> then they're not connecting. :)
20:28 <@ecrist> make sure your firewall is allowing the connections
20:28 < delete> ecrist: http://pastebin.com/Z8fRfMAq
20:29 <@ecrist> delete: it looks like your client config used to be a server config and you just started mashing config options together
20:29 <@ecrist> use jacob11's server config as an example to start
20:29 <@ecrist> and create a coinciding client config
20:29 <@ecrist> also
20:29 <@ecrist> !tcp
20:29 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
20:30 < jacob11> try using tun instead of tap delete
20:30 < delete> I cannot avoid tcp
20:30 <@ecrist> that's just a device, as long as it's the same on both ends, it'll work, but mobile devices don't have tap at all
20:31 < delete> what options should I remove?
20:31 <@ecrist> start with jacob11's server config as a comparison
20:32 < jacob11> I checked my firewall and it allows all traffic I am not sure why it is not connecting. I just have to use "remote IP PORT" in clients ovpn?
20:33 <@ecrist> make sure your clients are using the right protocol
20:33 <@ecrist> udp/tcp
20:33 <@ecrist> and address class (ipv4/ipv6)
20:33 < pekster> tcpdump on the server to see if the destination (your server) is even getting packets. If not it's either a misconfiguration (bad port/proto/host) or a firewall
20:34  * ecrist poofs
20:35 < jacob11> tcpdump on tun0 or eth iface?
20:37 < jacob11> tried tcpdump port 1194 and still no hits
20:39 < jacob11> can I use numeral IP with "remote" line in client's ovpn?
20:40 < pekster> Sure, but if your DNS is screwed up you should fix it
20:40 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
20:40 < pekster> If you have "no success" tcpdumping, then you've done it wrong. Maybe you got no results, which is different (see above)
20:40 < pekster> !tcpdump
20:40 <@vpnHelper> "tcpdump" is (#1) tcpdump is a great troubleshooting tool (Wireshark or the tshark.exe CLI tools for Windows.) To start, try a syntax like `tcpdump -pni ifWhatever` or (#2) You can also add filters to the command, like 'icmp' or 'udp port 1194' and the like. Consult the tcpdump docs for details.
20:43 < jacob11> well the IP is live, I connected to the VPS via ssh so ovpn should recognize it
20:43  * pekster sighs
20:43 < pekster> Then you clearly have things under contol. Go fix whatever is broken.
20:44 < jacob11> I would but I am not sure what is broken, that's what I am trying to figure out
20:44 < pekster> So maybe do what I asked instead of telling me about worthless things like ssh
20:45 < pekster> Watch for the _VPN_ traffic on your physical interface
20:45 < pekster> If you don't see it, your client is not sending data that reaches your server
20:45 < pekster> If you do (but get no openvpn logs) then you've misconfigured your firewall
20:45 < pekster> This distinction is _important_, and you're more interested in telling me about how "live" the IP is and how ssh works. None of that is helpful
20:47 < jacob11> I already told you the client does not hit the server
20:47 < jacob11> I also told you I added firewall rule which allows all traffic on the server
20:48 < jacob11> it looks like the client does not see IP as "live" but it is obviously since I can connect on ssh. that was what I meant
20:51 < pekster> No clue what "seeing the IP as live" means
20:52 < pekster> Either packets are being sent to the wrong IP (or protocol) or there is some firewall between the client and server (inclusive) that is at fault
20:52 < pekster> Try nmap with the --trace flag for hints. ref nmap(1) for details
20:54 < jacob11> that's strange, there is no openvpn port in nmap
20:59 -!- novaflash_away is now known as novaflash
21:00 < jacob11> on my other server, where openvpn is running fine I get 1194/tcp closed unknown
21:02 < pekster> That's not how trace works
21:02  * pekster shrugs
21:03 < pekster> Maybe `nmap -sU -p 1194 -P0 --trace -n your.host.here`
21:03 < pekster> nmap(1) is your friend if you're new to standard network diagnostic tools
21:05 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
21:05 -!- Neytiri [~The_Acid_@2001:470:860d:127::219] has joined #openvpn
21:06 < jacob11> hmm I couldn't find --trace in --help, but I got 1194/udp open|filtered openvpn
21:06 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:07 < pekster> You're not trying very hard
21:07 < pekster>      --traceroute (Trace path to host) .
21:07 < pekster>            Traceroutes are performed post-scan using information from the scan results to
21:07 < pekster>            determine the port and protocol most likely to reach the target. It works with all
21:07 < pekster>            scan types except connect scans (-sT) and idle scans (-sI). All traces use Nmap's
21:07 < pekster>            dynamic timing model and are performed in parallel.
21:07 < pekster> !read
21:07 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
21:09 < jacob11> obviously, i suspected traceroute was same as trace
21:10 < pekster> And if you tried the _exact_ command I gave you (replacing the host) you'd see it works
21:11 < pekster> I don't have time to play these games. Maybe someone else has time to deal with it tongiht
21:13 -!- booo [~booo__@84.189.140.18] has quit [Ping timeout: 272 seconds]
21:14 < jacob11> this is log on client size http://pastie.org/8696325
21:14 <@Eugene> pekster - I don't even have the time to determine which of my /ignores the guy matches. I'm guessing gateway/*
21:14 <@Eugene> I /do/ have time for
21:14 <@Eugene> !beer
21:14 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
21:15 -!- booo [~booo__@p54BD8CF9.dip0.t-ipconnect.de] has joined #openvpn
21:15 < pekster> Well no shit dude
21:16 < pekster> Tue Feb 04 04:13:40 2014 Cannot load inline certificate file: error:0906D06C:PEM routines:PEM_read_bio:no start line
21:17 -!- jeev [~j@162.248.241.234] has joined #openvpn
21:17 -!- jeev [~j@162.248.241.234] has quit [Client Quit]
21:17 < pekster> Apparenly Yet Another "average" web gateway user Eugene: uid22180@gateway/web/irccloud.com/x-iatlgovsntwvoabv
21:18 <@Eugene> Yup, definitely not worth caring about.
21:18 < jacob11> whats wrong with that?
21:18 < pekster> YOUR FUCKING INLINE CERT CAN'T BE READ
21:18 < jacob11> with web gateway user?
21:18 < pekster> Is this RAELLY so hard?
21:18 < pekster> Well, your reading comprehension for one
21:18 < jacob11> no pekster i wasnt referring to that
21:18 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
21:18 < pekster> Your inability to read a 10 line log file
21:18 < pekster> And probably others
21:18 < jacob11> I posted client config it does not have inline cert
21:18 < jacob11> take a look at it
21:18 < pekster> Oh, and the topic
21:18 < pekster> !as
21:18 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:18 < pekster> You're in the wrong channel for AS stuff
21:19 < pekster> This is a FOSS support channel; we don't support commercial products
21:19 < jacob11> I cannot connect from other vps either with your FOSS
21:20 < pekster> OpenVPNAS 2.1.1oOAS Win32-MSVC++ [SSL] [LZO2] built on Jul 29 2010
21:20 < pekster> No clue what you want #openvpn to do about that
21:21 < pekster> !download
21:21 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
21:21 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
21:21 < jacob11> that's the client I am currently trying to connect to openvpn
21:21 < pekster> Then use a client we support
21:21 < jacob11> i am also trying to connect from my other vps
21:21 < jacob11> and no luck
21:23 < jacob11> here you go, same from the FOSS openvpn http://pastie.org/8696337
21:23 < pekster> Bad cert file
21:23 < pekster> It's not a PEM x.509 file
21:24 < pekster> And no, that's not the same thing
21:24 < delete> ecrist: thanks, got it working after recreating configs from scratch
21:25 < jacob11> I'll try with new ones
21:25 < pekster> It's not even a cert file is the problem
21:25 < pekster> `openvpn x509 -in yourCertHere.crt -noout -text` will return the same code. It's missing the ASCII-armored start line for PEM files
21:27 < Neytiri> hi i am havinga issue getting a open vpn client setup on a debain box, the server side is a pfsense2.1 box
21:28 < jacob11> pekster: openssl*
21:28 < pekster> Yes, that
21:29 < Neytiri> can someone guide me to the right way to setup the client side
21:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:32 < pekster> Neytiri: You should have used the official !howto samples as the basis for your configs and match your client directives to your server setup
21:33 < Neytiri> where can i find those
21:33 < pekster> !howto
21:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:33 -!- g0z [gauze@bitchx/distort/g0z] has left #openvpn []
21:33 < Neytiri> i iwll look it over and come back if i have questions
21:34 < pekster> The included samples have many comments you should find most helpful
21:36 < Neytiri> jsut glancing that over leaves me more confused then i was before hand
21:40 < Neytiri> here is the log and the configuration file
21:40 < Neytiri> http://pastebin.com/1rNEknNq
21:41 -!- joshh20 is now known as joshh20-Away
21:41 < pekster> !configs
21:41 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:41 < pekster> You're missing the "other" config
21:41 < Neytiri> other config?
21:42 < Neytiri> i dont have access to the server config
21:43 < pekster> Then you should contact the vendor of the appliance you're using for support
21:43 < Neytiri> the server side is strup and fucntioning propelrt
21:44 < Neytiri> and i can connect if i use the client on my pfsense router, but i dontwant ot use my pfsense router as the client
22:34 < Neytiri> ok. i managed to get my client connected, how do i get it to send all its traffc EXCEPT the traffic connecting it to the vpns server through te link
23:28 -!- lj [~l@adsl-99-74-1-11.dsl.peoril.sbcglobal.net] has joined #openvpn
23:32 <@Eugene> !redirect
23:32 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
23:32 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:41 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Read error: No route to host]
23:41 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
23:53 < Neytiri> thanks the isuse was the ip fowatrding
--- Day changed Tue Feb 04 2014
00:01 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:01 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Client Quit]
00:03 -!- lvv [~loganaden@196.1.0.29] has joined #openvpn
00:12 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:17 -!- lj [~l@adsl-99-74-1-11.dsl.peoril.sbcglobal.net] has quit [Quit: Leaving.]
00:32 -!- volnukhin [~ka4ok@141.0.170.169] has joined #openvpn
00:32 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has joined #openvpn
00:32 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has joined #openvpn
00:32 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
00:33 -!- vvinothkumar [~vinothkum@122.167.94.67] has joined #openvpn
00:33 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
00:33 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
00:34 -!- lordnikkon is now known as Guest86291
00:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-qacybxojuklptoaf] has quit [Disconnected by services]
00:34 -!- ernetas_ [~Ernestas@162.243.113.169] has joined #openvpn
00:34 -!- thoraxe_ [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
00:34 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
00:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-hitjonswetkfufno] has joined #openvpn
00:37 -!- liriel_ [~liriel@198.154.114.106] has joined #openvpn
00:37 -!- i7c_ [~i7c@80-69-77-233.colo.transip.net] has joined #openvpn
00:38 -!- Netsplit *.net <-> *.split quits: thoraxe, Eagleman7, kantlivelong, ernetas, rkantos, Bretos1, rustem, pjschmit1, i7c, fejjerai,  (+7 more, use /NETSPLIT to show all of them)
00:38 -!- i7c_ is now known as i7c
00:38 -!- liriel_ is now known as liriel
00:39 -!- Netsplit over, joins: kantlivelong
00:42 -!- rkantos [robin@4e.fi] has joined #openvpn
00:44 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
00:45 -!- rtur2 [~rtur@212.224.92.143] has joined #openvpn
00:45 -!- Bretos1 [~Bretos@vps.tyborek.pl] has joined #openvpn
00:48 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
00:53 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has joined #openvpn
01:05 -!- Neytiri [~The_Acid_@2001:470:860d:127::219] has quit [Quit: Leaving]
01:13 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 265 seconds]
01:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:25 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:34 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 272 seconds]
01:55 < vvinothkumar> Why openvpn clients and server has two ip addresses, local and peer?
01:56 < vvinothkumar> http://pastebin.com/KJm6Ueru
01:58 -!- visavi [~visavi@77.49.139.58.dsl.dyn.forthnet.gr] has joined #openvpn
02:07 <@plai> !p2p
02:07 <@vpnHelper> "p2p" is "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
02:07 <@plai> hm
02:07 <@plai> !topology
02:07 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
02:08 <@plai> look at the url
02:08 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:08 -!- mode/#openvpn [+o mattock1] by ChanServ
02:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-hitjonswetkfufno] has quit [Ping timeout: 272 seconds]
02:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-yndpqrlhcisanjty] has joined #openvpn
02:32 -!- mike25ro [~mmolnar@217.110.231.246] has joined #openvpn
02:33 < mike25ro> hey guys ... i have a small favour to ask: can anyone tell me if it is possible to make a custom install + GUI of OpenVPN? I want to use Autoit(since i am used to it) and create a custom GUI with my logo and some extra options (download keys etc) Can anyone put me on the right direction? THANKS GUYS
02:39 -!- i7c [~i7c@80-69-77-233.colo.transip.net] has quit [Changing host]
02:39 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
02:43 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
02:46 -!- visavi [~visavi@77.49.139.58.dsl.dyn.forthnet.gr] has left #openvpn []
02:48 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
02:48 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
02:49 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
02:49 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
02:50 -!- cdown [~chris@chrisdown.name] has joined #openvpn
02:57 < cdown> I have set up OpenVPN 2.2.1 on Debian Wheezy. It works just fine, except DNS queries do not work, even when pushing DNS servers through the configuration. I have even set up a forwarder listening on the TUN interface of the server and configured the client to query it, but this also times out, despite working for queries made from localhost. What might I be doing wrong?
02:57 < cdown> Config: http://sprunge.us/caYU
02:58 < cdown> Status: http://sprunge.us/ZJBH
02:59 < cdown> Demonstration that the DNS forwarder works: http://sprunge.us/PYii
03:00 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
03:08 <@plai> you need some extra scripts or such to really have dns configured from teh VPN
03:08 <@plai> !resolvconf
03:08 <@plai> !search resolvconf
03:08 <@vpnHelper> There were no matching configuration variables.
03:09 <@plai> !search resolv
03:09 <@vpnHelper> There were no matching configuration variables.
03:09 < cdown> resolv.conf is populated correctly on the client
03:09 <@plai> err, no idea about Debian
03:09 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:09 < cdown> It gets the correct DNS server on the client, at least. I tried with external DNS, and the forwarder on the same server hosting OpenVPN, and both time out.
03:09 < cdown> Despite being able to ping the machines serving both.
03:12 < cdown> '/whois plai
03:12 < cdown> Er, whoops.
03:12 < cdown> That'll teach me to /whois everyone...
03:12 < cdown> Sorry.
03:12 <@plai> Cr4zi3: that is me!
03:12 -!- mode/#openvpn [-o plai] by plai
03:13 < plai> try using tcpdump to figure out what is going on
03:13 < cdown> Annoyingly, the client is a Chromebook
03:13 < plai> try tcpdump on the server at least
03:14 < cdown> Yeah, sure
03:15 < cdown> 0 packets shown
03:15 < cdown> So I guess they don't even get there.
03:17 < cdown> Hmm.
03:17 < cdown> I see packets going to the OpenVPN port when that happens. The client contacts port 1194, which responds.
03:17 < cdown> But nothing goes to port 53.
03:20 < cdown> Here's the dump: http://sprunge.us/aWOi
03:20 < cdown> It doesn't look very informational.
03:29 -!- mitz_ [~mitz@rt.miraclelinux.com] has quit [Quit: WeeChat 0.4.2]
03:31 < plai> yeah
03:31 < plai> look inside the tunnel
03:31 < plai> tcpdump -i tunwhatever
03:33 < cdown> One moment, the guy has run off with the client...
03:36 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
03:37 -!- kalloc_ [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
03:38 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
03:40 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
03:40 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
03:42 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
03:45 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
03:51 < cdown> plai: http://sprunge.us/DNEY
03:52 < cdown> That is while attempting to resolve freenode.net
03:52 < cdown> That looks like it contacts :53, right?
03:52 < cdown> (I really should have used -n.)
03:53 < cdown> Looks like 10.8.0.1 never responds?
03:54 -!- kalloc_ is now known as kalloc
03:54 < plai> yeah
03:55 -!- kalloc [~kalloc@stmdev.ru] has quit []
03:55 < cdown> That's odd. dnsmasq is definitely listening there.
03:55 < plai> figure that out :)
03:55 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
03:55 < plai> why it does not respond
03:55 < cdown> I can do another with external DNS, if that would help?
03:55 < cdown> Since that also does not work
03:55 < cdown> (And was the reason for trying dnsmasq locally in the first place)
03:55 < plai> yeah
03:55 < plai> that is some nat/firewall/routing problem you have
03:56 < plai> !routing
03:56 < plai> !nat
03:56 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
03:56 < plai> hm
03:56 < cdown> That would not surprise me, this is running inside a virtualized container
03:56 < cdown> But I thought I set up PRE/POSTROUTING tables correctly, huh.
03:57 < cdown> Surely if it was a NAT problem I wouldn't be able to access the Internet at all, though?
03:57 < cdown> As it is, I can ping Internet addresses just fine, just not resolve DNS
03:57 < cdown> HTTP also works when no DNS resolution is performed
03:57 < plai> check that with tcpdump on your interfaces
03:58 < plai> All I am saying is that openvpn probably works fine and your problem is elsewhere
03:58 < cdown> Yeah, I don't doubt that much.
03:58 < cdown> :-)
03:59 < plai> And I have no idea about these linxu virtualized containers
03:59 < cdown> They're a mess, sadly.
03:59 < cdown> I just am confused that other things can traverse the NAT, just not DNS.
04:02 < cdown> aha! http://sprunge.us/WEGA
04:03 < cdown> "udp port 53 unreachable"
04:06 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:06 < cdown> That looks like a NAT problem of some kind, indeed...
04:14 -!- bs0d [~bs0d@84.50.244.39] has joined #openvpn
04:15 < bs0d> Hello. Is it possible to configure openvpn's dhcp server to assign IP addresses which are somehow bound to user authentication certs? I need to assign each user a dedicated IP, which could be derived somehow from the auth cert he is using. Is such a feature possible?
04:16 < mike25ro> hey guys ... i have a small favour to ask: can anyone tell me if it is possible to make a custom install + GUI of OpenVPN? I want to use Autoit(since i am used to it) and create a custom GUI with my logo and some extra options (download keys etc) Can anyone put me on the right direction? THANKS GUYS
04:24 < cdown> !openvznat
04:24 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP> or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
04:37 < cdown> plai: !openvznat #1 works great. I should have read that factoid, I guess :-)
04:38 < cdown> Thanks for the help :-)
04:48 -!- bs0d [~bs0d@84.50.244.39] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
05:03 -!- mchou [~quassel@unaffiliated/mchou] has quit [Remote host closed the connection]
05:03 <@mattock1> mike25ro: yes, it's possible, check out https://github.com/OpenVPN/openvpn-build
05:03 <@vpnHelper> Title: OpenVPN/openvpn-build · GitHub (at github.com)
05:04 <@mattock1> instructions here: https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem
05:04 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
05:11 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
05:23 -!- cdown [~chris@chrisdown.name] has quit []
05:45 -!- dazo_afk is now known as dazo
05:46 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
05:46 -!- matsh [divine@nanogene.org] has joined #openvpn
05:56 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: No route to host]
05:57 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
06:07 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
06:07 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
06:13 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:13 -!- mode/#openvpn [+o mattock1] by ChanServ
06:19 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:21 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
06:24 -!- omri [~omrib@unaffiliated/omri] has joined #openvpn
06:25 < omri> is there a way to get the status file show usernames? I'm not using client certificates
06:29 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 252 seconds]
06:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
06:29 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
06:41 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
06:54 -!- Guest96783 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: Connection reset by peer]
06:55 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
06:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
06:55 -!- Guest43033 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
06:59 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
07:22 -!- JackWinter_ [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
07:24 -!- dextro_ [d179e1f7@gateway/web/cgi-irc/kiwiirc.com/ip.209.121.225.247] has joined #openvpn
07:25 < dextro_> Tue Feb  4 06:24:57 2014 us=255926 client-hs/209.121.225.247:15365 MULTI: bad source address from client [fe80::751e:8a8:bd27:9cd2], packet dropped
07:25 < dextro_> Tue Feb  4 06:24:57 2014 us=255926 client-hs/209.121.225.247:15365 MULTI: bad source address from client [fe80::751e:8a8:bd27:9cd2], packet dropped
07:25 < dextro_> Tue Feb  4 06:24:57 2014 us=255926 client-hs/209.121.225.247:15365 MULTI: bad source address from client [fe80::751e:8a8:bd27:9cd2], packet dropped
07:25 < dextro_> Tue Feb  4 06:24:57 2014 us=255926 client-hs/209.121.225.247:15365 MULTI: bad source address from client [fe80::751e:8a8:bd27:9cd2], packet dropped
07:25 < dextro_> Tue Feb  4 06:24:57 2014 us=255926 client-hs/209.121.225.247:15365 MULTI: bad source address from client [fe80::751e:8a8:bd27:9cd2], packet dropped
07:26 < dextro_> sorry this irc client is retarded
07:26 < dextro_> one of my clients is load balancing over 6 wans
07:26 < dextro_> how do i stop these messages and allow 'bad source addresses'
07:27 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
07:27 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
07:37 < dextro_> does --float work on server sounds like a client option
07:37 -!- vvinothkumar [~vinothkum@122.167.94.67] has quit [Ping timeout: 272 seconds]
07:41 -!- vvinothkumar [~vinothkum@122.167.94.67] has joined #openvpn
07:50 < plai> dextro_: it is only client
07:51 < plai> openvpn multi client server cannot handle clients with changing ips without reconnect
07:54 -!- Darkstar1 [~lanre@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has joined #openvpn
07:57 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:58 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
08:02 -!- vvinothkumar [~vinothkum@122.167.94.67] has quit [Ping timeout: 250 seconds]
08:03 -!- takamichi [~takamichi@85.12.8.104] has quit [Read error: Connection reset by peer]
08:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:10 < dextro_> so i should use tcp
08:10 < dextro_> not udp
08:11 < dextro_> udp gets send out random wan
08:11 < dextro_> is it all over one tcp connection?
08:11 -!- dextro_ [d179e1f7@gateway/web/cgi-irc/kiwiirc.com/ip.209.121.225.247] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
08:15 < mike25ro> mattock thanks
08:26 -!- Darkstar1 [~lanre@LMontsouris-656-01-04-149.w80-12.abo.wanadoo.fr] has quit [Quit: Darkstar1]
08:26 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 240 seconds]
08:27 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
08:27 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
08:32 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 250 seconds]
08:33 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:40 < kcodyjr> dextro_ has an ipv6 problem, not an openvpn problem. fe80:: shouldn't be getting routed. those error messages are legit.
08:51 < plai> oh right
08:51 < plai> I was too focused on the float for server question
09:00 -!- lvv [~loganaden@196.1.0.29] has quit [Quit: lvv]
09:00 -!- master_o1_master [~master_of@p4FF248A9.dip0.t-ipconnect.de] has joined #openvpn
09:03 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
09:04 -!- master_of_master [~master_of@p4FF24E35.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
09:04 -!- lj [~l@192.241.174.169] has joined #openvpn
09:10 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 246 seconds]
09:17 -!- lj [~l@192.241.174.169] has joined #openvpn
09:36 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 264 seconds]
09:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:37 -!- Bretos1 is now known as Bretos
09:38 -!- ferai [~quassel@kde/mitchell] has quit [Ping timeout: 252 seconds]
09:38 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
09:46 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 246 seconds]
10:00 -!- mike25ro [~mmolnar@217.110.231.246] has quit [Quit: Leaving.]
10:02 -!- JustSigh1udes [~Anon@184.73.255.80] has left #openvpn []
10:11 <@krzee> dextro seems to have left, but ya his problem was some misconfigured app was sending stuff out with the wrong source
10:14 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
10:16 -!- delete [~delete@fedora/delete] has left #openvpn []
10:19 -!- ngharo_ is now known as ngharo
10:28 -!- EmperorTom [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
10:29 -!- EmperorTom is now known as _quadDamage
10:37 -!- exa_ [~exa@v22013091132414614.yourvserver.net] has quit [Quit: exa_]
10:38 -!- exa [~exa@v22013091132414614.yourvserver.net] has joined #openvpn
10:38 -!- exa [~exa@v22013091132414614.yourvserver.net] has quit [Changing host]
10:38 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
10:41 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
10:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:50 -!- kirin` [telex@gateway/shell/anapnea.net/x-yndpqrlhcisanjty] has quit [Ping timeout: 272 seconds]
10:52 -!- fejjerai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
11:02 -!- kirin` [telex@gateway/shell/anapnea.net/x-zqlvekzdpspvkpqe] has joined #openvpn
11:09 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
11:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:21 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Excess Flood]
11:21 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
11:34 -!- lj [~l@192.241.174.169] has joined #openvpn
11:40 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
11:45 -!- stickpin_ [~b@173.244.215.195] has quit [Read error: Connection reset by peer]
11:45 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Read error: Operation timed out]
11:45 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Read error: Operation timed out]
11:45 -!- sHockz_ [~shockz@zenofex.com] has quit [Read error: Operation timed out]
11:46 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 252 seconds]
11:46 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Ping timeout: 245 seconds]
11:46 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Read error: Operation timed out]
11:46 -!- stickpin [~b@173.244.215.195] has joined #openvpn
11:46 -!- sHockz [~shockz@zenofex.com] has joined #openvpn
11:46 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
11:47 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
11:48 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has joined #openvpn
11:48 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
11:53 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Excess Flood]
11:55 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
11:56 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
12:09 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
12:10 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
12:10 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
12:10 < kwork> hello, anyone noticed that udp based openvpn server doesnot check expiration of ssl cert ?
12:11 <@Eugene> It definitely does.....
12:11 <@Eugene> !logs
12:11 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:11 < kwork> by default ?
12:11 <@Eugene> If you're doing cert checking, yes.
12:12 < kwork> so if i have ca/cert/key/crl-verify set that should be all ?
12:12 < pekster> revocation & expiration are different concepts
12:12 < kwork> so what should my configuration include to include expiration aswell ?
12:12 < pekster> Nothing; you get that for free with openssl. Just set your local clock correctly (ntp is recommended)
12:13 < kwork> okey ty, guess i messed something up with the cerst then
12:13 < pekster> `openssl x509 -in your-cert-here.crt -noout -text` should give clues
12:13 < kwork> the cert was expired alright, no idea how it worked with udpb
12:13 < kwork> but ill doublecheck the cert used on the udp
12:14 < kwork> most likely just mixed the certs and took some old one
12:24 -!- kalloc_ is now known as kalloc
12:27 < kcodyjr> possibly there's systemwide defaults being applied to openssl?
12:58 -!- soapee01_ is now known as soapee01
12:59 -!- zakfield [~zakfield@unaffiliated/zakfield] has joined #openvpn
13:00 < zakfield> Hello there, please can anyone tell me how can i bind to a local udp port ?
13:02 <@krzee> i believe its --lport
13:02 <@krzee> or --port depending on exactly what you want
13:03 <@krzee> !man
13:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:05 < zakfield> krzee, vpnHelper thank you even though i've already tried that, i'm definitely missing smth
13:06 <@krzee> you looking to set the outbound port of the client?
13:07 < zakfield> krzee: yes exactly
13:07 <@krzee> post your client config'
13:07 <@krzee> !configs
13:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:07 <@krzee> no comments like that ^
13:09 < zakfield> unfortunately i don't have access to it right now, but the thing is i want to use a UDP port to pass through all of my trafic. this is it
13:14 < zakfield> !goal
13:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:27 -!- Guest43033 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: Connection reset by peer]
13:28 -!- Guest62667 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
13:30 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Excess Flood]
13:31 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
13:32 -!- zakfield [~zakfield@unaffiliated/zakfield] has quit [Excess Flood]
13:32 -!- zakfield [~zakfield@41.104.199.164] has joined #openvpn
13:47 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 264 seconds]
13:50 -!- elfixit [~Icedove@dhcp-129-154.office.init7.net] has joined #openvpn
13:50 -!- zakfield [~zakfield@41.104.199.164] has quit [Changing host]
13:50 -!- zakfield [~zakfield@unaffiliated/zakfield] has joined #openvpn
13:51 -!- zakfield [~zakfield@unaffiliated/zakfield] has left #openvpn ["Leaving"]
13:52 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:54 -!- Guest62667 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: No route to host]
14:03 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:04 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 258 seconds]
14:04 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 258 seconds]
14:05 -!- fred`` [fred@earthli.ng] has joined #openvpn
14:05 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
14:08 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
14:09 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
14:20 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:20 -!- kalloc [~kalloc@stmdev.ru] has quit []
14:25 -!- elfixit [~Icedove@dhcp-129-154.office.init7.net] has quit [Ping timeout: 272 seconds]
14:27 -!- elfixit [~Icedove@dhcp-129-154.office.init7.net] has joined #openvpn
14:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:54 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
14:55 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
14:55 -!- joshh20-Away is now known as joshh20
15:00 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 272 seconds]
15:01 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
15:11 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 242 seconds]
15:12 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
15:20 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
15:20 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 246 seconds]
15:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:26 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
15:29 -!- fejjerai [~quassel@kde/mitchell] has quit [Excess Flood]
15:29 -!- ferai [~quassel@kde/mitchell] has quit [Ping timeout: 245 seconds]
15:30 -!- dazo is now known as dazo_afk
15:31 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
15:32 -!- keithzg [~keithzg@184.70.164.246] has joined #openvpn
15:33 < keithzg> !paste
15:33 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
15:33 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
15:37 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:47 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 250 seconds]
15:52 < keithzg> *sigh* this Chromebook is giving me a hell of a time trying to get it on OpenVPN. ChromeOS via the GUI insists I need to enter a password (and when I created new credentails that do have one, it insisted I was wrong), and via the shell it complains about tun0 not existing: http://pastebin.kde.org/pdoiuc4ga
15:54 < keithzg> Booting into Kubuntu instead it just...does nothing when trying to connect via the GUI (but hell, I'm willing to blame that entirely on the NetworkManager frontend being used) and then via the commandline it seems to connect fine (and indeed shows up as connected on the server side) but cannot resolve anything anywhere.
15:57 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
15:59 < kcodyjr> just a random thought. did you forget the "route" directive on the server that installs the vpn's namespace into the server's kernel routing table?
15:59 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 272 seconds]
16:00 -!- ferai [~quassel@kde/mitchell] has quit [Excess Flood]
16:00 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
16:00 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:01 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
16:03 < keithzg> kcodyjr: Just checked, naw, | push "route 10.1.0.0 255.255.0.0" | is there. Worth mentioning that not only does the VPN work generally for other folks, it in fact works perfectly fine with the exact same config file (and keys and certs) if I use the Android client.
16:04 < keithzg> And I've gotten it working on desktop Linux before, just haven't bothered with that in a while (didn't really have a laptop and mostly I just ssh/mosh in when I'm at home).
16:06 < kcodyjr> no. not the push.
16:06 < kcodyjr> but that it works for others is telling.
16:07 < kcodyjr> sounds like a local firewall issue, though. does "ifconfig -a" reveal the tunnel interface is calling itself something other than tun0?
16:08 < keithzg> Naw, just eth0, lo and wlan0 (on ChromeOS, which is what I'm booted into right now).
16:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:16 < keithzg> Not to confuse matters but here's the output of openvpn in the shell on Kubuntu 13.10, alongside the output of ifconfig (which in this case DOES show tun0---only problem here seems to be resolution, since I just tried pinging one of the servers while connected on Kubuntu 13.10 and I get a response using the actual IP). http://pastebin.kde.org/pezskqmwn
16:16 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 246 seconds]
16:18 < keithzg> So two very different problems, I guess; on ChromeOS unable to create and/or use tun0 for some reason, and on Kubuntu 13.10 the more prosaic issue of name resolution only.
16:18 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
16:19 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 250 seconds]
16:21 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 246 seconds]
16:22 -!- maskedlua_ is now known as maskedlua
16:26 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
16:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:47 < keithzg> So . . . is there a way to specify *just* the nameserver in the client config without having specify the gateway and netmask and such? (which all seem to be working fine).
16:47 < keithzg> I'll admit I'm a bit confused by the format of the manual page.
16:48 < pekster> nameserver? You can't (directly) specify the nameserver period. Read about --dhcp-option for pushing "DHCP" style extensions, and !pushdns for how you need to handle them on non-Windows
16:50 < keithzg> pekster: Okay, then, so what is *supposed* to happen when connecting? How is the nameserver negotiated and set on the client? I mean, clearly something's going wrong somwhere along the line in that regard for me.
16:50 < pekster> That would be explained in the reference you haven't yet read
16:50 < pekster> !pushdns
16:50 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf you can try the update-resolv-conf script under the contrib/ source dir
16:51 < keithzg> Yeah, I had just read the --dhcp-option entry in the man page.
16:51 < keithzg> And I've tried calling the up script in /etc/openvpn/update-resolv-conf, and it results in no change to /etc/resolv.conf.
16:54 < pekster> All that magic is at best a "contrib" script, or something your local distro provides
16:54 < pekster> The actual "resolvconf" contrib script is designed for systems that use resolvconf(8) to abstract the namserver. YMMV depending on how you have set up DNS
16:55 < keithzg> Well, "I" haven't set up anything other than trying to set up OpenVPN, heh. Literally the first thing I'm trying to do on this install.
16:56 < keithzg> I was assuming the /etc/openvpn/update-resolv-conf script was indeed teh contrib script referenced by #4 above.
16:56 < pekster> Sounds right
16:57 < pekster> !forget pushdns 4
16:57 <@vpnHelper> Joo got it.
16:57 < pekster> !learn pushdns as For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
16:57 <@vpnHelper> Joo got it.
16:58 < pekster> https://github.com/OpenVPN/openvpn/tree/master/contrib/pull-resolv-conf
16:58 <@vpnHelper> Title: openvpn/contrib/pull-resolv-conf at master · OpenVPN/openvpn · GitHub (at github.com)
16:59 < pekster> It's not really official, but it's provided by users and may be useful to a large set of interested people. "Some hacking may be required" if it doesn't do what you need
17:00 < keithzg> Well, in fact, it DOES seem to do what I want it to do, as soon as I stopped and actually read it, heh. Durrr.
17:04 -!- aji [~alex@dirt.ajitek.net] has quit [Changing host]
17:04 -!- aji [~alex@atheme/member/aji] has joined #openvpn
17:05 < keithzg> My copy looks a bit different, and mentions adding the script as both the up and the down script in my client config, which (once also enabling script-security 2) finally does the trick.
17:07 < pekster> Right, you need hooks to the --up & --down openvpn bits so the glue to do the OS-specific DNS tasks can go do what it needs
17:07 < pekster> Simple setups might know they can clobber resolv.conf, but that's rare these-days for almost 100% of clients (at the very least a DHCP client will compete for access.) That's why various abstraction methods exist to do the right thing
17:07 < pekster> resolvconf, dnsmasq, or (for mac) dnsctl are just some examples
17:10 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:35 < pekster> My lab PC parts just got dropped off. Nice and cold too given the weather :\
17:36 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Remote host closed the connection]
17:46 -!- Burgundy [~burgundy@188.25.138.38] has joined #openvpn
17:47 < pekster> #frozenstate :(
17:47 < pekster> keithzg: Get everything working?
17:47 -!- Burgundy [~burgundy@188.25.138.38] has quit [Remote host closed the connection]
17:52 < keithzg> pekster: In Kubuntu using the commandline openvpn, yeah; no luck yet with Kubuntu GUI or ChromeOS GUI or CLI.
17:52 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:53 -!- Burgundy [~burgundy@188.25.138.38] has joined #openvpn
17:54 < pekster> n-m does its own thing much of the time
17:55 < keithzg> Yeahhh. I've never been a huge fan of NetworkManager for that very reason.
17:55 < pekster> It's one of those tools that "magically works." Unless it doesn't
17:55 < Burgundy> Hello! Is there an option to specify which tap adapter a certain openvpn connection should use, from the client side? I'm running the windows client and would like to have several connections running at the same time and know which one is running on which adapter.
17:56 < pekster> fwiw, be careful with how it deals with DNS (not just with openvpn, in general I mean.) n-m as ubuntu sets it up uses a combination of resolvconf + dnsmasq + dbus, and that means you "must" use n-m to get your DNS settings. You cannot even query dnsmasq for it becuase there is no runtime config file or temporary files
17:56 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:56 < pekster> Burgundy: For Windows, you want --dev-node
17:56 < pekster> Note that the device (by name or CLSID) must have been created previously for this to work
17:57 < Burgundy> pekster: awesome, thanks, I'll look into the details of --dev-node
17:58 < pekster> IMO it's nicer to rename persistent taps to a name you know like tap_vpn1, but you can use "Local Area Connection 5" or w/e it gets created as (or the CLSID, if you like long strings of digits)
17:58 < pekster> --show-adapters is helpful on win32 too
17:58 < Burgundy> I've already done that, thanks for the suggetstion anyway.
18:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:05 -!- freeroute [~freeroute@de2x.mullvad.net] has joined #openvpn
18:07 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
18:08 -!- freeroute [~freeroute@de2x.mullvad.net] has left #openvpn []
18:17 -!- codile [codehero@irc.coding4coffee.org] has joined #openvpn
18:19 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
18:24 -!- tessier_ [~treed@kernel-panic/copilotco] has joined #openvpn
18:25 < tessier_> Hello all! I've inherited an OpenVPN setup and currently all of the users can connect without having to enter a password. How does OpenVPN normally handle passwords? Is there a hash kept on the server side or is it via encrypted private keys similar to ssh?
18:26 < pekster> What auth method are you using? Client-issued cert+key, username+password, or both?
18:38 -!- Auctus [~Auctus@unaffiliated/auctus] has joined #openvpn
18:39 < tessier_> Looks like just client-issued cert+key at the moment.
18:40 < tessier_> I don't see anything about authentication in /etc/openvpn/server.conf
18:42 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:46 < pekster> Then encrypt your client keys
18:47 < pekster> Once a client has a key the key can be re-encrypted (to set or re-set the passphrase) or remove the passphrase completely
18:48 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Remote host closed the connection]
18:48 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
18:50 -!- thoraxe_ is now known as thoraxe
18:55 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
18:57 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
19:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:03 -!- qwertyoruiop_ is now known as qwertyoruiop
19:04 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 265 seconds]
19:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:33 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:34 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:35 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
19:35 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
19:35 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:37 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 250 seconds]
19:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:12 -!- Gman32 [~Gman32@2607:5300:60:2b74::1] has quit [Quit: Headin Out...]
20:24 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:25 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
20:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:27 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 245 seconds]
20:39 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
20:41 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:43 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 245 seconds]
20:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:50 -!- keithzg [~keithzg@184.70.164.246] has quit [Remote host closed the connection]
20:53 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
21:04 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
21:07 -!- fred`` [fred@earthli.ng] has joined #openvpn
21:12 -!- Burgundy [~burgundy@188.25.138.38] has quit [Ping timeout: 250 seconds]
21:13 -!- booo [~booo__@p54BD8CF9.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
21:13 -!- booo_ [~booo__@p54BD8B8E.dip0.t-ipconnect.de] has joined #openvpn
21:14 -!- booo_ is now known as booo
21:16 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
21:19 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
21:20 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
21:21 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:23 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
21:27 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:40 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Ping timeout: 272 seconds]
21:41 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
21:41 -!- ferai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
21:41 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
21:42 -!- klein [~klein@187.85.164.120] has joined #openvpn
21:42 -!- klein [~klein@187.85.164.120] has quit [Changing host]
21:42 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
21:47 -!- joshh20 is now known as joshh20-Away
21:47 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
22:02 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
22:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
22:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:21 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Ping timeout: 252 seconds]
22:22 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
22:22 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 246 seconds]
22:22 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 252 seconds]
22:23 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
22:23 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
22:23 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Changing host]
22:23 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
22:24 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
22:26 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 250 seconds]
22:28 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
22:48 -!- Devastatr [~devas@177.18.198.183] has joined #openvpn
22:48 -!- Devastatr [~devas@177.18.198.183] has quit [Changing host]
22:48 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
22:50 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
22:51 -!- Devastatr is now known as Devastator
23:04 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
23:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
23:31 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
23:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:37 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Read error: Operation timed out]
23:37 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
23:38 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
23:38 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Remote host closed the connection]
23:38 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
23:39 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
--- Day changed Wed Feb 05 2014
00:08 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:11 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 265 seconds]
00:16 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
00:20 -!- NoobSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
00:21 -!- lvv [~loganaden@2001:4290:10:250:2597:fcfc:9bac:25d] has joined #openvpn
00:23 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 264 seconds]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:20 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:20 -!- mode/#openvpn [+o mattock1] by ChanServ
01:22 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:26 -!- ultra [~ed@unaffiliated/ultra] has quit [Ping timeout: 276 seconds]
01:31 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
01:31 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
01:31 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:28 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 246 seconds]
02:28 -!- dazo_afk is now known as dazo
02:49 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
03:03 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has joined #openvpn
03:04 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 265 seconds]
03:13 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 252 seconds]
03:21 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
03:54 -!- sunta [~cw@ip-37-201-155-37.unitymediagroup.de] has joined #openvpn
03:57 < sunta> good morning
04:01 < sunta> I am running openvpn-bridge to connect networkA and networkB. In addition I want to bridge another networkC with networkA. I cannot find examples and tried to add new tap1 to br0 and start the bridge without real success. are there anytutorials or caveats for such setup?
04:15 < sunta> seems i need to setup another bridge tap1->eth1=br1
04:19 -!- psycheye [~psycheye@93.49.16.11] has quit [Ping timeout: 264 seconds]
04:21 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
04:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
05:17 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Quit: leaving]
05:19 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 250 seconds]
05:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
05:23 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:24 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 245 seconds]
05:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:28 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 246 seconds]
05:29 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
05:30 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
05:30 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
05:30 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:54 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
05:55 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
06:15 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
06:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
06:25 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
07:03 -!- lvv [~loganaden@2001:4290:10:250:2597:fcfc:9bac:25d] has quit [Quit: lvv]
07:08 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:13 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
07:16 -!- takamichi [~takamichi@85.12.8.107] has quit [Read error: Operation timed out]
07:16 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
07:19 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:21 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
07:21 <@ecrist> sunta: you really shouldn't be bridging those networks, and should route them instead
07:23 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
07:25 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
07:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
07:26 < sunta> ecrist, thx. so far i used to bridge 2networks and route road-warriors. didn route 2networks so far
07:27 < Ulrar> Hi, I never used OpenVPN yet. I have a dedicated server with a single IPv4 and a /64 IPv6 on it, and I'd like to put OpenVPN to avoid the port restrictions I have here, and to get IPv6 at home. Is there a good tutorial somewhere to configure that ? All the things I find requires a /64 dedicated to OpenVPN, but I don't get why, that's just for my personal use, I don't need a lot of IPs
07:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:31 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 250 seconds]
07:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:34 < sunta> think i chose bridging once to have SIP-phones work on all sides
07:35 -!- defswork [~andy@141.0.50.105] has joined #openvpn
07:38 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
07:56 <@ecrist> you don't need bridging for SIP to function
07:58 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
07:59 < sunta> ecrist, I used routing for road-warrios so far only.
08:00 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 252 seconds]
08:01 -!- rkantos [~Name@4e.fi] has joined #openvpn
08:05 < sunta> ecrist, am I right to have openwrt connect my openvpn-server as road-warrior
08:10 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
08:22 -!- dazo is now known as dazo_afk
08:23 -!- sunta [~cw@ip-37-201-155-37.unitymediagroup.de] has quit [Quit: Verlassend]
08:33 -!- moparisthebest [~quassel@2001:470:1f11:88c::2] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
08:34 -!- mattock1 [~mattock@gprs-internet-bceee8-5.dhcp.inet.fi] has joined #openvpn
08:34 -!- mattock1 [~mattock@gprs-internet-bceee8-5.dhcp.inet.fi] has quit [Changing host]
08:34 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:34 -!- mode/#openvpn [+o mattock1] by ChanServ
08:48 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 265 seconds]
09:00 -!- master_of_master [~master_of@p4FF24A8B.dip0.t-ipconnect.de] has joined #openvpn
09:02 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:03 -!- master_o1_master [~master_of@p4FF248A9.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
09:05 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:17 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
09:19 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:23 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:25 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 272 seconds]
09:48 -!- kalloc [~kalloc@109.188.127.245] has joined #openvpn
09:50 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 260 seconds]
09:53 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
09:55 -!- rkantos [~Name@4e.fi] has quit [Remote host closed the connection]
09:56 -!- rkantos [robin@4e.fi] has joined #openvpn
10:10 -!- kalloc_ [~kalloc@195.94.251.75] has joined #openvpn
10:12 -!- kalloc_ [~kalloc@195.94.251.75] has quit [Read error: Connection reset by peer]
10:13 -!- kalloc_ [~kalloc@195.94.251.75] has joined #openvpn
10:14 -!- kalloc [~kalloc@109.188.127.245] has quit [Ping timeout: 245 seconds]
10:15 -!- kalloc_ [~kalloc@195.94.251.75] has quit [Read error: Operation timed out]
10:17 -!- kalloc [~kalloc@109.188.127.180] has joined #openvpn
10:20 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
10:28 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Quit: leaving]
10:44 < kcodyjr> Ulrar, i think i remember reading that it's Debian causing an interoperability problem if you pick something besides a /64. i can think of no reason, good or otherwise, that you couldn't delegate some subset of that.
10:46 < Ulrar> kcodyjr: Well I'm using gentoo, shouldn't be a problem
10:46 < kcodyjr> no, shouldn't. at this level just treat it like ipv4 and cut it in half.
10:47 < kcodyjr> that /64 is properly delegated to your dedicated server? then install it on the box as a /65 and give the other /65 to openvpn and call it a day.
10:47 < kcodyjr> if the dedicated server runs dynamic routing software you might think about adding a summary route just to be nice to your neighbors.
10:49 < kcodyjr> i haven't had a chance to play with ipv6 on openvpn yet personally, nowhere that i'm doing work has native ipv6 and i don't really want to get HE tunnels and such involved.
10:51 < Ulrar> I did that yeah, I'm trying with radvd
10:52 < kcodyjr> radvd would indeed have to run over bridging. don't play with that.
10:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
10:53 < kcodyjr> since i don't know personally... guys, does ipv6 use a net30 style subnet or does it use straight p2p over the tunnel?
10:55 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
10:56 < kcodyjr> anyway. you need at least 3 distinct subnet ranges. we can talk in a minute about the best way to carve up your /64 to achieve it. you need a normal ipv6 subnet for the dedicated server itself, a smaller one for the openvpn tunnel address space, and another for the subnet behind your home gateway.
10:56 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
10:56 < kcodyjr> if there is a real physical subnet behind the dedicated subnet, you will need a 4th.
10:57 < Ulrar> Just two /65 wouldn't work ?
10:58 < Ulrar> I read a howto where he uses just two subnet
11:01 < plai> subnets smaller than /64 loose the autoconf ability
11:02 < Ulrar> So I have to put static IPs somewhere ?
11:02 < Ulrar> I have no problem with that, just don't understand where
11:03 -!- brabo [brabo@globalshellz/owner/brabo] has quit [Quit: Lost terminal]
11:04 < Ulrar> I believe I can configure a script per user to give him his IP ?
11:07 < kcodyjr> nah. let openvpn deal with that. there's scripts out there for updating dynamic dns entries and i'm working on a better one.
11:07 < kcodyjr> ok here's one possible allocation plan. assuming you're willing to give up autoconf.
11:08 < kcodyjr> carve your /64 into four /66 blocks.
11:08 < kcodyjr> the first one, assign on the dedicated server as a real interface. not in openvpn.
11:09 < kcodyjr> the second, assign to the openvpn server. this is the tunnel space. use the "server-ipv6" or "ifconfig-ipv6" directives.
11:10 < kcodyjr> the 3rd, assign to your home subnet. in the openvpn server. assign it to your internal lan normally and then pretend you don't have it in the client side configuration file from now on.
11:11 < kcodyjr> on the openvpn server, use the client-config-dir option. in this client's config file, use an "iroute" directive. do not bother trying to assign it a static client ip.
11:11 < kcodyjr> oh. pardon me. i've made the assumptions that you're running the server in multi mode and have a client with a dynamic ip, and using certificate auth.
11:12 < kcodyjr> that said, your 4th /66 block is left open for other remote subnet(s). other non-routing clients can get what they need automatically from the tunnel space.
11:13 < Ulrar> If you are speaking about the IPv4 of the client, it's static almost everywhere but I guess it could be dynamic someday, some people still have that at home I guess
11:13 < Ulrar> But I generated certificates yeah
11:14 < kcodyjr> personally i prefer to treat almost-static like you get from the cable company as still being dialup-grade dynamic. that's being a pedant, yes, but it's the strict truth. for a geek's own home network, playing fast and loose is fine though.
11:15 < kcodyjr> and if one does not have a truly static ip at both ends, certificate auth becomes a necessity, and you might as well run the server in multi mode so it has room for your laptop to dial in from starbucks.
11:15 < Ulrar> ISP here almost all give static IPs now, but I guess best planning for the worst
11:15 < kcodyjr> a truly static ip at both ends lets you treat openvpn as a straight peer-peer encryptor, like other types of tunneling
11:16 < kcodyjr> simplifies the configuration drastically. but, you'd have to run another instance for your laptop. not worth it imo except in certain dedicated back-end situations.
11:16 < Ulrar> Okay, so my server now have a /66
11:17 < Ulrar> Let me look at the documentation for server-ipv6
11:20 < Ulrar> kcodyjr: Do you have a good tool or website to easly calculate the different subnets ?
11:24 -!- kalloc_ [~kalloc@195.94.251.75] has joined #openvpn
11:24 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
11:26 < kcodyjr> there must be a version of ipcalc for v6
11:26 < kcodyjr> lemme go emerge that
11:26 < Ulrar> found that : http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
11:26 <@vpnHelper> Title: IPv4/IPv6 subnet calculator and addressing planner (at www.gestioip.net)
11:27 -!- kalloc [~kalloc@109.188.127.180] has quit [Ping timeout: 245 seconds]
11:27 < Ulrar> kcodyjr: What do you meant by "assign to your home subnet", you mean in the server configuration ?
11:27 < kcodyjr> no. i mean in your home router's internal interface config.
11:27 < kcodyjr> just as though there was no tunnel involved.
11:28 < Ulrar> Ho, yeah I don't have that
11:28 < kcodyjr> what do you mean. what is the nature of the client system? i thought you were connecting your home LAN to a dedicated server over a tunnel.
11:28 < Ulrar> Well, I do have a home router but it's an old netgear provided by my ISP, not even sure it supports IPv6
11:29 < Ulrar> Hopping to get it on OpenWRT some day
11:29 < kcodyjr> openwrt surely will support v6. i do heartily recommend it.
11:29 < Ulrar> I mostly want to connect my laptop, but yeah would be cool to connect my whole network
11:29 < kcodyjr> and it'll make a very happy client system with openvpn on it.
11:29 < kcodyjr> well your laptop doesn't need a whole subnet
11:30 < kcodyjr> it just needs the one automatic ip provided by the openvpn server.
11:30 < Ulrar> I don't remember the model of my router and I'm not at home right now, but I believe it is not realy supported by OpenWRT but some people says it works anyway
11:30 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Remote host closed the connection]
11:30 < Ulrar> So for the laptop I just don't use the two other subnets for now, right ?
11:30 < kcodyjr> correct.
11:31 < kcodyjr> consider them reserved for when you get your home router straightened out.
11:31 < Ulrar> Okay, great
11:31 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
11:31 < kcodyjr> for the laptop, you'll want some form of redirect-gateway on the server config. OR, if you're using NetworkManager through your gui on the client side, it'll have a checkbox to do that for you.
11:32 < Ulrar> I'm using network manager on linux
11:32 < Ulrar> For the windows part, I should add that on the config file ?
11:32 < kcodyjr> for the home router, just remember the key detail is that it wants two "iroute" statements in its server-side client-specific config file. one for the v4 subnet, one for the v6 subnet.
11:33 < kcodyjr> oh, and add the "route-ipv6 <whole_/64> to the global server config file.
11:33 < kcodyjr> hm. i'm not sure how windows will behave. personally i'd choose to rely on the client side behavior anyway. :)
11:33 < kcodyjr> *server side behavior. misspoke.
11:33 < kcodyjr> that means i need another cup of coffee when i mix my words like that. one sec.
11:36 < Ulrar> If I add a redirect-gateway to my conf, it will only affect the IPv6 traffic, right ?
11:36 < Ulrar> And for IPv4 (to bypass blocked port) I'll just add some route, right ?
11:41 < Ulrar> I guess the best would be to leave the route directive in the client conf, nothing to do with the server
11:41 < Ulrar> at least for IPv4
11:46 -!- kalloc_ [~kalloc@195.94.251.75] has quit [Remote host closed the connection]
11:47 -!- kalloc [~kalloc@109.188.124.29] has joined #openvpn
11:54 < kcodyjr> sorry, i was off drinking coffee.
11:55 < kcodyjr> your goal is to use it when you've got no other ipv6 connectivity, right? i'd think you want a v6-only default gateway pushed to the client.
11:55 < Ulrar> That's right
11:55 < kcodyjr> but if you think that's likely to be situation-specific, as in sometimes you'll have a native ipv6 address but still want to tunnel in, then you'd want it to be a client-side config
11:56 < kcodyjr> is there any reason to access the dedicated server? or is it really truly dedicated to vpn?
11:56 < Ulrar> As of now I don't have v6 anywhere
11:56 < Ulrar> It's not dedicated to VPN, I use it for lots of things
11:56 < kcodyjr> so you'd presumably appreciate a secure connection to it, whether you're trying to get to the v6 internet or not.
11:57 < kcodyjr> i'd leave it client-side then.
11:57 < kcodyjr> since the long term goal *is* to have a fixed tunnel with v6 to home, right?
11:57 < Ulrar> It is
11:58 < Ulrar> So I can push a v6 gateway, and leave all the v4 client side ?
11:58 < kcodyjr> yes.
11:58 < kcodyjr> !ipv6
11:58 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
11:58 < kcodyjr> that has the exact line you need somewhere in it.
11:59 -!- visavi [~visavi@46.246.164.190.dsl.dyn.forthnet.gr] has joined #openvpn
11:59 < kcodyjr> read up about how the "server" and "server-ipv6" directives are really just macros. you might want to do the expansion to more smoothly integrate things.
11:59 < visavi> In a WinXP machine that acts as a client of a bridged VPN, I need to manually bridge the physical interface with the virtual one. Can I have OpenVPN do that for me?
12:00 < kcodyjr> visavi, you don't do that on the client, you do it on the server.
12:00 < kcodyjr> unless you have a non-openvpn-related reason to be bridging on the client.
12:00 < kcodyjr> in which case no, it's not openvpn's scope.
12:01 < kcodyjr> by the way, i really like those old linksys wrt54gl boxes for a home wan router, in addition to a modern wireless access point (with the wap dhcp and firewall turned off).
12:01 -!- kalloc [~kalloc@109.188.124.29] has quit [Remote host closed the connection]
12:02 < Ulrar> kcodyjr: Okay thanks a lot for your help ! I think my configuration is okay, I'll just get home and I'll try it
12:02 < kcodyjr> i know for a fact they have enough juice to run an ip phone over openvpn, and you've also got an antenna to search for neighbors' networks if the cable goes down, hehe
12:02 -!- kalloc [~kalloc@195.94.251.75] has joined #openvpn
12:02 < kcodyjr> Ulrar, you're welcome. fingers crossed for you. and that comment about those old smurf routers was aimed at you.
12:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
12:03 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
12:07 -!- kalloc [~kalloc@195.94.251.75] has quit [Ping timeout: 265 seconds]
12:09 < Ulrar> Well I might just buy something yeah, but my ISP gave me a netgear so if I can use it, might aswell do
12:09 < Ulrar> If I can't get it to work I'll look into your advice, thanks :)
12:17 < kcodyjr> those smurfs are cheap.
12:18 < kcodyjr> there is the other road: give the public ip to a gentoo box, and still run their netgear as a pure wap.
12:18 < kcodyjr> you sound like the kind of geek who'd like the latest kernel on his home firewall ;)
12:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:38 -!- CatKiller [~catkiller@unaffiliated/catkiller] has joined #openvpn
12:38 -!- CatKiller [~catkiller@unaffiliated/catkiller] has left #openvpn ["Leaving"]
12:38 -!- CatKiller [~catkiller@unaffiliated/catkiller] has joined #openvpn
12:38 -!- CatKiller [~catkiller@unaffiliated/catkiller] has left #openvpn ["Leaving"]
12:38 -!- CatKiller [~catkiller@unaffiliated/catkiller] has joined #openvpn
12:39 -!- CatKiller [~catkiller@unaffiliated/catkiller] has left #openvpn ["Leaving"]
12:39 -!- CatKiller [~catkiller@unaffiliated/catkiller] has joined #openvpn
12:39 < CatKiller> Hi there! I was wondering if there was any equivalent to Mac OS X keychain way of storing private key passphrases for OpenVPN on Windows?
12:39 < CatKiller> Maybe somebody knows if 1password is compatible
12:39 < CatKiller> or something similar
12:40 < plai> you can use the windows certificate api to store certificates
12:40 < CatKiller> Just to be able to avoid having to input a passphrase to decrypt the key while keeping it encrypted on disk
12:40 < CatKiller> plai: Will that work with OpenVPN?
12:40 < CatKiller> i.e. OpenVPN will be able to grab it from there?
12:40 < plai> CatKiller: see cryptoapicert in the man page
12:41 < CatKiller> plai: Thanks!
12:48 -!- CatKiller [~catkiller@unaffiliated/catkiller] has left #openvpn ["Leaving"]
12:51 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Read error: Operation timed out]
12:52 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
13:19 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
13:21 < Ulrar> kcodyjr: Ha ha, I am, you are right. Can't afford that for now unfortunatly, but that's something I wanted to do for a long time. May be in a few months when I'll move
13:22 < kcodyjr> go looking for a junky box. it needs two nic's and either an hdd or and ssd.
13:24 < Ulrar> Well I need either a big place or something silent
13:24 < Ulrar> I'm planning to move to a big place :)
13:25 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:28 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 272 seconds]
13:30 -!- losted [~losted@box.losted.net] has joined #openvpn
13:40 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 245 seconds]
13:41 -!- lj1 [~l@192.241.174.169] has joined #openvpn
13:42 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:44 -!- losted [~losted@box.losted.net] has joined #openvpn
13:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:55 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
13:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Max SendQ exceeded]
14:01 < Ulrar> kcodyjr: So I just tested, I do get a v6 on my client, and I can ping the first adresse of the second block, and when I do a traceroute I see that the packet is sent though the tunnel, but it never comes back
14:01 < Ulrar> On the server I enabled IPv6 forwarding, was there some other step I missed ?
14:01 < kcodyjr> what's the routing table on the server look like
14:02 < kcodyjr> do you see the tunnel block with your laptop's address range in it
14:02 < Ulrar> Oh yeah, no routing of the second block
14:02 < Ulrar> But I do see the v4 block I use with OpenVPN
14:03 < Ulrar> I have a route-ipv6 of the /64 in the config file
14:05 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
14:06 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 252 seconds]
14:07 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
14:10 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:12 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
14:12 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 252 seconds]
14:13 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
14:17 < kcodyjr> sorry, got distracted.
14:17 < kcodyjr> the /64 should not be specified anywhere
14:17 < kcodyjr> your server's /etc/conf.d/net file (gentoo also?) should contain that first /66 block
14:18 < kcodyjr> the openvpn config file should contain a "route <2nd_66_block>" statement
14:18 < kcodyjr> we'll worry about the other two /66's when your home router is ready. for now just disregard them.
14:42 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Read error: Connection reset by peer]
14:44 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
14:46 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Client Quit]
14:46 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
14:49 < Ulrar> kcodyjr: Okay, corrected that but it's still not showing up in my routes
14:51 < kcodyjr> i need pastebins showing your routing table and server side config
14:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:57 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:57 -!- mode/#openvpn [+o mattock1] by ChanServ
15:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:07 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
15:09 -!- visavi [~visavi@46.246.164.190.dsl.dyn.forthnet.gr] has quit [Ping timeout: 260 seconds]
15:10 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
15:12 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
15:13 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
15:13 -!- NoobSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 250 seconds]
15:14 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 260 seconds]
15:15 -!- lj [~l@192.241.174.169] has joined #openvpn
15:33 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
15:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:48 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
15:50 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
15:50 -!- mode/#openvpn [+o plaisthos] by ChanServ
15:52 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
15:57 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Ping timeout: 245 seconds]
15:58 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
16:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
16:02 -!- pwrcycle [~pwrcycle@173.214.160.92] has joined #openvpn
16:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:05 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:17 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
16:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:33 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
16:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:38 -!- p3rror [~mezgani@41.140.179.192] has joined #openvpn
16:52 -!- lj [~l@2602:306:39b1:1cb9:1d71:372b:31cd:41d8] has joined #openvpn
16:52 -!- lj [~l@2602:306:39b1:1cb9:1d71:372b:31cd:41d8] has quit [Client Quit]
16:56 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
17:22 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
17:27 < kcodyjr> off the wall question (to cover the corner case in my script) is there any such thing in openvpn, as a v6-only tunnel?
17:32 -!- nunim [nunim@unaffiliated/nunim] has quit [Ping timeout: 276 seconds]
17:32 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
17:35 < pekster> For the inside transport? Not currently as the codebase assumes/relies on IPv4. It's on the todo list, but for now just use some arbitrary RFC1918 even if you don't want/need it
17:37 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
17:40 <@krzee> !random
17:40 <@vpnHelper> "blame": and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments; "git-doc": For a very quick git crash course, see https://community.openvpn.net/openvpn/wiki/GitCrashCourse; "eurephia": http://www.eurephia.net/
17:41 <@krzee> hah
17:41 <@krzee> !subnet
17:41 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet
17:41 <@krzee> !factoids search rand
17:41 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
17:41 <@krzee> i think i like !random :D
17:46 < kcodyjr> pekster, ok thanks. i will allow my script to make the same assumption (that there will always be an ipv4 peer address).
17:46 < kcodyjr> but i'll make my usual point of sanity checking that
17:50 < kcodyjr> will a statically assigned client address still show up in $ENV{ifconfig_pool_remote_ip} ?
17:50 -!- p3rror [~mezgani@41.140.179.192] has quit [Remote host closed the connection]
17:52 < pekster> By static you mean by ccd or --client-connect using --ifconfig-push? If so, then yes
17:54 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
17:55 < kcodyjr> yes, that kind of static.
17:57 < kcodyjr> how about if it's p2p mode instead of net30, will all the variables still be populated, but ifconfig_pool_local_ip equals ifconfig_local ? or will there be empties in that configuration?
17:59 < pekster> p2p topology works basically the same. --mode p2p (which is different from --mode server) has no pool at all
17:59 < kcodyjr> i don't imagine --mode p2p having any need for dynamic dns at all
17:59 < kcodyjr> i did mean p2p topology.
18:00 < pekster> --mode p2p is "just a Point-to-Point link"
18:00 < kcodyjr> yup. i've used that to encrypt private fiber links between datacenters.
18:00 < pekster> Right, if you just have 2 endpoints it's a bit simplier config, and you can still do it under TLS if you want the security benefits
18:01 < pekster> (plus you can technically do goofyness like asymmetric IP assignment, although that gets confusing fast
18:01 < kcodyjr> by suppressing ospf broadcasts over the raw device and permitting them over the tunnel device, with one openvpn process per cpu at each end, relying on the kernel for multipath load balancing, with simple stateless acl's for a firewall
18:01 < kcodyjr> worked pissa actually
18:02 < pekster> Yup, PtP is convenient if you know you don't need Windows support
18:02 < kcodyjr> until we got bought and the new network department INSISTED we replace the switches with their L3 types immediately.
18:02 < kcodyjr> but that's another story.
18:14 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
18:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:24 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 260 seconds]
18:42 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:48 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
19:01 -!- Aelius [~Aelius@unaffiliated/aelius] has joined #openvpn
19:01 < Aelius> What entries could i add to the client.ovpn to get it to timeout and retry the connection faster?
19:02 < Aelius> my friend's laptop doesnt seem to be connecting after he wakes it up from sleep, until he restarts the openvpn service
19:06 < pekster> Read about:
19:06 < pekster> !keepalive
19:06 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
19:06 < pekster> The client can specify its own values, although be sure to put it after --pull (or --client, which implies that one) as otherwise anything pushed will over-ride
19:08 < Aelius> thanks. yeah since only he is having these issues I think ill just tell him to add keepalive to his config
19:09 < Aelius> although i dont see a --pull in the sample config anywhere- would i have to add it to get the pull functionality? or is adding it merely an order-of-execution
19:10 < pekster> --pull is implied by --client as I stated above. Reference the manpage for the expansion of such "helper" directives
19:11 < Aelius> the syntax in the client config is just 'client', --xyz is a lauch argument right?
19:11 < pekster> !--
19:11 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
19:11 < pekster> Read about --config in the manpage for details
19:12 < pekster> See also:
19:12 < pekster> !man
19:12 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:12 < pekster> protip on #3 is helpful if you're new to manpages
19:12 < Aelius> not new to manpages, just using this for windows
19:12 < Aelius> where there is no man
19:12 < pekster> Web URL, or install cygwin or some other manpage parser
19:19 -!- joshh20-Away is now known as joshh20
19:22 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
19:41 -!- raidz is now known as raidz_away
19:47 -!- raidz_away is now known as raidz
19:48 -!- lj [~l@192.241.174.169] has joined #openvpn
20:01 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 276 seconds]
20:02 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
20:11 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
20:29 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
20:36 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
20:40 -!- hfp [~hfp@MTRLPQ0736W-LP130-01-2925269307.dsl.bell.ca] has joined #openvpn
20:41 < hfp> !welcome
20:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
20:41 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:43 < hfp> Hi, I have a VPS that I setup OpenVPN on to access the internet when using public wifi etc. I cannot fathom why using `/usr/sbin/openvpn --config /etc/openvpn/server.conf` launches OpenVPN fine and allows me to connect etc like I intend but if I do `service openvpn start` then I am getting `Starting virtual private network daemon: server failed!`... Using OpenVPN 2.2.1 on Debian 7 x64with an OpenVZ Ramnode.
20:43 < hfp> !logs
20:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
20:44 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
20:45 < hfp> This is the log http://pastie.org/private/qo2grah5x99lj6pudupsew
20:45 < hfp> It says it cannot access dh1024.pem but only when I use the service. If I don't use the service and manually launch the OpenVPN server then no complaints re dh1024.pem
20:55 < pekster> You should consult your distro support methods
20:55 < pekster> If you can use the openvpn binary from the prompt the problem is your distro service
20:55 < pekster> Consider what it's using for a default CWD (your $PATH) and relative files, especially if you have file access issues
21:02 < hfp> I was wondering, if I want to move my OpenVPN server to another physical machine, I cannot reuse the clients keys and certificates nor the server's, right? I would have to create new ones altogether, correct?
21:03 < pekster> You can share keypairs, but you ought not to
21:03 < pekster> !dupe
21:03 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
21:06 -!- Fast[BDC] is now known as pcdummy
21:10 -!- booo [~booo__@p54BD8B8E.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
21:12 -!- booo [~booo__@p54BD8D46.dip0.t-ipconnect.de] has joined #openvpn
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
21:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:34 < hfp> pekster: It was actually an odd one, I was launching the service from the directory where the dh1024.pem and keys were in so it worked. But because I put relative paths in the server.conf then the service wouldn't find them. Same if I launched the binary manually but from another directory. I fixed it by putting absolute paths in the conf file for the crt, keys and dh1024.pem files.
21:35 < hfp> pekster: About the keys, I have one keypair per client. But I need to migrate the server and was wondering if I could just copy over all the keys, ca.crt etc and still have the OpenVPN server function properly or if I needed to recreate the server's certificate etc.
21:35 < pekster> Most "service" scripts (ie: your distro init) have a predefined CWD, either per service or a global one
21:35 < pekster> This varies a lot by distro and you'd need to ask "them" how services work
21:39 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
21:41 < hfp> pekster: In my case, it worked with an absolute path in the server.conf
21:43 < pekster> You can share the server key wherever you like with the obvious drawback that a compromise of 1 compromises them all
21:45 -!- joshh20 is now known as joshh20-Away
21:45 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
22:04 < aji> $chan
22:08 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
22:36 -!- granger915 [~granger@pool-108-52-175-247.phlapa.fios.verizon.net] has joined #openvpn
22:43 -!- novaflash is now known as novaflash_away
22:57 -!- Auctus [~Auctus@unaffiliated/auctus] has quit [Quit: Only $19.95 for a custom quit message? What a deal!]
23:00 < _FBi> heya pekster
23:00 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Remote host closed the connection]
23:00 -!- Rallias [~Rallias@unaffiliated/gasseus] has quit [Ping timeout: 240 seconds]
23:28 -!- hfp [~hfp@MTRLPQ0736W-LP130-01-2925269307.dsl.bell.ca] has left #openvpn []
23:31 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
23:32 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
23:35 < kcodyjr> bug. i'm not getting the peer ipv6 address in the environment to client-connect. i'm getting the 2nd argument to ifconfig_ipv6 (one-time tunnel address) instead. it is however assigning the ip appropriately. but this of course breaks ddns.
--- Day changed Thu Feb 06 2014
00:06 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
00:07 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
00:12 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
00:13 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:50 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
00:55 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
00:56 -!- mikkel [~mikkel@93.176.85.50] has quit [Read error: Operation timed out]
00:56 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
00:56 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
00:56 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:01 -!- james41382__ is now known as james41382
01:04 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
01:08 -!- granger915 [~granger@pool-108-52-175-247.phlapa.fios.verizon.net] has left #openvpn []
01:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:10 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:11 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:12 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-emiwsnkktztsbaig] has joined #openvpn
01:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
01:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:40 < manitu> hi ho.. i tried to change a ccd without restarting, reconnecting the client and see if the new config works, but it does not.. do you know why this could be?
01:40 < manitu> it's version 2.3.2
01:41 < manitu> that is how my ccd looks like: http://pastebin.com/VKibAg0J .. i added the first and the last route
01:42 <@krzee> you're still using net30? sure you dont wanna use topology subnet so you can number your clients .2 .3 .4 .5 etc etc?
01:43 <@krzee> and your issue is unrelated to changing your ccd, can you post the server's log of the client connecting?
01:44 < kcodyjr> does topology subnet work for all clients?
01:45 <@krzee> if they are 2.1 or above, and if they are below 2.1 you really should upgrade them
01:48 < manitu> krzee, one moment.. and yea, actually i do
01:49 <@krzee> !topology
01:49 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
01:49 <@krzee> !static
01:49 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
01:49 <@vpnHelper> also: !addressing
01:49 <@krzee> so your ifconfig-push will change
01:53 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:54 < manitu> krzee, http://pastebin.com/Y1vZxkLS that should be all
01:54 <@krzee> show me the server config
01:56 -!- stickpin [~b@173.244.215.195] has quit [Ping timeout: 272 seconds]
01:56 < manitu> krzee, http://pastebin.com/XGa07qTn
01:56 <@krzee> change verbosity to 4 on server, restart, connect client, gimme server log
01:57 < manitu> isn't it already?
01:57 < manitu> with "verb 4"?
01:57 <@krzee> hmm ya
01:57 < kcodyjr> anyone think of a reason why "push route-ipv6 2000::/3 <serverv6addr>" isn't doing anything on the client?
01:57 <@krzee> oh you cut out most the log manually
01:57 <@krzee> !push
01:57 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
01:57 <@krzee> push only works on the server
01:58 < manitu> krzee, yes.. i have many connections, because we have many gprs clients which reconnects over and over
01:58 < manitu> oh, you wanted the client config?
01:59 <@krzee> manitu, sorry that piece was for kcodyjr
01:59 < kcodyjr> krzee, yep, got that part. the route isn't showing up on the client.
01:59 < manitu> krzee, ah okay.. i was a little bit confused xD
02:00 < manitu> krzee, i just wonder why it doesn't see the change of the ccd until the server is reloaded (all clients disconnects) or restarted
02:01 <@krzee> it does
02:02 <@krzee> but your log doesnt show the server loading the ccd file
02:02 <@krzee> probably because you chopped it out of the log file
02:03 < kcodyjr> hrm. NetworkManager is setting --route-noexec. i bet it's just not installing any v6 routes.
02:04 < kcodyjr> yeah. nevermind. works fine when i launch openvpn as a system service. broken when i launch via NM. cute.
02:04 <@krzee> oh ya, NM sux
02:04 <@krzee> !netman
02:04 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
02:05 -!- stickpin [~b@173.244.215.195] has joined #openvpn
02:05 <@krzee> !ubuntu
02:05 <@vpnHelper> "ubuntu" is dont use network manager!
02:05 <@krzee> :D
02:07 <@krzee> !logfilew
02:07 <@krzee> !logfile
02:07 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
02:07 <@krzee> manitu, get the entire log
02:07 < manitu> krzee, that should be it
02:07 <@krzee> --log
02:07 <@krzee> i want startup stuff too
02:08 <@krzee> the whole thing
02:08 < manitu> oh.. moment, i didn't restart the server at that point
02:09 < kcodyjr> actually, it worked just fine until i tried to go dual stack through the tunnel.
02:12 < manitu> krzee, sent you the new log
02:14 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 272 seconds]
02:14 <@krzee> no you didnt
02:17 < manitu> krzee, did you recieve it now (query)?
02:18 < manitu> Feb  6 08:51:35 vvpnsrv1 openvpn[26410]: DevelWerner/my_ip:24593 OPTIONS IMPORT: reading client specific options from: ccd//DevelWerner << it says that
02:19 < manitu> but if i close the connection and connect again it doesn't show this line again
02:19 < manitu> just the very first connection after restart
02:21 < kcodyjr> hrm. i even just found the TODO for the missing feature i just smacked into.
02:21 <@krzee> hmm so now its working
02:22 <@krzee> oh hmm
02:22 <@krzee> so if you reconnect, do you have all the same routes?
02:22 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
02:22 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
02:23 <@krzee> also you wont need such a big server subnet when you start using topology subnet
02:24 < manitu> krzee, it's just so big because we hat client-to-client before
02:24 <@krzee> umm, so?
02:24 <@krzee> i dont see the relation
02:24 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
02:25 < manitu> krzee, was more easy to handle, because client-to-client just works in the server range
02:25 <@krzee> whats that have to do with having such a large server subnet?
02:26 <@krzee> !c2c
02:26 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
02:26 <@vpnHelper> other clients
02:26 < manitu> it's not soooo large with 2x class C
02:27 <@krzee> client-to-client only has to do with the path packets take inside the server itself
02:27 <@krzee> how does that influence the server subnet size in any way?
02:28 < manitu> krzee, but if you have a server range 172.16.0.0/24 and give a client the 172.16.1.1, then you need to use iptables
02:28 < manitu> with forward and stuff
02:28 <@krzee> and i know you meant 2x /24, and once you switch to topology subnet you will have 2x the number of client addresses available in a /24 than you do in your current subnet
02:28 <@krzee> umm no
02:29 <@krzee> you would simply need to configure routing properly
02:29 <@krzee> in fact they do that in the howto
02:29 <@krzee> !polocy
02:29 <@krzee> !policy
02:29 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
02:29 <@krzee> there at link #1 they do it ^
02:30 < manitu> krzee, using "route" to add the client didn't help.. the packages was delivered and received, but the packages was dropped before the openvpn-server handled them.. i debugged a bit there
02:31 < manitu> still i really want to change something at the network.. since there is ipsec and openvpn running in the network
02:32 <@krzee> in fact with giving an IP outside the server subnet pool you dont even need special routing
02:32 <@krzee> simply cannot use a subnet that is already being used
02:32 < manitu> krzee, in the future i don't know if i really need a server range.. there are no clients with dynamic ips at all, so..
02:32 <@krzee> oh i see
02:33 <@krzee> so ya may as well just use the entire subnet then
02:33 <@krzee> i see now, they are all static so you're just cheating for automation :D
02:34 <@krzee> so when you reconnected, was the client missing routes?
02:34 < manitu> krzee, i'm going to change the topology if all clients support it, but i'm not at that step yet.. if i would have more time for the servers i would be pretty happy :/
02:34 < manitu> krzee, the new rules was added after restarting.. i try to add one more route now, just a moment
02:34 <@krzee> well i mean
02:35 <@krzee> kill the client and connect again, does it get all those same routes from the ccd?
02:35 <@krzee> before you even change the ccd file
02:35 <@krzee> if so, it must still be getting them from the ccd, then go ahead and change it and see again
02:35 < manitu> yes.. if i restart the server everything works well, but then all the ~90 clients reconnect
02:35 <@krzee> kill the client, not the server
02:37 < manitu> i now did: kill my local client (ctrl + c), change the ccd, reconnect.. the new rule "10.132.182.0/24" was not added, but the routes i added before restarting the server are there
02:37 <@krzee> weird ive made many changes to ccds on running servers and they always apply for me
02:37 <@krzee> dunno whats different for you
02:38 <@krzee> but ccd is read when the client connects
02:38 < manitu> i wish i would know.. at startup it says persist_mode = 1 i think
02:38 < manitu> what does that mean?
02:39 < manitu> i also use the rpm from yast, so i don't know if they put any configuration flags which could make it that way
02:41 <@krzee> nah theres no config flag for changing that even
02:41 <@krzee> the ccd file is read every time the client connects
02:42 <@krzee> if that is not happening for you, i have no idea why not
02:42 < manitu> krzee, do i need to close the client-connection on the server somehow?
02:42 < manitu> that it maybe thinks the old connection is still opened and so he can't change the configs?
02:43 <@krzee> oh actually maybe yes
02:44 < manitu> i don't know how to handle the clients with the server
02:45 <@krzee> just disconnect long enough that the server knows, in your case 240 seconds should do it
02:54 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-zqlvekzdpspvkpqe] has quit [Ping timeout: 272 seconds]
03:02 < manitu> krzee, tried again now and it has the route
03:03 < manitu> can i "kill" the connection somehow?.. because some of the systems aren't meaned to be offline that long
03:21 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
03:22 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
03:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:34 -!- talf [~quassel@109.232.228.5] has joined #openvpn
03:35 < kcodyjr> patch submitted to expose the ipv6 peer address to the client-connect script et al.
03:40 < manitu> krzee, and thank you :)
03:40 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has joined #openvpn
03:41 <@krzee> !management
03:41 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
03:41 <@krzee> you can kill it from the management interface
03:53 < Pang> Hello! I am using for the first time open vpn .I try to instal for several times on my virtual machine Win Server 2012.I do not know how is working .Now  I have this error"Error Creating HKLM\Software\OpenVPN-GUI key"I have nothing in the ''config''  a
03:53 < Pang> and the log file is empty
03:55 < Pang> I have downloaded and install it this file openvpn-install-2.3.2-I003-x86_64.exe
03:55 < Pang> I am not a native english speaker
03:59 < ikrabbe> good morning. I want to bridge one or mor tap devices and a failover bond of two netork cards. When I do this I loose connectivity. Actually I can add the bond0 to the bridge br0 but when I add tap1 I cannot talk to the outside anymore. Any ideas?
04:00 < ikrabbe> !paste
04:00 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
04:07 < ikrabbe> https://gist.github.com/ikrabbe/8841488 ← here is a demonstration of what happens to me
04:07 <@vpnHelper> Title: What happens when I add tap1 to a bridge through a bond (at gist.github.com)
04:25 < MacGyver> Running openvpn as listener on both IPv6 and IPv4 requires to distinct TUN or TAP devices, right?
04:25 < MacGyver> s/to/two/
04:34 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
04:38 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
04:39 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:50 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
05:02 -!- master_of_master [~master_of@p4FF24A8B.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
05:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:02 -!- mode/#openvpn [+v s7r] by ChanServ
05:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Max SendQ exceeded]
05:06 -!- master_of_master [~master_of@p4FF24299.dip0.t-ipconnect.de] has joined #openvpn
05:07 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
05:17 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:20 -!- klein [~klein@187.85.164.120] has joined #openvpn
05:20 -!- klein [~klein@187.85.164.120] has quit [Changing host]
05:20 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:21 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 260 seconds]
05:23 -!- makara [~makara@41.164.22.218] has joined #openvpn
05:25 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
05:25 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
05:35 -!- talf [~quassel@109.232.228.5] has quit [Remote host closed the connection]
05:37 -!- klein [~klein@187.85.164.120] has joined #openvpn
05:37 -!- klein [~klein@187.85.164.120] has quit [Changing host]
05:37 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:43 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 272 seconds]
05:47 < Ulrar> Hi, on my client I put some route like "route 202.9.66.0 255.255.0.0", the first one works fine but all the others get a false gateway (172.129.8.5 instead of 172.129.8.1), any idea of what could cause that ?
05:49 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
05:52 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Quit: mirco]
05:52 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
05:53 < Ulrar> If I use route-gateway 172.129.8.1, the first one stays fine and all the others routes get the right gateway but the wrong interface instead
05:56 <@plaisthos> kcodyjr: It would be better to submit the patch to #openvpn-devel
05:57 <@plaisthos> kcodyjr: and on quick look it seems you overlooked env_filter_match
05:59 -!- n00bSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
05:59 <@plaisthos> kcodyjr: And I am not sure what happens if there is no IPv6 configured
06:00 <@plaisthos> kcodyjr: also changes to the man page are missing
06:02 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 265 seconds]
06:02 -!- mode/#openvpn [-o plaisthos] by plaisthos
06:25 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Read error: Operation timed out]
06:25 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Operation timed out]
06:26 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
06:27 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
06:31 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has quit [Ping timeout: 260 seconds]
06:34 -!- psycheye [~psycheye@93.49.16.11] has quit [Ping timeout: 245 seconds]
06:36 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
06:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:12 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Ping timeout: 272 seconds]
07:16 < Ulrar> Okay, now I got it to work but the tunnel collapse in like 30 seconds each time
07:17 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
07:25 -!- Xeph [~Xeph@leonardo.netwichtig.de] has joined #openvpn
07:35 -!- illusion [~illusion@188.52.28.61] has joined #openvpn
07:36 < illusion> hi , i want to forward port 80 of my vpn server ip to my client , how to do this ?
07:42 < Xeph> hello, i'd like to connect a windows 7 machine to an openvpn-service. the connection is established, a network interface is created. how do i route the traffic through the new network interface?
07:48 -!- illusion_ [~illusion@188.52.28.61] has joined #openvpn
07:51 -!- illusion [~illusion@188.52.28.61] has quit [Ping timeout: 245 seconds]
07:52 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
07:52 -!- bs0d [~bs0d@84.50.244.39] has joined #openvpn
07:54 -!- illusion__ [~illusion@188.52.28.61] has joined #openvpn
07:54 < bs0d> Hello. When is the bridged tap interface created in the client machine -- before establishing an initial connection to the server of after?
07:55 -!- n00bSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 272 seconds]
07:57 -!- illusion_ [~illusion@188.52.28.61] has quit [Ping timeout: 252 seconds]
08:03 -!- illusion_ [~illusion@188.52.28.61] has joined #openvpn
08:04 -!- illusion_ [~illusion@188.52.28.61] has quit [Read error: Connection reset by peer]
08:04 -!- illusion_ [~illusion@188.52.28.61] has joined #openvpn
08:05 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:07 -!- illusion__ [~illusion@188.52.28.61] has quit [Ping timeout: 272 seconds]
08:07 -!- illusion__ [~illusion@188.52.28.61] has joined #openvpn
08:09 -!- bs0d [~bs0d@84.50.244.39] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
08:10 -!- illusion_ [~illusion@188.52.28.61] has quit [Ping timeout: 252 seconds]
08:16 -!- illusion__ [~illusion@188.52.28.61] has quit [Ping timeout: 248 seconds]
08:25 -!- u0m3 [~u0m3@109.96.173.42] has joined #openvpn
08:25 -!- makara [~makara@41.164.22.218] has quit [Read error: Operation timed out]
08:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-aajmmacveusfclrf] has joined #openvpn
08:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
08:47 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
09:05 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
09:18 -!- 31NAAEEG9 is now known as itaddercloud
09:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:52 -!- visavi [~visavi@46.246.183.102.dsl.dyn.forthnet.gr] has joined #openvpn
10:03 -!- takamichi [~takamichi@85.12.8.107] has quit [Read error: Connection reset by peer]
10:03 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:23 -!- Radical_Edward [~ed@2001:41d0:2:ada5::245] has joined #openvpn
10:28 < kcodyjr> plaisthos, thanks for the feedback. you're right, it deserves further testing, i just wanted to get the meat of the changes out there for review. i'll tackle that hopefully this evening.
10:35 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
10:36 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
10:36 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:55 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:56 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 264 seconds]
10:56 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Client Quit]
10:59 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 250 seconds]
11:00 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
11:06 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:22 -!- lj [~l@192.241.174.169] has joined #openvpn
11:29 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has joined #openvpn
11:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
11:59 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
12:00 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
12:00 -!- kcodyjr [~kcodyjr@2002:32a9:2d5:8000::100] has joined #openvpn
12:03 -!- lights_rage [~jpalmer31@216.106.51.165.reverse.socket.net] has joined #openvpn
12:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:06 < lights_rage> Hello, We are running windows eight, and having issues installing the TAP driver for the open vpn client 2.0.9 gui version 1.0.3 It refuses to install on a sixty four bit system however, the rest of the program installs the account on the system is an admin and we run the installer as admin can you help us figure out what might cause the issue and try to help us resolve it?
12:08 <@Eugene> I don't think I've ever seen somebody spell out "eight" or "sixty four"
12:09 < lights_rage> I am uncommon
12:09 <@Eugene> The usual problem is GPOs forbidding third-party drivers
12:09 < lights_rage> is what or who what are those?
12:10 < lights_rage> I am unfamiliar with that term
12:10 <@Eugene> Group Policy
12:10 < lights_rage> How can i fix it?
12:11 <@Eugene> I have no idea; I'm not gonna debug your Windows domain. That's just the usual reason for failure.
12:11 <@Eugene> If you have this configured, it would be something like this: http://msdn.microsoft.com/en-us/library/bb530324.aspx#grouppolicydeviceinstall_topic5
12:11 <@vpnHelper> Title: Step-By-Step Guide to Controlling Device Installation Using Group Policy (at msdn.microsoft.com)
12:11 <@Eugene> Also, you said 2.0.9? Uh, that's old.
12:11 <@Eugene> !download
12:11 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:11 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:12 <@Eugene> It sounds like you grapped it from the .se site mentioned, which is waaaaay out of date
12:13 < lights_rage> Thank you for your information
12:16 <@ecrist> lights_rage: you cannot run 2.0.x on windows 8
12:16 <@ecrist> you cannot run 2.1.x reliably on windows 8, either.
12:16 < lights_rage> oh no!!!! how sad indeed!
12:17 <@ecrist> run 2.3.2, which is current
12:17 <@ecrist> we don't support the other versions any longer
12:17 < lights_rage> thats what we are getting
12:27 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Quit: RUN FOR YOUR LIVES!]
12:33 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
12:34 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
12:34 < mapps> hi
12:35 < mapps> if i set the http_proxy option in my server conf file -- would that mean clients using the VPN would be restricted by acls on the squid http proxy when theyre browsing the web?
12:35 < kcodyjr> don't believe so. means the outbound tunnel connection will be proxied.
12:40 < mapps> hm
12:40 < mapps> so it would just mean the connection from server to client goes through the proxy but it wouldnt enforce acls
12:40 < mapps> argh
12:47 -!- joshh20-Away is now known as joshh20
12:47 -!- arader [~andrew@0x666.tk] has joined #openvpn
12:52 < arader> is it possible to use an openvpn connection to a server without adding any routes to your routing table?
12:53 < arader> obviously my "default" traffic won't use the VPN tunnel, but shouldn't I be able to bind a process to the tunnel interface and use it that way?
12:57 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has joined #openvpn
12:58 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
13:02 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:07 <@krzee> no
13:07 < jeev> sup krz
13:08 <@krzee> sup jeev
13:08 <@krzee> my "no" was to arader
13:08 < arader> krzee: seems that way from my testing, but what's the reason?
13:08 <@krzee> only the traffic with a route to go over the vpn will go over it
13:09 < arader> ah, that makes sense. even if my processes is opening a connection on the tunnel if, there isn't any route info to tell that connection to actually go over the tunnel
13:31 -!- noob42 [~noob42@91-66-231-26-dynip.superkabel.de] has joined #openvpn
13:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 245 seconds]
13:44 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
13:46 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
13:46 < arader> so I guess my next question: what does the address translation for outgoing connections? the openvpn server?
13:50 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:03 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
14:11 -!- pcdummy is now known as Fast[BDC]
14:13 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
14:17 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:18 -!- APTX [~APTX@unaffiliated/aptx] has quit [Client Quit]
14:19 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:19 <@krzee> NAT is done in the firewall
14:20 <@krzee> !redirect
14:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:20 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:30 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
14:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:35 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
14:43 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
14:44 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 272 seconds]
14:55 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
14:57 -!- megaTherion [~therion@unix.io] has joined #openvpn
14:58 < megaTherion> Hi, Im having trouble with OVPN 2.3.2 @ netBSD 6.0: Could not retrieve default gateway from route socket:: Invalid argument (errno=22)
15:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
15:06 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
15:08 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
15:10 -!- Radical_Edward [~ed@2001:41d0:2:ada5::245] has quit [Quit: Servers? check out these guys at http://www.viciousvps.com]
15:10 -!- Radical_Edward [~ed@2001:41d0:2:ada5::245] has joined #openvpn
15:10 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:10 -!- mode/#openvpn [+o raidz] by ChanServ
15:10 -!- Radical_Edward [~ed@2001:41d0:2:ada5::245] has quit [Client Quit]
15:11 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
15:12 -!- joshh20 is now known as joshh20-Away
15:17 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
15:28 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
15:29 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
15:29 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
15:31 -!- raidz_away [~raidz@2607:5300:60:d5a::2] has joined #openvpn
15:31 -!- raidz_away is now known as raidz
15:31 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
15:31 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:31 -!- mode/#openvpn [+o raidz] by ChanServ
15:31 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:32 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 265 seconds]
15:32 -!- Sembei is now known as Guest68154
15:33 -!- Guest68154 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Client Quit]
15:33 -!- Guest35590 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
15:34 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:36 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:37 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has quit [Ping timeout: 260 seconds]
15:38 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
15:39 -!- Guest35590 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Quit: WeeChat 0.4.3-rc2]
15:39 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:39 -!- mode/#openvpn [+o raidz] by ChanServ
15:39 -!- Guest85997 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:39 -!- novaflash_away is now known as novaflash
15:40 -!- Guest85997 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Client Quit]
15:43 -!- Sembei_ [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:45 -!- Sembei_ is now known as Sembei
15:45 -!- Sembei is now known as Guest67448
15:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:52 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
15:53 -!- arader [~andrew@0x666.tk] has quit [Quit: gone]
15:54 -!- Guest67448 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Quit: WeeChat 0.4.3-rc2]
15:54 -!- Sembei_ [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:57 -!- Sembei_ is now known as Sembei
15:57 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Changing host]
15:57 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:00 -!- noob42 [~noob42@91-66-231-26-dynip.superkabel.de] has quit [Quit: Leaving]
16:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
16:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:40 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has joined #openvpn
16:43 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:50 -!- megaTherion [~therion@unix.io] has quit [Read error: Connection reset by peer]
16:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:53 -!- megaTherion [~therion@unix.io] has joined #openvpn
17:00 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
17:05 -!- lj1 [~l@192.241.174.169] has joined #openvpn
17:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
17:22 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-aajmmacveusfclrf] has quit [Ping timeout: 245 seconds]
17:25 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 260 seconds]
17:25 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
17:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:26 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
17:30 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-tfyziozpzqyedfjh] has joined #openvpn
17:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:41 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
17:46 -!- FreshDumbledore [~FreshDumb@unaffiliated/freshdumbledore] has joined #openvpn
17:46 -!- lights_rage [~jpalmer31@216.106.51.165.reverse.socket.net] has quit [Quit: bye, i shall return]
17:46 < FreshDumbledore> hi. any way to tell openvpn to not try to use the 'ip' program as i dont have it on my slackware machine? x) or any source for that program?
17:47 < pekster> iproute2? That's how you do network config on Linux since the 2.4 kernel
17:47 < pekster> (some distro's userlands have left the really-old stuff in place.) See the ./configure flag for --enable-iproute2. If you don't enable it at compile time, it won't be used
17:48 < pekster> fwiw, you really _should_ be using iproute2 unless you really don't have it. If slackware doesn't have it, go file a bugreport to get it
17:48 < pekster> Even CentOS has iproute2 ;)
17:48 < FreshDumbledore> i see, there is a flag to tell what to use instead of 'ip'
17:49 < FreshDumbledore> yeah there is a slackbuild for iproute2, installing it :)
17:49 < pekster> Oh, yea, the path itself you mean?
17:49 < FreshDumbledore> ah it includes the ip program
17:49 < pekster> So both ifconfig and ip's path are defined at build time. Only ip can be changed at runtime via config (without a recompile)
17:49 < FreshDumbledore> should be solved then
17:49 < pekster> That's really "yet another" reason to use iproute2 ;)
17:49 < FreshDumbledore> no i thought u mean i get iproute2 and use it instead of 'ip' but actually ip comes with iproute so..
17:49 < FreshDumbledore> :D
17:50 < FreshDumbledore> ok route adding worked fine now x)
17:50 < pekster> Some reading on background for you:
17:50 < pekster> !ifconfig_linux
17:50 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
17:51  * pekster especially likes all the worthless zeros you get for tun devices
17:51 < FreshDumbledore> slackware is old :D it still offers LILO, what can i say ^^
17:52 < FreshDumbledore> one main update a year, next  coming soon :)
17:52 < pekster> Oh, ifconfig isn't going anywhere thanks to people using decade-old frontend (and backend) references to the userland or kernel ioctls involved
17:53 < FreshDumbledore> evrything working fine now x)
17:53 < FreshDumbledore> thanks!
17:54 < pekster> Yup
17:54 < pekster> http://fpaste.org/75157/13917308/ (line 5 is especially fun)
17:54 -!- FreshDumbledore [~FreshDumb@unaffiliated/freshdumbledore] has quit [Quit: Leaving]
18:05 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: Abandon ship! This server is (slowly) sinking]
18:06 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
18:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
18:10 -!- joshh20-Away is now known as joshh20
18:17 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
18:23 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
18:25 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 245 seconds]
18:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:46 < kcodyjr> is topology=subnet compatible with all currently supported platforms?
18:47 < pekster> Yes. Further reading at:
18:47 < pekster> !topology
18:47 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
18:47 < pekster> wiki link is helpful
18:47 < kcodyjr> i remember reading about what the change was, just didn't know if it'd shoot down windows or android or god only knows whatever else someone tries
18:47 < pekster> 7 year old (or more) Windows clients won't work
18:48 < pekster> If you're running those, you should go fix that
18:48 < kcodyjr> that one is out of my hands. so long as it can still access gmail, and doesn't clank or groan or whine or eject smoke from the back, the boss doesn't see a need to replace it.
18:49 < kcodyjr> though i think the last of the win2k have finally died.
18:49 < kcodyjr> but those aren't mobile.
18:49 < pekster> About 1 month left of official XP support too :P
18:49 < kcodyjr> i think M$ is going to continue seeing a lot of "go F yourself" on that one.
18:50 < pekster> It'll still boot, but they all become progressively worse honeypots without security updates: http://windows.microsoft.com/en-us/windows/end-support-help
18:50 <@vpnHelper> Title: Support is ending for Windows XP - Microsoft Windows (at windows.microsoft.com)
18:51 < kcodyjr> first they try to EOL the first and only actual operating system they ever sold (XP) in order to jam DRM down our throats, then they try to do it again so they can have a walled garden cash cow like apple and google. if i had my druthers we'd patch up the xp boxes one last time and the s**tcan the rest, including 7 and 8, and especially vista.
18:52 < kcodyjr> thta's assuming the XP box is deployed in anything like a risky scenario. and realistically, most of the vulnerability is in the browser. that won't become a problem until chrome and firefox both drop support.
18:53 < pekster> The footprint of the system APIs is larger than that
18:54 < kcodyjr> but anyway. question answered. all current clients, and legacy going back 7 years.
18:54 < pekster> Most browsers support TrueType fonts, for instnace, and those have been a consistent vulnerability vector
18:54 < kcodyjr> true enough, but in the final analysis, windows 98 is, today, exactly as secure as windows 7 when aggregated over any significant length of time.
18:55 < kcodyjr> just because the *exploits* stop being a moving target doesn't make the system any more insanely vulnerable than it was in the first place.
18:56 < kcodyjr> all MS platforms are subject to frequent 0-day exploits getting into the wild long before a fix even begins to be developed. their strategy has always been to stick their heads in the sand and say "nobody but us chickens here" until they have a fix to announce along with admitting the problem existed.
18:58 < kcodyjr> they can scoop it up and re-press it into a new shape every few years but it's still the same turd it's always been, and it's not possible to change the nature of a turd no matter how many layers of lacquer one pours over it.
18:59 < kcodyjr> anyway. rant over. i feel better now. :)
19:00 < kcodyjr> oh, summary behind the rant: one upgrades MS platforms when others report a stability improvement, and when compatibility finally forces the issue, but certainly not for any alleged security factor.
19:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
19:18 -!- Martyn [~Martin@216.38.134.150] has quit []
19:26 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
19:31 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
19:33 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:58 < kcodyjr> interestingly, my pushed routes require a gateway in the config now, and didn't in net30. also, worse and even more oddly, it seems to have assigned 192.160/11 instead of 192.168.100/22. any theories?
20:02 < pekster> Screwed up netmasks it sounds like. Post the:
20:02 < pekster> !configs
20:02 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
20:16 -!- NoobSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
20:17 -!- kcodyjr [~kcodyjr@2002:32a9:2d5:8000::100] has quit [Ping timeout: 245 seconds]
20:18 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 248 seconds]
20:24 -!- u0m3 [~u0m3@109.96.173.42] has quit [Read error: Connection reset by peer]
20:29 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
20:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:36 < kcodyjr> pekster, sorry, was yanking and cranking with it and cut myself off and reconnected without realizing.
20:37 < kcodyjr> seems i've been connecting to freenode through the tunnelled 6to4 address.
20:38 < kcodyjr> and i changed it back to net30 and the misbehavior goes away. the netmask field is getting mangled and it looks like the fields are getting mixed up too.
20:38 < kcodyjr> i thought things didn't look right where i added those stanzas.
20:38 < kcodyjr> let me go take a break and then i'll pull together configs. but unless it's expecting something other than 255.255.255.0 format then the subnet masks are correct.
20:39 < kcodyjr> for all that, the client did function just fine in subnet mode, unless i tried to access something on the public 192.16{0..7} that it was eclipsing.
20:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
20:46 < kcodyjr> by "strip comments" do you mean the big ugly blocks they ship with or do you mean *ANY* comments and whitespace. i stripped the .man.conf file down and left one-liners.
20:46 < kcodyjr> i'd like to leave them because they'll point out if i misunderstand a directive.
20:47 < pekster> It's easier without any TBH
20:49 < kcodyjr> want the whitespace?
20:50 < pekster> !configs
20:50 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:50 < pekster> grep syntax provided
20:51 < kcodyjr> thanks. that's a no you don't want whitespace.
20:51 < kcodyjr> i don't know how you guys read like that but okay
20:52 < pekster> Most of the regular help here is familiar enough with the directives we just want the actual config, not the "human bits." Too many different ideas what's helpful: https://xkcd.com/927/
20:52 <@vpnHelper> Title: xkcd: Standards (at xkcd.com)
20:57 < kcodyjr> i don't even need to pull it up. the title is sufficient.
20:57 < kcodyjr> i'm not full time enough to have recognized it by number these days though.
20:58 < kcodyjr> http://pastebin.com/xFsnt9p9
20:58 < kcodyjr> it's back in net30 mode. the only changes were the two topology lines.
20:59 < pekster> That doesn't work
20:59 < pekster> 192.168.103.2 isn't a valid netmask
21:00 < kcodyjr> thought it was expecting a peer endpoint there
21:00 < pekster> Not in subnet
21:00 < kcodyjr> ahh. so the semantics of that directive change.
21:01 < kcodyjr> let me take a wild stab. because the code surrounding the internal storage of the config directives is a *&^&*&^&* nightmare. amiclose?
21:01 < pekster> Nope, simply becuase the tun driver sets an IP+mask like any traditional interface
21:02 < kcodyjr> rather than setting a peer address. right.
21:03 < kcodyjr> that's why its peer was set to itself in ifconfig.
21:04 < pekster> Under Linux? No, that's just ifconfig being deprecated and stupid
21:04 < kcodyjr> looks to have perfectly valid values in net30 mode
21:05 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
21:06 < pekster> No, that's ifconfig blowing chunks becuase net-tools is dead
21:06 < pekster> !linux_ifconfig
21:06 < pekster> Stop using old shit
21:06 < pekster> http://fpaste.org/75177/74240713/
21:07 < kcodyjr> for whatever reason they keep it in the system profile.
21:07 < kcodyjr> if iproute2 has an expanded human-readable view like that, i haven't seen it
21:07 < pekster> Again, ifconfig is worthless on modern Linux. Don't rely on it. Don't use it. It lies, it's dumb, it's broken, and it relies on the archaic 2.2 kernel. Unless you're actually _using_ a 2.2 kernel,mve on
21:07 < kcodyjr> i can grok it, slowly, but it seems like iproute2 was written to be comfortable for Data to read.
21:07 < pekster> Oh, and lots of zeros (line 9 in that paste)
21:08 < pekster> Just in case you wanted to know that your "hardware address" on that virtual device is: 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 . Or something
21:08 -!- booo [~booo__@p54BD8D46.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:08 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
21:08 < pekster> "wait, could you repeat the 13th byte again? I thought you might have said hero, not zero"
21:08 < kcodyjr> ha.
21:08 < kcodyjr> i did notice that when i was digging around for parameters that might be usable for a dhcid.
21:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
21:09 < kcodyjr> thus far, without modifications, all i could do is a DUID-ET or dhcp-client-identifier derived from the common_name, which will not achieve database compatibility with isc-dhcpd, but will suffice otherwise. for some reason, the push-peer-info data doesn't make it into the scripts.
21:11 < kcodyjr> http://pastebin.com/RdyTuRHc
21:11 < kcodyjr> not seeing this brokenness you refer to in net30 mode. really.
21:12 < pekster> Right, ifconfig is less broken there becuase the old ioctls it references still work
21:12 < pekster> Well, minus the HWaddr stupidity
21:12 < kcodyjr> well, it doesn't *have* a hwaddr, zeros seems like a perfectly sane response to me
21:13 < pekster> Not displaying it is smarter than worthless info
21:13 < pekster> ifconfig is dead
21:13 < kcodyjr> i disagree about it being worthless info
21:13 < pekster> Unless you're personally going to recode net-utils, it's not worth caring about
21:13 < kcodyjr> probably it *should* be providing a falsified hardwrae address
21:13 < pekster> Then go file a bugreport with tun
21:13 < pekster> ifconfig is dead on Linux. This is the wrong place to discuss that topic
21:14 < kcodyjr> i don't care if it's dead or alive. why is it on my box if it does NOTHING but spew lies?
21:14 < kcodyjr> i'm not the distro maintainer.
21:14 < pekster> Becuase people "rely" on it still
21:14 < pekster> For reasons of continuing to rely on broken tools. "Becuase change sucks" or something
21:14 < pekster> (same reason the world's not on IPv6 yet.)
21:15 < kcodyjr> no actually i think it's something different. i think it's the same phenomenon that DOOMS the medical community to never ever ever actually stamping out smoking.
21:15 < kcodyjr> the notion that if it's bad, there can't be anything good about it. smoking kills therefore there's NO reason to smoke except the smoker being stupid. Bullshit. if the reward circuit wasn't being fired, they wouldn't be smoking.
21:15 < pekster> ifconfig _is_ using old API interfaces
21:16 < kcodyjr> likewise, if ifconfig wasn't somehow handier, people wouldn't be using it same with ipv4.
21:16 < pekster> There is nothing you can do to say it's worth using. People just don't know better
21:16 < kcodyjr> nobody cares what api interface it uses, or whether they're syscalls or smoke signals or blinking lights across a meadow
21:16 < pekster> They do when it lies
21:16 < kcodyjr> no, the iproute2 developers do not know better.
21:16 < kcodyjr> they do not know enough to provide a human-friendly mode, when it should be the default
21:16 < pekster> ifconfig doesn't work in many cases. I gave you a link about why. Go stick your head in the sand if you want
21:16 -!- booo [~booo__@p54BD8E56.dip0.t-ipconnect.de] has joined #openvpn
21:16 < pekster> THEN GO FUCKING DO SOMETHING ABOUT IT
21:16 < pekster> FFS
21:16 < pekster> iproute2 dev is not here
21:17 < kcodyjr> same complaint about ipv6. it's such a pain in the arse to get working, why bother?
21:18 < kcodyjr> i did, to keep my skills sharp, but i usually keep it turned off. second rule set to mess with, and the reward is still far over the horizon.
21:19 < pekster> Easy way to kick the habit (on Linux only, don't try this on BSD ;). `alias ifconfig='echo "ifconfig is deprecated. Use ip instead."'`
21:19 < pekster> Do that in your interactive user (and maybe root too) and it won't break things that still "require" ifconfig
21:19 < pekster> It's still there if you use the full path, but it's a nice reminder not to use old tools unless you "really need to"
21:21 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:22 < kcodyjr> actually i think my personal preferences are better served if i go rail at whomever is currently responsible for the ifconfig and iproute2 code bases. they each deserve a corner ripped off their geek cards, a noted loss of professional respect, and a serious red-ass spanking
21:23 < pekster> And none of this helps #opevpn at all
21:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
21:23 < pekster> Take it to ##distro-bitching or something
21:24 -!- p3rror [~mezgani@41.140.2.95] has joined #openvpn
21:24 < p3rror> please I can not access remote lan
21:24 < p3rror> I get this error
21:24 < p3rror> http://paste.debian.net/80592/
21:24 < p3rror> That I can not add route to local box
21:25 < p3rror> can you help
21:30 < pekster> When you're not connected, what is the output of `ip route get 192.168.1.1` ?
21:32 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
21:32 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
21:32 < p3rror> 192.168.1.1 via 10.8.0.5 dev tun0  src 10.8.0.6
21:32 < p3rror>     cache  ipid 0xf3db rtt 46ms rttvar 35ms cwnd 10
21:32 < p3rror> pekster, what could be the problem
21:32 < pekster> That's not in a disconnected state
21:32 < p3rror> no
21:32 < p3rror> the connection is initialized
21:32 < pekster> Then read harder and give me what I asked for
21:33 < p3rror> but I can not access the remove LAN
21:33 < p3rror> 192.168.1.1 via 10.8.0.5 dev tun0  src 10.8.0.6
21:33 < p3rror>     cache  ipid 0xf3db rtt 46ms rttvar 35ms cwnd 10
21:33 < pekster> You shouldn't be using --redirect-gateway if your goal is simply server-side LAN access. Read/follow !serverlan (here) for info and a flowchart
21:34 < p3rror> !serverlan
21:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:34 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
21:34 < pekster> There's something else screwed up, but without knowing the pre-existing route selection _before_ you muck with /1 routes it's impossible to say
21:34 < pekster> Crystal ball says "you goofed something routing related up"
21:35 < p3rror> pekster, it's worked before
21:35 < pekster> Cute. Then go fix it. Or give me what I asked
21:35 < p3rror> pekster, ok
21:35 < p3rror> pekster, ask ?
21:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:35 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:36 < kcodyjr> you turned an opinion about a standardized tool into a personal attack. actually, you railed at me for not sharing your (Linux-centric) opinion about it. i just spent the last handful of minutes rereading the openvpn man page. under the --toplogy subnet section, it says one needs a sufficiently recent _ifconfig_ command. how ironic. and it took me that long to determine that the change in ifconfig behavior isn't documented, only hin
21:36 < kcodyjr> ted at; the closest real reference is in the expansion of the server directive. it should be mentioned in the --topology and --ifconfig sections; that's a serious subtle change that's got to be driving more people than just me in here. and back on point, if you want me to stop thinking about the ifconfig command, take it out of your manpages.
21:36 < kcodyjr> there. it's out of my system now.
21:37 < p3rror> pekster, please what information you need
21:37 -!- mode/#openvpn [+o pekster] by ChanServ
21:37 <@pekster> Not helpful kcodyjr, especially not when other conversations are going on
21:37 < kcodyjr> i'm done.
21:37 -!- mode/#openvpn [+q $a:kcodyjr] by pekster
21:38 <@pekster> Yes, you are. That will go away in a bit
21:38 -!- mode/#openvpn [-o pekster] by ChanServ
21:38 < pekster> p3rror: You need to be disconnected from the VPN for that route command to give the expected results
21:39 < p3rror> pekster, 192.168.1.1 dev wlan0  src 192.168.1.100
21:39 < p3rror>     cache  ipid 0xf3db rtt 46ms rttvar 35ms cwnd 10
21:40 < pekster> Weird. Somehow connecting to the VPN is causing the route to be sent via the tun device, which is why the /32 route fails
21:40 < pekster> Can you pastebin the configs you're using, via:
21:40 < pekster> !configs
21:40 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:40 -!- joshh20 is now known as joshh20-Away
21:43 < p3rror> pekster, here is the server.conf http://pastebin.com/WdpDdmWb
21:44 < p3rror> pekster, here is the client http://pastebin.com/0051kZwY
21:45 < pekster> Don't use --tun-mtu-extra asymmetrically like that
21:45 < pekster> That's the cause of the mtu warning, and you shouldn't miss-match params like that (not likely the case of the problem here, but it's an issue anyway)
21:46 < p3rror> pekster, OK I remove it
21:46 < pekster> An, and you have two redirect-gateway directives, one being pushed, and the other on the client
21:46 < pekster> Don't do that. Use one or the other, and the client omits the 'def1' flag. That likely _is_ the cause of your problem
21:47 < pekster> Remove it from the client
21:47 < pekster> Leave def1 on the one you push (that's recommended and effectively required not to risk breaking things)
21:50 < p3rror> Fri Feb  7 03:49:28 2014 /sbin/route add -net 14.104.201.20 netmask 255.255.255.255 gw 192.168.1.1
21:50 < p3rror> SIOCADDRT: No such process
21:50 < p3rror> Fri Feb  7 03:49:28 2014 ERROR: Linux route add command failed: external program exited with error status: 7
21:50 -!- crus` [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 252 seconds]
21:50 -!- dextro_ [d@2600:3c01::f03c:91ff:feae:3d2b] has joined #openvpn
21:50 < p3rror> pekster, again I can not connect
21:51 < pekster> The openvpn connection is succeeding; it's the routing that's not playing nice. Can you pastebin client logs at --verb 4 (including all the spewing of vars at the beginning)
21:52 -!- crus [~crusader@2001:0:9d38:90d7:2438:3e0:c458:154d] has joined #openvpn
21:52 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
21:52 < dextro_> getting lots of MULTI: bad source address from client [fe80::751e:8a8:bd27:9cd2], packet dropped
21:52 < dextro_> i have a couple clients behind wan load balancers
21:53 < dextro_> so the packets are sent from 1 of 6 ips
21:53 < pekster> fe80 is valid on link-local only dextro_. OpenVPN is (rightfully) dropping bogusly source traffic
21:53 < pekster> It's ultimately a client problem becuase it's sending data with an illegal source address down the tun device
21:53 < p3rror> pekster, http://paste.debian.net/80593/
21:54 < pekster> Windows is especially bad, but as I recall there was someone in here months back with some Linux kernel storage driver of some sort that was misbehaving in a similar way. You're best bet if you want to stop it is tcpdump the tun device and get hints as to what is sourcing the offending traffic
22:01 < pekster> p3rror: Seems like that should be expected to work. Let's test it 1 step at a time by doing the redirection manually and see if it breaks the same way. For now, remove the redirect-gateway push from the server, restart your server, then restart the client
22:02 -!- crus` [~crusader@2001:44b8:319e:2900:7df0:eb44:682d:c4b2] has joined #openvpn
22:03 -!- crus [~crusader@2001:0:9d38:90d7:2438:3e0:c458:154d] has quit [Ping timeout: 272 seconds]
22:04 < pekster> p3rror: After you get reconnected, verify the basic routes added fine. Then add them in 1 at a time with: 1) `ip route add 194.204.201.20 via 192.168.1.1` 2) `ip route add 0/1 via 10.8.0.5` 3) `ip route add 128/1 via 10.8.0.5` . See if any of them hurl warnings
22:08 < p3rror> pekster, when I add the first route I get
22:08 < p3rror> RTNETLINK answers: No such process
22:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
22:09 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 260 seconds]
22:11 < pekster> Remove the other 2 if you added them (without #1, #2/#3 won't work properly and will sever your VPN connection)
22:11 < pekster> Pastebin `ip r` both before and after connecting to the VPN (leave the redirect disabled for now)
22:12 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:13 < p3rror> pekster, http://paste.debian.net/ client route before connection
22:14 < p3rror> pekster, http://paste.debian.net/80595/ client route after connection
22:14 < pekster> Your before paste didn't work
22:15 < pekster> Right off the bat I can tell you that you're missing your link-local route in that "after" paste
22:15 < pekster> Without a 'scope link' route for your /24 LAN, that failure to add the /32 route will fail
22:17 < p3rror> pekster, I did not really understand sorry
22:17 < p3rror> pekster, Please what I have to do now
22:18 < pekster> I have not seen your 'before VPN connection' paste
22:18 < pekster> Your paste failed
22:18 < p3rror> pekster, default via 192.168.1.1 dev wlan0  proto static
22:18 < p3rror> pekster, I have only one rule
22:18 < pekster> THat's your problem
22:18 < pekster> You must have a link route for subnet connections. Fix your local networking
22:19 < pekster> No clue what tool you used to set up your addressing on wlan0, but it failed to add a local route
22:20 < p3rror> pekster, I have a route to default gw
22:20 < pekster> Not good enough. You need a LINK route
22:20 < pekster> 192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.100
22:20 < p3rror> pekster, link route ?
22:20 < pekster> It need to look like that
22:20 < pekster> Yes, a route for your link
22:20 < pekster> You have failed to set up proper local networking, so adding routes to a network that is not considered on-link will fail
22:20 < pekster> You have a static route, which is treated differently
22:21 < pekster> IOW, fix your broken client
22:21 < p3rror> pekster, OK done
22:21 -!- Martyn [~Martin@216.38.134.150] has quit []
22:23 < p3rror> pekster, may I restart openvpn client
22:23 < pekster> With proper link routes, your /32 route should work. Once that gets added, the /1's can be added without harming the VPN connection itself
22:23 < pekster> You can manually test it as before, then add back in the redirect-gateway push when you confirm everything is properly configured
22:24 < pekster> You should look into why your distro or wifi tooling left out your link route though
22:25 < p3rror> pekster, right
22:25 < p3rror> it is worked
22:26 -!- Aelius [~Aelius@unaffiliated/aelius] has left #openvpn []
22:27 -!- lj [~l@192.241.174.169] has joined #openvpn
22:33 -!- codile is now known as codehero
22:33 -!- p3rror [~mezgani@41.140.2.95] has quit [Ping timeout: 250 seconds]
22:34 -!- p3rror [~mezgani@41.140.2.95] has joined #openvpn
22:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:35 < p3rror> pekster, route are added dynamically
22:36 < p3rror> p3rror, but I can not connect to remote LAN
22:36 < pekster> Firewall or return routing problem on that end
22:36 < pekster> You still need to follow the !serverlan flowchart (you just already have the route pushed for it covered in the two /1 routes)
22:48 -!- Devastatr [~devas@186.214.15.126] has joined #openvpn
22:50 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 253 seconds]
22:52 -!- Devastatr [~devas@186.214.15.126] has quit [Changing host]
22:52 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
22:52 -!- Devastatr is now known as Devastator
22:55 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 250 seconds]
23:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
23:25 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
23:27 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:27 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
23:27 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
23:28 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
23:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:50 -!- p3rror [~mezgani@41.140.2.95] has quit [Ping timeout: 245 seconds]
23:55 -!- p3rror [~mezgani@41.140.2.95] has joined #openvpn
--- Day changed Fri Feb 07 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:00 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:05 -!- p3rror [~mezgani@41.140.2.95] has quit [Ping timeout: 248 seconds]
00:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
00:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
00:34 -!- vvinothkumar [~vinothkum@ec2-54-255-22-70.ap-southeast-1.compute.amazonaws.com] has joined #openvpn
00:41 -!- rewsky [~rewsky@97-93-63-99.static.mtpk.ca.charter.com] has joined #openvpn
00:41 < rewsky> has anyone seen this type of error - IP packet with unknown IP version=15 seen
00:42 -!- mode/#openvpn [+o pekster] by ChanServ
00:42 -!- mode/#openvpn [-q $a:kcodyjr] by pekster
00:42 -!- mode/#openvpn [-o pekster] by ChanServ
00:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:08 -!- rewsky [~rewsky@97-93-63-99.static.mtpk.ca.charter.com] has quit [Quit: Leaving]
01:09 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 260 seconds]
01:15 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:17 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:24 -!- Xeph [~Xeph@leonardo.netwichtig.de] has left #openvpn []
01:38 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
01:39 -!- crus` [~crusader@2001:44b8:319e:2900:7df0:eb44:682d:c4b2] has quit [Ping timeout: 265 seconds]
01:55 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
01:57 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
01:57 -!- lvv_ [~loganaden@2001:4290:10:250:c136:7d72:93cd:d562] has joined #openvpn
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
02:26 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
02:32 -!- vvinothkumar [~vinothkum@ec2-54-255-22-70.ap-southeast-1.compute.amazonaws.com] has quit [Ping timeout: 250 seconds]
02:45 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
03:02 -!- klein [~klein@187.85.164.120] has joined #openvpn
03:02 -!- klein [~klein@187.85.164.120] has quit [Changing host]
03:02 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
03:08 -!- vvinothkumar [~vinothkum@ec2-54-255-22-70.ap-southeast-1.compute.amazonaws.com] has joined #openvpn
03:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:19 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds]
03:27 -!- novaflash is now known as novaflash_away
03:27 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
03:27 -!- novaflash_away is now known as novaflash
03:31 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 252 seconds]
03:33 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
03:34 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
03:34 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:51 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
04:06 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
04:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 248 seconds]
04:08 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
04:22 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
04:24 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Quit: leaving]
04:26 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
04:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 240 seconds]
04:36 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
04:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:50 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
04:56 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has joined #openvpn
04:58 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 272 seconds]
05:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:02 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
05:02 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
05:02 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:04 -!- master_o1_master [~master_of@p4FD7B17E.dip0.t-ipconnect.de] has joined #openvpn
05:08 -!- master_of_master [~master_of@p4FF24299.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
05:08 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 260 seconds]
05:08 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
05:09 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
05:11 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
05:11 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:12 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:16 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
05:46 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 260 seconds]
06:02 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
06:06 -!- kalloc_ is now known as kalloc
06:10 < takamichi> When configuring ovpn to use a sock proxy, does it force TCP mode even if UDP is configured? Is it not SOCKS5 compatible?
06:26 <@krzee> a socks proxy cannot listen on udp
06:26 <@krzee> a socks proxy may pass udp traffic, but always listens on tcp
06:27 <@krzee> as far as i know at least, if that is wrong let me know
06:27 < takamichi> @krzee, that would explain the results we're getting
06:27 < takamichi> much appreciated
06:27 <@krzee> well i mean you should know what your service listens on
06:28 <@krzee> np
06:29 < takamichi> @krzee, do you have any idea why a socks5 proxy cannot listen on udp? Does it rely on some TCP connection related information before it can relay the UDP packets?
06:30 <@krzee> no, i simply have never seen a socks implimentation which listens on UDP
06:30 <@krzee> if you find one, or make one, then that changes things
06:31 <@krzee> but until your socks5 server listens on UDP you will not be able to reach it on UDP
06:32 <@krzee> also, some socks servers do not pass udp traffic either
06:33 <@krzee> for example, openssh when using it as a socks server
06:48 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 240 seconds]
06:54 < omri> how can I inject username & password dynamically without using an agent? I'm looking for a plugin/script solution
06:55 -!- adac [~adac@chello080109174123.tirol.surfer.at] has joined #openvpn
06:57 <@krzee> only way i can think of is if you have a wrapper call openvpn and have it update a flat file with the login/pass
06:57 < adac> Guys, Im trying to connect to a friend of mine.via vnc  over vpn It is working fine when he is at home. However when he is at work It just doesn't work. I get a black screen and the message:  "vncviewer: read: Connection reset by peer". We ried it now without the vpn connectionand it worked. Any ideas what might be wrong?
06:57 < adac> I read that this could probably be an MTU problem
06:58 <@krzee> so you tested mtu?
06:59 < omri> krzee: I want to use it with existing agents (OpenVPN GUI on Windows, Tunnelblick on Mac and Network Manager on Ubuntu)
06:59 <@krzee> ya thats not how it works
06:59 <@krzee> you'd have to mod openvpn
07:00 < omri> if I'd add support for getting username & password from a script, would it be merged?
07:00 < omri> I don't want to maintain a fork
07:00 <@krzee> no idea, sounds like a dev question
07:00 <@krzee> oh it looks like a plugin would be able
07:01 <@krzee> someone just said so in the dev channel
07:01 < omri> If I understood correctly, it's only applicable for server side
07:02 <@krzee> then i guess its a good time to ask your question about if it would be merged
07:03 < adac> krzee, I have no clue how to test that? can you give me a hint? Can the MTU be set on the vpn server?
07:04 <@krzee> adac, i have never messed with mtu either, but here ya go
07:04 <@krzee> !mtu
07:04 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
07:04 < omri> krzee: doing that right now. thanks
07:04 < takamichi> @krzee, thanks for your help.
07:04 <@krzee> yw x2
07:05 < takamichi> @krzee, will be looking to the wrapper solution.
07:05 < Martin`> oi
07:05 <@krzee> takamichi, the wrapper idea was for omri
07:05 < Martin`> oi
07:05 <@krzee> OI OI OI
07:05 < Martin`> :P
07:05 < takamichi> @krzee hah! oh right, I was thinking of a socks5 wrapper for openvpn but that wouldn't make any difference.
07:06 < takamichi> ok cheers!
07:07 < adac> krzee, wow awesome howto! Thank you so much!
07:07 <@krzee> yw =]
07:09 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
07:10 -!- novaflash_away is now known as novaflash
07:10 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
07:15 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
07:17 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
07:17 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
07:17 -!- mode/#openvpn [+o novaflash] by ChanServ
07:30 -!- visavi [~visavi@46.246.183.102.dsl.dyn.forthnet.gr] has quit [Read error: Operation timed out]
07:30 -!- visavi [~visavi@213.16.187.192.dsl.dyn.forthnet.gr] has joined #openvpn
07:34 -!- vvinothkumar_ [~vvinothku@122.167.247.232] has joined #openvpn
07:36 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
07:36 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
07:40 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 245 seconds]
07:41 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
07:41 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
07:42 -!- kalloc_ [~kalloc@stmdev.ru] has joined #openvpn
07:42 -!- vvinothkumar [~vinothkum@ec2-54-255-22-70.ap-southeast-1.compute.amazonaws.com] has quit [Ping timeout: 260 seconds]
08:00 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
08:02 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
08:02 -!- makara [~makara@41.164.22.218] has quit [Read error: Operation timed out]
08:08 -!- lj [~l@192.241.174.169] has joined #openvpn
08:25 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:26 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
08:27 -!- Guest78908 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
08:43 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Quit: Byebye]
08:44 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:44 -!- mode/#openvpn [+o mattock] by ChanServ
08:45 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:49 -!- vvinothkumar [~vinothkum@ec2-54-255-22-70.ap-southeast-1.compute.amazonaws.com] has joined #openvpn
08:53 -!- lj [~l@192.241.174.169] has joined #openvpn
08:56 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
08:57 -!- vvinothkumar [~vinothkum@ec2-54-255-22-70.ap-southeast-1.compute.amazonaws.com] has quit [Ping timeout: 250 seconds]
09:07 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
09:14 -!- vvinothkumar [~vinothkum@122.167.247.232] has joined #openvpn
09:17 -!- lvv_ [~loganaden@2001:4290:10:250:c136:7d72:93cd:d562] has quit [Quit: lvv_]
09:19 -!- e-ndy is now known as indy
09:19 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has joined #openvpn
09:19 -!- kalloc_ is now known as kalloc
09:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
09:21 -!- dlinares [~dlinares@90.216.134.193] has joined #openvpn
09:21 < dlinares> Hi everyone. I am currently trying to connect to my company's VPN using openvpn and a smartcard. I got as far as reading the serialized ID of my smartcard, so I am now ready to try connecting to the actual VPN. Could anybody tell me if I really need to indicate a certificate with the "ca" parameter, even if I am using a smartcard to authenticate?
09:22 < dlinares> Thanks a lot in advance
09:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:02 -!- fission6 [~fission6@199.47.74.246] has joined #openvpn
10:03 < fission6> is this channel OK to ask tunnelblick questions?
10:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:11 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
10:15 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
10:15 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
10:15 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:17 -!- visavi [~visavi@213.16.187.192.dsl.dyn.forthnet.gr] has quit [Ping timeout: 245 seconds]
10:18 -!- visavi [~visavi@178.128.2.246.dsl.dyn.forthnet.gr] has joined #openvpn
10:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:20 -!- vvinothkumar [~vinothkum@122.167.247.232] has quit [Ping timeout: 245 seconds]
10:30 -!- Guest78908 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: Operation timed out]
10:31 -!- vvinothkumar_ [~vvinothku@122.167.247.232] has quit [Ping timeout: 248 seconds]
10:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:34 -!- visavi [~visavi@178.128.2.246.dsl.dyn.forthnet.gr] has quit [Ping timeout: 260 seconds]
10:36 -!- visavi [~visavi@77.49.138.27.dsl.dyn.forthnet.gr] has joined #openvpn
10:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:53 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-emiwsnkktztsbaig] has quit [Read error: Connection reset by peer]
10:55 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-mbrtpiflhkdkyaeg] has joined #openvpn
10:57 -!- visavi [~visavi@77.49.138.27.dsl.dyn.forthnet.gr] has quit [Ping timeout: 260 seconds]
10:59 -!- visavi [~visavi@62.1.50.253.dsl.dyn.forthnet.gr] has joined #openvpn
11:03 -!- lj [~l@192.241.174.169] has joined #openvpn
11:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:11 <@krzee> dlinares, your provider/company needs to answer that
11:12 <@krzee> fission6, sure give it a shot
11:12 < fission6> i keep getting an issue that says … does not appear to contain a 'dev tun' or 'dev tap' option
11:12 < fission6> and then i can not connect successfully
11:12 < fission6> not sure if the dev tun message has anything at all to do with things
11:14 < dlinares> krzee, Thanks. In the meantime, I have made some progress and realized that actually, it's a Cisco Any Connect VPN :-( Therefore, I would need to use openconnect as I guess I can't use openvpn.
11:14 <@krzee> yep
11:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:20 -!- Guest78908 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
11:21 < dlinares> krzee, thanks a lot for confirming.
11:21 <@krzee> np
11:22 <@krzee> !notcompat
11:22 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
11:22 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:22 -!- Holos [~cosmond@216.168.111.227] has joined #openvpn
11:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:24 < Holos> Hi, I have an openvpn Lan-to-lan setup between two sites, one pfsense (server)  and one mikrotik (client). When it establishes, the pfSense adds a route to the remote gateway to my tunnel network (10.0.11.0/24) and points the next host to be 10.0.11.2 but my mikrotik actually gets an ip of 10.0.11.6 breaking the routing.
11:24 < Holos> Why is the mikrotik grabbing the ip address of 10.0.11.6 and not 10.0.11.2?
11:26 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
11:26 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
11:28 -!- kalloc [~kalloc@stmdev.ru] has quit [Read error: Connection reset by peer]
11:28 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
11:29 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
11:30 < fission6> anyone else using tunnlebblick on macos?
11:31 < phreakocious> yup
11:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:33 < fission6> phreakocious: i am having some issues connecting and i am trying to debug - are you in a position to maybe help me probe?
11:33 < lj> What's the problem you're having Fiouz_?
11:33 < lj> s/Fiouz/fission6/
11:34 < fission6> well simply put i have a config file "server-locked", i can install it in tunnelblick but then can't connect - i don't see anything meaningful in the logs lj
11:35 < fission6> i do get a message when installing but it seems "harmless" does not appear to contain a 'dev tun' or 'dev tap' option
11:35 < lj> Paste the config somewhere.
11:38 <@krzee> Holos,
11:38 <@krzee> !/30
11:38 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
11:38 <@krzee> !topology
11:38 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
11:39 <@krzee> !addressing
11:39 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
11:39 <@krzee> fission6, you likely need help from the server provider
11:39 < fission6> old thanks krzee
11:40 <@krzee> its often hard to tell blind (without access to server logs / configs) which is why the bot knows this one:
11:40 <@krzee> !provider
11:40 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
11:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:47 < Holos> krzee: : so I changed that, and I don't see a route on the pfSense being created for the 192.168.34.0/24 via 10.0.11.2
11:48 <@krzee> show the rest of the server config (without commented lines)
11:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:52 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:54 < Holos> krzee: http://pastebin.ca/2634051
11:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:57 <@krzee> your config does not even have a pool for clients
11:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:57 <@krzee> look in your /var/etc/openvpn-csc/
11:58 <@krzee> you probably give static ips to every client
11:58 <@krzee> and those files are probably for net30
11:58 <@krzee> topology subnet would require the ifconfig-push statements to change
11:58 <@krzee> !static
11:58 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
11:58 <@vpnHelper> also: !addressing
12:00 -!- dlinares [~dlinares@90.216.134.193] has quit [Quit: Leaving]
12:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
12:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:12 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
12:13 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
12:13 < xMopxShell> hey, when i'm using push "dhcp-option DOMAIN <domain>", is there supposed to be a trailing . after <domain>?
12:31 < Holos> krzee: So if I want to have 5 sites connecting to our DC, I should switch to topology subnet, assign a static to each, and assign the define the subnet for the far side so it adds the route? That make sense?
12:47 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:06 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:19 -!- lj [~l@192.241.174.169] has joined #openvpn
13:28 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 260 seconds]
13:29 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
13:32 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
13:40 <@ecrist> Holos: yes
13:40 <@ecrist> !iroute
13:40 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
13:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
14:05 -!- Protected [~Join@bl13-100-5.dsl.telepac.pt] has joined #openvpn
14:05 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
14:06 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
14:06 < Protected> Hey there. Sorry if this is a silly question, but what exactly is easyrsa doing when it 'commits' a key?
14:13 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
14:17 < kcodyjr> it keeps a database (see index.txt) of all the certs it's signed
14:22 -!- mattock is now known as mattock_afk
14:25 < Protected> Oh, but it's non authoritative?
14:25 < Protected> I never did openvpn without easy-rsa, but I'm trying to figure out how it works so I can stop using it and integrate with some other stuff
14:45 -!- Guest78908 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Quit: WeeChat 0.4.3-rc2]
14:46 -!- Guest2315 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
14:47 -!- Guest2315 is now known as Sembei
14:47 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Changing host]
14:47 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:50 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:03 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
15:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:41 <@Eugene> !xca
15:41 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
15:42 <@Eugene> easy-rsa is just a set of wrapper scripts for openssl to make it friendly for key management
15:42 <@Eugene> Dig through the openssl.cnf for the options you need to set, or there's an example XCA database there
15:43 <@Eugene> All you really need is a x509 CA cert to check against, and then each server/client needs a x509 cert(signed as a server/client)
15:57 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
16:01 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
16:03 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
16:08 < Pang> Hello! I have a problem I can not connect my openvpn from the client windows 7 virtual machine to my opnevpn server on win server 2012
16:09 < Pang> log file:
16:09 < Pang> Options error: --cert fails with 'C:\Program Files\OpenVPN\config\iulian-laptop.crt': No such file or directory
16:09 < Pang> Options error: --key fails with 'C:\Program Files\OpenVPN\config\iulian-laptop.key': No such file or directory
16:09 < Pang> Options error: Please correct these errors.
16:09 < Pang> Use --help for more information.
16:11 < Pang> config file:
16:11 < Pang> ############################################### Sample client-side OpenVPN 2.0 config file ## for connecting to multi-client server.     ##                                            ## This configuration can be used by multiple ## clients, however each client should have   ## its own cert and key files.                ##                                            ## On Windows, you might...
16:11 < Pang> ...want to rename this  ## file so it has a .ovpn extension           ################################################ Specify that we are a client and that we# will be pulling certain config file directives# from the server.client# Use the same setting as you are using on# the server.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the...
16:11 < Pang> ...TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel# if you have more than one.  On XP SP2,# you may need to disable the firewall# for the TAP adapter.;dev-node MyTap# Are we connecting to a TCP or# UDP server?  Use the same setting as# on the server.;proto tcpproto udp# The hostname/IP and port of the server.# You can have...
16:11 < Pang> ...multiple remote entries# to load balance between the servers.remote 169.254.144.155 1194;remote my-server-2 1194# Choose a random host from the remote# list for load-balancing.  Otherwise# try hosts in the order specified.;remote-random# Keep trying indefinitely to resolve the# host name of the OpenVPN server.  Very useful# on machines which are not permanently connected# to the internet...
16:11 < Pang> ...such as laptops.resolv-retry infinite# Most clients don't need to bind to# a specific local port number.nobind# Downgrade privileges after initialization (non-Windows only);user nobody;group nobody# Try to preserve some state across restarts.persist-keypersist-tun# If you are connecting through an# HTTP proxy to reach the actual OpenVPN# server, put the proxy server/IP and# port number...
16:11 < Pang> ...here.  See the man page# if your proxy server requires# authentication.;http-proxy-retry # retry on connection failures;http-proxy [proxy server] [proxy port #]# Wireless networks often produce a lot# of duplicate packets.  Set this flag# to silence duplicate packet warnings.;mute-replay-warnings# SSL/TLS parms.# See the server config file for more# description.  It's best to use# a...
16:11 < Pang> ...separate .crt/.key file pair# for each client.  A single ca# file can be used for all clients.ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"cert "C:\\Program Files\\OpenVPN\\config\\iulian-laptop.crt"key "C:\\Program Files\\OpenVPN\\config\\iulian-laptop.key"# Verify server certificate by checking# that the certicate has the nsCertType# field set to "server".  This is an# important...
16:11 < Pang> ...precaution to protect against# a potential attack discussed here:#  http://openvpn.net/howto.html#mitm## To use this feature, you will need to generate# your server certificates with the nsCertType# field set to "server".  The build-key-server# script in the easy-rsa folder will do this.ns-cert-type server# If a tls-auth key is used on the server# then every client must also have the...
16:11 < Pang> ...key.;tls-auth ta.key 1# Select a cryptographic cipher.# If the cipher option is used on the server# then you must also specify it here.;cipher x# Enable compression on the VPN link.# Don't enable this unless it is also# enabled in the server config file.comp-lzo# Set log file verbosity.verb 3# Silence repeating messages;mute 20
16:13 < pekster> Yuck.
16:13 < pekster> !configs
16:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:14 < pekster> Your paths are not matching: Windows needs to quote paths with spaces, and either double-up backslashes (they're escape chars) or simply use forward slashes (Unix-style)
16:16 < pekster> Protected: easyrsa is just a shell wrapper to openssl's userland calls. You can use any similar frontend (xca, ssladmin, even MS Cert Services if you _really_ want) or even call openssl or the C API yourself. OpenVPN simply needs certs that validate under your PKI (and of course the clients need the private keys)
16:16 < pekster> s/clients/peers/
16:50 < mapps> !linnat
16:50 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
16:51 < mapps> !ipfroward
16:51 < mapps> oops
16:51 < mapps> !ipforward
16:51 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:51 < mapps> !linipforward
16:51 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:54 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
16:54 -!- Fast[BDC] is now known as Fastdeath
16:54 -!- Fastdeath is now known as pcdummy
16:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:58 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
16:58 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
16:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
17:03 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has quit [Ping timeout: 260 seconds]
17:05 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:06 -!- kalloc [~kalloc@stmdev.ru] has quit [Remote host closed the connection]
17:06 -!- kalloc [~kalloc@stmdev.ru] has joined #openvpn
17:11 -!- kalloc [~kalloc@stmdev.ru] has quit [Ping timeout: 272 seconds]
17:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
17:15 < Protected> Eugene: Thanks for the hints, I'll be looking into that ASAP
17:15 < Protected> pekster: Using openssl directly would probably do
17:15 < pekster> It works, it's just painful
17:16 < pekster> Especially if you want too do something like subjectAltName or the like that requires manual hacking of the openssl.cfg file every time
17:22 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:58 -!- crus` [~crusader@2001:0:9d38:90d7:308a:32db:c458:154d] has joined #openvpn
17:59 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 272 seconds]
18:03 -!- crus [~crusader@2001:44b8:319e:2900:c42f:974d:48c1:36fa] has joined #openvpn
18:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:05 -!- crus` [~crusader@2001:0:9d38:90d7:308a:32db:c458:154d] has quit [Ping timeout: 265 seconds]
18:06 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-iatlgovsntwvoabv] has quit [Ping timeout: 276 seconds]
18:06 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oolywezulfjtmtdw] has quit [Ping timeout: 276 seconds]
18:10 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-vknnibjumqhzkajr] has joined #openvpn
18:11 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dyniweiteoujzbnf] has joined #openvpn
18:14 -!- fission6 [~fission6@199.47.74.246] has quit [Quit: fission6]
18:41 -!- adac [~adac@chello080109174123.tirol.surfer.at] has quit [Read error: Operation timed out]
19:25 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 265 seconds]
19:27 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
19:27 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
19:28 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
19:42 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
19:42 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:31 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
20:42 -!- lj [~l@74.120.200.95] has joined #openvpn
20:43 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:46 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 248 seconds]
21:07 -!- booo [~booo__@p54BD8E56.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:12 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
21:15 -!- booo [~booo__@p54BDBFD3.dip0.t-ipconnect.de] has joined #openvpn
21:22 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
21:25 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
21:26 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
21:29 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
21:30 < mdim> do you have any high-level recommendations/things to be aware of when setting up OpenVPN on an OpenWRT device?
21:53 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
21:53 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Quit: Leaving]
21:54 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
22:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
22:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
22:21 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
23:16 -!- arader [~andrew@0x666.tk] has joined #openvpn
23:47 < mdim> can someone help me configure openvpn on an openwrt device in the client mode?
23:48 < mdim> in particular, I've been trying to have a bridged/tap device to connect to my VPS where an OpenVPN server is
23:52 < mdim> I've already set up the server and one client (my laptop)
23:52 < mdim> so, now I "just" need to set up the OpenWRT
23:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
--- Day changed Sat Feb 08 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:09 -!- vvinothkumar [~vvinothku@122.167.247.232] has joined #openvpn
00:10 -!- vvinothkumar [~vvinothku@122.167.247.232] has quit [Read error: Connection reset by peer]
00:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:13 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:13 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:37 < mdim> seems like I have it all set up (in logread I see 'Initialization Sequence Completed'), but I can't ping the server nor the server can ping the OpenWRT
00:39 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:40 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:56 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:57 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:58 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:58 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
01:02 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
01:02 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 246 seconds]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:28 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
01:31 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
01:33 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 264 seconds]
01:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:13 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
02:13 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:17 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
02:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
02:17 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
02:18 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
02:21 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:23 -!- vvinothkumar [~vvinothku@122.167.247.232] has joined #openvpn
02:31 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
03:03 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Ping timeout: 246 seconds]
03:06 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
03:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:12 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
03:14 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:30 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:57 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
04:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:58 -!- takamich_ [~takamichi@85.12.8.107] has joined #openvpn
04:59 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
05:03 -!- master_of_master [~master_of@p4FD7B0A8.dip0.t-ipconnect.de] has joined #openvpn
05:07 -!- master_o1_master [~master_of@p4FD7B17E.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
05:12 < omri> is it just me, or is the client's username not printed to the status file?
05:34 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
05:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:50 -!- novaflash is now known as novaflash_away
05:51 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has joined #openvpn
05:54 -!- novaflash_away is now known as novaflash
06:06 -!- takamich_ [~takamichi@85.12.8.107] has quit [Read error: Connection reset by peer]
06:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:28 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
06:42 -!- indy [~e-ndy@fantomas.bestit.cz] has quit [Remote host closed the connection]
06:58 -!- dextro_ [d@2600:3c01::f03c:91ff:feae:3d2b] has left #openvpn []
07:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
07:09 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has joined #openvpn
07:15 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:19 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
07:50 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: Farewell]
07:50 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
07:50 -!- ausek [~ausek@gateway/tor-sasl/ausek] has joined #openvpn
07:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
07:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
07:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
08:09 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
08:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:16 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
08:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:26 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
08:39 -!- KrissO [~krisso@46.109-247-25.customer.lyse.net] has joined #openvpn
08:41 -!- Yesh [~Yesh_adiu@D4CCABA1.cm-2.dynamic.ziggo.nl] has joined #openvpn
08:41 -!- ausek [~ausek@gateway/tor-sasl/ausek] has quit [Quit: Leaving]
08:42 < Yesh> !welcome
08:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
08:42 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:42 < Yesh> !howto
08:42 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:43 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: Farewell]
08:43 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:43 < Yesh> !goal OpenVPN crashes on client connection (Client: windows, Server: OpenVPN  @ Ubuntu 12.04 LTS)
08:44 -!- APTX [~APTX@unaffiliated/aptx] has quit [Client Quit]
08:44 < Yesh> !logs
08:44 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:44 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:44 < Yesh> !logs http://pastebin.com/NV79PWRY
08:45 < Yesh> !route
08:45 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
08:47 < Yesh> Could anybody help me out on what information I need to provide to get help from one of you with my problem :)?
08:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
08:51 -!- ernetas_ [~Ernestas@162.243.113.169] has left #openvpn []
08:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
09:13 < Protected> Probably server config and log
09:15 < Protected> Well, server config now
09:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:29 -!- u0m3 [~u0m3@109.96.173.42] has joined #openvpn
09:35 < Yesh> !logs http://pastebin.com/1iqwxeDq
09:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:36 < Yesh> !config http://pastebin.com/aDEBuHxm
09:36 <@vpnHelper> Error: 'supybot.http://pastebin.com/aDEBuHxm' is not a valid configuration variable.
09:36 < Yesh> !config
09:36 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
09:36 < Yesh> Configuration: http://pastebin.com/aDEBuHxm
09:37 < Yesh> Is that sufficient Protected?
09:38 < Yesh> now got
09:38 < Yesh> Sat Feb  8 16:36:25 2014 yayvpn_client/212.204.171.161:49767 [yayvpn_client] Inactivity timeout (--ping-restart), restarting
09:50 < Yesh> seems like the client isn't sending back any responses anymore
09:50 < Yesh> after send_push_reply(): safe_cap=960
09:51 < Yesh> is that a networking problem?
09:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
10:02 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:03 < pekster> Yesh: inactivity timeout froom --ping-restart is because that peer got no --ping packets from the other side
10:08 < Yesh> i fixed it!!
10:09 < Yesh> the cipher bugged
10:09 < Yesh> so i changed it to AES
10:09 < Yesh> after changing it, i had to regenerate everything
10:09 < Yesh> and now i magically works!
10:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
10:13 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has quit [Ping timeout: 272 seconds]
10:23 -!- jacob11 [uid22180@gateway/web/irccloud.com/x-vknnibjumqhzkajr] has left #openvpn []
10:24 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
10:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
10:26 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
10:28 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has quit [Read error: Connection reset by peer]
10:28 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:40 < mdim> I've setup my OpenWRT to be an OpenVPN client. The connection is established successfully, at least according to what I can see in OpenWRT's logread. However, even when firewalls on both ends are down, I can't ping an OpenVPN server. Any clue what might be going wrong?
10:40 <@krzee> !logs
10:40 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:41 < Protected> Are you using the VPN IP address?
10:41 < Protected> Question of my own: What fields in the server and client certificates must match for openvpn not to refuse connection?
10:41 < mdim> Protected: yes, it's in the 10.111.0.0/16 range
10:42 < Protected> So you try to ping 10.x.x.x, which is your server's address in the VPN, and the server doesn't respond? Could be a routing issue
10:42 -!- Yesh [~Yesh_adiu@D4CCABA1.cm-2.dynamic.ziggo.nl] has left #openvpn []
10:43 < Protected> I think krzee was requesting your logs
10:43 <@krzee> yep, and please use verb 5
10:43 <@krzee> sorry i forgot to say that :D
10:43 <@krzee> oh and,
10:43 <@krzee> !logfile
10:43 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
10:43 <@krzee> in case you cant find logs on your openwrt ;]
10:45 < mdim> Protected: right
10:45 < mdim> let me get this log files somewhere only so you can take a look
10:46 <@krzee> Protected, more likely a firewall issue than routing issue =]
10:47 < Protected> Well, he did say the firewalls were down
10:47 <@krzee> if i only had a nickle for each time
10:47 < mdim> here's the output on OpenWRT: http://paste.debian.net/80866/
10:48 <@krzee> a) i need the entire log, b) i need verb 5
10:48 <@krzee> c) pls seperate from syslog, see !logfile above and use --log
10:48 < mdim> krzee: ok, let me put that to verb 5. This is the entire log after resetting to a new verb level
10:50 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
10:50 < pekster> You're bridging? Were there configs that I missed?
10:51 < pekster> You shouldn't be doing address setting on your bridge slave interfaces
10:51 <@krzee> nah i went straight to asking for the logs, hadnt asked for configs, if hes bridging im running away
10:51 < mdim> pekster: how can I statically set IP addresses?
10:51 < pekster> Not the way you're doing it
10:51 <@krzee> !whybridge
10:51 < mdim> I do have bridging
10:51 < pekster> You set bridge IPs on the _bridge_ in Linux, not the slave members
10:51 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
10:51 < pekster> And yes, don't bridge unless you _actually_ need it
10:52 < pekster> IP traffic does not require bridging
10:52 < pekster> !goal
10:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:52 <@krzee> 99% of people who come here asking for help bridging do not need bridging, and should not use it.
10:52 < mdim> I want to have multiple clients in a VPN
10:52 < mdim> can I do it with tun devices?
10:52 < pekster> Yes
10:52 <@krzee> what sort of traffic will those clients use? IP traffic?
10:52 <@krzee> ip addresses, not mac addresses...
10:53 < mdim> krzee: yes, I guess it will be IP only
10:53 <@krzee> then you dont need a bridge
10:53 < mdim> ok, let me change that to tun then
10:53 <@krzee> after you make the changes post your configs
10:53 <@krzee> always happy to help someone get off bridging :D
10:53 < mdim> what else do I need to to other than replacing "dev tap" with "dev tun"?
10:53 < pekster> Rip out the bridge setup for br-lan
10:54 <@krzee> prolly need to replace --seerver-bridge with --server
10:54 <@krzee> stop the bridging scripts
10:55 < mdim> what I'm also confused about is where I should place openvpn config on my OpenWRT. Is it /etc/openvpn/some-file.conf?
10:55 <@krzee> !openwrt
10:56 <@krzee> !luci
10:56 <@krzee> pekster, did you save your luci tip to the bot last time?  that tip was a very good idea
10:57 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
10:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
10:58 < pekster> !factoids search wrt
10:58 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
10:58 < pekster> Not that one :P
10:58 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
10:58 < pekster> !factoids search uci
10:58 <@vpnHelper> No keys matched that query.
10:58 < pekster> !factoids search openwrt
10:58 <@vpnHelper> No keys matched that query.
10:58 < pekster> Guess not
10:59 < Protected> As my understanding of certificates improves, I'm left wondering how exactly you can revoke a certificate before it expires without changing the CA
10:59 < pekster> !learn openwrt as In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a "standard" config file that OpenWRT can launch for you.
10:59 <@vpnHelper> Joo got it.
10:59 < pekster> !learn uci as [openwrt]
10:59 <@vpnHelper> Joo got it.
10:59 <@krzee> Protected, you must sign the new CRL with the CA
11:00 < pekster> mdim: ^ That's the best way to avoid all the layers of UCI file parsed by initscript that gets processed into runtime flags. That's like the telephone game, and you might consider a "standard" config file which is what we generally stick with supporting here
11:00 < Protected> Googling "CRL" yields clues :) No wonder CAs charge for revocation
11:01 < pekster> !revoke
11:01 < mdim> here's my debian server openvpn config: http://paste.debian.net/80871/
11:01 < mdim> that doesn't work now that I changed to dev tun_dim
11:01 <@krzee> mdim,
11:01 <@krzee> !tcp
11:01 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
11:02 <@krzee> how do you plan on handling addressing?
11:02 <@krzee> you have no address pool
11:02 < pekster> mdim: You need subnet topology to use an IP/mask like that (read the wiki link in !topology -- you probably want the subnet one anyway)
11:02 <@krzee> the laziest way is to:  change ifconfig to server 10.111.0.1 255.255.255.0
11:03 <@krzee> 10.111.0/24 is not already in use, right?
11:03 < mdim> krzee: right, it's not used for anything else
11:04 < mdim> here's my openwrt config: http://paste.debian.net/80873/
11:04 <@krzee> ok so make updates and post again
11:04 <@krzee> !openwrt
11:04 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
11:04 <@krzee> Protected, ok so you were right, it was a routing issue :-p
11:05 <@krzee> but only cause he tried to do his own addressing, if he just used --server it would just work
11:05 < pekster> The only thing missing from the "manual" config is a pool; otherwise it's fine
11:05 < pekster> And it's more obvious what is happening (just a few lines longer)
11:05 <@krzee> and a route
11:06 <@krzee> he has client-to-client enabled
11:06 < mdim> ok, so on the server side, I've changed ifconfig to server. Also, let me change tcp to udp? That's it when it comes to the server so far, right?
11:06 <@krzee> yep
11:06 < pekster> Right. Also, if you're using --server (a helper-directive) you should remove what are (in your prior paste) lines 5, & 6
11:06 < Protected> krzee: My guess simply mirrored my own experience. Back then, you were the one who helped me fix them, too
11:07 < pekster> Those are implicitly provided by --server (and may cause you problems if you leave them in a "second" time)
11:07 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:07 < Protected> pekster: I'm still trying to generate my certificates using raw openssl... I'm getting this error right now: "WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info." URL states: "You can build your server certificates with the build-key-server script (see the easy-rsa documentation for more info). This will designate the
11:07 < Protected> certificate as a server-only certificate by setting the right attributes."
11:07 < Protected> Any idea what "the right attributes" are?
11:08 <@Eugene> Look at the openssl.cnf used by easy rsa
11:08 < mdim> is this ok: http://paste.debian.net/80876/
11:08 < pekster> easyrsa v3 has easy to reference extensions sections ;)
11:08 <@krzee> !servercert
11:08 <@vpnHelper> "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key or (#2) or just use build-key-server in easy-rsa or (#3) this will help with !mitm
11:08 < mdim> or do I remove line 6 as well?
11:08 < pekster> mdim: --tls-server is implied by --server
11:09 < pekster> Thus you don't need it when using the "helper" directives. IMO the helpers just make it less-obvious what is going on, but it's "easier"
11:09 < Protected> Eugene: Will I not be able to use command line arguments only for generating the whole thing?
11:09 < mdim> http://paste.debian.net/80877/
11:09 <@krzee> mdim, if you read --server in the manual it will make a TON more sense
11:09 < pekster> Protected: You need an openssl.cnf file, yes
11:09 <@krzee> please do
11:09 <@krzee> !man
11:09 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
11:10 < pekster> This is why easyrsa was written: to stop the foul nonsense of pain and suffering that occurs when using openssl manually :P
11:10 <@Eugene> You can, but the cnf is easier
11:10 < pekster> extensions can't be given at the CLI, no
11:10 < pekster> You can references an "extensions file" but that's still not "at the CLI" (completely)
11:10 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has joined #openvpn
11:11 < pekster> Protected: v3 defines the various types of certs and their respective extensions needed: https://github.com/OpenVPN/easy-rsa/tree/master/easyrsa3/x509-types
11:11 <@vpnHelper> Title: easy-rsa/easyrsa3/x509-types at master · OpenVPN/easy-rsa · GitHub (at github.com)
11:11 <@krzee> Protected, even if rolling your own cert generator you will want a openssl.cnf
11:11 <@krzee> for sure
11:11 <@krzee> (which is why you'll notice all our cert generators come with one)
11:12 < Protected> Thanks, let me look into that
11:12 < pekster> This is handled in easyrsa v3 by dynamically putting the contents of that file (and some optional extensiosn for deprecated stuff) starting here: https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/easyrsa#L598
11:12 <@vpnHelper> Title: easy-rsa/easyrsa3/easyrsa at master · OpenVPN/easy-rsa · GitHub (at github.com)
11:12 < pekster> The actual command is at line 628 in that code, and the magic is the -extfile that is used as the direct extensions to include
11:12 < pekster> tl;dr: openssl is a PITA sometimes
11:12 <@krzee> sometimes, heh
11:13 <@krzee> manually calling openssl causes cancer
11:13 < pekster> Indirectly; it might cause stress, which might be linked to cancer :x
11:13 < mdim> krzee: I've just read about --server. If I want to have multiple clients, can I still have static IP addresses?
11:13 < pekster> mdim: Yup, see:
11:13 < pekster> !static
11:13 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
11:13 <@vpnHelper> also: !addressing
11:14 < mdim> so, the server will push these addresses, i.e. clients are not going to set them themselves?
11:15 <@krzee> right
11:15 <@krzee> otherwise cant the client just change his address?
11:15 < pekster> It can't in tun, no
11:15 < pekster> The server will reject it
11:15 < pekster> (need --iroute to do that)
11:15 <@krzee> pekster, hes thinking each client config sets its own address
11:16 <@krzee> in which case what i said would apply
11:16 < pekster> In theory it can, but the server _also_ needs to psuh that same IP :P
11:16 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Read error: Operation timed out]
11:16 <@krzee> oh tru
11:16 <@krzee> gotta get in the iroute table either way
11:16 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
11:17 < mdim> so, will the same client always get the same IP?
11:17 < pekster> That's rather the point of !static
11:17 <@krzee> if you make it so by using !static
11:18 <@krzee> oh you probably want to add this to your server:   topology subnet
11:23 < mdim> folks, I really appreciate your help. However, have to leave now... I'll be back in about 9 hours. If you'll be here, I'll have many more questions
11:23 < mdim> cu
11:23 <@krzee> gl
11:24 <@krzee> enjoy work
11:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:53 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
12:05 < Protected> Added the extensions, but it got worse - "Cannot load private key file server.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
12:05 < Protected> Any ideas?
12:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:05 -!- mode/#openvpn [+v s7r] by ChanServ
12:06 < Protected> I'm wondering what exactly it's checking against
12:07 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 246 seconds]
12:09 < pekster> Sounds like your private key is malformed
12:09 < Protected> Which one? server.key?
12:09 < pekster> Read the error and find out?
12:10 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
12:11 < Protected> It tells me that "key values mismatch" - which values? What mismatches what?
12:12 < Protected> That's a server side error
12:12 < pekster> The error says "file server.key"
12:12 < Protected> It pops up when I start the server
12:12 < pekster> So, surprise, it applies to server.key
12:12 < pekster> Right, and I'm telling you your key is apparently bad
12:13 < pekster> Maybe re-export it with `openssl rsa -in server.key -out new-server.key` or something
12:13 < pekster> If that fails, your key is simply bogus
12:13 < Protected> I made it like this: openssl genrsa -out server.key 4096
12:13 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
12:14 < pekster> No, that's not right unless you generated a CSR _from_ that key
12:14 < pekster> Stop trying to do things the hard way. Use `openssl req` unless you're an expert and know what you're doing
12:14 < pekster> A private key file contains _both_ the private+public pairs. Your pairs don't match, which causes problem
12:15 < Protected> I generated a csr from that key, though
12:16 < Protected> I tried your suggestion
12:16 < pekster> Then verify things are proper. Maybe play with the -check and -pubout options
12:16 < Protected> Still no good, just for thee record
12:16 < pekster> I'm not really interested in helping you do manually what I worked fairly hard to write a frontend that works with no deps beyond openssl
12:17 < Protected> I just want to understand how it works under the hood
12:17 < Protected> I'm not going to be doing this manually
12:17 < pekster> --use-the-source-luke
12:17 < pekster> v3 is less wall-of-code and more broken down by functions and well-commented
12:18 < pekster> If there's functionality missing, I'd like to know about it, either here or with a well-written issue opened against it so it can be looked at for a 3.1 release
12:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
12:25 -!- klein [~klein@187.85.164.120] has joined #openvpn
12:25 -!- klein [~klein@187.85.164.120] has quit [Changing host]
12:25 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:26 < Protected> Passwords are required now?
12:27 < pekster> Of coruse not. Add the 'nopass' argument. try `./easyrsa help` for details
12:27 < pekster> !easyrsa
12:27 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
12:27 < pekster> wiki has some openvpn-centric howtos
12:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-tfyziozpzqyedfjh] has quit [Ping timeout: 260 seconds]
12:50 -!- kirin` [telex@gateway/shell/anapnea.net/x-kmcgfetwemibtzxw] has joined #openvpn
12:53 -!- visavi [~visavi@62.1.50.253.dsl.dyn.forthnet.gr] has quit [Ping timeout: 245 seconds]
12:54 -!- p3rror [~mezgani@41.249.27.151] has joined #openvpn
12:54 -!- visavi [~visavi@46.246.173.111.dsl.dyn.forthnet.gr] has joined #openvpn
12:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
13:03 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Read error: Connection reset by peer]
13:04 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
13:09 -!- Devastator [~devas@unaffiliated/devastator] has quit []
13:15 -!- master_o1_master [~master_of@p4FD7BE4F.dip0.t-ipconnect.de] has joined #openvpn
13:17 -!- Protected [~Join@bl13-100-5.dsl.telepac.pt] has quit [Quit: Gone.]
13:18 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
13:19 -!- master_of_master [~master_of@p4FD7B0A8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
13:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:26 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has quit [Ping timeout: 246 seconds]
13:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
13:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:49 -!- mode/#openvpn [+v s7r] by ChanServ
13:54 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
13:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
13:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:01 -!- mdim [~user@line-marko.cs.utah.edu] has joined #openvpn
14:12 -!- p3rror [~mezgani@41.249.27.151] has quit [Quit: Leaving]
14:15 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: rebooting]
14:21 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
14:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
14:32 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
15:12 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
15:22 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has joined #openvpn
15:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
15:41 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
15:43 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:43 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:43 -!- joshh20-Away is now known as joshh20
15:44 -!- dazo_afk is now known as dazo
15:49 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 272 seconds]
15:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
15:59 -!- u0m3_ [~u0m3@92.80.106.27] has joined #openvpn
16:02 -!- u0m3 [~u0m3@109.96.173.42] has quit [Ping timeout: 246 seconds]
16:03 -!- mdim [~user@line-marko.cs.utah.edu] has quit [Ping timeout: 245 seconds]
16:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:48 -!- pdobrogost [~quassel@77-255-240-191.adsl.inetia.pl] has joined #openvpn
16:57 -!- pdobrogost [~quassel@77-255-240-191.adsl.inetia.pl] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
16:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
16:58 -!- pdobrogost [~quassel@77-255-240-191.adsl.inetia.pl] has joined #openvpn
17:00 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
17:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:42 -!- pdobrogost [~quassel@77-255-240-191.adsl.inetia.pl] has quit [Remote host closed the connection]
17:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
18:03 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:29 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Connection reset by peer]
18:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
19:05 -!- lj [~l@ip-64-134-165-53.public.wayport.net] has joined #openvpn
19:10 -!- lj [~l@ip-64-134-165-53.public.wayport.net] has quit [Ping timeout: 250 seconds]
19:10 -!- lj [~l@192.241.174.169] has joined #openvpn
19:11 -!- lj [~l@192.241.174.169] has quit [Client Quit]
19:13 -!- lj [~l@ip-64-134-165-53.public.wayport.net] has joined #openvpn
19:17 -!- lj [~l@ip-64-134-165-53.public.wayport.net] has quit [Ping timeout: 246 seconds]
19:21 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
19:21 -!- TauZero [~user@c-76-121-215-240.hsd1.wa.comcast.net] has joined #openvpn
19:21 < TauZero> Can some one explain how a client and server cert differ?
19:23 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has joined #openvpn
19:23 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
19:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:26 < pekster> TauZero: Just in the extensions added. Most useful is for clients to verify the cert of the peer they're connected to are a designated server, otherwise 1 valid client can MITM another
19:27 < pekster> You can read about the implementation of this protection at:
19:27 < pekster> !mitm
19:27 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
19:28 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
19:30 -!- Netsplit *.net <-> *.split quits: Mike3, Eagleman, vvinothkumar, maskedlua, pa, guntha`, sauce, adac
19:32 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 241 seconds]
19:34 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:36 -!- vvinothkumar [~vvinothku@122.167.247.232] has joined #openvpn
19:37 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
19:37 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
19:43 -!- p3rror [~mezgani@41.248.172.26] has joined #openvpn
19:47 -!- maskedlua_ is now known as maskedlua
19:49 -!- TauZero [~user@c-76-121-215-240.hsd1.wa.comcast.net] has quit [Quit: Leaving]
19:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
20:08 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:16 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:32 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
20:33 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
20:35 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 265 seconds]
20:36 -!- codehero [codehero@irc.coding4coffee.org] has quit [Remote host closed the connection]
20:36 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
20:37 -!- visavi [~visavi@46.246.173.111.dsl.dyn.forthnet.gr] has left #openvpn []
20:37 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
20:39 -!- codehero [codehero@irc.coding4coffee.org] has joined #openvpn
20:40 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
20:45 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
20:56 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
20:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
21:06 -!- booo [~booo__@p54BDBFD3.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:14 -!- booo [~booo__@p54BDA459.dip0.t-ipconnect.de] has joined #openvpn
21:15 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
21:16 -!- rtur2 [~rtur@212.224.92.143] has quit [Quit: WeeChat 0.4.2]
21:17 -!- rtur [~rtur@212.224.92.143] has joined #openvpn
21:20 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
21:22 -!- joshh20 is now known as joshh20-Away
21:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:31 -!- p3rror [~mezgani@41.248.172.26] has quit [Ping timeout: 272 seconds]
21:45 -!- p3rror [~mezgani@41.248.172.26] has joined #openvpn
21:50 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 272 seconds]
21:51 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
22:09 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
22:20 -!- p3rror [~mezgani@41.248.172.26] has quit [Quit: Leaving]
22:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:49 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
22:50 -!- Devastator [~devas@177.18.196.146] has joined #openvpn
22:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
23:12 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
23:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 248 seconds]
23:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:44 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
23:53 -!- slicktown [~ircguy@162-205-241-33.lightspeed.tulsok.sbcglobal.net] has joined #openvpn
23:54 < slicktown> hail guys, having trouble with full tunneling in openvpn (free)
23:54 < slicktown> I specified "redirect-gateway def1" in my client config, but I can't reach anything outside of the local network at the server's location
23:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
--- Day changed Sun Feb 09 2014
00:01 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
00:01 < sammm> hi, does anyone here have experience installing openvpn on openwrt?
00:06 < pekster> slicktown: sounds like firewall/routing issues on your server. Follow the info in !redirect
00:12 -!- slicktown [~ircguy@162-205-241-33.lightspeed.tulsok.sbcglobal.net] has quit [Remote host closed the connection]
00:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:31 < sammm> hi, I can't seem to connect to my openwrt openvpn server, I am getting the error message: [ECONNREFUSED]: Connection refused
00:31 < sammm> (code=111)
00:31 < sammm> I've followed all the firewall steps so I don't know what to do now
00:40 < sammm> anyone? i'm desperate here
00:52 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
00:53 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
00:53 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
00:56 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 250 seconds]
00:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 250 seconds]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:11 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
01:12 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
01:13 -!- dren [dren@69.163.43.34] has quit [Ping timeout: 246 seconds]
01:22 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has quit [Ping timeout: 246 seconds]
01:22 -!- dren [dren@69.163.43.34] has joined #openvpn
01:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:50 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: laters]
01:52 < sammm> hi!
01:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
02:01 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
02:08 < sammm> is it generally favorable to use tun or tap ?
02:12 < mumixam> it depends on your appilcation
02:14 < mumixam> tap is used for bridging networks
02:16 < mumixam> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
02:16 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
02:16 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
02:16 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
02:20 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
02:20 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
02:22 < sammm> do you think you could look at my config files and tell me why my android client is spitting out a connection refused error?
02:23 < sammm> http://pastie.org/8714208
02:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:28 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
02:31 < sammm> connection is also refused when I try to connect to 192.168.1.1:1194 rather than the external IP
02:33 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:36 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:40 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
02:40 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
02:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
02:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
03:02 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
03:03 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
03:11 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has joined #openvpn
03:11 < pppingme> sammm what OS is the vpn server?
03:12 < sammm> openwrt
03:12 < pppingme> firewall rule blocking it possibly?
03:12 < sammm> openwrt has such terrible logging capabilities I can't really tell what's going on
03:13 < sammm> I don't think so, I've checked it a billion times by now. Did you see my config files?
03:13 < pppingme> yeah
03:13 -!- NoobSaibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 248 seconds]
03:14 < sammm> ifconfig -a isn't showing my tun interface either
03:15 < sammm> so I'm not sure that openvpn is running properly
03:15 < pppingme> what is in the log of the client??
03:16 < pppingme> you shouldn't havel the tls or the pkcs stuff in there
03:16 < sammm> well on my arch client it hangs on "UDPv4 link remote: [AF_INET]114.76.87.212:1194"
03:18 < pppingme> if it never gets a response back, thats either firewall, or the service simply isn't running
03:20 < pppingme> on the server_bridge line, why are you giving an ip range thats out of context?
03:21 < sammm> i was following a guide and they were using the same settings
03:21 < pppingme> well, that won't work..
03:21 < pppingme> but you aren't even making it that far..   that might be why openvpn isn't starting..
03:21 < pppingme> I rarely bridge, so I'm not sure how much of a sanity check it does, but thats not valid.
03:22 < sammm> reckon I should use the tap method then?
03:22 < pppingme> that IS tap..
03:22 < sammm> sorry i mean tun
03:22 < pppingme> do you have a reason you are using tap instead of tun?
03:23 < sammm> I do not, it was what this guide was using so I followed it
03:24 < pppingme> first, do all of these files exist in /etc/openvpn/    ca.crt, server.crt, server.key and dh2048.pem ??
03:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:25 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 260 seconds]
03:25 < sammm> yes they do
03:25 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 265 seconds]
03:25 < pppingme> next, lets adjust your server_bridge line..
03:25 < pppingme> what ip range are you using?
03:29 < sammm> 0 - 50 for VPN
03:29 < sammm> 50 - 150 for lan
03:29 < sammm> 192.168.1.x
03:29 < pppingme> were do you get 0 to 50??
03:30 < sammm> I edited my dhcp settings in the router
03:31 < pppingme> paste what you edited
03:32 < sammm> http://pastie.org/8714406
03:33 < pppingme> that has your lan going from 50 to 200, not 150..
03:33 < pppingme> edit the server_bridge line to read:
03:34 < pppingme> 192.168.1.1 255.255.255.0 192.168.1.201 192.168.1.254
03:34 < sammm> sure
03:35 < pppingme> then try to restart openvpn and see if its running
03:37 < sammm> alright! it's getting somewhere
03:37 < sammm> thank you, im getting a cannot locate HMAC in incoming packet file now
03:37 < sammm> on the client
03:37 < pppingme> did you make the changes I said?
03:37 < sammm> yes
03:38 < pppingme> paste your current client config
03:38 < sammm> i'm actually connecting/seeing the server now
03:38 < sammm> http://pastie.org/8714420
03:40 < pppingme> does that error line start with TLS Error ??
03:40 < sammm> ah! no I forgot to disable the wifi (testing with phone) but now it's working through 3g!
03:41 < sammm> thank you
03:44 < sammm> not getting any WAN connection via the VPN only LAN though
03:44 < sammm> I can ping the gateway/client via 10.0.0.x but no internet connection
03:47 < pppingme> where's this 10.x.x.x ip coming from??
03:47 < sammm> its the ip assigned to me via the openvpn server
03:47 < sammm> the server is on 10.0.0.1 and the client on 10.0.0.10
03:48 -!- Captain_Harlock [~Captain_H@ppp079166041162.access.hol.gr] has joined #openvpn
03:51 < pppingme> thats not even close to what it should be assigning, based on the config you pasted
03:51 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has joined #openvpn
03:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
04:08 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
04:12 -!- Captain_Harlock [~Captain_H@ppp079166041162.access.hol.gr] has left #openvpn ["Leaving"]
04:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:49 -!- Devastator [~devas@177.18.196.146] has quit [Changing host]
04:49 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
04:54 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
04:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
05:12 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has quit [Quit: Changing server]
05:14 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
05:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:26 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
05:33 -!- pdobrogost [~quassel@213-238-77-167.adsl.inetia.pl] has joined #openvpn
05:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:43 -!- 16WAANWC2 [~Ade@redhat/adeb] has joined #openvpn
05:43 -!- 65MAAKY6V [~Ade@redhat/adeb] has joined #openvpn
05:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:47 -!- 16WAANWC2 is now known as adeb
05:47 -!- adeb is now known as ade_b
05:49 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:49 -!- 65MAAKY6V is now known as ade_b
05:53 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
05:54 -!- Bretos1 [~Bretos@vps.tyborek.pl] has joined #openvpn
05:54 -!- Bretos1 [~Bretos@vps.tyborek.pl] has left #openvpn []
05:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
06:05 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has quit [Ping timeout: 245 seconds]
06:24 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
06:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
06:31 -!- xrosnight [~quassel@113.83.84.164] has joined #openvpn
06:31 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Quit: Konversation terminated!]
06:32 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
06:34 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Read error: Connection reset by peer]
06:35 -!- JackWinter_ [~jack@vodsl-9074.vo.lu] has joined #openvpn
06:41 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
06:41 -!- mode/#openvpn [+v s7r_m] by ChanServ
06:43 -!- s7r_m [~s7r@openvpn/user/s7r] has quit [Client Quit]
06:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
06:49 -!- xrosnight [~quassel@113.83.84.164] has quit [Ping timeout: 265 seconds]
06:56 -!- vvinothkumar [~vvinothku@122.167.247.232] has quit [Remote host closed the connection]
06:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
07:02 -!- joshh20-Away is now known as joshh20
07:05 -!- JackWinter_ [~jack@vodsl-9074.vo.lu] has quit [Remote host closed the connection]
07:07 -!- JackWinter [~jack@vodsl-9074.vo.lu] has joined #openvpn
07:24 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
07:41 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
07:48 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 265 seconds]
07:51 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
07:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:57 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
08:14 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:30 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
08:31 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:31 -!- Devastator [~devas@177.18.196.146] has joined #openvpn
08:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
08:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:05 -!- xrosnight [~quassel@113.83.84.164] has joined #openvpn
09:24 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
09:36 -!- xrosnight [~quassel@113.83.84.164] has quit [Ping timeout: 248 seconds]
09:37 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
09:43 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
09:45 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
09:56 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:57 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
09:58 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:12 -!- Yesh [~Yesh_adiu@yayscripting.nl] has joined #openvpn
10:14 -!- Yesh [~Yesh_adiu@yayscripting.nl] has left #openvpn []
10:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:35 -!- Devastator [~devas@177.18.196.146] has quit [Changing host]
10:35 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
10:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
10:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
10:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:02 -!- takamichi [~takamichi@85.12.8.105] has joined #openvpn
11:17 -!- takamichi [~takamichi@85.12.8.105] has quit [Ping timeout: 245 seconds]
11:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Remote host closed the connection]
11:19 -!- Devastator [~devas@177.18.196.146] has joined #openvpn
11:19 -!- Devastator [~devas@177.18.196.146] has quit [Changing host]
11:19 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
11:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:29 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 246 seconds]
11:37 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
11:41 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
11:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:42 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
11:42 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
11:44 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:45 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
11:56 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 246 seconds]
11:59 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
12:06 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 250 seconds]
12:18 -!- mattock_afk is now known as mattock
12:31 -!- mattock is now known as mattock_afk
12:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:49 -!- SquareRoot{away} [~Alec@pool-72-92-228-150.prvdri.fios.verizon.net] has joined #openvpn
12:51 -!- MRX [MRX@unaffiliated/mrx] has joined #openvpn
12:51 -!- MRX [MRX@unaffiliated/mrx] has left #openvpn ["Leaving"]
12:56 -!- kirin` [telex@gateway/shell/anapnea.net/x-kmcgfetwemibtzxw] has quit [Ping timeout: 248 seconds]
12:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-oczxqaulsiiwaxce] has joined #openvpn
13:17 -!- joshh20 is now known as joshh20-Away
13:19 -!- master_o1_master [~master_of@p4FD7BE4F.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
13:21 -!- master_of_master [~master_of@p4FD7B7BB.dip0.t-ipconnect.de] has joined #openvpn
13:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:43 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
14:00 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
14:01 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
14:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:22 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has joined #openvpn
14:39 -!- joshh20-Away is now known as joshh20
15:24 -!- lj [~l@192.241.174.169] has joined #openvpn
15:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
15:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
15:47 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
16:11 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
16:12 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:16 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
16:31 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
16:32 -!- Guest44404 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
16:52 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
16:53 -!- SquareRoot{away} is now known as SquareRoot
16:54 -!- SquareRoot [~Alec@pool-72-92-228-150.prvdri.fios.verizon.net] has left #openvpn []
16:55 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
16:56 -!- pdobrogost [~quassel@213-238-77-167.adsl.inetia.pl] has quit [Remote host closed the connection]
17:01 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
17:03 -!- KrissO [~krisso@46.109-247-25.customer.lyse.net] has quit [Ping timeout: 272 seconds]
17:05 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
17:12 -!- KrissO [~krisso@46.109-247-25.customer.lyse.net] has joined #openvpn
17:14 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: No route to host]
17:23 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Remote host closed the connection]
17:24 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
17:24 -!- adac [~adac@host68-217-static.10-188-b.business.telecomitalia.it] has quit [Quit: Leaving]
17:38 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:42 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Read error: Connection reset by peer]
17:43 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
17:47 -!- joshh20 is now known as joshh20-Away
17:51 -!- joshh20-Away is now known as joshh20
17:53 -!- maxiepax_ [max@locke.misse.org] has quit [Ping timeout: 252 seconds]
17:55 -!- maxiepax [max@locke.misse.org] has joined #openvpn
18:03 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
18:06 -!- joshh20 is now known as joshh20-Away
18:06 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 240 seconds]
18:08 -!- Cr4zi3 [h3inrich@staff.xbins.org] has joined #openvpn
18:12 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 248 seconds]
18:18 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
18:18 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
18:18 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
18:18 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
18:19 -!- Cr4zi3 [h3inrich@staff.xbins.org] has quit [Ping timeout: 250 seconds]
18:19 -!- _Cr4zi3 [h3inrich@staff.xbins.org] has joined #openvpn
18:28 -!- joshh20-Away is now known as joshh20
18:31 -!- _Cr4zi3 [h3inrich@staff.xbins.org] has quit [Ping timeout: 245 seconds]
18:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
18:46 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
18:50 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Client Quit]
18:52 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
19:07 -!- tapout_ [~tapout@unaffiliated/tapout] has joined #openvpn
19:12 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
19:14 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
19:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
19:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
19:25 -!- maxiepax [max@locke.misse.org] has joined #openvpn
19:27 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Remote host closed the connection]
19:27 -!- _Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
19:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
19:48 -!- Guest44404 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Remote host closed the connection]
19:52 -!- _Cr4zi3 [~killaz@staff.xbins.org] has quit [Read error: Connection reset by peer]
19:52 -!- u0m3_ [~u0m3@92.80.106.27] has quit [Read error: Operation timed out]
19:53 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
20:01 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
20:03 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
20:18 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has quit [Remote host closed the connection]
20:27 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
20:27 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
20:57 -!- joshh20 is now known as joshh20-Away
21:06 -!- booo [~booo__@p54BDA459.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:08 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
21:12 -!- booo [~booo__@p54BD8BC6.dip0.t-ipconnect.de] has joined #openvpn
21:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:18 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
21:18 -!- Matir [~matir@ubuntu/member/matir] has quit [Read error: Operation timed out]
21:19 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
21:19 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
21:20 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
21:26 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 240 seconds]
21:28 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
21:35 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
21:35 < sammm> hi, I have got openvpn up and running and I can connect to my server, but the client cannot access WAN through it.
21:36 < sammm> I'm pretty sure it's my firewall, but I'll post my configs
21:37 < sammm> http://pastie.org/8717158
21:52 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
22:02 -!- kcodyjr [~kcodyjr@2002:32a9:2d5:8000::100] has joined #openvpn
22:04 -!- kcodyjr1 [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
22:04 -!- kcodyjr [~kcodyjr@2002:32a9:2d5:8000::100] has quit [Disconnected by services]
22:04 -!- kcodyjr1 is now known as kcodyjr
22:12 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:14 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
22:21 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Remote host closed the connection]
22:22 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
22:28 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
22:28 < mdim> hi all
22:29 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
22:29 < mdim> I was here to ask for help about 36 hours ago, but then had to leave at some point. Anyone willing to continue helping me to setup a multi-client setup over tap?
22:31 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
22:43 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
22:46 -!- Devastator [~devas@177.18.196.146] has joined #openvpn
22:49 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 240 seconds]
22:51 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
22:57 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 245 seconds]
22:57 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 250 seconds]
23:01 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
23:03 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
23:03 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:10 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
23:15 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Read error: Connection reset by peer]
23:15 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
23:20 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:23 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
23:24 -!- _Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
23:25 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
23:27 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 265 seconds]
23:36 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
23:41 -!- _Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
23:42 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
23:43 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
23:50 -!- elfixit [~Icedove@dhcp-129-154.office.init7.net] has quit [Remote host closed the connection]
--- Day changed Mon Feb 10 2014
00:04 -!- crus [~crusader@2001:44b8:319e:2900:c42f:974d:48c1:36fa] has quit [Remote host closed the connection]
00:04 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
00:04 -!- crus [~crusader@2001:44b8:319e:2900:c42f:974d:48c1:36fa] has joined #openvpn
00:05 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
00:06 -!- Devastator [~devas@177.18.196.146] has quit [Read error: Connection reset by peer]
00:07 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:07 -!- Devastator [~devas@177.18.196.146] has joined #openvpn
00:11 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 240 seconds]
00:17 -!- Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
00:17 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
00:18 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:22 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
00:34 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
00:34 < genericpersona> http://www.google.com
00:34 <@vpnHelper> Title: Google (at www.google.com)
00:35 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
00:38 -!- Cr4zi3 [guessswh0@staff.xbins.org] has quit [Ping timeout: 240 seconds]
00:39 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:39 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 246 seconds]
00:43 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
00:45 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
00:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:50 < mdim> I've setup a server and a client (laptop). I can't figure out how to setup an OpenWRT router as a client
01:00 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Read error: Connection reset by peer]
01:01 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:04 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
01:13 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
01:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:20 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
01:23 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Remote host closed the connection]
01:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 265 seconds]
01:26 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 246 seconds]
01:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:31 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
01:36 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 250 seconds]
01:40 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:55 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 245 seconds]
02:00 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
02:03 -!- lvv_ [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has joined #openvpn
02:03 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
02:03 -!- lvv_ is now known as lvv
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
02:12 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has quit [Ping timeout: 260 seconds]
02:14 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
02:19 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 246 seconds]
02:23 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Remote host closed the connection]
02:23 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
02:29 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
02:42 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
02:44 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
02:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
02:48 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:01 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 250 seconds]
03:14 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:27 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
03:29 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
03:35 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
03:36 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
03:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:38 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:46 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 240 seconds]
04:00 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
04:02 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 245 seconds]
04:03 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
04:05 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
04:06 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 250 seconds]
04:11 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
04:17 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
04:18 -!- mattock_afk is now known as mattock
04:19 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
04:21 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 250 seconds]
04:24 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
04:29 -!- mattock is now known as mattock_afk
04:29 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 240 seconds]
04:42 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
04:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:12 -!- vvinothkumar [~vinothkum@122.167.247.232] has joined #openvpn
05:13 -!- vvinothkumar [~vinothkum@122.167.247.232] has quit [Read error: Connection reset by peer]
05:14 -!- vvinothkumar [~vinothkum@122.167.247.232] has joined #openvpn
05:15 -!- vvinothkumar [~vinothkum@122.167.247.232] has quit [Read error: Connection reset by peer]
05:16 -!- vvinothkumar [~vinothkum@122.167.247.232] has joined #openvpn
05:16 -!- vvinothkumar [~vinothkum@122.167.247.232] has quit [Read error: Connection reset by peer]
05:23 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:25 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
05:32 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
05:33 -!- mattock_afk is now known as mattock
05:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
05:40 -!- Devastator [~devas@177.18.196.146] has quit [Changing host]
05:40 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
05:54 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 252 seconds]
05:57 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
06:00 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Quit: ZNC - http://znc.sourceforge.net]
06:01 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Ping timeout: 260 seconds]
06:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-oczxqaulsiiwaxce] has quit [Ping timeout: 260 seconds]
06:06 -!- simcop2387 [~simcop238@simcop2387.info] has joined #openvpn
06:06 -!- simcop2387 [~simcop238@simcop2387.info] has quit [Client Quit]
06:06 -!- kirin` [telex@gateway/shell/anapnea.net/x-tqjchrrhnegtvfsv] has joined #openvpn
06:07 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 265 seconds]
06:09 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
06:10 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
06:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
06:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
06:34 -!- Cr4zi3 [crazie@staff.xbins.org] has joined #openvpn
06:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
06:38 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
06:42 -!- _Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
06:42 -!- Cr4zi3 [crazie@staff.xbins.org] has quit [Ping timeout: 240 seconds]
06:46 -!- ayaka [~ayaka@2001:470:b30d:2:225:11ff:fe0e:302c] has joined #openvpn
06:47 -!- _Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 265 seconds]
06:55 < ayaka> I have a problem with ccd, for example if I have client which is 192.168.0.0/25 and there is a subroute which is 192.168.0.128/25
06:55 < ayaka> how to set the ccd file, I don't use it has the via function
07:12 -!- takamichi [~takamichi@85.12.8.13] has quit [Read error: Connection reset by peer]
07:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:18 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 264 seconds]
07:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:26 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
07:26 -!- lvv_ [~loganaden@2001:4290:10:250:15b9:3d14:3521:f605] has joined #openvpn
07:30 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:45 -!- cpm [~Chip@216.169.175.102] has joined #openvpn
07:45 -!- cpm [~Chip@216.169.175.102] has quit [Changing host]
07:45 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:45 -!- lj [~l@192.241.174.169] has joined #openvpn
07:48 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
07:48 -!- lj [~l@192.241.174.169] has quit [Client Quit]
07:55 -!- lj [~l@192.241.174.169] has joined #openvpn
07:57 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Ping timeout: 248 seconds]
07:58 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
07:58 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
08:01 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
08:04 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
08:16 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 260 seconds]
08:18 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
08:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:30 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:32 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:38 -!- lvv_ [~loganaden@2001:4290:10:250:15b9:3d14:3521:f605] has quit [Quit: lvv_]
08:46 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:46 -!- DelphiWorld [~TayebMeft@openvpn/user/DelphiWorld] has joined #openvpn
08:46 -!- mode/#openvpn [+v DelphiWorld] by ChanServ
08:46 <+DelphiWorld> hi guys!
08:46  * DelphiWorld blow up ecrist
08:47 <+DelphiWorld> guys, if using OpenVPN. it's pocible to specify  route on client side and not on server side?
08:52 <@ecrist> yup
08:52 -!- lj [~l@192.241.174.169] has joined #openvpn
08:53 -!- lj [~l@192.241.174.169] has quit [Client Quit]
08:54 -!- lj [~l@192.241.174.169] has joined #openvpn
08:56 -!- lj [~l@192.241.174.169] has quit [Client Quit]
08:56 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:56 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:59 <+DelphiWorld> guys, if using OpenVPN. it's pocible to specify  route on client side and not on server side?
08:59 <+DelphiWorld> ecrist, the openvpn router i use dont support pushing route sadly
08:59 <@ecrist> I said yup
09:00 < Aketzu_> "YUP is a Finnish rock-music group"
09:00 <@ecrist> in the client config, just add "route <ip> <netmask>
09:00 <@ecrist> https://www.youtube.com/watch?v=TStPNqex3uA
09:00 <@vpnHelper> Title: Sesame Street: Martians Discover a Book - YouTube (at www.youtube.com)
09:05 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
09:09 -!- DelphiWorld [~TayebMeft@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer]
09:10 -!- fission6 [~fission6@199.47.74.246] has joined #openvpn
09:11 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
09:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
09:30 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
09:32 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
09:36 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 264 seconds]
09:38 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:38 -!- mode/#openvpn [+o dazo_afk] by ChanServ
09:38 -!- dazo_afk is now known as dazo
09:59 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
10:01 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 245 seconds]
10:06 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
10:09 -!- fejjerai [~quassel@kde/mitchell] has quit [Quit: No Ping reply in 180 seconds.]
10:09 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
10:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:15 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 250 seconds]
10:18 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:22 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
10:22 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Remote host closed the connection]
10:26 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
10:26 -!- mattock is now known as mattock_afk
10:36 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
10:40 -!- u0m3 [~u0m3@92.80.106.31] has joined #openvpn
10:46 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:47 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
10:48 -!- joshh20-Away is now known as joshh20
10:51 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
10:59 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
11:02 -!- Cr4zi3 [wario@staff.xbins.org] has joined #openvpn
11:04 -!- lj [~l@192.241.174.169] has joined #openvpn
11:04 -!- roentgen [~irc@89.46.129.178] has joined #openvpn
11:04 -!- roentgen [~irc@89.46.129.178] has quit [Changing host]
11:04 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
11:04 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
11:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
11:08 -!- Cr4zi3 [wario@staff.xbins.org] has quit [Ping timeout: 240 seconds]
11:09 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Ping timeout: 276 seconds]
11:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:11 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
11:14 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
11:14 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
11:18 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Remote host closed the connection]
11:21 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
11:27 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
11:33 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
11:39 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Quit: No Ping reply in 180 seconds.]
11:39 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
11:41 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
11:43 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
11:45 -!- joshh20 is now known as joshh20-Away
11:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:51 -!- klein__ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
11:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:55 -!- fejjerai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
11:55 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
12:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:13 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
12:15 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 252 seconds]
12:17 -!- kossy [a@kossy.org] has joined #openvpn
12:31 -!- lj [~l@2602:306:bcc2:a560:60ad:2abd:78a2:fe57] has joined #openvpn
12:43 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
12:45 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
12:51 -!- mattock_afk is now known as mattock
12:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:53 -!- lj [~l@2602:306:bcc2:a560:60ad:2abd:78a2:fe57] has quit [Remote host closed the connection]
12:55 -!- lj [~l@2602:306:bcc2:a560:ac61:4fb6:2cf:4587] has joined #openvpn
12:55 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Quit: nand]
12:55 -!- Haigha [~root@2001:41d0:1:d4e5:dead::42] has quit [Quit: WeeChat 0.3.8]
12:55 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
12:55 -!- lj [~l@2602:306:bcc2:a560:ac61:4fb6:2cf:4587] has quit [Client Quit]
12:55 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
12:56 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has quit [Quit: Leaving]
12:56 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:57 -!- josefig [~josef@unaffiliated/josefig] has quit [Quit: Computer has gone to sleep.]
13:08 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
13:09 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:11 -!- heraclitus__ [~heraclitu@cpe-72-181-248-94.tx.res.rr.com] has joined #openvpn
13:12 -!- fission6 [~fission6@199.47.74.246] has quit [Quit: fission6]
13:14 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
13:16 -!- fission6 [~fission6@199.47.74.246] has joined #openvpn
13:16 -!- master_o1_master [~master_of@p4FF24397.dip0.t-ipconnect.de] has joined #openvpn
13:19 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 265 seconds]
13:19 -!- master_of_master [~master_of@p4FD7B7BB.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
13:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:28 -!- heraclitus__ [~heraclitu@cpe-72-181-248-94.tx.res.rr.com] has quit [Ping timeout: 252 seconds]
13:41 -!- lj [~l@2602:306:bcc2:a560:e9ba:4b2a:f742:ea6b] has joined #openvpn
13:43 -!- pdobrogost [~quassel@213-238-69-1.adsl.inetia.pl] has joined #openvpn
13:46 -!- mdim [~user@line-marko.cs.utah.edu] has joined #openvpn
13:47 -!- lj [~l@2602:306:bcc2:a560:e9ba:4b2a:f742:ea6b] has quit [Quit: Leaving.]
14:02 -!- Netsplit *.net <-> *.split quits: itaddercloud, Haseo, AsadH, NChief2, noobboob, ultra, dowaat, lowkey, seba, +hazardous,  (+1 more, use /NETSPLIT to show all of them)
14:02 -!- NChief2 [~nchief@ircimg.net] has joined #openvpn
14:02 -!- Netsplit over, joins: Haseo
14:02 -!- Netsplit over, joins: seba
14:02 -!- Netsplit over, joins: ultra
14:03 -!- Netsplit over, joins: lowkey
14:03 -!- noobboob [uid5587@gateway/web/irccloud.com/x-bfwztqxvmixtqoey] has joined #openvpn
14:03 -!- dowaat [uid3966@gateway/web/irccloud.com/x-ruusjgshbhttsdni] has joined #openvpn
14:05 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vvngeupgfdkksolv] has joined #openvpn
14:07 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
14:09 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Quit: sauce]
14:09 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
14:09 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
14:09 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:10 -!- bmoriart1 [~bmoriarty@yt.acm.uiuc.edu] has left #openvpn []
14:11 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
14:11 -!- klein__ [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 246 seconds]
14:17 -!- mdim [~user@line-marko.cs.utah.edu] has quit [Read error: Operation timed out]
14:21 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:29 -!- lj [~l@99.155.26.93] has joined #openvpn
14:30 -!- lj1 [~l@192.241.174.169] has joined #openvpn
14:33 -!- lj [~l@99.155.26.93] has quit [Ping timeout: 250 seconds]
14:47 -!- mattock is now known as mattock_afk
14:49 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
15:06 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 246 seconds]
15:10 -!- ayaka [~ayaka@2001:470:b30d:2:225:11ff:fe0e:302c] has left #openvpn ["离开"]
15:21 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
15:23 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:28 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Read error: Connection reset by peer]
15:29 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Ping timeout: 246 seconds]
15:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:30 -!- u0m3_ [~u0m3@92.80.106.31] has joined #openvpn
15:30 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
15:33 -!- u0m3 [~u0m3@92.80.106.31] has quit [Ping timeout: 248 seconds]
15:37 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
15:40 -!- xBytez [~xBytez@unaffiliated/xbytez] has quit [Client Quit]
15:41 -!- u0m3__ [~u0m3@92.80.106.31] has joined #openvpn
15:43 -!- u0m3_ [~u0m3@92.80.106.31] has quit [Ping timeout: 272 seconds]
16:10 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
16:10 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 272 seconds]
16:11 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:21 -!- pentiumone133 [~will@173.243.115.75] has joined #openvpn
16:22 < pentiumone133> hey everyone, i have a openvpn-as appliance setup out on the internet, and i have a local network that i want to force all thraffic through this openvpn appliance.  whats the best way to do it?  pfsense?  something else ?
16:28 <@Eugene> !as
16:28 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
16:31 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has joined #openvpn
16:33 -!- taylorbyte2013 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 260 seconds]
16:36 -!- lj [~l@192.241.174.169] has joined #openvpn
16:37 -!- lj [~l@192.241.174.169] has quit [Client Quit]
16:40 -!- lj [~l@192.241.174.169] has joined #openvpn
16:40 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:46 -!- pdobrogost [~quassel@213-238-69-1.adsl.inetia.pl] has quit [Remote host closed the connection]
16:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:50 -!- joshh20-Away is now known as joshh20
16:51 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
16:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:00 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
17:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 245 seconds]
17:06 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:06 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
17:07 -!- fission6 [~fission6@199.47.74.246] has quit [Quit: fission6]
17:12 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:18 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
17:20 -!- taylorbyte20131 [~cyberninj@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 250 seconds]
17:26 -!- lj [~l@192.241.174.169] has joined #openvpn
17:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:55 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
17:59 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds]
18:09 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
18:09 -!- Sembei is now known as Guest88740
18:10 -!- Guest88740 is now known as Sembei
18:11 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Changing host]
18:11 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
18:13 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
18:14 -!- sepeck [~sepeck@drupal.org/user/5195/view] has joined #openvpn
18:14 -!- sepeck [~sepeck@drupal.org/user/5195/view] has left #openvpn []
18:21 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
18:34 -!- thumbs is now known as httpd
18:34 -!- httpd is now known as thumbs
18:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
18:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:56 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
18:56 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
19:01 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
19:02 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 250 seconds]
19:03 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
19:14 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
19:14 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
19:16 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
19:20 -!- josefig [~josef@unaffiliated/josefig] has joined #openvpn
19:20 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
19:20 -!- mode/#openvpn [+v hazardous] by ChanServ
19:21 -!- josefig [~josef@unaffiliated/josefig] has left #openvpn []
19:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:27 -!- Denial [Denial@90.201.173.63] has quit [Ping timeout: 264 seconds]
19:28 -!- Denial [Denial@90.201.173.63] has joined #openvpn
19:28 -!- Holos [~cosmond@216.168.111.227] has quit [Ping timeout: 245 seconds]
19:28 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
19:29 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
19:29 -!- Holos [~cosmond@216.168.111.227] has joined #openvpn
19:29 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
19:29 -!- Holos is now known as Guest92970
19:29 -!- NChief2 [~nchief@ircimg.net] has quit [Ping timeout: 264 seconds]
19:29 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 264 seconds]
19:30 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 264 seconds]
19:30 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 245 seconds]
19:30 -!- NChief2 [~nchief@ircimg.net] has joined #openvpn
19:31 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
19:34 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 252 seconds]
19:35 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
19:36 -!- ljvb_ [~jason@uk.vps.vanbrecht.com] has joined #openvpn
19:39 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:41 -!- dren [dren@69.163.43.34] has quit [Ping timeout: 260 seconds]
19:41 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
19:42 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 250 seconds]
19:44 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
19:46 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
19:50 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
19:50 -!- VbA [~admin@2405:4200:203::17f2:40d0] has joined #openvpn
19:51 < VbA> hello, i connect to my openvpn server, but no connection internet. can help fix this issue ?
19:56 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
20:05 -!- VbA [~admin@2405:4200:203::17f2:40d0] has quit []
20:06 -!- dimitry7 [~antonello@38.124.174.31] has quit [Remote host closed the connection]
20:27 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
20:43 -!- joshh20 is now known as joshh20-Away
20:44 -!- fission6 [~fission6@cpe-67-244-5-228.nyc.res.rr.com] has joined #openvpn
20:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
20:48 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:59 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
21:01 -!- Mike3 [mad@mx.probie.nl] has quit [Ping timeout: 250 seconds]
21:01 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
21:01 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
21:01 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
21:02 -!- arader [~andrew@0x666.tk] has quit [Ping timeout: 265 seconds]
21:03 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
21:03 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 265 seconds]
21:03 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
21:04 -!- booo [~booo__@p54BD8BC6.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:05 -!- arader [~andrew@0x666.tk] has joined #openvpn
21:07 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
21:08 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 250 seconds]
21:09 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
21:10 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
21:10 -!- arader [~andrew@0x666.tk] has quit [Ping timeout: 265 seconds]
21:11 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
21:11 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 250 seconds]
21:11 -!- booo [~booo__@p54BD8C96.dip0.t-ipconnect.de] has joined #openvpn
21:13 -!- arader [~andrew@0x666.tk] has joined #openvpn
21:15 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 250 seconds]
21:15 -!- lj [~l@192.241.174.169] has joined #openvpn
21:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
21:18 -!- Devastator [~devas@177.18.196.146] has joined #openvpn
21:19 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
21:21 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has joined #openvpn
21:22 < VsioZashibis> hi. I am able to rdp to the client installed in a windows vm. I was wondering, if there is a way to make the VM's host adapter gateway, accessable from another VPN client.
21:30 -!- gardar [~gardar@bnc.giraffi.net] has quit [Read error: Operation timed out]
21:37 -!- dren [dren@69.163.43.34] has joined #openvpn
21:38 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
21:46 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 250 seconds]
21:58 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
22:13 < _FBi> VsioZashibis, you can give your VM it's own IP on your network
22:15 < VsioZashibis> _FBi: the VM grabs the ip address from the same gateway as the host.
22:16 < VsioZashibis> so its the same submnet
22:16 < _FBi> yes it is.  I must've missunderstood something
22:18 < VsioZashibis> let me try to explain. a remote win 7 VM is a vpn client,
22:18 < VsioZashibis> it is connected to the same VPN server as my local win 7 VM client
22:19 < VsioZashibis> I am able to RDP to it just fine, using OpenVPN's network
22:20 < VsioZashibis> my question: is it possible to ping remote win 7 VM's gateway from my local win 7 client?
22:21 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
22:21 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
22:29 < pekster> VsioZashibis: You're asking how to access resources behind your VPN server? Read about routing that with the info/flowchart at: !serverlan
22:30 < VsioZashibis> !serverlan
22:30 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
22:30 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
22:33 < VsioZashibis> pekster: no, not the resources behind the VPN server.
22:35 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
22:41 -!- levifig [~levifig@205.186.144.152] has joined #openvpn
22:45 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:49 -!- Devastatr [~devas@177.18.197.229] has joined #openvpn
22:51 -!- Devastator [~devas@177.18.196.146] has quit [Ping timeout: 252 seconds]
22:59 -!- fission6 [~fission6@cpe-67-244-5-228.nyc.res.rr.com] has quit [Quit: fission6]
23:14 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
23:15 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 245 seconds]
23:20 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:50 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
23:53 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:55 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
23:56 -!- orutest|2 [~VsioZashi@ool-45727391.dyn.optonline.net] has joined #openvpn
23:56 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
23:57 -!- orutest|2 [~VsioZashi@ool-45727391.dyn.optonline.net] has quit [Client Quit]
23:57 < mdim> I have OpenVPN set up on my server with dev tun. Can someone help me set it up as a client on my OpenWRT router?
23:58 < mdim> The server configuration works; I tested it with my laptop as a client
23:58 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 245 seconds]
23:59 < kcodyjr> 1st, set it up the same way, so your router gets an ip just like your laptop does.
23:59 < kcodyjr> then, look up the "iroute" command and use it on the server in the client-specific file for your router.
23:59 < mdim> I'm unsure where I should put a config file - should it be /etc/config/openvpn or /etc/openvpn/some-file?
--- Day changed Tue Feb 11 2014
00:00 < kcodyjr> i think that depends whether you're going to use luci to configure the openvpn client, or whether you're going to do it by hand.
00:00 < kcodyjr> i'm a little rusty, you'll have to look through the packages for luci to see if it has an openvpn plugin.
00:01 < mdim> I have to do it by hand, because the stable version (12.09) doesn't have a package for openvpn in luci
00:01 < mdim> I mean, the plugin package doesn't exist
00:01 < mdim> but of course, a package for openvpn in general does
00:02 < kcodyjr> then do it by hand in /etc/openvpn/ just like you did on your laptop.
00:03 < mdim> ok, that's the same syntax then. /etc/config/openvpn has a slightly different one
00:03 < kcodyjr> yeah, /etc/config/openvpn would be luci's config file.
00:05 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
00:07 < mdim> I have a file /etc/openvpn/buffalo.conf on my OpenWRT (available at http://paste.debian.net/81308/ ). However, when I do "/etc/init.d/openvpn restart", nothing changes in "logread"
00:12 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:15 < kcodyjr> is the openvpn process running?
00:20 < mdim> nope
00:25 < mdim> do I need to do any interface configuration beyond what I have in the config file?
00:27 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:27 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:30 < kcodyjr> i'm not at all sure.
00:30 < kcodyjr> but i wonder if maybe the init script is expecting luci to drive the configuration?
00:30 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:30 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:31 < kcodyjr> but i wonder if maybe the init script is expecting luci to drive the configuration?
00:31 < kcodyjr> go ask the openwrt guys what's up.
00:31 < kcodyjr> if the process isn't running and there's nothing in the logs, it didn't start.
00:35 < mdim> thx. I've posted a question in #openwrt
00:38 -!- losted [~losted@box.losted.net] has quit [Read error: Operation timed out]
00:45 -!- losted [~losted@box.losted.net] has joined #openvpn
00:52 < mdim> kcodyjr: got it working! A lesson learned - always try with a given sample/example first :)
00:53 < mdim> kcodyjr: after all, it is through luci, i.e. I've put all the configuration in /etc/config/openvpn
00:53 < kcodyjr> excellent.
00:53 < mdim> finally got it :)
00:54 < mdim> I am planning to mount disk drives over the vpn I've just set up. Hopefully that will work smoothly
00:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
00:55 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:07 -!- HyperGlide [~HyperGlid@78.157.205.159] has joined #openvpn
01:11 -!- makara [~makara@41.164.22.218] has quit [Remote host closed the connection]
01:16 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:18 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
01:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:42 -!- mattock_afk is now known as mattock
01:54 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 272 seconds]
01:59 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:33 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:33 -!- JackWinter [~jack@vodsl-9074.vo.lu] has quit [Ping timeout: 260 seconds]
02:42 -!- HyperGlide [~HyperGlid@78.157.205.159] has quit [Remote host closed the connection]
02:48 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
02:49 -!- lvv [~loganaden@196.1.0.29] has joined #openvpn
03:14 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 246 seconds]
03:19 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:35 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
04:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
04:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:49 -!- Devastatr [~devas@177.18.197.229] has quit [Changing host]
04:49 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
04:49 -!- Devastatr is now known as Devastator
04:59 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
05:11 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
05:17 -!- heraclitus__ [~heraclitu@108.59.11.225] has joined #openvpn
05:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:20 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 252 seconds]
05:20 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 252 seconds]
05:20 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
05:20 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
05:22 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
05:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:28 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:29 -!- inch [mijutu@ellipsis.fi] has joined #openvpn
05:35 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
05:35 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
05:48 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-mbrtpiflhkdkyaeg] has quit [Ping timeout: 245 seconds]
05:49 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-zfytxdmaiucmgynh] has joined #openvpn
05:50 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:50 -!- mattock is now known as mattock_afk
05:51 -!- heraclitus__ [~heraclitu@108.59.11.225] has quit [Ping timeout: 252 seconds]
05:53 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
06:14 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:14 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
06:15 -!- Sembei is now known as Guest94690
06:32 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
06:32 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
06:34 < AL13N_work> we recently got a 50/6 ISP connection, but via openvpn, the resulting bandwidth is a lot less... we end up with 12/5 ... i would have expected nearing the 40mbit...
06:34 < AL13N_work> the server endpoint is 100/100
06:34 < AL13N_work> this is over TCP
06:35 < AL13N_work> there is a second tunnel over a different port (but it doesn't have much traffic)
06:35 < AL13N_work> CPU on both ends is very slow
06:35 <@Eugene> !gigabit
06:35 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
06:35 <@Eugene> !tcp
06:35 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
06:36 < AL13N_work> thanks for the links
06:36 < AL13N_work> i meant earlier that CPU load is negligable...
06:36 <@Eugene> s/slow/low ? :-p
06:36 < AL13N_work> even with the known slowness, i still had expected at least 30
06:36 < AL13N_work> Eugene: yes
06:36 < AL13N_work> freudian slip, as it were
06:37 <@Eugene> Usualy things to fidle with are UDP, not TCP, and stop fuckng with the MTU stuff.
06:40 < AL13N_work> i didn't touch the MTU, i swear
06:41 <@Eugene> Good, you're ahead of most people who have this question.
06:42 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
06:43 < AL13N_work> (yet)
06:43 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
06:44 -!- mattock_afk is now known as mattock
06:44 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Remote host closed the connection]
06:44 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
06:44 < AL13N_work> i read the first link and i get it... but this is a quite a reliable link, and not congested at all... so, it's a bit odd
06:45 < AL13N_work> well, we'll have to do some tests
06:45 -!- Guest94690 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: Connection reset by peer]
06:46 -!- Guest94690 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
06:54 -!- Guest92970 [~cosmond@216.168.111.227] has left #openvpn []
06:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
06:57 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
06:58 -!- puchu [~u@unaffiliated/puchu] has joined #openvpn
06:58 < puchu> gi
06:58 < puchu> hi
06:59 < puchu> i installed openvpn on debian - and it works fine - except allthough the tap interface shows traffic the device is shown as down in ifconfig - what could be the cause that it is "down"?
06:59 < puchu> tcpdump shows traffic - so i don'T get, how this can happen
07:02 -!- AL13N_work [~alien@91.183.52.232] has left #openvpn []
07:19 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
07:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:20 -!- klein__ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:21 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
07:29 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
07:30 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
07:36 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
07:37 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
07:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
07:38 -!- takamichi [~takamichi@85.12.8.104] has quit [Read error: Connection reset by peer]
07:38 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
07:39 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:52 -!- klein__ [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 248 seconds]
07:57 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 248 seconds]
07:58 -!- Noob5aibot [~NoobSaibo@24-213-19-74.static.mrqt.mi.charter.com] has quit [Ping timeout: 250 seconds]
07:59 -!- losted [~losted@box.losted.net] has joined #openvpn
08:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
08:09 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 260 seconds]
08:09 -!- losted_ [~losted@box.losted.net] has joined #openvpn
08:09 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
08:10 -!- losted_ is now known as losted
08:10 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:10 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 252 seconds]
08:10 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
08:14 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
08:14 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:14 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
08:14 -!- mode/#openvpn [+o dazo] by ChanServ
08:15 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
08:16 -!- vitorio [~vitorio@201.20.44.2] has joined #openvpn
08:17 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
08:27 -!- mattock is now known as mattock_afk
08:33 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Quit: ABANDON SHIP! ABANDON SHIP!]
08:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:40 -!- xBytez [~xBytez@unaffiliated/xbytez] has joined #openvpn
08:44 -!- xBytez [~xBytez@unaffiliated/xbytez] has left #openvpn []
08:46 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
08:52 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
08:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
09:02 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 250 seconds]
09:04 -!- puchu [~u@unaffiliated/puchu] has quit [Quit: leaving]
09:08 -!- Guest2691 [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
09:09 -!- lvv [~loganaden@196.1.0.29] has quit [Quit: lvv]
09:10 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
09:11 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Ping timeout: 608 seconds]
09:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:12 -!- Guest2691 [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has left #openvpn []
09:12 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
09:12 -!- novaflash_away is now known as novaflash
09:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
09:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
09:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:20 -!- jtrucks [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
09:22 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
09:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:31 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Connection reset by peer]
09:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:35 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
09:35 < vitorio> !welcome
09:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:35 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
09:36 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
09:43 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:51 -!- mattock_afk is now known as mattock
09:52 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 245 seconds]
09:53 -!- losted [~losted@box.losted.net] has joined #openvpn
09:53 < _FBi> !mitm
09:53 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
09:55 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
09:59 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
10:00 -!- Guest94690 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Ping timeout: 260 seconds]
10:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 272 seconds]
10:07 -!- Guest94690 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
10:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:13 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
10:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:34 -!- fission6 [~fission6@199.47.74.246] has joined #openvpn
10:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 260 seconds]
10:41 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:44 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds]
10:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:47 < vitorio> \q
10:47 -!- vitorio [~vitorio@201.20.44.2] has left #openvpn ["Leaving"]
10:48 -!- klein__ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
10:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
11:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:11 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:16 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
11:16 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
11:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:42 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:03 -!- lj [~l@192.241.174.169] has joined #openvpn
12:07 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:09 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
12:10 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
12:12 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:14 -!- pekster_ [~rewt@openvpn/community/support/pekster] has quit [Client Quit]
12:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:20 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
12:23 -!- klein__ [~klein@189-016-006-003.asselvi.edu.br] has quit [Quit: Leaving]
12:24 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:30 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
12:36 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
12:42 -!- justaguy [~n@unaffiliated/justaguy] has joined #openvpn
12:43 < justaguy> I'm looking for the latest .deb for an access server
12:43 < justaguy> http://swupdate.openvpn.org/as/openvpn-as-1.8.5-Ubuntu10.amd_64.deb is this the latest?
12:43 < rob0> !as
12:43 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
12:44 < justaguy> rob0: ok
12:44 -!- justaguy [~n@unaffiliated/justaguy] has left #openvpn []
12:46 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
12:47 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
12:48 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Ping timeout: 260 seconds]
12:49 -!- fission6 [~fission6@199.47.74.246] has left #openvpn []
12:52 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
12:56 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
13:02 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
13:16 -!- master_of_master [~master_of@p4FF2477E.dip0.t-ipconnect.de] has joined #openvpn
13:16 <@krzee> !tcp
13:16 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:19 -!- master_o1_master [~master_of@p4FF24397.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
13:34 -!- linuxthefish [~linuxthef@linuxthefish.net] has joined #openvpn
13:34 < linuxthefish> why does OpenVPN say failed to connect with nothing in the log?
13:34 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
13:35 < linuxthefish> ok, it's connected but now the internet won't work!
13:35 < linuxthefish> can't ping any ip...
13:36 -!- jtrucks [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
13:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:44 -!- klein [~klein@unaffiliated/klein] has quit [Quit: Leaving]
13:46 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
13:49 < linuxthefish> GRR, stupid openvpn won't work on windows 8
13:50 -!- Guest36648 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
13:52 -!- pdobrogost [~quassel@77-255-245-159.adsl.inetia.pl] has joined #openvpn
13:53 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 260 seconds]
14:00 -!- joshh20-Away is now known as joshh20
14:07 < linuxthefish> is there any openvpn alternative that dosn't keep disconnecting?
14:13 -!- Guest36648 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
14:15 -!- Guest99715 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:17 -!- Guest99715 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
14:17 -!- joshh20 is now known as joshh20-Away
14:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:19 -!- carlf [~carlf@pool-108-47-138-237.lsanca.fios.verizon.net] has joined #openvpn
14:19 <@Eugene> openvpn works just fine with Windows 8 for me
14:19 <@Eugene> !download
14:19 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
14:19 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
14:19 < carlf> !welcome
14:19 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:19 <@Eugene> Are you sure you're using a current version? .se's 2.0.9 dun work anymore ;-)
14:19 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:20 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
14:21 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 252 seconds]
14:21 < rob0> Eugene, o/
14:21 <@Eugene> \o
14:21 < rob0> I was in a DNS training class last week, your dad was mentioned. :)
14:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:24 <@Eugene> Shiny. What class?
14:25 < rob0> ISC basic+advanced, Alan Clegg.
14:26 <@Eugene> Ah, so people who should actually know what they're talking about.
14:27 <@Eugene> This guy? http://www.linkedin.com/in/aclegg
14:28 <@Eugene> Hahahah, wow. ALSO a volunteer firefighter, ALSO at a department named Fairview.
14:28 <@Eugene> It's a small world after all.
14:28 < rob0> So I said, "Hey! I know his son! And ... he's a firefighter!"
14:28 < rob0> :)
14:29  * Eugene ponders dinner
14:31 <@Eugene> Any chance you're ALSO in atlanta this week? :v
14:31 < rob0> nah, I had to get home
14:31 <@Eugene> So.... you were?
14:32 < rob0> no, I came straight home from DC/NoVa
14:32 <@Eugene> Ah.
14:32 <@Eugene> Popular neighborhood, that.
14:34 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
14:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:36 < linuxthefish> no but OpenVPN works on other windows 7 and this is version 2.3.2 x86_64-w64-mingw32
14:36 < linuxthefish> also it's not working on my friend's windows 8...
14:39 < _FBi> !blackberry
14:40 -!- dazo is now known as dazo_afk
14:54 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 245 seconds]
15:00 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
15:07 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
15:15 <@krzee> !qnx
15:15 <@vpnHelper> "qnx" is https://forums.openvpn.net/topic2449.html for the qnx6 port of openvpn
15:16 <@krzee> _FBi, very old, but thats the only thing i ever seen
15:19 -!- mdim [~user@line-marko.cs.utah.edu] has joined #openvpn
15:24 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
15:32 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:34 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
15:35 -!- mattock is now known as mattock_afk
15:39 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
15:40 -!- carlf [~carlf@pool-108-47-138-237.lsanca.fios.verizon.net] has left #openvpn ["WeeChat 0.4.2"]
15:55 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:01 -!- qwertyoruiop is now known as xXx_1337masterqw
16:01 -!- xXx_1337masterqw is now known as xXx1337swagqw3r7
16:01 -!- xXx1337swagqw3r7 is now known as x1337swagqw3r7y0
16:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:14 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
16:14 -!- x1337swagqw3r7y0 is now known as qwertyoruiop
16:15 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:23 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has quit [Ping timeout: 260 seconds]
16:27 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has joined #openvpn
16:30 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
16:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:31 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
16:32 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:33 -!- kloeri_ is now known as kloeri
16:37 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
16:57 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: leaving]
16:58 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
16:59 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 272 seconds]
17:05 -!- NChief2 is now known as NChief
17:05 -!- NChief [~nchief@ircimg.net] has quit [Changing host]
17:05 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
17:06 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
17:08 -!- NChief [~nchief@unaffiliated/nchief] has quit [Quit: leaving]
17:09 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
17:10 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: bouncy bouncy]
17:11 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
17:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:21 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
17:23 -!- dimitry7 [~antonello@38.124.174.31] has quit [Ping timeout: 260 seconds]
17:25 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
17:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:33 -!- klein [~klein@187.85.164.120] has joined #openvpn
17:33 -!- klein [~klein@187.85.164.120] has quit [Changing host]
17:33 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:35 -!- joshh20-Away is now known as joshh20
17:35 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-wmdizircldzgzdts] has quit [Ping timeout: 264 seconds]
17:37 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-rglydlehvypssbnb] has joined #openvpn
17:42 -!- pdobrogost [~quassel@77-255-245-159.adsl.inetia.pl] has quit [Remote host closed the connection]
17:51 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
17:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
18:04 < _FBi> thanks
18:12 -!- pjschmitt [~parker@unaffiliated/schmitt953] has quit [Ping timeout: 252 seconds]
18:13 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
18:19 -!- joshh20 is now known as joshh20-Away
18:25 -!- joshh20-Away is now known as joshh20
18:45 -!- mdim [~user@line-marko.cs.utah.edu] has quit [Ping timeout: 260 seconds]
18:48 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Quit: Leaving]
18:52 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:08 -!- joshh20 is now known as joshh20-Away
19:17 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
19:17 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
19:25 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
19:33 -!- dimitry7 [~antonello@38.124.174.31] has quit [Quit: Leaving]
19:52 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:55 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
19:56 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
20:07 -!- pjschmitt [~parker@209.141.56.12] has quit [Remote host closed the connection]
20:13 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
20:22 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
20:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
20:43 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
20:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:45 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:45 < VsioZashibis> hello again all
20:45 < VsioZashibis> I come with the same question again, as yesterday )
20:46 < VsioZashibis> I wonder if there is a way to bridge the network of a vmware workstation host's vm, with an openvpn adapter installed in a windos 7 vm guest of that host.
20:48 -!- joshh20-Away is now known as joshh20
20:49 <@Eugene> What?
20:49 -!- joshh20 is now known as joshh20-Away
20:49 <@Eugene> Just route it properly
20:50 < VsioZashibis> lol how
20:50 < VsioZashibis> I don't understand
20:51 <@Eugene> !clientlan
20:51 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
20:51 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
20:51 <@Eugene> !route
20:51 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
20:51 <@vpnHelper> client
20:51 <@Eugene> Magic.
20:52 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:02 -!- booo [~booo__@p54BD8C96.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
21:03 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
21:08 < VsioZashibis> Eugene:
21:09 <@Eugene> Me!
21:09 < VsioZashibis> Eugene: so wich is it ? clientlan or route ?
21:09 <@Eugene> Both. Read.
21:09 < VsioZashibis> !clientlan
21:09 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see
21:09 <@vpnHelper> !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
21:10 < VsioZashibis> errr
21:10 < VsioZashibis> hard to anderstand for me (
21:11 -!- booo [~booo__@p54BD8F96.dip0.t-ipconnect.de] has joined #openvpn
21:11 < VsioZashibis> wow many things need to be done
21:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 250 seconds]
21:41 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
21:46 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Ping timeout: 272 seconds]
21:52 < sunwind> heh.. virgin media, UK ISP has blocked imgur
21:52 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:54 < sunwind> along with torrentz.eu
21:54 < sunwind> time to really think about getting an offsite vpn..
22:01 -!- booo [~booo__@p54BD8F96.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
22:04 -!- booo [~booo__@p54BDBFEC.dip0.t-ipconnect.de] has joined #openvpn
22:06 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
22:10 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
22:14 < BtbN> sunwind, can't you just opt-out of the filter?
22:15 < sunwind> that's the porn filter
22:15 < BtbN> i wouldn't be surprised of they put imgur on there
22:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
22:29 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:37 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
22:47 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:59 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 245 seconds]
23:05 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Operation timed out]
23:06 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
23:11 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:28 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
23:32 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
23:33 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Read error: Connection reset by peer]
--- Day changed Wed Feb 12 2014
00:03 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
00:08 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:19 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
00:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:34 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:34 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
00:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
00:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:51 -!- mattock_afk is now known as mattock
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
01:10 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:17 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 252 seconds]
01:18 -!- makara [~makara@41.164.22.218] has quit [Remote host closed the connection]
01:20 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:25 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
01:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:28 -!- s0urse [~s0urse@66-215-64-70.static.lsan.ca.charter.com] has joined #openvpn
01:29 < s0urse> anyone around that can help take a look at my config?
01:29 < s0urse> here is the server config #################################################
01:29 < s0urse> # Sample OpenVPN 2.0 config file for            #
01:29 < s0urse> # multi-client server.                          #
01:29 < s0urse> #                                               #
01:29 < s0urse> # This file is for the server side              #
01:29 < s0urse> # of a many-clients <-> one-server              #
01:29 < s0urse> # OpenVPN configuration.                        #
01:29 < s0urse> #                                               #
01:30 < s0urse> # OpenVPN also supports                         #
01:30 < s0urse> # single-machine <-> single-machine             #
01:30 < s0urse> # configurations (See the Examples page         #
01:30 < s0urse> # on the web site for more info).               #
01:30 < s0urse> #                                               #
01:30 < s0urse> # This config should work on Windows            #
01:30 < s0urse> # or Linux/BSD systems.  Remember on            #
01:30 < s0urse> # Windows to quote pathnames and use            #
01:30 < s0urse> # double backslashes, e.g.:                     #
01:30 < s0urse> # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
01:30 < s0urse> #                                               #
01:30 < s0urse> # Comments are preceded with '#' or ';'         #
01:30 < s0urse> #################################################
01:30 < s0urse> # Which local IP address should OpenVPN
01:30 < s0urse> # listen on? (optional)
01:30 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:30 < s0urse> ;local a.b.c.d
01:30 < s0urse> # Which TCP/UDP port should OpenVPN listen on?
01:30 < s0urse> # If you want to run multiple OpenVPN instances
01:30 < kraut> s0meone: use pastebin!
01:30 < s0urse> # on the same machine, use a different port
01:30 < s0urse> # number for each one.  You will need to
01:30 < s0urse> # open up this port on your firewall.
01:30 < s0urse> port 1194
01:30 < s0urse> # TCP or UDP server?
01:30 < s0urse> ;proto tcp
01:30 < s0urse> proto udp
01:30 < s0urse> # "dev tun" will create a routed IP tunnel,
01:30 < s0urse> # "dev tap" will create an ethernet tunnel.
01:30 < s0urse> # Use "dev tap0" if you are ethernet bridging
01:31 < s0urse> # and have precreated a tap0 virtual interface
01:31 < s0urse> # and bridged it with your ethernet interface.
01:31 < s0urse> # If you want to control access policies
01:31 < s0urse> # over the VPN, you must create firewall
01:31 < s0urse> # rules for the the TUN/TAP interface.
01:31 < s0urse> # On non-Windows systems, you can give
01:31 < s0urse> # an explicit unit number, such as tun0.
01:31 < s0urse> # On Windows, use "dev-node" for this.
01:31 < s0urse> # On most systems, the VPN will not function
01:31 < s0urse> # unless you partially or fully disable
01:31 < s0urse> # the firewall for the TUN/TAP interface.
01:31 < s0urse> ;dev tap
01:31 < s0urse> ;dev tun
01:31 < s0urse> dev ta
01:31 < s0urse> here is the client ##############################################
01:31 < s0urse> # Sample client-side OpenVPN 2.0 config file #
01:31 < s0urse> # for connecting to multi-client server.     #
01:31 < s0urse> #                                            #
01:31 < s0urse> # This configuration can be used by multiple #
01:31 < s0urse> # clients, however each client should have   #
01:31 < s0urse> # its own cert and key files.                #
01:31 < s0urse> #                                            #
01:31 < s0urse> # On Windows, you might want to rename this  #
01:31 < s0urse> # file so it has a .ovpn extension           #
01:31 < s0urse> ##############################################
01:31 < s0urse> # Specify that we are a client and that we
01:31 < s0urse> # will be pulling certain config file directives
01:31 < s0urse> # from the server.
01:32 < s0urse> client
01:32 < s0urse> # Use the same setting as you are using on
01:32 < s0urse> # the server.
01:32 < s0urse> # On most systems, the VPN will not function
01:32 < s0urse> # unless you partially or fully disable
01:32 < s0urse> # the firewall for the TUN/TAP interface.
01:32 < s0urse> dev tap
01:32 < s0urse> ;dev tun
01:32 < s0urse> # Windows needs the TAP-Win32 adapter name
01:32 < s0urse> # from the Network Connections panel
01:32 < s0urse> # if you have more than one.  On XP SP2,
01:32 < s0urse> # you may need to disable the firewall
01:32 < s0urse> # for the TAP adapter.
01:32 < s0urse> ;dev-node MyTap
01:32 < s0urse> # Are we connecting to a TCP or
01:32 < s0urse> # UDP server?  Use the same setting as
01:32 < s0urse> # on the server.
01:32 < s0urse> ;proto tcp
01:32 < s0urse> proto udp
01:32 < s0urse> # The hostname/IP and port of the server.
01:32 < s0urse> # You can have multiple remote entries
01:32 < s0urse> # to load balance between the servers.
01:32 < s0urse> remote 66.214.240.103 1194
01:32 < s0urse> ;remote my-server-2 1194
01:32 < s0urse> # Choose a random host from the remote
01:32 < s0urse> # list for load-balancing.  Otherwise
01:32 < s0urse> # try hosts in the order specified.
01:32 < s0urse> ;remote-random
01:33 < s0urse> # Keep trying indefinitely to resolve the
01:33 < s0urse> # host name of the OpenVPN server.  Very useful
01:33 < s0urse> # on machines which are not permanently connected
01:33 < s0urse> # to the internet such as laptops.
01:33 < s0urse> resolv-retry infinite
01:33 < s0urse> # Most clients don't need to bind to
01:33 < s0urse> # a specific local port number.
01:33 < s0urse> nobind
01:33 < s0urse> # Downgrade privileges after initialization (non-Windows only)
01:33 < s0urse> ;user nobody
01:33 < s0urse> ;group nobody
01:33 < s0urse> # Try to preserve some state across restarts.
01:33 < s0urse> persist-key
01:33 < s0urse> persist-tun
01:33 < s0urse> # If you are connecting through an
01:33 < s0urse> # HTTP proxy to reach the actual OpenVPN
01:33 < s0urse> # server, put the proxy server/IP and
01:33 < s0urse> # port number here.  See th
01:33 < s0urse> trying to do a bridged vpn with windows 7 machine as server and client, the error im getting is P_CONTROL_HARD_RESET_CLIENT_V2
01:33 < s0urse> oh shit, sorry
01:33 < s0urse> server http://pastebin.com/aVK2Rpka
01:33 < s0urse> client http://pastebin.com/dw8rQmN3
01:33 < s0urse> firewall is off on the server
01:33 -!- map [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
01:34 -!- map is now known as Guest57880
01:36 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has quit [Ping timeout: 265 seconds]
01:49 -!- Kottizen [~martin@trekweb/supporter/kottizen] has joined #openvpn
01:50 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined #openvpn
01:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 250 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
02:07 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
02:09 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:18 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
02:20 -!- crus [~crusader@2001:44b8:319e:2900:c42f:974d:48c1:36fa] has quit [Remote host closed the connection]
02:20 -!- crus [~crusader@2001:44b8:319e:2900:c42f:974d:48c1:36fa] has joined #openvpn
02:25 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
02:25 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Read error: Connection reset by peer]
02:33 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Read error: Connection reset by peer]
02:34 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:41 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Quit: WeeChat 0.4.2]
02:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
02:42 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Ping timeout: 245 seconds]
02:45 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:48 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Operation timed out]
02:55 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
03:07 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
03:08 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
03:22 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:34 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
03:39 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
03:46 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Excess Flood]
03:47 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
03:49 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Quit: Leaving.]
03:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
03:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:51 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
04:00 -!- klein [~klein@187.85.164.120] has joined #openvpn
04:00 -!- klein [~klein@187.85.164.120] has quit [Changing host]
04:00 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:01 -!- liriel [~liriel@198.154.114.106] has quit [Ping timeout: 252 seconds]
04:01 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
04:14 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
04:15 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
04:17 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
04:26 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:36 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:45 -!- mattock is now known as mattock_afk
04:49 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
04:54 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
04:57 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
05:00 < sammm> hey! I'm wondering; what's the best way to have a client connect to my LAN but not tunnel my WAN?
05:00 -!- dazo_afk is now known as dazo
05:00 < sammm> I want my client to simply have access to my LAN
05:00 < sammm> not my WAN
05:01 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
05:10 < lvv> hoi
05:10 < lvv> i have a small patch for openvpn
05:10 < lvv> any committer around who would be willing to discuss it ?
05:13 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
05:20 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
05:25 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
05:36 -!- mattock_afk is now known as mattock
05:38 -!- rondile [4425c418@gateway/web/cgi-irc/kiwiirc.com/ip.68.37.196.24] has joined #openvpn
05:38 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
05:44 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
05:49 -!- rondile [4425c418@gateway/web/cgi-irc/kiwiirc.com/ip.68.37.196.24] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
05:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
05:58 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
05:58 -!- takamichi [~takamichi@85.12.8.104] has quit [Max SendQ exceeded]
05:59 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
06:09 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
06:10 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:10 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:10 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:14 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
06:20 -!- Guest94690 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Read error: No route to host]
06:21 -!- Guest94690 [~Sembei@unaffiliated/sembei] has joined #openvpn
06:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
06:27 -!- Guest94690 [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:27 -!- Guest40671 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
06:41 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
06:41 < sammm> hey guys
06:42 <@ecrist> sup?
06:42 < sammm> what is the best way to connect a client to my LAN via VPN, but still have them use their own internet for WAN
06:50 < pekster> Once you have a basic VPN running and can ping between the endpoints (follow: !howto for that) you can get that with !serverlan
06:59 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
07:04 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
07:05 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:05 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 250 seconds]
07:05 < sammm> thank you pekster
07:06 < sammm> !serverlan
07:06 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
07:06 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
07:17 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
07:19 -!- lvv_ [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
07:19 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
07:19 -!- lvv_ is now known as lvv
07:20 -!- phatphreak [phatphreak@115-64-52-172.static.tpgi.com.au] has joined #openvpn
07:20 < phatphreak> !welcome
07:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:20 < phatphreak> !goal
07:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:22 < phatphreak> Hey all, I have installed OpenVPN on my server. I have opened both tcp and udp 1194 ports in IPTables and according to ping.eu and yougetsignal the port is still closed. however I have tested other open ports and they show a green light.
07:22 < phatphreak> Anyone have any ideas as to how i can get this working?
07:23 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
07:24 < phatphreak> hey Eagleman
07:26 <@Eugene> You need to do more than just install openvpn to get a working VPN tunnel
07:27 <@Eugene> "is my port open" tools typically establish a TCP session, and maybe do some protocol-aware stuff. It's recommended to use UDP with openvpn, so that won't do you any good at all
07:29 < phatphreak> What do you recommend, Eugene? I have checked the configs on both the server and client and everything appears to match.
07:30 <@Eugene> !configs
07:30 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:30 <@Eugene> !logs
07:30 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:31 < phatphreak> http://pastebin.com/2Lg3rgxw
07:31 < phatphreak> that's the server conf
07:32 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
07:32 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
07:32 < phatphreak> http://pastebin.com/XDb2F8PD
07:32 < phatphreak> thats the client.ovpn file
07:33 < phatphreak> I am running CentOS 6.5 x86_64 minimal
07:34 < phatphreak> !logfile
07:34 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
07:38 < phatphreak> http://pastebin.com/wXTmBNRB
07:38 < phatphreak> That's the server log file
07:39 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
07:41 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
07:42 < sammm> !route
07:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
07:42 < sammm> !tcpip
07:42 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
07:42 < sammm> !clientlan
07:42 < phatphreak> my client log is on the way, too big for pastebin, uploading to my web server.
07:42 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
07:42 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
07:44 <@Eugene> phatphreak - no PMs, please
07:45 < phatphreak> i simply PMed the client log files which contains info I prefer most people not see if I can help it.
07:45 <@Eugene> !secret
07:45 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
07:45 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 272 seconds]
07:45 <@Eugene> !topsecret
07:45 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
07:45 <@Eugene> That's the one.
07:45 < phatphreak> http://180.200.247.114/client_log.txt
07:45 < phatphreak> There.
07:47 < Thermi> Thu Feb 13 00:11:45 2014 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=AU/ST=NSW/L=Beverly_Hills/O=Eternal_Internet_Hosting/OU=Intranet/CN=gateway.eq-syd3.eternalhost.com.au/name=Intranet/emailAddress=christopherh@eternalhost.com.au
07:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:47 < phatphreak> How do I "make it" valid?
07:47 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:48 < phatphreak> afaik, you create a CSR, submit it to a certificate issuer and they send you the certificate.
07:48 <@Eugene> !time
07:48 <@vpnHelper> "time" is if you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
07:48 <@Eugene> Your certificate was signed in the future.
07:48 < Thermi> A certificate has a validity time frame from a certain date to a certain date. The point in time you are trying to use it currently, is not in that time frame.
07:49 < Thermi> Possibly just a time error on your box
07:49 < Thermi> Update the time on your box and it should be good
07:50 -!- mattock is now known as mattock_afk
07:51 < phatphreak> ok lemme see...
07:54 < phatphreak> Thu Feb 13 00:54:14 2014 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=AU/ST=NSW/L=Beverly_Hills/O=Eternal_Internet_Hosting/OU=Intranet/CN=gateway.eq-syd3.eternalhost.com.au/name=Intranet/emailAddress=christopherh@eternalhost.com.au
07:55 < phatphreak> I ran "date 011300552014"
07:55 < phatphreak> and "hwclock --systohc"
07:55 < phatphreak> still same error
07:56 < phatphreak> i also restarted the openvpn server daemon.
07:57 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
07:58 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:59 < sammm> !serverlan
07:59 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
07:59 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
08:07 < phatphreak> Thermi, Eugene: Any ideas why it's still not behaving?
08:10 < Thermi> The valid from - to fields aren't correct for your usage
08:10 <@dazo> phatphreak: you need to check the date stamps in the certificate ... openssl x509 -noout -dates -in <cert-file>
08:10 < Thermi> look at them with openssl
08:12 < phatphreak> eb 12 23:27:54 2014 GMT
08:13 < phatphreak> its 1413hrs.
08:13 <@dazo> that's your problem
08:13 < phatphreak> damn i hate this certificate regen crap...
08:13 < phatphreak> :p
08:15 -!- soapee01_ is now known as soapee01
08:16 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:18 < phatphreak> [root@gateway 2.0]# openssl x509 -noout -dates -in /var/www/html/ca.crt
08:18 < phatphreak> notBefore=Jan 12 14:15:10 2014 GMT
08:18 < phatphreak> notAfter=Jan 10 14:15:10 2024 GMT
08:19 < phatphreak> that's better...
08:20 < phatphreak> Thu Feb 13 01:20:11 2014 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=AU/ST=NSW/L=Beverly_Hills/O=Eternal_Internet_Hosting/OU=Intranet/CN=gateway.eq-syd3.eternalhost.com.au/name=Intranet/emailAddress=christopherh@eternalhost.com.au
08:21 < phatphreak> i'm now getting that error.
08:27 < phatphreak> i'm going to restart my machine, brb.
08:27 -!- phatphreak [phatphreak@115-64-52-172.static.tpgi.com.au] has quit []
08:27 -!- andrewjs18 [~andrew@pool-108-2-13-163.phlapa.east.verizon.net] has joined #openvpn
08:29 < andrewjs18> is anyone familiar with openvpn on a raspberry pi?
08:29 < andrewjs18> although I guess it doesn't really matter which platform the server is on..
08:29 -!- mattock_afk is now known as mattock
08:39 <@Eugene> Not directly, but if you're runnian a linux distro on the pi it should behave normally, if a bit slow.
08:39 <@Eugene> And I can't type.
08:39 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has joined #openvpn
08:40 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has quit [Changing host]
08:40 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
08:40 < andrewjs18> Eugene, it seems that not all of my traffic is hitting the vpn
08:41 <@Eugene> !redirect
08:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:41 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
08:41 <@Eugene> Is that what you want ^ ?
08:41 < andrewjs18> I'll explain what appears to be going on
08:42 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:42 < andrewjs18> I have a web server on the same network as the pi server running openvpn.  the web server runs on a 173.X.X.X IP address.  if I do a tracert to my domain that goes to my web server, it appears to go out over the internet rather than the vpn.  if I do a tracert to google with a 74.X.X.X IP, it goes out over the vpn
08:43 < andrewjs18> so if I do a route print, it shows this:
08:43 < andrewjs18>   0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30
08:43 < andrewjs18> Eugene, ^
08:45 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 260 seconds]
08:48 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 260 seconds]
08:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:00 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
09:01 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:02 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
09:08 -!- Guest57880 [~Mark@94-193-78-219.zone7.bethere.co.uk] has left #openvpn []
09:10 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
09:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:24 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has joined #openvpn
09:35 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
09:36 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
09:37 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
09:44 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
09:46 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
09:46 -!- mattock is now known as mattock_afk
09:48 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:49 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
09:50 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
09:51 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
09:51 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
09:52 -!- pjschmit1 [~parker@209.141.56.12] has joined #openvpn
09:52 -!- master_o1_master [~master_of@p4FF2477E.dip0.t-ipconnect.de] has joined #openvpn
09:52 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
09:54 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
09:54 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
09:55 -!- Pei_ [~pei@thinks.outside.theb0x.org] has joined #openvpn
09:55 -!- gardar- [~gardar@bnc.giraffi.net] has joined #openvpn
09:55 -!- novaflash_ [~novaflash@its.novaflash.nl] has joined #openvpn
09:56 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
09:56 -!- Netsplit *.net <-> *.split quits: pjschmitt, master_of_master, davidmp, cyberspace-, soapee01, Linmu, qwertyoruiop, Pei, rooth, pvpimp,  (+5 more, use /NETSPLIT to show all of them)
09:56 -!- novaflash_ is now known as novaflash
09:57 -!- Netsplit over, joins: pvpimp
09:57 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
09:57 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
09:57 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
09:57 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
09:57 -!- qwertyoruiop_ is now known as qwertyoruiop
09:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:58 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
10:05 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
10:05 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
10:05 -!- mode/#openvpn [+o novaflash] by ChanServ
10:09 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
10:09 < mapps> !linnat
10:09 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:09 < mapps> !ipforward
10:09 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:09 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
10:09 < mapps> !linipforward
10:09 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:18 -!- crus [~crusader@2001:44b8:319e:2900:c42f:974d:48c1:36fa] has quit [Read error: Connection reset by peer]
10:19 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 272 seconds]
10:23 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
10:31 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
11:04 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 245 seconds]
11:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:11 -!- andrewjs18 [~andrew@pool-108-2-13-163.phlapa.east.verizon.net] has quit [Ping timeout: 260 seconds]
11:13 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
11:14 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:21 -!- soapee01_ is now known as soapee01
11:26 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
11:26 -!- lj [~l@192.241.174.169] has joined #openvpn
11:29 -!- freeone3000 [~temp@Syncleus/dev/freeone3000] has joined #openvpn
11:30 < freeone3000> If I have two subnets, 10.0.1.0/24 and 10.0.2.0/24, and I'd like them connected such that 10.0.1.6 can connect to 10.0.2.9 via VPN (10.0.1.20 and 10.0.2.20, for instance) - do I want "routing" or "bridging"?
11:31 < freeone3000> Ideally, it'd go 10.0.1.6 -> 10.0.1.20 -> Internet -> 10.0.2.20 -> 10.0.2.9, and neither 10.0.1.6 nor 10.0.2.9 have to "know about" the VPN.
11:39 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
11:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
11:49 < kcodyjr> freeone3000, you want routing.
11:49 < freeone3000> kcodyjr: Awesome, thanks.
11:49 < kcodyjr> in fact, it sounds to me like you want a p2p tun between 1.20 and 2.20.
11:49 < freeone3000> Indeed I do. And possibly seven to ten others, if that's doable. I can do multi-tier if it's not.
11:50 < kcodyjr> depends whether you want them to really consider themselves peers, or if one location is the "main" and each other dials into it.
11:50 < kcodyjr> if one location can serve as concentrator, then one instance can do it. otherwise, for true peer-to-peer mode, you'll need a separate openvpn process for each tunnel.
11:50 < freeone3000> They really are peers. It's a distributed network.
11:51 < kcodyjr> then you'll need to allocate a process for each tunnel.
11:51 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
11:51 < kcodyjr> each with its own port number.
11:51 < freeone3000> Okay. If I allocate a centralized "dial-in" location that each peer dials into, and enable client-to-client visibility, would that be an alternate solution?
11:51 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
11:51 < kcodyjr> yes.
11:51 < kcodyjr> but that one location better have pissa connectivity.
11:52 < kcodyjr> like, say, a dedicated box in a datacenter with multiple backbone connections, such as Internap used to be, though scuttlebutt says they suck now.
11:52 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:52 < kcodyjr> well, depending how big your network is and how much traffic you're talking about.
11:52 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:53 < kcodyjr> i think it really comes down to how the workflow (and thus traffic) is distributed between locations
11:53 < kcodyjr> if one of them can sensibly be considered the center of it all, then that location would intuitively make for an efficient concentrator.
11:53 < kcodyjr> if there's really a lot of direct remote-to-remote traffic, then maybe you are better off with multiple tunnels.
11:54 < freeone3000> It's mongodb sharding cross-talk.
11:54 < freeone3000> So it looks like multiple tunnels it is.
11:54 < kcodyjr> i would also submit that each time you add a new office/datacenter, you'll have to touch every router, unless you run a dynamic link-state routing protocol such as ospf.
11:54 < kcodyjr> yeah for what you're doing, i'd go with multiple tunnels.
11:54 < kcodyjr> gotta run.
11:55 < freeone3000> Thanks for the help.
12:00 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 250 seconds]
12:00 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 272 seconds]
12:01 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
12:02 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
12:03 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
12:03 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
12:04 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Ping timeout: 250 seconds]
12:05 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
12:05 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
12:06 < thoraxe> dumb question - is there any way to do dns-based routing? for example, i don't want any pandora stuff to go through the vpn tunnel (because my tunnel endpoint is not in the US)
12:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
12:07 <@Eugene> !routebyapp
12:07 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
12:07 <@vpnHelper> policies you set. For Linux, read about !lartc
12:08 <@Eugene> That's as close as it comes. Run browser1 through the proxy app to the vpn, and only visit Pandora etc in that browser ;-)
12:15 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
12:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:17 -!- lj [~l@192.241.174.169] has joined #openvpn
12:18 < thoraxe> um
12:18 < thoraxe> i think i want the opposite
12:18 < thoraxe> i *do not* want to send pandora traffic to the vpn
12:18 < thoraxe> so setting up a socks server on the vpn doesn't fix my problem, because the vpn server location is the problem :)
12:18 < thoraxe> !lartc
12:18 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
12:35 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
12:36 -!- andrewjs18 [~andrew@pool-108-2-13-163.phlapa.east.verizon.net] has joined #openvpn
12:48 -!- dazo is now known as dazo_afk
12:54 -!- mdim [~user@c-98-202-215-47.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
12:55 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
12:55 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
12:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:58 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
12:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:05 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
13:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:08 < freeone3000> thoraxe: So you want a socks proxy that you funnel all traffic *except* pandora from.
13:09 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 260 seconds]
13:14 -!- freeone3000 [~temp@Syncleus/dev/freeone3000] has quit [Quit: Konversation terminated!]
13:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:16 -!- master_of_master [~master_of@p4FD7BDBE.dip0.t-ipconnect.de] has joined #openvpn
13:17 -!- master_o1_master [~master_of@p4FF2477E.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
13:18 -!- phunyguy_ [~plorpian@unaffiliated/phunyguy] has joined #openvpn
13:20 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:20 -!- mode/#openvpn [+v s7r] by ChanServ
13:20 < phunyguy_> quick question... I am using a learn-address script, and at first I thought maybe there was a syntax error in the script, causing it to exit with a non-zero status, this making the client not work correctly.  So I put as the first command in the script to dump some output to a file, which it didn't, so that makes me think that the script isn't even attempting to run.  Any ideas?
13:20 < phunyguy_> permissions look good, it just won't run it.
13:21 -!- phunyguy_ is now known as phunyguy
13:23 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
13:23 < Thermi> phunyguy: Did you set the security stuff in openvpn?
13:23 < phunyguy> ahh wait, script-security?
13:23 < Thermi> yep
13:23 < phunyguy> I just saw that in the config as you said it.
13:23 < phunyguy> this is on a pfsensew box so I will have to see if there is an option to change that
13:23 < phunyguy> pfsense*
13:24 < Thermi> just change that setting and you should be fine
13:24 < phunyguy> right but after a reboot, pfsense will overwrite the config with its internal values
13:24 < phunyguy> there is a spot for "additional arguments" so I will change it there to see if it sticks.
13:26 < phunyguy> it is currently set to script-security 3
13:27 < Thermi> I'm not familiar with the settings, so I can't tell you if that is correct. Sorry. :/
13:27 < phunyguy> seems to be the most relaxed
13:44 -!- dren [dren@69.163.43.34] has quit [Ping timeout: 252 seconds]
13:44 -!- dren [dren@69.163.43.34] has joined #openvpn
13:46 < phunyguy> so that script-security setting isn't the problem.  Any other ideas?
13:46 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 264 seconds]
13:48 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 245 seconds]
13:59 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
14:17 -!- phunyguy_ [~plorpian@unaffiliated/phunyguy] has joined #openvpn
14:17 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
14:18 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Ping timeout: 272 seconds]
14:18 -!- phunyguy_ is now known as phunyguy
14:19 -!- arader [~andrew@0x666.tk] has quit [Quit: bye]
14:22 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:25 -!- pixel13 [~pixelated@75-162-198-230.slkc.qwest.net] has joined #openvpn
14:25 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
14:26 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 245 seconds]
14:27 < pixel13> hello, curious if anyone here has any experience troubleshooting openvpn segfaults as a result of incoming client / TLS handshake
14:27 < pixel13> (Incoming Ciphertext -> TLS)
14:28 < pixel13> CentOS 5.9 / OpenVPN 2.1.2, has been used daily for years without issue, this morning (seemingly out of the blue), openvpn daemon seg faults the second a client attempts to establish the tunnel
14:28 < pixel13> !welcome
14:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:29 < pixel13> !goal
14:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:30 < pixel13> I would like to determine what could be causing the segmentation fault on the OpenVPN server as soon as the client attempts connections. This is not a new configuration, has been working reliably for a few years till this morning.
14:31 < defsdoor> pixel13, strace it
14:31 < pixel13> I have increased verbosity to 9 (FYI)
14:31 < pixel13> strace openvpn —config /path/to/server.conf ?
14:31 < defsdoor> strace -p
14:31 < defsdoor> and existing pid - either way
14:32 < defsdoor> does server do anything else ?
14:32 < defsdoor> run a memtest on it
14:33 < pixel13> yeah, it's fully responsive, other services are performing fine
14:33 < pixel13> disk space checks out, etc
14:33 < pixel13> ok, strace installed
14:34 < pixel13> ok, seeing the output
14:34 < pixel13> events=POLLIN|POLLPRI
14:34 < pixel13> turning on the client now to invoke the segfault
14:34 < pixel13> ok
14:35 < pixel13> ok, confirmed:
14:35 < pixel13> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
14:35 < pixel13> Process 4724 detached
14:35 < pixel13> I could paste in the output if that could help?
14:39 < pixel13> fwiw, confirmed expiry of certificates (e.g. not till 2022, etc)
14:40 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
14:40 < pixel13> output from the strace before SIGSEGV:
14:40 < pixel13> time(NULL)                              = 1392237481
14:40 < pixel13> time(NULL)                              = 1392237481
14:40 < pixel13> time(NULL)                              = 1392237481
14:42 <@ecrist> no pasting here
14:42 <@ecrist> !paste
14:42 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
14:43 < pixel13> my apologies
14:46 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
14:46 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
14:47 < pixel13> http://pastebin.com/fmxeYtF1
14:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:47 -!- mode/#openvpn [+v s7r] by ChanServ
14:47 -!- ssf82 [~ssf@unaffiliated/ssf82] has joined #openvpn
14:48 < pixel13> I only see one call to mmap2() after incoming connection from the client > first occurrence of inet_addr("x.x.x.x")
14:49 -!- ssf82 [~ssf@unaffiliated/ssf82] has left #openvpn []
14:49 < pixel13> the rest all looks very similar to me, I was not able to determine much else and have run out of ideas
14:50 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
14:51 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:58 -!- joshh20-Away is now known as joshh20
15:09 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
15:10 -!- pdobrogost [~quassel@77-255-255-119.adsl.inetia.pl] has joined #openvpn
15:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
15:30 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:37 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:42 -!- michaelhart [~michaelha@192.237.177.15] has quit [Ping timeout: 250 seconds]
15:43 -!- mdim [~user@line-marko.cs.utah.edu] has joined #openvpn
15:44 -!- pixel13 [~pixelated@75-162-198-230.slkc.qwest.net] has left #openvpn []
15:47 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
15:50 -!- michaelhart [~michaelha@192.237.177.15] has quit [Client Quit]
15:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:56 -!- sammm [~samamanja@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
15:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
15:58 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has joined #openvpn
15:59 < br4ndon> hi there
16:00 < br4ndon> is 4096 bits dh really make it slower on a everyday use?
16:00 < br4ndon> « it » being key processing by openvpn server & client
16:00 <@Eugene> Not really.
16:00 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
16:02 < br4ndon> So one should rather go with 4096?
16:02 < br4ndon> Why is the default 2048?
16:03 < _FBi> I thought default was 1024 :/
16:03 <@Eugene> Because it takes a lot logner to make 4096 than 2048
16:03 < _FBi> hey Eugene
16:04 < br4ndon> _FBi: default is 2048 using git ver of easyrsa
16:04 < _FBi> sure, no argueing from me :)
16:05 < br4ndon> So the only « real » sensible difference when it comes to performance is during the creation process of the key
16:07 <@Eugene> It can take a few extra seconds to establish a TLS connection, but meh. WOrth it.
16:07 < br4ndon> Let it be done!
16:08 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
16:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:11 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
16:16 -!- andrewjs18 [~andrew@pool-108-2-13-163.phlapa.east.verizon.net] has quit [Quit: Leaving]
16:18 -!- elfixit [~Icedove@125-224.197-178.cust.bluewin.ch] has joined #openvpn
16:22 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
16:27 -!- phunyguy_ [~plorpian@unaffiliated/phunyguy] has joined #openvpn
16:27 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Ping timeout: 260 seconds]
16:33 -!- elfixit [~Icedove@125-224.197-178.cust.bluewin.ch] has quit [Quit: elfixit]
16:35 < pvpimp> hello, I am setting up openVPN on my VPS running Debian. I am uncertian what files to copy from the server and put in the config folder on my client. thanks
16:35 < svg> Hello openvpn community. I'm looking for info on how to implement different user vpn profiles based on ldap group membership. Seems like somthing that is badly documented, or am i missing something?
16:36 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has quit [Quit: Ciao]
16:37 < svg> pvpimp: depends on how you configure things, in ost cases you at least need the public key of your CA you use on the openvpn server, then eitehr need a user/client specific certificate, and/or a username/password.
16:37 < pvpimp> https://www.digitalocean.com/community/articles/how-to-setup-and-configure-an-openvpn-server-on-debian-6
16:37 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on Debian 6 | DigitalOcean (at www.digitalocean.com)
16:37 < pvpimp> I'm using that TUT if it helps
16:41 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:47 <@Eugene> !howto
16:47 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:47 <@Eugene> There's even a table telling you what files are needed where
16:52 -!- dyer_ [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has joined #openvpn
16:54 < pvpimp> k thanks
16:57 < dyer_> helloHey guys... I am having an problem getting a pam module to work... hoping someone can help me
16:57 < dyer_> https://gist.github.com/johntdyer/550d3a10c8e70214e17f
16:57 <@vpnHelper> Title: auth.log (at gist.github.com)
16:58 < dyer_> if you check auth.log you can see that my module ( #3 / pam_google ) is logging that it got the correct password, and successfully authenticated
16:58 < dyer_> but the openvpn.log says it failed
16:58 < dyer_> AUTH-PAM: BACKGROUND: user 'jdyer@XXXXXXXXX.com' failed to authenticate: Authentication failure
17:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
17:03 -!- crus [~crusader@2001:44b8:319e:2900:a12d:1c15:24a3:9fc] has joined #openvpn
17:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:03 -!- mode/#openvpn [+v s7r] by ChanServ
17:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:07 -!- Cybertinus [~Cybertinu@2a00:6960:1:1::2442] has quit [Remote host closed the connection]
17:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
17:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:09 < pekster> dyer_: The plugin return a '1' status is ultimately openvpn's reason to reject it. Your timestamps don't match, so that batch of 'SUCCESS' doesn't mean much. OpenVPN doesn't care what the plugin does (you do!) just the return code
17:11 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has quit [Ping timeout: 260 seconds]
17:11 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:13 < dyer_> the timestamps not matching dont matter in this case
17:13 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has joined #openvpn
17:13 < dyer_> I just reproduced again to get a copy of openvpn.log
17:13 < dyer_> behavior is always the same
17:14 < dyer_> my app says "SUCCESS" and does an exit 0
17:17 < pekster> It's the plugin function that matters
17:17 < pekster> It's _not_ returning 0 (your openvpn log says so)
17:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
17:19 < dyer_> I am though...
17:19 < dyer_> my code is pretty clear on that
17:20 < dyer_> https://gist.github.com/johntdyer/550d3a10c8e70214e17f#file-pam_google-L10-L11
17:20 <@vpnHelper> Title: auth.log (at gist.github.com)
17:20 < pekster> Plugin
17:20 < pekster> The _PLUGIN_ is what matters here
17:20 < dyer_> I am not sure I understand
17:20 < pekster> Openvpn doesn't care one bit about your code becuase (afaict) it's only referenced from PAM. OpenVPN doesn't even really care about PAM
17:20 < pekster> All it cares about is openvpn-auth-pam.so
17:20 < pekster> That's it
17:22 < dyer_> ok, this is what I have in server.conf
17:22 < dyer_> plugin /opt/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
17:22 -!- pdobrogost [~quassel@77-255-255-119.adsl.inetia.pl] has quit [Remote host closed the connection]
17:22 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has quit [Ping timeout: 250 seconds]
17:22 < pekster> auth-pam.c:668 (in git-master anyway) is where your failure occurs
17:22 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 245 seconds]
17:22 < pekster> Line 678 is the exact error you get
17:22 < pekster> 678           fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n",
17:23 < pekster> That's caused by the return code to pam_authenticate() not being PAM_SUCCESS. In other words, your PAM stack has denied the user
17:23 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
17:25 < dyer_> ok, i thought pam_exec would run my script and then auth or deny based on the exit code
17:25 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has joined #openvpn
17:25 < dyer_> auth sufficient pam_exec.so expose_authtok quiet /etc/openvpn/pam_google
17:25 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
17:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:30 < pekster> #define PAM_OPEN_ERR 1          /* dlopen() failure when dynamically */ /* loading a service module */
17:31 < pekster> from _pam_types.h
17:31 < pekster> That's what the "status" argument is
17:32 < dyer_> ok, I dont follow
17:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 265 seconds]
17:33 < pekster> Oh, I'm mistaken on that
17:33 -!- pvpimp [~mahollows@pool-108-48-23-100.washdc.fios.verizon.net] has quit [Ping timeout: 245 seconds]
17:33 < pekster> the 'status' is from the plugin failing. The 'Authentication failure' is the string representation of the error returned by pam_authenticate(3)
17:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:34 < pekster> Generic "pam doesn't like you" value it seems
17:34 < pekster> PAM_AUTH_ERR (which is actually code 7, not that it matters)
17:38 < dyer_> any idea what it doesnt like exactly ?
17:40 < pekster> Nope. Try enabling the debug features of pam_exec (section 6.7.1 of the PAM reference guide)
17:40 < pekster> Or just don't use so many layers of abstraction if you want your perl script to do auth anyway
17:40 < dyer_> yea, I just tried this...
17:40 < pekster> I'm not quite sure why you're having openvpn load a shared library that calls PAM that calls your script
17:40 < dyer_> auth sufficient pam_exec.so expose_authtok /tmp/superLameAuth.sh
17:41 < dyer_> [root@vpn1 plugins]# cat /tmp/superLameAuth.sh
17:41 < dyer_> #!/bin/bash
17:41 < dyer_> exit 0
17:41 < pekster> debug != expose_authok
17:41 < dyer_> I'll play around w/ it
17:41 < pekster> You really need to read the PAM guide
17:41 < dyer_> thanks for your help
17:41 < dyer_> must appreciated
17:41 < dyer_> s/must/much
17:41 < pekster> I'm just curious why not use --auth-user-pass-verify instead?
17:42 < dyer_> docs seem to imply that its unsafe
17:42 < pekster> Less "pieces" to debug, and all interperted verses C code that gets harder to debug
17:43 < pekster> Not really. On modern unxes only root can see the environment (env-vars make life easy.) You can use a temporary file, but if you do you should use dedicated RAM-backed storage, or an encrypted volume to prevent it from being put on disk
17:43 < pekster> unixes*
17:43 < pekster> Well, root or the user itself of course, but if either is owned, so is openvpn
17:43 < pekster> Also, you're actually hitting google's imap server for your auth? Not sure that's such a great idea, but YMMV
17:46 < dyer_> well the original script uses our google apps domain, so the idea is that we can user that for a directory of sorts
17:46 < dyer_>   gmail.login("#{ENV['PAM_USER']}@tropo.com",STDIN.first.strip)
17:46 < dyer_> so they need to be active user in our google apps domain
17:47 < pekster> That makes slightly more sense than what's written
17:48 < dyer_> yea, I was just trying to make it as simple as possible to troubleshoot, so I striped a ton of stuff out
17:48 < pekster> I'd just call your script directly and not mess with the PAM stuff unless you actually want to use PAM as more than a glorified script wrapper
17:48 < pekster> _that_ is making it simple ;)
17:48 < dyer_> yea, I am starting to agree :)
17:48 < pekster> Your're not really using PAM for anything except making your real error obscure
17:48 < dyer_> already have it working that way
17:48 < dyer_> I just thought I would try it w/ PAM for shits and giggles
17:49 < dyer_> time to move on I think :)
17:49 < dyer_> again, appreciate your help !
17:49 < pekster> Now if you find a PAM module to do google auth directly, that'd be different
17:50 -!- ronnocol [~lance@mail.ronnoco.net] has joined #openvpn
17:51 < ronnocol> Hey all. Just stopped by to say I'm very happy with the performance of OpenVPN. great job: TOTALS|nclients=24622,bytesin=32042022688456,bytesout=1416890203679
17:51 < dyer_> https://github.com/mogorman/pam_gmail
17:51 <@vpnHelper> Title: mogorman/pam_gmail · GitHub (at github.com)
17:51 < dyer_> couldnt get it to work for me though
17:53 < pekster> 24.6k clients? That'll eat some RAM
17:53 < pekster> dyer_: Yea, my motto is usually "don't use giant C programs when a dozen-line script does the same task" -- unless of course there's some benefit
17:54 < pekster> PAM is convenient when it's either already used, or authenticating to a complex or abstract backend part of an already existing codebase
17:55 < ronnocol> pekster: machine is just happy as can be. I have 10 total instances on 2 machines (so 5 per machine), uses about 20gb of RAM on each machine.
18:02 -!- phunyguy_ is now known as phunyguy
18:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
18:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:24 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
18:25 -!- digilink [~digilink@irc.stephennet.net] has quit [Ping timeout: 260 seconds]
18:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
18:26 -!- u0m3__ [~u0m3@92.80.106.31] has quit [Read error: Connection reset by peer]
18:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:29 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:29 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:30 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
18:30 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:31 -!- mdim [~user@line-marko.cs.utah.edu] has quit [Read error: Operation timed out]
18:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:35 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
18:54 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 252 seconds]
18:57 -!- klein [~klein@187.85.164.120] has joined #openvpn
18:57 -!- klein [~klein@187.85.164.120] has quit [Changing host]
18:57 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:00 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
19:08 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
19:08 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
19:09 -!- raidz_away [~raidz@2607:5300:60:d5a::2] has joined #openvpn
19:09 -!- raidz_away is now known as raidz
19:09 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
19:09 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
19:09 -!- mode/#openvpn [+o raidz] by ChanServ
19:20 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
19:25 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Quit: mirco_]
19:30 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:31 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
19:32 -!- riddle [riddle@us.yunix.net] has joined #openvpn
19:35 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
19:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
19:54 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
19:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 265 seconds]
20:00 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:09 -!- busch [~busch@mail.datenschleuder.com] has joined #openvpn
20:11 -!- map [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
20:11 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
20:11 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
20:11 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:11 -!- map is now known as Guest40664
20:11 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
20:12 -!- xorox90___ [uid7069@gateway/web/irccloud.com/session] has joined #openvpn
20:12 -!- sourse [~s0urse@66-215-64-70.static.lsan.ca.charter.com] has joined #openvpn
20:13 < sourse> ping s0urse
20:13 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has joined #openvpn
20:13 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 260 seconds]
20:13 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
20:13 < sourse> can anyone help with error message P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
20:13 < sourse> server http://pastebin.com/aVK2Rpka
20:13 < sourse> client http://pastebin.com/dw8rQmN3
20:14 -!- phunyguy_ [~plorpian@unaffiliated/phunyguy] has joined #openvpn
20:14 -!- Cpt-Oblivious__ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:14 -!- pjschmit1 [~parker@209.141.56.12] has quit [Ping timeout: 260 seconds]
20:14 -!- s0urse [~s0urse@66-215-64-70.static.lsan.ca.charter.com] has quit [Ping timeout: 260 seconds]
20:14 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
20:15 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-rglydlehvypssbnb] has quit [Ping timeout: 260 seconds]
20:15 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 260 seconds]
20:15 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Ping timeout: 260 seconds]
20:15 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 260 seconds]
20:15 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 260 seconds]
20:15 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 260 seconds]
20:15 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 260 seconds]
20:15 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has quit [Ping timeout: 260 seconds]
20:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-tqjchrrhnegtvfsv] has quit [Ping timeout: 260 seconds]
20:15 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 260 seconds]
20:15 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
20:15 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 260 seconds]
20:15 -!- ljvb_ [~jason@uk.vps.vanbrecht.com] has quit [Ping timeout: 260 seconds]
20:15 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 260 seconds]
20:15 -!- matsh [divine@nanogene.org] has joined #openvpn
20:15 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
20:15 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
20:15 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
20:16 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
20:17 -!- xorox90___ is now known as xorox90__
20:17 -!- codile [codehero@irc.coding4coffee.org] has joined #openvpn
20:17 -!- master_o1_master [~master_of@p4FD7BDBE.dip0.t-ipconnect.de] has joined #openvpn
20:17 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has joined #openvpn
20:18 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
20:18 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
20:18 -!- _bt [foobar@77.240.12.157] has joined #openvpn
20:18 -!- defswork_ [~andy@141.0.50.105] has joined #openvpn
20:18 -!- Guest40671 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
20:18 -!- MadTBone_ [~MadTBone@160.39.238.196] has joined #openvpn
20:18 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:18 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 260 seconds]
20:18 -!- Netsplit *.net <-> *.split quits: pa, guntha`, Pei_, peper, mingdao, _quadDamage, bertodsera, Matir, __bt, dos-freak,  (+7 more, use /NETSPLIT to show all of them)
20:18 -!- codile is now known as codehero
20:19 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
20:19 -!- dren [dren@69.163.43.34] has quit [Read error: Operation timed out]
20:19 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Ping timeout: 260 seconds]
20:19 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 260 seconds]
20:20 -!- kossy_ [a@kossy.org] has joined #openvpn
20:21 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
20:22 -!- Netsplit *.net <-> *.split quits: svg, master_of_master, _quadDam1ge, Guest40664, kossy, booo, Cpt-Oblivious_, NChief, james41382_, liriel,  (+3 more, use /NETSPLIT to show all of them)
20:22 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
20:22 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
20:22 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Ping timeout: 608 seconds]
20:23 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 260 seconds]
20:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:24 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:24 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
20:24 -!- rkantos [robin@4e.fi] has quit [Ping timeout: 260 seconds]
20:26 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
20:26 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
20:27 -!- codehero [codehero@irc.coding4coffee.org] has quit [Ping timeout: 265 seconds]
20:27 -!- pjschmit1 [~parker@209.141.56.12] has joined #openvpn
20:27 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has quit [Ping timeout: 608 seconds]
20:28 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
20:28 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:29 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 265 seconds]
20:29 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 260 seconds]
20:29 -!- crus [~crusader@2001:44b8:319e:2900:a12d:1c15:24a3:9fc] has quit [Read error: Connection reset by peer]
20:30 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
20:30 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
20:30 -!- catsup [d@64.111.123.163] has joined #openvpn
20:31 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 260 seconds]
20:32 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 265 seconds]
20:32 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 260 seconds]
20:33 -!- Netsplit *.net <-> *.split quits: pjschmitt, master_o1_master, Eagleman, matsh, Aketzu_, kevinsky
20:33 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
20:34 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
20:34 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
20:35 -!- rob0_ [rob0@harrier.slackbuilds.org] has joined #openvpn
20:35 -!- rob0_ [rob0@harrier.slackbuilds.org] has quit [Changing host]
20:35 -!- rob0_ [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
20:35 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
20:35 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
20:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
20:35 -!- dos-freak [~leecher@zentarim.0wnz.at] has joined #openvpn
20:35 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 260 seconds]
20:36 -!- master_of_master [~master_of@p4FD7BDBE.dip0.t-ipconnect.de] has joined #openvpn
20:37 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
20:37 -!- crus [~crusader@2001:44b8:319e:2900:a12d:1c15:24a3:9fc] has joined #openvpn
20:37 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
20:37 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
20:38 -!- matsh [~divine@109.236.85.166] has joined #openvpn
20:38 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
20:38 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 260 seconds]
20:38 -!- dos-freak [~leecher@zentarim.0wnz.at] has quit [Ping timeout: 260 seconds]
20:38 -!- pa [~pa@82.60.135.41] has joined #openvpn
20:38 -!- codehero [codehero@irc.coding4coffee.org] has joined #openvpn
20:38 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
20:38 -!- booo [~booo__@p54BDBFEC.dip0.t-ipconnect.de] has joined #openvpn
20:39 -!- svg [~svg@213.138.109.172] has joined #openvpn
20:39 -!- peper [~peper@74.207.249.249] has joined #openvpn
20:39 -!- riddle [riddle@us.yunix.net] has joined #openvpn
20:39 -!- losted [~losted@box.losted.net] has joined #openvpn
20:39 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
20:40 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
20:41 -!- defswork_ [~andy@141.0.50.105] has quit [Ping timeout: 260 seconds]
20:41 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
20:41 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:42 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:42 -!- defswork_ [~andy@141.0.50.105] has joined #openvpn
20:42 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
20:42 -!- mingdao_ [~mingdao@unaffiliated/mingdao] has joined #openvpn
20:43 -!- simcop2387_ [~simcop238@simcop2387.info] has joined #openvpn
20:43 -!- simcop2387_ [~simcop238@simcop2387.info] has quit [Changing host]
20:43 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
20:43 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
20:43 -!- ronnocol [~lance@mail.ronnoco.net] has joined #openvpn
20:44 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
20:44 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
20:45 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has joined #openvpn
20:45 -!- novaflash_ [~novaflash@its.novaflash.nl] has joined #openvpn
20:45 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
20:47 -!- Aketzu_ [akolehma@81.22.244.161] has joined #openvpn
20:47 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:47 -!- pa [~pa@82.60.135.41] has quit [Ping timeout: 260 seconds]
20:47 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
20:47 -!- mgorbach_ is now known as mgorbach
20:48 -!- Pei_ [~pei@thinks.outside.theb0x.org] has joined #openvpn
20:48 -!- rkantos [robin@4e.fi] has joined #openvpn
20:48 -!- ppr [~peper@gentoo/developer/peper] has joined #openvpn
20:48 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 260 seconds]
20:48 -!- peper [~peper@74.207.249.249] has quit [Ping timeout: 260 seconds]
20:49 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 265 seconds]
20:49 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:50 -!- Netsplit *.net <-> *.split quits: Pei, kloeri, pppingme, Mike3, dradec, phunyguy_, Sembei, simcop2387, @novaflash, Aketzu,  (+1 more, use /NETSPLIT to show all of them)
20:50 -!- simcop2387_ is now known as simcop2387
20:50 -!- GabrieleV_ is now known as GabrieleV
20:50 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
20:50 -!- novaflash_ is now known as novaflash
20:51 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
20:54 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 265 seconds]
20:54 -!- busch is now known as busch_off
20:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
20:57 -!- matsh [~divine@109.236.85.166] has quit [Ping timeout: 260 seconds]
20:57 -!- svg [~svg@213.138.109.172] has quit [Ping timeout: 260 seconds]
20:57 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
20:59 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
21:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:01 -!- matsh [divine@nanogene.org] has joined #openvpn
21:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
21:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
21:03 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
21:03 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
21:04 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 260 seconds]
21:04 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has quit [Ping timeout: 260 seconds]
21:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:05 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
21:08 -!- Aketzu_ [akolehma@81.22.244.161] has quit [Ping timeout: 260 seconds]
21:08 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
21:15 -!- busch_off is now known as busch
21:18 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:25 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
21:26 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
21:26 -!- mingdao_ is now known as mingdao
21:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:28 < sourse> can anyone help with error message P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
21:28 < sourse> server http://pastebin.com/aVK2Rpka
21:28 < sourse> client http://pastebin.com/dw8rQmN3
21:29 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
21:30 -!- xorox90__ [uid7069@gateway/web/irccloud.com/session] has quit [Changing host]
21:30 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-bvbgqizlpkqjxwpd] has joined #openvpn
21:30 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
21:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-hajxxpdrrpmywcbf] has joined #openvpn
21:30 -!- tempus_fol [~tempus@unaffiliated/tempusfol] has joined #openvpn
21:30 -!- tempus_fol [~tempus@unaffiliated/tempusfol] has quit [Changing host]
21:30 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
21:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
21:33 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
21:33 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Max SendQ exceeded]
21:34 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
22:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:02 -!- booo [~booo__@p54BDBFEC.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
22:03 -!- booo [~booo__@p54BDA464.dip0.t-ipconnect.de] has joined #openvpn
22:14 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Remote host closed the connection]
22:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
22:19 -!- dren [dren@69.163.43.34] has joined #openvpn
22:21 -!- busch is now known as busch_off
22:22 -!- ljvb__ [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
22:41 -!- joshh20 is now known as joshh20-Away
22:46 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:49 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:03 < sourse> can anyone help with error message P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
23:03 < sourse> server http://pastebin.com/aVK2Rpka
23:03 < sourse> client http://pastebin.com/MrqYMSkj
23:09 -!- sourse [~s0urse@66-215-64-70.static.lsan.ca.charter.com] has quit [Quit: Leaving]
23:14 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
23:16 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:17 -!- Cpt-Oblivious__ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 265 seconds]
23:18 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 245 seconds]
23:23 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
23:23 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
23:23 -!- james41382__ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:28 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
23:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
23:48 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
23:48 -!- lj [~l@192.241.174.169] has joined #openvpn
23:59 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
--- Day changed Thu Feb 13 2014
00:08 -!- halcyon__ [~heraclitu@108.59.11.225] has joined #openvpn
00:08 -!- halcyon__ is now known as Guest25208
00:12 -!- heraclitus__ [~heraclitu@208.64.66.92] has quit [Ping timeout: 252 seconds]
00:14 -!- busch_off is now known as busch
00:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:33 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
00:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:39 -!- makara [~makara@41.164.22.218] has quit [Max SendQ exceeded]
00:40 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:55 -!- lj1 [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
00:56 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 272 seconds]
00:57 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
01:03 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:27 -!- Guest25208 [~heraclitu@108.59.11.225] has left #openvpn []
01:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:28 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:36 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 272 seconds]
01:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
01:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:55 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:02 -!- lvv_ [~loganaden@2001:4290:10:250:2936:8f92:7f35:44b8] has joined #openvpn
02:02 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
02:02 -!- lvv_ is now known as lvv
02:11 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:12 -!- Eugene [eugene@itvends.com] has quit [Ping timeout: 264 seconds]
02:13 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 245 seconds]
02:14 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
02:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
02:14 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 245 seconds]
02:16 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 264 seconds]
02:16 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
02:17 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
02:18 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 245 seconds]
02:18 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
02:19 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
02:19 -!- EugeneKay [eugene@itvends.com] has quit [Excess Flood]
02:19 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
02:20 -!- lj1 [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
02:21 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Ping timeout: 245 seconds]
02:21 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
02:21 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
02:26 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
02:27 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
02:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
02:42 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:51 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
03:00 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:07 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:19 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has joined #openvpn
03:19 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has quit [Changing host]
03:19 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 260 seconds]
03:24 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Client Quit]
03:38 -!- alexxtasi [~alex@150.140.12.90] has joined #openvpn
03:39 -!- alexxtasi [~alex@150.140.12.90] has quit [Changing host]
03:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:47 -!- lvv [~loganaden@2001:4290:10:250:2936:8f92:7f35:44b8] has quit [Quit: lvv]
04:08 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
04:12 -!- _bt [foobar@77.240.12.157] has quit [Changing host]
04:12 -!- _bt [foobar@unaffiliated/bt/x-192343] has joined #openvpn
04:13 -!- lvv_ [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
04:13 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
04:14 -!- lvv_ is now known as lvv
04:16 -!- kloeri_ is now known as kloeri
04:24 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
04:31 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
04:33 -!- catsup [d@64.111.123.163] has quit [Read error: Operation timed out]
04:33 -!- catsup [d@64.111.123.163] has joined #openvpn
04:38 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 248 seconds]
04:39 -!- catsup [d@64.111.123.163] has joined #openvpn
04:44 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 260 seconds]
04:44 -!- catsup [d@64.111.123.163] has joined #openvpn
05:14 -!- dazo_afk is now known as dazo
05:19 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
05:30 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 272 seconds]
05:32 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
05:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:43 -!- takamich_ [~takamichi@85.12.8.14] has joined #openvpn
05:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
05:58 -!- crus [~crusader@2001:44b8:319e:2900:a12d:1c15:24a3:9fc] has quit [Ping timeout: 252 seconds]
06:07 -!- takamich_ [~takamichi@85.12.8.14] has quit [Ping timeout: 252 seconds]
06:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:34 -!- wood_quinn [~quinn@67-3-69-28.desm.qwest.net] has joined #openvpn
06:35 < wood_quinn> If I wanted to use OpenVPN as a layer 2 tunnel, would I have to worry about MTUs for my newfangled layer 3 protocol?
06:35 < wood_quinn> I know with L2TP this is a concern
06:47 < lvv> hoi
06:48 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 265 seconds]
06:49 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 265 seconds]
06:50 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
06:51 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
06:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:13 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has joined #openvpn
07:13 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has quit [Changing host]
07:13 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
07:18 -!- map [~Mark@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
07:18 -!- map is now known as Guest57934
07:20 -!- wood_quinn [~quinn@67-3-69-28.desm.qwest.net] has left #openvpn []
07:20 -!- mapps [~Mark@94-193-78-219.zone7.bethere.co.uk] has quit [Ping timeout: 265 seconds]
07:27 -!- klein [~klein@187.85.179.98] has joined #openvpn
07:27 -!- klein [~klein@187.85.179.98] has quit [Changing host]
07:27 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:32 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:36 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
07:38 -!- klein [~klein@187.85.179.98] has joined #openvpn
07:38 -!- klein [~klein@187.85.179.98] has quit [Changing host]
07:38 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
07:47 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
07:51 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 245 seconds]
07:52 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
07:52 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
07:52 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Read error: Connection reset by peer]
07:53 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
07:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
08:01 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
08:13 -!- psycheye [~psycheye@93.49.16.11] has quit [Ping timeout: 265 seconds]
08:13 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
08:33 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
08:37 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
08:40 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
08:40 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Max SendQ exceeded]
08:40 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:40 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
08:43 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
08:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 251 seconds]
08:47 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
08:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:50 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
08:51 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Max SendQ exceeded]
08:51 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
08:53 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
08:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
09:00 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:05 -!- u0m3 [~u0m3@92.80.106.31] has joined #openvpn
09:08 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
09:08 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
09:09 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:11 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
09:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
09:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
09:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:33 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
09:35 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
09:36 -!- lj [~l@192.241.174.169] has joined #openvpn
09:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:43 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 265 seconds]
09:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:47 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:47 -!- lj [~l@192.241.174.169] has joined #openvpn
09:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
09:49 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
09:50 -!- kossy_ [a@kossy.org] has quit [Excess Flood]
09:51 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 248 seconds]
09:52 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has joined #openvpn
09:52 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has quit [Changing host]
09:52 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
09:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:53 -!- pjschmit1 [~parker@209.141.56.12] has quit [Ping timeout: 265 seconds]
09:54 -!- kossy [a@kossy.org] has joined #openvpn
09:54 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
10:09 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Read error: Connection reset by peer]
10:17 -!- takamichi [~takamichi@85.12.8.13] has quit [Ping timeout: 260 seconds]
10:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:22 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
10:24 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 245 seconds]
10:27 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
10:30 -!- Kottizen [~martin@trekweb/supporter/kottizen] has quit [Read error: Connection reset by peer]
10:42 -!- kesroesweyth [~an0@unaffiliated/kesroesweyth] has joined #openvpn
10:42 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has joined #openvpn
10:42 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has quit [Changing host]
10:42 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
10:43 < kesroesweyth> I've got a CentOS server that someone is torrenting through using OpenVPN and I could use a hand discovering which user is responsible. Could anyone help point me in the right direction?
10:44 -!- rondile [44279bff@gateway/web/cgi-irc/kiwiirc.com/ip.68.39.155.255] has joined #openvpn
10:45 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
10:46 <@ecrist> openvpn status
10:46 < kesroesweyth> I believe I have the IP of the user, just not the username.
10:47 < kesroesweyth> No output.
10:47 < kesroesweyth> ecrist: I ran it with --config and the path to the configuration file that is currently in use.
10:47 <@ecrist> do you have a management service enabled?
10:48 < kesroesweyth> Not that I know of, but this is a client's server, so I'm not intimately familiar with its setup.
10:48 -!- rondile [44279bff@gateway/web/cgi-irc/kiwiirc.com/ip.68.39.155.255] has quit [Client Quit]
10:48 <@dazo> kesroesweyth: block that VPN IP address ... and watch who complains ;-)
10:48 <@ecrist> heh
10:48 < kesroesweyth> dazo: I like your style.
10:48 <@dazo> kesroesweyth: also ... if you have the VPN IP address ... grep your log files
10:48 <@ecrist> kesroesweyth: look at the config file
10:48 < kesroesweyth> Did that already. Only one line, no username.
10:48 <@ecrist> see if there's a management option
10:49 < kesroesweyth> <date> UDPv4 link local (bound): <ip>
10:49 < kesroesweyth> That was my output, but with the date and IP obviously. Just the one line.
10:49 < kesroesweyth> Hm. I can try to find something like that.
10:50 <@ecrist> add a line to the config like this:  management 127.0.0.1 1194
10:50 <@ecrist> and restart openvpn
10:50 < kesroesweyth> Wait, I'm wrong. I don't have an IP.
10:50 <@ecrist> their client should reconnect in a few minutes
10:50 <@ecrist> then, telnet localhost 1194
10:51 <@ecrist> once connected, type "status" sans quotes
10:51 -!- Guest57934 [~Mark@94-193-78-219.zone7.bethere.co.uk] has left #openvpn []
10:51 -!- lj [~l@192.241.174.169] has joined #openvpn
10:52 -!- ronnocol [~lance@mail.ronnoco.net] has left #openvpn []
10:52 < kesroesweyth> Pfft. Server doesn't have telnet. One sec.
10:52 < kesroesweyth> Okay, got the status.
10:53 <@dazo> kesroesweyth: ssh -L1194:localhost:1194 <openvpn server>
10:53 < kesroesweyth> Nice! Users and their local and remote IPs!
10:53 <@ecrist> AND their traffic
10:53 < kesroesweyth> Thanks dazo, I installed telnet.
10:53 <@ecrist> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
10:53 < kesroesweyth> And their traffic..
10:53 < kesroesweyth> Yeah I'm looking at that now.
10:54 < kesroesweyth> Very cool. This is immensely helpful.
10:54 <@ecrist> fwiw, see --status-log in the man page
10:54 <@ecrist> you can setup a client disconnect script that puts that info in a database or other log to track usage
10:54 <@ecrist> across connections
10:56 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
10:57 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
10:58 < kesroesweyth> Trying to find details on the status format.
10:58 < kesroesweyth> Looks like user,remoteIP:port,###,###,date
10:58 < kesroesweyth> Note sure what the ###'s are
10:59 < kesroesweyth> Traffic, I'm sure, but what are they exactly.
10:59 -!- dyer_ is now known as dyer
10:59 -!- rondile [44279bff@gateway/web/cgi-irc/kiwiirc.com/ip.68.39.155.255] has joined #openvpn
10:59 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has quit [Changing host]
10:59 -!- dyer [~dyer@unaffiliated/dyer] has joined #openvpn
10:59 < kesroesweyth> Oh god. I need a coffee.
10:59 < kesroesweyth> You already read me the headers. Sorry =\
11:00 < kesroesweyth> I think I have what I need. Thanks a ton! afk
11:01 < rondile> I have a question regarding openvpn and Windows 8.1.  I have connected from my 8.1 comp to a dd-wrt router running openvpn and am able to access my file shares.  The issue is that Windows is showing the vpn connection as an "unidentified network" that is public.  Is this a Windows issue or an openvpn issue and is there a fix so that it can be a pri
11:01 < rondile> vate network so that I don't have to change my file sharing settings to enable them on public networks?  Thanks.
11:02 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:02 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:07 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
11:07 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
11:07 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:07 -!- mode/#openvpn [+o raidz] by ChanServ
11:12 -!- rondile [44279bff@gateway/web/cgi-irc/kiwiirc.com/ip.68.39.155.255] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
11:18 -!- rondile [4425c418@gateway/web/cgi-irc/kiwiirc.com/ip.68.37.196.24] has joined #openvpn
11:19 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
11:19 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
11:19 -!- mode/#openvpn [+o novaflash] by ChanServ
11:21 -!- cktsoi [~cktsoi@n119237108167.netvigator.com] has joined #openvpn
11:25 -!- cktsoi [~cktsoi@n119237108167.netvigator.com] has quit [Remote host closed the connection]
11:27 -!- rondile [4425c418@gateway/web/cgi-irc/kiwiirc.com/ip.68.37.196.24] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
11:31 -!- cktsoi [~cktsoi@n119237108167.netvigator.com] has joined #openvpn
11:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:35 < linuxthefish> iio/j firefox
11:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:39 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
11:49 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
11:49 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
11:52 -!- joshh20-Away is now known as joshh20
12:01 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
12:01 -!- cktsoi [~cktsoi@n119237108167.netvigator.com] has quit [Remote host closed the connection]
12:04 < mastershake> hey guys im trying to install an openvpn server into ubuntu 13.10
12:04 < mastershake> and im following the instructions here > ubuntuguide.org/wiki/OpenVPN_server
12:05 < mastershake> however, i dont seem to have a folder where there should be one according to this guide
12:05 < mastershake> is that a problem?
12:05 <@krzee> !walkthrough
12:05 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
12:06 < mastershake> wow
12:06 < mastershake> im getting real tired of linux
12:06 <@krzee> !bestos
12:06 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
12:06 < mastershake> !howto
12:06 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
12:07 <@krzee> for the record, openvpn is basically the same config on any OS
12:07 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 265 seconds]
12:08 < mastershake> woah woah woah! whats all this about?? "Secret key must exist in plaintext form on each VPN peer
12:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
12:09 < mastershake> if im to do static.. i want 100% security, is there anyway around that?
12:09 <@krzee> dont use it then, use PKI
12:09 <@krzee> !statickey
12:09 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
12:10 <@krzee> if you use PKI you can passphrase your private key so it requires a passphrase to decrypt and use the private key
12:10 <@krzee> PKI is more secure than statickey, because you can encrypt the passphrase (assuming you actually do it) and because of forward security
12:10 <@krzee> !forwardsecurity
12:10 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
12:11 < mastershake> so if i just want to setup a server for 1-5 users at most, i should use PKI?
12:12 <@krzee> if you want more than 1 user and 1 server, you MUST use pki
12:12 <@krzee> statickey is for 2 peers, no clients no servers
12:20 < mastershake> !KEY_OU
12:20 < mastershake> do i need to assign that a variable?
12:22 -!- dazo is now known as dazo_afk
12:23 <@krzee> !pki
12:23 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
12:23 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
12:23 <@krzee> !easy-rsa
12:23 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
12:24 <@krzee> try that last one, the new easy-rsa
12:24 <@krzee> download it at #2 and use the link at #3 for using it
12:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
12:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
12:26 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:28 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:32 < sunwind> http://www.housetrip.com/content/local-food-guide/amsterdam.htm
12:32 <@vpnHelper> Title: Local food guide to Amsterdam – The Best in Local Cuisine – HouseTrip (at www.housetrip.com)
12:38 <@krzee> sunwind, wRong chan?
12:38 < sunwind> my bad, sorry
12:38 <@krzee> np
12:38 <@krzee> assumed it was a misfire =]
12:39 < sunwind> oh, while i'm here. I accidentally deleted and lost my damn .cert files. And I have completely forgotten how in the hell I set them up in the first place
12:39 <@krzee> !easy-rsa
12:39 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
12:39 <@krzee> re-issue or re-do pki all together if you dont have the pki saved to re-issue from
12:40 < sunwind> yeah.. I don't remember using that, and I tried that.. but it's not so /easy/ as it claims
12:40 < sunwind> http://i.imgur.com/sbx1Ww8.png
12:41 < sunwind> I need to redo all of those
12:41 < sunwind> It was only like, 2 months ago, and I have completely forgotten how I did it
12:41 < sunwind> I may have used puttygen? Is it possible to make all those with that?
12:42 < sunwind> God, I wish I had the website I used for this.
12:43 < sunwind> stupid question, but can I manually make the key files since I still have the key data in my router? or are the client files different and it won't work at all
12:44 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
12:44 < johnfg> hi folks
12:45 < johnfg> I'm having a difficult time keeping my vpn up, and not sure what's wrong.
12:45 <@krzee> its VERY EASY compared to using openssl directly
12:45 <@krzee> sunwind, try using the openssl command instead for awhile, then you'll love easy-rsa
12:45 < johnfg> The openvpn server is debian-wheezy; clients are gentoo and windows 7.
12:46 < johnfg> Is there any way, unless it's the actual cable, or dsl, to make the connections more robust?
12:47 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has joined #openvpn
12:47 -!- f0cker [~f0cker@host86-144-134-118.range86-144.btcentralplus.com] has quit [Changing host]
12:47 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
12:54 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
12:54 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
12:56 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
12:56 -!- mode/#openvpn [+o raidz] by ChanServ
12:58 < sunwind> krzee: so, since I have the certificate data still on my router, can I not just make cert.ca files and paste that info in? or would a client use different data?
12:58 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
12:59 <@krzee> whats a cert.ca file?
12:59 <@krzee> and you need to have the EXACT files you deleted, or re-make stuff
13:00 < sunwind> ca.crt, key.key etc
13:00 <@krzee> if you have copies of those EXACT files, then fine restore from backup
13:00 <@krzee> whats key.key?
13:00 <@krzee> haha
13:00 <@krzee> sunwind, how many clients do you have?
13:00 < sunwind> I'm using openvpn on android, when I load my profile, it asks for ca.crt, AndroidKey.crt, and AndroidKey.key
13:00 < sunwind> those are the files I lost
13:01 <@krzee> ok, and do you still have the PKI saved on the CA machine (where you made the certs) ?
13:02 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
13:02 <@krzee> and look, if you have only 1 or 2 clients just start over on your PKI
13:02 <@krzee> if you have a bunch then ok go ahead and try to save it
13:02 < sunwind> but I can't figure out how I made all this crap :(
13:02 <@krzee> that's why it'll be much easier to start over
13:02 -!- makara [~makara@105-208-241-64.access.mtnbusiness.co.za] has joined #openvpn
13:02 <@krzee> following directions
13:02 <@krzee> instead of trying to pickup in the middle while having no clue what you did
13:02 < sunwind> I tried.. but it's so uneccessarily convoluted
13:03 <@krzee> then maybe you arent at the correct skill level to run a vpn?
13:03 <@krzee> its all in !pki and !easy-rsa
13:03 < sunwind> I'm mega skilled, bro
13:03 <@krzee> although !pki is for easy-rsa 2 and !easy-rsa is for easy-rsa 3
13:03 <@krzee> if you're mega skilled you must be able to make a pki
13:04 <@krzee> especially with step-by-step directions
13:04 < sunwind> I think it's because I probably learnt all this shit when I first did it, then when I was done I promptly forgot, expecting to not have to do it again
13:04 < sunwind> and now I don't want to learn it all again
13:04 <@krzee> theres really nothing to learn, just follow one of those walkthroughs provided by the easy-rsa devs
13:05 <@krzee> theres 2 for 2 versions, i suggest easy-rsa3 and !easy-rsa 's walkthrough
13:05 < sunwind> I started following one last night and ran into an error that I couldn't find a solution to
13:05 <@krzee> well give up or try again
13:05 <@krzee> those are your options
13:05 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:06 <@krzee> if you choose to try again, following directions from the bot, then feel free to ask questions here when you get stuck =]
13:06 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Max SendQ exceeded]
13:06 < sunwind> 78KB · Uploaded 2 years ago
13:06 <@krzee> if you choose to give up, you can probably pay to use a vpn instead, theres a ton of those
13:06 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:07 < sunwind> nobody has made a simple GUI to do this stuff? blech
13:07 <@krzee> !certman
13:07 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
13:07 <@krzee> !xca'
13:07 <@krzee> !xca
13:07 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
13:07 < sunwind> there we go
13:07 <@krzee> most of us have no chance to help you with that
13:07 <@krzee> so you're on your own there
13:08 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Max SendQ exceeded]
13:08 <@krzee> which means you get a gui but no help
13:08 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has quit [Quit: Lost terminal]
13:08 <@krzee> instead of a walkthrough and help using it
13:08 <@krzee> lol
13:08 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
13:08 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
13:09 -!- p3rror [~mezgani@41.249.3.208] has joined #openvpn
13:11 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has quit [Read error: Connection reset by peer]
13:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:11 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
13:11 < EugeneKay> If you ask nicely I'll tell you  what buttons to click
13:12 < EugeneKay> There's the example xdb i nthe wiki you can base from
13:12 < mastershake> is there a GUI for setting up openvpn?
13:12 -!- EugeneKay is now known as Eugene
13:12 < Eugene> Not officially, no. It's config-file based
13:12 <@krzee> mastershake, not GPL openvpn, but you can pay for that
13:12 <@krzee> !as
13:12 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
13:12 < Eugene> Tools like NetworkManager have that function, but they don't pick good options.
13:12 <@krzee> ^ that is totally GUI driven
13:13 < mastershake> cool, thank krzee
13:13 <@krzee> np
13:13 < mastershake> im getting real sick and tired of all this configuration on linux in general... i love linux, but this is getting ridiclous
13:14 <@krzee> ya AS could be right for you
13:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:16 < sunwind> signature algorithm: sha 1 - sha 512 / ripemd 160
13:16 < sunwind> higher number = more secure or something?
13:16 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
13:16 -!- master_o1_master [~master_of@p4FF24B95.dip0.t-ipconnect.de] has joined #openvpn
13:17 <@krzee> different algorythms
13:18 <@krzee> !google ripemd-160 versus sha-256
13:18 <@vpnHelper> hash - RIPEMD versus SHA-x, what are the main pros and cons ...: <http://crypto.stackexchange.com/questions/957/ripemd-versus-sha-x-what-are-the-main-pros-and-cons>; REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and ...: <https://bitcointalk.org/index.php?topic=293382.0>; RIPEMD - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/RIPEMD>
13:18 <@krzee> !google ripemd-160 versus sha-512
13:18 <@vpnHelper> osx - TrueCrypt, RIPEMD-160 vs SHA-512 vs Whirlpool - Super User: <http://superuser.com/questions/383333/truecrypt-ripemd-160-vs-sha-512-vs-whirlpool>; hash - RIPEMD versus SHA-x, what are the main pros and cons ...: <http://crypto.stackexchange.com/questions/957/ripemd-versus-sha-x-what-are-the-main-pros-and-cons>; RIPEMD - Wikipedia, the free encyclopedia:
13:18 <@vpnHelper> <http://en.wikipedia.org/wiki/RIPEMD>
13:18 <@krzee> theres a TON to learn down that rabbit hole
13:18 <@krzee> tl;dr they work differently, the math is 100% different
13:19 < sunwind> i'll just use sha2 512
13:19 -!- master_of_master [~master_of@p4FD7BDBE.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
13:19 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
13:19 <@krzee> sha 512 is strong
13:20 <@krzee> in fact if sha512 gets broken, you WILL KNOW. because bitcoin theft will be in the news BIG TIME
13:21 <@krzee> err it seems they use sha256 from my googling
13:21 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn
13:24 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
13:25 < kesroesweyth> Is there a way to disconnect and delete a user account in OpenVPN without having to restart the service?
13:25 < kesroesweyth> This is on CentOS 6
13:26 <@krzee> !crl
13:26 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
13:26 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
13:26 <@krzee> you need the management interface to disconnect a logged in user
13:26 <@krzee> !management
13:26 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
13:27 < kesroesweyth> Thanks
13:27 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:31 < kesroesweyth> Is there a list somewhere of the management interface commands?
13:31 < sunwind> if I use a DNS name in place of my IP in the .ovpn file, will that work?
13:32 < mastershake> do i need 2 network cards to sucessfully route clients through an openvpn server?
13:32 < sunwind> provided of course the DNS points to my IP
13:34 -!- ade_ is now known as ade_b
13:36 <@ecrist> kesroesweyth: iirc, you need to look in source, or type ? or help
13:36 <@ecrist> in the cli
13:36 < Eugene> sunwind - yes
13:36 < sunwind> thanks
13:36 < Eugene> sunwind - also look up --resolv-retry
13:37 < Eugene> kesroesweyth - https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt
13:37 < kesroesweyth> ecrist: Found the help command. So obvious lol thanks
13:37 <@vpnHelper> Title: openvpn/doc/management-notes.txt at master · OpenVPN/openvpn · GitHub (at github.com)
13:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
13:41 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has quit [Read error: Connection reset by peer]
13:42 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
13:43 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
13:44 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:46 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
13:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
13:57 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has quit [Ping timeout: 240 seconds]
14:02 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
14:05 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
14:05 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
14:11 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has quit [Read error: Connection reset by peer]
14:11 -!- johnfg_ [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
14:12 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Read error: Connection reset by peer]
14:13 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
14:15 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:16 < sunwind> yeah. I give up with xca
14:17 < sunwind> so where is the best guide to creating a CA, server cert, server key, DH-params, and client files for my .ovpn android profile, again? D:
14:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
14:18 -!- pdobrogost [~quassel@77-255-53-20.adsl.inetia.pl] has joined #openvpn
14:20 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
14:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:41 -!- johnfg_ [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has quit [Read error: Connection reset by peer]
14:41 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
14:45 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has left #openvpn []
14:45 -!- makara [~makara@105-208-241-64.access.mtnbusiness.co.za] has quit [Ping timeout: 272 seconds]
14:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
14:46 -!- p3rror [~mezgani@41.249.3.208] has quit [Quit: Leaving]
14:50 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
14:52 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
14:52 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
14:53 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
15:01 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:08 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Quit: No Ping reply in 180 seconds.]
15:09 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
15:18 < svg> so it seems if one wants to work with "user profiles", we need to config that in a ccd file per user, if I understand the docs correctly;
15:18 < svg> there is no way to have e.g. a ccd file that maps to say an ldap group?
15:18 < svg> basically I want to be able to have a couple of profiles that put certai users in a certain subnet
15:19 < svg> so i was wondering if there is a way to avoid having to make a confi file for every separate user?
15:21 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
15:24 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
15:25 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
15:26 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Max SendQ exceeded]
15:26 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
15:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
15:29 <@krzee> svg,
15:29 <@krzee> !client-connect
15:29 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
15:30 < svg> thx krzee, didn't encounter that; will look that up
15:30 <@krzee> np
15:39 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:48 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
15:50 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
15:52 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
15:52 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
15:52 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
15:54 -!- raidz is now known as raidz_away
15:58 < pekster> sunwind: Links to both the easy-rsa v2 howto and the v3 openvpn walkthrough are at: !easyrsa . For alternatives, see: !certman
16:03 < sunwind> thanks
16:06 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
16:09 -!- joshh20 is now known as joshh20-Away
16:12 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
16:13 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
16:13 -!- raidz_away is now known as raidz
16:14 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
16:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:15 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:25 -!- rmckee [~rmckee@175.45.105.33] has joined #openvpn
16:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:31 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
16:42 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
16:47 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
16:50 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
16:53 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
17:08 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
17:22 -!- joshh20-Away is now known as joshh20
17:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:36 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
17:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 252 seconds]
17:54 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
17:58 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
17:59 -!- pdobrogost [~quassel@77-255-53-20.adsl.inetia.pl] has quit [Ping timeout: 248 seconds]
18:05 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
18:07 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
18:09 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
18:09 < digilink> hi, I had a question concerning an OpenVPN site-to-site connection. We have a /30 built for the tunnel. Are the packets encrypted inside of that, or are they encrypted/decrypted as the enter/leave the tunnel?
18:11 < pekster> Only transport between the 2 involved openvpn peers is ever encrypted, and only when you use the openvpn tunnel
18:12 < pekster> No need for a /30 either unless you're doing tun with non-Windows
18:15 < digilink> tnx pekster... devices are both Vyatta based on either end. I've got this stuffed behind (with the appropriate DNAT'ing) a Juniper router and it's not working as intended and we are struggling as to why.
18:15 < pekster> Without knowing what you're doing and your goals, crystal ball says something is wrong
18:16 < pekster> fwiw you can fit at least 2 PtP tunnels in a /30, and more if you don't care about symmetric addressing (You could theoretically do a PtP star topology with 4 hosts each with a tunnel to the other in that address space)
18:17 < pekster> /30 is for Etherent (or other broadcast) links that "require" them
18:17 < digilink> tunnel is up, and can ping bi-directionally, and we have static routes built for both networks, but for whatever reason some traffic will pass, while other traffic won't. An example of what we've tested is SSH, ICMP, and IAX2 traffic, but DNS queries, RDP, and MS Lync will not
18:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
18:18 < pekster> If you can ping across the tunnel, anything else boils down to local firewall or routing issues
18:18 < digilink> hmm ok those were my thoughts as well. I've got a case open with juniper on this as well, but they haven't been much help so far :(
18:19 < pekster> I suspect you're looking in the wrong place unless your've managed to do DPI or something on your switch
18:20 < digilink> been there too :( It's a really strange situation, I was mainly curious as to where exactly the encrypt/decrypt takes place on the packets to aid in my troubleshooting efforts.
18:20 < pekster> "between the tun devices"
18:21 < digilink> ok, so say I have a /30 of 10.99.99.1 and 10.99.99.2, am I to assume correctly that the encryption is between those two endpoints?
18:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:22 < pekster> [kerenl on system A] -> [openvpn on A] -> {encrypt} -> [network transport of encrypted payload] -> [kernel on system B] -> [openvpn on B] -> {decrypt}
18:22 < pekster> Are you using that as your VPN network?
18:22 < pekster> And why this facination with /30? OpenVPN doesn't need it unless you're using Windows as one of your endpoints
18:22 < digilink> Vyatta required it for a site-to-site setup
18:22 < pekster> Lovely
18:22 < pekster> I suggest you speak to them. That or show some actual !configs
18:23 < pekster> Maybe read !new, !welcome, !configs, !logs, and !paste too
18:24 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Ping timeout: 265 seconds]
18:33 -!- u0m3 [~u0m3@92.80.106.31] has quit [Read error: Connection reset by peer]
18:40 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
18:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
18:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
18:53 -!- cktsoi [~cktsoi@203.145.79.52] has joined #openvpn
18:59 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:00 -!- Andy_xpc [~madandyxp@cpc2-nmal1-0-0-cust159.19-2.cable.virginm.net] has joined #openvpn
19:02 -!- cktsoi [~cktsoi@203.145.79.52] has quit [Remote host closed the connection]
19:04 -!- Andy_xpc [~madandyxp@cpc2-nmal1-0-0-cust159.19-2.cable.virginm.net] has left #openvpn []
19:07 -!- cktsoi [~cktsoi@203.145.79.52] has joined #openvpn
19:10 -!- cktsoi [~cktsoi@203.145.79.52] has quit [Remote host closed the connection]
19:13 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has quit [Ping timeout: 240 seconds]
19:20 -!- cktsoi [~cktsoi@203.145.79.52] has joined #openvpn
19:20 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
19:24 -!- cktsoi [~cktsoi@203.145.79.52] has quit [Ping timeout: 260 seconds]
19:29 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:31 -!- michaelhart [~michaelha@192.0.240.20] has joined #openvpn
19:32 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
19:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
19:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
19:59 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
20:00 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 264 seconds]
20:02 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 260 seconds]
20:16 -!- losted [~losted@box.losted.net] has joined #openvpn
20:26 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
20:27 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
20:27 < kcodyjr> why does openvpn connect android have no "import profile from http url" option, and where can i read up more about that?
20:27 -!- losted [~losted@box.losted.net] has quit [Ping timeout: 272 seconds]
20:27 < Eugene> !as
20:27 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
20:28 < pekster> Connect isn't an openvpn application; it's closed-source designed to play with AS. Read about !android for the OpenVPN clients
20:28 < pekster> OpenVPN has no "URL provisioning" scheme unless you write your own (or find a project that does it)
20:30 < kcodyjr> oh. go on google play and it calls itself the "official openvpn client for android" or somesuch to that effect
20:30 < kcodyjr> !android
20:30 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market or (#3) Direct Play link:
20:30 < Eugene> OpenVPN Technologies, Inc ;-)
20:30 <@vpnHelper> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
20:30 < pekster> Yea, marketing FUD for you
20:30 < pekster> It's an AS client that speaks the openvpn wire-protocol, but is not open-source software
20:30 < kcodyjr> uhh, i think that crosses the line from fud to genuine non-trolling infringement
20:31 < Eugene> Not when the same company is the one that releases the GPL product.....
20:31 < pekster> THey own the copyright to the name
20:31 < kcodyjr> point.
20:31 < kcodyjr> but i think they've given themselves standing to sue themselves.
20:31 < Eugene> I totally agree, and don't like it either.
20:31 < kcodyjr> and anyway it is a bit misleading
20:31 < pekster> The codebases are 100% different, but the name is (obviously) used to steer traffic/downloads/users/payments to them. I don't mind the business side, but I'm annoyed that innocent users end up getting the wrong thing without knwoing
20:31 < Eugene> I wish AS was called "Access Server by OpenVPN"
20:31 < pekster> Yes, that.
20:32 < Eugene> Marketingy AND users get what they're really after.
20:32 < kcodyjr> on the bright side, now i get to go nuke something off my galaxy.
20:32 < kcodyjr> same wire protocol. will they successfully negotiate with each other? if not, that's really shitty.
20:33 < Eugene> Never tried, but "yes"
20:34 < kcodyjr> but it appears only the open client connecting to the as server? i didn't see a way to manually provision connect.
20:36 < Eugene> Pretty sure the OpenVPN Connect client will speak to an openvpn server, but, never tried.
20:37 < kcodyjr> my gut feeling is that it can be done if you don't mind configuring the client in machine code with a flippin' morse key and a quartz crystal jammed in one's ******* for timing sync.
20:37 < kcodyjr> but that's just a hunch.
20:37 < pekster> AS is "just a pretty wrapper around openvpn"
20:38 < pekster> Connect is a complete code re-write to avoid GPL restrictions (becuase there are many contributors, using it as non-GPL would require all of them to release their code to them, which simply won't happen)
20:38 < kcodyjr> but it's an ecosystem. the beauty is in going all-commercial. not much use downloading the shiny client for an open server.
20:38 < kcodyjr> oh, i get it, and i don't object in principle.
20:38 < kcodyjr> what i don't appreciate is finding a minefield of mixed open and closed names in the same spaces with neither obvious differentiation nor a convenient central cross reference.
20:38 < kcodyjr> and i blame the marketing weenies.
20:39 < kcodyjr> and i'm sure it wasn't an accident
20:40 < kcodyjr> of course, there's nothing stopping someone else from going and writing their own shiny, right? open or otherwise.
20:40 < kcodyjr> for my part i'm not diving into another code tangle until i wrap up the one i'm already keester-deep in.
20:40 < pekster> Sure. "Anyone" could write a frontend without too much overhead, and (so long as you don't actively link against GPL libs) you could do it open or closed
20:41 < pekster> Doing a complete client re-write from scratch really isn't feasible unless you wanted to enter the market with a "3rd" client option ;)
20:41 < pekster> Call it NotOpenVPN :P
20:41 < kcodyjr> if that 3rd option was free as in beer, and catered to open server operators, and got smooth integration including autoprovision without having to root, there is absolutely room for a 3rd codebase in that market.
20:42 < pekster> Security and "autoprovision" don't generally go well together
20:42 < pekster> Not unless you have a pre-existing framework for trusted auth (kerberos, or similar) which android clients generally won't have
20:43 < kcodyjr> i was thinking certificate auth was the way to go. there's ca's out there that can hande getting the cert on the target; say, dogtag or ejbca
20:44 < pekster> Sure, but openvpn doesn't generally use public certs (it's actually far more complex becuase you don't want anything with a Verisign cert on your personal VPN.)
20:44 < kcodyjr> and if i were to allow autoprovision at this particular office network, i'd require the user to authenticate to the domain over a wire, install such a cert, and then download the client config under that cert auth
20:44 < kcodyjr> i wouldn't touch a public cert for this
20:44 < kcodyjr> i'm talking about a private trusted root setup
20:45 < kcodyjr> with a sub-CA dedicated to authenticating hosts, via openvpn and 802.1X
20:45 < pekster> You could possibly send the untrusted (but valid) CA over a known-secure channel to avoid the need to manually verify the fingerprint, but that's not an openvpn conern ("only" a design implementation)
20:45 < pekster> That's left as an excersize to the reader
20:45 < kcodyjr> yes. in my case the known-secure channel would be walking over to the server rack and plugging in via the wire i left dangling there for the purpose.
20:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
20:47 < kcodyjr> anyway. i'm really easy to get off on a tangent, aren't i...
20:48 < kcodyjr> i'm just about wrapped up with my 3rd refactoring of the ddns code, and it's back together except for the part about not having access to the dhcp-client-identifier or hwaddr or duid. once i've written the hack to pull that in from a text file, i think i'll be ready for a first alpha release
20:49 < kcodyjr> and, thought. how common a use case would it be to have openvpn running on a single-box firewall that also happens to be the dhcp server?
20:50 < Eugene> Very.
20:50 < Eugene> My networks are centered around such boxen
20:50 < Eugene> Firewall, router, VPN, DHCP, DNS, yum/apt cache....
20:51 < kcodyjr> that's my thought too. so are mine, i don't really care for the L3-switch-as-gateway approach.. it wouldn't be a huge stretch at all to parse the leases file and snarf the uid field from there.
20:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
20:51 < kcodyjr> that would make the assumption that the openvpn client cert common_name is equal to the client's locally configured short hostname.
20:53 -!- lj [~l@192.241.174.169] has joined #openvpn
20:54 < kcodyjr> it also opens up the worm-can of how many different leases formats are out there, and how many dhcp daemons are popular besides ISC
20:55 < Eugene> Who cares? Assume ISC and screw the rest of 'em
21:02 < kcodyjr> then i get to guess where the blazes to find it. i don't really wanna write a distro recognizer. what i can do is make that a config variable in /etc/openvpn/ddns/update. which is all that file is; documented config variables, and a launch into the library.
21:03 < kcodyjr> if the variable is not commented out, it'll parse the leases.
21:03 < kcodyjr> which i found insanely easy to parse. i already wrote a quickie that goes through the leases and reports the proper TXT record, and compared them to what I saw in DNS.
21:05 < kcodyjr> so with your blessing, i'll proceed assuming ISC and screw the rest. ;)
21:11 -!- cktsoi [~cktsoi@236-013.netfront.net] has joined #openvpn
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
21:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:22 -!- cktsoi [~cktsoi@236-013.netfront.net] has quit [Remote host closed the connection]
21:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
21:47 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 265 seconds]
21:47 -!- nunim [nunim@unaffiliated/nunim] has quit [Ping timeout: 265 seconds]
21:48 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
21:48 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dyniweiteoujzbnf] has quit [Ping timeout: 265 seconds]
21:48 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
21:48 -!- mode/#openvpn [+o raidz] by ChanServ
21:48 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
21:48 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
21:49 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
21:49 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 265 seconds]
21:50 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-asztochgfmudmrzt] has joined #openvpn
21:50 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
21:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
21:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
21:56 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
22:00 -!- booo [~booo__@p54BDA464.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
22:02 -!- booo [~booo__@p54BDBDBF.dip0.t-ipconnect.de] has joined #openvpn
22:24 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
22:44 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
22:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
22:50 -!- joshh20 is now known as joshh20-Away
22:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
23:01 -!- lj [~l@74.120.200.95] has joined #openvpn
23:02 -!- lj [~l@74.120.200.95] has quit [Remote host closed the connection]
23:03 -!- lj [~l@74.120.200.95] has joined #openvpn
23:06 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:07 -!- lj [~l@74.120.200.95] has quit [Read error: Operation timed out]
23:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
23:26 -!- rmckee [~rmckee@175.45.105.33] has quit [Quit: Leaving]
23:38 -!- lvv [~loganaden@196.1.0.58] has joined #openvpn
23:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:42 -!- cktsoi [~cktsoi@236-013.netfront.net] has joined #openvpn
23:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
23:49 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
23:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
23:52 -!- enbergj [~enbergj@ec2-54-246-148-207.eu-west-1.compute.amazonaws.com] has joined #openvpn
23:54 < enbergj> I've got openvpn clients running windows, mac os x, and linux .. I added to the server conf: push "dhcp-option DNS 10.0.0.1" .. this works fine for win & mac clients, but the linux machines seem to ignore this completely .. any ideas?
23:54 -!- cktsoi [~cktsoi@236-013.netfront.net] has quit [Remote host closed the connection]
23:55 -!- cktsoi [~cktsoi@236-013.netfront.net] has joined #openvpn
23:58 -!- raidz_away [~raidz@2607:5300:60:d5a::2] has joined #openvpn
23:58 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
23:58 -!- raidz_away is now known as raidz
23:58 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
23:58 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:58 -!- mode/#openvpn [+o raidz] by ChanServ
--- Day changed Fri Feb 14 2014
00:03 < Eugene> !resolvconf
00:03 < Eugene> !pushdns
00:03 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
00:04 < Eugene> enbergj - the openvpn client natively does not deal with this; the Windows DHCP driver picks up on it, and I udnno about mac.
00:04 < Eugene> For linux, use that script which will read the options & update appropriately
00:04 -!- cktsoi [~cktsoi@236-013.netfront.net] has quit [Remote host closed the connection]
00:11 < enbergj> well yeah, I said win & mac work, and thanks
00:16 -!- max__ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
00:30 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
00:38 -!- max__ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
00:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
00:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 248 seconds]
00:52 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
01:02 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:02 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:20 -!- kirin` [telex@gateway/shell/anapnea.net/x-hajxxpdrrpmywcbf] has quit [Ping timeout: 245 seconds]
01:21 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 264 seconds]
01:22 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:24 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:26 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-ojhqlhusrompfguy] has joined #openvpn
01:46 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
01:51 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 246 seconds]
01:52 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
01:53 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 248 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:05 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:14 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
02:17 -!- Devastatr [~devas@177.99.152.98] has joined #openvpn
02:18 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
03:03 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
03:03 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:08 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
03:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-ojhqlhusrompfguy] has quit [Ping timeout: 248 seconds]
03:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-erncwgrskbphozul] has joined #openvpn
03:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
03:41 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:47 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
03:56 -!- dazo_afk is now known as dazo
04:01 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
04:02 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:02 -!- Devastatr [~devas@177.99.152.98] has quit [Changing host]
04:02 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
04:09 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
04:10 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
04:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
04:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:25 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
04:27 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has joined #openvpn
04:34 -!- busch is now known as busch_off
04:35 -!- busch_off is now known as busch
04:44 -!- busch is now known as busch_off
04:54 < Haigha> hi, i have a problem with openvpn and tunnelblick
04:54 < Haigha> http://pastebin.com/jdgQJV0t
04:54 < Haigha> it just stops there
04:58 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
04:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
05:05 -!- busch_off is now known as busch
05:19 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:22 -!- busch is now known as busch_off
05:31 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:04 -!- busch_off is now known as busch
06:06 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has quit [Ping timeout: 246 seconds]
06:07 -!- michaelhart [~michaelha@192.0.240.20] has quit [Quit: michaelhart]
06:14 -!- busch is now known as busch_off
06:16 -!- klaxa [~klaxa@klaxa.eu] has quit [Ping timeout: 240 seconds]
06:27 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
06:54 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 260 seconds]
06:55 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:03 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:05 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
07:05 -!- busch_off is now known as busch
07:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
07:15 -!- busch is now known as busch_off
07:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:37 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
07:40 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 272 seconds]
07:41 <@ecrist> Haigha: you'll need to talk to the tunnelblick folks
07:41 <@ecrist> at the last point in that log, openvpn hasn't even started yet
07:41 <@ecrist> also, you're using a beta
07:42 <@ecrist> if you don't know how to fix that sort of thing, or troubleshoot it, you should avoid beta software
07:42 < Haigha> i also tried with the stable version
07:42 < Haigha> but it has the same problem, so i tried the beta
07:42 < Haigha> *had
07:46 <@ecrist> fwiw, I use tunnelblick without a problem
07:48 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
07:49 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
08:02 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
08:02 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
08:03 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has joined #openvpn
08:06 -!- busch_off is now known as busch
08:15 -!- busch is now known as busch_off
08:16 -!- kossy [a@kossy.org] has quit [Ping timeout: 245 seconds]
08:17 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
08:24 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
08:25 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
08:28 < _FBi> !iphone
08:28 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
08:30 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:42 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
08:42 -!- lvv [~loganaden@196.1.0.58] has quit [Ping timeout: 252 seconds]
08:44 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
08:47 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
09:01 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
09:02 -!- Pei_ [~pei@thinks.outside.theb0x.org] has quit [Read error: Connection reset by peer]
09:07 -!- busch_off is now known as busch
09:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:16 -!- busch is now known as busch_off
09:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:25 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
09:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
09:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:40 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
09:41 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
09:45 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 260 seconds]
09:49 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
10:07 -!- busch_off is now known as busch
10:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
10:17 -!- busch is now known as busch_off
10:18 -!- takamichi [~takamichi@67.213.212.245] has joined #openvpn
10:23 -!- takamichi [~takamichi@67.213.212.245] has quit [Ping timeout: 260 seconds]
10:26 -!- takamichi [~takamichi@67.213.212.243] has joined #openvpn
10:28 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
10:33 -!- takamichi [~takamichi@67.213.212.243] has quit [Ping timeout: 260 seconds]
10:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:38 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 245 seconds]
10:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 244 seconds]
10:46 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
10:46 -!- kossy [a@kossy.org] has joined #openvpn
10:59 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 248 seconds]
11:03 -!- lj [~l@192.241.174.169] has joined #openvpn
11:05 < dyer> Question, if I have two VPN servers is there a way to make connecting to them "mutually exclusive" ?
11:06 <@krzee> !script
11:06 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
11:07 <@krzee> either tls-verify or client-connect, i havnt had to do that before but i would guess tls-verify would be better assuming it gets all needed info
11:08 -!- busch_off is now known as busch
11:08 <@krzee> actually, it has to have all the needed info, you have access to the entire cert at that point
11:08 <@krzee> so ya, tls-verify script can check a central database to see if that user is logged in
11:09 <@krzee> if it is logged in already, then you either refuse or disconnect the other client from the other server
11:09 <@krzee> if not, you write to the DB that the user logged in, so you can know when he logs into the other server
11:09 <@krzee> dyer, ^^
11:11 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:16 -!- takamichi [~takamichi@85.12.8.107] has quit [Ping timeout: 272 seconds]
11:16 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 272 seconds]
11:18 -!- busch is now known as busch_off
11:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:19 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
11:21 -!- takamichi [~takamichi@141.255.164.68] has joined #openvpn
11:25 -!- takamichi [~takamichi@141.255.164.68] has quit [Ping timeout: 252 seconds]
11:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Remote host closed the connection]
11:26 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:26 -!- joshh20-Away is now known as joshh20
11:27 < dyer> yea, only question I have is how to I know if a user is still connected...
11:27 < dyer> for example, he is working on vpn1 and closes his laptop and goes how ( not disconnecting "cleanly" before he leaves )
11:27 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
11:27 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:27 < dyer> so whatever I am using to track connections may see him as online when in fact he isnt
11:27 <@krzee> client-disconnect should remove him from the db
11:28 <@krzee> you'll need a centralized database to keep track of it
11:28 < dyer> its not that big of a deal..
11:28 < dyer> figured I would ask if there was a faculty, I am not going to go nuts setting up some db to do thi
11:28 < dyer> s
11:29 < dyer> I'll just educate my users, I don't have that many :)
11:29 <@krzee> =]
11:29 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Read error: Connection reset by peer]
11:29 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:33 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
11:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:34 -!- kalloc [~kalloc@h86-62-83-99.ln.rinet.ru] has quit [Ping timeout: 245 seconds]
11:35 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:43 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
11:46 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
11:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:05 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
12:05 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
12:23 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
12:31 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Read error: Connection reset by peer]
12:33 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
12:34 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
12:41 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Read error: Connection reset by peer]
12:42 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
12:49 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has joined #openvpn
13:01 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
13:01 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
13:08 -!- lj [~l@192.241.174.169] has joined #openvpn
13:10 -!- kalloc_ [~kalloc@h86-62-83-99.ln.rinet.ru] has quit []
13:12 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
13:12 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:14 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:17 -!- master_of_master [~master_of@p4FF24E7F.dip0.t-ipconnect.de] has joined #openvpn
13:20 -!- master_o1_master [~master_of@p4FF24B95.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
13:59 -!- u0m3 [~u0m3@92.80.106.31] has joined #openvpn
14:05 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
14:19 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
14:29 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:34 -!- pdobrogost [~quassel@87-205-153-132.adsl.inetia.pl] has joined #openvpn
14:39 -!- rob0_ is now known as rob0
14:46 -!- exa [~exa@unaffiliated/exa] has quit [Ping timeout: 246 seconds]
14:48 -!- exa [~exa@v22013091132414614.yourvserver.net] has joined #openvpn
14:49 -!- exa is now known as Guest44485
14:55 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
14:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:09 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:11 -!- joshh20 is now known as joshh20-Away
15:26 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:27 -!- lj [~l@192.241.174.169] has joined #openvpn
15:27 -!- lj [~l@192.241.174.169] has quit [Client Quit]
15:28 -!- br4ndon [~br4ndon@2a01:e35:2e35:e9c0:225:d3ff:fe44:1329] has joined #openvpn
15:41 -!- p3rror [~mezgani@41.248.181.161] has joined #openvpn
15:46 -!- _Spoon [uid22146@gateway/web/irccloud.com/x-svknpgwbwohefeqz] has joined #openvpn
15:51 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
16:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:29 -!- br4ndon [~br4ndon@2a01:e35:2e35:e9c0:225:d3ff:fe44:1329] has quit [Ping timeout: 246 seconds]
16:31 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
16:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
16:35 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:36 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
16:37 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has quit [Ping timeout: 252 seconds]
16:40 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
16:40 -!- joshu__ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
16:42 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has joined #openvpn
16:44 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
16:50 -!- elitecoder [~liq@198.199.111.15] has joined #openvpn
16:51 < elitecoder> Hello. I would like to configure a client to setup a tunnel, but not set it as the default gateway. If traffic leaves on the VPN, then I would like it to return on the VPN. So that an app can use it, but others use the main interface.
16:52 < elitecoder> I use a service that probably pushes the default gw.
16:53 -!- e-ndy [~e-ndy@194.213.226.242] has joined #openvpn
17:03 < elitecoder> I looked through the docs a lot but yeaaaa didn't get anywhere haha
17:14 < _Spoon> hello, this is the first time have used openVPN, I have my server up and running with no errors but it does not show up as listening with netstat -a, when i attempt to telnet to the port 1194 i get a connection refused ufw is disabled and i am using hosts.allow /hosts.deny with the following ALL EXCEPT in.fingerd: 10.69.69.0/30
17:14 < _Spoon> with also an allow in the allows
17:15 -!- u0m3 [~u0m3@92.80.106.31] has quit [Read error: Connection reset by peer]
17:15 < _Spoon> i am running ubuntu 13.10 i can supply my configs as well as my log upon request
17:17 < _Spoon> Also, when i try to connect my client no connection is made.
17:17 < _Spoon> that kinda goes without saying..
17:21 -!- p3rror [~mezgani@41.248.181.161] has quit [Ping timeout: 246 seconds]
17:29 < elitecoder> Well, I'll be back later.
17:29  * elitecoder is away
17:32 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 245 seconds]
17:32 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
17:33 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:33 -!- mode/#openvpn [+o raidz] by ChanServ
17:37 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
17:42 -!- pdobrogost [~quassel@87-205-153-132.adsl.inetia.pl] has quit [Read error: Operation timed out]
17:47 -!- dazo is now known as dazo_afk
17:52 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
17:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:55 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:57 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 246 seconds]
17:57 -!- michaelhart_ is now known as michaelhart
18:09 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
18:17 -!- joshh20-Away is now known as joshh20
18:19 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has quit [Quit: Ciao]
18:23 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 246 seconds]
18:31 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
18:47 -!- u0m3 [~u0m3@92.80.106.31] has joined #openvpn
18:51 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
18:53 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
18:58 -!- raidz is now known as raidz_away
18:59 -!- raidz_away is now known as raidz
19:15 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
19:27 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
19:28 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
19:46 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
19:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:55 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:57 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:12 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
20:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:02 -!- ljvb__ is now known as ljvb
21:03 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
21:05 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
21:16 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
21:37 -!- busch_off is now known as busch
21:38 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
21:40 < sammm> hi, I have successfully set up openvpn and my client can connect to my server and access WAN and LAN, how can they configure it so they connect to my LAN but not my WAN, or at least have their NIC prioritized for WAN over the virtual adapter?
21:41 < Eugene> !route
21:41 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
21:41 <@vpnHelper> client
21:41 < Eugene> !redirect
21:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:41 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:41 < Eugene> You'r probably doing redirect, when you really just want !serverlan
21:43 < pekster> "but not the WAN" doesn't make much sense. Routers have at least 2 interface. If you want to provide acces to just the inside interface, don't forward (or use a firewall to prevent it.) If you don't want to allow forwarded traffic, firewall it
21:43 < pekster> You can avoid pushing routes, but clever/abusive users will try to do it anyway. A firewall is the proper way to lock traffic down based on access needs
21:43 < Eugene> That's not how I translated it
21:43 < pekster> Dunno, needs clarification
21:43 < Eugene> Indeed. Hence I guessed.
21:43 < pekster> (or another beer, I dunno. More beer it is!)
21:44 < Eugene> And usually it's not "prevent from happening" but "stop this behaviour on my trusted client" ;-)
21:44 < sammm> thanks for the replies, I'll get reading. I'm not very knowledgeable on networking but I know if I disable WAN forwarding in the firewall all of my clients wan requests and what not will just time out, I want them to use a different adapter to access the internet. Plus haha I trust all of my clients, my one client that is.
21:45 < Eugene> So... you do want your VPN Client's traffic to go via the VPN Server? or don't?
21:47 < sammm> I do, but for this one client I want him to be able to access my LAN but his WAN when needed. It's not practical for this client to access WAN. Sorry if I don't know what I'm talking about because I probably don't.
21:48 < pekster> What is "his WAN" ?
21:48 < Eugene> Ohhh so you want it EXCEPT for this one client
21:48 < sammm> Yes Eugene, sorry, I'm a tad tired!
21:48 < sammm> His WAN being his connection to the internet
21:48 < Eugene> !factoids search reset
21:48 <@vpnHelper> "push-reset" is Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
21:48 < Eugene> We call that "redirect" here, after the option name ;-)
21:48 < sammm> Hahahaha
21:48 < sammm> Sorry for the confusion
21:49 < Eugene> Anyway, go read the man page on those options ^
21:49 < pekster> You can push-reset, or add ccd (or --client-connect entires) for the ones you _do_ want to add the redirection (which boils down to two /1 routes and a little extra magic)
21:49 < pekster> All these methods basically do the same thing; it's a matter of implementation preference
21:52 < sammm> Thank you!
21:57 -!- booo [~booo__@p54BDBDBF.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
22:00 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
22:05 -!- lvv [~loganaden@41.136.76.156] has joined #openvpn
22:05 -!- booo [~booo__@p54BDBFDB.dip0.t-ipconnect.de] has joined #openvpn
22:18 -!- busch is now known as busch_off
22:24 < sammm> okay I got it! All I had to do was add push-reset as you guys said and then add a new route to 192.168.1.0/24 (my routers lan route)
22:25 < sammm> so when I check my ip with whatsmyip it is my 3g ip (using phone as a test) but I can still access my router / lan devices!
22:27 -!- joshh20 is now known as joshh20-Away
22:28 < sammm> and upon further googling, what I was really asking for was 'split tunnelling'
22:43 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:59 < sammm> what happens when a pushed route such as 192.168.1.0 255.255.255.0 conflicts with the clients router / lan using the same subdomain ?
23:08 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
23:11 < pekster> Bad things. Don't use such common networks for the side you control
23:11 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
23:11 < pekster> It's a horrible network choice where you'll ever expose it to another uncontrolled RFC1918 LAN
23:11 < pekster> !randomsubnet
23:11 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
23:14 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
23:14 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
23:19 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
23:19 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
23:26 -!- heraclitus__ is now known as heraclitus
23:26 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
23:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:30 < kcodyjr> hell, doesn't have to be random, just not .1, .0, .2, or .10
23:30 < kcodyjr> i notice lots of new routers coming with 10. as a default, and comcast is too now
23:30 < pekster> truely random (avoiding obvoiusly common stuff) is a better bet
23:31 < kcodyjr> no, it's merely slightly less of a loser of a bet.
23:31 < kcodyjr> but that's the charliefoxtrot that is ipv4 nat.
23:31 < kcodyjr> i notice comcast doing 10.'s a lot now, presumably they're trying to wrest dollars from their customers' employers to stop messing with their vpn
23:33 < kcodyjr> it had become common practice to use 10.'s at the office because people tended to be on 192.168.{0,1,2,10} at home.
23:34 < kcodyjr> give it a few more years and you could host the biggest kegger there ever was in the 192.168 space without bumping into anybody.
23:34 < kcodyjr> but, if i'm not mistaken, the conflict can still be solved with a host-specific route to the real upstream router out the real interface
23:35 < kcodyjr> the local lan would become invisible but if you're on someone's uncontrolled network, who cares
23:35 < kcodyjr> oh, and whatever host on the other end has your router's ip would also be invisible.
23:37 < pekster> Humans have bad entropy. Ignore that at your peril
23:38 < kcodyjr> point well taken. which is why the problem is best left to the IP address registration authorities, and why ipv4 can't be phased out fast enough.
23:39 < pekster> ULA isn't registered or allocated, although places like sixxs attempt to create a registry of part of it
23:39 < pekster> IPv6 doesn't solve the problem. There's still (the possibility) of NAT, and there's still explicitly private space that can be used. Think the backend of load balancing or anycast, or that kind of thing
23:40 < pekster> "same shit, bigger space." If we all pick lots of zeros becuase fcd::1234 is easy to write, we have the same problem
23:41 < kcodyjr> honestly i don't see why the backend of load balancing should be in private space if the admin expects to ever have remote admin access to it
23:42 < kcodyjr> either he gives it a public ip on one interface or another, or suffers without being able to reach it
23:42 < pekster> Point lost
23:42 < pekster> I don't care to argue it
23:43 < kcodyjr> no, i don't think i'm missing it; you're arguing that users can still pick something stupid even in ipv6, and i'm arguing that one of the points of ipv6 is that users shouldn't be choosing addresses period, their whole lan would be allocated by their isp
23:43 < pekster> ULA
23:43 < pekster> ULA is NOT ALLOCATED
23:43 < pekster> https://en.wikipedia.org/wiki/Unique_local_address
23:43 <@vpnHelper> Title: Unique local address - Wikipedia, the free encyclopedia (at en.wikipedia.org)
23:44 < pekster> You can use ULA for whatever the fuck you want, and your ISP will never give it to you
23:44  * pekster shrugs
23:44 < pekster> I'm not talking idealistic "perfect world." I'm talking real world
23:44 < pekster> Attempting to apply utopian logic will fail here.
23:45 < kcodyjr> right, the equivalent of the private spaces we have now.
23:45 < kcodyjr> real world, under ipv6 users with ula-only networks wanting to vpn in should be told to piss off.
23:45 < kcodyjr> thus solving the problem with an axe to the neck
23:45 < pekster> You're still focused too narrow
23:46 < kcodyjr> you mean i should expect, encourage, and embrace the fact that end-users always want to break the rules
23:46 < pekster> Say Acme Widgets and Acme BarBaz LTD merge. They both use ULA for internal-only tasks (never routed publically, thus an allowed use.) They try to route between then, and both admins picked "20" and "30" as suffixes with no more entropy
23:46 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 272 seconds]
23:46 < pekster> By your logic, that chance of problems is small. Sucks to be them
23:47 < pekster> Do things properly from the beginnign and not waste time later is far smarter
23:47 < kcodyjr> no, by my logic they must keep their existing internal-only tasks networks separate.
23:47 < pekster> merging isn't separate
23:47 < pekster> WHat a stupid conversation
23:47 < kcodyjr> it isn't mashing them together either
23:47 < pekster> That's how routing works
23:47 < pekster> If you can't route to a network, you can't reach it
23:47 < kcodyjr> i've gone through mergers, it usually takes the form of deprecating one while the actual work is transferred to the other's systems
23:47 < pekster> If you have duplicate networks (except in very specific cases) it breaks
23:47 < pekster> Very simple
23:48 < kcodyjr> yes, it does, which is why they really shouldn't have been using 100% ULA in the first place
23:48 < pekster> Sure, stick to your "usually" and "chance of fuckups is small." I'm going to stick with sane practices
23:49 < pekster> fe20::/32 can be all yours. I won't touch it.
23:49 < pekster> "What are the odds someone else picks 20?!"
23:50 < pekster> Erm, /16
23:50 < kcodyjr> i won't touch it either. at the very least i'll go reserve a tunnel address from HE and then not use the tunnel.
23:51 < kcodyjr> my view is still that both companies did something stupid pre-merger, and therefore richly deserve all the I.T. overtime they'll have to pay out to stitch their networks together.
23:51 < pekster> Or follow RFC4086
23:51 < pekster> helpfully referenced from RFC4193
23:51 < pekster> QED.
23:56 < kcodyjr> interesting. it specifies a 40-bit address space to be filled with randomness backed by entropy collection.
23:56 < kcodyjr> as distinct from the 8-bit space represented by X 192.168.X.1
23:57 < kcodyjr> which brings me back to, ipv4 can't be phased out fast enough.
23:57 < kcodyjr> QED.
23:57 < pekster> If 256^2 is a realistic collision frame for you, your paradigm is flawed.
23:57 < kcodyjr> isn't ^2
23:57 < kcodyjr> it's just 256
23:57 < pekster> There are 256^2 /24's in a /8
23:57 < pekster> Your bitmath suck
23:58 < kcodyjr> no, my bitmath is right on.
23:58 < kcodyjr> the space is defined by 192.168.0.0/16
23:58 < kcodyjr> people invariably pick a /24
23:58 < pekster> use a /8
23:58 < kcodyjr> leaving 8 bits in the middle, the 3rd octet.
23:58 < pekster> Yes, if you do stpuid things, you get to suffer
23:58 < kcodyjr> i thought we were talking about the stupid users that just go with what comes on their little blue smurf router
23:59 < pekster> I'm talking about avoiding collisions in general
23:59 < pekster> You seem to try and suggest everything I'm saying is somehow unnecessary
23:59 < kcodyjr> no, i'm saying the non-routable addresses behind people's home routers shouldn't be a valid concern for vpn design.
--- Day changed Sat Feb 15 2014
00:00 < pekster> It is when they conflict, moreso when they have a more specific mask
00:00 < kcodyjr> yes, but do you seriously think everyone's going to set an RFC4193 address on their home router?
00:00 < pekster> I run a /25 for my home LAN (with the remaining /25 in the /24 supernet a variety of VPNs and purpose-tasks.) If your company happens to pick the same /24 supernet, my /25 takes priority and "breaks." The better that can be avoided the less shit admins have to fix
00:01 < pekster> Everying using ULA intentionally, yes.
00:01 < pekster> If they don't they're clueless, or doing things in a lab and just don't care
00:01 < kcodyjr> which amounts to what, 1%? 0.1%? 0.0001%? i mean really, no insult to anyone intended, but how many remote users are really that clueful?
00:01 < pekster> Since ULA is an advanced topic, I epxect people to be non-stupid about it
00:01 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
00:02 < pekster> "If I buy a gun and my 4 year old gets shot, who do I blame?" is about what this amounts to
00:02 < kcodyjr> now there i'll correct you. *SHOULD* be an advanced topic. but it's silently rammed down the throats of everyone that has a comcast/verizon box in their home.
00:02 < kcodyjr> hm.
00:03 < pekster> Comcast is using ULA for customer-visible things? Where the hell do you come up with the bullshit?
00:03 < pekster> I explicitly drop RFC1918 and the full bogons list published by Team Cyrmu to no ill effect
00:03 < kcodyjr> kid you not, they're giving out 10.X.X.0/24 at the moment, haven't seen the distribution, and i have indeed seen 10. destinations
00:04 < Eugene> 10.x on external interfaces should be ignored with prejudice
00:05 < pekster> Your information is flawed. Comcast is neither out of public v4 IPs nor are they stupid enough to use RFC1918 when RFC6598 is availble
00:05 < Eugene> As a Comcast customer, I am not getting a RFC1918 address.
00:05 < pekster> I have no idea what you're drinking/smoking, but it makes as much sense as a babble-generator
00:05 < kcodyjr> information was gleaned with tcpdump on my laptop right here in my home.
00:05 < pekster> Just becuse it's routed to you doesn't mean they are using or allocating it to customers
00:06 < Eugene> Most likely is you're clueless and picking up on a second level of NAT from your "modem/router"
00:06 < pekster> It just means the next-hop firewall is spraying shit at you
00:06 < kcodyjr> or someone else on the same subnet spraying shit maybe?
00:06 < pekster> (or a customer on the LAN is an idiot and they don't have filtering at the CMTS)
00:06 < pekster> Right
00:06 < pekster> Your attempt to say otherwise suggest you're not well-versed in these issues
00:06 < pekster> Certainly suggesting it's comcast sourcing the connecitons is utter and complete bullshit
00:06 < kcodyjr> and yet i've got a career of solving those sorts of issues more behind me than in front of me.
00:07 < Eugene> Cool story br0
00:07 < kcodyjr> actually i distinctly recall saying the destination was in the 10. range
00:07 < pekster> Cool story. Shall we compare epeen now?
00:07 < pekster> Eugene++
00:07 < Eugene> Mine is hueeeeeg
00:07 < kcodyjr> unimpressed.
00:08 < kcodyjr> i can well believe there's idiots on my local comcast subnet.
00:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:08 < pekster> 1) bogon filter or black-hole route bogons. 2) drink some beer. 3) profit. 4) drink more beer. Just in case.
00:08 < kcodyjr> but i know a browser being redirected to a 10. address when i see it happening in a dump before my eyes. either comcast has customer-facing servers on 10. addresses, or someone was hijacking, and it was ssl so i dont' see how
00:08 < Eugene> Definitely beer.
00:09  * Eugene awaits ferry eagerly
00:10 < kcodyjr> you guys enjoy ya beers. i'll stick with this here bottle of oyster bay.
00:10 < kcodyjr> beer makes me fart for days
00:11 < pekster> http://pekster.sdf.org/misc/redirect-omg-hijack-oneoneeleventy.html
00:11 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
00:11 < pekster> OMG HAX REDIRECT to 10/8. MUST BE COMCAST
00:12 < pekster> You know, or just stillyness
00:12 < kcodyjr> cute
00:14 < kcodyjr> look, i was running the trace on the back side of comcast's nat device. there isn't a snowball's chance in hell i was picking up anyone else's packets but my own.
00:15 < kcodyjr> and nothing was going on except working with comcast trying to un-f*ck their wireless that nothing in the house was suddenly able to connect to. just this laptop that wifi's into a smurf that's wired to comcast's box.
00:16 < kcodyjr> and there wasn't jack squat open on the laptop, centos by the way, except the browser to comcast
00:16 < kcodyjr> so disbelieve all you want. i saw it, and i've been around the block enough times to know it couldn't have been anything else. comcast had servers talking back to me from 10. addresses.
00:17 < pekster> Then block bogons instead of making such a big deal about it
00:17 < pekster> https://lmddgtfy.net/?q=cymru%20bogons
00:17 < kcodyjr> i could actually care less whether they fly through or not. as far as i'm concerned the security perimiter is on the laptop itself.
00:17 < pekster> Problem solved
00:17 <@vpnHelper> Title: Let Me DuckDuckGo That For You (at lmddgtfy.net)
00:18 < kcodyjr> how did we even get to talking about bogons? weren't we talking about idiot home users that pick retarded network numbers?
00:18 < kcodyjr> or were we still talking about beer?
00:30 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
00:33 < sammm> hey guys, one quick question, i've set up a client config to not pull routing info from the server and to define their own route as 192.168.1.0 255.255.255.0, this works fine except the problem is my client's own LAN uses the routing info. Can I still make this route but define it as 192.168.2.0 255.255.255.0?
00:33 < sammm> the same routing info ^
00:33 < pekster> You have duplicate networks? Why have you used such a common network on both sides of your link?
00:33 < kcodyjr> *facepalm*
00:33 < pekster> Fix that. Alternatively do really stupid and hack-ish bi-directional mapping
00:34 < pekster> I won't help you shot yourself in the eye though. Renumber one or the other side to avoid this.
00:34 < sammm> i've only delved into networking and vpn recently so I don't know much at all as you can obviously tell.
00:34 < pekster> Nothing to do with VPN; this is basic routing
00:34 < pekster> If you don't know that, a VPN won't really help youl
00:35 < pekster> https://layer3.wordpress.com/2011/04/10/justsaynoto-19216810/
00:35 <@vpnHelper> Title: Just Say No To 192.168.1.0/24 « Layer3 (at layer3.wordpress.com)
00:35 < pekster> 192.168.1.0/24 is horrible. Avoid it.
00:36 < pekster> Then go spend some time learning how basic routing works. Maybe the link at !tcp (type that here for a link) will give you some basic reading on routing
00:37 < kcodyjr> until home routers come out of the box prepared to randomly generate according to rfc4193, this problem isn't going away. it isn't a wetware problem, except to the extent the wetware never actually boots.
00:37 < sammm> okay, i'm going to ask another very basic question so brace yourselves, how can I not use 192.168.1.0/24 but have my client access the servers shared devices and what not? I'll read that PDF now
00:37 < sammm> !tcp
00:37 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
00:37 < pekster> Erm, wrong link I gave you :\
00:37 < pekster> !tcpip
00:37 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
00:38 < sammm> thanks
00:38 < pekster> If you have the same network on both sides, renumber one of them
00:38 < pekster> Ideally your server side, otherwise "any" client will have this problem
00:42 -!- lvv [~loganaden@41.136.76.156] has quit [Quit: lvv]
00:43 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Read error: Connection reset by peer]
01:01 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
01:04 < sammm> alright, i've taken your advice and my network is now using 192.168.10.0/24
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:18 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
01:26 < kcodyjr> {0,1,2,10}.
01:26 < kcodyjr> there's that way awesome human entropy at work for ya.
01:44 < _Spoon> hello, this is the first time have used openVPN, I have my server up and running with no errors but it does not show up as listening with netstat -a, when i attempt to telnet to the port 1194 i get a connection refused ufw is disabled and i am using hosts.allow /hosts.deny with the following ALL EXCEPT in.fingerd: 10.69.69.0/30
01:44 < _Spoon> with also an allow in the allows
01:47 <@krzee> !randomsubnet
01:47 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
03:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:31 -!- busch_off is now known as busch
03:41 -!- busch is now known as busch_off
03:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:05 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
04:05 -!- sauce [sauce@unaffiliated/sauce] has quit [Remote host closed the connection]
04:07 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
04:16 -!- Scar3cr0w [~Scar3cr0w@ec2-54-244-252-160.us-west-2.compute.amazonaws.com] has joined #openvpn
04:16 -!- Scar3cr0w [~Scar3cr0w@ec2-54-244-252-160.us-west-2.compute.amazonaws.com] has left #openvpn []
04:19 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
04:20 -!- Guest850 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
04:21 -!- Guest850 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
04:22 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
04:34 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
04:51 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
04:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
04:55 -!- takamichi [~takamichi@85.12.8.107] has joined #openvpn
05:12 -!- busch_off is now known as busch
05:23 -!- br4ndon [~br4ndon@2a01:e35:2e35:e9c0:225:d3ff:fe44:1329] has joined #openvpn
05:24 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
05:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:32 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
05:35 -!- takamichi [~takamichi@85.12.8.107] has quit [Ping timeout: 245 seconds]
05:35 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
05:35 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
05:35 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:41 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Remote host closed the connection]
05:43 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 245 seconds]
05:45 -!- br4ndon [~br4ndon@2a01:e35:2e35:e9c0:225:d3ff:fe44:1329] has quit [Quit: Ciao]
05:50 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
05:56 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 248 seconds]
05:57 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Quit: ZNC - http://znc.in]
05:57 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
05:59 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
06:20 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
06:29 -!- pdobrogost [~quassel@77-255-40-99.adsl.inetia.pl] has joined #openvpn
06:46 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
07:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:29 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
07:43 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:00 -!- levifig [~levifig@205.186.144.152] has quit [Ping timeout: 265 seconds]
08:04 -!- levifig [~levifig@hakr.io] has joined #openvpn
08:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:19 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
08:33 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has joined #openvpn
08:39 -!- br4ndon [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has quit [Quit: Ciao]
08:45 -!- br4ndon [~br4ndon@2a01:e35:2e35:e9c0:225:d3ff:fe44:1329] has joined #openvpn
08:47 -!- br4ndon [~br4ndon@2a01:e35:2e35:e9c0:225:d3ff:fe44:1329] has quit [Remote host closed the connection]
08:48 -!- Guest44485 [~exa@v22013091132414614.yourvserver.net] has quit [Quit: Guest44485]
08:48 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
08:51 -!- pdobrogost [~quassel@77-255-40-99.adsl.inetia.pl] has quit [Read error: Operation timed out]
08:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:04 < pekster> _Spoon: it'll show up in `netstat -an` but you can't telnet to UDP ports (telnet is for tcp)
09:05 < _Spoon> pekster: its not listed.
09:06 < pekster> Then it's not listening
09:06 < pekster> Post your !configs and !logs per the info at !paste
09:07 < _Spoon> ok, one moment please. it is difficult to get the long configs out via terminal since you cannot scroll while selecting
09:08 < pekster> scp?
09:08 < pekster> grep out the comments?
09:08 < pekster> !paste
09:08 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
09:08 < pekster> !configs
09:08 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:08 < pekster> !logs
09:08 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:08 < pekster> I don't tell you to look at things for my own amusement
09:09 -!- cktsoi [~cktsoi@n119237108167.netvigator.com] has joined #openvpn
09:09 < _Spoon> oh, i know.
09:09 < _Spoon> but going from windows to linux via putty
09:10 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
09:10 < _Spoon> not relivent for the openvpn though
09:10 < pekster> wtf does that have to do with anything?
09:10 < pekster> Sounds like you need some basic OS lessons (which is not what this channel is for)
09:10 < pekster> filezilla or pscp.exe (part of putty) can both use scp
09:10 < pekster> using openvpn assumes you are apt at both networking and working with your OS/distro selections. You'll have a hard time of it otherwise
09:11 < _Spoon> pekster:
09:11 < _Spoon> shut the hell up man
09:11 < pekster> !101
09:11 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
09:11 < _Spoon> im using putty and the config file is longer than my page
09:11 < _Spoon> there for i cannot fucking copy and paste it
09:11 < pekster> Then scp it over
09:11 < pekster> FFS man
09:11 < _Spoon> i will manage this task on my own you cock gobler
09:12 -!- mode/#openvpn [+o pekster] by ChanServ
09:12 < _Spoon> yeah to windows
09:12 -!- _Spoon [uid22146@gateway/web/irccloud.com/x-svknpgwbwohefeqz] has left #openvpn []
09:13 -!- cktsoi [~cktsoi@n119237108167.netvigator.com] has quit [Remote host closed the connection]
09:13 -!- mode/#openvpn [+b *!*@gateway/web/irccloud.com/*] by pekster
09:13 -!- mode/#openvpn [-o pekster] by ChanServ
09:14 < pekster> Bloody web users
09:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:16 -!- deever [~deever@78.46.68.172] has joined #openvpn
09:17 < deever> hi
09:19 < deever> ifconfig-push seems not to work. the file in the ccd is recognized and the ifconfig seems sent to the client, but the tap ifaces is not given the ip and netmask of the ifconfig-push directive
09:19 < deever> s/ifaces/iface/
09:20 < pekster> Do you have logs (see: !logs) at verb 4 from the server-side? That'll show what the ccd proccessing is doing
09:20 < pekster> Also, why use tap? In nearly every case you want tun instead (reasons at: !tunortap )
09:22 < deever> lol...after restarting the server it works...! :)
09:23 < pekster> ccd files can be edited at runtime, but addition of the --client-config-dir directive requires a restart
09:24 < deever> pekster: that's what i thought, too
09:25 < deever> pekster: changing a parameter in a ccd file's ifconfig-push directive also requiered a restart of the server
09:25 < pekster> No, just a reconnect of the client
09:26 < pekster> Changing the directive itself requires a restart, but the ccd file is re-read each time a client connects (and I think re-auths too, but I'm not positive on that)
09:27 < deever> pekster: and my case is not a "nearly every" case...;)
09:27 < pekster> There are valid reasons (just most people don't have them.) If you're already aware of this, then happily ignore it
09:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
09:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:33 -!- pdobrogost [~quassel@77-255-40-99.adsl.inetia.pl] has joined #openvpn
09:36 -!- thumbs [1000@unaffiliated/thumbs] has quit [Changing host]
09:36 -!- thumbs [1000@freenode/staff/thumbs] has joined #openvpn
09:37 -!- thumbs [1000@freenode/staff/thumbs] has quit [Changing host]
09:37 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
09:39 -ChanServ:#openvpn- pekster set flags +b on baitnfatty.
09:52 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
10:14 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
10:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:28 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Remote host closed the connection]
10:31 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
10:45 -!- riddle [riddle@us.yunix.net] has joined #openvpn
11:00 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
11:06 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
11:07 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
11:12 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Remote host closed the connection]
11:33 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
11:34 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
11:39 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
11:46 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
12:00 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
12:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
12:14 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:20 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
12:24 -!- busch is now known as busch_off
12:29 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
12:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:29 -!- mode/#openvpn [+v s7r] by ChanServ
12:29 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
12:30 -!- p3rror [~mezgani@41.140.175.33] has joined #openvpn
12:38 -ChanServ:#openvpn- pekster set flags +b on *!uid22146@gateway/web/irccloud.com/*.
12:38 -!- mode/#openvpn [+o plaisthos] by ChanServ
12:38 -!- mode/#openvpn [+o pekster] by ChanServ
12:38 -!- mode/#openvpn [-b *!*@gateway/web/irccloud.com/*] by pekster
12:38 -!- mode/#openvpn [-o pekster] by ChanServ
12:38 <+hazardous> ok i saw the notice and just had to scroll up
12:38 <+hazardous> <_Spoon> im using putty and the config file is longer than my page <_Spoon> there for i cannot fucking copy and paste it
12:38 <+hazardous> lol
12:39 < ender|> any ideas why setting IP on the interface sometimes fails when OpenVPN is running as service on Windows 8.1?
12:39 < pekster> Right. Then when I try and help I get insulted. I'm tempted to ban all webclients in the future but when I looked we do have some lurkers using them
12:39 < pekster> It doesn't happen "that" often, but it's always the lousy web users :(
12:39 <+hazardous> i really just
12:39 <+hazardous> laughed my ass off at his last line
12:39 < pekster> Yea, I can deal with clueless, but not abusive
12:39 <+hazardous> do you get a lot of the 'is openvpn a free vpn i can use for torrentz'
12:40 < pekster> ender|: If there's a problem setting network details, the logs on the client should show you. Ensure you're using --verb 4 (see: !verb) and check the logs for any failures
12:40 < ender|> ok, let me set that and reboot the vm
12:40 < pekster> ender|: Also see the windows-specific options in the manpage; openvpn has a couple different win32-api methods to use, although the default 'dynamic' one is usually fairly smart
12:41 < ender|> i've got verb 3 log right now
12:41 < pekster> verb 4 has more detail you probably want if you have issues
12:41 < ender|> i'm aware of those, but when i was trying them, the results were worse
12:41 < pekster> It'll specifically spew more info from OS commands (netsh.exe, etc) that might be relevant
12:42 < pekster> Yea, depends on setup, but either the faked DHCP server or netsh are usually the best bets
12:42 < ender|> (of course, according to murphy, everything'll work fine now)
12:42 < pekster> AFAIR netsh requires you to use an explicit device adapter
12:42 < pekster> But maybe that was only IPv6, I forget now
12:42 < pekster> ie: --dev-node
12:43 < ender|> i think i also found a bug: netsh failed when i left the default adapter name, becuase that had spaces in it (and openvpn didn't seem to quote the adapter name)
12:43 < pekster> hazardous: Nah, we have !provider for that ;). We deal with openvpn here, not people who pay a company that happens to use openvpn :P
12:43 < ender|> (i haven't used dev-node though - just let openvpn find the adapter on it's own)
12:43 -!- busch_off is now known as busch
12:43 < pekster> That shouldn't be the case today
12:44 < pekster> A really old version had that problem, but 2.3.2 works fine with spaces
12:44 < pekster> International names have problems, and there's a fix in git-master; if you need that, I also have a custom windows compile that includes that commit
12:44 < ender|> i'm running 2.3.2
12:44 < ender|> ...and of course, it reconnected fine now
12:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
12:45 < ender|> right, rebooted twice, it reconnected both times
12:46 < ender|> i hate heisenbugs
12:46 < pekster> The git-commit for non-ASCII names in devices even does all UTF-8: http://pekster.sdf.org/misc/ovpn-music-interface.png
12:46 < pekster> (Yes, the device is really named that)
12:47 < ender|> hm, that might have been the problem - i'm using Slovenian windows, and the default interface name is "Povezava lokalnega omrežja"
12:47 < pekster> Ah, yes indeed. If you want to try netsh, you need a special build. Let me get you my custom downloads link
12:47 < ender|> nah, it's easier to rename the interface to OpenVPN
12:47 < pekster> https://bitbucket.org/QueuingKoala/openvpn-previews/wiki/Releases
12:47 <@vpnHelper> Title: QueuingKoala / OpenVPN Previews / wiki / Releases Bitbucket (at bitbucket.org)
12:47 < pekster> Oh, whatever works
12:48 < pekster> That's the fix, which is using the same versions as 2.3.2 with that one commit
12:49 < pekster> !factoids search previews
12:49 <@vpnHelper> "previews" is Unofficial bleeding-edge feature previews for Windows can be found at this project page: https://bitbucket.org/QueuingKoala/openvpn-previews/wiki
12:49 < pekster> Ah, I did add that
12:50 < ender|> looks like it fails with spaces even if there's no national characters: http://p.0au.de/3bcfde13/
12:51 < pekster> Curious. I'm actually slightly interested if that f2e4008 commit fixes it
12:51 < ender|> let's see
12:51 < pekster> If not, since you're on 2.3.2, I should poke at that. I _thought_ that worked fine
12:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:52 < pekster> Does this have admin rights under UAC?
12:52 < ender|> it's running as service
12:53 < pekster> Ah, that should work then with the defaults
12:55 < ender|> no netsh errors were logged this time, but the interface didn't seem to have been configured properly (it got autoconfiguration IP)
12:55 < ender|> the log doesn't show that interface name was quoted
12:56 < pekster> It won't
12:56 < ender|> http://p.0au.de/812f0514/
12:58 < pekster> Are you using --ip-win32 netsh in your config?
12:58 < ender|> i am
12:58 < ender|> btw, i just renamed the interface to ČŠŽ, and it now connected fine
12:59 < pekster> Yea, that's the git-commit thing
12:59 < pekster> (can't do that with 2.3.2 today)
13:00 < ender|> hm, it also succeedded with interface renamed to X Y now
13:00 < pekster> Maybe add a delay? Might be some screwy race condition
13:00 < pekster> Try --tap-sleep 5 (or 10 or whatever)
13:01 < ender|> hopefully that'll help
13:01 < pekster> Since it's intermitent that might be the ultimate cause. Never question Redmond's networking ;)
13:01 < ender|> haha
13:06 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
13:06 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:06 < ender|> then again, IIRC, adding delay didn't help me when i was setting up a temporary openvpn server on SBS2003 for a client - i had to start openvpn from task scheduler there to get it to work (set it to run a batch file at startup, the batch file would sleep for 2 minutes, then start the service - it was the only way the server would run successfully; but i've never had such problems with clients)
13:08 < ender|> luckily i've been able to set up pfSense there, and that SBS has finally been decommissioned (only 4-5 years too late)
13:09 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Client Quit]
13:09 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:12 -!- mythos [~mythos@unaffiliated/mythos] has joined #openvpn
13:13 < mythos> hello there. i have a routing problem. openvpn crates a tun0 device. i can reach a 10.8.0.6 if a openvpn client is connected. that client is also a router for the 10.53.2.0/24 network. so how do i add a static route for 10.53.2.0/24 via 10.8.0.6? "ip route add 10.53.2.0/24 via 10.8.0.6 dev tun0" does not work. output of 'ip ro show': http://nopaste.euirc.net/index.php?id=f4789e87e0
13:14 < ender|> mythos: look at the route and iroute options of openvpn
13:15 < mythos> ender|, hmm... but fully 10.8.0.6 is reachable from the server. why is it not possible to add a static route?
13:15 < mythos> *but 10.8.0.6 is fully…
13:15 < ender|> you should let openvpn configure the routes
13:16 -!- busch is now known as busch_off
13:17 < ender|> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
13:17 <@vpnHelper> Title: HOWTO (at openvpn.net)
13:17 < mythos> ender|, but you unerstand, that i want to add that route to the server
13:17 -!- master_o1_master [~master_of@p4FD7B5F5.dip0.t-ipconnect.de] has joined #openvpn
13:18 < ender|> it'll work if you let openvpn configure the routes - read what i linked
13:18 < mythos> ender|, i don't want to push a route to the client. i want to add a route to the server. so he knows that a network is reachable through a client ;)
13:19 < ender|> keep reading - that's explained as well
13:19 < mythos> ok!
13:19 < ender|> "Including multiple machines on the client side when using a routed VPN (dev tun)"
13:20 -!- master_of_master [~master_of@p4FF24E7F.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
13:22 < mythos> i'm reading
13:24 -!- lord4163 [~lord4163@81-232-61-81-no226.tbcn.telia.com] has joined #openvpn
13:25 < lord4163> My client seems only be able to use the internal network, how to fix that?
13:34 -!- lord4163 [~lord4163@81-232-61-81-no226.tbcn.telia.com] has quit [Quit: lord4163]
13:35 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
13:40 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:41 -!- busch_off is now known as busch
13:41 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
13:42 -!- busch is now known as busch_off
13:42 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
13:45 -!- Pisuke is now known as Sembei
14:00 < pekster> mythos: Trying to expose a client-side network? If so, you want the info (and helpful flowchcart) at: !clientlan
14:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:04 < ender|> !clientlan
14:04 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
14:04 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
14:04 -!- mythos [~mythos@unaffiliated/mythos] has quit [Ping timeout: 252 seconds]
14:05 -!- mythos [~mythos@unaffiliated/mythos] has joined #openvpn
14:06 < mythos> omg. that really works
14:06 < mythos> thank you so much
14:06 < mythos> and i think, i understand now the problem with my approach to reach that goal
14:15 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:15 <@krzee> wow that was quick =]
14:15 <@krzee> just needed a small small nudge
14:21 < mythos> so awesome that it is working now
14:22 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:24 -!- jgeboski is now known as FreeKayla
14:31 -!- dwirc [~irc@d118-75-58-50.col.wideopenwest.com] has joined #openvpn
14:31 < dwirc> Howdy.
14:31 < dwirc> I have what unfortunately is likely a n00bish question, but I'm not finding a way to resolve the issue...  The basis is this:
14:34 < dwirc> Three hosts:    [web] server with a file   <---- [VPN] server (openvpn, tun) <----- [client] machine
14:35 < dwirc> Downlaoding the file directly ON the VPN server console from the web hosts results in 5Mbit.  Downloading directly on the client fromthe web server WITHOUT the vpn results in 5Mbit.
14:35 < dwirc> Downloading on the client from the VPN server, acting as a web serer WITHOUT VPN active results in 5Mbit.
14:36 < dwirc> However, with the VPN active as depicted above, the client downloading the flie through the VPN only gets around 1Mbit, sometimes 1.2Mbit.
14:36 < dwirc> The VPN server is on a dedicated 100mbit port on a tier 1 provider.  The bandwidth is available, and I've tested iit separately from the VPN...
14:36 < dwirc> What could cause this sort of slowdown through the VPN, and are there any settings I should check in general?
14:37 < dwirc> It's not CPU - the devices barely hit one or two percent usage...
14:39 < ender|> might be MTU issue? look at --mssfix
14:39 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
14:42 -!- FreeKayla is now known as jgeboski
14:44 < dwirc> ender|: roger that, thanks.
14:44 -!- joshu__ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
14:44 < dwirc> taking a look.
14:53 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
14:54 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
15:04 -!- fenris_kcf [~fenris@p4FFE591D.dip0.t-ipconnect.de] has joined #openvpn
15:05 < fenris_kcf> hy. can a missing static route in the router cause that broadcast-based games work just sometimes?
15:05 < fenris_kcf> * games that need broadcast
15:06 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:13 -!- desltree [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:15 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
15:18 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:20 -!- desltree [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:23 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:25 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:26 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-asztochgfmudmrzt] has quit [Quit: Updating details, brb]
15:26 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 245 seconds]
15:27 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hvhqsxxivtralnfg] has joined #openvpn
15:28 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:29 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
15:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:31 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:33 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:40 -!- desltree [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:42 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
15:43 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:46 -!- desltree [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
15:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 240 seconds]
16:11 -!- ska_ [~ska@cpe-24-27-47-58.austin.res.rr.com] has joined #openvpn
16:11 < ska_> I have a config.zip with (.ovpn, .p12, .key) files. Are those all I need to setup my client?
16:11 < ska_> For Windows7 client...
16:13 <@krzee> depends on your setup, if your provider gave you those i would hope they told you what to do as well
16:14 <@krzee> but you should probably assume that it is yes
16:34 < fenris_kcf> ska_: don't know about the servers setup, but here 3(4) files are needed: ca.crt, user.crt, user.key (and the configuration-file — your .ovpn-file)
16:34 < fenris_kcf> dunno what .p12 does
16:36 <@krzee> p12 is a single file that contains the others
16:36 <@krzee> !p12
16:36 <@vpnHelper> "p12" is openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
16:52 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
17:13 -!- novaflash is now known as novaflash_away
17:18 < ska_> Why is this information not so easy to find?
17:28 < pekster> Not looking in the right place I guess. https://en.wikipedia.org/wiki/.p12
17:28 <@vpnHelper> Title: PKCS 12 - Wikipedia, the free encyclopedia (at en.wikipedia.org)
17:29 < pekster> First paragraph should help explain what it's for at a high level (it's just a conatiner)
17:31 -!- pdobrogost [~quassel@77-255-40-99.adsl.inetia.pl] has quit [Remote host closed the connection]
17:48 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
17:56 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 246 seconds]
17:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:12 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
18:22 < ska_> Does OpenVPN not read that type of file? I can't extract it.
18:23 -!- ska_ is now known as ska
18:24 < pekster> See --pkcs12 in the manpage
18:24 -!- ska is now known as Guest19658
18:25 -!- Guest19658 [~ska@cpe-24-27-47-58.austin.res.rr.com] has quit [Quit: Leaving]
19:06 -!- mezgani [~mezgani@41.248.144.75] has joined #openvpn
19:07 -!- p3rror [~mezgani@41.140.175.33] has quit [Ping timeout: 260 seconds]
19:14 -!- mezgani [~mezgani@41.248.144.75] has quit [Ping timeout: 245 seconds]
19:22 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Quit: ZNC - http://znc.in]
19:23 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
19:27 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
19:28 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
19:30 -!- p3rror [~mezgani@41.140.1.239] has joined #openvpn
19:33 -!- p3rror [~mezgani@41.140.1.239] has quit [Client Quit]
19:40 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
19:49 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
20:18 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
20:20 -!- joshh20-Away is now known as joshh20
20:35 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
20:40 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
20:45 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
20:54 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:12 -!- noobboob [uid5587@gateway/web/irccloud.com/x-bfwztqxvmixtqoey] has quit [Ping timeout: 272 seconds]
21:13 -!- mythos [~mythos@unaffiliated/mythos] has quit [Ping timeout: 252 seconds]
21:13 -!- mastershake is now known as mastershake_AFK
21:14 -!- noobboob [uid5587@gateway/web/irccloud.com/x-dfkiuwbimiaxogsn] has joined #openvpn
21:15 -!- dowaat [uid3966@gateway/web/irccloud.com/x-ruusjgshbhttsdni] has quit [Ping timeout: 272 seconds]
21:15 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hvhqsxxivtralnfg] has quit [Ping timeout: 264 seconds]
21:16 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-zfytxdmaiucmgynh] has quit [Ping timeout: 272 seconds]
21:17 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rxydvvaacspyimwi] has joined #openvpn
21:17 -!- dowaat [uid3966@gateway/web/irccloud.com/x-jkxatvdrbvgstcam] has joined #openvpn
21:19 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-kikxzczzzstylskf] has joined #openvpn
21:40 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
21:40 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
21:41 -!- fenris_kcf1 [~fenris@p579E7D68.dip0.t-ipconnect.de] has joined #openvpn
21:44 -!- fenris_kcf [~fenris@p4FFE591D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
21:48 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
21:54 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
21:56 -!- booo [~booo__@p54BDBFDB.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
22:01 -!- mythos [~mythos@unaffiliated/mythos] has joined #openvpn
22:04 -!- booo [~booo__@p54BDBF47.dip0.t-ipconnect.de] has joined #openvpn
22:10 -!- joshh20 is now known as joshh20-Away
22:18 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
22:23 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:30 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:31 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
22:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:39 -!- cheesenbiscuits [~cheesenbi@103.4.18.65] has joined #openvpn
22:40 -!- lvv [~loganaden@197.226.30.42] has joined #openvpn
22:41 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Remote host closed the connection]
22:42 < cheesenbiscuits> Hi Everybody, I was wondering if I could get some help with a OpenVPN issue I'm having
22:43 < cheesenbiscuits> I have my dd-wrt router configured in client OpenVPN mode running with an incomming PPPOE connection to a bridged ADSL modem
22:47 < cheesenbiscuits> Which all works fine. The problem I'm having is that when I tunnel through the clientvpn router using my pc running openvpn to another vpn located I get a routing error.
22:48 < cheesenbiscuits> ie: the website I'm accessing says that I'm in country 'A' not country 'B'
22:52 < cheesenbiscuits> The fault I'm getting from the OpenVPN log is: ROUTE: route addition failed using CreateipForwardEntry: The object already exists.
22:56 < cheesenbiscuits> The command: route print (in windows) from the client trying to connect the secound OpenVPN router shows that their are two default routes
22:59 < cheesenbiscuits> any idea's how to correct this problem?
23:00 -!- troyt [~troyt@2601:7:6200:1132:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
23:03 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 260 seconds]
23:06 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:15 -!- f0cker [~f0cker@host86-160-157-149.range86-160.btcentralplus.com] has joined #openvpn
23:15 -!- f0cker [~f0cker@host86-160-157-149.range86-160.btcentralplus.com] has quit [Changing host]
23:15 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
23:22 < kcodyjr> pekster, wild guess here, do you know of any handy web tools to generate those compliant 40-bit random fields for ULA ipv6?
23:23 < kcodyjr> i'm going to try it your way and continue using isp-independent address space.
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 248 seconds]
23:34 < Samopotamus> Once I have connected a client to my OpenVPN server, I should be able to ping the client from the server by hostname, correct?
23:35 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-kikxzczzzstylskf] has quit [Ping timeout: 246 seconds]
23:35 < Samopotamus> I can ping 10.8.0.1 from the client, but I can't ping [hostname] from the server
23:36 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-ktjpkzlrifaljcms] has joined #openvpn
23:37 -!- tessier_ [~treed@kernel-panic/copilotco] has quit [Ping timeout: 252 seconds]
23:38 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
23:45 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
23:47 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
--- Day changed Sun Feb 16 2014
00:04 -!- Rallias [~Rallias@i.am.lacking.clothing] has joined #openvpn
00:04 < Rallias> Wierd question... if I create an OpenVPN session and then move the network interface into a different network namespace, will OpenVPN still be able to use it or will it be borked?
00:28 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
00:46 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
01:02 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:02 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:02 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:23 < pekster> Rallias, as a client it'll reconnect from the new net if you use keepalive (see !keepalive). there is --float for the server, but it doesn't work in TLS up to 2.3.2
01:24 < Rallias> I'm too tired to comprehend what you're saying right now...
01:25 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 248 seconds]
01:26 < pekster> !new
01:26 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
01:27 < pekster> bot has info on !keepalive feature, or read --keepalive in the manpage
01:35 -!- max_ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
01:35 -!- max_ is now known as Synthead
01:52 -!- cheesenbiscuits [~cheesenbi@103.4.18.65] has quit [Ping timeout: 260 seconds]
01:52 -!- cheesenbiscuits [~cheesenbi@103.4.18.65] has joined #openvpn
02:00 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
02:08 -!- mastershake_AFK [~mastersha@gateway/tor-sasl/mastershake] has quit [Ping timeout: 240 seconds]
02:14 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
02:18 -!- Devastator [~devas@186.214.15.65] has joined #openvpn
02:20 -!- Devastatr [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
02:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:51 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
03:01 -!- lvv [~loganaden@197.226.30.42] has quit [Quit: lvv]
03:04 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
03:12 -!- fenris_kcf1 is now known as fenris_kcf
03:20 -!- max_ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
03:22 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
03:23 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:25 -!- max_ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
03:27 -!- max_ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
03:28 -!- max_ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
03:28 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
03:40 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
03:42 -!- nullie [~nullie@46.48.73.216] has joined #openvpn
03:44 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
03:46 < nullie> I get "RESOLVE: Cannot resolve host address: xxx.net: Name or service not known" in log, while xxx.net resolves ok in console. Where should I look?
03:49 < cheesenbiscuits> are you specifying the port correctly?
03:49 < nullie> remote xxx.net 1197
03:52 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
03:54 < pekster> Are you mucking with DNS via --dhcp-option and --redirect-gateway where the new DNS is unreachable when the link dies?
03:54 < pekster> That's a common cause
03:54 < pekster> Or, not even --redirect-gateway, but simply DNS over the link where it breaks
03:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:56 < nullie> it can't resolve server address
03:56 < nullie> it did when I added server to hosts
03:57 < nullie> apparently openvpn uses some internal dns resolver and it fails
03:58 < pekster> gethostbyname()
03:58 < pekster> If that's broken, fix your OS.
03:59 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
04:00 < nullie> gethostbyname works too
04:06 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
04:06 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
04:08 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
04:10 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Client Quit]
04:12 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
04:13 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Client Quit]
04:13 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
04:17 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
04:18 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
04:34 -!- pdobrogost [~quassel@77-255-245-193.adsl.inetia.pl] has joined #openvpn
04:36 -!- br4ndon_ [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has joined #openvpn
04:44 -!- pdobrogost_ [~quassel@77-255-245-193.adsl.inetia.pl] has joined #openvpn
04:46 -!- pdobrogost [~quassel@77-255-245-193.adsl.inetia.pl] has quit [Ping timeout: 245 seconds]
04:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:54 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
04:58 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
04:58 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Client Quit]
04:59 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
05:00 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Client Quit]
05:02 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
05:02 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Client Quit]
05:03 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
05:26 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
05:29 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
05:32 -!- br4ndon_ [~br4ndon@2a01:e35:2e28:400:225:d3ff:fe44:1329] has quit [Quit: Ciao]
05:33 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
05:34 -!- i7c is now known as i7c_foxxx0
05:36 -!- i7c_foxxx0 is now known as i7c_foxxx0_Rasi_
05:38 -!- i7c_foxxx0_Rasi_ is now known as beadert
05:41 -!- beadert is now known as i7c
05:46 -!- mythos [~mythos@unaffiliated/mythos] has quit [Ping timeout: 252 seconds]
05:47 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
05:47 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 264 seconds]
05:48 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
05:49 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
05:50 < MatToufoutu> hi there
05:51 < MatToufoutu> I'm having an issue with user auth scripts, I've got an openvn server (latest version) running on windows 2008 r2, and a python script to check user authentication, python.exe is set to handle .py files
05:52 < MatToufoutu> but whatever I do, I get a "%1 is not a valid Win32 application"
05:52 < MatToufoutu> I tried putting "python.exe C:\\path\\script.py", but this was worse, the server didn't even start with this
05:52 < MatToufoutu> and now I dunno what else to try ^^
05:59 -!- mythos [~mythos@unaffiliated/mythos] has joined #openvpn
06:00 -!- robert83a1 [~robert83a@ip-176-198-139-205.unitymediagroup.de] has joined #openvpn
06:00 < robert83a1> hi all, got here CentOS with openvpn , I've revodek a lot of my client certificates... can I now just delete
06:00 < robert83a1> the crt,cs,key files for the users
06:01 < robert83a1> under /etc/openvpn/easy-rsa/keys
06:01 < robert83a1> revoked sorry
06:04 -!- ron_ [~ron@ppp14-2-46-46.lns21.adl2.internode.on.net] has joined #openvpn
06:07 < ron_> hi.  I wonder if somebody can toss me the clue I'm missing about what might have changed with PMTU discovery between 2.1.3 and 2.2.1 (Debian squeeze and wheezy).  I'm in the process of mining openvpn git, but I'm not seeing that anything significant has changed there.
06:08 < ron_> the system on wheezy is getting warnings about "read UDPv4 [EMSGSIZE Path-MTU=1472]: Message too long (code=90)", that the system on squeeze isn't -- but they're both otherwise set up the same (and have been running well for years now)
06:09 < ron_> it looks like this has triggered a bug in some patch to the kernel in the recent update for wheezy, and I'm trying to untangle which part of what we're seeing is the kernel, and which might be some change in openvpn.
06:10 < ron_> the tunnels have an MTU of 1500, and the DSL links that carry them are slightly lower than that.  and there's no explicit configuration of the openvpn MTU options for either of them.
06:11 < ron_> so it's not all that surprising from what I'm seeing in the code that one of them is warning.  but that leaves me without an explanation for why the other one isn't :)  both are at verb 3.
06:12 < ron_> ideally, we'd like to hunt down the kernel bug that makes this break completely -- and be sure there isn't some other bug in openvpn in debian that this is a canary for.
06:23 < ron_> hmm, and if I explicitly set 'mtu-disc yes', then it fails, reports that error -- but *doesn't* appear to fix the MTU, which isn't what I'm reading that the code should do.  so I'm clearly missing something important.
06:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:40 -!- pdobrogost_ [~quassel@77-255-245-193.adsl.inetia.pl] has quit [Ping timeout: 248 seconds]
06:42 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 260 seconds]
06:47 -!- lord4163 [~lord4163@81-232-61-81-no226.tbcn.telia.com] has joined #openvpn
06:48 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
06:51 < lord4163> I managed to setup openvpn, but I am only able to connect to the internal network. I can't find the option to change that?
06:52 < sammm> hey, i'm having a little issue, mostly due to my lack of networking knowledge I reckon. What's happening is I want my VPN client (who is using windows 8) to connect to me and have access to my samba shares. At the moment we have had no such luck but he can see my lan web servers and my router login page and what not. what is going on?
06:53 < robert83a1> samm : use ip addresses
06:54 < robert83a1> samm : or even simpler use hosts file
06:54 < robert83a1> samm : specify samba server ip address name there , and he can access by name
06:54 < robert83a1> samm : but I went ahead of myself ...from windows 8 in exploer \\ip_of_samba_server\  ... should show shares...
06:54 < sammm> we are, I don't know if it's due to my friends incompetency or just windows 8 being windows 8. he can't explore them in map network drives
06:55 < sammm> but i'll tell him that
06:55 < sammm> thanks
06:57 -!- qwertyoruiop is now known as tjk9357
06:58 -!- e-ndy [~e-ndy@194.213.226.242] has quit [Remote host closed the connection]
07:00 < robert83a1> samm : netbios over VPN does not work out of box
07:01 < robert83a1> samm : you can only ping machines by name thanks to WINS or nowdays Active Directory DNS thingie (but I did not use that yet...unfortunately :( )
07:02 < robert83a1> samm : I wonder, google probably knows...maybe there is a way to send over to client WINS address , then you got it solved
07:02 -!- busch_off is now known as busch
07:02 < robert83a1> samm : or not sure maybe he can override just WINS address for VPN connection (but maybe that won't work)
07:02 -!- cheesenbiscuits [~cheesenbi@103.4.18.65] has quit [Ping timeout: 260 seconds]
07:02 -!- cheesenbiscuits [~cheesenbi@103.4.18.65] has joined #openvpn
07:08 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
07:09 < sammm> robert83a1: it works! i guess he had no idea what he was doing so it's all good now!
07:09 < robert83a1> samm : using WINS or hosts?
07:10 < ron_> hmm, so it looks like the code which calls frame_set_mtu_dynamic(), is just never being called at all ...
07:11 < ron_> but there's no debug symbols for the packaged version, so finding out why with gdb, is going to be a whole new level of commitment here.
07:14 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 252 seconds]
07:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:20 -!- tjk9357 is now known as qwertyoruiop
07:30 -!- fremo_ [~fred@gw-salamandre.liazo.net] has joined #openvpn
07:31 < fremo_> hi, I cant find a way to setup openvpn to act as a pure L2 VPN without IP address allocation, is it possible ?
07:33 -!- cheesenbiscuits [~cheesenbi@103.4.18.65] has quit [Ping timeout: 260 seconds]
07:39 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
07:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:49 < sammm> hosts
08:00 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has joined #openvpn
08:00 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has quit [Changing host]
08:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:16 < ron_> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
08:16 < ron_> maybe someone can explain to me how that is possible, when the link carrying the tunnel has a MTU of 1472 ;?
08:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:29 -!- lord4163 [~lord4163@81-232-61-81-no226.tbcn.telia.com] has left #openvpn []
08:33 < ron_> ah, because the kernel is happily fragmenting them and the test doesn't notice.
08:33 < ron_> if I set mtu-disc yes, then it returns: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1437,1541] remote->local=[1541,1541]
08:33 < ron_> which is now only 3/4 broken :)
08:35 < ron_> so something about the normal MTU discovery for openvpn on linux is broken -- since it's correctly getting EMSGSIZE Path-MTU=1472 from the socket, but just never acting on that.
08:36 < ron_> which means there's either something obvious I'm missing, or a bug that nobody seems to have noticed yet.
08:45 -!- ska [~ska@unaffiliated/ska] has joined #openvpn
08:46 < ska> Is c:\openvpn\config\ the default location for Windows client configuration files?
09:05 -!- robert83a1 [~robert83a@ip-176-198-139-205.unitymediagroup.de] has quit []
09:20 < ska> I installed the Client on Win7, but I don't see a config folder . Where do I put my config-xxx.zip ?
09:20 < ska> Unfortunately this system has both "Program Files" and "Program Files <x86>"
09:27 < ron_> Ok ...  so I think I finally understand why it looks like nothing has changed in openvpn that would affect this.  Because nothing has.  What I think has changed is that at Some Point relatively recently, the MTU on the link to my ISP has changed from 1492 to 1472.  And while I've been imagining all this time that PMTU discovery in openvpn did actually work, that was a lie, and it only ever worked because the mssfix default of 1450 was 
09:28 < ron_> and this only came to light because of the kernel bug that implicitly set the DF bit on every packet.
09:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:29 < ron_> Thanks to everyone who listened to me talk to myself while I figured that out :)
09:30 < ron_> But I am still interested in knowing whether the PMTU discovery in openvpn being broken is an accident, or a known bug.  The code for that looks like it Should Work, it's just never ever being actually called.
09:34 -!- Gasseus [~Rallias@172.245.13.83] has joined #openvpn
09:37 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Ping timeout: 246 seconds]
09:39 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
09:39 -!- Gasseus [~Rallias@172.245.13.83] has quit [Ping timeout: 245 seconds]
09:43 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:55 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
10:17 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
10:23 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
10:24 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:26 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
10:26 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:26 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
10:30 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
10:37 < pekster> ron_: You need to ask for pMTUd. Does it not work when you set --pmtu-disc yes during a connection?
10:40 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
10:42 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:42 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
10:43 -!- rkantos [robin@4e.fi] has quit [Remote host closed the connection]
10:43 -!- rkantos [robin@4e.fi] has joined #openvpn
10:45 < ron_> pekster: I don't have a pmtu-disc option?  I tried mtu-disc, but that didn't really arrive at the right answer.
10:46 < pekster> --test-mtu uses units that aren't quite what you'll expect (there's a some mailing-list or forum post on that, I forget where now)
10:46 < pekster> I was inquiring if the connection works when you use `--mtu-disc yes` in your config
10:47 < ron_> ah, sorry I confused those yeah.  mtu-disc yes actually just made it fail completely, always.
10:47 < pekster> Maybe broken pMTUd on your link?
10:47 < ron_> it sets the DF bit, but still sends packets that are too large to be carried.
10:47 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
10:47 < pekster> tcpdump the traffic (including icmp.) Do you see the expected ICMP error?
10:48 < ron_> I don't think so.  I can run tracepath and get the right answer.  and even openvpn sees the right answer.
10:48 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
10:48 < ron_> EMSGSIZE Path-MTU=1472
10:48 < ron_> that number is correct.
10:48 < ron_> and from what I see in the source, it stores that for 'dynamic MTU adjustment'.  but the code that uses it never seems to get called.
10:49 < pekster> Interesting. Have a source line?
10:49 < ron_> frame_set_mtu_dynamic in mtu.c
10:49 < ron_> if I crank the verbosity up, that never gets called.
10:50 < pekster> FYI, debug >5 requires with_debug=yes during the compile to be useful
10:50 < ron_> x_check_status  in error.c is where it catches the error and stores the reported mtu
10:50 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:51 < ron_> oh.  yeah, that might be the problem.  though verb 9 still seemed noisier than verb 7, so maybe the package does do that.
10:51 < pekster> Nope, debug=off is the default
10:51 -!- keropok_ [~keropok@9W2JDY.peramah.org.my] has quit [Ping timeout: 252 seconds]
10:51 < pekster> Just "some" of the noise is not between #ifdef DEBUG lines
10:51 < ron_> in the debian package?  (it might override it)
10:51 < pekster> Check with --version
10:52 -!- keropok [~keropok@9W2JDY.peramah.org.my] has joined #openvpn
10:52 < ron_> enable_debug=yes ?
10:52 < pekster> I guess so :)
10:52 < pekster> Just figured I'd verify you're getting the debug logs you think you are :D
10:52 < ron_> cool.  because otherwise this was going to get even more confusing again :)
10:52 < ron_> yeah, that was good to check.
10:53 < ron_> I'd have no idea why it wasn't working if it did get called though.
10:53 < pekster> Older releases (pre-2.3 IIRC) enabled debug by default, and there was some minor fallout when that changed
10:53 < ron_> I'm now on 2.3.2 from wheezy backports.  and same behaviour.
10:53 < pekster> I'll poke a bit at the functions, but do feel free to search for and open a bug on the tracker at this point
10:54 < ron_> I figured it was easier to update to that then to dig back through git to find what was different to the source I was looking at.
10:54 < pekster> You've looked into this enough it sounds like a legit bug (and it's easy enough to close as NOTABUG ;)
10:55 < ron_> yeah, it should be easy enough to reproduce, just bump your mssfix up a bit and it will probably do the same as what I'm seeing for large packets.
10:57 < ron_> the interesting question that was hard to trace just by eye, seemed to be why check_fragment(_dowork) weren't being called.
10:58 < ron_> I'm not quite sure what schedules that, and under what conditions.  but that seemed like something to test on a box that didn't need to up as a live link :)
11:01 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
11:01 < pekster> Right, or at least a router for testing that was able to reduce MTU on the VPN traffic
11:04 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has joined #openvpn
11:08 -!- Netsplit *.net <-> *.split quits: JackWinter, Aketzu, cyberspace-, matsh, kevinsky, ade_b, pppingme
11:10 -!- Netsplit over, joins: cyberspace-
11:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
11:23 -!- Devastator [~devas@186.214.15.65] has quit [Changing host]
11:23 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
11:27 -!- novaflash_away is now known as novaflash
11:29 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:30 -!- joshh20-Away is now known as joshh20
11:37 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
11:39 -!- keropok [~keropok@9W2JDY.peramah.org.my] has left #openvpn []
11:40 -!- lj [~l@107.19.88.101] has joined #openvpn
11:42 -!- lj1 [~l@192.241.174.169] has joined #openvpn
11:45 -!- lj [~l@107.19.88.101] has quit [Ping timeout: 265 seconds]
11:50 -!- booo [~booo__@p54BDBF47.dip0.t-ipconnect.de] has left #openvpn ["WeeChat 0.4.3"]
11:55 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:57 -!- matsh [divine@nanogene.org] has joined #openvpn
11:57 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
12:06 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
12:10 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
12:19 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:20 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
13:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:03 -!- pdobrogost [~quassel@77-255-245-193.adsl.inetia.pl] has joined #openvpn
13:05 -!- u0m3 [~u0m3@92.80.106.31] has quit [Read error: Connection reset by peer]
13:09 -!- u0m3 [~u0m3@92.80.90.121] has joined #openvpn
13:17 -!- master_of_master [~master_of@p4FD7BE80.dip0.t-ipconnect.de] has joined #openvpn
13:20 -!- master_o1_master [~master_of@p4FD7B5F5.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
13:20 -!- lvv [~loganaden@197.226.30.42] has joined #openvpn
13:26 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
13:26 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
13:31 -!- joshh20 is now known as joshh20-Away
13:33 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
13:35 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
13:44 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
13:46 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
13:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:24 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
14:25 < elitecoder> morning guys
14:26 < elitecoder> rrr, afternoon.
14:26 < elitecoder> !welcome
14:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:26 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:30 < elitecoder> I have a ubuntu box and a VPN service. I would like the VPN interface to be optional, not default.
14:31 < elitecoder> (For the cilent)
14:31 < elitecoder> The server is preconfigured, by the service.
14:31 -!- lvv [~loganaden@197.226.30.42] has quit [Quit: lvv]
14:33 -!- mastershake_AFK [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
14:47 < pekster> That is the default
14:48 < pekster> You have to ask for redirection (read about: !redirect.) If you don't control the server, that makes life harder. Read about !nopull, or in the manapge for --route-nopull or --route-exec (the latter required when you wish to accept "some but not all" of the routes pushed)
14:49 < elitecoder> :)
14:49 < pekster> You also have complications if you want to "route by application"
14:49 < pekster> !route-by-app
14:49 < elitecoder> Yeah, no control of the server.
14:49 < pekster> !routebyapp
14:49 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
14:49 <@vpnHelper> policies you set. For Linux, read about !lartc
14:49 < elitecoder> Omg you have that written already, awesome.
14:49 < pekster> You probably need policy routing. LARTC has helpful tutorials, but be warned this is squarely in the category of advanced networking
14:50 -!- joshh20-Away is now known as joshh20
14:50 < elitecoder> ooo
14:50 < pekster> #Netfilter losely tries to help with iproute2-related things, including policy routing. They're more on-topic if that component is what you need help with
14:52 < elitecoder> Hm k
14:52 < elitecoder> Well, the program I intend to use has an option to bind to a specific ip
14:53 < elitecoder> so long as i can prevent the default gateway from being pushed, it may just work
14:59 < pekster> Possibly. Try It And See™
15:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:05 < elitecoder> Is there a way I can see what the server is pushing exactly?
15:08 -!- fenris_kcf [~fenris@p579E7D68.dip0.t-ipconnect.de] has left #openvpn ["PRIVMSG ##folksprak :hy Jimmy_Wynn"]
15:10 < pekster> --verb 4
15:10 < pekster> (see: !verb and !logfile if you need help with that)
15:13 < elitecoder> ty
15:15 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
15:29 < kcodyjr> hey pekster, about ula/rfc4193 and its randomness properties.
15:29 < kcodyjr> the rfc specifies what i'd describe as a scavenger hunt algorithm
15:29 < kcodyjr> but that's just a sample, really it's just asking for good pseudorandomness
15:30 < kcodyjr> would you think 5 bytes drawn from a well charged /dev/random would suffice?
15:31 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
15:38 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
15:40 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
15:40 -!- bigbob83 [~bigbob@62-210-206-123.rev.poneytelecom.eu] has joined #openvpn
15:40 -!- joshu__ [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
15:42 < bigbob83> Hello, someone know how to retrieve $ifconfig_remote, $dev  env vars (for current connecting/disconnecting user) in the connect and disconnect script ??
15:43 < bigbob83> i need to apply tc filters in the connect/disconnect scripts but i need information like  device and remote ip address...
15:44 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
15:44 -!- joshu_ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
15:55 < pekster> bigbob83: See:
15:55 < pekster> !scripts
15:55 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
15:56 < pekster> The vars you want are listed there. Try `env > /tmp/openvpn-vars-dump.log' from any script hook to get a full listing too
15:59 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 248 seconds]
16:00 -!- catsup [d@64.111.123.163] has joined #openvpn
16:00 -!- bigbob83 [~bigbob@62-210-206-123.rev.poneytelecom.eu] has quit [Ping timeout: 245 seconds]
16:01 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has joined #openvpn
16:01 < bigbob83> hmmm
16:03 < bigbob83> Can i use $dev and $ifconfig_remote env vars only in the -up/down script?
16:03 -!- joshh20 is now known as joshh20-Away
16:03 < bigbob83> because i need these vars in --client-connect/disconnect  scripts
16:05 -!- busch is now known as busch_off
16:05 -!- busch_off is now known as busch
16:05 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
16:06 -!- catsup [d@64.111.123.163] has joined #openvpn
16:09 -!- bigbob83 [bigbob@7.72.100.84.rev.sfr.net] has quit []
16:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:11 < pekster> You probably want ifconfig_pool_remote_ip
16:11 < pekster> But depends on what you're doing
16:11 < pekster> Go dump them as I suggested; it'll become painfully obvious
16:11 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 264 seconds]
16:12 -!- catsup [d@64.111.123.163] has joined #openvpn
16:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:15 -!- busch is now known as busch_off
16:17 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 260 seconds]
16:18 -!- catsup [d@64.111.123.163] has joined #openvpn
16:23 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 252 seconds]
16:24 -!- catsup [d@64.111.123.163] has joined #openvpn
16:30 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 264 seconds]
16:30 -!- catsup [d@64.111.123.163] has joined #openvpn
16:33 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
16:36 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
16:36 -!- catsup [d@64.111.123.163] has joined #openvpn
16:37 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
16:58 -!- mastershake_AFK [~mastersha@gateway/tor-sasl/mastershake] has quit [Ping timeout: 240 seconds]
17:02 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
17:02 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
17:09 -!- joshh20-Away is now known as joshh20
17:11 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:11 -!- mode/#openvpn [+v s7r] by ChanServ
17:27 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Remote host closed the connection]
17:28 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
17:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-erncwgrskbphozul] has quit [Ping timeout: 246 seconds]
17:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-lagihfvawllocrui] has joined #openvpn
17:43 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
17:56 < Samopotamus> I haven't done any kind of OpenVPN configuration on a RPi in my house, but it can ping the 10.x.x.x address of the router which is a client to a remote server.  Do I need to configure that RPi further to be part of the 10.x.x.x IP family?  Or should it have a VPN IP already?
17:56 < Samopotamus> Clarification:  I can ping the router from the Pi
17:57 -!- linuxdog [~adam@pool-108-34-55-34.bltmmd.east.verizon.net] has joined #openvpn
17:57 < linuxdog> I need help configuring my CyberGhost VPN.
17:57 < linuxdog> Can anyonel help?
17:57 < linuxdog> ???
17:57 < pekster> .x.x.x ? Samopotamus, I really hope you're not using a /8. That would be highly inadvisable
17:58 < pekster> Not likely linuxdog. #openvpn supports OpenVPN, not things/companies/software/etc that uses OpenVPN
17:58 < linuxdog> Argh
17:58 < pekster> If you're paying someone for this service, why aren't they providing support for it?
17:59 < pekster> Seems like a raw deal for you if they don't, and a raw deal for me if I help support their systems for free.
17:59 < Samopotamus> It is not /8, I was just shortening.  The IP of the router is 10.8.0.10
17:59 < linuxdog> pekster, Emailed them haven't heard back
17:59 < pekster> Samopotamus: So sure, if you're routing and that's the dedicated network range for your VPN, any clients will be allocated addresses out of that range
18:00 < pekster> Effectively, that makes it a "part of" that virtual network. From there you just route to/from that network as you would any physical network
18:00 < linuxdog> pekster, New to using VPN bit confused about setting up. Want to watch Olympics! :)
18:00 -!- pdobrogost [~quassel@77-255-245-193.adsl.inetia.pl] has quit [Ping timeout: 260 seconds]
18:00 < Samopotamus> Ok, should it show up in netstat?
18:00 < pekster> Should what?
18:01 < Samopotamus> When I go to the Raspberry Pi, and run netstat, shouldn't it give me a 10-series IP address in addition to the 198?
18:02 < pekster> Wrong tool. netstat shows _connections_, not _addresses_
18:02 < pekster> You want `ip`
18:02 < pekster> `man 8 ip`
18:09 -!- linuxdog [~adam@pool-108-34-55-34.bltmmd.east.verizon.net] has quit [Quit: Leaving]
18:15 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
18:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
19:00 -!- elitecoder [~liq@198.199.111.15] has left #openvpn []
19:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:06 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
19:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-lagihfvawllocrui] has quit [Ping timeout: 265 seconds]
19:29 -!- joshh20 is now known as joshh20-Away
19:29 -!- joshh20-Away is now known as joshh20
19:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-fupkxuushstwztkc] has joined #openvpn
19:32 -!- mastershake_AFK [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
19:34 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Remote host closed the connection]
19:36 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
19:37 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Remote host closed the connection]
19:38 -!- mastershake_AFK [~mastersha@gateway/tor-sasl/mastershake] has quit [Ping timeout: 240 seconds]
19:46 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
19:54 -!- u0m3 [~u0m3@92.80.90.121] has quit [Read error: Connection reset by peer]
20:01 -!- mastershake_AFK [~mastersha@gateway/tor-sasl/mastershake] has joined #openvpn
20:05 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
20:08 -!- mastershake_AFK is now known as mastershake
20:19 -!- klein [~klein@189.45.197.34] has joined #openvpn
20:19 -!- klein [~klein@189.45.197.34] has quit [Changing host]
20:19 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:21 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
20:42 -!- Xtrivity [~Insanity@S0106602ad096ef86.va.shawcable.net] has joined #openvpn
20:43 < Xtrivity> Hi guys. I've been trying to get openvpn working forever  using centos. All i keep getting is [FAILED] status when trying to start openvpn as a service.
20:43 < Xtrivity> I can't find any logs in regards to the issue. I can't find any logs in regards to openvpn in general.
20:50 -!- psilocide [~unknown@c-76-101-85-239.hsd1.fl.comcast.net] has joined #openvpn
20:52 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
20:52 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:53 < nullie> Xtrivity, do you use systemd?
20:56 < Xtrivity> nullie,  im using myhosting.com with a VPS. they Linux vps-1137330-17320.manage.myhosting.com 2.6.32-042stab084.20 #1 SMP Mon Jan 27 00:40:08 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux is the machine
20:56 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
20:56 -!- mode/#openvpn [+o dazo_afk] by ChanServ
20:56 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 252 seconds]
20:56 < Xtrivity> not sure if i'll have control to actually setup the VPN. Not sure if the hardware has to be changed of if i can do it all through root
20:56 -!- dazo_afk is now known as dazo
20:57 < nullie> Xtrivity, cat /etc/issua
20:57 < nullie> Xtrivity, cat /etc/issue
20:57 < nullie> you can do almost anything in vps
20:57 < Xtrivity> CentOS release 6.5 (Final)
20:57 < Xtrivity> Kernel \r on an \m
20:58 < nullie> logs should be in /var/logs
20:58 -!- catsup [d@64.111.123.163] has joined #openvpn
20:58 < nullie> /var/log even
20:58 < Xtrivity> nullie,  nothing in regards to openvpn
20:58 < nullie> try grepping
20:59 < Xtrivity> not sure how to do that.
20:59 < nullie> or find openvpn service file and check what it does
20:59 < nullie> somewhere in /etc
20:59 < nullie> grep is 'grep openvpn /var/log/*'
20:59  * Xtrivity *nix junior. 
21:00 < nullie> that's ok
21:00 < nullie> we all were
21:00 < Xtrivity> did grep openvpn /var/log/*.
21:01 < nullie> did it show up?
21:01 < Xtrivity> only thing that showed up was new user: name=openvpn, UID=498, GID=499, home=/etc/openvpn, shell=/sbin/nologin
21:01 < Xtrivity> /var/log/yum.log:Feb 16 20:08:27 Installed: openvpn-2.3.2-2.el6.x86_64
21:01 < nullie> hm
21:01 < Xtrivity> group added to /etc/group: name=openvpn, GID=499
21:01 < Xtrivity> /var/log/secure:Feb 16 20:08:27 vps-1137330-17320 groupadd[30231]: group added to /etc/gshadow: name=openvpn
21:01 < Xtrivity> /var/log/secure:Feb 16 20:08:27 vps-1137330-17320 groupadd[30231]: new group: name=openvpn, GID=499
21:02 < nullie> does it show anything besides [FAILED] when you try to start it?
21:02 < Xtrivity> nope :S
21:03 < nullie> dunno then
21:03 < Xtrivity> nullie,  think u'd be willing to remote on to my machien and check it out?
21:03 < nullie> did you follow something like https://www.digitalocean.com/community/articles/how-to-setup-and-configure-an-openvpn-server-on-centos-6 ?
21:03 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 260 seconds]
21:03 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
21:03 < nullie> no, I'm not willing to do that
21:03 < Xtrivity> nullie,  i've tried 4 different tutorials. feel they are all pretty similar.
21:04 < nullie> try "openvpn --config /etc/openvpn/server.conf" from console
21:05 < Xtrivity> Options error: --dh fails with 'dh1024.pem': No such file or directory
21:05 < Xtrivity> Options error: --ca fails with 'ca.crt': No such file or directory
21:05 < Xtrivity> Options error: --cert fails with 'server.crt': No such file or directory
21:05 < Xtrivity> Options error: --key fails with 'server.key': No such file or directory
21:05 < Xtrivity> Options error: Please correct these errors.
21:05 < Xtrivity> Use --help for more information.
21:05 < nullie> here you go
21:06 < Xtrivity> all of those files are sitting in /etc/openvpn
21:09 < Xtrivity> iconfig file is set to grab all the files in the same directory as the .conf file
21:15 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Ping timeout: 245 seconds]
21:16 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
21:23 -!- catsup [d@64.111.123.163] has joined #openvpn
21:28 -!- erin [~erin@c-24-130-13-242.hsd1.ca.comcast.net] has joined #openvpn
21:29 -!- catsup [d@64.111.123.163] has quit [Read error: Connection reset by peer]
21:29 -!- catsup [d@64.111.123.163] has joined #openvpn
21:30 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
21:31 -!- erin [~erin@c-24-130-13-242.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
21:37 -!- psilocide [~unknown@c-76-101-85-239.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
21:38 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
21:53 -!- mythos [~mythos@unaffiliated/mythos] has quit [Read error: Connection reset by peer]
21:54 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
21:56 -!- joshh20 is now known as joshh20-Away
22:01 <@krzee> !path
22:01 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 248 seconds]
22:01 <@krzee> !fullpath
22:01 <@krzee> !ping
22:04 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
22:04 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
22:04 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:04 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:04 -!- Xtrivity [~Insanity@S0106602ad096ef86.va.shawcable.net] has quit [Quit: Leaving]
22:15 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
22:16 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
22:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:47 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:29 -!- lvv [~loganaden@2001:4290:10:250:58aa:5442:b3e4:ff69] has joined #openvpn
23:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
23:46 < kcodyjr> hm. does openvpn have a happy way of dealing with the fact that ipv6 hosts usually have several addresses?
23:46 < Eugene> In what way? Your traffic will only originate from one address
23:47 < kcodyjr> admit i'm a little behind the times, my openvpn ddns work led me to playing with ipv6, now setting up a location fully and i see that the router will be broadcasting 3 prefixes into each subnet; one from the ULA space (equivalent to 192.168), one from the 6to4 space because there's no native comcast yet, and one from a hurricane electric tunnel to allow a stable incoming address space.
23:47 < kcodyjr> all that because nat is supposed to be avoided.
23:48 < kcodyjr> to ignore that means i can only use my tunnel for one purpose or another
23:48 < kcodyjr> either to participate in the internal network, or to get a public incoming address, or to get a public outgoing address, but never more than one at a time per server instance
23:49 < kcodyjr> workaround, sure; issue the internal address and let it use a proxy to get outbound and what's a vpn client doing receiving public connections anyway. that aside, seems like a serious limitation
23:51 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 245 seconds]
23:51 -!- lj [~l@192.241.174.169] has joined #openvpn
--- Day changed Mon Feb 17 2014
00:00 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
00:05 < kcodyjr> take it that's a no, not really addressed.
00:06 < kcodyjr> really wish i hadn't bumped heads with pekster while drinking the other night, i don't think he's talking to me anymore. i think he'd know if anyone would.
00:35 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:05 -!- bithash [~bithash@192.241.175.218] has joined #openvpn
01:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
01:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:18 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:21 -!- bithash [~bithash@192.241.175.218] has quit [Quit: leaving]
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:06 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
02:17 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
02:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:41 -!- mastershake [~mastersha@gateway/tor-sasl/mastershake] has quit [Quit: Lost terminal]
02:48 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
03:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
03:02 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
03:02 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
03:05 -!- MatToufoutu [~MaT@nl.h6r.org] has joined #openvpn
03:05 -!- MatToufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
03:07 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
03:11 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
03:20 -!- Mat_Toufoutu is now known as MatToufoutu
03:20 -!- MatToufoutu [~MaT@nl.h6r.org] has quit [Changing host]
03:20 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
03:55 -!- busch_off is now known as busch
03:56 -!- nullie [~nullie@46.48.73.216] has left #openvpn ["Leaving"]
03:57 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has joined #openvpn
03:59 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
04:00 < Zordrak> I would appreciate some advice on determining the cause of OpenVPN core cumps. I'm using openvpn-2.3.2-2.el6.x86_64 on CentOS 6.5 on a physical server that's also a FreeIPA master server. Authentication is Cert+UserPW where UserPW auth is via PAM (and therefore SSSD). It started a few weeks ago with authentication failures due to too many open file handles; now it has changed to core dumps.
04:01 < Zordrak> At the moment the limit of the information I have was from the syslog when it happened which was that a client tried to connect. It started the connect with: TLS: tls_process: killed expiring key, followed by a CRL check and verify on the server and client certs.. then immediately followed by a core dump and program termination.
04:02 < ron_> core dump are good, you can get a backtrace from those.
04:02 < Zordrak> Approx 5 clients use the server across multiple platforms.
04:02 -!- lj [~l@192.241.174.169] has joined #openvpn
04:02 < ron_> without that there's probably not much anyone can tell you.
04:02 < Zordrak> ron_: yar.. if abrtd didnt whinge about the package being unsigned and deleting the directory
04:02 < ron_> ah yeah.  centos rocks for that.
04:03 < Zordrak> Package 'openvpn' isn't signed with proper key; Deleting problem directory '/var/spool/abrt/ccpp-2014-02-16-13:46:59-32697'
04:03 < ron_> maybe start with a better distro then, and solve both your problems at once :)
04:03 < Zordrak> I wish
04:03 < Zordrak> My desktop is Slackware, but the server infra is CentOS to track client RHEL boxes
04:04 < ron_> well, the story is kind of still the same then, without a backtrace "it coredumps" doesn't really tell anyone much.
04:04 < Zordrak> *nod*
04:04 < ron_> you might be able to kill the abrtd abomination somehow.
04:05 < ron_> but get a better distro is what I told our last customer who was fighting that thing :)  and they did.
04:05 < Zordrak> Just trying to work my way backwards. I will work on abrtd - but having never had problems such as these with openvpn before, I was hoping perhaps there were some known issues people run into with a CentOS/PAM config
04:05 < Zordrak> ron_: I would if I could, but in this case I can't.
04:06 < ron_> I'll bet you could if the tunnel is down long enough!  but yeah ...
04:07 < Zordrak> I think I have found an identical problem: https://forums.openvpn.net/topic14846.html
04:07 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN 2.3.2 stability issue on CentOS 6.5 : Server Administration (at forums.openvpn.net)
04:07 < ron_> anyhow, I'm just lurking here because of a separate issue.  maybe someone else has seen this, but it doesn't seem like something that would escape notice for long if it's a General Problem.
04:07 < Zordrak> I definitely think PAM is involved here.
04:08 < Zordrak> Not just OpenVPN failing off its own back.
04:21 -!- busch [~busch@mail.datenschleuder.com] has quit [Quit: ZNC - http://znc.in]
05:11 < Zordrak> ugh a coredump's gonna be useless anyway i reckon.. there's no openvpn-debuginfo
05:23 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
05:25 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
05:27 -!- e-ndy is now known as indy
05:40 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
05:40 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
05:40 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:48 < Zordrak> hokai so i found a dodgy 3rd party debuginfo package that looks like its for the exact build i have.. and i've added the gpg keys to abrt. sit back and wait i guess
06:12 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:13 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Ping timeout: 260 seconds]
06:16 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
06:29 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
06:31 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Max SendQ exceeded]
06:32 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
06:34 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Max SendQ exceeded]
06:35 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
06:53 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
07:03 -!- MrHeisenberg [~MrHeisenb@ip-178-200-129-199.unitymediagroup.de] has joined #openvpn
07:03 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Ping timeout: 260 seconds]
07:04 < MrHeisenberg> hello, just one thing about the float option. if only my clients have changing ips, eg. wlan, umts, is the float option the only thing i need serverside?
07:04 < MrHeisenberg> or is this option nessassery on the client to?
07:16 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:18 -!- MrHeisenberg [~MrHeisenb@ip-178-200-129-199.unitymediagroup.de] has quit [Quit: leaving]
07:31 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
07:44 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
07:46 -!- lvv [~loganaden@2001:4290:10:250:58aa:5442:b3e4:ff69] has quit [Quit: lvv]
07:51 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
08:15 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 260 seconds]
08:36 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
08:43 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 248 seconds]
09:15 -!- f0cker [~f0cker@host86-160-157-149.range86-160.btcentralplus.com] has joined #openvpn
09:15 -!- f0cker [~f0cker@host86-160-157-149.range86-160.btcentralplus.com] has quit [Changing host]
09:15 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
09:16 -!- ron_ [~ron@ppp14-2-46-46.lns21.adl2.internode.on.net] has quit [Ping timeout: 248 seconds]
09:17 -!- _Tass4dar [~tassadar@tassadar.xs4all.nl] has joined #openvpn
09:17 < _Tass4dar> hi
09:17 < _Tass4dar> i am having MTU issues, somewhere in the path between two openvpn nodes there is a smaller MTU in one direction only
09:18 < _Tass4dar> i am trying to configure openvpn to cope with that
09:18 < _Tass4dar> the --mtu-test option sounded like the right thing to do, to figure out what the right setting was
09:18 -!- ron_ [~ron@ppp118-210-184-246.lns20.adl6.internode.on.net] has joined #openvpn
09:18 < _Tass4dar> however after a minute or two, one end starts saying "TLS Error: local/remote TLS keys are out of sync"
09:18 < _Tass4dar> the other end doesn't say anything
09:19 < _Tass4dar> then after a short while they both agree that "NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection)."
09:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 < _Tass4dar> both are openvpn 2.3.2 by the way
09:20 < _Tass4dar> so i'd say the empirical testing definately hit the mtu limit there, but openvpn doesn't seem to recognize it, possibly because the mtu is only limited in one direction?
09:21 -!- lj [~l@192.241.174.169] has joined #openvpn
09:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
09:35 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
09:38 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Client Quit]
09:38 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
09:41 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:44 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:44 -!- mode/#openvpn [+v s7r] by ChanServ
09:44 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has joined #openvpn
09:44 < Minnebo> Mon Feb 17 16:44:09 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
09:44 < Minnebo> Mon Feb 17 16:44:09 2014 TLS Error: TLS handshake failed
09:44 < Minnebo> Mon Feb 17 16:44:09 2014 SIGUSR1[soft,tls-error] received, process restarting
09:45 < Minnebo> any idea? :(
09:48 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
09:50 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Read error: Operation timed out]
09:55 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
09:56 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:56 < br4ndon> Hi there
10:01 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
10:02 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 246 seconds]
10:02 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
10:03 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
10:04 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
10:05 -!- esde [~esde@107.150.1.2] has joined #openvpn
10:12 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
10:14 <@ecrist> Minnebo: you aren't connecting to the openvpn server
10:14 <@ecrist> bad address in your config or a firewall is blocking the connection
10:16 < Minnebo> well, i can see the incoming conn in my openvpn server : /
10:17 < Minnebo> meh
10:17 < Minnebo> on TCP it works
10:17 < Minnebo> on UDP it doenst :p
10:17 < rob0> firewall
10:17 < Eugene> Classic firewall issue.
10:17 < Minnebo> k
10:20 < br4ndon> Problem: TLS Handshake error, no matching cipher. Here are pastes: Client - l4p.me/teq, Server - https://l4p.me/y0i, Vars used with easyrsa - https://l4p.me/7wf.
10:20 < br4ndon> Could someone help me with that please?
10:22 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
10:24 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
10:29 < br4ndon> Oh, and the server log about the error: https://l4p.me/tng
10:29 <@vpnHelper> Title: ZeroBin (at l4p.me)
10:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:31 < br4ndon> The client says nothing interesting about that error
10:33 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:38 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 252 seconds]
10:39 -!- u0m3 [~u0m3@92.80.90.121] has joined #openvpn
10:41 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has quit [Ping timeout: 264 seconds]
10:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 272 seconds]
11:00 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
11:13 <@krzee> !magic
11:13 <@vpnHelper> "magic" is For a story about magic read http://www.catb.org/jargon/html/magic-story.html
11:20 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Read error: Operation timed out]
11:21 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
11:25 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
11:26 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
11:36 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
11:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:38 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
11:41 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:42 -!- ska [~ska@unaffiliated/ska] has quit [Ping timeout: 246 seconds]
11:43 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
11:45 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
12:03 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 245 seconds]
12:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:12 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
12:14 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
12:27 -!- br4ndon_ [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
12:30 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
12:33 -!- br4ndon_ [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
12:37 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
12:45 -!- mirco_ [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco_]
12:55 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
12:56 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 264 seconds]
13:07 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
13:08 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has joined #openvpn
13:08 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has quit [Changing host]
13:08 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
13:17 -!- master_o1_master [~master_of@p4FD7B834.dip0.t-ipconnect.de] has joined #openvpn
13:20 -!- master_of_master [~master_of@p4FD7BE80.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
13:21 -!- pdobrogost [~quassel@77-255-241-218.adsl.inetia.pl] has joined #openvpn
13:35 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
13:37 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
13:44 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
13:44 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:47 -!- MoeMorox [moe@2a03:4000:2:1fa::1] has joined #openvpn
13:50 < MoeMorox> Hey, is it possible to disable the forwarding of traffic through the VPN client-side?
13:51 -!- lj1 [~l@192.241.174.169] has joined #openvpn
13:55 -!- dazo is now known as dazo_afk
13:56 <@krzee> !nopull
13:56 <@vpnHelper> "nopull" is "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
14:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:05 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
14:09 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
14:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:33 -!- SupaYoshi [~SupaYoshi@ip4da5d319.direct-adsl.nl] has joined #openvpn
14:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:41 < MoeMorox> krzee: if I use that, I can't ping my server anymore, do I need to set any options manually now?
14:41 <@krzee> remove the option and view every route added
14:41 <@krzee> then use the option and add back any routes you need to make the vpn operational
14:41 <@krzee> since you are ignoring *all* routes
14:44 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 246 seconds]
14:44 -!- n5 [~me@78-56-17-98.static.zebra.lt] has joined #openvpn
14:46 < MoeMorox> krzee: Okay thanks, it works now!
14:49 <@krzee> np =]
14:56 -!- joshh20-Away is now known as joshh20
14:58 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:59 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
15:05 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
15:06 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
15:08 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
15:24 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:26 -!- bigbob83 [~bigbob@62-210-206-123.rev.poneytelecom.eu] has joined #openvpn
15:28 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 248 seconds]
15:29 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 272 seconds]
15:30 -!- catsup [d@64.111.123.163] has joined #openvpn
15:30 < bigbob83> Hello all, i'm trying to apply tc filters in my --client-connect script but i don't understand a thing: how can i specify a persistent qdisc; because when i'm connecting to my openvpn server the qdisc that i've just created disapear and my tc filter add command does not work; why this qdisc disapear? Thanks a lot for your awnsers :)
15:31 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
15:32 <@krzee> !notovpn
15:32 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
15:35 -!- bigbob83 [~bigbob@62-210-206-123.rev.poneytelecom.eu] has quit []
15:35 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 252 seconds]
15:36 -!- bigbob83 [~bigbob@62-210-206-123.rev.poneytelecom.eu] has joined #openvpn
15:36 -!- bigbob83 [~bigbob@62-210-206-123.rev.poneytelecom.eu] has left #openvpn []
15:36 -!- catsup [d@64.111.123.163] has joined #openvpn
15:41 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 248 seconds]
15:42 -!- catsup [d@64.111.123.163] has joined #openvpn
15:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:47 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
15:48 -!- catsup [d@64.111.123.163] has joined #openvpn
15:52 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
15:54 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 252 seconds]
15:54 -!- catsup [d@64.111.123.163] has joined #openvpn
16:00 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 252 seconds]
16:00 -!- catsup [d@64.111.123.163] has joined #openvpn
16:06 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 272 seconds]
16:06 -!- catsup [d@64.111.123.163] has joined #openvpn
16:11 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
16:12 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 260 seconds]
16:12 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
16:12 -!- catsup [d@64.111.123.163] has joined #openvpn
16:16 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
16:17 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
16:18 -!- catsup [d@64.111.123.163] has joined #openvpn
16:23 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
16:24 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 248 seconds]
16:24 -!- catsup [d@64.111.123.163] has joined #openvpn
16:27 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Read error: Connection reset by peer]
16:29 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
16:30 -!- catsup [d@64.111.123.163] has joined #openvpn
16:39 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
16:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:40 -!- mode/#openvpn [+v s7r] by ChanServ
16:46 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
17:01 -!- Cybertinus [~Cybertinu@83.96.177.35] has joined #openvpn
17:08 -!- klein [~klein@177.101.109.136] has joined #openvpn
17:08 -!- klein [~klein@177.101.109.136] has quit [Changing host]
17:08 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:19 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
17:35 -!- pdobrogost [~quassel@77-255-241-218.adsl.inetia.pl] has quit [Read error: Operation timed out]
17:36 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
17:38 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
17:49 -!- Cybertinus [~Cybertinu@83.96.177.35] has quit [Remote host closed the connection]
17:50 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:54 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 246 seconds]
18:02 -!- Wheelz [~Wheelz@209-253-157-229.ip.mcleodusa.net] has joined #openvpn
18:04 < Wheelz> Hello all. I wanted to know if anyone has had any success in doing packet prioritization/QoS within an OpenVPN tunnel?
18:04 < Wheelz> Maybe via IPTables or tc?
18:15 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
18:41 < pekster> Nothing stops you; a tun device is "just another interface"
18:41 < pekster> You might need to play with --pass-tos if you expect the encapsulated packet to be handled with the same priority by your physical egress
18:43 < Wheelz> I'm doing some testing on it. Thanks for the info as always pekster.
18:45 < pekster> kcodyjr: Just busy; stop reading into it. Multiple addresses are not at all common on tun, and if you do it you're expected to know what you're doing anyway
18:46 < kcodyjr> okay; thanks, and, sorry.
18:46 < pekster> In tap OpenVPN isn't really doing anything with your addresses (though it can) and is really just providing the link-layer transport
18:46 < pekster> How that fits into your project is for you to determine
18:46 < kcodyjr> that crossed my mind; tap would act more "naturally" and just pick up ipv6 via ra's, but i also remember the efficiency loss
18:47 < pekster> I think tap with IPv6 is silly
18:47 < kcodyjr> far as my project goes, its scope is situations when openvpn gives out an address, so no big deal
18:47 < kcodyjr> i've just been trying to clue myself up with ipv6 by properly configuring a network for dual stack
18:47 < kcodyjr> prompted by discussions we had, some of which i only 1/2 remember
18:47 < kcodyjr> i did settle on using a ULA as the "canonical" internal network
18:48 < pekster> !ipv6
18:48 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
18:50 < kcodyjr> already got through that much, and had the tunnel receiving a 6to4 address and successfully browsing via ipv6, then reconfigured to make the tunnel part of the ULA space
18:50 < pekster> Don't route ULA
18:51 < kcodyjr> meaning don't let the tunnel client with a ULA address try to reach the internet. right. at the moment, it would have to use the proxy.
18:51 < pekster> Really, don't do that either
18:51 < pekster> tunnelbroker.net or sixxs.net
18:51 < pekster> Free & simple
18:51 < kcodyjr> i've got an he tunnel space i could use, sure
18:52 < kcodyjr> so then what's the useful scope of ULA if i shouldn't give it out to a vpn client?
18:55 < kcodyjr> clearly there's something here i'm not grokking, i'm reaching for it
18:56 < pekster> If you're using a proxy anyway, what on earth is the point of doing the client to proxy connection over IPv6 ULA?
18:56 < pekster> It's utterly pointless
18:56  * pekster shrugs
18:56 < pekster> It's not "wrong", just adds nothing but complexity for no gain
18:57 < kcodyjr> haven't made any final decisions what to use. there simply happens to be a proxy available on the firewall box.
18:57 -!- lj1 [~l@192.241.174.169] has joined #openvpn
18:58 < kcodyjr> but, answering as asked, the "point" is simply to support all common operating modes including possible ipv6-only hosts. i'm just trying to figure out what's the right way to go about it.
18:58 -!- dowaat [uid3966@gateway/web/irccloud.com/x-jkxatvdrbvgstcam] has quit [Ping timeout: 245 seconds]
18:59 -!- dowaat [uid3966@gateway/web/irccloud.com/x-yjdwrngsuxftimyx] has joined #openvpn
18:59 < pekster> You can't today dual-stack the transport
18:59 < pekster> Only the insisde tunnel (there's active work to fix that)
19:00 < kcodyjr> no, but the hypothetical v6-only laptop would probably be able to use that ::a.b.c.d syntax if the kung-fu has been set up right
19:01 < kcodyjr> not saying it's efficient, and yeah that's really a daemon shortcoming, and i can well be patient. i don't need everything working now. i just need to learn what the finished puzzle is supposed to look like.
19:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:31 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
19:35 -!- Wheelz [~Wheelz@209-253-157-229.ip.mcleodusa.net] has quit []
19:47 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Read error: Operation timed out]
19:48 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has joined #openvpn
19:49 -!- joshh20 is now known as joshh20-Away
20:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:07 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:38 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
20:55 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.2]
20:56 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
20:57 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:01 -!- lj1 [~l@192.241.174.169] has quit [Client Quit]
21:02 -!- lj [~l@192.241.174.169] has joined #openvpn
21:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
21:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:33 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
21:33 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Read error: Connection reset by peer]
21:34 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
21:49 -!- SupaYoshi [~SupaYoshi@ip4da5d319.direct-adsl.nl] has quit []
22:15 -!- ron_ [~ron@ppp118-210-184-246.lns20.adl6.internode.on.net] has quit [Ping timeout: 265 seconds]
22:16 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
22:26 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
22:27 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
22:27 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
22:27 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
22:34 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:55 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
22:58 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
23:13 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Read error: Operation timed out]
23:14 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:23 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
23:24 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:37 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
23:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
--- Day changed Tue Feb 18 2014
00:03 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
00:06 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:10 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:14 -!- lvv [~loganaden@2001:4290:10:250:9559:3f04:7da7:817a] has joined #openvpn
00:20 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
00:21 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:43 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 246 seconds]
00:50 -!- rtur [~rtur@212.224.92.143] has quit [Ping timeout: 246 seconds]
00:50 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
00:52 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 252 seconds]
00:53 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
01:07 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
01:22 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:27 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:40 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
01:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:49 -!- ron__ [~ron@ppp118-210-178-141.lns20.adl6.internode.on.net] has joined #openvpn
02:11 -!- lvv [~loganaden@2001:4290:10:250:9559:3f04:7da7:817a] has quit [Ping timeout: 245 seconds]
02:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
02:16 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
02:17 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
02:18 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
02:18 -!- Devastator [~devas@186.214.15.65] has joined #openvpn
02:20 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:22 <+hazardous> question: how suited is ovpn to ultra-high-latency environments
02:22 <+hazardous> like avg/min of 800ms 600ms
02:23 <@plaisthos> hazardous: intial setup probably takes longer
02:24 <@plaisthos> after that OpenVPN is more or less a dump pipe
02:24 <@plaisthos> try to avoid tcp over tcp
02:24 -!- mode/#openvpn [-o plaisthos] by plaisthos
02:24 <+hazardous> lol
02:24 <+hazardous> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
02:24 <+hazardous> it takes maybe 10 minutes to connect, maybe longer
02:24 <+hazardous> and a couple tries
02:25 < plaisthos> hm
02:25 < plaisthos> that sounds like an awful lot of time
02:25 < plaisthos> are you losing packets additionally?
02:25 <+hazardous> 8-10 min with udp, fails 100% as tcp
02:25 <+hazardous> 33 packets transmitted, 33 received, 0% packet loss, time 32038ms
02:25 <+hazardous> rtt min/avg/max/mdev = 214.109/327.763/903.039/162.526 ms
02:27 < plaisthos> that is strange.
02:28 < plaisthos> No idea at the moment
02:28 <+hazardous> mmm. it's done when it hits 'Initialization Sequence Completed' right?
02:28 < plaisthos> connecting over GPRS works fine
02:28 < plaisthos> yes
02:28 <+hazardous> Tue Feb 18 00:20:05 2014 OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia
02:28 <+hazardous> Feb 18 00:26:23 2014 Initialization Sequence Completed
02:28 <+hazardous> yea this is gonna be fun to figure out for me i guess
02:29 < plaisthos> tcpdump should give you some hints
02:36 -!- ron___ [~ron@ppp118-210-226-109.lns20.adl6.internode.on.net] has joined #openvpn
02:39 -!- ron__ [~ron@ppp118-210-178-141.lns20.adl6.internode.on.net] has quit [Ping timeout: 265 seconds]
02:57 -!- rtur [~rtur@212.224.92.143] has joined #openvpn
03:02 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
03:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:34 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Remote host closed the connection]
03:35 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
03:45 -!- ron___ is now known as ron_
03:56 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
04:00 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
04:11 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
04:21 -!- NChief [~nchief@unaffiliated/nchief] has quit [Read error: Operation timed out]
04:21 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Operation timed out]
04:21 -!- Rallias [~Rallias@i.am.lacking.clothing] has quit [Read error: Operation timed out]
04:22 -!- Rallias [~Rallias@i.am.lacking.clothing] has joined #openvpn
04:22 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
04:22 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
04:22 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:27 -!- _Tass4dar [~tassadar@tassadar.xs4all.nl] has left #openvpn []
04:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
04:33 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:34 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
04:34 -!- takamichi [~takamichi@85.12.8.14] has quit [Max SendQ exceeded]
04:35 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
04:35 -!- takamichi [~takamichi@85.12.8.14] has quit [Max SendQ exceeded]
04:37 -!- takamichi [~takamichi@85.12.8.13] has joined #openvpn
04:44 < rtur> Hi. I can't get openvpn-plugin-down-root.so to work. Here is my client conf http://pastebin.com/yumZtkrA , start log http://pastebin.com/yAqx6L2d , stop log http://pastebin.com/Xy4bCERj . It starts fine, but on stopping there are permission errors for the "ip route del" commands and some problems with the down-root plugin. I tried to run it without the "user/group nobody" options but it produced the same
04:44 < rtur> problem, except the perm. errors for the ip route del commands.
05:03 -!- Cybert1nus [~Cybertinu@2a00:6960:1:1::2442] has joined #openvpn
05:10 -!- takamichi [~takamichi@85.12.8.13] has quit [Read error: Operation timed out]
05:13 -!- Cybert1nus [~Cybertinu@2a00:6960:1:1::2442] has quit [Remote host closed the connection]
05:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:19 -!- dazo_afk is now known as dazo
05:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:37 -!- u0m3 [~u0m3@92.80.90.121] has quit [Read error: Connection reset by peer]
05:40 -!- u0m3 [~u0m3@109.96.128.122] has joined #openvpn
05:51 -!- CircleCode [~Matthieu@hoaproject/contributor/CircleCode] has joined #openvpn
05:51 < CircleCode> Hi guys, please can you confirm `DOMAIN-SEARCH` is a directive that should be interpreted by the client?
05:52 < CircleCode> allowing to add entries to resolv.conf's `search` filed without modifying `domain` field
05:52 -!- Haseo [~Haseo@aufrinfo.net] has quit [Read error: Connection reset by peer]
05:56 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
06:06 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:07 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
06:19 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:19 -!- n5 [~me@78-56-17-98.static.zebra.lt] has quit []
07:07 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
07:11 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
07:13 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 260 seconds]
07:18 < plaisthos> CircleCode: I don't think openvpn has implemented that
07:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
07:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
07:26 < CircleCode> plaisthos: that woul explain why I can't find this in openvpn documentation…
07:26 < CircleCode> btw, I'm sure I've read this somewhere…
07:33 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:42 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
07:44 -!- Devastator [~devas@186.214.15.65] has quit [Changing host]
07:44 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
07:52 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
08:05 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:12 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:20 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
08:20 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
08:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
08:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:57 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Remote host closed the connection]
08:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
08:59 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
09:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
09:11 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
09:15 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has joined #openvpn
09:38 -!- shoerain [ehtesh@2600:3c03::f03c:91ff:feae:8f] has joined #openvpn
09:38 < shoerain> !welcome
09:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:38 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:39 < shoerain> !goal
09:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:39 -!- shoerain [ehtesh@2600:3c03::f03c:91ff:feae:8f] has left #openvpn ["WeeChat 0.4.2-dev"]
09:39 -!- shoerain [ehtesh@2600:3c03::f03c:91ff:feae:8f] has joined #openvpn
09:58 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
10:39 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has quit [Ping timeout: 265 seconds]
10:40 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
10:45 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
11:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:14 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
11:15 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
11:20 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:20 -!- mode/#openvpn [+v s7r] by ChanServ
11:22 -!- CircleCode [~Matthieu@hoaproject/contributor/CircleCode] has quit [Quit: Il y a deux types de personnes dans le monde : ceux qui finissent leur histoire]
11:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:34 -!- lj [~l@192.241.174.169] has joined #openvpn
11:36 -!- pdobrogost [~quassel@213-238-67-151.adsl.inetia.pl] has joined #openvpn
11:40 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
11:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
11:56 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:56 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
11:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Remote host closed the connection]
11:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:07 -!- qwertyoruiop is now known as BigBIitz
12:07 -!- BigBIitz is now known as qwertyoruiop
12:10 -!- fremo_ [~fred@gw-salamandre.liazo.net] has quit [Ping timeout: 265 seconds]
12:17 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
12:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:25 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:25 -!- mode/#openvpn [+v s7r] by ChanServ
12:44 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
12:46 -!- kossy [a@kossy.org] has quit [Excess Flood]
12:50 -!- kossy [a@kossy.org] has joined #openvpn
12:52 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
13:14 -!- mehonoshin [~mexx@5.57.217.44.bba.joxnet.ru] has joined #openvpn
13:15 < mehonoshin> hi folks
13:15 < jeev> krzee, you around ?
13:15 < mehonoshin> did anyone built chains of openvpn servers dynamicly?
13:16 < mehonoshin> when clients selects a list of servers in web interface, and we built such chain for him
13:16 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
13:17 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:17 -!- master_of_master [~master_of@p4FF248DA.dip0.t-ipconnect.de] has joined #openvpn
13:18 -!- mehonoshin is now known as vic736
13:18 -!- master_o1_master [~master_of@p4FD7B834.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
13:21 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
13:28 -!- vic736 [~mexx@5.57.217.44.bba.joxnet.ru] has quit [Quit: leaving]
13:29 -!- lvv [~loganaden@197.226.3.171] has joined #openvpn
13:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:41 -!- vic736 [~vic736@5.57.217.44.bba.joxnet.ru] has joined #openvpn
13:44 -!- lvv [~loganaden@197.226.3.171] has quit [Quit: lvv]
13:47 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:49 -!- webtroll [~chatzilla@c-24-14-55-11.hsd1.il.comcast.net] has joined #openvpn
13:50 -!- sHockz [~shockz@zenofex.com] has quit [Quit: Lost terminal]
13:54 -!- stillaftermath [~chris@65.191.90.86] has joined #openvpn
13:54 -!- vic736 [~vic736@5.57.217.44.bba.joxnet.ru] has quit [Ping timeout: 265 seconds]
14:03 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:03 -!- mode/#openvpn [+o mattock] by ChanServ
14:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:04 < stillaftermath> Could somebody glance at my configs and see if there's anything obviously wrong? http://pastebin.com/NYVtGV9p for the server, http://pastebin.com/032BAp3Y for the client. Both an Ubuntu 12.04 client and a Windows client connect with no reported errors, but no TCP traffic across the tunnel
14:04 -!- s7r_h [~s7r@openvpn/user/s7r] has joined #openvpn
14:04 -!- mode/#openvpn [+v s7r_h] by ChanServ
14:05 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
14:06 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Read error: Connection reset by peer]
14:15 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:20 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 245 seconds]
14:21 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:22 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
14:24 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
14:24 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
14:24 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:24 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
14:24 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
14:24 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
14:24 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:24 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
14:25 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
14:25 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
14:25 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:25 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
14:26 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
14:26 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
14:26 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:26 -!- pdobrogost [~quassel@213-238-67-151.adsl.inetia.pl] has quit [Read error: Connection reset by peer]
14:26 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
14:27 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:27 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
14:28 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:28 -!- pdobrogost [~quassel@213-238-67-151.adsl.inetia.pl] has joined #openvpn
14:31 -!- volnukhin [~ka4ok@141.0.170.169] has quit [Remote host closed the connection]
14:32 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
14:37 -!- Minnebo [~Minnebo@78-21-120-85.access.telenet.be] has joined #openvpn
14:40 -!- rustem [~ka4ok@141.0.170.169] has quit [Remote host closed the connection]
14:40 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
14:41 -!- rustem [~ka4ok@141.0.170.169] has quit [Remote host closed the connection]
14:42 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
14:46 -!- SherlockHomeless [~SherlockH@rrcs-70-63-10-98.central.biz.rr.com] has joined #openvpn
14:46 < SherlockHomeless> how do i actually go about using the new easy-rsa
14:47 < SherlockHomeless> I am confused
14:51 < SherlockHomeless> hello?
14:52 < SherlockHomeless> everytime i type ./easyrsa it just tells me there is no such file or directory
14:53 < SherlockHomeless> nvm
14:53 < SherlockHomeless> assholes
14:53 < SherlockHomeless> fucking dicks
14:53 < SherlockHomeless> bags of cunts
14:53 < SherlockHomeless> fuck you dazo
14:53 < SherlockHomeless> fuck you ecrist
14:53 < rob0> [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
14:53 < rob0> oops
14:53 < SherlockHomeless> fuck you rob)
14:54 < SherlockHomeless> fuck you krzee
14:54 -!- mode/#openvpn [+o rob0] by ChanServ
14:54 < SherlockHomeless> fuck you rob)
14:54 <@rob0> mode +q SherlockHomeless
14:54 < SherlockHomeless> fuck you rob0
14:54 -!- mode/#openvpn [+q SherlockHomeless!*@*] by rob0
14:54 -!- SherlockHomeless [~SherlockH@rrcs-70-63-10-98.central.biz.rr.com] has quit [Quit: Leaving]
14:55 <@rob0> People who are too stupid to use either IRC or a VPN do not belong here.
14:55 < phreakocious> cuz help should be available 24/7 for free!
14:55 -!- mode/#openvpn [+b *!*@rrcs-70-63-10-98.central.biz.rr.com] by rob0
14:57 -!- ron__ [~ron@ppp118-210-128-218.lns20.adl6.internode.on.net] has joined #openvpn
14:57 -!- raidz is now known as raidz_away
14:57 <@rob0> meh, no account to ban
14:58 -!- mode/#openvpn [-qo SherlockHomeless!*@* rob0] by rob0
14:59 -!- raidz_away is now known as raidz
15:00 -!- ron_ [~ron@ppp118-210-226-109.lns20.adl6.internode.on.net] has quit [Ping timeout: 245 seconds]
15:01 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:01 <@ecrist> heh
15:01 -!- vic736 [~vic736@5.57.217.44.bba.joxnet.ru] has joined #openvpn
15:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:02 < rob0> At least that's a static IP. He's paying RR for business-class service. But as noted, he's entitled to free professional help 24x7.
15:05 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:06 <@dazo> wow
15:06 <@dazo> Now I've seen this too
15:06 -!- vic736 [~vic736@5.57.217.44.bba.joxnet.ru] has quit [Ping timeout: 272 seconds]
15:08 -!- dazo is now known as dazo_afk
15:09 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 272 seconds]
15:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:20 -!- joshh20-Away is now known as joshh20
15:22 -!- mattock is now known as mattock_afk
15:26 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
15:26 < mnathani> what is the syntax for specifying encryption algorithm
15:28 < Aketzu_> openvpn --show-ciphers
15:28 < mnathani> I am trying to use pfSense as the client with a linux openvpn serer
15:28 < mnathani> s/serer/server
15:29 < mnathani> Aketzu_: thanks
15:29 -!- mode/#openvpn [+o Eugene] by ChanServ
15:32 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
15:33 < mnathani> ok, cool I got the vpn up.
15:33 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:51 -!- pdobrogost [~quassel@213-238-67-151.adsl.inetia.pl] has quit [Remote host closed the connection]
15:52 -!- ron__ is now known as ron_
15:54 -!- Minnebo [~Minnebo@78-21-120-85.access.telenet.be] has quit [Ping timeout: 260 seconds]
16:05 -!- webtroll_ [~chatzilla@c-24-14-55-11.hsd1.il.comcast.net] has joined #openvpn
16:06 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
16:07 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
16:08 -!- webtroll [~chatzilla@c-24-14-55-11.hsd1.il.comcast.net] has quit [Ping timeout: 248 seconds]
16:10 -!- stillaftermath [~chris@65.191.90.86] has quit [Quit: Leaving]
16:16 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
16:30 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:34 -!- s7r_h is now known as s7r
16:44 -!- Protected [~Join@bl13-122-173.dsl.telepac.pt] has joined #openvpn
16:48 < Protected> Hey there. Can I get some clarifications about http://openvpn.net/index.php/open-source/documentation/howto.html#mitm ?
16:48 <@vpnHelper> Title: HOWTO (at openvpn.net)
16:48 < Protected> I think I followed the instructions, but I'm still getting the error
16:57 < Protected> More specifically, by following the first solution, I currently get "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" logged on both client and server
16:57 < Protected> The server can clearly see the packets, and turning off the firewall doesn't seem to help, so I doubt it's a firewall issue
16:57 < Protected> I'm using 2.2
16:58 < Protected> And on debian wheezy
17:05 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Ping timeout: 260 seconds]
17:05 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 260 seconds]
17:06 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
17:09 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
17:09 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
17:10 <@krzee> !timeout
17:10 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
17:10 <@krzee> did you also check the server log?
17:11 <@krzee> could be getting HMAC errors if tls-auth is set wrong...
17:12 < Protected> Not using it
17:12 < Protected> I think I just figured it out
17:12 < Protected> dns may be resolving to the wrong server
17:12 < Protected> Let me try cleaning that up
17:14 -!- master_o1_master [~master_of@p4FF248DA.dip0.t-ipconnect.de] has joined #openvpn
17:14 -!- fremo [~fred@gw-salamandre.liazo.net] has quit [Ping timeout: 272 seconds]
17:14 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
17:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
17:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
17:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
17:16 -!- Netsplit *.net <-> *.split quits: matsh, kevinsky, NChief, master_of_master
17:18 -!- Netsplit over, joins: NChief, matsh
17:23 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
17:26 -!- webtroll_ [~chatzilla@c-24-14-55-11.hsd1.il.comcast.net] has quit [Ping timeout: 248 seconds]
17:28 < Protected> krzee: Seems I can connect now that I'm pointed at the correct server
17:28 < Protected> Just need to untangle the firewall nightmare
17:33 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
17:35 -!- Protected [~Join@bl13-122-173.dsl.telepac.pt] has quit [Ping timeout: 252 seconds]
17:38 -!- AsadH is now known as malaparte
17:40 -!- malaparte is now known as AsadH
17:41 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 264 seconds]
17:42 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
17:44 -!- Mat_Toufoutu is now known as MatToufoutu
17:44 -!- MatToufoutu [~MaT@nl.h6r.org] has quit [Changing host]
17:44 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
17:45 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
17:59 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
18:15 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 246 seconds]
18:28 -!- p3rror [~mezgani@41.249.87.235] has joined #openvpn
18:32 -!- p3rror [~mezgani@41.249.87.235] has quit [Ping timeout: 241 seconds]
18:44 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
18:49 -!- mumixam [~m@unaffiliated/mumixam] has quit [Remote host closed the connection]
18:50 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
19:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:24 -!- diamond187 [adda48d1@gateway/web/cgi-irc/kiwiirc.com/ip.173.218.72.209] has joined #openvpn
19:27 < diamond187> Ok, trying to help a vendor out here, but figured I'd fish for any known gotchas if anyone has anything to share.. Have two backup "Appliances" running CentOS that need to talk to each other at two sites connected by 1Gbit fiber and Cisco 5540 ASAs that are setup and working great using a VPN to tunnel between sites (this is a highly secure offline
19:27 < diamond187>  lan).  The appliances aren't replicating between each other (one at each site) correctly, and come to find out they are using OpenVPN between the two boxes to create a VPN between themselves to do the replication.  Has anyone seen any issues with this inception-style VPN-within-VPN before?  Details on the appliances are EXTREMELY scarce, as the ve
19:27 < diamond187> ndor is troubleshooting their OpenVPN, but otherwise claim as an "appliance", they will do any reconfigs there.  Mainly looking for any insight to give to the poor guy who is onsite working on the issues so he can get back home to his family!
19:30 < _FBi> I don't get using two vpns
19:31 < _FBi> but that's not your question, I apologize
19:35 < diamond187> The site to site VPN is for the whole place, the appliance vendor uses their 'own' between their boxes... Doesn't make a lot of sense, no, but that's how their box works
19:36 < _FBi> Oh I see
19:36 < _FBi> I here some ISPs are now throttling the OpenVPN UDP port
19:41 < diamond187> This isn't ISP based, as we own the fiber at both sites and in between; it's a corporate installation
19:42 < diamond187> I just didn't know if there would be any routing or DNS issues that could be caused by the tunnel-in-a-tunnel effect; can't say I've ever had the need to VPN my VPN before personally. :)
19:43 < _FBi> I think of it like proxy-chains(TM)
19:43 < _FBi> should work. :D
19:47 < _FBi> are you view the debug level?  are you seeing what the problem is?
19:47 < diamond187> yeah, it really should as it is setup like Appliance A VPN ->    Cisco 5540A ------ Cisco 5540B  -> Appliance B VPN
19:48 < diamond187> no, no direct access to box unfortunately, as it's controlled by the appliance manufacturer.   More of a check for inception-style VPN capability or known issues to relay to them so they can get wrapped up, as they were working on it all day today.
19:48 < _FBi> yikes
19:49 < diamond187> (which I know insanely drops the percentage of 'helpfulness' in this case, but IRC is often a place to find the guys and gals who have seen a ton of random one-offs over the years and can recall how things got fixes)
19:49 < _FBi> there's a lot smarter guys in here than me -- I don't set the bar very high.  I hope someone is around that can help you
19:50 < diamond187> lol - I know, I've setup quite a few Lan-to-Lan and roadwarrior OpenVPN setups in the past, but never felt the need to route the VPN traffic over another VPN.  In theory it should take the encrypted packet and throw a wrapper on it on one side and remove it on the other, making performance pretty slow due to small datagram size, but otherwise shoul
19:50 < diamond187> d work just fine.
19:50 < diamond187> But, theory and reality are often two different beasts!
19:51 < _FBi> yup
20:03 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
20:04 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:05 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:24 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
20:27 -!- joshh20 is now known as joshh20-Away
21:03 -!- lj [~l@99.155.25.195] has joined #openvpn
21:05 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:06 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
21:06 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:07 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Client Quit]
21:07 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
21:08 -!- lj [~l@99.155.25.195] has quit [Ping timeout: 245 seconds]
21:10 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
21:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:13 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
21:20 -!- lj [~l@99.155.25.195] has joined #openvpn
21:21 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:24 -!- lj [~l@99.155.25.195] has quit [Ping timeout: 252 seconds]
21:30 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
21:34 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:35 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 272 seconds]
22:04 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
22:06 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has joined #openvpn
22:09 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
22:15 -!- gardar [~gardar@bnc.giraffi.net] has quit [Read error: Operation timed out]
22:15 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
22:17 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
22:17 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
22:17 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has joined #openvpn
22:22 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Client Quit]
22:24 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
22:35 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
22:46 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 260 seconds]
23:06 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:08 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
23:11 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
23:31 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
23:33 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Client Quit]
23:33 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 245 seconds]
23:44 -!- lj [~l@99.155.25.195] has joined #openvpn
23:48 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:49 -!- lj [~l@99.155.25.195] has quit [Ping timeout: 265 seconds]
--- Day changed Wed Feb 19 2014
00:03 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Read error: Operation timed out]
00:05 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
00:18 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 240 seconds]
00:22 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
00:26 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
00:33 -!- lvv [~loganaden@196.1.0.54] has joined #openvpn
00:35 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:36 -!- vic736 [~vic736@5.57.217.44.bba.joxnet.ru] has joined #openvpn
00:42 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Quit: p33 ba115]
00:43 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
00:57 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
00:57 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
00:58 -!- xTz is now known as Guest67243
00:58 -!- mattock_afk is now known as mattock
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:06 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:06 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:14 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:16 -!- nunim [nunim@unaffiliated/nunim] has quit [Ping timeout: 265 seconds]
01:18 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
01:31 -!- mattock is now known as mattock_afk
01:34 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has joined #openvpn
01:41 -!- mattock_afk is now known as mattock
01:46 -!- KrissO [~krisso@46.109-247-25.customer.lyse.net] has quit [Quit: - nbs-irc 2.39 - www.nbs-irc.net -]
01:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
02:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:10 -!- CircleCode [~Matthieu@hoaproject/contributor/CircleCode] has joined #openvpn
02:24 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Read error: Operation timed out]
02:27 < CircleCode> Hi, is there a way to make openvpn declare dns to dnsmasq rather than /etc/resolv.conf?
02:32 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
02:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
02:37 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
02:40 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
02:49 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Remote host closed the connection]
02:52 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
02:53 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
03:10 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:17 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
03:19 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 260 seconds]
03:29 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 252 seconds]
03:32 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
03:33 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
03:35 -!- makara [~makara@41.164.22.218] has joined #openvpn
03:36 -!- fred`` [fred@earthli.ng] has joined #openvpn
03:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:55 -!- diamond187 [adda48d1@gateway/web/cgi-irc/kiwiirc.com/ip.173.218.72.209] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
04:14 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 265 seconds]
04:19 -!- Ananya [Ananya@182.70.149.118] has joined #openvpn
04:22 < Ananya> !welcome
04:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:22 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:22 < Ananya> !goal
04:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:24 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
04:25 < Ananya> I've got a question. Is it possible to connect to a linux server with openVPN installed using a windows client?
04:31 -!- mattock is now known as mattock_afk
04:38 -!- Ananya [Ananya@182.70.149.118] has quit []
04:52 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
04:57 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Quit: Leaving]
04:59 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:08 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
05:12 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 248 seconds]
05:14 -!- mattock_afk is now known as mattock
05:22 -!- dazo_afk is now known as dazo
05:25 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
05:41 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
05:43 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:50 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 245 seconds]
05:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
05:59 -!- ron_ [~ron@ppp118-210-128-218.lns20.adl6.internode.on.net] has quit [Ping timeout: 272 seconds]
06:06 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
06:12 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
06:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:29 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:36 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 252 seconds]
06:38 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
06:39 -!- phunyguy_ [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
06:40 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Ping timeout: 240 seconds]
06:40 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
06:44 -!- lj [~l@192.241.174.169] has joined #openvpn
06:49 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:49 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
06:52 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
07:09 -!- mode/#openvpn [-o plaisthos] by plaisthos
07:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:27 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
07:31 -!- Minnebo_ [~Minnebo@213.211.135.88.static.edpnet.net] has joined #openvpn
07:32 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has quit [Ping timeout: 245 seconds]
07:40 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 248 seconds]
07:41 -!- vic736 [~vic736@5.57.217.44.bba.joxnet.ru] has quit [Quit: leaving]
07:41 -!- Minnebo_ [~Minnebo@213.211.135.88.static.edpnet.net] has quit [Ping timeout: 252 seconds]
07:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 260 seconds]
07:44 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
07:45 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
07:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:50 -!- takamichi [~takamichi@85.12.8.106] has quit [Read error: Connection reset by peer]
07:52 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
07:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:57 -!- phunyguy_ is now known as phunyguy
07:59 -!- lvv [~loganaden@196.1.0.54] has quit [Quit: lvv]
08:03 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:06 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:09 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 260 seconds]
08:10 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:12 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 252 seconds]
08:14 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
08:14 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
08:14 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:14 -!- danielsw [~dmanser@python2.cloud.tilaa.com] has joined #openvpn
08:15 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 246 seconds]
08:16 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:17 -!- webtroll [~chatzilla@c-24-14-55-11.hsd1.il.comcast.net] has joined #openvpn
08:17 < danielsw> i'm trying to set up a L3 (routed) openvpn connection. let's say 192.168.12.1 is the gateway from my router. if i add "server 192.168.0.0 255.255.255.0" to the server's config, it binds the ip address 192.168.12.1 to its tun interface - but that is already the ip address of my router
08:20 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
08:21 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
08:27 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has joined #openvpn
08:30 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
08:33 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:37 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
08:37 -!- lj [~l@192.241.174.169] has joined #openvpn
08:37 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Quit: No Ping reply in 180 seconds.]
08:38 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
08:43 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
08:46 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:49 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
08:49 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
08:51 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:53 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
08:54 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 245 seconds]
08:57 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:59 -!- psycheye [~psycheye@93.49.16.11] has quit [Quit: changing servers]
09:01 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
09:01 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:02 -!- Austin___ [~austin@cpc19-hudd9-2-0-cust366.4-1.cable.virginm.net] has joined #openvpn
09:02 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 248 seconds]
09:02 < Austin___> hi all, excuse me if im asking in a unrelated channel. I've got a remote server that i administer over ssh and want to connect it to a VPN and then restore the SSH connection, but when i make the VPN connection, my SSH connection times out and i've got no idea what the new IP is. is there an easy way of getting that new IP address to me so i can just SSH to the new address, or maybe an even more elegant way of achieving thi
09:03 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
09:04 -!- lj [~l@192.241.174.169] has joined #openvpn
09:06 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has quit [Ping timeout: 252 seconds]
09:08 -!- openvpnusr [~anonymous@ip-90-186-157-191.web.vodafone.de] has joined #openvpn
09:11 -!- openvpnusr [~anonymous@ip-90-186-157-191.web.vodafone.de] has left #openvpn []
09:11 -!- Minnebo [~Minnebo@78-20-137-111.access.telenet.be] has joined #openvpn
09:15 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
09:15 -!- Minnebo [~Minnebo@78-20-137-111.access.telenet.be] has quit [Ping timeout: 252 seconds]
09:16 < Austin___> anyone help me out?
09:25 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has joined #openvpn
09:27 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Remote host closed the connection]
09:30 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
09:32 <@krzee> Austin___, you can make a second routing table so that traffic to your servers ssh server bypasses your vpn
09:32 <@krzee> !splitroute
09:32 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
09:36 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
09:39 < Austin___> krzee: the remote server is a client to a paid-for VPN service does your solution still apply?
09:41 <@krzee> yes, i assumed that was the case
09:42 < Austin___> ok, it literally just allows traffic from a specific ip access through the original IP
09:42 < Austin___> apologies for lack of technical jargon
09:42 < Austin___> ?
09:42 <@krzee> no
09:43 <@krzee> it literally makes 2 routing tables and configures policy routing to say that traffic that came in looking for your normal IP goes out your normal IP
09:43 < Austin___> ah, ok
09:43 < Austin___> gotcha, thanks :)
09:43 <@krzee> np
09:43 < havoc> !route_override
09:43 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
09:43 <@krzee> ^^^ THAT ONE does what you said orig
09:44 <@krzee> but thats not what you wanted (unless your client is always coming from the same IP, in which case that is a lazier solution)
09:44 < Austin___> yer, sounds like the first option is what im after
09:44 < Austin___> thanks again
09:45 <@krzee> yw
09:46 -!- webtroll [~chatzilla@c-24-14-55-11.hsd1.il.comcast.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
09:57 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
09:59 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
10:08 -!- mattock is now known as mattock_afk
10:11 < danielsw> if i use "server 192.168.12.0 255.255.255.0" in routed mode (tun driver), is it required that the gateway ip is 192.168.12.1?
10:11 < danielsw> because that is the ip address of the router in the network
10:12 < danielsw> i basically want to route the client subnet to another router
10:15 <@ecrist> in routed mode, your VPN IP space should be different than the local LAN IP space.
10:16 <@krzee> ^ that, and then you simply configure routing
10:16 <@krzee> !clientlan
10:16 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
10:16 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
10:18 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 248 seconds]
10:18 < danielsw> well, the server has two networks. one is accessible from outside, the other one is connected to a firewall. what i want is that external clients connect to the server (using the externally accessible ip) and get an ip address from that 192.168.12.0/24 subnet. but their traffic should be routed through 192.168.12.1 (the firewall)
10:20 < danielsw> now i think i need something like a transit network between the openvpn server and the firewall
10:23 -!- MoeMorox [moe@2a03:4000:2:1fa::1] has left #openvpn []
10:24 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:27 < Austin___> krzee: im really struggling to understand how to setup split tunnelling from the link shown by the IRCbot
10:27 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 252 seconds]
10:28 < Austin___> is the format 'ip route add "localIP" "Localsubnetmask" gw "remoteServerIP"'?
10:29 < Austin___> i'll be honest, this is a quick fix that i will only need to do once
10:30 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
10:33 < Austin___> reading more about it, is splittunnelling correct if the remote server is not on my LAN?
10:33 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
10:34 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:38 -!- Minnebo [~Minnebo@213.211.135.88.static.edpnet.net] has quit [Ping timeout: 246 seconds]
10:48 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 248 seconds]
10:48 -!- Denial [Denial@90.201.173.63] has quit []
10:49 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:54 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
10:58 -!- Denial [Denial@90.201.173.63] has joined #openvpn
11:05 -!- lj [~l@192.241.174.169] has joined #openvpn
11:10 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
11:19 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Remote host closed the connection]
11:21 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
11:30 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:30 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
11:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
11:39 -!- Minnebo [~Minnebo@78-21-120-85.access.telenet.be] has joined #openvpn
11:39 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:51 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
12:00 -!- danielsw [~dmanser@python2.cloud.tilaa.com] has quit [Quit: Lost terminal]
12:01 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
12:02 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
12:03 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:04 -!- Minnebo [~Minnebo@78-21-120-85.access.telenet.be] has quit [Ping timeout: 245 seconds]
12:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:33 -!- u0m3 [~u0m3@109.96.128.122] has quit [Read error: Connection reset by peer]
12:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:37 -!- kesroesweyth [~an0@unaffiliated/kesroesweyth] has quit [Ping timeout: 245 seconds]
12:38 -!- u0m3 [~u0m3@109.96.184.215] has joined #openvpn
12:40 -!- u0m3 [~u0m3@109.96.184.215] has quit [Read error: Connection reset by peer]
12:43 -!- u0m3 [~u0m3@92.80.94.155] has joined #openvpn
12:48 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
12:48 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
12:48 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
12:56 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 260 seconds]
12:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:16 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
13:17 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
13:18 -!- master_o1_master [~master_of@p4FF248DA.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
13:18 < VsioZashibis> hi. I am connected to a remove openvpn server
13:19 < VsioZashibis> I was hoping it will let me bypass the local router's closed ports
13:19 < VsioZashibis> but the port is still closed
13:19 -!- pdobrogost [~quassel@77-255-32-122.adsl.inetia.pl] has joined #openvpn
13:19 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has joined #openvpn
13:20 -!- Protected [~Join@from.myshelter.net] has joined #openvpn
13:20 < Protected> Hey there... I'm having a problem that's probably firewall, really. Can I still ask for help here?
13:21 < VsioZashibis> ask
13:22 < Protected> I want to block communications from a subnet to any destination outside a wider subnet using iptables
13:22 -!- master_of_master [~master_of@p4FF24AB8.dip0.t-ipconnect.de] has joined #openvpn
13:22 < Protected> I have this rule which came from my old server:
13:22 < Protected> iptables -t filter -A INPUT -s 10.10.0.128/25 ! -d 10.10.0.0/24 -j DROP
13:22 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:23 < Protected> However, it's no longer working - that is, people in that subnet can send packets to destinations outside
13:23 < Protected> How can I find out why? The rule lists correctly in iptables - could openvpn be circumventing it in someway? Or could the rule be overridden by something else?
13:24 < rob0> we don't know how openvpn figures in
13:24 < Protected> That's my openmvpn range, 10.10.0.0/24
13:25 < Protected> The users in that range are connected through openvpn
13:25 < rob0> is 10.10.0.0/24 your server's ... ah. Did you set --client-to-client ?
13:25 < Protected> Yes
13:25 < rob0> bingo
13:25 < Protected> But I want them to be able to talk to each other, just not to IPs outside the range
13:25 < rob0> and no, this was actually an openvpn problem, not a firewall one. :)
13:26 < rob0> Look up --client-to-client in the manual.
13:26 < Protected> I mean, I want to simulate a closed LAN
13:26 < Protected> Ok
13:26 < Protected> 1sec :)
13:26 < Protected> "Don't use this option if you want to firewall tunnel traffic using custom, per-client rules."
13:26 < Protected> Well shit
13:27 < Protected> So this firewall rule never actually worked and my users were just too dumb to notice. Awesome
13:27 < rob0> --client-to-client means the traffic remains within openvpn
13:27 < Protected> So, if I remove that, will they still be able to talk to each other?
13:28 < rob0> unset, it means your kernel routes it as your routing and firewall rules may allow (or not.)
13:28 < Protected> I just enabled forwarding and added the maskerade rule; then there are a bunch of rules that deal with internet IPs
13:29 < Protected> I assume it should work by default?
13:29 < Protected> I don't see why not
13:29 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
13:32 < VsioZashibis> how would I apply a port forward rule to one of the vpn clients ?
13:32 < VsioZashibis> if there is a way
13:32 < Protected> Forward to where from where?
13:33 < VsioZashibis> forward from public interface, to tun interface
13:33 < rob0> Could get ugly. Are you using --redirect-gateway?
13:34 < VsioZashibis> I have this in server.conf push "redirect-gateway def1 bypass-dhcp"
13:36 < VsioZashibis> I was under the impression that all ports on server's tun interface will correspond to ports of the public interface.
13:36 < rob0> So it depends on destination NAT functionality in your server's OS.
13:37 < rob0> If the server is Linux, see the iptables DNAT target.
13:37 < VsioZashibis> server's OS is Debian
13:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:40 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
13:48 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
13:50 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:50 -!- Protected [~Join@from.myshelter.net] has quit [Disconnected by services]
13:52 -!- Prott [~Join@from.myshelter.net] has joined #openvpn
13:52 -!- Prott is now known as Protected
13:52 < VsioZashibis> rob0: I have been looking into DNAT, need some more specific help
13:53 < Protected> My port forwarding rules look like this:
13:53 < Protected> iptables -t nat -A PREROUTING -p tcp --dport 17011 -j DNAT --to-destination 10.10.0.10:17011
13:53 < Protected> (That one's for worms:armageddon)
13:53 < VsioZashibis> heh
13:54 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
13:54 < VsioZashibis> thanks , let me try it
13:55 < rob0> and if there is a blocking rule in filter/FORWARD, you might need to accept 10.10.0.10:17011/tcp traffic there.
13:56 < rob0> Or, my favorite, -m conntrack --ctstate DNAT -j ACCEPT
13:57 < rob0> (one rule can accept all DNAT connections)
13:57 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
13:59 < Protected> I must get going, thanks for the help rob0
13:59 -!- Protected [~Join@from.myshelter.net] has quit [Quit: Gone.]
14:00 -!- ade_b [~Ade@80.72.60.71] has joined #openvpn
14:00 -!- ade_b [~Ade@80.72.60.71] has quit [Changing host]
14:00 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:03 -!- Zumochi [ghosty@535402F6.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
14:04 < VsioZashibis> iptables -t nat -A PREROUTING -p tcp --dport 8621 -j DNAT --to-destination 10.8.0.42:8621
14:04 < VsioZashibis> still closed
14:05 < VsioZashibis> I mean, still not forwarding
14:05 < VsioZashibis> ))
14:06 < VsioZashibis> rob0: ideas ?
14:08 < VsioZashibis> rob0: not sure what you mean by -m conntrack --ctstate DNAT -j ACCEPT
14:13 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Remote host closed the connection]
14:14 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
14:32 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
14:47 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 245 seconds]
14:54 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
14:57 -!- pdobrogost [~quassel@77-255-32-122.adsl.inetia.pl] has quit [Remote host closed the connection]
14:57 -!- james12343 [~james1234@93.114.45.13] has joined #openvpn
14:58 < james12343> !welcome
14:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:59 < james12343> !goal
14:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:59 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 272 seconds]
14:59 -!- pdobrogost [~quassel@77-255-32-122.adsl.inetia.pl] has joined #openvpn
14:59 < james12343> NAT in windows
15:00 <@krzee> !factoids search nat
15:00 <@vpnHelper> 'nat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', 'winnat', 'nathack', 'openvznat', 'fbsdnat', 'openbsdnat', 'obsdnat', and 'linnat'
15:00 <@krzee> !winnat
15:00 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows or (#2) http://www.nanodocumet.com/?p=14 for windows XP or (#3) https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
15:00 < james12343> i would like to NAT the tap/tun interface in windows8
15:00 <@krzee> looks like door #3
15:01 < james12343> i would like to NAT the tap/tun interface to internet in windows8
15:02 <@krzee> didnt you see i answered you?
15:02 <@krzee> =]
15:02 < james12343> !winnat
15:02 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows or (#2) http://www.nanodocumet.com/?p=14 for windows XP or (#3) https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
15:03 < james12343> i want in windows8 not windows server
15:03 <@krzee> was it really that hard to read the entire answer from the bot?
15:04 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
15:04 < james12343> is winant will work on windows8
15:05 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 264 seconds]
15:05 -!- james12343 was kicked from #openvpn by krzee [(#3) https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8]
15:05 <@krzee> im sorry but that was too much
15:05 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
15:06 -!- james12343 [~james1234@93.114.45.13] has joined #openvpn
15:14 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
15:17 < plaisthos> krzee: err I don't think that windows 8 has a ServerManager where you can install Server Roles
15:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:21 <@krzee> they specifically wrote https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8, i dont use windows so i cant verify
15:21 <@vpnHelper> Title: NatOverWindows2008 – OpenVPN Community (at community.openvpn.net)
15:23 -!- pdobrogost [~quassel@77-255-32-122.adsl.inetia.pl] has quit [Remote host closed the connection]
15:27 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
15:44 -!- Zumochi [ghosty@535402F6.cm-6-5a.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
15:46 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
15:46 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:47 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
15:51 -!- joshh20-Away is now known as joshh20
15:53 -!- james12343 [~james1234@93.114.45.13] has quit [Ping timeout: 252 seconds]
16:07 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
16:09 -!- elfixit [~Icedove@77.58.251.72] has joined #openvpn
16:27 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:29 -!- phunyguy_ [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
16:30 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Ping timeout: 240 seconds]
16:33 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
16:44 -!- phunyguy_ is now known as phunyguy
16:46 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
16:49 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 260 seconds]
17:10 -!- b100dy_b1y [~root@static.58.41.40.188.clients.your-server.de] has joined #openvpn
17:11 -!- beefman [~darin@c-24-3-208-2.hsd1.pa.comcast.net] has joined #openvpn
17:11 < beefman> !configs
17:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:12 < beefman> hi.  i need to connect to a vpn.  all i know at the moment is the remote hostname & my login.  they have had me use a juniper client, but i need to access from another host via ssh.  is this possible, or do i need more information, a certificate, something else?
17:13 < beefman> oh, i also know my remote ip
17:16 -!- p3rror [~mezgani@196.201.78.139] has quit [Read error: Connection reset by peer]
17:27 -!- beefman [~darin@c-24-3-208-2.hsd1.pa.comcast.net] has quit [Quit: Ex-Chat]
17:31 -!- elfixit [~Icedove@77.58.251.72] has quit [Read error: Operation timed out]
17:34 -!- dazo is now known as dazo_afk
17:44 -!- maps|wrk [~maps@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
17:44 < maps|wrk> !linforward
17:44 < maps|wrk> hmpf
17:44 < maps|wrk> !ipforward
17:44 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:45 < maps|wrk> !linipforward
17:45 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:45 < maps|wrk> !linnat
17:45 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
17:50 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
17:54 -!- michaelhart [~michaelha@192.0.240.20] has joined #openvpn
18:01 -!- maps|wrk [~maps@94-193-78-219.zone7.bethere.co.uk] has quit [Quit: Page closed]
18:18 -!- pwrcycle [~pwrcycle@173.214.160.92] has quit [Quit: Lost terminal]
18:28 -!- joshh20 is now known as joshh20-Away
18:38 -!- Latrina [~Latrina@201.141.23.73] has joined #openvpn
19:05 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:05 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
19:08 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Client Quit]
19:15 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 241 seconds]
19:16 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
20:18 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
20:23 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
20:27 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
20:29 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:31 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 248 seconds]
20:32 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
20:32 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
20:37 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
20:45 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:49 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
20:54 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
20:56 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
20:57 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 245 seconds]
20:58 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
21:02 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
21:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
21:15 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
21:28 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
21:35 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
21:39 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:39 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
21:41 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
21:43 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Client Quit]
21:45 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
21:55 -!- p3rror [~mezgani@196.201.78.139] has quit [Quit: Leaving]
21:55 < aji> #openvpn
21:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:03 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
22:19 <@ecrist> you're already here
22:42 -!- max_ [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
22:43 -!- max_ is now known as Synthead
22:45 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Ping timeout: 240 seconds]
22:45 -!- axum [~ase1590@cpe-76-92-227-128.kc.res.rr.com] has joined #openvpn
22:45 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
22:47 -!- Latrina [~Latrina@201.141.23.73] has quit [Remote host closed the connection]
22:50 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
22:54 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 245 seconds]
23:03 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has joined #openvpn
23:06 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
23:08 -!- Thib [~thibaud@87.239.184.86] has joined #openvpn
23:09 < Thib> !welcome
23:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
23:09 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:10 < Thib> Hi guys, I'd like to know if there is any routing restrictions with OpenVPN.
23:10 < Thib> I have a tunnel between the US (server) and HK (client)
23:10 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 245 seconds]
23:11 < Thib> I have another tunnel going from HK(server) to JP(client)
23:11 < Thib> No NAT is enabled on these 2 OpenVPN tunnels
23:11 < Thib> If I try to ping JP from the US, it doesn't work
23:12 < Thib> If I NAT all tun interfaces, it works
23:12 < Thib> Now, the weird thing is, from US if I try to ping JP, I can see ICMP packets leaving through the tun interface
23:13 < Thib> But they are never received on HK
23:13 < Thib> US to HK/HK to JP pings are fine
23:13 < Thib> Any idea ?
23:13 < Thib> !topology
23:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
23:17 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
23:17 < genericpersona> http://www.google.com
23:17 <@vpnHelper> Title: Google (at www.google.com)
23:18 < genericpersona> http://www.yahoo.com
23:18 <@vpnHelper> Title: Yahoo (at www.yahoo.com)
23:18 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
23:19 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
23:19 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
23:20 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
23:20 -!- lvv [~loganaden@197.226.7.190] has joined #openvpn
23:20 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
23:22 < axum> I've been attempting to set up an OpenVPN server on linux, however I cannot seem to route all of my traffic through it properly. I can connect to my VPN and ping my VPN address (10.8.0.1) however I cannot seem to ping something such as facebook.com. here is my server.conf file. http://hastebin.com/sesuxukabu.hs
23:22 <@vpnHelper> Title: hastebin (at hastebin.com)
23:23 < Thib> axum : Have you enabled NAT on your OpenVPN interface ?
23:25 < axum> Thib: i entered in "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE" and also enabled Ip fowarding.
23:28 < Thib> axum : try without the -s
23:30 < Thib> is wlan0 the name of your ovpn tunnel ?
23:30 -!- lvv [~loganaden@197.226.7.190] has quit [Quit: lvv]
23:32 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:32 < axum> wlan0 is how i normally connect to the internet, tun0 is what OpenVPN added. Forgive me if I'm not as detailed as I should be. iptables and vpn are a bit new to me still.
23:35 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has joined #openvpn
23:35 < genericpersona> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
23:35 <@vpnHelper> Title: SSL/TLS & Perfect Forward Secrecy | Vincent Bernat (at vincent.bernat.im)
23:35 -!- genericpersona [~generic@gateway/tor-sasl/genericpersona] has left #openvpn ["Take care of yourselves, and each other"]
23:36 < Thib> axum : Try this "iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE"
23:41 < axum> Thib: still the same result
23:43 < axum> connected to my server using my tablet, and can still only ping 10.x.x.x addresses.
23:45 < Thib> axum : You gonna need to enable NAT on the tun0 interface of the client, but also on the eth0 (whatever interface you are using) of the server as well
23:45 < Thib> The interface the server will use to send traffic
23:53 -!- makara [~makara@41.164.22.218] has quit [Read error: Connection reset by peer]
23:54 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 252 seconds]
23:57 < axum> Thib: how would I go about this? my knowledge of iptables is limited.
23:57 -!- ron_ [~ron@ppp118-210-240-52.lns20.adl6.internode.on.net] has joined #openvpn
23:59 < axum> thib: would I just repeat the command twice, changing it for each interface?
--- Day changed Thu Feb 20 2014
00:00 < Thib> axum : You have access to 2 devices right ? Your ovpn server, and your ovpn client
00:00 < axum> yes
00:01 < Thib> You tried to access facebook from the client, but it didn't work
00:01 < axum> correct.
00:01 < Thib> which interface is being used to access the internet from the server ?
00:01 < Mathias> possible to automate openvpn on windows a little? so i don't have to launch it, and fill in the certificate password at boot
00:01 < axum> wlan0 is being used to acces the internet from the server.
00:02 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Quit: Leaving.]
00:02 < Thib> then, on the server type "iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE"
00:03 < Thib> delete the previous one you created
00:03 < axum> alright. I'll try that.
00:07 -!- Thib [~thibaud@87.239.184.86] has quit [Ping timeout: 252 seconds]
00:08 -!- Synthead [~max@c-67-170-96-239.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
00:11 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Quit: Ex-Chat]
00:14 -!- ron__ [~ron@ppp118-210-182-40.lns20.adl6.internode.on.net] has joined #openvpn
00:16 -!- Guest86291 [~marme@li388-49.members.linode.com] has quit [Ping timeout: 252 seconds]
00:17 -!- ron_ [~ron@ppp118-210-240-52.lns20.adl6.internode.on.net] has quit [Ping timeout: 265 seconds]
00:17 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
00:18 -!- lordnikkon is now known as Guest12716
00:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:27 -!- mattock_afk is now known as mattock
00:28 -!- ron__ is now known as ron_
00:31 -!- Thib [~thibaud@87.239.184.86] has joined #openvpn
00:35 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 248 seconds]
00:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:45 -!- axum [~ase1590@cpe-76-92-227-128.kc.res.rr.com] has left #openvpn ["Leaving"]
00:46 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:47 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
00:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:53 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 248 seconds]
00:56 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
01:08 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
01:34 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:44 -!- makara [~makara@41.164.22.218] has joined #openvpn
02:00 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:01 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
02:02 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
02:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:19 -!- Devastatr [~devas@186.214.14.190] has joined #openvpn
02:21 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
02:21 -!- rtur [~rtur@212.224.92.143] has quit [Remote host closed the connection]
02:29 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has joined #openvpn
02:36 -!- Minnebo_ [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has joined #openvpn
02:37 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has quit [Ping timeout: 248 seconds]
02:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:50 -!- Austin___ [~austin@cpc19-hudd9-2-0-cust366.4-1.cable.virginm.net] has left #openvpn []
03:02 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
03:07 -!- Devastatr [~devas@186.214.14.190] has quit [Changing host]
03:07 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
03:14 < Gman32> I'm having some issues w/ SSH and port forwarding
03:14 < Gman32> 1) Trying to access my Ubuntu server when the VPN is on, it won't let me
03:14 < Gman32> 2) trying to port forward via CLI
03:15 < Gman32> Anyone have some wisdom? :)
03:15 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has joined #openvpn
03:15 -!- Minnebo_ [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has quit [Read error: Connection reset by peer]
03:15 -!- dazo_afk is now known as dazo
03:22 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:27 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 246 seconds]
03:31 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:32 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
03:35 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has quit [Ping timeout: 245 seconds]
03:36 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has joined #openvpn
03:43 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has quit [Ping timeout: 260 seconds]
03:45 -!- Devastatr [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:47 -!- Devastator [~devas@177.99.152.210] has joined #openvpn
03:47 -!- Devastator [~devas@177.99.152.210] has quit [Changing host]
03:47 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
03:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
03:50 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 248 seconds]
03:51 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
03:51 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has joined #openvpn
03:52 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
04:01 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 245 seconds]
04:03 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
04:12 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 248 seconds]
04:13 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
04:17 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 260 seconds]
04:25 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
04:28 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
04:32 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:33 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Client Quit]
04:36 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
04:45 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
04:52 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
04:53 -!- mattock is now known as mattock_afk
04:53 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
05:01 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 248 seconds]
05:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:12 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 240 seconds]
05:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
05:30 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
05:32 <@dazo> Gman32: if your SSH connection stops working when you start your VPN ... then it's most likely a routing or firewall issue
05:47 < Gman32> dazo, that server is a client connecting to another (Paid) VPN service
05:48 < Gman32> so its Home PC(PuTTY)-->Server---->Private Paid VPN
05:48 < Gman32> so its routing all the traffic thru the last server
05:49 <@dazo> okay ... I see the a few keywords here ... "Private Paid VPN" .... so ask your provider
05:49 < Gman32> I'm trying to make an exception(s) to allow a few things thru, such as SSH
05:49 < Gman32> Said they don't deal w/ headless/remote
05:49 < Gman32> :-/
05:51 <@dazo> For us to be able to help you here ... you often need to have control of the VPN server side too ...
05:51 <@dazo> !notovpn
05:51 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
05:52 < Gman32> Makes sense. Thanks though dazo :)
05:56 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:58 -!- Minnebo [~Minnebo@ip-88-82-32-210.reverse.destiny.be] has quit [Ping timeout: 272 seconds]
06:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
06:06 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
06:09 -!- michaelhart [~michaelha@192.0.240.20] has quit [Quit: michaelhart]
06:13 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
06:21 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
06:25 -!- pacop [~foo@fenix.cloud.tilaa.com] has joined #openvpn
06:25 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
06:29 < ACKNAK> o hai, I have kinda dumb question. I'm using init script from RHEL, openvpn starts, clients able to join, but I see no traffic in tun interface
06:29 < ACKNAK> everything works fine if I start openvpn from directory like "openvpn server.conf"
06:32 < ACKNAK> its weird!
06:33 < ACKNAK> aha found it!
06:33 < ACKNAK> WARNING: Failed running command (--learn-address): external program exited with error status: 1
06:33 < ACKNAK> nvm
06:52 -!- Thib_ [~thibaud@87.239.184.86] has joined #openvpn
06:54 -!- pacop [~foo@fenix.cloud.tilaa.com] has quit [Remote host closed the connection]
06:56 -!- Thib [~thibaud@87.239.184.86] has quit [Ping timeout: 265 seconds]
06:57 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
06:59 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
07:00 -!- Zumochi [ghosty@535402F6.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
07:00 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
07:16 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 245 seconds]
07:18 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:21 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
07:24 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Read error: Operation timed out]
07:27 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
07:31 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
07:32 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
07:32 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
07:32 -!- regolith_ [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
07:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
07:32 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
07:33 -!- b100dy_b1y [~root@static.58.41.40.188.clients.your-server.de] has quit [Remote host closed the connection]
07:46 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:52 -!- Stew_a [~Stewart@unaffiliated/stew-a/x-2962361] has joined #openvpn
07:53 -!- _f0cker_ [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has joined #openvpn
07:53 -!- _f0cker_ [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has quit [Changing host]
07:53 -!- _f0cker_ [~f0cker@unaffiliated/f0cker] has joined #openvpn
07:54 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
07:55 -!- _psycheye [~psycheye@93.49.16.11] has joined #openvpn
07:55 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
07:55 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
07:55 -!- lordnikkon is now known as Guest47559
07:59 -!- Netsplit *.net <-> *.split quits: Ulrar, dyer, Nothing4You, Chrisje, Guest48705, Guest12716, fred``, f0cker, Stew-a, psycheye,  (+9 more, use /NETSPLIT to show all of them)
07:59 -!- Stew_a is now known as Stew-a
07:59 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has joined #openvpn
08:00 -!- i7c [~i7c@rliz.org] has joined #openvpn
08:01 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Excess Flood]
08:01 -!- JackWinter [~jack@85.93.199.125] has joined #openvpn
08:02 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
08:04 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
08:07 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:08 -!- joevandy1 [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
08:09 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
08:09 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:09 -!- fred`` [fred@earthli.ng] has joined #openvpn
08:09 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
08:09 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
08:09 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vvngeupgfdkksolv] has joined #openvpn
08:09 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
08:09 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
08:09 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
08:09 -!- Guest48705 [~reinis@79.132.67.157] has joined #openvpn
08:09 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
08:10 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Max SendQ exceeded]
08:10 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:10 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer]
08:10 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
08:11 -!- Zumochi [ghosty@535402F6.cm-6-5a.dynamic.ziggo.nl] has quit [Ping timeout: 570 seconds]
08:11 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Excess Flood]
08:12 -!- TypoNe [~itsme@195.197.184.87] has quit [Quit: I shouldn't really be here - dircproxy 1.1.0]
08:12 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
08:14 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
08:14 -!- _Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
08:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
08:15 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 367 seconds]
08:15 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 367 seconds]
08:15 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 367 seconds]
08:16 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has joined #openvpn
08:16 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
08:16 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:16 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
08:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 255 seconds]
08:17 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Ping timeout: 255 seconds]
08:20 -!- mattock_afk is now known as mattock
08:20 -!- Netsplit *.net <-> *.split quits: jzaw, pnielsen, Guest48705, niftylettuce_, haasn, Ulrar, ender|, Nothing4You, Chrisje, fred``
08:23 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
08:27 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
08:27 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
08:27 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
08:28 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 248 seconds]
08:28 -!- Netsplit over, joins: haasn
08:28 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has joined #openvpn
08:31 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
08:31 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
08:32 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
08:32 -!- cyberspace- [20253@109.74.194.224] has joined #openvpn
08:33 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
08:33 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
08:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:33 -!- fred`` [fred@earthli.ng] has joined #openvpn
08:33 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
08:33 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
08:33 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vvngeupgfdkksolv] has joined #openvpn
08:33 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
08:33 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
08:33 -!- Guest48705 [~reinis@79.132.67.157] has joined #openvpn
08:34 -!- kossy_ [a@kossy.org] has joined #openvpn
08:34 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Max SendQ exceeded]
08:34 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
08:35 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:37 -!- tdreyer1_ [~tdreyer1@70.94.46.11] has joined #openvpn
08:37 -!- Cultist_ [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
08:38 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 245 seconds]
08:38 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
08:38 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
08:38 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 245 seconds]
08:38 -!- pjschmit1 [~parker@209.141.56.12] has joined #openvpn
08:38 -!- Netsplit *.net <-> *.split quits: kossy, jave, tdreyer1, pjschmitt, _Cr4zi3, alexxtasi, sauce_, Cultist, andi
08:38 -!- jave [~jave@85.24.235.102] has joined #openvpn
08:38 -!- kantlive- [~kantlivel@home.kantlivelong.com] has joined #openvpn
08:41 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
08:42 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
09:02 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
09:05 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
09:19 -!- makara [~makara@105-208-245-75.access.mtnbusiness.co.za] has joined #openvpn
09:28 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
09:36 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
09:39 -!- wildcat [~tomh@ssh.espix.net] has joined #openvpn
09:44 < wildcat> Hi, is it supported to have two instance of openvpn, one tcp and udp, using the same IP range and same ssl keys, asuming the client is not connected to both instance at the same time?
09:45 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Remote host closed the connection]
09:45 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has joined #openvpn
09:54 -!- makara [~makara@105-208-245-75.access.mtnbusiness.co.za] has quit [Ping timeout: 260 seconds]
09:55 -!- indy [~e-ndy@fantomas.bestit.cz] has quit [Ping timeout: 264 seconds]
10:00 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
10:08 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
10:15 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
10:16 <@ecrist> yes
10:19 <@krzee> not the same ip range, but you can route them to eachother
10:23 <@ecrist> just bridge the entire network across both links
10:23  * ecrist ducks
10:26 <@krzee> haha
10:26 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
10:33 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
10:41 < wildcat> ecrist: was tun not tap so cannot bridge
10:41 < wildcat> but I found an hacky way to make that happen using the same net
10:41 < wildcat> and a learn-address script
10:41 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:42 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has quit [Changing host]
10:42 -!- dyer [~dyer@unaffiliated/dyer] has joined #openvpn
10:43 <@krzee> wildcat, you dont want bridge he was making a joke
10:43 <@krzee> cause we always have to tell people to stop bridging
10:43 <@krzee> and probably specifically because it especially bothers me :D
10:44 <@ecrist> ++
10:44 <@krzee> wildcat, interesting, would make a decent writeup if you feel like it
10:44 <@krzee> (your solution would)
10:44 -!- mattock is now known as mattock_afk
10:44 <@krzee> !wiki
10:44 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
10:46 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has joined #openvpn
10:47 < wildcat> krzee: yeah sure
10:47 < wildcat> krzee: basically I have a learn-address script which use ip ro (add|del) ${2} ${dev}
10:48 < wildcat> krzee: so that when a client connect to whatever instance, the specific route for its IP is added into the kernel's table
10:48 < wildcat> krzee: and also added an iroute into each CN's ccd
10:49 < wildcat> I also noticed that openvpn was not calling the learn-address delete script when the client disconnect
10:49 < wildcat> but anyway it call that delete just after it connects, before calling it again with the add switch
10:49 < wildcat> which is good enough.
10:49 < wildcat> will write about it later today if time allows it
10:50 <@krzee> --client-disconnect
10:51 <@krzee> !script
10:51 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
11:02 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
11:04 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:08 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
11:09 -!- shoerain [ehtesh@2600:3c03::f03c:91ff:feae:8f] has left #openvpn ["WeeChat 0.4.2-dev"]
11:10 -!- mattock_afk is now known as mattock
11:14 -!- joshh20-Away is now known as joshh20
11:23 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has quit [Ping timeout: 248 seconds]
11:28 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Ping timeout: 260 seconds]
11:33 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:35 -!- ron__ [~ron@ppp118-210-221-172.lns20.adl6.internode.on.net] has joined #openvpn
11:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:38 -!- ron_ [~ron@ppp118-210-182-40.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
11:39 -!- e-ndy [~e-ndy@194.213.226.242] has joined #openvpn
11:40 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
11:42 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
11:51 -!- lj [~l@192.241.174.169] has joined #openvpn
11:53 -!- defswork_ [~andy@141.0.50.105] has quit [Ping timeout: 245 seconds]
11:53 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
11:53 -!- e-ndy [~e-ndy@194.213.226.242] has quit [Ping timeout: 240 seconds]
11:54 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
11:55 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:55 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
11:55 -!- hjohnson [~hans@S0106000db917e89a.vc.shawcable.net] has joined #openvpn
11:57 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
11:59 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
12:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
12:02 -!- CircleCode [~Matthieu@hoaproject/contributor/CircleCode] has quit [Quit: Il y a deux types de personnes dans le monde : ceux qui finissent leur histoire]
12:05 -!- defswork_ [~andy@141.0.50.105] has joined #openvpn
12:20 -!- defswork_ [~andy@141.0.50.105] has quit [Remote host closed the connection]
12:27 -!- novaflash is now known as novaflash_away
12:28 -!- novaflash_away is now known as novaflash
12:30 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
12:32 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
12:41 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 26.0/20131205075310]]
12:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:01 -!- kcodyjr [~kcodyjr@c-24-61-134-125.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
13:06 -!- makara [~makara@105-208-245-75.access.mtnbusiness.co.za] has joined #openvpn
13:13 -!- joshh20 is now known as joshh20-Away
13:18 -!- master_of_master [~master_of@p4FF24AB8.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
13:22 -!- master_of_master [~master_of@p4FF248B3.dip0.t-ipconnect.de] has joined #openvpn
13:25 -!- oO0Oo [Elite9018@gateway/shell/elitebnc/x-cxoecnwqiiqkidts] has joined #openvpn
13:26 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
13:31 -!- qwertyoruiop is now known as MagicaITux
13:44 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
13:52 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:53 -!- dazo is now known as dazo_afk
14:00 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
14:04 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
14:07 -!- makara [~makara@105-208-245-75.access.mtnbusiness.co.za] has quit [Ping timeout: 260 seconds]
14:10 -!- MagicaITux is now known as qwertyoruiop
14:15 -!- joshh20-Away is now known as joshh20
14:30 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
14:30 -!- mattock is now known as mattock_afk
14:38 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Operation timed out]
14:40 -!- esde [~esde@107.150.1.2] has quit [Read error: Operation timed out]
14:43 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
14:51 -!- venkatesh [~venkatesh@117.202.107.53] has joined #openvpn
14:52 < venkatesh> Need some help on open with duo security
14:52 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has joined #openvpn
14:52 -!- esde [~esde@107.150.1.2] has joined #openvpn
14:53 < venkatesh> I am using ubuntu 12.04
14:53 < venkatesh> I am trying openvpn --config client.ovpn --auth-retry interact
14:53 < venkatesh> it does ask for a secondary pass
14:53 < venkatesh> shows connected
14:54 < venkatesh> but not able to access anything on the network
14:54 < venkatesh> not able to access internet on my local box as well
14:54 < venkatesh> no idea what's the issue
14:54 < venkatesh> any pointers?
14:58 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has joined #openvpn
15:04 -!- Netsplit *.net <-> *.split quits: jzaw, pnielsen, Guest48705, niftylettuce_, Ulrar, ender|, Nothing4You, Olipro, Chrisje, fred``
15:04 < Pang> Hello! I also have a problem .I have instaled openvpn server on Windows Server 2012 and the openvpn client on windows 7 booth of them on vmware .I disabled the firewall on the server 2012 .Openvpn it is working on them I can conect the client vpn to the server vpn I can ping but no conection to the internet.
15:04 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
15:04 < Pang> I have no conection to the internet
15:05 -!- Netsplit *.net <-> *.split quits: MeanderingCode, @krzee, b00gz___, Fruckiwacki, clu5ter, red_racer12_, Gman32, jgeboski, noobboob, lowkey,  (+62 more, use /NETSPLIT to show all of them)
15:06 -!- Netsplit over, joins: troyt, sauce, @vpnHelper, nunim, AsadH, s0meone, @mattock_afk, Gman32, Samopotamus, b00gz___ (+6 more)
15:06 -!- yoavz- [yoavz@yoavz.net] has joined #openvpn
15:06 -!- _Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
15:06 -!- Netsplit over, joins: venkatesh, master_of_master, dradec, gffa
15:06 -!- Netsplit over, joins: emid
15:06 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
15:06 -!- Netsplit over, joins: soapee01, jeev, lbft, Haseo, dowaat, prettyrobots, bogie, GrecKo, lamokie, dren (+8 more)
15:06 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
15:06 -!- joshh20-Away is now known as joshh20
15:06 < Pang> I tout that is a problem of compatibility between windows server 2012 and openvpn. I am write?
15:07 -!- Netsplit over, joins: mumixam
15:07 -!- Netsplit over, joins: phuzion
15:07 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
15:07 -!- Netsplit over, joins: jgeboski
15:08 -!- Netsplit over, joins: catsup
15:08 -!- Netsplit over, joins: @krzee, wildcat, haasn, mnathani, HectorBarbossa, simcop2387, ljvb, @novaflash, dos-freak, xorox90__ (+11 more)
15:08 -!- xorox90__ [uid7069@gateway/web/irccloud.com/x-bvbgqizlpkqjxwpd] has quit [Max SendQ exceeded]
15:08 < Pang> if you have an answer please give me
15:08 -!- yoavz- [yoavz@yoavz.net] has quit [Remote host closed the connection]
15:08 < Pang> thanks
15:09 < wildcat> krzee: http://thomas.gouverneur.name/2014/02/openvpn-listen-on-tcp-and-udp-with-tun/
15:10 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-lionomiwgeplzonq] has joined #openvpn
15:10 -!- levifig [~levifig@hakr.io] has joined #openvpn
15:10 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
15:12 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
15:13 -!- catsup [d@64.111.123.163] has joined #openvpn
15:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:15 -!- fred`` [fred@earthli.ng] has joined #openvpn
15:15 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
15:15 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
15:15 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vvngeupgfdkksolv] has joined #openvpn
15:15 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
15:15 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
15:15 -!- Guest48705 [~reinis@79.132.67.157] has joined #openvpn
15:17 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
15:17 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
15:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:19 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 245 seconds]
15:21 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 260 seconds]
15:23 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 245 seconds]
15:23 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 245 seconds]
15:23 -!- a_ [d@64.111.123.163] has joined #openvpn
15:23 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 245 seconds]
15:23 -!- a_ is now known as Guest95727
15:24 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
15:24 -!- master_o1_master [~master_of@p4FF248B3.dip0.t-ipconnect.de] has joined #openvpn
15:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
15:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
15:28 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:29 -!- dowaat_ [uid3966@gateway/web/irccloud.com/session] has joined #openvpn
15:30 -!- dowaat_ [uid3966@gateway/web/irccloud.com/session] has quit [Changing host]
15:30 -!- dowaat_ [uid3966@gateway/web/irccloud.com/x-mpzplxwgmpjboogw] has joined #openvpn
15:30 -!- lamokie_ [~steve@li428-245.members.linode.com] has joined #openvpn
15:32 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Disconnected by services]
15:32 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
15:32 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has quit [Ping timeout: 252 seconds]
15:32 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
15:33 -!- marlinc [~marlinc@a80-100-128-152.adsl.xs4all.nl] has joined #openvpn
15:34 -!- linlin [will@173.243.115.75] has joined #openvpn
15:35 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:35 -!- venkatesh_ [~venkatesh@117.202.97.121] has joined #openvpn
15:36 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
15:37 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
15:37 -!- venkatesh [~venkatesh@117.202.107.53] has quit [Ping timeout: 245 seconds]
15:37 -!- master_of_master [~master_of@p4FF248B3.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
15:40 -!- Netsplit *.net <-> *.split quits: thumbs, @novaflash, wildcat, HectorBarbossa, MacGyver, mnathani, mrrg, kisom, simcop2387, ljvb,  (+10 more, use /NETSPLIT to show all of them)
15:40 -!- _Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
15:40 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 245 seconds]
15:40 -!- Netsplit *.net <-> *.split quits: dren, ppr, bogie, kloeri, Haseo, soapee01, lbft, lamokie, Cultist, Linmu,  (+7 more, use /NETSPLIT to show all of them)
15:40 -!- kloeri_ is now known as kloeri
15:41 -!- dowaat_ is now known as dowaat
15:41 -!- Netsplit over, joins: GrecKo
15:41 -!- Netsplit over, joins: Fruckiwacki
15:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
15:47 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
15:47 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
15:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:48 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:49 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:51 -!- Denial- [Denial@90.201.173.63] has joined #openvpn
15:53 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
15:53 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (morgan.freenode.net (Nickname regained by services))]
15:53 -!- XJR-9_ is now known as XJR-9
15:53 -!- joshh20_ [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
15:53 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
15:55 -!- kwork_ [~georg@no.life.ee] has joined #openvpn
15:55 -!- dimm0k_ [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
15:55 -!- andi__ [~andi@shell.sixhop.net] has joined #openvpn
15:55 -!- andi [~andi@unaffiliated/fr00d] has quit [Disconnected by services]
15:55 -!- dimm0k_ [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
15:55 -!- dimm0k_ [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
15:55 -!- catsup [d@64.111.123.163] has joined #openvpn
15:55 -!- oO0Oo- [Elite9018@gateway/shell/elitebnc/x-gsphfvqbxqoyujlc] has joined #openvpn
15:58 -!- joshh20_ is now known as joshh20-Away
15:58 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
15:59 -!- EmLeX_ [~emx@37.46.193.2] has joined #openvpn
15:59 -!- gardar- [~gardar@bnc.giraffi.net] has joined #openvpn
15:59 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
16:00 -!- Netsplit *.net <-> *.split quits: Denial, Six6siX_, Devastator, EmLeX, Guest95727, Sorcier_FXK, emid, gardar, kwork, _bt,  (+14 more, use /NETSPLIT to show all of them)
16:00 -!- Denial- is now known as Denial
16:00 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
16:00 -!- joshh20-Away is now known as joshh20
16:00 -!- Netsplit over, joins: manitu
16:00 -!- venkatesh_ [~venkatesh@117.202.97.121] has quit [Ping timeout: 252 seconds]
16:00 -!- _bt [foobar@77.240.12.157] has joined #openvpn
16:01 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
16:01 -!- Netsplit over, joins: havoc
16:01 -!- dowaat_ [uid3966@gateway/web/irccloud.com/x-oulrijsrbhjnkwrk] has joined #openvpn
16:02 -!- Netsplit over, joins: VunKruz
16:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 244 seconds]
16:02 -!- Netsplit over, joins: exa
16:02 -!- Netsplit over, joins: emid
16:03 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:03 -!- Devastator [~devas@177.99.152.210] has joined #openvpn
16:04 -!- Netsplit over, joins: Sorcier_FXK
16:06 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
16:06 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:06 -!- tharkun [~0@187.188.94.182] has joined #openvpn
16:06 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
16:06 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
16:06 -!- jeev [~j@162.248.241.234] has joined #openvpn
16:06 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
16:06 -!- ultra [~ed@2001:41d0:2:ada5::245] has joined #openvpn
16:06 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
16:06 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-lionomiwgeplzonq] has joined #openvpn
16:06 -!- wildcat [~tomh@ssh.espix.net] has joined #openvpn
16:06 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
16:06 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rxydvvaacspyimwi] has joined #openvpn
16:06 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
16:06 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
16:06 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
16:06 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
16:06 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:06 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
16:06 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
16:06 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
16:06 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
16:06 -!- aji [~alex@atheme/member/aji] has joined #openvpn
16:06 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
16:06 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
16:06 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
16:06 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
16:06 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
16:06 -!- ServerMode/#openvpn [+oo novaflash krzee] by sendak.freenode.net
16:06 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-lionomiwgeplzonq] has quit [Max SendQ exceeded]
16:07 -!- kenyon is now known as Guest58769
16:07 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
16:07 -!- tharkun [~0@187.188.94.182] has quit [Max SendQ exceeded]
16:07 -!- jeev [~j@162.248.241.234] has quit [Changing host]
16:07 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
16:07 -!- ultra [~ed@2001:41d0:2:ada5::245] has quit [Changing host]
16:07 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
16:07 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:07 -!- tharkun [~0@187.188.94.182] has joined #openvpn
16:08 -!- prettyrobots is now known as Guest69840
16:12 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-ujvhklbborqhutho] has joined #openvpn
16:13 -!- venkatesh [~venkatesh@117.202.111.35] has joined #openvpn
16:17 -!- ron__ is now known as ron_
16:17 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
16:20 -!- venkatesh [~venkatesh@117.202.111.35] has quit [Ping timeout: 260 seconds]
16:21 -!- kantlive- [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 260 seconds]
16:25 -!- Denial- [Denial@90.201.173.63] has joined #openvpn
16:26 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:27 -!- Netsplit *.net <-> *.split quits: jeev, Haseo, tharkun, Guest69840, bogie, Cultist, ultra
16:27 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
16:28 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
16:31 -!- gffa_ [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:32 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
16:32 -!- venkatesh [~venkatesh@117.202.108.9] has joined #openvpn
16:33 -!- Netsplit *.net <-> *.split quits: Denial, @krzee, MeanderingCode, Cr4zi3, _FBi, thumbs, mnathani, exa, seba, MacGyver,  (+16 more, use /NETSPLIT to show all of them)
16:33 -!- Denial- is now known as Denial
16:35 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
16:36 -!- _Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
16:36 -!- Netsplit over, joins: @krzee, xorox90___, tharkun, Martin`, Guest58769, MeanderingCode, _FBi, mrrg, thumbs, aji (+18 more)
16:36 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
16:38 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:39 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
16:39 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
16:40 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
16:41 -!- EmLeX_ [~emx@37.46.193.2] has quit [Read error: Operation timed out]
16:42 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
16:44 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
16:45 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:45 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 246 seconds]
16:46 -!- Netsplit *.net <-> *.split quits: _Cr4zi3, thumbs, @novaflash, wildcat, HectorBarbossa, MacGyver, mnathani, mrrg, kisom, simcop2387,  (+12 more, use /NETSPLIT to show all of them)
16:46 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
16:46 -!- cyberspace- [20253@109.74.194.224] has quit [Ping timeout: 265 seconds]
16:47 -!- Netsplit over, joins: @krzee, _Cr4zi3, xorox90___, Martin`, Guest58769, MeanderingCode, _FBi, mrrg, thumbs, aji (+12 more)
16:47 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
16:48 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has quit [Ping timeout: 252 seconds]
16:48 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
16:51 -!- Guest69840 is now known as prettyrobots
16:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
16:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:06 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has joined #openvpn
17:07 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
17:08 -!- joshh20 is now known as joshh20-Away
17:09 -!- qwertyoruiop_ [~hax@89.248.169.6] has joined #openvpn
17:09 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
17:09 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has joined #openvpn
17:20 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
17:27 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
17:27 -!- dren [dren@69.163.43.34] has joined #openvpn
17:27 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 264 seconds]
17:31 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
17:32 -!- dowaat_ is now known as dowaat
17:40 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
17:45 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
17:57 -!- qpls [~qpls@unaffiliated/qpls] has quit [Ping timeout: 252 seconds]
17:57 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 272 seconds]
17:58 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
17:58 -!- qpls [~qpls@69-165-173-171.dsl.teksavvy.com] has joined #openvpn
18:03 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:04 -!- joshh20-Away is now known as joshh20
18:08 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 248 seconds]
18:27 -!- qwertyoruiop_ is now known as qwertyoruiop
18:29 -!- i7c [~i7c@rliz.org] has quit [Quit: oh no, why]
18:29 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
18:29 -!- i7c [~i7c@rliz.org] has joined #openvpn
18:30 -!- i7c [~i7c@rliz.org] has quit [Changing host]
18:30 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
18:40 -!- venkatesh [~venkatesh@117.202.108.9] has quit [Ping timeout: 272 seconds]
--- Log closed Thu Feb 20 18:47:55 2014
--- Log opened Thu Feb 20 18:49:07 2014
18:49 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
18:49 -!- Irssi: #openvpn: Total of 228 nicks [8 ops, 0 halfops, 1 voices, 219 normal]
18:49 -!- mode/#openvpn [+o ecrist_] by ChanServ
18:49 -!- Hes_ [D4kV9@tunkki.fi] has joined #openvpn
18:50 -!- Irssi: Join to #openvpn was synced in 63 secs
18:50 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
18:50 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
18:50 -!- xTz is now known as Guest91129
18:51 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
18:54 -!- hazard0us [~hz@openvpn/user/hazardous] has joined #openvpn
18:54 -!- mode/#openvpn [+v hazard0us] by ChanServ
18:54 -!- digilink- [~digilink@irc.stephennet.net] has joined #openvpn
18:55 -!- digilink- [~digilink@irc.stephennet.net] has quit [Client Quit]
18:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
18:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
18:55 -!- Netsplit *.net <-> *.split quits: +hazardous, _psycheye, kantlivelong, linlin, MatToufoutu, u0m3, elfixit1, emid, Linmu, digilink,  (+10 more, use /NETSPLIT to show all of them)
18:55 -!- hazard0us is now known as hazardous
18:56 -!- digilink- [~digilink@irc.stephennet.net] has joined #openvpn
18:56 -!- digilink- [~digilink@irc.stephennet.net] has quit [Remote host closed the connection]
18:56 -!- kantlive- [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:56 -!- Netsplit over, joins: emid
18:57 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
18:57 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has joined #openvpn
18:57 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:57 -!- ron_ [~ron@ppp118-210-221-172.lns20.adl6.internode.on.net] has joined #openvpn
18:58 -!- Guest58769 [kenyon@darwin.kenyonralph.com] has left #openvpn []
18:59 -!- kossy [a@kossy.org] has joined #openvpn
18:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
18:59 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
18:59 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
18:59 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
19:00 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
19:00 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
19:01 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
19:02 -!- Netsplit *.net <-> *.split quits: Linmu, elfixit1, kossy, Zordrak, ron_, Aketzu
19:02 -!- Netsplit over, joins: Aketzu, Zordrak, elfixit1, Linmu, ron_
19:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:07 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:07 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:07 -!- kossy [a@kossy.org] has joined #openvpn
19:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:22 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
19:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:25 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:25 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:26 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:26 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:40 -!- Thib_ [~thibaud@87.239.184.86] has quit [Quit: Ex-Chat]
19:42 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:42 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:45 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:45 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:46 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:46 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:54 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:54 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:01 -!- joshh20 is now known as joshh20-Away
20:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:09 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:09 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:13 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
20:13 < MACscr2> any advice here for this error that i am getting on my dev mode enabled chromebook when trying to connect to my openvpn enabled pfsense router? http://hastebin.com/yajonajepi.coffee
20:13 <@vpnHelper> Title: hastebin (at hastebin.com)
20:19 -!- phunyguy [~plorpian@gateway/tor-sasl/phunyguy] has quit [Quit: Goodbye cruel world!]
20:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:21 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
20:21 < pekster> MACscr2: line 49 claims to have opened the tun device, but the error suggests it isn't created. Maybe try manually creating a tun device ahead of time and using that explicit named device instead?
20:21 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:21 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:21 < pekster> You can use a number, or just use a more useful name, like tun_myvpn or whatever
20:22 < MACscr2> hmm, not sure if that option is available on a chromebook
20:22 < pekster> See --mktun in the manpage. Optionally, use non-deprecated networking on Linux which is (and has been for about a decade now) provided by the `ip` utility of the iproute2 package
20:22 < pekster> !ifconfig_linux
20:22 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
20:23 < pekster> ip can create tun devices. ifconfig can't.
20:23 < pekster> No clue what userland your platform uses though
20:25 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
20:27 < MACscr2> yep, ip command isnt available =(
20:27 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:27 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:29 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
20:29 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:29 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:29 < pekster> Use --mktun then which will interface directly with the tun API
20:29 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:29 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:30 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has joined #openvpn
20:30 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:30 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:30 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
20:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:38 < MACscr2> hmm, no difference. even i manually create one and it says its persistent, then run the openvpn config, it tries to use a different one
20:40 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
20:48 -!- phunyguy [~vortex@neverserio.us] has joined #openvpn
20:52 -!- phunyguy [~vortex@neverserio.us] has quit [Client Quit]
20:52 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
20:52 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
20:53 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
20:53 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
20:54 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:57 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
21:00 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:00 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:00 -!- ron_ [~ron@ppp118-210-221-172.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
21:02 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has joined #openvpn
21:03 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has joined #openvpn
21:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:11 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:11 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:14 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:14 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:15 < pekster> MACscr2: You need to specify the device in your config
21:15 < pekster> Otherwise what you did is moot
21:15 < pekster> read --dev in the manpage
21:18 < MACscr2> i have, it doesnt mention anything about the config
21:18 < MACscr2> i dont see anythign more than dev tun in the config
21:19 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:19 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:22 < _FBi> heya pekster
21:22 < MACscr2> nvm, got it. Thanks!
21:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:25 -!- lj [~l@adsl-99-155-23-209.dsl.peoril.sbcglobal.net] has joined #openvpn
21:25 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:25 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:26 -!- MACscr2_ [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
21:26 -!- pentiumone133 [will@173.243.115.75] has quit [Ping timeout: 260 seconds]
21:26 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:26 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:27 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
21:27 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:27 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:27 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
21:33 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:33 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:33 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:33 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:37 -!- lj [~l@adsl-99-155-23-209.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 248 seconds]
21:37 -!- lj [~l@192.241.174.169] has joined #openvpn
21:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:40 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:40 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:44 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:44 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:45 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:45 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:46 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:46 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:49 < MACscr2_> hmm, so i got openvpn to work on my chromebook to an extent. I can connect to ip's on my vpn through the browser, but if i try to ssh to that same ip, it times out
21:50 < MACscr2_> nvm, its just slow as hell
21:50 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
21:50 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:50 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:51 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
21:53 < MACscr2_> weird, the browser stuff is fast
21:53 < MACscr2_> but its been a few minutes and the ssh connection hasnt even finished completing
21:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:56 < MACscr2_> hmm, canceled the ssh connect, reconnect fast. lol
21:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
21:56 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
21:56 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
22:07 -!- qwertyoruiop [~hax@89.248.169.6] has quit [Remote host closed the connection]
22:08 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
22:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:19 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:19 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:24 -!- dimm0k_ is now known as dimm0k
22:30 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:30 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:31 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:31 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:42 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
22:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
22:53 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:53 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:53 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:53 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:56 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
22:56 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
23:01 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:01 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:09 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:09 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:11 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:11 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:25 -!- lj [~l@adsl-99-155-23-209.dsl.peoril.sbcglobal.net] has joined #openvpn
23:27 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:29 -!- lj [~l@adsl-99-155-23-209.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 260 seconds]
23:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 253 seconds]
23:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:39 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:39 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:50 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
23:50 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:50 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:51 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:51 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:52 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 260 seconds]
23:56 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
23:58 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
23:58 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
23:59 -!- tdreyer1_ [~tdreyer1@70.94.46.11] has quit [Ping timeout: 260 seconds]
--- Day changed Fri Feb 21 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:01 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
00:01 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
00:01 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
00:02 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
00:06 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Read error: Connection reset by peer]
00:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:45 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:45 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:50 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:56 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:56 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
00:57 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
00:57 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 248 seconds]
01:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:06 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
01:06 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
01:11 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
01:11 -!- e-ndy is now known as indy
01:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:15 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:17 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:33 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:34 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:34 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:34 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:44 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:44 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
01:57 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
01:57 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
02:05 -!- mattock_afk is now known as mattock
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
02:05 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
02:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
02:13 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:13 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:23 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:23 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:26 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:26 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:27 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:27 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:40 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
02:49 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
02:52 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
02:52 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
02:52 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
02:54 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:58 -!- dazo_afk is now known as dazo
03:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
03:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
03:08 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
03:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:22 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
03:22 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
03:35 -!- _f0cker_ [~f0cker@unaffiliated/f0cker] has quit [Read error: Operation timed out]
03:36 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
03:41 -!- svg [~svg@hydargos.ginsys.net] has quit [Quit: leaving]
03:48 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 260 seconds]
03:49 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:54 -!- mattock is now known as mattock_afk
03:57 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
04:27 -!- MACscr2_ [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
04:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:54 -!- y4h0 [~yavor@94.155.134.12] has joined #openvpn
04:54 < y4h0> hi
05:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
05:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:19 -!- exa [~exa@unaffiliated/exa] has quit [Ping timeout: 272 seconds]
05:20 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
05:32 -!- makara [~makara@41.164.22.218] has joined #openvpn
05:33 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:50 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 252 seconds]
05:53 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
05:56 -!- nutron [~nutron@unaffiliated/nutron] has quit [Read error: Operation timed out]
05:57 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
05:57 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 252 seconds]
06:04 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 252 seconds]
06:04 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
06:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
06:08 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
06:16 -!- makara [~makara@41.164.22.218] has joined #openvpn
06:19 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has joined #openvpn
06:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:41 < y4h0> i have an openvpn setup client and server
06:42 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 245 seconds]
06:43 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
06:43 < y4h0> when i try to connect to server the client log says this http://pastie.org/8755346
06:44 < y4h0> on the server side no traffic is coming
06:44 < y4h0> what could be the cause for that ?
06:44 -!- Guest91129 [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 252 seconds]
06:56 -!- mattock_afk is now known as mattock
07:00 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 252 seconds]
07:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:12 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:14 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:15 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
07:18 -!- michaelhart [~michaelha@192.237.177.15] has quit [Ping timeout: 252 seconds]
07:19 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
07:19 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:40 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Quit: WeeChat 0.3.8]
07:40 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
07:49 -!- hdkiller [~hdkiller@unaffiliated/hdkiller] has joined #openvpn
07:50 < hdkiller> hello, i am kinda stuck, i have an existing openvpn setup working like a charm, but i want to set up a roadwarior windows 7
07:50 < hdkiller> i don't want to change the server config, so i don't want to push the default gw option
07:50 < hdkiller> but i want to set up routes on windows.. how do i do that? :/ i feel kinda noob
08:00 -!- hdkiller [~hdkiller@unaffiliated/hdkiller] has left #openvpn []
08:15 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 248 seconds]
08:18 -!- instigator [~instigato@ti-225-26-191.telkomadsl.co.za] has joined #openvpn
08:19 < instigator> Greetings. I was wondering..in which situation would you use PPTP instead of normal vpn like openvpn?
08:19 <@ecrist_> if you're retarded
08:19 -!- You're now known as ecrist
08:20 <@ecrist> or don't care at all about security
08:28 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
08:31 -!- _jareth_ is now known as jareth_
08:31 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
08:35 -!- Devastator [~devas@177.99.152.210] has quit [Changing host]
08:35 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
08:44 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
08:45 < Pang> Hello! I also have a problem .I have instaled openvpn server on Windows Server 2012 and the openvpn client on windows 7 booth of them on vmware .I disabled the firewall on the server 2012 .Openvpn it is working on them I can conect the client vpn to the server vpn I can ping from client to server but I have no conection to the internet and I can not ping 8.8.8.8.
08:51 -!- lj [~l@192.241.174.169] has joined #openvpn
08:51 -!- fred`` [fred@earthli.ng] has joined #openvpn
09:01 <@ecrist> Pang: don't PM me
09:09 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:09 <@dazo> ecrist: He did the same to me ... and I sent him here again
09:13 <@ecrist> people do it on the forum all the time, as wel
09:13 <@ecrist> well*
09:19 < Pang> sorry
09:32 -!- noobboob [uid5587@gateway/web/irccloud.com/x-dfkiuwbimiaxogsn] has quit [Quit: Connection closed for inactivity]
09:37 < instigator> where would you go to increase key size in openvpn? I changed export KEY_SIZE=2048 in vars file, but it still using 1024 when creating key
09:38 -!- JuriadoBalzac [~cpe@www.badcode.net] has joined #openvpn
09:39 < JuriadoBalzac> Hi all! I was wondering, is there a way to deny a client access? Trying to google it but it's easier said than done.
09:41 <@krzee> sure there is
09:41 <@krzee> !crl
09:41 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
09:41 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
09:41 <@krzee> !ccd
09:41 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
09:42 <@krzee> CRL is permanent, you can use disable in a ccd entry (which can later be commented) for temporary
09:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rxydvvaacspyimwi] has quit [Quit: Connection closed for inactivity]
09:42 <@krzee> you could also do it in various scripts if you had a reason to
09:42 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-ujvhklbborqhutho] has quit [Quit: Connection closed for inactivity]
09:42 < JuriadoBalzac> Hm, thank you! I'm just worried we're put in a spot where we have to create all new certs, but it appears that wont be the case.
09:42 <@krzee> you can do it manually from the management interface
09:42 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-ktjpkzlrifaljcms] has quit [Quit: Connection closed for inactivity]
09:42 <@krzee> (for a 1-time thing)
09:44 -!- dowaat [uid3966@gateway/web/irccloud.com/x-oulrijsrbhjnkwrk] has quit [Quit: Connection closed for inactivity]
09:44 <@krzee> you should only need to recreate * if you lost your CA
09:44 <@krzee> (or if it was breached)
09:44 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vvngeupgfdkksolv] has quit [Quit: Connection closed for inactivity]
09:46 <@krzee> pang, before i put you on my ignore list for the unsoliticed msg (to all ops it seems), have a look at this flowchart
09:46 < JuriadoBalzac> krzee: Ah, yes, that makes sense. Thanks for your help!
09:46 <@krzee> !redirect
09:47 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:47 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
09:47 <@krzee> JuriadoBalzac, no problem =]
09:49 -!- Pang [~chatzilla@94-225-162-11.access.telenet.be] has quit [Ping timeout: 272 seconds]
09:54 <@krzee> y4h0, did you get your setup working?
09:54 <@krzee> instigator:
09:55 <@krzee> !easy-rsa
09:55 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
09:55 <@krzee> its not an openvpn thing, its a cert generation thing
09:56 < instigator> krzee: i figured it out. I forgot to source var and run clean-all
09:56 <@krzee> ahh good =]
09:56 < instigator> after I did that new key value took effect
09:56 < instigator> i got another question...what is the challenge password used for? is it important?
09:57 <@krzee> "challenge password" during easy-rsa version 2's cert generation?
09:57 <@krzee> nothing, and that does not exist in easy-rsa version 3
09:58 < instigator> yes during version 2
09:58 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:58 < instigator> it was showing in plain text as i typed so doesnt seem encrypted
10:00 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
10:04 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
10:06 -!- lj [~l@192.241.174.169] has joined #openvpn
10:20 -!- mattock is now known as mattock_afk
10:22 <@krzee> !certinfo
10:22 <@vpnHelper> "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
10:22 < JuriadoBalzac> Hm, can't really make heads or tails of this, think I should sleep on it.
10:32 <@krzee> !factoids
10:32 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
10:32 <@krzee> JuriadoBalzac, certinfo was for me, what are you not able to make heads or tails of?
10:32 <@krzee> <krzee> nothing, and that does not exist in easy-rsa version 3
10:32 <@krzee> that was the answer to your last question...
10:33 <@krzee> if you have more questions, just ask =]
10:41 <@krzee> !shotgun
10:41 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
10:41 <@dazo> instigator: challenge-password is only used by very few external CAs ... it's a way for the CA to have a way to authenticate the CSR requester
10:42 <@krzee> and that fills my quota for "learning something new every day"
10:42  * krzee ignores life for the rest of the day
10:42 <@dazo> heh
10:43 < instigator> dazo: i see thanks
10:43 <@dazo> you're welcome!
10:44 <@krzee> if you use easy-rsa 3 it will not ask for that
10:45 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
10:56 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
11:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:06 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 245 seconds]
11:06 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:10 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
11:14 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:23 -!- lj [~l@192.241.174.169] has joined #openvpn
11:23 -!- lj [~l@192.241.174.169] has quit [Client Quit]
11:31 -!- pentiumone133 [will@173.243.115.75] has quit [Read error: Connection reset by peer]
11:32 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
11:39 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
11:39 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
11:43 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
11:48 -!- pentiumone133 [will@173.243.115.75] has quit [Remote host closed the connection]
11:48 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
11:51 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
11:52 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
11:53 -!- pentiumone133 [will@173.243.115.75] has quit [Remote host closed the connection]
11:53 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
12:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:02 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
12:02 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
12:06 -!- instigator [~instigato@ti-225-26-191.telkomadsl.co.za] has left #openvpn []
12:17 -!- Pang [~chatzilla@d51530CB1.static.telenet.be] has joined #openvpn
12:21 -!- makara [~makara@105-208-240-232.access.mtnbusiness.co.za] has joined #openvpn
12:22 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
12:39 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
12:40 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
12:58 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
13:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-fupkxuushstwztkc] has quit [Ping timeout: 260 seconds]
13:09 -!- kirin` [telex@gateway/shell/anapnea.net/x-yukqlgzhoqpceste] has joined #openvpn
13:12 -!- dowaat [uid3966@gateway/web/irccloud.com/x-ghbwvmztxtcqszkq] has joined #openvpn
13:13 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
13:14 -!- instigator [~instigato@ti-225-26-191.telkomadsl.co.za] has joined #openvpn
13:15 < instigator> is it possible to run openvpn server on your pc which uses a wifi adapter or dongle?
13:17 -!- master_of_master [~master_of@p4FF2494D.dip0.t-ipconnect.de] has joined #openvpn
13:18 < Aketzu> why not
13:18 < Aketzu> can you run web server on the sama machine
13:18 < Aketzu> or web browser
13:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Quit: I shouldn't have left....]
13:20 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
13:21 -!- master_o1_master [~master_of@p4FF248B3.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
13:21 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
13:21 -!- mode/#openvpn [+o raidz] by ChanServ
13:22 < instigator> Aketzu: cause my openvpn server running on my raspberry pi and when I start the openvpn server (daemon) the wifi dongle stops working
13:22 < Aketzu> ehm
13:23 < instigator> but if i disable openvpn server and restart it, my wifi adapter works again
13:23 < Aketzu> "impossible"
13:23 < Aketzu> does it make some weird routes that just make it look like it stopped working?
13:24 < Aketzu> or are you bridging the network
13:26 -!- Thermi_ [~Thermi@unaffiliated/thermi] has joined #openvpn
13:27 < instigator> its not bridged. when openvpn server is off, wifi dongle is flashing and working. as soon as i start open server then wifi dongle goes off. Wifi dongle only works if I disable openvpn server and restart
13:27 < instigator> can bridging fix this?
13:28 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 260 seconds]
13:28 -!- Thermi_ is now known as Thermi
13:30 -!- Pang [~chatzilla@d51530CB1.static.telenet.be] has quit [Read error: Connection reset by peer]
13:32 < Aketzu> goes off?
13:32 < Aketzu> openvpn itself doesn't control other network adapters
13:33 < Aketzu> so either you have some very strange scripts/configs or then there is something really wrong with the hardware/kernel
13:34 <@krzee> instigator, you have an issue in your OS and should try to find why the usb goes down
13:34 <@krzee> !notovpn
13:34 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
13:34 <@krzee> aka, exactly what Aketzu said =]
13:34 < instigator> oh ok thanks
13:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:46 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 260 seconds]
13:47 -!- rooth [~rooth@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
13:48 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
14:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:09 -!- makara [~makara@105-208-240-232.access.mtnbusiness.co.za] has quit [Ping timeout: 252 seconds]
14:11 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
14:21 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:21 -!- mode/#openvpn [+o mattock] by ChanServ
14:22 -!- kantlive- [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
14:36 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
14:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:52 -!- NChief [~nchief@unaffiliated/nchief] has quit [Ping timeout: 260 seconds]
14:53 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
15:01 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Ping timeout: 240 seconds]
15:04 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
15:06 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Read error: Connection reset by peer]
15:07 -!- p3rror [~mezgani@196.201.78.139] has quit [Quit: Leaving]
15:08 -!- lj [~l@192.241.174.169] has joined #openvpn
15:16 -!- dazo is now known as dazo_afk
15:17 -!- instigator [~instigato@ti-225-26-191.telkomadsl.co.za] has quit [Quit: Leaving.]
15:23 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
15:23 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:30 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
15:42 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
15:43 -!- rooth [~rooth@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 252 seconds]
15:44 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
15:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
15:52 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
15:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ilgudbfocozicbry] has joined #openvpn
16:19 -!- mattock is now known as mattock_afk
16:32 -!- kossy [a@kossy.org] has quit [Read error: Operation timed out]
16:38 -!- joshh20-Away is now known as joshh20
16:44 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 260 seconds]
16:51 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
17:01 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:08 -!- soapee01_ is now known as soapee01
17:14 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
17:14 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 264 seconds]
17:23 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
17:27 -!- sudormf [~ali@one.music-blaster.com] has joined #openvpn
17:27 < sudormf> Can anyone help me diagnose a strange issue?
17:28 < sudormf> youtube is blocked in my country, so when i connect via openvpn, i'm able to access it, but i can't load up gmail while on vpn (which normally loads ok).
17:30 -!- Guest47559 [~marme@li388-49.members.linode.com] has quit [Ping timeout: 260 seconds]
17:30 < sudormf> also, can't access many https urls.
17:31 -!- qwertyoruiop_ is now known as qwertyoruiop
17:34 < sudormf> anyone?
17:40 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
17:41 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
17:43 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:54 -!- sudormf [~ali@one.music-blaster.com] has quit [Ping timeout: 265 seconds]
17:58 -!- lordnikk1n [~marme@li388-49.members.linode.com] has joined #openvpn
18:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:04 -!- dowaat [uid3966@gateway/web/irccloud.com/x-ghbwvmztxtcqszkq] has quit [Quit: Connection closed for inactivity]
18:14 -!- joshh20 is now known as joshh20-Away
18:20 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
18:23 -!- lj [~l@192.241.174.169] has joined #openvpn
18:23 -!- joshh20-Away is now known as joshh20
18:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ilgudbfocozicbry] has quit [Quit: Connection closed for inactivity]
18:38 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
18:43 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has joined #openvpn
18:43 < ikla> how do I generate my crl.pem
18:43 < ikla> file is missing
18:47 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 260 seconds]
18:48 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
18:51 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
18:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:01 <@krzee> !crl
19:01 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
19:01 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
19:02 -!- sudormf [~ali@one.music-blaster.com] has joined #openvpn
19:03 < sudormf> my openvpn can't open a lot of https urls. anyone able to assist me?
19:03 < pekster> You left too quick last time
19:04 < sudormf> sorry. what did i miss?
19:04 < pekster> If you can ping your remote peer, openvpn is delivering packets
19:04 < pekster> Nothing; no one replied because you left ;)
19:04 < sudormf> all right. pinging does work
19:04 < pekster> If you're routing packets through the server (with --redirect-gateway or similar) then you should probably start looking there for clues why
19:05 < sudormf> i have a pretty vanilla server config, nothing out of ordinary.
19:05 < pekster> Maybe start by tcpdumping the tun then the egress interfaces and see what sequence of packets you see; do you see the TCP handshake, TLS exchange, etc
19:05 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
19:05 < pekster> If you are redirecting, maybe verify your redirect setup is working by the flowchart at: !redirect
19:06 < sudormf> not redirecting. its a very strange issue. only some https sites don't work, and sometimes, submitting forms doesn't work.
19:07 < pekster> If you're not redirecting then openvpn isn't doing anything with your packets
19:08 < pekster> review your routing and maybe DNS settings if you're modifying/pushing them
19:08 < sudormf> but why would it only affect https sites and form posts?
19:08 < pekster> Crystal ball says "too cloudy, try again"
19:08 < pekster> Maybe,
19:08 < pekster> !configs
19:09 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:09 < sudormf> 1 sec
19:10 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
19:12 < sudormf> http://pastebin.com/dd1GujYu
19:16 < sudormf> using ubuntu 13.xx, open vpn 2.0
19:16 < sudormf> 2.x*
19:18 < pekster> There's los of "2.x", including a 7 year old version
19:18 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 260 seconds]
19:20 < pekster> Outside of the /23 you're routing across the VPN, that looks simple enough, but the client could in theory also adjust routing with local --route or --redirect-gateway statements
19:21 -!- esde [~esde@107.150.1.2] has joined #openvpn
19:21 < pekster> No reason that would mess with traffic not being routed across the VPN at all
19:21 < sudormf> i have government censorship in my country, its possible they are interfering with it? but on windows, vpns work flawlessly.
19:21 < sudormf> i'm using network manager on client, pretty straightforward as well.
19:22 < pekster> Yup, that is possible. OpenVPN makes no attempt to hide itself, so if you're on an ISP that actively monitors it's possible what you're experiencing is a countermeasure
19:22 < pekster> If you want to hide what openvpn is, you need an obfuscation layer: maybe read about: !obfs
19:22 < sudormf> !obfs
19:22 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used.
19:23 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
19:23 < pekster> Optionally, if your openvpn link works, do full redirection (!redirect) and access the sites over the VPN tunnel
19:23 < pekster> It will be apparent to someone who knows what they're looking at that openvpn is used, but not what is being sent across it
19:23 < sudormf> !redirect
19:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:23 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:23 < sudormf> I definitely need redirect. That must be what's happening on windows.
19:24 < sudormf> !def1
19:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
19:24 < sudormf> !man
19:24 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:26 < sudormf> so i should just add push "redirect-gateway def1" to server config?
19:28 -!- sudormf [~ali@one.music-blaster.com] has quit [Quit: Leaving]
19:28 -!- sudormf [~ali@one.music-blaster.com] has joined #openvpn
19:29 < sudormf> adding push "redirect-gateway def1" to server.conf didn't have any effect..
19:32 < pekster> Did you bounce the server then the client?
19:32 < pekster> Verify the options got pushed, verify your local routing table..
19:33 < sudormf> i did restart openvpn on server, disconnected and reconnected on client
19:34 < pekster> You should have two /1 routes across the VPN
19:34 < pekster> Could be DNS too
19:34 < pekster> Ideally use a DNS that's off-link (not your local router since you have a link-route and that probably goes to your ISP, not across the VPN.)
19:34 < pekster> Try googleDNS
19:40 < conroe> offtopic sure, but why are people using googles DNS resolvers?
19:40 -!- sudormf [~ali@one.music-blaster.com] has quit [Remote host closed the connection]
19:41 < pekster> They suck the least. And they're fast
19:41 < conroe> i mean, you might as well just *tell* them what you are doing online?
19:41 < pekster> opendns is shit (they violate spec for ad money, and it breaks lots of things. many corp VPNs, for instance.) ISPs have traditionally done the same thing until customers get outraged enough to complain or switch
19:41 < pekster> They have sane privacy policies around it
19:42 < conroe> riiight
19:42 < pekster> DNS isn't private
19:42 < pekster> If that bugs you, anonymize your queries. It's generally pointless
19:43 < pekster> Also, google has generally been open/honest about their privacy policies, by general wisdom. Not that everyone is happy about some of the recent changes, but they open about it
19:43 < conroe> crypted queries towards non-logging resolvers
19:43 < pekster> "crypted" ?
19:43 < pekster> And you never know if they log or not
19:43 < pekster> You can DNS over tor, but the latency will be horrible
19:43 < pekster> Most people don't care. It's like saying that traffic cameras are a civil rights violation
19:43 < conroe> dnscrypt?
19:44 < pekster> They have to _go_ somewhere
19:44 < conroe> sure
19:44 < pekster> If you proxy it, fine, but all you can do for the actual DNS resolution is send a query
19:44 < pekster> Where you do that is up to you
19:44 < pekster> I'm telling you it doesn't matter
19:45 < pekster> https://developers.google.com/speed/public-dns/privacy
19:45 <@vpnHelper> Title: Your Privacy - Public DNS Google Developers (at developers.google.com)
19:45 < pekster> The important bit is that by deleting IPs within 48 hours, they're not a honeypot for other Well Funded Agencies™
19:46 < conroe> the new stasi agency you mean?
19:47 < pekster> Any of them
19:48 < conroe> but if you are already using chrome, maybe even signed into your google account they already own you so why bother about the resolver, sure
19:49 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
19:50 < pekster> I'm saying the data isn't shared
19:50 < pekster> The DNS isn't part of the "one google privacy policy"
19:50 < pekster> Take the tin-foil hat theroies elsewhere
19:51 < conroe> well, i dont worry about google sharing squat. i worry about google *getting* any data
19:51 < pekster> It's not tied to your accounts
19:52 < pekster> Unless you think google is lying, that's what's happening. If you do, go start some campaign to do something about it. This probably isn't the place
19:52 < conroe> no, i suppose it just comes in handy when collating against other tracking methods. anywa
19:52 < conroe> y
19:52 < pekster> "in handy"? The part where they don't do it?
19:52 < pekster> This is silly
19:52 < pekster> FUD elsewhere. Google is not using DNS queries to spy on you, your account, your googleVoice, your gmail, or your G+
19:53 < conroe> i have/use neither ;). but offtopic as said :)
19:54 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:58 -!- kossy [a@kossy.org] has joined #openvpn
20:00 -!- Matir [~matir@ubuntu/member/matir] has quit [Remote host closed the connection]
20:05 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
20:09 -!- phunyguy [~plorpian@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
20:09 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:13 -!- esde [~esde@107.150.1.2] has quit [Changing host]
20:13 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
20:41 -!- dowaat [uid3966@gateway/web/irccloud.com/x-dtmaxrlwacmiabgq] has joined #openvpn
20:44 <@ecrist> happy friday, bitches!
20:45 < pekster> There's a domain name idea for the new gTLDs
20:45 < pekster> fudfriday
21:03 -!- joshh20 is now known as joshh20-Away
21:05 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Quit: conroe]
21:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
21:12 -!- lordnikk1n [~marme@li388-49.members.linode.com] has quit [Ping timeout: 265 seconds]
21:13 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
21:13 -!- lordnikkon is now known as Guest49797
21:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:22 -!- tapout [~tapout@unaffiliated/tapout] has quit [Quit: ZNC - http://znc.sourceforge.net]
21:42 -!- max_ [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
21:43 -!- max_ is now known as Synthead
21:46 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
21:47 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:04 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
22:05 < ice9> I lose internet connectivity after some time from the initiation of the vpn connection, that period of time is not constant and even can be very long
22:05 < ice9> but it happen everytime
22:06 <@krzee> do you have a question about openvpn or just want to share connection problems?
22:07 < ice9> yeah I want to know the reason for this issue and how to solve it
22:10 < ice9> so can you krzee?
22:10 < ice9> help*
22:10 <@krzee> not openvpn's fault
22:11 <@krzee> i cannot help
22:11 < ice9> krzee: then who's fault? and how would you know?
22:11 <@krzee> !crystal
22:11 <@vpnHelper> "crystal" is Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome.
22:11 <@krzee> i dont know whose fault, troubleshoot the network and figure that out
22:12 <@krzee> crystal ball is out of service
22:12 <@krzee> maybe ##networking
22:13 -!- dowaat is now known as dogewaat
22:13 < ice9> krzee: alright, I didn't come for the crystal ball but if I could to troubleshoot everything, then I could have knew my problem and solved it and I wouldn't be here!
22:13 < ice9> so I'm seeking help to do so;  also it's not my vpn server but just a service I'm connecting to!
22:13 <@krzee> !provider
22:13 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
22:13 <@krzee> =]
22:13 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 272 seconds]
22:14 <@krzee> its either their issue, or your isp's or something in between
22:14 <@krzee> not the application openvpn's
22:14 < ice9> krzee: got ya
22:15 < ice9> but if it's on the ISP's side, what they might be doing?
22:15 <@krzee> sucking
22:15 <@krzee> i wonder if #apache gets all sorts of web provider questions
22:16 <@krzee> im gunna go ask them :D
22:16 < ice9> :D
22:16 <@krzee> <thumbs> krzee: too often.
22:16 <@krzee> excellent
22:17 < ice9> krzee: are you form the OpenVPN developers?
22:17 < ice9> fomr*
22:17 <@krzee> i am not a dev
22:17 -!- mode/#openvpn [+v thumbs] by krzee
22:23 < ice9> is it true that openvpn connection can be attacked by MITM during the initiation?
22:25 <@krzee> !mitm
22:25 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
22:51 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has left #openvpn ["Konversation terminated!"]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
23:50 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 264 seconds]
23:52 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
23:57 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 245 seconds]
23:59 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
--- Day changed Sat Feb 22 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:14 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 272 seconds]
00:14 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
00:20 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:22 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
00:25 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Remote host closed the connection]
00:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
01:00 -!- Cpt-Oblivious_ [~chatzilla@31.220.44.20] has joined #openvpn
01:02 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
01:03 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 260 seconds]
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has joined #openvpn
01:05 -!- dimm0k [~dimm0k@pool-96-246-33-134.nycmny.fios.verizon.net] has quit [Changing host]
01:05 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:17 -!- pjschmit1 [~parker@209.141.56.12] has quit [Changing host]
01:17 -!- pjschmit1 [~parker@unaffiliated/schmitt953] has joined #openvpn
01:17 -!- pjschmit1 is now known as pjschmitt
01:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
01:21 -!- Cpt-Oblivious_ [~chatzilla@31.220.44.20] has quit [Remote host closed the connection]
01:21 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
01:31 -!- qwertyoruiop_ is now known as qwertyoruiop
01:50 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
01:51 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
02:00 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:03 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
02:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:18 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
02:25 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
02:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:47 -!- Devastatr [~devas@177.18.199.164] has joined #openvpn
03:48 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
05:02 -!- batrick [batrick@nmap/developer/batrick] has quit [Remote host closed the connection]
05:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 260 seconds]
05:06 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kbudmhnhsprxzfou] has joined #openvpn
05:06 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
05:14 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 264 seconds]
05:15 -!- indy [~e-ndy@fantomas.bestit.cz] has quit [Remote host closed the connection]
05:15 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
05:31 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Read error: Operation timed out]
05:35 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 264 seconds]
05:36 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has joined #openvpn
05:36 -!- dimm0k [~dimm0k@pool-108-21-230-13.nycmny.fios.verizon.net] has quit [Changing host]
05:36 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
05:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:13 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
06:21 -!- digilink [~digilink@unaffiliated/digilink] has quit [Read error: Operation timed out]
06:29 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
06:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
06:44 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
06:50 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
06:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
07:02 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
07:16 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
07:24 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
07:24 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
08:11 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has joined #openvpn
08:13 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
08:13 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
08:14 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:19 -!- u0m3__ [~u0m3@92.80.94.155] has joined #openvpn
08:20 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
08:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
08:25 -!- e-ndy [~e-ndy@fantomas.bestit.cz] has quit [Ping timeout: 265 seconds]
08:25 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 265 seconds]
08:26 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 265 seconds]
08:26 -!- u0m3__ [~u0m3@92.80.94.155] has quit [Ping timeout: 265 seconds]
08:27 -!- dyer [~dyer@unaffiliated/dyer] has quit [Ping timeout: 265 seconds]
08:27 -!- linuxthefish [~linuxthef@linuxthefish.net] has quit [Ping timeout: 265 seconds]
08:28 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has quit [Ping timeout: 265 seconds]
--- Log closed Sat Feb 22 08:30:32 2014
--- Log opened Sat Feb 22 08:31:49 2014
08:31 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn
08:31 -!- Irssi: #openvpn: Total of 209 nicks [7 ops, 0 halfops, 2 voices, 200 normal]
08:32 -!- gardar- [~gardar@bnc.giraffi.net] has joined #openvpn
08:32 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
08:32 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 272 seconds]
08:32 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
08:32 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 272 seconds]
08:32 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
--- Log closed Sat Feb 22 08:39:19 2014
--- Log opened Sat Feb 22 09:04:36 2014
09:04 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
09:04 -!- Irssi: #openvpn: Total of 160 nicks [5 ops, 0 halfops, 2 voices, 153 normal]
09:04 -!- mode/#openvpn [+o ecrist] by ChanServ
09:04 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
09:04 -!- deever [~deever@78.46.68.172] has joined #openvpn
09:05 -!- Irssi: Join to #openvpn was synced in 49 secs
09:05 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
09:05 -!- esde [~esde@107.150.1.2] has joined #openvpn
09:05 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:05 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
09:05 -!- Strider [~hans@S0106000db917e89a.vc.shawcable.net] has joined #openvpn
09:05 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
09:05 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
09:05 -!- Strider is now known as hjohnson
09:05 -!- kwork [~georg@no.life.ee] has joined #openvpn
09:06 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
09:06 -!- kwork [~georg@no.life.ee] has quit [Changing host]
09:06 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
09:06 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
09:06 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has joined #openvpn
09:07 -!- master_of_master [~master_of@p4FF2494D.dip0.t-ipconnect.de] has joined #openvpn
09:07 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
09:07 -!- matsh [divine@nanogene.org] has joined #openvpn
09:08 -!- andi [~andi@unaffiliated/fr00d] has quit [Disconnected by services]
09:08 -!- andi__ [~andi@shell.sixhop.net] has joined #openvpn
09:08 -!- ikla_ [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has joined #openvpn
09:08 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
09:08 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
09:08 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/session] has joined #openvpn
09:08 -!- fred`` [fred@earthli.ng] has joined #openvpn
09:08 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
09:08 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
09:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:08 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
09:08 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
09:08 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
09:08 -!- Guest48705 [~reinis@79.132.67.157] has joined #openvpn
09:09 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Max SendQ exceeded]
09:09 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:10 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
09:11 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
09:11 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
09:11 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/session] has quit [Ping timeout: 245 seconds]
09:13 -!- Netsplit *.net <-> *.split quits: dos-freak, jeev, tapout, _Cr4zi3, tharkun, @krzee, +thumbs, Haseo, lowkey, wildcat,  (+32 more, use /NETSPLIT to show all of them)
09:13 -!- tempus_fol [~tempus@unaffiliated/tempusfol] has joined #openvpn
09:13 -!- HectorBarbossa_ [uid7850@gateway/web/irccloud.com/session] has joined #openvpn
09:13 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
09:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-qzvicykddocklvpx] has joined #openvpn
09:13 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/session] has quit [Changing host]
09:13 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-jasvuxrmsnuozaen] has joined #openvpn
09:14 -!- tempus_fol [~tempus@unaffiliated/tempusfol] has quit [Changing host]
09:14 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
09:14 -!- HectorBarbossa_ [uid7850@gateway/web/irccloud.com/session] has quit [Changing host]
09:14 -!- HectorBarbossa_ [uid7850@gateway/web/irccloud.com/x-yjisjjhheczncgbf] has joined #openvpn
09:14 -!- stickpin [~b@173.244.215.195] has joined #openvpn
09:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:17 -!- megaTherion_ [~therion@unix.io] has quit [Ping timeout: 252 seconds]
09:17 -!- Devastatr [~devas@177.18.199.164] has joined #openvpn
09:17 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 260 seconds]
09:17 -!- deever [~deever@78.46.68.172] has quit [Write error: Connection reset by peer]
09:17 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
09:17 -!- codehero [codehero@irc.coding4coffee.org] has quit [Ping timeout: 252 seconds]
09:18 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
09:18 -!- Devastator [~devas@177.18.199.164] has quit [Read error: Connection reset by peer]
09:18 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Read error: Operation timed out]
09:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-qzvicykddocklvpx] has quit [Read error: Operation timed out]
09:18 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Write error: Broken pipe]
09:18 -!- deever_ [~deever@78.46.68.172] has joined #openvpn
09:18 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
09:18 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
09:18 -!- EmLeX [~emx@37.46.193.2] has joined #openvpn
09:18 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
09:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-bzcnjyhjjmzzvzog] has joined #openvpn
09:18 -!- EmLeX [~emx@37.46.193.2] has quit [Changing host]
09:18 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
09:18 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
09:18 -!- fejjerai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
09:18 -!- Pei_ [~pei@thinks.outside.theb0x.org] has joined #openvpn
09:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
09:19 -!- VunKruz [~hhhh@24.205.8.187] has quit [Ping timeout: 260 seconds]
09:20 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Ping timeout: 260 seconds]
09:21 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
--- Log closed Sat Feb 22 09:26:14 2014
--- Log opened Sat Feb 22 09:26:27 2014
09:26 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn
09:26 -!- Irssi: #openvpn: Total of 135 nicks [3 ops, 0 halfops, 1 voices, 131 normal]
09:27 -!- Irssi: Join to #openvpn was synced in 62 secs
09:27 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
09:27 -!- enbergj [~enbergj@ec2-54-246-148-207.eu-west-1.compute.amazonaws.com] has joined #openvpn
09:27 -!- HectorBarbossa__ [uid7850@gateway/web/irccloud.com/x-hnomspnpsaysnpvc] has joined #openvpn
09:27 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:27 -!- mode/#openvpn [+o ecrist_] by ChanServ
09:28 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has joined #openvpn
09:28 -!- hjohnson [~hans@S0106000db917e89a.vc.shawcable.net] has quit [Ping timeout: 260 seconds]
09:29 -!- Strider is now known as hjohnson
09:29 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Ping timeout: 260 seconds]
09:29 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 248 seconds]
09:29 -!- MadTBone__ [~MadTBone@160.39.238.196] has quit [Ping timeout: 248 seconds]
09:29 -!- WinstonSmith [~WinstonSm@bl7-45-145.dsl.telepac.pt] has joined #openvpn
09:29 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 260 seconds]
09:29 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 260 seconds]
09:29 -!- stickpin [~b@173.244.215.195] has quit [Ping timeout: 260 seconds]
09:29 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 260 seconds]
09:29 -!- Mike3 [mad@mx.probie.nl] has quit [Ping timeout: 260 seconds]
09:29 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has joined #openvpn
09:29 -!- andi [~andi@shell.sixhop.net] has joined #openvpn
09:29 -!- andi [~andi@shell.sixhop.net] has quit [Changing host]
09:29 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
09:29 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has quit [Changing host]
09:29 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
09:29 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
09:29 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has joined #openvpn
09:29 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
09:29 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
09:29 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
09:29 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:29 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-dtmaxrlwacmiabgq] has joined #openvpn
09:29 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
09:29 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
09:29 -!- wildcat [~tomh@ssh.espix.net] has joined #openvpn
09:29 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
09:29 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
09:29 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
09:29 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
09:29 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
09:29 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
09:29 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
09:29 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
09:29 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has joined #openvpn
09:29 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
09:29 -!- aji [~alex@atheme/member/aji] has joined #openvpn
09:29 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
09:29 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
09:29 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
09:29 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
09:29 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
09:29 -!- ServerMode/#openvpn [+ovo novaflash thumbs krzee] by sendak.freenode.net
09:29 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
09:29 -!- Matir_ [~matir@ubuntu/member/matir] has joined #openvpn
09:29 -!- Netsplit *.net <-> *.split quits: Eagleman7, tessier, Linmu_, matsh_, Gasseus, ikla_, lordnikk1n, kevinsky, master_of_master
09:29 -!- linuxthefish [~linuxthef@linuxthefish.net] has joined #openvpn
09:29 -!- emid_ [~emid@192.241.162.156] has joined #openvpn
09:29 -!- megaTherion [~therion@unix.io] has joined #openvpn
09:29 -!- Devastatr [~devas@177.18.199.164] has quit [Ping timeout: 252 seconds]
09:29 -!- pjschmitt [~parker@209.141.56.12] has quit [Ping timeout: 252 seconds]
09:29 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 252 seconds]
09:29 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 252 seconds]
09:29 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 252 seconds]
09:29 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 252 seconds]
09:29 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has quit [Ping timeout: 252 seconds]
09:29 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 252 seconds]
09:29 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
09:29 -!- HectorBarbossa_ [uid7850@gateway/web/irccloud.com/x-yjisjjhheczncgbf] has quit [Ping timeout: 252 seconds]
09:29 -!- kwork [~georg@unaffiliated/kwork] has quit [Ping timeout: 252 seconds]
09:29 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
09:29 -!- Devastator [~devas@177.18.199.164] has joined #openvpn
09:29 -!- conroe [~conroe@gateway/tor-sasl/conroe] has joined #openvpn
09:29 -!- WinstonSmith [~WinstonSm@bl7-45-145.dsl.telepac.pt] has quit [Changing host]
09:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
09:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
09:30 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has joined #openvpn
09:30 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 252 seconds]
09:30 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Ping timeout: 252 seconds]
09:30 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
09:30 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
09:30 -!- mode/#openvpn [+o vpnHelper] by ChanServ
09:30 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:30 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
09:30 -!- riddle [riddle@us.yunix.net] has joined #openvpn
09:30 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
09:30 -!- HectorBarbossa__ is now known as HectorBarbossa_
09:31 -!- mete [~mete@91.247.253.160] has joined #openvpn
09:31 -!- matsh [divine@nanogene.org] has joined #openvpn
09:31 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has joined #openvpn
09:31 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
09:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-oiyxqffeyubexdfg] has joined #openvpn
09:31 -!- conroe [~conroe@gateway/tor-sasl/conroe] has quit [Client Quit]
09:31 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
09:31 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
09:32 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
09:32 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
09:32 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
09:33 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
09:33 -!- joshu__ [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
09:33 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:34 -!- master_of_master [~master_of@p4FF2494D.dip0.t-ipconnect.de] has joined #openvpn
09:34 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:35 -!- Rallias [~Rallias@i.am.lacking.clothing] has joined #openvpn
09:35 -!- ikrabbe [ingo@pdpc/supporter/professional/ikrabbe] has quit [Ping timeout: 264 seconds]
09:35 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has joined #openvpn
09:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:35 -!- esde [~esde@107.150.1.2] has joined #openvpn
09:35 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
09:35 -!- 17SAAH9BD [~james@108.170.5.74] has joined #openvpn
09:35 -!- 17SAAH9F6 [~quassel@151.228.130.67] has joined #openvpn
09:35 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
09:35 -!- digilink- [~digilink@irc.stephennet.net] has joined #openvpn
09:35 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
09:36 -!- omri [~omrib@unaffiliated/omri] has quit [Ping timeout: 262 seconds]
09:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
09:37 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
09:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:37 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Excess Flood]
09:37 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Excess Flood]
09:37 -!- esde [~esde@107.150.1.2] has quit [Excess Flood]
09:37 -!- Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
09:37 -!- ikrabbe [ingo@pdpc/supporter/professional/ikrabbe] has joined #openvpn
09:37 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
09:37 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
09:38 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
09:39 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
09:39 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
09:39 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
09:39 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
09:39 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:41 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has quit [Write error: Broken pipe]
09:41 -!- Rallias [~Rallias@i.am.lacking.clothing] has quit [Read error: Operation timed out]
09:42 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Read error: Operation timed out]
09:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
09:42 -!- mcp [~mcp@wolk-project.de] has quit [Read error: Operation timed out]
09:42 -!- kwork_ [~georg@no.life.ee] has quit [Write error: Broken pipe]
09:42 -!- Stew-a [~Stewart@unaffiliated/stew-a/x-2962361] has quit [Read error: Operation timed out]
09:42 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Read error: Operation timed out]
--- Log closed Sat Feb 22 09:43:13 2014
--- Log opened Sat Feb 22 10:13:51 2014
10:13 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
10:13 -!- Irssi: #openvpn: Total of 145 nicks [5 ops, 0 halfops, 1 voices, 139 normal]
10:13 -!- mode/#openvpn [+o ecrist] by ChanServ
10:13 <@krzee> hi
10:13 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
10:14 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
10:14 -!- stickpin [~b@173.244.215.195] has joined #openvpn
--- Log closed Sat Feb 22 10:18:22 2014
--- Log opened Sat Feb 22 18:15:40 2014
18:15 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
18:15 -!- Irssi: #openvpn: Total of 171 nicks [3 ops, 0 halfops, 0 voices, 168 normal]
18:15 -!- mode/#openvpn [+o ecrist] by ChanServ
18:16 <@ecrist> hi
18:16 -!- Irssi: Join to #openvpn was synced in 37 secs
18:16 <@ecrist> yjod od ejsy oy ;ppld ;olr ejrm upit gomhrtd str pm yjr etpmh lrud/
18:16 <@ecrist> this is what it looks like when your fingers are on the wrong keys.
18:19 -!- Netsplit *.net <-> *.split quits: kossy
18:19 -!- havoc__ [~havoc@neptune.chaillet.net] has joined #openvpn
18:19 -!- havoc__ [~havoc@neptune.chaillet.net] has quit [Client Quit]
18:21 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
18:36 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
18:54 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 264 seconds]
18:58 -!- ISmithers [~ISmithers@59.167.114.131] has joined #openvpn
18:59 < ISmithers> If I am trying to connect to a VPN and get an error, "Not an Access Server" does this mean I have the wrong client?
18:59 <@ecrist> yup
18:59 < ISmithers> Where do I get the right client from then? I can't find it.
18:59 <@ecrist> you downloaded access server client, and not the openvpn open source client
18:59 <@ecrist> !download
18:59 <@ecrist> fucking bot
18:59 <@ecrist> hang on
19:00 < ISmithers> Lol, thanks.
19:00 < ISmithers> Seriously everything I search for, brings me to the same msi for the Access Server cl.ient.
19:00 < ISmithers> client* even
19:00 <@ecrist> basically, go to openvpn.net, click on "community", click on downloads, and select the open source link
19:00 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:00 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:00 <@ecrist> it's really not that hard
19:00 <@ecrist> !download
19:00 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
19:00 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
19:01 < ISmithers> OK so this one: http://grab.by/uzGm
19:01 <@vpnHelper> Title: TinyGrab - Simple. Screenshot. Sharing. (at grab.by)
19:02  * ecrist doesn't click strange links
19:02 < ISmithers> It's a tinygrab link.
19:03 < ISmithers> Im sure I downloaded that one just now.
19:03 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:03 < ISmithers> If you won't click the link, then this file openvpn-install-2.3.2-I003-x86_64.exe is the one?
19:03 <@ecrist> yup
19:03 < ISmithers> Okey...
19:04 < ISmithers> Which components are requried?
19:04 < ISmithers> Going with defaults.
19:16 < ISmithers> In the OpenVPN config files, why are some lines started with a ;
19:28 -!- ISmithers [~ISmithers@59.167.114.131] has left #openvpn []
19:35 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
19:35 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
19:35 -!- dren_ [dren@69.163.43.34] has joined #openvpn
19:35 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:35 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
19:35 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
19:35 -!- busch [~busch@datenschleuder.com] has joined #openvpn
19:35 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
19:35 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
19:35 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-jasvuxrmsnuozaen] has joined #openvpn
19:35 -!- fred`` [fred@earthli.ng] has joined #openvpn
19:35 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
19:35 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
19:35 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
19:35 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
19:35 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
19:35 -!- Guest48705 [~reinis@79.132.67.157] has joined #openvpn
19:35 -!- ServerMode/#openvpn [+v hazardous] by kornbluth.freenode.net
19:35 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Max SendQ exceeded]
19:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:55 -!- joshh20-Away is now known as joshh20
20:03 -!- itaddercloud [uid4697@gateway/web/irccloud.com/session] has quit [Quit: Connection closed for inactivity]
20:21 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:27 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 272 seconds]
20:34 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
20:44 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 272 seconds]
20:45 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
20:45 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
20:47 -!- test4 [~vaido@254.123.191.90.dyn.estpak.ee] has left #openvpn []
20:48 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 252 seconds]
20:53 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
20:53 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
20:54 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
20:58 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 272 seconds]
20:58 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
21:03 -!- pentiumone133 [will@173.243.115.75] has quit [Remote host closed the connection]
21:03 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
21:07 -!- Nothing4You [N4Y@w.tf-w.tf] has quit [Ping timeout: 260 seconds]
21:11 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
21:15 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
21:15 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
21:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:20 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
21:22 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
21:25 -!- pentiumone133 [will@173.243.115.75] has quit [Read error: Connection reset by peer]
21:26 -!- pentiumone133 [~will@173.243.115.75] has joined #openvpn
21:44 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
21:56 -!- joshh20 is now known as joshh20-Away
22:06 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:10 -!- noobboob [uid5587@gateway/web/irccloud.com/session] has joined #openvpn
22:26 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:39 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Excess Flood]
22:42 -!- pa__ [~pa@host41-135-dynamic.60-82-r.retail.telecomitalia.it] has joined #openvpn
22:42 -!- linlin [will@173.243.115.75] has joined #openvpn
22:45 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
22:48 -!- james41382 [~james@unaffiliated/james41382] has quit [Write error: Connection reset by peer]
22:48 -!- pentiumone133 [~will@173.243.115.75] has quit [Write error: Broken pipe]
22:48 -!- pa [~pa@unaffiliated/pa] has quit [Write error: Connection reset by peer]
22:48 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Write error: Broken pipe]
22:52 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
22:53 -!- pa__ [~pa@host41-135-dynamic.60-82-r.retail.telecomitalia.it] has quit [Read error: Connection timed out]
22:54 -!- pa__ [~pa@host41-135-dynamic.60-82-r.retail.telecomitalia.it] has joined #openvpn
22:56 -!- Netsplit *.net <-> *.split quits: MacGyver, ngharo, Guest48705, dren_, red_racer12_, ender|, Martin`, Olipro, pnielsen, Chrisje,  (+7 more, use /NETSPLIT to show all of them)
23:07 -!- Netsplit over, joins: ender|, +hazardous, dren_, seba, lowkey, MacGyver, busch, ngharo, Martin`, red_racer12_ (+6 more)
23:09 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
23:10 -!- b00gz___ [uid6869@gateway/web/irccloud.com/session] has joined #openvpn
23:11 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
23:12 -!- Netsplit *.net <-> *.split quits: joshh20-Away, mcp, thumbs, Six6siX, @krzee, mete, Linmu, tapout, omrib, mitz,  (+16 more, use /NETSPLIT to show all of them)
23:25 -!- ISmithers [~ISmithers@59.167.114.131] has joined #openvpn
23:26 < ISmithers> Guys what does this error mean:  TLS Error: client->client or server->server connection attempted from [AF_INET] xx.xx.xx.xx
23:26 -!- kantlive- [~kantlivel@home.kantlivelong.com] has joined #openvpn
23:26 -!- Netsplit over, joins: krzee, tapout, mitz, dogewaat
23:26 -!- mete [~mete@91.247.253.160] has joined #openvpn
23:26 -!- Netsplit over, joins: troyt, mcp, Fruckiwacki, thumbs, Six6siX, omrib, AsadH, novaflash, MeanderingCode, joshh20-Away (+5 more)
23:26 -!- ServerMode/#openvpn [+o krzee] by kornbluth.freenode.net
23:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:27 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
23:31 < ISmithers> Anyone?
23:32 <@krzee> whats the question?
23:33 < ISmithers> Guys what does this error mean:  TLS Error: client->client or server->server connection attempted from [AF_INET] xx.xx.xx.xx
23:33 <@krzee> it says "client->client or server->server connection" ?
23:33 < ISmithers> Yeah
23:33 < ISmithers> Exactly as written other than the masked ip
23:34 -!- ISmithers [~ISmithers@59.167.114.131] has quit [Quit: ~ Trillian - www.trillian.im ~]
23:34 <@krzee> never seen something like that, post your configs
23:34 <@krzee> lol
23:35 -!- ISmithers [~ISmithers@59.167.114.131] has joined #openvpn
23:35 < ISmithers> Sorry, got disconnected.
23:35 <@krzee> never seen something like that, post your configs
23:35 <@krzee> !configs
23:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
23:39 -!- liriel [~liriel@198.154.114.106] has quit [Ping timeout: 245 seconds]
23:44 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
23:49 -!- levifig [~levifig@hakr.io] has joined #openvpn
23:49 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
23:49 -!- sauce [sauce@173.2.173.32] has joined #openvpn
23:49 -!- mattock [~mattock@2607:5300:60:d5a::2] has joined #openvpn
23:49 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
23:49 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
23:49 -!- nunim [nunim@irc.sonicboxes.net] has joined #openvpn
23:49 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
23:49 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
23:49 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
23:49 -!- levifig [~levifig@hakr.io] has quit [Max SendQ exceeded]
23:49 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
23:49 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:49 -!- mode/#openvpn [+o raidz] by ChanServ
23:49 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Changing host]
23:49 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:49 -!- mode/#openvpn [+o mattock] by ChanServ
23:49 -!- sauce [sauce@173.2.173.32] has quit [Changing host]
23:49 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
23:50 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
23:52 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
23:52 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
23:52 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
23:52 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
23:52 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
23:55 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
23:56 -!- levifig [~levifig@hakr.io] has joined #openvpn
--- Day changed Sun Feb 23 2014
00:00 -!- ISmithers [~ISmithers@59.167.114.131] has quit [Read error: Connection reset by peer]
00:00 -!- ISmithers [~ISmithers@59.167.114.131] has joined #openvpn
00:06 -!- ISmithers [~ISmithers@59.167.114.131] has left #openvpn []
00:22 -!- megaTherion [~therion@unix.io] has quit [Ping timeout: 264 seconds]
00:25 -!- megaTherion [~therion@unix.io] has joined #openvpn
00:32 -!- hjohnson [~hans@S0106000db917e89a.vc.shawcable.net] has left #openvpn []
00:36 -!- kantlive- [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 272 seconds]
00:42 -!- noobboob [uid5587@gateway/web/irccloud.com/session] has quit [Quit: Connection closed for inactivity]
00:47 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
00:51 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:01 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
01:01 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Client Quit]
01:05 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
01:06 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 264 seconds]
01:13 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
01:14 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
01:30 -!- jeev [~j@162.248.241.234] has joined #openvpn
01:30 -!- jeev [~j@162.248.241.234] has quit [Changing host]
01:30 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
01:39 -!- pjschmitt [~parker@unaffiliated/schmitt953] has quit [Ping timeout: 264 seconds]
01:39 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
01:56 -!- mybit [~mybit@184.75.214.226] has joined #openvpn
01:56 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
02:00 -!- __FBi [B@what.are.you.doing.plzdonthack.us] has quit [Quit: ZNC - http://znc.in]
02:00 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
02:01 < mybit> !welcome
02:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:06 < mybit> I'm having issues using openvpn as a client on a vps. When I start the vpn connection, it disconnects my ssh connection to the vps.
02:11 <@krzee> redirecting internet over the vpn i take it
02:11 <@krzee> !splitroute
02:11 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
02:12 <@krzee> you need policy routing so your ssh session to $vps_ip continues routing as normal and does not attempt to route back over the vpn
02:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
02:17 < mybit> thank you krzee
02:21 -!- roentgen [~irc@89.46.129.178] has joined #openvpn
02:21 -!- roentgen [~irc@89.46.129.178] has quit [Changing host]
02:21 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
02:27 <@krzee> np
02:28 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
02:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-rcectmyngxxahrto] has joined #openvpn
02:28 -!- tempus_fol [~tempus@unaffiliated/tempusfol] has joined #openvpn
02:28 -!- b00gz___ [uid6869@gateway/web/irccloud.com/session] has quit [Changing host]
02:28 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-ghaldzbquieicszx] has joined #openvpn
02:29 -!- dogewaat [uid3966@gateway/web/irccloud.com/session] has quit [Changing host]
02:29 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-npimcduiwhcmlamt] has joined #openvpn
02:29 -!- tempus_fol [~tempus@unaffiliated/tempusfol] has quit [Changing host]
02:29 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
02:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:33 -!- mybit [~mybit@184.75.214.226] has quit [Quit: Leaving]
02:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
02:57 -!- _jareth_ is now known as jareth_
03:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
03:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:38 -!- linuxthefish [~linuxthef@linuxthefish.net] has quit [Changing host]
03:38 -!- linuxthefish [~linuxthef@unaffiliated/edmundf] has joined #openvpn
03:43 -!- makara [~makara@105-208-243-136.access.mtnbusiness.co.za] has joined #openvpn
03:56 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
04:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
04:04 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
04:25 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:27 -!- kossy [a@kossy.org] has joined #openvpn
04:28 -!- kossy [a@kossy.org] has quit [Max SendQ exceeded]
04:33 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
04:35 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:35 < funyun> hi. can anyone help me setup a vpn?
04:38 -!- kossy [a@kossy.org] has joined #openvpn
04:40 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
04:41 -!- lvv [~loganaden@41.136.77.129] has joined #openvpn
04:46 < funyun> what do i change KEY_NAME=changeme to?
05:03 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
05:07 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:24 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:25 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
05:35 -!- roentgen_ [~irc@89.46.129.178] has joined #openvpn
05:37 -!- frank-- [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
05:37 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
05:39 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has joined #openvpn
05:39 < funyun> anyone here use openvpn?
05:40 -!- novaflash_away [~novaflash@its.novaflash.nl] has joined #openvpn
05:40 -!- gardar- [~gardar@bnc.giraffi.net] has joined #openvpn
05:40 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
05:40 -!- MeanderingCode_ [~Meanderin@palantir.aetherislands.net] has joined #openvpn
05:42 -!- Netsplit *.net <-> *.split quits: joshh20-Away, @vpnHelper, mcp, thumbs, Six6siX, @krzee, mete, dradec, Linmu, tapout,  (+34 more, use /NETSPLIT to show all of them)
05:42 -!- MeanderingCode_ is now known as MeanderingCode
05:42 -!- Netsplit over, joins: grep0r
05:43 -!- novaflash_away is now known as novaflash
05:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
05:49 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
05:49 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
05:51 -!- lvv [~loganaden@41.136.77.129] has quit [Quit: lvv]
05:52 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
05:53 -!- HectorBarbossa__ [uid7850@gateway/web/irccloud.com/x-onudlwntnswuwgko] has joined #openvpn
06:00 -!- HectorBarbossa__ [uid7850@gateway/web/irccloud.com/x-onudlwntnswuwgko] has quit []
06:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fkapfjznhnqnmhpg] has joined #openvpn
06:02 -!- lvv [~loganaden@41.136.77.129] has joined #openvpn
06:02 < funyun> hi. can anyone here help me setup a vpn? i've been trying tutorials with no luck
06:03 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
06:03 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
06:03 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:03 -!- nunim [nunim@irc.sonicboxes.net] has joined #openvpn
06:03 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
06:03 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
06:03 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:03 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
06:03 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
06:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
06:03 -!- megaTherion_ [~therion@unix.io] has joined #openvpn
06:03 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has joined #openvpn
06:03 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
06:03 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
06:03 -!- emid_ [~emid@192.241.162.156] has joined #openvpn
06:03 -!- mete- [~mete@91.247.253.160] has joined #openvpn
06:03 -!- kantlive- [~kantlivel@home.kantlivelong.com] has joined #openvpn
06:03 -!- levifig [~levifig@hakr.io] has joined #openvpn
06:03 -!- linuxthefish [~linuxthef@185.17.148.101] has joined #openvpn
06:03 -!- makara [~makara@105-208-243-136.access.mtnbusiness.co.za] has joined #openvpn
06:03 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
06:03 -!- omrib_ [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
06:03 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
06:03 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
06:03 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
06:03 -!- ServerMode/#openvpn [+oo raidz mattock] by kornbluth.freenode.net
06:06 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
06:10 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
06:16 -!- u0m3_ [~u0m3@92.80.86.213] has joined #openvpn
06:20 -!- u0m3 [~u0m3@92.80.76.193] has quit [Ping timeout: 264 seconds]
06:20 -!- lvv [~loganaden@41.136.77.129] has quit [Quit: lvv]
06:24 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
06:27 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
06:42 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
06:42 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
06:42 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
06:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
07:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:06 -!- MatToufoutu [~MaT@nl.h6r.org] has joined #openvpn
07:06 -!- MatToufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
07:10 -!- roentgen_ [~irc@89.46.129.178] has quit [Remote host closed the connection]
07:11 -!- frank-- [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
07:11 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
07:11 -!- frank-- is now known as thumbs
07:21 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
07:34 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:35 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:36 -!- joshh20 is now known as joshh20-Away
07:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
07:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:00 -!- makara [~makara@105-208-243-136.access.mtnbusiness.co.za] has quit [Ping timeout: 265 seconds]
08:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fkapfjznhnqnmhpg] has quit [Quit: Connection closed for inactivity]
08:12 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
08:13 -!- Guest51725 [~exa@v22013091132414614.yourvserver.net] has quit [Quit: Guest51725]
08:13 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
08:15 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
08:16 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:23 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
08:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:24 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:26 -!- Transfusion [Transfusio@trivialand/master/transfusion] has joined #openvpn
08:28 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
08:42 -!- pa__ is now known as pa
08:42 -!- pa [~pa@host41-135-dynamic.60-82-r.retail.telecomitalia.it] has quit [Changing host]
08:42 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
08:45 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:01 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Remote host closed the connection]
09:01 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
09:19 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 264 seconds]
09:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
09:24 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
09:25 -!- penryn [~penryn@gateway/tor-sasl/penryn] has joined #openvpn
09:28 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
09:28 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
09:33 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
09:44 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
09:45 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
09:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:11 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
10:27 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
10:33 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:35 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Quit: Byebye]
10:38 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
10:41 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Remote host closed the connection]
10:41 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
10:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
10:47 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
10:53 -!- joshh20-Away is now known as joshh20
10:56 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has joined #openvpn
10:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:56 -!- mode/#openvpn [+o krzee] by ChanServ
10:56 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-anjqniamejashpal] has joined #openvpn
10:56 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
10:58 <@Eugene> !howto
10:58 -!- penryn [~penryn@gateway/tor-sasl/penryn] has quit [Quit: penryn]
10:58 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
10:58 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
10:58 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:00 <@krzee> !howto
11:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
11:00 <@krzee> (bot wasnt back yet)
11:01 -!- u0m3_ is now known as u0m3
11:02 <@Eugene> !whoami
11:02 <@vpnHelper> I don't recognize you.
11:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:04 -!- kantlive- [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 265 seconds]
11:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:07 <@krzee> !whoami
11:07 <@vpnHelper> support
11:08 <@Eugene> !whosyourdaddy
11:08 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Remote host closed the connection]
11:13 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
11:28 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has joined #openvpn
11:29 < jl-> I set up an openvpn server behind my router and I can connect from within the network but not outside over the internet
11:29 < jl-> I did enable portforwarding on my router and it works for ssh connections but not vpn
11:30 <@ecrist> try again?
11:30 < jl-> the only thing I changed when connecting from outside was in the config.ovpn I entered the internet ip and to-be-forwarded-port
11:30 <@ecrist> what does the server log show?
11:30 < jl-> tls handshake failed
11:35 -!- jl-_ [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has joined #openvpn
11:35 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has quit [Write error: Broken pipe]
11:36 < jl-_> sorry I had a disconnect, not sure if anyone replied
11:37 < jl-_> it says the tls handshake failed
11:37 <@ecrist> the SERVER log, not the client
11:37 <@Eugene> My guess is you're forwarding TCP and not UDP.
11:37 <@ecrist> that's a good guess
11:37 < jl-_> forwarding both
11:37  * Eugene uses psychotic powers
11:37 < jl-_> before I had just UDP
11:39 < jl-_> the server log, would that be in /var/log/openvpn-status.log ?
11:39 <@ecrist> if that's where you put it
11:39 <@ecrist> !configs
11:39 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:39 < jl-_> status /var/log/openvpn-status.log
11:39 <@ecrist> that's status, not the log
11:40 < jl-_> found it
11:41 < jl-_> http://paste.debian.net/hidden/5cc4b339/
11:41 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
11:42 <@ecrist> wtf is that?
11:42 <@ecrist> configs, please?
11:43 < jl-_> http://paste.debian.net/hidden/49768db2/
11:43 < jl-_> it works fine from within the network
11:43 < jl-_> but not outside
11:44 <@ecrist> yeah, you said that
11:44 < jl-_> :)
11:44 <@ecrist> on your router/firewall, do you have UDP port 5151 forwarded to your openvpn server?
11:44 -!- instigator [~instigato@ti-225-26-191.telkomadsl.co.za] has joined #openvpn
11:45 < jl-_> I have 5454 forwarding to 5151 so I try to connect to 5454 with openvpn --config.ovpn (where I have entered the internet ip and 5454)
11:45 <@Eugene> And there's your problem.
11:45 < jl-_> hmm
11:45 <@ecrist> your router needs to accepting incoming connections on UDP port 5151 and forward them to your openvpn server's UDP port 5151
11:46 <@ecrist> fwiw, this is'nt an openvpn, but a networking 101 problem.
11:46 <@Eugene> UDP != TCP; port-changing on the forward doesn't work well.
11:46 < jl-_> ineresting
11:46 < jl-_> it works fine for ssh but I suppose that's because it's tcp
11:46 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
11:46 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
11:46 <@ecrist> modifying the port isn't so much the problem
11:47 <@ecrist> it's when you don't know what the fuck you're doing, and then you try to be tricky like that, that exacerbates the problem.
11:47 < jl-_> somebody needs coffee
11:48 -!- jl-_ was kicked from #openvpn by Eugene [Somebody needs to learn how to take free support and say Thank You, Sir.]
11:48 <@ecrist> I have whiskey
11:48 <@ecrist> lol
11:48 <@Eugene> I have a 4-hour airplane ride. :-|
11:48 -!- jl-_ [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has joined #openvpn
11:48 < jl-_> thanks for the help guys
11:48 <@ecrist> :)
11:49 <@ecrist> if you think we're bad, try to write some perl and join #perl with a question
11:49 < instigator> elo. I have an openvpn server running on my pi and can connect using android phone by importing client key and certificate and ovpn file
11:49  * jl-_ is also on a pi
11:49 < instigator> is it possible to import ovpn file in windows desktop client?
11:50 < jl-_> brb
11:50 -!- jl-_ [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has quit [Quit: Caught sigterm, terminating...]
11:50 <@ecrist> instigator: kinda
11:50 < instigator> so I can connect to pi server from windows pc?
11:50 <@Eugene> You don't "import" it into the client, so much as right-click and run
11:50 <@ecrist> you need to take that config and put it in the c:\program files\openvpn\configs dir
11:50 <@Eugene> !win_shortcut
11:50 <@Eugene> !factoids search shortcut
11:50 <@vpnHelper> "winshortcut" is To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
11:50 < instigator> reason i asked was cause download page says windows client only works wit OpenVPN Access Server
11:51 <@Eugene> You've stumbled across the wrong download
11:51 <@Eugene> !download
11:51 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
11:51 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
11:51 <@Eugene> Common mistake. Uninstall what you have.
12:06 -!- klein_ [~klein@177.101.109.136] has joined #openvpn
12:06 -!- klein_ [~klein@177.101.109.136] has quit [Changing host]
12:06 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
12:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:14 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has joined #openvpn
12:14 < jl-> got it to work - restarting the d would be a good idea
12:15 < jl-> I also added these iptable rules: http://paste.debian.net/83657/
12:16 < jl-> I'm hoping they aren't too permissive
12:28 < jl-> :>
12:31 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 246 seconds]
12:31 -!- joshh20 is now known as joshh20-Away
12:32 < instigator> I created shortcut by adding openvpn shortcut path with my config argument, as vpnHelper told me so. it created the shortcut. but when i launch it an error appears
12:32 < instigator> "error creating HKLM\SOFTWARE\OpenVPN-GUI key
12:32 < instigator> looks like its to do with registry
12:34 < pekster> You didn't run it as an "administrator" so it can't touch "sensistive" parts of your OS/registry
12:34 < pekster> UAC requires you elevate when doing admin tasks
12:35 < instigator> oh ya
12:35 < instigator> it loaded now
12:35 < instigator> thanks
12:35 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Quit: leaving]
12:39 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
12:40 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
12:41 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has joined #openvpn
12:41 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Excess Flood]
12:42 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
12:42 < jl-> how do I ensure that, say the connection to my vpn breaks, my browser won't use the local network for dns lookups or any browsing
12:43 < pekster> Not really a VPN problem. Write firewall rules that do what you want
12:44 < jl-> I'm so pumped for my openvpn server :D
12:44 < jl-> <3 raspberrypi
12:44 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
12:55 -!- instigator [~instigato@ti-225-26-191.telkomadsl.co.za] has left #openvpn []
12:57 -!- erin [~erin@c-76-126-112-7.hsd1.ca.comcast.net] has joined #openvpn
12:59 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
13:01 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
13:10 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:11 -!- jl-_ [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has joined #openvpn
13:12 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:12 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:14 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has quit [Quit: Disconnecting from stoned server.]
13:14 -!- u0m3 [~u0m3@92.80.86.213] has quit [Read error: Connection reset by peer]
13:14 -!- jl-_ is now known as jl-
13:21 -!- master_of_master [~master_of@p4FF24F97.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
13:25 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
13:29 -!- master_of_master [~master_of@p4FF240D8.dip0.t-ipconnect.de] has joined #openvpn
13:34 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
13:39 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
13:44 -!- tharkun [~0@187.188.94.182] has joined #openvpn
13:44 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
13:44 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
13:46 -!- prettyrobots is now known as Guest79234
13:48 -!- Martin`_ [martin@shell.ipv6.octocore.net] has joined #openvpn
13:48 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:48 -!- MacGyver_ [~MacGyver@sog.polvanaubel.com] has joined #openvpn
13:50 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Write error: Broken pipe]
13:50 -!- Martin`_ is now known as Martin`
13:50 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Write error: Broken pipe]
13:50 -!- Guest48705 [~reinis@79.132.67.157] has quit [Write error: Broken pipe]
13:50 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Write error: Broken pipe]
13:50 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has quit [Ping timeout: 330 seconds]
13:50 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 330 seconds]
13:50 -!- dren_ [dren@69.163.43.34] has quit [Ping timeout: 330 seconds]
13:50 -!- lowkey [lowkey@hydra-bom.aufbix.org] has quit [Ping timeout: 330 seconds]
13:50 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
13:51 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Remote host closed the connection]
13:51 -!- dren_ [~dren@69.163.43.34] has joined #openvpn
13:52 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
13:52 -!- lowkey [lowkey@hydra-bom.aufbix.org] has joined #openvpn
13:53 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
13:53 -!- slikts [~reinis@79.132.67.157] has joined #openvpn
13:53 -!- slikts [~reinis@79.132.67.157] has quit [Changing host]
13:53 -!- slikts [~reinis@wikipedia/reinis] has joined #openvpn
14:03 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
14:06 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
14:13 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
14:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:18 -!- joshh20-Away is now known as joshh20
14:21 -!- Netsplit *.net <-> *.split quits: Guest79234, tharkun, bogie
14:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
14:26 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
14:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
14:26 -!- Netsplit over, joins: bogie
14:27 -!- Netsplit over, joins: tharkun
14:27 -!- prettyrobots is now known as Guest17579
14:37 -!- klein_ [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
14:58 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
14:58 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 244 seconds]
14:59 -!- megaTherion_ is now known as megaTherion
15:00 -!- makara [~makara@105-208-250-216.access.mtnbusiness.co.za] has joined #openvpn
15:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
15:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
15:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ
15:08 -!- makara [~makara@105-208-250-216.access.mtnbusiness.co.za] has quit [Ping timeout: 240 seconds]
15:11 -!- Guest17579 is now known as prettyrobots
15:13 -!- instigator [~synthesis@ti-225-26-191.telkomadsl.co.za] has joined #openvpn
15:13 < instigator> Which cipher is most secure: triple-DES or AES?
15:14 -!- jeezy [~zx@bitchx/apple/jeezy] has joined #openvpn
15:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
15:15 < jeezy> does anyone have openvpn client running on netbsd 6.x ?
15:15 < jeezy> i get the following http://pastebin.com/RupiDXtA
15:16 -!- Guest88807 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
15:17 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:29 -!- erin [~erin@c-76-126-112-7.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
15:52 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:57 < pekster> jeezy: If the expected system code isn't available to detect the default gateway for your uplink device on your platform, you'd have to handle anything that needs it manually
15:58 < pekster> Things like --redirect-gateway can be expanded manually with the right --route commands, for instance
15:58 < pekster> If you're not doing things that require special routes involving your pre-existing default gateway, happily ignore it; it's a NOTICE only
16:02 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
16:13 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
16:13 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
16:13 -!- mode/#openvpn [+o novaflash] by ChanServ
16:22 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
16:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:26 -!- goldkatze_ is now known as goldkatze
16:26 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
16:26 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
16:27 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 265 seconds]
16:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:48 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
17:03 -!- penryn [~penryn@gateway/tor-sasl/penryn] has joined #openvpn
17:05 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-uqjqimtxasofgkpp] has joined #openvpn
17:08 -!- instigator [~synthesis@ti-225-26-191.telkomadsl.co.za] has quit [Remote host closed the connection]
17:09 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
17:12 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
17:19 -!- joshh20 is now known as joshh20-Away
17:22 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
17:30 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
17:39 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
17:39 < traph> hey everyone
17:39 < traph> I'm having a problem
17:40 < traph> linux openvpn client connects fine, but when entring username and password on a windows openvpn client a message appears saying "not an access server"
17:40 < traph> openvpn server works perfectly
17:42 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
17:42 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
17:46 < pekster> You downloaded the wrong thing
17:46 < pekster> !download
17:46 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:46 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:47 < pekster> See also: !connect
18:03 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
18:04 < jeezy> pekster even upon ignoring it still doesnt connect, may have to use --redirect-gateway once i figure out the proper syntax
18:24 -!- penryn [~penryn@gateway/tor-sasl/penryn] has quit [Quit: penryn]
18:29 -!- joshh20-Away is now known as joshh20
18:47 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Ping timeout: 240 seconds]
18:49 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has joined #openvpn
18:49 -!- Netsplit *.net <-> *.split quits: mauww, thumbs, kossy, propheticsquiddy, Fruckiwacki, traph, slikts, MeanderingCode, phunyguy, master_of_master
18:50 -!- Netsplit over, joins: traph, Fruckiwacki, propheticsquiddy, master_of_master, mauww, thumbs
18:51 -!- slikts [~reinis@79.132.67.157] has joined #openvpn
18:51 -!- slikts [~reinis@79.132.67.157] has quit [Changing host]
18:51 -!- slikts [~reinis@wikipedia/reinis] has joined #openvpn
18:53 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:53 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 245 seconds]
18:55 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
18:55 -!- kossy [a@kossy.org] has joined #openvpn
18:57 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
19:08 -!- u0m3 [~u0m3@92.80.86.213] has joined #openvpn
19:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-uqjqimtxasofgkpp] has quit [Quit: Connection closed for inactivity]
19:13 < funyun> hi. can someone help me set up a vpn? i've been at it for a full day now with no luck :'(
19:16 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Remote host closed the connection]
19:16 <@ecrist> !howto
19:16 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:17 <@ecrist> !man
19:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:17 < funyun> did all of that. even tried 4 tutorials
19:17 <@ecrist> so, show me what you've got so far
19:17 <@ecrist> !config
19:17 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
19:17 < funyun> okay
19:17 <@ecrist> !configs
19:17 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:19 < funyun> ecrist: for config, do you mean the config for client?
19:19 <@ecrist> for the server, and the client
19:19 <@ecrist> !logs
19:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:20 < funyun> ecrist: http://pastebin.com/nd5YPzd2
19:20 < funyun> config
19:21 <@ecrist> that's the client config
19:21 <@ecrist> I need the server config, as well.
19:22 < funyun> ecrist: i don't have a .conf file for server. maybe that's my problem? or does it not have the .conf extension?
19:22 <@ecrist> where is your openvpn server?
19:22 <@ecrist> how is it running?
19:22 < funyun> dedicated amazon server
19:23 <@ecrist> and how did you start openvpn?
19:23 < funyun> i thought it autostarts?
19:24 <@ecrist> if you configured it to
19:24 <@ecrist> if you don't even have an openvpn server config, I doubt you set it up to start automatically
19:24 < funyun> i think i did. i've tried so many tutorials
19:24 < funyun> i'll paste the files i have
19:24 <@ecrist> what kind of server is it?  linux/bsd?
19:24 < funyun> linux
19:25 < funyun> debian
19:25 <@ecrist> ps auxwww | grep vpn
19:25 <@ecrist> run that on the cli of the server
19:26 < funyun> ecrist: http://pastebin.com/ixBkQCwX
19:26 <@ecrist> I don't really care about those
19:26 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
19:26 < funyun> ecrist: admin     5182  0.0  0.0   7832   876 pts/0    S+   01:26   0:00 grep vpn
19:27 <@ecrist> so, no, openvpn is not running
19:27 <@ecrist> you do not, it seems have a vpn config
19:27 <@ecrist> read the howto link, above, and devise a server.conf
19:29 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Operation timed out]
19:30 -!- penryn [~penryn@gateway/tor-sasl/penryn] has joined #openvpn
19:31 -!- penryn [~penryn@gateway/tor-sasl/penryn] has quit [Remote host closed the connection]
19:36 < funyun> ecrist: so this is what i need, correct? http://openvpn.net/index.php/open-source/documentation/howto.html#examples
19:36 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:37 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
19:38 -!- joshh20 is now known as joshh20-Away
19:43 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:43 < funyun> ecrist: here's my server config http://pastebin.com/B52xxBbA
19:47 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
19:50 < funyun> ecrist: okay. it is on and working. but, my ip is still the same on client
19:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:10 < jeezy> hello, i am having the following error http://pastebin.com/RupiDXtA and this is my ifconfig output http://pastebin.com/pngjwK0G
20:10 < jeezy> need a bit of help, cannot figure out what is going on
20:11 < jeezy> i recv the Sun Feb 23 15:07:40 2014 Initialization Sequence Completed message but for some reason im not behind the vpn
20:14 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 252 seconds]
20:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:23 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
20:53 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
20:54 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:09 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
21:26 < funyun> hi. my vpn isn't changing my ip. can anyone help me fix that?
21:26 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
21:51 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
22:56 < jeezy> that's what's happening to me !
22:59 -!- levifig is now known as levifig_
23:00 -!- levifig__ [sid1908@gateway/web/irccloud.com/x-exmfjqtbhtzgsfnl] has joined #openvpn
23:03 -!- levifig__ is now known as levifig
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:35 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:52 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-ghaldzbquieicszx] has quit [Quit: Connection closed for inactivity]
--- Day changed Mon Feb 24 2014
00:02 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:04 < funyun> hi. my vpn isn't changing my ip. can anyone help me fix that?
00:12 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 265 seconds]
00:19 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: later]
00:27 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-gwqlfefpsnsduywf] has joined #openvpn
00:28 -!- corretico_ [~luis@190.5.215.146] has quit [Remote host closed the connection]
00:29 < jeezy> funyun: openvpn?
00:29 < jeezy> im getting the same exact issue http://pastebin.com/RupiDXtA
00:29 < jeezy> i believe that's what is causing it, but cant figure it out
00:29 < jeezy> s/openvpn/netbsd/
00:33 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 245 seconds]
00:33 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
00:39 < funyun> jeezy: i'm not getting that error
00:40 < funyun> mine says it connects, but my ip doesn't change
00:49 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
00:51 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:51 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
00:52 < funyun> anyone have any ideas?
00:53 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:06 < funyun> i think there's something wrong in my configs
01:09 < jeezy> ah
01:15 -!- funyun_ [~temp@ec2-54-84-37-194.compute-1.amazonaws.com] has joined #openvpn
01:17 -!- dimitry7 [~antonello@189.190.153.63] has joined #openvpn
01:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
01:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:30 -!- instigator1 [~instigato@ti-225-26-191.telkomadsl.co.za] has joined #openvpn
01:32 < instigator1> hello. I have installed openvpn on my pc and android phone. It connects successfully using default cipher (blowfish) but when I change the cipher to AES-256-CBC, my phone will say connecting (orange icon) then connected (green) the after few seconds shows connected (orange) and does this continuosly
01:33 < instigator1> funny thing is when cipher is AES-256-CBC on pc it connects with out above error. I added AES-256-CB to client and server config
01:39 -!- lvv_ [~loganaden@2001:4290:10:250:85b:6f52:cac8:4728] has joined #openvpn
01:39 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Read error: Connection reset by peer]
01:39 -!- lvv_ is now known as lvv
01:54 -!- u0m3_ [~u0m3@92.80.86.213] has joined #openvpn
01:54 -!- Synthead [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Quit: p33 ba115]
01:55 -!- funyun [~temp@ec2-54-84-37-194.compute-1.amazonaws.com] has joined #openvpn
01:58 -!- frank-- [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
02:02 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
02:03 -!- Netsplit *.net <-> *.split quits: Fruckiwacki, funyun_, u0m3, thumbs, master_of_master
02:09 -!- dimitry7 [~antonello@189.190.153.63] has quit [Read error: Connection reset by peer]
02:10 -!- makara [~makara@41.164.22.218] has joined #openvpn
02:13 -!- master_of_master [~master_of@p4FF240D8.dip0.t-ipconnect.de] has joined #openvpn
02:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
02:29 -!- jeezy [~zx@bitchx/apple/jeezy] has left #openvpn []
02:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-gwqlfefpsnsduywf] has quit [Quit: Connection closed for inactivity]
02:46 -!- Fusl is now known as Fusl|test
02:50 -!- Fusl|test is now known as Fusl|test2
02:50 -!- Fusl|test2 is now known as Fusl
03:02 -!- instigator1 [~instigato@ti-225-26-191.telkomadsl.co.za] has quit [Ping timeout: 240 seconds]
03:46 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:47 -!- Devastator [~devas@177.18.199.164] has joined #openvpn
03:49 -!- mattock is now known as mattock_afk
03:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
04:15 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:18 -!- funyun [~temp@ec2-54-84-37-194.compute-1.amazonaws.com] has quit [Ping timeout: 240 seconds]
04:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
05:01 -!- makara [~makara@41.164.22.218] has quit [Excess Flood]
05:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
05:02 -!- makara [~makara@41.164.22.218] has joined #openvpn
05:02 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Write error: Broken pipe]
05:02 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
05:03 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 378 seconds]
05:03 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 378 seconds]
05:03 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 378 seconds]
05:03 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 378 seconds]
05:03 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 378 seconds]
05:03 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 378 seconds]
05:03 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-jasvuxrmsnuozaen] has quit [Ping timeout: 378 seconds]
05:03 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 378 seconds]
05:04 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
05:04 -!- red_racer12__ [sid20963@gateway/web/irccloud.com/x-wxzvqmbsifeebirx] has joined #openvpn
05:04 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
05:04 -!- red_racer12__ is now known as red_racer12_
05:05 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
05:05 -!- busch [~busch@datenschleuder.com] has joined #openvpn
05:05 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
05:06 -!- fred`` [~fred@earthli.ng] has joined #openvpn
05:06 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
05:08 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 241 seconds]
05:09 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
05:09 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:09 -!- mode/#openvpn [+v hazardous] by ChanServ
05:09 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
05:14 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
05:14 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
05:14 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
05:14 -!- lbft [~lbft@unaffiliated/lbft] has quit [Excess Flood]
05:15 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
05:16 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
05:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Write error: Broken pipe]
05:17 -!- frank-- [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Write error: Broken pipe]
05:17 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has quit [Ping timeout: 469 seconds]
05:17 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 469 seconds]
05:17 -!- omrib_ [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has quit [Ping timeout: 469 seconds]
05:17 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 469 seconds]
05:18 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
05:18 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Excess Flood]
05:19 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
05:19 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
05:20 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
05:21 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
05:21 -!- magellanic [~magellani@unaffiliated/magellanic] has joined #openvpn
05:22 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
05:25 -!- defswork [~andy@141.0.50.105] has joined #openvpn
05:29 -!- traph [~traph@46.10.9.133] has joined #openvpn
05:29 -!- traph [~traph@46.10.9.133] has quit [Changing host]
05:29 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
05:34 < magellanic> anyone able to advise me, I have an ipcop machine as an openvpn server, linux mint client, pinging ipcop internet address gets me avg of 25ms no packet loss, pinging any hosts on the vpn gets me avg 5200ms 20% packet loss. i've tried playing with client side mtu settings, has not helped.
05:35 < magellanic> also, just establishing the vpn from client, takes a few mins, errors out a few times with "check your connection" but eventually connects, using the openvpn cli client on linux mint
05:37 <@ecrist> that's odd
05:37 <@ecrist> !mtu
05:37 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
05:37 <@ecrist> there's a good how-to on MTU troubleshooting
05:38 <@ecrist> also, try to exclude the vpn from packet sniffing on the ipcop machine
05:38 <@ecrist> if you disable the firewall, and allow all traffic, does the vpn work better?
05:40 < magellanic> excuse the delay, my lag to freenode is very high. thanks for the links, I will have a look, and also will try --mtu-test, the ipcop machine is a clients, so I can't change settings on it in a hurry, esp the firewall on it.
05:41 < magellanic> interestingly, I do get this warning from the openvpn cli client: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
05:43 < magellanic> busy trying with mtu-test, and removed the tun-mtu and mssfix completely
05:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
05:52 -!- JuriadoBalzac [~cpe@www.badcode.net] has left #openvpn []
06:00 < magellanic> looking through the mtu guide makes me think it isn't mtu, pings do return, just take longer, and pings are tiny so they can't be hitting the mtu limits.
06:00 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
06:00 <@ecrist> could your ISP be limiting the traffic?
06:01 < magellanic> that could be possible, I can't rule it out
06:01 <@ecrist> what does mtr show?
06:02 < magellanic> is using tcp a good idea or advised? currently using udp
06:02 <@ecrist> I generally recommend against it, but give it a shot, see if your problem goes away
06:04 -!- Devastator [~devas@177.18.199.164] has quit [Changing host]
06:04 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
06:04 -!- mattock_afk is now known as mattock
06:05 < magellanic> let me check
06:05 < magellanic> yeah I would think udp performs better..
06:06 < magellanic> mtr to ipcop looks fine, no losses, avg pings of about 20ms
06:06 < magellanic> trying with -u for udp
06:08 < magellanic> mtr udp also looks fine, but no responses from about 3 hops away from dest, the rest of the path seems fine in terms of loss/latency
06:10 < takamichi> Is the --keep-alive directive (and hence --ping restart) only for when the remote peer has a dynamic IP address? i.e. If using IP's is there any point in using it?
06:12 -!- Preed [~root@anubis.preed.net] has joined #openvpn
06:15 -!- Preed [~root@anubis.preed.net] has quit [Client Quit]
06:16 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:19 -!- Preed [~preed@81-224-43-124-no80.tbcn.telia.com] has joined #openvpn
06:20 -!- Guest88807 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Ping timeout: 264 seconds]
06:20 < Preed> Hi.. I'm setting up openvpn on my dedi centos server.. I've gotten as far as being able to connect to it from here on my win7 desktop, but I can't get outside to the internet through it, seems to be a routing issue
06:21 < Preed> this desktop has a private IP behind my DSL router (192.168.100.100
06:21 < Preed> the VPN subnet is the default 10.8.
06:21 < Preed> I can ping both the VPN servers local IP and it's external IP
06:22 < magellanic> what do you get then when you ping 8.8.8.8?
06:22 < Preed> host unreachable
06:22 < Preed> I only get to 10.8.0.1 when traceing
06:22 < magellanic> okay, I'm getting the client to set the server side mtu lower, crossing fingers..
06:23 < Preed> hmm, strange.. when I traceroute the dedi's real ip, it doesn't go through the tunnel at all...
06:23 < Preed> doh nm.. not connected right now haha
06:24 < Preed> brb, gonna get it up and come back with irssi from the dedi
06:24 -!- Preed [~preed@81-224-43-124-no80.tbcn.telia.com] has quit []
06:25 -!- root [~root@anubis.preed.net] has joined #openvpn
06:25 -!- root is now known as Guest2949
06:26 -!- Guest2949 [~root@anubis.preed.net] has quit [Client Quit]
06:27 -!- Preed [~root@anubis.preed.net] has joined #openvpn
06:27 < Preed> There
06:28 < Preed> But yeah.. traceing the dedi's real IP goes the normal route, not through the vpn tunnel...
06:30 < Preed> That's the only IP besides the VPN servers local one that I can connect to
06:32 < Preed> Ah.. Perhaps I have to remove the old route on this desktop for 0.0.0.0 that points to the lan router gateway IP?
06:32 < Preed> there are currently two 0.0.0.0 routes.. one to my router here and one pointing to 10.8.0.5 gateway
06:32 < magellanic> far as I know the openvpn server has a setting to set client routes
06:33 < magellanic> the openvpn peer is meant to go over the bare internet route, not tunnel ;)
06:33 < defswork> Preed, you got ip forwarding and SNAT setup etc.. ?
06:33 < Preed> yeah it sets routes
06:34 < Preed> hold on I'll pastebin
06:36 < Preed> This is before I connect to the VPN
06:36 < Preed> http://pastebin.com/EGRfSgU3
06:36 < Preed> http://pastebin.com/0Xg0WNNR
06:36 < Preed> And that is when I'm connected
06:37 < Preed> 87.98.254.98 is the dedi's IP, so it has its own route through my router
06:37 < magellanic> which IP gives you back host unreachable then?
06:37 < Preed> Do I need to delete the first rule there for 0.0.0.0 to 192.168.100.1?
06:38 < Preed> 8.8.8.8... all I try pretty much
06:40 < Preed> Not sure why 10.8.0.4 .7 etc are in there though.. this desktop has 10.8.0.6 on the VPN subnet
06:41 < Preed> and why gateway address is .5.. ?? The ded's VPN ip is .1
06:41 < magellanic> the host unreachable comes from some IP, as a response, what IP is that
06:42 < magellanic> I don't know, routing tables are headache material to me :p could be the way the tunneling and peer-to-peer are setup
06:42 < magellanic> pastebin the ping command
06:42 < Preed> actually it times out
06:43 < Preed> then reports unreachable
06:43 < Preed> http://pastebin.com/ZqELQiEP
06:44 < Preed> "Målvärddatorn kan inte nås" is swedish for host unreachable
06:46 < magellanic> hmm interesting, if I ping an unknown host, I get these for example: From 10.0.2.226 icmp_seq=2 Destination Host Unreachable
06:46 < magellanic> maybe your client is different
06:46 < magellanic> but it tells me who sent that unreachable, which might be another host than the one I'm on..
06:47 < magellanic> but it does look like it's routing out the vpn
06:47 < magellanic> because your vpn range is in the hops
06:47 < Preed> Why is 10.8.0.5 the gateway for 0.0.0.0? Nothing has that ip
06:48 < magellanic> so as defswork says, check forwarding on your centos host
06:48 < Preed> Well, I should be getting from 10.8.0.1 to 87.98.254.98, right?
06:48 < Preed> forwarding is enabled
06:48 < Preed> probably some fucking SElinux/ipsec crap :p
06:50 < magellanic> do an ipconfig, the peer-to-peer connection might be using that IP
06:50 < Preed> hmm, actually selinux is disabled...
06:50 < Preed> ipconfig on the desktop or on the server?
06:51 < Preed> the VPN ip on the desktop was .6
06:51 < Preed> I cant ping .5
06:51 < Preed> so why is it set as the gw?
06:51 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has joined #openvpn
06:52 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
06:53 < magellanic> I'm not sure
06:54 < defswork> Preed, without SNAT also nothing will be able to reply
06:55 < defswork> you need to change your source address to the internet IP address of the host for all client traffic
06:55 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
06:56 < Preed> How do I do that?
06:58 < magellanic> defswork: you think his routing is getting to the point of the vpn peer (centos box) though? I was trying to confirm it, but not sure
07:00 < Preed> Considering I ping 10.8.0.1 without any problems....
07:06 <@dazo> Preed: as I happen to like SELinux a lot ... I can assure you that network routing has _nothing_ to do with SELinux
07:06 <@dazo> Preed: that you can ping 10.8.0.1 means you have a working VPN tunnel ... the rest is routing and firewalling (including NAT, to go out on the Internet)
07:07 <@dazo> Preed: look at the iptables rules used here ... esp. the NAT related ones ... https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
07:07 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
07:07 <@dazo> You also need to remember to enable ip_forwarding, unless your server already acts like a router
07:08 < Preed> It is on
07:09 <@dazo> And based on this statement: "Why is 10.8.0.5 the gateway for 0.0.0.0? Nothing has that ip" ... you should read !tcpip carefully ... and you'll understand the importance of routing rules to 0.0.0.0
07:09 <@dazo> !tcpip
07:09 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
07:10 < Preed> Well, I do have a "firewall".. Not really but I used system-config-firewall-tui to set the base rules
07:10 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Excess Flood]
07:10 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
07:11 < Preed> heh... The only rule in my FORWARD chain is REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
07:11 < Preed> ops
07:14 < Preed> those iptables rules are for a server with two nic's though..
07:14 <@dazo> *sigh* ... It's allowed to use your brain and not just copy-paste
07:15 < Preed> but I can skip those
07:15 <@dazo> You need all the "world" rules ... esp. in the nat table
07:18 < Preed> Yeah.. I'm skipping the LAN ones
07:18 < Preed> I had the masquerade rule already though :)
07:18 <@dazo> Preed: no matter what ... I strongly recommend stateful firewalling in the FORWARD table, no matter what
07:19 < magellanic> you can check the rule counters to see what's getting hit if so, to see that it is infact making it to that rule, etc
07:19 < Preed> well, everything is blocked by default.. Only have open ports that I define in iptables
07:19 < Preed> Seems to work now :)
07:19 <@dazo> The FORWARD chain != INPUT chain
07:19 < Preed> It was the default forward reject rule :)
07:20 < Preed> well, the bottom INPUT rule is REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
07:20 < Preed> same on forward
07:21 <@dazo> but if you allow all traffic over the FORWARD chain, without stateful inspection (--state/--ctstate) ... then anyone from the outside *can* initiate contact with your VPN clients on the insider.  Yeah, it will require some IP address forging and routing trickery, but that's not necessarily always that hard
07:23 < Preed> So this is bad? http://pastebin.com/KmYXZqYm
07:23 <@dazo> no, here you have stateful checking ... I didn't get the impression you used that
07:23 < Preed> I'll be installing APF later on though
07:25 < Preed> Had alot of success with that defending against ddos attacks in the past
07:25 <@dazo> well, learning iptables is probably going to be more valuable than just installing "something which does the iptables magic" for you
07:26 <@dazo> by all means, use APF ... but look carefully at the iptables rules it creates and try to understand them
07:27 < Preed> The only problem was when the attacks reached such a high number of packets that the kernel/netfilter couldnt handle it
07:27 < Preed> Yeah true
07:27 <@dazo> uhm ... wrong ... apf uses iptables (kernel netfilter)
07:28 <@dazo> it just uses clever iptables rules to block ddos
07:28 < Preed> what is wrong?
07:28 <@dazo> "The only problem was when the attacks reached such a high number of packets that the kernel/netfilter couldnt handle it"
07:29 <@dazo> APF isn't a kernel/netfilter alternative
07:29 < Preed> yea? there were so many packets coming in that it choked the entire system.. I couldnt even connect to it with ssh
07:29 < Preed> I know it makes iptables rules
07:29 < Preed> its just a "script"
07:30 < Preed> But having openvpn with ipforwarding enabled means I will still be vulnerable to mirrored attacks.. since as far as I know I have to have forwarding disabled to prevent it
07:31 < Preed> Had some angry sysop emails one day plus my provider had been receiving abuse reports that my server was attacking other systems lol
07:33 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
07:33 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
07:34 < Preed> But thankfully it seems the long arm of the law finally caught up with that little prick :) last I heard he was in jail hehe
07:34 -!- n2deep_ [n2deep@odin.sdf-eu.org] has joined #openvpn
07:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-rcectmyngxxahrto] has quit [Disconnected by services]
07:35 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
07:35 -!- MorgyN_ [~mig@island.morgyn.org] has joined #openvpn
07:35 -!- lamokie_ [~steve@li428-245.members.linode.com] has joined #openvpn
07:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-yulsanhlxpkzbati] has joined #openvpn
07:36 -!- lordnikkon is now known as Guest39215
07:36 < Preed> Perhaps because when he ddosed my teamspeak server I rented a small slotted one with gameservers.com in vancouver, and this lowbeat script-kid lived in ft st john.. He actually brought down their datacenter for 6 hours.. I was kind enough to email gameservers.com with voice recordings, logfiles and everything on the little brat ;)
07:37 < Preed> Much easier for the law to catch someone when he attacks something in his own area/country than abroad ;)
07:37 -!- fejjerai [~quassel@kde/mitchell] has quit [Excess Flood]
07:38 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
07:38 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
07:39 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
07:39 -!- xMopxShe- [~xMopxShel@pa1.trolls.lv] has joined #openvpn
07:39 -!- Pei_ [~pei@thinks.outside.theb0x.org] has joined #openvpn
07:39 -!- davidmp_ [~davidmp@149.255.100.107] has joined #openvpn
07:39 -!- mauww_ [~localhost@unaffiliated/mauww] has joined #openvpn
07:40 -!- EmLeX_ [~emx@37.46.193.2] has joined #openvpn
07:40 -!- ngharo_ [~ngharo@nexus.sypherz.com] has joined #openvpn
07:40 -!- Netsplit *.net <-> *.split quits: Mathias, clu5ter, jareth_, Pei, davidmp, xMopxShell, n2deep, kwork, plaisthos, fremo,  (+18 more, use /NETSPLIT to show all of them)
07:40 -!- Brando753-o_O_o is now known as Brando753
07:40 < Preed> Well, these iptables rules for openvpn, should I just "service iptables save" them?
07:40 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
07:41 -!- phunyguy_ is now known as phunyguy
07:41 -!- Netsplit over, joins: riddle
07:41 -!- xMopxShe- [~xMopxShel@pa1.trolls.lv] has quit [Client Quit]
07:42 -!- Netsplit over, joins: mgorbach
07:42 -!- kwork [~georg@no.life.ee] has joined #openvpn
07:42 -!- kwork [~georg@no.life.ee] has quit [Changing host]
07:42 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
07:42 -!- Netsplit over, joins: xMopxShell
07:42 -!- davidmp_ is now known as davidmp
07:43 -!- mauww [~localhost@unaffiliated/mauww] has quit [Remote host closed the connection]
07:43 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Remote host closed the connection]
07:46 -!- inch [mijutu@ellipsis.fi] has joined #openvpn
07:46 -!- Transfusion [Transfusio@trivialand/master/transfusion] has joined #openvpn
07:46 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
07:46 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
07:46 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
07:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:46 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
07:46 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
07:46 -!- Eugene [eugene@itvends.com] has joined #openvpn
07:46 -!- BtbN [btbn@btbn.de] has joined #openvpn
07:46 -!- ServerMode/#openvpn [+o Eugene] by kornbluth.freenode.net
07:46 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:46 -!- dazo [~dazo@44.118.9.46.customer.cdi.no] has joined #openvpn
07:46 -!- dazo [~dazo@44.118.9.46.customer.cdi.no] has quit [Changing host]
07:46 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
07:46 -!- mode/#openvpn [+o dazo] by ChanServ
07:46 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has joined #openvpn
07:47 -!- magellanic [~magellani@unaffiliated/magellanic] has quit [Excess Flood]
07:47 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 491 seconds]
07:48 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Remote host closed the connection]
07:48 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Excess Flood]
07:48 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Excess Flood]
07:48 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Excess Flood]
07:48 -!- funyun [~temp@65.25.103.89] has joined #openvpn
07:48 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
07:48 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
07:49 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
07:49 -!- __FBi [B@2a00:d880:3:1::d93:a8cb] has joined #openvpn
07:49 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
07:50 -!- Preed [~root@anubis.preed.net] has quit [Quit: leaving]
07:51 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:51 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
08:11 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 265 seconds]
08:25 -!- Olipro is now known as juniper
08:25 -!- juniper is now known as Guest83881
08:25 -!- esde [~esde@107.150.1.2] has quit [Changing host]
08:25 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
08:26 -!- lvv [~loganaden@2001:4290:10:250:85b:6f52:cac8:4728] has quit [Quit: lvv]
08:26 -!- Guest83881 [~Olipro@uncyclopedia/pdpc.21for7.olipro] has left #openvpn []
08:26 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:28 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:28 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
08:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
08:35 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has joined #openvpn
08:35 < BlackPanx> could someone clarify some things to me a bit... i have openvpn server and i connect clients from the other side of the world to it... connection directly without using vpn is about 400 ms of ping and it goes up to 300kbit /s... really shitty. without using openvpn my speed goes up to 25mbit.
08:35 < BlackPanx> is there a trick with mtu value or something?
08:36 < BlackPanx> if i lowered my mtu value on openvpn server, would that help ? and if so, how to test that ? maybe with iperf, keep changing mtu values and performance testing ?
08:37 < takamichi> If server is configured with no ping-restart or ping-exit and the client disconnects without notifying the server, how long will the server keep the client object alive?
08:38 -!- mauww_ is now known as mauww
08:39 < rob0>   df
08:39 < rob0> haha
08:40 -!- _bt [~bt@77.240.12.157] has quit [Disconnected by services]
08:41 -!- 14WAB74LI [foobar@77.240.12.157] has joined #openvpn
08:53 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 252 seconds]
08:54 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
09:12 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 -!- naout [~naout@dyn.102-139-19-46.swissinet.com] has joined #openvpn
09:19 < naout> hi
09:19 < naout> The ip-address i recieve from the
09:19 < naout> VPN-server is 10.8.0.15 > > > My public ip is 44.13.140.12 > > > If I open a
09:19 < naout> service on my host which I bind to port 10.8.0.15:49152 > > > checking with
09:19 < naout> netcat shows... > > $ netcat -z -v 44.13.140.12 49152 > netcat: connect to
09:19 < naout> 44.13.140.12 port 49152 (tcp) failed: Connection refused > > > How should I
09:19 < naout> configure to have it accessible? Any hints
09:22 < rob0> openvpn is like a network adapter. It provides you the IP address. It does not do NAT for you. Your OS would handle NAT.
09:23 < rob0> !linnat
09:23 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
09:23 < rob0> oh, and it sounds like you want is not !linnat, you want destination NAT
09:23 < rob0> !dnat
09:24 < rob0> NAT-HOWTO.html does provide a simple intro to DNAT also.
09:24 < naout> NAT-HOWTO.html?
09:24 < naout> where do i find it?
09:27 < naout> aha
09:27 < naout> i found it http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html
09:27 <@vpnHelper> Title: Linux 2.4 NAT HOWTO (at netfilter.org)
09:27 < rob0> are you reading here? yes
09:28 < rob0> it's old but still basically valid
09:29 < naout> so its have nothing to do with the openvpn server?
09:29 < naout> its all about the OS?
09:29 < naout> that the client use
09:29 < naout> right?
09:31 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
09:32 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 240 seconds]
09:35 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 264 seconds]
09:36 -!- naout2 [~naout@dyn.102-139-19-46.swissinet.com] has joined #openvpn
09:36 -!- naout [~naout@dyn.102-139-19-46.swissinet.com] has quit []
09:37 -!- naout2 is now known as naout
09:39 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
09:40 -!- Pisuke [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
09:41 -!- Pisuke is now known as Guest78814
09:41 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
09:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
09:49 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
09:55 -!- Guest78814 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
09:55 -!- Guest78814 [~Sembei@unaffiliated/sembei] has joined #openvpn
09:58 -!- Guest78814 [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
09:59 -!- Guest78814 [~Sembei@unaffiliated/sembei] has joined #openvpn
10:01 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
10:01 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
10:01 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
10:13 -!- Guest78814 [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
10:17 -!- Guest78814 [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
10:17 -!- mattock is now known as mattock_afk
10:24 -!- EmperorTom [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
10:24 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 252 seconds]
10:26 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
10:28 -!- Zarrsh [~Zarrsh@198.167.138.150] has quit [Ping timeout: 252 seconds]
10:28 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has joined #openvpn
10:30 -!- ngharo_ is now known as ngharo
10:36 -!- calcifea [~rasla@gateway/tor-sasl/gitsu-sa] has quit [Quit: calcifea]
10:49 -!- i0x71 [~vitaly@38.117.92.98] has joined #openvpn
10:51 < i0x71> Hey, can someone help me out with the openvpn static ip config, i have defined this: client-config-dir ccd in the server.conf, created a ccd directory with a file named test, that's the username that i use to authenticate, in the file i have specified this: ifconfig-push 10.10.1.94 10.10.1.93 which is what i want the client to use, however on every new connection the client still gets an ip from the pool, 10.10.1.6
10:52 -!- cronus [~cronus@23.30.140.182] has joined #openvpn
10:53 < cronus> Is it possible to use openVPN to set up a service for users where we inject javascript into all pages to give users of our vpn service features on webpage?
10:54 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
10:54 -!- lordnikkon is now known as Guest15854
10:55 < i0x71> i am not using keys for authentication, instead im using auth-user-pass-verify xxx via-file
10:55 < i0x71> with verb 10 it appears that openvpn is not looking for a file named 'username', it only looks for ccd/UNDEF and ccd/DEFAULT
10:58 -!- mauww_ [~localhost@unaffiliated/mauww] has joined #openvpn
10:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:00 -!- Netsplit *.net <-> *.split quits: mauww, davidmp, james41382, EmLeX_, sunwind, defswork, Cr4zi3, EmperorTom, Guest39215
11:00 -!- Netsplit *.net <-> *.split quits: megaTherion, slikts, emid_, Guest78814, AsadH, tharkun, Samopotamus, niel, tapout, mete-,  (+43 more, use /NETSPLIT to show all of them)
11:00 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
11:01 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:01 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
11:04 -!- Netsplit over, joins: tharkun, prettyrobots
11:05 -!- Netsplit over, joins: phreakocious
11:06 -!- Netsplit over, joins: vpnHelper, krzee, MorgyN_, yoavz, Fruckiwacki, omrib, XJR-9, master_of_master, slikts, lowkey (+7 more)
11:06 -!- mete- [~mete@91.247.253.160] has joined #openvpn
11:06 -!- Netsplit over, joins: @mattock_afk, @raidz, emid_, joshh20-Away, mcp, megaTherion, jgeboski, Cultist, sauce, niel (+3 more)
11:06 -!- ServerMode/#openvpn [+oooo vpnHelper krzee mattock_afk raidz] by kornbluth.freenode.net
11:06 -!- Netsplit over, joins: Samopotamus, davidmp
11:06 -!- EmLeX [~emx@37.46.193.2] has joined #openvpn
11:06 -!- EmperorT1m [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
11:06 -!- Netsplit over, joins: Guest78814, xMopxShell, kwork, ngharo, fejjerai, lamokie_, thumbs, red_racer12_, levifig, kossy
11:06 -!- EmLeX [~emx@37.46.193.2] has quit [Changing host]
11:06 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
11:07 -!- Netsplit over, joins: phuzion
11:07 -!- Guest78814 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
11:07 -!- Netsplit over, joins: tapout
11:08 -!- funyun [~temp@65.25.103.89] has quit [Quit: leaving]
11:09 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
11:09 -!- mauww_ [~localhost@unaffiliated/mauww] has quit [Remote host closed the connection]
11:09 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
11:10 -!- Guest78814 [~Sembei@unaffiliated/sembei] has joined #openvpn
11:10 -!- 1JTAAGP4P [~levifig@hakr.io] has joined #openvpn
11:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:10 -!- naout2 [~naout@62-210-167-202.rev.poneytelecom.eu] has joined #openvpn
11:11 -!- naout [~naout@dyn.102-139-19-46.swissinet.com] has quit [Write error: Broken pipe]
11:11 -!- i0x71 [~vitaly@38.117.92.98] has quit [Write error: Broken pipe]
11:11 -!- naout2 is now known as naout
11:11 -!- ben1066_ [~quassel@unaffiliated/ben1066] has joined #openvpn
11:11 -!- i0x71 [~vitaly@38.117.92.98] has joined #openvpn
11:11 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 264 seconds]
11:14 -!- Guest71284 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:14 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
11:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:15 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
11:16 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
11:17 < takamichi> Is there anyway to persist client connections whilst restarting the server process?
11:18 < takamichi> (in order to apply new config directives without booting off clients)?
11:20 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:26 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Excess Flood]
11:27 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:31 -!- i0x71 [~vitaly@38.117.92.98] has quit [Quit: Lost terminal]
11:33 -!- fenris_kcf [~fenris@p549BD810.dip0.t-ipconnect.de] has joined #openvpn
11:41 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:41 <@krzee> takamichi, see signals in manual
11:44 -!- mauww [~localhost@ip-static-212-117-180-71.as5577.net] has joined #openvpn
11:44 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
11:44 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:44 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:44 -!- dren_ [~dren@69.163.43.34] has joined #openvpn
11:50 -!- mauww_ [~localhost@unaffiliated/mauww] has joined #openvpn
11:52 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
11:52 -!- mauww [~localhost@ip-static-212-117-180-71.as5577.net] has quit [Remote host closed the connection]
11:53 -!- mauww_ is now known as mauww
11:54 -!- Cr4zi3 [~killaz@76.74.171.253] has joined #openvpn
12:02 <@ecrist> takamichi: no
12:03 -!- mauww [~localhost@unaffiliated/mauww] has quit [Remote host closed the connection]
12:03 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Write error: Broken pipe]
12:06 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
12:08 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
12:19 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
12:19 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
12:19 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:20 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
12:27 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
12:37 -!- mattock_afk is now known as mattock
12:39 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has joined #openvpn
12:40 -!- mauww [~localhost@unaffiliated/mauww] has quit [Remote host closed the connection]
12:42 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
12:43 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has quit [Excess Flood]
12:43 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
12:44 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Write error: Broken pipe]
12:44 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Write error: Broken pipe]
12:45 -!- lj [~l@192.241.174.169] has joined #openvpn
12:46 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
12:50 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
12:50 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
12:55 -!- Guest71284 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
12:56 -!- Guest19512 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
13:03 -!- lj [~l@192.241.174.169] has left #openvpn []
13:06 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
13:07 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
13:07 -!- mode/#openvpn [+o raidz] by ChanServ
13:09 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
13:14 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 245 seconds]
13:14 -!- defswork [~andy@141.0.50.105] has joined #openvpn
13:16 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
13:17 -!- master_o1_master [~master_of@p4FD7B86B.dip0.t-ipconnect.de] has joined #openvpn
13:21 -!- master_of_master [~master_of@p4FF240D8.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
13:21 -!- Ziber [~Liber@liber.in] has joined #openvpn
13:21 -!- mode/#openvpn [+b *!*Liber@liber.in] by ChanServ
13:21 -!- Ziber was kicked from #openvpn by ChanServ [User is banned from this channel]
13:29 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
13:36 -!- qwertyoruiop_ is now known as qwertyoruiop
13:39 -!- Guest19512 [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
13:40 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
13:41 -!- Roa [~roa@unixmexico/Roa] has joined #openvpn
13:41 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
13:42 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
13:46 -!- star314 [~star314@78.142.105.170] has joined #openvpn
13:51 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
13:52 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:08 -!- star314 [~star314@78.142.105.170] has quit [Quit: Leaving]
14:18 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
14:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:28 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:45 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:48 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:11c7:ef6c:499c:7431] has joined #openvpn
14:48 < elricsfate_wrk> Hello everyone. Is the negotiation of link speed done on the server side or client side?
14:51 < elricsfate_wrk> My server has a gigabit link but my VPN client is setting the link to only 10Mbps and my home connection goes as high as 50 Mbps (not including upload) so I'm currently knocking against that 10Mbps limit.
14:53 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Ping timeout: 240 seconds]
14:54 < jl-> anyone care to explain what this means: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
14:59 < elricsfate_wrk> jl-, Server isn't verifying the signature of the server
14:59 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
14:59 < elricsfate_wrk> *Client isn't
14:59 <@krzee> jl-, did you see the link for more info...?
15:00 <@krzee> elricsfate_wrk, if you're referring to the displayed link speed in windows, that is simply a display issue? if you are referring to your actual performance, maybe this will help:
15:00 <@krzee> !gigabit
15:00 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
15:00 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Remote host closed the connection]
15:02 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
15:05 < elricsfate_wrk> krzee, Gotcha. I will need to double check when I get home but I remember it being locked to 10mbps. I will review your guide. Thank you for sharing!
15:12 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:12 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
15:16 < jl-> thanks, got it
15:18 < jl-> how can I setup my VM so it will not browse / dns lookup if the openvpn connection breaks
15:18 < jl-> I'm assuming that's a firewall setting
15:31 -!- mattock is now known as mattock_afk
15:37 -!- naout [~naout@62-210-167-202.rev.poneytelecom.eu] has quit []
15:37 <@Eugene> Yes.
15:37 <@Eugene> On iptables you'll want the OUTPUT chain to allow out of eth0 only to your openvpn server
15:37 <@Eugene> Though it's a good idea to also allow ICMP responses ;-)
15:46 -!- GH0 [~GH0@unaffiliated/gh0] has joined #openvpn
15:55 -!- GH0 [~GH0@unaffiliated/gh0] has left #openvpn []
16:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 246 seconds]
16:07 -!- dazo is now known as dazo_afk
16:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:22 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
16:28 -!- matsh [divine@nanogene.org] has joined #openvpn
16:29 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
16:32 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
16:34 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
16:44 -!- joshh20-Away is now known as joshh20
16:50 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
16:54 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
16:54 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
17:02 -!- lj [~l@192.241.174.169] has joined #openvpn
17:06 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:06 -!- tempus_fol [~tempus@gateway/tor-sasl/tempusfol] has quit [Remote host closed the connection]
17:16 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:22 -!- lj [~l@192.241.174.169] has joined #openvpn
17:29 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:32 -!- Bretos [~Bretos@vps.tyborek.pl] has left #openvpn ["AndroIRC"]
17:33 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
17:36 -!- cronus [~cronus@23.30.140.182] has quit [Quit: cronus]
17:43 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
18:07 -!- codehero is now known as that
18:07 -!- cronus [~cronus@c-71-232-48-68.hsd1.ma.comcast.net] has joined #openvpn
18:07 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:11c7:ef6c:499c:7431] has quit [Quit: Leaving]
18:07 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:7dfc:ee04:4824:68eb] has joined #openvpn
18:08 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:7dfc:ee04:4824:68eb] has quit [Remote host closed the connection]
18:08 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:7dfc:ee04:4824:68eb] has joined #openvpn
18:10 -!- that is now known as codehero
18:11 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
18:13 -!- codehero is now known as codile
18:13 -!- codile is now known as codehero
18:22 -!- codehero is now known as this
18:22 -!- this is now known as that
18:23 -!- that is now known as codehero
18:29 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Ping timeout: 265 seconds]
18:35 -!- fenris_kcf is now known as fenris_afk
18:35 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
18:47 -!- joshh20 is now known as joshh20-Away
18:56 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 264 seconds]
18:58 -!- digilink [~digilink@70.90.228.197] has joined #openvpn
18:58 -!- digilink [~digilink@70.90.228.197] has quit [Client Quit]
19:02 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
19:04 -!- joshh20-Away is now known as joshh20
19:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:11 -!- klein [~klein@177.101.109.136] has joined #openvpn
19:11 -!- klein [~klein@177.101.109.136] has quit [Changing host]
19:11 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:18 -!- P4k3 [~P4k3@c-5a34e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Ping timeout: 245 seconds]
19:21 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
19:21 < ponyofdeath> hi, is it possible to create an pkcs12 format and include openvpn certs + tls key to import into an android device?
19:25 -!- u0m3_ [~u0m3@92.80.86.213] has quit [Read error: Connection reset by peer]
19:26 <@Eugene> That's the definition of how you do it, yes.
19:27 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 244 seconds]
20:06 -!- joshh20 is now known as joshh20-Away
20:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:30 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
20:34 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
20:43 -!- cronus_ [~cronus@c-76-119-143-149.hsd1.ma.comcast.net] has joined #openvpn
20:46 -!- cronus [~cronus@c-71-232-48-68.hsd1.ma.comcast.net] has quit [Ping timeout: 264 seconds]
20:46 -!- cronus_ is now known as cronus
20:55 -!- cronus [~cronus@c-76-119-143-149.hsd1.ma.comcast.net] has quit [Quit: cronus]
20:57 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 246 seconds]
21:11 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
21:13 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:14 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:20 -!- P4k3 [~P4k3@c-5236e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
21:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
21:33 -!- tjhowse [~eness@101.165.185.107] has joined #openvpn
21:35 < tjhowse> I'm setting up two sets of server certs for authenticating WAN connections into two separate LANs. what's the standard way of handing this, when openssl*.cnf is expecting the certs, crl, key, et cetera to have a certain name in be in a certain place?
21:36 < tjhowse> at the moment I've generated separate ca and dh files in my keys directory, with "_a" and "_b" after the filename
21:36 < tjhowse> I'm using easy-rsa under openwrt, if that's relevant
21:37 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
21:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:40 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:41 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
21:43 -!- fenris_afk [~fenris@p549BD810.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
21:48 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
21:50 < _FBi> Q: how can I specify 4096bit using openvpn --genkey --secret ta.key
21:54 -!- qwertyoruiop is now known as MagicalFat
21:54 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
21:54 -!- MagicalFat is now known as haematite
21:55 -!- haematite is now known as qwertyoruiop
21:56 < _FBi> !ta
21:56 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
21:57 < _FBi> !genkey
21:57 < _FBi> !secret
21:57 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
22:34 -!- bertodsera_ [~quassel@97e48243.skybroadband.com] has quit [Ping timeout: 272 seconds]
22:38 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
22:39 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:43 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Remote host closed the connection]
22:43 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:53 <@Eugene> _FBi - you can't; --secret only uses 2048-bit keys.
22:53 < _FBi> great! :)
22:54 < _FBi> was getting tired of googling haha
23:14 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
23:21 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
23:28 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 244 seconds]
23:45 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
23:48 <@krzee> _FBi, --secret is for PTP (2 endpoints ONLY)
23:48 <@krzee> !statickey
23:48 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
23:49 <@krzee> oh for hmac i see
23:49 < _FBi> :)
23:49 <@krzee> ya hmac doesnt even use the full 1024 / 2048
23:49 < _FBi> I learned from the best, I hope
23:49 <@krzee> just parts of it
23:52 -!- Fusl is now known as fusl
23:54 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:56 <@krzee> http://openvpn.net/index.php/open-source/faq/community-software-server/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key.html
23:56 <@vpnHelper> Title: Changed hex bytes in the static key, the key still connects to a remote peer using the original key. (at openvpn.net)
23:56 <@krzee> _FBi, good read for you ^
--- Day changed Tue Feb 25 2014
00:01 < _FBi> interesting :D
00:03 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:41 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 252 seconds]
00:49 -!- fusl is now known as Fusl
00:53 -!- max_ [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
01:00 -!- max_ [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
01:01 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 264 seconds]
01:03 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
01:04 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
01:07 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 272 seconds]
01:11 -!- Fusl is now known as fusl
01:15 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
01:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:26 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 240 seconds]
01:27 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
01:29 -!- fusl is now known as Fusl
01:31 -!- Fusl is now known as fusl
01:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:38 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:45 -!- max_ [~max@c-50-181-246-100.hsd1.wa.comcast.net] has joined #openvpn
01:49 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 264 seconds]
02:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
02:11 -!- max_ [~max@c-50-181-246-100.hsd1.wa.comcast.net] has quit [Ping timeout: 264 seconds]
02:15 -!- enbergj- is now known as enbergj
02:18 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
02:19 < enbergj> I've got two servers, one in ireland, another in singapore, the ping between these is about 200ms and I can get about 35Mbps over the public internet between them when measuring with iperf .. I set up openvpn server + client on these, and over the openvpn link I get about 5-10Mbps with iperf .. do you think it would be possible to get the VPN throughput higher, and if so, got any ideas how?
02:21 < enbergj> .. the CPU at least is being barely utilized, ~88% free during the iperf test over vpn on the server with higher CPU usage
02:48 -!- cHarNe2 [~thorn@95.85.49.170] has joined #openvpn
02:50 < cHarNe2> hi guys, i need to reboot everytime i compile a new kernel before i use openvpn. anyone way i can use openvpn without rebooting?
02:51 < BtbN> What?
02:51 < cHarNe2> https://bbs.archlinux.org/viewtopic.php?pid=1273051 seems to be the same thing
02:51 <@vpnHelper> Title: [Solved] OpenVPN 2.3.1 - ERROR: Cannot open TUN/TAP dev /dev/net/tun (Page 1) / Networking, Server, and Protection / Arch Linux Forums (at bbs.archlinux.org)
02:51 < BtbN> your kernel needs tun and/or tap support, of course
02:52 < BtbN> if it doesn't have that, you need to rebuild it with support for it.
02:52 < cHarNe2> and that is added at boot i guess?
02:52 < BtbN> ?
02:52 < cHarNe2> if i reboot it will work fine, i get this issue everytime i update kernel.
02:53 < BtbN> well, then build your kernel correctly the first time
02:54 -!- GeekFreak [~GeekFreak@198.204.250.37] has joined #openvpn
02:55 < cHarNe2> ok..
02:55 -!- cHarNe2 [~thorn@95.85.49.170] has left #openvpn []
02:55 < GeekFreak> Howdy :)
02:56 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
02:58 < GeekFreak> hmmm sleeping just as much as AS
02:59 -!- Thib [~thibaud@87.239.184.86] has joined #openvpn
03:00 < Thib> Hi guys
03:00 < GeekFreak> Hello Thib
03:00 < Thib> Have any of you already worked with multiple RADIUS servers to authenticate OpenVPN connections ?
03:00 < Thib> Cannot find any info online
03:00 < GeekFreak> why multiple ?
03:01 < Thib> I want to do that just for redundancy purpose
03:01 < Thib> I have quite a lot of users that need to have their connection up 24/7 and having only one Radius isn't ideal for this
03:04 < GeekFreak> TRue
03:04 < GeekFreak> Interesting but cant say i have used multiple
03:04 < GeekFreak> how many users are you expecting at one time ?
03:05 < Thib> Total should be more than 100 openvpn clients
03:05 < Thib> Knowing that we have 10 users on average connected to each clients
03:06 < GeekFreak> Ehh thats abit of over
03:06 < GeekFreak> kill
03:07 < Thib> It is more of a redundancy rather than a performance issue
03:08 < GeekFreak> are you setting up 2 openvpn servers?
03:08 < Thib> I just don't want my users not to be able to connect because of one radius server not reachable
03:12 < Thib> http://safesrv.net/simple-guide-to-a-freeradius-vpn-failover-setup/
03:12 <@vpnHelper> Title: Simple Guide to a FreeRADIUS VPN Failover Setup (at safesrv.net)
03:12 < Thib> Well, it seems it is possible
03:16 -!- dazo_afk is now known as dazo
03:17 -!- Thib [~thibaud@87.239.184.86] has quit [Quit: Ex-Chat]
03:21 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:31 <@dazo> Eugene: Hey ... Do you know anything about Win8 and how well OpenVPN works?  Any quirks needed to beware of?
03:31 <@dazo> (or if you know someone else who might know)
03:34 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-anjqniamejashpal] has quit [Quit: Connection closed for inactivity]
03:37 -!- Hes_ is now known as Hes
03:37  * GeekFreak dance
03:41 -!- traph [~traph@46.10.9.133] has joined #openvpn
03:41 -!- traph [~traph@46.10.9.133] has quit [Changing host]
03:41 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
03:50 -!- spiekey [~admin@projekte.imos.net] has joined #openvpn
03:50 < spiekey> Hello!
03:51 < spiekey> one of my client keys expired: TLS: tls_process: killed expiring key
03:51 < spiekey> whats the best practice? can i renew it somehow?
03:52 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
03:54 <@krzee> hehe
03:55 <@krzee> it does that hourly
03:55 <@krzee> !reneg
03:55 <@krzee> !factoids search reneg
03:55 <@vpnHelper> No keys matched that query.
03:55 <@krzee> !factoids search
03:55 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
03:55 <@krzee> !factoids search --values reneg
03:55 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
03:55 <@krzee> hmm, nevermind then
03:56 <@krzee> !learn reneg as by default (in client/server mode) openvpn will renegotiate the tls key hourly. this can be adjusted with the --reneg option
03:56 <@vpnHelper> Joo got it.
03:57 <@krzee> !learn reneg as this should not be disabled as it is important for !forwardsecurity
03:57 <@vpnHelper> Joo got it.
03:57 < GeekFreak> whats going on here
03:58 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
03:59 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:59 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
03:59 <@krzee> <Thib> Have any of you already worked with multiple RADIUS servers to authenticate OpenVPN connections ?
04:00 <@krzee> that has nothing to do with openvpn, the script or plugin which you write will need to handle your multiple radius servers in the way you desire =]
04:00 <@krzee> o damn he left
04:00 < GeekFreak> bit late krzee lol
04:01 <@krzee> ya
04:01 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:01 < enbergj> I've got two servers, one in ireland, another in singapore, the ping between these is about 200ms and I can get about 35Mbps over the public internet between them when measuring with iperf .. I set up openvpn server + client on these, and over the openvpn link I get about 5-10Mbps with iperf .. do you think it would be possible to get the VPN throughput higher, and if so, got any ideas how? .. at least the CPU ...
04:01 < enbergj> ... usage is not the issue, on the server with higher CPU usage during the iperf test there's ~88% idle CPU time
04:01 < Mathias> krzee: did the human bug occur? (scrolling a page up and not realizing)
04:02 <@krzee> Mathias, thats the one
04:02 < Mathias> someone needs to patch that :\
04:02 < GeekFreak> lol
04:02 <@krzee> enbergj,
04:02 <@krzee> !gigabit
04:02 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
04:02 <@krzee> !mtu
04:02 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
04:03 <@krzee> maybe you can play with your mtu to get better results
04:03 < enbergj> well, this is far from gigabit speeds, but yeah, I'll check those, thanks ;)
04:04 < GeekFreak> comp-lzo in use ?
04:04 < enbergj> yes
04:05 <@krzee> i really love jjk's gigabit writeup
04:05 <@krzee> speaking of which:
04:05 <@krzee> !book
04:05 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
04:05 <@krzee> he made an entire book of his awesomeness
04:05 < enbergj> cookbook always makes me think of chef
04:06 <@krzee> some of his recipes seem more like spells
04:06 <@krzee> like a transparent bridge
04:06 <@krzee> where the vpn has no ips at all
04:07 <@krzee> i learned a ton while reading that book
04:07 <@krzee> and i was a proof reader!
04:07 < GeekFreak> hehe i accidently did that to my network krzee lol
04:07 <@krzee> hah
04:07 < GeekFreak> was the wrong way around lol
04:08 <@dazo> krzee: do you know if there's any issues with Win8 nowadays?
04:08 <@krzee> other than microsoft made it?
04:08 <@dazo> haha
04:09 <@krzee> :D
04:09 <@dazo> well, I meant openvpn + win8 ;-)
04:09 <@krzee> nah never even seen it
04:09 < GeekFreak> kill it with fire
04:09 < Mathias> fire it with kills!
04:09 <@dazo> I wish I could
04:09 < enbergj> funny, I can successfully get a ping reply with ping -c1 -s 40000 -D 1.2.3.4 over the public network between those servers
04:09 < enbergj> I guess I don't have an issue with MTU 1500
04:09 <@krzee> though it seems to work based on this:
04:09 <@krzee> http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/
04:09 <@vpnHelper> Title: OpenVPN Client Setup Tutorial for Windows 8 (at www.vpntutorials.com)
04:10 <@krzee> providers giving win8 walkthroughs
04:10 <@krzee> they would test prior one would think
04:10 <@dazo> nice! ... yeah, good thinking
04:10 <@dazo> as we're usually not pointing at external blogs/sources here ... I didn't think of that :)
04:10 <@krzee> ya i sure wouldnt want to actualy follow those directions :D
04:11 <@novaflash> there are issues with windows 8 but they are very hard to track down. 90 machines with windows 8 can be just fine and have no issues whatsoever, and then there are 5 that have issues and even one or two that are completely unable to establish contact. is this a windows 8 issue? not entirely certain, it could be just some other software interfering. who will tell.
04:11 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
04:11 <@krzee> oh interesting
04:12 <@krzee> should we hope dazo has an easy one or broken one?  broken would mean it probably gets fixed? but we shouldnt root against him right?  :-p
04:12 <@novaflash> personally i've found this problem; a laptop that starts an openvpn tunnel BEFORE the wifi adapter has finished configuring itself will fail. solution; restart openvpn.
04:12 <@dazo> novaflash: This user gets "unable to register REG KEY for OPEN VPN GUI" (or something like this) (btw, this guy is a fulltime Windows sysadmin, so not an average dumb user)
04:12 <@krzee> umm
04:12 <@novaflash> on windows 7 this was no issue, on windows 8 it is an issue, sometimes.
04:12 <@novaflash> oh. just run as admin.
04:12 <@krzee> !winroute
04:12 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file or (#2) many users also report it helps to add route-delay to give the interface extra time to get up or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access or (#4) make sure you are running openvpn as admin or (#5) you might also want to see that
04:12 <@vpnHelper> and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
04:12 <@krzee> novaflash, route-delay
04:13 <@novaflash> krzee; i suppose that's a workaround
04:13 <@krzee> gives the adapter time to get ready =]
04:13 <@novaflash> but i never need time to get ready
04:13 <@krzee> thats why that exists
04:13 <@novaflash> i'm always ready
04:13 <@krzee> well if you stay ready you aint gotta get ready
04:13 < enbergj> ah, damnit .. I was looking at the line for ping on BSD and that -D does something quite different on linux ;)
04:13 <@krzee> but you werent made by microsoft
04:13 <@dazo> novaflash: you might be ready ... but Windows?  Nah, I dunno
04:14 <@novaflash> microsoft is pushing hard to get ndis5 out and ndis6 in
04:15 <@novaflash> if i were made by microsoft i'd be very expensive, require activation through the phone and recite the EULA and ask for you to accept the terms before screwing you. and then i'd just stop halfway and die during orgasm and require CPR + shock to get my heart working again. also, my private parts would be in strange places.
04:15 < enbergj> ok, the max size ping I can really send is -s 1472, which apparently results in 1480 bytes, and it says mtu = 1500 .. makes complete sense with 20B ip header, 8B icmp header and 1472B payload = 1500B total
04:16 <@krzee> you see jjk's results?
04:17 <@krzee> his default setup on gigabit was getting 156Mbit
04:17 <@krzee> then he tuned
04:17 < enbergj> yeah, but that's again gigabit, on lan .. the mtu of > 1500 tuning will probably just break for me
04:18 < GeekFreak> ouch 700,000 bitcoins gone poof
04:18 < enbergj> or not on lan, but yeah
04:18 <@krzee> honestly i have no idea, i have never had that situation
04:18 <@krzee> but thats the info i have to pass on =]
04:18 <@krzee> GeekFreak, ya man
04:19 < GeekFreak> 420million
04:19 <@krzee> mtgone
04:19 < enbergj> yeah, I'm checking it ;)
04:21 < GeekFreak> Invest in bitcoin they said it will be great they said lol
04:21 <@novaflash> rm -rf /bitcoins/*
04:22 <@krzee> all my coins will be sold by morning
04:22 <@novaflash> all 0.5 of them
04:22 <@krzee> i will be somewhere between double and tripple my $
04:22 <@novaflash> nice
04:23 <@krzee> then i plan on getting back in once it levels back out
04:23 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
04:23 <@krzee> i expect a short term drop and then back to normal
04:23 <@novaflash> i expect the spanish inquisition
04:23 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
04:23 < enbergj> and what's this about bitcoins? something happen to bitcoin?
04:23 <@krzee> mtgox finally died
04:24 <@krzee> had like 700,000+ bitcoin stolen from them
04:24 < enbergj> "whoops"
04:24 <@krzee> but it happened over the long term
04:24 <@krzee> they didnt even know
04:24 <@krzee> it was done slowly over time
04:24 <@krzee> then they were like
04:24 < enbergj> "about 6% of all coins in existence" .. well that's not much at all ;)
04:24 <@krzee> hey guys, where mah coins bro?
04:25 < GeekFreak> in my pocket XD
04:25 <@krzee> selling all my ltc too
04:25 < Mathias> possible to connect to multiple VPN-server simoustanely with the windows-client?
04:26 < GeekFreak> but what did they expect creating a network for criminals to trade currency lol
04:26 < enbergj> Mathias: yes, just create multiple tap/tun devices
04:26 <@krzee> Mathias, yes, you need multiple devices
04:26 <@krzee> damn, beat me to it :D
04:26 < enbergj> Mathias: run the "Add new TAP virtual ethernet adapter" script from your start menu as administrator
04:26 < Mathias> ok
04:27 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 246 seconds]
04:27 <@krzee> GeekFreak, what a currency is used for has nothing to do with the fact that people will always look to rob banks
04:27 < Mathias> might be a little bit offtopic here, but is it possible to only allow certain programs to access it?
04:27 <@krzee> all that happened here is a bank was robbed
04:27 <@krzee> !routebyapp
04:27 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
04:27 <@vpnHelper> policies you set. For Linux, read about !lartc
04:27 < GeekFreak> how many "exchanges" have packed up shop and taken all the coins ?
04:28 <@krzee> GeekFreak, can it be proven that mtgox didnt do exactly that?
04:28 < Mathias> exactly what i need :D
04:28 <@krzee> people who leave their coins in the exchange are dumb man
04:29 <@krzee> use the exchange for its service if you need to, but then use your own wallet
04:29 < GeekFreak> but thats what i mean
04:29 < GeekFreak> your trading with criminals ?
04:29 <@krzee> why do you say criminals?
04:29 <@krzee> do you believe only criminals use bitcoin?
04:30 < GeekFreak> no but majority
04:30 <@krzee> umm majority of criminals i know of use USD
04:30 < GeekFreak> and if your a criminal what better to do then to open an exchange :)
04:30 <@krzee> shit the leader of sinaloa cartel just got busted with 18 BILLION USD and 0 bitcoin
04:31 < GeekFreak> we arent talking about traditional criminals anymore krzee
04:31 <@krzee> hella golden guns? no bitcoins tho
04:31 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Excess Flood]
04:31 < Aketzu_> I've heard that criminals in USA have opened up many banks, reaked up profits from bad loans and then run up with the money while watching the economy collapse
04:31 -!- mode/#openvpn [+v Aketzu_] by krzee
04:31 < enbergj> hmm .. ran mtu-test and it says 1573 is the MTU .. not significantly different from the 1500 so I guess tuning MTU any way will not do much for me
04:31 <@krzee> preach
04:32 -!- cronus [~cronus@c-71-232-48-68.hsd1.ma.comcast.net] has joined #openvpn
04:32 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
04:33 < enbergj> my cpus seem to support AES .. hmm
04:34 < GeekFreak> Why do you need crypto digital currency ?
04:35 <@krzee> GeekFreak, because i want alternatives to state run currencies where they steal from us through inflation which they create by making more $ and get first dibs on that $ to make their profits because the inflation catches up
04:35 < GeekFreak> lol you dont think that will happen with digital currency ?
04:36 <@krzee> evidently you dont know how it works
04:36 < GeekFreak> how do you think traditional banks started out ?
04:36 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:36 <@krzee> !google bitcoin under the hood
04:36 <@vpnHelper> How Bitcoin Works Under the Hood - YouTube: <http://www.youtube.com/watch?v=Lx9zgZCMqXE>; How Bitcoin Works Under the Hood - ImponderableThings: <http://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html>; Video Of The Week: Bitcoin Under The Hood – AVC: <http://avc.com/a_vc/2013/10/video-of-the-week-bitcoin-under-the-hood.html>
04:36 <@krzee> watch that video before we continue talking =]
04:36 < GeekFreak> the only way to stop that is too go back to barter
04:37 < GeekFreak> mate i know all about the bitcoins , the litecoins the dogecoins blah blah blah blah
04:37 <@krzee> obviously not
04:37 <@krzee> some can be inflated by a central authority of some sort, bitcoin can not.
04:37 <@krzee> nor can litcoin for that matter
04:38 < enbergj> you wouldn't know if the correct openssl thing to test when I want to compare speed between aes-256-cbc and BF-CBC cipher is "openssl speed blowfish aes-256-cbc" ?
04:38 < GeekFreak> who is to say Satoshi doesnt come back into the play
04:38 <@krzee> personally all i know is what i read in those links i gave you
04:39 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
04:39 <@krzee>  satoshi wrote 0 lines of code
04:39 <@krzee> he made the idea
04:40 <@krzee> whitepaper author
04:40 <@krzee> so ya, he comes back into the picture and then what dude?
04:40 <@krzee> nevermind dont answer that
04:40 < GeekFreak> lmao
04:40 <@krzee> watch that video, or dont, but you have no clue what you're talking about on thjat
04:41 < GeekFreak> :)
04:43 < GeekFreak> ill watch your little video and then ill come back to you and still continue with my point
04:45 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:45 <@novaflash> geez
04:45 <@novaflash> the energy you guys lose debating could power the world for a century
04:47 < GeekFreak> hehe novaflash
04:47 < GeekFreak> cant stand that guys voice
04:47 <@novaflash> whose?
04:47 < GeekFreak> you win krzee
04:48 < GeekFreak> that video krzee sent me
04:48 <@novaflash> oh
04:48 <@novaflash> krzee always wins at everything
04:48 <@novaflash> world's ugliest man contest, world's biggest manboobs, etc
04:48 < GeekFreak> can i play with them ?
04:48 <@novaflash> and debates about bitcoin
04:48 <@novaflash> sure, everybody else does
04:48 < GeekFreak> lmfao
04:48 <@krzee> well i mean some things are not opinion, the idea that bitcoin can be inflated is completely wrong, in fact it is a deflationary currency
04:49 <@novaflash> krzee is correct
04:49 <@novaflash> unlikely his manboobs
04:49 <@novaflash> unlike *
04:49 <@krzee> :D
04:49 < GeekFreak> i understand that but i just dont like the fact of a anonymous factor
04:49 < GeekFreak> or an unknown factor
04:49 < enbergj> .. hmm, well you wouldn't know if I have to do anything in openvpn to enable the "evp" engine in openssl? .. "openssl speed aes-256-cbc blowfish" shows them being about equal in speed, but "openssl speed -evp aes-256-cbc blowfish" shows aes to be ~4x faster, aes-128 is even faster
04:49 <@novaflash> then you must hate religion
04:50 < GeekFreak> dont believe in religion
04:50 <@krzee> i dont like the NON-anonymous factor of the real banks
04:50 <@krzee> i want anonymous money, that is why i like cash
04:50 <@krzee> (and bitcoin)
04:51 < GeekFreak> why not barter then ?
04:51 <@krzee> i barter often
04:51 <@krzee> when convienent
04:51 < GeekFreak> And its that thinking that created fiat currency :)
04:51 <@krzee> if you have something i want, and i have something you want? of course i will barter
04:51 < GeekFreak> CONVIENENT
04:51 <@krzee> bitcoin is fiat too
04:51 < GeekFreak> yes i know
04:52 < GeekFreak> but atleast traditional currency is backed by gold
04:52 < GeekFreak> well used to be...
04:52 <@krzee> name 1
04:52 <@krzee> ya, used to be
04:52 <@krzee> i also own silver and gold tho
04:52 < GeekFreak> yeah i own gold
04:53 < GeekFreak> I 100% agree with you about the banks
04:53 < GeekFreak> but digital currency isnt the way
04:53 < GeekFreak> we need to go back to basics
04:53 <@krzee> there you go, thats fair to say
04:53 <@novaflash> seashells
04:53 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
04:53 <@krzee> opinion is all good, just dont give false facts to back up the opinion
04:54 <@novaflash> seashells are superior because a great invisible man in the sky says so
04:54 <@krzee> by the seashore?
04:54 < GeekFreak> lol there is a place in the Samoan Islands that trades with seashells
04:54 < GeekFreak> no bs
04:54 < GeekFreak> but ofcourse the cheif has all the seashells lmao
04:54 <@novaflash> that's fact
04:54 <@novaflash> ask any religious person
04:55 <@novaflash> i wonder if they suffer from inflation, having to carry around a lot more seashells than say a hundred years ago now just to buy some bread
04:55 <@novaflash> imagine the wallets
04:55 < GeekFreak> you trade in your little shells for a big shell XD
04:56 < enbergj> like in zimbabwe, taking a wheelbarrow of cash to the store to buy milk and bread?
04:56 <@novaflash> at the shellsbank
04:56 <@novaflash> or sandbank
04:56 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:56 < GeekFreak> do you buy in bars or just random objects of silver and gold krzee
04:56 <@krzee> coins
04:57 < GeekFreak> ahhh
04:57 <@krzee> i mean rounds
04:57 < GeekFreak> They keep trying to sell me these fancy bars
04:57 <@krzee> not gov coins
04:57 < GeekFreak> with designs on them
04:58 <@krzee> i cant see getting the bars unless i get tons of $ i wanna put into it
04:58 <@krzee> like enough to make rounds unpractical
04:59 < GeekFreak> i buy 1 to 3 ounces a year
04:59 <@novaflash> i buy things with money i don't have
04:59 < GeekFreak> depending on prices
04:59 <@novaflash> and then i pay someone with money i don't actually get in hand, but goes to the bank, and stays with the bank :-P
04:59 <@novaflash> i hardly ever even see my own money
05:00 <@novaflash> banks have virtualized everything
05:00 < GeekFreak> lol i hear that novaflash
05:00 <@krzee> novaflash, oh dude are you in the bay area? i forgot corp is out here
05:00 < GeekFreak> i always use my card
05:00 <@novaflash> i personally am in the netherlands
05:01 <@krzee> oh
05:01 <@novaflash> sorry
05:01 < GeekFreak> novaflash,  is where ever he wants to be lol
05:01 < GeekFreak> is on high demand
05:01 < GeekFreak> novaflash*
05:01 <@novaflash> would you like to hear some dutch words?
05:01 <@novaflash> fietspomp
05:01 <@novaflash> kachelspecialist
05:02 < ACKNAK> KAAS
05:02 < GeekFreak> lol
05:02 <@krzee> [03:03]  <Shyline> !translate dutch to english fietspomp
05:02 <@krzee> [03:03]  <Golgo13> Shyline: bicycle pump
05:02 <@krzee> [03:03]  <Golgo13> Shyline: bicycle pump
05:02 < ACKNAK> :O
05:03 <@krzee> [03:03]  <Shyline> !translate dutch to english kachelspecialist
05:03 <@krzee> [03:03]  <Golgo13> Shyline: heater specialist
05:03 <@krzee> lol
05:03 <@krzee> those have to be bad translations!
05:03 < GeekFreak> i thought he was fist pumping
05:03 <@novaflash> yes i'm an escort IT person
05:03 <@krzee> or hes a heater specialist with a bicycle pump in his room
05:04 < GeekFreak> makes sense krzee
05:04 <@krzee> hehe a fist pump is throwing your fist in the air
05:04 <@novaflash> poephoofd
05:04 <@novaflash> ditmaal zie ik het door de vingers
05:04 < GeekFreak> LMFAO!
05:04 <@novaflash> de spanning is te snijden
05:04 < GeekFreak> now your just making stuff up
05:04 <@krzee> https://www.youtube.com/watch?v=2z7bhYIQldQ
05:04 <@vpnHelper> Title: TYF Instructional Fist Pumping Video - YouTube (at www.youtube.com)
05:05 <@novaflash> hey it's better than pump fisting
05:05 < GeekFreak> pump fist
05:05 < GeekFreak> I pump fist
05:05 < ACKNAK> I love "kh" sound in dutch, so awesome
05:06 < GeekFreak> i love dutch accent aspecially when i fist pump them
05:06 <@novaflash> ew
05:06 < ACKNAK> :D
05:06 < ACKNAK> xD
05:06 <@novaflash> stoephoer
05:07 <@novaflash> gehaktbal
05:07 < GeekFreak> lmao
05:07 < GeekFreak> i know that one stoepheor
05:07 <@krzee> i have not been to holland in years
05:07 <@novaflash> haha
05:07 <@novaflash> you should come over and i'll swear at you for free
05:07 < GeekFreak> your a stoephoer
05:07 <@novaflash> i know i'm cheap but surely not that cheap
05:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 272 seconds]
05:08 < GeekFreak> lol novaflash
05:08 <@krzee> [03:08]  <Shyline> !translate dutch to english stoephoer
05:08 <@krzee> [03:08]  <Golgo13> Shyline: sidewalk whore
05:08 <@krzee> haha
05:08 <@novaflash> you're learning a lot of valuable information today
05:08 <@novaflash> the great thing about dutch is that we can combine words into one
05:08 < GeekFreak> my told me when i am in holland to ask for stoephoer
05:09 <@novaflash> tyfuskankerteringhoerelijer
05:09 -!- Zordrak_ is now known as Zordrak
05:09 < GeekFreak> ^ thats not real
05:09 <@novaflash> it is
05:09 < GeekFreak> no way lol
05:09 <@krzee> i would need a pen and paper to ask for a stoephoer
05:09 <@novaflash> well let's break it into words so the translator understands it
05:09 <@krzee> cause i could not say that correctly for sure
05:09 <@novaflash> tyfus kanker tering hoeren lijder
05:09 < GeekFreak> record that and post it novaflash lol
05:10 <@krzee> [03:11]  <Shyline> !translate dutch to english tyfuskankerteringhoerelijer
05:10 <@krzee> [03:11]  <Golgo13> Shyline: tyfuskankerteringhoerelijer
05:10 <@novaflash> krzee: use the split version
05:10 <@novaflash> either that, or perhaps shyline is responding in kind
05:10 <@krzee> [03:11]  <Shyline> !translate dutch to english tyfus kanker tering hoeren lijder
05:10 <@krzee> [03:11]  <Golgo13> Shyline: typhoid cancer sufferer ment whores
05:10 <@novaflash> that's closer
05:10 < GeekFreak> typhoid cancer consumption whores lead
05:10 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
05:11 <@novaflash> leider is leader, lijder is sufferer
05:11 <@novaflash> sounds the same
05:11 <@novaflash> following the lijder :-P
05:11 < GeekFreak> lmfao
05:11 <@novaflash> anyways yeah, just combine words and it makes an awful swearword in dutch
05:11 < enbergj> hmm .. this is quite annoying .. I can't get the VPN link to deliver more than ~6-11Mbps .. it's still a LOT better than what I got when I tried openswan IPsec, ~1-2Mbps
05:11 < GeekFreak> and thats a swear word?
05:12 <@novaflash> it's something you say when you're really pissed off at someone and motherfucker doesn't cut it
05:12 <@novaflash> more like; you stupid ass-faced dickless motherfucking cunt-sucking tit!
05:12 <@novaflash> and so on
05:12 < GeekFreak> motherfucker might not cut it but if you called me a thphoid cancer suffer whore leader
05:12 < GeekFreak> i would look at you an laugh
05:12 <@novaflash> not in dutch
05:12 <@novaflash> in dutch you'd be impressed and angry
05:13 <@novaflash> the dutch are pussies
05:13 < GeekFreak> see this is why dutch are weird you dont know how to swear properly lol
05:13 < enbergj> service openvpn start
05:13 < enbergj> .. whoops
05:13 <@novaflash> openvpn unable to start
05:13 < enbergj> accidental click
05:13 <@novaflash> dependency missing: brains
05:13 < GeekFreak> lmfao novaflash
05:13 <@novaflash> apt-get install brains
05:13 <@novaflash> unable to locate brains
05:13 <@novaflash> try using apt-get -f to resolve missing dependencies
05:13 < enbergj> apt-get remove brains
05:14 < GeekFreak> you forgot su
05:14 <@novaflash> apt-get remove su
05:14 < GeekFreak> lol
05:14 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
05:14 < enbergj> apt-get remove -f $(dpkg --get-selections)
05:14 <@novaflash> reboot
05:15 < GeekFreak> # fdisk -l | grep '^Brain'
05:15 < enbergj> reminds me of how I just recently did a "neat" thing with dpkg and apt to force reinstall every package
05:15 < enbergj> or almost every package
05:15 < GeekFreak> Brain /dev/sda: 0.1 GB, 100000 bytes
05:15 <@novaflash> enbergj: you like working with your package don't you
05:16 < enbergj> I love it
05:16 <@novaflash> sorry for lowering the quality of this channel by 5000 IQ points
05:16 < GeekFreak> with tyfus kanker tering hoeren lijder
05:17 <@novaflash> i am now angry and impressed
05:17 < GeekFreak> lol
05:17 <@novaflash> you stupid ass-faced dickless motherfucking cunt-sucking tit!
05:17 < GeekFreak> so does that mean you will buy me a beer?
05:17 <@novaflash> yes of course
05:17 <@novaflash> being angry and impressed always leads to beer
05:17 < GeekFreak> i like dutch
05:17 <@novaflash> dutch is funny because of the weird sounds
05:18 < GeekFreak> i also like dutch ovens
05:18  * novaflash lights it for you
05:18 < GeekFreak> not sure if they are dutch
05:19 < GeekFreak> but it has dutch at the beginning so i would assume
05:19 <@novaflash> the dutch have such poor reputation
05:19 <@novaflash> talking double dutch
05:19 <@novaflash> going dutch
05:19 <@novaflash> dutch ovens
05:19 < GeekFreak> lol
05:19 < GeekFreak> i mean actual dutch ovens i take one camping all the time lol
05:20 < GeekFreak> XD
05:20 <@novaflash> the stereotypical dutch; cheap, don't make sense, are disgusting in bed, always high on weed
05:20 <@novaflash> oh i see
05:21 <@novaflash> i thought you meant like the act of farting in bed and stuffing somebody else's face under the sheets
05:21 <@novaflash> also called a dutch oven
05:22 < GeekFreak> Yeah i like to do that to people too
05:23 < GeekFreak> And arent you always high on weed?
05:23 < GeekFreak> or is that beside the point ?
05:23 <@novaflash> no i use my own dutch ovens
05:24 < GeekFreak> So technically any oven you own is dutch ...
05:24 <@novaflash> yes i have an oven in my kitchen
05:24 <@novaflash> i think it's actually made in china
05:24 < GeekFreak> dutch microwave?
05:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:24 <@novaflash> microwave and oven
05:24 <@novaflash> and grill
05:24 <@novaflash> all-in-one
05:24 < GeekFreak> dutch grill i like it
05:24 <@novaflash> very efficient
05:24 < GeekFreak> where can i buy one
05:24 <@novaflash> in the netherlands
05:25 < GeekFreak> does it come with a free bag of weed
05:25 <@novaflash> you're not dutch are you?
05:25 <@novaflash> in that case
05:25 <@novaflash> sure
05:25 <@novaflash> free bag of 'weed'
05:25 < GeekFreak> ummmmmmmmmm
05:25 < MorgyN_> schmoke and a pancake
05:25 -!- MorgyN_ is now known as MorgyN
05:25 < GeekFreak> schmoke an a pancake lol
05:25 <@novaflash> pannekoek met siroop
05:25 <@novaflash> or with the new spelling
05:25 <@novaflash> pannenkoek met siroop
05:25 < GeekFreak> I ammmm dutcchh...
05:26  * novaflash hands GeekFreak a bag of random leaves
05:26 <@novaflash> here, it's weed
05:26 <@novaflash> don't smoke it all in one go
05:26 < GeekFreak> CURSES!
05:26 < GeekFreak> id probaly die
05:26 < GeekFreak> i have smoked that stuff in years ..
05:27 < GeekFreak> well atleast i think its been years could still be high ...
05:27 < GeekFreak> havent*
05:27 < GeekFreak> i really need a new keyboard..
05:28 <@novaflash> your excuses are most transparent
05:28 < GeekFreak> sticky keys XD
05:28 <@novaflash> hey, i'm not to judge what you do at your computer... ew
05:29 <@novaflash> http://some.crappy.technology/cat/curling.gif
05:32 <@novaflash> okay back to work
05:32 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
05:36 < GeekFreak> too bed for me
05:36 <@novaflash> oh that's too bed
05:37 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
05:42 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
05:45 < Mathias> apparently, the add TAP-interface thingy doesn't exist here :o
05:45 -!- cronus [~cronus@c-71-232-48-68.hsd1.ma.comcast.net] has quit [Quit: cronus]
05:49 < Mathias> ah, it has been removed from the openvpn-submenu
05:53 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
05:56 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
05:59 -!- cronus [~cronus@c-71-232-48-68.hsd1.ma.comcast.net] has joined #openvpn
05:59 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:09 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:09 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:09 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:17 -!- MNVapes- [~randaz@109.201.154.200] has joined #openvpn
06:17 < MNVapes-> If I connect to the OpenVPN instance running on my VPS using the connect client, will all data continue to be routed through PrivateInternetAccess to my VPS? Or would the VPS connect client bypass PrivateInternetAccess?
06:18 < Mathias> hmm, now openvpn is giving me "Cannot load CA certificate file ca.crt (OpenSSL)"
06:18 -!- mattock_afk is now known as mattock
06:26 < Mathias> hahaha, i copied the wrong certificate
06:30 -!- cronus [~cronus@c-71-232-48-68.hsd1.ma.comcast.net] has quit [Quit: cronus]
06:31 -!- 14WAB74LI [foobar@77.240.12.157] has quit [Ping timeout: 245 seconds]
06:33 -!- jfig [~jfig@mail3.aces.ascendi.pt] has joined #openvpn
06:45 <@ecrist> MNVapes-: I don't understand your question.
06:45 < MNVapes-> PrivateInternetAccess is a vpn company that has their own client that installs a tapi driver
06:46 < MNVapes-> but they use shared IPs for better anonymity
06:46 <@ecrist> ah, you need to ask them, then
06:46 < MNVapes-> and I need a dedicated IP
06:46 < MNVapes-> well apparently their support is tarded and the only answer they can give is it might work....
06:47 < MNVapes-> can only get ahold of some kid reading a script
06:47 <@ecrist> well, they way a vpn works is, if we can't see or modify the SERVER config, there's nothing we can really do for you
06:47 <@ecrist> this channel is geared toward people who are running their own openvpn server
06:48 <@ecrist> not "name your vpn service here?
06:48 -!- mattock is now known as mattock_afk
06:51 < MNVapes-> Understood. Well thanks for your time :)
06:52 <@ecrist> no problem.
06:53 -!- MNVapes- [~randaz@109.201.154.200] has left #openvpn []
06:56 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
06:56 -!- joshu [~joshu@62-20-176-238-no28.tbcn.telia.com] has quit [Quit: Bye.]
06:56 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
06:58 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 272 seconds]
06:58 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
06:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:59 -!- mauww [~localhost@unaffiliated/mauww] has joined #openvpn
07:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:04 -!- Guest78814 [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
07:05 -!- Guest78814 [~Sembei@unaffiliated/sembei] has joined #openvpn
07:07 -!- elfixit [~Icedove@213.144.137.4] has joined #openvpn
07:13 -!- cronus [~cronus@23.30.140.182] has joined #openvpn
07:22 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:24 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
07:29 -!- Guest78814 [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
07:29 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
07:41 -!- mauww [~localhost@unaffiliated/mauww] has quit [Ping timeout: 246 seconds]
07:46 -!- cronus [~cronus@23.30.140.182] has left #openvpn []
07:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:52 -!- elfixit [~Icedove@213.144.137.4] has quit [Ping timeout: 244 seconds]
07:57 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
07:58 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:22 -!- mattock_afk is now known as mattock
08:22 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 436 seconds]
08:22 -!- fred`` [~fred@earthli.ng] has quit [Ping timeout: 436 seconds]
08:22 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 436 seconds]
08:23 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 244 seconds]
08:24 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
08:24 -!- mode/#openvpn [+v hazardous] by ChanServ
08:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:24 -!- fred`` [fred@earthli.ng] has joined #openvpn
08:28 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
08:33 -!- noobboob [uid5587@gateway/web/irccloud.com/x-sehknqffhvubexbk] has joined #openvpn
08:35 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:43 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
08:46 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:53 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 274 seconds]
08:54 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
08:54 -!- lbft_ is now known as lbft
08:58 -!- fusl is now known as Fusl
09:00 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-hxzvjtabhmxauttt] has joined #openvpn
09:25 -!- lj [~l@192.241.174.169] has joined #openvpn
09:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:29 -!- jfig [~jfig@mail3.aces.ascendi.pt] has quit [Ping timeout: 272 seconds]
09:30 -!- Fusl is now known as fusl
09:31 -!- jfig [~jfig@mail3.aces.ascendi.pt] has joined #openvpn
09:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
09:48 -!- fcaral [~Adium@93-2-190-109.dsl.ovh.fr] has joined #openvpn
09:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
09:58 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:22 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
10:23 -!- fusl is now known as Fusl
10:26 -!- jfig [~jfig@mail3.aces.ascendi.pt] has quit [Quit: Leaving]
10:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
10:31 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:31 -!- Fusl is now known as fusl
10:33 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
10:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:00 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:01 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
11:03 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
11:03 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
11:03 -!- noobboob [uid5587@gateway/web/irccloud.com/x-sehknqffhvubexbk] has quit [Quit: Connection closed for inactivity]
11:08 -!- spiekey [~admin@projekte.imos.net] has quit [Ping timeout: 264 seconds]
11:21 -!- s0meone is now known as someone
11:26 -!- fusl is now known as Fusl
11:29 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection timed out]
11:37 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:37 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
11:42 -!- Fusl is now known as fusl
11:44 -!- fusl is now known as Fusl
11:45 -!- Fusl is now known as fusl
11:46 -!- noobboob [uid5587@gateway/web/irccloud.com/x-bjgdonxqgftjxswj] has joined #openvpn
12:03 -!- fcaral [~Adium@93-2-190-109.dsl.ovh.fr] has quit [Quit: Leaving.]
12:06 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
12:08 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:09 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
12:09 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:10 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
12:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Disconnected by services]
12:10 -!- gffa_ is now known as gffa
12:16 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Excess Flood]
12:16 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
12:16 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
12:17 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
12:18 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 264 seconds]
12:18 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-votqdgjioqtgnkxl] has joined #openvpn
12:18 -!- joshh20-Away is now known as joshh20
12:20 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Write error: Broken pipe]
12:21 -!- __FBi [B@2a00:d880:3:1::d93:a8cb] has quit [Ping timeout: 279 seconds]
12:21 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
12:22 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Excess Flood]
12:22 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Excess Flood]
12:22 -!- master_o1_master [~master_of@p4FD7B86B.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
12:22 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Excess Flood]
12:23 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
12:23 -!- master_of_master [~master_of@79.215.184.107] has joined #openvpn
12:23 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
12:23 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
12:23 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
12:23 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
12:24 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
12:24 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
12:26 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:27 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
12:27 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:27 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
12:29 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:29 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 264 seconds]
12:30 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
12:32 -!- br4ndon_ [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Client Quit]
12:35 -!- fusl is now known as Fusl
12:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:38 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
12:38 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 272 seconds]
12:45 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Excess Flood]
12:46 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
12:46 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host]
12:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:46 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 252 seconds]
12:47 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
12:47 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:52 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
12:55 -!- aji [~alex@atheme/member/aji] has joined #openvpn
13:03 -!- Jeroen52 [~quassel@2001:41d0:1:9592::1] has joined #openvpn
13:03 -!- u0m3 [~u0m3@92.80.86.213] has joined #openvpn
13:10 -!- roentgen [~irc@89.46.129.178] has joined #openvpn
13:10 -!- roentgen [~irc@89.46.129.178] has quit [Changing host]
13:10 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
13:10 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:12 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:12 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:19 -!- mattock is now known as mattock_afk
13:21 -!- master_of_master [~master_of@79.215.184.107] has quit [Ping timeout: 246 seconds]
13:23 -!- master_of_master [~master_of@p4FF2486C.dip0.t-ipconnect.de] has joined #openvpn
13:34 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
13:35 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 264 seconds]
13:35 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Ping timeout: 264 seconds]
13:36 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
13:36 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:41 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
13:41 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
13:43 -!- crus [~crusader@2001:44b8:319e:2900:f1d3:cc2d:d662:b8e0] has joined #openvpn
13:46 -!- dazo [~dazo@44.118.9.46.customer.cdi.no] has joined #openvpn
13:46 -!- dazo [~dazo@44.118.9.46.customer.cdi.no] has quit [Changing host]
13:46 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
13:46 -!- mode/#openvpn [+o dazo] by ChanServ
13:53 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
14:06 -!- Fusl is now known as fusl
14:06 -!- joshh20 is now known as joshh20-Away
14:17 -!- Xtrivity [~Insanity@S0106602ad096ef86.va.shawcable.net] has joined #openvpn
14:19 < Xtrivity> Hi guys, I've been struggling trying to get my openVPN client to connect to my openvpn server. I have been able to succesfully connect using a windows client but cant figure out how to connect via debian. Heres my log file: http://pastebin.com/1F0nWpRn I have googled the error and can't find any working answers
14:21 < _FBi> that's an old version -- what is the windows version and the server version?
14:26 < Xtrivity> im using debian OS as open vpn client
14:26 < Xtrivity> openvpn server is .. one sec, ill check
14:32 -!- noobboob [uid5587@gateway/web/irccloud.com/x-bjgdonxqgftjxswj] has quit [Quit: Connection closed for inactivity]
14:34 < Xtrivity> _FBi, it's using OpenVPN Access Server
14:35 < Xtrivity> v 1.8.3
14:35 < _FBi> I think you can only have one person connect?
14:35 < _FBi> I forget what the limitations of AS are
14:37 < Xtrivity> I have nobody connected. Im actually losing my mind.
14:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
14:40 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has joined #openvpn
14:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:41 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 252 seconds]
--- Log closed Tue Feb 25 14:41:45 2014
--- Log opened Tue Feb 25 14:41:57 2014
14:41 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
14:41 -!- Irssi: #openvpn: Total of 226 nicks [8 ops, 0 halfops, 2 voices, 216 normal]
14:41 -!- mode/#openvpn [+o ecrist] by ChanServ
14:42 -!- Irssi: Join to #openvpn was synced in 30 secs
14:43 < _FBi> Xtrivity, have you tried without AS ?
14:44 < Xtrivity> _FBi, I have no choice, AS is what is provided by my VPS provider
14:44 < _FBi> debian?
14:44 < _FBi> apt-get update && apt-get upgrade
14:45 < _FBi> apt-cache search OpenVPN
14:54 <@dazo> !AS
14:54 <@dazo> !as
14:54 <@vpnHelper> "AS" is please go to #OpenVPN-AS for help with Access-Server
14:54 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
14:56 < Xtrivity> dazo,  hopefully you have some input in the -as channel :)
14:56 < Xtrivity> _FBi,  i'm updating right now - dont think it'll help me much unfortunately.
14:56 <@dazo> nope, I only support the community edition
14:56 <@dazo> (server and client side)
15:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-votqdgjioqtgnkxl] has quit [Quit: Connection closed for inactivity]
15:02 -!- fusl is now known as Fusl
15:06 < Xtrivity> dazo,  if im able to connect via windows client using openvpn server - obviously all ports are open and ready to connect, any reason I would be getting a : TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) on a debian client
15:07 <@dazo> Firewall
15:07 < Xtrivity> on client side?
15:07 <@dazo> dunno ... on at least one of the sides
15:08 <@dazo> it can also be a router in between which blocks that port/protocol
15:08 <@dazo> The error basically means that the client could not get in touch with the server during the last 60 seconds
15:09  * dazo heads home
15:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:10 -!- mode/#openvpn [+v s7r] by ChanServ
15:12 -!- dazo is now known as dazo_afk
15:14 -!- Fusl is now known as fusl
15:18 -!- fusl is now known as Fusl
15:18 -!- Fusl is now known as fusl
15:19 -!- fusl is now known as Fusl
15:20 -!- Fusl is now known as fusl
15:21 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
15:21 -!- fusl is now known as Fusl
15:23 -!- Fusl is now known as fusl
15:23 -!- fusl is now known as Fusl
15:24 -!- Fusl is now known as fusl
15:28 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
15:29 < Xtrivity> I have 2 computers in same lan, one runs windows and is able to connect to openvpn-as server, and the one running debian says TLS key negotation failed to occur within 60 seconds. So I know there are no firewall issues in regards to my router or the server. Can anyone help me out debug this on the debian side of things?
15:30 -!- JodaZ [~joda@unaffiliated/jodaz] has joined #openvpn
15:31 < JodaZ> is there any way to speed up the openvpn connection process? it seems to take in the order of seconds (maybe typical configuration issue i am hitting?)
15:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-yulsanhlxpkzbati] has quit [Ping timeout: 252 seconds]
15:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-cherlaomxavgwwsu] has joined #openvpn
15:34 <@Eugene> Handshake length depends upon your key size & cpu speed, and a few seconds is expected/normal.
15:34 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:34 <@Eugene> You can use a smaller key(at the expense of security strength) or buy a faster processor, but IMO it really isn't a problem.
15:35 < JodaZ> strange, this is by design? like a pow for key handshake?
15:36 <@Eugene> It establishes a symmetric key channel which is used for the actual data transfer
15:46 -!- Xtrivity [~Insanity@S0106602ad096ef86.va.shawcable.net] has quit [Quit: Leaving]
15:52 < JodaZ> strange, it seems subjective, when i am waiting for an connection it seems to take longer :)
15:53 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:09 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
16:10 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
16:10 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Client Quit]
16:11 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
16:33 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-urciwboweoevygds] has joined #openvpn
16:45 -!- defsdoor [~andy@cpc30-sutt4-2-0-cust155.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:08 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Ping timeout: 252 seconds]
17:11 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
17:16 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
17:16 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
17:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:19 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Ping timeout: 246 seconds]
17:20 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
17:24 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-hxzvjtabhmxauttt] has quit [Quit: Connection closed for inactivity]
17:26 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:26 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:26 -!- dazo_afk is now known as dazo
17:27 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
17:33 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
17:35 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
17:36 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-wcomviuoifdgndch] has joined #openvpn
17:38 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
17:44 -!- noobboob [uid5587@gateway/web/irccloud.com/x-lycntghllckygfog] has joined #openvpn
17:58 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 245 seconds]
18:00 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Remote host closed the connection]
18:12 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:18 -!- n2deep_ is now known as n2deep
18:34 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:43 -!- klein [~klein@177.101.109.136] has joined #openvpn
18:43 -!- klein [~klein@177.101.109.136] has quit [Changing host]
18:43 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
18:44 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 246 seconds]
18:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-urciwboweoevygds] has quit [Quit: Connection closed for inactivity]
18:59 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
19:04 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
19:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:13 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 272 seconds]
19:13 < jeev> krzee, around ?
19:14 < _FBi> more rectangle
19:34 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
19:36 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 244 seconds]
19:39 -!- u0m3 [~u0m3@92.80.86.213] has quit [Read error: Connection reset by peer]
19:46 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
19:48 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has quit [Ping timeout: 252 seconds]
19:52 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has joined #openvpn
19:57 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
20:02 -!- noobboob [uid5587@gateway/web/irccloud.com/x-lycntghllckygfog] has quit [Quit: Connection closed for inactivity]
20:17 -!- noobboob [uid5587@gateway/web/irccloud.com/x-brzptwpdvotxqdzf] has joined #openvpn
20:38 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has quit [Ping timeout: 272 seconds]
20:44 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has joined #openvpn
21:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Connection reset by peer]
21:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:39 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
21:52 -!- stickpin [~b@173.244.215.195] has quit [Ping timeout: 245 seconds]
22:19 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
22:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-brzptwpdvotxqdzf] has quit [Quit: Connection closed for inactivity]
22:30 <@ecrist> what's up, peeps?
22:32 < Suterusu> satallites?
22:32 <@ecrist> up is relative
22:33 < Suterusu> it is after satallites ...
22:43 -!- akurilin2 [~alex@98.207.161.67] has joined #openvpn
22:58 < akurilin2> Hey guys, what is that %serial%.pem file you get as a byproduct when you run build-key ?
22:59 < akurilin2> And should I bother keeping that around?
23:00 < Suterusu> dh1024.pem?   where 1024 = bits?   yeah possibly need that
23:01 < akurilin2> This is specifically a serial .pem, as in 06.pem 07.epm
23:01 < akurilin2> *pem
23:01 < akurilin2> based on whatever's inthe serial file that the scripts use
23:02 < Suterusu> https://www.openssl.org/docs/crypto/pem.html
23:02 <@vpnHelper> Title: OpenSSL: Documents, pem(3) (at www.openssl.org)
23:02 < Suterusu> It's likely used....
23:02 < Suterusu> by w/e spawned it...
23:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 244 seconds]
23:03 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
23:03 < akurilin2> Yeah, that's what I'm thinking too, just trying to determine if it's safe to nuke it
23:03 < akurilin2> don't think I'll ever need anything but those client credentials that were generated off of that CA
23:04 < Suterusu> well, how many things you got on there utilising SSL? each one that gen'd it's own keys likely made a .pem to compliment ...
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
--- Day changed Wed Feb 26 2014
00:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:22 -!- lvv [~loganaden@196.1.0.40] has joined #openvpn
00:43 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
00:50 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
00:52 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Remote host closed the connection]
00:52 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
00:57 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
01:10 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
01:12 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
01:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:24 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
01:30 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:49 -!- makara [~makara@41.164.22.217] has joined #openvpn
01:52 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
01:53 -!- makara [~makara@41.164.22.217] has joined #openvpn
01:55 -!- makara [~makara@41.164.22.217] has quit [Excess Flood]
01:56 -!- makara [~makara@41.164.22.217] has joined #openvpn
01:57 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
01:58 -!- makara [~makara@41.164.22.217] has joined #openvpn
01:59 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:00 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:02 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:02 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:03 -!- Ulrar [~Ulrar@luwin.ulrar.net] has left #openvpn ["WeeChat 0.4.2"]
02:04 -!- y4h0 [~yavor@94.155.134.12] has quit [Remote host closed the connection]
02:04 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:05 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:05 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
02:06 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:07 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:09 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:10 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:11 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:12 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:13 -!- makara [~makara@41.164.22.217] has quit [Max SendQ exceeded]
02:14 -!- makara [~makara@41.164.22.217] has joined #openvpn
02:14 -!- makara [~makara@41.164.22.217] has quit [Read error: Connection reset by peer]
02:34 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
02:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
02:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:06 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
03:23 -!- linlin [will@173.243.115.75] has quit [Remote host closed the connection]
03:23 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
03:24 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-wcomviuoifdgndch] has quit [Quit: Connection closed for inactivity]
03:24 -!- traph [~traph@46.10.9.133] has joined #openvpn
03:24 -!- traph [~traph@46.10.9.133] has quit [Changing host]
03:24 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
03:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
03:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:47 < Zordrak> Can anyone provide any warnings before I proceed to set up a dual-server openvpn cpnfog?
03:47 < Zordrak> config
03:48 < Zordrak> I have an existing server in an office location with an L2L VPN to a datacentre from there; but because it's on CentOS with PAM->SSSD->FreeIPA authentication it keeps dying (due to occasional segfault or too many open files bugs)
03:48 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
03:48 -!- Devastatr [~devas@177.18.199.12] has joined #openvpn
03:48 < Zordrak> I can't do too much about the bugs, but to keep connectivity going, I plan to put a backup openvpn server in the datacentre with appropriate reverse routing so the office can also be contacted.
03:49 < Zordrak> As far as I know you can then adjust client configs to have both servers defined
03:50 < Zordrak> But I don't know if it's going to provide more problems than solutions. For example, if due to bugs the failure is an authentication failure rather than a server shutdown; would the secondary server be contacted - or not because it's already been told of an authoritative fail
03:54 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
03:57 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
04:05 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
04:16 -!- Mathias [M@unaffiliated/mathias] has quit [Quit: ...]
04:25 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
04:27 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Write error: Connection reset by peer]
04:31 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
04:31 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
04:40 -!- makara [~makara@41.164.22.217] has joined #openvpn
04:41 -!- makara [~makara@41.164.22.217] has left #openvpn []
04:43 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
04:51 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
04:53 < dan_j> Hi. I need to supply a hardware openvpn device to a client overseas. It needs to be a simple installation where they can plug the device in between their router and switch. What would you recommend?
04:54 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
04:57 <@dazo> dan_j: some ISPs in Germany (iirc) use tp-link wr1043nd with openwrt + openvpn for similar use cases
04:57 <@dazo> so basically, anything which does openwrt is a fairly good match
04:58 < dan_j> I didnt really want to get involved with reflashing with openwrt etc. I was looking for an off the shelf solution.
04:58 < dan_j> Which the client might be able to purchase in their country and easily set up.
04:59 <@dazo> there's no off-the-shelf solution which ships with openvpn afaik
04:59 <@dazo> you need to flash it
04:59 <@dazo> however, with openwrt ... you can build your own custom images, which your client can download and flash ... with everything fully configured
05:00 < dan_j> ah, ok. Thanks
05:00 -!- qwertyoruiop_ is now known as qwertyoruiop
05:00 <@dazo> another idea ... rasberry-pi .....
05:01 <@dazo> it wouldn't be a "in the middle" solution, and the customer would need to set up some routes on their own infrastructure
05:01 <@dazo> but that could work fairly well too
05:02 < dan_j> I dont want it to get too messy though. They need to feel confident that its a commercial solution.
05:05 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 264 seconds]
05:18 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
05:29 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
05:34 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 255 seconds]
05:36 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
05:37 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
05:41 -!- thigh [~thigh@unaffiliated/thigh] has joined #openvpn
05:41 < thigh> hi guys
05:41 < thigh> !welcome
05:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:42 < thigh> !goal
05:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:49 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:55 -!- makara [~makara@41.164.22.218] has joined #openvpn
06:05 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
06:07 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: OUCH!!!]
06:07 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
06:08 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
06:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:17 -!- thigh [~thigh@unaffiliated/thigh] has quit [Quit: Saindo]
06:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:26 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:26 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:29 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
06:35 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:37 -!- newbie|5 [~tjz@67.228.240.11-static.reverse.softlayer.com] has joined #openvpn
06:40 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 272 seconds]
06:54 < enbergj> when I'm running iperf over an openvpn tunnel to see how it's performing, and I monitor "tcpdump -f", I see that all the udp packets are either 117 or 181 in "length" .. does that mean that it is not using the MTU of 1500 properly?
06:56 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:57 <@ecrist> http://xkcd.com/now
06:57 <@vpnHelper> Title: xkcd: Now (at xkcd.com)
06:57 <@ecrist> that's pretty neat
07:01 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:02 -!- Jimi_Neutral [~chatzilla@217.156.151.254] has joined #openvpn
07:04 < enbergj> is it actually dynamic?
07:04 < enbergj> ah, tooltip says it is
07:07 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
07:10 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:10 < Jimi_Neutral> Hi All, I set up VPN server on me synology nas. Sorted out the certificate and the opvn file, put that in the install folder on me laptop and it connects fine. However when I try to connect from me Galaxy S4 with the same files it wont connect
07:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
07:16 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
07:16 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
07:22 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 246 seconds]
07:23 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 245 seconds]
07:23 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
07:33 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Ping timeout: 246 seconds]
07:34 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
07:42 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Remote host closed the connection]
07:44 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
07:49 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: Lorem ipsum dolor sit amet]
07:53 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:00 -!- bertodsera_ [~quassel@212.36.61.26] has joined #openvpn
08:00 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 246 seconds]
08:01 -!- bertodsera__ [~quassel@212.36.61.26] has joined #openvpn
08:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:01 -!- bertodsera [~quassel@212.36.61.26] has quit [Read error: Connection reset by peer]
08:02 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 272 seconds]
08:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:03 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
08:05 -!- bertodsera_ [~quassel@212.36.61.26] has quit [Ping timeout: 264 seconds]
08:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:16 -!- mode/#openvpn [+v s7r] by ChanServ
08:27 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:27 -!- bertodsera__ [~quassel@212.36.61.26] has quit [Remote host closed the connection]
08:29 <@ecrist> Jimi_Neutral: you need to use inline certificates for android/iphone
08:29 <@ecrist> !man
08:29 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:29 <@ecrist> see there for inline certificates
08:29 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:29 < Jimi_Neutral> thank you very muchly :)
08:29 < Jimi_Neutral> though it sounds very complicated
08:30 <@ecrist> not at all, actually
08:30 <@ecrist> basically, inside your openvpn client config, you'll have three stanzas, <ca>CA_HERE</ca><cert>CERT_HERE</cert><key>KEY_HERE</key>
08:31 <@ecrist> the x_HERE part is what's in the files now, your ca file, your client certificate file, and your key file
08:31 <@ecrist> it's OK/likely those will all be on multiple lines
08:32 < Jimi_Neutral> is that the opvn file
08:32 <@ecrist> yes
08:32 < Jimi_Neutral> hmm not seeing anything like thaty
08:33 < Jimi_Neutral> I see a few lines that are not commented out
08:33 < Jimi_Neutral> the rest is commented out
08:33 <@ecrist> you need to add these lines
08:33 < Jimi_Neutral> i have put my VPN server address in already
08:33 -!- allo [~harry@nemesis.laxu.de] has joined #openvpn
08:33 < allo> hi.
08:33 <@ecrist> in the man page, see the section called inline file support
08:34 < Jimi_Neutral> at the top of the file next to remote
08:34 < allo> What do i need to do, to reconnect (with changed external ip), to keep the tcp-connections inside alive?
08:34 < allo> i thought ping-restart and/or kill -HUP should do this, but it does not seem to work
08:35 < Jimi_Neutral> ok I see the inline file support bit
08:35 < Jimi_Neutral> its not really advising what to do
08:36 <@ecrist> I just told you to do that, 
08:36  * ecrist gives up
08:37 < Jimi_Neutral> so you are telling me to copy and paste what you just typed and stick that in my config file?
08:37 < Jimi_Neutral> because what you wrote is not in my config file
08:40 < Jimi_Neutral> Can anyone here give me help on config of my pvpn file please?
08:40 < Jimi_Neutral> opvn*
08:46 < Jimi_Neutral> i have looked at some other config files and they say you should have these three lines in and they are not in my config file, all i have is
08:47 < Jimi_Neutral> pull, proto udp, script security 2, ca ca.crt, comp-lzo, reneg-sec 0, auth - user- pass
08:47 < Jimi_Neutral> apart from the bit at the top with my server name the rest is comments
09:03 -!- lvv [~loganaden@196.1.0.40] has quit [Quit: lvv]
09:06 <@ecrist> I already told you what to do
09:15 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
09:16 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 272 seconds]
09:17 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
09:19 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 246 seconds]
09:24 -!- newbie|5 [~tjz@67.228.240.11-static.reverse.softlayer.com] has quit [Quit: quit irc]
09:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:38 < Jimi_Neutral> its ok, i figured it out for myself. Its completely different from what you said when working with the synology nas. I just exported the config file from that and changed the server  addy and plopped it into my phone. Works great. I can add more options later when I understand them
09:39 < Jimi_Neutral> thanks for trying tho
09:40 -!- Jimi_Neutral [~chatzilla@217.156.151.254] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
09:45 -!- itaddercloud [uid4697@gateway/web/irccloud.com/x-axkslgytmknjcxar] has joined #openvpn
09:46 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 240 seconds]
09:47 -!- teegee543 [~teegee543@berrypi.com] has joined #openvpn
09:47 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
09:52 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Disconnected by services]
09:52 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
09:54 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
09:54 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
09:55 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
09:58 <@krzee> he said reneg-sec 0 lol
09:58 < teegee543> hello, i'm having trouble connecting to the internet through my VPN
09:58 < teegee543> here's my config file: http://sprunge.us/BSRg
09:59 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
10:06 <@krzee> teegee543,
10:06 <@krzee> !redirect
10:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:06 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:07 <@krzee> also if you want us to look at configs, you gotta strip the 100lines of comments lol
10:07 <@krzee> !configs
10:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:08 <@krzee> teegee543, also, why are you bridging?
10:08 < teegee543> here's my config: http://sprunge.us/BXMJ
10:08 < teegee543> i'd like to bridge broadcast traffic to see samba devices on both ends
10:09 <@krzee> samba traffic is ip layer
10:09 <@krzee> !wins
10:09 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
10:09 <@krzee> !tunortap
10:09 < teegee543> how about afp for time machine traffic?
10:09 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
10:09 <@vpnHelper> rooted/jailbroken) support only tun
10:09 <@krzee> afp is also ip traffic
10:10 < teegee543> so i just need a tunnel for those
10:10 < teegee543> or routing (not sure about the terminology)
10:11 <@krzee> yep, for samba discovery you just need dns or wins setup
10:11 < teegee543> what lines can i comment out in my config?
10:11 <@krzee> (or simply connect via IP)
10:11 < teegee543> do i need to leave client-to-client?
10:11 < teegee543> i'm trying to avoid connecting by IP to make things more transparent to the end user
10:11 < teegee543> who aren't tech savvy
10:11 <@krzee> best way to answer that is to tell you what it is (or point at the manual) so you can properly decide the answer to that
10:12 <@krzee> connecting my netbios name is easier than ip for non-techs?
10:12 <@krzee> maybe hostname is equally easy?  if not you definitely need WINS
10:12 <@krzee> !c2c
10:12 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
10:12 <@vpnHelper> other clients
10:13 < teegee543> gotcha
10:13 <@krzee> i would assume you would auto-mount drives for non-techs
10:14 <@krzee> in which case you can do it by ip cause they arent actually touching anything
10:14 < teegee543> i'm setting this up for a home environment where people can create shares on their own
10:14 < teegee543> i'd like those shares to show up to everyone on the VPN
10:14 < teegee543> so that would be a WINS setup?
10:15 <@krzee> !wins
10:15 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
10:16 <@krzee> i gotta run, good luck man
10:16 < teegee543> okay
10:17 < teegee543> thanks for the help
10:17 <@krzee> yw
10:17 < teegee543> should be enough to get further
10:17 <@krzee> once you get a working tun setup going
10:17 <@krzee> !redirect
10:17 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:17 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:17 < teegee543> ok
10:17 < teegee543> thanks
10:17 <@krzee> nice flowchart too
10:18 -!- crus [~crusader@2001:44b8:319e:2900:f1d3:cc2d:d662:b8e0] has quit [Read error: Connection reset by peer]
10:22 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:27 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
10:27 < Zordrak> I have duplicated an OpenVPN configuration to a new server. Changed the IPs, but otherwise everything else is the same. Updated the client to point to the new location. Client connects successfully, routes pushed correctly, IP assigned.. but client cannot ping server O_o
10:28 < Zordrak> Would appreciate troubleshooting pointers on this
10:28 -!- allo [~harry@nemesis.laxu.de] has left #openvpn []
10:28 < Zordrak> iptables on server disabled for testing
10:30 < Suterusu> can other places ping the server?
10:30 < Zordrak> yes
10:30 < Zordrak> by both tun0 and eth0 IPs
10:32 < Suterusu> how can a system not on the VPN ping by tun0 IP?
10:33 <+Aketzu_> firewall?
10:33 < Zordrak> client (10.8.x.2) <x>  (10.8.x.1) server (111.111.111.111) <-> (111.111.111.112) otherhost
10:33 < Zordrak> otherhost can ping 10.8.x.1
10:34 < Zordrak> otherhost has a static route for it via 111.111.111.111
10:34 <+Aketzu_> tcpdump tun0, do you get icmp packets in?
10:34 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-ciufmmzxrbvcbtpe] has joined #openvpn
10:35 < Zordrak> only for server pinging client
10:35 < Zordrak> no replies from client, no requests from client
10:36 < Zordrak> client routing seems fine: 10.8.1.0        *               255.255.255.0   U     0      0        0 tun0
10:36 < Zordrak> hm im gonna have to try a different client to see what happens
10:37 < Zordrak> if i can find one
10:39 < Zordrak> plot thickens.
10:40 < Zordrak> Client 2 connects. Can be pinged from the server. Cannot be pinged from otherhost
10:40 < Zordrak> client 2 is harder to test as its android
10:41 < Zordrak> Fing reports accessible server, but nothing else on the lan
10:44 < teegee543> !nat
10:44 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
10:45 < Zordrak> ugh #3
10:45 < Zordrak> thanks
10:46 < teegee543> lol, np. i'm on the same debugging step
10:46 < Zordrak>  /sbin/sysctl -w net.ipv4.ip_forward=1
10:46 < Zordrak> ftw as it were
10:47 < Zordrak> thats a new one.. Destination Host Prohibited
10:47 < Zordrak> aaand sorted :)
10:51 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Remote host closed the connection]
10:53 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
10:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
10:53 -!- teegee543 [~teegee543@berrypi.com] has quit [Ping timeout: 240 seconds]
10:54 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
11:15 < jl-> anyone care to explain the difference between iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.128
11:15 < jl-> and iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
11:19 < Suterusu> One specifies CIDR, the other a variable ...   of the two, I'd use CIDR as it's definitive.    the other difference should be explained: http://unix.stackexchange.com/questions/21967/difference-between-snat-and-masquerade
11:19 <@vpnHelper> Title: iptables - Difference between SNAT and Masquerade - Unix & Linux Stack Exchange (at unix.stackexchange.com)
11:22 < jl-> Suterusu thanks
11:23 < jl-> I installed openvpn on my raspberry pi and can connect remotely.. I'm wondering if there is any tweaking that needs to be done for maximum anonymity .. for example with an ssh tunnel, the dns lookup still happens on the local machine
11:30 -!- r0o0ot [~root@5.9.52.22] has joined #openvpn
11:31 < r0o0ot> should i use "chroot" directive in openvpn config ?
11:32 -!- joshh20-Away is now known as joshh20
11:32 -!- charlie111 [~charlie11@204.14.77.85] has joined #openvpn
11:35 < charlie111> Hi all. Im running openvpn on my pi connected to router with Ethernet cable. When openvpn server running my WiFi adapter stops working
11:35 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 272 seconds]
11:35 < charlie111> But if u stop openvpn server and reboot, my WiFi adapter works again
11:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:47 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
11:50 -!- r0o0ot [~root@5.9.52.22] has left #openvpn []
11:50 < jl-> charlie111: can't you do everything with the wifi adapter
11:50 < jl-> why plug in ethernet?
11:51 -!- dazo is now known as dazo_afk
11:53 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:53 -!- itaddercloud [uid4697@gateway/web/irccloud.com/x-axkslgytmknjcxar] has quit [Quit: Connection closed for inactivity]
11:55 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
11:57 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:59 < charlie111> Jl: openvpn only working with Ethernet.
11:59 < charlie111> When I try with WiFi adapter the above problem happens
12:01 < jl-> just remove the wifi adapter charlie111  ?
12:01 < jl-> I also have a pi, and I have it hooked up to ethernet only
12:02 < jl-> my openvpn also runs on the pi
12:02 < jl-> Im sure you could use *just* the wifi adapter
12:02 < jl-> use wlan0 instead of eth0
12:02 < jl-> sorry I can't be of better help
12:11 < jl-> I get this about every 2 minutes after the initialization sequence:
12:11 < jl-> Wed Feb 26 13:04:47 2014 [server] Inactivity timeout (--ping-restart), restarting
12:11 < jl-> Wed Feb 26 13:04:47 2014 SIGUSR1[soft,ping-restart] received, process restarting
12:12 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
12:12 -!- teegee543 [~teegee543@berrypi.com] has joined #openvpn
12:22 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
12:22 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
12:30 -!- jl- [~lao@c-174-55-121-8.hsd1.pa.comcast.net] has quit [Quit: Caught sigterm, terminating...]
12:41 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Quit: mirco_]
12:42 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
12:48 -!- dinogreen_rex [~Administr@95.87.236.44] has joined #openvpn
12:48 < dinogreen_rex> hi there i have an openvpn connection
12:49 < dinogreen_rex> settup from command line , the connection is running
12:50 < dinogreen_rex> but it is always outputing on terminal window event_write returned error ...
12:55 < dinogreen_rex> it is here http://pastie.org/8791261
12:55 < dinogreen_rex> the command like constantly outputs that
12:55 < dinogreen_rex> i am using tcp and tap
12:56 < dinogreen_rex> and i don't get the message initialization sequence completed
12:56 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has joined #openvpn
12:56 < dinogreen_rex> i have connection though
12:56 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:59 < dinogreen_rex> btw the server is on optic con, the client is on adsl
12:59 -!- charlie111 [~charlie11@204.14.77.85] has quit [Ping timeout: 272 seconds]
13:00 < dinogreen_rex> does that matter? could those messages come from the difference in speed ?
13:04 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
13:05 < shodan45> is there a way to get openvpn to "reset" networking if it loses its connection to the vpn server?
13:05 -!- joshh20 is now known as joshh20-Away
13:05 < shodan45> sometimes my internet connection drops, then reconnects - but openvpn gets stuck trying to resolve the server's address
13:06 < shodan45> this is on ubuntu server 12.04
13:06 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
13:09 -!- beo_ [~beo@88-117-71-127.adsl.highway.telekom.at] has joined #openvpn
13:12 < shodan45> (it can't resolve the host name because the routing is still set to use the VPN, and can't contact any DNS servers)
13:14 < dinogreen_rex> i suggest to you , make a bash script and run it as a deamon
13:15 < dinogreen_rex> the bash script should listen the remote address
13:16 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Quit: going home]
13:18 -!- master_o1_master [~master_of@p4FD7B7BD.dip0.t-ipconnect.de] has joined #openvpn
13:21 -!- joshh20-Away is now known as joshh20
13:21 -!- master_of_master [~master_of@p4FF2486C.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
13:23 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
13:29 < dinogreen_rex> when i connect with openvpn i get strange symbols WWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRrW
13:30 <@ecrist> those are reads and writes by openvpn
13:30 <@ecrist> !man
13:30 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:30 < dinogreen_rex> so it shows reads and writes when verb is set to 5
13:30 < dinogreen_rex> i get it if i set it lower it should not show those
13:36 < shodan45> so there's no better alternative than a shell script to watch for connection drops?
13:36 < shodan45> obviously openvpn "sees" that the connection dropped - it's just doing the wrong thing when it happens :(
13:37 -!- joshh20 is now known as joshh20-Away
13:39 -!- novaflash_ [~novaflash@its.novaflash.nl] has joined #openvpn
13:42 -!- P4k3_ [~P4k3@c-5236e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
13:42 -!- beo__ [~beo@88-117-71-127.adsl.highway.telekom.at] has joined #openvpn
13:46 -!- tdreyer1_ [~tdreyer1@70.94.46.11] has joined #openvpn
13:46 -!- beo__ [~beo@88-117-71-127.adsl.highway.telekom.at] has quit [Client Quit]
13:47 -!- beo__ [~beo@88-117-71-127.adsl.highway.telekom.at] has joined #openvpn
13:47 -!- Netsplit *.net <-> *.split quits: dogewaat, P4k3, beo_, ender|, m01, aji, Olipro, pnielsen, Chrisje, f0cker,  (+5 more, use /NETSPLIT to show all of them)
13:47 -!- novaflash_ is now known as novaflash
13:47 -!- P4k3_ is now known as P4k3
13:48 -!- dinogreen_rex [~Administr@95.87.236.44] has quit [Ping timeout: 264 seconds]
13:53 -!- tdreyer1_ is now known as tdreyer1
13:53 -!- tdreyer1 [~tdreyer1@70.94.46.11] has quit [Changing host]
13:53 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
13:55 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has joined #openvpn
13:55 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has quit [Changing host]
13:55 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
--- Log closed Wed Feb 26 13:58:01 2014
--- Log opened Wed Feb 26 13:58:16 2014
13:58 -!- ecrist_ [~ecrist@token-black.secure-computing.net] has joined #openvpn
13:58 -!- Irssi: #openvpn: Total of 213 nicks [8 ops, 0 halfops, 3 voices, 202 normal]
13:58 -!- mode/#openvpn [+o ecrist_] by ChanServ
13:58 -!- Irssi: Join to #openvpn was synced in 34 secs
13:58 -!- levifig [sid1908@gateway/web/irccloud.com/session] has joined #openvpn
13:58 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-ciufmmzxrbvcbtpe] has joined #openvpn
13:58 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
13:58 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
13:58 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
13:58 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
13:58 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
13:58 -!- fred`` [fred@earthli.ng] has joined #openvpn
13:58 -!- teegee543_ [~teegee543@berrypi.com] has joined #openvpn
13:58 -!- novaflash_ [~novaflash@its.novaflash.nl] has joined #openvpn
13:59 -!- Netsplit *.net <-> *.split quits: dogewaat, ender|, m01, Chrisje, pnielsen, levifig, fred``, __FBi
14:00 -!- master_of_master [~master_of@p4FD7B7BD.dip0.t-ipconnect.de] has joined #openvpn
14:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
14:01 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Ping timeout: 272 seconds]
14:01 -!- teegee543 [~teegee543@berrypi.com] has quit [Ping timeout: 272 seconds]
14:01 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
14:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 240 seconds]
14:01 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 272 seconds]
14:01 -!- master_o1_master [~master_of@p4FD7B7BD.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
14:01 -!- teegee543_ is now known as teegee543
14:01 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 272 seconds]
14:01 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
14:01 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
14:01 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has quit [Ping timeout: 272 seconds]
14:01 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:01 -!- novaflash_ is now known as novaflash
14:02 -!- cyberspace- [20253@109.74.194.224] has joined #openvpn
14:02 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has joined #openvpn
14:03 -!- WinstonSmith_ [~WinstonSm@bl5-200-26.dsl.telepac.pt] has joined #openvpn
14:04 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has quit [Quit: Konversation terminated!]
14:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 244 seconds]
14:04 -!- WinstonSmith_ [~WinstonSm@bl5-200-26.dsl.telepac.pt] has quit [Excess Flood]
14:05 -!- WinstonSmith [~WinstonSm@bl5-200-26.dsl.telepac.pt] has joined #openvpn
14:05 -!- WinstonSmith [~WinstonSm@bl5-200-26.dsl.telepac.pt] has quit [Changing host]
14:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
14:06 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 244 seconds]
14:06 -!- digilink [~digilink@irc.stephennet.net] has joined #openvpn
14:06 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
14:06 -!- levifig [sid1908@gateway/web/irccloud.com/x-strxhfbjlvuyvyrs] has joined #openvpn
14:06 -!- Netsplit over, joins: dogewaat, m01, ender|, pnielsen, __FBi, Chrisje, fred``
14:06 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Max SendQ exceeded]
14:06 -!- digilink [~digilink@irc.stephennet.net] has quit [Changing host]
14:06 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
14:06 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
14:07 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:07 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 244 seconds]
14:07 -!- baus [baus@unaffiliated/baus] has joined #openvpn
14:07 -!- tharkun [~0@187.188.94.182] has joined #openvpn
14:08 -!- baus [baus@unaffiliated/baus] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
14:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:12 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:12 -!- cyberspace- [20253@109.74.194.224] has quit [Disconnected by services]
14:13 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:18 -!- Netsplit *.net <-> *.split quits: jtrucks_
14:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
14:24 -!- beo__ [~beo@88-117-71-127.adsl.highway.telekom.at] has quit [Quit: Leaving]
14:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:37 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
14:51 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
14:53 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
15:02 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
15:13 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 244 seconds]
15:18 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
15:18 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Ping timeout: 245 seconds]
15:19 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
15:19 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
15:19 -!- lordnikkon is now known as Guest67570
15:20 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Disconnected by services]
15:20 -!- JodaZ [~joda@unaffiliated/jodaz] has quit [Read error: Operation timed out]
15:20 -!- Pei_ [~pei@thinks.outside.theb0x.org] has quit [Read error: Operation timed out]
15:20 -!- Guest15854 [~marme@li388-49.members.linode.com] has quit [Ping timeout: 252 seconds]
15:20 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
15:23 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:27 -!- lordnikk1n [~marme@li388-49.members.linode.com] has joined #openvpn
15:28 -!- Guest67570 [~marme@li388-49.members.linode.com] has quit [Write error: Broken pipe]
15:34 -!- master_o1_master [~master_of@p4FD7B7BD.dip0.t-ipconnect.de] has joined #openvpn
15:34 -!- master_of_master [~master_of@p4FD7B7BD.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
15:34 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Remote host closed the connection]
15:34 -!- fremo_ [~fred@gw-salamandre.liazo.net] has joined #openvpn
15:35 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
15:35 -!- Cr4zi3 [~killaz@76.74.171.253] has quit [Ping timeout: 252 seconds]
15:35 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
15:35 -!- fremo [~fred@gw-salamandre.liazo.net] has quit [Ping timeout: 252 seconds]
15:35 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 252 seconds]
15:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
15:36 -!- riddle [riddle@us.yunix.net] has joined #openvpn
15:36 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:36 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:37 -!- dazo_afk is now known as dazo
15:37 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
15:43 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
15:44 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
15:46 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
15:49 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
15:49 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
15:49 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:49 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:50 -!- dazo_afk is now known as dazo
15:57 -!- noobboob [uid5587@gateway/web/irccloud.com/x-fmlcrjajtyfjbqfi] has joined #openvpn
15:59 -!- pentiumone133 [will@173.243.115.75] has quit [Ping timeout: 244 seconds]
16:02 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has quit [Ping timeout: 264 seconds]
16:02 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
16:03 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has joined #openvpn
16:05 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
16:07 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:08 -!- raidz_away [~raidz@2607:5300:60:d5a::2] has joined #openvpn
16:08 -!- raidz_away is now known as raidz
16:08 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
16:08 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
16:08 -!- mode/#openvpn [+o raidz] by ChanServ
16:08 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
16:11 -!- Denial [Denial@90.201.173.63] has quit [Ping timeout: 252 seconds]
16:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:14 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
16:26 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
16:26 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has quit [Ping timeout: 252 seconds]
16:28 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has joined #openvpn
16:32 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
16:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:04 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 264 seconds]
17:09 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
17:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
17:16 -!- klein [~klein@177.101.109.136] has joined #openvpn
17:16 -!- klein [~klein@177.101.109.136] has quit [Changing host]
17:16 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:48 -!- teegee543 [~teegee543@berrypi.com] has quit [Quit: Gone...]
17:49 -!- teegee543 [~teegee543@berrypi.com] has joined #openvpn
17:56 -!- MACscr2 [~MACscr2@172.56.12.193] has joined #openvpn
17:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:02 -!- noobboob [uid5587@gateway/web/irccloud.com/x-fmlcrjajtyfjbqfi] has quit [Quit: Connection closed for inactivity]
18:10 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
18:12 -!- MACscr2 [~MACscr2@172.56.12.193] has quit [Ping timeout: 265 seconds]
18:16 -!- u0m3 [~u0m3@92.80.86.213] has joined #openvpn
18:18 -!- blarghlarghl [michael@efnet.math.uwaterloo.ca] has joined #openvpn
18:19 < blarghlarghl> hey. is there a way to assign static ip addresses to clients just in the main server config? i can't create a client config dir on the server.
18:26 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
18:29 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
18:38 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
18:39 <@Eugene> blarghlarghl - you can do it with a --client-connect script, but define "can't" ;-)
18:40 <@Eugene> !xy
18:40 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
18:40 <@Eugene> In particular, that ^
18:40 < blarghlarghl> Eugene: Actually, I remembered I can :) My router has a jffs partition.
18:43 <@Eugene> ;-)
18:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:47 -!- joshh20-Away is now known as joshh20
18:48 < blarghlarghl> Eugene: works - thanks :)
18:48 <@Eugene> Glad I could do.... nothing at all!
18:55 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-smpukxwvqhbnruds] has joined #openvpn
19:07 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
19:27 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
19:43 -!- joshh20 is now known as joshh20-Away
19:47 -!- pentiumone133 [will@173.243.115.75] has quit [Remote host closed the connection]
19:47 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
20:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:07 < pekster> blarghlarghl: openwrt? Sure, just treat it like a "normal" distribution, and my recommendation is to not use UCI's config beyond specifying an "option config /path/to/your/config.conf"
20:08 < pekster> That way you've got some "future-proofing" against the UCI abstraction not handling recent config options
20:15 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
20:17 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
20:24 -!- Jeroen52 [~quassel@2001:41d0:1:9592::1] has quit [Ping timeout: 245 seconds]
21:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-smpukxwvqhbnruds] has quit [Quit: Connection closed for inactivity]
21:57 -!- Devastatr [~devas@177.18.199.12] has quit [Changing host]
21:57 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
21:58 -!- Devastatr is now known as Devastator
22:14 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-ciufmmzxrbvcbtpe] has quit [Quit: Connection closed for inactivity]
22:15 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
22:16 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
22:16 -!- pjschmitt [~parker@unaffiliated/schmitt953] has quit [Ping timeout: 264 seconds]
22:23 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
22:28 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
22:41 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has joined #openvpn
22:53 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
22:58 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
22:59 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
23:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
23:15 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-alzxasgplkoyuqhp] has joined #openvpn
23:18 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has joined #openvpn
23:22 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has quit [Ping timeout: 264 seconds]
23:22 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has joined #openvpn
23:34 -!- qwertyoruiop_ [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
23:34 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:42 -!- qwertyoruiop_ is now known as qwertyoruiop
--- Day changed Thu Feb 27 2014
00:05 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:13 < blarghlarghl> pekster: tomato
00:30 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
00:30 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
00:30 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
00:34 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
00:37 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 264 seconds]
00:56 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
01:01 < GeekFreak> Anyone in ?
01:06 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Ping timeout: 264 seconds]
01:07 -!- cripto [~joubin@li131-215.members.linode.com] has joined #openvpn
01:08 < cripto> Hey guys, is there a way to have access to my local domain name. IE: server.local instead of 192.168.1.12
01:08 < cripto> ^ using openvpn
01:16 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
01:19 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:32 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:32 -!- mode/#openvpn [+o mattock] by ChanServ
01:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:38 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:47 < alexxtasi> vpnHelper:
01:47 < alexxtasi> !vpnHelper
01:50 -!- pjschmitt [~parker@209.141.56.12] has quit [Read error: Operation timed out]
01:50 < alexxtasi> !help
01:50 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
01:50 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 272 seconds]
01:50 < alexxtasi> (found it :-))
01:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:56 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
01:57 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
02:01 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
02:07 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has quit [Ping timeout: 264 seconds]
02:12 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
02:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
02:17 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 240 seconds]
02:21 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
02:23 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
02:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
02:32 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
02:34 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
02:43 < enbergj> I've been battling with poor throughput between ireland and singapore over openvpn .. without openvpn, by bumping up the TCP window, memory limits, etc. I can get ~200-400Mbps between the servers, but there's 200ms latency and that seems to kill a lot of the performance for openvpn .. with UDP I manage to get only ~5-10Mbps through openvpn, but by tuning the TCP settings for slow and fat pipe and switching openvpn ...
02:43 < enbergj> ... to tcp I manage to get ~12-25Mbps through it, but it still seems slow .. any further ideas on how to optimize openvpn for slow and fat pipes?
02:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
02:43 < enbergj> I've got hardware accelerated AES in use, comp-lzo in use, have checked MTUs about 5 times
02:58 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has joined #openvpn
03:05 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
03:25 -!- Denial [Denial@90.201.173.63] has joined #openvpn
03:39 -!- danielms [~dmanser@python2.cloud.tilaa.com] has joined #openvpn
03:40 < danielms> I've a question about easy-rsa. is there a way to generate PKCS12 client certificates non-interactively? I'm always asked about the Export password (Enter Export Password)
03:40 < danielms> i've tried with expect but it didnt work
03:49 < alexxtasi> hi all, I want to use the dynamic challenge/request feature of openvpn (so I can use it along with pam-google-authenticator and send otp with sms and the user can provide it in a new prompt on the client, after providing username/password). Is it available on the openvpn-server community edition ? And how can I set it up ?
03:58 < GeekFreak> anyone experiencing issues with inactive timeout ?
04:28 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Remote host closed the connection]
04:40 -!- mattock is now known as mattock_afk
05:20 -!- kwork [~georg@unaffiliated/kwork] has quit [Ping timeout: 240 seconds]
05:27 < enbergj> is there any issue running openvpn server and client on the same machine? I'd like to have several networks connected in a chain: a-b-c, where a) is one subnet behind an openvpn server, b) is another, with a client to a and server, and c) is a client connected to b
05:28 < enbergj> .. this because C is physically much closer to B, and mostly communicates with servers in B, so the optimization of connecting straight to B instead of via A makes sense
05:28 < enbergj> .. but we also have other clients to A, physically close to A
05:29 < enbergj> so it's actually a bit more like a-b-c-d, where b and c are subnets connected to eachother, a and d clients connected to their nearest physical endpoint and talking mostly to servers in those subnets
05:31 < Zordrak> enbergj: I'm not sure why you would use openvpn in that scenario and not simply use network routuing
05:32 < enbergj> because they're communicating over public internet, and I want to keep them connected securely, and able to talk to eachother with private network addresses
05:33 < Zordrak> I am using two OpenVPN servers in different parts&subnets of our WAN. Clients are given both servers as "remote" options and "remote-random" is in place to allow basic balancing. However often one of the servers will fail without killing the daemon, only authentication via PAM fails. I want clients to then retry on using the other server but I don't know how.
05:33 < enbergj> B and C are actually VPCs where most machines are not running openvpn as they have the private subnet access already
05:33 < Zordrak> Whenever a client auth-fails, it only retries the same server
05:35 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 265 seconds]
05:37 < GeekFreak> Ehhh
05:39 < GeekFreak> I just want Inactive to work nicely lol
05:48 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
05:50 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 240 seconds]
05:55 < GeekFreak> Nobody about...
05:56 < Zordrak> haylp. After getting my second server working just before I left yesterday it's not working again. Client connects, server pinging client sends packets over tun0 (tshark shows them) but none received, client sending so many packets from it's openvpn client IP to the server's public IP the terminal cant keep up displaying them
05:58 < GeekFreak> Zordrak, is this a linux machine you are speaking of ?
05:58 < Zordrak> yar
05:59 < GeekFreak> are you trying to say ping it but get no response but can send a ping from it and get a response ?
05:59 < Zordrak> no responses either way
05:59 < GeekFreak> have you configured iptables ?
06:00 < Zordrak> server pinging client: packets sent, none received. client pinging server: no packets seen by server. tshark on client shows a millionty packets on tun0 from 10.8.0.2 to <server public ip>
06:00 < Zordrak> GeekFreak: iptables is flushed on both ends
06:01 < GeekFreak> what do you mean by flushed?
06:01 < Zordrak> -F
06:01 < Zordrak> empty with def policy ACCEPT on all chains
06:01 < GeekFreak> even on tun?
06:02 < Zordrak> literally empty. No iptables rules. All policies: ACCEPT
06:02 < andi> Zordrak: What do your server and client logs say?
06:02 < andi> Is the client connecting correctly?
06:03 < Zordrak> all is as expected. Yes, the client seems to connect correctly with ful success, setting routes and IPs successfully
06:03 < andi> Ok, pinging the servers tun IP is not working, too?
06:03 < Zordrak> correct
06:03 < andi> tcp or udp?
06:03 < Zordrak> udp
06:03 < Zordrak> not been explicitly trying to ping server's public IP
06:04 < Zordrak> but tshark shows multiple ks of udp  packets from client tun IP to server public IP
06:04 < Zordrak> 122k packets in 2.5s
06:05 < GeekFreak> did you try these
06:05 < GeekFreak> # Allow TUN interface connections to OpenVPN server
06:05 < GeekFreak> iptables -A INPUT -i tun+ -j ACCEPT
06:05 < GeekFreak>  # Allow TUN interface connections to be forwarded through other interfaces
06:05 < GeekFreak> iptables -A FORWARD -i tun+ -j ACCEPT
06:05 < andi> Without more information about configuration and logs it's hard to say what's the problem.
06:06 < andi> GeekFreak: If he flushed IPTables and default policy is ACCEPT there is no need to "really" accept these packages.
06:06 < GeekFreak> Thats what i thought
06:06 < Zordrak> andi: it must be server configuration - there are two servers on different subnets, the non-working one duplicated from the working one, but with subnets and pools and such changed. The client works when connected to the original one, just not the new one
06:07 < GeekFreak> but some dumber devices dont listen to such commands lol
06:07 < GeekFreak> i had a similar issue
06:07 < andi> Zordrak: Even port or public ip changed?
06:07 < Zordrak> port same, public IP different
06:07 < andi> Does the client have the correct public ip set as server?
06:08 < Zordrak> There's definitely something funny about those packets on tun0. when client connects to the original server, tshark shows ONLY standard vpn traffic packets on the tun0 interface. ie. no traffic, then a ping generates just the echos
06:09 < Zordrak> but when the client connects to the second server instead, tun0 is so flooded with UDP you cant even track it
06:09 < Zordrak> andi: yes IP is as it should be
06:10 < Zordrak> only difference for client config is remote
06:10 < Zordrak> remote <original> 1194
06:10 < Zordrak> remote <new> 1194
06:10 < Zordrak> remote-random
06:10 < andi> Ok, and for server configuration?
06:11 < Zordrak> server line is changed for different private subnet (10.8.1.0 not 10.8.0.0)
06:11 < Zordrak> DNS is changed from 10.8.0.1 to 10.8.1.1
06:11 < Zordrak> and "local" is changed to correct public IP
06:11 < Zordrak> that's it
06:12 < andi> Does netstat -tulpen report both IPs with running openvpn on 1194?
06:13 < Zordrak> netstat -tulpen | grep 1194: udp        0      0 217.147.85.131:1194         0.0.0.0:*                               0          14069325   12390/openvpn
06:13 < Zordrak> one entry
06:13 < Zordrak> whoops on the lack of obfuscation but no matter
06:14 < andi> But you said you are running openvpn on two ips?
06:14 < Zordrak> two different hosts completely
06:14 < andi> Ah
06:14 < andi> I thought this is one host.
06:14 < Zordrak> no, two locations connected by a L2L VPN (cisco) each location having an OpenVPN endpoint that routes to the whole network
06:15 < Zordrak> one endpoint (original) is 10.8.0.0, the new endpoint in the 2nd location is 10.8.1.0
06:15 < Zordrak> the new one was duplicated from the old one, except IPs changed
06:15 < Zordrak> I had a lot of trouble yesterday as I'd neglected to enable ip forwarding on the second server
06:15 < Zordrak> but having done that I thought I had it sorted
06:15 < andi> Ok, which netmask are you using for 10.8.0.0 and 10.8.1.0?
06:16 < Zordrak> good try :p  /24, 255.255.255.0
06:16 < andi> Logs from server and client would be nice. I'll have lunch now. I'll be back in about an hour.
06:16 < Zordrak> k
06:17 < GeekFreak> Who can answer an easy one
06:18 < GeekFreak> I am pushing an inactive directive of 600 2097152 anyways that works fine but its absolutely kills the actual client making it unresponsive forcing to kill from Task Manager
06:18 < Zordrak> sounds like a bug
06:19 < GeekFreak> my fears exactly :(
06:19 < Zordrak> blame canada
06:19 < GeekFreak> Bloody canadians
06:19 < GeekFreak> thats the second bug ive found in the software
06:20 < GeekFreak> OpenVPN hates me :(
06:21 < Zordrak> me too
06:21 < Zordrak> this stopped working overnight
06:21 < GeekFreak> lol
06:21 < GeekFreak> somethings changed then :)
06:21 < Zordrak> i just went home
06:21 < Zordrak> came back, unlocked and boom
06:21 < GeekFreak> no reboots ?
06:22 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
06:22 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
06:22 < Zordrak> nope
06:22 < Rienzilla> Hey guys
06:22 < GeekFreak> Hello Rienzilla
06:22 < Rienzilla> Suppose I have an 8 core atom processor that is supposed to do openvpn traffic as fast as it can
06:23 < GeekFreak> ok i suppose :)
06:23 < Rienzilla> hwo should I go about that? bond multiple tap interfaces with separate openvpn processes?
06:23 < Rienzilla> (so all cores can work on encrypting/decypting traffic)
06:25 < GeekFreak> so a conectrator ?
06:25 < Rienzilla> well not really a concentrator
06:26 < GeekFreak> or more of a hub ?
06:26 < GeekFreak> whats your goal
06:26 < Rienzilla> I have 2 internet connections of several 100 mbit, and I need an encrypted link between the to endpoints that can do 100mbit+
06:26 < Rienzilla> (more is better)
06:26 < Rienzilla> traffic is going to be mostly pushing backup data
06:26 < GeekFreak> good luck with that
06:27 < Rienzilla> ?
06:27 < Rienzilla> what about it?
06:27 < GeekFreak> i personally dont think you will acheive those speeds XD
06:27 < Rienzilla> why not?
06:28 < GeekFreak> because your encrypting and decrypting data and you want to use an atom processor
06:28 < Rienzilla> 1 core should be able to do a a few dozen mbit right?
06:28 < Rienzilla> even my very low end routerboards can do 15 mbit openvpn traffic
06:29 < GeekFreak> XD
06:29 < Rienzilla> well, apart from the end result speed
06:29 < Zordrak> UGH plot thickens.. it works from an android client, but not from a linux client
06:29 < Zordrak> but both clients work on the original server
06:29 < GeekFreak> HAHAAH
06:30 < Rienzilla> if one core can encrypt x mbit, 8 cores can do 8x minus some overhead right?
06:30 < Rienzilla> in trheory
06:30 < GeekFreak> Theory yes
06:30 < Rienzilla> so
06:30 < Rienzilla> how would I put that intop practice :)
06:30 < GeekFreak> how much data are we talking here ?
06:30 < rob0> Right now, indeed, openvpn is single-threaded, and one process has no way to offload other duties onto other cores.
06:30 < Zordrak> rob0: sup dawg
06:31 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:31 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:31 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:31 < rob0> Are you monitoring the openvpn-devel mailing list, Rienzilla?
06:31 < Rienzilla> rob0: so... more processes, and bond tap interfaces on both sides or so?
06:31 < Rienzilla> rob0: I am not
06:31 < rob0> Zordrak, howdy
06:32 < rob0> well, tap is ugly in general, not sure that you will end up with better or worse performance like that.
06:32 < Rienzilla> well tun is fine too
06:32 < rob0> tun can't bond
06:32 < Rienzilla> but I can't think of a way to distribute traffic on level 3
06:32 < Rienzilla> exactly
06:34 < Zordrak> soooo.. there's one thing that looks plausible. the Remote IP has not updated for my user account in the openvpn status log. I have disconnected the working android client and connected the not worlking linux client
06:34 < Zordrak> but the remote IP is still that of the android client
06:35 < rob0> it should be easier to figure out openvpn problems on Linux than on android
06:35 < Zordrak> you'd think
06:35 < rob0> same cert?
06:35 < GeekFreak> lol
06:35 < Zordrak> yar
06:35 < rob0> why, why not a separate cert?
06:35 < Zordrak> im just testing both clients are on my cert
06:35 < Zordrak> i know recommended is per-host cert but there are good reasons we have per-user cett
06:36 < Zordrak> just need to flush this connection and try again on linuyx
06:36 < GeekFreak> People getting help with all these complicated issues and i cant get help with my little problem lol
06:37  * GeekFreak bangs head on desk
06:39 < Zordrak> There's definitely something weird here I just cant find the cause. Why in the hell is the client establishing an openvpn connection but then trying to send the UDP traffic destined for the server from the vpn interface itself not eth0 O_o
06:39 < Rienzilla> rob0: so there is no established way to use more than one processor core for a single vpn link?
06:42 < Zordrak> I think I've just worked out what's going on. The remote server IP is ALSO a privately routed IP. So, after establishing a connection to the public openvpn server at 111.111.111.111, it gets pushed a "route" saying "use tun0 for 111.111.111.0/24"
06:42 < rob0> Rienzilla, people have tried, but I am not aware of a simple answer. When I have seen the question come up, it has been accompanied by developers saying, "oh yeah, we're working on that."
06:42 < Zordrak> so then it starts to send the vpn traffic over tun0
06:42 < Zordrak> I dont know how to fix this
06:43 < Zordrak> it seems like a paradox
06:44 < havoc> Rienzilla: if it's only between two hosts, and not between two "routers", your bonded tap idea may be the only way :|
06:45 < havoc> if there were multiple clients on one end, you could use multiple servers and have each client connect to its own
06:45 < havoc> either way I guess you can just test it
06:45 < havoc> just capture some metrics at each stage
06:46 < Rienzilla> hm no it's pretty muich between two routers
06:46 < Rienzilla> and bonded tap to just create an ethernet link between the two endpoints is asking for trouble? :)
06:46 < havoc> Rienzilla: so multiple clients behind one of them?
06:46 < Rienzilla> behind both
06:46 < Rienzilla> it's an office and a branch office
06:47 < Rienzilla> traffic is mostly remote desktop, but at night they want to push backups from the main office to the brnach office
06:47 < havoc> I'm not sure about the bonded tap creating problems, but tap does have much more overhead than tun
06:47 < Rienzilla> and we need considerable bandwidth to finish the backups overnight
06:47 < havoc> again, "try it"
06:47 < Rienzilla> I will
06:48 < Rienzilla> I was just checking if my idea was not completely wrong
06:48 < havoc> but I'd do it a single tap connection at a time, and measure performance at each stage
06:48 < Rienzilla> yeah
06:48 < Rienzilla> to make sure if adding taps actually increases performance :)
06:48 < Rienzilla> thanks, I'll report back
06:48 < havoc> I'd imagine at some point you'll see diminishing returns, it's just a question of at which stage
06:49 < havoc> also, this is predicated on utilizing multiple cores on both ends
06:49 < havoc> the server end being the key; so you'll need multiple servers running on one end
06:50 < Rienzilla> yeah and multiple clients on the other
06:50 < havoc> but then I guess you know this
06:50 < havoc> yeah, just need distinct processes on each end for each connection
06:50 < Rienzilla> yes indeed
06:50 < Rienzilla> and maybe somehow pin the processes to a specific core
06:51 < Rienzilla> I'll figure something out
06:51 < MorgyN> hmmmm
06:51 < havoc> I don't think you need to "pin" them
06:51 < MorgyN> core pinning
06:51 < Rienzilla> the scheduler will divide them itself?
06:51 < havoc> linux should distribute the load on its own
06:51 < havoc> *should*
06:51 < Rienzilla> hehe
06:51 < Rienzilla> i'll see
06:51 < Rienzilla> my test board should arrive tomorrow
06:51 < havoc> anyway, get your framework setup first, worry about more stuff later :)
06:52 < MorgyN> delicious taskset
06:52 < havoc> Rienzilla: you can actually set it all up now, and just save/xfer the configs
06:52 < GeekFreak> Can someone help me with an issue with inactive directive
06:52 < havoc> but you knew that too
06:53 < Rienzilla> I know my way about openvpn, just never encountered a situation where the processing powe of one cpu was not enough :)
06:53 < havoc> GeekFreak: would if I could, but I know nothing about it other than the documented defaults
06:53 < GeekFreak> Its doing my head in
06:53 < havoc> Rienzilla: a lot of this is more linux specific than openvpn specific
06:53 < GeekFreak> It works the directive but what it does to the client afterwards is not good
06:54 < havoc> Rienzilla: anyway, I am also interested in the results as I have an identical setup
06:54 < havoc> s2s link
06:55 < havoc> s2w high bandwidth link
06:55 < havoc> s2s
06:55 < havoc> bah
06:55 < havoc> Rienzilla: but the hardware it's on right now has no problem pushing at least 50mbps
06:55 < havoc> but I'd like to switch to an atom based unit on one end
06:55 < havoc> but then I could also test it ;)
06:57 < rob0> Zordrak, no time to get deeply involved here this morning, sorry, but maybe I can get you going in the right direction. Why are you pushing that route? Are you using --redirect-gateway?
06:57 < rob0> GeekFreak, that's not a complete question.
06:58 < Zordrak> rob0: simple as I can: server is part of a datacentre group with a public /27 block that we treat as a private LAN, cisco-asa providing firewall to the boxes
06:58 < GeekFreak> Well when it exits it doesnt exit cleanly with the windows client
06:58 < Rienzilla> havoc: i'll report back as soon as I know more
06:58 < Zordrak> rob0: So one IP in that block is on a server running openvpn
06:58 < havoc> cool
06:58 < rob0> Zordrak, and proxy ARP?
06:58 < Zordrak> rob0: but once connected to the VPN, the client needs to access that whole /27 as if locally connected
06:58 < GeekFreak> basically i am unable to connect again the Saved profiles disapear and i have to kill from task manager to get the client to connect again
06:59 < Zordrak> rob0: ovey my head. Something I should know about?
06:59 < Zordrak> rob0: FWIW the android client seems to be ok with the situation, but the linux client (slack with openvpn-2.1.4) doesnt
06:59 < rob0> Zordrak, it sounds like your answer, yes. I've posted about it on openvpn mailing list.
07:00 < Zordrak> orite
07:00 < rob0> oh, now that is strange, if proxy ARP was the answer, they'd both need it
07:00 < Zordrak> yar
07:00 < Zordrak> thats why i figured it was some kind of new feature in 2.2
07:01 < Zordrak> to support the routing to an IP that's also the host
07:01 < rob0> GeekFreak, I don't use Windows, no idea.
07:01 < GeekFreak> I try not too either but i must support the cursed software for technicians
07:03 < Zordrak> what I could do with is some way to describe the situation that can be searched about
07:03 < Zordrak> What do you call it when your VPN server has no private IP and connects you to its own public block
07:05 < GeekFreak> WAN lol
07:05 < GeekFreak> or was that a trick question hahaha
07:06 < GeekFreak> its 12am i am suffering from giddy brain
07:07 < rob0> Zordrak, it might be worth experimentation. Are you sure the android had the same route? Maybe it was not going through the VPN to others in the /27?
07:08 < rob0> IIRC what I posted was about "static IP at home" and I can't remember the year
07:08 < Zordrak> rob0: I thought that, but im using Fing to enumerate and im sure I can see boxes that arent externally visible.. let me double check with a tcp/22 only scan
07:08 < rob0> oh, and I think I used the phrase "openvpn cookbook" which was later co-opted by Jan Just. :)
07:09 < GeekFreak> ehhh found my work around for the bug
07:09 < Zordrak> woo \o/
07:09 < GeekFreak> so stupid
07:10 < Zordrak> rob0: shows up in "Routes" in the client log
07:10 < GeekFreak> FYI if someone has this issue you have to right click on tab in the task bar and close it from there not the X on client window
07:10 < Zordrak> rob0: And then can access Jenkins which is on another host in that subnet but NOT externally accessible
07:11 < Zordrak> rob0: so yes, Android is perfectly fine with it
07:11 < GeekFreak> and then re-open client and then you are able to re-connect and see your profiles
07:11 < Zordrak> i dont know why but it is
07:11 < rob0> do you know if the android had the old route cached?
07:11 < Zordrak> dont know that I can check
07:11 < GeekFreak> rob0, or Zordrak do you guys use inactive on linux devices?
07:12 < GeekFreak> i am unable to test at the moment
07:12 < rob0> inactive no
07:12 < Zordrak> no sorry
07:12 < GeekFreak> :(
07:13 < GeekFreak> i have hand over tomorrow and not sure if i need to write an exit script
07:13 < Zordrak> rob0: installing Network Info II but I doubt it will give me much
07:13 < GeekFreak> to kill the client all together until called up again by another script
07:13 < Zordrak> GeekFreak: is inactive necessary?
07:13 < GeekFreak> Yes
07:13 < GeekFreak> 100%
07:13 < GeekFreak> for my application
07:14 < GeekFreak> basically i am using this for a remote support means for dumb embeded linux devices
07:14 < GeekFreak> and i dont want a constant VPN to the clients
07:16 < GeekFreak> and openvpn and vnc is all have to work with on this devices i can not compile anything else on them
07:16 < Zordrak> rob0: Got my androind routing table.
07:16 < Zordrak> rob0: DOES show the public netblock as routed over tun0
07:17 < Zordrak> but doesnt stop the VPN traffic to the server host going over rmnet0
07:17 < GeekFreak> without putting in a concentrator or a router
07:18 < Zordrak> I need a way to describe the setup.. that's what's holding me back. I have nothing useful to google
07:22 < GeekFreak> now i need to setup managment console -_-
07:23 -!- loganaden [~logan@197.226.30.225] has joined #openvpn
07:24 < GeekFreak> what is the correct syntax for using managment directive
07:25 < GeekFreak> :(
07:26 < loganaden> hoi
07:30 -!- loganaden [~logan@197.226.30.225] has quit [Quit: Lost terminal]
07:33 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:36 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rbfqfaumslibnhsp] has joined #openvpn
07:38 < Zordrak> GeekFreak: should be as per https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
07:38 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
07:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 265 seconds]
07:41 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
07:44 < GeekFreak> Thanks Zordrak
07:49 < Zordrak> np
07:49 < Zordrak> I MIGHT have an answer to my problem
07:49 < GeekFreak> Whats that?
07:50 < Zordrak> ip exclusion
07:50 < GeekFreak> :P
07:50 < Zordrak> route <server> <mask> net_gateway
07:50 < GeekFreak> i  broke my server
07:50 < Zordrak> the server would still be accessible through it's vpn-ip just not its public IP
08:05 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:05 -!- mattock_afk is now known as mattock
08:06 < GeekFreak> Anyone know how to setup managment
08:07 < GeekFreak> i killed my server with the following directive management localhost 7505
08:08 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
08:10 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
08:10 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
08:25 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 265 seconds]
08:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:33 <@dazo> GeekFreak: I believe it the man page says "IP" not "Hostname"
08:38 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has quit [Read error: Operation timed out]
08:40 < alexxtasi> hi all, I want to use the dynamic challenge/response feature of openvpn (so I can use it along with pam-google-authenticator and send otp with sms and the user can provide it in a new prompt on the client, after providing username/password).
08:41 < alexxtasi>  Is the dynamic challenge/response feature available on the openvpn-server community edition ? And how can I set it up ? http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html confused about this...
08:41 <@vpnHelper> Title: Management Interface (at openvpn.net)
08:49 -!- dazo is now known as dazo_afk
08:52 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Ping timeout: 264 seconds]
08:52 -!- pjschmitt [~parker@209.141.56.12] has quit [Ping timeout: 241 seconds]
08:52 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
08:54 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Ping timeout: 264 seconds]
08:55 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
08:56 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Client Quit]
08:56 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
08:58 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
09:01 < Zordrak> hokai.. so back to basics
09:01 -!- srenatus [~srenatus@185.27.180.24] has joined #openvpn
09:02 < srenatus> hi there.  just stumbled upon a weird error - is it possible that the easyrsa KEY_EMAIL has a max length?
09:02 < Zordrak> does *anyone* use OpenVPN to connect to a network with a public IP address space? If so; how do you route?
09:04 < srenatus> ah, got it: https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/openssl-1.0.cnf#L98
09:04 <@vpnHelper> Title: easy-rsa/easyrsa3/openssl-1.0.cnf at master · OpenVPN/easy-rsa · GitHub (at github.com)
09:04 -!- Guest18643 [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
09:06 -!- Guest18643 [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
09:06 -!- Guest18643 [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
09:07 -!- Guest18643 [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Client Quit]
09:08 -!- Neozonz|Disc [~arajakul@unaffiliated/neozonz] has joined #openvpn
09:09 < Neozonz|Disc> is there a free way to create a vpn in amazon?
09:12 -!- u0m3_ [~u0m3@92.80.86.213] has joined #openvpn
09:12 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
09:17 < Zordrak> Ok, to change tack on this...
09:17 < Zordrak> How do people feel about overlapping routes?
09:18 < Zordrak> i.e. 111.111.111.128/27 via 10.8.1.1 tun0 //WITH// 111.111.111.131/32 via net_gateway eth0
09:21 -!- Netsplit *.net <-> *.split quits: phreakocious, Zarrsh, u0m3
09:22 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
09:22 < Zordrak> GOTCHA you little bastard
09:22 < Zordrak> route remote_host 255.255.255.255 net_gateway
09:24 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
09:24 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
09:28 -!- GENSTAAR [~GENSTAAR@unaffiliated/genstaar] has joined #openvpn
09:29 -!- mattock is now known as mattock_afk
09:34 -!- Netsplit over, joins: phreakocious
09:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:38 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 240 seconds]
09:48 -!- GENSTAAR [~GENSTAAR@unaffiliated/genstaar] has quit [Quit: Leaving]
09:49 -!- srenatus [~srenatus@185.27.180.24] has left #openvpn []
10:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:16 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
10:21 -!- dazo_afk is now known as dazo
10:25 <@ecrist_> Zordrak: overlapping routes is bad, generally
10:26 <@ecrist_> unless you're doing something intelligent, like setting metrics or using something like BGP
10:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:38 -!- Neozonz|Disc [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
10:40 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
10:41 -!- Neozonz is now known as Guest48861
10:44 -!- lj [~l@66.94.192.181] has joined #openvpn
10:47 -!- u0m3 [~u0m3@109.96.148.19] has joined #openvpn
10:48 -!- lj [~l@66.94.192.181] has quit [Ping timeout: 240 seconds]
10:49 -!- lj [~l@192.241.174.169] has joined #openvpn
10:50 -!- u0m3_ [~u0m3@92.80.86.213] has quit [Ping timeout: 240 seconds]
11:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:28 -!- lj1 [~l@66.94.192.181] has joined #openvpn
11:29 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
11:30 -!- lj [~l@192.241.174.169] has joined #openvpn
11:30 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
11:30 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
11:32 -!- lj1 [~l@66.94.192.181] has quit [Ping timeout: 272 seconds]
11:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:34 -!- danielms [~dmanser@python2.cloud.tilaa.com] has quit [Quit: Lost terminal]
11:44 -!- Guest48861 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has left #openvpn []
11:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:52 -!- mode/#openvpn [+v s7r] by ChanServ
11:58 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:58 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
11:59 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:00 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
12:08 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:09 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:10 -!- noobboob [uid5587@gateway/web/irccloud.com/x-zizbqzpkpmaanqze] has joined #openvpn
12:18 -!- fusl is now known as Fusl
12:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
12:20 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
12:20 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
12:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rbfqfaumslibnhsp] has quit [Quit: Connection closed for inactivity]
12:28 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:30 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Client Quit]
12:32 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:44 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mflqiqrmpgzgxxel] has joined #openvpn
12:51 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:51 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:51 -!- mode/#openvpn [+v s7r] by ChanServ
12:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:57 -!- EmperorT1m is now known as _quadDamage
13:09 -!- lowkey [lowkey@hydra-bom.aufbix.org] has quit [Quit: Data for intranet got routed through the extranet and landed on the internet.]
13:18 -!- master_of_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has joined #openvpn
13:19 -!- You're now known as ecrist
13:21 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
13:21 -!- master_o1_master [~master_of@p4FD7B7BD.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
13:21 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
13:21 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:21 -!- smerz [~smerz@2001:470:1f15:1e5::58] has joined #openvpn
13:33 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
13:38 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
13:42 -!- raidz_away [~raidz@2607:5300:60:d5a::2] has joined #openvpn
13:42 -!- raidz_away is now known as raidz
13:42 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
13:42 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
13:42 -!- mode/#openvpn [+o raidz] by ChanServ
13:50 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
13:54 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
13:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:59 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
14:07 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:07 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 240 seconds]
14:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:21 -!- lvv [~loganaden@197.226.1.200] has joined #openvpn
14:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-zizbqzpkpmaanqze] has quit [Quit: Connection closed for inactivity]
14:22 -!- mirco_ [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Quit: mirco_]
14:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:38 -!- HD|Laptop [~marco_lda@wikipedia/harddisk] has joined #openvpn
14:38 < HD|Laptop> hi
14:39 < HD|Laptop> assuming I have two hosts behind a NAT and no way to do portforwarding (crappy old DSL routers with bugs-.-) and a internet-reachable server, can I make PC B host a Openvpn server so that I can reach B from A via server C?
14:39 < HD|Laptop> both hosts are Windoze, server is Debian Linux
14:46 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
14:46 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
14:54 -!- gostfaced [~gostfaced@ool-435403a4.dyn.optonline.net] has joined #openvpn
14:54 < gostfaced> hello
14:55 < gostfaced> i have a question
14:55 < gostfaced> i have everything installed and i have my own username and pw for the website but i dont know my username and pw when i try to connect to a server with openvpn
14:55 < gostfaced> where can i get the username and password
15:00 -!- mattock_afk is now known as mattock
15:00 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Changing host]
15:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
15:00 -!- mode/#openvpn [+o mattock] by ChanServ
15:04 -!- mattock is now known as mattock_afk
15:07 -!- gostfaced [~gostfaced@ool-435403a4.dyn.optonline.net] has quit [Ping timeout: 240 seconds]
15:07 -!- gostfaced [~gostfaced@ool-435403a4.dyn.optonline.net] has joined #openvpn
15:11 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
15:17 -!- mikemol|zoe [~mikemol@162.17.129.77] has joined #openvpn
15:17 < mikemol|zoe> Could someone please point me to a working example of assigning client IPs via --client-connect scripts?
15:18 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
15:21 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:21 <@krzee> !client-connect
15:21 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
15:21 < mikemol|zoe> Preparing pastebin, hang on. I can't even prove that the client-connect script is getting called.
15:22 -!- dazo is now known as dazo_afk
15:22 <@krzee> !factoids
15:22 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:22 <@krzee> that was for me ^
15:23 <@krzee> then just make a script that runs a simple command like env > /tmp/ovpn_env.txt
15:23 <@krzee> then you'll have a file that tells you every var available to the script =]
15:23 < mikemol|zoe> I went with "logger" ... which dumps things to syslog.
15:24 < mikemol|zoe> Also verified route-up by dumping set to a file in /tmp.
15:25 -!- lvv [~loganaden@197.226.1.200] has quit [Quit: lvv]
15:25 < mikemol|zoe> https://p.6core.net/p/pRmx5dLNxhA8fe2pUTQ420eB
15:26 < mikemol|zoe> You can kinda see what I'm trying to accomplish with it, too. In theory, everything I need to calculate the remote's static IP should be embedded in its common name. And everything I need to know what IP ranges are beyond it should also be calculable, too.
15:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
15:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:30 -!- mode/#openvpn [+v s7r] by ChanServ
15:31 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:36 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:36 < mikemol|zoe> Well, at least I can prove that openvpn knows about the script by renaming it...
15:37 < mikemol|zoe> ...? And renaming it back resulted in it executing the script. I don't like it when I don't know why something goes from working<->not working
15:39 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:39 -!- Denial [Denial@90.201.173.63] has quit []
15:47 < mikemol|zoe> Boom. Static IP assigned. Now to get routing hooked up properly.
15:59 < mikemol|zoe> Grr. There is zero useful information in route-up in a server context. Absolutely nothing to identify which client just connected.
15:59 -!- crus [~crusader@2001:44b8:319e:2900:9162:7193:5003:837b] has joined #openvpn
15:59 < mikemol|zoe> No common_name, no remote IP, nothing.
16:00 < mikemol|zoe> Guess I do my route munging in client-connect.
16:01 < mikemol|zoe> I didn't really want to do that until the client had had a chance to apply the address details that had been pushed.
16:03 <@krzee> or in --up
16:04 <@krzee> oh in server context
16:04 <@krzee> my bad
16:04 <@krzee> gotta run
16:04 < rob0> you are
16:04 < rob0> you can run, cannot hide!
16:05 < mikemol|zoe> I will be so happy when I can deploy this. Finally, a WAN VPN setup without NAT...
16:07 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
16:08 -!- fremo_ [~fred@gw-salamandre.liazo.net] has quit [Remote host closed the connection]
16:08 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
16:10 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Client Quit]
16:11 -!- smerz_ [~smerz@2001:470:1f15:1e5::58] has quit [Remote host closed the connection]
16:11 -!- smerz [~smerz@2001:470:1f15:1e5::58] has quit [Remote host closed the connection]
16:13 < mikemol|zoe> Is there any way to add routing rules to the system routing table in --client-connect? "ip route add $subnet via $remote_ip" is failing, though it works when I try it manually.
16:13 < mikemol|zoe> iroute is only within openvpn, and route isn't permitted in that context.
16:23 -!- d1z [~djz@gateway/tor-sasl/grullizzle] has joined #openvpn
16:23 < d1z> when I do ./build-ca I set up a common name
16:23 < d1z> does it have to be the same name that I use for ./build-key-server and ./build-key?
16:25 < d1z> in the example server.conf in /usr/share.../server.conf.gz it says something about uncommenting the setting duplicate-cn in order to allow clients with certificates with different common names
16:25 < mikemol|zoe> That's not quite right.
16:25 -!- Fusl is now known as fusl
16:25 < mikemol|zoe> duplicate-cn allows you to use the same common name for multiple clients.
16:26 < d1z> ok so I should actually uncomment it then. because I don't want to use the same cn for all certificates
16:26 < mikemol|zoe> I.e. you could even use the same client cert on five different devices if you have duplicate-cn enabled.
16:27 < d1z> I see
16:27 < d1z> then I should leave it enabled
16:27 < mikemol|zoe> If you want to force unique CNs you need to ensure duplicate-cn is disabled.
16:27 < d1z> because I don't want to create a different certificate for each user (we're going to be 3 users rolling on the vpn, top)
16:28 < mikemol|zoe> If you do not want to force unique CNs, then you want duplicate-cn enabled.
16:28 < d1z> I'm going to leave it enabled then
16:28 < d1z> I want a single user certificate for various users
16:28 < mikemol|zoe> Generating client certs is pretty easy. Once you've done it once, it's thirty seconds to do it again.
16:28 < rob0> mikemol|zoe, your --client-connect problem is likely because of --user
16:29 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has joined #openvpn
16:29 < rob0> you could grant passwordless sudo to your openvpn user, perhaps
16:29 < mikemol|zoe> For the ip command. Yeah, that'd work.
16:29 < d1z> I wish someone could explain in simple terms what this whole certificates, keys, signing charade is all about
16:30 < mikemol|zoe> d1z: Frankly, here's what I'd suggest if you want a reasonable amount of security with little hassle.
16:31 < mikemol|zoe> Generate one client cert per each user. That user can then put their client cert on as many devices as they want.
16:31 < rob0> for ip, or for a script maybe
16:31 < rob0> (I guess you can sudo a script?)
16:31 < mikemol|zoe> If you need to revoke that user's access, you can still do so, without taking down the VPN for everyone at the same time.
16:32 < mikemol|zoe> Otherwise, the minute you've got someone with their client cert loaded into their stolen phone, you've got to take down the entire VPN for everybody and issue new certs.
16:32 < d1z> mikemol|zoe, in order to generate these certificates, I need to preserve the /easy-rsa/ directory where I'm currently generating them right?
16:33 < mikemol|zoe> d1z: Yes.
16:33 < mikemol|zoe> Well, there may be other ways, but that's how I do it.
16:36 < d1z> mikemol|zoe, ok, thanks for the insight mate
16:36 < mikemol|zoe> d1z: I go more fine-grained than you do, but it sounds like your scenario doesn't require my degree of paranoia.
16:40 -!- traph [~traph@46.10.9.133] has joined #openvpn
16:40 -!- traph [~traph@46.10.9.133] has quit [Changing host]
16:40 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
16:46 < d1z> mikemol|zoe, I noticed that when I do ./build-key-server foo, the following files are created in keys/
16:46 < d1z> foo.crt, foo.csr, foo.key and 01.pem
16:46 < d1z> what is 01.pem for?
16:46 < mikemol|zoe> Don't know, honestly. I'm not an expert. :)
16:49 < mikemol|zoe> rob0: Urgh. So close. *now* SELinux starts biting me. Who knew it'd get in a twist over openvpn executing a shell script that calls sudo? :)
16:49 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
16:49 < mikemol|zoe> I haven't even gotten to the point where it complains about /sbin/ip yet...
16:50 < d1z> so I would assume that it's used internally by the certificate creating process but not intended for anything else, as in clients don't really need it. I say that because when I do ./build-key for the client certificate, a 02.pem file is created
16:50 -!- MACscr2 [~MACscr2@c-98-214-103-147.hsd1.il.comcast.net] has quit [Ping timeout: 269 seconds]
16:54 < rob0> mikemol|zoe, :)
16:54 < gostfaced> can someone help me with a simple issue with openvpn
17:01 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
17:02 < rob0> probably not, unless you say what it is
17:04 < gostfaced> well i dont know my login/pw to login to the vpn i want, i have everything installed and i have my own username and pw for the website but i dont know my username and pw when i try to connect to a server with openvpn
17:05 < rob0> login/password? Are you sure it's openvpn?
17:06 < rob0> openvpn uses SSL certificate verification.
17:06 < gostfaced> well it says auth-failed than it gives my the login pop up box
17:10 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 246 seconds]
17:12 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
17:12 -!- fremo [~fred@gw-salamandre.liazo.net] has quit [Client Quit]
17:12 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
17:13 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:14 < HD|Laptop> assuming I have two hosts behind a NAT and no way to do portforwarding (crappy old DSL routers with bugs-.-) and a internet-reachable server, can I make PC B host a Openvpn server so that I can reach B from A via server C?
17:14 < HD|Laptop> both hosts are Windoze, server is Debian Linux
17:16 -!- fremo [~fred@gw-salamandre.liazo.net] has quit [Client Quit]
17:17 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
17:24 -!- d1z [~djz@gateway/tor-sasl/grullizzle] has quit [Ping timeout: 240 seconds]
17:32 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:32 < gostfaced> i know its a simple problem i choose the vpn config it pops up a connection dialog and asked for the login and i dont know what it is
17:32 -!- Gaming4JC [~Gaming4JC@unaffiliated/gaming4jc] has joined #openvpn
17:33 < Gaming4JC> Hello, does anyone know if it is possible to use OpenVPN client without DHCP? This is in regards to the Win32 version.
17:33 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
17:35 -!- linlin [will@173.243.115.75] has joined #openvpn
17:35 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Read error: Connection reset by peer]
17:36 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
17:36 -!- raidz [~raidz@2607:5300:60:d5a::2] has joined #openvpn
17:36 -!- raidz [~raidz@2607:5300:60:d5a::2] has quit [Changing host]
17:36 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:36 -!- mode/#openvpn [+o raidz] by ChanServ
17:37 -!- pentiumone133 [will@173.243.115.75] has quit [Read error: Connection reset by peer]
17:38 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Excess Flood]
17:38 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
17:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:44 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
17:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
17:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mflqiqrmpgzgxxel] has quit [Quit: Connection closed for inactivity]
17:57 -!- d1z [~djz@gateway/tor-sasl/grullizzle] has joined #openvpn
18:00 < gostfaced> why do i get a tls handshake error with vpnbook?
18:01 < Gaming4JC> gostfaced: sounds like they have a bad cert, you should check with them on why that is the case
18:01 < gostfaced> ok
18:01 < Gaming4JC> alternatively someone could be trying to MITM your connection but it is unlikely
18:02 < gostfaced> would i need a tls key?
18:03 < Gaming4JC> it makes the connection secure
18:03 < Gaming4JC> also I see NAT can cause this error sometimes
18:03 < Gaming4JC> https://forums.openvpn.net/topic12036.html#p27224
18:03 < gostfaced> thank you
18:03 <@vpnHelper> Title: OpenVPN Support Forum TLS key negotiation/handshake error : Access Server (at forums.openvpn.net)
18:07 < Gaming4JC> To answer my own question, it looks as if the Win32 TAP adapter and OpenVPN build for windows is dependant on DHCP running. This is unfortunate. Enhancement bug filed: https://github.com/OpenVPN/tap-windows/issues/4
18:07 <@vpnHelper> Title: Enhancement: Allow configuration of adapter without DHCP service · Issue #4 · OpenVPN/tap-windows · GitHub (at github.com)
18:08 < Gaming4JC> Also 10MBps is pretty lame https://github.com/OpenVPN/tap-windows/issues/3
18:08 <@vpnHelper> Title: Enhancement: Increase baud to 100MBPS (currently limited to 10MBPS) · Issue #3 · OpenVPN/tap-windows · GitHub (at github.com)
18:08 < Gaming4JC> :P
18:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
18:19 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 240 seconds]
18:30 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Excess Flood]
18:30 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
18:31 -!- blarghlarghl [michael@efnet.math.uwaterloo.ca] has left #openvpn []
18:33 -!- u0m3_ [~u0m3@109.96.148.19] has joined #openvpn
18:33 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
18:34 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:7dfc:ee04:4824:68eb] has quit [Ping timeout: 240 seconds]
18:34 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 264 seconds]
18:34 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has joined #openvpn
18:34 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
18:35 -!- u0m3 [~u0m3@109.96.148.19] has quit [Ping timeout: 240 seconds]
18:38 -!- sw_1 [~sw_1@pool-173-63-46-111.nwrknj.fios.verizon.net] has joined #openvpn
18:38 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection timed out]
18:39 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 240 seconds]
18:39 -!- mndo [~mndo@bl16-177-244.dsl.telepac.pt] has joined #openvpn
18:39 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:39 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
18:39 -!- mode/#openvpn [+o dazo_afk] by ChanServ
18:39 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
18:39 -!- dazo_afk is now known as dazo
18:40 -!- mndo_ [~mndo@bl16-177-244.dsl.telepac.pt] has joined #openvpn
18:40 -!- mndo [~mndo@bl16-177-244.dsl.telepac.pt] has quit [Read error: Connection reset by peer]
18:41 -!- pjschmitt [~parker@209.141.56.12] has quit [Ping timeout: 240 seconds]
18:41 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 240 seconds]
18:41 -!- mndo_ is now known as mndo
18:41 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
18:43 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
18:44 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:44 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
18:45 -!- red_racer12__ [sid20963@gateway/web/irccloud.com/session] has joined #openvpn
18:45 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
18:46 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
18:46 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Quit: changing servers]
18:47 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-wxzvqmbsifeebirx] has quit [Ping timeout: 240 seconds]
18:47 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Ping timeout: 240 seconds]
18:47 -!- BlackPanx [~BlackPanx@cpe-31-15-133-178.cable.telemach.net] has quit [Ping timeout: 240 seconds]
18:47 -!- lamokie_ [~steve@li428-245.members.linode.com] has quit [Ping timeout: 240 seconds]
18:47 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 264 seconds]
18:47 -!- red_racer12__ is now known as red_racer12_
18:47 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
18:47 -!- u0m3__ [~u0m3@109.96.148.19] has joined #openvpn
18:47 -!- simcop2387_ [~simcop238@173.255.192.167] has joined #openvpn
18:47 -!- simcop2387_ [~simcop238@173.255.192.167] has quit [Changing host]
18:47 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
18:48 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
18:48 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
18:48 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
18:50 -!- mndo_ [~mndo@bl16-177-244.dsl.telepac.pt] has joined #openvpn
18:50 -!- james41382 [~james@unaffiliated/james41382] has quit [Max SendQ exceeded]
18:51 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
18:51 -!- mndo_ [~mndo@bl16-177-244.dsl.telepac.pt] has quit [Read error: Connection reset by peer]
18:54 -!- Netsplit *.net <-> *.split quits: JackWinter, simcop2387, elricsfate_wrk, mndo, d1z, u0m3_
18:54 -!- simcop2387_ is now known as simcop2387
18:55 -!- Gaming4JC [~Gaming4JC@unaffiliated/gaming4jc] has quit [Excess Flood]
18:55 -!- linlin [will@173.243.115.75] has quit [Write error: Broken pipe]
18:55 -!- master_of_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
18:55 -!- Netsplit over, joins: mndo
18:56 -!- frank-- [1000@unaffiliated/thumbs] has quit [Remote host closed the connection]
18:56 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
18:58 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
18:58 -!- crus` [~crusader@2001:44b8:319e:2900:9162:7193:5003:837b] has joined #openvpn
18:58 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
19:00 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
19:00 -!- crus [~crusader@2001:44b8:319e:2900:9162:7193:5003:837b] has quit [Ping timeout: 240 seconds]
19:02 -!- master_of_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has joined #openvpn
19:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:06 -!- pentiumone133 [will@173.243.115.75] has quit [Ping timeout: 240 seconds]
19:07 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
19:08 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/session] has quit [Changing host]
19:08 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-cyjjozoejcymtsgo] has joined #openvpn
19:09 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
19:10 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 264 seconds]
19:13 -!- riddle [riddle@us.yunix.net] has joined #openvpn
19:14 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
19:14 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
19:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
19:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-cherlaomxavgwwsu] has quit [Ping timeout: 264 seconds]
19:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-tuvysxtccrexvmaw] has joined #openvpn
19:28 -!- master_o1_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has joined #openvpn
19:28 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
19:29 -!- tapout_ [~tapout@unaffiliated/tapout] has joined #openvpn
19:29 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
19:29 -!- fremo [~fred@gw-salamandre.liazo.net] has quit [Ping timeout: 240 seconds]
19:29 -!- master_of_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
19:29 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
19:29 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 240 seconds]
19:29 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 240 seconds]
19:29 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Ping timeout: 240 seconds]
19:31 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
19:31 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
19:31 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
19:33 -!- kossy [a@kossy.org] has joined #openvpn
19:45 -!- novaflash is now known as novaflash_away
19:55 -!- mndo [~mndo@bl16-177-244.dsl.telepac.pt] has quit [Quit: going home]
19:56 -!- gostfaced [~gostfaced@ool-435403a4.dyn.optonline.net] has quit [Ping timeout: 264 seconds]
19:58 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has joined #openvpn
20:07 -!- sw_1 [~sw_1@pool-173-63-46-111.nwrknj.fios.verizon.net] has quit [Ping timeout: 240 seconds]
20:14 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 264 seconds]
20:24 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:55d5:6553:11f5:f5bb] has joined #openvpn
20:28 -!- sudormf [~ali@175.110.246.191] has joined #openvpn
20:29 < sudormf> I'm setting up a vpn on amazon (AWS)
20:30 < sudormf> has anyone here done that before?
20:31 < pekster> Nothing is special about that except maybe the weird "default firewalling" you get with VPCs
20:31 < pekster> Otherwise it's just like any other host
20:31 < sudormf> one thing that's different is, you get a domain name rather than the i.p address
20:32 < sudormf> Do i need to put the server domain name anywhere in the server.conf file?
20:32 < Suterusu> lol @ access to ca.key on cloud
20:32 < Suterusu> sounds secure
20:32 < rob0> who said to run the CA from there?
20:33 < Suterusu> It'll be processed there...
20:33 < rob0> why?
20:34 < rob0> It's foolish to put the CA key on the server or any client. Ideally it should be kept offline.
20:34 < Suterusu> I'm pretty sure if it's not accesible to the server, you're going to have fun loggin in.
20:35 < pekster> Your server should _NOT_ have your CA key
20:36 < Suterusu> doesn't you need to be telling it where to find it in the .conf?
20:36 < pekster> Nope
20:36 < pekster> CA _certificate_, yes
20:36 < pekster> Cert != Key
20:36 < Suterusu> my bad, I confuddle them
20:36 < pekster> !intro-to-pki
20:36 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
20:37 < pekster> !factoids search intro
20:37 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
20:37 < pekster> Lazy bot
20:37 -!- p3rror [~mezgani@196.201.78.139] has quit [Read error: Connection reset by peer]
20:37 < pekster> There's also !hardening for some generic security recommendations on the wiki
20:37 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Connection reset by peer]
20:39 < rob0> Anyway, it's a good point for sudormf if not already understood: don't run your CA from Amazon.
20:39 < Suterusu> When the bot catches up. lol.
20:40 < pekster> No, !commands have to be at the beginning
20:40 < Suterusu> OIC
20:40 < Suterusu> !hardening
20:40 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
20:40 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
20:43 < sudormf> what exactly will happen if run from aws?
20:44 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
20:44 < pekster> sudormf: Do what you want. It's poor security practices to put your CA on the server, but it's your call
20:45 < pekster> AWS is not special outside of their service nuances (as with any paid hosting)
20:45 < pekster> Happily ignore the CA discussion if it confuses you; it was a side-track conversation
20:46 < sudormf> do i need to specify any of the push options in server.conf? connection from linux
20:47 < pekster> huh?
20:47 < pekster> "Do exactly what you would do if this wasn't AWS"
20:47 < pekster> AWS has exactly zero to do with your problem
20:47 < pekster> !xy
20:47 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
20:48 < sudormf> I'm not sure what I would do, this is my first time setting up a vpn
20:48 < pekster> !howto
20:48 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:49 < sudormf> i've already got a tutorial, mind just telling me if i need to specify push options if i'm connecting from linux?
20:49 < pekster> "it depends"
20:49 < Suterusu> on what your intent for is
20:49 < sudormf> i just want to connect and stream pandora
20:49 < pekster> "it still depends"
20:50 < pekster> Vauge questions aren't going to help you
20:50 < pekster> !welcome
20:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:50 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:51 < pekster> If you're new to Freenode, the channel /TOPIC will usually contain helpful hints and often commands for some of this basic help
20:52 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has quit [Read error: Connection reset by peer]
20:52 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has joined #openvpn
20:56 < sudormf> I'm able to connect to my vpn, but pinging or visiting any sites isn't working.
20:56 < sudormf> e.g ping google.com times out
20:57 < pekster> I didn't know until now you wanted to do that
20:57 < pekster> !goal
20:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:57 < pekster> Maybe you'd like to type in and read about: !redirect
20:57 < sudormf> !redirect
20:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:58 < sudormf> i have already run: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
20:58 < pekster> Then you skipped lots of steps
20:59 < pekster> WHere did you get stuck on the flowchart you haven't followed yet?
20:59 < sudormf> i think i've followed everything.
20:59 < pekster> Then you'd know your problem
20:59 < sudormf> which flowchart are you refering to
21:00 < pekster> Read harder. Maybe under "Handy troubleshooting flowchart"
21:00 < pekster> !redirect
21:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:00 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:00 < pekster> #4, if you missed it
21:05 < sudormf> so, i can't ping myvpn.amazonaws.com:1194
21:05 < sudormf> or even myvpn.amazonaws.com:1194
21:05 < sudormf> sorry, or even myvpn.amazonaws.com
21:05 < sudormf> i'm guessing it has to do with that aws firewall?
21:06 < pekster> The ping test (first flowchart box) is to ping the VPN IP
21:06 < pekster> If that isn't working you should fix that first
21:06 < sudormf> yes, and i'm asking how to fix that.
21:07 < pekster> (it's not strictly necessary, but it'll make your life painful to restrict it)
21:07 < sudormf> i'm able to ssh to the same ip
21:07 < pekster> "VPN IP" != "AWS IP"
21:08 < sudormf> its the ip of my aws instance
21:08 < sudormf> where i'm ssh-ing to it
21:09 < pekster> Wrong IP
21:09 < pekster> Your VPN network needs to use a _unique_ and _non_ overlapping IP range
21:09 < pekster> If you followed the !howto this would be 10.8.0.1
21:10 < sudormf> Yes, that is set in my server.conf. But that's not the gateway of my vpn to which i'd connect from the client, right
21:11 < sudormf> i'm talking about the gateway ip here, for which i'm using the aws instance ip
21:11 < pekster> Stop guessing
21:11 < sudormf> i would if you'd tell me the answer
21:11 < pekster> I did
21:11 < pekster> < pekster> The ping test (first flowchart box) is to ping the VPN IP
21:11 < pekster> Go do that
21:11 < pekster> If it's broken, fix it
21:12 < pekster> If it's not, flowchart says move on
21:12 < sudormf> ah, so you mean to ping 10.8.0.1
21:12 < sudormf> from server?
21:12 < pekster> From the client
21:12 < pekster> And only if that's your IP
21:12 < sudormf> that's the subnet i've set in server.conf
21:13 < sudormf> do i need to be connected to vpn while pinging that?
21:13 < pekster> ..
21:13 < pekster> Yes.
21:13 < pekster> It's like asking if the car needs to be started before you can drive it
21:15 < sudormf> ok, so ping 10.8.0.0 didn't work from my client. but i have another vps that i set up a while back, for which i also used 10.8.0.0 , and that one works, so i tried it, and ping 10.8.0.0 doesn't work even from that even though its working
21:15 < sudormf> so i don't think that's related to my issue, its most likely the aws firewall that i need to disable. if you could tell me which ports i need to have open, that should fix my issue
21:15 < pekster> 10.8.0.0 isn't your _server_ IP
21:15 < pekster> To be very blunt, you aren't really doing to be able to use a VPN without some basics
21:16 < sudormf> server 10.8.0.0 255.255.255.0
21:16 < pekster> That's a network
21:16 < pekster> You're not supposed to ping a network
21:16 < sudormf> then which config setting contains the server?
21:17 < pekster> 21:12:24 < sudormf> ah, so you mean to ping 10.8.0.1
21:17 < pekster> So why the hell did you ping something ELSE?
21:17 < sudormf> i did ping just that
21:17 < sudormf> ping 10.8.0.0
21:17 < pekster> FFS man
21:17 < pekster> zero is not one
21:17 < pekster> one is not zero
21:17 < sudormf> oh
21:17 < sudormf> sorry
21:18 < sudormf> so my server.conf says 10.8.0.0 for server
21:18 < sudormf> is that what i should ping?
21:18 < pekster> --server does lots of things
21:18 < pekster> Read the manpage
21:18 < pekster> !man
21:18 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
21:18 < pekster> Maybe someone else has more time. I'm not going to tell you for a 4th time what to ping
21:19 < sudormf> are you able to tell me which ports need to be open on server. that's all i need to know
21:19 < sudormf> i have already opened 1194 for tcp and udp
21:19 < pekster> The one you're using. 1194 UDP is the default, but you can change both the port and the protocol (read about --port and --proto in the manpage for details)
21:38 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Disconnected by services]
21:49 < sudormf> !howto
21:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
22:03 < sudormf> So I'm able to ping to 10.8.0.1 from client, and i have redirect gateway enabled, but i can't ping 8.8.8.8
22:03 < sudormf> how can i check if i have ip forwarding enabled?
22:04 <@Eugene> !linipforward
22:04 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
22:04 <@Eugene> cat that /proc/ value ^
22:04 -!- lj [~l@192.241.174.169] has joined #openvpn
22:05 < sudormf> yes, that is set to 0.
22:05 <@Eugene> Then it's not enabled.
22:06 < sudormf> yes, thanks. i'll try and enable it
22:13 < sudormf> enabled ip forwarding but still can't load up any sites. how do i check if nat is enabled on vpn subnet?
22:13 < sudormf> is it with iptables?
22:19 < sudormf> !nat
22:19 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
22:26 -!- mikemol|zoe [~mikemol@162.17.129.77] has quit [Ping timeout: 265 seconds]
22:27 -!- mikemol|zoe [~mikemol@162.17.129.77] has joined #openvpn
22:37 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 240 seconds]
22:37 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
22:39 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
22:39 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
22:39 -!- kossy [a@kossy.org] has joined #openvpn
22:39 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
22:41 -!- master_of_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has joined #openvpn
22:42 -!- Netsplit *.net <-> *.split quits: master_o1_master, simcop2387, JSharpe, lj, gostfaced, Pisuke, thumbs
22:44 -!- Netsplit over, joins: gostfaced
22:46 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
22:47 -!- lj [~l@192.241.174.169] has joined #openvpn
22:49 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
22:50 -!- kossy [a@kossy.org] has joined #openvpn
22:51 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
22:59 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
23:02 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 240 seconds]
23:02 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
23:05 -!- frank-- is now known as thumbs
23:06 -!- kossy [a@kossy.org] has joined #openvpn
23:07 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
23:09 < ponyofdeath> hi, how can i push dns server only to certain client? ie in the ccd config file
23:09 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has quit [Ping timeout: 286 seconds]
23:09 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
23:10 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has joined #openvpn
23:11 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
23:12 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
23:15 -!- thumbs [1000@unaffiliated/thumbs] has quit [Read error: Operation timed out]
23:15 -!- kossy [a@kossy.org] has quit [Excess Flood]
23:15 -!- frank-- is now known as thumbs
23:15 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
23:20 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:24 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
23:27 -!- lvv [~loganaden@2001:4290:10:250:9cdd:2568:f7e7:344b] has joined #openvpn
23:27 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds]
23:27 -!- lj [~l@192.241.174.169] has quit [Read error: Connection reset by peer]
23:28 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 330 seconds]
23:28 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Ping timeout: 330 seconds]
23:28 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 330 seconds]
23:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 330 seconds]
23:28 -!- batrick [~batrick@nmap/developer/batrick] has quit [Ping timeout: 330 seconds]
23:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 330 seconds]
23:28 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
23:28 -!- EmLeX_ [~emx@37.46.193.2] has joined #openvpn
23:28 -!- Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
23:29 -!- alexxtasi [~alex@150.140.12.90] has joined #openvpn
23:30 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
23:30 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:35 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:49 -!- _Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
23:50 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
23:50 -!- makara [~makara@41.164.22.218] has quit [Excess Flood]
23:51 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:52 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:52 -!- Cr4zi3 [guessswh0@staff.xbins.org] has quit [Ping timeout: 240 seconds]
23:53 -!- _Cr4zi3 is now known as Cr4zi3
23:55 -!- kossy [a@kossy.org] has joined #openvpn
--- Day changed Fri Feb 28 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:01 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
00:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- fusl is now known as Fusl
00:05 -!- Cr4zi3 [guessswh0@staff.xbins.org] has quit [Ping timeout: 539 seconds]
00:05 -!- alexxtasi [~alex@150.140.12.90] has quit [Ping timeout: 539 seconds]
00:05 -!- alexxtasi [~alex@150.140.12.90] has joined #openvpn
00:05 -!- Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
00:07 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:10 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 240 seconds]
00:10 -!- kossy [a@kossy.org] has quit [Read error: Connection reset by peer]
00:11 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
00:11 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
00:13 -!- Fusl is now known as fusl
00:15 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:15 -!- mode/#openvpn [+o mattock] by ChanServ
00:15 -!- kossy [a@kossy.org] has joined #openvpn
00:35 -!- lj [~l@adsl-99-155-21-255.dsl.peoril.sbcglobal.net] has joined #openvpn
00:37 -!- lj1 [~l@192.241.174.169] has joined #openvpn
00:39 -!- lj [~l@adsl-99-155-21-255.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 252 seconds]
00:49 -!- fusl is now known as Fusl
01:04 -!- lj [~l@adsl-99-155-21-255.dsl.peoril.sbcglobal.net] has joined #openvpn
01:05 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 244 seconds]
01:06 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:07 -!- lj1 [~l@192.241.174.169] has joined #openvpn
01:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:08 -!- lj [~l@adsl-99-155-21-255.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 252 seconds]
01:11 -!- novaflash_away is now known as novaflash
01:22 < sudormf> can anyone tell me how i can change iptables to allow port 1194?
01:22 < sudormf> i'm on aws where iptables is set to not allow that port
01:38 < inch> iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
01:38 < sudormf> ty
01:40 < inch> Do you use some firewall program or script? You should change settings there.
01:40 < sudormf> i don't use anything, i'm trying to set up a vpn on amazon's cloud
01:40 < sudormf> they have firewalls set up
01:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:51 -!- Denial [Denial@90.201.173.63] has joined #openvpn
01:59 -!- alexxtasi [~alex@150.140.12.90] has quit [Changing host]
01:59 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:04 -!- cktsoi [~cktsoi@236-013.netfront.net] has joined #openvpn
02:05 -!- cktsoi [~cktsoi@236-013.netfront.net] has quit [Remote host closed the connection]
02:13 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 265 seconds]
02:18 -!- sudormf [~ali@175.110.246.191] has quit [Ping timeout: 240 seconds]
02:26 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has quit [Ping timeout: 240 seconds]
02:29 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
02:34 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
02:42 -!- lvv [~loganaden@2001:4290:10:250:9cdd:2568:f7e7:344b] has quit [Ping timeout: 245 seconds]
02:44 -!- tapout_ is now known as tapout
02:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:00 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 252 seconds]
03:07 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
03:36 -!- Fusl is now known as fusl
03:40 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has joined #openvpn
03:40 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has quit [Ping timeout: 244 seconds]
03:46 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:48 -!- Devastator [~devas@177.18.199.12] has joined #openvpn
04:00 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
04:12 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
04:14 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Quit: going home]
04:16 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
04:27 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Quit: going home]
04:27 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
04:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-tuvysxtccrexvmaw] has quit [Ping timeout: 244 seconds]
04:31 -!- mattock is now known as mattock_afk
04:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-bggooxjduycsgiie] has joined #openvpn
04:36 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Quit: going home]
04:36 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
04:38 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Remote host closed the connection]
04:38 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has joined #openvpn
04:38 -!- fusl is now known as Fusl
05:34 -!- Devastator [~devas@177.18.199.12] has quit [Changing host]
05:34 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
05:38 -!- mattock_afk is now known as mattock
05:43 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
05:53 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:28 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:28 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:28 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:37 -!- FlyingPersian [~androirc@xdsl-87-79-224-5.netcologne.de] has joined #openvpn
06:37 < FlyingPersian> Hi
06:38 < FlyingPersian> I'm having some trouble with my openvpn setup..
06:39 < FlyingPersian> I'm running openvpn server on my Netgear router and it seems to work well. But my nexus 4 has two issues
06:39 < FlyingPersian> 1. My connection breaks every 40s or so
06:39 < FlyingPersian> 2. It's super slow, but I think that's Cuz im using tun and my Internet connection at home sucks
06:40 < FlyingPersian> I have to change it to tap, also because I want to be able to connect to my NAS
06:41 < FlyingPersian> A confirmation would be nice on that.. I don't want to tunnel all my traffic through the vpn, but only be able to connect to my nas
06:41 < rob0> why do you need to change to tap for your nas?
06:47 < FlyingPersian> When a client connects via bridging to a remote network, it is assigned an IP address that is part of the remote physical ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally.
06:47 < FlyingPersian> This is why I guess
07:02 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:03 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:09 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
07:09 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:14 -!- mattock is now known as mattock_afk
07:18 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
07:19 -!- frank-- is now known as thumbs
07:21 -!- nibbo_ [nibbo@gateway/shell/blinkenshell.org/x-bobtqzlumyitjgga] has joined #openvpn
07:21 < nibbo_> !welcome
07:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:22 < nibbo_> !goal
07:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:23 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
07:25 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
07:26 < nibbo_> Hello, I have the following setup. 1 web-application server, 1 database server, 1 logserver and more to come. I would like to set up something that makes it possible for these machines to communicate encrypted between themselves. In my mind a final situation where each machines has an IP to each of the other machines that is an encrypted link to it. What is the kind of setup I should be looking for? I am not very versed in t
07:26 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
07:27 < nibbo_> Is OpenVPN even what I am looking for? I am very confident in unix-systems in general, so complicated setups is not a problem. I've not worked with VPNs before though.
07:27 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:28 -!- Eagleman7 [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
07:31 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
07:43 < rob0> nib, sounds like a Definite Maybe. Are these all at different physical sites?
07:44 < rob0> Think of openvpn as you would a NIC and cable. The actual traffic goes through real NICs and their transport media, but to the OS it is a like a new NIC.
07:50 < FlyingPersian> Rob0, does it make sense what I said?
07:50 < nibbo_> rob0: they will all be at the same datacenter.
07:51 < rob0> and you don't control the links between them?
07:51 < nibbo_> rob0: The provider does not provide private networking between nodes though. That's why I'd like this kind of setup.
07:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:02 < nibbo_> rob0: Still a maybe? Do you know of anything else that could suit my scenario? Do I do this with a central server or can each server keep it's links to the other servers in some way? It would be nice if the setup did not depend on one specific server being up.
08:02 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
08:04 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 244 seconds]
08:06 < rob0> sure, I'd make a little static key round-robin (full mesh)
08:06 < rob0> FlyingPersian, no. I don't see any reason why you need tap/bridging.
08:06 < rob0> !tunortap
08:06 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
08:06 <@vpnHelper> rooted/jailbroken) support only tun
08:10 -!- FlyingPersian [~androirc@xdsl-87-79-224-5.netcologne.de] has quit [Read error: Connection reset by peer]
08:10 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
08:13 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 241 seconds]
08:19 -!- takamich_ [~takamichi@85.12.8.105] has joined #openvpn
08:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
08:22 < nibbo_> rob0: Anywhere I can read more about this kind of setup?
08:28 < nibbo_> rob0: would it be OK to run a static-key point-to-point mode daemon for each link each server needs to have? Or would that be too much overhead per link?
08:28 < rob0> that's exactly what I am suggesting
08:29 < rob0> I have done it with 6 endpoints, wasn't that difficult
08:31 < mikemol|zoe> OK, this is frustrating. I can: "sudo -u openvpn bash" and then "sudo ip (add a route)" without being prompted for a password, but when the client-connect script tries to run it, it fails.
08:32 < nibbo_> rob0: That's awesome. Thank you so much. Security depends on length of static key, right? So beef that up and I will be all set, right?
08:32 < mikemol|zoe> command has an exit code of 1, and audit.log shows: type=USER_CMD msg=audit(1393597736.847:14340): user pid=10921 uid=0 auid=16877716 ses=111 subj=unconfined_u:system_r:openvpn_t:s0 msg='cwd="/etc/openvpn" cmd=697020726F757465206164642031302E3136312E31302E302F3234207669612031302E3136332E312E3130 terminal=? res=failed'
08:32 < mikemol|zoe> But I don't know *why* it failed. Hell, I even have selinux set to "permissive" at this point--disable, but log.
08:36 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:39 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
08:41 -!- Pisuke [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
08:41 < rob0> nibbo_, I think I would script something to update & replace the static keys periodically, maybe monthly or so. What you need for security depends on your threat model. If your main worry is the DC and other customers there trying to snoop, you're probably okay. But if you want to hide from the NSA, definitely go for bigger keys. And worry about other ways they might attack you, given physical access to the boxes.
08:41 -!- Pisuke is now known as Guest34087
08:42 < rob0> Mike, I have gottne good helkp in the #selinux channel before.
08:42 < rob0> and I have gotten typoes too
08:42 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
08:47 -!- Fusl is now known as fusl
08:47 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
08:47 < nibbo_> rob0: thanks. Yes. I will script the whole setup with chef. So swapping keys each month sounds goo
08:47 < nibbo_> d
08:48 -!- fusl is now known as Fusl
08:48 < mikemol|zoe> rob0: thanks
08:51 -!- fred`` [fred@earthli.ng] has joined #openvpn
08:52 -!- Fusl is now known as fusl
08:57 -!- mikemol|zoe is now known as mikemol
08:58 -!- mikemol [~mikemol@162.17.129.77] has quit [Quit: Leaving.]
09:00 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
09:16 -!- mattock_afk is now known as 1JTAAHKIE
09:17 -!- ultra [~ed@unaffiliated/ultra] has quit [Quit: Servers? check out these guys at http://www.viciousvps.com]
09:18 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
09:28 -!- ultra [~ed@unaffiliated/ultra] has joined #openvpn
09:33 -!- lj [~l@192.241.174.169] has joined #openvpn
09:43 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
09:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:16 -!- takamich_ [~takamichi@85.12.8.105] has quit [Ping timeout: 240 seconds]
10:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:33 -!- FlyingPersian [~androirc@xdsl-87-79-224-5.netcologne.de] has joined #openvpn
10:34 < FlyingPersian> Hi. Why I'd the forum registration not available :/
10:34 < FlyingPersian> I'd = is
10:37 < rob0> hang around and look for ecrist -- he can help you with that
10:38 < rob0> maybe a few others, I don't know
10:40 < rob0> and not sure if you saw this earlier,
10:40 < rob0> !tunortap
10:40 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
10:40 <@vpnHelper> rooted/jailbroken) support only tun
10:50 -!- fusl is now known as Fusl
10:54 -!- lj [~l@192.241.174.169] has joined #openvpn
10:55 <@ecrist> FlyingPersian: what's your forum issue?
10:56 < FlyingPersian> Creating a new account is currently not possible.
10:56 < FlyingPersian> @ ecrist
10:56 < FlyingPersian> When I press register in Tapatalk
10:57 <@ecrist> yeah, you can't register from tapatalk because we don't use the forum database for new accounts
10:57 <@ecrist> You need to go here: https://community.openvpn.net/pwm/private/Login
10:57 <@vpnHelper> Title: Password Self Service (at community.openvpn.net)
10:57 <@ecrist> and create a new account
10:57 <@ecrist> then the forum will work for you
10:59 < FlyingPersian> Oh now the forum Web page works. I got a proxy error earlier today
11:00 < FlyingPersian> Oksy
11:01 < FlyingPersian> Do I have to give my real name etc?
11:01 <@ecrist> don't really care.
11:01 <@ecrist> :)
11:01  * ecrist poofs for lunch
11:11 < FlyingPersian> Thx
11:11 -!- FlyingPersian [~androirc@xdsl-87-79-224-5.netcologne.de] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
11:15 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
11:30 -!- 1JTAAHKIE is now known as mattock_afk
11:42 -!- Netsplit *.net <-> *.split quits: lj, Devastator, Guest34087, krphop, mcp, ponyofdeath, goldkatze, klein, dren_, takamichi,  (+8 more, use /NETSPLIT to show all of them)
11:42 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:45 < Roa> .
11:46 -!- ben1066_ [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
11:46 -!- Cpt-Oblivious_ is now known as Cpt-Oblivious
11:46 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
11:47 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
11:48 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:50 -!- Devastator [~devas@177.18.199.12] has joined #openvpn
11:50 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
11:50 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
11:52 -!- kossy [a@kossy.org] has joined #openvpn
11:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-bbgfvjxmlwptfyrg] has joined #openvpn
11:53 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
11:54 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
11:59 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has quit [Ping timeout: 240 seconds]
12:00 -!- bersace [~bersace@sevin.cae.li] has quit [Ping timeout: 252 seconds]
12:04 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
12:04 -!- Devastator [~devas@177.18.199.12] has quit [Ping timeout: 240 seconds]
12:05 -!- traph [~traph@46.10.9.133] has joined #openvpn
12:05 -!- traph [~traph@46.10.9.133] has quit [Changing host]
12:05 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
12:05 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
12:05 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
12:05 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
12:05 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:11 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
12:14 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:15 -!- kossy [a@kossy.org] has joined #openvpn
12:16 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:19 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
12:19 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
12:23 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
12:25 -!- Guest34087 [~Sembei@unaffiliated/sembei] has joined #openvpn
12:25 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has joined #openvpn
12:28 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
12:31 -!- Cr4zi3 [guessswh0@76.74.171.253] has joined #openvpn
12:31 -!- dren_ [~dren@69.163.43.34] has joined #openvpn
12:39 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has joined #openvpn
12:52 -!- teegee543 [~teegee543@berrypi.com] has left #openvpn []
12:57 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
12:59 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
13:04 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mnyaybvrjshnjxuf] has joined #openvpn
13:09 -!- mndo [~mndo@bl17-65-125.dsl.telepac.pt] has quit [Ping timeout: 244 seconds]
13:21 -!- master_of_master [~master_of@p4FF24EDE.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
13:44 -!- master_of_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has joined #openvpn
13:45 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
13:57 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
14:45 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
14:49 -!- lj [~l@192.241.174.169] has joined #openvpn
14:52 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
14:57 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Ping timeout: 265 seconds]
15:17 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
15:20 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
15:22 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:24 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:24 -!- heraclitus__ [~heraclitu@108.59.11.225] has joined #openvpn
15:24 -!- heraclitus__ [~heraclitu@108.59.11.225] has quit [Remote host closed the connection]
15:24 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
15:24 -!- heraclitus__ [~heraclitu@vpnus.planetcrypto.com] has joined #openvpn
15:26 -!- HD|Laptop [~marco_lda@wikipedia/harddisk] has quit [Ping timeout: 252 seconds]
15:26 -!- HD|Lapto1 [~marco_lda@stella.vm-dg.de] has joined #openvpn
15:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
15:27 -!- EmLeX_ [~emx@37.46.193.2] has quit [Ping timeout: 252 seconds]
15:27 -!- Fusl- [~Fusl@i.am.going.to.sigqu.it] has joined #openvpn
15:27 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
15:28 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
15:28 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 252 seconds]
15:28 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
15:28 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
15:28 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:29 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
15:29 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Ping timeout: 252 seconds]
15:29 -!- Hes [D4kV9@tunkki.fi] has quit [Ping timeout: 252 seconds]
15:29 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
15:29 -!- Hes [wXbMkQQW@tunkki.fi] has joined #openvpn
15:29 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 252 seconds]
15:29 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
15:31 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
15:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
15:31 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
15:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
15:31 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
15:32 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 252 seconds]
15:32 -!- psycheye [~psycheye@93.49.16.11] has quit [Quit: changing servers]
15:32 -!- psycheye [~psycheye@93.49.16.11] has joined #openvpn
15:32 -!- kisom [~kisom@kisom.thr.kth.se] has quit [Ping timeout: 252 seconds]
15:33 -!- kisom [~kisom@kisom.thr.kth.se] has joined #openvpn
15:34 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
15:35 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
15:36 -!- Fusl- [~Fusl@i.am.going.to.sigqu.it] has quit [Changing host]
15:36 -!- Fusl- [~Fusl@unaffiliated/fusl] has joined #openvpn
15:37 -!- Fusl- is now known as Fusl
15:44 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:49 -!- viperZ28 [uid11066@gateway/web/irccloud.com/x-wdjsrtsbhpuiccwo] has joined #openvpn
15:50 < viperZ28> what causes the error "write to TUN/TAP : Input/output error (code=5)"
15:51 < viperZ28> I am getting this error on both tunnelblick and synology
15:52 < viperZ28> I have tried every tip that I could find from a Google search and nothing seems to work
15:53 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:53 -!- Guest34087 [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
15:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
15:53 -!- master_of_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
15:53 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mnyaybvrjshnjxuf] has quit [Ping timeout: 240 seconds]
15:53 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 240 seconds]
15:53 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 240 seconds]
15:53 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
15:53 -!- master_of_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has joined #openvpn
15:53 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
15:53 -!- roentgen_ [~irc@openvpn/community/support/roentgen] has joined #openvpn
15:53 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-lwqeexcwcvttcofg] has joined #openvpn
15:53 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
15:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
15:53 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
15:54 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
15:55 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
15:58 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
16:02 < Suterusu> Tunnelblick 3.2beta10 or later ?
16:04 -!- Hes_ [wel0ji4t@tunkki.fi] has joined #openvpn
16:04 -!- HectorBarbossa_ [uid7850@gateway/web/irccloud.com/x-jcotxjdtgpvxffel] has joined #openvpn
16:04 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
16:07 -!- dazo is now known as dazo_afk
16:08 -!- Netsplit *.net <-> *.split quits: manitu, psycheye, master_of_master, lj, kossy, HD|Lapto1, sunwind`, Hes, Eagleman, pekster,  (+4 more, use /NETSPLIT to show all of them)
16:08 -!- HectorBarbossa_ is now known as HectorBarbossa
16:08 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
16:09 < viperZ28> Tunnelblick 3.4beta20 (build 3727)
16:11 -!- Netsplit over, joins: manitu
16:11 -!- Netsplit over, joins: lj
16:11 -!- HD|Laptop [~marco_lda@89.238.66.122] has joined #openvpn
16:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:12 -!- Netsplit over, joins: Eagleman
16:12 -!- EmLeX [~emx@37.46.193.2] has joined #openvpn
16:12 -!- Netsplit over, joins: kossy
16:12 -!- Guest34087 [~Sembei@unaffiliated/sembei] has joined #openvpn
16:13 -!- Guest34087 is now known as Sembei
16:13 -!- kossy [a@kossy.org] has quit [Max SendQ exceeded]
16:13 -!- EmLeX [~emx@37.46.193.2] has quit [Changing host]
16:13 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
16:13 -!- Netsplit over, joins: master_of_master
16:14 -!- Netsplit over, joins: WinstonSmith
16:14 < Suterusu> over TUN?  if so,  accord to  https://code.google.com/p/tunnelblick/wiki/cCommonProblems "Although a few such messages are normal, if they continue to be  displayed for more than a few seconds and the connection is never  established, try to connect using "Set nameserver (alternate 1)" in  Tunnelblick 3.2beta10 or later. "
16:14 <@vpnHelper> Title: cCommonProblems - tunnelblick - Common Problems - OpenVPN GUI for Mac OS X - Google Project Hosting (at code.google.com)
16:15 < Suterusu> other than that, seems most things I can see  with that appears problematic around DCHP and or DNS
16:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:18 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
16:19 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
16:19 -!- kossy [a@kossy.org] has joined #openvpn
16:20 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
16:20 -!- heraclitus__ is now known as heraclitus
16:20 -!- heraclitus [~heraclitu@vpnus.planetcrypto.com] has quit [Changing host]
16:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:23 < viperZ28> Suterusu: I have tried that and every other option
16:24 < viperZ28> vpnHelper: yes, I have tried that serveral times
16:24 < Suterusu> lol, bot spitting synopsis for link
16:24 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
16:25 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
16:25 < Suterusu> So I'm warm as to the direction of problem? able to look in logs on t'other end?
16:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:28 -!- mode/#openvpn [+v s7r] by ChanServ
16:34 -!- lj1 [~l@192.241.174.169] has joined #openvpn
16:37 -!- lj1 [~l@192.241.174.169] has quit [Client Quit]
16:38 -!- HD|Lapto1 [~marco_lda@stella.vm-dg.de] has joined #openvpn
16:42 -!- joshh20-Away is now known as joshh20
16:43 -!- EmLeX_ [~emx@37.46.193.2] has joined #openvpn
16:45 -!- d1z [~djz@gateway/tor-sasl/grullizzle] has joined #openvpn
16:45 < d1z> how can I configure openvpn client side to not set the vpn as the default gateway?
16:46 -!- HD|Laptop [~marco_lda@89.238.66.122] has quit [Ping timeout: 240 seconds]
16:46 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
16:46 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
16:46 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 240 seconds]
16:46 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has quit [Ping timeout: 240 seconds]
16:46 -!- master_of_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
16:46 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has joined #openvpn
16:52 -!- pekster_ is now known as pekster
16:52 -!- master_of_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has joined #openvpn
16:52 -!- kossy [a@kossy.org] has joined #openvpn
16:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:59 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:08 < pppingme> d1z do you control the server?
17:09 < d1z> pppingme, yes
17:09 < pppingme> simple answer then is don't push them
17:10 < pppingme> if for some reason that isn't workable, look at the "route-nopull" option on the client
17:11 < d1z> I'm not pushing any routes to clients, but I do have these 2 directives on the server.conf
17:11 < d1z> push		"dhcp-option DNS 8.8.8.8"
17:11 < d1z> push		"dhcp-option DNS 8.8.4.4"
17:12 < d1z> is there a possibility that the default gateway is being set up by some configuration client-side?
17:12 < d1z> I connected to the vpn via a connection manager applet that comes integrated in my debian crunchbang installation
17:13 < d1z> but in the profile of the connection there's nothing mentioning setting the vpn as the default gateway
17:14 < pppingme> is there an option about "use only local resources" or "use only resources on the network" or anything along those lines?
17:14 < d1z> I'm going to look for the file that this network manager created for the vpn connection profile
17:14 < d1z> let me check
17:16 < d1z> found it! thanks
17:17 < d1z> pppingme, so that option in the gui manager would basically set that 'route-nopull' directive you mention?
17:18 < d1z> 'Use this connection only for resources on its network'
17:18 < d1z> that's the option I ticked, but there's also this one
17:18 < pppingme> I duno what the gui manager is doing for sure, but its probably doing that, or removing the route or something at some level..
17:18 < d1z> 'Ignore automatically obtained routes'
17:18 < d1z> I think that's the one that sets the 'route-nopull'
17:19 < d1z> I mean it sounds like it
17:19 < d1z> anyway thanks
17:23 < d1z> /etc/NetworkManager/system-connections
17:24 < d1z> network manager stores its profiles there, the profile for my vpn connection has a [vpn] section with openvpn directives
17:24 -!- roentgen_ [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 264 seconds]
17:24 < d1z> it also has a [ipv4] section with these three non openvpn directives
17:24 < d1z> method=auto
17:24 < d1z> ignore-auto-dns=true
17:24 < d1z> never-default=true
17:25 < d1z> never-default=true sounds like it
17:26 < pekster> None of those are openvpn-specific
17:26 < pekster> You should consult the docs for this frontend you're using
17:27 < pekster> Hopefully they've documented it somewhere. If not, hopefully it's open source and you can find out (and maybe consider documenting it for the next person on the project wiki)
17:27 < d1z> as I said, those are non openvpn directives
17:27 < pekster> Ah, right (missed that.) Maybe someone here happens to know, but most of the regulars are happy to ignore the unofficial frontends. Most (nearly all) of them fall short
17:27 < d1z> ticking the "Ignore automatically obtained routes" didn't set "route-nopull" on the [vpn] section
17:28 <@krzee> !netman
17:28 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
17:28 <@krzee> !ubuntu
17:28 <@vpnHelper> "ubuntu" is dont use network manager!
17:28 <@krzee> :D
17:28 < d1z> but it did set ignore-auto-routes=true in the [ipv4] section
17:28 < pekster> RIght, no clue what that means/does either
17:28 <@krzee> btw, hello from hongkong
17:28 < d1z> yes these are directives for network manager rather
17:29 < d1z> I was just engaged in my detective work and went verbose at it
17:32  * d1z is madness!!!
17:37 -!- iceTwy [~iceTwy@gateway/tor-sasl/icetwy] has joined #openvpn
17:37 -!- master_o1_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has joined #openvpn
17:40 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:43 -!- master_of_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
17:43 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
17:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
17:44 -!- kossy [a@kossy.org] has joined #openvpn
17:47 -!- Devastator [~devas@177.18.199.12] has joined #openvpn
17:48 -!- Devastator [~devas@177.18.199.12] has quit [Changing host]
17:48 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
17:49 -!- klein [~klein@187.85.180.100] has joined #openvpn
17:49 -!- klein [~klein@187.85.180.100] has quit [Changing host]
17:49 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:51 < iceTwy> !paste
17:51 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
17:52 < iceTwy> Hey there. I've just set up OpenVPN on my server, and I'm trying to use it on my PC.
17:53 < iceTwy> The only issue I'm running into is that, although I can connect just fine to my VPN, everything hangs if I try to connect.
17:54 < iceTwy> i.e. ping won't return anything and indicate a packet loss of 100%; I can't browse either, because Chromium & Firefox fail to connet and eventually timeout.
17:58 < iceTwy> Server config: https://iceb.in/paste/TK50q-+U#nt2+hmCpNkFp9r9cMD+xa8BWdetKsQ8CFJPPqps0wcA=
18:00 < iceTwy> Client config: https://iceb.in/paste/W9R-x-KJ#dum+xA1C0QrVoxbXm5UagZSIOO5LftQ5e1jZdUub04Y=
18:03 -!- justaguy [~quassel@unaffiliated/justaguy] has joined #openvpn
18:03 < iceTwy> I believe the configs are fine. The error, I think, comes from iptables, which refuses to restore the following config file: https://iceb.in/paste/Aghxdpy5#WrNB78UoCcH8JESflq8MoxucRDT3nFUqXaZVDRhU81o=
18:05 < d1z> what os/distro?
18:06 < iceTwy> Debian Wheezy
18:06 < iceTwy> I installed OpenVPN from the official Debian repo.
18:07 < iceTwy> I've asked #Netfilter for my iptables config - I'm pretty sure that the problem comes from that
18:08 < d1z> it is an iptables issue but I'm not myself an iptables savvy mofo so that config file really scared me away
18:08 < d1z> let me give you the iptables rules that worked for me
18:12 < d1z> http://paste.debian.net/84682/
18:12 < d1z> had to edit the server and port just for you so... you're welcome
18:13 < d1z> jk, hope it works
18:15 < iceTwy> :P
18:16 -!- dls [~dls@gateway/tor-sasl/dls] has joined #openvpn
18:16 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
18:19 < iceTwy> Right, think I found my mistake. If it's that, then I'm just silly
18:21 < iceTwy> ..
18:21  * iceTwy facepalms
18:22 < iceTwy> nope.jpg
18:28 -!- iceTwy_ [~iceTwy@gateway/tor-sasl/icetwy] has joined #openvpn
18:28 < iceTwy_> d1z: you, absolutely, are the man
18:28 < iceTwy_> no more YouTube throttling
18:28 < iceTwy_> zomfg
18:28 -!- iceTwy [~iceTwy@gateway/tor-sasl/icetwy] has quit [Ping timeout: 240 seconds]
18:33 -!- iceTwy_ is now known as iceTwy
18:36  * d1z is madness!!!
18:37 < iceTwy> hah
18:41 -!- iceTwy [~iceTwy@gateway/tor-sasl/icetwy] has quit [Ping timeout: 240 seconds]
19:14 -!- Fusl is now known as fusl
19:19 -!- p3rror [~mezgani@196.201.78.139] has quit [Quit: Leaving]
19:32 -!- kloeri_ is now known as kloeri
19:32 < justaguy> without vpn: http://www.speedtest.net/result/3339587882.png , with vpn: http://www.speedtest.net/result/3339590524.png
19:32 < justaguy> NOT BAD
19:39 -!- dls [~dls@gateway/tor-sasl/dls] has quit [Quit: dls]
19:44 -!- u0m3__ is now known as u0m3
20:01 -!- justaguy [~quassel@unaffiliated/justaguy] has quit [Quit: OMG JUSTAGUY QUITS]
20:10 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
20:59 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
21:00 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
21:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-jcotxjdtgpvxffel] has quit [Quit: Connection closed for inactivity]
21:12 -!- ikla [~lbz@c-71-237-62-220.hsd1.co.comcast.net] has left #openvpn []
21:14 < GeekFreak> I am going to BATTLE!
21:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
22:30 -!- joshh20 is now known as joshh20-Away
22:57 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 244 seconds]
23:02 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
23:35 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
23:36 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
23:39 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 264 seconds]
23:42 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
--- Day changed Sat Mar 01 2014
00:08 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 245 seconds]
--- Log opened Sat Mar 01 08:13:21 2014
08:13 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
08:13 -!- Irssi: #openvpn: Total of 217 nicks [6 ops, 0 halfops, 3 voices, 208 normal]
08:13 -!- mode/#openvpn [+o ecrist] by ChanServ
08:13 -!- Irssi: Join to #openvpn was synced in 26 secs
08:13 < peetaur> pekster: I only want to forward some traffic, not all. And it's just client+server, not many clients.
08:14 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
08:14 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:15 < pekster> There is no "client" or "server" in static-key
08:15 < pekster> You've completely missed the point that there are NO clients, thus you CAN NOT route "between" clients
08:15 < pekster> There aren't any
08:16 < pekster> That option is meaningless in statickey. Period.
08:20 -!- peetaur is now known as Guest51412
08:20 -!- Guest51412 [~peter@x2f1669e.dyn.telefonica.de] has quit [Killed (dickson.freenode.net (Nickname regained by services))]
08:20 -!- peetaur [~peter@x2f1669e.dyn.telefonica.de] has joined #openvpn
08:20 < peetaur> pekster: There is obviously a client and server. "Copy the static key to both client and server" https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
08:20 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
08:20 < pekster> Not from openvpn's perspective
08:21 < pekster> The notion of "server" and "client" is _strictly_ for who initiates the connection (L3/L4 concept)
08:21 < pekster> You do not have "multiple" clients
08:21 < peetaur> I never said I do.
08:21 < pekster> THus you can't route in-process between them
08:21 < pekster> No, you cannot have them in static key
08:22 < peetaur> But for some reason, packets routed to the client are dropped.
08:22 < peetaur> with tun... but tap worked fine.
08:22 < pekster> THe FFS, say that, not ask to use --client-to-client
08:22 < pekster> !xy
08:22 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
08:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hxtcpojjmsvcpiji] has quit [Quit: Connection closed for inactivity]
08:23 < pekster> You'll probably need some !configs and likely !logs somewhere
08:24 < peetaur> looked everywhere... set verb to 9 and it says huge amount of stuff, but not a peep during the failed ping test.
08:24 < pekster> !crystal
08:24 <@vpnHelper> "crystal" is Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome.
08:25 < peetaur> tcpdump -i eth0 shows ping request out, and reply back, but reply never gets to the pingger
08:25 < pekster> !new
08:25 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
08:25 < peetaur> your communication style is useless.
08:25 < pekster> Yea, I lost interest. You seem happy to do everything except what I asked for, so presumably you know what your problem is and where to look
08:25 < peetaur> I'll wait for someone else.
08:25 < peetaur> And don't need to anyway, because it works fine with tap.
08:25 < pekster> You haven't even read what I asked for
08:25 < pekster> And don't use tap
08:26 < peetaur> tap works. tun does not. Why the hell would I want to use tun?
08:26 < pekster> Read: !tunortap, or act all put off and angry and not read it
08:26 < pekster> I don't really care
08:35 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
08:35 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:37 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
08:48 -!- datadl [~Adium@ADijon-654-1-271-192.w92-148.abo.wanadoo.fr] has joined #openvpn
08:48 -!- novaflash_away is now known as novaflash
08:48 < datadl> Hello, I have a question. Is it possible to set the IP adresse on client side instead of using CCD. I would like to use the duplicate-cn option and have static ip adresses for different hosts using the same certificate.
08:49 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
08:49 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
08:49 -!- mode/#openvpn [+o novaflash] by ChanServ
08:50 < propheticsquiddy> hello all, novaflash
08:50 <@novaflash> propheticsquiddy!
08:50 < propheticsquiddy> yes, exactly!
08:51 < propheticsquiddy> what's new
08:51 < pekster>  datadl, nope. You can, but in a multi-client setup the server still needs to push the IP or the IP-level protection won't allow packets from that client
08:51 < pekster> So really there's no point in doing it "both" places
08:51 < pekster> Maybe consider adding user-pass auth to your setup and use it to distinguish your "identical" client certs? Or just use per-client certs instead (that's far cleaner)
08:52 -!- dls [~dls@gateway/tor-sasl/dls] has joined #openvpn
08:52 < datadl> Thank you perkster. User-pass auth and ccd works together?
08:53 < datadl> Yes at start I had per-client certs, but in fact I am adding duo-security to vpn connection and I would be using more than the 10 free clients included in their free offer...
08:53 < datadl> *pekster sorry
08:53 < datadl> :)
09:04 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
09:04 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
09:07 -!- joshh20-Away is now known as joshh20
09:07 < datadl> So just needed to add username-as-common-name in the server.conf
09:07 < datadl> thank you so much pekster, you saved my day!
09:10 -!- peetaur [~peter@x2f1669e.dyn.telefonica.de] has quit [Quit: Konversation terminated!]
09:25 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yujffzbivmtsumql] has joined #openvpn
09:47 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
09:48 -!- joshh20 is now known as joshh20-Away
09:52 < _FBi> Q:  I built all the files offline.  Do I leave the server.key on the server?
09:53 < pekster> Yup,
09:53 < pekster> !pki
09:53 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
09:53 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
09:53 < pekster> Some background for you on how pki works can be read at:
09:53 < pekster> !intro-to-pki
09:53 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
09:54 -!- datadl [~Adium@ADijon-654-1-271-192.w92-148.abo.wanadoo.fr] has left #openvpn []
09:54 < pekster> Ideally you generate private keys on the systems that use them and never send/transport them anywhere, but some people choose not to do that for a convenience/security tradeoff. If security of PKI is a concern, you might want to read: !hardening
09:56 < _FBi> thanks pekster
09:59 < _FBi> just got this off the website: Duplicate entry '0lpf3fcbial0ohjtivtpfhd6c5' for key 'PRIMARY' SQL=INSERT INTO `jos_session` (`session_id`, `client_id`, `time`) VALUES ('0lpf3fcbial0ohjtivtpfhd6c5', 0, '1393688134')
10:23 < _FBi> !tun
10:23 < _FBi> !tap
10:23 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
10:23 <@vpnHelper> the protocol uses MAC addresses instead of IP addresses.
10:27 < _FBi> Sat Mar  1 16:26:26 2014 us=808188 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
10:31 -!- dls [~dls@gateway/tor-sasl/dls] has quit [Quit: dls]
10:41 -!- loompek [~noname@unaffiliated/loompek] has joined #openvpn
10:41 < loompek> mornin, smee again
10:42 < pekster> _FBi: missing kernel support, or your kernel doesn't create the device node properly when the kernel support is loaded
10:42 < pekster> Read your platform docs for getting the tun driver/device properly loaded
10:43 -!- Fusl is now known as fusl
10:46 < loompek> so guys.. i'm planning on setting up a l3 vpn server and i have to establish connections with multiple clients and the clients themselves shouldn't be able to connect to each other. would "iptables -I FORWARD -i tun+ -o tun+ -j DROP" work?
10:50 < pekster> Something like that, sure. Good firewall practices have you dropping forwarded and locally-bound traffic anyway, in which case you simply don't accept it
10:50 < pekster> Note that you do not want to use --client-to-client as that defeats the whole purpose of a firewall
10:51 < pekster> #Netfilter can help more with firewall-specific tasks under Linux
10:52 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
10:52 < loompek> pekster so every client gets it's own "tun" device on a server
10:52 < pekster> No
10:52 < pekster> Every local instance does
10:52 < pekster> (openvpn instance, _not_ client instance)
10:53 < pekster> WHat platform are you on? Linux?
10:53 < loompek> indeed
10:53 < loompek> running openvpn 2.3.2
10:53 < pekster> tun module operation is described in the kernel source at ~linux/Documentation/networking/tuntap.txt
10:54 < pekster> You probably need to review that and set your kernel support (and if your userland sucks, the device node too) correctly
10:54 < pekster> ie: major/minor 10 200. Read the docs for specifics if you need to baby your selected distro along. Modern distros just work when you have proper support built
10:55 < loompek> pekster running it on centpos 6 x64... already has tun device with 10/200
10:56 < loompek> s/centos/centpos/
10:56 < loompek> err
10:56 < pekster> Then you above error makes no sense. Maybe you've misconfigured SELinux or have a permission problem
10:56 < loompek> s/centpos/centos/
10:56 < loompek> selinux is permissive
10:57 < pekster> Oh, I'm mixing you up with the one that reported tun/tap device issues
10:57 < pekster> So, if your setup is working and you just want to firewall, sure, go that
10:57 < pekster> go with*
10:58 < pekster> If you are using devices in your firewall rules, consider explicitly named devices, like `--dev tun_shortName` or something. openvpn will otherwise dynamically create them with integer-suffixes
10:59 < pekster> Unless you don't care (then tun+ works fine)
10:59 < loompek> can i check if there are active clients connected to ovpn?
11:00 < pekster> Read about --status or maybe --management in the manpage
11:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
11:02 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:08 < loompek> pekster i already have openvpn-status.log in /var/log... the darnest thing is i don't know a particular client's ip. also.. why does each and every client obtain an ip address in /30 instead of /32, which is more or less standard for ptp links
11:10 < pekster> Becuase you're using the old-and-busted net30 topology. More info at the wiki:
11:10 < pekster> !topology
11:10 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
11:18 < loompek> awsome.. checking it out tight now
11:18 < loompek> right... what's wrong with this keyboard :S
11:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
11:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
11:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yujffzbivmtsumql] has quit [Quit: Connection closed for inactivity]
11:43 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:00 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xmjgskuonemkgnhc] has joined #openvpn
12:01 -!- sudormf [~ali@one.music-blaster.com] has joined #openvpn
12:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
12:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:07 -!- dls [~dls@gateway/tor-sasl/dls] has joined #openvpn
12:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
12:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:24 -!- mikemol [~mikemol@2001:470:c5b9:beef:6d81:2aa1:f10f:6d38] has joined #openvpn
12:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:39 -!- kossy [a@kossy.org] has quit [Changing host]
12:39 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
12:41 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
12:46 -!- pdobrogost [~quassel@77-255-249-92.adsl.inetia.pl] has joined #openvpn
12:46 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 246 seconds]
12:55 -!- Protected [Join@from.myshelter.net] has joined #openvpn
12:56 < Protected> Hey there. I was wondering what I should push to a client to tell it to NOT route internet traffic through the vpn?
12:56 < Protected> A linux client
12:58 -!- joshh20-Away is now known as joshh20
13:01 < pekster> That's not the default behavior; you simply don't do anything special and that never happens
13:01 < pekster> (though the client could still do it anyway, but that's nothing the server has control over)
13:01 < pekster> Read: !redirect for how to enable that behavior if you're unclear on why/how that happens
13:03 < Protected> redirect-gateway is being passed
13:03 < Protected> If I remove that, will people still be able to access the vpn subnet?
13:05 < pekster> Maybe. net30 requires that you push "the rest" of the VPN subnet. net30 is useless anyway, so read the !topology wiki to avoid it if you are
13:06 < sudormf> If you leave redirect-gateway disabled in server.conf, that shouldn't route traffic through vpn
13:06 < Protected> Not even vpn traffic?
13:06 < Protected> !topology
13:06 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
13:08 < sudormf> i have my vpn running, but it still seems to be fetching my dns from my local isp rather than the vpn. as a result sites which are blocked for me locally remain blocked. i'm on linux
13:08 < sudormf> any ideas how i can force it to get my dns from vpn?
13:09 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
13:10 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:11 < Protected> push "dhcp-option DNS 8.8.8.8" ?
13:11 < sudormf> i'm doing that already
13:11 < sudormf> that's only for windows i believe
13:11 < Protected> It worked for my linux users
13:12 < sudormf> for linux i've heard that some up/down script needs to be written for dns
13:12 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 244 seconds]
13:12 < sudormf> not working for me..
13:12 < Protected> If you check locally, your DNS servers are definitely not set to the ones you remotely pushed?
13:13 < sudormf> how would i check that?
13:13 < pekster> !pushdns
13:13 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
13:13 < pekster> Only Windows "magically works" (and only when the magic actually works)
13:14 < Protected> I'm not sure; Maybe in resolv.conf?
13:14 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
13:14 < sudormf> resolv.conf does show my isp's dns
13:14 < sudormf> it hasn't changed there
13:14 < pekster> Right; it's _your_ job to write code to manage that
13:14 < sudormf> with an up/down script?
13:14 < pekster> Optionally, leverage the 'resolvconf' or 'dnsmasq' packages to do that
13:14 < Protected> Maybe you should just change the dns server in resolv.conf
13:15 < pekster> Mind that setting googleDNS doesn't send it over your VPN unless the address is also routed across
13:15 < sudormf> i'm using resolvconf currently.
13:15 -!- mnathani [~mnathani@umbozero.winvive.com] has quit [Ping timeout: 264 seconds]
13:15 < sudormf> what do i need to with it?
13:16 < pekster> Integrate with it
13:17 < sudormf> how specifically?
13:17 < pekster> Re-read !pushdns, becuase it's explained (and you missed it)
13:17 < pekster> I don't give you all these !things for my benefit
13:17 < sudormf> i see
13:18 -!- pdobrogost [~quassel@77-255-249-92.adsl.inetia.pl] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
13:18 -!- master_of_master [~master_of@p4FD7B41B.dip0.t-ipconnect.de] has joined #openvpn
13:18 < sudormf> " Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage " which man page?
13:18 < pekster> !man
13:18 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:18 < sudormf> i know what a man page is dude
13:18 < sudormf> i'm asking WHICH man page?
13:19 < pekster> openvpn(8)
13:19 < sudormf> ty
13:19 < Protected> They're also online, as in https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
13:19 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
13:20 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
13:20 < Protected> The extra colors help my poor windows-corrupted brain
13:21 < pekster> I've taken a liking to Markdown; github introduced me to it as a serious option, and there are plenty of ways to convert it to HTML/PDF/whatever if so-desired
13:21 -!- master_o1_master [~master_of@p4FF24B7F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
13:21 < sudormf> the man page doesn't seem to describe what an up script is
13:21 < sudormf> or how i can write one / where to put it
13:21 < pekster> !scripts
13:21 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
13:21 < sudormf> I know what a script is, too.
13:22 < sudormf> But I don't know what an UP script is
13:22 < pekster> THEN READ THE REFERENCE I JUST GAVE YOU
13:22 < pekster> HOnestly
13:22 < pekster> !read
13:22 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
13:22 < sudormf> sorry
13:22 < sudormf> Lol
13:23 < Protected> I wonder why my linux users bitched about their dns servers being overridden with google's if the push isn't supposed to work for them
13:23 < Protected> I didn't really make any scripts
13:23 < Protected> Which is fine, because I don't want to mess with their dns in the first place
13:23 < Protected> Maybe they messed up on their own
13:24 < sudormf> i might be a special case somehow because my isp is blocking certain sites
13:24 < sudormf> or may be different distros handle it differently
13:24 < sudormf> so, i'm still not seeing (1) Where do I need to put this up script, (2) What do I need to put in it to make the dns change work
13:25 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 264 seconds]
13:26 < pekster> Protected: Windows doesn't require scripts (scroll up for !pushdns on that point.) Windows uses the "faked" DHCP reply to spit that info to the OS. Unixes don't do faked DHCP
13:27 < pekster> sudormf, did you see the "INSTALL NOTES" part of those scripts?
13:27 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
13:27 < pekster> ~openvpn_src_root/contrib/pull-resolv-conf/client.*
13:27 < pekster> Should be plainly clear
13:27 < Protected> I understand, but they are not on windows
13:27 < sudormf> i'll check that, thanks.
13:28 < Protected> It doesn't matter anyway, they fixed it
13:28 < sudormf> by the way, i just changed my dns manually, and now, the sites which were blocked are loading just fine.
13:28 < sudormf> so it seems that i need to write a script which will go in and manually change my dns as soon as i connect to vpn, and then change the dns back when i disconnect
13:28 < pekster> Right. The scripts are for automatic integration (openvpn just sets the env-var: you have to do something with it if you care)
13:29 -!- mikemol [~mikemol@2001:470:c5b9:beef:6d81:2aa1:f10f:6d38] has quit [Remote host closed the connection]
13:29 < Protected> More importantly, I seem to be unable to push a 0.0.0.0 rule to a guy running arch linux. Any idea why?
13:29 < Protected> If I push 0.0.0.0/1 and 128.0.0.0/1 the second one goes through, but not the first one
13:29 < pekster> Don't use 0/0. !def1 for why
13:29 < pekster> Nope; go debug on that box
13:29 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
13:29 < sudormf> Will the up/down scripts change dns when i connect to vpn, then revert changes when i disconnect?
13:29 < Protected> Nope? :P
13:30 < Protected> Probably some security feature
13:30 < sudormf> Are you answering me?
13:30 < pekster> Crystal ball says "lots of shit could be broken: your job is to find out what/why"
13:30 < Protected> Sorry, I wasn't, sudormf
13:30 < sudormf> oh
13:30 < Protected> I have no knowledge about that, so I can't be of any further help
13:33 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:35 -!- sudormf [~ali@one.music-blaster.com] has quit [Ping timeout: 264 seconds]
13:38 -!- fusl is now known as Fusl
13:39 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
13:44 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
13:48 < Protected> Now guy has the network interface, the rules in the routing table, openvpn running, no firewall, yet he can't see anything in the vpn. Any ideas on that?
13:48 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
13:48 -!- sudormf [~ali@one.music-blaster.com] has joined #openvpn
13:55 -!- sudormf [~ali@one.music-blaster.com] has quit [Ping timeout: 264 seconds]
14:01 -!- dls [~dls@gateway/tor-sasl/dls] has quit [Write error: Connection reset by peer]
14:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
14:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
14:01 -!- d1z [~djz@gateway/tor-sasl/grullizzle] has quit [Write error: Broken pipe]
14:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:02 -!- mode/#openvpn [+v s7r] by ChanServ
14:08 -!- Protected [Join@from.myshelter.net] has quit [Disconnected by services]
14:08 -!- sudormf [~ali@ec2-54-81-64-43.compute-1.amazonaws.com] has joined #openvpn
14:21 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
14:26 -!- Eagleman [~Eagleman@546BBFCD.cm-12-4c.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
14:35 -!- joshh20 is now known as joshh20-Away
15:04 -!- Protected [Join@from.myshelter.net] has joined #openvpn
15:05 < Protected> Another issue! Ever since you guys told me to remove client-to-client, apparently intra-vpn traffic hasn't been routed correctly. Any pointers on what kind of firewall rule I should add (or remove)?
15:05 < Protected> (client-to-client was removed because it was sending traffic around the firewall)
15:06 -!- sudormf [~ali@ec2-54-81-64-43.compute-1.amazonaws.com] has left #openvpn ["Leaving"]
15:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:07 < pekster> Push routes you need, very simple
15:08 < pekster> If it's traffic from 1 client to a client on the same VPN instance you want, that "Just Works" with subnet topology. GO read !topolgoy if you haven't (I suggested it earlier)
15:08 < pekster> The rest is just firewalling
15:09 -!- mikemol [~mikemol@2001:470:c5b9:beef:3510:6842:d285:b59a] has joined #openvpn
15:10 < Protected> subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode
15:10 < Protected> I use dev tap
15:10 < Protected> I'm pretty sure when I first set this up this instruction wasn't available yet
15:11 < Protected> but yeah... I have dev tap and the clients have the correct routes in the routing table (sending traffic in the vpn subnet to the server running openvpn) but the packets they send to each other do not reach their destination
15:11 < Protected> I know it should just work, it did in my previous server
15:12 -!- mnathani [~mnathani@umbozero.winvive.com] has joined #openvpn
15:21 < pekster> Don't use tap unless you need it (and know why)
15:21 < pekster> !tunortap
15:21 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
15:21 <@vpnHelper> rooted/jailbroken) support only tun
15:22 < pekster> This said, tap is inherently a "subnet" -- if you can't reach on-link L2 destinations, you've done something fundamentally wrong
15:27 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:29 -!- grass7boy [~chatzilla@114-34-136-131.HINET-IP.hinet.net] has joined #openvpn
15:29 < grass7boy> hello everybody
15:29 < grass7boy> i've tried to dial a VPN through the interface ppp0
15:30 < grass7boy> however, i have another usb wifi (interface: wlan0)
15:30 < grass7boy> can i configure my vpn setting to set it connect through wlan0 ?
15:30 < pekster> set what to connect?
15:31 < pekster> Sounds to me like you need to set your local routing to do what you want
15:32 < grass7boy> connect a vpn
15:32 < pekster> grass7boy: This said, maybe read about --local in the manpage
15:32 < pekster> Right. FIx your routing table
15:32 < grass7boy> i would like connect the vpn by my wify
15:32 < grass7boy> wifi
15:32 < pekster> If you want to route to 203.0.113.17 via some device (devExample) then set _YOUR_ routing to do that
15:33 < pekster> ip route add 203.0.113.17/32 dev devExample
15:33 < pekster> Or whatever
15:33 < pekster> read ip(8) for details
15:33 < pekster> This has basically nothing to do with openvpn and all to do with local OS routing
15:34 < grass7boy> got it!! i'll try
15:37 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
15:44 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-alzxasgplkoyuqhp] has quit [Quit: Connection closed for inactivity]
15:45 -!- Fusl is now known as fusl
15:45 -!- fusl is now known as Fusl
15:47 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:59 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
16:00 -!- Hes_ is now known as Hes
16:01 -!- grass7boy [~chatzilla@114-34-136-131.HINET-IP.hinet.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
16:06 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:46 -!- Fusl is now known as fusl
16:48 <@krzee> hello from philippines
16:50 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-mixfeitnxrszanev] has joined #openvpn
16:51 -!- fusl is now known as Fusl
16:52 < pekster> Spending some ₱ ?
16:52 <@krzee> ya but everything is super cheap here
16:52 < GeekFreak> Hey Krzee
16:53 <@krzee> werd
16:54 < GeekFreak> werd to your mother
16:54 <@krzee> im pleasently surprised that my secure phones work well from the hotels here
16:55 <@krzee> very low jitter, nice and clear conversation
16:55 < GeekFreak> how about the midget porn streaming ?
16:56 < pekster> Don't need low-jitter/std-deviation for that ;)
16:56 < GeekFreak> lol pekster
16:56 <@krzee> haha
16:56 < GeekFreak> i need some redbull
16:57 -!- Fusl is now known as fusl
16:58 < GeekFreak> krzee do you know how i can revert changes to web gui from cli
16:58 < GeekFreak> is it the same as reverting directives back ?
16:58 <@krzee> web gui?
16:58 < GeekFreak> yes on the AS
16:58 <@krzee> !as
16:58 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
16:58 < GeekFreak> i was going to say nobody in there
16:58 < GeekFreak> but there is hehe
16:59 <@krzee> yep, they help people for a job in there
16:59 < GeekFreak> when they feel like it lol
16:59 <@krzee> well, they do have hours
17:00 <@krzee> (like most jobs)(
17:00 < GeekFreak> eh
17:00 < GeekFreak> well you need to get india on the phone
17:03 < GeekFreak> Yup nobody there Wahhhh
17:04 <@krzee> that does not change the fact that is the only irc channel that supports AS
17:04 <@krzee> so just hang out in there and wait for it ;]
17:06 < GeekFreak> poo too you sir i bid you adieu
17:06 -!- GeekFreak [~GeekFreak@198.204.250.37] has left #openvpn []
17:06 -!- dls [~dls@gateway/tor-sasl/dls] has joined #openvpn
17:17 -!- fusl is now known as Fusl
17:18 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 264 seconds]
17:35 -!- HD|Lapto1 is now known as HD|Laptop
17:35 -!- HD|Laptop [~marco_lda@stella.vm-dg.de] has quit [Changing host]
17:35 -!- HD|Laptop [~marco_lda@wikipedia/harddisk] has joined #openvpn
17:42 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Operation timed out]
17:49 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
17:56 -!- joshh20-Away is now known as joshh20
17:57 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:59 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
18:02 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
18:04 -!- dls [~dls@gateway/tor-sasl/dls] has quit [Ping timeout: 240 seconds]
18:14 -!- fred`` [fred@earthli.ng] has joined #openvpn
18:24 -!- Denial [Denial@90.201.173.63] has quit [Ping timeout: 244 seconds]
18:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:04 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-mixfeitnxrszanev] has quit [Quit: Connection closed for inactivity]
19:07 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
19:11 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-ualespvlcldqimyr] has joined #openvpn
19:13 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
19:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:24 -!- dls [~dls@gateway/tor-sasl/dls] has joined #openvpn
19:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
19:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:31 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
20:03 -!- i7c is now known as ICHNIXFOXXX0
20:03 -!- ICHNIXFOXXX0 is now known as i7c
20:10 -!- GeekFreak [~GeekFreak@198.204.250.37] has joined #openvpn
20:10 < GeekFreak> Hello All
20:11 < AsadH> Hello GeekFreak
20:11 < AsadH> Fancy seeing you here..
20:12 < GeekFreak> haha
20:12 < GeekFreak> I am thinking of moving the community version
20:13 < AsadH> woah
20:13 -!- Fusl is now known as fusl
20:13 -!- fusl is now known as Fusl
20:14 < GeekFreak> its doing my head in
20:16 < GeekFreak> and i really dont care what version i use aslong as i can get it too work
20:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:24 -!- Fusl is now known as fusl
20:24 -!- fusl is now known as Fusl
20:24 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
20:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:27 < _FBi> ?
20:31 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
20:39 -!- Fusl is now known as knBrIs8g
20:39 -!- knBrIs8g is now known as Fusl
20:53 < GeekFreak> lol
20:53 < GeekFreak> anyone ever had issues of banning a VPN user and disconnecting them and then have them reconnect straight away
20:57 -!- sudormf [~ali@ec2-54-81-64-43.compute-1.amazonaws.com] has joined #openvpn
20:57 -!- sudormf [~ali@ec2-54-81-64-43.compute-1.amazonaws.com] has left #openvpn ["Leaving"]
20:59 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
21:00 < _FBi> do they have your signing key? lol
21:00 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
21:01 < _FBi> wb pekster
21:01 <@krzee> GeekFreak, you still talking about AS?
21:01 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
21:01 < GeekFreak> krzee quit busting my balls
21:01 <@krzee> if so, please know that AS is off-topic for here, we only support opensource openvpn here.
21:01 < GeekFreak> :P
21:02 <@krzee> !notovpn
21:02 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
21:02 <@krzee> see #3
21:02 <@krzee> err, #2
21:02 < GeekFreak> Well can i ask you a question of which would be best suited for my Scenario
21:02 <@krzee> not if it is about AS
21:03 < GeekFreak> Well AS is just giving me headaches so i want to see if OpenVPN will be better suited for my scenario
21:03 <@krzee> it wont be quite "better" or "worse"
21:03 <@krzee> its just a matter of how much you have to learn
21:04 < GeekFreak> Well i am getting road blocks with AS with everything from Inactive to banning users and disconnecting them
21:04 < GeekFreak> so let me give you my scenario
21:05 <@krzee> go for it
21:05 < GeekFreak> I want to use OpenVPN as a remote support tool
21:05 <@krzee> i cant answer in regards to AS, but i can and will for gpl openvpn
21:06 < GeekFreak> My company has these QT embeded devices that only have openvpn and vnc already compiled
21:06 < GeekFreak> so basically i have made up a little web api that the user goes to and selects Start VPN
21:07 < GeekFreak> then is prompted with the IP address assigned from the VPN the Technician then asks for this IP from the Customer and then connects to the VPN and then uses VNC,FTP,SSH etc
21:07 < GeekFreak> now once they support call is finished the technician should select the other option STOP VPN
21:08 < GeekFreak> but i want to fool proof incase the Technician forgets to disconnect
21:08 < GeekFreak> the customers device
21:08 < pekster> So write your own scripts around it on the server-side?
21:08 < pekster> You can do all of this with open-source tools and some coding on your end for the "magic, foolproof" part you want
21:09 < pekster> It's a matter of where you put the effort in: do you do it in-house, do you contract with someone to do it for you, or do you try and find a commercial solution (AS or otherwise) that works "out of the box"
21:09 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
21:10 < GeekFreak> as i mentioned before all i have to work with are OpenVPN and VNC on these devices i can not compile or use any other software
21:10 < pekster> Server ≠ Client
21:11 < GeekFreak> now with AS i used directives such as inactive and tried kicking users off after banning them
21:11 < GeekFreak> both unsuccesful they just connect back up
21:11 < pekster> No clue. Go whine about that to people paid to care
21:11 < GeekFreak> now am i going to get the same problems with OpenVPN
21:11 < GeekFreak> pekster i was talking to krzee thanks :)
21:11 < pekster> Read about the management interface; short anser is "this works just fine"
21:12 < pekster> Fine, piss off then. I have better things to do than help someone who doesn't want help from anyone except one person.
21:12 <@krzee> i also dont care about anything related to AS
21:12 <@krzee> and trust me, you do want any help you can get from pekster
21:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
21:13 <@krzee> and his answer was the only possible answer
21:13 < GeekFreak> Well if you could understand my scenario you would see i dont give a shit wether is AS or OpenVPN
21:13 <@krzee> you can code up your own solutions or go with AS
21:14 <@krzee> !script
21:14 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
21:14 < GeekFreak> So there is no Inactive options with OpenVPN or Baning and Kicking of users
21:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:14 <@krzee> the management interface can be used to boot them, and there a a couple ways to "ban" them
21:15 < GeekFreak> and it works ?
21:15 <@krzee> easiest for your scenario is prolly a ccd entry with --disable
21:15 <@krzee> it prolly works in AS too, but you need to catch their support people
21:16 < GeekFreak> Another reason i didnt go with the community version is i wasnt sure if it was usable for commercial user
21:17 < GeekFreak> use*
21:17 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Remote host closed the connection]
21:17 <@krzee> or of course you could have a central database which your --client-connect script uses to know if the client can connect, among other things
21:17 <@krzee> really, you can do anything you want if you script it up
21:18 <@krzee> sure, you may use openvpn for commercial purposes all you want
21:18 <@krzee> (legally speaking)
21:19 < GeekFreak> Alright cheers
21:19 < GeekFreak> thanks for the assistance
21:19 <@krzee> np
21:19 -!- GeekFreak [~GeekFreak@198.204.250.37] has left #openvpn []
21:19 <@krzee> in AS channel you can prolly use !hours
21:19 <@krzee> to know when they are working
21:20 < AsadH> lo krzee, that bot hasn't worked in a very long time
21:21 <@krzee> the bot in AS?
21:21 < AsadH> Yeah
21:21 <@krzee> oh hah they dont have a bot anymore
21:21 <@krzee> they can use vpnHelper if they ask us to join it
21:21 <@krzee> hes only not there because they never asked
21:21 < AsadH> ah haha, poke novaflash about it
21:22 <@krzee> novaflash, *poke*
21:22 <@krzee> novaflash, if you want that ^ , just ask me or ecrist
21:23 -!- mode/#openvpn [+v AsadH] by krzee
21:23 -!- MACscr2 [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
21:24 < _FBi> I also have annoying bots to add places :D
21:24 -!- MACscr2 is now known as MACscr|lappy
21:24 -!- mode/#openvpn [+vvvv _FBi _quadDam1ge jeev kraut] by krzee
21:24 -!- mode/#openvpn [+vv soapee01 thumbs] by krzee
21:24 <+_FBi> merci!
21:25 <+_FBi> how's everyone doing tonight?
21:25 <+_FBi> anyone else awaiting krzee's food poisoning story tomorrow? :D
21:26 <@krzee> haha
21:26 <+_FBi> I'm actually jelly :( haha
21:26 <@krzee> i had wicker food poisoning when i was @ the amazon
21:26 <@krzee> wicked*
21:26 <@krzee> that shit was no joke man
21:26 <+_FBi> bring me back an arowana, I'll pay $400 for a Red or Gold
21:27 <+_FBi> the kind where you're afraid to sneeze?
21:27 <@krzee> nah man my whole body was itching i had a doctor come to my hotel room, he hung an IV from the nail that held up a painting
21:28 <@krzee> anti-biotics and i was fine
21:29 <+_FBi> nothing good 'ol voodoo can't cure, eh?
21:31 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:32 -!- Denial [Denial@176.250.208.188] has joined #openvpn
21:34 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
21:51 -!- dls [~dls@gateway/tor-sasl/dls] has quit [Quit: dls]
21:55 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
21:59 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 264 seconds]
22:26 -!- _FBi [~B@Aircrack-NG/User] has quit [Quit: ZNC - http://znc.in]
22:28 -!- _FBi [~B@199.241.189.120] has joined #openvpn
22:28 -!- _FBi [~B@199.241.189.120] has quit [Changing host]
22:28 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
22:33 -!- yauz [4fca40aabe@osgiliath.yauz.de] has joined #openvpn
22:34 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
22:36 -!- joshh20 is now known as joshh20-Away
22:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
22:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xmjgskuonemkgnhc] has quit [Quit: Connection closed for inactivity]
23:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
23:38 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
--- Day changed Sun Mar 02 2014
00:21 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:43 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
00:47 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
00:47 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
00:49 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
00:50 -!- lj1 [~l@192.241.174.169] has joined #openvpn
00:53 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
00:54 -!- sudormf [~ali@ec2-54-81-64-43.compute-1.amazonaws.com] has joined #openvpn
00:55 < sudormf> Hey guys, need a small help related to access server. No one is answering in their channel. Basically, my TLS is using a 1024 bit RSA file. I want to move to 2048 bit. Which config setting do I need to change to do that?
01:10 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Quit: ZNC - http://znc.in]
01:13 -!- lj [~l@192.241.174.169] has joined #openvpn
01:13 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
01:14 < Suterusu> When you gen the keys with easy-rsa....  think in vars
01:14 < sudormf> that's for openvpn, but i need to do this with openvpn access server
01:15 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
01:15 < Suterusu> There something different with how that determines valid keys? I thought you threw the key at it and it'd figure out the rest...
01:17 < sudormf> well, where would i put the keys once i generated them?
01:17 < sudormf> for access server
01:19 < Suterusu> Where you've tole it t'expects keys?
01:20 < sudormf> it doesn't ask you for location of keys
01:21 < Suterusu> I assume it assumes it's where the rest is
01:22 < sudormf> probably, but i don't know where the rest is either. i just downloaded the .deb package, did dpkg to install it, it asked me some questions like username, password, etc, and now its up and running
01:22 < sudormf> so i don't know where its storing the keys
01:22 < sudormf> i've checked /etc/openvpn, not there
01:25 < sudormf> there's one directory which contains ca.crt  ca.key  server.crt  server.key
01:26 < sudormf> no dh1024 file that i can find. is server.key the 1024 bit file?
01:27 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:30  * Suterusu shrugs
01:30 < Suterusu> prolly
01:31 < Suterusu> dh.pem?
01:31 < Suterusu> or even ta.key. lol./
01:32 < sudormf> nothing for locate dh.pem or locate ta.key
01:55 -!- sudormf [~ali@ec2-54-81-64-43.compute-1.amazonaws.com] has quit [Quit: Leaving]
01:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:57 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
01:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:02 < tjhowse> I'm setting up two separate sets of client and server certs for two different openvpn logins to this router, using easy-rsa.
02:02 < tjhowse> I've created two sets of ca_*.key, ca_*.crt and dh2048_*.pem, where * is either BMS or SMS.
02:02 < tjhowse> I want to generate client certificates for these two sets of server certificates now, but easy-rsa expects to find ca.key, ca.crt and dh2048.pem. Is there a neat way of handling this? Or are sets of symlinks my best option?
02:56 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
03:18 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
03:21 -!- MACscr|lappy [~MACscr2@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
03:21 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
03:22 < tjhowse> who's in charge of openvpn.net?
03:22 < tjhowse> it's an awful website. I can't easily send someone there to grab the client. They're more likely to accidently download the private tunnel thing
03:23 -!- svg [~svg@hydargos.ginsys.net] has quit [Read error: Connection reset by peer]
03:23 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
03:27 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
03:35 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
03:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:58 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
04:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
04:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:58 < nunim> for how much litespeed costs i think their build system is shit
05:15 < nunim> wrong chan.
05:31 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
06:05 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
06:05 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
06:05 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
06:06 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
06:06 -!- mode/#openvpn [+v hazardous] by ChanServ
06:20 -!- patrakov [~Thunderbi@111279190.convex.ru] has joined #openvpn
06:22 < patrakov> Hi. I have two routers (one OpenWRT, one Tomato Shibby) in my two flats, and an OpenVPN tunnel between them.
06:23 < patrakov> the problem began today and manifests itself as follows: big packets don't come through the tunnel.
06:24 < Thermi> lower the mtu of the tunnel devices
06:24 < Thermi> Your ISP probably screwed up
06:27 < patrakov> how do I determine the correct mtu? On the unencrypted channel the picture does not look like "all packets with size > X are lost", it's that 1420-sized packets come through, 1440-sized packets don't, and 1430-sized packets experience ~40% loss
06:28 < patrakov> and I am afraid that the "correct" mtu will change over time
06:28 < Thermi> try setting the mtu of the tunnel device to 1380
06:28 < Thermi> hmmm wait+
06:28 < patrakov> as in: --tun-mtu 1380?
06:28 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
06:29 < patrakov> the packet sizes that I reported are for pings, ping -M do -s $size 212.220.216.224
06:29 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
06:30 < Thermi> are you using udp as transport protocol?
06:30 < patrakov> yes
06:30 < Thermi> try --link-mtu 1380
06:31 < Thermi> Because that sets the size of the packets, that are sent between peers
06:31 < Thermi> If you set the mtu of the tun device, the OpenVPN peers might create packets greater than 1420
06:33 < patrakov> works, with some loss
06:33 < Thermi> try lower ones
06:34 < Thermi> Maybe the link is the problem.
06:35 < Thermi> as some router on the route between the two flats has issues+
06:35 < patrakov> 1360 => same result
06:36 < Thermi> Can you determine what size of outgoing packets get lost?
06:36 < Thermi> try --mtu-test
06:38 < patrakov> I will try it, but I have already said that there is no sharp theshold
06:41 < Thermi> I understood that.
06:45 < patrakov> the openvpn binary on Tomato does not understant --mtu-test, but has mtu-disc. Is it the same?
06:45 < patrakov> oops, read the manual, the answer is "no".
06:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:47 < patrakov> so I am going to figure out the "correct" link-mtu by hand. Thanks!
06:47 < Thermi> You could use tracepath to discover the pmtu between the flats
06:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
06:53 -!- tharkun [~0@unaffiliated/tharkun] has quit [Read error: Connection reset by peer]
06:53 < patrakov> tharepath -l 1460 says pmtu is 1460, tracepath -l 1461 fails
06:55 < Rienzilla> let's see how fast this thing can do openvpn
06:56 < patrakov> Rienzilla: what thing?
06:57 < Rienzilla> an asrock c2750d4i
06:57 < Rienzilla> an 8 core atom serverboard on mini-itx
06:59 -!- tharkun [~0@187.188.94.182] has joined #openvpn
07:00 < Thermi> nice!
07:00 < Thermi> Hmmm.
07:01 < Thermi> Weird .
07:03 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has left #openvpn ["Ex-Chat"]
07:05 <@krzee> 8 cores wont help much
07:05 <@krzee> openvpn is single threaded
07:05 <@krzee> so openvpn will run on a single core.
07:12 -!- s7r_o [~s7r@openvpn/user/s7r] has joined #openvpn
07:12 -!- mode/#openvpn [+v s7r_o] by ChanServ
07:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds]
07:13 -!- s7r_o is now known as s7r
07:25 < Rienzilla> krzee: I know that
07:25 <@krzee> cool =]
07:27 < Rienzilla> I am going to do some performance tests with bonded taps :)
07:27 < Rienzilla> (eeek! :))
07:27 <@krzee> oh werd
07:28 <@krzee> you gunna try to get 2x speed on a single connection?
07:28 <@krzee> like bonding 2 uplinks and trying to get a single xfer of double speed?
07:30 < Rienzilla> yes
07:30 <@krzee> nice
07:31 <@krzee> i saw someone here do that once
07:31 < Rienzilla> it works with real ethernet ports, so (in theory) why not on taps :)
07:31 <@krzee> it worked
07:31 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
07:31 <@krzee> except if 1 connection was slightly faster than the other, then you get buffer issues after awhile
07:31 <@krzee> i theorized that there could be some way to QOS that, but i never heard back if he solved that
07:32 <@krzee> (he was here to get help with understanding the buffer error he was getting)
07:32 < Rienzilla> oh why that? because the kernel distributes evenly and the underlying taps can't process it evenly?
07:32 <@krzee> !factoids search --values ond
07:32 <@vpnHelper> 'hmac', 'tls-auth', 'splitroute', 'timeout', 'windows_problems', 'windows', 'certfight', 'iptables', and 'aws'
07:33 <@krzee> !factoids search --values bond
07:33 <@vpnHelper> No keys matched that query.
07:33 <@krzee> yep, exactly
07:33 <@krzee> but if you could slow down the fast connection to match the slower one, then its all good
07:34 <@krzee> of course that would need to be done dynamicly in case the fast one becomes the slow one some day
07:38 < Rienzilla> well, if the connections all go over the same physical wire it should be ok, right?
07:40 <@krzee> umm
07:40 <@krzee> then what would be the point in bonding?
07:40 < Rienzilla> that multiple openvpn processes can run on multiple cores?
07:41 <@krzee> umm, you dont need tap for that
07:41 <@krzee> any openvpn config can do that
07:41 < Rienzilla> also if you need to have one fast transfer over openvpn?
07:41 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
07:41 <@krzee> 1 physical link will not be helped by openvpn in that regard
07:41 < Rienzilla> the thing is this
07:42 <@krzee> if you had 2 physical links like i thought at first, then it could be done that way
07:42 < Rienzilla> I 2 endpoints with fast internet links
07:42 < Rienzilla> +have
07:42 < Rienzilla> I need a backup process (1 transfer) to transfer over openvpn as fast as possible
07:43 <@krzee> bonding would also not help in that case
07:43 < Rienzilla> why not?
07:43 <@krzee> where it could help is if you had a client with 2 uplinks, and a fast server (faster than both uplinks combined), then you could make a config that uses 1 uplink, and a config that uses the other uplink, then you bond them
07:44 < Rienzilla> if 4 separate openvpn processes can all use 1 core, bonding them would quadruple the bandwith (minus bonding overhead)
07:44 <@krzee> then the internet sees your transfer as coming from the server, which can handle full speed, and goes to you over the bonded connection so that also handles faster
07:44 < Rienzilla> and assuming cpu is the bottleneck
07:44 <@krzee> with 2 servers, that helps nothing.
07:44 <@krzee> no, bonding them would help nothing.
07:44 < Rienzilla> why not?
07:44 <@krzee> you'd need 4 uplinks.
07:45 <@krzee> and 1 server.
07:45 <@krzee> then it would be 4 taps bonded together
07:45 <@krzee> you'll see =]
07:45 <@krzee> it'll all make sense after you play with it
07:45 < Rienzilla> well I don't understand why that wouldn't work... at lesat in theory
07:45 <@krzee> im very interested in hearing your results
07:47 < Rienzilla> actually, the performance per core of this thing is not bad at all
07:53 <@krzee> oh you were not trying to really increase single connection bandwidth, just trying to get more clients out of openvpn on that hardware?
07:53 <@krzee> in that case you could simply run multiple processes on multiple ports, and then give clients multiple remote entries and use --max-clients (or whatever that option is)
07:55 < Rienzilla> no I was trying to increase single connection bandwidth, where the cpu is the limiting factor
07:55 <@krzee> i assumed it was where bandwidth is the limiting factor, as thats a much more normal problem to want to solve
07:56 <@krzee> like getting 20mbit out of 2 10mbit links
07:56 <@krzee> (in 1 xfer)
07:58 < Rienzilla> no the thing is I have fast fiber uplinks, and I want to saturate them with low end hardware
07:58 -!- deever [~deever@148.251.52.112] has joined #openvpn
07:58 < deever> re
08:03 < Rienzilla> it seems to work, albeit with considerable overhead
08:04 < deever> i'm using tunnelblick and have set the option "Set DNS/WINS" to "Set nameserver", however there's no change to resolv.conf and thus the nameserver of the vpn is not used
08:05 < deever> s/change/change made/
08:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
08:05 < deever> anyone knows how to solve?
08:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
08:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
08:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
08:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Max SendQ exceeded]
08:08 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
08:08 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
08:14 < pekster> tjhowse: You might consider using this link for downloads:
08:14 < pekster> !download
08:14 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
08:14 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
08:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xubbkjrjbsfcgrbz] has joined #openvpn
08:37 -!- joshh20-Away is now known as joshh20
08:41 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
08:42 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
08:43 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
08:48 -!- JSharpe__ [~JSharpe@31.205.60.241] has joined #openvpn
08:52 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Ping timeout: 264 seconds]
08:56 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds]
09:04 < Rienzilla> heh
09:04 < Rienzilla> is decrypting more work than encrypting in an openvpn connection?
09:06 < BtbN> it's exactly the same task
09:06 < Rienzilla> ok
09:07 < pekster> Depends on the cipher, but the workload will be almost identical. Maybe one of your endpoints is using hardware acceleration for crypto?
09:07 < Rienzilla> well I was puzzled that my new atom cores seem to be faster than a xeon
09:07 < Rienzilla> but the atom board may have some dedicated crypto chip, I dunno
09:08 < pekster> Possibly; you using AES?
09:08 < Rienzilla> uh, I'm not sure actually
09:08 < Rienzilla> how do I check?
09:09 < pekster> The --cipher option you're using
09:09 < Rienzilla> i didnt touch it
09:09 < Rienzilla> so, default
09:09 < pekster> AFAIK there's not generally BF crypto accel; I've only seen it commonly supported for AES
09:09 < pekster> `openvpn --show-engines` if you're curious what the local hardware supports
09:11 < Rienzilla> rsax engine and intel rdrand
09:14 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
09:14 < Rienzilla> krzee: bonding two taps yields a mild (50%) performance increase. More will just decrease performance: http://sinas.rename-it.nl/~rien/results
09:17 < Rienzilla> is hardware acceleration a single piece of electronics, or does every cpu core have one?
09:18 < Thermi> Rienzilla: In most implementations, it's part of the CPU instruction set
09:18 < Rienzilla> ok
09:18 < Rienzilla> i'm puzzled about the fact that adding more processes decreases performance
09:19 < Rienzilla> more than 2 that is
09:20 < pekster> dual-core? Might be that you can't pipeline accel requests beyond that so the rest get offloaded to software
09:20 < Rienzilla> pekster: yes that's what I was thinking too
09:20 < pekster> Are your links identical and local for your tests? ie: no lattency/jitter that might be the cause?
09:20 < Rienzilla> the links are fairly local. 2 switches so hardly any latency
09:21 < pekster> Yea, should be fine if the specs are the same (speed and duplex)
09:21 < Rienzilla> they are
09:21 < pekster> Just making sure you aren't using e.g. broadband + 4G or something
09:21 < pekster> So my guess is you can only pipeline up to 2 crypto calls at once (maybe one per core if both cores support the hw-instructions)
09:22 < Rienzilla> well the thing has 8 cores
09:22 < Rienzilla> but it must be something like that
09:22 < pekster> Yea. If it's an Intel, beware that the "HT" flag on the proc doesn't really give you another core
09:22 < Rienzilla> I know
09:22 < Rienzilla> :)
09:23 < Rienzilla> it's an avoton c2750 octocore cpu
09:24 < Rienzilla> ohwell
09:24 < Rienzilla> in any case, I can saturate 100mbit with this thing
09:29 -!- p3rror [~mezgani@196.201.78.139] has quit [Read error: Operation timed out]
09:46 -!- p3rror [~mezgani@41.248.148.154] has joined #openvpn
09:56 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:12 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
10:15 -!- joshh20 is now known as joshh20-Away
10:16 -!- p3rror [~mezgani@41.248.148.154] has quit [Quit: Leaving]
10:24 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:55 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
11:13 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
11:20 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 264 seconds]
11:20 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 244 seconds]
11:32 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
11:39 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
11:49 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
11:51 -!- fab__ [~fab@ip-221.net-82-216-236.rev.numericable.fr] has joined #openvpn
11:53 < fab__> hi, i am a noob to openvpn, i try to set up a vpn on TLS mode (no credentials involved), but the client asks for credentals each time it start it
11:53 < fab__> Starting virtual private network daemon: BlackholeEnter Auth Username:
11:54 < fab__> what are the blackhole things anyway ?
11:57 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 246 seconds]
11:59 < pekster> Paste your configs (see: !configs & sans comments+blanks please.) Sounds to me like the client side is using --auth-user-pass
12:05 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 252 seconds]
12:06 < fab__> !configs
12:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:08 < fab__> here is the client side : http://pastebin.com/LD4ZtwNy
12:09 < pekster> That config won't ask for a username (though it might ask for a private key passphrase if it's encrypted)
12:10 < pekster> Ensure you're not using some screwey frontend that is adding that and hosing things for you. `openvpn --config /path/to/the.conf` won't ask for a username
12:10 < fab__> the thing is : it is ! So it comes from the private key ?
12:10 < pekster> Not the username, no
12:11 < pekster> An encrypted key asks for this: Enter Private Key Password:
12:11 < fab__> actually i think maybe the openvpn packages that is shipped with my OS has an issue, i am currently building it from source
12:13 < fab__> because it is asking a user name and password 3 times: black hole, openvpn & openvpn-NL.
12:13 < pekster> Sounds like your distro init is blindly launching multiple configs
12:14 < pekster> Consult with your distro docs if you need help configuring init
12:19 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
12:20 < fab__> ok, now it is up but ping does not work, have to check the firewall
12:20 < fab__> thanks by the way
12:22 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
12:31 < fab__> ok, my client can 'telnet' the server, but not the other way around
12:32 < pekster> firewall
12:32 < pekster> One of the involved systems; routing obviously works if you can send data (pings or otherwise) one way but not the other
12:34 < fab__> but, since the VPN is up, no additional connection is involved when the server wants to connect to the client ?
12:34 < fab__> or, i have to open the udp 1194 on client side to ?
12:35 < pekster> No. I'm telling you that you have a firewall problem on the encapsulated (inside) traffic
12:35 < pekster> Fix your firewall if you want to allow things
12:40 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
12:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
12:55 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:58 -!- fab__ [~fab@ip-221.net-82-216-236.rev.numericable.fr] has quit [Quit: Quitte]
13:14 -!- patrakov [~Thunderbi@111279190.convex.ru] has quit [Quit: patrakov]
13:18 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 252 seconds]
13:19 -!- master_of_master [~master_of@p4FD7B41B.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
13:23 -!- master_of_master [~master_of@p4FD7BB84.dip0.t-ipconnect.de] has joined #openvpn
13:37 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 264 seconds]
13:41 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
13:46 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:58 -!- pcdummy is now known as Fast[BDC]
14:01 -!- Cpt-Oblivious [~chatzilla@31.220.44.21] has joined #openvpn
14:06 <@krzee> Rienzilla, cool test/results. thanks for sharing!
14:07 < _FBi> sup krzee :D
14:07 < _FBi> how's .ph
14:08 <@krzee> very good =]
14:12 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:13 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:32 -!- joshh20-Away is now known as joshh20
14:32 -!- slikts [~reinis@wikipedia/reinis] has left #openvpn []
14:53 -!- u0m3 [~u0m3@109.96.148.19] has quit [Ping timeout: 264 seconds]
14:55 -!- u0m3 [~u0m3@109.96.148.19] has joined #openvpn
14:57 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
15:22 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
15:26 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Client Quit]
15:35 -!- lj [~l@192.241.174.169] has joined #openvpn
15:37 -!- lj [~l@192.241.174.169] has quit [Client Quit]
15:55 -!- get [219@unaffiliated/get] has joined #openvpn
15:55 < get> hi there
15:56 < get> im trying to setup openvpn server but beeing able to connect clients with multiple subnets.
15:58 < pekster> So do that? Maybe the resources in !clientlan and/or !serverlan will be useful
15:59 < get> my desired schema looks like
16:00 < get> 10.2.0.0/255.255.255.0 = external servers net location 1
16:00 < get> 10.1.2.0/255.255.255.0 = internal servers net
16:00 < get> 10.1.1.0/255.255.255.0 = reserved for client pcs (only access to external servers)
16:00 < get> 10.3.0.0/255.255.255.0 = external servers net location 2
16:00 < get> 10.0.0.0/255.255.255.0 = admin/operator net (access to all)
16:01 < pekster> 10.0.0/24 is a horrible network to use since it's one of several common defaults on embedded commercial hardware
16:01 < get> what did you suggest?
16:01 < pekster> Anything that's not common
16:01 < pekster> As for what you need to do, I suggest you read the aforementioned references I proposed
16:01 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:01 < get> gimme some suggestions, im open to changes.
16:02 < pekster> Anything else. Maybe try:
16:02 < pekster> !randomsubnet
16:02 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
16:02 < get> ah nice
16:02 < get> but, my question is:
16:02 < get> if i configure the server with net 10.0.0.0
16:03 < get> and configure clients with different subnets, will they beeing routed by openvpn or  i have to handle that with iptables¿?
16:03 < pekster> routing is handled by routing tables, not firewalls
16:03 < get> ok
16:04 < get> sorry
16:04 < pekster> Maybe add !route to your reading list
16:04 < get> !route
16:04 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
16:04 -!- Cpt-Oblivious [~chatzilla@31.220.44.21] has quit [Ping timeout: 244 seconds]
16:04 -!- Cpt-Oblivious_ is now known as Cpt-Oblivious
16:04 < pekster> Nothing is "wrong" with 10.0.0/24, but any client (think ones you don't control) that collide with that will have problems
16:06 < get> the most used here arround is 192.168.{0,1,2,178}.0
16:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:07 < get> ok i understand the route , as i see i can specify more routes on the server, but i gives a question, how to push only some routes to clients instead of all, defined in server.conf
16:08 < pekster> --push only what you want
16:08 < pekster> If you need per-client control, use a !ccd directory
16:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
16:08 < get> ok, there im using atm files with ifconfig-push to assign the ips
16:08 < pekster> (or --client-connect scripts if you have advanced needs and want progromatic control. !scripts for details)
16:09 < get> so in the same file i can add more lines?
16:09 < pekster> Yup
16:09 < pekster> Add whatever --push lines you want
16:09 < get> nice, you made my day
16:09 < get> many thx
16:09 < pekster> Note the need for --iroute there too if you're doing client-lan stuff. The references above (that you haven't read yet) cover that too
16:11 < get> !clientlan
16:11 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
16:11 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
16:11 < get> !iroute
16:11 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:14 < get> http://ircpimps.org/clientlan.png <-- down
16:14 < pekster> Yes, this is why I mirror it
16:14 < get> oki
16:15 < pekster> (My copy is optimized png anyway :P )
16:15 < get> but now, i understand it better
16:15 <@krzee> before i left usa that machine was pushing like 20mbit+ and i didnt have time to see what was up, so i just shut it down
16:15 <@krzee> (as it is non-vital)
16:15 < pekster> BIND on there? Vulnerable?
16:15 < get> i go for a cigarrette, and will test with some stuff
16:16 <@krzee> nah but i do use ntpd for updating my time, gotta check if thats the issue
16:16 <@krzee> will get to look in april
16:16 < pekster> Yea, that's the one I meant
16:16 < get> with virtual machines.
16:16 < pekster> Too much vulns in common stuff like that in the past months :P
16:22 <@krzee> oh god, awstats_configure.pl just completely overwrote my httpd.conf
16:22 <@krzee> thats going to be fun to fix :/
16:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xubbkjrjbsfcgrbz] has quit [Quit: Connection closed for inactivity]
16:33 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:55 -!- lj [~l@192.241.174.169] has joined #openvpn
17:00 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-tjjsntxslvixhxap] has joined #openvpn
17:01 -!- lj1 [~l@192.241.174.169] has joined #openvpn
17:03 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
17:09 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
17:10 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
17:23 -!- mndo [~mndo@bl17-72-245.dsl.telepac.pt] has joined #openvpn
17:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:52 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
17:57 -!- mndo [~mndo@bl17-72-245.dsl.telepac.pt] has quit [Ping timeout: 240 seconds]
17:58 -!- dren_ [~dren@69.163.43.34] has quit [Ping timeout: 240 seconds]
18:09 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Excess Flood]
18:09 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
18:49 -!- mndo [~mndo@bl17-72-245.dsl.telepac.pt] has joined #openvpn
18:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:52 -!- lj [~l@192.241.174.169] has joined #openvpn
19:13 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:28 -!- JSharpe__ [~JSharpe@31.205.60.241] has quit [Ping timeout: 240 seconds]
19:39 -!- mndo [~mndo@bl17-72-245.dsl.telepac.pt] has quit [Remote host closed the connection]
19:39 -!- dren_ [dren@obsidian.recompiled.net] has joined #openvpn
19:48 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 264 seconds]
19:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:56 -!- joshh20 is now known as joshh20-Away
20:12 -!- lj [~l@adsl-99-155-22-112.dsl.peoril.sbcglobal.net] has joined #openvpn
20:16 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:17 -!- lj [~l@adsl-99-155-22-112.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 244 seconds]
20:18 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
20:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
20:31 -!- p3rror [~mezgani@41.249.80.249] has joined #openvpn
21:02 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
21:02 < pylearner> my auth-user-pass line is no longer working does this file need to be in a specific directory or something
21:10 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 244 seconds]
21:10 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Read error: Operation timed out]
21:10 <@krzee> try a full path
21:10 <@krzee> heh
21:11 -!- pylearner [~py@46.246.88.207] has joined #openvpn
21:24 -!- p3rror [~mezgani@41.249.80.249] has quit [Quit: Leaving]
21:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-tjjsntxslvixhxap] has quit [Quit: Connection closed for inactivity]
21:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:18 -!- pylearner [~py@46.246.88.207] has quit [Ping timeout: 265 seconds]
22:30 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
23:16 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
23:16 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
23:17 -!- mattock_afk [~mattock@2607:5300:60:d5a::2] has joined #openvpn
23:17 -!- mattock_afk is now known as mattock
23:17 -!- mattock [~mattock@2607:5300:60:d5a::2] has quit [Changing host]
23:17 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:18 -!- mode/#openvpn [+o mattock] by ChanServ
23:18 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
23:18 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
23:18 -!- mode/#openvpn [+o raidz] by ChanServ
23:19 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
23:34 -!- lvv [~loganaden@2001:4290:10:250:6cf0:1875:b05:7b2d] has joined #openvpn
--- Day changed Mon Mar 03 2014
00:34 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:52 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
00:59 -!- d1z [~djz@li673-120.members.linode.com] has quit [Ping timeout: 264 seconds]
01:03 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
01:07 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
01:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
02:27 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds]
02:38 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
02:40 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
02:48 -!- makara [~makara@41.164.22.218] has joined #openvpn
02:48 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 265 seconds]
02:50 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
02:50 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
02:52 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:52 -!- mode/#openvpn [+o dazo_afk] by ChanServ
02:52 -!- dazo_afk is now known as dazo
02:56 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Ping timeout: 240 seconds]
03:07 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 240 seconds]
03:15 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
03:28 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
03:44 < defswork> anyone know if openvpn connect for ios supports authentication ?:
03:55 -!- Denial- [Denial@176.250.208.188] has joined #openvpn
03:57 -!- Denial [Denial@176.250.208.188] has quit [Ping timeout: 252 seconds]
03:57 -!- Denial- is now known as Denial
03:58 -!- Denial- [Denial@176.250.208.188] has joined #openvpn
03:58 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 240 seconds]
04:01 -!- Denial [Denial@176.250.208.188] has quit [Ping timeout: 252 seconds]
04:01 -!- Denial- is now known as Denial
04:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
04:05 -!- Mat_Toufoutu is now known as MatToufoutu
04:05 -!- MatToufoutu [~MaT@nl.h6r.org] has quit [Changing host]
04:05 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
04:17 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
04:25 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 240 seconds]
04:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:38 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has joined #openvpn
04:38 -!- f0cker [~f0cker@host109-151-224-166.range109-151.btcentralplus.com] has quit [Changing host]
04:38 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:47 -!- mndo [~mndo@bl16-41-188.dsl.telepac.pt] has joined #openvpn
05:00 -!- mattock is now known as mattock_afk
06:05 <@ecrist> !download
06:05 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
06:05 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
06:05 <@ecrist> tjhowse: we know it sucks, and we're powerless to fix it
06:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:11 -!- mattock_afk is now known as mattock
06:39 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
06:40 -!- mikemol [~mikemol@2001:470:c5b9:beef:3510:6842:d285:b59a] has quit [Remote host closed the connection]
06:56 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:02 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
07:21 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
07:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
07:28 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 264 seconds]
07:29 -!- lvv [~loganaden@2001:4290:10:250:6cf0:1875:b05:7b2d] has quit [Quit: lvv]
07:29 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 245 seconds]
07:30 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
07:31 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:31 -!- catsup [d@64.111.123.163] has joined #openvpn
07:32 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 245 seconds]
07:33 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
07:34 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 245 seconds]
07:34 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
07:39 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 264 seconds]
07:39 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
07:55 -!- lj [~l@192.241.174.169] has joined #openvpn
07:56 -!- __raven_ [~raven@dslb-178-007-176-084.pools.arcor-ip.net] has joined #openvpn
07:56 < __raven_> hi
07:57 < __raven_> ubuntu 13.10: many tutorials tell about links to easy-rsa. has this been removed from openvpn-package due to the nsa/rsa topics?
08:00 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has joined #openvpn
08:11 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 269 seconds]
08:44 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:50 <@dazo> __raven_: The RSA _encryption_ algorithm is still in good shape
08:50 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has quit [Quit: elfixit]
08:50 <@dazo> and the easy-rsa doesn't imply that it's a RSA related product ... it's just a name for CA utility
08:51 <@dazo> it could just as well be called easy-pki or easy-ca
08:51 <@dazo> (and in fact, it's just wrapper scripts around openssl, making the CA management, well, easier)
08:52 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:56 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has joined #openvpn
08:56 -!- lj [~l@192.241.174.169] has joined #openvpn
09:07 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has quit [Quit: elfixit]
09:10 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
09:27 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
09:38 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 244 seconds]
09:39 -!- Jeroen52 [~quassel@2001:41d0:1:9592::1] has joined #openvpn
09:44 -!- dirtgrub [~martinn@nukethemonster.com] has joined #openvpn
09:45 -!- bersace [~bersace@sevin.cae.li] has joined #openvpn
09:45 -!- bersace [~bersace@sevin.cae.li] has quit [Client Quit]
09:46 -!- Jeroen52 [~quassel@2001:41d0:1:9592::1] has quit [Remote host closed the connection]
09:55 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
09:59 -!- alexxtasi [~alex@150.140.12.90] has joined #openvpn
10:00 -!- Jeroen [~quassel@2001:41d0:1:9592::1] has joined #openvpn
10:03 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 240 seconds]
10:06 -!- mndo [~mndo@bl16-41-188.dsl.telepac.pt] has quit [Remote host closed the connection]
10:17 -!- Jeroen is now known as Jeroen52
10:20 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
10:30 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:51 -!- br4ndon_ [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
10:51 -!- Gill [~Gill@50.245.128.227] has joined #openvpn
10:52 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 244 seconds]
10:53 -!- lj [~l@192.241.174.169] has joined #openvpn
10:54 < Gill> Hey guys. I have a quick question. Is there a best practice/easy way to manage client certs? I would like to setup openVPN servers on a few PfSenses. I don't want to connect the PfSenses just be able to connect to the PfSense from a computer to access the local network. Basically what I think I need is to have a different server with the certs and have PfSense check that server so that I won;t have to manage the certs locally on each PfSense. Anyone know of a w
10:54 < Gill> to do this? Thanks!
10:59 -!- lj [~l@192.241.174.169] has quit [Remote host closed the connection]
11:00 < pekster> Gill: There are several obvious (and many less-obvious) choices for cert management: see:
11:00 < pekster> !certman
11:00 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
11:00 < Gill> thank pekster
11:01 -!- lj [~l@192.241.174.169] has joined #openvpn
11:01 < pekster> If you want a security-concious setup, there are some PKI recommendations at !hardening too
11:01 < Gill> pekster: do you know if certman can connect to PfSense systems and remove revoked certs?
11:02 < pekster> You don't "remove" them you revoke them
11:02 < pekster> Also, certman is the bot's info above: it lists your _choices_ (it's not a choice itself)
11:02 < pekster> Maybe a more basic intro would be helpful:
11:02 < pekster> !intro-to-pki
11:02 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
11:03 < Gill> ah cool yea I'm new to this
11:03 < pekster> It's up to you to figure out how you'd deploy a CRL to your active servers
11:03 < Gill> sorry whats CRL stand for?
11:03 < pekster> If you have a multi-server setup using the same PKI, reovking would require that you 1) perform revocation on your CA, 2) generate an updated CRL, and 3) send that CRL to all systems that reference it
11:04 < pekster> Revocation is explained: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/EasyRSA-Readme.md#revoking-and-publishing-crls
11:04 <@vpnHelper> Title: easy-rsa/doc/EasyRSA-Readme.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
11:05 < pekster> Certificate Revocation List -- it's a format that lists revoked certs and a cryptographic signature by the CA (for authenticity)
11:05 < Gill> cool
11:06 < Gill> thanks pekster I will have to start reading :)
11:11 -!- joshh20-Away is now known as joshh20
11:12 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
11:12 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
11:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
11:14 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:16 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has joined #openvpn
11:24 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:25 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:25 -!- mode/#openvpn [+o raidz] by ChanServ
11:36 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-gyyndoowfkxtmsmu] has joined #openvpn
11:38 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
11:43 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
11:43 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
11:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:46 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:47 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:49 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:50 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:50 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:52 -!- Guest33417 [~heraclitu@208.64.66.92] has joined #openvpn
11:52 -!- Guest33417 [~heraclitu@208.64.66.92] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
11:52 -!- Guest33417 [~heraclitu@208.64.66.92] has joined #openvpn
11:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:14 -!- joshh20 is now known as joshh20-Away
12:16 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
12:20 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
12:24 -!- elfixit [~Icedove@155-225.197-178.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
12:24 -!- joshh20-Away is now known as joshh20
12:31 -!- br4ndon_ [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 244 seconds]
12:39 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
12:43 -!- br4ndon_ [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
12:48 -!- Gill [~Gill@50.245.128.227] has quit [Quit: Gill]
12:52 -!- mattock is now known as mattock_afk
12:59 -!- lj [~l@192.241.174.169] has joined #openvpn
13:12 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 265 seconds]
13:16 -!- linuxthefish [~linuxthef@185.17.148.101] has quit [Remote host closed the connection]
13:19 -!- master_o1_master [~master_of@p4FF2417E.dip0.t-ipconnect.de] has joined #openvpn
13:22 -!- master_of_master [~master_of@p4FD7BB84.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
13:24 -!- f0cker [~f0cker@host86-151-62-164.range86-151.btcentralplus.com] has joined #openvpn
13:24 -!- f0cker [~f0cker@host86-151-62-164.range86-151.btcentralplus.com] has quit [Changing host]
13:24 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
13:27 -!- d1z [~djz@li673-120.members.linode.com] has quit [Ping timeout: 265 seconds]
13:33 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Operation timed out]
13:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-gyyndoowfkxtmsmu] has quit [Quit: Connection closed for inactivity]
13:52 < loompek> smee again
13:52 < loompek> could i use easyCA for certificate management instead of easy-rsa?
13:55 <@dazo> loompek: you can use whatever CA management tool you'd like
13:55  * dazo likes xca
14:03 -!- dazo is now known as dazo_afk
14:08 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
14:13 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
14:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:26 -!- Guest33417 [~heraclitu@208.64.66.92] has quit [Quit: Ping timeout: 221 seconds]
14:27 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
14:27 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
14:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:29 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
14:33 -!- joshh20 is now known as joshh20-Away
14:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
14:42 -!- james41382 [~james@192.198.203.26] has joined #openvpn
14:42 -!- james41382 [~james@192.198.203.26] has quit [Changing host]
14:42 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:46 < loompek> are there any special purposes i need for a server?
14:46 < loompek> VERIFY ERROR: depth=0, error=unsupported certificate purpose...
14:46 < loompek> i keep getting this error
14:47 < loompek> nsCertType
14:47 < loompek> hmm
15:07 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
15:08 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:41 -!- joshh20-Away is now known as joshh20
15:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:58 -!- joshh20 is now known as joshh20-Away
16:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 241 seconds]
16:26 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:47 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 244 seconds]
16:52 < d1z> what directive do I need to set inside /etc/openvpn/ccd/some-foo-client in order for that client to always get a given static IP?
17:00 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:13 <@ecrist> !static
17:13 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
17:13 <@vpnHelper> also: !addressing
17:13 <@ecrist> d1z: see above
17:17 < d1z> ifconfig-push 10.8.0.6 10.8.0.5
17:17 < d1z> which of those two is going to be the client's ip address?
17:17 < d1z> !addressing
17:17 <@ecrist> .6
17:17 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
17:17 <@ecrist> !net30
17:17 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
17:18 < d1z> !topology
17:18 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:28 -!- br4ndon_ [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
17:30 -!- lj [~l@192.241.174.169] has joined #openvpn
17:32 < d1z> ecrist, http://openvpn.net/index.php/open-source/faq.html#slash30
17:32 <@vpnHelper> Title: FAQ Community Software (at openvpn.net)
17:32 < d1z> leads nowhere
17:49 -!- d1z [~djz@li673-120.members.linode.com] has quit [Ping timeout: 252 seconds]
17:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
18:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
18:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:08 -!- d1z [~djz@190.78.147.229] has joined #openvpn
18:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
18:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:01 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
19:01 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
19:08 -!- pgib [~pgib@c-71-236-58-232.hsd1.tn.comcast.net] has joined #openvpn
19:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:35 -!- d1z [~djz@190.78.147.229] has quit [Ping timeout: 240 seconds]
19:38 -!- __raven [~raven@dslb-178-002-132-144.pools.arcor-ip.net] has joined #openvpn
19:40 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
19:41 -!- __raven_ [~raven@dslb-178-007-176-084.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
19:47 -!- ska [~ska@unaffiliated/ska] has joined #openvpn
19:47 -!- pgib [~pgib@c-71-236-58-232.hsd1.tn.comcast.net] has quit [Ping timeout: 240 seconds]
19:47 -!- MACscr|lappy [~MACscrlap@c-98-214-103-147.hsd1.il.comcast.net] has joined #openvpn
19:49 < ska> I have a OPenvpn Setup with a road-warrior (RW), Lan1 and Lan2. Lan1 and Lan2 are connected via OpenVPN using P2P setup, Lan1 -> Lan2 using Tun type Mode. RW -> Lan1 via OpenVPN road-warrior setup.
19:50 < ska> It all works good, but RW needs to have access to LAN2.. Do I need to add a set of routes to both RW and LAN1?
19:52 < ska> http://blog.stefcho.eu/?p=733 seems to have some info
20:07 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has joined #openvpn
20:07 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
20:13 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
20:16 < pgib> Hello, I am stuck with something here, maybe not OpenVPN, but firewall related? Not sure, but is there a way to restrict which local hosts are accessible to clients of a TAP VPN? I understand that the routes can be selectively pushed, but if a local host is (accidentally) configured to route the VPN subnet to the server, and a VPN client attempts to add a route back to the local "safe" subnet, then it seems I'm screwed
20:17 < pgib> I'm using Linux, so maybe there is something I can do with iptables? I don't want to restrict all traffic from the VPN server back to the local "safe" subnet though. In the future I hope to have a security appliance separate these two nets
20:18 <@Eugene> pgib - sure, appropriate rules in the FORWARD table.
20:18 <@Eugene> And as you suspect, yes, its really an iptables question.
20:18 <@Eugene> !liniptables
20:18 <@Eugene> !iptables
20:18 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
20:19 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
20:19 < pgib> Ok cool. just making sure I'm not missing some mechanism cooked into OpenVPN. thanks.
20:19 <@Eugene> Not what I was looking for, eh.
20:19 < pgib> I'll figure it out. thanks
20:25 -!- Dimtree [~Dimitri@r75-110-125-114.rmntcmtc02.rcmtnc.ab.dh.suddenlink.net] has joined #openvpn
20:33 -!- MACscr|lappy [~MACscrlap@c-98-214-103-147.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
20:39 -!- mnathani [~mnathani@umbozero.winvive.com] has quit [Quit: WeeChat 0.4.2]
20:53 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has quit [Ping timeout: 240 seconds]
21:20 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
21:20 < lachesis> is it possible to have an auth-user-pass block inline?
21:21 < lachesis> i'm trying to make a single ovpn file hold my full config
21:33 -!- Dimtree [~Dimitri@r75-110-125-114.rmntcmtc02.rcmtnc.ab.dh.suddenlink.net] has quit [Ping timeout: 240 seconds]
21:40 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:41 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:41 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
21:41 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:57 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
22:00 <@Eugene> !pwfile
22:00 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h or (#2) see --auth-user-pass in the manual (!man) for more info or (#3) if you're using this with the windows service, you will need --askpass
22:07 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
22:08 < Eneerge> how does the OpenVPN-GUI trigger a disconnect?
22:08 < Eneerge> does it just terminate the openvpn.exe or does it do any cleanup beforehand?
22:10 < pekster> Either SIGINT or SIGTERM IIRC
22:10 < pekster> Whatever the "mapping" is under the windows translation layer
22:15 < Eneerge> im trying to figure out how to initate the same thing in a batch script.. just doing a taskkill doesn't seem right
22:17 < Eneerge> is the source for the gui included in the source download?
22:18 < pekster> No, but it's on the openvpn.net site (URL in the 'openvpn-build' project.) The GUI is a sf.net project
22:20 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Read error: Connection reset by peer]
22:21 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
22:22 < pekster> You might also just use the openvpn codebase
22:22 < pekster> THe "F4" key gets mapped to the same thing a Unix SIGTERM would do
22:23 < pekster> Chek out the 'Signal handling' in win32.h
22:30 < pekster> Maybe also win32.c:320 or so
22:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
22:59 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
23:17 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has joined #openvpn
23:17 < pgib> Eugene: finally done running tests. Looks like the solution for me (don't expose local subnet) is as simple as disabling ip_forwarding. As every service I want is proxy'd into the VPN subnet. Thanks again
23:18 -!- tjhowse [~eness@101.165.185.107] has quit [Ping timeout: 264 seconds]
23:30 < Eneerge> i went with just disabling the tun interface. that seems to work and it intiates the openvpn.exe to close
23:30 < Eneerge> or whatever
23:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:48 -!- lvv [~loganaden@2001:4290:10:250:11e7:3170:5fc6:5797] has joined #openvpn
--- Day changed Tue Mar 04 2014
00:05 -!- lj1 [~l@192.241.174.169] has joined #openvpn
00:05 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 265 seconds]
00:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ljodybrjlggthxci] has joined #openvpn
00:28 -!- tjhowse [~eness@101.165.185.107] has joined #openvpn
00:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:08 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
01:08 -!- alexxtasi [~alex@150.140.12.90] has left #openvpn []
01:08 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
01:09 -!- traph [~traph@46.10.9.133] has joined #openvpn
01:09 -!- traph [~traph@46.10.9.133] has quit [Changing host]
01:09 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
01:27 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Connection reset by peer]
01:28 -!- traph [~traph@46.10.9.133] has joined #openvpn
01:28 -!- traph [~traph@46.10.9.133] has quit [Changing host]
01:28 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
01:30 -!- mattock_afk is now known as mattock
01:51 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
01:55 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:12 -!- mattock is now known as mattock_afk
02:15 -!- mattock_afk is now known as mattock
02:29 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
03:04 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
03:13 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
03:21 -!- n13z [~iosick@unaffiliated/n13z] has joined #openvpn
03:21 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
03:21 -!- Eneerge [eneergealt@unaffiliated/eneerge] has left #openvpn []
03:31 -!- mattock is now known as mattock_afk
03:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ljodybrjlggthxci] has quit [Quit: Connection closed for inactivity]
03:46 < defswork> anyone know if pushing multiple routes to ios clients works ?
03:46 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:49 -!- Devastatr [~devas@177.18.198.165] has joined #openvpn
03:50 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds]
04:07 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Ping timeout: 265 seconds]
04:22 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
04:42 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
04:42 -!- crus` [~crusader@2001:44b8:319e:2900:9162:7193:5003:837b] has quit [Ping timeout: 265 seconds]
04:49 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
05:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:02 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 244 seconds]
05:10 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
05:25 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
05:30 -!- lvv [~loganaden@2001:4290:10:250:11e7:3170:5fc6:5797] has quit [Quit: lvv]
05:40 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
05:43 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has joined #openvpn
05:43 -!- iokill [~iokill@91.114.127.102] has quit [Read error: Connection reset by peer]
05:45 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 244 seconds]
05:49 -!- pgib [~pgib@c-76-18-186-63.hsd1.tn.comcast.net] has quit [Ping timeout: 240 seconds]
05:51 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
05:52 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
06:06 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 240 seconds]
06:24 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has joined #openvpn
06:24 < TheWarden> !welcome
06:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:25 < TheWarden> !howto
06:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:26 < TheWarden> Hello
06:26 < TheWarden> I'm trying to revoke a user's access. I'm trying to run ./revoke-full client however all I get back is "Please source the vars script first (i.e. "source ./vars")" and "Make sure you have edited it to reflect your configuration."
06:27 < TheWarden> Which appears the revoke didn't work. I did run ./vars first.
06:27 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
06:27 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
06:36 < TheWarden> argh
06:38 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:40 < TheWarden> I think for some reason the ./vars is not being loaded. I don't get this. Seems like such a simple script and process yet can't get it to work.
06:43 < TheWarden> I do a printenv and I don't see any of the variables defined within the ./vars script.
06:46 < TheWarden> well for sure its not working, set returns nothing within the ./vars and if I do a echo "$KEY_DIR" nothing is returned. What the heck am I doing wrong? I have BASH as my CLI.
06:51 < TheWarden> When I look at the ./vars file it appears there is not a #!/bin/bash line.
06:54 < TheWarden> ahhh finally I think I figured something out. Turns out you need to do source ./vars. Nice that the docs on OpenVPN don't even mention that when revoking certificates.
07:05 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:07 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
07:19 <@ecrist> TheWarden: you're probably doing it wrong
07:19 <@ecrist> it needs to be loaded like this:
07:19 <@ecrist> . ./vars
07:19 <@ecrist> with the dot, space, dot-slash-vars
07:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:27 -!- markus__ [~markus@185.5.44.31] has joined #openvpn
07:39 < loompek> so guys..
07:40 < loompek> i have a yealink T20p phone.. and it should handle openvpn.. but it seems there's an issue...
07:40 < loompek> https://rula.net/683
07:40 <@vpnHelper> Title: pastebin - collaborative debugging tool (at rula.net)
07:41 < loompek> i think the problem is because i use SHA2 (sha512) instead of SHA1 or worse
07:41 < loompek> but i'm not 100%
07:42 < markus__> have u make sure the certficate is correct?
07:42 < loompek> yes
07:42 < loompek> all the certs are oka
07:43 < markus__> I usually see this if u connecting to a server with a diff client certficate than the server.
07:47 < loompek> the server has a different cert than client :)
07:47 < loompek> the server has server's cert
07:47 < loompek> the client has client's cert
07:47 < loompek> both are signed with the same CA
07:47 < loompek> and are verifiable by openssl verify command
08:23 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
08:32 -!- lvv [~loganaden@ite-inf3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:39 < loompek> crappy yealink... had to change sha512 to sha1
08:39 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 244 seconds]
08:39 < loompek> now the damn thing works :S
08:40 < loompek> https://forum.pfsense.org/index.php?topic=68398.msg377364#msg377364
08:40 <@vpnHelper> Title: Yealink phones (at forum.pfsense.org)
08:45 -!- Devastatr [~devas@177.18.198.165] has quit [Changing host]
08:45 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
08:45 -!- Devastatr is now known as Devastator
09:07 -!- lj [~l@192.241.174.169] has joined #openvpn
09:08 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
09:08 -!- dazo_afk is now known as dazo
09:13 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has joined #openvpn
09:13 -!- dirtgrub [~martinn@nukethemonster.com] has quit [Ping timeout: 240 seconds]
09:32 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 244 seconds]
09:36 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
09:58 -!- dradec [~Inigo@unaffiliated/dradec] has joined #openvpn
10:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:05 -!- mode/#openvpn [+v s7r] by ChanServ
10:11 -!- darix [darix@irssi/staff/darix] has joined #openvpn
10:11 < darix> moin, did someone already investigate how https://secure-resumption.com affects openvpn?
10:11 <@vpnHelper> Title: Triple Handshakes Considered Harmful: Breaking and Fixing Authentication over TLS (at secure-resumption.com)
10:16 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:18 <@plaisthos> darix: same risk as for HTTPS
10:18 <@plaisthos> but for OpenVPN a "custom" CA for the server is much more common migitating the problem
10:19 < darix> plaisthos: so waiting for mitigation in openssl or are there any steps the openvpn team can take to help with the issue?
10:20 < darix> plaisthos: especially interested in setups with client side certs+user/pass auth
10:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:35 -!- Dimtree [~Dimitri@r75-110-125-114.rmntcmtc02.rcmtnc.ab.dh.suddenlink.net] has joined #openvpn
10:43 <@plaisthos> darix: if you get hold of a key+crt of a server you could setup a rogue server that uses the client credentials to authenticate against a second server
10:44 <@plaisthos> but that only works if the second server uses the same CA
10:47 < darix> plaisthos: ok
10:47 < darix> thanks
10:48 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 244 seconds]
10:53 -!- takamichi [~takamichi@85.12.8.14] has quit [Read error: Operation timed out]
10:57 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:36 < pekster> darix: Most of that doesn't apply, since openvpn's renegotiation procedure (read --reneg-* in the manpage for the userland options there) _do_ reauthenticate the full identities
11:37 < pekster> ie: you can't change identity there as openvpn already knows about the client connection, so an attempt to say "oh no, I'm not really eve, I'm bob" won't work
11:39 < darix> pekster: thanks!
11:40 < pekster> Otherwise I'll second the advice from above in that if any of your private components are compromised, the attacker who has those parts can fully impersonate that identity
11:41 < pekster> The solution is security to avoid that, and mitigation (revocation procedures, or selecting a validity period) to limit the damage
11:41 < pekster> Generic security/PKI recommendations for openvpn can be found on the wiki too: see: !hardening
11:42 < Dimtree> !hardening
11:42 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
11:42 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
11:45 < Dimtree> What's a good way to distribute certificates securely to a group of friends, short of having them physically delivered?
11:45 -!- levifig_ [sid1908@gateway/web/irccloud.com/x-ijbgujiurorhdzef] has joined #openvpn
11:46 < pekster> You don't need to distribute certs securely
11:46 < pekster> Certs can be publicly transported (though for security you should verify fingerprints out-of-band, such as with a phone call or signed GPG message)
11:46 < pekster> Don't transport keys: genearte them on the system that will use them, and you never need to transport them
11:49 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zhyibrhdeeushifw] has joined #openvpn
11:51 -!- marlinc_ [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
11:53 -!- Netsplit *.net <-> *.split quits: marlinc, fred``, levifig, Chrisje
11:58 -!- mattock_afk is now known as mattock
12:04 -!- ska [~ska@unaffiliated/ska] has quit [Quit: Leaving]
12:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:08 -!- Devastatr [~devas@177.18.198.165] has joined #openvpn
12:08 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
12:10 -!- Netsplit over, joins: fred``, Chrisje
12:16 -!- mndo [~mndo@bl16-41-188.dsl.telepac.pt] has joined #openvpn
12:16 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
12:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:31 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
12:33 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
12:52 -!- d1z [~djz@li673-120.members.linode.com] has quit [Read error: Connection reset by peer]
13:00 -!- mndo [~mndo@bl16-41-188.dsl.telepac.pt] has quit [Ping timeout: 240 seconds]
13:01 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
13:18 -!- master_of_master [~master_of@p4FF2494B.dip0.t-ipconnect.de] has joined #openvpn
13:21 -!- master_o1_master [~master_of@p4FF2417E.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
13:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
14:10 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
14:14 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
14:30 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
14:33 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
14:33 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:47 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Ping timeout: 252 seconds]
14:47 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
14:49 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
14:53 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
14:55 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:55 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
14:55 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:58 -!- Devastatr [~devas@177.18.198.165] has quit [Changing host]
14:58 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
14:59 -!- Devastatr is now known as Devastator
15:03 -!- _quadDam1ge is now known as _quadDamage
15:28 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
15:28 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
15:38 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:44 -!- dazo is now known as dazo_afk
15:55 -!- mattock is now known as mattock_afk
15:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:22 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 265 seconds]
16:33 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
16:39 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
16:50 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 265 seconds]
16:50 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
16:50 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
16:53 -!- d1z [~djz@li673-120.members.linode.com] has quit [Ping timeout: 244 seconds]
16:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Operation timed out]
16:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
16:59 < havoc> I'm assuming this is well known by now: http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
16:59 <@vpnHelper> Title: Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping | Ars Technica (at arstechnica.com)
16:59 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
17:06 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Quit: -]
17:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:13 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
17:19 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
17:23 -!- TheWarden [~chatzilla@S0106e0469a3d83ef.ss.shawcable.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
17:26 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:40 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-bocqexinfzwzsnbn] has joined #openvpn
17:41 -!- Xtrivity [~Insanity@S0106602ad096ef86.va.shawcable.net] has joined #openvpn
17:45 < Xtrivity> Hi guys - I have been struggling for the last week trying to get my debian machine to work with openvpn. I have the correct .ovpn file, and on all other OS machines, the connection works. With this one I get a" TLS Error; TLS key negotiation failed to occcur within 60 seconds. I have no firewall blocking that I can figure. If anyone can help me through this i'll be so incredibly thankful!
17:49 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:53 < pekster> Xtrivity: Consult your logs on the opposing side of your connection. You should both see the initial packet. If not, you have a connectivity problem (firewall or otherwise)
17:55 < Xtrivity> pekster,  on the server side?
17:55 < pekster> Yup
17:55 < Xtrivity> hmmm, im using openvpn access server, i'll have to dig (not so familiar with it)
17:55 < pekster> Verb 4 (and maybe 3 as well) shows 'initial packet recieved" on first connect
17:55 < pekster> !as
17:55 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
17:55 < pekster> We do not support commercial solutions here
17:56 < pekster> Try that IRC channel or other document support from your vendor
17:56 < Xtrivity> I wasn't asking for support of commercial version, i was asking support of client.
17:57 < pekster> And I'm telling you that without knowing WHAT is happening and WHY on the server-side, you cannot get help for that here. OpenVPN requires 2 endpoints, and your other is a closed-source solution that is not openvpn
17:58 < Xtrivity> pekster,  the logs doen't even show a connection or packet response from the client.
17:58 < pekster> I don't care if what you're talking about is AS
17:59 < pekster> Nobody here does
18:00 < pekster> If you run a the GPL openvpn on both ends, you have !configs and !logs. If you run AS you get whatever AS spews out, which is not in a format the open-source community (us here) are able/willing/interested to support
18:01 < Xtrivity> damn. Sad part is i tried to install the GPL openvpn, but the VPS host wouldn't enable the hardware tun/tap properly for that to work unless i purchased the AS. This is just a pain in the ass.
18:02 < pekster> AS is just a glorified (and non-open) frontend around the prior series of openvpn. It still requires a tap device, so my guess is whatever you did you did incorrectly on your hosted solution before
18:03 < pekster> You might consider real VM solutions instead of crap like openvz, because:
18:03 < pekster> !openvz
18:03 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
18:03 < Xtrivity> yeah, I understand.
18:03 < Xtrivity> i'm not a fan of openvz at all.
18:04 < Xtrivity> and pekster  they enabled tap on the hardware only for the pre-installation AS version. thoroughly unimpressed. But, im certain it works due to other clients being able to connect without any issue.
18:04 < pekster> We don't care
18:05 < pekster> Please stop trying to solicit AS help here. WE DO NOT SUPPORT IT
18:09 < Xtrivity> pekster,  i'm not trying to solicit anything. calm the ef down.
18:09 < Xtrivity> im all about gpl.
18:12 < pekster> Yes, then you go on "but <excuse why we should help support commercial software>
18:13  * pekster shrugs
18:13 < Xtrivity> To me this isn't a commercial software. to me I am using the GPL client which is where the problem must relay as all other clients can connect to the server. and i'm trying to ask how I can debug this, but i understand. you're saying there's no way to know log files with commercial software.
18:13 < Xtrivity> got it.
18:14 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
18:14 < pekster> AS _IS_ commercial software
18:14 < pekster> !download
18:14 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
18:14 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
18:14 < pekster> ^ that is the GPL stuff
18:14 < Xtrivity> but im using gpl openvpn client <- that is not commercial. And i'd assume support for debugging the client can be supported here.
18:14 < pekster> https://forums.openvpn.net/post34969.html#p34969
18:14 <@vpnHelper> Title: OpenVPN Support Forum Multiple clients, the purpose is? : Off Topic, Related (at forums.openvpn.net)
18:15 < pekster> No, becuase "shit doesn't arrive at the server"
18:15 < pekster> !both
18:15 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
18:15 < Xtrivity> k.
18:15 < pekster> I'm sick of telling you we can't support AS-based solutions. Next time you get muted
18:15 < Xtrivity> !cranky
18:15 < Xtrivity> hmmm.
18:15 < pekster> The forum link should explain things
18:16 < Xtrivity> lol. If there's another client for AS i'm gonna flip - that would explain a lot.
18:16 < Xtrivity> Thanks.
18:17 < pekster> There is, sort of:
18:17 < pekster> !connect
18:17 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969
18:20 < pekster> Also, fwiw we don't have cranky, but we do have:
18:20 < pekster> !douchey
18:20 <@vpnHelper> "douchey" is http://catb.org/~esr/faqs/smart-questions.html#keepcool
18:28 <+jeev> krzee, you around ?
18:28 <+jeev> this is weird, i've got a routed openvpn set up.. using two different openvpn servers in two different locations. i'm using ip rule to target to each tun0 or tun1 gateway.
18:29 <+jeev> i can use them based on source ip's, however. i am unable to connect to one of them.
18:29 <+jeev> even though it's working just fine.
18:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:32 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:40 -!- Xtrivity [~Insanity@S0106602ad096ef86.va.shawcable.net] has quit [Quit: Leaving]
18:43 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:45 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:48 < converge> im trying to setup openvpn server on debian and getting this error msg Cannot load certificate file fortunata.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
18:48 < converge> does someone knows whats wrong?
18:52 < converge> just fixed
19:22 -!- darix [darix@irssi/staff/darix] has left #openvpn ["All rights reversed"]
19:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:36 -!- __raven_ [~raven@dslb-178-002-136-217.pools.arcor-ip.net] has joined #openvpn
19:39 -!- __raven [~raven@dslb-178-002-132-144.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
19:40 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
19:44 -!- thoraxe [~thoraxe@50-73-95-6-static.hfc.comcastbusiness.net] has left #openvpn []
19:52 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
19:53 -!- ponyofdeath [~vladi@cpe-76-167-201-214.san.res.rr.com] has quit [Quit: Lost terminal]
19:59 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:00 -!- d1z [~djz@li673-120.members.linode.com] has quit [Ping timeout: 264 seconds]
20:12 -!- d1z [~djz@190.78.147.229] has joined #openvpn
20:14 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
20:20 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
20:26 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
20:54 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-bocqexinfzwzsnbn] has quit [Quit: Connection closed for inactivity]
21:15 -!- dradec [~Inigo@unaffiliated/dradec] has quit [Quit: nil]
21:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zhyibrhdeeushifw] has quit [Quit: Connection closed for inactivity]
21:36 -!- dimitry7 [~antonello@38.124.174.31] has quit [Ping timeout: 260 seconds]
21:45 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Ping timeout: 240 seconds]
21:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
22:03 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
22:05 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
22:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 265 seconds]
22:26 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
22:28 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:29 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:37 -!- lj [~l@adsl-99-155-21-55.dsl.peoril.sbcglobal.net] has joined #openvpn
22:39 -!- lj1 [~l@192.241.174.169] has joined #openvpn
22:41 -!- lj [~l@adsl-99-155-21-55.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 244 seconds]
22:43 -!- lj1 [~l@192.241.174.169] has quit [Client Quit]
22:52 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
22:52 -!- lj [~l@192.241.174.169] has joined #openvpn
23:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:03 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds]
23:19 -!- d1z [~djz@190.78.147.229] has quit [Ping timeout: 240 seconds]
23:20 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:20 -!- d1z [~djz@190.78.147.229] has joined #openvpn
23:27 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
23:43 -!- lvv [~loganaden@2001:4290:10:250:d85d:1718:e3a7:9688] has joined #openvpn
23:47 <@krzee> !krzee
23:47 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana
23:47 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
--- Day changed Wed Mar 05 2014
00:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
00:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:02 -!- d1z [~djz@190.78.147.229] has quit [Ping timeout: 240 seconds]
00:05 <@krzee> !netman
00:06 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
00:06 <@krzee> !ubuntu
00:06 <@vpnHelper> "ubuntu" is dont use network manager!
00:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yjfxfgvkiwxxunga] has joined #openvpn
00:18 -!- d1z [~djz@190.78.147.229] has joined #openvpn
00:27 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
00:29 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
00:38 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 252 seconds]
00:41 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
00:41 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
00:42 <+jeev> oy
00:42 <+jeev> it should be
00:42 <+jeev> dont use ubuntu
00:45 -!- mattock_afk is now known as mattock
00:50 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 240 seconds]
00:51 -!- Dimtree [~Dimitri@r75-110-125-114.rmntcmtc02.rcmtnc.ab.dh.suddenlink.net] has quit [Read error: Connection reset by peer]
00:57 -!- lvv_ [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:57 < lvv_> hoi
01:00 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
01:01 -!- lvv [~loganaden@2001:4290:10:250:d85d:1718:e3a7:9688] has quit [Ping timeout: 244 seconds]
01:01 -!- lvv_ is now known as lvv
01:08 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 240 seconds]
01:13 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
01:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:20 -!- d1z [~djz@190.78.147.229] has quit [Ping timeout: 264 seconds]
01:23 < MorgyN> ubuntu, african for "can't use debian"
01:23 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
01:24 < lvv> MorgyN: lol
01:29 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
01:33 -!- d1z [~djz@li673-120.members.linode.com] has joined #openvpn
01:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:41 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
01:42 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:46 -!- d1z [~djz@li673-120.members.linode.com] has quit [Ping timeout: 240 seconds]
02:03 -!- traph [~traph@46.10.9.133] has joined #openvpn
02:03 -!- traph [~traph@46.10.9.133] has quit [Changing host]
02:03 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
02:03 <@krzee> jeev,
02:03 <@krzee> !bestos
02:03 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
02:03 <@krzee> ;]
02:04 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
02:06 -!- master_o1_master [~master_of@p4FF2494B.dip0.t-ipconnect.de] has joined #openvpn
02:06 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
02:07 -!- lvv_ [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
02:09 -!- Pei_ [~pei@thinks.outside.theb0x.org] has joined #openvpn
02:11 -!- Netsplit *.net <-> *.split quits: Pei, master_of_master, james41382, kloeri, JackWinter, markus__, pnielsen, mitz, kossy, _FBi,  (+13 more, use /NETSPLIT to show all of them)
02:11 -!- lvv_ is now known as lvv
02:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yjfxfgvkiwxxunga] has quit [Quit: Connection closed for inactivity]
02:43 -!- Netsplit over, joins: soapee01_
02:52 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
03:00 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:00 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
03:00 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
03:00 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
03:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
03:00 -!- Protected [Join@from.myshelter.net] has joined #openvpn
03:00 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
03:00 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
03:00 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
03:00 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:00 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:00 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
03:00 -!- markus__ [~markus@185.5.44.31] has joined #openvpn
03:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:00 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
03:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
03:00 -!- meepmeep_ [meepmeep@end.of.cylind.re] has joined #openvpn
03:02 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
03:02 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
03:02 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
03:12 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 240 seconds]
03:13 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:18 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
03:30 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
03:36 -!- soapee01_ [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
03:43 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
04:04 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 240 seconds]
04:06 -!- mndo [~mndo@bl17-90-175.dsl.telepac.pt] has joined #openvpn
04:08 -!- mattock is now known as mattock_afk
04:09 -!- mattock_afk is now known as mattock
04:18 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
04:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:50 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
04:51 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
04:51 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
04:53 < Ulrar> Hi, I have a problem with my VPN. It connects fine, but as soon as I start as I use it (like going on a website), it restarts the connection with a SIGUSR1
04:54 < Ulrar> I have added verb 5 on the server but I don't see any errors
04:54 < Ulrar> Is there a way to get debug logs on a windows client ?
04:55 -!- p3rror [~mezgani@196.201.78.139] has quit [Client Quit]
05:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
05:09 -!- dazo_afk is now known as dazo
05:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
05:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
05:19 < le0> hola all. I want to implement a scenario where a vpn client dials up to my openvpn server, and allows my server to get to any client side networks my openvpn client is aware of. do i need to be using ccds?
05:31 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
05:35 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:38 -!- MacGyver_ [~MacGyver@sog.polvanaubel.com] has quit [Quit: leaving]
05:38 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
05:39 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Changing host]
05:39 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
05:43 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
05:46 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
05:47 -!- joshh20z [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
05:48 -!- joshh20z is now known as joshh20
05:48 -!- a [d@64.111.123.163] has joined #openvpn
05:48 -!- a is now known as Guest84615
05:48 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
05:48 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (asimov.freenode.net (Nickname regained by services))]
05:48 -!- XJR-9_ is now known as XJR-9
05:50 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
05:50 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
05:51 -!- lordnikkon is now known as Guest47675
05:53 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
05:53 -!- omrib_ [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
05:54 -!- megaTherion_ [~therion@unix.io] has joined #openvpn
05:54 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-wnthbzghvhifjzzg] has joined #openvpn
05:55 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
05:55 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 265 seconds]
05:55 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
05:55 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 265 seconds]
05:55 -!- catsup [d@64.111.123.163] has quit [Ping timeout: 265 seconds]
05:55 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
05:55 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
05:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
05:56 -!- 1JTAAGP4P [~levifig@hakr.io] has quit [Ping timeout: 265 seconds]
05:56 -!- lordnikk1n [~marme@li388-49.members.linode.com] has quit [Ping timeout: 265 seconds]
05:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
05:56 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 265 seconds]
05:56 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 265 seconds]
05:56 -!- yoavz- [yoavz@yoavz.net] has joined #openvpn
05:56 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
05:56 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
05:56 -!- yoavz- [yoavz@yoavz.net] has quit [Remote host closed the connection]
05:56 -!- viperZ28 [uid11066@gateway/web/irccloud.com/x-wdjsrtsbhpuiccwo] has quit [Ping timeout: 265 seconds]
05:56 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 265 seconds]
05:56 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has quit [Ping timeout: 265 seconds]
05:56 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 265 seconds]
05:56 -!- megaTherion [~therion@unix.io] has quit [Quit: ZNC - http://znc.sourceforge.net]
05:56 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
05:56 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
05:56 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
05:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
05:56 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 265 seconds]
05:56 -!- mode/#openvpn [+o krzee] by ChanServ
05:56 -!- mback2k_ [~freenode@89.238.84.46] has joined #openvpn
05:56 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
05:56 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has joined #openvpn
05:57 -!- viperZ28_ is now known as viperZ28
05:57 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
05:58 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
06:00 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
06:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:03 -!- levifig [~levifig@hakr.io] has joined #openvpn
06:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
06:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
06:05 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
06:06 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
06:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
06:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:19 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
06:19 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 244 seconds]
06:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
06:28 < le0> question: do client-config-dirs only work when you use certs for auth? or will pam auth also work?
06:31 <@ecrist> you can use the auth username 
06:31 <@ecrist> but it requires a specific option in the server config, check the man page
06:31 < le0> thx
06:33 -!- loompek [~noname@unaffiliated/loompek] has quit [Read error: Connection reset by peer]
06:34 < busch> If im using openvpn with a static key (Point-to-Point). Client 1 ist connected. Client 2 with the same static key connects to the same openvpn instance. What happens?
06:34 <@ecrist> try it. :)
06:35 < busch> ecrist: No time :)
06:35 <@ecrist> why is my time less valuable?
06:36 < busch> Im confused. Here: https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html "Limited scalability -- one client, one server".
06:36 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
06:36 <@ecrist> you cannot have more than one "client"
06:36 < busch> Here: https://openvpn.net/index.php/open-source/documentation/howto.html "This key should be copied over a pre-existing secure channel to the server and ALL client machines"
06:36 <@vpnHelper> Title: HOWTO (at openvpn.net)
06:36 <@ecrist> it's a one-to-one relationship
06:37 < busch> OK, then why "all client machines"?
06:38 <@ecrist> you need to use certificates
06:39 < busch> I know. Im run my own PKI since 2009
06:39 -!- busch was kicked from #openvpn by ecrist [you're confusing and contradicting]
07:28 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:31 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
07:40 < Ulrar> My problem seem to be the windows firewall
07:41 < Ulrar> I tried to add the push of route-metric 512 and the route 0.0.0.0 0.0.0.0, but that doesn't solve
07:41 < Ulrar> disabling the windows firewall does solve though
07:41 < Ulrar> Any idea of how to make that work with the firewall ?
07:44 <@plaisthos> push "redirect-gateway def1" is probably the thing you want
07:48 -!- enbergj [~enbergj@ec2-54-246-148-207.eu-west-1.compute.amazonaws.com] has left #openvpn []
07:51 < Ulrar> I already have that
07:51 < Ulrar> Without the firewall everything works fine, with the firewall it only works for a few bytes, then it reset the connection, works for a few bytes, reset ..
07:52 < Ulrar> No error on either side with verb 7, I guess the firewall must kill the connection somehow
07:55 -!- megaTherion_ is now known as megaTherion
08:07 -!- makara [~makara@41.164.22.218] has quit [Read error: Operation timed out]
08:09 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
08:13 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:13 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
08:13 -!- takamichi [~takamichi@85.12.8.106] has quit [Max SendQ exceeded]
08:14 -!- takamichi [~takamichi@85.12.8.106] has joined #openvpn
08:31 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:36 -!- funnel [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
08:36 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 265 seconds]
08:36 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
08:50 -!- funnel [~funnel@unaffiliated/espiral] has quit [Changing host]
08:50 -!- funnel [~funnel@unaffiliated/motley] has joined #openvpn
08:53 -!- funnel [~funnel@unaffiliated/motley] has quit [Changing host]
08:53 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
08:59 -!- soapee01_ is now known as soapee01
08:59 -!- takamichi [~takamichi@85.12.8.106] has quit [Ping timeout: 264 seconds]
08:59 -!- klein [~klein@187.85.191.52] has joined #openvpn
08:59 -!- klein [~klein@187.85.191.52] has quit [Changing host]
08:59 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:02 -!- funnel [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
09:02 -!- funnel [~funnel@23.226.237.192] has joined #openvpn
09:02 -!- funnel [~funnel@23.226.237.192] has quit [Changing host]
09:02 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
09:09 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
09:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
09:35 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:44 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
09:45 -!- dls [~dls@gateway/tor-sasl/dls] has joined #openvpn
09:46 -!- mumixam [~m@unaffiliated/mumixam] has joined #openvpn
09:54 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Operation timed out]
10:07 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
10:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Remote host closed the connection]
10:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:19 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
10:21 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 264 seconds]
10:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:52 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
10:56 -!- dls [~dls@gateway/tor-sasl/dls] has quit [Quit: dls]
11:11 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:12 -!- mndo [~mndo@bl17-90-175.dsl.telepac.pt] has quit [Remote host closed the connection]
11:16 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
11:16 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
11:16 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
11:23 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:23 -!- mode/#openvpn [+o raidz] by ChanServ
11:38 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dtqshpyjunaqqddb] has joined #openvpn
11:47 < [diecast]> my vpn network is 10.8.0/24 and some of my clients have 192.168.0/24 as their LAN, my LAN is 10.0.1/24, if I push route 192.168 on the openvpn master will I be able to access that network from my local machine using the ip directly (ssh 192168.0.100 for example)
11:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
11:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
12:00 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
12:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:29 < Rienzilla> [diecast]: machines in both ends of the network need to be able to find a route to the other side
12:30 -!- dimitry7 [~antonello@38.124.174.31] has quit [Quit: Leaving]
12:31 < [diecast]> Rienzilla found this - http://community.openvpn.net/openvpn/wiki/RoutedLans
12:31 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
12:32 < [diecast]> looks like what i want
12:36 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:55d5:6553:11f5:f5bb] has quit [Quit: Leaving]
12:49 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:2881:af2d:36b6:fd90] has joined #openvpn
12:50 -!- traph [~traph@46.10.9.133] has joined #openvpn
12:50 -!- traph [~traph@46.10.9.133] has quit [Changing host]
12:50 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
12:59 -!- cripto [~joubin@li131-215.members.linode.com] has quit [Ping timeout: 252 seconds]
13:00 -!- marlinc_ is now known as Marlinc
13:00 -!- cripto [~joubin@li131-215.members.linode.com] has joined #openvpn
13:06 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
13:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
13:09 -!- nibbo_ [nibbo@gateway/shell/blinkenshell.org/x-bobtqzlumyitjgga] has quit [Ping timeout: 264 seconds]
13:09 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-attvmqpogvsazdsm] has joined #openvpn
13:17 -!- levifig [~levifig@hakr.io] has quit [Disconnected by services]
13:18 -!- levifig_ is now known as levifig
13:20 -!- master_o1_master [~master_of@p4FF2494B.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
13:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
13:24 -!- master_of_master [~master_of@p4FD7B1EC.dip0.t-ipconnect.de] has joined #openvpn
13:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
13:29 -!- vail [~vail@gateway/tor-sasl/vail] has joined #openvpn
13:38 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:45 -!- gphat [~gphat@173.247.206.130] has joined #openvpn
13:46 < gphat> If I'm using the same key/cert combo for multiple clients and have duplicate-cn enabled, will openvpn assign me the same VPN IP if two clients come from the same IP?
13:46 < gphat> in my tests, I'm getting the same IP for two connections
13:47 < gphat> i am using the same client cert and key
13:47 < gphat> and I have duplicate-cn uncommented
13:47 < gphat> but since I'm behind a nat with each machine…
13:48 -!- mattock is now known as mattock_afk
13:48 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
13:48 < justinzane> hello all
13:49 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
14:09 < justinzane> !paste
14:09 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
14:10 < justinzane> This is my goal: https://gist.github.com/justinzane/9375578
14:10 <@vpnHelper> Title: OpenVPN Sketch (at gist.github.com)
14:12 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
14:13 < justinzane> I am having difficulty determining what an ideal OpenVPN setup is for the scenario where an OpenVPN server on a cloud host acts as a virtual "switch" for various and sundry hosts dependent on ISPs/Hotels/CellCarriers for basic IP access.
14:14 -!- jp_cognet [~jp@173-228-102-130.dedicated.static.sonic.net] has joined #openvpn
14:14 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
14:15 < justinzane> Though I do not believe that there is any need to have layer 2 traffic passed and I think that avoiding "dev-type tap" would be better for performance and cost reasons, the analogy between bridged VPN and a switch is appropriate.
14:16 < jp_cognet> can anybody give me some insight on this problem I'm facing? basically I have a script that runs on my openvpn server, and I want it to run whenever a client connects. The script needs to be run from the server not the client. Will the --up command work for me in the situation? or is there another way to do this?
14:16 -!- michaelhart [~michaelha@192.237.177.15] has quit [Client Quit]
14:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:20  * justinzane not an expert
14:21 < justinzane> jp_cognet: have you tried with a simple "#!/bin/sh\necho "asdf" >> /tmp/test\n" type script
14:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 240 seconds]
14:32 -!- dazo is now known as dazo_afk
14:33 < justinzane> !goal
14:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:35 < justinzane> !welcome
14:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 244 seconds]
14:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
14:48 -!- joshh20 is now known as joshh20-Away
14:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 244 seconds]
14:58 -!- dzubey [~dzubey@68.14.254.200] has joined #openvpn
15:00 < justinzane> jp_cognet: have you looked at "--client-connect cmd"
15:01  * justinzane deafened by the silence
15:03 <@ecrist> shh
15:03  * ecrist idles
15:07  * Eugene revs ecrist' throttle
15:12 -!- Denial [Denial@176.250.208.188] has quit [Ping timeout: 240 seconds]
15:22 < justinzane> ecrist: any thoughts on the above goal?
15:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:23 < justinzane> Eugene: ?
15:24 <@Eugene> I think I need a drink
15:25 <@Eugene> It sounds like you're trying to connect multiple machones via a single openvpn instance
15:25 < [diecast]> trying to build a client key
15:25 < [diecast]> error on line 120 of /etc/openvpn/easy-rsa/openssl.cnf
15:25 < [diecast]> 139797318526624:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 120
15:25 <@Eugene> Yes, that's totally possible to do
15:25 <@Eugene> !route
15:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:25 <@vpnHelper> client
15:26 <@Eugene> See also !clientlan and !serverlan for some tips
15:26 <@Eugene> Getting the basic openvpn up+running so you can `ping` is the hardest part, with PKI being the most difficult to get over. The !howto tells all.
15:26 <@Eugene> [diecast] - cool. sounds like an openssl bug and/or a badly handled string.
15:26 < jp_cognet> justinzane, thank you very much
15:27 < jp_cognet> I think that is exactly what I'm looking for
15:27 < [diecast]> Eugene ok
15:27 <@Eugene> jp_cognet - --client-connect is what you want
15:27 < justinzane> single client to server works fine.
15:27 < [diecast]> bummer... #openssl seems to be a wasteland
15:28 < jp_cognet> eugene, if I want to add this to my server.conf file. do I just do client-connect script.sh?
15:28 <@Eugene> jp_cognet - yup
15:28 < jp_cognet> nice, ty
15:29 < justinzane> Eugene: just trying to determine the ideal architecture given the constraints of various ISPs/Carriers/Hotels/Foo (which I do not have a good understanding of) and the amount of bandwidth cost saved by avoiding broadcast ethernet frames (which I also do not have a clear idea of)
15:29 < justinzane> The PKI works
15:30 <@Eugene> justinzane - tl;dr you want tun / routed unless you know otherwise. Trust me.
15:30 < justinzane> But I'm looking for advice/experience from those who have dealt with this.
15:31 <@Eugene> And we're the experience
15:32 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 244 seconds]
15:32 < justinzane> Eugene: I've set up both in the past. I've used tap/bridge for specific needs in the past (when I was dealing with archaic versions of Windows); however, this is the first time I'm setting up something including mostly mobile modes
15:35 -!- woshty [~irc@84.200.211.57] has joined #openvpn
15:35 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
15:35 < woshty> !welcome
15:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:39 -!- BtbN [btbn@btbn.de] has joined #openvpn
15:40  * justinzane being stupid
15:40 < justinzane> What is wrong with `push            "route 192.168.2.0 255.255.255.0 192.168.2.1"`
15:41 < justinzane> it gives me `/usr/bin/ip route add 192.168.2.0/24 via 192.168.2.1 RTNETLINK answers: Network is unreachable`
15:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
15:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:49 < [diecast]> is there dead peer detection by default in openvpn clients?
15:49 < [diecast]> i have an instance out in the wild with infinite re-connect, but i just restarted the server and it's not coming back on
15:51 -!- joshh20-Away is now known as joshh20
15:53 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Remote host closed the connection]
15:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 265 seconds]
15:54 < dzubey> didn't use --ping-restart or --ping-exit?
15:55 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
15:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:00 < dzubey> [diecast] you didn't use --ping-restart nor --ping-exit on the client?
16:03 < [diecast]> no
16:03 < [diecast]> it will forever be disconnected until i restart the service then?
16:04 < dzubey> have you tried blocking the ip via iptables for awhile? Think ping-restart 30 is the default, don't remember though
16:04 < [diecast]> ill try that
16:06 < justinzane> Configs:
16:06 < justinzane> https://gist.github.com/justinzane/005ab2d2acac359dceff
16:06 <@vpnHelper> Title: openvpn conf (at gist.github.com)
16:07 < justinzane> Cannot get the push route right
16:09 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
16:10 < Tykling> hello there, https://openvpn.net/index.php/download/60-open-source/faq.html mentions the 'benefit of "perfect forward secrecy"' when using a tls-auth - do I need to do anything apart from using tls-auth to get PFS ?
16:10 <@vpnHelper> Title: Downloads (at openvpn.net)
16:11 < [diecast]> egrep -v '^#|^;' server.conf | awk '/./'
16:12 < [diecast]> why do you have ifconfig in there
16:13 < justinzane> keep getting WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
16:13 < justinzane> I *explicitly* want to have all the client on the same public subnet
16:14 < [diecast]> what do you mean by public
16:14 < [diecast]> a publicly routable address
16:17 -!- klein [~klein@187.85.191.52] has joined #openvpn
16:17 -!- klein [~klein@187.85.191.52] has quit [Changing host]
16:17 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
16:18 < justinzane> [diecast]: sorry, didn't know you were talking to me
16:18 < justinzane> and I meant private subnet
16:19 < justinzane> like 192.168.3.0/24
16:19 < [diecast]> the clients can talk to each others subnet if you supply the routes
16:19 < [diecast]> but they should be on their own unique subnet
16:20 < [diecast]> did you look at https://community.openvpn.net/openvpn/wiki/RoutedLans
16:20 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
16:20 < [diecast]> it sounds like what you want to do exactly
16:21 < justinzane> [diecast]: So, what you are saying is that there is no good way to emulate a lan via layer 3. Looking at the link, it seems like a very bad idea to use routing for a large number of communicating clients
16:22 < justinzane> have to deal with too many routes and the routing vagaries of various OSs
16:23 < [diecast]> you really need to access the LAN behind all of your clients?
16:23 < justinzane> **Yes**
16:23 < [diecast]> well then this is what you must do
16:23 < justinzane> That is the entire point of this excercise.
16:24 < [diecast]> you are sure you don't want everyone talking on 10/8 ?
16:24 < [diecast]> regardless of local LAN
16:24 < justinzane> dont' much care
16:24 < [diecast]> then just use the tun device and server route
16:24 < [diecast]> server 10.0.0.0 255.0.0.0
16:25 < justinzane> So how do the clients automatically get updated routes when another client joins/leves the vpn?
16:25 < [diecast]> they dont need to
16:25 < [diecast]> its one route
16:26 < [diecast]> to rule them all!
16:26  * justinzane missing old knowledge
16:26 < [diecast]> all clients will be on this network
16:26 < justinzane> so, how do the clients know who is "available" without recieving updates from the server?
16:26 < [diecast]> client1 connected, gets 10.0.0.100, client2 gets 10.0.0.101.... they can ping each other
16:26 < [diecast]> they can ssh, whatever
16:27 < [diecast]> justinzane im not sure i understand
16:27 < [diecast]> have them register the ip with dns or something
16:28 < justinzane> [diecast]: Does OpenVPN do secure updates to bind?
16:28 < justinzane> automatically?
16:28 < [diecast]> i dont know, but i wouldnt use openvpn for that
16:29 < [diecast]> use the connect.sh script to do it
16:29 < justinzane> Can Openvpn do passthrough DHCP to ISC-DHCP?
16:30 -!- mumixam [~m@unaffiliated/mumixam] has quit [Ping timeout: 265 seconds]
16:31 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
16:31 < justinzane> For example, I want my laptop to be know as "justin-14z.dom.tld" --  How do I make sure that every box on the virtual LAN (VPN) can get resolve "justin-14z.dom.tld" to whatever IP OpenVPN assigns it.
16:32 < justinzane> I am trying to accomplish network transparent mobility, not simply remote access to a fixed server.
16:32 < justinzane> [diecast]: does that make what I want clearer?
16:40 < phreakocious> justinzane: I don't know of a way to do dynamic DNS built into openvpn
16:40 < phreakocious> I have scripts that do the DNS updates based on the log files that run out of cron for that
16:40 < justinzane> phreakocious: what about using ISC dhcpd for address assignment instead of ifconfig-pool?
16:41 < phreakocious> openvpn doesn't really do DHCP
16:41 < phreakocious> so I don't know that it's an option
16:41 < [diecast]> ya, you're going to want to manage things outside of openvpn, your getting beyond it's scope.
16:41 < phreakocious> unless you go all layer 2 or something, but that's a lot of weirdness
16:41 < justinzane> Can you use dhcp in a straight layer 2 setup?
16:42 < justinzane> Why does everyone hate? avoid? layer 2
16:42 < phreakocious> never tried it by no reason why you couldn't that I can see
16:42 < phreakocious> mainly because layer 2 is a LAN protocol and adds overhead
16:43 < [diecast]> because its dumb. literally. =)
16:43 < phreakocious> that was poorly worded, but the message is accurate :)
16:44 < pekster> justinzane: Use a server-side connect script to perform DNS zone updates; ideally use a public zone so that you don't need to do trickery on your clients, otherwise it's your responsibility to use your "private" DNS server for queries to your VPN zone (read about that in !pushdns, but really, using proper public zones is far easier)
16:44 < [diecast]> pekster thats what i said
16:44 < [diecast]> use the connect script
16:45 < [diecast]> dzubey after blocking the ip the client came back
16:45 < [diecast]> good idea, looks like there is a default retry built-in
16:45 < justinzane> ok, [diecast], pekster, any links to known working scripts?
16:45 < pekster> No, you need to write one
16:45 < pekster> !scripts
16:46 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
16:46 < [diecast]> should be trivial
16:46 < pekster> It will depend highly on your setup (thus the part where you need to implement it)
16:46 < [diecast]> depending on who does your dns
16:46 < [diecast]> route53, simple
16:46 < justinzane> [diecast]: Me, using bind9, VPN cloud box is a secondary
16:47 < justinzane> master is tucked away at home
16:47 < [diecast]> there ya go, could be a one-liner
16:47 < pekster> Not if the master is "somewhere else" -- then it's your job to send it to the master from the openvpn system, freeze the zone, change it (don't forget the serial increment), & thaw it
16:47 < justinzane> unfortunately, master will be behind one of the clients, unless I move it.
16:48 < pekster> Not sure how you plan to do that as a one-liner. Maybe 'source /usr/local/lib/complex-dns-library.sh && go_do_complex_dns_stuff', but that's not really a one-liner..
16:48 < justinzane> I had hidden it as per a bind security suggestion
16:48 < justinzane> So, I have to move it. Oh, well.
16:48 -!- kirin` [telex@gateway/shell/anapnea.net/x-bbgfvjxmlwptfyrg] has quit [Ping timeout: 264 seconds]
16:48 < pekster> Why not just make the master on the VPN box? Then all you have to do is set up transfers
16:49 < phreakocious> you can do dynamic zone updates with bind just using keys
16:49 < phreakocious> then the master can be anywhere
16:49 < pekster> That's my point, yes
16:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-uzchbsfpnstczxwy] has joined #openvpn
16:50 < phreakocious> I'd offer up a sanitized version of the script I use but it would probably be just as easy to write one new
16:50 < [diecast]> nsupdate -k my.dns.update.key ?
16:50 -!- mikemol [~mikemol@162.17.129.77] has quit [Read error: Operation timed out]
16:59 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 264 seconds]
17:02 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
17:06 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
17:11 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:12 -!- vail [~vail@gateway/tor-sasl/vail] has quit [Quit: vail]
17:16 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:19 < justinzane> phreakocious: Master cannot be behind a dhcp address to do secure updates, though. And, where I am going, I cannot get a static IP. So, master will move to the cloud...
17:29 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Remote host closed the connection]
17:29 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
17:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dtqshpyjunaqqddb] has quit [Quit: Connection closed for inactivity]
18:07 -!- jp_cognet [~jp@173-228-102-130.dedicated.static.sonic.net] has quit [Quit: Leaving]
18:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Read error: Operation timed out]
18:33 -!- liriel [~liriel@198.154.114.106] has quit [Ping timeout: 264 seconds]
18:38 -!- liriel [~liriel@198.154.114.106] has joined #openvpn
18:39 -!- Protected [Join@from.myshelter.net] has quit [Quit: Gone.]
18:41 -!- gphat [~gphat@173.247.206.130] has quit [Remote host closed the connection]
18:42 -!- mikemol [~mikemol@2001:470:c5b9:beef:ccc:dcbe:c84d:7d60] has joined #openvpn
18:42 -!- gphat [~gphat@173.247.206.130] has joined #openvpn
18:46 -!- gphat [~gphat@173.247.206.130] has quit [Ping timeout: 240 seconds]
18:55 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 244 seconds]
19:26 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 244 seconds]
19:30 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
19:35 -!- __raven [~raven@dslb-178-002-131-181.pools.arcor-ip.net] has joined #openvpn
19:38 -!- __raven_ [~raven@dslb-178-002-136-217.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
19:45 -!- tommydo [~tom@198.55.125.172] has joined #openvpn
19:51 < tommydo> if one computer is running openvpn, can another just patch into it (via route), or do the packets need to actually go through the server on the lan???
19:52 < tommydo> no openvpn on router or modem, just this box
20:04 -!- joshh20 is now known as joshh20-Away
20:17 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
20:27 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 264 seconds]
20:32 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
20:46 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Ping timeout: 252 seconds]
20:49 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
20:50 -!- klein [~klein@187.85.191.52] has joined #openvpn
20:50 -!- klein [~klein@187.85.191.52] has quit [Changing host]
20:50 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
21:02 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Ping timeout: 264 seconds]
21:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
21:19 -!- WinstonSmith [~WinstonSm@bl9-220-28.dsl.telepac.pt] has joined #openvpn
21:19 -!- WinstonSmith [~WinstonSm@bl9-220-28.dsl.telepac.pt] has quit [Changing host]
21:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:37 -!- mikemol [~mikemol@2001:470:c5b9:beef:ccc:dcbe:c84d:7d60] has quit [Remote host closed the connection]
22:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:32 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
22:53 -!- tommydo [~tom@198.55.125.172] has quit [Quit: Leaving]
22:56 -!- sandeepr_ltp [sandeepr_l@nat/hp/x-xfjvuwfapitrmsau] has joined #openvpn
22:56 -!- sandeepr_ltp [sandeepr_l@nat/hp/x-xfjvuwfapitrmsau] has quit [Read error: Connection reset by peer]
23:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:46 -!- makara [~makara@41.164.22.218] has joined #openvpn
23:53 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
--- Day changed Thu Mar 06 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 244 seconds]
00:43 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
00:50 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
01:06 -!- p3rror [~mezgani@196.201.78.139] has quit [Quit: Leaving]
01:23 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
01:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:41 -!- mattock_afk is now known as mattock
01:46 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:55 -!- Eneerge [eneergealt@unaffiliated/eneerge] has quit [Ping timeout: 260 seconds]
01:58 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
02:00 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
02:03 -!- traph [~traph@46.10.9.133] has joined #openvpn
02:03 -!- traph [~traph@46.10.9.133] has quit [Changing host]
02:03 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
02:05 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
02:05 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
02:05 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
02:06 < Eneerge> is there anyway to specify multiple ciphers in a certain order so you can prefer them over the other
02:07 < Eneerge> similar to how you can do the same against web servers
02:10 <@krzee> i know you can set the cipher, not sure if it takes multiple values but you can see --cipher
02:10 <@krzee> but you can definitely lock it down to a single cipher
02:10 <@krzee> see --cipher in the manual i meant
02:16 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
02:31 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
02:35 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
02:38 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
02:44 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
02:46 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
02:47 < Tykling> is it safe to have all clients use the same keys as long as I also use tls-auth to make sure I have PFS ?
02:48 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:50 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
02:50 -!- iokill_ [~iokill@91.114.127.102] has joined #openvpn
02:51 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
02:51 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 240 seconds]
02:54 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
02:56 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:06 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
03:09 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 265 seconds]
03:09 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:19 < Eneerge> Tykling, I think that would open the potential for malevolent clients to decrypt and eavesdrop in on other clients... the client is already on the network. They could theoretically capture all packets and have an automated system for decrypting the data with each new key
03:19 < Tykling> Eneerge: but I thought using tls-auth keys would prevent that ?
03:34 < Eneerge> Thinking about the logic, it seems like it could be secure depending on how the authentication works. The tls-key could serve as a symmetric key for the data, but only if you also use the username:password so the authentication can take place outside of the data area. So basically, it authenticates the user credentials, and then decrypts the additional level of encrypted text. I'm not sure
03:34 < Eneerge> thats how the tls key is implemented, though
03:34 < Eneerge> how the tls key is implemented, though
03:36 < Eneerge> it's really just reversing the concept
03:36 < Eneerge> either give them different keys for the tls
03:36 < Eneerge> or different keys for the tls-auth
03:36 < Tykling> Eneerge: https://openvpn.net/index.php/download/60-open-source/faq.html says "In addition, if you use SSL/TLS authentication, you have the benefit of "perfect forward secrecy"."
03:36 <@vpnHelper> Title: Downloads (at openvpn.net)
03:37 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Read error: Connection reset by peer]
03:38 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
03:38 < Eneerge> well yeah, if you use diffie hellman, that provides the perfect forward secrecy part
03:38 < Eneerge> but pfs is still vulnerable
03:39 < Eneerge> but it would be extremely rare to see an attack like that
03:41 -!- iokill_ [~iokill@91.114.127.102] has quit [Read error: Connection reset by peer]
03:41 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has joined #openvpn
03:42 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
03:43 -!- p3rror [~mezgani@41.249.10.52] has joined #openvpn
03:44 < Eneerge> yeah, the tls-key doesnt work like that. it's a single tls key
03:44 < Eneerge> so if you think about that, all clients will have the tls-auth key as well
03:44 < Eneerge> so clients on the network could decrypt the traffic if you used the same key
03:47 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
03:48 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:49 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
03:49 -!- Devastator [~devas@177.18.198.165] has joined #openvpn
04:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:17 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 244 seconds]
04:21 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
04:21 -!- dazo_afk is now known as dazo
04:22 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
04:27 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has quit [Ping timeout: 244 seconds]
04:28 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
04:31 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has joined #openvpn
04:36 -!- n13z [~iosick@unaffiliated/n13z] has quit [Read error: Connection reset by peer]
04:50 -!- p3rror [~mezgani@41.249.10.52] has quit [Ping timeout: 265 seconds]
05:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 265 seconds]
05:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:05 -!- Denial [Denial@176.250.208.188] has joined #openvpn
05:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:13 -!- Eneerge [eneergealt@unaffiliated/eneerge] has quit [Ping timeout: 256 seconds]
05:16 -!- Eneerge [eneergealt@ipv6.eneerge.org] has joined #openvpn
05:16 -!- Eneerge [eneergealt@ipv6.eneerge.org] has quit [Changing host]
05:16 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
05:26 -!- p3rror [~mezgani@41.249.10.52] has joined #openvpn
05:35 -!- mattock is now known as mattock_afk
05:38 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 265 seconds]
06:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
06:10 -!- mezgani [~mezgani@41.248.183.185] has joined #openvpn
06:10 -!- p3rror [~mezgani@41.249.10.52] has quit [Ping timeout: 265 seconds]
06:11 -!- jfig [~jfig@mail3.aces.ascendi.pt] has joined #openvpn
06:12 -!- jfig [~jfig@mail3.aces.ascendi.pt] has quit [Client Quit]
06:14 -!- jfig [~jfig@mail3.aces.ascendi.pt] has joined #openvpn
06:24 -!- N34lO [~weechat@2a00:12d8:2:7:ccc::ca7] has joined #openvpn
06:25 < N34lO> hi, is IPv6 over OpenVPN working?
06:25 < N34lO> I can ping the other end via IPv4 but noch IPv6
06:26 <@plaisthos> yes. OpenVPN 2.3+ supports IPv6
06:26 -!- mode/#openvpn [-o plaisthos] by plaisthos
06:27 < N34lO> ok, gread that debian uses 2.2 >.<
06:27 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
06:28 < N34lO> plaisthos: thanks anyway
06:28 -!- N34lO [~weechat@2a00:12d8:2:7:ccc::ca7] has left #openvpn ["The answer was 0x2A!"]
06:34 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
06:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
06:45 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:45 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:45 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:54 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
07:04 -!- defswork [~andy@141.0.50.105] has quit [Remote host closed the connection]
07:07 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
07:08 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:10 -!- mezgani [~mezgani@41.248.183.185] has quit [Ping timeout: 240 seconds]
07:17 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:23 -!- mezgani [~mezgani@196.201.78.139] has joined #openvpn
07:23 -!- gardar- [~gardar@bnc.giraffi.net] has quit [Quit: ZNC - http://znc.in]
07:24 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
07:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
07:30 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
07:34 -!- Devastator [~devas@177.18.198.165] has quit [Changing host]
07:34 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
07:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:51 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:02 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:04 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 245 seconds]
08:07 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 265 seconds]
08:12 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 240 seconds]
08:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:27 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
08:46 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:55 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
08:57 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:13 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
09:17 -!- lj [~l@192.241.174.169] has joined #openvpn
09:23 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
09:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:28 -!- mezgani [~mezgani@196.201.78.139] has quit [Ping timeout: 240 seconds]
09:31 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
09:33 -!- f0cker [~f0cker@host86-151-62-164.range86-151.btcentralplus.com] has joined #openvpn
09:33 -!- f0cker [~f0cker@host86-151-62-164.range86-151.btcentralplus.com] has quit [Changing host]
09:33 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
09:45 -!- mezgani [~mezgani@41.248.183.185] has joined #openvpn
09:53 -!- gphat [~gphat@173.247.206.130] has joined #openvpn
10:01 -!- N34lO [~weechat@2a00:12d8:2:7:ccc::ca7] has joined #openvpn
10:02 -!- mattock_afk is now known as mattock
10:03 < N34lO> hi, I still have some problems with IPv6, i now upgraded to openvpn "2.3.2-7~bpo70+1", the IPv6 Addresses are now shown correctly and added to the tap dev but still i can't ping the other end (IPv4 is working)
10:04 <@ecrist> check your firewall and routing
10:06 < N34lO> ecrist: ah ... fuck icmpv6 ... ip6tables accepts icmp but it doesn't help if i only allow that >.<
10:07 < N34lO> thanks
10:08 < markus__> what happens if u have an ovpn server enable with both v4+v6 but the client running older version with openvpn which only allows ipv4?
10:09 < markus__> will the client connection break because of lacking of ipv6 support?
10:10 -!- joonty_ [~joonty@87-194-18-68.bethere.co.uk] has joined #openvpn
10:12 < N34lO> well the server ipv4 only + client with ipv6&ipv4 works
10:12 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has quit [Ping timeout: 244 seconds]
10:12 < N34lO> otherway round i don't know markus__
10:12 < markus__> ok
10:17 -!- _f0cker_ [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has joined #openvpn
10:17 -!- _f0cker_ [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has quit [Changing host]
10:17 -!- _f0cker_ [~f0cker@unaffiliated/f0cker] has joined #openvpn
10:17 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Read error: Operation timed out]
10:20 -!- joonty_ is now known as joonty
10:25 -!- justinzane [~justinzan@tiny.justinzane.com] has quit []
10:35 -!- sauce_ is now known as sauce
10:35 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
10:35 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
10:37 -!- fred`` [fred@earthli.ng] has joined #openvpn
11:00 -!- jfig [~jfig@mail3.aces.ascendi.pt] has quit [Quit: Leaving]
11:02 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:17 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
11:35 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
11:36 -!- mattock is now known as mattock_afk
11:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:50 -!- bithash [~bithash@192.241.175.218] has joined #openvpn
11:51 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Excess Flood]
11:52 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Excess Flood]
11:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:52 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
11:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:59 -!- mattock_afk is now known as mattock
12:03 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
12:13 -!- __raven [~raven@dslb-178-002-131-181.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
12:15 -!- __raven [~raven@dslb-094-216-082-050.pools.arcor-ip.net] has joined #openvpn
12:19 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
12:20 -!- mikemol [~mikemol@162.17.129.77] has quit [Disconnected by services]
12:20 -!- mikemol1 [~mikemol@162.17.129.77] has joined #openvpn
12:20 -!- mikemol1 is now known as mikemol
12:24 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
12:25 -!- bithash [~bithash@192.241.175.218] has quit [Quit: Lost terminal]
12:25 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 244 seconds]
12:26 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 240 seconds]
12:27 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
12:28 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:34 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
12:43 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
12:45 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
12:52 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
12:54 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 264 seconds]
13:03 -!- N34lO [~weechat@2a00:12d8:2:7:ccc::ca7] has left #openvpn ["The answer was 0x2A!"]
13:06 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
13:19 -!- master_o1_master [~master_of@p4FD7BFBD.dip0.t-ipconnect.de] has joined #openvpn
13:20 -!- mattock is now known as mattock_afk
13:23 -!- master_of_master [~master_of@p4FD7B1EC.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
14:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Connection reset by peer]
14:03 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
14:03 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
14:03 -!- mattock_afk is now known as 1JTAAH089
14:05 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:16 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
14:17 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
14:18 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
14:18 < Eneerge> any of you configured your openvpn to use a hardware token for authentication?
14:19 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
14:20 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:24 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
14:26 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
14:29 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:51 <@Eugene> Eneerge - do you mean a 2FA token? There's nothing built-in to openvpn for this, but you should be able to constrict a --auth-user-pass-verify script to do it.
14:51 <@Eugene> s/constrict/construct
14:55 -!- 1JTAAH089 is now known as mattock_afk
15:02 -!- bonjurkes1 [~julia@open.barbaros.gen.tr] has joined #openvpn
15:03 < bonjurkes1> hello all, I am trying to run and connect to vpn automatically on startup on windows 8. A simple command works fine, but the problem is the UAC dialog. Is there another way to connect vpn automatically without dealing with UAC dialog on startup?
15:09 < bonjurkes1> no luck?
15:15 -!- hardcode [~hardcode@94.102.53.200] has joined #openvpn
15:15 < hardcode> Hello
15:15 < hardcode> does --auth-user-pass-verify gets called only at login or also while the connection is established?
15:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:20 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
15:26 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
15:31 -!- hardcode [~hardcode@94.102.53.200] has quit [Ping timeout: 264 seconds]
15:33 -!- gphat [~gphat@173.247.206.130] has left #openvpn ["Leaving..."]
15:36 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
15:43 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-lettoljuxomqhdib] has joined #openvpn
15:43 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 264 seconds]
15:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
15:48 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:00 -!- oO0Oo- [Elite9018@gateway/shell/elitebnc/x-gsphfvqbxqoyujlc] has quit [Quit: EliteBNC - http://elitebnc.org (Auto-Removal: idle account/not being used)]
16:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
16:10 -!- bonjurkes1 [~julia@open.barbaros.gen.tr] has quit [Quit: AnacønÐa · "It's better to be rich and healthy than poor and sick"]
16:14 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-ualespvlcldqimyr] has quit [Quit: Connection closed for inactivity]
16:25 -!- schultza [~quassel@166.70.157.138] has joined #openvpn
16:25 -!- schultza [~quassel@166.70.157.138] has left #openvpn []
16:29 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
16:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
16:36 -!- joevandyk [~ubuntu@ec2-54-235-235-220.compute-1.amazonaws.com] has quit [Quit: leaving]
16:37 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: Lorem ipsum dolor sit amet]
16:44 -!- dzubey [~dzubey@68.14.254.200] has left #openvpn ["PING 1394145877"]
16:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
16:59 <@Eugene> Initial establishment only.
17:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:04 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:06 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Read error: Connection reset by peer]
17:08 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
17:09 -!- tony [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
17:15 < tony> I lost my thumb drive with my vpn keys on it and I want to regenerate the user keys. what would be the best way to recreate the keys? I see the revoke-full but is there another way? maybe delete user? I am the only user so I guess I could rebuild the server and start over. I was just wondering if someone could point be in the best direction
17:18 < pekster> Just revoke the issued cert (so the lost and/or stolen key is useless), re-gen your CRL, upload the CRL to your server so the revoked cert can't be used. Then generate a new keypair, sign the request, and give the client a new signed cert
17:18 < pekster> A signed cert is still valid until expiration unless a valid revocation record is available
17:22 < tony> like this pkitool revoke-full client2
17:22 < pekster> Basically, yea
17:23 < pekster> You need to deal with the CRL and server stuff though
17:23 < pekster> Then the re-issuance
17:25 < tony> pekster:  thanks for the help i think i understand what to do.
17:26 -!- dazo is now known as dazo_afk
17:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
17:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:28 -!- joshh20-Away is now known as joshh20
17:39 -!- tony [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
17:40 -!- justinzane [~justinzan@tiny.justinzane.com] has quit []
17:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-lettoljuxomqhdib] has quit [Quit: Connection closed for inactivity]
18:32 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 244 seconds]
18:35 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
18:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
18:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:43 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 244 seconds]
18:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:57 -!- mikemol [~mikemol@2001:470:c5b9:beef:55b2:238d:4e62:2ac8] has joined #openvpn
19:02 -!- justinzane [~justinzan@24.49.207.88] has joined #openvpn
19:07 -!- justinzane [~justinzan@24.49.207.88] has quit [Ping timeout: 265 seconds]
19:18 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
19:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:20 -!- mikemol [~mikemol@2001:470:c5b9:beef:55b2:238d:4e62:2ac8] has quit [Remote host closed the connection]
19:25 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Read error: Connection reset by peer]
19:26 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
19:29 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
19:30 < mnathani> I am trying to accomplish OpenVPN Client on Windows 7 behind a firewall I have no control over connecting to my OpenVPN Server on Linux to allow incoming Remote Desktop Connections on a public IP on the Linux Server to get routed to the internal OpenVPN IP on the Windows OpenVPN Client. How would I go about doing this?
19:33 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Read error: Connection reset by peer]
19:34 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
19:36 -!- troyt [~troyt@2601:7:6200:1382:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
19:41 -!- justinzane [~justinzan@12.172.184.180] has quit [Ping timeout: 240 seconds]
19:49 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 264 seconds]
19:50 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
19:50 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
19:52 -!- __raven_ [~raven@dslb-092-074-212-094.pools.arcor-ip.net] has joined #openvpn
19:52 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
19:54 -!- joshh20 is now known as joshh20-Away
19:54 -!- __raven [~raven@dslb-094-216-082-050.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
19:57 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:02 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:02 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:03 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
20:03 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 240 seconds]
20:03 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 240 seconds]
20:03 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 240 seconds]
20:03 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 240 seconds]
20:03 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
20:03 -!- Devastatr [~devas@177.18.198.165] has joined #openvpn
20:03 -!- deever_ [~deever@148.251.52.112] has joined #openvpn
20:05 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:05 -!- ngharo_ [~ngharo@nexus.sypherz.com] has joined #openvpn
20:05 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:05 -!- WinstonSmith_ [~WinstonSm@bl9-220-28.dsl.telepac.pt] has joined #openvpn
20:05 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
20:06 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
20:06 -!- xMopxShe- [~xMopxShel@pa1.trolls.lv] has joined #openvpn
20:06 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 240 seconds]
20:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
20:06 -!- megaTherion [~therion@unix.io] has quit [Ping timeout: 240 seconds]
20:06 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Ping timeout: 240 seconds]
20:06 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
20:06 -!- deever [~deever@148.251.52.112] has quit [Ping timeout: 240 seconds]
20:06 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
20:06 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
20:06 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 240 seconds]
20:06 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 240 seconds]
20:06 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
20:07 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
20:07 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
20:07 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
20:08 -!- megaTherion_ [~therion@unix.io] has joined #openvpn
20:08 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
20:08 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Ping timeout: 600 seconds]
20:09 -!- xMopxShe- [~xMopxShel@pa1.trolls.lv] has quit [Client Quit]
20:09 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
20:11 -!- kirin` [telex@gateway/shell/anapnea.net/x-uzchbsfpnstczxwy] has quit [Ping timeout: 240 seconds]
20:11 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 240 seconds]
20:12 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
20:12 -!- kirin` [telex@gateway/shell/anapnea.net/x-taavaiqdhjsmcglh] has joined #openvpn
20:12 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
20:13 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:14 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:20 -!- mback2k__ [~freenode@89.238.84.46] has joined #openvpn
20:20 -!- dazol [~dazo@2001:470:de40:1021::14] has joined #openvpn
20:21 -!- dazol is now known as dazo
20:21 -!- dazo [~dazo@2001:470:de40:1021::14] has quit [Changing host]
20:21 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
20:21 -!- mode/#openvpn [+o dazo] by ChanServ
20:22 -!- kossy [a@kossy.org] has joined #openvpn
20:24 -!- MorgyN_ [~mig@island.morgyn.org] has joined #openvpn
20:24 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 265 seconds]
20:24 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
20:24 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
20:24 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 265 seconds]
20:25 -!- niel [niel@om.nom.nom.coooki.es] has quit [Ping timeout: 265 seconds]
20:25 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
20:25 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 265 seconds]
20:25 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 265 seconds]
20:25 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has quit [Ping timeout: 265 seconds]
20:25 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 265 seconds]
20:25 -!- mete- [~mete@91.247.253.160] has quit [Ping timeout: 265 seconds]
20:25 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
20:25 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
20:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
20:25 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
20:25 -!- emid_ [~emid@192.241.162.156] has quit [Ping timeout: 265 seconds]
20:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 265 seconds]
20:25 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
20:25 -!- MorgyN [~mig@island.morgyn.org] has quit [Ping timeout: 265 seconds]
20:25 -!- nunim [nunim@irc.sonicboxes.net] has quit [Ping timeout: 265 seconds]
20:25 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
20:25 -!- mback2k__ is now known as mback2k_
20:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:25 -!- mete [~mete@91.247.253.160] has joined #openvpn
20:25 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:25 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
20:25 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has joined #openvpn
20:25 -!- Netsplit *.net <-> *.split quits: Gman32, mete, Samopotamus, Zarrsh, s0meone
20:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
20:27 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:28 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
20:28 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
20:29 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
20:30 -!- MorgyN_ is now known as MorgyN
20:32 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
20:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:34 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
20:35 -!- Netsplit *.net <-> *.split quits: orutest|2, kloeri, davidmp, Devastatr, michaelhart_, james41382, markus__, kossy, _FBi, _f0cker_,  (+19 more, use /NETSPLIT to show all of them)
20:35 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
20:35 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
20:53 -!- Pei_ is now known as Pei
20:54 -!- P4k3 [~P4k3@c-5236e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Ping timeout: 245 seconds]
20:57 -!- P4k3 [~P4k3@c-5236e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
21:02 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has joined #openvpn
21:02 -!- kenyon_ [kenyon@darwin.kenyonralph.com] has joined #openvpn
21:04 -!- megaTherion [~therion@unix.io] has joined #openvpn
21:06 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 244 seconds]
21:06 -!- ferai [~quassel@kde/mitchell] has quit [Ping timeout: 244 seconds]
21:06 -!- megaTherion_ [~therion@unix.io] has quit [Ping timeout: 244 seconds]
21:06 -!- levifig [sid1908@gateway/web/irccloud.com/x-ijbgujiurorhdzef] has quit [Ping timeout: 244 seconds]
21:06 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 244 seconds]
21:06 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 244 seconds]
21:06 -!- liriel [~liriel@198.154.114.106] has quit [Ping timeout: 244 seconds]
21:06 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 244 seconds]
21:06 -!- master_o1_master [~master_of@p4FD7BFBD.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
21:06 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has quit [Ping timeout: 244 seconds]
21:06 -!- master_of_master [~master_of@p4FD7BFBD.dip0.t-ipconnect.de] has joined #openvpn
21:06 -!- liriel_ [~liriel@198.154.114.106] has joined #openvpn
21:06 -!- liriel_ is now known as liriel
21:07 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 244 seconds]
21:08 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has joined #openvpn
21:12 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:17 -!- indy_ [~indy@fantomas.bestit.cz] has joined #openvpn
21:18 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:20 -!- miruoy_ [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
21:20 -!- linlin [will@173.243.115.75] has joined #openvpn
21:24 -!- Netsplit *.net <-> *.split quits: @vpnHelper, cripto, pa, Pei, Guest47675, pylearner, +_quadDamage, MacGyver, Eagleman-, indy,  (+10 more, use /NETSPLIT to show all of them)
21:25 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
21:26 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
21:26 -!- lordnikkon is now known as Guest13000
21:28 -!- Netsplit over, joins: pylearner
21:29 -!- Netsplit over, joins: pa
21:32 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
21:33 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Operation timed out]
21:34 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Quit: ZNC - http://znc.in]
21:58 -!- tinster [~tinster@unaffiliated/tinster] has joined #openvpn
22:00 < tinster> !logs
22:01 < tinster> !welcome
22:01 < tinster> errm
22:15 -!- jtrucks_ is now known as jtrucks
22:23 < mnathani> I am trying to accomplish OpenVPN Client on Windows 7 behind a firewall I have no control over connecting to my OpenVPN Server on Linux to allow incoming Remote Desktop Connections on a public IP on the Linux Server to get routed to the internal OpenVPN IP on the Windows OpenVPN Client. How would I go about doing this?
23:09 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-mbdkhhtzfekzfqtr] has joined #openvpn
23:11 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Read error: Operation timed out]
23:17 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
23:36 -!- dren_ [dren@obsidian.recompiled.net] has quit [Ping timeout: 264 seconds]
23:41 -!- Eneerge [eneergealt@unaffiliated/eneerge] has quit [Ping timeout: 256 seconds]
23:52 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
--- Day changed Fri Mar 07 2014
00:01 -!- dren_ [~dren@69.163.43.34] has joined #openvpn
00:01 -!- Eneerge [eneergealt@unaffiliated/eneerge] has quit [Quit: ZNC - http://znc.in]
00:02 -!- Guest13000 [~marme@li388-49.members.linode.com] has quit [Read error: Operation timed out]
00:05 -!- dren_ [~dren@69.163.43.34] has quit [Ping timeout: 240 seconds]
00:09 -!- Eneerge [eneergealt@ipv6.eneerge.org] has joined #openvpn
00:09 -!- Eneerge [eneergealt@ipv6.eneerge.org] has quit [Changing host]
00:09 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
00:16 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
00:16 -!- lordnikkon is now known as Guest57872
00:56 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
01:04 -!- cheesenbiscuits [~cheesenbi@208.76.12.4] has joined #openvpn
01:04 < cheesenbiscuits> Hi Everybody
01:07 < cheesenbiscuits> I have a bit of a difficult questions to explain but here goes...
01:07 < cheesenbiscuits> I live in country 'A'...I use a DD-WRT router opperating in openvpn client mode to encrypt all data to my vpn server located in country B
01:09 < cheesenbiscuits> Whilst living in country 'A' my partner would like to another vpn-server using openvpn running on thier laptop through my dd-wrt openvpn client router to country 'C'.
01:09 < cheesenbiscuits> *would like to CONNECT to another
01:10 < cheesenbiscuits> the problem is that when they connect to via the laptop from country 'A' to country 'C' it connects fine but the routes aren't pushed through correctly
01:11 < cheesenbiscuits> the only way I've been able to around it thus far is to diasable the dd-wrt openvpn client router and so that they can connect, then re-enable it when they're finnished
01:11 < cheesenbiscuits> is there a better way that I can do this?
01:23 -!- Devastator [~devas@177.18.198.165] has joined #openvpn
01:34 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
01:51 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:52 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
01:52 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
01:52 -!- JoshuaP [joshtek0@c-50-171-47-56.hsd1.tx.comcast.net] has joined #openvpn
01:52 -!- goldkatze [~nobody@188-192-253-130-dynip.superkabel.de] has joined #openvpn
01:52 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
01:52 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:52 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
01:52 -!- tharkun [~0@187.188.94.182] has joined #openvpn
01:52 -!- tjhowse [~eness@101.165.185.107] has joined #openvpn
01:52 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
01:52 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
01:52 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
01:52 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
01:52 -!- Jeroen [~quassel@2001:41d0:1:9592::1] has joined #openvpn
01:52 -!- cripto [~joubin@li131-215.members.linode.com] has joined #openvpn
01:52 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
01:52 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
01:52 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
01:52 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
01:52 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
01:52 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
01:52 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
01:52 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
01:52 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
01:52 -!- markus__ [~markus@185.5.44.31] has joined #openvpn
01:52 -!- meepmeep_ [meepmeep@end.of.cylind.re] has joined #openvpn
01:52 -!- Guest84615 [d@64.111.123.163] has joined #openvpn
01:52 -!- viperZ28 [uid11066@gateway/web/irccloud.com/x-wnthbzghvhifjzzg] has joined #openvpn
01:52 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
01:52 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:2881:af2d:36b6:fd90] has joined #openvpn
01:52 -!- BtbN [btbn@btbn.de] has joined #openvpn
01:52 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
01:52 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:52 -!- mezgani [~mezgani@41.248.183.185] has joined #openvpn
01:52 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
01:52 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
01:52 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
01:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
01:52 -!- kossy [a@kossy.org] has joined #openvpn
01:52 -!- emid [~emid@192.241.162.156] has joined #openvpn
01:52 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
01:52 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
01:52 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
01:52 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:52 -!- levifig [sid1908@gateway/web/irccloud.com/x-mpcxtvhxkuzuhsky] has joined #openvpn
01:52 -!- XJR-9_ [sid2977@gateway/web/irccloud.com/x-woqiuyvnopczxyde] has joined #openvpn
01:52 -!- ServerMode/#openvpn [+o raidz] by sendak.freenode.net
01:52 -!- f0cker [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has joined #openvpn
01:52 -!- AsadH [~AsadH@ZNC.HOPPED.CO.UK] has joined #openvpn
01:52 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
01:52 -!- niel [niel@om.nom.nom.coooki.es] has joined #openvpn
01:52 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
01:52 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
01:52 -!- nunim [nunim@irc.sonicboxes.net] has joined #openvpn
01:52 -!- mattock [~mattock@raidz.im] has joined #openvpn
01:52 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
01:52 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
01:52 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
01:52 -!- mete [~mete@91.247.253.160] has joined #openvpn
01:52 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
01:52 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
01:53 -!- mattock [~mattock@raidz.im] has quit [Changing host]
01:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:53 -!- mode/#openvpn [+o mattock] by ChanServ
01:53 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
01:53 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
01:53 -!- AsadH [~AsadH@ZNC.HOPPED.CO.UK] has quit [Changing host]
01:53 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
01:53 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
01:54 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
01:54 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
01:54 -!- mode/#openvpn [+o novaflash] by ChanServ
01:56 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Remote host closed the connection]
01:56 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
01:56 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
01:56 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
01:56 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:57 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-mbdkhhtzfekzfqtr] has quit [Ping timeout: 245 seconds]
01:57 -!- fejjerai is now known as Guest10196
01:57 -!- goldkatze is now known as Guest88787
01:59 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-vagjmoevfhxzkgib] has joined #openvpn
01:59 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Remote host closed the connection]
01:59 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:00 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
02:02 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Remote host closed the connection]
02:02 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
02:03 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
02:11 -!- cheesenbiscuits [~cheesenbi@208.76.12.4] has quit []
02:19 -!- indy_ is now known as indy
02:56 < mnathani> http://pastebin.com/rxnTX1nk
02:56 < mnathani> whats wrong with that route metric
02:57 < mnathani> and how can I fix it
03:04 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
03:09 < krzee> whats the problem?
03:10 < krzee> there is  no problem with that
03:11 < krzee> well the table is weird, but i assume you cherrypicked what to post
03:12 < mnathani> I can ping from my server to my client
03:12 < mnathani> and the client an ping the server
03:12 < mnathani> but traffic is not going past the server
03:12 < mnathani> I am trying to setup a NAT
03:12 < mnathani> using config I have used in the pasat
03:12 < krzee> !configs
03:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
03:12 < krzee> !logs
03:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
03:12 < mnathani> sec
03:13 < krzee> also follow this flowchart:
03:13 < krzee> !redirect
03:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:13 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
03:13 < krzee> #4
03:16 < mnathani> server: http://pastebin.com/VMsDD9jg
03:16 < mnathani> client http://pastebin.com/fstTd5U5
03:17 -!- br4ndon_ [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
03:17 < krzee> .2.x  .20.x   .30.x  are all behind clients?
03:18 < mnathani> 20 and 30 are not in use, 2 is
03:18 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
03:18 < mnathani> 2 is actually the client openvpn
03:18 < mnathani> its not behind
03:18 < krzee> .2 is a little common, you will have an issue with clients on .2.x
03:19 < krzee> what do you mean the client openvpn
03:19 < mnathani> there are only 2 machines here
03:19 < mnathani> 1 server and 1 client
03:19 < mnathani> no machines behind the cilent
03:19 < krzee> then get rid of those 3 lines
03:19 < krzee> lines 26/27/28
03:20 < krzee> or tell me why they are there
03:20 < krzee> line 25 should have quotes
03:20 < krzee> push "redirect-gateway def1"
03:22 < krzee> then restart the server and client
03:22 < mnathani> what kind of NAT
03:22 < mnathani> should IPtables have
03:23 < krzee> !linnat
03:23 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
03:23 < mnathani> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to A.B.C.66
03:23 < mnathani> I had something like that earlier
03:23 < krzee> but thats not the vpn subnet
03:24 < krzee> iptables -t nat -I POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
03:24 < mnathani> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to A.B.C.66
03:24 < krzee> or
03:24 -!- mezgani [~mezgani@41.248.183.185] has quit [Quit: Leaving]
03:25 < krzee> iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to A.B.C.66
03:26 < krzee> !iptables
03:27 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
03:27 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
03:27 < mnathani> its working now.
03:27 < krzee> nice ignore that ^
03:27 < mnathani> thank you very much
03:27 < krzee> yw
03:27 < mnathani> one other issue, how can I fix the ip the client receives
03:28 < krzee> !static
03:28 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
03:28 <@vpnHelper> also: !addressing
03:28 < mnathani> !addressing
03:28 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
03:28 < krzee> also you probably would like topology subnet
03:29 < mnathani> !topology
03:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
03:42 < mnathani> I am trying to place an Iptables port forwarding rule to be able to connect to the public ip of the server from outside the network which in turn connects me to the vpn ip of the client
03:42 < mnathani> should the instructions for port forwarding here : http://serverfault.com/questions/140622/how-can-i-port-forward-with-iptables work?
03:42 <@vpnHelper> Title: linux - How can I port forward with iptables? - Server Fault (at serverfault.com)
03:42 < krzee> !notovpn
03:42 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
03:48 -!- traph [~traph@46.10.9.133] has joined #openvpn
03:48 -!- traph [~traph@46.10.9.133] has quit [Changing host]
03:48 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
03:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:02 < mnathani> can someone tell me anything about openvpns built in packet filter
04:02 < mnathani> perhaps how to disable it
04:02 -!- P4k3 [~P4k3@c-5236e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
04:03 -!- XJR-9_ is now known as XJR-9
04:04 -!- XJR-9 [sid2977@gateway/web/irccloud.com/x-woqiuyvnopczxyde] has quit [Changing host]
04:04 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
04:13 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Quit: leaving]
04:15 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 244 seconds]
04:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:33 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
04:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:43 -!- P4k3 [~P4k3@85.226.54.82] has joined #openvpn
04:43 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
04:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 245 seconds]
04:55 -!- P4k3 [~P4k3@85.226.54.82] has quit [Quit: ZNC - http://znc.in]
05:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
05:02 -!- P4k3 [~P4k3@85.226.54.82] has joined #openvpn
05:05 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
05:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:07 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
05:09 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
05:28 -!- br4ndon_ [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Read error: Operation timed out]
05:34 -!- nodashipl [~nodashipl@c-71-197-187-220.hsd1.wa.comcast.net] has joined #openvpn
05:34 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
05:35 < nodashipl> hello
05:35 < nodashipl> i can a question
05:35 < nodashipl> well more of a error
05:35 < nodashipl> im trying to install openvpn on a raspberry pi
05:35 < nodashipl> and i get this error while trying to install it
05:36 < nodashipl> bash: "/etc/openvpn/easy-rsa"/whichopensslcnf: No such file or directory
05:36 < nodashipl> how do i fix this?
05:38 -!- nodashipl [~nodashipl@c-71-197-187-220.hsd1.wa.comcast.net] has quit [Client Quit]
05:56 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
05:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:57 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:18 -!- tinster [~tinster@unaffiliated/tinster] has left #openvpn []
06:23 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has joined #openvpn
06:27 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds]
06:33 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
06:40 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
06:48 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
06:52 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
07:05 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
07:12 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
07:13 -!- Guest88787 [~nobody@188-192-253-130-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
07:14 -!- Guest88787 [~nobody@188-192-253-130-dynip.superkabel.de] has joined #openvpn
07:22 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
07:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:23 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: Lorem ipsum dolor sit amet]
07:26 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
07:29 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
07:30 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
07:54 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:56 < Mathias> hmm, is it possible to remove the passphrase from the private keys?
07:56 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:56 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:56 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:56 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 244 seconds]
07:56 -!- michaelhart_ is now known as michaelhart
07:58 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
08:03 -!- computing_ [~Krescius@host223-197-dynamic.59-82-r.retail.telecomitalia.it] has joined #openvpn
08:03 < computing_> hi guys
08:03 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
08:04 < computing_> i want to connect n. 2 sides, with zeroshell and openvpn lan to lan, i have connected this with x509 certifybut, i ping remote zeroshell from local lan, but not ping remote Client in the lan, i use router srp527W cisco  anyone can help me please?
08:06 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 244 seconds]
08:16 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:30 -!- mikemol [~mikemol@162.17.129.77] has quit [Quit: Leaving.]
08:31 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:31 -!- mattock is now known as mattock_afk
08:31 -!- u0m3 [~u0m3@109.96.148.19] has quit [Read error: Connection reset by peer]
08:32 -!- u0m3 [~u0m3@109.96.148.19] has joined #openvpn
08:34 -!- deever_ is now known as deever
08:35 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:49 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 240 seconds]
08:51 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:53 -!- JoshuaP [joshtek0@c-50-171-47-56.hsd1.tx.comcast.net] has quit [Quit: Reconnecting]
08:53 -!- JoshuaP [joshtek0@unaffiliated/joshuap/x-7771961] has joined #openvpn
08:56 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
09:02 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
09:03 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
09:12 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:14 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
09:14 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
09:18 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
09:19 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
09:19 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
09:20 -!- lj [~l@192.241.174.169] has joined #openvpn
09:21 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 264 seconds]
09:21 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
09:21 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
09:22 -!- lj [~l@192.241.174.169] has quit [Client Quit]
09:23 -!- ah- [~andreas@ks35366.kimsufi.com] has joined #openvpn
09:25 < ah-> hi, i have a connection problem with openvpn and am not really sure how to debug it
09:27 < ah-> i'm using openvpn on arm linux with this config (http://fpaste.org/83379/) and as soon as i heavily use the connection it just freezes
09:27 < ah-> it connects fine, i can ping over the connection and it looks like it works well
09:28 < ah-> but when I open too many connections or have too much traffic via the connection it just freezes
09:28 <@Eugene> Cool.
09:28 < ah-> and after restarting it it works fine again for a few minutes
09:29 < ah-> and i'm not sure how to find out what causes this
09:29 <@Eugene> UDP? might be firewall / router somewhere in the middle
09:29 < ah-> connecting to the same server works from my laptop without any problems so i doubt it's the server
09:29 < ah-> yes it's udp
09:30 <@Eugene> I've seen similar behaviour. kicking the WiFi / router / modem combo box fixed it
09:30 < ah-> yeah, it's probably that, i recently moved and before the same setup worked
09:31 <@Eugene> it would "forget" the nat for the UDP traffic, and then timeout
09:31 < ah-> the strange thing is that it works from my laptop which runs the same openvpn version and is connected to exactly the same router
09:32 <@Eugene> perform an exorcism
09:33 < ah-> yeah that's probably the most effective thing to do
09:41 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
09:43 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
09:45 < hydrajump> when tethering an iPhone for internet connection is there and benefit to connecting to an openvpn server via either the iPhone app or an openvpn client on the computer?
09:45 < hydrajump> s/and/any
10:01 -!- lj [~l@192.241.174.169] has joined #openvpn
10:06 <@ecrist> sure
10:07 -!- jzaw_ [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:07 <@plaisthos> normal tethering does not use the VPN connection iirc
10:07 <@plaisthos> even if connected via VPN on the iphone the tethered client uses still the normal mobile connection
10:07 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
10:09 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
10:10 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 265 seconds]
10:10 < hydrajump> oh I didn't know that. I thought that if the iPhone was connected via openvpn that a tethered client would use the iPhone's openvpn connection
10:11 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
10:11 <@Eugene> that would require iOS to make sense
10:11 < hydrajump> so if I want my Mac to connect to an openvpn server via an iPhone mobile connection, it's the Mac that needs to establish the openvpn connedtion with a mac app?
10:11 <@Eugene> Correct
10:11 < hydrajump> thank you learnt something new ;)
10:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:12 < hydrajump> is viscosity a recommended openvpn client for Mac?
10:13 <@Eugene> !osx
10:13 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
10:13 <@Eugene> "yes".
10:13  * Eugene not a Mac owner
10:14 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
10:15 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:15 < hydrajump> thanks Eugene
10:15 -!- Devastator [~devas@177.18.198.165] has quit [Changing host]
10:15 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
10:18 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
10:32 -!- krzee [~k@2610:150:4002::3:1] has quit [Changing host]
10:32 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:32 -!- mode/#openvpn [+o krzee] by ChanServ
10:33 <@krzee> hydrajump, if you want to pay...
10:33 <@krzee> tunnelblick is what most of us use, since it is open source
10:34 < hydrajump> ok krzee I'll look at both as I setup this up for a client
10:36 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 252 seconds]
10:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
10:38 < MacGyver> So set up tunnelblick, make 'm pay as though it was viscosity?
10:39 < MacGyver> Note: Not suggesting you tell them it's viscosity while it's tunnelblick.
10:39 -!- kpettit [~keith@c-73-55-170-32.hsd1.tx.comcast.net] has joined #openvpn
10:41 < hydrajump> haha MacGyver
10:41 < hydrajump> i will disconnect now as I try this via tethering
10:41 < hydrajump> brb
10:44 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
10:46 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 264 seconds]
10:50 -!- sudormrf [~sudormrf@c-76-102-242-78.hsd1.ca.comcast.net] has joined #openvpn
10:52 < sudormrf> hey guys! I am having an issue with the iOS openvpn app.  The issue I am having is that I do not see anywhere to enter my user credentials.  I am thinking that I may need to make a change to my ovpn file.  is anyone around to assist?
10:53 -!- jzaw_ is now known as jzaw
10:56 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
11:03 < Eneerge> see if there's a line that has "auth-user-pass"
11:06 < chrisb> is tls-minimum-version = 1.2 working in 2.3-git?
11:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 244 seconds]
11:06 < sudormrf> Eneerge: there is, but does the placement of it matter? I know initially I had a problem with it saying that the remote option wasn't defined.  it was defined.  I moved it down a bit and then that error went away.
11:07 < Eneerge> not sure on that. mines near the bottom
11:07 < Eneerge> the app just isn't prompting?
11:08 < sudormrf> Eneerge: correct.  in my ovpn file it is at the very bottom.
11:08 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
11:09 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 244 seconds]
11:10 < Eneerge> the app may not support user pass authentication.... you could store the credentials in a text file and pass the filename a parameter to auth-user-pass
11:11 < sudormrf> Eneerge: It does seem to support it as I have seen references to it on various websites, I am just thinking my ovpn file needs to be reworked.  it does seem to care about which line has what on it.  can you confirm that?
11:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:17 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
11:22 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:25 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:30 -!- kpettit [~keith@c-73-55-170-32.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
11:31 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
11:32 -!- Guest88787 [~nobody@188-192-253-130-dynip.superkabel.de] has quit []
11:32 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
11:35 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
11:41 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:02 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 264 seconds]
12:05 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:18 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
12:27 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
12:32 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 244 seconds]
12:38 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 240 seconds]
12:40 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 244 seconds]
12:45 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
12:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:07 -!- mattock_afk is now known as mattock
13:10 -!- Guest34623 [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
13:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
13:15 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:16 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-vagjmoevfhxzkgib] has quit []
13:16 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-einlpejbyjdgmpyz] has joined #openvpn
13:19 -!- master_o1_master [~master_of@p4FF244F3.dip0.t-ipconnect.de] has joined #openvpn
13:20 -!- dimitry7 [~antonello@38.124.174.31] has quit [Ping timeout: 260 seconds]
13:22 -!- master_of_master [~master_of@p4FD7BFBD.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
13:24 -!- Guest34623 [~mbff@2605:6400:1:fed5:22:656:343:3e46] has left #openvpn []
13:24 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Changing host]
13:24 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
13:27 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
13:27 < mbff> clear
13:27 < mbff> helllo! I am having troubles with DNS when connect to an openvpn server
13:28 < mbff> I it works just find on my home connection but when I connect to my school's network. things break down
13:28 < mbff> and only ip's work
13:34 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
13:39 -!- sudormrf [~sudormrf@c-76-102-242-78.hsd1.ca.comcast.net] has left #openvpn ["I'm Dr. Rockso, the rock and roll clown. I do cocaine!"]
13:40 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 240 seconds]
13:40 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
13:43 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:44 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
13:47 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
13:56 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
13:56 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Operation timed out]
14:01 -!- lj [~l@192.241.174.169] has joined #openvpn
14:03 -!- lj [~l@192.241.174.169] has quit [Client Quit]
14:03 -!- lj [~l@192.241.174.169] has joined #openvpn
14:03 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
14:30 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
14:35 -!- traph [~traph@46.10.9.133] has joined #openvpn
14:35 -!- traph [~traph@46.10.9.133] has quit [Changing host]
14:35 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
14:37 -!- mattock is now known as mattock_afk
14:44 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
14:45 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
14:47 -!- lambda7__ [~lambda79@pom51-3-88-165-80-74.fbx.proxad.net] has joined #openvpn
14:48 < lambda7__> !welcome
14:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:49 < lambda7__> hi
14:49 < lambda7__> I have two client accessing one openvpn server:
14:50 < lambda7__> tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
14:50 < lambda7__> 	inet 10.0.0.10 --> 10.0.0.9
14:50 < lambda7__> the other one get:
14:50 < lambda7__> tun1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
14:50 < lambda7__> 	inet 10.0.0.6 --> 10.0.0.5
14:51 < lambda7__> The problem is two clients can't see eachother ! and that is the main goal i want to achieve
14:53 < lambda7__> !sample
14:53 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:57 -!- lambda7__ [~lambda79@pom51-3-88-165-80-74.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
14:59 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has joined #openvpn
15:00 < lambda79> hi again, i have 2 clients that connect openvpn server and get:
15:00 < lambda79> 1) tun0: inet 10.0.0.10 --> 10.0.0.9
15:00 < lambda79> 2) tun0: inet 10.0.0.6 --> 10.0.0.5
15:01 < lambda79> of course because they do not share same gw, they can't speak to each other.
15:02 < lambda79> How could you do that?
15:02 < lambda79> !goal
15:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:04 < lambda79> i mean securing connection between 2 computers with in the middle the openvpn server. thx you for any help.
15:16 -!- traph [~traph@unaffiliated/traph] has quit [Read error: Operation timed out]
15:20 <@krzee>  <lambda79> of course because they do not share same gw, they can't speak to each other.\
15:20 <@krzee> false
15:20 <@krzee> !c2c
15:20 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
15:20 <@vpnHelper> other clients
15:20 <@krzee> just add that
15:20 <@krzee> then to understand your addressing:
15:20 <@krzee> !addressing
15:20 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
15:22 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has quit [Remote host closed the connection]
15:25 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 264 seconds]
15:25 < chrisb> !tls
15:27 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has joined #openvpn
15:28 < lambda79> ok thx you vpnHelper krzee
15:30 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
15:38 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
15:40 -!- lambda79 [~lambda79@pom51-3-88-165-80-74.fbx.proxad.net] has joined #openvpn
15:41 < lambda79> I set option 'client_to_client' '1' into openwrt config file, restart openvpn and notice gateway is still not shared.
15:45 < lambda79> okay so in one way hosts can ping themselves but not in another way.
15:48 -!- lambda79 [~lambda79@pom51-3-88-165-80-74.fbx.proxad.net] has quit []
15:48 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
15:52 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
15:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
15:54 -!- dazo is now known as dazo_afk
15:54 -!- treshoem [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
15:55 < treshoem> How can I get port forwarding to the external IP on the Openvpn server over to an ip on the client end of the openvpn internal port to work
16:01 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 264 seconds]
16:03 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Ping timeout: 260 seconds]
16:04 -!- aji [~alex@atheme/member/aji] has joined #openvpn
16:17 -!- nodashi [~nodashipl@c-71-197-187-220.hsd1.wa.comcast.net] has joined #openvpn
16:17 < nodashi> anyone on?
16:18 -!- nodashi [~nodashipl@c-71-197-187-220.hsd1.wa.comcast.net] has quit [Client Quit]
16:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
16:19 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
16:23 < pekster> treshoem: There's nothing so special about that compared to any other NAT setup. Think of your openvpn server as a router and do NAT there
16:24 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:25 < mnathani> pekster: I got it working now. Thanks
16:26 < mnathani> My previous NAT rule was too broad
16:36 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
16:36 -!- maps|wrk [~xyz@94-193-78-219.zone7.bethere.co.uk] has joined #openvpn
16:36 < maps|wrk> !linnat
16:36 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
16:38 < maps|wrk> !ipforward
16:38 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:38 < maps|wrk> !linipforward
16:38 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:38 -!- joshh20-Away is now known as joshh20
16:41 -!- joshh20 is now known as joshh20-Away
16:41 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Quit: ZNC - http://znc.in]
16:51 -!- tony25DF [~antonello@38.124.174.31] has joined #openvpn
16:54 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Ping timeout: 264 seconds]
16:56 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
17:02 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:04 < joshh20> Hey guys, I tried to use the hosts file on my Debian 7 OpenVPN server to block ads for the VPN client, however editing the hosts file appears to have done nothing
17:04 < joshh20> I have just rebooted the entire machine to no avail either
17:07 -!- computing_ [~Krescius@host223-197-dynamic.59-82-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
17:10 < pekster> Why would you expect that to do any good?
17:10 < joshh20> I thought adding a host file such as this one would work
17:10 < joshh20> http://winhelp2002.mvps.org/hosts.txt
17:11 < joshh20> As I thought that all traffic had to first pass through the server
17:13 < pekster> DNS is a higher-level concept. OpenVPN deals with L3 (IP layer)
17:13 < pekster> Or maybe L2 if you're bridging, but 99.5% or more of people don't want/need that
17:13 < pekster> DNS is its own protocol, and use of openvpn doesn't change how fundamentals like DNS work
17:14 < joshh20> Ok, I definitely didn't know that
17:14 < pekster> Maybe you want to run a resolver on your openvpn server, point clients to it (read about !pushdns maybe) and host a fake master zone for the domains in question? Perhaps you should look into dnsmasq
17:15 < pekster> OpenVPN doesn't care at all what traffic you send over it. Could be DNS, http, or another openvpn tunnel. "It's just packets"
17:16 < joshh20> Alright, I had thought that as I was thinking if the traffic couldn't reach the VPN server, then the client wouldn't be able to receive the traffic either
17:17 < pekster> If you can't ping your VPN peer you've either made a mistake in the core setup or have a firewall problem
17:18 < joshh20> Oh so to block the advertisement servers from reaching the VPN I would need to do it via Firewall and not the hosts file?
17:19 -!- N34lO [~weechat@2a00:12d8:2:7:ccc::ca7] has joined #openvpn
17:19 < pekster> DOn't do it in DNS
17:19 < pekster> Use a proxy for things like this
17:19 < pekster> This has zero to do with openvpn, and everything to do with picking the right tool for your task
17:19 < joshh20> Ok
17:19 < pekster> I suppose DNS might work, it's just a bit clunky
17:19 < pekster> Why not just install adblock and be done?
17:20 < pekster> Far easier
17:20 < joshh20> Well I have a low bandwidth connection, so I was hoping to speed it up by not having to download the ads every time
17:20 < pekster> In any event, ##networking is probably better for suggestions/direction. openvpn isn't your problem: basic protocol/fundamental knowledge is
17:20 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
17:20 < pekster> Yes, this is what adblock does
17:21 < joshh20> Ok, thank you for your help
17:21 < N34lO> hi, i can't realy find a good documentation how i can get a client to automaticly connect the tap-dev to br0 - does anyone know how i could do it? - and no i can't just take tap0 and add it to br0 because my vm-tool creates tap-devs too
17:21 < pekster> No clue what vm-tool is, but #your-distro or #your-vm-solution is a better bet
17:22 < pekster> Also, don't bridge. You almost surely shouldn't be
17:22 < pekster> Read: !tunortap (and maybe !whybridge) for details
17:27 < N34lO> pekster: if you only have a /27 network you don't want to start splitting that so you can route the traffik
17:27 < pekster> OpenVPN works fine in p2p mode that doesn't require "splitting" at all ;)
17:27 < pekster> (won't work with Windows, but one hopes you're not putting Windows as a router on a /27 anyway)
17:28 < pekster> !topology
17:28 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:29 < N34lO> pekster: i haven't been running windows for quite a while and connecting it to public, non firewalled networks would be suicide
17:29 < pekster> Who said the /27 was public, non-firewalled? Public IP space certainly doesn't imply that (just as the DoD or MoD)
17:29 < pekster> ask*
17:30 < pekster> This said, p2p might be just what you want. You simply assign arbitrary IPs between your peers, and they don't even have to be adjacent if you'd prefer them not to be
17:30 < N34lO> well i need some IPs for test reasons, and i currently only have a /27 network witch i can use via VPN
17:31 < N34lO> and no p2p won't work
17:31 < N34lO> i wan't to connect vms to that bridge
17:31 < N34lO> and not nat the IPs and then install openvpn on every vm
17:32 < pekster> Route a block to openvpn? Bridging as a poor man's hack for routing is rarely a good solution
17:32 < pekster> In any event, if you're sure you know you want bridging, they by all means go for it. It's "up to you" to create your bridge; openvpn simply assumes you've done any bridging you require beforehand
17:33 < N34lO> well in the datacenter i have the openvpn server running and the /27 block is routed to this system
17:33 < pekster> OpenVPN doesn't care. For all it knows, maybe you're not briding to anything and just leaving a dangling tap that isn't connected (a so-called "routed tap" setup is valid in some situations.) THe onus is on you though
17:33 < pekster> So?
17:33 < pekster> Thanks to CIDR you can break that up however you want, and thanks to p2p you can use every single IP via openvpn
17:34 < N34lO> well i could now use a /29 for the openvpn network and then a nother /29 for every end point but this would mean that i would lose tones of IPs
17:34 < pekster> Lots of people try bridging becuase it sounds easier; it's not really easier. You just shift the complexity from learning how to route to learning how to bridge in your OS/distro. That's what you need to do
17:34 < pekster> OpenVPN can't help you if you're not familiar enough with your OS to create a bridge
17:35 < N34lO> oh, and i would lose the posibility to migrate the VMs between the nodes because i would have to change the ip of the vm
17:35 < N34lO> and as i said i don't want to install openvpn in every vm
17:36 < pekster> Possibly (no real handle on your usecase.) My 2￠ if you want a bridge anyway is to just create the bridge and add the requisite members as part of your OS init/networking subsystem
17:36 < N34lO> and i know how to bridge the tap dev to br0
17:36 < pekster> Create a named tap device (like tap_NameHere) and have openvpn use that explicitly via `--dev tap_NameHere`
17:36 < pekster> THat's it
17:36 < N34lO> ah, ok
17:37 < N34lO> that was what i was looking for
17:37 < pekster> You can do "dynamic addition of the ephemeral tapX device" or such things, but it's needlessly complex unless you actually need it
17:38 < pekster> Doing it in the OS for static setups is far easier (well, as "easy" as briding ever is :D
17:38 < N34lO> pekster: "dev tap" => "dev vpntap" should do it then, or?
17:38 -!- joshh20 is now known as joshh20-Away
17:38 < pekster> Start it with tap
17:38 < N34lO> how do you mean?
17:38 < pekster> Otherwise openvpn won't know it's a tap device and you need _another_ directive to tell it so. That's usually pointless
17:38 < pekster> tapFoOO
17:38 < pekster> tap_HIMOM
17:38 < N34lO> ah, ok
17:38 < pekster> whatever
17:39 < N34lO> tapVPN
17:39 < pekster> sure
17:39 < pekster> Then just pass `--tap tapVPN` in your config
17:39 < N34lO> ok, good
17:39 < pekster> Erm, `--dev tapVPN`
17:39 < pekster> --dev in the manpage for details
17:45 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:47 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:56 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dgljkhebetmtzzmj] has joined #openvpn
17:59 < N34lO> pekster: works - thanks :)
17:59 -!- N34lO [~weechat@2a00:12d8:2:7:ccc::ca7] has left #openvpn ["The answer was 0x2A!"]
17:59 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
18:02 < maps|wrk> hey does anyone else use openvpn with inline profiles on their cell phone?
18:02 < pekster> Yup, see:
18:02 < pekster> !inline
18:02 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
18:02 < maps|wrk> it works..but then it suddenly says pause (network unavaliable) and requires me to disconnect and reconnect..no idea why as the servers still up
18:02 < maps|wrk> that ever happen to you then pekster ?
18:03 < pekster> I don't use it on my phone (ancient phone with some old CM openvpn version) but inline support Just Works™ where supported
18:04 < pekster> Network thing sounds like cell carrier moving your source address. Maybe tweak your --keepalive (--ping/--ping-restart) options for faster detection
18:07 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 240 seconds]
18:07 -!- pylearner [~py@pool-71-170-181-124.dllstx.fios.verizon.net] has quit [Ping timeout: 240 seconds]
18:14 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
18:15 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
18:32 -!- Jeroen is now known as Jeroen52
18:35 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
18:46 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
18:47 -!- i7c [~i7c@unaffiliated/i7c] has quit [Remote host closed the connection]
18:50 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:58 -!- i7c [~i7c@rliz.org] has joined #openvpn
19:04 -!- i7c [~i7c@rliz.org] has quit [Ping timeout: 244 seconds]
19:30 < mbff> I setup a openvpn server and can connect to it and route my traffic through it on my router and my android phone via the app. However when I run "sudo openvpn client.conf" on my ubuntu based laptop I can connect but cannot get DNS to work. I visit sites and such via an ip address though
19:31 < mbff> wow that was some poor english right there. apologizes.
19:42 < maps|wrk> mbff - what about the push dns
19:43 < mbff> I don't know what you mean by that... I am that follow the tutorial guy. Also - I am pretty sure it is resolvconf related at this point
19:43 < mbff> is that possible?
19:44 < maps|wrk> hm
19:44 < maps|wrk> check resolv.conf then but ya it is possible bro
19:44 < mbff> i just read to try and run sudo dpkg-reconfigure resolvconf
19:44 < mbff> however...
19:44 < maps|wrk> or just edit it manually
19:44 < maps|wrk> and add 8.8.8.8 and 8.8.4.4
19:45 < mbff> should i prepare it for dynamic updates?
19:45 < mbff> yes or no
19:45 < maps|wrk> not sure what that means is this some debian thing?
19:45 < mbff> kind of?
19:46 < maps|wrk> uh cant you just edit it manually
19:46 < maps|wrk> like those IPs definitly work
19:46 < maps|wrk> so if you use those and still issues we know it aint resolv.conf
19:46 < mbff> i'd rather see if the reconfigure works
19:46 < maps|wrk> sure
19:46 < mbff> cuz then I know i didn't screw anything up too bad.
19:46 < mbff> yah know? Ubuntu set it up! Blame them!
19:47 < maps|wrk> for sure
19:47 < mbff> anyway... i would guess yes for that first question?
19:47 < mbff> dynamic updates
19:47 < maps|wrk> i guess ya
19:47 < mbff> / wall of text
19:47 < mbff>  The resolvconf package contains the infrastructure required for dynamic      │
19:47 < mbff>  │ updating of the resolver configuration file. Part of the necessary           │
19:47 < mbff>  │ infrastructure is a symbolic link from /etc/resolv.conf to                   │
19:47 < mbff>  │ /run/resolvconf/resolv.conf. If you choose this option then this link will   │
19:47 < mbff>  │ be created; the existing /etc/resolv.conf file will be preserved as          │
19:47 < mbff>  │ /etc/resolvconf/resolv.conf.d/original, and will be restored if this         │
19:47 < mbff>  │ package is removed.
19:47 -!- mbff was kicked from #openvpn by ecrist [mbff]
19:47 < maps|wrk> pastebin for big stuff dude
19:47 <@ecrist> GTFO d00d
19:47 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
19:47 < maps|wrk> paste.ubuntu.com mbff
19:47 < mbff> grrr
19:47 <@ecrist> do it again and I'll +b you
19:48 < mbff> +b? ban
19:48 <@ecrist> aye
19:48 < mbff> you can't say ban... wow hardcore nerd can you get
19:48 < mbff> anyway...
19:48 -!- mode/#openvpn [+b *!*@2605:6400:1:fed5:22:656:343:3e46] by ecrist
19:49 < maps|wrk> hm
19:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
19:51 -!- __raven [~raven@dslb-178-002-143-216.pools.arcor-ip.net] has joined #openvpn
19:51 < maps|wrk> mbff:  did you try
19:54 -!- __raven_ [~raven@dslb-092-074-212-094.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
19:56 -!- mode/#openvpn [-b *!*@2605:6400:1:fed5:22:656:343:3e46] by ecrist
19:56 <@ecrist> let's try again
20:00 < mbff> hello
20:00 < mbff> yah!
20:00 < mbff> anyway... I just went through the re-configure bit and rebooted
20:00 < mbff> (It told me to reboot)
20:00 < mbff> anyway... no dice
20:01 < mbff> so... maps, what was your next idea?
20:03 -!- maps|wrk [~xyz@94-193-78-219.zone7.bethere.co.uk] has quit [Ping timeout: 265 seconds]
20:05 -!- tony25DF [~antonello@38.124.174.31] has quit [Quit: Leaving]
20:23 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
20:45 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
21:02 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
21:11 -!- linlin [will@173.243.115.75] has quit [Remote host closed the connection]
21:19 -!- lj [~l@192.241.174.169] has joined #openvpn
21:23 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
21:23 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
21:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dgljkhebetmtzzmj] has quit [Quit: Connection closed for inactivity]
22:08 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has joined #openvpn
22:10 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
22:11 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
22:23 -!- JackWinter_ [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
22:26 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
22:28 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
22:42 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
22:45 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Remote host closed the connection]
22:46 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
22:54 -!- kenyon_ is now known as kenyon
23:02 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
23:06 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
23:27 -!- u0m3_ [~u0m3@92.80.73.232] has joined #openvpn
23:30 -!- u0m3 [~u0m3@109.96.148.19] has quit [Ping timeout: 240 seconds]
23:45 -!- __raven_ [~raven@dslb-092-074-210-096.pools.arcor-ip.net] has joined #openvpn
23:47 -!- __raven [~raven@dslb-178-002-143-216.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
--- Day changed Sat Mar 08 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:03 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 244 seconds]
00:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 265 seconds]
00:55 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
00:55 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Read error: Connection reset by peer]
01:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:33 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:35 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 244 seconds]
01:48 < mnathani> can OpenVPN be used to provide IPv6 connectivity to an IPv4 only client (Server would be dual stacked ofcourse)
01:49 -!- JoshuaP [joshtek0@unaffiliated/joshuap/x-7771961] has quit [Read error: Connection reset by peer]
01:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
02:02 -!- makara [~makara@105-208-249-61.access.mtnbusiness.co.za] has joined #openvpn
02:02 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has joined #openvpn
02:10 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has quit [Remote host closed the connection]
02:18 -!- makara [~makara@105-208-249-61.access.mtnbusiness.co.za] has quit [Ping timeout: 265 seconds]
02:33 -!- kossy [a@kossy.org] has quit [Ping timeout: 240 seconds]
02:34 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:35 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
02:39 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
02:46 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
02:49 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
02:52 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 240 seconds]
02:55 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
02:55 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
02:55 -!- Transfusion_ [Transfusio@trivialand/master/transfusion] has joined #openvpn
02:56 -!- Netsplit *.net <-> *.split quits: @Eugene, jareth_, inch, phunyguy, Transfusion
02:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:57 -!- Transfusion_ is now known as Transfusion
02:58 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:00 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
03:09 -!- p3rror [~mezgani@41.249.100.4] has joined #openvpn
03:21 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
03:41 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wtozkmpghqimhpoi] has joined #openvpn
03:48 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
03:50 -!- Devastator [~devas@177.18.198.165] has joined #openvpn
03:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:05 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:12 -!- loompek [~noname@89-212-48-167.static.t-2.net] has joined #openvpn
05:12 -!- loompek [~noname@89-212-48-167.static.t-2.net] has quit [Changing host]
05:12 -!- loompek [~noname@unaffiliated/loompek] has joined #openvpn
05:12 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
05:16 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Operation timed out]
05:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:54 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 240 seconds]
05:57 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
06:00 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
06:05 -!- master_o1_master [~master_of@p4FF244F3.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
06:06 -!- master_of_master [~master_of@p4FF244F3.dip0.t-ipconnect.de] has joined #openvpn
06:22 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
06:37 -!- ron__ [~ron@ppp121-45-67-204.lns20.adl6.internode.on.net] has joined #openvpn
06:38 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
06:38 -!- ron_ [~ron@ppp121-45-51-97.lns20.adl2.internode.on.net] has quit [Ping timeout: 240 seconds]
06:44 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
06:44 -!- julius_ [~julius_@static.88-198-127-82.clients.your-server.de] has joined #openvpn
06:44 < julius_> hi
06:44 < julius_> ive got two openvpn configs for different networks, if i start them via /etc/init.d/openvpn start i get: Sat Mar  8 13:41:08 2014 SENT CONTROL [ws-b]: 'PUSH_REQUEST' (status=1)                (ws-b is the openvpn servers hostname)     and i get no connection
06:45 < julius_> but openvpn --config myconf.conf works...why?
06:45 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
06:46 < julius_> the other network is connection via /etc/init.d/openvpn. that one uses 10.8.33.x and the other one uses 10.8.0.x
06:50 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
06:53 < julius_> http://pastebin.ca/2652914             <- both configs work on their own, but started via the system start scripts yellowstone.conf doesnt connect
06:58 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
07:19 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
07:38 < Su7> Hi
07:38 < Su7> I'm having issues connecting to my openvpn server
07:39 < Su7> Here's the output line of netstat -lntpu concerning openvpn :
07:39 < Su7> udp        0      0 0.0.0.0:443             0.0.0.0:*                           25512/openvpn
07:39 < Su7> so the port seems to be correctly open but I can't telnet to it or anything
07:40 < Su7> !paste
07:40 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
07:41 < Su7> here's the startup log https://gist.github.com/QuentinBarrand/826712841d1fb5319322
07:41 <@vpnHelper> Title: gist:826712841d1fb5319322 (at gist.github.com)
07:42 < Thermi> Su7: Firewall.
07:43 < Thermi> And what are you actually trying to test it out?
07:43 < Su7> Thermi: I have these lines in my firewall script : iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
07:43 < Su7> iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
07:44 < Su7> (sorry for the bad paste)
07:44 < Thermi> Please paste us the output of iptables-save
07:45 < Su7> Thermi: here's iptables-save https://gist.github.com/QuentinBarrand/44e20fcd7e00bd9cfa8d
07:45 <@vpnHelper> Title: gist:44e20fcd7e00bd9cfa8d (at gist.github.com)
07:47 < Thermi> Su7: The Firewall isn't the problem, so how are you testing it?
07:49 < Su7> Thermi: simply by trying to connect using the client
07:49 < Thermi> From what port and with what settings?
07:49 < Thermi> And from where?
07:49 < Su7> from any other machine on the internet, to that host on port 443
07:50 < Thermi> Try a higher port and where is the box situated? Behind a firewall?
07:50 < Su7> and when I try to connect, nothing goes on on the terminal on which openvpn is launched
07:50 < Su7> Thermi: no firewall except the host's iptables
07:51 < Su7> the box is directly connected to the internet.
07:51 < Thermi> Maybe the ISP is blocking it.
07:51 < Thermi> Try initiating from the LAN and disable pushing routes
07:53 < Su7> Thermi: the ISP is definitely not blocking it. I'd just like to know if something is supposed to happen after this https://gist.github.com/QuentinBarrand/826712841d1fb5319322 when a client tries to connect ?
07:53 <@vpnHelper> Title: gist:826712841d1fb5319322 (at gist.github.com)
07:54 < Thermi> Yes, there should be something happening. use verb 5 in the config file and restart the openvpn daemon.
07:56 < Su7> damn, there's really nothing happening.
07:56 < Thermi> Did you set verb 5 and try to initiate again?
07:56 < Su7> yes
07:56 < Thermi> And it's still the same?
07:56 < Thermi> Meh.
07:56 < Thermi> Can you try initiating from the LAN please?
07:57 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Remote host closed the connection]
07:57 < Su7> I'm using this http://openvpn.defsdoor.org/ for access control, just so you know
07:57 <@vpnHelper> Title: Openvpn authentication using htpasswd file (at openvpn.defsdoor.org)
07:57 < Thermi> Never heard of it. What does it do?
07:58 < Su7> Thermi: uses a htpasswd file for password-based authentication
07:58 < Thermi> Hmm.
07:58 < Thermi> Okay.
07:58 < Su7> because I'm tired of certificates management.
07:58 < Thermi> If a client connects, there should at least be a message and some R and W because packets go in and out.
07:58 < Thermi> But that's not happening, so the packets get lost somewhere
07:59 < Su7> Yes, that's what I don't understand. I'm not sure what you mean by "initiating from the LAN".
07:59 < Thermi> Ah, okay.
07:59 < Thermi> Run the client in the same LAN as the server
07:59 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
07:59 < Thermi> And connect from there
08:00 < Thermi> And see if it works. If it does, there's some evil router/firewall on the route from the internet to your server that drops the packets
08:01 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Client Quit]
08:01 < Su7> I can't do that, since the server is just a Debian box hosted by a provider and linked to the internet only :-(
08:01 < Thermi> Damnit. Maybe try to initate from the same box and to the loopback interface?
08:01 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
08:01 < Thermi> or try a higher port. Like 1337 or 31337
08:11 -!- joshh20-Away is now known as joshh20
08:13 < Su7> Thermi: changed for 1338 and still nothing. I should probably give you my config files now.
08:13 < Thermi> Do that.
08:17 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
08:21 < Su7> Thermi: server https://gist.github.com/QuentinBarrand/4825d58a65432e285bf2
08:21 <@vpnHelper> Title: gist:4825d58a65432e285bf2 (at gist.github.com)
08:22 < Thermi> verb 5 isn't set. Did you revert that change?
08:23 < Su7> and client https://gist.github.com/QuentinBarrand/24492b75a18f50703fb1
08:23 <@vpnHelper> Title: client (at gist.github.com)
08:23 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
08:23 < Su7> Thermi: yes, I prefer sending it from the command line
08:23 < Thermi> Okay, I don't know what takes precedence though.
08:23 < Su7> command line works.
08:25 < Thermi> Hmm.
08:25 < Thermi> Can you try to listen on the IP on eth0 specifically?
08:25 < Thermi> And a really high port. And run tcpdump.
08:28 < Thermi> tcpdump -w dump -i eth0 "tcp and port 1338"
08:28 < Thermi> For example
08:28 < Thermi> or in your case, udp and port 1338
08:28 < Thermi> urgh
08:29 < Thermi> you idiot
08:29 < Thermi> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
08:29 < Thermi> "proto udp"
08:29 < Thermi> Su7
08:29 < Thermi> Of course it doesn't go through,.
08:29 < Su7> oh man.
08:29 < Thermi> You're allowing TCP traffic, but using UDP as transport protocol.
08:31 < Thermi> switch the rule around or use tcp as transport protocol.
08:31 < Su7> I'm quite ashamed right now.
08:31 < Su7> Obviously it works now.
08:31 < Thermi> Happened to me, too.
08:31 < Thermi> But with other stuff.
08:31 < Thermi> Yeah.
08:32 < Thermi> Everything works?
08:32 < Su7> not everything.
08:33 < Su7> I still have to setup this new authentication system.
08:33 < Su7> but anyway, thanks a lot for your patience !
08:33 < Su7> and you finally found it out, thanks !
08:35 < Thermi> Hmm.
08:35 < Thermi> I should charge for this.
08:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
08:49 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:57 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Remote host closed the connection]
09:01 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Remote host closed the connection]
09:03 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
09:04 -!- ron__ is now known as ron_
09:53 -!- klein [~klein@187.85.191.52] has joined #openvpn
09:53 -!- klein [~klein@187.85.191.52] has quit [Changing host]
09:53 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
10:01 -!- phunyguy_ is now known as phunyguy
10:02 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
10:02 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
10:07 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
10:12 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
10:15 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
10:58 < Su7> Guys, I still have weird things
10:58 < Su7> for example in the console output, OpenVPN keeps printing "RW" or "Rw"
10:58 < Su7> I really don't have any idea of what it means
11:00 -!- Transfusion [Transfusio@trivialand/master/transfusion] has quit [Quit: Becoming a butterfly.]
11:02 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
11:03 -!- Transfusion [Transfusio@trivialand/master/transfusion] has joined #openvpn
11:09 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
11:12 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Read error: Operation timed out]
11:13 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
11:15 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Read error: Connection reset by peer]
11:16 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
11:17 -!- joshh20 is now known as joshh20-Away
11:35 -!- joshh20-Away is now known as joshh20
11:47 -!- lbft is now known as jigglypuff
11:47 -!- AsadH is now known as lbft
11:47 -!- lbft is now known as AsadH
11:49 -!- joshh20 is now known as joshh20-Away
12:00 -!- jigglypuff is now known as lbft
12:10 -!- loompek [~noname@unaffiliated/loompek] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
12:52 -!- joshh20-Away is now known as joshh20
12:56 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
13:10 -!- joshh20 is now known as joshh20-Away
13:20 -!- master_o1_master [~master_of@p4FD7B9D0.dip0.t-ipconnect.de] has joined #openvpn
13:21 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
13:23 -!- master_of_master [~master_of@p4FF244F3.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
13:23 -!- __raven_ [~raven@dslb-092-074-210-096.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
13:29 -!- __raven_ [~raven@dslb-092-074-210-096.pools.arcor-ip.net] has joined #openvpn
13:30 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:31 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
13:31 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:32 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
13:32 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:32 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
13:33 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:33 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
13:40 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:40 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
13:54 -!- EugeneKay is now known as Eugene
14:04 -!- joshh20-Away is now known as joshh20
14:11 -!- joshh20 is now known as joshh20-Away
14:13 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:39 -!- joshh20-Away is now known as joshh20
15:01 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
15:13 -!- Fusl [~Fusl@i.am.going.to.sigqu.it] has joined #openvpn
15:13 -!- Fusl is now known as Guest34173
15:21 -!- Guest34173 [~Fusl@i.am.going.to.sigqu.it] has quit [Changing host]
15:21 -!- Guest34173 [~Fusl@unaffiliated/fusl] has joined #openvpn
15:24 -!- Guest34173 is now known as Fusl
16:05 -!- mikemol [~mikemol@2001:470:c5b9:beef:a104:3fca:5535:b507] has joined #openvpn
16:34 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
16:47 -!- sunwind` [~paradox@149.254.250.144] has joined #openvpn
16:48 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
16:51 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
16:52 -!- sunwind` [~paradox@149.254.250.144] has quit [Ping timeout: 244 seconds]
16:53 -!- u0m3_ is now known as u0m3
17:22 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
17:23 -!- mezgani [~mezgani@adsl196-54-18-217-196.adsl196-9.iam.net.ma] has joined #openvpn
17:26 -!- p3rror [~mezgani@41.249.100.4] has quit [Ping timeout: 240 seconds]
17:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:42 -!- mezgani [~mezgani@adsl196-54-18-217-196.adsl196-9.iam.net.ma] has quit [Quit: Leaving]
17:57 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:57 -!- mode/#openvpn [+v s7r] by ChanServ
18:02 < Eneerge> openvpn or gui doesn't seem to support unicode chars for authentication
18:02 < Eneerge> The server has no problem authenticating the user, but unable to connect using vpn
18:10 -!- juppp [~luca@ppp-190-131.28-151.libero.it] has joined #openvpn
18:11 < hydrajump> The other day I asked for Mac openvpn app client recommendations and viscosity and tunnel brick were discussed briefly.
18:11 < juppp> !welcome
18:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:13 < MacGyver> hydrajump: I remember, were you the guy setting this up for a client?
18:13 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:14 < hydrajump> I'm curious but I see that openvpn is available as a formula via homebrew. I haven't seen this option mentioned for os x but more for linux
18:16 < hydrajump> btw hi MacGyver
18:16 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
18:16 < hydrajump> my favourite tv series :P
18:16 < pekster> tunnelblick has some nifty pre-deployment options that might suit you
18:17 < pekster> You can basically ship a complete .app directory that's ready to use OOTB
18:17 < hydrajump> yeah but Im also interested in using it for myself as I've been using ipsec remote vpn previously but making the switch
18:19 < pekster> Different set of benefits; IPSec is done in-kernel, although the setup is generally more complex and not as NAT-friendly. OpenVPN operates in userland (though openssl acceleration for AES may be available) and is very NAT-friendly
18:23 < pekster> I don't know much about viscocity, but most users seem to prefer tunnelblick after comparison
18:24 < pekster> Although it's been about 4-5 years since I seriously compared both for deployment that I had to support (at the time tunnelblick won hands-down)
18:28 < hydrajump> pekster is running the openvpn client directly "unusual" for Mac users?
18:29 < pekster> Generally, yes
18:29 < pekster> If you mean the openvpn CLI program
18:29 < pekster> But if it's for you, use what method you feel most comfortable with
18:30 < hydrajump> are the apps such as tunnel brick just wrappers for the openvpn cli program or is there more to it than that?
18:31 < Eugene> That's it, yup.
18:32 < pekster> Tunnelblick (and maybe viscocity, I don't know offhand) have nice integration with DNS a.la. dnsctl, but the low-level operation is just a wrapper
18:32 < pekster> (you could do the DNS scripting yourself, or by hand, or w/e)
18:34 < hydrajump> feels like the GUI is the way to go and the home-brew openvpn formula is more suited when running in server mode.
18:35 < pekster> Yup, that's generally the right approach to take
18:36 < hydrajump> just thought I'd ask when I saw it in brew.
18:37 < pekster> Dig in some of the tunnblick scripts (the DNS one I remember working with previously) to see how complex some of the integration is. You don't normally need that on a server, but as a client you expect things to "just work"
18:38 < pekster> Unlike NetworkManager, this one actually works ;)
18:38 < hydrajump> pekster yeah it's great when it does too.
18:38 < hydrajump> NetWorkManager you mean on Ubuntu?
18:38 < Eugene> !ubuntu
18:38 <@vpnHelper> "ubuntu" is dont use network manager!
18:39 < pekster> Yea, it's historically been supremely broken for all but the most straight-forward setups
18:41 < hydrajump> I saw that there are two books openvpn 2.0.9 and openvpn cookbook are either worth getting
18:47 < Eugene> !book
18:47 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
18:52 < hydrajump> ok I'll check that one
18:55 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
19:15 -!- corretico_ [~luis@190.5.215.146] has quit [Remote host closed the connection]
19:23 -!- __raven [~raven@dslb-094-216-073-222.pools.arcor-ip.net] has joined #openvpn
19:26 -!- __raven_ [~raven@dslb-092-074-210-096.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:02 -!- juppp [~luca@ppp-190-131.28-151.libero.it] has quit [Quit: Konversation terminated!]
20:09 -!- Devastator [~devas@177.18.198.165] has quit [Changing host]
20:09 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
20:26 -!- joshh20 is now known as joshh20-Away
20:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving.]
20:30 -!- s0meone is now known as someone
20:37 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
21:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wtozkmpghqimhpoi] has quit [Quit: Connection closed for inactivity]
21:07 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
21:18 -!- ron_ [~ron@ppp121-45-67-204.lns20.adl6.internode.on.net] has quit [Ping timeout: 264 seconds]
21:20 -!- ron_ [~ron@ppp118-210-37-193.lns20.adl2.internode.on.net] has joined #openvpn
21:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
21:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:31 -!- _FBi [~B@Aircrack-NG/User] has quit [Ping timeout: 240 seconds]
21:42 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
22:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
22:27 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
22:30 -!- MyMind [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
22:34 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
22:34 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 240 seconds]
22:36 -!- master_of_master [~master_of@p4FD7B9D0.dip0.t-ipconnect.de] has joined #openvpn
22:48 -!- joshh20z [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
22:48 -!- joshh20z is now known as joshh20
23:21 -!- MyMind is now known as Guest88761
23:22 -!- master_o1_master [~master_of@p4FD7B9D0.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
23:22 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Remote host closed the connection]
23:24 -!- f0cker [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has quit [Excess Flood]
23:24 -!- _f0cker_ [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has joined #openvpn
23:24 -!- _f0cker_ [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has quit [Changing host]
23:24 -!- _f0cker_ [~f0cker@unaffiliated/f0cker] has joined #openvpn
23:27 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
23:40 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:45 -!- traph [~traph@46.10.9.133] has joined #openvpn
23:45 -!- traph [~traph@46.10.9.133] has quit [Changing host]
23:45 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
--- Day changed Sun Mar 09 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
00:26 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Remote host closed the connection]
00:59 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has joined #openvpn
00:59 < lambda79> !configs
01:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:00 < lambda79> !goal
01:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:01 < lambda79> !welcome
01:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:02 < lambda79> !topology
01:02 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
01:02 < lambda79> !iporder
01:02 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
01:04 < lambda79> !static
01:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
01:04 <@vpnHelper> also: !addressing
01:28 < Eneerge> is there anyway i can grab the key a connection is sending
01:28 < Eneerge> i restored an old config, but it didn't restore the key of the user and i dont have their key
01:54 -!- weedmic [~weedmic@213.57.118.18] has joined #openvpn
01:56 < weedmic> I am toying with the idea of removing our Fortigate 80C firewall and replacing it with an opensuse 13.1 machine running openvpn.  I need a vpn that will allow home workers (about 80) to connect and get inside our network so they can access file server, printers, etc.  Most use windows, but we also have mac and linux users.  Can openvpn replace our fortigate?
03:29 < weedmic> anyone?
03:34 -!- levifig [sid1908@gateway/web/irccloud.com/x-mpcxtvhxkuzuhsky] has quit [Ping timeout: 265 seconds]
03:36 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:47 -!- lambda79 [~lambda79@AReims-653-1-80-4.w81-49.abo.wanadoo.fr] has quit [Ping timeout: 252 seconds]
04:03 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
04:28 < weedmic> nvm, i'm going to try it and see.
04:28 -!- weedmic [~weedmic@213.57.118.18] has quit [Quit: Konversation terminated!]
04:33 -!- Guest88761 [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Quit: WeeChat 0.4.4-dev]
04:33 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:37 < Su7> Hello all
04:38 < Su7> I keep getting "MULTI: bad source address from client [192.168.10.92], packet dropped" when a client connects
04:38 < Su7> I have already done
04:38 < Su7> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
04:38 < Su7> echo 1 > /proc/sys/net/ipv4/ip_forward
04:39 < Su7> with 192.168.10.92 being the client's IP on my LAN before it joins the OpenVPN server over the Internet
04:39 < Su7> does anyone have an idea ?
05:23 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Quit: Konversation terminated!]
05:24 -!- JackWinter [~jack@vodsl-8317.vo.lu] has joined #openvpn
05:26 -!- levifig [sid1908@gateway/web/irccloud.com/x-legwzthklvqfmjje] has joined #openvpn
05:28 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
06:16 -!- br4ndon_ [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
06:19 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
06:43 -!- br4ndon_ [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon_]
06:43 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
06:47 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
07:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
07:08 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
07:10 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
07:38 -!- Transfusion is now known as Disney
08:11 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yyhwohfxffxnqroh] has joined #openvpn
08:21 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
08:23 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
08:42 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
08:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:50 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
09:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:04 -!- mode/#openvpn [+v s7r] by ChanServ
09:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:24 < pekster> Su7: That's the fault of your client trying to send a packet from that IP. That is not valid on the VPN, and the server is (rightfully) dropping it
09:30 -!- Eagleman [~Eagleman@546BCA04.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:50 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:28 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
10:39 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
10:40 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Excess Flood]
10:41 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
10:43 -!- joshh20 is now known as joshh20-Away
10:44 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Excess Flood]
10:55 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
10:56 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:59 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
11:00 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
11:04 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
11:04 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
11:13 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
11:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:18 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
11:25 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 265 seconds]
11:30 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 265 seconds]
11:31 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
11:36 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
11:39 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 240 seconds]
11:50 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
11:50 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Client Quit]
11:52 -!- joshh20-Away is now known as joshh20
11:52 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 244 seconds]
12:07 < Ulrar> Yeah I get that too with my link local adress
12:07 < Ulrar> on v6
12:27 -!- sync0pate [~sync@unaffiliated/sync0pate] has joined #openvpn
12:33 < sync0pate> is there a good simple tutorial for setting up an openvpn server so I can connect to the internet through it?
12:33 < sync0pate> I've got a server set up, and I can connect to the server, but not out to the internet from there..
12:34 < pekster> Ulrar: Yup, Windows is notorious for that (though I've seen it on other platforms too)
12:35 < Ulrar> Ha, it's true I didnt checked when I'm connected from a linux
12:35 < Ulrar> Well, never had any problem connecting from linux, so ne reason to look at the logs
12:35 < pekster> Part of the problem is that the Windows implementation of Point-to-Point in openvpn is to set up a fake "network", so it just blindly assigns and attempts to use a LL address, and that is a bogus notion in tun
12:35 < pekster> sync0pate: You want:
12:35 < pekster> !redirect
12:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:36 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:36 < pekster> flowchart is most helpful
12:36 < Ulrar> Works anyway so it's not a problem. The problem is I have to disable the firewall :(
12:36 < sync0pate> !def1
12:36 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:36 < pekster> In theory you out to fix the firewall, but that can get interesting on Windows
12:36 < pekster> ought*
12:37 < Ulrar> Yeah, I tried to figure it out, but I just don't understand why it kills the tunnel like that
12:39 < sync0pate> pekster, is there just an example config anywhere that might work, or give me a clue what I'm doing?
12:41 < sync0pate> !ipforward
12:41 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:41 < sync0pate> !nat
12:41 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:42 < sync0pate> !linipforward
12:42 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:43 < pekster> sync0pate: Not really, since use of RFC1918 on the VPN (ie: non-public IPs) require that you NAT, and that happens in your OS
12:44 < pekster> The openvpn bits are as simple as pushing (or less commonly, applying on the client) the --redirect-gateway value you just read about. You still need to turn your server into a traditional router and NAT system
12:44 < sync0pate> !linnat
12:44 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
12:45 < sync0pate> gotcha
12:46 < sync0pate> sorted! working now, thanks!
12:46 < sync0pate> turns out I was just looking in the wrong place the whole time. .geez.. thanks pekster :D
12:56 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Ping timeout: 265 seconds]
13:21 <+s7r> !nat
13:21 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:26 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Quit: leaving]
13:38 -!- 17SAARQPB [20253@ninthfloor.org] has joined #openvpn
13:38 -!- 23LAAMX8G [20253@ninthfloor.org] has joined #openvpn
13:38 -!- 23LAAMX8G is now known as cyberspace-
13:38 -!- cyberspace- [20253@ninthfloor.org] has quit [Client Quit]
13:38 -!- 17SAARQPB is now known as cyberspace-
13:39 -!- cyberspace- [20253@ninthfloor.org] has quit [Client Quit]
13:40 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:41 -!- niel [niel@om.nom.nom.coooki.es] has quit [Remote host closed the connection]
13:58 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:58 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 255 seconds]
13:59 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
14:05 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
14:06 -!- Eagleman [~Eagleman@546BCA04.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
14:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
14:14 -!- joshh20 is now known as joshh20-Away
14:23 -!- master_of_master [~master_of@p4FD7B9D0.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
14:24 < Su7> pekster: still there ?
14:24 -!- master_of_master [~master_of@p4FD7BFCF.dip0.t-ipconnect.de] has joined #openvpn
14:28 < __FBi> Su7, what's your question?
14:28 < Su7> __FBi: it's concerning  "MULTI: bad source address from client [192.168.10.92], packet dropped"
14:29 < Su7> Shall I paste you my config files ?
14:29 < __FBi> nah, I don't know that error
14:31 < __FBi> maybe paste it for the room, though
14:31 < __FBi> I'm out watching the fight
14:31 < __FBi> peace
14:31 < __FBi> missed it lastnight
14:44 < Su7> there you go : https://gist.github.com/QuentinBarrand/8cddebae64b5ca7b9f22
14:44 <@vpnHelper> Title: OpenVPN config issue (at gist.github.com)
14:48 < pjschmitt> I was wondering, since I don't know much about openvpn development, would it be easy to add a 2 factor authentication
14:49 < pjschmitt> I know sending a text message can be done with smtp
14:54 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
14:54 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
15:09 < pekster> pjschmitt: why not just go with TOTP via OATH?
15:09 < pekster> Supported on any phone, and you don't need cell service for it to work
15:10 < pjschmitt> pekster: awesome, I'll look at it
15:11 -!- joshh20-Away is now known as joshh20
15:11 < pekster> The only trick from a server-side is to only require the right password (ie: the TOTP code) the first time, not subsequent attempts. Compare the `env` output between both and you'll be able to distinguish them
15:12 < pjschmitt> pekster: just curious, any plugins for rsa tokens, I know some people who have them, so I'm curious if it would work there
15:13 < pjschmitt> since I may be able to get some people to ditch juniper :D
15:24 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has joined #openvpn
15:25 < gostfaced> hello my tap win32 driver wont install
15:29 < Su7> I've updated my gist with ip addr output, if anyone understand what the hell is going on https://gist.github.com/QuentinBarrand/8cddebae64b5ca7b9f22#file-ip-addr-output
15:29 <@vpnHelper> Title: OpenVPN config issue (at gist.github.com)
15:43 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
15:44 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:45 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
15:45 -!- makara [~makara@105-208-245-58.access.mtnbusiness.co.za] has joined #openvpn
15:48 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
15:48 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:51 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:54 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
15:58 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
15:59 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:59 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
16:01 < pekster> Su7: I already told you: that 'bad source' error can be ignored. If you want to stop it, fix your broken client
16:02 < pekster> Your _client_ is doing invalid things by sending from a bogus IP down the VPN tunnel
16:02 < pekster> Stop your client from doing that
16:02 < Su7> pekster: I could'nt agree more, but where's the mistake ?
16:02 < pekster> It's not a "config" mistake
16:02 < Su7> It happens both on Linux and Android.
16:02 < pekster> Then stop your client from mis-routing things
16:02 < pekster> !paste
16:02 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
16:03 < pekster> Next time don't paste the worthless lines of comments/blanks either
16:03 < pekster> I haven't even read your cofigs (don't need to) but wouldn't have anyway
16:03 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:04 < Su7> !configs
16:04 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:05 < pekster> The problem is most likely the client application, or perhaps your OS routing setup
16:05 < pekster> Either way, openvpn can't fix it
16:05 < Su7> pekster: on both Android and Linux ?
16:05 < pekster> Go do what I suggested hours ago: tcpdump the traffic to guess at what malfunctioning app is doing that, then stop it
16:05 < pekster> Android is a linux
16:05 < pekster> And, aparently, yes
16:08 < pekster> line 8 of your server config (after removing all the blanks/commnets like you should have done) defines your VPN network. Obviously 192.168.10.92 isn't part of that network
16:09 < pekster> Your packet is bogus. It is dropped. It shouldn't have been sent.
16:10 < Su7> true that, 192.168.10.92 is an IP on my local LAN
16:10 < pekster> Right
16:10 < pekster> You can't send that on "The Internet" at large either
16:10 < pekster> What you're doing is equally as broken
16:10 < Su7> I still try to understand why the client is sending traffic from this IP through the tun0 interface
16:10 < pekster> !notovpn
16:10 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
16:10 < pekster> Your OS has fucked up
16:10 < pekster> (or your application generating that traffic)
16:10 < pekster> Go un-fuck it
16:11 < pekster> Maybe that's blunt enough for you?
16:11 < pekster> OpenVPN is happily sending what the client has asked. And the server is happy to reject that bogus packet
16:11 < pekster> OpenVPN is doing exactly what it's supposed to here.
16:12 < Su7> let me try this on a windows box.
16:12 < Su7> If it's OS-related I should not be encountering this issue right ?
16:12 < pekster> Until you identify what is sending that traffic, it'll presumably keep happing
16:12 < pekster> You might
16:13 < pekster> "If I ate an apple and got sick, surely eating this orange won't make me sick" is just as flawed
16:13 < pekster> You seem less interested in fixing the problem than trying to blame openvpn for it
16:13 < pekster> Fascinating logic
16:13 < Su7> Absolutely not.
16:14 < pekster> Do what I suggested many hours ago: 1) tcpdump the traffic, 2) identif wtf it is 3) stop it from happening
16:14 < pekster> identify*
16:14 < Su7> I'm just trying how it can be my OS's fault since I'm trying from different devices that are not particularly fucked up
16:14 < pekster> WIndows does this a lot. I've seen it on other platforms too, usually caused by junk applications that don't have the slightest clue how to follow networking standards
16:14 < Su7> but I'll tcpdump now.
16:14 -!- makara [~makara@105-208-245-58.access.mtnbusiness.co.za] has quit [Ping timeout: 253 seconds]
16:15 < pekster> Windows NTP loves to do this. So does its IPv6 stack for LL IPv6 addresses. There was some block disk device kernel driver in Linux that was equally poorly coded that did it
16:15 < pekster> etc, etc, etc
16:15 < pekster> It's _your_ job to find out what is the root cause
16:16 < pekster> You are strictly disallowed from sending pakcets sourced from invalid addresses to an openvpn server. Your solution is not to do it. Does that make sense?
16:17 < Su7> it obviously does.
16:17 < pekster> Great. So stop doing it!
16:17 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
16:17 < pekster> Something you're running is doing just that
16:19 < Su7> pekster: with tcpdump, should I listen wlan0 or tun0 ?
16:28 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
16:30 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
16:31 < gostfaced> anyone know why tap wont install?
16:48 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 265 seconds]
16:49 -!- ah- [~andreas@ks35366.kimsufi.com] has left #openvpn []
16:53 < Su7> pekster: with all due respect, the issue can /not/ come from bad OS behaviour. I just tested on two Windows and one iOS device and the connection does not work on any of them. I assume something is wrong with my iptables rules and / or my config files
16:58 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
17:01 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:02 < HD|Laptop> hi
17:02 < HD|Laptop> assuming I have two hosts behind a NAT and no way to do portforwarding (crappy old DSL routers with bugs-.-) and a internet-reachable server, can I make PC B host a Openvpn server so that I can reach B from A via server C?
17:03 < HD|Laptop> both hosts are Windoze, server is Debian Linux
17:04 < pekster> Su7: Packets don't magically appear on the tun device. _something_ is putting them there
17:04 < Su7> pekster: OpenVPN client applications are sending them there
17:05 < pekster> No, openvpn does not put anything on in the tun device. Ever.
17:06 < pekster> An application will (ping, netcat, irssi, hexchat, etc)
17:09 < pekster> HD|Laptop: I don't quite get your setup. You have 2 RFC1918 systems you want to act as clients that will connect to a system both can access? If so, just set that external system up as a server and once both clients are connected you can access them over the VPN link via their VPN-assigned addresses
17:09 < Su7> then what ? the OpenVPN client redirects all this traffic to the server's tun0 interface, which is also redirected to its eth0 interface, isn't that true ?
17:10 < pekster> huh?
17:10 < pekster> --redirect-gateway just adjusts the routing table
17:10 < pekster> If you are sourcing from bogus addresses in your routing table, then yes, things will go very wrong
17:11 < pekster> Applications can still choose what source address to send from, a.la bind(2)
17:11 < pekster> try cloudshark.org with a tcpdump of this "mystery" traffic
17:11 < pekster> I've wasted enough time on FUD
17:34 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
17:54 < gostfaced> can someone help me?
18:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:31 -!- joshh20 is now known as joshh20-Away
18:33 -!- joshh20-Away is now known as joshh20
18:37 < HD|Laptop> pekster: so you mean I should setup a bridge VPN from A to C, and then from B to C, then assign unique IP addresses out of the private ranges to each of them and it works?
18:38 < pekster> Why do you think you need a bridge?
18:38 < pekster> You're not using IP protocols?
18:39 < pekster> Info at: !tunortap
18:39 < pekster> Route, don't bridge
18:39 < HD|Laptop> pekster: broadcasts for games
18:39 < HD|Laptop> IIRC broadcasts need bridging to work properly
18:41 < pekster> Only if the game requires it, but yea, if you want broadcasts you'll need L2, or tap
18:42 < HD|Laptop> ok
18:42 < pekster> No need to do anything special with the tap device server-side though; just use a "floating tap" (ie: no actual bridge involved)
18:43 < pekster> And remember to use a _unque_ network to avoid collisions. Try !randomsubnet
18:43 < pekster> unique*
18:43 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
18:43 < HD|Laptop> ok thanks
19:02 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 255 seconds]
19:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:12 < Su7> pekster: Could my issue be caused be clients not using client certificates ?
19:12 < pekster> Nope
19:12 < Su7> Thus they don't have any CN
19:12 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
19:19 < pekster> gostfaced: It might help if you provided more information than "it's broken." http://catb.org/~esr/faqs/smart-questions.html#beprecise
19:19 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
19:28 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
19:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yyhwohfxffxnqroh] has quit [Quit: Connection closed for inactivity]
19:34 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
19:34 -!- AlbinoGeek [~AlbinoGee@unaffiliated/albinogeek] has joined #openvpn
19:35 < AlbinoGeek> Hey guys!  I have a server tha thas two ethernets (eth0 and eth1).  Public and private networks respectively.  The private network is 10.255.255.255 (so I've switched OpenVPN to use 172.16 private instead.)
19:35 < AlbinoGeek> However, I need to feed OpenVPN into the bridge somehow; as public networking is eth0 through "br0" an existing bridge.
19:36 < AlbinoGeek> How do I make OpenVPN make an adapter that I can join to the bridge?  tun0 doens't create a file in /etc/sysconfig/network-scripts that I can join to the bridge sadly.
19:36 < AlbinoGeek> And that whole "tap0" instructions, since I already have an existing bridge; it doesn't work.  (OpenVPN tries to overwrite my public bridge, which disrupts networking on the server.)
19:37 < converge> my openvpn server is using private network 192.168.0.0 and my client uses 192.168.0.0 too, can I setup openvpn in this way ? or do I need to change the local private network to 10.0.0.0 first ?
19:37 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vawhgbplkbzwbgkf] has joined #openvpn
19:38 < AlbinoGeek> converge: You can route them using the server config ` route `.
19:38 < AlbinoGeek> converge: Simply add a `route 192.168.0.0 255.255.0.0` or related line, as documented in the same config files.
19:38 < AlbinoGeek> You might need to route 10 -> 192 , and 192 -> 10 on each side; as to not have conflicting addresses (if that's an issue on your end.)
19:38 < AlbinoGeek> ie: remote 192 = local 10
19:42 < converge> AlbinoGeek: so in server config: server 192.168.0.0 255.255.255.0 ; route 192.168.0.0 255.255.255.0 ?
19:43 < AlbinoGeek> converge: I'm not sure about the `server` parameter.  You should be able to use the routes though.  You will need client routes to push your client LAN to the server as well, if you want to do that.
19:49 -!- justinzane [~justinzan@tiny.justinzane.com] has quit []
19:51 < pekster> AlbinoGeek: What are you doing, and why do you think you need tap/bridging?
19:51 < AlbinoGeek> pekster: You can only internet on this server if you are a member of the bridge.
19:51 < pekster> Why can't you route?
19:51 < pekster> !redirect
19:51 < AlbinoGeek> Thus I need to add OpenVPN to the bridge, else it can't internet (I can connect clients, but the clients can't internet.)
19:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:51 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:51 < pekster> That does _NOT_ require bridging
19:51 < AlbinoGeek> pekster: That's not the issue (and I already am.)
19:51 < AlbinoGeek> pekster: On the physical server, pre-VPN ; eth0 cannot internet.
19:52 < AlbinoGeek> Only br0 can internet, and any interface joined to it.
19:52 < AlbinoGeek> (As it's a VM host machine.)
19:52 < pekster> "can internet" -- NFI what that means
19:52 < pekster> The Internet works by routing
19:52 < AlbinoGeek> pekster: "You cannot route requests to the public network via eth0 directly."
19:52 < pekster> So what?
19:52 < pekster> !goal
19:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:53 < pekster> Is your goal to access the Internet across the VPN link? If so, _route_, then your server will NAT and send the request "out br0" or wtf your existing interface is
19:53 < AlbinoGeek> goal: Have OpenVPN create a real adapter that I can join to the bridge.  (if it were a real adapter, I'd just edit the adapter file and add the magic `BRIDGE=br0` line, and it would work..)
19:53 < pekster> No, that's the step
19:53 < pekster> What's the purpose?
19:53 < pekster> http://catb.org/~esr/faqs/smart-questions.html#goal
19:53 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
19:53 < AlbinoGeek> pekster: Well, I suppose it's to have the VPN actually work through public internet (outgoing.)  Currently it can incoming just fine, but not outgoing.
19:53 < gostfaced> can someone help me?
19:53 < AlbinoGeek> gostfaced: You're asking to ask, don't do that.  Just ask.
19:54 < pekster> gostfaced: I already told you: You can't get help if you don't explain your problem
19:54 < gostfaced> sorry i aksed and noone responded
19:54 < gostfaced> anyone know why tap wont install?
19:54 < pekster> No, I did. You ignored it
19:54 < gostfaced> ohh
19:54 < pekster> FFS man, this is IRC
19:54 < gostfaced> ok
19:54 < pekster> gostfaced: FOr the SECOND time now: http://catb.org/~esr/faqs/smart-questions.html#beprecise
19:54 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
19:55 < pekster> Describe the symptoms of your problem or bug carefully and clearly.
19:55 < pekster> Describe the research you did to try and understand the problem before you asked the question.
19:55 < pekster> Describe the diagnostic steps you took to try and pin down the problem yourself before you asked the question
19:55 -!- lj [~l@192.241.174.169] has joined #openvpn
19:55 < converge> is my openvpn config ok ? http://paste2.org/WPtakHM1 the private netowkr ip is 192.168.0.0
19:56 < converge> *network
19:56 < pekster> converge: I'd highly recommend you avoid 192.168.0.0/23 in your VPN range as any system on the "other end" that uses that will have a problem
19:56 < pekster> !randomsubnet
19:56 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
19:56 < pekster> Also, verb 6 is usually pointless, (debugging only, and you need a special build for that to work) and verb 5 is for firewall troubleshooting only
19:57 < AlbinoGeek> pekster: The client cannot connect to the public ethernet through the OpenVPN connection as tun0 cannot communicate with the internet on the server end.  That's the issue.
19:57 < pekster> AlbinoGeek:
19:57 < pekster> !redirect
19:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:57 < pekster> "tun0" gets routed
19:57 < pekster> Why can't you route?
19:57 < converge> vpnHelper: 10.0.0.0 is nice to vpn ?
19:57 < pekster> No, pick a _RANDOM_ subnet. I linked you info on that
19:57 < pekster> If you have $RANDOM in your shell (bash, dash, mksh, etc) c/p the syntax
19:58 < pekster> avoid common networks unless you are 100% sure you will never connect SOHO appliances that use them
19:58 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:58 < AlbinoGeek> pekster: It might help if I actually show you what my current config is, and what's going on: http://paste.linuxassist.net/view/ca23803b
19:59 < converge> pekster: nice advice, thanks
19:59 < AlbinoGeek> pekster: Here I thought I had the redirects implemented already, as I had followed one of the generic install guides.
19:59 < pekster> AlbinoGeek: Please clarify that your goal is to allow your VPN clients to access the Internet via your vpn server; that's it, right?
19:59 < pekster> If so, stop briding
19:59 < pekster> Just use tun, route+NAT, and you're done
20:00 < pekster> As in the !redirect steps (use the flowchart) I've now handed to you 3 times
20:00 < pekster> It _will_ go out the server's _existing_ default gateway device
20:00 < gostfaced> well bascially no matter what i try i cannot install tap win32 or 64 bit on my windows 8 platform, it always says tapinstall.exe failed or "an error occured while installing tap driver", ive tried multiple websites and they all dont clearly explain the problem, they just talk about some senarios
20:00 < AlbinoGeek> pekster: 1. Yes    2. I cannot stop bridging, as that interrupts everything else on the server.  (The public ethernet is delivered via four bonded NICs fed into a bridge, as VMs join the bridge for internet.)
20:00 < AlbinoGeek> As I said, bridging was pre-VPN.
20:00 < pekster> No, don't "stop" bridging dude
20:01 < pekster> Just follow the damn steps
20:01 < pekster> Always prefer routing
20:01 < pekster> "The Internet" is not a bridge, thus if that is your only goal you gain nothing but pain by bridging
20:01 < pekster> Do not bridge unless you need L2 protocols
20:01 < pekster> What _ETHERNET_ protocol are you trying to use?
20:01 < AlbinoGeek> "Is the nat ..." No, because both iptables and ifhw are disabled.  Can I NAT without the bloody firewall or no?
20:02 < pekster> So you have a gimped host. Next time explain that
20:02 < pekster> Don't use --server with a bridge. Read about --server-bridge
20:02 < pekster> Be sure not to collide with your existing IPs (static or via DHCP) on the pre-existing bridge
20:02 < AlbinoGeek> Gimped?  I disabled iptables because it's more or less useless, and very difficult to maintain on a public facing server :/.  Especially without any of the good modules (conntrack, recently, knock, etc.)
20:02 < pekster> So you broke things?
20:02 < pekster> Cute
20:03 < AlbinoGeek> Broke?  Linux performs perfectly fine without iptables on.
20:03 < AlbinoGeek> OpenVPN somehow relies on it, not sure about that (NAT?)
20:03 < pekster> whatever. You're trying to solve L3 by hacking L2
20:03 < converge> pekster: is it ok now? http://paste2.org/WkjZEtFw
20:04 < pekster> converge: Much better; that network is far less likely to be used by clients
20:06 < gostfaced> did you see my problem pekster
20:07 < pekster> gostfaced: Yup, just got a few things going on. Verify you ran the installer as an "administrator" (UAC and all that), otherwise check your system log for the real failure reason
20:07 < gostfaced> yea i ran it as admin
20:07 < pekster> Maybe you set your local system security policy to deny all driver instalations?
20:08 < gostfaced> ill check
20:08 < pekster> This is 2.3.2-I003, right?
20:10 < gostfaced> i have openvpn 2.1 rc22 installed right now i heard they worked better for this problem
20:11 -!- joshh20 is now known as joshh20-Away
20:11 < pekster> Use non-old versions
20:11 < pekster> Any reason you're running a many-years old version?
20:11 < pekster> !download
20:11 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
20:11 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
20:11 < pekster> Stuff that old is not supported anymore
20:20 < gostfaced> does tap install take a while
20:21 < pekster> It might; you'll usually get a UAC full-screen prompt for it
20:22 < pekster> Windows sometimes "forgets" to do that until you click the special window for it. Sometimes it "forgets" to flash it in the taskbar too. YMMV.
20:22 -!- __raven_ [~raven@dslb-092-074-214-136.pools.arcor-ip.net] has joined #openvpn
20:24 < gostfaced> it didnt work, were would the logs be?
20:24 < pekster> System or Application logs
20:24 < pekster> Same place the rest of your logs are
20:25 -!- __raven [~raven@dslb-094-216-073-222.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:28 < gostfaced> i dont see anything in there
20:28 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
20:29 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
20:29 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
20:34 < gostfaced> are there any tap substitutes
20:41 < pekster> No. OpenVPN requires it
20:41 < pekster> It works on Windows XP through Windows 8.1 (all currently supported releases from Microsoft)
20:48 -!- brokebit [~brokebit@198.0.245.25] has joined #openvpn
20:49 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
20:51 < gostfaced> yea this is really weird
20:52 < __FBi> heya pekster
21:02 < brokebit> Hi everyone. We keep getting client disconnects with the following message in the log: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
21:02 < brokebit> Do you know why this is occuring?
21:22 -!- FkShgWt [~madandyxp@cpc2-nmal1-0-0-cust159.19-2.cable.virginm.net] has joined #openvpn
21:26 -!- FkShgWt [~madandyxp@cpc2-nmal1-0-0-cust159.19-2.cable.virginm.net] has quit [Quit: Nettalk6 - www.ntalk.de]
21:50 < pekster> bogie: That isn't an openvpn message
21:50 < pekster> !as
21:50 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
21:50 < pekster> brokebit: ^ that was meant for you (sorry bogie)
21:50 < pekster> #openvpn supports openvpn, not commercial frontends
21:51 < brokebit> Sorry. Thanks Pekster
22:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vawhgbplkbzwbgkf] has quit [Quit: Connection closed for inactivity]
22:02 -!- gostfaced [~gostfaced@ool-435404a8.dyn.optonline.net] has quit [Ping timeout: 252 seconds]
22:14 -!- WinstonSmith_ [~WinstonSm@bl9-220-28.dsl.telepac.pt] has quit [Ping timeout: 264 seconds]
22:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:21 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
22:29 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
22:30 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
22:30 -!- AlbinoGeek [~AlbinoGee@unaffiliated/albinogeek] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
22:39 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
22:43 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:44 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:45 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
22:49 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
22:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
23:01 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
23:11 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
23:16 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
23:35 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Read error: Operation timed out]
23:38 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
23:40 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
23:41 -!- lj [~l@adsl-99-155-18-122.dsl.peoril.sbcglobal.net] has joined #openvpn
23:43 -!- lj1 [~l@192.241.174.169] has joined #openvpn
23:46 -!- lj [~l@adsl-99-155-18-122.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 264 seconds]
23:55 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
--- Day changed Mon Mar 10 2014
00:02 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has quit [Ping timeout: 265 seconds]
00:09 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
00:24 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:50 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
01:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:03 -!- brokebit [~brokebit@198.0.245.25] has quit [Quit: brokebit]
01:06 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
01:12 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 244 seconds]
01:58 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
02:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:40 -!- mattock_afk is now known as mattock
03:05 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
03:05 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
03:06 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
03:25 -!- _FBi [~B@Aircrack-NG/User] has quit [Quit: ZNC - http://znc.in]
03:32 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
03:35 -!- _FBi [~B@Aircrack-NG/User] has quit [Client Quit]
03:37 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
03:51 -!- joonty [~joonty@87-194-18-68.bethere.co.uk] has quit [Quit: WeeChat 0.4.2]
04:08 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
04:12 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
04:20 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
04:49 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
04:50 -!- Devastator [~devas@177.18.198.165] has joined #openvpn
05:00 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
05:01 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
05:47 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
05:47 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
05:48 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
05:50 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
05:51 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 264 seconds]
05:51 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
05:54 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
05:55 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
06:03 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
06:08 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 244 seconds]
06:10 -!- sunwind [~paradox@149.254.235.147] has joined #openvpn
06:11 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
06:24 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Read error: Operation timed out]
06:25 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
06:27 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:53 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
07:03 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:04 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:04 -!- olalonde [~olalonde@36.250.226.9] has joined #openvpn
07:07 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:12 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:13 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:22 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:23 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
07:29 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:33 -!- olalonde [~olalonde@36.250.226.9] has quit [Ping timeout: 240 seconds]
07:33 -!- Zumochi [ghosty@535402F6.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
07:33 < Zumochi> !welcome
07:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:33 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:34 < Zumochi> !sample
07:34 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
07:35 < Zumochi> :P ircpimps seems to be down
07:35 < Zumochi> !redirect
07:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:35 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
07:38 -!- olalonde [~olalonde@122.13.132.43] has joined #openvpn
07:46 -!- paradox`` [~paradox@149.254.235.147] has joined #openvpn
07:49 -!- olalonde [~olalonde@122.13.132.43] has quit [Ping timeout: 240 seconds]
07:50 -!- sunwind [~paradox@149.254.235.147] has quit [Ping timeout: 240 seconds]
07:52 -!- olalonde [~olalonde@122.13.132.43] has joined #openvpn
08:02 -!- paradox`` [~paradox@149.254.235.147] has quit [Ping timeout: 252 seconds]
08:10 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: Adios y'all]
08:10 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:10 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Client Quit]
08:12 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:12 -!- dazo_afk is now known as dazo
08:19 -!- ngharo_ is now known as ngharo
08:28 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
08:32 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:36 -!- olalonde [~olalonde@122.13.132.43] has left #openvpn []
08:36 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
08:45 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Read error: Connection reset by peer]
08:45 -!- mbff [~mbff@2605:6400:1:fed5:22:656:343:3e46] has joined #openvpn
08:46 -!- mbff is now known as Guest88080
08:46 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
08:49 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
08:56 -!- joshh20-Away is now known as joshh20
09:08 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 244 seconds]
09:08 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:08 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
09:09 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
09:10 -!- maxiepax [max@locke.misse.org] has joined #openvpn
09:15 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
09:15 < SquirrelCZECH> hi folks
09:15 < SquirrelCZECH> I have network, laptop + homeserver connected via router (both ethernet cables)
09:16 < SquirrelCZECH> I've got 160 Mbit/s over OpenVPN
09:16 < SquirrelCZECH> while Iperf told me that over "standard" network I've got around 800 Mbit/s
09:16 < SquirrelCZECH> is it real for me to try to tune performance of OpenVPN for higher value or not ?
09:16 <@krzee> !gigabit
09:17 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
09:17 < SquirrelCZECH> also I noticed that both procesors are not on 100%
09:17 < SquirrelCZECH> krzee: thanks!
09:17 <@krzee> yw
09:20 < SquirrelCZECH> hmm
09:21 < SquirrelCZECH> well, the modifications could harm it when I connect from the internet
09:21 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:23 < Rienzilla> I guess it makes sure that fragmentation is not done by openvpn but just by the kernel, if it turns out to be necessary due to the interface mtu?
09:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:25 < SquirrelCZECH> Rienzilla: "For a LAN-based setup this can work, but when handling various types of remote users (road warriors, cable modem users, etc) this is not always a possibility."
09:25 < SquirrelCZECH> but I know what I can google, so I am going to research this a bit :)
09:31 < SquirrelCZECH> well
09:31 < SquirrelCZECH> it looks like Rienzilla were right
09:31 < SquirrelCZECH> it only affects the tunnel
09:31 < SquirrelCZECH> but I do not understand the negative sideeffects
09:32 < SquirrelCZECH> but I suppose I can run two servers (intranet/internet) ? (one keyring)
09:35 < Rienzilla> I guess that it is most efficient that a VPN packet is exactly as big as the mtu of the ethernet interface it is being sent out on (or a multiple thereof). If the tunnel mtu is much smaller, openvpn will fragment while it is unneeded. If it is bigger, but not a multiple of the interface mtu, openvpn will also fragment packets that wouldn't necessarily need fragmenting
09:37 < Rienzilla> and, apparently, the process of encrypting/signing a packet has a high "startup cost"... so having openvpn make one big signed/encrypted packet which is subsequently fragmented by the kernel is cheaper than having openvpn sign and encrypt multiple smaller packets
09:37 < Rienzilla> but, this is all speculation on my part
09:37 < Rienzilla> correct me if I'm wrong please
09:38 < SquirrelCZECH> yep
09:38 < SquirrelCZECH> I agree with that speculation :D
09:38 < SquirrelCZECH> Rienzilla: but in the manual they said it can't be done in some cases when I use "not-only-local-lan" setup
09:38 < SquirrelCZECH> but they didn't explained what can happend :-/
09:39 < Rienzilla> I think it should work... a router that has multiple links with different mtu's is responsible for fragmenting packets in order to fit them onto an interface with a smaller mtu
09:39 < SquirrelCZECH> yep
09:39 < SquirrelCZECH> but I connect to it from the internet
09:39 < Rienzilla> the only thing that can bite you in the ass is if 2 sides of a link disagree on the mtu size
09:40 < SquirrelCZECH> (laptop, tablet, mobile phone)
09:40 < Rienzilla> SquirrelCZECH: I don't see why it can't work in such a case, but maybe others can shine their light on that. (krzee?)
09:47 -!- mete- [~mete@91.247.253.160] has joined #openvpn
09:49 -!- justinzane_ [~justinzan@tiny.justinzane.com] has joined #openvpn
09:49 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 265 seconds]
09:49 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
09:49 -!- pentiumone133 [will@173.243.115.75] has quit [Remote host closed the connection]
09:49 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 265 seconds]
09:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
09:49 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Remote host closed the connection]
09:49 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 265 seconds]
09:49 -!- cyberspace- [20253@109.74.194.224] has joined #openvpn
09:49 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 265 seconds]
09:49 -!- Zarrsh [~Zarrsh@198.167.138.150] has quit [Ping timeout: 265 seconds]
09:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
09:51 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
09:51 -!- linlin [will@173.243.115.75] has joined #openvpn
09:51 -!- Zarrsh_ [~Zarrsh@198.167.138.150] has joined #openvpn
09:51 -!- linlin [will@173.243.115.75] has quit []
09:52 -!- XJR-9_ [sid2977@gateway/web/irccloud.com/session] has joined #openvpn
09:52 -!- XJR-9_ is now known as XJR-9
09:52 -!- XJR-9 [sid2977@gateway/web/irccloud.com/session] has quit [Changing host]
09:52 -!- XJR-9 [sid2977@gateway/web/irccloud.com/x-xzxozojdxnzmkyqy] has joined #openvpn
09:52 -!- XJR-9 [sid2977@gateway/web/irccloud.com/x-xzxozojdxnzmkyqy] has quit [Changing host]
09:52 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:52 -!- Cybert1nus is now known as Cybertinus
09:55 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
09:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Connection reset by peer]
09:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:15 -!- Guest88080 [~mbff@2605:6400:1:fed5:22:656:343:3e46] has left #openvpn []
10:29 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:29 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
10:31 -!- brokebit [~brokebit@198.0.245.25] has joined #openvpn
10:35 -!- lvv [~loganaden@197.231.186.220] has joined #openvpn
10:39 -!- tharkun [~0@201.157.22.45] has joined #openvpn
10:45 -!- lvv [~loganaden@197.231.186.220] has quit [Remote host closed the connection]
10:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-syxapfdavypidfej] has joined #openvpn
10:57 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 244 seconds]
10:58 -!- lj [~l@192.241.174.169] has joined #openvpn
11:02 -!- Guest84615 [d@64.111.123.163] has quit [Ping timeout: 240 seconds]
11:13 -!- lvv [~loganaden@197.231.186.220] has joined #openvpn
11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:18 -!- lvv [~loganaden@197.231.186.220] has quit [Ping timeout: 252 seconds]
11:18 -!- lvv [~loganaden@197.231.186.220] has joined #openvpn
11:23 -!- lvv [~loganaden@197.231.186.220] has quit [Ping timeout: 240 seconds]
11:24 -!- defswork [~andy@141.0.50.105] has joined #openvpn
11:26 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:48 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
12:01 -!- Devastator [~devas@177.18.198.165] has quit [Changing host]
12:01 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
12:07 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:11 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
12:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
12:14 -!- tharkun [~0@201.157.22.45] has quit [Changing host]
12:14 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
12:14 -!- a_ [d@64.111.123.163] has joined #openvpn
12:14 -!- a [d@64.111.123.163] has joined #openvpn
12:14 -!- catsup [d@64.111.123.163] has joined #openvpn
12:14 -!- a__ [d@64.111.123.163] has joined #openvpn
12:14 -!- a_____ [d@64.111.123.163] has joined #openvpn
12:14 -!- a______ [d@64.111.123.163] has joined #openvpn
12:15 -!- a is now known as Guest30932
12:15 -!- a_ is now known as Guest99351
12:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
12:15 -!- lvv [~loganaden@197.231.186.220] has joined #openvpn
12:15 -!- a_______ [d@64.111.123.163] has joined #openvpn
12:16 -!- Guest30932 [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:16 -!- a__ [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:16 -!- Guest99351 [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:16 -!- a_____ [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:16 -!- catsup [d@64.111.123.163] has quit [Write error: Connection reset by peer]
12:16 -!- a______ [d@64.111.123.163] has quit [Write error: Connection reset by peer]
12:16 -!- a_______ [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:16 -!- a__ [d@64.111.123.163] has joined #openvpn
12:16 -!- catsup [d@64.111.123.163] has joined #openvpn
12:16 -!- a_____ [d@64.111.123.163] has joined #openvpn
12:16 -!- a______ [d@64.111.123.163] has joined #openvpn
12:16 -!- a_______ [d@64.111.123.163] has joined #openvpn
12:16 -!- a________ [d@64.111.123.163] has joined #openvpn
12:17 < Eneerge> hi i'm a
12:17 < Eneerge> i'm a, too
12:17 < Eneerge> me 3
12:17 < Eneerge> me 4
12:17 < Eneerge> me 5
12:17 < Eneerge> i'm catsup, a's twin brother
12:17 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
12:17 -!- a_______1 [d@64.111.123.163] has joined #openvpn
12:18 -!- a_______1 [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:18 -!- a__ [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:18 -!- a______ [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:18 -!- catsup [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:18 -!- a_______ [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:18 -!- a_____ [d@64.111.123.163] has quit [Write error: Connection reset by peer]
12:18 -!- a________ [d@64.111.123.163] has quit [Write error: Connection reset by peer]
12:18 < Eneerge> ...
12:19 -!- catsup [d@64.111.123.163] has joined #openvpn
12:21 -!- catsup [d@64.111.123.163] has quit [Client Quit]
12:22 -!- catsup [d@64.111.123.163] has joined #openvpn
12:22 -!- lvv [~loganaden@197.231.186.220] has quit [Ping timeout: 265 seconds]
12:27 -!- catsup [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:27 -!- catsup [d@64.111.123.163] has joined #openvpn
12:28 -!- catsup [d@64.111.123.163] has quit [Read error: Connection reset by peer]
12:35 < Ulrar> So anyone knows how to make the windows firewall work nicely with a TUN vpn on win 7 ?
12:35 < Ulrar> Having to disable the firewall is a little scary
12:36 < Ulrar> The gateway and always connected tricks doesn't work for me
12:41 -!- catsup [d@64.111.123.163] has joined #openvpn
13:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
13:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:05 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:06 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:07 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:08 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
13:08 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
13:08 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:08 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:09 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:14 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:14 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:15 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:20 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
13:21 -!- markus__ [~markus@185.5.44.31] has quit [Ping timeout: 240 seconds]
13:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-syxapfdavypidfej] has quit [Quit: Connection closed for inactivity]
13:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:33 -!- lj [~l@192.241.174.169] has joined #openvpn
13:33 -!- markus__ [~markus@irc.anonine.net] has joined #openvpn
13:38 -!- Wile [~Bibi@ip-83-134-220-146.dsl.scarlet.be] has joined #openvpn
13:42 -!- Wile [~Bibi@ip-83-134-220-146.dsl.scarlet.be] has left #openvpn []
14:02 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
14:02 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 266 seconds]
14:04 -!- oculus [~oculus@gateway/tor-sasl/oculus] has left #openvpn []
14:06 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
14:07 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
14:17 -!- joshh20 is now known as joshh20-Away
14:19 -!- master_o1_master [~master_of@p4FF243DE.dip0.t-ipconnect.de] has joined #openvpn
14:23 -!- master_of_master [~master_of@p4FD7BFCF.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
14:44 -!- brokebit [~brokebit@198.0.245.25] has quit [Ping timeout: 265 seconds]
14:49 -!- brokebit [~brokebit@198.0.245.25] has joined #openvpn
14:51 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
14:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:04 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
15:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:22 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
15:24 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
15:27 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
15:29 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:37 -!- joshh20-Away is now known as joshh20
15:40 < alanjf> Hello. [http://paste.debian.net/hidden/545ec567/] I'm trying to get OpenVPN on Windows in TUN (routed) mode, using topology subnet, to work using the same subnet as the server's LAN. I can ping between a remote client and the server when using a separate subnet, but not when I use the same. And yes, I know about briding but I cannot use that for this, only routed/TUN mode.
15:42 -!- Irssi: #openvpn: Total of 221 nicks [7 ops, 0 halfops, 5 voices, 209 normal]
15:45 < alanjf> In other words I want to minic how PPTP appears to work (uses same subnet as server, but isn't really a bridge, prevents DHCP leakage, etc)
15:45 <@krzee> !serverlan
15:46 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:46 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:46 <@krzee> you would not use bridging for that anyways =]
15:46 <@krzee> you only use bridging when you need layer2 traffic to the lan
15:46 <@krzee> you simply need to configure your routing correctly.
15:47 < alanjf> So what might I be missing http://paste.debian.net/hidden/545ec567/  then?
15:47 <@krzee> you are trying to use the same subnet as the lan
15:48 <@krzee> that is wrong, your vpn will have its own subnet
15:48 <@krzee> !sample
15:48 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
15:48 <@krzee> more like that.
15:48 <@krzee> oh wait that server is down
15:48 < alanjf> I know I was able ot get communication have a separate subnet. But I need to have the clients in the same subnet a the server's LAN.
15:48 <@krzee> no
15:49 <@krzee> you will NOT have the clients in the same subnet
15:49 < alanjf> Why not?
15:49 <@krzee> you will properly configure routing instead.
15:49 -!- brokebit [~brokebit@198.0.245.25] has quit [Quit: brokebit]
15:50 < alanjf> krzee: The problem is we have a site-site VPN on the server's LAN (via our cisco router) to another site that expects out IPs to be in 192.168.1.0/24 and will no accept anything else. So routing another subnet wont allow clients to see that other site.
15:51 <@krzee> !nathack
15:51 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
15:51 < alanjf> Because that "other" site will see a 192.168.2.x address and reject it
15:51 <@krzee> then you just use NAT
15:51 < alanjf> The POS pptp service in windows is able to do this just fine (keep conencting clients on the same subnet) but it's slow as hell for any client trying to access that "other" site.
15:52 <@krzee> note, this is advanced networking and you should not be doing it unless you are at least semi advanced in networking, or have machines you can test / messup on
15:52 <@krzee> its also very insecure,.
15:52 <@krzee> !pptp
15:52 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
15:52 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
15:52 < alanjf> I am quite adfanced with networking, just for the record.
15:52 <@krzee> cool =]
15:52 < alanjf> Exactly, this is why I want to get AWAY from using pptp
15:52 <@krzee> then you now know what you wanna do, right?
15:53 <@krzee> im gunna get some sleep, but ill get you on the right path first...
15:53 < alanjf> I just don't quite understand why OpenVPN in TUN mode cannot use the same subnet.
15:54 <@krzee> not gunna stay up to explain networking? just know that it cannot.
15:54 < alanjf> krzee: Also I can't really do NAT for this, since 1) I can't just overload a 192.168.1 address, and 2) somethings the "other" site is uses for require a more direct connection.
15:55 <@krzee> so you cannot use a new subnet, and you cannot use nat?
15:55 <@krzee> and you cannot use tap
15:55 <@krzee> well, you cannot do it.
15:55 < alanjf> Well tap might work but I'm a little concerned with DHCP bleed-thru
15:55 <@krzee> you might have to start being able to do things :-p
15:55 <@krzee> tap is the worst option btw
15:56 <@krzee> best option is to make it so the vpn subnet is recognized on the lan
15:56 <@krzee> if impossible, 1 workaround is to add routes to every lan machine for the vpn, and not go through the nazi switch
15:57 <@dazo> alanjf: I just don't understand why you can't use routing via a dedicated VPN subnet ...
15:57 < alanjf> I know but we don't control that "other" site, they are a separate entity that provides some data services for this company.
15:57 <@krzee> if thats impossible, the workaround is the nathack
15:57 <@dazo> if it's pure IP traffic, routing shouldn't be an issue ... or?
15:57 <@krzee> yay dazo is here
15:57 < alanjf> I keep reading that as nethack (good times...)
15:57  * krzee sleeps
15:57 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 265 seconds]
15:58 <@dazo> alanjf: but I also presume that openvpn clients runs on the end point ... not on a gateway in between, on some kind of router somewhere
15:59 < alanjf> Indeed
16:00  * dazo kicks krzee's bed ... to see how deep his sleep state is .... :-P
16:04 <@dazo> alanjf: It's a shot in the darkness ... but maybe this part of a wiki can enlighten you slightly ... https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting ... it's from a server perspective, but it pushes a route to the client
16:04 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:04 <@dazo> so the app you have on the client side, just needs to have the proper IP address behind your VPN server, and it should just work (tm)
16:06 <@dazo> alanjf: otherwise, maybe NETMAP can be a useful iptables module to check up ... but that immediately sounds more hackish to me in this setup
16:07 <@dazo> (and it might be you'd need this in the client side, not server side)
16:07 <@krzee> you know me too well
16:07 <@krzee> sleep wasnt deep :-p
16:08 <@dazo> heh
16:08 <@krzee> hello from thailand
16:08 <@dazo> krzee: ouch ... that's soon morning at this time now ... right?
16:08 <@krzee> 4am
16:09 <@krzee> it seems i got too much sleep on the plane here from taiwan
16:10 <@dazo> alanjf: otherwise, newer OpenVPN version (don't recall if it arrived in 2.2 or 2.3) you also have --client-nat ... but that's more useful when the VPN subnet conflicts with the local client network
16:10 < alanjf> dazo: I'd love to be able to use iptables, except the server is windows server 2003.
16:10 <@dazo> alanjf: wtf!?! ;-)
16:10 < alanjf> (Not my choice...)
16:10 <@krzee> all these hilarious constraints
16:11 < alanjf> Yes they are
16:11 <@krzee> maybe they should say you must to it on embedded circuits which lie inside an implant in a monkey?
16:11 <@dazo> alanjf: set up a rasberypi to be a local VPN server, running some kind of Linux distro ... I'm sure it'll outperform Windows server :-P
16:11 -!- Zumochi [ghosty@535402F6.cm-6-5a.dynamic.ziggo.nl] has quit [Quit: I probably broke it]
16:12 <@dazo> (at least if you use blowfish algorithms, which is not that CPU intensive)
16:15 < Ulrar> Is it possible to configure the client so that it will try udp and then tcp ?
16:16 < Ulrar> udp is blocked at school unfortunatly
16:16 < SquirrelCZECH> smart folks!
16:16 < SquirrelCZECH> great
16:16 < SquirrelCZECH> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux -> in the basic Tweaked setup
16:16 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
16:16 < SquirrelCZECH> there is note " For a LAN-based setup this can work, but when handling various types of remote users (road warriors, cable modem users, etc) this is not always a possibility."
16:16 < SquirrelCZECH> and I do handle various types of remote users
16:16 <@dazo> Ulrar: yes ... add more --remote options in you config
16:16 < SquirrelCZECH> so I want to ask... why I can't use this tweaks? what could happend?
16:16 <@dazo> it will try the first, then the second and so on
16:17 < SquirrelCZECH> if I use openvpn from local network AND from internet
16:17 < SquirrelCZECH> (laptop, mobile phone, tablet)
16:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:17 <@dazo> SquirrelCZECH: you need to use the same tweaks on all clients, that's basically why
16:17 <@dazo> but if you can do that ... then it should work
16:17 < SquirrelCZECH> ok than!
16:17 < SquirrelCZECH> :)
16:18 < SquirrelCZECH> *thanks
16:18 <@dazo> SquirrelCZECH: if you like that wiki ... you should get JJK's book ... it's he who wrote that gigabit wiki
16:18 <@dazo> !jjk
16:18 <@dazo> !book
16:18 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
16:18 < SquirrelCZECH> wow :)
16:18 < Ulrar> dazo: But how do you specify the protocol with remote ? Will it just try udp then tcp itself ?
16:19 < SquirrelCZECH> btw: openvpn is great!
16:19 <@dazo> nope, read the man page ... and you'll see the syntax
16:19 <@dazo> SquirrelCZECH: I know!  That's why I'm contributing to it ;-)
16:19 < SquirrelCZECH> :D
16:19 <@dazo> !man
16:19 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
16:19 < SquirrelCZECH> only "not good enough" thingy I found was max speed
16:19 <@dazo> Ulrar: ^^
16:19 < SquirrelCZECH> got "only" 160 Mbit/s
16:20 < SquirrelCZECH> so I was curious about speedup
16:20 <@dazo> SquirrelCZECH: the performance bit is tricky ... but it's also highly related to the performance of the tun kernel driver too, unfortunately
16:20 < SquirrelCZECH> hmm
16:20 < SquirrelCZECH> archlinux distributions
16:20 < SquirrelCZECH> so "newest packages"
16:21 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
16:21 <@dazo> SquirrelCZECH: because on hardware NIC's you often have hardware offloading for many things ... to speed up things .... but the tun driver is pure software, and it doesn't have any hardware to offload stuff to
16:21 < Ulrar> dazo: I did look at the man, but I don't see any indication on how to tell remote the protocol
16:21 < Ulrar> it just says host:port
16:21 < SquirrelCZECH> dazo: ok
16:21 < SquirrelCZECH> dazo: I just suppose I should be able to tune it a bit from 160 Mbit/s to more "higher" value
16:21 < SquirrelCZECH> 400 is great for me
16:21 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:21 <@dazo> SquirrelCZECH: but ... there are some attempts to make tun faster in the kernel world ... to make it use more rx/tx queues on more CPU cores
16:22 < SquirrelCZECH> wow
16:22  * SquirrelCZECH noticed it as single core so far :)
16:22 < SquirrelCZECH> dazo: thanks anyway!
16:22 < SquirrelCZECH> gn!
16:22 <@dazo> g8!
16:22 <@dazo> Ulrar: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage .... --remote host [port] [proto]
16:22 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:23 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
16:23 < Ulrar> dazo: Ha yes, that's not on the 2.x man page
16:23 < Ulrar> thanks
16:24 <@dazo> I sure hope you're not using openvpn 2.0.x
16:24 -!- djh02 [~hash@93.113.125.93] has joined #openvpn
16:24 < Ulrar> No I'm not
16:24 <@dazo> because this syntax which adds protocol, has been present since 2.1
16:24 <@dazo> then why did you look at the 2.0.x man page?
16:25 < Ulrar> That's what google gave me
16:25 < tony1>  I had openvpn setup on fedora 14 and migrated my setup to a new server running Debian. The Debian version is OpenVPN 2.2.1.
16:25 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 264 seconds]
16:26 < djh02> hello, i have a server up and running fine im actually here through said server, but i want to expose this machine's services to the internet via vpn, like http for instance. can that be done ? also i noticed one strange thing, from this box (the client) i can ping the server (default 10.8.0.1) but from the server i can't ping the client 10.8.0.6
16:26 < tony1>    In the vars file I see a few extra options. export KEY_CN=changeme
16:26 < tony1>  export KEY_NAME=changeme
16:26 < tony1>  export KEY_OU=changeme
16:26 < tony1>  export PKCS11_MODULE_PATH=changeme
16:26 < tony1>  export PKCS11_PIN=1234
16:26 < tony1>   
16:26 < tony1>  I am not really sure what to put there or if its important or not.
16:26 < Ulrar> another question, is it still true that I need to run two separate server to listen on both tcp and udp ? If I do that, will it not conflict on the IP it will give to the clients ?
16:27 <@dazo> Ulrar: yes, that's true ... and the tun/tap devices needs to be on separate subnets
16:27 < Ulrar> Okay, well nevermind, it'll just use tcp then
16:28 <@dazo> djh02: sounds like firewalling on the client ... if you can ping the server from the client but not the other way
16:28 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
16:28 < Ulrar> Was already hard enough to split my /64 for one server, realy don't want to bother for a second one
16:28 < djh02> dazo, its a windows box this time. but i can usually ping it just fine
16:29 <@dazo> djh02: well, Windows does have firewall too ... and newer windows don't allow ICMP by default
16:29 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
16:29 < djh02> if this is why it doesnt work im gonna slap myself
16:30  * djh02 slaps himself
16:30 < Ulrar> dazo: Unrelated thing, I noticed on win7 client that tap works fine and tun needs the firewall to be off, would you know any way around that ?
16:31 -!- squirl [~squirl@76.14.69.158] has joined #openvpn
16:31 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:31 <@dazo> Ulrar: not really ... I haven't used Windows for real the last 14 years ... and those Windows clients I server, I don't care about the client side except making openvpn run
16:31 <@dazo> (as long as they can reach the LAN beind the server just fine)
16:32 < djh02> dazo, thank you. what about the other thing? the server has a public ip address, can the internet reach my webserver through the vpn ? the webserver runs on the vpn client
16:32 < Ulrar> Unfortunatly I have to use windows from time to time
16:32 <@dazo> djh02: yeah ... use port NAT on the server side ... or even better probably, setup nginx as a reverse proxy on your openvpn server
16:32 < Ulrar> thanks anyway
16:33 < Ulrar> been searching a solution for weeks now :(
16:33 <@dazo> djh02: if using port NAT ... then you need some routing tricks on the client side (iproute2, using routing tables)
16:34 < djh02> dazo regarding that, i'm trying something like a 1:1 nat but without much success. the server is linux and i've tried SNATting 10.8.0.6 to my public ip(the server's pub ip) and DNATting the pub ip to 10.8.0.6. packets dont even hit the rules, im monitoring with iptables -L
16:35 <@dazo> djh02: I'd generally recommend setting up nginx as a reverse proxy ... it's light-weight, and you can filter out all the "IP address scanners" before they hit your server on the backend
16:35 -!- joshh20 is now known as joshh20-Away
16:35 < djh02> dazo the webserver was an example i'm actually looking to expose the whole client not just selective ports. firewalling and such can be done clientside the server basically needs to route
16:36 < djh02> and do so via openvpn awesome cryptochannel
16:36 <@dazo> djh02: ahh, well don't do that ... it's will most likely just be a pain, from a security perspective ... rather just forward what you do need
16:37 < djh02> Ulrar maybe you can tell me your setup and i may know how to help you. regarding your windows client firewall
16:37 < djh02> dazo i completely agree. but i've been asked to do it. not my call
16:37 <@dazo> djh02: I'm sorry ... I'm just not able to help people doing completely stupid things ... as I don't know how to do that
16:38  * dazo need to head home now
16:38 < Ulrar> djh02: Nothing specific, just the standard windows 7 / 8 firewall. As long as it is on, the tunnel resets everytime a few bytes go though it. I turn it off and the tunnel become stable
16:38 < djh02> ok dazo thanks for the tips mate
16:39 -!- dazo is now known as dazo_afk
16:39 < djh02> Ulrar is windows's firewall the only firewall on the box ?
16:39 < Ulrar> djh02: Yes
16:39 < Ulrar> The strange thing is that it works, it will reset a few times for a page to load, but it will load
16:40 < Ulrar> And even with verb 7 on both client and server, no error at all
16:40 < djh02> do you by chance run it via wireless ?
16:41 < Ulrar> Tried it with a cable too, didn't helped
16:42 < djh02> did you apply any patches or modifications to the standard mtu etc ?
16:42 < djh02> perhaps using speedguide's tcp optimizer ?
16:42 < Ulrar> I found forum posts with that problem, but the fixes doesn't work for me. I try adding a fake gateway to make the network in the home category, not better, and I tried the always on trick, not better
16:42 < Ulrar> I did not
16:44 < djh02> in your client conf do you connect via ip or dns ? the "remote 1.2.3.4 1194" thingy
16:44 < Ulrar> via dns, and I added a bypass-dns on the redirect-gateway to make that work
16:45 < djh02> i had similar issues, try ip directly it could help
16:48 -!- lj [~l@192.241.174.169] has joined #openvpn
16:48 < Ulrar> djh02: Still reseting
16:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:54 < djh02> :(
16:54 < Ulrar> I guess I'll just try to convert my config to use a tap device instead of a tun
16:55 < tony1> I had to revoke a key and generate a new one and everything seems to work ok with the new key but I am not sure if I messed anything up by not properly setting up vars?
16:56 -!- djh02 [~hash@93.113.125.93] has quit []
16:57 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
16:58 -!- joshh20-Away is now known as joshh20
17:01 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oqzhfbfvnbahbdqn] has joined #openvpn
17:03 -!- lj [~l@192.241.174.169] has joined #openvpn
17:07 -!- asturel [asturel@unaffiliated/asturel] has joined #openvpn
17:08 < asturel> i did dnat+masquarade but i see dont have 'Ip forward' (all request src ip is the vpn server ip) what could be wrong?
17:15 -!- michelem [~Adium@84-72-9-232.dclient.hispeed.ch] has joined #openvpn
17:15 < michelem> hello folks
17:15 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-ljnwojevknsbdtyy] has joined #openvpn
17:15 < michelem> I find the IPv6 doc confusing. Where do the indicated directives go, server or client conf?
17:17 -!- Rallias [~Rallias@i.am.lacking.clothing] has left #openvpn ["trimtime"]
17:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
17:26 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:29 -!- icba [~bellwood@alb-ny1.noc.turnkeyinternet.net] has joined #openvpn
17:29 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 240 seconds]
17:29 < icba> hello is there a desktop client version higher than 1.5.6? I wasnt able to find a change log on openvpn.net
17:29 -!- lj [~l@192.241.174.169] has joined #openvpn
17:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:33 < tony1> I am starting to think I should have commented out those options but I could be wrong.
17:36 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
17:42 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
17:54 -!- joshh20 is now known as joshh20-Away
17:55 -!- markus__ [~markus@irc.anonine.net] has quit [Remote host closed the connection]
18:01 -!- michelem [~Adium@84-72-9-232.dclient.hispeed.ch] has left #openvpn []
18:08 -!- icba1 [~bellwood@alb-ny1.noc.turnkeyinternet.net] has joined #openvpn
18:09 -!- icba [~bellwood@alb-ny1.noc.turnkeyinternet.net] has quit [Ping timeout: 240 seconds]
18:09 -!- icba [~bellwood@cpe-72-231-133-225.nycap.res.rr.com] has joined #openvpn
18:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
18:12 -!- icba1 [~bellwood@alb-ny1.noc.turnkeyinternet.net] has quit [Ping timeout: 240 seconds]
18:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:14 -!- icba [~bellwood@cpe-72-231-133-225.nycap.res.rr.com] has quit [Ping timeout: 264 seconds]
18:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
18:19 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:20 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
18:20 < tony1> why is KEY_EMAIL set twice in the vars file?
18:21 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
18:22 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
18:30 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 244 seconds]
18:30 -!- squirl [~squirl@76.14.69.158] has quit [Ping timeout: 240 seconds]
18:36 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 265 seconds]
18:38 < Eneerge> double the fun
18:39 < pekster> Putting the email in your openvpn cert anyway is silly
18:39 < pekster> So is putting in the City, State, Organizational Unit, Company, and Country
18:40 -!- lil0ne- [erik@unaffiliated/lil0ne-] has quit [Quit: leaving]
18:40 < tony1> seems redundant
18:41 < pekster> OpenVPN doesn't care 2 shits about anything but the CN (and the key components, obviously)
18:42 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
18:42 < tony1> pekster:  my old vars file did not have export KEY_CN=changeme in it
18:43 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
18:43 < tony1> these are the lines that are new and im not sure what to enter export KEY_CN=changeme
18:43 < tony1> export KEY_NAME=changeme
18:43 < tony1> export KEY_OU=changeme
18:43 < tony1> export PKCS11_MODULE_PATH=changeme
18:43 < tony1> export PKCS11_PIN=1234
18:43 -!- tapout [~tapout@unaffiliated/tapout] has quit [Max SendQ exceeded]
18:44 < pekster> Don't mess with them unless you're doing batch (no user interaction) mode
18:44 < pekster> If you are, you need to become an expert in how openssl env-vars work with the openssl.cnf
18:45 < pekster> If you're doing this interactivly, don't touch the "changeme" stuff -- you'll be setting it interactively anyway
18:46 < tony1> pekster: I migrated to a new server and everything was fine and then I had to revoke a key and noticed the new export key fields with 2 email settings
18:47 < tony1> then in index.text the cd name is changeme instead of the key name
18:47 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
18:47 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Excess Flood]
18:47 < tony1> opps cn name
18:47 < pekster> Then you've done something wrong
18:48 < pekster> It _asks_ you for the name when you generate a CSR
18:52 < tony1> pekster:  after I revoked the keys I did ./pkitool --pass user01 and in index.txt it shows OU=changeme/CN=changeme/name=changeme
18:52 < tony1> the keys work and the revoked key is denied
18:52 < pekster> RIght
18:53 < pekster> You're not using interactive mode, so it's _your_ job to understand how the env-vars work
18:53 < pekster> You apparently don't, because you failed to set KEY_CN in your environment
18:53 < pekster> THus you get the default of "changeme". If you want to do batch, you _MUST_ set the env-vars the openssl.cnf is using. Or not, if you like the default
18:54 < pekster> pkitool isn't really designed for human use in the v2 world
18:55 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
18:55 < tony1> pekster: well it works but not shure if is secure or not
18:56 <@ecrist> sup, bitches?
18:56 < pekster> Okay, stop using advanced tools
18:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Max SendQ exceeded]
18:56 < tony1> pekster: ok what tool would you recomend?
18:57 < pekster> THe frontends that are designed for people who aren't going to spend a couple hours learning about the shell source and openssl's operation
18:57 < pekster> Just `alias pkitool='echo "Do not run pkitool"'` and you'll be far happier
18:57 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
18:57 < pekster> Or try the new v3 stuff; it's far more sane
18:58 -!- joshh20-Away is now known as joshh20
18:58 <@ecrist> or ssl-admin
18:58 <@ecrist> !ssl-admin
18:58 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
18:58 < pekster> Or basically anything else :P
18:58 < pekster> !certman
18:58 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
18:59 <@ecrist> ssladmin is also officially supported. :)
18:59 < pekster> I suppose "none" of them are officially supported since it's just howto references as of 2.3.0. Choices!
19:00 <@ecrist> being that this is the official support channel (along with forums and ML), anything we, as ops/staff, choose to support, is supported
19:01 < tony1> I kind of think that if those lines were commented out it would work as before but if I leave those keys as is am I secure?
19:01 <@ecrist> tony1: you should use the tool as designed
19:02 <@ecrist> if you go off the reservation, you're on your own
19:02 < pekster> Nope, easyrsa v2 will fail completely if the require env-var doesn't exist
19:02 < tony1> really I dont even know OU= is ok time to read up
19:03 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
19:03 < pekster> If you insist on using easyrsa v2, use the frontend scrips for it. ssl-admin is a perl alternative, XCA is a GUI alternative, and easyrsa v3 is (currently) pre-release re-write that mostly does the right thing without having to sacrifice your sanity
19:03 < pekster> OU is more junk openvpn doesn't care about
19:04 < pekster> Claim you're OU is MI5 if you like. Just as useful as a gpg key that claims you're the prime minister of France!
19:05 < tony1> lol
19:05 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
19:05 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Max SendQ exceeded]
19:06 <@ecrist> or, has a picture of you and your kid (aka F8489F839D7367F3)
19:06 <@ecrist> aka 9D7367F3
19:08 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
19:08  * pekster huts for photos of the French PM online ;)
19:08 < tony1> I have to learn more about what the new (to me) export KEYs mean
19:09 <@ecrist> from PGP?
19:09 < tony1> i set this server up on fedora 14 and migrated to weasy
19:10 < tony1> I will look into what was mentioned and try before bothering anyone else thanks for the help
19:11 < pekster> Follow the howto instead
19:11 -!- joshh20 is now known as joshh20-Away
19:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oqzhfbfvnbahbdqn] has quit [Quit: Connection closed for inactivity]
19:12 < pekster> You're asking how to do rocket science before you can crawl -- it's a bad setup. Pick a frontend from !certman and follow the associated docs
19:12 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
19:12 < tony1> will do, i think I will start over and make a clean server. the files a migrated over were from 2008
19:13 <@ecrist> pekster and I maintain easy-rsa, and I fully wrote ssl-admin, so you're likely to get a lot of help with those two
19:14 < tony1> not sure what openvpn version it was originally created on
19:14 < pekster> openvpn and your CA are separate concepts
19:15 < pekster> You can even use completely different systems for improved security (it's best not to put your production CA on your VPN server, but if you're just learning, go for it out of convenience)
19:15 < pekster> Maybe some background reading might help you:
19:15 < pekster> !intro-to-pki
19:15 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
19:16 < pekster> None of that is easy-rsa specific, so it's good background reading
19:18 < tony1> thanks for the link, and the help. i am going to read up on a few things take care
19:24 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:31 -!- joshh20-Away is now known as joshh20
19:32 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
19:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:34 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
19:34 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
19:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
19:53 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
20:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:21 -!- __raven [~raven@dslb-092-074-212-194.pools.arcor-ip.net] has joined #openvpn
20:23 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
20:24 -!- __raven_ [~raven@dslb-092-074-214-136.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:24 < grendal_prime> hey guys...so im working with a server on a dsl connection, they need connectivity from the outside, but really not information that is sensitive.
20:25 < grendal_prime> whats the best cipher to use for speed?
20:25 < grendal_prime> or really...no ciper..would it be much faster?
20:45 -!- adh0c [~adh0c@216.116.72.173] has joined #openvpn
20:46 < adh0c> Does anyone have any experience with forwarding openvpn traffic through i2p?
20:46 < adh0c>  I have a VPS set up only running OpenVPN, serving traffic for a couple machines.  I'd like to configure the i2p-router on the remote machine, and be able to toggle traffic inside and outside of i2p.
20:46 < adh0c> My google-fu seems to be failing in regards to any documentation on this.
20:47 -!- joshh20 is now known as joshh20-Away
20:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:54 < phunyguy> hey quick question, and it is probably a silly one.  I already have an openvpn server going, with a couple users that use it just fine, via x.509 cert authentication.   Can a server certificate be used instead of a user certificate for the client side?  Seems a bit silly to use a user cert when the machine is what is making the connection.   Or am I way off base here?
20:54 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-ljnwojevknsbdtyy] has quit [Quit: Connection closed for inactivity]
21:01 < pekster> phunyguy: Depends on if your server is set to require the client-specific flags in the cert. Read about --remote-cert-tls in the manpage. Normally for the most common MITM protection you want your clients to connect only to a server-indicated cert (so another valid client can't MITM the connection)
21:01 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
21:02 < phunyguy> ahh I see.
21:03 < phunyguy> But my question was the "client" using a "server" cert to connect to the server.  So there would be no client cert at all in the mix.  Both sides would have server cert.  But It is not a huge deal, I can make a client cert just as easy.
21:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
21:03 < phunyguy> pekster: ^
21:03 < pekster> RIght, I get that
21:03 < pekster> It depends completely on if the sever allows it
21:04 < pekster> Did you read the directive I suggested? What did you learn from it? Do you have a related followup question?
21:04 < pekster> http://catb.org/~esr/faqs/smart-questions.html#lesser
21:04 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
21:11 < phunyguy> I did.
21:11 < phunyguy> and I do not.
21:11 < grendal_prime> soooooo....im screwed?
21:13 < grendal_prime> when it comes to ciphers,  is it allot faster to just not encrypt...as far as sending data through the wire.. is there allot less with no cipher?
21:13 < pekster> "Depends."
21:13 < pekster> You'll need to evaluate your bottlenecks. Traditionally doing nothing is indeed faster than doing something
21:13 < grendal_prime> logic tells me yes..but i got married due to flawed logic.
21:14 <@krzee> lol
21:14 < phunyguy> but if you have stellar hardware on both sides, and a low latency connection, then you may not see much difference.  Yes, it depends.
21:15 < pekster> hw-accel is preferred if you have it (openvpn --show-engines)
21:15 < pekster> But doing nothing is still faster ;)
21:25 -!- alanjf [~ajf@unaffiliated/alanjf] has left #openvpn []
21:26 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
21:28 -!- HD|Laptop [~marco_lda@wikipedia/harddisk] has quit [Remote host closed the connection]
21:34 -!- JackWinter [~jack@vodsl-8317.vo.lu] has quit [Read error: Operation timed out]
21:49 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
22:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
22:05 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
22:20 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:23 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
22:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
22:35 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
22:35 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
22:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
22:39 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
22:43 -!- lj [~l@adsl-99-74-1-67.dsl.peoril.sbcglobal.net] has joined #openvpn
22:45 -!- lj1 [~l@192.241.174.169] has joined #openvpn
22:48 -!- lj [~l@adsl-99-74-1-67.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 265 seconds]
22:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:06 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 245 seconds]
23:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
23:10 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
23:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
23:50 -!- lj [~l@99.155.22.46] has joined #openvpn
23:52 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
23:55 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
--- Day changed Tue Mar 11 2014
00:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:41 -!- cyberspace- [20253@109.74.194.224] has quit [Ping timeout: 265 seconds]
00:44 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
00:51 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:54 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 244 seconds]
00:59 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
00:59 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
01:08 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:11 -!- jcadduono [~jc@adduono.com] has joined #openvpn
01:16 < jcadduono> hello, i'm trying to cross-compile the git master of openvpn using mingw-w64 on debian and i'm ending up with some errors that i can't figure out how to escape.. http://www.pastebin.ca/2653745
01:56 < jcadduono> hrmm, looks like 2.3.2 archived compiles perfectly fine... i guess i will have to try and find a way to patch that for snappy compression
02:14 < lvv> hoi
02:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:39 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
02:43 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:43 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:43 -!- mattock_afk is now known as mattock
02:45 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
02:48 -!- le0 [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has joined #openvpn
02:48 -!- le0 [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has quit [Changing host]
02:48 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:15 -!- jcadduono [~jc@adduono.com] has quit [Quit: Me, quitting? Never.]
03:36 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 264 seconds]
03:38 < tjhowse> can someone more familiar with windows route tables see if they can understand why this tracert isn't routing via my openvpn TAP?
03:38 < tjhowse> http://i.imgur.com/ctVJ5c4.png
03:39 < tjhowse> I'm flummoxed
03:41 -!- dazo_afk is now known as dazo
03:49 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
04:15 -!- adh0c [~adh0c@216.116.72.173] has quit [Ping timeout: 265 seconds]
04:16 -!- adh0c [~adh0c@216.116.72.173] has joined #openvpn
04:18 -!- AtuM [~atum@postar-b.abakus.si] has joined #openvpn
04:18 < AtuM> Is is possible to run a server and a client on the same machine, using the same port (but different tun interfaces) ?
04:20 -!- f0cker [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has joined #openvpn
04:20 -!- f0cker [~f0cker@host86-149-26-106.range86-149.btcentralplus.com] has quit [Changing host]
04:20 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:21 -!- adh0c [~adh0c@216.116.72.173] has quit [Ping timeout: 252 seconds]
04:22 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Client Quit]
04:26 < AtuM>  it says here: https://community.openvpn.net/openvpn/wiki/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine i also need a separate port for each instance.. I have read that some made it work using the same port.. can that be done?
04:26 <@vpnHelper> Title: 283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine – OpenVPN Community (at community.openvpn.net)
04:39 < AtuM> is it possible to have the private key password set within the config file?
04:49 < AtuM> I've removed the passphraze from the key file.. so that's taken care of ;)
04:51 < AtuM> this article leads me to believe it's possible to use the same udp port for clinet and server configurations.. has anyone made it work? https://forums.openvpn.net/topic12428.html
04:51 <@vpnHelper> Title: OpenVPN Support Forum Server and Client on same machine : Server Administration (at forums.openvpn.net)
04:55 < tjhowse> http://i.imgur.com/SLLB8H5.png
04:55 < tjhowse> whoops, missed a line
04:55 <@dazo> AtuM: if you use PKI (that is, --cert, --key, --ca) you can have multiple clients on the same server instance ... but if you use static encryption (--secret), then you need one server instance per client
04:56 < AtuM> dazo, I use PKI on the server as does the client I'm trying to connect to.
04:57 < AtuM> dazo, client meaning the other company's server, where I have the client-side config :)
04:57 <@dazo> AtuM: you cannot connect a client to a client.  if you want one box to both accept connections and to connect to another place ... then you need two instances, one being a server and one being a client
04:58 <@dazo> AtuM: but you can use the same "listening" port ... but you might need to use --nobind in the client configs
04:59 < AtuM> dazo, I use nobind in my client config.
05:00 <@dazo> Then it shouldn't be a problem
05:02 <@dazo> AtuM: but you VPN tunnels should use different subnets ... then you would be able to route things correctly
05:03 < AtuM> this is the config I got from the admin:
05:03 < AtuM> client
05:03 < AtuM> proto udp
05:03 < AtuM> dev tun1
05:03 < AtuM> ca ca.crt
05:03 < AtuM> dh dh2048.pem
05:03 < AtuM> cert client.crt
05:03 < AtuM> key client.key
05:03 < AtuM> remote <remote_host> 1194
05:03 < AtuM> cipher DES-CBC
05:03 < AtuM> user nobody
05:03 -!- AtuM was kicked from #openvpn by dazo [Use pastebin]
05:03 -!- AtuM [~atum@postar-b.abakus.si] has joined #openvpn
05:03 < AtuM> persist-tun
05:03 < AtuM> resolv-retry infinite
05:03 -!- AtuM was kicked from #openvpn by dazo [Use pastebin]
05:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:04 -!- AtuM [~atum@postar-b.abakus.si] has joined #openvpn
05:05 < AtuM> sorry.. I've misunderstood the topic ;-)  here's the config http://pastebin.com/XWFZmLp7
05:06 <@dazo> AtuM: that push line ... that does not belong in a client config
05:06 <@dazo> group abrt ... that sounds odd too
05:06 <@dazo> otherwise, it looks like a reasonable client config
05:07 < AtuM> dazo, I have no idea.. the admin sent me this and I've tried to use it.. I have commented out the user and group lines, since I don't have such a group..
05:07 <@dazo> w00t!?  Then you have a clueless admin ...
05:07 < AtuM> also I've used "float" and "remote-cert-tls server" lines
05:07 <@dazo> hmmm ... dh dh2048.pem  might cause troubles in a client config too
05:08 <@dazo> I can guarantee you that this config has not been tested at all
05:08 <@dazo> and ... cipher DES-CBC  ... seriously!?
05:08 < AtuM> dazo, I'm struggling with the same thoughts
05:09 <@dazo> you could almost argue that 'cipher none' would be just as safe
05:10 < AtuM> not my call... so in the end - not my problem.. i just need to use it
05:10 <@dazo> 3DES is okay ... but single DES, no way ... that's been broken for decades ... maximum key length is 56 bits, iirc
05:10 <@dazo> "in January, 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes " ... http://en.wikipedia.org/wiki/Data_Encryption_Standard
05:10 <@vpnHelper> Title: Data Encryption Standard - Wikipedia, the free encyclopedia (at en.wikipedia.org)
05:11 < AtuM> dazo, what is the default if nothing is set within the config?
05:11 <@dazo> it's Blowfish which is the default
05:12 <@dazo> which is not CPU intensive at all ... and performance is basically based on the speed of the CPU, not any kind of CPU feature support
05:12 < AtuM> thank god.. I haven't set a specific cypher on my server side :/
05:12 < AtuM> less problems for me.. but still need to connect to the remote site..
05:14 < AtuM> what I got from the admin was the ".ovpn" file.. I've just renamed it to .conf as I don't use network-manager to establish the connection
05:14 <@dazo> If you fear NSA might have a backdoor into AES and the different DES versions, then Blowfish is good.  Otherwise AES is probably far better performing, with CPUs which supports the AES-NI instructions
05:14 <@dazo> fair enough
05:14 <@dazo> I'm just bashing your admin publicly
05:15 < AtuM> dazo, he's not my admin.. I'm my admin ;) he's one of my client's admin..
05:15 <@dazo> ahh, okay ... that admin is clueless anyway :)
05:15 < AtuM> bashing doesn't help :)
05:15 <@dazo> for people reading the backlogs ... I hope it does!
05:16 <@dazo> at least krzee might have a laugh :-P
05:19 < AtuM> this is what my log says: http://pastebin.com/rQrXHPp3
05:21 < AtuM> what I'm basically suspecting is that my firewall redirects all traffic (even outbound) ment to udp 1194 towards our internal openvpn server.. just can't trace it yet.. since the keys and certificates work well from my android phone :)
05:23 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
05:24 < AtuM> I've generated a different config on android - it works when on 3G, but not when connected by wi-fi.. so I'm guessing it must be something with fw aswell
05:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
05:28 <@dazo> AtuM: your log file doesn't really say anything ... please remove the --mute and use --verb 4
05:29 <@dazo> Android can be tricky, as it might not use the DNS you expect ... which might also cause issues.
05:30 <@dazo> Also you use a very old OpenVPN ... 2.1.4 ... please upgrade to at least 2.2, or preferably 2.3
05:31 < AtuM> dazo, as far as the version goes I will try to upgrade.. I'm using slackware there so it's basically build-from-scratch type of install ;)
05:32 <@dazo> well, openvpn builds easily enough ... and you can manually just copy out the openvpn binary to where your old openvpn is then .... that's all which is needed
05:38 < AtuM> dazo, here's a verbose output of the log: http://pastebin.com/PtGZrpFz
05:39 <@dazo> Tue Mar 11 11:33:40 2014 us=96081 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:39 <@dazo> Tue Mar 11 11:33:40 2014 us=96245 TLS Error: TLS handshake failed
05:39 <@dazo> That means your client could not access the server
05:41 < AtuM> dazo, is it possible to troubleshoot the connection using any other tools? I've read that openvpn does not respond to nmap calls and such..
05:41 <@dazo> openvpn does not respond to any UDP ports if --tls-auth is used.  Otherwise, it will be possible to nmap ... but this is most likely a firewall issue
05:42 <@dazo> port 1194/udp is blocked
05:43 <@dazo> if it's somewhere in your local network ... or on your openvpn server ... that I dunno ... but if it's the same admin being responsible for this as well, I don't have much hope for a quick and reasonable solution
05:44 < AtuM> we have a separate fw based on linux aswell .. i think there are some fw settings for the server part that disable the client side of this vpn sollution
05:50 < AtuM> I have yet to get used to our firewall solution ;)
06:00 < AtuM> somehow the packet that is ment for the remote server gets redirected to the local machine.. so the tls cannot get established.. the redirection happens on the firewall .  quite a pickle :)
06:01 <@ecrist> not really
06:01 <@ecrist> !firewall
06:01 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
06:30 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:33 < AtuM> ecrist, our setup is not that simple. at most i could just change the policy, but i don't think that's what redirects the packets
06:37 < AtuM> I've found the problem.. just need to solve it now ;)
06:38 < AtuM> I've even found the cause
07:02 <@ecrist> congrats
07:07 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:19 < AtuM> and I've solved the issue.. there was a "virtual server" definition written too wide.. it included "from any source" and "for every target ip" .. so everything going out of the box on port 1194 got redirected back to our server ;)
07:19 -!- mikemol [~mikemol@2001:470:c5b9:beef:a104:3fca:5535:b507] has quit [Remote host closed the connection]
07:21 < AtuM> I've been searching for "prerouting" table like crazy.. the gui masks it with "virtual server" menu..  that's why I don't like gui-s that much .. they obfuscate the obvious ;)
07:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
07:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
07:29 -!- sunwind [~paradox@149.254.250.232] has joined #openvpn
07:31 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:32 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 244 seconds]
07:43 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ifadcftuinssttco] has joined #openvpn
07:45 -!- sunwind [~paradox@149.254.250.232] has quit [Read error: Connection reset by peer]
07:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Connection reset by peer]
07:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:05 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
08:10 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Read error: Operation timed out]
08:12 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:36 -!- P4k3 [~P4k3@85.226.54.82] has quit [Ping timeout: 245 seconds]
08:38 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
08:40 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
08:41 < _bt> hello, anyone using google authenticator with openvpn for clients, with certificates and no user/password?
08:43 -!- sync0pate [~sync@unaffiliated/sync0pate] has left #openvpn ["Leaving"]
08:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:58 -!- Neozonz|Disc2 [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
08:58 < Neozonz|Disc2> Has anyone used vpn with vyatta + ldap authentication?
09:00 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
09:01 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
09:08 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:14 -!- lj [~l@99.155.22.46] has quit [Quit: Leaving.]
09:18 -!- sunwind [~paradox@149.254.250.232] has joined #openvpn
09:22 -!- mikemol1 [~mikemol@162.17.129.77] has joined #openvpn
09:22 -!- mikemol [~mikemol@162.17.129.77] has quit [Disconnected by services]
09:23 -!- mikemol1 is now known as mikemol
09:32 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
09:38 <@krzee> [21:25]  <dazo> [12:14:33] for people reading the backlogs ... I hope it does!
09:38 <@krzee> [21:25]  <dazo> [12:14:52] at least krzee might have a laugh :-P
09:38 <@krzee> good call :D
09:38 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
09:38 <@krzee> and thanks for pinging me on it, needed a good chuckle!
09:44 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
09:44 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:45 < AtuM> krzee, glad we could be of service ;)
09:45 <@krzee> :D
09:45 <@krzee> i also agree with your evaluation of gui firewalls
09:46 < AtuM> krzee, as much as i hate em, I gotta use em :/ž
09:46 <@krzee> ya sometimes $work just doesnt get it
09:46 <@krzee> luckily mine lets me use whatever i like
09:46 < ACKNAK> Hello! Anybody knows would I have to optimize tcp/ip options if I want to get 200-300 clients? (LAN-to-LAN)
09:47 <@krzee> ACKNAK, when you say lan-to-lan do you mean theres 2 lans and between the 2 lans theres 200-300 machines?
09:47 <@krzee> if so, you only need a single vpn connection =]
09:47 < ACKNAK> regional offices - to - central office
09:47 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
09:47 <@krzee> oh wow, theres 200-300 offices?
09:48 < ACKNAK> yes
09:48 <@krzee> that must be one hell of a company!
09:48 <@krzee> what sort of links do they have?
09:48 < ACKNAK> consider them terminals
09:48 < ACKNAK> like ATM
09:48 <@krzee> ahh like atm type stuff
09:48 < ACKNAK> these are not really offices
09:48 <@krzee> beat me to it =]
09:48 < ACKNAK> xD
09:48 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 264 seconds]
09:49 <@krzee> standard dsl/cable type links?  how much data flowing?
09:49 < ACKNAK> these offices do not generate a lot of traffice
09:49 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: br4ndon]
09:49 < ACKNAK> various
09:49 <@krzee> ahh but not much data
09:49 < ACKNAK> 3d cellular, ethernet, dsl
09:49 <@krzee> gotchya
09:49 < ACKNAK> 3g
09:49 <@krzee> the server will be on a nice fast link tho?
09:49 < ACKNAK> usually ethernet
09:49 < ACKNAK> yes
09:49 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 245 seconds]
09:49 <@krzee> any preference on cipher?
09:50 < ACKNAK> server with 100mbps link
09:50 < ACKNAK> AES128, because I want to use build-in encryption in CPU for server
09:50 <@krzee> if you use AES you can get a cpu that supports AES-NI, that will help with the crypto crunching
09:50 <@krzee> hey nice, you beat me to that too :D
09:51 < ACKNAK> and I want to use OpenWRT as clients, seems like they have build in crypto accelerator
09:51 <@krzee> and openvpn is single threaded, so it will only run on 1 core
09:51 < ACKNAK> because they need it for WPA
09:51 <@krzee> which means faster core(s) is better than many cores
09:51 < ACKNAK> I've decided to run 4 instances of OpenVPN
09:51 <@krzee> oh ok
09:51 -!- AtuM [~atum@postar-b.abakus.si] has quit [Quit: Leaving]
09:51 < ACKNAK> each for each core
09:51 <@krzee> to load balance across them
09:51 < ACKNAK> taskset
09:51 <@krzee> well if you're doing that you aint gunna have much issue
09:52 < ACKNAK> and random-remote on clients
09:52 <@krzee> you could maybe get 200-300 on 1 core? but across 4 server processes you'll be fine.
09:53 -!- sunwind [~paradox@149.254.250.232] has quit [Quit: sunwind]
09:53 < ACKNAK> 254 clients per core, (/24 subnet - gateway)
09:53 <@krzee> you know about topology subnet?
09:53 <@krzee> (in openvpn)
09:54 <@krzee> and i thought you said 200-300 clients total? if you're distributing that across 4 services with remote-random then you will never have 254 clients on 1 core
09:54 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
09:55 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:56 < ACKNAK> I hope it would be 200-300 total
09:56 < ACKNAK> I don't know yet
09:58 <@krzee> well in case you dunno bout --topology subnet...
09:59 <@krzee> by default openvpn will assign a /30 per client
09:59 < ACKNAK> tun interface per client?
09:59 <@krzee> this is because of old windows lamesauce
09:59 < ACKNAK> ah yea
09:59 <@krzee> it has been worked around, but is not default
09:59 <@krzee> !topology
09:59 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:00 <@krzee> other than that, i think you thought of the important stuff =]
10:00 <@krzee> well actually, i do have an idea
10:00 <@krzee> if you plan on unknown amount of growth...
10:00 <@krzee> you could add more hosts to the --remote lines
10:01 <@krzee> but set their DNS to the same IPs as the existing hosts
10:01 < ACKNAK> yeah! and then create routing
10:01 <@krzee> that way to add more servers, you simply change dns
10:01 < ACKNAK> like RIP or OSPF between servers
10:01 < ACKNAK> oooh craps I have to go to dentist >_<
10:01 <@krzee> well ya, that stuff can be decided later? maybe you just change to a dual octocore by then
10:01 <@krzee> or whatev
10:02 <@krzee> but adding the hosts now means not updating clients later
10:02 < ACKNAK> I'm so dumb I ruined my teeth, now I have to enjoy this rainbow of pain and throw away tons of monies
10:02 < ACKNAK> grrrr
10:02 <@krzee> that sucks man
10:03 < ACKNAK> yea xD
10:03 <@krzee> hope they get it handled for ya
10:03 <@krzee> and good job on your pre-planning
10:03 < ACKNAK> I'll be back!
10:03 < ACKNAK> see ya xD
10:03 <@krzee> later
10:03 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
10:06 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Quit: Leaving.]
10:07 -!- lj [~l@192.241.174.169] has joined #openvpn
10:08 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 245 seconds]
10:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
10:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
10:16 < Neozonz|Disc2> can the vpn server be on the same subnet as the clients?
10:16 < Neozonz|Disc2> a bit confused, would appreciate a little insight
10:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:24 -!- batrick [batrick@nmap/developer/batrick] has quit [Read error: Connection reset by peer]
10:24 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
10:26 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
10:26 -!- batrick [batrick@nmap/developer/batrick] has quit [Client Quit]
10:28 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
10:32 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
10:33 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
10:37 <@dazo> Neozonz|Disc2: it really depends ... it's normally not recommended at all.  You solve access to the LAN beind the openvpn server/client using routing tables
10:37 <@dazo> normally, at least
10:37 < alanjf> Ok, just a couple things I would like to clear up that I'm not sure about after reading <https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage>
10:37 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
10:38 < Neozonz|Disc2> dazo, vpn accessible from subnet 1, clients reside on subnet 3, subnet 3 can connect to subnet 2... that's what i'm hoping to accomplish
10:38 < alanjf> 1) For a client config, is there any difference between just `client` and `mode client`, and
10:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:38 < Neozonz|Disc2> subnet 1 is basically public internet
10:39 < alanjf> 2) Is `daemon` necessary, recommended, or go to have on a linux client connecting to a remote OpenVPN server?
10:39 < alanjf> s/go to have/good to have/
10:39 <@krzee> alanjf, did you read --daemon in the manual?
10:39 <@krzee> also, did you read --client and --mode?
10:39 <@krzee> !man
10:39 <@dazo> alanjf: 1) --client is a macro ... which does a few more things ... like adding --mode client --tls-client (I don't recall if there were any more)
10:39 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:40 <@krzee> you are basically asking us to read the manual to you, unless i am misunderstanding the questions...
10:40 < alanjf> krzee: Yes, it doesn't say anything about using it for a client though.
10:40 <@dazo> 2) --daemon is only needed if you want to run openvpn as a daemon in the background on *nix based OSes
10:40 <@krzee> alanjf, because its not specific to client or server, its just an option for whether it runs in the foreground or not...
10:40 < alanjf> dazo: Thanks
10:41 <@dazo> alanjf: search for the "Client mode" section in the 2.3 man page
10:41 < alanjf> krzee: Well then I assume it's ok to have multiple configs that use `daemon` then? Because the same Linux machine also is a OpenVPN server.
10:41 < alanjf> dazo: Thank, I will.
10:42 <@krzee> alanjf, sure.
10:43 <@dazo> Neozonz|Disc2: that's all network routing .... look up !tcpip for some good material on how networks really work.  If you don't know networking too well, you *must* know this, otherwise it won't work
10:44 < Neozonz|Disc2> !tcpip
10:44 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
10:44 < Neozonz|Disc2> k, i can route it all but what ip does openvpn listen on
10:44 < Neozonz|Disc2> when the server is set to a subnet?
10:45 <@dazo> the server dedicates it's own subnet for the VPN ... and then you setup the network routing so that your VPN client's can access your servers LAN subnet via the VPN subnet
10:46 <@dazo> each VPN client will get their VPN IP address, which will reside in the IP address pool of the VPN subnet
10:46 <@dazo> openvpn doesn't listen to any other ports than what the openvpn server users for it's clients to connect to
10:47 <@dazo> the rest is network routing, happening in the OS of your clients and servers
10:48 <@dazo> all OpenVPN is to pick up all the network traffic going to the VPN subnet, encrypt it, transport it to the other side, decrypt it and push it out on the tun/tap device ... the rest is the OS, picking up those packets and sending them to the proper destination
10:48 <@dazo> all OpenVPN *does* is to pick up.......
10:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
10:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:05 -!- Neozonz|Disc2 [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Ping timeout: 244 seconds]
11:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:06 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
11:07 -!- Neozonz|Disc [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
11:07 -!- Neozonz|Disc [~arajakul@CPE68b6fc3d43d3-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
11:17 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:23 < Eugene> Annnnnd today, I've had to fuck with my openvpn config and run TCP
11:23 < Eugene> (shitty firewall blocks all UDP)
11:24 <@dazo> ugh
11:24 <@krzee> ouch
11:27 < Eugene> Eh, good quality WAN link in this building. 10ms to my server, with enough bandwidth to max out my WiFi-AC
11:27 < Eugene> But apparently TCP:80 and TCP:443 are the only things that exist
11:31 <@krzee> using nodelay?
11:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
11:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
11:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:46 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
11:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ifadcftuinssttco] has quit [Quit: Connection closed for inactivity]
12:00 -!- JustSighDudes [~Anon@unaffiliated/justsighdudes] has joined #openvpn
12:00 < JustSighDudes> Hi. Is there a way I can get the server to a run a python script everytime a client connects?
12:01 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:02 < pekster> JustSighDudes: --client-connect (ref the manpage.) See also: !scripts
12:02 < JustSighDudes> !scripts > JustSighDudes
12:02 < pekster> It's a limited bot:
12:02 < pekster> !scripts
12:02 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
12:03 < JustSighDudes> pekster: Would you recommend using a password with each key?
12:03 < JustSighDudes> I don't want to have to be sitting on the computer everytime it has to connect but I like the extra security
12:03 < pekster> Generally yes, unless you need unattended setup
12:03 < pekster> Normally users are the ones connecting
12:04 -!- pa [~pa@unaffiliated/pa] has quit [Max SendQ exceeded]
12:04 < pekster> If it's an automated process, you need to weigh the risks of key disclosure if someone gains access with the convenience
12:04 < JustSighDudes> They're all my computers but sometimes windows restarts for updates and then that machine is strandedd
12:05 < JustSighDudes> Also a few servers that I'd like to have sshd listen only on the openvpn connection so I can't really risk not being able to access them
12:05 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
12:05 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
12:05 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:13 -!- takamich_ [~takamichi@85.12.8.13] has joined #openvpn
12:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-taavaiqdhjsmcglh] has quit [Ping timeout: 252 seconds]
12:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:14 -!- kirin` [telex@gateway/shell/anapnea.net/x-txduwpsiexuxhyus] has joined #openvpn
12:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
12:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:15 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
12:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
12:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:16 -!- Varazir_ [~mircwars@c-94-255-128-122.cust.bredband2.com] has joined #openvpn
12:17 -!- takamich_ [~takamichi@85.12.8.13] has quit [Ping timeout: 240 seconds]
12:18 -!- RobertoC [~Roberto.C@unaffiliated/robertoc] has joined #openvpn
12:19 < RobertoC> hello sir, sorry for stupid question, what is the cause of this messang into openvpn log? -> RTNETLINK answers: Operation not permitted
12:19 -!- Varazir [~mircwars@c-94-255-130-121.cust.bredband2.com] has quit [Ping timeout: 252 seconds]
12:19 -!- Varazir_ is now known as Varazir
12:19 -!- Varazir is now known as varazir
12:21 < pekster> No permissions generally, RobertoC
12:21 < RobertoC> okay, i run openvpn as daemon user
12:21 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
12:21 -!- varazir is now known as Varazir
12:21 < pekster> You can't do that. Read about --user and --group options in the manpage
12:22 < pekster> Well, you _can_ technically, but then you need to manually handle all device/addressing/routing with external scripts that are suid or call sudo, and that's a lot of work. OpenVPN can happily downgrade runtime permission after init
12:22 < RobertoC> i have the directive daemon and user daemon group daemon into conf file, okay i read the doc.
12:22 < RobertoC> thanks
12:23 < pekster> You need to start openvpn as root still
12:23 < pekster> _It_ will downgarde effective UID/GID
12:24 < RobertoC> yeah i run openvpn as root, and use the directive user daemon group daemon into conf file, the message is print into log after call stop
12:25 < RobertoC> http://sprunge.us/GOBb
12:29 < pekster> Ah, right
12:29 < pekster> You can ignore that; the non-root user can't remove the route. You don't need to as it'll go away when the device is closed
12:33 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 265 seconds]
12:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:47 < RobertoC> now, thinking about it, is logical this warning, sorry, for stupid osservation.
12:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
12:50 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:52 -!- dazo is now known as dazo_afk
12:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:56 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
12:56 <@krzee> !noroot
12:56 <@vpnHelper> "noroot" is "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
12:57 <@krzee> pekster, you may enjoy that ^
12:58 <@krzee> although really, i just run it as root and downgrade after startup? why not
13:08 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-lmeuxouujjeupcme] has joined #openvpn
13:11 < RobertoC> oh, great doc!
13:11 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Operation timed out]
13:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:24 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Client Quit]
13:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
13:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:28 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
13:36 < alanjf> Could someone please advise what a reasonable `ping` time might be (setting `ping` in a client conf where I'm using up-delay and connecting via udp) ?
14:12 -!- dogewaat is now known as thewizord
14:13 -!- thewizord is now known as dogewaat
14:15 -!- RobertoC [~Roberto.C@unaffiliated/robertoc] has quit [Quit: exit]
14:20 -!- master_of_master [~master_of@p4FF24DAD.dip0.t-ipconnect.de] has joined #openvpn
14:20 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
14:23 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:23 -!- master_o1_master [~master_of@p4FF243DE.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
14:28 -!- Fusl is now known as cutekitten
14:28 -!- cutekitten is now known as Fusl
14:29 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
14:54 -!- mplb [~mplb@37.233.108.93.rev.vodafone.pt] has joined #openvpn
15:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:26 -!- joshh20-Away is now known as joshh20
15:28 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 244 seconds]
15:32 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:41 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
15:48 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
15:52 -!- cutekitten [~cutekitte@i.am.going.to.sigqu.it] has joined #openvpn
15:53 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:54 -!- cutekitten [~cutekitte@i.am.going.to.sigqu.it] has left #openvpn []
15:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:12 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:13 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Quit: Ex-Chat]
16:18 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
16:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
16:21 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
16:22 -!- red_racer12__ [sid20963@gateway/web/irccloud.com/x-dwlehlxistxqpcvs] has joined #openvpn
16:23 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
16:24 -!- mattock is now known as mattock_afk
16:24 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
16:24 -!- _dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
16:26 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
16:27 -!- Rienzilha [rien@sinas.rename-it.nl] has joined #openvpn
16:27 -!- wildcat_ [~tomh@ssh.espix.net] has joined #openvpn
16:27 -!- kenyon_ [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:27 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
16:27 -!- maxiepax_ [max@locke.misse.org] has joined #openvpn
16:27 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 245 seconds]
16:27 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
16:27 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
16:27 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 245 seconds]
16:28 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-cyjjozoejcymtsgo] has quit [Ping timeout: 245 seconds]
16:28 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
16:28 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
16:28 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
16:28 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
16:28 -!- wildcat [~tomh@unaffiliated/wildcat] has quit [Ping timeout: 245 seconds]
16:28 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Ping timeout: 245 seconds]
16:28 -!- codehero [codehero@irc.coding4coffee.org] has quit [Ping timeout: 245 seconds]
16:28 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 245 seconds]
16:28 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 245 seconds]
16:28 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Ping timeout: 245 seconds]
16:28 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 245 seconds]
16:28 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 245 seconds]
16:28 -!- Eugene [eugene@itvends.com] has quit [Ping timeout: 245 seconds]
16:28 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 245 seconds]
16:28 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
16:28 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 245 seconds]
16:28 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Ping timeout: 245 seconds]
16:28 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 245 seconds]
16:28 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 245 seconds]
16:28 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
16:28 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 245 seconds]
16:28 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 245 seconds]
16:28 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Ping timeout: 245 seconds]
16:28 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Ping timeout: 245 seconds]
16:28 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
16:28 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 245 seconds]
16:28 -!- red_racer12__ is now known as red_racer12_
16:29 -!- dazo_afk [~dazo@2001:470:de40:1021::14] has joined #openvpn
16:29 -!- codehero [codehero@irc.coding4coffee.org] has joined #openvpn
16:29 -!- dazo_afk [~dazo@2001:470:de40:1021::14] has quit [Changing host]
16:29 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:29 -!- mode/#openvpn [+o dazo_afk] by ChanServ
16:29 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
16:29 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
16:29 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
16:29 -!- dazo_afk is now known as dazo
16:29 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
16:29 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
16:30 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
16:30 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
16:30 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
16:31 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
16:31 -!- Eugene [eugene@itvends.com] has joined #openvpn
16:32 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
16:32 -!- mode/#openvpn [+o Eugene] by ChanServ
16:33 -!- Netsplit *.net <-> *.split quits: Sembei, julius_, mikemol, prettyrobots, pekster, tjhowse, Jeroen52, XJR-9, tharkun, treshoem,  (+8 more, use /NETSPLIT to show all of them)
16:35 -!- i7c- [~i7c@rliz.org] has joined #openvpn
16:35 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-ofjeoqgkxzijkaig] has joined #openvpn
16:38 -!- Netsplit over, joins: julius_, tjhowse
16:38 -!- Jeroen [~quassel@2001:41d0:1:9592::1] has joined #openvpn
16:38 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
16:38 -!- Netsplit over, joins: raidz
16:38 -!- mode/#openvpn [+o raidz] by ChanServ
16:38 -!- Netsplit over, joins: defswork, pekster
16:38 -!- i7c- [~i7c@rliz.org] has quit [Changing host]
16:38 -!- i7c- [~i7c@unaffiliated/i7c] has joined #openvpn
16:38 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
16:38 -!- Netsplit over, joins: XJR-9, asturel
16:39 -!- Netsplit *.net <-> *.split quits: br4ndon, mplb
16:39 -!- Netsplit over, joins: bogie
16:39 -!- Netsplit *.net <-> *.split quits: klein
16:39 -!- Netsplit *.net <-> *.split quits: davidmp, [1]JPeterson, meepmeep_, viperZ28, Rienzilha, Eagleman7, kloeri, AsadH, funnel, Devastator,  (+29 more, use /NETSPLIT to show all of them)
16:39 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
16:39 -!- i7c- is now known as i7c
16:39 -!- dogewaat_ is now known as dogewaat
16:39 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wcwvmyxmjznbfelk] has joined #openvpn
16:40 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
16:40 -!- esde [~esde@107.150.1.2] has joined #openvpn
16:40 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
16:41 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has joined #openvpn
16:41 -!- treshoem [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
16:41 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:41 -!- Netsplit over, joins: maxiepax_
16:41 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:41 -!- Netsplit over, joins: _quadDamage, @plaisthos, funnel, wildcat_, Rienzilha, Eagleman7, batrick, Cpt-Oblivious, _bt, traph (+20 more)
16:41 -!- Netsplit over, joins: AsadH
16:41 -!- Sembei [~Sembei@62.57.118.216.dyn.user.ono.com] has quit [Max SendQ exceeded]
16:42 -!- prettyrobots is now known as Guest13645
16:42 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
16:42 -!- kenyon is now known as Guest98578
16:43 -!- tharkun [~0@187.188.94.182] has joined #openvpn
16:43 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
16:46 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
16:47 -!- Guest98578 [kenyon@darwin.kenyonralph.com] has left #openvpn []
16:51 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:51 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
16:53 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:54 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
16:56 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
16:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
16:58 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
16:59 -!- Neozonz|Disc [~arajakul@unaffiliated/neozonz] has joined #openvpn
17:04 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
17:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:07 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
17:09 -!- Jeroen is now known as Jeroen52
17:09 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
17:12 -!- Neozonz|Disc [~arajakul@unaffiliated/neozonz] has quit [Ping timeout: 245 seconds]
17:13 -!- Neozonz|Disc [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
17:13 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
17:13 -!- Neozonz|Disc is now known as Guest22429
17:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:14 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 264 seconds]
17:17 -!- Guest22429 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Ping timeout: 245 seconds]
17:20 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
17:25 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
17:26 -!- JackWinter is now known as JackWinter_
17:26 -!- dwirc [~irc@d118-75-58-50.col.wideopenwest.com] has quit [Ping timeout: 252 seconds]
17:26 -!- dwirc [~irc@d118-75-58-50.col.wideopenwest.com] has joined #openvpn
17:34 -!- tony2 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
17:36 -!- tony2 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
17:38 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:46 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
17:52 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 246 seconds]
17:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
17:54 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
17:59 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
18:00 -!- joshh20 is now known as joshh20-Away
18:01 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
18:02 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:08 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 252 seconds]
18:09 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:15 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 264 seconds]
18:17 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:20 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
18:22 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 246 seconds]
18:23 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Ping timeout: 245 seconds]
18:25 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:30 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 245 seconds]
18:32 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:34 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
18:38 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 246 seconds]
18:39 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:39 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Ping timeout: 245 seconds]
18:46 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
18:47 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:50 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
18:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:52 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 245 seconds]
18:54 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
18:56 <@Eugene> Am I imagining things, or is the documentation for <connection> missing from the 2.2 & 2.3 man pages?
18:58 < pekster> manpage has a <connection> section under the heading "Tunnel Options" ;)
18:58 < pekster> At least as of 2.3.2
18:58 <@Eugene> http://openvpn.net/index.php/manuals/427-openvpn-23.html#lbAG
18:58 <@vpnHelper> Title: OpenVPN 2.2 (at openvpn.net)
18:59 <@Eugene> Oh hrm, that url is misleading
18:59 <@Eugene> !man
18:59 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
18:59  * Eugene purges bad page from history
18:59 -!- Eugene was kicked from #openvpn by Eugene [incompetence]
18:59 -!- Eugene [eugene@itvends.com] has joined #openvpn
18:59 -!- mode/#openvpn [+o Eugene] by ChanServ
19:01 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
19:02 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:03 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
19:08 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wcwvmyxmjznbfelk] has quit [Quit: Connection closed for inactivity]
19:16 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
19:17 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:18 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
19:18 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
19:19 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
19:21 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:23 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 252 seconds]
19:24 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:26 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
19:30 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:34 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
19:35 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:35 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:35 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
19:35 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:35 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:36 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:36 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:36 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:36 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:37 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:37 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:38 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:38 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:38 -!- Guest31259 [~seba@kratzbaum.someserver.de] has joined #openvpn
19:38 -!- Guest31259 [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:39 -!- seebaer [~seba@kratzbaum.someserver.de] has joined #openvpn
19:39 -!- seebaer [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:46 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
19:49 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
19:50 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 245 seconds]
19:50 -!- ben1066_ [~quassel@unaffiliated/ben1066] has joined #openvpn
19:50 -!- GrecKo_ [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
19:50 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Ping timeout: 245 seconds]
19:50 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Ping timeout: 245 seconds]
19:50 -!- Jeroen52 [~quassel@2001:41d0:1:9592::1] has quit [Ping timeout: 245 seconds]
19:50 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Ping timeout: 245 seconds]
19:50 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
19:50 -!- Jeroen [~quassel@2001:41d0:1:9592::1] has joined #openvpn
19:50 -!- Su7_ [~demerzel@2001:41d0:a:16::1] has joined #openvpn
19:51 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Ping timeout: 245 seconds]
19:52 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 264 seconds]
19:54 -!- u0m3_ [~u0m3@92.80.73.232] has joined #openvpn
19:55 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
19:55 -!- Devastatr [~devas@177.18.198.165] has joined #openvpn
19:55 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
19:55 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
19:56 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
19:56 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-aylnujjpgsrotccc] has joined #openvpn
19:56 -!- wildcat [~tomh@ssh.espix.net] has joined #openvpn
19:56 -!- wildcat [~tomh@ssh.espix.net] has quit [Changing host]
19:56 -!- wildcat [~tomh@unaffiliated/wildcat] has joined #openvpn
19:57 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
19:57 -!- mode/#openvpn [+o plai] by ChanServ
19:58 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
19:58 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 240 seconds]
19:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
19:58 -!- cripto [~joubin@li131-215.members.linode.com] has quit [Ping timeout: 240 seconds]
19:58 -!- wildcat_ [~tomh@ssh.espix.net] has quit [Ping timeout: 240 seconds]
19:58 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
19:58 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 240 seconds]
19:58 -!- u0m3 [~u0m3@92.80.73.232] has quit [Ping timeout: 240 seconds]
19:58 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
19:58 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has quit [Ping timeout: 240 seconds]
19:58 -!- Guest10196 [~quassel@corkblock.jefferai.org] has quit [Ping timeout: 240 seconds]
19:58 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
19:58 -!- viperZ28 [uid11066@gateway/web/irccloud.com/x-wnthbzghvhifjzzg] has quit [Ping timeout: 240 seconds]
19:58 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 240 seconds]
19:58 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 240 seconds]
19:58 -!- funnel [~funnel@23.226.237.192] has joined #openvpn
19:58 -!- funnel [~funnel@23.226.237.192] has quit [Changing host]
19:58 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:58 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
19:58 -!- treshoem [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 240 seconds]
19:58 -!- _bt_ [~bt@mongs.yotm.com] has joined #openvpn
19:58 -!- cripto [~joubin@li131-215.members.linode.com] has joined #openvpn
19:58 -!- treshoem [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
19:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 240 seconds]
19:58 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 240 seconds]
19:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
19:59 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
20:00 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
20:00 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
20:01 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-aylnujjpgsrotccc] has quit []
20:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-brmgasurxshsurfu] has joined #openvpn
20:02 -!- Zarrsh_ [~Zarrsh@198.167.138.150] has quit [Ping timeout: 240 seconds]
20:02 -!- SquirrelCZECH_ [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
20:03 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
20:03 -!- kloeri__ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:04 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 240 seconds]
20:04 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
20:04 -!- meepmeep_ [meepmeep@end.of.cylind.re] has quit [Ping timeout: 240 seconds]
20:04 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Ping timeout: 240 seconds]
20:04 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 240 seconds]
20:04 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
20:04 -!- Rienzilha [rien@sinas.rename-it.nl] has quit [Ping timeout: 240 seconds]
20:04 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 240 seconds]
20:04 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
20:04 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
20:04 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
20:04 -!- elricsfate_wrk_ [~elricsfat@aus-nat.datapipe.net] has joined #openvpn
20:04 -!- BtbN_ [btbn@btbn.de] has joined #openvpn
20:04 -!- viperZ28_ [sid11066@gateway/web/irccloud.com/x-iftptqiqmpcytbzx] has joined #openvpn
20:04 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: No Ping reply in 180 seconds.]
20:04 -!- BtbN_ is now known as BtbN
20:04 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
20:04 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:05 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has joined #openvpn
20:05 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
20:05 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:2881:af2d:36b6:fd90] has quit [Ping timeout: 240 seconds]
20:05 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
20:05 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
20:05 -!- mikemol [~mikemol@2001:470:c5b9:beef:61f2:39da:8ba3:aee5] has joined #openvpn
20:06 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
20:06 -!- Devastatr [~devas@177.18.198.165] has quit [Changing host]
20:06 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
20:06 -!- Devastatr is now known as Devastator
20:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 245 seconds]
20:07 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
20:10 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:12 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
20:17 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:18 -!- traph [~traph@unaffiliated/traph] has quit [Ping timeout: 264 seconds]
20:19 -!- levifig [sid1908@gateway/web/irccloud.com/x-legwzthklvqfmjje] has joined #openvpn
20:19 -!- Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
20:19 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:20 -!- __raven_ [~raven@dslb-178-002-128-198.pools.arcor-ip.net] has joined #openvpn
20:21 -!- Cr4zi3 [guessswh0@staff.xbins.org] has quit [Excess Flood]
20:21 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:23 -!- __raven [~raven@dslb-092-074-212-194.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:23 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
20:23 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
20:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
21:19 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
21:34 -!- a13x212 [~a13x212@ool-182f341b.dyn.optonline.net] has joined #openvpn
21:53 -!- a13x212 [~a13x212@ool-182f341b.dyn.optonline.net] has left #openvpn []
21:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:59 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:06 -!- mikemol [~mikemol@2001:470:c5b9:beef:61f2:39da:8ba3:aee5] has quit [Remote host closed the connection]
22:17 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
22:17 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 265 seconds]
22:19 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 264 seconds]
22:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-brmgasurxshsurfu] has quit [Quit: Connection closed for inactivity]
22:27 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 245 seconds]
22:43 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
22:49 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
22:54 -!- gardar [~gardar@bnc.giraffi.net] has quit [Read error: Operation timed out]
22:54 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
22:55 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
22:56 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
23:04 -!- justinzane_ [~justinzan@tiny.justinzane.com] has quit []
23:07 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
23:35 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
23:35 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
23:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
23:43 < funyun> hi. i'm attempting to setup openvpn using my ip failover on my dedicated server. can anyone help me with that?
23:48 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
--- Day changed Wed Mar 12 2014
00:02 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
00:17 -!- Marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 240 seconds]
00:21 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
00:23 -!- novaflash is now known as novaflash_away
00:26 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
00:28 -!- bass [bass@unaffiliated/bass] has joined #openvpn
00:30 < bass> I've got openvpn running on a VPS and I'm able to ping through it and it looks like tcp packets are coming back, but my browser never displays anything.  Has anyone seen an issue like this before
00:31 < bass> I can ping the other side of the tunnel from my client and I can traceroute through to external hosts
00:31 < bass> my browser just hangs forever when browsing sites, howeer
00:31 < bass> however*
00:40 <@krzee> dns?
00:40 <@krzee> can you ping by hostname?
00:40 <@krzee> if so, maybe mtu?
00:40 <@krzee> !mtu
00:40 < bass> yeah
00:40 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
00:41 < bass> hmm, I'll try the mtu thingie
00:44 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:49 < funyun> hi. can anyone help me set up openvpn using an ip failover i purchased from ovh?
00:51 <@krzee> funyun, not sure i understand the question...
00:52 < funyun> krzee: i ordered an ip failover which is an different ip than my server ip. i want to setup openvpn using that ip
00:52 <@krzee> are you saying your server is dual-homed and you want to be able to reach it on both IPs?
00:53 <@krzee> as in, 2 interfaces to 2 uplinks?
00:53 < funyun> krzee: it's a dedicated server. i want to connect from home and use the ip of the ip failover
00:53 < funyun> no
00:53 <@krzee> then you have to be more technical with me on what you have
00:54 < funyun> sorry
00:54 <@krzee> np
00:54 <@krzee> just helping you help me help you :D
00:54 < funyun> :)
00:54 <@krzee> haha
00:54 <@krzee> (if you are not a native english speaker, sorry for that ^)
00:54 <@krzee> hahaha
00:55 <@krzee> although ohio ip makes me think you are, so it should be fine ;]
00:56 < funyun> haha. yep i'm american :)
00:56 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:56 < funyun> krzee: i tried this tutorial but it didn't work https://wiki.debian.org/OpenVPN
00:56 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
00:57 < bass> krzee: you're a GENIUS
00:57 <@krzee> !walkthrough
00:57 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
00:57 <@krzee> ;]
00:57 < bass> krzee: it was the MTU after all.  I would have never figured that out :(
00:57 <@krzee> bass, ahh it was mtu?  glad it helped!
00:57 < funyun> that tutorial is for someone using openvpn as the client, which i am not. not sure if that could be the problem..
00:58 <@krzee> funyun, just explain how your server sees this "second ip"
00:58 <@krzee> is it simply 2 ips on the same interface?
00:58 <@krzee> liek in the same subnet with an alias interface?
00:58 < funyun> krzee: http://www.ovh.co.uk/dedicated_servers/ip_failover.xml
00:58 <@vpnHelper> Title: Failover IP: hosting without interruptions - OVH (at www.ovh.co.uk)
00:58 <@krzee> eth0:0
00:59 <@krzee> oh so its 2 seperate servers?
00:59 < funyun> krzee: honestly i have no clue. i just asked ovh if i can do this and they said yes, just buy an ip failover. other than that, i'm clueless
00:59 <@krzee> hehe
01:00 <@krzee> ya im more clueless than you, at least you run the servers :-p
01:00 < funyun> lol
01:00 <@krzee> all i see is marketing terms really
01:01 < funyun> krzee: this might give a better explanation http://help.ovh.com/IpFailover
01:01 <@vpnHelper> Title: OVH : IpFailover (at help.ovh.com)
01:01 -!- bass [bass@unaffiliated/bass] has quit [Quit: leaving]
01:03 <@krzee> looks like 2 servers with layer2 failover with CARP or similar
01:03 < funyun> krzee: so it's possible right?
01:03 <@krzee> you will not be able to sync the state like with sql, but you can simply run identical VPN servers on both and when failover happens client reconnects (if you use --keepalive) and it should work
01:04 <@krzee> now, i could be wrong, i do not intend on fully learning what sort of setup that is if you dont even know it
01:05 <@krzee> especially if it means reading the docs that you have yet to understand (not openvpn related)
01:05 < funyun> krzee: i know this is probably a lot to ask buy could you walk me through this? i am so lost right now
01:05 <@krzee> but if you actually have 2 public ips now, then you simply give the clients 2 --remote options? 1 with each ip
01:06 <@krzee> actually i cannot walk you through it, as im totally guessing what your network is setup like
01:06 <@krzee> you will have to learn your network before you can do advanced networking (vpn stuff) on it
01:16 -!- troyt [~troyt@c-67-161-211-139.hsd1.ut.comcast.net] has joined #openvpn
01:22 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
01:24 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-ofjeoqgkxzijkaig] has quit [Quit: Connection closed for inactivity]
01:26 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:08 -!- traph [~traph@46.10.9.133] has joined #openvpn
02:08 -!- traph [~traph@46.10.9.133] has quit [Changing host]
02:08 -!- traph [~traph@unaffiliated/traph] has joined #openvpn
02:18 -!- novaflash_away is now known as novaflash
02:31 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
02:39 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:45 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:50 -!- mattock_afk is now known as mattock
03:10 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:15 < tjhowse> What's the most common cause of openvpn clients being assigned the same IP?
03:15 < tjhowse> I haven't verified it myself, but another engineer was claiming that two clients to the same openvpn server were assigned the first IP in the pool defined in server_bridge "172.16.32.254 255.255.255.0 172.16.32.240 172.16.32.249"
03:16 < tjhowse> aha, waidaminnit
03:17 < tjhowse> I see MULTI: new connection by client 'c_ddb' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or user
03:17 < tjhowse> in the log
03:17 < tjhowse> so it seems it was silently dropping the first instance of that client
03:23 -!- kloeri__ is now known as kloeri
03:41 -!- nightcracker [~nightcrac@535511B1.cm-6-6a.dynamic.ziggo.nl] has joined #openvpn
03:42 < nightcracker> is there anyone here that knows his way around the internals of TAP-win32?
03:45 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
03:58 <@krzee> nightcracker, better to just ask your question
03:59 <@krzee> tjhowse, are you sure you want to bridge?  why are you bridging?
03:59 <@krzee> i used to spend about half my time in here explaining to people that they do not want to bridge, and that the lame ass walkthrough they read was wrong? it seems a little less frequent but still quite common
04:00 <@krzee> !whybridge
04:00 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
04:00 <@krzee> !tunortap
04:00 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
04:00 <@vpnHelper> rooted/jailbroken) support only tun
04:02 <@krzee> use my name when you respond, i will be in other windows watching a movie
04:09 < tjhowse> krzee: there's two reasons I've gone with a tap and bridge: A) the lame-ass walkthrough I read told me to and, B) I later discovered that one of the applications that will be communicating over this VPN scans for MACs at L2.
04:09 <@krzee> hahaha nice =]
04:09 <@krzee> i like the honesty ;]
04:09 < tjhowse> now B) isn't exactly a must-have, but it makes it an easier sell
04:09 <@krzee> is B) windows sharing?
04:10 < tjhowse> I am looking at changing to a tun, or running a tun instance on another port, to allow for mobile devices to connect
04:10 < tjhowse> no, B) some propriatory software my company makes to scan for HVAC controllers and index them
04:10 <@krzee> oh cool
04:11 < tjhowse> thanks for those links. I'll read up for the future.
04:11 <@krzee> yep sounds like a valid reason, you dont see those around here very often
04:11 <@krzee> haha
04:11 < tjhowse> it's possible that I can use the mobile device incentive to get them to drop the MAC-scanning thing. most of the time that gets done once and saved to a site profile.
04:12 < tjhowse> but people are weird
04:12 <@krzee> well maybe you could make it still do that, but also accept a file of some sort to just feed the info
04:13 <@krzee> so if the file happens to be there, skip the scan cause you already have the infos
04:13 <@krzee> that file support wouldnt even have to be in the gui, just there for those who know
04:13 <@krzee> i would assume that would be easy enough to add (if you/they care)
04:13 < tjhowse> yeah, but people are often lazy. running a scan is the way most people populate their client with the devices.
04:14 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
04:14 < tjhowse> rather than digging around for a disk/USB stick
04:14 <@krzee> oh i see, the vpn stuff will be built in for users and not just something for you guys
04:14 < tjhowse> yep
04:15 <@krzee> couldnt the scan be L3 easy enough too?
04:15 < tjhowse> the software is developed outside our department, and outside our country.
04:15 <@krzee> ahh
04:15 <@krzee> hmm, trying to think how you could make it easy for mobile? sounds like a catch 22
04:16 < tjhowse> the mobile angle is only access to a separate web service, or windows remote desktop to a server
04:16 <@krzee> could the scan be done by something on the actual lan and fed to the vpn client from there?
04:16 <@krzee> oh i see, so ya i guess 2 vpns is fine for you
04:44 -!- MrHeisenberg [~MrHeisenb@ip-176-198-50-168.unitymediagroup.de] has joined #openvpn
04:45 < MrHeisenberg> hello, do i have to change my server.conf if i want my server to listen on ipv4 and ipv6?
04:46 <@krzee> you can only listen on 1 of them per process
04:46 <@krzee> if you want to listen on both, you need 2 server configs and 2 processes
04:46 < MrHeisenberg> okay, an what should the config look like to listen on ipv6?
04:47 <@krzee> !ipv6
04:47 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
04:47 <@krzee> you're looking for "transport"
04:49 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
04:50 <@krzee> i have never used ipv6 with openvpn, but hopefully you can find what you need there, or maybe just knowing it is "ipv6 transport openvpn" will help find it
04:51 <@krzee> transport is using iopv6 to connect to openvpn? payload is ipv6 inside the tunnel
04:51 -!- Devastator [~devas@177.18.198.165] has joined #openvpn
04:51 < MrHeisenberg> krzee: i'm forced to use ipv6 because my provider switched to DSlite.
04:52 <@krzee> even if it were just for fun theres nothing wrong with that =]
04:52 < MrHeisenberg> and all i need is to reach my server via ipv6, the tunnel itself should remain ipv4, if possivle
04:53 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
04:55 <@krzee> definitely possible
04:55 <@krzee> transport ipv6 and payload ipv6 are totally different, and both supported in newest openvpn
04:55 < nightcracker> krzee: sure
04:55 <@krzee> im just teaching you the terms in case it helps you
04:56 <@krzee> (the terms openvpn as used in openvpn)
04:56 <@krzee> s/openvpn//
04:56 < nightcracker> my problem right now is that I'm using a TAP-win32 network adapter (2 to be specific), and I can read ethernet frames sent to it just fine, however trying inject ethernet frames (writing to the adapter) doesn't seem to work
04:57 < nightcracker> I am using this interface: https://code.google.com/p/tapcfg/
04:57 <@vpnHelper> Title: tapcfg - Cross-platform configuration utility for TAP devices - Google Project Hosting (at code.google.com)
04:57 < MrHeisenberg> if i'mnot wrong, then all i need is to add server-ipv6 2001:db8:123::/64 to my server config. with the ipv6 network i'm using?
04:57 <@krzee> nightcracker, maybe you should join #openvpn-devel     im not sure anybody is alive in there at the moment, but ask in there and idle until someone pops in
04:58 <@krzee> MrHeisenberg, that would be for payload
04:58 <@krzee> it may be as simple as changing the --listen directive
04:59 <@krzee> i mean the --local directive
05:07 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
05:09 <@krzee> MrHeisenberg, looks like all you need is --proto udp6
05:10 <@krzee> http://www.toofishes.net/blog/ipv6-follow-openvpn-transport-over-ipv6/
05:10 <@vpnHelper> Title: toofishes.net - IPv6 follow-up: OpenVPN transport over IPv6 (at www.toofishes.net)
05:11 <@krzee> that was hit #2 for my search:   openvpn local ipv6 transport
05:11 <@krzee> MrHeisenberg, please let me know how that works for you, and i will add it to the wiki IPv6 page if it does.
05:11 <@krzee> since i dont use ipv6 =]
05:26 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
05:27 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
05:31 -!- funnel_ [~funnel@23.226.237.192] has joined #openvpn
05:31 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
05:33 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
05:34 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 264 seconds]
05:35 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
05:37 -!- flxmmr [~quassel@p5DE9552E.dip0.t-ipconnect.de] has joined #openvpn
05:40 -!- funnel__ [~funnel@23.226.237.192] has joined #openvpn
05:40 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:41 -!- funnel__ [~funnel@23.226.237.192] has quit [Read error: Connection reset by peer]
05:41 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 245 seconds]
05:42 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
05:42 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-lgpsjpsyqmkecxln] has joined #openvpn
05:43 < AlexPortable> What is better, port 80 or 443 for vpn?
05:43 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
05:43 <@krzee> niether...?
05:43 <@krzee> how would a port be "better" ?
05:43 <@krzee> i guess if you are trying to fool very stupid people, 443
05:44 < AlexPortable> port 80 and 443 are the only opened ports
05:44 <@krzee> although if you actually want to be tricky, then i guess it is 443 and using --port-share
05:44 < AlexPortable> --port-share with what?
05:44 < AlexPortable> why would I want to be tricky
05:44 <@krzee> dunno why you think 1 port is better than another...
05:44 < AlexPortable> idk
05:44 < AlexPortable> Someone recommended me not to use 80
05:44 <@krzee> why?
05:44 < AlexPortable> But i'm not sure if I could better use 443 or 80
05:44 < AlexPortable> idk
05:45 <@krzee> use whatever you want, it wont matter unless theres some reason you have not mentioned
05:45 -!- funnel_ [~funnel@23.226.237.192] has quit [Changing host]
05:45 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
05:45 -!- funnel_ is now known as funnel
05:45 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
05:46 -!- funnel [~funnel@23.226.237.192] has joined #openvpn
05:46 -!- funnel [~funnel@23.226.237.192] has quit [Changing host]
05:46 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
05:48 < AlexPortable> not that I know off
05:49 < AlexPortable> 80 and 443 are the only opened ports in the firewall
05:49 <@krzee> then i guess flip a coin
05:49 <@krzee> hehehe
05:49 <@krzee> 443 is normally crypto, although it looks very different? so i guess use that
05:49 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
05:49 <@krzee> but it does not matter
05:49 < AlexPortable> ok
05:50 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:52 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
05:53 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
05:58 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 252 seconds]
05:59 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
06:04 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 245 seconds]
06:05 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 265 seconds]
06:06 -!- funnel [~funnel@23.226.237.192] has joined #openvpn
06:06 -!- funnel [~funnel@23.226.237.192] has quit [Changing host]
06:06 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
06:06 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
06:08 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 246 seconds]
06:08 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:09 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
06:10 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
06:10 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
06:37 -!- mikemol [~mikemol@2001:470:c5b9:beef:7529:5782:51e1:16ed] has joined #openvpn
06:40 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
06:50 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
06:50 -!- sunwind [~paradox@genkt-049-059.t-mobile.co.uk] has joined #openvpn
06:50 -!- mikemol [~mikemol@2001:470:c5b9:beef:7529:5782:51e1:16ed] has quit [Remote host closed the connection]
06:51 < dan_j> Hi, I'm getting this error when trying to make a new key. unable to write 'random state'
06:51 < dan_j> Any idea what could be causing it?
06:59 < dan_j> I've set RANDFILE (which i never had to do before), but that didnt make any difference.
07:00 -!- sunwind` [~paradox@genkt-049-059.t-mobile.co.uk] has joined #openvpn
07:03 -!- sunwind [~paradox@genkt-049-059.t-mobile.co.uk] has quit [Ping timeout: 246 seconds]
07:03 -!- seebaer [~seba@kratzbaum.someserver.de] has joined #openvpn
07:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 245 seconds]
07:05 -!- seebaer is now known as seba
07:07 -!- sunwind` [~paradox@genkt-049-059.t-mobile.co.uk] has quit [Read error: Connection reset by peer]
07:08 -!- sunwind [~paradox@genkt-049-059.t-mobile.co.uk] has joined #openvpn
07:08 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
07:11 <@krzee> not sure, it is an openssl error not an openvpn error
07:11 <@krzee> while it is a valid topic (not off-topic), you may also want to ask in #openssl
07:11 -!- mattias_ [~mattias@213.132.98.41] has joined #openvpn
07:11 <@krzee> dan_j, ^
07:12 < mattias_> Hi! I want a totally persistent TAP interface, I want to create it on boot and OpenVPN to just use it. But I can see OpenVPN removing the interface anyway.. even if I am using --persistent-tun
07:12 -!- mattias_ is now known as lazzer
07:13 <@krzee> persist-tun does not keep the tun when you kill openvpn, see --mktun
07:13 <@krzee> mkdev mktun, something like that
07:13 <@krzee> and are you sure you want tap and not tun?
07:15 <@krzee> openvpn --mktun --dev tap0 to make a persistant tap device, but you probably dont actually want tap
07:15 <@krzee> !tunortap
07:15 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
07:15 <@vpnHelper> rooted/jailbroken) support only tun
07:16 < lazzer> I want L2 traffic :)
07:16 <@krzee> some have valid reasons, most read some lame walkthrough and went with it
07:17 <@krzee> lazzer, L2 traffic to the lan or the vpn nodes?  what sort of L2 traffic?
07:17 < lazzer> krzee: Doing interface bridging, VLAN over OpenVPN
07:18 <@krzee> ahh, there was a vlan tagging patch but i think it was unmaintained and never got merged
07:18 < lazzer> krzee: It works for me
07:18 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
07:18 < lazzer> krzee: as long as I used an modern linux kernel, it worked
07:19 <@krzee> you mean the vlan tagging patch with openvpn, or just using L2?
07:19 < lazzer> krzee: yes
07:19 <@krzee> that was an either/or question
07:19 <@krzee> not a yes/no
07:19 < lazzer> oh :)
07:19 < lazzer> I use the OpenVPN as a layer2 interface, create VLAN interfaces on top if it
07:20 <@krzee> yep, thats the way to do it, because the vlan tagging patch did not make it? you're doing it right =]
07:21 < lazzer> krzee: If I create the interface during boot, with openvpn --mktun, what should happen if OpenVPN exits?
07:21 <@krzee> test it and find out
07:21 <@krzee> you wont need to reboot to test
07:21 < _bt_> hello openvpn peoples. is anybody using openvpn-auth-pam?
07:22 < _bt_> im trying to integrate google authenticator into openvpn using pam, but having some difficulty
07:22 <@krzee> _bt_, some people are i am sure, but not me? you should just ask your question so when someone sees it they can answer it is possible instead of saying "yes" and waiting for you to come back and see it
07:25 <@krzee> lazzer, or see the manual for --mktun
07:25 <@krzee> since it clearly tells you the answer ;]
07:25 < _bt_> well, the auth-pam readme suggests COMMONNAME in the PAM conversation will be replaced with the client certificate common name, but this isn't happening
07:26 < lazzer> krzee: hmm, i see OpenVPN removes the interfaces on exit, I must do something wrong
07:27 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:27 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:27 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:27 <@plai> lazzer: I have in my /etc/network/interfaces:
07:27 <@plai> auto tap-knx
07:27 <@plai> iface tap-knx inet manual pre-up /usr/sbin/tunctl -t tap-knx
07:27 <@plai> there should be a \n before pre-up
07:28 <@krzee> lazzer, did openvpn make the interface itself, or did it use one that you had made?  you must make it yourself with --mktun and then you must use it with --dev <exact interface> so --dev tun0 instead of --dev tun
07:30 <@krzee> arne lost half his handle!
07:31  * krzee searches for "stos" to give it back to arne
07:31 < lazzer> krzee: as I said, I must have done something strange here.. But now I know that it should work as i expect, will check what I am doing here..
07:32 <@krzee> cool
07:33 < lazzer> :)
07:33 < lazzer> krzee: thanks
07:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:37 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:40 -!- sunwind [~paradox@genkt-049-059.t-mobile.co.uk] has quit [Ping timeout: 245 seconds]
07:45 <@krzee> no problem
08:00 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:00 <@plai> krzee: :D
08:00 -!- mode/#openvpn [-o plai] by plai
08:00 < plai> now I lost another o
08:00 <@krzee> hah
08:00 <@krzee> well i CAN find that one for you
08:00 -!- mode/#openvpn [+o plai] by krzee
08:01  * plai smiles 
08:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
08:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
08:14 -!- Devastator [~devas@177.18.198.165] has quit [Changing host]
08:14 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
08:20 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:21 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 246 seconds]
08:30 < hydrajump> hi is it usual to set persist-key and persist-tun on the client?
08:30 < hydrajump> or are they server-side settings?
08:30 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-mogmqfyfzdcjkbmg] has joined #openvpn
08:37 -!- mikemol [~mikemol@2600:1007:b10a:444e:65c2:9e0b:c9a2:4f53] has joined #openvpn
08:46 -!- u0m3_ [~u0m3@92.80.73.232] has quit [Quit: Leaving]
08:52 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 246 seconds]
08:57 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:59 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
09:01 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:04 -!- funnel [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
09:05 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
09:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
09:11 -!- takamich_ [~takamichi@85.12.8.104] has joined #openvpn
09:13 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
09:16 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Ping timeout: 264 seconds]
09:20 -!- dan_j [~IceChat77@host-2-99-243-1.as13285.net] has joined #openvpn
09:20 -!- dan_j [~IceChat77@host-2-99-243-1.as13285.net] has quit [Changing host]
09:20 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
09:24 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:37 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 264 seconds]
09:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:42 <@krzee> hydrajump, yes it is a normal setting for me to use on my clients.
09:43 <@krzee> (and my servers actually, but i guess they matter more on clients)
09:43 -!- takamich_ [~takamichi@85.12.8.104] has quit [Ping timeout: 246 seconds]
09:53 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:55 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 246 seconds]
09:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
10:05 -!- MrHeisenberg [~MrHeisenb@ip-176-198-50-168.unitymediagroup.de] has quit [Quit: leaving]
10:05 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
10:06 -!- funnel [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
10:07 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
10:09 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:12 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:14 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: Hard work pays off in the future, laziness pays off now]
10:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
10:22 -!- RobertoC [~Roberto.C@unaffiliated/robertoc] has joined #openvpn
10:28 -!- lj [~l@192.241.174.169] has joined #openvpn
10:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:32 -!- flxmmr [~quassel@p5DE9552E.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
10:33 < hydrajump> krzee oh I was reading through the openvpn cookbook and as far as I can recall only the server config used those settings. That's why I wanted to ask about them on the client side
10:33 <@krzee> im in a different country than my copy
10:33 <@krzee> so i cannot confirm nor deny whats in the cookbook, but i use them in both
10:33 < hydrajump> krzee: "The persist-tun and persist-key options are used to ensure that the connection comes back up automatically if the underlying network is disrupted. These options are necessary when using user nobody and group nobody (orgroup nogroup)."
10:34 <@krzee> right? and a server does not ever have network disruption from its perspective, if the servers network goes down it simply thinks all clients stopped talking to it
10:35 < hydrajump> so regardless of what it says in the book is it common place to have: persist-key, persist-tun, user nobody and group nobody on **both** the client and server?
10:35 <@krzee> or at least thats how im seeing it right now in my head
10:35 <@krzee> i use it on both, i cannot tell you whats most common, only ewhat i do
10:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:40 -!- funnel [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
10:41 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
10:48 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Ping timeout: 252 seconds]
10:50 -!- mikemol1 [~mikemol@162.17.129.77] has joined #openvpn
10:50 -!- mikemol [~mikemol@2600:1007:b10a:444e:65c2:9e0b:c9a2:4f53] has quit [Disconnected by services]
10:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
10:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
11:03 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
11:07 -!- traph [~traph@unaffiliated/traph] has quit [Remote host closed the connection]
11:12 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:14 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:14 -!- mode/#openvpn [+o raidz] by ChanServ
11:19 <@dazo> hydrajump: it may in some cases make sense to use these --persist-* options on the client, if you run the client in chroot or with --user/--group ... it can recover more gracefully in case of loosing the connection over a longer time
11:20 <@dazo> like having it starting up automatically at boot ... but of course, they are even more useful on the server side
11:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:20 <@dazo> using --user/--group anyway makes a lot of sense on the client side
11:21 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:23 <@krzee> dazo, im having a tough time seeing why it matters on a server for some reason, although i definitely use it on mine
11:23 <@krzee> persist-tun at least, persist-key makes sense to me
11:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
11:25 <@dazo> krzee: I believe it's possible to send SIGUSR1/SIGUSR2/SIGHUP to the server config to "re-initialise" (not re-read config, though) ... which could potentially break the tun setup ... however, I'd need to double check with the code
11:26 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
11:26 <@dazo> hmmm ... the man page actually says it will re-read the config on SIGHUP
11:27 -!- Guest22512 [~Sembei@unaffiliated/sembei] has joined #openvpn
11:27 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:28 <@krzee> tbh i hadnt thought of sending signals to it either
11:29 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 252 seconds]
11:31 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
11:31 <@plai> dazo: tun is presistent on tun1, hup closes/reopens tun
11:31 <@dazo> USR1, Presume
11:32 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
11:32 <@plai> yes
11:32 <@dazo> right, makes sense
11:32 <@krzee> much more likely to matter on a client methinks
11:34 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Quit: leaving]
11:35 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
11:37 < hydrajump> interesting discussion. so does the client need to support --user/--group before I enable it on the client side as well? I'm using Mac and iOS clients
11:37 <@krzee> i suppose you meant server somewhere in there
11:38 <@krzee> and no, the user that runs the openvpn process is irrelevant outside of the machine it runs on
11:44 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-mogmqfyfzdcjkbmg] has quit [Quit: Connection closed for inactivity]
11:44 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-njnhefjxormfjtye] has joined #openvpn
11:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:48 -!- RobertoC [~Roberto.C@unaffiliated/robertoc] has quit [Quit: exit]
11:48 < hydrajump> Just to check that I follow. --user/--group limit the permissions of the openvpn daemon and --persist-key and --persist-tun are necessary as dazo explained "it can recover more gracefully in case of loosing the connection over a longer time"
11:49 < hydrajump> configuring both the server and client with these options improves security of the openvpn connection is that correct?
11:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
12:10 <@dazo> hydrajump: that's correct ... --user/--group restricts what the openvpn process can do (root user can do anything), and --persist-* is needed so that the non-root user can continue to run, also after a re-init
12:10 <@dazo> or re-connection
12:11 <@dazo> --persist-key makes the key material reside in memory ... which is needed if the key files is only readable by root
12:11 <@dazo> and if --chroot is used, it wouldn't be able to reload these files when they are outside the chroot
12:14 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 246 seconds]
12:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 240 seconds]
12:17 < hydrajump> ok I'll change my config to use these options on both sides. Thanks for explaining krzee dazo !
12:17 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:20 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
12:21 <@krzee> np
12:24 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:26 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds]
12:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:31 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
12:33 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:35 -!- funnel_ [~funnel@23.226.237.192] has joined #openvpn
12:35 -!- funnel_ [~funnel@23.226.237.192] has quit [Client Quit]
12:41 -!- pa__ [~pa@host161-49-dynamic.250-95-r.retail.telecomitalia.it] has joined #openvpn
12:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
12:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:00 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:06 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:17 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
13:17 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
13:18 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
13:20 -!- pa__ [~pa@host161-49-dynamic.250-95-r.retail.telecomitalia.it] has quit [Ping timeout: 246 seconds]
13:35 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
13:35 -!- pa__ [~pa@host185-3-dynamic.49-82-r.retail.telecomitalia.it] has joined #openvpn
13:35 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
13:38 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:40 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
13:42 -!- julius_ [~julius_@static.88-198-127-82.clients.your-server.de] has left #openvpn ["Verlassend"]
13:47 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:01 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:11 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
14:12 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
14:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:15 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
14:17 -!- GrecKo_ is now known as GrecKo
14:19 -!- master_o1_master [~master_of@p4FD7B441.dip0.t-ipconnect.de] has joined #openvpn
14:23 -!- master_of_master [~master_of@p4FF24DAD.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
14:30 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:45 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
14:49 -!- joshh20-Away is now known as joshh20
14:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:54 -!- joshh20 is now known as joshh20-Away
14:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:00 -!- joshh20-Away is now known as joshh20
15:01 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
15:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
15:08 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
15:08 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
15:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:27 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:27 -!- lj [~l@192.241.174.169] has joined #openvpn
15:27 -!- lj [~l@192.241.174.169] has quit [Client Quit]
15:29 -!- mikemol1 is now known as mikemol
15:35 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-qlxqrkdugxslmxhn] has joined #openvpn
15:46 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
15:57 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 252 seconds]
16:00 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
16:06 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:06 -!- notroot [~alastair@host109-149-180-124.range109-149.btcentralplus.com] has joined #openvpn
16:08 < notroot> im having a problem with my client, i can connect to the server but the only thing i can ping is the internal ip of the vpn, i cant get through to the internet, i know the server.conf it right as i have been using it for ages, its only the client that isnt working
16:08 < notroot> *is right
16:08 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
16:17 -!- yoavz [yoavz@yoavz.net] has quit [Quit: ZNC - http://znc.in]
16:17 -!- notroot [~alastair@host109-149-180-124.range109-149.btcentralplus.com] has quit [Ping timeout: 240 seconds]
16:18 -!- Tyklol [tykling@gibfest.dk] has joined #openvpn
16:18 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 252 seconds]
16:20 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
16:22 -!- heraclitus__ [~heraclitu@cpe-76-187-142-153.tx.res.rr.com] has joined #openvpn
16:22 -!- yoavz [yoavz@yoavz.net] has quit [Read error: Connection reset by peer]
16:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
16:25 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
16:26 -!- ketas- is now known as ketas
16:34 -!- novaflash is now known as novaflash_away
16:36 -!- dazo is now known as dazo_afk
16:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:41 -!- mattock is now known as mattock_afk
16:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:45 -!- mode/#openvpn [+v s7r] by ChanServ
16:45 -!- Jeroen is now known as Jeroen52
16:47 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
16:47 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
16:54 -!- akurilin2 [~alex@98.207.161.67] has quit [Quit: WeeChat 0.4.1]
16:55 -!- akurilin [~alex@98.207.161.67] has joined #openvpn
16:55 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:55 -!- joshh20 is now known as joshh20-Away
16:58 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:02 -!- djacob_ [~IceChat9@static-96-224-249-30.nycmny.fios.verizon.net] has joined #openvpn
17:02 < djacob_> hello all
17:06 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
17:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
17:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:17 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
17:27 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:34 -!- MeanderingCode [~Meanderin@palantir.aetherislands.net] has left #openvpn ["elsewhere."]
17:36 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:37 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:46 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
17:46 -!- _dos-freak [leecher@zentarim.0wnz.at] has quit [Ping timeout: 264 seconds]
17:46 -!- svg [~svg@hydargos.ginsys.net] has quit [Ping timeout: 264 seconds]
17:46 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
17:46 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
17:46 -!- miruoy_ [~quassel@d51A44BA8.access.telenet.be] has quit [Ping timeout: 264 seconds]
17:47 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
17:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
17:49 -!- pablito [~chatzilla@194.90.149.21] has quit [Client Quit]
18:03 -!- catsup [d@64.111.123.163] has quit [Read error: Operation timed out]
18:04 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
18:09 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Read error: Connection reset by peer]
18:09 -!- djacob_ [~IceChat9@static-96-224-249-30.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
18:11 -!- djacob_ [~IceChat9@adfb441e.cst.lightpath.net] has joined #openvpn
18:11 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
18:20 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-qlxqrkdugxslmxhn] has quit [Quit: Connection closed for inactivity]
18:27 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:28 < converge> does someone knows a good openvpn client for mac ? (tunneblick dont work for me)
18:30 < pekster> You could try viscocity, though I don't have much experience either way with it
18:31 < pekster> It might be worth working to see why tunnelblick doesn't work; it should play nice on every current Mac version
18:33 < converge> pekster: I always get this message no matter what: tunneblick doesnt start OpenVPN to connecto to "my connection name". See log on vpn details
18:33 < converge> pekster: and the log error message just say http://paste2.org/bn3sda1U
18:35 < pekster> You should check the openvpn log
18:36 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Remote host closed the connection]
18:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-lgpsjpsyqmkecxln] has quit [Quit: Connection closed for inactivity]
18:38 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
18:38 < converge> pekster: ill try that, thanks
18:38 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
18:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:40 -!- oculus [~oculus@gateway/tor-sasl/oculus] has joined #openvpn
18:44 -!- converge [~converge@179.165.10.12] has joined #openvpn
18:44 -!- converge [~converge@179.165.10.12] has quit [Changing host]
18:44 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:44 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
18:44 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:45 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rohbbvrhgfyhdkde] has joined #openvpn
18:46 -!- oculus [~oculus@gateway/tor-sasl/oculus] has quit [Quit: oculus]
18:47 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
18:47 -!- djacob_ [~IceChat9@adfb441e.cst.lightpath.net] has quit [Ping timeout: 240 seconds]
18:48 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
18:52 -!- lj [~l@192.241.174.169] has joined #openvpn
18:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:53 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
19:02 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
19:05 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 246 seconds]
19:06 < converge> do u guys see something wrong on my tunnelblick ? http://paste2.org/m2Wpahfk
19:08 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 260 seconds]
19:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
19:09 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:10 < pekster> Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/joaopaulovanzuita/fortunata.tblk/Contents/Resources/config.ovpn:9: remote-cert-tls (2.2.1)
19:10 < pekster> Your config has no value to that directive
19:11 < pekster> Check out --remote-cert-tls in the manpage; it requires the 'server' (probably what you want) or 'client' option
19:13 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
19:13 < pekster> I'm not that familiar with the tunnelblick internal message logs, but it appears as if you're trying to run the program from the .dmg file (which gets mounted on /Volumes/ on MacOS.) You should copy the entier application to your OS or personal Applications folder and start tunnelblick from there
19:13 < pekster> That's a separate issue though
19:13 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:14 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:14 < converge> wierd cause Im executing it from /Applications
19:15 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
19:15 -!- converge [~converge@179.165.10.12] has joined #openvpn
19:15 -!- converge [~converge@179.165.10.12] has quit [Changing host]
19:15 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
19:16 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:19 < pekster> It could be something else then; the the tunnelblick log noise is something I don't frequently look at (I don't use Macs personally, though have supported tunnelblick for deployments a while back)
19:28 -!- Disney [Transfusio@trivialand/master/transfusion] has quit [Ping timeout: 265 seconds]
19:28 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
19:29 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
19:29 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 265 seconds]
19:29 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
19:30 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
19:30 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
19:30 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 265 seconds]
19:30 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
19:30 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 265 seconds]
19:30 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
19:30 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
19:31 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
19:31 -!- Martin`_ [martin@shell.ipv6.octocore.net] has joined #openvpn
19:31 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 265 seconds]
19:31 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
19:31 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
19:31 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 265 seconds]
19:31 -!- nunim [nunim@irc.sonicboxes.net] has quit [Ping timeout: 265 seconds]
19:32 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Read error: Connection reset by peer]
19:32 -!- Martin`_ is now known as Martin`
19:32 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
19:33 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
19:33 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
19:33 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Changing host]
19:33 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
19:34 -!- Transfusion [Transfusio@trivialand/master/transfusion] has joined #openvpn
19:35 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
19:35 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
19:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:36 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
19:38 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
19:38 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
19:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
19:41 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:43 < converge> pekster: ill try, thanks for your support
19:43 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
19:47 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:48 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Ping timeout: 265 seconds]
19:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:49 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
19:50 -!- XJR-9_ [XJR-9@pdpc/supporter/active/xjr-9] has joined #openvpn
19:50 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (rajaniemi.freenode.net (Nickname regained by services))]
19:50 -!- XJR-9_ is now known as XJR-9
19:50 -!- red_racer12_ [sid20963@gateway/web/irccloud.com/x-dwlehlxistxqpcvs] has quit [Read error: Connection reset by peer]
19:50 -!- red_racer12__ [sid20963@gateway/web/irccloud.com/x-vbbjcaaogyhpkvqr] has joined #openvpn
19:51 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn
19:51 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host]
19:51 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
19:53 -!- nunim [nunim@unaffiliated/nunim] has quit [Ping timeout: 265 seconds]
19:54 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
19:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:56 -!- nunim [nunim@unaffiliated/nunim] has joined #openvpn
19:59 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Changing host]
19:59 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:01 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
20:06 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
20:07 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:08 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 264 seconds]
20:16 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:17 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
20:17 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:19 -!- __raven [~raven@dslb-188-104-091-148.pools.arcor-ip.net] has joined #openvpn
20:19 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
20:22 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
20:22 -!- __raven_ [~raven@dslb-178-002-128-198.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:27 -!- lj [~l@192.241.174.169] has joined #openvpn
20:30 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
20:39 < converge> Im getting "Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified." but I have tls-server activated on openvpn server
20:39 < converge> what could be wrong..?
20:42 < converge> I added tls-client on client and seeams to work
20:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:48 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
20:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rohbbvrhgfyhdkde] has quit [Quit: Connection closed for inactivity]
21:02 < dimitry7> hey guys! what is the option to reduce the initial scheduling time in nagios??
21:03 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:04 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
21:05 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
21:11 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
21:11 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:12 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
21:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:28 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:34 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:35 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:38 -!- converge [~converge@unaffiliated/joaop] has quit [Client Quit]
21:50 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:51 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:59 -!- AivarasK [~aivaras@188.226.159.184] has joined #openvpn
22:00 < AivarasK> if I use static key to connect and all other settings as default is my connection encrypted?
22:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:11 -!- phuzion_ is now known as phuzion
22:12 < funyun> hi. can anyone help me setup openvpn to use the IP failover I bought from ovh?
22:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:13 <@krzee> did you learn what your IP failover is yet?
22:13 <@krzee> and how it works?
22:13 <@krzee> because until you understand your network, nobody can possibly help you.
22:17 < funyun> krzee: it's a second ip you order for your server. same as any other server feature. they just call it an ip failover
22:19 < funyun> krzee: i have the option to reverse it or enable virtual MAC
22:19 < funyun> krzee: it's destination is set to my main server IP
22:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
22:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:29 -!- AivarasK [~aivaras@188.226.159.184] has quit [Ping timeout: 264 seconds]
22:32 < funyun> krzee: now that you see i've learned that, can you help me out?
22:53 < _FBi> Q:  When a file is to be kept secret, ie server.key, how do you keep that secret on the server?
22:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
22:56 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:57 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:58 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
23:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
23:17 <@Eugene> Generally, make it owned by root:root and chmod 400
23:17 < _FBi> 400 read only?
23:18 <@Eugene> You can store it encrypted at the expense of needing to type the passphrase any time the server is started
23:18 <@Eugene> Generally it's worth the tradeoff to leave it unencrypted and only accessible by the superuser. And yes, ro.
23:18 < _FBi> it's only need for start up?
23:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:20 <@Eugene> It's read into memory, yes.
23:20 < _FBi> so I could remove it, too
23:30 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Ping timeout: 260 seconds]
23:41 -!- rizz [~riz@23.92.60.131] has joined #openvpn
23:41 -!- rizz is now known as rizz_
23:41 < rizz_> !welcome
23:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:47 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
23:49 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
23:49 < rizz_> hello, I successfully connected to openvpn and from there I sshd to the network computer. I have an internal backup server on 10.5.1.0/24 and the openvpn is still using the default at 10.8.0.0/24. What's the best way to connect them?
23:51 < _FBi> I'm not an expect, but a bridge, no?
23:54 < rizz_> how would i set that up?
23:54 < rizz_> if i mess up i have to wait until tomorrow to fix it..
23:54 < _FBi> I cannot help you enough, then.
23:55 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:59 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
--- Day changed Thu Mar 13 2014
00:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:18 < _FBi> !md5
00:18 < _FBi> !hardening
00:18 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
00:19 < _FBi> !openssl
00:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
00:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
00:39 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:41 -!- lvv [~loganaden@2001:4290:10:250:3467:767e:36e9:153a] has joined #openvpn
00:43 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
00:56 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:01 -!- lvv [~loganaden@2001:4290:10:250:3467:767e:36e9:153a] has quit [Quit: lvv]
01:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
01:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:04 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 246 seconds]
01:10 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Quit: No Ping reply in 180 seconds.]
01:11 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
01:12 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn ["Leaving"]
01:14 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
01:18 < _FBi> do I need to add blowfish to my server.conf or can I leave it commented because it's default?
01:24 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
01:26 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:30 -!- heraclitus__ [~heraclitu@cpe-76-187-142-153.tx.res.rr.com] has quit [Ping timeout: 252 seconds]
01:38 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
01:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:39 < _FBi> Q: how does the daemon work if there's a challenge/pass phrase on the key?  (On start up_
01:43 -!- SquirrelCZECH_ [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Ping timeout: 245 seconds]
01:46 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
01:53 -!- mattock_afk is now known as mattock
01:55 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
02:01 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:13 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
02:13 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:30 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
02:34 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
02:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
02:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:42 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
02:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
02:47 -!- master_o1_master [~master_of@p4FD7B441.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
02:47 -!- master_of_master [~master_of@p4FD7B441.dip0.t-ipconnect.de] has joined #openvpn
02:50 -!- makara [~makara@41.164.22.218] has joined #openvpn
02:51 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
03:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:29 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
03:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
03:36 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:38 -!- pa__ [~pa@host185-3-dynamic.49-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
03:49 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
03:55 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
04:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
04:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
05:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:06 -!- Six6siX_ is now known as Six6siX
05:09 < funyun> can i set up openvpn via access server? or do i have to do it in command line?
05:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
05:11 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:19 -!- m01_ is now known as m01
05:25 -!- dazo_afk is now known as dazo
05:27 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
05:28 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
05:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:41 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
05:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
05:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:49 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
05:52 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 252 seconds]
05:53 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has joined #openvpn
05:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:02 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:05 -!- mback2k_ [~freenode@89.238.84.46] has quit [Ping timeout: 264 seconds]
06:07 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
06:09 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:13 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
06:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:26 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has joined #openvpn
06:39 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
06:50 -!- mirco [~mirco@ip-109-90-231-36.unitymediagroup.de] has quit [Ping timeout: 270 seconds]
06:51 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
06:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
07:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:16 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
07:17 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:18 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:33 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
07:36 -!- Elrond [~elrond@irc.man-da.de] has joined #openvpn
07:37 < Elrond> Hi.  Does anybody know, wether the tripple handshake issue affects openvpn? It might be possible, as openvpn uses client certs.
07:40 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 241 seconds]
07:42 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:44 <@dazo> Elrond: I don't recall now if anyone has really looked into it in details, but it has briefly been discussed without causing any panic at all
07:48 <@dazo> Elrond: IIRC, openvpn does not use the TLS session resume feature at all, it enforces a completely new session to be established ... so it would never go further than the first step in this attack
07:54 < Elrond> dazo - Does it create a fresh ssl-context for every connection?
07:57 < Elrond> dazo - Or does it use something öike SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF) ?
07:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
08:00 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:00 <@dazo> Elrond: It uses SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
08:00 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:05 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:07 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
08:16 < Elrond> dazo - Thanks!  You might want to put some statement on your website?
08:23 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ztcklgzyqggkihjj] has joined #openvpn
08:24 -!- mapps [map@host31-49-22-149.range31-49.btcentralplus.com] has joined #openvpn
08:31 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
08:33 -!- Transfusion [Transfusio@trivialand/master/transfusion] has quit [Quit: mother knows best]
08:38 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
08:38 -!- rizz_ [~riz@23.92.60.131] has quit [Write error: Broken pipe]
08:38 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:39 -!- rizz_ [~riz@23.92.60.131] has joined #openvpn
08:39 -!- Guest22512 [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
08:39 -!- makara [~makara@41.164.22.218] has quit [Excess Flood]
08:40 -!- Guest22512 [~Sembei@unaffiliated/sembei] has joined #openvpn
08:41 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
08:41 -!- funyun [~temp@65.25.103.89] has joined #openvpn
08:42 -!- makara [~makara@41.164.22.218] has joined #openvpn
08:45 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:45 -!- funyun [~temp@65.25.103.89] has quit [Ping timeout: 241 seconds]
08:52 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 240 seconds]
08:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:53 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 246 seconds]
08:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:59 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
09:00 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 246 seconds]
09:03 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
09:07 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
09:07 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
09:08 -!- xTz is now known as Guest51129
09:08 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:11 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
09:18 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
09:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
09:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:31 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
09:32 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
09:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
09:36 -!- MrSkinny [~MrSkinny@unaffiliated/mrskinny] has joined #openvpn
09:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:45 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
09:46 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:47 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:47 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
09:51 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:52 -!- svg_ [~svg@hydargos.ginsys.net] has joined #openvpn
09:53 -!- lvv [~loganaden@ITE-INF3.dhcp.mu.afrinic.net] has quit [Quit: lvv]
09:54 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wwznzpdydariytvl] has joined #openvpn
09:55 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
09:56 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
09:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:59 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:01 < MrSkinny> Hi there, anyone around to answer a new user question?
10:02 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Excess Flood]
10:02 -!- svg [~svg@hydargos.ginsys.net] has quit [Remote host closed the connection]
10:02 -!- svg_ is now known as svg
10:02 -!- le0 [~l30@unaffiliated/le0] has quit [Excess Flood]
10:03 -!- le0 [~l30@wopr.perspectiverisk.com] has joined #openvpn
10:03 -!- le0 [~l30@wopr.perspectiverisk.com] has quit [Changing host]
10:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
10:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:03 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
10:03 -!- funnel_ [~funnel@23.226.237.192] has joined #openvpn
10:04 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
10:05 -!- funnel [~funnel@unaffiliated/espiral] has quit [Write error: Broken pipe]
10:07 -!- Cr4zi3 [~killaz@staff.xbins.org] has joined #openvpn
10:07 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:08 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
10:11 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:11 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:15 -!- funnel_ [~funnel@23.226.237.192] has quit [Changing host]
10:15 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
10:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:15 -!- funnel_ is now known as funnel
10:16 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
10:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:22 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
10:24 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:31 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
10:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ztcklgzyqggkihjj] has quit [Quit: Connection closed for inactivity]
10:32 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Max SendQ exceeded]
10:33 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
10:34 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
10:34 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Max SendQ exceeded]
10:35 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
10:35 < rizz_> hello, I successfully connected to openvpn and from there I sshd to the network computer. I have an internal backup server on 10.5.1.0/24 and the openvpn is still using the default at 10.8.0.0/24. What's the best way to connect them?
10:38 <@Eugene> !route
10:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
10:38 <@vpnHelper> client
10:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:44 < rizz_> Can I not just bridge it?
10:47 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:47 < [diecast]> are there any openvpn clients that can use osx keychain certifications
10:48 <@plai> no
10:48 <@plai> there are some patches for that floating around though
10:48 < [diecast]> http://community.openvpn.net/openvpn/ticket/8
10:48 < [diecast]> saw that one
10:48 <@vpnHelper> Title: #8 (MacOSX Keychain Certificate support) – OpenVPN Community (at community.openvpn.net)
10:48 < [diecast]> would it work with the latest version 2.3.2?
10:48 <@plai> You test it and tell me :)
10:49 < [diecast]> wow, 4yrs old
10:49 < [diecast]> hah
10:49 <@plai> there is a newer version of the patch somewhere
10:49 < [diecast]> ok
10:49 <@plai> iirc posted to openvpn-devel
10:49 < [diecast]> https://github.com/OpenVPN/openvpn/pull/11/commits
10:49 <@vpnHelper> Title: Apple Mac OS X Keychain support by csdexter · Pull Request #11 · OpenVPN/openvpn · GitHub (at github.com)
10:50 < [diecast]> looks like this one
10:50 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
10:52 <@plai> yes
10:54 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
11:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:10 -!- mikemol1 [~mikemol@162.17.129.77] has joined #openvpn
11:10 -!- mikemol [~mikemol@162.17.129.77] has quit [Disconnected by services]
11:12 -!- mikemol1 is now known as mikemol
11:25 -!- Guest22512 [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:25 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
11:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:26 -!- Guest22512 [~Sembei@unaffiliated/sembei] has joined #openvpn
11:33 -!- Guest51129 [~xTz@DeathStar.Techn0.eu] has left #openvpn []
11:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:48 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
11:50 < MrSkinny> Hi, can I confirm this is the right URL to download 2.3.2 - https://openvpn.net/index.php/open-source/downloads.html - and it should be signed with key fingerprint 198D 22A3
11:50 <@vpnHelper> Title: Downloads (at openvpn.net)
11:51 < MrSkinny> !welcome
11:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:51 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
11:57 < pekster> MrSkinny: Looks right; that matches the key I have on file that I've used in the past for verification
11:58 < pekster> Yea, from the page you linked, here's your key reference: https://openvpn.net/index.php/open-source/documentation/sig.html
11:58 <@vpnHelper> Title: File Signatures (at openvpn.net)
11:59 < MrSkinny> Great, thanks Pekster.
12:00 < MrSkinny> The key wasn't available when I searched on mit.edu, so I didn't love that I had to trust the same website providing the download AND key
12:01 < pekster> It's on keys.gnupg.net
12:01 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
12:01 < pekster> No clue if the keyserver you used is in public rotations, but that mirror is part of the "typical" global mirroring
12:01 < MrSkinny> hmm, i searched for "samuli" and it didn't come up
12:02 < pekster> http://fpaste.org/85095/30129139/raw/
12:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:04 < MrSkinny> Hmm, now it's appearing fine - yesterday wasn't. Or I was doing something drastically wrong. :)  either way, good to have peace of mind, thanks
12:07 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Remote host closed the connection]
12:08 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xcmgxqrqmoftbbyu] has joined #openvpn
12:15 < AL13N_work> it seems if you run openvpn over TCP, that the TCP queue gets stuck (of sorts; over time) which reduces bandwidth as a result... after some testing the openvpn bandwidth was less than 3mbit; after restart i got a bit more than 10mbit , i set the tcp-queue-limit to 256 now... we'll see if this alleviates the problem a bit
12:15 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
12:15 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has joined #openvpn
12:16 < nlb> info nlb
12:16 < AL13N_work> (endpoints have 30mbit and 100mbit respectively)
12:16 -!- MrSkinny [~MrSkinny@unaffiliated/mrskinny] has quit []
12:16 < AL13N_work> i know UDP is better, but sometimes it's not doable
12:17 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
12:20 -!- takamich_ [~takamichi@46.28.49.140] has joined #openvpn
12:23 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
12:25 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
12:28 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 269 seconds]
12:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:40 -!- takamich_ [~takamichi@46.28.49.140] has quit [Ping timeout: 264 seconds]
12:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
12:42 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
12:42 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
12:42 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
12:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:49 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
12:50 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
12:54 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Excess Flood]
12:54 -!- Cr4zi3 [~killaz@staff.xbins.org] has quit [Quit: changing servers]
12:54 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
12:56 -!- Guest22512 [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
12:57 -!- Guest22512 [~Sembei@unaffiliated/sembei] has joined #openvpn
12:57 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
13:05 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
13:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
13:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
13:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:43 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 240 seconds]
13:45 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:45 -!- novaflash_away [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 265 seconds]
13:45 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
13:47 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
13:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:48 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
13:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
13:53 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:59 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
14:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
14:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wwznzpdydariytvl] has quit [Quit: Connection closed for inactivity]
14:20 -!- master_o1_master [~master_of@p4FF2451B.dip0.t-ipconnect.de] has joined #openvpn
14:23 -!- master_of_master [~master_of@p4FD7B441.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
14:24 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
14:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 241 seconds]
14:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:45 -!- media__ [~ManjXfceu@host86-142-251-19.range86-142.btcentralplus.com] has joined #openvpn
14:50 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
14:51 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
14:56 -!- media__ [~ManjXfceu@host86-142-251-19.range86-142.btcentralplus.com] has quit [Ping timeout: 255 seconds]
15:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
15:11 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
15:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:25 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 245 seconds]
15:27 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:30 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
15:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:35 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
15:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:41 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
15:45 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
15:45 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:52 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
16:02 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:03 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
16:05 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 241 seconds]
16:10 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
16:16 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:17 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
16:31 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
16:31 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
16:39 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:39 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 255 seconds]
16:43 < mrrg> hmm, is it possible to push route for the subnet that is local to the vpn server?
16:44 < mrrg> and still communicate with services that are on the vpn server itself?
16:44 < pekster> Yup, although more is required than just that if you want clients to access the server lan. See: !serverlan
16:44 < mrrg> !serverlan
16:44 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:44 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:57 -!- map [map@host31-49-22-149.range31-49.btcentralplus.com] has joined #openvpn
16:57 -!- map [map@host31-49-22-149.range31-49.btcentralplus.com] has left #openvpn []
17:00 -!- mapps [map@host31-49-22-149.range31-49.btcentralplus.com] has quit [Ping timeout: 240 seconds]
17:03 < mrrg> hmm i guess my config is borked, i can't seem to ping the vpn ip of the server
17:04 -!- mattock is now known as mattock_afk
17:04 < pekster> Possibly your firewall (which you should fix becuase that's a very useful thing to check) or your connection isn't happening properly
17:05 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
17:06 < mrrg> hmm, i don't have a firewall
17:06 < mrrg> this is all in a lab
17:07 < pekster> Those aren't mutually exclusive; at any rate, !configs and a pastebin might be useful
17:07 < mrrg> one sec..
17:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:14 -!- Tyklol [tykling@gibfest.dk] has quit [Ping timeout: 264 seconds]
17:19 -!- dazo is now known as dazo_afk
17:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:22 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
17:25 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
17:27 < mrrg> !configs
17:27 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:28 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:34 < mrrg> pekster: http://pastebin.com/V2FWLNhR
17:34 < mrrg> server is RHEL 5.6_64
17:35 < mrrg> client is custom embedded linux
17:40 < pekster> Your ping setting won't pass pretty much any modern firewall
17:41 < mrrg> oh?
17:41 < pekster> Otherwise seems generically fine. Your client should (minus firewall issues) be able to ping the VPN server address across the link at 192.168.69.1
17:41 < pekster> 600 seconds? The Linux Netfilter subsystem has a 180 default second on "established" UDP streams
17:42 < pekster> You almsot always want to use a value far lower than that:
17:42 < pekster> !keepalive
17:42 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
17:42 < pekster> 10/60 or 10/120 are better pairings
17:42 < mrrg> ah yeah, we are looking at slowing everything down a bit
17:42 < pekster> You can't do that if you have any stateful firewalls involved
17:42 < mrrg> these are bandwidth-restricted devices
17:43 < pekster> These are tiny packets
17:43 < mrrg> thx for the heads up
17:43 < mrrg> will look into it
17:44 < pekster> Again, either the connection isn't set up properly (your logs will say) or you do have a firewall you aren't aware of
17:45 < pekster> Other goofyness there too; having the client exit after 14400 seconds but the server not until 21600 is silly. So is the concept of 1000 clients when your setup only allows for 63 connected clients
17:46 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
17:46 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:47 < mrrg> uderstood
17:50 < mrrg> hmm this is so weird
17:50 < mrrg> nothing in log, tunnel interface comes up ok, routes get pushed to client
17:50 < pekster> There is never nothing in your logs
17:50 < pekster> !logs
17:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:50 < pekster> !logfile
17:50 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
17:51 < mrrg> hehe, well nothing glaring at least server-side
17:51 < mrrg> taking a look at client
17:51 < pekster> Post them both at verb 4 for assistance; anything less isn't helpful to us here
17:52 < pekster> (on a clean connect attempt, in case that wasn't apparent)
17:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xcmgxqrqmoftbbyu] has quit [Quit: Connection closed for inactivity]
17:53 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
17:54 < mrrg> of course
17:54 < mrrg> have to run to a meeting in 5 mins, will bbl
17:54 < mrrg> thx pekster
18:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
18:11 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
18:17 -!- klein [~klein@187.85.191.52] has joined #openvpn
18:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:17 -!- klein [~klein@187.85.191.52] has quit [Changing host]
18:17 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
18:17 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:17 -!- klein is now known as Guest53070
18:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
18:36 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
18:38 -!- s7r1 [~s7r@109.99.157.72] has joined #openvpn
18:38 -!- levifig_ [sid1908@gateway/web/irccloud.com/x-zzinpeunvbijhfuk] has joined #openvpn
18:38 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:41 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
18:41 -!- master_of_master [~master_of@p4FF2451B.dip0.t-ipconnect.de] has joined #openvpn
18:41 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:41 -!- master_o1_master [~master_of@p4FF2451B.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
18:45 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 321 seconds]
18:45 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Ping timeout: 321 seconds]
18:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 321 seconds]
18:45 -!- levifig [sid1908@gateway/web/irccloud.com/x-legwzthklvqfmjje] has quit [Ping timeout: 321 seconds]
18:45 -!- _Cr4zi3 [~killaz@76.74.171.253] has joined #openvpn
18:45 -!- _Cr4zi3 is now known as Cr4zi3
18:48 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
18:49 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
18:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:50 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
18:51 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Excess Flood]
18:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
18:51 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
18:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
18:52 -!- maxiepax_ [max@locke.misse.org] has quit [Ping timeout: 240 seconds]
18:52 -!- maxiepax [max@locke.misse.org] has joined #openvpn
18:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
18:55 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 264 seconds]
18:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:57 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
19:03 < funyun> can i set up openvpn via access server? or do i have to do it in command line?
19:04 < pekster> AS is a commercial wrapper and its own EULA. GPL OpenVPN is a CLI program, though you're free to use (or create) a frontend if you wish
19:06 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Ping timeout: 260 seconds]
19:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
19:11 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has joined #openvpn
19:11 < funyun> can anyone tell me what i should change in this tutorial https://wiki.debian.org/OpenVPN if i'm not running openvpn on the client side? client will need to import ca.crt, cli.key, cli.crt into tunnelblick..
19:11 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
19:12 < pekster> "not running openvpn on the client side" ??
19:12 < pekster> #openvpn helps with OpenVPN. I'm not sure what you're expecting if you're not using OpenVPN
19:13 < funyun> pekster: i mean client will not have a command line openvpn. but will have a GUI tunnelblick frontend or whatever it is
19:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:16 < pekster> It still has a CLI program; the GUI simply invokes it
19:16 < pekster> !gui
19:16 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
19:18 < funyun> okay. in the tutorial, do i replace 10.9.8.2 10.9.8.1 with my ip's? or leave them like that?
19:18 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 240 seconds]
19:18 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
19:18 < pekster> !howto
19:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:18 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
19:18 < pekster> No clue about other tutorials; you'd have to ask them
19:19 < pekster> If you want help here, don't be vauge
19:19 < pekster> !welcome
19:19 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:19 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:19 < pekster> !new
19:19 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
19:19 < pekster> !configs
19:19 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:19 < pekster> !logs
19:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:19 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
19:19 < pekster> funyun: ^ there's your reading material. THe /TOPIC has most of that starting info for you as well
19:19 < funyun> pekster: client doesn't have /etc/openvpn/easy-rsa/keys
19:19 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
19:20 < pekster> So what?
19:20 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
19:20 < pekster> OpenVPN is an X509 consumer; it doesn't deal with the PKI needs directly beyond using pre-existing certs & keypairs
19:20 < funyun> so that makes the command useless
19:20 < pekster> wtf are you on about?
19:20 < pekster> !intro-to-pki
19:20 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
19:21 < pekster> !easyrsa
19:21 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
19:21 < pekster> !certman
19:21 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
19:21 < pekster> Use whatever PKI system you want
19:21 < pekster> You're doing a hidious job of explaining your problem
19:21 < pekster> http://catb.org/~esr/faqs/smart-questions.html#beprecise
19:21 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
19:25 < funyun> pekster: is there a tutorial you know of for what i need?
19:25 < funyun> what i need is a cli.key cli.crt ca.crt
19:25 < funyun> i need to create that with openpvn
19:25 -!- Guest22512 [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
19:26 < pekster> You can't
19:26 < pekster> OpenVPN is not an RSA/ECDSA utility
19:26 < pekster> You need one
19:26 < pekster> Read harder, maybe?
19:26 < pekster> !certman
19:26 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
19:26 < pekster> Use any of them
19:26 -!- Guest22512 [~Sembei@unaffiliated/sembei] has joined #openvpn
19:27 < pekster> !pki
19:27 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
19:27 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
19:27 < pekster> It's even in the howto that you haven't bothered to read yet
19:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:28 < pekster> So, 1) pick what tool you want to use to create your PKI. 2) Follow the documentation provided by that utility to generate a PKI structure suitable for OpenVPN. 3) provide openvpn the required output files from your PKI.
19:28 < pekster> and 4) if you get stuck, explain what you're trying to do, what tools you're using, and what you tried so far
19:30 < funyun> okay. in the tutorial, do i replace 10.9.8.2 10.9.8.1 with my ip's? or leave them like that?
19:30 < funyun> i'm using openvpn and i haven't tried anything so far
19:30 < pekster> Then you won't get much help here
19:30 < pekster> http://catb.org/~esr/faqs/smart-questions.html#before
19:30 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
19:31 < funyun> make up your mind bro. i just did exactly what you told me to do "if you get stuck, explain what you're trying to do, what tools you're using, and what you tried so far"
19:31 < pekster> You you've done nothing. then you failed to read that link about how to get help here; that's not very clever of you
19:31 < funyun> you just want to be a dick. so either do your job and help me out or stfu
19:31 -!- mode/#openvpn [+o pekster] by ChanServ
19:31 -!- funyun was kicked from #openvpn by pekster [come back when you can behave]
19:31 -!- mode/#openvpn [-o pekster] by ChanServ
19:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
19:32 < pekster> Hello again. Shall we try again?
19:32 < pekster> Here's some fun bits in that link that you should have read:
19:32 < pekster> "When you ask your question, display the fact that you have done these things first; this will help establish that you're not being a lazy sponge and wasting people's time. Better yet, display what you have learned from doing these things. We like answering questions for people who have demonstrated they can learn from the answers."
19:32 < funyun> i will wait for someone else. you obviously have no intentions of helping me
19:32 < pekster> and
19:32 < pekster> "Never assume you are entitled to an answer. You are not; you aren't, after all, paying for the service. You will earn an answer, if you earn it, by asking a substantial, interesting, and thought-provoking question — one that implicitly contributes to the experience of the community rather than merely passively demanding knowledge from others."
19:33 < pekster> Maybe you want to show us what you've tried so far
19:33 < pekster> I shows you !configs and !logs. Everyone here is going to want that
19:34 < funyun> pekster: here's where i'm at so far. i've been trying that debian tutorial i linked to you for the past 4 days. and nothing has worked. so now you linked me to the howto which makes more sense to me but i am still stuck on whether to use the ip it gives me or my own ip. i have no clue if that ip is an example ip or what i'm actually supposed to use. i also cannot be any more clear than this. i have no idea how else to explain this to you
19:35 < pekster> So provide YOUR CONFIGS
19:35 < pekster> FFS man
19:35 < pekster> WHat have you done so far? If it's nothing, then you need to start over completely at !howto
19:35 < pekster> (or go whine to the debian folks who wrote that howto. We don't support blogs, other people howto's, or what you heard from that guy at the bar last week)
19:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
19:36 < pekster> THe !howto you were linked has massive comments in the sample file. Can you explain what exactly you're confused about
19:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:45 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:48 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
19:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
19:49 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 240 seconds]
19:50 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
19:50 -!- emid [~emid@192.241.162.156] has joined #openvpn
19:50 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:50 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
19:50 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 240 seconds]
19:51 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
19:54 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 240 seconds]
19:55 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
19:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
19:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Excess Flood]
19:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
19:56 <@Eugene> !101
19:56 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
19:56 <@Eugene> Likely applies here.
19:56 <@Eugene> !beer
19:56 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
19:56 <@Eugene> That one's for pekster ^
19:57 < pekster> Oh, Already on it
19:57 <@Eugene> Good, good.
19:57 < pekster> Still got half a bottle of Merlot from yesterday to wash it down with ;)
19:57 <@Eugene> wino.
19:57 < pekster> Maybe I'll be prepared to deal with my Windows VM Java issues after that :D
19:58 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 240 seconds]
19:58 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
19:58 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Excess Flood]
19:59 -!- MacGyver [~MacGyver@2a01:4f8:130:3001:509::1] has joined #openvpn
19:59 -!- MacGyver [~MacGyver@2a01:4f8:130:3001:509::1] has quit [Changing host]
19:59 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
19:59 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
20:01 -!- michaelhart_ [~michaelha@162.209.54.120] has joined #openvpn
20:02 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 240 seconds]
20:02 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
20:02 -!- michaelhart_ is now known as michaelhart
20:02 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Ping timeout: 240 seconds]
20:02 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
20:02 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:04 < mrrg> pekster: following up on that weird issue before, i changed subnets and all is well
20:05 < mrrg> maybe some hidden restriction in the device, i don't know
20:06 -!- dimitry7 [~antonello@gate.aaamerica.com.mx] has quit [Quit: Leaving]
20:07 < pekster> Or that network was used/referenced elsewhere (routing, firewalls, whatever)
20:07 < pekster> Bad appliances use arbitrary networks and expect you to avoid them ;)
20:07 < mrrg> not that i know of... i built the network!
20:08 < mrrg> i guess one of my colleagues could have slipped something by me
20:08 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:08 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
20:08 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Excess Flood]
20:08 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:08 < mrrg> anyhoo, all is well but for a couple more gray hairs
20:08 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:11 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Ping timeout: 240 seconds]
20:11 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 240 seconds]
20:11 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
20:12 < mrrg> i have a more interesting question now
20:12 < mrrg> is TLS suspend/resume something that's been looked at?
20:14 < funyun> i get this error "TCP/UDP: Socket bind failed on local address [undef]: Address already in use" when i try to start openvpn on server. here is my config http://pastebin.com/giTgtrBv.
20:14 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
20:14 < funyun> i'm following the howto, anyone know what i'm doing wrong?
20:14 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
20:14 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:15 < mrrg> funyun: sounds like you already have an instance running
20:15 < mrrg> killall -9 openvpn
20:15 < mrrg> then retry
20:16 -!- lambda [~lambda@gateway/tor-sasl/lambda] has joined #openvpn
20:16 -!- s7r1 [~s7r@109.99.157.72] has quit [Read error: Connection reset by peer]
20:18 -!- __raven_ [~raven@dslb-094-216-205-178.pools.arcor-ip.net] has joined #openvpn
20:19 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
20:20 < funyun> mrrg: that fixed it. thanks. now my vpn is working, but my ip address is the same. i did echo 1 > /proc/sys/net/ipv4/ip_forward on server. is there something i need to do on client so that my ip changes to the vpn ip?
20:21 -!- __raven [~raven@dslb-188-104-091-148.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:22 < mrrg> it doesn't work that way, you'll gain an additional ip
20:22 < mrrg> ifconfig to see your interfaces and ip
20:23 < mrrg> use route or netstat -r to see which networks are sent through your tunnel interface
20:24 < pekster> More info at:
20:24 < pekster> !redirect
20:24 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:24 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:30 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
20:30 < funyun> anyone know?
20:30 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
20:30 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
20:30 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
20:30 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 240 seconds]
20:31 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 240 seconds]
20:31 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
20:31 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Changing host]
20:31 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
20:32 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:32 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:34 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
20:35 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
20:36 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
20:36 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
20:37 -!- converge [~converge@189.7.3.101] has joined #openvpn
20:37 -!- converge [~converge@189.7.3.101] has quit [Changing host]
20:37 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:38 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:38 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has quit [Ping timeout: 240 seconds]
20:39 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:40 < converge> does someone knows why this reconecting thing happens ? http://paste2.org/fp9jUnxA
20:41 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has joined #openvpn
20:41 -!- MacGyver [~MacGyver@sog.polvanaubel.com] has quit [Changing host]
20:41 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has joined #openvpn
20:41 < pekster> line 115 (and all re-occurances.) Your local end got a TCP reset packet that is requesting the connection be torn down right away
20:41 < pekster> Logs on the far said should be more revealing
20:42 -!- funyun [~temp@ns236132.ip-192-99-21.net] has joined #openvpn
20:44 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
20:46 -!- jibcage [~jack@5.150.254.72] has joined #openvpn
20:47 < jibcage> How do I increase the maximum key length for my raspberry pi?
20:47 < jibcage> all of my computers are using 4096 bit but it only does 2048 bit.
20:47 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
20:47 < pekster> Generally speaking that's a waste of generation time
20:48 < pekster> Any sane PKI tool will let you pick your keysize: options in !certman if you're looking for replacements, or pass the right options to the tool of your choice (eg: openssl)
20:48 < converge> pekster: logs on the far side ? what do u mean..?
20:48 < jibcage> I don't want to replace my keys...
20:48 < pekster> The _other_ system converge
20:49 < pekster> jibcage: You can't increase your keysize without regenerating them :P
20:49 < jibcage> no, I'm saying the rpi says it has a maximum keylength of 2048 bits
20:49 < jibcage> and I find that hard to believe
20:49 < pekster> NFI what that means
20:49 < pekster> openvpn uses openssl for crypto
20:50 < pekster> Any supported platform should handle up to 4096 bit RSA asymettric keys without issue (more than that boils down to implementation support.)
20:50 < jibcage> Thu Mar 13 21:26:51 2014 Key file ('keyfile') can be a maximum of 2048 bytes
20:50 < pekster> Go regen your keypari and sign a new cert?
20:50 < pekster> Then go complain to the author of your shitty frontend
20:50 < jibcage> do I need to rebuild openvpn?
20:52 < pekster> Hm, possibly
20:52 < pekster> Your distro did stupid things ;)
20:52 < funyun> pekster: i have the vpn set up and working. but the speed is a little slow. is there anything that can be done to increase speed that wasn't mentioned in the howto?
20:53 < pekster> jibcage: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/crypto.c#L892
20:53 <@vpnHelper> Title: openvpn/src/openvpn/crypto.c at master · OpenVPN/openvpn · GitHub (at github.com)
20:54 < pekster> jibcage: Oh, you're using static keys?
20:54 < pekster> No, just use a smaller size
20:54 < pekster> They're internally converted to 2048 anyway (512 * 4 directions) so more is silly
20:54 < pekster> 4096 is the (sane) limit for _asymettric_ crypto. OpenVPN won't grok more than 512 bits of _symmetric_ crypto at once
20:55 < pekster> No ciphers use it, and even for 512 you must use a supported cipher that can handle larger keysizes. Check --cipher in the manpage for details
20:57 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 264 seconds]
20:57 < funyun> hi. i have set up my vpn using the HowTo but the speed is a little slow. is there anything that can be done to increase speed that wasn't mentioned in the howto?
20:57 < pekster> jibcage: If this is a --tls-auth key or --secret key, just use what openvpn gives you with `openvpn --genkey --secret output-file-here.key`
20:59 -!- lambda [~lambda@gateway/tor-sasl/lambda] has quit [Quit: lambda]
20:59 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
21:00 < pekster> funyun: Repeating your is a bad idea. I have an answer for you, but I'm going to wait a bit while you read why what you did was rather rude: http://catb.org/~esr/faqs/smart-questions.html#volume
21:00 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
21:00 < pekster> yourself*
21:01 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:02 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
21:03 < funyun> pekster: i wasn't repeating myself. i asked you first and you proved i was right all along when i said you have no intention of helping me. so now i'm asking the channel
21:04 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
21:07 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
21:07 -!- jibcage [~jack@5.150.254.72] has quit [Ping timeout: 240 seconds]
21:07 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 240 seconds]
21:07 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
21:07 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
21:07 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
21:08 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:08 -!- mode/#openvpn [+o pekster] by ChanServ
21:08 <@pekster> Cool story
21:08 -!- mode/#openvpn [+q $a:funyun] by pekster
21:08 <@pekster> Now instead of an answer you get a timeout
21:09 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Ping timeout: 240 seconds]
21:09 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
21:10 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:13 -!- mode/#openvpn [-q $a:funyun] by pekster
21:13 -!- jibcage [~jack@5.150.254.72] has joined #openvpn
21:13 <@pekster> funyun: You want this:
21:13 <@pekster> !speed
21:13 <@vpnHelper> "speed" is Speed problems? Basic items to check include: 1) Prefer UDP over TCP (see !tcp) 2) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues 3) iface txqueuelen often needs to be >100 on fast and/or latent links 4) latenty/slow links don't magically get better with openvpn 5) less likely are issues with bad TCP window scaling or the sliding window; generally, don't
21:13 <@vpnHelper> 2nd guess TCP (in openvpn or ...
21:13 < funyun> pekster: thank you
21:14 <@pekster> Yup. If you get stuck it'll help to know what part you'd like clarification on. Some reading or quick googling on a few of those items might help too
21:14 -!- mode/#openvpn [-o pekster] by ChanServ
21:15 -!- lambda [~lambda@gateway/tor-sasl/lambda] has joined #openvpn
21:15  * __FBi removes channel operator status from pekster 
21:16 < __FBi> evening all
21:16 < pekster> Early morning for the East ;)
21:17 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
21:19 < converge> it's kind hard to identify the problems..
21:19 < converge> pekster: do you know what could be wrong ? http://paste2.org/1fXbeAwX
21:19 < converge> pekster: your last advice helped a lot, about watch the server log
21:20 < converge> tls-auth problem solved, I think. Now Im trying to understand where is the problem
21:22 < funyun> pekster: just want to check with you before i try. i should do openvpn --tun-mtu n --fragment max server.conf?
21:22 < pekster> Line 34/35: the other end (the one you're connecting to, 192.168.1.1) has sent you a TCP RST packet. This is like slamming the door in your face
21:22 < pekster> Go review the logs on the opposing side for why
21:22 < pekster> No "initial packet received" either -- it could be there is no openvpn service listening on that port, perhaps? Otherwise review your logs
21:23 < funyun> on the man page i see those set max mtu and max feagmentation
21:23 < pekster> funyun: Hmm? You'll need some experience in basic networking if you suspect MTU isues. Ideally you fix fragmentation by tuning MTU params based on the actual link abilities of your transport
21:24 < pekster> Basically, send a max-sized packet (use your favourite ping or traceroute utility with support) over the VPN link with the DF bit set and watch for fragmentation in the encapsulated (the encrypted, "outside packet") between peers. It helps to disable compression too
21:24 < pekster> (compression can make pings appear smaller than they are)
21:25 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
21:25 < pekster> See the --mtu-test in the manpage too: maybe you want to try & let that run for a bit
21:25 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:26 < pekster> That probably won't have a huge impact on speed unless your network has other problems though
21:27 < funyun> oh. i was just trying those because of what vpnHelper posted.
21:27 < funyun> to my knowledge, both networks are working fine
21:28 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:29 < pekster> Depends on where the bottleneck is; CPU is a common one (and missing from that factoid.)
21:29 < pekster> !forget speed
21:29 <@vpnHelper> Joo got it.
21:29 < pekster> !forget speed *
21:29 <@vpnHelper> Error: There is no such factoid.
21:29 < pekster> !learn speed as Having speed problems? The following suggestions may help.
21:29 <@vpnHelper> Joo got it.
21:29 < pekster> !learn speed as OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded)
21:29 <@vpnHelper> Joo got it.
21:29 < pekster> !learn speed as Prefer UDP over TCP (see !tcp)
21:29 <@vpnHelper> Joo got it.
21:30 < pekster> !learn speed as MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues
21:30 <@vpnHelper> Joo got it.
21:30 < pekster> !learn speed as iface txqueuelen often needs to be >100 on fast and/or latent links
21:30 <@vpnHelper> Joo got it.
21:30 < pekster> !learn speed as latenty/slow links don't magically get better with openvpn
21:30 <@vpnHelper> Joo got it.
21:30 < pekster> !learn speed as less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
21:30 <@vpnHelper> Joo got it.
21:30 < pekster> </spam>
21:30 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Ping timeout: 264 seconds]
21:30 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:30 < pekster> I should wikify that after less wine :)
21:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:34 < funyun> just incase i'm already at max speed. does this sound normal to you? my dedicated server is located in canada with 1Gbit up/down. i'm located in Ohio (USA) and my connection is 50Mbit down. speedtest with the vpn on is 30Mbit
21:34 < funyun> ovh dedicated server if that help
21:34 < funyun> s
21:35 < pekster> Sound plausable. OpenVPN crypto is done in userland (not in-kernel, like eg: IPSec.) This means that you usually run into CPU limits before anything else unless both ends do hw-accel
21:36 < funyun> by cpu limits do you mean the computer/server is slow based on HW?
21:36 < pekster> Depends on your hardware and where the real bottleneck is
21:36 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
21:36 < funyun> on both client and server the cpu specs are very high
21:40 -!- lambda [~lambda@gateway/tor-sasl/lambda] has quit [Quit: lambda]
21:41 < pekster> Might just be the link. 50 to 30 is more believable than CPU limits, but it depends a lot on what's actually happening. Theory does no good without data to back it up
21:41 < pekster> !gigabit
21:41 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
21:41 < pekster> Some ideas there, but if you "pay for" 50Mbps, you're not likely to _actually_ see it
21:48 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:52 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
21:52 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:53 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:54 -!- funyun [~temp@ns236132.ip-192-99-21.net] has quit [Ping timeout: 255 seconds]
21:55 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 255 seconds]
21:55 -!- michaelhart_ is now known as michaelhart
21:55 < funyun_> pekster: i tried "openvpn --dev tun --proto udp --tun-mtu 6000 --fragment 0 --mssfix 0 server.conf" and get this http://pastebin.com/nKeEZnVk. am i on the right path?
21:56 < jibcage> I've changed my key size to 2048. How do I tell openvpn not to route all of my traffic through it?
21:59 < funyun_> pekster: or do i just add tun-mtu 6000 to the configs?
22:00 < pekster> funyun_: You can't do that unless your link supports it (do you have a 6k MTU path to OVH or w/e?)
22:00 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
22:00 < pekster> jibcage: That's the default behavior. ie: don't use --redirect-gateway
22:00 < jibcage> pekster: what option is that in the conf file?
22:01 < pekster> --redirect-gateway
22:01 < pekster> !man
22:01 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
22:01 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:01 < jibcage> -bash: man: command not found
22:03 < jibcage> The online man page says nothing about configuration file syntax either :/
22:03 < pekster> Your *nix is busted
22:03 < pekster> If you don't have man you should go use a real system, or the helpful web link you were just given
22:03 < jibcage> My question is, is there an explicit way to tell openvpn not to do this in the configuration file
22:04 < pekster> Don't tell it to do it
22:04 < pekster> Then it won't do it
22:04 < pekster> What you describe is _NOT_ what openvpn does. You _MUST_ _TELL_ it to do that
22:04 < pekster> Not sure how that can be any more clear
22:04 < pekster> s/does/does by default/
22:05 < pekster> Or do you mean you don't control the remote end and it's being pushed to you? (it would help a lot if you explained that instead of expecting me to guess, if that's the case
22:05 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:06 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:06 < jibcage> Yes, it's being pushed by the server. Is there a way that I can get one specific client to do this?
22:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:06 < jibcage> err, to not do this
22:07 -!- funyun [~temp@ns236132.ip-192-99-21.net] has joined #openvpn
22:08 < pekster> It'll require a bit of effort, but yes. Read about --route-nopull or --route-noexec . Note that use of either requires you to handle any routes you do want yourself
22:09 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Remote host closed the connection]
22:11 -!- funyun [~temp@ns236132.ip-192-99-21.net] has quit [Read error: Connection reset by peer]
22:12 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
22:12 -!- funyun [~temp@ns236132.ip-192-99-21.net] has joined #openvpn
22:13 < funyun> pekster: can i pm you to ask something that might not be allowed in channel?
22:13 < pekster> Go for it
22:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:17 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:18 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:32 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
22:41 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:49 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
22:54 -!- mapps [map@cpc15-woki7-2-0-cust887.6-2.cable.virginm.net] has joined #openvpn
22:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
23:11 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:19 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
23:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:31 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
23:39 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:44 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
23:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
23:58 -!- Guest53070 [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
23:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
--- Day changed Fri Mar 14 2014
00:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
00:09 < nlb> is there anyway to specify which tun interface is bound to a specific .conf file?
00:11 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:18 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
00:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:27 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
00:34 -!- Guest22512 [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 264 seconds]
00:42 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:59 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:04 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
01:15 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
01:16 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:19 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:19 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
01:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:27 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
02:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:14 -!- al_nz1 [~Ali_nz1@122.58.81.50] has joined #openvpn
02:15 < al_nz1> I am not sure if this is to do with my openvpn config or the static route on the router, but I am finding I cant access clients behind the server (yes IP forwarding is enabled and I have pushed the route, and put a static route in the router)
02:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
02:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:25 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
02:28 -!- Hes [wel0ji4t@tunkki.fi] has quit [Ping timeout: 264 seconds]
02:28 -!- Hes [bJm9VGae@tunkki.fi] has joined #openvpn
02:33 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 264 seconds]
02:40 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
02:44 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
02:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:51 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
02:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:56 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:56 -!- indy [~indy@fantomas.bestit.cz] has quit [Read error: Operation timed out]
02:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
03:01 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
03:02 < al_nz1> you about krzee?
03:04 -!- mattock_afk is now known as mattock
03:11 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
03:12 -!- indy is now known as rescator
03:12 -!- rescator is now known as indy
03:20 -!- Ali_nz2 [~Ali_nz1@203.109.206.199] has joined #openvpn
03:21 -!- al_nz1 [~Ali_nz1@122.58.81.50] has quit [Ping timeout: 255 seconds]
03:22 -!- al_nz1 [~Ali_nz1@203.109.206.199] has joined #openvpn
03:24 -!- Ali_nz2 [~Ali_nz1@203.109.206.199] has quit [Ping timeout: 240 seconds]
03:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:30 -!- al_nz1 [~Ali_nz1@203.109.206.199] has quit []
03:37 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
03:39 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
03:42 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:46 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
03:46 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
03:46 -!- mode/#openvpn [+o novaflash] by ChanServ
03:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
04:02 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:02 -!- zumochi [~zumochi@ks387752.kimsufi.com] has joined #openvpn
04:05 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:10 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 264 seconds]
04:11 -!- nightcracker [~nightcrac@535511B1.cm-6-6a.dynamic.ziggo.nl] has quit [Quit: Ik ga weg]
04:19 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
04:26 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
04:26 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:28 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
04:32 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
04:44 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
04:52 -!- Devastatr [~devas@177.18.197.212] has joined #openvpn
04:52 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
05:15 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
05:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
05:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:28 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
05:36 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
05:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:39 -!- dazo_afk is now known as dazo
05:49 -!- zumochi [~zumochi@ks387752.kimsufi.com] has quit [Quit: bbl]
05:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
05:54 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:59 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
06:06 < ACKNAK> Is there any popular tools for stress testing openvpn? I've found "perftest" but uses Amazon EC2 virtual machines, I do not have it.
06:07 < ACKNAK> I have not found docs for that tool yet and Readme could be more informative =/
06:08  * ACKNAK back to googling
06:09 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
06:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:21 -!- Devastatr [~devas@177.18.197.212] has quit [Changing host]
06:21 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
06:21 -!- Devastatr is now known as Devastator
06:22 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
06:26 -!- snappy [nipnop@unaffiliated/snappy] has quit [Ping timeout: 245 seconds]
06:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
06:35 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
06:41 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:48 -!- mapps [map@cpc15-woki7-2-0-cust887.6-2.cable.virginm.net] has quit [Ping timeout: 255 seconds]
06:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
06:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:02 -!- TuxFighter [TuxFighter@pD9E104F5.dip0.t-ipconnect.de] has joined #openvpn
07:02 < TuxFighter> Hi guys, I just downloaded the new OpenVPN client for windows, but I can find the directory where to place the client.conf
07:03 < TuxFighter> Is there still a client.conf, I hope so, because the client gui is now a bit more casualö
07:05 < TuxFighter> ah ok it seems I can import the config via import profile
07:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:11 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:11 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 255 seconds]
07:13 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
07:15 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
07:21 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
07:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:30 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:32 -!- Guest53070 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:34 -!- takamich_ [~takamichi@85.12.8.15] has joined #openvpn
07:35 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
07:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
07:39 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:39 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:40 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
07:41 -!- takamich_ [~takamichi@85.12.8.15] has quit [Ping timeout: 240 seconds]
07:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
07:50 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out]
07:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:54 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
08:00 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:12 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 255 seconds]
08:14 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
08:16 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
08:22 -!- TuxFighter [TuxFighter@pD9E104F5.dip0.t-ipconnect.de] has quit []
08:29 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
08:37 -!- makara [~makara@41.164.22.218] has joined #openvpn
08:44 -!- Neozonz [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
08:44 -!- Neozonz is now known as Guest46268
09:05 -!- funyun [~temp@ns236132.ip-192-99-21.net] has quit [Ping timeout: 255 seconds]
09:07 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
09:08 -!- takamichi [~takamichi@ks357561.kimsufi.com] has joined #openvpn
09:09 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
09:10 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:13 -!- takamichi [~takamichi@ks357561.kimsufi.com] has quit [Ping timeout: 240 seconds]
09:17 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
09:19 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
09:23 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:24 -!- Guest46268 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
09:26 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 240 seconds]
09:30 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:32 -!- alphis [~rage@unaffiliated/alphis] has joined #openvpn
09:33 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-suipoxbrirkttquo] has joined #openvpn
09:33 < alphis> anyone know why a windows client (win8) running openvpngui can successfully connect to a vpn server running on linux but can't ping the 10.8.0.1 address?
09:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
09:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:46 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
09:46 < alphis> or connect to anything at all
09:46 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds]
09:46 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:46 -!- dvl__ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
09:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:47 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
09:51 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
09:53 -!- takamichi [~takamichi@83.170.117.176] has joined #openvpn
09:56 -!- takamichi [~takamichi@83.170.117.176] has quit [Read error: Operation timed out]
09:59 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
10:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:03 <@ecrist> alphis: firewall, generally
10:03 <@ecrist> or bad routing
10:04 <@ecrist> odds are, your firewall on the vpnserver isn't allowing connections to the VPN ip range
10:06 < alphis> ecrist: i disabled firewall completely same deal
10:07 <@ecrist> !configs
10:07 <@ecrist> !logs
10:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:07 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:07 < alphis> the log doesn't seem to have any particular error
10:07 <@ecrist> let me be the judge of that
10:07 < alphis> i dont have access to it so i will have to check again later
10:07 <@ecrist> ok
10:07 <@ecrist> need both client and server logs and configs
10:07 < alphis> im thinking routing might be an issue too
10:07 < alphis> sure i can provide both
10:07 <@ecrist> also, make sure you're running openvpn as an admin on the windows machine
10:07 < alphis> soon as i get back to that machine ill pastebin
10:08 < alphis> yeah def.
10:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:12 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:13 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:36 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:39 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:40 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
10:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:49 -!- mattock is now known as mattock_afk
10:49 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
10:50 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
11:00 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Quit: Leaving]
11:03 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
11:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:27 -!- elfixit1 [~Icedove@145-228.197-178.cust.bluewin.ch] has joined #openvpn
11:33 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
11:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
11:37 -!- elfixit1 [~Icedove@145-228.197-178.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
11:42 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:44 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
11:45 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
12:05 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
12:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:07 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has joined #openvpn
12:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-suipoxbrirkttquo] has quit [Quit: Connection closed for inactivity]
12:11 -!- karsten [~karsten@ip-176-199-81-39.unitymediagroup.de] has joined #openvpn
12:11 < karsten> hello
12:12 < karsten> would somebody help to add a route through my tun0 vpn adapter? connection is stable and i can ping the server, would now like route my internet traffic
12:13 < karsten> 0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth0
12:13 < karsten> 10.10.10.0      10.10.10.5      255.255.255.0   UG    0      0        0 tun0
12:13 < karsten> 10.10.10.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
12:13 < karsten> (vpn-server)  192.168.178.1   255.255.255.255 UGH   0      0        0 eth0
12:13 < karsten> 192.168.178.0   0.0.0.0         255.255.255.0   U     1      0        0 eth0
12:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:15 < karsten> i have delete the default route and tried to add a default route tun0  but then I get SIOCADDRT: Das Netzwerk ist nicht erreichbar
12:15 < karsten> what I do wrong?
12:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
12:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:22 < alphis> side note. when i use openvpn on a linux client i can clearly see tun or tap depending on the type of vpn server i am using. with windows it seems to be always tap or something. is there a way to determine if windows is using tun vs tap
12:27 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Ping timeout: 252 seconds]
12:27 -!- michaelhart_ [~michaelha@192.237.177.15] has joined #openvpn
12:27 -!- karsten [~karsten@ip-176-199-81-39.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
12:28 < le0> hi all. will openvpn parse command line input in addition to a --config file if both are configured?
12:28 < le0> this is for client connections and im using a debian client system
12:29 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Remote host closed the connection]
12:32 <@plai> le0: yes
12:32 < le0> cool
12:32 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has quit [Quit: Bye.]
12:33 <@plai> You can actually put config otherconfig
12:33 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
12:33 <@plai> in a config
12:33 < le0> i have written a webui for a VM i have created, and passing additonal parameters such as proxy settings would make life simpler if i could pass on command line
12:33 < le0> oO ic. i will go read
12:33 < le0> thanks plai
12:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:38 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
12:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
12:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:57 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
13:04 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
13:11 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yvzlongirdbhfslq] has joined #openvpn
13:15 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has joined #openvpn
13:16 < pr0t> I have openvpn going it allows me to get to 10.1.0.0/16 I added another network 10.2.0.0/16 what would be the easiest way to have openvpn route for that network
13:18 -!- Neozonz|Discx2 [~arajakul@unaffiliated/neozonz] has joined #openvpn
13:19 < Neozonz|Discx2> I'm setting up a vpn but my client and remote pc cannot connect, see https://gist.github.com/arajakul/451296a12611e904ee06 for config... any help appreciated
13:19 < dvl__> I was reading a post this morning about various NSA VPN exploits, but they all seemed to center around IKE and H.323
13:19 <@vpnHelper> Title: gist:451296a12611e904ee06 (at gist.github.com)
13:19 -!- dvl__ [~dvl@pdpc/supporter/active/dvl] has left #openvpn []
13:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:39 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
14:11 <@dazo> pr0t: use the --route config option
14:12 <@dazo> Neozonz|Discx2: that's not openvpn config
14:12 <@dazo> !notovpn
14:12 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:15 -!- dazo is now known as dazo_afk
14:20 -!- master_o1_master [~master_of@p4FD7B6AE.dip0.t-ipconnect.de] has joined #openvpn
14:22 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
14:23 -!- master_of_master [~master_of@p4FF2451B.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
14:24 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
14:25 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
14:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:35 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:40 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:41 -!- michaelhart_ [~michaelha@192.237.177.15] has quit [Quit: michaelhart_]
14:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer]
14:55 -!- mikemol [~mikemol@2001:470:c5b9:beef:6cab:79cf:4531:191] has joined #openvpn
14:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
14:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:02 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
15:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
15:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:23 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
15:23 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
15:25 -!- alphis [~rage@unaffiliated/alphis] has quit [Ping timeout: 240 seconds]
15:28 -!- alphis [~rage@unaffiliated/alphis] has joined #openvpn
15:36 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:42 -!- funyun_ [~temp@ns236132.ip-192-99-21.net] has joined #openvpn
15:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
15:46 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:47 -!- pr0t [~pr0t@PSDNCABTNS001.cpe.twtelecom.net] has quit [Quit: Ex-Chat]
15:49 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:50 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
15:53 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:53 -!- wildcat [~tomh@unaffiliated/wildcat] has left #openvpn []
15:53 -!- alphis [~rage@unaffiliated/alphis] has quit [Read error: Operation timed out]
15:55 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-nekksikikbvjzdgo] has joined #openvpn
16:07 -!- Guest53070 [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 240 seconds]
16:14 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
16:16 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:16 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:17 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:17 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:17 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:21 -!- alphis [~rage@unaffiliated/alphis] has joined #openvpn
16:21 -!- Thermi was kicked from #openvpn by Eugene [excess excess flood]
16:22 -!- s0meone is now known as someone
16:25 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
16:35 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 255 seconds]
16:41 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
16:42 -!- alphis_ [~rage@5.254.138.90] has joined #openvpn
16:47 -!- alphis [~rage@unaffiliated/alphis] has quit [Ping timeout: 442 seconds]
16:47 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
16:49 -!- Cr4zi3 [~killaz@76.74.171.253] has quit [Ping timeout: 258 seconds]
16:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:51 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
16:54 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
16:55 -!- funyun_ is now known as funyun
16:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 240 seconds]
16:56 < Elrond> google doesn't like me. Is there a recommended way to rename the tun0 interfaces?
16:57 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
17:02 -!- Neozonz|Discx2 [~arajakul@unaffiliated/neozonz] has quit [Ping timeout: 240 seconds]
17:07 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
17:07 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
17:13 <@Eugene> rename how?
17:15 < Elrond> Eugene - Either to a defined name, or at least to the name of the vpn config?
17:15 < Elrond> This will make firewall config easier. Because I don't have to guess on tun0 or tun1, etc.
17:16 -!- joshh20-Away is now known as joshh20
17:18 <@Eugene> nothing in openvpn for it. you can specify a particular run device in your config
17:18 <@Eugene> or man ifrename
17:18 -!- alphis_ is now known as alphis
17:19 -!- alphis [~rage@5.254.138.90] has quit [Changing host]
17:19 -!- alphis [~rage@unaffiliated/alphis] has joined #openvpn
17:19 < Elrond> Eugene - So ifrename is the recommended tool?
17:19 <@Eugene> renaming interfaces is silly IMO. but sure, its a recommendation
17:19 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
17:19 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-nekksikikbvjzdgo] has quit [Ping timeout: 240 seconds]
17:19 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
17:20 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
17:20 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:20 -!- Hes [bJm9VGae@tunkki.fi] has quit [Ping timeout: 240 seconds]
17:20 < Elrond> Eugene - Why is it silly?
17:20 -!- Hes [WIS@tunkki.fi] has joined #openvpn
17:20 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wylntmdkudtsvalv] has joined #openvpn
17:21 <@Eugene> it's a lot of bother for no benefit
17:21 < Elrond> Well, how do I have multiple openvpns on my server. How do I stop them from changing the interface names?!
17:22 <@Eugene> by specifying a --device tun0
17:22 < Elrond> Hmm.
17:23 < Elrond> If you have a lot of them, this is going to be messy.
17:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:23 <@Eugene> And that's why you draw a paycheck
17:24 < Elrond> I draw my paycheck for something else, really.
17:25 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yvzlongirdbhfslq] has quit [Ping timeout: 240 seconds]
17:27 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-krbnifftftoblqxa] has joined #openvpn
17:40 < alphis> hey guys
17:41 < alphis> so i have logs if that helps but my windows machine which successfully connects to my linux vpn server can't ping anything
17:41 < alphis> and logs indicate SUCCESSFUL route.exe so plz scratch that assumption
17:41 < alphis> if anyone has any idea why this could be happening i'd be interested
17:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 240 seconds]
17:47 -!- alphis [~rage@unaffiliated/alphis] has left #openvpn []
17:48 -!- alphis [~rage@unaffiliated/alphis] has joined #openvpn
17:49 < Elrond> alphis - Does the server give out an ip to the client?
17:50 < alphis> yup
17:50 < alphis> pasting... sec
17:50 < Elrond> alphis - And I guess, you tried pinging the other part of the /30 from client?
17:50 < Elrond> alphis - Please use paste.kde.org or something.
17:52 < alphis> http://pastebin.com/wVi1mCYP
17:52 < alphis> this is server log
17:52 < alphis> i have windows log too but
17:52 < alphis> i mean i guess i can paste that too
17:52 < alphis> i tried to ping 10.8.0.1 and 10.8.0.5
17:53 < alphis> i noticed in the network config on the windows box there was no ipv4 gateway set so i set it to the same as the dhcp server which was 10.8.0.5 manually. same crap
17:54 < Elrond> For gateway, you need some push commands and the like.
17:54 < Elrond> I'd start with a split config first.
17:54 < alphis> well this SAME config
17:54 < alphis> on my crappy android phone
17:54 < alphis> works perfectly
17:54 < alphis> with 0 problems
17:55 < Elrond> Then I have no real idea, if it works on android. Seems like it's a windows issue.
17:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
17:56 < alphis> which was my first observation
17:56 < alphis> so now im trying to figure out why openvpn-gui on windows doesn't seem to be working
17:57 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
18:05 < alphis> think its related at all to the fact that the windows adapter in openvpn is called TAP instead of TUN?
18:06 < Elrond> I think, it's call tap, but it is tun-style device in linux lingua.
18:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:06 < Elrond> But I don't know anything about windows and openvpn.
18:06 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
18:07 < alphis> ic
18:07 < alphis> sigh. yeah its a bit annoying. i usually use openvpn on linux myself
18:07 < alphis> but since i have this laptop itd be nice to get it on the vpn too. its a win8 machine
18:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:10 < Elrond> *duck* Install linux. ;)
18:11 < Elrond> You have remembered to start the gui with admin privs?
18:12 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
18:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 265 seconds]
18:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:30 <@Eugene> nO, IT'S GOT NOTHING TO DO WITH TAP/TUN
18:31 <@Eugene> Random unexplainable issues "with windows" tend to come down to three basic categories: you're an idiot; you have some bullshit GPOs restricting the driver, or you're REALLY an idiot and installed v2.0.9 from openvpn.se
18:32 <@Eugene> !logs`
18:32 <@Eugene> !logs
18:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:37 -!- a [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
18:38 -!- a is now known as Guest65525
18:40 < alphis> Eugene: i've determined the problem to be serverside config issue so chill out. i never said its tap/tun i was just asking if something that is supposed to be TUN is labeled TAP in windows was normal
18:41 <@Eugene> br0tip: don't tell the free support guys to "chill out" when it's your own incompetence at fault, and you're claiming that free software "is annoying"
18:41 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
18:41 < alphis> i never said anything bad about openvpn or free software
18:41 < alphis> nor did i say it was annoying i've from the beginning speculated it was a windows issue
18:41 < alphis> i've had this working with linux clients with no problem
18:41 <@Eugene> <alphis> sigh. yeah its a bit annoying. i usually use openvpn on linux myself
18:41 -!- alphis was kicked from #openvpn by Eugene [Fuck off]
18:42 <@Eugene> br0tip #2: don't feed me bullshit
18:43 -!- mspah_ [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
18:44 -!- Netsplit *.net <-> *.split quits: catsup, jzaw, JackWinter, mikemol, Eagleman, AL13N_work, [diecast], Gman32, Cr4zi3, @novaflash,  (+3 more, use /NETSPLIT to show all of them)
18:46 -!- Netsplit over, joins: Gman32
18:47 -!- jzaw_ [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:47 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:48 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
18:48 -!- XJR-9 [XJR-9@pdpc/supporter/active/xjr-9] has quit [Killed (morgan.freenode.net (Nickname regained by services))]
18:48 -!- XJR-9_ is now known as XJR-9
18:48 -!- mikemol [~mikemol@2001:470:c5b9:beef:6cab:79cf:4531:191] has joined #openvpn
18:49 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
18:49 -!- justinzane_ [~justinzan@tiny.justinzane.com] has joined #openvpn
18:50 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
18:51 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
18:51 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
18:51 -!- phreakoct [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
18:52 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
18:52 -!- Tyklol [tykling@gibfest.dk] has joined #openvpn
18:53 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
18:54 -!- mikemol [~mikemol@2001:470:c5b9:beef:6cab:79cf:4531:191] has quit [Ping timeout: 255 seconds]
18:55 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
18:55 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
18:55 -!- justinzane_ [~justinzan@tiny.justinzane.com] has quit []
18:56 -!- Netsplit *.net <-> *.split quits: elfixit, svg, mspah_, troj, Brando753, phreakocious, miruoy, goldkatze, rizz_, Tykling,  (+8 more, use /NETSPLIT to show all of them)
18:56 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
18:56 -!- Brando753-o_O_o is now known as Brando753
18:56 -!- mikemol [~mikemol@2001:470:c5b9:beef:115f:2eb0:b5cf:3b86] has joined #openvpn
18:57 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
18:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wylntmdkudtsvalv] has quit [Quit: Connection closed for inactivity]
18:58 -!- Netsplit over, joins: akurilin
18:59 -!- ljvb_ [~jason@us.vps.vanbrecht.com] has joined #openvpn
19:01 -!- treshoem1 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
19:01 -!- buntfalke [~nobody@unaffiliated/goldkatze] has joined #openvpn
19:01 -!- HectorBarbossa_ [uid7850@gateway/web/irccloud.com/x-gylqxdhmgvzjyakf] has joined #openvpn
19:01 -!- GrecKo_ [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
19:02 -!- JackWinter is now known as 6JTAACZS8
19:02 -!- 21WAADKZA [~james@184.164.154.186] has joined #openvpn
19:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:02 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
19:03 -!- Jeroen [~quassel@2001:41d0:1:9592::1] has joined #openvpn
19:03 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Disconnected by services]
19:03 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
19:03 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-orycbylglqbbwtap] has joined #openvpn
19:03 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
19:03 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
19:04 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
19:04 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-aloqdvxmpkqdbuox] has joined #openvpn
19:04 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
19:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:05 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has joined #openvpn
19:07 -!- emid [~emid@192.241.162.156] has joined #openvpn
19:07 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
19:07 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
19:07 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
19:07 -!- rizz_ [~riz@23.92.60.131] has joined #openvpn
19:07 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:08 -!- Martin`_ [martin@shell.ipv6.octocore.net] has joined #openvpn
19:08 -!- supergauntlet_ [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has joined #openvpn
19:08 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
19:09 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
19:10 -!- svg is now known as 21WAADLZW
19:10 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-krbnifftftoblqxa] has quit [Ping timeout: 246 seconds]
19:10 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 246 seconds]
19:10 -!- svg [~svg@213.138.109.172] has joined #openvpn
19:10 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 246 seconds]
19:10 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 246 seconds]
19:10 -!- treshoem [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 246 seconds]
19:10 -!- ben1066_ [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
19:10 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 246 seconds]
19:10 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 246 seconds]
19:10 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 246 seconds]
19:10 -!- Su7_ [~demerzel@2001:41d0:a:16::1] has quit [Ping timeout: 246 seconds]
19:10 -!- james41382 [~james@unaffiliated/james41382] has quit [Write error: Connection reset by peer]
19:10 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 246 seconds]
19:10 -!- 6JTAACZS8 [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 246 seconds]
19:10 -!- jzaw_ [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
19:10 -!- cripto [~joubin@li131-215.members.linode.com] has quit [Ping timeout: 246 seconds]
19:10 -!- Jeroen52 [~quassel@2001:41d0:1:9592::1] has quit [Ping timeout: 246 seconds]
19:10 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Ping timeout: 246 seconds]
19:10 -!- red_racer12__ [sid20963@gateway/web/irccloud.com/x-vbbjcaaogyhpkvqr] has quit [Ping timeout: 246 seconds]
19:10 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-njnhefjxormfjtye] has quit [Ping timeout: 246 seconds]
19:10 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 246 seconds]
19:10 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 246 seconds]
19:10 -!- svg [~svg@213.138.109.172] has quit [Ping timeout: 246 seconds]
19:10 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 246 seconds]
19:10 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 246 seconds]
19:10 -!- __FBi [B@2a00:d880:3:1::d93:a8cb] has joined #openvpn
19:10 -!- 21WAADLZW is now known as svg
19:10 -!- Martin`_ is now known as Martin`
19:10 -!- HectorBarbossa_ is now known as HectorBarbossa
19:11 -!- rizz_ [~riz@23.92.60.131] has quit [Read error: Connection reset by peer]
19:11 -!- dogewaat_ is now known as dogewaat
19:11 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
19:11 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
19:11 -!- red_racer12___ is now known as red_racer12__
19:12 -!- cripto [~joubin@li131-215.members.linode.com] has joined #openvpn
19:12 -!- rizz_ [~riz@23.92.60.131] has joined #openvpn
19:13 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
19:16 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Ping timeout: 240 seconds]
19:18 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
19:21 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
19:21 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
19:25 -!- lambda [~lambda@gateway/tor-sasl/lambda] has joined #openvpn
19:26 -!- snappy [nipnop@wbml.net] has joined #openvpn
19:26 -!- snappy [nipnop@wbml.net] has quit [Changing host]
19:26 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
19:26 -!- Netsplit *.net <-> *.split quits: m01_, novaflash, emid, dos-freak
19:30 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
19:31 -!- Netsplit over, joins: emid
19:35 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
19:35 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
19:35 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
19:37 -!- __FBi [B@2a00:d880:3:1::d93:a8cb] has quit [Ping timeout: 246 seconds]
19:37 -!- ___FBi [B@dont.uwantmy.info] has joined #openvpn
19:41 -!- hashstash [~quite@ob.noxio.us] has joined #openvpn
19:43 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
19:44 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
19:44 -!- hashstash [~quite@ob.noxio.us] has quit [Client Quit]
19:44 -!- funnel [~funnel@unaffiliated/espiral] has quit [Write error: Broken pipe]
19:44 -!- rizz_ [~riz@23.92.60.131] has quit [Ping timeout: 372 seconds]
19:45 -!- Cr4zi3 [guessswh0@staff.xbins.org] has joined #openvpn
19:46 -!- rizz_ [~riz@23.92.60.131] has joined #openvpn
19:47 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 252 seconds]
19:47 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:50 -!- justinzane [~justinzan@24.49.207.112] has joined #openvpn
19:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
19:56 -!- buntfalke [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
19:57 -!- justinzane [~justinzan@24.49.207.112] has quit []
20:01 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:16 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
20:19 -!- al_nz1 [~Ali_nz1@203.109.206.199] has joined #openvpn
20:19 -!- __raven_ [~raven@dslb-094-216-205-178.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
20:21 -!- joshh20 is now known as joshh20-Away
20:22 -!- __raven_ [~raven@dslb-094-216-076-157.pools.arcor-ip.net] has joined #openvpn
20:22 < al_nz1>  Hi All
20:22 < al_nz1>  Hope someone can help. Problem is that I have setup a vpnserver behind a router. I can connect to the vpn server and even clients behind the server having first put in a NAT rule on the vpnserver.
20:22 < al_nz1> The problem is I can only access the server on its VPN IP (tun0 IP) not its eth0 (lan IP)
20:23 < al_nz1> this is really annoying
20:23 < al_nz1> is there a way to fix this? adding a route perhaps?
20:24 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
20:34 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:41 -!- lambda [~lambda@gateway/tor-sasl/lambda] has quit [Quit: lambda]
20:43 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 252 seconds]
20:45 -!- Netsplit *.net <-> *.split quits: cripto
20:55 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
21:11 -!- Ali_nz2 [~Ali_nz1@122.58.81.50] has joined #openvpn
21:13 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
21:14 -!- al_nz1 [~Ali_nz1@203.109.206.199] has quit [Ping timeout: 265 seconds]
21:19 -!- cripto [~joubin@li131-215.members.linode.com] has joined #openvpn
21:20 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
21:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:23 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
21:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
21:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
21:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
21:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
21:41 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-gylqxdhmgvzjyakf] has quit [Quit: Connection closed for inactivity]
21:55 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
21:55 <@Eugene> Routes and/or firewall.
21:55 <@Eugene> !server_lan
21:56 <@Eugene> !serverlan
21:56 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:56 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
22:06 < Ali_nz2> Im doing it via NAT
22:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:08 <@Eugene> Even more likely to be a firewall issue then
22:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
22:09 < Ali_nz2> Eugene: I have tried doing it with static route in gateway and push route = same problem
22:12 <@Eugene> Routes are not firewalls.
22:15 < Ali_nz2> well i can get to devices BEHIND the openvpn server....doesnt make sense I cant access the server itself on the lan ip
22:15 < Ali_nz2> and there is nothign in ipables - only the nat rule
22:16 <@Eugene> Hint: INPUT chain
22:16 < Ali_nz2> accept
22:16 <@Eugene> Then either you're lying about having correct routes or lying about your firewall. It's one of those two things, go figure out which.
22:16 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
22:18 < Dan39> hi im wondering about like... "forwarding ports" to openvpn. not forwarding ports for it to work. i am setting it up on a server in DC, but since i only have 1 IP on the server, i assume by default connections will only be made outgoing. so how can i have a listening service on the vpn? figure id have to somehow forward ports on the box to go thru the vpn
22:20 <@Eugene> The same way you'd forward a port to any other LAN - iptables PREROUTING chain in the nat table.
22:21 < Dan39> makes sense
22:21 < Dan39> thanks
22:21 < Dan39> think i can figure it out from here
22:22 < Dan39> and yea google didnt help much, was all people wondering how to get openvpn working on thier home computers and doing port forwarding thru their home routers to get it to work:P
22:23 < Dan39> and if i get a 2nd IP for the box, i assume i can set it up for the vpn to go from that IP and then dont have to do any routing/nat?
22:23 <@Eugene> What do you mean? You want to hand out a public IP to a VPN client?
22:24 <@Eugene> You would need a subnet routed from your provider; a single IP will not do it. You can 1:1 NAT out to the vpn client tho ;-)
22:25 < Dan39> hmm
22:25 <@Eugene> Or, more sanely, use your server as a server.
22:25 < Dan39> heh
22:25 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
22:25 < Ali_nz2> Eugene: Im not lying
22:25 < Ali_nz2> it could be other things
22:25 <@Eugene> And I'm as sober as a souther baptist judge
22:26 < Dan39> well we didnt want people to know our actual server ip and what someone else had setup in past was they bought a vpn service that provided us with our own IP and then we setup openvpn on our server and everything going to the new VPN ip would go to the server
22:27 < Dan39> like we had webserver etc. running on server and it worked thru vpn so to hide the server's real IP
22:27 < Ali_nz2> well you want to log on and show me how its done?
22:28 < Ali_nz2> i mean it should be easy right?
22:30 <@Eugene> Soooo..... what you really want is a Cloudflare subscription
22:31 < Ali_nz2> nah I dont want to subscribe
22:31 < Ali_nz2> but would be happy to pay for a one off
22:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:35 -!- Ali_nz2 [~Ali_nz1@122.58.81.50] has quit []
22:41 < Dan39> Eugene: me?
22:41 < Dan39> cloudflare is expensive
22:43 -!- Jeroen is now known as Jeroen52
22:45 -!- maskedlua_ [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 265 seconds]
22:48 <@Eugene> So is your time.
22:49 <@Eugene> #firstworldproblem: the ping time on Gogo in-flight internet is too high for openvpn to establish a connection before timeout.
22:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
22:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
22:50 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
22:51 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
22:56 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
22:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
23:38 -!- harlan [~harlan@ntp/pmgr/harlan] has joined #openvpn
23:42 -!- ljvb_ is now known as ljvb
23:45 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
--- Day changed Sat Mar 15 2014
00:21 < harlan> I'm seeing a problem where I have two different sites I can connect to with openvpn.  The configs are functionally identical on both sites (different keys, different local LAN route pushes, different DNS/DOMAIN configs).  When connecting to site A everything is great - I can "work normally", DNS works, I can acces Site A's internal LANs, I can surf the net.  When I bring down that connection and connect to site B, I'm noticing that there seem to be some ro
00:21 -!- funyun [~temp@ns236132.ip-192-99-21.net] has quit [Read error: Connection reset by peer]
00:27 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
00:39 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
00:40 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:50 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
00:54 < funyun> hi. i restarted my dedicated server and now the vpn i'm running on it will not start. when i try service openvpn start i get "[FAIL] Starting virtual private network daemon: server tun0 failed!" anyone know how i can get more info or fix this?
00:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:03 <@Eugene> !logs
01:03 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
01:03 <@Eugene> !logfile
01:03 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
01:11 < harlan> so I have to restart openvpn with cranked debugging in the config file, in my case probalby specifically related to packet routing, right>?
01:12 < harlan> or was that only for funyun ?
01:12 <@Eugene> the latter.
01:12 < harlan> 'k, th
01:12 < harlan> thx
01:13 <@Eugene> you got cut off at "seems to be some"
01:14 < harlan> ... routing issues on the box.  How can I do some debugging or logging to figure out what's going on?
01:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
01:17 < funyun> Eugene: where's the log files in linux?
01:19 -!- levifig_ [sid1908@gateway/web/irccloud.com/x-zzinpeunvbijhfuk] has quit [Ping timeout: 255 seconds]
01:19 -!- viperZ28_ [sid11066@gateway/web/irccloud.com/x-iftptqiqmpcytbzx] has quit [Ping timeout: 245 seconds]
01:19 -!- red_racer12__ [sid20963@gateway/web/irccloud.com/x-orycbylglqbbwtap] has quit [Ping timeout: 264 seconds]
01:20 < funyun> Eugene: http://pastebin.com/BrL3GjKf
01:20 -!- dogewaat [uid3966@gateway/web/irccloud.com/x-aloqdvxmpkqdbuox] has quit [Ping timeout: 265 seconds]
01:21 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 265 seconds]
01:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:33 < funyun> Eugene: http://pastebin.com/BMeXxTex
01:34 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
01:34 -!- XJR-9_ is now known as XJR-9
01:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
01:35 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:38 <@Eugene> on a ferry currently. if you're patient somebody else will take a look eventually
01:40 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-oduqfvnznllrdgwf] has joined #openvpn
01:42 < funyun> okay
01:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
02:01 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:53 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
03:03 -!- funyun [~temp@75.98.236.75] has joined #openvpn
03:22 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
03:24 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has joined #openvpn
03:25 < AGinsberg> "Authenticate/Decrypt packet error: packet HMAC authentication failed" Anyone know why I might be getting this?
03:25 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
03:28 -!- funyun [~temp@75.98.236.75] has quit [Ping timeout: 252 seconds]
03:32 < BtbN> because your mitm screwed up
03:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
03:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:50 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has quit [Ping timeout: 265 seconds]
03:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
03:56 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has joined #openvpn
03:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:02 < funyun_> BtbN: me?
04:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
04:10 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:15 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-ladgqssgiocjqfxp] has joined #openvpn
04:15 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
04:15 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
04:32 -!- atmosx [~osx@217.70.broadband4.iol.cz] has joined #openvpn
04:32 < atmosx> hello
04:32 < atmosx> can I somehow manage to make openvpn startup at boot on windows 8?
04:32 < atmosx> with no guis etc
04:33 < atmosx> ah never mind found a guide
04:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:40 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
04:40 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
04:40 -!- mode/#openvpn [+o novaflash] by ChanServ
04:40 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has quit [Ping timeout: 265 seconds]
04:41 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has joined #openvpn
04:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:46 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
04:48 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:52 -!- __raven_ is now known as __raven
04:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
05:01 < atmosx> any way I can find the name of my local TAP adapter
05:01 < atmosx> ? MyTap TAP Tap doesn't work
05:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:14 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
05:18 < harlan> how do I tell openvpn that I want to see all the D_CLIENT_NAT messages, for example?
05:19 -!- levifig_ [sid1908@gateway/web/irccloud.com/x-qblhonkofdsmpoui] has joined #openvpn
05:21 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-tthgaakxvakkyrbx] has joined #openvpn
05:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:33 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has quit [Ping timeout: 265 seconds]
05:34 -!- funyun_ is now known as funyun
05:34 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has joined #openvpn
05:38 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 265 seconds]
05:44 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:47 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
05:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:49 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-gnoirwmgszkftelz] has joined #openvpn
05:51 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
05:54 -!- hydrajum_ [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 264 seconds]
05:57 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
06:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
06:37 -!- mikemol [~mikemol@2001:470:c5b9:beef:115f:2eb0:b5cf:3b86] has quit [Ping timeout: 255 seconds]
06:40 -!- mikemol [~mikemol@2001:470:c5b9:beef:115f:2eb0:b5cf:3b86] has joined #openvpn
06:43 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:46 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wznbdinchwbeobrb] has joined #openvpn
06:49 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
06:49 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:51 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:56 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
06:57 < maodun> i'm trying to obfuscate my traffic to make it more resilient to blocking (i'm using a custom patch to tweak the traffic data). what's a good port to communicate on?
06:58 < maodun> i was previously talking on 443, but it seems like pretty simple rules could see that obfuscated openvpn traffic looks different from https traffic
06:59 < BtbN> propperly encrypted traffic looks like a stream of random numbers
07:00 < maodun> doesn't openvpn have some pretty identifiable handshakes though? and wouldnt vpn traffic look pretty different than https in terms of… i'm not sure, frequency, volume, etc?
07:01 < maodun> i dont know enough about what goes on when the connections are made to be able to speak with certainly, but i figured it should be pretty transparent whether or not someone is actually using https on 443 vs some other weird type of traffic
07:02 < BtbN> Why should a ssl handshake looks diffrent when another program does it?
07:04 <@plai> maodun: yes the handshake is identifiable
07:04 <@plai> you can use --static for complete randomness
07:05 -!- makara [~makara@105-208-254-141.access.mtnbusiness.co.za] has joined #openvpn
07:05 <@plai> but you loose PFS in the process
07:08 < maodun> plai: I see. I'm looking for the static flag definition
07:08 < maodun> https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
07:08 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
07:08 <@plai> maodun: err, sorry --secret
07:09 < maodun> plai: thanks
07:09 <@plai> there are projects like obfsproxy
07:10 <@plai> but there is no obfucstation included in OpenVPN
07:10 <@plai> and there is little sense in including an obfuscation in the official OpenVPN sinc that is basically a cat and mice race
07:11 < maodun> I figured as much
07:12 < maodun> what is it about using —secret that makes the handshakes un(less?)identifiable?
07:13 < maodun> or alternatively, what is the most identifiable aspect of the handshake
07:13 < maodun> ah: "Another advantageous aspect of Static Key encryption mode is that it is a handshake-free protocol without any distinguishing signature or feature (such as a header or protocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eavesdropping on the wire would see nothing but random-looking data."
07:21 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:28 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
07:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:39 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
07:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
07:46 -!- atmosx [~osx@217.70.broadband4.iol.cz] has quit [Quit: Lost in trance]
07:48 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:49 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:51 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:51 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:54 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
07:56 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:56 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
07:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 253 seconds]
07:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:57 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
08:02 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
08:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:04 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
08:06 < GregB> hey guys, I'm working on creating an ovpn file. When I import it I get: "This is a static profile that will connect to %S@%S". I'd like to fix that. Does anyone know what I need to do to change that text from %S@%S to someting@something
08:25 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
08:26 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 240 seconds]
08:29 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Operation timed out]
08:32 -!- makara [~makara@105-208-254-141.access.mtnbusiness.co.za] has quit [Quit: Leaving]
08:34 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:38 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
08:39 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
08:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:41 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:49 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
08:51 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
08:52 -!- joshh20-Away is now known as joshh20
08:53 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:04 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Quit: Leaving.]
09:06 -!- buntfalke [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
09:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:35 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
09:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
09:38 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:46 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:48 -!- mode/#openvpn [+v s7r] by ChanServ
09:49 -!- Elrond [~elrond@irc.man-da.de] has left #openvpn []
09:50 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
09:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
10:07 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
10:07 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:08 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:23 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
10:41 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:44 -!- __raven [~raven@dslb-094-216-076-157.pools.arcor-ip.net] has left #openvpn ["WeeChat 0.4.1"]
10:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:59 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
11:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:26 -!- buntfalke [~nobody@unaffiliated/goldkatze] has quit []
11:31 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 264 seconds]
11:31 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
11:36 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:38 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
11:38 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:40 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
11:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
11:43 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:46 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Ping timeout: 265 seconds]
11:56 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:06 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:39 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
12:53 -!- root___ [~root@static.2.52.9.5.clients.your-server.de] has joined #openvpn
12:54 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 264 seconds]
12:54 < root___> hi! i have some issue with vpn, how is possible to do tun0 vpn client as a bridge for another virtual machine ?
12:54 -!- root___ is now known as edik
13:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:08 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
13:09 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:12 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wznbdinchwbeobrb] has quit [Ping timeout: 240 seconds]
13:13 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-gnoirwmgszkftelz] has quit [Ping timeout: 246 seconds]
13:14 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
13:16 -!- joshh20 is now known as joshh20-Away
13:16 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-qwmjcnqmkrlwxobw] has joined #openvpn
13:18 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
13:19 < edik> is it possible to use openvpn client as a router ?
13:20 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-svfwgvxzceeapqjg] has joined #openvpn
13:20 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
13:22 < Morley93> Just installed Access Server on my VPS and downloaded the .ovpn, but when I import that file using the NetworkManager openVPN plugin I can't save it. What am I missing?
13:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:23 < Morley93> I can do openvpn --config client.ovpn which connects the VPN so long as that terminal is running, but I want it set up in NetworkManager.
13:25 -!- Guest53070 [~klein@179.89.201.204] has joined #openvpn
13:32 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
13:35 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:35 -!- Guest53070 [~klein@179.89.201.204] has quit [Ping timeout: 252 seconds]
13:37 -!- aji [~alex@atheme/member/aji] has joined #openvpn
13:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:48 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Quit: Leaving]
13:50 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
14:02 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn ["Leaving"]
14:04 -!- Tyklol is now known as Tykling
14:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:06 -!- edik [~root@static.2.52.9.5.clients.your-server.de] has quit [Quit: Lost terminal]
14:08 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
14:09 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:18 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
14:18 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:19 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Remote host closed the connection]
14:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
14:20 -!- master_of_master [~master_of@p4FD7B946.dip0.t-ipconnect.de] has joined #openvpn
14:21 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:24 -!- master_o1_master [~master_of@p4FD7B6AE.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
14:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:29 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
14:49 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
14:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:06 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
15:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
15:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:33 -!- 21WAADKZA [~james@184.164.154.186] has quit [Quit: Leaving]
15:37 -!- al_nz1 [~Ali_nz1@122.58.81.50] has joined #openvpn
15:38 < al_nz1> you about Eugene or krzee
15:39 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
15:39 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Excess Flood]
15:40 -!- mgorbach_ is now known as mgorbach
15:41 -!- Ali_nz2 [~Ali_nz1@203.109.206.199] has joined #openvpn
15:42 -!- al_nz1 [~Ali_nz1@122.58.81.50] has quit [Ping timeout: 240 seconds]
15:48 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
15:50 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
15:52 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Client Quit]
15:55 -!- ernetas [~Ernestas@37.58.69.18-static.reverse.softlayer.com] has joined #openvpn
15:55 < ernetas> Hey guys.
15:55 < ernetas> http://pastebin.com/c5HJB1zj - this is my server config.
15:56 < ernetas> The problem I'm facing is that this by default routes all traffic through my VPN.
15:57 < ernetas> I want that clients would be using VPN only for a certain subnet. I've setup masquerading, IP packet forwarding, etc. on the server. However, I'm failing to define correct routes for this config (tun). Is it even possible for tun connections?
15:58 < ernetas> !welcome
15:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:58 < ernetas> !goal
15:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:58 < ernetas> !goal I want to use OpenVPN for accesing my company LAN
16:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:09 < ernetas> Okay... Seems like an issue of NetworkManager. Connecting through command line works as it should - does not route all traffic.
16:10 -!- mback2k_ is now known as mback2k
16:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
16:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
16:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:18 -!- mback2k is now known as mback2k_
16:26 -!- mback2k_ is now known as mback2k
16:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:30 -!- ernetas [~Ernestas@37.58.69.18-static.reverse.softlayer.com] has left #openvpn []
16:31 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
16:33 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:00 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
17:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
17:42 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
17:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:01 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
18:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-tthgaakxvakkyrbx] has quit [Quit: Connection closed for inactivity]
18:06 -!- aji is now known as aji_
18:06 -!- aji [~alex@atheme/member/aji] has joined #openvpn
18:15 -!- MrSkinny [~MrSkinny@unaffiliated/mrskinny] has joined #openvpn
18:16 < MrSkinny> Hi! I just tried using OpenVPN at a public wifi (supermarket) and it failed to connect. It simply timed out at the first step trying to access (I'm using PIA). Any advice?
18:16 -!- aji_ [~alex@atheme/member/aji] has quit [Quit: Segmentation fault (aji dumped)]
18:16 < MrSkinny> It works completely normally from my home
18:18 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xpwkpvujlkztdjbq] has joined #openvpn
18:24 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
18:24 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:35 < hydrajump> MrSkinny could be the supermarket firewall blocking udp traffic
18:36 < hydrajump> if you are using openvpn over udp
18:36 -!- jibcage [~jack@5.150.254.72] has left #openvpn []
18:45 -!- u0m3 [~u0m3@109.96.161.109] has joined #openvpn
18:51 -!- joshh20-Away is now known as joshh20
18:57 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
18:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 253 seconds]
18:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:17 -!- Fiouz_ [~Fiouz@2001:bc8:3068::dead:beef] has quit [Remote host closed the connection]
19:21 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
19:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:26 -!- pinchm [~tom@198.55.125.172] has joined #openvpn
19:28 < pinchm> wonder if vpn provider has to make changes for my system to go from tun to tap with a bridge??
19:38 -!- pinchm [~tom@198.55.125.172] has quit [Quit: Leaving]
19:40 -!- MrSkinny [~MrSkinny@unaffiliated/mrskinny] has quit [Ping timeout: 240 seconds]
20:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
20:06 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has quit [Remote host closed the connection]
20:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
20:22 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
20:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:32 -!- justinzane [~justinzan@tiny.justinzane.com] has quit []
20:33 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
20:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:40 -!- lambda [~lambda@gateway/tor-sasl/lambda] has joined #openvpn
20:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
20:42 -!- mback2k is now known as mback2k_
20:46 -!- u0m3 [~u0m3@109.96.161.109] has quit [Quit: Leaving]
20:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:58 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
21:09 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Ping timeout: 240 seconds]
21:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:19 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
21:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:43 -!- lambda [~lambda@gateway/tor-sasl/lambda] has quit [Ping timeout: 265 seconds]
21:44 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
21:45 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:50 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 240 seconds]
21:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:00 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 255 seconds]
22:02 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
22:02 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:05 -!- joshh20 is now known as joshh20-Away
22:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
22:11 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:15 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:16 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xpwkpvujlkztdjbq] has quit [Quit: Connection closed for inactivity]
22:26 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-qwmjcnqmkrlwxobw] has quit [Quit: Connection closed for inactivity]
22:39 -!- AGinsberg [~AGinsberg@gateway/tor-sasl/aginsberg] has quit [Ping timeout: 265 seconds]
22:43 -!- roma [~roma@tweezer.apistune.com] has joined #openvpn
22:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
22:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:59 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:59 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
23:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:33 -!- levifig_ is now known as levifig
23:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
23:36 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
23:42 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Remote host closed the connection]
23:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:59 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
--- Day changed Sun Mar 16 2014
00:05 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
00:05 < funyun> hi. i restarted my dedicated server and now the vpn i'm running on it will not start. when i try service openvpn start i get "[FAIL] Starting virtual private network daemon: server tun0 failed!" anyone know how i can get more info or fix this?
00:06 < funyun> server log http://pastebin.com/BrL3GjKf
00:06 < funyun> client log http://pastebin.com/BMeXxTex
00:13 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:16 < funyun> pekster: hey. you there?
00:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
00:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
00:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Quit: leaving]
01:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
01:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
01:13 < funyun> here's my server config http://pastebin.com/hdUeisTQ. and here's my client config http://pastebin.com/JXxeYBq9. can anyone tell me why i can't connect?
01:22 < Eneerge> both pastes removed
01:22 < Eneerge> did you include your password or something?
01:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
01:24 < funyun> Eneerge: maybe the period at the end
01:24 < funyun> not part of the link
01:25 < funyun> Eneerge: try http://pastebin.com/hdUeisTQ and http://pastebin.com/JXxeYBq9
01:27 -!- mikemol [~mikemol@2001:470:c5b9:beef:115f:2eb0:b5cf:3b86] has quit [Ping timeout: 264 seconds]
01:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:34 < funyun> service openvpn status tells me "[FAIL] VPN 'tun0' is not running ... failed!"
01:37 -!- al_nz1 [~Ali_nz1@122.58.81.50] has joined #openvpn
01:40 -!- Ali_nz2 [~Ali_nz1@203.109.206.199] has quit [Ping timeout: 264 seconds]
01:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
01:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:08 -!- mikemol [~mikemol@2001:470:c5b9:beef:a88d:5427:a5ee:945d] has joined #openvpn
02:25 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
02:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
02:44 -!- tessier [~treed@kernel-panic/copilotco] has quit [Remote host closed the connection]
02:44 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
02:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:49 -!- funyun_ [~temp@23.82.54.75] has joined #openvpn
02:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
02:53 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
02:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:02 -!- mickyz [~mickymaus@please-give-me.remoteaccess.me] has joined #openvpn
03:03 -!- mback2k_ is now known as mback2k
03:10 -!- mickyz [~mickymaus@please-give-me.remoteaccess.me] has left #openvpn []
03:31 < harlan> Looking for help debugging/fixing a routing problem.  I've got openvpn 2.3.2 answering on the public IP of a dual-nic box.  The other nic is attached to an internal LAN.  I connect to the box from my laptop.  I get routes pushed to me for the internal LAN.  I can ping the public IP of the vpn server, and tracroute shows that I can reach internal IPs on both interfaces of the VPN server box.  I cannot reach internal IPs on any other box on the remote side.
03:32 < harlan> The routing looks good.
03:32 < harlan> Traceroute "stops" answering once the packets get to the VPN server.
03:32 < harlan> From the VPN server machine I can ping internal IP addresses of other machines on both the public and private LANs.
03:40 < GregB> hey guys, I'm working on creating an ovpn file. When I import it I get: "This is a static profile that will connect to %S@%S". I'd like to fix that. Does anyone know what I need to do to change that text from %S@%S to someting@something
03:51 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:23 < GregB> Another question, I need to set an environment variable from either auth-user-pass-verify or from the up script
04:30 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Operation timed out]
04:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:34 -!- funyun_ [~temp@23.82.54.75] has quit [Ping timeout: 240 seconds]
04:37 -!- funyun_ [~temp@72.37.242.11] has joined #openvpn
04:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
04:38 -!- mback2k is now known as mback2k_
04:40 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:42 -!- novaflash is now known as novaflash_away
04:52 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
04:52 -!- Devastator [~devas@186.214.111.9] has joined #openvpn
04:58 -!- Fast[BDC] [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
05:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
05:02 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
05:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:03 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
05:08 -!- gffa [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has joined #openvpn
05:08 -!- gffa [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has quit [Changing host]
05:08 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:17 -!- novaflash_away is now known as novaflash
05:18 -!- instigator [~instigato@ti-225-26-25.telkomadsl.co.za] has joined #openvpn
05:18 -!- instigator [~instigato@ti-225-26-25.telkomadsl.co.za] has left #openvpn []
05:23 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
05:24 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
05:25 < maodun> I want to assign my server an ip other than 10.8.0.1 - e.g., 10.8.0.42, or just an ip in addition to 10.8.0.1. Is this possible?
05:25 < maodun> I realize I can do a different subnet, I'm talking about the .1 part
05:29 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 252 seconds]
05:29 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
05:33 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Remote host closed the connection]
05:34 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
05:36 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
05:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:39 -!- mback2k_ is now known as mback2k
05:42 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
05:42 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
05:48 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-azashnalmtxzdnxm] has joined #openvpn
05:51 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
05:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 253 seconds]
05:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:08 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:15 -!- funyun_ [~temp@72.37.242.11] has quit [Ping timeout: 240 seconds]
06:16 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:18 -!- charlie111 [~charlie11@ti-225-26-25.telkomadsl.co.za] has joined #openvpn
06:18 -!- atmosx_ [~osx@217.70.broadband4.iol.cz] has joined #openvpn
06:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
06:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:24 -!- atmosx_ [~osx@217.70.broadband4.iol.cz] has quit [Quit: Lost in trance]
06:28 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:30 -!- charlie111 [~charlie11@ti-225-26-25.telkomadsl.co.za] has quit [Quit: Bye]
06:32 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
06:45 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:46 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:58 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 240 seconds]
07:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
07:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:13 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
07:21 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Quit: Leaving.]
07:21 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
07:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:48 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
07:48 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
07:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:54 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
07:58 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:04 -!- makara [~makara@105-208-254-141.access.mtnbusiness.co.za] has joined #openvpn
08:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:09 -!- joshh20-Away is now known as joshh20
08:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:19 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
08:29 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:32 -!- makara [~makara@105-208-254-141.access.mtnbusiness.co.za] has quit [Ping timeout: 240 seconds]
08:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
08:40 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
08:43 -!- mback2k is now known as mback2k_
08:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:44 -!- mback2k_ is now known as mback2k
08:45 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
08:52 -!- makara [~makara@105-208-254-141.access.mtnbusiness.co.za] has joined #openvpn
08:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
08:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:00 -!- Devastator [~devas@186.214.111.9] has quit [Changing host]
09:00 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
09:05 -!- makara [~makara@105-208-254-141.access.mtnbusiness.co.za] has quit [Quit: Leaving]
09:14 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
09:14 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
09:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
09:20 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
09:27 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 240 seconds]
09:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
09:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:39 -!- dwirc [~irc@d118-75-58-50.col.wideopenwest.com] has quit [Ping timeout: 252 seconds]
09:41 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
09:46 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
09:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
09:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:57 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
09:59 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
10:09 -!- lambda [~lambda@gateway/tor-sasl/lambda] has joined #openvpn
10:19 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
10:21 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:23 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 240 seconds]
10:24 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
10:26 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
10:27 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:35 -!- joshh20 is now known as joshh20-Away
10:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
10:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:36 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.4.3"]
10:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
10:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:02 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
11:07 -!- notroot [~alastair@host81-152-149-74.range81-152.btcentralplus.com] has joined #openvpn
11:08 < notroot> having a problem getting my vpn to work for internet access, i can ping public ip's via the vpn, but i can access the web pages, even though port 80 is reported as open if i nmap a website
11:08 < notroot> *cant access
11:10 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:10 < pekster> Broken MTU perhaps? tcpdump the session; if it hangs after the client's 'GET /' request or similar, that's likely the cause
11:11 < pekster> You can verify that by doing a ping set to the tun-devices MTU with DF set, although be aware you probably want to disable openvpn's compression (set `comp-lzo no` on both sides, otherwise the compression skews results)
11:12 < notroot> hmm right i'll have a look
11:13 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
11:20 -!- notroot [~alastair@host81-152-149-74.range81-152.btcentralplus.com] has quit [Ping timeout: 240 seconds]
11:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:22 -!- notroot [~alastair@81.17.22.85] has joined #openvpn
11:26 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
11:29 -!- notroot [~alastair@81.17.22.85] has quit [Ping timeout: 264 seconds]
11:30 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Quit: WeeChat 0.4.3]
11:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
11:34 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:37 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Quit: Leaving.]
11:42 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:45 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
11:50 -!- mback2k is now known as mback2k_
11:51 -!- joshh20-Away is now known as joshh20
11:53 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:57 -!- dwirc [~irc@d118-75-218-160.try.wideopenwest.com] has joined #openvpn
11:58 < GregB> anyone know of a way of setting a unique identifier from an earlier script that lives to disconnect?
11:59 < GregB> it seems no environmental variable I create via client connect script remains set when executing client-disconnect
11:59 < GregB> I'm trying to create a tracking method for individual logins, so I can store bandwidth usage and connection details for each user.
12:01 < pekster> GregB: My solution to that is to track the source IP+port of the client connection; that should work even if the client reconnects before the old session expires so long as your clients use the --nobind option
12:01 < pekster> It'll put that in some temporary directory and have an --up script on the server wipe it out on startup (otherwise it'll "track" old logins)
12:02 < pekster> GregB: Here are some scripts of mine that might give you ideas: https://github.com/QueuingKoala/openvpn-dynamic/tree/master/netfilter
12:02 <@vpnHelper> Title: openvpn-dynamic/netfilter at master · QueuingKoala/openvpn-dynamic · GitHub (at github.com)
12:03 < GregB> I suppose that would work, I allow the same user to connect multiple times.
12:04 < pekster> Right, but it would never be on the same source IP/port tupple
12:04 < GregB> that was my only fear with using something like that.
12:04 < GregB> true.
12:05 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:05 < pekster> In theory the client could expire (via --ping-restart) and then re-use the same port, but that shouldn't happen unless you have some really shitty NAT device that tries to agressively reuse ports. I'd file that under "highly unlikely"
12:06 < GregB> I could always use the time_unix variable as well
12:06 < GregB> so, ip, port and time_unix
12:06 < pekster> Sure, make the tupple stronger
12:07 < pekster> Then you need not worry about clients that remove --nobind ;)
12:07 < GregB> yup
12:20 < pekster> GregB: fwiw, looking at that project I referenced, I'm apparently using openvpn's internally-assigned IP. That won't ever be re-used, so it's also a nice option: https://github.com/QueuingKoala/openvpn-dynamic/blob/master/netfilter/client-connect.sh#L33
12:20 <@vpnHelper> Title: openvpn-dynamic/netfilter/client-connect.sh at master · QueuingKoala/openvpn-dynamic · GitHub (at github.com)
12:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:23 < GregB> I see, I like it.
12:23 < GregB> I'm sorry, I'm already using the method described.
12:27 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
12:28 < pekster> They all do the same thing in the end
12:42 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
12:42 -!- converge [~converge@189.7.3.101] has joined #openvpn
12:43 -!- converge [~converge@189.7.3.101] has quit [Changing host]
12:43 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
12:47 -!- lambda [~lambda@gateway/tor-sasl/lambda] has quit [Quit: lambda]
12:49 -!- Ali_nz2 [~Ali_nz1@60-234-250-18.bitstream.orcon.net.nz] has joined #openvpn
12:50 -!- al_nz1 [~Ali_nz1@122.58.81.50] has quit [Ping timeout: 240 seconds]
12:54 -!- al_nz1 [~Ali_nz1@203.109.206.199] has joined #openvpn
12:55 -!- Ali_nz2 [~Ali_nz1@60-234-250-18.bitstream.orcon.net.nz] has quit [Ping timeout: 240 seconds]
12:57 -!- Ali_nz2 [~Ali_nz1@60-234-250-18.bitstream.orcon.net.nz] has joined #openvpn
12:58 -!- Ali_nz2 [~Ali_nz1@60-234-250-18.bitstream.orcon.net.nz] has quit [Client Quit]
12:59 -!- charlie111 [~charlie11@ti-225-26-25.telkomadsl.co.za] has joined #openvpn
13:01 -!- al_nz1 [~Ali_nz1@203.109.206.199] has quit [Ping timeout: 240 seconds]
13:04 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xjeymhyfsqbeyfva] has joined #openvpn
13:04 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Quit: Leaving.]
13:05 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
13:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:28 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:35 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:35 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:35 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:36 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:37 -!- GregB__ [~GregB@77.72.6.200] has joined #openvpn
13:37 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:40 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:41 -!- GregB__ [~GregB@77.72.6.200] has quit [Ping timeout: 240 seconds]
13:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
13:50 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 240 seconds]
13:50 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Quit: Tension, apprehension, and dissension have begun.]
13:51 -!- mback2k_ is now known as mback2k
13:51 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
13:52 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
13:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:00 -!- u0m3 [~u0m3@109.96.172.38] has joined #openvpn
14:03 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 252 seconds]
14:04 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
14:09 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Ping timeout: 265 seconds]
14:11 -!- mback2k is now known as mback2k_
14:11 -!- mback2k_ is now known as mback2k
14:11 -!- mback2k is now known as mback2k_
14:13 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
14:15 -!- Latrina [~Latrina@adsl-ull-236-243.45-151.net24.it] has joined #openvpn
14:15 < Latrina> Good evening people ..
14:16 < Latrina> I am setting up OpenVPN server on my OpenWrt router and I want to let the OpenVPN server assign a static IP belonging to the local network subnet
14:16 < Latrina> is there a way to do this with TUN ?
14:17 < Latrina> or is TAP the only option in this case ?
14:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-azashnalmtxzdnxm] has quit [Quit: Connection closed for inactivity]
14:17 < Latrina> I meant I want the client connecting to the VPN to acquire a local ip of the local network lan
14:17 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
14:18 -!- notroot [~alastair@host81-152-149-74.range81-152.btcentralplus.com] has joined #openvpn
14:18 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
14:20 < notroot> how can i run openvpn in the foreground without being in the dir containing the config and cert files? i would prefer not to set absolute paths but if thats the only way i can do
14:20 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
14:22 -!- master_of_master [~master_of@p4FD7B946.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
14:23 < pekster> Latrina: You can't do that with tun. And you shouldn't bridge unless you're truely using non-IP protocols. Why can't you use standard routing?
14:23 < pekster> notroot: Read about the --cd option
14:24 < Latrina> pekster: standard routing will not give the client an ip address of the network lan subnet right??
14:24 < pekster> Right. In 99% of cases you don't need that
14:24 < pekster> Why do you think you do? What non-IP protocol can you not route with?
14:24 < Latrina> however will give it another subnet ip address with the option to communicate with the clients connected to the network lan
14:24 < Latrina> if I am not mistaken
14:24 < notroot> pekster, thanks that looks like what i need
14:24 -!- notroot [~alastair@host81-152-149-74.range81-152.btcentralplus.com] has quit [Quit: leaving]
14:24 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:25 < Latrina> pekster: I am not sure what the answer is ..
14:25 < Latrina> I am trying to figure things out ..
14:25 < pekster> Read about !serverlan
14:25 < Latrina> thanks
14:26 -!- master_of_master [~master_of@p4FF2457D.dip0.t-ipconnect.de] has joined #openvpn
14:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:28 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:46 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
14:48 -!- charlie111 [~charlie11@ti-225-26-25.telkomadsl.co.za] has quit [Quit: Bye]
14:49 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
14:53 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
14:55 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:57 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
14:59 -!- converge [~converge@189.7.3.101] has joined #openvpn
14:59 -!- converge [~converge@189.7.3.101] has quit [Changing host]
14:59 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
15:01 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
15:05 -!- snappy [nipnop@unaffiliated/snappy] has quit [Ping timeout: 245 seconds]
15:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:17 -!- snappy [nipnop@wbml.net] has joined #openvpn
15:17 -!- snappy [nipnop@wbml.net] has quit [Changing host]
15:17 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
15:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xjeymhyfsqbeyfva] has quit [Quit: Connection closed for inactivity]
15:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
15:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:25 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:28 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Client Quit]
15:29 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:30 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
15:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
15:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:32 < converge> my vpn server is on, the client can connect and have an new ip for the vpn. but when I ping to some device, it's not responding
15:32 < converge> does someone knows what could be wrong ?
15:33 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
15:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:38 < pekster> "some device"
15:39 -!- Latrina [~Latrina@adsl-ull-236-243.45-151.net24.it] has quit [Read error: Connection reset by peer]
15:40 < pekster> Maybe you should reference either !serverlan or !clientlan depending on which LAN you're trying to connect to
15:40 < pekster> helpful flowcharts are included
15:44 < converge> pekster: do u have an example ?
15:49 < pekster> I just gave you a couple
15:49 < pekster> !serverlan
15:49 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:49 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:49 < pekster> Also, see:
15:49 < pekster> !new
15:49 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
15:50 < pekster> (and the channel /TOPIC)
15:52 -!- converge [~converge@unaffiliated/joaop] has quit [Ping timeout: 240 seconds]
15:52 -!- Cr4zi3 [guessswh0@staff.xbins.org] has quit [Quit: changing servers]
15:53 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:54 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
15:57 -!- converge [~converge@189.7.3.101] has joined #openvpn
15:57 -!- converge [~converge@189.7.3.101] has quit [Changing host]
15:57 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
15:57 -!- tessier_ [~treed@wsip-98-175-106-200.sd.sd.cox.net] has joined #openvpn
15:57 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Excess Flood]
15:58 -!- tessier_ [~treed@wsip-98-175-106-200.sd.sd.cox.net] has quit [Changing host]
15:58 -!- tessier_ [~treed@kernel-panic/copilotco] has joined #openvpn
15:58 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
15:59 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
16:02 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
16:05 -!- joshh20 is now known as joshh20-Away
16:06 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 240 seconds]
16:16 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
16:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
16:17 < Haigha> hi
16:17 < Haigha> my --auth-user-pass-verify script is called 2 times more than my --client-connect script, why ?
16:18 < pekster> The former is called every re-key (a full re-auth happens then.) The latter happens only on initial connection
16:18 < pekster> That'll depend on your --reneg-* values, which by default is every hour
16:18 < Haigha> oh
16:18 < Haigha> thanks :)
16:20 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has quit [Excess Flood]
16:21 -!- tessier [~treed@kernel-panic/copilotco] has quit [Remote host closed the connection]
16:21 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
16:21 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-robvtnwzsirfmmsw] has joined #openvpn
16:21 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
16:21 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
16:22 -!- Cr4zi3 [~killaz@76.74.171.253] has joined #openvpn
16:26 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
16:32 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:32 -!- GregB [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:33 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
16:34 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
16:35 -!- gffa_ [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:42 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
16:43 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-fqbievdetizxyrrx] has joined #openvpn
16:45 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:48 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
16:59 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
17:06 -!- lambda [~lambda@gateway/tor-sasl/lambda] has joined #openvpn
17:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:15 -!- joshh20-Away is now known as joshh20
17:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
17:21 -!- justinzane [~justinzan@tiny.justinzane.com] has quit []
17:24 -!- pcdummy_ [~pcdummy@5.9.210.235] has joined #openvpn
17:25 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Read error: Connection reset by peer]
17:25 -!- pcdummy_ is now known as pcdummy
17:25 -!- pcdummy [~pcdummy@5.9.210.235] has quit [Changing host]
17:25 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
17:28 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 240 seconds]
17:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:29 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Read error: Operation timed out]
17:34 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:35 -!- Devastatr [~devas@186.214.111.9] has joined #openvpn
17:36 -!- pcdummy_ [~pcdummy@5.9.210.235] has joined #openvpn
17:37 -!- Devastatr [~devas@186.214.111.9] has quit [Changing host]
17:37 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
17:39 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
17:39 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
17:40 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
17:44 -!- Netsplit *.net <-> *.split quits: Devastator, elfixit1, funyun, maskedlua, elfixit, u0m3, sunwind, HectorBarbossa, pcdummy, hydrajump,  (+8 more, use /NETSPLIT to show all of them)
17:44 -!- Netsplit over, joins: maskedlua
17:44 -!- Netsplit over, joins: hydrajump, B1nny, HectorBarbossa, u0m3, elfixit1, elfixit, m01_, @novaflash, dos-freak
17:45 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
17:45 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
17:49 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 240 seconds]
17:56 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
17:57 -!- pcdummy_ is now known as pcdummy
17:57 -!- pcdummy [~pcdummy@5.9.210.235] has quit [Changing host]
17:57 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
17:59 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
18:06 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
18:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:21 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
18:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
18:33 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:35 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:39 < converge> pekster: are u there ?
18:40 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
18:42 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
18:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:47 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
18:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
18:48 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:52 -!- lambda [~lambda@gateway/tor-sasl/lambda] has quit [Quit: lambda]
18:53 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
18:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:03 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
19:05 -!- converge [~converge@unaffiliated/joaop] has quit [Ping timeout: 255 seconds]
19:05 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
19:14 < converge> I can connect, but I can't ping, can someone help me ? dont know what to do
19:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
19:23 -!- converge [~converge@unaffiliated/joaop] has quit [Ping timeout: 252 seconds]
19:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:36 -!- joshh20 is now known as joshh20-Away
19:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
19:46 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
19:48 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:52 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit []
19:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
19:56 <@ecrist> nope
19:58 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
20:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:13 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
20:15 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:20 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:22 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
20:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-fqbievdetizxyrrx] has quit [Quit: Connection closed for inactivity]
20:32 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
20:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-robvtnwzsirfmmsw] has quit [Quit: Connection closed for inactivity]
20:32 -!- converge [~converge@189.7.3.101] has joined #openvpn
20:32 -!- converge [~converge@189.7.3.101] has quit [Changing host]
20:32 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:32 < converge> can someone help me with my server config ? https://forums.openvpn.net/topic15327.html
20:32 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN server + Tunnelblick = connect but can't ping : Server Administration (at forums.openvpn.net)
20:33 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
20:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
20:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:39 < pekster> converge: The connection looks okay, as to your configs. At 22:06:37 the client reports 'Initialization Sequence Completed' which means that it came up successfully
20:40 < pekster> I'm not sure what Tunnelblick is whining about with 'ipInfo hosts's name' offhand
20:42 < converge> pekster: does the routing config is ok ?
20:42 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 246 seconds]
20:43 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
20:44 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
20:45 -!- Latrina [~Latrina@adsl-ull-236-243.45-151.net24.it] has joined #openvpn
20:45 < Latrina> Hello everyone.. I am here to bother again ..
20:45 < Latrina> I managed to create a simple point to point openvpn server
20:46 < Latrina> I can connect to the server the problem is I cannot surf the web
20:46 < Latrina> according to the OpenVPN FAQ I have added the following rule to the fw
20:46 < Latrina> iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
20:47 < Latrina> changing $PRIVATE with the OpenVPN private subnet and eth0 with the WAN of the router ..
20:47 < Latrina> still I can't seem to be able to let the clients access the web
20:49 < shibboleth> Latrina, http://bit.ly/NlGlrN
20:49 < Latrina> I am going to take a look.. thanks
20:49 < Latrina> ahaha .. lovely
20:49 < shibboleth> wait for it...
20:50 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
20:51 < shibboleth> Latrina, are the clients aware that they should route traffic through the vpn gateway?
20:51 < shibboleth> and -o IP wont work
20:51 < Latrina> I guess so.. I am going to post the client conf
20:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
20:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:53 < Latrina> shibboleth: here it comes http://pastebin.com/YTkYWyUt
20:54 < shibboleth> Latrina, dont use uci for openvpn on openwrt
20:54 < Latrina> to be honest I don't see any indication in the client that tell to router the traffic
20:54 < Latrina> I can use plain conf its okay
20:54 < Latrina> do u think the client setting looks good =
20:54 < Latrina> ?
20:55 < shibboleth> Latrina, no, that server wont push any routes to clients
20:55 < shibboleth> err
20:55 < Latrina> as I thought :(
20:55 < shibboleth> what is the server conf like?
20:55 < Latrina> I am using UCI though
20:56 < shibboleth> and dont use compression on weak hardware
20:56 < Latrina> http://pastebin.com/cUytuvsh
20:56 < Latrina> oh okay I thought it would optimize the data encryption
20:56 < Latrina> will disable it
20:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
20:57 < shibboleth> Latrina, ehh
20:57 < shibboleth> option 'server' '10.8.0.0 255.255.255.0'
20:57 < shibboleth> list 'push' 'dhcp-option DNS 192.168.1.1'
20:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:58 < Latrina> what's wrong with that=
20:58 < shibboleth> nothing unless you allow traffic between the zones
20:58 < shibboleth> nothing *if* you allow...
20:59 < Latrina> here u can find the entire network and fw confing https://forum.openwrt.org/viewtopic.php?pid=227750#p227750
20:59 <@vpnHelper> Title: Unable to connect to my OpenVPN server (Page 1) — General Discussion — OpenWrt (at forum.openwrt.org)
21:00 < Latrina> only change that I have made is I swapped the wan interface eth0.2 with the ppp wan interface which is pppoe-wan
21:00 < Latrina> in /etc/firewall.user
21:00 < Latrina> because it seems to work that way .. not sure why ..
21:00 < Latrina> even the SIP proxy, if I put it on eth0.2 it wont work..
21:01 < Latrina> I have even manually added 10.8.0.0/24 to be routed to 192.168.1.1
21:01 < Latrina> with route add -net 10.8.0.0/24 gw 192.168.1.1   . but no go
21:02 < shibboleth> you should post the route table from the clients
21:03 < shibboleth> route -an
21:03 < Latrina> sure
21:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
21:03 < Latrina> well on the mac that seems to be different
21:03 < Latrina> let me read the man
21:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:08 < Latrina> back
21:08 < Latrina> here's the routing table of the client
21:08 < Latrina> http://pastebin.com/ZnZBJAs6
21:09 < Latrina> and some ifconfig as well http://pastebin.com/vburqLkS
21:09 < shibboleth> im using tor and i get http://i.imgur.com/a27BE.jpg
21:09 < Latrina> ahaha too bad :)
21:10 < shibboleth> there
21:11 < Latrina> the only weird thing that I can notice in ifconfig under the tun0 interface on the client is this
21:11 < Latrina> netmask 0xffffffff
21:11 < Latrina> is that normal ?
21:13 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
21:19 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
21:20 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
21:22 < Latrina> anyone?
21:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:32 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Ping timeout: 246 seconds]
21:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
21:39 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:40 -!- Latrina [~Latrina@adsl-ull-236-243.45-151.net24.it] has quit [Quit: Leaving...]
21:58 -!- rizz_ [~riz@23.92.60.131] has quit []
21:59 -!- treshoem1 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 265 seconds]
22:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:00 -!- treshoem1 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
22:01 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:04 -!- maodun [~Adium@li461-101.members.linode.com] has joined #openvpn
22:10 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
22:14 < converge> can someone help me with my openvpn server config ? https://forums.openvpn.net/topic15327.html
22:14 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN server + Tunnelblick = connect but can't ping : Server Administration (at forums.openvpn.net)
22:25 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
22:33 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:42 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
22:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:45 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 255 seconds]
22:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
22:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:08 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
23:09 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
23:14 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
23:15 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
23:29 -!- maodun [~Adium@li461-101.members.linode.com] has quit [Quit: Leaving.]
23:31 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
23:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:45 -!- akurilin [~alex@98.207.161.67] has quit [Read error: Connection reset by peer]
23:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
23:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
--- Day changed Mon Mar 17 2014
00:01 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
00:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:22 -!- Latrina [~Latrina@ppp-15-13.26-151.libero.it] has joined #openvpn
00:24 < Latrina> anyone awake wants to take a look into this ? https://forums.openvpn.net/post39216.html#p39216
00:24 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN clients unable to access the internet : Server Administration (at forums.openvpn.net)
00:24 < Latrina> it's going to take a bit though :D
00:27 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
00:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:36 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vcupzjtrplgeqjdt] has joined #openvpn
00:41 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
00:42 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:51 -!- Latrina [~Latrina@ppp-15-13.26-151.libero.it] has quit [Remote host closed the connection]
01:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
01:13 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
01:16 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Remote host closed the connection]
01:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
01:22 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:24 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
01:30 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
01:30 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
01:31 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
01:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
02:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:14 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 252 seconds]
02:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:16 -!- mode/#openvpn [+v s7r] by ChanServ
02:21 -!- makara [~makara@41.164.22.218] has joined #openvpn
02:22 -!- makara [~makara@41.164.22.218] has quit [Max SendQ exceeded]
02:48 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
02:51 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
02:56 -!- indy is now known as dr_jones
02:57 -!- dr_jones is now known as indy
02:57 -!- indy is now known as indiana
02:57 -!- indiana is now known as indy
03:13 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
03:20 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
03:21 -!- _dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
03:21 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
03:22 -!- B1nny_ [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has joined #openvpn
03:23 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 240 seconds]
03:23 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Ping timeout: 240 seconds]
03:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
03:24 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
03:25 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
03:25 -!- u0m3_ [~u0m3@109.96.172.38] has joined #openvpn
03:27 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has quit [Disconnected by services]
03:27 -!- B1nny_ is now known as B1nny
03:27 -!- nunim [nunim@unaffiliated/nunim] has left #openvpn []
03:28 -!- mikkel [~mikkel@93.176.85.50] has quit [Ping timeout: 240 seconds]
03:28 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 240 seconds]
03:28 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 240 seconds]
03:28 -!- u0m3 [~u0m3@109.96.172.38] has quit [Ping timeout: 240 seconds]
03:28 -!- treshoem1 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 240 seconds]
03:29 -!- novaflash [~novaflash@its.novaflash.nl] has joined #openvpn
03:29 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
03:29 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
03:35 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
03:36 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
03:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:40 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has quit [Quit: Leaving]
03:52 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
03:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:14 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
04:16 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
04:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:21 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn ["Leaving"]
04:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
04:35 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vcupzjtrplgeqjdt] has quit [Quit: Connection closed for inactivity]
04:44 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
04:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
04:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
05:02 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:07 -!- dazo_afk is now known as dazo
05:10 -!- NyB_ [~archon@athedsl-311477.home.otenet.gr] has joined #openvpn
05:10 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
05:11 < NyB_> Hi! Is there a way to have an OpenVPN client configuration file include another file?
05:12 < NyB_> I'd like to have my configuration files share a common part and only contain the differences
05:12 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-ladgqssgiocjqfxp] has quit [Read error: Connection reset by peer]
05:14 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-fxdejeebjadjpdkv] has joined #openvpn
05:15 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
05:26 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
05:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:37 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
05:40 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
05:41 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
05:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:55 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-hxovvuhsqleergnm] has joined #openvpn
05:55 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
06:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
06:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
06:03 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
06:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:13 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
06:13 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:16 -!- venkatesh [~venkatesh@223.239.244.197] has joined #openvpn
06:16 -!- venkatesh [~venkatesh@223.239.244.197] has left #openvpn []
06:17 < B1nny> Good afternoon, does anyone in here have any issues with the Android app for OpenVPN and the connection dropping when putting the device in standby? (Android 4.4.2 KitKat that is)
06:19 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
06:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
06:26 -!- elfixit [~Icedove@82.197.179.15] has joined #openvpn
06:26 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:32 -!- elfixit [~Icedove@82.197.179.15] has quit [Ping timeout: 240 seconds]
06:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
06:34 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:41 -!- Guest53070 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:45 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
06:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:49 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
06:57 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
07:20 <@plai> B1nny: I have not heard reports that suggest so
07:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
07:22 < B1nny> plai: Hmm odd, I do have this problem and someone else I spoke to does as well. The VPN works fine, but if you put your phone in standby for like 15 minutes or so and wake it up again no data is being transferred whatsoever. OpenVPN still reports it's connected, but you have to 'disconnect' and reconnect in order to use the VPN again.
07:22 <@plai> B1nny: over mobile?
07:23 <@plai> and udp?
07:23 <@plai> the nat states might simply drop
07:23 < B1nny> plai: both over mobile network (3G/HSDPA) and wifi and yes UDP
07:26 <@plai> the connection is dropping if ping settings are > 60s is a common issue with NATs
07:26 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:27 <@plai> other than that, I don't know of any bugs or broken behaviour
07:28 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:31 < NyB_> Hmm, how can I get the OpenVPN client on Linux to use a different interface name than tun*?
07:31 < NyB_> I tried dev vpn0; dev-type tun;
07:32 < NyB_> but while it brought up the vpn0 interface, it had no IP address
07:32 <@plai> that is a different bug then
07:32 < NyB_> and no routes were established either...
07:32 <@plai> check your log
07:33 < NyB_> is there a way to tell OpenVPN to wait for a couple of seconds after creating the interface?
07:33 < NyB_> the commands seemed to be issued, but perhaps they were a bit premature...
07:38 < NyB_> ah, sometimes automation sucks
07:39 < NyB_> I *think* that the culprit may be ifplugd/networkmanager or something like that
07:39 < NyB_> it seems to recognize tunX as a "do-not-touch-me" interface
07:39 < NyB_> but goes straight on to start dhclient for my vpnX interfaces...
07:55 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
07:55 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
08:01 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
08:02 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:04 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
08:04 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
08:11 -!- mikemol [~mikemol@2001:470:c5b9:beef:a88d:5427:a5ee:945d] has quit [Remote host closed the connection]
08:11 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Quit: Leaving]
08:17 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
08:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
08:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:21 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
08:22 -!- Neozonz|Discx2 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
08:22 -!- Neozonz|Discx2 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Changing host]
08:23 -!- Neozonz|Discx2 [~arajakul@unaffiliated/neozonz] has joined #openvpn
08:26 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:30 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
08:32 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
08:35 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
08:43 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
08:44 -!- NyB_ [~archon@athedsl-311477.home.otenet.gr] has left #openvpn []
08:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:48 -!- jpkroehling [~jpkroehli@2001:a60:16ac:5f00:3e97:eff:fe96:48d7] has joined #openvpn
08:49 -!- seppo_ [~seppo@5.57.255.218] has joined #openvpn
08:50 -!- HyperGlide [~HyperGlid@17.249.127.199.client.dyn.strong-in61.as13926.net] has joined #openvpn
08:50 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
08:52 < seppo_> Good afternoon, anyone familiar with openvpn configs on openwrt ?
08:53 -!- indy [~indy@194.213.226.242] has joined #openvpn
08:53 -!- indy [~indy@194.213.226.242] has quit [Excess Flood]
08:55 -!- pnielsen_ is now known as pnielsen
08:55 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
08:56 < jpkroehling> hello, I'm trying to get a configuration working, and I'm certain that it's a problem with the combination of iptables and openvpn, and I guess there might be someone on this channel with a similar setup as mine
08:56 < jpkroehling> basically, I have an openvpn server at digital ocean, to provide me with a fixed ip
08:56 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
08:57 < jpkroehling> then, I have a few virtual machines in a host at home, and a few of those vms connect to the openvpn server at digital ocean
08:57 -!- funyun_ [~temp@72.37.242.11] has joined #openvpn
08:57 < jpkroehling> the main host (and hence, the vms) are on my local network
08:57 < jpkroehling> so, what I want to accomplish, is to have access to my servers from the internet via digital ocean, and from my local network via my host
08:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
08:58 < jpkroehling> (so, local network speed from my laptop to the vms, basically)
08:58 < jpkroehling> there's port forwarding configured both at the host and at the openvpn server
08:58 < jpkroehling> but when the vm is connected to the vpn, I cannot get access to the vm via the local network
08:59 < jpkroehling> and when disconnecting, it works fine (from the local network perspective)
08:59 < jpkroehling> this is my server configuration: http://pastebin.com/UEhzuUuT
08:59 < jpkroehling> btw, I'm not really an expert in neither openvpn nor iptables :-) and I've played a bit with the "push redirect-gateway" option, to no avail
09:03 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:04 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
09:04 < jpkroehling> just to make it clear, simple forwarding from the openvpn to the client (the vm) works fine, the problem is only that I cannot get to port 80 on the vm from my local network
09:05 < jpkroehling> but at the moment that I disconnect the vm from the openvpn, it works fine
09:05 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
09:06 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
09:10 -!- HyperGlide [~HyperGlid@17.249.127.199.client.dyn.strong-in61.as13926.net] has quit [Quit: Leaving...]
09:15 -!- levifig [sid1908@gateway/web/irccloud.com/x-qblhonkofdsmpoui] has quit [Read error: Connection reset by peer]
09:15 -!- levifig [sid1908@gateway/web/irccloud.com/x-krtaqgrmqemezgjf] has joined #openvpn
09:21 -!- Guest53070 [~klein@189-016-006-003.asselvi.edu.br] has quit [Quit: Leaving]
09:21 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:44 -!- Neozonz|Discx2 is now known as Neozonz
09:45 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 255 seconds]
09:49 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
09:55 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 255 seconds]
09:59 -!- elfixit [~Icedove@64.35.9.23] has joined #openvpn
09:59 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:01 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
10:05  * jpkroehling got it working
10:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:13 -!- elfixit [~Icedove@64.35.9.23] has quit [Ping timeout: 264 seconds]
10:14 -!- elfixit [~Icedove@dhcp-129-154.office.init7.net] has joined #openvpn
10:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:19 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
10:34 -!- funyun_ [~temp@72.37.242.11] has quit [Ping timeout: 240 seconds]
10:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-hxovvuhsqleergnm] has quit [Quit: Connection closed for inactivity]
10:39 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
10:42 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
10:48 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
10:49 -!- phreakoct is now known as phreakocious
10:56 -!- seppo_ [~seppo@5.57.255.218] has quit [Ping timeout: 264 seconds]
10:57 -!- lj [~l@192.241.174.169] has joined #openvpn
11:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:06 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
11:07 -!- seppo_ [~seppo@5.57.255.218] has joined #openvpn
11:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
11:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:18 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
11:19 -!- Neozonz [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
11:19 -!- Neozonz is now known as Guest95815
11:21 -!- Guest95815 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has left #openvpn []
11:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
11:23 -!- takamichi [~takamichi@85.12.8.14] has joined #openvpn
11:24 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:28 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
11:28 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:28 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
11:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:35 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
11:47 -!- mikemol [~mikemol@162.17.129.77] has quit [Disconnected by services]
11:47 -!- mikemol1 [~mikemol@162.17.129.77] has joined #openvpn
11:52 -!- simpleirc1 [~tony@cpe-024-074-158-200.carolina.res.rr.com] has joined #openvpn
11:54 -!- simpleirc1 [~tony@cpe-024-074-158-200.carolina.res.rr.com] has left #openvpn []
11:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
11:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
12:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
12:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:15 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:17 -!- takamichi [~takamichi@85.12.8.14] has quit [Ping timeout: 246 seconds]
12:25 -!- Darren [~darren@173-163-215-178-westflorida.hfc.comcastbusiness.net] has joined #openvpn
12:25 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
12:26 < Darren> Hello All, is this the appropriate place to ask for help with OpenVPN on DD-WRT routers?
12:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:41 -!- GregB__ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:41 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:49 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wixebenwhmmhfmwh] has joined #openvpn
12:53 <@plai> Darren: If it is not specific for DD-WRT
12:54 <@plai> See also:
12:54 <@plai> !ask
12:54 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
12:56 -!- GrecKo_ is now known as GrecKo
13:01 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
13:03 < Haigha> hi, my openvpn servers seem to have a udp packet loss problem
13:03 < Haigha> i see many "Inactivity timeout (--ping-restart), restarting" in my clients logs
13:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:03 < Haigha> and sometimes "replay-window backtrack occurred"
13:04 < Haigha> how can I fix this? (servers are running GNU/Linux, clients use multiple OS)
13:05 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
13:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
13:08 -!- Darren [~darren@173-163-215-178-westflorida.hfc.comcastbusiness.net] has quit []
13:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
13:08 <@dazo> Haigha: The "replay-window backtrack occurred" message is just information .... to solve that, you need to do something about your connection ... it's not OpenVPN's fault, it just fixes it
13:09 <@dazo> "Inactivity timeout (--ping-restart), restarting" ... that's probably something different, but still related to connection issues ... the connection has "idled" for too long without anything happening, so the tunnel is restarted to re-establish the connection
13:09 <@dazo> !config
13:09 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
13:09 <@dazo> !configs
13:09 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:09 < Haigha> yeah but it happens on multiple servers and multiple clients, each with different ISPs
13:09 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
13:10 < Haigha> do i need to push --replay-window ?
13:11 <@dazo> Haigha: no, not really
13:11 <@dazo> Haigha: the default values for the --replay-windows is pretty sane for almost any setup
13:12 < Haigha> so here is my server config: http://pastebin.com/5LUvjR4j
13:13 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:14 <@dazo> I'd recommend to replace the ping/ping-restart (including the corresponding push) with just --keepalive ... I'd probably use 'keepalive 10 60' ... that should help on the "Inactivity timeout (--ping-restart), restarting" warnings
13:14 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
13:15 < Haigha> and for the first error, should I try to increase --replay-window default values ?
13:16 <@dazo> Haigha: by doing that, you just hide the real issue ... keep the defaults, you can really solve it (unless you figure out if the ISP on the client or server side, and the get a different ISP)
13:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:17 <@plai> replay-window notification only happens if a packet is *way* out of order
13:18 < Haigha> okay, thank you for your help :)
13:19 <@dazo> From the man page on --replay-window:
13:19 <@dazo> If you are using a network link with a large pipeline (meaning that the product
13:19 <@dazo> of  bandwidth  and  latency is high), you may want to use a larger value for n.
13:19 <@dazo> Satellite links in particular often require this.
13:19 <@plai> a message here and then is okay because that can happen from time to time when routing paths change (for whatever reason)
13:20 <@plai> I still curious why satellite links should reorder packets
13:20 < Haigha> yeah, i'll ignore them for now, that would already be great if the second error is fixed
13:20 <@dazo> plai: packets gets sorted by size before transmitting them? :-P
13:20 < Haigha> :D
13:21 <@plai> dazo: :)
13:22 <@plai> actually --passtos can easily break replay-window
13:23 <@dazo> true
13:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
13:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:26 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
13:26 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
13:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:42 -!- t0r [~textual@167.206.48.217] has joined #openvpn
13:42 < t0r> are there docs for openvpn connect on MacOS anywhere?  I'm trying to figure out if it's possible to configure it so that you can switch between multiple VPN connections
13:43 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 265 seconds]
13:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
13:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:53 -!- _KaszpiR___ is now known as _KaszpiR_
13:54 -!- mikemol1 [~mikemol@162.17.129.77] has quit [Ping timeout: 252 seconds]
13:54 -!- GregB__ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:54 -!- GregB__ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:55 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
13:57 -!- BCrookAtRA [~bcrook@2001:470:1f11:942::443] has joined #openvpn
13:58 < BCrookAtRA> openvpn is suppose to/has to add routes on a client when the client connects for the client to take advantage of the vpn link.  But for me, openvpn is creating a route that is expressly detrimental to the vpn link.  its adding a route for the server's public ip(/32) to be sent THROUGH the tunnel
13:58 < BCrookAtRA> of course that means the second that route is added, the tunnel is bricked.
13:58 < BCrookAtRA> like a snake eating its own tail
13:58 < BCrookAtRA> what on earth could cause that?
13:59 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
14:00 < BCrookAtRA> if I quickly remove that route right after the tunnel comes up, then I can use it.
14:00 <@dazo> !configs
14:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:03 < BCrookAtRA> dazo: my question is a general one, not specific to any config or logs I have
14:03 < BCrookAtRA> what COULD cause such a route to be created, aside from a manual push route command in the server config, which I do not have
14:04 < BCrookAtRA> !goal
14:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:04 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
14:04 <@dazo> BCrookAtRA: then it sounds like a misconfiguration at some level ... that is not common behaviour at all
14:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:04 <@dazo> (hence asking for the logs)
14:05 <@dazo> errr... asking for the configs
14:07 < BCrookAtRA> http://pastebin.centos.org/8476/39508323/
14:08 <@dazo> BCrookAtRA: Seriously ... "OpenVPN 2.0 Win32-MinGW [SSL] [LZO] built on Apr 17 2005"
14:08 < BCrookAtRA> like 4699 is where it takes a steaming shit on itself
14:08 <@dazo> 9 years old version?
14:08 <@ecrist> lol
14:08 <@dazo> that's the first real issue
14:08 < BCrookAtRA> not really
14:08 <@ecrist> update
14:08 <@dazo> BCrookAtRA: trust me, *that* is a real issue
14:08 < BCrookAtRA> yesterday whent it was 8 years and 364 days old it worked
14:09 <@ecrist> the unfuck what you fucked
14:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
14:10 < BCrookAtRA> so in otherwords, you have no idea what could cause that route add
14:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
14:10 <@ecrist> really, BCrookAtRA, you need to update.
14:10 <@dazo> BCrookAtRA: we stopped completely supporting 2.0 many years ago
14:10 <@ecrist> then we can help you.
14:10 < BCrookAtRA> client devices are in read only storage, there is no such thing as update
14:11 <@ecrist> you're kind of on your own, then.
14:11 <@dazo> BCrookAtRA: the code base which does all of these things are completely different in 2.0 and 2.1 .... and now we're at 2.3 ... this might be a subtle bug you're hitting
14:11 < BCrookAtRA> well I need to figure out how to un-hit it from the server side then
14:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:12 <@dazo> Excuse me ... but what's the problem of updating?
14:12 < BCrookAtRA> READ ONLY STORAGE, NOT MODIFIABLE, UPDATE NOT AN OPTION
14:12 < BCrookAtRA> GO FISH
14:12 -!- BCrookAtRA was kicked from #openvpn by dazo [Dont scream at us]
14:13 <@ecrist> awww, beat me to it
14:13 <@dazo> sorry!
14:13 -!- BCrookAtRA [~bcrook@2001:470:1f11:942::443] has joined #openvpn
14:13 < BCrookAtRA> You asked once, and I said it once
14:13 -!- BCrookAtRA was kicked from #openvpn by ecrist [my turn]
14:13 <@dazo> lol
14:13 -!- BCrookAtRA [~bcrook@2001:470:1f11:942::443] has joined #openvpn
14:13 <@ecrist> third time's the charm.
14:14 < BCrookAtRA> I am being civil
14:14 < BCrookAtRA> but readonly is readonly
14:14 <@ecrist> BCrookAtRA: it doesn't matter if your clients are on read only storage.  your software is 9 years old and OFFICIALLY unsupported
14:14 <@dazo> Then you're really on your own
14:14 <@ecrist> it was writeable at one point, do what ever you did before, again
14:17 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
14:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:20 -!- master_o1_master [~master_of@p4FD7BC89.dip0.t-ipconnect.de] has joined #openvpn
14:20 -!- ecrist was kicked from #openvpn by Eugene [I want in on the fun!]
--- Log closed Mon Mar 17 14:20:33 2014
--- Log opened Mon Mar 17 14:21:56 2014
14:21 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
14:21 -!- Irssi: #openvpn: Total of 226 nicks [7 ops, 0 halfops, 4 voices, 215 normal]
14:21 -!- mode/#openvpn [+o ecrist] by ChanServ
14:21 <@ecrist> lol
14:21 -!- Irssi: Join to #openvpn was synced in 2 secs
14:22 < BCrookAtRA> the medical device industry will be using XP for another 15 years.  Not my choice.  and they don't care about EOL
14:22 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:23 <@Eugene> So switch to Debian. ;-)
14:23 <@Eugene> But i'm not looking to philosophize about this; I really do not care
14:23 <@Eugene> It's Saint Patty's day, so get our your
14:23 <@Eugene> !beer
14:23 < Dan39> using xp for 15 more years?
14:23 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
14:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
14:23 < Dan39> are they freakin nuts...
14:23 <@ecrist> lol
14:23 -!- master_of_master [~master_of@p4FF2457D.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
14:23 < BCrookAtRA> Dan39: yes.  they are.
14:23 <@dazo> Dan39: I'm planning not to get ill the next 15 years, so I'm safe
14:24 <@Eugene> I only use free-range doctors, raised on the finest soy
14:24 <@Eugene> That's probably racist somehow, but I don't know who
14:26 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
14:27 <@plai> BCrookAtRA: My bet is, unless you pay someone for it, nobody cares to debug a decade old version
14:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:29 <@dazo> plai: but the fun is ... if it needs to be fixed, it can't be updated ... so you're back to start again :-P
14:29 <@ecrist> and, even if they fixed the bug, you can't apply the patch to READ ONLY STORAGE
14:30 <@plai> debug as in understand the problem and find a workaround
14:30 < BCrookAtRA> the bug can't be on the client because the client hasn't changed
14:30 <@ecrist> you changed the server?
14:30 < BCrookAtRA> nope
14:30 <@dazo> LOL
14:30 < BCrookAtRA> last login was weeks ago
14:30 <@ecrist> so, nothing changed?
14:31 <@ecrist> magic bugs?
14:31 < BCrookAtRA> thats what blows my mind
14:31 <@ecrist> you, or someone, changed something, if the result changed
14:31 -!- asturel [asturel@unaffiliated/asturel] has quit [Ping timeout: 264 seconds]
14:31 < BCrookAtRA> maybe some counting integer rolled over or something
14:31 < BCrookAtRA> daylight savings time was not too long ago
14:31 <@plai> the 15 year old ca certificate expired *duck*
14:32 <@ecrist> daylight savings isn't new
14:32 <@dazo> that should definitely not impact routes ... and if it does .... well, then that's a nasty overflow bug in 2.0
14:33 <@dazo> And it could just as well be a bug in the WinTAP driver as well, for all we know
14:37 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
14:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
14:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
14:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
14:57 -!- joshh20-Away is now known as joshh20
15:03 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 246 seconds]
15:04 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:06 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
15:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
15:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:31 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Read error: Operation timed out]
15:37 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:39 -!- occupant [~null@204.14.158.226] has joined #openvpn
15:41 < occupant> so I recently upgraded from 2.2.2 to 2.3.2 and since then, I noticed that each connection gets a "PID_ERR replay-window backtrack occurred" and lots of "bad source address from client" errors. But people are saying that their connections are okay. Is this anything I should be concerned about?
15:41 < occupant> there aren't many mentions of that error online
15:42 < occupant> mostly just in code and context-free logs
15:43 -!- jpkroehling [~jpkroehli@2001:a60:16ac:5f00:3e97:eff:fe96:48d7] has quit [Quit: Leaving]
15:51 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-twvdplrmyockuloa] has joined #openvpn
16:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
16:02 -!- lj [~l@192.241.174.169] has joined #openvpn
16:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
16:14 -!- dazo is now known as dazo_afk
16:14 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
16:20 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:21 -!- squirl [~squirl@76.14.69.158] has joined #openvpn
16:23 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 255 seconds]
16:23 -!- pcdummy [~pcdummy@5.9.128.182] has joined #openvpn
16:23 -!- pcdummy [~pcdummy@5.9.128.182] has quit [Changing host]
16:23 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
16:35 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:53 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
16:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:08 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [Remote host closed the connection]
17:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:14 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
17:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
17:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
17:25 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
17:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
17:38 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:40 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
17:48 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:05 -!- ketas- is now known as ketas
18:07 -!- squirl [~squirl@76.14.69.158] has quit [Ping timeout: 246 seconds]
18:23 -!- B1nny [~quassel@53541E4A.cm-6-5a.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:26 <@Eugene> 'bad-source address' is usually IPv6 related, and IIRC that particular PID_ERR is a new debug thing. Turn --verb down to 3 and move on with life. ;-)
18:35 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 255 seconds]
18:39 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:40 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
18:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wixebenwhmmhfmwh] has quit [Quit: Connection closed for inactivity]
19:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
19:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:18 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Quit: Leaving]
19:25 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
19:27 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Ping timeout: 265 seconds]
19:27 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Ping timeout: 240 seconds]
19:27 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
19:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:34 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:36 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 240 seconds]
19:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-twvdplrmyockuloa] has quit [Quit: Connection closed for inactivity]
19:38 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
19:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:39 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:39 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
19:42 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:45 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
19:49 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:49 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:52 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
19:52 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
19:54 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
19:54 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-fxdejeebjadjpdkv] has quit [Ping timeout: 246 seconds]
19:54 -!- levifig [sid1908@gateway/web/irccloud.com/x-krtaqgrmqemezgjf] has quit [Ping timeout: 240 seconds]
19:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
19:56 -!- u0m3_ is now known as u0m3
19:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 265 seconds]
19:56 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-suscptgrcbonnmjv] has joined #openvpn
19:56 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Remote host closed the connection]
19:57 -!- levifig [sid1908@gateway/web/irccloud.com/x-ivgpcabgqqnvdlrf] has joined #openvpn
20:00 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:00 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:01 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
20:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:03 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:03 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:04 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:11 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-suscptgrcbonnmjv] has quit [Ping timeout: 246 seconds]
20:11 -!- joshh20 is now known as joshh20-Away
20:12 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:12 -!- levifig [sid1908@gateway/web/irccloud.com/x-ivgpcabgqqnvdlrf] has quit [Ping timeout: 246 seconds]
20:15 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-cccmpjyzjldvbqhg] has joined #openvpn
20:16 -!- levifig [sid1908@gateway/web/irccloud.com/x-vjtgihgjzicjwvkv] has joined #openvpn
20:17 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:17 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:18 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:19 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 252 seconds]
20:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
20:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:23 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:23 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:25 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:25 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:29 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:29 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:32 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
20:34 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:36 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:37 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:37 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:39 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
20:39 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:39 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:41 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:41 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:41 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:41 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:42 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
20:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:43 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:43 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 240 seconds]
20:45 -!- Guest84697 [~MaT@nl.h6r.org] has joined #openvpn
20:45 -!- Guest84697 [~MaT@nl.h6r.org] has quit [Excess Flood]
20:47 -!- BtbN [btbn@btbn.de] has joined #openvpn
20:50 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:50 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:51 -!- AngryNapkin [~david@97-90-144-70.static.mtpk.ca.charter.com] has joined #openvpn
20:51 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:51 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:53 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:53 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:54 < AngryNapkin> Im using openvpn to connect to a network which is on the same subnet as my local network. The network I am connecting to has its own dns server running, and I tried to point my dns numbers to the ip of the connected vpn dns servers ip, yet dns does not function. Can someone point me in a drection to get this working?
20:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
20:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
20:56 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:58 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
20:58 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:03 -!- megaTherion [~therion@unix.io] has quit [Read error: Connection reset by peer]
21:03 -!- megaTherion [~therion@unix.io] has joined #openvpn
21:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:07 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:07 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:10 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:11 -!- Devastatr is now known as Devastator
21:12 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:12 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:14 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:14 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:17 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:17 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:20 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
21:21 -!- AngryNapkin [~david@97-90-144-70.static.mtpk.ca.charter.com] has quit [Quit: Konversation terminated!]
21:21 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:21 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:22 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:23 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:23 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:24 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:30 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:30 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:30 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:30 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:31 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:31 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:31 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Remote host closed the connection]
21:31 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
21:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:35 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:38 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:40 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
21:40 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
21:41 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:41 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:46 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:46 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:46 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
21:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:54 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:54 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:55 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:55 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
21:56 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
21:56 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
21:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:02 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:02 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:04 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:05 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:06 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:07 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:07 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:08 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
22:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:10 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:11 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:13 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:13 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
22:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:16 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:16 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has quit [Excess Flood]
22:17 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:20 -!- Mat_Toufoutu [~MaT@nl.h6r.org] has joined #openvpn
22:24 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
22:24 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
22:27 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
22:29 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:38 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
22:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
22:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
22:55 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:09 -!- supergauntlet_ [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has quit [Changing host]
23:09 -!- supergauntlet_ [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
23:09 -!- supergauntlet_ is now known as supergauntlet
23:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
23:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:19 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 264 seconds]
23:26 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
--- Day changed Tue Mar 18 2014
00:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
00:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:43 -!- elfixit [~Icedove@dhcp-129-154.office.init7.net] has quit [Remote host closed the connection]
00:58 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:12 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:12 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:33 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
01:50 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
02:08 -!- Devastatr [~devas@186.214.14.39] has joined #openvpn
02:08 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
02:27 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
02:31 -!- GregB__ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 264 seconds]
02:31 -!- seppo_ [~seppo@5.57.255.218] has quit [Quit: Leaving]
02:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:34 -!- blueice [~root@14.139.82.6] has joined #openvpn
02:36 < blueice> i want to know more about "foreign_option_n" for DNS, as i couldn't understand from the manual page...any idea, example, or tutorial ???
02:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:43 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
02:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:28 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 264 seconds]
03:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
03:41 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
03:47 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:03 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
04:04 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has joined #openvpn
04:04 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has quit [Changing host]
04:04 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
04:12 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
04:13 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
04:13 -!- defswork [~andy@141.0.50.105] has quit [Quit: Ex-Chat]
04:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
04:17 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Operation timed out]
04:17 -!- aji [~alex@atheme/member/aji] has quit [Read error: Operation timed out]
04:18 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
04:18 -!- aji [~alex@atheme/member/aji] has joined #openvpn
04:19 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Excess Flood]
04:19 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has joined #openvpn
04:19 < blueice> hey ! there, i am connected to my vpn-server(10.25.2.3), also there is a DNS server (10.25.2.4), i want to use this DNS server while connecting through tunnel...i am using linux on both (vpn-client and vpn-server)...i saw "foreign_option_n" for non-windows clients, but i couldn't find any significant information regarding this option...!!!
04:20 -!- Mat_Toufoutu is now known as MatToufoutu
04:20 -!- MatToufoutu [~MaT@nl.h6r.org] has quit [Changing host]
04:20 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
04:21 <@plai> !resolv
04:21 <@plai> !resolv-conf
04:21 <@plai> !search resolv
04:21 <@vpnHelper> There were no matching configuration variables.
04:22 <@plai> :/
04:29 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
04:29 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
04:34 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:34 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
04:34 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
04:41 < blueice> these are the options i included in the client.conf #push foreign_option_1='dhcp-option DNS 10.25.2.4'  # push foreign_option_2='dhcp-option DOMAIN ipa.eg.com'
04:42 < blueice> on the server.conf, i have these options...>>> # push "dhcp-option DNS 10.25.2.4"
04:42 < blueice> push "dhcp-option DNS ipa.eg.com"
04:42 < blueice> push "dhcp-option DOMAIN eg.com"
04:45 < blueice> still not working...!!!
04:46 -!- takamichi [~takamichi@85.12.8.15] has joined #openvpn
04:49 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 246 seconds]
04:53 < blueice> i already installed the "resolvconf" package...!!! and added "up" and "down" options in client.conf
05:04 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
05:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
05:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
05:24 <@plai> blueice: DNS server is an IP address not a dns name
05:27 < blueice> ok...actually i added this option later, and was trying to check all options...
05:32 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
05:36 -!- takamichi [~takamichi@85.12.8.15] has quit [Ping timeout: 264 seconds]
05:44 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
05:54 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 246 seconds]
06:08 -!- blueice [~root@14.139.82.6] has quit [Ping timeout: 264 seconds]
06:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
06:34 < _bt_> hello, are there any options to openvpnserv.exe that can install the service to start automatically?
06:36 <@plai> _bt_: why don you use standard windows tools to set a service to automatically start?
06:37 < _bt_> well, i probably can, i'm modifying the installer to make deployment to clients a bit easier
06:37 < _bt_> just wondered if i can be done from openvpnserv.exe so i can modify that behaviour in the nsis file
06:39 <@plai> you can call also service.exe in the nsis file
06:39 <@plai> I don't see the problem
06:40 < _bt_> there isn't a problem, i just asked if it could be done  : )
06:46 -!- dazo_afk is now known as dazo
06:51 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uwfxkjoqzvaannpn] has joined #openvpn
06:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-txduwpsiexuxhyus] has quit [Ping timeout: 264 seconds]
06:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:57 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
06:57 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
06:57 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
06:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-dvfbydvqmrzynina] has joined #openvpn
06:59 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 264 seconds]
07:01 -!- blueice [~root@14.139.82.6] has joined #openvpn
07:03 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
07:06 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:07 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
07:07 -!- Devastatr [~devas@186.214.14.39] has quit [Read error: Connection reset by peer]
07:07 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Operation timed out]
07:07 -!- Devastator [~devas@186.214.14.39] has joined #openvpn
07:08 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Remote host closed the connection]
07:08 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 264 seconds]
07:08 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
07:08 -!- Aketzu_ [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 252 seconds]
07:09 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 255 seconds]
07:09 -!- jave_ [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 255 seconds]
07:09 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 252 seconds]
07:09 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 264 seconds]
07:09 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 264 seconds]
07:10 -!- Zarrsh [~Zarrsh@198.167.138.150] has quit [Ping timeout: 245 seconds]
07:10 -!- dwirc [~irc@d118-75-218-160.try.wideopenwest.com] has quit [Ping timeout: 264 seconds]
07:10 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
07:10 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
07:10 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:10 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:10 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:10 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
07:10 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 264 seconds]
07:11 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has joined #openvpn
07:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:13 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Ping timeout: 264 seconds]
07:13 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
07:14 -!- jave [~jave@85.24.235.102] has joined #openvpn
07:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:16 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
07:20 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
07:20 -!- makara [~makara@41.164.22.218] has joined #openvpn
07:21 -!- aji [~alex@atheme/member/aji] has joined #openvpn
07:21 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:24 -!- dwirc [~irc@d118-75-218-160.try.wideopenwest.com] has joined #openvpn
07:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
07:49 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 264 seconds]
07:53 -!- blueice [~root@14.139.82.6] has quit [Remote host closed the connection]
07:55 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
07:57 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:04 -!- takamichi [~takamichi@85.12.8.105] has joined #openvpn
08:06 -!- takamich_ [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
08:10 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 265 seconds]
08:10 -!- AL13N_work [~alien@91.183.52.232] has left #openvpn []
08:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:16 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
08:19 -!- lj [~l@192.241.174.169] has joined #openvpn
08:25 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
08:46 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
08:56 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
08:56 < Neozonz> could someone help me with a routing issue between openvpn client/server (connection works)
09:00 -!- mattock_afk is now known as mattock
09:02 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
09:12 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
09:12 -!- Neozonz [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
09:12 -!- Neozonz [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Changing host]
09:12 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
09:13 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
09:21 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
09:33 -!- takamichi [~takamichi@85.12.8.105] has quit [Quit: Computer has gone to sleep.]
09:33 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
09:33 < Thermi> Is there a page for openvpn example configurations?
09:34 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
09:35 < Suterusu> The how-to doesn't has an example config?   there not a template one is /usr/share somewhere?
09:35 < Thermi> Ah, I didn't know about that.
09:35 < Thermi> I'll go looking in there then. Thanks!
09:35 < Suterusu> Neozonz:  What "routing issues"?
09:35 < Suterusu> locate openvpn.conf might priducce it
09:35 < Suterusu> or produce
09:36 < Neozonz> ?
09:36 <@dazo> !book
09:36 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
09:38 <@dazo> Thermi: ^^^ grab a copy of that one, if you want the quick route .... there's no templates/example configs because the features of openvpn is too great to fully be captured correctly in example/template configs
09:38 < Thermi> Well, okay.
09:38 < Thermi> I hoped for something like the test cases for strongSwan
09:39 <@dazo> openvpn does not do IPSec ... which strongswan is, afaik
09:39 < Thermi> Yep.
09:39 < Thermi> I know that.
09:40 <@dazo> Neozonz: you need to explain better what your issues are ... start with !configs and then explain what doesn't work for you
09:40 < Suterusu> Sure there was a "basic" template - could just bind up adapters n keys n it'd roll off and work - Ofc, various features would need application manually..
09:41 < Suterusu> http://openvpn.net/index.php/open-source/documentation/howto.html#examples
09:41 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:41 <@dazo> Suterusu: it was a config file, which listed all possibilities ... you couldn't really use that one for a quick start, so it's easier to grab !book and find the recipe which fits your need
09:41 < Suterusu> Iunno, seemed to work well enough for me...
09:42 <@dazo> Suterusu: also note ... "2.0" ... even though most of the options do still work, there are some quirks which may not work so well with 2.2 and 2.3
09:43 <@dazo> which is one of the reasons we usually don't point people at that old section
09:43 < Suterusu> nt my fault aint kept teh how to up to date...
09:45 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
09:45 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
09:45 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:45 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
09:46 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
09:46 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
09:46 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uwfxkjoqzvaannpn] has quit [Quit: Connection closed for inactivity]
10:08 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
10:13 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:16 -!- dren [~dren@access.not.allowed.org] has joined #openvpn
10:18 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
10:26 -!- JustSighDudes [~Anon@unaffiliated/justsighdudes] has left #openvpn []
10:30 -!- elfixit [~Icedove@173-228.197-178.cust.bluewin.ch] has joined #openvpn
10:51 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:51 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
10:56 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
10:56 < johnfg> hi guys
10:58 < johnfg> I'm trying to figure out how to print with cups over openvpn.  On 10.8.0.1 I can print on 10.8.0.6, this is from a debian to a gentoo machine.
10:58 < johnfg> But I'm not able to print from the 10.8.0.6 on 10.8.0.1, gentoo to debian.
10:59 < johnfg> An Officejet_6700 is on the debian, 10.8.0.1; Canon-MF4100 on 10.8.0.6 gentoo.
11:04 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:07 -!- elfixit [~Icedove@173-228.197-178.cust.bluewin.ch] has quit [Ping timeout: 255 seconds]
11:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
11:10 -!- lj [~l@192.241.174.169] has joined #openvpn
11:11 -!- defswork [~andy@141.0.50.105] has joined #openvpn
11:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:15 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 240 seconds]
11:15 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
11:16 -!- johnfg_ [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has joined #openvpn
11:17 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:19 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
11:19 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has quit [Ping timeout: 264 seconds]
11:20 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
11:21 <@dazo> johnfg_: can you access 10.8.0.1:631 (tcp) from 10.8.0.6 ?
11:22 <@dazo> johnfg_: doing a 'curl http://10.8.0.1:631' from 10.8.0.6 should be enough to test this
11:23 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:23 <@dazo> if that doesn't work ... check with netstat on 10.8.0.1, that cups is listening to either all IP addresses (* or 0.0.0.0) on port 631 ... and if so, check the firewall
11:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:28 < johnfg_> dazo: No, neither machine allows me to connect to 10.8.0.?:631.
11:29 < johnfg_> The firewall's not the problem though, as I can do everything else I need on each machine.
11:31 < johnfg_> dazo: And I got a connection refused with that curl cmd.
11:32 < johnfg_> dazo: So if it's not the firewalls (pretty sure it's not), where do I add/open up/whatever, to allow 10.8.0.?:631 on both machines?
11:42 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:42 -!- mode/#openvpn [+o raidz] by ChanServ
11:55 < johnfg_> dazo: Here's the output from netstat: http://bpaste.net/show/c1XUW6vZjgbcCLRvEvHU/
12:04 -!- johnfg_ is now known as johnfg
12:13 <@plai> so cups listens only on localhost
12:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
12:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:18 <@plai> you have to reconfigure cups to listen on all ips/interface
12:18 <@plai> but I am no cups expert
12:20 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
12:20 < johnfg> Ok, listening as it should be.  Thanks for that.
12:25 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 264 seconds]
12:44 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
12:44 -!- al_nz1 [~Ali_nz1@122.58.81.50] has joined #openvpn
12:45 < al_nz1> Is there a way in windows to run openvpn as a server (on the client) and auto connect at startup?
12:45 < al_nz1> I couldnt find a how to
12:48 < scyld> What you want openvpn as server to connect to at startup?
12:50 <@dazo> I presume you meant run openvpn as a /service/ at startup, connecting to a server at boot
12:51 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:51 <@dazo> Yes, it's possible ... but I don't remember how ... but it's possible to register openvpn as a service, and modify the command line (add --config /full/path/to/config/file)
12:51 < al_nz1> Hmmm
12:52 < scyld> dazo... please it's in install wizard
12:52 < al_nz1> i could not find howto :-(
12:52 <@dazo> al_nz1: iirc, it's an openvpnserv.exe file in the bin directory ... that's your clue, I believe
12:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:53 <@dazo> al_nz1: http://openvpn.net/index.php/open-source/documentation/install.html?start=1 .... search for "Running OpenVPN as a Windows service"
12:53 <@vpnHelper> Title: Installation Notes (at openvpn.net)
12:54 < scyld> just when you install openvpn on windows select „OpenVPN Service” in wizard.
12:56 -!- Guest17247 [~Sembei@81.184.39.244.dyn.user.ono.com] has joined #openvpn
12:56 -!- Guest17247 is now known as MyMind
12:57 -!- MyMind is now known as Guest24470
12:58 -!- Guest24470 is now known as MyMind
12:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 252 seconds]
12:58 -!- MyMind [~Sembei@81.184.39.244.dyn.user.ono.com] has quit [Changing host]
12:58 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:00 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:03 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
13:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
13:07 < Pinchiukas> From what I'm reading I have the impression that static keys are deemed insecure. Why?
13:11 <@dazo> Pinchiukas: it's less secure, because there are no temporary session keys and key exchange involved
13:12 <@dazo> Pinchiukas: with PKI, the client and server uses the public/private key pairs to exchange enough key material to compose a symmetric encryption key, which is then rotated regularly (configured by --reneg-* options)
13:13 <@dazo> This does not happen when using a static key
13:13 < Pinchiukas> But what kind of improvement does that provide?
13:15 <@dazo> That the data being transported over the wire change encryption key regularly, which then makes it harder to bruteforce attack the connection
13:15 < Pinchiukas> How easy is it to bruteforce a 2048bit key? That's the default afaik.
13:16 <@dazo> Because it's not using 2048bits ... it's using maximum 256bits ... that's the highest openssl supports on symmetric encryption
13:16 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:17 < Pinchiukas> 256bits should be pretty secure also, shouldn't it?
13:18 <@dazo> Yes, but when the encryption key does not change, you can do more analysis on the traffic and from that with time deduct possible keys
13:18 <@dazo> when the encryption key changes regularly, then this will be much harder
13:19 < Pinchiukas> Makes sense. Didn't know that the resulting key was only 256bit...
13:20 <@dazo> It's because the algorithms available in openssl doesn't support higher values.  And if used right, that's not a problem
13:21 <@dazo> When you use PKI, you have much higher key values, and IIRC a 4096 bits RSA based PKI (asymmetric) key provides a similar security to a 256 symmetric key
13:21 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
13:21 <@dazo> but the problem with symmetric keys are that they must be identical on both sides, however symmetric algorithms are darn fast
13:22 <@dazo> PKI is much slower, because it needs longer keys ... but then again, you have separated the key in a public and a private key
13:22 <@dazo> so PKI keys are used to negotiate a symmetric key ... very often via a Diffie-Hellman Key Exchange process
13:23 <@dazo> (this is the theory, very shortly and quickly explained)
13:24 <@dazo> The static key openvpn produces actually contains keying material for more keys ... like HMAC, and you can tell openvpn to use a different key-pair between client and server with the 'direction' flags
13:24 <@dazo> (for more info about that ... see this one: http://community.openvpn.net/openvpn/wiki/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key )
13:24 <@vpnHelper> Title: 327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key – OpenVPN Community (at community.openvpn.net)
13:24 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 265 seconds]
13:25 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
13:27 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
13:31 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:38 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
13:38 < al_nz1> hi dazo
13:39 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:40 < al_nz1> Do you know about openvpn as a startup service in windows? The howto says it will autoconnect to any .ovpn servers via any client config files found, but I cant seem to get it to go on a windows client
13:40 <@Eugene> Drop into c:\Program Files\OpenVPN\config\, open services.msc and enable the Service
13:41 -!- Devastator [~devas@186.214.14.39] has quit [Changing host]
13:41 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
13:41 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:42 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
13:42 < al_nz1> Hi Eugene
13:43 < al_nz1> Ok I have tree folders under \config\ which relate to 3 servers. Will they be found in the sub folders or must client.conf be directly under \config\ (no sub folder)
13:43 <@Eugene> Directly.
13:43 < al_nz1> right...that will be the first problem
13:44 < al_nz1> just going to logoff/on....brb
13:46 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:47 < al_nz1> Eugene: ok thats nice. it works :-)
13:48 < al_nz1> It looks like, unless you go to command line, there is no indiciation within windows that you have connected?
13:48 < al_nz1> (unless you ipconfig etc?)
13:48 <@Eugene> Network Connections will change from unplugged for the TAP adapter
13:49 <@Eugene> I usually rename it to OpenVPN for clarity(and my other connections to WiFi, Ethernet, VMware, etc)
13:49 < al_nz1> Im just thinking how I would get a status icon for the TUN adapter in the taskbar
13:49 <@Eugene> Black voodoo magic
13:50 < al_nz1> How does a whiteman do blackmans magic ;-)
13:50 <@Eugene> I would(and do) drop my configs into %userprofile%/openvpn/ instead, and then make a shortcut to start
13:50 -!- johnfg [johnfg@host-174-45-92-254.bzm-mt.client.bresnan.net] has left #openvpn []
13:50 <@Eugene> You can set it to autorun at login if desired
13:51 <@Eugene> Only gotcha there is UAC - you get a prompt to allow if it's enabled, unless you're using one of the app-specific-exemption hacks.
13:53 < al_nz1> Sorry, go back one step, you put all the files in %userprofile%/openvpn - how does the service then find the openvpn file which it expects in \config\?
13:54 <@Eugene> It doesn't; you use shortcut + Startup folder instead.
13:59 < al_nz1> Eugene: Oh i see. I experimented with that way of doing it, using the gui, but I didnt like the log window flashing up on the users screen for about 6 seconds - the would complain
14:00 <@Eugene> You can specify a flag to minimize automatically
14:00 < al_nz1> Eugene: a openvpn-gui flag?
14:01 <@Eugene> Yeah, in your shortcut
14:01 <@Eugene> !win_shortcut
14:02 <@Eugene> !winshortcut
14:02 <@vpnHelper> "winshortcut" is To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
14:02 <@Eugene> You could also modify the registry key HKLM\Software\OpenVPN-GUI\config_dir, I think it is
14:03 <@Eugene> Ehhh wait that wouldn't do it, nevermind.
14:03 <@Eugene> But there are some other settings in there worth noting
14:03 < al_nz1> ahhhh
14:04 < al_nz1> your using opevpn-gui-1.0.3
14:04 < al_nz1> I was just using openvpn-gui
14:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:04 <@Eugene> I am not, no.
14:04 <@Eugene> !download
14:04 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
14:04 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
14:05 <@Eugene> openvpn-gui(last stable release 1.0.3 for 2.0.9) was rolled into the openvpn project proper; AFAIK all the options for it are still supported.
14:05 <@Eugene> But I can't find good docs on the openvpn community site
14:06 < al_nz1> Eugene: What I am getting at is, for some reason, I have two openvpn installations, 1 @ \Programfiles\OpenVpn\bin\openvpn-gui.exe 2@ \Programs Files (x86)\Openvpn\bin\openvpn-gui-1.0.3.exe
14:07 < al_nz1> Looking at your example I should use the 1.0.3.exe version
14:07 <@Eugene> Oh, that.
14:07 <@Eugene> Bot shortcut is out of date. No 1.0.3.exe involved
14:08 <@Eugene> !whoami
14:08 <@vpnHelper> I don't recognize you.
14:08 <@Eugene> And it still doesn't love me.
14:08 < al_nz1> Eugene: NICE! Thats version of the gui has heaps more arguments available :-)
14:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:11 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
14:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Max SendQ exceeded]
14:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
14:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:19 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
14:19 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds]
14:20 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:20 -!- master_of_master [~master_of@p4FD7B772.dip0.t-ipconnect.de] has joined #openvpn
14:21 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
14:24 -!- master_o1_master [~master_of@p4FD7BC89.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
14:26 -!- fellayaboy [~cottod@gatekeepernj1.sharpsec.com] has joined #openvpn
14:26 -!- fellayaboy [~cottod@gatekeepernj1.sharpsec.com] has quit [Client Quit]
14:26 -!- fellayaboy [~cottod@unaffiliated/fellayaboy] has joined #openvpn
14:27 < fellayaboy> i deleted the /etc/openvpn/easy-rsa folder
14:27 < fellayaboy> im using linux mint 16 how do i get this back?
14:36 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 240 seconds]
14:43 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
14:44 < fellayaboy> hmm i have linux mint 16 and i dont see a easy-rsa  is there a new way to create keys?
14:48 -!- fellayaboy [~cottod@unaffiliated/fellayaboy] has quit [Quit: Leaving]
14:53 < MatthewsFace> That's probably because you deleted it
14:56 <@Eugene> !easyrsa
14:56 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
14:57 <@Eugene> Or /part before somebody can answer, that's cool too.
15:00 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:02 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
15:04 -!- joshh20-Away is now known as joshh20
15:05 < dren> fellayaboy, if you deleted your keys you'll have to recreate
15:06 < dren> just backup your confs and reinstall the latest to get easy-rsa
15:06 < dren> and recreate your keys/certs/etc.
15:06 < dren> you should not ever use your original easy-rsa directory
15:06 < dren> copy it.
15:06 < dren> keep the original, and then everytime you update the dir you are using make a backup
15:07 < dren> whoops i see he parted lol
15:14 <@Eugene> Yup.
15:18 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:20 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:21 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
15:22 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Computer has gone to sleep.]
15:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
15:24 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
15:25 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Ping timeout: 255 seconds]
15:29 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:32 -!- Fohlen [~Fohlen@134.255.220.143] has joined #openvpn
15:32 < Fohlen> !goal
15:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:33 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:34 -!- Fohlen [~Fohlen@134.255.220.143] has left #openvpn []
15:39 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
15:39 -!- al_nz1 [~Ali_nz1@122.58.81.50] has quit [Remote host closed the connection]
15:39 -!- al_nz1 [~Ali_nz1@122.58.81.50] has joined #openvpn
15:45 -!- le0 [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
15:46 -!- dazo is now known as dazo_afk
15:52 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 240 seconds]
15:55 -!- i7c [~i7c@unaffiliated/i7c] has quit [Ping timeout: 252 seconds]
16:02 -!- i7c [~i7c@rliz.org] has joined #openvpn
16:03 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
16:04 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:06 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
16:08 -!- i7c [~i7c@rliz.org] has quit [Changing host]
16:08 -!- i7c [~i7c@unaffiliated/i7c] has joined #openvpn
16:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:19 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:30 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:33 < Haigha> hi again, i changed my servers' settings to use keepalive 10 60, but i still have "Inactivity timeout (--ping-restart), restarting" in my clients' logs
16:49 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
16:51 -!- Neozonz|Disc2 [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds]
16:56 -!- mattock is now known as mattock_afk
17:05 < CygniX> openvpn connect for android requires .ovpn, is it possible to convert a .conf to .ovpn
17:11 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:19 < CygniX> my original .conf file has tls-auth "ta.key" 1,  if using <tls-auth> key here  </tls-auth> in .ovpn file, where does the 1 go?
17:25 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-faxeldznnfdgbfzw] has joined #openvpn
17:29 -!- littlebit [~Miranda@ulmg-5d84d236.pool.mediaWays.net] has joined #openvpn
17:33 -!- atmosx [~osx@217.70.broadband4.iol.cz] has joined #openvpn
17:34 < littlebit> hi people, I have a basic question to openvpn focusing on the aspect of routed ip tunnel. If I run a dns on my vpn called "my-network.vpn", I'll be able to reach my samba server that is signed in my vpn on the other side of the globe right?
17:37 < atmosx> littlebit: are these windows machines?
17:38 < littlebit> atmosx: no debian
17:39 < littlebit> atmosx: or would i still need an ethernet tunnel?
17:40 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:42 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
17:42 < atmosx> littlebit: ah no idea, your question is a little bit confusing. Not sure I understand the setup.
17:42 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:48 < littlebit> atmosx: to be honest, I'm at the beginning of setting up an openvpn server, and i read this: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
17:48 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
17:51 < littlebit> atmosx: and the thing i tought of, if I run a bind within the TUN, I could reach the different hosts and servers for exchanging data right?
17:51 < atmosx> littlebit: yes but it's not an optimal solution IMHO.
17:52 < littlebit> atmosx: how so? please explain
17:52 < atmosx> littlebit: it's better to edit to edit /etc/hosts, it's more straight forward... I would consider running a DNS through OpenVPN only if I had a huge amount of clients.
17:52 < atmosx> that's my vpn server: PING piseli-vpn (10.8.0.1): 56 data bytes
17:53 < atmosx> I'm on a mac, so I'm using /etc/hosts to map IP addresses to hosts for me to use. Then depends on what you want to do and how you need to setup your network. Some services require TAP interface (Apple's TimeMachine for example) and I think Windows services too.
17:54 < atmosx> So if you want to use SAMBA you need just TAP everywhere and that's about it. I wouldn't touch DNS.
17:54 < littlebit> atmosx: ok
17:54 <@Eugene> What the fuck? No.
17:55 <@Eugene> !wins
17:55 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:55 <@Eugene> littlebit - trust me, you want Routing using Tun devices.
17:55 < littlebit> and when running TAP, would you prefer running a dhcp server on that interface??
17:55 <@Eugene> atmosx - I dunno wtf you're doing, but /etc/hosts is never the right answer.
17:56 <@Eugene> littlebit - you never use TAP. TAP is not what you use. TAP causes cancer.
17:56 < atmosx> Eugene: it's always the right place imho.
17:56 <@Eugene> atmosx - well your opinion is wrong
17:56 < atmosx> Eugene: vs yours I gather..
17:56 <@Eugene> No, versus the collective experts in this room. ANd if you want to argue about it, fuck off, because I won't beat a dead horse back to life.
17:57 < atmosx> littlebit: /etc/hosts apart, I agree with Eugene on the fact that TAP is going to create problems.
17:57 < littlebit> Eugene:hey easy, I didn't want to kick off a flame war
17:57 < atmosx> Eugene: expert without arguments? Hardly.
17:57 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 246 seconds]
17:57 <@Eugene> No flame war involved, just wrongness.
17:57 -!- atmosx was kicked from #openvpn by Eugene [I'm not discussing it. Go educate yourself before giving advice in here.]
17:57 -!- atmosx [~osx@217.70.broadband4.iol.cz] has joined #openvpn
17:59 < littlebit> Eugene: well he siad "IMHO", I would see it that serious
17:59 <@Eugene> Opinions are like assholes. Everybody has at least one.
17:59 < atmosx> littlebit: I also asked for some arguments, but apparently that's all his got right now. Anyway.
18:00 <@Eugene> !bridge
18:00 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge
18:00 <@Eugene> !whybridge
18:00 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
18:00 <@Eugene> !tunortap
18:00 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:00 <@vpnHelper> rooted/jailbroken) support only tun
18:01 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:01 < atmosx> Eugene: you called me an asshole too? Because I have a different opinion on where littlebit should map his IPs?
18:01 -!- mode/#openvpn [+b *!*osx@*.70.broadband4.iol.cz] by Eugene
18:01 -!- atmosx was kicked from #openvpn by Eugene [Bye]
18:02 -!- mode/#openvpn [-b *!*osx@*.70.broadband4.iol.cz] by Eugene
18:02 <@Eugene> br0tip: declaring yourself an expert does not a clue imbue.
18:02 < littlebit> Eugene: thx for the info, got now something to work on :)
18:02 <@Eugene> Anyway, to answer your original question, the wins links above are what you need.
18:03 -!- p3rror [~mezgani@41.248.166.195] has joined #openvpn
18:03 <@Eugene> Or, if you're doing any sort of static addressing(trivial with a bit of vpn config) you can set up a few A records to point to your VPN IPs and be done with it all.
18:03 <@Eugene> Contrary to what anybody tells you, there is nothing wrong with putting RFC1918 space in public DNS zones, either.
18:03 < littlebit> Eugene: and what if I want my holy private webserver only to be available on my vpn, I user bind and not dns?
18:04 <@Eugene> Rely upon your VPN security to protect it, not anonymising a few IP addresses ;-)
18:04 < littlebit> Eugene: understood, that cleared up some things now. :D
18:04 < littlebit> thanks
18:05 < littlebit> see you later
18:05 <@Eugene> We'll be around
18:05 -!- littlebit [~Miranda@ulmg-5d84d236.pool.mediaWays.net] has quit [Quit: Miranda IM! Smaller, Faster, Easier. http://miranda-im.org]
18:12 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
18:19 < CygniX> openvpn connect  does not reroute traffic through vpn
18:19 < CygniX> android app tha tis
18:22 -!- mezgani [~mezgani@41.249.24.9] has joined #openvpn
18:24 -!- p3rror [~mezgani@41.248.166.195] has quit [Ping timeout: 240 seconds]
18:24 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Ping timeout: 255 seconds]
18:35 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
18:37 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:42 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
18:43 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:54 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
18:58 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
19:00 <@Eugene> Connect is the OpenVPN Inc-compatible AS client
19:00 <@Eugene> !android
19:00 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market or (#3) Direct Play link:
19:00 <@vpnHelper> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
19:01 <@Eugene> And if you want traffic rerouted then you need to
19:01 <@Eugene> !redirect
19:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:01 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:11 -!- elricsfate_wrk_ [~elricsfat@aus-nat.datapipe.net] has quit [Quit: Leaving]
19:11 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has joined #openvpn
19:35 -!- joshh20 is now known as joshh20-Away
19:38 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
20:16 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:16 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 264 seconds]
20:18 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
20:34 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
20:34 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
20:35 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
20:36 -!- mezgani [~mezgani@41.249.24.9] has quit [Quit: Leaving]
20:40 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 246 seconds]
20:40 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:40 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:40 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:40 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:41 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:41 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:43 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:43 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:44 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:44 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:44 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:44 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:47 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:47 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:47 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:47 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:48 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:48 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
20:52 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 264 seconds]
20:54 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:59 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
21:02 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:02 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:04 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
21:05 -!- Dan39 is now known as TheHoop
21:05 -!- al_nz1 [~Ali_nz1@122.58.81.50] has quit [Ping timeout: 246 seconds]
21:06 -!- TheHoop is now known as Dan39
21:09 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:15 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
22:14 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
22:21 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
22:26 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
22:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-faxeldznnfdgbfzw] has quit [Quit: Connection closed for inactivity]
22:54 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
22:58 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:58 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
22:58 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Connection reset by peer]
22:59 -!- jgeboski- is now known as jgeboski
23:00 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
23:00 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 247 seconds]
23:39 -!- snappy [nipnop@unaffiliated/snappy] has quit [Read error: Connection reset by peer]
23:40 -!- snappy [nipnop@wbml.net] has joined #openvpn
23:40 -!- snappy [nipnop@wbml.net] has quit [Changing host]
23:40 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
--- Day changed Wed Mar 19 2014
00:03 -!- diverse [~diverse@unaffiliated/diverse] has joined #openvpn
00:22 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:40 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:03 -!- raidz is now known as raidz_away
01:12 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:14 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:28 -!- ade_b [~Ade@80-72-52-20.cmts.powersurf.li] has joined #openvpn
01:28 -!- ade_b [~Ade@80-72-52-20.cmts.powersurf.li] has quit [Changing host]
01:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:32 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 246 seconds]
01:37 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
01:37 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
01:41 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
01:45 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
01:45 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
01:51 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
01:51 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
01:54 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:04 < ___FBi> what happened to that really nice layout for windows clients?
02:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:24 -!- funyun_ [~temp@199.16.191.140] has joined #openvpn
02:24 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has left #openvpn []
02:24 -!- Tyklol [tykling@gibfest.dk] has joined #openvpn
02:24 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 252 seconds]
02:25 -!- mattock_afk is now known as mattock
02:27 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
02:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:59 -!- diverse [~diverse@unaffiliated/diverse] has left #openvpn ["WeeChat 0.4.3"]
03:07 -!- dazo_afk is now known as dazo
03:13 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
03:16 -!- raidz_away is now known as raidz
03:29 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has joined #openvpn
03:29 < Latrina> Good morning
03:32 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
03:35 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has quit [Read error: Connection reset by peer]
03:37 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has joined #openvpn
03:43 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
03:51 < Latrina> Guys I need a little help with my OpenVPN server
03:51 < Latrina> I have detailed everything here  https://forums.openvpn.net/post39216.html#p39216
03:51 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN clients unable to access the internet : Server Administration (at forums.openvpn.net)
03:51 < Latrina> to make a long story short clients are unable to access the internet
03:53 < Latrina> I really know little about iptables however according the OpenVPN faq I have added the rule to forward packets from the wan over to the TUN interface
03:56 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:57 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
03:59 < Latrina> anyone knows about OpenVPN here ?
03:59 < Latrina> ops.. wrong chan.. certainly someone here knows for sure :P
04:00 < Mathias> they'd better know about it :p
04:00 < Latrina> hey Mathias .. ehhe
04:01 < Latrina> do u know why I openvpn clients cannot access to the internet ?
04:13 <@dazo> Latrina: maybe this "Using routing" section can help you: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
04:13 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
04:15 < Latrina> I am going to take a look... thanks dazo
04:15 <@dazo> Also look at this:
04:15 <@dazo> !redirect
04:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
04:15 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
04:16 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
04:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:29 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Quit: Leaving]
04:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:30 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:32 -!- funyun_ [~temp@199.16.191.140] has quit [Ping timeout: 240 seconds]
04:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
04:47 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has quit [Read error: Connection reset by peer]
04:50 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has joined #openvpn
04:51 < Latrina> dazo: u saved my day ..
04:51 < Latrina> it works now..
04:51 <@dazo> good to hear! :)
04:52 < Latrina> I also want to point out that was the UCI iptables confing of openwrt regarding openvpn that was messing up the whole thing
04:52 < Latrina> thank god it works with plain iptables rules
04:52 <@dazo> oh, I uninstall the openwrt uci firewall crap ... and install iptables-restore/iptables-save instead ... and load a dump directly from rc.local instead
04:54 < Latrina> yeah that's what I am going to do actually
04:55 < Latrina> since none of services I had to set up worked through UCI
04:55 < Latrina> and I had to smash my head on a wall for hours and if not days like in this case
04:55 < Latrina> to find out what the issue was
04:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:01 -!- Varazir [~mircwars@c-94-255-128-122.cust.bredband2.com] has quit [Ping timeout: 240 seconds]
05:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
05:05 -!- dazo is now known as dazo_afk
05:34 -!- blueice [~root@14.139.82.6] has joined #openvpn
05:42 -!- Varazir [~mircwars@c-94-255-128-122.cust.bredband2.com] has joined #openvpn
05:44 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
05:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:53 -!- dazo_afk is now known as dazo
05:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:01 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
06:05 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-hlrazsdeirfhsndh] has joined #openvpn
06:26 < blueice> plai: hi, you there ???
06:27 < blueice> plai: i got the solution of the problem, actually mine "/etc/resolve.conf" wasn't a symbolic link to the "/etc/resolvconf/run/resolv.conf".
06:29 < blueice> so, i just added the link to the "/etc/resolvconf/run/resolv.conf", by removing the "/etc/resolve.conf" and adding "# ln -s /etc/resolvconf/run/resolv.conf /etc" ...!!!
06:29 < blueice> thanks.
06:29 < blueice> cheers !!!
06:35 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
06:37 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
07:07 <@plai> blueice: grats :)
07:08 < blueice> plai: thanks, man !!!
07:23 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:25 < ACKNAK> Hello! If I have several instances of openvpn, what is the best way to find out where client is connected to?
07:26 < ACKNAK> Client could not have static IP since there is several instances
07:27 < ACKNAK> use same "status /var/openvpn/status.log" ?
07:30 <@dazo> ACKNAK: same status.log will fail, the different openvpn instances will overwrite each other's changes
07:30 <@ecrist> ACKNAK: yes, that's what I'd do
07:31 < ACKNAK> :O
07:31 <@ecrist> well, unless you write to different files
07:31 < ACKNAK> :D
07:31 <@ecrist> status /var/openvpn/status_foobar.log
07:31 <@ecrist> status /var/openvpn/status_foobaz.log
07:31 < ACKNAK> okay different files, then grep?
07:31 <@dazo> yeah
07:31 < ACKNAK> thanks, I'll try
07:32 <@dazo> or you can use --client-connect and --client-disconnect scripts ... and log it all in a database or another shared text file
07:34 < ACKNAK> where can I find what kind of arguments will I receive during "--client-connect"/disc?
07:34 < ACKNAK> sorry for this question :D
07:34 <@dazo> ACKNAK: in the man page ... there's a scripting and environment section there, describing all this
07:35 < ACKNAK> thanks!
07:38 < ACKNAK> "grep ,client1 openvpn-status.*" works fine ^^
07:39 < ACKNAK> with comma!
07:39 < ACKNAK> xD
07:40 < ACKNAK> and awk ip address from it
07:40 < ACKNAK> cool
07:42 < ACKNAK> hmmm may be I should store openvpn-status in ram, I think these files would be updated often
07:43 <@dazo> you can combined the grep into your awk trick, though ;-)
07:43 <@dazo> s/ned/ne/
07:44 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
07:44 <@ecrist> OR, you can have a client connect script that dumps the info into a database, coupled with a client disconnect script that upates the bandwidth accounts for that connection ID, then you can just run a neat little SQL query
07:45 < ACKNAK> dazo, indeed!
07:46 < ACKNAK> ecrist, in future! :O
07:48 -!- indy is now known as exegete
07:53 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:01 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:08 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
08:12 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
08:16 -!- blueice [~root@14.139.82.6] has quit [Remote host closed the connection]
08:24 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:31 -!- u0m3_ [~u0m3@92.80.123.206] has joined #openvpn
08:33 -!- u0m3 [~u0m3@109.96.172.38] has quit [Ping timeout: 246 seconds]
08:34 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:40 -!- elfixit1 [~Icedove@163-227.197-178.cust.bluewin.ch] has joined #openvpn
08:49 -!- lj [~l@192.241.174.169] has joined #openvpn
08:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
08:57 -!- u0m3_ is now known as u0m3
08:57 -!- elfixit1 [~Icedove@163-227.197-178.cust.bluewin.ch] has quit [Ping timeout: 246 seconds]
08:59 -!- lj [~l@192.241.174.169] has quit [Read error: Connection reset by peer]
09:00 -!- lj [~l@192.241.174.169] has joined #openvpn
09:03 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
09:03 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
09:03 -!- converge [~converge@unaffiliated/joaop] has quit [Client Quit]
09:04 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 255 seconds]
09:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
09:11 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
09:11 -!- exegete is now known as indy
09:26 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
09:30 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has quit [Quit: Leaving...]
09:34 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 264 seconds]
09:35 -!- fischli [~fischli@data.fischer-ing.de] has joined #openvpn
09:36 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
09:36 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Changing host]
09:36 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
09:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:55 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
09:58 -!- takamich_ [~takamichi@85.12.8.14] has joined #openvpn
10:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
10:01 -!- dazo is now known as dazo_afk
10:07 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
10:08 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
10:10 -!- indy is now known as harvester
10:10 -!- fischli [~fischli@data.fischer-ing.de] has quit [Quit: Leaving.]
10:12 -!- harvester is now known as the_harvester
10:12 -!- the_harvester is now known as indy
10:15 -!- indy is now known as conserver
10:15 -!- conserver is now known as indy
10:17 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 246 seconds]
10:25 -!- lj [~l@192.241.174.169] has joined #openvpn
10:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:38 -!- takamich_ [~takamichi@85.12.8.14] has quit [Ping timeout: 246 seconds]
10:40 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
10:41 < hyper_ch> hmmm, I wonder, in zonefiles I can set srv1.domain.tld to a private IP and that private IP can also be a VPN IP.... so if you have machines that are only accessible through VPN, is there a  reason why I shouldn't map them in the bind zonefile like that?
10:42 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
10:51 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:53 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
10:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-dvfbydvqmrzynina] has quit [Ping timeout: 246 seconds]
10:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-bekzsyzbphblodyg] has joined #openvpn
10:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:58 <@Eugene> No reason to keep RFC1918 addresses out of DNS, no. Go for it.
10:59 <@Eugene> Some non-RFC-compliant DNS servers(eg, OpenDNS) will try to keep you "safe" by replacing such addresses with their own records(linkbait spam), but don't fucking use those servers
10:59 < hyper_ch> good to konw
10:59 < hyper_ch> I just thought that's easier to maintain than custom sets of dns entries in varous lans
11:00 < hyper_ch> and dnsmasq each and stuff
11:00 < hyper_ch> or individual openvpn clients
11:00 <@Eugene> Yup. And especially once you start thinking in terms of IPv6 - openvpn is just a secure tunnel.
11:00 < hyper_ch> ipv6 isn't on the radar here yet
11:00 < hyper_ch> it'll probably take another 10 years before we'll get that
11:01 <@Eugene> Sadface
11:01 < hyper_ch> btw, how are the latest tls vulnerabilities affect openvpn?
11:02 <@Eugene> Which?
11:02 <@Eugene> The Apple goto bugs?
11:03 < hyper_ch> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
11:03 <@vpnHelper> Title: Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping | Ars Technica (at arstechnica.com)
11:03 <@Eugene> That's GnuTLS. OpenVPN imports openssl ;-)
11:04 < hyper_ch> ok :)
11:04 <@plai> I never heard anyone saying good things about GnuTLS
11:04 <@Eugene> That's because the FSF are a bunch of idots
11:05 < hyper_ch> without FSF I'd be using Windows ;)
11:05 <@Eugene> I am using Windows.
11:05 < hyper_ch> my condolences
11:05 <@Eugene> I like having my graphics, power management, touchscreen, WiFi, Bluetooth, NFC, etc all work.
11:06 < hyper_ch> I don't believe in NFC
11:06 <@Eugene> So pardon fucking me if this requires using software where a monetary transaction didn't occur.
11:06 < hyper_ch> and the rest works out of the box
11:06 <@Eugene> And I don't believe in bullshit
11:06 < Tyklol> there there
11:06 -!- Tyklol is now known as Tykling
11:07 <@plai> Not all killer apps for nfc are on the mobile phone
11:07 <@plai> ski passes use nfc too ....
11:07 < hyper_ch> hmmm, gotta get a nfc-proof wallet... got a new credit card the other day with nfc
11:07 < hyper_ch> I don't like that
11:08 <@plai> just get 3 or 4 nfc cards
11:08 <@plai> They interfere so much that nfc will stoping then anyway
11:09 < hyper_ch> you're sure?
11:09 <@plai> not really sure
11:09 <@Eugene> Seriously though, "I don't like $X" is a fucking stupid reason for using Y
11:09 <@Eugene> I hope you understand that
11:10 < hyper_ch> not really
11:10 <@plai> but the nfc cards I want to use don't work because there are other nfc cards in my wallet
11:10 < hyper_ch> not liking one thing is a rather good reason to use a different thing IMHO
11:10 <@Eugene> Not when discussing Z
11:10 < Neozonz> whats a good gui openvpn client one can use on windows?
11:10 <@Eugene> !download
11:10 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
11:10 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
11:11 <@Eugene> The official one works fine
11:15 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:15 -!- lj [~l@192.241.174.169] has joined #openvpn
11:16 < Neozonz> any other alternatives?
11:19 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 240 seconds]
11:20 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
11:32 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 264 seconds]
11:33 -!- mirco_ [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
11:33 -!- indy [~indy@194.213.226.242] has joined #openvpn
11:34 -!- indy [~indy@194.213.226.242] has quit [Remote host closed the connection]
11:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
12:00 -!- kirin` [telex@gateway/shell/anapnea.net/x-bekzsyzbphblodyg] has quit [Ping timeout: 246 seconds]
12:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-povlxaeqkiwgvlbf] has joined #openvpn
12:13 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:17 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
12:17 < Haigha> "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" on both my servers and with clients from everywhere
12:18 < Haigha> what can cause this?
12:18 < Haigha> it's only since the last weekend and i haven't changed anything
12:23 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
12:27 <@Eugene> Any of a dozen things. Typically: internet failure, firewall rules, certificate expiration
12:27 <@Eugene> If you really haven't changed anything, has it been about a year since you set it up?
12:42 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit []
12:44 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:47 -!- zeus_ [~zeus@c107-107.i07-27.onvol.net] has joined #openvpn
12:48 -!- zeus_ [~zeus@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
12:48 -!- zeus_ [~zeus@c107-107.i07-27.onvol.net] has joined #openvpn
12:48 -!- zeus_ [~zeus@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
12:48 -!- zeus_ [~zeus@c107-107.i07-27.onvol.net] has joined #openvpn
12:49 -!- takamichi_2 [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:50 -!- takamichi_2 [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
12:50 -!- zeus_ [~zeus@c107-107.i07-27.onvol.net] has quit [Client Quit]
12:51 -!- takamichi_2 [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:51 -!- takamichi_3 [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:51 -!- takamichi_3 [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
12:52 -!- takamichi_3 [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
12:53 -!- chakatz [~chakatz@212.199.106.82.static.012.net.il] has joined #openvpn
12:53 -!- takamichi_3 [~takamichi@c107-107.i07-27.onvol.net] has quit [Client Quit]
12:53 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:53 < chakatz> Is it possible to set up OpenVPN without using any NAT? I have three networks which each use unique private-net subnets and I want all servers to see the real private IP addresses of the hosts that are communicating with them.
12:54 <@ecrist> you don't have to use NAT with openvpn
12:54 < chakatz> In the config file I have "server 10.8.0.0 255.255.0.0" and all the traffic arrives with a 10.8.0.* address
12:54 <@ecrist> those are IPs, still not seeing NAT
12:55 < chakatz> How to I change the config to not use that NAT?
12:55 <@ecrist> I think you don't understand IP
12:55 < chakatz> could be :-)
12:56 <@ecrist> !goal
12:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:56 < chakatz> I would like to access the lan behind the VPN and I would like the target server to se my IP address
12:57 < chakatz> *the originating host's IP address
12:57 <@ecrist> ok, when one system connects to another system, it's going to see the IP that's closest to that network
12:57 <@ecrist> that's not NAT
12:57 <@ecrist> in some cases, the VPN IP is closest (part of being on a VPN), and that's the IP you'll see
12:58 < chakatz> Ah, K, so it's seeing the IP of the gateway server and I want it to see the IP of the originating host
12:58 <@ecrist> no
12:58 <@ecrist> draw a diagram of your setup
12:58 <@ecrist> !diagram
12:58 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
12:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:01 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
13:13 < chakatz> vpnHelper: This is the diagram - http://www.gliffy.com/go/publish/image/5503383/L.png
13:14 < chakatz> I want Host A to be able to reach Host B and I want Host B to see the traffic as coming from Host A
13:15 < chakatz> same for traffic from Host B to Host A
13:15 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
13:20 < Haigha> Eugene: i don't think so, "VERIFY OK: depth=0,..."
13:20 <@Eugene> !logs
13:20 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:21 < Haigha> Eugene: http://pastebin.com/euKSLzAK
13:21 < Haigha> that's an interresting part, i've never seen that
13:22 < Haigha> PID_ERR replay-window backtrack occurred [1] appears after most of the TLS resets
13:22 < chakatz> Sorry, my comment above should have been addressed to ecrist
13:24 <@ecrist> chakatz: you need iroute
13:24 <@ecrist> !iroute
13:24 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
13:24 <@ecrist> !route
13:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:24 <@ecrist> and route
13:24 <@vpnHelper> client
13:25 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
13:25 < chakatz> Thanks ecrist. I'll look into that more carefully.
13:26 -!- lj [~l@192.241.174.169] has joined #openvpn
13:29 < lj> ecrist: I'm getting no such file or directory error for my —client-connect script. (It is there). Would that just be permissions, and if so what permissions are req'd for openvpn to access it [them including the disconnect]?
13:31 < Haigha> lj: i think you need to chmod +x your scripts
13:32 < lj> Already done.
13:32 < lj> Good thought though.
13:33 <@ecrist> lj: the directory needs to be writeable by the openvpn user
13:33 <@ecrist> or whatever users you have executing the openvpn binary
13:33 <@ecrist> or the dropped privs user
13:33 < lj> ecrist: Word. Checking now.
13:34 <@ecrist> it's a good try to use /tmp/<name>
13:35 < lj> In this case afaik, it's running as root. Any reason I'd still have this issue?
13:35 <@ecrist> do you have a user and group arg in your server config?
13:36 < lj> Set to nobody and nogroup respectively.
13:36 <@ecrist> that user/group  needs write access, then
13:38 < lj> Before I do that, I'm looking at this currently, would this be preferred: https://community.openvpn.net/openvpn/wiki/UnprivilegedUser to using the —user/—group?
13:38 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
13:42 < lj> @ ecrist
13:45 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
13:50 <@ecrist> lj: regardless what that page says, if you have user/group set, the destination for your status log MUST be writeable by that user/group
13:52 < lj> ecrist: My status log or the script it's trying to execute on connection?
13:53 <@krzee> it shouldnt be necessary but doesnt hurt to do
13:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:57 < lj> Ah ecrist / krzee: I didn't need those directives anyway since I'm on *nix.
13:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:01 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 269 seconds]
14:01 -!- chakatz [~chakatz@212.199.106.82.static.012.net.il] has quit [Ping timeout: 246 seconds]
14:08 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has joined #openvpn
14:15 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has quit [Quit: Leaving...]
14:21 -!- master_o1_master [~master_of@p4FD7BF48.dip0.t-ipconnect.de] has joined #openvpn
14:24 -!- master_of_master [~master_of@p4FD7B772.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
14:28 -!- Martyn [~Martin@216.38.134.150] has quit []
14:35 <@ecrist> lj: user/group?
14:35 <@ecrist> being on *nix doesn't mean you shouldn't use those.
14:37 < lj> ecrist: Yeah noticed that. Read this incorrectly.
14:37 < lj> user/group (non-Windows only) != user/group (Windows only)
14:38 < lj> ecrist: Going to setup the unpriv'd setup on the docs as soon as I get a minute, set perms in the scripts dir to the user I run openvpn as, and try again.
14:44 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
14:49 -!- joshh20-Away is now known as joshh20
14:55 <@ecrist> lj: really, the status log file just needs to be writeable by the openvpn process owner
14:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:59 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
15:01 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
15:02 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Ping timeout: 264 seconds]
15:04 < mrrg> does anyone know how openvpn handle tls session resumption, if at all? does it use server-side caching or support client-side session tickets?
15:05 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Quit: changing servers]
15:06 -!- Varazir [~mircwars@c-94-255-128-122.cust.bredband2.com] has quit [Write error: Broken pipe]
15:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-povlxaeqkiwgvlbf] has quit [Disconnected by services]
15:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Connection reset by peer]
15:07 -!- Varazir [~mircwars@c-94-255-128-122.cust.bredband2.com] has joined #openvpn
15:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-bahbfpeahcnypvzj] has joined #openvpn
15:08 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
15:09 < lj> What does the status log file have to do with the —connect-script though? :|
15:09 -!- Cr4zi3 [~killaz@76.74.171.253] has joined #openvpn
15:09 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has joined #openvpn
15:11 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:21 -!- joshh20 is now known as joshh20-Away
15:22 -!- MACscr|lappy [~MACscrlap@c-50-158-179-100.hsd1.il.comcast.net] has joined #openvpn
15:28 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
15:43 -!- aef [~smuxi@schweinehegel.raxys.net] has joined #openvpn
15:43 < aef> where can i find the OpenPGP signing key for the OpenVPN community release files?
15:47 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:47 < aef> or at least a fingerprint
15:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:59 -!- p3rror [~mezgani@41.249.24.9] has joined #openvpn
16:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
16:06 -!- mattock is now known as mattock_afk
16:12 -!- Martyn [~Martin@216.38.134.150] has quit [Read error: Connection reset by peer]
16:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-bahbfpeahcnypvzj] has quit [Ping timeout: 246 seconds]
16:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-dlkudtcybegkafaf] has joined #openvpn
16:21 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:33 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:36 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
16:39 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
16:40 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
16:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:03 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Quit: shibboleth]
17:04 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has joined #openvpn
17:07 -!- shibboleth [~shibbolet@gateway/tor-sasl/shibboleth] has quit [Client Quit]
17:13 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
17:17 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:17 -!- gffa_ [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:31 -!- MACscr|lappy [~MACscrlap@c-50-158-179-100.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
17:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:37 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has quit [Remote host closed the connection]
17:47 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has left #openvpn ["Konversation terminated!"]
17:53 -!- MACscr|lappy [~MACscrlap@172.56.13.104] has joined #openvpn
17:54 -!- p3rror [~mezgani@41.249.24.9] has quit [Quit: Leaving]
18:19 -!- MACscr|lappy [~MACscrlap@172.56.13.104] has quit [Ping timeout: 264 seconds]
18:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-hlrazsdeirfhsndh] has quit [Quit: Connection closed for inactivity]
18:29 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:51 -!- mirco_ [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco_]
19:57 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
20:06 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
20:07 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
20:07 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Changing host]
20:07 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
20:28 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
20:50 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
20:51 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has joined #openvpn
20:51 -!- Neozonz [~arajakul@CPE68b6fcc6d913-CM68b6fcc6d910.cpe.net.cable.rogers.com] has quit [Changing host]
20:51 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
20:51 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
20:52 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
20:52 -!- converge [~converge@189.7.3.101] has joined #openvpn
20:52 -!- converge [~converge@189.7.3.101] has quit [Changing host]
20:52 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:01 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Read error: Connection reset by peer]
21:02 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
21:10 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:10 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:13 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
21:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:26 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
21:40 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
21:48 -!- chrisb is now known as rms
21:48 -!- rms is now known as Guest65445
21:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
21:58 -!- Guest65445 [~chrisb@li482-205.members.linode.com] has quit [Remote host closed the connection]
22:36 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Ping timeout: 240 seconds]
22:46 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
22:47 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:47 -!- mode/#openvpn [+o krzee] by ChanServ
22:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
23:15 -!- chris349 [~office@c-50-143-41-49.hsd1.fl.comcast.net] has joined #openvpn
23:15 < chris349> What hash algorithm does openvpn use if its not defined?
23:16 <@Eugene> Do you mean --auth? The default is sha1.
23:17 < chris349> Eugene, I dont know. I am trying to connect two different devices so not everything in the GUI matches up
23:17 <@Eugene> We usually dont' support GUIs for exactly that reason.
23:20 < chris349> And what would be the default TLS Cipher?
23:20 <@Eugene> !man
23:20 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
23:21 <@Eugene> --cipher defaults to BF-CBC, sez the man page
23:22 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 264 seconds]
23:23 < dren> don't use a GUI
23:24 < dren> learn how it works
23:24 < dren> it will pay off in the end
23:25 < dren> everything you need to know to build most of any config is here or on the openvpn site
23:27 < chris349> dren, Yes but the issue is the systems are designed to use the GUI
23:27 < chris349> How can I get a more detailed error other than TLS failed
23:28 < chris349> Actually my log shows the TLS error constantly but the VPN link is working
23:30 < dren> turn the verbosity up for logging
23:31 < dren> your problem is common chris349 you will get it :) you are close!
23:34 < chris349>  I am getting ACK Output Sequence Broken
23:36 <@krzee> we usually tell people who must use lame gui's to get support from the maker of the gui
23:36 <@krzee> cause their problem is the gui, not openvpn
23:36 <@krzee> (and we dont use the guis)
23:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Remote host closed the connection]
23:37 -!- takamichi_2 [~takamichi@c107-107.i07-27.onvol.net] has quit [Remote host closed the connection]
23:42 < dren> krzee, it's the system he's using
23:43 < dren> i agree though
23:43 < dren> chris349: you might have more luck with the vendor than here to be honest
23:44 < dren> what sys are you using out of curiosity?
23:44 < chris349> dren, I am trying to connect a dd-wrt client to a pfsense server
23:44 < dren> yea that's what i figured it was pfsense or something like that
23:44 < dren> i've used the openvpn in both, I was not impressed
23:45 < dren> so i just installed openvpn and used pf instead much easier
23:45 < dren> especially when you are wanting something very specific
23:45 < dren> i suggest you do the same, or reach out to dd-wrt/pfsense
23:45 < dren> gL!
23:46 < chris349> Honestly I never had a problem with the pfsense and various openvpn clients. THe issue to me seems the dd-wrt has very few options in the GUI
23:56 <@krzee> hah
23:56 <@krzee> you can actually run openvpn from normal config on dd-wrt AND on pfsense
23:56 <@krzee> !pfsense
23:56 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the config and logfiles
23:56 <@krzee> :-p
23:57 <@krzee> just because there exists a gui, does not mean you MUST use it. you just named 2 systems that DEFINITELY give you cli access
23:59 < dren> busybox for dd-wrt you can just config there
--- Day changed Thu Mar 20 2014
00:00 < dren> pfsense is just freebsd
00:00 <@krzee> and if you do want to use the guis, im not saying it is offtopic here, you may ask all you want, but you'll be better off asking them about their gui than asking us
00:00 <@krzee> as for me, you'll never see me configuring either of those via gui
00:01 <@krzee> !openwrt
00:01 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
00:01 <@krzee> not sure if dd-wrt uses the same UCI or not, but that general idea will work there too.
00:02 <@krzee> i strongly prefer openwrt to dd-wrt, but maybe your router cannot run both
00:02 <@krzee> or maybe you prefer dd-wrt
00:17 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
00:21 < chris349> If the server has a --dh option does the client need the same file?
00:21 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:39 -!- chris349 [~office@c-50-143-41-49.hsd1.fl.comcast.net] has left #openvpn ["Leaving"]
00:39 -!- chris349 [~office@c-50-143-41-49.hsd1.fl.comcast.net] has joined #openvpn
00:40 < chris349> I try to run openvpn manually but when I do that there is no output and the process terminates
00:41 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
00:42 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
00:47 < chris349> So I finally see the client errors. Something generated the certificate in GMT so it is not valid yet!
00:47 < chris349> Is there any way to disable this check?
00:59 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 240 seconds]
01:00 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
01:10 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
01:11 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
01:12 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
01:13 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:22 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 255 seconds]
01:23 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
01:40 -!- iokill [~iokill@188-22-139-135.adsl.highway.telekom.at] has joined #openvpn
01:41 -!- iokill [~iokill@188-22-139-135.adsl.highway.telekom.at] has quit [Client Quit]
01:50 -!- chris349 [~office@c-50-143-41-49.hsd1.fl.comcast.net] has quit [Quit: Leaving]
02:01 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
02:07 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
02:10 -!- Devastatr [~devas@186.214.110.180] has joined #openvpn
02:10 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 246 seconds]
02:15 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:58 -!- mattock_afk is now known as mattock
03:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-dlcgyrwobctyedig] has joined #openvpn
03:32 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:18 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
04:34 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 264 seconds]
04:35 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
04:37 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 265 seconds]
04:40 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
04:41 -!- sunwind` [~paradox@149.254.234.15] has joined #openvpn
04:49 -!- BCrookAtRA [~bcrook@2001:470:1f11:942::443] has quit [Ping timeout: 245 seconds]
04:50 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
04:58 -!- sunwind` [~paradox@149.254.234.15] has quit [Ping timeout: 264 seconds]
05:00 -!- dazo_afk is now known as dazo
05:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
05:02 -!- BCrookAtRA [~bcrook@2001:470:1f11:942::443] has joined #openvpn
05:06 -!- sunwind` [~paradox@149.254.234.15] has joined #openvpn
05:18 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has joined #openvpn
05:40 -!- sunwind` [~paradox@149.254.234.15] has quit [Ping timeout: 240 seconds]
05:49 -!- Latrina [~Latrina@ppp-16-15.26-151.libero.it] has quit [Remote host closed the connection]
05:58 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:01 -!- sunwind` [~paradox@149.254.234.15] has joined #openvpn
06:02 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
06:02 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Quit: No Ping reply in 180 seconds.]
06:02 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has joined #openvpn
06:02 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has quit [Changing host]
06:02 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
06:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
06:04 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
06:04 -!- mode/#openvpn [+o vpnHelper] by ChanServ
06:04 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 255 seconds]
06:04 -!- _dos-freak [leecher@zentarim.0wnz.at] has quit [Quit: Serverwechsel]
06:04 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
06:06 -!- Devastatr [~devas@186.214.110.180] has quit [Changing host]
06:06 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
06:06 -!- Devastatr is now known as Devastator
06:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:11 -!- paradox`` [~paradox@149.254.250.114] has joined #openvpn
06:13 -!- sunwind` [~paradox@149.254.234.15] has quit [Ping timeout: 265 seconds]
06:18 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
06:19 -!- converge [~converge@189.7.3.101] has joined #openvpn
06:19 -!- converge [~converge@189.7.3.101] has quit [Changing host]
06:19 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
06:19 -!- converge [~converge@unaffiliated/joaop] has quit [Client Quit]
06:33 -!- funyun_ [~temp@199.16.191.140] has joined #openvpn
06:33 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has joined #openvpn
06:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
06:49 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has quit [Remote host closed the connection]
06:54 -!- paradox`` [~paradox@149.254.250.114] has quit [Ping timeout: 240 seconds]
06:55 -!- paradox`` [~paradox@149.254.250.114] has joined #openvpn
07:04 -!- paradox`` [~paradox@149.254.250.114] has quit [Ping timeout: 240 seconds]
07:05 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:14 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:16 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
07:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
07:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
07:40 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
07:43 -!- _quadDam1ge is now known as _quadDamage
07:49 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
07:57 -!- BCrookAtRA [~bcrook@2001:470:1f11:942::443] has quit [Ping timeout: 240 seconds]
07:58 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has joined #openvpn
08:00 -!- BCrookAtRA [~bcrook@Droplet0.BCrook.com] has joined #openvpn
08:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:10 < seba> my openvpn does strange things. it seems like whenever io-load on the machine goes high the ping to the other end of the tunnel goes up do 10+ seconds
08:11 -!- funyun_ [~temp@199.16.191.140] has quit [Ping timeout: 265 seconds]
08:18 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
08:18 -!- makara [~makara@41.164.22.218] has quit [Excess Flood]
08:19 -!- makara [~makara@41.164.22.218] has joined #openvpn
08:20 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
08:20 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:22 -!- sunwind` [~paradox@149.254.250.74] has joined #openvpn
08:22 -!- esde [~esde@107.150.1.2] has quit [Changing host]
08:22 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
08:57 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has quit [Remote host closed the connection]
09:01 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has joined #openvpn
09:02 -!- lj [~l@192.241.174.169] has joined #openvpn
09:07 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
09:09 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:10 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:11 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 252 seconds]
09:14 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
09:23 -!- sunwind` [~paradox@149.254.250.74] has quit [Quit: sunwind`]
09:25 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
09:27 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
09:47 -!- sauce_ is now known as sauce
09:47 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
09:47 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:49 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
09:58 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Remote host closed the connection]
10:00 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
10:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
10:02 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 265 seconds]
10:06 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
10:29 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Remote host closed the connection]
10:32 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
10:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 245 seconds]
10:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:56 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
10:56 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
10:57 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-svfwgvxzceeapqjg] has quit [Read error: Operation timed out]
10:57 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-lwgfcfktarcanwqz] has joined #openvpn
11:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:05 -!- makara [~makara@105-208-229-77.access.mtnbusiness.co.za] has joined #openvpn
11:08 -!- BCrookAtRA [~bcrook@Droplet0.BCrook.com] has left #openvpn []
11:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
11:21 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 240 seconds]
11:23 -!- makara [~makara@105-208-229-77.access.mtnbusiness.co.za] has quit [Ping timeout: 240 seconds]
11:31 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
11:32 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 246 seconds]
11:45 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
11:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
12:05 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
12:14 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
12:15 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has quit [Remote host closed the connection]
12:22 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
12:34 <@krzee> doesnt sound so weird to me, your kernel sounds occupied
12:38 < [diecast]> creepy
12:57 -!- Latrina [~Latrina@95.239.251.125] has joined #openvpn
12:59 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
13:00 -!- lj [~l@66.94.192.181] has joined #openvpn
13:01 -!- lj [~l@66.94.192.181] has quit [Client Quit]
13:01 -!- lj [~l@66.94.192.181] has joined #openvpn
13:01 -!- lj [~l@66.94.192.181] has quit [Client Quit]
13:02 -!- lj [~l@192.241.174.169] has joined #openvpn
13:04 -!- ade_b [~Ade@80-72-52-20.cmts.powersurf.li] has joined #openvpn
13:04 -!- ade_b [~Ade@80-72-52-20.cmts.powersurf.li] has quit [Changing host]
13:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:06 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:09 -!- gffa [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has joined #openvpn
13:09 -!- gffa [~unknown@524895DD.cm-4-1c.dynamic.ziggo.nl] has quit [Changing host]
13:09 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:13 -!- dazo is now known as dazo_afk
13:19 -!- EmLeX_ [~emx@37.46.193.2] has quit [Ping timeout: 264 seconds]
13:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:23 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
13:26 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:44 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
13:45 < Pinchiukas> I can't do a tun type VPN without encryption?
13:46 < Aketzu> --cipher none
13:47 < Aketzu> I just wonder why would you want to do that
13:51 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:51 -!- Latrina [~Latrina@95.239.251.125] has quit [Quit: Leaving...]
13:55 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:55 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:56 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:56 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:01 <@krzee> !noenc
14:01 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
14:01 <@krzee> in general openvpn is for encryption, tunnels can be made without encryption without using openvpn
14:02 <@krzee> but if theres some reason you want to do it, openvpn is able to.
14:02 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
14:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:10 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
14:12 < Pinchiukas> Aketzu: just trying it out.
14:12 < Pinchiukas> Aketzu: Options error: You must define DH file (--dh)
14:14 <@krzee> yep mdoe server wants dh params
14:14 <@krzee> mode*
14:14 <@krzee> seems like an obvious solution given the error you posted...
14:14 <@krzee> not sure how to say it better than : You must define DH file (--dh)
14:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:20 -!- master_of_master [~master_of@p4FD7B36E.dip0.t-ipconnect.de] has joined #openvpn
14:21 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
14:23 -!- master_o1_master [~master_of@p4FD7BF48.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
14:37 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 264 seconds]
14:49 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
14:54 -!- joshh20-Away is now known as joshh20
14:57 <@plai> !dh
14:57 <@vpnHelper> "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
14:58 <@plai> !learn dh as or just openssl gendh 2048
14:58 <@vpnHelper> Joo got it.
14:58 <@plai> !dh
14:58 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) or just openssl gendh 2048
14:59 <@plai> !forget dh 2
14:59 <@vpnHelper> Joo got it.
14:59 <@plai> !dh
14:59 <@vpnHelper> "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
14:59 <@plai> !learn dh as openssl gendh [numbits]
14:59 <@vpnHelper> Joo got it.
14:59 <@plai> !dh
14:59 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
15:06 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Ping timeout: 245 seconds]
15:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 245 seconds]
15:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
15:15 -!- mattock is now known as mattock_afk
15:18 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
15:32 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
15:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:42 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
15:43 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:44 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:55 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:58 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 269 seconds]
16:08 -!- Latrina [~Latrina@159.20.175.109] has joined #openvpn
16:09 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:12 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has joined #openvpn
16:26 -!- Latrina [~Latrina@159.20.175.109] has quit [Remote host closed the connection]
16:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:29 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
16:35 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:38 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
16:41 -!- MACscr|lappy [~MACscrlap@c-98-214-103-56.hsd1.il.comcast.net] has quit [Ping timeout: 245 seconds]
16:44 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
16:53 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
17:19 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:25 -!- b0bbi10 [~me@se2x.mullvad.net] has joined #openvpn
17:25 < b0bbi10> hi, how can I setup Linux (Fedora)/ network manager to block internet access when my VPN disconnects?
17:28 < pekster> Write a script to do that (though don't use n-m for it.) Try dynamically adjusting your firewall in a --down script (see: !scripts for details.) You probably also want --up-restart to handle timeout events
17:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:30 <@plai> also see persist-tun
17:30 <@plai> you also might consider not adding a default route
17:30 < b0bbi10> ok, thanks, not sure if I can implement that solution on my own, but will have a look at it eventually :)
17:30 <@plai> but only a host route only to the the vpn server
17:32 < pekster> Sure, but n-m tries really hard to "do that for you" ;)
17:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:40 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
17:41 -!- Latrina [~Latrina@159.20.175.109] has joined #openvpn
17:46 -!- Denial- [Denial@2.126.201.65] has joined #openvpn
17:46 -!- Denial [Denial@176.250.208.188] has quit [Ping timeout: 264 seconds]
17:46 -!- Denial- is now known as Denial
17:53 -!- p3rror [~mezgani@41.140.42.163] has joined #openvpn
18:00 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:07 -!- Latrina [~Latrina@159.20.175.109] has quit [Remote host closed the connection]
18:24 -!- b0bbi10 [~me@se2x.mullvad.net] has quit [Quit: Leaving]
18:28 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:31 -!- funyun_ [~temp@64.120.53.43] has joined #openvpn
18:33 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
18:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
18:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:10 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Computer has gone to sleep.]
19:10 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
19:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-dlcgyrwobctyedig] has quit [Quit: Connection closed for inactivity]
19:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
19:30 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
19:31 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
19:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:56 -!- noobboob [uid5587@gateway/web/irccloud.com/x-hrcriesxkxqeoigi] has joined #openvpn
20:07 -!- joshh20 is now known as joshh20-Away
20:13 -!- matsh [divine@nanogene.org] has quit [Read error: Connection reset by peer]
20:14 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
20:14 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:15 -!- matsh [divine@nanogene.org] has joined #openvpn
20:19 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
20:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
20:19 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:21 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
20:22 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:24 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
20:25 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
20:26 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:01 -!- troyt [~troyt@c-67-161-211-139.hsd1.ut.comcast.net] has quit [Quit: AAAGH!  IT BURNS!]
21:10 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
21:59 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
22:07 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Read error: Connection reset by peer]
22:07 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
22:12 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 240 seconds]
22:17 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
22:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-hrcriesxkxqeoigi] has quit [Quit: Connection closed for inactivity]
22:35 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:36 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:40 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit []
22:46 -!- chris349 [~office@c-50-143-41-49.hsd1.fl.comcast.net] has joined #openvpn
22:47 < chris349> I have setup OpenVPN site-to-site but the conection is dropping approx every 5 minutes with an error: Inactivity timeout (--ping-timeout.)
22:52 <@krzee> i would guess firewall issue, change verbosity to verb 5 and post logs
22:52 <@krzee> you probably need to allow traffic to tun interface
22:52 <@krzee> if verb 5 shows 1 side just doing wwwww and no rrrrr you know its firewall
22:52 <@krzee> verb 5 on both sides, logs from both sides
22:54 <@krzee> say my name in your response, im watching a movie and may not see the response otherwise
22:54 < chris349> krzee, It connects and passes traffic it just drops almost exactly every 10 minutes
22:57 <@krzee> do what i said
23:19 < chris349> I have an issue with routing. From the server I can ping the client itself but I can not ping the LAN of the client
23:26 <@krzee> i guess it was silly of me to try to help you, you know your problems and do not need help, otherwise you would listen to those trying to help you and provide what is asked of you
23:27 <@krzee> ill just add you to my ignore list so i dont waste my time
23:27 <@krzee> done =]
23:30 < chris349> In the logs there is no error or warning
23:30 < chris349>  It just constantly reconnects every 10 minutes
23:31 < chris349> Inactivity Timeout (--ping restart) restarting
23:31 < chris349> SIGUSR1 recieved client instance restarting
23:47 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
23:49 -!- grendal [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
23:49 < grendal> i want the best of both worlds
23:51 < grendal> got this situation about 10 roadwariors all is working well. (despite the dsl line they are all comming in on)
23:55 < grendal> Now one of them needs rdp access into her desktop.  ...allot of variables on this one of which is that everything is on dhcp...
23:56 < grendal> so im thinking we put a vpn client on her desktop..make it just another vpn node...problem is..that means i need to enable client to client.
23:56 <@krzee> why not just configure routing?
23:57 <@krzee> and no it would not mean enabling client to client
23:57 <@krzee> it would mean doing that OR properly configuring your firewall
23:57 <@krzee> !c2c
23:57 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
23:57 <@vpnHelper> other clients
23:57 < grendal> which might make some things better but these are mostly windows clients,  im just worried all the typical bs stuff thrown around the network is gonna slow down all the remote people.
23:58 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
23:58 < grendal> i can enable routing so there interntal subnet is 192.168.1.x
23:59 < grendal> gets complicated now right?
23:59 <@krzee> well, you should change that, but you already know that
23:59 <@krzee> so im guessing you arent allowed
23:59 < grendal> that part was not my doing
23:59 <@krzee> this is grendal prime, right?
--- Day changed Fri Mar 21 2014
00:00 < grendal> ya hows it going
00:00 <@krzee> ya thought so, so you do already know that =]
00:00 <@krzee> good man
00:00 < grendal> ya...soon as i saw that i was like....grrrrrrr
00:01 <@krzee> i feel lucky that i get carte blanche at my office
00:01 <@krzee> if i wanna overhaul the network, its on me if something messes up, but i can feel free to go at it
00:01 < grendal> well...i mean everything is dhcp..so we technically could switch everything to something obscure.
00:01 < grendal> nobody would know..
00:02 < grendal> there are some printers though...hmmm
00:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:03 < grendal> ya so last time we talked i was working for a diff company i think
00:03 < grendal> im retired now.
00:04 < grendal> and the company i was working for laid 2/3 of us off a year ago Christmas.  Now all the management have moved on and are hiring me as a private contractor.
00:04 < grendal> worked out pretty good for me in the end..
00:07 < grendal> hey i just ran a huge update ..i got something kinda crazy to tell yo ubout though...brb
00:07 -!- grendal [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Quit: Ex-Chat]
00:11 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
00:12 -!- grendal [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
00:13 < grendal> krzee, ya so you still here?
00:13 <@krzee> 1sec someone just contacted me and i need to relay stuff about a new job
00:13 <@krzee> brb
00:14 < grendal> ok np...so like i build this cool box..its a filler with vpn access into it....i get like 4 clients for this thing bam bam bam...
00:19 <@krzee> ok im back
00:19 <@krzee> not for long tho, got an elephant ride tour in 40min and i havnt eaten yet
00:19 <@krzee> (im in thailand)
00:20 <@krzee> ill try to help you first tho
00:24 < grendal> na...i think i got it figered...
00:24 < grendal> couple diff ways ..we can just forward rdp for her at the router...worst case.
00:24 <@krzee> nooo
00:24 <@krzee> you mean without vpn?
00:25 < grendal> rdp is encrypted.
00:25 <@krzee> hah
00:25 <@krzee> riiiiiight
00:25 <@krzee> dont do it bro
00:25 <@krzee> but you're right theres a couple diff ways
00:26 < grendal> well im thinking it may make sense to just do the c2c,
00:26 <@krzee> you could configure routing and only route to a lan /32 not the whole subnet so its only 1 ip to possibly conflict
00:26 -!- Guest13645 is now known as blogometer
00:26 <@krzee> in which case you could push that route in a ccd entry and it can only conflict for that user
00:26 -!- blogometer is now known as prettyrobots
00:26 <@krzee> you will never HAVE TO use c2c
00:26 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
00:27 <@krzee> thats only if you want to allow ALL c2c, you can allow some c2c without the config option by allowing everything to forward in the firewall
00:27 <@krzee> no c2c = selective config according to firewall, c2c option is to allow * by bypassing the firewall
00:29 < grendal> ok so i enable routing in the os ...(why are you in thailand?)  then
00:29 < grendal> on the vpn, allow routing ...but thats a bitch cause now im back to the issue with the subnet.
00:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
00:39 <@krzee> not really
00:39 <@krzee> only push the single ip
00:39 <@krzee> and only to the user(s) who need it
00:40 <@krzee> then the chance of conflict with a lan machine is rather small for the client (we hope!)
00:41 <@krzee> so when you add the route netmask is 255.255.255.255
00:41 -!- mattock_afk is now known as mattock
00:43 < grendal> ya...i thought that if i allowed routing for that vpn instance it was for everyone
00:43 <@krzee> !ccd
00:44 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
00:44 <@krzee> you can push it there
00:44 <@krzee> or add it direct to the client config
00:44 <@krzee> i prefer pushing via ccd, for central management
00:45 <@krzee> remember others can add routes at will, so not giving a route does NOT replace proper firewall configuring
00:45 < grendal> ya ive don that several times...however pushing a route to the client...ive tried that without setting route..it seems like the client couldnt get through
00:45 <@krzee> gotta go, time to ride elephant
00:45 <@krzee> gl man
00:46 < grendal> YOU RIDE THAT BITCH
00:46 <@krzee> lol
00:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:46 < grendal> AND TAKE VIDEO IF YOU CAN
00:46 <@krzee> oh and re: what im doing here, just being a tourist
00:46 <@krzee> been to philippines, taiwan, vietnam, and thailand on this trip
00:46 <@krzee> going home soon
00:46 <@krzee> bbl =]
00:50 -!- chris349 [~office@c-50-143-41-49.hsd1.fl.comcast.net] has quit [Quit: Leaving]
00:55 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
00:55 -!- warthog9 [~warthog9@2001:470:b:312:224:d7ff:fee3:3984] has joined #openvpn
00:57 < warthog9> does anyone know if thre's a way to get an openvpn client to bind to a specific outgoing interface on a multi interfaced box?  I.E. I have eth0 with ip 1.2.3.4 and eth1 with ip 4.3.2.1, and I normally default route through eth0, but I want the openvpn traffic to go out over eth1?
00:57 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
01:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:01 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:01 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:10 < warthog9> nevermind think I got it figured out, if I replace nobind with local and lport that seems to clear it up
01:17 < grendal> sorry was writing an article on zdnet
01:17 < grendal> you work that out for sure?
01:21 < warthog9> grendal: looks like it from a tcpdump and watching the banwidth
01:22 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has joined #openvpn
01:22 < grendal> sounds like you got the right voodoo there
01:22 < warthog9> having multiple upstream isps and trying to deal with centralized routing is by far *VOODOO*
01:23 < grendal> yep.  I refer to allot as digital witchcraft.
01:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
01:23 < Aketzu> try adding loadbalacing to outgoing traffic :)
01:23 < warthog9> Aketzu: loadbalancing is a nightmare
01:24 < grendal> and it is to most people...and they typically pay between 65 and 85 an hour for that.
01:24 < warthog9> particularly if you want traffic to seemingly come from a single point
01:24 < grendal> outbound ...i can see...hmmm i think i have done that sometime back
01:25 < grendal> inbound pretty simple with haproxy
01:25 < warthog9> try load balancing inbound at the dns level though across multiple datacenters in multiple countries ;-)
01:26 < grendal> dns i would think would make it easyer
01:27 < grendal> round robin
01:27 < grendal> is the first thing that comes ti mind
01:28 < warthog9> grendal: except that ipv6, and unfortunately microsoft, broke round robin entirely
01:29 < grendal> kill someone for an ipv4 address?
01:29 < grendal> damn it..did i just type that ...i thought i was just thinking it
01:29 < grendal> stupid fingers
01:30 < warthog9> getting v4 addresses is practically at the killing point
01:30 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
01:30 < grendal> im sure its been done
01:31 < grendal> brazil...russia
01:31 < warthog9> sadly
01:31 < grendal> whatever-zakistan
01:32 < grendal> sorry..i cant help you .its to depressing
01:33 < warthog9> ok, I think I got that fixed, on to the next thing ;-)
01:33 < warthog9> thanks!
01:33 -!- warthog9 [~warthog9@2001:470:b:312:224:d7ff:fee3:3984] has left #openvpn ["Leaving"]
01:33 < grendal> yourwelcome..please leave a dime on the toilet.
01:39 < grendal> what has become of this channel...people riding elephants in thailand others figuring out their problems by themselfs.
01:40 < grendal> soon there will be no work for out of work smart asses such as myself.
01:40 < grendal> who likes cheese?
01:53 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
02:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-dlkudtcybegkafaf] has quit [Ping timeout: 240 seconds]
02:36 -!- mnathani [~mnathani@constance.winvive.com] has quit [Read error: Operation timed out]
02:36 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
02:49 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:50 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:55 -!- Latrina [~Latrina@adsl-ull-1-219.50-151.net24.it] has quit [Quit: Leaving...]
03:02 -!- funyun_ [~temp@64.120.53.43] has quit [Ping timeout: 240 seconds]
03:03 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
03:04 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wkybslwnoykvrcwf] has joined #openvpn
03:11 -!- b0bbi10 [~me@88.128.80.3] has joined #openvpn
03:18 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
03:18 -!- iokill [~iokill@91-115-244-66.adsl.highway.telekom.at] has joined #openvpn
03:18 -!- iokill [~iokill@91-115-244-66.adsl.highway.telekom.at] has quit [Client Quit]
03:26 -!- LordDrako [~felix@dslb-188-102-182-084.pools.arcor-ip.net] has joined #openvpn
03:26 < LordDrako> hi guys... I somehow have a problem with an assertion in OpenVPN clients 2.3.1 and 2.3.2... I cannot really track the reason for this :-/
03:27 < b0bbi10> hi, can you give me some hints for what I need to do when blocking Internet access once my VPN connection drops? I am using Fedora and Network Manager to configure the VPN. I figured I would use firewall rules (iptables) but don't exactly know what/ how to setup.
03:27 < b0bbi10> or is this possible with OpenVPN inside Network Manager, too?
03:30 < LordDrako> http://pastebin.com/ECC7SWvi this is my OpenVPN log. I just masked the IP addresses
03:31 < LordDrako> the assertion happens at win32.c:276 (in both versions)... the check at that point is the following: ASSERT (!socket_defined (ne->sd));
03:31 < LordDrako> so it would seem as if the socket were invalid... but I cannot explain why
03:40 <@krzee> b0bbi10, if openvpn is still running you could simply use redirect-gateway without def1
03:40 <@krzee> otherwise you could block outbound traffic from leaving your external interface unless headed for VPN_IP
03:40 <@krzee> (external ip of the vpn server)
03:40 <@krzee> !netman
03:40 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
03:41 <@krzee> LordDrako, those logs are very devoid of info, try verb 5
03:41 < b0bbi10> krzee: the first suggestion of yours doesn't kill Internet once the VPN connection drops, right?
03:42 <@krzee> b0bbi10,
03:42 <@krzee> !def1
03:42 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
03:43 <@krzee> if you dont use def1 the default gateway gets wiped out and replaced by a new one that goes through the vpn, i have not done this since i do not use redirect-gateway, but it may work for you, the better way is iptables
03:44 < b0bbi10> ok, thanks
03:46 <@krzee> np
03:48 -!- mattock is now known as mattock_afk
03:50 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:58 < LordDrako> krzee: here is a more complete log (I used --verb 5 as you suggested) http://pastebin.com/bRNJ7TLf
03:58 < LordDrako> It appears something is wrong with the management console
03:59 <@krzee> can you post both configs?
03:59 <@krzee> !configs
03:59 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
03:59 <@krzee> like that ^
04:00 <@krzee> also, why are you masking internal VPN ips?
04:00 <@krzee> or are you trying to hand out public IPs?
04:00 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:00 <@krzee> this could be one of those times that masking IPs in your logs actually stops us from determining your problem
04:01 <@krzee> haha thanks for the translation at the bottom, i didnt see that at first and had google translate tell me :D
04:02 < LordDrako> okay lol :p
04:02 < LordDrako> yeah I wasn't exactly sure which ones were public ips :p
04:03 <@krzee> are you attempting to hand out public IPs over the vpn?
04:03 <@krzee> !1918
04:03 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
04:03 <@krzee> ^ everything else is a public ip
04:03 < LordDrako> actually no
04:03 <@krzee> well, almost everything else? iana does have some reserved for other things but lets ignore that fact
04:04 < LordDrako> client config: http://pastebin.com/0PShsdg7
04:04 <@krzee> oh i see
04:04 <@krzee> i think you need a different dev-node
04:04 <@krzee> windows identifier
04:04 <@krzee> lemme google for the right doc
04:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
04:06 <@krzee> hrm maybe / maybe not, also just FYI
04:06 <@krzee> !tcp
04:06 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
04:07 <@krzee> route 192.168.178.0 255.255.255.0 vpn_gateway    <-- what do you expect that to do?
04:07 <@krzee> where is 192.168.178.0
04:07 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
04:08 < LordDrako> on the other side of the tunnel
04:09 <@krzee> remove vpn_gateway it is not needed
04:09 < Bretos> hey guys, I am having a weird problem with easy-rsa installed from debian testing repo... http://pastebin.com/QeT9UJJ7
04:09 <@krzee> Bretos, you probably did not source vars
04:09 < Bretos> indeed I did
04:09 <@krzee> note the leading . in:   . ./vars
04:09 < Bretos> yep
04:09 < Bretos> i sourced ./vars
04:10 <@krzee> try:
04:10 <@krzee> !easy-rsa
04:10 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
04:10 <@krzee> instead of debian's
04:10 <@krzee> it should be newer
04:10 < Bretos> okay, trying right now ;-)
04:11 <@krzee> easy-rsa is now maintained seperately by pekster, and has been overhauled
04:11 <@krzee> new version is easy-rsa 3
04:13 < Bretos> I see
04:13 < Bretos> usage is a bit different
04:13 < LordDrako> krzee: I might also tell you that it usually worked and just today this assertion appears... the only thing I changed was the program launching openvpn (which is strange, because the change was nowhere near the openvpn launch stuff and would also not affect it)
04:13 <@krzee> Bretos, yep, but theres a readme and stuff at the link provided
04:14 <@krzee> LordDrako, interesting, what was the change?
04:14 <@krzee> (but everything i said remains true, tcp should be avoided and you dont need vpn_gateway)
04:14 < Bretos> krzee: openvpn's howto is all that is needed anyway ;-)
04:15 < Bretos> huh I'm gonna have to change my quick-openvpn-deploy script now :<
04:15 <@krzee> Bretos, oh well openvpn's howto is for easy-rsa2, the wiki post at community.openvpn.net is for easy-rsa 3
04:15 <@krzee> my deploy script does not use easy-rsa at all, i use the raw openssl commands like easy-rsa does
04:16 < LordDrako> krzee: I look for the openvpn binary in the registry to find its position. the old version only looked in the native registry, while the new version looks at the native one first and the other one second (native means, my launcher is 32 bit, so it looks at the 32 bit part of the registry; after that it looks if there is an openvpn entry in the 64 bit registry)
04:17 <@krzee> LordDrako, and if you switch back it still works?
04:17 < LordDrako> not tested, though I could do that
04:17 <@krzee> i think it would be a smart test
04:17 <@krzee> to know if thats a red herring or the problem
04:21 -!- sono [~sono@tucana.uberspace.de] has joined #openvpn
04:21 < sono> !welcome
04:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
04:22 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:22 < sono> !redirect
04:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
04:22 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
04:22  * sono sighs. will get back to you guys
04:23 <@krzee> =]
04:23 <@krzee> i love self-help
04:23  * krzee pets vpnHelper 
04:23 < sono> love that-
04:23 < sono> a well organized channel!
04:24 -!- mode/#openvpn [+v sono] by krzee
04:24 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:24 <@krzee> still takes a user willing to help themselves to make it matter
04:28 < LordDrako> krzee: I checked out the revision before the change but the assertion stays :/
04:28 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
04:28 <@krzee> so it is unrelated to your "only" change
04:28 <@krzee> and something else must have also changed
04:28 <@krzee> right?
04:29 < LordDrako> it might seem so
04:29 <@krzee> and what if you dont rename the tap adapter?
04:30 < LordDrako> I have no idea, but it had that name from the beginning and always worked... also there was a windows update lately :p
04:30 <@krzee> i dont run windows, but i know that in troubleshooting you assume nothing and take things 1 by 1
04:31 < LordDrako> maybe you can help with another problem then :D
04:31 <@krzee> and since you only made 1 change, which must be unrelated to the problem as per your test, you gotta go back now
04:31 < Bretos> krzee: could you share your script?
04:31 <@krzee> Bretos, nope, its actually a phone provisioning script for my darknet phone company
04:31 <@krzee> lots of magic in there
04:31 < Bretos> ok ok :P
04:32 < LordDrako> krzee: I also have a Linux version of my lets call it "OpenVPN launcher" (it gathers the config and some other stuff from some places, launches openvpn and uses the management console to show the user the status)
04:33 <@krzee> LordDrako, sounds like you do some pretty cool stuff
04:33 < LordDrako> thanks :p
04:34 < LordDrako> so it launches openvpn successfully, openvpn connects and authenticates successfully... now comes the problem: openvpn tries to use "ifconfig" or "ip" (depending on distribution as it seems to me) to configure the tunnel interface
04:34 < LordDrako> and at this point I always get "external program fork failed"
04:34 < LordDrako> when I run openvpn from the commandline with the exact same config everything works fine
04:34 <+sono> krzee: you know what would be awesome? if vpnHelper would respond in queries so i don't have to clutter this place with bang commands.
04:35 < LordDrako> the launcher runs as root, so there should be no permission problem
04:35 <+sono> !wiki
04:35 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
04:35 <@krzee> LordDrako, may i message privately?
04:35 <@krzee> !msg
04:35 < LordDrako> ofcourse
04:35 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
04:35 <@krzee> !tell sono [msg]
04:35 <@krzee> =]
04:36 <+sono> \o/
04:38 <@krzee> oh and you might just want:
04:38 <@krzee> !factoids
04:38 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
04:38 <@krzee> even lazier :D
04:39 <@krzee> HAHA i had not seen !woman before i just looked at the factoids dump
04:39 <@krzee> !woman
04:39 <@vpnHelper> "woman" is see !man but with a monthly attitude :D
04:40 <@krzee> im gunna assume that was ecrist Eugene or pekster, kudos to whichever it was
04:46 <+sono> i'm not even sure if i have a routing, server config, or client config problem at this point, but i am at work and really have to do some workstuff. i'm sure i'll get it worked out with your help at least when i get home.
04:46 <+sono> ircpimps seems to be down, btw
04:47 <@krzee> ya, i had to take it down before i left for asia
04:48 <@krzee> it was pushing major bw and i didnt have time to diagnose, didnt want the colo guys to take down my important servers so i just shutdown -h now
04:49 <+sono> 'sok
05:15  * plai wonders if there is any women program to view man pages
05:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-xmxxikifgjgakrhe] has joined #openvpn
05:20 <+sono> what, it gives you a random manpage 3 days a month?
05:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
05:29 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
05:36 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
06:10 -!- defswork [~andy@141.0.50.105] has quit [Read error: No route to host]
06:11 -!- p3rror [~mezgani@41.140.42.163] has quit [Remote host closed the connection]
06:17 -!- pa__ [~pa@host59-65-dynamic.182-80-r.retail.telecomitalia.it] has joined #openvpn
06:20 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
06:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:27 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
06:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
06:53 -!- pa__ is now known as pa
06:53 -!- pa [~pa@host59-65-dynamic.182-80-r.retail.telecomitalia.it] has quit [Changing host]
06:53 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:07 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:17 -!- cpm [~Chip@216.169.175.102] has joined #openvpn
07:17 -!- cpm [~Chip@216.169.175.102] has quit [Changing host]
07:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:26 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:28 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has left #openvpn []
07:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 253 seconds]
07:38 -!- b0bbi10 [~me@88.128.80.3] has left #openvpn ["Leaving"]
07:58 -!- Neozonz [~arajakul@unaffiliated/neozonz] has joined #openvpn
08:06 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
08:08 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:21 -!- mattock_afk is now known as mattock
08:29 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:33 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
08:40 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
08:49 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
08:54 <@mattock> plai, sono: just a fyi: searching the Internet for "man for women" does not yield any man-page reader for women
08:54 <@mattock> not sure why
08:54 <+sono> *G*
08:55 <@mattock> I guess innovative use of scripting could produce one, though :P
09:08 <@plai> mattock: :D
09:08 <@mattock> I even tried "apt-file -x search "^.*/wo$", but in vain
09:08 <@mattock> wo man
09:09 <@mattock> there is a "wo", but it's not executable unfortunately
09:09 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
09:10 < dan_j> Hi. I need to recommend a router for a client to use which supports openvpn. They aren't in the same city, so they'll have to deal with the configuration themselves.
09:11 < dan_j> Do any routers come with openvpn preinstalled?
09:12 < Rienzilla> openwrt includes it
09:12 < Rienzilla> and that runs on a lot of devices
09:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
09:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
09:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:16 -!- car [~car@pd95cfe54.dip0.t-ipconnect.de] has joined #openvpn
09:17 -!- petapetapeta [~Peter@static.88-198-213-168.clients.your-server.de] has joined #openvpn
09:18 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 245 seconds]
09:18 < petapetapeta> !welcome
09:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
09:18 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:18 < dan_j> ok. I'll take a look. I'm surprised routers arent readily available with openvpn preinstalled.
09:18 < petapetapeta> !howto
09:19 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:19 < petapetapeta> !goal
09:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:19 < petapetapeta> !paste
09:19 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
09:20 < petapetapeta> !config
09:20 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
09:22 < petapetapeta> Hello, I am attempting to set up OpenVPN on a Ubuntu server and a Windows client. I have the server set up and I can connect using my client. When I check my IP at http://www.ipchicken.com it shows correctly. What I want to be able to is set some ports on the server to be open only to clients connected with the VPN. Any ideas about how I would do this?
09:22 <@vpnHelper> Title: IP Chicken - Whats my IP address? ip address lookup (at www.ipchicken.com)
09:23 <@plai> !iptables
09:24 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
09:24 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
09:24 -!- petapetapeta_ [~Peter@6164198-cl69.boa.fiberby.dk] has joined #openvpn
09:26 -!- petapetapeta [~Peter@static.88-198-213-168.clients.your-server.de] has quit [Read error: Operation timed out]
09:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:31 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
09:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
09:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:40 <@Eugene> !blame
09:40 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
09:40 <@Eugene> krzee ^
09:40 <@Eugene> (and no, not me)
09:45 -!- sadon [~debian@37.247.54.157] has joined #openvpn
09:45 < sadon> hi
09:45 < sadon> whats the command to add user to my openVPN serer?
10:00 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 240 seconds]
10:03 < petapetapeta_> I am getting this error: "ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=22]" when connecting to the Ubuntu VPN server I've set up. What could be the cause of this?
10:03 < chrisb> should a client/server config which works in 2.3.2 also work with no changes with 2.3-git?
10:05 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 264 seconds]
10:09 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
10:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:10 -!- mode/#openvpn [+v s7r] by ChanServ
10:16 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:16 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:17 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
10:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wkybslwnoykvrcwf] has quit [Quit: Connection closed for inactivity]
10:26 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
10:27 < reiffert> Hi. Is there a webgui for creating certs and crls?
10:27 <@Eugene> !xca
10:27 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
10:28 < reiffert> Thanks Eugene
10:28 <@Eugene> Not aware of any web guis. Not something I'd really want accessible by browser anyway
10:28 < reiffert> Does it fit into existing easy-rsa setup's .. like easyily convertible and so on?
10:29 <@Eugene> Not a wizard, but it's not hard to import all of your crts/keys.
10:30 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
10:31 < reiffert> How would I best describe the PKI admin role to some non technical decision makers?
10:31 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:31 <@Eugene> Locksmith.
10:32 < reiffert> hm?
10:32 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 245 seconds]
10:32 <@Eugene> It's where all the keys are kept. If somebody has access to a locksmith's shop, they can make any key they want ;-)
10:33 < reiffert> Oh Locksmith. I understand
10:35 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:36 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
10:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
10:39 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
10:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:04 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
11:08 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
11:09 -!- lj1 [~l@74.120.200.95] has joined #openvpn
11:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
11:11 -!- funyun [~temp@23.82.54.67] has joined #openvpn
11:14 -!- LordDrako [~felix@dslb-188-102-182-084.pools.arcor-ip.net] has quit [Quit: Verlassend]
11:15 -!- petapetapeta_ [~Peter@6164198-cl69.boa.fiberby.dk] has quit [Read error: Operation timed out]
11:22 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
11:32 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Quit: Byebye]
11:39 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 246 seconds]
11:39 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:44 -!- fred`` [fred@earthli.ng] has joined #openvpn
11:47 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
11:53 -!- alanjf [~ajf@unaffiliated/alanjf] has quit []
11:54 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: If your not living on the edge, you're taking up too much space]
11:59 -!- p3rror [~mezgani@41.248.214.232] has joined #openvpn
12:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:02 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
12:06 -!- mattock is now known as mattock_afk
12:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:13 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
12:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 265 seconds]
12:31 -!- petapetapeta [~Peter@130.225.165.43] has joined #openvpn
12:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:34 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
12:37 -!- petapetapeta [~Peter@130.225.165.43] has quit [Ping timeout: 240 seconds]
12:45 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
12:51 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-khxutgtgjhglmwwh] has joined #openvpn
12:55 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
12:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 246 seconds]
12:58 -!- Neozonz|Disc2 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has joined #openvpn
13:01 -!- Neozonz [~arajakul@unaffiliated/neozonz] has quit [Ping timeout: 240 seconds]
13:01 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
13:02 < mgorbach> Anyone know if the learn-address script can work with ipv6 addresses? I need to "learn" both ipv4 and ipv6 to get my DNS updated correctly.
13:02 < mgorbach> The TODO file for ipv6 mentions learn-address, which leads me to think it's unimplemented for ipv6?
13:04 -!- p3rror [~mezgani@41.248.214.232] has quit [Ping timeout: 265 seconds]
13:05 -!- jeffkap [~jkaplan@vega.jeffkaplan.net] has joined #openvpn
13:08 < jeffkap> anybody know what service is listening on port 946 on a windows client?
13:13 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:18 -!- sadon [~debian@37.247.54.157] has quit [Quit: Lost terminal]
13:18 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
13:20 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
13:24 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 255 seconds]
13:25 -!- get [219@unaffiliated/get] has quit [Excess Flood]
13:30 <@ecrist> jeffkap: you'll have to get a socket listing with process ID.  946 isn't assigned to anything by IANA
13:31 < jeffkap> ecrist: i'm seeing these lines in the log file
13:32 < jeffkap> 2014-03-21 13:59:33-0400 [-] twisted.web.server.Site starting on 946
13:32 < jeffkap> 2014-03-21 13:59:33-0400 [-] twisted.web.server.Site starting on 944
13:32 <@ecrist> ftr, this is not related to openvpn
13:32 <@ecrist> well, it looks like a web server is starting on those ports
13:33 <@ecrist> oh, it's OpenVPN-AS
13:33 <@ecrist> !as
13:33 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
13:33 < jeffkap> gotcha, thanks
13:33 -!- jeffkap [~jkaplan@vega.jeffkaplan.net] has left #openvpn []
13:34 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:40 -!- lj1 [~l@74.120.200.95] has quit [Quit: Leaving.]
13:43 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:48 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:06 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
14:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:17 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
14:21 -!- master_o1_master [~master_of@p4FD7BE74.dip0.t-ipconnect.de] has joined #openvpn
14:24 -!- master_of_master [~master_of@p4FD7B36E.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
14:27 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
14:28 -!- p3rror [~mezgani@41.140.36.151] has joined #openvpn
14:33 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
14:37 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 246 seconds]
14:37 -!- grendal [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
14:41 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
14:46 -!- grendal [~sgraham@99.22.153.166] has joined #openvpn
14:52 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
14:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uoogbobynplppbop] has joined #openvpn
14:57 <@krzee> mgorbach, i dont use ipv6 so i dunno, but i would expect its supported in 2.3
14:58 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: brb]
15:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:08 -!- sadon [~debian@5.134.1.30] has joined #openvpn
15:08 < sadon> hello
15:08 < sadon> how do i adduser without SSH login?
15:08 < sadon> to openvpn?
15:08 < sadon> PEM
15:08 < Dan39> o_O
15:08 < sadon> ?
15:08 -!- grendal [~sgraham@99.22.153.166] has quit [Ping timeout: 240 seconds]
15:10 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
15:21 -!- dwirc [~irc@d118-75-218-160.try.wideopenwest.com] has quit [Ping timeout: 264 seconds]
15:23 -!- grendal [~sgraham@adsl-75-61-111-1.dsl.pltn13.sbcglobal.net] has joined #openvpn
15:23 -!- grendal [~sgraham@adsl-75-61-111-1.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
15:29 -!- scyld [~scyld@89-73-226-155.dynamic.chello.pl] has joined #openvpn
15:29 -!- scyld [~scyld@89-73-226-155.dynamic.chello.pl] has quit [Changing host]
15:29 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
15:30 -!- sadon [~debian@5.134.1.30] has quit [Quit: Lost terminal]
15:31 -!- sadon [~debian@5.134.1.30] has joined #openvpn
15:36 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:44 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
15:45 -!- dwirc [~irc@d118-75-218-160.try.wideopenwest.com] has joined #openvpn
15:47 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
15:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:04 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit []
16:04 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:05 < mgorbach> krzee, hmm, looking at the source, it might actually be
16:09 -!- sadon [~debian@5.134.1.30] has quit [Quit: Lost terminal]
16:11 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:15 < mgorbach> Hmm, I'm trying to set up a learn-address script, but I'm getting WARNING: Failed running command (--learn-address): could not execute external program
16:15 < mgorbach> The file is 777 ... what am I missing?
16:25 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
16:35 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
16:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:40 < pekster> mgorbach: No (or invalid) shebang?
16:40 < mgorbach> @pekster, yeah looks like that was the problem
16:40 < mgorbach> Does anyone know if I can force openvpn to run the learn-address script as root even though it has dropped priveledges to nobody?
16:41 < pekster> sudo or the suid bit
16:42 < pekster> Or don't downgrade
16:46 -!- mattock_afk is now known as mattock
16:52 -!- mikemol [~mikemol@162.17.129.77] has quit [Read error: Connection reset by peer]
16:56 -!- mattock is now known as mattock_afk
16:59 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Ping timeout: 240 seconds]
17:02 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has joined #openvpn
17:06 -!- mattock_afk is now known as mattock
17:07 -!- Neozonz|Disc2 [~arajakul@CPE20e52a22f551-CM68b6fc3d43d0.cpe.net.cable.rogers.com] has quit [Ping timeout: 240 seconds]
17:12 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
17:15 -!- joshh20-Away is now known as joshh20
17:17 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has quit [Remote host closed the connection]
17:20 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-khxutgtgjhglmwwh] has quit [Quit: Connection closed for inactivity]
17:23 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
17:24 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:32 -!- p3rror [~mezgani@41.140.36.151] has quit [Ping timeout: 245 seconds]
17:33 -!- p3rror [~mezgani@41.140.36.151] has joined #openvpn
17:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:12 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
18:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:15 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
18:16 -!- funyun [~temp@23.82.54.67] has quit [Ping timeout: 252 seconds]
18:17 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:48 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:51 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:55 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
18:56 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:01 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
19:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:08 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
19:22 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
19:38 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:38 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
19:41 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-qlbxmtffooziifal] has joined #openvpn
20:00 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
20:00 < cornfeedhobo> hello again
20:03 < cornfeedhobo> I am using openvpn on a gentoo host and kubuntu +networkmanager+openvpn as a client. right now I am trying to setup ipv6 support for an already working tunnel. so far i am getting ipv6 addresses assigned, and am able to ping both the public(eth0) and private (tun) ipv6 addresses that exist on the server, and i have masquerading setup, but I can not ping google's ipv6 dns address. I am assuming that this is an ipv6 routing issue and  i am
20:03 < cornfeedhobo> simply not pushing the proper routes.
20:03 < cornfeedhobo> ping from the connected client that is
20:06 < cornfeedhobo> currently i am using push "redirect-gateway def1" for the ipv4 tunnel, does this also affect the ipv6 route default? https://ezcrypt.it/Tn8n#K0D42gNExkAjoVYuXGUz9Yth   it looks like my ipv6 default route is already the tun device... is there something i am missing?
20:06 <@vpnHelper> Title: EZCrypt - Paste (at ezcrypt.it)
20:10 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 240 seconds]
20:13 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
20:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
20:19 < cornfeedhobo> haha... nvm... of course i forgot to turn on ipv6 forwarding :3
20:19 < cornfeedhobo> sorry for the spam
20:32 -!- joshh20 is now known as joshh20-Away
20:59 -!- lj [~l@c-98-214-132-144.hsd1.il.comcast.net] has joined #openvpn
21:09 -!- Martyn [~Martin@adsl-76-254-22-110.dsl.pltn13.sbcglobal.net] has joined #openvpn
21:09 -!- Martyn [~Martin@adsl-76-254-22-110.dsl.pltn13.sbcglobal.net] has quit [Max SendQ exceeded]
21:11 -!- Martyn [~Martin@adsl-76-254-22-110.dsl.pltn13.sbcglobal.net] has joined #openvpn
21:29 < cornfeedhobo> ... no one still around?
21:42 -!- lj [~l@c-98-214-132-144.hsd1.il.comcast.net] has quit [Quit: Leaving.]
21:50 -!- Martyn [~Martin@adsl-76-254-22-110.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 240 seconds]
21:54 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
21:56 -!- car_ [~car@ip-109-47-143-105.web.vodafone.de] has joined #openvpn
21:58 -!- Hes [WIS@tunkki.fi] has quit [Ping timeout: 255 seconds]
21:58 -!- car [~car@pd95cfe54.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
21:58 -!- car__ [~car@pd95cfe54.dip0.t-ipconnect.de] has joined #openvpn
21:59 -!- Hes [xyPto2j8@tunkki.fi] has joined #openvpn
22:02 -!- car_ [~car@ip-109-47-143-105.web.vodafone.de] has quit [Ping timeout: 240 seconds]
22:09 -!- Martyn [~Martin@216.38.134.150] has quit [Ping timeout: 240 seconds]
22:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:49 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has quit [Quit: When I leave, come together like butt cheeks]
22:50 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
23:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-qlbxmtffooziifal] has quit [Quit: Connection closed for inactivity]
23:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uoogbobynplppbop] has quit [Quit: Connection closed for inactivity]
23:37 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Ping timeout: 255 seconds]
23:44 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
23:46 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has quit [Quit: When I leave, come together like butt cheeks]
23:46 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
23:49 -!- funyun [~temp@199.16.191.140] has joined #openvpn
23:49 -!- ron_ [~ron@ppp118-210-37-193.lns20.adl2.internode.on.net] has quit [Ping timeout: 264 seconds]
23:49 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
23:50 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
23:50 -!- ron_ [~ron@ppp118-210-185-93.lns20.adl6.internode.on.net] has joined #openvpn
--- Day changed Sat Mar 22 2014
00:00 -!- Netsplit *.net <-> *.split quits: Eneerge, clu5ter
00:00 -!- Netsplit over, joins: clu5ter
00:10 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
00:19 -!- Eneerge [eneergealt@ipv6.eneerge.org] has joined #openvpn
00:22 -!- Eneerge [eneergealt@ipv6.eneerge.org] has quit [Changing host]
00:22 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
00:24 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 240 seconds]
00:26 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
00:28 -!- GregB_ [~GregB@107-218-5-81.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
01:21 -!- Netsplit *.net <-> *.split quits: Eneerge
01:32 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
01:35 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
01:37 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
01:43 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
01:52 -!- Netsplit over, joins: Eneerge
02:10 -!- Devastatr [~devas@177.18.198.229] has joined #openvpn
02:11 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
03:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:21 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Read error: Connection reset by peer]
03:31 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
03:32 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
03:45 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
03:45 < CygniX> is it normally recommend or good practice to change default 1194 port?
04:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
04:05 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
04:12 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
04:12 -!- funyun [~temp@199.16.191.140] has quit [Ping timeout: 240 seconds]
04:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Client Quit]
04:21 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Ping timeout: 255 seconds]
04:24 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
04:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:51 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
05:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
05:20 -!- diverse [~diverse@unaffiliated/diverse] has joined #openvpn
05:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
05:23 < diverse> When connecting to a openvpn server, I'm getting a very slow connection to the point it is unusable on my linux machine. I do the same on a windows 7 machine in my lan but is able to get a decent connection. Can someone help me here?
05:39 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
05:50 < snappy> diverse: perhaps packet loss?
05:50 < snappy> try flood ping to the gateway on the linux machine (make sure to disable icmp rate limiting in both sysctl and firewalls)
05:51 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 240 seconds]
06:01 -!- mattock is now known as mattock_afk
06:12 -!- mattock_afk is now known as mattock
06:16 < diverse> snappy: I get about 22% packet loss. I tried manually increasing the icmp_ratelimit from 1000 to 10000, and I get the same amount of packet loss from ping flooding.
06:17 < diverse> to my gateway
06:18 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
06:28 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-youkxujaoaqhcupb] has joined #openvpn
06:29 < snappy> diverse: set the rate limit sysctls to 0, that disables it
06:29 < snappy> but in any case, 22% pcaket loss sounds bad.
06:29 < snappy> what if you ping flood the public ip without openvpn?
06:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:36 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:47 < diverse> snappy: well it turns out from ping flooding my public ip, I get 100% packet loss... this is weird
06:48 < diverse> and I did set the rate limit to 0
06:49 < diverse> 'echo 0 > /proc/sys/net/ipv4/icmp_ratelimit'
06:49 -!- makara [~makara@105-208-239-93.access.mtnbusiness.co.za] has joined #openvpn
07:04 -!- p3rror [~mezgani@41.140.36.151] has quit [Read error: Operation timed out]
07:09 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:14 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 246 seconds]
07:21 < diverse> snappy: I think I found the problem. Thanks for pointing me in the right direction. :)
07:21 -!- p3rror [~mezgani@41.140.157.69] has joined #openvpn
07:40 -!- diverse [~diverse@unaffiliated/diverse] has quit [Quit: WeeChat 0.4.3]
07:43 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
07:47 -!- mikemol [~mikemol@2001:470:c5b9:beef:71a6:8d1f:672d:1b8e] has joined #openvpn
07:48 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
08:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
08:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
08:20 -!- Devastatr [~devas@177.18.198.229] has quit [Changing host]
08:20 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
08:20 -!- Devastatr is now known as Devastator
08:24 -!- Hes [xyPto2j8@tunkki.fi] has quit [Ping timeout: 240 seconds]
08:25 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
08:34 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
08:44 -!- joshh20-Away is now known as joshh20
08:46 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:50 -!- Hes [tunoujIp@tunkki.fi] has joined #openvpn
08:57 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
08:59 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
09:01 -!- Netsplit *.net <-> *.split quits: gardar, aef, cripto, kisom, mrrg, mcp, rkantos, mitz, dogewaat_, kantlivelong,  (+18 more, use /NETSPLIT to show all of them)
09:01 -!- Netsplit over, joins: rkantos, Aketzu, lazzer, andi, Rienzilla
09:01 -!- Netsplit over, joins: NChief
09:01 -!- yauz [9571c35871@osgiliath.yauz.de] has joined #openvpn
09:01 -!- Netsplit over, joins: dren
09:01 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
09:01 -!- Netsplit over, joins: raidz
09:01 -!- mode/#openvpn [+o raidz] by ChanServ
09:01 -!- Netsplit over, joins: exa
09:01 -!- mete [~mete@91.247.253.160] has joined #openvpn
09:01 -!- Netsplit over, joins: cripto, kisom
09:02 -!- Netsplit over, joins: jtrucks, krphop
09:02 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
09:02 -!- mcp [~mcp@178.63.188.211] has joined #openvpn
09:02 -!- roma [~roma@198.199.116.181] has joined #openvpn
09:02 -!- mitz [~mitz@122.212.45.242] has joined #openvpn
09:02 -!- riddle [riddle@76.72.170.57] has joined #openvpn
09:02 -!- Netsplit over, joins: gardar, _KaszpiR_
09:02 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-kfrkumtagkjlixkj] has joined #openvpn
09:03 -!- aef [~smuxi@schweinehegel.raxys.net] has joined #openvpn
09:03 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
09:05 -!- mnathani [~mnathani@constance.winvive.com] has quit [Ping timeout: 367 seconds]
09:05 -!- mnathani1 [~mnathani@constance.winvive.com] has joined #openvpn
09:06 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
09:06 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
09:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
09:07 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
09:07 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
09:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-xmxxikifgjgakrhe] has quit [Disconnected by services]
09:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-yqhkyzwccjmyrxac] has joined #openvpn
09:15 -!- Cr4zi3 [~killaz@76.74.171.253] has quit [Quit: changing servers]
09:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
09:16 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Excess Flood]
09:16 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
09:17 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
09:18 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:19 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
09:22 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
09:22 -!- makara [~makara@105-208-239-93.access.mtnbusiness.co.za] has quit [Quit: Leaving]
09:27 -!- digilink [~digilink@unaffiliated/digilink] has quit [Quit: ZNC - http://znc.in]
09:28 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:30 -!- digilink [~digilink@unaffiliated/digilink] has joined #openvpn
09:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:41 -!- digilink [~digilink@unaffiliated/digilink] has quit [Ping timeout: 245 seconds]
09:42 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
09:42 -!- Hes [tunoujIp@tunkki.fi] has quit [Read error: Operation timed out]
09:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 245 seconds]
09:44 -!- converge [~converge@189.7.3.101] has joined #openvpn
09:44 -!- converge [~converge@189.7.3.101] has quit [Changing host]
09:44 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
09:44 -!- converge [~converge@unaffiliated/joaop] has quit [Client Quit]
09:49 -!- Hes [OwwhJ8j@tunkki.fi] has joined #openvpn
09:57 -!- jave [~jave@85.24.235.102] has quit [Quit: ZNC - http://znc.in]
10:01 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
10:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
10:45 -!- MACscr|lappy [~MACscrlap@173-165-109-75-Illinois.hfc.comcastbusiness.net] has joined #openvpn
10:57 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
11:01 -!- master_o1_master [~master_of@p4FD7BE74.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
11:05 -!- master_of_master [~master_of@p4FF2486F.dip0.t-ipconnect.de] has joined #openvpn
11:09 -!- MACscr|lappy [~MACscrlap@173-165-109-75-Illinois.hfc.comcastbusiness.net] has quit [Ping timeout: 246 seconds]
11:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:13 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Read error: Connection reset by peer]
11:15 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
11:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
11:38 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Read error: Connection reset by peer]
11:39 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
12:02 -!- gffa_ is now known as gffa
12:03 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:04 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
12:06 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has left #openvpn ["when i leave, come together like butt cheeks"]
12:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:12 -!- converge [~converge@189.7.3.101] has joined #openvpn
12:12 -!- converge [~converge@189.7.3.101] has quit [Changing host]
12:12 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
12:15 -!- u0m3_ [~u0m3@109.96.165.13] has joined #openvpn
12:16 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
12:16 -!- u0m3_ [~u0m3@109.96.165.13] has quit [Read error: Connection reset by peer]
12:17 -!- u0m3 [~u0m3@92.80.123.206] has quit [Ping timeout: 240 seconds]
12:21 -!- u0m3 [~u0m3@92.80.121.87] has joined #openvpn
12:21 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
12:29 -!- p3rror [~mezgani@41.140.157.69] has quit [Read error: Operation timed out]
12:35 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
12:48 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
12:53 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:56 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
12:57 -!- Martyn [~Martin@216.38.134.150] has joined #openvpn
12:58 -!- joshh20 is now known as joshh20-Away
13:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
13:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:13 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:14 -!- phunyguy_ is now known as phunyguy
13:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
13:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:20 -!- s7r_h [~s7r@openvpn/user/s7r] has joined #openvpn
13:20 -!- mode/#openvpn [+v s7r_h] by ChanServ
13:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Disconnected by services]
13:20 -!- s7r_h is now known as s7r
13:27 -!- Rolybrau [noident@unaffiliated/rolybrau] has joined #openvpn
13:49 -!- Latrina [~Latrina@host116-237-dynamic.211-62-r.retail.telecomitalia.it] has joined #openvpn
13:50 -!- Latrina [~Latrina@host116-237-dynamic.211-62-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
13:51 -!- lj1 [~l@c-98-214-132-144.hsd1.il.comcast.net] has joined #openvpn
14:04 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
14:08 -!- Martyn [~Martin@216.38.134.150] has quit []
14:10 -!- lj1 [~l@c-98-214-132-144.hsd1.il.comcast.net] has quit [Quit: Leaving.]
14:13 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:16 < Latrina> Hello people .. I am trying to test my OpenVPN connection speed and I am using iperf
14:16 < Latrina> when I test the upload of tot mbs I get this output on the client side
14:16 < Latrina> [  4] Sent 8505 datagrams
14:16 < Latrina> [  4] WARNING: did not receive ack of last datagram after 10 tries.
14:17 < Latrina> while on the server side I get little no output, when normally you would get the progress of the transfer, latency and hops ..
14:18 < Latrina> I have tested my local connection speed with iper and it works amazingly .. what am I doing wrong ??
14:19 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
14:32 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
14:34 -!- joshh20-Away is now known as joshh20
14:37 -!- SoWhat [~SoWhat@46.109.150.216] has joined #openvpn
14:38 < SoWhat> hello! I am trying to install OpenVPN on my CentOS 6.5, but none of manuals I have found in google actually work, can you give me a link to manual that works on latest CentOS with latest OpenVPN ?
14:40 < SoWhat> the main problems are with EasyRSA
14:42 < pekster> !easyrsa
14:42 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
14:42 < pekster> Docs for both the legacy ("current") 2.x and the next-gen 3.x stuff there. Choose what you're using and follow the relevant guide
14:43 < pekster> Ask here if you get stuck. See also: !certman for alternatives, but all will require you to read their associated documentation
14:46 < SoWhat> thanks for replay
14:46 < SoWhat> I have stuck on the step where it is required to copy this: cp -rf easy-rsa-master/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
14:47 < SoWhat> easy-rsa directory doesn't exist
14:47 < pekster> That's not listed anywhere on the howto I just linked you
14:48 < pekster> All bets are off if you're using someone else's docs (in which case you should bug them)
14:52 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Ping timeout: 245 seconds]
15:02 -!- red-lichtie [~red-licht@host86-170-42-78.range86-170.btcentralplus.com] has joined #openvpn
15:04 -!- tacajushi [~tacajushi@ks211235.kimsufi.com] has joined #openvpn
15:05 < red-lichtie> Hi. I have a question about openvpn that I can't find an answer to. I would like to use tap/bridging for my VPN but I see that the Android client can only use tun mode. Can I have the server in tap mode and the clients using both modes or do I need to set up 2 server instances, one for each mode ?
15:06 < pekster> You'd need separate instances. But you probably don't need bridging in the first place. Read about why from the both with: !tunortap and !whybridge
15:06 < pekster> from the bot*
15:06 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
15:08 < red-lichtie> I want to have a seamless connection for my PCs and I can live with no broadcast support for Android. So 2 instances it will have to be. Thinking about it, I suppose mixing lvl2 and lvl3 is impossible anyway. Thanks pekster
15:08 < tacajushi> hi guys, I want to route entire traffic via vpn server (web browser etc.) I have the following configuration: http://paste.kde.org/ptfwsjhep/blahi8/raw  of course, I can ping the openvpn server, yet not the external host
15:09 < pekster> IP is seamless to anything at or above OSI L3; what are you using that sends raw-Ethernet frames that isn't IP?
15:09 < pekster> tacajushi: you'll want to follow the info (flowchart is helpful) at:
15:09 < pekster> !redirect
15:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:09 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:10 -!- SoWhat [~SoWhat@46.109.150.216] has quit [Ping timeout: 240 seconds]
15:12 -!- Rolybrau [noident@unaffiliated/rolybrau] has quit [Quit: Rolybrau]
15:16 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:18 < tacajushi> pekster: is nat enabled on the vpn subnet how to check it?
15:21 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
15:22 < pekster> That depends on your platform, which is why the deatils you got hinted at !nat
15:22 < red-lichtie> pesker I'll only be doing IP (TCP & UDP) and I see that I have version 2.3 so IPv6 shouldn't be an issue either. Is that correct?
15:23 < tacajushi> !nat
15:23 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
15:24 < red-lichtie> pekster: I'll only be doing IP (TCP & UDP) and I see that I have version 2.3 so IPv6 shouldn't be an issue either. Is that correct?
15:25 < pekster> Right, no need for bridging if you'll be using TCP/UDP (and probably implicitly ICMP too.) 2.3 supports dual-stack inside the tunnel, and either one as the transport
15:25 < KarlBauman> how to do this command in easyrsa3 ? ./build-key-server server
15:26 < pekster> Ideally you don't do that KarlBauman: it's highly recommended to generate keys on the target systems then transport the CSR to your CA, sign it, then return a signed cert
15:27 < pekster> If you want to do it anyway, read about `./easyrsa help build-server-full`
15:27 < KarlBauman> thanks
15:28 < pekster> fwiw, doing the "-full" commands in v3 is a bit like sending out your housekeys by mail when you want copies ;)
15:28 < pekster> You can do it, but…
15:29 < KarlBauman> this is my first experiance with VPN so I need to stick to manuals that I have found.. Later I can try to experiment and make it more secure
15:30 < pekster> There is a howto for v3 and the -full stuff isn't in it ;)
15:30 < pekster> !easyrsa
15:30 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
15:30 < pekster> #4 above
15:31 < KarlBauman> yeah, I saw it, but it is a bit too complicated for a beginner like me:)
15:31 < pekster> Copy and pastable commands is hard? Oh my
15:32 < KarlBauman> I am using this manual https://www.digitalocean.com/community/articles/how-to-setup-and-configure-an-openvpn-server-on-centos-6
15:32 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
15:32 < pekster> NFI
15:32 < pekster> I don't care to fix all the (frequetnly broken) guides on the 'Net
15:32 < pekster> YMMV with things downstream. If they can't be bothered to filter improvements upstream, I can't be bothered to care
15:34 < pekster> If you're trying to use v3 "like v2" then sure, the -full stuff should do what you want. But really openvpn doesn't care how you generate the certs/keys so long as you have a working collection when you're done
15:34 < KarlBauman> okay
15:35 -!- tarball [~quassel@port-52005.pppoe.wtnet.de] has joined #openvpn
15:42 -!- EnginA [~e@ea.tl] has joined #openvpn
15:42 < EnginA> everything works fine except concurrent connections. when i connect from my phone, my desktop connection drops.
15:42 < tacajushi> I've done everyrhing as here: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect and I still have no working openvpn http://paste.kde.org/p30ppvwdz/gpii8i/raw
15:42 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:42 < EnginA> (i set up the openvpn server on my vps) and pointers?
15:42 < pekster> EnginA: Right, normally you issue separate certs. If you really want concurrent connections from the same cert, see:
15:43 < pekster> !dupe
15:43 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
15:43 < EnginA> oh ok
15:44 < EnginA> i wished i copied my steps when i used to prepare the bundle :/
15:44 < pekster> tacajushi: Not nearly enough there to even guess as to what's wrong. The /TOPIC suggests you supply !configs and !logs, which will be necessary here. Please mind the format requested in each
15:44 < EnginA> !pki
15:44 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
15:44 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
15:45 < tacajushi> !configs
15:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:45 -!- red-lichtie [~red-licht@host86-170-42-78.range86-170.btcentralplus.com] has quit [Quit: Leaving.]
15:46 < tacajushi> !logs
15:46 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:49 < tacajushi> !logfile
15:49 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
15:49 -!- deever [~deever@148.251.52.112] has left #openvpn []
15:51 -!- mattock is now known as mattock_afk
15:53 < tacajushi> pekster: http://paste.kde.org/pnfvrhivx/hyveal/raw
15:55 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
15:55 < EnginA> ok another cert works great
15:55 < EnginA> thanks
15:55 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
15:55 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Client Quit]
15:56 -!- tarball [~quassel@port-52005.pppoe.wtnet.de] has quit [Quit: none]
16:00 < pekster> tacajushi: That's not a complete log; at the end it will either connect or time out after 60 seconds. If you time out, the server is either not getting, or refusing the connection. Since there's no server log, that remains a mystery
16:00 < pekster> EnginA: Yup, that's the better choice (that way you can revoke a cert if one device is lost/compromised but the other one remains trusted)
16:03 < tacajushi> pekster: http://paste.kde.org/pxkqn9dtj/o3z8e8/raw
16:06 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
16:06 < pekster> An earlier session is getting terminated in that log; you should verify you have only a single connection to your server with the client's keypair
16:07 < pekster> Otherwise everything appears fine from the server-side. Without logs showing a successfull connection from your client you won't actually know if everything worked there or not
16:07 < tacajushi> pekster: yes, because I reconnect to the server, I guess its not the issue here, I can ping 10.8.0.1, but not the 8.8.8.8
16:07 < pekster> But routes might be
16:07 < pekster> Since you didn't produce a _useful_ log from the client, that can't be checked
16:08 < pekster> The 'packet dropped' can usually be ignored; it just means some application on your client is brain-dead and can't route properly (or you fundamentally screwed up routing on the client; that's less common)
16:09 < tacajushi> pekster: how about this http://paste.kde.org/p4f2gfukb/uoq8jq/raw ?
16:09 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
16:10 < pekster> Much better; all the routes came up without error, so the client & routing setup looks good. If you traceroute to 8.8.8.8, how far do you get? Just the first-hop to 10.8.0.1?
16:13 < pekster> tacajushi: Oh, did you do that NAT stuff on the client? Or is wlp2s6 _also_ your uplink on the server? You NAT on the server, not the client
16:13 < tacajushi> pekster: yes, fist hop
16:13 < tacajushi> first*
16:13 < pekster> (routers do NAT, not their downstream clients)
16:13 < tacajushi> I didn't on the server
16:14 < tacajushi> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE like that?
16:14 < pekster> Sure. You should put that into your distro's perferred way to load rules automatically on boot, but that's distro-specific
16:16 < tacajushi> pekster: it's working now, thanks a million
16:16 < tacajushi> I've been strugglig with this like 6 hours
16:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:20 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vcljmytziienbbrh] has joined #openvpn
16:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
16:26 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
16:27 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
16:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:31 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
16:31 < SoWhat> can I use build in VPN client in Windows 8 for OpenVPN ?
16:35 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
16:38 < pekster> Nope. See:
16:38 < pekster> !notcompat
16:38 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
16:39 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:39 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:39 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:39 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:40 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:40 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:41 < SoWhat> tnx
16:42 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:42 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:43 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:43 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:43 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:43 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:46 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:46 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:46 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:46 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:47 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:47 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:47 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:47 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:50 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:50 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
16:59 -!- tacajushi [~tacajushi@ks211235.kimsufi.com] has left #openvpn ["EKG2 bejbi! http://ekg2.org/"]
17:06 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
17:07 < SoWhat> I finnaly managed to get OpenVPN client to start connecting to server, but it is already connecting for few minutes. Any ideas? https://www.dropbox.com/s/56ikeltpp5fn3hu/Screenshot%202014-03-23%2000.07.14.png
17:07 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-23 00.07.14.png (at www.dropbox.com)
17:11 < SoWhat> windows firewall is disabled
17:13 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
17:15 -!- Martyn [~Martin@162-232-173-152.lightspeed.sntcca.sbcglobal.net] has left #openvpn []
17:17 < pekster> That's not OpenVPN
17:17 < pekster> !connect
17:17 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969
17:18 < SoWhat> !download
17:18 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:18 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:24 < SoWhat> so which is the correct OenVPN client for Windows? I opened link the bot gave me, but there is no client, only server
17:25 -!- mback2k_ is now known as mback2k
17:27 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:27 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
17:27 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:27 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
17:28 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:28 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:28 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
17:28 -!- joshh20 is now known as joshh20-Away
17:29 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Read error: Operation timed out]
17:29 < pekster> SoWhat: OpenVPN does both. There is no "client" or "server" download. That's why the download info you got said, "there is no separate download for client/server, it is the same install with different configs"
17:29 < SoWhat> than how can I run client?
17:29 < pekster> !gui
17:29 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
17:30 < pekster> Maybe you should read !howto if you need the basics
17:30 < pekster> !new
17:30 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
17:30 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:30 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
17:31 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:31 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Excess Flood]
17:31 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:32 < SoWhat> okay, so this gui is the right client https://www.dropbox.com/s/0bff15wjh37xet5/Screenshot%202014-03-23%2000.32.04.png
17:32 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-23 00.32.04.png (at www.dropbox.com)
17:32 < pekster> Yup, although nearly all users shouldn't mess with the 'settings'
17:32 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
17:33 < pekster> Did you see the wiki info at !gui I gave you? That'll tell you everything you need to use the Windows GUI frontend. If you need help creating config files, what you really want is !howto
17:34 < pekster> https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI#Creatingandplacingconfigfiles
17:34 <@vpnHelper> Title: OpenVPN-GUI – OpenVPN Community (at community.openvpn.net)
17:35 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
17:42 < SoWhat> !howto
17:42 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
17:43 < SoWhat> It tries to connect to wrong IP, I cant find where is the server IP set
17:43 < pekster> Read about --remote in the manpage
17:43 < pekster> !man
17:43 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:46 < SoWhat> any ideas? https://www.dropbox.com/s/os82cclqop6zfyj/Screenshot%202014-03-23%2000.46.12.png
17:46 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-23 00.46.12.png (at www.dropbox.com)
17:47 -!- mback2k is now known as mback2k_
17:50 < pekster> The connection timed out; check your server logs
17:50 < pekster> Chances are good your client's request never makes it that far
17:51 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
17:51 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
17:51 < pekster> 17:50:34 < pekster> The connection timed out; check your server logs
17:51 < pekster> r
17:51 < pekster> 17:50:49 < pekster> Chances are good your client's request never makes it that far
17:52 < pekster> Also, TCP is best avoided
17:52 < pekster> !tcp
17:52 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
17:59 < SoWhat> there is something else happening when I changed to UDP https://www.dropbox.com/s/51ohucgigy95im7/Screenshot%202014-03-23%2000.57.01.png  server logs are empty
17:59 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-23 00.57.01.png (at www.dropbox.com)
18:00 < pekster> Text files are preferred for logs
18:01 < pekster> With nothing at all at --verb 4 on your server, packets aren't arriving
18:01 < pekster> Something is preventing them from getting delivered, or you supplied the wrong IP/port
18:02 < pekster> Probably your firewall, but some router in the path could be blocking things too (nmap can help, possibly with the --trace target)
18:02 < pekster> !nmap
18:03 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
18:03 -!- EnginA [~e@ea.tl] has left #openvpn ["WeeChat 0.3.7"]
18:03 < SoWhat> thats weird, because this first commercial client displayed information about SSL sertificate
18:04 < SoWhat> Company name etc
18:04 < pekster> Are you using OpenVPN on your server?
18:04 < SoWhat> yes
18:04 < pekster> Not Access Server, which is a commercial wrapper around OpenVPN?
18:05 < SoWhat> I installed it using this command yum install openvpn -y
18:06 -!- converge [~converge@189.7.3.101] has joined #openvpn
18:06 -!- converge [~converge@189.7.3.101] has quit [Changing host]
18:06 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:06 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
18:06 < pekster> Sounds like the right thing then. Your port/protocol needs to match, and the packet must be allowed through every host it's passing through
18:06 < pekster> Figure out what system is blocking it
18:07 < SoWhat> OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
18:07 < pekster> Did you have your !configs pasted somewhere yet?
18:08 < SoWhat> http://pastebin.com/7rh7Gqj2
18:10 < pekster> That would be on config
18:11 < pekster> Also you messed up the plugin line; those trailing 2 options are supposed to be their own directives, not options to the plugin directive
18:11 < pekster> one*
18:11 < pekster> !configs
18:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
18:11 -!- CygniX [~CygniX@unaffiliated/twois10] has left #openvpn ["Konversation terminated!"]
18:12 < pekster> And don't use 192.168.1.0 as your server-side network; you'll encounter problems if any of your clients connect from that network (as is common on millions of SOHO devices)
18:15 < SoWhat> ok
18:16 < pekster> Oh, 'TLS handshake failed' (this really is a lot easier if you paste logs as text, not png files.) So your server rejected it
18:16 < pekster> THere _will_ be otuput in the logs
18:16 < pekster> !logs
18:16 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:16 < pekster> Looks like your keys/certs aren't valid
18:17 < pekster> Oh, nm, that's just the timeout. So, same as before; packets don't arrive
18:17 < pekster> Firewall somewhere (your server, or maybe your ISP or such)
18:23 < SoWhat> can you tell me which iptable rules I have to use?
18:24 < SoWhat> in the manual it is written only this one "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
18:26 < pekster> !netfilter
18:26 <@vpnHelper> "netfilter" is Under Linux, use `iptables-save` to show firewall rulesets (add -c to include counters.) Do not use iptables -L as it is incomplete & often lies. #netfilter is more on-topic for detailed help.
18:26 < pekster> The "rules to use" depend greatly on your setup
18:27 < SoWhat> I can't believe port 1194 is not mentioned
18:27 < pekster> It's rather assumed you know how to use the firewall on your OS if you're setting up a VPN server
18:28 < SoWhat> my setup is very simple, I am at home and my server is somewhere far away on different ISP
18:28 < pekster> And you honestly had no clue you had to allow network traffic through the network firewall on your server? Really?
18:28 < pekster> It's not magic, and you managed to put the 'port' and 'proto' in your server config
18:29 < SoWhat> this magic is somethimes called upnp or something like this
18:29 < pekster> SOHO bullshit, mostly
18:29 < pekster> Real networks don't use upnp to do things ;)
18:30 < pekster> Although I do enjoy the shitty upnp on my netgear AP (it's a router too, but I only use it as a dumb AP.) I'm able to get it to NAT an external (Internet-sources) connection to _another_ LAN client. Super secure ;)
18:30 < pekster> So yea, upnp is a joke in most SOHO appliances
18:31 < pekster> http://openvpn.net/index.php/open-source/documentation/howto.html#start
18:31 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:31 < pekster> Also, read harder
18:31 < pekster> opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
18:31 < pekster> Right in the howto
18:47 < SoWhat> btw, this is my client config http://pastebin.com/BZPnGS7H
18:48 < pekster> Don't use the --persist options on clients; it'll cause problems if the IP ever changes, and since you can't downgrade permission anyway it's silly
18:48 < pekster> Otheriwse just fine, and not your problem here. Your problem is that packets don't arrive
18:48 < pekster> Go figure out why & fix it
18:49 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 265 seconds]
18:49 -!- esde [~esde@107.150.1.2] has joined #openvpn
19:00 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:10 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
19:14 < SoWhat> this is what I see in logs https://www.dropbox.com/s/4ml724a5a9ra6lx/Screenshot%202014-03-23%2002.13.44.png
19:14 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-23 02.13.44.png (at www.dropbox.com)
19:15 < pekster> That's even uglier than your last photos
19:15 < pekster> What's wrong with text files?
19:15 < pekster> http://fpaste.org/
19:15 < pekster> !paste
19:15 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#2) gist allows multiple files per paste, useful if you have several files to show
19:17 < pekster> 11232, creative counting methinks
19:17 < pekster> !forget paste 2
19:17 <@vpnHelper> Joo got it.
19:17 < pekster> !learn pastebin as gist allows multiple files per paste, useful if you have several files to show
19:17 <@vpnHelper> Joo got it.
19:18 < SoWhat> sorry :) http://pastebin.com/8FenvP3S
19:20 <@Eugene> !paste
19:20 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments
19:20 <@Eugene> !pastebin
19:20 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
19:20 <@Eugene> Well that's just screwy.
19:22 < pekster> I fixed it
19:22 < pekster> !paste
19:22 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments
19:22 < pekster> paste is a link to pastebin
19:22 < pekster> Or, hmm, 3 vs 4? :\
19:23 < pekster> ERR_NOT_ENOUGH_BEER
19:24 < pekster> SoWhat: The openvpn process can't send packets to the network
19:25 < pekster> Fix your (likely) broken firewall
19:25 < SoWhat> but error log shows, that something is received and openvpn is trying to replay, correct?
19:26 < pekster> Also, outbound filtering is an advanced topic that you Should Not Do™ unless you are an expert and Know What You're Doing™
19:26 < pekster> Yes
19:27 < pekster> !forget paste
19:27 <@vpnHelper> Joo got it.
19:27 < pekster> !learn paste as [patebin]
19:27 <@vpnHelper> Joo got it.
19:27 < pekster> Ugh
19:27 <@Eugene> That uh. Yeah.
19:27 < pekster> !forget paste
19:27 <@vpnHelper> Joo got it.
19:28 < pekster> !learn paste as [pastebin]
19:28 <@vpnHelper> Joo got it.
19:28 < pekster> !paste
19:28 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
19:28 < pekster> So did it just not update before? wtf?
19:28 < pekster> !learn pastebin as x
19:28 <@vpnHelper> Joo got it.
19:28 < pekster> !paste
19:28 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
19:28 <@Eugene> No, it stores it statically
19:28 < pekster> Oh, humph. Not helpful :(
19:28 < pekster> !forget pastebin 5
19:28 <@vpnHelper> Joo got it.
19:28 <@Eugene> Yeah, supybot is pretty shit in that regard
19:28 <@Eugene> I've moved to gitinfo for my factoid bot
19:29 < pekster> Yea, #git has a nice bot
19:29 < pekster> Plus a nice VCS :P
19:34 <@Eugene> It's a good object storage model, but TBQH the `git` family of commands are pretty shitacular.
19:36 < SoWhat> you were right about OUTBOUND filtering
19:36 < SoWhat> I have default policy to drop it ;)
19:41 < SoWhat> openvpn GUI shows that everything is okay, but my IP hasnt changed :(
19:52 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
19:55 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
19:59 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
20:00 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 268 seconds]
20:00 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
20:00 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
20:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vcljmytziienbbrh] has quit [Quit: Connection closed for inactivity]
20:04 <@Eugene> !redirect
20:04 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:04 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:04 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
20:05 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
20:17 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 240 seconds]
20:18 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
20:23 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 246 seconds]
20:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:30 -!- converge [~converge@189.7.3.101] has joined #openvpn
20:30 -!- converge [~converge@189.7.3.101] has quit [Changing host]
20:30 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:30 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-uhmlqxcvfrlwmxss] has joined #openvpn
20:38 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
20:42 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 240 seconds]
20:51 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
20:57 -!- s0meone is now known as someone
21:10 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
21:12 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 240 seconds]
21:15 < KarlBauman> AES encription seems to be quite slow, is there something faster available?
21:16 < pekster> BF for CPU speed, or AES when you have hw acceleration available
21:16 < pekster> Or nothing, of course
21:18 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
21:21 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 265 seconds]
21:21 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
21:23 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 240 seconds]
21:25 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
21:27 < BtbN> AES is actualy one of the faster encrpytions
21:27 < pekster> It's slower than BF in CPU
21:27 < pekster> (w/out acceleration)
21:28 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
21:33 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
21:35 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Read error: Operation timed out]
21:38 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
21:38 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
21:40 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
21:40 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
21:46 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
21:46 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
21:50 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
21:51 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 246 seconds]
21:51 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
21:52 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
21:54 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
21:56 -!- car_ [~car@ip-109-47-53-130.web.vodafone.de] has joined #openvpn
21:58 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
21:59 -!- car__ [~car@pd95cfe54.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
21:59 -!- car [~car@pd95cfe54.dip0.t-ipconnect.de] has joined #openvpn
22:01 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 240 seconds]
22:01 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
22:02 -!- car_ [~car@ip-109-47-53-130.web.vodafone.de] has quit [Ping timeout: 240 seconds]
22:02 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
22:06 -!- rola [~a@2605:6400:2:fed5:22:0:fde:35f1] has joined #openvpn
22:06 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
22:08 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
22:08 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
22:08 -!- rola [~a@2605:6400:2:fed5:22:0:fde:35f1] has left #openvpn []
22:10 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
22:12 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 268 seconds]
22:17 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
22:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-youkxujaoaqhcupb] has quit [Quit: Connection closed for inactivity]
22:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-uhmlqxcvfrlwmxss] has quit [Quit: Connection closed for inactivity]
23:04 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
23:29 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 246 seconds]
23:42 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Remote host closed the connection]
23:48 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
23:51 -!- Eneerge [eneergealt@unaffiliated/eneerge] has quit [Ping timeout: 255 seconds]
23:51 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
23:52 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
--- Day changed Sun Mar 23 2014
00:10 -!- funyun_ [~temp@199.16.191.134] has joined #openvpn
00:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
00:18 -!- converge [~converge@unaffiliated/joaop] has quit [Read error: Connection reset by peer]
00:18 -!- converge [~converge@189.7.3.101] has joined #openvpn
00:18 -!- converge [~converge@189.7.3.101] has quit [Changing host]
00:18 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
00:19 -!- converge_ [~converge@189.7.3.101] has joined #openvpn
00:23 -!- converge [~converge@unaffiliated/joaop] has quit [Ping timeout: 240 seconds]
00:26 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:28 -!- converge_ [~converge@189.7.3.101] has quit [Quit: Leaving...]
00:57 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 265 seconds]
01:00 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:16 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
01:20 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
01:37 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
01:56 -!- funyun_ [~temp@199.16.191.134] has quit [Ping timeout: 240 seconds]
02:05 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
02:31 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:32 < joako> I have the openvpn running in client mode and I can pass traffic through the same machine but how can I let it pass traffic from other machines through the vpn?
02:39 -!- funyun [~temp@173.208.81.19] has joined #openvpn
02:46 -!- mnathani1 is now known as mnathani
02:48 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
02:50 -!- funyun [~temp@173.208.81.19] has quit [Ping timeout: 240 seconds]
03:09 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
03:13 < KarlBauman> hello :) I have a question - why openVPN is much slower than Proxy ? basically it does something very similar
03:33 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 265 seconds]
03:41 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:13 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
04:16 < KarlBauman> can somebody please tell me how to enable Username/Password only authentication so I can set up my dd-wrt router as a VPN client?
04:27 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
04:38 -!- KarlBauman [~SoWhat@46.109.253.209] has joined #openvpn
04:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
05:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:05 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:07 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
05:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Max SendQ exceeded]
05:07 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
05:09 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
05:09 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
05:15 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
05:31 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-cwrupnvoeihnlfbg] has joined #openvpn
05:44 -!- funyun [~temp@172.241.151.99] has joined #openvpn
05:47 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
05:51 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
05:52 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
05:53 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 265 seconds]
05:53 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
05:53 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
05:54 -!- Hes_ [YC8FclfB@tunkki.fi] has joined #openvpn
05:54 -!- Devastatr [~devas@177.18.198.229] has joined #openvpn
05:54 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
05:54 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
05:54 -!- Mike3 [mad@mx.probie.nl] has quit [Remote host closed the connection]
05:54 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
05:54 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
05:54 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
05:54 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
05:54 -!- ___FBi [B@dont.uwantmy.info] has quit [Ping timeout: 265 seconds]
05:54 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 265 seconds]
05:54 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn
05:54 -!- Hes [OwwhJ8j@tunkki.fi] has quit [Ping timeout: 265 seconds]
05:54 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has quit [Ping timeout: 265 seconds]
05:54 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host]
05:54 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
05:54 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
05:54 -!- Devastator [~devas@unaffiliated/devastator] has quit [Remote host closed the connection]
05:55 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
05:55 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
06:04 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
06:04 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
06:04 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 255 seconds]
06:17 -!- Hes_ [YC8FclfB@tunkki.fi] has quit [Remote host closed the connection]
06:17 -!- u0m3_ [~u0m3@92.80.121.87] has joined #openvpn
06:17 -!- Hes [~hessu@tunkki.fi] has joined #openvpn
06:18 -!- u0m3 [~u0m3@92.80.121.87] has quit [Read error: Connection reset by peer]
06:19 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
06:20 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
06:21 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
06:22 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
06:25 -!- Matir_ [~matir@ubuntu/member/matir] has joined #openvpn
06:25 -!- codile [codehero@irc.coding4coffee.org] has joined #openvpn
06:28 -!- Roa_ [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
06:28 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
06:29 -!- lbft [~lbft@unaffiliated/lbft] has quit [Disconnected by services]
06:29 -!- lbft_ is now known as lbft
06:29 -!- mattockl [~mattock@raidz.im] has joined #openvpn
06:30 -!- Netsplit *.net <-> *.split quits: troyt, Roa, phuzion, AsadH, @mattock_afk, Dan39, pekster, AlexPortable, Matir, Samopotamus,  (+14 more, use /NETSPLIT to show all of them)
06:30 -!- mattockl is now known as mattock
06:30 -!- codile is now known as codehero
06:30 -!- mattock [~mattock@raidz.im] has quit [Changing host]
06:30 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:30 -!- mode/#openvpn [+o mattock] by ChanServ
06:30 -!- jgeboski- is now known as jgeboski
06:30 -!- Netsplit over, joins: mnathani
06:33 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wlookuybdrbemjhz] has joined #openvpn
06:37 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
06:40 -!- aef [~smuxi@schweinehegel.raxys.net] has joined #openvpn
06:41 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
06:41 -!- mback2k_ is now known as mback2k
06:42 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
06:43 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
06:44 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
06:45 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
06:45 -!- krzee [~k@2610:150:4002::3:1] has joined #openvpn
06:45 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
06:45 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
06:45 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:45 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
06:45 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Read error: Connection timed out]
06:46 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:46 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
06:46 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
06:46 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:46 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
06:48 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
06:48 -!- funyun [~temp@172.241.151.99] has quit [Ping timeout: 240 seconds]
06:51 -!- mback2k is now known as mback2k_
06:52 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
06:54 -!- Dan39 [~ddan39@2607:5300:60:1173::1] has joined #openvpn
06:54 -!- Dan39 [~ddan39@2607:5300:60:1173::1] has quit [Changing host]
06:54 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
06:57 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zhnvsjwfnctofqun] has joined #openvpn
06:57 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
06:59 < KarlBauman> anyone there?
07:07 -!- Denial [Denial@2.126.201.65] has quit [Ping timeout: 240 seconds]
07:08 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
07:17 -!- Denial [Denial@2.126.201.65] has joined #openvpn
07:40 -!- Hes [~hessu@tunkki.fi] has quit [Ping timeout: 246 seconds]
07:42 -!- Hes [VpAm@tunkki.fi] has joined #openvpn
07:48 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:53 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
07:55 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Quit: Computer has gone to sleep.]
08:04 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
08:12 < reiffert> no
08:17 -!- pablito [~chatzilla@194.90.149.21] has quit [Ping timeout: 246 seconds]
08:20 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:22 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
08:22 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
08:22 -!- krzee [~k@2610:150:4002::3:1] has quit [Ping timeout: 265 seconds]
08:22 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
08:22 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
08:23 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
08:23 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Ping timeout: 265 seconds]
08:24 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
08:24 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
08:24 -!- mode/#openvpn [+o krzee] by ChanServ
08:25 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
08:26 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
08:36 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
08:39 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
08:49 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:53 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
08:57 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
09:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
09:11 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
09:11 -!- UukGoblin [~jaa@unaffiliated/uukgoblin] has joined #openvpn
09:12 < UukGoblin> !welcome
09:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:13 < UukGoblin> !goal
09:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:15 < UukGoblin> right, hello everyone :-) So my goal is a VPN between two or more clients behind a firewall, and possibly a server (without a firewall), however I'd like to ensure that if the server is hacked or otherwise compromised, the clients can still communicate securely
09:16 < UukGoblin> in other words, if someone hacks into the openvpn server, I'd like to be able to ensure that client A can be sure that it communicates with client B (and not someone who has obtained all the keys on the server)
09:16 < UukGoblin> one solution that comes to mind is to run openvpn-over-openvpn, i.e. use the non-firewalled server to provide a tunnel for the clients, and then run openvpn again over that tunnel on the clients - but I was wondering if there perhaps is a better way?
09:20 -!- KarlBauman [~SoWhat@46.109.253.209] has quit [Ping timeout: 268 seconds]
09:24 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 265 seconds]
09:24 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
09:24 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
09:25 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
09:25 -!- mode/#openvpn [+o krzee] by ChanServ
09:25 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
09:29 -!- SASDOE [~maxime@APuteaux-651-1-40-242.w81-249.abo.wanadoo.fr] has joined #openvpn
09:30 -!- pablito [~chatzilla@194.90.149.21] has quit [Ping timeout: 252 seconds]
09:31 < SASDOE> hey all, I was wondering whether one could setup a vpn server that would allow direct connections (bypassing vpn) for some domains and not other? If impossible could I setup openvpn to make connected device use the server's dns but let the device connect directly, bypassing server?
09:32 < SASDOE> what I want in final is an adblocking vpn server for my iphone that would only block certain domains and allow direct connections for others
09:32 < SASDOE> I allready have a DNS server installed serving that purpose but I would like to export it to idevices
09:32 < SASDOE> Even when roaming
09:39 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 240 seconds]
09:40 -!- esde [~esde@107.150.1.2] has joined #openvpn
09:41 -!- esde [~esde@107.150.1.2] has quit [Changing host]
09:41 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
09:44 -!- Devastatr [~devas@177.18.198.229] has quit [Changing host]
09:44 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
09:44 -!- Devastatr is now known as Devastator
09:45 < SASDOE> Does anyone know wheter this is possible? Not how
09:45 < UukGoblin> SASDOE, that's more of a firewall/routing issue, not openvpn
09:45 < pekster> Use a proxy
09:45 < SASDOE> pekster: can't set a global proxy in ios
09:45 < SASDOE> thk u apple
09:46 < pekster> L3 isn't where you solve L7 problems
09:46 < UukGoblin> can't do anything with those apples, if you ask me.
09:46 < SASDOE> UukGoblin: So openVPN cannot do something like this
09:46 < pekster> Not by itself, no
09:46 < pekster> Have you considered a proxy?
09:46 < UukGoblin> a transparent proxy would be a solution, yeah
09:47 < SASDOE> pekster: proxies are ok but need to be set for each wifi, and cannot be set for 3/4g data
09:47 < UukGoblin> keyword: transparent
09:47 < SASDOE> transparent as in openvpn forwards to the proxy?
09:48 < UukGoblin> no
09:48 < UukGoblin> as in your routing/nat forwards to the proxy
09:48 < UukGoblin> openvpn just provides a communication channel between your iphone and your router
09:48 < pekster> Think of openvpn as a router. Router's don't care if you're visiting google, a porn site, or streaming music: they deliver packets
09:49 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Quit: Leaving]
09:49 < SASDOE> But wouldn't data go through openvpn either way with the proxy?
09:49 < pekster> A proxy is what you use when you want different things to happen based on something as high-level as the domain name referenced
09:50 < pekster> openvpn will never care about that
09:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:50 < UukGoblin> SASDOE, if you tell your devices to route your data through openvpn, then it will go through openvpn
09:51 < SASDOE> Ok so there is no way to have openvpn route certain domains and not others on the server side?
09:51 < UukGoblin> your questions seem to indicate you need to read up about routing, nat and transparent proxies :-)
09:51 < SASDOE> bad use of the word route though
09:52 < UukGoblin> and firewalls, perhaps
09:52 < SASDOE> UukGoblin: I know..!
09:52 < UukGoblin> SASDOE, domains aren't routed, packets are
09:53 < UukGoblin> and even then, openvpn only provides a communication channel. It's up to your devices to decide through which channel they will route certain data.
09:54 < UukGoblin> a "network device" would be a more precise term for "channel"
09:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:54 < UukGoblin> I guess
09:55 < SASDOE> What I wanted was to change the DNS for my phone and the only way to do so looked like using openvpn, which I know opens a "tunnel" between client and server. I was hoping there was a way to not open the tunnel but simply change the dns, or use the tunnel only for certain domains, and all of this via openvpn's config and not the iphone's, because I can't configure s**t on it.
09:55 < UukGoblin> SASDOE, one way to achieve what you want would be to ask your iphone to route all your data via an openvpn tunnel to a server, then have this server NAT all HTTP traffic through a transparent proxy, and then have that proxy perform ad-blocking (I think privoxy maybe can do it)
09:56 < SASDOE> So apparently I can't and will consider having everything go through server
09:56 < SASDOE> UukGoblin: yeah I'll try that. THanks !
09:56 < UukGoblin> the DNS should be configured on the iphone. Perhaps the iphone app for openvpn can change the system-wide DNS setting, I dunno.
09:57 < UukGoblin> I guess openvpn can actually instruct your OS to change things like the default route and DNS
09:57 < SASDOE> UukGoblin: Looks like it can on google
09:57 < UukGoblin> even if it couldn't though, you could still set up a transparent DNS proxy...
09:57 < UukGoblin> but it seems like HTTP proxy is more what you want
09:58 < UukGoblin> although I've not done any ad-blocking, really
09:58 < SASDOE> UukGoblin: I've got a pac list that works fine I'm sure I could use that as well with openvpn
09:59 < UukGoblin> on android, I just use an adblock app, does it all for me
10:00 < SASDOE> UukGoblin: there's an iphone app that supposedly blocks add for all connections on system wide settings, I was wondering how they did it and though it had to involve vpn settings, but they say they don't route traffic so I have no idea how they do it
10:00 < UukGoblin> but I guess apple wouldn't allow such an app ;-)
10:00 < SASDOE> and they cost a dollar
10:01 < UukGoblin> maybe it sets up a firewall
10:01 < UukGoblin> I dunno
10:01 < SASDOE> UukGoblin: I doubt that since I don't see apple having firewall settings in the SDK
10:01 < UukGoblin> a dollar should be rather cheap for an apple user ;-)
10:01 < SASDOE> Mhh phone was given so unfortunatly not
10:14 -!- joshh20-Away is now known as joshh20
10:26 -!- SASDOE [~maxime@APuteaux-651-1-40-242.w81-249.abo.wanadoo.fr] has quit [Quit: leaving]
10:33 -!- u0m3_ is now known as u0m3
10:43 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:54 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
10:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
11:02 -!- master_o1_master [~master_of@p4FF242D6.dip0.t-ipconnect.de] has joined #openvpn
11:05 -!- master_of_master [~master_of@p4FF2486F.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
11:06 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
11:07 < cornfeedhobo> does anyone have any specific experience with the "openvpn connect" android application? or is there a more "official" method I should be using?
11:09 < pekster> !android
11:09 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market or (#3) Direct Play link:
11:09 <@Eugene> Connect is the AS client
11:09 <@vpnHelper> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
11:09 <@Eugene> You want that one ^
11:10 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
11:10 <@Eugene> Also, we can probably get rid of #2
11:11 <@Eugene> ICS is 2+ years old at this point, nobody sane still has Gingerbread
11:11 <@krzee> i use gingerbread on my darknet devices
11:11 < pekster> I've got a phone the mfgr never updated past it, but I'm not insane enough to still run it (I rock CM7)
11:12 <@Eugene> Update, foo. ;-)
11:12 <@krzee> nope!
11:12 < pekster> !learn android-old If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market
11:12 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
11:12 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
11:12 < pekster> !learn android-old as If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market
11:12 <@vpnHelper> Joo got it.
11:12 < pekster> !forget android 2
11:12 <@vpnHelper> Joo got it.
11:12 <@Eugene> Heh.
11:12 < pekster> !learn android as Old (pre-ICS) device? See: !android-old
11:12 <@vpnHelper> Joo got it.
11:12 <@Eugene> I like that solution. :-p
11:13 <@krzee> +1
11:13 < pekster> Of course, who has an old device, roots, but doesn't put on a sane ROM? :P
11:13 <@Eugene> Any particular reason for sticking with 2.3 devices? Lack of availability of non-cell-radio "phones"?
11:13 <@Eugene> (rah rah Nexus 7 wuth a BT headset)
11:14 < pekster> I'm with a provider that doesn't offer a huge selection of supported devices and don't have the need to update
11:14 < pekster> It's a phone boys ;)
11:15 <@Eugene> I have 7 devices with an active cell plan
11:15 <@Eugene> And another half-dozen or so WiFi-only
11:16 < pekster> I'll update when I need something on the newer OSes. CM7 has an old openvpn version, but I usually just tether to my netbook for any "real work" ;)
11:16 < cornfeedhobo> pekster & Eugene: stepped away for a moment.I will look into that. thanks
11:20 <@krzee> Lack of availability of non-cell-radio "phones"  yes
11:21 <@krzee> thats exactly why =]
11:21 <@krzee> i cannot just ignore the baseband, i must have devices that do not have one
11:22 < Aketzu> does it count if you use hammer and chisel to get rid of radio part?
11:23 <@krzee> well that should lead to an unstable device
11:23 <@krzee> not to mention it would be a major PITA for provisioning if my partner has to chizel out every device
11:23 < Aketzu> :)
11:24 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Changing host]
11:24 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
11:29 < cornfeedhobo> pekster & Eugene: my issue still persists with ipv6, but thanks for the heads up, i like this client alot more!
11:29 < pekster> It's also open-source, which is a huge plus in the security world
11:29 < cornfeedhobo> indeed
11:32 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:34 -!- dwirc [~irc@d118-75-218-160.try.wideopenwest.com] has quit [Ping timeout: 246 seconds]
11:43 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
11:44 -!- MatthewsFace [~mspah@c-67-161-105-108.hsd1.wa.comcast.net] has joined #openvpn
11:45 -!- BtbN [btbn@btbn.de] has joined #openvpn
11:47 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Quit: WeeChat 0.4.3]
11:47 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
11:48 -!- dwirc [~irc@d118-75-60-164.try.wideopenwest.com] has joined #openvpn
11:48 < cornfeedhobo> alright. i am rebooting and starting over. so far I have ipv4 working well, and default routes were being pushed fine without having to tell the client to set default routes. now I am introducing ipv6, which is working on the laptop I am typing to you from, but not the android client. I am getting an ipv6 address in the subnet I expect, but beyond that I cant seem to do anything. gathing up configs to paste now.
11:48 < cornfeedhobo> gathering*
11:49 -!- KarlBauman [~SoWhat@46.109.253.209] has joined #openvpn
11:49 -!- dwirc [~irc@d118-75-60-164.try.wideopenwest.com] has quit [Read error: Connection reset by peer]
11:51 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:53 -!- dwirc [~irc@d118-75-60-164.try.wideopenwest.com] has joined #openvpn
11:53 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
11:55 -!- mback2k_ is now known as mback2k
11:55 < cornfeedhobo> https://ezcrypt.it/xo8n#LgAClSG3D6VHFu4I0MLQGMk5
11:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
11:56 <@vpnHelper> Title: EZCrypt - Paste (at ezcrypt.it)
11:56 < cornfeedhobo> i will see what i can do to get route info off the phone
11:57 < cornfeedhobo> but this is working on my laptop very well, is there something special for android i need to include?
12:05 < cornfeedhobo> i take that back
12:05 < cornfeedhobo> i got it working
12:05 < cornfeedhobo> :3
12:08 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
12:19 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
12:21 <@plai> converge: ics-openvpn should also print the installed routes in the log
12:22 < KarlBauman> I cant use PPTP with OpenVPN, right?
12:23 <@plai> right
12:23 <@plai> !pptp
12:23 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
12:23 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
12:24 < KarlBauman> my dd-wrt router doesn't support OpenVPN :(
12:26 < KarlBauman> I was hoping to make router as a OpenVPN client, but as I read in internet, it needs at least 8MB flash memory
12:28 < KarlBauman> I was thinking, maybe there is a workaround for this?
12:28 <@krzee> if you make your own firmware you can delete other stuff and add that
12:29 < pekster> I've done openvpn with custom firmware in openwrt with 4MB flash, but it's a really tight fit
12:30 < KarlBauman> I am not so good in linux, probably I wont be able to compile my own firmware :(
12:30 < KarlBauman> but that gives us hope
12:31 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has quit [Ping timeout: 252 seconds]
12:31 < KarlBauman> I have TP-Link WR841N router
12:32 < pekster> http://wiki.openwrt.org/toh/tp-link/tl-wr841nd
12:33 < KarlBauman> Version 8.4
12:39 -!- u0m3 [~u0m3@92.80.121.87] has quit [Read error: Connection reset by peer]
12:39 < KarlBauman> Is it possible to install default version of OpenWRT, remove unnecessary packages and install openVPN ?
12:39 < pekster> You don't save space by "removing packages", no
12:39 < pekster> You need to build from _source_ to do that
12:40 < pekster> And on 4MB flash you'll have no room for a GUI at all, and basically no extra space for packages
12:41 < pekster> Once you've flashed a ROM, the only way to save space on preinstalled things is to reflash without them
12:42 < KarlBauman> gui isn't very user friendly, so I wouldn't miss it anyway :)
12:43 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
12:47 <+hazardous> hrm
12:47 <+hazardous> if i have an openvpn-as server, i should be able to grab the .ovpn and connect to that from standard ovpn-community client, right?
12:48 <@krzee> !as
12:48 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
12:51 < KarlBauman> Why OpenVPN is better than OpenVPN AS ?
12:52 <@krzee> "better" is a matter of opinion
12:52 <@plai> KarlBauman: why is an Apple better than an Orange?
12:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:52 <@krzee> nice answer =]
12:53 < KarlBauman> is it more lightveight?
12:53 <@krzee> AS is the non-opensource corp solution
12:53 <@krzee> fancy web gui and stuff
12:53 <@krzee> auto-installers
12:53 <@plai> or more fitting: Is Fedora better than Red Hat Enterprise Linux?
12:53 <@krzee> real support (as opposed to having me tell you to rtfm)
12:54 < KarlBauman> I was asking opposite :D
12:54 < KarlBauman> Why OpenVPN is better than OpenVPN AS  not why AS ir better than OpenVPN
12:54 <@krzee> plai, dazo prolly has an answer for that :D
12:55 <@krzee> KarlBauman, either way its an erroneous question.
12:56 < KarlBauman> but it must be more lightweight
12:56 <@krzee> why must it be?
12:56 < pekster> AS is a commercial wrapper around openvpn, nothing more
12:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
12:56 < KarlBauman> because there are less useless features
12:56 < pekster> Connect (the "AS-centric client) is a non-open codebase to avoid copyright violations
12:57 < pekster> If you want pretty UI and paid support, check out the corporate solutions. If you want GPL code and a community-developed codebase, stick with that. They're different solutions
12:58 < KarlBauman> okay, thanks :)
13:06 <@plai> KarlBauman: what useless features are you talking about?
13:06 <@plai> many of the more obscure features in OpenVPN are there because of the commercial OpenVPN product
13:06 <@plai> or because they got implemented on request
13:07 < KarlBauman> GUI, preconfigured client.. I dont actually know, I was just guessing
13:09 < KarlBauman> Yesterday evening I had my first experiance with VPN ever, I am still trying to understand how powerfull all this functionality is
13:12 < KarlBauman> Can you explain, why OpenVPN is much slower than Squid Proxy?
13:12 < KarlBauman> bandwidth
13:13 < KarlBauman> with squid I can easily reach 90-100Mbps, but with OpenVPN it doesn't get faster than 60Mbps download and upload even less
13:14 < KarlBauman> In the beginning I thought it is because of encription, but after disabling it, speed didn't encrease a lot
13:15 -!- joshh20 is now known as joshh20-Away
13:20 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Quit: Leaving...]
13:21 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has joined #openvpn
13:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zhnvsjwfnctofqun] has quit [Quit: Connection closed for inactivity]
13:31 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
13:45 -!- SoWhat [~SoWhat@78.84.136.189] has joined #openvpn
13:45 -!- converge [~converge@189.7.3.101] has joined #openvpn
13:45 -!- converge [~converge@189.7.3.101] has quit [Changing host]
13:45 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
13:47 -!- KarlBauman [~SoWhat@46.109.253.209] has quit [Ping timeout: 240 seconds]
13:53 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has left #openvpn ["when i leave, come together like butt cheeks"]
13:53 -!- Latrina [~Latrina@adsl-ull-104-255.45-151.net24.it] has quit [Quit: Leaving...]
13:55 -!- Latrina [~Latrina@adsl-ull-194-222.50-151.net24.it] has joined #openvpn
13:58 -!- mback2k is now known as mback2k_
13:58 -!- mback2k_ is now known as mback2k
13:59 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
14:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
14:05 -!- mback2k is now known as mback2k_
14:18 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:21 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
14:23 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
14:24 -!- pablito [~chatzilla@194.90.149.21] has quit [Client Quit]
14:29 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has joined #openvpn
14:32 -!- Latrina_ [~Latrina@adsl-ull-194-222.50-151.net24.it] has joined #openvpn
14:35 -!- Latrina [~Latrina@adsl-ull-194-222.50-151.net24.it] has quit [Ping timeout: 240 seconds]
14:37 -!- Latrina_ [~Latrina@adsl-ull-194-222.50-151.net24.it] has quit [Client Quit]
14:40 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
14:40 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wxnlscgzfurrvygj] has joined #openvpn
14:51 -!- mback2k_ is now known as mback2k
14:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:58 -!- joshh20-Away is now known as joshh20
14:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
14:59 < SoWhat> is there a step-by-step manual that explains setting up openvpn-plugin-auth-pam.so on both - client and server side ?
15:00 -!- pnielsen_ is now known as pnielsen
15:02 < pekster> The README included with the plugin?
15:03 < pekster> https://github.com/OpenVPN/openvpn/tree/v2.3.2/src/plugins/auth-pam
15:03 <@vpnHelper> Title: openvpn/src/plugins/auth-pam at v2.3.2 · OpenVPN/openvpn · GitHub (at github.com)
15:06 < SoWhat> I dont see anything mentioned there about client side
15:06 < pekster> You don't do anything special client side
15:07 < pekster> --auth-user-pass is all you need
15:07 < pekster> What do you think happens client side? It's hardly going to accept a "user" and "password" from your server…
15:07 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Quit: Leaving...]
15:08 < SoWhat> As I understand, I can use pam instead of client sertificates
15:09 < pekster> Or in addition to, as is expalined in the SYNOPSIS of that document
15:09 < SoWhat> so can I remove sertificates and add this --auth-user-pas and will everything work?
15:09 < SoWhat> on client side
15:10 < pekster> Client certs, yes. THe server always needs a keypair & certs, and the client side always needs a copy of the CA
15:10 < SoWhat> ahaa
15:10 < pekster> THat's how TLS works
15:12 < SoWhat> So If I want to connect from new client, I cant connect only using username and password? I need this CA, right?
15:12 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
15:13 < pekster> That is what "the client side always needs a copy of the CA" means
15:14 < SoWhat> there is no way of using only username and password
15:14 < pekster> It's how *EVERY* TLS application works. email clients, web browsers, VPNs...
15:14 < pekster> It's not magic
15:15 < pekster> That is using "only" username/password. How else do you expect the _client_ to trust your _server_ ?
15:15 < pekster> https://en.wikipedia.org/wiki/Transport_Layer_Security
15:15 <@vpnHelper> Title: Transport Layer Security - Wikipedia, the free encyclopedia (at en.wikipedia.org)
15:16 < SoWhat> what if I don't need any security ?
15:17 < SoWhat> is there a way to use something else instead of TLS ?
15:17 < pekster> !statickey
15:17 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
15:17 < pekster> If you want >1 client, you must use TLS
15:20 <@plai> SoWhat: OpenVPN is primarely a security product, it really does not like to be used insecure
15:20 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 245 seconds]
15:20 -!- s0meone is now known as someone
15:23 < SoWhat> so even if I set "cipher none", tunnel is stil encripted using TLS ?
15:24 < pekster> cipher/alg are for the _symmetric_ encryption. As the wikipedia page I just sent you to explains, TLS & X509 are _asymmetric_ encryption
15:24 < pekster> Completely different concepts
15:24 < pekster> >1 client _cannot_ avoid using TLS with openvpn. TLS _requires_ you to set up an X509 PKI infrastructure
15:24 < pekster> If that's a problem, consider a dumb-transport protocol like GRE
15:25 < SoWhat> the main problem is with speed
15:25 < SoWhat> bandwidth speed
15:25 < pekster> !speed
15:25 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
15:25 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
15:27 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
15:28 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:28 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:28 < SoWhat> hmm, it might be because of CPU usage. It takes a lot of CPU to encript and decript data
15:28 -!- dazo_afk is now known as dazo
15:30 < pekster> Yes it does. If your hardware at both ends supports AES acceleration in your linked SSL library, use of AES can frequently improve things, but YMMV based on what the real bottleneck is
15:33 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
15:35 <@plai> SoWhat: you can disable data encryption with cipher none
15:35 <@plai> and auth none
15:35 <@plai> iirc
15:35 <@plai> !gre
15:35 <@plai> !none
15:36 <@plai> !cipher-none
15:36 < pekster> !factoids search none
15:36 <@vpnHelper> No keys matched that query.
15:37 < pekster> !learn noenc as Want to disable all data-channel encryption? While not generally useful, set `cipher none` and `auth none` to do this, or use either one by itself
15:37 <@vpnHelper> Joo got it.
15:37 < pekster> !learn noenc See the manpage for the --auth and --cipher options for more detail
15:37 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
15:38 < pekster> !learn noenc as See the manpage for the --auth and --cipher options for more detail
15:38 <@vpnHelper> Joo got it.
15:43 <@plai> !factoids search gre
15:43 <@vpnHelper> No keys matched that query.
15:43 <@plai> !factoids search GRE
15:43 <@vpnHelper> No keys matched that query.
15:43 <@plai> !factoids
15:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:44 < pekster> Oh, ther ewas a noenc already :\
15:44 < pekster> !forget noenc 4
15:44 <@vpnHelper> Joo got it.
15:44 < pekster> !forget noenc 4
15:44 <@vpnHelper> Joo got it.
15:44 < pekster> !factoids search --values GRE
15:44 <@vpnHelper> 'noenc', 'all', 'configs', 'tcp', 'howto', 'dropje', 'pastebin', 'tcptcp', 'tcpdump', and 'paste'
15:44 < pekster> ;)
15:48 < SoWhat> I think it really sucks that OpenVPN is using only one core. What is the reason for this?
15:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:53 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
15:57 -!- le0 [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
15:57 <@plai> !noenc
15:57 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
16:00 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has left #openvpn ["Bye."]
16:00 < pekster> SoWhat: It's a single-threaded application, and that's non-trivial to change from a code perspective
16:00 -!- MatthewsFace [~mspah@c-67-161-105-108.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
16:02 < SoWhat> It is only linux server application I know that doesn't support multi-core CPU.
16:02 < SoWhat> Is it going to be fixed?
16:04 < pekster> Whining isn't how FOSS improves, no
16:05 < pekster> Things improve when someone spends the time to improve them, and openvpn is a huge codebase
16:06 < pekster> Maybe review some advanced performance features here, though this assumes you're already maxing things out with AES-NI:
16:06 < pekster> !gigabit
16:06 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
16:07 < SoWhat> okay, tnx
16:15 -!- indy [~indy@194.213.226.242] has joined #openvpn
16:17 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has joined #openvpn
16:24 <@plai> SoWhat: there are no plan to make OpenVPN multi threaded
16:26 < SoWhat> so if I use 1.6Ghz 4Threaded intel atom processor, openVPN will be able to use only 400Mhz ?
16:26 <@plai> SoWhat: what?!
16:26 < SoWhat> ahh, no, it's 1.6Ghz
16:27 < SoWhat> I am going to use this motherboard for VPN server http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-dn2800mt.html
16:27 <@vpnHelper> Title: Intel® Desktop Board DN2800MT (at www.intel.com)
16:28 <@plai> just make sure your cpu supports AES-NI
16:29 < pekster> (then set AES as your --cipher)
16:36 < MorgyN> N2800 does not have aes
16:37 < SoWhat> :( http://ark.intel.com/products/58917/Intel-Atom-Processor-N2800-1M-Cache-1_86-GHz
16:38 < SoWhat> so I shoud use Blowfish instead of AES
16:38 < MorgyN> it appears in "Instruction Set Extensions" for reference
16:44 -!- justinzane [~justinzan@tiny.justinzane.com] has quit []
16:57 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has quit [Ping timeout: 246 seconds]
16:57 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has joined #openvpn
16:58 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has quit [Remote host closed the connection]
17:01 -!- lj1 [~l@99.59.12.82] has joined #openvpn
17:03 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has joined #openvpn
17:08 -!- Latrina [~Latrina@host211-22-static.226-95-b.business.telecomitalia.it] has quit [Read error: Connection reset by peer]
17:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:24 -!- lazyjack [4e5c29e4@gateway/web/cgi-irc/kiwiirc.com/ip.78.92.41.228] has joined #openvpn
17:24 -!- lazyjack [4e5c29e4@gateway/web/cgi-irc/kiwiirc.com/ip.78.92.41.228] has quit [Client Quit]
17:24 -!- MatthewsFace [~mspah@c-67-161-105-108.hsd1.wa.comcast.net] has joined #openvpn
17:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:28 -!- mode/#openvpn [+v s7r] by ChanServ
17:34 -!- MatthewsFace [~mspah@c-67-161-105-108.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
17:48 -!- _tarball [~quassel@port-5692.pppoe.wtnet.de] has joined #openvpn
17:53 -!- mback2k is now known as mback2k_
17:59 < SoWhat> actually the main reason why I need VPN is hiding my traffic content from internet provider. I don't want them to know what torrents I am downloading and what pornos watching
17:59 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:02 < reiffert> SoWhat: sowhat.
18:03 < SoWhat> So is this a popular reason why people are using VPN?
18:03 < SoWhat> What is the best configuration for this
18:06 < reiffert> how would you like to hide your porn traffic at the other endpoint .. there's an ISP too
18:07 < SoWhat> this ISP is trustes :)
18:07 < SoWhat> trusted :)
18:07 < reiffert> https://www.google.com/search?q=reasons+to+use+VPN&oq=reasons+to+use+VPN&aqs=chrome..69i57j0l5.3030j0j7&sourceid=chrome&espv=2&es_sm=91&ie=UTF-8
18:07 <@vpnHelper> Title: reasons to use VPN - Google Search (at www.google.com)
18:13 < SoWhat> Thanks! I guess this is the most popular reason :)
18:29 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
18:36 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
18:39 -!- SoWhat [~SoWhat@78.84.136.189] has quit [Ping timeout: 252 seconds]
18:42 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:44 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
18:48 < KarlBauman> is it possible to filter traffic with OpenVPN ? Forbid skype, torrents, video streaming etc ?
18:50 < pekster> Nope. A proxy could though
18:51 < KarlBauman> how can I tell OpenVPN server to use proxy?
18:51 < pekster> !google transparent proxy
18:51 <@vpnHelper> Proxy server - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Proxy_server>; Transparent Proxy with Linux and Squid mini-HOWTO: <http://www.tldp.org/HOWTO/TransparentProxy.html>; Differences Between 3 Types Of Proxy Servers: Normal, Transparent ...: <http://www.webupd8.org/2010/02/differences-between-3-types-of-proxy.html>
18:52 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Remote host closed the connection]
18:52 < KarlBauman> I mean not how to create proxy, but how to connect to it
18:53 < pekster> THat's not openvpn's responsibility
18:53 < pekster> OpenVPN delivers IP packets
18:53 < pekster> What you do after packets are delivered is entierly up to you, as is what you send over your openvpn link
18:54 < KarlBauman> so I cant tell OpenVPN to filter all trafic through proxy? I have to set it up on client side..?
18:55 < KarlBauman> I want following sequence:     Client ---> VPN server ---> proxy --> VPN server ----> Client
18:56 < KarlBauman> This would be more correct Client ---> VPN server ---> proxy ----> Internet ---> proxy --> VPN server ----> Client
19:05 < KarlBauman> I guess that only way to acheave that is using iptables
19:09 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
19:17 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 268 seconds]
19:20 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
19:21 -!- dren [~dren@access.not.allowed.org] has quit [Read error: Operation timed out]
19:22 -!- dren [dren@obsidian.recompiled.net] has joined #openvpn
19:36 -!- MatthewsFace [~mspah@c-67-161-105-108.hsd1.wa.comcast.net] has joined #openvpn
19:38 -!- converge [~converge@189.7.3.101] has joined #openvpn
19:38 -!- converge [~converge@189.7.3.101] has quit [Changing host]
19:38 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
19:38 -!- _tarball [~quassel@port-5692.pppoe.wtnet.de] has quit [Quit: none]
19:52 -!- aji [~alex@atheme/member/aji] has quit [Quit: brb]
19:53 -!- aji [~alex@atheme/member/aji] has joined #openvpn
19:54 -!- aji [~alex@atheme/member/aji] has quit [Client Quit]
19:56 -!- aji [~alex@atheme/member/aji] has joined #openvpn
20:03 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:12 -!- mikemol [~mikemol@2001:470:c5b9:beef:71a6:8d1f:672d:1b8e] has quit [Remote host closed the connection]
20:16 -!- joshh20 is now known as joshh20-Away
20:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wlookuybdrbemjhz] has quit [Quit: Connection closed for inactivity]
20:17 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Remote host closed the connection]
20:17 -!- klein [~klein@187.85.183.105] has joined #openvpn
20:17 -!- klein [~klein@187.85.183.105] has quit [Changing host]
20:17 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:19 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
20:20 -!- justinzane [~justinzan@tiny.justinzane.com] has joined #openvpn
20:23 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 246 seconds]
21:01 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:02 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:05 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
21:13 -!- lj1 [~l@99.59.12.82] has quit [Ping timeout: 240 seconds]
21:21 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wxnlscgzfurrvygj] has quit [Quit: Connection closed for inactivity]
21:45 -!- joako [~joako@opensuse/member/joak0] has quit [Excess Flood]
21:46 -!- dwirc [~irc@d118-75-60-164.try.wideopenwest.com] has left #openvpn []
21:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:48 < joako> Does anyone know what configuration is required to run OpenVPN client on a router? I've setup OpenVPN client and from the same machine I can access the OpenVPN but other machines that use the router aren't given access.
21:49 < pekster> !serverlan
21:49 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:49 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
21:56 -!- car_ [~car@ip-2-203-86-83.web.vodafone.de] has joined #openvpn
21:58 -!- car [~car@pd95cfe54.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
22:01 -!- car_ [~car@ip-2-203-86-83.web.vodafone.de] has quit [Ping timeout: 240 seconds]
22:01 < joako> !route_outside_openvpn
22:01 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
22:03 < joako> pekster, So in my setup "OpenVPN client"  is in "Gateway" and from "gateway" everything is working 100%, but other machines that use "gateway" are not getting access to OpenVPN resources
22:14 -!- car_ [~car@pd95cfe54.dip0.t-ipconnect.de] has joined #openvpn
22:15 -!- midacts [~midacts@207.59.77.254] has joined #openvpn
22:15 < midacts> I am trying to setup openvpn on pfSense
22:16 < midacts> ive gone through all the steps to set it up. my question is- i keep getting a 'Enter password' prompt, and i didnt set a passphrase on any certs
22:20 < joako> midacts, Where do you get that password prompt? Did you use the pfSense certificate manager to create the certificates?
22:21 < midacts> i install openvpn on my windows machine and created the ca, server and client certs from the windows cmd prompt as an admin
22:21 < midacts> i get the password prompt when i open openvpn as admin and connect to my pfSense firewall
22:22 < joako> midacts, What do you have for "Server Mode"  in pfSense?
22:22 < midacts> private-key-password-failure is the error
22:25 < joako> midacts, I suspect that you have Server Modem = Remote Access (SSL/TLS + User Auth) as your server mode in pfSense.
22:27 < midacts> sorry i lost my connection
22:27 < midacts> server mode is : peer to peer (ssl/tls)
22:29 < midacts> ERROR: could not read Private Key username/password/ok/string from management interface
22:29 < midacts> i see tahat file in the logs too, but im running openvpn (on my windows box) as administrator
22:30 < joako> midacts, How did you generate the configuration?
22:31 < midacts> https://forum.pfsense.org/index.php?topic=48667.0
22:31 <@vpnHelper> Title: HOWTO: Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI (at forum.pfsense.org)
22:31 < midacts> its basically the same
22:31 < midacts> setup that the offical pfsense docs say to use to configure openvpn
22:33 < joako> midacts, It sounds like you may have a configuration issue on the client because you really shouldn't be doing anything with the management interface on a simple client. What I recommend in pfSense is go under System > Packages and install the OpenVPN Client Export and it will generate the proper OpenVPN configuration for you.
22:34 < midacts> okay ill give that a try
22:34 < midacts> THanks.
22:35 < joako> Once you do that you will have a new tab under VPN > OpenVPN
22:37 < midacts> i see the tab
22:37 -!- noobboob [uid5587@gateway/web/irccloud.com/x-qytpkniahdsfmfpj] has joined #openvpn
22:38 < midacts> what should i do from there
22:38 < midacts> i thought maybe it would let me download the certs or something
22:39 < midacts> pretty complicated?
22:47 < joako> midacts, If you create the certs under System > Cert Manager you should be able to click under Windows Installers: and download a ready to run Windows installer
22:47 < joako> But in your case you could try "File Only"  and then make sure you specify the correct certificates.
22:56 < midacts> i followed how to do the export method and it worked
22:57 < midacts> i created a user account on pfsense and created a password with two facotr authentication. is that pretty secure?
23:11 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
23:11 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:11 -!- mode/#openvpn [+v s7r] by ChanServ
23:21 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
23:36 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
23:39 -!- MatthewsFace [~mspah@c-67-161-105-108.hsd1.wa.comcast.net] has quit [Quit: Leaving]
23:40 -!- dren [dren@obsidian.recompiled.net] has quit [Ping timeout: 240 seconds]
23:59 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
--- Day changed Mon Mar 24 2014
00:51 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
00:52 -!- noobboob [uid5587@gateway/web/irccloud.com/x-qytpkniahdsfmfpj] has quit [Quit: Connection closed for inactivity]
01:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:03 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 246 seconds]
01:13 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wsxisxrhvdanhqcw] has joined #openvpn
01:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:49 -!- joako [~joako@opensuse/member/joak0] has quit [Excess Flood]
01:57 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
02:00 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
02:00 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-attvmqpogvsazdsm] has quit [Read error: Operation timed out]
02:03 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:03 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-qkdaahhiyigdtemu] has joined #openvpn
02:04 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Ping timeout: 240 seconds]
02:11 -!- Devastatr [~devas@186.214.14.39] has joined #openvpn
02:12 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 252 seconds]
02:17 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
02:19 -!- Fruckiwacki [fruckiwack@5.135.190.66] has quit [Ping timeout: 240 seconds]
02:19 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
02:19 -!- ade_b [~Ade@dslb-178-008-220-116.pools.arcor-ip.net] has joined #openvpn
02:19 -!- ade_b [~Ade@dslb-178-008-220-116.pools.arcor-ip.net] has quit [Changing host]
02:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:20 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 268 seconds]
02:23 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-gkbdbdleqckegnug] has joined #openvpn
02:24 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
02:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
02:35 < KarlBauman> is here anyone who  knows how to set up OpenVPN server so it uses Proxy ? I have proxy running on the same server
02:38 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:41 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:49 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
02:49 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
02:57 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 265 seconds]
02:58 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
03:00 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:01 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:02 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
03:04 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 246 seconds]
03:05 -!- le0 [~l30@unaffiliated/le0] has quit [Client Quit]
03:06 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:09 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
03:20 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
03:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-wsxisxrhvdanhqcw] has quit [Quit: Connection closed for inactivity]
03:32 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
03:33 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
03:33 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
03:47 -!- get [219@unaffiliated/get] has joined #openvpn
03:49 -!- funyun_ [~temp@64.120.47.67] has joined #openvpn
03:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
03:52 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
03:59 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
04:00 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
04:05 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Ping timeout: 252 seconds]
04:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 264 seconds]
04:21 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
04:26 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 268 seconds]
04:28 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
04:47 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 246 seconds]
04:51 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
04:54 -!- mikemol [~mikemol@2001:470:c5b9:beef:5d98:b7ef:e758:ea5d] has joined #openvpn
04:55 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
04:55 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
04:55 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:57 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
05:08 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 264 seconds]
05:09 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
05:11 -!- statarb3 [uid19902@gateway/web/irccloud.com/x-zmlyobxiuygxomvo] has joined #openvpn
05:12 < statarb3> Morning everybody
05:14 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 265 seconds]
05:15 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
05:28 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
05:29 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
05:41 < KarlBauman> there is something weird happening with my OpenVPN, sometimes internet just stops working, but VPN GUI shows that everything is okay, than after a while it starts working again
05:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
05:54 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:54 -!- mode/#openvpn [+v s7r] by ChanServ
06:02 -!- Devastatr [~devas@186.214.14.39] has quit [Changing host]
06:02 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
06:02 -!- Devastatr is now known as Devastator
06:12 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 252 seconds]
06:12 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
06:14 -!- mikemol [~mikemol@2001:470:c5b9:beef:5d98:b7ef:e758:ea5d] has quit [Remote host closed the connection]
06:27 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
06:28 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
06:28 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Client Quit]
06:29 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
06:32 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
06:33 -!- Mathias [M@unaffiliated/mathias] has quit [Remote host closed the connection]
06:44 -!- lj [~l@adsl-99-155-21-127.dsl.peoril.sbcglobal.net] has joined #openvpn
06:46 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 246 seconds]
06:47 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:47 < KarlBauman> it looks like it is somehow connected to iptables, because after reflushing iptables, it starts working again for a while
06:54 -!- lj [~l@adsl-99-155-21-127.dsl.peoril.sbcglobal.net] has quit [Quit: Leaving.]
07:12 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:14 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
07:14 < ACKNAK> oh oh! question! is there any web-interface for creating/downloading certificates for openvpn?
07:15 < ACKNAK> or is it better to call for easy-rsa from python?
07:16 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:17 < ACKNAK> but ./build-key  script requires some interaction, hmm...
07:21 -!- Mathias___ [M@91.247.228.60] has joined #openvpn
07:22 -!- Mathias___ [M@91.247.228.60] has quit [Changing host]
07:22 -!- Mathias___ [M@unaffiliated/mathias] has joined #openvpn
07:24 -!- Mathias___ is now known as Mathias
07:31 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
07:32 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
07:34 <@ecrist> ACKNAK: there is a batch option
07:34 <@ecrist> iirc, we've been down this road with you before
07:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 265 seconds]
07:46 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
07:47 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
07:55 < ACKNAK> ehm
07:55 < ACKNAK> I do not remember ^^
07:55 <@ecrist> regardless, there is a batch option
07:55 < ACKNAK> sure
07:56 < ACKNAK> pure openssl, fixed easy-rsa, openvpn-web-gui
07:57 < ACKNAK> may be openvpn-sa
07:58 < ACKNAK> openssl should be best since it's "raw", but I'm lazy and prever easy-rsa, I should either send "enter" tap from python or make it un-interactive
07:58  * ACKNAK googles
07:59 <@ecrist> easy-rsa and ssl-admin are just wrappers for openssl
07:59 -!- lj [~l@192.241.174.169] has joined #openvpn
08:03 < ACKNAK> thats what I mean as "raw"
08:08 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
08:08 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
08:08 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:19 -!- makara [~makara@41.164.22.218] has joined #openvpn
08:20  * ACKNAK stares at author of ssl-admin
08:20 < ACKNAK> it is you :O
08:20 <@ecrist> I'm also one of the maintainers for easy-rsa
08:21 < ACKNAK> nice :)
08:21 < ACKNAK> good job.
08:23 -!- statarb3 [uid19902@gateway/web/irccloud.com/x-zmlyobxiuygxomvo] has quit [Quit: Connection closed for inactivity]
08:26 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
08:26 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
08:31 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 265 seconds]
08:32 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
08:40 -!- funyun_ [~temp@64.120.47.67] has quit [Ping timeout: 264 seconds]
08:43 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:48 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:58 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 252 seconds]
08:58 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
09:00 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
09:28 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
09:31 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
09:31 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
09:32 < KarlBauman> how can I make my Windows client to connect to VPN automatically on everytime computer is connected to internet?
09:33 < Eneerge> do you want the gui accessible or inaccessible?
09:35 < KarlBauman> inaccessible
09:35 < KarlBauman> and no asking for passwords
09:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:37 < KarlBauman> would be nice if non-admin users would not be able to disable it
09:39 < Eneerge> there's a vpn service you can enable
09:39 < Eneerge> if no password, that means you'll have to store it somewhere
09:39 < KarlBauman> thats okay
09:40 < Eneerge> ok
09:40 < KarlBauman> where is this service?
09:40 < Eneerge> services.msc
09:40 < KarlBauman> whats the name of it?
09:41 < Eneerge> OpenVPN Service or something like that
09:41 < KarlBauman> hmm, OpenVPN Access Client
09:41 < KarlBauman> but this is commercial version, right?
09:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
09:43 < Eneerge> http://openvpn.net/index.php/open-source/documentation/install.html?start=1
09:43 <@vpnHelper> Title: Installation Notes (at openvpn.net)
09:43 < Eneerge> ctrl+f service
09:44 -!- HardlySeen [~HardlySee@unaffiliated/gatheringknowleg] has joined #openvpn
09:45 < HardlySeen> good morning. I have two vpns running with matching configs, only differing on port and config locations.
09:45 < HardlySeen> I can connect to both, but only one can see non-vpn machines on servers's network
09:46 < KarlBauman> Eneerge, thanks, i'll try that
09:51 < HardlySeen> relevant configs: http://pastebin.com/W8Prisvh and http://pastebin.com/UneqKHKn
09:54 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
09:55 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 246 seconds]
09:55 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
09:59 < KarlBauman> Eneerge, btw, I had to reinstall OpenVPN to get this service you were talking about :)
10:02 < HardlySeen> any ideas what I can do to resolve this?
10:05 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:06 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
10:07 < KarlBauman> HardlySeen, I wish I could help you, buy I cant :(
10:07 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:08 < KarlBauman> Eneerge, how to tell OpenVPN service, from where to take password ?
10:09 < HardlySeen> KarlBauman: thanks.
10:11 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
10:11 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 264 seconds]
10:13 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
10:19 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
10:20 < Eneerge> KarlBauman, that's in documentation too
10:21 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Read error: Connection reset by peer]
10:23 -!- HardlySeen [~HardlySee@unaffiliated/gatheringknowleg] has quit [Quit: leaving]
10:23 < KarlBauman> cant find it :(
10:23 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-smxvpqqlbrcsujrs] has joined #openvpn
10:25 < KarlBauman> this is only thing I can find:   --enable-password-save  allow --askpass and --auth-user-pass passwords to be read from a file [default=yes]
10:26 < Eneerge> --auth-user-passwords mypassword.txt
10:26 < Eneerge> username and password on separate line
10:26 < Eneerge> auth-user-pass
10:27 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
10:27 < KarlBauman> I think this is only if I am using pam auth
10:28 <@ecrist> no
10:31 < KarlBauman> so I need to add only one line? auth-user-pass password.txt
10:32 < jeev> so i've got a linux router with an office with 50 people behind it, i have tun0,tun1, two different openvpn's going two different locations. i have an ip route table 900 and 901, i then ip rule from localip/32 to .. table 900
10:32 < jeev> so far it's working great but incase of a reboot, it comes back and the rules are missing, what's the best way to automate this? or at least prevent a failure
10:32 < jeev> i'm thinking if there's an ip rule to go out that specific route, 900.. if that route isn't there, i haven't tested whether or not it'll just die or connected from default gateway.
10:33 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
10:33 < KarlBauman> btw, Options error: Unrecognized option or missing parameter(s) in my_config.ovpn:129: enable-password-save (2.3.2)
10:33 < KarlBauman> Use --help for more information.
10:34 < ayaka> I meet a problem with my vpn, if I don't restart it after a period of time, the bandwidth of it will be  very slow, only 6KB/S
10:34 < ayaka> but after I have restarted it, it speed up to 700KB/s at once
10:34 < ayaka> what is the problem? have I must restart it after a period of time?
10:36 < Aliekezhi> jeev: you can make a startup script. But maybe there is a simplier method
10:37 < KarlBauman> Eneerge, ecrist I think this method is for authentication on serverside, but I need to enter password which is saved in my sertificate
10:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:37 < KarlBauman> client sertificate
10:37 < KarlBauman> withoud username
10:39 < KarlBauman> this is what I see in logs: Mon Mar 24 17:38:50 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
10:39 < KarlBauman> Enter Private Key Password:
10:42 < KarlBauman> So I guess I have to make a sertificate without password... ?
10:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
10:54 -!- Mathias [M@unaffiliated/mathias] has quit [Remote host closed the connection]
10:56 -!- lj [~l@192.241.174.169] has joined #openvpn
10:58 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
11:03 -!- master_of_master [~master_of@p4FD7BFA2.dip0.t-ipconnect.de] has joined #openvpn
11:06 -!- master_o1_master [~master_of@p4FF242D6.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:11 < KarlBauman> so I tried to generate new sertificates, but again it asks for password after entering this command ./easyrsa build-ca
11:11 < KarlBauman> If I don't enter password, it fails
11:13 < KarlBauman> https://www.dropbox.com/s/7l89cvy89ndmv7a/Screenshot%202014-03-24%2018.12.48.png
11:13 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-24 18.12.48.png (at www.dropbox.com)
11:16 < Rienzilla> you probably need a password for the ca
11:19 < KarlBauman> I am not jet into this sertificate stuff. So many different files..
11:21 < KarlBauman> Can I generate all files on server or I have to do part on server and part on client?
11:22 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
11:28 -!- MatthewsFace [~mspah@50.78.45.146] has joined #openvpn
11:30 <@Eugene> It doesn't realy matter where
11:31 <@Eugene> If you're paranoid about security, yes, you can generate the key on one machine(and a CSR to go with it), then sign the cert on a different machine
11:31 <@Eugene> But in all honesty, just copypasting via SSH is easy and plenty secure.
11:32 < KarlBauman> and I don't really need to make new PKI every time as described here https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto , right?
11:32 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
11:32 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:38 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:39 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
11:42 -!- Roa_ is now known as Roa
11:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
11:43 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has quit [Changing host]
11:43 -!- Roa [~roa@unixmexico/Roa] has joined #openvpn
11:58 <@dazo> KarlBauman: you need to initialise your CA once ... and then you use ./build-client or ./build-server each time you need a new certificate.  Easy-RSA will with this process generate both encryption keys and signed certificates
11:58 <@dazo> for the client/server
11:59 <@dazo> Then you just need to copy out the ca.crt, {client,server}.key and {client,server}.crt ... and transfer that safely to your {client,server}
11:59 < KarlBauman> thanks! I am using EasyRSA 3, it is a bit different
11:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:59 <@dazo> (Ideally, these CA files should reside on an offline medium when you don't need to generate new certificates/keys)
12:00 <@dazo> right ... the interaction is probably different ... the concept is the same
12:01  * dazo has not yet tried out easy-rsa 3 yet ... got it on my todo-list :)
12:07 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
12:13 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 268 seconds]
12:15 < KarlBauman> maybe you could take a look at it now? :) I cant find equivalent command for ./build-client in version 3. Documentation is here https://community.openvpn.net/openvpn/wiki/EasyRSA
12:15 <@vpnHelper> Title: EasyRSA – OpenVPN Community (at community.openvpn.net)
12:19 < KarlBauman> because I am not able to sign my server certificate the new way https://www.dropbox.com/s/xnc3uzy41wlb6va/Screenshot%202014-03-24%2019.18.54.png
12:19 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-24 19.18.54.png (at www.dropbox.com)
12:24 < KarlBauman> okay, I found equivalent commands
12:24 < KarlBauman>   build-client-full <filename_base> [ cmd-opts ]
12:24 < KarlBauman>   build-server-full <filename_base> [ cmd-opts ]
12:26 -!- lj [~l@192.241.174.169] has joined #openvpn
12:39 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
12:46 -!- grandom [~malcolm@2601:6:2c00:97e:a11:96ff:fe8d:1c54] has joined #openvpn
12:47 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 252 seconds]
12:51 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
12:53 < grandom> Does OpenVPN mask DNS resolutions?
12:56 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 252 seconds]
12:56 < grandom> at least, by default? or how can I make sure?
12:57 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
12:58 <@Eugene> openvpn doesn't touch DNS unless you tell it to, and only then in very limited capability
12:58 <@Eugene> !pushdns
12:58 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
12:59 <@Eugene> To save some time, the usual line of questioning goes like: Why do you want dns masking? To serve my VPN addresses via hostnames. So why do you want masking? Because my VPN IPs are private! But nobody cares about RFC1918 addresses in public DNS zones. Yes they do! No, they don't.
13:00 <@Eugene> (we should consider a bot factoid along those lines. !pubdns maybe?)
13:03 < grandom> Eugene: sorry, I have an alright understanding of network/Internet theory, but I don't understand the specifics of how OpenVPN / VPNs in general work. So, does this mean, if I open up wikileaks.org in my browser, it's obvious to my ISP/government/etc that I'm accessing wikileaks, but not the specific content? Furthermore, is this because DNS is implemented on top of UDP? (which it seems to me that OpenVPN is only used for routing TCP?)
13:04 <@Eugene> A VPN in general(and openvpn specifically) is simply an encrypted network tunnel.
13:04 <@Eugene> You can choose to route certain traffic via this tunnel(the general case of "hide behind a vpn")
13:04 < grandom> Right, but is network ==> packets, or network ==> certain sockets?
13:04 <@Eugene> It's Layer 3 packets we're talking about.
13:05 <@Eugene> (or layer 2, but you don't want/need that)
13:05 <@Eugene> If you're doing redirection in this manner you probably also want to have your DNS servers be accessed via that same tunnel
13:06 <@Eugene> But this can of course be leaky - if you don't have the right routes, traffic will go out to the open internet via oyur normal connection. For this reason, anything other than Tor(and even not that, really) is not good enough to protect your ass in any sort of Wikileaks/anti-NSA scenario.
13:07 < grandom> I'm just a normal home user. My DNS server is my home router. I just want to use OpenVPN to the best of its ability to protect my privacy (and to understand how/if I should recommend it to other people)
13:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:08 <@Eugene> That's really more than just openvpn to protect your privacy.
13:10 < grandom> Eugene: Thanks for the info and help. So, just so I understand correctly, when you say "A VPN is simply an encrypted tunnel for layer 3 packets", do you mean both TCP and UDP packets? Or only TCP? If so, is all my UDP traffic unprotected by OpenVPN?
13:11 <@Eugene> Any Layer3 protocol can be sent via openvpn; TCP and UDP both.
13:11 <@Eugene> As well as all te others
13:12 < grandom> Eugene: cool, so why wouldn't public DNS be protected by default? What makes it special?
13:12 <@Eugene> Your DNS is usually going to a "local" address
13:12  * plai always wonders why people think that a VPN from some shady VPN provider will magically protect their Internet
13:12 <@Eugene> A route is kept for local subnets to go out via your local interface, and for the vpn server via your locla default gateway
13:12 <@Eugene> Otherwise networking would fall over on the client ;-)
13:13 <@plai> grandom: if you don't trust your normal VPN and still ask their DNS servers, ....
13:13 <@Eugene> As well, you need to be able to DNS resolve your vpn server's hostname
13:13 <@Eugene> plai - because hidemyass.com :-|
13:14 <@plai> Eugene: oh they have now android app
13:14 <@plai> lets see if they violate GPL :D
13:15 <@Eugene> I hate the GPL
13:15 <@Eugene> Too damned restrictive
13:15 < grandom> I see the need for keeping LAN subnet traffic off the VPN. Couldn't the DNS resolution of my VPN be the last one I do? As in, after that, now when I open a UDP socket to 12.34.56.78 to resolve this domain, just tunnel that through the VPN? Why isn't that done by default? What makes that UDP socket special? I'm probably missing something here - thanks for helping
13:15 <@plai> Eugene: *shrug*
13:15 <@plai> Eugene: openvpn is gpl as well
13:16 <@Eugene> It's got nothing to do with sockets; it's purely where you're routing traffic to
13:16 <@Eugene> If your regular DNS server isn't "on" a local subnet, then DNS requests will flow through the vpn tunnel and on to the DNS server
13:16 < jeev> hm, anyone familiar with source based routing on linux? specifically.. ip rule's, i've got an ip route table with a default gateway, i use it with a priority and table number.. if that route is down, the rule is still there, it goes out it's default gw
13:17 < grandom> Ah, okay. Yeah, now that I'm actually looking at it, when I say "my DNS server is my router", I mean, my router tells me my DNS server, which actually isn't local
13:17 < grandom> So in that case, my DNS resolutions are protected?
13:17 <@plai> Eugene: Yay! HMA android App violates my GPL copyright ...
13:17 < jeev> bogie: 192.168.1.5/32 table 100, ip route show table 100 shows default gw ip of openvpn target.. if i del that table 100, the 192.168.1.5/32 table 100 is still active however it goes out the main default gateway now..
13:17 < jeev> ie 192.168.1.5/32 table 100, ip route show table 100 shows default gw ip of openvpn target.. if i del that table 100, the 192.168.1.5/32 table 100 is still active however it goes out the main default gateway now..
13:17 <@Eugene> Cool. Whine about it, why don't ya ;-)
13:17 < jeev> bah, brb
13:17 <@plai> Eugene: ?!
13:18 <@Eugene> File a takedown request
13:20 < grandom> Eugene: just to confirm, if my DNS server is not in a local subnet, then DNS resolutions are tunnelled through my VPN?
13:20 <@Eugene> If you have all ttaffic being redirected
13:20 < KarlBauman> summing up discussion abut DNS - is openVPN changing clients DNS server address or not?
13:20 <@Eugene> But again, don't count on "a vpn" to magically grant you privacy.
13:20 <@Eugene> And no, openvpn will not change your DNS server unless you tell it to
13:21 < grandom> Avoiding "magic" is why I'm here asking questions :-)
13:21 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
13:21 < grandom> I'm using GNOME NetworkManager to configure my VPN connection. I don't know if that changes the DNS server by default... I'll check it out
13:22 <@Eugene> So what do you really want to happen
13:22 <@Eugene> !ubuntu
13:22 <@vpnHelper> "ubuntu" is dont use network manager!
13:22 < grandom> Why not?
13:22 < grandom> (not using Ubuntu btw)
13:22 <@Eugene> Because it hides the acutla openvpn config
13:22 <@plai> Eugene: so stealing software is okay?!
13:23 <@Eugene> plai - having software be steal-able is stupid. WTFPL or GTFO. Apache/BSD if you have a problem with the word Fuck.
13:23 <@Eugene> (and fuck you if you do)
13:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
13:24 < KarlBauman> so, the DNS traffic is not going through tunnel, as I understand ... /
13:24 < grandom> No, it seems like NetworkManager/OpenVPN is not changing my DNS server
13:24 <@Eugene> And thats why we say don't use NM.
13:24 < grandom> But still, the DNS server is not in a local subnet (sorry about the misinfo before), so it should be okay?
13:25 < KarlBauman> as I understand, traffic from your PC to DNS server is not encripted, so it is not okay
13:26 < svg> Which GUI client do you guys recommend then?
13:26 < grandom> KarlBauman: If that's the case (I don't know yet), I'm trying to understand what makes DNS traffic special such that it's not tunnelled
13:26 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
13:27 <@plai> Eugene: And the requirements of Apache/BSD don't need to met either, right?
13:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:30 <@Eugene> That's what Freedom is all about
13:30 < grandom> Can anyone help with this? If my DNS server is not in a local subnet, then are DNS resolutions tunnelled through my VPN? Or not?
13:30 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
13:31 <@Eugene> <Eugene> If you have all ttaffic being redirected
13:31 <@plai> Eugene: so I understand you right, you have the standpoint that anyone should be able to take any sourcecode and do whatever he wants to do with it
13:31 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
13:31 <@Eugene> That's the point of having free software, ain't it?
13:32 <@Eugene> I find it a bit hipocritcal of the free software movement to turn around and enforce requirements
13:32 <@Eugene> s/hip/hyp
13:33 < grandom> How can I determine if I have all traffic being redirected? Is that the default configuration? What network diagnostic tools can I use to determine what traffic is and is not?
13:34 <@Eugene> No, it is not the default(unless NetworkManager is truly insane; don't use it).
13:34 <@Eugene> !redirect
13:34 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:34 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:35 <@Eugene> And any sort of packet capture utility will tell you where packets are going
13:35 < KarlBauman> wireshark
13:36 <@dazo> tcpdump might be easier, just for quick verifications
13:36 <@plai> Eugene: not really, if you publish source code with the requirement that anyone who uses that should at least mention that they use your software, I think I can expect that requirement to be meet
13:36 <@Eugene> I use iftop as a first-level step; rarely need for the actual packets, just what kind/where they're going.
13:36 < KarlBauman> dazo, yes, if you are on linux :)
13:36 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
13:36 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
13:36 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
13:37 <@dazo> KarlBauman: is there anything else?
13:37  * dazo ducks
13:37 <@Eugene> plai - it's a slippery slope I'd rather not approach. ;-)
13:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-smxvpqqlbrcsujrs] has quit [Quit: Connection closed for inactivity]
13:38 < KarlBauman> dazo, you really helped me with these sertificates! thanks!
13:38 <@dazo> sure, no prob!
13:40 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:40 < grandom> Okay, I'll experiment with tcpdump. If it looks like DNS resolutions aren't being tunneled, I'll ask the NetworkManager developers and my VPN provider what to do, and failing that, I'll probably just start using Tor for day-to-day browsing. Thanks for your help Eugene and others
13:40 <@Eugene> Per before, anything less than Tor should never be considered for regular users protecting privacy.
13:42 -!- Latrina [~Latrina@host207-250-dynamic.19-79-r.retail.telecomitalia.it] has joined #openvpn
13:43 < KarlBauman> grandom, let me know if there is a solution to send DNS through tunnel also
13:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
13:45 < grandom> On the whole copyleft licensing / GPL vs noncopyleft licenses discussion, I've been biting my tongue. I think it's incredibly naive to overlook the benefit that GPL has brought the free software community. Consider where we'd be if Linux was released under your preferred WTFPL? Or GCC? The GPL is an indispensable tool in making sure that the work that free software developers do is never used against people and for the exclusive benef
13:45 < grandom> it of for-profit companies. Consider how Linux being GPL has resulted in Google being forced to release the AOSP? Consider how GCC being GPL has resulted in lots of companies being forced to contribute to the common good? (although now, with the rise of LLVM, there's unfortunately not so much of impetus there anymore). If you appreciate and understand the importance of free software (particularly given the revelations of the past year
13:46 < grandom> ), then you would appreciate the importance of the GPL.
13:47 <@plai> Eugene: I am on standpoint, that anyone should either opensource their copy of my software when they make money with it or pay to me to keep it closed source
13:48 <@Eugene> And I reject your restrictions. ;-)
13:49 <@Eugene> And FWIW, Android userspace(aka AOSP) is NOT GPL; it's BSD. The linux kernel is under the more restrictive license there
13:49 <@plai> Eugene: it is Apache but yes
13:49 < grandom> Eugene: Okay, sure, but Google was still pushed to merge a large body of code back into Linux
13:49 <@Eugene> The point stands. ;-)
13:50 <@Eugene> grandom - actually, the kernel developers rejected a lot of Google's code....
13:51 < grandom> For contrast, look at the BSDs. Look at all the freedom those developers works are affording users of OSX (Darwin)? Or iOS? *Nothing at all*. That's the difference between copyleft licenses (GPL) and noncopyleft.
13:52 < grandom> You're welcome to contribute to BSD projects if you like your work being used by for-profit companies for their exclusive benefit. I'll always prefer to write code under a license that I can be sure will protect it from being used by companies to harm users freedoms.
13:52 <@plai> Eugene: People like you are propably the ones using GPL source code and sell the software as their own
13:52 <@Eugene> Or conversely, look at the freedom that has been afforded to the developers of those OSes. No need to release all of their hard work for free - they can instead earn money based upon their changes.
13:53 <@Eugene> Don't mix your ideologies here. I Hate Corporations is a very different thing from Software Should Be Free
13:53 <@Eugene> As a businessman myself, fuck yeah money.
13:54 < grandom> Eugene: I don't hate corporations. I love Red Hat. I love Google's GSOC and contribution to Linux. What I hate is people enabling (nay - DEFENDING) other corporations to take free software (but not copyleft) and use it for their exclusive benefit, at the cost of users freedoms.
13:55 <@Eugene> And I think you're a hypocrite. People are dicks, don't be a dick to encourage not-being-a-dick.
13:55 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zqbhdxdvsyxyywaz] has joined #openvpn
13:56 < grandom> That said, at the end of the day, if its a choice between writing noncopylefted free software, and writing nonfree software, of course I would encourage you to write free software :-) But if its a choice between copylefting and noncopylefting, if you care about software *staying* free, you should opt for copylefting
13:57 <@Eugene> If somebody is gonna take copyleft software, modify it, and then sell it as their own, ain't shit you can do about it. Sure, crack out the lawyers. They have bigger ones, because they're making money.
13:58 <@Eugene> So I don't bother, and just make it truly restriction free. Do What The Fuck You Want To.
13:58 < grandom> I have no problem with people taking free software and selling it. That's not the issue here. Like I said, I love Red Hat. What I have a problem with is people taking free software and making it nonfree. That's the difference.
13:58 <@plai> Eugene: from that logic. I should stay closed source and don't publish source code
13:58 <@Eugene> If you want to make money off it, sure.
14:00 <@dazo> If I have the choice between choosing a paid product with the source being free and open or proprietary and closed ... I default to free and open, even though it might not even be the best solution ... why?  Because of the freedom, and that I can contribute back if I find time to do so
14:00 <@Eugene> Sure. Go for it. But don't tell me that by imposing restrictions you're making it freer. That's bullshit.
14:01 <@plai> Eugene: that no bullshit
14:01 <@dazo> It's different views of freedom
14:01 <@Eugene> ^ that
14:01 <@dazo> it's like saying that anarchy is the only freedom and democracy is not
14:01 < grandom> Eugene: the only restriction is that you're restricted from adding restrictions :P
14:01 <@plai> Eugene: open source with restrictions is less restrictions that closed source without any source
14:02 <@dazo> from viewpoint of the source code
14:02 <@Eugene> Here's a spoiler: you earn more money charging for support than binaries
14:02 <@Eugene> So WTFPL(or BSD-like) is very profitable
14:02 <@Eugene> You just need to get somebody hooked
14:02 <@plai> Eugene: not in my case
14:03 <@dazo> That's a side-track of this discussion, though (at least from the point of freedom)
14:03 <@Eugene> sux2bu. Take my WTFPL code and relicense it as AGPL and Bob's Your Uncle.
14:03 < grandom> Eugene: Uhm, companies that support and write GPL software are service companies. Companies that write noncopylefted free software are product companies
14:03 <@Eugene> Tell that to your example company- Google and android.
14:04 <@plai> Eugene: that wasn't my example
14:04 < grandom> Anyway, I'd agree that this is a sidetrack of the discussion about copylefting vs noncopylefting.
14:04 <@Eugene> Correct; It was grandom's.
14:04 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
14:05 -!- Latrina [~Latrina@host207-250-dynamic.19-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
14:06 < grandom> What it comes down to is if you think that being able to make the software nonfree is more important than ensuring that the work you do always stays free, then you would be against copylefting. In my opinion, if you think that, you don't understand the importance of free software.
14:06 <@Eugene> The original software will always stay free. It's out there.
14:06 <@Eugene> Derivatives are different software, somewhat by definition.
14:07 < grandom> Write more GPL and we'll end up with a world running free software (e.g. Linux). Write noncopylefted software, and we'll end up with a world running OS X and iOS.
14:07 <@Eugene> And in that second world, which we live in, our graphics drivers will work.
14:08 <@Eugene> And the people doing stuff with their computers say that it was good, and they Rejoiced.
14:08 <@dazo> That's a short-sighted approach ... and even Nvidia and ATI have even began to contribute with open sourced drivers
14:09 <@dazo> they have been against that to protect reverse engineering of their hardware chips
14:09 <@Eugene> I'm well aware; the point stands.
14:10 <@dazo> Currently, yes
14:12 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:13 < grandom> There's only thing intrinsic to copylefted free software that prevents graphics drivers (for example) from working is that it forces companies to contribute back to the common good, which is why most product companies writing software prefer to write noncopylefted software (if they're writing free software at all). For what it's worth, if you pick the right hardware, the experience today is flawless (my experience: Thinkpad X220 runni
14:13 < grandom> ng Fedora).
14:14 < grandom> I'm going to go do useful things now, but I would encourage you, Eugene, to read more about copylefting: see "Copyleft: Pragmatic Idealism" https://www.gnu.org/philosophy/pragmatic.html
14:14 <@vpnHelper> Title: Copyleft: Pragmatic Idealism - GNU Project - Free Software Foundation (at www.gnu.org)
14:14 < grandom> " My work on free software is motivated by an idealistic goal: spreading freedom and cooperation. I want to encourage free software to spread, replacing proprietary software that forbids cooperation, and thus make our society better." <-- That's my belief too.
14:14 < grandom> Thanks
14:15 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 252 seconds]
14:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:27 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
14:28 -!- pjschmitt [~parker@unaffiliated/schmitt953] has quit [Ping timeout: 240 seconds]
14:29 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
14:31 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
14:32 < grandom> KarlBauman: it looks like all my DNS traffic is being tunneled through my VPN
14:32 < grandom> tcpdump wasn't useful, but dnstop is
14:32 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
14:34 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
14:36 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
14:40 <@dazo> !??!? .... wow ... just ... wow!
14:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:42 < grandom> dazo: ?
14:42 <@dazo> tcpdump -ni tun0 port 53
14:43 <@dazo> or ... if you want more info .... tcpdump -ni tun0 -s0 -X port 53
14:44 < grandom> oh, gee, sorry I didn't bother working out how to get tcpdump only listening to DNS traffic. I figured since DNS is UDP, it would be difficult. I found a tutorial that shows how to use dnstop to monitor DNS traffic, and that worked for me.
14:45 <@dazo> DNS can also be TCP
14:45 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
14:46 < grandom> According to Wikipedia, only when the response is >512 bytes. I don't know how often that's applicable.
14:48 < grandom> Anyway, good to know that tcpdump can be used for other transport protocols. I'll remember that.
14:48 <@dazo> Might happen more often with TXT and SRV records ... and definitely with AXFR
14:52 -!- joshh20-Away is now known as joshh20
15:03 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
15:07 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
15:10 < KarlBauman> grandom, did you use dnstop on client or on server?
15:10 -!- lj1 [~l@192.241.174.169] has joined #openvpn
15:11 < grandom> client
15:11 < KarlBauman> and what did it tell?
15:12 < KarlBauman> what is the difference between tuneled DNS and usual one?
15:12 < grandom> That all DNS queries are going through the tun0 device
15:12 < KarlBauman> hmm, what command you used for that?
15:12 < KarlBauman> what parameters
15:13 < grandom> dnstop tun0
15:13 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
15:13 < grandom> But you could also use tcpdump with the incantation dazo provided earlier
15:14 < KarlBauman> I dont have linux on client side, so I ran this command on server side and I dont see any DNS queries going throug tun0
15:15 < grandom> right, because that doesn't make sense. Your best bet on Windows or OS X is probably using Wireshark to watch DNS queries.
15:15 < KarlBauman> hmm, why it doesnt make sense? I think there must be outgoing queries
15:16 < grandom> because the server isn't protecting any of its traffic - it's doing the protecting
15:16 < grandom> the server will be sending DNS queries through eth0 or whatever, because the server isn't connected to another VPN
15:16 < KarlBauman> ahh, okay
15:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 265 seconds]
15:28 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 252 seconds]
15:31 -!- KarlBauman [~SoWhat@46.109.150.216] has joined #openvpn
15:38 -!- KarlBauman [~SoWhat@46.109.150.216] has quit [Ping timeout: 252 seconds]
15:38 -!- Aliekezhi [~Aliekezhi@80.215.20.210] has joined #openvpn
15:39 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
15:40 -!- goldkatze_ is now known as goldkatze
15:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:44 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:44 -!- indy [~indy@194.213.226.242] has quit [Remote host closed the connection]
15:46 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
15:50 <@dazo> grandom: tcpdump exists for OSX
15:51 -!- grandom [~malcolm@2601:6:2c00:97e:a11:96ff:fe8d:1c54] has quit [Quit: grandom]
16:05 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Read error: Connection reset by peer]
16:06 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
16:09 -!- mattock is now known as mattock_afk
16:10 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 251 seconds]
16:10 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
16:11 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
16:12 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 251 seconds]
16:16 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 264 seconds]
16:17 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
16:21 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:22 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 264 seconds]
16:23 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
16:23 -!- clynamen [~clynamen@net-2-36-61-167.cust.vodafonedsl.it] has joined #openvpn
16:25 < clynamen> I succesfully created a connection with an openvpn server, and I can send data with netcat from client to server
16:25 < clynamen> however I can't do the reverse
16:25 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
16:25 < clynamen> running netcat with -v says that the tcp connection is refused
16:28 <@dazo> clynamen: firewall issues?
16:28 < pekster> KarlBauman: You shouldn't use build-client: that means you're trying to build client _keys_ on your _CA_ -- that's a huge security no-no
16:29 < pekster> Build client keys on the system/directory for your client stuff, not your sensitive CA
16:30 < pekster> KarlBauman: THe wiki you linked includes commands you can just about copy and paste to get a working PKI; where did you get stuck there?
16:30 -!- syzzer_ [~syzzer@2001:610:697::12] has joined #openvpn
16:30 < pekster> You really don't want to use the build-client-full stuff -- that's a very evil command
16:31 < clynamen> @dazo do you mean that packets are dropped due to client's iptables?
16:32 <@dazo> clynamen: yeah
16:32 <@dazo> clynamen: or that server's iptables setup doesn't allow outgoing traffic on the tun/tap device
16:32 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 268 seconds]
16:33 < clynamen> both have all policy ACCEPT
16:33 < clynamen> in every table
16:34 <@dazo> and you're using the right IP address?
16:34 < clynamen> the one obtained by ip addr
16:35 < clynamen> server:  inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
16:35 < clynamen> client inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
16:35 < clynamen> on client: netcat -l 333
16:35 <@dazo> can you ping 10.8.0.6 from 10.8.0.1?
16:35 < clynamen> on server: netcat 10.8.0.6 333
16:35 < clynamen> dazo yes
16:35 <@dazo> which distro?
16:36 < clynamen> client: arch server:ubuntu
16:36 <@dazo> and the netcat server has been started on the right interface on the VPN client?
16:36 < clynamen> dazo this could be the cause... How Can I be sure about it?
16:37 <@dazo> you're kidding me now?
16:38 < clynamen> dazo: I'm not. I tried with netcat -vl 333 --source 10.8.0.6
16:38 < clynamen> ah sorry I misunderstood your last question
16:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:39 <@dazo> double check with netstat on the client side, that you have a process listening to port 333
16:39 -!- syzzer_ is now known as syzzer
16:39 -!- syzzer [~syzzer@2001:610:697::12] has quit [Changing host]
16:39 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:39 -!- mode/#openvpn [+o syzzer] by ChanServ
16:40 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
16:42 -!- elfixit [~Icedove@cust.static.46-14-121-145.swisscomdata.ch] has joined #openvpn
16:42 -!- Aliekezhi [~Aliekezhi@80.215.20.210] has quit [Remote host closed the connection]
16:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:43 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:44 < clynamen> dazo: seems not
16:45 <@dazo> then you did something wrong on the client side
16:45 < clynamen> dazo: plus with netcat -vl 333 on client i'm getting:
16:45 < clynamen> Warning: Inverse name lookup failed for `0.0.1.77'
16:45 < clynamen> that is 333 converted to an ip addr
16:46 <@dazo> I don't recall the syntax for netcat ... but if you made this work on the server, it should be the same command line as you used on the server side when that worked
16:46 <@dazo> I'm guessing you need to use --port, or something similar
16:46 <@dazo> or:  ${ipaddress} 333
16:47 < clynamen> with netcat -vl 10.8.0.6 23
16:47 < clynamen> i get: Warning: Host 10.8.0.6 isn't authoritative! (direct lookup mismatch
16:47 < clynamen> 10.8.0.6 -> clynamen-hp-nb  BUT  clynamen-hp-nb -> 127.0.0.1
16:48 <@dazo> this is something related to netcat
16:48 <@dazo> !notopenvn
16:48 <@dazo> !notopenvpn
16:48 <@vpnHelper> "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:48 < clynamen> dazo: ok, thanks
16:49 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
16:50 -!- lj [~l@192.241.174.169] has joined #openvpn
16:57 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:01 < tessier_> How do most people implement inactivity timeouts with OpenVPN as required by PCI requirement 12.3.8? And what could we consider "inactivity"?
17:02 < clynamen> dazo: eventually the netcat syntax was wrong
17:02 < clynamen> right is:
17:02 < clynamen> client: netcat -l -p 3333
17:02 < clynamen> server: netcat 10.8.0.6 3333
17:03 <@dazo> makes sense
17:05 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
17:08 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:08 -!- elfixit [~Icedove@cust.static.46-14-121-145.swisscomdata.ch] has quit [Ping timeout: 264 seconds]
17:10 -!- elfixit [~Icedove@cust.static.46-14-121-145.swisscomdata.ch] has joined #openvpn
17:25 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:25 -!- u0m3 [~u0m3@92.80.117.153] has joined #openvpn
17:46 -!- elfixit [~Icedove@cust.static.46-14-121-145.swisscomdata.ch] has quit [Ping timeout: 246 seconds]
17:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
17:58 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
18:00 -!- dazo is now known as dazo_afk
18:09 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
18:14 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
18:15 -!- justinzane [~justinzan@tiny.justinzane.com] has quit [Remote host closed the connection]
18:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:18 -!- Su7 is now known as quba
18:27 -!- MatthewsFace [~mspah@50.78.45.146] has quit [Quit: Leaving]
18:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-zqbhdxdvsyxyywaz] has quit [Quit: Connection closed for inactivity]
18:35 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
18:51 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
18:55 -!- joshh20 is now known as joshh20-Away
19:05 -!- indy [~indy@fantomas.bestit.cz] has quit [Read error: Operation timed out]
19:10 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
19:11 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
19:13 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
19:15 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Client Quit]
19:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
19:18 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:18 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 268 seconds]
19:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Operation timed out]
19:26 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Read error: Operation timed out]
19:29 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:31 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
19:32 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
19:40 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 240 seconds]
19:48 -!- clynamen [~clynamen@net-2-36-61-167.cust.vodafonedsl.it] has quit [Quit: WeeChat 0.4.3]
19:51 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
19:55 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
19:56 < chrisb> what's the least computationally demanding cipher for tls 1.2?
20:11 < pekster> chrisb: That's likely not the problem you want to be solving; TLS is used for the control channel only, not the exchange of tunneled transit
20:14 < chrisb> pekster: could auth SHA256 be slowing transit down, then?
20:15 < chrisb> pekster: i am trying to move from 2.3.2 to tls-minimum 1.2 on 2.3-git and having issues
20:16 < pekster> The cipher and hash are the crypto components applied to the data channel, yes. OpenVPN tends to be CPU bound; that's due to the crypto and to a lesser extent the context switching
20:16 < pekster> I run a patched 2.3.2 version myself with TLSv1.2 and it works quite nicely
20:17 < pekster> Note that both ends need to support that or you're still stuck using a TLS1.0 cipher-suite
20:17 < pekster> https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher
20:17 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
20:17 < chrisb> pekster: did you upgrade to a cipher which supports perfect forward secrecy?
20:18 < pekster> TLSv1.0 has that already
20:18 < pekster> 1.2 just opens up the new ciphers, namely the "Suite B" ciphers
20:18 < chrisb> pekster: and i am using 2.3-git on both ends
20:18 < pekster> Right; my point is you don't need that for forward-secrecy
20:18 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:19 < pekster> DH and a sane cipher setting does that; read that link I just gave you for more detail
20:19 < chrisb> pekster: thanks for the link
20:36 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
20:39 < chrisb> pekster: should I back down from auth SHA256?
20:42 < pekster> The cipher is probably the biggest hit; BF is the fastest high-security cipher for CPU, but if your hardware supports AES-NI (and openvpn & openssl are built to support it) use of AES as your --cipher will be faster
20:43 < chrisb> pekster: i am trying camellia-256-CBC
20:43 < chrisb> pekster: and it works in 2.3.2
20:44 < pekster> Yup, it's TLSv1.0
20:45 < pekster> https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_
20:45 <@vpnHelper> Title: OpenSSL: Documents, ciphers(1) (at www.openssl.org)
20:46 < chrisb> ok
20:48 < snappy> chrisb: chacha20 + poly1035 aes?
20:48 < snappy> google uses it i think
20:51 < chrisb> snappy: i haven't seen that in --show-ciphers
20:51 < pekster> It's not, and thus not a valid choice
20:51 < pekster> (not with openvpn anyway)
20:52 < chrisb> what about --prng ?  any advantage to setting it?
20:52 < pekster> Not really
20:53 < pekster> It's best to leave complex internal things alone unless you Know What You're Doing™
20:53 < pekster> At least complex crypto things; it's called "rolling your own crypto" and ill-adviced unless you study high-level math for years ;)
20:54 < pekster> sha1 produces fine PRNG for this use
20:56 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
20:57 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 255 seconds]
20:58 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 265 seconds]
20:58 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
21:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 268 seconds]
21:00 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:04 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
21:51 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
22:12 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
22:15 -!- lj [~l@adsl-99-155-21-127.dsl.peoril.sbcglobal.net] has joined #openvpn
22:19 -!- lj [~l@adsl-99-155-21-127.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 246 seconds]
22:21 -!- lj [~l@192.241.174.169] has joined #openvpn
22:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
22:42 -!- funyun [~temp@174.34.166.171] has joined #openvpn
23:05 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 265 seconds]
23:12 -!- lj [~l@adsl-99-155-17-6.dsl.peoril.sbcglobal.net] has joined #openvpn
--- Day changed Tue Mar 25 2014
00:18 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
00:30 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
00:31 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
00:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
00:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
00:45 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
00:48 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Max SendQ exceeded]
00:51 -!- justinzane [~justinzan@67.21.190.135] has joined #openvpn
00:54 -!- cyberspace_ [20253@ninthfloor.org] has joined #openvpn
00:54 -!- cyberspace_ is now known as cyberspace-
00:56 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:18 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Quit: ||||||||||||||||||||||||||||||||||||||||||||||| 99%]
01:20 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
01:26 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:44 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
01:46 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
01:49 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
01:55 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
01:58 -!- mattock_afk is now known as mattock
02:35 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
02:58 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has joined #openvpn
03:12 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 265 seconds]
03:12 -!- b00gz___ [uid6869@gateway/web/irccloud.com/x-gkbdbdleqckegnug] has quit [Quit: Connection closed for inactivity]
03:12 -!- car_ [~car@pd95cfe54.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
03:14 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-kfrkumtagkjlixkj] has quit [Quit: Connection closed for inactivity]
03:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:37 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:39 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
03:54 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
03:55 -!- funyun [~temp@174.34.166.171] has quit [Ping timeout: 240 seconds]
04:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
04:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:21 -!- funyun [~temp@72.37.242.19] has joined #openvpn
04:23 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 252 seconds]
04:24 < KarlBauman> Hello! I have following problem: I use OpenVPN client service on my laptop. When I connect to another Wifi, OpenVPN does not connect back to VPN server. Is it possible to fix this? I want to make it always connect to VPN when there is internet connection available
04:30 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
05:34 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 264 seconds]
05:34 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
05:47 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
05:52 -!- dazo_afk is now known as dazo
06:02 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 268 seconds]
06:04 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
06:09 -!- cpm [~Chip@173-163-100-91-cpennsylvania.hfc.comcastbusiness.net] has joined #openvpn
06:09 -!- cpm [~Chip@173-163-100-91-cpennsylvania.hfc.comcastbusiness.net] has quit [Changing host]
06:09 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:13 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 246 seconds]
06:13 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
06:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-oyeqcfmyvtyppgxm] has joined #openvpn
06:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:26 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 265 seconds]
06:26 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
06:27 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
06:32 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:34 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 252 seconds]
06:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
06:34 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
06:48 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has quit [Read error: Operation timed out]
06:51 -!- cizra [~cizra@lambdatron.undo.it] has joined #openvpn
06:52 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has joined #openvpn
06:54 < cizra> Hello! I'm trying to tunnel IPv6 over OpenVPN, and it seems that only traffic destined to the endpoint address gets through the tunnel, any other IPv6 addresses get stuck in the tunnel. What am I doing wrong?
06:55 <@ecrist> you need to enable IP6 forwarding in the kernel
06:55 <@ecrist> !forward
06:55 <@ecrist> !factoids search forward
06:55 <@vpnHelper> 'winipforward', 'linipforward', 'fbsdipforward', 'linportforward', 'osxipforward', 'ipforward', and 'forwardsecurity'
06:56 < cizra> ecrist: Enabled on both tunnel endpoints. What else?
06:59 < cizra> tcpdump -i tun0, on server side, shows pings going towards the client side.
06:59 < cizra> tcpdump -i tun0 on the client side shows nothing.
06:59 < cizra> Clarification: pings work for the _tunnel_ configured addresses (...::1000), but not for any other addresses, even in the same /64.
07:01 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 268 seconds]
07:06 < cizra> Neither do TCP connections work.
07:06 < cizra> On both sides, the only ip6tables rules about INPUT and FORWARD are ACCEPT     all      anywhere             anywhere
07:07 < cizra> /proc/sys/net/ipv6/conf/all/forwarding is 1 on both sides
07:14 < cizra> Does OpenVPN inspect the IPv6 packets in any way?
07:22 < cizra> Do I need "topology subnet" for this to work? It seems adding it didn't help.
07:32 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:33 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 252 seconds]
07:33  * cizra is thoroughly stuck :-(
07:34 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:34 -!- mode/#openvpn [+o mattock] by ChanServ
07:34 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Read error: Operation timed out]
07:35 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
07:35 -!- mode/#openvpn [+o raidz] by ChanServ
07:42 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
07:46 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
07:47 -!- funyun [~temp@72.37.242.19] has quit [Ping timeout: 240 seconds]
07:48 <@plai> cizra: yes of course it does
07:49 <@plai> !iroute
07:49 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
07:49 <@plai> see also iroute-ipv6
07:51 < cizra> Hmmm, that sounds like the missing link.
07:52 < cizra> !ccd
07:52 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
07:52 < cizra> If I only have one client, I guess I don't need ccd, right?
07:53 <@plai> if you only have one client why should any other IP of the subnet ping?
07:54 < cizra> The client is going to serve IPv6 to the LAN using radvd.
07:55 < cizra> My setup is basically like this: I have ...:1::1 as the server, ...:1::1000 as the client, ...:2::/64 as the LAN. No address in ...:2::/64 pings from the server, so far. Will try with iroute. Thanks for the tip.
07:57 <@plai> hm
07:57 <@plai> that looks more like your forwarding does not work
08:04 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
08:08 < cizra> Might well be. Can you help me debug it? *innocent smile*
08:14 < cizra> Hey, now it works!
08:15 -!- lj [~l@adsl-99-155-17-6.dsl.peoril.sbcglobal.net] has quit [Quit: Leaving.]
08:15 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
08:23 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Ping timeout: 265 seconds]
08:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:33 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-lsyxldlydneizbip] has joined #openvpn
08:41 -!- ron_ [~ron@ppp118-210-185-93.lns20.adl6.internode.on.net] has quit [Ping timeout: 240 seconds]
08:41 -!- ron_ [~ron@ppp118-210-185-93.lns20.adl6.internode.on.net] has joined #openvpn
08:42 -!- ade_b [Ade@redhat/adeb] has joined #openvpn
08:42 -!- lj [~l@192.241.174.169] has joined #openvpn
08:45 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
08:46 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
08:54 -!- xorox90___ [uid7069@gateway/web/irccloud.com/x-lsyxldlydneizbip] has quit []
09:08 -!- makara [~makara@41-134-154-221.dsl.mweb.co.za] has quit [Ping timeout: 264 seconds]
09:13 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
09:14 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
09:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:19 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
09:20 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
09:20 -!- novaflash is now known as novaflash_away
09:20 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
09:21 -!- makara [~makara@41.164.22.218] has joined #openvpn
09:22 -!- novaflash_away is now known as novaflash
09:25 < SoWhat> Can you give me an example of iptable rules where only VPN traffic is allowed?
09:26 < SoWhat> but from VPN side - everything is allowed
09:27 < SoWhat> from outside only VPN
09:29 <@plai> !notovpn
09:29 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
09:29 <@plai> !iptables
09:29 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
09:29 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
09:31 < SoWhat> I think this should be somewhere in OpenVPN documentation. What I am asking is basically default configuration
09:31 < ACKNAK> -P FORWARD -j DROP; -A FORWARD -i tun -j ACCEPT
09:31 < ACKNAK> o_O
09:31 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:31 < ACKNAK> like this?
09:32 < SoWhat> maybe
09:32 < SoWhat> there should be also rule with masquarading
09:32 < ACKNAK> from VPN?
09:33 < SoWhat> yeah, I was now able to connect to internet without ir
09:33 < SoWhat> it
09:33 <@plai> SoWhat: "default" configuration for firewall is what your Linux distribution gives you
09:33 <@plai> different use cases for VPN firewalling are a firewalling topic not a VPN topic
09:34 <@plai> SoWhat: And I don't even understand what you are trying to achieve with your iptables rules
09:34 < ACKNAK> yea
09:34 < SoWhat> Is VPN going to be working when I disable iptables ?
09:35 <@plai> not if you need NAT
09:35 <@plai> if you don't NAT need are doing "normal" forwarding only, probably
09:35 < ACKNAK> why not, he could NAT it somewhere else
09:36 <@dazo> ..oO(someone is trying to make networking work without understanding networking again ....)
09:36 < SoWhat> NAT is needed if I need to send all traffic through tunnel?
09:36 <@plai> dazo: But... but ... but.. I successfully setup my home router and installed Linux
09:37 <@dazo> SoWhat: What do you understand NAT being?
09:37 <@plai> !ip-basics
09:37 <@dazo> plai: :)
09:37 <@dazo> !tcpip
09:37 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
09:37 < SoWhat> I dont know what nat is :)
09:38 <@plai> SoWhat: You are trying to knit a pullover but don't know what knitting needle is
09:38 <@dazo> SoWhat: okay ... you really need to understand that
09:38  * dazo looks up some useful stuff
09:45 < cizra> plai: ecrist: Thank you! I finally got IPv6 tunneling to work with iroute-ipv6.
09:47 <@dazo> SoWhat: http://www.karlrupp.net/en/computer/nat_tutorial
09:47 <@vpnHelper> Title: NAT with Linux and iptables - Tutorial (Introduction) (at www.karlrupp.net)
09:50 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
10:01 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-nzxnhfpsdfzuviod] has joined #openvpn
10:11 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 268 seconds]
10:16 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:17 < SoWhat> dozo, thanks. In this tutorial are combined most of things I wanted to know about iptables
10:20 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
10:31 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
10:31 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:31 -!- mode/#openvpn [+o mattock] by ChanServ
10:33 -!- ACKNAK [~Celestial@broadband-5-228-253-21.nationalcablenetworks.ru] has joined #openvpn
10:33 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
10:42 -!- mirco_ [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
10:46 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 265 seconds]
10:46 -!- mirco_ is now known as mirco
10:53 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
10:53 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
10:54 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 265 seconds]
11:05 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
11:05 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
11:05 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
11:06 -!- master_of_master [~master_of@p4FD7BFA2.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:07 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
11:08 -!- master_of_master [~master_of@p4FD7B97B.dip0.t-ipconnect.de] has joined #openvpn
11:11 -!- ade_b [Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:21 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
11:21 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
11:21 <@krzee> !learn triplehandshake as <mattock> here a page about the TLS Triple Handshake Vulnerability: https://community.openvpn.net/openvpn/wiki/TLSTripleHandshakeVulnerabilityAndOpenVPN
11:21 <@vpnHelper> Joo got it.
11:29 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
11:31 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
11:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:57 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
12:00 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Read error: Connection reset by peer]
12:01 <@dazo> krzee: What do you think about adding this one as "iptables/nat for dummies" factoid?  http://www.karlrupp.net/en/computer/nat_tutorial
12:02 <@vpnHelper> Title: NAT with Linux and iptables - Tutorial (Introduction) (at www.karlrupp.net)
12:02 <@dazo> (the official netfilter docs is usually a bit too technical for people who don't fully grasp the basic iptables and NAT stuff)
12:05 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
12:08 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
12:08 < pekster> fwiw, #Netfilter tends to send people to the frozentux.net guide linked from the references of the top /TOPIC page
12:08 < pekster> It's rather long, but starts out with the very basics and works up from there
12:11 <@krzee> i dont mind adding it, but i feel like we're better off pointing them to #netfilter
12:11 <@krzee> giving them that doc is almost like asking them to learn about NAT here
12:12 <@krzee> haha
12:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:18 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 252 seconds]
12:20 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
12:21 <@krzee> !nat
12:21 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:21 <@krzee> !iptables
12:21 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
12:21 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
12:21 <@krzee> !factoids search tutorial
12:21 <@vpnHelper> No keys matched that query.
12:21 <@krzee> !factoids search --values tutorial
12:21 <@vpnHelper> 'irc', 'winnat', 'frozentux', and 'frozentux'
12:22 <@krzee> !frozentux
12:22 <@vpnHelper> "frozentux" is (#1) Frozentux Netfilter/iptables tutorial at: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html or (#2) If you want to do port-forwarding (aka DNAT) check out the relevant DNAT section of that tutorial
12:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
12:22 <@krzee> !learn frozentux as theres another NAT tutorial at http://www.karlrupp.net/en/computer/nat_tutorial
12:22 <@vpnHelper> Joo got it.
12:24 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
12:25 < SoWhat> is there some specific configuration required for OpenVPN to use Named DNS server on the same machine?
12:25 <@krzee> which OS?
12:25 < SoWhat> Centos
12:25 <@krzee> yes
12:25 <@krzee> !pushdns
12:25 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
12:25 <@krzee> see #4
12:26 < SoWhat> what this script does?
12:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:27 <@krzee> takes the pushed dhcp-option DNS option, and applies it
12:27 <@krzee> only windows magically does that, other OS need a script
12:29 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
12:30 < KarlBauman> ohh, I just checked script
12:30 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
12:30 < KarlBauman> Client is on Windows
12:31 < KarlBauman> but on Centos is OpenVPN and Named
12:31 < KarlBauman> this script is for client
12:31 < KarlBauman> as I understand
12:32 <@krzee> windows client shouldnt need a script
12:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fzgkuoxmokwizxdp] has joined #openvpn
12:35 < KarlBauman> so basically to force client use my Named DNS server, I have to enable this "push "dhcp-option DNS 10.8.0.1"" and everything should work fine?
12:35 -!- Aliekezhi [~Aliekezhi@80.215.84.78] has joined #openvpn
12:35 <@krzee> !windns
12:35 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
12:36 <@krzee> you may need --register-dns on [some] windows clients
12:36 <@krzee> i dont think it hurts on any windows clients tho
12:36 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:38 -!- Aliekezhi [~Aliekezhi@80.215.84.78] has quit [Client Quit]
12:38 -!- Aliekezhi [~Aliekezhi@80.215.84.78] has joined #openvpn
12:44 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
12:45 < KarlBauman> okay, thanks! but I am experiancing a bit weird behavior. When I was trying to stop and start Named service, it was really slow and sometimes it hangs up, so I was thinking, maybe it has something to do with OpenVPN
12:45 < KarlBauman> probably it is not connected to OpenVPN
12:46 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
12:48 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
12:49 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
12:50 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:56 < johanbr> Hi. I have a problem with an openvpn ARM server hanging intermittently. The first connection attempt works, but after a while the openvpn process hangs and all following connections fail. On the client, I get TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
12:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:58 < johanbr> Attaching gdb to the hung openvpn process and doing a backtrace showed that it was stuck somewhere inside PAM. How would I go about debugging this?
12:58 < SoWhat> disable pam ?
13:00 < SoWhat> I am totall beginner, probably I won't be able to say anything helpful, but you can try not to use PAM authentication, if you are using one
13:00 < johanbr> SoWhat: I guess that would at least show that the problem is PAM-related. I'll try that... thank you!
13:11 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Remote host closed the connection]
13:18 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:23 -!- altker128 [~vr@bitblit.mit.edu] has joined #openvpn
13:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
13:23 < altker128> Hey all
13:29 < altker128> Anyone here have an openvpn server behind a pfsense firewall?  I lost my pfsense firewall rules and need to recall how to add a rule so traffic from the openvpn subnet (10.5.0.x) can be routed to my internal network (192.168.1.x)
13:33 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Ping timeout: 246 seconds]
13:34 -!- Cygni [~CygniX@unaffiliated/twois10] has joined #openvpn
13:34 -!- Cygni is now known as CygniX
13:36 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
13:38 < CygniX> I dont know if this is the right place to ask. If the mobile device is connected to wireless router, and it connects fine to the vpn, but when using tmobile network, it does not connect. Also, if I use usb tether tmobile network to a computer, and then connect to the vpn, it also works. Am curious where the issue could be.
13:40 < CygniX> maybe i should ask in android channel
13:40 <@plai> CygniX: t-mobile US?
13:40 <@plai> androd android 4.4?
13:41 < CygniX> yep
13:41 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
13:41 <@plai> can you forward me a log of the app?
13:41 <@plai> I think this is NAT46 related
13:42 < CygniX> which log exactly plai?
13:42 < CygniX> adb log?
13:43 <@plai> CygniX: which app are you using?
13:43 < CygniX> both 'openvpn connect' and openvpn for android
13:43 <@plai> CygniX: can you send me the log from openvpn for android?
13:43 <@plai> (use the share button in the log window)
13:46 < altker128> Sorry to bug you guys ; still trying to debug my OpenVPN setup, so these are more generic TCP/IP type questions
13:46 < CygniX> plai: give me a sec please
13:47 < altker128> OpenVPN server gives out 10.5.0.x IPs and there's an iptables rule to forward that to 192.168.1.0/24
13:48 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
13:49 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
13:54 < CygniX> plai: i was trying to share using owncloud, but it's saying not content received
13:54 < CygniX> still trying
13:54 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
13:57 < altker128> OK, problem solved! :)
13:57 < CygniX> plai: paste.opensuse.org/view/raw/4ba6707d
14:00 < CygniX> i suspect it may have something to do with my IPs
14:01 < CygniX> mail server is also not connecting
14:02 <@plai> CygniX: urgh
14:02 <@plai> that paste ist all messages contactanated to one long line
14:02 < CygniX> unfortunately, that was how it got it
14:02 <@plai> CygniX: what program did you use?
14:03 <@plai> CygniX: otherwise use share -> email -> arne@rfc2549.org
14:03 <@plai> CygniX: nevermind replacing 2014 with \n2014 fixes the log
14:03 < CygniX> just copied/paste into mailbox and sent to self
14:06 <@plai> CygniX: can you check you APN settings for the fast.t-mobile.com APN
14:07 <@plai> what the APN protocol is set to?
14:07 < CygniX> not sure
14:07 <@plai> if it is IPv6 or IPv4
14:08 <@plai> settings -> networks -> more ... -> mobile networks -> APN/ access points?
14:08 <@plai> (might be something like that, I am translating from the german settings here)
14:08 <@plai> or go to test-ipv6.com and see what score you get when connected via LTE
14:09 < CygniX> APN protocol say IPV6
14:09 <@plai> hm
14:10 < CygniX> the vpn servers have IPv6, but not configured
14:11 <@plai> yeah
14:11 <@plai> but resolving the VPN serer IP server address should give you a mapped IPv6 addres of the IPv4 address
14:11 <@plai> should
14:12 <@plai> but appearently that does not work
14:12 < CygniX> so the issue you believe has to do with IPv6 vs ipv4?
14:12 <@plai> t-mobile us uses nat46 for ipv4
14:12 <@plai> which breaks with the VPN API
14:12 <@plai> oh
14:13 <@plai> and since you are using a fixes ipv4 address and not a hostname you never get the mapped address
14:14 < CygniX> yet it works fine, if i tether tombile connection to my computer
14:15 < CygniX> I also noticed that mail app wont connect to mail servers either
14:15 < CygniX> my own hosted mail server, but connects to say openmailbox.org fine
14:18 <@plai> for the computer the xlat464 feature probably kicks in
14:18 <@plai> about the mail app, no idea why that is broken
14:19 <@plai> Vpn Apps connecting to a  literal IPv4 instead of hostname on IPv6 only APNs is expected/known to fail
14:19 <@plai> since xlat464 does not work there
14:19 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:21 < CygniX> this was not an issue with 4.2.2 it seems
14:21 <@plai> yeah
14:21 <@plai> sure
14:22 <@plai> the default for the APN changed from IPv4 to IPv6 in 4.4.2
14:22 < CygniX> there must be a ways to change it
14:22 <@plai> CygniX: yeah, I told you what to do :)
14:23 <@plai> try with a hostname instead of a literal IP address
14:24 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
14:24 < CygniX> meaning i have to get a domain name
14:24 <@plai> that may or may not work
14:24 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
14:25 <@plai> CygniX: for a short test, I cna provide you a testdomain
14:25 <@plai> so we can see what happens then
14:26 < CygniX> how would this works
14:28 <@plai> you put in remote host test-cygni.blinkt.de instead of 209.141.53.252
14:28 <@plai> and see what happens
14:28 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Ping timeout: 264 seconds]
14:28 < CygniX> have you set that urn to that ip?
14:28 < CygniX> url
14:29 <@plai> yes
14:29 <@plai> host test-cygni.blinkt.de
14:29 <@plai> test-cygni.blinkt.de has address 209.141.53.252
14:29 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
14:30 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
14:31 < CygniX> plai: it connected
14:32 <@plai> CygniX: nice
14:32 -!- altker128 [~vr@bitblit.mit.edu] has quit [Quit: Konversation terminated!]
14:32 <@plai> can you forward me the log?
14:36 < CygniX> weird, sending to log failed, but if i connect to my wifi, it will send
14:37 <@plai> the alternative approach you try is to set the APN from IPv6 to IPv4
14:37 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:38 < CygniX> did you receive the log?
14:40 <@plai> yes thanks
14:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fzgkuoxmokwizxdp] has quit [Quit: Connection closed for inactivity]
14:44 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
14:46 <@plai> from the log all looks fine now
14:47 -!- cesurasean1 [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
14:47 < cesurasean1> hey guys. i can connect from my router to my windows server 2k8R2 openvpn server just fine, but when go to surf the internet, it wont load anything.
14:48 < cesurasean1> im using push "redirect-gateway" as well, and no success.
14:49 <@ecrist> add def1 after that
14:49 <@ecrist> so
14:49 <@ecrist> push "redirect-gateway def1"
14:49 <@ecrist> make sure your router is setting outbound NAT on VPN clients so there's a valid return path, as well
14:51 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:52 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Client Quit]
14:55 -!- joshh20-Away is now known as joshh20
14:57 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
15:04 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
15:13 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
15:22 < cesurasean1> ecrist, i tried def1 after that, same thing.
15:22 < cesurasean1> what do you mean to check if setting outbound NAT on vpn clients?
15:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 252 seconds]
15:29 -!- piem [~piem@coconut.piem.org] has joined #openvpn
15:30 < piem> hi all. is there a way to set up an osx mountain lion machine as an openvpn client?
15:31 < piem> i followed the steps described here to set it up on debian, works great: https://wiki.debian.org/OpenVPN
15:31 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
15:31 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
15:32 < piem> but i don't know how to get a darwin machine to grok all that. specifically, the vpn wizard thing doesn't seem to want my certs
15:34 <@plai> !tunnelblick
15:34 <@vpnHelper> "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
15:37 < piem> plai: cool, thx!
15:38 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
15:42 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
15:47 -!- mattock is now known as mattock_afk
15:48 < cesurasean1> ecrist, ?
15:48 < cesurasean1> how do i get windows server openvpn to redirect?
15:48 < cesurasean1> if the push is not working?
15:49 <@krzee> !winnat
15:49 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows or (#2) http://www.nanodocumet.com/?p=14 for windows XP or (#3) https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
15:50 -!- Aliekezhi [~Aliekezhi@80.215.84.78] has quit [Quit: Leaving]
15:50 -!- Aliekezhi [~Aliekezhi@80.215.84.78] has joined #openvpn
15:55 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:00 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
16:01 -!- Aliekezhi [~Aliekezhi@80.215.84.78] has quit [Remote host closed the connection]
16:02 < cesurasean1> krzee, I enabled NAT, and still same problem.
16:02 < cesurasean1> cant load any webpages.
16:03 <@krzee> !redirect
16:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:03 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:03 <@krzee> try the flowchart at the final link
16:03 -!- dazo is now known as dazo_afk
16:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:05 < KarlBauman> I have few problems with OpenVPN client service which make it unusable. If I reconnect wireless network or if system goes to sleep, VPN does not reconnect
16:05 < cesurasean1> i cant ping google, but can ping it's ip.
16:05 < cesurasean1> krzee, ?
16:06 < cesurasean1> dns is my problem the flowchart says.
16:06 < cesurasean1> how do i fix that?
16:06 <@krzee> !dns
16:06 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
16:06 < cesurasean1> !pushdns
16:06 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
16:06 <@krzee> you can use one of those nameservers on the client, or push dns info
16:06 < cesurasean1> i have tried dhcp-option push 8.8.8.8
16:06 < cesurasean1> doesnt work.
16:07 <@krzee> what os is the client?
16:07 < KarlBauman> have you tried ipconfig /release and ipconfig /renew ?
16:07 < KarlBauman> sometimes it helps me
16:07 -!- quba is now known as Su7
16:08 <@krzee> if the helps then --register-dns in the client config should fix it
16:09 < KarlBauman> so I guess, there is no workaround for my client service problem..? :(
16:10 <@krzee> sure there is
16:10 <@krzee> !keepalive
16:10 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
16:12 < cesurasean1> krzee, can load google now, but nothing else.
16:12 < cesurasean1> and i can search google.
16:12 < cesurasean1> but msn, nothing else works!
16:12 < KarlBauman> google uses SSL
16:12 <@krzee> ipconfig /help
16:13 <@krzee> there should be something about reloaddns or soemthing
16:13 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
16:13 <@krzee> i dont have windows so i cant look
16:13 < KarlBauman> you mean ipconfig /flushdns
16:13 <@krzee> yep
16:13 -!- Cpt-Oblivious [chatzilla@31.151.71.109] has joined #openvpn
16:14 -!- ACKNAK [~Celestial@broadband-5-228-253-21.nationalcablenetworks.ru] has quit [Quit: Leaving]
16:14 < cesurasean1> same issue still. can search google, and go to google, but cant load any of google's results.
16:14 <@krzee> is that also a dns issue?
16:15 <@krzee> test it the same way
16:15 < cesurasean1> what do you mean test it the same way?
16:15 < cesurasean1> how do i fix it?
16:16 < KarlBauman> cesurasean1, can you type in cmd: nslookup bing.com
16:17 < KarlBauman> and tell what it answers?
16:22 <@krzee> yes ^
16:22 <@krzee> basically, ping something by ip and by hostname
16:23 <@krzee> does it work by IP and not by hostname?
16:24 < cesurasean1> yes.
16:24 <@krzee> dns is still your problem, what nameserver is the client using?
16:25 <@krzee> and what OS is the client using?
16:26 < cesurasean1> the client is using the router as DNS, and the router is a client for openvpn.
16:26 <@krzee> i see, is the router running dnsmasq?
16:26 < cesurasean1> not sure. it's an ASUS firmware.
16:27 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:27 < cesurasean1> i got disconnected from the host. so i will have to come back here, i guess.
16:27 < cesurasean1> be back in a few hours.
16:27 <@krzee> well if you cannot ssh into the router then you need to have the machine change its DNS to 8.8.8.8
16:28 <@krzee> instead of taking dns from dhcp
16:28 <@krzee> or in router config you may be able to use 8.8.8.8 and stop using !pushdns
16:28 <@krzee> basically, you cannot use your ISP dns server when connecting over VPN
16:29 <@krzee> because the dns requests come from vpn_server which isnt on the ISP subnet, so is not allowed to get dns
16:31 < KarlBauman> back to my problem - it looks like --keepalive just deals with timing of reconnects, but in my case Client never reconnects, it tries, but unsuccessfully
16:32 <@krzee> do you have:
16:32 <@krzee> nobind
16:32 <@krzee> persist-key
16:32 <@krzee> persist-tun
16:32 <@krzee> resolv-retry infinite
16:32 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
16:33 <@krzee> in your client config?
16:33 < KarlBauman> http://pastebin.com/GTrDq4SS
16:34 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
16:34 <@krzee> !configs
16:34 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:34 <@krzee> pls post it without comments
16:34 < KarlBauman> sorry, I am on windows :)
16:35 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
16:35 -!- Cpt-Oblivious [chatzilla@31.151.71.109] has quit [Read error: Connection reset by peer]
16:35 < KarlBauman> only thing that solves problem is stopping service and then starting it again
16:38 < KarlBauman> comments removed http://pastebin.com/B16CKdVx
16:39 -!- lnb [~lnb@CPE000347b24a71-CM602ad06bec2f.cpe.net.cable.rogers.com] has joined #openvpn
16:40 <@krzee> you really running with no auth/cipher?
16:40 <@krzee> why even use openvpn?
16:40 <@krzee> you have a super heavyweight GRE tunnel
16:40 < KarlBauman> I will turn it on later
16:40 < lnb> office lan and 1 remote client have same subnet. Remote client windows cannot find //server on office lan. How can this be resolved?
16:41 -!- cizra [~cizra@lambdatron.undo.it] has left #openvpn []
16:41 < lnb> in the .conf have it set to push office subnet to remote clients
16:42 <@krzee> lnb, if you have those entries in dns you can push that dns server to clients, if you have a wins server you can push that to clients
16:42 <@krzee> !wins
16:42 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:42 <@krzee> its literally 1 line in samba config
16:42 -!- roma_ [~roma@tweezer.apistune.com] has joined #openvpn
16:44 < lnb> krzee: i dont follow you... the other remote clients have NO issue with //server/share (windows finds the server) its only one client that happens to have the same subnet at home as is with the office lan (192.168.1.0)
16:44 < CygniX> does openvpn connect not take ipv6 address?
16:45 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 245 seconds]
16:45 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
16:45 -!- roma [~roma@198.199.116.181] has quit [Ping timeout: 245 seconds]
16:46 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
16:47 < lnb> krzee: i have in server.conf: push "route 192.168.1.0 255.255.255.0" push "dhcp-option DNS 192.168.1.2"
16:47 < lnb> push "dhcp-option WINS 192.168.1.2"
16:47 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-lwgfcfktarcanwqz] has quit [Ping timeout: 245 seconds]
16:47 -!- APTX| [~APTX@unaffiliated/aptx] has joined #openvpn
16:47 -!- APTX|_ [~APTX@unaffiliated/aptx] has joined #openvpn
16:47 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Ping timeout: 245 seconds]
16:47 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
16:47 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 264 seconds]
16:48 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
16:49 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-tdzclxwylnodcbuk] has joined #openvpn
16:49 -!- bogie [bogie@2001:4ba0:fffd:65::101] has joined #openvpn
16:49 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
16:49 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Ping timeout: 264 seconds]
16:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:50 < cesurasean1> hey guys. i have a centos server with the same issue. no internet. ive tried to run this but no luck! - [root@charter ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE
16:50 < cesurasean1> iptables: No chain/target/match by that name.
16:51 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
16:51 < KarlBauman> whats that? -o venet0:0
16:52 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
16:52 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
16:56 < CygniX> cesurasean1: does 'venet0:0' exist on your server?
16:57 < CygniX> https://community.openvpn.net/openvpn/wiki/IPv6 does not make sense to me
16:57 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
16:58 < cesurasean1> yes it does exist.
16:58 -!- piem [~piem@coconut.piem.org] has left #openvpn []
16:58 < CygniX> I have native IPv6 on the server and trying to set openvpn on that IP but that howto is unclear
16:59 < CygniX> cesurasean1: do you mind pasting output of ifconfig -a
16:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:59 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:00 < CygniX> you can remove your mac id and real ip if you want
17:04 < pekster> cesurasean1: That's not an interface. You want #Netfilter, but aliases are _not_ interfaces. In fact they're about 10 year old networking. Don't use old and broken networking on Linux
17:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
17:04 < pekster> If you're unlucky enough to be using openvz, see the bot's links at !openvz, but it's often less painful to use proper virt solutions instead
17:05 < CygniX> !ipv6
17:05 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
17:08 < pekster> Also, ifconfig sucks (on Linux. Do use it on platforms where it's still current.)
17:08 < pekster> !ifconfig_linux
17:08 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
17:11 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:13 < KarlBauman> still nobody with solution to my non-reconnecting Client service problem?
17:15 < CygniX> to get ipv6 working, I have to add to server.conf file, server-ipv6 [the server ip] only?
17:16 < pekster> CygniX: Once you have a routable /64 (an _unused_ /64) routed to your VPN server, add the directives shown and the tunnel has IPv6
17:16 < pekster> Yea, basically. That's simply a helper-directives that does all the real work as the wiki page demonstrates
17:18 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
17:19 < CygniX> pekster: the directive is a bit confusing. what if I dont have a /64 pool
17:19 < pekster> Call your ISP and demand they suck less
17:19 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
17:19 < pekster> This should be explained in "Details: IPv6 routed block"
17:19 < CygniX> vp gives me 2 ipv6 address
17:19 < pekster> Was there a particular part of that you got hung up on?
17:19 < CygniX> vps that is
17:20 < pekster> Then they're assholes
17:20 < pekster> Find an ISP that has a clue-by-four
17:20 < pekster> Ref: RFC6177
17:20 < pekster> You're paying people who have no care in the world about following Internet standards; they likely do other stuff very wrong too
17:21 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Client Quit]
17:21 < CygniX> pekster: the problem could be my lack of understanding
17:21 < pekster> #ipv6 might be able to help more
17:22 < CygniX> on one vps, i have 16 ipv6 address
17:22 < pekster> Right, they're idiots
17:22 < pekster> If you're not routed a sane netblock per RFC6177 (and they don't give you one if you explain and ask nicely) they stop giving them money for doings things wrong
17:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:23 < pekster> It should be trivial to get a /56 (or at least a /60) routed to you. If not, find people who know how the Internet works
17:23 < CygniX> one gives me 5, lol
17:23 < CygniX> another give /112
17:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
17:23 < pekster> It's called "fucking customers"
17:24 < pekster> ask #ipv6 how routable netblocks work, but the tl;dr is that you can generally assume that 1 network == 1x /64. If you're routing multiple networks, you need a considerably larger netblock (generally a /56) routed to you
17:25 < pekster> You can get a /48 for free with tunnelbroker.net or sixxs.net
17:25 < pekster> Why the hell wouldn't you be able to get a /56 at minimum from people you pay?
17:26 < CygniX> they probably figured most customers dont care about ipv6
17:27 < pekster> "Never assume mallicous intent when the answer is explained by incompetence." They're likely just clueless ;)
17:27 <@krzee> on ya lnb sharing a lan over vpn when on the same subnet is a problem
17:27 < lnb> no kidding
17:27 <@krzee> you should change the shared lan to something less common
17:28 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
17:28 < lnb> that would involve a ton of work. I wanted to change the one home users lan instead
17:28 < pekster> And run into that problem when they go to a wifi cafe? :P
17:28 < pekster> !randomsubnet
17:28 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
17:28 < pekster> re-numbering isn't _that_ hard..
17:28 <@krzee> that'll work for that one user that one time, but many road warriors will have this problem
17:29 < CygniX> i think will give up on ipv6 for now
17:29 < lnb> but trying here with a dlink wireless access point, I had to put on our gateway server another alias IP of 192.168.2.0/24 for any notebook to get out. I doubt this person has a FreeBSD server in thier house to do this.
17:29 < CygniX> need to find out how to set tmobile device to use default ipv4
17:30 < lnb> i should have put the office lan as 192.168.100.0/24
17:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:30 <@krzee> thats even too common
17:30 < lnb> really
17:30 <@krzee> !randomsubnet
17:30 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
17:30 < lnb> wow
17:31 < lnb> ok 192.168.214.0/24
17:31 < pekster> Humans are very bad at being "random"
17:31 < pekster> Your PRNG isn't
17:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
17:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:35 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
17:36 < CygniX> pekster: i just found out one of the vps  though it only give me 16 ipv6 address, it has an option there for me to get  /64 pool
17:36 < CygniX> at least we know he is competent :P
17:36 < pekster> Marginally
17:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:36 < lnb> what a nitemare this is going to be
17:36 < pekster> /64 should be the default with a /56 on request
17:36 < pekster> 1 _routed_ /64, that is (in addition to whatever the uplink is)
17:37 < pekster> Brain-dead ISPs put "your /64" on-link, which is also criminally stupid
17:41 -!- xup [~xup@unaffiliated/othermth] has joined #openvpn
17:42 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
17:42 < xup> Hi, I'm trying to create and standalone server, and I'm getting this error: openvpn --mktun --type tun --dev tunX --user xup --group xup
17:42 < xup> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: type (2.3.2)
17:42 < xup> I'm not a native english speaker...
17:42 <@krzee> --type is not an option
17:43 < xup> krzee, I got this at: http://openvpn.net/index.php/open-source/documentation/howto.html#security
17:43 <@vpnHelper> Title: HOWTO (at openvpn.net)
17:43 < xup> admins, please correct it
17:43 < xup> the right is:
17:43 < xup> --dev-type
17:44 <@krzee> thanks, i will make a ticket
17:45 < xup> krzee, not, thank you
17:46 < xup> krzee, there's also --enable-iproute2, it doesn't exists
17:47 < xup> aparently, openvpn already uses it by default
17:47 < pekster> That's a compile option and it does exist
17:47 <@krzee> that may be a configure option
17:47 <@krzee> ya ^^
17:48 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
17:48 < xup> yes
17:50 <@krzee> https://community.openvpn.net/openvpn/ticket/381
17:50 <@vpnHelper> Title: #381 (slight bug in howto (--type)) – OpenVPN Community (at community.openvpn.net)
17:51 < xup> krzee, thanks
17:52 <@krzee> np
17:52 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
17:54 < xup> anyway to use openvpn and scramble suits?
17:55 <@krzee> whats scramble suits?
17:57 < xup> krzee, openvpn protocols, it could be reckognized by DPI
17:57 < xup> scramble suits will scramble it's traffic so it can't be blocked
17:57 < pekster> You want to read:
17:57 < pekster> !obfs
17:57 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used.
17:57 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
17:58 < pekster> xup: Basically openvpn in TLS makes no effort to hide itself. You can get some protection against that by using static-key encryption in openvpn. If you do that, you give up some advanced security: you lose the perfect-forward-secrecy, but no one will know it is openvpn
17:59 < xup> pekster, I don't want lose PFS
17:59 < xup> pekster, best using obfs
17:59 < xup> thanks
18:07 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
18:07 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
18:14 -!- klein [~klein@187.85.183.105] has joined #openvpn
18:14 -!- klein [~klein@187.85.183.105] has quit [Changing host]
18:14 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
18:16 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ietljwnygjagiiuk] has joined #openvpn
18:16 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
18:24 -!- SoWhat [~SoWhat@81.198.10.40] has joined #openvpn
18:25 < SoWhat> Any ideas why OpenVPN client Daemon service eats 32% of my i5 CPU ?
18:26 < SoWhat> and shows that it is connected to VPN, but there is no internet
18:28 < xup> I have other question, openvpn user needs more permissions at sudoers, it's using iproute2, but I think that's not sufficient
18:29 -!- dyer [~dyer@ec2-107-21-15-145.compute-1.amazonaws.com] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
18:32 -!- occupant [~null@204.14.158.226] has quit [Ping timeout: 255 seconds]
18:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:39 < SoWhat> I uninstalled community edition and installed commercial edition and now I see why it eats 32%
18:39 < SoWhat> client is sending out somewhere data in enourmous speed, something like 500Megs per second
18:40 < SoWhat> no data ir comming in
18:42 < SoWhat> and no traffic is visible in task manages, only OpenVPN AS client https://www.dropbox.com/s/3pha9tkkq6aht6q/Screenshot%202014-03-26%2001.41.35.png
18:42 <@vpnHelper> Title: Dropbox - Screenshot 2014-03-26 01.41.35.png (at www.dropbox.com)
18:43 <@krzee> !download
18:43 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
18:43 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
18:43 < SoWhat> I tried both clients and they both act the same
18:44 <@krzee> both?
18:45 < SoWhat> community and access server
18:46 < SoWhat> I started having problems with high CPU usage on OpenVPN GUI, so I uninstalled it
18:46 < SoWhat> and installed this orange one
18:46 < pekster> !as
18:46 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
18:46 < SoWhat> and they both eat 32% of cpu
18:46 < pekster> the "orange one" is closed-source and not using any of the codebase openvpn is
18:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
18:47 < pekster> !speed
18:47 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
18:47 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
18:47 < pekster> Chances are you're simply saturating a core, though ideas there
18:49 < SoWhat> it starts only after connecting to vpn server
18:50 < SoWhat> If I disconnect, goes back to 0%
18:50 < pekster> No shit. In unrelated news, you sweat a lot when you run hard
18:50 < pekster> (or, marginally-related)
18:51 < cesurasean1> krzee, how do i fix this server thats only loading google pages?
18:51 < SoWhat> and internet stops working when I connect to VPN, no dns, no web browsing, no skype
18:51 < pekster> OpenVPN doesn't care one bit about that; it's a router
18:52 < pekster> !goal
18:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:53 < pekster> Also review !configs, !logs, and put them on a single place along with a clear description of your goal
18:53 < SoWhat> I will try to reboot :) maybe it will help
18:53 -!- SoWhat [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
18:54 < pekster> Must be in. I'm sure that's what the unread references said to do!
18:54 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has joined #openvpn
18:54 -!- Olipro [~Olipro@d.e.r.p.6.a.1.0.d.d.0.7.2.0.1.0.a.2.ip6.arpa] has quit [Changing host]
18:54 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:55 < cesurasean1> actually, when i ping google, it doesn't work.
18:56 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
18:56 < cesurasean1> cannot seem to ping 8.8.8.8 either.
18:57 < SoWhat> okay, my problem is solved with reboot :D
18:58 < xup> !permissions
18:58 < xup> !sudoers
18:58 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
18:58 < pekster> xup: What are you trying to do? OpenVPN generally requires root permision (though you can drop it after initilization with --user and --group)
18:59 -!- altker128 [~vr@bitblit.mit.edu] has joined #openvpn
18:59 < xup> pekster, run it at unprevilegied user
18:59 < pekster> Don't do that
18:59 < xup> pekster, which commands it needs
18:59 < xup> ?
18:59 < altker128> Hey all, two questions.  1. Anyone using Tunneblick on OSX Mavericks?  For some reason DNS pushing doesn't seem to work.  2.  I'm trying to debug an odd TCP routing issue and wanted to see if anyone had advice
18:59 < xup> pekster, yes... you're right...
18:59 < xup> I'll need to put root on it
18:59 < xup> shit!
19:00 < xup> there's no other way?
19:00 < pekster> Use --user and --group, and you probably also need --persist-tun and --persist-key
19:00 < pekster> I just GAVE you the other way
19:00 < pekster> Twice, in fact
19:00 < xup> pekster, I'm already using that dude
19:00 < xup> "openvpn user needs more permissions at sudoers, it's using iproute2, but I think that's not sufficient"
19:00 < pekster> there is no "sudoers" invovled here
19:00 < xup> "ERROR: Cannot ioctl TUNSETIFF tunH/tapH: Operation not permitted (errno=1)"
19:01 < xup> there is
19:01 < pekster> No, not if you do it right
19:01 < xup> withouth sudoers openvpn user couldn't change IP
19:01 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Ping timeout: 252 seconds]
19:02 < pekster> Don't. Use. sudo. Period.
19:02 < cesurasean1> i can ping 8.8.8.8 but cant ping google. whats my issue?
19:02 < pekster> --user and --group _will_ downgrade permission. For you. No sudo need. Don't use sudo. Sudo is the wrong soltuion
19:02 < pekster> I don't know how I can explain this in any shorter words.
19:02 < xup> one sec
19:02 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 246 seconds]
19:03 < cesurasean1> im also using windows server.
19:04 < pekster> (in theory you can run as an unpriveleged user provided that you 1) have a script to set up the device before hand, 2) scrape the needed routes from the env-vars and parse them by hand, 3) use --ifconfig-noexec and --route-noexec, and 4) call custom code that you need to write at --route-up (and most likely --down too.) That is not what you want
19:04 < pekster> Or you could just do what I told you 3 times
19:04 < pekster> Whatever sounds easier.
19:05 < xup> pekster, I'm sorry, you're right
19:05 < altker128> Anyone using OSX Mavericks as an OpenVPN client?
19:05 < xup> I didn't understand
19:05 < xup> but now I do
19:05 < xup> nnes here
19:05 < pekster> `openvpn --user openvpn --group openvpn --persist-tun --persist-key --other --options --here` and you win
19:05 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
19:06 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
19:08 < cesurasean1> can anyone help me with my issue?
19:09 < pekster> !new
19:09 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
19:09 -!- xup [~xup@unaffiliated/othermth] has quit [Ping timeout: 240 seconds]
19:10 < cesurasean1> if i can ping 8.8.8.8 but cannot resolve google.com, what is my issue?
19:10 < pekster> Failure to read, apparently
19:11 < KarlBauman> cesurasean1, go to your router configuration and set up static DNS to 8.8.8.8 and 8.8.4.4
19:12 < KarlBauman> your issue is that your client is using wrong DNS server address
19:12 < cesurasean1> KarlBauman, i just made that change.
19:13 < KarlBauman> now can you confirm that your client DNS server address is 8.8.8.8 ?
19:13 < pekster> You're apparently trying to redirect your traffic over openvpn? Sharing that with the people you're asking help from might do you better in the future
19:13 < pekster> You should follow the info (and helpful flowchart) here:
19:13 < pekster> !redirect
19:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:13 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:13 < pekster> You'll need a DNS server you can access after your adjusted routes
19:14 < pekster> The dns factoids in the help output above will contain more helpful info for you
19:14 < CygniX> pekster: regarding ipv6 setup, a /112 should also suffice right?
19:15 -!- xup [~xup@unaffiliated/othermth] has joined #openvpn
19:15 < pekster> CygniX: A _routed_ /112, yes. And that won't work with the debian versions (or others that might be out there) that use the 2.2.x series "early preview" ipv6 support -- those work with /64 only
19:16 < pekster> The issues are explained at my earlier reference: https://community.openvpn.net/openvpn/wiki/IPv6#Requirements
19:16 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
19:16 < CygniX> i am on debian wtih 2.3.x but throught backport
19:22 -!- xup [~xup@unaffiliated/othermth] has left #openvpn []
19:23 -!- SoWhat [~SoWhat@87.246.136.13] has joined #openvpn
19:23 < altker128> Anyone able to push DNS to an OSX client?  For me, everything else is working
19:24 < SoWhat> btw, I found out when OpenVPN Client starts to eat 32% of CPU - when I connect to another wireless network
19:24 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 246 seconds]
19:24 < pekster> altker128, tunnelblick includes client-side scripts that interface with the Mac's dnsctl utility to do DNS updates
19:24 < altker128> pekster: I've tried playing with the various options but it still didn't seem to successfully set the DNS
19:25 < pekster> Verify you get the dhcp-option DNS stuff in your openvpn logs (it'll be shown at --verb 4, read !verb for details on doing that.) Otherwise maybe add some debugging lines in the shell script that tunnelblick provides? Have it dump each DNS entry it's finding?
19:26 < pekster> In my experience it all just works in tunnelblick so long as it gets the right data pushed to it
19:30 < altker128> pekster: I'm using a specific client-side conf which includes the DNS push option
19:30 < pekster> You can't push "from" the client
19:31 < pekster> You could possibly use --dhcp-option on the client though
19:31 < altker128> pekster: I meant in the client config
19:31 < altker128> push "dhcp-option DNS 192.168.0.1"
19:31 < pekster> Nope, you can't do that on the client
19:31 < altker128> In the client-configs folder
19:31 < altker128> on the server
19:31 -!- SoWhat [~SoWhat@87.246.136.13] has quit [Ping timeout: 252 seconds]
19:32 < pekster> Ah, okay. I'd still check the --verb4 output on the client to make sure it gets it
19:32 < pekster> (typos or case-sensitive issues have broken that before)
19:32 < pekster> !logs
19:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:32 < pekster> Toss that to a patebin if you're unsure
19:34 < CygniX> pekster: could you kindly explain lines 3 and 4 under Add the following to a functioning OpenVPN config: in https://community.openvpn.net/openvpn/wiki/IPv6
19:34 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
19:35 < CygniX> ifconfig-ipv6 and ifconfig-ipv6-pool lines in general
19:35 < altker128> The other issue
19:35 < altker128> My client connects successfully via openvpn and I can route all traffic, etc.  On my LAN I have a bunch of servers and the openvpn client can reach any freebsd servers, but not the Linux based ones.  If feels like something simple has been missed on the router/gateway side of things
19:36 < altker128> My setup is basically following "Using routing and OpenVPN not running on the default gateway" from https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
19:36 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
19:40 -!- pjschmitt [~parker@209.141.56.12] has quit [Ping timeout: 264 seconds]
19:40 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
19:47 < altker128> hrm
19:47 < altker128> I think my issue is that the Linux server is trying to do a lookup on the openvpn client and the default gateway(router) returns NXdomain
19:47 -!- joshh20 is now known as joshh20-Away
19:49 < altker128> Any suggestions?
19:49 < altker128> 00:19:48.485897 IP wiki.loco.55569 > icabod.loco.domain: 24739+ PTR? 21.0.8.10.in-addr.arpa. (40)
19:49 < altker128> 00:19:48.486282 IP icabod.loco.domain > wiki.loco.55569: 24739 NXDomain 0/0/0 (40)
19:51 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Quit: Leaving]
19:54 < pekster> CygniX: Same as the non-ipv6 counterparts: the first sets addressing and the 2nd sets the pool from which addresses are issued to clients
19:54 < pekster> altker128: Fix your DNS? OpenVPN doesn't have anything to do with DNS
19:54 < pekster> If you don't like the reply your DNS server is giving, fix it?
19:56 < CygniX> pekster: you are saying that each client will be issued an external IP instead of local? that seems rather strange
19:56 < pekster> You apparently don't have a reverse record for 10.8.0.21 in the in-addr.arpa zone at icabod.loco.domain
19:56 < pekster> CygniX: That's the magic of IPv6
19:58 < CygniX> hmmm
19:59 < pekster> You can use ULA IP space, but if you're doing that you probably don't need a VPN in the first place
20:00 < pekster> #ipv6 is a better place to ask basic questions like "why does everything get a globally-routable IP" and "why don't we need NAT" as these are basic concepts
20:00 < CygniX> I could not ask that question because I did not even understand the point you explained
20:01 < CygniX> now that you mentioned it, that question could be asked
20:01 < pekster> But not here ;) here it's assumed you know the basics. Gotta learn to crawl before you can learn to skydive. Or something.
20:03 < CygniX> you are right, though, the initial prompt has to do with openvpn and ipv6
20:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-oyeqcfmyvtyppgxm] has quit [Quit: Connection closed for inactivity]
20:08 < pekster> Use global addresspace. Doing otherwise assumes you are an expert and Know What You're Doing™
20:13 -!- bitvilag [~HUNbitvi@62-165-198-139.pool.digikabel.hu] has joined #openvpn
20:13 < bitvilag> hey everyone
20:14 < bitvilag> i am wondering if its possible to masq a netowork to a different network like 192.168.122.1 becoming 192.168.123.1 because I have already a 192.168.122.1 in my routing table and it would be conflicting
20:15 < pekster> So fix the network?
20:15 < bitvilag> what do you mean?
20:15 < pekster> Bi-directional NAT is rarely the right (and obviously not the proper) solution
20:15 < pekster> Don't use identical networks. Problem solved
20:15 < bitvilag> so what would be?
20:15 < bitvilag> yeah but its alreaddy done
20:15 < bitvilag> I know now
20:15 < pekster> So renumber 1?
20:16 < bitvilag> but these are virtual networks with vms that I cant even reboot...
20:16 < bitvilag> but I would like to reach it from home
20:17 < bitvilag> there is two servers with 192.168.122. subnet and well I managed to attach it with vpn through several vms... but I am not sure how to attach a network that is conflicting
20:17 < bitvilag> are*
20:17 < bitvilag> by the way openvpn is far the best I have ever used...just love it:)
20:18 < pekster> This isn't an openvpn problem. At best it's a "how do I do awful and broken things with NAT" problem
20:18 < bitvilag> so openvpn wont be able to solve the conflict
20:19 < bitvilag> I would prefer not to use nat at all
20:19 < pekster> Then fix your broken networking
20:19 < pekster> Those are your 2 choices
20:19 < bitvilag> no other.
20:20 < pekster> Nope. You can look at openvpn's --client-nat option, but I've never used it, and it's doing the same silly bi-directional NAT you could do in the OS anyway
20:20 < bitvilag> naaah no NAT
20:21 < bitvilag> so far i managed with route alone
20:22 < bitvilag> i never thought of connecting my home network with office servers but now since I can work from home seemed a good idea
20:27 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 246 seconds]
20:41 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
20:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
21:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ietljwnygjagiiuk] has quit [Quit: Connection closed for inactivity]
21:03 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
21:10 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
21:11 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn ["Leaving"]
21:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
21:16 -!- bitvilag [~HUNbitvi@62-165-198-139.pool.digikabel.hu] has quit []
21:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:25 -!- converge [~converge@189.7.3.101] has joined #openvpn
21:25 -!- converge [~converge@189.7.3.101] has quit [Changing host]
21:25 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:27 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has joined #openvpn
22:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 246 seconds]
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:43 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
22:50 < CygniX> pekster: do you mind if you bug you again?
22:52 -!- altker128 [~vr@bitblit.mit.edu] has left #openvpn ["Konversation terminated!"]
22:58 -!- funyun_ [~temp@173.208.81.19] has joined #openvpn
22:58 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
23:08 < CygniX> I added the following to server.conf  and openvpn connect fails, but openvpn for android succeeds, tun-ipv6; push tun-ipv6; ifconfig-ipv6 2605:6400:20:4f80::1 2605:6400:20:4f80::2; ifconfig-ipv6-pool 2605:6400:20:4f80::8000/64
23:11 < CygniX> I am still connecting via ipv4 to be clear, and the openvpn connect error is "Tun interfaces setup failed: option_error: onl topology 'subnet' supported with ipv6"
--- Day changed Wed Mar 26 2014
00:08 < CygniX> plai: I figured out why the email server was not working regarding our earlier discussion on tmobile ipv6  nat46 switch. dovecot was not configured to listen on ipv6  addresses
00:18 -!- lj1 [~l@192.241.174.169] has joined #openvpn
00:20 -!- lj [~l@c-50-158-105-68.hsd1.il.comcast.net] has quit [Read error: Operation timed out]
00:26 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
00:28 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
00:28 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
00:37 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 265 seconds]
00:52 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
00:52 -!- Devastatr [~devas@186.214.14.39] has joined #openvpn
01:39 -!- lj [~l@74.120.200.95] has joined #openvpn
01:45 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:45 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:45 -!- soapee01 [~soapee01@24-155-219-177.dyn.grandenetworks.net] has quit [Ping timeout: 255 seconds]
01:56 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
02:10 -!- APTX|_ [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
02:12 -!- Devastator [~devas@177.18.197.78] has joined #openvpn
02:13 -!- Devastatr [~devas@186.214.14.39] has quit [Ping timeout: 240 seconds]
02:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:34 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:36 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
02:41 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
02:54 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
02:56 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
03:03 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 265 seconds]
03:03 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
03:04 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 246 seconds]
03:05 -!- Karl_Bauman [~SoWhat@87.246.136.13] has joined #openvpn
03:07 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:08 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 240 seconds]
03:11 -!- ade_b [Ade@redhat/adeb] has joined #openvpn
03:11 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 245 seconds]
03:15 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
03:17 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
03:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
03:22 < Karl_Bauman> is there any alternative to openvpn clients? none of them works normally after Waking pc from sleep.
03:23 < Karl_Bauman> of course, problem might also be with TAP driver
03:23 < Karl_Bauman> which they are using
03:23 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
03:33 -!- AlexPortable [uid7568@gateway/web/irccloud.com/session] has joined #openvpn
03:34 -!- AlexPortable [uid7568@gateway/web/irccloud.com/session] has quit [Changing host]
03:34 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-otdwjinouwirsyms] has joined #openvpn
03:35 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 255 seconds]
03:35 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
03:44 <@krzee> !download
03:44 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
03:44 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
03:44 <@krzee> you using the windows client from there?
03:44 <@krzee> or the "openvpn client" ?
03:57 < Karl_Bauman> this one http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.2-I003-x86_64.exe
03:59 < Karl_Bauman> and I have tried also this one http://swupdate.openvpn.net/downloads/openvpn-client.msi
03:59 < Karl_Bauman> they both hang up after Sleep
04:00 < Karl_Bauman> I have Windows 8.1 64bit
04:04 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-nzxnhfpsdfzuviod] has quit [Quit: Connection closed for inactivity]
04:06 < Karl_Bauman> I installed OpenVPN client for Android, it works really nice
04:06 < Karl_Bauman> I wish that Windows clients could work the same
04:07 < Karl_Bauman> You just install, and forget about it
04:09 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 246 seconds]
04:09 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
04:10 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
04:15 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:15 <@plai> Karl_Bauman: thanks :D
04:15 < Karl_Bauman> did you make it? :D
04:18 <@plai> yes
04:18 < Karl_Bauman> nice work! :)
04:24 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
04:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
04:27 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
04:28 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
04:30 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
05:07 <@krzee> Karl_Bauman, i guess the only thing i can suggest is putting in a ticket at community.openvpn.net
05:08 < Karl_Bauman> thanks :)
05:19 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
05:24 < Karl_Bauman> ha haa, here's a ticket about the same problem http://community.openvpn.net/openvpn/ticket/71
05:25 <@vpnHelper> Title: #71 (Windows 7 (and Vista) - tunnel fails after resume from Sleep/Standby) – OpenVPN Community (at community.openvpn.net)
05:27 -!- mattock_afk is now known as mattock
05:27 < Karl_Bauman> 3 years old :D
05:42 -!- novaflash [~novaflash@its.novaflash.nl] has quit [Changing host]
05:42 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
05:42 -!- mode/#openvpn [+o novaflash] by ChanServ
05:58 -!- Karl_Bauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 265 seconds]
05:58 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
06:05 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 240 seconds]
06:26 -!- dazo_afk is now known as dazo
06:42 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has joined #openvpn
06:48 -!- lnb [~lnb@CPE000347b24a71-CM602ad06bec2f.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
06:49 -!- mattock is now known as mattock_afk
06:57 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
07:14 -!- funyun_ [~temp@173.208.81.19] has quit [Ping timeout: 265 seconds]
07:16 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:18 -!- mattock_afk is now known as mattock
07:20 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Remote host closed the connection]
07:22 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:22 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:22 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:39 < UukGoblin> if you set an ifconfig-push with an IP in a CCD, can a client override it?\
07:48 -!- Devastator [~devas@177.18.197.78] has quit [Changing host]
07:48 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
07:52 <@ecrist> yes
07:52 <@ecrist> --no-pull
08:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
08:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:11 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
08:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 245 seconds]
08:18 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:21 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
08:23 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 245 seconds]
08:39 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Remote host closed the connection]
08:40 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
08:42 < Mathias> "pull my finger"
09:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:04 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
09:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:04 -!- Tool_Fan [~Tool_Fan@vpn-router1.dur1.host-h.net] has joined #openvpn
09:06 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
09:17 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:26 < ACKNAK> hey, question. how stable is openvpn connection from client? do I have to use some kind of script which checks connection and restarts openvpn or should it be fine by default?
09:26 < ACKNAK> linux to linux
09:26 < ACKNAK> openvpn 2.3.2
09:27 <@ecrist> this is covered in the man page
09:27 <@ecrist> !keepalive
09:27 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
09:27 < ACKNAK> not sure if it is
09:27 <@ecrist> yes it is
09:28 < ACKNAK> I hope!
09:28 <@ecrist> the only reason you wouldn't be sure is if you didn't try to look in the manual
09:28 < ACKNAK> nope
09:28 -!- ACKNAK was kicked from #openvpn by ecrist [try again]
09:29 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:35 < ACKNAK> ecrist, manual would never say if there is some kind of bugs, keepalive worked fine for me, but I want to know if there been any problem with it.
09:36 <@ecrist> you didn't ask about bugs
09:36 <@ecrist> you are welcome to search the project bug trac
09:36 <@ecrist> but if it's working, why do you care?
09:36 < ACKNAK> it works with good network
09:38 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
09:46 -!- defswork [~andy@141.0.50.105] has joined #openvpn
09:59 <@dazo> ACKNAK: I have several 24/7 tunnels open between different sites ... as long as the ISP connection is stable, OpenVPN lives ... and with proper --keepalive settings on the servers, clients will reconnect automatically whenever needed
09:59 < ACKNAK> dazo, thats what I wanted to hear :) thanks
09:59 <@dazo> stability has never really been an issue with OpenVPN itself .... when there's been instabilities, that's usually caused by ISPs or poorly written openvpn plug-ins
10:00  * ACKNAK stares at his crapcode
10:01 <@dazo> Please note I distinguish between plug-ins and using script-hooks .... script-hooks can of course cause troubles too, but it's hard to make openvpn crash .... plug-ins can make openvpn crash
10:01 -!- ron_ [~ron@ppp118-210-185-93.lns20.adl6.internode.on.net] has quit [Ping timeout: 240 seconds]
10:02 < ACKNAK> nice ^^
10:03 -!- ron_ [~ron@ppp121-45-32-191.lns20.adl2.internode.on.net] has joined #openvpn
10:04 < ACKNAK> I only manage routes and block users via tls-verify and learn-address
10:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:05 < ACKNAK> that should not cause much troubles
10:05 <@dazo> usually not
10:08 < ACKNAK> worktime is over here. bb!
10:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
10:10 -!- fletsche [~Adium@p5DC57CC1.dip0.t-ipconnect.de] has joined #openvpn
10:13 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 252 seconds]
10:13 < fletsche> !welcome
10:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:25 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 268 seconds]
10:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:40 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
10:55 -!- esde [~esde@107.150.1.2] has joined #openvpn
10:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
10:58 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:58 -!- mode/#openvpn [+v s7r] by ChanServ
10:59 -!- ade_b [Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:03 -!- master_o1_master [~master_of@p4FD7B069.dip0.t-ipconnect.de] has joined #openvpn
11:04 -!- master_of_master [~master_of@p4FD7B97B.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
11:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
11:10 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
11:11 -!- lj [~l@192.241.174.169] has joined #openvpn
11:11 < CygniX> pekster:  re ipv6 block assignment. I asked my vps provider fo /64 and here was the reply "Unfortunately due to the way SolusVM works, we are only able to assign /128s"
11:17 -!- jpkroehling [~jpkroehli@2001:a60:16d0:ef00:3e97:eff:fe96:48d7] has joined #openvpn
11:23 < jpkroehling> hello! I'm trying to figure out what's wrong with my setup... I have a machine at home, with several virtual machines on it, a couple of them providing services to the internet (mail server and web server, each on its own vm)... those two VMs connect to an openvpn server at digitalocean, which forwards the incoming connections to the proper client (port 25 to the openvpn client used by the mail server, and so on)... my probl
11:23 < jpkroehling> em is that I would like to have a local network connection between my laptop and the VMs, but it seems that all connections received by those machines are replied back via the openvpn server, instead of from where they came from
11:23 < jpkroehling> this is my server configuration: http://pastebin.com/pf39WE1L
11:24 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
11:25 < jpkroehling> and this is my client config: http://pastebin.com/qvnSEuBc
11:25 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:26 < jpkroehling> and this is the iptables rules related to this forwarding:
11:26 < jpkroehling> http://pastebin.com/5SrxDMX8
11:27 < jpkroehling> if I use /etc/hosts to point the mail server hostname to the lan ip, I get a connection timeout, which suggests a firewall issue
11:28 < jpkroehling> running a tcpdump on the mail server, I see the data related to the request, but I'm not experienced enough to go deeper than that :-)
11:30 < jpkroehling> what I *assume* that is happening is that the mail/http servers are receiving the requests via the LAN's interface, but trying to reply via the VPN interface...
11:30 < jpkroehling> btw, this is how the routing table looks like on the http server:
11:30 < jpkroehling> http://pastebin.com/UYA8FXwX
11:37 <@dazo> jpkroehling: just a vague feeling ... maybe you need to use routing tables, so that the traffic from the VPN passed via the VPN and the traffic from LAN is passed back via the LAN
11:37 <@dazo> (rob0 who helped me with a similar setup, tipped me about this)
11:39 <@dazo> (however, I had the opposite problem ... traffic from the VPN exited on the LAN ... but that's just a minor difference)
11:41 <@dazo> jpkroehling: http://pastebin.com/B711p4nU  ... this is my --up/--down scripts on the client
11:42 < jpkroehling> dazo, cool! I'll try that
11:42 <@dazo> jpkroehling: and I've added a routing table called 'vpntunnel' to /etc/iproute2/rt_tables
11:42 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
11:42 <@dazo> jpkroehling: 10.35.82.1 in my scripts is the VPN IP address of the VPN server
11:42 < jpkroehling> dazo, any reason to not use the push "route. .." on the server, but to use the script ?
11:43 <@dazo> jpkroehling: if you have default route going out on the eth0 ... traffic will hit your server on the tun/tap device and the reply will go out on eth0 in my case (because you will have the public IP address of the mail/web client)
11:44 <@dazo> so you need this table to say that traffic coming on the tun/tap device should be routed by default via the same interface
11:44 -!- fletsche [~Adium@p5DC57CC1.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
11:45 < jpkroehling> dazo, got it, but manipulating the routing table sent to the client is the purpose of the push "route" from the server's config, no ?
11:45 < jpkroehling> dazo, line on the line 40 of this: http://pastebin.com/pf39WE1L
11:47 <@dazo> yes, but it takes the "default" routing table ... and only takes traffic going _from_ the client .... in your case, the traffic hits your VPN server, which is PNATted to your VPN clients IP address .... and hits your VPN client with a public IP address (not a private address), thus the reply it will by default exit via the local interface and not the tun/tap device
11:47 < jpkroehling> ha, got it !
11:47 < jpkroehling> makes sense
11:48 <@dazo> it took me some rounds of failing to get it right too :)
11:49 < jpkroehling> dazo, do you mind sharing your /etc/iproute2/rt_tables ?
11:49 < jpkroehling> just the relevant parts, to get an idea on how it would look like for my case
11:49 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:49 <@dazo> jpkroehling: but! I've improved my setup slightly ... I set up nginx as a web proxy on my public VM .... and also set up a separate postfix+spamassassin+amavisd service .... so they filter out all the trash, and only forwards traffic which is more relevant via the VPN
11:50 <@dazo> jpkroehling: echo "1000  vpntunnel" >> /etc/iproute2/rt_tables :)
11:50 < jpkroehling> lol
11:50 < jpkroehling> thanks :D
11:51  * dazo didn't check ... 
11:51 <@dazo> but it was something like that ... just a number and the table name
11:51 -!- Latrina [~Latrina@ppp-198-20.26-151.libero.it] has quit [Remote host closed the connection]
11:52 < jpkroehling> dazo, and ${ifconfig_local}  is the interface (eth0), right ?
11:53 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Remote host closed the connection]
11:53 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 252 seconds]
11:53 <@dazo> it's actually an environment variable openvpn sets for you .... I don't recall now, but I believe it's the local tun/tap device
11:53 < jpkroehling> no, inet prefix :-)
11:53 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
11:53 < jpkroehling> ah, ok
11:54 <@dazo> right ip address
11:54 <@dazo> "The local VPN endpoint IP address specified in the --ifconfig option"
11:54 <@dazo> (from the man page)
12:01 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 245 seconds]
12:06 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-rabfypkwcwzpzmey] has joined #openvpn
12:11 < jpkroehling> dazo, while checking the logs because of the script, I found something interesting... MULTI: bad source address from client [192.168.122.50], packet dropped
12:11 < jpkroehling> this might actually be the cause of my problems :-)
12:11 <@ecrist> try googleing that error
12:12 < jpkroehling> ecrist, yup, am already on the page
12:28 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 264 seconds]
12:33 -!- Aliekezhi [~Aliekezhi@80.215.44.251] has joined #openvpn
12:39 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-eopxegqbgmplpxhn] has joined #openvpn
12:42 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:45 -!- Latrina [~Latrina@95.239.255.156] has joined #openvpn
12:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:56 -!- Latrina [~Latrina@95.239.255.156] has quit [Remote host closed the connection]
12:57 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
12:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
13:13 -!- Latrina [~Latrina@159.20.175.109] has joined #openvpn
13:14 < jpkroehling> dazo, it's working, thanks for the insight, man !
13:15 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: No route to host]
13:20 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
13:27 <@dazo> jpkroehling: cool!
13:29 < jpkroehling> dazo, in the end, it was just stupidity from my part... my local network is on 192.168.1.0/24, the vms are on .122.0/24 , and the default route is .122.1, which knows about .1.0/24
13:29 < jpkroehling> so, I just had to push a route for .1.0/24 via 122.1
13:29 <@dazo> ahh
13:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:54 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
14:04 -!- fletsche [~Adium@p5DC57CC1.dip0.t-ipconnect.de] has joined #openvpn
14:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Connection reset by peer]
14:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:14 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 252 seconds]
14:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
14:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:18 -!- fletsche [~Adium@p5DC57CC1.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
14:20 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
14:22 -!- fletsche [~Adium@p5DC57CC1.dip0.t-ipconnect.de] has joined #openvpn
14:33 -!- Aliekezhi [~Aliekezhi@80.215.44.251] has quit [Ping timeout: 265 seconds]
14:47 -!- Aliekezhi [~Aliekezhi@80.215.20.210] has joined #openvpn
14:49 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:49 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has joined #openvpn
14:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:03 -!- funyun_ [~temp@23.19.138.91] has joined #openvpn
15:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
15:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-eopxegqbgmplpxhn] has quit [Quit: Connection closed for inactivity]
15:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:54 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:57 -!- Aliekezhi [~Aliekezhi@80.215.20.210] has quit [Remote host closed the connection]
15:58 -!- deraps [~ubuntu@ec2-50-18-158-69.us-west-1.compute.amazonaws.com] has joined #openvpn
15:59 -!- deraps [~ubuntu@ec2-50-18-158-69.us-west-1.compute.amazonaws.com] has left #openvpn []
16:06 -!- Latrina [~Latrina@159.20.175.109] has quit [Remote host closed the connection]
16:15 -!- joshh20-Away is now known as joshh20
16:26 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
16:28 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 245 seconds]
16:31 -!- mback2k_ is now known as mback2k
16:35 -!- mback2k is now known as mback2k_
16:37 -!- fletsche [~Adium@p5DC57CC1.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
16:38 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 240 seconds]
16:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
16:57 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
17:12 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:19 < jeev> ie 192.168.1.5/32 table 100, ip route show table 100 shows default gw ip of openvpn target.. if i del that table 100, the 192.168.1.5/32 table 100 is still active however it goes out the main default gateway now..
17:24 < pekster> "del that table" ? as in `ip rule flush table 100` ?
17:25 < pekster> Erm, ip route flush table 100
17:27 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:28 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
17:29 < jeev> yup
17:29 < jeev> pekster, when that happens, it then defaults out the default gateway
17:30 < jeev> even though my ip rule tells it to go out that table, since the table doesn't exist./have a gateway, then it goes out regular ip
17:30 < jeev> how can i block this
17:36 -!- dazo is now known as dazo_afk
17:43 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:44 < pekster> jeev: Righ, that's what happens when no route matches in an empty table: it continues on to the next rule
17:44 < pekster> This procedure is repeated until a matching is found. Perhaps you should use a firewall if you don't want that traffic to go certain places
17:44 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
17:44 < pekster> matching rule*
17:49 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:03 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Read error: Connection reset by peer]
18:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
18:12 -!- CygniX is now known as Persei
18:13 -!- Persei is now known as CygniX
18:19 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
18:38 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:46 -!- converge [~converge@191.199.60.222] has joined #openvpn
18:46 -!- converge [~converge@191.199.60.222] has quit [Changing host]
18:46 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-otdwjinouwirsyms] has quit [Quit: Connection closed for inactivity]
18:59 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
19:06 -!- midacts [~midacts@207.59.77.254] has left #openvpn ["openvpn"]
19:13 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
19:15 -!- converge [~converge@unaffiliated/joaop] has quit [Ping timeout: 268 seconds]
19:17 < pekster> CygniX: You'd best spend your money elsewhere. RFC6177 lays out the provider's obligations pretty clearly
19:18 < CygniX> pekster: most of them don't know how to implement it, because they are using a control panel that does not support it
19:18 < pekster> Then they're idiots
19:18 < pekster> Ask #ipv6 what they recommend for non-idiotic companies if you want it
19:19 < pekster> If not, just understand that you can't ever connect downstream networks and expect them to have routable IPv6 space
19:19 < CygniX> at least 2 request that i have have come back with the same response that they couldn't due to 'control panel' limitation
19:20 < pekster> And I don't care. I'm merely discouraging you from rewarding companies that can't follow standards by becoming a customer
19:27 < CygniX> Unless one is getting a dedicated server, this is just what we have to deal with for now
19:35 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 252 seconds]
19:37 < pekster> Plenty of VPS providers aren't idiots. I know from hanging out in #ipv6 that Linode is one, but there are surely others
19:38 < pekster> My point is you're _choosing_ to spend money with people who can't follow the standards I've refernced, then choosing to try and justify it here, in a channel that helps with OpenVPN. Have I suggested #ipv6 yet if you need help with IPv6 concepts?
19:41 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 265 seconds]
19:42 < CygniX> I would say that am trying to justify it, but just pointing to current reality. Some providers get it right, but right now, most do not.
19:42 < CygniX> I would not say*
19:44 < pekster> "this is just what we have to deal with" is bulshit: it's what you're choosing to deal with. Anything else is, IMO, a justification. fwiw, I idle in #ipv6 too if you'd like a more on-topic discusion of the relevant standards and recommendations
19:45 < pekster> Brokering might be a solution too; #ipv6 can offer pointers on that too, as can their /TOPIC and google
19:50 < CygniX> I am going to take some time to learn mroe about ipv6, i think he offers some help on this
19:51 < CygniX> s/he/hurricane electric
19:55 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 268 seconds]
19:55 < pekster> Yup, HE/SixXS are the 2 largest global v6 brokering options. It's not as nice as native, but it would allow you as much room as you need for things like VPN deployments
19:55 < pekster> (assuming 65,536 /64 networks for your VPNs is enough)
19:56 < pekster> VPN server on every port!
19:59 < CygniX> I use HE for dns and always to dab into ipv6 but maybe this was the motivation needed
20:00 < CygniX> always wanted to*
20:00 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
20:05 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds]
20:12 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
20:12 -!- joshh20 is now known as joshh20-Away
20:13 -!- Netsplit *.net <-> *.split quits: troyt, Dan39, AsadH, Eagleman7, mikemol, phuzion, @krzee, someone, Cultist, Samopotamus,  (+9 more, use /NETSPLIT to show all of them)
20:14 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
20:16 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
20:16 -!- Guest57872 [~marme@li388-49.members.linode.com] has quit [Ping timeout: 240 seconds]
20:40 -!- illusion [~illusion@188.51.190.80] has joined #openvpn
20:42 < illusion>  i need to open port for client how to do it with openvpn ? for example client need to browse local apache from vpn server ip.
20:43 -!- Netsplit over, joins: CygniX
20:43 < pekster> Same way you'd do it without openvpn; ensure your routing is set up properly and allow the traffic past any firewalls involved
20:43 < pekster> Use of unroutable IP space (like RFC1918 for your VPN) will require NAT, as does any use of such IP blocks
20:44 < pekster> Oh, and you'll have a second problem, which is the return traffic; your VPN client with the webserver needs to return the traffic via the same network path
20:45 < pekster> To do that you can either 1) redirect _all_ Internet-bound traffic from the VPN client across the VPN (see the bot's help with that at: !redirect) or 2) set up policy routing on your VPN client to route traffic arriving on the VPN interface back out the VPN's gateway
20:47 < illusion> pekster, i dont understund any thing that you sed :p , i m on ec2 ubuntu server with openvpn server is there a command that i type to forword port ?
20:47 < pekster> Nope, it's more complex than that
20:47 < pekster> If you don't understand fundamental routing concepts you'll be very hard-pressed to set up a somewhat complex multi-homed routing solution
20:47 < illusion> ok if it is openvpn-as ?
20:48 < illusion> same ?
20:48 < pekster> That is a non-GPL commercial solution that is unsupported here. You want:
20:48 < pekster> !as
20:48 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
20:48 < pekster> (and here's a gentle reminder that this information is helpfully included in our channel's /TOPIC)
20:49 -!- AsadH [~AsadH@ZNC.HOPPED.CO.UK] has joined #openvpn
20:49 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
20:49 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
20:49 -!- funyun_ [~temp@23.19.138.91] has joined #openvpn
20:49 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
20:49 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
20:49 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
20:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:49 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
20:49 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
20:49 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:49 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
20:49 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
20:49 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:49 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
20:49 -!- Cultist [~CultOfThe@67.186.111.33] has joined #openvpn
20:49 -!- ServerMode/#openvpn [+oo dazo_afk krzee] by sendak.freenode.net
20:49 < illusion> ok sorry for braking rules
20:50 -!- AsadH [~AsadH@ZNC.HOPPED.CO.UK] has quit [Changing host]
20:50 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
20:50 -!- lordnikkon is now known as Guest7366
20:52 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
20:53 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Changing host]
20:53 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:53 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:56 < _FBi> ?
20:57 < pekster> illusion: No worries. We're not here to punish you, but the open-source community volunteers (all of us active here) can't support commercial products. The company whose products you're using will support you with such needs
20:58 < pekster> You can find more info on the differences are the wiki article here:
20:58 < pekster> !connect
20:58 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969
20:58 < _FBi> pekster, what happened to the nice GUI?
20:59 < pekster> "nice" ? It's been the same since 2.0.9
20:59 < pekster> If you mean the non-Free GUI, it's never "been here" in the first place
20:59 < pekster> In fact the corporate product isn't even open-source code
20:59 < _FBi> no, nothing pirated
20:59 < _FBi> and I haven't paid for anything
20:59 < pekster> It's not priated; it's just not GPL (or any other copyleft)
20:59 < _FBi> oh
21:00 < pekster> It's also unsupproted here; for help with it you'd need to consult the vendor who supplies it
21:00 < _FBi> 10-4
21:00 < pekster> I'll refer you to the same wiki page I just linked ;)
21:00 < illusion> i m on openvpn open source edition, i install it with https://github.com/Nyr/openvpn-install on EC2 ubuntu server, i just need the exact iptables command to open for example port 3030 :) is this complex ?
21:00 <@vpnHelper> Title: Nyr/openvpn-install · GitHub (at github.com)
21:00 < _FBi> not looking for support -- I thought I downloaded it from openvpn site.
21:01 < _FBi> now I don't have the nice GUI with load from option files etc.
21:01 < pekster> You probably did; sadly, the GPL product shares a top-level-domain with the corporate products, and there's some rather painful naming likeness
21:02 < _FBi> open a port on IPtables?  that's easy, unless I missed something
21:03 < pekster> You did; there's the issue of return-routing a multi-homed setup at play here
21:03 < pekster> It's non-trivial, although I offered the 2 usable solutions earlier
21:05 < pekster> illusion: Let me clarify what you're trying to do: is your web server on the VPN client or the VPN server?
21:05 < pekster> Re-reading your query, I'm not actually sure
21:05 < illusion> in vpn client
21:06 < illusion> and i whant to acces it with vpn ip
21:06 < illusion> remotly
21:06 < pekster> I'm still not sure what you mean. Where does your web server exist?
21:07 < pekster> Is the client the web server? Or is your VPN server also your web server that you wish to access from a web browser on the VPN client?
21:08 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
21:08 < illusion> i have wamp on my local machine and i want to access it remotly with vpn ip address
21:08 < illusion> client is the webserver
21:08 < illusion> no webserver on client
21:08 < illusion> sorry on server
21:09 < pekster> Okay, that's far easier. Just use your VPN server's VPN address. That's usually going to be a private (RFC1918) address
21:09 < _FBi> ie: apache is running on 10.0.0.1  not your external IP?
21:09 < illusion> yes
21:09 < illusion> it is on 10.0.0.1
21:09 < pekster> But it needs to listen on your VPN address as well
21:09 < pekster> Then you use _that_ to reach it if you want the request to go over the VPN link
21:10 < illusion> okay i m gonna try now
21:10 < pekster> If you use the public IP (or however you "normally" reach your webserver without a VPN) it won't go over the VPN link
21:11 < _FBi> pekster, what if it's bridged?
21:11 < pekster> Fuck bridging
21:12 < pekster> Same problem in theory, although a secondary IP might hack the issue if you push a route for it across the VPN link, though that won't help if you're expecting a single DNS view to allow you to use the same record on and off the VPN without fancy routing tricks
21:12 < pekster> In other words, fuck bridging ;)
21:12 < _FBi> I second F- Bridging
21:12 < pekster> More helpful info on avoiding bridging at: !tunortap if anyone needed reasons why it's awful
21:13 < pekster> In marginally related news, IPv6 solves the "I only have 1 IP but I don't want my VPN server to be the same as my web server on the same host" problem -- you just add another IP out of your LAN's /64 and call it a day
21:14 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:14 < _FBi> pekster, is there any scripts already made like AS but free? lol
21:14 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:15 < pekster> There are a large variety of codebases out there, not unlike the one that was referenced earlier. I haven't used most of them becuase most of what I do are specialized solutions that require development and integration
21:16 < pekster> I'm also at home on command-line-only systems, so I'm probably the wrong person to ask for GUI solutions to routing problems :P
21:16 < _FBi> gone to watch walking dead, ttfn :D
21:16 < pekster> enjoy
21:16 < _FBi> take care pekster
21:16 < illusion> pekster, it is not working :(
21:17 < pekster> Do you have your VPN configs at a pastebin somewhere? With comments/blanks removed (we have grep syntax to do that for you if you type !configs)
21:17 < illusion> tun0 is 10.8.0.1 my external ip is X.x.x.x how to redirect all port or a single port from x.x.x.x to tun0 ?
21:18 < pekster> That's much different than what you asked a moment ago
21:19 < pekster> And that's more complicated. I told you earlier, you have 2 choices. 1) follow the directions at !redirect so that _all_ your VPN client's Internet traffic is routed across your VPN link. OR 2) set up policy routing on your client to multi-home properly
21:19 < illusion> !redirect
21:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:19 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:20 < pekster> That's what you need to do when you want arbitrary Internet clients to reach a webserver run on your VPN client (by accessing the public IP on your VPN server)
21:21 < illusion> !ipforward
21:21 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
21:21 < illusion> !linipforward
21:21 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
21:23 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:27 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:28 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
22:19 -!- ron_ [~ron@ppp121-45-32-191.lns20.adl2.internode.on.net] has quit [Ping timeout: 268 seconds]
22:22 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
22:25 -!- ron_ [~ron@ppp118-210-236-235.lns20.adl6.internode.on.net] has joined #openvpn
22:32 -!- esde [~esde@107.150.1.2] has quit [Read error: Operation timed out]
22:36 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
22:36 -!- esde [~esde@107.150.1.2] has joined #openvpn
22:38 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
22:39 < illusion> pekster, i solve the problem i find a great tool in ubuntu called rinetd ! it was very helpfull and easy
22:41 -!- lj [~l@74.120.200.95] has joined #openvpn
22:43 -!- lj1 [~l@192.241.174.169] has joined #openvpn
22:45 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 252 seconds]
23:08 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 246 seconds]
23:08 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
23:17 -!- illusion [~illusion@188.51.190.80] has quit [Quit: Leaving]
23:22 -!- justinzane [~justinzan@67.21.190.135] has quit [Ping timeout: 264 seconds]
23:51 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
23:57 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
--- Day changed Thu Mar 27 2014
00:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:12 -!- lj [~l@74.120.200.95] has joined #openvpn
00:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:14 -!- lj1 [~l@192.241.174.169] has joined #openvpn
00:16 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 252 seconds]
00:19 -!- lj [~l@74.120.200.95] has joined #openvpn
00:20 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
00:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-jeuonfnycbawoubs] has joined #openvpn
01:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
01:09 -!- funyun_ [~temp@23.19.138.91] has quit [Ping timeout: 265 seconds]
01:16 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:20 -!- Tool_Fan [~Tool_Fan@vpn-router1.dur1.host-h.net] has quit [Quit: Leaving]
01:23 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:30 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
01:37 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
01:45 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
01:50 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:01 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
02:05 -!- s7r_q [~s7r@openvpn/user/s7r] has joined #openvpn
02:05 -!- mode/#openvpn [+v s7r_q] by ChanServ
02:05 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:05 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:05 -!- mattock_afk is now known as mattock
02:08 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
02:13 -!- t0r [~textual@167.206.48.217] has quit [Ping timeout: 240 seconds]
02:16 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:25 -!- mattock is now known as mattock_afk
02:25 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
02:29 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 245 seconds]
02:34 -!- jpkroehling [~jpkroehli@2001:a60:16d0:ef00:3e97:eff:fe96:48d7] has left #openvpn ["Leaving"]
02:51 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
02:55 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 253 seconds]
02:58 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:05 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
03:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 264 seconds]
03:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:05 -!- mode/#openvpn [+o syzzer] by ChanServ
03:14 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-rabfypkwcwzpzmey] has quit [Quit: Connection closed for inactivity]
03:24 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:24 -!- AsadH [~AsadH@ZNC.HOPPED.CO.UK] has joined #openvpn
03:25 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
03:25 -!- AsadH [~AsadH@ZNC.HOPPED.CO.UK] has quit [Changing host]
03:25 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
03:26 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Remote host closed the connection]
03:28 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
03:29 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:31 -!- funyun_ [~temp@23.82.46.155] has joined #openvpn
03:32 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has joined #openvpn
03:33 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
03:33 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
03:34 < Putdeksel> Hi, there.
03:34 < Putdeksel> I'm having trouble setting up OpenVPN on a Ubuntu 12.04 oracle VB.
03:35 < Putdeksel> I'm a linux novice so i'm using a walk through. But when I get to the point is should run the source vars script I get stuck.
03:36 < Putdeksel> I'm from the Netherlands btw.
03:37 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
03:52 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 264 seconds]
03:53 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
04:00 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
04:09 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
04:29 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
04:30 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
04:40 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
04:53 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
05:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
05:12 -!- ron__ [~ron@ppp118-210-123-58.lns20.adl2.internode.on.net] has joined #openvpn
05:14 -!- dazo_afk is now known as dazo
05:15 -!- ron_ [~ron@ppp118-210-236-235.lns20.adl6.internode.on.net] has quit [Ping timeout: 245 seconds]
05:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:20 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
05:31 -!- ron__ is now known as ron_
05:33 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
05:33 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
05:36 < Putdeksel> Good morning
05:39 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
05:46 -!- Arr0way [arr0w@unaffiliated/arr0way] has joined #openvpn
05:47 < Arr0way> Guys I have an Ubuntu client that the DNS is not updating on.
05:53 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:08 < UukGoblin> ecrist, thanks.. so is there a way (on the server) to ensure that an IP belongs to a particular certificate and no-one else?
06:09 < UukGoblin> (sorry for the late response)
06:09 < UukGoblin> I mean, when a client does --no-pull?
06:15 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 268 seconds]
06:18 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:21 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
06:21 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
06:23 -!- funyun_ [~temp@23.82.46.155] has quit [Ping timeout: 264 seconds]
06:26 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:30 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
06:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
06:35 < Putdeksel> I'm having trouble setting up OpenVPN on a Ubuntu 12.04 oracle VB.
06:35 < Putdeksel> I'm a total linux novice so i'm using a walk through. But when I get to the point is should run the source vars script I get stuck.
06:36 < Putdeksel> I'm not a native English speaker btw.
06:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:37 < Latrina> do u execute source vars as root user ?
06:37 < Putdeksel> yes
06:38 < Putdeksel> I do cd /etc/openvpn/easy-rsa/
06:38 < Latrina> what's the message u get? use pastebin
06:39 < Putdeksel> k
06:41 < Putdeksel> http://pastebin.com/vC4EWxee
06:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
06:43 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
06:43 < Latrina> Putdeksel: what shell do u use?
06:44 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
06:44 < Latrina> seems like the shell is having issue to locate source
06:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:44 < Latrina> if ur using bash I assume u are on linux
06:44 < Putdeksel> ubuntu 12.04
06:45 < Latrina> run    /bin/bash source
06:45 < Putdeksel> k
06:45 < Latrina> do u get the same error not found output ?
06:45 < Putdeksel> Not such file or directory
06:46 < Latrina> just /bin/bash
06:46 < Latrina> I don't use ubuntu nor I use linux beside openwrt on my router
06:46 < Latrina> but bash should be in /bin as far as I know
06:47 < dan_j> Hi, I've already go openvpn set up for roadwarrier-to-site. Is it a big step to ADD site-to-site using a router on the client side? Can the two types operate at the same time?
06:47 < dan_j> got*
06:48 < Latrina> it's indeed there
06:48 < Latrina> anyways
06:48 < Latrina>   /bin/bash -c source vars
06:48 < Latrina> as root user
06:49 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
06:50 < Putdeksel> http://pastebin.com/ybtsMA5x
06:51 < Latrina> vars: line 0: source: filename argument required
06:51 < Latrina> source is working now
06:51 < Latrina> u need to revise ur vars file
06:52 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: Now if you will excuse me, I have a giant ball of oil to throw out my window]
06:53 -!- dan_j [~androirc@unaffiliated/danfromuk] has joined #openvpn
06:54 < ACKNAK> Am I right, openvpn uses EVP by default so if I'm using CPU with AES instructions and openssl -evp shows 1000% faster encryption than without evp.
06:54 < ACKNAK> means openvpn uses hardware acceleration
06:54 < ACKNAK> rrright?
06:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:58 < Putdeksel> my vars file looks like this http://pastebin.com/TprpmCbe
06:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:00 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:02 < Putdeksel> how come I can generate keys when I use the vars in /ect/openvpn/easy-rsa/tmp/ ?
07:02 < Putdeksel> It won't work 'normally'
07:03 < Putdeksel> !welcome
07:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:03 < Putdeksel> !howto
07:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
07:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:05 < Putdeksel> Using this guide btw http://tiny.cc/piqddx
07:05 <@vpnHelper> Title: Host Your Own Virtual Private Network (VPN) with OpenVPN (at tiny.cc)
07:07 < Putdeksel> !goal I would like to access the internet over my vpn with my android device and laptop.
07:08 < Latrina> Putdeksel: export EASY_RSA="`pwd`"
07:08 < Latrina> thats the issue
07:09 < Latrina> Im on the phone btw
07:09 < Latrina> should be
07:09 < Putdeksel> Take your time please.
07:09 < Latrina> export EASY_RSA="/path/to/easy-rsa"
07:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
07:11 -!- dan_j [~androirc@unaffiliated/danfromuk] has quit [Ping timeout: 265 seconds]
07:13 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:13 < Putdeksel> still get http://pastebin.com/vC4EWxee
07:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:18 < Putdeksel> brb grab some coffee
07:22 < Putdeksel> shouuld I be using openssl-0.9.6.cnf instead?
07:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
07:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:33 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
07:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
07:40 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
07:40 -!- dan_j [~androirc@unaffiliated/danfromuk] has joined #openvpn
07:44 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
07:48 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
07:52 < Latrina> Putdeksel:  /bin/bash -c source vars
07:55 < Putdeksel> still the sme
07:55 < Putdeksel> same
07:55 < Putdeksel> vars: line 0: source: filename argument required
07:57 < Putdeksel> could you comment on why I can use the vars script when cd /etc/openvpn/easy-rsa/tmp/ ?
07:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
07:57 -!- dan_j [~androirc@unaffiliated/danfromuk] has quit [Ping timeout: 255 seconds]
08:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
08:06 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
08:07 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
08:11 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has joined #openvpn
08:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:25 <@dazo> Putdeksel: you use it like this:  $ . ./vars    (please notice the space in between the dots)
08:28 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
08:28 < Putdeksel> I'm sorry I don't see what you mean.
08:28 < Putdeksel> I do cd /etc/openvpn/easy-rsa/
08:28 < Putdeksel> then source vars
08:31 <@dazo> try doing:  . ./vars    instead of  source vars
08:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:35 < Putdeksel> k
08:35 < Putdeksel> I get the same output
08:35 < Putdeksel> http://pastebin.com/vC4EWxee
08:36 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
08:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
08:38 <@dazo> Putdeksel: where's your vars file?
08:38 <@dazo> you have a typo in the vars file
08:39 < Putdeksel> its in /etc/openvpn/easy-rsa/
08:39 <@dazo> pastebin it, please
08:39 < Putdeksel> this is my vars file: http://pastebin.com/TprpmCbe
08:40 <@dazo> 28: export KEY_CONFIG=`$EASY_RSA/openssl-1.0.0.cnf
08:40 <@dazo> it's missing an `  at the very end
08:40 < Putdeksel> >_<
08:41 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
08:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:45 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
08:46 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 252 seconds]
08:47 < Putdeksel> ok, now I get this: http://pastebin.com/zbUYp3KG
08:47 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
08:49 -!- orkaa [~textual@89.143.12.238] has joined #openvpn
08:49 < orkaa> hey
08:50 < orkaa> i'm trying to separate a few groups of people and give them different permissions based on their ip
08:50 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
08:50 < orkaa> and I'm setting those static ips using client override
08:50 < orkaa> but is this secure? is there a way a client can set his own ip manually
08:51 < orkaa> and effectively jumps into a different group
08:53 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
08:57 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
08:58 <@dazo> Putdeksel: It sounds like you do:  ./vars .... not:   . ./vars    (notice the dots, they're important!)
08:59 <@dazo> When I have this line in your file, it works fine for me
08:59 <@dazo> export KEY_CONFIG=`$EASY_RSA/openssl-1.0.0.cnf`
08:59 <@dazo> (I copy-pasted your pastebin, added the missing ` ... and did . ./vars in a bash shell)
09:01 < Putdeksel> still not working though
09:01 <@dazo> you are using a bash shell?
09:01 <@dazo> not csh or tcsh or some other less commonly used shells on Linux?
09:02 < Putdeksel> Not familiar with that term, i'm the terminal that is in ubuntu 12.04
09:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:02 < Putdeksel> i'm a linux novice
09:02 <@dazo> in your terminal window .... do:  bash [ENTER]
09:02 <@dazo> and then try . ./vars
09:03 < Putdeksel> done that, same problem.
09:03 <@dazo> okay ... then I'm not able to get you further
09:03 <@dazo> !notopenvpn
09:03 <@vpnHelper> "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
09:03 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:03 < Putdeksel> earlier on i've tried source vars in cd /etc/openvpn/easy-rsa/tmp and that worked
09:04 < Putdeksel> I could generate keys and all
09:04 < Putdeksel> was able to.
09:04 <@dazo> then this is a classic pebkac ....
09:04 < Putdeksel> ?
09:05 < Putdeksel> ah, user problem...
09:05 < Putdeksel> but I still don't understand why it works and what I am doing wrong...
09:06 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:09 < Putdeksel> anyway, thanks for trying to help me out.
09:11 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 264 seconds]
09:12 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
09:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:13 < Putdeksel> should I generate keys using the vars script in the tmp folder?
09:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:17 < Putdeksel> or won't I be able to use those
09:20 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
09:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:23 -!- lj [~l@192.241.174.169] has joined #openvpn
09:27 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:33 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:35 -!- donileo [~adonis@c-68-46-32-245.hsd1.nj.comcast.net] has joined #openvpn
09:35 < donileo> hey guys, is it mandatory to use the easy-rsa for generating the ca?
09:36 < fremo> it is strictly forbiden to use anything else!
09:36 < fremo> or not...
09:36 < donileo> I ask because im under the impression using rsa is insecure
09:36 < fremo> what do you want to use?
09:37 < donileo> anything better if there is anything
09:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
09:38 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:39 < donileo> i guess im just wondering if there is an alternative encryption other than rsa that can be used for generating the keys
09:39 < Putdeksel> I see why you want that...
09:40 < Putdeksel> http://tinyurl.com/mhyyu3a
09:40 < donileo> exactly
09:41 < donileo> it just makes me wonder though.. even knowing this openvpn is not thinking of changing to something else? or is it unnecessary
09:41 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
09:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:46 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
09:46 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
09:47 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 265 seconds]
09:48 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
09:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:51 -!- donileo [~adonis@c-68-46-32-245.hsd1.nj.comcast.net] has left #openvpn []
09:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
10:02 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
10:02 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
10:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:08 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
10:09 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 245 seconds]
10:10 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:11 <@dazo> Putdeksel: that article is quite tabloid ... and this particular case is related to a specific random number generator
10:11 <@dazo> (of course, bad random numbers, gives bad encryption ... so that's the critical part)
10:11 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Operation timed out]
10:12 -!- esde [~esde@107.150.1.2] has joined #openvpn
10:12 <@dazo> but as long as you use proper random numbers, there is currently no known exploits on the most common and popular _encryption_ algorithms
10:13 <@dazo> (even though, there are scepticism related to AES ... however Blowfish is a good alternative, even though not as fast as AES if you have hardware support)
10:13 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:17 -!- esde [~esde@107.150.1.2] has quit [Excess Flood]
10:17 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
10:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:17 -!- Denial [Denial@2.126.201.65] has quit [Ping timeout: 264 seconds]
10:19 -!- ChrisH [~dg7pc@dslb-094-221-221-143.pools.arcor-ip.net] has joined #openvpn
10:22 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 268 seconds]
10:23 -!- p3rror [~mezgani@41.248.109.50] has joined #openvpn
10:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:25 -!- Denial [Denial@176.253.208.105] has joined #openvpn
10:26 < ChrisH> I connected from my S4 (Android 4.4.2, rooted) via Mobile network (this time, some via WLAN) to my Linux OpenVPN Server. Since sometime The log looks like this http://paste.debian.net/90031/  I am unsure about line 31. The IP mentioned is the IP I got from the network provider.
10:28 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
10:28 <@dazo> ChrisH: try adding --float in your server config
10:28 < ChrisH> Is that an issue with the OpenVPN client on Android, some Kernel issue with/without root, or can I simply ignore that line?  I tried to check/unchck the "bind to local adress" on Androids OpenVPN GUI.  Access to all internal stuff works (eg. apache logs the ecpected IP) only FritzBox Phone app does not connect to Fritzbox. So no remote Phone is possible currently. That worked a while ago.
10:29 < ChrisH> dazo: will check that.
10:29 < ChrisH> dazo: I assume in client's ccd file
10:29 <@dazo> ChrisH: nope, it's global option
10:30 <@dazo> ChrisH: it's just a hunch ... I see that it's a re-connection going on ... and if the client IP address changed, this could cause this kind of issues
10:30 <@dazo> --float will make the server disregard checking the IP address for re-connections
10:31 <@dazo> ChrisH: another issue can be that the connection is completely disconnected (outside of openvpn) by your cellphone or mobile provider
10:32 <@dazo> (--keepalive is most likely the option to check further then)
10:32 <@dazo> maybe plai got some other ideas too
10:33 -!- Demon_Jester [Demon_Jest@70.94.84.221] has joined #openvpn
10:33 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:34 < ChrisH> with --float still Mar 27 16:33:34 clio3 ovpn-server[8296]: s4-chi/109.44.3.27:34037 MULTI: bad source address from client [10.162.139.27], packet dropped
10:34 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
10:36 -!- orkaa [~textual@89.143.12.238] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:37  * ChrisH just checked who plai is.. :) I posted the same question in G+ yesteday, so maybe he saw it before ;-)
10:38 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
10:41 -!- cnnx [~cnnx@67.68.93.171] has joined #openvpn
10:41 <@dazo> ChrisH: okay, it might be something related to Android then ... mobile phones seems to be more tricky
10:41 < cnnx> can openvpn on linux be configured to route all outgoing server traffic via tor?
10:42 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
10:43 <@dazo> well, theoretically yes .... you'd need to figure out how to set up a transparent proxy (additional software) on your VPN server, and then configure this transparent proxy to pass the traffic via a the TOR socks proxy port
10:43 <@dazo> and then you need to make your VPN clients route all traffic via the VPN tunnel
10:43 <@dazo> so ... probably not impossible ... but will require some efforts to get it right
10:43 < cnnx> my goal is i have an open unix system and want users outgoign traffic to be anonymous so my ip doesnt get blacklisted if they try to hack other systems
10:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
10:44 -!- DemonJester [~Demon_Jes@70.94.84.221] has joined #openvpn
10:44 <@dazo> cnnx: sounds like you shouldn't share your system if you don't trust your users ... that's easier to tackle
10:44 -!- Demon_Jester [Demon_Jest@70.94.84.221] has quit [Ping timeout: 240 seconds]
10:45 <@dazo> (and TOR will make the traffic flow slower)
10:45 < cnnx> dont mind sharing it just wanna protect my static ip
10:45 < cnnx> from my dedicated server
10:46 <@dazo> and that's the contradiction .... if you want to protect your static IP, you must trust your users
10:46 <@dazo> if you don't trust your users, you can't share your server
10:46 < cnnx> well thats my service
10:46 < cnnx> free unix shell provider
10:47 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
10:47 <@dazo> there's always a risk to when you're giving away stuff for free ... loading the TOR network with crappy traffic, just makes you equally bad as those abusing your service
10:47 < cnnx> im still exploring different possibilities
10:48 < cnnx> i dont want to charge money taht wont get me many users
10:48 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
10:49 <@dazo> My general experience is that using free services is always making me loose in the end ... service quality is generally bad
10:49 < cnnx> i guess i can disable outgoing ssh service cause thats my main concern
10:50 <@dazo> So I've started paying for some of these services ... which has given me more predictable quality, all in all
10:51 <@dazo> I'd block port 25 as well
10:51 < cnnx> users get a free email account
10:51 < cnnx> they can send/receive emails
10:51 < cnnx> from my domain
10:51 <@dazo> oh dear ... you know you'll be abused by spammers?
10:52 < cnnx> how? they have to write the emails one at a time
10:52 < cnnx> in webmail or mutt
10:52 <@dazo> they'll script that quickly
10:52 < cnnx> well other providers are giving this feature
10:52 < cnnx> i dont see them having in troubles
10:52 < cnnx> like sdf.org
10:52 < cnnx> since 1987
10:53 <@dazo> but you don't get that for free, you'll need to pay a donation, right?
10:53 < cnnx> http://sdf.org/?join
10:53 <@vpnHelper> Title: SDF Public Access UNIX System - Free Shell Account and Shell Access (at sdf.org)
10:53 < cnnx> its free, i sent 1$ to get validated
10:53 < cnnx> but u have email before sending 1$
10:54 <@dazo> I just see on some mail systems a lot of spam coming from free e-mail services .... of course, gmail, yahoo, hotmail/outlook.com is on the top of the list ... but also others
10:55 < cnnx> anyways ill be monitoring the system closely
10:55 < cnnx> just delete the abusive accounts for sure
10:55 <@Eugene> !blame
10:55 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
10:56 <@krzee> =]
10:56 <@dazo> but once that's happened ... you'll quickly start to appear on different RBLs ... and you're getting troubles
10:56 < cnnx> rbl = black list?
10:57 <@dazo> yeah
10:57 < cnnx> yeah dont want that
10:57 <@Eugene> One thing I've learned is that if a service is not a core part of your business, pay somebody who does that as part of theirs the $5/mo to do it.
10:57 <@Eugene> Email is the #1 offender there.
10:57 <@dazo> +1
10:58 < cnnx> any other ideas then what i can provider with my server?
10:58 < cnnx> or else ill cancel it
10:58 <@Eugene> You can always serve pr0n
10:59 <@krzee> pr0n fserve
11:00 <@dazo> cnnx: don't try to provide a service "everyone else" provides ... figure out how to provide a unique service nobody else (or very few) provides ... and have some limited free accounts, and then some paywall for more advanced features ... then you're doing something good ... but(!) providing a service doesn't mean somebody won't take the chance to abuse it
11:01 <@dazo> so you really need to monitor things closely, and beware of the risk that abuses can result in blacklisting (at least for some time)
11:01 < cnnx> not many provide shell unix accounts
11:01 <@Eugene> That's because unix shell accounts are a massive liability
11:02 <@dazo> cnnx: sourceforge.net ... they did that (and still do, to some degree, but it's heavily locked down now) .... because it was free and was abused
11:02 < cnnx> sourceforge gave accounts?
11:02 <@dazo> yeah, that's for free still
11:02 < cnnx> hmmm
11:02 < cnnx> how about a site like sourceforge
11:03 <@dazo> Many ISP and domain service providers do have shell access, but you need to pay for it
11:03 < cnnx> for developers to host their open source projects
11:03 < cnnx> with forums
11:03 <@Eugene> Its called Github.
11:03 <@krzee> free shell providers came and went throughout the 90s
11:03 <@krzee> i cant remember one that did not have major issues from it
11:03 <@dazo> that *can* work, if you're able to do something better than github, gitorious, sf.net, and so on
11:04 <@dazo> you need to have an edge which makes people willing to try something brand new
11:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:04 <@dazo> otherwise, they'll use what "everyone else uses"
11:04 < cnnx> k
11:05 <@dazo> cnnx: here's a thought .... setup a diasporas pod ... and combine that with some development features (like git), with facebook/twitter/etc integration
11:05 <@dazo> https://www.joindiaspora.com/
11:05 <@vpnHelper> Title: Diaspora* (at www.joindiaspora.com)
11:06 <@dazo> https://diasporafoundation.org/
11:06 -!- master_o1_master [~master_of@p4FD7B069.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:06 <@vpnHelper> Title: The diaspora* Project (at diasporafoundation.org)
11:06 <@dazo> (that's a better starting point probably)
11:07 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
11:07 < jeev> hm
11:08 < jeev> i have a different set up, a linux router with tun0/tun1, each one goes to another vpn.
11:08 -!- master_of_master [~master_of@p4FF24849.dip0.t-ipconnect.de] has joined #openvpn
11:08 < jeev> i use ip rule to send it out the table (default gw of tun0 or tun1)
11:08 < jeev> if the table is down, vpn.. it goes out default gw of the server.
11:08 < jeev> any way to make it die if this happens?
11:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
11:15 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 265 seconds]
11:17 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
11:24 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
11:28 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:29 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
11:34 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
11:34 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
11:35 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has joined #openvpn
11:43 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:52 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
11:58 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: AF_INET -> AF_INET6]
11:58 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:02 -!- syntaxx [~patvan@unaffiliated/syntaxx] has joined #openvpn
12:03 -!- mattock_afk is now known as mattock
12:05 -!- DemonJester [~Demon_Jes@70.94.84.221] has quit [Ping timeout: 252 seconds]
12:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:27 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vggyqnzdotfzgjtp] has joined #openvpn
12:32 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
12:32 -!- s7r_q_s [~s7r@openvpn/user/s7r] has joined #openvpn
12:32 -!- mode/#openvpn [+v s7r_q_s] by ChanServ
12:33 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
12:33 -!- s7r_q [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
12:34 -!- emcepe [~mcp@wolk-project.de] has joined #openvpn
12:37 -!- s7r_q_s is now known as s7r
12:37 -!- mcp [~mcp@178.63.188.211] has quit [Ping timeout: 245 seconds]
12:37 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 245 seconds]
12:37 -!- emcepe is now known as mcp
12:37 -!- p3rror [~mezgani@41.248.109.50] has quit [Ping timeout: 240 seconds]
12:39 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:39 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
12:44 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
12:49 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
12:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
12:59 -!- syntaxx [~patvan@unaffiliated/syntaxx] has quit [Quit: Leaving]
12:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:01 -!- p3rror [~mezgani@105.157.103.166] has joined #openvpn
13:03 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
13:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:09 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
13:12 -!- mattock is now known as mattock_afk
13:14 -!- liriel [~liriel@198.154.114.106] has quit [Remote host closed the connection]
13:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:16 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
13:16 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
13:16 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
13:16 -!- p3rror [~mezgani@105.157.103.166] has quit [Ping timeout: 265 seconds]
13:19 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
13:19 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
13:20 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:25 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
13:25 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
13:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:31 < dan_j> Can a single openvpn server be used to support roadwarrior to site, and also site to site vpn connections?
13:31 < dan_j> at the same time
13:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
13:37 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 265 seconds]
13:38 -!- p3rror [~mezgani@105.157.97.176] has joined #openvpn
13:38 <@Eugene> You can do anything at zombocom
13:39 <@Eugene> (yes, its all just routing and ccd entries)
13:39 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:40 <@dazo> dan_j: Yes ... just configure your openvpn with PKI and use --server
13:41 < dan_j> Am I correct in saying that if you have x number of remote sites, each remote site must have a unique subnet? In my situation, i dont have any control over the remote sites, so can't guarantee uniqueness.
13:42 < dan_j> In short, I offer openvpn support to sip endpoints (which support openvpn). However, a client has endpoints that don't support openvpn, so they want to set it up on their router to cover the entire site.
13:43 < dan_j> If I offer the service, then will i run into problems if another client comes along with the same internal subnet?
13:46 -!- ChrisH [~dg7pc@dslb-094-221-221-143.pools.arcor-ip.net] has quit [Ping timeout: 264 seconds]
13:46 -!- ChrisH [~dg7pc@dslb-188-109-007-012.pools.arcor-ip.net] has joined #openvpn
13:47 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:48 < andi> Hi
13:49 <@dazo> dan_j: no ... if you use --server (which is just a configuration macro, see man page for info), then you will have 1 subnet for all VPN clients, which you then route the traffic over
13:50 <@dazo> dan_j: You can use --client-nat to avoid subnet conflicts
13:50 < andi> I'm trying to figure out what's needed to use a non public domain like intern.example.org for a vpn. The DNS server needs to resolve all other dns queries aswell. Is there a way to be able to be connected to multiple of such vpns with private domains?
13:50 < dan_j> Ok. Thanks. I'll check out the man pages for those.
13:51 <@dazo> andi: sounds like you need to look into split DNS
13:51 <@dazo> !splitdns
13:51 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
13:52 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
13:54 < andi> dazo: That's not all. I'm thinking about two of these setups in parallel.
13:54 < andi> Is there a way to tell the client which nameserver to ask for which internal domain?
13:54 <@dazo> andi: that's what splitdns is all about ... you configure that on the client, and tell the client to use the local dnsmasq instance
13:55 < andi> i.e. intern.example.com and intern.example.org which are in two different vpn setups.
13:55 < andi> Ah
13:55 <@dazo> dnsmasq will then query the proper back-end DNS
13:55 <@dazo> (you can also do the same with bind ... but it's more work to set up)
13:56 < andi> Yes sure. Thanks, that's not exactly what I was searching for but this gives different possibilities to solve the problem. I'll think about it, thanks.
13:57 <@dazo> there's no other possibilities to use multiple DNS servers, depending on the domain you query for
13:58 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:59 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Ping timeout: 240 seconds]
14:00 < andi> Yes, I did not know, yet, that it's a good idea to setup a local dns server which redirects the queries to the correct dns server.
14:01 -!- p3rror [~mezgani@105.157.97.176] has quit [Quit: Leaving]
14:01 < andi> The question which I need to answer is now if I will set this up on the client or if I connect the router to the vpn and set dnsmasq up there.
14:03 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 268 seconds]
14:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:14 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
14:19 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:24 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:34 -!- CygniX [~CygniX@unaffiliated/twois10] has left #openvpn ["Konversation terminated!"]
14:38 < Putdeksel> !goal
14:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:38 < Putdeksel> dont get it
14:40 < Putdeksel> !goal "Set up VPN to use with my android and laptop. Want to use VNC later on"
14:40 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:45 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
14:45 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
14:46 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
14:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:54 -!- FreshDumbledore [~Aziraphae@unaffiliated/freshdumbledore] has joined #openvpn
14:55 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
14:55 < FreshDumbledore> hi. is would like to read some more information about using smartcards to authenticate. i did read about it in the openvpn wiki but i still dont really understand it all :) any links?
15:00 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:01 -!- joshh20-Away is now known as joshh20
15:05 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
15:07 <@dazo> FreshDumbledore: get a copy of !book
15:07 <@dazo> !book
15:07 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
15:07 <@dazo> iirc, JJK covers that in that book
15:08 < FreshDumbledore> meh. basicly i want to check if we really need to invest money in a access server solution or if we can just create this keys on a linux machine and copy them over to such a smartcard l:
15:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:15 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
15:16 < Putdeksel> I can't get my vars script to work...
15:17 < Putdeksel> when I cd /etc/openvpn/easy-rsa/ and then source vars or . ./vars  I get this: http://pastebin.com/zbUYp3KG
15:18 <@dazo> Putdeksel: ditch easy-rsa and use xca or tinyca or whatever else CA utility you're able to understand
15:18 < Putdeksel> ok...
15:18 <@dazo> "command not found" indicates your shell is doing something weird
15:18 <@dazo> it's not an openvpn issue
15:18 <@dazo> its your box
15:18 <@dazo> which is what I told you last time too
15:19 < Putdeksel> yes so where am I supposed to go to for support then?
15:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:19 <@dazo> you used ubuntu?  go to their support channels ... there's tons of other easy-rsa users who don't have such an issue at all
15:20 < Putdeksel> ok got it. won't bother you anymore. Tnx for the help.
15:21 <@dazo> hahaha
15:21 <@dazo>  Putdeksel!*@* added to ignore list.
15:21 <@dazo> I wonder how that happened
15:22  * dazo must have pushed an unknown button by mistake
15:22 -!- liriel [~liriel@aphrodite.feralhosting.com] has joined #openvpn
15:23 < Putdeksel> so friendly
15:23 < FreshDumbledore> hmm. well. what i dont understand in the openvpn wiki-smartcard section is the part about generating this keys. can they be generated with stuff like puttygen? are it usual rsa keys? or something special? :l
15:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 264 seconds]
15:27 <@dazo> Putdeksel: I'm sorry, didn't want to offend you .... it was just a funny coincidence, as I got that message right after your last message
15:27 <@dazo> I first thought it was you who put me on an ignore list :)
15:28 <@dazo> I still try to figure out how I managed that ... because I don't understand why it happened
15:28 < Putdeksel> Haha, maybe in the #mIRC support channel? :P
15:28 <@dazo> FreshDumbledore: no, ssh keys cannot be used
15:28 <@dazo> Putdeksel: it would be #hexchat or #xchat in my case ;-)
15:28 < FreshDumbledore> dazo: so something special is needed. and that has to be bought? to explain it all noob-friendly :D
15:29 < Putdeksel> hehe, anyway, tnx and cya
15:29 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has left #openvpn []
15:29 -!- UukGoblin [~jaa@unaffiliated/uukgoblin] has quit [Read error: Connection reset by peer]
15:29 <@dazo> FreshDumbledore: OpenVPN uses standard X.509 certificates (which is also used by web browsers, and most SSL based client/server setups)
15:30 <@dazo> FreshDumbledore: SSH uses it's own special key format, and doesn't necessarily have signed certificates
15:30 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:30 < FreshDumbledore> dazo: i understood the wiki like i could create a list of authorized certificates on the server and only clients with one of them on their smartcard could connect then. am i mistaken?
15:31 <@dazo> okay, do you know the basic PKI principles?  How PKI works?
15:32 < FreshDumbledore> no. sadly not. i just read about self-signed-x509 key creation right now.
15:32 <@dazo> FreshDumbledore: okay ... I'll give a quick'n'dirty PKI crash course
15:32 < FreshDumbledore> thanks!
15:33 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:33 <@dazo> If Alice wants to connect to Bob's server ... Bob want's to validate that Alice is whom she claims to be, and Alice wants to validate that Bob is whom he claim to be
15:33 <@dazo> So each of them have been issued a certificate
15:33 < FreshDumbledore> okay so far :)
15:34 <@dazo> Alice's certificate contains her public key, and a signature.  The signature is produced by a CA, who issued the certificate
15:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:34 <@dazo> And the same is true for Bob's certificate
15:34 <@dazo> So when Alice contacts Bob's server ... there is an exchange of certificates (Alice->Bob and Bob->Alice)
15:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
15:35 <@dazo> then they look up who issued the certificate (CA) and then controls that the signature matches what they'd expect, based on their local copy of a CA certificate (which often can be self-signed, in OpenVPN's case)
15:35 <@dazo> If that matches ... and Alice and Bob trusts that CA ... then Alice is Alice and Bob is Bob
15:36 <@dazo> Now, if Charlie comes along, and have a certificate issued by the same CA ... Charlie can also community with full trust with both Alice and Bob, because the signature will match everyone's copy of the CA certificate
15:37 <@dazo> So ... The difference between these certificates and a smartcard ... is that the certificate is stored inside a physical smartcard, protected with a pin code
15:38 <@dazo> (in addition, and that's what's really protected with the pin ... is the private key)
15:38 <@dazo> With PKI it is so that you can encrypt data with a public key (which is provided inside the certificate) and decrypt it with the private key
15:38 < FreshDumbledore> hmm. could you also explain the difference to ssh keypairs?
15:39 <@dazo> In the most basic SSH setups ... there are no signatures involved.  You just connect and you need to manually check that the fingerprint of the server matches (to ensure the authenticity of the server)
15:40 < FreshDumbledore> is it possible to restrict openvpn to certain ip adresses?
15:40 <@dazo> or actually, that's inaccurate .... there is no signatures involved by a trusted third party (a CA)
15:40 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:40 <@dazo> the server gets some data from the client which is signed by the clients private key ... the server validates that information by verifying the signature against the public key of the user
15:41 -!- UukGoblin [~jaa@yatima.uukgoblin.net] has joined #openvpn
15:41 <@dazo> FreshDumbledore: that's an entirely different question ... and yes, it is, but you usually do that in the firewall, not in OpenVPN itself .... however, you can add such restrictions using a --client-connect script on the server side
15:43 < FreshDumbledore> dazo: so would it be viable to use selfsigned PKI validation?
15:43 <@dazo> FreshDumbledore: that's impossible with openvpn
15:43 <@dazo> because you need a CA certificate, to be able to fully authenticate the client and server
15:43 <@dazo> (that's the --ca option)
15:44 < FreshDumbledore> dazo: is this the same certificate people have for stuff like outlook web access? x)
15:44 <@dazo> nope
15:44 < FreshDumbledore> because this one is bought and validated as well .. xD ok random guess
15:44 <@dazo> For OpenVPN to function with certificates, it's recommended to set up your own CA
15:45 <@dazo> (use f.ex. easy-rsa, xca, tinyca, and so on)
15:45 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
15:45 <@dazo> this CA can be on an offline medium when you don't need to create new client or server certificates
15:45 < FreshDumbledore> ok. so we could run our own CA server, issue our own 'signed' certificates and provide them to a few users to connect with them?
15:46 <@dazo> that's right
15:46 < FreshDumbledore> i dont see the need for an access server yet
15:46 < FreshDumbledore> an.. openvpn access server.. the you-have-to-pay-one
15:46 <@dazo> Access Server is just openvpn with a admin interface wrapped around it, to it quicker to get started
15:46 <@dazo> and also to integrate with more authentication methods and so on
15:47 <@dazo> (I don't know all details, as I've never tried it out)
15:47 < FreshDumbledore> http://openvpn.net/index.php/access-server/pricing.html this stuff :l
15:47 <@vpnHelper> Title: Pricing (at openvpn.net)
15:47 <@dazo> yeah, I understand what you point at
15:48 < FreshDumbledore> so its no necessisi.. not necessary
15:48 < FreshDumbledore> but would make administration easier :)
15:48 <@dazo> If you want the AS product purely depend on if you like the admin interface and/or want to integrate it more easily in an already established environment
15:49 <@dazo> (Like LDAP or AD username/password authentication and so on)
15:50 < FreshDumbledore> we already have a running openvpn solution. we would just like to add token based authentification for more security. we got someone to advice us on this stuff and his first shot were expensives of a few thousand euro. i dont see where this expenses would come from.
15:51 < FreshDumbledore> even if we use that administration / access server, we wont need that many client connection licenses. a few hundred euro probably.
15:51 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
15:52 <@dazo> FreshDumbledore: A cheaper alternative might be to implement something which uses yubikey
15:52 <@dazo> (USB based devices, with open source code to implement it in different environments)
15:53 < FreshDumbledore> dazo: im on their website. so it would send the openvpn password?
15:53 <@dazo> my employer uses LinOTP for the openvpn authentication  (but it's a big enterprise, and I believe RADIUS is involved as well here)
15:53 <@dazo> FreshDumbledore: kind of ... depends on the authentication model you aim for
15:54 <@dazo> the "simplest" one is that you have a normal username + a pin/passphrase the user knows ... and then a token code the yubikey produces
15:54 < FreshDumbledore> dazo: could work. we could set up a pretty long password for each user, he doesnt even need to know it himself then and he has to plug in this key and it sends the pw.. x)
15:54 < FreshDumbledore> or your way. even better :D
15:55 <@dazo> the most advanced method, the yubikey will provide the "username" as a long string, which includes a token code + a normal password in the pasword field
15:56 < FreshDumbledore> dazo: would require manual user management instead of ldap / windows logins, right?
15:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
15:56 <@dazo> it can be integrated with LDAP too, iirc
15:56 < FreshDumbledore> so a tiny bit more of administration.. but not much impact for us
15:56 <@dazo> yeah
15:57 < FreshDumbledore> the yubikey itself is the only expense?
15:57 <@dazo> yeah
15:57 <@dazo> and it's fairly affordable too ... but it requires a USB port
15:57 < FreshDumbledore> would have to check about the differences, they start at 25$ and go up to 500
15:57 < FreshDumbledore> xD
15:57 <@dazo> (openvpn doesn't support the NFC variant)
15:58 <@dazo> yubikey standard or nano is what you most likely want
15:58 < FreshDumbledore> usb is fine. usb port locking is another topic i have to worry about but the users that are allowed to use openvpn should not be affected
15:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 255 seconds]
15:59 <@dazo> neo got a NFC support too ... but that's really new, so getting support for it in openvpn will most likely be a long road to walk
15:59 <@dazo> the HSM is not what you really need
15:59 < ngharo> wonder how difficult hooking NFC into the openvpn app is
15:59 <@dazo> (that's a server module, to keep encryption keys well protected)
15:59 < ngharo> seems like all the hard would be abstracted away in the android NFC APIs
15:59 <@dazo> ngharo: you'd need to ask plai about that
16:00 < FreshDumbledore> ok thanks for the support. that helped :)
16:00 < ngharo> it's a fantastic idea -- been using a neo for lastpass on android for a couple months now
16:00 <@dazo> cool
16:00 <@dazo> FreshDumbledore: you're welcome
16:00 < FreshDumbledore> bye
16:00 -!- FreshDumbledore [~Aziraphae@unaffiliated/freshdumbledore] has left #openvpn ["@NSA: terrorist, bomb, government, djihad"]
16:01 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:03 -!- dazo is now known as dazo_afk
16:06 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
16:13 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:16 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:17 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
16:20 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
16:28 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
16:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:37 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
16:40 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
16:41 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:42 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
16:44 -!- Mathias is now known as GaleMathias
16:46 -!- C-S-B [~C-S-B@host217-42-190-155.range217-42.btcentralplus.com] has quit [Read error: Connection reset by peer]
16:49 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
16:55 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:55 -!- fletsche [~Adium@p549B6B3E.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
17:06 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:26 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
17:57 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
18:03 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:13 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
18:16 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
18:20 -!- Demon_Jester [~Demon_Jes@70.94.84.221] has joined #openvpn
18:28 -!- donileo [~adonis@c-68-46-32-245.hsd1.nj.comcast.net] has joined #openvpn
18:28 < donileo> guys whats the best practical tun-mtu setting to use
18:28 < donileo> i currently have tun-mtu 48000 and mssfix 0
18:28 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 246 seconds]
18:28 < donileo> but i will be using iOS to connect to the VPN
18:29 -!- spindritf [~spindritf@brandy.soyellow.net] has joined #openvpn
18:30 < spindritf> hey, what is the equivalent of redirect-gateway for ipv6? I can set up a tunnel, get an ipv6 address from the server and would like to redirect all ipv6 traffic through it but the default route remains through my local router
18:31 < spindritf> or will I need a script for that?
18:32 < spindritf> !welcome
18:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:32 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:36 -!- donileo [~adonis@c-68-46-32-245.hsd1.nj.comcast.net] has left #openvpn []
18:42 < pekster> spindritf, push a route for 2000::/3 which is all globally routable IP space
18:42 < pekster> See also:
18:42 < pekster> !redirect
18:42 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:42 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:42 < pekster> #3 above
18:44 < spindritf> thanks
18:44 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
18:48 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
18:49 -!- Demon_Jester [~Demon_Jes@70.94.84.221] has left #openvpn []
18:51 -!- megaTherion [~therion@unix.io] has quit [Ping timeout: 252 seconds]
18:52 -!- megaTherion_ [~therion@unix.io] has joined #openvpn
18:56 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
18:58 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 252 seconds]
18:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:59 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
19:01 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Ping timeout: 252 seconds]
19:02 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
19:03 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
19:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:22 -!- mikemol [~mikemol@2001:470:c5b9:beef:6de1:21e7:f7f9:b20c] has joined #openvpn
19:30 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 264 seconds]
19:56 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
19:59 -!- joshh20 is now known as joshh20-Away
20:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-jeuonfnycbawoubs] has quit [Quit: Connection closed for inactivity]
20:23 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
20:24 -!- lj [~l@74.120.200.95] has joined #openvpn
20:25 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
20:26 -!- lj1 [~l@192.241.174.169] has joined #openvpn
20:29 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 255 seconds]
20:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-vggyqnzdotfzgjtp] has quit [Quit: Connection closed for inactivity]
20:35 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Read error: Connection reset by peer]
20:58 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
20:59 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
20:59 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
20:59 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
20:59 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:03 -!- BlackWabi [~wabi@c83-191-78-163.cust.tele2.se] has joined #openvpn
21:03 < BlackWabi> !welcome
21:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:05 < BlackWabi> !howto
21:05 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
21:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:14 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:16 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:16 -!- justinzane [~justinzan@12.172.184.180] has quit [Ping timeout: 255 seconds]
21:17 -!- cnnx [~cnnx@67.68.93.171] has quit [Quit: Lost terminal]
21:20 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:22 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
21:26 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
21:28 -!- BlackWabi [~wabi@c83-191-78-163.cust.tele2.se] has quit [Ping timeout: 245 seconds]
21:31 -!- BlackWabi [~wabi@c83-191-78-163.cust.tele2.se] has joined #openvpn
21:35 -!- BlackWabi [~wabi@c83-191-78-163.cust.tele2.se] has quit [Ping timeout: 245 seconds]
21:37 -!- BlackWabi [~wabi@185.3.135.26] has joined #openvpn
21:43 -!- BlackWabi [~wabi@185.3.135.26] has quit [Ping timeout: 245 seconds]
21:43 -!- Denial- [Denial@90.222.17.193] has joined #openvpn
21:44 -!- BlackWabi [~wabi@185.3.135.18] has joined #openvpn
21:45 -!- Denial [Denial@176.253.208.105] has quit [Ping timeout: 255 seconds]
21:45 -!- Denial- is now known as Denial
21:48 -!- BlackWabi [~wabi@185.3.135.18] has quit [Ping timeout: 245 seconds]
21:50 -!- BlackWabi [~wabi@c83-191-78-163.cust.tele2.se] has joined #openvpn
21:54 -!- mikemol [~mikemol@2001:470:c5b9:beef:6de1:21e7:f7f9:b20c] has quit [Remote host closed the connection]
21:55 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 255 seconds]
21:58 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:00 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
22:01 -!- BlackWab1 [~wabi@c83-191-78-163.cust.tele2.se] has joined #openvpn
22:01 -!- BlackWabi [~wabi@c83-191-78-163.cust.tele2.se] has quit [Ping timeout: 245 seconds]
22:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
22:20 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
22:22 -!- BlackWab1 [~wabi@c83-191-78-163.cust.tele2.se] has quit [Ping timeout: 245 seconds]
22:24 -!- BlackWabi [~wabi@185.3.135.26] has joined #openvpn
22:26 -!- hobosteaux [~hobosteau@c-24-19-150-110.hsd1.wa.comcast.net] has joined #openvpn
22:28 -!- BlackWabi [~wabi@185.3.135.26] has quit [Ping timeout: 245 seconds]
22:32 < hobosteaux> How come the freenode webchat is banned here?
22:35 -!- BlackWabi [~wabi@5.153.234.74] has joined #openvpn
22:35 <@Eugene> Spam.
22:35 < hobosteaux> fair enough Eugene
22:36 <@Eugene> And idiocy ;-)
22:36 < hobosteaux> heh its still useful in the field
22:36 <@Eugene> If you can't figure out a real IRC client you probably aren't technically inclined enough to sort out openvpn
22:36 <@Eugene> I guess, but the pros outweight the cons
22:36 < hobosteaux> ture
22:36 < hobosteaux> true*
22:42 < chrisb> this is a nice improvement: f8c4e88 Disable unsupported TLS cipher modes by default, cleans --show-tls output
23:10 -!- BlackWabi [~wabi@5.153.234.74] has quit [Quit: leaving]
23:12 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
23:12 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
23:12 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
23:19 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
--- Day changed Fri Mar 28 2014
00:30 -!- u0m3 [~u0m3@92.80.117.153] has quit [Read error: Connection reset by peer]
00:30 -!- u0m3 [~u0m3@92.80.117.153] has joined #openvpn
00:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
00:33 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
00:57 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
01:08 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:18 <@krzee> webchat didnt start out as banned
01:19 <@krzee> but it was a somewhat steady flow of people that should not be doing anything related to networking
01:20 <@krzee> it is so much nicer with them banned lol
01:28 < jeev> krz?
01:29 <@krzee> jeev?
01:31 < jeev> how are you
01:33 <@krzee> i am well, and you?
01:38 < jeev> tired..
01:38 < jeev> krzee, not sure if you've seen what i've been asking recently, i haven't had time to try it.
01:38 < jeev> i've got a linux router with tun0/tun1 going to two different openvpn'
01:38 <@krzee> havnt seen, but if you already got advice you should try it
01:39 < jeev> i'm using ip route tables setting a default gw of the tun0/tun1 ip for each one.. so then i have a rule with ip rule to match a source IP and send out a specific table..
01:39 < jeev> so ip 192.168.1.5/32 will go table 900 which is LA vpn
01:39 < jeev> but the thing is.. if openvpn is down for example, like tun0 is not there, the table will be empty and it'll default the default gw of the machine.
01:40 < jeev> do you have any idea on how i could make it die?
01:40 < jeev> i was thinking.. maybe squid on the remote servers and use prerouting.. at least that'll be fail safe?
01:40 <@krzee> firewall
01:40 <@krzee> only allow the traffic out when its going out the way you want it to go out
01:41 < jeev> i thought about maybe an iptables to prevent 192.168.1.5/32 from heading out eth0 (isp) for example but couldn't achieve it during my short test
01:42 < jeev> i think it would have to be done with nat prerouting though
01:43 <@krzee> outbound chain
01:44 < jeev> tried it. didn't even get a match
01:44 <@krzee> oh well you'll figure it out, tcpdump will be your friend
01:45 < jeev> well i had like 5 min to try since my battery had died.. i could try it now i guess
01:45 <@krzee> trying makes more sense than talking to krzee ;]
01:45 < jeev> well, it's always good to ask someone for some sort of opinion
01:46 < jeev> i think i might need to tag and mangle
01:46 < jeev> mark packets
01:52 <@krzee> !netfilter
01:52 <@vpnHelper> "netfilter" is Under Linux, use `iptables-save` to show firewall rulesets (add -c to include counters.) Do not use iptables -L as it is incomplete & often lies. #netfilter is more on-topic for detailed help.
02:00 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 265 seconds]
02:01 -!- mattock_afk is now known as mattock
02:06 < jeev> krzee, actually adding it to FORWARD chain stopped it.
02:07 < jeev> iptables -I FORWARD -o eth1 -s 192.168.1.5/32 -j DROP (eth1) is wan
02:07 < jeev> i flushed table 900.. and boom, saw forward stopping packets.
02:11 -!- Devastatr [~devas@177.18.196.200] has joined #openvpn
02:13 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 264 seconds]
02:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
02:17 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 255 seconds]
02:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:48 -!- LumberCartel [~LumberCar@96.53.47.42] has joined #openvpn
02:48 -!- LumberCartel [~LumberCar@96.53.47.42] has left #openvpn []
02:57 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
03:00 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:05 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ejdomghzixuotxvq] has joined #openvpn
03:14 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
03:26 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
03:26 -!- spindritf [~spindritf@brandy.soyellow.net] has left #openvpn []
03:50 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
04:07 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
04:11 -!- u0m3_ [~u0m3@92.80.117.153] has joined #openvpn
04:12 -!- u0m3 [~u0m3@92.80.117.153] has quit [Ping timeout: 268 seconds]
04:15 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
04:16 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:29 -!- Jack64 [~jacktakah@188.122.93.34] has joined #openvpn
04:30 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has joined #openvpn
04:31 < Jack64> Hi. I got a question if you guys can answer. I got an openvpn server running and I added an iptables rulo to forward traffic from the ovpn subnet to my internal LAN, however, this only works when I'm on 3G/4G connection, otherwise I can't access other computers in the LAN. Why is that?
04:43 <@plai> are you trying to connect the vpn server from the same lan?
04:45 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has joined #openvpn
04:47 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
04:50 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
05:13 -!- dazo_afk is now known as dazo
05:15 -!- dupondje [~dupondje@artemis.dupie.be] has joined #openvpn
05:16 < dupondje> Hi. I'm trying to setup a IPv4 & IPv6 VPN Tunnel (to use as default gateway). Now with IPv4 enabled it works fine, but if I enable IPv6, nothing works anymore. I can't even resolve
05:16 < dupondje> I can ping my IPv6 server IP, but nothing else
05:21 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 264 seconds]
05:26 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
05:32 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:33 -!- klein_ [~klein@187.85.183.105] has joined #openvpn
05:33 -!- klein_ [~klein@187.85.183.105] has quit [Changing host]
05:33 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
05:34 < dupondje> So any idea's ? :)
05:41 -!- imdea [~joel@193.145.14.94] has joined #openvpn
05:42 < imdea> Hi.. I have installed openvpn into my windows machine, but was wondering how do I do if I have two openvpn profiles (for two sites) to connect to them simultaniously?
05:42 < GaleMathias> just add another TAP-device
05:43 -!- GaleMathias is now known as Mathias
05:43 < imdea> GaleMathias: and that's it? that would allow me to connect to them at the same time without any problem?
05:43 < Mathias> yup
05:44 < imdea> Ok, thanks.
05:48 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
05:56 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
06:10 -!- mikemol [~mikemol@2001:470:c5b9:beef:40f7:8ef5:57cc:2c54] has joined #openvpn
06:11 < pekster> dupondje, see the info on routing IPv6 here:
06:11 < pekster> !ipv6
06:11 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
06:16 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
06:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:39 <@plai> syzzer: you said something about CFB and OFB broken
06:39 <@plai> i have bug report about a crash in AES-256-CFB1.
06:52 <@plai> it crashes in
06:52 <@plai> crytpto.c:177
07:09 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:09 -!- klein_ [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:09 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
07:10 -!- mikemol [~mikemol@2001:470:c5b9:beef:40f7:8ef5:57cc:2c54] has quit [Remote host closed the connection]
07:15 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 265 seconds]
07:15 -!- indy_ [~indy@fantomas.bestit.cz] has joined #openvpn
07:15 -!- imdea [~joel@193.145.14.94] has quit [Ping timeout: 265 seconds]
07:16 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
07:17 -!- Devastatr [~devas@177.18.196.200] has quit [Changing host]
07:17 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
07:17 -!- chocolate [~AndChat18@179.155.69.131] has joined #openvpn
07:17 -!- Devastatr is now known as Devastator
07:19 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
07:22 -!- imdea [~joel@193.145.14.94] has joined #openvpn
07:24 -!- indy_ is now known as indy
07:24 < chocolate> I've followed an standard howto configure openvpn, and did create all keys and working fine to connect, but in the way I block the access to smb share from address outside tunnel my client just don't see smb content anymore, and I think so, data is not passing through the tunnel... I'm not experienced with openvpn and would enjoy any comments or advice about it to fix my issue
07:25 < chocolate> Blocking I mean iptables
07:26 <@dazo> !wins
07:26 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
07:26 <@dazo> chocolate: you need to set up WINS to be able to do the browsing
07:27 < chocolate> Thank you very much for reply
07:27 < cpm> hrmmm. I've always avoided using WINS, relying instead on static paths.
07:28 < chocolate> I must read about it
07:28 <@dazo> cpm: My (little!) experience with SMB/CIFS over routed VPN, is that having a DNS and WINS pushed to clients makes it work quite well
07:29 < cpm> dazo, I've no doubt.
07:29 < chocolate> And in the way about data passing through the tunnel?
07:29 < chocolate> Is it already doing?
07:30 < chocolate> Cz seems not
07:30 < chocolate> Seems just to be a connection
07:30 <@dazo> chocolate: you need to have routing set up
07:31 <@dazo> chocolate: have a look at this for more input on that: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
07:31 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
07:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:31 < chocolate> Wow thanks again
07:32 < chocolate> That's all I need
07:37 -!- spindritf [~spindritf@brandy.soyellow.net] has joined #openvpn
07:38 < spindritf> hey, I want to run a client-connect script that depends on the IPv6 of the client, is there an environmental variable for that? there is one for ipv4 (ifconfig_pool_remote_ip) and it works fine
07:39 <@dazo> spindritf: it's a while since I tried it with ipv6 ... but I believe it should be an environment variable keeping the ipv6 info too ... have you tried to dump 'printenv' to a file in your client-connect script?
07:39 < spindritf> no, I haven't
07:40 <@dazo> it might also be you need to look at --learn-address ... that may give more detailed info about the clients
07:43 < spindritf> ifconfig_ipv6_remote looks like clients ip6
07:43 < spindritf> thanks
07:49 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
07:53 -!- Cibel [~Sbratzber@187.110.4.118] has joined #openvpn
07:53 -!- As001 [~uros@82.117.198.142] has joined #openvpn
07:54 -!- Cibel [~Sbratzber@187.110.4.118] has quit [Client Quit]
07:56 < As001> Hello I have problems with openvpn and asterisk configuration. I successfully installed openvpn on server and told asterisk to listen on private ip 10.8.0.1 (openvpn private ip).  I can connect from openvpn client and make test calls, but when I try to call over voip provider it does not work as I am sending 10.8.0.1 as address and never get answer. If I put externip=publicip in asterisk i send to provider public ip and it sends me reply but it never reach 10.
07:56 <@krzee> maybe you need NAT and stun?
07:57 <@krzee> really you do not have an openvpn problem
07:57 <@krzee> your vpn works fine, you'll get better help in #asterisk im sure
07:57 < As001> can I tell with DNAT everything which come to public ip to go to 10.8.0.1 will it work ?
07:57 <@krzee> dunno
07:57 <@krzee> theres a good reason im not in #asterisk helping people ;]
07:58 < As001> I guess it won't because provider has no key certs etc...
08:00 < As001> ok I will try there sure, but I would really like to know would DNAT be of any help. Is it possible to redirect traffic which is going on public ip to 10.8.0.1 if source ip has notting incomon with openvpn no certs keys etc ?
08:04 <@krzee> your problem is very much not openvpn
08:05 < spindritf> yeah, just general networking
08:05 < spindritf> and if you're doing this to encrypt connections to asterisk, it supports tls nowadays
08:05 <@krzee> i dont blame wanting to do more than just their tls
08:06 <@krzee> i definitely agree with darknet voip, i even run a darknet voip company
08:06 < spindritf> really?
08:06 < spindritf> a darknet voip company?
08:06 <@krzee> but that problem is very much unrelated to openvpn
08:06 <@krzee> yep, secure phones
08:06 < spindritf> could you post a link?
08:06 <@krzee> www.libertyprivate.net
08:06 < spindritf> thanks
08:06 <@krzee> we dont have the info up about our mobiles yet
08:07 <@krzee> but we do have them, no baseband, wifi only.
08:07 <@krzee> we do NOT interconnect to the real phone company, darknet only.
08:07 < spindritf> what's the benefit of using openvpn over tls?
08:08 < spindritf> I mean, instead of tls or in addition to
08:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 255 seconds]
08:08 <@krzee> more configurable, able to use stronger crypto
08:08 <@krzee> does tls even have forward encryption?
08:09 < spindritf> I think so, in general, don't know about this particular application
08:10 <@krzee> also theres no ports open on the machine to the internet, only openvpn port
08:10 < spindritf> that is always nice
08:10 <@krzee> which requires static-key hmac signed packets to communicate with
08:10 <@krzee> !hmac
08:10 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
08:10 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
08:10 < spindritf> on the downside, you need to run an openvpn client
08:11 <@krzee> well i control the phones
08:11 <@krzee> so theres 1 mobile model and 1 desk model
08:11 <@krzee> and configuring openvpn is part of the provisioning process
08:11 < spindritf> it makes byod-ers unhappy though
08:12 <@krzee> well
08:12 <@krzee> for my instance its important they dont BYOD
08:12 <@krzee> cause YOD has backdoors
08:13 <@krzee> you know, for "theft assistance"
08:13 <@krzee> stuff like that
08:14 <@krzee> i cant very well call it a secure phone when samsung still has access to it
08:15 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
08:24 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:33 -!- nomefalso [~nomefalso@151.13.210.219] has joined #openvpn
08:34 < nomefalso> Hi, I'm a completely newbie. a few months ago a was (by miracle) able to setup a openvpn using a tun interface. Now I'd like it to support multicast (upnp servers exposed on the vpn) can anyone tell me how can I do that? Thanks
08:35 < nomefalso> even a link to a tutorial is fine
08:36 <@krzee> i believe you'll need to change to dev tap and multicast will be able to work
08:37 < nomefalso> oh... I read that... what do I lose passing from tun to tap? ...and is that easy... I just need to change proto or other changes are needed?
08:40 -!- spindritf [~spindritf@brandy.soyellow.net] has left #openvpn []
08:41 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
08:42 < nomefalso> dev...I meant change dev
08:43 -!- As001 [~uros@82.117.198.142] has left #openvpn []
08:44 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
08:52 <@dazo> nomefalso: just --dev
08:53 < nomefalso> nice...what about the client-dir setups...are they still needed?
08:53 < nomefalso> i have static ips for all the certified clients
08:53 <@dazo> to switch from tun to tap ... ONLY --dev is needed to change
08:53 < nomefalso> :D ..ojk...thanks a lto
08:54 < nomefalso> lot
09:07 -!- lj [~l@74.120.200.95] has joined #openvpn
09:18 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
09:43 <@krzee> !krzee
09:43 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana
09:44 < nomefalso> sorry... do I still need to push client's lan with tun... switching from tun to tap works but I can only ping lan ips now...
09:45 < nomefalso> sorry... I meant do I still need to push client's lan with tun... switching from tun to tap works but I can only ping VPN ips now...
09:45 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
09:46 < nomefalso> I cant ping my 10.51.0.4 from server
09:46 < nomefalso> with tun I can
09:47 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has joined #openvpn
09:48 < nomefalso> oh.,.. I thinkt he problem is this... WARNING: potential route subnet conflict between local LAN [10.51.0.0/255.255.0.0] and remote VPN [10.51.0.0/255.255.255.0]
09:49 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
09:52 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:54 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
09:57 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
10:03 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
10:08 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
10:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:29 -!- Aliekezhi [~Aliekezhi@9.142.122.78.rev.sfr.net] has joined #openvpn
10:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:49 < _bt_> hello, anyone using 2 factor auth with openvpn? how do you manage ping-restarts etc?
11:06 -!- master_of_master [~master_of@p4FF24849.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:07 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
11:08 -!- master_of_master [~master_of@p4FF2467D.dip0.t-ipconnect.de] has joined #openvpn
11:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
11:19 < pekster> _bt_: If you auth via --user-auth-pass script for your OTP token (google Auth or RSA token or whatever) then some of the env-vars allow you to detect if this is an initial user auth, or an existing user re-authenticating
11:20 < pekster> Basically you'd only want to require a OTP token for initial connections and not subsequent ones, so the script should just silently allow a client to renew the TLS session without check the OTP again (as the prior OTP won't be valid again, of course)
11:20 < pekster> You can't do that by using the PAM plugin, for instance, becuase it's not AFAIK aware of this distinction
11:21 < _bt_> yeah im using the pam plugin
11:21 < _bt_> and oath pam module
11:21 < pekster> Right, but that won't work
11:21 < pekster> PAM never gets the info you need to ignore all but the initial-connection authentication
11:22 < _bt_> im just going to have to throw the OTP token entry box when detecting a ping-restart
11:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
11:23 < pekster> The whole point of OATH is that you have a user interactively sitting behind the system to supply the OTP
11:24 < pekster> How are you currently dealing with the hourly renegotiations?
11:24 < _bt_> im not
11:24 < _bt_> i havent deployed it yet
11:25 < _bt_> im just working on a connector app that uses the management interface to start and stop the tunnel
11:25 < _bt_> and prompt for otp token
11:25 < pekster> Ah, okay. So yea, ping-restart is only part of the issue. By default openvpn performs a TLS re-negotiation every hour. This does several things: 1) re-authenticats your client (using all auth methods you're specified) and then  2) negotiations a new session key (used to encrypt the data channel)
11:26 < pekster> Clients generally cache the auth password, which in the case of OTP isn't going to work. You could prompt them for it every hour somehow, but that's not user-friendly
11:27 < _bt_> what would be your advice to get round this problem?
11:28 <@Eugene> !beer
11:28 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
11:28 <@Eugene> Always good advice ^
11:28 < _bt_> beer starts in 1 hour
11:28 < pekster> Everything but the ping-restart case is fixed by _not_ using the PAM module becuase it can't know if the auth is a re-auth of an existing session or a fresh one. Use oathtool (a CLI implemetnation of OATH) or something called from the verify script
11:29 <@Eugene> That sounds like two hours too far
11:29 < pekster> ping-restart can't be solved at all unless you do something silly like have OATH accept the last 960 OTP codes (for an 8 hour window) or something
11:29 < _bt_> right okay i will look into ditching the PAM module and switching to verify
11:29 < pekster> And then it's not really an OTP anymore, but "a code good for an 8 hour window" ;)
11:30 < _bt_> and secondly just reprompting for OTP on ping restart
11:30 < pekster> Right, that's the best way to solve it. Or don't ping-restart at all and inform the user to reconnect
11:30 < _bt_> are there any scripts/helpers out there already built (do you know)?
11:30 < _bt_> pekster: that's what it does at the moment - just throws a disconnected balloon
11:30 < pekster> I forget exactly what thte env-var differences are in a re-auth verses a fresh auth, but try calling `env >> /tmp/env-log` or such during the auth script
11:31 < pekster> There's at least 1 var that is in one list but not the other (re-auth vs new auth) that you can key off of
11:31 < _bt_> im attempting to get the vpn connector fool proof, idiot proof and smart guy proof
11:32 <@Eugene> You could have your OTP checking script cache the OTP code that was used for 8 hours
11:32 < pekster> http://www.nongnu.org/oath-toolkit/man-oathtool.html is pretty easy
11:32 <@vpnHelper> Title: OATHTOOL (at www.nongnu.org)
11:33 <@Eugene> So it'll accept "the current code or the last valid one that was used, within the past X hours"
11:33 < pekster> Nah, no point in caching becuase eg. oathtool can specifically allow the last X number of them
11:33 < _bt_> yeah im using oathtool already
11:33 < pekster> I suppose it'll also allow any of the ones in between too (not sure why that might be an issue, but YMMV)
11:33 < pekster> huh? I thought you were using the PAM support for OATH
11:34 <@Eugene> In case of an OTP compromise
11:34 < chrisb> is there a successful MITM attack of openvn?
11:34 < pekster> (I'm talking server-side, not client side. I don't really care how your client "supplies" the OTP)
11:34 <@Eugene> None that we're aware of
11:34 < _bt_> pekster: i am, but im using oathtool for displaying the secret key and feeding that to qrencode
11:35 < _bt_> just for client set up that
11:36 < pekster> Oh, I see. I mean use oathtool on the server-side to check if the client-supplied code is valid. By doing that you can avoid PAM (that doesn't have enough info about the session) and have an --auth-user-pass-verify script that can exit code 0 when an already-OTP-validated clients re-auths
11:36 < pekster> Either that, or find a way to patch the openvpn PAM plugin with a feature to allow that
11:36 < _bt_> otp_key_b32=$(oathtool --totp --window=30 --verbose "$otp_key_hex" | head -n 2 | tail -n 1 | awk '{print $3}')
11:36 < _bt_> otp_qr="otpauth://totp/$user:BLAH?secret=$otp_key_b32&digits=6&period=30"
11:36 < _bt_> thats all im using it for at the moment
11:37 < _bt_> so i guess i better get writing a verify script
11:37 < pekster> A feature to the PAM plugin that only auths on first-connect might be a useful feature, but that involves a bit more high-level C and openvpn-code foo
11:38 < pekster> A shell (or perl/python/whatever) script is probably easier ;0
11:38 < _bt_> thank you for all your help
11:38 < _bt_> i'll get reading the docs on verify now
11:40 < pekster> The other solution you got above abut having the server cache the accepted OTP might be a work-around too, although IMO probably more work than keying off the env-var when it's a re-auth and doing nothing
11:40 < pekster> `[ -z "$whatever_that_var_is" ] && exit 0` sounds more trivial than caching logic
11:41 <@Eugene> Hah.
11:41 < pekster> In theory you could cache it for _future_ login attempts for a while, solving your ping-restart problem
11:41 < pekster> That is the one advantage I see to that method
11:41 < pekster> (of course, if a bad guy saw the code on the user's phone at the wifi cafe, that's a potential security risk.) Choose a solution that works for you
11:41 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
11:41 <@Eugene> The reason I suggested caching is that yeah, it will differentiate between any sort of automated attempt vs a new connection(or a manual restart) by a user.
11:42 < pekster> Right. The traditional "security vs usability" trade-off
11:42 < _bt_> i will see how ping restarts affect people
11:42 < _bt_> and take it from there
11:43 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:45 < _bt_> pekster: are you suggesting to use the via-env option? or will the env options i need still be sent when using via-file?
11:46 < pekster> The latter; you can use either auth method so long as you handle security correctly
11:46 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Ping timeout: 255 seconds]
11:46 < pekster> via-env is often safe, but it depends on how your platform handles env-vars to other users (on some systems tools like `ps` will leak environment)
11:47 < _bt_> well there are no other users on this gateway, but i'll try via-file using tmpfs first
11:47 < pekster> via-file of course puts them on-disk, so use of a RAM-only disk and/or encrypted storage might be wise
11:48 < pekster> Yup :)
11:50 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
11:50 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
11:54 -!- nlb is now known as nlb_
11:55 -!- nlb_ is now known as ampzero
11:56 -!- ampzero is now known as TCPDump
11:58 -!- TCPDump is now known as nlb
12:00 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has quit [Changing host]
12:00 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
12:00 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Read error: Operation timed out]
12:06 -!- imdea [~joel@193.145.14.94] has quit [Remote host closed the connection]
12:10 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:15 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 265 seconds]
12:22 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
12:27 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:28 < _bt_> lol pekster
12:28 < _bt_> was scratching my head for a bit
12:28 < _bt_> until i figured out i needed script-security 3
12:29 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Max SendQ exceeded]
12:29 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:54 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
13:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:03 < _bt_> pekster: got my auth-user-pass-verify script working beautifully. thanks! now i just need to leave it connected long enough to dump the env and see what the deal is for re-authenticating clients. thats a job for monday though. ta ta
13:13 < dupondje> Ok. I have OpenVPN working with IPv6 now. I receive an IPv6 address on my client, and I can ping my server IP. But nothing on the internet it seems :(
13:18 <@Eugene> !redirect
13:18 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:18 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:21 < dupondje> push "route-ipv6 2000::/3"
13:21 < dupondje> this is added to the config, but traffic is not passing it seems
13:24 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
13:25 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has joined #openvpn
13:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:37 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
13:38 < edge226> Does openvpn require both the client and the server to have static ip's?
13:39 < Eneerge> no
13:39 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
13:40 < edge226> if not a static ip does it need a dynamic dns?
13:40 < Eneerge> it doesn't have to be, but it's a good idea for it to be so that the client doesnt try to connect to the wrong ip
13:40 < Eneerge> only the server needs the name
13:41 < edge226> Eneerge: Ah okay. The server has a static IP.
13:41 < Eneerge> for firewall rules, you could just limit it to whatever subnet changes for the client
13:41 < Eneerge> edge226, in that case, no need
13:43 < edge226> Setting up openvpn has been eluding me, I do not quite get how to do it. I even bought a book, the problem is most of the book is windows based :/
13:46 <@dazo> edge226: think of VPN like a virtual network cable ... just instead of pulling a cable from the network to where you are, you use OpenVPN as virtual cable
13:46 <@dazo> !book
13:46 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
13:46 <@dazo> edge226: ^^^  grab a copy of that book :)
13:46 -!- dren [dren@access.not.allowed.org] has joined #openvpn
13:47 < edge226> kk thanks. Too bad I grabbed the wrong one before :P.
13:48 <@dazo> edge226: VPN configuration is quite different between the different solutions, but that mostly covers configuring the security parameters .... once the tunnel is established, it's basic networking knowledge which is common for all TCP/IP based networking
13:51 < edge226> dazo: yeah, I understand that. OpenVPN interests me due to its wide compatibility.
13:52 <@dazo> I presume you mean "wide platform support" when you say compatibility
13:53 <@dazo> (openvpn itself is only compatible with it's own protocol)
13:53 < edge226> dazo: that is correct.
13:54 < edge226> I do meed compatibility.
13:54 < edge226> mean*
13:55 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:55 <@dazo> (sounds like a contradiction ... but, oh well ......)
14:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:28 < __FBi> Q:  How do I add a cert to a server, so users can use the service?
14:29 < __FBi> ie: server is running, and certs are signed offline
14:35 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has joined #openvpn
14:40 -!- _tarball [~quassel@port-22230.pppoe.wtnet.de] has joined #openvpn
14:49 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
14:58 -!- _tarball [~quassel@port-22230.pppoe.wtnet.de] has quit [Remote host closed the connection]
15:02 -!- joshh20-Away is now known as joshh20
15:03 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 252 seconds]
15:03 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has joined #openvpn
15:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:07 < dupondje> mmm. I have a server with a /64. Now I want to use a small part of that range for OpenVPN clients. But IPv6 doesn't seem to work on the client :s
15:08 < dupondje> I get an IPv6 ip, can ping the server IP, but nothing else :s
15:11 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 255 seconds]
15:20 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
15:21 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:22 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:23 <@plai> ngharo: still there?
15:23 <@plai> ngharo: you wanted something from me?
15:31 < ngharo> oh, i think i was just commenting on the yubikey neo coverstation regarding the difficulty in accessing the android NFC APIs in an application
15:31 <@dazo> __FBi: You go to you CA you have most likely set up ... and issue a new client certificate and provide that certificate to your VPN user
15:31 <@dazo> that's really all you need to do
15:34 <@plai> ngharo: the android nfc api is not difficult
15:37 <@plai> ngharo: if the yubikey  hasn't screwed up their API it is should straightforward to integrate the yubikey neo into my app
15:38 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Ping timeout: 264 seconds]
15:51 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
15:53 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
15:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:57 -!- syntaxx [~patvan@unaffiliated/syntaxx] has joined #openvpn
15:58 < syntaxx> Hi, I tried using tcp on port 443 on my openvpn and i am having slowness connection. While udp is getting almost 95% of my speed. Is there a way I can speed tcp up?
16:00 < syntaxx> I also tried setting the tun mtu, mssfix based on what I have read but still the same. I also tried udp but it wont route any traffic to the tunnel using (linux) while my dd-wrt works fine when udp is being used. I am not sure what I am missing
16:03 <@plai> !tcp
16:03 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
16:04 <@plai> tcp does not expect to tunneled over anything that acts other than a dump pipe
16:04 <@plai> so tcp over tcp has strange effects
16:04 -!- APTX| is now known as APTX
16:16 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:19 < __FBi> dazo, how do I add it to the server?
16:19 < __FBi> I made the cert offline -- not on the server
16:20 < pekster> dupondje: To do IPv6 properly like this with a downstream network (ie: your VPN) you need a _separate_ routable network block, generally at least a /64
16:21 < pekster> To do it improperly you can use awful and broken hacks like tap, or faking a /112 or something "inside" your /64 and expecting routing priority to send it to a different device, but these are almost always hacks around a shitty ISP
16:21 <@dazo> __FBi: you don't .... you only need to push it to the client ... as long as the client cert is signed by the CA the server it expects, it just works
16:22 < pekster> dupondje: Does your network provider not follow RFC6177? Have you politely asked them to provide a routed deligation to you (anything between a /64 and a /56 might be appropriate depending on your needs)
16:23 -!- megaTherion_ is now known as megaTherion
16:24 < Jack64> Hi. I got a question if you guys can answer. I got an openvpn server running and I added an iptables rulo to forward traffic from the ovpn subnet to my internal LAN, however, this only works when I'm on 3G/4G connection, otherwise I can't access other computers in the LAN. Why is that?
16:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:25 <@dazo> __FBi: btw ... your CA *should* be offline ... you only need the CA files when you need to generate new server or client certificates
16:25 <@dazo> the server only needs updates, when you change the CA or server certificates
16:25 < dupondje> pekster: I have a /64 (but already need some IP's for VM's on my server)
16:25 < pekster> dupondje: A _routed_ /64?
16:25 < pekster> Or is your ISP brain-dead and gives you only a single one on-link?
16:26 < dupondje> Don't know exaclty if its a routed /64 (provider is hetzner btw)
16:26 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
16:27 < pekster> Is the /64 on-link or is it a routed block?
16:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:28 < Jack64> anyone?
16:28 < dupondje> pekster: sorry, but how to check exactly?
16:28 < pekster> One is on your interface, the other block(s) are routed to you and not on the interface
16:29 < __FBi> dazo, I must be having another problem then :/
16:29 < __FBi> my phone was giving me a cert, problem
16:29 < pekster> dupondje: Start with a pastebin of this perhaps:
16:29 < pekster> !interface
16:29 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
16:29 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
16:29 < pekster> Just your server is fine for now
16:30 < dupondje> http://pastebin.com/g2mhs9kA
16:31 < pekster> Okay, so 2a01:4f8:200:5009::2/64 is on-link on br0; what blocks are you assigned for downstream routing?
16:31 < pekster> If you aren't assigned any, you should go ask your network provider for a deligation, probably easiest to just ask for a /60 to /56 so you have some room to expand (although you could get away with "just" a single /64 that openvpn will consume)
16:31 < dupondje> 2a01:4f8:200:5009::/64 is the only one I have :)
16:32 < pekster> Then ask for a proper segment for routing
16:32 < syntaxx> plai, thanks
16:32 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
16:32 < dupondje> Guess they don't have a bigger subnet then /64
16:32 < dupondje> asked them for it tho
16:32 < pekster> Then they're retarted
16:33 < dupondje> my other server just has a /112 héhé
16:33 < pekster> Well, lots of customers don't need it: if they don't give you one after you nicely ask, _then_ they're idiots
16:33 < dupondje> sad thing is that they will only respond monday
16:33 < dupondje> there goes my weekend project :P
16:33 < pekster> Yes, may companies try to fuck customers. It's very popular to screw your paying customers, apparently. RFC6177 pretty clearly indicates that this is awful behavior for them
16:33 < pekster> s/may/many/
16:34  * pekster shrugs
16:34 < Jack64> please help..
16:35 < pekster> Jack64: Without a better description of your network topology there's not enough info to provide any meaningful help
16:35 < dupondje> pekster: anyway thx for the help :) lets see what they respond :)
16:36 < pekster> Sometimes politely asking (and sometimes nudging them with references to RFC6177 and a description of what you're trying to do) helps. If not, quite frankly you might be better off paying a company who knows how The Internet works
16:36 < dupondje> it still feels a waste to use a /64 for like 4 vpn clients :p
16:36 < pekster> That's how routing works
16:37 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
16:37 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
16:37 < pekster> Every network segment has its _own_ and _unique_ network range. They need not be /64's, but that's just the convention (and plays nice with SLAAC anyway, for physical L2 networks)
16:37 < pekster> Since your existing /64 is on-link, you can't use it to route downstream
16:38 < pekster> In theory if your provider put a /112 to you on-link (or even a /126, or a /127 using PtP networking) then you could route a /112 for OpenVPN. Read this wiki page for reasons why you should use a /64 though:
16:38 < pekster> !ipv6
16:38 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
16:38 < pekster> Ask #ipv6 if you're confused why we use a /64 pretty much everywhere
16:40 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-guowmmuflczyhzuo] has joined #openvpn
16:41 < dupondje> but you could split the /64 into some /84's for example ?
16:44 < Jack64> pekster: I have a 192.168.1.* network and 10.8.0.* is the ovpn subnet, what else do you need to know? I want the clients from 10.8. to be able to get to the 192.168.1.* subnet
16:49 < syntaxx> plai, on my dd-wrt protocol udp is fine while on my linux box using udp is just the same as tcp. i wonder what i am missing.
16:58 < pekster> dupondje: Not if your _existing_ /64 is on-link. That means it's _all_ used up
16:58 < pekster> You could split an _unused_ /64 into 281474976710656 individual /112's, though
16:59 < pekster> (raise 2 to the power of the difference between 112 and 64)
17:00 < pekster> Jack64: Don't use 192.168.1/24 for your server; it's a problem when anything on the far side of the VPN (ie: your VPN client) uses that range. That is the single most popular RFC1918 LAN
17:00 < pekster> You also didn't explain where the client is relative to your network
17:00 < pekster> ie: you didn't provide your topology
17:03 < dupondje> pekster: but I could assign a /84 on-link no?
17:06 < pekster> Not if the ISP expects your /64 to be on-link
17:07 < pekster> Not without proxy-NDP anyway, and that falls into the "hacking your fucked up ISP" category
17:07 < pekster> (the problem is that your host won't answer an NDP query from your on-link peer if there's no host on that box that will respond to the request)
17:07 < pekster> proxy-NDP is just as stupid in the v6 world as proxy-ARP is in v4: it means you're not doing things right in the first place
17:08 < pekster> To borrow a Bud commercial slogan, "Routing: less filling tastes great!"
17:09 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:13 -!- fletsche [~Adium@p549B6042.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
17:13 -!- dazo is now known as dazo_afk
17:15 -!- syntaxx [~patvan@unaffiliated/syntaxx] has quit [Quit: Leaving]
17:16 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:18 -!- mixxi [~mix@188.29.165.81.threembb.co.uk] has joined #openvpn
17:18 < mixxi> hey guys i have a problem with accessing the internet after connecting to my server
17:18 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 264 seconds]
17:18 < mixxi> i can ping my openvpn server fine after connection but i dont seem to be able to ping 8.8.8.8
17:19 < mixxi> my server config: http://paste.ubuntu.com/7171012/
17:20 < mixxi> my client config http://paste.ubuntu.com/7171016/
17:20 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 252 seconds]
17:20 < mixxi> i also have echo 1 > /proc/sys/net/ipv4/ip_forward
17:20 < Jack64> pekster: So how should I set up the network in order to be able to access the internal LAN from the 10.8 openvpn subnet?
17:20 < mixxi> and iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
17:23 < mixxi> brb a sec
17:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:27 -!- mixxi [~mix@188.29.165.81.threembb.co.uk] has quit []
17:32 < pekster> Jack64: 1) change your server's network (read: !randomsubnet) unless you are 100% sure clients will never be on 192.168.1/24 on "their" side. 2) set up everything in !serverlan to get the routing working. If clients can connect today this works. 3) avoid NAT unless it's unavoidable. NAT between RFC1918 networks you control is almost always wrong
17:32 -!- joshh20 is now known as joshh20-Away
17:33 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
17:33 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
17:33 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
17:34 < Jack64> !randomsubnet
17:34 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
17:34 < Jack64> !serverlan
17:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
17:34 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
17:35 < Jack64> pekster: thanks for the advice :) I get it, they can't reach me because they go to their own network with is the same..
17:35 < Jack64> s/with/which
17:37 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:38 -!- Olipro_ [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:39 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:42 -!- Olipro_ is now known as Olipro
17:46 -!- Aralucc10 [~Aralucc10@151.77.144.150] has joined #openvpn
17:47 < Aralucc10> hi, can anyone help? I changed my config from tun to tap...after a few hours everything seems to work except static ips for my clients. I used ccd dolfer files and it worked for tun...but it seems to fail with tap
17:47 < Aralucc10> folder
18:14 < pekster> Why tap in the first place?
18:16 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
18:25 < Aralucc10> I need to broadcast upno outsite local net
18:25 < Aralucc10> upnp
18:25 < Aralucc10> and multicast is not supported by tun...I was told
18:26 < Aralucc10> and yes...tun worked great for me but I need this
18:26 < pekster> Yup
18:26 < Aralucc10> but I need static ips too :)
18:26 < pekster> ccd and pushing addresses works pretty much the same, although you need to push an IP+netmask, not PtP IPs. You should really be using the 'subnet' topology with tun, which is the same
18:26 < pekster> Are your ccd files using the right --ifconfig-push syntax?
18:27 < Aralucc10> I need this client to have *.226 -> ifconfig-push 192.168.1.226 255.255.255.0 192.168.1.1
18:27 < Aralucc10> latest is my gateway
18:28 < Aralucc10> I added it after everything els failed
18:28 < pekster> Just 2 directives to ifconfig-push
18:28 < pekster> Not 3
18:28 < Aralucc10> ok, so : ifconfig-push 192.168.1.226 255.255.255.0 is right?
18:29 < Aralucc10> with tun I used also a iroute diective...I commented it
18:29 < Aralucc10> and a route directive into main conf
18:29 < pekster> iroute is when you have a LAN behind your client
18:30 < Aralucc10> well... it could be..but not for this one
18:30 < pekster> That's the only time you use iroute in a ccd
18:30 < Aralucc10> got it
18:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:30 < Aralucc10> so no route directive into main conf?
18:30 < Aralucc10> just the ifconfig-push into ccd\certname file
18:31 < pekster> Not unless you have "extra" networks floating around somewhere relative to the VPN
18:31 < Aralucc10> nope
18:31 < Aralucc10> ok..I retry...
18:31 < pekster> Also, take care that any --ifconfig-pool ranges and pushed addresses don't conflict with any LAN DHCP or staticly addressed systems or you'll have issues
18:31 < pekster> Some hints on the wiki about topolgoy:
18:31 < pekster> !topology
18:31 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
18:35 < Aralucc10> nope..it always gets the forst of the range...
18:35 < Aralucc10> first
18:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 265 seconds]
18:35 < Aralucc10> I tried the topology subnet clause ...but yes... 192.168.1.* class sucks
18:36 < Aralucc10> uits late and I have to go to sleep...I retry tomorrrow ...thanks a lot for your help
18:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:38 -!- joshh20-Away is now known as joshh20
18:40 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
18:41 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 268 seconds]
19:20 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:59 <+s7r> on a windows machine what can i do to make everything (all applications) stop connecting to the internet if the openvpn connection failed or got disconnected?
20:00 <+s7r> like a rule to enforce all internet traffic through the vpn, and if it fails or computer reboots, until vpn is not connected again no traffic to the internet at all
20:00 < pekster> Configure your firewall?
20:01 < pekster> 1) allow the IP/port tupple involved to reach your VPN server, 2) block all other traffic out your uplink 3) have a way to reverse that when you "want" normal Internet again
20:01 < pekster> How you do that is Windows-specific and best learned via MSDN, the web, or ##windows
20:01 -!- joshh20 is now known as joshh20-Away
20:01 < pekster> You /could/ manually do that, but there's an API to it (netsh if nothing else, though you might want some high-level code for that, like the .NET or C# frameworks)
20:02 < pekster> Maybe powershell. YMMV.
20:02 <+s7r> ok thank you
20:02 <+s7r> it's good. i will try to configure a sandbox
20:02 <+s7r> like a virtual machine inside the windows machine
20:02 <+s7r> it's simpler...
20:02 < pekster> Sounds like a good test environment
20:02 <+s7r> and if i use a vpn to hide the true IP and location of an IRC server, can the real IP be traced by verifing what IP addresses are permanently connected to the VPN ip?
20:03 < pekster> Don't forget to allow traffic from you to your L3 gateway
20:03 < pekster> Yes, they can (if someone has access to the VPN server in realtime, or its logs after-the fact)
20:04 < pekster> Use tor (properly) if you want to be "anonymous." VPNs use authentication and are thus the exact opposite of anonymous
20:04 <+s7r> i can use TOR + VPN
20:04 < pekster> Also, fun website to see how trackable your browser is that's marginally related: https://panopticlick.eff.org
20:04 <@vpnHelper> Title: Panopticlick (at panopticlick.eff.org)
20:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:12 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
20:28 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:29 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has quit [Read error: Connection reset by peer]
20:30 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
20:32 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
20:32 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
20:34 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
20:34 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:41 -!- mikemol [~mikemol@2001:470:c5b9:beef:695d:4957:7caf:5693] has joined #openvpn
20:48 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
20:52 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
21:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
21:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:11 -!- mikemol [~mikemol@2001:470:c5b9:beef:695d:4957:7caf:5693] has quit [Remote host closed the connection]
21:21 -!- klein_ [~klein@187.85.183.105] has joined #openvpn
21:21 -!- klein_ [~klein@187.85.183.105] has quit [Changing host]
21:21 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
21:24 -!- msn [~kvirc@115.73.64.114] has joined #openvpn
21:25 < msn> would it be possible to use LDAP as a openvpn certificate store?
21:27 -!- msn [~kvirc@115.73.64.114] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
21:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-guowmmuflczyhzuo] has quit [Quit: Connection closed for inactivity]
21:33 -!- klein_ [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
21:35 -!- AndChat|185600 [~AndChat18@179.104.14.85] has joined #openvpn
21:35 -!- AndChat-185600 [~AndChat18@179.155.69.131] has joined #openvpn
21:36 -!- chocolate [~AndChat18@179.155.69.131] has quit [Read error: Connection reset by peer]
21:36 <@Eugene> In what way? Openvpn checks that a certificate was signed by a particular CA
21:36 <@Eugene> You can use a MS-centric CA tool to generate these certs, yes.
21:39 -!- AndChat|185600 [~AndChat18@179.104.14.85] has quit [Ping timeout: 252 seconds]
21:50 -!- Denial- [Denial@2.126.201.112] has joined #openvpn
21:52 -!- Denial [Denial@90.222.17.193] has quit [Ping timeout: 265 seconds]
21:52 -!- Denial- is now known as Denial
21:53 -!- Zordrak [~jaz@87-194-137-223.bethere.co.uk] has quit [Remote host closed the connection]
22:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ejdomghzixuotxvq] has quit [Quit: Connection closed for inactivity]
22:52 -!- zxvff [~michael@00x.in] has joined #openvpn
22:53 < zxvff> Hi. Is there a simple way to get openvpn in Linux to route all of my traffic over the VPN connection? I'm having trouble getting this set up, trying to mess with default route and etc. in my system but not having luck.
22:54 < zxvff> Maybe this is more of general Linux question, but I was hoping to get help in here.
22:54 <@Eugene> !redirect
22:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:54 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
22:54 <@Eugene> !def1
22:54 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
22:54 <@Eugene> Very simple. ;-)
22:56 < zxvff> Thanks :)
22:58 < zxvff> Think I'm having a hard time becuase I'm trying to use this network-manager thing built into my distro, not the openvpn client itself. I don't know where to add options. Perhaps I'll just try from the CLI
22:58 < zxvff> !ipforward
22:58 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
23:03 < zxvff> Okay, just needed to enable ip forwarding. Silly thing to forget. My ip route solved it without messing with openvpn config. Thanks againf or the help.
23:03 -!- zxvff [~michael@00x.in] has left #openvpn []
23:29 -!- noobboob [uid5587@gateway/web/irccloud.com/x-fnjgdnrvjspaobnv] has joined #openvpn
23:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:46 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Ping timeout: 255 seconds]
23:46 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
--- Day changed Sat Mar 29 2014
00:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:49 -!- Jack64 [~jacktakah@188.122.93.34] has quit [Quit: Lost terminal]
00:55 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:02 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
01:53 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
02:42 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
02:43 -!- karab44 [~kvirc@host-91-192-90-101.elomza.pl] has joined #openvpn
02:44 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-cigqhqntlvmozldg] has joined #openvpn
02:47 < truexfan81> i'm having a problem, windows 8.1 openvpn will not launch, i have tried launching it from cmd, i get no output, no errors, program just doesn't launch
02:48 -!- karab44 [~kvirc@host-91-192-90-101.elomza.pl] has left #openvpn ["Everytime you tell people to read FAQ, RTFM and direct them to Manual somewhere on Earth God kills innocent kitty."]
02:51 < truexfan81> i just tried reinstalling, didn't fix it
03:04 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
03:05 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
03:05 < truexfan81> anyone here? this problem is quite frustrating
03:06 < truexfan81> it worked a few weeks ago, afaik nothing on this machine has changed since the last time openvpn gui worked
03:07 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
03:10 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
03:12 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
03:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-fnjgdnrvjspaobnv] has quit [Quit: Connection closed for inactivity]
03:49 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
03:56 < edge226> how long does it take to write the private keys?
03:58 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
04:06 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 252 seconds]
04:07 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
04:27 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
04:28 -!- Aralucc10 [~Aralucc10@151.77.144.150] has quit [Read error: Connection reset by peer]
04:29 -!- Aralucc10 [~Aralucc10@151.77.144.150] has joined #openvpn
04:40 < edge226> http://dpaste.com/1762722/
04:41 < edge226> Anyone now how to get that so I can keep going on the set up?
04:41 < edge226> know*
04:50 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
04:56 < edge226> I am trying to set up a typtical client/server. The resources I am following are unclear whether what I am doing should be done on the server or the key server box.
05:01 -!- fletsche [~Adium@p5DC5702A.dip0.t-ipconnect.de] has joined #openvpn
05:02 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Read error: Operation timed out]
05:05 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
05:20 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
06:03 -!- j2quinn [~j2quinn@165-154-94-112.ispnetbilling.com] has joined #openvpn
06:04 < j2quinn> !paste
06:04 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
06:05 < dupondje> Ok. I did split up my /64 into multiple /112's now. All VM's have correct IPv6 connectivity now. But how to get the VPN working now. The VPN hands out IP's from a /112 now. But what to use as gateway?
06:06 < dupondje> The tun0 should be in a bridge with the eth0 or ?
06:07 < j2quinn> https://gist.github.com/anonymous/9852512 this is my server conf for openvpn however, i can connect but my ip doesnt change on mac. my server is archlinux.
06:07 <@vpnHelper> Title: gist:9852512 (at gist.github.com)
06:08 < j2quinn> https://gist.github.com/anonymous/9852537 client conf for tunnelblick
06:08 <@vpnHelper> Title: gist:9852537 (at gist.github.com)
06:09 < j2quinn> any ideas about why my ip is not changing? My mac is running on the latest mavericks and I am using the latest beta of tunnelblick
06:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:17 -!- AlexBones [~AlexBones@gateway/tor-sasl/alexbones] has joined #openvpn
06:17 < AlexBones> Every day now for a long time, I have started a Windows 7 VM, Shift + right-clicked the OpenVPN icon, picked "Run as administrator", then clicked "yes", then finally right-clicked the notification area icon to pick a server. If I open it normally, it doesn't work. This has GOT to be possible to script/automate...
06:18 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-kuuaydpkrstqtwge] has joined #openvpn
06:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:29 < Eneerge> AlexBones
06:29 < Eneerge> If you want to store your password somewhere on the drive, you can make use of the OpenVPN Service in services.msc
06:30 < Eneerge> alternatively you can use something like http://pastebin.com/vtQLiFbW
06:50 -!- joshh20-Away is now known as joshh20
06:56 -!- bimbo [~emerino@187.240.120.251] has joined #openvpn
06:57 < bimbo> hello, I'm trying to route all traffic from my computer through the openvpn server
06:57 < bimbo> it is working, however when I attempt to connect to a website that uses TLS/SSL the connection will fail
06:58 < bimbo> is there anything special I need to do to be able to access TLS/SSL websites?
06:59 < dupondje> Ok having a server with a /64 IPv6. Splitted the IPv6 into multiple /112 ranges now. And assigned 1 /112 to each VM, and a /112 to the VPN tunnel. Now IPv6 connectivity is working fine on the servers. Also I receive a IPv6 address in my client. I can ping my server's IPv6 address, but nothing further. Do I miss any routes or?
07:12 < dupondje> any idea's?
07:14 -!- bimbo [~emerino@187.240.120.251] has quit [Ping timeout: 268 seconds]
07:29 -!- bimbo1 [~emerino@187.240.120.251] has joined #openvpn
07:29 -!- mikemol [~mikemol@2001:470:c5b9:beef:ec18:b03c:1f32:91e7] has joined #openvpn
07:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:36 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
07:39 -!- bimbo1 [~emerino@187.240.120.251] has quit [Ping timeout: 255 seconds]
07:39 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:44 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
07:48 < esde> when i generate ta.key it is only 2048 bit, how to increase bit size???
08:02 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
08:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 252 seconds]
08:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
08:20 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:21 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:28 -!- UukGoblin [~jaa@yatima.uukgoblin.net] has quit [Changing host]
08:28 -!- UukGoblin [~jaa@unaffiliated/uukgoblin] has joined #openvpn
08:44 -!- Eagleman- [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds]
08:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
08:51 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:55 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
08:57 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
09:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
09:10 -!- joshh20 is now known as joshh20-Away
09:17 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Quit: WeeChat 0.4.3]
09:18 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
09:20 -!- fletsche [~Adium@p5DC5702A.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
09:20 -!- joshh20-Away is now known as joshh20
09:21 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
09:24 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
09:24 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
09:46 -!- mback2k_ is now known as mback2k
09:58 < edge226> I am having sound trouble getting the server and client to tls handshake...
09:58 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
09:59 < edge226> I can get it working with the basic tun/tap methods but once I add security onto it everything goes poop!
10:02 < edge226> what would be the best configuration to be able to get the VPN operating correctly on a chromebook? The chromebook requires a username and I have not hit a point in configuration where you set usernames...
10:45 -!- joshh20 is now known as joshh20-Away
10:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
10:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:46 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:05 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 252 seconds]
11:07 -!- master_of_master [~master_of@p4FF2467D.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
11:10 -!- master_of_master [~master_of@p4FD7B54D.dip0.t-ipconnect.de] has joined #openvpn
11:15 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Read error: Connection reset by peer]
11:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
11:43 -!- noobboob [uid5587@gateway/web/irccloud.com/x-llwasfmzdvcuolnj] has joined #openvpn
11:52 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
11:53 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
12:05 -!- is3nov [~NA@se2x.mullvad.net] has joined #openvpn
12:06 < is3nov> How does openvpn handle trying to connect to two different vpns?
12:06 < is3nov> Is it even possible? Does one VPN tunnel through the other? what happens?
12:08 <@Eugene> A VPN is just a network tunnel. You can have as many open as you like.
12:08 <@Eugene> You're probably thinking of the behaviour when doing default route redirection
12:08 <@Eugene> In which case, yes, things get screwy.
12:08 < is3nov> Ah
12:09 -!- AlexBones [~AlexBones@gateway/tor-sasl/alexbones] has quit [Quit: AlexBones]
12:10 < is3nov> What order does openvpn start up each configuration in the /etc/openvpn directory? Would 00-foo start before 01-bar ?
12:11 <@Eugene> Depends entirely upon how your distro's init script is invoking it.
12:12 <@Eugene> The Red Hat & friends use "for c in `/bin/ls *.conf`", so whatever order ls puts 'em in
12:12 < is3nov> Ah. Usually I just call invoke-rc.d openvpn start, which starts the vpns in the /etc/openvpn on its own
12:12 <@Eugene> (usually alphabetical, yes)
12:13 <@Eugene> I have no idea how it works with systemd, sorry
12:13 <@Eugene> Or whatever one thati s
12:13 < is3nov> That is the Debian init, iirc sysv
12:18 < MorgyN> it's a wrapper like chkconfig then
12:19 < MorgyN> or actually, "service"
12:19 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
12:19 <@Eugene> Ahhhh Debian.
12:20 < MorgyN> which debian also has
12:20 <@Eugene> And which is actually sane to type
12:21 < MorgyN> I like service more and more cause it handles upstart/sysv/systemd all magically
12:21 < MorgyN> not to mention each different flavour of distro sticks thier upstart/systemd confs in different places =/
12:23 <@Eugene> s/magically/as a giant series of hacks/, but yes. ;-)
12:23 <@Eugene> I've just started poking at systemd yesterday, and I arleady hate it. Buuuut I know it's the future, so ugh.
12:24 < MorgyN> I initially hated it.. (woo pun)
12:24 < MorgyN> but I've started to like it
12:24 < edge226> I've setup my VPN with PAM Authentication. I can access the box via my Linux desktop but not via my chromebook.
12:27 -!- ted20_ [~ted20@46.33.25.50] has joined #openvpn
12:28 < ted20_> OpenVPN work also for DNS traffic?
12:29 <@Eugene> OpenVPN will pass any Layr 3 protocol, including DNS over UDP, yes.
12:29 <@Eugene> (or L2, if you do TAP devices, which you shouldn't without reason)
12:29 < pekster> edge226: OpenVPN works with either X.509 keypairs and/or username-pass. AFAIK there is no openvpn support for the chromebook, so it's probably using some "other" VPN sytem
12:29 < pekster> If anything "requires a user/pass and nothing else" it's probably not openvpn
12:30 <@Eugene> You could flip the dev switch and do whatever on the chromebook.
12:31 < pekster> IIRC it's the lack of tun support, but I don't really recall the details well
12:31 < edge226> pekster: yes there is...
12:31 < pekster> Then how the hell did they "disable" X509 auth?
12:32 < pekster> Do you have `openvpn --version` output from the chromebook? If it has a compile define list I'm very curious to see it
12:32 < edge226> I added certificates to the system. it required the ca.crt and a p12 auth key.
12:32 < edge226> pekster: it is built into chromeOS.
12:32 < edge226> its a graphical thing.
12:33 < pekster> OpenVPN is not a graphical thing, though there are GUIs built on top of openvpn
12:33 <@Eugene> !ubuntu
12:33 <@vpnHelper> "ubuntu" is dont use network manager!
12:33 <@Eugene> Open a shell and get the --version
12:33 < pekster> All but the Windows GUI client are unsupported here, and for help you'll need to either ask them, or use the command-line version while we help find out what's wrong
12:33 < pekster> I'd suggest calling the binary so we can at least find out what it is you have
12:34 <@Eugene> And to be fiar, the "windows GUI" is just a pretty way to start a .ovpn
12:34 < edge226> pekster: chromeos does not see a openvpn binary, otherwise I could probably hack it out to work...
12:34 <@Eugene> Well there's your answer.
12:35 < pekster> Then it sounds like what you're using isn't openvpn, like I posited above
12:35 < pekster> !notcompat
12:35 <@Eugene> It isn't openvpn, it's some crap that's pretending to be openvpn. Go talk to your vendor.
12:35 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
12:36 < pekster> OpenVPN on a server requires an OpenVPN installation on your client. This at minimum includes the `openvpn` program binary (a compile C executable) but may also include a GUI frontend that invokes the binary in a "friendly" way
12:36 -!- j2quinn [~j2quinn@165-154-94-112.ispnetbilling.com] has quit [Quit: j2quinn]
12:36 < edge226> pekster: I know it is not supported software... sheesh. It doesnt hurt to ask though...
12:37 <@Eugene> It does hurt to keep asking after we tell you that it isn't
12:41 < pekster> OpenVPN requires a build from source (by you or the packaging vendor) and a successful build and operation requires certain support, most notably the tun driver and openssl
12:42 < pekster> If you're a developer, you might take a look at what SDK the chrmebook offers to see what the issues are; some folks have probably done some of the initial work online somewhere
12:44 < edge226> pekster: I did set my ca.crt and client.p12 key into openvpn. The article I found from google said to do that. It still would not auth though. Sorry for being a pain but the chromebook is specifically what I am trying to vpn client. I suppose I could just vpn in through crouton.
12:45 < pekster> Does it explicitly support openvpn? If it does, there should be an openvpn binary somehwere (though maybe not in the $PATH if the distro tries to "hide" it from you)
12:46 < pekster> Do you have a real shell on this thing? Can you perhaps try to search for it? Maybe try `locate openvpn | grep 'openvpn$'` looking for the program
12:46 < edge226> pekster: it does, To enable it I goto the network stuff. Add network and it states "OpenVPN" Ill do a back end find to see if it is hidden from the $PATH
12:47 < pekster> Or failing that, a probably slower search, like `find / -type f -executable -name openvpn`
12:47 < edge226> pekster: ah looks like it is there! its version 2.3.2
12:48 < pekster> I'm pretty sure they wouldn't have disabled X.509 auth (certs+keypairs) but you can paste the full --version output with the compile details and I can double-check if you'd like
12:49 < pekster> This means that you can likely use all openvpn features from the command line just fine. Perhaps the GUI is lacking (and this comes up a lot)
12:50 < edge226> pekster: makes sense. Thanks for the help. I think I can get it going from here.
12:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
12:51 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 246 seconds]
12:52 < ted20_> BTW How to distable keep-alive in fx? I haven't network.http.keep-alive in about:config. I must add this?
12:52 < pekster> fx?
12:52 < ted20_> disable ofc
12:52 < ted20_> This is short name form firefox
12:55 < ted20_> I added this without result...
12:55 -!- is3nov [~NA@se2x.mullvad.net] has quit [Quit: Leaving]
12:55 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
12:55 < pekster> #openvpn helps with OpenVPN, not Firefox. Maybe you want ##networking . http://catb.org/~esr/faqs/smart-questions.html#forum
12:55 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
12:56 < ted20_> pekster: Man, I know that, but firefox channel is dead..
12:57 < pekster> As a hint, don't pick a channel specific to another project when this happens. ##networking helps with general networking. You wouldn't go to #git to ask about firefox either, I hope
12:57 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
12:58 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
13:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:03 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
13:06 < edge226> pekster: it works :)
13:09 < pekster> Neat. I don't follow chrombook development closely, but for a while the support was completely lacking. Sounds like most of that is fixed (though perhaps the GUI still needs some work, evidently)
13:14 -!- ted20_ [~ted20@46.33.25.50] has quit [Quit: leaving]
13:16 < edge226> pekster: yeah definitely. No matter what I did with the GUI it did not work. The CLI works snappy though. I got the client-to-client tunnel going properly too :)
13:16 < pekster> It might be worth opening a well-written bugreport with your distro if you'd like to se that fixed
13:17 < edge226> pekster: distro being chromeos?
13:19 < pekster> Yup
13:20 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
13:20 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
13:20 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
13:35 -!- mback2k is now known as mback2k_
13:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:41 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
13:43 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
13:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:00 -!- b4tm4n [~b4tm4n@109.201.154.154] has joined #openvpn
14:01 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:02 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has joined #openvpn
14:02 < Putdeksel> !redirect
14:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:02 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:03 < pekster> Basically, in exchange for getting rid of all the complex bridging, the routing will "just work" when you're done. No messing around with bridges and shared address space or any of that
14:05 < pekster> All that interface config goes away, and so does the script you'd need to have to dyamically add the tap device to the bridge. You replace it with a single NAT rule and IP forwarding enabled. See why it's easier? ;)
14:06 < Putdeksel> Yes I do.
14:06 < pekster> Oh, and this is an android client, right? Android clients don't do tap either (so you must use tun)
14:06 < pekster> !android
14:06 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
14:07 < pekster> Oh, that doesn't list it (different fact does.) Anyway, no tap on android :P
14:07 < Putdeksel> Got it.
14:13 < Putdeksel> !def1
14:13 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
14:16 < Putdeksel> So I can remove the bridge-utils right?
14:17 < pekster> If you'd like (once you remove all your bridges.) It won't hurt to keep it there if you ever bridge for more relevant reasons in the future
14:18 -!- bimbo1 [~emerino@187.240.120.251] has joined #openvpn
14:19 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
14:21 -!- mikemol [~mikemol@2001:470:c5b9:beef:ec18:b03c:1f32:91e7] has quit [Remote host closed the connection]
14:22 -!- AndChat-185600 [~AndChat18@179.155.69.131] has quit [Quit: Bye]
14:27 < Putdeksel> Got the bridge out of the way pekster, can reach my server again from outside my network.
14:30 < Putdeksel> Should I include the original eth0 declaration in the interfaces file?
14:33 < pekster> Yup, whatever your actual network setup calls for
14:33 < UukGoblin> guys, if I create a CA-based setup for a few clients, how can I ensure that a given CN (and no-one else) ends up on a given IP?
14:33 <@ecrist> !static
14:33 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
14:33 <@vpnHelper> also: !addressing
14:34 < UukGoblin> ecrist, thanks... so I basically need to create a /30 for each client in a CCD?
14:35 < UukGoblin> !addressing
14:35 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
14:35 < pekster> /30's are the old-and-busted way to do things. Read about topology too at:
14:35 < pekster> !topology
14:35 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:36 < UukGoblin> my concern was that if I had a pool of, say, /24, then clients could override their ifconfig-push with --no-pull
14:37 < pekster> They can, but the server won't allow clients to send from addresses they haven't been assigned
14:37 < UukGoblin> ah, interesting, that might do it
14:37 < pekster> No need for static assignment unless you actually want to bind a particular client to the same address each time
14:37 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 255 seconds]
14:37 < pekster> If you do, mind the info above about reducing the pool range
14:39 < UukGoblin> another issue I have is that I'd like to ensure client-to-client security - i.e. even if the server gets compromised, clients won't blindly accept traffic from some IP if that traffic isn't "signed" with the appropriate cert
14:39 < UukGoblin> but I guess there's no easy way around it other than to make a new server on each client (and use the master server for providing a dumb tunnel only)?
14:40 < UukGoblin> i.e. if my master server is 172.16.0.1, client A is 172.16.0.5 and client B is 172.16.0.9, then from the point of view of client B I'd like to create firewall rules that make sure that traffic claiming to be from 172.16.0.5 was actually signed by client A's cert
14:41 < UukGoblin> as opposed to coming from a hacked server
14:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:44 < UukGoblin> so the only solution I can think of is to create a new openvpn server on client B and have client A connect to that server
14:45 < UukGoblin> however with many clients, such a setup would not scale very well
14:47 < pekster> OpenVPN already drops traffic that's not from teh client
14:48 < pekster> That's the magic of TLS with ephemeral session keys
14:49 < UukGoblin> oh? but it's the server that controls what IPs clients get, so how will client B know what cert to match traffic from 172.16.0.5?
14:50 < pekster> The server has already validated that
14:50 < pekster> If you don't trust your server, stop using your VPN
14:50 < UukGoblin> yes, but I'm talking about the situation in which the server is compromised (and clients aren't)
14:50 < pekster> THen you're fucked
14:50 < pekster> Use end-to-end security if you care
14:51 < pekster> (ie: run ssh over the VPN link, or any other form of real security. https, whatever
14:51 < UukGoblin> yes, that was pretty much my openvpn-inside-openvpn idea
14:51 < UukGoblin> (described briefly above)
14:57 -!- Putdeksel [50397034@gateway/web/cgi-irc/kiwiirc.com/ip.80.57.112.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
15:04 -!- b4tm4n [~b4tm4n@109.201.154.154] has quit [Quit: Leaving]
15:14 -!- kirin` [telex@gateway/shell/anapnea.net/x-yqhkyzwccjmyrxac] has quit [Ping timeout: 240 seconds]
15:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-bonrkphekknbptgs] has joined #openvpn
15:37 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 255 seconds]
15:39 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:59 -!- joshh20-Away is now known as joshh20
16:22 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:22 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
16:23 -!- Mike3 [mad@mx.probie.nl] has quit [Ping timeout: 246 seconds]
16:24 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Read error: Connection reset by peer]
16:24 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
16:39  * edge226 wonders of the chromeos GUI will accept tun.
16:39 < edge226> I was only trying tap.
16:42 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 268 seconds]
16:44 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 268 seconds]
16:46 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 255 seconds]
16:47 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:03 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
17:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:07 < Su7> Hello guys
17:09 < Su7> Still having issues with accessing the internet from my android device through my debian openvpn box :/
17:09 < Su7> In the logs, I keep getting "MULTI: bad source address from client [192.168.10.92], packet dropped"
17:09 < Su7> with 192.168.10.92 being my device's IP on my home's LAN
17:10 -!- mikemol [~mikemol@2001:470:c5b9:beef:d4a3:3249:79ab:3ae1] has joined #openvpn
17:11 < pekster> That's a non-fatal information message that informs you your client has been Naughty and tried to send an address it shouldn't have down the tunnel
17:11 < pekster> Stop whatever application on your client is generating that traffic to avoid it
17:13 < Su7> pekster: could it be that my server is not sending a proper address to my device ?
17:14 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
17:14 < Su7> (I'm using password-based authentication by the way, and no client certificates)
17:14 < pekster> If it's misconfigured, sure. Review your configs (paste them here if you'd like a review, by following !configs) and then check your --verb 4 (see: !verb) logs on your client
17:14 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
17:14 < pekster> Watch for the PUSH_REPLY command
17:14 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 246 seconds]
17:14 < Su7> !confgi
17:14 < Su7> !config
17:14 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
17:15 < Su7> !configs
17:15 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:18 < Su7> pekster: i'd apreciate if you could that a quick look at this
17:18 < Su7> http://pastie.org/private/ofksokbtgiqo4vogxg5wq
17:18 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:18 < Su7> take*, sorry
17:21 < pekster> Seems sane enough
17:21 < pekster> You should add --username-as-common-name though
17:21 < Su7> in server right ?
17:22 < pekster> Yea, otherwise you can't tell apart your clients or use things like ccds or management or reference log enries for them
17:23 < Su7> I'm not using ccds
17:24 < Su7> damn, that's insane
17:24 < pekster> So you'd rather have the CN be null in your logs? Unable to tell apart your clients except by the source IP address? That seems foolish, but it's your cohice
17:25 < Su7> pekster: this is a small installation for a personnal use, managing client certificates is a hassle
17:26 < pekster> huh⁇
17:26 < pekster> Have you read --username-as-common-name?
17:26 < pekster> This is _exactly_ the usecase you want it
17:26 < pekster> !man
17:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:26 < Su7> pekster: yes, I read about it, so I added it to my config file and restarted the server - still does not work :-(
17:27 < pekster> That won't fix your address issue, just allow you to address your clients properly by name
17:27 < pekster> Did you have verb 4 output from your client up somewhere?
17:27 < pekster> Did you check the PUSH_REPLY line like I suggested?
17:27 < pekster> Did you compare that addressing to the actual address of the tun device?
17:29 < Su7> ok, let me grab the logs from the client
17:32 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has quit [Changing host]
17:32 -!- omrib [~omrib@unaffiliated/omri] has joined #openvpn
17:32 < Su7> pekster: I get PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 213.186.33.99,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
17:32 < Su7> which seems correct
17:34 < pekster> So long as the client sets the 10.8.0.6 -> 10.8.0.5 on the client side, yes
17:34 < pekster> It's just your client making crappy routing decisions without whatever application is doing that
17:34 < pekster> Same solution I said much earlier: identify the application that is doing it, then stop (or correct) it
17:35 < pekster> Can you ping the VPN server from your client? If you can ping 10.8.0.1, then "OpenVPN is working"
17:36 < Su7> pekster: I can ping the server and even access its main apache virtualhost.
17:37 < pekster> Then openvpn is working as advertised
17:37 < Su7> Basically any application using network seems to be sending this shitty traffic then
17:37 < pekster> It's just as bogus as me using 1.2.3.4 as the IP on my home ISP
17:37 < pekster> I'm not assigned that address and thus can't use it
17:38 < Su7> pekster: could this be due to some bad iptables configuration on the server ?
17:38 < pekster> Nope
17:38 < Su7> damn
17:38 < pekster> The client is sending data down the tun device claiming to be sourced from 192.168.10.92. Look at your config: that's _invalid_ on your VPN
17:38 < pekster> You can't use it. Something is. Identify and stop/correct it
17:43 < pekster> Google around a bit for the error; there are a couple of well-known applications that send traffic like this
17:43 < pekster> Or just do what I've been suggested a couple times now and tcpdump your traffic to find out for yourself
17:43 < pekster> !tcpdump
17:43 <@vpnHelper> "tcpdump" is (#1) tcpdump is a great troubleshooting tool (Wireshark or the tshark.exe CLI tools for Windows.) To start, try a syntax like `tcpdump -pni ifWhatever` or (#2) You can also add filters to the command, like 'icmp' or 'udp port 1194' and the like. Consult the tcpdump docs for details.
17:45 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
17:47 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
17:50 < Su7> pekster: okay, I did some tcpdump, and I get a lot of lines like
17:50 < Su7> 23:47:45.265287 IP 10.8.0.6.41503 > 188.165.185.33.443: Flags [S], seq 542022100, win 29200, options [mss 1460,sackOK,TS val 12082954 ecr 0,nop,wscale 7], length 0
17:50 < Su7> seems it is using the correct IP, no ?
17:52 < Su7> (I also see some packets departing from my LAN's IP address through tun0, like if the system would use it as a fallback if I cannot use the 10.8.0.6 one)
17:55 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
17:57 < pekster> Where are you getting this silly "fallback" notion
17:57 < pekster> You cannot send from addresses you aren't assigned
17:58 < pekster> You can't send "from your LAN's IP address through tun0" -- for about the 4th time now, this is DISALLOWED by openvpn
17:58 < pekster> This is WHY it whines about it
17:58 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
18:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:03 -!- mode/#openvpn [+v s7r] by ChanServ
18:04 < Su7> pekster: still, the majority of the packets are coming from 10.8.0.6, which is the correct adress
18:04 < pekster> And those aren't the cause of your "problem"
18:04 < pekster> Did you have a real issue here?
18:04 < Su7> of course
18:05 < pekster> Or just some goofy application that's sending malformed packets
18:05 < pekster> Then explaining it upfront might have helped
18:05 < pekster> (as in an hour ago)
18:05 < Su7> pekster: maybe thoses packets coming from 192.168.x.x are from the bad app you're mentionning
18:06 < Su7> the issue is that the whole system, I mean any app is unable to access the internet throught the tunnel
18:06 < Su7> on all of my clients
18:06 < pekster> !redirect
18:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:06 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:06 < pekster> Review your setup, and perhaps use the flowchart
18:07 < pekster> lack of IP forwarding of misconfigured firewall are common issues
18:07 < pekster> The 'bad address from client' is a separate issue
18:09 < Su7> pekster: I was looking at those redirection settings
18:09 < Su7> ipv4 forwarding and NAT are enabled on the server
18:11 < pekster> probably firewall then
18:12 -!- Dan39_ [~ddan39@unaffiliated/dan39] has joined #openvpn
18:13 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Read error: Connection reset by peer]
18:15 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
18:15 -!- Dan39_ [~ddan39@unaffiliated/dan39] has quit [Client Quit]
18:17 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
18:17 < Su7> pekster: and the weirdest : rebooting the server solved the issue.
18:17 < Su7> wtf.
18:17 < Su7> thanks a lot for your help anyway.
18:18 < pekster> likely your routing or firewalling was screwed up
18:20 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
18:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-llwasfmzdvcuolnj] has quit [Quit: Connection closed for inactivity]
18:23 < Su7> I'll keep blaming my apps for sending bad traffic to tun0 ;-)
18:23 < Su7> thanks a lot.
18:50 -!- geordie [~pi@96.49.128.199] has joined #openvpn
18:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:08 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has joined #openvpn
19:08 < philipp__> hey, for some reason the openvpn connection on my rapberry pi is very slow. can you help me finding out what could cause that?
19:13 < philipp__> anyone alive?
19:18 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 255 seconds]
19:21 < pekster> The CPU on those things is very weak. Check if it supports AES-NI perhaps and if so consider using AES as your --cipher selection
19:29 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 240 seconds]
19:30 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has quit [Ping timeout: 265 seconds]
19:33 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
19:36 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 252 seconds]
19:42 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
19:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
19:46 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
19:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:11 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
20:13 -!- tjhowse [~eness@101.165.185.107] has left #openvpn []
20:18 < esde> what else can i do to harden this http://pastebin.com/W2afnBr1
20:19 < pekster> It's much nicer if you remove comments/blanks. Grep syntax at: !configs
20:19 < esde> !configs
20:19 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:19 < pekster> Also, you might wish to review !hardening for security suggestions
20:19 < esde> !hardening
20:19 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
20:20 < esde> great, thank you
20:21 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:24 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
20:25 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:25 < esde> http://pastebin.com/7ziDuZQb with comments/blanks removed
20:27 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:29 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
20:33 < esde> also, what should permissions be for .key, .crt, .pem files in /etc/openvpn?
20:40 -!- ron__ [~ron@ppp118-210-251-174.lns20.adl6.internode.on.net] has joined #openvpn
20:43 -!- ron_ [~ron@ppp118-210-123-58.lns20.adl2.internode.on.net] has quit [Ping timeout: 240 seconds]
20:48 -!- geordie [~pi@96.49.128.199] has quit [Remote host closed the connection]
20:48 -!- ron__ is now known as ron_
20:49 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 268 seconds]
21:00 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
21:03 -!- aef [~smuxi@schweinehegel.raxys.net] has quit [Remote host closed the connection]
21:03 -!- aef [~smuxi@schweinehegel.raxys.net] has joined #openvpn
21:10 -!- Denial- [Denial@94.10.1.42] has joined #openvpn
21:11 -!- michaelhart_ [~michaelha@162.209.54.120] has joined #openvpn
21:11 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 240 seconds]
21:11 -!- michaelhart_ is now known as michaelhart
21:11 -!- Denial [Denial@2.126.201.112] has quit [Ping timeout: 240 seconds]
21:11 -!- Denial- is now known as Denial
21:48 -!- joshh20 is now known as joshh20-Away
21:49 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 246 seconds]
21:49 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
21:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-kuuaydpkrstqtwge] has quit [Quit: Connection closed for inactivity]
22:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
22:17 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
22:20 -!- WinstonSmith [~WinstonSm@bl9-0-70.dsl.telepac.pt] has joined #openvpn
22:20 -!- WinstonSmith [~WinstonSm@bl9-0-70.dsl.telepac.pt] has quit [Changing host]
22:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:20 -!- bimbo1 [~emerino@187.240.120.251] has quit [Ping timeout: 255 seconds]
22:22 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
22:38 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
22:38 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
22:44 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
22:44 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
22:45 -!- michaelhart [~michaelha@162.209.54.120] has quit [Read error: No route to host]
22:46 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
23:03 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 240 seconds]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
23:36 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds]
23:39 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
23:43 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
--- Day changed Sun Mar 30 2014
00:11 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
00:11 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 268 seconds]
00:11 -!- michaelhart_ is now known as michaelhart
00:16 -!- michaelhart_ [~michaelha@162.209.54.120] has joined #openvpn
00:17 -!- michaelhart_ [~michaelha@162.209.54.120] has quit [Client Quit]
00:17 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 255 seconds]
00:24 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 265 seconds]
00:28 -!- Devastator [~devas@177.18.198.36] has joined #openvpn
00:36 -!- bimbo1 [~emerino@187.240.120.251] has joined #openvpn
00:42 -!- nomefalso [~nomefalso@151.13.210.219] has quit [Read error: Connection reset by peer]
00:42 -!- nomefalso [~nomefalso@151.13.210.219] has joined #openvpn
01:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:37 < _FBi> good morning all
01:42 -!- Devastator [~devas@177.18.198.36] has quit [Changing host]
01:42 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
01:50 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
01:50 -!- mode/#openvpn [+v s7r_m] by ChanServ
01:51 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:00 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
02:06 -!- s7r_m [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:07 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
02:07 -!- mode/#openvpn [+v s7r_m] by ChanServ
02:20 < edge226> What is the practical application of tap vs tun? If you just need a punch out of one network then tun is better? I have a working tap configuration but was wondering if this configuration is overkill for what I need. It certainly is nice having the server be able to dynamically give out IP's and such.
02:21 < edge226> tap doesnt work on my phone but I do not know if I really care.
02:23 < _FBi> probably don't care
02:23 < _FBi> !taptun
02:23 < _FBi> !tap
02:23 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
02:23 <@vpnHelper> the protocol uses MAC addresses instead of IP addresses.
02:23 < _FBi> !tun
02:26 < edge226> apparently it does not want to give tun information.
02:27 < edge226> well that gives me a pretty secure answer anyways. Have a tap based config and work on upgrading my routing knowledge to be able to properly set up a tun based config.
02:32 < _FBi> !tun
02:41 < _FBi> Q:  I'm getting Cert. verify failed.  I used: openssl verify -CAfile ca.crt client.crt  came back as okay
02:41 < _FBi> what could be wrong?
02:41 < _FBi> code that be an incorrect password?
02:42 < _FBi> s/code/could
03:08 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
03:23 < edge226> is it possible to run a tap and a tun and depending on the client config it connects to the appropriate one?
04:12 -!- bimbo1 [~emerino@187.240.120.251] has quit [Ping timeout: 265 seconds]
04:15 -!- s7r_m is now known as s7r
04:17 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
04:45 <+s7r> edge226 dev tap or dev tun in configs?
05:08 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
05:21 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
05:25 -!- ajon [~ajon@2a02:8109:a080:11a4:997f:fad4:8421:940f] has joined #openvpn
05:26 < ajon> !welcome
05:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
05:26 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:26 < ajon> !goal
05:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:32 < ajon> hi
05:34 < ajon> following the "howto" the easy-rsa/whichopenvpnsslcnf script fails for me, because the regex "1\.0\.([[:digit:]][[:alnum:]])" doesent match "OpenSSL 1.0.1 14 Mar 2012"
05:34 < ajon> anyone know if this is a known problem?
05:39 -!- joshh20-Away is now known as joshh20
05:50 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-hyfsxlcwbdapgfja] has joined #openvpn
06:34 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 255 seconds]
06:34 -!- aef [~smuxi@schweinehegel.raxys.net] has quit [Remote host closed the connection]
06:42 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:06 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
07:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-bonrkphekknbptgs] has quit [Ping timeout: 265 seconds]
07:28 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-ntujoqmfudkzypts] has joined #openvpn
07:33 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-ntujoqmfudkzypts] has quit [Ping timeout: 240 seconds]
07:35 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-qmhcvldghocdvzpz] has joined #openvpn
07:39 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-pekrlwufpwlgwzhm] has joined #openvpn
07:40 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-qmhcvldghocdvzpz] has quit [Ping timeout: 264 seconds]
07:44 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:13 -!- u0m3 [~u0m3@109.96.136.13] has joined #openvpn
08:16 -!- u0m3_ [~u0m3@92.80.117.153] has quit [Ping timeout: 264 seconds]
08:23 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
08:24 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
08:36 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
08:42 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 240 seconds]
08:43 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
08:44 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
08:52 < esde> found docs that say ta.key should be chmod 600, should ca.crt server.crt server.key and hd.pem be the same chmod 600?
08:53 < esde> *dh
08:58 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 252 seconds]
09:00 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
09:28 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:37 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Quit: No Ping reply in 180 seconds.]
09:37 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
09:46 < pekster> esde: bogus docs then; only key components need to be considered private, though you're free to use more restrictive permissions as you see fit. Public keys (ie: the certs) are by definition, public. DH params aren't security critical either
09:49 < pekster> For improved security you transport your CSRs and signed certs anyway such that your server and clients generate their _own_ keypairs (locally) and never transport the private ones. See !hardening for ways to secure your PKI
09:52 <@syzzer> esde, pekster: .crt
09:52 <@syzzer> esde, pekster: .crt and dh-parameters may be public, ta.key not
09:53 < pekster> ta.key would be a "key component" ;)
09:53 < esde> thanks for the tips
09:53 <@syzzer> yup, just to make that explicit :)
09:53 < pekster> Also, if you're using .p12 bundles, they may contain both keys and certs, so you should secure them unless you know it's only holding public info
10:20 -!- lazarus477 [~lazarus@78-72-29-198-no191.tbcn.telia.com] has joined #openvpn
10:22 < lazarus477> I have an issue with ICMP echo replies getting dropped at the OpenVPN server end of a connection. The requests comes from the client end on a different LAN subnet and the replies have to traverse back over the VPN for the response to get through.
10:22 < lazarus477> Any ideas?
10:23 < pekster> firewall or lack of a proper return route
10:23 < lazarus477> All other protocols work without a hitch, such as SAMBA, Wins, SSH, netcat (nc, ncat).
10:23 < pekster> probably firewall then
10:23 < lazarus477> pekster: For testing purposes, all firewalls have been disabled, except for the server side routing device's firewall.
10:24 < lazarus477> The open VPN server itself has the firewall disabled.
10:25 < pekster> What's the target device? You have [Client-LAN] -> [VPN-Client] -> {Internet} -> [VPN-Server] -> [Server-LAN], right? And you have some LAN client sending to something on the server-LAN (not the server), right?
10:25 < lazarus477> Not the server, right.
10:26 < lazarus477> Hang on and I shall elaborate.
10:26 < pekster> So the server-LAN's default gateway is involved here too, and its routing/firewall needs to be configured to pass the traffic
10:26 < pekster> tcpdump should help show what's going on
10:26 < pekster> Play the "follow the packet" game -- tcpdump each hop in that process, then follow the reply. The hop where it gets lost is your issue
10:27 < pekster> Sounds like your server-side LAN gateway is the issue, but you'll need to confirm that
10:27 < lazarus477> My theory is this: The VPN server is a VM using a virtual network interface. In order for traffic to flow across the VPN, traffic must pass over the VM hosting machines network bridge (br0).
10:27 < lazarus477> On the other side of the VPN is OpenVPN running on an OpenWRT device running OpenVPN in client mode.
10:28 < lazarus477> Along this either side of the VPN is tied to a LAN with local subnets.
10:28 < lazarus477> Traffic flows fine between hosts on either LAN across the subnet.
10:28 < lazarus477> This is a routed VPN using TUN.
10:29 < lazarus477> I have tcpdump | grep ICMP, running on the VPN server, server side router and physical VM cluster box providing the bridge br0.
10:30 < lazarus477> I clearly see ICMP echo requests getting through, replies getting through but then getting lost when they reach the VPN server on their return to the requesting host.
10:32 < lazarus477> I have no issues with any other traffic loss. The connection has worked without a hitch for a few month. I just noticed that ping sweaps from the client end were getting lost on their return. I have now spent the past 3 days investigating the issue.
10:33 < lazarus477> Site A can ping B but replies get lost.
10:33 < lazarus477> Site B can ping A and nothing is lost, works.
10:34 < lazarus477> Any other traffic between A and B work as expected, ssh, file shares, http, dns and so forth.
10:35 < pekster> So what did you learn from my earlier suggestion?
10:35 < pekster> What hop causes the problem?
10:36 < lazarus477> Ok
10:37 < lazarus477> Well the server side gateway sees the ICMP echo reply and indicates it is destined for the IP of the originating host, at the client side of the VPN connection.
10:37 < lazarus477> To me that indicates that the server side gateway is not at fault.
10:37 < lazarus477> But hey, I am rusty at this!
10:38 < lazarus477> pekster: Now I see the reply on the srv side gateway but the reply never see the reply show up at the vpn srv.
10:39 < lazarus477> Hang on, I shall see if I can detect the reply going through the lan side gateway passing back through the VM clusters bridge...
10:39 < pekster> No, it still could be
10:39 < pekster> The firewall there could be dropping or mis-routing it
10:39 < pekster> Do you see it at the _next_ hop, ie: your VPN server's LAN interface?
10:39 < pekster> Right, that
10:41 < lazarus477> pekster: Not sure, but let me say this. I think I should be seeing 2 replies for each request, on the bridge.
10:42 < lazarus477> pekster: You know what. Your questioning has given me a new thought. I need to reconsider that the problem is the srv side lan gateway.
10:43 < lazarus477> pekster: I shall investigate it by getting some sort of firewall logging going there and see if it does something funny to ICMP traffic from the VPN.
10:44 < lazarus477> pekster: I do not think this is a routing issue since other traffic finds its' way back and forth just fine.
10:45 < pekster> This is why I said it's probably your firewall (20 minutes ago)
10:45 < pekster> And why would you see _2_ replies? ICMP has no retransmit ability, so 1 request should be 1 reply unless you have more fundamental network issues
10:46 < lazarus477> pekster: Haha.
10:46 < pekster> echo-request is sent from source to destination, then ehco-reply is sent from destination (now the source) to the source (now the destination)
10:46 < pekster> Your LAN interface on the VPN server should see both, when everything is working
10:46 < lazarus477> pekster: Love the way networking gurus mock guys like me :-)
10:47 < lazarus477> pekster: Yep
10:47 < lazarus477> pekster: Well I am convinced enough to look into it. If I did not want the help then I would not have asked, would I?
10:47 < lazarus477> pekster: Thanks for now. Now I shall check that firewall.
10:56 < edge226> s7r: I am currently running just dev tap across all configs.
11:04 -!- master_o1_master [~master_of@p4FF24D63.dip0.t-ipconnect.de] has joined #openvpn
11:04 < pekster> Don't use tap unless you actually need it: info at !tunortap
11:07 -!- master_of_master [~master_of@p4FD7B54D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
11:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-pekrlwufpwlgwzhm] has quit [Quit: Connection closed for inactivity]
11:56 -!- joshh20 is now known as joshh20-Away
12:00 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 246 seconds]
12:00 -!- obesd [~obsed@ppp121-45-200-183.lns20.cbr1.internode.on.net] has joined #openvpn
12:01 < obesd> what is the security track record of openvpn like? e.g. how many remote arbritary code execution exploits for the openssh server (or client) have there been since the softwares inception?
12:02 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
12:03 -!- cambazz [~can@188.226.175.129] has joined #openvpn
12:03 < pekster> Very few, and nothing serious that came from the openvpn codebase in the last 7 years: http://www.cvedetails.com/vulnerability-list.php?vendor_id=3278&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=10&sha=f3ad470bc74f74f0cffa7b657583a2bf81ed2127
12:03 <@vpnHelper> Title: Openvpn : Security vulnerabilities (at www.cvedetails.com)
12:03 < pekster> Ugh, sorry for the long link
12:04 < pekster> 2.0.x series is 7-years old, for reference
12:04 < cambazz> hello, i setup my first openvpn as server, and established connection. i now need a sample iptables script to allow access only for required ports
12:04 < cambazz> i am also concernet about port 943 port globally open
12:04 < pekster> You probably want #Netfilter
12:04 < obesd> pekster: really is that it, only 10 advisories since inception lol? I was looking at secunia and only found about 10 or so advisories too, infact nothing really serious at all, which meant i had to keep looking
12:05 < pekster> At least with CVE opened on them. Many of those are either very old (the 2.0.x and earlier stuff you can basically ignore for today's usage) or low-risk stuff like CVE-2013-2061, which isn't a serious issue for almost everyone
12:07 < obesd> so that page seems to show two remote code execution exploits against the server
12:07 < obesd> that is a very low number
12:08 < pekster> openvpn relies on the ssl library for most of the heavy-crypto work
12:08 < obesd> yeah
12:08 < obesd> so this http://www.cvedetails.com/vendor/3278/Openvpn.html is for all past versions of openvpn ?
12:08 <@vpnHelper> Title: Openvpn : Products and vulnerabilities (at www.cvedetails.com)
12:09 < obesd> seems to say 0 remote code execution vulns in the server for the past 5 years
12:09 < obesd> or 6 years
12:10 < pekster> Yup
12:10 < obesd> thats pretty sweet
12:10 < pekster> It's one of the primary goals of the openvpn project, and remember, most of the serious crypto stuff (that tends to have vulns more frequently) is offloaded to a library designed for that task
12:11 < pekster> You might be intesreted in reading some general hardening recommendations too at: !hardening
12:11 < obesd> !hardening
12:11 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
12:11 < obesd> yes, i would be running openvpn on openbsd
12:12 < obesd> I was curious, can you setup PFS ('perfect forward secrecy') with openvpn too ?
12:12 < pekster> That wiki doc covers that
12:12 < obesd> neato
12:12 < pekster> So long as you're using a secure TLS cipher-suite, you get that "for free"
12:12 < obesd> yeah i should have used a search engine for the PFS question hehe
12:12 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
12:13 -!- obesd [~obsed@ppp121-45-200-183.lns20.cbr1.internode.on.net] has left #openvpn []
12:13 -!- obesd [~obsed@ppp121-45-200-183.lns20.cbr1.internode.on.net] has joined #openvpn
12:13 < obesd> damn ctrl+w, was meant to close a firefox tab
12:15 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
12:20 < obesd> i am thinking of setting up an openbsd machine as a SVoSIP server, with TLS-DHE-RSA-WITH-AES-256-CBC-SHA and ZRTP
12:20 < obesd> erm, *SRTP rather
12:22 < obesd> perhaps with MIKEY, i dunno yet
12:22 < pekster> Double-encrypted, but that also gives you full end-to-end security between SIP client & server. As far as openvpn goes, that's a secure cipher-suite. Add --tls-auth if you're paranoid or want security in case TLS is ever shown to be weak
12:22 < pekster> And of course keep your PKI secure; all the security in the world won't save you from bad key or CA management
12:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:29 < obesd> yeah i suppose i would add --tls-auth
12:30 < obesd> yeah well an openbsd openvpn server should be quite secure pekster
12:30 < obesd> but many endpoint devices are very insecure
12:30 < obesd> and they hold important keys
12:31 < obesd> i wouldnt mind TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 as well when >= 2.3.3 is released rather  than SHA
12:32 < pekster> Which is why you generally encrypt them when an interactive user will be initiating the connection. Consider lower certificate validity too
12:32 < obesd> i guess i would go with 4096 bit rsa keys
12:32 < obesd> or 2048bit ones
12:32 < pekster> 'eh, that's just a waste of generation time IMO
12:32 < obesd> how long is the generation time though, afew seconds ?
12:32 -!- cambazz [~can@188.226.175.129] has quit [Quit: leaving]
12:32 < pekster> DH params at 4096? Many minutes
12:32 < pekster> And TLS negotiation begins to really suck on embedded devices (routers, rPi, etc) above 2048
12:32 < obesd> oh right, but it doesnt have to do that for every phone call right though
12:33 < pekster> No, initial connection and renegotiations (every hour by default, but there's a rollover period)
12:33 < obesd> yeah i guess the openvpn openbsd, and sip servers would be capable machines, but im not sure yet what a good endpoint device is to use as they all seem to suck
12:33 < pekster> Keep in mind it will pound CPU (very bad for embedded) every renegotiation
12:33 < pekster> I have had great luck with openwrt so long as your bandwidth isn't high
12:34 -!- ted20_ [~ted20@cpc6-pool12-2-0-cust43.15-1.cable.virginm.net] has joined #openvpn
12:34 < pekster> $100 (or less, if you shop around) gets you 5x GigE ports, wifi (if you want it,) and a ~700 MHz CPU, often MIPS, but there's some ARM stuff coming onto the market too
12:34 < obesd> well ideally a sip phone device would be an openbsd machine, though that kind of makes them not that portable (compared to a mobile phone)
12:35 < pekster> Sure, find some tiny cube-style PC too if you'd prefer. If you want data-crypto-performance, verify both your server & client support AES-NI, then use AES as your --cipher
12:35 < ted20_> How to use dns servers from received control message?
12:35 < pekster> ted20_, read:
12:35 < pekster> !pushdns
12:35 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
12:35 < obesd> pekster: yeah maybe those eeepcs that arent sold anymore could make a good endpoint openbsd+openvpn+sip-phone device, with a wired headset for mic and speakers
12:36 < ted20_> pekster: Thx
12:37 < obesd> pekster: yeah i guess i would want that performance if there start to be issues with acceptable phonecall performance
12:37 < obesd> SVoSIP would entail a fair bit of overhead per call
12:37 < pekster> Nah, I mean > 10Mbps or whatever the MIPS stuff does in-CPU
12:37 < obesd> ahh right
12:37 < pekster> Maybe a few-hundred kbps for high-quality, not many Mbps
12:38 < obesd> i was going to use fairly capable x86 cpus
12:38 < pekster> Blowfish on 700 MHz MIPS could do that
12:38 < obesd> i dont think openbsd has very good mips support though, the OS i'd rather use
12:39 < obesd> Cavium Octeon-based MIPS64 systems | and SGI MIPS they seemt o support
12:40 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
12:40 -!- ted20_ is now known as ted20
12:40 < pekster> I've had good luck with 2 recent deployments using Netgear WNDR3800, though neigher is bandwidth intensive for VPN tasks
12:41 < pekster> No AES-NI on either though, so the CPU is limiting. Next time I'm on-site at either location I should benchmark what the local VPN thoughput is
12:48 < ted20> pekster: You mean this script? http://mcs.une.edu.au/doc/openvpn-2.3.2/contrib/pull-resolv-conf/client.up
12:49 < pekster> Yup, or one you write that integrates into your environment
12:49 < pekster> That script tries to play nice with distros using resolvconf or a manual resolv.conf file. Your needs may vary
12:50 < obesd> hmm it would be good to limit openvpn between two machines with static ips, though im not sure what the best way would be for a machine with a dynamic ip (of course, i assume it means setting up dynamic dns)
12:51 < edge226> I heard you can do that with bind+dns but I have not tested it yet.
12:52 < obesd> yeah i will probably just leave that out for now
12:52 < obesd> oh wait, i think my SVoSIP implementation might need to support that though lol
12:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kyomfbtbmqlohryo] has joined #openvpn
12:53 -!- ted20 [~ted20@cpc6-pool12-2-0-cust43.15-1.cable.virginm.net] has quit [Quit: leaving]
12:58 -!- cambazz [~can@81.213.72.49] has joined #openvpn
12:58 < cambazz> hello, i am running an openvpn as server, and i only would like the necessary ports to be open to world. so i made this iptables script: http://pastebin.ca/2689188 - but unfortunately it will connect (client to server openvpn) but openvpn client wont be able to connect to world
12:58 < cambazz> any ideas what i have done wrong
12:59 < obesd> hmm why is this called hardening: https://community.openvpn.net/openvpn/wiki/Hardening i thought it was called configuring :D
12:59 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
12:59 < obesd> i watched some asterisk security presentations, truly appalling
13:01 -!- ted20_ [~ted20@cpc6-pool12-2-0-cust43.15-1.cable.virginm.net] has joined #openvpn
13:03 < ted20_> I don't understand that, i run openvpn from root with switches --config my-config.blah.bla --up client.up --script-security 2. It doesn't work...
13:03 < ted20_> I've got only dns servers from dhcp
13:04 < pekster> What exactly are you trying to do here?
13:04 < ted20_> I need use dns from vpn push message
13:05 < ted20_> In freebsd haven't pull-resolv-conf script
13:07 < pekster> Right, so all that openvpn does with that on non-Windows systems is expose DNS options as environmental variables
13:07 < pekster> The stock 'contrib' script might work for you, but it depends on your environment
13:09 < ted20_> FreeBSD use by defalt resolvconf...
13:09 -!- joshh20-Away is now known as joshh20
13:10 < pekster> That's not what the handbook says at 12.8.2.1
13:11 < pekster> resolvconf ≠ resolv.conf
13:11 < ted20_> I know that
13:13 < ted20_> Ok, so what's need?
13:14 < pekster> The contrib script tries to use resolvconf if it exists, and if not edits your resolv.conf file itself. Debug which one of those it's attempting and why it's not working?
13:14 < obesd> sip also seems like a goddamn awful terrible protocol
13:15 -!- cambazz [~can@81.213.72.49] has quit [Quit: leaving]
13:16 < pekster> Note that if resolvconf exists but is _not_ actively used to generate your resolv.conf file, that script won't work. Edit to taste
13:19 < ted20_> So, I must always manually edit this file? This is very uncomfortable
13:22 -!- ted20_ is now known as ted20
13:22 < pekster> "you" don't have to manually edit the file. You should really script it
13:23 < pekster> The env-var the client gets is explained fairly clearly in the manpage under the --dhcp-option parameter
13:24 < pekster> If you want to use resolvconf, reference resolvconf(8) to learn how it works. If not, maybe try modifying the contrib script to edit your resolv.conf file directly? Or write a script yourself to do this?
13:28 < ted20> brb
13:29 -!- ted20 [~ted20@cpc6-pool12-2-0-cust43.15-1.cable.virginm.net] has quit [Quit: leaving]
13:36 -!- ted20_ [~ted20@cpc6-pool12-2-0-cust43.15-1.cable.virginm.net] has joined #openvpn
13:38 < ted20_> Zero changes, after running script...
13:38 < ted20_> Were is fucking problem?
13:39 < ted20_> I can't remove resolvconf...
13:42 < ted20_> Fuck, I waste my free time...
13:42 < ted20_> Fuck, I wasted my free time...
13:47 < lazarus477> ted20_: Fuck, typo! lol
13:48 < lazarus477> pekster: I just got back at my VPN ICMP issue (was taking a break). Whenever I apply settings in OpenWRT, I notice an ICMP echo request getting through! I am sure you are right about it being a firewall issue.
13:48 < ted20_> Exactly
13:49 < lazarus477> Where the heck do I enable firewall logging in the GUI?
13:49 < ted20_> In the GUI? Seriously?
13:50 < lazarus477> I want to enable logging, as for reading it, I use logread -f over SSH...
13:55 < lazarus477> pekster: Problem solved. Had a totally nonsense rule on the routers firewall... Back when I added that rule I was way busy documenting the way Backfire handled VLANs. Also my IPTables skills are lacking...
13:56 < lazarus477> pekster: Now ICMP traffic is flowing once again.
13:56 -!- stickpin [~bam@cpe-70-123-127-206.tx.res.rr.com] has joined #openvpn
14:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
14:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:02 -!- mode/#openvpn [+v s7r] by ChanServ
14:09 -!- Aliekezhi [~Aliekezhi@9.142.122.78.rev.sfr.net] has quit [Remote host closed the connection]
14:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:32 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-cpzxgtxtlsxkdnyy] has joined #openvpn
14:44 -!- dupondje [~dupondje@artemis.dupie.be] has quit [Remote host closed the connection]
14:45 -!- ted20_ [~ted20@cpc6-pool12-2-0-cust43.15-1.cable.virginm.net] has quit [Quit: leaving]
14:49 -!- ajon [~ajon@2a02:8109:a080:11a4:997f:fad4:8421:940f] has quit [Quit: Leaving]
15:17 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 240 seconds]
15:19 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
15:33 -!- converge [~converge@189.7.3.101] has joined #openvpn
15:33 -!- converge [~converge@189.7.3.101] has quit [Changing host]
15:33 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
15:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:06 -!- obesd [~obsed@ppp121-45-200-183.lns20.cbr1.internode.on.net] has quit [Quit: obesd]
16:11 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:30 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 268 seconds]
16:31 -!- benedikt [~benedikt@unaffiliated/benedikt] has joined #openvpn
16:32 < benedikt> on one of my openvpn servers, the openvpn-status.log file will be empty most of the time (showing the header and footer but not the actual users). then for a few seoncs the users are written to it, before it is again overwritten with only header and footer
16:36 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:37 -!- Devastatr [~devas@177.18.198.36] has joined #openvpn
16:38 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 268 seconds]
16:57 < pekster> benedikt: Sounds to me like you have 2 instances both referencing the same file
16:57 < pekster> That, or your users connect for a moment, then disconnect and the server writes the now-empty userlist to the file
17:01 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:08 < benedikt> pekster: dammit, i do.
17:09 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
17:09 < benedikt> thanks
17:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-mnywddfchciqkkun] has joined #openvpn
17:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kyomfbtbmqlohryo] has quit [Quit: Connection closed for inactivity]
17:36 -!- Hazza [~Harrison@107.170.75.145] has joined #openvpn
17:38 -!- lazarus477 [~lazarus@78-72-29-198-no191.tbcn.telia.com] has quit [Quit: leaving]
18:05 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
18:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-hyfsxlcwbdapgfja] has quit [Quit: Connection closed for inactivity]
18:24 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-cpzxgtxtlsxkdnyy] has quit [Quit: Connection closed for inactivity]
18:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
18:30 -!- bimbo1 [~emerino@187.240.120.251] has joined #openvpn
18:34 -!- joshh20 is now known as joshh20-Away
18:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:30 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
19:33 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
19:47 -!- Hazza [~Harrison@107.170.75.145] has quit [Ping timeout: 264 seconds]
19:49 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
19:50 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
19:56 -!- u0m3 [~u0m3@109.96.136.13] has quit [Ping timeout: 264 seconds]
20:05 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:06 -!- Denial- [Denial@94.10.1.42] has joined #openvpn
20:06 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
20:06 -!- miruoy_ [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
20:08 -!- u0m3 [~u0m3@109.96.136.13] has joined #openvpn
20:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-mnywddfchciqkkun] has quit [Disconnected by services]
20:08 -!- a [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
20:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-qkfloldcvgttcfhm] has joined #openvpn
20:08 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Disconnected by services]
20:08 -!- Hes_ [axZtxWS@tunkki.fi] has joined #openvpn
20:09 -!- a is now known as Guest81702
20:09 -!- pjschmit1 [~parker@209.141.56.12] has joined #openvpn
20:09 -!- roma [~roma@tweezer.apistune.com] has joined #openvpn
20:09 -!- hive-mind [pranq@unaffiliated/contempt] has joined #openvpn
20:11 -!- megaTherion_ [~therion@unix.io] has joined #openvpn
20:12 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:12 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has joined #openvpn
20:12 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:13 -!- davidmp_ [~davidmp@149.255.100.107] has joined #openvpn
20:13 -!- Netsplit *.net <-> *.split quits: pjschmitt, catsup, davidmp, Aralucc10, michaelhart, exa, Fruckiwacki, klein_, ferai, jgeboski,  (+9 more, use /NETSPLIT to show all of them)
20:13 -!- davidmp_ is now known as davidmp
20:13 -!- Denial- is now known as Denial
20:13 -!- michaelhart_ is now known as michaelhart
20:13 -!- mgorbach_ is now known as mgorbach
20:13 -!- Netsplit over, joins: Aralucc10
20:13 -!- jgeboski- is now known as jgeboski
20:16 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
20:19 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
20:19 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
20:20 -!- mspah_ [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
20:42 -!- Denial [Denial@94.10.1.42] has quit [Ping timeout: 264 seconds]
20:42 -!- Denial [Denial@2.220.193.155] has joined #openvpn
21:11 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
21:27 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
21:41 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
21:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 265 seconds]
21:50 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
21:50 -!- klein_ [~klein@unaffiliated/klein] has quit [Ping timeout: 246 seconds]
21:55 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
21:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
22:04 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
22:08 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
22:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
22:11 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
22:17 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
22:30 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn ["Leaving"]
22:36 -!- tpw_rules [~tpw_rules@li242-215.members.linode.com] has joined #openvpn
22:37 < tpw_rules> if i have client-to-client enabled, then can two clients talk to each other with no packets being sent to the server>
22:38 < tpw_rules> or does that only mean they are allowed to communicate through the server?
22:38 < pekster> It still goes through the server; all that means is that openvpn "routes them itself" instead of sending the packets to the server's kernel for routing
22:38 < pekster> IOW, it bypasses your OS firewall
22:38 < tpw_rules> okay, thanks
22:39 < tpw_rules> have a good day
22:39 -!- tpw_rules [~tpw_rules@li242-215.members.linode.com] has left #openvpn ["Evil will always triumph, because good is dumb."]
23:13 -!- Devastatr [~devas@177.18.198.36] has quit [Changing host]
23:13 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
23:13 -!- Devastatr is now known as Devastator
23:41 -!- lj [~l@74.120.200.95] has joined #openvpn
23:42 -!- mspah_ [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has quit [Ping timeout: 252 seconds]
23:43 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
--- Day changed Mon Mar 31 2014
00:10 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
00:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
00:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:30 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rumccrwpnotxazum] has joined #openvpn
00:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:58 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
00:59 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
01:07 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
01:10 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
01:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:45 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
01:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:49 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
01:50 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:50 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:50 -!- mattock_afk is now known as mattock
01:54 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 268 seconds]
01:54 -!- bimbo1 [~emerino@187.240.120.251] has quit [Ping timeout: 265 seconds]
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
02:07 -!- bimbo [~emerino@mail.nuevebit.com] has joined #openvpn
02:08 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
02:44 -!- obesd [~obsed@ppp121-45-200-183.lns20.cbr1.internode.on.net] has joined #openvpn
02:46 -!- bimbo [~emerino@mail.nuevebit.com] has quit [Ping timeout: 245 seconds]
02:54 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:59 -!- obesd [~obsed@ppp121-45-200-183.lns20.cbr1.internode.on.net] has quit [Quit: obesd]
03:19 -!- dazo_afk is now known as dazo
03:36 -!- sunwind` [~paradox@genkt-058-129.t-mobile.co.uk] has joined #openvpn
03:52 -!- mirco_ [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
03:52 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Read error: Connection reset by peer]
03:52 -!- mirco_ is now known as mirco
03:54 -!- B1nny_ [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
03:55 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds]
04:04 -!- B1nny_ is now known as B1nny
04:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
04:06 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
04:09 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
04:09 -!- bosnjak [~bosnjak@wr-zip.cpe.iskon.hr] has joined #openvpn
04:09 < bosnjak> hi all
04:10 < bosnjak> I am having problems connecting to VPN server, I keep getting this repeatedly: http://pastebin.com/BU6aiBVn
04:11 < bosnjak> I have created a certificate file via easy-rsa 2, and am using it to connect to the server, so i guess the warning is not the problem here. I keep getting connection reset. This was working fine until recently, i haven't changed anything other than generate some more keys for clients.
04:11 < bosnjak> what other logs can i provide from the server side? how to debug what is happening?
04:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-rumccrwpnotxazum] has quit [Quit: Connection closed for inactivity]
04:14 -!- sunwind` [~paradox@genkt-058-129.t-mobile.co.uk] has quit [Ping timeout: 255 seconds]
04:15 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:20 -!- sunwind` [~paradox@genkt-058-129.t-mobile.co.uk] has joined #openvpn
04:45 < bosnjak> i am now getting this error: Fatal TLS error (check_tls_errors_co), restarting
04:58 -!- sunwind` [~paradox@genkt-058-129.t-mobile.co.uk] has quit [Quit: sunwind`]
05:03 < ChrisH> bosnjak: Port 443 looks unusual to me, are you sure about that?
05:04 < bosnjak> ChrisH: i haven't changed much for some time, and it worked before... I will check the port, second
05:04 < bosnjak> ChrisH: in the meantime, now i am getting this error also: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
05:05 < bosnjak> VERIFY ERROR: depth=1, error=certificate is not yet valid
05:05 < bosnjak> but this seems to be a different issue
05:06 < ChrisH> bosnjak: from my understanding that might also releated to the wrong potentially wrong port
05:07 < bosnjak> ChrisH: how can i check what port openvpn server is listening on?
05:08 < bosnjak> ChrisH: the server.conf file contains this line: port 40443
05:08 < bosnjak> ChrisH: does that mean it is 100% the port used is 40443? Or can i get openvpn current status somehow
05:16 < ChrisH> bosnjak: man lsof
05:16 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-drcjzvuamqxrbcdr] has joined #openvpn
05:16 <@krzee> !time
05:16 <@vpnHelper> "time" is if you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
05:17 <@krzee> bosnjak, ^
05:17 < bosnjak> krzee: wow! the time saving was changed yesterday!! The time jumped for 1 hour. Could this be the cause? Maybe timezone is not set properly?
05:18 <@krzee> something like that
05:18 < bosnjak> checking..
05:18 <@krzee> its definitely time on 1 of those 3 machines
05:19 < bosnjak> krzee: ok, the time between server and client is offset by 2h
05:19 < bosnjak> krzee: it was offset by 1h before, and it worked...
05:19 <@krzee> if you mean they are in different timezones, that does not matter
05:19 < bosnjak> krzee: well, what then?
05:19 <@krzee> timezone is simply offset from GMT
05:19 <@krzee> one of those 3 clocks is wrong.
05:20 <@krzee> possibly dates
05:20 <@krzee> use ntp.
05:20 < bosnjak> krzee: to my knowledge, i am using ntp...
05:20 <@krzee> what os on all 3 machines?
05:20 < bosnjak> krzee: which "3" clocks?
05:20 <@krzee> "then make sure you update the clocks of your client,server,ca via ntp"
05:20 < bosnjak> krzee: server and client, no third node?
05:21 <@krzee> the CA machine
05:21 <@krzee> the machine issuing certs
05:21 < bosnjak> krzee: hm
05:21 < bosnjak> krzee: could it be that my server is that?
05:21 <@krzee> it could be
05:21 <@krzee> did you make your certs on your server?
05:21 < bosnjak> krzee: yes
05:22 < bosnjak> openvpn probably starts on client before ntp kicks in. that would explain first failure, but later it just fails constantly...
05:22 <@krzee> ok so
05:22 <@krzee> what os on all 2 machines?
05:22 < bosnjak> krzee: where can i find the openvpn logs on my server? using ubuntu..
05:22 < bosnjak> krzee: client is Arch, server is Ubuntu
05:23 <@krzee> date -u
05:23 <@krzee> on both
05:24 < bosnjak> krzee: hmm, they are offset by few minutes
05:24 <@krzee> !certinfo
05:24 <@vpnHelper> "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
05:25 <@krzee> do that making <file> all 3 .crt files
05:25 < bosnjak> krzee: again, all three? or two?
05:25 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 245 seconds]
05:25 <@krzee> ca.crt too
05:26 <@krzee> server and client .crt's
05:26 < bosnjak> ok, what do i do with the output, match it to see if its the same?
05:26 <@krzee> 1sec
05:27 <@krzee> after that command put:    grep Not
05:27 <@krzee> err
05:27 <@krzee> |grep Not
05:28 <@krzee> then compare the dates with:     date -u
05:28 -!- maxiepax [~max@locke.misse.org] has joined #openvpn
05:28 <@krzee> you may find that you just need to wait a few minutes or an hour, or that you need to rebuild your certs (or maybe your entire PKI)
05:28 <@krzee> you may post all that stuff to pastebin if you want me to tell you
05:30 < bosnjak> krzee: all files have: not before 2011 and not after 2030. My date -u returns 2014 everywhere.
05:30 <@krzee> !logfile
05:30 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
05:30 <@krzee> restart openvpn on both sides
05:30 <@krzee> grab nice fresh new logs
05:31 < bosnjak> krzee: i tried to look for logs but there is nothing
05:31 <@krzee> !logfile
05:31 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile or (#2) verb 3 is good for everyday usage, verb 5 for debugging or (#3) see --daemon --log and --verb in the manual (!man) for more info or (#4) without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient
05:31 < bosnjak> second
05:33 -!- maxiepax [~max@locke.misse.org] has quit [Ping timeout: 255 seconds]
05:35 < bosnjak> krzee: i don't get it. openvpn is started with --daemon, but there is nothing in syslog
05:36 <@krzee> see the rest of the factoid
05:36 <@krzee> make your own log file
05:36 -!- maxiepax [max@locke.misse.org] has joined #openvpn
05:37 <@krzee> !forget log *
05:37 <@vpnHelper> Joo got it.
05:37 <@krzee> !factoids
05:37 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
05:38 <@krzee> damn, oops
05:38 <@krzee> !forget logfile *
05:38 <@vpnHelper> Joo got it.
05:38 < bosnjak> krzee: there are currently machines connected to my openvpn. If i restart it i will remove them from the network?
05:39 <@krzee> !learn logfile as If you want logging you can easily just specify your own logfile with: log /path/to/logfile
05:39 <@vpnHelper> Joo got it.
05:40 <@krzee> !learn logfile as openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout.
05:40 <@vpnHelper> Joo got it.
05:40 < svg> looking into client connect scripts, how could I have a client get an ip assigned from a particular subnet?
05:40 <@krzee> !learn logfile as verb 3 is good for everyday usage, verb 5 for debugging.  see --daemon --log and --verb in the manual (!man) for more info
05:40 <@vpnHelper> Joo got it.
05:41 <@krzee> !client-connect
05:41 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
05:42 <@krzee> !static
05:42 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
05:42 <@vpnHelper> also: !addressing
05:43 < svg> well, thanks, but ccd afaics is about pushing 1 particular ip address?
05:43 <@krzee> so your script could: echo "ifconfig-push 10.8.0.5 255.255.255.0"  > "$1"
05:43 <@krzee> yes, and client-connect is run once per connection
05:43 < svg> krzee: then I have to reserve an ip address for each possible client
05:44 <@krzee> your script needs to handle the logic of who is who and deal with it how you would like
05:44 < bosnjak> krzee: is there a way to get the log without kicking all the clients out of vpn?
05:44 <@krzee> bosnjak, are you already using the management interface?
05:44 < svg> given that clients come from ldap, I still would need to reserver more ip addresses than I might have available in the subnet reserverd for clients
05:44 < bosnjak> krzee: i don't know, how do i check?
05:45 <@krzee> bosnjak, does your config or openvpn commandline (as seen in ps) contain the word management?
05:45 < svg> the use case is about having profiles, and give certain clients an ip out of a certain pool, others from other pools
05:46 < svg> then I have to setup firewall rules for those subnets only (fw managed outside of openvpn)
05:46 < bosnjak> krzee: this is the line as it appears in ps: /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --status /var/run/openvpn.server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf
05:46 <@krzee> svg, is the subnetting only for the sake of firewalling?
05:47 < svg> yes, that was the idea
05:47 <@krzee> you could skip the middle-man and simply make firewall rules in your --learn-address script
05:47 <@krzee> !script
05:47 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
05:48 <@krzee> that would stop a client from simply using ifconfig to change his IP to a subnet that you allowed stuff on
05:48 < svg> b/c that firewall (not the openvpn server) is another box, and I can't sccript that one
05:49 <@krzee> so what happens when a user does what i just said?
05:49 <@krzee> changes subnets using ifconfig after he connects
05:49 < svg> yes I got your point
05:50 < svg> I wasn't aware a client could just do that
05:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
05:50 < svg> I'd expect the server woul need to change it's endpoint ip's too
05:51 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:51 -!- mode/#openvpn [+v s7r] by ChanServ
05:51 < svg> but ok, then I need to just allow the maximum on that external firewall, and linit thing on openvpn
05:51 <@krzee> oh is the server running in net30 mode?
05:52 <@krzee> !topology
05:52 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
05:57 < svg> no server yet, still in design mode :)
05:58 < svg> bit afaics I see no reason why I'd need /30
06:03 <@krzee> ya, its default
06:04 <@krzee> but i agree, topology subnet makes more sense, it just came way later and nobody wants to break compatability with older versions
06:11 < svg> too bad I cant do 'take ip from subnet x' for a certain client
06:12 < svg> maybe I should look into source based routing
06:23 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
06:30 < svg> is there still an issue on windows clients that need net30 due to some win tun device limitation?
06:31 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
06:32 <@krzee> nah
06:32 <@krzee> not so long as the clients openvpn is not 2.0
06:33 <@krzee> they worked around that when they figured out topology subnet
06:38 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
06:42 < bosnjak> i can't seem to restart or stop the openvpn daemon: "service openvpn stop" -> "Stopping virtual private network daemon:."
06:42 < bosnjak> nothing happens
06:44 <@krzee> how about when you start it manually?
06:44 <@krzee> is it an openvpn issue, or an issue with your OS startup script not being configured?
06:45 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
06:48 < bosnjak> krzee: the openvpn is currently started, so i guess its not OS startup script.
06:49 < bosnjak> i can start it manually, but i would need to kill it then first
06:49 < bosnjak> and if i kill it, the ports will remain used untill they timeout, right?
06:50 <@krzee> you dont want it running twice
06:50 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 240 seconds]
06:50 <@krzee> if you kill it can the OS startup script start it?
06:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 265 seconds]
06:50 < bosnjak> krzee: the os startup scripts executes when the os boots. I don't want to restart the whole server
06:51 <@krzee> you can call it manually
06:51 <@krzee> by killing process manually and then:  service openvpn start
06:51 <@krzee> if that works, then service openvpn stop   should also work
06:51 -!- maxiepax [~max@locke.misse.org] has joined #openvpn
06:52 < svg> krzee: I assume you mean client should be >2.0?
06:52 <@krzee> yes
06:52 < svg> k, thx
06:52 < bosnjak> krzee: and if it doesn't? then im stuck with no openvpn running
06:52 <@krzee> bosnjak, then you start it with the same command that it was running with before you killed it
06:52 < bosnjak> krzee: i see
06:53 <@krzee> svg, really that should be no problem as 2.0 is massively old now
06:53 < bosnjak> krzee: can i add the log option to /etc/default/openvpn as OPTARGS="-log /var/log/openvpn.log"?
06:53 <@krzee> bosnjak, no idea thats OS specific i would just put it in the config
06:54 <@krzee> not even OS specific but distro specific
06:54 < bosnjak> i see
06:55 < bosnjak> i don't seem to be able to kill it via 'killall openvpn'
06:55 <@krzee> are you root? cant you just kill the pid?
06:55 < svg> krzee: thanks, been a while last time I needed to setup openvpn :)
06:56 <@krzee> np =]
06:56 < bosnjak> krzee: ok, -9 did the trick
06:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
06:58 < bosnjak> krzee: ok, managed to start it again
06:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:00 -!- mode/#openvpn [+v s7r] by ChanServ
07:12 -!- mikemol [~mikemol@2001:470:c5b9:beef:d4a3:3249:79ab:3ae1] has quit [Remote host closed the connection]
07:14 < bosnjak> krzee: for a weird reson, after restart the client can connect and no problem is visible.
07:14 < bosnjak> i am stunned by this
07:14 < bosnjak> and worried since i don't know the reason, it might happen again anytime
07:15 <@krzee> im guessing the clock was wrong when openvpn was started
07:20 < bosnjak> krzee: it wouldn't get updated later?
07:21 <@krzee> it seems to have
07:21 <@krzee> ive never started openvpn before ntp, so im not sure what would happen, and if persist options work against you or not
07:21 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
07:21 < bosnjak> well, i won't be able to know more until reproduced
07:21 <@krzee> or really anything, since i never saw logs or antything
07:22 < bosnjak> i know, and thank you for the help
07:22 < bosnjak> i know its not easy to do remote help with no info or access
07:22 < bosnjak> but you helpe
07:22 < bosnjak> helped*
07:22 < bosnjak> thx
07:22 <@krzee> np
07:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:32 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:51 < esde> !configs
07:51 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:52 -!- klein_ [~klein@unaffiliated/klein] has joined #openvpn
07:57 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
08:00 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:11 < svg> krzee: thinking about your remark where a client can change it's ip address on the tun: how would the cse where a client gets assigned some ip address from openvpn and firewalled through the learn address script, be different from the case of assigning an ip address from a particular subnet that is by default firewalled?
08:12 <@krzee> learn-address script fires off every time the server learns about a clients address
08:13 <@krzee> you may wish to verify if the client can change addresses, im not 100% that still works
08:13 <@krzee> it was tested by someone long ago and again more recently, i dont remember the more recent test
08:14 < svg> slet's assume for now that still works; the lean-address script would apply basically the same firewall policy I'd already have on subnet level
08:15 < svg> what I mean is: in what you proposed, I'd expect a client could still change it's ip to one that got assigned to another user, with a different firewall rule (he'd need to know that ip address, and know it's a live one, but that would be easily scripted)
08:15 <@krzee> it would apply firewall rules based on whatever you say, i would think a list/array of clients would do the trick
08:15 <@krzee> so then whenever that client gets an IP, firewall rules are applied to that IP
08:16 <@krzee> then you dont need to worry about static addressing, because your firewall rules apply directly to each client
08:16 < svg> yes, but if a client can change its ip, it could still change it to another ip that has other fw rules applied to
08:16 <@krzee> no, the learn-address script would fire off again
08:16 <@krzee> thats why learn-address and not client-connect
08:17 < svg> oh, so learn address fires of when noticing another client ip in a particular tunnel?
08:17 <@krzee> !script
08:17 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
08:17 <@krzee>  Executed in --mode server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table.
08:17 < svg> (as here the client would change its ip manually, not by assigment by the server)
08:18 <@krzee> give it a test
08:18 <@krzee> that'll be the only thing that matters
08:18 < svg> ok, thanks for the calrification
08:18 <@krzee> np, and it all hinges on if i was even right about being able to change ips
08:18 <@krzee> otherwise i appologize for the time waste ;]
08:19 < svg> i found a forum article where someone comfirms it, ut it;s from oct 2012
08:19 < svg> but it's
08:19 < svg> no worries, helps me to dive deep enough into openvpn
08:38 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
08:50 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
08:53 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
09:01 < svg> krzee: tried it, can't seem to make the tunnel work with another ip; reinstating the original ip makes it then work again
09:02 < svg> now I'd still like to to subnet based ip assignment, given that i don;t want to replicate a large firewall rules set on the openvpn box :(
09:04 <@krzee> cool
09:05 <@krzee> so you can have 1 pool by openvpn, gotta manage the rest
09:05 < svg> basically I'd need a script that assigns an ip from a particular subnet based on ldap membership
09:06 < svg> I guess that should be doable, just need to keep track of assigned ip addresses
09:06 <@krzee> client-connect also has client-disconnect
09:06 <@krzee> for your ip state keeping enjoyment
09:07 < svg> yes I know
09:08 < svg> some variation of https://github.com/kanaka/OpenVPN-LDAP-Integration/blob/master/client-connect.py
09:08 <@vpnHelper> Title: OpenVPN-LDAP-Integration/client-connect.py at master · kanaka/OpenVPN-LDAP-Integration · GitHub (at github.com)
09:09 <@krzee> and can be any language you enjoy
09:10 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:16 < edge226> https://forums.openvpn.net/topic15453.html anyone have any idea's in regards to this?
09:16 <@vpnHelper> Title: OpenVPN Support Forum tap openvpn TLS handshake failed. : Configuration (at forums.openvpn.net)
09:17 <@krzee> !timeout
09:17 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
09:18 < edge226> krzee: I would guess it is a client issue. Is there a potential resolution?
09:18 < edge226> krzee: and why does it work with no certs but the second I add the certs it plops?
09:18 <@krzee> wait am i reading that it works when you use statickey?
09:19 < edge226> krzee: it works if I do it manually yes, I 'can' connect to the server with the commands at the end of the post.
09:19 <@krzee> i wonder if your college blocks the openvpn protocol using deap packet inspection
09:19 <@dazo> if server and client config doesn't "match" (like one side using certs, the other one not) ... then timeouts may also happen
09:19 <@dazo> but DPI is plausible too
09:19 < edge226> dazo: as stated it worked on my home network.
09:19 <@krzee> oh that would timeout?
09:20 <@krzee> ohhh sure it would, if 1 side was statickey and other side certs
09:20  * dazo hasn't read the forum post ... just reading "between the lines" here on irc
09:21 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
09:21 < edge226> dazo: okay to fill you in, the configs have been tested @ home. I took mr chromebook to college and bam, it busted. I proceeded to troubleshoot and using no certs and only ta.key I can connect with --secret on the CLI. Not with server/client.conf files though.
09:21 <@krzee> edge226, when openvpn uses certs it has a connection fingerprint that can be detected and blocked by a DPI filter
09:21 <@krzee> when statickey mode is used, it cannot be
09:21 <@krzee> !obfs
09:21 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
09:21 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
09:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:21 < dan_j> Hi, I'm trying to set up openvpn on a router with dd-wrt. Are there any guides available? There are no openvpn options on the dd-wrt panel.
09:22 <@dazo> !ddwrt
09:22 <@krzee> im not 100% thats what is going on, but its possible
09:22 < dan_j> dazo: i didnt get anything from that.
09:22 <@krzee> if theres no openvpn options in the web config you probably dont have a firmware with openvpn in it
09:22 <@krzee> !openwrt
09:22 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
09:22 <@krzee> also we dont support the web configs for those things anyways
09:22 <@dazo> dan_j: dd-wrt and openvpn doesn't really match well ... as dd-wrt doesn't care about security
09:23 <@dazo> !dd-wrt
09:23 <@krzee> !dd-wrt
09:23 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
09:23 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
09:23 <@krzee> hehe
09:23 < dan_j> I'm purely interested in the routing benefits... IE getting around nat issues.
09:23 <@krzee> is openwrt not an option on your router?
09:23 < dan_j> Let me check. 1sec.
09:23 <@krzee> what router are you using?
09:24 < dan_j> Not yet. For this test, I just bought a Netgear WNR2200
09:25 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:25 <@krzee> 4MB flash
09:25 <@krzee> thats why your rom doesnt have openvpn
09:26 <@krzee> if you build your own openwrt firmware then you can remove other stuff to add openvpn, personally i remove the web interface
09:26 <@krzee> or you can get a different router
09:26 <@dazo> or grab a raspberry-pi :-P
09:27 < dan_j> krzee: wnr2200 has 8MB
09:27 <@krzee> up to you and which is easier for you
09:27 < edge226> krzee: so in essense I have to use tor?
09:27 <@dazo> dan_j: I can recommend tp-link wr1043nd
09:27 <@dazo> awesome hacking device
09:27 <@krzee> dazo, i have a couple routers i wouldnt replace with raspi
09:27 <@dazo> krzee: depends on the traffic amount, of course :)
09:28 <@krzee> true, it manages multiple links but it doesnt have high bandwidth on any
09:28 <@krzee> i actually just use TL-WR741ND
09:29 <@dazo> hah ... there'ya go :)  TP-Link again :)
09:29 <@krzee> yep, low end but once hacked up its a nice lil device
09:29 <@krzee> and so cheap i can just roll out my custom firmware and load it up on a few, then if one were to die (hasnt happened yet) i just plug in another and let everything continue as normal
09:29 < dan_j> annoyingly, I simply want to configure and test site to site openvpn before offering it to a client.
09:30 <@krzee> which is good since i just took almost 4 months of vacation lol
09:30 <@dazo> :)
09:31 < edge226> Hmmmm, what would be the downside to just using  --secret in my setup?
09:31 <@krzee> !forwardsecurity
09:31 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
09:32 <@dazo> dan_j: It kind of helps to do a more thorough research before buying stuff, than to do it afterwards ... esp. when money spending is involved
09:33 <@dazo> krzee: how much ram and flash does the 741 got?
09:33 < dan_j> agreed. i thought dd-wrt would do the job.
09:33 <@krzee> it can. i have also made my own dd-wrt firmwares and removed the web interface to add openvpn
09:33 <@krzee> having done both, i recommend openwrt
09:34 < edge226> krzee: ah I see. I am not too worried about the encryption and I am using it primarily to jump out of the colleges network to be able to get access to my VNC on my server and use Mosh instead of ssh lol.
09:35 < dan_j> No idea where to start to make my own firmware.
09:36 <@krzee> dan_j, then go with a router with more flash and you wont have to worry about that
09:36 < dan_j> Ok, so with WR1043ND, i should be able to install openwrt and setup openvpn?
09:36 <@krzee> edge226, then if you dont need multiple clients, it sounds like statickey is fine for you
09:36 < dan_j> without any issues.
09:36 <@dazo> dan_j: yes
09:37 < edge226> krzee: now I just need to figure out how to set that up. Would it just be taking all the stuff I type in the command and then sticking it in the config?
09:37 <@dazo> I'm using mine everyday ... even though I currently run my own compiled firmware ... but afair, it works with openvpn out of the box
09:37 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
09:38 <@dazo> (anyhow, compiling a new firmware is fairly straight forward .... pull down source tree, 'make menu' to configure the firmware, and then kick of the build.  Wait 2-3 hours, and you have it)
09:38 < dan_j> Ok. great.
09:38 < dan_j> Now i've got to find somewhere that sells it locally.
09:38 <@dazo> Amazon?
09:39 < dan_j> think so.
09:39 <@krzee> edge226,
09:39 <@krzee> !--
09:39 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
09:39 <@krzee> dazo, Atheros AR7240 CPU 350MHz, Atheros AR9285 Chipset, 4/32MB
09:40 <@krzee> very weak, but does my needs very well
09:40 <@dazo> krzee: ahh, so it's the small "little brother" of 1043nd :)
09:40 <@krzee> it replaced a freebsd computer
09:41 <@krzee> i setup the switch to have vlans and basically made it have a bunch of router ports instead of switch ports
09:41 <@dazo> :)
09:41 <@krzee> then multiple vpn uplinks, with failover for certain internal stuff
09:41  * dazo is looking fwd for openvswitch on router firmware :-P
09:42 <@krzee> running bird over openvpn to make that happen
09:43 <@krzee> also listening for openvpn connections on multiple interfaces, with --multihome to make that happen
09:43 <@dazo> nice!
09:45 <@krzee> (and some crazy policy routing / nat hackery)
09:46 <@krzee> it was very nice to get that only a little machine with no moving parts instead of a big bsd box
09:46 <@krzee> ild rather power up a new router pre-configured than deal with replacing another harddrive
09:46 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: Make it idiot proof and someone will make a better idiot.]
09:47 <@krzee> [10:37]  <dazo> I'm using mine everyday ... even though I currently run my own compiled firmware ... but afair, it works with openvpn out of the box
09:47 <@krzee> if its 8MB then im sure it has openvpn in the standard firmware
09:47 -!- Hes_ is now known as Hes
09:48 <@krzee> its just left out of those lil 4MB builds
09:48 <@dazo> krzee: ahh, okay ... I don't really recall, I just know I had to use cron2's build to get IPv6 in the early days
09:48  * dazo should upgrade his firmware again soonish
09:49 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
10:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:22 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
10:27 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
10:29 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
10:33 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Ping timeout: 252 seconds]
11:03 -!- master_of_master [~master_of@p4FF24E9E.dip0.t-ipconnect.de] has joined #openvpn
11:07 -!- master_o1_master [~master_of@p4FF24D63.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
11:11 < edge226> I was wondering what category topology subnet was on the network level. is it 2 or 3 with a tun? I am trying to use the tun over ssh with -w. Should this be asked in #openssh?
11:11 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fwgovofhtsdtbfjk] has joined #openvpn
11:12 <@plai> edge226: topology subnet has nothing to do with layer 2 or 3
11:12 <@plai> it works with both
11:12 < edge226> plai: so tap vs tun is layer 2 and 3 respectively?
11:12 <@plai> ssh -w is a replacement for OpenVPN in tcp/tun mode
11:12 <@plai> edge226: yes
11:13 < edge226> okay.
11:13 < edge226> so topology subnet has more to do with how the clients connect then.
11:13 < pekster> Yup, there's a handy wiki article on what --topology means for openvpn:
11:13 < pekster> !topology
11:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
11:14 < edge226> ah yes. topology seems to behave more as I would expect things to. I like how it works :)
11:15 < edge226> It might have been my wifi but it also kept disconnecting the vpn.
11:18 < pekster> Maybe review !keepalive
11:27 -!- Aliekezhi [~Aliekezhi@80.215.44.228] has joined #openvpn
11:36 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:37 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
11:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:38 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
11:50 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:50 < edge226> would removing the use of client side certs work just as well as a static key?
11:51 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
11:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:56 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:58 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
12:06 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
12:06 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
12:06 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
12:09 <@dazo> edge226: you must use either static keys on both sides, *or* cert/key/ca on both sides ... you cannot mix these
12:09 < edge226> dazo: okay thanks.
12:19 < edge226> dazo: if you do a seperate tap and tun on the same server can the be on the same subnet but have different ip ranges?
12:20 <@dazo> edge226: technically speaking, that's a contradiction ... each subnet needs a different IP range
12:20 <@dazo> edge226: but yes, each tun/tap device needs a separate subnet
12:21 <@dazo> (meaning, these subnets cannot overlap)
12:21 < edge226> gotcha.
12:24 <@dazo> you can imagine what would happen if you have 2 Ethernet interfaces in your computer, and you assign overlapping subnets on each of them ... then connect each of these interfaces to separate networks ... that's how tun/tap devices works, just instead of being physical interfaces, they're virtual interfaces made of pure software
12:33 -!- lj [~l@192.241.174.169] has joined #openvpn
12:36 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
12:39 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
12:39 -!- bimbo [~emerino@187.240.120.251] has joined #openvpn
12:41 -!- megaTherion_ is now known as megaTherion
12:42 -!- bimbo [~emerino@187.240.120.251] has left #openvpn []
12:45 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
12:45 < edge226> tun works as daemon on client side but tap does not? How strange.
12:46 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
12:47 -!- bosnjak [~bosnjak@wr-zip.cpe.iskon.hr] has quit [Remote host closed the connection]
12:47 <@krzee> sure it does
12:49 < edge226> krzee: where should I put daemon in the tun file. after the cert/keys?
12:49 < edge226> oops tap*
12:50 < edge226> I do not get a tap0 when I daemonize it.
12:50 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:50 <@krzee> see the log for why
12:52 < edge226> as it gives me one when I enable logging lol
12:54 < edge226> fixed :) awesomeness. I now have a public and a work config :)
13:10 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
13:11 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
13:12 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
13:13 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
13:16 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Client Quit]
13:17 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
13:18 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Read error: Connection reset by peer]
13:20 -!- KarlBauman [~SoWhat@81.198.10.40] has joined #openvpn
13:25 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 252 seconds]
13:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:45 -!- KarlBauman [~SoWhat@81.198.10.40] has quit [Quit: Leaving]
13:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-drcjzvuamqxrbcdr] has quit [Quit: Connection closed for inactivity]
14:11 -!- dazo is now known as dazo_afk
14:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wowhjkvbxhyrjuxg] has joined #openvpn
15:01 -!- joshh20-Away is now known as joshh20
15:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:03 -!- _bt_ [~bt@mongs.yotm.com] has quit [Quit: bye]
15:04 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:11 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:14 -!- klein_ is now known as klein
15:23 -!- mattock is now known as mattock_afk
15:32 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:41 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
15:41 -!- orutest|2 is now known as quadzki
15:44 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:53 -!- Aliekezhi [~Aliekezhi@80.215.44.228] has quit [Quit: Leaving]
16:04 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
16:05 -!- raidz [~raidz@raidz.im] has joined #openvpn
16:05 -!- raidz [~raidz@raidz.im] has quit [Changing host]
16:05 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
16:05 -!- mode/#openvpn [+o raidz] by ChanServ
16:06 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds]
16:07 -!- raidz is now known as raidz_away
16:08 -!- raidz_away is now known as raidz
16:15 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
16:17 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
16:17 -!- raidz_away is now known as raidz
16:17 -!- raidz [~raidz@raidz.im] has quit [Changing host]
16:17 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
16:17 -!- mode/#openvpn [+o raidz] by ChanServ
16:24 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Read error: Connection reset by peer]
16:24 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
16:26 -!- Neytiri [~The_Acid_@2001:470:860d:127:4eb:a91e:e09c:c811] has joined #openvpn
16:27 < Neytiri> i am trying to setup a point to point vpn link  between 2 boxes, my client is configured properly, but i cant get the server to start
16:30 < Neytiri> error log here
16:30 < Neytiri> http://pastebin.com/cftLUupb
16:30 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
16:39 < johanbr> Neytiri: looks like you specify a command to run (using --up or --down) and that command can't be found
16:41 < Neytiri> thabks
16:41 < Neytiri> i thougth i found all the bugs
16:41 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
16:41 < Neytiri> where is the  location of these files on debain            up /usr/local/sbin/ovpn-linkup  down /usr/local/sbin/ovpn-linkdown
16:42 < johanbr> not sure exactly what you mean... by default, debian doesn't place *any* files in /usr/local
16:44 < johanbr> so those pathnames suggest files that have been added by hand to your particular server
16:49 < Neytiri> well i adaped the script from a pfesne box
16:50 < Neytiri> :q
16:55 -!- tessier_ [~treed@kernel-panic/copilotco] has quit [Read error: Operation timed out]
16:55 -!- tessier_ [~treed@kernel-panic/copilotco] has joined #openvpn
16:56 < johanbr> Neytiri: if the path to those is correct, also check that the path to the shell interpreter in the scripts (#!/bin/sh or similar) is right
17:06 < Neytiri> i got it working, thanks
17:06 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
17:10 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:14 -!- lj [~l@192.241.174.169] has joined #openvpn
17:14 -!- joshh20 is now known as joshh20-Away
17:17 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
17:21 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 265 seconds]
17:21 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
17:23 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
17:29 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
17:31 -!- Cultist [~CultOfThe@67.186.111.33] has quit [Quit: Tension, apprehension, and dissension have begun.]
17:31 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:31 -!- noobboob [uid5587@gateway/web/irccloud.com/x-lutdabpnsnkqbwgo] has joined #openvpn
17:32 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
17:38 -!- lj [~l@192.241.174.169] has joined #openvpn
17:38 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
17:38 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
17:38 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:39 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
17:40 -!- joshh20-Away is now known as joshh20
17:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:45 -!- hfp` [~ryenda@MTRLPQ0736W-LP130-01-2925269982.dsl.bell.ca] has joined #openvpn
17:47 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
17:50 < hfp`> Hi, I have a server with two ethernet cards. One is connected to a LAN that has access to the internet, the other card is connected to a modem and dials a PPPoE session. I want the OpenVPN client to connect to a remote server over the PPPoE session and not over the LAN. Right now, OpenVPN connects to the server alright but I don't think it is using the PPPoE connection. How can I verify this and how can I make it use the P
17:50 < hfp`> PPoE rather than the LAN's internet?
17:51 < hfp`> Using Debian wheezy
17:53 -!- aji [~alex@atheme/member/aji] has quit [Quit: no]
17:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wowhjkvbxhyrjuxg] has quit [Quit: Connection closed for inactivity]
17:58 -!- aji [~alex@atheme/member/aji] has joined #openvpn
18:06 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
18:06 -!- hfp`_ [~ryenda@MTRLPQ0736W-LP130-01-2925269581.dsl.bell.ca] has joined #openvpn
18:07 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Operation timed out]
18:08 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 240 seconds]
18:09 -!- hfp` [~ryenda@MTRLPQ0736W-LP130-01-2925269982.dsl.bell.ca] has quit [Ping timeout: 246 seconds]
18:11 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
18:14 -!- hfp`_ is now known as hfp`
18:14 -!- s7r_w [~s7r@openvpn/user/s7r] has joined #openvpn
18:14 -!- mode/#openvpn [+v s7r_w] by ChanServ
18:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Disconnected by services]
18:15 -!- s7r_w is now known as s7r
18:16 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
18:35 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has joined #openvpn
18:36 < philipp__> hello, my raspberry pi gets terrible low bandwidth with openvpn. I alrady checked and CPU is not the issue. is there any way how to find out what bottleneck openvpn is standing on?
18:39 -!- quadzki [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
18:47 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
18:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:54 < philipp__> okey its exactly this issue: http://raspberrypi.stackexchange.com/questions/14065/raspberry-pi-openvpn-client-speed-bottleneck
18:54 <@vpnHelper> Title: raspbian - Raspberry Pi OpenVPN Client Speed Bottleneck - Raspberry Pi Stack Exchange (at raspberrypi.stackexchange.com)
18:58 < hfp`> I solved my first problem, it was an error in the PPPoE config.
19:00 < hfp`> Now, the connection to the OpenVPN server is made over ppp0 like I want it to but I can't get the internet traffic router over tun0. I have a notice when connecting to the VPN telling me `unable to redirect default gateway -- Cannot read current default gateway from system` and a few lines above, I have `default_gateway=UNDEF`.
19:01 < hfp`> How can I fix this so all internet traffic is sent over tun0 but LAN traffic is still sent over eth0?
19:05 -!- Denial- [Denial@94.3.118.240] has joined #openvpn
19:06 -!- Denial [Denial@2.220.193.155] has quit [Ping timeout: 246 seconds]
19:06 -!- Denial- is now known as Denial
19:07 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has quit [Remote host closed the connection]
19:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:09 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
19:12 -!- thumbs is now known as httpd
19:12 -!- httpd is now known as thumbs
19:21 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 240 seconds]
19:26 -!- dimitry7 [~antonello@38.124.174.31] has quit [Read error: Connection reset by peer]
19:39 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:49 -!- stickpin [~bam@cpe-70-123-127-206.tx.res.rr.com] has quit [Quit: leaving]
19:54 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
19:54 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
19:58 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Quit: Tension, apprehension, and dissension have begun.]
19:59 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
20:02 -!- noobboob [uid5587@gateway/web/irccloud.com/x-lutdabpnsnkqbwgo] has quit [Quit: Connection closed for inactivity]
20:04 -!- mikemol [~mikemol@2001:470:c5b9:beef:7c89:ab50:dc3c:dcfe] has joined #openvpn
20:05 -!- joshh20 is now known as joshh20-Away
20:09 -!- Denial- [Denial@90.214.35.75] has joined #openvpn
20:11 -!- Denial [Denial@94.3.118.240] has quit [Ping timeout: 252 seconds]
20:11 -!- Denial- is now known as Denial
20:12 -!- ron__ [~ron@ppp118-210-90-92.lns20.adl2.internode.on.net] has joined #openvpn
20:15 -!- ron_ [~ron@ppp118-210-251-174.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
20:22 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
20:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fwgovofhtsdtbfjk] has quit [Quit: Connection closed for inactivity]
20:58 -!- mikemol [~mikemol@2001:470:c5b9:beef:7c89:ab50:dc3c:dcfe] has quit [Remote host closed the connection]
21:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
21:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:06 -!- Neytiri [~The_Acid_@2001:470:860d:127:4eb:a91e:e09c:c811] has quit [Quit: Leaving]
21:07 -!- mastercode [~root@203.189.141.246] has joined #openvpn
21:08 < mastercode> is there a way to get the openvpn client/server to use multible connections ? for the same session ? i do not want to setup bonding.
21:08 < mastercode> its due to speed over multbile connection is always bether then a sigal connection.
21:11 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
21:11 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:10 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
22:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
22:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:14 -!- mode/#openvpn [+v s7r] by ChanServ
22:19 -!- lj [~l@192.241.174.169] has joined #openvpn
22:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
22:30 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
22:34 -!- tekzilla [~jon@g224082204.adsl.alicedsl.de] has joined #openvpn
22:34 < tekzilla> hi, can i tell the client which tun interface to use (tun0,tun1..) ?
22:34 -!- Eugene is now known as EugeneKay
22:37 <@EugeneKay> !man
22:37 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
22:37 <@EugeneKay> See --device
22:37 < tekzilla> yeah sorry i just realized it was as easy as saying "dev tun1" in the client config
22:38 < tekzilla> thanks :)
22:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
22:57 -!- tekzilla [~jon@g224082204.adsl.alicedsl.de] has quit [Ping timeout: 255 seconds]
23:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:23 -!- ron__ is now known as ron_
23:48 -!- klein [~klein@unaffiliated/klein] has quit [Read error: Operation timed out]
23:48 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
23:54 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has joined #openvpn
23:54 < SpiceMan> !goal
23:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:56 < SpiceMan> I've just configured a nice vpn without client-to-client.... which is nice. But I want a single client to be able to client-to-client to others.  ie: SERVER + clients A, B, C, and D.... A can see them all, but B C D can only see the server. pointers?
23:57 < SpiceMan> (or is my only option to set client-to-client and enforce that network-wise?)
23:57 <@krzee> just allow it in the server firewall
23:57 <@krzee> !c2c
23:57 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
23:57 <@vpnHelper> other clients
23:58 <@krzee> read that and understand what the client-to-client option really is
23:58 <@krzee> (a method of bypassing the need for proper firewall / forwarding config
23:58 <@krzee> )
23:58 < SpiceMan> I see.
--- Day changed Tue Apr 01 2014
00:00 < SpiceMan> I guess I'm bound for ##networking for routing and whatnot  (my network-fu sucks :P)
00:00 <@krzee> you trying to configure lans over the vpn?
00:02 < SpiceMan> kind of. a data-syncing server that connects to several servers. but the "several servers" must not see each other.
00:03 < SpiceMan> so it's a syncserver - singleserver LAN... ish?
00:03 <@EugeneKay> wat
00:03 < SpiceMan> yes, it's LAN. ignore that
00:04 <@krzee> you're definitely going to want a diagram hehe
00:04 <@krzee> !gliffy
00:04 <@krzee> !diagram
00:04 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
00:08 < SpiceMan> krzee: http://www.gliffy.com/go/publish/image/5558110/L.png
00:10 <@krzee> easy
00:10 <@krzee> !static
00:10 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
00:10 <@vpnHelper> also: !addressing
00:11 <@krzee> give them all static ips, do not use client-to-client, properly configure firewall on openvpn server, enable ip forwarding on openvpn server
00:12 < SpiceMan> !topology
00:12 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
00:13 < SpiceMan> I hate to need to read what every term is :p
00:13 < SpiceMan> I'll munch all that
00:16 <@krzee> well you could always pay instead
00:16 <@krzee> !as
00:16 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
00:17 <@krzee> access-server is a product by openvpn technologies that makes all that stuff much much easier
00:18 < SpiceMan> no, I'm ok with reading. I just... never got to like networking stuff much :) thanks
00:20 <@krzee> np
00:30 -!- Devastatr [~devas@177.18.197.115] has joined #openvpn
00:30 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 255 seconds]
00:37 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:42 -!- EugeneKay is now known as Eugene
01:06 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Ping timeout: 264 seconds]
01:12 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:30 -!- Mathias [M@unaffiliated/mathias] has quit [Ping timeout: 240 seconds]
01:34 -!- Mathias` [M@unaffiliated/mathias] has joined #openvpn
01:41 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
01:54 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-waqgomjdwohmwrpy] has joined #openvpn
02:11 -!- Mathias` is now known as Mathias
02:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:20 -!- ShiroNeko [~MrHeisenb@ip-37-24-129-31.unitymediagroup.de] has joined #openvpn
02:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:21 -!- mode/#openvpn [+v s7r] by ChanServ
02:21 < ShiroNeko> hello, i have a question about the float option. is it required on server-config only or in the client-config too?
02:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:36 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:45 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:45 -!- mode/#openvpn [+o mattock] by ChanServ
02:49 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:53 -!- rf5 [~r@unaffiliated/rf5] has joined #openvpn
02:53 < rf5> yo
02:53 -!- cesurasean1 [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has quit [Ping timeout: 260 seconds]
02:54 < rf5> any recomendations of vpn company?
03:01 < svg> why would you want to outsource your vpn?
03:01 <@Eugene> We don't generally recommend providers here, no.
03:01 < rf5> oh yes no worries
03:02 <@Eugene> But if anybody knows what they're doing, it'd be OpenVPN Techologies, Inc, aka openvpn.cm
03:02 <@Eugene> openvpn.com, if I can spell.
03:05 < rf5> haha fair enough
03:05 < rf5> im actually looking for a vpn company that has a server in brazil as i am living out of the country and i want to access some websites that are restricted
03:07 < rf5> but thats all good, thanks eugene
03:09 -!- mattock is now known as mattock_afk
03:10 -!- rf5 [~r@unaffiliated/rf5] has quit [Quit: bye]
03:14 -!- bigsky [~jack@183.157.13.73] has joined #openvpn
03:14 < bigsky> hi all
03:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
03:56 -!- ShiroNeko [~MrHeisenb@ip-37-24-129-31.unitymediagroup.de] has left #openvpn []
03:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:25 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
04:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
04:43 -!- bigsky_ [~jack@183.157.13.73] has joined #openvpn
04:45 -!- bigsky [~jack@183.157.13.73] has quit [Ping timeout: 252 seconds]
04:45 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
04:47 -!- mastercode [~root@203.189.141.246] has quit [Read error: Connection reset by peer]
04:58 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:04 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
05:05 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
05:05 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
05:15 -!- regolith_ [~regolith@79.133.97.154] has quit [Ping timeout: 268 seconds]
05:23 -!- makara [~makara@41.164.22.218] has joined #openvpn
05:23 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:28 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
05:42 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:44 -!- mikemol [~mikemol@2001:470:c5b9:beef:c0de:444d:d2f5:2a3c] has joined #openvpn
05:50 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
05:51 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
06:03 -!- regolith_ [~regolith@79.133.97.154] has quit [Ping timeout: 268 seconds]
06:03 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 268 seconds]
06:07 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
06:15 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
06:15 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
06:17 -!- Proshot [~FSM@217.68.49.75] has joined #openvpn
06:24 -!- mikemol [~mikemol@2001:470:c5b9:beef:c0de:444d:d2f5:2a3c] has quit [Remote host closed the connection]
06:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:39 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
06:41 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
06:42 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
06:43 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 255 seconds]
06:46 -!- regolith_ [~regolith@79.133.97.154] has quit [Ping timeout: 268 seconds]
06:46 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 268 seconds]
06:48 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
06:51 -!- cesurasean1 [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
06:57 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
06:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
07:02 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
07:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:08 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 268 seconds]
07:10 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
07:17 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
07:20 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
07:21 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:21 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
07:28 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
07:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:34 < Proshot> what is a good openvpn client for ios so i could connect to my openvpn server at home
07:35 < defswork> the openvpn app for ios
07:35 -!- regolith__ [~regolith@79.133.97.154] has joined #openvpn
07:36 < defswork> works fine apart from DNS doesnt resolve unless you also redirect-gateway for some stupid reason
07:36 < Proshot> is there another way then itunes to get those keys in ios openvpn since i am on linux and don't use itunes
07:36 < defswork> just put the .ovpn file on the internet somewhere
07:36 < defswork> and open it in safari
07:36 < defswork> you put the keys inside the ovpn file
07:37 < defswork> inside <tags>
07:37 <@krzee> defswork, what do you mean DNS doesnt resolve unless you redirect-gateway? are you pushing dns from your server to your client?
07:37 < Proshot> ehm, defswork that is a bit strange i don't have an .ovpn file i have the keys and the ca but those are three different files howdo i create an .ovpn
07:37 < defswork> krzee, yes
07:37 <@krzee> !ios
07:37 <@krzee> !inline
07:37 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
07:37 <@krzee> Proshot, ^^
07:38 < defswork> Proshot, the ovpn file is the client config
07:38 < defswork> krzee, but yeah - we push DNS and nothing internal resolves unless we also push redirect-gateway
07:38 < defswork> we had similar problem using ipsec
07:39 <@krzee> defswork, make sure you pushed a route to said DNS server
07:39 < defswork> we pushed subnet route - is that enough ?
07:39 <@krzee> depends
07:39 < defswork> the dns is on that subnet ;)
07:39 <@krzee> also be sure you did the other stuff that got done when you redirect-gateway, such as ip forwarding and firewall allowing it
07:40 < defswork> yeah thats all ok - non-ios clients work ok
07:40 < defswork> have 40-60 clients
07:40 <@krzee> have you made a support ticket?
07:40 <@krzee> granted ios version isnt opensource so it could be an issue that only exists there
07:41 < Proshot> thanks defswork
07:41 < defswork> krzee, nah - I asked in here a week or so but everyone was afk - didn't know who looked after it to be honest
07:41 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
07:41 < defswork> at the moment for ios clients we push the gateway in their ccd file
07:41 <@krzee> defswork, i dont know how many people here actually have the code to the ios app, you should make a trouble ticket
07:42 < Proshot> btw, is there a way when the openvpn server goes down and later up, that the client reconnects automatically ? defswork
07:42 <@krzee> you push the gateway or redirect-gateway?
07:42 < defswork> Proshot, sure
07:42 <@krzee> Proshot,
07:42 <@krzee> !keepalive
07:42 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
07:42 < defswork> redirect-gateway
07:43 < defswork> it may be something relates to having a .local zone internally also
07:43 < defswork> not my choice unfortunately - predates me here
07:44 < defswork> but for everyother openvpn client (Windows/Linux/Android) it works ok without redirect-gateway - just not on IOS
07:44 < defswork> I also found that the android client doesnt like remote-random
07:44 < defswork> which is odd
07:48 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
07:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:50 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:56 -!- Proshot [~FSM@217.68.49.75] has quit [Quit: Leaving]
07:56 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 252 seconds]
08:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
08:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
08:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
08:20 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
08:20 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
08:25 -!- regolith_ [~regolith@79.133.97.154] has quit [Read error: Operation timed out]
08:30 -!- regolith__ [~regolith@79.133.97.154] has quit [Ping timeout: 240 seconds]
08:30 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 265 seconds]
08:41 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
08:44 -!- rightshift [~rightshif@41.85.8.91] has joined #openvpn
08:44 -!- regolith_ [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
08:45 < rightshift> Hi, is their any way to change the VPN timeout - clients get disconnected after 1 hour.
08:45 < rightshift> there*
08:46 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
08:46 -!- hash-afk [~hash@ip103.216-37-89.PNeT.Ro] has joined #openvpn
08:47 < hash-afk> anybody else encounter a (WSAENETRESET) (code=10052) error when trying to connect to a vpn server hosted somewhere with ip addr starting with 192.168 when the client also has this address ? need i mention the server's ip is public. the client's isn't.
08:48 < hash-afk> and they're not the same. just the first 16 bits are the same. i'm thinking a windows routing issue since the client is windows in this case
08:48 < hash-afk> serverside packets from the client don't even hit iptables... so it must be a client-issue. tho it only happens on this particular server
08:49 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:54 -!- ACKNAK [~regolith@79.133.97.154] has quit [Read error: Connection reset by peer]
08:57 < BtbN> 192.168.0.0/16 is a private address space, there can be no public IPs in that range.
08:59 < hash-afk> BtbN i have a vps in nl
08:59 < hash-afk> that disagrees
08:59 < hash-afk> or maybe my isp is playing april's fools
09:00 < hash-afk> to be honest that was my impression in the 1st place
09:00 < BtbN> 192.168.0.0/16 is private, if your server has an ip from that range, it's not its public ip.
09:00 < BtbN> make sure it's actualy 192.168, there are some public ranges which are similar
09:01 < hash-afk> that is true, but thats how i use to connect to ssh to it :| which is in itse3lf baffling unless my isp has some funny routes
09:02 < MorgyN> what vps provider is this? ;D
09:02 < MorgyN> Wondering if this is an awesome april fools
09:03 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
09:03 < hash-afk> hosted.by.leaseweb.com  2'nd node in a trace to google
09:03 < hash-afk> somewhere in nl
09:03 < hash-afk> dont know dont live there
09:04 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Quit: Leaving...]
09:04 < BtbN> well, i can say for sure that 192.168.0.0/16 is reserved for private use. Your server can't have a public IP from that range.
09:10 <@plai> defswork: that's not odd, that is the author that has not implemented multiple remotes yet and put refusing remote-random in there as a /temporary/ solution
09:14 -!- Immunity [~Immunity@37.59.161.192] has joined #openvpn
09:14 < Immunity> hello
09:14 < Immunity> is there anyone who can help me about assigning static ip address to clients at pptp server?
09:16 -!- takamichi [~takamichi@85.12.8.105] has joined #openvpn
09:20 <@krzee> !notcompat
09:20 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
09:21 < Immunity> I know this, but i googled about week.
09:22 < Immunity> I'm really exhausted...
09:22 <@krzee> well you cannot do anything related to pptp with openvpn
09:22 <@krzee> !pptp
09:22 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
09:22 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
09:24 < Immunity> without client, can users login to OpenVPN Server?
09:25 < ChrisH> Immunity: no. They cannot connect to a PPTP server without a client, too!
09:25 <@krzee> !download
09:25 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
09:25 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
09:25 <@krzee> #4
09:25 < Immunity> I am talkin about executable client files
09:25 <@krzee> wait what?
09:26 <@krzee> oh you are asking if openvpn can be logged into without installing a client?
09:26 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 252 seconds]
09:26 <@krzee> no, and you must also install a device (since i assume you are in windows)
09:26 < Immunity> we will serve these VPNS to 2000 end users. So they cant install this. Because of this i wanted to install pptp server
09:26 < Immunity> Whatever, thank you very much for your interest
09:27 <@krzee> no problem, no pptp help here tho
09:28 -!- lj [~l@192.241.174.169] has joined #openvpn
09:28 <@krzee> also, pptp should not be considered a vpn, it is really no safer than cleartext
09:28 < Immunity> mate, vpn users will use this to open somewebsites
09:28 <@krzee> its a tunnel, but not very virtually private
09:28 < Immunity> Unfortunalitely, we are living in Turkey and damned goverment blocked some websites
09:29 < Immunity> shortly, this vpn will not be for security or e.g. something like this
09:29 <@krzee> !obfs
09:29 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
09:29 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
09:29 < Immunity> it is also blocked.. :)
09:29 <@krzee> you wont really need a vpn you need obfsproxy
09:29 <@krzee> whats blocked? the obfsproxy page or obfsproxy itself?
09:30 < Immunity> mate
09:30 < Immunity> torproject is blocked by turk telecom
09:30 < Immunity> its ports are blocked
09:30 < Immunity> so noone can reach this.
09:31 <@krzee> im not talking about tor, im talking about a proxy they made called obfsproxy
09:31 <@krzee> just because you see tor in the link doesnt mean you can ignore the text surrounding the link :D
09:32 <@krzee> also, pptp and openvpn can be detected, even with those you will want something like obfsproxy
09:32 <@krzee> obfsproxy is a tool that attempts to circumvent censorship, by transforming the Tor traffic between the client and the bridge. This way, censors, who usually monitor traffic between the client and the bridge, will see innocent-looking transformed traffic instead of the actual Tor traffic.
09:32 <@krzee>  obfsproxy supports multiple protocols, called pluggable transports, which specify how the traffic is transformed. For example, there might be a HTTP transport which transforms Tor traffic to look like regular HTTP traffic. See the pluggable transports page for more information.
09:32 <@krzee>  Even though obfsproxy is a separate application, completely independent from tor, it speaks to tor using an internal protocol to minimize necessary end-user configuration.
09:32 < ChrisH> Immunity: considered offering a web proxy which you connect via OpenVPN, Tor, obfsproxy, XXX into some other country?
09:33 <@krzee> ChrisH, obfsproxy is something used to connect to said web proxy, openvpn, tor, etc
09:33 <@krzee> not something to be connected to via proxy
09:33 <@krzee> its simply a proxy that encapsulates data in harmless looking protocols to bypass censoring firewalls
09:34 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:34 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
09:35 -!- hfp` [~ryenda@MTRLPQ0736W-LP130-01-2925269581.dsl.bell.ca] has quit [Remote host closed the connection]
09:35 <@krzee> openvpn statickey mode will bypass DPI as well, but that's not much of an option with your 2000 clients haha
09:35 < Immunity> .)
09:35 <@krzee> anyways, you want obfsproxy.
09:35 < Immunity> they also have limited connections by hourly to website via a client
09:35 <@krzee> your use case is the reason it was invented
09:36 < Immunity> because of this, i want to give static ip address to all clients. At least if they get a ban, only one user will live problem
09:36 < Immunity> now, you can imagine what a fuckin country is this
09:37 <@krzee> i guess you could also load balance the outbound traffic to monitor / bypass that
09:38 <@krzee> but all of this is outside the scope of openvpn. you want obfsproxy and random network hackery
09:39 <@krzee> in the game of cat+mouse you are in, obfsproxy will be a very valuable tool for you
09:39 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
09:40 < Immunity> ok krzee, thank you
09:40 <@krzee> np
09:40 -!- hfp` [~ryenda@MTRLPQ0736W-LP130-01-2925269581.dsl.bell.ca] has joined #openvpn
09:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:42 -!- Immunity [~Immunity@37.59.161.192] has quit []
09:43 < edge226> is it possible/desirable to vpn through another vpn connection?
09:44 < hfp`> edge226: It's possible but stacking up vpn tunnels slows everything down
09:44 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
09:44 < edge226> hfp`: ah thought this might be the case.
09:44 < hfp`> edge226: Try it and see how it goes
09:45 < hfp`> !goal
09:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:46 < hfp`> I would like to access the internet over the VPN. The VPN connects fine but internet traffic is sent outside the VPN. I suspect this `ROUTE: default_gateway=UNDEF` and that `NOTE: unable to redirect default gateway -- Cannot read current default gateway from system` have something to do with it but I can't figure out how to fix it
09:46 < edge226> goal would be to get true encryption without the fallback of using just a key encryption code. Or possibly piggy back a encrypted through a non encrypted since doing just one method is broken.
09:47 < edge226> I am just throwing around theory but if it is going to bandwidth hog then its probably not worth it.
09:48 < hfp`> edge226: Not necessarily, depends on your connection. You should try and see how it goes.
09:48 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
09:48 < edge226> hfp`: how would one set up the connections to work like this?
09:49 < edge226> remote <vpn-ip>?
09:50 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
09:50 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
09:50 < hfp`> that's above my pay grade :)
09:50 < hfp`> I use Viscosity on my Mac and I can connect to another VPN once connected to the first VPN
09:50 < edge226> hfp`: kk. Ill play around with it. Have a decent idea how this would work :)
09:51 <@plai> edge226: try to understand the routing before doing VPN over VPN
09:51 < edge226> plai: kk.
09:51 < edge226> plai: I will look into that.
09:51 <@plai> otherwise it will be hell to debug it because you have no idea what is going on
09:51 < edge226> plai: tun > tap would not be very efficient would it?
09:52 <@plai> edge226: was has tun > tap to do with that?
09:52 < edge226> nothing really.
09:52 < edge226> I do need to learn the routing stuff though, you are right there.
09:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
09:54 < edge226> from what I read I think if I understood the routing stuff well then running tap would not really be needed.
09:54 < edge226> plai: do you have a good routing tutorial?
09:57 -!- regolith_ [~regolith@79.133.97.154] has quit [Remote host closed the connection]
09:57 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
09:58 <@krzee> !route
09:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:58 <@krzee> i wrote that document after learning everything needed for vpnchains
--- Log closed Tue Apr 01 10:01:20 2014
--- Log opened Tue Apr 01 10:01:35 2014
10:01 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
10:01 -!- Irssi: #openvpn: Total of 234 nicks [10 ops, 0 halfops, 3 voices, 221 normal]
10:01 -!- mode/#openvpn [+o ecrist_] by ChanServ
10:02 -!- Irssi: Join to #openvpn was synced in 42 secs
10:02 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Operation timed out]
10:02 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Read error: Operation timed out]
10:03 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
10:03 -!- mode/#openvpn [+o vpnHelper] by ChanServ
10:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
10:03 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
10:04 < dan_j> Hi, I've set up openvpn client on openwrt and the connection is up to a centos-based openvpn server. I want all client behind the openwrt router to be able to access all the IPs behind the server.
10:05 < dan_j> Its already working for standard openvpn clients so i know the config is sound.
10:05 < dan_j> The connection is up now, and the openvpn client can ping IPs behind the vpn server.
10:05 <@Eugene> !route
10:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
10:05 <@vpnHelper> client
10:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
10:07 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
10:08 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
10:08 -!- mode/#openvpn [+o vpnHelper] by ChanServ
10:08 < _bt> hello, can anyone tell me more about the environment variables "untrusted_ip" and "trusted_ip"
10:09 < dan_j> Eugene: i think it's not an openvpn issue, because the openvpn client can ping ip's behind the vpn
10:09 -!- takamichi [~takamichi@85.12.8.105] has quit [Ping timeout: 265 seconds]
10:09 <@Eugene> !serverlan
10:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:09 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:09 <@Eugene> Follow ze flowchart
10:11 < dan_j> If openvpn is set up to give a single IP to the openvpn client, what do i need to change in order to get a site to site connection?
10:11 -!- mullinator [~mike@ip70-178-219-27.ks.ks.cox.net] has joined #openvpn
10:12 -!- mullinator [~mike@ip70-178-219-27.ks.ks.cox.net] has quit [Quit: Leaving]
10:12 <@krzee> _bt, you can see it in the manual at !script or you can make a script that just runs (with bash or sh shbang) env >> /tmp/openvpn.env    and have openvpn run it, then see the vars for yourself
10:12 <@krzee> !script
10:12 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
10:12 < dan_j> I dont really want to change the server as thats working fine. I want to change the client only if possible.
10:13 -!- mullinator [~mike@ip70-178-219-27.ks.ks.cox.net] has joined #openvpn
10:14 < _bt> krzee: i am using auth-user-pass-verify script and i want to avoid re-entry of OTP tokens during renegotiation - as far i can tell trusted_ip is set when its a re-auth, and not when it's an initial connection. i just wanted to check (the docs are sparse) that this is the correct method
10:15 <@krzee> so then look at the env and see if that is true or not
10:15 < _bt> ive already looked at the env
10:15 < _bt> that behaviour is true
10:15 < _bt> but i want confirmation from the docs
10:16 <@krzee> trusted_ip (or trusted_ip6)
10:16 <@krzee>  Actual IP address of connecting client or peer which has been authenticated. Set prior to execution of --ipchange, --client-connect, and --client-disconnect scripts. If using ipv6 endpoints (udp6, tcp6), trusted_ip6 will be set instead.
10:16 <@krzee> says it is executed before client-connect
10:16 <@krzee> which is ONLY run upon connection, not reneg
10:17 < _bt> are you aware of a flag that is set only for reneg?
10:18 <@krzee> i didnt even know you could execute scripts during reneg
10:18 <@krzee> plai, any input?
10:19 < _bt> yes - auth-user-pass-verify is executed to re-auth at reneg
10:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:19 < _bt> i was informed that something in the env at that point would allow me to deduce if it was a reneg or an initial connect
10:19 < _bt> (to decide whether to need OTP or not)
10:19 <@krzee> oh ok
10:19 < _bt> i think trusted ip is correct one to use
10:20 <@krzee> then maybe it is trusted_ip, i dont feel like coding a script and waiting reneg-sec to check
10:20 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has joined #openvpn
10:20 <@krzee> i would think diff would weed out the contenders pretty quick
10:20 < ChrisH> plai: I hope my postings are not the cause for you to post the FAQ/Rules.
10:20 < _bt> yeah, i set my reneg-sec to 60
10:21 < _bt> and did a diff
10:25 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
10:25 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 252 seconds]
10:27 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
10:34 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Remote host closed the connection]
10:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:45 -!- danfromuk_ [~IceChat77@host-78-147-113-47.as13285.net] has joined #openvpn
10:45 -!- danfromuk_ [~IceChat77@host-78-147-113-47.as13285.net] has quit [Client Quit]
10:47 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Ping timeout: 240 seconds]
10:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:52 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
11:07 -!- master_of_master [~master_of@p4FF24E9E.dip0.t-ipconnect.de] has quit [Ping timeout: 268 seconds]
11:09 -!- master_of_master [~master_of@p4FD7B422.dip0.t-ipconnect.de] has joined #openvpn
11:15 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
11:16 -!- masterkorp [~masterkor@boobierack.masterkorp.net] has joined #openvpn
11:16 < masterkorp> hello fellow openvpn users
11:16 < masterkorp> so i am facing more of a feature dilema when using openvpn
11:16 < masterkorp> this is the case:
11:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:17 -!- mode/#openvpn [+v s7r] by ChanServ
11:17 < masterkorp> while connecting to a TCP openvpn server, so routes are added by openvpn "68.68.97.0/24 via 192.168.100.1 dev tun0 "
11:18 < masterkorp> which i don't want
11:18 < masterkorp> it makes the connection timeout right after connections
11:19 < masterkorp> so counteract this behauvious i need to add the following route "68.68.97.IPOFSERVER via 192.168.1.254 dev eth0 "
11:19 < masterkorp> being 192.168.1.254
11:19 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
11:20 < masterkorp> so the openvpn does not timeout and i actually can get inside the vpn
11:20 < masterkorp> how can I prevent this ?
11:20 < Aketzu> so you want to route access to server network through the vpn
11:20 <@krzee> no, NOT through the vpn
11:20 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
11:20 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
11:20 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
11:20 <@krzee> !route_override
11:20 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
11:21 < Aketzu> isn't it better to fix in server side config so it will work for all clients
11:21 <@krzee> route 155.98.10.0 255.255.252.0 net_gateway
11:21 <@krzee> show me your configs
11:22 <@krzee> cause it shouldnt be adding 8.68.97.0/24 via 192.168.100.1 dev tun0 unless you told it to
11:22 <@krzee> !configs
11:22 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:22 < masterkorp> krzee: is that for me ??
11:22 <@krzee> yes
11:23 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
11:23 < masterkorp> so, all i need is to push the route ?
11:23 <@krzee> no, you need to show me your configs
11:23 < masterkorp> client ?
11:23 <@krzee> both, like !configs above
11:23 < masterkorp> i don't have access to server side config :(
11:24 < masterkorp> fixing the server side is not an option right know
11:24 <@krzee> !provider
11:24 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
11:24 < masterkorp> its not a provided
11:25 <@Eugene> !both
11:25 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
11:25 < masterkorp> i can get access to the machine in month or so if everything goes well
11:25 < masterkorp> i control the client
11:25 <@krzee> well post the client config and log and ill take a look, but i probably cant help much
11:25 < masterkorp> thank you
11:26 < masterkorp> log: http://pastie.org/8986172 config: http://pastie.org/private/b0pnlp5db9enrx1hgxhitw
11:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:31 <@krzee> comment tun-mtu and add verb 5
11:31 -!- dimitry7 [~antonello@38.124.174.31] has left #openvpn ["Leaving"]
11:31 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
11:31 <@krzee> actually i guess leave it uncommented
11:32 <@krzee> simply because we cant fix the server
11:34 < masterkorp> http://pastie.org/private/lrczgngc7rcbeggbbg4rxg
11:34 < masterkorp> new log
11:37 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 245 seconds]
11:39 < Aketzu> heh... braindead server config that likely will not work for anybody
11:39 < masterkorp> what would be needed to fix the server
11:39 < Aketzu> remove "route 68.68.97.0 255.255.255.0" from config
11:39 < masterkorp> i don't really have access to it
11:42 < Aketzu> try adding 'route 68.68.97.2 255.255.255.255 net_gateway' to client config
11:42 < masterkorp> a push ?
11:43 < Aketzu> .. you can only push in server configs
11:43 < Aketzu> just that line without push
11:44 <@krzee> well really, you dont need that new route
11:44 <@krzee> just removing route 68.68.97.0 255.255.255.0 will do it
11:44 <@krzee> you dont want that, then dont add it.
11:45 < masterkorp> but the client adds it for me
11:45 <@krzee> oh the server pushes it
11:46 <@krzee> thats some seriously misconfigured stuff
11:46 <@krzee> what Aketzu said will help, but i mean really they should fix their stuff
11:46 < masterkorp> the propose they say its to secure connections
11:46 <@krzee> umm
11:47 < Aketzu> to use vpn you must use vpn
11:47 < Aketzu> .. gotta go deeper
11:47 <@krzee> have they really never seen it not able to reconnect because they created a routing loop?
11:47 <@krzee> how long have they been open?
11:47 < masterkorp> no everyone uses viscosity
11:48 < masterkorp> i am the only linux guy
11:48 < masterkorp> using a proper vpn client
11:48 <@krzee> so maybe their viscosity config is less dumb?
11:48 <@krzee> cause its not linux's fault? any OS would be in a routing loop with that config
11:48 <@krzee> (its the server config)
11:49 < Aketzu> or can win/mac remember routing at the point of socket creation
11:49 <@krzee> you see, it tells you that to reach the server to have a vpn connection you must go over the vpn connection
11:49 < Aketzu> that would make no sense
11:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
11:49 < masterkorp> i don't have the authority to question my collegues capacity yet
11:49 < masterkorp> skills
11:49 <@krzee> it'll work the first time, but it'll have a hell of a time reconnecting
11:50 <@krzee> well just tell him the line that fixes it for you
11:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
11:50 <@krzee> so he can at least throw that in configs
11:51 < masterkorp> "its necessary, securing connections"
11:51 <@krzee> "you may not route to 68.68.97.2 over the vpn if 68.68.97.2 is the vpn server"
11:52 <@krzee>  <Aketzu> try adding 'route 68.68.97.2 255.255.255.255 net_gateway' to client config
11:52 <@krzee> put that in your config and your problem will be solved.
11:52 < masterkorp> Aketzu: that does noting
11:52 <@krzee> then restart openvpn and show me the log
11:52 < masterkorp> also you mean net_gateway literaly or the ip right ?
11:53 < masterkorp> i used the ip of the gateway
11:53 < Aketzu> both work
11:53 < Aketzu> net_gateway works even if the gateway changes :)
11:53 <@krzee> put net_gateway
11:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
11:53 <@krzee> that way we dont have to help you next time your gateway changes
11:54 < masterkorp> haha, yes
11:54 < masterkorp> thanks for your times
11:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
11:54 < masterkorp> Tue Apr  1 17:54:07 2014 ERROR: Linux route add command failed: external program exited with error status: 2
11:55 <@krzee> show me the new line from your config
11:55 < masterkorp> http://pastie.org/private/qrn8tbn7jp3em2xdalr9g
11:55 <@krzee> route 68.68.97.2 255.255.255.255 net_gateway
11:55 <@krzee> is NOT what you put :-p
11:55 < masterkorp> oh derp derp
11:55 < masterkorp> i need coffee
11:55 < masterkorp> sorry
11:56 < masterkorp> thank you guys so much
11:56 <@krzee> yw
11:56 < Aketzu> np
11:57 < masterkorp> its always nice to see other people helping
11:57 < masterkorp> i gotta go, bye
11:57 -!- masterkorp [~masterkor@boobierack.masterkorp.net] has left #openvpn ["WeeChat 0.3.8"]
11:57 <@krzee> boobierack
11:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
11:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
11:58 <@Eugene> Booooobies
11:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
12:00 < Aketzu> tissit!
12:00 < Aketzu> (as we say here)
12:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
12:10 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
12:10 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
12:12 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:59 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 246 seconds]
13:00 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has joined #openvpn
13:01 < philipp__> hi i am experienting connection issues of openvpn beeing very slow. I think its the same issue this guy http://raspberrypi.stackexchange.com/questions/14065/raspberry-pi-openvpn-client-speed-bottleneck is experienting. Today i found http://forums.opensuse.org/showthread.php/443769-11-3-openvpn-connection-hangs but i dont really understand there solution. Can anyone explain what log they mean?
13:01 <@vpnHelper> Title: raspbian - Raspberry Pi OpenVPN Client Speed Bottleneck - Raspberry Pi Stack Exchange (at raspberrypi.stackexchange.com)
13:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:13 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mboxhsgpdijhwqfy] has joined #openvpn
13:25 -!- Aliekezhi [~Aliekezhi@80.215.44.200] has joined #openvpn
13:30 -!- Latrina [~Latrina@ppp-61-62.26-151.libero.it] has quit [Remote host closed the connection]
13:46 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 264 seconds]
13:48 < _FBi> http://pastie.org/private/b7kwnpwbt47owbsdprjbjw  think it's my certs?  should I start over?
13:49 < _FBi> I checked them all with openssl verify all certs come back as okay
13:51 < _FBi> also looks like the CN are different names, does that matter?
13:54 <@krzee> every CN should be different
13:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-waqgomjdwohmwrpy] has quit [Quit: Connection closed for inactivity]
14:01 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
14:02 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
14:03 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 268 seconds]
14:08 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
14:20 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
14:23 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Ping timeout: 246 seconds]
14:24 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:24 < _FBi> Sun Mar 30 03:29:38 2014 VERIFY OK: depth=1, CN=U Want My Info
14:24 < _FBi> Sun Mar 30 03:29:38 2014 VERIFY nsCertType ERROR: CN=ihack, require nsCertType=SERVER
14:25 < _FBi> did I make my cert a client cert?
14:25 < Aketzu> sounds like that
14:26 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
14:26 < Rienzilla> looks lik eit
14:26 < _FBi> doh'ith
14:27 -!- lj1 [~l@192.241.174.169] has joined #openvpn
14:27 < _FBi> !windows
14:27 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
14:28 < _FBi> hah
14:28 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
14:30 -!- fellayaboy [~cottod@unaffiliated/fellayaboy] has joined #openvpn
14:30 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 240 seconds]
14:32 < _FBi> back to the drawing board :)
14:35 -!- fellayaboy [~cottod@unaffiliated/fellayaboy] has quit [Quit: Leaving]
14:39 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Connection reset by peer]
14:40 -!- Aliekezhi [~Aliekezhi@80.215.44.200] has quit [Ping timeout: 240 seconds]
14:41 -!- Aliekezhi [~Aliekezhi@80.215.44.200] has joined #openvpn
14:49 -!- digitalpunk [~scout@mail.zemaitijos-spauda.lt] has joined #openvpn
14:49 < digitalpunk> hello, how to route all traffic via openvpn?
14:50 < _FBi> !push
14:50 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
14:50 < digitalpunk> i've added postrouting iptables rule but traffic didn't go through openvpn
14:50 < _FBi> !route
14:50 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
14:52 < digitalpunk> i've added to server.conf this route:
14:53 < digitalpunk> push "route 0.0.0.0 10.8.0.1"
14:53 < digitalpunk> push "redirect-gateway def1"
14:53 < digitalpunk> push "dhcp-option DNS 8.8.8.8"
14:53 < digitalpunk> iptables rule: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
14:54 <@krzee> remove that: push "route 0.0.0.0 10.8.0.1"
14:54 <@krzee> the rest should be fine
14:54 <@krzee> !redirect
14:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:54 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:55 < digitalpunk> krzee: didn't help
14:55 -!- le0 [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has joined #openvpn
14:55 -!- le0 [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has quit [Changing host]
14:55 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:55 < digitalpunk> !pushdns
14:55 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
14:56 < digitalpunk> !windns
14:56 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
14:57 <@krzee> digitalpunk, use the troubleshooting flowchart
15:03 < digitalpunk> i'm getting this on cmd:
15:03 < digitalpunk> Reply from 10.8.0.1: Destination host unreachable.
15:03 < digitalpunk> Reply from 10.8.0.1: Destination host unreachable.
15:03 < digitalpunk> Reply from 10.8.0.1: Destination host unreachable.
15:03 < digitalpunk> Request timed out.
15:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:16 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:18 -!- mattock_afk is now known as mattock
15:22 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-muswmbpcynisxork] has joined #openvpn
15:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
15:24 <@krzee> !configs
15:24 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:24 <@krzee> !logs
15:24 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:24 <@krzee> digitalpunk, ^^
15:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:32 < digitalpunk> one min
15:33 -!- mullinator [~mike@ip70-178-219-27.ks.ks.cox.net] has quit [Quit: Leaving]
15:34 < _FBi> :)
15:34 <@krzee> i gotta run along but anyone else who is gunna help will need those too
15:34 < _FBi> I hope his windows firewall isn't the problem
15:34 < _FBi> ciao krzee
15:35 < digitalpunk> http://pastebin.com/TfPffi19
15:35 < digitalpunk> is it ok that my nic doesn't show default gw of vpn tunnel?
15:36 < digitalpunk> server.conf - http://pastebin.com/U7Wid2iv
15:39 -!- Aliekezhi [~Aliekezhi@80.215.44.200] has quit [Quit: Leaving]
15:40 -!- hfp` [~ryenda@MTRLPQ0736W-LP130-01-2925269581.dsl.bell.ca] has quit [Quit: Leaving...]
15:41 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
15:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:42 -!- vn [~sys6x@nostalgeek.net] has joined #openvpn
15:45 < vn> hi, i probably have a firewall issue...I am not familiar with this Fortigate 80c and I hate to setup an openvpn service.  to test connectivity, is it OK and functional to put proto tcp in the configuration?  actually, on my LAN, I can connect and get connection logs, but from the internet side, I can see logs in the firewall that traffic was accepted, but no log on the server.  I did setup a firewall rule to ACCEPT port 1194 tcp and udp to the LAN IP of the mach
15:47 < vn> I put proto tcp because I can't telnet to the service in udpo
15:48 < vn> Also, if I do a nmap scap on openvpn, does it always show as filtered or it should normally be shown as open on 1194?
15:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:49 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
15:53 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:55 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 240 seconds]
15:56 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
15:59 < pekster> vn: review nmap's manpage on what the resulting states mean; openvpn won't respond to a received packet unless it looks like an openvpn packet (and even then it might not if you're using --tls-auth)
16:00 < pekster> The only reason you get anything back in TCP is because the kernel handles the transaction until a socket is successfully opened
16:01 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
16:01 < vn> pekster: ok thanks
16:01 < vn> another question: in the conf file, if a line starts with ;, is it a comment or..?
16:01 < vn> there are both in the sample files
16:01 < pekster> !comment
16:01 <@vpnHelper> "comment" is you can use ; or # to make comments in the config file
16:02  * vn facepalms
16:03 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 246 seconds]
16:04 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Excess Flood]
16:05 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
16:05 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
16:09 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
16:10 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:14 < philipp__> hi i am experienting connection issues of openvpn beeing very slow. I think its the same issue this guy http://raspberrypi.stackexchange.com/questions/14065/raspberry-pi-openvpn-client-speed-bottleneck is experienting. Today i found http://forums.opensuse.org/showthread.php/443769-11-3-openvpn-connection-hangs but i dont really understand there solution. Can anyone explain what log they mean?
16:14 <@vpnHelper> Title: raspbian - Raspberry Pi OpenVPN Client Speed Bottleneck - Raspberry Pi Stack Exchange (at raspberrypi.stackexchange.com)
16:16 -!- lj [~l@66.94.192.181] has joined #openvpn
16:16 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 255 seconds]
16:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:20 -!- lj1 [~l@192.241.174.169] has joined #openvpn
16:20 -!- lj [~l@66.94.192.181] has quit [Ping timeout: 265 seconds]
16:33 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
16:40 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
16:41 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 265 seconds]
16:49 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:53 -!- indy_ [~indy@fantomas.bestit.cz] has joined #openvpn
16:54 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
16:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
16:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 265 seconds]
16:54 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 255 seconds]
16:54 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 255 seconds]
16:54 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 255 seconds]
16:54 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
16:55 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
16:56 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
16:57 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
16:58 -!- joshh20-Away is now known as joshh20
16:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:07 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:08 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 240 seconds]
17:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:10 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
17:12 -!- tekzilla [~jon@e177176097.adsl.alicedsl.de] has joined #openvpn
17:14 -!- indy_ [~indy@fantomas.bestit.cz] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:16 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
17:17 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
17:18 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
17:19 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:21 -!- jmr` [~zero@bsdnode.org] has joined #openvpn
17:26 -!- marsje [~anonymous@2001:470:1f15:8fa::1] has joined #openvpn
17:26 < marsje> !welcome
17:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:26 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:26 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has quit [Remote host closed the connection]
17:28 < marsje> I just set up a simple vpn from the howto, with a point to point connection (tun) and I can ping the other end of the tunnel on both machines. Now I would like to use my vpn tunnel as default gateway, so all my traffic goes through the tunnel to the internet
17:28 < marsje> I tried adding a default gateway, but this seems to break everything (I'm a routing n00b)
17:28 < pekster> !redirect
17:28 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:28 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:28 < marsje> how would I add this route (linux mint) using the ip command?
17:29 < marsje> hmmm
17:29 < marsje> :)
17:29 < pekster> It's not quite that simple, since you can't adjust your default route (or more commonly two /1 routes, read !def1 for why we do that) without _also_ voiding the route to your non-local VPN connection
17:29 < pekster> Read the openvpn manpage description of what --redirect-gateway does, becuase it's a several-step process
17:30 < marsje> ah, at least by that remark I understand why things break
17:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
17:33 < marsje> !nat
17:33 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
17:34 < marsje> !linnat
17:34 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
17:36 < marsje> not so easy to test all this on a local network....
17:46 -!- bigsky_ [~jack@183.157.13.73] has quit [Ping timeout: 246 seconds]
17:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-muswmbpcynisxork] has quit [Quit: Connection closed for inactivity]
17:47 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
17:48 < marsje> !def1
17:48 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
17:50 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Read error: Operation timed out]
17:50 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
18:07 -!- i7c is now known as i8c
18:07 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:09 -!- novaflash is now known as novaflash_away
18:28 -!- lj [~l@192.241.174.169] has joined #openvpn
18:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:28 -!- mode/#openvpn [+v s7r] by ChanServ
18:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:32 < marsje> looks like it is working :)
18:32 < marsje> just need make sure my client uses my dns
18:33 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
18:33 < pekster> That or some public DNS (googleDNS is a popular choice)
18:33 -!- novaflash_away is now known as novaflash
18:34 < marsje> pekster: I use my own dns because I'm paranoid and I want to avoid anyone faking, impersonating, blocking popular dns servers (read news about Turkey)
18:34 < marsje> well, I don't mind using opendns or google dns, but it will have to go through my own internet connection at home, that I trust
18:35 < pekster> Nothing stops it from being adjusted after that point (sans DNSSEC-enables sites, provided you do signature validation at your trusted endpoint)
18:35 < pekster> But yes, it depends where you threat model is concerned with
18:35 -!- lj [~l@192.241.174.169] has joined #openvpn
18:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:36 < marsje> pekster: thread model is I'm scared of wifi hotspots, hotel internet and some countries (notmy own)
18:36 < marsje> threat
18:37 < marsje> and yes, the other reason to use my own dns is that is supports dnssec
18:38 < pekster> supports ≠ locally validating, but either works for your main concern
18:38 < marsje> the funny thing I just found out, is that --redirect-gateway causes all traffic to go through the vpn, except the vpn endpoint, which was the point of it, but my vpn endpoint is also my server where all my mail is
18:38 < marsje> and which I wanted to access over the vpn
18:38 < pekster> The DNSSEC issue is one of who does the RRSIG validation: your upstream recursor, or your own. I'm hoping stub-resolvers become commonplace such that a non-recursing forwarder can perform validation as a matter of fact
18:39 < pekster> Ah, right. You can do policy routing there
18:39 < marsje> policy routing?
18:39 < pekster> But it's less trouble to use 2 IPs, one for the VPN, and another for "non-VPN" things
18:39 < pekster> Yea, you can route not just by the FIB, but by arbitrary policies (say based on the port as well as IP)
18:40 < marsje> ah ok
18:40 < marsje> no experience with that... sounds complicated
18:40 < pekster> 2nd IP is easier, but in IPv4-land things are scarce. IPv6 makes it trivial
18:40 < marsje> 2 ips... well, I only have 1 (public)
18:41 < marsje> and a few billion IPv6 addresses...
18:41 < pekster> What OS? If it's Linux, LARTC's howto has a primer on advanced routing, including policy routing (see: !lartc)
18:41 < marsje> !lartc
18:41 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
18:41 < pekster> Under most BSDs you have the route-to directive
18:41 < MatthewsFace> ugh I know this isn't the AS channel, but is there a way to disable the openvpn client web server?
18:42 < marsje> pekster: I was just preparing my notebook for a trip abroad on friday, so no time to find out all that... in the meantime I'll just try to access my server through the tunnel endpoint address
18:43 < pekster> Yup, that's your other option
18:43 < pekster> You can (ab)use your /etc/hosts file too, perhaps
18:43 < marsje> right :)
18:43 < marsje> thanks for the info... I need some sleep now
18:43  * marsje is AFK
18:50 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Read error: Operation timed out]
18:53 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:00 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:08 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Excess Flood]
19:09 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
19:09 -!- klein [~klein@187.85.183.105] has joined #openvpn
19:09 -!- klein [~klein@187.85.183.105] has quit [Changing host]
19:09 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:14 -!- hive-mind [pranq@unaffiliated/contempt] has quit [Quit: Reconnecting]
19:14 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
19:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 268 seconds]
19:25 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has joined #openvpn
19:25 < philipp__> hey, can anyone think of what could cause http://raspberrypi.stackexchange.com/questions/14065/raspberry-pi-openvpn-client-speed-bottleneck ?
19:25 <@vpnHelper> Title: raspbian - Raspberry Pi OpenVPN Client Speed Bottleneck - Raspberry Pi Stack Exchange (at raspberrypi.stackexchange.com)
19:27 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
19:27 < philipp__> hey, can anyone think of what could cause http://raspberrypi.stackexchange.com/questions/14065/raspberry-pi-openvpn-client-speed-bottleneck ?
19:27 <@vpnHelper> Title: raspbian - Raspberry Pi OpenVPN Client Speed Bottleneck - Raspberry Pi Stack Exchange (at raspberrypi.stackexchange.com)
19:28 < _FBi> drivers, x64, dunno
19:30 -!- joshh20 is now known as joshh20-Away
19:30 < philipp__> FBi its armv6 but i think i also read people reporting the issue on other plattforms
19:34 -!- novaflash is now known as novaflash_away
19:39 < philipp__> rly? noone knows anything?
19:39 < _FBi> not everyone's active
19:40 < _FBi> whois your provider?
19:42 < philipp__> its not like im the only guy having problems like that https://forums.openvpn.net/topic15367.html
19:42 <@vpnHelper> Title: OpenVPN Support Forum ISP/cable modem slows down openvpn-connections : Off Topic, Related (at forums.openvpn.net)
19:43 < philipp__> FBi ists not the provider either... can use the vpn at full speed from my desktop pc
19:44 < philipp__> the really odd think is: when i see all the people posting the problem it seems that it reduces the bandwith between 80 and 90% no matter of the actuall mbps...
19:45 < _FBi> using a rpi
19:45 < _FBi> ?
19:46 < pekster> THey have shit CPUs
19:46 < pekster> You've been told this before
19:47 < pekster> 5-10 Mbps is about all you get for in-CPU crypto on sub-1GHz hardware
19:47 < _FBi> can connect the pi to the VPN then wget a speedtest file?
19:47 < pekster> Invest in AES-NI CPUs or faster hardware if you need more than that
19:52 < _FBi> pekster is the man, fyi
19:56 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
19:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
19:59 -!- novaflash_away is now known as novaflash
20:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:09 < _FBi> Q: I make my offline ca, server, ta.key, dh, and put them on the server.  I make my client side, then give it to my client.  Is there anything else I need to do?
20:10 <@Eugene> Drink.
20:11 < _FBi> how many beers will this require?
20:11 <@Eugene> One more than you have.
20:13 < _FBi> I gotta be missing something :'(
20:14 <@Eugene> That sounds like all the pieces you need
20:14 <@Eugene> tls-auth key is optional
20:14 -!- novaflash is now known as novaflash_away
20:15 < _FBi> I must be missing the beer
20:16 < _FBi> do you think the howto will be updated for easy-rsa 3.0
20:18 <@Eugene> It definitely ought to be, yes.
20:18 <@Eugene> Will it? Beats me.
20:18 < _FBi> heh
20:19 < _FBi> I don't think it would take too much?
20:19 < _FBi> add a git clone and change the commands
20:19 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
20:21 <@Eugene> Patches Welcome.
20:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mboxhsgpdijhwqfy] has quit [Quit: Connection closed for inactivity]
20:22 < _FBi> ++ -- :D
20:24 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
20:24 < _FBi> how does one revoke, same way?
20:26 < _FBi> is there no database of the clients I need to add them too?
20:26 <@Eugene> Honestly, it's been ages since I've used easy-rsa. I believe there's a revoke.sh script?
20:27 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
20:27 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:32 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
20:39 -!- novaflash_away is now known as novaflash
20:46 < _FBi> easy-rsa 3 doesn't have that MD5 flaw?
20:47 -!- Denial- [Denial@176.250.249.230] has joined #openvpn
20:49 -!- Denial [Denial@90.214.35.75] has quit [Ping timeout: 246 seconds]
20:49 -!- Denial- is now known as Denial
21:01 -!- dimitry7 [~antonello@38.124.174.31] has quit [Ping timeout: 260 seconds]
21:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:58 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:04 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:04 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:13 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
22:13 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:13 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:20 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
22:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
22:33 < pekster> Eugene: fwiw, howto probably needs quite the overhaul at this point, ideally on the wiki. The corp-integrated website has some CMS goo that makes updates non-trivial. Wikis are easy ;)
22:34 <@Eugene> A good idea.
22:35 < pekster> _FBi: easyrsa3 uses sha256 by default (though you can change it.) There's a patch to the v2 series to do that too, but why use old :P
22:36 < _FBi> pekster, I see the error in my ways :)
22:38 < _FBi> Q:  cn_only, I set the name when I build the cert? ie build-server server  server is the CN ?
22:39 < pekster> yes, but build-server is the broken way to do things in easyrsa v2-land where you don't generate keys on target systems
22:40 < _FBi> (I forgot the v3 command, off hand. I'm using v3)
22:40 < _FBi> thanks pekster
22:41 < _FBi> so really, the only thing 'needed' to change is the 2048 to 4096 ?
22:41 < _FBi> in the vars
22:44 < pekster> 'eh, that's mostly a waste
22:45 < pekster> !hadening
22:45 < pekster> !hardening
22:45 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
22:47 < _FBi> yup, done and done.
22:48 < pekster> Instead of 'build-server-full' (key escrow sucks) it's smarter to gen-req, send CSR to your CA, run `sign-req server NameGoesHere` on the CA, then send the cert back to the server
22:49 < pekster> No key escrow, and separation of duty
22:49 < _FBi> why not create with root?
22:49 < pekster> Because doing things you don't need to do as root is stupid
22:49 < _FBi> oh, so linux logic
22:49 < pekster> Plus did you actually audit all 1k lines of code you're running? Or verify the gpg sig the package was signed with? Did you check the signature came from one of the maintainers?
22:49 < pekster> etc, etc
22:49 < _FBi> pekster, I don't know how to do wht you said lol
22:50 < pekster> So yea, "all the uses reasons"
22:50 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
22:50 < _FBi> I see your points
22:50 < pekster> Basically just follow the howto at:
22:50 < pekster> !easyrsa
22:50 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
22:50 < pekster> The wiki-version of the v3-openvpn-howto has you do it the right way
22:51 < pekster> But if this is low-security, do whatever you want
22:52 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
22:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
22:53 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Client Quit]
22:54 < _FBi> thanks, I'll read it over tomorrow.  great help
22:54 < _FBi> the part that gets me is the import.  I thought on my server I had to import the clients.  I guess not
22:54 < pekster> Nope, you only ever import CSRs on your CA
22:55 < pekster> (which in theory could be on your server, but shouldn't be. If it is, it should be in a very separate directory)
22:55 < _FBi> I create everything offline
22:55 < pekster> The server never needs the client components; the server only needs its own keypair, the DH param file, and the CA cert (everything needs the CA cert)
22:55 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
22:55 < pekster> !intro_to_pki
22:55 <@vpnHelper> "intro_to_pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
22:56 < _FBi> and my ta.key
22:56 < pekster> That explains why the server does not need anything client related
22:56 < _FBi> do I ever need to update my servers CA cert ?
22:56 < pekster> Only if it expires or is compromised (CA compromise taints your whole security and requires that you re-do it all; thus you keep it secure)
22:57 < pekster> If just your server or a client is compromised, you can revoke and re-issue without damage to the rest of the PKI
22:57 < _FBi> with revoke
22:58 < _FBi> and revoke adds the cert to the CRL list
22:58 < _FBi> ?
22:58 < cesurasean1> is there a way to make an ASUS router tell me when the vpn is disconnected, or at least stop surfing internet when the vpn has disconnected?
22:58 < pekster> It merely marks it as revoked. You then need to produce a CRL (the signed revocation list) and do something useful wtih it
22:59 < pekster> See: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/EasyRSA-Readme.md#revoking-and-publishing-crls
22:59 <@vpnHelper> Title: easy-rsa/doc/EasyRSA-Readme.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
22:59 < _FBi> cesurasean1, I'm sure you could script something :)
22:59 < pekster> cesurasean1: Try the --down and --up-restart directives (consult the manpage for details) and a firewall hook
23:00 < _FBi> I'm out for the night.  thanks pekster you are a plethora of knowledge. :)
23:03 < cesurasean1> how do i do a firewall hook to do this though?
23:03 < cesurasean1> can you give me an example?
23:13 -!- tekzilla [~jon@e177176097.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds]
23:48 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has quit [Read error: Operation timed out]
23:49 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
23:56 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:56 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
--- Day changed Wed Apr 02 2014
00:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:30 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:09 -!- justinzane [~justinzan@12.172.184.180] has quit []
01:15 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
01:17 -!- lj [~l@74.120.200.95] has joined #openvpn
01:23 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
01:24 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:25 -!- lj1 [~l@192.241.174.169] has joined #openvpn
01:26 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 246 seconds]
01:33 -!- lj [~l@74.120.200.95] has joined #openvpn
01:34 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 264 seconds]
01:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:50 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
02:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:38 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-utyopvmbrpldeens] has joined #openvpn
02:46 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:50 -!- joako [~joako@opensuse/member/joak0] has quit [Excess Flood]
02:55 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:26 -!- rkantos [robin@4e.fi] has quit [Read error: Operation timed out]
03:29 -!- rkantos [robin@109.169.7.197] has joined #openvpn
03:45 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
03:45 -!- lj [~l@74.120.200.95] has joined #openvpn
03:47 -!- mattock is now known as mattock_afk
03:51 -!- indy [~indy@fantomas.bestit.cz] has quit [Remote host closed the connection]
04:02 < alexxtasi> !welcome
04:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:04 < alexxtasi> !ask
04:04 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
04:04 < alexxtasi> !logs
04:04 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
04:05 < alexxtasi> !configs
04:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:05 < alexxtasi> !howto
04:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
04:05 < alexxtasi> !route
04:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
04:06 <@vpnHelper> client
04:06 < alexxtasi> !redirect
04:07 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
04:07 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
04:12 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has joined #openvpn
04:16 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has joined #openvpn
04:16 < Proshot> Morning everybody
04:16 < alexxtasi> hi all!! In the howto page I see that there are two ways to "enable different firewall access policies for different groups of clients". 1-different OpenVPN daemons (with different policy settings) and 2- one OpenVPN daemon with enabling the learn-address ./script directive and making firewall changes through the script. -- Is there any other way to configure firewall settings and restriction per user or even per group of users access ?
04:17 < Proshot> I was wondering what happends if i use the same client key and certificate on two different devices, would that be a problem
04:20 -!- hash-afk [~hash@ip103.216-37-89.PNeT.Ro] has quit [Ping timeout: 246 seconds]
04:35 -!- ron_ [~ron@ppp118-210-90-92.lns20.adl2.internode.on.net] has quit [Ping timeout: 252 seconds]
04:37 -!- ron_ [~ron@ppp118-210-213-5.lns20.adl6.internode.on.net] has joined #openvpn
04:37 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
04:41 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
04:48 -!- MorgyN [~mig@island.morgyn.org] has quit [Quit: Lost terminal]
04:53 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:13 -!- Jippi [~cw@0607ds5-by.0.fullrate.dk] has joined #openvpn
06:19 < Jippi> Hi! I'm having trouble getting my openvpn box to provide a decent throughput (~250mbps) between two boxes, both on 1gbps connections. What I'm seeing is through OpenVPN I get ~25mbps throughput, and using raw sftp I get ~250mbps. During OpenVPN transmission there is no noticable CPU or IO load on the box at all. My configuration is here: https://gist.github.com/jippi/9932195
06:19 <@vpnHelper> Title: client.conf (at gist.github.com)
06:20 < Jippi> I've tried to read community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux as well, but applying any of these changes do not seem to improve anything
06:21 < Jippi> also, all iptables rules has been flushed
06:22 < Jippi> the vpn tunnel server is running inside a kvm instance on dedicated sandy bridge hardwarw, the client is running the biggest instance (20 cores) at digital ocean
06:22 < Jippi> i've tried to disable both ciphers and compression
06:24 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has quit [Remote host closed the connection]
06:24 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has joined #openvpn
06:27 < Jippi> i've got echo "1" > /proc/sys/net/ipv4/ip_forward  as well as iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
06:27 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has quit [Remote host closed the connection]
06:28 < Jippi> throughput just stalls at ~27Mbps
06:30 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has joined #openvpn
06:32 -!- You're now known as ecrist
06:43 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Ping timeout: 265 seconds]
06:43 -!- Roa [~roa@unixmexico/Roa] has quit [Ping timeout: 264 seconds]
06:48 < marsje> anyone any experiences raspberry pi + raspbian + openvpn?
06:48 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
06:52 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
06:53 -!- tekzilla [~jon@e177176216.adsl.alicedsl.de] has joined #openvpn
06:57 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
06:58 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 246 seconds]
07:12 -!- get [219@unaffiliated/get] has quit [Excess Flood]
07:12 -!- get [219@alpha.undeadlinux.org] has joined #openvpn
07:12 -!- get [219@alpha.undeadlinux.org] has quit [Changing host]
07:12 -!- get [219@unaffiliated/get] has joined #openvpn
07:23 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:28 -!- mattock_afk is now known as mattock
07:32 < svg> I suppose there is no way to have 2 or more openvpn instances (same server, same config except proto+port) to share ip pools?
07:33 < svg> .. or have 1 openvpn instance listen on ultiple sockets?
07:37 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
07:41 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:44 < Proshot> what happens when two devices connect to the same openvpn server with the same keys and certificates?
07:47 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
07:48 < svg> Proshot: depends on the config, I believe by default only one connection is allowed, so the former will be disconnected
07:48 < svg> but you can config to allow multiple configs
07:53 -!- lj [~l@95.sub-70-194-100.myvzw.com] has joined #openvpn
08:01 -!- lj [~l@95.sub-70-194-100.myvzw.com] has quit [Quit: Leaving.]
08:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
08:04 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:06 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit]
08:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
08:14 < Proshot> ok, thanks svg
08:14 < Proshot> be back later
08:14 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has quit [Quit: Leaving]
08:27 < alexxtasi> hi again!! In the howto page I see that there are two ways to "enable different firewall access policies for different groups of clients". 1-different OpenVPN daemons (with different policy settings) and 2- one OpenVPN daemon with enabling the learn-address ./script directive and making firewall changes through the script. -- Is there any other way to configure firewall settings and restriction per user or even per group of users access ?
09:33 -!- andygraybeal [~andy@151.213.206.234] has joined #openvpn
09:34 < andygraybeal> hey guys, is OpenVPN Access Server only come with two concurrent licenses?  the rest I have to buy?
09:34 < andygraybeal> oh nevermind i see #openvpn-as
09:39 < _FBi> and yes
09:41 -!- tekzilla [~jon@e177176216.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
09:43 < andygraybeal> thank you FBI
09:44 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has quit [Quit: Leaving...]
09:45 < _FBi> I thought it was like $6 a year per license.  But that's the other channel, not this one
09:53 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has joined #openvpn
09:54 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
10:01 < andygraybeal> cool thank you
10:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:05 < philipp__> FBi sry i went to bed yesturday and no its not a cpu issue. cpu is at 30-40%
10:13 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
10:15 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
10:16 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
10:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-utyopvmbrpldeens] has quit [Quit: Connection closed for inactivity]
10:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:27 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
10:40 < _FBi> philipp__, did you try a speed test from the RPI?
10:40 < _FBi> using wget and ssh into the RPI
10:41 < philipp__> FBi like i saied yesturday, i tried a speed test without vpn wich resulted in low cpu usage and 2.5 mbps, i tryied speed test with vpn wich resulted in medium cpu usage and 400kbps and i tried the vpn from my dektop wich resulted in 2.5kbps
10:41 < philipp__> 2.5mbps sry
10:42 < _FBi> pekster pretty much said the RPI sucks.  He's the man when it comes to OpenVPN.  (one of the many here)
10:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:45 < philipp__> to be honest im tired that noone takes this issue seriously. im not the only guy who has this. i found like A TON of threads in the internet asking for help with this problem but noone cares
10:49 < Jippi> philipp__: slow throughput from openvpn ? idle cpu ?
10:50 < philipp__> Jippi: yes... well not idle but definitely not the bottleneck
10:50 < Jippi> philipp__: got the same problem, 4% cpu load, 1/10th of the throughput of a raw scp between the same hosts (25mbps vs 250mbps)
10:50 < Jippi> spend 2 days on it so far
10:51 < Jippi> debian wheezy 7.4 on a kvm box
10:51 < philipp__> Jippi: i found various threads reporting the same problem. Interresting: the speend seems to be allways 10-20% of the normal no matter of the actuall mbps
10:52 < Jippi> yeah, tried more or less evertyhing
10:52 < Jippi> changing io scheduler, net scheduler, different kernels, interfaces, mtus and what not
10:52 < philipp__> Jippi: on what archtecture and what os do you have the problem?
10:52 < _FBi> Jippi, it can be your host drivers
10:53 < Jippi> debian 7.4, amd64
10:53 < _FBi> Jippi, 32bit OpenVPN has found faster speeds, too
10:53 < Jippi> _FBi: then why would an scp yield 10 times the throughput
10:54 < philipp__> Jippi: i am experienting the issue on a raspberry pi rasperian, amdv6... so the problem is not architecture related but may be related to debian
10:54 <@plai> philipp__: It is not that we don't care. But debugging a issue like that is extremely difficult to debug
10:54 <@plai> philipp__: are you using udp or tcp?
10:55 < Jippi> plai: wouldn't mind giving you rootz to debug the shizzle out of it
10:55 < philipp__> plai: udp
10:55 < Jippi> i've tried udp and tcp
10:55 < philipp__> Jippi: whats your version of openvpn?
10:55 < Jippi> -> dpkg -l|grep openvpn
10:55 < Jippi> ii  openvpn                            2.2.1-8+deb7u2                 amd64        virtual private network daemon
10:55 <@plai> and time consuming I might add
10:56 < Jippi> plai: super time consuming :) spend 2 days on it on my own so far :)
10:56 < philipp__> Jippi:  dpkg -l|grep openvpn
10:56 < philipp__> ii  openvpn                               2.2.1-8+deb7u2                         armhf        virtual private network daemon
10:56 < Jippi> i've even tried to disable ciphers and compression, didn't do squad
10:56 <@plai> openvpn --version
10:56 <@plai> OpenVPN 2.3_git [git:HEAD/+*]
10:56 <@plai> ;)
10:57 < Jippi> I'm not cool enough for that ;)
10:57 < philipp__> Jippi: there is one more think i would like you to check. i experienced when i wget a testfile IMEDIATLY after restarting openvpn the connection is fine for like 5 secs and slows down after. can you confirm?
10:58 < Jippi> philipp__: tried that, didn't happen for me :) it just ramped up slowly from very slow to ~10% of the scp throughput
10:58 < Jippi> which is expected
10:58 < Jippi> wondered if it was some kind of network contestion, but didn't look like it
10:59 < philipp__> Jippi: maybe its a bug of 2.2.1.8?
10:59 < Jippi> tried a few other debs, didn't help
11:01 < philipp__> Jippi: so what could we have in common that could cause the same issue on armv6 and amd64?
11:01 < Jippi> same origin source I guess :)
11:02 < Jippi> same ~kernel
11:02 < philipp__> Jippi: maybe debian related?
11:02 < Jippi> maybe, haven't tried other dists
11:03 < Jippi> I don't see that as an option :π
11:04 < philipp__> Jippi: my client.conf btw http://bpaste.net/show/4vhtnshm7BuwE8Z56juN/
11:04 < Jippi> mine https://gist.github.com/jippi/9932195 :)
11:04 <@vpnHelper> Title: client.conf (at gist.github.com)
11:04 < Jippi> well, one of many
11:05 -!- master_of_master [~master_of@p4FD7B422.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
11:06 < philipp__> Jippi: seems not to be caused by the conf i guess... we barely have anything in common
11:08 < philipp__> Jippi: ur time to make suggestions what could cause it! im running out of ideas :P
11:09 -!- master_of_master [~master_of@p4FD7B03D.dip0.t-ipconnect.de] has joined #openvpn
11:10 < philipp__> Jippi: uname -a plz
11:10 < philipp__> Linux raspberrypi 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux
11:10 <@plai> you should remove mute-replay-warnings
11:12 < philipp__> plai: did, where can i find the log?
11:13 <@plai> philipp__: ?!?!
11:13 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
11:13 <@plai> you are debugging openvpn since 2 days and don't know where the log is?
11:14 < philipp__> plai: i guess /var/log/syslog but im not sure if that is the right place to look
11:16 < bashusr> hi all, I have multiple clients connecting to my VPN server - some of those clients are single computer connections with redirect-gateway, while others are site to site bridge, while others are a single computer to the server. Is there any way to setup IPTables so that the single computer to the server is never able to talk to the host network? I'm using ip forwarding (not masquerade).
11:17 < philipp__> bashusr: im not sure if that is what you mean but this helped a lot for me https://www.privateinternetaccess.com/forum/index.php?p=/discussion/35/block-non-vpn-traffic-on-linux-with-iptables-protect-against-disconnect/p1
11:17 <@vpnHelper> Title: Block Non-VPN Traffic on Linux with iptables (Protect against Disconnect) - Privacy Online Forum (at www.privateinternetaccess.com)
11:19 < Jippi> philipp__: Linux vpn 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
11:20 < bashusr> philipp__, what's this trying to accomplish?
11:20 < bashusr> philipp__, that looks like something on the client side, not the server?
11:21 < philipp__> bashusr: its trying to stop the client from connecting directly to the internet when the vpn crashes. It achieves that by blocking all ips exept the one to the vpn provider
11:22 < bashusr> philipp__, yeah, i'm looking to protect the server's internal network from the 3rd single computer to server connection
11:23 < bashusr> basically, i want to disable all forwarding from those clients
11:25 < philipp__> bashusr: still not entirely sure what you mean but i think you gonna need a crash course on iptables. dont worry its not that hard as it sounds. You should be trough in like 5-10 min
11:26 < bashusr> philipp__, i'm using ip forwarding, i have 3 types of clients connected to my VPN server
11:26 < bashusr> 2 of the 3 types SHOULD have access to my internal network (192.168.x.x), 1 of them i do not want any access
11:27 < bashusr> i just want that to be able to connect to the server and communicate to the server
11:27 -!- Aliekezhi [~Aliekezhi@80.215.44.180] has joined #openvpn
11:28 < philipp__> bashusr: well sounds like the easiest way is to make a firewall rule on your server to block a certain port (the port ur last group is using)
11:29 < bashusr> philipp__, that makes no sense
11:29 < bashusr> i need to block any forwarding from those clients, blocking a single port won't help?
11:31 < philipp__> bashusr: no, lets iamginge the last group is using port 1234, now you can make a rule in the forward chain "for port 1234 to ip whatever throw away"
11:32 < bashusr> philipp__, the last group is VPNed to the server, there is no single por
11:32 < bashusr> port*
11:32 -!- Jippi [~cw@0607ds5-by.0.fullrate.dk] has left #openvpn []
11:33 < philipp__> hmm... no idea how to spot out the last group. i guess you will have to find a way. anyway iptables seems the right way to block them
11:35 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
11:35 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:39 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:55 -!- andygraybeal [~andy@151.213.206.234] has quit [Ping timeout: 240 seconds]
11:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:00 -!- dimitry7 [~antonello@38.124.174.31] has quit [Ping timeout: 260 seconds]
12:05 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
12:08 -!- dimitry7 [~antonello@38.124.174.31] has joined #openvpn
12:10 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has quit [Read error: Operation timed out]
12:14 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
12:14 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
12:20 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:29 -!- u0m3_ [~u0m3@109.96.136.13] has joined #openvpn
12:30 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:30 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has quit [Remote host closed the connection]
12:31 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 255 seconds]
12:33 -!- HobGoblin [~jaa@yatima.uukgoblin.net] has joined #openvpn
12:33 -!- HobGoblin is now known as Guest37104
12:33 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
12:34 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has joined #openvpn
12:34 -!- Guest37104 [~jaa@yatima.uukgoblin.net] has quit [Changing host]
12:34 -!- Guest37104 [~jaa@unaffiliated/uukgoblin] has joined #openvpn
12:38 -!- Netsplit *.net <-> *.split quits: AsadH, UukGoblin, @vpnHelper, exa, pa, lbft, Cr4zi3, u0m3, Guest81702, Hes,  (+1 more, use /NETSPLIT to show all of them)
12:38 -!- Latrina [~Latrina@adsl-ull-52-203.50-151.net24.it] has quit [Ping timeout: 252 seconds]
12:40 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
12:40 -!- Netsplit over, joins: lbft
12:40 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
12:42 -!- AsadH- [~AsadH@ZNC.HOPPED.CO.UK] has joined #openvpn
12:43 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:46 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
12:46 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
12:49 -!- Hes [AHO65@tunkki.fi] has joined #openvpn
12:56 -!- Guest37104 [~jaa@unaffiliated/uukgoblin] has left #openvpn []
13:12 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:13 -!- justinzane [~justinzan@12.172.184.180] has quit []
13:22 -!- athan [~athan@50-200-167-50-static.hfc.comcastbusiness.net] has joined #openvpn
13:22 < athan> hello folks, could someone help me with my openvpn set up?
13:23 < athan> my job has the server set up, I'm just trying to connect to it with a linux box
13:23 < athan> the server itself exports a "client.opvn" config file, and it takes care of all the complex stuff
13:24 < athan> the issue I'm having is that openvpn adjusts my routing table, and when I run `openvpn --config client.opvn`, it sets up another default gateway (the server)
13:24 < athan> what's weird, though, is that I can't even `ping` out eth0 (with ping -I eth0)
13:24 < athan> any ideas? I would really appreciate it!
13:27 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:28 < _FBi> are you pushing everything through your vpn?
13:29 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:30 < athan> I would rather not :/
13:30 < athan> I don't think the server is off net
13:30 < athan> er
13:30 < athan> I _do_ think that the server is off net - it has no internet connection
13:30 < _FBi> then disconnect when you're not using it :)
13:31 < athan> :/
13:31 < athan> what's weird, though
13:31 < athan> is that I can't ping the server
13:31 < _FBi> you'll need to wait for someone more knowledgeable than myself :P
13:31 < athan> when I'm connected to the vpn. Does the vpn turn the ip's into local ones? (172...)
13:31 < _FBi> ping 10.8.0.1 or w/e the address is?
13:31 < athan> yeah
13:31 < athan> thank you anyway :)
13:31 < _FBi> that doesn't work
13:31 < _FBi> ?
13:31 < athan> nope!
13:31 < athan> nothin
13:32 < athan> here one se
13:32 < athan> sec*
13:32 < athan> I'll try (my internet's gonna cut :P )
13:33 < athan> ><
13:33 < athan> yeah, no dice
13:34 < athan> so does a vpn turn the public IP addresses involved into private ones?
13:34 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
13:34 -!- riddle [riddle@76.72.170.57] has quit [Ping timeout: 245 seconds]
13:34 < athan> and makes a subset network through ssl?
13:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 264 seconds]
13:37 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
13:39 <@Eugene> !redirect
13:39 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:40 <@Eugene> A VPN by itself only provides a secured networking tunnel. You need to send traffic via that tunnel to "change your IP", as it is known.
13:40 -!- shanlar [~shanlar@50-73-55-209-static.hfc.comcastbusiness.net] has joined #openvpn
13:40 < athan> Eugene: I've seen from the Cisco docs that it's basically just an extension to ethernet frames
13:40 < shanlar> is it possible to limit a CN to only connect from a specific ip?
13:41 <@Eugene> Hm, where'd vpnHelpr go
13:41 < athan> Eugene: o.O
13:41 < _FBi> no idea
13:41 <@Eugene> Our bot is dead :-(
13:41 < _FBi> netsplit Eugene
13:41 <@Eugene> athan - kind of, not really.
13:41 < _FBi> * vpnHelper has quit (*.net *.split)
13:42 <@Eugene> So he has
13:42 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:42 < shanlar> !welcome
13:42 < shanlar> :(
13:42 <@Eugene> athan - openvpn(and other VPN software) encapsulates Layer 3(or possibly Layer 2) traffic inside of another carrier protocol, which is an encrypted stream of some sort. With openvpn this is UDP(optionally TCP), and a static-key communicated via a TLS handshake.
13:43 <@Eugene> We recommend that you only pass L3 traffic via UDP for performance reasons. 99% of the time you're passing TCP sessions over the link, and there are serious problems with TCP-in-TCP, and overhead with TCP-plus-Ethernet-Frames.
13:44 <@Eugene> But we let you do it, if you need to.
13:44 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:44 < athan> ahh! Awesome, thank you!
13:44 < athan> hmm
13:44 <@Eugene> You can also(again, not recommended) do a full "bridge" between two sites, making openvpn act as a really long ethernet cable between switches. That is horrible on performance, but sometimes its needed ;-)
13:45 < athan> Eugene: Very useful :) I take it you're a developer?
13:45 <@Eugene> "Power User"
13:46 < _FBi> Power Awesome!
13:46 <@Eugene> I POOP AT FULL POWER ONLY
13:46 <@Eugene> Wait, wrong channel.
13:46 < _FBi> no no, you were right the first time
13:47 < athan> hahaha
13:47 < athan> hmm
13:47 < athan> do you know a lot about... linux routing?
13:48 < _FBi> !routing
13:48 <@Eugene> More than I'm comfortable with, but less than I need.
13:48 <@Eugene> Silly _FBi.
13:48 < _FBi> WORST DAY EVER!
13:49 < athan> hahaha
13:50 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:50 < athan> Eugene: What happens if you have multiple default gateways on different interfaces?
13:50 < athan> do ambiguous requests go out both?
13:50 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
13:50 <@Eugene> All hell breaks looe.
13:51 < athan> then there's my issue :]
13:51 < athan> it's not easy to remove a route from the routing table, is it?
13:51 < athan> like
13:52 < athan> the system doesn't just automatically adjust to the new rules, right?
13:52 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
13:52 < athan> And isn't the routing table itself dynamically constructed from other daemons? ._.
13:52 <@Eugene> It sure does.
13:52 < athan> really? Hmm
13:53 < athan> because when I did a `route del default...`, they didn't get removed :/
13:53 <@Eugene> Probably aren't typing it correctly
13:53 <@Eugene> It'll let you delete a nonexistant route, because its a no-op ;-)
13:53 < athan> :)
13:54 < athan> hmm
13:54 <@Eugene> I'm guessing what you want to do is redirection, having a VPN to send all your traffic through
13:54 < athan> it didn't give any syntax error :/
13:54 <@Eugene> It doesn't.
13:54 < athan> ...not quite
13:54 <@Eugene> You have multiple ISPs?
13:54 < athan> well, actually
13:54 < athan> yeah
13:54 < athan> sure haha
13:54 < athan> I'll do that
13:55 < athan> no, only one
13:55 < athan> but I'd rather not have all my traffic route through Chicago to Denver :/
13:55 < _FBi> then only use the VPN when needed :)
13:55 <@Eugene> Then what you want is policy-based routing.
13:55 <@Eugene> Which is a pain.
13:56  * _FBi just made another cert, Boom!
13:56 < bashusr> can someone point me to a link or give me a refresher why openvpn uses multiple ip addresses for tun?
13:56 < _FBi> what do you mean?
13:56 < _FBi> the DHCP is giving you different IPs?
13:57 < _FBi> releasing you IPs?
13:57 < _FBi> day one 10.10.10.2  Day two 10.10.10.3  etc..
13:57 < _FBi> ?
13:57 < athan> Eugene: I'll just tear down openvpn when I don't need it then :)
13:57 < bashusr> _FBi, are you talking to me?
13:57 <@Eugene> A good idea.
13:57 < athan> Eugene: however, when I initiate the command, openvpn creates two default gateways ._.
13:57 <@Eugene> bashusr - if the bot was here, I'd point you at !/30
13:58 <@Eugene> http://openvpn.net/index.php/open-source/faq.html#slash30
13:58 < bashusr> yay
13:58 < bashusr> thanks
13:58 <@Eugene> But that link seems to have rotted, ugh
13:58 < bashusr> what??
13:58 < bashusr> how can links rot?
13:58 < bashusr> this is the internet!
13:58 < bashusr> ;-)
13:58 <@Eugene> http://openvpn.net/index.php/open-source/faq/community-software-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html
13:58 <@Eugene> tl;dr fu windows
13:58 < _FBi> ^
13:58 < athan> hahaha
13:58 < bashusr> reallly...
13:58 < bashusr> it's all because of windows?
13:59 < athan> have you used nixOs before, Eugene?
13:59 <@Eugene> Never heard ofi t.
13:59 < bashusr> sad, lots of openvpn networks don't even have a single windows client
13:59 <@Eugene> bashusr - yup, compatibility. Modern windows works with it, so use --topology subnet and then have ad rink
13:59 < athan> Eugene: It's really good for... long-lasting rigs that change often
14:00 < athan> Eugene: It's package management system is designed to be revertable and have multiple versions of any package installed at the same time
14:00 < athan> so nothing breaks!
14:00 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Read error: Operation timed out]
14:00 <@Eugene> Cool. I'll stick with Salt, though. Got enough invested in it.
14:00 < bashusr> Eugene, great reading
14:00 < bashusr> thanks
14:00 <@Eugene> Also it isn't its own distribution
14:00 < athan> Salt?
14:00 < athan> hmm
14:00 < bashusr> i wish google can read me my mind and give me these results
14:01 < bashusr> sometimes nothing can substitute a good human ;-)
14:01 < bashusr> i hope you are a human Eugene
14:01 <@Eugene> I AM BENDER, INSERT GIRDER
14:01 < athan> hmm!
14:01 < athan> is Salt like puppet?
14:01 < _FBi> under rated show -- Futurama (sp?)
14:04 < athan> Spelling is ohverateid
14:04 < athan> :P
14:04 <@Eugene> Yes, but Pythonist.
14:05 <@Eugene> And it's not under-. It's exactly as rated as it needs to be. Good show, but not ZOMG PERFECTI WANT IT LIKE FIREFLY
14:05 <@Eugene> (also, that's an overrated show. It was cancelled for a reason)
14:12 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
14:16 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-dxeaqhiseeewanuc] has joined #openvpn
14:17 -!- tekzilla [~jon@e177176216.adsl.alicedsl.de] has joined #openvpn
14:25 < marsje> what is this debug output that openvpn puts onmy screen: WRWRWRwrwrwRwR... etc
14:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
14:35 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:41 -!- i8c [~i7c@unaffiliated/i7c] has quit [Quit: oh no, why]
14:54 < athan> is there a declaration in client config files that tells openvpn to _not_ create a default gateway?
14:55 -!- joshh20-Away is now known as joshh20
14:57 -!- Devastatr [~devas@177.18.197.115] has quit [Changing host]
14:57 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
14:57 -!- Devastatr is now known as Devastator
14:58 -!- p3rror [~mezgani@41.143.230.147] has joined #openvpn
15:04 < reiffert> athan: only thing you could do is having your own up scripts clientside
15:05 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:06 < athan> hmm
15:06 < athan> sounds fun
15:08 < reiffert> Stick around for some time, my openvpn is a bit rusty.
15:08 < reiffert> Some other folks do know better
15:10 < reiffert> I'm sure you'll get all the details in the up script environment variables .. but if you also get the redirect-gateway def1 in there after pulling it from the server? Mhm.
15:10 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 255 seconds]
15:11 < reiffert> oh look at that
15:11 < reiffert>        --route-noexec
15:11 < reiffert>               Don't add or remove routes automatically.  Instead pass routes to --route-up script using environmental variables.
15:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:12 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:14 < athan> oh woah!!
15:15 < athan> Aweomse! Where did you find that info?
15:16 < reiffert> searching through the unix manpage :)
15:16 < reiffert> u on windows?
15:17 < reiffert> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
15:17 < reiffert> Excuse me, I'm on openvpn 2.1
15:17 < reiffert> http://openvpn.net/index.php/open-source/documentation/manuals/openvpn-21.html
15:19 < reiffert> the bot is brilliant too ... look
15:19 < reiffert> !welcome
15:19 < reiffert> the bot is brilliantly dead
15:19 <@krzee> athan, theres a couple ways, no way is overly simple (like if --ignore-redirect-gateway existed or something
15:19 <@krzee> !route_override
15:20 <@krzee> oh hah hes not there
15:20 <@krzee> 1sec
15:20 < reiffert> ignore redirect gateway? Sounds like some fency new options made it into openvpn?
15:20 <@krzee> no im saying such a thing does not exist
15:20 <@krzee> there is no method *that* easy unfortunately
15:21 <@krzee> you can ignore ALL routes and add the needed ones manually
15:21 <@krzee> or you can override the routes in the same way that def1 works
15:21 <@krzee> so if def1 is used then youd need 4 /2 entries to override the 2 /1 entries
15:23 < reiffert> but will redirect gateway actually push the two /1 routes?
15:25 <@krzee> yes, if def1 is used
15:26 < reiffert> I'd try --route-noexec with --route-up then
15:26 -!- mattock is now known as mattock_afk
15:27 <@krzee> ecrist,
15:27 <@krzee> WARNING 2014-04-02T15:27:12 Error connecting to asimov.freenode.net:6667:
15:27 <@krzee>         error: [Errno 1] Operation not permitted
15:27 <@krzee> im guessing your ipv6 is broken again
15:27 <@krzee> (vpnHelper)
15:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
15:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ
15:27 < reiffert> !welcome
15:27 <@krzee> oh fine, nevermind
15:27 <@krzee> hah
15:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:27 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:27 <@krzee> !route_override
15:27 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
15:28 <@krzee> !cidr
15:28 <@vpnHelper> "cidr" is http://www.oav.net/mirrors/cidr.html
15:30 <@krzee> route 0.0.0.0 192.0.0.0 net_gateway
15:30 <@krzee> route 0.0.0.0 192.0.0.0 net_gateway
15:30 <@krzee> route 64.0.0.0 192.0.0.0 net_gateway
15:30 <@krzee> route 128.0.0.0 192.0.0.0 net_gateway
15:30 <@krzee> route 192.0.0.0 192.0.0.0 net_gateway
15:30 <@krzee> oops, without the first one duplicated
15:30 <@krzee> those 4 entries would override redirect-gateway def1
15:31 <@krzee> probably the easiest way, and also certainly the ugliest in your routing table
15:31 <@krzee> haha
15:31 <@krzee> i gotta go, bbl
15:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:35 -!- eliasp [~quassel@HSI-KBW-134-3-243-224.hsi14.kabel-badenwuerttemberg.de] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
15:36 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has joined #openvpn
15:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
15:37 < athan> yeah
15:37 < athan> I have a feeling I'm gonna need to pull some magic tricks
15:38 < athan> thank you for your help, though!
15:38 < athan> But yeah, I'm on linux. I think I might set up a polocy-based routing system, or something along those lines if I can't easilly change openvpn's routine for setting up routes
15:39 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has quit [Remote host closed the connection]
15:42 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has joined #openvpn
15:59 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Read error: Operation timed out]
16:00 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:06 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mmlvjijqamqbiahm] has joined #openvpn
16:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 255 seconds]
16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:09 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
16:14 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
16:21 -!- Aliekezhi [~Aliekezhi@80.215.44.180] has quit [Quit: Leaving]
16:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-qkfloldcvgttcfhm] has quit [Ping timeout: 245 seconds]
16:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-gtebktjwxakiykvv] has joined #openvpn
16:25 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:26 -!- philipp__ [~philipp@chello084113015143.2.12.vie.surfer.at] has quit [Remote host closed the connection]
16:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:45 < _FBi> ERROR: Windows route add command failed [adaptive]: returned error code 1
16:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
16:49 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:50 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
16:51 -!- heraclitus__ is now known as halcyon
16:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
16:52 -!- halcyon is now known as heraclitus
16:52 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
16:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:59 < athan> _FBi: Don't use winblows :P
17:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:11 < Arr0way> hmm cant seem to get all traffic routing over my openvpn server on my macbook using tunnelblick
17:11 < pekster> You want:
17:12 < pekster> !redirect
17:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:12 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:12 < Arr0way> pekster: ive done that
17:14 < Arr0way> push "redirect-gateway def1"
17:14 < Arr0way> !def1
17:14 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
17:15 < pekster> There's a lot more in that setup and the helpful flowchart than that 1 directive
17:16 < Arr0way> hmm
17:16 < Arr0way> perhaps i need the directive on the client side also ?
17:16 < pekster> Read about what --push does in the manpage: a client in that setup would need --pull, or one of the helper-directives that includes it
17:17 < pekster> If you're still confused, follow the posting instructions in !configs (and mind the grep to remove comments/blanks)
17:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:18 < Arr0way> pekster: this is what i have done server side https://gist.github.com/Arr0way/64f37d5eeeef6bdce06e
17:18 <@vpnHelper> Title: gist:64f37d5eeeef6bdce06e (at gist.github.com)
17:20 < Arr0way> i've never had to put a pull directive in my configs before pekster, not when pushing routes etc
17:20 < pekster> THen it doesn't work
17:20 < pekster> --client implies --pull (manpage can again explain why)
17:20 < Arr0way> i already have that directive.
17:21 < pekster> When you figure out what I asked for the configs can be evaluated
17:21 < Arr0way> ill show you my configs.
17:21 < pekster> useful grep for you at:
17:21 < pekster> !configs
17:21 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:26 < Arr0way> pekster: server: https://gist.github.com/Arr0way/c0087242638cf872f623
17:26 <@vpnHelper> Title: OpenVPN server.conf (at gist.github.com)
17:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-dxeaqhiseeewanuc] has quit [Quit: Connection closed for inactivity]
17:28 < Arr0way> pekster: https://gist.github.com/Arr0way/92e8958f962a5e8474bf
17:28 <@vpnHelper> Title: OpenVPN client.conf (at gist.github.com)
17:28 < pekster> That doesn't work; you can't mix tun and tap like that
17:29 < Arr0way> whats advised
17:29 < pekster> tun unless you actually need to send raw non-IP Ethernet frames
17:29 < Arr0way> tun or tap, ive never really understood the difference, i thought it was just a name for the interface.
17:29 < pekster> !tunortap
17:29 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
17:29 <@vpnHelper> rooted/jailbroken) support only tun
17:29 < pekster> IP vs Ethernet
17:29 < Arr0way> ok tun should sifice.
17:29 < Arr0way> sufice
17:31 < pekster> line 17 in your client config is bogus, and line 18 only makes sense if you're performing user+pass validation on the server (you're not)
17:31 -!- marsje [~anonymous@2001:470:1f15:8fa::1] has left #openvpn []
17:32 < pekster> Additionally, line 15 is using the deprecated Netscape extensions. It'll work with the right cert extensions, but the modern way to do that is `--remote-cert-tls server`
17:33 < pekster> (and yes, the official howto samples do use that deprecated extension)
17:34 < Arr0way> ok ive updated those 3
17:34 < Arr0way> do you think they are related to my issue ?
17:35 < Arr0way> pekster: the encryption i've chosen, is it the best offered?
17:35 < pekster> Your configs were broken to the point of not working
17:35 < Arr0way> i see
17:36 < pekster> AES is fine. If you want higher security, consider hardening your PKI or TLS cipher-suite; reading at:
17:36 < pekster> !hardening
17:36 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
17:37 < Arr0way> so i made those changes, now it does not connect ;)
17:37 < pekster> It wouldn't have before either. tun & tap can't be used together
17:37 < Arr0way> it was connecting ;)
17:39 < Arr0way> haha
17:39 < Arr0way> i left the bogus IP in by accident...
17:39 < Arr0way> doh
17:40 -!- davidmp [~davidmp@149.255.100.107] has quit [Ping timeout: 264 seconds]
17:40 -!- miruoy_ [~quassel@d51A44BA8.access.telenet.be] has quit [Read error: Connection reset by peer]
17:40 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 240 seconds]
17:40 -!- miruoy [~quassel@d51a44ba8.access.telenet.be] has joined #openvpn
17:41 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
17:41 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 246 seconds]
17:41 < Arr0way>   pekster connecting, but trafic is still not routing via vpn
17:42 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
17:42 < Arr0way> I can't ping the vpn ip of the server.
17:43 < pekster> Firewall, or your connection hasn't actually been made
17:43 -!- _bt [~bt@mongs.yotm.com] has joined #openvpn
17:43 < Arr0way> local interface is still being called tap0   o.O
17:45 < Arr0way> pekster: nice working onw.
17:45 < Arr0way> was the tun / tap issue
17:45 < Arr0way> thanks
17:45 < Arr0way> :)
18:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:03 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:29 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
18:47 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:49 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:50 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
18:51 -!- p3rror [~mezgani@41.143.230.147] has quit [Ping timeout: 240 seconds]
19:00 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:04 -!- cteeto [~corey@cpe-65-27-129-15.cinci.res.rr.com] has joined #openvpn
19:06 < cteeto> Hey there, I am having problems using openvpn. After running the openvpn client (I am on linux), the output from the command looks like its working right, but when I try to browse the web im always stuck at "resolving host".
19:06 < cteeto> I am using a paid server from hidemyass
19:09 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
19:19 -!- cteeto [~corey@cpe-65-27-129-15.cinci.res.rr.com] has quit [Ping timeout: 240 seconds]
19:21 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Ping timeout: 268 seconds]
19:29 -!- joshh20 is now known as joshh20-Away
19:31 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has quit [Ping timeout: 255 seconds]
19:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:33 -!- cteeto [~corey@cpe-65-27-129-15.cinci.res.rr.com] has joined #openvpn
19:42 -!- athan [~athan@50-200-167-50-static.hfc.comcastbusiness.net] has quit [Ping timeout: 255 seconds]
19:48 -!- cteeto [~corey@cpe-65-27-129-15.cinci.res.rr.com] has quit [Ping timeout: 240 seconds]
19:55 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has joined #openvpn
19:59 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mmlvjijqamqbiahm] has quit [Quit: Connection closed for inactivity]
20:05 -!- u0m3_ [~u0m3@109.96.136.13] has quit [Read error: Connection reset by peer]
20:11 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
20:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
20:26 < _FBi> !def1
20:26 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
20:29 -!- Denial- [Denial@176.248.104.92] has joined #openvpn
20:31 -!- Denial [Denial@176.250.249.230] has quit [Ping timeout: 255 seconds]
20:31 -!- Denial- is now known as Denial
20:36 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
20:40 -!- cesurasean1 [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has left #openvpn []
20:41 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:52 -!- dimitry7 [~antonello@38.124.174.31] has quit [Ping timeout: 260 seconds]
20:56 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:05 -!- mardok45 [~mardok45@74-128-145-91.dhcp.insightbb.com] has joined #openvpn
21:06 < mardok45> Is there a way to assign a hostname to a client IP address, or does the OpenVPN server have to run a separate DNS server?
21:06 <@Eugene> !static
21:06 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
21:06 <@vpnHelper> also: !addressing
21:07 <@Eugene> The usual methid is to statically assign your VPN client IP addresses via CCD, and then have matching records in a DNS zone someplace
21:07 <@Eugene> This doesn't necessarily need to be run on the vpn server - you can (and arguably, ought to) put RFC 1918 addresses in public DNS zones, hosted on whatever provider your domain name is with.
21:08 < mardok45> Eugene: Yes, I have a static IP address assigned to the client, but very long story short, I need to assign a local domain name to it as well.  I guess that's not possible with OpenVPN?
21:08 <@Eugene> openvpn is not a DNS server in and of itself, no.
21:09 <@Eugene> Or do you mean you want to push the "dns" dhcp option?
21:09 < mardok45> Eugene: I saw the dns DHCP option.  If I have to run a DNS server as well, that's fine.  Thanks.
21:19 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:36 -!- tekzilla [~jon@e177176216.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
21:57 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:59 -!- mardok45 [~mardok45@74-128-145-91.dhcp.insightbb.com] has left #openvpn []
22:07 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
22:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
22:13 -!- dimitry7 [~antonello@201.141.134.178] has joined #openvpn
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:19 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
22:26 <@krzee> _FBi,
22:26 <@krzee> !winroute
22:26 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file or (#2) many users also report it helps to add route-delay to give the interface extra time to get up or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access or (#4) make sure you are running openvpn as admin or (#5) you might also want to see that
22:26 <@vpnHelper> and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
22:30 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
22:34 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has quit [Remote host closed the connection]
22:42 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
23:11 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
23:19 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 255 seconds]
23:27 -!- converge [~converge@unaffiliated/joaop] has quit [Ping timeout: 268 seconds]
23:28 -!- converge [~converge@189.7.3.101] has joined #openvpn
23:28 -!- converge [~converge@189.7.3.101] has quit [Changing host]
23:28 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
23:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:41 -!- tjz [~tjz@unaffiliated/tjz] has quit [Quit: quit irc]
23:55 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
23:55 < nrgskill> ya haa
23:55 < nrgskill> N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
23:56 < nrgskill> trying to get connected from dd-wrt to our openvpnas
23:56 < nrgskill> any idea on how to troubleshoot this?
--- Day changed Thu Apr 03 2014
00:00 < nrgskill> I have cookies...
00:01 < nrgskill> I changed the ip of the server and the dns name, should I re-create the CA certificate?
00:04 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Linkinus - http://linkinus.com]
00:13 < nrgskill> with the client is working, I can't get it working with dd-wrt
00:14 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:20 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hcepvvpvendaenxd] has joined #openvpn
00:31 -!- Devastatr [~devas@186.214.15.237] has joined #openvpn
00:32 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 265 seconds]
00:46 -!- newb123 [~Jonathan@64-79-125-252.static.wiline.com] has joined #openvpn
00:47 < newb123> Hi, I managed to configure openvpn for bridged and routed mode, but I'd like to know how openvpn assigns the ips. I wanted to know if it is possible to make the VPN Gateway a standard internet gateway where I have a seperate switch with other computers attached behind the VPN on a private nic?
01:01 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:02 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Read error: Connection reset by peer]
02:02 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
02:03 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has quit [Read error: Operation timed out]
02:04 -!- dren_ [dren@access.not.allowed.org] has joined #openvpn
02:04 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has joined #openvpn
02:05 -!- dren [dren@access.not.allowed.org] has quit [Ping timeout: 240 seconds]
02:06 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
02:09 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ajxwkxocgczsumma] has joined #openvpn
02:13 -!- Eneerge [eneergealt@unaffiliated/eneerge] has quit [Read error: Connection reset by peer]
02:13 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has quit [Ping timeout: 246 seconds]
02:14 -!- SpiceMan [~SpiceMan@209.54.61.227] has joined #openvpn
02:14 -!- Eneerge [eneergealt@unaffiliated/eneerge] has joined #openvpn
02:16 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:17 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has quit [Remote host closed the connection]
02:20 -!- newb123 [~Jonathan@64-79-125-252.static.wiline.com] has quit [Ping timeout: 240 seconds]
02:31 -!- dimitry7 [~antonello@201.141.134.178] has quit [Ping timeout: 260 seconds]
02:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hcepvvpvendaenxd] has quit [Quit: Connection closed for inactivity]
02:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
02:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:58 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
03:02 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
03:16 -!- newb123 [~Jonathan@c-24-6-80-199.hsd1.ca.comcast.net] has joined #openvpn
03:17 -!- newb123 [~Jonathan@c-24-6-80-199.hsd1.ca.comcast.net] has quit [Client Quit]
03:40 -!- tekzilla [~jon@e177176216.adsl.alicedsl.de] has joined #openvpn
03:52 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Read error: Connection reset by peer]
03:53 -!- psbrandt [~psbrandt@105-236-185-117.access.mtnbusiness.co.za] has joined #openvpn
03:53 < psbrandt> !nathack
03:53 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
03:53 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
03:55 -!- tekzilla [~jon@e177176216.adsl.alicedsl.de] has quit [Quit: leaving]
03:55 < psbrandt> Hi, is there a good way to solve the problem of your local network and your VPN network having the same IP subnet (without changing one of the IP ranges)?
03:59 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:59 < psbrandt> I was looking at that nethack page, but it doesn't seem to solve this exact problem.
04:03 <@Eugene> Yeah, change one.
04:06 < _bt> http://community.openvpn.net/openvpn/ticket/131
04:06 <@vpnHelper> Title: #131 (client management interface user authentication abort inconsistency) – OpenVPN Community (at community.openvpn.net)
04:06 < _bt> is anyone able to work on that?
04:11 <@plai> _bt: attaching a log from openvpn should help
04:13 < _bt> plai: there is no log file
04:20 < psbrandt> Eugene, thanks.
04:21 < nrgskill> exception in AuthDelegateProplist: credential username must not be empty
04:21 < psbrandt> Perhaps someone has experience with address translation?
04:21 < nrgskill> how to get rid of this? setting the client on dd-wrt
04:21 <@plai> _bt: starting openvpn with log /foo/bar/xy.log and verb 4 will create a logfile
04:22 <@plai> _bt: and addding a config file (without private data) to help reproduce the issue should help too
04:24 < _bt> ok so are you asking for a server side log?
04:24 < _bt> its the management interface on the client that is crashing
04:24 < _bt> (windows)
04:24 <@plai> _bt: no I am aksing for log and config of the crashing openvpn process
04:24 <@plai> if that is the client, then client's log and config
04:25 < _bt> okay, ill do that now..
04:28 < _bt> plai: log added
04:40 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:41 < _bt> plai: it seems to be related to GET_USER_PASS_NOFATAL
04:52 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Quit: Leaving]
05:02 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
05:03 < nrgskill> !welcome
05:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:03 < nrgskill> !howto
05:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:16 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has joined #openvpn
05:22 -!- br4ndon [~br4ndon@ns301087.ip-91-121-68.eu] has quit [Quit: br4ndon]
05:28 < nrgskill> AUTH: Received control message: AUTH_FAILED
05:28 < nrgskill> please help me with dd-wrt  client
05:30 < ChrisH> nrgskill: pw,certificate,key something is wrong
05:32 < nrgskill> this what the server says:
05:32 < nrgskill> exception in AuthDelegateProplist: credential username must not be empty: internet/defer:744,python/failure:338,auth/authpambase:23,python/threadpool:210,python/context:59,python/context:37,auth/authpam:14,auth/authbase:53,auth/authbase:36,python2.7/threading:783,python2.7/threading:810,python2.7/threading:763,python/threadpool:210,python/context:59,python/context:37,auth/authpam:14,auth/authbase:53,auth/authbase:36,util/error:61,util/error:44
05:33 < nrgskill> credentials (password only) is given to the client by: askpass /tmp/openvpncl/client.pwd
05:33 < nrgskill> and is in plaintext, no user is given
05:34 < nrgskill> I am using private client key
05:35 < nrgskill> It's almost 5 hours I getting mad with this..
05:35 < ChrisH> That logfile excerpt is client or server side?
05:35 < nrgskill> server side
05:36 < nrgskill> username is not identified anyway, looks like public/private client key are not recognized
05:38 < ChrisH> with your error I found: https://forums.openvpn.net/topic11804.html  and I am not deep enough into, but none of my openvpn servers uses python.Someone else must help here.
05:38 <@vpnHelper> Title: OpenVPN Support Forum Auth with certificates not working -> exception in AuthDeleg : Configuration (at forums.openvpn.net)
05:38 <@plai> _bt: hm what happens if simply abort the USER_PASS_QUERY?
05:39 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:39 < _bt> plai: what command could I issue to do that?
05:40 < nrgskill> I am using the virtual appliance, should I switch to a brand new installation?
05:40 <@plai> _bt: hm
05:41 <@plai> cancel seems only to be implemented for the needok stuff
05:42 <@plai> hm
05:50 -!- mete [~mete@91.247.253.160] has quit [Read error: Operation timed out]
05:59 -!- mete [~mete@91.247.253.160] has joined #openvpn
06:05 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:11 -!- tormen__ [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
06:12 < tormen__> Hi. I have a strange problem: I am starting a client and I keep getting : TCP/UDP: Socket bind failed on local address [undef]: Address already in use (because there is a server running an listening on the openvpn port 1194)) ... but why does the CLIENT want to bind to that port ?! :(
06:14 <@plai> !nobind
06:14 <@vpnHelper> "nobind" is Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
06:15 < tormen__> Thanks, I'll have a look !
06:16 < tormen__> I meant: Thanks ! - I'll have a look.
06:25 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast]
06:32 < tormen__> plai: I must still miss something here : Why does the client want to bind locally at all (to 1194) ?  A client is supposed to connect remotely to the server and that's it. No LISTENing involved. I have a 2nd client and it is doing exactly this.
06:33 <@plai> tormen__: history mostly
06:33 <@plai> you can have to openvpn "clients" in p2p and both with --remote
06:33 <@plai> connecting to each other
06:33 <@plai> which was the default mode for OpenVPN 1.x
06:34 <@plai> for tcp nobind is the default btw
06:38 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:39 -!- mode/#openvpn [+o krzee] by ChanServ
06:39 < tormen__> Ok here is the thing: I have 2 machines. Both debian, both the same version of openvpn (I just diffed the output of openvpn --version ;). I just copy the config opver the other machine and on one being in /etc/openvpn an openvpn my.conf does NOT bind on 1194 and on the other machine it does bind
06:39 < tormen__> That does not make sense :(
06:40 < tormen__> plai: I mean the same config should behave the same with the same openvpn, no ?
06:40 < tormen__> aaaaargh ^^
06:41 <@plai> tormen__: yes it should
06:41 < tormen__> I guess it must be EXTREMLY obvious ... but I just don't get it...
06:41 <@plai> are you sure that the other box does not bind to 1194?
06:41 < tormen__> I could show you via teamviewer ? :)
06:42 <@plai> Nah
06:42 < tormen__> Yes: netstat -tulpen|grep openvpn
06:42 <@plai> and what port does it use?
06:42 < tormen__> brings me nothing and netstat -tupen|grep openvpn shows me the client:random-port -> server:configured-port
06:43 <@plai> tcp or udp?
06:43 < tormen__> udp
06:43 <@plai> I know the socket code very well
06:43 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:43 <@plai> and without nobind + udp it will bind to the port
06:44 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast]
06:45 < tormen__> hmm
06:48 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:48 -!- mode/#openvpn [+o krzee] by ChanServ
06:49 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit]
06:51 < tormen__> plai: D*mn it... YES you are absolutely right! ... I got things mixed up between the screen sessions to the 2 machines and the 3 openvpn connections ... I have to appologize. I guess I should have eaten something a while ago :( ...
06:52 < tormen__> plai: THANKS a lot !!!
06:52 <@plai> tormen__: no problem
06:52 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:52 -!- mode/#openvpn [+o krzee] by ChanServ
06:56 -!- Mehran [~mehran@unaffiliated/mehran] has joined #openvpn
06:57 < Mehran> my openvpn established success on DD-WRT , but internet Traffic Route thorough old Gateway and not route in VPN
06:57 < Mehran> how route all Traffic to tunnel ?
07:06 -!- Mehran [~mehran@unaffiliated/mehran] has quit [Remote host closed the connection]
07:10 -!- Fruckiwacki- [fruckiwack@5.135.190.66] has quit [Ping timeout: 265 seconds]
07:10 -!- dvl [~dan@pdpc/supporter/active/dvl] has quit [Ping timeout: 265 seconds]
07:10 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 265 seconds]
07:10 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 265 seconds]
07:11 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
07:11 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
07:11 -!- lbft_ is now known as lbft
07:18 <@krzee> 13 minute flyby? maybe he figured it out on his own
07:27 < tormen__> Hi. I have another problem with mlock and chroot: I am getting an Out of memory the moment a client connects. README.DEBIAN + https://bugs.maemo.org/show_bug.cgi?id=8467 to apply a higher ulimit -l. I had already run into the problem and I had put a "ulimit -l 524288" into /etc/init.d/openvpn. This worked ... until I updated openvpn from2.2.1-8+deb7u2  to 2.3.2-7~bpo70+1. Now I have the Out Of Memory again and I already tried with "ulimit -l
07:27 < tormen__> 2097152" ...
07:27 <@vpnHelper> Title: Bug 8467 OpenVPN fails when --mlock specified (at bugs.maemo.org)
07:28 < tormen__> so do I need even more ulimit -l ?! ... I read somewhere that you need around 200k per client... so my 2MB should be sufficient for one client... I have done an strace -ff -v -T -e all -F -f openvpn my.conf: http://paste.debian.net/91414/
07:30 < tormen__> actually : I did a strace -ff -v -T -e all -F -f openvpn 01_server.my-domic.eu.conf to be precise ;)
07:32 < tormen__> I can upload the server and/or client config if needed
07:33 -!- Mehran [~mehran@unaffiliated/mehran] has joined #openvpn
07:33 < Mehran> my openvpn established success on DD-WRT , but internet Traffic Route thorough old Gateway and not route in VPN
07:34 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
07:34 < tormen__> Mehran: Where does your default route point to ?
07:35 < Mehran> tomrmen__ on dd-wrt is my cpe modem
07:36 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Operation timed out]
07:36 < tormen__> Mehran: http://www.kleinfelter.com/node/246
07:36 <@vpnHelper> Title: Routing All Traffic Over VPN Using OpenVPN and DD-WRT | Input Jam (at www.kleinfelter.com)
07:37 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
07:39 < Mehran> tormen__ yes i look at it , i must do section iptables right ?
07:39 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:39 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:39 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:40 < tormen__> Mehran: Look for "redirect-gateway"
07:41 < tormen__> krzee: I guess he tested and reconnected ;)
07:42 < Mehran> tormen__ redirect-gateway def1
07:43 < Mehran> i must put it in additional Config ?
07:43 < Mehran> i set it from GUI
07:43 < Mehran> Services , VPN
07:44 -!- mikemol [~mikemol@162.17.129.77] has quit [Ping timeout: 252 seconds]
07:49 < Mehran> tormen__ i add redirect-gateway def1 on additional Config but not connect to  VPN
07:51 < ACKNAK> !help
07:51 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
07:51 < ACKNAK> !welcome
07:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:53 < ACKNAK> !howto
07:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
07:56 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 252 seconds]
07:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ajxwkxocgczsumma] has quit [Quit: Connection closed for inactivity]
08:01 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:01 < tormen__> Hi. I have a server with mlock and chroot option (servers config: http://paste.debian.net/91426/). The server starts. When I connect with a client I get Out of Memory error and the server crashes.
08:01 -!- SpiceMan [~SpiceMan@209.54.61.227] has quit [Ping timeout: 255 seconds]
08:03 < tormen__> README.Debian + https://bugs.maemo.org/show_bug.cgi?id=8467 suggest that I need to increase the ulimit -l. I tried that. It did do the trick for openvpn 2.2.1-8+deb7u2. But with the current version 2.3.2-7~bpo70+1 the server keeps crashing the moment the FIRST client connects even with an "ulimit -l of 2097152".
08:03 <@vpnHelper> Title: Bug 8467 OpenVPN fails when --mlock specified (at bugs.maemo.org)
08:04 < tormen__> I did an strace -ff -v -T -e all -F -f openvpn 01_server.my-domic.eu.conf on the server: http://paste.debian.net/91414/
08:05 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
08:05 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has joined #openvpn
08:06 < tormen__> What can I do to resolv the Out of memory crash of the openvpn server ?
08:08 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has joined #openvpn
08:09 -!- _bt [~bt@mongs.yotm.com] has quit [Changing host]
08:09 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
08:09 -!- rightshift [~rightshif@41.85.8.91] has quit [Ping timeout: 240 seconds]
08:10 -!- synapt [NBishop@pdpc/supporter/monthlybronze/synapt] has joined #openvpn
08:13 -!- Devastatr [~devas@186.214.15.237] has quit [Changing host]
08:13 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
08:13 -!- Devastatr is now known as Devastator
08:13 < synapt> Is there any recent change to config style formats that would cause an imported .ovpn file to show the address (remote) as %S@%S (and subsequently attempt to connect to nothing due to it)?  I can paste the config but I'd have to remove address and a couple things out of it, but the config is pretty much identical to; https://openvpn.net/index.php/open-source/documentation/howto.html#client this format
08:13 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:14 < synapt> This is a Windows7 system with the latest OpenVPN client software from this page http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html as well
08:14 <@vpnHelper> Title: Client Packages (at openvpn.net)
08:14 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-vzmselfghevzpabn] has joined #openvpn
08:15 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
08:16 <@krzee> imported? what is importing it?
08:16 <@krzee> ohh
08:16 <@krzee> !as
08:16 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
08:16 < Mehran> how can i route all traffic to DD-WRT openvon ?
08:16 < synapt> OpenVPN client is Access Server? o.O
08:17 <@krzee> !download
08:17 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
08:17 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
08:17 < synapt> ah I guess it is
08:17 <@krzee> !website
08:17 <@krzee> hrm
08:18 <@krzee> not sure if theres a factoid for it, but we know the website is kinda misleading :/
08:18 < synapt> Indeed
08:18 < synapt> Well right off the home page it points to that "PrivateTunnel" thing :P
08:19 < synapt> I had to have someone else link me to the old windows OpenVPN Client thingy, lol, which is what I used before, but it the config file worked before
08:19 < synapt> I'll hit up the other chan, thanks :P
08:19 <@krzee> you would have to click "community"
08:19 <@krzee> well
08:19 <@krzee> if you want access server you want the other channel
08:19 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 252 seconds]
08:20 <@krzee> if you're connecting to a server running opensource openvpn you want to download the other app and be here
08:20 < synapt> Well I guess access server is what I used previously, and was designed for this ovpn file format, https://5vpn.net/img/img/tutorials/win7_openvpn/3.png <-- this thing here
08:20 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
08:21 < synapt> Is that access server?  wasn't entirely sure since it just said "OpenVPN client"
08:21 <@krzee> opensource uses .ovpn file format, but yes that app is access-server
08:21 < synapt> hm, let me try the community version then if it'll use the same file, maybe it'll load the format properly since access-server isn't
08:23 -!- Mehran [~mehran@unaffiliated/mehran] has quit [Remote host closed the connection]
08:24 < synapt> I'm assuming at the very least I should modify the ovpn config file to `dev tap` instead of `dev tun`?
08:24 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 240 seconds]
08:27 <@krzee> no
08:27 <@krzee> !tunortap
08:27 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
08:27 <@vpnHelper> rooted/jailbroken) support only tun
08:27 <@krzee> windows "tap device" does tun mode
08:28 <@krzee> tap is layer2 tun is layer3, they must match
08:31 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:34 -!- Aralucc10 [~Aralucc10@151.77.144.150] has quit [Ping timeout: 264 seconds]
08:35 -!- Aralucc10 [~Aralucc10@151.77.64.254] has joined #openvpn
08:37 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:38 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
08:39 < ACKNAK> !scripting
08:39 <@vpnHelper> "scripting" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
08:40 -!- Fusl [~Fusl@unaffiliated/fusl] has left #openvpn []
08:40 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
08:40 -!- regolith_ [~regolith@79.133.97.154] has joined #openvpn
08:40 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Ping timeout: 240 seconds]
08:42 < synapt> krzee: Ah gotcha
08:44 < synapt> "Exiting due to fatal error: WRWWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRRRRWRWRWWRRWRWR"
08:44 < synapt> lol what? o.O
08:44 < Thermi> W == Write, R == Read
08:45 < Thermi> No further meaning to that
08:45 < synapt> I thought that might have been it but, lol, for it to show up like that in the log, admittedly made me laugh a bit
08:45 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Remote host closed the connection]
08:49 < synapt> Hm, got it connected but now the other side isn't assigning me an IP properly, might be their side, guess time to poke them now
08:53 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
08:57 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 252 seconds]
08:59 -!- tormen0815__ [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
09:02 -!- tormen__ [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 240 seconds]
09:08 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:08 -!- dvl [~dan@nyi.unixathome.org] has joined #openvpn
09:09 -!- johanbr [~johanbr@vps.nullinfinity.org] has joined #openvpn
09:13 -!- johanbr [~johanbr@vps.nullinfinity.org] has quit [Ping timeout: 240 seconds]
09:24 < synapt> Ah bugger, still can't get this sucker to assign a DHCP, despite the fact it even shows it attempted to assign an IP in the log
09:24 < synapt> slightly odd
09:41 -!- regolith_ is now known as WRWWWWRRRWR
09:45 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:45 < tormen0815__> My mistake : I did some of my test without the ulimit being active ;) - Thanks again !! :)))
09:46 -!- dazo_afk is now known as dazo
09:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:55 -!- WRWWWWRRRWR [~regolith@79.133.97.154] has quit [Remote host closed the connection]
09:55 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
09:56 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:58 -!- tormen0815_ [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
10:02 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
10:02 -!- Pol [~macgyver@sog.polvanaubel.com] has joined #openvpn
10:02 -!- tormen0815__ [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 268 seconds]
10:03 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
10:03 -!- Pol [~macgyver@sog.polvanaubel.com] has quit [Changing host]
10:03 -!- Pol [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
10:07 -!- MacGyver [~MacGyver@unaffiliated/macgyvernl] has left #openvpn []
10:09 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 252 seconds]
10:10 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
10:16 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
10:17 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:17 -!- mode/#openvpn [+o mattock_afk] by ChanServ
10:17 -!- mattock_afk is now known as mattock
10:26 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
10:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:29 -!- mode/#openvpn [+v s7r] by ChanServ
10:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-vzmselfghevzpabn] has quit [Quit: Connection closed for inactivity]
10:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:50 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 246 seconds]
10:51 -!- psbrandt [~psbrandt@105-236-185-117.access.mtnbusiness.co.za] has quit [Quit: This computer has gone to sleep]
10:53 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
10:54 -!- MatthewsFace [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
10:54 -!- Latrina [~Latrina@adsl-ull-249-254.45-151.net24.it] has quit [Quit: Leaving...]
10:56 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has joined #openvpn
10:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
10:57 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:57 -!- mode/#openvpn [+v s7r] by ChanServ
11:01 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-vufetayeckhaoifz] has joined #openvpn
11:05 -!- tormen0815 [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
11:05 -!- tormen0815_ [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 268 seconds]
11:08 -!- master_of_master [~master_of@p4FD7B03D.dip0.t-ipconnect.de] has quit [Ping timeout: 268 seconds]
11:09 -!- master_of_master [~master_of@p4FF2434E.dip0.t-ipconnect.de] has joined #openvpn
11:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
11:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:28 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:32 -!- psbrandt [~psbrandt@196-210-247-30.dynamic.isadsl.co.za] has joined #openvpn
11:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:33 -!- mode/#openvpn [+v s7r] by ChanServ
11:33 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
11:34 -!- psbrandt [~psbrandt@196-210-247-30.dynamic.isadsl.co.za] has quit [Client Quit]
11:36 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:45 < GrecKo> hello what does the local do in 'push "redirect-gateway def1 local bypass-dhcp"'
11:46 < GrecKo> does it just prevent the route to the server being created in the routing table ?
11:57 -!- jmr` [~zero@bsdnode.org] has quit [Quit: leaving]
12:02 <@dazo> !man
12:02 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
12:15 -!- statarb3 [uid19902@gateway/web/irccloud.com/x-xyqzmkpvkobgupjd] has joined #openvpn
12:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:27 -!- cteeto [~corey@cpe-65-27-129-15.cinci.res.rr.com] has joined #openvpn
12:28 < cteeto> Does anyone else have issues with your cable modem/router rebooting when trying to use a VPN connection?
12:36 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has joined #openvpn
12:36 < freinhard> !welcome
12:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:38 < freinhard> firstgoal: setup openvpn, create certificates and login. done :) second goal: have clients on different subnets (that's covered by the howto with ccd and ifconfig-push). third goal: have a route between clients of each subnet. is this possible?
12:39 < freinhard> from the howto i've understood that it's possible to give clients a route to services visible to the server but not if it's possible to have a route between the clients
12:41 < freinhard> so i can't say what the effect of  "client-to-client" and "push 'route 10.8.2.0 255.255.255.0'" will be
12:42 < freinhard> woudl i have to setup that "push 'route.." for each client in the ccd folder?
12:43 < freinhard> !topology
12:43 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 240 seconds]
13:03 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
13:06 < n13l> hey all
13:06 < n13l> #openvpn-devel Cannot join channel (+r) - you need to be identified with services
13:06 < n13l> what i need to do ? :)
13:06 < n13l> thx
13:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-vufetayeckhaoifz] has quit [Quit: Connection closed for inactivity]
13:14 <@Eugene> Exactly what it says on the tin.
13:18 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
13:18 < d10n> !welcome
13:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
13:18 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:18 < d10n> !goal
13:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:21 < d10n> I want very high security. I notice that blowfish is the default cipher. Where is a list of supported ciphers? I've tried some from openvpn --show-tls and openssl ciphers -v with the same "Cipher algorithm not found" errors.
13:33 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has quit [Remote host closed the connection]
13:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:44 -!- heraclitus__ [~heraclitu@cpe-76-187-142-153.tx.res.rr.com] has joined #openvpn
13:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
13:47 -!- cteeto [~corey@cpe-65-27-129-15.cinci.res.rr.com] has quit [Ping timeout: 240 seconds]
13:47 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:47 -!- jmr` [~zero@badnode.org] has joined #openvpn
13:53 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
13:57 <@dazo> d10n: --show-tls shows ciphers used for the key exchange between client and server ... and --show-ciphers shows what can be used on the data channel
13:57 <@dazo> d10n: having that said ... blowfish is a very good algorithm, security wise and many trusts it more than AES
13:59 < d10n> thanks, dazo. https://en.wikipedia.org/wiki/Blowfish_%28cipher%29#Weakness_and_successors
13:59 <@vpnHelper> Title: Blowfish (cipher) - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:00 -!- heraclitus__ [~heraclitu@cpe-76-187-142-153.tx.res.rr.com] has quit [Quit: Ping timeout: 221 seconds]
14:00 <@dazo> d10n: notice that blowfish has issues on *weak keys* ... within OpenVPN, you don't decide the key itself, and if using 256 bits, it's a strong key
14:00 <@dazo> But I'd like to see support for twofish and threefish
14:01 < d10n> I see, thank you
14:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:02 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
14:02  * Eugene wants redfish and bluefish
14:02 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:03 <@dazo> d10n: on a side note ... the strengths of blowfish is that it's strictly bound to the CPU speed (how many cycles it does per time unit) ... while AES can perform far better if you have a hardware accelerator (which is fairly common on in Intel i5 and i7 CPUs)
14:04 <@dazo> OpenVPN can make use of the CPU accelerator for AES, by providing --engine aesni ... if your CPU supports AES-NI
14:06 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has joined #openvpn
14:12 -!- me [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
14:12 -!- me is now known as Guest6176
14:15 -!- tormen0815 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 240 seconds]
14:17 < d10n> !/30
14:17 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
14:17 <@Eugene> Hey, bot's back!
14:17 <@Eugene> !botsnack
14:17 <@vpnHelper> "botsnack" is Om nom nom!
14:17 < d10n> haha
14:18 < d10n> !topology
14:18 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:18 < d10n> !iporder
14:18 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
14:23 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:23 -!- statarb3 [uid19902@gateway/web/irccloud.com/x-xyqzmkpvkobgupjd] has quit [Quit: Connection closed for inactivity]
14:25 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:31 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
14:32 < d10n> !sample
14:32 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:42 < freinhard> !botsnack
14:42 <@vpnHelper> "botsnack" is Om nom nom!
14:42 < freinhard> do i need /dev/tap for a route between clients with "client-to-client" ?
14:47 < d10n> Is this bad? TLS_ERROR: BIO read tls_read_plaintext error: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size -- server.conf http://sprunge.us/OTFZ ; client.conf http://sprunge.us/ceBK ; server log https://dpaste.de/f7bG#L27
15:00 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:01 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Remote host closed the connection]
15:03 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:11 <@dazo> freinhard: you need the tun/tap adapter, yes ... that's how openvpn can read/write network packets and ship them to the remote side
15:12 <@dazo> !configs
15:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:12 <@dazo> d10n: please repost your configs (as described ^^^) ... I'm not willing to look at 90% comments
15:12 <@dazo> !logs
15:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:13 <@dazo> d10n: also, please increase your log level to at least 4
15:13 < d10n> OK
15:15 < freinhard> dazo: http://paste.kde.org/pxkegkhvt i've got /dev/tun but no /dev/tap (shared virtual host)
15:16 <@dazo> freinhard: ahh, that sounds right ... both tun and tap devices are controlled via /dev/tun
15:17 < freinhard> maybe i should define my goal again:
15:18 < freinhard> clients on subnet should be able to access each other
15:21 <@dazo> freinhard: It's a long time since I've configured that ... but I usually tend to _not_ use --client-to-client and actually do the firewalling on the VPN server (on Linux, that's the FORWARD iptables chain in this case)
15:21 < synapt> What might be possible issues that cause the OpenVPN client to not pull a proper DHCP in the adapter?  Like the OpenVPN client in the task tray shows a proper "Assigned IP:" value, but the adapter then pulls a DHCP-failed address (eg; 169.254.126.210)
15:21 <@dazo> with client-to-client enabled on the server, packets going from a client to another client, will be tackled by OpenVPN and not the OS kernel
15:21 < synapt> Could that actually be something on my side or is that more likely the server side?
15:22 <@dazo> synapt: is this on Windows?
15:22 < synapt> Indeed, with the 'Community' version of OpenVPN
15:23 < synapt> I switched to it earlier when I couldn't get the old "AS" client thing working (that thing wouldn't even read an .ovpn file properly, let alone connect, this at least connects, just doesn't get the DHCP properly)
15:23 < synapt> let me snag the log file
15:24 <@dazo> I honestly don't know much about Windows ... other than I've made it work for several of my clients without issues (on Win7) .... but have a look at the log file OpenVPN GUI grabs for you ... and increase logging to verb 4
15:24 < synapt> it's actually set to 5 in the .ovpn file
15:24 <@dazo> okay, that's a bit aggressive in this case
15:24 < synapt> it's what they gave me, lol
15:25 <@dazo> (iirc, you'll get all those rWRw .... which isn't really useful now)
15:25 < synapt> See I used to (successfully) use the old OpenVPN "as-client" thingy or whatever, with this same exact config file oddly, with exception of an IP change
15:26 <@dazo> could be you have to try to remove openvpn and the TUN/TAP driver ... and reinstall openvpn ... could be driver conflict, but first lets see what the log file says
15:26 < synapt> but I reinstalled it yesterday as this is a new windows install, but when I load the .ovpn file into that it shows the address as %S@%S, like it won't read the remote line properly, this community version of OpenVPN however reads it fine and connects, even shows the proper assignment IP in the status, just fails at DHCP then
15:27 < synapt> but yeah once sec, let me log it, I just need to remove some of the less-important things due to NDA (Address and SSL cert details)
15:27 <@dazo> did you ensure the TUN/TAP driver got removed and did a reboot inbetween?
15:27  * dazo don't look at redacted logs
15:27 < synapt> Did not do a reboot, but I hadn't ever needed to do one previously, so didn't think of it specifically, and the TAP driver did install with it
15:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:27 < synapt> well unfortunately I either have to redact the IP I'm connecting to and the SSL exchange info (since it also has the address) or I can't share it
15:28 <@dazo> okay, then I can't help you .... seriously, there's nothing secret about IP addresses
15:28 < synapt> I can say with certainty that neither of those should be related to not being able to DHCP though, if it is then I think there's something worse off in the client than I thought :P
15:28 < synapt> Yes well nevermind then, I'll wait for someone else who understands the concept of what an NDA implies :P
15:29 -!- synapt was kicked from #openvpn by dazo [synapt]
15:29 -!- synapt [NBishop@pdpc/supporter/monthlybronze/synapt] has joined #openvpn
15:29 -!- synapt was kicked from #openvpn by dazo [synapt]
15:29 -!- synapt [NBishop@pdpc/supporter/monthlybronze/synapt] has joined #openvpn
15:29 < synapt> Seriously? o_O
15:29 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
15:30 -!- mode/#openvpn [+b *!*@pdpc/supporter/monthlybronze/synapt] by dazo
15:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:30 -!- mode/#openvpn [+v s7r] by ChanServ
15:30 < d10n> SSL3_GET_MESSAGE:excessive message  https://gist.github.com/anonymous/527e81554eec3060b136
15:30 <@vpnHelper> Title: client.conf (at gist.github.com)
15:31 < d10n> (the link includes the client and server configs and logs (level 5)
15:31  * dazo looks
15:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
15:32 < freinhard> dazo: but shouldn't i be able to ping the openvpn server at least?
15:32 <@dazo> freinhard: yes, if you allow icmp echo on your tun/tap interface in your server firewall (in iptables terms, that's the INPUT chain)
15:33 <@dazo> d10n: looks like some issues with your client certificate
15:34 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has joined #openvpn
15:34 <@dazo> d10n: maybe you use a server certificate on the client side?
15:34 < d10n> let me double-check
15:36 <@dazo> hmm ... nope ... I misread/mixed client/server logs
15:36 < d10n> the certificates appear to be in order. Might it matter that I'm using 15360 key size?
15:36 <@dazo> lol
15:36 < pekster> That's very silly
15:36 < pekster> !hardening
15:36 <@dazo> yeah, that is definitely extreme
15:36 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
15:36 <@dazo> d10n: you can use 4096bits without needing to fear much
15:37 < pekster> It _might_ work (iif all the involved libs can process them) but it's pontless.)
15:37 < pekster> And yea, IMO even 4096 is overkill from a security standpoint (far better security can be had with 2048 - 3072 sizes with lower validity time, for instance)
15:37 < pekster> But up to 4096 is at least commonly supported everywhere ;)
15:38 <@dazo> pekster++
15:38 < d10n> I will try with 4096 key size
15:41 <@dazo> d10n: the purpose of the key/certs is to negotiate a temporary encryption key between the client and server ... and since the key exchange process is very CPU intensive (due to asymmetric encryption), the PKI keys shouldn't be too big (4096bits is considered very safe).  The tunnel data uses a symmetric encryption (using the temporary key), and currently 256bits is the longest key length possible
15:42 <@dazo> symmetric encryption on the other hand is _not_ CPU intensive at all, and goes really fast
15:42 <@dazo> (and 256bits symmetric is far stronger than 1024bit RSA based PKI keys)
15:44 < d10n> I see, thanks
15:45 < pekster> BF can actually use keys up to 448, which is why the "v2" tls-auth keys are 2048 bits (providing 512 bits for encrypt/signing in each direction, or 512 * 2 * 2)
15:46 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oioblalvcmqbmzob] has joined #openvpn
15:46 <@dazo> pekster: does openssl support it?
15:46 < pekster> Yes, more than 448 might be non-standard though
15:46 <@dazo> interesting ... I stand corrected :)
15:47 < pekster> I don't think it's all that useful though, TBH. It would be cool to see something like twofish supported, but I haven't even looked at the code to see what needs to happen for openvpn
15:48 <@dazo> pekster: for twofish support, I believe it should be generally be enough to get the support into openssl
15:48 < pekster> Should already be there on most modern systems IIRC
15:48 <@dazo> for gost and elliptic curve stuff, some adjustments are needed to openvpn ... as they work somewhat differently than the common openssl ciphers
15:49 <@dazo> afaik, it's not available in openssl-1.0.1e-37.fc19.x86_64
15:49 <@dazo> (not the newest, but fairly new)
15:50 < pekster> hmm, right you are. I must be confusing the big black box known as "OpenSSL" with more modern projects, like GPG :P
15:50 <@dazo> :)
15:51 < pekster> s/black/open but very murky/
15:51 <@dazo> heh :)
15:51  * dazo checks polarssl
15:52 <@dazo> nope
15:53 <@dazo> blowfish is actually quite trivial ... https://polarssl.org/blowfish-source-code
15:53 <@vpnHelper> Title: Blowfish Source Code (BF) - PolarSSL (at polarssl.org)
15:53 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 28.0/20140314220517]]
15:54 < freinhard> is there a copy paste howto for this? http://community.openvpn.net/openvpn/wiki/263-openvpn-can-ping-both-peers-but-i-cant-reach-any-of-the-other-machines-on-the-remote-subnet
15:54 <@vpnHelper> Title: 263-openvpn-can-ping-both-peers-but-i-cant-reach-any-of-the-other-machines-on-the-remote-subnet – OpenVPN Community (at community.openvpn.net)
15:54 < freinhard> i don't get it but i guess i should get some sleep before i try again
15:55 <@dazo> freinhard: try to get some sleep ... that wiki page is actually quite straight forward
15:56 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-qkdaahhiyigdtemu] has quit [Read error: Operation timed out]
15:56 < freinhard> thx any ways, you're all superb :)
15:56 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-xwhnphasatrmzmhh] has joined #openvpn
15:56 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has quit [Quit: leaving]
16:05 -!- mikemol [~mikemol@162.17.129.77] has quit [Quit: Leaving.]
16:06 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
16:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:24 < n13l> #openvpn-devel Cannot join channel (+r) - you need to be identified with services
16:24 < n13l> what i need to do ? :)
16:26 < pekster> n13l, the Freenode network has an FAQ for that: http://freenode.net/faq.shtml#nicksetup
16:26 <@vpnHelper> Title: freenode: frequently-asked questions (at freenode.net)
16:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
16:39 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has joined #openvpn
16:52 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has quit [Ping timeout: 240 seconds]
16:53 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
16:55 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
16:56 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has joined #openvpn
17:01 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has quit [Remote host closed the connection]
17:04 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:63:1] has joined #openvpn
17:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
17:14 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:15 -!- dvl [~dan@nyi.unixathome.org] has quit [Changing host]
17:15 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
17:27 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
17:47 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 265 seconds]
17:50 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:50 -!- mode/#openvpn [+o dazo] by ChanServ
17:54 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:57 -!- MatthewsFace [~mspah@50-78-45-146-static.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
18:04 <@dazo> n13l: register yourself as freenode user
18:05 -!- sumkindaseal [~sumkindas@cpe-108-184-154-132.socal.res.rr.com] has joined #openvpn
18:05 < sumkindaseal> any1 here?
18:06 <@dazo> nope
18:07 < sumkindaseal> daaaaaazo
18:07 < sumkindaseal> help
18:07 < sumkindaseal> i cant conect w out CA
18:07 < sumkindaseal> but the server doesnt have it
18:08 <@dazo> ehm ... you cannot connect without a CA certificate, that's technically impossible.  It's how OpenVPN is designed to work in server/client mode
18:08 < sumkindaseal> i know
18:08 < sumkindaseal> but hear me out
18:08 < sumkindaseal> ok so
18:08 < sumkindaseal> the server ppl gave me pass and username
18:09 <@dazo> !welcome
18:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
18:09 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:09 < sumkindaseal> so i added auth-user-pass
18:09 < sumkindaseal> this
18:09 < sumkindaseal> now it asks me for user and pass
18:09 <@dazo> start with reading !welcome carefully ... share server and client configs and logs files from both
18:09 < sumkindaseal> at least
18:10 < sumkindaseal> i dont have the server omfg
18:10 <@dazo> okay, then talk to your server people who provided this
18:10 < sumkindaseal> they are teling me CA is not needed
18:10 <@dazo> this is a channel where we help people who also control servers ... as server and client configs are tightly connected
18:10 <@dazo> ask them for a working config file
18:11 < sumkindaseal> they said talk to the guy who conected from windws 8
18:11 < sumkindaseal> he said i jus conected
18:11 < sumkindaseal> w user and pass
18:11 < sumkindaseal> and host i[
18:11 < sumkindaseal> ip
18:12 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:12  * dazo heads out  (it's 1 am where I am)
18:12 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has joined #openvpn
18:12 -!- dazo is now known as dazo_afk
18:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:22 -!- octocodercat [octocoderc@unaffiliated/octocodercat] has joined #openvpn
18:22 < octocodercat> Can OpenVPN run in 128MB RAM?
18:45 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:58 < pekster> OpenVPN only needs about 10-20MB, though you'll need more if you plan to have more than that for more than just a few clients
18:58 < octocodercat> pekster, Even on 64 bit systems?
18:59 < pekster> That's got very little to do with anything here
18:59 < octocodercat> pekster, Actually several people I asked said that on 64bit systems the resource consumption of OpenVPN was significantly higher than that of 32bit systems
19:00 < pekster> 128M is far more than you need to "use openvpn"
19:00 < pekster> !goal
19:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:01 < pekster> The less vauge you are about what you're trying to do the more useful further answers will be
19:03 < octocodercat> I want a secure connection between 3-5 computers and internet access over OpenVPN
19:04 < pekster> 128MB is plenty then, though if that's all you have _total_ you shold select a small footprint OS
19:05 < octocodercat> Will Ubuntu Server 64-bit suffice?
19:05 < pekster> 'eh, maybe, but if that's all you have why not go with a distro designed for small memory usage? Maybe look at Alpine Linux (I've used it as a router in lab environments before, and generally only give it 64MB for basic needs)
19:06 < pekster> ubuntu is not the model of small-footprint
19:08 < pekster> OpenVPN itself only consumes about 5-10MB, plus maybe 600-800k per client, give or take
19:08 < pekster> Your issue is really "what distro do I use", and openvpn cares not
19:08 < pekster> !bestos
19:08 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
19:09 -!- u0m3 [~u0m3@109.96.136.13] has joined #openvpn
19:11 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 240 seconds]
19:11 < octocodercat> pekster, Let me see if I can even do something other than Ubuntu
19:12 < pekster> Or spend 2 minutes searching the web?
19:12 < pekster> https://lmddgtfy.net/?q=ubuntu%20server%20minimum%20requirements
19:12 <@vpnHelper> Title: Let Me DuckDuckGo That For You (at lmddgtfy.net)
19:12 < sumkindaseal> gaize
19:12 < sumkindaseal> HEEEEEEELP
19:12 < octocodercat> pekster, It's a cheap VPS
19:12 < octocodercat> I'm limited to what I can choose
19:13 < sumkindaseal> i cant conect w out CA cert
19:13 < pekster> And this prevents you from using a search engine how?
19:13 < pekster> I'm confused
19:14 < octocodercat> oh nvm
19:14 < pekster> Apparently that's "Recommended", so YMMV. My point is this isn't an openvpn problem at all
19:14 < pekster> What you need is "about 10MB of available memory for openvpn to consume." What OS you install and how you ensure that much RAM is available is completely up to you
19:19 < octocodercat> okay, thanks
19:23 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep.]
19:32 -!- Pol [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
19:32 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
19:34 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has quit [Remote host closed the connection]
19:35 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Client Quit]
19:36 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
19:38 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Client Quit]
19:39 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
19:50 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
19:50 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
19:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-oioblalvcmqbmzob] has quit [Quit: Connection closed for inactivity]
20:01 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has joined #openvpn
20:13 -!- Latrina [~Latrina@ppp-25-10.26-151.libero.it] has quit [Remote host closed the connection]
20:24 -!- sumkindaseal [~sumkindas@cpe-108-184-154-132.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
20:27 -!- Denial- [Denial@90.214.34.101] has joined #openvpn
20:28 -!- Denial [Denial@176.248.104.92] has quit [Ping timeout: 240 seconds]
20:28 -!- Denial- is now known as Denial
20:34 -!- mspah_ [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
20:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:50 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
20:52 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:53 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
20:55 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
21:05 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
21:06 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
21:10 -!- Olipro_ [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
21:10 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
21:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:13 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:13 -!- Olipro_ is now known as Olipro
21:17 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
21:17 -!- megaTherion [~therion@unix.io] has quit [Read error: Connection reset by peer]
21:19 -!- megaTherion_ [~therion@unix.io] has joined #openvpn
21:24 < d10n> !route
21:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
21:28 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:47 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:58 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:16 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 252 seconds]
22:54 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
23:23 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 246 seconds]
23:31 -!- hobosteaux [~hobosteau@c-24-19-150-110.hsd1.wa.comcast.net] has left #openvpn []
23:43 -!- kirin` [telex@gateway/shell/anapnea.net/x-gtebktjwxakiykvv] has quit [Ping timeout: 240 seconds]
23:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-zvkkienlajbtpcsi] has joined #openvpn
23:57 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
--- Day changed Fri Apr 04 2014
00:29 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-sijmuhglmnitzxbo] has joined #openvpn
00:53 -!- megaTherion_ [~therion@unix.io] has quit [Ping timeout: 240 seconds]
00:59 -!- megaTherion [~therion@unix.io] has joined #openvpn
01:07 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 245 seconds]
01:15 -!- mattock is now known as mattock_afk
01:17 -!- mattock_afk is now known as mattock
01:23 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
01:26 < MACscr> ok, so i have a an named Viscosity on my OSX system that works as my openvpn client. Works great with the connection to my openvpn server on my pfsense router. Now I am trying to setup another vpn connection to a dd-wrt enabled router that has an openvpn daemon. I need to generate the proper server and client certificates. Can i simply generate these with openssl?
01:40 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:41 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:42 -!- maestrojed [~maestroje@c-98-246-149-230.hsd1.or.comcast.net] has joined #openvpn
01:48 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:12 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:21 -!- nrgskill [~nrgskill@bba66533.alshamil.net.ae] has joined #openvpn
02:38 -!- nrgskill [~nrgskill@bba66533.alshamil.net.ae] has quit [Ping timeout: 240 seconds]
02:41 -!- nrgskill [~nrgskill@bba66533.alshamil.net.ae] has joined #openvpn
02:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-sijmuhglmnitzxbo] has quit [Quit: Connection closed for inactivity]
02:48 -!- nrgskill [~nrgskill@bba66533.alshamil.net.ae] has quit [Ping timeout: 240 seconds]
03:00 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-bmjgbjhmjtsthyle] has joined #openvpn
03:00 -!- alexxtasi [~alex@150.140.12.90] has joined #openvpn
03:01 -!- alexxtasi [~alex@150.140.12.90] has quit [Changing host]
03:01 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:16 -!- makara [~makara@41.164.22.218] has joined #openvpn
03:19 -!- Aralucc10 [~Aralucc10@151.77.64.254] has quit [Ping timeout: 252 seconds]
03:22 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
03:39 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
03:42 -!- maestrojed [~maestroje@c-98-246-149-230.hsd1.or.comcast.net] has quit [Quit: Computer has gone to sleep.]
03:54 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Ping timeout: 246 seconds]
04:11 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
04:54 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 264 seconds]
05:09 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 240 seconds]
05:11 -!- nrgskill [~nrgskill@bba66533.alshamil.net.ae] has joined #openvpn
05:15 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
05:16 -!- nrgskill [~nrgskill@bba66533.alshamil.net.ae] has quit [Client Quit]
05:31 -!- bosnjak [~bosnjak@wr-zip.cpe.iskon.hr] has joined #openvpn
05:31 < bosnjak> hi all
05:32 < bosnjak> i am having issues with connecting to my vpn. sometimes it seems to work, sometimes not. I am now getting this error: http://pastie.org/8993767
05:33 < bosnjak> can anyone help with this? the certificate is valid from 2011 to 2030, so i am not sure what this means
05:34 < bosnjak> http://pastie.org/8993772
05:38 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
05:45 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
05:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:48 <@krzee> bosnjak,
05:48 <@krzee> !time
05:48 <@vpnHelper> "time" is if you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
05:49 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:49 < bosnjak> krzee: yes, just figured out it might be some issue with that, ill get back with more info, thanks
05:50 <@krzee> cool, goodluck =]
05:50 <@krzee> !certinfo
05:50 <@vpnHelper> "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
05:50 <@krzee> ^ if you need to inspect the cert =]
05:50 < bosnjak> krzee: great, thanks!
05:54 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
05:57 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
06:01 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Client Quit]
06:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:16 -!- makara [~makara@41.164.22.218] has joined #openvpn
06:28 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
06:30 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
06:37 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:41 <@krzee> !winroute
06:41 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file or (#2) many users also report it helps to add route-delay to give the interface extra time to get up or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access or (#4) make sure you are running openvpn as admin or (#5) you might also want to see that
06:41 <@vpnHelper> and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
06:41 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
06:47 <@krzee> !winadmin
06:47 <@krzee> !win_admin
06:47 <@krzee> !factoids search admin
06:47 <@vpnHelper> 'ssl-admin', 'win_noadmin', and 'ssl-admin 1'
06:47 <@krzee> !factoids
06:47 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
06:55 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:55 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
06:56 < c0ded> !welcome
06:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:58 < c0ded> id like to use my openvpn client to access the internet, now ive been doing this for a while actually, using the openvpn-client.msi that just installs that little client thing and i drop my .ovpn files in config and good to go, but it came across my attention that that version of the client isnt the real open source open vpn
06:58 -!- riddle [riddle@us.yunix.net] has joined #openvpn
06:58 < c0ded> and even heard rumors of nsa sniffing ppl using that app, so what id like to do is setup the open source 2.3.3 client part on my windows box and use my provider's .ovpn files to use my openvpn with like i always have
06:59 < c0ded> but with the legit openvpn open source client
06:59 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
06:59 < c0ded> already dl'd this: openvpn-install-2.3.2-I003-x86_64.exe
07:00 < c0ded> i got that other client still installed, im just wondering, should i uninstall that one, then install thisone(with the tap driver), then the other thing is getting the openvpn gui to work with: openvpn-install-2.3.2-I003-x86_64.exe
07:00 < c0ded> and again i just want the client so i can connect out from this pc, ill also need to know how to do all this on nix too when i dual boot, but that can be another day heh
07:00 < c0ded> any any help is way appreciate
07:02 <@krzee> so you dont run the server?
07:04 -!- bosnjak [~bosnjak@wr-zip.cpe.iskon.hr] has quit [Ping timeout: 268 seconds]
07:08 < c0ded> [krzee]: u mean my provider's server? like i got a provider which i use an openvpn client to connect to their servers then out to the internet
07:09 < c0ded> unless u mean openvpn setups a local server in that situation that u need for openvpn to work, i thought the server was just if u wanted to accept vpn connects from other clients, like if u set it up on a linux server or something
07:09 < c0ded> or whatr my provider has on their servers that i connect to
07:12 <@krzee> you need to get support from them
07:12 <@krzee> !provider
07:12 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
07:14 < c0ded> no, there's a missunderstanding, the provider is working fine, i just am not sure on how to setup the openvpn open source client compared to what i was using
07:15 <@krzee> but i cant tell you if thats even possible
07:15 <@krzee> here we *only* deal with the opensource client
07:16 < c0ded> like should i uninstall the other one i was using 1st?, would it hurt to keep both? do i just install openvpn-install-2.3.2-I003-x86_64.exe with default settings? then if so, do i just copy my .ovpn files over to the config folder and run the gui?
07:16 <@krzee> i cant tell you if your providers setup even *can* be used with it if you were currently using AS
07:16 < c0ded> cuz when i tried that the gui wouldnt open gave some registry error
07:16 <@krzee> !AS
07:16 <@vpnHelper> "AS" is please go to #OpenVPN-AS for help with Access-Server
07:16 <@krzee> i dont know.
07:16 < c0ded> yea i wanna use the OS client
07:16 < c0ded> not the other one
07:16 <@krzee> right, but you dont run the server
07:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
07:17 <@krzee> i cant tell you if THEIR setup *CAN* be used with opensource client, nor how
07:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:17 <@krzee> general questions about if its possible *may* be able to be answered in #OpenVPN-AS
07:17 < c0ded> no, i just want to use it as a client, to connect to y providers servers
07:17 < c0ded> wait
07:17 < c0ded> are u saying this is for like server side questions mainly in here?
07:17 <@krzee> but if anything depends on the providers config, then only they can help you
07:18 < c0ded> ppl who wanna setup the openvpn server for openvpn clients to connect to
07:18 <@krzee> im saying that your question is impossible to answer without being an access-server support guy or the server admin
07:18 <@krzee> you have a chance in #OpenVPN-AS, but really this is a question for your provider
07:18 < c0ded> well the configs have worked fine, im sure it will work fine with this open source verrsion of opoenvpn
07:18 <@krzee> only they know their config
07:18 <@krzee> hah you are sure...
07:18 -!- bosnjak [~bosnjak@wr-zip.cpe.iskon.hr] has joined #openvpn
07:18 -!- synapt [NBishop@pdpc/supporter/monthlybronze/synapt] has left #openvpn []
07:18 < c0ded> yea im sure
07:19 -!- mode/#openvpn [+q c0ded!*@*] by krzee
07:19 <@krzee> go to #OpenVPN-AS
07:19 <@krzee> ask them if what you are asking for is possible
07:20 <@krzee> your provider must be running access-server if you were using the AS client to connect. this channel is not for AS and it is possible that the opensource client can not connect to an AS server. i would not know, because this is not #OpenVPN-AS
07:20 -!- mode/#openvpn [-q #openvpn!*@*] by krzee
07:21 -!- mode/#openvpn [-q #openvpn!*@*] by krzee
07:21 <@krzee> weird
07:21 -!- mode/#openvpn [-q c0ded!*@*] by krzee
07:32 -!- mode/#openvpn [+q #openvpn!*@*] by krzee
07:33 -!- mode/#openvpn [-q #openvpn!*@*] by krzee
07:37 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:43 <@krzee> !android
07:43 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
07:47 <@plai> !android-old
07:47 <@vpnHelper> "android-old" is If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market
07:53 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm_]
07:54 -!- bosnjak [~bosnjak@wr-zip.cpe.iskon.hr] has quit [Remote host closed the connection]
08:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:28 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:30 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:36 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Read error: Operation timed out]
08:49 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
08:49 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
08:49 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
08:56 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has joined #openvpn
08:57 < freinhard> hi!
08:57 < freinhard> do i need to bridge to get multicast between vpn clients?
08:58 < BtbN> multicast does not work via tun
09:00 <@krzee> you do not need to bridge, you can use tap
09:01 <@krzee> !tunortap
09:01 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
09:01 <@vpnHelper> rooted/jailbroken) support only tun
09:01 <@krzee> hmm i think i meant:
09:01 <@krzee> !whybridge
09:01 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
09:01 <@krzee> ya
09:02 < freinhard> thx!
09:02 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 264 seconds]
09:02 <@krzee> np
09:02 < freinhard> my reason is: have mdns working for salut/bonjour (chat) working
09:19 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
09:28 -!- hackman127 [~luke@cable-33-146.sssnet.com] has joined #openvpn
09:30 < hackman127> I'm having a problem getting a new VPN running on my Gentoo box. I used an existing VPN that I have in place as a template for the config files, but when I go to start the client on my gentoo box I get this error: "Unrecognized option or missing parameter(s) in client.conf:1: client (2.3.2)" Surely I must be missing something blindingly obvious?
09:36 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
09:38 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:39 < freinhard> ok here's what was missing: configure tap on server and clients.
09:46 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
09:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-bmjgbjhmjtsthyle] has quit [Quit: Connection closed for inactivity]
09:47 < deeville> Hi all, new here. Is site-to-site / gateway-to-gateway vpn possible with OpenVPN?
09:48 <@krzee> sure
09:48 <@krzee> !route
09:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:51 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
09:51 < deeville> oh cool!, thanks krzee, I will read them and not skim. :)
09:51 <@krzee> np =]
09:53 < deeville> one quick follow up question, if I wanted to check out !serverlan or !clientlan, can I do it here?  Will vpnHelper show up on everyone's feed or just mine?
09:54 <@Eugene> We don't mind if you do it here but the bot also supports /msg, yes.
09:54 < deeville> neat, thanks Eugene
09:56 <@krzee> !msg
09:56 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
09:56 <@krzee> but here is fine
09:57 < deeville> wish there was a "clip to Evernote" :)
09:57 <@krzee> !factoids
09:57 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:57 <@krzee> theres that ^
09:59 < deeville> Clipped...just keeps getting better, thanks!
09:59 <@krzee> np =]
10:01 -!- hackman127 [~luke@cable-33-146.sssnet.com] has quit [Read error: Connection reset by peer]
10:05 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
10:09 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
10:10 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Client Quit]
10:18 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
10:35 -!- mspah_ [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has quit [Ping timeout: 268 seconds]
10:36 -!- u0m3 [~u0m3@109.96.136.13] has quit [Ping timeout: 240 seconds]
10:36 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
10:41 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
10:42 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:42 -!- u0m3 [~u0m3@92.80.126.165] has joined #openvpn
10:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:44 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
10:48 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has joined #openvpn
10:59 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:05 -!- master_o1_master [~master_of@p4FD7BDE9.dip0.t-ipconnect.de] has joined #openvpn
11:05 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Ping timeout: 264 seconds]
11:08 -!- master_of_master [~master_of@p4FF2434E.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:15 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-hiuwinthdidixynq] has joined #openvpn
11:19 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
11:24 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Client Quit]
11:33 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
11:35 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: AF_INET ➙ AF_INET6]
11:36 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
11:40 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:43 -!- lj [~l@192.241.174.169] has joined #openvpn
11:45 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep.]
11:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:52 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
11:54 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
12:03 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
12:04 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has joined #openvpn
12:05 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
12:06 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
12:07 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
12:07 -!- converge [~converge@unaffiliated/joaop] has quit [Remote host closed the connection]
12:25 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 268 seconds]
12:25 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:25 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
12:30 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Client Quit]
12:31 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
12:33 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
12:39 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
12:46 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
12:47 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
12:59 -!- nk121 [~nk109@23.252.48.189] has joined #openvpn
13:05 < nk121> hola amigos, i'm having some problems setting up a openvpn client on an iphone/ios connecting to an openvpn server. i have what appears to be a working openvpn server on ubuntu 13.10, i've successfully been able to get my macbook to connect to it using viscosity.   however, using the openvpn ios app, i'm running into some problems - i've imported a .ovpn file and the crts/keys, I can connect successfully to my server, but the traffic on my iphone doesn't
13:05 < nk121>  seem to be going through the openvpn (ie, going to safari and going to what is my ip shows my regular ip not openvpn ip). this is my .ovpn config http://pastebin.com/P6c2Hf9E
13:05 < nk121> i don't think its a firewall issue on the server side as i struggled with that and got it to work, and the mac viscosity client connects to it and appears to work
13:05 < nk121> !welcome
13:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:05 < nk121> !redirect
13:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:05 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:11 < nk121> hmm redirect-gateway def1   might be the missing config on the client side
13:20 -!- lj [~l@192.241.174.169] has joined #openvpn
13:22 < nk121> ah, success. thank you vpnHelper.   I, for one, welcome our new bot overlords
13:26 <@krzee> nk121++
13:26 <@krzee> good job =]
13:26 <@krzee> self-help winner
13:26 -!- mode/#openvpn [+v nk121] by krzee
13:29 <+nk121> :)
13:32 -!- Aliekezhi [~Aliekezhi@9.142.122.78.rev.sfr.net] has joined #openvpn
13:34 <+nk121> !def1
13:34 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
13:44 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 240 seconds]
13:46 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
13:46 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm_]
13:47 -!- Varazir [~mircwars@c-94-255-128-122.cust.bredband2.com] has quit [Quit: bbl I hope]
13:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 240 seconds]
14:35 -!- karsten [~karsten@ip-176-199-81-39.unitymediagroup.de] has joined #openvpn
14:37 < karsten> good evening! please I need Help! my openvpn client service status is running, but i have no tcp address assigned, which verb level would help ?
14:38 -!- mattock is now known as mattock_afk
14:48 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
14:51 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep.]
14:58 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
15:00 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Client Quit]
15:11 -!- Varazir [~mircwars@c-94-255-131-47.cust.bredband2.com] has joined #openvpn
15:13 -!- pjschmit1 [~parker@209.141.56.12] has quit [Changing host]
15:13 -!- pjschmit1 [~parker@unaffiliated/schmitt953] has joined #openvpn
15:13 -!- pjschmit1 is now known as pjschmitt
15:21 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
15:25 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
15:31 -!- vn [~sys6x@nostalgeek.net] has quit [Read error: Connection reset by peer]
15:31 -!- vn [~sys6x@nostalgeek.net] has joined #openvpn
15:33 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
15:34 -!- hackman127 [~luke@cable-33-146.sssnet.com] has joined #openvpn
15:35 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:38 < hackman127> Anyone know why "client", "ca", or "cert" would be an Unrecognized option or have missing parameters? https://gist.github.com/anonymous/5e562de3fddf0779f5e8
15:38 <@vpnHelper> Title: gist:5e562de3fddf0779f5e8 (at gist.github.com)
15:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:43 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:46 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
15:49 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Read error: Operation timed out]
15:51 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
15:54 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 255 seconds]
15:55 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has joined #openvpn
15:58 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:02 -!- riddle [riddle@us.yunix.net] has quit [Disconnected by services]
16:02 -!- riddle [riddle@us.yunix.net] has joined #openvpn
16:04 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
16:10 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 255 seconds]
16:12 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:13 -!- kaotiko [~0xFF@unaffiliated/kaotiko] has joined #openvpn
16:13 -!- kaotiko [~0xFF@unaffiliated/kaotiko] has left #openvpn ["Saliendo"]
16:18 -!- pepito_R [~mm@p5DDB0C4C.dip0.t-ipconnect.de] has joined #openvpn
16:18 < pepito_R> hi
16:18 < pepito_R> :D
16:21 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 240 seconds]
16:22 < karsten> shit i have an invader
16:22 < karsten> 169.255.30.1
16:22 < karsten> whis?
16:22 < karsten> whois?
16:22 < karsten> NSA?
16:23 < pepito_R> mm
16:23 < pepito_R> puede ser
16:23 < pepito_R> como lo has detectado
16:23 < karsten> fucking script maipulates my interfaces conf
16:23 < karsten> sure, but how to find?
16:29 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:29 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 252 seconds]
16:32 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:41 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:43 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:46 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:07 -!- nk121 [~nk109@23.252.48.189] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
17:10 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:12 < hackman127> Got it, apparently I built it excluding Gentoo's ssl USE flag. Rebuilt it with the ssl flag and all is well.
17:22 -!- karsten [~karsten@ip-176-199-81-39.unitymediagroup.de] has quit [Quit: Verlassend]
17:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
17:48 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
17:52 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:63:1] has quit [Remote host closed the connection]
17:52 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:42:1] has joined #openvpn
17:55 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
17:57 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 240 seconds]
17:57 -!- Morley93_ [~Morley93@95.85.56.186] has joined #openvpn
17:57 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
18:00 -!- Eneerge [eneergealt@unaffiliated/eneerge] has left #openvpn []
18:02 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
18:05 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
18:05 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
18:06 -!- maestrojed [~maestroje@173-8-213-38-Oregon.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep.]
18:08 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 268 seconds]
18:09 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:14 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:23 -!- hackman127 [~luke@cable-33-146.sssnet.com] has left #openvpn []
18:35 -!- joshh20-Away is now known as joshh20
18:54 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-hiuwinthdidixynq] has quit [Quit: Connection closed for inactivity]
18:55 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:09 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
19:13 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
19:29 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ofeebpxlkbcxngfr] has joined #openvpn
19:37 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Remote host closed the connection]
19:43 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:45 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
19:52 -!- rawburt [~irc@pdpc/supporter/professional/rawburt] has joined #openvpn
19:52 < rawburt> any one have types on the server side configuration for the Android OpenVPN client? I've done some Googling and not finding exactly what I'm looking for; step-by-step guide for both the server and the client.
19:58 < pekster> rawburt, just follow the standard !howto, then use !inline configs for your android client
19:59 < pekster> Also be sure you're using the OpenVPN android client, not the "OpenVPN Connect" product that doesn't actually use any OpenVPN code
19:59 < pekster> See:
19:59 < pekster> !android
19:59 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
19:59 < pekster> (plus see all the above references)
20:02 < rawburt> I'm using OpenVPN Connect from OpenVPN, it was the only client I saw that was from OpenVPN
20:02 < rawburt> Android 4.4.2
20:03 < rawburt> opyright 2012-2014 OpenVPN Technologies, Inc.
20:04 < rawburt> its the most legit looking one
20:06 < pekster> Then read above
20:06 < pekster> That is not actually using any of the OpenVPN code base
20:06 < pekster> !connect
20:06 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969
20:08 < rawburt> interesting, so the OpenVPN Connect (maintained by OpenVPN) does not contain OpenVPN code?
20:08 < pekster> "OpenVPN Connect" is maintained by "OpenVPN Technologies, Inc." _specifically_ . OpenVPN is a GPL project, and the 2 share no code in common
20:09 < rawburt> no code in common?
20:09 < rawburt> heh
20:09 < pekster> If you want help using or support with commercial products (including the free-but-not-open "Connect" product) you need to work with the vendor that designs/supports it
20:09 < rawburt> alright, thanks for your help.
20:09 < rawburt> I'll bite, and try the Arne Schwabe app.
20:09 < pekster> No code in common, and since the corporate folks have a business model attached to it, they probably have followed the law
20:09 < pekster> (otherwise they get sued if anyone finds out, and businesses don't tend to like that)
20:10 < rawburt> heh
20:10 < rawburt> how is that thick bubble you're living in?
20:11 < rawburt> seriously, thanks for the help.
20:11 < pekster> Thick? As I understand, Connect is a C++ codebase, while the current GPL OpenVPN is C. Not exactly copy-and-pastable code :P
20:12 < pekster> Go fire up a debugger if you're curious. I'm not that interested
20:12 < rawburt> yeah, I'm losing interest too.
20:13 < pekster> Arne's app works pretty slick really. Just prep your config files with the inline key/cert syntax, import it, and that's it
20:13 < pekster> Provided you have your configs done, of course
20:13 < rawburt> can I use a static key configuration?
20:15 < pekster> With android? I'm not sure offhand, but static-key is even simplier from a config standpoint, so give it a try?
20:15 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:15 -!- justinzane [~justinzan@12.172.184.180] has quit [Read error: Connection reset by peer]
20:15 < rawburt> I will
20:17 < rawburt> actually, I like the path I've started going down even more; multi-client
20:17 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
20:18 < pekster> security benefits too with TLS
20:18 < pekster> !statickey
20:18 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
20:20 < rawburt> so you're endorsing static key over CA for security?
20:20 < pekster> No, other way around
20:20 < pekster> TLS is what has the security benefits
20:25 < rawburt> gotcha
20:27 -!- justinzane [~justinzan@12.172.184.180] has quit [Read error: Connection reset by peer]
20:35 -!- jes [~jessica@75-41-106-3.lightspeed.dtrtmi.sbcglobal.net] has joined #openvpn
20:46 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
20:49 < _FBi> !radius
20:51 -!- justinzane [~justinzan@12.172.184.180] has quit [Ping timeout: 240 seconds]
20:51 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
21:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:09 < jes> So I'm trying to route ipv6 from my laptop through openvpn client on a local server to a remote server. ipv6 starting on my local server works fine, ipv6 on remote server works fine, ipv6 from my laptop gets stuck... in a weird place.
21:10 < jes> I see it being sent to the tun by using tcpdump, but I don't see it being received on the remote
21:11 < jes> I thought it was a routing issue, but instead it seems like openvpn is just silently dropping the packets
21:11 -!- joshh20 is now known as joshh20-Away
21:24 < pekster> jes, you probably want to follow the routing advice at:
21:24 < pekster> !ipv6
21:24 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
21:24 < pekster> If you're still stuck after that, seeing your configs (without comments/whitespace, read !configs for details) would help
21:26 < _FBi> heya pekster
21:26 < rawburt> pekster: hey, went down the previous road; not multi-user, static keys, /31
21:26 < rawburt> just had to specify the IPv4 address as <ipLocal> <ipRemote>
21:27 < _FBi> why is --shaper in the client config :(
21:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ofeebpxlkbcxngfr] has quit [Quit: Connection closed for inactivity]
21:43 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
21:45 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
21:51 -!- lj [~l@adsl-99-155-23-113.dsl.peoril.sbcglobal.net] has joined #openvpn
21:55 -!- lj1 [~l@192.241.174.169] has joined #openvpn
21:55 -!- pepito_R [~mm@p5DDB0C4C.dip0.t-ipconnect.de] has quit [Quit: Leaving]
21:55 -!- lj [~l@adsl-99-155-23-113.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 255 seconds]
22:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:10 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
22:11 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
22:37 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
22:54 -!- jes [~jessica@75-41-106-3.lightspeed.dtrtmi.sbcglobal.net] has left #openvpn []
22:56 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
23:00 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
23:55 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 240 seconds]
--- Day changed Sat Apr 05 2014
00:00 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 240 seconds]
00:02 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
00:09 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:15 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:31 -!- Devastatr [~devas@186.214.14.68] has joined #openvpn
00:32 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
00:32 -!- jerryc [~pppingme@172.56.10.13] has joined #openvpn
00:34 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 268 seconds]
00:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
00:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
01:08 -!- jerryc [~pppingme@172.56.10.13] has quit [Quit: Leaving]
01:09 -!- nk121 [~nk109@23.252.48.189] has joined #openvpn
01:09 -!- nk121 [~nk109@23.252.48.189] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
01:09 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:40 -!- Devastatr [~devas@186.214.14.68] has quit [Changing host]
01:40 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
01:40 -!- Devastatr is now known as Devastator
01:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:40 -!- Devastator [~devas@unaffiliated/devastator] has quit [Ping timeout: 240 seconds]
02:41 -!- Devastator [~devas@186.214.14.68] has joined #openvpn
02:50 -!- Devastator [~devas@186.214.14.68] has quit [Ping timeout: 252 seconds]
02:50 -!- Devastatr [~devas@186.214.14.68] has joined #openvpn
03:07 -!- ^Gecko^ [~asdjhasd@108-222-140-119.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
03:07 < ^Gecko^> what's up?
03:08 < ^Gecko^> I'm having trouble with my vpn.  mirc is not connecting through the tunnel but through the normal way...
03:24 -!- ^Gecko^ [~asdjhasd@108-222-140-119.lightspeed.hstntx.sbcglobal.net] has quit [Remote host closed the connection]
03:24 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:24 -!- ^Gecko^ [~asdjhasd@108-222-140-119.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
03:31 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 240 seconds]
03:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:24 -!- ^Gecko^ [~asdjhasd@108-222-140-119.lightspeed.hstntx.sbcglobal.net] has quit [Remote host closed the connection]
04:32 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
04:37 -!- ron__ [~ron@ppp14-2-57-200.lns21.adl2.internode.on.net] has joined #openvpn
04:39 -!- ron_ [~ron@ppp118-210-213-5.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
04:45 -!- ron__ [~ron@ppp14-2-57-200.lns21.adl2.internode.on.net] has quit [Ping timeout: 268 seconds]
04:47 -!- ron_ [~ron@ppp118-210-162-44.lns20.adl6.internode.on.net] has joined #openvpn
05:28 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
05:49 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
05:53 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has quit [Remote host closed the connection]
06:07 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
06:08 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
06:20 -!- joshh20-Away is now known as joshh20
06:22 -!- joshh20 is now known as joshh20-Away
06:24 -!- joshh20-Away is now known as joshh20
06:26 -!- hive-mind [pranq@mail.bbis.us] has quit [Read error: Connection reset by peer]
06:44 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-safydbcibeyierdl] has joined #openvpn
06:46 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
06:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:02 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
07:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
07:09 -!- athan [~athan@50-200-167-50-static.hfc.comcastbusiness.net] has joined #openvpn
07:10 < athan> Does anyone know of any good into openvpn books? Preferably one that's linux-based and goes through openvpn configuration (even kinda advanced config stuff)?
07:11 <@krzee> !book
07:11 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
07:11 < athan> Awesome!! Sorry :/
07:11 <@krzee> sorry for what?
07:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:12 < athan> oh, it just seemed like a drain of a question, nothing that's interesting or helpful to other people :/
07:14 <@krzee> if its interesting to anyone else, it will be helpful to them
07:14 <@krzee> i was one of the proofreaders of the book so i read it completely when it was being published, i think it is excellent
07:15 <@krzee> i learned a lot from it, even after years of using and helping people use openvpn
07:16 <@krzee> the author, jjk, really knows his stuff
07:16 < athan> oh okay :) Awesome! That's really good news!
07:16 < athan> Have you done any other work on other projects?
07:19 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
07:20 <@krzee> sure
08:49 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
08:51 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
09:08 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:17 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Read error: Operation timed out]
09:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:29 < octocodercat> How do I allow VPN users to access the IPv6 internet with OpenVPN?
09:31 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
09:31 <@krzee> !ipv6
09:31 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
09:31 <@krzee> !redirect
09:31 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:31 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
09:33 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
09:38 < octocodercat> krzee, Those docs confuse me
09:39 < octocodercat> krzee, I know how IPv4 setup works, how NAT works and how to redirect all traffic through the VPN - that's what I'm doing now, but I'm baffled when it comes to IPv6
09:40 <@krzee> tbh so am i, i have never done it
09:40 <@krzee> :D
09:40 < octocodercat> :P
09:40 < octocodercat> I just want to do it because I have no IPv6 on my local internet and a low chance of ever getting it
09:41 < octocodercat> That and I have 16 IPv6 IPs on my OpenVPN VPS going to waste
09:41 <@krzee> well you can have local ipv6 if you want it
09:41 <@krzee> arent there still free tunnel brokers?
09:42 <@krzee> yep, https://tunnelbroker.net
09:42 <@vpnHelper> Title: Hurricane Electric Free IPv6 Tunnel Broker (at tunnelbroker.net)
09:42 < octocodercat> Does that give you a unique IPv6 IP?
09:43 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
09:44 < octocodercat> Or is it on a shared IP?
09:45 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:50 -!- corretico [~luis@190.5.215.146] has joined #openvpn
10:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
10:11 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
10:13 < octocodercat> The iOS client is giving me this error: tun_builder_error: ifconfig addresses are not in the same /30 subnet (topology net30)
10:14 < octocodercat> What does that mean exactly?
10:16 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:17 < octocodercat> Hmm, removing this from the client configs on the server(that I use to assign static internal IPs) get's rid of the error: ifconfig-push 10.8.0.6 255.255.255.0
10:32 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:38 -!- master_of_master [~master_of@p4FF2490D.dip0.t-ipconnect.de] has joined #openvpn
10:40 < octocodercat> Does anyone know why the command ifconfig-push 10.8.0.6 255.255.255.0 would break OpenVPN for iOS?
10:40 -!- master_o1_master [~master_of@p4FD7BDE9.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:41 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Quit: Lost terminal]
10:43 < octocodercat> It's on the server-side client config(client-config-dir)
10:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:43 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
10:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:45 -!- mode/#openvpn [+v s7r] by ChanServ
10:46 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-jjnnmmbgdmvxkitu] has joined #openvpn
10:47 -!- mback2k_ is now known as mback2k
10:48 -!- mback2k is now known as mback2k_
10:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 265 seconds]
10:56 -!- joshh20 is now known as joshh20-Away
11:04 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: Verlassend]
11:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
11:24 < octocodercat> Does anyone know how the line 'ifconfig-push 10.8.0.6 255.255.255.0' in the server config for a specific iOS client would cause the iOS OpenVPN app to give the error 'tun_builder_error: ifconfig addresses are not in the same /30 subnet (topology net30)'?
11:27 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
11:34 -!- mikemol [~mikemol@2001:470:c5b9:beef:5ca9:1377:3da4:9605] has joined #openvpn
11:42 < Latrina> pepes a question here
11:42 < Latrina> is an openwrt image built with the linaro toolchain considered to run stable ??
11:43 < Latrina> ops
11:43 < Latrina> wrong chan .. my bad
11:43 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
11:47 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
11:56 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:03 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
12:19 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:19 -!- maestrojed [~maestroje@c-98-246-149-230.hsd1.or.comcast.net] has joined #openvpn
12:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-safydbcibeyierdl] has quit [Quit: Connection closed for inactivity]
12:27 -!- joshh20-Away is now known as joshh20
12:28 -!- mikemol [~mikemol@2001:470:c5b9:beef:5ca9:1377:3da4:9605] has quit [Remote host closed the connection]
12:29 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
12:38 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kpkgtnobqjdujztl] has joined #openvpn
12:40 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:44 -!- p3rror [~mezgani@196.201.78.139] has quit [Quit: Leaving]
12:47 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 268 seconds]
12:51 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
12:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:53 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 255 seconds]
13:07 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
13:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
13:08 -!- gffa_ is now known as gffa
13:17 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:24 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
13:26 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
13:33 -!- converge [~converge@189.7.3.101] has joined #openvpn
13:33 -!- converge [~converge@189.7.3.101] has quit [Changing host]
13:33 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
14:04 < octocodercat> Why would ifconfig-push 10.8.0.6 255.255.255.0 create a 'tun_builder_error: ifconfig addresses are not in the same /30 subnet (topology net30)' on the iOS OpenVPN app?
14:07 < reiffert> !configs
14:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:15 < reiffert> octocodercat: see above
14:16 < octocodercat> sec
14:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
14:22 -!- iBong [~tittyspri@46.19.139.182] has joined #openvpn
14:23 < octocodercat> Pastebin is being slow -.-
14:23 < iBong> how do you build openvpn from bithub source?
14:24 < iBong> i see no configure file to execute, i see no autoreconf file
14:25 < iBong> pekster?
14:25 < iBong> *github
14:27 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
14:27 < octocodercat> iBong, I think you run autoconf
14:28 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
14:28 < octocodercat> to make the configure file, I'm not sure though - I have almost no experience with automake :P
14:31 < octocodercat> reiffert, http://pastebin.com/7cpyN16u
14:31 < iBong> this is why i need help octocodercat
14:32 < octocodercat> iBong, Just running the command 'autoconf' doesn't work?
14:35 < iBong> no
14:38 < reiffert> let me take a look at it
14:43 < reiffert> octocodercat: add: topology subnet  to your server config
14:43 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
14:43 < reiffert> and paste
14:43 < reiffert> !logs
14:43 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:44 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
14:50 < iBong> so am i missing something obvious with building openvpn from github source?
14:51 < iBong> whether i try autoconf or autoreconf, i get errors about undefined macros
14:51 < reiffert> iBong: https://github.com/OpenVPN this?
14:51 <@vpnHelper> Title: OpenVPN · GitHub (at github.com)
14:51 < iBong> reiffert: https://github.com/OpenVPN/openvpn
14:51 <@vpnHelper> Title: OpenVPN/openvpn · GitHub (at github.com)
14:51 < reiffert> iBong: it comes with a README file
14:51 < iBong> and i read it
14:52 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
14:52 < iBong> like i said, ive tried autoconf, ive tried autoreconf, and there is no configure file
14:53 < octocodercat> reiffert, Should I add it to the server config or the CCD?
14:53 < octocodercat> the iOS client is the only one malfunctioning under this configuration
14:54 < reiffert> iBong: so while trying stuff .. did stuff come back with messages on the command line?
14:55 < iBong> like i said, always errors about possibly undefined macros
14:55 < reiffert> octocodercat: server
14:55 < reiffert> iBong: do you want me to get to use my crystall ball?
14:56 < reiffert> whats your autoconf version?
14:56 < reiffert> (and automake=
14:57 < iBong> https://pastee.org/qge5j
14:58 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
14:58 < iBong> autoconf (GNU Autoconf) 2.69
14:58 < reiffert> iBong: u trying to build the windows port?
14:58 < octocodercat> Copying logs, sec
14:58 < iBong> automake (GNU automake) 1.11.6
14:58 < iBong> reiffert: no
14:59 < iBong> i just want the absolute latest version
14:59 < iBong> trying to install on debian wheezy
14:59 < reiffert> the absolute latest one comes with all the bugs that will get fixed in future releases.
14:59 -!- maestrojed [~maestroje@c-98-246-149-230.hsd1.or.comcast.net] has quit [Quit: Computer has gone to sleep.]
15:00 < iBong> also comes with a few things that my current version doesn't have
15:00 < iBong> like GCM
15:00 < reiffert> hm libtool might have guessed you being on mingw32
15:01 < reiffert> did you compare changelogs for most recent configure.ac's yet?
15:01 < iBong> no
15:03 < octocodercat> reiffert, http://pastebin.com/1sP3hPC3 - that's without a topology line in the server config
15:03 < octocodercat> what exactly would I put in a topology line?
15:05 < reiffert> octocodercat: "topology subnet"
15:05 < octocodercat> okay, sec
15:06 < reiffert> iBong: you do have automake, correct?
15:06 < iBong> yes
15:08 < iBong> removing my current openvpn install had 0 effect
15:08 < iBong> still get the same error when i try to autoconf
15:10 < reiffert> libtoolize
15:10 < reiffert> aclocal -l m4
15:10 < reiffert> autoheader
15:10 < reiffert> automake -add-missing
15:10 < reiffert> autoconf
15:10 < reiffert> where does it break?
15:10 < octocodercat> reiffert, topology subnet appears to have fixed my problems. Thank you very much for your help :D
15:11 < reiffert> alternatively: aclocal ; autoheader; automake ; autoconf    might work
15:12 < reiffert> octocodercat: yw
15:12 < iBong> bash: libtoolize: command not found
15:12 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-kxfeczqdjdcdwihn] has joined #openvpn
15:12 -!- pepinillo [~mm@p5DDB276B.dip0.t-ipconnect.de] has joined #openvpn
15:16 < iBong> lol, even after installing libtool, i still get the same errors
15:17 < reiffert> clocal ; autoheader; automake ; autoconf
15:17 < reiffert> +a
15:17 < iBong> i think i got it working
15:18 < reiffert> k
15:18 < iBong> https://pastee.org/csegh
15:20 < reiffert> It's been a please working with you. Thank you for your assistance.
15:21 < iBong> lol
15:21 < iBong> yes thank you
15:22 < iBong> octocodercat gave me the biggest clue tho
15:22 < iBong> before he mentioned autoconf, i was like wtf
15:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kpkgtnobqjdujztl] has quit [Quit: Connection closed for inactivity]
15:22 -!- jacekowski [jacekowski@jacekowski.org] has joined #openvpn
15:22 < jacekowski> hi people
15:22 < iBong> but yeah, i sincerely appreciate the help
15:22 < jacekowski> i've got a strange openvpn problem, my vpn stopped working
15:22 < reiffert> you mean autoconf that's referenced to in the INSTALL file that gets mentioned in the README file?
15:23 < jacekowski> Sat Apr  5 21:40:48 2014 TLS: Initial packet from 178.33.236.141:56799, sid=753a7f4f bb8dd60f
15:23 < jacekowski> Sat Apr  5 21:41:14 2014 [UNDEF] Inactivity timeout (--ping-restart), restarting
15:23 < jacekowski> it's a UDP tunnel
15:23 < jacekowski> and it was working few hours ago
15:27 < iBong> mentioned literally one time reiffert
15:27 < iBong> OPTIONAL (for developers only):
15:27 < iBong> (1) Autoconf 2.59 or higher + Automake 1.9 or higher
15:27 < reiffert> jacekowski:
15:27 < octocodercat> Ok, this is slightly offtopic, but does anyone happen to know how to use IPTables to forward all traffic that is trying to go to a certain IP to a user connected to my VPN on 10.8.0.5?
15:27 < reiffert> !configs
15:27 < reiffert> !logs
15:27 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:28 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:28 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:29 < reiffert> octocodercat: iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 -j DNAT --to 10.8.0.5
15:29 < reiffert> octocodercat: or .. if routing fits your needs better .. use routing.
15:30 < octocodercat> routing?
15:30 < reiffert> octocodercat: yeah .. layer 3 routing .. ip packets .. routing table .. most likely static routing
15:31 < reiffert> octocodercat: I have no idea what you are trying to accomplish by reading your 2 sentencens .. you might want to explain first
15:32 < octocodercat> reiffert, Basically the other guy who uses my VPN(besides myself) wants to be able to run a server behind the VPN
15:32 < octocodercat> we both have our own public IPs, which was accomplished by using iptables -t nat -A POSTROUTING -s 10.8.0.5 -j SNAT --to-source 1.2.3.4
15:32 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
15:32 < reiffert> you need to setup a source nat rule as well
15:32 < octocodercat> he wants to be able to get connections to his computer from his public IP
15:33 < reiffert> the above does that. no idea about the return traffic. tcpdump will help
15:33 -!- corretico [~luis@190.5.215.146] has joined #openvpn
15:33 -!- athan [~athan@50-200-167-50-static.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
15:33 < reiffert> 1.2.3.4 = your friends public IP
15:34 < octocodercat> reiffert, I know :P It works, thanks!
15:34 < octocodercat> Now to run it on myself as well - for the first time in three years I'll be able to get incoming connections :D
15:35 < reiffert> iptables -t nat -I POSTROUTING -p tcp -s 10.8.0.5 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4   might be necessary as well
15:35 < reiffert> it just took you three years to figure it out? awesome. Need my paypal account?
15:36 -!- freinhard [~freinhard@p3E9EE946.dip0.t-ipconnect.de] has joined #openvpn
15:37 < octocodercat> reiffert, Why would that be necessary? and I didn't spend three years trying to do this with OpenVPN, just three years missing incoming connections
15:37 < octocodercat> Also, what does "iptables -t nat -I POSTROUTING -p tcp -s 10.8.0.5 ! -d 10.8.0.0/24 -j SNAT --to-source 1.2.3.4 " do?
15:38 < reiffert> replace the server address with the public address for outgoing traffic. return traffic to service clients for your case I believe
15:40 < reiffert> hang on, there's connection tracking in linux. it should work by its own
15:42 < octocodercat> Okay, thank you :D
15:42 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
15:42 < jacekowski> http://pastebin.com/UNc7bhLF
15:43 < jacekowski> reiffert: i don't think it's configuration problem as it was working for over a year
15:44 < reiffert> jacekowski: for over a year? Certs expired?
15:44 < jacekowski> new certs
15:44 < reiffert> since when?
15:44 < jacekowski> november
15:44 < jacekowski> it's not failing on certs, it's failing on timeout
15:45 < jacekowski> but i can see communication going both ways in tcpdump
15:46 < reiffert> add this to client.conf: ns-cert-type server
15:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:47 < octocodercat> reiffert, Isn't that broken? Easy-RSA 3 didn't set nsCertType to server when building a server certificate for me
15:48 < jacekowski> no changes
15:48 < jacekowski> reiffert: it doesn't even get to the point where it's checking the certs
15:48 < jacekowski> octocodercat: i'm not using easy-rsa
15:48 < jacekowski> just pure openssl
15:48 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 268 seconds]
15:48 < reiffert> octocodercat: it's not an issue of openvpn .. dont you think?
15:49 < octocodercat> reiffert, True
15:49 < jacekowski> i can see W's and R's appearing on the client
15:49 < jacekowski> which i presume mean Writes and Reads
15:50 < reiffert> remove comp-lzo and try again
15:51 < reiffert> for both, client and server.
15:51 < jacekowski> no change
15:52 < jacekowski> it may be network issue though
15:52 < reiffert> jacekowski: what else changed on your openwrt?
15:52 < jacekowski> it's not openwrt
15:52 < jacekowski> but nothing has changed
15:52 < jacekowski> it was working in the morning
15:52 < reiffert> oh let me ask my crystall ball
15:53 < reiffert> armle .. fritzbox or diskstation?
15:53 < jacekowski> diskstation
15:53 < reiffert> 212+?
15:53 -!- iBong [~tittyspri@46.19.139.182] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
15:53 < reiffert> oh no the 212's are on a different arch
15:54 < jacekowski> [   55.410000] Model: DS-411j
15:54 < jacekowski> DiskStation> uptime 21:54:42 up 26 days,  3:30,  3 users,  load average: 0.27, 0.12, 0.12
15:55 < jacekowski> so it wasn't a power cut or something
15:55 < reiffert> what does /etc/openvpn/up.sh do?
15:55 < jacekowski> it's just setting up ipv6 addresses and routing
15:56 < jacekowski> but it doesn't even get that far
15:56 < jacekowski> but i'm feeling tempted to restart it
15:56 < reiffert> openvpn --mtu-test
15:56 < jacekowski> it looks like stuff being sent is not the same as recieved stuff
15:57 < jacekowski> it looks like server is sending a lot of 114 bytes long packets and only some are getting through
15:58 < reiffert> "getting through"?
15:58 < reiffert> when running captures, add a "or icmp" to be sure catching "destination host unreachable, fragmentation needed" packets.
15:59 < jacekowski> as in, http://pastebin.com/NPGvJmYQ
15:59 < reiffert> tcpdump -nn -i any -s0 port 56799 or icmp
15:59 < reiffert> should do
16:00 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
16:00 < reiffert> the timestamps differ.
16:01 < reiffert> run a ping while taking captures so we can identify what belongs to each other by looking at the sequence numbers
16:01 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
16:03 < reiffert> when you stop the openvpn service, do you see further openvpn processes by looking at ps w ?
16:05 < jacekowski> http://pastebin.com/Lz2JqWp5
16:05 < jacekowski> no
16:06 < jacekowski> i've set it to 10s interval
16:06 < jacekowski> it clocks should be in sync now
16:07 < reiffert> client sees:
16:07 < reiffert> 22:03:05.735248 IP 192.168.1.97 > 178.33.236.141: ICMP echo request, id 37988, seq 0, length 64
16:07 < reiffert> 22:03:05.752246 IP 178.33.236.141 > 192.168.1.97: ICMP echo reply, id 37988, seq 0, length 64
16:07 < reiffert> 22:03:15.752775 IP 192.168.1.97 > 178.33.236.141: ICMP echo request, id 37988, seq 256, length 64
16:07 < reiffert> 22:03:15.767401 IP 178.33.236.141 > 192.168.1.97: ICMP echo reply, id 37988, seq 256, length 64
16:07 < reiffert> while during these 10 seconds ... the server
16:07 < jacekowski> yeah
16:07 < reiffert> is sending 7 packets with size 114 which then never make it back to the client
16:08 < reiffert> fix this.
16:08 < jacekowski> easy to say
16:09 < reiffert> restart the server.
16:09 < jacekowski> i'm not sure if that is the problem
16:09 < reiffert> synology didnt do well when building tun.ko and iptables.
16:10 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has joined #openvpn
16:10 < jacekowski> synology is the client
16:10 < jacekowski> hmm, i'm going to restart synology first
16:10 < jacekowski> before doing anything drastic on the server
16:10 < reiffert> :-)
16:12 < reiffert> I guess you dont have more client?
16:12 < reiffert> s
16:12 < jacekowski> no
16:12 < jacekowski> but i'm just quickly setting up one
16:12 < reiffert> "no, I do have more clients"?
16:12 < jacekowski> no i don't have more clients (yet)
16:14 < reiffert> you could even try the syno certs on a different machine
16:14 < reiffert> no need to create new client certs just for that
16:16 < reiffert> 178.214.19.246 is?
16:17 < jacekowski> dunn
16:17 < jacekowski> o
16:17 < jacekowski> nothing to do with me
16:17 < jacekowski> as in, random stuff
16:17 < reiffert> so why are so many differnt clients trying to get to your port 22502?
16:17 < jacekowski> linux iso downloads over torrent
16:18 < reiffert> sigh.
16:19 < jacekowski> hmm
16:19 < jacekowski> same thing on another device
16:20 < reiffert> 178.33.236.141 is in France?
16:20 < jacekowski> yep
16:20 < jacekowski> but i've got no packet loss to/from it otherwise
16:20 < reiffert> lsof -n | wc -l
16:21 < jacekowski> 11117
16:21 < jacekowski> open files                      (-n) 524288
16:22 < jacekowski> i'm going to switch it to tcp and see if it will connect
16:22 < reiffert> df -h /
16:23 < jacekowski> /dev/md2        1.9T  1.7T  208G  89% /
16:23 < reiffert> your mysql tables were crashing also ...
16:23 < reiffert> http://178.33.236.141/Contact
16:23 <@vpnHelper> Title: Contact | jacekowski.org (at 178.33.236.141)
16:23 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:24 < jacekowski> yeah, i can't be bothered to fix it
16:24 < reiffert> so it's not related ..?
16:25 < jacekowski> no
16:25 < reiffert> "yes, it's not related"
16:25 < jacekowski> nothing strange in dmesg either
16:25 < jacekowski> yes, it's not related
16:25 < jacekowski> i'm going to restart my home router
16:26 < jacekowski> i'll be back in a moment
16:26 < reiffert> out for a smoke
16:28 < jacekowski> hmmm
16:30 < jacekowski> it's working now
16:31 < jacekowski> so it was my home router, however i don't understand how
16:31 < jacekowski> how it was somehow randomly dropping only openvpn packets
16:31 < jacekowski> and that is over tcp and udp (and i've changed the port as well to start with)
16:32 < jacekowski> while still letting everything else through unharmed
16:32 < reiffert> QoS
16:33 < reiffert> show policy-map int f0/0/0 | i Class|drops   ;)
16:33 < jacekowski> it's just ISP router
16:33 < reiffert> guess it's one of the fency France Telekom modems?
16:33 < jacekowski> EE
16:33 < jacekowski> Brightbox2
16:34 < jacekowski> with VDSL
16:34 < reiffert> glad we made it .. fun one
16:36 < reiffert> NSA pops up to mind but you wont recognize their taps anyway :)
16:36 < jacekowski> well, QoS is disabled
16:37 < jacekowski> and it's still using the same firmware it came with
16:37 < reiffert> it broke and we found it .. get on to something else
16:38 < jacekowski> well, i don't like idea of things breaking for no apparent reason
16:39 < reiffert> buy better hardware next time.
16:39 < jacekowski> well, it was free + VDSL routers are hard to come by
16:40 < reiffert> last week I found two routers restarting unexpectedly in the APAC region and it turned out that NASA been recording a huge solar flare on that day hitting southern APAC :=
16:40 < reiffert> )
16:41 < jacekowski> fun
16:41 < reiffert> kind of
16:42 < jacekowski> i've had a fault where stepper motor controller would restart randomly on a machine
16:43 < reiffert> earthing issues on a self soldered controller?
16:43 < jacekowski> whole thing was made out of stainless steel with some bits made out of alluminium
16:43 < jacekowski> as in machine where that controller was used
16:43 < jacekowski> it was earthing issue, but not where i was expecting it
16:45 < jacekowski> as it turned out, stuff they used to clean it caused aluminium to corode and therefore it was not earthed anymore
16:45 < reiffert> I had stopped messing around with breadboards when not being able to fix flickering issues when multiplexing 7 segment displays
16:46 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
16:46 < reiffert> an engineer was looking at it for 30 seconds indicating earthing issues here there and there which made me being depressed a lot
16:48 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
16:48 < jacekowski> talking about crap earthing, have a look at any car
16:49 -!- jeev [~jeev@192.198.83.41] has joined #openvpn
16:49 -!- jeev [~jeev@192.198.83.41] has quit [Changing host]
16:49 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
16:49 < jacekowski> anyways, thanks for your effort
16:49 < reiffert> :-)
16:49 < reiffert> yw
16:56 < reiffert> http://www.youtube.com/watch?v=YWZG1nhgwgg#t=558
16:56 <@vpnHelper> Title: CRAZY On-Bike Lap! 200mph TT races! Michael Dunlop - HD - YouTube (at www.youtube.com)
17:02 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
17:04 -!- converge [~converge@189.7.3.101] has joined #openvpn
17:04 -!- converge [~converge@189.7.3.101] has quit [Changing host]
17:04 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
17:05 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
17:06 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 246 seconds]
17:06 < brianblaze420> hello beautiful people, I am trying to connect to my openvpn with tunnilblick and it says I need a tap or tun device. I am on mavericks :)
17:06 < brianblaze420> how do I add such things?
17:08 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
17:10 < reiffert> I just were installing tunnelblick and it worked
17:11 < brianblaze420> really? weird… I have my config file and it worked from my ipad no problem using the openvpn program but with tunnelblick no luck and it says i am missing a tun or tap device
17:12 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has quit [Quit: Leaving]
17:15 < brianblaze420> it says my configfile doesn’t have a dev tun or dev tap...
17:15 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
17:23 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
17:23 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
17:23 -!- corretico [~luis@190.5.215.146] has joined #openvpn
17:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
17:26 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
17:27 < reiffert> add: dev tun
17:27 < reiffert> in your config file then
17:28 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:28 < brianblaze420> just add that line?
17:29 < brianblaze420> well that worked i don’t get the same message
17:29 < brianblaze420> but now i gotta check the log
17:33 < octocodercat> Can I configure OpenVPN to have two internal IPs?
17:33 < octocodercat> ex 10.8.0.1 and 10.8.0.2?
17:36 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 268 seconds]
17:37 -!- mikemol [~mikemol@2001:470:c5b9:beef:34dc:2856:6f1f:eecc] has joined #openvpn
17:42 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:52 < reiffert> octocodercat: why would you want to do that?
17:54 < octocodercat> reiffert, I'm setting up a DNS server on the VPN's VPS, and iirc most OSs perfer two DNS IPs specified instead of one
17:55 < reiffert> complete fail.
17:56 < reiffert> just give it the same ip address twice.
17:57 < reiffert> just having one will work as well.
17:57 < octocodercat> I thought OSs like iOS rejected the same IP
17:59 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Quit: brianblaze420]
18:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:25 -!- lj [~l@192.241.174.169] has joined #openvpn
18:33 -!- joshh20 is now known as joshh20-Away
18:41 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 268 seconds]
18:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-kxfeczqdjdcdwihn] has quit [Quit: Connection closed for inactivity]
18:48 -!- joshh20-Away is now known as joshh20
18:52 -!- lj [~l@192.241.174.169] has joined #openvpn
19:06 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:13 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
19:13 -!- corretico [~luis@190.5.215.146] has joined #openvpn
19:18 -!- lj [~l@192.241.174.169] has joined #openvpn
19:21 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Remote host closed the connection]
19:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:42 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:58 < pekster> octocodercat: EasyRSA 3 doesn't by default. It's deprecated and you shoudln't use it, but it's availble as a non-default option if you need the deprecated support
20:05 -!- pepinillo [~mm@p5DDB276B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
20:21 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
20:31 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
20:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 268 seconds]
20:36 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
20:42 -!- converge [~converge@unaffiliated/joaop] has quit [Quit: Leaving...]
20:44 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-vxcaajhxnjefvhar] has joined #openvpn
21:03 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
21:04 -!- corretico [~luis@190.5.215.146] has joined #openvpn
21:06 -!- converge [~converge@189.7.3.101] has joined #openvpn
21:06 -!- converge [~converge@189.7.3.101] has quit [Changing host]
21:06 -!- converge [~converge@unaffiliated/joaop] has joined #openvpn
21:22 -!- mikemol [~mikemol@2001:470:c5b9:beef:34dc:2856:6f1f:eecc] has quit [Remote host closed the connection]
21:23 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
21:32 -!- ron_ [~ron@ppp118-210-162-44.lns20.adl6.internode.on.net] has quit [Ping timeout: 268 seconds]
21:34 -!- ron_ [~ron@ppp118-210-119-92.lns20.adl2.internode.on.net] has joined #openvpn
21:40 -!- p3rror [~mezgani@105.158.217.158] has joined #openvpn
21:45 -!- lj [~l@192.241.174.169] has joined #openvpn
21:49 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 255 seconds]
21:50 -!- esde [~esde@107.150.1.2] has joined #openvpn
21:57 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 252 seconds]
21:57 -!- esde [~esde@107.150.1.2] has joined #openvpn
22:10 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
22:12 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 252 seconds]
22:12 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
22:14 -!- joshh20 is now known as joshh20-Away
23:07 -!- rawburt [~irc@pdpc/supporter/professional/rawburt] has left #openvpn []
23:09 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has left #openvpn []
23:24 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
23:27 < esde> !configs
23:27 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
23:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-vxcaajhxnjefvhar] has quit [Quit: Connection closed for inactivity]
23:44 -!- lj [~l@192.241.174.169] has joined #openvpn
--- Day changed Sun Apr 06 2014
00:00 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
01:05 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
01:05 < nrgskill> hi all, I need to authenticate my users with active directory. can you help me on this?
01:05 < nrgskill> domain name is domain.local
01:06 < nrgskill> OU that stores the users is Openvpn
01:06 < nrgskill> I tried DN=documents, DC=domain, DC=local
01:06 < nrgskill> with additional memberOf=CN=Openvpn, CN=Users, DC=miccogroup, DC=local
01:06 < nrgskill> but I can't log them in
01:07 < nrgskill> can you help me on troubleshoot this? I don't understand why I have to use  DN=documents
01:13 < reiffert> nrgskill: is this for access server?
01:15 < nrgskill> is to authenticate openvpn users
01:15 < reiffert> nrgskill: is your question about access server, yes or no?
01:16 < nrgskill> yep it is, sorry
01:16 < reiffert> !as
01:16 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
01:16 < nrgskill> thanks
01:18 < reiffert> yw
02:00 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-jjnnmmbgdmvxkitu] has quit []
02:30 -!- Varazir [~mircwars@c-94-255-131-47.cust.bredband2.com] has quit [Read error: Operation timed out]
02:34 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
02:34 -!- mikemol [~mikemol@2001:470:c5b9:beef:db4:f67a:a77:3258] has joined #openvpn
02:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:34 -!- corretico [~luis@190.5.215.146] has joined #openvpn
03:07 -!- pepinillo [~mm@igepaberlin.org] has joined #openvpn
03:07 < pepinillo> :D
03:07 < pepinillo> hi
03:09 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
03:22 < nrgskill>  #OpenVPN-AS are not helping, maybe because of the timezone
03:24 < nrgskill>  I can connect to openvpn SA server, I can ping it, but I would ping also other servers in the network I am connecting to. I can't. I guess it's a routing issue
03:30 < pepinillo> mm
03:30 < pepinillo> classical issue
03:31 < pepinillo> If you have ping, then you have route ..
03:31 < pepinillo> maybe you ahve a firewall problem
03:33 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Ping timeout: 252 seconds]
03:34 -!- nrgskill [~nrgskill@94.57.89.200] has joined #openvpn
03:39 -!- nrgskill [~nrgskill@94.57.89.200] has quit [Ping timeout: 240 seconds]
03:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:47 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 252 seconds]
03:47 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
03:52 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
03:53 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
03:55 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
03:56 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
03:56 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:01 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
04:19 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
04:21 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
04:22 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:24 -!- pepinillo [~mm@igepaberlin.org] has quit [Quit: Leaving]
04:47 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Ping timeout: 255 seconds]
04:48 -!- nrgskill [~nrgskill@2.48.33.236] has joined #openvpn
04:51 -!- nrgskill [~nrgskill@2.48.33.236] has quit [Client Quit]
04:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:03 -!- Varazir [~mircwars@c-94-255-130-182.cust.bredband2.com] has joined #openvpn
05:10 -!- Varazir [~mircwars@c-94-255-130-182.cust.bredband2.com] has quit [Quit: leaving]
05:33 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-nqqqmtzjyzfqxbfv] has joined #openvpn
05:37 -!- Guest6176 [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 268 seconds]
05:44 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:50 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Remote host closed the connection]
06:07 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
06:20 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
06:25 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 255 seconds]
06:26 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
06:43 -!- joshh20-Away is now known as joshh20
06:54 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
07:38 -!- leeyaa [~leeyaa@158-58-238-148.sf.ddns.bulsat.com] has joined #openvpn
07:41 < leeyaa> hello
07:41 < leeyaa> i am trying to set up a centos openvpn client
07:41 < leeyaa> when i initiate vpn connection manually with openvpn --remote 10.10.10.1 --dev tun1 --ifconfig 192.168.2.2 192.168.2.1 it is working fine
07:41 < leeyaa> however i cant seem to make it work using the config file
07:41 < leeyaa> any tips what I might be missing ?
07:42 < leeyaa> this is my config file
07:42 < leeyaa> http://bpaste.net/show/3LwUj6AlZwQUuGbESzEu/
08:04 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
08:05 -!- corretico [~luis@190.5.215.146] has joined #openvpn
08:28 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
08:38 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Remote host closed the connection]
08:59 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
09:09 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
09:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:50 -!- oliLinchstropop [~fdg@modemcable126.70-56-74.mc.videotron.ca] has joined #openvpn
09:51 < oliLinchstropop> Quelqu'un parle français et pourrait répondre à quelques question au sujet d'OpenVPN ?
09:55 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
09:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:55 -!- corretico [~luis@190.5.215.146] has joined #openvpn
10:16 < svg> oliLinchstropop: je t'écoute
10:18 < oliLinchstropop> svg: merci, premièrement est-ce que je peux avoir mon serveur et client sur une même machine ?
10:19 < svg> euh, oui, en théorie, mais je vois pas l'utilité de ça :)
10:23 < oliLinchstropop> je crois que je ne comprends pas bien le principe d'openvpn..  En gros ce que je voulais ces que mon IP ne soit pas visible (ex: comme ici sur irc) Je pense que un vpn est ce qu'il me faut?
10:24 < svg> c'est possible oui, avec un vpn, tu as la possibilite de ne pas montrer ton ip locale, mais tu montreras l'ip du serveur
10:25 < svg> le vpn te permets de passer par un autre reseau, afin de 'cacher' ton adresse locale
10:25 < svg> mais il te faut donc (access á) un serverur dans un autre reseau
10:26 < oliLinchstropop> alors la pluspart des gens sur irc on a des vpn ?
10:26 < svg> pas necessairement
10:27 < oliLinchstropop> il y a donc plusieur façon de cacher son ip ?
10:27 < svg> je ne sais pas pq tu penses que bcp de gens sur irc cachent leurs ip
10:28 < svg> sur irc y a plus a cacher que juste ton ip sortante
10:28 < svg> hostname, username etc
10:28 < oliLinchstropop> Je dirais que je comprends mal le système des vpn et de cacher son identité sur internet alors j'interprètent mal ce que je pense puisque ces flou
10:29 -!- chocolate [~AndChat18@177.191.83.17] has joined #openvpn
10:29 < svg> vpn n'est pas un systeme pour cache l'ip
10:29 < svg> ca peut aider, etre un utilitaire afin de, etc
10:29 < oliLinchstropop> ok ok
10:29 < svg> mais tout ca est plus complexe que juste l'ip
10:30 < oliLinchstropop> oui j'y comprend rien justement
10:31 < svg> un conseil, ne te lance pas dans un projet de securite sans comprendre le fin fond, sinon tu peut etre sur de laisser une faille
10:31 < svg> si tu veux comprendre vpn, commence par connaitre reseaux et ip.. :)
10:32 < oliLinchstropop> ces vrai mais je cherche simplement a me protéger le mieux possible et en même d'être le plus anonyme possible, tout en ayant rien à cacher..
10:32 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Quit: ZNC - http://znc.in]
10:34 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
10:37 -!- chocolate [~AndChat18@177.191.83.17] has quit [Ping timeout: 252 seconds]
10:38 -!- master_o1_master [~master_of@p4FF24BAA.dip0.t-ipconnect.de] has joined #openvpn
10:38 -!- chocolate [~AndChat18@177.191.83.17] has joined #openvpn
10:39 -!- joshh20 is now known as joshh20-Away
10:41 -!- master_of_master [~master_of@p4FF2490D.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:43 -!- chocolate [~AndChat18@177.191.83.17] has quit [Ping timeout: 252 seconds]
10:44 -!- chocolate [~AndChat18@179.155.69.131] has joined #openvpn
10:46 -!- pepinillo [~mm@igepaberlin.org] has joined #openvpn
10:48 < pepinillo> HI, I had a problem with my openvpn configuration. The case is that I can connect and the VPN is open correctly. HOwever, when I try to access thorugh a browser my internet domain through the tunnel, the domain is not correctly resolved. I tried to do a domain push, but apparently this does not work, because the tunnel must be open before the push can be performed. Do you know of a solution to this problem ?
10:52 -!- freinhard [~freinhard@p3E9EE946.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
10:55 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
10:56 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
10:59 -!- oliLinchstropop [~fdg@modemcable126.70-56-74.mc.videotron.ca] has quit [Read error: Connection reset by peer]
11:32 -!- novaflash is now known as novaflash_away
11:34 < _FBi> pepinillo, what?  your not resovling the host correctly, or at all?
11:45 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
11:46 -!- corretico [~luis@190.5.215.146] has joined #openvpn
11:56 -!- novaflash_away is now known as novaflash
11:57 < pepinillo> _FBi, I am not resolving the host only
11:58 < pepinillo> the rest is resolving well.
11:59 < pepinillo> the - logical - problem is that the DNS entries point to the Internet address of the server, and they do not point, logically, to the internal network created by the tunner, namely the 10.8.00/24 Network
11:59 < pepinillo> I am solving this by modifying the hosts file in the local computer, but I would like to push for the domain name of the server also through the internal network of the tunnel
12:01 <@krzee> !splitdns
12:01 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
12:07 < pepinillo> ok
12:07 < pepinillo> thanks !
12:07 < pepinillo> will take a look
12:21 < edge226> what commands can you pass to vpn  helper to learn how to use the bot better?
12:22 < _FBi> !learn
12:22 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:25 <@krzee> !msg
12:25 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
12:25 <@krzee> !factoids
12:25 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:25 <@krzee> really everything the bot is for is at the !factoids link
12:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
12:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
12:42 < Aketzu> !5737
12:42 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
12:43 < Aketzu> hmm... that website autogenerates links or something
12:43 < Aketzu> that RFC-link has extra " /" in the end which breaks it
12:47 -!- cesurasean1 [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
12:47 -!- cesurasean1 [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has left #openvpn []
13:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-zvkkienlajbtpcsi] has quit [Ping timeout: 268 seconds]
13:11 -!- kirin` [telex@gateway/shell/anapnea.net/x-uigakdlgmtfnqnlz] has joined #openvpn
13:12 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
13:17 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:29 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
13:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
13:44 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
13:54 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has left #openvpn []
14:00 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
14:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
14:02 -!- converge [~converge@unaffiliated/joaop] has left #openvpn ["Linkinus - http://linkinus.com"]
14:13 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
14:36 -!- AndChat|185600 [~AndChat18@179.126.242.45] has joined #openvpn
14:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:40 -!- chocolate [~AndChat18@179.155.69.131] has quit [Ping timeout: 268 seconds]
14:41 -!- AndChat|185600 [~AndChat18@179.126.242.45] has quit [Ping timeout: 252 seconds]
14:42 -!- chocolate [~AndChat18@179.126.247.254] has joined #openvpn
14:43 -!- nanuko [~nanuko@204.57.118.174] has joined #openvpn
14:45 < nanuko> hello, when i run '#openvpn --config client.ovpn', my VPN works just fine.  However, when I try to let the service run itself, the VPN fails.  any idea why?
14:56 -!- p3rror [~mezgani@105.158.217.158] has quit [Ping timeout: 268 seconds]
14:58 -!- chocolate [~AndChat18@179.126.247.254] has quit [Ping timeout: 252 seconds]
14:59 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ibqqnmxhyrsngpkg] has joined #openvpn
15:00 -!- chocolate [~AndChat18@179.126.247.254] has joined #openvpn
15:01 < reiffert> nanuko: I highly doubt it will work with the leading "#".
15:01 < nanuko> oh lol
15:01 < nanuko> there is no leading #
15:01 < nanuko> typo
15:01 < reiffert> client.ovpn is existing in which directory?
15:02 < nanuko> it exists in /etc/openvpn
15:02 < reiffert> grep client /etc/openvpn/client.ovpn
15:02 < reiffert> sorry.
15:02 -!- Aliekezhi [~Aliekezhi@9.142.122.78.rev.sfr.net] has quit [Remote host closed the connection]
15:02 < reiffert> grep client /etc/openvpn/client.ovpn | grep -v ^#
15:03 < reiffert> nanuko: lets put it this way
15:03 < reiffert> !configs
15:03 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:03 < nanuko> ah, got it
15:04 < nanuko> alright, i'll get you a paste bin dump in a moment
15:04 -!- chocolate [~AndChat18@179.126.247.254] has quit [Ping timeout: 240 seconds]
15:06 < nanuko> http://pastebin.com/nf3VXXm2
15:06 < nanuko> that's my client config file
15:07 < reiffert> does it work when you start openvpn with /etc/init.d/openvpn start    or whatever the command is for your distro?
15:08 < nanuko> openvpn --config raspberrypi.ovpn
15:08 < nanuko> that works
15:09 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
15:09 < nanuko> however, /etc/init.d/openvpn start doesn't work
15:10 < reiffert> what's in your logs when you try the initscript?
15:11 < nanuko> http://pastebin.com/j7MkkNT4
15:11 < nanuko> oh wait
15:11 < nanuko> hang on
15:12 < reiffert> :)
15:12 < nanuko> http://pastebin.com/7dyZkw6v
15:13 < nanuko> that help any?
15:13 < reiffert> allright. do a /etc/init.d/openvpn stop
15:14 < nanuko> k
15:14 < reiffert> edit /etc/init.d/openvpn adding a new 2nd row: set -x
15:14 < reiffert> then do:
15:14 < reiffert> /etc/init.d/openvpn start >/tmp/out 2>&1
15:14 < reiffert> let it run and paste the contents of /tmp/out
15:15 < nanuko> using a text editor, i insert 'set -x' into the 2nd row, correct?
15:16 < reiffert> yes.
15:16 < reiffert> in a blank line
15:18 < nanuko> http://pastebin.com/T9LLKfNc
15:20 < reiffert> remove the set -x line
15:20 < reiffert> cd /etc/openvpn
15:20 < reiffert> mv client.ovpn client.conf
15:20 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
15:20 < reiffert> and it will work
15:21 < nanuko> well fuck me with a hammer
15:21 < nanuko> it did
15:21 < nanuko> thanks lol
15:21 < reiffert> line 30 of your last pastebin
15:22 < nanuko> oh
15:22 < nanuko> that makes sense
15:22 < nanuko> how did you know it would be client.ovpn from that though?
15:22 < reiffert> thats what you said
15:22 < nanuko> oh lol
15:22 < nanuko> ok
15:22 < nanuko> makes sense
15:22 < nanuko> sweet
15:22 < reiffert> 21:45 < nanuko> hello, when i run '#openvpn --config client.ovpn',
15:23 < nanuko> yeah, i see that now.  wow, thanks for the help.  that's been failing for the past day or so
15:24 < reiffert> your initscript should call ls *.conf *.ovpn ... whats your distro?
15:24 < nanuko> raspbian
15:25 < reiffert> how's the CPU consuption on your rasberry when using comp-lzo and seeing 10mbps of openvpn traffic?
15:25 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
15:26 -!- corretico [~luis@190.5.215.146] has joined #openvpn
15:27 < nanuko> how would i check that?
15:28 < reiffert> make some noise and look at the "top" command
15:28 < nanuko> using top
15:28 < nanuko> it looks like openvpn is consuming 0.0% while i ping google.com
15:29 < reiffert> ... make some noise .. transfer a big file via http or ftp .. try to get 10mbps
15:29 < reiffert> or better
15:29 -!- mode/#openvpn [+vvvv __FBi _FBi _quadDamage reiffert] by krzee
15:29 -!- mode/#openvpn [+v thumbs] by krzee
15:30  * reiffert starts feeling +very important
15:31 <+reiffert> krzee: wssup?
15:31 <+reiffert> excuse me .. sup sup? :)
15:33 < nanuko> looking at about 5%
15:34 < nanuko> started at 34% then dropped to 5%
15:35 <+reiffert> whats the arch on rasberry?
15:37 <+reiffert> x86
15:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:38 <+reiffert> excuse me, it's arm
15:38 < nanuko> armv6l
15:39 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
15:40 <+reiffert> how long takes compiling a ALLNOCONF 2.6 kernel?
15:41 -!- B1nny_ [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
15:41 -!- dren__ [dren@access.not.allowed.org] has joined #openvpn
15:41 < nanuko> lol, am I being quizzed?
15:41 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Disconnected by services]
15:41 -!- B1nny_ is now known as B1nny
15:42 <+reiffert> trying to figure out if it will be of interest for myself
15:42 < nanuko> ah, kk
15:42 <+reiffert> getting one, playing with linux again, wasting some time
15:42 < nanuko> is it AUTOCONF
15:42 -!- SquirrelCZECH_ [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
15:42 < nanuko> or ALLNOCONF?
15:42 <+reiffert> it's unpack the kernel source, make ALLNOCONF
15:43 < nanuko> so, commands to do that?
15:43 -!- digitalp1nk [~scout@mail.zemaitijos-spauda.lt] has joined #openvpn
15:43 -!- a___ [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
15:43 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
15:43 <+reiffert> it's make allnoconfig
15:43 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:44 -!- riddle [riddle@us.yunix.net] has quit [Disconnected by services]
15:44 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
15:44 -!- Rienzilha [rien@sinas.rename-it.nl] has joined #openvpn
15:44 -!- Zarrsh_ [~Zarrsh@farari.paydayauto.biz] has joined #openvpn
15:44 -!- hive-min1 [pranq@mail.bbis.us] has joined #openvpn
15:44 <+reiffert> cd /usr/src
15:44 <+reiffert> wget https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/linux-2.6.34.15.tar.xz
15:44 -!- riddle [riddle@us.yunix.net] has joined #openvpn
15:45 <+reiffert> tar xJf linux-2.6.34.15.tar.xz
15:45 <+reiffert> cd linux-2.6.34.15
15:45 <+reiffert> make allnoconfig; time make
15:46 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:46 <+reiffert> it's assuming you have a C compiler installed previously
15:47 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
15:47 -!- esde_ [~esde@107.150.1.2] has joined #openvpn
15:47 -!- raidz_ [~raidz@raidz.im] has joined #openvpn
15:47 < nanuko> dude, are you a wizard?
15:47 -!- Six6siX_ [~Devil@jasmine.sammybakar.com] has joined #openvpn
15:47 <+reiffert> nanuko: my crystall ball came back from its repairs last week
15:48 -!- mattockl [~mattock@raidz.im] has joined #openvpn
15:48 -!- mattockl is now known as mattock
15:48 -!- mattock [~mattock@raidz.im] has quit [Changing host]
15:48 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
15:48 -!- mode/#openvpn [+o mattock] by ChanServ
15:48 -!- Netsplit *.net <-> *.split quits: Zarrsh, p3rror, catsup, digitalpunk, hive-mind, SquirrelCZECH, jareth_, aji, phreakocious, @mattock_afk,  (+9 more, use /NETSPLIT to show all of them)
15:48 -!- esde_ is now known as esde
15:48 -!- raidz_ is now known as raidz
15:48 -!- raidz [~raidz@raidz.im] has quit [Changing host]
15:48 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
15:48 -!- mode/#openvpn [+o raidz] by ChanServ
15:48 <+reiffert> krzee: why is there so much join/leave noise nowadays?
15:49 -!- indy_ [~indy@shadow.kastnerove.cz] has joined #openvpn
15:50 <+reiffert> nanuko:
15:50 <+reiffert> Kernel: arch/x86/boot/bzImage is ready  (#1)
15:50 <+reiffert> real	1m9.764s
15:50 <+reiffert> user	1m4.936s
15:50 <+reiffert> sys	0m6.324s
15:50 <+reiffert> I'm particularily interested in these lines
15:51 < nanuko> hang on
15:51 <+reiffert> (the very last 4 lines when it's done)
15:51 <+reiffert> yeah, I'm expecting to see something between 3 and 8 minutes
15:51 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
15:52 <+reiffert> 3 would let me buy one
15:52 -!- joshh20-Away is now known as joshh20
15:54 < nanuko> real	0m9.821s
15:54 < nanuko> user	0m5.920s
15:54 < nanuko> sys	0m1.910s
15:54 < nanuko> i think there was an error though
15:54 -!- p3rror [~mezgani@105.156.198.176] has joined #openvpn
15:55 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
15:55 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
15:55 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
15:55 -!- aji [~alex@atheme/member/aji] has joined #openvpn
15:56 <+reiffert> nanuko: thanks for trying, it's too slow, I'll look at it when it's faster than that
15:56 < nanuko> got it
15:57 < nanuko> thanks for the help
15:57 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
15:57 -!- nanuko [~nanuko@204.57.118.174] has left #openvpn []
15:57 <+reiffert> u too
15:57 -!- chocolate [~AndChat18@179.126.247.254] has joined #openvpn
16:02 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
16:02 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 268 seconds]
16:04 -!- chocolate [~AndChat18@179.126.247.254] has quit [Ping timeout: 246 seconds]
16:05 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:07 -!- chocolate [~AndChat18@179.126.247.254] has joined #openvpn
16:10 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
16:10 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
16:14 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
16:14 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
16:14 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
16:14 -!- chocolate [~AndChat18@179.126.247.254] has quit [Ping timeout: 255 seconds]
16:15 -!- chocolate [~AndChat18@179.126.247.254] has joined #openvpn
16:15 -!- chocolate [~AndChat18@179.126.247.254] has quit [Client Quit]
16:17 -!- esde [~esde@107.150.1.2] has quit [Ping timeout: 255 seconds]
16:19 -!- esde [~esde@107.150.1.2] has joined #openvpn
16:19 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
16:25 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:26 -!- Morley93_ [~Morley93@95.85.56.186] has left #openvpn []
16:34 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:56 -!- j00d [~john@69.164.209.29] has joined #openvpn
16:56 < j00d> !welcome
16:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
16:56 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:56 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
16:58 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:04 < j00d> hi, they removed the "legacy network adapter" from Hyper-V 2012 R2 host (not role), does that mean I won't be able to install the .vhd?
17:10 <+reiffert> It does not.
17:11 -!- pepinillo [~mm@igepaberlin.org] has quit [Remote host closed the connection]
17:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ibqqnmxhyrsngpkg] has quit [Quit: Connection closed for inactivity]
17:16 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
17:16 -!- corretico [~luis@190.5.215.146] has joined #openvpn
17:36 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ievnhviqrlfzpcrh] has joined #openvpn
17:43 -!- frank-- is now known as thumbs
18:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-nqqqmtzjyzfqxbfv] has quit [Quit: Connection closed for inactivity]
18:27 -!- j00d [~john@69.164.209.29] has quit [Quit: leaving]
18:58 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::20] has joined #openvpn
18:59 < Beta2K> Quick question, I don't suppose there's any way from a openvpn server to push a command to run on the client?
19:09 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:09 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:19 -!- lj [~l@74.120.200.95] has joined #openvpn
19:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:29 -!- lj1 [~l@192.241.174.169] has joined #openvpn
19:30 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 240 seconds]
19:40 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has joined #openvpn
19:41 < h6w> Hi!
19:42 < h6w> I need to have two sets of servers co-located but assigned the same IPs regardless of location.   Is this called a site-to-site setup?
19:43 < h6w> So a client accessing a server needs to access it by the same IP regardless of the client's location.
19:53 < Beta2K> the same remoteip?
19:56 < h6w> Yes.  The same IP on the overall VPN.
19:58 < h6w> It can be routed, tho, so if the client is 10.20.0.10 and it asks for 10.20.0.8, obviously that's local, so it goes straight there.  But if the client is 10.20.1.10, then it should be routed via the gateway to 10.20.1.1 to 10.20.0.1 and then back down to 10.20.0.8.
19:59 <+_FBi> still not sure :/
20:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
20:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ievnhviqrlfzpcrh] has quit [Quit: Connection closed for inactivity]
20:08 < h6w> Basically, the servers 10.20.0.1 and 10.20.1.1 need to talk to each other and act as a local gateway for each subnet.
20:09 -!- joshh20 is now known as joshh20-Away
20:10 <+_FBi> okay?  and you don't want to connect your one server to your other server as a client
20:13 < h6w> That could work, too, but I need to be sure that the routing works in the opposite direction.  I don't want to port-forward on the gateway's IP.  It needs to route transparently.
20:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 246 seconds]
20:43 -!- mikemol [~mikemol@2001:470:c5b9:beef:db4:f67a:a77:3258] has quit [Remote host closed the connection]
20:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:47 < MACscr> ok, so i have openvpn as a daemon on a dd-wrt router and then the test client is an ubuntu guest, though eventually its just going to be two dd-wrt routers. Anyway, here is my config and some troubleshooting info: http://pastie.org/private/gh9h5kaerq1hwseg9rmaa
20:48 < MACscr> i can ping the client from the server, but not the other way around
20:48 < MACscr> i am not using iptables on the client and the iptables on the server are pretty basic
20:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
20:53 < Latrina> MACscr: I had the same problem
20:54 < Latrina> I believe something could be wrong with ur iptables rules
20:54 < Latrina> I suggest u take a look here
20:54 < Latrina> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
20:54 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
20:54 < Latrina> this save
20:54 < MACscr> im not doing a bridge
20:54 < Latrina> *this articles saved mu life
20:54 < MACscr> reading, thanks
20:55 < Latrina> it doesnt matter .. I do not use bridge either
20:55 < Latrina> look at the iptables conf
20:55 < Latrina> basically what it does is routing the clients IP's to the server and eventually to the LAN
20:56 < Latrina> I hope it can help ..
20:56 < Latrina> oh btw, u don't want to enable lzo compression os such a weak hw ..
20:56 < Latrina> *on such ..
20:57 < MACscr> okie dokie
20:57 < MACscr> btw, here are the firewall rules i was told to use http://pastie.org/pastes/8999481/text?key=6czyaj815cmjsbifjmjclg
20:57 < Latrina> MACscr: You need to router the IPS
20:58 < Latrina> I am not an iptables master, actually I dont know much about it .. but what those macros do is to forward the private interface to the tun interface
20:58 < Latrina> and opens the 1194
21:00 < MACscr> right, the forwarding would help with the client being able to access ip's on the the wan, but shouldnt it be able to still ping the 3.1 ip of the router?
21:00 < MACscr> er, IP's on the lan
21:01 < Latrina> I dont know.. I tell u my OpenVPN server is an openwrt router
21:01 < Latrina> and I happen to have the same exact fw conf that u have posted
21:01 < Latrina> and it did not work ..
21:02 < Latrina> couldn't access to the internet, couldn't ping other clients connected
21:02 < Latrina> nor I could ping the server
21:02 < MACscr> i can ping the client
21:02 < MACscr> from the server
21:02 < MACscr> i just cant ping the server from the client
21:02 < Latrina> I meant pinging the clients from within the VLAN
21:03 < Latrina> the clients connected to the VPN subnet
21:03 -!- a___ [~d@iad1-vshost12.dreamhost.com] has quit [Quit: Reconnecting]
21:03 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
21:06 < MACscr> hmm, actually, shouldnt i need a route on the client be able to access 192.168.2.0? I mean, right now the route is just for 192.168.3.1 as the destination
21:06 < MACscr> lol, i suck at this stuff
21:07 < Latrina> its better if u tell us what u want to achieve..
21:08 < MACscr> i have to locations with two different subnets and i want to connect the two so they have access to each others lan's
21:08 < Latrina> one is the private one and the other one is the vpn one ?
21:08 < MACscr> i have dd-wrt enabled routers at both locations
21:08 < MACscr> they both are private
21:08 < Latrina> oh okay.
21:10 < Latrina> than u have to route one subnet to the other
21:10 < Latrina> so that they can comunicate
21:10 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 255 seconds]
21:10 < Latrina> or u can use a dynamic routing table protocol such as RIP
21:11 < Latrina> but since u only have two subnets, route one subnet to the other and ur done
21:11 < Latrina> http://ubuntuforums.org/showthread.php?t=1518144
21:11 <@vpnHelper> Title: [SOLVED] Routing two Subnets (at ubuntuforums.org)
21:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
21:29 < MACscr> Latrina: i get why that routing might be needed to get the two subnets to talk to each other, but something else must be wrong since the client cant ping the openvpn ip of the server. The client and the server would be both on the same subnet since they both use ip's from the openvpn subnet (aka, 192.168.3.1 and 192.168.3.2) on tun0
21:31 < Latrina> and with this I don't get whats the matter with the two private subnets you want to route together ..
21:31 < Latrina> Anyways.. 4:30am, time to get some sleep .. Good night
21:33 < MACscr> np, thanks for the help
21:42 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Remote host closed the connection]
21:54 -!- rkantos [robin@109.169.7.197] has quit [Ping timeout: 255 seconds]
22:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Operation timed out]
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
22:30 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
22:31 -!- lj1 is now known as lj
23:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:28 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Read error: Connection reset by peer]
23:28 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
23:37 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
23:54 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
--- Day changed Mon Apr 07 2014
00:06 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
00:07 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
00:09 -!- leeyaa [~leeyaa@158-58-238-148.sf.ddns.bulsat.com] has quit [Quit: Leaving]
00:18 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 246 seconds]
00:19 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
00:26 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
00:28 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
00:29 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 245 seconds]
00:29 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
00:29 -!- Eugene [eugene@itvends.com] has quit [Ping timeout: 245 seconds]
00:31 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
00:32 -!- Devastator [~devas@186.214.15.46] has joined #openvpn
00:32 -!- Devastatr [~devas@186.214.14.68] has quit [Ping timeout: 255 seconds]
00:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:34 -!- Eugene [eugene@itvends.com] has joined #openvpn
00:37 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
00:37 -!- corretico [~luis@190.5.215.146] has joined #openvpn
00:59 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:08 < h6w> I have a multi-client server running.  For some reason it seems to be allocating 10.8.0.1 P-t-P 10.8.0.2 at the server, but 10.8.0.10 P-t-P 10.8.0.9
01:08 < h6w> I can't ping either way.  Why is it allocating IPs that don't seem to match?
01:19 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 264 seconds]
01:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:33 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
01:37 < heraclitus> can you pastebin your configuration, h6w?
01:38 < h6w> http://ix.io/bx7
01:39 < h6w> OpenVPN 2.2.1 x86_64-linux-gnu  on Ubuntu 12.04.4 LTS
01:43 < heraclitus> ip addr show tun0 ?
01:43 < heraclitus> you only have the one openvpn daemon running?
01:45 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
01:45 < h6w> Server:   http://ix.io/bx8   Client: http://ix.io/bx9
01:45 < h6w> Correct.  Just one on each end.
01:47 < h6w> Hmmm.  Ok.  Now I can ping the server 10.8.0.1 from the client, and the client 10.8.0.6 from the server.
01:47 < heraclitus> I was just going to say, it looked fine to me
01:47 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:47 < heraclitus> :)
01:49 < heraclitus> if you  want internet access on the interface, you'll have to setup a masquerade rule in your netfilter. this is simple, though
01:51 < h6w> heraclitus: Thanks, but I'm actually looking to use each end of the link as a router to the 10.8.1.0/24 (server end) and 10.8.2.0/24 (client end) CIDRs.
01:52 < heraclitus> ah okay, cool
01:53 < h6w> I added push "route 10.8.1.0 255.255.255.0" to the server.conf and reset everything.
01:53 < h6w> Now the client can ping 10.8.1.1, but not anything else in the 10.8.1.0/24 range. :-(
01:54 < h6w> http://ix.io/bxa
01:54 < h6w> IP forwarding is enabled.
01:55 < h6w> Routes: Server: http://ix.io/bxc  Client: http://ix.io/bxb
01:57 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
02:00 < heraclitus> I think you need a `push 'redirect-gateway def1 bypass-dhcp' ` not `'push route 10.8.1.0 255.255.255.0'`
02:00 < heraclitus> if you're looking to route all traffic between the two networks.
02:03 < h6w> Nope, just the 10.8.1.0/24 and 10.8.2.0/24 traffic.
02:04 < heraclitus> https://forums.openvpn.net/topic12869.html < have you taken a look @ this?
02:04 <@vpnHelper> Title: OpenVPN Support Forum Routing problem: Subnets on both sides of OpenVPN connection : Configuration (at forums.openvpn.net)
02:04 < heraclitus> this is not a particular scenario I've dealt with.
02:05 < h6w> Looks great.  Thanks!  I'll try it tomorrow, but have to go now.  Thanks again for your help! :-D
02:05 < heraclitus> alright :)
02:05 < heraclitus> np
02:06 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has left #openvpn []
02:20 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uddkpmbrpfroharc] has joined #openvpn
02:21 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 255 seconds]
02:27 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
02:27 -!- corretico [~luis@190.5.215.146] has joined #openvpn
02:42 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
03:02 -!- makara [~makara@41.164.22.218] has joined #openvpn
03:09 < nomefalso> hi, im a newbie I had a TUN configuration I switched to tap cause I need broadcast upnp servers. I need my client subnet to getserver vpn ips. Is there an easy way to do that. I read on the official faq but there is a tutorial, just advices. Thanks
03:10 < nomefalso> no tutorials...just advices
03:14 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Quit: Leaving...]
03:20 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:22 -!- le0 [~l30@unaffiliated/le0] has quit [Client Quit]
03:25 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
03:25 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:26 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Client Quit]
03:30 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
04:14 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Remote host closed the connection]
04:14 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
04:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:17 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
04:18 -!- corretico [~luis@190.5.215.146] has joined #openvpn
04:19 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Read error: Operation timed out]
04:21 -!- tony1 [~tony@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
04:30 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
04:38 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
04:46 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
04:55 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
04:56 < ACKNAK> Hey, Is it possible to get "status" info faster than every minute? Would scripting be the only way?
04:59 < ACKNAK> hmm "status /path/to/file 10" saves status to file ever 10 seconds
05:01 < ACKNAK> Status can also be written to the syslog by sending a SIGUSR2 signal.
05:01 < ACKNAK> cool!
05:03 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 255 seconds]
05:06 < ACKNAK> found it in manual, but its mentioned as argument for openvpn, not as config file option :(
05:09 -!- gu [~gu@194.231.39.10] has joined #openvpn
05:14 < gu> anybody alive who's specialized in openvpn script issues?
05:14 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
05:19 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 255 seconds]
05:25 -!- nrgskill [~nrgskill@176.204.249.166] has joined #openvpn
05:26 < nrgskill> hi all, can you help me on setting up the routing for having my openvpn server give access to the cleint to the internal network?
05:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uddkpmbrpfroharc] has quit [Quit: Connection closed for inactivity]
05:29 -!- maxiepax [~max@locke.misse.org] has quit [Ping timeout: 245 seconds]
05:34 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wmpwedsxyrmezjzf] has joined #openvpn
05:35 -!- maxiepax [~max@locke.misse.org] has joined #openvpn
05:39 -!- nrgskill [~nrgskill@176.204.249.166] has quit [Ping timeout: 240 seconds]
05:39 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
05:53 -!- rightshift [~rightshif@41.85.8.91] has joined #openvpn
05:53 < rightshift> Hi,
05:53 < rightshift> I'm using OpenVPN under PFSense
05:53 < rightshift> Is there a way to increase my client timeouts?
05:54 < rightshift> Users get disconnected after an hour.
05:54 < rightshift> I'd like to increase this, but I don't see where?
05:54 < rightshift> using OTP
06:00 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
06:04 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
06:08 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
06:08 -!- corretico [~luis@190.5.215.146] has joined #openvpn
06:11 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
06:12 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Quit: flapping connection.. bbl.]
06:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:17 < jacekowski> rightshift: keepalive option
06:23 -!- Haseo [~Haseo@aufrinfo.net] has quit [Quit: Surement une maj, je reviens vite ...]
06:27 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
06:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:28 -!- ron__ [~ron@ppp118-210-232-69.lns20.adl6.internode.on.net] has joined #openvpn
06:31 -!- ron_ [~ron@ppp118-210-119-92.lns20.adl2.internode.on.net] has quit [Ping timeout: 255 seconds]
06:51 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
06:56 < funyun> hi. when i try service openvpn start i get "server tun0 failed!". here's my server config http://pastebin.com/wcaYe6TD
06:56 < funyun> can anyone help?
06:56 -!- indy_ is now known as indy
07:01 -!- lj [~l@74.120.200.95] has joined #openvpn
07:03 -!- Guest35643 [~klein@189.16.6.3] has joined #openvpn
07:05 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 240 seconds]
07:20 < nrgskill> guys, please help me with routing
07:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
07:28 < nrgskill> server config http://pastebin.com/UAnDpcXS
07:30 < nrgskill> client connection log http://pastebin.com/vy33fvid
07:32 < nrgskill> server log http://pastebin.com/5CVrAcn9
07:32 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
07:33 < nrgskill> routing tables
07:33 < nrgskill> http://pastebin.com/4tfPeMRu
07:34 < nrgskill> now, can please someone of you help me this routing thing?
07:35 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
07:35 < nrgskill> ping from client 10.118.0.3 to server 10.107.0.44 works
07:35 < funyun> hi. when i try service openvpn start i get "server tun0 failed!". here's my server config http://pastebin.com/wcaYe6TD
07:35 < funyun> nrgskill: any idea?
07:36 < nrgskill> uncomment #log openvpn.log and check what it says
07:37 < nrgskill> vpnHelper: can you help me please?
07:38 < nrgskill> it's two days I am getting crazy here
07:39 < nrgskill> I need help with routing to access the openvpn server sideork
07:40 < funyun> nrgskill: where is the log file located?
07:40 < nrgskill> windows or linux?
07:40 < funyun> linux
07:42 < nrgskill> "cd /" and "find openvpn.log"
07:42 < nrgskill> you gotta restart the service before
07:43 < funyun> nrgskill: No such file or directory
07:43 < funyun> tried locate also
07:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:44 < funyun> since the error is tun0 failed. is that an openvpn problem or a system problem?
07:44 < nrgskill> "service openvpn restart"
07:44 < funyun> nrgskill: [FAIL] Starting virtual private network daemon: server tun0 failed!
07:44 < nrgskill> you should have /etc/openvpn/openvpn.log
07:45 < funyun> nrgskill: http://pastebin.com/TcGESKvB
07:47 < nrgskill> it says TUN/TAP device tun0 opened, should work
07:48 < nrgskill> ifconfig tun0, what you get?
07:48 < funyun> nrgskill: so the server tun0 failed! error doesn't mean anything?
07:48 < funyun> nrgskill: inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
07:49 < nrgskill> looks fine
07:49 < nrgskill> are you on ubuntu 13.10?
07:49 < funyun> debian wheezy
07:50 < nrgskill> this was ok for me https://help.ubuntu.com/13.10/serverguide/openvpn.html
07:50 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
07:51 < nrgskill> vpnHelper: any advice on the routing? I need to access local network on server side
07:51 <@vpnHelper> (any [<channel>] [--user <name>] [<nick>]) -- Returns the last time <nick> was seen and what <nick> was last seen doing. This includes any form of activity, instead of just PRIVMSGs. If <nick> isn't specified, returns the last activity seen in <channel>. If --user is specified, looks up name in the user database and returns the last time user was active in <channel>. <channel> is only necessary
07:51 <@vpnHelper> if the message isn't sent on the channel itself.
07:51 < ACKNAK> :O
07:52  * ACKNAK flops on vpnHelper 
07:52 < nrgskill> my routing table http://pastebin.com/4tfPeMRu
07:53 < ACKNAK> whaaa
07:54 < ACKNAK> nrgskill, so whats the problem
07:54 < ACKNAK> you push "route 10.107.0.0 255.255.0.0" to client
07:54 < ACKNAK> and your clients gets it
07:54 < ACKNAK> 10.107.0.0      10.69.64.5      255.255.0.0     UG    0      0        0 tun1
07:55  * ACKNAK read previous messages ~_~
07:57 < ACKNAK> ping from client 10.118.0.3 to server 10.107.0.44 works
07:57 < nrgskill> ACKNAK: applied, restarted the server and the client  ping 10.118.0.3 (client) from server still not
07:58 < ACKNAK> but it works from client to server?
07:58 < ACKNAK> and not from server to client?
07:58 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
07:58 < nrgskill> yep
07:59 < nrgskill> I think because the routing on the server
07:59 < ACKNAK> you sure its not because of firewall on client?
07:59 < ACKNAK> if your server knows how to answer on ping requests it should know how to ping too
08:00 < nrgskill> firewall disabled both sides, routing table you find it here http://pastebin.com/4tfPeMRu
08:00 < funyun> nrgskill: should i have a tun0.conf file in my /etc/openvpn dir?
08:00 < ACKNAK> try tcpdump, you will see whats going on! :)
08:01 < ACKNAK> like "tcpdump -i tun0 icmp"
08:01 < ACKNAK> on server side
08:01 < nrgskill> funyun: nope
08:01 < ACKNAK> then try to ping your client
08:02 < ACKNAK> if you are using tun0 ofc :D
08:02 < ACKNAK> if you will see packets leaving interface, its not routing problem
08:03 < ACKNAK> at least not on server side
08:04 < nrgskill> no output, but "traceroute 10.118.0.3" says I'm using default gw instead the tunnel
08:04 < nrgskill> I can't set up the route properly
08:04 < ACKNAK> :O
08:05 < ACKNAK> waaaait
08:05 < ACKNAK> nrgskill, you say your client is 10.118.0.3
08:05 < nrgskill> yep, a local network
08:05 < ACKNAK> while server 10.69.64.0 255.255.255.0
08:06 < ACKNAK> so your client should be 10.69.64.*
08:06 < ACKNAK> not 10.118
08:06 < nrgskill> that's the ip on the tun interface
08:06 < nrgskill> the local interface is 10.107.0.44
08:06 < nrgskill> it's routing
08:06 < ACKNAK> so 10.118 is network BEHIND your client?
08:06 < nrgskill> is eth0 of my client
08:06 < ACKNAK> yeah
08:06 < ACKNAK> its BEHIND client
08:06 < ACKNAK> you have to use iroute
08:06 < funyun> nrgskill: that was the problem. i deleted that file and now it works. thanks
08:07 < nrgskill> iroute? anyway, for cleint Local Address: 10.69.64.6 Remote Address: 10.69.64.5
08:08 < ACKNAK> nrgskill, https://openvpn.net/index.php/open-source/documentation/howto.html search for iroute
08:08 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:09 < ACKNAK> you have to put do something like echo "iroute 10.118.0.0 255.255.255.0" >> openvpn/ccd/certificate_name
08:09 < ACKNAK> that would tell server that there is a network behind client
08:10 < nrgskill> cool, thanks
08:11 <@krzee> !route
08:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
08:11 <@krzee> !clientlan
08:11 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
08:11 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
08:11 < ACKNAK> ah yup ^^
08:11 <@krzee> (for more reading enjoyment) =]
08:21 < esde> !configs | esde
08:21 < esde> !configs
08:21 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:25 < funyun> nrgskill: i'm no longer getting the error but i can't connect either.. server config http://pastebin.com/SpAbXfyS, client config http://pastebin.com/piKM0XYc, and client log http://pastebin.com/mhrEmnx0. any idea?
08:29 < ACKNAK> btw, why do you use resolv-retry infinite if you are connecting to IP address
08:29 < funyun> ACKNAK: i just used the example config. should i remove it?
08:32 < funyun> ACKNAK: i removed it. still not working :'(
08:32 < ACKNAK> it could not fix your problem, it just does nothing in your case
08:33 < funyun> ACKNAK: any idea what my problem is?
08:33  * ACKNAK looks
08:35 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
08:35 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Ping timeout: 255 seconds]
08:43 -!- sunwind` [~paradox@86.10.62.238] has joined #openvpn
08:46 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
08:48 < funyun> ACKNAK: find anything?
08:50 < ACKNAK> sorry, work attack!
08:51 < funyun> np
08:51 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:56 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
08:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
08:58 -!- funyun_ is now known as funyun
09:04 < ACKNAK> funnel, do you have log from server?
09:05 < ACKNAK> I'm noob, but it seems like your client cannot initiate connection, you should get AUTH after WAIT, or at least TLS timeout
09:06 < funyun> ACKNAK: http://pastebin.com/ugiiEvBw
09:13 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
09:14 < ACKNAK> funyun, whats going after "Initialization Sequence Completed"? o_O
09:15 < funyun> ACKNAK: i get this with viscocity WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
09:16 < ACKNAK> yeah that could be problem
09:19 < ACKNAK> or not :O
09:19  * ACKNAK have no idea
09:19 < funyun> ACKNAK: i did what it said. still no change
09:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:22 -!- gu [~gu@194.231.39.10] has joined #openvpn
09:23 < ChrisH> funyun: did you show the server log?
09:24 < funyun> ChrisH: yes. but i can't scroll up to repost it. i got disconnected..
09:24 < ACKNAK> ChrisH, http://pastebin.com/ugiiEvBw
09:25 -!- ron__ is now known as ron_
09:25 -!- gu [~gu@194.231.39.10] has quit [Client Quit]
09:26 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
09:27 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 246 seconds]
09:32 < ChrisH> funyun: I cannot see anything but some pressed "disconenct" on tunnelblick
09:32 -!- lj [~l@192.241.174.169] has joined #openvpn
09:32 -!- sunwind` [~paradox@86.10.62.238] has quit [Read error: Connection reset by peer]
09:32 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
09:33 < funyun> ChrisH: i tried replacing udp with tcp on both server and client config and now i can connect
09:36 < ChrisH> funyun: I cannot see any incomming connect in your server log. Did yopu forward the UDP to your OpenVPN Server?
09:36 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
09:37 < funyun_> were my last few messages posted?
09:37 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 246 seconds]
09:37 < funyun_> ChrisH: i tried replacing udp with tcp on both server and client config and now i can connect
09:38 < funyun_> ChrisH: new client output http://pastebin.com/AWkG4sp9
09:42 -!- hive-min1 [pranq@mail.bbis.us] has quit [Changing host]
09:42 -!- hive-min1 [pranq@unaffiliated/contempt] has joined #openvpn
09:43 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
09:48 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
09:48 -!- corretico [~luis@190.5.215.146] has joined #openvpn
09:51 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
09:55 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has joined #openvpn
10:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
10:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:04 -!- mode/#openvpn [+v s7r] by ChanServ
10:11 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
10:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:24 -!- funyun [~temp@75.98.236.75] has joined #openvpn
10:25 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
10:28 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
10:31 -!- funyun_ [~temp@75.98.236.67] has joined #openvpn
10:33 -!- funyun [~temp@75.98.236.75] has quit [Ping timeout: 255 seconds]
10:38 -!- master_of_master [~master_of@p4FF2462F.dip0.t-ipconnect.de] has joined #openvpn
10:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:42 -!- master_o1_master [~master_of@p4FF24BAA.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:47 -!- ACKNAK [~Celestial@broadband-5-228-253-217.nationalcablenetworks.ru] has joined #openvpn
10:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
10:54 -!- octocodercat [octocoderc@unaffiliated/octocodercat] has quit [Quit: Octocodercat pwns all]
10:59 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
10:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:06 -!- lj [~l@192.241.174.169] has joined #openvpn
11:06 -!- lj [~l@192.241.174.169] has quit [Client Quit]
11:07 -!- lj [~l@192.241.174.169] has joined #openvpn
11:14 -!- funyun_ [~temp@75.98.236.67] has quit [Ping timeout: 255 seconds]
11:20 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:21 -!- raidz is now known as raidz_away
11:21 -!- d^^b [~tittyspri@dyn.170-56-7-31.swissinet.com] has joined #openvpn
11:23 < d^^b> !welcome
11:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
11:23 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:24 < d^^b> Will someone help me with an openvpn/networking issue?
11:24 < d^^b> for some reason, openvpn is not listening
11:24 < d^^b> tun opens
11:24 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
11:24 < d^^b> port is specified
11:24 <+_FBi> netstart
11:24 <+_FBi> err
11:25 <+_FBi> netstat -nlp | grep openvpn
11:25 < d^^b> yeah i have already use netstat -ntlp
11:25 < d^^b> openvpn is not listening
11:25 < d^^b> at all
11:25 < d^^b> but it is running
11:25 < d^^b> which is odd
11:26 <+_FBi> ps -A | grep openvpn
11:26 <+_FBi> oh
11:27 < d^^b> https://pastee.org/mtu3c
11:28 < d^^b> here is my syslog
11:28 < d^^b> see everything looks good
11:28 < d^^b> except
11:28 < d^^b> it should have one more line that tells me it is listening
11:32 -!- raidz_away is now known as raidz
11:33 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has joined #openvpn
11:36 < d^^b> anyone have any clues?
11:40 -!- funyun [~temp@75.98.236.75] has joined #openvpn
11:45 < Beta2K> What's your config look like?
11:46 < Beta2K> Do you have a port specified in it?
11:46 -!- elfixit [~Icedove@196-227.197-178.cust.bluewin.ch] has joined #openvpn
11:47 -!- elfixit [~Icedove@196-227.197-178.cust.bluewin.ch] has quit [Client Quit]
11:48 < Beta2K> Can I run a command on a client when the link comes up just using the server config or ccd, without touching the client config?
11:49 < d^^b> there is no link to be made
11:49 < d^^b> it is not listening at all
11:50 < d^^b> and yes, as i said, port is specified
11:50 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
11:50 < d^^b> take a look at the pastee link
11:51 < d^^b> it is just not listening for some reason
11:51 < d^^b> restarted openvpn several times
11:51 < d^^b> changed the config several times
11:54 < d^^b> when i start openvpn, i should be seeing something like "Listening for incoming UDP connection on [undef]" but it just will not listen for some reason
11:54 < d^^b> *I should see that when i tail /var/log/syslog
11:58 -!- gu [~gu@dslb-088-071-090-153.pools.arcor-ip.net] has joined #openvpn
12:11 < Beta2K> d^^b: Tried rolling your own from source?
12:18 -!- olegreal [~oleg@broadband-95-84-206-158.nationalcablenetworks.ru] has joined #openvpn
12:22 < d^^b> yes i installed from github earlier, but that was odd too
12:24 < d^^b> it was putting openvpn in /usr/local/sbin, and nothing in /usr/sbin and bash was not recognizing openvpn as a command
12:24 < d^^b> so i had to fix that
12:25 < d^^b> and during the install i had errors with pkcs11 support
12:26 < d^^b> configured fine, but then when i would make it, it would fail with some reference to pkcs11 giving an unexpected reference in a .so file
12:27 < d^^b> and when i enabled snappy support, it gave me errors when i tried to generate a ta.key file
12:28 < d^^b> this is why i went back to the openvpn repo install
12:28 < d^^b> but maybe the github version fucked things up for me somehow
12:28 < d^^b> i used make uninstall
12:28 < d^^b> so idk
12:29 -!- olegreal [~oleg@broadband-95-84-206-158.nationalcablenetworks.ru] has quit [Quit: Leaving]
12:34 -!- freinhard [~freinhard@dslb-188-098-253-058.pools.arcor-ip.net] has quit [Remote host closed the connection]
12:36 -!- p3rror [~mezgani@105.156.198.176] has quit [Ping timeout: 240 seconds]
12:42 -!- gu [~gu@dslb-088-071-090-153.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
12:44 < Beta2K> Oye, sorry dont know how to set the prefix with CMake
12:44 < Beta2K> You can always add /usr/local/bin /usr/local/sbin to your path
12:45 < Beta2K> Or directly call it
12:45 -!- p3rror [~mezgani@105.156.198.176] has joined #openvpn
12:45 < Beta2K> It would be a good test to make sure your distros build isnt broken
12:47 < BtbN> just never do make install if you don't intend to potentialy break your system
12:50 -!- p3rror [~mezgani@105.156.198.176] has quit [Ping timeout: 255 seconds]
12:51 < pekster> That is why things go into /usr/local by default
12:52 < pekster> See also: `./configure --help` from the release tarballs. If you're using git HEAD (of any non-release branch) you need to be familiar with basic build processes, dependency resolution, and autoconf (maybe `autoreconf -vfi`)
12:52 < Beta2K> Isn't openvpn's build system cmake not automake?
12:52 < pekster> Not 2.3 anyway
12:52 -!- gu [~gu@dslb-188-096-250-101.pools.arcor-ip.net] has joined #openvpn
12:53 < d^^b> these are all things i have done
12:53 < d^^b> dunno if i have broken my server tho
12:53 < d^^b> that would suck
12:54 < Beta2K> If you use the compiled from source version, do you get the same log output?
12:54 < d^^b> i am getting a new error after adding a new iptables rule tho
12:55 < d^^b> idk, i didn't look at the github version log
12:55 < d^^b> never even tried to connect with that version
12:56 < Beta2K> Try it, also turn off your firewall while trying to diagnose, takes one more unknown out of the equation :)
12:56 < pekster> My suggestion: don't use master or 2.3 HEAD versions unless you know what you're doing
12:56 < d^^b> already tried that
12:58 < d^^b> well what is there to know about autoreconf -vfi, ./configure with options, make, make install pekster?
13:01 -!- p3rror [~mezgani@105.156.198.176] has joined #openvpn
13:02 -!- lj [~l@192.241.174.169] has joined #openvpn
13:05 <+reiffert> you would need libtoolize to make it work
13:05 -!- kirin` [telex@gateway/shell/anapnea.net/x-uigakdlgmtfnqnlz] has quit [Ping timeout: 255 seconds]
13:05 < d^^b> i had all the necessary dependencies
13:06 <+reiffert> not dropping packets on the loopback interface might be mandatory
13:06 < d^^b> right now i am on a openvpn repo install right now
13:06 < d^^b> idk why i repeated myself there
13:06 < d^^b> haha
13:07 < d^^b> but yeah, the problem is that the process is starting fine, but it is jst not listening
13:07 < d^^b> if you take a look at my pastee from a little bit ago... that was my syslog
13:08 < d^^b> then i added this... iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
13:09 < d^^b> and now this is my output.... https://pastee.org/8fgha
13:12 -!- Denial- [Denial@90.214.34.101] has joined #openvpn
13:12 -!- kirin` [telex@gateway/shell/anapnea.net/x-yhwvefbuwgdjsjak] has joined #openvpn
13:13 -!- Denial [Denial@90.214.34.101] has quit [Ping timeout: 255 seconds]
13:13 -!- Denial- is now known as Denial
13:13 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Ping timeout: 240 seconds]
13:19 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
13:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-yhwvefbuwgdjsjak] has quit [Ping timeout: 252 seconds]
13:26 -!- gu [~gu@dslb-188-096-250-101.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
13:28 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
13:29 -!- corretico [~luis@190.5.215.146] has joined #openvpn
13:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-tuwlyzcwnboyscag] has joined #openvpn
13:35 < d^^b> ok, well i switched back to the github version, and it is giving me some better errors
13:35 < d^^b> but i still do not know what the problem is
13:36 < d^^b> https://pastee.org/y5jeb
13:36 < d^^b> do you have any insight pekster?
13:37 -!- gu [~gu@dslb-088-070-172-039.pools.arcor-ip.net] has joined #openvpn
13:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
13:45 < Beta2K> Hate to ask, are you running as root? :)
13:46 < d^^b> yes
13:47 < Beta2K> Wait, your ctrl-c broke out of it
13:47 < Beta2K> It started up
13:50 < d^^b> no it didn't start up
13:50 < d^^b> =/
13:50 < d^^b> also, while i was using the repo version, it was starting up just fine
13:50 < d^^b> it just wasn't listening
13:51 <@krzee> Mon Apr  7 20:29:53 2014 Initialization Sequence Completed
13:51 <@krzee> ^CMon Apr  7 20:30:31 2014 event_wait : Interrupted system call (code=4)
13:51 <@krzee> from what i see it was done, for 38 seconds before you killed it
13:51 < d^^b> i didn't crtl c there
13:52 -!- gu [~gu@dslb-088-070-172-039.pools.arcor-ip.net] has quit [Quit: Leaving.]
13:52 <@krzee> howd it get into the paste then?
13:52 < d^^b> let me try again, just to be sure
13:52 < d^^b> but i have no idea
13:52 <@krzee> maybe a ghost typing with you ;]
13:52 <@krzee> !call
13:53 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
13:53 <@krzee> !learn call as http://www.xmg.com/wp-content/uploads/2012/07/GB_Logo_New_MB_WIP-2.png
13:53 <@vpnHelper> Joo got it.
13:53 < d^^b> oh right, yes i did ctrl c out of it
13:53 < d^^b> it wasn't doingf anything
13:53 < d^^b> -f
13:53 <@krzee> it was connected for 38 seconds, what were you expecting it to do?
13:54 <@krzee> especially if running as a server
13:54 < d^^b> how was it connected?
13:54 <@krzee> its a server right?
13:54 < Beta2K> It wasn't connected, it was sitting there waiting for connections
13:54 <@krzee> right ^
13:54 < d^^b> yes
13:55 <@krzee> it gave itself a VPN ip, and sat there for 38 seconds waiting for a client to connect
13:55 <@krzee> tghen you killed it.
13:55 < d^^b> then maybe it i am starting up the github version wrong
13:55 < d^^b> i am use to being able to simply type service openvpn start
13:55 <@krzee> the errors only exist after you kill it, and only because you downgrade to daemon so it cant run the commands, and that is fine nothing wrong there
13:56 <@krzee> its starting fine
13:56 <@krzee> its doing what it should
13:56 <@krzee> im not sure what more you want from it
13:56 < d^^b> now that i am back to the github version, i cd to /etc/openvpn and start it with openvpn server.conf
13:57 < d^^b> then i never get my cli back after it says "Initialization Sequence Completed"
13:57 <@krzee> see --daemon in the manual
13:57 < d^^b> which btw krzee, this is a new developement
13:57 <@krzee> !man
13:57 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:57 < d^^b> i was not getting this earlier
13:57 <@krzee> heh
13:57 <@krzee> then your config changed
13:57 < d^^b> actually my version changed
13:57 <@krzee> because if you dont have --daemon then it wont fork
13:58 < d^^b> ?
13:58 <@krzee> and changing version didnt change that
13:58 <@krzee> your config is not set to fork to background, it is set to keep in foreground
13:58 <@krzee> if you depended on your OS to start and stop it, then it was adding --daemon for you
13:58 < d^^b> my .conf?
13:58 <@krzee> yes.
13:58 < d^^b> i see
13:58 <@krzee> so like i said
13:58 < d^^b> never seen --daemon in htop
13:58 <@krzee> see --daemon in the manual
13:59 < d^^b> typically it shows me the openvpn start arguements
13:59 <@krzee> great, off to the manual
14:00 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:00 < d^^b> yeah it's still not working
14:00 <@krzee> !configs
14:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:01 -!- Aliekezhi [~Aliekezhi@80.215.210.64] has joined #openvpn
14:03 < d^^b> krzee: https://pastee.org/f4b9c
14:04 <@krzee> so how didnt it work?  you didnt add daemon
14:04 -!- funyun [~temp@75.98.236.75] has quit [Ping timeout: 255 seconds]
14:04 < d^^b> when i do openvpn --daemon server.conf there is nothing listening when i use netstat -ntlp, and when i look in htop, the only thing with --daemon is udevd
14:05 <@krzee> server 10.8.0.0 255.255.255.192   <-- is there a purpose to that small of a subnet?
14:05 < d^^b> it's what i have been using for years
14:05 <@krzee> also, how many ips do you think that would even give you?
14:06 < d^^b> i only need one
14:06 < Beta2K> 4 if my brain is working :)
14:06 < d^^b> you would know better than I would
14:06 < Proshot> a noob with openvpn, i can't connect to my vpn and i get the following error TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) -- my client and server log are here http://pastebin.com/GAHRAyyV
14:07 < Proshot> i mean my client and server config files
14:07 <@krzee> ok well ya, you didnt add daemon so i dont know how you're saying it didnt work
14:08 < d^^b> didn't i just say i started it with daemon?
14:08 < d^^b> (d^^b) when i do openvpn --daemon server.conf there is nothing listening when i use netstat -ntlp, and when i look in htop, the only thing with --daemon is udevd
14:09 < d^^b> also, i thought 10.8.0.0 255.255.255.* was common?
14:09 < d^^b> Proshot is using that too
14:09 <@krzee> 255.255.255.0 is common
14:09 < Beta2K> It is, 192 is just a really small subnet :)
14:09 <@krzee> 255.255.255.192 is very uncommon
14:09 <@krzee> also, you are using topology net30 so EACH connection gets 4 ips
14:10 <@krzee> so you can handle like 15 clients
14:10 < d^^b> i use 192 because that is my server's netmask
14:10 <@krzee> huh?
14:11 < d^^b> when i look in network interfaces
14:11 < Proshot> ah what d^^b ?
14:11 < d^^b> netmask 255.255.255.192
14:11 <@krzee> for what interface?
14:11 < d^^b> eth0
14:11 < Beta2K> Speaking of ip assignment, how do I make sure I don't assign a IP defined in a ccd connection?
14:11 <@krzee> completely irrelevant to your vpn
14:11 < d^^b> and then all of my extra IP's
14:11 < d^^b> orly?
14:11 <@krzee> orly
14:12 < d^^b> well that is good to know
14:12 <@krzee> and also:
14:12 <@krzee> !topology
14:12 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:12 <@krzee> !/30
14:12 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
14:14 < d^^b> ok krzee, i changed that... but obviously that was not the cause of my issue
14:15 < d^^b> what would you recommend i do now?
14:15 <@krzee> from what i can see you have no issue
14:15 <@krzee> lol
14:15 <@krzee> you posted a log of openvpn connecting as expected
14:15 <@krzee> err starting as expected
14:15 < d^^b> but it is not connecting
14:15 < d^^b> or listening at all
14:15 <@krzee> servers dont make connections.
14:15 <@krzee> it was listening for 38 seconds
14:16 <@krzee> then you killed it.
14:16 < d^^b> but it was not
14:16 <@krzee> but it was, prove to me it wasnt.
14:16 < d^^b> uhhhh
14:16 < d^^b> like i told you
14:16 < Beta2K> Proshot: Dunno, I setup TLS auth so I only get that if I forget to give a new client the ta cert :)
14:16 < d^^b> nothing in netstat when i look
14:16 < d^^b> nothing in htop
14:16 <@krzee> ps auxw|grep vpn
14:17 <@krzee> show me the output
14:17 < d^^b> root 5846 0.0 0.0 10340 868 pts/0 S+ 21:15 0:00 grep vpn
14:17 <@krzee> well its not running.
14:17 < d^^b> yeah
14:17 <@krzee> that is why its not listening.
14:18 <@krzee> very much what is expected.
14:18 < d^^b> yes but even when i start it
14:18 <@krzee> !logfile
14:18 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
14:19 <@krzee> do that, start it, if its not running look at the logfile
14:19 <@krzee> im gussing you're running it differently now?
14:19 <@krzee> trying to use the OS scripts or something?
14:20 < d^^b> when i do openvpn --daemon server.conf it looks like the command completes successfully, but the only time i get to view what happens when i start it, is if i use openvpn server.conf
14:20 < d^^b> and then it hangs
14:20 < d^^b> no i am using the github version now
14:21 < d^^b> just starting it like i said
14:21 <+reiffert> krzee: hi
14:21 < d^^b> i will add those options right now
14:21 < d^^b> and show you the output
14:21 < Beta2K> So if you want to start something on the cli and background it, but still get it's output add a & at the end of the command
14:21 < d^^b> thanks for this help btw
14:21 <@krzee> hey reiffert
14:21 < Beta2K> But yes, you should be using the logging, verb 4 should a fair bit without being too nuts :)
14:22 < Beta2K> shows...
14:22 <@krzee> d^^b, that command should not work
14:22 <@krzee> you must use --config if you have other options
14:22 < Proshot> ehm oke thanks Beta2K
14:22 <@krzee> openvpn --daemon server.conf   = bad
14:22 <@krzee> openvpn --daemon --config server.conf
14:22 <@krzee> = good
14:23 <@krzee> and it doesnt hang, it runs in the foreground
14:23 < d^^b> looks like it all works the same
14:23 <@krzee> and you can put daemon in the config
14:23 <@krzee> !--
14:23 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
14:23 < d^^b> whether i add config or not, i get the same output
14:23 <@krzee> i dunno, maybe they changed something, because before you could only skip --config if using no other options
14:23 < d^^b> how do i add daemon to the config?
14:24 <@krzee> are you being serious?
14:24 <+reiffert> krzee: why not simply let him come up with something worth reading instead all that pointless typing?
14:24 <@krzee> ya im gunna go shower, you can help him
14:24 <@krzee> =]
14:24 -!- mode/#openvpn [+v reiffert] by krzee
14:24 < d^^b> why are you being shitty about it?
14:25 < d^^b> i have done everything you asked
14:25 <+reiffert> d^^b: do this:
14:25 -!- Varazir [~mircwars@c-94-255-128-92.cust.bredband2.com] has joined #openvpn
14:25 <+reiffert> !configs
14:25 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:25 <+reiffert> !logs
14:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:25 < d^^b> i already did that reiffert
14:25 < d^^b> read up
14:25 < d^^b> he already went through my config
14:30 < Proshot> anybody an idea how to solve my tls handshake problem for this openvpn noob
14:32 -!- s7r_e [~s7r@openvpn/user/s7r] has joined #openvpn
14:32 -!- mode/#openvpn [+v s7r_e] by ChanServ
14:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 265 seconds]
14:32 < d^^b> O__O
14:33 < d^^b> well now it is back to running, but not listening
14:33 -!- p3rror [~mezgani@105.156.198.176] has quit [Ping timeout: 255 seconds]
14:33 <+reiffert> sorry my crystall ball broke
14:34 < d^^b> krzee: i used openvpn --daemon --config server.conf and now it is running, like it was before with the repo version, but it's still not listening
14:34 < d^^b> reiffert: gee thanks
14:37 <+reiffert> glad you have it running. proceed with !logs
14:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:38 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 255 seconds]
14:39 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ruzxqigjsfvxrrfb] has joined #openvpn
14:40 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
14:40 -!- p3rror [~mezgani@41.140.97.200] has joined #openvpn
14:43 -!- rightshift [~rightshif@41.85.8.91] has quit [Ping timeout: 246 seconds]
14:44 -!- rightshift [~rightshif@41.85.8.91] has joined #openvpn
14:51 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
14:55 < d^^b> well that took me forever but here you go reiffert
14:56 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
14:56 < d^^b> i would like you to look at this log as well krzee
14:56 < d^^b> https://pastee.org/uuypy
14:56 < d^^b> it looks like it completes
14:56 < d^^b> but it does not
14:56 -!- ACKNAK [~Celestial@broadband-5-228-253-217.nationalcablenetworks.ru] has quit [Ping timeout: 255 seconds]
14:57 < d^^b> no listening at all
14:58 < d^^b> hmmm
14:58 < d^^b> maybe something is fucked up with my routing?
14:59 < d^^b> before i was getting nothing, but now i have 2 new results
14:59 <@krzee> looks fine to me. what makes you say its not listening?
15:01 < d^^b> https://pastee.org/nrdtz
15:01 < d^^b> netstat tells me it's not listening
15:01 <@krzee> netstat -nap
15:01 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:01 <@krzee> show me
15:01 <@krzee> do NOT change anything.
15:02 < d^^b> lol, way too many results to paste that
15:02 < d^^b> that shows a lot of connections
15:03 < d^^b> netstat -ntlp shows anything listening
15:03 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
15:03 <@krzee> no
15:03 <@krzee> show me what i said, at least until Active UNIX domain sockets (servers and established)
15:04 <@krzee>  
15:04 <@krzee> netstat -ntlp doesnt show me my openvpn either, gotta use the tools right :-p
15:05 -!- joshh20-Away is now known as joshh20
15:05 < d^^b> wait, let me see if this works
15:05 < Proshot> funny krzee
15:05 -!- Martin`_ [martin@2001:16f8:15:1000::85] has joined #openvpn
15:05 -!- cripto__ [~joubin@li131-215.members.linode.com] has joined #openvpn
15:05 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:05 < Proshot> i have the same problem
15:05 < d^^b> brb
15:05 -!- maxiepax_ [max@locke.misse.org] has joined #openvpn
15:05 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
15:05 -!- d^^b [~tittyspri@dyn.170-56-7-31.swissinet.com] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
15:05 <@krzee> Proshot, your problem is using netstat wrong?
15:05 -!- kisom_ [~kisom@kisom.thr.kth.se] has joined #openvpn
15:06 -!- jacekows1i [jacekowski@jacekowski.org] has joined #openvpn
15:06 -!- Beta2K_ [~Beta2K@2607:f1c0:841:4eff::20] has joined #openvpn
15:06 < Proshot> oh noh, my problem is that it seems that my openvpn server is not listening on the port i say it should listen namely 443 krzee
15:07 <@krzee> !logs
15:07 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:07 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
15:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
15:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
15:08 -!- P4k3_ [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
15:08 -!- syzzer_ [~syzzer@2001:610:697::12] has joined #openvpn
15:09 -!- seebaer [~seba@kratzbaum.someserver.de] has joined #openvpn
15:09 -!- emid_ [~emid@192.241.162.156] has joined #openvpn
15:09 <+reiffert> :)
15:09 -!- EugeneKay [eugene@itvends.com] has joined #openvpn
15:10 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
15:10 -!- Netsplit *.net <-> *.split quits: tessier_, cripto, guntha`, joako, kloeri, kisom, seba, jacekowski, mitz, @plai,  (+17 more, use /NETSPLIT to show all of them)
15:10 -!- joako_ is now known as joako
15:10 -!- Martin`_ is now known as Martin`
15:10 -!- seebaer is now known as seba
15:10 -!- P4k3_ is now known as P4k3
15:10 -!- simcop2387_ is now known as simcop2387
15:10 -!- EugeneKay is now known as Eugene
15:10 -!- d-_-b [~tittyspri@dyn.170-56-7-31.swissinet.com] has joined #openvpn
15:10 -!- d-_-b is now known as d^^b
15:10 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:11 < d^^b> krzee: ok, so openvpn is running, and it is listening
15:11 < d^^b> but still not working
15:11 < d^^b> tail on syslog says i have to define a device
15:13 < d^^b> what is the syntax for specifying a device via command line?
15:13 < d^^b> and can you just add it as a configure option to the .conf?
15:16 -!- jacekows1i is now known as jacekowski
15:17 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
15:17 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
15:17 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
15:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:18 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:18 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
15:19 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
15:33 -!- d^^b [~tittyspri@dyn.170-56-7-31.swissinet.com] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
15:33 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-cigqhqntlvmozldg] has quit [Read error: Connection reset by peer]
15:34 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-ziqwxsmvntkkajqh] has joined #openvpn
15:35 -!- t0r [~textual@167.206.48.217] has joined #openvpn
15:35 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:43 -!- gu [~gu@194.231.39.10] has joined #openvpn
15:50 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:52 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
15:53 < Moony22> Can I use tor with openvpn on linux?
15:53 -!- d-_-b [~tittyspri@46.19.137.78] has joined #openvpn
15:54 -!- d-_-b is now known as d^^b
15:54 < d^^b> ok, well now i am at a complete loss
15:54 < d^^b> it has to be a networking issue
15:56 < d^^b> openvpn shows as alive and listening, but when i try to connect with a client, it's like nothing happens at all
15:56 < d^^b> i can't even see an attempted connection being made
15:57 -!- Aliekezhi [~Aliekezhi@80.215.210.64] has quit [Remote host closed the connection]
15:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
16:00 < Moony22> no? :p
16:00 <+reiffert> :)
16:00 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
16:03 < d^^b> ?
16:04 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:09 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 255 seconds]
16:09 < Moony22> Is it very difficult to setup openVPN?
16:10 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
16:10 < d^^b> not really
16:10 < d^^b> this is the first time i have had this many issues
16:10 < d^^b> it started when i tried to use the github repo version
16:12 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
16:12 < Moony22> do you know any decent tutorials/guides for debian?
16:13 < d^^b> tons of guides out there
16:13 < d^^b> what distro are you using?
16:13 < d^^b> i mean version of debian
16:13 < Moony22> 7
16:14 < d^^b> add this to your sources.list
16:14 < d^^b> deb http://swupdate.openvpn.net/apt wheezy main
16:15 < d^^b> the only version more up to date than that, is github
16:15 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Operation timed out]
16:15 < Moony22> is the one in the package manager out of date?
16:15 < Moony22> (the usual repos)
16:16 < d^^b> debian packages almost always have old shit
16:16 < d^^b> better to just get the latest stable version straight from openvpn
16:16 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
16:16 < d^^b> i would say that the hardest part of setting up openvpn now, is using easyrsa3
16:17 < d^^b> you might want to try xca
16:17 < d^^b> if you have windows or mac
16:17 < d^^b> as a home computer
16:17 < Moony22> I have a linux VPS
16:18 < Moony22> d^^b: what is KEY_SIZE?
16:18 < d^^b> yes but that is what you will be connecting to, isn't it?
16:18 < Moony22> I'm also using linux to connect to it
16:18 < d^^b> oh
16:19 < Moony22> so what is KEY_SIZE in the vars?
16:19 < d^^b> so you already downloaded easyrsa?
16:19 < Moony22> I'm just reading a guide
16:19 < d^^b> are you using 2.0 or 3?
16:19 < d^^b> oh
16:20 < Moony22> d^^b: http://www.tecmint.com/install-openvpn-in-debian/
16:20 <@vpnHelper> Title: OpenVPN Server and Client Installation and Configuration on Debian 7 (at www.tecmint.com)
16:20 < d^^b> well the guide is most likely using easyrsa 2.0 to create the certs
16:20 < d^^b> yes it is
16:21 < Moony22> so what is KEY_SIZE?
16:21 < d^^b> easyrsa3 documentation is really lacking, you might want to try 2.0
16:21 < d^^b> keysize refers to the size of the keys you want to create
16:22 < d^^b> whether a diffie helman control channel key or whatever
16:22 < d^^b> easyrsa is basically just making it much easier to use openssl x509 commands
16:23 < Moony22> ok
16:23 < d^^b> offers a way to automate the whole process
16:23 < d^^b> but that article mentions 8192 size in bold
16:24 < d^^b> pretty sure openvpn or openssl doesn't support over 4096
16:24 < Moony22> I wasn't going to choose that anyways
16:25 < d^^b> well with rsa, bigger keys = harder to crack
16:25 < d^^b> for the most part anyway
16:26 < Moony22> d^^b: It doesn't look TOO difficult. One thing though, I don't REALLY understand how a VPN works. So all connections going out from the computer go through the VPN?
16:26 < d^^b> not all
16:26 < Moony22> what are the exceptions?
16:26 < d^^b> depends what method you are using
16:26  * Moony22 is confused
16:27 < d^^b> tun does one thing, tap does another
16:27  * Moony22 is INCREDIBLY confused
16:27 < d^^b> they both have their weaknesses and strengths
16:27  * Moony22 just wants simple elaboration
16:27 < Moony22> woah woah woah slow down :p
16:27 < d^^b> yeah me too, they laughed at me when they got bored with helping
16:27 < d^^b> lol
16:28 < Moony22> what method what is using?
16:28 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:28 < d^^b> Moony22: read this... https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
16:28 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:30 < Moony22> Still confused
16:31 < Moony22> what are tun and tap methods OF?
16:31 < d^^b> routing and bridging?
16:31 < Moony22> :(
16:31 < d^^b> at a software level
16:31 < Moony22> :((
16:31 < Moony22> you said this was easy
16:32 < d^^b> well as with all things, it depends what you want to do
16:32 -!- s7r_e is now known as s7r
16:32 < Moony22> have a vpn
16:32 < Moony22> lol
16:32 < Moony22> EVERYTHING
16:33 < d^^b> if you want to setup some elaborate private network, you probably want to use tap
16:33 < Moony22> but if...
16:33 < d^^b> if you just want to have a completely private network connection between you and ur vps, so you can fap to youporn .... probably want to use tun
16:35 < Moony22> probably the second one
16:35 < Moony22> i want simple me > vpn > tor > internet :D
16:37 -!- joshh20 is now known as joshh20-Away
16:37 < d^^b> pretty sure you can just pay someone to set you up with openvpn on fiverr
16:37 < Moony22> never
16:37 < d^^b> if you trust that
16:37 < Moony22> NO.
16:37 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:38 < Moony22> I'd rather let anyone look at everything I do on my computer than pay someone
16:38 < Moony22> to set something up for me
16:38 < d^^b> well then i suggest you get familiar with the wiki
16:39 < Moony22> does the guide I sent use tun or tap?
16:39 < d^^b> tap
16:40 < Moony22> d^^b: does this use tun? http://d.stavrovski.net/blog/post/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
16:40 <@vpnHelper> Title: How to install and set-up OpenVPN in Debian 7 (Wheezy) - The Worst Website - Stavrovski.Net (at d.stavrovski.net)
16:40 < d^^b> yes
16:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
16:41 < d^^b> tun or tap is just a configuration startup option, that you can specify in your .conf file
16:42 < d^^b> see this part in that link...
16:42 < d^^b> port 1194
16:42 < d^^b> proto udp
16:42 < d^^b> dev tun
16:42 < d^^b> dev = device
16:42 < d^^b> tun/tap = virtual network devices
16:43 < Moony22> I think I'll choose tun
16:43 < pekster> d^^b: Exactly what part of the easyrsa3 docs need improving? If there's an omission I'd like to correct it. I assume you've seen the openvpn wiki howto and the in-source docs already? The wiki is:
16:43 < pekster> !easyrsa
16:43 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:43 < Moony22> Thanks for your help, I understand now
16:44 < pekster> Moony22: Don't use tap
16:44 < pekster> The only valid reason for using tap is if you need to send raw Ethernet frames; if you don't, tap is horrible choice
16:44 < pekster> !tunortap
16:44 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
16:44 <@vpnHelper> rooted/jailbroken) support only tun
16:45 < d^^b> not exactly verbose pekster
16:46 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
16:47 < d^^b> i do sincerely appreciate your work tho
16:47 < pekster> d^^b: A howto is designed to walk you through the procedure. The easyrsa docs go into lots of detail, starting with the intro
16:47 < pekster> !intro-to-pki
16:47 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
16:48 < pekster> If anything, that kind of an intro is perhaps too verbose (if the audiance needs a primer to how PKI works, they should probably be using a howto for the usage anyway)
16:48 < pekster> Do remember that easyrsa is not only used for openvpn
16:49 < pekster> https://github.com/OpenVPN/easy-rsa/tree/master/doc
16:49 <@vpnHelper> Title: easy-rsa/doc at master · OpenVPN/easy-rsa · GitHub (at github.com)
16:49 -!- joshh20-Away is now known as joshh20
16:50 < pekster> Was there a part of the howto that was hard to follow? That's a wiki, so constructive edits are more than welcome ;)
16:53 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
16:53 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
16:56 < d^^b> pekster: we were talking about openvpn, not PKI basics
16:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-wmpwedsxyrmezjzf] has quit [Quit: Connection closed for inactivity]
16:58 -!- Guest35643 [~klein@189.16.6.3] has quit [Ping timeout: 252 seconds]
16:58 < d^^b> what i would have liked to see, is stuff like a list of tweaks that can be made to enhance security over the default vars
17:00 < d^^b> i tried to use the value option rather than distinguished name, and it failed completely as i tried to connect
17:00 < d^^b> the wiki seems new to me tho
17:01 < pekster> d^^b: defaults are already secured very well
17:01 < pekster> "value option" ??
17:01 < pekster> The DN now is _just_ the CN as of easyrsa v3
17:02 < pekster> v2 was dumb in that it mandated (without serious hacking) that you provide sillyness like your City, State, Orginization, Orginizational Unit, & Country
17:02 < d^^b> last i tried easyrsa3.... i immediately felt that v2 was easier
17:02 < pekster> It's very hard to use properly
17:02 < pekster> v2 is very hard to use the _right_ way, by sending CSRs to a CA for signing
17:03 < d^^b> yeah i gathered that the moment i started using xca
17:03 < pekster> There's effectively no import feature, the documents encourage what amounts to key-escrow by having your CA generate all the entity private keys (this is _horrible_ for security)
17:03 < pekster> Security is a seperate wiki, if that's your goal:
17:03 < pekster> !hardening
17:03 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
17:03 < d^^b> yeah ive already been there
17:04 < pekster> Follow that and you'll have amazingly good security
17:04 < d^^b> right now it's all irrelevant to me, because i can't get my server to accept connections to openvpn
17:04 < pekster> I presume you have your !configs and !logs at a pastebin somewhere?
17:04 < pekster> (If not, review the bot's helpful info on posting them)
17:05 < d^^b> yes, but they have changed over time as i received some help here
17:05 < d^^b> if you are willing to help, i honestly think it is a networking issue
17:09 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
17:09 < d^^b> guess not
17:09 -!- corretico [~luis@190.5.215.146] has joined #openvpn
17:09 < pekster> I haven't seen your files
17:09 < pekster> !new
17:09 -!- Latrina_ [~Latrina@adsl-ull-90-183.50-151.net24.it] has joined #openvpn
17:09 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
17:10 < pekster> !welcome
17:10 < d^^b> lol
17:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:10 -!- Latrina_ [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Client Quit]
17:10 < d^^b> yes i have done those
17:10 < d^^b> =D
17:10 < pekster> You have not provided them to me
17:10 < d^^b> which files would you like?
17:10 < d^^b> see that is the terrible part now
17:10 < pekster> really?
17:10 < Moony22> !logs
17:10 < pekster> 17:04:22 < pekster> I presume you have your !configs and !logs at a pastebin somewhere?
17:10 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:10 < pekster> 17:04:44 < pekster> (If not, review the bot's helpful info on posting them)
17:10 < Moony22> !configs
17:10 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:11 < pekster> THere we go. We have a winner :)
17:11 < d^^b> my syslog looks clear after i worked krzee
17:11 < Moony22> :D
17:11 < d^^b> netstat shows openvpn as listening now
17:11 < Moony22> Do I get a t-shirt?
17:11 < pekster> d^^b: What's syslog to do with anything? If you're confused how logging works, you should have read the info above about that. Please try to read before asking already-answered questions
17:11 < pekster> Moony22: You won't have me making fun of you (yet) ;)
17:11 < pekster> Try:
17:11 < pekster> !logfile
17:11 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
17:12 < d^^b> pekster: if you read up, you are not telling me anything new
17:12 < pekster> d^^b: Yes, I am. You apparently have no idea where your logs are. They're _not_ automatically in syslog
17:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ruzxqigjsfvxrrfb] has quit [Quit: Connection closed for inactivity]
17:12 < Moony22> !logs
17:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:12 < d^^b> i have already done this if you read up
17:12 < d^^b> like i said twice
17:12 < Moony22> hey what happens if you follow all the commands said in each command
17:12 < pekster> So where's the link?
17:13 < d^^b> like i said, my syslog is clear
17:13 < d^^b> no mention of any errors when i try to connect
17:13 < pekster> Then you have failed to do what was asked
17:13 < Moony22> !configs
17:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:13 -!- joshh20 is now known as joshh20-Away
17:13 < pekster> When you figure it out, let me know. You _never_ get "nothing" in your logs. Ever.
17:13 < d^^b> which was what?
17:14 < d^^b> /sigh
17:14 < d^^b> tail /var/log/syslog | less has 0 mention of openvpn
17:14 < pekster> YOUR LOGS MAY NOT BE IN SYSLOG
17:14 < pekster> FFS
17:14 < d^^b> openvpn is running and listening
17:14 < pekster> !read
17:14 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
17:15 -!- p3rror [~mezgani@41.140.97.200] has quit [Quit: Leaving]
17:15 < Moony22> !logfile
17:15 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
17:15 < d^^b> log /var/log/openvpn
17:15 < d^^b> you were saying?
17:15 < Moony22> When do I get t-shirt?
17:15 < d^^b> just as uninformative
17:16 < d^^b> shows the one good startup that i currently have running and that is all
17:16 < d^^b> that link is still above if you wish to read it
17:16 < pekster> It's your job to paste a recent link. I limit my playing of "go fish" to children who deserve such things
17:17 < pekster> factoid for that too:
17:17 < pekster> !paste
17:17 -!- syzzer_ is now known as syzzer
17:17 -!- syzzer [~syzzer@2001:610:697::12] has quit [Changing host]
17:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
17:17 -!- mode/#openvpn [+o syzzer] by ChanServ
17:17 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
17:17 < d^^b> well you are telling me to paste logs that give no new info than what i have already pasted
17:18 < pekster> two fucking hours ago
17:18 < Moony22> !copy
17:18 < pekster> Are you really so lazy you can't provide a recent link, and your current setup?
17:18 < pekster> If so, I'm too lazy to give a shit
17:18 < pekster> Very simple :)
17:18 < Moony22> !giveashit
17:18 < pekster> Nah, but we do have:
17:18 < pekster> !douchey
17:18 <@vpnHelper> "douchey" is http://catb.org/~esr/faqs/smart-questions.html#keepcool
17:18 < Moony22> :D
17:19 < pekster> Swearing encourage when required. Stupidity best left at the door.
17:19 < d^^b> my current setup may be relevant, but my openvpn logs and my syslog ar enot
17:19 < Moony22> !paste !paste
17:20 < Moony22> lol
17:20 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
17:20 < pekster> Then you clearly have things well in hand. I'll defer to your expert opinion on what's wrong
17:20 < Moony22> ^ How can you say what's relevant if you don't know what's wrong
17:20 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:21 < d^^b> i was hoping you might be able to tell me when i may have done wrong with the networking aspect of things, if you listen to me
17:21 < d^^b> *gone
17:21 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Quit: leaving]
17:22 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
17:23 < Moony22> This support session isn't having a holiday this year
17:23 < Moony22> Because IT ISN'T GOING ANYWHERE (insert_laugh_here)
17:25 < d^^b> pekster: https://pastee.org/gh5we https://pastee.org/bbabq
17:25 < d^^b> and yes i have echo 1 > /proc/sys/net/ipv4/ip_forward
17:26 < Moony22> !goal
17:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:27 < pekster> That's half your config
17:28 < pekster> line 17 of your netfilter rules is bogus: aliases are not interfaces
17:28 < d^^b> you want my client config too?
17:28 < pekster> aliases are how the 2.2 kernel did networking. It's old, it's broken, and it won't work in Netfilter
17:28 < pekster> Good news is that you don't need it; line 16 does what you want
17:28 < pekster> And yes, both sides of the config are required to check things over
17:28 < d^^b> ok
17:29 < d^^b> so that is likely my issue
17:29 < d^^b> 1 sec
17:29 < d^^b> this is relevant
17:29 < pekster> Line 17 of the iptables-save? That's not a problem (it's just 100% worthless)
17:30 < pekster> server configs looks fine though; your logs will go in /var/log/openvpn, fwiw
17:31 < pekster> Although with line 7, you should remove lines 2 & 3
17:32 < pekster> See --server in the manpage; those are already included
17:32 < Beta2K_> d^^b: Still not working?
17:32 < d^^b> sorry for the delay
17:33 < d^^b> pekster: https://pastee.org/2hv79
17:33 < d^^b> that was from my last successful startup of openvpn
17:33 < d^^b> see how it is referencing the alias
17:34 < d^^b> the reason for this is because i have 5 IP's in total on my server, and it was my goal to be able to use them all
17:34 < pekster> That's not how Netfilter works; that message is not from netfitler
17:34 < pekster> http://inai.de/2008/0219-ifconfig-sucks.php
17:34 <@vpnHelper> Title: j.eng's site: News, Notes, Quips, Tweets, Things to share. (at inai.de)
17:34 < d^^b> well i did compile with iproute2 like you told me to before pekster
17:34 < pekster> On Linux, stop using broken tools like ifconfig & route. And stop referencing broken Netfilter references
17:35 < pekster> It's just as useful as -o bogus
17:35 < d^^b> ok, so what do you suggest i do?
17:35 < d^^b> other than what i shouldn't do
17:35 < pekster> Delete line 17
17:36 < pekster> It's 100% worthless (so, let's put the thinking cap on, shall we? If it's worthless, why are you defending it so hard?)
17:36 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
17:36 < pekster> Or don't. But don't try to tell me how right it is
17:36 < d^^b> o___O what are you even talking about
17:36 < pekster> https://pastee.org/bbabq
17:36 < pekster> Line 17
17:36 < pekster> It's bogus
17:36 < d^^b> i never defended it even once
17:36 < d^^b> yeah i heard you the first time
17:37 < pekster> 17:33:42 < d^^b> see how it is referencing the alias
17:37 < pekster> Yes, you were. Do _NOT_ put that in your Netfilter (aka "iptables") files. Even if you have >1 IP
17:37 < d^^b> i meant openvpn
17:38 < pekster> Lines 2 & 3 are breaking things when line 7 gets processed
17:38 < d^^b> ROUTE_GATEWAY MY.IP.WAS.HERE/255.255.255.192 IFACE=eth0:0
17:39 < d^^b> that is what i was talking about
17:39 < pekster> Yes, I know
17:39 < pekster> And You're not paying any attention
17:39 < pekster> It is NOT (as in FUCKING NOT) your interface
17:39 < d^^b> that looks like openvpn is referencing some connection to 0:0
17:39 < pekster> meh.
17:39 < d^^b> jesus christ, i set it up, i know it's not
17:39 < d^^b> wtf
17:39 < d^^b> but...
17:40 < pekster> Ignore that output
17:40 < pekster> Fix your logging
17:40 < d^^b> like i said, it looks like openvpn is referencing it
17:40 < pekster> Fix the lines in your sever config I've told you about 3 times now
17:40 < d^^b> fix it how?
17:40 < pekster> (and yes, that's part of the route detection)
17:40 < pekster> 17:38:46 < pekster> Lines 2 & 3 are breaking things when line 7 gets processed
17:40 < pekster> Stop tying so much shit. Read more. Do more.
17:40 < pekster> typing*
17:40 < pekster> You're bordering clueless here
17:41 < pekster> Told you this 10 minutes ago too
17:41 < pekster> 17:31:52 < pekster> Although with line 7, you should remove lines 2 & 3
17:41 < d^^b> no, you are just taking my replies as responses to what i am not responding too
17:41 < pekster> Reading mush be hard for you
17:41 < d^^b> you don't have to be a dick
17:41 < pekster> Did you even read --server in the manpage? I suggested you do that
17:41 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
17:41 < pekster> !douchey
17:41 <@vpnHelper> "douchey" is http://catb.org/~esr/faqs/smart-questions.html#keepcool
17:41 < d^^b> the goal here is to help people
17:42 < pekster> You're entitled a full refund if my time volunteering doesn't meet your standards
17:42 < Moony22> You are both being showers
17:42 < pekster> So, how about we do productive things? Remove line 17 from your iptables-save output, then feed it back to iptables-restore(8). This is optional, but removes the junk
17:42 < d^^b> just saying, every word you type doesn't have to have a condescending attitude behind it
17:42 < pekster> Then go delete lines 2-2 of your server config
17:42 < pekster> Then go put what is on line 9 at the very top
17:42 < pekster> Then you will have complete logs
17:42 < Moony22> JUST DO WHAT HE SAYS
17:42 < pekster> Most of this I've already said earlier
17:42 < Moony22> Or she
17:43 < Moony22> Sorry of its a she
17:43 < Moony22> If*
17:43 < d^^b> Moony22: how about you stay out of it, i do love how you accept my help, and then turn around and try to gang up on me while he is being condescending
17:43 < d^^b> class act
17:44 < Moony22> d^^b I'm ganging up on both of you
17:44 < Moony22> I said you're both being showers
17:44 < d^^b> pekster: mode server is not needed?
17:45 < Beta2K_> Huh?  The root question still comes down to, did you make the sujested changes to the config?  If so, what was the result, if not?....
17:45 < pekster> 17:31:52 < pekster> Although with line 7, you should remove lines 2 & 3
17:45 < pekster> 17:32:18 < pekster> See --server in the manpage; those are already included
17:45 < pekster> Did you read --server in the manpage?
17:45 < d^^b> no
17:45 < pekster> http://catb.org/~esr/faqs/smart-questions.html#lesser
17:45 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
17:45 < Beta2K_> I mean, why banter about symantics on who's being and ass hole :)  It doesn't help solve the problem :)
17:46 < pekster> Read that link. Then go read the manpage reference I gave you
17:46 < Beta2K_> *an
17:46 < Moony22> Beta2K_ I prefer the term shower instead of asshole
17:46 < pekster> Beta2K_: catb.org can help, but only for people who want to learn how to ask smart questions :\
17:47 < d^^b> don't be a cunt pekster
17:47 < Beta2K_> Moony22: noted :)
17:47 -!- mode/#openvpn [+o pekster] by ChanServ
17:47 -!- mode/#openvpn [+q *!~tittyspri@*] by pekster
17:47 -!- mode/#openvpn [-o pekster] by ChanServ
17:47 < Beta2K_> hehehe
17:48 < pekster> Problem solved. When you figure the manpage out, let me know.
17:48 -!- Beta2K_ is now known as Beta2K
17:49 < Moony22> Use your VPN to not be quieted huehuehue
17:49 -!- d^^b [~tittyspri@46.19.137.78] has quit [Quit: Senkei.Senbonzakura.Kageyoshi]
17:49 < Beta2K> Won't help
17:50 < Beta2K> It's based on his ident
17:50 < Moony22> It was a joke
17:50 < Moony22> He can't use his VPN that's why he's on this channel
17:50 -!- d-_-b [~fuckpekst@46.19.137.78] has joined #openvpn
17:51 < Moony22> looool
17:51 < d-_-b> no need for the oper abuse
17:51 -!- mode/#openvpn [+o pekster] by ChanServ
17:51 <@pekster> Ban evsion, cute
17:51 -!- d-_-b was kicked from #openvpn by pekster [d-_-b]
17:51 -!- d-_-b [~fuckpekst@46.19.137.78] has joined #openvpn
17:51 -!- mode/#openvpn [+b *!*fuckpekst@46.19.137.*] by pekster
17:51 -!- d-_-b was kicked from #openvpn by pekster [d-_-b]
17:51 < Moony22> Haha
17:51 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
17:51 -!- mode/#openvpn [+b *!*@46.19.137.78] by pekster
17:51 <@krzee> that took longer than i expected
17:52 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Operation timed out]
17:52 <@krzee> i almost banned him when i told him to add daemon to the config, and he asked "how?"
17:52 -!- mode/#openvpn [-b *!*fuckpekst@46.19.137.*] by pekster
17:52 <@krzee> decided at that point he had to be a troll
17:52 -!- mode/#openvpn [-q *!~tittyspri@*] by pekster
17:52 -!- lj [~l@192.241.174.169] has joined #openvpn
17:53 < Moony22> That's the sort of thing I would ask krzee
17:53 < Moony22> No trolling involved
17:53 <@pekster> I think he mant the trolling started after that :P
17:53 -!- screwpekster [~fuckpekst@5.153.234.74] has joined #openvpn
17:53 < screwpekster> not very nice
17:53 -!- mode/#openvpn [+b *!*@5.153.234.*] by pekster
17:53 < Moony22> Yay did you get your VPN working?
17:54 -!- screwpekster [~fuckpekst@5.153.234.74] has quit [Client Quit]
17:54 < Beta2K> lol
17:55 -!- mode/#openvpn [+b *!*fuck*@*] by pekster
17:56 < Moony22> You can always troll the troll when you're an op, can't you?
17:56 <@pekster> Apparently. Next one goes to staff
17:56 <@pekster> (not you Moony22, but ban evasion. That's against network policy)
17:57 -!- mode/#openvpn [-o pekster] by ChanServ
17:57 < pekster> Or +r might fix it too
17:58 -!- joshh20-Away is now known as joshh20
17:58 < Moony22> It'll delay any ban evasion
17:59 < pekster> What I never got are the ddos against freenode linked servers. Kinda like stealing from the soup kitchen
18:00 < Moony22> Mm well that tomato soup costs some big money
18:00 < Moony22> Heh, I remember when I was banned from #defocus for pretending to be a bot
18:00 < Moony22> It was quite believable
18:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:12 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:29 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
18:34 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
18:36 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
18:38 -!- Latrina [~Latrina@adsl-ull-90-183.50-151.net24.it] has quit [Ping timeout: 255 seconds]
18:43 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has joined #openvpn
18:47 -!- mode/#openvpn [+o Eugene] by ChanServ
18:53 -!- Latrina [~Latrina@ppp-109-8.26-151.libero.it] has joined #openvpn
18:55 -!- joshh20 is now known as joshh20-Away
18:58 -!- Latrina [~Latrina@ppp-109-8.26-151.libero.it] has quit [Ping timeout: 240 seconds]
18:59 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
18:59 -!- corretico [~luis@190.5.215.146] has joined #openvpn
19:05 < Aketzu> that was fun to read
19:05 < Aketzu> .. as if there's nothing better to do at 3am
19:11 < pekster> https://lh3.ggpht.com/-fKf4ysY-c00/Udr0c9lRfzI/AAAAAAAARSw/gtx9JRi-iOE/s1600/why+i+am.jpg
19:11 < pekster> Though you'll probably learn more from wikipedia in this case ;)
19:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
19:23 < Mathias> pekster: that's how i go to bed :P
19:26 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
19:28 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has joined #openvpn
19:31 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:34 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
19:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:34 -!- lj [~l@192.241.174.169] has joined #openvpn
19:34 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:45 -!- Latrina [~Latrina@ppp-91-35.26-151.libero.it] has joined #openvpn
19:50 -!- liriel [~liriel@aphrodite.feralhosting.com] has quit [Quit: bye]
19:50 -!- Latrina [~Latrina@ppp-91-35.26-151.libero.it] has quit [Ping timeout: 255 seconds]
19:53 -!- Latrina [~Latrina@ppp-186-42.26-151.libero.it] has joined #openvpn
19:58 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
20:06 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 255 seconds]
20:11 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
20:11 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:12 -!- mikemol [~mikemol@2001:470:c5b9:beef:9d46:4c66:5b0d:dafb] has joined #openvpn
20:16 -!- Latrina_ [~Latrina@ppp-204-49.26-151.libero.it] has joined #openvpn
20:17 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
20:18 -!- Latrina [~Latrina@ppp-186-42.26-151.libero.it] has quit [Ping timeout: 240 seconds]
20:22 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
20:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
20:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:23 -!- mode/#openvpn [+v s7r] by ChanServ
20:25 -!- Latrina_ [~Latrina@ppp-204-49.26-151.libero.it] has quit [Quit: ZNC - http://znc.in]
20:25 -!- Latrina [~Latrina@ppp-204-49.26-151.libero.it] has joined #openvpn
20:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
20:34 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
20:34 -!- mikemol [~mikemol@2001:470:c5b9:beef:9d46:4c66:5b0d:dafb] has quit [Remote host closed the connection]
20:39 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-xwhnphasatrmzmhh] has quit [Ping timeout: 255 seconds]
20:45 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
20:45 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
20:45 -!- james41382_ [~james@unaffiliated/james41382] has quit [Client Quit]
20:49 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
20:50 -!- corretico [~luis@190.5.215.146] has joined #openvpn
20:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:53 -!- nibbo_ [nibbo@gateway/shell/blinkenshell.org/x-soqeazshzeobyzbc] has joined #openvpn
21:10 -!- nibbo_ [nibbo@gateway/shell/blinkenshell.org/x-soqeazshzeobyzbc] has quit [Read error: Operation timed out]
21:12 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-dbokcrkkuxsjkonr] has joined #openvpn
21:15 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
21:17 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-dbokcrkkuxsjkonr] has quit [Ping timeout: 255 seconds]
21:17 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-skjtrmuqxjgeahdc] has joined #openvpn
21:22 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
21:23 -!- BtbN [btbn@btbn.de] has joined #openvpn
21:24 -!- BtbN [btbn@btbn.de] has quit [Client Quit]
21:25 -!- BtbN [btbn@btbn.de] has joined #openvpn
21:39 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
21:40 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:51 < h6w> Is the "topology" term still used in the config?
21:51 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
21:51 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
21:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:06 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
22:11 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
22:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:24 -!- lj [~l@192.241.174.169] has joined #openvpn
22:29 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-gvzxmyxlpmzxvjvi] has joined #openvpn
22:33 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
22:34 <@krzee> sure
22:34 <@krzee> !topology
22:34 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
22:57 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 240 seconds]
23:07 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
23:29 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:34 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
23:34 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Client Quit]
23:41 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
23:42 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 246 seconds]
23:42 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 240 seconds]
23:43 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:50 -!- lj [~l@99.74.3.130] has joined #openvpn
23:52 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
23:54 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
23:57 -!- lj [~l@99.74.3.130] has quit [Ping timeout: 240 seconds]
23:57 -!- lj [~l@192.241.174.169] has joined #openvpn
23:59 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
--- Day changed Tue Apr 08 2014
00:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:03 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
00:05 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 246 seconds]
00:06 -!- lj [~l@192.241.174.169] has joined #openvpn
00:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:28 -!- Eugene [eugene@itvends.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
00:31 -!- Eugene [eugene@itvends.com] has joined #openvpn
00:38 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
00:42 -!- Avroceptyr [~Avrocepty@unaffiliated/aurorus] has joined #openvpn
00:43 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
00:43 < Avroceptyr> hey hey - I may have missed any links, however what is openvpn's plan around the heartbeat upgrade, given openvpn ships with its own openssl version?
00:44 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
00:47 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
00:47 -!- mode/#openvpn [+o Eugene] by ChanServ
00:47 <@Eugene> I don't believe that it's vulnerable
00:48 -!- funyun [~temp@75.98.234.75] has joined #openvpn
00:48 <@krzee> it kinda is (if your openssl version is)
00:48 < Avroceptyr> Eugene: how can I confirm that, as I have an openvpn server with an open port that I can force into dumping
00:49 <@krzee> but the client has to be auth'ed already
00:49 <@Eugene> I'd call that one not-vuln ;-)
00:49 < Avroceptyr> the local openssl version (Ubuntu) is updated and is fine, however the openvpn server (using a custom version of ubuntu) is not
00:49 <@Eugene> But yeah, still expect to see a rebuild soonish.
00:49 <@krzee>  seems openvpn in vulnerable too, but:
00:49 <@krzee> 1. the attack seems not possible during handshakes, so only authenticated clients can mount an attack (unless your config allows connecting w/o client certs, ofc)
00:49 <@krzee> 2. TLS auth provides (yet again) an extra layer of security
00:50 <@Eugene> That ^
00:50 <@Eugene> It's bidirectional SSL, unlike a traditional webserver implementation, where only the server cert matters
00:50 <@krzee> well it would still matter, imagine you're attacking someone who uses a vpn that sells access
00:50 < Avroceptyr> krzee: thanks, I'm getting the same
00:50 <@krzee> but also, this only effects some versions on openssl
00:51 <@krzee> only some of 1.1 branch even
00:51 <@Eugene> 1.0.1
00:51 <@Eugene> I've already updated & rebooted my boxes(new kernels, woo). I'll get around to reissuing keys+certs in the morning.
00:51 < Avroceptyr> 1.0.1e is the only safe version, previous is not safe
00:51 <@Eugene> Uh, no.
00:51 <@Eugene> 1.0.1e is THE vulnerable one
00:51 <@krzee> oh right
00:51 <@Eugene> g is what you're thinking of
00:51 < Avroceptyr> of openssl
00:52 < Avroceptyr> right! less than e
00:52 <@krzee> affects OpenSSL 1.0.1 through 1.0.1f.
00:52 < Avroceptyr> thanks
00:52 <@Eugene> I guess I should nuke SSH hostkeys for good measure, too
00:52 <@Eugene> Sigh, this is such an undertaking.
00:53 <@krzee> !learn heartbeat as only affects OpenSSL 1.0.1 through 1.0.1f.  Does not affect polarssl
00:53 <@vpnHelper> Joo got it.
00:53 <@Eugene> !learn heartbeat as tub-thump. tub-thump. tub-thump.
00:53 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
00:53 <@Eugene> :-(
00:53 <@Eugene> (also, it's Heartbleed)
00:53 <@krzee> oops
00:53 <@Eugene> (or so the twitter #hashtag goes)
00:54 <@krzee> !forget heartbeat
00:54 <@vpnHelper> Joo got it.
00:54 <@krzee> !learn heartbleed as only affects OpenSSL 1.0.1 through 1.0.1f.  Does not affect polarssl
00:54 <@vpnHelper> Joo got it.
00:54 <@krzee> you're right :D
00:54 <@Eugene> Technically it is the heartbeat tls extension, yes, but that's not the vuln name :-p
00:55 <@krzee> i was reading about it and wasnt thinking while typing and smoking this blunt
00:56 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
00:57 <@Eugene> I'm getting the girlfriend(and I) a vaporizer for her birthday, coming up soon :-D
00:58 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 255 seconds]
00:58 -!- ade_b [~Ade@80-72-52-23.cmts.powersurf.li] has joined #openvpn
00:58 -!- ade_b [~Ade@80-72-52-23.cmts.powersurf.li] has quit [Changing host]
00:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:58 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
01:00 -!- funyun [~temp@75.98.234.75] has quit [Ping timeout: 255 seconds]
01:06 <@Eugene> Oh heh, no SSH key regen needed.
01:06 <@Eugene> It's only the openssl-hosting process that leaks
01:07 <@krzee> right
01:07 <@krzee> heartbeat has nothing to do with generation
01:07 <@krzee> i thought you were joking
01:07 <@Eugene> No, I thought it leaked ALL ram.
01:08 <@krzee> you sure it doesnt?
01:08 <@Eugene> Not really :-p
01:08 <@krzee> all i know is i expect more
01:08 <@krzee> and im glad people are looking for them
01:09 <@Eugene> Oh, totally. Security is a massive arms race.
01:09 <@Eugene> And ye with the best weapons, wins.
01:09 <@krzee> and personally i think polarssl is cleaner
01:10 <@Eugene> Probably. I make the assumption that the people who write widely-deployed crypto libs are smarter than I, and just go with it.
01:11 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
01:12 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
01:13  * Eugene bed
01:15  * reiffert work
01:24 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-gvzxmyxlpmzxvjvi] has quit [Quit: Connection closed for inactivity]
01:28 -!- Proshot [~FSM@535623C8.cm-6-7a.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
01:41 -!- Karl_Bauman [~SoWhat@81.198.10.40] has joined #openvpn
01:41 < Karl_Bauman> did you know that? http://heartbleed.com/
01:41 <@vpnHelper> Title: Heartbleed Bug (at heartbleed.com)
01:42 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
01:51 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
01:55 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
01:59 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-usvgrpbhylqtaroa] has joined #openvpn
02:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:20 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
02:23 -!- corretico [~luis@190.5.215.146] has quit [Ping timeout: 240 seconds]
02:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:30 <@krzee> Karl_Bauman,
02:30 <@krzee> !heartbleed
02:30 <@vpnHelper> "heartbleed" is only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl
02:38 -!- funyun_ [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
02:38 -!- funyun [~temp@75.98.233.131] has joined #openvpn
02:51 < Karl_Bauman> okay, tnx :)
02:59 -!- sontek [~sontek@opensuse/member/Sontek] has joined #openvpn
03:01 < sontek> With the heartbleed issue, if the openvpn client is using a vulnerable openssl, but the server is patched, that is ok right?
03:01 < sontek> Or do the user's have to upgrade as well?
03:03 < Mathias> afaik, it affects clients as well as servers
03:06 < Hes> It would appear that the server can attack the client. So, if you (as a client) are running against an untrusted server, the client should be patched.
03:08 < sontek> But the server would have to be compromised for that to be an issue, if we run our own VPN server and have patched openssl, it should be fine?
03:09 < Avroceptyr> sontek: not quite, as openvpn has its own openssl library
03:09 < Avroceptyr> I found that issue the hard way :)
03:11 < sontek> Oh, so openvpn isn't vulnerable by default if it is running heartbeat, since it has it's own implementation?
03:13 < Hes> Avroceptyr: Nope, that varies. openvpn can be compiled with either openssl or polarssl.
03:13 < Avroceptyr> ^ openvpn + openssl 1.0 within the ranges
03:13 < Avroceptyr> !heartbleed
03:13 <@vpnHelper> "heartbleed" is only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl
03:13 < Avroceptyr> within those versions ^
03:13 < Hes> For example, if you run default openvpn packages from Debian or Ubuntu, they use openssl, and appear to be vulnerable.
03:14 < Hes> If you have a polarssl build, not affected.
03:14 < B1nny> time to recompile openvpn then
03:15 < sontek> Ok, I'll check our build as well.  Once I know my openvpn server is fixed, do each of the clients still need to upgrade their openssl client?
03:15 < sontek> or is securing the server the important part?
03:15 < B1nny> sontek: <Hes> It would appear that the server can attack the client. So, if you (as a client) are running against an untrusted server, the client should be patched.
03:16 < B1nny> if something needs to be 100% secure, update it
03:16 < sontek> B1nny: Yeah, but if it is not an untrusted server, a server I make sure is upgraded properly, then it should be ok
03:17 < B1nny> sontek: yes it should be ok then
03:17 < sontek> Thanks!
03:17 < B1nny> just make sure you don't forget to update the clients at some point
03:18 < sontek> So if it was an untrusted server and the client updated, it would also be safe against the bad server?
03:19 < Avroceptyr> sontek: what if your client connects to a malicious server that it thinks is trusted, but gets attacked by it?
03:19 < Avroceptyr> typical MITM stuff
03:19 < B1nny> sontek: yes it would be safe, at least to the heartbeat exploit
03:19 < B1nny> connecting to a malicious server is pretty stupid though
03:20 < sontek> ahh, so for example if they were at a coffee shop and someoned pointed the DNS of sonteksvpnserver.com to a different server, the client could be attacked
03:21 < B1nny> yes, but that's where certificates come in
03:21 < Hes> To protect against that you should be using certificate authentication to authenticate the server, so that you're sure you've got the right server.
03:22 < sontek> Yeah, I have cert's setup as well, so I don't think updating the client is as important
03:25 < B1nny> sontek: Does TLS client certificate authentication mitigate this?
03:25 < B1nny> No, heartbeat request can be sent and is replied to during the handshake phase of the protocol. This occurs prior to client certificate authentication.
03:25 < B1nny> - http://heartbleed.com/
03:25 <@vpnHelper> Title: Heartbleed Bug (at heartbleed.com)
03:26 < B1nny> I think that means that with a MITM attack a malicious server could use this exploit on a client
03:26 < sontek> That does sound like it
03:26 < sontek> ok, client's get an upgrade as well!
03:26 < B1nny> and since it's prior to the certificate authentication
03:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
03:56 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has joined #openvpn
03:56 < MaxFrames> hello
03:57 < Moony22> Hi
03:57 < Moony22> I'm secretly French
03:57 < MaxFrames> heartbleed: need advice. I am using openvpn in two scenarios: my home router (need to check which version of openssl it has) and a corporate debian server with openvpn
03:58 < MaxFrames> on a few clients, I have the openvpn windows client which also of course ships with openssl, and I can't identify which version it is (no info on the exe file properties)
03:59 -!- Karl_Bauman [~SoWhat@81.198.10.40] has quit [Ping timeout: 255 seconds]
03:59 < MaxFrames> I hope the debian repos will be updated soon with a patch, but what about the certificates I've already issued? will I need to void them all and reissue new ones?
04:02 -!- gu [~gu@194.231.39.10] has joined #openvpn
04:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:07 -!- Karl_Bauman [~SoWhat@81.198.10.40] has joined #openvpn
04:07 -!- kisom_ [~kisom@kisom.thr.kth.se] has quit [Remote host closed the connection]
04:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:10 -!- corretico_ [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
04:10 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
04:18 < MacGyver> I'm on Debian testing, does openvpn dynamically link to openssl, i.e. if I fix openssl will I also fix, by extension, openvpn, or does openvpn need special attention because it e.g. statically links in openssl? It's not really clear to me from the above.
04:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Read error: Connection reset by peer]
04:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
04:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
04:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:21 -!- mode/#openvpn [+v s7r] by ChanServ
04:26 < Avroceptyr> MacGyver: no, it has a static .so file in the package
04:29 -!- Eagleman [~Eagleman@145.1.195.125] has joined #openvpn
04:31 < Eagleman> I've configured openvpn on pfsense, however after running speedtest 2 times or after a few minutes the connections stops working, forcing me to reconnect.
04:34 -!- Eagleman [~Eagleman@145.1.195.125] has quit [Client Quit]
04:34 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:38 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
04:38 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
04:39 -!- Netsplit *.net <-> *.split quits: MacGyver, tessier, digitalp1nk, riddle, funyun, kloeri_, ron_, simcop2387, SquirrelCZECH_, indy,  (+8 more, use /NETSPLIT to show all of them)
04:39 -!- Netsplit *.net <-> *.split quits: haasn, nomefalso, tharkun, Su7, yoavz, GrecKo, mgorbach, soapee01, Jeroen52, lbft
04:39 -!- Jeroen52 [~quassel@sona-gaming.com] has joined #openvpn
04:39 -!- Netsplit over, joins: Su7, plaisthos
04:39 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:39 -!- Netsplit over, joins: MacGyver, nomefalso
04:39 -!- tessier [~treed@wsip-98-175-106-200.sd.sd.cox.net] has joined #openvpn
04:39 -!- tessier [~treed@wsip-98-175-106-200.sd.sd.cox.net] has quit [Changing host]
04:39 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
04:39 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
04:39 -!- digitalpunk [~scout@mail.zemaitijos-spauda.lt] has joined #openvpn
04:39 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
04:39 -!- Netsplit over, joins: yoavz
04:39 -!- Netsplit *.net <-> *.split quits: Lolths, mcp, +s7r, JackWinter, davidmp, +reiffert, bashusr, t0r, DrCode, Aliekezhi,  (+5 more, use /NETSPLIT to show all of them)
04:40 -!- Netsplit *.net <-> *.split quits: tapout, levifig, _bt, GabrieleV, d10n, pcdummy, jtrucks, codehero, ngharo, lazzer,  (+4 more, use /NETSPLIT to show all of them)
04:40 -!- Netsplit over, joins: mgorbach
04:40 -!- Netsplit over, joins: soapee01, mcp
04:40 -!- ngharo [~ngharo@95.211.6.133] has joined #openvpn
04:40 -!- Netsplit over, joins: riddle, lazzer, Lolths
04:40 -!- Latrina [~Latrina@151.26.49.204] has joined #openvpn
04:40 -!- d10n_ [~d10n@bitinvert.xen.prgmr.com] has joined #openvpn
04:40 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has joined #openvpn
04:40 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has quit [Changing host]
04:40 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
04:40 -!- Netsplit over, joins: Cpt-Oblivious
04:40 -!- codile [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
04:40 -!- gu [~gu@194.231.39.10] has joined #openvpn
04:40 -!- Netsplit over, joins: NChief, exa, dos-freak
04:40 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
04:40 -!- _bt_ [~bt@mongs.yotm.com] has joined #openvpn
04:40 -!- Netsplit over, joins: JackWinter
04:40 -!- levifig [sid1908@gateway/web/irccloud.com/session] has joined #openvpn
04:40 -!- Netsplit over, joins: batrick, GrecKo
04:40 -!- Netsplit over, joins: WinstonSmith, Aliekezhi, lbft
04:41 -!- Netsplit *.net <-> *.split quits: @syzzer, APTX, Mike--, Brando753, ben1066, toobluesc, Matir_, Su7, Beta2K, @plaisthos,  (+11 more, use /NETSPLIT to show all of them)
04:41 -!- nipnop [nipnop@wbml.net] has joined #openvpn
04:41 -!- alexxtasi [~alex@150.140.12.90] has joined #openvpn
04:41 -!- codile is now known as codehero
04:41 -!- Netsplit over, joins: Aketzu
04:41 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:41 -!- Netsplit over, joins: funyun, Jeroen52, Su7, plaisthos
04:41 -!- Netsplit *.net <-> *.split quits: soapee01
04:42 -!- Netsplit over, joins: simcop2387
04:42 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Quit: Read Error 1664 (Connection reset by beer)]
04:42 -!- Netsplit *.net <-> *.split quits: funyun
04:42 -!- Netsplit over, joins: tapout, toobluesc
04:42 -!- Netsplit *.net <-> *.split quits: kevinsky, nutron, emid_, Rienzilha, Six6siX_, Devastator, matsh, EmLeX, megaTherion, f0cker,  (+16 more, use /NETSPLIT to show all of them)
04:42 -!- Netsplit over, joins: Mike--, esde, APTX, mete, ChrisH
04:42 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:5517:e49d:dfbb:d40] has joined #openvpn
04:42 -!- Netsplit over, joins: clu5ter, Devastator, jtrucks, GabrieleV
04:43 -!- Netsplit over, joins: GrecKo, ben1066, maskedlua, Fruckiwacki, miruoy, haasn
04:43 -!- alexxtasi [~alex@150.140.12.90] has quit [Changing host]
04:43 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
04:43 -!- gu2 [~gu@194.231.39.10] has quit [Ping timeout: 240 seconds]
04:43 -!- Six6siX [~Devil@192.241.154.150] has joined #openvpn
04:43 -!- Netsplit over, joins: Linmu, MyMind
04:44 -!- corretico_ [~luis@190.5.215.146] has quit [Ping timeout: 252 seconds]
04:44 -!- Netsplit over, joins: jzaw
04:44 -!- Netsplit over, joins: davidmp
04:44 -!- Netsplit over, joins: Haseo, megaTherion
04:44 -!- Netsplit over, joins: nutron, defswork, jeev
04:44 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
04:45 -!- Netsplit over, joins: soapee01
04:45 -!- indy [~indy@84.242.65.172] has joined #openvpn
04:46 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
04:46 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
04:46 -!- Netsplit over, joins: Beta2K, Brando753
04:46 -!- Netsplit over, joins: bashusr
04:47 -!- Netsplit over, joins: EmLeX
04:47 -!- Netsplit over, joins: troj, matsh, svg
04:47 -!- syzzer [~syzzer@2001:610:697::12] has joined #openvpn
04:47 -!- syzzer [~syzzer@2001:610:697::12] has quit [Changing host]
04:47 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:47 -!- Netsplit over, joins: kevinsky, tuvok
04:47 -!- mode/#openvpn [+o syzzer] by ChanServ
04:47 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
04:48 < Eagleman> I've configured openvpn on pfsense, however after running speedtest 2 times or after a few minutes the connections stops working, forcing me to reconnect.
04:48 -!- Netsplit over, joins: Eugene
04:48 -!- Netsplit over, joins: mitz
04:48 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has joined #openvpn
04:48 -!- thumbs [1000@modemcable026.116-81-70.mc.videotron.ca] has quit [Changing host]
04:48 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
04:49 -!- tharkun [~0@187.188.94.182] has joined #openvpn
04:49 -!- Netsplit over, joins: ron_
04:49 -!- Netsplit over, joins: reiffert
04:50 -!- Netsplit over, joins: rooth
04:50 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has left #openvpn ["Reality is that which, when you stop believing in it, doesn't go away"]
04:50 -!- Netsplit over, joins: phreakocious
04:50 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
04:50 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
04:50 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
04:51 -!- Netsplit over, joins: n13l
04:51 -!- emid [~emid@192.241.162.156] has joined #openvpn
04:51 -!- DrCode [~DrCode@127.0.0.1] has joined #openvpn
04:51 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
04:52 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
04:56 -!- levifig [sid1908@gateway/web/irccloud.com/session] has quit [Changing host]
04:56 -!- levifig [sid1908@gateway/web/irccloud.com/x-rzaszyluqasfyeis] has joined #openvpn
04:59 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Operation timed out]
04:59 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
04:59 -!- funyun [~temp@75.98.233.131] has joined #openvpn
05:00 -!- pa__ [~pa@host118-64-dynamic.250-95-r.retail.telecomitalia.it] has joined #openvpn
05:01 -!- jmr` [~zero@badnode.org] has joined #openvpn
05:03 -!- Netsplit over, joins: Jeroen52, Su7
05:03 -!- Netsplit *.net <-> *.split quits: gardar, treshoem2, Fusl, @krzee, Guest7366, xMopxShell, Samopotamus, troyt, jacekowski, someone,  (+26 more, use /NETSPLIT to show all of them)
05:03 -!- lordnikkon [~marme@li388-49.members.linode.com] has joined #openvpn
05:03 -!- Netsplit over, joins: roma
05:03 -!- Avroceptyr [~Avrocepty@lps17.davidcalculli.com] has joined #openvpn
05:03 -!- Netsplit over, joins: xMopxShell
05:03 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
05:03 -!- fejjerai [~quassel@corkblock.jefferai.org] has quit [Changing host]
05:03 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
05:03 -!- Avroceptyr [~Avrocepty@lps17.davidcalculli.com] has quit [Changing host]
05:03 -!- Avroceptyr [~Avrocepty@unaffiliated/aurorus] has joined #openvpn
05:03 -!- Netsplit over, joins: phuzion
05:03 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-fdpdccfdyroocbya] has joined #openvpn
05:03 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
05:04 -!- Netsplit over, joins: toobluesc
05:04 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
05:04 -!- Netsplit over, joins: jacekowski, dazo_afk, gardar
05:04 -!- mode/#openvpn [+o dazo_afk] by ChanServ
05:04 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
05:04 -!- Netsplit over, joins: Dan39
05:04 -!- lordnikkon is now known as Guest27951
05:04 -!- Netsplit over, joins: jgeboski
05:04 -!- dazo_afk is now known as dazo
05:04 -!- Netsplit over, joins: elricsfate_wrk, Beta2K, Fiouz, treshoem2
05:04 -!- Netsplit over, joins: GrecKo, APTX, ben1066, MacGyver
05:04 -!- levifig [sid1908@gateway/web/irccloud.com/x-mfvgfcwwbadkrbhh] has joined #openvpn
05:05 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
05:06 -!- Eagleman [~Eagleman@145.1.195.125] has joined #openvpn
05:07 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
05:08 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
05:08 -!- snappy [nipnop@wbml.net] has joined #openvpn
05:08 -!- snappy [nipnop@wbml.net] has quit [Changing host]
05:08 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
05:08 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
05:09 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
05:12 -!- snappy [nipnop@unaffiliated/snappy] has quit [Read error: Connection reset by peer]
05:13 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:13 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-fdpdccfdyroocbya] has quit [Read error: Connection reset by peer]
05:14 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 264 seconds]
05:14 -!- Jeroen52 [~quassel@sona-gaming.com] has quit [Remote host closed the connection]
05:14 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Quit: No Ping reply in 180 seconds.]
05:14 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Remote host closed the connection]
05:14 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-lvmrzblcflwbrnuw] has joined #openvpn
05:14 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 264 seconds]
05:14 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
05:14 -!- Jeroen52 [~quassel@sona-gaming.com] has joined #openvpn
05:14 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
05:15 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 264 seconds]
05:15 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 264 seconds]
05:16 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
05:16 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
05:17 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
05:17 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
05:18 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
05:18 -!- mode/#openvpn [+o krzee] by ChanServ
05:18 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
05:19 -!- mikemol [~mikemol@2001:470:c5b9:beef:f8e8:436e:a0d9:fca0] has joined #openvpn
05:19 -!- snappy [nipnop@wbml.net] has joined #openvpn
05:19 -!- snappy [nipnop@wbml.net] has quit [Changing host]
05:19 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
05:19 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
05:20 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
05:20 -!- Proshot [~FSM@217.68.49.75] has joined #openvpn
05:27 -!- Netsplit *.net <-> *.split quits: viperZ28_, gu, Roa, VunKruz, andi, master_of_master, james41382, maskedlua, jzaw, pppingme,  (+32 more, use /NETSPLIT to show all of them)
05:27 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has joined #openvpn
05:27 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has quit [Changing host]
05:27 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
05:27 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
05:27 -!- Netsplit over, joins: plaisthos
05:27 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:27 -!- Netsplit over, joins: maskedlua, Denial, Roa
05:27 -!- kirin` [telex@gateway/shell/anapnea.net/x-hnqckvqateziygwd] has joined #openvpn
05:27 -!- Netsplit over, joins: mgorbach
05:27 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
05:27 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
05:27 -!- Netsplit over, joins: Aketzu, sono, james41382, dren__
05:27 -!- andi [~andi@shell.sixhop.net] has joined #openvpn
05:27 -!- raidz [~raidz@raidz.im] has joined #openvpn
05:27 -!- Netsplit over, joins: Bretos
05:27 -!- andi [~andi@shell.sixhop.net] has quit [Changing host]
05:27 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
05:27 -!- supergauntlet [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has joined #openvpn
05:27 -!- Netsplit over, joins: rightshift, funnel, justinzane
05:27 -!- master_of_master [~master_of@79.242.70.47] has joined #openvpn
05:27 -!- Netsplit over, joins: phreakocious, cyberspace-, nomefalso
05:27 -!- mrrg [~notabot@209.20.75.42] has joined #openvpn
05:27 -!- Netsplit over, joins: VunKruz, gu
05:27 -!- Netsplit over, joins: paradox``
05:27 -!- tessier [~treed@98.175.106.200] has joined #openvpn
05:27 -!- tessier [~treed@98.175.106.200] has quit [Changing host]
05:27 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
05:27 -!- Netsplit over, joins: riddle
05:27 -!- supergauntlet [~supergaun@v-216-52-148-234.unman-vds.internap-chicago.nfoservers.com] has quit [Changing host]
05:27 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
05:27 -!- raidz [~raidz@raidz.im] has quit [Changing host]
05:27 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
05:28 -!- mode/#openvpn [+o raidz] by ChanServ
05:28 -!- Netsplit over, joins: pppingme
05:28 -!- Netsplit over, joins: MyMind
05:28 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-ypsxbzirqutirovv] has joined #openvpn
05:28 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
05:28 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-htzfiowltssxdwbj] has joined #openvpn
05:29 -!- Netsplit over, joins: jzaw
05:29 -!- Netsplit over, joins: haasn
05:29 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Excess Flood]
05:30 -!- Netsplit over, joins: SquirrelCZECH
05:30 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 248 seconds]
05:30 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
05:31 -!- ketas [~ketas@2001:ad0:91f:0:290:27ff:fea6:a66a] has joined #openvpn
05:31 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
05:31 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
05:32 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
05:33 -!- digitalpunk [~scout@mail.zemaitijos-spauda.lt] has joined #openvpn
05:33 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
05:36 -!- ketas [~ketas@2001:ad0:91f:0:290:27ff:fea6:a66a] has quit [Remote host closed the connection]
05:37 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
05:39 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
05:40 -!- Netsplit *.net <-> *.split quits: Devastator, P4k3, soapee01, maskedlua, JSharpe_, ChrisH, guntha`, paradox``, fejjerai, Rienzilla,  (+1 more, use /NETSPLIT to show all of them)
05:40 -!- Netsplit over, joins: Devastator, ChrisH, Rienzilla, fejjerai, P4k3
05:40 -!- Netsplit over, joins: guntha`, maskedlua, JSharpe_, soapee01, Cpt-Oblivious
05:40 -!- paradox`` [~paradox@86.10.62.238] has joined #openvpn
05:40 < nrgskill> yesterday I set up my openvpn server with iroute to ping the client
05:41 < nrgskill> now the cleint can ping the server and the computer in the cleint's network can also ping the server
05:41 < nrgskill> but a computer in the server network can't ping the client
05:41 -!- dschoepe [~dschoepe@unaffiliated/dschoepe] has joined #openvpn
05:42 < nrgskill> pratically, the client is acting as a vpn gateway but the server is not
05:43 < dschoepe> Does it make sense at all to use 4096 bit keys with OpenVPN, since the usual recommended key size for RSA is 2048 and it never hurts to use a bit more than the recommendation? And if so, can that be used with smaller DH params (since generating them for that key size takes an insanely long time)?
05:43 < nrgskill> can you help me on this?
05:45 -!- pa__ [~pa@host118-64-dynamic.250-95-r.retail.telecomitalia.it] has quit [Changing host]
05:45 -!- pa__ [~pa@unaffiliated/pa] has joined #openvpn
05:46 -!- pa__ is now known as pa
05:46 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:50 -!- tomgco [c29f0426@gateway/web/cgi-irc/kiwiirc.com/ip.194.159.4.38] has joined #openvpn
05:55 < Bretos> hey, does that heartbeat openssl bug affect openvpn?
05:56 < nrgskill> echo 1 > /proc/sys/net/ipv4/ip_forward
05:56 < nrgskill> that solved my prob
05:56 < nrgskill> thanks
05:56 < Eagleman> Bretos depends on which openssl library you are using with openvpn
05:56 -!- nbjoerg [~joerg@netbsd/developer/joerg] has joined #openvpn
05:57 < nbjoerg> does heartbleed affect openvpn or not?
05:57 < Eagleman> Bretos depends on which openssl library you are using with openvpn
05:58 < Eagleman> nbjoerg depends on which openssl library you are using with openvpn
05:58 < nbjoerg> one of the vulnerable ones, otherwise I wouldn't ask the question
05:58 < nbjoerg> but the tls use in openvpn is somewhat special, so it makes sense to ask :)
05:58 < Eagleman> nbjoerg then i would think so, i've heard people talking about it in #pfsense
05:59 < Beta2K> ssl bug?
06:00 < Eagleman> CVE-2014-0160
06:07 -!- thm [610884ac1b@fedora/thm] has joined #openvpn
06:08 -!- tomgco [c29f0426@gateway/web/cgi-irc/kiwiirc.com/ip.194.159.4.38] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
06:10 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
06:13 < thm> this might be a faq today: is openvpn directly affected by the heartbleed bug?
06:13 < nbjoerg> :)
06:16 < reiffert> do you want an official answer to that?
06:17 < thm> is there one?
06:18 < reiffert> 0.9.8 is not affected
06:19 < Beta2K> There is a backport from redhat to 1.0.1e in the repos already
06:19 < Beta2K> haven't checked my debian machines yet
06:19 -!- havoc [~havoc@neptune.chaillet.net] has quit [Quit: leaving]
06:20 < thm> the question is, can the ssl bug be exploited via the openvpn protocol, and are thus all openvpn keys to be regenerated.
06:20 < thm> *revoked.
06:29 < ChrisH> Debian and Ubuntu have released updates
06:30 < Bretos>     some time ago
06:33 < Bretos> but it seems that testing update is broken
06:34 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
06:34 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
06:43 -!- indy [~indy@84.242.65.172] has quit [Read error: Operation timed out]
06:46 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
06:47 -!- _bt_ is now known as _bt
06:47 -!- _bt [~bt@mongs.yotm.com] has quit [Changing host]
06:47 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
06:50 -!- lj [~l@192.241.174.169] has joined #openvpn
07:02 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
07:04 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
07:08 -!- cpm [~Chip@216.169.175.102] has joined #openvpn
07:08 -!- cpm [~Chip@216.169.175.102] has quit [Changing host]
07:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:16 -!- snappy [nipnop@unaffiliated/snappy] has quit [Read error: Connection reset by peer]
07:16 -!- snappy [nipnop@wbml.net] has joined #openvpn
07:16 -!- snappy [nipnop@wbml.net] has quit [Changing host]
07:16 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
07:16 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 252 seconds]
07:16 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 252 seconds]
07:16 -!- levifig [sid1908@gateway/web/irccloud.com/x-mfvgfcwwbadkrbhh] has quit [Ping timeout: 252 seconds]
07:16 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 252 seconds]
07:16 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-ypsxbzirqutirovv] has quit [Read error: Connection reset by peer]
07:16 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
07:17 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 252 seconds]
07:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 252 seconds]
07:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-lvmrzblcflwbrnuw] has quit [Read error: Connection reset by peer]
07:17 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Quit: No Ping reply in 180 seconds.]
07:17 -!- Jeroen52 [~quassel@sona-gaming.com] has quit [Remote host closed the connection]
07:17 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Remote host closed the connection]
07:17 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-hhdfbgembfrpbccx] has joined #openvpn
07:17 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
07:17 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
07:17 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Quit: No Ping reply in 180 seconds.]
07:17 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 252 seconds]
07:17 -!- Eugene [eugene@itvends.com] has quit [Ping timeout: 252 seconds]
07:17 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 252 seconds]
07:17 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
07:17 -!- Jeroen52 [~quassel@sona-gaming.com] has joined #openvpn
07:17 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
07:17 -!- levifig [sid1908@gateway/web/irccloud.com/x-qjspvtsxvucskmkb] has joined #openvpn
07:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-sxlqyouzxpifyvml] has joined #openvpn
07:18 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 252 seconds]
07:18 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
07:18 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
07:18 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:18 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
07:18 -!- mikemol [~mikemol@2001:470:c5b9:beef:f8e8:436e:a0d9:fca0] has quit [Ping timeout: 252 seconds]
07:18 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 252 seconds]
07:18 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Ping timeout: 252 seconds]
07:18 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Ping timeout: 252 seconds]
07:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
07:19 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Ping timeout: 252 seconds]
07:19 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 252 seconds]
07:19 -!- elricsfate_wrk [~elricsfat@2602:3f:916c:a402:5517:e49d:dfbb:d40] has quit [Ping timeout: 252 seconds]
07:19 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
07:20 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 252 seconds]
07:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
07:20 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
07:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
07:21 -!- mikemol [~mikemol@2001:470:c5b9:beef:f8e8:436e:a0d9:fca0] has joined #openvpn
07:21 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
07:21 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
07:21 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
07:21 -!- mode/#openvpn [+o krzee] by ChanServ
07:21 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
07:21 -!- plaisthos [~arne@kamera.blinkt.de] has joined #openvpn
07:21 -!- plaisthos [~arne@kamera.blinkt.de] has quit [Changing host]
07:21 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:21 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:21 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
07:21 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
07:21 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
07:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:21 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:21 -!- mode/#openvpn [+o syzzer] by ChanServ
07:21 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
07:22 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
07:22 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
07:22 -!- mode/#openvpn [+o dazo_afk] by ChanServ
07:22 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
07:22 -!- dazo_afk is now known as dazo
07:22 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Quit: Bye]
07:22 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
07:22 -!- Eugene [eugene@itvends.com] has joined #openvpn
07:23 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:23 -!- nbjoerg [~joerg@netbsd/developer/joerg] has left #openvpn []
07:24 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
07:24 < kwork> is openvpn affected by the latest openssl bug ?
07:25 < reiffert> no
07:29 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:33 -!- raignarok [~raignarok@p20030066EE238C0002224DFFFEA7B6DC.dip0.t-ipconnect.de] has joined #openvpn
07:33 < kwork> reiffert: okey, ty
07:33 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
07:33 < seba> why is openvpn not affected? i thought it uses TLS?
07:34 < kwork> i guess it doesnot have heartbleed
07:35 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
07:36 -!- havoc [~havoc@neptune.chaillet.net] has quit [Client Quit]
07:37 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
07:38 < seba> from the backlog it seems that it depends on the ssl library used. so if its the affected library they are vulnerable as well, if an older/newer version of openssl or polarssl is used then everything is fine
07:38 < seba> so if i read this correct the wheezy openvpn version is (or better was) vulnerable
07:39 < gu> centos6 openvpn seems to be vulnerable too: http://www.centosblog.com/critical-openssl-vulnerability-heartbleed-openssl-1-0-1-1-0-1f-patch-bug-centos-system/
07:39 <@vpnHelper> Title: CRITICAL OpenSSL Vulnerability "Heartbleed" in OpenSSL 1.0.1 to 1.0.1f - How to patch this bug on your CentOS system - CentOS Blog (at www.centosblog.com)
07:39 < Beta2K> Depends on how ovpn uses TLS
07:39 < Beta2K> gu, there's a update in the repo
07:46 -!- s0meone is now known as someone
07:46 -!- ShadniX [dagger@p5DDFC546.dip0.t-ipconnect.de] has joined #openvpn
07:50 < dschoepe> My guess is also that if you're using tls-auth, you're not vulnerable
07:52 -!- amsterdam [~Adium@vlan251.lenin01.cgn.dg-i.net] has joined #openvpn
07:53 < amsterdam> !welcom
07:54 < amsterdam> !welcome
07:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:54 < amsterdam> !wiki
07:54 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
07:55 < amsterdam> !/30
07:55 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
07:55 < amsterdam> hi
07:57 < amsterdam> is there information about heartbleed and openvpn available? (http://heartbleed.com/ https://security-tracker.debian.org/tracker/CVE-2014-0160)
07:57 <@vpnHelper> Title: Heartbleed Bug (at heartbleed.com)
08:06 < amsterdam> i had an openvpn server with vunerable openssl version. how bad is it? or how i can find out about it? (e.g. about tls and openvpn)
08:07 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
08:07 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
08:07 -!- Eagleman [~Eagleman@145.1.195.125] has quit [Read error: Connection reset by peer]
08:07 -!- gu2 [~gu@194.231.39.10] has quit [Client Quit]
08:08 -!- gu [~gu@194.231.39.10] has joined #openvpn
08:09 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 255 seconds]
08:12 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
08:12 -!- ribasushi [~riba@113.212.96.195] has joined #openvpn
08:13 < ribasushi> greetings
08:14 -!- JustEra_ [~JustEra@89.234.148.12] has joined #openvpn
08:14 < JustEra_> Hello
08:14 < ribasushi> wrt the heartbeat clusterfuck: if one has an *unaffected* openvpn *server* but has a number of affected *clients* (not listening anywhere) - is a PKI rotation necessary, or there's no possibility of heartbeat-related compromise?
08:15 -!- lj1 [~l@192.241.174.169] has joined #openvpn
08:16 -!- nrgskill [~nrgskill@2.50.187.243] has quit [Quit: Leaving]
08:16 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 240 seconds]
08:17 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
08:21 -!- amsterdam [~Adium@vlan251.lenin01.cgn.dg-i.net] has quit [Quit: Leaving.]
08:22 < dschoepe> ribasushi: given that the bug affected the client side as well for things like client-side certificates (for https or so), I would assume a mitm-attack with someone impersonating the server could have compromised the clients' keys as well
08:22 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
08:23 < JustEra_> can someone help me, I want to know if the openvpn is a good solution for that design : http://pastebin.com/M3m8cXVC I have to route all traffic to the client in the server
08:23 < dschoepe> (but that is wild speculation, so feel free to disregard that)
08:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
08:32 -!- amsterdam [~Adium@vlan251.lenin01.cgn.dg-i.net] has joined #openvpn
08:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:32 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:37 -!- xBytez_ [xBytez@libxbytez.so] has joined #openvpn
08:38 -!- Devastator [~devas@186.214.15.46] has quit [Changing host]
08:38 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
08:39 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:39 -!- mode/#openvpn [+o mattock] by ChanServ
08:41 -!- mikemol [~mikemol@2001:470:c5b9:beef:f8e8:436e:a0d9:fca0] has quit [Remote host closed the connection]
08:47 -!- xBytez_ [xBytez@libxbytez.so] has quit [Read error: Connection reset by peer]
08:47 -!- xBytez__ [xBytez@libxbytez.so] has joined #openvpn
09:09 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
09:10 -!- angs [ubuntu@85.235.3.236] has joined #openvpn
09:13 -!- fejjerai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
09:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:15 -!- d10n_ is now known as d10n
09:15 -!- d10n [~d10n@bitinvert.xen.prgmr.com] has quit [Changing host]
09:15 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
09:16 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
09:17 -!- kld [~acer@85.235.3.224] has joined #openvpn
09:19 < kld> hi, can someone give a website about how to connect 2 computers via openvpn using unbuntu ?
09:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:20 <@ecrist> openvpn.net
09:22 < kld> thanks
09:22 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
09:24 -!- JustEra_ [~JustEra@89.234.148.12] has quit [Ping timeout: 246 seconds]
09:26 < kld> is it enough with the configuration file to build the connection ?
09:27 < kld> i mean the config. files in openvpn.net
09:34 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
09:35 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
09:38 -!- JustEra [~JustEra@89.234.148.12] has quit [Read error: Connection reset by peer]
09:39 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
09:41 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
--- Log closed Tue Apr 08 09:45:04 2014
--- Log opened Tue Apr 08 09:45:35 2014
09:45 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
09:45 -!- Irssi: #openvpn: Total of 218 nicks [8 ops, 0 halfops, 2 voices, 208 normal]
09:45 -!- mode/#openvpn [+o ecrist] by ChanServ
09:45 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
09:45 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
09:45 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
09:45 -!- mode/#openvpn [+v hazardous] by ChanServ
09:45 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
09:45 -!- dschoepe [~dschoepe@unaffiliated/dschoepe] has joined #openvpn
09:45 -!- sontek [~sontek@opensuse/member/Sontek] has joined #openvpn
09:46 -!- Irssi: Join to #openvpn was synced in 40 secs
09:46 -!- simcop2387 [~simcop238@simcop2387.info] has joined #openvpn
09:46 -!- simcop2387 [~simcop238@simcop2387.info] has quit [Changing host]
09:46 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
09:46 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
09:47 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
09:47 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
09:47 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:47 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
09:48 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
09:49 -!- rgouveia [~rgouveia@unaffiliated/rgouveia] has joined #openvpn
09:49 -!- Latrina [~Latrina@ppp-204-49.26-151.libero.it] has joined #openvpn
09:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:49 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
09:52 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
09:52 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
09:53 -!- jmr` [~zero@badnode.org] has joined #openvpn
09:55 -!- liriel [~liriel@aphrodite.feralhosting.com] has joined #openvpn
09:56 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
09:56 -!- kld [~acer@85.235.3.224] has quit [Quit: Leaving]
09:58 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
09:58 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
09:58 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
09:59 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:00 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:20 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 255 seconds]
10:31 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
10:32 -!- Proshot [~FSM@217.68.49.75] has quit [Ping timeout: 255 seconds]
10:36 -!- s0meone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
10:39 -!- master_o1_master [~master_of@p4FF24BE1.dip0.t-ipconnect.de] has joined #openvpn
10:40 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 255 seconds]
10:41 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
10:41 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: brb]
10:42 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
10:42 -!- master_of_master [~master_of@79.242.70.47] has quit [Ping timeout: 255 seconds]
10:42 -!- t0r [~textual@167.206.48.217] has joined #openvpn
10:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:50 -!- JustEra [~JustEra@89.234.148.12] has quit [Ping timeout: 255 seconds]
10:52 -!- shiftplusone [~Shift@unaffiliated/shiftplusone] has joined #openvpn
10:53 -!- shiftplusone [~Shift@unaffiliated/shiftplusone] has left #openvpn ["Leaving"]
10:57 < Cpt-Oblivious> Is openvpn affected by the heartbleed bug?
10:57 -!- s0meone is now known as someone
10:57 < Cpt-Oblivious> (if openssl on the system is affected)
10:58 <@plaisthos> yes
10:58 -!- wbk_j [~wallbroke@151.72.84.62] has joined #openvpn
10:58 < wbk_j> hi guys
10:59 < wbk_j> does openssl last bug affect easyRSA?
11:01 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
11:01 -!- amsterdam [~Adium@vlan251.lenin01.cgn.dg-i.net] has quit [Quit: Leaving.]
11:02 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Read error: Connection reset by peer]
11:03 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:03 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:03 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:03 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:04 -!- lj [~l@192.241.174.169] has joined #openvpn
11:04 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:04 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:04 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:04 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:05 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:05 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:05 -!- utrtfu [~user@109.201.154.188] has joined #openvpn
11:05 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:05 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:06 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:06 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:06 < utrtfu> need some help with an openvpn client running on a raspberry pi.
11:06 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has joined #openvpn
11:06 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:06 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:06 < utrtfu> open vpn is only using ~50% cpu on the pi when there should be at least 80% for it to use
11:07 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:07 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:07 < utrtfu> is there any way to find out why it is only using 50%. or some way to force it to use more??
11:07 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:07 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:08 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:08 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:08 < dschoepe> utrtfu: I don't know much about the raspberry pi, but does it have two cores by any chance?
11:08 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:08 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:08 -!- smead [~smead@98.159.223.18] has joined #openvpn
11:09 < giorgiodinapoli> guys i have a openvpn server vm with virtual subnet 10.200.200.0 in a  subnet 192.168.178.0. i can connect with my clients. perfect. but i f i ping a  192.178 address traffic goes in but doesntz come back. what can be the reason for thsi
11:09 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Remote host closed the connection]
11:09 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:09 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:09 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:09 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:09 < smead> giorgiodinapoli: The 192.178 subnet is inside your firewall? Did you setup NAT on the VPN host ?
11:10 < utrtfu> single core as far as i know
11:11 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Remote host closed the connection]
11:11 < giorgiodinapoli> i did this: echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
11:11 < utrtfu> yeah single core https://en.wikipedia.org/wiki/ARM11
11:11 <@vpnHelper> Title: ARM11 - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:11 < angs> is it possible to run openvpn on a processor where it does not have any operating system? The processor is connected to a WiFi module.
11:12 < smead> Which distribution are you on ? Centos / RH ?
11:12 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
11:12 < smead> giorgiodinapoli: and, which version ?
11:12 < giorgiodinapoli> ubuntu 12.04
11:12 < giorgiodinapoli> ?
11:13 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:13 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:13 < smead> Okay, just a sec
11:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:14 < giorgiodinapoli> if i do tcmdump on eth0 i can see that ping is trying to push back to virtual subnet
11:14 < smead> So, I have only used the default ufw on ubuntu
11:14 < giorgiodinapoli> but tcpdump on tun0 doesnt show it
11:15 < utrtfu> dschoepe: it used a single core ARM v6
11:15 < giorgiodinapoli> so its lost between eth0 and tun0 backwards
11:15 < smead> https://help.ubuntu.com/12.04/serverguide/firewall.html#ip-masquerading
11:15 <@vpnHelper> Title: Firewall (at help.ubuntu.com)
11:15 < smead> This is what I followed to get it working
11:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:15 < smead> Ah, one other thing
11:15 < smead> is this a virtual machine ?
11:18 -!- busch [~busch@datenschleuder.com] has joined #openvpn
11:18 < giorgiodinapoli> smead YES!
11:18 < giorgiodinapoli> smead thx as of yet!
11:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
11:19 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:19 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:19 < smead> So, I was doing this in virutalbox
11:19 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:19 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:19 < giorgiodinapoli> prmosic mode?
11:19 < smead> Yeah
11:20 < smead> You have to set allow
11:20 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
11:20 < smead> I can't remember correctly… ( it was a while ago )
11:21 < smead> I can't remember if I had to delete the interface and re-make it with promisc or not
11:21 < smead> I banged my head on that for a while
11:21 < giorgiodinapoli> np this should be finde
11:21 < giorgiodinapoli> fine
11:22 -!- Immunity [~Immunity@212.175.5.55] has joined #openvpn
11:22 < giorgiodinapoli> thx for helping ufw was goodpoint
11:22 < smead> No problem
11:22 < smead> goodluck
11:23 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
11:25 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:25 < Immunity> Hello. I have a dedicated server which have 32 failover ips. I want to install OpenVPN server and want to give these public ips to clients. Is this possible? If it is, how? :)
11:27 < smead> Are the IPs installed directly on the host? Or are they managed by a firewall ?
11:28 < Immunity> i have to add them to server to route
11:28 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
11:28 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
11:28 < Immunity> all of them are /32 bits...
11:28 -!- mode/#openvpn [+o raidz] by ChanServ
11:29 -!- angs [ubuntu@85.235.3.236] has quit [Read error: Connection reset by peer]
11:29 < smead> So, you want to provide every one of your clients a dedicated external IP
11:29 < Immunity> yes smead
11:31 < smead> I'm not sure how to do that personally.  I've never tried that
11:31 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
11:32 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
11:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
11:33 < Immunity> if i knew it is possible i would try to do it
11:33 -!- JustEra [~JustEra@89.234.148.12] has quit [Ping timeout: 240 seconds]
11:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:34 < smead> Yeah, I'm not even sure
11:35 -!- gu [~gu@194.231.39.10] has joined #openvpn
11:35 < smead> I would assume you could always setup a different tun interface for each one on a different in-bound TCP/IP port
11:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
11:38 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:38 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Excess Flood]
11:38 -!- Immunity [~Immunity@212.175.5.55] has left #openvpn []
11:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
11:44 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
11:46 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:51 -!- K1rk2 [~administr@equinox.epecweb.com] has joined #openvpn
11:51 < K1rk2> Hello -- Is OpenVPN vulnerable to the Heartbleed vulnerability discovered in OpenSSL?  Should I rekey my OpenVPN server today?
11:52 <@krzee> !hearbleed
11:52 <@krzee> !heartbleed
11:52 <@vpnHelper> "heartbleed" is only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl
11:52 < K1rk2> I know my server was running a vulnerable version of OpenSSL for awhile.
11:52 < K1rk2> So, yes, it's affected?
11:54 <@krzee> !learn heartbleed as if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised.
11:54 <@vpnHelper> Joo got it.
11:54 < Eugene> I thought it needed to have an established session
11:54 < Eugene> Eg, only an auth-ed client could compromise
11:54 < K1rk2> Eugene: I had a similar preconception. That's why I'm here asking.
11:55 < Eugene> We had this same discussion last night, and I thought that was the outcome
11:55 <@krzee> after i fell asleep:  "just in: client certs do not protect you, it was late last night and mistook the check in the heartbeat *sending* code for a check in the heartbeat *processing* code."
11:56 < Eugene> Lovely.
11:56 <@krzee> you use tls-auth dont you?
11:56 < Eugene> Yeah
11:57 -!- JustEra [~JustEra@89.234.148.12] has quit [Ping timeout: 250 seconds]
11:57 <@krzee> how many clients?
11:57 < Eugene> About a dozen, most are my phones / laptops. :-p
11:57 < K1rk2> Great. Yeah I use tls-auth and I have about 20 clients
11:57 <@krzee> you can prolly just upgrade to good openssl and not worry about it
11:57 < Eugene> That was my plan, yeah. Don't I need to wait for an openvpn package update?
11:58 <@krzee> no, just compile openvpn with good openssl
11:58  * Eugene is not in a compiling mood.
11:58 <@krzee> doesnt your os know how to compile?
11:58 < Eugene> Effort
11:58 <@krzee> like freebsd ports and osx macports
11:58 < Eugene> I'm using the epel package, I'm sure they'll get to it.
11:59 < K1rk2> Just updating openssl isn't good enough?
11:59 <@krzee> oh hah
11:59 < K1rk2> I updated openssl and the vulnerability no longer applies to my jabber server
11:59 < Eugene> Also, laptops are Windows. That's openvpn.net ;-)
11:59 < K1rk2> I didn't have to update the jabber server
11:59  * Eugene is NOT setting up a fucking windows buildchain
12:00 -!- Aliekezhi [~Aliekezhi@80.215.20.151] has joined #openvpn
12:00 <@krzee> windows build is coming out as we speak
12:00 -!- utrtfu [~user@109.201.154.188] has quit [Ping timeout: 250 seconds]
12:00 < Eugene> Excellente.
12:00 <@krzee>  <mattock> ok, 2.3.2-I004 installer out: http://openvpn.net/index.php/download/community-downloads.html
12:00 <@vpnHelper> Title: Community Downloads (at openvpn.net)
12:00 <@krzee> literally THIS minute he said that
12:00 <@krzee> hehe
12:00 < Eugene> Heh, I actually was visiting the page
12:01 < Eugene> Next: phones. Where's Arne
12:01 <@krzee> actually thats androids job
12:01 -!- flickerfly [~jritchie@216.115.64.202] has joined #openvpn
12:01 <@krzee> he doesnt include his own openssl lib
12:01 <@krzee> or if you use connect, it uses polarssl not openssl
12:01 < Eugene> Eh. I'll live with it on the clients
12:02 < Eugene> I highly doubt somebody will get root on one of my servers
12:02 -!- JustEra [~JustEra@ns2.exhosting.fr] has joined #openvpn
12:02 <@plaisthos> Eugene: ANdroid has to wait 1-2 days
12:02 < Eugene> At least I'm already using CyanogenMod, so it isn't a massive ordeal for a carrier OTA
12:03 < Eugene> Though THEIR website is dead today, for unrelated reasons
12:04 < K1rk2> Thanks for the input.
12:04 -!- K1rk2 [~administr@equinox.epecweb.com] has quit [Quit: leaving]
12:06 -!- JustEra [~JustEra@ns2.exhosting.fr] has quit [Read error: Connection reset by peer]
12:06 -!- DFC [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has joined #openvpn
12:06 < DFC> hi @ all
12:06 < Eugene> !welcome
12:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:07 -!- DFC is now known as Guest80029
12:07 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
12:08 -!- JustEra [~JustEra@ns2.exhosting.fr] has joined #openvpn
12:09 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
12:09 -!- Guest80029 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has left #openvpn []
12:09 -!- Guest80029 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has joined #openvpn
12:11 -!- Guest80029 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has left #openvpn []
12:11 -!- DFC90 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has joined #openvpn
12:11 < DFC90> ive got one question and hope that anyone could help me (sorry for my bad english :-)
12:11 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
12:12 < DFC90> ive got an debian rootserver with openvpn, at home ive got an easybox 904 with openvpn.
12:13 -!- JustEra [~JustEra@ns2.exhosting.fr] has quit [Ping timeout: 240 seconds]
12:14 < DFC90> the easybox can only works as a server, so i connect my debian (client) to my router at home. it all works great! now i would like to connect my iphone trough the openvpn app with my debian server. it works too, but i cant access the network behind my router from my iphone....
12:14 < DFC90> router(server) <------->(client)debian(server)<-------> iphone
12:14 -!- utrtfu [~user@tsn109-201-135-220.dyn.nltelcom.net] has joined #openvpn
12:15 < DFC90> is it possible to get access from my iphone over debian to my router/local network ?
12:17 -!- JustEra [~JustEra@ns2.exhosting.fr] has joined #openvpn
12:17 <@krzee> it seems android happens to have heartbeat disabled
12:18 <@krzee> for other reasons
12:18 < wbk_j> does openssl last bug affect easyRSA?
12:18 <@krzee> its not about the generating of the keys, so not easy-rsa
12:18 <@krzee> but it can affect openvpn if used with vuln openssl
12:19 <@krzee> !heartbleed
12:19 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised.
12:19 -!- Trebortech [~Trebortec@66.55.33.66] has joined #openvpn
12:19 <@krzee> more info coming later. one of the devs is writing on the wiki
12:19 < Eugene> Oh good.
12:19 < wbk_j> easyrsa 3 is final or RC?
12:20 -!- utrtfu [~user@tsn109-201-135-220.dyn.nltelcom.net] has quit [Quit: Leaving]
12:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 264 seconds]
12:20 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 265 seconds]
12:20 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Operation timed out]
12:20 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
12:21 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds]
12:22 <@krzee> !learn heartbleed as android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected.
12:22 <@vpnHelper> Joo got it.
12:22 <@krzee> !heartbleed
12:22 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected.
12:22 < Eugene> Since I'm too lazy to look it up, what's the reason for that being added to android
12:23 <@krzee> "Use OPENSSL_NO_HEARTBEATS for better wpa_supplicant interoperability"
12:23 < Eugene> Sensible.
12:24 <@krzee> full disclosure: im just pasting this stuff from the dev chan
12:24  * Eugene shrugs
12:24 -!- JustEra [~JustEra@ns2.exhosting.fr] has quit [Ping timeout: 240 seconds]
12:24 < Eugene> I just need something to stuff in the #cyanogenmod bot to shut up idiots myself ;-)
12:24 <@krzee> :D
12:25 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
12:26 -!- Guest80029 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has joined #openvpn
12:28 -!- Guest80029 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has left #openvpn []
12:29 -!- DFC90 [~DFC@ltea-047-066-115-112.pools.arcor-ip.net] has quit [Ping timeout: 250 seconds]
12:29 -!- raidz_away [~raidz@raidz.im] has joined #openvpn
12:29 -!- mattock_afk [~mattock@raidz.im] has joined #openvpn
12:29 -!- mattock_afk is now known as mattock
12:29 -!- mattock [~mattock@raidz.im] has quit [Changing host]
12:29 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
12:29 -!- mode/#openvpn [+o mattock] by ChanServ
12:29 -!- raidz_away is now known as raidz
12:30 -!- raidz [~raidz@raidz.im] has quit [Changing host]
12:30 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
12:30 -!- mode/#openvpn [+o raidz] by ChanServ
12:30 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
12:30 -!- JustEra [~JustEra@89.234.148.12] has quit [Ping timeout: 240 seconds]
12:32 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Read error: Operation timed out]
12:35 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
12:35 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:35 -!- mode/#openvpn [+v s7r] by ChanServ
12:35 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
12:35 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
12:36 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
12:36 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
12:37 -!- lj [~l@192.241.174.169] has joined #openvpn
12:43 <@krzee> !learn heartbleed as https://community.openvpn.net/openvpn/wiki/heartbleed
12:43 <@vpnHelper> Joo got it.
12:43 <@krzee> work in progress ^
12:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection timed out]
12:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:46 -!- JustEra [~JustEra@89.234.148.12] has quit [Read error: No route to host]
12:47 -!- JustEra [~JustEra@89.234.148.12] has joined #openvpn
12:54 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 252 seconds]
12:55 -!- JustEra [~JustEra@89.234.148.12] has quit [Ping timeout: 250 seconds]
13:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 246 seconds]
13:09 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vcsdoeecpotpvnak] has joined #openvpn
13:09 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has joined #openvpn
13:13 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
13:16 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
13:16 -!- paradox`` [~paradox@86.10.62.238] has quit [Ping timeout: 255 seconds]
13:20 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: christofftoo]
13:20 <+s7r> openvpn + heartbleed flaw @ openssl = recepie for disaster?
13:20 <+s7r> how was / is it affected
13:20 <+s7r> ?
13:21 <+s7r> i use it to secure connection to a server and exchange files via RFC1918 internal address via tun device...
13:21 <+s7r> so is the crypto still ok for me ?
13:21 <+s7r> i have the lastest stable version
13:23 -!- funyun [~temp@75.98.233.131] has quit [Ping timeout: 252 seconds]
13:23 <+s7r> !heartbleed
13:23 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
13:23 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
13:23 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
13:24 -!- Eduard_Munteanu [~EduardMun@5-12-253-122.residential.rdsnet.ro] has joined #openvpn
13:25 < VsioZashibis> hi. how can I prevent one client from connecting to the server? I gave a .key file to a friend, but now I want to prevent him from connecting, if he ever tries.
13:25 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Read error: Operation timed out]
13:29 <@krzee> you can revoke the cert, or disable it with a ccd entry
13:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
13:30 < reiffert> how to do with a ccd entry?
13:30 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
13:31 <+s7r> krzee are you concerned about heartbleed openssl problem?
13:32 <@krzee> not for me, not using affected openssl
13:32  * reiffert is on 0.9.8 everywhere.
13:33 <@krzee> same ^
13:33 <@krzee> well except my osx had 1.0.1 but i port upgrade openssl and call it cool, my osx doesnt login to any public servers i think my tls-auth kept it fine
13:33 <+s7r> but this openssl is independent of openvpn
13:34 <+s7r> like when i installed apt-get openvpn
13:34 <+s7r> it fetched the correct openssl?
13:34 <@krzee> the ssl on your system wasnt openvpn's concern
13:34 <@krzee> openssl version
13:34 <@krzee> ^ run that
13:35 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:36 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:38 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
13:39 -!- danielbw [~danielbw@secured.monstertool.com] has joined #openvpn
13:39 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
13:39 < danielbw> how can I tell if the openvpn service on my pfsense is vulnerable to the openssl heartbleed bug?
13:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
13:40 <@krzee> by checking its openssl version, shell command is: openssl version
13:42 < ribasushi> it'd be nice to get a list of affected/unaffected win32 client binaries
13:43 < ribasushi> that is the ones you can get from the site
13:43 < VsioZashibis> OpenSSL 1.0.1e 11 Feb 2013
13:43 < ribasushi> ah already on the wiki
13:43 < VsioZashibis> this must be upgrdaed?
13:44 <@krzee> yes
13:45 < ribasushi> openvpn-install-2.3rc1-32bit.exe \o/ yay for no time to do upgrades
13:47 <@krzee> ooo you skated by lol
13:48 <@novaflash> hello people
13:48 <@novaflash> just wanted to bring you guys up to date that openvpn ACCESS SERVER does not use the system's own libs
13:48 <@novaflash> it uses its own bundled set
13:48 <@novaflash> if anyone asks about access server, direct them to our channel or let them know version 2.0.6 is out, and that we also have patched libs available
13:49 <@krzee> does it use polar or open?
13:49 <@novaflash> versions 1.8.1 -> 2.0.5 are affected, older and newer versions are okay
13:49 <@novaflash> it uses openssl
13:49 <@novaflash> but this is making a strong case to switch to polar, which openvpn for ios is already using i think
13:49 <@krzee> yes connect uses polar
13:49 <@novaflash> hell, openssl is getting a beating so hard they'll be crying for mommy till christmas
13:52 -!- ed6612 [~ed6612@206.214.43.172] has joined #openvpn
13:52 -!- deeville [~deeville@38.117.108.108] has quit [Remote host closed the connection]
13:52 -!- thm [610884ac1b@fedora/thm] has left #openvpn []
13:52 <@novaflash> i'm also asking debbie10t to post something on the forums about this
13:52 <@novaflash> Access Server 2.0.6 is out and addresses the heartbleed vulnerability. Binary patches are at http://swupdate.openvpn.org/hb/ and are meant for versions 1.8.1 --> 2.0.5.
13:52 <@vpnHelper> Title: Index of /hb/ (at swupdate.openvpn.org)
13:53 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
13:54 -!- ed6612 [~ed6612@206.214.43.172] has left #openvpn []
14:00 < havoc> I hate to ask, as I haven't been following, but is OpenVPN affected by this heartbleed ssl vuln?
14:00 < havoc> I would guess it is
14:01 < havoc> ah, nm, I built from src, so as long as I have the openssl fixes, I can rebuild, and I'm fine
14:01 < ribasushi> havoc: https://community.openvpn.net/openvpn/wiki/heartbleed
14:01 <@vpnHelper> Title: heartbleed – OpenVPN Community (at community.openvpn.net)
14:01 < havoc> ribasushi: thanks
14:03 -!- ed6612 [~ed6612@206.214.43.172] has joined #openvpn
14:07 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:11 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
14:24 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
14:24 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: christofftoo]
14:28 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
14:30 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
14:31 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:32 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Quit: ZNC - http://znc.in]
14:32 -!- Aliekezhi [~Aliekezhi@80.215.20.151] has quit [Ping timeout: 246 seconds]
14:36 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
14:36 < GrecKo> is it possible to push something to the hosts file or equivalent when connecting ?
14:36 <@krzee> !splitdns
14:36 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
14:37 < GrecKo> thx
14:37 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
14:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:38 < Aketzu> hmm... I would like to know how much / how deterministically openvpn leaks data
14:39 < Aketzu> .. easiest way would be to code PoC exploit and run it with unpatched versions
14:40 -!- p3rror [~mezgani@41.140.209.77] has joined #openvpn
14:40 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 240 seconds]
14:42 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
14:44 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 246 seconds]
14:47 -!- KenMatlock [~KenMatloc@63.231.92.41] has joined #openvpn
14:47 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
14:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-sxlqyouzxpifyvml] has quit [Quit: Connection closed for inactivity]
14:48 -!- Aliekezhi [~Aliekezhi@80.215.210.97] has joined #openvpn
14:51 <@syzzer> Aketzu: has nothing to do with openvpn, and much more with your local malloc implementation
14:51 -!- smead [~smead@98.159.223.18] has quit [Quit: Leaving.]
14:51 < Aketzu> yes... I quickly tested with apache... almost same response every time
14:51 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
14:51 <@syzzer> on a server with many client that would probably be different
14:51 < Aketzu> "at most" http headers (which could contain basic auth, cookies etc.)
14:53 <@syzzer> yeah, you'll get a lot of what there's a lot of in the program memory :)
14:55 < Aketzu> annoying that this has all the potential to leak everything but it might be that some malloc implementations just wouldn't leak practically anything
15:00 -!- KenMatlock [~KenMatloc@63.231.92.41] has left #openvpn []
15:01 -!- Falcon| [andreas@shell.lamerschool.net] has joined #openvpn
15:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 246 seconds]
15:05 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
15:11 -!- smead [~smead@cpe-67-247-135-80.rochester.res.rr.com] has joined #openvpn
15:14 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
15:14 -!- gu [~gu@194.231.39.10] has quit [Read error: Connection reset by peer]
15:14 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Remote host closed the connection]
15:14 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Quit: ZNC - http://znc.in]
15:15 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
15:15 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
15:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:22 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
15:23 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-bzewqosztdqzudtu] has joined #openvpn
15:24 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-vcsdoeecpotpvnak] has quit [Quit: Connection closed for inactivity]
15:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:27 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
15:30 -!- Aliekezhi [~Aliekezhi@80.215.210.97] has quit [Remote host closed the connection]
15:30 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:32 -!- gu2 [~gu@194.231.39.10] has quit [Quit: Leaving.]
15:32 -!- gu [~gu@194.231.39.10] has joined #openvpn
15:35 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
15:36 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 246 seconds]
15:37 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
15:38 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
15:43 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:46 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
15:49 -!- smead [~smead@cpe-67-247-135-80.rochester.res.rr.com] has quit [Quit: Leaving.]
15:50 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
15:51 -!- JustEra [~JustEra@val59-9-78-223-170-206.fbx.proxad.net] has joined #openvpn
15:52 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
15:53 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Max SendQ exceeded]
15:55 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Remote host closed the connection]
15:55 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
15:57 -!- codehero is now known as scientificat
15:59 -!- Trebortech_ [~Trebortec@66.55.33.66] has joined #openvpn
16:03 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:03 -!- Trebortech [~Trebortec@66.55.33.66] has quit [Ping timeout: 246 seconds]
16:03 -!- Trebortech_ is now known as Trebortech
16:03 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
16:13 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
16:14 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
16:16 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 246 seconds]
16:18 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:19 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
16:20 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
16:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
16:23 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:24 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
16:25 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
16:30 -!- smead [~smead@cpe-67-247-135-80.rochester.res.rr.com] has joined #openvpn
16:30 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
16:33 -!- smead1 [~smead@cpe-67-247-135-80.rochester.res.rr.com] has joined #openvpn
16:34 -!- smead [~smead@cpe-67-247-135-80.rochester.res.rr.com] has quit [Ping timeout: 246 seconds]
16:36 -!- smead1 [~smead@cpe-67-247-135-80.rochester.res.rr.com] has quit [Client Quit]
16:39 -!- Latrina [~Latrina@ppp-204-49.26-151.libero.it] has quit [Ping timeout: 246 seconds]
16:41 -!- Latrina [~Latrina@ppp-160-51.26-151.libero.it] has joined #openvpn
16:43 -!- joshh20-Away is now known as joshh20
16:46 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
16:47 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
16:47 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
16:51 -!- ed6612 [~ed6612@206.214.43.172] has quit [Read error: Connection reset by peer]
16:51 < pekster> wbk_j: easyrsa is rc still; I'm the primary author and consider all the core features stable, but there's at least one outstanding issue with advanced features (from vars.example) that needs fixing before it can be marked stable
16:51 -!- smead [~smead@cpe-67-247-135-80.rochester.res.rr.com] has joined #openvpn
16:52 -!- ed6612 [~ed6612@206.214.43.172] has joined #openvpn
16:52 -!- Latrina [~Latrina@ppp-160-51.26-151.libero.it] has quit [Ping timeout: 250 seconds]
16:53 < pekster> wbk_j: As noted above, the heartbleed issue only impacts systems using TLS with vulnerable openssl versions; easyrsa doesn't use TLS, just generates keys/certs. You might want to consider revoking & re-issuing all your current certs that are deployed though. After upgrading the vulnerable versions, of course. Adding --tls-auth can help too (read !hardening for that and other general secuity ideas)
16:53 -!- gu [~gu@194.231.39.10] has joined #openvpn
16:55 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
16:55 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
16:55 -!- Latrina [~Latrina@ppp-214-42.26-151.libero.it] has joined #openvpn
16:55 -!- gu [~gu@194.231.39.10] has quit [Client Quit]
16:56 -!- smead [~smead@cpe-67-247-135-80.rochester.res.rr.com] has quit [Ping timeout: 240 seconds]
16:57 -!- mikemol [~mikemol@162.17.129.77] has quit [Remote host closed the connection]
16:58 -!- kwmiebach [sid16855@gateway/web/irccloud.com/x-uazriwxffbhmrjta] has joined #openvpn
16:58 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: leaving]
16:59 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
16:59 -!- p3rror [~mezgani@41.140.209.77] has quit [Ping timeout: 240 seconds]
16:59 -!- scientificat is now known as codehero
17:00 < kwmiebach> Hello, I have read that there is a windows binary with fixed openssl, thank you for doing this so quickly! Where can I find it?
17:03 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
17:04 < Eugene> !download
17:04 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:04 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:04 < Eugene> kwmiebach - released today, I004
17:05 < Eugene> (is that a L or an i ? Stupid tiny font.)
17:05 < Eugene> Aha, capital i
17:05 < tharkun> i
17:05 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
17:05  * Avroceptyr proposes using a naming scheme that does not cause confusion
17:06 < kwmiebach> Eugene: thank you I was blind I was on that page bnut only saw 2013.06.03 :/
17:06 < Eugene> F5 ;-)
17:06 < wbk_j> guys, somebody of you tried running openvpn server on a raspberrypi board? it works ok?
17:07 < kwmiebach> I will just stop the service, swap the exe files and restar
17:07 < Eugene> Works fine. No CPU grunt and no dedicated crypto instructions, so it tops out at a few mbit/s, but other than that fine.
17:07  * pekster doesn't own an rPi, but they have weak processors. Provided data encryption speed isn't an issue for you, it should work
17:07 < pekster> Eugene: See, I let others win sometimes too ;
17:07 < pekster> ;)
17:08 < Eugene> Bite me.
17:08 < wbk_j> there are also better dev board with better performance?
17:08 < pekster> Look for something with AES-NI if you want performance
17:08 < wbk_j> i need a cheap one
17:09 < pekster> Unless you find one in your budget range that does AES-NI, it's going to come down to pure CPU performance
17:09 < wbk_j> there are so many others devboard like "beagleboard black" or "cubieboard"
17:09 < wbk_j> maybe one of these should be better for an openvpn server
17:10 < wbk_j> but if you don't know nothing about this, never mind
17:10 < wbk_j> that's not a very strictly related openvpn argument
17:11 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
17:11 < Eugene> By "dev board" do you mean "small, cheap computer suitable to replace my wifi router combo unit"
17:11 < Eugene> $50 goes a lot farther for CPU performance on eBay than a RasPi ;-)
17:11 < wbk_j> yes, exactly.
17:12 < wbk_j> you can't replace your router with a dev board, it has only one ethernet port, generally a router got 2 ethernet ports
17:12 -!- p3rror [~mezgani@196.201.78.139] has joined #openvpn
17:13 < wbk_j> you should use the same port for incoming/outcoming traffic, but i don't know if it is a right rule
17:15 < pekster> If the hardware supports VLANs (802.1Q) you can trunk to a VLAN-aware switch
17:16 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
17:19 < kwmiebach> Thanks again for the update. All works fine now here on the windows 64 bit machines. :)
17:19 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 240 seconds]
17:31 -!- flickerfly [~jritchie@216.115.64.202] has left #openvpn []
17:32 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:34 -!- TypoNe [~itsme@195.197.184.87] has quit [Ping timeout: 246 seconds]
17:35 -!- JustEra [~JustEra@val59-9-78-223-170-206.fbx.proxad.net] has quit [Ping timeout: 250 seconds]
17:37 < Beta2K> If you want another SBC with better performance check out the odroid
17:37 < Beta2K> it's not terribly expensive
17:38 < Beta2K> even the beaglebone black will out perform a rpi without much cost increase
17:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:47 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
17:47 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
17:48 -!- backz [~backz@189.120.201.91] has joined #openvpn
17:50 < backz> cheers! this is my config: http://pastebin.com/PpD2iWsZ - this is using the same ip 192.168.200.6 to all my clients. How can I build a true LAN over VPN?
17:50 -!- Guest35643 [~klein@187.85.183.105] has joined #openvpn
17:51 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: christofftoo]
17:51 < pekster> backz: lines 11, 23, 39, & 46 are unnecessary; --server and --client already expand to include those
17:52 < pekster> Otherwise looks like a perfectly fine routed setup. If by "true LAN" you mean OSI L2, or Ethernet, you probably don't want that unless:
17:52 < pekster> !tunortap
17:52 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
17:52 <@vpnHelper> rooted/jailbroken) support only tun
17:54 < backz> pekster: thanks, is it the bridge?
17:54 < pekster> Right, bridging is how you join Ethernet-type networks together. It's more complicated as it involves more moving parts (including your OS/distro networking) and is best avoided unless you actually need it
17:55 < backz> pekster: the only thing I need is to have a different ip address to each client connected on this 'net'. Like 192.168.200.6 to client A, 192.168.200.7 to client B, and so..
17:55 < pekster> Your VPN clients? Read !static if that's all you want
17:55 < pekster> THere's some wiki info at !addressing too
17:56 < backz> Ok, but, will client A pings client B?
17:56 < backz> !static
17:56 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
17:56 <@vpnHelper> also: !addressing
17:56 < pekster> Yes, if your firewall allows it. Optionally, if you use `--client-to-client` on your server, that will bypass the firewall for vpn-to-vpn (on the same VPN that is) traffic
17:57 < pekster> I'd encourage you not to use that option and do it in your firewall, but that's up to you
17:57 < backz> there are more: I dont know how many clients will be connected in this VPN server :)
17:57 -!- mode/#openvpn [+o pekster] by ChanServ
17:58 <@pekster> OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.2 (03 Jun 2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Heartbleed info: see !heardbleed
17:58 -!- mode/#openvpn [-o pekster] by ChanServ
17:58 < backz> so, is static the solution that I need ?
17:58 < pekster> If you want static addressing for your clients? Yes.
17:59 < pekster> There are examples of how to do that in !addressing
17:59 < backz> !addressing
17:59 -!- kirin` [telex@gateway/shell/anapnea.net/x-hnqckvqateziygwd] has quit [Ping timeout: 240 seconds]
17:59 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
18:00 -!- kirin` [telex@gateway/shell/anapnea.net/x-yssvpjszyltlbryp] has joined #openvpn
18:01 < pekster> Oh, bah, topic fail..
18:02 -!- ChanServ changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.2 (03 Jun 2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Heartbleed info: see !heardbleed
18:04 < backz> first all, can I use the same cert to all clients? since I dont know how many clients will be connected on, it must be easy to share the same 'config' folder
18:04 < pekster> !dupe
18:04 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
18:04 -!- Corey_ [~Corey@freenode/staff/corey] has joined #openvpn
18:05 < backz> !man
18:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
18:05 < pekster> Be aware if you do that and need to revoke one (or one is lost/compromised) you end up revoking _all_ access to the shared users
18:05 < backz> !pki
18:05 < backz> Ok
18:05 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
18:05 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
18:07 -!- Corey [~Corey@freenode/staff/corey] has quit [Disconnected by services]
18:07 -!- Trebortech [~Trebortec@66.55.33.66] has quit [Quit: Trebortech]
18:08 -!- Corey_ is now known as Corey
18:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
18:09 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 246 seconds]
18:10 < backz> so, what am I looking for is the net30?
18:10 < backz> (best to avoid this)
18:11 < backz> is subnet the default Addressing?
18:11 -!- bashusr [~bashusr@pool-173-56-245-35.nycmny.fios.verizon.net] has joined #openvpn
18:11 -!- bashusr [~bashusr@pool-173-56-245-35.nycmny.fios.verizon.net] has quit [Changing host]
18:11 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
18:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
18:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-bzewqosztdqzudtu] has quit [Quit: Connection closed for inactivity]
18:20 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 250 seconds]
18:22 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-ziqwxsmvntkkajqh] has quit [Quit: ZNC - http://znc.in]
18:23 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-xtknqnblnrduiwzi] has joined #openvpn
18:27 < Eugene> !/30
18:27 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
18:27 < Eugene> /30 is the default.
18:27 < Eugene> !topology
18:27 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
18:27 < Eugene> You want subnet ;-)
18:27 < backz> thanks! :)
18:30 -!- Cpt-Oblivious_ [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:30 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
18:31 < backz> I've inserted --client-to-client and --duplicate-cn and I've got 192.168.200.6 on client A and 192.168.200.10 on client B. Now it's working! (I suppose)
18:34 -!- Cpt-Oblivious_ [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
18:34 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
18:34 < backz> I'm talking from a remote desktop connection from client B to client a :)
18:34 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
18:36 < backz> the ips are dhcped. will it change or can I trust that these address will be the same to these machines?
18:38 < backz> s/address/addresses/g
18:38 < tony1> I Was looking for info on Heartbleed Bug I see in the topic something about see see !heardbleed but not shure what I need to do?
18:40 < tony1> if I upgrade openssl will I be ok? I read openvpn needs a fix as well but I am not sure
18:40 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
18:43 < tony1> !heardbleed
18:53 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:53 < backz> push "redirect-gateway def1"  # what is it?
18:55 < pekster> tony1: Sorry, typo in the topic
18:55 < pekster> !heartbleed
18:55 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
18:55 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
18:55 -!- ChanServ changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.2 (03 Jun 2013) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Heartbleed info: see !heartbleed
18:55 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
18:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:02 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
19:04 -!- DrCode [~DrCode@127.0.0.1] has quit [Ping timeout: 272 seconds]
19:05 -!- orutest|2 [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
19:05 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
19:06 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Client Quit]
19:06 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 246 seconds]
19:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:06 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
19:07 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
19:10 < tony1> pekster: so I take it that I have this problem 1.0.1e-2+rvt+deb7u6
19:10 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Quit: Lost terminal]
19:12 < pekster> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883
19:12 <@vpnHelper> Title: #743883 - CVE-2014-0160 heartbeat read overrun (heartbleed) - Debian Bug report logs (at bugs.debian.org)
19:13 < pekster> You'd need to check your distro to find what changed since "deb7u5" and "deb7u6", but your sounds one distro-rev-newer
19:17 < tony1> pekster: so if I understand once openssl is say 1.0.1g things will be fixed with any version of open vpn as log as you generate new keys
19:17 < pekster> distros are backporting the fix
19:17 < pekster> This is why I linked you to the bug for your distro where this is noted ;)
19:18 < pekster> It's wise to regenerate keys since any public use of them since 2012 (when 1.0.1 came out, introducing this problem) you could have been attacked
19:20 < tony1> pekster: ok i think I understand I will look over the links. dam I just got everything running good on the new hardware
19:21 < pekster> It's just the entity keys that you should re-generate; your CA isn't impacted (as your CA won't be serving TLS directly, or at least you shouldn't ever do such silly things)
19:23 < tony1> backz: changes client routing table so that all traffic is directed via server
19:24 < tony1> pekster: your CA won't be serving TLS directly   ok well how do I make sure im not silly? LOL
19:25 < pekster> Did you take your CA keypair and install it into a TLS-secured application by hand?
19:26 < tony1> pekster: I dont think so, I put my keys on android
19:30 -!- backz [~backz@189.120.201.91] has quit []
19:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
19:37 < tony1> pekster: well more to learn thanks for the links
19:52 -!- Trebortech [~Trebortec@70.114.224.68] has joined #openvpn
19:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:55 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
19:56 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
19:59 -!- Eduard_Munteanu [~EduardMun@5-12-253-122.residential.rdsnet.ro] has quit [Ping timeout: 246 seconds]
20:04 -!- u0m3 [~u0m3@92.80.126.165] has quit [Quit: Leaving]
20:09 -!- joshh20 is now known as joshh20-Away
20:10 -!- ed6612 [~ed6612@206.214.43.172] has quit []
20:17 -!- smead [~smead@173-85-171-224.dsl1-erie.roch.ny.frontiernet.net] has joined #openvpn
20:27 -!- smead [~smead@173-85-171-224.dsl1-erie.roch.ny.frontiernet.net] has quit [Quit: Leaving.]
20:49 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
20:49 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:51 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Client Quit]
20:51 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
20:52 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Client Quit]
20:53 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
21:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:10 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: christofftoo]
21:12 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
21:21 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: christofftoo]
21:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
21:26 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
21:30 -!- kaneonuskatew [~kaneonusk@unaffiliated/kaneonuskatew] has joined #openvpn
21:31 < kaneonuskatew> ! heartbleed
21:31 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
21:31 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
21:37 -!- kaneonuskatew [~kaneonusk@unaffiliated/kaneonuskatew] has quit [Quit: .]
21:39 -!- christofftoo [~christoff@ip70-173-152-171.lv.lv.cox.net] has quit [Read error: Connection reset by peer]
21:39 -!- Guest35643 [~klein@187.85.183.105] has quit [Ping timeout: 240 seconds]
21:49 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
21:50 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
21:50 -!- michaelhart [~michaelha@162.209.54.120] has quit [Client Quit]
22:03 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Quit: Leaving.]
22:21 -!- amsterdam [~Adium@xdsl-89-0-228-229.netcologne.de] has joined #openvpn
22:28 -!- lj [~l@74.120.200.95] has joined #openvpn
22:32 -!- Trebortech [~Trebortec@70.114.224.68] has quit [Quit: Trebortech]
22:56 < soapee01> heartbleed SUCKS
22:56 <@krzee> ahh you were vuln and had to re-do your pki?
22:57 < soapee01> I'm just looking at the shit ton of servers and keys I have to redo
22:57 <@krzee> sucks, i got lucky
22:57 < soapee01> TLS for mail, openvpn, https, chat FUCK
22:58 <@krzee> i wasnt running 1.0.1
22:58 < soapee01> what version are those snoms running though
22:58  * soapee01 needs more booze.
22:59 < soapee01> krzee yeah I'm pretty much ubuntu lts on everything or debian, ergo boned.
23:00 <@krzee> no tls-auth?
23:01 <@krzee> the snoms are 0.9.8g
23:02 < soapee01> nice
23:02 < soapee01> no tls auth
23:02 <@krzee> ouch
23:02 < soapee01> tls is vulerable too
23:03 <@krzee> tls-auth is not really tls
23:03 <@krzee> !hmac
23:03 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
23:03 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
23:03 <@krzee> if the attacker doesnt have your tls-auth static key then they cannot attack you
23:04 <@krzee> 1 huge advantage openvpn has over pretty much everything else affected by this bug
23:04 < soapee01> agreed, but I don't think tls-auth is common practice
23:04 < soapee01> I've not seen many openvpn appliances that enable that, and if they do (pfsense iirc) makes it a huge pita to do so.
23:05 < soapee01> dd-wrt/tomato/untanggle, etc
23:06 <@krzee> well i think its extremely common practice
23:07 <@krzee> !pfsense
23:07 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the config and logfiles
23:07 <@krzee> !openwrt
23:07 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
23:09 < soapee01> most people (me included) want the ez button. We reap what we sow however...
23:10 < soapee01> mostly I'm on tomato and untangle. Both don't do tls auth without breaking the gui.
23:10 < soapee01> no reason I *shouldn't* though on tomato.
23:10 < soapee01> since you have to hand roll all the certs anyhow, and it can be configured.
23:12 -!- ShadniX [dagger@p5DDFC546.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:14 -!- ShadniX [dagger@p5DDFEF05.dip0.t-ipconnect.de] has joined #openvpn
23:20 <@krzee> first thing i do with openwrt is break the gui
23:20 <@krzee> i roll my own firmware with no web gui, just ssh
23:21 -!- amsterdam [~Adium@xdsl-89-0-228-229.netcologne.de] has quit [Quit: Leaving.]
23:22 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:22 -!- mode/#openvpn [+o mattock_afk] by ChanServ
23:22 -!- mattock_afk is now known as mattock
23:24 < Avroceptyr> What do librarians use to tell people off? SSH
23:24 < Avroceptyr> eh eh eh
23:24 < Avroceptyr> I'll see myself out
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:38 -!- obesd [~obsed@unaffiliated/obesd] has joined #openvpn
23:42 -!- aji [~alex@atheme/member/aji] has quit [Remote host closed the connection]
23:43 -!- aji [~alex@atheme/member/aji] has joined #openvpn
23:52 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
--- Day changed Wed Apr 09 2014
00:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:03 -!- yodasan [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
00:03 -!- yodasan [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Client Quit]
00:04 -!- centrx [~centrx@pool-72-74-93-238.bstnma.fios.verizon.net] has joined #openvpn
00:04 -!- centrx [~centrx@pool-72-74-93-238.bstnma.fios.verizon.net] has left #openvpn ["End transmission"]
00:04 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
00:04 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 250 seconds]
00:14 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 240 seconds]
00:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:18 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
00:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:22 -!- [ghost] [~ghost@76-201-60-136.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
00:22 < [ghost]> im running ubunut server 12.04 i'm trying to setup openvpn to connect to my server remotely. internel connection works i just can't connect to the internet. i tried bridge but no luck any suggestions.
00:23 < [ghost]> can't really find a good guide online please help
00:23 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
00:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:31 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
00:32 -!- Devastator [~devas@186.214.15.19] has joined #openvpn
00:34 < h6w> [ghost]: What do you mean by "internet connection works I just can't connect to the internet"?   If you traceroute 8.8.8.8, does it go via your vpn?
00:35 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
00:35 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
00:36 < Eugene> !redirect
00:36 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
00:36 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
00:37 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
00:37 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
00:44 -!- ghost88 [~ghost@ctours-69-16-147-98.phx1.puregig.net] has joined #openvpn
00:44 < h6w> Eugene, what if I don't want to provide internet access, but I want subnets on both sides to be available to subnets on the other side?
00:45 -!- [ghost] [~ghost@76-201-60-136.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 246 seconds]
00:47 < h6w> e.g. 10.8.1.0/24 <-- eth --> 10.8.1.1 "Server" 10.8.0.1 <-- tun --> 10.8.0.2 "Client" 10.8.2.1 <-- eth --> 10.8.2.0/24
00:48 < h6w> I have "topology subnet" already.
01:10 -!- ghost88 [~ghost@ctours-69-16-147-98.phx1.puregig.net] has quit [Remote host closed the connection]
01:14 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
01:15 < soapee01> krzee FYI earlier I misspoke about untangle, and they seem fine: https://support.untangle.com/hc/en-us/articles/201956817
01:15 <@vpnHelper> Title: What is the heartbleed bug? Are Untangle products and services vulnerable? Untangle Support (at support.untangle.com)
01:16 < Avroceptyr> I may be misreading something, however easyrsa 3.x does not supply nsCertType in a certificate generation (context, server) process
01:16 < Avroceptyr> The OpenVPN GUI (I004) expects a nsCertType key in a server cert
01:17 < Avroceptyr> Do I have that correctly?
01:19 < Avroceptyr> this is for the context of a server 2.3
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:40 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has joined #openvpn
01:41 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has quit [Remote host closed the connection]
01:41 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
01:42 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
01:44 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:44 -!- mode/#openvpn [+o mattock] by ChanServ
01:47 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
02:00 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: freemont5]
02:06 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
02:12 -!- gu [~gu@194.231.39.10] has joined #openvpn
02:12 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
02:14 -!- JustEra [~JustEra@val59-9-78-223-170-206.fbx.proxad.net] has joined #openvpn
02:14 -!- JustEra [~JustEra@val59-9-78-223-170-206.fbx.proxad.net] has quit [Client Quit]
02:17 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
02:18 -!- gu [~gu@194.231.39.10] has joined #openvpn
02:26 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
02:29 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
02:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 250 seconds]
02:36 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
02:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
02:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Excess Flood]
02:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:46 -!- nomefalso [~nomefalso@151.13.210.219] has quit []
02:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:49 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
02:52 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:14 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ursmsmvmxbhmhalf] has joined #openvpn
03:25 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
03:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
03:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
03:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:03 -!- Latrina [~Latrina@ppp-214-42.26-151.libero.it] has quit [Ping timeout: 240 seconds]
04:05 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has joined #openvpn
04:05 -!- maxiepax_ [max@locke.misse.org] has quit [Read error: Operation timed out]
04:10 -!- maxiepax [max@locke.misse.org] has joined #openvpn
04:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
04:17 -!- _bt [~bt@mongs.yotm.com] has quit [Changing host]
04:17 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
04:24 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: Leaving.]
04:35 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:42:1] has quit [Quit: No Ping reply in 180 seconds.]
04:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:39 -!- JuriadoBalzac [~cpe@www.badcode.net] has joined #openvpn
04:40 < JuriadoBalzac> !heartbleed
04:40 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
04:40 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
04:50 < jacekowski> what cipher is openvpn using?
04:51 < jacekowski>  https://community.openvpn.net/openvpn/wiki/heartbleed
04:51 <@vpnHelper> Title: heartbleed – OpenVPN Community (at community.openvpn.net)
04:51 < jacekowski> ehh
04:51 < jacekowski> by default i mean
04:51 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
04:54 <@plaisthos> !cipher
04:54 <@plaisthos> hm
04:54 <@plaisthos> BF-CBC
04:54 < jacekowski> hmmm
04:54 < jacekowski> on both ends i've got ECDHE-ECDSA-AES256-GCM-SHA384
04:54 < jacekowski> and other
04:55 < jacekowski> yet it seems to connect with TLSv1/SSLv3 DHE-RSA-AES256-SHA
04:55 < jacekowski> which is supposed to be weaker
05:00 <@plaisthos> cipher != tls-cipher
05:01 <@plaisthos> openvpn 2.3.2 does only tls 1.0
05:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
05:05 -!- gu [~gu@194.231.39.10] has joined #openvpn
05:11 -!- makara [~makara@41.164.22.218] has joined #openvpn
05:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:17 -!- dwarder [~dwarder@unaffiliated/dwarder] has joined #openvpn
05:17 < dwarder> does attacker must have a client cert in order to exploit  Heart Bleed bug?
05:19 < dwarder> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
05:22 -!- EnginA [~e@54.228.196.247] has joined #openvpn
05:22 < EnginA> hi!
05:23 < EnginA> was OpenVPN affected by the heartbleed bug?
05:24 < dwarder> yes
05:24 < dwarder> lol
05:25 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Remote host closed the connection]
05:27 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has joined #openvpn
05:27 < MaxFrames> hello
05:27 < MaxFrames> https://forums.openvpn.net/topic15526.html
05:27 <@vpnHelper> Title: OpenVPN Support Forum CVE-2014-0160 / Heartbleed : Off Topic, Related (at forums.openvpn.net)
05:28 < MaxFrames> where's the new windows build?
05:28 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
05:28 < pekster> Avroceptyr: "Netscape" extensions are deprecated. Use --remote-cert-tls in your configs, _not_ --ns-cert-type
05:29 < pekster> Avroceptyr: If you insist on using the old-and-deprecated functionality, read the vars.example file included in easyrsa3
05:33 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: freemont5]
05:38 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 246 seconds]
05:39 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:39 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:39 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 240 seconds]
05:41 -!- optixx [~optixx@bl14-172-175.dsl.telepac.pt] has joined #openvpn
05:42 < optixx> hello, is openvpn affected by the heartbleed exploit if linked to vulnerable libssl?
05:43 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
05:43 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:43 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:46 < MaxFrames> oh yes
05:46 < MaxFrames> everything is
05:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:00 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
06:06 < optixx> MaxFrames: Thanks
06:06 -!- optixx [~optixx@bl14-172-175.dsl.telepac.pt] has quit [Quit: Linkinus - http://linkinus.com]
06:07 -!- chrispercol [~chrisperc@ks3355862.kimsufi.com] has joined #openvpn
06:08 < chrispercol> gday, although I've enabled packet forwarding in a ubuntu server running openvpn I can't ping other devices on the lan...the ubuntu server is behind a remote firewall...anyone any thoughts?
06:09 < chrispercol> the packets are coming into to the server but then getting stuck
06:15 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has quit [Read error: Connection reset by peer]
06:16 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
06:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
06:20 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has joined #openvpn
06:26 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has quit [Read error: Connection reset by peer]
06:30 <@ecrist> chrispercol: your other lan needs to know how to route back to the vpn 
06:30 <@ecrist> either do that with proper static routes, or use nat outbound from the vpn server
06:31 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has joined #openvpn
06:33 -!- Trebortech [~Trebortec@70.114.224.68] has joined #openvpn
06:34 < chrispercol> ecrist: thanks, I have a route setup in my firewall to the openvpn subnet?
06:37 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has quit [Quit: ZNC - http://znc.in]
06:40 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has joined #openvpn
06:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
06:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:45 -!- Latrina [~Latrina@adsl-ull-15-193.50-151.net24.it] has quit [Ping timeout: 240 seconds]
06:45 -!- Latrina_ [~Latrina@adsl-ull-238-209.50-151.net24.it] has joined #openvpn
06:46 < JuriadoBalzac> Reasons I like Openssl 0.9.8 1)
06:48 <@dazo> krzee: be careful with suggesting that tls-auth resolves heartbleed issues ... I believe it only reduces the risk of MITM attacks with extracted keys due to heartbleed ... but the VPN traffic can be decrypted, and that's all until the keys have been replaced
06:48 -!- Latrina_ [~Latrina@adsl-ull-238-209.50-151.net24.it] has quit [Client Quit]
06:49 -!- Latrina [~Latrina@adsl-ull-238-209.50-151.net24.it] has joined #openvpn
06:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
06:52 -!- Trebortech [~Trebortec@70.114.224.68] has quit [Quit: Trebortech]
06:57 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
07:11 -!- BtbN [btbn@btbn.de] has left #openvpn ["Leaving"]
07:16 -!- JoeLinux [~joelinux@184.75.221.82] has joined #openvpn
07:16 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
07:18 -!- kld [~acer@85.235.3.224] has joined #openvpn
07:18 < kld> hi, Please edit the vars script to reflect your configuration,
07:18 < kld>   then source it with "source ./vars". how to make that ?
07:21 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:23 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Client Quit]
07:25 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: freemont5]
07:28 <@dazo> kld: in your shell ... you'll do something like:
07:28 <@dazo> $ source ./vars
07:28 <@dazo> and that's it
07:29 < kld> shell you mean the terminal screen ?
07:29 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
07:29 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
07:29 <@dazo> kld: yes.
07:30 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
07:30 < kld> thanks alot
07:32 -!- wbk_j [~wallbroke@151.72.84.62] has quit []
07:32 -!- elfixit [~Icedove@8-237.197-178.cust.bluewin.ch] has joined #openvpn
07:35 < c0ded> Connection: Intel(R) Ethernet Connection I217-V-WinpkFilter NDIS LightWeight Filter-0000 @ 100.0 Mbps (Rec: 1499.40MB Sent: 176.49MB)
07:35 < c0ded> oops sry
07:36 < kld> dazo, after typing "./clean-all" it shows me : mkdir: cannot create directory `/etc/openvpn/2.0/keys': Permission denied
07:36 < kld> i wanna remove the other keys so as to build new keys
07:39 <@dazo> kld: are you doing this on your server?
07:39 < kld> yes
07:39 <@dazo> okay ... you never ever want to have easy-rsa (or any CA files) on your server
07:40 <@dazo> all you want to have on your server is CA key, server key, server certificate and a dhparms file
07:40 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
07:40 < dvl_> Hello folks, what's everyone been up to lately?  ;)
07:41 <@dazo> kld: so copy that easy-rsa to your workstation (or even better, some external harddrive or flash keys) ... and do the easy-rsa stuff on there
07:42 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:43 <@dazo> kld: the reason is that, if your CA key is lost to someone else ... that person can issue client certificates to him/herself and connect to your VPN server without you really needing to notice ... with full VPN privileges
07:43 <@dazo> kld: or worse, s/he can issue server certificates and pose to be your VPN server, so that you or your other users connects to the wrong VPN server without noticing instantly
07:44 <@dazo> so the CA key needs to be very well protected, preferably on an offline medium
07:45 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
07:46 < kld> oh, really cool to know that.. )
07:46 < kld> dazo )
07:47 -!- smead [~smead@98.159.223.18] has joined #openvpn
07:48 -!- smead [~smead@98.159.223.18] has quit [Client Quit]
07:48 -!- dnivra [~dnivra@unaffiliated/dnivra] has joined #openvpn
07:49 < dvl_> kld: what dazo said.  Certs can be replaced if compromised, but if your easy-rsa is taken, you must create a new CA key and issue all new certs.  No choice there.
07:50 <@dazo> krzee: I stand corrected ... --tls-auth provides some protection ... as you can't mount a heartbeat attack as the server will reject packets with the wrong HMAC (provided via tls-auth)
07:50 <@dazo> syzzer++   for the education :)
07:51 < dvl_> Yeah, I use tls-auth
07:51 -!- Trebortech [~Trebortec@66.55.33.66] has joined #openvpn
07:54 < dvl_> Has the past 24 hours seen lots of heartbleed questions?
07:55 <@dazo> I've been away ... but it's been discussions on the ML
08:00 -!- flickerfly [~jritchie@216.115.64.202] has joined #openvpn
08:00 < flickerfly> !heartbleed
08:00 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
08:00 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
08:02 -!- elfixit [~Icedove@8-237.197-178.cust.bluewin.ch] has quit [Quit: elfixit]
08:07 < jacekowski> "only"
08:07 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:11 < dvl_> My thoughts lately: was I vulnerable at some time in the past, and should I replace my certs now.
08:11 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
08:12 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
08:12 <@dazo> dvl_: depends on when you started to use openssl 1.0.1 with OpenVPN
08:13 -!- obesd [~obsed@unaffiliated/obesd] has quit [Quit: obesd]
08:13 < dvl_> dazo: Never did use 1.0.1
08:13 <@dazo> dvl_: I'm going to issue new certificate and encryption key to my VPN servers
08:13 <@dazo> dvl_: if you never use 1.0.1, then you have nothing to worry about ... the hearbeat feature came in 1.0.1
08:13 < dvl_> dazo: Which is what I plan to do as well.  I may go so far as to create a new XA
08:14 < dvl_> dazo: I checked all my servers and non were found vuln.  They're getting updated anyway (via freebsd-update) to the latest.
08:14 <@dazo> https://www.openssl.org/news/secadv_20140407.txt
08:14 <@dazo> "
08:14 <@dazo> Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
08:14 <@dazo> 1.0.1f and 1.0.2-beta1."
08:15 <@dazo> so if you've never used any of those openssl versions ... then you have nothing to worry about
08:16 < dvl_> dazo: Noted.  Agreed.
08:16 < jacekowski> well, chances that certificate has leaked are quite slim actually
08:16 < jacekowski> attacker only gets "random" 64k bytes long chunks of memory
08:16 < dvl_> jacekowski: Yeah.  Agreed.
08:17 < dvl_> For me, I'm low profile, not  likely a target.  But if I was.... newegg, I'd be replacing all my certs.
08:17 < jacekowski> now, because of when the key is loaded there is small chance that heartbeat request struct being anywhere close to the actual key
08:17 <@dazo> true enough ... but there are port scans happening
08:18 < dvl_> dazo: you mentioned port scans, in relation to what we just said?
08:18 < jacekowski> so for the key to leak, malloc would have to allocate memory for that struct within 64k of the key location in memory
08:18 < kld> dazo, what about if i already will do the rmdir of the easy-rsa from the server instead of copying it to some external hardware ? like do it i need it on the server ?
08:18 < dvl_> FYI, https://www.newegg.com/ is not active at present.  Can't get to it.
08:18 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 252 seconds]
08:19 < kld> do i need it on the server
08:19 < kld> ?
08:19 < jacekowski> and during initialisation keys are loaded and then a lot more stuff is allocated and never released
08:19 <@dazo> dvl_: port scans happens, which can attempt heartbeat requests ... and you wouldn't really notice, as it's not really logged
08:19 < jacekowski> so you are unlikely to actually end up with heartbeat struct anywhere in that memory region
08:19 -!- mikemol [~mikemol@162.17.129.77] has joined #openvpn
08:19 < dvl_> dazo: Ahh yes, and yeah....  I don't think I was running any heartbeat at all.
08:19 <@dazo> kld: you never need the easy-rsa stuff on your server ... your server only needs ca.crt, server.crt, server.key and dh*.pem
08:20 < jacekowski> dvl_: you are
08:20 < jacekowski> dvl_: it's on by default
08:20 -!- Devastator [~devas@186.214.15.19] has quit [Changing host]
08:20 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
08:20 <@dazo> jacekowski: dvl_: given that you're running openssl 1.0.1 or later
08:21 < jacekowski> + realistically, if you've been compromised, all your data is already gone
08:21 < jacekowski> and changing keys now is not really going to change the fact
08:21 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:22 < dvl_> jacekowski: no, I was on openssl < 1.0.1
08:22 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
08:22 <@dazo> jacekowski: true, but it makes it harder to gain more information in the future when keys have been changed
08:22 <@dazo> but I guess NSA is smiling big time nowadays .....
08:22 < dvl_> right now, I'm on: OpenSSL 0.9.8y 5 Feb 2013
08:23 < jacekowski> dazo: NSA has huge underground cluster where they break all encryptions in real time
08:23 <@dazo> jacekowski: but if they have already captured the keys, they further decryption of encrypted traffic will speed up that process
08:23 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 240 seconds]
08:23 < jacekowski> at least that's the assumption i make when sending sensitive data
08:24 < jacekowski> that somebody will crack it sooner or later
08:24 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 240 seconds]
08:25 <@dazo> encryption != safe forever .... encryption == safe for a period of time .... the "period time" is defined by the security level you've set up (key length, encryption algorithms, layers of encryption, etc, etc)
08:25 < dnivra> Hello everyone! I'm trying to connect a private network to another host using openvpn. The gateway machine of the private network(10.1.14.2) can connect, using it's other interface, to the VPN server(10.100.100.1) and is assigned a tun IP 10.100.100.14. The host connects to the VPN network and is assigned 10.100.100.26. 10.100.100.x IPs can ping each other but the ping request to 10.1.14.2 from 10.100.100.26 gets dropped at the VPN server(10.100.100.1)
08:25 < dnivra> . Could someone help me out here?
08:25 < dnivra> Server configuration file: http://pastebin.com/ghPEk37a, Client configuration file: http://pastebin.com/GQ8wXkAF, route.sh called by server: http://pastebin.com/Brg5QPp3
08:25 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:25 -!- mode/#openvpn [+o syzzer] by ChanServ
08:28 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:32 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
08:32 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: paradox``]
08:42 -!- copper [~copper@unaffiliated/copper] has joined #openvpn
08:43 < copper> !heartbleed
08:43 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
08:43 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
08:47 < defswork> is this channel archived somewhere ?
08:47 < defswork> I think someone said something to me but it's fallen off my scroll buffer
08:49 -!- exa [~exa@unaffiliated/exa] has quit [Read error: Connection reset by peer]
08:50 -!- exa [~exa@unaffiliated/exa] has joined #openvpn
08:52 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 240 seconds]
08:53 -!- chrispercol [~chrisperc@ks3355862.kimsufi.com] has left #openvpn []
08:54 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
08:55 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
09:03 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:04 <@krzee> dazo, to an extent i agree tho. if you're a target then getting the tls-auth file is simply 1 dumb client away
09:04 <@dazo> krzee: true enough, but it's still an extra step
09:04 <@krzee> yep
09:05 <@krzee> so small setups are likely safer
09:05 <@krzee> im so lucky i wasnt using vuln openssl anywhere that mattered
09:06 < dvl_> krzee: same here.
09:06 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
09:06 -!- mode/#openvpn [+v dvl_] by krzee
09:06 <@krzee> ^5
09:09 -!- kld [~acer@85.235.3.224] has quit [Quit: Leaving]
09:10 -!- copper [~copper@unaffiliated/copper] has quit [Quit: ZNC - http://znc.in]
09:13 -!- fred`` [fred@earthli.ng] has joined #openvpn
09:13 -!- copper [~copper@unaffiliated/copper] has joined #openvpn
09:16 -!- copper [~copper@unaffiliated/copper] has left #openvpn []
09:20 -!- smellis [~stephan@24.49.219.131] has joined #openvpn
09:21 < smellis> anyone know if windows version of heartbleed vulnerable windows clients really need to be reissued certs?
09:21 < smellis> if they're connecting to a non vulnerable openvpn instance over tcp
09:22 <@krzee> doesnt matter if the server or client is vuln, one of them being vuln means the key could have leaked
09:22 <@krzee> !heartbleed
09:22 <@krzee> !ping
09:22 < defswork> how protected are you with authentication on top though?
09:22 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
09:22 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
09:22 <@vpnHelper> pong
09:22 < MaxFrames> so also if tls-auth was enabled on the server?
09:23 <@krzee> as protected as your tls-auth key i guess
09:23 < smellis> hmm
09:23 <@krzee> however protected *it* was
09:23 < defswork> luckily my openvpns used 0.9.8
09:23 <@krzee> defswork, same :D
09:23 < MaxFrames> ok, so assuming the tls-auth key is safe, I shall not worry if I have clients out there who were vulnerable, while my server isn't?
09:23 < smellis> mine too, except on windows, I have a few that are on vuln version
09:24 <@krzee> MaxFrames, a client being vuln is the same as your server being vuln
09:24 <@krzee> does not matter which.
09:24 <@krzee> read this link:
09:24 <@krzee> !heartbleed
09:24 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
09:24 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
09:25 < MaxFrames> I don't get it, so if the client is vulnerable, the clients certificates should be reissued even if the server was not vulnerable _and_ tls-auth was used _and_ the tls-auth key is safe?
09:25 <@krzee> you can decide for yourself if you want to trust that tls-auth kept you safe, i cannot fully answer that part for you
09:26 < MaxFrames> ok, that is why I said "let's assume the key is safe"
09:26 < MaxFrames> assuming that, reissuing client certs should not be necessary
09:26 <@krzee> i didnt see "assume" but ok
09:26 < MaxFrames> correct?
09:26 <@krzee> correct
09:26 < MaxFrames> ok thx
09:26 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Ping timeout: 252 seconds]
09:27 < MaxFrames> now let's assume tls-auth was not used, and assume that the server was not vuln. but the clients were vuln.
09:28 <@krzee> then youd need to redo *
09:28 -!- tuvok [~tuvok@Photography.tuvok.eu] has joined #openvpn
09:28 < MaxFrames> also the server certs?
09:28 <@krzee> all
09:28 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:28  * MaxFrames blesses the day he chose to use tls-auth
09:29 <@krzee> i guess technically just affected peers
09:29 <@krzee> but really, if you're going that far just do it all
09:29 < MaxFrames> peers=clients?
09:29 <@krzee> or servers, yes
09:31 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
09:31 < Rienzilla> im happy I was still on debian squeezefor all my vpn machines lol
09:33 < defswork> i built 2.2.2 from source on debian to avoid some logging verbosity issue - against the debian libs at the time
09:33 <@krzee> for those who are upgrading? try to automate as much as you can during this update; i have a strong feeling openssl is going to continue getting chopped apart in the next couple yrs
09:33 < Rienzilla> yeah
09:34 <@krzee> which makes a case for polarssl
09:34 < Rienzilla> weed out the rest of the nsa-induced "errors"
09:34 < defswork> we need to redo all our certs in our holland office though  as the silly admin gave them stupid names - not related to machine names
09:34 <@krzee> !polarssl
09:34 <@krzee> !polar
09:34 <@krzee> !factoids
09:34 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:36 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has left #openvpn ["Reality is that which, when you stop believing in it, doesn't go away"]
09:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:37 <@krzee> !learn polarssl as https://polarssl.org/core-features  polarssl is an alternative to openssl which openvpn supports. it is open source, small with clean code, and made for the embedded world. openvpn connect (ios,android) uses this instead of openssl.
09:37 <@vpnHelper> Joo got it.
09:38 <@krzee> !learn polarssl as https://community.openvpn.net/openvpn/wiki/UsingPolarSSL
09:38 <@vpnHelper> Joo got it.
09:41 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Quit: freemont5]
09:41 -!- yoavz [yoavz@yoavz.net] has quit [Read error: Connection reset by peer]
09:45 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
09:46 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
09:50 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Ping timeout: 250 seconds]
09:51 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:09 < n13l> how can i join #openvpn-devel ?
10:10 < n13l> #openvpn-devel Cannot join channel (+r) - you need to be identified with services
10:10 <@krzee> looking to help code? or for support?
10:11 < n13l> working on tls side channel authentication plugin
10:13 <@krzee> msg nickserv help register
10:13 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
10:13 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
10:14 <@krzee> +r means you cannot join the channel unless you are registered with freenode
10:19 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
10:23 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
10:25 -!- EnginA [~e@54.228.196.247] has left #openvpn ["WeeChat 0.3.7"]
10:37 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Remote host closed the connection]
10:38 -!- master_of_master [~master_of@p4FD7B514.dip0.t-ipconnect.de] has joined #openvpn
10:41 -!- master_o1_master [~master_of@p4FF24BE1.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:45 -!- mode/#openvpn [+v s7r] by ChanServ
11:04 <+dvl_> I have one client which is acting up and restarting the tunnel on a regular basis.  Not sure why it's complaining: Inactivity timeout (--ping-restart), restarting
11:04 <+dvl_> Bumped the debug to 6
11:07 -!- mikemol [~mikemol@162.17.129.77] has quit [Quit: Leaving.]
11:08 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:09 <@dazo> dvl_: sounds like the connection gets dropped ... what's your --keepalive server setting (or --ping-restart on that client)?
11:10 <+dvl_> dazo: For what it;s worth, it is only this client affected.  The other clients are stable.  Checking server setting now.
11:10 <+dvl_> keepalive 10 120
11:10 <@dazo> could be you need a lower --ping / --ping-restart on that particular client
11:10 <+dvl_> no ping-restart setting at all.
11:11 <@dazo> read the man page for --keepalive, and you'll see it translates into --ping + --ping-restart ;-)
11:11 <@dazo> + some more stuff
11:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:15 <+dvl_> Trying ping 5 on the client.
11:16 <+dvl_> This problem arose this morning after rebooting the client.
11:17 <+dvl_> and it just restarted...
11:17 <+dvl_> perhaps a higher ping-restart
11:19 <@krzee> changing those on the client will be overwritten by the server pushing them to it
11:19 <+dvl_> this past indicates to me that a UDP write occured and 8 seconds later, it restarted. http://pastebin.com/raw.php?i=hWGm5Gv3
11:20 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
11:20 <+dvl_> krzee: Oh...
11:21 <+dvl_> I'm misled by the 'lower value on that particular client'.  Reading more.
11:23 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:23 -!- mikemol1 [~mikemol@162.17.129.77] has joined #openvpn
11:24 <+dvl_> Already using ccd.... so the file for that client can contain this directive.. hmmm.
11:24 -!- mikemol1 [~mikemol@162.17.129.77] has quit [Client Quit]
11:24 <@dazo> that makes sense
11:25 <+dvl_> well, the 'Received control message' includes: ping 10,ping-restart 120, which is from the server config file, not the ccd
11:26 <@dazo> dvl_: did you do: push "ping 5" ?
11:27 <+dvl_> dazo: oh, no, I did just ping 5 in the ccd file.
11:27 <@krzee> !ccd
11:27 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
11:27 <@dazo> that's probably the difference :)
11:28 <+dvl_> now I see: topology net30,ping 10,ping-restart 120,ping 5,
11:28 <@dazo> right ... it should now hopefully have been overridden to 5
11:28 <+dvl_> 
11:29 <+dvl_> Now let's see.
11:29 <+dvl_> Nope, restart
11:30 <+dvl_> oh wait. I have tun0 and tun1... ugh. sad
11:31 -!- backz [~backz@189.120.201.91] has joined #openvpn
11:38 <+dvl_> and look at that... no more restarts... amazing what happens when you use tun0 and not tun1....
11:38 <+dvl_> Thank you for your help.  BTW.
11:39 -!- Devastator [~devas@unaffiliated/devastator] has quit []
11:41 < backz> Cheers! I'm using --client-to-client and --duplicate-cn. So how can I ensure that all my clients will get the same IP address when connecting into my OpenVPN server?
11:44 -!- Aliekezhi [~Aliekezhi@80.215.138.29] has joined #openvpn
11:50 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
11:55 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has quit [Client Quit]
11:57 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
11:57 < KarlBauman> can you tell me how to assign static IP for specific client ?
12:02 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
12:02 -!- mode/#openvpn [+o raidz] by ChanServ
12:04 -!- crosshair84 [~crosshair@201-212-216-105.cab.prima.net.ar] has joined #openvpn
12:05 -!- crosshair84 [~crosshair@201-212-216-105.cab.prima.net.ar] has left #openvpn []
12:07 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:12 < pekster> KarlBauman, read:
12:12 < pekster> !static
12:12 < pekster> (when the bot finally gets around to showing it)
12:12 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
12:12 <@vpnHelper> also: !addressing
12:13 < KarlBauman> ahh, why you have to make it so complicated
12:13 < KarlBauman> where is this ccd entry?
12:13 < pekster> Read about !ccd , and the wiki linked from !addressing has examples
12:13 < pekster> !new
12:14 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
12:14 < KarlBauman> !ccd
12:14 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:15 < KarlBauman> !addressing
12:15 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
12:21 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has joined #openvpn
12:22 -!- Karl_Bauman [~SoWhat@81.198.10.40] has joined #openvpn
12:25 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 247 seconds]
12:25 -!- Karl_Bauman [~SoWhat@81.198.10.40] has quit [Client Quit]
12:28 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
12:30 < backz> is it right to ccd? C:\Program Files (x86)\OpenVPN\config\ccd ?
12:32 -!- p3rror [~mezgani@196.201.78.139] has quit [Ping timeout: 246 seconds]
12:34 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
12:40 < backz> is client-config-dir ccd set on the server?
12:40 < backz> so where ccd must be stored on windows?
12:41 < backz> is ccd stored on client or on the server?
12:48 < backz> to use a ccd with duplicate-cn, do I need username-as-common-name?
12:49 -!- p3rror [~mezgani@41.140.209.77] has joined #openvpn
12:49 -!- freemont5 [~yodasan@ip70-173-152-171.lv.lv.cox.net] has left #openvpn []
12:49 < backz> I only need persistent IP address to the clients (using duplicate-cn)
12:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:06 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:08 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:08 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
13:09 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
13:10 <@dazo> backz: --client-config-dir is exactly where you point it to be ... it can be wherever you want, as long as --client-config-dir points at the proper place
13:11 <@dazo> --client-config-dir is a server only option
13:12 <@dazo> you need --duplicate-cn only if you allow your users to share certificates or a single user connecting from several places with the same certificate
13:12 <@dazo> however, fixed IP address via ccd can easily back-clash with --duplicate-cn
13:13 <@dazo> --username-as-common-name only works if you have username/password authentication, and that could get you out of the troubles --duplicate-cn can give you; provided you use username/password authentication
13:13 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:15 -!- dwarder [~dwarder@unaffiliated/dwarder] has left #openvpn []
13:15 < backz> dazo: fine! I've read about username-as-common-name, but I'm not using usernames. I dont care about usernames, but for some machines that I want to keep static IP it would be fine. Just username, no need for password. so how can I set it?
13:16 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 247 seconds]
13:17 <@dazo> you can't use --username-as-common-name unless you also use --auth-pass on the client and --auth-pass-verify (or a suitable --plugin) on the server side .... and --auth-pass on the client will make the client ask for username/password
13:17 < backz> according to the docs, I need use --auth-user-pass-verify on server. is it?
13:18 < backz> dazo: fine! I think I can make a simple python script to --auth-pass-verify on server to accept everyone
13:18 <@dazo> that's it ... or you can you use --plugin together openvpn-plugin-auth-pam.so ... or an LDAP auth plug-in ... or whatever else exists as auth plug-ins for openvpn
13:18 < backz> but I want autologon on the client
13:21 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
13:21 < backz> this would be: auth-user-pass-verify /usr/local/sbin/openvpn-login.py via-env
13:33 < backz> this is my auth script: #!/bin/sh \n exit 0
13:33 < backz> :)
13:35 <@ecrist> why even user user/pass, then?
13:36 < backz> to use ccd, to set a static ip addr when using duplicate-cn
13:36 <@ecrist> that's kinda silly
13:37 < backz> ecrist: so, how can I set a persistent IP addr when using duplicate-cn? is it silly?
13:37 <@ecrist> using duplicate-cn and trying to assign static IPs is silly
13:37 < Rienzilla> the ip is mapped to the cn
13:37 < Rienzilla> so yes, that is silly
13:37 <@ecrist> you're really better off using DHCP and setting dynamic host names
13:38 <@ecrist> or using a client-connect script to set firewall policy
13:38 < backz> ecrist: I'm using it. But, if client A goes down, the client B get their ip
13:38 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
13:39 < backz> on the client, I'm using --auth-user-pass. How can I set default username and pass here?
13:39 < Moony22> 03 Jun 2013?
13:40 -!- ecrist changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.3 (09 Apr 2014) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Heartbleed info: see !heartbleed
13:44 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
13:44 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
13:47 < backz> on my /etc/openvpn/ccd/myuser: ifconfig-push 192.168.200.100 255.255.255.0. is it right?
13:50 -!- mezgani [~mezgani@105.156.203.84] has joined #openvpn
13:53 -!- p3rror [~mezgani@41.140.209.77] has quit [Ping timeout: 250 seconds]
13:55  * dazo don't understand why people are so persistent to have fixed IP addresses
13:56 < backz> dazo: what do you suggest? NetBIOS name?
13:56 <@dazo> DNS
13:57 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 250 seconds]
13:57 < backz> dazo: but if the ip changes. how to deal with it?
13:57 <@dazo> dynamic DNS?
13:57 <@dazo> nsupdate
13:58 <@dazo> but ... if you truly want to identify your clients, you cannot use --duplicate-cn
13:58 < backz> yes, it would be perfect. but I can't install and manage keys or dns
13:58 < backz> you're right
13:58 <@dazo> why can you not manage your own keys?
13:59 <@dazo> by all means, if you configure your own vpn server ... you can easily setup a DNS server on the same box too ... which supports dynamic updates
14:00 < backz> yes
14:00 <@dazo> and those who needs access to those vpn client host names, use that DNS server instead of something else
14:00 <@dazo> or heck, another DNS server can be a slave server of your VPN DNS
14:01 < backz> but talking about ips. what's wrong here? ifconfig-push 192.168.200.100 192.168.200.101
14:02 <@dazo> please, read the man page and you'll see it
14:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:02 <@dazo> !man
14:02 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:02 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
14:02 <@dazo> search for --ifconfig-push
14:02 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
14:03 < backz> The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet.
14:03 < backz> fine. according to the manpage, this last argument must be a netmask.
14:03 <@dazo> correct
14:05 < backz> But my windows client says that: "the second argument must be a IP address"
14:06 <@dazo> backz: then your server and client config are not compatible ... like, client config missing --client ... or server having a faulty --server option ... or --topology mismatches
14:06 <@dazo> or --mode is wrong, if --server and --client have not been used
14:07 -!- opti2k4 [~opti2k4@cpe-94-253-225-210.st.cable.xnet.hr] has joined #openvpn
14:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
14:08 < opti2k4> Hi
14:09 < opti2k4> can anyone tell me from where can i update openvpn to 2.3.3 for centos?
14:09 < opti2k4> need rpm
14:09 <@dazo> opti2k4: you need to wait for centos guys to package it ... or Fedora EPEL
14:10 < backz> dazo: this is my configs. http://pastebin.com/gkEY8XbS - client and server. what's wrong?
14:10 < opti2k4> aha, though they already did it :/ thanks dazo
14:11 <@dazo> opti2k4: we don't primarily focus on distro packaging ... even though we do some builds from time to time, but that's more for more bleeding edge testing than production
14:11 <@dazo> opti2k4: but there's no need to rush for an update
14:11 < opti2k4> i guess it's same for ubuntu?
14:11 <@dazo> that's right
14:11 < opti2k4> Ok
14:11 < opti2k4> thanks
14:11 -!- mattock is now known as mattock_afk
14:11 <@dazo> you're welcome
14:11 <@dazo> backz: that's hard to say .... provide some logs with --verb 4 ... and it's easier to spot
14:11 < opti2k4> but if update openssl to 1.0.1.g it will break existing openvpn 2.3.2 ?
14:12 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 250 seconds]
14:12 <@dazo> opti2k4: nope
14:12 <@dazo> opti2k4: that's a wise upgrade
14:12 < backz> dazo: ok
14:13 <@dazo> opti2k4: in fact, that upgrade secures you from heartbleed ... just remember to restart all services you have running which provides TLS/SSL based services
14:14 < backz> dazo: this is the log from my client: There is a problem in your selection of --ifconfig endpoints [local=192.168.200.7, remote=192.168.200.1].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
14:14 < backz> Wed Apr 09 16:13:38 2014 Exiting due to fatal error
14:14 <@dazo> !pastebin
14:14 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
14:14 < backz> sorry the flood
14:15 <@dazo> We need to see complete log files
14:15 <@dazo> however
14:15 <@dazo> The error is quite obvious
14:15 <@dazo> [local=192.168.200.7, remote=192.168.200.1].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet
14:16 < backz> I changed it to ifconfig-push 192.168.200.7 192.168.200.1
14:16 <@dazo> that's not the right solution
14:16 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:16 <@dazo> your netmask is way too narrow
14:17 <@dazo> 255.255.255.252 == 4 IP addresses, where the first one is the network IP and the last one broadcast, just leaving you more 2 IP addresses
14:18 < backz> fine. so I need to change de subnet. how?
14:18 < backz> *the subnet
14:19 <@dazo> please ... read !tcpip carefully
14:19 < backz> !tcpip
14:19 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:19 <@dazo> to set up VPN, you need to fully understand networking basics
14:19 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 240 seconds]
14:19 -!- Guest46960 [Fusl@mail.hallowe.lt] has joined #openvpn
14:24 < svg> dazo: quote of the era :)
14:24 <@dazo> :)
14:25 < backz> is this from stevens?
14:25 -!- mezgani [~mezgani@105.156.203.84] has left #openvpn ["Leaving"]
14:26 -!- p3rror [~mezgani@105.156.203.84] has joined #openvpn
14:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 250 seconds]
14:26 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
14:28 < backz> dazo: fine! thanks! it's working... [13, 14]. So I need to respect this table, because the subnet of driver. is working now
14:29 <@dazo> backz: did you understand why your subnet mask was wrong?
14:29 < backz> no!
14:29 <@dazo> *sigh*
14:29 < backz> I read it when I was young
14:29 < backz> stevens, maybe
14:29 < backz> old times...
14:29 <@dazo> then you should not be doing networking.
14:30 < backz> yes! but the admin is out on the holidays
14:30 <@dazo> wait for that admin to come back
14:30 < backz> and, finally, it's working very nice
14:30 < backz> tell it to my boss
14:30 < backz> LOL
14:30 -!- backz was kicked from #openvpn by dazo [backz]
14:30 -!- backz [~backz@189.120.201.91] has joined #openvpn
14:30 -!- backz was kicked from #openvpn by dazo [backz]
14:31 -!- backz [~backz@189.120.201.91] has joined #openvpn
14:31 < backz> whats wrong?
14:31 <@dazo> your attitude
14:31 <@dazo> you're a lazy bastard who actually can make more troubles than actually help out
14:31 < backz> sorry. but I can't understand it. whats wrong?
14:31 < backz> wow
14:31 <@dazo> you don't understand what you're doing
14:32 <@dazo> and doing networking and VPN ... that requires understanding what you do
14:32 < backz> this is a value judgment. I can't measure it.
14:32 <@dazo> or else, you'll endanger your colleagues with extra work
14:32 <@dazo> plenty of us on this channel have had to clean up from bastards similar to you
14:32 <@dazo> so go back to school and learn networking
14:32 < backz> man! I have no colleagues. this is a small company. just I as programmer and the admin. he's out
14:33 <@dazo> I pity your colleagues
14:33 <@dazo> or, colleague, that is
14:34 < backz> that's fine. I must to be here a lot of times. No wife, no girlfriend. without human contact. Lots of pr0n. I know
14:34 < backz> but, again, anyway, thanks for your help
14:35 < backz> and fuck off your tcp/ip stuff :)
14:35 < backz> _|_
14:35 -!- backz [~backz@189.120.201.91] has left #openvpn []
14:35 -!- mode/#openvpn [+b backz!*@*] by dazo
14:35 < budman_> ha
14:35 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
14:39 -!- Guest46960 [Fusl@mail.hallowe.lt] has left #openvpn []
14:41 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
14:51 -!- Guest35643 [~klein@189-016-006-003.asselvi.edu.br] has quit [Ping timeout: 240 seconds]
14:54 < michaelhart> I recently added a “crl-verify” stanza to my openvpn config (hello heartbleed) and now it appears my client-connect script (that i’m using for ddns updates) isn’t getting called, openvpn 2.2. Is that expected?
14:57 -!- JoeLinux [~joelinux@184.75.221.82] has quit [Quit: Leaving]
15:04 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:08 -!- Aliekezhi [~Aliekezhi@80.215.138.29] has quit [Quit: Leaving]
15:08 -!- codehero is now known as scientificat
15:10 -!- scientificat is now known as codile
15:11 -!- joshh20-Away is now known as joshh20
15:11 -!- codile is now known as Americat
15:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:39 -!- deraps [~ubuntu@ec2-50-18-158-69.us-west-1.compute.amazonaws.com] has joined #openvpn
15:40 -!- deraps [~ubuntu@ec2-50-18-158-69.us-west-1.compute.amazonaws.com] has left #openvpn []
15:42 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
15:43 -!- Moony2202 [~AndChat30@212.183.128.6] has joined #openvpn
15:43 -!- dazo is now known as dazo_afk
15:45 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Ping timeout: 246 seconds]
15:46 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:49 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
15:49 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
15:49 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
15:50 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
15:51 < Verdi> hi. i'm trying to setup an openvpn network for myself. so far i've connected two clients to the server, both of which the server can access, and both of which i can access from the server. however from one client to another won't work. is there anything obvious i could be doing wrong?
15:52 -!- Moony2202 [~AndChat30@212.183.128.6] has quit [Ping timeout: 250 seconds]
15:52 -!- jmr` [~zero@badnode.org] has quit [Quit: leaving]
15:54 < Verdi> am i right that i will probably have to push the correct route to all clients?
15:58 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:03 < Verdi> oh, nevermind, there is apparently a client-to-client directive that needs to be set
16:03 <+dvl_> I treat all the clients the same.
16:03 <+dvl_> ccd ?
16:03 <+dvl_> That
16:03 <+dvl_> s what I do
16:04 < Verdi> openvpns flood of options can be... overwhelming
16:07 < pekster> Verdi: Right, add that option, or allow forwarded traffic in  your firewall. If you're using the old-and-not-recommended net30 topology (read !topology here) you will need to push the full VPN network to clients (this is part of what --client-to-client does. It also "skips" your firewall, so it's the wrong choice if you need traffic filtering on client-to-another-client traffic)
16:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:11 < Verdi> pekster: thanks for the clarification. i do not need filtering between clients, i assume that access is restricted to the right keys, and then all the machines on the network are trusted. since i've not set a specific topology, i assume i'll still have the default
16:11 -!- opti2k4 [~opti2k4@cpe-94-253-225-210.st.cable.xnet.hr] has quit []
16:12 < pekster> Right about security; I'm referring to filtering as in "This client can only talk to these ones" or "Only allow ssh between clients" -- stuff you'd use a firewall for
16:13 -!- ShadniX [dagger@p5DDFEF05.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
16:13 < pekster> If you don't need that, the easy way is to add --client-to-client and you're done
16:14 -!- ShadniX [dagger@p5DDFEF05.dip0.t-ipconnect.de] has joined #openvpn
16:16 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
16:17 < Verdi> i will... changing network topologies to something without fully understanding them sounds like a royal plan to shoot yourself in the foot ;)
16:19 < pekster> It's really as simple as `--topology subnet` in your server config
16:19 < pekster> (so long as you haven't done really silly things like define that manually _after_ your --client or --pull directive in the client config. If you have, you've already shot yourself in the foot!)
16:20 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:20 < Verdi> ok let me read up on that
16:21 < pekster> wiki page will help:
16:21 < pekster> !topology
16:21 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
16:22 -!- Americat is now known as codehero
16:23 < Verdi> ok, that sounds fairly simple... let's try :)
16:23 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
16:24 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
16:26 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
16:28 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
16:42 < Verdi> pekster: ok, got it working. is --client-to-client still the way to go, or do i need to set different options in this case?
16:42 < pekster> Did you say you eventually want to filter traffic between VPN clients?
16:43 < pekster> If you can answer "no, I never plan to do that" then what you've done is fine
16:43 < Verdi> no, not really
16:43 < pekster> It'll require reconfig and a server instance restart to do it later, but it's easier not to
16:44 < Verdi> hehe. i can live with a server restart... i've had more than a few today ;)
16:44 < pekster> Nah, openvpn instance
16:44 < pekster> Server restarts are for hardware and kernel changes ;)
16:44 < Verdi> yes yes of course ;)
16:44 < pekster> Or Windows, but, while supported, we reserve the right to make endless fun of it here
16:45 < pekster> "supported." Like a fork in the eye.
16:45 < Verdi> wouldn't dream of putting a windows machine in my private funpark
16:45 < Verdi> i only do windows and mac at work for money ;)
16:47 < Verdi> pekster: thanks for your input
16:47 < pekster> Sure
16:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:56 -!- gu [~gu@194.231.39.10] has joined #openvpn
17:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:13 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hyupagzxcvzjalzz] has joined #openvpn
17:15 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
17:15 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
17:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:35 -!- roma [~roma@tweezer.apistune.com] has quit [Quit: leaving]
17:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ursmsmvmxbhmhalf] has quit [Quit: Connection closed for inactivity]
17:48 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:57 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:01 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
18:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:13 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 252 seconds]
18:18 -!- gu2 [~gu@194.231.39.10] has quit [Quit: Leaving.]
18:21 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
18:21 -!- mode/#openvpn [+o dazo_afk] by ChanServ
18:21 -!- dazo_afk is now known as dazo
18:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:30 -!- esde [~esde@107.150.1.2] has quit [Changing host]
18:30 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
18:59 -!- chocolate [~AndChat18@179.155.69.131] has joined #openvpn
19:10 -!- p3rror [~mezgani@105.156.203.84] has quit [Quit: Leaving]
19:11 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:17 -!- aricon [~aricon@aberrant.bordergatewayprotocol.net] has joined #openvpn
19:17 < aricon> good work on the updated version
19:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
19:21 < aricon> Are there any scripts or that that are able to detect if a UDP listener for openvpn is vulnerable?
19:25 < h6w> Morning all.
19:25 -!- aricon [~aricon@aberrant.bordergatewayprotocol.net] has left #openvpn []
19:29 -!- acu [~acu@50.244.13.221] has joined #openvpn
19:32 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-hyupagzxcvzjalzz] has quit [Quit: Connection closed for inactivity]
19:34 -!- rawDawg [~rawDawg@cpe-76-188-27-72.neo.res.rr.com] has joined #openvpn
19:34 < rawDawg> !heartbleed
19:34 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
19:34 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
19:35 -!- ShadniX [dagger@p5DDFEF05.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
19:35 -!- leveldoc [~user@fw.coe.hawaii.edu] has joined #openvpn
19:36 -!- ShadniX [dagger@p5DDFEF05.dip0.t-ipconnect.de] has joined #openvpn
19:36 < rawDawg> wow
19:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:44 -!- justinzane [~justinzan@12.172.184.180] has quit []
19:49 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
19:53 -!- obesd [~obsed@unaffiliated/obesd] has joined #openvpn
19:55 < obesd> hmm so if we had openvpn with the vulnerable openssl version but used tls-auth, what kind of additional protection occured with tls-auth ?
19:57 <@ecrist> some, but you're still vulnerable
19:58 < obesd> i am not vulnerable
20:03 -!- joshh20 is now known as joshh20-Away
20:09 -!- Trebortech [~Trebortec@66.55.33.66] has quit [Quit: Trebortech]
20:18 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 255 seconds]
20:18 -!- rightshift [~rightshif@41.85.8.91] has quit []
20:19 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-urrvnnnjspzhsuhj] has joined #openvpn
20:19 -!- Su7_ [~demerzel@2001:41d0:a:16::1] has joined #openvpn
20:19 -!- Wolfbutt [~quassel@sona-gaming.com] has joined #openvpn
20:19 -!- levifig_ [sid1908@gateway/web/irccloud.com/x-qzbtqupfbzxbncwo] has joined #openvpn
20:19 -!- nipnop [nipnop@wbml.net] has joined #openvpn
20:21 -!- simcop2387_ [~simcop238@p3m/member/simcop2387] has joined #openvpn
20:21 -!- lazzer_ [~mattias@213.132.98.41] has joined #openvpn
20:22 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-hhdfbgembfrpbccx] has quit [Ping timeout: 265 seconds]
20:22 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Ping timeout: 265 seconds]
20:22 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 265 seconds]
20:22 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 265 seconds]
20:22 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has quit [Ping timeout: 265 seconds]
20:22 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 265 seconds]
20:22 -!- levifig [sid1908@gateway/web/irccloud.com/x-qjspvtsxvucskmkb] has quit [Ping timeout: 265 seconds]
20:22 -!- lazzer [~mattias@213.132.98.41] has quit [Ping timeout: 265 seconds]
20:22 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 265 seconds]
20:22 -!- dschoepe [~dschoepe@unaffiliated/dschoepe] has quit [Ping timeout: 265 seconds]
20:22 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Ping timeout: 265 seconds]
20:22 -!- Jeroen52 [~quassel@sona-gaming.com] has quit [Ping timeout: 265 seconds]
20:22 -!- snappy [nipnop@unaffiliated/snappy] has quit [Ping timeout: 265 seconds]
20:22 -!- ChrisH [~dg7pc@dslb-188-109-007-012.pools.arcor-ip.net] has quit [Ping timeout: 265 seconds]
20:22 -!- simcop2387_ is now known as simcop2387
20:23 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
20:23 < h6w> I'm trying to get routed lans working according to this doc:  http://community.openvpn.net/openvpn/wiki/RoutedLans
20:23 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
20:23 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
20:23 < h6w> It seems that I can ping the other side of the server, but I can't ping any machine in that subnet.
20:23 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
20:24 < h6w> Sorry, the other side of the server from the client.
20:24 -!- dschoepe [~dschoepe@unaffiliated/dschoepe] has joined #openvpn
20:24 < h6w> I also can't seem to ping the client's subnet.
20:24 < h6w> I've enabled ip_forwarding.
20:25 -!- ChrisH__ [~dg7pc@dslb-188-109-007-012.pools.arcor-ip.net] has joined #openvpn
20:25 -!- red_racer12____ is now known as red_racer12___
20:25 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
20:25 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
20:25 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
20:26 -!- makara [~makara@41.164.22.218] has quit [Excess Flood]
20:26 -!- makara [~makara@41.164.22.218] has joined #openvpn
20:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
20:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ
20:34 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
20:34 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 250 seconds]
20:38 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:58 <@ecrist> !roue
20:58 <@ecrist> !route
20:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
20:58 <@ecrist> !iroute
20:58 <@vpnHelper> client
20:58 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
21:04 < h6w> ecrist:  Thanks.  I already have all that in my server config.   http://ix.io/bBC
21:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:08 < h6w> And the routes look ok, although I don't know why 10.8.2.0 isn't turning up on the server.   Server: http://ix.io/bBH Client: http://ix.io/bBI
21:21 -!- backz_ [~backz@177.81.5.105] has joined #openvpn
21:22 -!- backz_ is now known as backz
21:36 -!- backz [~backz@177.81.5.105] has left #openvpn []
21:37 < chocolate> If you are tunneled means all trafic is gonna pass as default through the tunnel between client server?
21:38 < h6w> chocolate: Yes.   As in "route add default [gateway]"
21:40 -!- backz_ [~backz@177.81.5.105] has joined #openvpn
21:40 < backz_> cheers! I`m backs!
21:40 < backz_> !logs
21:40 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
21:42 < chocolate> So if you ping all sides and the route is okay,  means all you share between that computers will gonna be compressed and authenticated as SSL secure connections, h6w?
21:44 -!- akurilin [~alex@c-98-234-90-17.hsd1.ca.comcast.net] has joined #openvpn
21:44 < akurilin> !heartbleed
21:44 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
21:44 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
21:45 < h6w> backz_: http://ix.io/bBN
21:45 < h6w> chocolate: Best if you traceroute to make sure it's going via the vpn.
21:46 < akurilin> Hm, has anybody tried running easy-rsa scripts for setting up PKI after patching for the latest openssl build?
21:46 < backz_> h6w: this is very pretty
21:46 < akurilin> Can't seem to find openssl.cnf in the easy-rsa/2.0 folder, I'm thinking because the latest version is 1.0.1
21:47 < chocolate> h6w and if its not how the set the tunnel as default route for client server path? Sorry about being asking so much
21:47 < chocolate> And thx until now
21:48 < h6w> akurilin:  You on Ubuntu/Debian?  If so, you need to copy the openssl-1.0.0.cnf file to openssl.cnf.  It's a packaging issue.
21:51 < akurilin> h6w: ah ok, strange, I must have run into this before when doing this the first time
21:51 < h6w> chocolate: Use push "redirect-gateway def1"   https://openvpn.net/index.php/open-source/documentation/howto.html#redirect
21:51 <@vpnHelper> Title: HOWTO (at openvpn.net)
21:51 < akurilin> h6w: you're saying it's just an issue with the latest available package version available for my version of ubuntu?
21:51 < akurilin> that got addressed later
21:52 < h6w> akurilin:  I'm still dealing with it.
21:52 < akurilin> Well I'm on 12.04, not sure if they fixed it in 13.* or 14.*
21:53 < h6w> I have 13.10 and the problem is still there. :-p
21:54 < backz_> But lo! Men have become the tools of their tools...
21:55 < akurilin> h6w: ok that's helpful thanks.
21:55 < akurilin> Do I need to worry about making a new openssl-1.0.1.cnf or is the 1.0.0 good enough somehow?
21:55 < h6w> 1.0.0 worked for me!
21:58 -!- backz_ [~backz@177.81.5.105] has quit [Quit: backz_]
21:58 < pekster> akurilin: The conf is something completely different; it'll work fine with 1.0.0
21:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
21:58 < pekster> It's just a config reference, and that hasn't changed since the 1.0.0 release
22:00 < akurilin> pekster: ok thank you
22:00 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 252 seconds]
22:00 < akurilin> I have no insights into how this works so I feel like I need to double-check every single step with you guys :)
22:02 < akurilin> Am I sanely understanding that if I re-generated the whole PKI, I don't need to bother with CRL since the old client keys have nothing in common with the server key any longer.
22:05 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
22:06 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
22:08 < pekster> akurilin: Right
22:13 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
22:13 < ljvb> !heartbleed
22:13 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
22:13 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
22:17 -!- leveldoc [~user@fw.coe.hawaii.edu] has quit [Read error: Connection reset by peer]
22:20 < akurilin> pekster: thanks.
22:21 < akurilin> Is it safe to assume I don't need the .csr files that are byproduct of running easy-rsa script suite?
22:21 < akurilin> I'm assuming .csr is what you use to get the .cst?
22:21 < akurilin> *crt
22:21 < Eugene> It's the public key of a key, which indicates which key to trust in a crt, yes
22:23 < akurilin> Eugene: will I be able to get a public key again if I need to if I nuke the csr? As in, can I make a new one from the private?
22:23 -!- klein [~klein@187.85.183.105] has joined #openvpn
22:23 -!- klein [~klein@187.85.183.105] has quit [Changing host]
22:23 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
22:23 < Eugene> Yes.
22:24 < akurilin> Wonderful, thank you
22:26 < akurilin> So I'm swapping all of the PKI files on the server with new ones: is the change only going to take effect on reboot?
22:26 < akurilin> *opevpn restart
22:26 < akurilin> to be precise
22:31 < pekster> openvpn restart, yes
22:32 < h6w> Why is my iroute being ignored?   server.conf: http://ix.io/bBP ccd/client1: http://ix.io/bBQ log: http://ix.io/bBR
22:33 < h6w> Is it because the route line appears *after* the client-config-dir ?
22:35 < h6w> Apparently not.  I swapped those lines and it still appears as a route on the client.
22:37 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
22:38 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
22:42 -!- novaflash is now known as novaflash_away
22:48 -!- nipnop is now known as snappy
22:48 -!- snappy [nipnop@wbml.net] has quit [Changing host]
22:48 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
22:53 < h6w> Any other ideas?
22:54 < reiffert> !route
22:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
22:54 <@vpnHelper> client
22:54 < reiffert> take a look at these for your iroute thing
22:55 < h6w> reiffert: Yes, ecrist suggested that 2 hours ago, and I'd already read it at least a dozen times already, hence the logs.
22:59 -!- lj [~l@adsl-99-155-19-109.dsl.peoril.sbcglobal.net] has joined #openvpn
23:03 < h6w> I can ping the VPN IP and the Ethernet IP on each end across the tunnel, but I can't ping anything past that into the local subnet on either end.
23:04 < h6w> traceroute says it gets to the gateway on the other end and then dies.
23:04 < reiffert> From what I recall I had to read it twice.
23:06 -!- novaflash_away is now known as novaflash
23:09 < reiffert> h6w: a guess: The remote default gateway does not know where to send the packets that should go to the other side of the vpn
23:12 -!- ShadniX [dagger@p5DDFEF05.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:13 -!- ShadniX [dagger@p5DDFD39F.dip0.t-ipconnect.de] has joined #openvpn
23:14 < h6w> reiffert: Is that something iptables needs to do?  Like a forwarding rule?   I thought that this was something that was set up already.
23:28 < h6w> If I traceroute to the server's subnet, and tcpdump on the tunnel.  I get "IP 10.8.0.1 > 10.8.0.2: ICMP time exceeded in-transit, length 68"
23:29 < h6w> So that's a response coming back from the server, heading to the client.
23:32 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
23:42 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
23:45 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
23:51 -!- goldcaf [~Brigham@198.24.140.66] has joined #openvpn
23:52 < goldcaf> !heartbleed
23:52 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
23:52 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
23:57 < Dan39> pretty crappy factpod tbh lol
23:57 < Dan39> factoid
--- Day changed Thu Apr 10 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:04 -!- dnivra [~dnivra@unaffiliated/dnivra] has left #openvpn []
00:16 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 240 seconds]
00:19 < goldcaf> I was going to ask in here but am having a discussion in ##linux about how heartbleed can be exploited on a home server where the only port forwarded from the router is 1194/udp. What's scary is that if I was to allow all in at 1194/udp, having a cert/key system, any random requester can get server info.
00:19 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
00:19 < goldcaf> regardless of whether or not they're an approved client.
00:21 < goldcaf> But what this also means is that on a small scale operation, like say with just friends and family from a home server, one can see unrecognized IP addresses in the router's log.
00:23 < goldcaf> And if this bug has been exploited for the past 2 years, there would be attempts on home routers. I have not seen this on port 1194. I always see attempts on ports 22 and 80, but have only seen attempts from addresses of friends and family.
00:23 -!- mattock_afk is now known as mattock
00:24 < goldcaf> on port 1194
00:32 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:42 -!- fischli [~fischli@data.fischer-ing.de] has joined #openvpn
01:01 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:07 -!- Zarrsh [~Zarrsh@198.167.138.150] has quit [Ping timeout: 264 seconds]
01:07 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
01:16 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 264 seconds]
01:17 -!- dvl_ [~dvl@static-108-16-252-210.phlapa.fios.verizon.net] has joined #openvpn
01:17 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has quit [Ping timeout: 250 seconds]
01:17 -!- goldcaf [~Brigham@198.24.140.66] has quit [Quit: Leaving]
01:17 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
01:35 -!- ChrisH__ is now known as ChrisH
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:39 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
01:41 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
01:53 -!- penguinpowernz [~robert@180.189.199.6] has joined #openvpn
01:54 < penguinpowernz> hey anyone around?
01:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:59 -!- penguinpowernz [~robert@180.189.199.6] has quit [Quit: leaving]
01:59 -!- penguinpowernz [~robert@180.189.199.6] has joined #openvpn
02:00 < penguinpowernz> ls
02:00 < penguinpowernz> this is  not a shell
02:00 < penguinpowernz> does anyone know when openvpn will re-read the server key?
02:00 < penguinpowernz> i replaced a server key in place
02:00 < penguinpowernz> with the server running
02:00 < penguinpowernz> (and the cert)
02:00 < svg> penguinpowernz: afaik, you have to fully restart the proces
02:01 < penguinpowernz> ah ok
02:01 < penguinpowernz> and the client keys/crt is matched against the server keys/cert right?
02:01 < svg> the man page mentions things on particular kill signals, but iirc rereading certs is not part of it
02:01 < penguinpowernz> ohyep
02:04 < penguinpowernz> cos i regenerated client keys
02:04 < penguinpowernz> send them to the client
02:04 < penguinpowernz> and the client was able to reconnect...
02:04 < penguinpowernz> *revoked and regenerated that is
02:05 < penguinpowernz> i'm scared to restart the server in case all the other hosts disappear
02:05 < penguinpowernz> lol
02:05 < penguinpowernz> nvm i have another way to check
02:05 < penguinpowernz> thanks svg
02:17 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has joined #openvpn
02:20 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
02:26 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-kqfqoljsoclbmjdg] has joined #openvpn
02:31 -!- levifig_ is now known as levifig
02:43 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:58 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
03:16 -!- makara [~makara@41.164.22.218] has joined #openvpn
03:18 < svg> nice check site ! http://privatekeycheck.com/
03:18 <@vpnHelper> Title: Check if your private key is secure? (at privatekeycheck.com)
03:33 -!- Kosch [uid3708@c-base/crew/kosch] has joined #openvpn
03:38 < Kosch> hiho. I've a problem with openvpn running as client. At some point the process was not able to resolve the hostname for the server (maybe due to a disconnect of the network). That was ~2 days ago. The openvpn client was not restarted and still hangs with "RESOLVE: Cannot resolve host address". All other services/programs on this host can resolv the hostname.
03:38 < Kosch> I'm using openvpn 2.3.2 and resolv-retry infinite is used.
03:40 < Kosch> Does openvpn maybe cache negative dns results?
03:44 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has quit [Quit: Leaving.]
03:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
03:46 < Kosch> when looking at the strace output /etc/hosts is read, but I can't see any access to the /etc/resolv.conf
03:51 < ChrisH> Kosch: check for getent calls
03:51 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
03:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
03:55 < Kosch> hm. no getent calls so far
03:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
03:58 < Kosch> it looks very similar to this problem https://forums.openvpn.net/topic14708.html
03:58 <@vpnHelper> Title: OpenVPN Support Forum openvpn is unable to resolve server hostname : Server Administration (at forums.openvpn.net)
04:02 < Kosch> ok, this maybe is the cause. I'v got a local dnsmasq running, but this local dns is used for resolv only to resolve hosts inside the vpn.
04:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:07 < Kosch> ... used _only_ to resolv hosts inside the vpn. I use dnsmasq at this point to get around the problem, that there is no "resolvconf" available on centos. So the local dnsmasq is usually placed in front of all nameserver inside resolv.conf, when dhcp comes up and it resolves only specific domain server=/vpn/10.10.0.1.
04:09 < Kosch> hm. unfortunality, I've stopped the local dnsmasq and removed the entry of it from resolv.conf, but openvpn still can't resolve the vpn server.
04:16 < Kosch> ChrisH: http://nopaste.info/030bca0cbc.html thats the way it looks like. hub.foobar.com is the host to be resolved (I replaced the original name)
04:18 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Quit: No Ping reply in 180 seconds.]
04:18 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
04:18 < ChrisH> Kosch: line 4 connetcs to DNS on 192.168.0.1
04:19 < ChrisH> line 34. 42 85 ... do the same
04:19 < Kosch> ChrisH: hm. I'm wondering why. This host is not listed inside resolv.conf neither I used it inside dnsmasq config.
04:20 < ChrisH> is 192.168.0.1 a local IP?
04:20 < Kosch> jep, maybe the router
04:20 < ChrisH> local == Local on the system you are running openvpn
04:21 < Kosch> no, its not a local ip
04:22 -!- Verdi [~dagda@ip1.thgersdorf.net] has quit [Ping timeout: 255 seconds]
04:22 < ChrisH> then its strange.  find /etc -type f | xargs grep -l "192.168.0.1"  ?
04:23 < Kosch> only found in commented sections.
04:23 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has joined #openvpn
04:24 -!- gu2 [~gu@31-19-166-76-dynip.superkabel.de] has joined #openvpn
04:25 < Kosch> Its possible that at some point the router published 192.168.0.1 as DNS and openvpn now still stucks with that dns server?
04:26 < Kosch> I think this situation I can reproduce...
04:26 -!- hive-mind [pranq@mail.bbis.us] has quit [Read error: Operation timed out]
04:27 -!- mnathani [~mnathani@constance.winvive.com] has quit [Ping timeout: 240 seconds]
04:28 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has quit [Ping timeout: 250 seconds]
04:28 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
04:28 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 240 seconds]
04:30 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
04:31 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
04:31 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
04:32 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:33 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
04:33 < dan_j> !heartbleed
04:33 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
04:33 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
04:36 < Kosch> iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP   In case your router/software is not so easy to update.
04:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:38 <@plaisthos> Kosch: I would not bet on such a thing. That might work against the current in the wild exploits but changing an exploit to evade such a static rule might be possible
04:39 -!- nocturn [~nocturn@unaffiliated/nocturn] has joined #openvpn
04:39 < Kosch> plaisthos: indeed, but if you face propietäry software or other cause that prevents updates, this might help a bit
04:39 < nocturn> !heartbleed
04:39 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
04:39 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
04:41 < nocturn> Hi all, I just read the heartbleed wiki and I downloaded exploit code.  But all test code asks for a TCP port.  Is heartbleed exploitable over UDP?
04:45 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
04:45 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has joined #openvpn
04:46 < jacekowski> nocturn: yes
04:48 -!- gu3 [~gu@31-19-166-76-dynip.superkabel.de] has joined #openvpn
04:49 -!- gu2 [~gu@31-19-166-76-dynip.superkabel.de] has quit [Ping timeout: 250 seconds]
04:51 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
04:53 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: Beware of programmers who carry screwdrivers.]
04:55 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has joined #openvpn
04:57 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
04:59 -!- gu3 [~gu@31-19-166-76-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
05:00 -!- gu2 [~gu@31-19-166-76-dynip.superkabel.de] has joined #openvpn
05:03 -!- gu [~gu@dslb-178-011-196-079.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
05:08 -!- gu2 [~gu@31-19-166-76-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
05:08 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 246 seconds]
05:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
05:16 -!- klein [~klein@187.85.183.105] has joined #openvpn
05:16 -!- klein [~klein@187.85.183.105] has quit [Changing host]
05:16 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
05:18 -!- MisterB [~Adium@xdsl-78-35-73-17.netcologne.de] has joined #openvpn
05:20 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
05:21 -!- gu [~gu@31-19-166-76-dynip.superkabel.de] has joined #openvpn
05:29 -!- Corey_ [~Corey@freenode/staff/corey] has joined #openvpn
05:33 -!- Corey [~Corey@freenode/staff/corey] has quit [Ping timeout: 612 seconds]
05:39 -!- dvl_ [~dvl@static-108-16-252-210.phlapa.fios.verizon.net] has quit [Ping timeout: 276 seconds]
05:42 < Kosch> ChrisH: so I was able more or less to reproduce a similar situation. I changed the resolv.conf, placed different DNS. Then I stopped the openvpn server. The openvpn client recognized server is down and tries to resolv it using the dns configured inside resolv.conf. Now I change the resolv.conf back to the right nameserver, but openvpn client stucks in not
05:42 < Kosch> resolving the server host.
05:44 < Kosch> ChrisH: Its anyhow possible to configure a lifetime of dns resolve to force new dns resolves?
05:46 < Kosch> some kind of networkaddress.cache.ttl :-)
05:46 < Kosch> for both situations, positive and negative resolves...
05:49 -!- chocolate [~AndChat18@179.155.69.131] has quit [Ping timeout: 240 seconds]
06:02 < Kosch> or just a way to force obtain new nameserver configuration from time to time..
06:15 < Kosch> maybe ping-restart solves this
06:16 -!- rgouveia [~rgouveia@unaffiliated/rgouveia] has left #openvpn []
06:16 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has joined #openvpn
06:16 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
06:17 < giorgiodinapoli> hey guys what does openvpn use as dhcp server per default?
06:17 < pekster> Kosch: Are you setting DNS inside openvpn (by way of using/push --dhcp-option and the associated client-side-script-hook?) If so, be careful you don't set resolvers that are only accessible over the VPN and also avoid removing them on disconnect events
06:18 < pekster> Kosch: In practice, this means you must call --down (where the DNS-removal-hook usually lives) on restarts as well as termination. Read about --up, --down, and --up-restart
06:19 < Kosch> pekster: no, I do not publish dns settings
06:20 < pekster> giorgiodinapoli: OpenVPN doesn't "use" DHCP at all (as a client or server.) The Windows TAP-WIN32 driver fakes a local dhcp reply due to no real point-to-point networking, but it's not a "real" DHCP server
06:20 < giorgiodinapoli> and on LINUX?
06:20 < giorgiodinapoli> the server pushes the client ip
06:20 < pekster> It's over the control channel
06:20 < pekster> In other words, nothing to do with DHCP
06:21 < pekster> Try --verb 4 in your config, then look at your logs. Search for the strings PUSH_REQUEST and PUSH_REPLY
06:24 < giorgiodinapoli> ok
06:30  * Kosch sighs.
06:34 -!- dvl_ [~dvl@static-108-16-252-210.phlapa.fios.verizon.net] has joined #openvpn
06:34 -!- dvl_ [~dvl@static-108-16-252-210.phlapa.fios.verizon.net] has quit [Changing host]
06:34 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
06:35 < Kosch> the only way to get the openvpn client informed about changes inside the resolv.conf seems to restart the process. ping-restart does not reload resolv.conf and ping-exit does not work too, when the server can not be resolved.
06:48 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
06:53 <@dazo> Kosch: that's not surprising, if you read the --up paragraph of the openvpn man page ... and you'll get some further clues there too
07:01 < Kosch> is there a way to get the openvpn process exited when resolving fails after XXX seconds? resolv-retry just restarts internally, when limit is reached.
07:02 <@dazo> not afair
07:02 <@dazo> try setting --resolv-retry 0 ?
07:05 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
07:05 < Kosch> inifinite resolve is more or less my problem. since the openvpn process does not recognize changes inside the resolv.conf, I need to restart the openvpn process. When the openvpn process exits, its restartet by Monit again. Now is the challenge to get the openvpn process exited, when dns resolv issues appears or ping-exit happens :)
07:08 < Kosch> It would be nice if I get the openvpn process exited by itself when problems appears. The other solutions are more complex.
07:09 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
07:10 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:10 <@dazo> Kosch: infinite resolving is the default ...  --resolv-retry 0  disables that ... you also have --single-session
07:10 < Kosch> oh, thought 0=infinite.. lets try,....
07:10 < Kosch> a wait...
07:24 < Kosch> hm. even with single-session it just performs a reinit of the instance, but does not reload the resolv.conf nor is the process exited.
07:26  * Kosch sighs.
07:29 -!- kld [~acer@85.235.3.224] has joined #openvpn
07:31 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
07:33 < Kosch> well... maybe I can configure openvpn to force using only and always the dns server on localhost...
07:41 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:48 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Remote host closed the connection]
07:49 -!- tommygu [~tommygu@194.63.250.46] has joined #openvpn
07:49 -!- kld [~acer@85.235.3.224] has quit [Quit: Leaving]
07:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:50 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Remote host closed the connection]
07:51 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:51 -!- Trebortech [~Trebortec@66.55.33.66] has joined #openvpn
07:51 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Remote host closed the connection]
07:53 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
07:53 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:00 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:05 -!- ChrisH is now known as Guest93226
08:05 -!- ChrisH__ [~dg7pc@dslb-092-072-163-032.pools.arcor-ip.net] has joined #openvpn
08:05 -!- acu [~acu@50.244.13.221] has joined #openvpn
08:05 -!- Guest93226 [~dg7pc@dslb-188-109-007-012.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
08:06 -!- ago [~ago@gentoo/developer/ago] has joined #openvpn
08:06 < ago> hello folks
08:06 < ago> I'm just wondering if, due to heartbleed bug, we need to regenerate the certificate
08:07 < Kosch> yes.
08:07 < Kosch> !heartbleed
08:07 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
08:07 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
08:09 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
08:20 < ago> Kosch: thanks
08:27 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:28 -!- ago [~ago@gentoo/developer/ago] has quit [Quit: Lost terminal]
08:31 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
08:32 -!- fischli [~fischli@data.fischer-ing.de] has quit [Quit: Leaving.]
08:39 -!- Kosch [uid3708@c-base/crew/kosch] has left #openvpn []
08:39 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
08:40 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
08:47 -!- lj [~l@adsl-99-155-19-109.dsl.peoril.sbcglobal.net] has quit [Quit: Leaving.]
08:53 -!- ChrisH__ is now known as ChrisH
08:57 -!- Trebortech [~Trebortec@66.55.33.66] has quit [Ping timeout: 240 seconds]
08:57 -!- MisterB1 [~Adium@xdsl-78-34-119-219.netcologne.de] has joined #openvpn
08:58 -!- Trebortech [~Trebortec@66.55.33.66] has joined #openvpn
09:00 -!- MisterB [~Adium@xdsl-78-35-73-17.netcologne.de] has quit [Ping timeout: 252 seconds]
09:07 -!- Trebortech [~Trebortec@66.55.33.66] has quit [Quit: Trebortech]
09:08 < Eugene> !fail2ban
09:08 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
09:10 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 250 seconds]
09:11 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Ping timeout: 240 seconds]
09:13 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
09:30 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 252 seconds]
09:31 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
09:32 -!- Trebortech [~Trebortec@66.55.33.66] has joined #openvpn
09:33 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has joined #openvpn
09:33 < snoopybbt> hello guys!
09:33 < snoopybbt> a couple of friends of mine are in china and are having troubles with reading emails and other things, due to china's fucking  censorship
09:33 < snoopybbt> now, one of these friends has a mac
09:34 < snoopybbt> if he installs openvpn on his mac, can he just use a config file i provide him that works on linux ?
09:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
09:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:39 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
09:39 -!- MisterB1 [~Adium@xdsl-78-34-119-219.netcologne.de] has quit [Read error: Connection reset by peer]
09:39 -!- MisterB [~Adium@xdsl-78-34-119-219.netcologne.de] has joined #openvpn
09:41 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
09:41 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
09:46 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
09:50 <@ecrist> snoopybbt: the configs are the same across all platforms
09:50 < snoopybbt> ecrist: so will redirect-gateway work properly ?
09:50 < MisterB> snoopybbt: yes
09:51 < snoopybbt> MisterB: thanks
09:52 < MisterB> snoopybbt: Have you looked at Tunnelblick (https://code.google.com/p/tunnelblick/)?
09:52 <@vpnHelper> Title: tunnelblick - OpenVPN GUI for Mac OS X - Google Project Hosting (at code.google.com)
09:53 <@ecrist> I would strongly recommend tunnelblick for your mac users
09:53 <@plaisthos> ee also !inline
09:53 <@plaisthos> that will make your life easier
09:54 < MisterB> Absolutely, Tunnelblick checks if your IP changed on login and will warn you if that didn't happen
09:54 <@ecrist> ssl-admin can now push configs with in-line certificates
09:56 < MisterB> snoopybbt: If you place alle the certificates + client.conf in a directory with a ".tblk" suffix Tunnelblick users can install it with a double click, very convenient
09:56 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-pcqbwcwizsrcohbf] has joined #openvpn
09:57 -!- Trebortech [~Trebortec@66.55.33.66] has quit [Quit: Trebortech]
09:57 < snoopybbt> i'm doing a quick and dirty secret-key-based setup
09:57 < MisterB> then you're fine with just the config
09:57 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
09:58 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Quit: leaving]
10:00 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
10:00 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:03 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 250 seconds]
10:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-kqfqoljsoclbmjdg] has quit [Quit: Connection closed for inactivity]
10:09 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Ping timeout: 252 seconds]
10:15 -!- fellayaboy [~fellayama@unaffiliated/fellayaboy] has joined #openvpn
10:16 < fellayaboy> i have linux  mint.  i installed openvpn using sudo apt-get install openvpn.  i use to use openvpn alot and there was a folder called /etc/openvpn/easy-rsa  however i dont see easy-rsa any more is there a new way to set up openvpn??
10:17 -!- fellayaboy [~fellayama@unaffiliated/fellayaboy] has quit [Quit: Leaving]
10:18 < havoc> was gonna say: https://github.com/OpenVPN/easy-rsa
10:18 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
10:18 < havoc> guess he was impatient
10:20 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
10:22 -!- Corey_ is now known as Corey
10:24 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has quit [Read error: No route to host]
10:24 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has joined #openvpn
10:27 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
10:32 -!- lj1 [~l@192.241.174.169] has joined #openvpn
10:32 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 276 seconds]
10:34 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Ping timeout: 276 seconds]
10:34 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has quit [Read error: No route to host]
10:35 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has joined #openvpn
10:39 -!- master_o1_master [~master_of@p4FD7B15C.dip0.t-ipconnect.de] has joined #openvpn
10:42 -!- master_of_master [~master_of@p4FD7B514.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:43 -!- freezer [~mkramer@p5DDB2C0F.dip0.t-ipconnect.de] has joined #openvpn
10:43 < freezer> hi
10:43 < freezer> !heartbleed
10:43 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
10:43 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
10:43 -!- Aliekezhi [~Aliekezhi@80.215.210.37] has joined #openvpn
10:46 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 246 seconds]
10:47 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
10:48 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
10:52 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has quit [Read error: No route to host]
10:52 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has joined #openvpn
10:58 -!- budman__ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
11:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:06 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:09 -!- otwieracz [~gonet9@v6.gen2.org] has joined #openvpn
11:09 < otwieracz> Hi
11:09 < otwieracz> I am using OpenVPN with redirect-gateway option
11:10 < otwieracz> And I am receiving correct routes:
11:10 < otwieracz> default via 255.255.255.0 dev tun1
11:10 < otwieracz> VPN_ENDPOINT via 192.168.0.1 dev eth0
11:11 < otwieracz> But, I am often switching between eth (from dock station) and wlan.
11:11 < otwieracz> So, when I plug out from the dock station, my connection is no longer working.
11:12 < otwieracz> One reason why I wanted to use redirect-gateway was ability to hold TCP sessions while switching between eth and wlan.
11:12 -!- tommygu [~tommygu@194.63.250.46] has quit [Quit: Linkinus - http://linkinus.com]
11:14 -!- MisterB [~Adium@xdsl-78-34-119-219.netcologne.de] has left #openvpn []
11:15 -!- MisterB [~Adium@xdsl-78-34-119-219.netcologne.de] has joined #openvpn
11:15 -!- Moony2202 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
11:15 < Moony2202> Hello
11:15 -!- MisterB [~Adium@xdsl-78-34-119-219.netcologne.de] has left #openvpn []
11:15 -!- alexwebr [~alexwebr@162.243.13.193] has joined #openvpn
11:15 < Moony2202> If I use my VPS to host openvpn
11:15 < Moony2202> can they see what I am doing?
11:15 < Moony2202> (the VPS)
11:15 < alexwebr> !heartbleed
11:15 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
11:15 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
11:15 < Moony2202> Sorry I don't understand
11:16 < Thermi> Yes.
11:16 < Thermi> They could.
11:16 < alexwebr> I am slightly unclear on Heartbleed. Is the daemon/client affected, or only the Access Server (because of its Web GUI)?
11:16 < Aliekezhi> is a VPN tunnel more secured than a ssh tunnel ?
11:16 < Thermi> _all_ of it
11:17 < Moony2202> Thermi: really? How?
11:17 < Moony2202> wait are you talking to me?
11:17 -!- MisterB [~Adium@xdsl-78-34-119-219.netcologne.de] has joined #openvpn
11:17 < Thermi> Moony2202: Yes, the could see it. They have direct access to the server. They could just dump the RAM of the VM and look for your keys in it.
11:17 -!- d10n [~d10n@unaffiliated/d10n] has quit [Disconnected by services]
11:18 < Moony2202> So its not a good idea to use a VPS i guess
11:18 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
11:18 < alexwebr> I guess a better question is: does the daemon/client handle heartbeat messages at all? Because if not, it would appear that the client/server are safe.
11:18 < Thermi> Not for sensitive stuff, no.
11:19 < Thermi> alexwebr: Check the openssl version of both sides. If they're affected by the bug and have been compiled with heartbeat support, you're vulnerable.
11:20 < alexwebr> Thermi: Got it. Thanks!
11:20 -!- snoopybbt [~manu@2-225-176-148.ip176.fastwebnet.it] has quit [Ping timeout: 240 seconds]
11:20 -!- MisterB [~Adium@xdsl-78-34-119-219.netcologne.de] has left #openvpn []
11:20 < Moony2202> Thermi: but so what if they get the keys?
11:21 -!- d10n_ [~d10n@107.170.121.245] has joined #openvpn
11:21 -!- Aliekezhi [~Aliekezhi@80.215.210.37] has quit [Remote host closed the connection]
11:22 < Thermi> Moony2202: Hope that you employed pfs on your connections, think of any information, that was transmitted, as compromitted, upgrade openssl to a fixed version or recompile it without heartbeat support, create a new pair of keys, deploy them.
11:22 < Thermi> USE GOD DAMN PFS! IT'S THERE FOR A REASON!
11:23 < Moony2202> is that a no?
11:23 -!- d10n [~d10n@unaffiliated/d10n] has quit [Quit: why all the #hashtags #lol #hackers #overheard]
11:23 < Thermi> No, just a comment.
11:23 -!- d10n_ is now known as d10n
11:23 -!- d10n [~d10n@107.170.121.245] has quit [Changing host]
11:23 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
11:27 < Thermi> Did I answer your question?
11:28 -!- mode/#openvpn [+o Eugene] by ChanServ
11:30 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
11:30 < otwieracz> Is there any option to let OpenVPN redirect gateway to two interfaces?
11:31 < otwieracz> For example, I want to let openvpn create both VPN_ENDPOINT via 192.168.0.1 dev wlan0 and VPN_ENDPOINT via 192.168.0.1 dev eth0
11:31 < otwieracz> When doing redirect-gateway
11:34 < gu> otwieracz: you could use fw mark
11:34 < otwieracz> hmm?
11:35 < otwieracz> Sorry, I do not understand.
11:35 < gu> openvpn marks its own packets and a routing rule puts the packets into the routing table of the device
11:36 < otwieracz> Umm… You mean, do something with policy based routing
11:36 < gu> are you trying this on linux?
11:37 < otwieracz> Yes.
11:37 < otwieracz> I see that --mark works only on linux.
11:37 < gu> but I guess you'd have to use two tunnels
11:37 < gu> one over each device
11:38 < otwieracz> What about redirect-gateway local
11:38 < otwieracz> And manual routes?
11:38 < gu> and maybe put a bonding device on top
11:38 < Thermi> Y u no use bonding?
11:38 < Thermi> VPN_ENDPOING via 192.168.0.1 dev bond0
11:38 < Thermi> Done
11:39 < gu> Thermi: depends on how you assemble your bond0
11:39 < otwieracz> So, create bridge of wlan0 and eth0?
11:39 < Thermi> Sure, but it's a solution.
11:39 < Thermi> s/bridge/bond
11:40 < gu> maybe otwieracz should tell us what exactly he wants to do
11:40 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 240 seconds]
11:40 < otwieracz> gu: I want OpenVPN tunnel (with redirect-gateway) to freely transfer between wlan and eth connections.
11:40 < otwieracz> gu: And do not broke up.
11:41 < Thermi> Bonding.
11:41 < gu> yes, sounds like bonding
11:43 < gu> I wonder if it would work to just do ifenslave bond0 wlan0 eth0
11:44 < gu> at least you'd have to select failover mode
11:44 < reiffert> He should go with a layer 2 bridge.
11:44 < Thermi> Are you insane?!
11:44 < reiffert> which might be what you guys call bonding.
11:45 < reiffert> and no, I'm not insane.
11:45 < Thermi> we don't even know if those two networks are the same!
11:45 < reiffert> use tap instead of tun.
11:45 < Thermi> (Looking at the IP, they probably are)
11:45 < reiffert> Thermi: we dont need to. Layer 2 bridge does what it name says.
11:46 < gu> reiffert: are you talking about bridgeing wlan0 and eth0 or just using tap interfaces on the openvpn link?
11:46 < otwieracz> Often those are different networks.
11:46 < reiffert> gu: depends on what otwieracz additionally will share about what he's trying to achieve.
11:47 < otwieracz> To clarify – I do not want to take care about which interface is connected where.
11:47 < otwieracz> If only VPN endpoint is reachable through any interface – I want openvpn tunnel to stay up and working.
11:47 < gu> otwieracz: and I guess you're connectiong to some openvpn server somewhere in the internet
11:47 < otwieracz> gu: Yep.
11:48 < otwieracz> And, for better use case, I am disconnecting from eth and moving to 3G connection through wan0.
11:48 < gu> bonding
11:48 < reiffert> ???
11:48 < otwieracz> s/wan0/wwan0/
11:49 < otwieracz> And after I find wifi, then I connect disconnect from 3G and connect to wifi via dev wlan0.
11:49 < otwieracz> And I want to have tunnel and tunneled connections running the whole time.
11:49 < gu> umm, I guess that won't work because your IPs keep changing
11:50 < otwieracz> My tunnel goes through UDP.
11:50 < otwieracz> OpenVPN is not able to act the same way as mosh?
11:50 < reiffert> otwieracz: let me make one thing clear: forget whatever I said above.
11:50 < otwieracz> reiffert: OK. So no classic bridge. :)
11:51 < reiffert> !factoids search mesh
11:51 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
11:51 < otwieracz> reiffert: „mosh”.
11:51 < otwieracz> reiffert: Not „mesh”.
11:51 < otwieracz> mosh is „ssh over UDP”.
11:51 < reiffert> !factoids search mosh
11:51 <@vpnHelper> No keys matched that query.
11:52 < otwieracz> reiffert: Awesome tool. Really.
11:52 < otwieracz> And secure exactly like ssh.
11:52 < otwieracz> (because it uses ssh)
11:57 < pekster> otwieracz: There's --float, but it doesn't work currently
11:58 < pekster> If you use static IP assignment, take a look at the --persist-local-ip and --persist-tun options
11:58 < pekster> You have to avoid a condition where you get a different IP though, which means you can't use --duplicate-cn (not without some clever tricks anyway) and should follow the static setup: read !static and maybe !addressing for that
11:59 <+s7r> can i make IPSec in openvpn?
11:59 < Thermi> Yes.
11:59 <+s7r> how
11:59 < Thermi> Ah
11:59 < pekster> You could transfer IPSec inside an openvpn tunnel, but openvpn won't inter-operate with IPSec
11:59 < Thermi> ^
12:00 < pekster> Doing IPSec-in-openvpn sounds like it's not very useful (double encryption!)
12:00 -!- obesd [~obsed@unaffiliated/obesd] has quit [Quit: obesd]
12:00 < Thermi> I read that as "I want to create an IPsec tunnel inside an openvpn tunnel. How do I do that?"
12:00 <+s7r> i know an openvpn tunnel is encrpted by default via ssl
12:00 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:00 <+s7r> but i wanted layer 3 end to end encryption
12:01 < Thermi> So what is the difference for you?
12:01 < Thermi> Just create openvpn tunnels between your devices.
12:01 <+s7r> isn't openvpn default encryption  at application layer? (SSL)
12:02 < Thermi> It encapsulates whole IP or ethernet frames (tun/tap)
12:02 < Thermi> or not ethernet frames
12:02 < Thermi> but layer two.
12:02 < pekster> "basically" Ethernet :)
12:02 < pekster> s7r: openvpn already does end-to-end L3 encryption
12:03 < pekster> It's an alternative to IPSec, not inter-operable
12:03 <+s7r> ohh sorry
12:03 <+s7r> nevermind yes you are right
12:03 <+s7r> i wasn't thinking about this straight
12:07 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
12:09 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Ping timeout: 252 seconds]
12:17 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
12:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-pcqbwcwizsrcohbf] has quit [Quit: Connection closed for inactivity]
12:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:31 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ozkouatkxzgrhxih] has joined #openvpn
12:32 -!- Kireji [~nospam@biocontact.org] has joined #openvpn
12:35 < Kireji> using tunnelblick on a mac as a client, running server on remote machine.  tunneling traffic through the remote machine.  do 10.xxx.xxx.xxx addresses get put through the tunnel?  how can I test that ?
12:35 < Thermi> tracepath?
12:35 < Thermi> :D
12:38 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ptqjclvlixltnkqv] has joined #openvpn
12:41 < Kireji> work ing
12:42 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
12:42 < Kireji> erm  working on a mac, is that the same as traceroute / Thermi ?
12:43 < Thermi> idk.
12:45 < Kireji> so... apparently yes.  with tunnelblick on (the VPN activated) 10.136.1.102 is routing through the VPN
12:46 <@dazo> alexwebr: OpenVPN (all versions/variants, both client and servers) are potentially vulnerable *if* and *only if* you have a vulnerable OpenSSL.  What can protect you somewhat is --tls-auth, given that you don't have a user which abuses that tls-auth key to attack your VPN server
12:46 < Kireji> is there a way to tell openvpn to treat certain subnets as local and not to route them through?
12:47 < Thermi> dazo: A heartbeat can be sent and received and acted upon before the command to change ciphers is sent. When  does the tls-auth thingy happen?
12:47 <@dazo> Thermi: on all packets, even the initial ones
12:48 < Thermi> I assume the tls-auth key is not retrievable by capturing traffic?
12:48 <@dazo> alexwebr: General advise is to update your OpenSSL libraries, ensure that OpenVPN uses the updated ones (you can use lsof) ... further it is recommended to at least replace your server key + certificate, and preferably all your client keys+certs
12:49 <@dazo> Thermi: tls-auth adds an additional HMAC "packet" outside of the VPN data.  If either side gets a packet and the HMAC "signature" doesn't match the expected value, the packet is dropped
12:49 < Thermi> Òkay, thank you for clarifying that
12:50 <@dazo> which is why you can use --tls-auth together with --proto udp to hide your OpenVPN server ... no port scans will reveal that port at all, as OpenVPN won't touch those un-authenticated packets
13:03 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
13:12 -!- x0011BF [~x007899@96.44.144.218] has joined #openvpn
13:13 < x0011BF> Not sure if you guys would know this, but on Ubuntu, where would I find the files for my VPN config?
13:13 < x0011BF> I connect through a proxy server with authentication, and so I store those credentials.
13:13 < x0011BF> But I have many different OpenVPN servers.
13:13 < x0011BF> Ideally I'd have it pull from a variable somewhere, but that doesn't seem to be an option, so I want to write a bash script that updates my password.
13:27 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
13:28 -!- gu [~gu@31-19-166-76-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
13:35 < Kireji> how can I configure a client tunnel (dev tun) not forward local subnet IP addresses (10.136.xx.xx) through tunnel?
13:39 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
13:39 -!- mode/#openvpn [+o mattock_afk] by ChanServ
13:39 -!- mattock_afk is now known as mattock
13:40 -!- mattock is now known as mattock_afk
13:41 -!- Eagleman7 [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
13:43 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
13:43 <@dazo> Kireji: don't route 10.136.0.0/16 via the tunnel
13:43 < alexwebr> dazo: Thanks.
13:44 < Kireji> dazo: right.  found that so far.  reading about route command
13:46 < Kireji> so I want 10.136.0.0/16 to all route to 10.136.100.1
13:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
13:48 -!- gu [~gu@31-19-166-76-dynip.superkabel.de] has joined #openvpn
13:49 < Kireji> what is a gateway "link#4" in the routing table
13:49 < Kireji> this makes my head hurt
13:51 <@dazo> no, you got it wrong ... you make my head hurt
13:52 <@dazo> Kireji: What is the IP address of your local interfaces?
13:53 -!- Corey_ [~Corey@freenode/staff/corey] has joined #openvpn
13:55 < Kireji> when I connect to the wifi (no vpn) I get 10.136.100.189 with a router of 10.136.100.1
13:56 < Kireji> dhcp defines the subnet mask on that as 255.255.252.0
13:56 < Kireji> when I start the vpn, I get ton0
13:56 < Kireji> tun0
13:56 -!- Corey_ [~Corey@freenode/staff/corey] has quit [Client Quit]
13:57 < Kireji> and I get 10.8.0.9 that routes to 10.8.0.1
13:57 -!- Corey [~Corey@freenode/staff/corey] has quit [Ping timeout: 612 seconds]
13:57 <@dazo> Kireji: okay ... you cannot normally route any of your local networks via a VPN tunnel.
13:57 <@dazo> Do you use --redirect-gateway?
13:58 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:58 <@dazo> (even though, I struggle to remember that --redirect-gateway would redirect local networks via the tunnel)
13:58 < Kireji> yes: redirect-gateway def1
13:58 <@dazo> okay ... pastebin the output of 'ip route show' (or 'route -n')
13:59 <@dazo> when the tunnel is up
14:00 -!- Avroceptyr [~Avrocepty@unaffiliated/aurorus] has quit [Ping timeout: 264 seconds]
14:00 < Kireji> http://pastebin.com/raw.php?i=0xxGF4ny
14:01 < Kireji> I can reach 10.136.100.1 with the vpn up, I cannot reach 10.136.1.102
14:01 < Kireji> because it gets routed through the tunnel
14:02 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 246 seconds]
14:03 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 250 seconds]
14:04 <@dazo> Kireji: okay ... do you see the route: 10.136.100/22  ?
14:04 < Kireji> up
14:04 < Kireji> yup
14:04 <@dazo> you need to learn how netmasks work
14:04 -!- Guest8860 [~Avrocepty@unaffiliated/aurorus] has joined #openvpn
14:04 < Kireji> that looks wrong to me
14:05 <@dazo>  /22 means in that context IP addresses from 10.136.100.0 to 10.136.103.255
14:05 -!- Moony2202 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has quit [Read error: Connection reset by peer]
14:05 -!- Aliekezhi [~Aliekezhi@80.215.20.30] has joined #openvpn
14:05 < Kireji> yup  just found translator here http://tuxgraphics.org/toolbox/network_address_calculator_add.html
14:05 <@vpnHelper> Title: network address calculator and ip address calculator, javascript based (at tuxgraphics.org)
14:05 <@dazo> so what you need to do do, is to add a route in your openvpn client config, saying:  route 10.136.0.0 255.255.255.0 net_gateway
14:06 <@dazo> (net_gateway is a config macro, which openvpn will translate to your local gateway's IP address)
14:06 < Kireji> add "route 10.136.0.0 255.255.255.0 net_gateway" to client config?
14:06 <@dazo> yes
14:06 <@dazo> no
14:06 <@dazo> 255.255.255.0 should be 255.255.0.0
14:06 < Kireji> whoa
14:07 < Kireji> add "route 10.136.0.0 255.255.0.0 net_gateway" to client config?
14:07 <@dazo> yes
14:07 < Kireji> so /16
14:07 <@dazo> Correct.  I'm so used to type 255.255.255.0, I failed to type it correctly
14:08 < Kireji> trying now...
14:08 <@dazo> Using /16 is kind of hackish, but as long as you said you wanted all 10.136.x.x ... I translated that into /16
14:09 < Kireji> oh. ok.  seen netmasks many times, still don't fullt grok them
14:11 -!- zach [~zfouts@213.251.184.209] has joined #openvpn
14:11 < Kireji> works!
14:11 < Kireji> updated route table: http://pastebin.com/raw.php?i=dsAMaH1x
14:11 < zach> Hey folks, is there a way to view the CID (Client-id) in the management console?
14:12 < Kireji> dazo: so is the subnet mask I'm getting from DHCP incorrect?
14:12 < Kireji> seems so
14:13 < zach> !heartbleed
14:13 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
14:13 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
14:13 < zach> Good thing I use tls-auth ;)
14:14 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:15 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:15 < zach> So I came across this: http://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/4B8BAD59.1060908@topphemmelig.net/ -- which discusses the issue I'm experiencing, which appears to have been patched back in 2010 -- However, the management console (unless I'm blind) does not show me the CID
14:15 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
14:21 -!- lj [~l@192.241.174.169] has joined #openvpn
14:22 -!- gu2 [~gu@31-19-166-76-dynip.superkabel.de] has joined #openvpn
14:23 -!- lj1 [~l@192.241.174.169] has quit [Ping timeout: 250 seconds]
14:25 -!- gu [~gu@31-19-166-76-dynip.superkabel.de] has quit [Ping timeout: 258 seconds]
14:25 < Kireji> dazo: thank you - extremely helpful.  much appreciated
14:26 < Kireji> it all works again!
14:26 -!- Kireji [~nospam@biocontact.org] has left #openvpn []
14:26 -!- gu2 [~gu@31-19-166-76-dynip.superkabel.de] has quit [Client Quit]
14:27 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
14:32 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 264 seconds]
14:32 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
14:50 < haasn> In light of the recent OpenSSL vulnerabilities and also OpenSSL's horrible track record for security, I'm wondering what alternatives are on the table for running an encrypted VPN via OpenVPN - preferably without SSL
14:51 < haasn> Where can I find documentation on all the available encryption modes OpenVPN supports?
14:51 <@dazo> haasn: ehm ... encrypted VPN without using SSL libraries which is responsible for encryption?
14:51 < haasn> dazo: Exactly
14:51 <@dazo> You hear that's a contradiction?
14:52 <@dazo> haasn: OpenVPN 2.3 can also be built to use PolarSSL, as an alternative to OpenSSL
14:52 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ptqjclvlixltnkqv] has quit [Quit: Connection closed for inactivity]
14:53 <@dazo> OpenSSL have indeed had many issues over the years.  But I would say that despite this, it is one of the most well tested libraries available.  The reason things are found is also that it is so widely used.
14:54 < haasn> My personal opinion is that the main reason OpenSSL has so many issues is because TLS is so complex, which is exactly why I'm trying to avoid it altogether - it doesn't seem necessary for an encrypted VPN. You're right that OpenSSL is most likely far more analyzed and tested than a third party TLS implementation like PolarSSL. I want to avoid SSL altogether
14:55 <@dazo> haasn: there exists no encryption on the Internet (socket/stream wise) without the usage of SSL/TLS
14:55 < haasn> Judging by http://openvpn.net/index.php/open-source/documentation/security-overview.html OpenVPN has two modes available, one based on TLS and one based on pre-shared static keys?
14:55 <@vpnHelper> Title: Security Overview (at openvpn.net)
14:55 < haasn> dazo: That is a blatant untruth
14:55 < haasn> SSH is a direct counter-example
14:56 <@dazo> well, if you think that the static encryption is safer ... then you don't understand the core concept of how openvpn works
14:56 <@dazo> because the security is actually much more vulnerable for bruteforce attacks using static encryption mode
14:57 < haasn> Why, what algorithm does the static mode use?
14:58 <@dazo> it uses a static key the whole time.  While using PKI (server mode), it will use only use the pub/private keys to exchange temporary encryption keys which changes regularly ... that temporary key is what's used to encrypt the tunnelled data
14:59 <@dazo> With static encryption ... you can record years of packets ... and you can decode them in the past, once you get hold of the static key
14:59 <@dazo> with PKI mode, you're only able to decrypt a small time-frame of the communication, if you're able to bruteforce the temporary encryption key
14:59 <@dazo> how often the encryption key is changed, is defined by the --reneg-* options
15:00 < haasn> Does OpenVPN's TLS mode offer PFS by default?
15:01 <@dazo> AFAIR, yes
15:01 <@dazo> and it can further be enhanced with --tls-auth
15:02 < haasn> I wonder if OTR or SSH's algorithms could be used as a more or less drop-in replacement for TLS, here; of course that would require significant work on the OpenVPN side
15:03 <@dazo> well, there's always the tunnelling feature in SSH
15:03 <@dazo> however, using TCP as a transport mechanism for TCP packets, is really not ideal at all
15:03 < haasn> Yeah, I was just thinking about that. All relevant users of the VPN have SSH access to the server it's running on either way, so in this case I could just restrict to local addresses and tunnel over SSH - I'm mainly worried about automatically restarting it in case of network failure, though
15:05 <@dazo> I think that the SSH tunnelling usability is due to that it's really tricky to do VPN right, and also given that you need extra privileges to be able to configure the needed routes and interfaces
15:05 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:05 <@dazo> SSH tunnelling have the framework in place, but not the usability part
15:05 < haasn> Oh, speaking of TCP - according to documentation OpenVPN provides its own TCP-like sequencing capabilities to UDP packets in order to make them supply the requisites for the TLS algorithm. I assume these are not necessary when using TCP as the transport - does this mean TCP+TLS would be equivalent to UDP+TLS in terms of overhead?
15:07 < haasn> oh, that's cool; --tls-auth can be used to add a sort of “firewall” in front of the TLS connection using a pre-shared static key?
15:07 <@dazo> nope, the scheme is much simpler ... it's more like to have an idea if packets have been re-injected (avoid duplicated packets).  OpenVPN in UDP doens't care about lost packets, as the that's the nature of UDP ... the TCP layer inside the tunnel takes care of requesting packets again if it misses something
15:07 <@dazo> haasn: in regards to heartbleed ... --tls-auth actually also protects you quite well here.  Unless you have a user with your static tls-auth key which uses heartbleed attacks on your server
15:08 < haasn> Right, I am less concerned about that
15:08 < haasn> I do not have reason to suspect any of my users have malicious intent, I'm just worried about TLS implementation bugs exposing critical vulnerabilities to arbitrary attackers
15:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
15:10 <@dazo> What makes SSL/TLS good, in theory, is the possibility to have a trusted third party (CA) which provides the authentication level ... you won't have that with other solutions
15:11 < haasn> In this case the CA is the server itself, I would be fine with manually adding a list of trusted public keys to a file on the server, like SSH's allowed_keys
15:12 <@dazo> yeah ... and that doesn't really scale well if you have 100's of users ... when you need to have some kind of user management
15:12 <@dazo> In regards to heartbleed ... that heartbeat feature is "fairly" new ... and any encryption implementation can have issues in the beginning.  Even SSH had nasty issues in the very beginning ... just think of all the issues around the SSHv1 protocol
15:18 < haasn> I'm a bit less worried about the frequency of vulnerabilities but more about the severity - the amount of information Heartbleed leaks is significantly amplified by the bad coding practices used in OpenSSL, which is why it's something to worry about more than the fact that they made a mistake that should have been minor
15:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:21 <@dazo> For me it sounds like you're mixing things a bit.  Heartbleed is a pure implementation failure.  SSL/TLS design flaws is something different.  No software, design or implementation is 100% perfect.  No matter which solution you end up with, you'll be in a risk
15:23 < haasn> Well, the connection for me is the fact that TLS is a very, very complicated protocol - and the more complicated a protocol, the more difficult a bug-free implementation gets - and OpenSSL is certainly a great example of this. But you are right, it's an implementation failure, which is why I was also asking about alternatives to OpenSSL (that are still TLS implementations), it's just that due to the nature
15:23 < haasn> of TLS I have little reason to trust these more than OpenSSL itself
15:23 < haasn> The ultimate goal is reducing the complexity of the system as much as possible under the constraints, and I for example, do not require many features of TLS in my set-up
15:24 <@dazo> I personally actually prefer OpenSSL due to the fact that it's been widely used since the early days of encryption ... many bugs have been fixed, and it passes many certifications.  As an alternative, I'm willing to look at PolarSSL, due to the simplicity of the code ... but as PolarSSL is the newbie, I prefer OpenSSL on the serious stuff.  When PolarSSL proves itself over the coming years, it can replace OpenSSL's usage more and more
15:25 < haasn> I know nothing about PolarSSL, I'm not about to switch to it either - for all I know it could be far, far worse than OpenSSL
15:25 <@dazo> If you read C code, then you should truly look at PolarSSL
15:25 <@dazo> https://polarssl.org/source-code
15:25 <@vpnHelper> Title: PolarSSL Source Code: Fully open-source (at polarssl.org)
15:26 <@dazo> For the implementation failures of SSL/TLS ... you have this overview: http://pbs.twimg.com/media/Bk0DY8XCEAAPpS7.png:large
15:27 < haasn> I'm more comfortable with a false negative than a false positive, I guess
15:27 < haasn> How come GnuTLS, CyaSSL, PolarSSL, MatrixSSL have so many false positives?
15:28 <@dazo> PolarSSL are actually working on these issues, and based on their track records, I guess most of them can be expected to be fixed during this or early next year
15:29 <@dazo> (it depends on if they focus on other algorithms or fixing these TLS issues)
15:32 -!- Aliekezhi [~Aliekezhi@80.215.20.30] has quit [Quit: Leaving]
15:35 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
15:36 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
15:37 -!- Guest8860 [~Avrocepty@unaffiliated/aurorus] has quit [Quit: leaving]
15:39 -!- gu [~gu@194.231.39.10] has joined #openvpn
15:48 -!- Nirgali42 [~dmart@96-28-36-107.dhcp.insightbb.com] has joined #openvpn
15:48 < Nirgali42> good afternoon
15:49 -!- occupant [~null@204.14.158.226] has joined #openvpn
15:51 < Nirgali42> can someone suggest for me a good way to lock down three servers, one vpn connected to the net and one nginx server and mysql server sitting on a private network that has other hosts on it. I am thinking about using iptables to stop other hosts on the lan from connecting. I want to use openvpn to connect clients to the vpn server. I want those clients to be able to connect to the nginx host after logging onto the vpn. I want the data stre
15:51 < Nirgali42> I'm having trouble with the design
15:52 < Nirgali42> this wouldn't be an issue if I were allowed to have my own vlan
15:53 -!- x0011BF [~x007899@96.44.144.218] has left #openvpn ["Leaving"]
15:56 -!- tuvok [~tuvok@Photography.tuvok.eu] has quit [Excess Flood]
15:57 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
16:10 -!- Nirgali42 [~dmart@96-28-36-107.dhcp.insightbb.com] has quit [Ping timeout: 276 seconds]
16:19 -!- raignarok [~raignarok@p20030066EE238C0002224DFFFEA7B6DC.dip0.t-ipconnect.de] has quit [Quit: ZNC - http://znc.in]
16:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:21 -!- Moony2202 [~AndChat30@85.255.235.211] has joined #openvpn
16:23 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Ping timeout: 276 seconds]
16:26 -!- Nirgali42 [~dmart@96-28-36-107.dhcp.insightbb.com] has joined #openvpn
16:27 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
16:27 < Moony22> please tell me you have enabled
16:27 < Moony22> !slap ?
16:28 < Moony22> :(
16:28 < Nirgali42> eh?
16:28 < Moony22> you haven't got supybot with slap enabled :(
16:28 < Nirgali42> why do you need !slap?
16:28 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
16:29 < Moony22> It's...er...useful...for expressing feelings
16:31 < freezer> shut the fuck up.
16:32 < Moony22> that works too
16:32 -!- raignarok [~raignarok@p20030066EE238C0002224DFFFEA7B6DC.dip0.t-ipconnect.de] has joined #openvpn
16:32 < Moony22> lol
16:37 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Quit: leaving]
16:38 -!- n13l [~Daniel@aaa.anect.cz] has quit [Ping timeout: 240 seconds]
16:38 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
16:38 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
16:38 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
16:40 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:41 -!- Moony2202 [~AndChat30@85.255.235.211] has quit [Ping timeout: 240 seconds]
16:42 -!- lamba [~lamba@unaffiliated/lamba] has joined #openvpn
16:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fhddakohyhldgonz] has joined #openvpn
16:43 < lamba> sorry for the dumb question. but cn checking (the type disabled by "duplicate_cn" just checks that the IP of the CN cert as returned by DNS matches that of the correcting client, right ?
16:43 < haasn> dazo: how large is the overhead added by --tls-auth?
16:44 < lamba> hmm, i managed to put a lot of typos into that.  connecting client*
16:44 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
16:45 -!- nocturn [~nocturn@unaffiliated/nocturn] has quit [Ping timeout: 240 seconds]
16:50 <@syzzer> haasn: very little, as it is only on control packets, not data packets.
16:51 -!- nocturn [~nocturn@unaffiliated/nocturn] has joined #openvpn
16:57 -!- digitalp1nk [~scout@mail.zemaitijos-spauda.lt] has joined #openvpn
16:58 -!- Su7_ is now known as Su7
16:58 -!- digitalpunk [~scout@mail.zemaitijos-spauda.lt] has quit [Ping timeout: 264 seconds]
16:58 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
17:05 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has quit [Ping timeout: 240 seconds]
17:05 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 240 seconds]
17:05 -!- joshh20-Away is now known as joshh20
17:06 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
17:06 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
17:07 < pekster> lamba: No, it's checking the connecting clients commonName, which is normally the CN attribute of the certificates DN (Distinguished Name)
17:08 < lamba> yeah. checking it against what ?
17:08 < pekster> The CN field of the X.509's DN
17:08 < pekster> If there's a client by that name already connected, the new connection kicks the old one off
17:09 < lamba> oh right. so its solely checking for uniqueness. fair enough. is there a way to do dns fqdn == CN checking ? (and is it even worth while?)
17:09 < pekster> Probably not, no
17:09 < pekster> What is the end-goal here?
17:10 < lamba> just making sure a client ip matches the cert i expect to be for that client.
17:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:10 < lamba> kinda dumb but just an extra layer. haven't fully quanitified dumbness yet
17:10 < pekster> People usually/often want clients to roam. If you don't, consider either keeping a server-side mapping of CN to IP and check it in a --client-connect script, or code it into your certs as part of the DN
17:11 < pekster> I don't see why you want this, but it's there for you to code if you do
17:11 < lamba> ok :)
17:12 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
17:12 < pekster> Coding the "expected IP" of your client into the cert is a setup for pain; do you really want to have to revoke & re-issue if this value changes?
17:13 < pekster> It's far more trivial to have a text file that you can parse with a rather simple shell (or perl or awk or C or whatever) script
17:14 < lamba> oh no, the cn is the fqdn of the host, i was going to check that fqdn in dns against the ip of the client trying to connect. which i think makes sense ?
17:14 < pekster> huh?
17:15 < pekster> what's fqdn have to do with anything? You mean the PTR (reverse DNS) record for whatever arbitrary IP your client connects from?
17:15 < pekster> What you're asking for makes zero sense
17:15 < pekster> What happens if I'm connecting from Comcast and they happen to change the PTR naming scheme? It's just text in a zone file
17:16 < pekster> What happens if the IP changes, thus changing the PTR record? What do you do if there is no PTR record? You probably need to learn more about DNS before making it part of your security scheme (it's also trivial to fake unless you're doing forward-confirmed DNS checks..)
17:16 < lamba> yeah, i dont think you understand. dont worry. i get what i'm trying to do.
17:16 < lamba> im not even using the ptr records. at all.
17:16 < pekster> Then what on earth does FQDN have to do with anything?
17:16 < pekster> An OpenVPN server never has that info
17:17 < lamba> heh :) the fqdn IS the CN. the cn is literally myclient.mydomain.com
17:17 < pekster> That fails utterly if you ever move your client
17:18 < lamba> i wont.
17:18  * pekster shrugs
17:18 < pekster> Still no idea what your end-goal is. If you really want, go write a script that looks at your CN, does a DNS lookup, and checks that the client's source IP matches it
17:19 < pekster> !scripts
17:19 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
17:20 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:31 -!- joshh20 is now known as joshh20-Away
17:33 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:47 -!- Moony2202 [~AndChat30@212.183.128.209] has joined #openvpn
17:50 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Ping timeout: 276 seconds]
17:51 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
17:51 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
17:51 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
17:54 -!- Moony2202 [~AndChat30@212.183.128.209] has quit [Ping timeout: 250 seconds]
17:55 -!- freezer [~mkramer@p5DDB2C0F.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
18:01 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Read error: Connection reset by peer]
18:02 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:03 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
18:19 -!- Moony2202 [~AndChat30@212.183.128.208] has joined #openvpn
18:20 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Read error: No route to host]
18:20 -!- AndChat-305025 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
18:24 -!- Moony2202 [~AndChat30@212.183.128.208] has quit [Ping timeout: 252 seconds]
18:32 -!- joshh20-Away is now known as joshh20
18:32 -!- dazo is now known as dazo_afk
18:39 -!- AndChat-305025 is now known as Moony22
18:39 -!- Moony22 [~AndChat30@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
18:39 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
18:44 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Read error: Connection reset by peer]
18:54 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 264 seconds]
18:54 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Ping timeout: 255 seconds]
19:04 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
19:05 -!- mchinea [a5e44eaa@gateway/web/cgi-irc/kiwiirc.com/ip.165.228.78.170] has joined #openvpn
19:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:07 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
19:10 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:12 < mchinea> !welcome
19:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:13 < mchinea> !heartbleed
19:13 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
19:13 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
19:16 < occupant> when I ran a scanner against my openvpn TCP port, it couldn't even properly negotiate to do the check
19:19 < pekster> OpenVPN isn't "plain" TLS
19:19 < pekster> None-the-less, it's vulnerable just the same should you be using an affected OpenSSL version (or ever have) without using --tls-auth
19:22 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Ping timeout: 250 seconds]
19:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:28 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
19:30 -!- u0m3 [~u0m3@92.80.126.165] has joined #openvpn
19:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:12 < Thermi> pekster: Did you find a POC of heartbeat vs openvpn yet?
20:13 -!- joshh20 is now known as joshh20-Away
20:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 250 seconds]
20:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:37 -!- Denial- [Denial@90.214.34.101] has joined #openvpn
20:38 -!- Denial [Denial@90.214.34.101] has quit [Ping timeout: 240 seconds]
20:38 -!- Denial- is now known as Denial
20:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-fhddakohyhldgonz] has quit [Quit: Connection closed for inactivity]
21:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:12 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 276 seconds]
21:12 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
21:30 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
21:31 -!- rawDawg [~rawDawg@cpe-76-188-27-72.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
21:32 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:35 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
21:51 -!- corretico [~luis@190.5.215.146] has joined #openvpn
21:53 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:54 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:58 -!- flickerfly [~jritchie@216.115.64.202] has quit [Ping timeout: 240 seconds]
22:00 -!- flickerfly [~jritchie@216.115.64.202] has joined #openvpn
22:07 < bashusr> pekster, concerning heartbleed, the only vulnerability for "ever have" is if my private key was somehow leaked out
22:07 < bashusr> besides that, using an updated fixed version of openssl mitigates from all attack from the old system?
22:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:14 <@Eugene> The .key is what would be leaked by heartbleed
22:14 <@Eugene> If you're using --tls-auth then you are "safe", but any client which is auth-ed(ie, has that tls-auth secret) could compromise nonetheless.
22:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
22:17 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:40 -!- justinzane [~justinzan@12.172.184.180] has quit [Read error: Connection reset by peer]
22:41 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
22:45 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:50 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
23:06 -!- Nirgali42 [~dmart@96-28-36-107.dhcp.insightbb.com] has quit [Ping timeout: 240 seconds]
23:10 -!- Nirgali42 [~dmart@96-28-36-107.dhcp.insightbb.com] has joined #openvpn
23:10 -!- ShadniX [dagger@p5DDFD39F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:10 < bashusr> this sucks... i can't believe this huge of a bug has been around for 2 years and nobody knew. wow.
23:11 -!- ShadniX [dagger@p5DDFDCD4.dip0.t-ipconnect.de] has joined #openvpn
23:11 < bashusr> err, i mean, nobody disclosed... i would not be surprised if lots of malicious people knew and just didn't say!
23:12 < reiffert> stop public conspiracy.
23:12 -!- flickerfly [~jritchie@216.115.64.202] has quit [Ping timeout: 250 seconds]
23:14 -!- flickerfly [~jritchie@216.115.64.202] has joined #openvpn
23:19 < bashusr> reiffert, you don't think any black hats knew about this and used it for their own gain?
23:23 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 264 seconds]
23:23 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
23:24 -!- corretico [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
23:24 -!- corretico [~luis@190.5.215.146] has joined #openvpn
23:31 -!- u0m3_ [~u0m3@92.80.126.165] has joined #openvpn
23:34 -!- u0m3 [~u0m3@92.80.126.165] has quit [Ping timeout: 276 seconds]
23:38 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 258 seconds]
23:39 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
23:40 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
23:43 -!- budman__ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 252 seconds]
23:52 <@Eugene> If you think that they didn't then you're smoking something
23:52 <@Eugene> This is exactly the kind of exploit that gov'ts pay millions for
23:54 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Remote host closed the connection]
--- Day changed Fri Apr 11 2014
00:00 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
00:01 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
00:47 -!- obesd [~obsed@unaffiliated/obesd] has joined #openvpn
00:54 -!- mattock_afk is now known as mattock
01:15 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
01:18 -!- corretico [~luis@190.5.215.146] has quit [Ping timeout: 240 seconds]
01:32 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
01:35 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 258 seconds]
01:39 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:39 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:39 -!- ChrisH [~dg7pc@dslb-092-072-163-032.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
01:40 -!- ChrisH [~dg7pc@dslb-088-078-252-186.pools.arcor-ip.net] has joined #openvpn
01:53 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Ping timeout: 258 seconds]
01:56 -!- mchinea [a5e44eaa@gateway/web/cgi-irc/kiwiirc.com/ip.165.228.78.170] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
02:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:07 -!- gu [~gu@194.231.39.10] has joined #openvpn
02:08 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:21 -!- Nirgali42 [~dmart@96-28-36-107.dhcp.insightbb.com] has quit [Ping timeout: 245 seconds]
02:23 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
02:28 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:32 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
02:32 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
02:39 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-bgvqqtseuaxykcys] has joined #openvpn
02:53 -!- fred`` [fred@earthli.ng] has quit [Quit: +++ATH0]
03:04 -!- corretico_ [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
03:05 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
03:07 -!- fred`` [fred@earthli.ng] has joined #openvpn
03:10 -!- freezer [~mkramer@p5DDB19BC.dip0.t-ipconnect.de] has joined #openvpn
03:13 -!- ade_b [~Ade@193.202.255.218] has joined #openvpn
03:13 -!- ade_b [~Ade@193.202.255.218] has quit [Changing host]
03:13 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:15 -!- freezer [~mkramer@p5DDB19BC.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
03:35 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
03:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:00 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has joined #openvpn
04:01 -!- gu2 [~gu@194.231.39.10] has quit [Quit: Leaving.]
04:04 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
04:18 -!- mattock is now known as mattock_afk
04:25 -!- freezer [~mkramer@178.19.211.52] has joined #openvpn
04:25 < Haigha> is there a way to run openvpn without tun/tap (and root)?
04:26 < Haigha> i'd like to ping something through a OpenVPN server in a nagios plugin
04:27 -!- mattock_afk is now known as mattock
04:32 < mcp> Haigha: hm?
04:35 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Ping timeout: 252 seconds]
04:41 -!- makara [~makara@41.164.22.218] has joined #openvpn
04:43 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
04:47 -!- MisterB [~Adium@xdsl-87-79-62-185.netcologne.de] has joined #openvpn
04:47 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
04:47 < MisterB> !heartbleed
04:47 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
04:48 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed
04:48 < MisterB> !welcome
04:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:48 < takamichi> Can anyone confirm if "OpenVPN for Android" by Arne Schwabe is based on polarssl?
04:49 -!- MisterB [~Adium@xdsl-87-79-62-185.netcologne.de] has quit [Quit: Leaving.]
04:55 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
05:00 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Ping timeout: 252 seconds]
05:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-bgvqqtseuaxykcys] has quit [Quit: Connection closed for inactivity]
05:07 <@plaisthos> takamichi: no
05:08 <@plaisthos> takamichi: it can be compiled with polarssl but the play store variant is based on OpenSSL
05:17 < takamichi> plaisthos: Do you know if the version of openssl is vulnerable?
05:17 <@plaisthos> takamichi: have you read the Android section of https://community.openvpn.net/openvpn/wiki/heartbleed?
05:17 <@vpnHelper> Title: heartbleed – OpenVPN Community (at community.openvpn.net)
05:18 < takamichi> plaisthos: Thanks, I can see the answer clearly now, I didn't see that before.
05:19 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
05:20 < havoc> major pita :(
05:20 <@plaisthos> takamichi: :)
05:21 -!- MisterB [~Adium@xdsl-87-79-62-185.netcologne.de] has joined #openvpn
05:24 -!- MisterB [~Adium@xdsl-87-79-62-185.netcologne.de] has left #openvpn []
05:41 -!- Varazir [~mircwars@c-94-255-128-92.cust.bredband2.com] has quit [Quit: leaving]
05:41 -!- Varazir [~mircwars@c-94-255-128-92.cust.bredband2.com] has joined #openvpn
05:58 -!- gu [~gu@voip.radio-zusa.net] has joined #openvpn
06:04 -!- gu2 [~gu@voip.radio-zusa.net] has joined #openvpn
06:05 -!- gu [~gu@voip.radio-zusa.net] has quit [Ping timeout: 258 seconds]
06:12 -!- adh0c [~adh0c@info.recurse.info] has joined #openvpn
06:22 -!- dazo_afk is now known as dazo
06:26 -!- gu2 [~gu@voip.radio-zusa.net] has quit [Quit: Leaving.]
06:26 -!- gu [~gu@voip.radio-zusa.net] has joined #openvpn
06:30 -!- gu [~gu@voip.radio-zusa.net] has quit [Ping timeout: 240 seconds]
06:32 < pekster> bashusr: The way it works is if you were ever vulnerable and had your key "bled" out, even if you add --tls-auth now you're still vulnerable (since your key has been exposed.) Unless you are 100% sure that hasn't happened, just revoke & re-issue your client & server certs (with different private keys, obviously.) Your CA doesn't need to be changed due to this
06:33 < pekster> And by "still vulnerable" I mean to anyone who got the key (which might be no one, or might be your favourite gov't or grade school nemesis)
06:36 -!- gu [~gu@voip.radio-zusa.net] has joined #openvpn
06:40 -!- gu2 [~gu@voip.radio-zusa.net] has joined #openvpn
06:41 -!- gu [~gu@voip.radio-zusa.net] has quit [Ping timeout: 252 seconds]
06:45 -!- corretico_ [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
06:45 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
06:53 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:53 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:53 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:21 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:23 -!- nlb_ [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has joined #openvpn
07:24 -!- nlb [~nlb@unaffiliated/nlb] has quit [Ping timeout: 240 seconds]
07:24 -!- nlb_ is now known as nlb
07:25 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:27 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 240 seconds]
07:27 -!- gu2 [~gu@voip.radio-zusa.net] has quit [Ping timeout: 240 seconds]
07:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:29 -!- mode/#openvpn [+v s7r] by ChanServ
07:31 -!- gu [~gu@voip.radio-zusa.net] has joined #openvpn
07:31 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
07:56 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
07:56 -!- gu [~gu@voip.radio-zusa.net] has quit [Read error: Connection reset by peer]
07:56 -!- gu [~gu@voip.radio-zusa.net] has joined #openvpn
07:57 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:57 <@ecrist> !learn heartbleed as http://xkcd.com/1354/
07:57 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:57 <@ecrist> fuck you, vpn	
07:58 <@ecrist> pekster: can you learn that for me, please?
07:58 <@krzee> !learn heartbleed as http://xkcd.com/1354/
07:58 <@vpnHelper> Joo got it.
07:58 <@ecrist> thanks
07:59 -!- gu2 [~gu@voip.radio-zusa.net] has joined #openvpn
07:59 -!- gu [~gu@voip.radio-zusa.net] has quit [Client Quit]
08:14 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ghvskedaeuwnpknu] has joined #openvpn
08:28 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
08:35 -!- corretico_ [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
08:35 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
08:37 -!- cloudera [~chatzilla@cpe-76-179-73-252.maine.res.rr.com] has joined #openvpn
08:37 -!- cloudera [~chatzilla@cpe-76-179-73-252.maine.res.rr.com] has left #openvpn []
08:37 -!- bertodsera [~quassel@212.36.61.26] has joined #openvpn
08:38 -!- adh0c [~adh0c@info.recurse.info] has quit [Ping timeout: 240 seconds]
08:39 -!- cloudera [~chatzilla@cpe-76-179-73-252.maine.res.rr.com] has joined #openvpn
08:39 -!- cloudera [~chatzilla@cpe-76-179-73-252.maine.res.rr.com] has left #openvpn []
08:55 -!- budman___ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
08:59 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 258 seconds]
09:14 < dvl_> ecrist: BTW, thanks. :)
09:14 < dvl_> ecrist: for the work you do on OpenVPN
09:19 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 276 seconds]
09:22 <@ecrist> thanks, dvl_, but dazo, cron2, plaisthos, and mattock (and others) do far more than I 
09:22 < dvl_> oh, in that case.
09:22 < dvl_> ecrist: f you ya lazy bastard.
09:22 < dvl_> Thanks to dazo cron2 plaisthos and mattock .
09:22 < dvl_> ;)
09:23 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
09:25 <@ecrist> indeed. :)
09:33 -!- budman___ is now known as budman__
09:34 -!- budman__ is now known as budmang
09:37 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:38 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has quit [Quit: Leaving]
09:39 -!- pjschmitt [~parker@unaffiliated/schmitt953] has quit [Ping timeout: 240 seconds]
09:41 -!- pjschmitt [~parker@209.141.56.12] has joined #openvpn
09:57 -!- freezer [~mkramer@178.19.211.52] has quit [Ping timeout: 240 seconds]
09:57 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 240 seconds]
10:00 -!- hectorh30 [~hectorh30@190.149.223.38] has joined #openvpn
10:01 < hectorh30> !welcome
10:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:02 < hectorh30> Hi. I would like to automatically connect my cloud windows server to my office VPN at system startup
10:02 < hectorh30> but the openvpn windows client doesn't seem to recognize the --connect parameter
10:02 < hectorh30> (client version 1.5.6)
10:03 < hectorh30> Was that feature removed or am I doing something wrong?
10:03 -!- ACKNAK [~regolith@79.133.97.154] has quit [Remote host closed the connection]
10:07 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit []
10:09 -!- acu [~acu@50.244.13.221] has joined #openvpn
10:10 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
10:16 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
10:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
10:18 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
10:18 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
10:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
10:21 -!- alliebean [~allie@unaffiliated/alliebean] has joined #openvpn
10:22 < alliebean> hello :)  I have a hopefully easy/quick question.  Is it possible to have the OpenVPN server assign tunnel devices from a set of device numbers?  I ask because I already have tunnel devices setup using SSH, but I'm having to supplement this config with OpenVPN.  But the SSH tunnel devices (tun1, tun2, etc.) are assigned, whereas OpenVPN seems to pick them at random.
10:24 -!- gu2 [~gu@voip.radio-zusa.net] has quit [Ping timeout: 250 seconds]
10:25 -!- corretico_ [~luis@190.5.215.146] has quit [Read error: Connection reset by peer]
10:26 -!- corretico_ [~luis@190.5.215.146] has joined #openvpn
10:29 <@dazo> alliebean: just use --dev tun  or  --dev tap .... (without number) ... then openvpn will use whatever is available
10:29 <@dazo> or ... use --dev tun0, --dev tun1 and so on for a fixed device
10:30 < alliebean> can you specify more than one with fixed devices?
10:30 <@dazo> you can also use --dev myprivate1 --dev-type tun
10:30 <@dazo> alliebean: nope, you can only specify one device per config
10:31 < alliebean> so if specified, only one device per config on the server?
10:31 <@dazo> yes
10:31 < alliebean> boo :(  okay ... hmmm...
10:32 < alliebean> and I'm guessing that, while you can run multiple servers with different config files and different ports, you can't make openvpn share a single UDP port with the various servers/configs?
10:34 <@dazo> alliebean: okay how would that work out in reality?  How can you tell which openvpn process to send the data to, if you have 3 listening to the same port?
10:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
10:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
10:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:38 < alliebean> dazo: I know multiple processes can't listen to the same port.  I was asking more if openvpn was aware of multiple configuration files and able to support those configuration files with a single listener process that then sets data to the correct processes to handle that particular configuration.  I didn't think it was built to work that way, but, before I wrote that possibility off I was asking. :)
10:38 <@dazo> oh, I see
10:38 <@dazo> no, you need a separate process with a separate tun device, usually with a separate VPN subnet per config
10:39 < alliebean> *nodnods* that's basically how I have the SSH stuff set up, but I'm running into weird network issues with SSH that I'm unable to adequately troubleshoot or repair.  So trying openvpn instead :)
10:43 -!- master_o1_master [~master_of@p4FD7B15C.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
10:44 -!- master_of_master [~master_of@p4FD7B734.dip0.t-ipconnect.de] has joined #openvpn
10:45 -!- pablito [~chatzilla@194.90.149.21] has joined #openvpn
10:45 < pablito> !heartbleed
10:45 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
10:45 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
10:46 <@krzee> good call on topic'ing that eric
10:48 <@Eugene> That's the only good explanation I've seen of that, for Laymen
10:49 < pablito> hi all
10:50 < pablito> I have an openvpn system that works fine until a few days ago, it may be related to heartbleed
10:50 < pablito> I run debian wheezy
10:51 < pablito> so I did apt-get to update and upgrade the openssl package
10:52 < pablito> but after that things broke
10:52 < pablito> does anyone here have a similar problem?
10:52 <@krzee> tried updating openvpn too?
10:52 <@krzee> also, whats your openvpn error?
10:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
10:53 < pablito> there's really no error, but here's the situation
10:54 < pablito> I have a server in Rome that has access to online journal of a university
10:54 < pablito> i can't access the online journal outside of the university
10:54 < alliebean> dazo: thanks for your help :)  I'm setting it all up with just separate configs now, at least until I can get rid of the SSH tunnels.
10:54 < pablito> so i VPN into the server to enable access
10:55 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has joined #openvpn
10:55 < pablito> but since the upgrade, I can't access the online journal via vpn anymore
10:55 < pablito> it doesn't resolve the url of the journal site
10:55 <@dazo> alliebean: if you use PKI (--ca, --cert, --key) then you normally don't need more than one openvpn process ... unless you want to enable VPN access over both UDP and TCP and on different ports to escape strict firewalls and so on
10:55 < warriorforGod> Can anybody tell me if there is currently a way to configure an ipv6 only tunnel with openvpn, or do I still have to assign ipv4 addresses in addition to ipv6 addresses?
10:56 <@dazo> warriorforGod: you need ipv4 in addition ... but you don't need to route anything over the ipv4 net
10:56 <@dazo> in fact you can block it in the firewall
10:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:57 <@dazo> but to configure ipv6, you need to have ipv4 set up .... under the hood, the ipv6 implementation re-uses a lot of the ipv4 code, that's why
10:57 < pablito> I look at the server and client logs for openvpn and see nothing unusual
10:57 -!- vn [~sys6x@nostalgeek.net] has quit [Read error: Connection reset by peer]
10:57 <@dazo> (the ipv6 developer have it on his todo list to fix it ... but it's not considered a critical feature)
10:58 -!- vn [~sys6x@nostalgeek.net] has joined #openvpn
10:59 < pablito> any ideas?
11:00 < pablito> if I ssh into the server, i can access the online journal site from there
11:00 < pablito> but via VPN, there's no access
11:01 < alliebean> dazo: the problem is that it's a mixed environment where the SSH tunnel devices are hard-coded.  So if a user isn't using their tun1 SSH tunnel, for example, and someone logs in with OpenVPN, it'll grab tun1.  Then when the original user tries to login and reclaim that device either it doesn't work and they're unable to establish their tunnel, or it'll reconfigure it and screw up the OpenVPN user.
11:02 <@dazo> alliebean: are we talking client or server side now?
11:03 <@dazo> on the server side, you normally just need one openvpn process running ... and you can even do --dev vpn0 --dev-type tun .... and it won't conflict with any tun* devices at all
11:03 < reiffert> hey guys whats up?
11:03 <@dazo> and each client config can also do a similar thing with --dev and --dev-type
11:03 < alliebean> dazo: all server-side, but I'd need to specify multiple devices on the server
11:03 <@krzee> hey reiffert
11:04 < alliebean> dazo: I don't care what devices it uses on the client side, it's only the server side where I may have conflicts
11:04 -!- mode/#openvpn [+v reiffert] by krzee
11:04 <@dazo> alliebean: okay ... but with openvpn you just need one --dev device .... which can tackle all the clients you throw at it
11:04 <@dazo> it's not like SSH where you'll have one tun device per user
11:05 < pablito> krzee: you have any suggestion for my issue?
11:05 <@dazo> (unless you use openvpn in peer-to-peer mode, which is really not ideal for multi-user setups)
11:05 < alliebean> dazo: oh?  hmmm... I guess that's provided all the clients get assigned addresses within the same subnet?
11:05 <+reiffert> sounds like you need to have NAT on your server or a route back
11:05 <@krzee> pablito, you did not actually provide any info
11:06 <@krzee> pablito,
11:06 <@krzee> !goal
11:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:06 <@krzee> !logs
11:06 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
11:06 <@dazo> alliebean: that's right ... you give openvpn a subnet, and it allocates a different VPN IP address for each client in that subnet ... the rest is routing
11:06 < alliebean> okay, cool :)  Let me try that configuration then and see how it goes
11:07 < pablito> !goal
11:07 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:07 <@dazo> alliebean: have a look here ... not directly related, but it'll give you an overview at least: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
11:07 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:08 <@krzee> dazo, thats some sweet ascii art ;]
11:08 <@dazo> :)
11:08 < pablito> krzee: ok, my goal is to access the an online journal website over my vpn because the journal site is limited to certain IP addresses
11:08 <@krzee> !redirect
11:08 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:08 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:09 <@krzee> follow the flowchart
11:09 <+reiffert> pablito: is your vpn server a linux machine?
11:09 <@dazo> krzee: I've been wanting to do a similar wiki page for setting up the encryption and openvpn-to-openvpn connection setup ... but it's this "having enough time" issue
11:09 < pablito> reiffert: yes, it's Debian
11:09 <+reiffert> pablito: what's your public interface?
11:09 <@krzee> dazo, what do you mean by openvpn-to-openvpn ?  vpnchains?
11:10 < pablito> krzee: I have successfully setup my system and it has worked for months until this heartbleed issue
11:10 <@krzee> pablito, well heartbleed didnt stop servers from working, so either post your logs or follow the flowchart
11:10 <@dazo> krzee: no, I mean setting up the proper --proto, --port/--lport/--rport/--nobind and --remote stuff ... explaining that a little bit
11:10 < pablito> reiffert: what do you mean public interface?
11:10 <+reiffert> pablito: the one that's connected to the internet
11:10 <@krzee> i dont have a magic answer based on "it broke when heartbleed happened" so you need to troubleshoot
11:11 <@krzee> oh i see
11:11 <+reiffert> pablito: I'm assuming it's eth0, y/n?
11:11 < pablito> krzee: what's the url for pastebin?
11:11 < alliebean> dazo: okay, that seems to work perfectly :)  Thanks!!
11:11 < pablito> reiffert: it's eth0 yest
11:11 <+reiffert> pablito: do two things:
11:11 <+reiffert> cat /proc/sys/net/ipv4/ip_forward
11:12 <+reiffert> do you get a 0 or a 1?
11:12 <@krzee> dazo, like how to conect 2 sites both behind NAT without port forwarding? good example of when to break those out
11:12 <@krzee> dazo, would be a cool writeup =]
11:12 <@dazo> yeah
11:12 <@dazo> alliebean: cool!  happy it worked!
11:12 < pablito> reiffert: it's 0
11:12 <@krzee> heh
11:12 <+reiffert> pablito: do: echo 1 > /proc/sys/net/ipv4/ip_forward
11:12 <+reiffert> pablito: then do: iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
11:12 <+reiffert> pablito: done.
11:13 < alliebean> okay, back to more boring work now :)  later!
11:13 -!- alliebean [~allie@unaffiliated/alliebean] has quit [Quit: leaving]
11:13 <@krzee> pablito, following the flowchart would have gotten you there? you're lucky reiffert brought his crystal ball
11:13 <@dazo> reiffert: that wiki page I pointed alliebean at, it covers setting up iptables and ip forwarding as well
11:13 <@krzee> !crystal
11:13 <@vpnHelper> "crystal" is Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome.
11:13 < pablito> reiffert: eh, it says permission denied
11:13 <+reiffert> krzee: repairs got it back to me last week .. awesome crystall ball, you must get one too
11:13 < pablito> reiffert: even with sudo
11:13 <+reiffert> pablito: do it as root dude.
11:13 <@krzee> !learn unless reiffert is here, his crystal ball is functional again
11:13 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
11:13 <@krzee> !learn crystal as unless reiffert is here, his crystal ball is functional again
11:13 <@vpnHelper> Joo got it.
11:14 <@krzee> haha
11:14 <+reiffert> :)
11:14 < pablito> reiffert: ok done!
11:14 <+reiffert> done with both, the echo and the iptables?
11:14 < pablito> reiffert: not IPtable yet, hold on
11:14 <+reiffert> do it faster
11:15 < pablito> reiffert: ok iptable done
11:15 <+reiffert> good. confirm it's working.
11:15 <@krzee> reiffert, dont forget to make his changes permanent, dont wanna have to walk him back through it on his next reboot next time theres some vuln he patches and says "but it worked before i fixed $vuln"
11:15 < pablito> reiffert: you are the MAN!
11:16 < pablito> reiffert: it's WORKING!
11:16 <+reiffert> krzee: I miss the DEBIAN letters branded on my forehead ...
11:16 <@krzee> pablito, for the record, read this again:
11:16 <@krzee> !redirect
11:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:16 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:16 <+reiffert> pablito: echo "net.ipv4.ip_forward=1
11:16 <+reiffert> pablito: echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
11:17 <+reiffert> pablito: and do whatever is necessary to make your firewall being st[ui]ck
11:17 <@krzee> pablito, the first 2 commands were temporary, you need to make them permanent now
11:18 <+reiffert> krzee: last week a server of one of my guys was sending out 30.000 emails per minute
11:18 <+reiffert> krzee: so first thing he did .. restart the box
11:18 < pablito> krzee: how do I make them permanent?
11:18 <@krzee> pablito: echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
11:18 <@krzee> i mean
11:18 <@krzee>  <reiffert> pablito: echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
11:18 <@krzee> and then:
11:18 <+reiffert> krzee: another one started installing a firewall on his server .. on the next day he found out the box stopped resolving
11:18 < pablito> krzee: yes, i ran the two echo commands
11:18 <@krzee> echo "iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE" >> /etc/rc.local
11:19 <+reiffert> krzee: damnit stop dropping packets on your loopback interface
11:19 <+reiffert> krzee: hold on the last one sucks
11:19 <@krzee> *shrug* it would work
11:19 <+reiffert> pablito: whats the firewall software on your machine?
11:20 <+reiffert> stable debian usually does it with the software called iptables-persistent
11:20 < pablito> reiffert: hmm, good question, how would I find out?
11:20 <+reiffert> saving and loading iptables rules
11:20 <+reiffert> pablito: ask the guy who helped you setup your box 6 months ago
11:20 <@krzee> i figure for the firewall rule he can learn his os or use my rc.local 1-size-fits-all solution
11:21 <+reiffert> krzee: so how would his rc.local reach that line after the last exit 0?
11:21 < pablito> reiffert: I think it's a default one from the Debian DVD
11:21 <+reiffert> pablito: apt-get install iptables-persistent
11:21 <@krzee> reiffert, =/
11:21 <+reiffert> iptables-save > /etc/iptables/rules
11:23 < pablito> reiffert: ok, ran the install, the dialog said it would save to the file rules.v4 and rules.v6 respectively
11:23 <+reiffert> yeah whatever
11:23 <+reiffert> should be all set now
11:23 <+reiffert> next
11:23 < pablito> awesome, thank you very much
11:24 < pablito> uh huh
11:24 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:24 < pablito> ?
11:24 -!- freezer [~mkramer@p5DDB19BC.dip0.t-ipconnect.de] has joined #openvpn
11:24 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 250 seconds]
11:24 <+reiffert> out for some beers
11:24 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
11:25 < pablito> hehe, let me send you a case, what would you like?
11:26 -!- bertodsera [~quassel@212.36.61.26] has quit [Remote host closed the connection]
11:29 -!- x0011BF [~x007899@96.44.144.218] has joined #openvpn
11:30 < x0011BF> Does OpenVPN have some sort of public key authentication method like SSH?
11:34 -!- pablito [~chatzilla@194.90.149.21] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 27.0.1/20140212131424]]
11:42 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-ghvskedaeuwnpknu] has quit [Quit: Connection closed for inactivity]
11:45 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
11:49 < heraclitus> x0011BF, --tls-auth is similar to what you look for
11:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:58 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 250 seconds]
11:59 -!- Denial [Denial@90.214.34.101] has quit []
12:00 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:06 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
12:08 -!- Denial [Denial@90.214.34.101] has joined #openvpn
12:10 -!- u0m3_ is now known as u0m3
12:14 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
12:15 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
12:15 -!- mode/#openvpn [+o mattock] by ChanServ
12:20 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:23 -!- acu [~acu@50.244.13.221] has joined #openvpn
12:32 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
12:32 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
12:34 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
12:34 -!- budmang_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
12:35 -!- budmang_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Client Quit]
12:37 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 258 seconds]
12:37 -!- ChrisH is now known as Guest2286
12:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:37 -!- ChrisH_ [~dg7pc@dslb-188-109-006-029.pools.arcor-ip.net] has joined #openvpn
12:38 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
12:38 -!- Guest2286 [~dg7pc@dslb-088-078-252-186.pools.arcor-ip.net] has quit [Ping timeout: 258 seconds]
12:43 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 252 seconds]
12:44 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:44 -!- corretico_ [~luis@190.5.215.146] has quit [Quit: Leaving]
12:57 -!- sync0pate [~sync@unaffiliated/sync0pate] has joined #openvpn
12:58 < sync0pate> any reason why a peer-to-peer config would suddenly stop working?
12:58 < sync0pate> still works from client->server
12:58 < sync0pate> at the moment I've ssh'ed from client->server->client2
12:59 < sync0pate> but can't ssh/ping client->client2
12:59 < sync0pate> although it worked an hour or so ago, and no configs have changed..
13:00 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
13:01 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
13:03 -!- x0011BF [~x007899@96.44.144.218] has left #openvpn ["Leaving"]
13:05 <@dazo> sync0pate: in practically 100% of all cases we have here: When something stops working, something was changed on either client or server side.
13:05 < sync0pate> yeah, that's what I'd imagine :\
13:05 < sync0pate> but I doubt anyone else is working at this time, and it was working just an hour ago
13:05 < sync0pate> and I've been in the garden in the meantime..
13:06 <@dazo> check log files, check what kind of updates where done lately, check who was logged in ... but some times, it's also the ISP to blame, where something in their infrastructure changed
13:06 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:06 < sync0pate> you know, I might just wait another hour
13:06 < sync0pate> see if that does it ;)
13:06 < sync0pate> but yeah, your suggestion is step 2
13:08 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
13:09 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: Leaving.]
13:11 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
13:26 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
13:27 -!- ChrisH_ is now known as ChrisH
13:41 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
13:48 -!- makara [~makara@105-208-231-228.access.mtnbusiness.co.za] has joined #openvpn
13:56 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:01 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xpcrcyblljghcygi] has joined #openvpn
14:03 -!- makara [~makara@105-208-231-228.access.mtnbusiness.co.za] has quit [Ping timeout: 258 seconds]
14:08 -!- makara [~makara@105-208-231-228.access.mtnbusiness.co.za] has joined #openvpn
14:11 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
14:15 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 246 seconds]
14:27 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 252 seconds]
14:28 -!- raignarok [~raignarok@p20030066EE238C0002224DFFFEA7B6DC.dip0.t-ipconnect.de] has left #openvpn ["Konversation terminated!"]
14:33 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
14:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
14:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:34 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
14:48 -!- aji [~alex@atheme/member/aji] has joined #openvpn
14:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
14:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:55 -!- joshh20-Away is now known as joshh20
14:57 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Client Quit]
14:58 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:04 < haasn> Out of mild curiosity: Is it possible to for OpenVPN to use OCSP instead of CRLs to check client certificate revocation status? Furthermore, is it possible to use a technique similar to OCSP stapling for this?
15:10 <@dazo> Yes it is ... we even ship an example file for doing that in the tarball
15:11 <@Eugene> A better question: how the shit do you set up a OCSP server :-|
15:12 < haasn> I have no idea, I'm just reading up on it and it's interesting me
15:19 -!- dazo is now known as dazo_afk
15:23 -!- gu [~gu@194.231.39.10] has joined #openvpn
15:28 -!- makara [~makara@105-208-231-228.access.mtnbusiness.co.za] has quit [Ping timeout: 276 seconds]
15:36 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:38 -!- sync0pate [~sync@unaffiliated/sync0pate] has left #openvpn ["Leaving"]
15:39 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
15:40 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
15:43 < pekster> IIRC there's some openssl feature to turn it into an openssl responder; if you're willing to use it, that is :P
15:44 < pekster> OCSP responder*
16:05 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
16:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-xpcrcyblljghcygi] has quit [Quit: Connection closed for inactivity]
16:23 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:24 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
16:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
16:24 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has quit [Quit: Computer has gone to sleep]
16:25 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:30 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: Leaving.]
16:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:53 -!- jmpf [~jmpf@66-162-33-27.static.twtelecom.net] has joined #openvpn
17:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
17:02 < jmpf> I have a connection http://pastie.org/9073871 - can ping/nc from client/server, but I'm trying to reach a host that is reachable from the server and am having trouble
17:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ozkouatkxzgrhxih] has quit [Quit: Connection closed for inactivity]
17:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
17:28 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-eorttflzpznuhpkr] has joined #openvpn
17:29 < haasn> Heh, actually seems to work; but I've gone ahead and set up a CRL either way for simplicity
17:29 < haasn> Rather than running an entire extra server on top of it..
17:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:37 -!- gattytto [gattytto@200.59.75.250] has joined #openvpn
17:38 < gattytto> good evening! I'd like to know if I can use my VPS to host a VPN server, I just got two /128 IPV6 addresses and conntrack is disabled (no chance to get it enabled by ticket)
17:39 < gattytto> !goal
17:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:40 < gattytto> !goal I'd like to use my "no-conntrack+two IPV6 /128" VPS as a vpn server
17:40 -!- sundaymouse [~sundaymou@unaffiliated/sundaymouse] has joined #openvpn
17:41 -!- sundaymouse [~sundaymou@unaffiliated/sundaymouse] has left #openvpn []
17:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:45 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection timed out]
17:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:57 -!- jmpf [~jmpf@66-162-33-27.static.twtelecom.net] has quit [Quit: leaving]
17:59 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has joined #openvpn
18:02 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
18:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:24 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
18:24 < marlinc> Is it possible to let the OpenVPN ca be a subordinate of our company's root ca?
18:29 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:32 < haasn> marlinc: sign the OpenVPN CA using the root CA?
18:36 < marlinc> Wouldn't I need to do a Certificate Authority Request? if so how do I create one using easy-rsa? I know how to do it using the regular openssl tools but not using easy-rsa
18:37 -!- occupant [~null@204.14.158.226] has quit [Read error: Connection reset by peer]
18:40 < haasn> You don't need to use easy-rsa
18:40 < haasn> It really doesn't provide all that much abstraction
18:44 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
18:44 < marlinc> And the OpenVPN servers automatically accepts connections with certificates signed by the CA given to the server right?
18:46 < haasn> Yes
18:51 -!- gattytto [gattytto@200.59.75.250] has quit []
18:52 -!- gattytto [gattytto@200.59.75.250] has joined #openvpn
18:55 < pekster> marlinc: Mostly. It's highly recommended to use MITM protection at least on your clients such that another authorized client cannot MITM another client
18:56 < pekster> Read !mitm for that. This said, you can use "any" CA management utility you want: some options are listed in !certman, but openvpn doesn't care at all what you use. You may also like to read about secure PKI management at: !hardening
18:56 < marlinc> !mitm
18:56 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
18:56 < marlinc> !certman
18:56 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
18:56 < marlinc> !hardening
18:56 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
18:57 < marlinc> !servercert
18:57 <@vpnHelper> "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key or (#2) or just use build-key-server in easy-rsa or (#3) this will help with !mitm
19:00 < thinkpad> how do you prevent hosts on your client's subnet from accessing server's hosts? I'm worried that when I get on unsecure wifi and hook up to my vpn, i'll open up the pcs on server's subnet to them
19:00 < thinkpad> i have a lan-to-lan with tun going
19:00 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
19:01 < marlinc> Could the OpenVPN server use a server certificate generated by this configuration file? http://pki-tutorial.readthedocs.org/en/latest/advanced/server.conf.html
19:01 <@vpnHelper> Title: TLS Server Certificate Request Configuration File OpenSSL PKI Tutorial (at pki-tutorial.readthedocs.org)
19:01 < marlinc> And http://pki-tutorial.readthedocs.org/en/latest/advanced/client.conf.html for clients?
19:01 <@vpnHelper> Title: TLS Client Certificate Request Configuration File OpenSSL PKI Tutorial (at pki-tutorial.readthedocs.org)
19:03 < gattytto> good evening! I'd like to know if I can use my VPS to host a VPN server, I just got two /128 IPV6 addresses and conntrack is disabled (no chance to get it enabled by ticket)
19:09 < thinkpad> !goal
19:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:15 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 246 seconds]
19:18 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
20:05 -!- mkramer_ [~mkramer@p5DDB23A5.dip0.t-ipconnect.de] has joined #openvpn
20:07 -!- joshh20 is now known as joshh20-Away
20:09 -!- freezer [~mkramer@p5DDB19BC.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
20:41 < pekster> thinkpad: firewall, same way you prevent packets from crossing any routing boundry. This said, accessing LANs is not enabled by default in openvpn, but the smart money is on firewalling your hosts correctly regardless
20:43 < thinkpad> pekster: i posted my question with a small illustration here to better explain what i'm trying to do https://forums.openvpn.net/topic15573.html
20:43 <@vpnHelper> Title: OpenVPN Support Forum Advice on security for my setup (illustration included) : Configuration (at forums.openvpn.net)
20:44 < thinkpad> pekster: so firewall then?
20:45 < pekster> If your phone isn't acting as a router it won't forward traffic from the wifi cafe's LAN across the VPN
20:45 < pekster> If someone is able to hack/root/whatever your phone remotely, you have bigger problems anyway
20:49 < thinkpad> that's the ip forwarding?
20:50 < pekster> To forward packets? You need forwarding enabled, and the firewall needs to permit it
20:50 < pekster> When RFC1918 is involved you also need either NAT or a return-route on the remote end
20:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
20:50 < pekster> I _assume_ you haven't set up your phone to be a forwarding IP router?
20:50 < pekster> With NAT enabled?
20:51 < pekster> If not, you're not exposing anything. Unless of course your phone is hacked, but then the attacker has access to your phone (contacts, documents, photos, whatever) anyway, and you're already fucked.
20:51 -!- gattytto [gattytto@200.59.75.250] has quit []
20:53 < thinkpad> hehe yeah. i only enabled ip forwarding on the vpn client that's on the other lan
20:53 < pekster> Right. The point is routing isn't "magic" -- root has to enable it
20:54 < pekster> That's (hopefully) you, but my point is that if a node is compromised and has access to part of your network, it can act as nasty as it wants
20:54 < pekster> ##security is more on-topic if you want to ask general questions about how things get hacked
20:55 < pekster> Client devices (non-routers) should 1) never have forwarding enabled, and 2) practice secure computing in regards to firewalls, passwords, updates, etc
21:12 < thinkpad> thanks for the help
21:12 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has quit [Quit: Leaving]
22:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-eorttflzpznuhpkr] has quit [Quit: Connection closed for inactivity]
23:10 -!- ShadniX [dagger@p5DDFDCD4.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:11 -!- ShadniX [dagger@p5481D880.dip0.t-ipconnect.de] has joined #openvpn
23:20 -!- akurilin [~alex@c-98-234-90-17.hsd1.ca.comcast.net] has quit [Quit: WeeChat 0.4.1]
23:27 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
--- Day changed Sat Apr 12 2014
00:00 -!- acu [~acu@50.244.13.221] has joined #openvpn
00:27 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
01:29 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
01:31 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
01:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
01:38 -!- ChinaMit [~ChinaMit@116.251.216.194] has joined #openvpn
01:38 < ChinaMit> !welcome
01:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:38 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:38 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
01:39 < ChinaMit> !goal
01:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:39 < ChinaMit> !goal I would like to access the internet over my VPN from China
01:50 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Quit: RUN FOR YOUR LIVES!]
01:57 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
01:57 -!- Bretos [~Bretos@vps.tyborek.pl] has left #openvpn []
02:05 -!- ChinaMit [~ChinaMit@116.251.216.194] has quit [Remote host closed the connection]
02:06 -!- ChinaMit [~ChinaMit@216.218.208.51] has joined #openvpn
02:06 -!- tiny [~ivob@unaffiliated/tiny] has joined #openvpn
02:19 -!- ChinaMit_ [~ChinaMit@183.3.245.172] has joined #openvpn
02:20 -!- ChrisH is now known as Guest83162
02:20 -!- ChrisH_ [~dg7pc@dslb-094-221-218-241.pools.arcor-ip.net] has joined #openvpn
02:21 -!- Guest83162 [~dg7pc@dslb-188-109-006-029.pools.arcor-ip.net] has quit [Ping timeout: 250 seconds]
02:21 -!- ChinaMit [~ChinaMit@216.218.208.51] has quit [Ping timeout: 240 seconds]
02:26 -!- tiny [~ivob@unaffiliated/tiny] has left #openvpn ["Leaving"]
02:27 -!- opti2k4 [~opti2k4@cpe-94-253-225-210.st.cable.xnet.hr] has joined #openvpn
02:28 -!- mateee [~opti2k4@cpe-94-253-225-210.st.cable.xnet.hr] has joined #openvpn
02:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:29 < mateee> Hello, is openvpn maybe capped (linux) with 80/60 Mbit ?
02:31 -!- opti2k4 [~opti2k4@cpe-94-253-225-210.st.cable.xnet.hr] has quit [Ping timeout: 258 seconds]
02:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:39 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
02:40 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has joined #openvpn
02:40 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has quit [Changing host]
02:40 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
02:42 -!- s7r_o [~s7r@openvpn/user/s7r] has joined #openvpn
02:42 -!- mode/#openvpn [+v s7r_o] by ChanServ
02:43 -!- ShadniX [dagger@p5481D880.dip0.t-ipconnect.de] has quit [Quit: Bye.]
02:44 -!- ShadniX [dagger@p5481D880.dip0.t-ipconnect.de] has joined #openvpn
02:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
03:08 -!- s7r_o_b [~s7r@openvpn/user/s7r] has joined #openvpn
03:08 -!- mode/#openvpn [+v s7r_o_b] by ChanServ
03:08 -!- s7r_o [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
03:25 -!- s7r_o_b is now known as s7r
03:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:31 -!- mode/#openvpn [+v s7r] by ChanServ
03:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:35 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has joined #openvpn
03:37 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has quit [Client Quit]
04:28 -!- gu [~gu@194.231.39.10] has joined #openvpn
04:28 -!- gu [~gu@194.231.39.10] has quit [Read error: Connection reset by peer]
04:29 -!- gu [~gu@194.231.39.10] has joined #openvpn
04:29 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has joined #openvpn
04:38 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has quit [Quit: Leaving...]
04:43 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
04:49 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has joined #openvpn
04:54 -!- makara [~makara@105-208-230-27.access.mtnbusiness.co.za] has joined #openvpn
04:56 -!- makara [~makara@105-208-230-27.access.mtnbusiness.co.za] has quit [Read error: Connection reset by peer]
05:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:11 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has quit [Quit: Leaving...]
05:27 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Ping timeout: 276 seconds]
05:40 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
05:47 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
05:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
05:54 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
05:54 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:58 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Remote host closed the connection]
06:12 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
06:26 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 246 seconds]
06:29 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ediojegrguwzumqc] has joined #openvpn
06:32 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Remote host closed the connection]
06:37 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:41 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 245 seconds]
06:43 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:43 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 245 seconds]
06:45 < mateee> Hello, is openvpn maybe capped (linux) with 80/60 Mbit ?
06:49 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
06:49 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
06:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:53 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:55 < mcp> mateee: no
06:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
07:00 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has joined #openvpn
07:02 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 252 seconds]
07:04 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:05 -!- optixx [~optixx@xdsl-89-0-208-49.netcologne.de] has quit [Ping timeout: 245 seconds]
07:14 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 246 seconds]
07:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 240 seconds]
07:22 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
07:24 -!- ootput [~ootput@unaffiliated/ootput] has joined #openvpn
07:24 -!- joshh20-Away is now known as joshh20
07:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:26 < ootput> hello guys, I've got a basic question: I'm using Freebsd 9.1 Release, and just installed openvpn to connect to a privateinternetaccess server. I'm using their provided ovpn for the conf, and the openvpn connection seems to be established. However, it now seems lan access to that machine is blocked, and i'm guessing its due to the new tunnel device/route made
07:26 < ootput> can this be addressed?
07:26 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Remote host closed the connection]
07:26 < ootput> ie i still want to access services on the machine from my lan
07:27 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
07:34 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
07:35 < mateee> mcp you sure about that? I'have been testing this issue for several days now. I have a 350/80 line , my VPS sends me data at 140Mbit but best what i can send when pulling data from VPS trough tunnel is 88Mbit. I even tried without encryption. CPU is not at 100% while i am testing this (1 core comes at maximum of 55%)
07:36 < mateee> ... best what i can GET when ...
07:36 < mateee> so it seems i can't find an answer why i am not getting more than 88Mbit over VPN
07:36 < mateee> UDP protocol is used
07:36 < mateee> mtu is at 1380
07:37 < Rienzilla> overhead and/or fragmentation?
07:37 < mateee> keysize 256
07:37 < mateee> comp-lzo adaptive
07:37 < mateee> link-mtu 1300
07:37 < mateee> mssfix 1300
07:37 < mateee> fragment 1300
07:37 < mateee> those options i use for my config
07:38 < mateee> i increase 1300 to 1380 since i was getting some warnings on windows client
07:38 < mateee> now i am doing only linux to linux
07:38 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Remote host closed the connection]
07:40 < mcp> mateee: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
07:40 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
07:41 < mateee> AHA!
07:41 < mateee> thaks!
07:49 < mateee> mcp since i have fiber at home, MTU for xDLS is usually 1492 (i think) so what would be my MTU on fiber do you know by any chance? Also this article decribes LAN environment, so in WAN 1Gbit environment do things change?
07:52 < mcp> mateee: dunno. its still on my todo because some VPN connections are too slow for me too but had no time yet to debug it
07:54 -!- elfixit [~Icedove@238-228.197-178.cust.bluewin.ch] has joined #openvpn
07:54 < Aketzu> 100/10 at home, 100/100 at work... direct iperf 91.4Mbps, openvpn 85.7Mbps
07:54 < Aketzu> default settings
07:55 < mateee> i am getting 80/60 on 100Mbit
07:55 < mateee> server is on 100/100 my conn 350/80
07:55 < mateee> so i would say that should be OK
07:55 < Aketzu> yeah... "good enough"
07:55 < mateee> but i got new server on 1000/1000 and getting almost same results 80/60
07:55 < mateee> so wanted to debug where is the problem
07:56 < mateee> and why i am not getting better results
08:01 -!- ootput [~ootput@unaffiliated/ootput] has quit [Quit: leaving]
08:06 < pekster> !gigabit
08:06 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
08:07 < pekster> Mind that adjusting MTU between endpoints isn't possible when you don't have full control of the entire network path
08:07 -!- elfixit [~Icedove@238-228.197-178.cust.bluewin.ch] has quit [Ping timeout: 250 seconds]
08:15 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Read error: Connection reset by peer]
08:16 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
08:19 -!- mkramer_ [~mkramer@p5DDB23A5.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
08:20 -!- zach [~zfouts@213.251.184.209] has left #openvpn []
08:21 -!- elfixit [~Icedove@zux221-111-244.adsl.green.ch] has joined #openvpn
08:38 -!- elfixit [~Icedove@zux221-111-244.adsl.green.ch] has quit [Remote host closed the connection]
08:39 -!- elfixit [~Icedove@zux221-111-244.adsl.green.ch] has joined #openvpn
08:44 -!- p3rror [~mezgani@41.140.40.32] has joined #openvpn
08:53 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 255 seconds]
08:54 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:54 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
09:02 -!- elfixit [~Icedove@zux221-111-244.adsl.green.ch] has quit [Ping timeout: 245 seconds]
09:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:36 -!- gu [~gu@194.231.39.10] has joined #openvpn
09:39 -!- gu [~gu@194.231.39.10] has quit [Client Quit]
09:42 -!- acu [~acu@50.244.13.221] has joined #openvpn
09:43 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
09:53 -!- p3rror [~mezgani@41.140.40.32] has quit [Ping timeout: 276 seconds]
10:21 -!- mkramer_ [~mkramer@p5DDB23A5.dip0.t-ipconnect.de] has joined #openvpn
10:30 -!- obesd [~obsed@unaffiliated/obesd] has quit [Ping timeout: 252 seconds]
10:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
10:33 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:34 -!- hectorh30 [~hectorh30@190.149.223.38] has quit [Ping timeout: 276 seconds]
10:39 -!- master_o1_master [~master_of@p4FD7B2C9.dip0.t-ipconnect.de] has joined #openvpn
10:43 -!- master_of_master [~master_of@p4FD7B734.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
10:44 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Remote host closed the connection]
10:45 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
10:46 -!- obesd [~obsed@unaffiliated/obesd] has joined #openvpn
10:51 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Remote host closed the connection]
10:51 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
11:04 -!- bonjurkes [~julia@192.34.58.231] has joined #openvpn
11:05 < bonjurkes> hello all, I have 2 issues. 1-) I tried to install openvpn on linux (it works fine on windows) but probably I am missing some iptables setup because I can't ping vpn's ip (10.8.0.1) I want to share this vpn connection via hot spot (will turn device to hotspot after setting up openvpn)
11:07 < pekster> If you can't ping your VPN endpoint, you've either incorrectly set it up or have a firewall blocking the traffic
11:09 -!- bonjurkes2 [~julia@192.34.58.231] has joined #openvpn
11:10 < bonjurkes2> and my second issue is how can openvpn give different ips for different clients?
11:10 < bonjurkes2> it gives same ip 10.8.0.6 for all clients so it causes problem
11:11 -!- bonjurkes [~julia@192.34.58.231] has quit [Ping timeout: 240 seconds]
11:11 < pekster> It will never give the "same" address to another client unless that first one has disconnected
11:11 < bonjurkes2> well it does
11:11 < pekster> You should read about !static and !addressing (type them here) for info on per-client addresses
11:12 < pekster> I'm very sure it doesn't
11:12 < bonjurkes2> maybe it does because both clients same use key files?
11:12 < pekster> If you _think_ it does, read about !configs and paste both ends (including any ccds)
11:12 < pekster> bonjurkes2: Ah, read about !dupe then
11:12 < bonjurkes2> !dupe
11:12 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
11:12 < pekster> It's not actually assigning the same IP: what is happening is the 2nd connect from the "same" client (based on the cert's commonName) is kicking the first one off
11:12 < bonjurkes2> so if I use different keys for different users, openvpn will give different ips?
11:12 < pekster> THus the first isn't on any more ;)
11:12 < pekster> Yes
11:13 < bonjurkes2> okay that's easier and safest optionb
11:13 < pekster> Or if you use --duplicate-cn, but that is discouraged
11:13 < bonjurkes2> I will do that :)
11:13 < pekster> Yup, per-client certs are the way to go
11:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
11:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:29 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Remote host closed the connection]
11:35 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
11:37 < bonjurkes2> .crt and .key files are unique right? ca.crt and ta.key is common?
11:39 < pekster> Yup
11:39 < pekster> Ideally you generate your keys on the end systems, not your CA, but low-security environments somtimes do it anyway for convenience (and easyrsa v2 doesn't make it easy to do it "properly")
11:40 < pekster> OpenVPN doesn't care how you get your PKI created
11:40 < bonjurkes2> yay i got different ip!
11:43 < bonjurkes2> umm I can ping 10.8.0.1 but I can't visit any outer website. Curl fails to resolve anything
11:49 < pekster> Read about !redirect and maybe !pushdns
11:49 < pekster> Sounds like possibly a problem using site-local DNS that refuses your queries when redirected, but that's just a WAG
11:50 < bonjurkes2> !pushdns
11:50 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
11:50 < bonjurkes2> yeah looks like dns issue
11:51 < bonjurkes2> !redirect
11:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:51 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:51 < bonjurkes2> !def1
11:51 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
11:51 < bonjurkes2> !ipforward
11:51 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:52 < bonjurkes2> !linipforward
11:52 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
11:56 < bonjurkes2> didn't understand anything about pushdns
12:00 < pekster> Are you pushing DNS across your link?
12:00 < pekster> TBH, in a redirect situation, you're really better off just using googleDNS on your client
12:00 < pekster> No hassle, and works everywhere
12:01 < pekster> Using ISP DNS may break (as they often don't accept public queries from external sources) and using a LAN DNS resolver won't be redirected due to a more specific routing table match
12:01 < pekster> Pushing DNS is complex and fails in certain cases (your local DHCP client, network-manager, whatever)
12:02 < bonjurkes2> hmm
12:03 < bonjurkes2> i guess my server is pushing dns, because i arranged it like that because i had issues about dns on windows
12:03 < bonjurkes2> so openvpn server is pushing google dns already
12:03 < bonjurkes2> well nope looks like linux is set up to use my isp's dns
12:05 < pekster> Right, if you read !pushdns it says you must have client-side-scripts to do something with it
12:06 < pekster> "all" that happens otherwise is it gets set as an env-var and ignored
12:07 < bonjurkes2> gaaahh
12:14 < bonjurkes2> pfft
12:14 < bonjurkes2> i am using 8.8.8.8 on client, it's all fine till i connect to openvpn
12:15 < bonjurkes2> it creates tun0 and i can't curl or ping google.com
12:15 < pekster> Stop testing "the kitchen sink" -- can you even ping 8.8.8.8?
12:16 < bonjurkes2> i do
12:16 < bonjurkes2> i can't ping google.com
12:17 < pekster> What does `host eff.org` (or something you aren't likely to have in your resolver) say?
12:17 < pekster> Do you get the expected reply?
12:18 < bonjurkes2> 1 sec
12:18 -!- scanman84 [~luser@gateway/tor-sasl/scanman84] has joined #openvpn
12:19 -!- scanman84 [~luser@gateway/tor-sasl/scanman84] has left #openvpn []
12:19 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:22 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
12:22 < scanman84> !welcome
12:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:22 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:22 < bonjurkes2> root@raspberrypi:~# host eff.org
12:22 < bonjurkes2> Host eff.org not found: 5(REFUSED)
12:23 < bonjurkes2> it's all fine if openvpn service is stopped
12:23 < pekster> What's /etc/resolv.conf when you're connected?
12:24 < pekster> The DNS server is refusing your query, so DNS is clearly not working when it comes up
12:24 < pekster> GoogleDNS should not AFAIK refuse queries, so either you're not really using google DNS, or something along the link is hijacking it. Or they managed to get banned from the service ;)
12:24 < bonjurkes2> it set back to my isp's resolver, changed them back to 8.8.8.8 and now host eff.org worked
12:25 < pekster> Then go fix "it"
12:25 < pekster> Sounds like your distro has automagic DNS-management stuff that's doing something you don't want
12:25 < bonjurkes2> let me get my gun
12:25 < bonjurkes2> yay!
12:26 < bonjurkes2> curl ifconfig.me shows the correct result now
12:26 < bonjurkes2> looks like my dhcp is reverting it back
12:29 < pekster> Obviously something is doing that. Go fix whatever utility you've given permission (knowingly or not) to mess with your DNS
12:29 < pekster> DHCP clients like to have fingers in DNS, and so do network management utilities (networkManager, wicd, etc)
12:30 < scanman84> !paste
12:30 < pekster> Read your distro/client docs, becuase they often have a way to "just leave my DNS alone" -- then you can use googleDNS all the time
12:30 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
12:30 -!- alexwebr [~alexwebr@162.243.13.193] has left #openvpn []
12:30 < scanman84> !configs
12:30 < bonjurkes2> i set resolver.conf read only, so it doesnt get changed now :)
12:30 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:33 -!- joshh20 is now known as joshh20-Away
12:43 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has quit [Quit: Segmentation fault...]
12:44 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has joined #openvpn
12:48 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
12:48 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
12:51 -!- scanman84 is now known as scanman
13:10 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 258 seconds]
13:23 -!- Guest27951 [~marme@li388-49.members.linode.com] has quit [Quit: Lost terminal]
13:32 -!- scanman [~scanman84@gateway/tor-sasl/scanman84] has left #openvpn ["Segmentation fault..."]
13:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
13:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:36 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
13:36 < scanman84> !configs
13:36 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:39 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has left #openvpn []
13:44 -!- gu [~gu@194.231.39.10] has joined #openvpn
13:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:04 -!- codingrobot [~codingrob@77.118.77.50.wireless.dyn.drei.com] has joined #openvpn
14:06 < codingrobot> I have a rather strange issue with openvpn. My vpn used to work smoothly, but for the last few days the speeds are <20kb/s. SSH to the same remote server reaches 10Mbps+. Now I tried openvpn over ssh tunnel and the speed remained slow. Any ideas? The configuration hasn't changed except upgrade of openssl.
14:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:16 <@krzee> !polarssl
14:16 <@vpnHelper> "polarssl" is (#1) https://polarssl.org/core-features polarssl is an alternative to openssl which openvpn supports. it is open source, small with clean code, and made for the embedded world. openvpn connect (ios,android) uses this instead of openssl. or (#2) https://community.openvpn.net/openvpn/wiki/UsingPolarSSL
14:23 < pekster> codingrobot: Speeds that slow suggest some form of QoS or other network issue is at play; there's effectively no kind of hardware that actually performs that badly under normal conditions
14:23 < pekster> codingrobot: Try checking logs for issues like replay protection (use `--verb 4`) and otherwise perform some speed test purely across the inside of the tunnel (ie: to the VPN endpoint)
14:24 -!- joshh20-Away is now known as joshh20
14:27 < codingrobot> pekster: I just tried netcat over the tunnel and it seems fine. All other services (ssh,http) are slow... I'm still investigating but at least the tunnel itself is ok
14:28 < pekster> Then your problem appears to be with those services. I assume you're reaching them on your VPN endpoint? If not, it could be "any" of the hops involved getting to your final destination
14:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:47 -!- hectorh30 [~hectorh30@190.149.223.38] has joined #openvpn
14:56 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
14:56 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
14:57 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:57 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
14:57 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 245 seconds]
14:58 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:58 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:00 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:00 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:00 < codingrobot> yep.. this seems to be really strange behaviour
15:01 -!- hectorh30 [~hectorh30@190.149.223.38] has quit [Remote host closed the connection]
15:01 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:01 -!- acu [~acu@50.244.13.221] has joined #openvpn
15:01 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:04 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:04 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:07 -!- seebaer [~seba@kratzbaum.someserver.de] has joined #openvpn
15:07 -!- seebaer is now known as seba
15:29 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 250 seconds]
15:31 -!- acu [~acu@50.244.13.221] has joined #openvpn
15:42 -!- obesd [~obsed@unaffiliated/obesd] has quit [Ping timeout: 250 seconds]
15:47 -!- p3rror [~mezgani@41.140.40.32] has joined #openvpn
15:50 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
15:50 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
16:07 -!- otwieracz [~gonet9@v6.gen2.org] has quit [Ping timeout: 246 seconds]
16:10 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has quit [Quit: Leaving...]
16:14 -!- pjschmitt [~parker@209.141.56.12] has quit [Changing host]
16:14 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
16:14 -!- otwieracz [~gonet9@v6.gen2.org] has joined #openvpn
16:20 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
16:49 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has joined #openvpn
16:54 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has quit [Ping timeout: 258 seconds]
17:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:03 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
17:09 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has joined #openvpn
17:11 -!- bonjurkes2 [~julia@192.34.58.231] has quit [Ping timeout: 240 seconds]
17:13 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has quit [Ping timeout: 250 seconds]
17:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:20 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:35 -!- gu2 [~gu@194.231.39.10] has quit [Quit: Leaving.]
17:46 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
17:47 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has joined #openvpn
17:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:51 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has quit [Ping timeout: 240 seconds]
17:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
17:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:37 -!- mateee [~opti2k4@cpe-94-253-225-210.st.cable.xnet.hr] has quit []
18:47 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has joined #openvpn
18:52 -!- optixx [~optixx@xdsl-85-197-13-49.netcologne.de] has quit [Ping timeout: 258 seconds]
19:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
19:22 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 252 seconds]
19:25 -!- gu [~gu@194.231.39.10] has joined #openvpn
19:27 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
19:52 -!- budmang_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
19:56 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 258 seconds]
20:04 -!- mkramer__ [~mkramer@p4FC96421.dip0.t-ipconnect.de] has joined #openvpn
20:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
20:07 -!- mkramer_ [~mkramer@p5DDB23A5.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
20:11 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
--- Log closed Sat Apr 12 20:14:40 2014
--- Log opened Sat Apr 12 20:14:47 2014
20:14 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
20:14 -!- Irssi: #openvpn: Total of 239 nicks [8 ops, 0 halfops, 5 voices, 226 normal]
20:14 !sendak.freenode.net [freenode-info] why register and identify? your IRC nick is how people know you. http://freenode.net/faq.shtml#nicksetup
20:14 -!- mode/#openvpn [+o ecrist] by ChanServ
20:15 -!- Irssi: Join to #openvpn was synced in 33 secs
20:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
20:21 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Quit: brianblaze420]
20:22 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
20:23 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 276 seconds]
20:23 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
20:26 -!- mezgani [~mezgani@41.140.180.145] has joined #openvpn
20:29 -!- p3rror [~mezgani@41.140.40.32] has quit [Ping timeout: 252 seconds]
20:36 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
20:39 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:41 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
21:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
21:08 -!- mezgani [~mezgani@41.140.180.145] has quit [Quit: Leaving]
21:11 -!- batrick [batrick@nmap/developer/batrick] has quit [Read error: Connection reset by peer]
21:16 -!- acu [~acu@50.244.13.221] has joined #openvpn
21:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
21:18 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
21:22 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 258 seconds]
21:27 -!- brianblaze420 [~admin@modemcable235.154-82-70.mc.videotron.ca] has joined #openvpn
21:27 -!- brianblaze420 [~admin@modemcable235.154-82-70.mc.videotron.ca] has quit [Changing host]
21:27 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
21:29 -!- mkramer__ [~mkramer@p4FC96421.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
21:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-yssvpjszyltlbryp] has quit [Ping timeout: 240 seconds]
21:36 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Read error: Connection reset by peer]
21:41 -!- JBravo [~ra@babylon5.ra.is] has joined #openvpn
21:41 < JBravo> Anyone in the mood to help me figure out why openvpn isnt working properly?    I get the connection up but I cant ping anything except my local tun0 device
21:42 < JBravo> I get the routes I need as well
21:42 -!- kirin` [telex@gateway/shell/anapnea.net/x-hlzkeqqzizfjtwwn] has joined #openvpn
21:44 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
21:45 < JBravo> bah. needed to enable lzo on my end
21:45 < JBravo> :)
21:45 -!- JBravo [~ra@babylon5.ra.is] has left #openvpn ["Leaving"]
21:46 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
21:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-hlzkeqqzizfjtwwn] has quit [Ping timeout: 258 seconds]
21:50 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 246 seconds]
21:51 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
21:53 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Quit: brianblaze420]
21:54 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 258 seconds]
22:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ediojegrguwzumqc] has quit [Quit: Connection closed for inactivity]
22:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-jsrfudkkjojdefwn] has joined #openvpn
22:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
22:22 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 276 seconds]
22:28 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
22:33 -!- Netsplit *.net <-> *.split quits: flickerfly, Zarrsh, Six6siX, Eagleman, Morley93, penguinpowernz, simcop2387, budmang_, Denial, jgeboski,  (+5 more, use /NETSPLIT to show all of them)
22:33 -!- Netsplit *.net <-> *.split quits: GabrieleV, d10n, @raidz, TypoNe, NChief, t0r, edge226, @krzee, troyt, bogie,  (+76 more, use /NETSPLIT to show all of them)
22:33 -!- Netsplit *.net <-> *.split quits: hive-mind, defswork, jave, guntha`, marlinc, mete, APTX, soapee01, kwork, tharkun,  (+49 more, use /NETSPLIT to show all of them)
22:33 -!- Netsplit *.net <-> *.split quits: Nothing4You, MatToufoutu, get, dvl, codingrobot, phreakocious, sunwind`, h6w, meepmeep, Beta2K,  (+44 more, use /NETSPLIT to show all of them)
22:33 -!- Netsplit *.net <-> *.split quits: rustem, harlan, manitu, woshty, fremo
--- Day changed Sun Apr 13 2014
00:16 -!- lamokie [~steve@li428-245.members.linode.com] has joined #openvpn
00:16 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
00:16 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
00:16 -!- yauz [9571c35871@osgiliath.yauz.de] has joined #openvpn
00:16 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
00:16 -!- Arr0way [arr0w@unaffiliated/arr0way] has joined #openvpn
00:16 -!- benedikt [~benedikt@unaffiliated/benedikt] has joined #openvpn
00:16 -!- Hes [AHO65@tunkki.fi] has joined #openvpn
00:16 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has joined #openvpn
00:16 -!- dvl [~dan@pdpc/supporter/active/dvl] has joined #openvpn
00:16 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
00:16 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has joined #openvpn
00:16 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
00:16 -!- maxiepax [max@locke.misse.org] has joined #openvpn
00:16 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
00:16 -!- matsh [divine@nanogene.org] has joined #openvpn
00:16 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
00:16 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
00:16 -!- mrrg [~notabot@209.20.75.42] has joined #openvpn
00:16 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
00:16 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
00:16 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
00:16 -!- JSharpe_ [~JSharpe@31.205.60.241] has joined #openvpn
00:16 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
00:16 -!- kevinsky [~kevin@senna.rosendaal.net] has joined #openvpn
00:16 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
00:16 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
00:16 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
00:16 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
00:16 -!- nocturn [~nocturn@unaffiliated/nocturn] has joined #openvpn
00:16 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
00:16 -!- aji [~alex@atheme/member/aji] has joined #openvpn
00:16 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
00:16 -!- otwieracz [~gonet9@v6.gen2.org] has joined #openvpn
00:16 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
00:16 -!- a [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
00:16 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
00:16 -!- thumbs [1000@70.81.116.26] has joined #openvpn
00:16 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
00:16 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
00:16 -!- ChrisH_ [~dg7pc@dslb-094-221-218-241.pools.arcor-ip.net] has joined #openvpn
00:16 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
00:16 -!- pjschmitt [~parker@unaffiliated/schmitt953] has joined #openvpn
00:16 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
00:16 -!- digitalp1nk [~scout@mail.zemaitijos-spauda.lt] has joined #openvpn
00:16 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
00:16 -!- ServerMode/#openvpn [+o dazo_afk] by sendak.freenode.net
00:16 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
00:16 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
00:16 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
00:16 -!- maskedlua [~quassel@unaffiliated/themaskedlua] has joined #openvpn
00:16 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
00:16 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
00:16 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
00:16 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-urrvnnnjspzhsuhj] has joined #openvpn
00:16 -!- mete [~mete@91.247.253.160] has joined #openvpn
00:16 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
00:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
00:16 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
00:16 -!- kwmiebach [sid16855@gateway/web/irccloud.com/x-uazriwxffbhmrjta] has joined #openvpn
00:16 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has joined #openvpn
00:16 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
00:16 -!- budmang_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
00:16 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
00:16 -!- Denial [Denial@90.214.34.101] has joined #openvpn
00:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
00:16 -!- penguinpowernz [~robert@180.189.199.6] has joined #openvpn
00:16 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
00:16 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
00:16 -!- ShadniX [dagger@p5DDFE93F.dip0.t-ipconnect.de] has joined #openvpn
00:16 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
00:16 -!- codingrobot [~codingrob@77.118.77.50.wireless.dyn.drei.com] has joined #openvpn
00:16 -!- master_o1_master [~master_of@p4FD7B2C9.dip0.t-ipconnect.de] has joined #openvpn
00:16 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
00:16 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
00:16 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
00:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
00:16 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
00:16 -!- dschoepe [~dschoepe@unaffiliated/dschoepe] has joined #openvpn
00:16 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:16 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
00:16 -!- get [219@unaffiliated/get] has joined #openvpn
00:16 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
00:16 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
00:16 -!- harlan [~harlan@ntp/pmgr/harlan] has joined #openvpn
00:16 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
00:16 -!- ServerMode/#openvpn [+ooov vpnHelper syzzer novaflash _quadDamage] by sendak.freenode.net
00:16 -!- woshty [~irc@84.200.211.57] has joined #openvpn
00:16 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
00:16 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
00:16 -!- rustem [~ka4ok@141.0.170.169] has joined #openvpn
00:16 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
00:16 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
00:16 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
00:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-jsrfudkkjojdefwn] has joined #openvpn
00:16 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:16 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
00:16 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
00:16 -!- u0m3 [~u0m3@92.80.126.165] has joined #openvpn
00:16 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
00:16 -!- lamba [~lamba@unaffiliated/lamba] has joined #openvpn
00:16 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
00:16 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
00:16 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
00:16 -!- Falcon| [andreas@shell.lamerschool.net] has joined #openvpn
00:16 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
00:16 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
00:16 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
00:16 -!- megaTherion [~therion@unix.io] has joined #openvpn
00:16 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
00:16 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
00:16 -!- ngharo [~ngharo@95.211.6.133] has joined #openvpn
00:16 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
00:16 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-skjtrmuqxjgeahdc] has joined #openvpn
00:16 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
00:16 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
00:18 -!- danielbw [~danielbw@secured.monstertool.com] has joined #openvpn
00:18 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:18 -!- plaisthos [~arne@kamera.blinkt.de] has joined #openvpn
00:18 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::20] has joined #openvpn
00:18 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
00:18 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
00:18 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
00:18 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
00:18 -!- fred`` [fred@earthli.ng] has joined #openvpn
00:18 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
00:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
00:18 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
00:18 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
00:18 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
00:18 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
00:18 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
00:18 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
00:18 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
00:18 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
00:18 -!- __FBi [B@dont.uwantmy.info] has joined #openvpn
00:18 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
00:18 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
00:18 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
00:18 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
00:18 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
00:18 -!- ServerMode/#openvpn [+v __FBi] by sendak.freenode.net
00:18 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
00:18 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
00:18 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
00:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
00:18 -!- ben1066 [~quassel@unaffiliated/ben1066] has joined #openvpn
00:18 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
00:18 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
00:18 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:18 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
00:18 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:18 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
00:18 -!- lazzer_ [~mattias@213.132.98.41] has joined #openvpn
00:18 -!- levifig [sid1908@gateway/web/irccloud.com/x-qzbtqupfbzxbncwo] has joined #openvpn
00:18 -!- Wolfbutt [~quassel@sona-gaming.com] has joined #openvpn
00:18 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
00:18 -!- busch [~busch@datenschleuder.com] has joined #openvpn
00:18 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
00:18 -!- xBytez__ [xBytez@libxbytez.so] has joined #openvpn
00:18 -!- Eugene [eugene@itvends.com] has joined #openvpn
00:18 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
00:18 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
00:18 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
00:18 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
00:18 -!- haasn [~nand@2a01:4f8:d13:5245::2] has joined #openvpn
00:18 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
00:18 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
00:18 -!- ServerMode/#openvpn [+oo Eugene krzee] by sendak.freenode.net
00:18 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
00:18 -!- raidz [~raidz@raidz.im] has joined #openvpn
00:18 -!- peper [~peper@node.piotrj.org] has joined #openvpn
00:18 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
00:18 -!- vn [~sys6x@nostalgeek.net] has joined #openvpn
00:18 -!- Varazir [~mircwars@c-94-255-128-92.cust.bredband2.com] has joined #openvpn
00:18 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
00:18 -!- flickerfly [~jritchie@216.115.64.202] has joined #openvpn
00:18 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:18 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
00:18 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
00:18 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
00:18 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has joined #openvpn
00:18 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
00:18 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
00:18 -!- sontek [~sontek@opensuse/member/Sontek] has joined #openvpn
00:18 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
00:18 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
00:18 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
00:18 -!- ServerMode/#openvpn [+v hazardous] by sendak.freenode.net
00:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:18 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
00:18 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
00:18 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
00:18 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
00:18 -!- ServerMode/#openvpn [+vv s7r reiffert] by sendak.freenode.net
00:19 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Max SendQ exceeded]
00:19 -!- fejjerai [~quassel@kde/mitchell] has quit [Max SendQ exceeded]
00:19 -!- peper [~peper@node.piotrj.org] has quit [Max SendQ exceeded]
00:19 -!- peper [~peper@node.piotrj.org] has joined #openvpn
00:19 -!- fejjerai [~quassel@corkblock.jefferai.org] has joined #openvpn
00:22 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 240 seconds]
00:22 -!- kirin` [telex@gateway/shell/anapnea.net/x-jsrfudkkjojdefwn] has quit [Read error: Connection reset by peer]
00:22 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
00:24 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
00:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-mjnyesklrxmeilqs] has joined #openvpn
00:31 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
00:31 -!- Fruckiwacki [fruckiwack@5.135.190.66] has joined #openvpn
00:31 -!- liriel [~liriel@aphrodite.feralhosting.com] has joined #openvpn
00:31 -!- t0r [~textual@167.206.48.217] has joined #openvpn
00:31 -!- Latrina [~Latrina@adsl-ull-238-209.50-151.net24.it] has joined #openvpn
00:31 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
00:31 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
00:31 -!- JuriadoBalzac [~cpe@www.badcode.net] has joined #openvpn
00:31 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
00:31 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
00:31 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
00:31 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-htzfiowltssxdwbj] has joined #openvpn
00:31 -!- riddle [riddle@us.yunix.net] has joined #openvpn
00:31 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
00:31 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
00:31 -!- dren__ [dren@access.not.allowed.org] has joined #openvpn
00:31 -!- sono [~sono@tucana.uberspace.de] has joined #openvpn
00:31 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
00:31 -!- emid [~emid@192.241.162.156] has joined #openvpn
00:31 -!- ron_ [~ron@ppp118-210-232-69.lns20.adl6.internode.on.net] has joined #openvpn
00:31 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
00:31 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
00:31 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
00:31 -!- defswork [~andy@141.0.50.105] has joined #openvpn
00:31 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
00:31 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-vdxfsqfbmbtszbqz] has joined #openvpn
00:33 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
00:38 -!- t0r [~textual@167.206.48.217] has quit [Ping timeout: 246 seconds]
00:38 -!- Cr4zi3 [killaz@staff.xbins.org] has joined #openvpn
00:48 -!- Champi [Champi@rootshell.fr] has joined #openvpn
01:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
01:21 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 240 seconds]
01:28 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-vdxfsqfbmbtszbqz] has quit [Quit: ZNC - http://znc.in]
01:29 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-ldgvsahmscanbgmp] has joined #openvpn
01:37 -!- tapout [~tapout@ns4007107.ip-198-27-81.net] has joined #openvpn
01:40 -!- tapout [~tapout@ns4007107.ip-198-27-81.net] has quit [Remote host closed the connection]
01:42 -!- tapout [~tapout@ns4007107.ip-198-27-81.net] has joined #openvpn
01:43 -!- tapout [~tapout@ns4007107.ip-198-27-81.net] has left #openvpn []
01:44 -!- tapout [~tapout@ns4007107.ip-198-27-81.net] has joined #openvpn
01:45 -!- tapout [~tapout@ns4007107.ip-198-27-81.net] has quit [Remote host closed the connection]
02:06 -!- goldkatze [~nobody@188-192-253-29-dynip.superkabel.de] has joined #openvpn
02:12 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
02:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
02:18 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-ldgvsahmscanbgmp] has quit [Changing host]
02:18 -!- truexfan81 [truexfan81@unaffiliated/truexfan81] has joined #openvpn
02:18 -!- truexfan81 [truexfan81@unaffiliated/truexfan81] has quit [Changing host]
02:18 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-ldgvsahmscanbgmp] has joined #openvpn
02:18 -!- a is now known as Guest38352
02:18 -!- thumbs is now known as Guest23550
02:18 -!- heraclitus is now known as Guest74179
02:18 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
02:18 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
02:18 -!- fejjerai is now known as Guest62618
02:18 -!- goldkatze is now known as Guest48648
02:18 -!- raidz [~raidz@raidz.im] has quit [Changing host]
02:18 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
02:18 -!- mode/#openvpn [+o raidz] by ChanServ
02:18 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-ldgvsahmscanbgmp] has quit [Quit: ZNC - http://znc.in]
02:18 -!- kenyon is now known as Guest73739
02:19 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
02:19 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-jxxqllbsqgxnzoss] has joined #openvpn
02:20 -!- Guest23550 [1000@70.81.116.26] has quit [Changing host]
02:20 -!- Guest23550 [1000@unaffiliated/thumbs] has joined #openvpn
02:21 -!- Guest23550 [1000@unaffiliated/thumbs] has left #openvpn []
02:21 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 245 seconds]
02:29 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
02:30 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
02:32 -!- aji [~alex@atheme/member/aji] has quit [Quit: Segmentation fault (aji dumped)]
02:32 -!- aji [~alex@atheme/member/aji] has joined #openvpn
02:39 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
02:40 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
02:40 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
02:41 -!- Guest74179 [~heraclitu@208.64.66.92] has left #openvpn []
02:41 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:42 -!- codingrobot [~codingrob@77.118.77.50.wireless.dyn.drei.com] has quit [Quit: leaving]
02:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:17 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
03:21 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 258 seconds]
03:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:50 -!- obesd [~obsed@unaffiliated/obesd] has joined #openvpn
03:52 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has joined #openvpn
03:59 -!- obesd [~obsed@unaffiliated/obesd] has left #openvpn []
04:18 -!- Netsplit *.net <-> *.split quits: jeev, guntha`, svg, davidmp, kwork, tapout, Latrina, tharkun, sono, Cr4zi3,  (+15 more, use /NETSPLIT to show all of them)
04:19 -!- Netsplit over, joins: tapout, Cr4zi3, Fruckiwacki, liriel, Latrina, Cultist, yoavz, JuriadoBalzac, kwork, soapee01 (+15 more)
04:30 -!- codingrobot [~codingrob@77.118.27.112.wireless.dyn.drei.com] has joined #openvpn
04:31 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yqztuvjgluqnueim] has joined #openvpn
04:31 < codingrobot> anyone having super slow tunnels with the latest kernel 3.14? 3.13 works w/o problems
04:34 < codingrobot> seems to be a known regression in 3.14...
04:38 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
04:49 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
04:49 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
04:55 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
04:57 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
04:58 -!- mkramer__ [~mkramer@p4FC96421.dip0.t-ipconnect.de] has joined #openvpn
05:11 -!- gu [~gu@194.231.39.10] has joined #openvpn
05:21 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
05:21 -!- gu [~gu@194.231.39.10] has joined #openvpn
05:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ypmqyczcbxnklfwc] has joined #openvpn
05:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:41 -!- gu [~gu@194.231.39.10] has quit [Ping timeout: 240 seconds]
05:46 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
05:54 -!- gu [~gu@194.231.39.10] has joined #openvpn
06:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
06:22 -!- heraclitus [~heraclitu@208.64.66.92] has joined #openvpn
06:22 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Remote host closed the connection]
06:23 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
06:26 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
06:26 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Remote host closed the connection]
06:28 -!- Guest29998 [Fusl@unaffiliated/fusl] has joined #openvpn
06:29 -!- Guest38352 [~d@iad1-vshost12.dreamhost.com] has quit [Quit: Reconnecting]
06:29 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
06:36 -!- Guest29998 [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
06:38 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
06:42 -!- heraclitus__ [~heraclitu@208.64.66.92] has quit [Remote host closed the connection]
06:43 -!- joshh20-Away is now known as joshh20
06:43 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
06:43 -!- heraclitus__ [~heraclitu@208.64.66.92] has quit [Remote host closed the connection]
06:45 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
07:05 -!- kunago [~kunago@77.87.243.110] has joined #openvpn
07:07 < kunago> Hi. Would anyone know if it is possible to redirect a traffic from OpenVPN server (which has a public IP) to an internal machine on a different subnet and on a specific port?
07:13 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
07:44 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
07:47 -!- gardar [~gardar@bnc.giraffi.net] has quit [Quit: ZNC - http://znc.in]
07:52 -!- optixx [~optixx@xdsl-89-0-241-119.netcologne.de] has quit [Ping timeout: 252 seconds]
08:12 -!- N34lO [~weechat@2a00:12d8:2004::ccc] has joined #openvpn
08:14 < N34lO> hi, i have a problem with openvpn - the client connects correctly to the server but i can't ping the other end (running openvpn --config [file] for debuging - no errors are shown / no messages when pinging)
08:22 -!- kunago [~kunago@77.87.243.110] has quit []
08:24 -!- ben1066 [~quassel@unaffiliated/ben1066] has quit [Remote host closed the connection]
08:24 -!- mkramer__ [~mkramer@p4FC96421.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
08:46 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
08:50 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Client Quit]
08:51 -!- Guest73739 [kenyon@darwin.kenyonralph.com] has left #openvpn []
08:52 -!- jerbob92 [jerbob92@2001:41d0:1:fe2e::1] has joined #openvpn
08:53 < jerbob92> hi guys, what's the best way to route some of your traffic over the vpn? everytime i remove the 0.0.0.0/1 default gw route, i can't seem to get any traffic over openvpn anymore
08:53 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
08:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:55 <@krzee> by correctly configuring your routers
08:55 <@krzee> routes*
08:55 <@krzee> whatever is routed to go over the vpn, will.
08:55 <@krzee> !101
08:56 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
08:59 < jerbob92> ok sorry :/
09:03 -!- N34lO [~weechat@2a00:12d8:2004::ccc] has left #openvpn ["..."]
09:08 < jerbob92> krzee, what if my $ifconfig_remote is empty in my route script
09:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yqztuvjgluqnueim] has quit [Quit: Connection closed for inactivity]
09:36 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
09:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:37 -!- mode/#openvpn [+v s7r] by ChanServ
09:43 -!- gu [~gu@194.231.39.10] has joined #openvpn
09:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:49 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has joined #openvpn
09:58 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
10:02 -!- jackbrown [~se@93-44-54-187.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:02 <@krzee> !script
10:02 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
10:03 <@krzee> which script is a route script?  --route-up?
10:05 < jerbob92> krzee, yeah, but i got it working already
10:06 <@krzee> cool
10:06 < jerbob92> i removed the route-nopull and replace the route in uo.sh
10:06 < jerbob92> up
10:11 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
10:39 -!- master_of_master [~master_of@p4FD7B6EB.dip0.t-ipconnect.de] has joined #openvpn
10:42 -!- master_o1_master [~master_of@p4FD7B2C9.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
11:28 -!- joshh20 is now known as joshh20-Away
11:28 -!- codingrobot [~codingrob@77.118.27.112.wireless.dyn.drei.com] has quit [Ping timeout: 252 seconds]
11:30 -!- codingrobot [~codingrob@77.118.125.115.wireless.dyn.drei.com] has joined #openvpn
11:44 -!- n13l [~Daniel@aaa.anect.cz] has quit [Ping timeout: 258 seconds]
11:45 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 250 seconds]
11:49 -!- Nirgali42 [~dmart@74-143-121-180.static.insightbb.com] has joined #openvpn
11:49 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: Leaving.]
11:54 -!- Nirgali42 [~dmart@74-143-121-180.static.insightbb.com] has quit [Ping timeout: 240 seconds]
11:55 -!- gu [~gu@194.231.39.10] has joined #openvpn
12:07 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 252 seconds]
12:09 -!- mback2k_ is now known as mback2k
12:11 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:14 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
12:15 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
12:16 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:17 -!- mapps [~map@2e40c43a.skybroadband.com] has joined #openvpn
12:18 -!- joshh20-Away is now known as joshh20
12:30 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has quit [Quit: Leaving]
12:30 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has joined #openvpn
12:33 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
12:34 -!- Guest48648 [~nobody@188-192-253-29-dynip.superkabel.de] has left #openvpn []
12:39 -!- mback2k is now known as mback2k_
12:41 -!- flixner [~flixner@2a02:908:dc44:d100:224:e8ff:fed2:db7b] has joined #openvpn
12:41 < flixner> hi there
12:43 < flixner> do i have to reinstall openvpn on vpn client-machines if the vpn-server is not openvpn?
12:44 < pekster> !notcompat
12:44 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
12:44 < pekster> ie: OpenVPN only connects to things that use the OpenVPN wire-protocol
12:44 <+reiffert> do you know if openvpn clients are compatible with openvpn Access Server? ;)
12:45 < pekster> "probably", but AS & "OpenVPN Connect" (more info at: !connect) are commercial products that are unsupported here. "OpenVPN Connect" doesn't even use GPL/open code
12:45 < pekster> AS is just a non-free web frontend to the OpenVPN 2.2.x series
12:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:52 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
12:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Write error: Connection reset by peer]
12:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:53 -!- mode/#openvpn [+v s7r] by ChanServ
13:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
13:37 -!- u0m3_ [~u0m3@92.80.126.165] has joined #openvpn
13:39 -!- u0m3 [~u0m3@92.80.126.165] has quit [Ping timeout: 245 seconds]
13:46 -!- sono [~sono@tucana.uberspace.de] has quit [Quit: Changing server]
13:56 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:59 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Remote host closed the connection]
14:06 < flixner> hmm, did anyone of you reply me :D ?
14:07 < pekster> flixner: Yes, 51 seconds after you asked
14:07 < flixner> as openvpn-clients are not servers and their dynip changes all the time, they are not open for request and so do not have to be upgraded?
14:07 < Rienzilla> heh
14:07 < Rienzilla> weird network issues ftw
14:07 < flixner> oh well pekster, thx .. so than i did not get it
14:07 < pekster> YOu haven't disconnected since then. You simply did not read it
14:08 < flixner> get it meant as "i do not understand" :)
14:08 < pekster> OpenVPN will not inter-operate with anything that is not OpenVPN.
14:09 < pekster> PPTP, IPSec, and L2TP are all incompatible protocols
14:09 < pekster> In turn, they each only communicate with each other too
14:09 < Rienzilla> anyone wanna guess at the root cause of this problem (not openvpn related so insult me if this is offtopic :)): Motherboard with separate management nic. plug it into a switch, give ip, works... plug one of the real nics of the mobo into a switch on the same subnet: also works... Now, configure the real nic and its switchport to use tagged vlans: communication to the separate management port gets 80% packet loss
14:09 < Rienzilla> I'm at a loss :-)
14:10 < pekster> You want ##networking
14:10 < pekster> That's not even marginally openvpn related
14:10 < Rienzilla> it's not, but people here tend to know their networking :)
14:10 < pekster> http://catb.org/~esr/faqs/smart-questions.html#forum
14:10 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
14:10 < Rienzilla> never mind, I'll take it somewhere else
14:10 < pekster> Thanks
14:10 < Rienzilla> oh please
14:12 < pekster> flixner: What "non-OpenVPN" software are you trying to operate with?
14:21 -!- Mike-- [mad@mx.probie.nl] has quit []
14:28 -!- jerbob92 [jerbob92@2001:41d0:1:fe2e::1] has left #openvpn ["Ik ga weg"]
14:36 -!- warriorforGod [~warriorfo@ip24-252-61-224.om.om.cox.net] has joined #openvpn
14:36 -!- warriorforGod [~warriorfo@ip24-252-61-224.om.om.cox.net] has quit [Changing host]
14:36 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has joined #openvpn
14:46 <@krzee> Rienzilla, you didnt join #networking...
14:47 <@krzee> ?
14:54 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
15:05 < flixner> pekster: its about heartbleed, one oy my customers has about 50 employes out there ... do I have to upgrade all these openvpn client-version on windows that have installed version 2.3.2?
15:07 < flixner> sry for my late answer :/
15:08 < pekster> You should ideally, yes. If you are currently (and _always_ have) used --tls-auth with every involved keypair, only people who have (or ever had) the --tls-auth  key could have possibly attacked you
15:08 < pekster> (which is hopefully just your "trusted" clients, but could in "theory" be anyone who used their PC for 2 minutes or more)
15:11 -!- MaxFrames [kvirc@unaffiliated/maxframes] has joined #openvpn
15:16 <+reiffert> in short: no impact
15:19 < pekster> Well, "minimal" impact. It's still vulnerable from a TLS standpoint, but to attack it, a bad-actor would also need the --tls-auth key
15:19 < pekster> You 'should' still upgrade everyone, and 'should' still give them new keypairs, but there's probably not a rush in your case
15:19 < pekster> If it takes 8 weeks, so be it
15:23 < tony1> i wonder how bad it has been exploited
15:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ypmqyczcbxnklfwc] has quit [Quit: Connection closed for inactivity]
15:27 < flixner> pekster ... thx
15:27 < flixner> that is what I also guess
15:29 < flixner> so I will advice my customer to upgrade the server-system, create new vpn-zert and make an upgrade plan ... how do big company do this? this is $$$ :/
15:31 < MaxFrames> after doing this, big companies should consider supporting openssl
15:32 < MaxFrames> or generally speaking, free software they consistently rely on for their core businesses, and adopt seamlessly without contributing to it
15:33 -!- gu [~gu@194.231.39.10] has quit [Ping timeout: 250 seconds]
15:33 < MaxFrames> one would think google, amazon or yahoo (to name but a few) can afford a team of developers doing bug hunting around the clock
15:33 -!- gu [~gu@194.231.39.10] has joined #openvpn
15:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
15:40 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
15:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:43 -!- Mike-- [mad@mx.probie.nl] has quit [Client Quit]
15:43 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
15:43 -!- Mike-- [mad@mx.probie.nl] has quit [Client Quit]
15:43 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
15:51 -!- MaxFrames [kvirc@unaffiliated/maxframes] has quit [Quit: It's nice to be important, but it's more important to be nice]
16:03 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-xaphexovbwfkukzf] has joined #openvpn
16:08 -!- ChrisH_ [~dg7pc@dslb-094-221-218-241.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
16:10 -!- ChrisH [~dg7pc@dslb-094-221-215-003.pools.arcor-ip.net] has joined #openvpn
16:12 <@Eugene> They do. That's how this one got found.
16:12 <@Eugene> Morons.
16:17 -!- heraclitus__ is now known as heraclitus
16:17 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
16:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:18 -!- joshh20 is now known as joshh20-Away
16:21 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Remote host closed the connection]
16:21 -!- mapps [~map@2e40c43a.skybroadband.com] has quit [Ping timeout: 245 seconds]
16:26 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
16:31 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:35 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has joined #openvpn
16:38 < Gl4di4t0r> I need an OpenVPN client for Mint/Ubuntu
16:38 < Gl4di4t0r> Any suggestions?
16:42 -!- sadeqzad [~sadeqzad@2001:708:110:1004:cacb:b8ff:fe24:8b10] has joined #openvpn
16:43 < sadeqzad> hi guys, I got a problem after setting up the server on Debian and connecting to it from Ubuntu
16:43 < sadeqzad> I want to route all traffic at client side through the VPN tunnel, all except DHCP
16:44 < sadeqzad> I've done some config, but it's not working I guess, 'caz when I use traceroute, the packets (ICMP) don't seem to go through the tunnel
16:46 < sadeqzad> here are my configs and log files: http://askubuntu.com/questions/446003/route-traffic-throught-openvpn
16:46 <@vpnHelper> Title: route traffic throught openvpn - Ask Ubuntu (at askubuntu.com)
16:46 < sadeqzad> that's my post actually
16:46 < sadeqzad> my own post, but no answer yet
16:48 < sadeqzad> any clues?
16:50 < sadeqzad> guys, I'm at the 24h room at my university, I have to leave now, but may you please reply with an answer on Askubuntu? you would do a great favor to me and all those encountering the same problem
16:51 -!- sadeqzad [~sadeqzad@2001:708:110:1004:cacb:b8ff:fe24:8b10] has quit [Quit: Leaving]
17:00 -!- joshh20-Away is now known as joshh20
17:11 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:11 -!- mode/#openvpn [+v s7r] by ChanServ
17:21 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
17:32 -!- penguinpowernz [~robert@180.189.199.6] has quit [Quit: leaving]
17:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
17:51 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:09 -!- _nexxus_ [~bwg@ragnar.pannexusa.com] has joined #openvpn
18:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-xaphexovbwfkukzf] has quit [Quit: Connection closed for inactivity]
18:41 -!- u0m3_ is now known as u0m3
18:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:48 -!- mode/#openvpn [+v s7r] by ChanServ
18:49 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
18:49 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
18:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:23 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
19:24 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Ping timeout: 250 seconds]
19:29 -!- Cpt-Oblivious_ [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
19:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
19:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:30 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 250 seconds]
19:31 -!- Cpt-Oblivious_ is now known as Cpt-Oblivious
19:50 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
19:51 < funyun> hi. i can connect to my vpn through tcp but not udp. can anyone help me connect with udp?
19:51 < funyun> client tcp log http://pastebin.com/9kRDuA7V server tcp log http://pastebin.com/M2CABZK0
19:52 < funyun> client udp log http://pastebin.com/ZLMd7UGv server udp log http://pastebin.com/Xi56Arc1
19:52 < funyun> client config  http://pastebin.com/VWrwwjTA server config  http://pastebin.com/6ruy58EK
19:53 < funyun> also, when i connect with tcp. it only allows me to use certain sites like google.com
19:57 < _nexxus_> having trouble with scp over openvpn
19:57 < _nexxus_> xfers in one direction are stalling
19:57 < _nexxus_> anyone have any ideas?
19:57 < _nexxus_> stalling and/or extremely slow
19:57 < _nexxus_> other direction is fine
19:57 -!- Mik3C is now known as MiguelC
19:57 < _nexxus_> and xfers outside the tunnel are fine, also
19:59 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 240 seconds]
20:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
20:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
20:01 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
20:02 -!- joshh20 is now known as joshh20-Away
20:03 < funyun> _nexxus_: any idea what my problem could be?
20:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:14 -!- MiguelC [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Quit: leaving]
20:15 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
20:45 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
20:47 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
20:58 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has left #openvpn ["Leaving"]
21:05 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Quit: leaving]
21:06 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:07 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:08 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:09 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:09 < _nexxus_> funnel: no..but maybe explain what the problem is rather than ask others to click a bunch of links and figure it out
21:09 < _nexxus_> sorry funnel
21:09 < _nexxus_> and funyun, for that matter..didn't see you explain
21:09 < _nexxus_> funyun: perhaps your ISP is blocking udp?
21:10 < _nexxus_> try another port?
21:11 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:11 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:12 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:14 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:16 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:18 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:18 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:19 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:23 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:23 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:24 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:24 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:25 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:25 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:25 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:28 < funyun> _nexxus_: the problem is it doesn't connect when i change tcp to udp on server/client config
21:29 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
21:29 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
21:40 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
21:42 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 276 seconds]
21:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:48 -!- lkthomas [~lkthomas@n218250153109.netvigator.com] has joined #openvpn
21:48 < lkthomas> hey guys
21:49 < lkthomas> anyone know if hardware accelerator card would help to speed up ?
21:51 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
21:53 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Read error: Connection reset by peer]
21:57 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
22:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
22:02 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has joined #openvpn
22:05 < snappy> lkthomas: speed up what exactly? its good to identify a bottleneck first.
22:06 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 255 seconds]
22:06 < lkthomas> snappy: latency
22:06 < lkthomas> snappy: we want to find a way to lower down latency
22:07 < lkthomas> snappy: looks like there isn't a lot of company selling PCIe SSL accelerator card
22:11 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has joined #openvpn
22:11 < Sup3rFly> trying to wrap head on differences between tun and tap
22:11 < Sup3rFly> i use tap currently, can push multiple subnets
22:11 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
22:11 < Sup3rFly> can you do the same with tun?
22:12 -!- funyun [~temp@cpe-65-25-103-89.neo.res.rr.com] has quit [Ping timeout: 250 seconds]
22:12 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:12 -!- funyun [~temp@ns236132.ip-192-99-21.net] has joined #openvpn
22:14 < snappy> lkthomas: if you use AES you're already benefiting from hardware acceleration
22:15 < snappy> lkthomas: assuming you have the AES instruction set in hardware
22:23 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:25 < Sup3rFly> mm?
22:27 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
22:28 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
22:30 < snappy> could probably improve openvpn speeds by implementing chacha20+poly1305
22:38 -!- mushroomed [~mushroome@li173-111.members.linode.com] has joined #openvpn
22:39 < lkthomas> snappy: you mean, like CPU ?
22:39 < mushroomed> Hi, I have a OpenVPN Server installed at my DigitalOcean VPS and I am able to connect from my Mac through Viscosity but my problem is that I don't have internet connection. Can someone tell tell me about some checklist to 'check'?
22:41 < snappy> lkthomas: what do you expect from an SSL accelerator card? you already get hardware AES from modern CPUs.
22:41 < snappy> the asymmetric ops are expensive, but that's only for the initial handshake
22:41 < lkthomas> snappy: good point, I didn't check if my CPU support AES acceleration
22:41 < snappy> AES in CPUs have been around for at least half a decade now, like i said
22:41 < mushroomed> I should add that my Firewall (iptables) is down and rules flushed
22:42 < snappy> have you identified your bottleneck?
22:42 < lkthomas> snappy: yep, I will check
22:42 < snappy> there's only soe much to reduce latency, for example, you can't have packets travel faster than the speed of light
22:42 < lkthomas> snappy: there is no bottleneck yet, we are latency sensitive firm, so
22:43 < snappy> if you're worried about latency sensitive tunnels, you're probably better off with a GRE tunnel with symmetric crypto only
22:43 < snappy> assuming point to point, static IPs at both ends
22:43 < lkthomas> right
22:43 < lkthomas> snappy: it's fair enough for now. Thanks
22:47 < mushroomed> Can someone help me please?
22:48 -!- emid [~emid@192.241.162.156] has quit [Quit: quit]
22:55 < snappy> mushroomed: (1) make sure other tunnel endpoint pings (see if you can ssh in using the tunnel endpoint IP)
22:55 < snappy> mushroomed: (2) see if you can ping beyond that
22:55 < snappy> mushroomed: if not, traceroute
22:55 < snappy> mushroomed: do you have NAT properly setup
22:56 < snappy> mushroomed: similary DHCP
22:56 < mushroomed> snappy: Already done that
22:57 < mushroomed> snappy: And it pings, SSH connection after VPN connection succeed is on and I don't understand why I don't have Internet Connection over that VPN
22:59 -!- emid [~emid@192.241.162.156] has joined #openvpn
23:00 -!- thefinn93 [~finn@unaffiliated/thefinn93] has joined #openvpn
23:03 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 276 seconds]
23:04 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has quit [Ping timeout: 258 seconds]
23:05 < snappy> mushroomed: NAT?
23:08 -!- ShadniX [dagger@p5DDFE93F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
23:10 < mushroomed> snappy: What about NAT?
23:11 -!- ShadniX [dagger@p57941EE8.dip0.t-ipconnect.de] has joined #openvpn
23:12 < mushroomed> snappy: You say to set some iptables rule like this? --> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
23:12 -!- emid_ [~emid@107.170.54.127] has joined #openvpn
23:15 -!- flixner [~flixner@2a02:908:dc44:d100:224:e8ff:fed2:db7b] has quit [Quit: ... das wars von mir, gott sei dank!]
23:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:28 -!- emid [~emid@192.241.162.156] has quit [Ping timeout: 252 seconds]
23:29 < mushroomed> snappy: Done~ It was iptables NAT rules, thank you
23:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:32 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has joined #openvpn
23:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:38 -!- emid_ [~emid@107.170.54.127] has quit [Quit: quit]
23:43 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
23:47 -!- emid [~emid@107.170.54.127] has joined #openvpn
23:56 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 250 seconds]
--- Day changed Mon Apr 14 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:02 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 276 seconds]
00:08 -!- funyun [~temp@ns236132.ip-192-99-21.net] has left #openvpn []
00:08 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
00:12 -!- ChinaMit_ [~ChinaMit@183.3.245.172] has quit [Ping timeout: 250 seconds]
00:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
00:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:43 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Quit: Ex-Chat]
00:44 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
01:04 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
01:14 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
01:20 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
01:20 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
01:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:41 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 276 seconds]
01:49 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:49 -!- mode/#openvpn [+o mattock] by ChanServ
01:50 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:50 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:50 -!- mode/#openvpn [+o mattock] by ChanServ
01:55 -!- budmang_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Remote host closed the connection]
02:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:12 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
02:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
--- Log closed Mon Apr 14 02:19:56 2014
--- Log opened Mon Apr 14 02:20:03 2014
02:20 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
02:20 -!- Irssi: #openvpn: Total of 234 nicks [8 ops, 0 halfops, 4 voices, 222 normal]
02:20 -!- mode/#openvpn [+o ecrist] by ChanServ
02:20 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
02:20 -!- Irssi: Join to #openvpn was synced in 33 secs
03:04 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 250 seconds]
03:25 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
03:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:36 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
03:39 -!- B1nny [~quassel@5ED16034.cm-7-2b.dynamic.ziggo.nl] has quit [Changing host]
03:39 -!- B1nny [~quassel@unaffiliated/b1nny] has joined #openvpn
03:50 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
04:00 < otwieracz> Hey
04:04 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
04:08 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uisumitxzxarbalj] has joined #openvpn
04:15 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
04:20 -!- B1nny [~quassel@unaffiliated/b1nny] has quit [Remote host closed the connection]
04:20 -!- gu [~gu@194.231.39.10] has joined #openvpn
04:23 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: Leaving.]
04:27 -!- B1nny [~quassel@ti0088a400-1888.bb.online.no] has joined #openvpn
04:27 -!- B1nny [~quassel@ti0088a400-1888.bb.online.no] has quit [Changing host]
04:27 -!- B1nny [~quassel@unaffiliated/b1nny] has joined #openvpn
04:30 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
04:46 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
04:49 -!- B1nny [~quassel@unaffiliated/b1nny] has quit [Remote host closed the connection]
04:49 -!- B1nny [~quassel@unaffiliated/b1nny] has joined #openvpn
04:54 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
04:54 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Operation timed out]
04:54 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
05:01 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:26 -!- optixx [~optixx@p549A79CA.dip0.t-ipconnect.de] has joined #openvpn
05:36 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 276 seconds]
05:42 -!- lazzer_ is now known as lazzer
05:50 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 245 seconds]
05:50 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
05:54 -!- optixx [~optixx@p549A79CA.dip0.t-ipconnect.de] has quit [Quit: Leaving...]
05:57 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 255 seconds]
05:57 -!- gu2 [~gu@194.231.39.10] has joined #openvpn
05:57 -!- gu [~gu@194.231.39.10] has quit [Quit: Leaving.]
06:00 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
06:06 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:16 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
06:24 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Remote host closed the connection]
06:25 -!- optixx [~optixx@p549A79CA.dip0.t-ipconnect.de] has joined #openvpn
06:25 -!- sunwind [~paradox@genld-224-222.t-mobile.co.uk] has joined #openvpn
06:26 -!- optixx [~optixx@p549A79CA.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
06:42 -!- plaisthos [~arne@kamera.blinkt.de] has quit [Remote host closed the connection]
06:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:46 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:50 -!- B1nny [~quassel@unaffiliated/b1nny] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
06:57 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 250 seconds]
07:02 -!- sunwind [~paradox@genld-224-222.t-mobile.co.uk] has quit [Ping timeout: 252 seconds]
07:02 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:07 -!- xMopxShell [~xMopxShel@pa1.trolls.lv] has quit [Ping timeout: 240 seconds]
07:10 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
07:10 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 250 seconds]
07:11 -!- Guest4381 [~Sembei@81.184.39.244.dyn.user.ono.com] has joined #openvpn
07:14 -!- xMopxShell [~xMopxShel@198.27.127.96] has joined #openvpn
07:15 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:19 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has quit [Quit: Computer has gone to sleep]
07:19 -!- warriorforGod [~warriorfo@ip24-252-61-224.om.om.cox.net] has joined #openvpn
07:19 -!- warriorforGod [~warriorfo@ip24-252-61-224.om.om.cox.net] has quit [Changing host]
07:19 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has joined #openvpn
07:24 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has quit [Ping timeout: 240 seconds]
07:45 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
07:45 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
07:45 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
08:28 -!- gu2 [~gu@194.231.39.10] has quit [Read error: Connection reset by peer]
08:29 -!- gu [~gu@194.231.39.10] has joined #openvpn
08:30 -!- warriorforGod [~warriorfo@207.188.46.181] has joined #openvpn
08:30 -!- warriorforGod [~warriorfo@207.188.46.181] has quit [Changing host]
08:30 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has joined #openvpn
08:47 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has joined #openvpn
08:59 -!- utrtfu [~user@178.162.199.144] has joined #openvpn
08:59 -!- utrtfu [~user@178.162.199.144] has left #openvpn []
09:01 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has quit []
09:02 -!- Guest4381 [~Sembei@81.184.39.244.dyn.user.ono.com] has quit [Ping timeout: 250 seconds]
09:05 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
09:06 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
09:06 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has joined #openvpn
09:06 -!- pcdummy [~pcdummy@wserv2.page4me.ch] has quit [Changing host]
09:06 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
09:12 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
09:15 -!- JuriadoBalzac [~cpe@www.badcode.net] has left #openvpn []
09:20 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Remote host closed the connection]
09:25 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has joined #openvpn
09:27 -!- Nirgali42 [~dmart@64.132.167.18] has joined #openvpn
09:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:33 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
09:35 -!- Guest4381 [~Sembei@unaffiliated/sembei] has joined #openvpn
09:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:05 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has quit [Ping timeout: 250 seconds]
10:16 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has joined #openvpn
10:23 -!- utrtfu [~user@178.162.201.97] has joined #openvpn
10:23 -!- utrtfu [~user@178.162.201.97] has left #openvpn []
10:42 -!- master_of_master [~master_of@p4FD7B6EB.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:44 -!- master_of_master [~master_of@p4FF24424.dip0.t-ipconnect.de] has joined #openvpn
10:51 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has quit [Ping timeout: 250 seconds]
10:52 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:03 -!- tzica [~tzica@unaffiliated/tzica] has joined #openvpn
11:03 < tzica> !heartbleed
11:03 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
11:03 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
11:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:07 < tzica> could find anything related around so I'm asking here
11:08 -!- dazo_afk is now known as dazo
11:08 < tzica> if I was using openvpn, radius auth and ofc certificates what should I consider compromissed by heartbleed ?
11:09 <@krzee> !heartbleed
11:09 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
11:09 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
11:09 <@krzee> oh sorry you saw that
11:09 <@krzee> if you were running vuln openssl, yes
11:10 <@krzee> the certs.
11:10 < tzica> so the certificates
11:10 < tzica> by any chance user/passowords too ?
11:10 < tzica> from radius
11:10 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:11 <@krzee> actually give me a minute, im asking the devs; its a good question
11:11 < edge226> wc I am guessing ;)
11:11 < tzica> please
11:12 < edge226> oh nm. I was interpreting that wrong.
11:12 <@krzee> was it the server or client who was vuln?
11:13 < tzica> the server is linux
11:13 < tzica> for radius I was using Active DIrectory so different server
11:13 < takamichi> One of our users using OpenVPN connect on Android is seeing the following in there log on connection "OpenVPN route6 needs a gateway parameter". We don't have any ipv6 directives in our server config and dozens of users connecting successfully with exactly the same client config. Any idea what could cause this?
11:13 < tzica> and for the client. ... let me check
11:14 <@krzee> i did not ask what OS
11:14 <@krzee> i asked who was vuln to heartbleed
11:14 <@krzee> server, client, both?
11:14 < tzica> @krzee: both
11:14 -!- raidz is now known as raidz_away
11:14 < tzica> just checked the client too
11:14 -!- raidz_away is now known as raidz
11:15 <@krzee> i have no confirmation from devs right now; but i would say passwords should change too
11:15 <@krzee> cause the clients had to keep the pass in memory to reauth hourly
11:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
11:15 <@krzee> ahh there we go, confirmation from a dev...
11:15 <@krzee> yes, consider it all dirty
11:15 < tzica> listening
11:15 < tzica> pff
11:16 < tzica> thanks
11:16 <@krzee> remember, you need new private keys
11:16 <@krzee> not just new certs with old keys
11:16 < edge226> Yeah thats the only way to truely know its fully clean.
11:17 <@dazo> half a decade is probably an exaggeration ... but half a decennium, indeed!
11:18 <@dazo> (oh, my scrollback fooled me)
11:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:28 < Aketzu> two people got private keys from cloudflare challenge (nginx+openssl)... one used 2.5M requests and other 100k reqs
11:28 < Aketzu> so seems possible although not easy
11:29 -!- codingrobot [~codingrob@77.118.125.115.wireless.dyn.drei.com] has quit [Ping timeout: 252 seconds]
11:31 -!- codingrobot [~codingrob@77.118.21.162.wireless.dyn.drei.com] has joined #openvpn
11:31 <@dazo> Aketzu: well, it is like winning the lottery.  And somebody do win.  With security, you want to lower the odds as much as possible.  Because if somebody did win, they can decrypt your traffic, not just your traffic in the past (if they saved that), but also the future traffic
11:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
11:31 < Aketzu> yeah
11:34 <+reiffert> I've got nothing to hide. It's the reason I'm on VPN
11:35 <@dazo> heh
11:36 <@krzee> "Because if somebody did win, they can decrypt your traffic, not just your traffic in the past (if they saved that), but also the future traffic"
11:36 <@krzee> thats in reference to web right, forward security in openvpn would stop that afaik
11:36 <@dazo> I like another way of seeing it ... I have nothing to hide, but when I go to toilet I prefer to be in private
11:37 <@dazo> krzee: depends ... If you have captured the key exchange process, like if you were also able to grab the client keys in addition ... then you just follow the stream
11:38 <@dazo> The server is the most important to protect ... however, don't forget that clients may have a role to play in heartbleed
11:39 <@krzee> ooo right the person could get the server AND the client key
11:39 <@dazo> yupp
11:39 <@krzee> that would be impressive
11:39 <@dazo> if the attacker first gets the server key ... he can mount a MITM attack against clients, and hit the clients
11:40 <@dazo> the CA cert and server key are already public, by definition
11:40 <@dazo> but okay ... I don't say it's easy.  But it is doable for a persistent attacker
11:40 <@krzee> server cert* ^
11:40 <@dazo> right :)
11:41 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
11:41 <@krzee> was it openvpn or certain openssl versions that had an hmac issue awhile back?
11:41 <@dazo> that was a theoretical timing attack in openvpn
11:42 <@krzee> would be crazy ninja to see that implimented with this in an attack with no prior access
11:42 <@dazo> you could measure how long time it took to get a response packet based on wrong and correct HMAC values, to bruteforce the HMAC key (tls-auth)
11:43 <@krzee> response packet on wrong HMAC values?
11:43 <@krzee> i thought those were silently dropped
11:43 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:44 <@dazo> krzee: I think this was in TCP mode, where some feedback is received, even on wrong HMAC
11:44 <@krzee> oh hah i thought tls-auth was udp only? i wonder why i thought that
11:44 <@dazo> krzee: it was are really hard-to-abuse attack ... which is why I consider it more theoretical (academic) than a real threat
11:45 <@dazo> With tls-auth enabled and an attacker *not* having access to your tls-auth key, you're far safer ... because neither clients nor servers would respond to packets with the wrong HMAC
11:45 <@dazo> (it wouldn't even respond to TLS heartbeat packets)
11:45 <@krzee> right
11:46 <@krzee> hard to trust just that when it comes down to it
11:47 <@krzee> im lucky i wasnt running vuln openssl :D
11:47 <+reiffert> so what, they will read your traffic anyway, a tap a the PTT CO or a different central point will do the trick.
11:47 <+reiffert> store for later use.
11:48 <+reiffert> EMERGENCY MAINTENANCE .. or just even without advance notification. PTT down, TAP in, PTT up. "Oups".
11:48 <@dazo> which is what NSA would be able to do ... at least when limiting it to, for them, interesting IP addresses
11:48 < pekster> Iff. you always used --tls-auth with any side using a vuln openssl, the keys are safe to the extent you trust the tls-auth key has been kept a secret
11:48 -!- gu [~gu@194.231.39.10] has quit [Remote host closed the connection]
11:48 <+reiffert> dazo: why limiting .. just record everything.
11:49 <@krzee> reiffert, you're assuming the traffic leaves the darknet
11:49 <@dazo> reiffert: well, it needs to be stored somewhere ... and granted, they have capacity, but do they really have capacity to store all packets for everything passing in and out of the US?
11:49 <+reiffert> dazo: they do.
11:50 <+reiffert> There's no reason to assume there are any limitations on anything.
11:50 <@dazo> It wouldn't surprise me, but my math gets up to such big numbers my common sense isn't able to believe it
11:50 <@krzee> their budget is pretty unlimited
11:51 <+reiffert> Read up how much data the ATLAS experiment is storing at CERN/LHC
11:51 <@krzee> those numbers add up to such big numbers my common sense isn't able to believe it, too
11:51 <@dazo> but harddrives do take space and energy ... which requires even bigger physical space where to place these drives and power plants
11:51 <@krzee> the federal gov controls a crazy amount of land in usa
11:52 < pekster> dazo: ie: Bluffdale, Utah
11:52 <@krzee> like 84% of nevada, 50% of california, etc
11:52 <@dazo> But I do believe they're able to capture insane amounts of all traffic for a limited time (say 1-2 years or so)
11:52 <@dazo> pekster: Bluffdale is big ... but is it big enough to save *everything* and saving it *forever*?
11:53 <+reiffert> no reason to store it with a centralistic approach.
11:53 <@dazo> hehe ... that would be priceless ... if NSA used amazon and google drive :-P
11:53 < pekster> Not realistically, no. I imagine them keeping metadata basically "forever" and data as long as feasible in general, and "forever" for select targets
11:54 <@dazo> pekster: I'm with you on that one!
11:54 <@dazo> (hence my limitation to "interesting IP addresses")
11:54 < pekster> https://panopticlick.eff.org -- IPs aren't how clever attackers identify you anymore
11:54 <@vpnHelper> Title: Panopticlick (at panopticlick.eff.org)
11:55 <@dazo> pekster: true enough
11:55 -!- acu [~acu@50.244.13.221] has joined #openvpn
12:04 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kjqfqzvhlllmuovw] has joined #openvpn
12:08 -!- flickerfly [~jritchie@216.115.64.202] has left #openvpn []
12:16 < Haigha> so about my last question, how could i make a nagios plugin that connects to a OpenVPN server and run ping/dig through it?
12:17 < Haigha> i'd prefer not to use root to do it, as nagios has its own user
12:18 <@dazo> Haigha: you need to write a plug-in which is able to speak the openvpn wire protocol ... wich means the plug-in would probably be easier to write if it just kicks off openvpn with a pre-defined config file, keeps the connection open, does a normal ping on a regular basis
12:19 < Haigha> the first one looks fun to implement. is there any "easy" docs about the protocol?
12:19 <@dazo> nope, just the source code
12:20 < Haigha> thanks
12:20 <@dazo> and ... the wire protocol changes slightly, based on which options are being used
12:36 < takamichi>  One of our users using OpenVPN connect on Android is seeing the following in there log on connection "OpenVPN route6 needs a gateway parameter". We don't have any ipv6 directives in our server config and dozens of users connecting successfully with exactly the same client config. Any idea what could cause this?
12:38 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has quit [Ping timeout: 240 seconds]
12:47 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
12:53 -!- subway [~jrb@unaffiliated/subway] has joined #openvpn
12:55 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:58 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:59 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-wcjcwhjwjtsatauj] has joined #openvpn
12:59 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has joined #openvpn
13:04 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has quit [Changing host]
13:04 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
13:06 <@Eugene> !as
13:06 <@vpnHelper> "as" is please go to #OpenVPN-AS for help with Access-Server
13:07 -!- subway [~jrb@unaffiliated/subway] has left #openvpn []
13:17 < takamichi> Hmm I just can't figure out why the client would report "route6 needs a gateway" when there are no ipv6 directives. Does this error mean anything to anyone?
13:20 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
13:21 <@Eugene> It means you're using Connect, a proprietary product we do not support
13:25 < takamichi> Hi Eugene, thanks. This is the official client developed by ovpn tech, who you are referring to in 'we do not support'?
13:27 <@krzee> exactly
13:27 <@krzee> that is a closed source app for Access Server
13:27 <@krzee> we support the opensource app found here:
13:27 <@krzee> !download
13:27 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
13:27 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
13:27 <@krzee> and for android:
13:27 <@krzee> !android
13:27 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
13:29 <@Eugene> Should append !as to mention Connect specifically
13:29 <@Eugene> "this includes other OpenVPN Technologies, Inc products, such as the Android Connect client"
13:30 <@krzee> !forget as
13:30 <@vpnHelper> Joo got it.
13:30 < takamichi> krzee: ok, so if I understand you guys support Arne's app here, if I need support for 'connect' I should post in the forums (I can see a forum for 'connect' client).
13:30 <@Eugene> Correct.
13:30 <@krzee> or in the AS channel
13:30 <@krzee> they support connect
13:30 < takamichi> krezee: gratzie
13:31 <@krzee> !learn as as please go to #OpenVPN-AS for help with Access-Server or any other closed source tech from openvpn technologies such as Connect.
13:31 <@vpnHelper> Joo got it.
13:31 <@Eugene> Though usually we'll just tell you to test the same config on a PC and then you find the issue
13:31 <@krzee> takamichi, prego
13:32 <@Eugene> Also, isn't AS/Connect speaking 2.2 on-wire? the v6 stuff didn't make it there
13:32 <@krzee> i think, but have no idea
13:32 <@krzee> or rather not enough of an idea to be confident
13:35 <@krzee> Ottawa (AFP) - Personal data for as many as 900 Canadian taxpayers was stolen after being made vulnerable by the "Heartbleed" bug, officials in Ottawa said on Monday.
13:48 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:55 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
13:55 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
13:56 -!- warriorforGod [~warriorfo@ip24-252-61-224.om.om.cox.net] has joined #openvpn
13:56 -!- warriorforGod [~warriorfo@ip24-252-61-224.om.om.cox.net] has quit [Changing host]
13:56 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has joined #openvpn
14:00 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has quit [Ping timeout: 252 seconds]
14:02 -!- warriorforGod [~warriorfo@207.188.46.242] has joined #openvpn
14:02 -!- warriorforGod [~warriorfo@207.188.46.242] has quit [Changing host]
14:02 -!- warriorforGod [~warriorfo@unaffiliated/warriorforgod] has joined #openvpn
14:03 -!- warriorforGod was kicked from #openvpn by Eugene [Allah Ackbar! and fix your fucking connection.]
14:11 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:14 -!- tomreyn [~tomreyn@megaglest/team/tomreyn] has joined #openvpn
14:14 < tomreyn> hi
14:15 < tomreyn> how would you security test (hardening) a SSL/UDP based openvpn?
14:15 < tomreyn> most of the ssl scanners i'm aware of don't support udp
14:18 < Beta2K> beta@cerberus:~$ dig @192.168.1.50 mysql.parksfurniture.com
14:18 < Beta2K> ; <<>> DiG 9.4.3-P3 <<>> @192.168.1.50 mysql.parksfurniture.comes.parksfurniture.
14:18 < Beta2K> ; (1 server found)
14:18 < Beta2K> ;; global options:  printcmd
14:18 < Beta2K> ;; Got answer:
14:18 < Beta2K> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58201
14:18 < Beta2K> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
14:18 < Beta2K> ;; QUESTION SECTION:
14:18 < Beta2K> ;mysql.parksfurniture.com.      IN      A
14:18 < Beta2K> ;; ANSWER SECTION:
14:18 < Beta2K> mysql.parksfurniture.com. 3600  IN      A       192.168.1.50
14:19 < Beta2K> mysql.parksfurniture.com. 3600  IN      A       192.168.4.1
14:19 < Beta2K> mysql.parksfurniture.com. 3600  IN      A       192.168.3.50
14:19 < Beta2K> ;; Query time: 107 msec
14:19 < Beta2K> ;; SERVER: 192.168.1.50#53(192.168.1.50)
14:19 -!- Beta2K was kicked from #openvpn by ecrist [Beta2K]
14:19 < tomreyn> ?!
14:19 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::20] has joined #openvpn
14:19 < tomreyn> wrong channel i guess
14:19 < Beta2K> Sorry about that
14:19 <@ecrist> no pasting
14:19 <@ecrist> +b next time
14:19 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 246 seconds]
14:20 < Beta2K> tomreyn: No, bent over my laptop and right-click pasted with PuTTY by accident
14:20 < Beta2K> There, my clipboard only has a , in it now :)
14:20 < tomreyn> oh dang
14:20 < tomreyn> luckily it wasn't your passphrase
14:21 < Beta2K> hehehe
14:21 < Beta2K> Sorry again ecrist :)
14:21 < tomreyn> would one of you know how to security test an openvpn server?
14:22 -!- Nirgali42 [~dmart@64.132.167.18] has quit [Ping timeout: 252 seconds]
14:22 < tomreyn> i've done https://community.openvpn.net/openvpn/wiki/Hardening but now i'd like to confirm that from the public internet
14:22 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
14:22 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-kjqfqzvhlllmuovw] has quit [Quit: Connection closed for inactivity]
14:29 -!- Guest4381 [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
14:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:30 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:32 -!- Nirgali42 [~dmart@74-143-25-90.static.insightbb.com] has joined #openvpn
14:35 -!- JSharpe_ [~JSharpe@31.205.60.241] has quit [Quit: Leaving]
14:41 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
14:42 -!- michaelhart [~michaelha@192.237.177.15] has quit [Ping timeout: 245 seconds]
14:45 -!- ron__ [~ron@ppp118-210-28-177.lns20.adl2.internode.on.net] has joined #openvpn
14:45 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
14:48 -!- ron_ [~ron@ppp118-210-232-69.lns20.adl6.internode.on.net] has quit [Ping timeout: 264 seconds]
14:49 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
14:50 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:55 <@dazo> tomreyn: one thing to test is to create another CA (not related to your setup) and try to use a client cert from that CA ... but use --ca based on the original CA.  The idea is to test that unknown client certs is rejected
14:55 <@dazo> tomreyn: then you can try to use a server certificate on the client side, and see if that's accepted
14:55 <@dazo> tomreyn: that server certificate should be from your valid/original CA
14:56 <@dazo> tomreyn: and the last you can test is to create a valid client cert in your origin CA and then revoke that certificate.  Install the CRL on your VPN server, and try to connect from the client
14:57 <@dazo> tomreyn: the last thing to check is your log files.  Use --verb 4 on server and client, and read through and see that they use the encryption algorithms you've configured
14:57 <@dazo> (modifying the algortihms, say on the client, should make it impossible to connect)
14:57 < tomreyn> dazo: thanks. those are good suggestions (which i appreciate). i'm mostly interested in how to test the ssl implementation, though.
14:57 <@dazo> tomreyn: and then of course, if you added --tls-auth (which you should) ... try using a bogus --tls-auth secret
14:58 <@dazo> well ... that is core pieces of the SSL implementation ... but, yeah, it focuses on the authentication part
14:59 <@dazo> there are no other tool I'm aware of which could try to abuse your server somehow
15:00 < tomreyn> you probably heard of sslscan, ssl-enum, ssl-cipher-suite-enum, sslyze and similar. i'm wondering whether there's some tool which can enumerate supported tls cipher suites and other aspects of the ssl connection remotely.
15:00 < tomreyn> i'm not trying to abuse it, just to get a better picture of what it does support and what it won't
15:01 < tomreyn> i mean, it's kind of a sad state if you can't "proove" that a service configuration was done properly (in terms of security) other than by inspecting its configuration.
15:07 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has quit [Ping timeout: 252 seconds]
15:08 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Quit: ZNC - http://znc.in]
15:09 < tomreyn> i guess one could write a wrapper around openvpn which just maps what's supported by connecting using each of the cipher modes, TLS ciphers and digests supported.
15:10 < tomreyn> or maybe just the ones known to be weak
15:11 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has joined #openvpn
15:12 < tomreyn> RC2-64-CBC, MD4, TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
15:13 < tomreyn> (for example)
15:19 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:19 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has joined #openvpn
15:21 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:28 -!- Aliekezhi [~Aliekezhi@80.215.210.218] has quit [Remote host closed the connection]
15:32 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has joined #openvpn
15:32 < Sup3rFly> m00
15:32 < Sup3rFly> can you push networks when using tun?
15:32 < Sup3rFly> or is tun basic, just single subnet
15:34 <@krzee> !route
15:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
15:34 <@krzee> Sup3rFly, ^
15:37 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:50 -!- mode/#openvpn [+v s7r] by ChanServ
15:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
15:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 246 seconds]
15:59 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
15:59 -!- siso [~siso@166.78.145.224] has joined #openvpn
16:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:03 < siso> Hi, I'm setting up OpenVPN on a RPi. Clients can connect, but cannot browse the Internet
16:03 < siso> Could anyone take a look at fw rules? http://pastebin.com/3nX4jB3u
16:04 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has quit [Ping timeout: 240 seconds]
16:05 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has joined #openvpn
16:08 -!- Sup3rFly [~sup3rfly@host-64-17-85-86.beyondbb.com] has quit [Client Quit]
16:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:16 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-aythuzictvvsbfqd] has joined #openvpn
16:18 -!- otwieracz [~gonet9@v6.gen2.org] has quit [Ping timeout: 258 seconds]
16:22 <@dazo> !redirect
16:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:22 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:22 <@dazo> siso: ^^^
16:23 -!- codingrobot [~codingrob@77.118.21.162.wireless.dyn.drei.com] has quit [Quit: leaving]
16:25 -!- otwieracz [~gonet9@v6.gen2.org] has joined #openvpn
16:25 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 276 seconds]
16:36 -!- dazo is now known as dazo_afk
16:38 -!- acu [~acu@50.244.13.221] has joined #openvpn
16:40 -!- isuldor [~brianb@199.192.78.178] has joined #openvpn
16:41 < isuldor> hello, my client list (status) does not list any clients even though I know several are connected.  Any advice about what might be wrong?
16:42 < isuldor> oh weird, they just started showing up
16:43 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 250 seconds]
16:44 < pekster> isuldor: Take a look at the optional refresh parameter for --status in the manpage
16:45 < pekster> The default for that value is 60
16:51 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:52 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
16:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:56 -!- acu [~acu@50.244.13.221] has joined #openvpn
17:09 < Su7> Hi all
17:10 -!- Nirgali42 [~dmart@74-143-25-90.static.insightbb.com] has quit [Ping timeout: 258 seconds]
17:10 < Su7> (and Hi pekster who's always here)
17:11 < Su7> I'm using a password-based authentication with a hand made script that's htaccess-based
17:12 < Su7> I'm wondering how weak is that compared to a certificate-based authentication ? should I worry about this ?
17:13 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:14 < Su7> second question is about logging : how could I log all the traffic going through my openvpn server ? I read things about a transparent squid server, is this the recommended way ?
17:22 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
17:33 < pekster> Su7: Mere knowledge of the credentials is accepted as proof of identity; with a certificate, the client must also be in posession of the private key file
17:33 < pekster> https://duckduckgo.com/?q=%22something+you+have%22+%22something+you+know%22
17:33 <@vpnHelper> Title: "something you have" "something you know" at DuckDuckGo (at duckduckgo.com)
17:34 < Su7> pekster: that's not what I'm most afraid of - what I want is to make sure that no one on my network can sniff those credentials during the connection process
17:36 < pekster> Not with a perfect-forward-secret TLS exchange. Unless of course the protocol itself is compromised (such as with the heartbleed bug)
17:44 -!- niftylettuce_ [uid2733@gateway/web/irccloud.com/x-wcjcwhjwjtsatauj] has quit [Quit: Connection closed for inactivity]
17:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:52 -!- jason_rad [~jason_rad@66.60.164.164] has joined #openvpn
17:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:53 < jason_rad> Can someone describe the difference between a persistant VPN vs on demand? (click to connect) .  I don't understand the difference.. I assume you would always have to "click to connect" to a vpn server
17:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-uisumitxzxarbalj] has quit [Quit: Connection closed for inactivity]
18:00 -!- tomreyn [~tomreyn@megaglest/team/tomreyn] has quit [Quit: tomreyn]
18:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:06 -!- dazo_afk is now known as dazo
18:19 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
18:20 -!- joshh20-Away is now known as joshh20
18:20 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
18:27 -!- jonathan__ [~jonathan@cpe-107-015-019-011.nc.res.rr.com] has joined #openvpn
18:30 -!- steveb [steveb@about/uk/perfect] has joined #openvpn
18:30 -!- jonathan__ [~jonathan@cpe-107-015-019-011.nc.res.rr.com] has quit [Remote host closed the connection]
18:30 -!- steveb [steveb@about/uk/perfect] has left #openvpn ["A person's a person, no matter how small"]
18:30 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:32 -!- jason_rad [~jason_rad@66.60.164.164] has quit [Quit: leaving]
18:42 -!- acu [~acu@50.244.13.221] has quit [Read error: No route to host]
18:43 -!- Denial [Denial@90.214.34.101] has quit [Ping timeout: 276 seconds]
18:49 -!- klein [~klein@187.85.183.105] has joined #openvpn
18:49 -!- klein [~klein@187.85.183.105] has quit [Changing host]
18:49 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
18:54 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 258 seconds]
19:07 -!- Denial [Denial@176.250.235.182] has joined #openvpn
19:08 -!- klein [~klein@187.85.183.105] has joined #openvpn
19:08 -!- klein [~klein@187.85.183.105] has quit [Changing host]
19:08 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:16 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
19:16 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
19:18 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
19:19 -!- ron__ is now known as ron_
19:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:43 < Beta2K> Should I not use the ovpn interface IP for services on a client?  On my server I'm getting MULTI: bad source address from client [a.client.s.ip]
19:44 < pekster> Beta2K: It's just as bugus as using an address you aren't assigned on any other transport
19:44 < pekster> If your home LAN is 192.168.25.0/24, you obviously can't send from 10.1.2.3. OpenVPN (correctly) rejects such bogus attempts by VPN clients
19:44 < pekster> tcpdump the tun device on your client to find out what nasty application is misbehaving if you want to identify/correct it
19:45 < Beta2K> I know what app is doing it, asterisk
19:46 < Beta2K> Just isn't clicking in my head why I can't use the tun interface IP :)
19:49 -!- joshh20 is now known as joshh20-Away
19:49 < pekster> You can use the tun interface IP (so long as it's the one the server pushed)
19:51 < Beta2K> Ok
19:51 < Beta2K> So this one I understand, it's rejected because the subnet is a pptp subnet on a distant router.  MULTI: bad source address from client [192.168.100.10]
19:52 < Beta2K> This one doesn't make sence, MULTI: bad source address from client [10.8.0.14]
19:52 < Beta2K> 10.8.0.14 is the clients tun IP
19:53 < pekster> The same one associated with that client (check the commonName and the IP+port of the source connection tupple)?
19:54 < pekster> You can check with the status file (see: --status in the manpage) or send the openvpn process on the server a SIGUSR2 signal and check the logs
20:10 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Max SendQ exceeded]
20:11 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
20:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:17 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:18 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Connection reset by peer]
20:18 -!- xBytez__ [xBytez@libxbytez.so] has quit [Max SendQ exceeded]
20:18 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:18 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
20:18 -!- peper [~peper@node.piotrj.org] has quit [Max SendQ exceeded]
20:18 -!- riddle [riddle@us.yunix.net] has quit [Max SendQ exceeded]
20:18 -!- tharkun [~0@unaffiliated/tharkun] has quit [Max SendQ exceeded]
20:18 -!- hive-mind [pranq@mail.bbis.us] has quit [Max SendQ exceeded]
20:18 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
20:18 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 264 seconds]
20:19 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Max SendQ exceeded]
20:19 -!- tharkun [~0@187.188.94.182] has joined #openvpn
20:19 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:19 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
20:19 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
20:19 -!- tharkun [~0@187.188.94.182] has quit [Max SendQ exceeded]
20:19 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
20:19 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
20:19 -!- riddle [riddle@us.yunix.net] has joined #openvpn
20:19 -!- hive-mind [pranq@mail.bbis.us] has quit [Max SendQ exceeded]
20:19 -!- peper [~peper@gentoo/developer/peper] has quit [Max SendQ exceeded]
20:19 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
20:19 -!- riddle [riddle@us.yunix.net] has quit [Max SendQ exceeded]
20:20 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
20:23 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Max SendQ exceeded]
20:24 -!- tharkun [~0@187.188.94.182] has joined #openvpn
20:24 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
20:24 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
20:24 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
20:24 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
20:24 -!- tharkun [~0@187.188.94.182] has quit [Max SendQ exceeded]
20:24 -!- hive-mind [pranq@mail.bbis.us] has quit [Max SendQ exceeded]
20:24 -!- peper [~peper@gentoo/developer/peper] has quit [Max SendQ exceeded]
20:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:25 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
20:25 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:26 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:29 -!- tharkun [~0@187.188.94.182] has joined #openvpn
20:29 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
20:29 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
20:29 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
20:29 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Max SendQ exceeded]
20:29 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
20:29 -!- riddle [riddle@us.yunix.net] has joined #openvpn
20:29 -!- hive-mind [pranq@mail.bbis.us] has quit [Max SendQ exceeded]
20:29 -!- tharkun [~0@187.188.94.182] has quit [Max SendQ exceeded]
20:29 -!- peper [~peper@gentoo/developer/peper] has quit [Max SendQ exceeded]
20:29 -!- riddle [riddle@us.yunix.net] has quit [Max SendQ exceeded]
20:30 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
20:30 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
20:31 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:34 -!- tharkun [~0@187.188.94.182] has joined #openvpn
20:34 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
20:34 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
20:34 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
20:34 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:35 -!- guntha` [~guntha@guntha.thecagedog.com] has joined #openvpn
20:35 -!- riddle [riddle@us.yunix.net] has joined #openvpn
20:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:42 -!- dazo is now known as dazo_afk
20:42 -!- Corey [~Corey@freenode/staff/corey] has quit [Max SendQ exceeded]
20:43 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:44 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
20:44 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:49 -!- Corey [~Corey@freenode/staff/corey] has quit [Read error: Connection reset by peer]
20:49 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Connection reset by peer]
20:49 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
20:50 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:54 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
20:55 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:58 -!- Corey [~Corey@freenode/staff/corey] has quit [Max SendQ exceeded]
20:58 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Connection reset by peer]
20:59 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
20:59 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
21:01 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
21:02 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
21:04 -!- Corey [~Corey@freenode/staff/corey] has quit [Read error: Connection reset by peer]
21:05 -!- Corey [~Corey@freenode/staff/corey] has joined #openvpn
21:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:08 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Connection reset by peer]
21:09 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
21:27 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:40 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
21:42 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn ["Leaving"]
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 258 seconds]
22:17 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:31 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 258 seconds]
22:32 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 276 seconds]
22:47 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-wepliitzcauqfzba] has joined #openvpn
22:54 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 250 seconds]
23:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
23:00 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
23:00 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
23:00 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds]
23:02 -!- catsup [d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
23:04 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
23:04 -!- mode/#openvpn [+o dazo_afk] by ChanServ
23:04 -!- dazo_afk is now known as dazo
23:08 -!- ShadniX [dagger@p57941EE8.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:10 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
23:10 -!- ShadniX [dagger@p5DDFF1E0.dip0.t-ipconnect.de] has joined #openvpn
23:11 -!- red_racer12___ [sid20963@gateway/web/irccloud.com/x-urrvnnnjspzhsuhj] has quit [Ping timeout: 240 seconds]
23:19 -!- AcidRain [~The_Acid_@2001:470:860d:127::219] has joined #openvpn
23:20 < AcidRain> i am having a issue with openvpn client, it was running fine on my RPI for months then all of a sudden it stopped working
23:21 < AcidRain> http://pastebin.com/TT3jQmHT    error log
23:27 -!- __FBi [B@dont.uwantmy.info] has quit [Ping timeout: 246 seconds]
23:31 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
--- Day changed Tue Apr 15 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 276 seconds]
00:12 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-aythuzictvvsbfqd] has quit [Quit: Connection closed for inactivity]
00:22 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-raoecjnnhauvzoqf] has joined #openvpn
00:41 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-raoecjnnhauvzoqf] has quit []
00:42 -!- AcidRain [~The_Acid_@2001:470:860d:127::219] has quit [Quit: Leaving]
00:49 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:49 -!- mode/#openvpn [+o mattock_afk] by ChanServ
00:49 -!- mattock_afk is now known as mattock
00:52 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
00:52 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:52 -!- mode/#openvpn [+o mattock] by ChanServ
01:07 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-bheejrapbvtqmyjw] has joined #openvpn
01:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:29 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
01:29 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:29 -!- mode/#openvpn [+o krzee] by ChanServ
01:54 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
02:40 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:03 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
03:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:10 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:23 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:23 <@plaisthos> !heartbleat
03:23 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:24 <@plaisthos> !heartbleat
03:25 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
03:27 <@mattock> plaisthos: I wonder why that does not work? :P
03:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
03:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
03:33 -!- fin__ [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has joined #openvpn
03:33 -!- fin__ [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has quit [Changing host]
03:33 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
03:35 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
03:42 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-iitsvitfjaqrbtjg] has joined #openvpn
03:47 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Ping timeout: 252 seconds]
03:49 -!- Aliekezhi [~Aliekezhi@80.215.210.0] has joined #openvpn
04:30 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has joined #openvpn
04:32 < giorgiodinapoli> hey guys littl question: after i sucessfully connect to openvpn, i manually disconnect my wlan. with pin-restart directive, it tries to reconnect. so far good. but it cannot reconnect even after wlan comes back. only i i completely restart connection it works again. what can be the problem for this?  i think i has to destroy the route or something and resetup it-
04:41 -!- giorgiodinapoli [~giorgiodi@146-52-156-68-dynip.superkabel.de] has quit [Remote host closed the connection]
04:45 -!- Aliekezhi [~Aliekezhi@80.215.210.0] has quit [Remote host closed the connection]
05:12 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 250 seconds]
05:21 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Remote host closed the connection]
05:24 -!- takamichi [~takamichi@85.12.8.104] has joined #openvpn
05:33 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
05:33 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:45 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
05:48 -!- takamichi [~takamichi@85.12.8.104] has quit [Ping timeout: 258 seconds]
05:53 -!- win5hit1 [~Winshit@HSI-KBW-46-237-201-154.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
05:56 < win5hit1> hi there! I've got a problem with my openvpn config. i recently changed x509 certs on my openvpn server. i changed the openvpn server to be a sub-ca of my ca instead of being it's own ca. i recreated all certificates and updated them on the clients... but i still got some issues with them. maybe someone could clarify if i need the root-ca certificate on the clients for validation or if i need the sub-ca's certificat
05:58 < win5hit1> currently i get on the client side: "unable to get local issuer certificate". i pointed the ca option within the client config to the sub-ca's cert
05:58 < win5hit1> (or maybe i need both of them?)
06:04 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
06:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-iitsvitfjaqrbtjg] has quit [Quit: Connection closed for inactivity]
06:25 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
06:27 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
06:28 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:31 <@plaisthos> does the server have the whole ca chain?
06:36 -!- klein [~klein@187.85.183.105] has joined #openvpn
06:36 -!- klein [~klein@187.85.183.105] has quit [Changing host]
06:36 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:38 < win5hit1> plaisthos: i'm not sure... i just changed the client config : i chained the client cert and the sub-ca-cert and referred to it via "cert = chained.crt" and "CA" to point to the root ca certificate
06:39 < win5hit1> plaisthos: means: "i haven't verified yet". actually its a sophos / astaro box which is running the openvpn server.
06:40 < win5hit1> the error message has "changed". no i get a x509name error
06:41 < pekster> win5hit1: You need the entire cert chain in the file you pass to your --ca option
06:42 < win5hit1> pekster: do i need the whole chain in "cert" or do i need it in "ca"? or both?
06:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:44 < win5hit1> btw: thanks for your patiece and help! thats very kind, and i'm happy about it!
06:44 < pekster> You need the root CA and any subordinate-CAs together in the file referenced by --ca
06:45 < win5hit1> i'll try that right away...
06:45 < pekster> So, `cat ca.crt sub-1.crt sub-2.crt > ca-bundle.crt` and reference that. You need a complete trust path to the CA
06:50 < win5hit1> hm, i still get the same error.
06:52 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Operation timed out]
06:55 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
06:56 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ovhocgmesnffzkbb] has joined #openvpn
06:56 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
06:57 < pekster> Check the rest of your config options; sounds like you're using an additional check on the CN or something that's failing
06:58 -!- gowned [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:59 -!- Tykling [tykling@89.233.43.74] has joined #openvpn
07:14 -!- cpm [~Chip@216.169.175.102] has joined #openvpn
07:14 -!- cpm [~Chip@216.169.175.102] has quit [Changing host]
07:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:21 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
07:26 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 258 seconds]
07:26 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:33 -!- JessD [~Jesse@ciscoasa.ecrsoft.com] has joined #openvpn
07:37 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:44 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 250 seconds]
07:47 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
07:50 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
07:53 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-bheejrapbvtqmyjw] has quit [Remote host closed the connection]
08:00 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
08:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:03 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
08:03 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
08:03 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:11 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
08:18 -!- acu [~acu@50.244.13.221] has joined #openvpn
08:25 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-sbrhsqxpyfdchdfk] has joined #openvpn
08:26 -!- n13l [~Daniel@aaa.anect.cz] has quit [Ping timeout: 250 seconds]
08:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
08:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
08:41 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 258 seconds]
08:45 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
08:46 -!- angs [~ubuntu@85.235.3.240] has joined #openvpn
08:57 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:57 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
09:04 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
09:16 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
09:23 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-wepliitzcauqfzba] has quit [Remote host closed the connection]
09:23 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Remote host closed the connection]
09:31 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
09:32 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
09:32 -!- mode/#openvpn [+o krzee] by ChanServ
09:34 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:35 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-tcprwfjmokebfboy] has joined #openvpn
09:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:40 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::20] has quit [Ping timeout: 252 seconds]
09:42 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::120] has joined #openvpn
09:43 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
09:43 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
09:58 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
09:59 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
09:59 < Moony22> does a vpn depend on connection speed?
10:04 <@krzee> not sure i understand the question
10:05 < Moony22> Will my connection speed be slow if my server has a slow connection speed?
10:06 <@krzee> will your "connection" be going through the vpn server?
10:07 < angs> does anyone know what is the limit for export CA_EXPIRE?
10:07 < Moony22> krzee: yes
10:07 <@krzee> Moony22, then yes
10:07 < Moony22> :/
10:07 < angs> and for KEY_EXPIRE as well
10:07 <@krzee> if you route through a slow machine, your connection will be slow
10:08 <@krzee> obviously? because the packets travel to that machine, then to the internet? and back from the internet to that machine and then to you
10:08 < Moony22> It's annoying because it seems the server has a slow connection speed but doing a speed test it has a really good connection speed...weird
10:09 <@krzee> that also makes no sense to me
10:09 <@krzee> (the sentence)
10:11 < Moony22> as in, when downloading files from repos etc on my VPS the connection speed seems slow; it takes a long time for files to download
10:11 < Moony22> yet speedtest-cli shows a much faster download & upload speed
10:11 <@krzee> then you have a good link to the speedtest but not the repos
10:12 <@krzee> or you're grabbing from slow repos
10:12 <@krzee> seems none of this is actually related to a vpn
10:12 <@dazo> angs: Not sure there are any limits there ... but it's wise not to have them live too long ... CA's usually have 20 years, and the recommended lifetime for server keys are 4-5 years
10:14 < Moony22> krzee: sorry, no it's not directly related to a VPN, I guess I'll stop. But just saying, speedtest-cli reports a 280Mbit/s download speed and a 50Mbit/s upload speed, which is quite a lot o.O
10:15 <@dazo> Moony22: In general, you cannot get a higher down/upload speed through a VPN than the slowest ISP connection on either server or client side ... And your user experience will be based upon what you route via the VPN tunnel, and what you don't put through the tunnel
10:15 < angs> dazo, thanks. I just wanted to know what would be the maximum of a CA. 20 years sounds good
10:16 <@dazo> Moony22: also beware that stupid speed tests (which tests the connection using easily compressible data) will be worthless if you use --comp-lzo
10:16 < Moony22> dazo: what is --comp-lzo?
10:17 <@dazo> !man
10:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:17 < Moony22> "unrecognised option"
10:18 <@dazo> Moony22: read the man page.  I'm not going to read it for you
10:18 <@krzee> !read
10:18 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
10:19 <@dazo> good one :)
10:19 <@dazo> It's a long time since I /kick'ed someone ... so I beg you .... pleeeeaaaaseeee! Give me a reason to do it again :-P
10:20 <@krzee> hey you can /kick me, im already the most kicked in this channel
10:20 <@krzee> !ircstats
10:20 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
10:20 <@dazo> hahaha
10:20 <@dazo> Nah ... I only kick people who truly deserve it :)
10:20 <@krzee> krzee wasn't very popular, getting kicked 21 times!
10:20 <@krzee> For example, like this:
10:20 <@krzee>      *** krzie was kicked by ecrist
10:20 <@krzee> ecrist is either insane or just a fair op, kicking a total of 71 people!
10:20 <@krzee> hahah
10:21 <@dazo> *grmbl* I'm not even mentioned! *fcuk*
10:21 <@krzee> Also, dazo tells us what's up with 808 actions.
10:22 <@dazo> oh gee .... that history must go way back
10:22 <@krzee> way way back
10:22 <@krzee> Statistics generated on Tuesday 15 April 2014 - 9:33:19
10:22 <@krzee> During this 2046-day reporting period
10:23 <@dazo> yeah
10:23 <@krzee> 5.6 yrs
10:23 <@dazo> in two days, we're breaking 2k!  (2048)
10:24 <@krzee> woot, time for a /massvoice celebration
10:24 <@dazo> :)
10:24 <@dazo> that's a round number!  (in binary, that is)
10:25 <@krzee> by the time we got to 2048, 1024 was no longer a safe bitsize
10:25 <@krzee> and by the time we get to 4096 days 2048 will not be a safe keysize
10:25 <@dazo> :)
10:25 <@krzee> haha
10:25 <@dazo> that'll be interesting to observe :)
10:25  * dazo has already switched to 4096
10:25 <@krzee> there may be a relation between #openvpn lifetime and safe keysize? someone should investigate
10:25 <@krzee> same, been using 4096 for yrs
10:26 <@krzee> not confident about going any higher
10:26 <@dazo> I did try both 8192 and 16384 .... the latter was a complete disaster, the former worked some places
10:26 < Rienzilla> it should
10:26 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
10:26 <@dazo> but this is many years ago, though
10:26 <@krzee> maybe someone can calculate when 2048 will become unsafe based on the age of #openvpn
10:27 < Rienzilla> bruteforcing a key is exponentioal complexity right
10:27 <@dazo> it is
10:27 <@krzee> Rienzilla, sure, but do such large keysizes hold up the same?
10:27 <@dazo> each bit doubles the possibilities
10:27 < Rienzilla> and the possibility of cracking also grows exponentially as long as moore's law holds up :)
10:27 <@krzee> or does something internally weaken in ways that have yet to be studied...
10:27 < Rienzilla> so it's proably truish :)
10:28 <@krzee> 4096 has been used by enough people that i believe it has been studied thoroughly
10:28 < Rienzilla> why would there be extra vulnerabilities when the size of the key is increased?
10:28 < Rienzilla> weaknesses I must say
10:29 <@krzee> dont know? but theres a lot about the math of crypto that i do not know? so i do not try to be the first to start doing new things
10:29 <@krzee> i try to step in the footprints of those who know more than i
10:29 <@dazo> Might be some design flaws, which were never discovered due to people 10 years ago thinking "sane people won't use such big keys, let's not waste our time"
10:29 <@krzee> ^^^ that
10:29 < Rienzilla> possibly
10:29 < Rienzilla> or implementation errors; overflows that do not occur with smaller keys
10:30 <@dazo> however, things will probably get more interesting with sha3/keccak ... and also elliptic curves
10:30 <@krzee> yep
10:30 <@krzee> although for now i feel the same about ECC
10:30 < Rienzilla> but if we disregard all that, the safe keysize will probably be proportional to the age of #openvpn :)
10:30 <@dazo> with EC, the keys gets incredibly much stronger
10:30 < Rienzilla> linearly
10:30 <@krzee> not tested thoroughly enough yet for me
10:30 <@dazo> if you use the proper curves
10:30 <@krzee> feels like community has less time than the gov working on ECC
10:31 <@dazo> agreed ... but mathematicians and cryptologists have at least dug into EC for quite some time
10:32 <@krzee> but ya, ECC is where things will move towards
10:32 <@dazo> but with Keccak, it's also possibilities to extend it with encryption algorithms (if I understood the FOSDEM presentation correctly last year) ... and considering Keccak is based upon research done in European universities, it sounds quite promising
10:33 <@dazo> http://keccak.noekeon.org/
10:33 <@vpnHelper> Title: The Keccak sponge function family (at keccak.noekeon.org)
10:40 -!- master_o1_master [~master_of@p4FD7B6E2.dip0.t-ipconnect.de] has joined #openvpn
10:43 -!- master_of_master [~master_of@p4FF24424.dip0.t-ipconnect.de] has quit [Ping timeout: 258 seconds]
10:44 -!- dimitry7 [~antonello@187.188.84.149] has joined #openvpn
10:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:52 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:58 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:00 -!- siso [~siso@166.78.145.224] has quit [Quit: WeeChat 0.3.8]
11:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
11:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:15 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
11:17 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Remote host closed the connection]
11:20 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Quit: elfixit]
11:25 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
11:32 <@Eugene> Crypto is much like particle physics
11:33 <@Eugene> "What if you encrypted everything by using tiny, vibrating strings?" "What would that imply?" "I have no idea." "Perfect!"
11:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:51 < angs> I use the same vars file on both server and client, when I check ca.crt after running ./build_ca, both server and client do not have an identical certificate. do ca.crts suppose to be different on both ends or identical?
11:57 <@Eugene> You should only be running build_ca on one location, then copying the resulting ca.crt to the other.
12:02 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Quit: No Ping reply in 180 seconds.]
12:02 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
12:03 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 246 seconds]
12:03 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
12:03 <@ecrist> !ircstats
12:03 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
12:03 < angs> Eugene, thanks I will copy and then test it
12:03 -!- kld [~acer@85.235.3.224] has joined #openvpn
12:07 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
12:08 -!- angs [~ubuntu@85.235.3.240] has quit [Ping timeout: 240 seconds]
12:08 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
12:09 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
12:13 -!- nlb [~nlb@unaffiliated/nlb] has quit [Ping timeout: 250 seconds]
12:14 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has joined #openvpn
12:21 <@dazo> andi: in fact, the easy-rsa files should ideally be stored on an offline location or at least offline medium when you don't need to prepare new keys/certs
12:26 -!- angs [~ubuntu@85.235.3.240] has joined #openvpn
12:26 -!- angs [~ubuntu@85.235.3.240] has quit [Read error: Connection reset by peer]
12:27 -!- angs [~ubuntu@85.235.3.240] has joined #openvpn
12:30 < angs> I run openvpn on ubuntu 13.10 (as server) and debian wheezy (client) I run ". ./vars ; ./clean-all;  ./build-ca; ./build-key-server server; ./build_dh" on the server side and ". ./vars ; ./clean-all;  ./build-ca;  ./build-key client1" on the client side. Then I copy ca.crt of the server to the client. But I have a problem on the verification on the server side. Here are the config files and output logs http://pastebin.com/AMFLeZJA
12:30 < angs> could anyone point out what am I doing wrong?
12:30 < pekster> You can't use two disjoined CAs like that
12:30 < pekster> Your CA is _common_ to _everything_ in your entire PKI
12:31 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has joined #openvpn
12:31 < pekster> What you should ideally do is 1) create your CA keypair/cert on a system (or at least a protected location) that is _unrelated_ to your sever OR client
12:31 < pekster> Then generate separate keypairs for the server & client, and have them send a CSR (certificate signing request) to your CA
12:31 < pekster> CA signs each with the right attributes, and returns the signed cert and a copy of the CA.crt
12:32 < pekster> Finally, the server generates DH params. Server uses ca.crt, server.crt, and server.key (and its dh.pem file) and the client uses the ca.crt+client.crt (returned from the CA) and the client.key
12:33 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
12:33 < angs> pekster, I have only two PCs. is it possible to use the server as CA?
12:34 < pekster> Yes, but 1) don't use the openvpn or any other "shared" directory, and 2) don't do it as root
12:34 < pekster> Best to create a 'pki' user, give it a umask of 077 in your profile, and protect that account/system access very well; if compromised, your entire PKI must be re-done
12:35 < pekster> !pki
12:35 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
12:35 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
12:37 < pekster> If you're using easyrsa v2 (today's stable) release, it's not easy to do this the "proper/secure" way. Follow that guide to use it the less-than-secure way. Or read !easyrsa for the new easyrsa v3 howto that is secure. It's a newer codebase, but I can walk you though the process a bit now, and more later this afternoon (ca. 20:30 UTC) if you need more help then
12:38 < pekster> Well, "more secure," anyway
12:39 < angs> pekster, thank you I will think/read a little bit more to understand it completely. For me to understand better, does "unable to get local issuer certificate:" mean that I need a separate user as a CA?
12:39 < pekster> No, it means you created 2 entierly unrelated CAs and thus have a bogus PKI setup
12:39 < pekster> ie: you didn't follow directions (either the v2 or v3 directions.)
12:40 < pekster> Pick what version you want and follow the docs for it. Or use a different PKI solution
12:40 < pekster> easyrsa docs at:
12:40 < pekster> !easyrsa
12:40 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
12:40 < pekster> Other alternatives (non-easyrsa) to create PKI at:
12:40 < pekster> !certman
12:40 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
12:40 < pekster> Link #4 has references to step-by-step procedures for easyrsa
12:41 < angs> thanks a lot I will read them through. Btw, you type very fast :)
12:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
12:48 <@dazo> angs: put your CA files on a flash disk or external harddrive ... otherwise you can put your CA files on the least accessible target (usually a CA) ... if someone gets a copy of the CA key, that person can issue new certificates without your knowledge, that's why we're saying that CA files should be on an offline medium .... server/clients only need their respective cert and key files, together with the CA cert ... that's all
12:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:50 < pekster> And if you go that route, you probably want to use easyrsa v3 (instead of v2) as that workflow dazo just described is supported poorly in v2
12:52 < angs> thanks for the help and suggestion, apparently I need to learn more then will ask when I get stuck.
12:52 < pekster> Yup :)
12:54 < shodan45> what's the right way to get openvpn to restart when it loses connection to the server? I already have persist-key, persist-tun, ping 10, and ping-restart 60 in my config file.
12:56 <@dazo> that does sound like a sane config to me ... it'll probably take about a minute before it tries to restart the connection, though
12:56 < pekster> shodan45: Keep in mind both sides need --ping (reference the manpage expansion of the --keepalive for more info.) If the local side gets no remote --ping packet (it's a 1-way ping) in the timeout period, it'll restart
12:57 < shodan45> dazo: it doesn't :( I'm running 2.2.1 in ubuntu server 12.04
12:57 <@dazo> the server doesn't reconnect  .... it's the client which should reconnect
12:58 <@dazo> if you use --keepalive on the server, and ensure you use --pull or --client on the client side, you should be pretty much setup for it
12:58 <@dazo> (I'm using --keepalive quite successfully)
12:58 < shodan45> sorry.... my "server" is running the openvpn client, connecting to mullvad's VPN
12:58 <@dazo> ahh, okay
12:59 <@dazo> shodan45: then listen to pekster, he got it pretty well summed up
13:00 < shodan45> what if mullvad doesn't use --ping?
13:00 -!- JessD [~Jesse@ciscoasa.ecrsoft.com] has quit [Quit: Lost terminal]
13:00 <@dazo> then you're lost ... then you need to add your own little trick
13:01 < shodan45> can't openvpn just ping (IP ping) the other side of the VPN?
13:01 <@dazo> have a crontab pinging the VPN server's VPN IP address ... if no response, kill -USR1 $pid_of_openvpn
13:02 <@dazo> that approach is simulating a --ping-restart
13:02 < shodan45> dazo: I might end up doing that... kinda sucks, though
13:03 < kld> hi, from beginning when i type (apt-get update) i get something : Could not open lock file /var/lib/apt/lists/lock .........why ?
13:03 < shodan45> kld: wrong channel?
13:04 < kld> isn't it openvpn ?
13:05 < kld> i wanna make connection through openvpn
13:05 <@dazo> kld: apt-get update has nothing to do with openvpn
13:05 <@dazo> that has something to do with Debian or Ubuntu, but not openvpn
13:06 < Moony22> !tun
13:06 < Moony22> wow
13:06 < Moony22> !tap
13:06 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
13:06 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses.
13:06 < Moony22> !taportun
13:07 < Moony22> !tunortap
13:07 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
13:07 <@vpnHelper> rooted/jailbroken) support only tun
13:07 <@dazo> !learn tap as For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
13:07 <@vpnHelper> Joo got it.
13:08 <@dazo> !bridge
13:08 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge
13:08 <@dazo> !whybridge
13:08 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
13:08 < Moony22> !tap
13:08 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
13:08 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
13:08 < Moony22> dazo: what did you just do :p
13:08 <@dazo> I got powers ;-)
13:09 < Moony22> Oh, I see what you did there ;)
13:09 < Moony22> dazo: http://community.us.playstation.com/t5/image/serverpage/image-id/279078iF57B2F84025C0789/image-size/original?v=mpbl-1&px=-1
13:13 -!- Aliekezhi [~Aliekezhi@80.215.210.75] has joined #openvpn
13:16 < Moony22> Do you put fake info in the key cert?
13:16 < Moony22> ificate
13:17 < Moony22> (are you meant to put incorrect information there)?
13:18 < Moony22> (in order to trick whoever is reading it, for more privacy)
13:20 < Moony22> :{
13:20 < Moony22> and do you put the info of the VPN? or yourself?
13:21  * Moony22 is confused
13:24 -!- agentbob [anonymoose@unaffiliated/agentbob] has joined #openvpn
13:24 < agentbob> is it possible to have 'groups' in openvpn where certain routes are pushed to all clients within that group?
13:25 <@dazo> Moony22: that doesn't make much sense ... in fact server certificates should have their hostname as CN (Common Name) ... and it'll help you looking at log files, if you make use of some sane info
13:26 <@dazo> agentbob: not "out of the box" ... but you can create a "group" CCD file, and just link these users CN to taht "group" file
13:27 < Moony22> dazo: But what about the location?
13:28 < Moony22> I just don't understand, am I supposed to change all of them? There are also 2 KEY_EMAILs
13:28 <@dazo> Moony22: that's not really used by OpenVPN ... but you can use it for whatever yo like
13:29 <@dazo> the default setup provides CN (Common Name), L (Location), C (Country) and emailAddress
13:29 < Moony22> dazo: so anybody can see this?
13:29 <@dazo> in the server logs, usually
13:29 <@dazo> it's included in the certificates, and certificates are considered public info
13:30 < Moony22> but what if I don't want people to know where I live?
13:30 <@dazo> So write, Dark side of the Moon, or whatever else you'd like
13:30 < Moony22> Is it illegal?
13:31 < Moony22> is that illegal*
13:31 <@dazo> No, it is not illegal
13:32 < Moony22> excellent, I guess it's time to be creative
13:47 < agentbob> dazo: do you mean 'client-config-dir ccd' ?
13:49 <@dazo> agentbob: yes
13:49 < agentbob> dazo: not sure i'm understanding entirely...
13:50 < agentbob> the ccd dir is where all the client files already are... no?
13:52 < agentbob> do you mean just make symlinks to the 'group' file?
13:52 <@dazo> agentbob: right all the client configs ... if you have the same set of routes and stuff you want to push to a group of users, put that into a single file, f.ex.  UserGroup1 .... and then use symbolic links for each CN who belongs to that group and link that CN to point at UserGroup1
13:52 <@dazo> yeah
13:53 < agentbob> they'll all have the same IP though, correct?
13:53 <@dazo> uhm you assign static IPs to your clients?
13:54 < agentbob> private ips, but yea
13:54 < agentbob> can't have people just running around all willy nilly! it'd be chaos!!! heh
13:54 <@dazo> any reasons you do that? (I personally have never understood why people do that)
13:55 <@dazo> as the only alternative, which I have not tested, is to use the config option inside the CCD config file
13:55 <@dazo> Using config inside a config file, behaves like an include statement
13:55 < agentbob> not too sure myself... i didn't do the original setup. but it's a good point
13:59 < agentbob> apparently for acl...
14:00 < agentbob> i think it's what's recommended here as well https://openvpn.net/index.php/open-source/documentation/howto.html#policy
14:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:01 <@dazo> ugh, yeah, that's an old and simple approach
14:01 <@dazo> agentbob: that's why I wrote eurephia
14:01 <@dazo> !eurephia
14:01 <@vpnHelper> "eurephia" is http://www.eurephia.net/
14:13 -!- Michael0 [~ZNT_A@c-68-41-175-6.hsd1.mi.comcast.net] has joined #openvpn
14:13 < svg> interesting, I accidently just discovered about eurephia today
14:13 < svg> dazo: afaics, user base doesn't plugin with an ldap backend? - which is my use case
14:14 <@krzee> !dazo
14:14 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
14:14 <@krzee> :D
14:14 <@krzee> haha
14:14 < Michael0> Hi
14:14 <@dazo> svg: I've started hacking on an LDAP auth backend ... but haven't been pushed enough to complete it
14:15 < svg> I'm working on an openvpn script (client-connect stuff) to do ip assignments based on ldap group memberships
14:17 < Michael0> i probably came wrong way, I dont think I can ask question here can I ?
14:17 <+reiffert> !ask
14:17 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
14:17 <@krzee> if your question is about openvpn then you can
14:17 <@krzee> if its about the meaning of life (42) or something else, then maybe not
14:17 < Michael0> it is kinda
14:18 < Michael0> hard to explain
14:18 <+reiffert> skip explaining. just go straight forward to your question.
14:18 <@krzee> !welcome
14:18 < Michael0> right, give me sec let me organize it
14:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:18 <@krzee> !goal
14:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:19 < Michael0> I only want to apply VPN to IRC, rest regular internet provided from my ISP
14:20 < Michael0> saw many topics about it qith tunneling
14:20 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:20 -!- mode/#openvpn [+o plaisthos] by ChanServ
14:21 < Michael0> is there any simpler way?
14:21 <@krzee> you can add a route so that whatever ips/subnets you want go over the vpn
14:21 <@krzee> !redirect
14:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:21 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:21 <@krzee> do all of that EXCEPT redirect-gateway
14:21 <@krzee> then in your client config:  "route <ip> <netmask>"
14:22 <@krzee> and only those routes will be added to go over the vpn
14:22 <@krzee> add routes for whatever IP/subnets you want to flow over the vpn, and they will
14:22 <@krzee> then if IP forwarding and NAT is correct, it'll work
14:23 <@krzee> im glad you did not take the time to explain, it was a pretty straight forward question / use case
14:23 < Michael0> thanks
14:23 <@krzee> np
14:24 <@krzee> what OS is your server?
14:24 <+reiffert> but vpn endpoint <> ircserver would be unencrypted.
14:24 <@krzee> yes, that is also true ^
14:26 < Michael0> sorry for slow chat
14:28 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:28 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:33 < agentbob> dazo: http://www.eurephia.net doesn't load in safari btw
14:33 <@vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
14:34 <@dazo> agentbob: oh? what happens?  it should be valid xhtml, without much trickery
14:36 < agentbob> dazo: the middle frame/diz just shows up grey... ohhh weird... i reloaded and it came up now.. n/m.. some glitch on my end i guess
14:36 < agentbob> dazo: is the project still maintained?
14:37 <@dazo> agentbob: it is ... it's been "dead", but that's mostly due to being very stable
14:38 <@dazo> I have works in the pipe for postgresql database backend, LDAP authentication and a socket based authentication API
14:38 < agentbob> cool.. i'd suggest maybe just posting an update every few months with a datestamp saying 'still alive and stable!'
14:39 <@dazo> yeah, should probably do that :)
14:40 < agentbob> last update from 2012-11-05.. couple people from my office already were skeptical hehe
14:58 -!- kld [~acer@85.235.3.224] has quit [Quit: Leaving]
14:59 -!- joshh20-Away is now known as joshh20
15:02 <@dazo> agentbob: okay, I'll update it :)
15:04 <@dazo> gee, nov 2012 ... time flies
15:09 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
15:31 < Beta2K> Is there any way to make clients talk directly to each other?
15:43 -!- Michael0 [~ZNT_A@c-68-41-175-6.hsd1.mi.comcast.net] has quit []
15:44 <@dazo> Beta2K: --client-to-client
15:44 <@dazo> but there's no mesh-networking possibility, if that's what you're looking for
15:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
15:53 -!- isuldor [~brianb@199.192.78.178] has quit [Quit: Lost terminal]
15:53 -!- Aliekezhi [~Aliekezhi@80.215.210.75] has quit [Remote host closed the connection]
15:55 -!- Aliekezhi [~Aliekezhi@80.215.210.75] has joined #openvpn
15:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:59 < Beta2K> dazo: Basically that was yes :)  I was contemplating site-to-site links
16:00 <@dazo> sorry, openvpn doesn't do mesh :/
16:01 < Beta2K> No worries, easier to maintain than a mesh of ipsec tunnels :)
16:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
16:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
16:20 -!- joshh20 is now known as joshh20-Away
16:28 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
16:28 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
16:39 <@dazo> agentbob: eurephia web page "updated"
16:40 -!- n2deep [n2deep@odin.sdf-eu.org] has joined #openvpn
16:48 -!- dazo is now known as dazo_afk
16:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:53 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
16:56 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 258 seconds]
17:03 < Beta2K> Is there any way to reserve IP's for ccd?
17:04 < Aketzu> ?
17:05 < Aketzu> you can push ip settings with files in client-config-dir
17:08 -!- ChrisH [~dg7pc@dslb-094-221-215-003.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
17:08 -!- ChrisH [~dg7pc@dslb-094-221-215-003.pools.arcor-ip.net] has joined #openvpn
17:13 -!- Aliekezhi [~Aliekezhi@80.215.210.75] has quit [Quit: Leaving]
17:14 < pekster> Aketzu, see:
17:14 < pekster> !static
17:14 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
17:14 <@vpnHelper> also: !addressing
17:14 < pekster> Examples at !addressing
17:15 -!- angs [~ubuntu@85.235.3.240] has quit [Quit: Leaving]
17:25 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 258 seconds]
17:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:33 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 250 seconds]
17:36 -!- win5hit1 [~Winshit@HSI-KBW-46-237-201-154.hsi.kabel-badenwuerttemberg.de] has left #openvpn []
17:41 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
17:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:45 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
17:45 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
17:45 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
17:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:56 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Ping timeout: 250 seconds]
18:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ovhocgmesnffzkbb] has quit [Quit: Connection closed for inactivity]
18:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:04 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit []
19:06 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
19:13 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
19:16 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
19:26 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Remote host closed the connection]
19:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:52 -!- ryonaloli [~Mengele@se3x.mullvad.net] has joined #openvpn
19:53 < ryonaloli> is there a way to get openvpn to run a script or command before it tries to resolve and connect to the VPN?
19:54 < ryonaloli> brb reboot
19:54 -!- ryonaloli [~Mengele@se3x.mullvad.net] has quit [Quit: https://zqktlwi4fecvo6ri.onion.lu/wiki/index.php/The_Matrix]
19:59 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dwxkljdkghxtouzj] has joined #openvpn
20:03 -!- ryonaloli [~Mengele@se2x.mullvad.net] has joined #openvpn
20:03 -!- ryonaloli [~Mengele@se2x.mullvad.net] has quit [Client Quit]
20:06 -!- ryonaloli [~Mengele@se2x.mullvad.net] has joined #openvpn
20:11 -!- ryonaloli [~Mengele@se2x.mullvad.net] has quit [Quit: https://zqktlwi4fecvo6ri.onion.lu/wiki/index.php/The_Matrix]
20:13 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:15 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
20:31 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
21:20 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
21:21 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
21:25 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
21:28 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
21:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:55 -!- dimitry7 [~antonello@187.188.84.149] has quit [Remote host closed the connection]
22:09 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Quit: AAAGH!  IT BURNS!]
22:11 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
22:16 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Quit: AAAGH!  IT BURNS!]
22:16 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
22:18 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Client Quit]
22:19 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-dwxkljdkghxtouzj] has quit [Quit: Connection closed for inactivity]
22:20 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
22:21 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Remote host closed the connection]
22:23 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
23:01 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
23:07 -!- ShadniX [dagger@p5DDFF1E0.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:08 -!- ShadniX [dagger@p5DDFEF2C.dip0.t-ipconnect.de] has joined #openvpn
23:31 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
23:49 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 265 seconds]
23:49 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
23:52 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 252 seconds]
--- Day changed Wed Apr 16 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:02 -!- Guest40285 [~Sembei@81.184.39.244.dyn.user.ono.com] has joined #openvpn
00:03 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 258 seconds]
00:12 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:17 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
00:19 -!- Guest40285 [~Sembei@81.184.39.244.dyn.user.ono.com] has quit [Ping timeout: 276 seconds]
00:24 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:26 -!- Guest40285 [~Sembei@unaffiliated/sembei] has joined #openvpn
00:26 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has joined #openvpn
00:27 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Remote host closed the connection]
00:29 -!- Carbon_Monoxide [~cmonxide@058176022144.ctinets.com] has left #openvpn []
00:32 -!- ron_ [~ron@ppp118-210-28-177.lns20.adl2.internode.on.net] has quit [Ping timeout: 276 seconds]
00:34 -!- ron_ [~ron@ppp118-210-13-97.lns20.adl2.internode.on.net] has joined #openvpn
00:41 -!- Devastatr [~devas@186.214.15.168] has joined #openvpn
00:41 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
00:57 <@krzee> !mesh
00:57 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
01:01 -!- Guest40285 [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
01:06 <@krzee> dazo_afk, seen that ^ ?
01:06 <@krzee> Beta2K, you may find that interesting if you are advanced with networking
01:10 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:10 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:10 -!- mattock_afk is now known as mattock
01:10 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:20 -!- Guest40285 [~Sembei@unaffiliated/sembei] has joined #openvpn
01:22 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:22 -!- mode/#openvpn [+o mattock] by ChanServ
01:22 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:22 -!- eebrah [~eebrah@212.49.88.104] has joined #openvpn
01:26 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:26 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:26 -!- mattock_afk is now known as mattock
01:46 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:22 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-alatjrodnstzbbby] has joined #openvpn
02:28 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Remote host closed the connection]
02:28 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
02:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:00 -!- colttt [~stefan.kr@cpe-001a8c164dee.ip-pool.rftonline.net] has joined #openvpn
03:01 < colttt> hello!
03:01 < colttt> a short question to the heartblled bug.. i has an openvpn-client with an old .dll can i only replace it wih a newer .dll?
03:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:22 <@plaisthos> should work
03:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:39 -!- esde [~esde@unaffiliated/esde] has quit [Read error: Operation timed out]
03:39 -!- esde [~esde@107.150.1.2] has joined #openvpn
03:40 -!- ngharo [~ngharo@95.211.6.133] has quit [Read error: Operation timed out]
03:40 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
03:51 -!- nandersson [~nandersso@25.238.76.188.dynamic.jazztel.es] has joined #openvpn
03:51 -!- Moony2202 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
03:52 < nandersson> Hi, I am giving this "post_auth script" I.e "hostchecker" a look. Is this something that is only available in the commercial version of OpenVPN, or is it present in the community edition as well? http://openvpn.net/index.php/access-server/docs/admin-guides/411-access-server-post-auth-script.html
03:52 <@vpnHelper> Title: Access Server Post-Auth Script/Host Checking (at openvpn.net)
03:53 < Moony2202> o.o who pasted that link
03:54 < nandersson> Moony2202, I did
03:54 < Moony2202> OH
03:54 < Moony2202> oh*
03:55 -!- Moony2202 is now known as Moony22
03:55 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
03:55 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
03:56 -!- benedikt [~benedikt@unaffiliated/benedikt] has left #openvpn []
04:18 -!- Aliekezhi [~Aliekezhi@80.215.210.93] has joined #openvpn
04:31 -!- eebrah [~eebrah@212.49.88.104] has quit [Ping timeout: 250 seconds]
04:36 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Read error: Operation timed out]
04:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:53 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
05:08 -!- dazo_afk is now known as dazo
05:10 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Read error: Connection reset by peer]
05:11 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
05:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:24 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
05:36 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
05:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:50 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
05:50 -!- mode/#openvpn [+o mattock_afk] by ChanServ
05:50 -!- mattock_afk is now known as mattock
05:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:10 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 252 seconds]
06:11 -!- Aliekezhi [~Aliekezhi@80.215.210.93] has quit [Quit: Leaving]
06:12 -!- Martin` [martin@2001:16f8:15:1000::85] has joined #openvpn
06:13 -!- Aliekezhi [~Aliekezhi@80.215.210.93] has joined #openvpn
06:14 -!- nandersson [~nandersso@25.238.76.188.dynamic.jazztel.es] has quit [Ping timeout: 250 seconds]
06:17 -!- nandersson [~nandersso@25.238.76.188.dynamic.jazztel.es] has joined #openvpn
06:20 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has joined #openvpn
06:20 < troulouliou_dev> hi what does the diffie helman file that one generate for openvpn content ?
06:21 <@plaisthos> !fps
06:22 <@plaisthos> hm
06:23 < troulouliou_dev> i mean the one generate for parameter dh  ....../dh1024.pem
06:23 < troulouliou_dev> what does that file contain ?
06:28 <@plaisthos> diffie hellmann parameters
06:28 <@plaisthos> it is used for perferct forward secrecy
06:29 < troulouliou_dev> plaisthos, ot is the generator and prime ?
06:29 < troulouliou_dev> plaisthos, or those are still exchanged on the wire for each parameters ?
06:31 <@plaisthos> troulouliou_dev: sorry I have not looked into dh in detail
06:31 < troulouliou_dev> plaisthos, ha ok
06:31 <@plaisthos> openssl gendh docu might help too
06:35 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 250 seconds]
06:36 -!- Aliekezhi [~Aliekezhi@80.215.210.93] has quit [Remote host closed the connection]
06:40 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:40 -!- Moony22 is now known as OfficialSlangPla
06:40 -!- OfficialSlangPla is now known as SlangPlanter
06:51 -!- SlangPlanter is now known as Moony22
06:52 -!- tzica [~tzica@unaffiliated/tzica] has quit [Ping timeout: 265 seconds]
06:54 -!- Moony22 is now known as SlangPlanter
06:56 -!- SlangPlanter is now known as Moony22
06:59 <@dazo> troulouliou_dev: dh parameters is basically a large public prime number
06:59 < troulouliou_dev> dazo, a 1024 dh pem file corespond to a 1024 bit prime ?
06:59 < troulouliou_dev> dazo, or 512 prime and 512 generator
07:00 < troulouliou_dev> dazo, like the 2 prime for rsa ?
07:00 < troulouliou_dev> dazo, i m somehow confused :)
07:01 <@dazo> yeah ... but I believe it produces more than 1024 bits ... as the DH parameters requires some more info, but the most important product (and most CPU intensive work) is the prime
07:01 <@dazo> it's not just a prime, it's a random prime number ... which is what makes it "complicated"
07:01 < troulouliou_dev> dazo, yes of course ; and in dh what  is the average generator length ?
07:02 <@dazo> oh, I don't remember that
07:02 < troulouliou_dev> ha ok
07:02 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
07:02 -!- Devastatr [~devas@186.214.15.168] has quit [Changing host]
07:02 -!- Devastatr [~devas@unaffiliated/devastator] has joined #openvpn
07:02 -!- Devastatr is now known as Devastator
07:03 <@dazo> I've focused more on understand why it's needed, not so much the math behind it :)
07:03 < troulouliou_dev> dazo, it is just that after reading it seemed to me
07:03 < troulouliou_dev> that the generator is a constant valule of 2 or 5
07:04 < troulouliou_dev> dazo, wonder if it is possible ..
07:04 < troulouliou_dev> dazo, ok indeed it is after some reseach
07:04 <@dazo> Oh, I vaguely remember something now ... the DH generator values are restricted, and 2 and 5 sounds familiar
07:05 < troulouliou_dev> dazo, yes thats it ; understood now ....
07:18 < Moony22> What iptable rules should I use?
07:18 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:19 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:19 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:19 < Moony22> is there something which I can read that tells me/
07:20 <@dazo> Moony22: have you ever done iptables firewalling before?
07:20 < Moony22> only simple port forwardin
07:20 < Moony22> port forwarding*
07:22 <@dazo> Moony22: the absolute bare minimum knowledge you need, can be found here: http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html ... there are some newer howto's too, I'll look it up
07:22 <@vpnHelper> Title: Linux 2.4 Packet Filtering HOWTO (at www.netfilter.org)
07:22 <@dazo> (it's old, but the core principles of iptables haven't changed much at all since 2.4 kernels)
07:23 < Moony22> !log
07:23 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:24 < Moony22> :{
07:24 <@dazo> Moony22: okay, here it is ... https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
07:24 <@dazo> !logs
07:24 <@vpnHelper> Title: Iptables Tutorial 1.2.2 (at www.frozentux.net)
07:24 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:24 < Moony22> !logfile
07:24 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
07:26 <@dazo> Moony22: please read that last URL (frozentux) carefully.  It's long, but not complicated.  If you do that, you most likely won't need to ask any questions about iptables to really get started
07:43 -!- nandersson [~nandersso@25.238.76.188.dynamic.jazztel.es] has quit [Remote host closed the connection]
07:57 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:57 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
08:03 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
08:13 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Ping timeout: 250 seconds]
08:14 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
08:14 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
08:14 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
08:19 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Disconnected by services]
08:19 -!- Moony22 [~Moony22@192.3.54.239] has joined #openvpn
08:19 < Moony22> hmm
08:19 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
08:20 < Moony22> I think I got everthing working
08:21 < Moony22> but my down & up speed is much slower than my VPS(servers) max/average speed :/
08:28 < Moony22> er, for example on my VPS my download speed is 300Mb/s and upload 50Mb/s, however when I connect to my VPN I have a 18Mb/s download speed and a 10Mb/s upload speed -- granted, my home local download & upload speeds are 50Mb/s and 20Mb/s average respectively, but that's still less than half
08:34 -!- Moony22 [~Moony22@192.3.54.239] has quit [Read error: Connection reset by peer]
08:36 -!- Nikon [Nikon@alpha.yourbnc.co.uk] has joined #openvpn
08:36 < Nikon> hey there
08:39 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
08:39 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
08:39 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
08:39 < Nikon> Is it possible for clients to be able to connect to things on my servers network?
08:46 <@ecrist> if you allow it through your firewall, and provide the needed routes, sure.
08:48 < Nikon> Needed routes as in?
09:21 -!- colttt [~stefan.kr@cpe-001a8c164dee.ip-pool.rftonline.net] has left #openvpn []
09:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:30 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:37 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:39 -!- troulouliou_dev [~troulouli@unaffiliated/troulouliou-dev/x-4757952] has quit [Remote host closed the connection]
10:00 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Quit: Lost terminal]
10:02 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has quit [Quit: Konversation terminated!]
10:06 <@Eugene> !route
10:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
10:06 <@vpnHelper> client
10:06 <@Eugene> !serverlan
10:06 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:06 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:06 <@Eugene> Nikon ^
10:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:27 -!- acu [~acu@50.244.13.221] has joined #openvpn
10:41 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Connection reset by peer]
10:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
10:41 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
10:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:42 -!- master_o1_master [~master_of@p4FD7B6E2.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
10:44 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
10:44 -!- master_of_master [~master_of@p4FD7B0A9.dip0.t-ipconnect.de] has joined #openvpn
10:45 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
10:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
10:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:54 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:04 -!- t0r [~textual@167.206.48.217] has joined #openvpn
11:10 -!- Proshot [~FSM@2001:981:7ede:1:118b:80f1:ddcf:681a] has joined #openvpn
11:11 < Proshot> i was wondering for the openvpn client on the iphone, is the only functionality to browse the internet via the openvpn connection?
11:11 < Proshot> and if so, could i have a per client policy to only forward the traffic from the iphone and not the other devices connected to the openvpn server
11:12 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Remote host closed the connection]
11:13 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
11:14 <@krzee> Proshot, i have a couple users that use vpn on iphone without it redirecting their internet at all
11:15 <@krzee> you must have configured it to do so
11:16 < Proshot> ok, that is good,
11:16 < Proshot> since i wanted no traffic to be redirected
11:16 < Proshot> but only to access the resources in the vpn
11:21 < Proshot> bbl i am heading home
11:21 -!- Proshot [~FSM@2001:981:7ede:1:118b:80f1:ddcf:681a] has quit [Quit: Leaving]
11:49 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
11:52 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
12:23 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has joined #openvpn
12:23 < timmmaaaayyy> is there a way to boot a user thats connected to openvpn?
12:28 <@plaisthos> timmmaaaayyy: see the management interface documentation
12:30 < timmmaaaayyy> we don't use that.  i guess i'm out of luck.  thanks for the answer plaisthos!
12:31 -!- ron_ [~ron@ppp118-210-13-97.lns20.adl2.internode.on.net] has quit [Ping timeout: 245 seconds]
12:33 -!- ron_ [~ron@ppp118-210-5-168.lns20.adl2.internode.on.net] has joined #openvpn
12:53 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
13:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:47 -!- dazo is now known as dazo_afk
14:02 -!- Guest40285 [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
14:02 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:11 <@plaisthos> atmosx: the arne@openvpn/community/developer/plaisthos has joined #FreeBSD part  :)
14:12 <@plaisthos> argh
14:12 <@plaisthos> wrong chang
14:14 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
14:27 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:40 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has left #openvpn []
14:48 -!- joshh20-Away is now known as joshh20
14:59 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:02 -!- pqatsi [~leonardo@unaffiliated/leleobhz] has joined #openvpn
15:02 < pqatsi> There is a way to avoid server push of redirect-gateway?
15:03 < pqatsi> (And only redirect-gateway, receiving others static routes)
15:03 -!- digitalp1nk is now known as digitalpunk
15:04 -!- digitalpunk [~scout@mail.zemaitijos-spauda.lt] has left #openvpn []
15:05 -!- ron__ [~ron@ppp118-210-131-174.lns20.adl6.internode.on.net] has joined #openvpn
15:06 <@Eugene> !reset
15:06 <@Eugene> !factoids search reset
15:06 <@vpnHelper> "push-reset" is Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
15:07 -!- ron_ [~ron@ppp118-210-5-168.lns20.adl2.internode.on.net] has quit [Ping timeout: 250 seconds]
15:08 <@Eugene> You can sniff the routes pushed with an --up script. See SCRIPTING AND ENVIRONMENTAL VARIABLES in the man page.
15:08 < pqatsi> Eugene: i did not undersand. This will avoid all routes? For this i have route-nopull, right?
15:08 <@Eugene> Oh derp, yeah, sorry, route-nopull
15:08  * Eugene had his brain installed backwards
15:09 <@Eugene> !nopull
15:09 <@vpnHelper> "nopull" is "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
15:09 <@Eugene> (push-reset is NOT what you want; I need a drink)
15:13 -!- latebloom [~ling_@192.30.35.192] has joined #openvpn
15:13 < latebloom> !welcome
15:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:14 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:14 < latebloom> !goal
15:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:17 < pqatsi> Eugene: route-nopull dischard all routes. I just want to avoid receive redirect-gateway. Its not possible?
15:18 <@Eugene> Not without extra scripting, no.
15:21 < pqatsi> Right!
15:24 -!- brianblaze420 [~admin@70.82.154.235] has joined #openvpn
15:24 -!- brianblaze420 [~admin@70.82.154.235] has quit [Changing host]
15:24 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
15:26 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
15:33 -!- pqatsi [~leonardo@unaffiliated/leleobhz] has quit [Quit: leaving]
15:42 -!- latebloom [~ling_@192.30.35.192] has quit [Ping timeout: 240 seconds]
15:42 -!- latebloom [~latebloom@192.30.35.192] has joined #openvpn
15:43 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:58 -!- ron__ is now known as ron_
16:00 <@krzee> thats not true eugene
16:00 <@Eugene> Do tell
16:00 <@krzee> you can override the redirect-gateway with 2 routes, or if def1 is used then you can override it with 4 routes.
16:01 <@Eugene> overrride != ignore
16:01 <@krzee> in the exact same way def1 overrides the orig default route.
16:01 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
16:01 <@Eugene> But yes, technically true.
16:01 <@krzee> you (the user) can ignore it once its overridden ;)
16:02 <@Eugene> For the original question, "is there a magical openvpn --directive to do this", the answer stands.
16:02 <@krzee> oh right
16:02 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has left #openvpn []
16:02 <@krzee> i just meant "<Eugene> Not without extra scripting, no."
16:03 <@Eugene> I'd call that scripting, because you need to make it aware of the default route
16:03 <@Eugene> And tear it down / set up
16:03 <@krzee> erm no
16:03 <@krzee> 4 --route configs options in the client config, done
16:03 <@krzee> see net_gateway variable
16:03 <@krzee> !route_override
16:03 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
16:04 <@Eugene> That one is new to me
16:04 <@Eugene> Still a hack. :-p
16:05 <@krzee> just a couple ovpn config options...
16:05 <@krzee> (or 1 option, used a couple times)
16:05 <@Eugene> !beer
16:05 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
16:12 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:13 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
16:13 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
16:35 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 250 seconds]
16:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:50 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
17:04 -!- klein [~klein@177.101.105.94] has joined #openvpn
17:04 -!- klein [~klein@177.101.105.94] has quit [Changing host]
17:04 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
17:27 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
17:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Read error: Connection reset by peer]
17:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:32 -!- ChrisH [~dg7pc@dslb-094-221-215-003.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
17:32 -!- ChrisH [~dg7pc@dslb-094-221-210-185.pools.arcor-ip.net] has joined #openvpn
17:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-alatjrodnstzbbby] has quit [Quit: Connection closed for inactivity]
17:49 -!- noobboob [uid5587@gateway/web/irccloud.com/x-aybmghnhggeajgfw] has joined #openvpn
17:52 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:04 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:13 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:20 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:30 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 240 seconds]
18:44 -!- acu [~acu@50.244.13.221] has joined #openvpn
18:59 -!- justinzane [~justinzan@12.172.184.180] has quit [Ping timeout: 258 seconds]
19:03 -!- latebloom [~latebloom@192.30.35.192] has quit [Quit: Leaving]
19:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:35 -!- joshh20 is now known as joshh20-Away
19:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:48 -!- mode/#openvpn [+v s7r] by ChanServ
20:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:19 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
20:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-aybmghnhggeajgfw] has quit [Quit: Connection closed for inactivity]
20:22 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
20:22 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 240 seconds]
20:22 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
20:22 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
20:30 -!- mh100 [~mh100@host-92-17-217-225.as13285.net] has joined #openvpn
20:30 < mh100> !welcome
20:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:30 < mh100> !howto
20:30 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:31 < mh100> !goal
20:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:32 < mh100> Hi, trying to get Easy RSA working on my Windows PC but when I lauch the bat file I get the message "The system cannot find the path specified". What am I doing wrong?
20:33 < mh100> looking at the bat file, I cant understand where bin\sh.exe is supposed to be located?
20:38 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has quit [Ping timeout: 240 seconds]
20:38 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has joined #openvpn
20:57 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
21:01 -!- justinzane [~justinzan@12.172.184.180] has quit [Client Quit]
21:01 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
21:01 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 252 seconds]
21:02 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 252 seconds]
21:03 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
21:04 -!- mh100 [~mh100@host-92-17-217-225.as13285.net] has quit []
21:06 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 246 seconds]
21:07 -!- lj [~l@192.241.174.169] has joined #openvpn
21:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
21:12 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
21:15 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
21:21 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
21:30 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
21:35 < lj> krzee, ecrist ping.
21:35 < lj> If you have a few minutes, let me know.
21:36 < lj> Mostly setup efficiency opinions/suggestions.
21:37 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:44 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
22:15 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
22:17 -!- lj1 [~l@74.120.200.95] has joined #openvpn
22:17 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 276 seconds]
22:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
22:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
23:04 <@krzee> that was the worst use of pinging someone ever
23:04  * krzee goes back to being away
23:05 <@krzee> welcome to IRC
23:07 -!- ShadniX [dagger@p5DDFEF2C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:08 -!- ShadniX [dagger@p5DDFE20E.dip0.t-ipconnect.de] has joined #openvpn
23:14 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
23:24 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
23:25 -!- no_wai_ [~no_wai@203.Red-88-14-15.dynamicIP.rima-tde.net] has joined #openvpn
23:27 -!- no_wai_ is now known as no__wai
23:28 -!- no__wai is now known as nowai_
23:28 -!- nowai_ [~no_wai@203.Red-88-14-15.dynamicIP.rima-tde.net] has quit [Client Quit]
23:53 -!- justinzane [~justinzan@12.172.184.180] has quit [Ping timeout: 276 seconds]
23:54 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
23:57 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
--- Day changed Thu Apr 17 2014
00:09 -!- justinzane [~justinzan@24.49.207.201] has joined #openvpn
00:33 -!- justinzane [~justinzan@24.49.207.201] has quit [Ping timeout: 252 seconds]
00:33 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
00:34 -!- Devastator [~devas@186.214.15.168] has joined #openvpn
00:43 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
00:59 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Ping timeout: 252 seconds]
01:03 -!- lj [~l@74.120.200.95] has joined #openvpn
01:03 -!- lj1 [~l@74.120.200.95] has quit [Ping timeout: 276 seconds]
01:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:23 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:23 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:24 -!- mattock_afk is now known as mattock
01:39 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
01:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:44 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-mpllglpfwohfsbmw] has joined #openvpn
01:49 -!- _KaszpiR___ is now known as _KaszpiR_
01:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:17 -!- mrrg [~notabot@209.20.75.42] has quit [Ping timeout: 255 seconds]
02:17 -!- mrrg [~notabot@delicious.sykosys.jp] has joined #openvpn
02:18 -!- _nexxus_ [~bwg@ragnar.pannexusa.com] has quit [Ping timeout: 252 seconds]
02:18 -!- _nexxus_ [~bwg@ragnar.pannexusa.com] has joined #openvpn
02:19 -!- Ko_lo [~kolo@unaffiliated/baptistem] has joined #openvpn
02:19 < Ko_lo> o/
02:19 < Ko_lo> I have a running openvpn on my server, behind this vpn I have a oracle-xe running, how can I tell my server to forward connection from port foo to 10.8.0.x:1521 ?
02:19 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:21 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 245 seconds]
02:38 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
02:39 < stemid> I'm reading the docs on setting up unprivileged user for my openvpn server. the step where it says to create a persistent tunX device with the openvpn --mktun command, how is this possibly persistent? won't it be deleted at reboot?
02:39 < stemid> just wondering if I should do this in my up script, or in my distros init
02:39 < stemid> because I can't imagine it being persistent between reboots
02:39 < ribasushi> greetings
02:39 < ribasushi> what do we think of http://frozenriver.net/SigmaVPN ?
02:39 <@vpnHelper> Title: frozenriver: SigmaVPN. Tunnels made simple. (at frozenriver.net)
02:51 < stemid> ok I read in the man now that the interface is deleted at reboot
02:51 < stemid> so I guess I'll use the rc scripts or init to make it persistent
03:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:23 < snappy> never heard of it, sounds interesting
03:25 < snappy> ribasushi: this is what "we" think: no documentation, no protocol description -- and since when did optimizing for RAM usage even matter...
03:25 < ribasushi> snappy: that'd djb, optimizing for crazyshit is his specialty :)
03:26 < snappy> but this isn't djb, the statement is: running a single tunnel in less than a single megabyte of RAM
03:26 < snappy> im sure nacl lends itself to that, but for vpn it reall doesn't matter.
03:27 < snappy> i do like the idea of automatic handover/roaming
03:27 < ribasushi> nod, it's a thin wrapper around nacl basically, hence my conjecture it is an extension of djb "principles"
03:27 < snappy> i think this is something that openvpn could use -- apply the "mosh principle", synchronize state of the packet queue buffer between vpn server and client
03:27 < ribasushi> this would be *very* sexy yes
03:29 < ribasushi> snappy: in case you want to do "PR damage control" there's a wave of openvpn-hate raising in the HN thread: https://news.ycombinator.com/item?id=7599091
03:29 <@vpnHelper> Title: SigmaVPN: Stateless OpenVPN Replacement Using NaCl Encryption Library | Hacker News (at news.ycombinator.com)
03:29 < ribasushi> (also v. misleading title)
03:30 < snappy> i'm not too concerned about code issues with openvpn, but peter gutmann did analyse the protocol at one point and said it was sound; that's pretty good praise
03:34 < ribasushi> aye
03:35 < ribasushi> I still put aside setting up a "lab" and diagnosing why openvpn reconnects take so long
03:35 < ribasushi> I can't see to bring my handshake down from ~5s
03:35 < ribasushi> *seem
03:35 < ribasushi> it's probably some bullshit in my config though
03:39 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
03:45 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Ping timeout: 258 seconds]
03:47 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has joined #openvpn
03:49 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
03:55 < Moony22> Hello, I'm having difficulty connecting to the internet after connecting to my VPN successfully. I can ping the VPN server, but not anything else. My server.conf: http://paste.debian.net/94159/
03:55 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 252 seconds]
03:56 < Moony22> my client.conf: http://pastebin.com/et55Ts4S
03:57 < Moony22> my nat tables: http://paste.debian.net/94161/
03:59 -!- Moony22 is now known as IceCreamBot
04:03 -!- IceCreamBot [~Moony22@unaffiliated/moony22] has quit [Quit: leaving]
04:04 -!- Moony22 [~AndChat30@unaffiliated/moony22] has joined #openvpn
04:08 < Moony22> Anyone got any ideas?
04:09 < ribasushi> Moony22: is your forwarding enabled in-kernel?
04:09 < Moony22> Yes I believe so ribasushi
04:09 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
04:10 < Moony22> net.ipv4.ip_forward = 1
04:23 < woshty> Moony22: Do you have a masquerading rule in iptables nat table?
04:28 < Moony22> woshty: I pasted my nat table I thought?
04:28 < Moony22> Here it is again I believe http://paste.debian.net/94161/
04:29 < woshty> Moony22: ah, sry. Did not see that. No idea.
04:34 < woshty> Moony22: you could take a look with -v. maybe interfaces do not match?
04:39 < Moony22> woshty: sorry for late reply, I don't quite understand?
04:51 -!- Aliekezhi [~Aliekezhi@80.215.178.220] has joined #openvpn
04:51 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:52 -!- mode/#openvpn [+v s7r] by ChanServ
04:52 -!- Moony22 [~AndChat30@unaffiliated/moony22] has quit [Quit: Bye]
04:52 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
04:52 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
04:52 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
04:52 < woshty> Moony22: iptables -L -t nat -v
04:52 < woshty> Moony22: serverside
04:53 < Moony22> woshty: http://paste.debian.net/94174/
04:55 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 276 seconds]
04:55 -!- heraclitus__ [~heraclitu@cpe-76-187-142-153.tx.res.rr.com] has joined #openvpn
04:56 -!- acu [~acu@50.244.13.221] has joined #openvpn
04:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 252 seconds]
05:03 < Moony22> !config
05:03 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
05:03 < Moony22> what
05:03 < Moony22> !configs
05:03 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
05:04 < Moony22> !logs
05:04 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:05 < Moony22> Well, I pasted my configs and tables :p
05:05 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 276 seconds]
05:17 -!- acu [~acu@50.244.13.221] has joined #openvpn
05:21 < stemid> when I'm running with a non-privileged user, will that user also execute the up and down scripts?
05:22 < stemid> I guess it executed any script, because I had to add sudo to the iproute script
05:25 < Moony22> does that -v paste show anything?
05:37 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
05:40 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
05:43 < Moony22> I guess I have to wait for american prime time
05:51 < pekster> Moony22: You want:
05:51 < pekster> !redirect
05:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
05:51 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
05:53 < Moony22> !def1
05:53 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
05:54 < Moony22> pekster: I have "push "redirect-gateway def1 bypass-dhcp"" in my server.conf
05:54 < Moony22> I have ip-forwarding enabled
05:54 < Moony22> Not using ipv6
05:55 < pekster> I didn't even look at your server config; it's full of exactly what the grep told you to remove
05:55 < Moony22> !configs
05:55 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
05:55 < Moony22> one second
05:55 < pekster> And I don't really have time to de-mess your configs as I leave shortly
05:55 < pekster> However, clean it up for the next person who can help
05:58 < Moony22> well here is my uncommented server.conf: http://paste.debian.net/94179/
06:10 < Moony22> and here is my uncommented client.conf:
06:10 < Moony22> http://pastebin.com/gRXdP4CE
06:11 < Moony22> using the second flowchart...it seems i likely have a firewall issue >.>
06:17 < Moony22> I'm going to try connect again, I'll be back
06:19 < Moony22> >.> still doesn't work...
06:21 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
06:25 < Moony22> I'll paste the output of /sbin/iptables -L
06:25 < Moony22> /sbin/iptables -L : http://paste.debian.net/94184/
06:43 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
07:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-mpllglpfwohfsbmw] has quit [Quit: Connection closed for inactivity]
07:12 -!- charlie_ [~charlie@c-174-48-37-15.hsd1.fl.comcast.net] has joined #openvpn
07:12 < charlie_> hello?
07:13 < charlie_> I'm trying to create a vpn server on my router,
07:13 < charlie_> I've downloaded openvpn
07:14 < charlie_> and downloaded the git repo into the correct folder
07:14 < charlie_> the guide I'm following says to do ./init-config
07:14 < charlie_> but that doesn't work
07:14 < charlie_> can someone help?
07:15 < Moony22> on windows?
07:15 < charlie_> Linux
07:15 < charlie_> 13.10
07:15 < charlie_> ubuntu
07:16 < charlie_> Hello?
07:16 < Moony22> you couldn't just use the repos?
07:16 < charlie_> there's no executable named init-config in the repo
07:17 < charlie_> I put the repo in /usr/share/doc/openvpn/examples
07:17 < Moony22> eg, apt-get update && apt-get install openvpn
07:17 < charlie_> oh, this is the repo for easy-rsa
07:17 < charlie_> since it doesn't come with the most recent version
07:18 < Moony22> oh
07:18 < Moony22> what guide are you reading?
07:22 < Moony22> https://help.ubuntu.com/13.10/serverguide/openvpn.html
07:22 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
07:23 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:23 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:23 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:23 < charlie_> Sorry, had to go afk for a second
07:23 < charlie_> http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
07:23 <@vpnHelper> Title: Connect to Your Home Network From Anywhere with OpenVPN and Tomato (at www.howtogeek.com)
07:24 < Moony22> charlie_: I'm pretty sure that's for windows
07:24 < charlie_> I'm on the point where you create the certificates and keys
07:25 < charlie_> Yeah, but the file structures the same
07:25 < Moony22> not really, init-config is for windows
07:25 < charlie_> And, I've also been using this guide too:
07:26 < charlie_> http://www.linux.com/learn/tutorials/304510:weekend-project-setting-up-a-vpn-on-your-linux-router-or-gateway
07:26 <@vpnHelper> Title: Weekend Project: Setting Up a VPN on Your Linux Router or Gateway | Linux.com (at www.linux.com)
07:26 < charlie_> and it says to do ./init-config to run the file
07:27 < Moony22> fair enough, but that's from 2010
07:27 < charlie_> Oh,
07:27 < charlie_> do you have an updated version?
07:27 < Moony22> https://help.ubuntu.com/13.10/serverguide/openvpn.html ubuntu
07:27 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
07:28 < Moony22> ubuntu 13.10 to be specific
07:29 < charlie_> I've been using the howtogeek guide for the router part, since I have that same router
07:29 < charlie_> I'll try using that guide for the keys
07:30 < Moony22> sure, follow that guide but use the updated ubuntu one for getting the keys
07:30 < Moony22> ^
07:50 -!- charlie_ [~charlie@c-174-48-37-15.hsd1.fl.comcast.net] has quit [Quit: Leaving]
07:52 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
07:55 < esde> http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/
07:55 <@vpnHelper> Title: Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too | Ars Technica (at arstechnica.com)
07:55 < esde> Only if not using TLS-Cipher though
07:56 -!- Ko_lo [~kolo@unaffiliated/baptistem] has quit [Ping timeout: 240 seconds]
07:56 < esde> *TLS Auth sorry
07:58 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
07:58 -!- Ko_lo is now known as Guest58895
08:12 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
08:19 -!- ChrisH [~dg7pc@dslb-094-221-210-185.pools.arcor-ip.net] has quit [Ping timeout: 245 seconds]
08:21 -!- ChrisH [~dg7pc@dslb-092-072-151-057.pools.arcor-ip.net] has joined #openvpn
08:28 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:49 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
08:51 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
09:07 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
09:07 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
09:07 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
09:13 -!- Rienzilla [rien@sinas.rename-it.nl] has left #openvpn []
09:14 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:21 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:32 -!- julius_ [~julius_@static.88-198-127-82.clients.your-server.de] has joined #openvpn
09:32 < julius_> hi
09:32 -!- batrick [batrick@nmap/developer/batrick] has quit [Remote host closed the connection]
09:34 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-abxnjdlsydorqsmu] has joined #openvpn
09:35 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:40 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-tjoiucsuvdicppoe] has joined #openvpn
09:49 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
09:52 -!- Guest58895 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
09:54 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
09:54 -!- Ko_lo is now known as Guest67693
09:58 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
10:20 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 265 seconds]
10:27 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:28 -!- mattock is now known as mattock_afk
10:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
10:37 -!- heraclitus__ [~heraclitu@cpe-76-187-142-153.tx.res.rr.com] has quit [Ping timeout: 252 seconds]
10:41 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 276 seconds]
10:43 -!- master_of_master [~master_of@p4FD7B0A9.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
10:44 -!- master_of_master [~master_of@p4FF24D5C.dip0.t-ipconnect.de] has joined #openvpn
10:52 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-hkzbxjzpzwipjfhw] has joined #openvpn
10:52 < SupaYoshi> I want to delete all my openvpn certificates / revoke.
10:52 < SupaYoshi> What is the right way of doing so.
10:52 < SupaYoshi> Step wise.
10:52 < SupaYoshi> Revoke all command, and then delete the files,
10:54 <@Eugene> If you're not going to be using the PKI anymore you can skip the revocation
10:54 <@Eugene> Just delete it all & rerun through the easy-rsa creation process
11:02 -!- lj [~l@66.94.192.181] has joined #openvpn
11:06 < SupaYoshi> Okay
11:06 < SupaYoshi> ./build-dh gives me, Generating DH parameters, 1024 bit long safe prime, generator 2
11:06 < SupaYoshi> Is that good enough? Shouldn't i use 2048?
11:11 -!- Guest67693 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 265 seconds]
11:12 -!- lj1 [~l@192.241.174.169] has joined #openvpn
11:12 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:13 -!- Ko_lo is now known as Guest16191
11:13 -!- lj [~l@66.94.192.181] has quit [Ping timeout: 252 seconds]
11:15 <@krzee> sure, go for it
11:18 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: Leaving.]
11:24 < lj1> krzee: I'm wondering whether or not it would be more efficient for me to run multiple instances of openvpn on a few servers, or separate them server -> server via single instances. Thoughts?
11:24 -!- lj1 is now known as lj
11:30 <@krzee> up to you
11:31 -!- MadTBone_ [~MadTBone@160.39.238.199] has joined #openvpn
11:31 <@krzee> also depends how many cpu cores you have
11:31 <@krzee> you kinda gave NO relevant information
11:31 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
11:33 <@krzee> !learn redirect_ignore as if you want to ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) then you can use route-nopull and use a script to add the routes that are needed
11:33 <@vpnHelper> Joo got it.
11:35 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 250 seconds]
11:36 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
11:41 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
11:46 < julius_> hi
11:47 < julius_> if a router is connected to a vpn and gets the option "redirect-gateway", will it now route all traffic over the vpn?
11:47 < julius_> the router in this case is a openvpn client
11:48 < pekster> Minus the IP of the remote endpoint (avoiding a chicken-vs-egg problem), yes. Except that not using 'def1' with that is foolish as DHCP/PPP clients like to reset your gateway
11:48 < pekster> Read !def1 for deatils, and add that in for better results (on the server if you're pushing it to your clients)
11:51 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:54 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
11:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:58 -!- mattock_afk is now known as mattock
12:07 -!- mapps [~map@bcdc3ff7.skybroadband.com] has joined #openvpn
12:08 -!- lj1 [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
12:09 -!- Devastator [~devas@186.214.15.168] has quit [Changing host]
12:09 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
12:11 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 265 seconds]
12:12 -!- lj [~l@192.241.174.169] has joined #openvpn
12:12 -!- lj1 [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 245 seconds]
12:13 -!- Milenco [~notspam@home.milenco.net] has joined #openvpn
12:13 < Milenco> !welcome
12:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:15 < Milenco> can i restrict accessable networks within openvpn to different users?
12:16 < Milenco> currently i push "route 10.20.1.0 255.255.255.0" to normal users and "route 10.20.0.0 255.255.0" to admins
12:16 < Milenco> however, a normal user can locally add routes through the vpn tunnel and access other network than i pushed him
12:17 < Milenco> can i prevent that within openvpn? i serve dynamic ip's so iptables cant differentiate openvpn users
12:18 < Milenco> ive searched for 'openvpn disallow access to unpushed routes' but can't find any good result
12:19 < pekster> Firewall them. You can either use static IPs (read !static for info, and check out the examples on the wiki link at !addressing)
12:20 < pekster> You _can_ also firewall clients on dynamic IPs assigned by openvpn; use a --client-connect script to do dynamic firewalling
12:21 < pekster> I even have a Netfilter-integrated set of examples for dynamic firewalling here: https://github.com/QueuingKoala/openvpn-dynamic/tree/master/netfilter
12:21 <@vpnHelper> Title: openvpn-dynamic/netfilter at master · QueuingKoala/openvpn-dynamic · GitHub (at github.com)
12:21 < Milenco> thanks! i was thinking about assigning static ip's to certain groups as i wrote it
12:22 < pekster> That's the easier method since you can keep a static firewall config
12:22 < pekster> dynamic firewall rules can get a bit complex in a hurry
12:22 < Milenco> but i would like to use the whole /24 for all types of users
12:22 < pekster> You have more than 252 users total?
12:23 < Milenco> not yet, somewhere near 100
12:23 < pekster> Be sure you're using the 'subnet' topology; you only get 63 users in the old 'net30' topology
12:23 < Milenco> but we aquired some other companies recently so we will be growing, and i wouldnt like to change the assigned subnets when one grows out of its pool
12:24 < Milenco> good point, forgot about that
12:24 < pekster> Otherwise just increase the network size. Nothing wrong with using a /22 or even a /20 if you want to assign static IPs
12:24 < Milenco> usually there are only about 20 connected but that isn't an issue
12:25 < Milenco> static ip's seems less hassle if dynamic firewalling is complex
12:26 < Milenco> i suppose i can't easily change the topology to 'net32' or whatever to use ~250 addresses? without a new client config
12:26 < pekster> No new client config if they're doing the right thing and using --pull (implied by --client)
12:26 < pekster> Just a server restart
12:26 < pekster> Read !topology and !addressing for examples
12:27 < Milenco> thanks again for your help :)
12:27 < Milenco> !static
12:27 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
12:27 <@vpnHelper> also: !addressing
12:28 < Milenco> !topology
12:28 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:29 < Milenco> sweet
12:31 < Milenco> cool, i'll switch to --topology subnet then, since my clients use --client option they'll keep working :)
12:32 < pekster> Yea, you only run into problems if you hard-coded a --topology in your clients after the --pull (a silly idea anyway)
12:33 < Milenco> as for the security issue, i'll take a look into the script you linked
12:33 < Milenco> if i can edit my current script so everything is done automatically that would be great
12:34 -!- amsterdam [~Adium@xdsl-85-197-27-84.netcologne.de] has joined #openvpn
12:35 < Milenco> either way is doable, but dynamic seems more fun :>
12:35 < pekster> You learn more, and it's more flexible should you need that level of control
12:36 < Milenco> exactly :)
12:38 -!- amsterdam [~Adium@xdsl-85-197-27-84.netcologne.de] has quit [Ping timeout: 240 seconds]
12:39 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 265 seconds]
12:40 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
12:40 -!- saint_ [~saint@c-50-166-85-78.hsd1.nj.comcast.net] has joined #openvpn
12:40 < saint_> !clientlan
12:40 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
12:40 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:40 < saint_> !serverlan
12:40 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:40 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:43 < saint_> !route
12:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
12:43 <@vpnHelper> client
12:43 < reiffert> \!route is the best
12:47 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
12:47 -!- saint_ [~saint@c-50-166-85-78.hsd1.nj.comcast.net] has quit [Quit: UNIVERSE CORRUPTED. REBOOT (Y/N) ?]
12:49 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-tjoiucsuvdicppoe] has quit [Quit: Connection closed for inactivity]
12:51 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:55 -!- Mike3 [mad@mx.probie.nl] has joined #openvpn
12:55 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
12:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
13:00 -!- surrealillusion [~surreal@206.191.57.58] has joined #openvpn
13:02 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 240 seconds]
13:02 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
13:02 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-pwrwjmqecmyszkay] has joined #openvpn
13:04 -!- Martin` [martin@2001:16f8:15:1000::85] has quit [Ping timeout: 245 seconds]
13:08 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:10 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
13:17 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
13:18 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
13:18 -!- lj1 [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
13:18 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
13:18 -!- mode/#openvpn [+o mattock] by ChanServ
13:19 -!- lj1 [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Client Quit]
13:20 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 265 seconds]
13:21 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
13:29 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
13:32 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
13:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:33 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
13:34 -!- EvilRoey [~roey@flame-n.senet-int.com] has joined #openvpn
13:34 < EvilRoey> hi
13:34 < EvilRoey> HI
13:34 < EvilRoey> should I change my keys/
13:34 < EvilRoey> ?
13:34 < EvilRoey> I've upgrraded libssl of course.
13:34 < EvilRoey> I am pretty sure the correct next action to take is to replace the keys
13:35 < EvilRoey> !heartbleed
13:35 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
13:35 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
13:36 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
13:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:02 < Thermi> EvilRoey: Of course you should change keys.
14:09 < EvilRoey> ok that's what I suspected, thank you Thermi
14:09 < EvilRoey> vpnHelper:  thanks!
14:12 < Thermi> vpnhelper is a bot.
14:19 < EvilRoey> gotcha
14:19 < EvilRoey> I figured
14:19  * EvilRoey pats vpnHelper, nice bot.
14:19 < EvilRoey> but anyway like I said, thank you
14:19 < EvilRoey> for your help
14:38 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
14:39 < julius_> !def1
14:40 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
14:40 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
14:41 -!- deeville [~deeville@38.117.108.108] has quit [Client Quit]
14:41 < julius_> pekster, im not really sure about your answer to my vpn problem, could you specifiy?
14:42 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
14:42 -!- deeville [~deeville@38.117.108.108] has quit [Client Quit]
14:43 -!- deeville [~deeville@66.97.28.166] has joined #openvpn
14:43 -!- deeville [~deeville@66.97.28.166] has quit [Remote host closed the connection]
14:44 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
14:44 -!- deeville [~deeville@38.117.108.108] has quit [Remote host closed the connection]
14:44 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
14:52 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
14:52 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
14:52 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
14:53 -!- klein [~klein@unaffiliated/klein] has quit [Remote host closed the connection]
14:54 < julius_> i may have to specify my network a bit better:  lan client -> router -> inet -> dedicated server(running openvpn)                what i want is now to change my router config to use openvpn as a client and to connect to the dedicated server and route all traffic over that machine.   if i just use "redirect-gateway" will my lan client be able to use the router and all traffic will be send to the dedicated server first before
14:54 < julius_> it hits the internet?
15:00 -!- dreville [~deeville@dhcp-108-168-112-137.cable.user.start.ca] has joined #openvpn
15:03 < esde> i think so julius_
15:03 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
15:03 -!- deeville [~deeville@38.117.108.108] has quit [Ping timeout: 258 seconds]
15:03 < dvl_> Hah!  getting paid to configure an openvpn client... hah!
15:05 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
15:07 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-abxnjdlsydorqsmu] has quit [Quit: Connection closed for inactivity]
15:09 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-pwrwjmqecmyszkay] has quit [Quit: Connection closed for inactivity]
15:15 < julius_> esde, thx
15:17 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
15:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:30 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Ping timeout: 240 seconds]
15:32 < dreville> !heartbleed
15:32 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
15:32 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
15:34 -!- Aliekezhi [~Aliekezhi@80.215.178.220] has quit [Remote host closed the connection]
15:37 -!- gardar [~gardar@bnc.giraffi.net] has quit [Quit: ZNC - http://znc.in]
15:39 < dreville> what's a good client for Windows? I'm currently testing http://sourceforge.net/projects/securepoint/
15:39 <@vpnHelper> Title: OpenVPN Client Windows | Free software downloads at SourceForge.net (at sourceforge.net)
15:41 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
15:41 -!- dreville [~deeville@dhcp-108-168-112-137.cable.user.start.ca] has quit [Quit: Leaving]
15:42 -!- deeville [~deeville@dhcp-108-168-112-137.cable.user.start.ca] has joined #openvpn
15:50 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 265 seconds]
16:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
16:13 -!- Snuupy [~Snuupy@unaffiliated/snuupy] has joined #openvpn
16:13 -!- lj1 [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
16:13 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Read error: Connection reset by peer]
16:15 < Snuupy> hey - I've installed the openvpn windows x64 client, and for some reason it won't start. the process can be seen from taskmanager (using only 96k RAM), so I'm inclined to believe something went wrong. When I tried to uninstall it, it would get stuck on Service REMOVE, and I can't end the Au_.exe, openvpn-gui.exe, or openvpnserv.exe processes in task manager for some reason.
16:15 < Snuupy> what should I do?
16:16 < Snuupy> running the app as admin doesn't change anything
16:16 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
16:17 < Snuupy> Au_.exe and Bu_.exe then take up 100% of a single core for some reason
16:18 -!- lj [~l@192.241.174.169] has joined #openvpn
16:18 -!- lj1 [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 258 seconds]
16:19 -!- gardar [~gardar@bnc.giraffi.net] has quit [Client Quit]
16:19 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
16:22 -!- gardar [~gardar@bnc.giraffi.net] has quit [Client Quit]
16:23 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
16:25 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 28.0/20140314220517]]
16:27 < dvl_> Anyone know if you can configure ccd on openvpn via pfsense?
16:28 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:40 -!- gunb0at [gunb0at@114.4.80.47] has joined #openvpn
16:51 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:59 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:00 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 250 seconds]
17:12 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
17:12 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
17:12 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
17:13 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:19 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:21 -!- otwieracz [~gonet9@v6.gen2.org] has left #openvpn []
17:36 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:40 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:43 -!- esde [~esde@107.150.1.2] has quit [Changing host]
17:43 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
17:51 -!- smokealot [smoke@unaffiliated/smokealot] has joined #openvpn
17:51 -!- smokealot [smoke@unaffiliated/smokealot] has left #openvpn ["Leaving"]
17:52 < pekster> Snuupy: Sounds like you got malware. "Au_" sounds really suspect
17:52 < pekster> !download
17:52 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:52 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:52 < pekster> Snuupy: All OpenVPN builds are signed by MS Authenticode and gpg keys
17:53 < thefinn93> Is this a good channel to ask about OpenVPN for android?
17:53 < pekster> thefinn93: Yup. GPL OpenVPN is available at:
17:53 < pekster> !android
17:53 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
17:54 < thefinn93> kay
17:54 < thefinn93> uh so for various reasons OpenVPN wont connect over T-Mobile's network because it's IPv6 only (according to my googling)
17:55 < thefinn93> i can put it into 4/6 mode, but i'd rather just have it connect over v6
17:55 < pekster> !ipv6
17:55 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
17:55 < thefinn93> i added v6 support to the server, but im not sure how to tell the app to use it
17:55 < pekster> Oh, that article only covers v6 in the tunnel
17:55 < thefinn93> do i ah
17:56 < thefinn93> grr
17:56 < pekster> thefinn93: In the client config, specify `--proto udp6`
17:56 < pekster> (or tcp-client6)
17:57 < pekster> So, basically the exact same thing you did on your server
17:57 < thefinn93> right
17:57 < pekster> (providing v6 in the tunnel is completely optional and not required for v6 transport; they're separate things)
17:57 < thefinn93> hmm okay
17:57 < thefinn93> yeah i assumed as much
17:58 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
17:58 < thefinn93> how do i specify that in the app?
17:58 < thefinn93> or do i need to re-import
17:58 < pekster> Yea, do that
17:58 < pekster> Or find a text editor and just edit the config on the 'droid
17:58 < FatDarrel> hey i just got openvpnas running iin qemu any hints in how to get it to work
17:58 < thefinn93> yeah
17:58 < pekster> FatDarrel: #openvpn supports OpenVPN, which is a GPL product. AS is a closed-source, EULA-bound commercial product, and for support you should ask the company that maintains/sells it:
17:58 < FatDarrel> how many network interfaces doe it need?
17:58 < pekster> !as
17:59 < thefinn93> uh, just to confirm, the config change is from "proto udp" to "proto udp6 udp", right?
17:59 < pekster> Well, lazy bot. See our /TOPIC for the ref too
17:59 < pekster> No, just `proto udp6`
17:59 < FatDarrel> thanks
17:59 < pekster> Same idea as AF_INET -> AF_INET6
17:59 < thefinn93> pekster: right... anyway to have it allow both?
18:00 < pekster> Nope, you need two instances to do that on your server (with different network ranges for the VPN)
18:00 <@plaisthos> thefinn93: err
18:00 < pekster> dual-stack is on the wishlist
18:00 < thefinn93> damn
18:00 < thefinn93> okay
18:00 <@plaisthos> thefinn93: are you connecting to a ipv4 address or a hostname?
18:00 < thefinn93> plaisthos: its a dualstacked hostname
18:00 <@plaisthos> hm
18:00 < thefinn93> vpn.thefinn93.com
18:01 <@plaisthos> then openvpn shouldn't have problems one t-mobile ipv6 net
18:01 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 245 seconds]
18:01 < thefinn93> my server may not be listening properly, based on what pekster just said
18:01 <@plaisthos> yeah
18:02 <@plaisthos> you could try to remove the ipv6 address from the hostname
18:02 < thefinn93> i only added the v6 address after this came up
18:02 <@plaisthos> then dns64 will provide a nat64 ipv6 address for the ipv4 address
18:04 < thefinn93> this is what i was reading before: http://support.t-mobile.com/thread/60804
18:04 <@vpnHelper> Title: T-Mobile VPN Fix | T-Mobile Support (at support.t-mobile.com)
18:04 < thefinn93> changing the APN settings as suggested is the only thing that's made it connect
18:05 <@Eugene> Never had a problem with it on my T-Mo lines, but I'm a CyanogenMod user.
18:05 <@plaisthos> thefinn93: I have seen a nat64 log from my client which worked
18:05 <@plaisthos> Eugene: android 4.4 already?
18:05 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
18:05 < thefinn93> plaisthos: huh. idk
18:05 <@Eugene> Android Version: 4.4.2
18:06 <@Eugene> CyanogenMod version: 11-20140331-NIGHTLY-hammerhead
18:06 <@plaisthos> Eugene: check if you APN uses IPv6 or IPv4
18:06 < thefinn93> im fine with this TBH, theres no actual downside, just sort of forcing legacy options rather than moving to v6
18:06 < thefinn93> i guess v4 isnt legacy yet, but yeah
18:06 <@Eugene> v4 indeed. Guessing CM hasn't taken that push from upstream ;-)
18:06 <@Eugene> Actually wait, that one is a AT&T SIM. Hah
18:07 < thefinn93> lol
18:07 < thefinn93> that might do it
18:07 <@Eugene> IPv4 on an actually-Tmo phone
18:08 <@plaisthos> I cannot test that ipv6 stuff on my phone :/
18:08 < thefinn93> :(
18:08 <@plaisthos> T-mobile here does not have IPv6
18:08 <@plaisthos> the T-mobile that was once just T-mobil
18:08 < thefinn93> hey pekster you mentioned that dual-stack was on the wishlist. Could you give me a rough ETA? Im just trying to get an idea of where on the wishlist
18:09 <@plaisthos> thefinn93: for client or server?
18:09 < thefinn93> both
18:09 <@plaisthos> for client it is in -master
18:09 <@plaisthos> which is what OpenVPN for Android uses
18:09 < thefinn93> mk
18:10 < thefinn93> so how bout server?
18:10 <@plaisthos> for server you can bind to a Ipv6 socket and get mapped v4 addresses
18:10 <@plaisthos> more complete support would require OpenVPN opening multiple sockets
18:10 < thefinn93> mk
18:10 <@plaisthos> which is doable but nobody has stepped yp to do it
18:11 < thefinn93> gotcha
18:12 < thefinn93> hmm so the v6 socket mapped to a v4 address thing
18:12 < thefinn93> what does that entail?
18:13 <@plaisthos> basically connecting to a 4 address is broken
18:13 <@plaisthos> but only for the VPN API
18:13 <@plaisthos> so you have to use a IPv6 address
18:13 <@plaisthos> either a real one
18:13 <@plaisthos> or an IPv4 mapped NAT64/DNS64 address
18:16 < thefinn93> mk
18:16 < thefinn93> i need to learn more about IPv6...
18:16 < thefinn93> thanks though
18:21 -!- gunb0at [gunb0at@114.4.80.47] has quit [Ping timeout: 250 seconds]
18:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
18:24 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Ping timeout: 240 seconds]
18:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 250 seconds]
18:46 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 252 seconds]
18:47 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
18:48 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
19:13 -!- lj [~l@74.120.200.95] has joined #openvpn
19:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:19 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
19:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
19:33 -!- c0ded [~c0ded@2607:5300:60:350:c0d3:c0d3:c0d3:c0d3] has joined #openvpn
19:38 -!- c0ded [~c0ded@2607:5300:60:350:c0d3:c0d3:c0d3:c0d3] has quit [Changing host]
19:38 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
20:35 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
20:45 -!- lj [~l@74.120.200.95] has quit [Quit: Leaving.]
20:58 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:58 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:11 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
21:23 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
21:29 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
21:44 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 252 seconds]
21:44 -!- acu [~acu@50.244.13.221] has joined #openvpn
21:49 -!- lj [~l@74.120.200.95] has joined #openvpn
22:00 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:01 -!- lj [~l@74.120.200.95] has quit [Ping timeout: 252 seconds]
22:04 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
22:04 -!- Devastatr [~devas@186.214.15.168] has joined #openvpn
22:04 -!- u0m3_ [~u0m3@92.80.126.165] has joined #openvpn
22:07 -!- u0m3 [~u0m3@92.80.126.165] has quit [Ping timeout: 258 seconds]
22:08 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 240 seconds]
22:09 -!- acu_ [~acu@50.244.13.221] has joined #openvpn
22:09 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds]
22:10 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
22:10 -!- mode/#openvpn [+o dazo_afk] by ChanServ
22:10 -!- dazo_afk is now known as dazo
22:12 < n13l> morning :)
22:12 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 245 seconds]
22:22 -!- haasn` [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
22:27 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has joined #openvpn
22:28 -!- haasn [~nand@2a01:4f8:d13:5245::2] has quit [Quit: nand]
22:28 -!- haasn` [~haasn@2a01:4f8:d13:5245::2] has quit [Quit: haasn]
22:30 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
22:50 -!- Snuupy [~Snuupy@unaffiliated/snuupy] has left #openvpn ["I'm not being mean, you're just insignificant."]
22:57 -!- acu_ [~acu@50.244.13.221] has quit [Ping timeout: 252 seconds]
22:58 -!- acu_ [~acu@50.244.13.221] has joined #openvpn
23:00 -!- lj [~l@74.120.203.218] has joined #openvpn
23:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
23:04 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:04 < lj> Anyone about that could help me with an error in the pam service module. Having issues with authentication.
23:04 -!- ShadniX [dagger@p5DDFE20E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:06 < lj> error logs : http://privatepaste.com/232b35bdef/error
23:06 -!- ShadniX [dagger@p5DDFEE43.dip0.t-ipconnect.de] has joined #openvpn
23:06 -!- acu_ [~acu@50.244.13.221] has quit [Ping timeout: 252 seconds]
23:08 -!- ron_ [~ron@ppp118-210-131-174.lns20.adl6.internode.on.net] has quit [Ping timeout: 276 seconds]
23:09 -!- ron_ [~ron@ppp118-210-236-250.lns20.adl6.internode.on.net] has joined #openvpn
23:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
23:12 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:12 -!- Guest16191 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
23:14 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:15 -!- Ko_lo is now known as Guest71383
23:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
23:20 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:20 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
23:37 -!- mspah_ [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has joined #openvpn
23:56 -!- Mike3 is now known as Mike--
--- Day changed Fri Apr 18 2014
00:00 -!- dreville [~deeville@38.117.108.108] has joined #openvpn
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:01 -!- acu [~acu@50.244.13.221] has joined #openvpn
00:03 -!- deeville [~deeville@dhcp-108-168-112-137.cable.user.start.ca] has quit [Ping timeout: 240 seconds]
00:03 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:05 -!- dreville [~deeville@38.117.108.108] has quit [Ping timeout: 240 seconds]
00:08 -!- acu_ [~acu@50.244.13.221] has joined #openvpn
00:09 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
00:13 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
00:13 -!- acu_ [~acu@50.244.13.221] has quit [Ping timeout: 245 seconds]
00:18 -!- gunb0at [gunb0at@114.4.80.47] has joined #openvpn
00:22 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
00:23 -!- gunb0at [gunb0at@114.4.80.47] has quit [Ping timeout: 245 seconds]
01:19 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
01:26 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
01:53 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
02:05 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
02:06 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
02:06 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:19 -!- mspah_ [~mspah@c-67-183-108-87.hsd1.wa.comcast.net] has quit [Ping timeout: 276 seconds]
02:31 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has joined #openvpn
02:31 -!- Moony22 [~Moony22@host86-132-53-208.range86-132.btcentralplus.com] has quit [Changing host]
02:31 -!- Moony22 [~Moony22@unaffiliated/moony22] has joined #openvpn
02:33 -!- Fusl is now known as ^f
02:35 -!- ^f is now known as ^o
02:35 -!- ^o is now known as ^p
02:35 -!- ^p is now known as ^q
02:35 -!- ^q is now known as ^p
02:36 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
02:36 -!- ^p is now known as ^y
02:36 -!- ^y is now known as Fusl
03:10 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 240 seconds]
03:26 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
03:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:24 -!- mapps [~map@bcdc3ff7.skybroadband.com] has quit [Ping timeout: 276 seconds]
04:39 < svg> Hi, is there a way to force output of scripts to go to syslog?
04:44 -!- acu [~acu@50.244.13.215] has joined #openvpn
04:48 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Quit: ZNC - http://znc.in]
04:51 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
05:10 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Remote host closed the connection]
05:11 -!- gunb0at [gunb0at@114.4.80.47] has joined #openvpn
05:16 -!- b00b [~spunk@smurf.mmnetworks.se] has joined #openvpn
05:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:43 -!- julius_ [~julius_@static.88-198-127-82.clients.your-server.de] has left #openvpn ["Leaving"]
05:54 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
06:03 < pekster> svg: Yup, read about logger(1)
06:06 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 246 seconds]
06:07 -!- joshh20-Away is now known as joshh20
06:08 < svg> pekster: thanks, but that means doing it in the script itself :)
06:10 < dos-freak> svg: Just pipe it into logger
06:10 < dos-freak> myscript.sh | logger -i
06:11 < svg> right, did'nt think of that, but then I guess I'd need a wrapper script, I can't put the pipe notation directly in the openvpn config
06:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
06:29 -!- acu [~acu@50.244.13.215] has quit [Read error: Connection timed out]
06:29 -!- acu [~acu@50.244.13.215] has joined #openvpn
06:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
06:52 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
06:56 -!- acu [~acu@50.244.13.215] has quit [Quit: Leaving]
06:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
07:04 -!- acu [~acu@50.244.13.215] has joined #openvpn
07:10 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
07:15 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
07:25 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:25 -!- mode/#openvpn [+v s7r] by ChanServ
07:31 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 252 seconds]
07:32 < dvl_> Any opinions on using storing a username & password and invoking it via 'auth-user-pass auth.txt'?  in conjunction with a certificate.
07:36 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
07:39 -!- mattock is now known as mattock_afk
07:40 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
07:40 -!- antihero [~antihero@37.139.5.204] has joined #openvpn
07:40 < antihero> If I'm using my OVPN config with NetworkManager, it seems to try and route my packets through it.
07:40 < antihero> How do I make it not hijack my default route to the internet
07:41 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 258 seconds]
07:42 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
07:45 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:55 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:57 -!- Milenco [~notspam@home.milenco.net] has quit [Ping timeout: 276 seconds]
07:57 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
08:00 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 258 seconds]
08:00 -!- zrdz13 [~zrdz13@login.univie.ac.at] has joined #openvpn
08:01 -!- zrdz13 [~zrdz13@login.univie.ac.at] has quit [Quit: leaving]
08:02 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
08:05 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 252 seconds]
08:06 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
08:08 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:08 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
08:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
08:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:16 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 258 seconds]
08:21 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
08:36 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 258 seconds]
08:37 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
08:38 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
08:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
08:57 -!- mattock_afk is now known as mattock
09:10 -!- gunb0at [gunb0at@114.4.80.47] has quit []
09:11 -!- acu [~acu@50.244.13.215] has quit [Ping timeout: 245 seconds]
09:12 -!- acu [~acu@50.244.13.215] has joined #openvpn
09:31 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
09:43 < stemid> what's the advantage to using tls-server option?
09:44 < stemid> I'm a bit confused about that option because it seems most people use the TLS Mode Options but I rarely see the tls-server option specified. so is it implied?
09:44 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
09:46 -!- Devastatr [~devas@186.214.15.168] has quit [Ping timeout: 240 seconds]
09:49 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
10:13 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 265 seconds]
10:14 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
10:22 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Remote host closed the connection]
10:25 -!- joshh20 is now known as joshh20-Away
10:31 <@Eugene> dvl_ - auth-user-pass is meant to be dealt with by a human being; for this reason reading from a text file is disabled in the Official builds to discourage that behaviour
10:31 <@Eugene> !ubuntu
10:31 <@vpnHelper> "ubuntu" is dont use network manager!
10:32 < dvl_> Eugene: Indeed
10:32 <@Eugene> antihero - ^ we hate NM because it hides the real openvpn config from you. Use /etc/openvpn/ and `service`
10:32 <@Eugene> stemid - typically --server is used, which expands to include --tls-server
10:33 < stemid> Eugene: I see, that would explain it. but the manpage does not make this clear that server implies tls-server
10:33 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
10:33 <@Eugene> stemid - Yes, it does. "expands as follows:"
10:33 < stemid> oic thanks
10:34 < stemid> strangely enough I've gotten away without using either of those on my server.
10:34 <@Eugene> Single-client? ;-)
10:34 < stemid> I was hoping not, but so far I've only used it with one client
10:34 < stemid> I'm just about to try another
10:34 <@Eugene> That's why. --mode defaults to p2p, which is 1:1
10:35 < stemid> oh so most likely I will fail with two clients
10:35 <@Eugene> Yup.
10:35 < stemid> good to know!
10:35 -!- mattock is now known as mattock_afk
10:35 < dvl_> Eugene: in this case, it's not a person, but a server.  Weren't sure how to best handle it.
10:36 <@Eugene> Don't use manual verification on automatd connetions
10:39 < dvl_> Eugene: It wouldn't be manual.  auth-user-pass auth.txt
10:39 < dvl_> with u/p in auth.txt
10:40 -!- master_o1_master [~master_of@p4FF24ABA.dip0.t-ipconnect.de] has joined #openvpn
10:40 < dvl_> plus cert
10:42 <@ecrist> Eugene: windows builds now are done with --enable-passwd-save enabled
10:43 -!- master_of_master [~master_of@p4FF24D5C.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:44 <@ecrist> dvl_: wrt to opinion, it depends on how you use the user/pass, and how secure/trusted your clients really are.
10:45 < dvl_> ecrist: Noted.  We're using pfsense to host the OpenVPN server, and we don't want to deviate far from that.  For my own hosts, I just do certs.
10:45 <@ecrist> we actually have an admin VPN setup that uses authentication, but we use it as a variable
10:45 <@ecrist> i.e., we auth based on certificate, and pull the username into a connect script that passes routes based on the username sent
10:46 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has quit [Changing host]
10:46 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
10:46 <@ecrist> so, as I connect, if I want routes for one data center, I set the username to that DC nickname, and I get routes JUST for that DC
10:46 <@ecrist> if I want routes for all of our DCs, I use the username "full"
10:46 <@ecrist> we ignore the password
10:46 <@ecrist> dvl_: you can upload whatever openvpn config you want, you don't have to use their GUI
10:47 < dvl_> ecrist: I'll mention that here.  Thanks.
11:01 -!- megaTherion [~therion@unix.io] has quit [Remote host closed the connection]
11:10 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
11:12 -!- Guest71383 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 258 seconds]
11:14 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:15 -!- Ko_lo is now known as Guest19034
11:33 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
11:35 -!- dogewaat_ [uid3966@gateway/web/irccloud.com/x-tcprwfjmokebfboy] has quit [Quit: Connection closed for inactivity]
11:41 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
12:03 < lj> ecrist: You around?
12:05 -!- joshh20-Away is now known as joshh20
12:05 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Ping timeout: 245 seconds]
12:13 <@Eugene> !anyone
12:13 -!- Moony22 [~Moony22@unaffiliated/moony22] has quit [Quit: Lost terminal]
12:13 <@Eugene> Hm
12:33 <@krzee> lj,!ask
12:33 <@krzee> !ask
12:33 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
12:33 <@krzee> stop pinging us and just ask your questions
12:33 <@krzee> and you should probably read that link ^
12:35 <@krzee> #1
12:37 -!- noobboob [uid5587@gateway/web/irccloud.com/x-wrzlehaigpxhlvta] has joined #openvpn
12:45 < lj> :P krzee I already asked it.
12:46 < lj> krzee: http://privatepaste.com/b17d87dc16/lj issue I'm having.
12:47 < lj> Failure with authentication. Somethin gto do with the pam mod. Haven't found anything conclusive.
12:47 < lj> Was pinging ecrist to discuss a few different setup choices, but I suppose I could just post those in here as well :).
12:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:58 < pekster> lj: Looks like your plugin is returning a generic 'auth does not pass PAM checks' code. Your system logs should have details as to why so long as the request got to PAM for authentication
13:02 < lj> pekster: openvpn[8709]: pam_securetty(login:auth): cannot determine user's tty
13:02 < pekster> Yea, sounds like you need to re-work your PAM stack because something in there is requiring a tty
13:02 < lj> Lol took a second for me to realize that that was secure-tty
13:06 < lj> "re-work my pam stack" *squints*
13:06 < pekster> Unless you actually want to deny VPN access to any user who is not on a secure-tty (generally the "actually, physical ones") you shouldn't be requiring that
13:07 < pekster> Sounds to me like you have a 'require' when it should be 'sufficient', or are simply throwing vpn users into that module needlessly
13:32 -!- kevinsky [~kevin@senna.rosendaal.net] has quit [Ping timeout: 255 seconds]
13:48 -!- _tarball [~quassel@port-53949.pppoe.wtnet.de] has joined #openvpn
13:49 -!- _nexxus_ [~bwg@ragnar.pannexusa.com] has quit [Quit: Leaving.]
13:57 -!- Latrina [~Latrina@adsl-ull-238-209.50-151.net24.it] has quit [Ping timeout: 246 seconds]
14:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
14:00 -!- Latrina [~Latrina@adsl-ull-131-223.50-151.net24.it] has joined #openvpn
14:02 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
14:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:05 -!- Latrina [~Latrina@adsl-ull-131-223.50-151.net24.it] has quit [Ping timeout: 250 seconds]
14:06 -!- Latrina [~Latrina@adsl-ull-126-220.50-151.net24.it] has joined #openvpn
14:10 -!- Latrina_ [~Latrina@ppp-144-52.26-151.libero.it] has joined #openvpn
14:12 -!- Latrina [~Latrina@adsl-ull-126-220.50-151.net24.it] has quit [Ping timeout: 276 seconds]
14:28 -!- lj1 [~l@192.241.174.169] has joined #openvpn
14:30 -!- _tarball [~quassel@port-53949.pppoe.wtnet.de] has quit [Quit: none]
14:30 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 276 seconds]
14:36 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
14:39 -!- joshh20 is now known as joshh20-Away
14:50 -!- mback2k_ is now known as mback2k
15:01 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Remote host closed the connection]
15:02 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
15:06 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
15:08 -!- marlinc is now known as Marlinc
15:08 -!- Marlinc is now known as Simex
15:08 -!- Simex is now known as Simex1995
15:08 -!- Simex1995 is now known as Marlinc
15:18 < harlan> What's a good way to edit the config file under windows if the user account has admin rights but does not ordinarily run as the administrator?
15:18 < harlan> I'm trying to solve the problem of routes pushed to the box are not being added - trying the fix described in http://mugurel.sumanariu.ro/windows/vista-and-win-7-openvpn-route-problem/
15:22 -!- noobboob [uid5587@gateway/web/irccloud.com/x-wrzlehaigpxhlvta] has quit [Quit: Connection closed for inactivity]
15:25 < harlan> OK, I just tweaked the access perms on the file.
15:28 -!- Marlinc is now known as Marlin
15:28 -!- Marlin is now known as Marlinc
15:40 -!- zetheroo1 [~zeth@53-61.1-85.cust.bluewin.ch] has joined #openvpn
15:42 < zetheroo1> I am trying to get an openvpn connection to work ... I can connect fine, but cannot ping any systems in the remote network - not with IP's nor with hostnames ... the client is running Ubuntu ... I know the server side is working because the connection and pings/sshing works perfectly from my Android phone ...
15:43 -!- justinzane [~justinzan@12.172.184.180] has quit [Remote host closed the connection]
15:44 -!- justinzane [~justinzan@12.172.184.180] has joined #openvpn
15:48 < reiffert> zetheroo1: crystall balls tells me that the clients LAN subnet is overlapping the vpn subnet
15:52 < zetheroo1> ok ... if I understand that .. yes it sounds likely ...
15:55 < reiffert> client logs would be best
15:55 < reiffert> !logs
15:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:56 < zetheroo1> I cannot get the logs for the OpenVPN server ...
15:58 < zetheroo1> I am looking for the log files on the Ubuntu client ...
15:58 < pekster> !logfile
15:58 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
15:58 < pekster> !configs
15:58 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:58 < pekster> And, to put them somewhere useful:
15:58 < pekster> !paste
15:58 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
16:02 < zetheroo1> ok, here is something from syslog ... don't know if it helps http://paste.ubuntu.com/7278808/
16:05 < zetheroo1> the config is done through Network Manager ... not sure how to get the config from there into pastebin ..
16:06 < pekster> !ubuntu
16:06 <@vpnHelper> "ubuntu" is dont use network manager!
16:06 < pekster> If you have problems with a GUI, don't use it. Try `openvpn --config /your/config/file.conf`
16:06 < pekster> If that works, the GUI is your problem. If not, you can then provide the real logs
16:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:09 < zetheroo1> it worked via the GUI before ... I just reformatted and reinstalled Ubuntu ...
16:18 < zetheroo1> so I somehow need to get the Local LAN connection to pay attention to the remote LAN when the VPN is connected ...
16:20 < reiffert> zetheroo1:
16:20 < reiffert> !ubuntu
16:20 <@vpnHelper> "ubuntu" is dont use network manager!
16:21 < pekster> If you can't show your configs or logs, we can't do much to help
16:21 < pekster> You can whine to the people who maintain the Network-Manager, but pretty much no one here uses it becuase (as you've discovered) it doesn't really tell you what's gone wrong
16:22 -!- justinzane [~justinzan@12.172.184.180] has quit [Ping timeout: 240 seconds]
16:22 < zetheroo1> ok thanks ;)
16:23 < pekster> As I suggested earlier, invoke openvpn on your configs from a command line, as root. Once you get that working correctly feel free to mess with a GUI frontend, but not before then
16:24 < pekster> The one thing I do see from your earlier paste is on line 135: somethin causes the network to become unreachable there. OpenVPN obviously does not work if you can't route
16:25 < zetheroo1> I am trying to get this working in a manner that our other users can use it ... so going through the GUI is preferable ...
16:25 < pekster> Then go complain to n-m that it doesn't work
16:25 < zetheroo1> on the server side all is well because the connection works fully on my mobile phone ...
16:25 < pekster> You have so many moving parts that #openvpn will not help with: network-manager, dbus, avahi, and probably good chunks of systemd
16:25 < pekster> We don't deal with any of that
16:26 < zetheroo1> ok - but routing!?
16:26 < pekster> Yes, the cause of your failure is a routing problem
16:26 < zetheroo1> there are routing options ...
16:26 < pekster> You're not reading
16:26 < pekster> !read
16:26 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
16:26 < zetheroo1> I can add a route on the LAN connection or on the VPN connection ....
16:26 < pekster> I'm telling you that SOMETHING (very likelyh realted to the fucked up networkmanager) is breaking things
16:27 < pekster> FFS, you won't get help here unless you run openvpn without all the bullshit attached
16:27 < zetheroo1> ok
16:27 < zetheroo1> thanks
16:27 < pekster> Apr 18 22:36:22 zeth-ThinkPad-R61 nm-openvpn[4443]: write UDPv4: Network is unreachable (code=101)
16:27 < pekster> Yup, routing problem
16:27 -!- Nikon [Nikon@alpha.yourbnc.co.uk] has quit [Ping timeout: 258 seconds]
16:27 < pekster> If you can't reach a network, stuff breaks
16:27 <@krzee> then once you get it working with just openvpn, you can add all the extra crap you want,
16:28 <@krzee> cause you'll know from there its not an openvpn related issue
16:29 < pekster> krzee: Oh geez, "/usr/lib/NetworkManager/nm-openvpn-server-openvpn-helper" . I'm actually somewhat surprised that's not yet using some systemd/dbus interface for it :P
16:35 -!- Eugene is now known as EuyenaKeg
16:35 <@krzee> i hate nm
16:35 <@krzee> !netman
16:35 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
16:35 <@krzee> !ubuntu
16:35 <@vpnHelper> "ubuntu" is dont use network manager!
16:38 < reiffert> !ubuntu
16:38 <@vpnHelper> "ubuntu" is dont use network manager!
16:38 < reiffert> !nm
16:39 < reiffert> learn nm as nevermind or never use network manager or network manager or see !ubuntu
16:45 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-txajyvfiwbvpobje] has joined #openvpn
16:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
16:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:50 -!- zetheroo1 [~zeth@53-61.1-85.cust.bluewin.ch] has quit [Ping timeout: 265 seconds]
16:54 -!- zetheroo [~zeth@2a02:1205:5013:d350:714f:fee8:4fea:433b] has joined #openvpn
16:58 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
17:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
17:03 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:03 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
17:05 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
17:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:09 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
17:12 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
17:19 -!- zetheroo [~zeth@2a02:1205:5013:d350:714f:fee8:4fea:433b] has quit [Read error: Connection reset by peer]
17:19 -!- zetheroo [~zeth@2a02:1205:5013:d350:714f:fee8:4fea:433b] has joined #openvpn
17:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:22 -!- zetheroo [~zeth@2a02:1205:5013:d350:714f:fee8:4fea:433b] has left #openvpn []
17:23 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
17:27 -!- mback2k is now known as mback2k_
17:34 -!- X-Scale [email@2001:470:1f14:135b::2] has joined #openvpn
17:46 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:53 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
17:58 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:59 -!- lj [~l@74.120.203.218] has joined #openvpn
17:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:03 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 265 seconds]
18:07 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
18:27 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has joined #openvpn
18:28 < Fudge> !welcome
18:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:29 < Fudge> good idea
18:45 -!- lj [~l@74.120.203.218] has joined #openvpn
18:48 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has joined #openvpn
18:50 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 258 seconds]
18:51 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 250 seconds]
19:00 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-txajyvfiwbvpobje] has quit [Quit: Connection closed for inactivity]
19:34 -!- happy_nodes [~happy_nod@5353BF9D.cm-6-4c.dynamic.ziggo.nl] has joined #openvpn
19:34 < happy_nodes> <happy_nodes> I have two process of openvpn running on same port but different protocols namely udp and TCP. I added a route today to both the configs today and restarted the process, but UDP one is not working but TCP is working fine. Does anyone know what could be the reason for this
19:34 < happy_nodes> I am using radius for authentication
19:37 -!- Latrina_ is now known as Latrina
19:37 -!- Latrina is now known as Latrina_
19:37 -!- Latrina_ is now known as Latrina
19:42 -!- TheNumbers [uid21212@gateway/web/irccloud.com/x-rqodeslyiulhagor] has joined #openvpn
19:44 < TheNumbers> question regarding Access Server and Layer 3 routing/NAT. Possible to VPN in from a remote location and RDP to a client on the local LAN using DNS name? Sort of worked with Layer 2 VPN mode but was really glitch.
19:45 < pekster> !as
19:45  * pekster points to the topic while the bot takes its time
19:46 < pekster> happy_nodes: define "not working", ideally with logs (see: !logs if you're not sure where/what they are)
19:46 -!- lj [~l@74.120.203.218] has joined #openvpn
19:50 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 240 seconds]
19:51 < TheNumbers> pekster: thanks missed the topic :P
19:52 < pekster> !ping
19:52 <@vpnHelper> pong
19:52 < pekster> Weird
19:56 < happy_nodes> Process is running on the server, authentication is not working
19:57 < happy_nodes> I checked logs on the Radius Server and I see following error : Reason = Authentication was not successful because an unknown user name or incorrect password was used.
19:58 < happy_nodes> We have two radius servers, for one server its working but for other server authentication is not working
19:58 < pekster> So the auth server is rejecting the conection. Bad credentials or maybe sending it to the wrong auth server
20:07 < happy_nodes> On one server its working on other server its not
20:07 < happy_nodes> Configs on both the server are exactly the same
20:08 -!- happy_nodes [~happy_nod@5353BF9D.cm-6-4c.dynamic.ziggo.nl] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
20:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
20:47 -!- lj [~l@74.120.203.218] has joined #openvpn
20:48 -!- lj1 [~l@74.120.203.218] has joined #openvpn
20:52 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 276 seconds]
20:53 -!- lj1 [~l@74.120.203.218] has quit [Ping timeout: 240 seconds]
21:04 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
21:20 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
21:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
21:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
21:49 -!- lj [~l@74.120.203.218] has joined #openvpn
21:54 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 245 seconds]
21:56 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
22:17 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:19 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
22:50 -!- lj [~l@74.120.203.218] has joined #openvpn
22:55 -!- lj [~l@74.120.203.218] has quit [Ping timeout: 258 seconds]
23:05 -!- ShadniX [dagger@p5DDFEE43.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:06 -!- ShadniX [dagger@p5DDFF669.dip0.t-ipconnect.de] has joined #openvpn
23:12 -!- Guest19034 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
23:14 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:14 -!- Ko_lo is now known as Guest67379
23:24 -!- MadTBone_ [~MadTBone@160.39.238.199] has quit [Ping timeout: 240 seconds]
23:25 -!- MadTBone_ [~MadTBone@160.39.238.199] has joined #openvpn
23:27 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
23:42 -!- jeev [~jeev@192.198.83.41] has joined #openvpn
23:42 -!- jeev [~jeev@192.198.83.41] has quit [Changing host]
23:42 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
--- Day changed Sat Apr 19 2014
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:01 -!- ShadniX [dagger@p5DDFF669.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:04 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
00:04 -!- ShadniX [dagger@p5DDFD3D8.dip0.t-ipconnect.de] has joined #openvpn
00:06 -!- SpiceMan [~SpiceMan@unaffiliated/spiceman] has quit [Quit: reboot]
00:11 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
00:17 -!- X-Scale [email@2001:470:1f14:135b::2] has quit [Ping timeout: 240 seconds]
00:49 -!- adh0c [~adh0c@50.116.51.165] has joined #openvpn
00:55 < adh0c> !welcome
00:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:55 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:00 -!- nattom [~nattom@5.104.224.195] has joined #openvpn
01:09 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
01:23 -!- Guest67379 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 250 seconds]
01:25 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
01:26 -!- Ko_lo is now known as Guest83884
01:53 -!- gallatin [~gallatin@dslb-092-073-072-016.pools.arcor-ip.net] has joined #openvpn
01:56 -!- adh0c [~adh0c@50.116.51.165] has quit [Ping timeout: 258 seconds]
02:12 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
02:13 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Quit: No Ping reply in 180 seconds.]
02:14 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
02:14 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
02:38 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Connection reset by peer]
03:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:15 -!- X-Scale [email@2001:470:1f14:135b::2] has joined #openvpn
03:15 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
03:15 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
03:15 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:18 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds]
03:21 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
03:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:28 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
03:33 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
03:48 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
03:50 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
04:01 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
04:03 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
04:05 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:30 -!- catsup [d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
04:30 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:37 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
04:37 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
04:45 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
04:49 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:50 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-miszgsznprvhtaqw] has joined #openvpn
04:56 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
04:58 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:16 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
05:19 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
05:39 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
05:47 -!- mback2k_ is now known as mback2k
05:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:52 -!- mode/#openvpn [+o syzzer] by ChanServ
06:15 -!- joshh20-Away is now known as joshh20
06:47 -!- gallatin [~gallatin@dslb-092-073-072-016.pools.arcor-ip.net] has quit [Quit: Client exiting]
06:50 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:03 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
07:06 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has quit [Ping timeout: 240 seconds]
07:09 -!- chimeric [~surreal@206.191.57.58] has joined #openvpn
07:10 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
07:13 -!- WinstonSmith_ [~WinstonSm@bl13-192-220.dsl.telepac.pt] has joined #openvpn
07:14 -!- Netsplit *.net <-> *.split quits: Nothing4You, surrealillusion, WinstonSmith, nlb, _KaszpiR_
07:15 -!- Netsplit over, joins: Nothing4You
07:15 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:16 -!- joshh20 is now known as joshh20-Away
07:17 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has joined #openvpn
07:19 -!- u0m3_ [~u0m3@92.80.126.165] has quit [Ping timeout: 245 seconds]
07:24 -!- joshh20-Away is now known as joshh20
07:30 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
07:35 -!- michelem [~Adium@84-73-202-179.dclient.hispeed.ch] has joined #openvpn
07:36 < michelem> hello folks
07:37 < michelem> I have a VPN server setup with route-through. "ping" and "dig" direct to 8.8.8.8 work, but if I try to ping anything else, I get "unknown host"
07:42 -!- michelem [~Adium@84-73-202-179.dclient.hispeed.ch] has quit [Read error: Connection reset by peer]
07:42 -!- michelem [~Adium@84-73-202-179.dclient.hispeed.ch] has joined #openvpn
07:45 -!- michelem [~Adium@84-73-202-179.dclient.hispeed.ch] has quit [Client Quit]
07:48 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:07 -!- t0r [~textual@167.206.48.217] has quit [Ping timeout: 250 seconds]
08:27 -!- u0m3 [~u0m3@92.80.105.70] has joined #openvpn
08:28 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:34 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has joined #openvpn
08:40 -!- master_of_master [~master_of@p4FD7B0E2.dip0.t-ipconnect.de] has joined #openvpn
08:41 -!- esde [~esde@unaffiliated/esde] has quit [Remote host closed the connection]
08:42 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
08:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
08:44 -!- master_o1_master [~master_of@p4FF24ABA.dip0.t-ipconnect.de] has quit [Ping timeout: 258 seconds]
08:48 -!- dw1 [~id@unaffiliated/dw-] has joined #openvpn
08:48 -!- dw1 [~id@unaffiliated/dw-] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
08:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:50 -!- X-Scale [email@2001:470:1f14:135b::2] has left #openvpn []
08:52 < nattom> !welcome
08:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:57 -!- Luyin [~alex@p54BDDB57.dip0.t-ipconnect.de] has joined #openvpn
08:58 < Luyin> hi guys, I need help with the setup of an open-vpn client. I got the config files in ~/.openvpn, including key and certs, and the file server.firma.conf. its contents are: http://pastebin.com/0WsYkY8Z when I try to connect via networkmanager, I get the time-out error, if I try in the terminal via "openvpn --config server.firma.conf", I get this: http://pastebin.com/3bf7Z0xe. What could I do now?
09:06 -!- joshh20 is now known as joshh20-Away
09:21 <@krzee> Sat Apr 19 15:04:24 2014 RESOLVE: Cannot resolve host address: server.firma.local: [HOST_NOT_FOUND] The specified host is unknown.
09:22 <@krzee> i guess maybe try using a hostname for the server that resolves...
09:23 <@krzee> did you not read that log before you posted it?
09:23 <@krzee> Luyin, ^
09:24 <@krzee> you're also using a rather old openvpn version
09:25 <@krzee> you are using 2.2.1, not even the most up to date version of 2.2, which came out in 2011? we are on 2.3.3 now (as topic states)
09:28 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
09:29 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
09:30 -!- Luyin [~alex@p54BDDB57.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
09:44 -!- jutta [~jutta@p54BDDB57.dip0.t-ipconnect.de] has joined #openvpn
09:45 -!- Luyin [~alex@p54BDDB57.dip0.t-ipconnect.de] has joined #openvpn
09:46 < Luyin> krzee: I'm using the default version of (X)ubuntu
09:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:50 -!- mback2k is now known as mback2k_
09:53 <@krzee> *shrug* that changes nothing of what i said
09:54 < Luyin> krzee: I've just updated my version. hang on, checking again.
09:57 < Luyin> krzee: 2.2.1 is the most up to date package in ubuntu 12.04.
09:57 <@krzee> thats funny
09:57 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has quit [Quit: Leaving]
09:58 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has joined #openvpn
10:00 < Luyin> krzee: does "specified host is unknown" mean that it might be offline? I'm going to check on this, but in the case it isn't, what else could it be?
10:00 < Luyin> sorry, "it" = the server
10:00 <@krzee> it means that is not a valid hostname
10:01 <@krzee> and im sad that it was not obvious when you looked at it
10:01 < Luyin> so I need an IP adress rather than this "server.firma.local"
10:01 <@krzee> or a REAL hostname
10:01 <@krzee> do you not know the difference between server.firma.local and a hostname?
10:01 <@krzee> you probably do not belong administrating a vpn
10:03 <@krzee> Host server.firma.local not found: 3(NXDOMAIN)
10:03 <@krzee> that is the problem.
10:04 < Luyin> krzee: well I'm quite new to the problematic. I've set up Xubuntu as a replacement for win xp for my mother, but she has some special issues like a vpn connection that's more complicated than the one I use to connect to for my university
10:05 <@krzee> oh no
10:05 <@krzee> you dont even know anything about the vpn do you
10:05 <@krzee> and that was a working config in windows
10:05 <@krzee> so it prolly used a special nameserver
10:05 <@krzee> !101
10:05 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
10:06 <@krzee> i hope you're working on a new harddrive and did not format her windows drive to make way for linux
10:09 -!- ChrisH [~dg7pc@dslb-092-072-151-057.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
10:09 -!- ChrisH [~dg7pc@dslb-092-072-177-079.pools.arcor-ip.net] has joined #openvpn
10:12 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:16 <@krzee> !repo
10:16 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
10:16 <@krzee> btw there is that, if you want up to date openvpn from a repo
10:17 < Luyin> krzee: if I understand you correctly, that won't help very much with that issue
10:17 <@krzee> you are correct
10:18 <@krzee> do you have any way of figuring out what nameserver windows used?
10:18 < Luyin> krzee: I can contact the administrator, but not today due to easter holidays. I will try on tuesday
10:19 < jeev> hey krzee
10:21 <@krzee> hey jeev
10:21 < adh0c> Hi, can anyone advise me on setting up openvpn to forward all DNS requests from client through the server?
10:21 < adh0c> I've set this up on a Centos 6.4 box, and have tried installing and configuring dnsmasq but still see my ISP's nameservers.
10:21 <@krzee> you want to use the server itself as a nameserver for the client?
10:22 < adh0c> Yes, or the nameservers in the server's resolv.conf
10:22 <@krzee> and the server is running a nameserver?
10:22 <@krzee> what OS is the client?
10:22 -!- EuyenaKeg is now known as Eugene
10:23 < Luyin> thanks so far krzee. good bye
10:23 <@krzee> bye, good luck man
10:23 < adh0c> Client is 64-bit arch.
10:23 <@krzee> and the server is running dnsmasq on the VPN ip?
10:23 < adh0c> Not running bind on the server.
10:23 -!- Luyin [~alex@p54BDDB57.dip0.t-ipconnect.de] has left #openvpn ["Leaving"]
10:23 < adh0c> Let me double check that.
10:23 <@krzee> !pushdns
10:23 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:24 <@krzee> if your ns is listening on VPN ip, you just need to push the nameserver and see #4
10:24 <@krzee> (or #3)
10:25 < adh0c> Yes, dnsmasq is set to use 10.8.0.1
10:25 -!- jutta [~jutta@p54BDDB57.dip0.t-ipconnect.de] has quit [Quit: Verlassend]
10:26 < adh0c> Just realized my client config is not pushing DNS though.
10:26 < adh0c> I assume that line would look like:
10:26 <@krzee> clients never push
10:26 < adh0c> #push "dhcp-option DNS 10.8.0.1"
10:26 <@krzee> server pushes
10:26 < adh0c> Ah.
10:26 <@krzee> !push
10:26 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
10:27 <@krzee> and the # in front stops the config option from processing (a comment)
10:28 < adh0c> I know, that line was commented out in my client config.
10:28 < adh0c> My server conf also has this:
10:28 < adh0c> push "redirect-gateway def1"
10:28 < adh0c> Will these clash at all?
10:28 < adh0c> Or is that just for persistent tunneling?
10:28 <@krzee> !man
10:28 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:28 <@krzee> they do not clash, they do different things, see the manual to know what they do
10:29 <@krzee> are you trying to send ALL client traffic over the vpn?
10:32 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
10:32 -!- acu [~acu@50.244.13.215] has quit [Ping timeout: 250 seconds]
10:32 < adh0c> krzee: yes
10:34 < adh0c> krzee: does running the server as 'nobody' conflict with DNS forwarding?
10:34 <@krzee> no, how would it?
10:35 <@krzee> is the client using an up script?
10:36 -!- acu [~acu@50.244.13.215] has joined #openvpn
10:39 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
10:41 < adh0c> No, I've been initializing it by calling the binary with the --config flag.
10:42 <@krzee> !up
10:42 <@krzee> !script
10:42 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
10:42 <@krzee> see --up in the manual
10:42 <@krzee> !man
10:42 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:42 <@krzee> then see #3 and #4 here again:
10:42 <@krzee> !pushdns
10:42 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:42 <@krzee> an up script has nothing to do with how you start openvpn
10:44 < adh0c> Instead, it's a script called once the tunnel has been opened, excuting the relevant route command and etc?
10:44 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
10:45 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
10:46 <@krzee> right, and the client MUST use it to process the pushed dns options
10:46 <@krzee> for all os except windows
10:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:00 -!- u0m3_ [~u0m3@92.80.121.181] has joined #openvpn
11:02 -!- u0m3 [~u0m3@92.80.105.70] has quit [Ping timeout: 276 seconds]
11:11 < adh0c> Well, I installed resolvconf on my client, and added the up script for it.
11:11 < adh0c> Now ininitializing the VPN starts with:
11:11 < adh0c> ******* WARNING *******: all encryption and authentication features disabled
11:12 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:12 < pekster> That's on you. Don't use --auth none --cipher none unless you _actually_ want no encryption
11:12 < adh0c> I'm not.
11:13 < adh0c> The server and client configs both specific auth and cipher
11:13 < pekster> Apparently you have since that's where the warning comes from
11:13 < pekster> Do you have your (sanitized, no comments/blanks) configs and the exact command line you're launching openvpn with posted somewhere?
11:13 < pekster> grep syntax to clean up configs is at !configs
11:17 < adh0c> pekster: http://pastebin.com/0R5bUBaU
11:18 < adh0c> It always hangs between lines 58 & 59
11:19 < adh0c> Ah, I just noticed the user/group directives are missing from the client conf.
11:19 < pekster> client.ovpn ≠ server.conf
11:19 < adh0c> Nevermind
11:20 < adh0c> Yeah, makes no difference.
11:20 < pekster> You showed me a server config and an unrelated client config
11:20 < pekster> !configs
11:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:20 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
11:20 < adh0c> That is the client config I'm using on my local machine.
11:20 < pekster> No, that's a server config
11:20 < adh0c> I just removed identifying details from it.
11:21 < pekster> Erm, it's not, but it's not the same config
11:21 < pekster> # cat /etc/openvpn/server.conf
11:21 < pekster> [12:15PM][/home/user/keys/vps/ovpn] ~ % sudo openvpn --script-security 2 --dev tun0 client.ovpn
11:21 < pekster> Not the same config dude
11:21 < pekster> /etc/openvpn/server.conf is not the same as /home/user/keys/vps/ovpn/client.ovpn
11:21 < pekster> I want to see the _actual_ config you're using, not something entierly unrelated
11:21 < adh0c> The server config is first, after the '$' prompt.
11:22 < adh0c> The client config is after that, with the '%' prompt.
11:22 < adh0c> Then, finally, the executing command, showing my path as well.
11:22 < pekster> Oh, k
11:22  * pekster needs more coffee or something
11:22 < adh0c> As do I. ;-)
11:23 < pekster> btw, opendns is horribe, but not your problem here. use googledns later, read about why at !opendns (they lie)
11:23 < pekster> Can you pastebin `openvpn --version` from the client?
11:23 < adh0c> I'm more paranoid about google than opendns.
11:23 < adh0c> Sure.
11:24 < pekster> or run your own recursor (but it won't be as fast as google.) opendns returns results that violate standards
11:24 < adh0c> That's the next step.
11:24 < adh0c> http://pastebin.com/bfYYQXAc
11:25 < pekster> Weird, it has all the right ssl parts compiled (SSL in the version header, and enable_crypto=yes)
11:25 < pekster> Oh, I see
11:26 < pekster> You need --config before your config
11:26 < pekster> THe _only_ time you may omit that is when the config file is the _only_ option
11:26 < pekster> Also, --dev tun0 on the CLI is worthless as you over-ride it in your config to `tun` (which lets the OS dynamically allocate a tun device, probably tun0 anyway unless tun0 is already in use)
11:27 < adh0c> Ah, yeah I kept getting a warning about not specifying the device on the command line.
11:27 < adh0c> Probably because I'm not specifying the config file though.
11:27 < pekster> Yup :)
11:29 < adh0c> Okay, that does allow me to connect now.
11:29 < adh0c> I'm still using my ISP's DNS resolvers though. :-\
11:29 < pekster> !pushdns
11:29 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
11:30 < pekster> Need to handle the push with client-side scripts
11:30 < pekster> Check that the 'update-resolv-conf' is doing what you expect, but you'll need to debug there/that
11:30 -!- mback2k_ is now known as mback2k
11:30 < pekster> All OpenVPN does it set the relevant env-vars and invoke the script
11:31 -!- mback2k is now known as mback2k_
11:32 < adh0c> I'm using the update-resolv-conf from here
11:32 < adh0c> http://www.subvs.co.uk/openvpn_resolvconf
11:32 <@vpnHelper> Title: openvpn and resolv.conf | SubVS.co.uk (at www.subvs.co.uk)
11:32 < adh0c> It is executable as well.
11:32 < adh0c> The bash in there is a bit beyond me though.
11:33 <@krzee> !opendns
11:33 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
11:33 <@krzee> ahh
11:34 < pekster> https://github.com/OpenVPN/openvpn/tree/v2.3.3/contrib
11:34 <@vpnHelper> Title: openvpn/contrib at v2.3.3 · OpenVPN/openvpn · GitHub (at github.com)
11:34 < pekster> Don't use ancient random scripts from the web, unless it happens to do what you want
11:35 < pekster> Either way, even things from the 'contrib' directory are less well-vetted than parts of the openvpn core project, but they're more likely to do the right thing. It all depends on your resolvconf setup anyway
11:36 < pekster> contrib script tries to be smart and use resolvconf if you hvae it, otherwise backup+clobber your system resolv.conf file. Beware local DHCP clients that will fight with you over ownership, but that's a distro/client problem
11:37 < pekster> krzee: A while back comcast had some "opt-out DNS search helper" service thing that did the same, and it caused so much hassle for VPN users at the time. I realized it only had 1 IP for their ad/search service, so I redirected it over the VPN to a company page explaining how to un-fuck their ISP. Calls dropped to almost 0
11:38 < adh0c> Hm, the github up/down scripts don't do it either.
11:38 < adh0c> I just realized this may be due to my using netctl rather than networkmanager.
11:38 <@krzee> haha nice
11:38 <@krzee> well played pekster
11:38 < adh0c> It might not regenerate resolv.conf in the same way.
11:39 < pekster> Right, you need to integrate into whatever DNS system you are using
11:40 < pekster> krzee: Yea, I thought so. It wasn't so much the call volume as the fact that I'd burn up to an hour helping some non-tech sales person with the VPN that usually "just worked" and convnincing them that yes, they really did need to call Comcast, and no, I can't do it for you. I hate companies who violate standards for their own profit :(
11:41 < pekster> At least using opendns you have to ask to get screwed :P
11:43 < pekster> adh0c: Are you unlucky enough to be using ubuntu+dbus+dnsmasq+n-m?
11:44 < adh0c> pekster: No, I'm using Arch+dbus+netctl.
11:44 < adh0c> Going to swap out netctl for NetworkManager now though.
11:44 < adh0c> It's been giving me other problems anyway.
11:45 < pekster> 'eh, it's all a huge pile of abstraction which works. Until it doesn't.
11:45 < adh0c> That's what I'm coming to realize. ;-)
11:45 < pekster> Either way, you need to do "whatever your DNS subsystem" requires to update DNS servers
11:45 < adh0c> dnsmasq should be on the client, however?
11:45 < adh0c> Nm, I did install it client-side but never started the service.
11:45 < pekster> "Traditionally" this is just the flat resolv.conf file, but if you're using 127.0.0.1 or such, it means you have a forwarding recursor that you must integrate with
11:46 < adh0c> OK
11:46 < pekster> resolvconf helps "maintain" the resolv.conf file when >1 consumer wants access to it (think openvpn + DHCP client)
11:46 < pekster> Or other complex things, like integrating with dnsmasq ;)
11:47 <@krzee> ahh
11:47 < pekster> Sorry if it sounds vauge, but it is. "Do what you need to make it work" is the short answer
11:47 <@krzee> i had always meant to make an updown.sh that didnt need resolv.conf but now i see the purpose
11:48 < pekster> Yea, in theory it's kind of clever to only use remote-DNS for the domains that get pushed, but in practice hiding it behind a dbus backend that you can't look at when it goes wrong (ouside of writing C code to query it) is stupid
11:48 < pekster> Once again, n-m works, until it doesn't
11:49 <@krzee> i mean that didnt need resolvconf (the app)
11:49 <@krzee> my "resolv.conf" was typo ^
11:50 <@krzee> i had never actually thought about the fact that people run dhclient haha
11:51 < pekster> krzee: Enjoy the user-unfriendly evil: http://fpaste.org/95398/97926300/raw/
11:52 < pekster> udp too obviously, I just didn't show it there
11:52 < pekster> "It's okay, you never wanted to know your DNS servers anyway"
11:52 <@krzee> o.O
11:52 < pekster> dnsmasq.conf is empty, btw
11:53 <@krzee> ya that wont work for me
11:53 <@krzee> i like to know my system, if i need hacky crap ill do it myself
11:53 <@krzee> haha
11:54 < pekster> Aw, all you need to do is write some C code to interact with the org.freedesktop.NetworkManager.dnsmasq dbus backend and find out what its active config is; why would you possibly want text config files? :)
11:55 < pekster> Pure evil.
12:01 <@krzee> !woman
12:01 <@vpnHelper> "woman" is see !man but with a monthly attitude :D
12:04 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has quit [Ping timeout: 245 seconds]
12:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
12:23 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
12:23 < adh0c> Alright: victory
12:23 < adh0c> All integrated with n-m, and I'm passing the dns leaktest.
12:24 < adh0c> I'm not certain if it's the up-scripts or manually setting the DNS nameservers in the n-m profile.
12:24 < adh0c> But I no longer see my ISP when looking up nonsense domains.
12:27 < pekster> You could have fixed that by using non-ISP DNS servers, like googleDNS
12:27 < pekster> (but not opendns, that does that shit anyway)
12:27 < pekster> (VPN notwithstanding, ofc)
12:28 < adh0c> How exactly is OpenDNS not kosher?
12:28 < adh0c> I won't use Google, but I'll investigate alternatives if ODNS is truly horrible.
12:28 -!- acu [~acu@50.244.13.215] has quit [Ping timeout: 252 seconds]
12:32 < pekster> adh0c: Becuase they're fucking retarted. http://fpaste.org/95400/97928702/raw/
12:33 < pekster> Oh look, 67.215.65.132 is registered to OpenDNS. So instead of NXDOMAIN, the *REQUIRED* and *MANDATED* reply, you get ad-search results. And yes, this breaks thing ont he Internet. Becuase OpenDNS, LLC feels the need to give you ads
12:33 <@Eugene> !cuz
12:33 <@Eugene> !why
12:33 <@vpnHelper> "why" is because screw you, that's why.
12:33 < pekster> Hey, they're making money off of every pool fool to uses them
12:33 < pekster> Great to be them
12:34 <@Eugene> If you have a philosphical problem with using GoogleDNS, then you ought to have a bigger problem with OpenDNS.
12:34 <@Eugene> Find a resolver you can trust or `apt-get install caching-resolver`
12:34 <@Eugene> If that is too complex then its time to rethink your morale stances
12:38 < adh0c> My problem is more the scale to which Google collects this type of data, and their demonstrated complicity with federal requests for that information.
12:39 < adh0c> Everyone's going to make money off of their services.  Though I guess OpenDNS would be just as complicit.
12:39 < pekster> No, google returns the required results. OpenDNS lies
12:39 < pekster> blah.veryverybogus.net is not a registered domain. Claiming it is is lying
12:40 < adh0c> Ah yeah, that is rather shady.
12:40 < pekster> If you ever ask me in the public how to get to Main street, and I send you the wrong way, is that right? What if I made you watch a 30 second ad first, and then did it to you?
12:40 < pekster> It's bullshit
12:40 < pekster> And the NSA has all your DNS queries anyway ;)
12:48 < adh0c> True that.  DNS is a rather archaic system anyway.
12:52 -!- mback2k_ is now known as mback2k
12:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:12 <@krzee> you could always use .bit instead of you prefer
13:12 <@krzee> (namecoin domain)
13:25 -!- Guest83884 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 258 seconds]
13:27 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
13:27 -!- Ko_lo is now known as Guest48034
13:41 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Ping timeout: 250 seconds]
13:49 -!- petapetapeta [~Peter@130.225.165.43] has joined #openvpn
13:55 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-miszgsznprvhtaqw] has quit [Ping timeout: 258 seconds]
13:55 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
13:55 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
13:55 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
13:56 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-owbzdgascjdabfeh] has joined #openvpn
13:56 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
13:57 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
13:59 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Client Quit]
13:59 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
14:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-mjnyesklrxmeilqs] has quit [Ping timeout: 258 seconds]
14:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-jaehswktxvuxdndm] has joined #openvpn
14:23 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
14:38 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Ping timeout: 276 seconds]
14:46 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
14:46 < nattom> !ask
14:46 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
14:55 < nattom> !welcome
14:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:55 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:55 < nattom> !mitm
14:55 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
14:56 < nattom> !wiki
14:56 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
14:58 < nattom> hi. i am new to chat. does everyone have to look at the thing i type right after the "!" and the auto-response? or is it shown only to me?
15:00 < pekster> It's public, but feel free to use the bot (it's what it's there for.) You can also query it in privmsg; let's see if I remember the fact for that
15:00 < pekster> !msg
15:00 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
15:00 < nattom> i tried in a private window but got no response but an "ech" - a repeat.
15:01 < pekster> Syntax at #2 above
15:02 -!- danielbw [~danielbw@secured.monstertool.com] has quit [Ping timeout: 252 seconds]
15:03 < nattom> ok. thank you.
15:03 < nattom> !factoids
15:03 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:03 -!- acu [~acu@50.244.13.221] has joined #openvpn
15:06 -!- danielbw [~danielbw@70.167.122.27] has joined #openvpn
15:11 < nattom> i am new to chat but aware that comments of more than couple of sentances get cut off. i wish to get help after doing many hours of proper homework - yet wish to not offend with numerous comments in a row. since pastebin.com blocks tor - do you know of
15:11 < pekster> !paste
15:11 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:12 < nattom> ator-friendly pastebin? or shall i state my goal and "?" and my "details..." ?
15:12 < pekster> A short idea of your problem+goal is a good place to start
15:12 < nattom> okay...
15:13 -!- petapetapeta [~Peter@130.225.165.43] has quit [Remote host closed the connection]
15:41 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:02 -!- petapetapeta [~Peter@130.225.165.43] has joined #openvpn
16:03 -!- petapetapeta [~Peter@130.225.165.43] has quit [Remote host closed the connection]
16:16 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 240 seconds]
16:18 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
16:29 -!- acu [~acu@50.244.13.221] has joined #openvpn
16:51 -!- mback2k is now known as mback2k_
16:58 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:03 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
17:09 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:13 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:24 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
17:38 -!- justinzane [~justinzan@host-12-172-184-180.nctv.com] has quit [Ping timeout: 240 seconds]
17:49 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
17:50 -!- joshh20-Away is now known as joshh20
18:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
18:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:22 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
18:27 < haasn> I remember asking in here a while ago about whether or not it was effectively possible to use OpenVPN without TLS
18:28 < haasn> Just wanted to point out that I found an interesting alternative, that has some pros and some cons compared to OpenVPN: cjdns. I'm wondering if anybody in here could provide some criticism of using cjdns for a personal/private VPN-type thing, perhaps from a security standpoint
18:29 < thefinn93> cant really speak security wise, but there are a few key differences
18:29 < thefinn93> primarily, openvpn is meant to have like a central authority
18:30 < haasn> What I noticed is that, in its normal mode of operation, relies on mutual trust of peers not to invite third parties into the network
18:30 < thefinn93> cjdns is meant to be decentralized and such
18:30 < haasn> So it's similar to sharing a static pre-shared key - if you assume it doesn't get leaked
18:30 < haasn> But safer in that it's still based on PKI between any two peers
18:30 < haasn> I realized the way to make it more centralized would likely to be to distribute an iptables configuration that makes my “central” server only route packets selectively allowed within the network
18:31 < haasn> It's also a custom routing layer so it doesn't give you IP or IPv6 or even anything below that, so there's no direct alternative to TAP-style routing
18:32 < haasn> thefinn93: However, I did stumble across the possibility of using cjdns' pluggable authentication with a TLS plugin that also checks peer certs against a known CA
18:33 < haasn> (Not that you'd want to, given the complexity of TLS and the fact that it's only a small convenience over normal peering)
18:43 -!- u0m3_ is now known as u0m3
18:56 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
18:59 -!- joshh20 is now known as joshh20-Away
19:05 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:07 < nattom> pekster: i was scrolling up to see your comment to me and saw you ref to records of dns-queries. do i understand correctly - that they have them from back when we used the isp's dns servers, before we knew any better and back when we failed the dnsleaktest? and thay do Not have them from when
19:08 < nattom> we fixed our leaks - which was about the time we started with vpns...
19:09 < nattom> *they do Not have them from when*
19:12 < nattom> i mean, for the average person who does NOT use their isp's dns servers. do you think they are correlating all that?
19:12 < pekster> NSA? Yup. DNS is cheap to store
19:13 < pekster> Think of the NSA as the most prelevant passive listener; if it passes through a node they control (Room 641A at AT&T anyone?) they are privy to it, and all associated metadata from the IP headers
19:13 < nattom> i have long had the philosophy that best strategy is to at least do 100 things "right" and then THAT is a good start on your journey.
19:14  * pekster is amused that people are so "concerned" about DNS when they're probably 100% uniquely identifyable with their standard browser anyway. https://panopticlick.eff.org
19:15 < nattom> yes, i am familiar.
19:18 < nattom> Thank You, pekster... i have a feeling that anyone with a real name of Toaster, must be kind and generous! :)
19:18 < nattom> i have tried to create a concise summary. i will state my GOAL, what i have been doing and my past openvpn-strategy, here with 4 more lines/comments. the details - including specifics - are at hastebin .com /xasiwurare.vbs
19:18 < nattom> 1/4. i am new to chat, not perfect with grammer and think i can supply enough details to be helped if anyone here can help with our particular problem. our setup is NOT typical setup. our security-needs are NOT EITHER...
19:18 < nattom> hi. we need HELP - i am working hard, struggling through learning curve. my GOAL is TO RESTORE the important SAFETY-STRATEGY that has protected a mission workers and families - for more than a year - we have been using,
19:18 < nattom> with great success - a "vpn-over-tor" always - to work and stay alive. i love our work with my whole-heart because i MUST. it is why i am alive - so i have spent a few dozen hours in past few days, 18hrs/day, attempting
19:18 < nattom> to mitigate what i "think" to be an openvpn-bug. our use of "openvpn-over-tor" was BEAUTIFUL for over a year - and we felt safe to work. i worked very hard above my comprehension and after MUCH perseverance: success - with
19:20 < pekster> Then ask an on-target question instead of shooting the breeze over how much the NSA or your wifi coffee neighbor knows about your DNS queries
19:26 < nattom> concise openvpn/fail details are on hastebin page above. might anyone know what is wrong with what file?
19:28 < nattom> the page is /xasiwurare.vbs
19:28 < nattom> on the hastebin
19:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:35 < nattom> the details i gave, point to the openvpn files - or - the socks-proxy... might anyond here be familiar with this socks/Tor-issue?
19:47 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has joined #openvpn
19:47 < nattom> if anyone know the direction i should look - even a hint could be helpful after this few hundred hours. the tor-people said it is a openvpn bug. but
19:49 < nattom> i am thinking that the tor-dev who Wrote their socks-proxy might know how to fix it w/ a work-around.
19:49 < pekster> What "bug"? You've shown no configs and no logs, despite being told we'd probably need them. Am I supposed to read a giant wall of text with crappy "visual basic code formatting" ?
19:51 < pekster> Looks to me like you screwed up your configs, but since I haven't seen them, I haven't a clue
19:51 < pekster> Read !configs and !logs, and give me sane pastebins of them. Not endless walls of text
19:51 < nattom> i will copy more conigs - exacly. and i have never used a pastebine - ever - until this.
19:51 < nattom> *configs*
19:51 < pekster> !configs
19:51 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:51 < pekster> !logs
19:51 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:52 < nattom> ok.
19:53 < nattom> !logfile
19:53 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
19:54 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has left #openvpn []
19:59 < nattom> i don't know how to do half of what you said to do. i will learn it. so, yes - it does seem like a miracle that i ever got vpn-over-tor working in the first place.
19:59 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Quit: Serverwechsel]
20:01 < pekster> If you can't find the config files you're using, quite frankly you don't have enough skill to be doing a VPN over tor
20:03 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
20:05 < nattom> i thought that it would suffice to say that my configs had mostly the same lines as what worked for over a year. i am a newb, essentially and i am wrong, probably about a lot of things. i am trying and i WILL do what it takes to get my Goal accomplished-
20:06 < nattom> w/ another vpn provider. this one, sadly has no forum. thank you, for talking to me at all.
20:07 < nattom> i'll get configs and logs.
20:07 < nattom> ><
20:13 < _FBi> http://thehackernews.com/2014/04/hacker-exploits-heartbleed-bug-to.html
20:13 <@vpnHelper> Title: Hacker exploits Heartbleed bug to Hijack VPN Sessions - The Hacker News (at thehackernews.com)
20:17 < pekster> _FBi: Yup. openvpn running vulnerable TLS without use of --tls-auth (or when the tls-auth key has been compromised) is vulnerable like any other OpenSSL consumer
20:25 -!- Thermi_ [~Thermi@unaffiliated/thermi] has joined #openvpn
20:26 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
20:26 -!- Thermi_ is now known as Thermi
20:54 -!- acu [~acu@50.244.13.221] has quit [Ping timeout: 276 seconds]
21:27 -!- acu [~acu@50.244.13.221] has joined #openvpn
21:31 <@krzee> that article mentions openvpn, but it sounds to me like it was not openvpn
21:33 <@krzee> 1) it also mentions https, sounds like a https concentrator  2) vpn logs showed flip-flopping address seconds apart? unless dupes are allowed (not very common config) it would be knocking the real user off, and he would not reconnect until his keepalive, they would never be seconds apart
21:34 < haasn> The article doesn't even mention OpenVPN aside from a note about an OpenVPN security advisory
21:34 <@krzee> right
21:34 < _FBi> you get more hits with tags
21:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
22:17 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-owbzdgascjdabfeh] has quit [Quit: Connection closed for inactivity]
22:37 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 252 seconds]
22:41 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
23:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
23:46 -!- truexfan81 is now known as truexfano_0
23:53 -!- Marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 246 seconds]
23:54 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
--- Day changed Sun Apr 20 2014
00:01 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:01 -!- ShadniX [dagger@p5DDFD3D8.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:02 -!- ShadniX [dagger@p5DDFC07F.dip0.t-ipconnect.de] has joined #openvpn
00:04 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 252 seconds]
00:25 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Read error: Connection reset by peer]
00:25 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
00:33 -!- snappy [nipnop@unaffiliated/snappy] has quit [Read error: Connection reset by peer]
00:49 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
00:51 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
00:53 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
01:01 < nattom> pekster: i realize that you may not still be here and available. you may be getting your beauty-sleep. i have been working on this and i have posted config and log files - that i think - are the ones you were looking for.
01:01 < nattom> if they are not - might someone/anyone - please tell me where to find them in debian? so for my socks-proxy problem connecting... my config/logs are on hastebin .com - and this page: /vukoqucoya.md -
01:01 < nattom> it seems easier to read, for me, and each line is numbered - but clicking on the "text-only" button changes the page to this black-text-on-white page: /raw/vukoqucoya ~ i appreciate your time - and
01:01 < nattom> any assistance you might feel will to give...
01:02 < nattom> feel *willing* to give...
01:03 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Ping timeout: 240 seconds]
01:16 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has joined #openvpn
01:25 -!- Guest48034 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 258 seconds]
01:27 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
01:27 -!- Ko_lo is now known as Guest53662
01:27 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
01:31 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 276 seconds]
01:33 -!- emid [~emid@107.170.54.127] has quit [Ping timeout: 240 seconds]
01:37 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
01:38 -!- emid [~emid@107.170.54.127] has joined #openvpn
01:49 < nattom> for anyone who might help me with a socks-proxy authorization [?] issue with connecting, that page - /vukoqucoya.md - is on hastebin.com and i will be checking in here, briefly, in several hours and then with moretime in 18-24 hours from now. i appreciate your time.
02:51 -!- acu [~acu@50.244.13.221] has quit [Quit: Leaving]
02:54 < nattom> tcpv5 is used for Tor socks-proxy...
03:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
03:45 -!- mback2k_ is now known as mback2k
03:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:54 -!- mback2k is now known as mback2k_
04:11 -!- gry [~noone@freenode/staff/gry] has joined #openvpn
04:19 < reiffert> nattom: this is openvpn
04:20 < reiffert> !notovpn
04:20 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
04:27 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-agkfppkoxmeziljf] has joined #openvpn
04:54 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Remote host closed the connection]
04:55 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
04:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 240 seconds]
04:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:01 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Remote host closed the connection]
05:02 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
05:24 -!- mback2k_ is now known as mback2k
05:34 -!- gry [~noone@freenode/staff/gry] has left #openvpn []
05:47 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
06:36 -!- _KaszpiR___ is now known as _KaszpiR_
06:47 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
06:48 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Ping timeout: 240 seconds]
06:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:18 -!- joshh20-Away is now known as joshh20
07:21 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:23 -!- mback2k is now known as mback2k_
07:29 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has joined #openvpn
07:38 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
07:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:44 -!- master_of_master [~master_of@p4FD7B0E2.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
08:46 -!- master_of_master [~master_of@p4FD7B6DE.dip0.t-ipconnect.de] has joined #openvpn
08:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
08:56 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:57 -!- joshh20 is now known as joshh20-Away
09:10 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
09:37 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
09:38 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:38 -!- mode/#openvpn [+v s7r] by ChanServ
09:44 -!- mattock_afk is now known as mattock
09:54 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
10:15 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:15 -!- joshh20-Away is now known as joshh20
10:21 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
10:23 -!- ChrisH [~dg7pc@dslb-092-072-177-079.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
10:25 -!- ChrisH [~dg7pc@dslb-088-077-171-181.pools.arcor-ip.net] has joined #openvpn
10:46 -!- star314 [~star314@starnet-xpirio.sinh.us] has joined #openvpn
10:49 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:37 -!- star314 [~star314@starnet-xpirio.sinh.us] has quit [Quit: Leaving]
11:42 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:43 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 245 seconds]
11:43 -!- star314 [~star314@78.142.105.170] has joined #openvpn
11:56 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
11:56 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
11:56 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
12:11 -!- joshh20 is now known as joshh20-Away
12:17 -!- star314 [~star314@78.142.105.170] has quit [Quit: Leaving]
12:31 -!- truexfano_0 is now known as truexfan81
12:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:51 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 276 seconds]
13:02 -!- sontek [~sontek@opensuse/member/Sontek] has quit [Read error: Connection reset by peer]
13:03 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
13:03 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
13:03 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
13:21 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 276 seconds]
13:21 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-htzfiowltssxdwbj] has quit [Ping timeout: 264 seconds]
13:25 -!- Guest53662 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
13:25 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-ugprdvkcibovcbxe] has joined #openvpn
13:27 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
13:27 -!- Ko_lo is now known as Guest77836
13:28 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
13:47 -!- frenchface [~christie@24-181-72-200.dhcp.lgrn.ga.charter.com] has joined #openvpn
13:49 < frenchface> with the heart bleed bug, will there be an update to the client program, or is just replacing keys, certs etc all that is needed for the client side? ( I am running openbsd 5.4)
13:55 <@krzee> !hearbleed
13:55 <@krzee> !heartbleed
13:55 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
13:55 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
14:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
14:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:15 -!- mback2k_ is now known as mback2k
15:24 -!- mback2k is now known as mback2k_
15:36 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:44 -!- frenchface [~christie@24-181-72-200.dhcp.lgrn.ga.charter.com] has left #openvpn ["Leaving"]
15:50 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:52 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:54 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:59 -!- Latrina [~Latrina@ppp-144-52.26-151.libero.it] has quit [Ping timeout: 245 seconds]
16:00 -!- Latrina [~Latrina@ppp-18-2.26-151.libero.it] has joined #openvpn
17:00 -!- tal_aloni [~tal.aloni@37.142.211.14] has joined #openvpn
17:00 < pekster> tal_aloni: So, what is it exactly that you're trying to do? Normally with openvpn you create a _separate_ network range and use that
17:01 < tal_aloni> pekster: Thanks, I'm trying to set up an additional SMB server on the same machine
17:01 < pekster> So you're trying to give a machine 2 IPs, not 2 networks
17:01 < tal_aloni> yes, but this requires 2 adapters
17:02 < tal_aloni> because Windows will bind to all IPs of a selected adapter
17:02 < pekster> That's really stupid of the OS, but okay
17:02 < tal_aloni> pekster: true
17:02 < tal_aloni> tal_aloni: so for server-only, I can use the loopback adapter
17:02 < pekster> Ideally you reconfigure your software to bind to a secondary address on the same adapter, but let's for the moment assume Windows is brain-dead-stupid and can't do that
17:03 < pekster> Putting a 2nd address on your tun (or tap, but ideally you use tun for IP things) device can be done, but it requires some trickery on the server becuase that is normally disallowed
17:04 < pekster> It might just be easiest to use 2 openvpn tunnels for each of your instances if you're going to use routing
17:04 < pekster> What is your VPN topology here? You have a dedicated VPN network already?
17:04 < tal_aloni> Not yet
17:04 < pekster> Is that the goal? Or if not, what is the goal?
17:05 < tal_aloni> just getting the 2 SMB servers accessible to the network.
17:06 < pekster> So why use a VPN at all? Why not just install 2 NICs in this box and be done with it
17:06 < pekster> ie: you haven't explained your network topology at all
17:07 < tal_aloni> pekster: I'm not here for the VPN, just for the TAP driver
17:07 < reiffert> whats up with the tap driver?
17:07 < pekster> the adapter does no good without an endpoint to connect to
17:08 < tal_aloni> as I said, I'm a software developer, I wrote the SMB server, I can work with the TAP driver if needed.
17:08 < pekster> You can't just willy-nilly overlap networks like that
17:09 < tal_aloni> pekster: I realize that now, what I don't realize is how to expose both my server and the Windows server to the same network
17:09 < reiffert> tal_aloni: you are into samba?
17:09 < pekster> You can't do that with the WIN32-TAP device
17:09 < pekster> It will not work
17:09 < tal_aloni> reiffert: No, I'm the competition
17:11 < pekster> What you want is a 2nd adapter connected to your _actual_ network. IOW, install a 2nd NIC to your system. That's a really shitty solution and I have to imagine there's a sane way to do that in software, but it's really a ##windows problem at that point
17:12 < pekster> tal_aloni: Imagine the WIN32-TAP driver like this: it pretends it's an Ethernet device, but it's "just a wire hanging in space, not plugged into anything."
17:13 < pekster> It works exactly as well as connecting to a switch that doesn't go anywhere: it's worthless until you _connect_ it somewhere. Usually OpenVPN, although doing "something else" with it requires you write code to do something else. That's going to be a lot more work than the isatap device I suspect, but YMMV
17:13 < tal_aloni> pekster: I see, I had the impression that it has the flexibility to do as I intended, thanks for your help.
17:15 < pekster> The reason you lost network support is that this separate device can't route anywhere, so your packets go to the "disconncted virtual network card" and get lost. On a real network card, they go to the switch and get routed
17:17 < tal_aloni> how can this be be solved in software / virtual driver?
17:18 < pekster> Fix the fucked up application that can't bind to a single IP
17:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:19 < pekster> Not really an openvpn issue either. You apparently have a problem with a Windows limitation. Maybe Microsoft wants you to spend more $$$$ on a 2nd server to do this, I have no idea
17:20 < pekster> Who the hell designs a network server that can bind to "all the IPs on any single NIC", and even "multiple servers to all the IPs on each individual NIC" but not "individual IPs"? That's just instanely stupid
17:21 < pekster> If that's what Windows is doing, maybe you'd like to consider a Linux or BSD server that runs Samba instead
17:22 < tal_aloni> pekster: I agree, the way the Windows SMB server forces itself upon every IP is truely awful.
17:23 < tal_aloni> pekster: thanks again for all the help.
17:25 < pekster> https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#INTERFACES
17:25 <@vpnHelper> Title: smb.conf (at www.samba.org)
17:26 < pekster> samba can do this just fine. If Windows can't, they're more limited in support of their own protocol than the open-source community is (at least in this case)
17:27 < pekster> Ask MSDN or ##windows for the "right" way to fix your problem, becuase I'm pretty sure there's a better one than hacking virtual adapters with WIN32-TAP
17:27 < tal_aloni> pekster: My SMB server can do this just fine too, I can disable Windows SMB server all together and do what I want, I just can't use both Windows SMB server and My SMB server, because the former will take over every IP address for the given adapter.
17:28 < tal_aloni> pekster: However, a virtual bridge adapter can be written to solve this issue.
17:28 < pekster> At that point, why not just virtualize one of these systems?
17:30 < tal_aloni> pekster: access to shadow copies, sorry for going off topic.
17:33 < pekster> Not a lot else going on anyway. To your original question, maybe you can use the WIN32-TAP driver, but not without a lot of glue-code to make a "virtual switch" to send the traffic back to your "real" NIC anyway
17:33 < pekster> (think what VMWare or VirtualBox does with their drivers for guest VMs that are bridged)
17:34 < tal_aloni> pekster: exactly.
17:34 < pekster> It won't magically work until you get that working, and routing becomes a bit of a challenage when you have >1 separate device on the same network segment. I do that on one of my boxes at home to keep traffic for 2 purposes on isolated NICs, but it requires policy routing
17:35 < pekster> No idea how Windows handles it. I don't do complex routing on Windows
17:37 < tal_aloni> I believe you can sey up complex routing policies.
17:37 < tal_aloni> set
17:38 < tal_aloni> I wonder how much work is that "virtual switch"...
17:41 < tal_aloni> thanks again for helping me realize what is required!
17:42 < pekster> I'd just virtualize your windows environment and then you can create "as many NICs as you want." But hey
17:44 < tal_aloni> pekster: my main server has >20TB of storage, so going virtual is going to have its downside.
17:45 < pekster> iSCSI works nicely for virtual hosts
17:45 < pekster> Implementation preference really
17:45 < tal_aloni> tell me about it, I wrote my own server too (iSCSI console)
17:50 < tal_aloni> pekster: anyway, it seems Microsoft is the root of all evil.
17:50 < tal_aloni> altough right now I'm working with them on perfecting the SMB specification and their surprisingly helpful.
17:51 < tal_aloni> they are
17:52 < tal_aloni> going to sleep now, good bye and thanks again.
17:54 -!- Latrina [~Latrina@ppp-18-2.26-151.libero.it] has quit [Ping timeout: 240 seconds]
17:58 -!- Latrina [~Latrina@ppp-43-0.26-151.libero.it] has joined #openvpn
18:03 -!- thorrr [sid26124@gateway/web/irccloud.com/x-zoeqwuhbzjppipsz] has joined #openvpn
18:24 -!- tal_aloni [~tal.aloni@37.142.211.14] has quit []
18:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: changing servers]
18:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:33 -!- mode/#openvpn [+v s7r] by ChanServ
18:34 -!- gehaxelt [~gehaxelt@2001:41d0:2:6189::1] has joined #openvpn
18:34 < gehaxelt> Hi, is here anybody I could ask a question?
18:37 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-agkfppkoxmeziljf] has quit [Quit: Connection closed for inactivity]
18:39 < thorrr> If you just ask someone may get around to it  :)
18:43 < gehaxelt> Alright :)
18:44 <@Eugene> !ask
18:44 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
18:44 < gehaxelt> :)
18:44  * gehaxelt typing....
18:45 < gehaxelt> In general, I don't want openvpn to push the default route. I want to seperate the traffic (e.g default going through eth0 and VPN traffic going through tun0). A bit of googling brought me to the result that I can use --route-noexec and/or --route-nopull to stop openvpn from pushing the routes. However, that means that I have to define the routes for the seperate traffic manually, right?
18:46 < gehaxelt> Is that easy achieveable under a windows system (for my friends)?
18:46 <@Eugene> !route
18:46 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:46 <@vpnHelper> client
18:47 <@Eugene> openvpn will only set up the routes you tell it to. --route-nopull is used when you don't control the server
18:48 < gehaxelt> ok. Thanks, I'll look at these links.
18:48 < thorrr> i followed this: https://community.openvpn.net/openvpn/wiki/IPv6 however i am unable to ping nay ipv6 addres from my client (windows) machine
18:48 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
18:48 < thorrr> any*
18:49 < pekster> thorrr: Have your configs (see: !configs) handy somewhere?
18:49 < thorrr> one sec ill pastebin them
18:52 < thorrr> client  http://privatepaste.com/5481d5410d  server  http://privatepaste.com/d5644d116a
18:57 < thorrr> i don't have ipv6 on my isp's network, which is why i am trying to tunnel it through vpn over ipv4, unless i completely missed something i am capable of doing this with openvpn?
18:59 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
19:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
19:06 < pekster> thorrr: Is 2600:3c03:e000:0092::/64 routed to your server and a distinct network from anything else in your infrastructure?
19:08 < pekster> The 'push route' for the /64 should be removed; you don't need it, and I'm not sure if it'll cause you problems. You get that when the client assigns the addres on its side
19:09 < thorrr> it should be routed to me i am fairly certain
19:10 < pekster> Won't work if it's not. What are you allocated from your network provider?
19:10 < thorrr> removing the push route didnt change anything
19:10 < thorrr> 2600:3c03:e000:0092::/64 routed to 2600:3c03::f03c:91ff:fe96:5815
19:10 < thorrr> is what they gave me
19:11 < pekster> And you're not using this on any existing LAN?
19:11 < thorrr> i just got it issued yesterday
19:12 < thorrr> http://privatepaste.com/3e96c02c09 is my routing on the windows client pc
19:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:17 < pekster> The gateway on the tun device looks wrong at fe80::8
19:18 < pekster> Can you ping the server IP at 2600:3c03:e000:92::1 ?
19:18 < thorrr> not from the client
19:19 < thorrr> from where does it grab that gateway
19:19 < thorrr> fe80 is local link address i thought
19:20 < pekster> Yea, and in a tun setup it doesn't exist, but Windows fakes a "real" network device to the client
19:20 < thorrr> ah
19:21 -!- Guest25871 [~no_wai@131.Red-88-31-141.staticIP.rima-tde.net] has joined #openvpn
19:21 < pekster> I think you just need to push the gateway value to the client in the 2000::/3 route
19:22 < thorrr> how would i do that?
19:24 < pekster> manpage tells you: --route-ipv6 ipv6addr/bits [gateway] [metric]
19:24 < pekster> So simply define the optional gateway in your push statement to include the IP of your server on that network segment
19:27 < thorrr> as in like so: push "route-ipv6 2000::/3 2600:3c03::f03c:91ff:fe96:5815/64"
19:27 < pekster> No, it needs to be on the VPN network you're using
19:28 < pekster> So 2600:3c03:3000:92::1 for the server IP
19:28 < pekster> Gateways are always on the link to which th route applies
19:31 -!- Guest25871 [~no_wai@131.Red-88-31-141.staticIP.rima-tde.net] has quit [Remote host closed the connection]
19:31 < thorrr> doesnt seem to have any change
19:32 < pekster> The routing table on the client should at least be fixed; what does it look like now
19:32 < thorrr> it has not changed
19:33 < pekster> Did you restart the server, then your client?
19:33 < pekster> (the openvpn instances)
19:33 < thorrr> yeah i restarted the service and i dc/ed/ reconn on the client
19:34 < thorrr> Sun Apr 20 20:34:05 2014 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2600:3c03:e000:92::1000/64 2600:3c03:e000:92::1,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route-ipv6 2000::/3 2600:3c03:3000:92::1,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
19:35 < thorrr> i am receiving the new info
19:35 < pekster> 3000 != e000
19:35 < thorrr> heh
19:38 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has joined #openvpn
19:38 < thorrr> this is my log entry now: PUSH_REPLY,ifconfig-ipv6 2600:3c03:e000:92::1000/64 2600:3c03:e000:92::1,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route-ipv6 2000::/3 2600:3c03:e000:92::1,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
19:38 < thorrr> however it still gets 100% loss and the routing table looks the same
19:38 < thorrr> hmm
19:39 < thinkpad> hey all. anyone know what's wrong? i got a vpn server running on 1194 udp to which a client connects and brings with him his subnet. it's working great but now i want to run a second vpn server with tcp port 443 for better accessibility. however, when i run it, i can't access the other client's subnet anymore. what am i doing wrong?
19:41 < thorrr> i see the route infgo coming in but the windows command it issues is using fe80:8 http://privatepaste.com/b974d4d60d
19:42 < thorrr> even if i manually change the route it still times out
19:42 < joako> On a basic linux NAT router is it possible to run the OpenVpn client and write an iptables rule that bypasses NAT and sends traffic with a specific destination address through the VPN tun interface?
19:43 <@Eugene> iptables? No. Routing? Yes.
19:43 <@Eugene> !route
19:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:43 <@vpnHelper> client
19:43 < pekster> joako: You have a firewall problem, and it's rude to ask the same thing in >1 channel
19:43 < pekster> Either way, you still haven't given me what I asked for earlier, your full Netfilter output from `iptables-save -c`
19:44 < joako> I dont have that command.
19:44 < pekster> So instead of answer the question about why in a channel more suited to help with your firewall problem you want to start all over?
19:44 < pekster> Try answering rob0's question that is very much on-topic. Then why don't we figure out _why_ your Linux system is missing a core piece of the Netfilter userland
19:47 < pekster> thorrr: Maybe the tap driver on windows is doing goofy things with the routes. I'll fire my VM up in a few here and see what it does on my working IPv6 VPN
19:47 < thorrr> alright that would be swell
19:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:50 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yxcozwglbprsshdn] has joined #openvpn
19:50 < thorrr> my first try was with 6rd and pfsense, but there is a bug and it dont wont in 2.1 release :(
19:58 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Quit: Leaving]
19:59 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has joined #openvpn
20:01 -!- Aliekezhi [~Aliekezhi@223.146.122.78.rev.sfr.net] has quit [Client Quit]
20:16 < pekster> thorrr: Seems the fe80::8 address is the "fake gateway" for the WIN32-TAP adapter. Sounds like a firewal issue if you can't even ping your server's IP. Double-check that it's using the ::1 address as I don't use --server-ipv6 myself
20:20 < thorrr> hrm
20:22 -!- lj [~l@74.120.203.218] has joined #openvpn
20:31 -!- joshh20-Away is now known as joshh20
20:34 -!- lj [~l@74.120.203.218] has quit [Quit: Leaving.]
20:39 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
20:40 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 252 seconds]
20:51 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:57 -!- joshh20 is now known as joshh20-Away
21:14 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
21:15 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
21:56 -!- Guest___ [~textual@68.225.111.189] has joined #openvpn
21:56 -!- quebre [~asmogator@unaffiliated/asmogator] has joined #openvpn
21:57 < quebre> hello
21:57 < quebre> i have strange issue
21:58 < quebre> i have installed OpenVPN server and client, now when from Access Server i do: /# telnet 172.27.232.2 3389   - i can reach the Remote Desktop Protocol from Access Server under ssh
21:58 < quebre> and i did port forwarding via iptables: iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 3389 -j DNAT --to-destination 172.27.232.2:3389
21:59 < quebre> but it does not work for some reason...
21:59 < quebre> what im doing wrong ?
21:59 < quebre> i get connection refused when trying to access RDP over 1.2.3.4:3389
21:59 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-yxcozwglbprsshdn] has quit [Quit: Connection closed for inactivity]
22:20 -!- Guest___ [~textual@68.225.111.189] has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
22:24 < joako> Is there any recommended low-cost device that can be placed as a remote site to act as a router and openvpn client for the entire LAN?
22:34 <@Eugene> joako - various DD-WRT routers exist; I'm a big fan of a "true" x86 box. Small Atom-based units can be had affordably.
22:34 < joako> Eugene, dd-wrt can't route the traffic from the LAN to the VPN
22:34 <@Eugene> I personally shell out the "big" bucks for http://smile.amazon.com/dp/B004GKULFO
22:35 <@Eugene> No, your routing can't handle that ;-)
22:35 <@Eugene> TBQH I've never seriously used embedded linuxes like that, because the hardware is just so damned crap
22:35 < joako> Eugene, there is no information about how to set it up and the dd-wrt iptables is not standard
22:36 <@Eugene> Surprise. Buy a real machine. :-p
22:36 <@Eugene> If you're being cheap you can find Ye Olde Desktop on eBay with a P4 and drop in a second NIC.
22:39 -!- thefinn93 [~finn@unaffiliated/thefinn93] has quit [Ping timeout: 245 seconds]
22:40 -!- thefinn93 [~finn@unaffiliated/thefinn93] has joined #openvpn
22:40 -!- brianblaze420 [~admin@modemcable235.154-82-70.mc.videotron.ca] has joined #openvpn
22:40 -!- brianblaze420 [~admin@modemcable235.154-82-70.mc.videotron.ca] has quit [Changing host]
22:40 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
22:40 -!- takamichi [~takamichi@c107-107.i07-27.onvol.net] has quit [Quit: Leaving]
22:41 < joako> So now the openvpn client doesnt get an ip address from the server, how can I fix this?
22:46 < joako> If the openvpn client isnt getting an ip address on the tun interface, how can I solve that?
22:47 <@Eugene> !logs
22:47 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
22:53 < joako> I have it getting an IP address now, but I get the error when I try to send traffic: write to TUN/TAP : Invalid argument (code=22)
22:59 < joako> I get the error when I try to send traffic from the client: write to TUN/TAP : Invalid argument (code=22) How can it be solved?
23:02 < quebre> Eugene: do you know what im doing wrong ?
23:03 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has left #openvpn []
23:24 -!- Gues_____ [~textual@68.225.111.189] has joined #openvpn
23:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
23:26 -!- Gues_____ [~textual@68.225.111.189] has quit [Client Quit]
23:27 -!- Gues_____ [~textual@68.225.111.189] has joined #openvpn
23:28 -!- Gues_____ [~textual@68.225.111.189] has quit [Client Quit]
23:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
23:39 < joako> My host and client are negociating the wrong ip addresses and this is blocking traffic. On the server I have a route with gateway of 10.50.100.2 but on the client the IP assigned is 10.50.100.5. how can I make these be the same?
23:48 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
23:49 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
23:50 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds]
23:53 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
23:53 -!- mode/#openvpn [+o plaisthos] by ChanServ
23:59 <@Eugene> !/30
--- Day changed Mon Apr 21 2014
00:00 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
00:00 <@Eugene> !topology
00:00 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
00:00 <@Eugene> joako ^
00:00 <@Eugene> !as
00:00 < quebre> i have installed OpenVPN server and client, now when from Access Server i do: /# telnet 172.27.232.2 3389   - i can reach the Remote Desktop Protocol from Access Server under ssh
00:00 <@Eugene> quebre - yes, you're asking for Access-Server support in the GPL channel
00:00 <@Eugene> And where is the damned as factoid
00:00 <@Eugene> !as
00:01 < quebre> erm what ?
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:01 -!- ShadniX [dagger@p5DDFC07F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:01 <@Eugene> !access-server
00:01 <@vpnHelper> "access-server" is OpenVPN Access Server support is in #openvpn-as
00:01 < quebre> my home pc cannot be accessed outside normally, thats because of my ISP, can you give me some hint how to access remote desktop some way ? im sitting whole night without result..
00:01 <@Eugene> Ugh, I see what's going on, damned bot
00:02 < quebre> maybe i dont need access-server but something else instead, im not sure
00:02 -!- ShadniX [dagger@p5DDFC70F.dip0.t-ipconnect.de] has joined #openvpn
00:02 <@Eugene> !download
00:02 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
00:02 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
00:02 <@Eugene> That's what we discuss here ^. Sorry if the openvpn website isn't clear on the distinction, but we won't touch the cloused-sorce AS stuff
00:03 < quebre> lets leave the AS
00:03 < quebre> maybe i can do it the other way
00:03 < quebre> i have dedicated linux server that is accessible, maybe i can make some tunnel to access my VM
00:03 < quebre> or something
00:04 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
00:04 <@Eugene> !learn commercial as Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
00:04 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
00:04 <@Eugene> Damn you, bot.
00:05 < quebre> well, have a nice chat with the bot, i feel like i'm talking to a bot as well
00:05 <@Eugene> krzee - you broke the !as factoid. It interpreted it the as as "as"
00:05 <@Eugene> quebre - snark is not going to get you any help
00:05 <@krzee> !as
00:05 <@Eugene> !howto
00:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:05 <@krzee> !forget as
00:05 <@vpnHelper> Error: There is no such factoid.
00:06 <@Eugene> Let's start over. Uninstall "access-erver" and start over with the howto
00:06 <@Eugene> krzee - See the first key, "" http://www.secure-computing.net/factoids.php ;-)
00:06 <@vpnHelper> Title: SCN: vpnHelper Factoids (at www.secure-computing.net)
00:06 <@krzee> !learn commercial as Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
00:06 <@vpnHelper> Joo got it.
00:06 <@krzee> oh, ecrist will have to fix that in the sqlite db
00:06 <@Eugene> !""
00:06 <@vpnHelper> "" is (#1) as AS is a commercial product by OpenVPN Technologies Inc, and is NOT the same thing as the Community openvpn, which we support here. or (#2) as AS is a commercial product by OpenVPN Technologies Inc, and is NOT the same thing as the GPL OpenVPN codebase ("Community OpenVPN"), which we support here. or (#3) as please go to #OpenVPN-AS for help with Access-Server or any other closed source
00:06 <@vpnHelper> tech from openvpn technologies such as Connect.
00:06 <@Eugene> Try !forget ""
00:06 <@krzee> !learn as as Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
00:06 <@vpnHelper> Joo got it.
00:06 <@krzee> !forget ""
00:06 <@vpnHelper> Error: You must not give the empty string as an argument.
00:07 <@Eugene> Lul
00:07 <@krzee> !forget "" *
00:07 <@vpnHelper> Error: You must not give the empty string as an argument.
00:07 <@krzee> !forget " " *
00:07 <@vpnHelper> Error: There is no such factoid.
00:07 <@krzee> !" "
00:07 <@krzee> !""
00:07 <@vpnHelper> "" is (#1) as AS is a commercial product by OpenVPN Technologies Inc, and is NOT the same thing as the Community openvpn, which we support here. or (#2) as AS is a commercial product by OpenVPN Technologies Inc, and is NOT the same thing as the GPL OpenVPN codebase ("Community OpenVPN"), which we support here. or (#3) as please go to #OpenVPN-AS for help with Access-Server or any other closed source
00:07 <@vpnHelper> tech from openvpn technologies such as Connect. or (#4) as Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
00:07 <@krzee> hah
00:07 < Aketzu> heh
00:07 <@Eugene> Annnnnnd now its worse
00:07 <@Eugene> Just give up
00:08 <@Eugene> How about !learn "as" as "Some text"
00:10 <@krzee> !learn AS as Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
00:10 <@vpnHelper> Joo got it.
00:10 <@krzee> !as
00:10 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
00:10 <@Eugene> Heyyyyy
00:11 <@Eugene> Still no idea on fixing the other one
00:14 <@krzee> it'll have to be done via cmdline
00:20 < quebre> lol
00:21 < quebre> so i just made fucking ssh tunnel using middle server that i have and voila, works :p
00:23 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
00:32 <@krzee> !serverlan
00:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
00:32 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
00:32 <@krzee> !tcp
00:32 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
00:32 <@krzee> ssh tunnels are tcp in tcp, yours is x3
00:40 < quebre> mine is x3 ?
00:40 < quebre> means tcp in tcp in tcp ? :p
00:40 <@krzee> tcp in tcp in tcp
00:40 <@krzee> ya
00:41 < quebre> but works ;D
00:41 <@krzee> =]
00:41 < quebre> better have x3 or x10 than not working at all, but i will study the links today when i wake up, for now i at least have solution that i can provide to client ;)
00:41 < quebre> if i make it working i will drop the tunnel
00:42 < quebre> if not, oh well, x3 doesn't sound THAT bad ..
00:45 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
00:45 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
01:14 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
01:25 -!- Guest77836 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 250 seconds]
01:27 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
01:27 -!- Ko_lo is now known as Guest84322
01:55 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 240 seconds]
02:06 -!- nattom [~nattom@5.104.224.195] has quit [Ping timeout: 258 seconds]
02:07 -!- nattom [~1freedom@afo2.torproject.afo-tm.org] has joined #openvpn
02:17 -!- acu [~acu@50.244.13.222] has joined #openvpn
02:19 -!- master_o1_master [~master_of@p4FF2438D.dip0.t-ipconnect.de] has joined #openvpn
02:21 -!- LumberCartel [~LumberCar@96.53.47.34] has joined #openvpn
02:22 -!- master_of_master [~master_of@p4FD7B6DE.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
03:07 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has joined #openvpn
03:07 -!- f0cker [~f0cker@host81-149-11-109.in-addr.btopenworld.com] has quit [Changing host]
03:07 -!- f0cker [~f0cker@unaffiliated/f0cker] has joined #openvpn
03:09 -!- LumberCartel [~LumberCar@96.53.47.34] has quit [Quit: Me fail English? That's unpossible.]
03:28 -!- Latrina [~Latrina@ppp-43-0.26-151.libero.it] has quit [Ping timeout: 276 seconds]
03:35 -!- Latrina [~Latrina@ppp-122-37.26-151.libero.it] has joined #openvpn
03:45 -!- kwork [~georg@unaffiliated/kwork] has quit [Remote host closed the connection]
03:46 -!- kwork [~georg@no.life.ee] has joined #openvpn
03:46 -!- kwork [~georg@no.life.ee] has quit [Changing host]
03:46 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
03:46 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
04:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:32 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
04:39 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 0.4.4-dev]
04:47 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:52 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
--- Log closed Mon Apr 21 05:38:06 2014
--- Log opened Mon Apr 21 05:38:14 2014
05:38 -!- ecrist [~ecrist@token-black.secure-computing.net] has joined #openvpn
05:38 -!- Irssi: #openvpn: Total of 236 nicks [8 ops, 0 halfops, 3 voices, 225 normal]
05:38 -!- mode/#openvpn [+o ecrist] by ChanServ
05:38 -!- Irssi: Join to #openvpn was synced in 40 secs
05:40 -!- Zarrsh [~Zarrsh@198.167.138.150] has quit [Ping timeout: 240 seconds]
05:41 -!- stemid [~avatar@ns4.sydit.se] has quit [Ping timeout: 264 seconds]
05:41 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
05:41 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has joined #openvpn
05:58 -!- joshh20-Away is now known as joshh20
05:59 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
06:14 -!- nocturn [~nocturn@unaffiliated/nocturn] has quit [Ping timeout: 258 seconds]
06:27 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
06:30 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
06:31 -!- jafeha [~jakobh@HSI-KBW-095-208-112-196.hsi5.kabel-badenwuerttemberg.de] has joined #openvpn
06:35 -!- jafeha [~jakobh@HSI-KBW-095-208-112-196.hsi5.kabel-badenwuerttemberg.de] has quit [Client Quit]
06:35 -!- jafeha [~winni@zankapfel.org] has joined #openvpn
06:37 -!- nocturn [~nocturn@unaffiliated/nocturn] has joined #openvpn
06:39 < jafeha> hello everybody, i'm currently using auth-ldap (basic debian wheezy configuration with openvpn-auth-ldap connecting to a remote openldap server) to authenticate my vpn users. i'd like to differentiate users based on their ldap attributes, separating them in different subnets. is there any smooth way to do this?
06:40 < jafeha> can i (and how can i) use the group section in the config file to achieve this goal?
06:46 < nattom> reiffert: perhaps you might help a newb...26 hours ago, you said: (09:19:53 AM) reiffert: nattom: this is openvpn... after i asked for feedback regarding tcpv5 being used by tor. [i am Not good at asking questions here, because i am new to irc.] but after i made a tiny change in my configs, attempting to
06:47 < nattom> reiffert: fix my openvpn, problem - then my openvpn logs suddenly had this line of feedback reflecting my failure to stay connected to my socksproxy:
06:52 < nattom> reiffert: [this is in one of my openvpn log files:] TCP connection established with [AF_INET]127.0.0.1:9150
06:54 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
06:55 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has joined #openvpn
06:55 < nattom> reiffert: and the following lines included: TCPv4_CLIENT link local: [undef] - and: TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:9150
07:00 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
07:01 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:01 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has quit [Ping timeout: 265 seconds]
07:02 < nattom> and i am trying to connect to a tcpv5 socks-proxy. my Goal, Here - is to re-create, the success that i had for more than a year, using vpn over tor. as a beginner, i worked very hard to learn/tweak enough - to set up an old ubuntu-box to use vpn over tor... and then heartbleed happened...
07:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:03 < nattom> and i changed computers, changed oss, and vpn-providers all changed their certificates and keys...
07:05 < nattom> and i am doing much more "due diligence" to re-create what has protected my mission workers and families from danger. i appreciate irc and openvpn and all of you. i am reading the manual today. [thank you, pekster.]
07:06 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
07:08 < nattom> ah- !heartbleed
07:14 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has joined #openvpn
07:25 < ACKNAK> !heartbleed
07:25 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
07:25 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
07:25 < ACKNAK> xkcd :O
07:34 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
07:34 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
07:54 < nattom> ACKNAK: xkcd :D
07:55 < ACKNAK> aye, its good
07:59 < nattom> !101
07:59 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
08:15 < ACKNAK> its not replacement, its addition!
08:24 -!- acu [~acu@50.244.13.222] has joined #openvpn
08:41 <@ecrist> Eugene: that first key/as issue recurs and I don't know why
08:41 <@ecrist> I"ve fixed the database on multiple occasions
08:52 <@krzee> ecrist, we found why
08:52 <@krzee> one cannot add a key to "as"
08:52 <@krzee> must add / modify "AS"
08:53 <@krzee> adding it to "as" results in the empty record ""
09:01 -!- jafeha [~winni@zankapfel.org] has quit [Quit: leaving]
09:15 < nattom> ACKNAK: hi. omg! my entering that 101-thing was NOT directed at you.    :|   i was looking for myself. i have a big-noob, sort-of Problem....   ><
09:16 < nattom> & i needed a few moments on the xkcd-site.  :)
09:17 < ACKNAK> xD
09:24 -!- justinzane [~justinzan@24.49.184.3] has joined #openvpn
09:30 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
09:33 <@krzee> http://xkcd.com/1350/
09:33 <@vpnHelper> Title: xkcd: Lorenz (at xkcd.com)
09:33 <@krzee> omg this one never ends
09:44 < ACKNAK> :O woah
09:50 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
09:50 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
09:50 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
09:50 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:50 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
09:56 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
09:56 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
09:56 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
09:56 -!- sauce [sauce@unaffiliated/sauce] has quit [Excess Flood]
09:56 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-bfmrroslmltwcjla] has joined #openvpn
09:58 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
10:00 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-byuwnywbgsutwgir] has joined #openvpn
10:07 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 255 seconds]
10:12 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
10:14 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
10:20 -!- u0m3 [~u0m3@92.80.121.181] has quit [Read error: Connection reset by peer]
10:24 -!- u0m3 [~u0m3@109.96.138.238] has joined #openvpn
10:48 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
10:50 <@Eugene> ecrist - because supybot's parser is a piece of shit
10:53 <@ecrist> I don't doubt that, bug I'm guessing it's more the fault of sqlite
10:54 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
10:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:03 -!- Gue______ [~textual@99-76-203-137.uvs.btrgla.sbcglobal.net] has joined #openvpn
11:08 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
11:11 -!- Gue______ [~textual@99-76-203-137.uvs.btrgla.sbcglobal.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:11 -!- Guest___ [~textual@99-76-203-137.uvs.btrgla.sbcglobal.net] has joined #openvpn
11:11 -!- Guest___ [~textual@99-76-203-137.uvs.btrgla.sbcglobal.net] has left #openvpn []
11:11 -!- FatDarrel_ [~anandab@50.242.126.113] has joined #openvpn
11:12 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 276 seconds]
11:12 -!- FatDarrel_ is now known as FatDarrel
11:17 <@krzee> i also blame supybot. its the "as" that breaks, because as is the seperator. !forget checks "" and doesnt allow it, but !learn takes the seperator and adds it as ""
11:17 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has quit [Changing host]
11:17 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
11:18 <@krzee> to correctly add "as" i must add to "AS" and then !as works
11:25 -!- TheNumbers [uid21212@gateway/web/irccloud.com/x-rqodeslyiulhagor] has quit [Quit: Connection closed for inactivity]
11:29 -!- Latrina [~Latrina@ppp-122-37.26-151.libero.it] has quit [Ping timeout: 245 seconds]
11:33 -!- Latrina [~Latrina@adsl-ull-254-247.45-151.net24.it] has joined #openvpn
11:35 -!- Guest84322 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 276 seconds]
11:37 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:37 -!- Ko_lo is now known as Guest39037
11:49 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
11:49 < pekster> If we eventually replace the bot, whatever #git uses is pretty fantastic
11:50 <@ecrist> find out what they use, let me know
11:50 <@ecrist> I'm not opposed to changing
11:52 <@krzee> it looks pretty custom for them
11:52 <@krzee> https://github.com/jast/gitinfo
11:52 <@vpnHelper> Title: jast/gitinfo · GitHub (at github.com)
11:52 <@krzee> i think supy is fine
11:52 <@ecrist> I have an IRC bot I wrote a long time ago, that was written for $work
11:52 <@ecrist> could just use that
11:53 <@krzee> or we could put feet on top of desks
11:53 <@krzee> lean back in the chair
11:53 <@krzee> maybe take a nap
11:53 <@ecrist> I do like that
11:54 <@ecrist> we've been using supybot for quite a few years at this point
11:54 <@krzee> yep vpnHelper is ready to start school by now
11:54 <@krzee> actually i guess he would have a couple yrs in school already
11:55 <@ecrist> 2nd grader I think.
11:55 <@krzee> ya sounds right
11:57 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
11:57 < joako> Is there any low cost device that's known to work as a router and OpenVpn client for the LAN?
11:59 < pekster> Sure, 'devel you know' works to. I'm a solid +0 to changing; if winds are right, sure, but we know how to make this one go (mostly :)
11:59 < pekster> devil*
12:03 <@krzee> joako, i guess whatever openwrt enabled device that you want (and has enough memory to use the rom with openvpn in it, unless you roll your own)
12:04 <@krzee> personally i buy cheap ones with low memory and roll my own, since i dont want web gui anyways
12:04 < pekster> I've had good luck running openwrt 12.09 (latest stable branch) on Netgear WNDR 3800's
12:04 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
12:05 <@ecrist> pfsense on anything x86
12:05 < pekster> It's got enough flash you can just use the stock image and add openvpn as a package, although I too build from source
12:05 < pekster> Yea, that works too; benefits to using a "real" CPU, especially if you can find one with AES-NI
12:08 -!- justinzane [~justinzan@24.49.184.3] has quit [Read error: Operation timed out]
12:08 < joako> I'm trying right now with OpenWrt and the connection is established and from OpenWrt itself I can access the VPN, but from the LAN I can not access the VPN
12:08 <@krzee> !serverlan
12:08 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:08 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:08 <@krzee> !clientlan
12:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
12:08 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:08 <@krzee> follow the flowchart that applies
12:09 <@ecrist> joako: sounds like a routing issue
12:09 < joako> ecrist, What would be the correct way to solve that? The routing table appears to be correct.
12:10 <@krzee> follow the flowchart
12:10 <@krzee> its EXACTLY what we would walk you through
12:10 <@krzee> when you get to the answer, we can help you with it
12:11 < joako> krzee, When I SSH into the OpenWrt everything works 100%. The OpenWrt is the default gateway for the LAN but the LAN can't access the VPN
12:11 < pekster> And what did you learn from the helpful flowchart that tells you where your problem is?
12:11 <@krzee> seriously
12:12 -!- levifig [sid1908@gateway/web/irccloud.com/x-qzbtqupfbzxbncwo] has left #openvpn []
12:12 < joako> Well if I go by the results on the LAN then I need to fix the VPN
12:12 <@krzee> your vpn server cannot ping your vpn client by vpn ip? your vpn client cannot ping vpn server by vpn ip?
12:13 < joako> The server and client can ping each other.
12:13 <@krzee> if you cannot follow the flowchart i cannot help you.
12:13 <@krzee> ill give you another try.
12:13 < joako> The flow chart appears to be for a single client. Not when the client is routing for the entire LAN
12:14 <@krzee> *facepalm*
12:14 <@krzee> im pretty sure i cant help you
12:14 <@krzee> !read
12:14 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
12:15 < joako> Both ends have the routes setup to each other.
12:16 <@krzee> if you cant follow my flowchart im not sure im willing to copy and paste every question from the flowchart for you
12:16 <@krzee> i mean, i did already take the time to help you help yourself
12:17 <@krzee> or is it maybe a language problem? do you not understand the questions it is asking you...?
12:22 < joako> When it says "you should see the iroute added in the server log"  will the server log say "iroute" ?
12:23 <@krzee> yes, did you add an iroute to a ccd entry for the client?
12:23 < joako> No, the server is pushing the routes to the client
12:24 <@krzee> you are sharing the clients lan to the server, right?
12:24 < joako> No the main goal is to access the server lan from the client lan. Accessing the client lan from the server lan is not a concern at this point.
12:24 <@krzee> then you need to share BOTH
12:25 < joako> Currently I can only access the server lan from the client machine.
12:25 <@krzee> !route
12:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:25 <@krzee> !iroute
12:25 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:25 <@krzee> you need to add the iroute
12:31 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
12:31 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
12:35 < joako> Is it valid if I put on the server push "iroute.... "?
12:35 <@krzee> !iroute
12:35 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:35 <@krzee> read the whole thing
12:36 <@krzee> also, i clearly spell out how to use it in a) the flowchart and b) the link in !route
12:36 <@krzee> !read
12:36 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
12:36 < joako> Based on that I don't believe it's needed because the LANs I am rounting between are directly attached to the client and server.
12:36 <@krzee> well guess what, you're wrong.
12:36 < joako> But can I push the iroute to the client or not?
12:36 <@krzee> which explains why it doesnt work...
12:36 <@krzee> thats not how iroute works
12:37 -!- joshh20 is now known as joshh20-Away
12:37 <@krzee> so, no.
12:37 <@krzee> it does not go in the client config, so you do not push it to clients
12:37 <@krzee> !push
12:37 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
12:37 <@krzee> !ccd
12:37 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:37 <@krzee> see the difference?
12:37 < joako> I don't understand how I have done site-to-site vpn before without using the iroute option.
12:38 <@krzee> you only did it with server lan
12:38 <@krzee> client lans require iroute
12:38 < joako> So to be clear in the server ccd I put iroute with the client's LAN address?
12:38 <@krzee> you're sooo close to my ignore list
12:39 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-byuwnywbgsutwgir] has quit [Quit: Connection closed for inactivity]
12:40 <@krzee> !spoonfeeding
12:40 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
12:41 <@krzee> the sad part about that link is that the people who its for will never read it ^
12:51 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
12:51 -!- justinzane [~justinzan@12.172.184.69] has joined #openvpn
12:54 -!- PJ- [uid22292@gateway/web/irccloud.com/x-plnlgiyabpakyqwd] has joined #openvpn
12:55 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 252 seconds]
12:58 < PJ-> i recently download the latest version and everytime i tried installing it, its just stuck in the bg process and no installer windows appearing ( i'm using win7), has anyone encounter this problem? nor know a solution for this?
12:59 <@krzee> did you shut down the gui before running the installer?
13:03 -!- lj [~l@192.241.174.169] has joined #openvpn
13:06 < PJ-> the previous version was uninstalled before running the latest installer
13:10 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
13:13 -!- Latrina [~Latrina@adsl-ull-254-247.45-151.net24.it] has quit [Ping timeout: 264 seconds]
13:13 -!- b11d [~chat@234-200-29-134.hcc.mnscu.edu] has joined #openvpn
13:13 < b11d> hey all
13:14 < b11d> Just wanted to ask.... i should use a seperate machine as a CA than my actual openvpn server, right/
13:14 < b11d> it seems easiest to just run them together, but my gut says thats a bad idea
13:15 -!- mback2k_ is now known as mback2k
13:15 -!- lj [~l@66.94.192.181] has joined #openvpn
13:17 -!- stemid [~avatar@ns4.sydit.se] has left #openvpn []
13:18 -!- lj1 [~l@192.241.174.169] has joined #openvpn
13:19 -!- lj [~l@66.94.192.181] has quit [Ping timeout: 252 seconds]
13:21 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
13:25 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:25 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
13:26 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
13:27 <@krzee> PJ-, are you talking about the installer from here?
13:27 <@krzee> !download
13:27 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
13:27 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
13:27 <@krzee> b11d, best security would be the CA signing server to have no network access, and shotgun security
13:27 <@krzee> !shotgun
13:27 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
13:28 < b11d> haha
13:28 < b11d> yeah i know what you mean though... just copy them via USB or somethiong
13:28 < PJ-> yes the https://openvpn.net/index.php/open-source/downloads.html
13:28 <@vpnHelper> Title: Downloads (at openvpn.net)
13:28 <@krzee> yep
13:28 < b11d> keys are just a hassle... can i run openvpn without ssl or certificates?
13:28 < b11d> just kidding :)
13:29 <@krzee> PJ-, i have not heard of that being a problem for anyone else? weird
13:29 <@krzee> b11d, actually, yes
13:29 <@krzee> !statickey
13:29 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
13:29 <@krzee> and of course
13:29 <@krzee> !noenc
13:29 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
13:29 <@krzee> ;]
13:29 < b11d> :)
13:29 < b11d> good to know i guess
13:31 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:31 <@krzee> of course you dont HAVE TO to an offline CA, im just going to the extreme for you
13:31 < b11d> i dont really have a dedicated, seperate, machien to run a CA on... the best I can do is put up another VM that isnt the vpn server and connect its interface to a private administrative vlan and restrict access via fw rules... better than nothing, eh
13:32 < PJ-> krzee, any suggestion to solve that issue?
13:32 <@krzee> demonstrating your point is correct and going further with it
13:32 -!- FatDarrel [~anandab@50.242.126.113] has quit [Quit: FatDarrel]
13:32 <@krzee> PJ, you have used openvpn before, right?
13:32 < PJ-> yes
13:33 <@krzee> so you know how to use the gui and whatnot..?
13:33 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
13:33 < PJ-> never had that problem
13:33 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Quit: Byebye]
13:33 <@krzee> then ild say to make a trac ticket
13:33 <@krzee> community.openvpn.net
13:33 <@krzee> uses same l/p as forum
13:33 < PJ-> have*
13:33 < PJ-> okay
13:34 <@krzee> !trac
13:34 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database.
13:39 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
13:49 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:50 -!- joshh20-Away is now known as joshh20
14:00 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
14:00 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
14:03 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mkisfmcjziixoolb] has joined #openvpn
14:06 -!- justinzane [~justinzan@12.172.184.69] has quit [Remote host closed the connection]
14:06 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
14:06 -!- justinzane [~justinzan@host-12-172-184-69.nctv.com] has joined #openvpn
14:06 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
14:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:24 -!- lj1 [~l@192.241.174.169] has quit [Quit: Leaving.]
14:24 -!- nattom [~1freedom@afo2.torproject.afo-tm.org] has quit [Ping timeout: 250 seconds]
14:27 -!- justinzane [~justinzan@host-12-172-184-69.nctv.com] has quit [Remote host closed the connection]
14:28 -!- justinzane [~justinzan@host-12-172-184-69.nctv.com] has joined #openvpn
14:34 -!- klein [~klein@177.101.105.94] has joined #openvpn
14:34 -!- klein [~klein@177.101.105.94] has quit [Changing host]
14:34 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
14:43 -!- justinzane [~justinzan@host-12-172-184-69.nctv.com] has quit [Ping timeout: 252 seconds]
14:53 -!- b11d [~chat@234-200-29-134.hcc.mnscu.edu] has quit [Read error: Connection reset by peer]
14:59 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
15:01 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
15:05 <@Eugene> !lt2p
15:05 <@Eugene> !l2tp
15:05 <@Eugene> !factoids
15:05 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:05 < reiffert> !compat
15:05 < reiffert> !notcompat
15:05 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
15:06 < reiffert> !factoids search --value l2tp
15:06 <@Eugene> I was looking for the one about how L2TP is crap
15:06 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
15:08 <@krzee> !pptp
15:08 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
15:08 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
15:08 <@krzee> thats what you were thinking of
15:08 <@Eugene> So it is
15:08 < reiffert> we should add "crap" allowing us to search for crap the next time
15:08  * Eugene is dealing with an idiot who is convinced Cisco is the be-all-end-all to networking and vpns
15:09 < reiffert> Eugene: the idiot is right.
15:09 <@krzee> i wonder if he ever knew about the single icmp packet hack against cisco
15:10 <@Eugene> reiffert - then the idiot should know how to set up his phone without me ;-)
15:10 < reiffert> krzee: the fact that you don't know of a similar severe bug on openvpn makes it save I guess?
15:11 < reiffert> Eugene: :-)
15:11 <@krzee> well for 1 thing they do VERY different things
15:11 <@krzee> cisco does wayyyyy more than openvpn does
15:11 -!- joshh20 is now known as joshh20-Away
15:11 <@Eugene> The idocy and the cisco-loving are separate manners; Cisco does make good gear, but it isn't what this particular idiot needs.
15:12 < kenyon> !will
15:12 <@vpnHelper> "will" is Where there's a will, there's /away
15:12 <@Eugene> It's literally "I want to browse porn on my phone from work" :-|
15:12 < reiffert> Eugene: need to port openvpn on his cisco phone .. will it allow him to make phone calls?
15:12 < reiffert> :)
15:13 <@Eugene> Actually it's Android's fault now for "having a broken fukcing racoon client"
15:13 <@Eugene> (what the fuck is racoon?)
15:13 < reiffert> the only working ipsec vpn for linux
15:13 <@Eugene> Apparently not working
15:14 < reiffert> +cisco compatible
15:14 < reiffert> Eugene: it does .. you didnt try the others
15:14 <@Eugene> I don't actually care
15:14 <@Eugene> I'm just trying to find a shoulder to cry on after listening to this inanity
15:14 < reiffert> oh good, let's invite the idiot then and blame him
15:15 <@Eugene> Would if I could. "Freenode runs on non-free software"
15:15 < reiffert> sigh.
15:16 <@Eugene> Which would be justifiable, almost, if it were true.
15:16 < kenyon> is it RMS?
15:16 <@Eugene> No, this one actually bathes.
15:16 < reiffert> poor Eugene. Raise your hourly income .. helps when not having a helping shoulder
15:17 < reiffert> kenyon: not joinin irc b/c the intel NIC on the server comes with a propreitary binary module?
15:17 < reiffert> SCNR
15:18 < kenyon> yeah, or the BIOS runs nonfree software
15:19 <@ecrist> it's GNU/Linux, not Linux
15:19 <@Eugene> I only run on top-quality GNU/BSD
15:19 <@ecrist> RMS was coming to the twin cities a few years back, and the TCLUG asked him to join them for beers/discussion
15:20 <@Eugene> And my toaster is arduino powered, made by free trade laborers in the congo
15:20 <@ecrist> he refused unless they changed their name to TCGLUUG (from Twin Cities Linux Users Group to Twin Cities GNU Linux Users Group)
15:20 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 252 seconds]
15:20 <@ecrist> s/TCGLUUG/TCGLIG/
15:20 <@ecrist> raar
15:21 <@ecrist> you get the point
15:21 <@Eugene> http://youtu.be/I25UeVXrEHQ
15:21 <@vpnHelper> Title: Richard Stallman Eats Something From His Foot - YouTube (at youtu.be)
15:21 < reiffert> :)
15:21 <@Eugene> All that really needs to be said about Stallman is in that video
15:22 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
15:22 <@ecrist> here's the start of insanity: http://archives.mn-linux.org/pipermail/tclug-list/2008-October/054986.html
15:22 <@vpnHelper> Title: [tclug-list] Richard Stallman Talking on UofM Campus 21 October (at archives.mn-linux.org)
15:22 <@ecrist> it's worth a read
15:24 <@Eugene> I rather enjoy pointing out the lack-of-freedoms that the GPL forces upon software developers
15:25 < Aketzu> Eugene: my experience with Cisco: it was nice VPN box at our foreign office... "little" bit flaky at times and then the head of that office drove a screwdriver few times through the box and we got somewhat better (&cheaper) VPN box
15:25 < Aketzu> i.e. ipsec sucks
15:25 -!- BlackBishop [dexter@ipv6.d3xt3r01.tk] has joined #openvpn
15:26 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
15:26 < BlackBishop> is there anything I can do to not get my default gateway changed if the server pushes redirect-gateway ? ( I commented-out redirect-gateway def1 in my client.ovpn but it still gets changed )
15:26 -!- mback2k is now known as mback2k_
15:26 <@ecrist> Eugene: that is specifically brought up fairly early in the thread
15:26 <@Eugene> !nopull
15:26 <@vpnHelper> "nopull" is "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
15:28  * Eugene yawns
15:29 < BlackBishop> thanks.
15:29 <@Eugene> WTFPL is best PL
15:34 <@ecrist> here's the actual thread I was referring to wrt RMS: http://archives.mn-linux.org/pipermail/tclug-list/2008-October/055072.html
15:34 <@vpnHelper> Title: [tclug-list] Stallman wants to meet us, if we are TC*G*LUG (at archives.mn-linux.org)
15:39 -!- saint_ [~saint@c-50-166-85-78.hsd1.nj.comcast.net] has joined #openvpn
15:39 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:50 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:52 -!- saint_ [~saint@c-50-166-85-78.hsd1.nj.comcast.net] has quit [Ping timeout: 265 seconds]
15:52 -!- saint__ [~saint@c-50-166-85-78.hsd1.nj.comcast.net] has joined #openvpn
15:56 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
15:59 -!- lj [~l@192.241.174.169] has joined #openvpn
16:02 -!- saint__ [~saint@c-50-166-85-78.hsd1.nj.comcast.net] has left #openvpn ["UNIVERSE CORRUPTED. REBOOT (Y/N) ?"]
16:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:09 -!- HectorBarbossa [uid7850@gateway/web/irccloud.com/x-mkisfmcjziixoolb] has quit [Quit: Connection closed for inactivity]
16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:29 -!- acu [~acu@50.244.13.222] has quit [Ping timeout: 252 seconds]
16:37 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:43 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
16:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-bfmrroslmltwcjla] has quit [Quit: Connection closed for inactivity]
17:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:07 -!- Latrina [~Latrina@ppp-164-23.26-151.libero.it] has joined #openvpn
17:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
17:19 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has quit [Ping timeout: 252 seconds]
17:24 -!- sudormrf [~sudormrf@c-76-102-242-78.hsd1.ca.comcast.net] has joined #openvpn
17:32 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
17:33 < sudormrf> hey guys, I am trying to test something with linux, openvpn and network-manager-openvpn.  what I am trying to test is a modification to the "ovpn" file, however one does not exist in this case.  it seems as though network-manager-openvpn is using the raw input and doing what it needs to do.  I don't see a way to tell network manager to use an ovpn file, nor do I see a way to find the settings that would normally appear in an ovpn
17:33 < sudormrf> file, although I am probably missing something.  This is being handled graphically by network manager.
17:34 < pekster> Pretty much. "You configure n-m by using n-m. Assistance provided by n-m documentation." On the other hand, openvpn uses a typical Unix-like config file as input
17:34 < pekster> Here we recommend you get your configs working with vanilla openvpn, then add on any GUI you want; that way you know your VPN setup works before you add layers of abstraction on top
17:35 < Mathias> sudormrf: iirc it just copies it another place. but i mayb be thinking of another thing :p
17:35 -!- joshh20-Away is now known as joshh20
17:35 < pekster> No, it has its own "process" for converting all the stupid radio buttons and checkboxes and the like to options
17:36 -!- acu [~acu@50.244.13.222] has joined #openvpn
17:37 < Mathias> do'h, i was thinking about asuswrt thrn, xD
17:38 -!- Latrina_ [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
17:38 < sudormrf> pekster, thanks.  I know the VPN works, now I would like to test a setting (redirect-gateway to be precise) on this particular machine.  I don't see a way to translate that in to the n-m gui.  suggestions?
17:39 < sudormrf> Mathias, I did a search for anything called *.ovpn and found nothing.  searched for anything called openvpn then looked in each of those folders and found nothing that looks like it did what I am trying to accomplish :O
17:39 < pekster> Don't use n-m
17:39 < pekster> On non-windows, we usually call the files something.conf
17:40 < pekster> But for all it mattters, call it my-config.jpg
17:40 -!- Latrina [~Latrina@ppp-164-23.26-151.libero.it] has quit [Ping timeout: 255 seconds]
17:40 < Mathias> unix-naming <3
17:40 < pekster> Again, n-m stores things "its own way."
17:40 < pekster> !netman
17:40 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
17:41 < sudormrf> lol
17:41 < sudormrf> in this case I cannot abandon NM :S.  am I up the creek without a paddle?
17:41 <@Eugene> Yes. Fuck NM.
17:41 < sudormrf> lol
17:42 < sudormrf> actually...shit.  I don't think this needs to be done on the client per this: "Add the following directive to the server configuration file:" well I am an idiot :D
17:43  * Mathias whispers "yes, you are"
17:43 < pekster> Anything the server can push the client can define locally
17:43 < pekster> (well, save IPs that are coordinated between both)
17:44 < sudormrf> pekster, oh, good to know.  in this case pushing from the server seems to be the better option, because NM.
17:44 < sudormrf> Mathias, thanks :P
17:45 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:46 < Mathias> sudormrf: now you'll remember the solution though :D
17:46 < sudormrf> it's true :)
17:52 < sudormrf> well now I can't wait to get home and test this.  yes, I am excited about stupid things :D
18:01 -!- Su7_ [~demerzel@2001:41d0:a:16::1] has joined #openvpn
18:01 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Read error: Connection reset by peer]
18:04 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
18:05 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 265 seconds]
18:11 -!- Latrina_ is now known as Latrina
18:11 -!- Latrina is now known as Latrina_
18:11 -!- Latrina_ is now known as Latrina
18:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:28 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has joined #openvpn
18:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:41 -!- h6w [~tudor@254.86.96.58.static.exetel.com.au] has left #openvpn []
18:42 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 245 seconds]
18:44 -!- PJ- [uid22292@gateway/web/irccloud.com/x-plnlgiyabpakyqwd] has quit [Quit: Connection closed for inactivity]
18:46 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
18:50 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 276 seconds]
18:54 -!- davidmp [~davidmp@149.255.100.107] has quit [Quit: Cya suckers!]
19:00 -!- anika [~anika@tor.nordsupport.com] has joined #openvpn
19:00 -!- davidmp [~davidmp@149.255.100.107] has joined #openvpn
19:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:10 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
19:11 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:17 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:19 -!- budmang [~budman@ip68-111-79-253.oc.oc.cox.net] has quit []
19:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
19:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:44 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has joined #openvpn
19:46 < thinkpad> trying to use OpenVPN Connect on iphone to get on my vpn but for some reason, it only works sometimes. I have 2 openvpn servers running on 1194 udp and 443 tcp. The one on UDP ocnnects every time but the TCP one only connects once in awhile. The connection just times out. Looking at the server log, it just gets stuck at "TLS: Initial packet from..."
19:46 < thinkpad> anyone know what could be the problem?
19:49 < thinkpad> it seems to be happening only when i try to connect from 3G. On wifi it works fine and immediately
19:50 < thinkpad> guess the service provider is up to no good?
19:55 -!- elricsfate_wrk [~elricsfat@aus-nat.datapipe.net] has left #openvpn ["Leaving"]
19:57 < pekster> Apparently
20:07 -!- lj [~l@adsl-99-155-20-27.dsl.peoril.sbcglobal.net] has joined #openvpn
20:07 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
20:17 -!- joshh20 is now known as joshh20-Away
20:18 -!- lj [~l@adsl-99-155-20-27.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 252 seconds]
20:20 -!- lj [~l@adsl-99-155-19-117.dsl.peoril.sbcglobal.net] has joined #openvpn
20:21 -!- tessier [~treed@kernel-panic/copilotco] has left #openvpn []
20:33 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
20:36 -!- charith [~charith@175.157.13.108] has joined #openvpn
20:36 < charith> hello
20:37 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
20:37 < charith> i wanted to delete an user from openvpn server
20:37 < charith> so i entered, ./clean-all
20:37 < charith> just to clean all
20:37 < charith> and I deleted server keys as well
20:38 < charith> bt still, i can connect to openvpn server using old keys
20:38 < pekster> 1) that deletes your entire PKI structure. 2) ideally you should never have server or client keys in your PKI
20:38 < charith> what is th reason?
20:38 < pekster> !intro-to-pki
20:38 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
20:38 < pekster> The CA PKI isn't used except during signing operations involving the CA
20:40 < pekster> If you want to prevent an existing key from connecting, you should revoke it and publish a CRL to your server
20:40 < pekster> Or use a ccd (read: !ccd) file with the commonName of the client and the directive `disable` in the ccd file
20:42 < charith> !ccd
20:42 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
20:42 -!- lj [~l@adsl-99-155-19-117.dsl.peoril.sbcglobal.net] has quit [Quit: Leaving.]
20:43 < charith> pekster, thanks, i tried to issue revoke-full username
20:43 < charith> but it failed
20:44 < charith> can u please gv me a link which has steps to revoke
20:44 < pekster> Without context that could be a number of things (lack of sourcing the mandatory 'vars' file, bad name, something else
20:44 < pekster> !revoke
20:45 < pekster> with easyrsa v2 it is the revoke-full frontend script, but the _reason_ for the failure is rather important
20:45 < pekster> At a high level you have the CA revoke the certificate, generate an updated CRL, and publish it to your server
20:45 < pekster> You must also have the server using --crl-verify option pointing to that CRL
20:47 < charith> !revoke
20:47 < pekster> !factoids search revoke
20:47 <@vpnHelper> No keys matched that query.
20:47 < pekster> Apparently the bot has nothing for that. Though if you ran clean-all, you need to restore from your backups
20:47 < pekster> (or start your PKI over)
20:49 < charith> actually i dont have setup actual CA in our vpnserver
20:49 < pekster> easyrsa maintains a PKI for you
20:49 < charith> we have just installed openvpn and created users
20:50 < charith> ok
20:50 < pekster> Reading that into doc I linked earlier should explain the basic concepts
20:50 < charith> yes, got it
20:51 < charith> would be great if any link with detailed steps for revoking a certificate
20:52 < pekster> Say, like the official howto?
20:52 < pekster> !howto
20:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:53 < pekster> Note that with easyrsa v2 (what you're using now) the bit about sourcing vars must be performed in _every_ new shell you open
20:53 < pekster> Those set up variables that it will not function without
20:54 < charith> pekster, thanks a lot
20:54 < pekster> (my guess is that's what you didn't do originally when trying to revoke, but without the command & output, we won't know)
20:55 < charith> yes, i dont have the output now, will try with these steps
20:55 < charith> thanks again
20:57 < charith> pekster, it seems revode had worked correctly
20:57 < charith> i can remember it gave me error 23 at 0 depth lookup
20:57 < charith> i thought it was an error
20:57 < pekster> Yea, the way that script is written is a bit misleading (as it "tests the revocation for you" without really explaining what for)
20:58 -!- davidmp [~davidmp@149.255.100.107] has quit [Quit: Cya suckers!]
20:59 -!- charith [~charith@175.157.13.108] has quit [Quit: Leaving]
21:05 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
21:08 -!- Ali_nz [~bigal.nz@60-234-250-18.bitstream.orcon.net.nz] has joined #openvpn
21:08 < Ali_nz> hpeoples
21:08 < Ali_nz> hi peoples
21:09 < Ali_nz> I assume that if I want a client to connect to more than one server simultaneously, the servers need to be on different vpn subnets (ie not all on 10.8.0.0)
21:11 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
21:12 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:12 < pekster> Ali_nz: Correct. There is some --client-nat feature, but I've never poked at it and you're far better off defining networks that don't overlap
21:13 -!- lj [~l@192.241.174.169] has joined #openvpn
21:16 < Ali_nz> pekster: sweet. Will just set the server vpn subnet to be 10.8.1.0
21:18 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
21:28 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 252 seconds]
21:31 -!- tuvok is now known as tuvok-
21:32 -!- tuvok- is now known as tuvok
21:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:39 -!- lj [~l@192.241.174.169] has joined #openvpn
21:50 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
21:51 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
21:55 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:58 -!- sudormrf [~sudormrf@c-76-102-242-78.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
22:01 -!- lj [~l@192.241.174.169] has joined #openvpn
22:10 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
22:11 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
22:11 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 276 seconds]
22:11 -!- michaelhart_ is now known as michaelhart
22:22 -!- thinkpad [~thinkpad@pool-173-56-43-197.nycmny.fios.verizon.net] has quit [Quit: Leaving]
22:23 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
22:24 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:26 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:07 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
23:08 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
23:14 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:17 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
23:37 -!- Guest39037 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:39 -!- Ko_lo is now known as Guest72644
23:51 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:58 -!- ShadniX [dagger@p5DDFC70F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
--- Day changed Tue Apr 22 2014
00:00 -!- ShadniX [dagger@p57941653.dip0.t-ipconnect.de] has joined #openvpn
00:02 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
00:30 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has quit [Read error: Connection reset by peer]
00:30 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has joined #openvpn
00:37 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
00:48 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
00:52 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
01:00 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 240 seconds]
01:01 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:01 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:01 -!- mattock_afk is now known as mattock
01:01 -!- lj [~l@192.241.174.169] has joined #openvpn
01:06 -!- lj [~l@192.241.174.169] has quit [Ping timeout: 276 seconds]
01:15 -!- Zarrsh [~Zarrsh@farari.paydayauto.biz] has quit [Ping timeout: 250 seconds]
01:18 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 250 seconds]
01:18 -!- mushroomed [~mushroome@li173-111.members.linode.com] has quit [Ping timeout: 250 seconds]
01:20 -!- mushroomed [~mushroome@li173-111.members.linode.com] has joined #openvpn
01:23 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
01:24 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
01:25 -!- Zarrsh [~Zarrsh@198.167.138.150] has joined #openvpn
01:48 -!- lj [~l@74.120.203.218] has joined #openvpn
02:01 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-yhjrfqzntbjsaqtq] has joined #openvpn
02:07 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
02:22 -!- ChrisH [~dg7pc@dslb-088-077-171-181.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
02:22 -!- ChrisH [~dg7pc@dslb-088-077-171-181.pools.arcor-ip.net] has joined #openvpn
02:23 -!- master_o1_master [~master_of@p4FF2438D.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
02:24 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds]
02:24 -!- master_of_master [~master_of@p4FD7BD31.dip0.t-ipconnect.de] has joined #openvpn
02:29 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
02:41 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:42 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:45 -!- anika [~anika@tor.nordsupport.com] has quit [Ping timeout: 252 seconds]
02:55 -!- vn [~sys6x@nostalgeek.net] has quit [Ping timeout: 240 seconds]
03:08 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Ping timeout: 245 seconds]
03:08 -!- anika [~anika@128.204.203.103] has joined #openvpn
03:10 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
03:14 -!- vn [~sys6x@nostalgeek.net] has joined #openvpn
03:15 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
03:15 -!- Gadu [~Gadu@94.200.220.210] has joined #openvpn
03:16 < stemid> maybe a stretch asking here but I'm using openvpn tls-server on a Debian Wheezy server, and a Macintosh OS 10.9 client. I push def1 as default-route, my own dns. everything seems to work but the strange thing is that I can connect my Gtalk account, but not two XMPP accounts, nor my MSN account.
03:16 < stemid> ok now one XMPP account worked
03:17 < stemid> so two out of four IM accounts work over the VPN
03:17 < stemid> strangely
03:22 < Gadu> my internet traffic is not being routed through my vpn. terminal output http://pastebin.com/LfGwK8Yn
03:33 < Gadu> Config: http://pastebin.com/DNhrnG0M and Terminal output: http://pastebin.com/SXRwh6a7
03:34 -!- smellis [~stephan@24.49.219.131] has quit [Ping timeout: 250 seconds]
03:35 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has joined #openvpn
03:43 -!- iokill_ [~iokill@91.114.127.102] has joined #openvpn
03:43 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
03:44 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Ping timeout: 276 seconds]
03:44 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
03:45 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
03:46 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
03:46 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 252 seconds]
03:55 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
04:14 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
04:18 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
04:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:19 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
04:23 -!- smellis [~stephan@24.49.219.131] has joined #openvpn
04:32 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
04:41 -!- mattock is now known as mattock_afk
04:56 -!- nrgskill [~nrgskill@2.50.187.243] has joined #openvpn
05:03 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Read error: Operation timed out]
05:07 -!- u0m3_ [~u0m3@109.96.138.238] has joined #openvpn
05:08 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
05:08 -!- matsh_ [divine@nanogene.org] has joined #openvpn
05:08 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
05:10 -!- matsh [divine@nanogene.org] has quit [Ping timeout: 255 seconds]
05:10 -!- matsh_ is now known as matsh
05:10 -!- u0m3 [~u0m3@109.96.138.238] has quit [Ping timeout: 255 seconds]
05:11 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
05:14 -!- iokill_ [~iokill@91.114.127.102] has quit [Ping timeout: 240 seconds]
05:15 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
05:18 -!- maxiepax [max@locke.misse.org] has quit [Ping timeout: 240 seconds]
05:19 -!- afuentes_ [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
05:20 -!- afuentes_ [~afuentes@213.37.131.197.static.user.ono.com] has quit [Remote host closed the connection]
05:21 -!- maxiepax [~max@locke.misse.org] has joined #openvpn
05:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
05:34 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
05:35 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:51 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
06:01 -!- hamma [~hamma@41.225.98.54] has joined #openvpn
06:04 < hamma> Hello guys
06:05 < hamma> I am stuck setting up an openvpn tunnel between my PC(gentoo) and a vmware centos machine that runs on my PC too
06:06 < hamma> here is the server config http://pastebin.com/3weECJGM
06:06 < hamma> here is the client config http://pastebin.com/HGdrE3iR
06:08 < hamma> and these are the client errors http://pastebin.com/w5JVVJ5i
06:08 < hamma> Help please
06:13 < Martin`> why are you using openvpn? or do you also want connections from other computers?
06:14 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Excess Flood]
06:15 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
06:16 < hamma> Martin`, thanks for the answer, obviously i want to make a simple demo to convince  my director of using openvpn
06:17 < hamma> Martin`, I don't want other connections, just from my pc to the VM
06:20 < Martin`> hmm ok, I don't see what the problem is. Looks like a problem with the certificate or connection
06:21 < hamma> Martin`, yes i suspect that my VM dont allow port 1196
06:22 < hamma> ss -u -a give me nothing
06:22 < hamma> nmap tells me that 1196 is filtered
06:24 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
06:35 < hamma> Martin`, do i have to regenerate the certificates again?
06:39 < Martin`> If port is filtered, I don't think that is the problem
06:41 < hamma> nmap -p 1194 -sU 192.168.13.2 -P0
06:41 < hamma> Starting Nmap 6.25 ( http://nmap.org ) at 2014-04-22 08:24 CET
06:41 < hamma> Nmap scan report for 192.168.13.2
06:41 < hamma> Host is up (0.00017s latency).
06:41 < hamma> PORT     STATE    SERVICE
06:41 < hamma> 1194/udp filtered openvpn
06:41 <@vpnHelper> Title: Nmap - Free Security Scanner For Network Exploration & Security Audits. (at nmap.org)
06:41 < hamma> MAC Address: 00:0C:29:9D:BC:34 (VMware)
06:41 < hamma> Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
06:42 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
06:43 < hamma> Martin`, some people said to me that udp ports can't say they re opened
06:43 < Martin`> hmm ok, did not know that
06:44 < Martin`> hamma: do you see some information in the server log file?
06:44 < hamma> Martin`, it's as it is nothing there
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=706272 /sbin/ifconfig tun0 192.168.12.1 pointopoint 192.168.12.2 mtu 1500
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=709664 /sbin/route add -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.12.2
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=713726 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=713981 GID set to nobody
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714007 UID set to nobody
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714025 UDPv4 link local (bound): [AF_INET]192.168.13.2:1194
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714032 UDPv4 link remote: [undef]
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714043 MULTI: multi_init called, r=256 v=256
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714076 IFCONFIG POOL: base=192.168.12.4 size=62, ipv6=0
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714108 IFCONFIG POOL LIST
06:45 < hamma> Wed Apr 16 17:15:18 2014 us=714131 Initialization Sequence Completed
06:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:46 < Aketzu> can you ping the server from the client?
06:47 < hamma> Aketzu, yes
06:48 < hamma> Aketzu, the server is a VM running on same machine connected via bridge device vmnet8
06:49 < Aketzu> anything in the server log?
06:49 < hamma> Aketzu,  Wed Apr 16 17:15:18 2014 us=706272 /sbin/ifconfig tun0 192.168.12.1 pointopoint 192.168.12.2 mtu 1500
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=709664 /sbin/route add -net 192.168.12.0 netmask 255.255.255.0 gw 192.168.12.2
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=713726 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=713981 GID set to nobody
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=714007 UID set to nobody
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=714025 UDPv4 link local (bound): [AF_INET]192.168.13.2:1194
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=714032 UDPv4 link remote: [undef]
06:49 < hamma> <hamma> Wed Apr 16 17:15:18 2014 us=714043 MULTI: multi_init called, r=256 v=256
06:49 -!- hamma was kicked from #openvpn by ecrist [hamma]
06:57 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:57 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:57 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:58 -!- mattock_afk is now known as mattock
06:59 -!- hamma [~hamma@41.225.98.54] has joined #openvpn
07:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:09 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
07:10 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:17 -!- mode/#openvpn [+v s7r] by ChanServ
07:18 -!- u0m3_ is now known as u0m3
07:32 -!- nrgskill [~nrgskill@2.50.187.243] has left #openvpn ["Leaving"]
07:34 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 265 seconds]
07:36 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
07:39 -!- lj [~l@74.120.203.218] has quit [Quit: Leaving.]
07:45 -!- lj [~l@74.120.203.218] has joined #openvpn
07:46 < hamma> Aketzu, i was kicked out, now am back again
07:47 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
07:57 -!- steveeJ [~junky@HSI-KBW-085-216-098-181.hsi.kabelbw.de] has joined #openvpn
08:00 < hamma> can anyone hear me?
08:00 -!- lj [~l@74.120.203.218] has quit [Quit: Leaving.]
08:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:02 < hamma> hey vpnHelper , can you help me :)
08:22 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
08:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
08:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:27 <@ecrist> hamma: don't paste into the channel again
08:28 < hamma> ok, promise, i didn't know that
08:28 < hamma> would you help me ? :)
08:40 <@ecrist> !goal
08:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:40 <@ecrist> and
08:40 <@ecrist> !welcome
08:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:47 -!- Gadu [~Gadu@94.200.220.210] has quit [Quit: Leaving.]
08:48 -!- Gadu [~Gadu@94.200.220.210] has joined #openvpn
08:57 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-yhjrfqzntbjsaqtq] has quit [Quit: Connection closed for inactivity]
08:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:00 < SupaYoshi> Hi
09:01 < SupaYoshi> I have a VPN working, however I can access my LAn and everything vica versa.
09:01 < SupaYoshi> But I want certain clients, to be able to route all traffic over the VPN.
09:01 < SupaYoshi> How do I accomplish this?
09:01 < SupaYoshi> Can I push something in the client config?
09:01 < SupaYoshi> Or do I need to do it in the server config
09:01 < SupaYoshi> and can I use it as a diode?
09:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:02 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
09:02 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Client Quit]
09:03 -!- lj [~l@192.241.174.169] has joined #openvpn
09:07 -!- hamma [~hamma@41.225.98.54] has quit [Ping timeout: 240 seconds]
09:28 <@ecrist> SupaYoshi: you'll need to enable that on the vpn server side, likely with outbound NAT
09:28 < SupaYoshi> ey
09:28 < SupaYoshi> Okay
09:28 < SupaYoshi> cool :)
09:28 <@ecrist> then for each client you want to push default for, you'll want a CCD entry, and the following contents:
09:29 < SupaYoshi> Well, i want the vpn clients to have the same IP as the internal lan
09:29 < SupaYoshi> *outside ip)
09:29 <@ecrist> push "redirect-gateway def1"
09:29 <@ecrist> yes, they will
09:31 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 252 seconds]
09:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:36 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ryzajnjvzyzihzbb] has joined #openvpn
09:37 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
09:38 -!- deeville [~deeville@38.117.108.108] has quit [Max SendQ exceeded]
09:38 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
09:49 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
09:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Operation timed out]
09:57 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
10:01 < svg> Hi, I have setup a server that hands out ip's to clients based on ldap group membership; I have an ifconfig pool that handles the default users, and extra routes to specific ip's for specific groups
10:01 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
10:01 < svg> this all works as expected, only question I have is about getting this error/warning:
10:01 < svg> MULTI ERROR: primary virtual IP for user/10.0.48.178:20116 (10.10.100.2) violates tunnel network/netmask constraint (10.10.96.0/255.255.255.0)
10:02 < svg> not sure if this is severe or not
10:02 < svg> 10.10.100.2 is an ip pushed by a client connect script, 10.10.96.0/24 is teh ifconfig pool
10:03 < svg> most important config details are
10:03 < svg> topology subnet
10:03 < svg> server 10.10.96.0 255.255.255.0
10:03 < svg> route-gateway 10.10.96.1
10:03 < svg> route 10.10.100.0 255.255.255.0
10:04 -!- sudormrf [~sudormrf@12.235.42.129] has joined #openvpn
10:06 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 250 seconds]
10:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:06 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Read error: Operation timed out]
10:07 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
10:08 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 264 seconds]
10:13 -!- iokill [~iokill@91.114.127.102] has quit [Read error: Connection reset by peer]
10:14 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
10:21 -!- sauce_ [sauce@ool-ad02ad20.dyn.optonline.net] has joined #openvpn
10:21 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
10:30 -!- alphanet [~ircuser@shakotay.alphanet.ch] has joined #openvpn
10:30 < alphanet> hello, I get "Cannot accept new session request from [AF_INET]188.60.143.149:4998 due to session context expire or
10:30 < alphanet> +--single-session [2]"
10:30 < Aketzu> svg: openvpn supports only one subnet per process (=tunnel)
10:30 < alphanet> but I don't use --single-session, what could be the cause?  time out of range on the client?
10:31 < Aketzu> svg: but you could allocate /16 ifconfig pool/tunnel and then just route /24 parts
10:33 < Aketzu> !logs
10:33 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:33 < Aketzu> alphanet: ^
10:33 < Aketzu> also configs would be nice
10:33 < alphanet> Aketzu: so, you want more details?  I will get them for you.
10:37 < alphanet> Aketzu: although I cannot get the logs from the client, because OpenVPN doesn't work ._>$
10:37 < Aketzu> does restarting openvpn on server help?
10:38 < alphanet> Aketzu: the problem created itself by restarting the server.  I will explain the setup on a Wiki page.
10:42 -!- hamma [~hamma@41.225.98.54] has joined #openvpn
10:43 < lj> Anyone have any idea as to which of the following would be more efficient resource-wise: Running singular instance setups on multiple (relatively) low resource servers, or running multi-instance on a less, higher resource servers?
10:44 < lj> s/multi/multiple/
10:45 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
10:46 < Aketzu> lj: enough ip addresses?
10:46 < lj> That's the problem, I'd only be able to allocate one per server it's looking like given my current hosting situation (which I suppose would force me to use the former method)…
10:47 < lj> a* problem
10:48 < Aketzu> well... I'm currently running 5 openvpn instances... they all together eat about 70MB of memory and use <1% CPU
10:49 < lj> Really?
10:49 < lj> How many users?
10:49 < lj> (avg)
10:51 < Aketzu> 154 connected now
10:51 < Aketzu> mostly maintenance connections to devices but doesn't differ from mostly idling users
10:52 < alphanet> Aketzu: ok, sorry to bother you, that error message seemed completely unrelated to my problem.
10:52 < alphanet> Aketzu: it works now after openvpn restart
10:52 < Aketzu> :)
10:52 < Aketzu> at least for a while
10:52 < alphanet> Aketzu: so it could be a timing issue'
10:52 < alphanet> Aketzu: so it could be a timing issue?
10:53 < lj> Aketzu: What constitutes the need for a separate instance do you think?
10:53 < lj> At x users -> another instance etc.
10:53 < Aketzu> alphanet: maybe... after rekeying (1h default) or after some other reconnection it might break again
10:53 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 255 seconds]
10:54 < alphanet> Aketzu: ok, this link was stable since october 2013 (gasp)
10:54 < Aketzu> then it really might some tls control channel expiration :)
10:54 < Aketzu> maybe the certificate expired :)
10:54 < alphanet> Aketzu: no :->
10:55 < Aketzu> lj: I've made new instances when I needed new subnets, tun/tap, different use cases (personel VPN, device VPN etc.)
10:55 < alphanet> Aketzu: it's a bizarre setup, because I have one central OpenVPN server (running on Debian wheezy) and three clients, one on wheezy (embedded alix), one on squeeze (normal PC) and one on "whatever" (dd-wrt).
10:55 < alphanet> Aketzu: the dd-wrt failed today.
10:55 < lj> Aketzu: I suppose a reasonable comparison would be: my case would likely be new instance per IP address.
10:56 < alphanet> Aketzu: after 2 restarts (and a fix in a connect-script) it works again, funny.
10:56 < lj> HRM
10:56 < lj> What're the specs of your current server like? And what would you recommend a safe… margin of error would be resource wise?
10:57 < Aketzu> my current server is HP DL360 G7... Xeon E5620 (quadcore, 2.4GHz) and 32GB RAM
10:57 < Aketzu> .. it's running much more than just openvpn :)
10:58 <@Eugene> !gigabit
10:58 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
10:58 <@Eugene> !scale
10:58 <@vpnHelper> "scale" is (#1) OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process. or (#2) Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto. or (#3) Both of these issues can be handled by running multiple server instances(on several IPs or ports) and having clients round-robin between them
10:59 <@Eugene> lj ^
11:00 < lj> That's a monster Aketzu.
11:01 < lj> :P
11:01 <@Eugene> That ain't shit.
11:01 < lj> Eugene: Ty for that. Wasn't aware of the 100 client recommendation.
11:01 < lj> I'll probably scale that to 50 lel.
11:01 <@Eugene> lj - "100" is just a number we picked out of a hat, on the principle that numbers with more than two digits are scary.
11:02 <@Eugene> Basically it's a context-switching thing; the more clients-per-process the more time you'll spend switching between handling them.
11:02 < alphanet> maybe some issue with a select on many fds?
11:02 <@Eugene> Indeed.
11:02 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
11:02 < lj> Eugene: lol'd.
11:03 < lj> And I see. *ponders*
11:03 < Aketzu> lj: also a few DL360p Gen8 servers with 2x E5-2620 + 64GB mem running 25 virtual machines each
11:04 < lj> I need a few for the basement.
11:04 <@Eugene> That's starting to sound more respectable
11:04 <@Eugene> eBay usually has cheap L5420-based boxes with 16GB of RAM
11:04 < lj> Aketzu: Personal proj stuff or for work?
11:04 < Aketzu> work
11:05  * lj is trying to up the homenet a bit
11:05 < lj> Eugene: Word. May have a look.
11:05 < lj> I have an army of pi's from a project a while back, but they barely cut it for testing basic stuff.
11:05 < lj> Definitely need some more substantial stuff for the house.
11:09 -!- hamma [~hamma@41.225.98.54] has quit [Quit: Leaving]
11:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:18 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:19 -!- thefinn93 [~finn@unaffiliated/thefinn93] has quit [Ping timeout: 276 seconds]
11:19 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:19 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 252 seconds]
11:21 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
11:21 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 276 seconds]
11:24 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 276 seconds]
11:32 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:33 -!- thefinn93 [~finn@unaffiliated/thefinn93] has joined #openvpn
11:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:37 -!- Guest72644 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
11:37 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
11:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:39 -!- Ko_lo is now known as Guest39762
11:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has left #openvpn ["See ya"]
11:50 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
11:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:03 -!- anika [~anika@128.204.203.103] has quit [K-Lined]
12:08 < svg> Aketzu: to be clear, the setup I described does work; it is as documented on http://openvpn.net/index.php/open-source/documentation/howto.html#policy where the extra routes are not contained in the 'server' spool
12:08 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:10 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
12:10 < sudormrf> quick question about the steps here: https://openvpn.net/index.php/open-source/documentation/howto.html#pki does the "clean-all" command wipe out any current certs/keys on the server?
12:10 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:11 -!- bertodsera [~quassel@97e48243.skybroadband.com] has joined #openvpn
12:11 < pekster> sudormrf: Yes. You only ever run that once to create your PKI, (or again later if you want to start over on that system)
12:11 < pekster> Ideally you don't keep your CA PKI on your server at all, although easyrsa v2 doesn't make PKI separation very easy
12:20 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:21 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
12:25 -!- Intensity [fNUidPCJAu@unaffiliated/intensity] has joined #openvpn
12:31 -!- NEone [~NEone@unaffiliated/neone] has joined #openvpn
12:32 < NEone> Hello. Any chance the Ubuntu PPA for openvpn (swupdate.openvpn.net) could add a version for Ubuntu 12.10 (codename "quantal"), please?
12:33 <@krzee> ecrist, tomorrow I will be on the weekly freeswitch developer conference to talk about my secure phones =]
12:34 -!- smellis [~stephan@24.49.219.131] has quit [Ping timeout: 276 seconds]
12:37 < sudormrf> pekster, thanks :)
12:38 <@ecrist> neat
12:42 <@krzee> ill see about getting a copy of it if you want to hear
12:48 -!- brianblaze420 [~admin@68.67.62.140] has joined #openvpn
12:48 -!- brianblaze420 [~admin@68.67.62.140] has quit [Changing host]
12:48 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
12:55 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
13:07 -!- Gadu [~Gadu@94.200.220.210] has quit [Quit: Leaving.]
13:08 -!- NEone [~NEone@unaffiliated/neone] has left #openvpn ["Leaving"]
13:09 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
13:09 < VlperX> hey, I'm having issues starting my openvpn server
13:09 -!- Gadu [~Gadu@94.200.220.210] has joined #openvpn
13:09 <@krzee> !logs
13:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:09 < VlperX> : ERROR while getting interface flags: No such device
13:09 < VlperX> SIOCSIFDSTADDR: No such device
13:10 < VlperX> !logfile
13:10 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:10 < VlperX> ah wut
13:11 -!- t0r [~textual@167.206.48.217] has joined #openvpn
13:11 <@krzee> are you starting it as root?
13:11 < VlperX> yes
13:12 < VlperX> http://ubuntuforums.org/showthread.php?t=2092265
13:12 <@vpnHelper> Title: [ubuntu] Openvpn server doesn't start (at ubuntuforums.org)
13:12 < VlperX> that was promising
13:12 < VlperX> except it didn't work
13:13 -!- julius_ [~julius_@static.88-198-127-82.clients.your-server.de] has joined #openvpn
13:13 < VlperX> I presume  * could not access PID file for VPN 'server' means it's not running?
13:13 < VlperX> or missing permissions?
13:13 -!- Gadu [~Gadu@94.200.220.210] has left #openvpn []
13:15 < VlperX> there's a openvpn-status.log
13:15 < VlperX> but nothing in it
13:19 < VlperX> does it help to know I'm using a hosted VPS?
13:19 <@krzee> you didnt post logfile
13:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:21 < VlperX> I honestly don't really know how to get it
13:21 <@krzee> !logfile
13:21 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:21 < VlperX> I did read that.
13:21 <@krzee> so whats the problem
13:22 < VlperX> #1 is a command variable?
13:22 <@krzee> command variable? what does that even mean?
13:22 < VlperX> parameter? i don't know
13:23 <@krzee>  log /path/to/logfile
13:23 <@krzee> what do you not understand?
13:23 < VlperX> the path. I don't know it
13:23 <@krzee> !101
13:23 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
13:24 < VlperX> so I'm doing my best to understand all this, but does openvpn not write its own log?
13:24 < VlperX> I have to grab the system log?
13:25 <@krzee> it does if you tell it to
13:25 < VlperX> ok, but how?
13:25 <@krzee> !logfile
13:25 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:25 <@krzee>  log /path/to/logfile
13:25 <@krzee> not sure what you dont understand
13:25 < VlperX> is that a command?
13:25 <@krzee> !man
13:25 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:25 <@krzee> see --log
13:28 -!- Su7_ is now known as Su7
13:28 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit []
13:29 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
13:30 -!- Su7 [~demerzel@2001:41d0:a:16::1] has joined #openvpn
13:30 < VlperX> this shit really isn't for beginners..
13:30 < VlperX> do I need to add --log to the start script?
13:35 < VlperX> does this help? http://paste.ubuntu.com/7308978/
13:38 < VlperX> krzee, you asked for a log, is that what you mean?
13:38 <@krzee> lol no
13:38 <@krzee> and no its not for beginners
13:38 <@krzee> you probably should not be administrating a vpn
13:39 < VlperX> gotta learn somehow
13:41 < VlperX> when is this channel mostly active?
13:45 < VlperX> krzee, can you refer me to someone who'd be more interested in helping me?
13:46 <@krzee> i would have helped you, but if you cant follow directions on getting a logfile you really should not be doing advanced networking
13:47 <@krzee> yes you gotta start somewhere, but probably not with openvpn
13:47 < VlperX> I'm not entirely new to linux. I'm just learnt everything needed along the way. Yes, I haven't tackled this project yet.
13:49 <@krzee> !as
13:49 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
13:49 <@krzee> thats what i recommend for you
13:50 <@krzee> that makes everything easier
13:50 < VlperX> how does that apply to me?
13:50 <@krzee> and comes with corporate support
13:50 <@krzee> it applies to you because it does not require skills
13:51 < VlperX> that's very thoughtful of you.
13:55 < VlperX> "You will find logging and error messages in your syslog." https://help.ubuntu.com/13.10/serverguide/openvpn.html
13:55 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
13:56 < VlperX> I just gave you my syslog
13:56 <@krzee> good luck
13:56 < VlperX> can you at least explain where I went wrong?
13:56 <@krzee> oh god, how did web even get back in here
13:56 <@krzee> that explains it
13:57 -!- mode/#openvpn [+q *!*@gateway/web/*] by krzee
13:57 <@krzee> there we go
13:57 <@krzee> ohh i see
13:57 < VlperX> um right. so as I was saying.. should I use a different string in the grep?
13:58 <@krzee> [14:59]  * #openvpn Banlist: Tue Apr  8 11:42:39 *!*@gateway/web/freenode/* morgan.freenode.net
13:58 <@krzee> no, you should tell openvpn to use its own logfile like !logfile said 4 times, and i pasted a few extra times
13:59 -!- mode/#openvpn [+b *!*@gateway/web/*] by krzee
13:59 < Ali_nz> your hard on him krzee....I remember finding openvpn really hard once
13:59 < Ali_nz> Your a guru remember!
13:59 <@krzee> Ali_nz, were you able to figure out how to use:
13:59 <@krzee> !logfile
13:59 < VlperX> hard on me? don't be silly
13:59 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:59 -!- Ali_nz [~bigal.nz@60-234-250-18.bitstream.orcon.net.nz] has quit []
13:59 < VlperX> *insert sacasm here*
14:00 <@krzee> because really, if you cant figure out how to get the logfile after being told 5 times, you should not be a vpn admin
14:00 <@krzee> this is advanced shit
14:00 <@krzee> !101
14:00 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
14:00 -!- Ali_nz [~bigal.nz@60-234-250-18.bitstream.orcon.net.nz] has joined #openvpn
14:00 <@krzee> Ali_nz,
14:00 < VlperX> welcome back, and thank you for showing some support
14:00 < Ali_nz> sorry was out of channel for a sec
14:00 <@krzee> [15:01]  <krzee> because really, if you cant figure out how to get the logfile after being told 5 times, you should not be a vpn admin
14:00 <@krzee> [15:01]  <krzee> this is advanced shit
14:00 <@krzee> !101
14:00 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
14:00 < brianblaze420> lol
14:01 <@krzee> Ali_nz, we banned webchat long ago for this reason
14:02 <@krzee> stick around and help people for a few years? you'll come to the same conclusions im sure
14:02 < Ali_nz> krzee: hahaha - true...you always seem to be here
14:02 < Ali_nz> krzee: but you get paid heaps to be here right?
14:02 <@krzee> lol no
14:02 < VlperX> ^
14:02 <@krzee> we volunteer dude
14:02 <@krzee> who did you think was paying me?
14:02 < Ali_nz> krzee: sarcasm
14:02 < VlperX> that was a joke..
14:03 <@krzee> haha
14:03 <@krzee> well the people in this channel do:
14:03 <@krzee> !as
14:03 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
14:03 <@krzee> those guys are paid support ^
14:03 < Aketzu> somebody needs to invent buying beers over irc :)
14:03  * jeev cancels krzee's last paycheck.
14:03 < VlperX> I'm not doing anything on a corporate scale.
14:03 <@krzee> viperZ28_, you dont need to be corporate to want things made easy
14:04 < VlperX> linux is simply a hobby for now, until I learn enough to make it more than that I suppose
14:04 <@krzee> oops that was for VlperX ^
14:04 < VlperX> nice highlight
14:05 <@krzee> AS comes with web config, automated installers, etc
14:05 < VlperX> I don't necessarily want this to be easy.
14:05 <@krzee> its normal openvpn with hella easy wrappers to make things easy for those who are not already skilled in computers / networking
14:05 <@krzee> otherwise, openvpn requires you to be very good in both of those
14:05 < VlperX> is it just the support I'd have to pay for?
14:05 <@krzee> !beginner
14:06 <@krzee> !factoids
14:06 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:06 <@krzee> VlperX, for questions about AS go to their channel
14:06 < VlperX> I don't think it's necessary to be 'very good' at anything you don't intend to do professionally
14:06 <@krzee> VlperX, well, you're wrong.
14:06 < VlperX> maybe
14:07 < VlperX> you could have answered that question
14:07 < VlperX> it would not have taken much effort
14:07 <@krzee> i dont know.
14:07 < VlperX> bah. I'm done arguing with you..
14:07 <@krzee> i dont do anything related to AS
14:07 <@krzee> goodluck.
14:07 < VlperX> that's all I needed
14:08 < VlperX> that's all you had to say, followed by ask them of course =P
14:08 <@krzee> i told you where to ask
14:08 <@krzee> THATS all i had to say
14:08 < VlperX> yes, yes you did
14:09 < VlperX> is anyone watching interested in seeing my initial reason for seeking assistance here?
14:09 < Aketzu> I'm still interested in the logs :)
14:10 <@krzee> :D
14:10 < VlperX> working on it
14:10 <@krzee> good answer ^
14:10 <@krzee> Aketzu++
14:10 < VlperX> can I please get an answer to this?: do I need to edit /etc/init.d/openvpn to write logs?
14:11 < VlperX> I'm not 100% sure how I'm supposed to implement --log
14:11 <@krzee> !--
14:11 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
14:11 < VlperX> ohh.
14:11 <@krzee> (as copied from the manual)
14:11 < VlperX> I think I get it
14:11 -!- brianblaze420_ [~admin@184.151.114.149] has joined #openvpn
14:11 -!- brianblaze420_ [~admin@184.151.114.149] has quit [Read error: Connection reset by peer]
14:11 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
14:15 < VlperX> yep, okay
14:15 < VlperX> http://paste.ubuntu.com/7309282/
14:16 <@krzee> you dont have tuntap in your kernel
14:16 <@krzee> need to compile the kernel module, or recompile it into your kernel
14:16 <@krzee> thats linux, not openvpn =]
14:16 < VlperX> I got that
14:17 < VlperX> thanks, I'll look in to it now
14:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
14:18 < VlperX> btw, this is seriously the most effective way for me to learn; to just figure it out as I go
14:18 < VlperX> I'm guarunteed to remember it that way
14:18 <@krzee> figuring it out as you go includes things like the manual
14:18 < VlperX> that is a good point
14:19 <@krzee> had you been at all familiar with the manual --log would not have sounded so weird =]
14:19 < VlperX> well the problem is it meant something else to me
14:19 < VlperX> so I didn't think I'd need to look up how else it's used
14:20 <@krzee> it meant something else to you cause you didnt look at the manual.
14:20 < VlperX> to me, that just means another command parameter.. I wasn't aware I could throw it in the config while omitting the --
14:20 <@krzee> it *is* just another param
14:20 <@krzee> ALL config options are
14:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:20 <@krzee> as the manual AND !-- says
14:20 < VlperX> simply put, I didn't know I needed to.. I thought something else was missing.. hard to explain I think
14:21 < VlperX> yes but as I said, I wasn't aware I could just throw it in the config
14:21 < VlperX> I like that
14:27 < VlperX> does this cover it in enough depth? http://backreference.org/2010/03/26/tuntap-interface-tutorial/
14:27 <@vpnHelper> Title: Tun/Tap interface tutorial « \1 (at backreference.org)
14:30 < VlperX> if this is all I needed to do,
14:30 < VlperX> # mkdir /dev/net
14:30 < VlperX> # mknod /dev/net/tun c 10 200
14:30 < VlperX> # chmod 666 /dev/net/tun
14:30 < VlperX> I already did that
14:34 < VlperX> cat: /dev/net/tun: Operation not permitted
14:34 < VlperX> what does that mean?
14:35 < VlperX> right, wrong channel..........
14:37 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:38 < Aketzu> it might be that your VPS provider hasn't included tun module at all
14:38 < VlperX> argh..
14:39 <@Eugene> !vz
14:39 < VlperX> I wonder what the likelihood is of them adding it for me
14:40 < Aketzu> depends... my provider required one email (some 5 years ago or so...)
14:41 < VlperX> yeah I'll see about that now
14:41 <@krzee> !openvz
14:41 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
14:42 <@Eugene> My recommendation? Move to a less-shitty provider. Linode treats me great.
14:42 <@krzee> [15:31]  <VlperX> if this is all I needed to do,
14:43 <@krzee> no, if thats what you needed to do i would not have told you its your kernel / lack of kernel module
14:43 < VlperX> They have KVM and Xen, only I'm not paying for that.
14:43 <@krzee> you got the right answer, kept looking until you found the wrong answer? and then asked if it was right
14:43 <@krzee> when in the first place you got the right answer
14:43 < VlperX> I guess if I ask them to enable the module, they'll refer me to one of those packages
14:43 <@Eugene> br0tip: pay more than $5/mo
14:44 < VlperX> I'm paying $10 +P
14:44 -!- acu [~acu@50.244.13.222] has joined #openvpn
14:44 < VlperX> I guess I'll upgrade then
14:44 <@Eugene> Then its time to shell out the Big Bucks for a linode.
14:45 < VlperX> it's like $5 more for a KVM, if I recall
14:45 < VlperX> so no need
14:45 <@Eugene> KVM is crap
14:45 < VlperX> how so?
14:46 < VlperX> I recall investigating Linode, they don't have Aus servers, do they?
14:47 <@Eugene> The big reason I dislike KVM is that it's working with "emulated" hardware. So is Xen-HVM, but not nearly so much. You get a much lower-level set of drivers and thus, better performance
14:47 <@Eugene> No, nothing in AU. Japan and Fremont are both fairly close, ping-wise.
14:47 < Aketzu> I like KVM approach 'every machine is just a process' so htop etc. report stats correctly
14:48 < Aketzu> xen just steals resources :)
14:48 < VlperX> I think I'm using OpenVZ
14:48 <@Eugene> VZ is crap. Utter shit.
14:48 <@Eugene> It isn't even virtualization, just chroot-on-steroids.
14:49 < VlperX> so like one step above shared hosting?
14:49 <@Eugene> Indeed.
14:50 < VlperX> damn.. Zen starts at $75
14:50 < VlperX> Xen*
14:50 -!- alphanet [~ircuser@shakotay.alphanet.ch] has quit [Remote host closed the connection]
14:51 < VlperX> so OpenVPN won't work on OpenVZ?
14:51 < Intensity> Hey. I'm wondering if anyone has had any experience using OpenVPN-NL.
14:52 < VlperX> waaait.. Xen starts at $15
14:53 <@Eugene> Not really, no
14:53 < VlperX> thoughts? http://www.exigent.com.au/servers/vds-essential-pricing.php
14:53 <@vpnHelper> Title: Virtual Servers, Dedicated Servers, Web Hosting, Domain Names, SSL Certificates | Exigent Enterprise (at www.exigent.com.au)
14:54 < VlperX> regarding ping, I use this server to host the occasional game server with a friend in NZ. It works out well for us to be in Sydney
14:54 < BlackBishop>  /window 9
14:54 < VlperX> at this stage, I have no good reason to rent two servers instead of just the one
14:57 <@krzee> openvpn works on openvz when setup right
14:57 <@krzee> but theres a few of caveats
14:57 < VlperX> such as?
14:57 <@krzee> such as it cannot handle nat correctly, and your provider must configure things to work right
14:58 <@krzee> you can hack around the nat issue, not the provider issue
14:58 < VlperX> so what do you think about me upgrading to VDS-L1 on that page?
14:58 < VlperX> Xen and all..
14:58 <@krzee> dunno, i dont mess with that stuff
14:58 <@krzee> i run my own servers
14:58 <@krzee> real servers
14:58 < VlperX> well this'll have to do for now..
15:00 < VlperX> but unless anyone thinks otherwise, I presume upgrading from OpenVZ to Xen will resolve my issue
15:08 <@Eugene> Yup.
15:08 < VlperX> thanks, Eugene
15:08 < VlperX> I think 6am is time for bed
15:08 < VlperX> adios
15:08 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Quit: Adios]
15:13 <@krzee> o.O
15:13 <@krzee> Intensity, whats your real question?
15:15 <@krzee> openvpn-nl is just openvpn with polarssl and some attempts to put a bulletproof vest over your feet in case you aim a gun at them
15:15 <@krzee> so go ahead and ask your question, maybe we can help ;]
15:19 <@syzzer> Intensity: feel free to ask any OpenVPN-NL questions, I'm be glad to help :)
15:19 <@krzee> oooo and you have him!
15:20 <@syzzer> I might be afk for a little while every now and then... but I'm the guy behind OpenVPN-NL
15:20 <@krzee> you're good to go now!
15:20 <@krzee> syzzer, was my description of openvpn-nl correct to you?
15:21 <@syzzer> very accurate even ;)
15:21 <@krzee> cool
15:27 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:34 < reiffert> Connect to /lost+found<y>? yes
15:35 < reiffert> Entry 'GIM-^ZM-GfM-MM-SM-5M-^Z6M-2M-fyM-^RM-fM-^E^M-SM->XM-sM-*FM-sfM-^MM-fM-m^KM-M{M-$M-fcM-^ZM-fM-s<M-MM-^W[M-^Zo^[5M-_M-^?i~:4M-?M-S5^]M-=5^?M-35M-^?M-nh;M-+M-4]MM-ZM-n^PmM-^OWM-Z^$m^LMM-['EM-[oM-^PM-6M-?@;PM- ^]<[;M-$R;LM-&M-^M^CiGNM-WM-^NM-2iM-cOkM-GM-NM-UM-^NM-_M-)M8M-"M-^]4O;M-yM-7vjwM-mM-4|M-m^LM-^R6iM-5vM-VCM-m^\M-^[v^^OM-; _M-;(M-*]M-|EM-;M-4JM-;|M-^UvM-ENmM-jRM-m*M-;vM-u}M-mM-ZSM-Zu%M-Z^MM-sM-4M-^[zj' in ??? (271622182) has invalid inod
15:35 < reiffert> see where my data is going to?
15:35 < reiffert> Let's call it a huge pastebin or lost+found or how long will it take to restore the backup
15:45 <@Eugene> Pwnt
15:49 <@syzzer> question for the guys helping people out on this channel: have you seen people having issues connecting with 2.3.3 (either server or client)?
15:49 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:57 < Aketzu> reiffert: flash memory is nice... I recently had data-xml in usb flash which had parts like: 2013-10%03 08:59:42 Read `ata but got 0 bytes string (ret 8)J20!3-10-03 08:49:42 Data senDing failed, file remains in queue
15:57 < Aketzu> random bit errors <3
15:58 <@plaisthos> flash memory is probabilstic storage
15:58 <@plaisthos> *every* flash
16:00 < reiffert> I have created RMAs for broken Seagate, Hitachi and WD last week. I dont think it's just flash memory that's storing on oppurtunistic basis
16:04 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:05 -!- sudormrf [~sudormrf@12.235.42.129] has quit [Quit: Well, I woke up with a clown's hand in my pants... That..that's what I did today.]
16:15 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
16:17 <@plaisthos> reiffert: sure
16:17 <@plaisthos> reiffert: hdd do that too
16:17 <@plaisthos> all somewhat modern technologie does that
16:17 <@plaisthos> otherwise harddisk would be like 1 GB big :)
16:20 <@Eugene> Never trust any storage medium
16:20 < reiffert> upload my data to the amazoncloud then?
16:20 <@plaisthos>  -- ZFS
16:21 <@Eugene> Especially not Amazon
16:22 <@Eugene> "Warm" checks like zfs(also Netapp!) combined with offsite mirroring is the only way
16:23 <@Eugene> Also need to test the backup for integrity - not just good bits, but also that it got saved consistently to begin with
16:24 < reiffert> rsync does that for me.
16:25 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
16:26 <@Eugene> No, it checks the bits. Whether the file itself was saved corrupted is separate
16:27 <@Eugene> End-to-end, man.
16:28 < reiffert> rsync performs crc checks on the data.
16:30 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
16:32 < Aketzu> .. and then happily syncs your broken copy on top of nice backup
16:33 < reiffert> nah. differntial is the key.
16:34 < reiffert> hardlinks and all that
16:36 <@syzzer> btrfs sounds cool too
16:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:40 <@Eugene> That's versioning of brokenness
16:40 <@Eugene> My point is that you can't trust the original writing application
16:53 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has quit [Ping timeout: 265 seconds]
16:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
16:56 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
16:57 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
16:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:06 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:19 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has joined #openvpn
17:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:35 -!- KaaK [~Kevin@wsip-98-188-52-104.ks.ks.cox.net] has joined #openvpn
17:37 < KaaK> I have used openVPN for many personal uses, and I am quite familiar with its various modes and configurations. Recently I am tasked with securing a distributed network of several hundred devices. Has anyone here attempted such a large openVPN setup?
17:38 < KaaK> Specifically any pitfalls, or other hurdles you may have encountered, and how they were address.
17:41 <@syzzer> KaaK: what do you mean by 'distributed'? Should it be decentralised?
17:43 < KaaK> syzzer, Distributed in area.
17:44 -!- lj1 [~l@192.241.174.169] has joined #openvpn
17:44 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has quit [Ping timeout: 252 seconds]
17:45 <@syzzer> I've seen OpenVPN setups with thousands of devices
17:46 < KaaK> Could you volunteer any of the details of the setup? From a first approach of the problem, I think one of my largest concerns is handling the certificate authority.
17:47 <@syzzer> OpenVPN can handle it just fine, depending on your bandwidth demands of course. Managing the CA is the b*tch...
17:47 < KaaK> any tips for the CA end of things?
17:48 <@syzzer> I didn't do the setup, but those maintainers already had a large scale CA in place.
17:48 < KaaK> ah ...
17:49 <@syzzer> but that certainly should be your main concern, finding proper PKI tooling.
17:49 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has joined #openvpn
17:50 < KaaK> I think my other major concern is gracefully failing over on the server end. I'm aware that clients can list multiple servers and randomly select which one to join, but I worry about balancing out this load.
17:50 < lj1> RR wouldn't be fine with doing so KaaK?
17:50 -!- lj1 is now known as lj
17:51 < KaaK> e.g. in a two server setup, if a sever is taken down, all clients should connect to the second -- but once the first comes up, you now have a very unbalanced situation (in terms of server loading)
17:51 < lj> iirc you can set a server hierarchy for which they should join.
17:52 < lj> Though they would still have to dc to get put back onto that previous one.
17:52 < Aketzu> well... the surviving node should be good enough to handle all the clients... otherwise multiple servers won't do much good if another one fails
17:52 <@syzzer> and it should stabilise itself over time again
17:54 <@syzzer> for these larger setups, you might want to poke openvpn tech for their access server. That comes with a lot of corporate features.
17:54 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has quit [Ping timeout: 264 seconds]
17:55 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
18:00 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has joined #openvpn
18:03 -!- exa [~exa@unaffiliated/exa] has quit [Quit: exa]
18:11 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
18:27 -!- joshh20-Away is now known as joshh20
18:30 < pekster> KaaK: Another option is a frontend NAT director (sending traffic to the least-subscribed server) or a similar technique with DNS and low-TTLs
18:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:44 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
18:45 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
18:46 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has joined #openvpn
18:47 -!- AlexPortable [uid7568@gateway/web/irccloud.com/x-ryzajnjvzyzihzbb] has quit [Quit: Connection closed for inactivity]
18:48 -!- lj [~l@75-145-156-241-Illinois.hfc.comcastbusiness.net] has quit [Client Quit]
18:49 -!- raidz is now known as raidz_away
18:56 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
19:04 -!- joshh20 is now known as joshh20-Away
19:17 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:18 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
19:19 -!- u0m3 [~u0m3@109.96.138.238] has quit [Read error: Connection reset by peer]
19:19 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
19:26 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
19:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
19:47 -!- FatDarrel [~anandab@50.242.126.113] has quit [Quit: FatDarrel]
19:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
19:57 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Read error: Operation timed out]
20:01 -!- klein [~klein@177.101.105.94] has joined #openvpn
20:01 -!- klein [~klein@177.101.105.94] has quit [Changing host]
20:01 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:03 -!- dos-freak [leecher@zentarim.0wnz.at] has joined #openvpn
20:05 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
20:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:40 -!- lj [~l@192.241.174.169] has joined #openvpn
20:47 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
21:12 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
21:12 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
21:13 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
21:16 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
21:24 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:25 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 250 seconds]
21:30 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
21:36 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
22:03 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
22:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
22:07 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:09 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:10 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
22:13 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:15 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
22:16 -!- WinstonSmith_ [~WinstonSm@bl13-192-220.dsl.telepac.pt] has quit [Ping timeout: 240 seconds]
22:18 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 276 seconds]
22:25 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Read error: Connection reset by peer]
22:47 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
22:56 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
22:59 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
23:00 < harlan> Is there a way I can see what sort of TCP sessions are running on an openvpn link on a client?  I suspect I could point wireshark on the client at the interface and watch, but I thought there might be a better way to do this.
23:05 < reiffert> netstat
23:06 < harlan> cool - I didn't realize that was available for windows, thanks!
23:06 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 252 seconds]
23:14 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
23:29 -!- orion [~orion@unaffiliated/orion] has joined #openvpn
23:30 < orion> Hi. Where can I find the OpenVPN protocol specification?
23:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
23:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
23:36 -!- Guest39762 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:39 -!- Ko_lo is now known as Guest96602
23:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:56 -!- paradox`` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 265 seconds]
23:59 -!- ShadniX [dagger@p57941653.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:59 <@Eugene> orion - there isn't one, really. You can piece it together from the source code.
--- Day changed Wed Apr 23 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:00 -!- ShadniX [dagger@p57941145.dip0.t-ipconnect.de] has joined #openvpn
00:04 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
00:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
00:18 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 240 seconds]
00:19 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
00:23 < orion> :(
00:23 -!- orion [~orion@unaffiliated/orion] has left #openvpn []
00:26 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:31 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
01:09 -!- scanman [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
01:19 -!- toobluesc [~nitro@2001:558:6045:7b:3d70:c3df:18a:884] has quit [Quit: Ex-Chat]
01:19 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
01:25 -!- Arr0way [arr0w@unaffiliated/arr0way] has quit [Ping timeout: 240 seconds]
01:26 -!- scanman [~scanman84@gateway/tor-sasl/scanman84] has quit [Quit: Segmentation fault...]
01:27 -!- Arr0way [arr0w@unaffiliated/arr0way] has joined #openvpn
01:29 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 250 seconds]
01:30 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
01:31 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
01:32 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
01:32 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
01:38 -!- Arr0way [arr0w@unaffiliated/arr0way] has quit [Ping timeout: 276 seconds]
01:39 -!- Arr0way [arr0w@unaffiliated/arr0way] has joined #openvpn
01:40 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: upgrades]
01:40 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 276 seconds]
01:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:47 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Quit: leaving]
01:47 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:48 < Linmu> !heartbleed
01:48 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
01:48 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
01:48 -!- Linmu [~Linmu@203.70.194.104] has quit [Client Quit]
01:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:51 -!- Arr0way [arr0w@unaffiliated/arr0way] has quit [Ping timeout: 255 seconds]
01:52 -!- Arr0way [~arr0w@unaffiliated/arr0way] has joined #openvpn
01:56 -!- lj [~l@74.120.203.218] has joined #openvpn
02:04 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
02:04 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
02:05 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:11 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
02:12 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
02:15 -!- lj [~l@74.120.203.218] has quit [Quit: Leaving.]
02:16 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
02:20 -!- master_o1_master [~master_of@p4FF24566.dip0.t-ipconnect.de] has joined #openvpn
02:21 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 240 seconds]
02:23 -!- master_of_master [~master_of@p4FD7BD31.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
02:33 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:34 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:44 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
02:53 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:58 -!- Linmu_ is now known as Linmu
03:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:17 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
03:18 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
03:27 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 245 seconds]
03:28 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
03:40 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
03:41 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
04:03 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
04:06 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
04:36 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
04:39 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
04:39 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Read error: Operation timed out]
04:44 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:49 -!- Linmu_ is now known as Linmu
04:54 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
04:54 -!- Linmu is now known as Linmu_
04:55 -!- Linmu_ is now known as Linmu
04:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
04:59 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 240 seconds]
05:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:08 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
05:13 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
05:14 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
05:15 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
05:15 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:25 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
05:26 -!- steveeJ [~junky@HSI-KBW-085-216-098-181.hsi.kabelbw.de] has quit [Remote host closed the connection]
05:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
05:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:53 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:03 -!- pjschmitt [~parker@unaffiliated/schmitt953] has quit [Remote host closed the connection]
06:06 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 252 seconds]
06:13 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
06:14 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
06:17 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
06:18 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
06:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
06:34 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: No route to host]
06:34 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
06:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:34 -!- mode/#openvpn [+v s7r] by ChanServ
06:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:53 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
06:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:54 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:54 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:54 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:07 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:17 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 276 seconds]
07:22 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
07:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:55 -!- stemid [~avatar@ns4.sydit.se] has left #openvpn []
07:57 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 264 seconds]
08:10 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
08:43 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:50 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 255 seconds]
08:51 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:54 -!- ska [~ska@unaffiliated/ska] has joined #openvpn
08:54 < ska> Does nxproxy help over OVPN connection tween 2 linux boxen?
08:54 < ska> I'm running X apps using X11 forwarding but its not super fast.
09:08 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
09:18 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
09:24 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
09:29 -!- amsterdam [~Adium@carp660.acheron.dus.dg-i.net] has joined #openvpn
09:39 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
09:51 -!- Jonhss [test@190.15.156.221] has joined #openvpn
09:52 -!- Jonhss [test@190.15.156.221] has left #openvpn []
09:54 -!- Jonhss [test@190.15.156.221] has joined #openvpn
09:56 -!- Jonhss [test@190.15.156.221] has quit [Read error: Connection reset by peer]
09:57 -!- Jonhss [~mil@190.6.65.194] has joined #openvpn
09:58 < Jonhss> Hello , I´m looking for custom modification of openvpn , someone can do the job ?
09:58 < Jonhss> danke
10:00 < Jonhss> help
10:02 < Jonhss> hello
10:03 -!- MacGyver [~macgyver@2a01:4f8:202:63f2:509::1] has joined #openvpn
10:03 -!- MacGyver [~macgyver@2a01:4f8:202:63f2:509::1] has quit [Changing host]
10:03 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
10:07 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 276 seconds]
10:08 -!- Jonhss [~mil@190.6.65.194] has left #openvpn []
10:12 -!- Jonhss [~mil@190.6.65.194] has joined #openvpn
10:13 -!- Jonhss [~mil@190.6.65.194] has quit [Quit: Jonhss]
10:13 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:14 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 240 seconds]
10:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:15 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
10:15 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
10:16 -!- dimitry7 [~antonello@187.188.84.149] has joined #openvpn
10:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:22 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:27 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Remote host closed the connection]
10:33 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
10:33 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
10:34 -!- amsterdam [~Adium@carp660.acheron.dus.dg-i.net] has quit [Quit: Leaving.]
10:57 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
11:08 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:09 -!- raidz_away is now known as raidz
11:11 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:13 -!- ron_ [~ron@ppp118-210-236-250.lns20.adl6.internode.on.net] has quit [Ping timeout: 240 seconds]
11:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:19 -!- ron_ [~ron@ppp118-210-9-147.lns20.adl2.internode.on.net] has joined #openvpn
11:34 -!- u0m3 [~u0m3@109.96.138.238] has joined #openvpn
11:37 -!- Guest96602 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:39 -!- Ko_lo is now known as Guest43766
11:51 -!- Aliekezhi [~Aliekezhi@80.215.178.159] has joined #openvpn
11:52 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:03 -!- a [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
12:04 -!- a is now known as Guest19195
12:12 -!- Guest19195 [~d@iad1-vshost12.dreamhost.com] has quit [Quit: leaving]
12:21 -!- a_ [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
12:21 -!- a_ is now known as Guest15348
12:26 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
12:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:27 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: No route to host]
12:32 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
12:33 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:34 -!- lj [~l@192.241.174.169] has joined #openvpn
12:35 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 276 seconds]
12:37 < ska> Will removing a local storage pool in virt-manager delete the contents on the filesystem?
12:37 -!- ska [~ska@unaffiliated/ska] has left #openvpn ["Leaving"]
12:46 -!- Ali_nz [~bigal.nz@60-234-250-18.bitstream.orcon.net.nz] has quit []
12:47 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:48 -!- Guest15348 [~d@iad1-vshost12.dreamhost.com] has quit [Quit: leaving]
13:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
13:09 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:14 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:14 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
13:18 < BlackBishop> is there a flag to make openvpn daemonize after Initialization Sequence Completed ?
13:18 <@krzee> --daemon
13:18 <@krzee> !daemon
13:19 <@krzee> oops, but ya just put daemon in the config
13:19 < BlackBishop> yeah, I have it in the conf file, and it daemonizez instantly
13:19 <@krzee> those are the 2 options for that
13:20 <@krzee> if you use daemon you can view logs to see the stuff before sequence completed
13:21 < BlackBishop> openvpn --config ma.ovpn --daemon daemonizez without showing me anything or even waiting for the sequence to complete
13:21 < BlackBishop> ( same goes if I put daemon in the .ovpn file )
13:22 <@krzee> right
13:22 <@krzee> so i guess the answer to your original question is "no"
13:22 <@krzee> but just do that and look at the log to find what you want
13:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
13:23 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:23 < BlackBishop> ok
13:23 <@krzee> !learn krzee as takes bonghits on the freeswitch teleconference
13:23 <@vpnHelper> Joo got it.
13:23 <@krzee> !krzee
13:23 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
13:31 -!- ChrisH [~dg7pc@dslb-088-077-171-181.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
13:31 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
13:31 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
13:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
13:31 -!- ChrisH [~dg7pc@dslb-092-072-190-208.pools.arcor-ip.net] has joined #openvpn
13:42 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
13:42 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
13:46 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
13:46 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
13:55 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:55 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
14:04 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:05 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:11 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:39 <@Eugene> I can't think of a better time to do so
14:40 <@Eugene> krzee - any recommendations on a vaporizer? GF's birthday is coming up, considering a Ploom Pax.
14:40 <@krzee> im not the biggest fan of vapes
14:40 <@krzee> but the volcano is always a winner
14:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:03 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
15:03 -!- joshh20-Away is now known as joshh20
15:14 -!- marshall [~marshall@modemcable071.115-162-184.mc.videotron.ca] has joined #openvpn
15:14 < marshall> hey openvpn
15:15 < marshall> I'm trying to run openvpn on my amazon EC2 instance, but every time I try, I get kicked out of my SSH session with "write failed". I'm kind of new to VPNs. is there something I'm missing?
15:15 <@krzee> are you running it as a client  on the ec2 machine?
15:16 <@krzee> marshall ^
15:17 < marshall> krzee: yeah, I'm trying to connect to a btguard's vpn
15:17 <@krzee> ?and using redirect-gateway?
15:17 <@krzee> !splitroute
15:17 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
15:18 < marshall> krzee: no. I don't think so. would that be in the ovpn conf?
15:18 <@krzee> well its probably coming from the server
15:18 <@krzee> the point is to redirect your internet traffic from ec2 through btguard, correct?
15:19 <@krzee> while still being able to ssh to the ec2 machine
15:19 < marshall> yes
15:19 < marshall> should I add "redirect-gateway def1" to my config?
15:20 <@krzee> no
15:20 <@krzee> the server is pushing it at you
15:20 <@krzee> which causes your ssh connection to redirect to come at you from btguard ip
15:20 <@krzee> but that breaks it
15:20 <@krzee> #1 from !splitroute is how you fix that
15:22 <@krzee> policy routing?
15:22 <@krzee> the only posts that you need to read are the first and second, note that it is his ip he uses in the second post
15:22 <@krzee> as seen in ifconfig in the first post
15:23 < marshall> ok so
15:24 < marshall> I'm fairly new to all this
15:25 < marshall> it looks like the OP is creating some IPTables rules to direct their ssh traffic?
15:26 <@krzee> what is happening is expected, and the solution is to have a second routing table and use policy routing
15:26 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Read error: Connection reset by peer]
15:26 <@krzee> and i dont see iptables used in that thread
15:27 <@krzee> pastebin your ifconfig -a
15:29 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
15:29 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
15:30 < marshall> krzee: http://pastebin.com/ccY4spTn
15:31 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
15:36 -!- KaaK [~Kevin@wsip-98-188-52-104.ks.ks.cox.net] has quit [Quit: Leaving]
15:37 -!- joshh20 is now known as joshh20-Away
15:41 -!- lkthomas [~lkthomas@n218250153109.netvigator.com] has quit [Ping timeout: 264 seconds]
15:42 -!- lkthomas [~lkthomas@n058153105034.netvigator.com] has joined #openvpn
15:48 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Ping timeout: 276 seconds]
15:51 < marshall> are you there krzee?
15:54 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
16:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:15 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:17 -!- pgib [~pgib@lmms/pgib] has quit [Ping timeout: 265 seconds]
16:17 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:19 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
16:25 -!- Champi [Champi@rootshell.fr] has joined #openvpn
16:29 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
16:30 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Read error: Connection reset by peer]
16:31 -!- Aliekezhi [~Aliekezhi@80.215.178.159] has quit [Quit: Leaving]
16:31 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
16:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:32 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
16:34 < zoredache> Anyone have any hints why I would see a lot of IPv6 packet loss, but not IPv4?  If I do `fping6 -p 10 -i 1 ipv6_addr -c 100 -b 1400 -q` over my OpenVPN tunnel I am seeing 30-50% packet loss.  Compared to 0 loss for IPv4.
16:35 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
16:36 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Read error: Connection reset by peer]
16:36 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
16:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:42 -!- acu [~acu@50.244.13.222] has joined #openvpn
16:44 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
16:44 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:47 < pekster> zoredache: Pinging what? The IPv6 IP of the server over the tunnel?
16:49 < zoredache> pinging from a linux box on side, to a linux box on the other.  The test boxes are not those terminating the vpn.
16:50 < pekster> Right, but there's a lot in that path. Try limiting involved systems, starting by pinging between just the VPN endpoints over v6
16:51 < zoredache> I have tried that, same results.  Packet loss for IPv6, and none for IPv4.
16:53 < pekster> You might try setting --verb 5 on both ends, restart the VPN for the change (though with --management you can change verb level on the fly) and see if what gets sent down the physical wire at one end makes it to the other
16:54 < pekster> Do you know what the path-MTU is between the Internet path your VPNs are transiting?
16:55 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
16:58 < zoredache> I used the --mtu-test switch, and it reported the mtu tested out to 1500.  AFAIK ICMP is not being filtered at any point between the to VPN endpoints.
17:01 <@krzee> marshall, sorry i had to leave for a bit, did you get it sorted?
17:03 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 245 seconds]
17:04 -!- Champi [Champi@rootshell.fr] has joined #openvpn
17:06 < pekster> zoredache: As long as MTU isn't causing the v6-packet to get split into 2 by openvpn (ie: UDP or IP fragmentation of the tunneled packet) there's no good reason I can think of why you'd see that kind of loss simply across the tnnel
17:07 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
17:07 < pekster> Did you verify that your --verb 5 per-packet output in the logs? The "wW" and "Rr" pairs should be pretty much exactly mirrored between peers
17:07 -!- joshh20-Away is now known as joshh20
17:07 < pekster> Also, ~100 pps is a lot of data when you're sending a 1400-byte data payload, plus headers
17:08 < zoredache> Sure, it is a lot, and I didn't expect it to be perfect, but a 30% loss compared to 0% for IPv4 is concerning.
17:09 < pekster> This might be fragmentation actually (which is why, now for the 3rd time, I'm encouraging you to look at that)
17:10 < pekster> 1400 + 4 (ICMPv6) + 40 (IPv6) + 8 (UDP, assuming UDP VPN transport for you) + 20 (IPv4, assuming v4 VPN transport) = 1476
17:10 < pekster> And that's before we even add in the openvpn header (plus crypto padding)
17:10 < zoredache> so lets assume it is fragementation, it isn't clear to me what the fix is.
17:11 < zoredache> use --tun-mtu and decrease the mtu, or?
17:11 < pekster> Reduce link-MTU so you're not sending packets so large they cause 1 full and 1 most-empty packet for each "real" packet you send
17:12 < pekster> If you disable compression on the VPN link you'll get a more accurate idea of resulting size
17:13 < pekster> Is your transport UDP+v4?
17:13 < zoredache> yes, udp+v4.
17:14 < zoredache> the link-mtu needs to be identical on each side, or can that be adjusted on the client only?
17:16 < pekster> It'll need to match, yea, otherwise you'll run into delivery problems
17:16 < pekster> Easy way to check if it's a problem is to disable compression, then send max-sized packets with the DF flag set
17:17 < zoredache> ah, goody, so this is going to be a PITA to test.  But I guess I'll figure out a way to give tha ta go.
17:18 < pekster> Or watch the packet delivery?
17:18 < pekster> tcpdump and/or --verb 5
17:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:34 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
17:36 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
17:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:11 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Ping timeout: 276 seconds]
18:14 -!- Jonhss [~mil@65.111.167.46] has joined #openvpn
18:16 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
18:17 < Jonhss> help, I pay for some changes in openvpn
18:18 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 245 seconds]
18:19 -!- Jonhss [~mil@65.111.167.46] has quit [Remote host closed the connection]
18:20 -!- Jonhss [~mil@65.111.167.46] has joined #openvpn
18:20 < Jonhss> !welcome
18:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:22 -!- Champi [Champi@rootshell.fr] has joined #openvpn
18:23 < Jonhss> !man
18:23 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
18:24 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
18:25 < Jonhss> !wiki
18:25 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
18:26 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Read error: Connection reset by peer]
18:27 -!- Jonhss [~mil@65.111.167.46] has left #openvpn []
18:31 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has joined #openvpn
18:33 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 252 seconds]
18:35 -!- Latrina [~Latrina@ppp-246-32.26-151.libero.it] has quit [Read error: Operation timed out]
18:35 -!- Latrina [~Latrina@ppp-21-43.26-151.libero.it] has joined #openvpn
18:37 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
18:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
18:41 -!- Latrina_ [~Latrina@ppp-11-62.26-151.libero.it] has joined #openvpn
18:43 -!- Latrina [~Latrina@ppp-21-43.26-151.libero.it] has quit [Ping timeout: 265 seconds]
18:43 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:45 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
18:47 -!- Latrina_ [~Latrina@ppp-11-62.26-151.libero.it] has quit [Quit: ZNC - http://znc.in]
18:48 -!- nlb [~nlb@unaffiliated/nlb] has quit [Ping timeout: 258 seconds]
18:49 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has joined #openvpn
18:50 -!- Latrina [~Latrina@ppp-11-62.26-151.libero.it] has joined #openvpn
18:54 -!- dimitry7 [~antonello@187.188.84.149] has quit [Ping timeout: 260 seconds]
18:54 -!- eN_Joy [~zhou3594@dhcp-105-41.rccc.ou.edu] has joined #openvpn
18:55 -!- Latrina [~Latrina@ppp-11-62.26-151.libero.it] has quit [Ping timeout: 240 seconds]
18:55 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
18:58 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has joined #openvpn
18:58 -!- ChrisH [~dg7pc@dslb-092-072-190-208.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
18:59 -!- ChrisH [~dg7pc@dslb-088-077-175-093.pools.arcor-ip.net] has joined #openvpn
19:12 -!- marshall [~marshall@modemcable071.115-162-184.mc.videotron.ca] has quit [Ping timeout: 255 seconds]
19:22 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has quit [Quit: ZNC - http://znc.in]
19:25 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has joined #openvpn
19:26 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:26 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
19:30 -!- joshh20 is now known as joshh20-Away
19:31 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
19:31 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
19:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
19:38 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
19:40 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:40 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
19:41 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
19:43 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has joined #openvpn
19:45 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:49 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
19:54 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
19:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
19:54 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
19:58 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 252 seconds]
20:00 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
20:01 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
20:03 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
20:03 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 252 seconds]
20:03 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
20:05 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:06 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
20:07 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
20:08 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
20:11 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
20:12 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has joined #openvpn
20:15 -!- Linmu_ [~Linmu@203.70.194.104] has joined #openvpn
20:15 -!- Linmu [~Linmu@203.70.194.104] has quit [Read error: Connection reset by peer]
20:19 -!- klein [~klein@177.101.105.94] has joined #openvpn
20:19 -!- klein [~klein@177.101.105.94] has quit [Changing host]
20:19 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:26 -!- marshall [~marshall@ip69-17-249-5.vif.net] has joined #openvpn
20:39 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 252 seconds]
20:40 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
20:40 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 252 seconds]
20:41 -!- marshall [~marshall@ip69-17-249-5.vif.net] has quit [Ping timeout: 276 seconds]
20:47 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:49 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
20:49 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
20:50 -!- marshall [~marshall@ip69-17-249-5.vif.net] has joined #openvpn
20:52 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
20:52 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
20:52 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
20:53 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
21:00 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
21:02 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
21:03 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 250 seconds]
21:04 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
21:50 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:57 -!- s7r_n [~s7r@openvpn/user/s7r] has joined #openvpn
21:57 -!- mode/#openvpn [+v s7r_n] by ChanServ
21:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
22:17 < _FBi> http://thehackernews.com/2014/04/nist-removes-dualecdrbg-random-number.html
22:17 <@vpnHelper> Title: NIST Removes Dual_EC_DRBG Random Number Generator from Recommendations (at thehackernews.com)
22:17 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
22:20 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
22:22 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
22:31 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
22:31 -!- mode/#openvpn [+v hazardous] by ChanServ
22:38 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
22:40 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
22:40 -!- mode/#openvpn [+v hazardous] by ChanServ
22:48 -!- dimitry7 [~antonello@189.179.25.145] has joined #openvpn
22:48 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 265 seconds]
22:49 -!- dimitry7 [~antonello@189.179.25.145] has quit [Max SendQ exceeded]
22:50 -!- dimitry7 [~antonello@189.179.25.145] has joined #openvpn
22:50 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
22:50 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
22:56 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
22:56 -!- mode/#openvpn [+v hazardous] by ChanServ
22:58 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
23:22 -!- lj [~l@74.120.203.218] has joined #openvpn
23:23 -!- lj1 [~l@74.120.203.218] has joined #openvpn
23:23 -!- lj [~l@74.120.203.218] has quit [Read error: Connection reset by peer]
23:26 -!- lj [~l@192.241.174.169] has joined #openvpn
23:26 -!- dimitry7 [~antonello@189.179.25.145] has quit [Ping timeout: 260 seconds]
23:27 -!- lj1 [~l@74.120.203.218] has quit [Ping timeout: 240 seconds]
23:30 -!- waynr [~waynr@ma.sdf.org] has joined #openvpn
23:30 < waynr> howdy folks
23:31 < waynr> i'm getting an error 'tls_read_plaintext error: ... routines:SSL3_SERVER_CERTIFICATE:certificate verify failed' on the client side
23:32 < waynr> some initial googling showed led to recommendations that I verify the ca.crt generated by easy-rsa was copied over properly to both client and server
23:32 -!- dimitry7 [~antonello@189.179.5.90] has joined #openvpn
23:32 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 255 seconds]
23:33 < waynr> i have verified the ca.crt was correctly copied, i even went so far as to re generate ca.crt, server and client certs/keys
23:34 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:34 -!- mode/#openvpn [+v hazardous] by ChanServ
23:36 -!- marshall [~marshall@ip69-17-249-5.vif.net] has quit [Ping timeout: 276 seconds]
23:37 -!- Guest43766 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
23:38 < waynr> i tried just to experiment using 'openvpn --tls-verify true --config server.conf' and 'openvpn --tls-verify true --config client1.conf'
23:38 < waynr> that works fine for the server, but the client doesn't seem to find the 'true' command
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:39 -!- Ko_lo is now known as Guest39270
23:44 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 246 seconds]
23:45 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
23:50 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:50 -!- mode/#openvpn [+v hazardous] by ChanServ
23:55 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
23:55 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 255 seconds]
23:57 -!- ShadniX [dagger@p57941145.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:58 -!- ShadniX [dagger@p57941AB0.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Apr 24 2014
00:11 -!- fremo [~fred@gw-salamandre.liazo.net] has quit [Ping timeout: 252 seconds]
00:14 -!- Linmu_ [~Linmu@203.70.194.104] has quit [Ping timeout: 276 seconds]
00:15 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:19 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
00:43 -!- dimitry7 [~antonello@189.179.5.90] has quit [Quit: Leaving]
01:19 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Ping timeout: 265 seconds]
01:26 -!- Diegosan [~chatzilla@S0106586d8f02c173.vn.shawcable.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 17.0/20121120042814]]
01:40 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:40 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:40 -!- mattock_afk is now known as mattock
02:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:01 -!- amsterdam [~Adium@xdsl-89-0-231-73.netcologne.de] has joined #openvpn
02:07 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
02:09 -!- capri [svedrin@ketos.funzt-halt.net] has joined #openvpn
02:11 < capri> hey guys. i can connect to my openvpn server and also do ping/icmp and connect via RDP to the server, but i cant open the network shares. im using windows server 2003 and as client win7. any hint?
02:16 < capri> i tried tap device and now everything works fine. but speed is horrible. about 50kb/s
02:19 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:20 <@krzee> !wins
02:20 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
02:20 <@krzee> tun with wins will be win
02:20 < capri> krzee, thx ill take a look. do you know why i cant open my network shares when im configured tun device?
02:21 -!- makara [~makara@41.164.22.218] has joined #openvpn
02:21 < capri> krzee, ping and rdp works like a charm, but share wont
02:22 <@krzee> right because you want wins
02:22 <@krzee> !wins
02:22 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
02:22 < Aketzu> can you open shares with ip-address?
02:22 < capri> Aketzu, no i cant.
02:22 < capri> Aketzu, but if im switching to tap devices i can
02:23 <@krzee> oh then more is messed up than i thought
02:23 < Aketzu> mtu?
02:24 -!- master_o1_master [~master_of@p4FF24566.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
02:25 < capri> mtu is fine
02:25 -!- master_of_master [~master_of@p4FF246FC.dip0.t-ipconnect.de] has joined #openvpn
02:26 < capri> im a little confused about i can do name resolution of the server if im using tap but i cant if im using tun
02:26 < capri> but also it should work with ipaddr
02:27 <@krzee> tap is layer2 and tun is layer3
02:27 <@krzee> windows shares use samba, which has netbios resolution
02:28 <@krzee> netbios resolution is layer2
02:28 <@krzee> otherwise theres wins which makes it over layer3 =]
02:28 <@krzee> <-- drunk and gunna leave internet. bbl
02:28 < capri> i think you´re right. ill give it a try :)
02:28 < capri> bbl
02:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:30 -!- amsterdam [~Adium@xdsl-89-0-231-73.netcologne.de] has quit [Quit: Leaving.]
02:34 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
02:37 -!- fremo [~fred@LAubervilliers-153-52-4-124.w217-128.abo.wanadoo.fr] has joined #openvpn
02:39 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
02:47 -!- fremo [~fred@LAubervilliers-153-52-4-124.w217-128.abo.wanadoo.fr] has quit [Ping timeout: 276 seconds]
02:47 -!- fremo [~fred@gw-salamandre.liazo.net] has joined #openvpn
02:53 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
02:59 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
02:59 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
03:42 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has joined #openvpn
03:43 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
03:43 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has left #openvpn ["Leaving"]
03:47 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 240 seconds]
03:51 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
03:57 -!- s7r_n is now known as s7r
04:05 -!- sunwind [~paradox@genld-224-235.t-mobile.co.uk] has joined #openvpn
04:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
04:47 -!- cryptonite [~jason@unaffiliated/cryptonite] has joined #openvpn
04:52 -!- RaiNerTsuFal [~RaiNerTsu@37.235.55.158] has joined #openvpn
04:55 -!- GabrieleV_ [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 276 seconds]
05:01 -!- sunwind` [~paradox@genld-224-235.t-mobile.co.uk] has joined #openvpn
05:04 -!- sunwind [~paradox@genld-224-235.t-mobile.co.uk] has quit [Ping timeout: 240 seconds]
05:06 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
05:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:07 -!- sunwind [~paradox@149.254.250.64] has joined #openvpn
05:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
05:09 -!- sunwind` [~paradox@genld-224-235.t-mobile.co.uk] has quit [Ping timeout: 265 seconds]
05:10 -!- cryptonite [~jason@unaffiliated/cryptonite] has quit [Ping timeout: 240 seconds]
05:24 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 246 seconds]
05:32 -!- cryptonite [~jason@unaffiliated/cryptonite] has joined #openvpn
05:32 < cryptonite> does openvpn server produce logs and if so where are they stored?and how can i chage that location?
05:36 <@plaisthos> see the manpage for --log
05:36 <@plaisthos> !log
05:36 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
05:36 <@plaisthos> !WTF
05:37 <@plaisthos> !logs
05:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:57 -!- hyper_ch [~hyper_ch@149.154.159.210] has joined #openvpn
05:57 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
05:58 < hyper_ch> hmmmm, question: I have a server with IP 1.2.3.4 and a server with IP 6.7.8.9. On both servers I run openvpn server and would like to connect to both of them with my computer. I know they must provide different subnets as vpn but can I use same port and protocol on the client side? e.g. both server run on 1194 UDP? or would that conflict on me as client?
06:32 -!- sunwind [~paradox@149.254.250.64] has quit [Quit: sunwind]
06:35 -!- sunwind [~paradox@149.254.250.64] has joined #openvpn
06:40 -!- cryptonite [~jason@unaffiliated/cryptonite] has quit [Read error: Connection reset by peer]
06:41 -!- cryptonite [~jason@athedsl-423575.home.otenet.gr] has joined #openvpn
06:42 -!- marshall [~marshall@ip69-17-249-5.vif.net] has joined #openvpn
06:46 -!- cryptonite [~jason@athedsl-423575.home.otenet.gr] has quit [Ping timeout: 240 seconds]
06:47 -!- marshall [~marshall@ip69-17-249-5.vif.net] has quit [Quit: leaving]
07:06 -!- Voon [~voon@46-255-169-140.dyn.cable.fcom.ch] has joined #openvpn
07:07 < Voon> Erm ... is OpenVPN now called private tunnel? I'm a bit confused what I need now to have the latest (and heartbleed fixed)?
07:08 < heraclitus> no, openvpn is still openvpn
07:08 < heraclitus> and, if you're on windows, download the latest GUI client, and you'll be fine
07:09 < heraclitus> otherwise, your linux distribution ought have by now released a patched version of openssl (with TLS heartbeat disabled)
07:09 < heraclitus> just use your package manager to install this update
07:09 < heraclitus> if you run a server, it's recommended you revoke and redistribute all certificates and keys
07:10 < heraclitus> due to the nature of heartbleed, virtually anything may have been leaked, (certs, keys, etc)
07:10 < heraclitus> and it leaves no trace.
07:10 < heraclitus> http://community.openvpn.net/openvpn/wiki/heartbleed
07:11 <@vpnHelper> Title: heartbleed – OpenVPN Community (at community.openvpn.net)
07:11 < heraclitus> Voon ^
07:13 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
07:13 < waynr> i am having trouble connecting to openvpn server, this is the error message I see: http://paste.debian.net/hidden/91ce9f63
07:14 < heraclitus> waynr, are you sure you're using the correct certificates for the server you are connecting to?
07:15 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
07:16 < ACKNAK> Hey, anybody knows how stable could configuration with STATIC IP CLIENTS and several instances of OpenVPN (SAME IP POOL RANGE!) would be?
07:16 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:17 < ACKNAK> I've found this article https://forums.openvpn.net/topic10473.html
07:17 <@vpnHelper> Title: OpenVPN Support Forum Server on several ports with same config? : Configuration (at forums.openvpn.net)
07:17 < waynr> heraclitus: yeah, i cleared everything out yesterday and regenerated the whole pki directory with easy-rsa
07:17 < heraclitus> I always have separate instances of openvpn for each port, ACKNAK
07:17 < ACKNAK> me too
07:17 < ACKNAK> but I want static IP so much
07:17 < heraclitus> especially if you plan to use multiple protocols
07:18 < ACKNAK> UDP only
07:18 < heraclitus> you can still use static IPs... but you have to configure for each instance
07:18 < Voon> its openvpn on windows (sorry had to go to our lab)
07:18 < Voon> cant find the downloadlink it seems on the vpn site
07:18 -!- sunwind [~paradox@149.254.250.64] has quit [Ping timeout: 240 seconds]
07:18 < heraclitus> one second... I'll find you the download, Voon
07:19 < Voon> ah here think i got it
07:19 < heraclitus> https://openvpn.net/index.php/open-source/downloads.html
07:19 <@vpnHelper> Title: Downloads (at openvpn.net)
07:19 < heraclitus> just choose your architecture
07:19 < heraclitus> :)
07:19 < Voon> http://openvpn.net/index.php/download/community-downloads.html .. ended up here
07:19 <@vpnHelper> Title: Community Downloads (at openvpn.net)
07:19 < heraclitus> or, build from source, if you feel up to it
07:19 < Voon> ah same thing
07:19 < Voon> uh no .. not on windows :)
07:19 < heraclitus> lol
07:19 < Voon> thanks
07:19 < heraclitus> np
07:20 < ACKNAK> heraclitus, I'm using random-remote to split load between instances, to split load. Static IP for each zone is useless =(
07:20 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
07:21 < waynr> heraclitus: i use the same ca.crt on both server and client, and have not changed the filenames when moving files to client
07:21 < waynr> should the client config reference the server cert? my understanding was that it shouldn't
07:21 < ACKNAK> I'll go test [learn-address] solution
07:22 -!- Voon2 [~voon@62-204-105-204.static.cable.fcom.ch] has joined #openvpn
07:22 < waynr> i tusing OpenVPN 2.2.1 on server, 2.3.2 on client
07:23 < heraclitus> waynr, the ca.crt should be your server certificate, if you're using a full TLS implementation, you should have a ca.crt, a client.crt, and a client.key for each client configuration. the ca.key (the server key) should only be used to sign new client keys.
07:23 < heraclitus> you recently revoked the server keys?
07:23 < heraclitus> keys/certs?
07:23 < heraclitus> if you did, you have to HUP the instance (SIGUSR1) to register the new keys/certs server-side
07:24 < waynr> this is my first time getting openvpn server running
07:24 -!- Voon2 [~voon@62-204-105-204.static.cable.fcom.ch] has quit [Client Quit]
07:24 -!- Voon [~voon@46-255-169-140.dyn.cable.fcom.ch] has quit [Ping timeout: 265 seconds]
07:25 < waynr> i cleared everythign out of the pki directory and deleted all server/client keys and certs after my first attempt because of this error
07:25 < ACKNAK> !scripting
07:25 <@vpnHelper> "scripting" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
07:25 < heraclitus> then something isn't right with your configuration. do you have the server/client configs handy?
07:25 < heraclitus> i'd like to take a look at them, please
07:26 < waynr> yeah let me remove all the comments real quick, i'll pastebin them
07:26 < heraclitus> okay
07:27 < heraclitus> grep -vE '^#|^;|^$' <file>
07:27 < heraclitus> ^ makes it a bit easier, waynr
07:36 < waynr> hmm i just got it working by removing 'ns-cert-type server' from the client config
07:36 < waynr> which means that the nsCertType in the server certificate wasn't set correctly?
07:36 < heraclitus> so, you're unable to verify the certificate on the server... something's wrong with your SSL configuration, then.
07:37 < heraclitus> yes, that's correct, ns-cert-type means that the client certificate has to match the server configuration
07:39 < heraclitus> iirc, it verifies the CN
07:42 < waynr> I used ./easy-rsa build-server-full <servername> to build the server key/cert pair and ./easy-rsa build-client-full <clientname> to build a client key/cert pair
07:42 < heraclitus> did you modify your vars file?
07:43 < waynr> yeah, for Country,Province,City,Org,Email, and OU
07:43 < waynr> oh and easyrsa keysize
07:43 < heraclitus> good, what's CN
07:44 < heraclitus> ?
07:45 < waynr> i haven't set that anywhere, from the comments in the file i thought that would be prompted interactively then i forgot about it when actually running the easy-rsa commands
07:46 < heraclitus> :)
07:47 < heraclitus> you can set it globally for the server stuff, but for the client stuff, you have to set it individually, you can also use the pki-tool like this:
07:47 < heraclitus> KEY_CN=<name> ./pkitool <name>
07:47 < heraclitus> gotta run, though
07:47 < waynr> okay, thanks for the help!
07:47 < eN_Joy> i have a question posted http://stackoverflow.com/questions/23258838/openvpn-routes-traffic-with-tcp-but-not-udp can someone take a look at it? thanks,
07:47 <@vpnHelper> Title: openvpn routes traffic with tcp, but not udp - Stack Overflow (at stackoverflow.com)
07:48 < heraclitus> good luck, will be back later
07:49 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
07:51 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:51 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:51 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:59 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
08:04 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 246 seconds]
08:05 -!- moviuro__ [~moviuro@130.37.152.87] has joined #openvpn
08:07 < moviuro__> Hello! I'm trying to set up a nice VPN between myself and a server: however, 2 complications. My colleague wants a "layer 2" VPN and our server is behind a machine we'll call "sas". If I use a ssh connection to sas (ssh -Dmyport login@sas), I can reach my server using 127.0.0.1:myport as socks proxy. But I have really no idea how/what layer 2 is/does; my server is running OpenBSD 5.4 and clients will be running either OpenBSD 5.4, Archlinux or Android (
08:07 < moviuro__> > 4.2).
08:07 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
08:08 -!- mode/#openvpn [-s] by mattock
08:08 < moviuro__> I had an old configuration which wasn't layer2, and thus (AFAIK) created a "tun0" device on all servers/clients
08:14 < moviuro__> brb
08:15 -!- moviuro__ [~moviuro@130.37.152.87] has quit [Quit: Bye!]
08:17 -!- moviuro__ [~moviuro@130.37.152.87] has joined #openvpn
08:19 < waynr> huh, i wonder if my server certificate was not signed correctly
08:20 < waynr> the issuer CN is the same for both client and server certs
08:21 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:42 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
08:42 -!- FatDarrel [~anandab@199.116.72.195] has quit [Client Quit]
08:45 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:46 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
09:08 -!- makara [~makara@41.164.22.218] has quit [Read error: Operation timed out]
09:22 -!- lj [~l@192.241.174.169] has joined #openvpn
09:25 < hyper_ch> hmmmm, question: I have a server with IP 1.2.3.4 and a server with IP 6.7.8.9. On both servers I run openvpn server and would like to connect to both of them with my computer. I know they must provide different subnets as vpn but can I use same port and protocol on the client side? e.g. both server run on 1194 UDP? or would that conflict on me as client?
09:34 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 252 seconds]
09:36 -!- nocturn [~nocturn@unaffiliated/nocturn] has left #openvpn ["Ex-Chat"]
09:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:05 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
10:05 -!- moviuro__ [~moviuro@130.37.152.87] has quit [Quit: Bye!]
10:06 -!- dimitry7 [~antonello@187.188.84.149] has joined #openvpn
10:09 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 252 seconds]
10:11 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
10:11 -!- Morley93 [~Morley93@carmine.feralhosting.com] has joined #openvpn
10:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
10:29 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 265 seconds]
10:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:31 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
10:33 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Ping timeout: 255 seconds]
10:40 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
11:02 -!- dimitry7 [~antonello@187.188.84.149] has quit [Quit: Leaving]
11:04 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
11:24 -!- happy_nodes [~happy_nod@193.172.141.217] has joined #openvpn
11:34 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
11:35 -!- Guest39270 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Read error: Operation timed out]
11:38 -!- mears11 [~mears11@c-71-237-20-112.hsd1.co.comcast.net] has joined #openvpn
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:39 -!- Ko_lo is now known as Guest63307
11:40 -!- Aliekezhi [~Aliekezhi@80.215.210.65] has joined #openvpn
11:41 -!- happy_nodes [~happy_nod@193.172.141.217] has quit [Ping timeout: 240 seconds]
11:43 < mears11> nub question here...I have an OpenVPN network setup at home.  My private network is 192.168.1.x/24 and my VPN is 192.168.137.x/24.  When I connect a device to the VPN everything think works great *unless* the device is also on a private network configured as 192.168.1.x/24.  In this case, when the external device is connected to my VPN, it cannot connect to devices on my home network via IP as it attempts to reach devices on its own
11:43 < mears11>  private network
11:44 < mears11> is this the expected behavior or do I have a configuration problem?  I'm thinking about moving my home network off 192.168.1.x/24 to something a bit less standard to avoid such conflicts.
11:58 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:01 -!- eN_Joy [~zhou3594@dhcp-105-41.rccc.ou.edu] has quit [Quit: leaving]
12:02 -!- justinzane [~justinzan@64.234.62.62] has quit []
12:04 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
12:23 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:41 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 252 seconds]
12:45 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
12:50 -!- kaneonuskatew [~r@unaffiliated/kaneonuskatew] has joined #openvpn
12:54 < kaneonuskatew> Hi. I'm having this weird problem where I'm getting the message "CRL CHECK FAILED ... is REVOKED" when connecting to my OpenVPN server using the cert file I have just created. Does anyone know why this is happening?
12:58 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
13:02 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:03 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
13:05 -!- Aliekezhi [~Aliekezhi@80.215.210.65] has quit [Ping timeout: 255 seconds]
13:07 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
13:11 < roentgen> mattock: Hi, I would like to set up a build slave -- x64 Archlinux
13:11 < roentgen> if there is an actual need for such a common arch
13:12 <@mattock> roentgen: we don't have that one, so it would be welcome
13:12 < roentgen> nice to hear that
13:12 <@mattock> have builds on that platform been breaking by any chance?
13:12 < roentgen> I already have an account, roentgen
13:12 < roentgen> not really as much as I know
13:12 -!- Aliekezhi [~Aliekezhi@80.215.210.65] has joined #openvpn
13:19 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:19 -!- ShadniX [dagger@p57941AB0.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
13:20 < roentgen> mattock: how will this go? is it OK to have a build slave on that?
13:21 -!- ShadniX [dagger@p57941AB0.dip0.t-ipconnect.de] has joined #openvpn
13:21 <@mattock> roentgen: let me find the docs...
13:21 -!- kaneonuskatew [~r@unaffiliated/kaneonuskatew] has quit [Quit: leaving]
13:21 < roentgen> :) ok thanks
13:22 <@mattock> docs are here: https://community.openvpn.net/openvpn/wiki/SettingUpBuildslave
13:22 <@vpnHelper> Title: SettingUpBuildslave – OpenVPN Community (at community.openvpn.net)
13:22 -!- TheRealSjr [~sjr@216.239.45.71] has joined #openvpn
13:23 < roentgen> mattock: yes, I come here from there. I'm at 4. Configure buildslave (ask for instructions from samuli)
13:24 <@mattock> ok :)
13:24 <@mattock> I'm in the middle of a meeting
13:24 < roentgen> no hurry ;)
13:24 <@mattock> can you PM me your email or something so that I can send you the instructions, say, next monday?
13:24 <@mattock> I will need to update the buildslave docs too, they're somewhat out of date
13:24 -!- RaiNerTsuFal [~RaiNerTsu@37.235.55.158] has quit [Quit: Conversation terminated!]
13:35 -!- RaiNerTsuFal [~RaiNerTsu@37.235.55.158] has joined #openvpn
13:37 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
13:38 < pekster> mears11: Yes, you'll run into problems with duplicate networks, so you'd best avoid common nets for the VPN or LANs you're exposing over the VPN. You can do crazy things like bi-directional NAT, but that's just ugly
13:39 < pekster> recent openvpn versions offer a rather crude hack in the form of the --client-nat option, but if you can re-number, I'd suggest going that route
13:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:45 -!- deeville [~deeville@38.117.108.108] has quit [Ping timeout: 252 seconds]
13:53 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
13:57 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-hkzbxjzpzwipjfhw] has quit [Ping timeout: 258 seconds]
14:03 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
14:04 -!- capri [svedrin@ketos.funzt-halt.net] has quit [Ping timeout: 246 seconds]
14:06 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
14:07 -!- Beta2K_ [~Beta2K@2607:f1c0:841:4eff::120] has joined #openvpn
14:07 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 246 seconds]
14:07 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
14:07 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::120] has quit [Ping timeout: 246 seconds]
14:07 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-jxxqllbsqgxnzoss] has quit [Ping timeout: 246 seconds]
14:07 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has quit [Ping timeout: 246 seconds]
14:07 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Ping timeout: 246 seconds]
14:08 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 247 seconds]
14:08 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 247 seconds]
14:09 -!- mback2k__ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has joined #openvpn
14:09 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Ping timeout: 247 seconds]
14:09 -!- mback2k__ is now known as mback2k_
14:10 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 245 seconds]
14:10 -!- BlackBishop [dexter@ipv6.d3xt3r01.tk] has quit [Ping timeout: 246 seconds]
14:11 < mears11> pekster: thanks, I'll likely change my home network, but will peek at the --client-nat option.  Thanks for the response :)
14:11 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Read error: Connection reset by peer]
14:12 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:13 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:13 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-xkrmqwesttsbdqob] has joined #openvpn
14:13 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
14:14 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
14:14 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
14:14 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
14:14 -!- capri [svedrin@ketos.funzt-halt.net] has joined #openvpn
14:18 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 252 seconds]
14:19 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
14:22 -!- fred`` [fred@earthli.ng] has joined #openvpn
14:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:24 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-wkwarppjztnfimsp] has joined #openvpn
14:26 -!- BlackBishop [dexter@2001:470:1f0b:1186::1] has joined #openvpn
14:44 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
15:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 252 seconds]
15:01 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:43 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:47 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:50 -!- hyper_ch [~hyper_ch@149.154.159.210] has left #openvpn ["Konversation terminated!"]
15:55 -!- Aliekezhi [~Aliekezhi@80.215.210.65] has quit [Remote host closed the connection]
16:05 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:07 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
16:34 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [K-Lined]
16:43 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
16:49 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
16:53 -!- michaelhart [~michaelha@162.209.54.120] has quit [Client Quit]
17:09 -!- lj [~l@adsl-99-155-19-117.dsl.peoril.sbcglobal.net] has joined #openvpn
17:14 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
17:19 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
17:20 -!- lj [~l@adsl-99-155-19-117.dsl.peoril.sbcglobal.net] has quit [Ping timeout: 265 seconds]
17:22 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:30 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
17:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:37 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
17:46 -!- mears11 [~mears11@c-71-237-20-112.hsd1.co.comcast.net] has quit [Quit: Leaving]
17:51 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 252 seconds]
17:57 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:58 -!- klein [~klein@177.101.105.94] has joined #openvpn
17:58 -!- klein [~klein@177.101.105.94] has quit [Changing host]
17:58 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
17:58 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
18:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
18:01 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
18:01 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:01 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Operation timed out]
18:01 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Read error: Operation timed out]
18:02 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
18:03 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
18:05 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:09 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
18:13 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
18:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:30 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:49 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
19:03 -!- [MG]Proliner [~Proliner@kbl-tnz7242.zeelandnet.nl] has joined #openvpn
19:04 < [MG]Proliner> Oh hello there ladies and gentelmen
19:04 < [MG]Proliner> !welcome
19:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
19:04 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:04 < [MG]Proliner> !howto
19:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:24 -!- FatDarrel [~anandab@50.242.126.113] has quit [Quit: FatDarrel]
19:29 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 246 seconds]
19:34 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
19:39 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
19:40 -!- Morley93 [~Morley93@carmine.feralhosting.com] has quit [Quit: ZNC - http://znc.in]
19:42 -!- Thermi_ [~Thermi@unaffiliated/thermi] has joined #openvpn
19:42 -!- Martin`_ [martin@shell.ipv6.octocore.net] has joined #openvpn
19:48 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
19:48 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
19:48 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 246 seconds]
19:48 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
19:48 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 246 seconds]
19:48 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
19:48 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
19:48 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 246 seconds]
19:48 -!- capri [svedrin@ketos.funzt-halt.net] has quit [Ping timeout: 246 seconds]
19:48 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has quit [Ping timeout: 246 seconds]
19:48 -!- Mathias [M@unaffiliated/mathias] has quit [Ping timeout: 246 seconds]
19:48 -!- Martin`_ is now known as Martin`
19:48 -!- Thermi_ is now known as Thermi
19:48 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 246 seconds]
19:48 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:48 -!- Mathias [M@unaffiliated/mathias] has joined #openvpn
19:50 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
19:51 -!- [MG]Proliner [~Proliner@kbl-tnz7242.zeelandnet.nl] has quit []
20:13 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
20:14 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
20:14 -!- fred`` [fred@earthli.ng] has joined #openvpn
20:14 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
20:16 -!- capri [svedrin@ketos.funzt-halt.net] has joined #openvpn
20:17 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
20:19 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
20:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:34 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
20:34 -!- qwertyoruiop is now known as Guest92930
20:39 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 240 seconds]
20:42 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
20:58 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
20:59 -!- FatDarrel [~anandab@199.116.72.195] has joined #openvpn
20:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:00 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Remote host closed the connection]
21:04 -!- aji [~alex@atheme/member/aji] has quit [Quit: Segmentation fault (aji dumped)]
21:07 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
21:11 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:11 -!- mode/#openvpn [+v hazardous] by ChanServ
21:14 -!- FatDarrel [~anandab@199.116.72.195] has quit [Quit: FatDarrel]
21:21 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
21:22 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
21:24 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
21:24 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:24 -!- mode/#openvpn [+v hazardous] by ChanServ
21:27 -!- agentbob [anonymoose@unaffiliated/agentbob] has quit [Ping timeout: 250 seconds]
21:28 -!- agentbob [anonymoose@unaffiliated/agentbob] has joined #openvpn
21:36 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
21:39 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
21:44 -!- Guest92930 [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has left #openvpn []
21:45 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has joined #openvpn
21:47 -!- qwertyoruiop [~hax@1.shulgin.dc1.nl.tor.exit.node.qwertyoruiop.com] has quit [K-Lined]
22:04 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
22:13 -!- Guest6680 [~hax@93.174.90.31] has joined #openvpn
22:45 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
22:47 -!- Guest6680 [~hax@93.174.90.31] has left #openvpn []
23:00 -!- thefinn93 [~finn@unaffiliated/thefinn93] has quit [Quit: cya]
23:20 -!- Psil0Cybin [~psil0cybi@unaffiliated/psil0cybin] has joined #openvpn
23:20 < Psil0Cybin> hey guys If I am using a VPN and it tells me to connect using openVPN and to set IPv4 settings to Automatic (VPN) Addresses Only - i have done this, but it does not work for me - but setting Automatic (VPN) does, does anyone know what the difference is? and why my VPN provider would suggest to pick Automatic (VPN) Addresses Only?
23:28 < Psil0Cybin> i am assuming it is because i am not specifiying a DNS?
23:28 < Psil0Cybin> so what is the difference between settings VPN Automatic and VPN automatic addressses only?
23:37 -!- Guest63307 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:39 -!- Ko_lo is now known as Guest19288
23:44 -!- lj [~l@74.120.203.218] has joined #openvpn
23:52 -!- aji [~alex@atheme/member/aji] has joined #openvpn
23:56 -!- ShadniX [dagger@p57941AB0.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:58 -!- ShadniX [dagger@p5DDFC98A.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Apr 25 2014
00:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
00:15 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
00:55 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:55 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-skjtrmuqxjgeahdc] has quit [Read error: Operation timed out]
00:57 < mnathani> Whats the easiest way to generate an openvpn config file for my client that is connecting to a pfsense openvpn server?
00:59 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-gnxlecjgaefbyygp] has joined #openvpn
00:59 -!- ISmithers_ [~ISmithers@mail.tinyillusion.com] has joined #openvpn
01:00 < ISmithers_> Hi all, to use OpenVPN on my android phone, are the only files I need the client.crt and the .ovpn config file?
01:01 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has joined #openvpn
01:03 < Psil0Cybin> hey guys If I am using a VPN and it tells me to connect using openVPN and to set IPv4 settings to Automatic (VPN) Addresses Only - i have done this, but it does not work for me - but setting Automatic (VPN) does, does anyone know what the difference is? and why my VPN provider would suggest to pick Automatic (VPN) Addresses Only?
01:03 < Psil0Cybin> how on Linux can I find out what DNS Server I am accessing
01:03 < Psil0Cybin> in order to find out if i have a DNS Leak?
01:07 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:07 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:07 -!- mattock_afk is now known as mattock
01:18 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:32 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
02:05 -!- bertodsera [~quassel@97e48243.skybroadband.com] has quit [Remote host closed the connection]
02:06 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:06 -!- mode/#openvpn [+o mattock] by ChanServ
02:12 < Linmu> Psil0Cybin: maybe you can check /etc/resolv.conf for your current DNS servers
02:13 < ACKNAK> is still possible to use several instances with same "ifconfig-pool-persist"?
02:14 < ACKNAK> seems like instances overwrite it now o_O
02:14 < ACKNAK> and clients get same ip's
02:15 < Psil0Cybin> ty so much Linmu
02:16 < ACKNAK> baaawww...
02:19 -!- RaiNerTsuFal [~RaiNerTsu@37.235.55.158] has quit [Quit: Conversation terminated!]
02:20 -!- master_o1_master [~master_of@p4FF242D8.dip0.t-ipconnect.de] has joined #openvpn
02:21 -!- RaiNerTsuFal [~RaiNerTsu@37.235.55.158] has joined #openvpn
02:23 -!- master_of_master [~master_of@p4FF246FC.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
02:26 < ACKNAK> but this was fine... https://forums.openvpn.net/topic10473.html
02:26 <@vpnHelper> Title: OpenVPN Support Forum Server on several ports with same config? : Configuration (at forums.openvpn.net)
02:26 < ACKNAK> I feel like I've used a bug and now it is fixed ._.
02:28 < ACKNAK> oh oh chmoded on ipp, something changed!
02:30 < ACKNAK> nah its still rewritten by last instance accessed it
02:31 < ISmithers_> Well this is annoying, I can connect via my phone to my vpn server, but it's not using any of my certs or anything. :<
02:32 < ISmithers_> I haven't even imported a certificate yet.
02:37 < ISmithers_> OK now it requires a cert.
02:41 < ACKNAK> cool, I still could use same address range on several instances with ifconfig-push in CCD
02:46 < ISmithers_> No I like, still not required it seems.
02:49 < ISmithers_> Anyone know how I specify that users must connect via valid ssl certs, and not let them connect via username/password credentials?
02:51 -!- kwork [~georg@unaffiliated/kwork] has quit [Ping timeout: 276 seconds]
02:52 -!- kwork [~georg@no.life.ee] has joined #openvpn
02:52 -!- kwork [~georg@no.life.ee] has quit [Changing host]
02:52 -!- kwork [~georg@unaffiliated/kwork] has joined #openvpn
02:56 < ACKNAK> how do you auth via user:passwd? :O
02:56 < ACKNAK> xD
02:57 < ISmithers_> Well this is on Android using the OpenVPN client. I import my ovpn profile file, which has my server address, then enter my user/pass and click connect. It connects successfully.
02:57 < ISmithers_> Should that not be ACKNAK?
02:58 < ACKNAK> I used it only for linux machines
02:58 < ISmithers_> Ah OK
02:58 < ISmithers_> Well it's pretty irritating because I want to use my certs.
02:58 < ISmithers_> But it seems to not even check for them.
02:59 < Aketzu> ACKNAK: umh... using same ip range for two openvpn instances is extremely hard to get working
02:59 < ACKNAK> Aketzu, I get lots of Route strings but it works fine with several clients
02:59 < Aketzu> because then operating system cannot route traffic anymore since there are two equal but different routes
03:00 < Aketzu> tap or tun?
03:00 < ACKNAK> tun\
03:00 < ACKNAK> 192.168.128.0   *               255.255.128.0   U     0      0        0 tun1
03:00 < ACKNAK> 192.168.128.0   *               255.255.128.0   U     0      0        0 tun2
03:00 < ACKNAK> etc..
03:00 < ACKNAK> but for clients I get direct static routes
03:00 < Aketzu> oh yes... you make routes for individual clients
03:00 < ACKNAK> 192.168.128.13  *               255.255.255.255 UH    0      0        0 tun3
03:00 < ACKNAK> yes
03:01 < ACKNAK> but I'm not sure if it would be still fine when I'd get 200+ clients
03:01 < Aketzu> I'd guess with more clients you end up having more conflicts
03:01 < Aketzu> why you couldn't have two different subnets?
03:02 < ACKNAK> I want to have database with static IPs of OpenVPN-Clients/routers so I'd be able to to SSH to 22 port and be PAT'ed to severer behind OpenVPN-Clients/routers
03:03 < ACKNAK> that tunnels for statistics and managment
03:03 < Aketzu> so no matter whether they connect by udp or tcp you want still the same address
03:04 < ACKNAK> I use only UDP because TCP is too slow
03:04 < Aketzu> well... I have "database" called DNS and I can use always the same name for same device no matter which IP it's using
03:05 < ACKNAK> oooh DNS...
03:05 < ACKNAK> that could do it :O
03:05 < Aketzu> added client-connect + client-disconnect script which just make dynamic dns update to local server
03:06 < ACKNAK> ccccc...could you show them please :D
03:06 < Aketzu> yeah... just making some cleanups
03:08 < Aketzu> ACKNAK: https://gist.github.com/Aketzu/11281584
03:08 <@vpnHelper> Title: OpenVPN DNS update script (at gist.github.com)
03:10 < ACKNAK> :3
03:10 < ACKNAK> wooooah thanks a lot!
03:11 < ACKNAK> yeah that would be much better than same IP range
03:12 -!- mattock is now known as mattock_afk
03:14 < ISmithers_> This is irritating. How do I disable username/password auth?
03:14 -!- Denial [Denial@176.250.235.182] has quit [Read error: Connection reset by peer]
03:17 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:22 -!- Denial [Denial@176.250.235.182] has joined #openvpn
03:33 -!- Psil0Cybin [~psil0cybi@unaffiliated/psil0cybin] has quit [Quit: You know you're gonna miss me when I'm gone]
03:36 -!- hyper_ch [~hyper_ch@149.154.159.210] has joined #openvpn
03:37 -!- hyper_ch [~hyper_ch@149.154.159.210] has left #openvpn ["Konversation terminated!"]
03:56 -!- tapout [~tapout@unaffiliated/tapout] has quit [Quit: ZNC - http://znc.sourceforge.net]
03:56 < ISmithers_> If I remove auth_user_pass from my ovpn profile file, then it removes the fields from the client, so there is no option to enter them.
03:57 < ISmithers_> But the user could just add that to that profile file. Then they can login with username and password again.
03:57 <@plaisthos> Yeah it is the server which decides which authentication is valid and not the client
04:01 < ISmithers_> Is that in server.conf plaisthos?
04:01 < ISmithers_> I've been searching for about 3 hours now, and cannot find it.
04:04 < ISmithers_> client-cert-not-required is commented out, and there is no auth-user-pass set anywhere.
04:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:11 < ISmithers_> Well I have no idea, pretty ridiculous a user can just add that and circumvent needing a certificate!
04:15 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
04:49 -!- steveeJ [~junky@client268.amh.kn.studentenwohnheim-bw.de] has joined #openvpn
04:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
04:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
05:12 < ISmithers_> Ahah! Found it.
05:12 < ISmithers_> Bloody plugin, radius was doing it.
05:22 -!- mback2k_ is now known as mback2k
05:42 -!- u0m3 [~u0m3@109.96.138.238] has quit [Read error: Connection reset by peer]
05:46 -!- u0m3 [~u0m3@92.80.97.184] has joined #openvpn
05:53 -!- xMopxShell [~xMopxShel@198.27.127.96] has quit [Remote host closed the connection]
06:03 -!- u0m3 [~u0m3@92.80.97.184] has quit [Read error: Connection reset by peer]
06:04 -!- u0m3 [~u0m3@92.80.105.235] has joined #openvpn
06:05 -!- mattock_afk is now known as mattock
06:07 -!- u0m3_ [~u0m3@109.96.187.36] has joined #openvpn
06:10 -!- u0m3 [~u0m3@92.80.105.235] has quit [Ping timeout: 252 seconds]
06:12 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
06:16 < ISmithers_> How do IP ranges work with VPNs in relation to the LAN?
06:16 < ISmithers_> So I connect to my LAN which has the usual 192.168.1.x range and the VPN gives my device an IP in the 10.5.21.x range.
06:17 < ISmithers_> What do I need to do to view/see my LAN networks?
06:18 -!- dcorbin [~dcorbin@unaffiliated/dcorbin] has joined #openvpn
06:19 < dcorbin> I'm trying to setup my linux desktop as the server-end of an openvpn connection.
06:19 < dcorbin> I've been following the instructions here: http://blog.acmelab.org/2008/07/20/mac-os-x-openvpn-bridge-ssh-tunnel-vpn-goodness/
06:19 <@vpnHelper> Title: Mac OS X + OpenVPN bridge + SSH Tunnel = VPN goodness (at blog.acmelab.org)
06:20 < dcorbin> When I bring up "br0", my eth0 loses it's IP address. Suggestions for what I have misconfigured are welcome.
06:20 <@plaisthos> dcorbin: that is expected
06:21 < dcorbin> And general non-secure communication on my desktop will use what interface?
06:22 < dcorbin> (i.e., it wasn't expected by me, and I don't think it's what I want).
06:25 -!- mattock is now known as mattock_afk
06:25 < dcorbin> plaisthos, I'm simply trying to provide an alternative way to access my system/LAN.  I don't want other changes. I should be "additive".
06:29 <@plaisthos> yeah
06:29 <@plaisthos> but that is who linxu-bridge works
06:29 <@plaisthos> !notopenvpn
06:29 <@vpnHelper> "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
06:31 < pekster> dcorbin: Use a routed VPN
06:31 < pekster> If you bridge, you need to do the bridging in your OS, which requires distro-specific tasks
06:32 < pekster> bridging is best avoided becuase of that reason: it is more complicated. People think it's easier, but routing is actually easier since it has less moving parts
06:32 < pekster> !tunortap
06:32 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
06:32 <@vpnHelper> rooted/jailbroken) support only tun
06:37 < dcorbin> I think I really want bridge, but I'm still reading.  And I guess I'll have to understand linux-specific bridging
06:44 < pekster> Why do you need frame transport?
06:45 -!- dcorbin [~dcorbin@unaffiliated/dcorbin] has quit [Ping timeout: 265 seconds]
06:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:51 -!- dcorbin [~dcorbin@develop-60.np.zcorum.com] has joined #openvpn
06:52 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:54 -!- dcorbin [~dcorbin@develop-60.np.zcorum.com] has quit [Changing host]
06:54 -!- dcorbin [~dcorbin@unaffiliated/dcorbin] has joined #openvpn
06:57 -!- dcorbin_ [~dcorbin@develop-56.np.zcorum.com] has joined #openvpn
06:58 -!- dcorbin_ [~dcorbin@develop-56.np.zcorum.com] has quit [Changing host]
06:58 -!- dcorbin_ [~dcorbin@unaffiliated/dcorbin] has joined #openvpn
06:58 -!- dcorbin [~dcorbin@unaffiliated/dcorbin] has left #openvpn ["Leaving"]
06:59 < dcorbin_> If there was a replay to my last question, please resend.  I "fear" I lost something while changing interfaces around.  (Now chatting on safe connection)
07:06 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
07:06 -!- dcorbin [~dcorbin@unaffiliated/dcorbin] has joined #openvpn
07:07 -!- dcorbin [~dcorbin@unaffiliated/dcorbin] has quit [Remote host closed the connection]
07:13 -!- dcorbin_ [~dcorbin@unaffiliated/dcorbin] has quit [Quit: This computer has gone to sleep]
07:13 -!- tapout_ [~tapout@unaffiliated/tapout] has joined #openvpn
07:14 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
07:21 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:22 -!- ChrisH [~dg7pc@dslb-088-077-175-093.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
07:22 -!- IllOf [~arad@backtrack/hispanic-community-member/illuminatus] has joined #openvpn
07:23 -!- ChrisH [~dg7pc@dslb-092-072-165-245.pools.arcor-ip.net] has joined #openvpn
07:30 -!- lj [~l@74.120.203.218] has quit [Quit: Leaving.]
07:34 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
07:37 -!- steveeJ [~junky@client268.amh.kn.studentenwohnheim-bw.de] has left #openvpn ["Leaving"]
07:39 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
07:52 -!- mattock_afk is now known as mattock
07:54 -!- ron_ [~ron@ppp118-210-9-147.lns20.adl2.internode.on.net] has quit [Ping timeout: 264 seconds]
07:58 -!- liviu [~lfx@self-aware.evilmachines.net] has joined #openvpn
08:01 -!- ron_ [~ron@ppp121-45-28-63.lns20.adl2.internode.on.net] has joined #openvpn
08:25 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
08:34 -!- afuentes [~afuentes@213.37.131.197.static.user.ono.com] has quit [Quit: Leaving]
08:40 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
08:47 -!- mback2k is now known as mback2k_
09:08 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has joined #openvpn
09:08 < gigo1980> hi all
09:08 < gigo1980> i have small question how is it posible to say that an user should get an defined email ?
09:14 <@plaisthos> wrong channel?
09:14 <@plaisthos> I am not sure what email sending has to do with OpenVPN
09:14 -!- mode/#openvpn [-o plaisthos] by plaisthos
09:29 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Quit: Leaving]
09:52 -!- ISmithers_ [~ISmithers@mail.tinyillusion.com] has left #openvpn []
10:10 < gigo1980> sorry i mean defined ip address ;)
10:13 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has quit [Quit: Leaving.]
10:18 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
10:29 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
10:30 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
10:36 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, Chrisje, Olipro, Haigha, Ulrar, fred``, SlutaTramsa
10:45 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
10:46 -!- Netsplit over, joins: codehero, Haigha, haasn, Chrisje, capri, fred``, Ulrar, SlutaTramsa
10:46 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has joined #openvpn
10:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
10:47 -!- IllOf [~arad@backtrack/hispanic-community-member/illuminatus] has quit [Ping timeout: 240 seconds]
10:51 -!- troyt [~troyt@2601:7:6200:14c2:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
10:56 -!- troyt [~troyt@c-67-161-211-139.hsd1.ut.comcast.net] has joined #openvpn
11:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:09 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 276 seconds]
11:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:32 -!- mode/#openvpn [+v s7r] by ChanServ
11:36 -!- Guest19288 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
11:36 -!- MadTBone_ [~MadTBone@160.39.238.199] has quit [Remote host closed the connection]
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:39 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:39 -!- Ko_lo is now known as Guest46083
11:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:42 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:56 -!- Aliekezhi [~Aliekezhi@57.141.122.78.rev.sfr.net] has joined #openvpn
12:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:23 -!- u0m3_ [~u0m3@109.96.187.36] has quit [Read error: Connection reset by peer]
12:26 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has joined #openvpn
12:27 -!- u0m3 [~u0m3@92.80.88.11] has joined #openvpn
12:30 -!- lj [~l@na-ad-guest-lwap-ar01.cat.com] has quit [Ping timeout: 240 seconds]
12:44 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Quit: ZNC - http://znc.in]
12:45 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has joined #openvpn
13:00 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit []
13:01 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
13:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:15 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
13:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:32 < VlperX> ahoy, I'm having issues connecting to my vpn using ubuntu - http://paste.ubuntu.com/7331711/
13:37 -!- Aliekezhi [~Aliekezhi@57.141.122.78.rev.sfr.net] has quit [Remote host closed the connection]
13:49 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
13:49 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
13:49 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
13:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:03 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
14:08 <@krzee> if that guy comes back, tell him that a) that is NOT an openvpn log, b) pptp is NOT openvpn.
14:08 <@Eugene> Which one
14:08 <@krzee>  <VlperX> ahoy, I'm having issues connecting to my vpn using ubuntu - http://paste.ubuntu.com/7331711/
14:09 <@krzee> i wasted like an hour of my life trying to get his logfile the other day before deciding that he is hopeless and should not run a vpn
14:10 <@krzee> then we got his log finally and he didnt have tun in his openvz kernel, remember that?
14:11 -!- gigo1980 [~Adium@pD954C019.dip0.t-ipconnect.de] has joined #openvpn
14:13 -!- gigo1980 [~Adium@pD954C019.dip0.t-ipconnect.de] has quit [Client Quit]
14:31 <@Eugene> We get so many of those guys
14:31 <@Eugene> If people don't paste logs I immediately go to fuck 'em
14:31 <@Eugene> 99% of the problems in here can be solved by the bot
14:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:41 -!- michaelhart [~michaelha@192.237.177.15] has left #openvpn []
14:42 <@krzee> yep
14:43 <@krzee> and every now and then people join and do it? makes me happy every time
14:43 < Aketzu> e.g. restores faith in humanity :)
14:43 <@krzee> yes, it does
14:44 < Aketzu> I die a little every time when my relatives use google search bar to search for google and then type their query in www.google.com
14:45 <@Eugene> At least they aren't binging for www.google.com
14:46 <@Eugene> I will say this for GOogle: they've really established a brand there.
14:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:56 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
15:02 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 252 seconds]
15:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:07 <@Eugene> !easy-rsa
15:07 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
15:09 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
15:12 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
15:22 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:29 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
15:39 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
15:39 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
15:39 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
15:39 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
15:45 < jeev> krz0r, around ?
15:48 <@krzee> sup
15:53 -!- simon0181 [~vinise@78-23-152-207.access.telenet.be] has joined #openvpn
15:55 < simon0181> hi all, i'm trying to setup some fixed ip for some client ... i did add a client-config-dir with files with correct name but it doesn't take it into consideration any clue?
16:01 <@krzee> maybe wrong permissions on the file
16:01 <@krzee> it must be readable by the user/group that openvpn is running as, if you use --user / group that means that user/group
16:02 <@krzee> or maybe a chroot issue?
16:06 < simon0181> nobody/nogroup ... already did a chown on all openvpn folder
16:06 < simon0181> no success
16:08 < simon0181> chmod 777 an all folder doesnt change anythink
16:09 < simon0181> here is my server configuration : http://pastebin.com/312h300u
16:11 < Aketzu> I also tried to use tun+subnet+ccd static ip's but it didn't work for some reason
16:11 < Aketzu> then I setup DNS updates and was happier with it :)
16:12 < simon0181> what do you mean by dns updates?
16:12 < Aketzu> dynamic dns... when client connects it puts its name+ip to dns
16:13 < Aketzu> like this https://gist.github.com/Aketzu/11281584
16:13 <@vpnHelper> Title: OpenVPN DNS update script (at gist.github.com)
16:15 -!- kwork [~georg@unaffiliated/kwork] has quit [Ping timeout: 265 seconds]
16:16 < simon0181> Mmm it's not gonna be ok for me :/
16:16 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
16:22 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
16:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:29 -!- mexjerry [~jerry@64.31.33.64] has joined #openvpn
16:30 -!- mexjerry [~jerry@64.31.33.64] has quit [Quit: Konversation terminated!]
16:30 -!- mexjerry [~jerry@64.31.33.64] has joined #openvpn
16:30 -!- nlb [~nlb@ec2-54-213-101-245.us-west-2.compute.amazonaws.com] has quit [Changing host]
16:30 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
16:31 < mexjerry> any pointers for openvpn/hma howto?
16:31 < mexjerry> on a wireless router with dd-wrt
16:35 -!- simon0181 [~vinise@78-23-152-207.access.telenet.be] has quit [Ping timeout: 240 seconds]
16:36 -!- simon0181 [~vinise@78-23-152-207.access.telenet.be] has joined #openvpn
16:44 -!- simon0181 [~vinise@78-23-152-207.access.telenet.be] has quit []
16:53 -!- mattock is now known as mattock_afk
16:53 <@Eugene> !howto
16:53 -!- Mexjerry_ [~quassel@64.31.33.64] has joined #openvpn
16:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:56 -!- justaguy [~justaguy@unaffiliated/justaguy] has joined #openvpn
16:59 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
17:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
17:28 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:39 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
17:39 -!- Mexjerry_ [~quassel@64.31.33.64] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
17:49 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
18:04 -!- IllOf [~arad@245.Red-83-58-43.dynamicIP.rima-tde.net] has joined #openvpn
18:16 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
18:22 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:45 -!- acu [~acu@50.244.13.222] has joined #openvpn
18:48 -!- BreadProduct [~chatzilla@S0106c8fb2641d325.vc.shawcable.net] has joined #openvpn
18:51 < BreadProduct> Hmm hmm. So https://www.privateinternetaccess.com/pages/client-support/#windows_openvpn I followed these instructions. And I successfully connected just fine but when I verify that it's working by checking what google thinks my ip is, it's unchanged. Window 7 64 bit, I am running openvpn as administrator.
18:51 <@vpnHelper> Title: Client Support Area | Private Internet Access VPN Service (at www.privateinternetaccess.com)
18:52 < pekster> You want to seek support from the vendor selling that service. #openvpn is for GPL (open-source) products. See the /TOPIC for support of commercial software
18:57 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
18:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
18:58 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
19:03 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
19:05 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
19:09 -!- BreadProduct [~chatzilla@S0106c8fb2641d325.vc.shawcable.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 28.0/20140314220517]]
19:10 -!- klein [~klein@177.101.105.94] has joined #openvpn
19:10 -!- klein [~klein@177.101.105.94] has quit [Changing host]
19:10 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:12 -!- b0yz [~admin@222.124.213.90] has joined #openvpn
19:13 < b0yz> !configs
19:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:13 -!- b0yz [~admin@222.124.213.90] has left #openvpn []
19:13 -!- IllOf [~arad@245.Red-83-58-43.dynamicIP.rima-tde.net] has quit [Quit: leaving]
19:27 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:31 -!- mexjerry [~jerry@64.31.33.64] has quit [Ping timeout: 240 seconds]
19:54 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:55 -!- suzylee [~mariannee@unaffiliated/mariannee] has joined #openvpn
20:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Read error: Operation timed out]
20:27 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 264 seconds]
20:32 -!- defswork [~andy@141.0.50.105] has joined #openvpn
20:41 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
21:00 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:08 -!- suzylee is now known as oppie
21:08 -!- oppie is now known as LadyGaga
21:08 -!- LadyGaga is now known as suzylee
21:11 -!- suzylee [~mariannee@unaffiliated/mariannee] has quit [Read error: Connection reset by peer]
21:12 -!- m000gle [~m000gle@24-52-214-2.cable.teksavvy.com] has joined #openvpn
21:14 -!- m000gle [~m000gle@24-52-214-2.cable.teksavvy.com] has left #openvpn ["Leaving"]
21:29 -!- YokoOno [~mariannee@unaffiliated/mariannee] has joined #openvpn
21:46 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
22:03 < waynr> the example client config in debian 8 openvpn package includes a setting that I think may be incompatible with openvpn >= 2.1
22:04 < waynr> it sets 'ns-server-type server' rather than 'remote-cert-tls server' which according to https://openvpn.net/index.php/open-source/documentation/howto.html#pki is incorrect (i think)
22:04 <@vpnHelper> Title: HOWTO (at openvpn.net)
22:04 < waynr> just wanted to check in with more knowledgable folks here before posting a bug
22:05 < waynr> (on debian bug tracker that is)
22:08 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:16 -!- YokoOno [~mariannee@unaffiliated/mariannee] has quit [Quit: Leaving]
22:21 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
22:33 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 255 seconds]
22:50 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:53 -!- d10n [~d10n@unaffiliated/d10n] has left #openvpn ["Leaving"]
22:56 -!- acu [~acu@50.244.13.222] has quit [Remote host closed the connection]
22:58 -!- ShadniX [dagger@p5DDFC98A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
22:59 -!- ShadniX [dagger@p5DDFC98A.dip0.t-ipconnect.de] has joined #openvpn
23:01 -!- maskedlua is now known as auldeksam
23:06 -!- LadyJane [~mariannee@unaffiliated/mariannee] has joined #openvpn
23:06 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
23:17 -!- LadyJane [~mariannee@unaffiliated/mariannee] has quit [Quit: Leaving]
23:22 -!- gigo1980 [~Adium@p54854564.dip0.t-ipconnect.de] has joined #openvpn
23:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:36 -!- Guest46083 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 252 seconds]
23:38 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:39 -!- Ko_lo is now known as Guest22080
23:55 -!- ShadniX [dagger@p5DDFC98A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:57 -!- ShadniX [dagger@p5481CFAA.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Apr 26 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:00 < Fudge> hi, i have a config  file given to me by a friend and we are trying to communicate on a VPN together, but when I openvpn --config file all my traffic seems to use his connection and I only have that available, am I not understanding things correctly?
00:04 -!- gigo1980 [~Adium@p54854564.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
00:09 -!- _quadDam1ge [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
00:10 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer]
00:30 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 252 seconds]
00:42 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
00:43 -!- tapout_ is now known as tapout
00:48 -!- Intensity [fNUidPCJAu@unaffiliated/intensity] has quit [Ping timeout: 246 seconds]
01:18 <@Eugene> !redirect
01:18 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
01:18 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
01:18 <@Eugene> Fudge - you're doing that ^. You want to not be.
01:27 < Fudge> please tell me what I am doing wrong loL sorry for such a noob question. The same thing happens on my  phone
01:46 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 240 seconds]
01:55 -!- justinzane [~justinzan@64.234.62.62] has quit []
02:18 -!- Latrina [~Latrina@ppp-41-37.26-151.libero.it] has quit [Ping timeout: 264 seconds]
02:20 -!- Latrina [~Latrina@adsl-ull-188-198.50-151.net24.it] has joined #openvpn
02:24 -!- master_o1_master [~master_of@p4FF242D8.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
02:25 -!- master_of_master [~master_of@p4FD7BAD4.dip0.t-ipconnect.de] has joined #openvpn
02:30 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
02:39 -!- mattock_afk is now known as mattock
03:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
03:16 < Fudge> Eugene: ?
03:17 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
03:26 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:35 -!- ron__ [~ron@ppp118-210-240-193.lns20.adl6.internode.on.net] has joined #openvpn
03:38 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Ping timeout: 252 seconds]
03:38 -!- ron_ [~ron@ppp121-45-28-63.lns20.adl2.internode.on.net] has quit [Ping timeout: 240 seconds]
03:39 -!- Mimi_ [~mimi@akita.vtlx.cn] has joined #openvpn
03:40 -!- Mimi_ [~mimi@akita.vtlx.cn] has quit [Client Quit]
03:54 -!- mback2k_ is now known as mback2k
03:56 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
04:27 -!- mattock is now known as mattock_afk
04:48 -!- mback2k is now known as mback2k_
04:58 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
05:05 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:05 -!- mode/#openvpn [+v hazardous] by ChanServ
05:06 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
05:11 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
05:14 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:14 -!- mode/#openvpn [+v hazardous] by ChanServ
05:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:17 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
05:21 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
05:23 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Quit: Leaving]
05:27 -!- mattock_afk is now known as mattock
05:27 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
05:29 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
05:32 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has joined #openvpn
05:33 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:33 -!- mode/#openvpn [+v hazardous] by ChanServ
05:36 -!- mattock is now known as mattock_afk
05:37 -!- geeko [~geeko@1.23.228.152] has joined #openvpn
05:37 < Fudge> oh sorry I didnt see the post from the bot, I agree I dont want to do that loL
05:38 -!- Aliekezhi [~Aliekezhi@57.141.122.78.rev.sfr.net] has joined #openvpn
05:38 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
05:44 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:44 -!- mode/#openvpn [+v hazardous] by ChanServ
05:59 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
06:02 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
06:02 -!- mode/#openvpn [+v hazardous] by ChanServ
06:12 -!- qwertyoruiop [~hax@93.174.90.31] has joined #openvpn
06:12 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:14 -!- geeko [~geeko@1.23.228.152] has quit [Ping timeout: 240 seconds]
06:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
06:21 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:22 -!- ron__ is now known as ron_
06:23 -!- geeko [~geeko@1.23.228.152] has joined #openvpn
06:41 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
06:42 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
06:42 -!- mattock_afk is now known as mattock
07:04 -!- klein [~klein@177.101.105.94] has joined #openvpn
07:04 -!- klein [~klein@177.101.105.94] has quit [Changing host]
07:04 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:10 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:10 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
07:12 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:14 -!- MyMind is now known as Sembei
07:20 -!- justaguy [~justaguy@unaffiliated/justaguy] has quit []
07:21 -!- justaguy [~justaguy@gateway/tor-sasl/justaguy] has joined #openvpn
07:44 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:45 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
07:50 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:51 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 265 seconds]
07:53 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
07:57 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
07:58 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
08:10 -!- gigo1980 [~Adium@p54854564.dip0.t-ipconnect.de] has joined #openvpn
08:26 -!- gigo1980 [~Adium@p54854564.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
08:27 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
08:27 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 265 seconds]
08:27 -!- michaelhart_ is now known as michaelhart
08:28 -!- Beta2K_ [~Beta2K@2607:f1c0:841:4eff::120] has quit [Ping timeout: 265 seconds]
08:28 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::120] has joined #openvpn
08:29 -!- gehaxelt [~gehaxelt@2001:41d0:2:6189::1] has quit [Ping timeout: 240 seconds]
08:56 -!- vjacob [~vjacob@31.6.31.25] has joined #openvpn
09:01 -!- mattock is now known as mattock_afk
09:10 -!- d0wn_blog [~d0wn@business-ip-188-165-34-74.static.lu] has joined #openvpn
09:10 < d0wn_blog> hi
09:12 < d0wn_blog> did someone know how i could bind openvpn to an interface... at the end it should look like eth0 routes NOT! through vpn but eth1 routes through the vpn server...
09:12 < d0wn_blog> this should be done on a debian system
09:14 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
09:15 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
09:18 < plaisthos> that sound like policy routing
09:18 < plaisthos> !search policy
09:18 <@vpnHelper> There were no matching configuration variables.
09:23 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:26 -!- le0 [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has joined #openvpn
09:26 -!- le0 [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has quit [Changing host]
09:26 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
09:35 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 252 seconds]
09:43 < pekster> d0wn_blog: Routes are determined by the system's routing table. If you want some traffic to go via one gateway, and other traffic to go via another, you need multiple routing tables and rules to identify the traffic to send to non-default tables
09:43 < pekster> And on Linux you'll probably need to turn rp_filter off (it's a sysctl knob)
09:44 < d0wn_blog> pekster: hmm okay thanks for your help but it thing i should do it on another way :D
09:45 < pekster> There isn't another way. Policy routing on Linux requires at the very least a secondary routing table with a different default route, and at least 1 rule to send traffic there
09:45 < d0wn_blog> with another i mean withoug vpn ^^
09:47 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
09:48 -!- mexjerry [~jerry@189.165.8.18] has joined #openvpn
09:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:06 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:06 -!- mexjerry [~jerry@189.165.8.18] has quit [Ping timeout: 252 seconds]
10:09 -!- mexjerry [~jerry@189.165.91.192] has joined #openvpn
10:15 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
10:24 -!- lazarus477 [~lazarus@78-72-29-198-no191.tbcn.telia.com] has joined #openvpn
10:25 < lazarus477> I am having a slight issue with routing on a TUN based setup. I have two LANs, one on either side of the VPN. Both work fine. Problem is when trying to reach a 3rd LAN at the client end.
10:26 < lazarus477> The client end is a router device that allows local and remote traffic to route over the VPN connection, works like a charm.
10:26 < lazarus477> But at the client end is one more router and behind it a 3rd subnet. I am unable to reach that.
10:27 < plaisthos> !iroute
10:27 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:27 < lazarus477> I think the problem is routing and that I need to add a static route somewhere.
10:27 < plaisthos> that too probably
10:27 -!- ron___ [~ron@ppp118-210-183-6.lns20.adl6.internode.on.net] has joined #openvpn
10:28 < lazarus477> plaisthos: thanks, I shall check up on that. Adding the route to the kernel using "ip route add" did not help so I figured it must be a OVPN setting on the server.
10:30 -!- ron_ [~ron@ppp118-210-240-193.lns20.adl6.internode.on.net] has quit [Ping timeout: 240 seconds]
10:32 < pekster> The server needs an iroute in the ccd file (or --client-connect script, as an advanced alternative) for the route behind the VPN client (all routes.) The server itself also needs that route in a --route statement in the main config
10:33 < pekster> And if you wish to expose that client's route to other clients, don't forget to push it (or optionally define it in the other client's configs directly, though that's not as useful)
10:33 < pekster> The !iroute and !route references above are good starting resources
10:35 -!- mexjerry [~jerry@189.165.91.192] has quit [Ping timeout: 265 seconds]
10:40 -!- ron___ is now known as ron_
10:41 -!- samael [~earendil@multivac.valis-e.com] has joined #openvpn
10:41 < samael> hello
10:41 < waynr> hey how's it going pekster
10:42 < samael> !heartbleed
10:42 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
10:42 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
10:46 -!- vjacob [~vjacob@31.6.31.25] has quit [Ping timeout: 255 seconds]
10:55 < lazarus477> pekster: Thanks. I think I got the doc I need now. Since I already have things working between two LANs with VPN in the middle of it, I should be able to tackle this. It's just another subnet after all.
10:56 < pekster> Right. Just ensure the routing is correct on each system and you should be fine. The OpenVPN directives are just the --route and --iroute stuff (and of course pushing them to the right places)
10:56 < pekster> Other than that, it's all "just routing"
11:05 < samael> i'd like to have a clarification. i have an old openvpn server which uses a non-vulnerable openssl. but then i have some windows and android clients likely to be vulnerable. i use tls but i'm not 100% sure about some clients' integrity. what is advised to do in such a situation?
11:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
11:06 -!- Intensity [yuPDSdiPRA@unaffiliated/intensity] has joined #openvpn
11:06 < samael> i understand i have to re-generate the keys used in the windows/android clients. is it enough to update them to a safe version, and re-issue *only* their keys?
11:08 < pekster> Yes, so long as your server keys were never vulnerable its keypair is safe. Your CA isn't impacted, so as long as your CA PKI security is still in tact (unrelated to this bug) all you need to do is revoke & re-issue client certs (obviously using new keypairs -- a new cert with the same keypair doesn't do any good)
11:09 < samael> i assume that since the client is vulnerable, but the server isn't, a successful attacker could have accessed client's data, but server side is still safe. am I wrong?
11:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:10 < pekster> I'm not as familiar with how heartbleed can be used against TLS clients, but it might be possible for client private keys and session keys to have been leaked. This does potentially expose data over the pipe if you were attacked (including transit data, auth credentials with --auth-user-pass, or plaintext auth inside your tunnel)
11:11 < pekster> So, 1) upgrade your clients to safe versions, then have them re-generate new keypairs and have your CA issue fresh certs. Revoke the old ones and publish the CRL to your server. 2) if you used any authentication over the VPN that wasn't protected by a known-safe layer of encryption, best to change those passwords once the clients are protected
11:12 < pekster> #2 only matters "if you were attacked", but the paranoid assume a fatal bug for 2 years might have been leveraged against you
11:14 < samael> uhm, generating a new keypair server-side will impact my already working (and safe) clients in the same vpn?
11:15 < pekster> huh? Ideally you don't generate client-keys on your server. This said, people do out of convenience (it's basically a form of key-escrow) but that's your choice. General hardening recommendations on the wiki at !hardening if you want PKI advice
11:15 < pekster> It's not a security problem to the extent you trust the generation, storage, transport, and exchange of any key passphrases used
11:19 < samael> ok, i see. i historically had the pki on this vpn server itself because it's a simple way to share them to the admin staff. given this vpn/services architecture, if you access the server then a lot more than the pki itself is compromised, so it was deemed acceptable.
11:19 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:20 < samael> pekster: many thanks!
11:21 < pekster> Right, and some people like having all the eggs in 1 basket. It works unless you basket has holes, or someone steals your eggs when you copy them elsewhere :P
11:22 < pekster> "But wait, we put our eggs in an armored car. It's foolproof!" Al Capone: "heh."
11:30 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
11:35 -!- Guest22080 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Read error: Operation timed out]
11:39 < samael> pekster: :)
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:40 -!- Ko_lo is now known as Guest29334
11:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
11:53 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
11:54 -!- julius_ [~julius_@static.88-198-127-82.clients.your-server.de] has left #openvpn ["Verlassend"]
12:05 -!- Latrina [~Latrina@adsl-ull-188-198.50-151.net24.it] has quit [Ping timeout: 265 seconds]
12:08 -!- Latrina [~Latrina@adsl-ull-24-177.50-151.net24.it] has joined #openvpn
12:20 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
12:21 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
12:44 -!- Latrina [~Latrina@adsl-ull-24-177.50-151.net24.it] has quit [Ping timeout: 240 seconds]
12:50 -!- Latrina [~Latrina@adsl-ull-170-184.50-151.net24.it] has joined #openvpn
12:53 < lazarus477> pekster: I got it working.
12:54 < lazarus477> pekster: I also noticed I did something strange back when I originally set things up. I appear to have set the cilent end to bridged mode even though I run tun mode on the server end of things.
12:54 < lazarus477> pekster: I will have to try resetting the client to tun at some oportunity.
13:10 -!- acu [~acu@50.244.13.222] has joined #openvpn
13:13 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
13:33 < pekster> You don't bridge tun
13:33 < pekster> You also can't mix-and-match tun vs tap; tun is OSI L3 (IP packets) while tap is OSI L2 (Ethernet frames)
13:34 < pekster> Anyway, sounds like it's up and running now
13:44 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Quit: This computer has gone to sleep]
13:46 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
13:58 -!- master_o1_master [~master_of@p4FF24A36.dip0.t-ipconnect.de] has joined #openvpn
14:00 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
14:02 -!- master_of_master [~master_of@p4FD7BAD4.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
14:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:16 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:38 -!- mobilemeyhem [~AndChat48@2600:100e:b015:d858:143e:55d8:6f9c:a66a] has joined #openvpn
14:38 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 264 seconds]
14:38 < mobilemeyhem> Hello
14:38 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
14:39 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
14:43 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
14:43 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has joined #openvpn
14:44 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
14:44 -!- mode/#openvpn [+v hazardous] by ChanServ
14:45 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:46 < mobilemeyhem> Anybody in here have experience with proxpn? I'm trying to connect via openvpn but I don't know where to get the certificates
14:47 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 240 seconds]
14:47 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
14:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:53 -!- mobilemeyhem [~AndChat48@2600:100e:b015:d858:143e:55d8:6f9c:a66a] has quit [Quit: Bye]
14:53 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
14:58 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
14:58 -!- mode/#openvpn [+v hazardous] by ChanServ
15:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
15:06 -!- vjacob_ [~vjacob@94.191.188.56.bredband.3.dk] has joined #openvpn
15:09 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Ping timeout: 240 seconds]
15:10 -!- vjacob_ is now known as vjacob
15:13 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
15:26 -!- geeko [~geeko@1.23.228.152] has quit [Quit: Konversation terminated!]
15:37 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
15:59 -!- chingus [~jerry@64.31.33.156] has joined #openvpn
16:04 < lazarus477> Does iroute in a ccd config file get inserted into the kernel routing table at some point or do I need to add these routes manually to the servers OS:s network configuration?
16:17 -!- heraclitus__ [~heraclitu@208.64.66.92] has joined #openvpn
16:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Disconnected by services]
16:17 -!- heraclitus__ is now known as heraclitus
16:17 -!- heraclitus [~heraclitu@208.64.66.92] has quit [Changing host]
16:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
16:54 -!- vjacob [~vjacob@94.191.188.56.bredband.3.dk] has quit [Quit: This computer has gone to sleep]
16:54 -!- master_o1_master [~master_of@p4FF24A36.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
16:55 -!- master_of_master [~master_of@p4FD7BA84.dip0.t-ipconnect.de] has joined #openvpn
17:00 -!- vjacob [~vjacob@94.191.188.56.bredband.3.dk] has joined #openvpn
17:02 -!- VsioZashibis [~VsioZashi@unaffiliated/vsiozashibis] has quit [Quit: closing IRC]
17:03 -!- bears_ [~bears@unaffiliated/bears] has joined #openvpn
17:04 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
17:05 -!- bears_ is now known as bears
17:11 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:21 <@krzee> lazarus477, iroute has nothing to do with the kernel routing table whatsoever
17:21 <@krzee> !iroute
17:21 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
17:21 <@krzee> !route
17:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
17:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:34 -!- averagecase [~anon@dslb-092-072-141-147.pools.arcor-ip.net] has joined #openvpn
17:37 -!- vjacob [~vjacob@94.191.188.56.bredband.3.dk] has quit [Ping timeout: 240 seconds]
17:43 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
17:59 -!- paradox`` [~paradox@genld-224-226.t-mobile.co.uk] has joined #openvpn
18:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
18:02 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
18:05 -!- paradox`` [~paradox@genld-224-226.t-mobile.co.uk] has quit [Ping timeout: 240 seconds]
18:13 -!- gigo1980 [~Adium@p54854564.dip0.t-ipconnect.de] has joined #openvpn
18:13 -!- gigo1980 [~Adium@p54854564.dip0.t-ipconnect.de] has quit [Client Quit]
18:44 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:47 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
18:53 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 252 seconds]
18:55 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
19:01 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has joined #openvpn
19:01 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has quit [Changing host]
19:01 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
19:03 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Remote host closed the connection]
19:03 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has joined #openvpn
19:03 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has quit [Changing host]
19:03 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
19:13 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:15 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Remote host closed the connection]
19:16 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has joined #openvpn
19:16 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has quit [Changing host]
19:16 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
19:16 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
19:26 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
19:26 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
19:27 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:29 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Remote host closed the connection]
19:30 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:37 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Quit: This computer has gone to sleep]
19:37 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has joined #openvpn
19:37 -!- brianblaze420 [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has quit [Changing host]
19:37 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has joined #openvpn
19:38 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
19:40 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Client Quit]
19:43 -!- brianblaze420 [~admin@unaffiliated/brianblaze] has quit [Quit: brianblaze420]
19:43 -!- brianblaze [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has joined #openvpn
19:43 -!- brianblaze [~admin@bas4-montreal45-1177916022.dsl.bell.ca] has quit [Changing host]
19:43 -!- brianblaze [~admin@unaffiliated/brianblaze] has joined #openvpn
19:43 -!- master_of_master [~master_of@p4FD7BA84.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
19:45 -!- master_of_master [~master_of@p4FD7B03D.dip0.t-ipconnect.de] has joined #openvpn
19:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:55 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
19:58 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Remote host closed the connection]
19:59 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:59 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:01 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:04 < fol_tempus> Hello, I'm investigating slow uploads with openvpn. Here is the config file, server side: http://fpaste.org/97215/85603831/raw/ . Downloads happen at full speed. Uploading works, unless they're too big. If a single upload is bigger than ~1MB, that single upload hangs. I've tried with the default cipher and auth as well, so it shouldn't be a auth/cipher issue. I've also checked the server load (VPS), it's never over 5%.
20:06 < brianblaze> firewwall rule or something maybe?
20:06 < brianblaze> lol sorry for the lack of help
20:07 < fol_tempus> I don't believe to have anything fancy in iptables
20:08 < brianblaze> maybe the server has somethin fancy?
20:08 < brianblaze> i guess thats what u meant tho
20:09 < fol_tempus> well, if I ssh to the server and I try to upload something from there, it works fine
20:09 < brianblaze> so def not that
20:11 -!- averagecase [~anon@dslb-092-072-141-147.pools.arcor-ip.net] has quit [Quit: Verlassend]
20:12 < brianblaze> i as well have an iritating issue of it not working on my mac but i use my openvpn config file on my ipad and it works no problem
20:14 < brianblaze> anyone know what this means? 2014-04-26 21:12:02 *Tunnelblick: openvpnstart start school.tblk 1337 1 0 1 0 307 -ptADGNWradsgnw 2.2.1
20:14 < brianblaze>                                         Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/admin/school.tblk/Contents/Resources/config.ovpn:10: verify-x509-name (2.2.1)
20:14 < brianblaze>                                         Use --help for more information.
20:14 < brianblaze> 2014-04-26 21:12:02 *Tunnelblick: openvpnstart starting OpenVPN
20:17 -!- Jaimbo [~Jay@97e4034a.skybroadband.com] has joined #openvpn
20:17 < Jaimbo> Hi guys :) Finally got around to setting up OpenVPN on my server , hooray!
20:18 < Jaimbo> But I had a few questions, if someone would be so kind as to help?
20:19 < fol_tempus> brianblaze: From the openvpn manual, I read that "verify-x509-name" deprecates "tls-remote" in either OpenVPN 2.4 or 2.5. It seems you're using an older version of openvpn, that may not recognize that option in the ovpn file
20:20 < brianblaze> no way… i sweat i am using the latest version of tunnelblick
20:20 < brianblaze> swear*
20:20 < brianblaze> i am usimng the beta that is for mavericks
20:21 < brianblaze> maybe that is why
20:21 < fol_tempus> probably they are not using the last openvpn. Anyway, you may correct your .ovpn and replace verify-x509-name with tls-remote
20:23 < Jaimbo> I have been able to get my Android phone connecting to my OpenVPN but cannot seem to access any LAN elements over VPN?
20:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:33 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
20:42 -!- Jaimbo [~Jay@97e4034a.skybroadband.com] has quit [Quit: Leaving]
20:52 < brianblaze> after changing to tls-remote
20:52 < brianblaze> Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/admin/school.tblk/Contents/Resources/config.ovpn:11: tls-remote (2.2.1)
20:52 < brianblaze>                                         Use --help for more information.
20:52 < brianblaze> 2014-04-26 21:52:25 *Tunnelblick: openvpnstart starting OpenVPN
20:58 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 246 seconds]
21:01 < brianblaze> so it’s probably the ersion of the openvpn server is what i gather
21:05 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
21:13 -!- ron__ [~ron@ppp118-210-178-8.lns20.adl6.internode.on.net] has joined #openvpn
21:15 -!- ron_ [~ron@ppp118-210-183-6.lns20.adl6.internode.on.net] has quit [Ping timeout: 255 seconds]
21:25 -!- Monotoko [~Monotoko@unaffiliated/monotoko] has joined #openvpn
21:27 < Monotoko> hey - I have 192.168.10.0/24 routed through my OpenVPN connection, everything else should route through my regular gateway (and does) but when I'm connected my torrents won't download/upload and slow to a crawl
21:51 -!- master_o1_master [~master_of@p4FF24D74.dip0.t-ipconnect.de] has joined #openvpn
21:55 -!- master_of_master [~master_of@p4FD7B03D.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
21:57 -!- Cpt-Oblivious [~chatzilla@31.220.44.21] has joined #openvpn
22:09 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:14 -!- ron__ is now known as ron_
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
22:17 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:25 -!- brianblaze [~admin@unaffiliated/brianblaze] has left #openvpn []
22:26 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
22:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
22:29 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:31 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
22:32 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
23:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:37 -!- Guest29334 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 252 seconds]
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:40 -!- Ko_lo is now known as Guest63806
23:54 -!- ShadniX [dagger@p5481CFAA.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:55 -!- ShadniX [dagger@p5DDFF50D.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Apr 27 2014
00:02 -!- ron___ [~ron@ppp118-210-45-210.lns20.adl2.internode.on.net] has joined #openvpn
00:05 -!- ron_ [~ron@ppp118-210-178-8.lns20.adl6.internode.on.net] has quit [Ping timeout: 264 seconds]
00:10 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
00:12 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
00:14 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 264 seconds]
00:15 -!- tharkun [~0@187.188.94.182] has joined #openvpn
00:17 -!- ron___ is now known as ron_
00:23 -!- Cpt-Oblivious [~chatzilla@31.220.44.21] has quit [Remote host closed the connection]
00:28 -!- Intensity [yuPDSdiPRA@unaffiliated/intensity] has quit [Ping timeout: 246 seconds]
00:30 -!- daniear [~daniear@101.228.254.108] has joined #openvpn
00:30 < daniear> hi
00:30 < daniear> could someone please help me to get the windows installer for openvpn
00:31 < daniear> i can't access the openvpn website from china
00:31 < daniear> am running laptop with windows 7 32b
00:48 < daniear> anyone here
01:02 < daniear> found the client
01:02 < daniear> but its stuck on
01:02 < daniear> Sun Apr 27 14:01:52 2014 MANAGEMENT: >STATE:1398578512,WAIT,,,
01:03 < daniear> Sun Apr 27 14:02:52 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
01:03 < daniear> can ping the server just fine...
01:17 -!- rtsq [~rickard@m83-190-136-190.cust.tele2.se] has joined #openvpn
01:26 -!- rtsq [~rickard@m83-190-136-190.cust.tele2.se] has quit [Ping timeout: 264 seconds]
01:37 -!- rtsq [~rickard@88.131.107.5] has joined #openvpn
01:45 -!- mexjerry [~jerry@64.31.33.123] has joined #openvpn
01:45 -!- chingus [~jerry@64.31.33.156] has quit [Ping timeout: 264 seconds]
01:48 -!- rtsq [~rickard@88.131.107.5] has quit [Ping timeout: 240 seconds]
02:02 -!- rtsq [~rickard@88.131.107.5] has joined #openvpn
02:05 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 252 seconds]
02:08 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
02:11 -!- justaguy [~justaguy@gateway/tor-sasl/justaguy] has left #openvpn []
02:14 <@krzee> !timeout
02:14 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
02:14 <@krzee> !obfs
02:14 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
02:14 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
02:19 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
02:44 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
02:48 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Remote host closed the connection]
03:05 -!- mback2k_ is now known as mback2k
03:13 -!- grinex [~grinex@unaffiliated/grinex] has joined #openvpn
03:14 < grinex> wondering if anyone has experience my issue, my vpn disconnects whenever i move more than 4ft away from my router on wireless connection
03:16 <@krzee> likely some bad hardware, either the router or the wifi adapter
03:16 <@krzee> thats my guess
03:22 -!- infinitum [~infinitum@df-001f-1a30-0005.10ge.i6.sungai.nl] has joined #openvpn
03:30 -!- mback2k is now known as mback2k_
03:31 < daniear> anyone have a good tut on setting up obfsproxy with openvpn
03:32 <@krzee> you mean the obfsproxy part?
03:33 <@krzee> or the openvpn part?
03:34 < daniear> openvpn part
03:34 < daniear> i have obfsproxy listening already on the server
03:34 <@krzee> #2
03:34 <@krzee> !obfs
03:34 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
03:34 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
03:34 < daniear> only have one server so both obfs and openvpn are on there
03:35 < daniear> ofsproxy also hides the hourly tls handshake?
03:35 < daniear> i think china is slowing down my vpn using dpi
03:36 <@krzee> its a totally different tunnel, hides everything
03:39 < daniear> k in openvpn client in getting this error
03:44 < daniear> one secarooo
03:47 < daniear> http://pastebin.com/aKkc4PMm
03:47 < daniear> mainly my Q is... is this a server side issue not related to openvpn
03:48 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
03:50 < daniear> it appears to be running on the server
03:50 < daniear> http://pastebin.com/yJZpcskR
03:51 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:51 -!- mode/#openvpn [+v hazardous] by ChanServ
03:54 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:55 <@krzee> recv_socks_reply: Socks proxy returned bad reply
03:55 <@krzee> ya it didnt like the reply from the socks server
03:57 <@krzee> you mentioned obfsproxy is listening on the server, is it also running on the client?
04:01 < daniear> yea, as a service
04:01 < daniear> windows 7
04:01 < daniear> however i just installed obfsproxy... didn't configure it to do anything
04:01 < daniear> like foreward to openvpn
04:02 < daniear> couldn't find a tut about that
04:06 <@krzee> umm
04:06 <@krzee> i linked it to you
04:07 <@krzee> [04:36]  <krzee> #2
04:07 <@krzee> [04:36]  <krzee> !obfs
04:07 <@krzee> (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
04:07 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
04:08 < daniear> ah cheers
04:17 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has joined #openvpn
04:18 < zifxify> !welcome
04:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:19 < zifxify> !goal
04:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:19 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
04:21 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:21 -!- mode/#openvpn [+v hazardous] by ChanServ
04:21 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
04:21 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:22 -!- mexjerry [~jerry@64.31.33.123] has quit [Remote host closed the connection]
04:23 < zifxify> !factoids
04:23 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
04:23 -!- mexjerry [~jerry@64.31.33.5] has joined #openvpn
04:27 -!- daniear [~daniear@101.228.254.108] has quit [Read error: Connection reset by peer]
04:33 < zifxify> !paste
04:33 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
04:35 < zifxify> !configs
04:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:35 < zifxify> !logs
04:35 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
04:35 < zifxify> !logfile
04:35 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
04:42 < zifxify> !topology
04:42 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
04:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:03 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has left #openvpn ["Leaving"]
05:20 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has joined #openvpn
06:21 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
06:45 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
06:52 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
06:57 < zifxify> !howto
06:57 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:58 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Quit: Leaving]
07:01 -!- suzylee [~mariannee@unaffiliated/mariannee] has joined #openvpn
07:06 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has left #openvpn ["Leaving"]
07:29 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
07:31 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
07:35 -!- suzylee [~mariannee@unaffiliated/mariannee] has quit [Quit: Leaving]
07:37 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:41 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
07:46 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
07:54 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
08:14 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:14 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Read error: Connection reset by peer]
08:15 -!- _jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
08:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
08:33 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:47 -!- rypervenche [~rypervenc@unaffiliated/rypervenche] has joined #openvpn
08:49 -!- goeo_ [~goeo_@unaffiliated/goeo] has joined #openvpn
08:49 < goeo_> hello
08:50 < goeo_> http://paste.ubuntu.com/7344797/
08:50 < goeo_> ^what should i do?
08:51 < goeo_> i asked in #ubuntu first, they redirected me to here
08:52 < goeo_> !welcome
08:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:53 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 240 seconds]
08:53 < mexjerry> goeo_: http://www.techfleece.com/2012/12/30/how-to-fix-a-dns-leak-when-connected-to-your-vpn/
08:53 <@vpnHelper> Title: How To Fix A DNS Leak When Connected To Your VPN (at www.techfleece.com)
08:53 < goeo_> !goal get connected to my vpn and send the whle connection through it
08:53 < goeo_> mexjerry: i'm on ubuntu
08:55 < mexjerry> goeo_: it is the same, just follow the instructions
08:55 < rypervenche> mexjerry: That shows how to use DNS servers that aren't your ISPs, but it doesn't show how to use your tunnel's, unless I skimmed over it too quickly.
08:56 < mexjerry> goeo_: use google or opendns as your preffered server
08:56 < goeo_> but my vpn has a dns too
08:56 < mexjerry> it works, give it a try, then do dnsleaktest
08:57 < rypervenche> mexjerry: That's not what he's wanting to do.
08:57 < rypervenche> goeo_: I'll see if I can find something. I need to set this up too. If anyone here knows how to do this offhand, please let us know.
08:58 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
08:59 < goeo_> by the way, weird thing is, this works *perfectly* on iOS' ovpn
08:59 < mexjerry> how are you connecting to the internet, wireless or wired
09:00 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
09:00 < goeo_> wireless
09:00 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Quit: This computer has gone to sleep]
09:00 < mexjerry> so you have a wireless router, is it seperate from the modem
09:01 -!- joshh20-Away is now known as joshh20
09:02 < rypervenche> goeo_: You may be able to add 'push "dhcp-option DNS 192.168.1.1"', but I suppose you have to specific tell it to use your router's DNS that way.
09:04 < goeo_> rypervenche: what? add that to the config?
09:05 < rypervenche> goeo_: Yes, to the server's configuration. I can't test it though, but I think that would work.
09:05 < rypervenche> goeo_: YOu will have to check your /etc/resolv.conf before and afterward.
09:06 < Aketzu> !pushdns
09:06 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
09:07 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has joined #openvpn
09:08 < goeo_> Aketzu: I think I'll do #4, but how can I use that script?
09:08 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
09:08 < Aketzu> read the script
09:12 < goeo_> so yeah, one .up and one .down
09:12 < goeo_> Do I add them to the config?
09:13 < Aketzu> did you read the script?
09:13 < goeo_> read what script?
09:14 < Aketzu> pull-resolv-conf
09:17 -!- modyn [~modyn@37.235.55.127] has joined #openvpn
09:17 < modyn> hi
09:17 < modyn> <GJPMiningco> well you have to gen 1 for each client
09:17 < modyn> how do i make so all users, using SAME cert?
09:17 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
09:18 < Aketzu> generate one cert, copy it to everybody and add duplicate-cn config
09:20 < modyn> what do you mean by add duplicate-cn config?
09:20 < zifxify> Just add that option in server.conf
09:20 < goeo_> Aketzu: done, Sun Apr 27 17:20:37 2014 WARNING: Failed running command (--up/--down): external program fork failed
09:21 < modyn> should i give one cert, pem, ovpn files to all users?
09:21 < Aketzu> modyn: yes
09:21 < Aketzu> goeo_: is it executable?
09:21 < goeo_> is what executable?
09:21 < goeo_> oh, you mean permission
09:22 < goeo_> yes, it is.
09:22 < Aketzu> anything else in logs?
09:22 < Aketzu> do you chroot?
09:23 < goeo_> oh wait one other warning
09:23 < goeo_> Sun Apr 27 17:20:37 2014 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
09:23 < goeo_> i see..
09:23 < goeo_> should i do that?
09:24 < goeo_> what is two or higher?
09:24 < Aketzu> ...
09:25 < goeo_> lol and now, fixed it, resolvconf: Error: Command not recognized
09:25 < goeo_> Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled|--create-runtime-directories|--wipe-runtime-directories)
09:29 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
09:34 < zifxify> would someone check my routing table?
09:34 < zifxify> http://pastie.org/9117276#14-15
09:35 < zifxify> Its a custom pre-packaged openvpn client (tap) I have got to connect to an esxi server (172.30.30.8)
09:35 < zifxify> The problem I'm facing with is that I can not connect (SSH) to 172.16.220.100 but the appropriate route are created
09:37 < Aketzu> do you really route vpn server through the vpn?
09:39 < zifxify> no not as far I know :)
09:39 < Aketzu> there is 172.30.30.0/24 route
09:40 < modyn> I need somebody who are good in Linux . I gonna pay you /msg me
09:41 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Quit: This computer has gone to sleep]
09:42 < zifxify> That's the range the esxi servers are but the vsphere client make again a secure tunnel
09:44 < zifxify> I'm not sure how it's routed internally I only have the client
09:45 < Aketzu> it's routed just as routing table shows it
09:45 < Aketzu> you try to access vpn server through the vpn you just connected
09:47 < zifxify> I do can connect to the vsphere client but I'm unable to reach the other ranges (172.16.220.0,172.16.240.0) through SSH which should also be possible right?
09:49 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
09:49 < zifxify> There is a openbsd firewall running on the esxi with external IP 172.16.220.100
09:52 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has quit [Quit: Leaving]
09:59 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]
10:02 -!- zifxify [~zifxify@d54C072A9.access.telenet.be] has joined #openvpn
10:11 -!- zifxify [~zifxify@d54C072A9.access.telenet.be] has quit []
10:20 -!- ron___ [~ron@ppp118-210-209-179.lns20.adl6.internode.on.net] has joined #openvpn
10:21 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
10:23 -!- ron_ [~ron@ppp118-210-45-210.lns20.adl2.internode.on.net] has quit [Ping timeout: 252 seconds]
10:26 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has joined #openvpn
10:27 -!- marlinc is now known as KuchKuch
10:27 -!- KuchKuch is now known as Marlinc
10:28 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
10:32 -!- ChrisH [~dg7pc@dslb-092-072-165-245.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
10:34 -!- ChrisH [~dg7pc@dslb-188-109-003-182.pools.arcor-ip.net] has joined #openvpn
10:34 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
10:34 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
10:38 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
10:44 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has quit [Ping timeout: 276 seconds]
10:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:53 -!- modyn [~modyn@37.235.55.127] has quit []
10:53 -!- bdak [~bdak@37.235.55.127] has joined #openvpn
10:53 -!- bdak [~bdak@37.235.55.127] has quit [Client Quit]
10:54 -!- ndak [~ndak@37.235.55.127] has joined #openvpn
10:54 -!- ndak [~ndak@37.235.55.127] has quit [Client Quit]
10:55 -!- ndak [~ndak@5.134.1.30] has joined #openvpn
10:57 -!- ndak [~ndak@5.134.1.30] has quit [Client Quit]
10:58 -!- ndak [~ndak@46.249.59.214] has joined #openvpn
11:10 < ndak> hi
11:10 < ndak> anybody here?
11:11 -!- Intensity [VYmgMO73Uk@unaffiliated/intensity] has joined #openvpn
11:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:16 -!- mode/#openvpn [+v s7r] by ChanServ
11:17 < ndak> hi i need to install openvpn server with PEM. I gonna pay you for the help /msg me
11:17 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
11:22 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:25 < thumbs> ndak: good luck with that.
11:30 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Quit: This computer has gone to sleep]
11:31 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
11:37 -!- Guest63806 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
11:39 -!- waynr [~waynr@ma.sdf.org] has quit [Quit: WeeChat 0.4.2]
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:40 -!- Ko_lo is now known as Guest85885
11:44 -!- joshh20 is now known as joshh20-Away
11:56 -!- gehaxelt [~gehaxelt@s1.gehaxelt.in] has joined #openvpn
11:57 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
11:58 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
12:00 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has quit [Quit: Leaving]
12:00 -!- ron___ is now known as ron_
12:15 -!- mexjerry [~jerry@64.31.33.5] has quit [Ping timeout: 240 seconds]
12:26 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has joined #openvpn
12:26 -!- zifxify [~pieter-ja@d54C072A9.access.telenet.be] has quit [Client Quit]
12:43 -!- codehero is now known as codile
12:43 -!- codile is now known as Americat
12:45 -!- Americat is now known as codehero
12:57 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
12:57 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
13:04 -!- ChrisH [~dg7pc@dslb-188-109-003-182.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
13:05 -!- ChrisH [~dg7pc@dslb-088-076-103-044.pools.arcor-ip.net] has joined #openvpn
13:13 -!- rtsq [~rickard@88.131.107.5] has quit [Ping timeout: 252 seconds]
13:25 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
13:28 -!- bgs4269 [~bgs@84-236-98-154.pool.digikabel.hu] has joined #openvpn
13:31 -!- rtsq [~rickard@88.131.107.5] has joined #openvpn
13:36 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:36 < bgs4269> Hi! I have a strange compilation problem. I dl'ed the latest version and tried to compile, but when it gets to the linking step it give a "undefined reference to `print_default_gateway'" error even though route.o is compiled and on the libtool line.
13:37 < bgs4269> The only thing different from before is that I'm compiling on an arm.
13:40 < bgs4269> Any ideas  what's the prob?
13:41 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 252 seconds]
13:51 -!- busch [~busch@datenschleuder.com] has joined #openvpn
13:56 -!- joshh20-Away is now known as joshh20
13:56 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:56 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Quit: This computer has gone to sleep]
13:59 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 265 seconds]
13:59 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has joined #openvpn
14:03 -!- vjacob [~vjacob@ip1.c4605.amb314.cust.comxnet.dk] has quit [Remote host closed the connection]
14:13 -!- busch [~busch@datenschleuder.com] has joined #openvpn
14:14 -!- rypervenche [~rypervenc@unaffiliated/rypervenche] has quit [Ping timeout: 240 seconds]
14:15 -!- rypervenche [~rypervenc@unaffiliated/rypervenche] has joined #openvpn
14:19 -!- oppie [~mariannee@unaffiliated/mariannee] has joined #openvpn
14:35 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
14:35 -!- oppie [~mariannee@unaffiliated/mariannee] has quit [Quit: Leaving.]
14:41 -!- gizmobob [~gizmobob@cpc1-kemp7-2-0-cust187.9-2.cable.virginm.net] has joined #openvpn
14:42 < gizmobob> any idea why viscosity kills my network connection on disconnection from a UDP Tun openvpn connection?
14:43 < gizmobob> it works fine when i turn my wifi off and on again
14:46 -!- Aliekezhi [~Aliekezhi@57.141.122.78.rev.sfr.net] has quit [Remote host closed the connection]
14:50 -!- ndak [~ndak@46.249.59.214] has quit [Excess Flood]
14:50 -!- ndak [~ndak@46.249.59.214] has joined #openvpn
15:04 -!- gizmobob [~gizmobob@cpc1-kemp7-2-0-cust187.9-2.cable.virginm.net] has quit [Ping timeout: 240 seconds]
15:40 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:58 -!- Mayor [~Reza@109.95.59.122] has joined #openvpn
15:59 < Mayor> hi guys i need some info about openvpn pls
15:59 < Mayor> what is open source vpn never used it
15:59 < Mayor> pls someone help me
16:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:02 < Aketzu> collection of bits and pieces that allow secure way of relaying communications
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:57 -!- ndak [~ndak@46.249.59.214] has quit []
16:59 -!- maxiepax [~max@locke.misse.org] has quit [Ping timeout: 245 seconds]
17:00 -!- maxiepax [max@locke.misse.org] has joined #openvpn
17:43 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 252 seconds]
17:54 -!- busch [~busch@datenschleuder.com] has joined #openvpn
18:01 -!- Lycaon [~Lycaon@host-72-175-186-119.stn-co.client.bresnan.net] has joined #openvpn
18:02 < Lycaon> Hey guys.  I'm not sure if the howto page is outdated, but I downloaded the easyrsa zip from github and there is no init-config in it
18:02 < pekster> Depends on the version you're using. See the wiki page for details:
18:02 < pekster> !easyrsa
18:02 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
18:03 < pekster> #4 has the wiki; the current howto has the v2 instructions, and the wiki has the v3 instructions
18:09 < Lycaon> Already ran into an error.  Following the steps to generate a cert for the server, I enter the server name when asked, then it goes "Error loading extension section req_extra"
18:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:09 < Lycaon> Using v3 of easyrsa and following the guide linked at the top of the wiki page under the v3 section
18:10 < pekster> Known issue with openssl <1.0. Either use the -master copy, or a newer openssl
18:11 < Lycaon> I don't recall intentionally installing openssl
18:12 < pekster> It's a part of most distributions by default. I'll link you to the commit that fixes it if you'd like to use that
18:12 < Lycaon> Sure
18:12 < pekster> https://github.com/OpenVPN/easy-rsa/commit/8b1fe01
18:12 <@vpnHelper> Title: Support OpenSSL-0.9.8 with the EXTRA_EXTS feature · 8b1fe01 · OpenVPN/easy-rsa · GitHub (at github.com)
18:12 < Lycaon> Actually it looks like the openssl bin i have was installed by Git
18:13 < pekster> "installed by git" ?? git is a tool for dealing with source code; openssl is a C program that requires a compiler and installation
18:15 < Lycaon> I know what the difference is :)  I meant git installer
18:16 < Lycaon> Whatever did it, it's in c:\program files\git\bin
18:16  * Lycaon shrugs
18:17 < pekster> Oh, you're on Windows? It leaves installation of openssl up to you, though the documentation links to shining light productions' binaries
18:20 < pekster> Easiest is to just grab openssl 1.0.1g from: http://slproweb.com/products/Win32OpenSSL.html
18:20 <@vpnHelper> Title: Shining Light Productions - Win32 OpenSSL (at slproweb.com)
18:21 < Lycaon> Yeah, installed that, still getting the error :
18:21 < Lycaon> :\
18:21 < pekster> Check your PATH
18:21 < pekster> Or set it in the vars file
18:22 < pekster> You're proably still using the goofy "git\bin" thing you managed to insert into your PATH, probably with a higher priority
18:23 < Lycaon> Yeah
18:23 < pekster> See: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/easyrsa3/vars.example#L57
18:23 <@vpnHelper> Title: easy-rsa/easyrsa3/vars.example at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com)
18:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:08 -!- Latrina [~Latrina@adsl-ull-170-184.50-151.net24.it] has quit [Ping timeout: 265 seconds]
19:10 -!- Latrina [~Latrina@ppp-70-10.26-151.libero.it] has joined #openvpn
19:18 < Lycaon> What does TLS Error: unroutable control packet received mean, being spammed in the client console
19:20 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:39 < Lycaon> Ah.  The server cert apparently has to have nsCertType set to server, but the script doesn't do that
19:39 < Lycaon> and there is no build-key-server in this version
19:49 < pekster> Don't use the deprecated "Netscape extensions" if you can avoid it
19:49 < pekster> !mitm
19:49 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
19:49 < pekster> See #3; use remote-cert-tls instead
19:49 < pekster> (instead of the deprecated and not-recommended --ns-cert-type. Yes, the howto is also outdated here, it probably needs to be rewritten)
20:04 < Lycaon> This is so frustrating, heh
20:06 < pekster> Just update `--ns-cert-type server` in your client configs to read `--remote-cert-tls server` and it'll work
20:07 -!- lazarus477 [~lazarus@78-72-29-198-no191.tbcn.telia.com] has quit [Quit: leaving]
20:10 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
20:13 -!- joshh20 is now known as joshh20-Away
20:17 < Lycaon> Got it going :)
20:17 < Lycaon> Well, as well as I can when the server's on the same network
20:17 < Lycaon> Just have to go to a remote location at some point and give it a go
20:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:35 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
20:47 < bgs4269> Hi! I have a strange compilation problem. I dl'ed the latest version and tried to compile, but when it gets to the linking step it give a "undefined reference to `print_default_gateway'" error even though route.o is compiled and on the libtool line.
20:52 < pekster> 2.3.3? What platform, and what configure arguments are you using? And CFLAGS?
20:55 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]
20:58 < bgs4269> yep, 2.3.3, arm
20:59 < bgs4269> ./configure --disable-server --enable-plugins --disable-socks --enable-small --enable-iproute2 --enable-static
20:59 -!- liriel [~liriel@aphrodite.feralhosting.com] has quit [Ping timeout: 246 seconds]
21:02 -!- liriel [~liriel@aphrodite.feralhosting.com] has joined #openvpn
21:08 < pekster> I can reproduce that error on a Linux amd64 platform too; it's probably a combination of configure flags that causes an incompatible set of #ifdefs to be put into play
21:09 < pekster> I'm trying a few permutations to see if it can be narrowed down, but you probably should open a bug on the tracker and include the configure line, your OS/platform, and the end of the compile output starting with the first error
21:11 < bgs4269> ok, got it
21:12 < bgs4269> I will document i and try some variations as well
21:12 < bgs4269> thanks
21:12 < pekster> Oh, okay, with --enable-small you need --disable-debug
21:12 < pekster> I think. Re-running the make now :)
21:12 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
21:14 < bgs4269> thougt it was disabled by default :)
21:14 < pekster> I did too, but apparently not
21:14 < pekster> Some of that code has gone through some iterations recently
21:17 < bgs4269> it compiled without a glitch now :)
21:18 < pekster> Yea, using debug with small doesn't make sense, but the configure system should compile rather than wait for the compile to fail
21:20 < bgs4269> Thanks for the idea!
21:22 < pekster> Erm, should complain (not compile :P )
21:22 < bgs4269> got you meaning ;)
21:28 -!- _VlperX_ [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has joined #openvpn
21:31 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 240 seconds]
21:31 -!- bgs4269 [~bgs@84-236-98-154.pool.digikabel.hu] has left #openvpn []
21:52 -!- master_of_master [~master_of@p4FD7BFDB.dip0.t-ipconnect.de] has joined #openvpn
21:52 -!- _VlperX_ [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has quit [Ping timeout: 264 seconds]
21:55 -!- master_o1_master [~master_of@p4FF24D74.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
21:58 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:16 -!- _VlperX_ [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has joined #openvpn
22:21 -!- _VlperX_ [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has quit [Ping timeout: 264 seconds]
22:21 -!- lkthomas [~lkthomas@n058153105034.netvigator.com] has left #openvpn []
22:34 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
22:35 -!- _VlperX_ [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has joined #openvpn
22:39 -!- acu [~acu@50.244.13.222] has quit [Ping timeout: 240 seconds]
22:54 -!- Lycao [~Lycaon@host-69-145-22-159.stn-co.client.bresnan.net] has joined #openvpn
22:56 -!- acu [~acu@50.244.13.222] has joined #openvpn
22:57 -!- Lycaon [~Lycaon@host-72-175-186-119.stn-co.client.bresnan.net] has quit [Ping timeout: 252 seconds]
22:58 -!- ahhMichael [~ahhMichae@bas2-oakville30-1176307148.dsl.bell.ca] has joined #openvpn
23:06 -!- ahhMichael [~ahhMichae@bas2-oakville30-1176307148.dsl.bell.ca] has quit [Ping timeout: 246 seconds]
23:06 -!- VlperX [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has joined #openvpn
23:07 -!- _VlperX_ [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has quit [Ping timeout: 264 seconds]
23:26 < acu> !heartbleed
23:26 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
23:26 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
23:28 -!- UnicornGod [~UnicornGo@c-71-229-93-248.hsd1.in.comcast.net] has joined #openvpn
23:30 < UnicornGod> anyone here have some experience with pfsense and dd-wrt?
23:31 <@krzee> !ddwrt
23:31 <@krzee> !pfsense
23:31 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the config and logfiles
23:31 <@krzee> !openwrt
23:31 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
23:32 <@krzee> !factoids search dd
23:32 <@vpnHelper> 'dd-wrt' and 'addressing'
23:32 <@krzee> !dd-wrt
23:32 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
23:35 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
23:37 <@krzee> pekster, as for the build env for dd-wrt, http://dd-wrt.com/wiki/index.php/Development
23:37 <@vpnHelper> Title: Development - DD-WRT Wiki (at dd-wrt.com)
23:37 -!- Guest85885 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 240 seconds]
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:40 -!- Ko_lo is now known as Guest3866
23:42 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:54 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:54 -!- ShadniX [dagger@p5DDFF50D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:55 -!- ShadniX [dagger@p5481CE76.dip0.t-ipconnect.de] has joined #openvpn
23:59 -!- VlperX [~VlperX@CPE-121-210-202-156.azql1.woo.bigpond.net.au] has quit [Ping timeout: 264 seconds]
--- Day changed Mon Apr 28 2014
00:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
00:12 -!- lj [~l@192.241.174.169] has joined #openvpn
00:17 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
00:25 -!- UnicornGod [~UnicornGo@c-71-229-93-248.hsd1.in.comcast.net] has left #openvpn []
00:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
00:47 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Ping timeout: 252 seconds]
00:49 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
00:51 -!- acu [~acu@50.244.13.222] has joined #openvpn
00:59 -!- VlperX [~VlperX@124-170-84-80.dyn.iinet.net.au] has joined #openvpn
01:01 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has joined #openvpn
01:07 -!- rtsq [~rickard@88.131.107.5] has quit [Ping timeout: 252 seconds]
01:14 -!- waynr [~waynr@ma.sdf.org] has joined #openvpn
01:14 -!- waynr [~waynr@ma.sdf.org] has left #openvpn []
01:14 -!- waynr [~waynr@ma.sdf.org] has joined #openvpn
01:27 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 264 seconds]
01:28 -!- _VlperX_ [~VlperX@124-170-84-80.dyn.iinet.net.au] has joined #openvpn
01:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:29 -!- VlperX [~VlperX@124-170-84-80.dyn.iinet.net.au] has quit [Ping timeout: 264 seconds]
01:36 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
01:56 -!- mattock_afk is now known as mattock
02:02 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
02:02 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
02:09 -!- VlperX [~VlperX@124-171-209-17.dyn.iinet.net.au] has joined #openvpn
02:12 -!- _VlperX_ [~VlperX@124-170-84-80.dyn.iinet.net.au] has quit [Ping timeout: 264 seconds]
02:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:29 -!- _VlperX_ [~VlperX@124-171-209-17.dyn.iinet.net.au] has joined #openvpn
02:33 -!- VlperX [~VlperX@124-171-209-17.dyn.iinet.net.au] has quit [Ping timeout: 264 seconds]
02:45 -!- _VlperX_ [~VlperX@124-171-209-17.dyn.iinet.net.au] has quit [Ping timeout: 240 seconds]
02:52 -!- rtsq [~rickard@88.131.107.5] has joined #openvpn
02:56 -!- VlperX [~VlperX@124-171-205-90.dyn.iinet.net.au] has joined #openvpn
03:02 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:10 -!- ndak [~ndak@46.249.59.214] has joined #openvpn
03:21 -!- mikkel [~mikkel@93.176.85.50] has joined #openvpn
03:26 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Excess Flood]
03:27 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
03:29 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:42 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 264 seconds]
03:42 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
03:45 -!- Danu [~Danu@195.37.254.130] has joined #openvpn
03:59 -!- lj [~l@192.241.174.169] has quit [Quit: Leaving.]
03:59 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has joined #openvpn
04:05 -!- Lycao [~Lycaon@host-69-145-22-159.stn-co.client.bresnan.net] has quit []
04:10 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
04:12 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
04:14 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:22 -!- rtsq [~rickard@88.131.107.5] has quit [Ping timeout: 255 seconds]
04:35 -!- rtsq [~rickard@217.151.207.31] has joined #openvpn
04:36 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has joined #openvpn
04:40 -!- Arnie [~niels@merg.okkernoot.net] has joined #openvpn
04:41 < Arnie> Hi, I just installed openvpn-gui, am running it as administrator, and have a config in place, but when I try to connect, nothing at all is happening, and I get no feedback whatsoever from the client about what could be wrong
04:42 < Arnie> I just got the 2.3.3 64-bit installer from openvpn.net
04:43 < Arnie> I'm running wireshark and there isn't a connection attempt going on, firewall disabled, any virusscanners disabled as well
04:43 < Arnie> just says 'current state: connecting' and the log window stays empty
04:44 < Arnie> so I'm hoping someone has some tips for me
04:44 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
04:46 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
04:49 -!- ron__ [~ron@ppp121-45-33-144.lns20.adl2.internode.on.net] has joined #openvpn
04:49 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
04:51 -!- ron_ [~ron@ppp118-210-209-179.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
04:56 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:59 -!- lj [~l@74.120.203.218] has joined #openvpn
05:00 -!- lj [~l@74.120.203.218] has quit [Client Quit]
05:05 -!- zifxify [~zifxify@176.62.136.225] has joined #openvpn
05:09 -!- jackbrown1 [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
05:12 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
05:16 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
05:17 -!- jackbrown1 [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
05:25 < Arnie> ah
05:25 < Arnie> problem identified: issue with backslash in configuration file, and openvn-gui does not report this somehow
05:25 < Arnie> related: http://superuser.com/questions/666452/openvpn-gui-window-is-empty-why-cant-i-connect-to-my-vpn
05:25 <@vpnHelper> Title: OpenVPN GUI window is empty. Why cant I connect to my VPN? - Super User (at superuser.com)
05:27 < ndak> hi. i want to install a Openvpnserver + PEM for my VPS. I am new and i need this asap, I want use my own VPN because its cheaper. :) I will pay you for the work /msg me
05:28 < ndak> i am using debian 7
05:28 -!- _VlperX_ [~VlperX@124-171-205-90.dyn.iinet.net.au] has joined #openvpn
05:28 < svg> Is there a mac client that is recommended?
05:31 -!- VlperX [~VlperX@124-171-205-90.dyn.iinet.net.au] has quit [Ping timeout: 264 seconds]
05:31 -!- grinex [~grinex@unaffiliated/grinex] has quit [Ping timeout: 250 seconds]
05:32 -!- grinex [~grinex@207.12.89.115] has joined #openvpn
05:32 -!- grinex [~grinex@207.12.89.115] has quit [Changing host]
05:32 -!- grinex [~grinex@unaffiliated/grinex] has joined #openvpn
05:40 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
05:47 <+hazardous> svg: i think the general choice is tunnelblick or i forget the other name
05:47 <+hazardous> i use tunnelblick and occasionally just openvpn <file.ovpn> in term depending on needs
05:47 < svg> thx
05:50 -!- Arnie [~niels@merg.okkernoot.net] has left #openvpn []
05:59 < ndak> hi. i want to install a Openvpnserver + PEM for my VPS. I am new and i need this asap, I want use my own VPN because its cheaper. :) I will pay you for the work /msg me
05:59 -!- budman [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
06:04 < gigo1980> hi together. i try to assign an static ip with the connect.sh scripting hook. but it will not work. i use mysql authentification
06:04 < plaisthos> I am not sure most people will go through all that legal stuff for a 1h job
06:05 < gigo1980> so authentification and logging works. but i can not asign a specific ip to an sepcific user
06:12 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:12 -!- ndak [~ndak@46.249.59.214] has quit []
06:12 -!- ndak [~ndak@46.249.59.214] has joined #openvpn
06:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:16 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
06:18 -!- divergent [~mariannee@unaffiliated/mariannee] has joined #openvpn
06:26 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
06:26 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 240 seconds]
06:26 -!- michaelhart_ is now known as michaelhart
06:27 -!- _VlperX_ [~VlperX@124-171-205-90.dyn.iinet.net.au] has quit [Ping timeout: 264 seconds]
06:32 -!- divergent [~mariannee@unaffiliated/mariannee] has quit [Quit: Leaving.]
06:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
06:34 -!- cpm [~Chip@216.169.175.102] has joined #openvpn
06:34 -!- cpm [~Chip@216.169.175.102] has quit [Changing host]
06:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:42 < gigo1980> https://forums.openvpn.net/topic8005.html  <— does anyone has an solution for that
06:42 <@vpnHelper> Title: OpenVPN Support Forum static IP for auth-pam or mysql auth : Authentication Scripts (at forums.openvpn.net)
06:42 < gigo1980> i have the same problem
06:57 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
07:00 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
07:00 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
07:01 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
07:08 -!- ISmithers [~ISmithers@mail.tinyillusion.com] has joined #openvpn
07:08 < ISmithers> What is a pem file?
07:12 -!- mikkel [~mikkel@93.176.85.50] has quit [Quit: Leaving]
07:15 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Ping timeout: 240 seconds]
07:20 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
07:23 -!- gehaxelt [~gehaxelt@s1.gehaxelt.in] has left #openvpn ["Verlassend"]
07:29 < reiffert> !google pem file
07:29 <@vpnHelper> security - What is a Pem file and how does it differ from other ...: <http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file>; How to SSL - PEM Files: <http://how2ssl.com/articles/working_with_pem_files/>; How to Create a .pem File for SSL Certificate Installations - DigiCert: <http://www.digicert.com/ssl-support/pem-ssl-
07:29 <@vpnHelper> creation.htm>
07:33 < ISmithers> God maybe my search engine is bad or something, I have been looking. Scouts honour!
07:39 -!- fin__ [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has joined #openvpn
07:39 -!- fin__ [~l30@cpc20-bele8-2-0-cust576.2-1.cable.virginm.net] has quit [Changing host]
07:39 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
07:40 -!- fin__ [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
07:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
07:42 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
07:43 < ISmithers> When enabling user-auth does that auth via the unix user system?
07:46 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:51 -!- ndak2 [~ndak@37.235.53.237] has joined #openvpn
07:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:53 -!- ndak [~ndak@46.249.59.214] has quit [Ping timeout: 252 seconds]
07:57 < ndak2> <ISmithers> What is a pem file?
07:57 < ndak2> HAHAHAHA
07:57 < ndak2> You want 200$$$ YOU DONT KNOW WHAT PEM FILE IS?
07:57 < ndak2> OMG
07:58 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has joined #openvpn
07:58 < ndak2> <ISmithers> Is $200 US fair?
07:58 < ndak2> <ISmithers> If it's so easy, you do it. The truth is, it isn't that easy, so you want someone else to do it. I can do it, and it takes time, and time is money. I'm happy to negotiate, but I don't work for free or McDonald's rates. :)
07:59 < ndak2> <ISmithers> Everyone says that, then never does. :p So I take 1/2 to start the work, and then 1/2 on completion. Is that fair?
07:59 < ndak2> OWOWOWO
07:59 < ndak2> he wants 100$ before he EVEN STARTS
07:59 < ndak2> <ISmithers> I mean lets say I charge $200 US. Then you pay me $100 and I start the work. Then when I am finished and you see it working, you pay me another $100.
07:59 < ndak2> AND
07:59 < ndak2> <ISmithers> I'm in Australia and it's almost 11pm. So it will be at least 1 day. I can probably get it done all tomorrow evening.
07:59 < ndak2> "i do it tomorrow"
07:59 < rob0> hmm?
08:00 < ndak2> 1, he wants 200$ 2, he wants 100$ FIRST before even start ( i dont know him even) 3, He starts tomorrow
08:00 -!- ron__ is now known as ron_
08:00 < ndak2> i hope this guy one day working for macdonalds
08:03 < rob0> I see your point in that the questions asked here could undermine your confidence in ISmithers, but I do not approve of copying private messages into the channel. Furthermore ...
08:03 < rob0> ... what he's saying is reasonable. US$200 for an openvpn server setup is cheap.
08:04 < rob0> And I too have been burned on IRC-obtained jobs, so half up front makes sense.
08:04 < rob0> (I no longer seek/accept such jobs, BTW.)
08:04 < ISmithers> Oh I didn't know he was having a cry in here.
08:05 < ISmithers> 1) I had not encountered a pem file before, and so wanted to know what it was. Yes, when I don't know something, I ask questions.
08:05 < ISmithers> 2) I asked around for fair prices and that was what I was told, I didn't demand it, I asked if you thought it was *FAIR* and you went psycho.
08:05 < ISmithers> 3) I do a lot of freelance work and always get 1/2 up front, 1/2 on completion. Fin.
08:09 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
08:12 -!- rtsq [~rickard@217.151.207.31] has quit [Ping timeout: 276 seconds]
08:12 < rob0> One more thing I'd add: ndak2's chances of hiring someone are decreasing.
08:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 252 seconds]
08:13 -!- Danu [~Danu@195.37.254.130] has quit [Ping timeout: 252 seconds]
08:14 -!- Reza [~Reza@109.95.59.122] has joined #openvpn
08:15 -!- Danu [~Danu@195.37.254.130] has joined #openvpn
08:16 -!- Mayor [~Reza@109.95.59.122] has quit [Ping timeout: 276 seconds]
08:17  * plaisthos collects free VPN service accounts :)
08:18 < samael> still have a doubt about heartbleed: if my server is and was safe, but some of my clients are not due to their ssl version, why should I concern about them? they don't listen on any port, and have always been connecting to a safe server, so where's the trouble with them? i miss the reason to bother re-issuing their keys/certificates, other than being paranoid about security (which is always a good thing)
08:20 < ISmithers> Not 100% sure samael but is the issue that perhaps if they are lucky an exploiter can get access to your CA certificate and then use it to sign their own?
08:25 -!- rtsq [~rickard@88.131.107.5] has joined #openvpn
08:41 <@ecrist> samael: any time there is two-way communication between a client and server, both ends are listening for incoming connections
08:41 <@ecrist> the client end uses a dynamic port, however
08:42 <@ecrist> ndak2: requiring 50% up front is a normal business practice, particularly when dealing with IRC trolls
08:43 -!- danielbw [~danielbw@70.167.122.27] has quit [Ping timeout: 245 seconds]
08:43 < ndak2> rob0: Listen, i tell you this only one time. NEVER.. NEVER tell me what to do or not what to do. I Copy PM how much i want to.. IF you want openvpnserver installed for 200$ ask him. its cheap
08:43 -!- ndak2 was kicked from #openvpn by ecrist [fuck off mate]
08:43 -!- ndak2 [~ndak@37.235.53.237] has joined #openvpn
08:43 < ndak2> ecrist
08:43 -!- ndak2 was kicked from #openvpn by Eugene [lololo]
08:43 -!- ndak2 [~ndak@37.235.53.237] has joined #openvpn
08:43 <@ecrist> heh
08:43 < ndak2> ecrist
08:43 -!- danielbw [~danielbw@70.167.122.27] has joined #openvpn
08:44 < ndak2> because Eugene is a asslicker :)
08:44 < ndak2> hahaha
08:44 -!- ndak2 was kicked from #openvpn by Eugene [i <3 penis]
08:44 -!- mode/#openvpn [+b *!*@37.235.53.237] by ecrist
08:44 <@Eugene> That's so satisfying early on the morning
08:44 < rob0> thanks :)
08:45 <@ecrist> I know what I'll do this morning, join an IRC channel, seek help, and piss off all the ops before breakfast.
08:45 < rob0> I would have done it if I had been looking.
08:45 <@Eugene> Haha, he's gonna "get my OP removed. I know the owner."
08:45 <@Eugene> Good one, guys
08:46 <@Eugene> !beer
08:46 < rob0> tell him I'm an op too :)
08:46 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
08:46 <@ecrist> did he say that to you?
08:46 <@Eugene> Pm, yeah
08:46 < rob0> what a moron
08:47 < rob0> Eugene, so I guess the whiry clouds missed you?
08:47 < rob0> *whirly
08:47 <@Eugene> I moved to Seattle in October, but they did miss the AR house yeah
08:47 <@ecrist> now that silly fucker is telling me I'll lose my op, too, becuase he knows the owner
08:48 < rob0> HAHA
08:48 < Aketzu> owner of the internets
08:50 <@Eugene> Let's unban him, just so we can kick some more
08:50 < ISmithers> I thought he had left, but now he is spamming me because "YOU maked me ban" apparently. Where YOU == me.
08:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
08:50 -!- s7r_v [~s7r@openvpn/user/s7r] has joined #openvpn
08:50 -!- mode/#openvpn [+v s7r_v] by ChanServ
08:51 < plaisthos> Eugene: take this
08:51 < plaisthos> 15:51:18 -!- #openvpn You're not a channel operator
08:51 < plaisthos> damn!
08:51 -!- mode/#openvpn [-o Eugene] by ChanServ
08:51 < plaisthos> HA!
08:52  * plaisthos found /cs deop #chan user
08:52 -!- mode/#openvpn [+o Eugene] by ChanServ
08:52 -!- plaisthos was kicked from #openvpn by Eugene [Treasonous scum!]
08:52 -!- Eugene was kicked from #openvpn by Eugene [murderer!]
08:52 -!- Eugene [eugene@itvends.com] has joined #openvpn
08:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:52 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:52 -!- mode/#openvpn [-o plaisthos] by ChanServ
08:52  * plaisthos hids
08:53 < Eugene> We need a hobby.
08:53 -!- Latrina [~Latrina@ppp-70-10.26-151.libero.it] has quit [Ping timeout: 276 seconds]
08:53 < plaisthos> Hm /cs kick #openvpn plaisthos Can chanserv also kick user? does not work
08:54 < plaisthos> perhaps you cannot hide all your op actions behind Chanserv
08:54 < Eugene> Nope. Gotta wear the hat for that one
08:55 < Eugene> Or set up the bot for it
08:55 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:55 < plaisthos> you can setup an autokick with a really small expiration time however
08:56 <@ecrist> Eugene: you'd be welcome to setup the bot for it, but I've never bothered figuring it out
08:56 < Eugene> Supybot sucks pretty hard
08:56 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 245 seconds]
08:56 < Eugene> Giving one op is pretty dangerous
08:57 < Eugene> I've moved to the gitinfo codebase. Much nicer triggers system
08:58 -!- Latrina [~Latrina@ppp-70-10.26-151.libero.it] has joined #openvpn
09:01 -!- Latrina [~Latrina@ppp-70-10.26-151.libero.it] has quit [Read error: Connection reset by peer]
09:02 < Aketzu> hmm... how about kicking with git commit.... trigger sends commands to bot etc.
09:02 <@ecrist> what?
09:02 -!- ketas- is now known as ketas
09:02 < Aketzu> I have no idea why I'm thinking that :)
09:03 < Aketzu> seems almost as useful as psdoom
09:03 < _quadDam1ge> That was classic. Sometimes I need a refresher on how not to behave on IRC. Just yesterday I was thinking of soliciting low wage help in this channel. The only reason I didn't was I could decide on the best tactic to lead off with ...insulting the admins, or pasting my current config directly to channel.
09:03 <@ecrist> verb 5 logs is usually ideal, _quadDam1ge 
09:03 -!- ahhMichael [~ahhMichae@bas2-oakville30-1176307148.dsl.bell.ca] has joined #openvpn
09:04 < _quadDam1ge> It seems my odds are better with the latter, save the insults for lvl 2.
09:04 < _quadDam1ge> ...after they have access to my network
09:06 -!- Latrina [~Latrina@ppp-70-10.26-151.libero.it] has joined #openvpn
09:06 < ISmithers> He is stlil pm'ing me :<
09:07 -!- _quadDam1ge is now known as _quadDamage
09:07 <@ecrist> ISmithers: /ignore ndak2
09:07 < rob0> ISmithers, nothing you can do but /ignore
09:07 < Eugene> Feel free to talk to #freenode or just /ignore
09:07 < rob0> #freenode will tell you the same :)
09:08 <@ecrist> secure-computing.net/files/ndak2.txt
09:08 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has quit [Quit: Leaving.]
09:09 < Eugene> If it's habitual and/or truly offensive you can sometimes get a kline
09:09 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has joined #openvpn
09:09 < ISmithers> I thought I did that, but I think I added ndak2 (his other persona) and so when he pm'ed me again I just thought my IRC client didn't support that command.
09:09 < Eugene> It helps to have friends in the ops
09:10 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has quit [Client Quit]
09:10 < rob0> HAHA ecrist that's great
09:10 < rob0> Always nice to know that a personality like that is having a bad day.
09:11 < ISmithers> I actually just realised I have all his certs and keys. He pastebin'ed them to me.
09:11 < ISmithers> *headdesk*
09:11 < rob0> whoa
09:12 < Eugene> The worst part is some people actually have brains that work like that
09:12 < Eugene> Ooooooh
09:12 -!- ron_ [~ron@ppp121-45-33-144.lns20.adl2.internode.on.net] has quit [Ping timeout: 276 seconds]
09:12 < Eugene> Do you have any ips?
09:13 < Eugene> For..... Scientific purposes
09:13 <@ecrist> lol
09:13 <@ecrist> log in to his server, change certificate structure and CA
09:13 -!- ron_ [~ron@ppp118-210-178-111.lns20.adl6.internode.on.net] has joined #openvpn
09:13 < Eugene> And set up a tor exit node
09:15 < ISmithers> No just the cert files. He actually *JUST* took down the pastebins but he also pasted them into the chat window. So I still have the ca.pem but nothing more.
09:15 < rob0> we have IP addresses in the channel scrollback
09:17 -!- ahhMichael [~ahhMichae@bas2-oakville30-1176307148.dsl.bell.ca] has quit [Ping timeout: 246 seconds]
09:17 < Eugene> Dang
09:18 < Eugene> Check your browser's temp space
09:19 < ISmithers> Will the files have a sane name?
09:19 < Eugene> Unlikely. That's what grep is for
09:19 -!- zifxify [~zifxify@176.62.136.225] has quit [Ping timeout: 265 seconds]
09:23 < ISmithers> You made him leave Freenode http://pastie.org/private/lqawwcmiqk9ww8qziudzg
09:23 < ISmithers> @ecrist
09:23 <@ecrist> lol
09:24 < Aketzu> "that was easy"
09:24 <@ecrist> I'll still sleep OK tonight.
09:24 <@ecrist> but just barely
09:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:27 -!- rtsq [~rickard@88.131.107.5] has quit [Ping timeout: 240 seconds]
09:34 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
09:40 -!- rtsq [~rickard@217.151.207.31] has joined #openvpn
09:40 -!- t0r [~textual@167.206.48.217] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:41 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
09:42 -!- Danu [~Danu@195.37.254.130] has quit [Ping timeout: 240 seconds]
09:44 < ISmithers> Well I tried to find it in the tmp space but no joy I'm afraid.
09:45 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has joined #openvpn
09:45 < rob0> oh well, he's not worth the bother
09:45 < ISmithers> Yup. Was an interesting night tho! :)
09:46 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
09:46 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 246 seconds]
09:58 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
09:59 -!- s7r_v is now known as s7r
10:00 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
10:00 -!- budman [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 240 seconds]
10:15 -!- MadTBone [~MadTBone@160.39.238.199] has joined #openvpn
10:15 < fol_tempus> Hello, I've tried to ask about this a couple of days ago, I'll try again. I'm having slow uploads with openvpn. Here is the config file, server side: http://fpaste.org/97215/85603831/raw/ . Downloads happen at full speed. Uploading works, unless they're too big. If a single upload is bigger than ~1MB, that single upload hangs. I've tried with the default cipher and auth as well, so it shouldn't be a auth/cipher issue. I've also checked the
10:15 < fol_tempus> server load (VPS), it's never over 5%
10:18 -!- jackbrown [~se@93-44-38-152.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:21 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
10:22 -!- acu [~acu@50.244.13.222] has joined #openvpn
10:26 -!- zifxify [~zifxify@d54C072A9.access.telenet.be] has joined #openvpn
10:26 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
10:31 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
10:31 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 240 seconds]
10:31 <@krzee> !mtu
10:31 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:33 -!- ISmithers [~ISmithers@mail.tinyillusion.com] has quit [Quit: ~ Trillian - www.trillian.im ~]
10:35 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-170.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 255 seconds]
10:43 -!- rtsq [~rickard@217.151.207.31] has quit [Ping timeout: 252 seconds]
10:44 -!- Gmt_dh_2918 [~script0r@53547430.cm-6-5b.dynamic.ziggo.nl] has joined #openvpn
10:44 -!- defswork [~andy@141.0.50.105] has joined #openvpn
10:44 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
10:45 < Gmt_dh_2918> Hello , good afternoon , could i ask you guys for some advice that i have been trying to figure out all day ?
10:46 < Gmt_dh_2918> i setup openvpn , everything works , inet forwarding , connecting and making the tunnel over an ssh connection , everything works perfect.
10:47 < Gmt_dh_2918> however at 1 of my employers , we have a proxy that we have to connect to to even get outside. i can setup corkscrew for the proxy and ssh out , i can connect to the vpn (linux client) and that goes ok . no errors. The only issue is that it drops after 2 seconds.
10:48 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
10:48 < Gmt_dh_2918> I figured out that if i lets say boot a windows host , run a virtual linux client and setup the SSH tunnel on the windows host and then let the linux client connect to windowshost.ip:vpnportforwarded it works flawless
10:49 < Gmt_dh_2918> however when i do it from a linux host it "overtakes" my initial ssh tunnel and the entire thing collapses.
10:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:51 < Gmt_dh_2918> the SSH tunnel times out becouse the vpn is active and i think? its trying to keep the ssh tunnel alive over the vpn or connect to the proxy over the vpn (while the proxy is networked here at my empoyer). my question , is there anything i can do to sort this out ? i have been googling all day and still havent gotten further then all the troubleshooting.
10:55 < rob0> tunnel over ssh? Huh?
10:55 -!- simon0181 [~vinise@109.129.211.105] has joined #openvpn
10:55 < Gmt_dh_2918> it works like this :
10:55 < rob0> oh ssh in and start openvpn?
10:56 < Gmt_dh_2918> secure location (vpnserver) with only port 22 accessable
10:56 < Gmt_dh_2918> yeh
10:56 < Gmt_dh_2918> i work freelance for the government so its kinda a no go to let me connect to anything else then 22 :(
10:57 < Gmt_dh_2918> well at least in that building haha, even thou its nothing to fancy , the restriction rules are so tight haha.
10:58 < rob0> yes, if you redirect the gateway while connections are up, you will kill those connections.
10:58 < Gmt_dh_2918> Works : win7[SSH in , set portforward 1194 localhost 1194  -> linux vm [ Vpn to win7 1194] -> [connected without issues]
10:58 -!- _VlperX_ [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
10:59 < Gmt_dh_2918> works : win7 [ssh in ] - enable vpn -> and i can still reach both my employers lan and my vpn.
10:59 < Gmt_dh_2918> not working : linux client [ ssh in] - enable vpn -> [  dead ssh tunnel so vpn drops ]
10:59 < Gmt_dh_2918> The thing is , due to policies i need to push my gateway so certain traffic and certain applications / monitors can inform me whenever i need to make an emergency visit to another company.
11:00 < rob0> See "daemon" in the manual. In daemon mode, openvpn detaches from the terminal, so the connection should survive the collapse of the parent terminal (ssh).
11:00 < rob0> !daemon
11:00 < Gmt_dh_2918> !daemon
11:01 < rob0> that's --daemon in the manual of course
11:01 < Gmt_dh_2918> was hoping the openvpn bot in here would spam me right about now with messages :(
11:01 < Gmt_dh_2918> at least i got an idea where i could have a look. I was thinking i might have to "change" something to the iptables. so i can reach my vpn and my employers network at the same time
11:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:02 < Gmt_dh_2918> since my gut feeling tells me the --daemon will keep the vpn alive but make the rest of the network inaccessable. my thoughts were going like that i needed some split iptables or something. Im already googleing now for the --daemon function and having a look at that , so thanks for that information ! :D
11:02 < rob0> main thing you need is non-overlapping IP space
11:03 < rob0> Google not, I did say the MANUAL
11:03 < simon0181> hi all, i did make multiple server instance on same server, as i have multiplel ca.crt & ca.key, ho to specifyed them before calling build-key? is there vars for that? thanks
11:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:03 < Gmt_dh_2918> ./easyrsa build-client-full clientname?
11:04 < Gmt_dh_2918> ./easyrsa build-server-full server servername? . or well that worked for me when i used the latest easyrsa.
11:04 < Gmt_dh_2918> ye i googled for the manual rob ;p
11:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:05 < rob0> !man
11:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
11:05 < Gmt_dh_2918> this box that im on now does not have openvpn installed. and i dont have install rights.
11:05 < Gmt_dh_2918> so man openvpn only works once its installed right ?
11:05 < Gmt_dh_2918> or am i stupid haha
11:08 < rob0> probably does require openvpn to be installed, yes
11:09 < Gmt_dh_2918> ^^ , anyway rob0 thanks for your help , ill have a look at it , there has to be a way so ill do my best to figure it out :D
11:11 -!- zifxify [~zifxify@d54C072A9.access.telenet.be] has quit [Ping timeout: 240 seconds]
11:14 -!- Gmt_dh_2918 [~script0r@53547430.cm-6-5b.dynamic.ziggo.nl] has quit [Quit: Ik ga weg]
11:20 -!- FatDarrel [~anandab@50.242.126.113] has quit [Read error: Connection reset by peer]
11:20 -!- FatDarrel [~anandab@50.242.126.113] has joined #openvpn
11:23 -!- MadTBone [~MadTBone@160.39.238.199] has quit [Remote host closed the connection]
11:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:30 -!- simon0181 [~vinise@109.129.211.105] has quit [Ping timeout: 252 seconds]
11:35 -!- Intensity [VYmgMO73Uk@unaffiliated/intensity] has quit [Ping timeout: 246 seconds]
11:38 -!- Guest3866 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 265 seconds]
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:40 -!- Ko_lo is now known as Guest53778
11:40 -!- Reza [~Reza@109.95.59.122] has quit []
11:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:47 -!- FatDarrel [~anandab@50.242.126.113] has quit [Ping timeout: 240 seconds]
11:55 -!- Aliekezhi [~Aliekezhi@80.215.178.149] has joined #openvpn
11:57 -!- Aliekezhi [~Aliekezhi@80.215.178.149] has quit [Remote host closed the connection]
12:08 -!- lj [~l@192.241.174.169] has joined #openvpn
12:08 -!- lj [~l@192.241.174.169] has quit [Client Quit]
12:19 -!- suzylee [~mariannee@unaffiliated/mariannee] has joined #openvpn
12:21 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has quit [Ping timeout: 252 seconds]
12:22 -!- suzylee [~mariannee@unaffiliated/mariannee] has left #openvpn []
12:38 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has joined #openvpn
12:44 -!- Aliekezhi [~Aliekezhi@80.215.178.149] has joined #openvpn
12:50 -!- simon0181 [~vinise@78-23-152-207.access.telenet.be] has joined #openvpn
13:03 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
13:07 -!- Intensity [ptEAej2rRQ@unaffiliated/intensity] has joined #openvpn
13:10 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:14 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has joined #openvpn
13:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:25 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Operation timed out]
13:35 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Remote host closed the connection]
13:47 -!- ndak [~ndak@37.235.55.127] has joined #openvpn
13:53 -!- batrick [batrick@nmap/developer/batrick] has quit [Remote host closed the connection]
13:55 -!- Aliekezhi [~Aliekezhi@80.215.178.149] has quit [Remote host closed the connection]
14:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
14:03 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
14:03 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
14:04 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
14:05 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has joined #openvpn
14:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:06 < Latrina> Hello people ..
14:06 < reiffert> yo Latrina
14:06 < Latrina> I have set up an openvpn server on Tun
14:06 < Latrina> brb
14:08 < Latrina> back
14:08 < Latrina> hey reiffert
14:09 < Latrina> so essentially the problem is that clients connected to the OpenVPN server can ping any clients connected on the OpenVPN private subnet 10.8.0.0
14:09 < Latrina> but cannot ping clients connected to the LAN network 192.168.1.0/24
14:10 < Latrina> clients connected on the LAN network can however ping clients connected to the OpenVPN network
14:10 < Latrina> any hints?
14:10 < roentgen> Latrina: the server LAN network that is?
14:11 < Latrina> the router in this case
14:11 < Latrina> which is the OpenVPN server
14:11 < Latrina> here's my iptables
14:11 < Latrina> http://pastie.org/9120633
14:11 < Latrina> oh it's OpenWrt Linux
14:12 < Latrina> and the server conf
14:12 < Latrina> http://pastie.org/9120641
14:12 < roentgen> Latrina: you could use a client config to push additional IPs or routes
14:13 < roentgen> search for openvpn ccd
14:13 < Latrina> roentgen: such as ?
14:14 < roentgen> you could also push routes from the main server config
14:14 < Latrina> essentially I need to be able to access to my NAS from remotely
14:14 < Latrina> roentgen: that sounds like a better idea
14:14 < Latrina> without the need to add further conf to the client configuration
14:14 < roentgen> untested, but something like "push route 192.168.15.16 255.255.255.0"
14:15 < roentgen> you add the ccd to the server not on the client
14:15 < Latrina> I think I do have it already
14:15 < Latrina> push "route 192.168.1.0 255.255.255.0"
14:15 < Latrina> oh okay
14:16 < roentgen> are you sure the route is not stepping on the client normal route?
14:16 < roentgen> it's too common
14:16 < Latrina> if I am not mistaken push "route 192.168.1.0 255.255.255.0" tells the OpenVPN server to router OpenVPN clients to the LAN subnet
14:16 < Latrina> right?
14:16 -!- ndak [~ndak@37.235.55.127] has quit []
14:16 < Latrina> roentgen: I am not sure what u mean by that ..
14:16 < Latrina> it would be an advantage for me to read an example
14:17 < Latrina> something .. so that I can better understand what I need
14:17 < Latrina> I am not that great with routing
14:17 < Latrina> :/
14:17 < roentgen> paste somewhere a client log and the routing table
14:18 < Latrina> sure
14:18 < Latrina> roentgen: the routing table of the client or the server?
14:18 < roentgen> the client's
14:19 < Latrina> http://pastie.org/9120656
14:19 -!- MadTBone [~MadTBone@160.39.238.199] has joined #openvpn
14:20 < Latrina> 1 sec and I will get the routing table for the client
14:20 < Latrina> however I am connected locally to the VPN in this case
14:21 < Latrina> http://pastie.org/9120660
14:22 < Latrina> I was thinking of adding a static route
14:22 < Latrina> to the server
14:22 < roentgen> would help more if you could get the *log* from a remote client
14:22 < Latrina> something that makes 10.8.0.0/16 point out to 192.168.1.0/24
14:23 < Latrina> roentgen: unfortunately I do not have access to any machine remotely
14:23 < Latrina> :(
14:23 < Latrina> I can do it tomorrow for sure ..
14:24 < Latrina> but in your mind, what a possibile solution might be??
14:24 < Latrina> so that in the meantime I can have a loot at it
14:26 < Latrina> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
14:26 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:26 < Latrina> maybe this can help
14:30 < roentgen> Latrina: it looks like the route gets added
14:31 < Latrina> seems like from what I can understand
14:31 < roentgen> maybe it just clashes with the remote client's internal route, like I said before
14:32 -!- simon0181 [~vinise@78-23-152-207.access.telenet.be] has quit []
14:33 < Latrina> roentgen: but it doesn't work from remotely either
14:34 < Latrina> perhaps an iroute from the client to the LAN could be a solution ?
14:35 < roentgen> no... that's for IPs behind the client, not the server
14:35 < roentgen> do you know the remote client LAN IP and gateway?
14:36 < Latrina> it is normally 192.168.1.1
14:36 < Latrina> the gw
14:36 < Latrina> subnet 192.168.1.0/24
14:36 < Latrina> same scenario really
14:36 < roentgen> that seems to be the problem then
14:37 < roentgen> you can't really push a route that overwrites the client's internal routes
14:37 < Latrina> I can hock up to a VLAN doing nat on 192.168.2.0/24 here
14:37 < Latrina> and see if it makes any difference
14:38 < Latrina> roentgen: oh it's like it mismatch ??
14:38 < roentgen> you should pick a more exotic LAN range on the openvpn server
14:38 < Latrina> such as ?
14:38 < Latrina> alyways under 192.168.X.X ?
14:39 < Latrina> if that's the case it is brilliant
14:39 < roentgen> more like 10.83.83.0/24
14:40 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
14:41 < rob0> !welcome
14:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
14:41 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:41 < Latrina> Can't I remain under 192.168.X.X/24 ?
14:41 < Latrina> like 192.168.5.0/24 for instance
14:41 < rob0> It must not conflict with any networks to/from which you wish to connect.
14:41 < Latrina> most of the router I use to connect to remotely are all under 192.168.0.0/24 192.168.0.1/24
14:42 < rob0> That's why !welcome #2 exists.
14:43 < Latrina> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:43 < Latrina> it says it all
14:43 < Latrina> but isn't 10.83.83.0/24 public IP range ?
14:45 < roentgen> https://en.wikipedia.org/wiki/Private_network
14:45 <@vpnHelper> Title: Private network - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:46 < Latrina> thanks once again :)
14:46 < Latrina> you guys are super
14:47 < Latrina> dinner time :)
14:47 < rob0> !subnet
14:47 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet
14:48 < rob0> !randomsubnet
14:48 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
14:49 -!- Aliekezhi [~Aliekezhi@80.215.178.149] has joined #openvpn
14:51 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has joined #openvpn
14:53 -!- d0wn_blog [~d0wn@business-ip-188-165-34-74.static.lu] has left #openvpn ["Leaving"]
15:00 -!- amsterdam [~Adium@xdsl-85-197-6-108.netcologne.de] has joined #openvpn
15:00 -!- amsterdam [~Adium@xdsl-85-197-6-108.netcologne.de] has quit [Client Quit]
15:07 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:16 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
15:17 < stemid> where can I find docs on ovpn profiles? I've only found scant examples so far and I'm missing how to input DH data and a tls static key into them.
15:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:21 -!- mattock is now known as mattock_afk
15:21 -!- Pisuke is now known as Sembei
15:23 < stemid> http://pastebin.com/VEYYdBws found this example but it contains no DH data
15:33 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
15:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
15:34 <@krzee> DH is only for the server
15:34 -!- gringao [~gringao@212-198-219-28.rev.numericable.fr] has joined #openvpn
15:35 -!- gringao [~gringao@212-198-219-28.rev.numericable.fr] has quit [Quit: Quitte]
15:36 -!- gringao [~gringao@212-198-219-28.rev.numericable.fr] has joined #openvpn
15:36 < stemid> oh snap, I've been adding the dh parameter to my client confs too
15:36 < stemid> also the file
15:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:37 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
15:37 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:49 -!- Latrina [~Latrina@ppp-70-10.26-151.libero.it] has quit [Ping timeout: 276 seconds]
15:51 -!- Aliekezhi [~Aliekezhi@80.215.178.149] has quit [Remote host closed the connection]
16:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
16:13 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
16:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
16:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:29 -!- mode/#openvpn [+v s7r] by ChanServ
16:32 < _FBi> !radius
16:33 < _FBi> !freeradius
16:35 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
16:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 265 seconds]
16:36 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:47 -!- gigo1980 [~Adium@pD954C353.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
16:59 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
17:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
17:00 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
17:13 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
17:20 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 252 seconds]
17:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:30 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:30 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
17:30 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
17:32 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:38 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:41 -!- joshh20-Away is now known as joshh20
17:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:58 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 240 seconds]
17:59 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:59 -!- esde [~esde@where.is.thatmobileitguy.com] has joined #openvpn
17:59 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
18:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:02 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
18:10 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:12 <+s7r> !freebsd
18:12 <@vpnHelper> "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
18:12 <+s7r> !current
18:12 <@vpnHelper> "current" is (#1) Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance. or (#2) The current version of OpenVPN can be
18:12 <@vpnHelper> downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
18:20 -!- ISmithers__ [~ISmithers@78.207.70.115.static.exetel.com.au] has joined #openvpn
18:26 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:27 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
18:40 -!- harlan [~harlan@ntp/pmgr/harlan] has quit [Remote host closed the connection]
18:45 -!- Latrina [~Latrina@ppp-141-35.26-151.libero.it] has joined #openvpn
18:50 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
19:01 -!- esde [~esde@where.is.thatmobileitguy.com] has quit [Changing host]
19:01 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
19:06 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
19:08 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
19:11 -!- dren__ [dren@access.not.allowed.org] has quit [Ping timeout: 264 seconds]
19:11 -!- dren__ [dren@69.163.43.35] has joined #openvpn
19:14 -!- ISmithers__ [~ISmithers@78.207.70.115.static.exetel.com.au] has quit [Quit: ~ Trillian - www.trillian.im ~]
19:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
19:28 -!- joshh20 is now known as joshh20-Away
19:33 -!- joshh20-Away is now known as joshh20
19:33 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
19:39 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 255 seconds]
19:46 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
19:46 -!- mode/#openvpn [+v hazardous] by ChanServ
19:52 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
19:52 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
20:09 -!- klein [~klein@177.101.105.94] has joined #openvpn
20:09 -!- klein [~klein@177.101.105.94] has quit [Changing host]
20:09 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
20:12 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:18 -!- ISmithers [~ISmithers@78.207.70.115.static.exetel.com.au] has joined #openvpn
20:22 -!- joshh20 is now known as joshh20-Away
20:36 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 265 seconds]
20:38 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 255 seconds]
20:44 -!- Pei [~pei@thinks.outside.theb0x.org] has joined #openvpn
21:07 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
21:08 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
21:33 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
21:51 -!- master_o1_master [~master_of@p4FD7BA25.dip0.t-ipconnect.de] has joined #openvpn
21:51 -!- ruben23 [~OpenDIAL@112.198.90.132] has joined #openvpn
21:51 < ruben23> hi guys.. i have a publci  Server where it runs a web access and telephony server...im worried for attack and exploits does VPN works for this...but how do i setup..? shoudl it be separate server VPN or just built on teh same server..? does it require more bandiwidth
21:54 < ruben23> any idea guys..?
21:54 -!- master_of_master [~master_of@p4FD7BFDB.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
22:08 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
22:09 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
22:12 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
22:15 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
22:15 -!- mode/#openvpn [+v hazardous] by ChanServ
22:18 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 252 seconds]
22:19 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
22:22 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:22 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
22:25 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Write error: Broken pipe]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
22:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
22:41 < ISmithers> Hey ruben23, forgive me if I underestimate your knowledge on the subject but just to throw in some info a VPN is a secure tunnel through the network. Image a hostile ocean full of sharks - that's the internet.
22:41 < ISmithers> You need to get to a tropical island just a short distance away, you could swim (which is a bad idea) or you could build a tunnel and walk through in relative safety - that's a VPN.
22:42 < ISmithers> So you set up something like VPN on your server, and then you create a profile for that connection, give it to your clients (or you) and then you use it with OpenVPN's client application to connect to your server.
22:43 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
22:43 < ISmithers> Once you do that, it's as if you were on the local server. There are a bunch of options you can layer on top of that if you so wish, such as using SSL certificates for authentication, and routing and so on.
22:44 < ISmithers> I don't know about the bandwidth implications, I doubt they are significant however.
22:45 < ISmithers> In regards to installing it you can install it on your main server, which should be fine for your purposes.
22:45 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 240 seconds]
22:46 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
22:46 -!- budman [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
22:47 < ISmithers> In regards to your concern about attacks/exploits it depends on what sort of attacks/exploits you are talking about. Ones that target apache say, won't be stopped by installing OpenVPN.
22:48 < ISmithers> I think it's good to read the OpenVPN docs a little, as they cover the whys and hows. Start here https://openvpn.net/index.php/open-source/documentation.html
22:48 <@vpnHelper> Title: Documentation (at openvpn.net)
22:55 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
22:59 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
23:03 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
23:05 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
23:09 -!- c0ded [~c0ded@2607:5300:60:350:c0d3:c0d3:c0d3:c0d3] has joined #openvpn
23:09 -!- c0ded [~c0ded@2607:5300:60:350:c0d3:c0d3:c0d3:c0d3] has quit [Changing host]
23:09 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:10 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
23:10 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
23:17 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
23:18 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 245 seconds]
23:24 < ruben23> Smithers: this is a very great help..
23:25 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
23:26 -!- mode/#openvpn [+o plaisthos] by ChanServ
23:28 < ISmithers> :)
23:32 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
23:35 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:35 -!- mode/#openvpn [+v hazardous] by ChanServ
23:37 -!- Guest53778 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 255 seconds]
23:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
23:40 -!- Ko_lo is now known as Guest39271
23:48 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
23:51 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 265 seconds]
23:51 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
23:53 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:53 -!- mode/#openvpn [+v hazardous] by ChanServ
23:54 -!- ShadniX [dagger@p5481CE76.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:55 -!- ShadniX [dagger@p5DDFC6FA.dip0.t-ipconnect.de] has joined #openvpn
23:58 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
23:58 -!- toobluesc [~nitro@2001:558:6045:7b:c94:cdd6:b099:5cbe] has joined #openvpn
--- Day changed Tue Apr 29 2014
00:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 252 seconds]
00:01 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
00:01 -!- mode/#openvpn [+v hazardous] by ChanServ
00:01 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
00:02 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Read error: Operation timed out]
00:05 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
00:12 -!- acu [~acu@50.244.13.222] has joined #openvpn
00:25 -!- ruben23 [~OpenDIAL@112.198.90.132] has quit [Ping timeout: 252 seconds]
00:50 -!- R2_2k [Ammon@c-67-184-214-253.hsd1.il.comcast.net] has joined #openvpn
00:58 -!- R2_2k [Ammon@c-67-184-214-253.hsd1.il.comcast.net] has quit [Quit: • IRcap • 8.71 •]
01:07 -!- mattock_afk is now known as mattock
01:08 <@krzee> !dh
01:08 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
01:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:38 <@krzee> !certinfo
01:38 <@vpnHelper> "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
01:45 -!- toobluesc [~nitro@2001:558:6045:7b:c94:cdd6:b099:5cbe] has quit [Quit: Ex-Chat]
01:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:52 -!- sunwind` [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind`]
01:54 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
01:55 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:56 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:58 -!- gigo1980 [~Adium@p54857CFD.dip0.t-ipconnect.de] has joined #openvpn
02:08 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 276 seconds]
02:10 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
02:12 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
02:19 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:19 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
02:22 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Ping timeout: 252 seconds]
02:24 -!- gigo1980 [~Adium@p54857CFD.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
02:26 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
02:30 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has joined #openvpn
02:44 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
03:14 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has joined #openvpn
03:17 < gigo1980> https://www.youtube.com/watch?v=z_ZKYfKK2pU#t=65  <— so kann man sogar helene fischer hören, nur die stimme könnte noch etwas verzerter sein *G*
03:17 <@vpnHelper> Title: Helene Fischer - Atemlos (HD) [Metal Cover by UMC] - YouTube (at www.youtube.com)
03:24 -!- liviu is now known as lfx
03:25 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 246 seconds]
03:28 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:28 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:33 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
03:34 < samael> just created by mistake certificates for a 'wrong' host. what if i'd like to 'rollback' the last ./build-key command? is it enough to revert back keys/index and keys/serial with the values in their .old files, and delete $cn.{key,crt,csr} and the $serial.pem file?
03:35 < samael> will i break something?
03:35 <@krzee> most likely
03:35 <@krzee> better off just making the new keys and accept a serial exists that isnt in use
03:36 <@krzee> but also, the cn does not need to match hostname or anything like that
03:38 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
03:39 < samael> ok, i'll just keep them without creating a ccd file then. thank you
03:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:48 < roentgen> Hi mattock
03:48 < roentgen> I can't seem to connect to the buildbot
03:49 < roentgen> "connection attempt timed out" even though ping works
03:50 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
03:52 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
03:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:56 -!- mode/#openvpn [+o syzzer] by ChanServ
04:08 -!- ISmithers [~ISmithers@78.207.70.115.static.exetel.com.au] has quit [Quit: ~ Trillian - www.trillian.im ~]
04:09 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:12 -!- svg [~svg@hydargos.ginsys.net] has quit [Ping timeout: 264 seconds]
04:20 -!- daemon [~daemon@cpc4-linc11-2-0-cust134.12-1.cable.virginm.net] has joined #openvpn
04:20 < daemon> hey all on my server I keep getting: http://pastebin.com/raw.php?i=fdwrDxfT what cert did I get in the wrong place,
04:22 -!- tuvok [tuvok@Photography.tuvok.eu] has joined #openvpn
04:35 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Remote host closed the connection]
04:40 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:00 -!- UnicornGod [~cmsns@unaffiliated/unicorngod] has joined #openvpn
05:00 < UnicornGod> anyone around to help me with an issue I'm having?
05:12 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:14 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 276 seconds]
05:17 -!- svg [~svg@ns.milieuinfo.be] has joined #openvpn
05:18 -!- Latrina [~Latrina@ppp-141-35.26-151.libero.it] has quit [Read error: Operation timed out]
05:21 -!- Latrina [~Latrina@adsl-ull-228-247.45-151.net24.it] has joined #openvpn
05:24 -!- tamazaki [~tamazaki@95.85.35.109] has joined #openvpn
05:25 -!- tamazaki [~tamazaki@95.85.35.109] has quit [Client Quit]
05:25 -!- tamazaki [~tamazaki@95.85.35.109] has joined #openvpn
05:32 -!- UnicornGod [~cmsns@unaffiliated/unicorngod] has left #openvpn []
05:49 -!- suzylee [~mariannee@unaffiliated/mariannee] has joined #openvpn
05:53 < daemon> hi can anyone please give me a hand with this: http://pastebin.com/raw.php?i=KxuGm53g
05:53 < daemon> I have no idea whats causing it and google aint helping
05:55 < daemon> here is the client: http://pastebin.com/raw.php?i=YsgkfzsG
05:55 -!- suzylee [~mariannee@unaffiliated/mariannee] has left #openvpn []
05:56 < daemon> there is no firewall
05:56 < daemon> tincd works perfectly
06:20 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:25 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:27 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
06:27 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
06:27 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
06:43 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
06:47 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
06:53 < rob0> daemon, you're using TCP and tap, why and why? Both are not recommended.
06:56 < daemon> I tried every combination this one gave me the most debugging information
06:56 < daemon> I assume any will work once I get it to establish
07:17 -!- ISmithers [~ISmithers@mail.tinyillusion.com] has joined #openvpn
07:17 < ISmithers> Greetings
07:18 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
07:23 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
07:30 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
07:40 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Quit: Adios]
08:01 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
08:03 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
08:05 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
08:06 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
08:09 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
08:09 -!- grep0r [grep0r@bitcoinshell.mooo.com] has joined #openvpn
08:19 -!- svg [~svg@ns.milieuinfo.be] has quit [Quit: Lost terminal]
08:19 -!- svg_ [~svg@hydargos.ginsys.net] has joined #openvpn
08:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:19 -!- mode/#openvpn [+v s7r] by ChanServ
08:19 -!- svg_ is now known as svg
08:21 -!- __YKY__ [~immortal@42-3-192-066.static.netvigator.com] has joined #openvpn
08:21 < __YKY__> where can I find the client`s IP address?
08:21 < __YKY__> is it 10.8.0.one?
08:22 < __YKY__> is it 10.8.0.1?
08:25 -!- Aliekezhi [~Aliekezhi@LPoitiers-156-84-21-169.w193-248.abo.wanadoo.fr] has quit [Ping timeout: 252 seconds]
08:27 < daemon> the server will be 10.8.0.1
08:28 < daemon> on the client just type 'ifconfig tun0'
08:28 < daemon> assuming tun0 is the device your using
08:28 < daemon> you will see something like:
08:28 < daemon>         inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
08:28 -!- michaelhart [~michaelha@192.237.177.15] has left #openvpn []
08:28 < daemon> err wait thats the server
08:28 < daemon>         inet 10.0.0.6 --> 10.0.0.5 netmask 0xffffffff
08:28 < daemon> 10.0.0.6 is its
08:28 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:28 < daemon> ip
08:31 < __YKY__> under tun0 there is:
08:31 < __YKY__> inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
08:37 < daemon> thats your server, its ip is 10.8.0.1 from the client you should be able to ping it
08:42 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
08:42 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:43 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 265 seconds]
08:51 -!- Bainwa [~benoits@195.88.84.152] has joined #openvpn
08:51 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
08:52 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
08:55 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
08:55 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
08:55 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
08:55 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:15 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:26 -!- gigo1980 [~Adium@178-25-23-87-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
09:41 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 252 seconds]
09:53 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:06 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
10:17 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 265 seconds]
10:22 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
10:26 -!- zifxify [~zifxify@d54C072A9.access.telenet.be] has joined #openvpn
10:27 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
10:28 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
10:33 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
10:38 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has joined #openvpn
10:41 -!- budman [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 276 seconds]
10:42 -!- Aliekezhi [~Aliekezhi@80.215.210.138] has joined #openvpn
10:43 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
10:46 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
10:47 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
11:02 -!- c0ded [~c0ded@2607:5300:60:350:c0d3:c0d3:c0d3:c0d3] has joined #openvpn
11:02 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
11:02 -!- c0ded [~c0ded@2607:5300:60:350:c0d3:c0d3:c0d3:c0d3] has quit [Changing host]
11:02 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
11:04 -!- zifxify [~zifxify@d54C072A9.access.telenet.be] has left #openvpn []
11:07 -!- sauce_ is now known as sauce
11:07 -!- sauce [sauce@ool-ad02ad20.dyn.optonline.net] has quit [Changing host]
11:07 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
11:14 -!- ISmithers [~ISmithers@mail.tinyillusion.com] has left #openvpn []
11:33 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
11:34 < DQSII> k im curious i use open vpn in both windows and ubuntu i dual boot but does the flash rule apply the same in open vpn as it does with tor are u not supposed to use flash at all
11:35 -!- Guest39271 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Read error: Operation timed out]
11:39 -!- Ko_lo [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has joined #openvpn
11:40 -!- Ko_lo is now known as Guest46250
11:41 < DQSII> anybody know if u are allowed to use adobe flash or not in open vpn ??
11:42 <@krzee> openvpn doesnt care what the traffic is, if it is set to route over openvpn then openvpn sends it
11:44 < DQSII> ok just making sure cause tor dosent like flash
11:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
11:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:46 <@krzee> ya openvpn just lets the OS route based on the kernel routing table
11:47 <@krzee> tor is different, acts as a socks proxy iirc
11:48 < DQSII> yeah i use tor for my irc only and open vpn for browsing
11:49 <@krzee> unrelated, but based on your usage you might enjoy something like this:
11:49 <@krzee> !routebyapp
11:49 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
11:49 <@vpnHelper> policies you set. For Linux, read about !lartc
11:49 <@krzee> if you run a socks server on the vpn server, on the vpn ip, then you can selectively route apps over openvpn (instead of only subnets)
11:52 -!- derRichard [~derRichar@pippin.sigma-star.at] has joined #openvpn
11:52 < derRichard> krzee: there i am :D
11:52 <@krzee> =]
11:52 <@krzee> this way we dont wake the devs
11:52 < derRichard> so, "openvpn connect" is closed source?
11:56 <@krzee> some of it is
11:56 <@krzee> some of it is available here:   http://staging.openvpn.net/openvpn3/
11:56 <@vpnHelper> Title: OpenVPN 3 (at staging.openvpn.net)
11:56 <@krzee> but https://forums.openvpn.net/topic12800.html
11:56 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect Source Code : OpenVPN Connect (iOS) (at forums.openvpn.net)
11:56 <@krzee> Note that OpenVPN Tech. cannot release the code that implements the integration between OpenVPN and the iOS VPN Framework because it's under NDA.
11:57 < derRichard> very cool. thanks a lot krzee
11:57 <@krzee> yw
11:57 <@krzee> !connect
11:57 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969
11:58 <@krzee> !learn connect as the source is here: http://staging.openvpn.net/openvpn3/  except for the portion that may not be released because of NDA with apple (for its vpn API)
11:58 <@vpnHelper> Joo got it.
12:00 -!- t0r [~textual@167.206.48.217] has joined #openvpn
12:03 -!- t0r [~textual@167.206.48.217] has quit [Client Quit]
12:04 -!- prwilson [~prwilson@167.206.48.217] has joined #openvpn
12:07 < derRichard> krzee: btw: would be nice to find that links on http://openvpn.net/index.php/open-source.html too
12:07 <@vpnHelper> Title: OpenVPN Community Software (at openvpn.net)
12:07 <@krzee> i cant modify anything outside of community.openvpn.net, but i'll toss something up there
12:08 < derRichard> okay :)
12:09 < derRichard> btw: do you know why c++ was chosen for the openvpn3 library?
12:10 <@krzee> i do not, it could be as simple as "james felt like it" although i suspect he has his reasons
12:10 < derRichard> hehe :D
12:10 < Eugene> openvpn3? o.O
12:11 < derRichard> i'm asking because the openvpn c code is very clean and c++ is IHMO not needed
12:11 < derRichard> Eugene: http://staging.openvpn.net/openvpn3/
12:11 <@vpnHelper> Title: OpenVPN 3 (at staging.openvpn.net)
12:11 <@krzee> Eugene, ya they further confused things? now the roadmap's openvpn3 is openvpn4
12:11 < Eugene> Aieee.
12:12 < Eugene> re:usage of C++; iOS and Android ;-)
12:12 < derRichard> can't you use c on ios? :P
12:12 <@krzee> derRichard, if you go to the link you gave me, and then go to the tab "community" and then to "source code" you end up here:  https://community.openvpn.net/openvpn/wiki/TesterDocumentation
12:12 <@vpnHelper> Title: TesterDocumentation – OpenVPN Community (at community.openvpn.net)
12:13 <@krzee> so i will add the links i gave you to that page =]
12:13 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:15 < derRichard> nice :)
12:20 <@krzee> aaaaaand updated.
12:21 <@krzee> Eugene, it is noteworthy that openvpn3 could be a giant step in the roadmap to openvpn4 (previously envisioned as openvpn3 in the roadmap)
12:21 <@krzee> since basically it makes openvpn a lib
12:22 < Eugene> Eg, makign the GUI integrations a lot less-shitty?
12:22 <@krzee> unrelated actually
12:22 <@krzee> !roadmap
12:22 <@vpnHelper> "roadmap" is https://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
12:22 < Eugene> s/3/4 :-p
12:22 <@krzee> right ;]
12:22 < Eugene> So is the "openvpn3" sauce new?
12:22 < n13l> C++ is evil
12:22 < Eugene> I hadn't seen it before
12:22 < Eugene> Fuck off, Linus.
12:24 -!- _jareth_ is now known as jareth_
12:37 -!- vinise [~vinise@78-23-152-207.access.telenet.be] has joined #openvpn
12:43 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
12:44 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
12:55 -!- s7r_g [~s7r@openvpn/user/s7r] has joined #openvpn
12:55 -!- mode/#openvpn [+v s7r_g] by ChanServ
12:55 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
13:05 -!- dren__ is now known as dren
13:09 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
13:13 -!- dren [dren@69.163.43.35] has quit [Quit: BitchX-1.1-final -- just do it.]
13:14 -!- gigo1980 [~Adium@p54857CFD.dip0.t-ipconnect.de] has joined #openvpn
13:17 -!- acu [~acu@50.244.13.222] has quit [Ping timeout: 265 seconds]
13:24 -!- s7r_g is now known as s7r
13:27 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Quit: sunwind]
13:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-jaehswktxvuxdndm] has quit [Ping timeout: 252 seconds]
13:29 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 240 seconds]
13:36 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has joined #openvpn
13:39 -!- ndak [~ndak@unaffiliated/ndak] has joined #openvpn
13:39 < ndak> hi i need to setup a openvpn server with PEM. Do you have time? I gonna pay you /msg me
13:43 -!- mode/#openvpn [+o rob0] by ChanServ
13:44 -!- mode/#openvpn [+b ndak!*@*] by rob0
13:44 -!- ndak was kicked from #openvpn by rob0 [ban evader]
13:44 <@rob0> I would highly recommend that anyone here avoid doing business with this character
13:45 -!- mode/#openvpn [+b $a:ndak] by rob0
13:46 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has joined #openvpn
13:46 -!- klein [~klein@189-016-006-003.asselvi.edu.br] has quit [Changing host]
13:46 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
13:46 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
13:50 -!- mode/#openvpn [-bbo $a:ndak ndak!*@* rob0] by rob0
13:51 -!- ndak [~ndak@unaffiliated/ndak] has joined #openvpn
13:51 < rob0> Apparently the dispute from yesterday was resolved, so the ban is removed.
13:52 < ndak> We're not psychic.
13:52 < ndak> :)
14:01 -!- roentgen_ [~irc@openvpn/community/support/roentgen] has joined #openvpn
14:03 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 276 seconds]
14:03 -!- __YKY__ [~immortal@42-3-192-066.static.netvigator.com] has quit [Ping timeout: 264 seconds]
14:05 <@krzee> whats PEM?
14:06 <@krzee> you just mean PKI?
14:08 < ndak> no
14:08 < ndak> PEM
14:09 < Eugene> Is this the same clown who called me an asslicker
14:09 <@krzee> then answer the question, what is PEM
14:10 <@krzee> Eugene, how'd he know!? you forget to put tape over your webcam?
14:10 -!- acu [~acu@50.244.13.222] has joined #openvpn
14:10 < Eugene> No, that's what /makes/ me an asslicker. It's calling me one that I take offense to
14:11 < Eugene> See also the old joke: "Does liking pop music make me gay?" "No, sucking cock does."
14:15 -!- roentgen_ [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:16 < ndak> Eugene: who are you talking about? do you talking about youself? :)
14:17 <@krzee> ndak, you going to answer the question or not?
14:17 < ndak> krzee: it is PEM
14:17 <@krzee> i say what is pem, you answer "it is pem"
14:17 <@krzee> so obviously you dont want help, what are you doing here?
14:18 < Eugene> Licking asses, it would seem.
14:19 < ndak> Eugene: maybe your mama licking my asS?
14:19 < ndak> haha
14:19 -!- mode/#openvpn [+o Eugene] by ChanServ
14:19 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
14:19 -!- ndak was kicked from #openvpn by Eugene [Bye]
14:19 <@krzee> beat me to it
14:19 <@krzee> rob0, who is that guy?
14:20 -!- ndak [~ndak@unaffiliated/ndak] has joined #openvpn
14:20 -!- ndak [~ndak@unaffiliated/ndak] has left #openvpn []
14:20 -!- mode/#openvpn [+b *!*@unaffiliated/ndak] by krzee
14:20 <@Eugene> He was here yesterday, around 1400UTC. Check logs if you want a full story
14:20 <@krzee> dont have logs
14:20 <@Eugene> !logs
14:21 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:21 <@Eugene> !factoids search logs
14:21 <@vpnHelper> 'irclogs' and 'logs'
14:21 <@Eugene> !irclogs
14:21 <@vpnHelper> "irclogs" is Channel logs are available at http://secure-computing.net/logs/#openvpn.log and http://secure-computing.net/logs/#openvpn-devel.log and are updated every three hours.
14:22 <@krzee> last i know those arent up to date for years and goes back to like 2007
14:22 <@krzee> now all i see is "refresh for more"
14:22 <@Eugene> Well i can't be fucked to post my copy
14:22 <@Eugene> tl;dr I'm an asslicker
14:23 <@krzee> my scrollback buffer doesnt show ndak at all
14:26 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:27 < rob0> ecrist posted his PM with him, which was very amusing
14:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:29 < rob0> http://secure-computing.net/files/ndak2.txt
14:32 <@krzee> [15:32]  <ndak> i am gonna join #openvpn if i need to
14:32 <@krzee> [15:32]  <ndak> dont worry :)
14:33 <@krzee> that was before i added him to /ignore for privmsg
14:33 < rob0> he'll be easily recognizable in other incarnations
14:33 <@krzee> ya i suspect that if he could control his personality he would have already done it
14:35 < rob0> :)
14:36 <@krzee> haha thanks for posting the log
14:36 <@krzee> wow, ecrist banned him yesterday and he got rebanned by me moments after re-joining
14:36 <@krzee> some people just cant use irc
14:36 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
14:37 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
14:40 -!- dendi [~dendi@109.238.179.246] has joined #openvpn
14:40 < dendi> Look. I gonna join this channel WHENEVER i want trust me. Eugene and krzee I FUCK YOUR MOTHERS SO GOOD! SO NOW YOU NEED TO BAN ME! ;)
14:40 < dendi> you have no power thats why
14:40 < dendi> IRL
14:40 < dendi> thats why you need to ban me here
14:41 < dendi> capish?
14:41 < dendi> losers :)
14:41 -!- mode/#openvpn [+r] by krzee
14:41 -!- dendi was kicked from #openvpn by krzee [dendi]
14:41 < derRichard> hm, this seems to be a rather rude channel
14:42 <@krzee> nor normally trolls here
14:42 <@krzee> not*
14:43 < derRichard> TBH, i found this statement also not okay: 19:22 < Eugene> Fuck off, Linus.
14:43 <@krzee> we all have our days ;]
14:43 <@krzee> hes been here helping people for years
14:44 < derRichard> :-)
14:44 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 246 seconds]
14:45 <@krzee> !ircstats
14:45 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
14:45  * krzee notes he has the second highest channel karma
14:47 < derRichard> i have a question on --server, manpage states "The server itself will take the ".1" address of the given network...". can i change that? i'd like to give the server an address different thant .1 to have a smaller vpn network. like /30
14:48 <@krzee> sure, you dont have to actually use --server
14:48 <@krzee> it is a helper directive that simply uses other config options, you can do it yourself instead
14:49 < derRichard> oh!
14:49 <@krzee> the part of the manpage you mentioned is where you figure out what to use in its place =]
14:49 < derRichard> i always thought "For example, --server 10.8.0.0 255.255.255.0 expands as follows" is kind of pseudo code...
14:49 -!- vinise [~vinise@78-23-152-207.access.telenet.be] has quit [Ping timeout: 240 seconds]
14:50 <@krzee> yes, it simply makes configuring openvpn easier, some people here recommend to not use it so you know better how you are configured
14:50 <@krzee> personally, i just use it
14:50 <@krzee> may i ask why you want a smaller vpn subnet?
14:50 <@krzee> you do not plan on putting it inside a subnet that is already in use, right?
14:50 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:51 < derRichard> because my server has many openvpn daemons. they connect many sites. i don't want to waste a full /24 network only for each site-to-site tunnel
14:53 -!- joshh20-Away is now known as joshh20
14:53 < derRichard> i.e. i want to connect site a (1.0.0.0/24) to site b (2.0.0.0/24). to make openvpn work i need als a vpn net like 10.8.0.0/24 where 10.8.0.1 is the server. as there is alway only one server and one client. 10.8.0.0/24 is too big.
14:55 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
15:01 <@Eugene> derRichard - the word "fuck" or the sentiment that "Linus is an idiot for not liking C++" ?
15:02 < derRichard> Eugene: hehe, the combination of both ;)
15:03 <@Eugene> 10 FUCK OFF
15:03 <@Eugene> 20 GOTO 10
15:04 < derRichard> i'm too young for BASIC, so i cannot follow ;)
15:04 <@Eugene> Anyway, the good news about /24s out of 10/8 is that there's a lot of them. Don't worry about it.
15:05 <@Eugene> If you really want you could establish a pile of /30s for PtP links, but ugh numbering
15:06 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
15:06 -!- sunwind [~paradox@cpc21-brmb8-2-0-cust749.1-3.cable.virginm.net] has quit [Ping timeout: 255 seconds]
15:06 <@krzee> derRichard, if there is for SURE only 1 server and 1 client, you dont need an address pool at all
15:06 <@krzee> you can simply ifconfig both sides
15:07 <@krzee> but ya, using a larger pool hurts nothing
15:07 < derRichard> yeah, i can deal with the numbering and i'm sure there there will be exactly one client
15:08 < derRichard> but i understand your point too. maybe i make 10.8.x.y/24 my vpn net
15:08 <@krzee> !randomsubnet
15:08 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
15:08 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Quit: Leaving]
15:09 <@krzee> and of course, if you want a very small pool go ahead? i cant promise it has been tested much but it should be fine
15:09 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
15:09 <@krzee> but you gain nothing from it
15:09 < rob0> If you tell a C programmer to go to hell, he's more offended at the GOTO than at the destination.
15:10 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Client Quit]
15:10 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:10 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
15:19 -!- prwilson [~prwilson@167.206.48.217] has quit [Quit: Textual IRC Client: www.textualapp.com]
15:20 -!- prwilson [~prwilson@167.206.48.217] has joined #openvpn
15:20 -!- prwilson [~prwilson@167.206.48.217] has left #openvpn []
15:24 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:25 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 252 seconds]
15:27 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
15:29 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:30 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 276 seconds]
15:31 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:35 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
15:37 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:41 <@Eugene> Badum-tish.
15:42 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
15:43 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:44 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:48 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
15:50 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:54 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
15:54 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
15:56 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:02 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
16:03 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:06 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 276 seconds]
16:08 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
16:10 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:15 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
16:17 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:22 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
16:24 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:25 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 265 seconds]
16:29 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
16:30 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:35 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
16:37 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-ktzxxewiuapygiut] has joined #openvpn
16:42 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
16:43 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:45 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
16:46 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
16:48 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 265 seconds]
16:49 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
16:52 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Quit: Leaving]
16:54 < reiffert> ?
16:54 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 265 seconds]
16:56 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
17:01 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
17:01 -!- Aliekezhi [~Aliekezhi@80.215.210.138] has quit [Quit: Leaving]
17:03 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
17:07 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
17:09 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
17:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
17:14 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
17:14 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
17:15 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
17:20 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 240 seconds]
17:21 -!- gigo1980 [~Adium@p54857CFD.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
17:22 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
17:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
17:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:36 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
17:37 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
17:37 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 258 seconds]
17:37 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 258 seconds]
17:37 -!- frank-- is now known as thumbs
17:37 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:38 -!- mode/#openvpn [+o krzee] by ChanServ
17:38 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Ping timeout: 272 seconds]
17:40 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
17:47 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
17:53 -!- tharkun [~0@187.188.94.182] has quit [Changing host]
17:53 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
17:56 -!- sauce [sauce@unaffiliated/sauce] has quit [Remote host closed the connection]
17:56 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Ping timeout: 258 seconds]
17:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:58 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
18:01 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 265 seconds]
18:04 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 252 seconds]
18:13 -!- ISmithers [~ISmithers@78.207.70.115.static.exetel.com.au] has joined #openvpn
18:14 < ISmithers> Hey all
18:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
18:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:31 -!- EvenSteven [~EvenSteve@109.201.154.222] has joined #openvpn
18:34 < EvenSteven> is it easy to setup a profile for an android smartphone ?
18:39 < ISmithers> Yeah EvenSteven
18:39 < ISmithers> Most OpenVPN installs will come with a default ovpn profile file, and you edit that.
18:40 < pekster> Actually, none do. You need to create the configuration yourself, but importing it into the android app is trivial
18:40 < pekster> !howto
18:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
18:40 < EvenSteven> Currently i have the vpnas setup. II can connect to the server from wifi but not over celluar. Have any suggestions?
18:40 < pekster> And once you hae your configs, you can import inline configs
18:40 < ISmithers> Mine came with it pekster
18:40 < pekster> !android
18:40 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
18:41 < pekster> ISmithers: OpenVPN does not come with a config; it's your job to create one
18:41 < ISmithers> pekster *MINE* came with one.
18:41 < EvenSteven> I was able to import the profile however it shows a lan based ip address
18:41 < pekster> THen you downloaded some bullshit
18:41 < pekster> !download
18:41 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
18:41 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
18:41 < pekster> Or are you an AS user or been given a config someone _else_ prepared?
18:42 -!- early [~early@192.241.198.49] has joined #openvpn
18:42 < ISmithers> Anyway it's quite easy to generate one EvenSteven, I was able to get mine running pretty quickly.
18:42 < ISmithers> There is a minimum of options you need, and then you can layer on additional things as you see fit. The documentation is pretty good.
18:42 < ISmithers> There are lots of example files online too.
18:43 < EvenSteven> I was just able to import the profile however, its trying to connect to a lan based ip, is there way to configure it to work from a celluar connection
18:43 < pekster> EvenSteven: You're using something that's not openvpn if you have a "profile"
18:44 < ISmithers> Well the connection is largely irrelevant EvenSteven, it will just seek the address you specify.
18:44 < EvenSteven> should i be using the openvpn connect ?
18:44 < pekster> That's not openvpn, no
18:44 < pekster> !connect
18:44 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
18:44 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
18:44 < ISmithers> It's the community package EvenSteven
18:44 < ISmithers> That's what I use.
18:45 < EvenSteven> is there an alternative then
18:45 < pekster> forum post explains the difference. The open-source community can't provide support for commercial solutions
18:46 < pekster> If you choose to use a commercial product, seek the vendor for assistance
18:46 < pekster> I already gave you the android download link, right before you tried to tell me how wrong I was ;)
18:46 < ISmithers> If it's for personal use EvenSteven then the community package is what a lot of people use, and a lot of companies too as it's free.
18:47 < pekster> It's even bundled as part of some commercial VPN/firewall products (so long as they comply with the GPL requirements, it's all legal, and doesn't require license fees)
18:47 < rob0> I think there are a few bells & whistles in OpenVPN-AS that we don't have, but they're not features which are likely to appeal to geeks.
18:47 < EvenSteven> ok im working on that right now
18:47 < pekster> AS does require license fees, but they offer some other unique services that some people feel worth paying for
18:47 < rob0> like a pointy-clicky GUI to manage things
18:48 < pekster> Matches the pointy-haired boss :)
18:49 < rob0> zackly!
18:51 < EvenSteven> Thankyou everyone for the help.
18:52 -!- rawburt [~irc@pdpc/supporter/professional/rawburt] has joined #openvpn
18:53 < rawburt> for a point-to-point OpenVPN connection, using static keys, is there something I can do to further improve the encryption?
18:54 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
18:54 < pekster> Nope; by nature of a static key, if the key is ever leaked, any sessions (even past ones that were captured) can be decrypted
18:55 < pekster> This is why TLS is the more popular solution as it offers forward-secrecy and the ability to revoke or renew just certain keys when you need
18:56 < pekster> You can use TLS with point-to-point, by the way
18:56 < rawburt> ok
18:56 < SCHAAP137> not with all ciphers though
18:56 < pekster> The data crypto has nothing to do with use of TLS
18:57 < pekster> So, "yes, with all ciphers"
18:57 < SCHAAP137> true
18:58 < rawburt> thanks pekster
18:59 < EvenSteven> When i try to connect im getting an Error : Options error: --ca fails with 'missing': no such file or directory. Any suggestions?
19:04 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:08 < pekster> Invalid path to your CA it sounds like. If this is a mobile platform you should be using !inline for your ca and any client key+cert files
19:09 < pekster> --ca must point to a valid path, or read about !inline here
19:11 < EvenSteven> the error is on my Galaxy S4
19:12 < EvenSteven> !inline
19:12 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
19:16 < EvenSteven> is there an easy to generate an inline ca for android ?
19:19 < EvenSteven> stupid question. Is there a particular way to generate a certificate for android ?
19:21 < EvenSteven> do i even need a cert if im using user / pass combo ?
19:26 < rawburt> pekster: to do TLS do I need to setup a CA?
19:27 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
19:30 < rawburt> I guess the thing to do there is get a real cert
19:37 -!- m0rd3cai [~c@76.177.151.99] has joined #openvpn
19:37 -!- m0rd3cai [~c@76.177.151.99] has left #openvpn []
19:49 -!- EvenSteven [~EvenSteve@109.201.154.222] has quit [Quit: Leaving]
19:53 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 252 seconds]
19:53 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
19:53 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
19:53 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
19:53 -!- mode/#openvpn [+o plaisthos] by ChanServ
19:53 -!- rypervenche [~rypervenc@unaffiliated/rypervenche] has quit [Ping timeout: 252 seconds]
19:54 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
19:54 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 252 seconds]
19:56 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
20:00 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
20:01 -!- rypervenche [~rypervenc@unaffiliated/rypervenche] has joined #openvpn
20:07 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
20:09 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:10 -!- joshh20 is now known as joshh20-Away
20:30 < pekster> rawburt: "real" cert? You shouldn't "buy" one (as that actually causes you all sorts of other problems)
20:30 < pekster> !certman
20:30 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
20:44 -!- brockp [~brockp@c-98-209-119-190.hsd1.mi.comcast.net] has joined #openvpn
20:45 < brockp> !welcome
20:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:47 < brockp> Longtime simple OpenVPN user, I have a simple lan at the office that runs OpenVPN server, what I am trying todo now is set it up such that the router running OpenVPN on that site can talk to our amazon AWS instance (only one at this time) which is a normal OpenVPN client, but if we refer to this machine by its public IP, not its internal VPN ip,
20:48 < brockp> I followed the instructions here: http://community.openvpn.net/openvpn/wiki/RoutedLans
20:48 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
20:48 < brockp> but I get errors and can’t connect to the host with: TLS Error: TLS key negotiation failed to occur within 60 seconds
20:49 < brockp> I almost feel like this is a chiken and the egg problem, the route table on the router sets the public IP to be routed to the tun0 device, but it isn’t setup yet, so how can it reply?
21:03 -!- ketas- is now known as ketas
21:24 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
21:27 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
21:32 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
21:36 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
21:39 -!- ISmithers [~ISmithers@78.207.70.115.static.exetel.com.au] has left #openvpn []
21:51 -!- master_of_master [~master_of@p4FD7B64C.dip0.t-ipconnect.de] has joined #openvpn
21:52 -!- brockp [~brockp@c-98-209-119-190.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
21:53 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
21:54 -!- master_o1_master [~master_of@p4FD7BA25.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
21:59 -!- brockp [~brockp@c-98-209-119-190.hsd1.mi.comcast.net] has joined #openvpn
22:00 < brockp> So I upped my logging, and I see the server keeps trying to send a packet to the client, but the client never gets it
22:00 < brockp> Server: openvpn[12268]: 54.214.239.236:50909 UDPv4 WRITE [14] to 54.214.239.236:50909: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
22:01 < brockp> Server config: http://pastebin.com/CpyZqtHs
22:02 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
22:16 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:29 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
22:50 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
22:55 -!- esde [~esde@unaffiliated/esde] has quit [Read error: Operation timed out]
22:56 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
23:30 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
23:34 -!- eN_Joy [~zhou3594@zjd2014.srtc.ou.edu] has joined #openvpn
23:35 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
23:35 < eN_Joy> i am getting ` WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'` even though i have `tun-mtu 1500` in both server.conf and client.conf, why is that?
23:37 -!- Guest46250 [~kolo@ip-125.net-82-216-83.rev.numericable.fr] has quit [Ping timeout: 252 seconds]
23:40 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
23:41 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Ping timeout: 272 seconds]
23:46 -!- crus [~crusader@2001:44b8:319e:2900:886c:563b:39fa:6ddd] has joined #openvpn
23:53 -!- ShadniX [dagger@p5DDFC6FA.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:54 -!- ShadniX [dagger@p57941F6B.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Apr 30 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:28 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
00:31 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
00:38 -!- makara [~makara@41.164.22.218] has joined #openvpn
00:42 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:43 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
00:44 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
00:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:53 -!- grep0r [grep0r@bitcoinshell.mooo.com] has quit [Ping timeout: 252 seconds]
00:59 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
01:06 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
01:07 -!- budman_ [~budman@ip68-111-79-253.oc.oc.cox.net] has quit [Ping timeout: 265 seconds]
01:08 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
01:10 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
01:13 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
01:15 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 246 seconds]
01:18 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 252 seconds]
01:24 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
01:30 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:43 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
01:51 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:52 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:52 -!- mode/#openvpn [+o mattock] by ChanServ
01:59 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 240 seconds]
02:17 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:35 -!- m01_ is now known as m01
02:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
02:47 -!- GabrieleV [~GabrieleV@host190-79-static.230-95-b.business.telecomitalia.it] has quit [Read error: Operation timed out]
02:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
02:52 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 252 seconds]
03:00 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
03:06 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
03:10 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
03:12 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
03:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
03:27 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
03:40 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 240 seconds]
03:43 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
03:55 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:55 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Client Quit]
03:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:56 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
04:05 -!- _YKY_ [~immortal@unaffiliated/-ky-/x-0649748] has joined #openvpn
04:22 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
04:32 -!- truexfan81 [truexfan81@gateway/shell/cadoth.net/x-xkrmqwesttsbdqob] has left #openvpn ["K-Lined"]
04:36 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
05:00 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
05:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
05:02 -!- steveeJ [~junky@client268.amh.kn.studentenwohnheim-bw.de] has joined #openvpn
05:05 < _YKY_> http://pastebin.com/6ft3n6m7
05:05 < _YKY_> can someone look at my config and see whats wrong?
05:06 < _YKY_> setting up OVPN with an Android client
05:11 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
05:14 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
05:14 < steveeJ> trying to build a mesh network with 3 nodes. everything goes well as long i as i stick to a chain a<-->b<-->c. but when i connect a to c too, STP goes crazy
05:15 < steveeJ> STP causes very long lasting lags on the network
05:16 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
05:16 < steveeJ> but as i understand STP is what i need for connections like that. or should i just not bridge everything together?
05:22 -!- ISmithers [~ISmithers@mail.tinyillusion.com] has joined #openvpn
05:26 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:51 <@plaisthos> _YKY_: secret and together in one configuration makes no sense
05:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:16 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
06:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:27 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Excess Flood]
06:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:30 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:35 < _YKY_> plaisthos: secret and what?
06:36 <@plaisthos> and ca
06:37 -!- dflt [~dflt@178-36-163-14.adsl.inetia.pl] has joined #openvpn
06:41 < dflt> if I have openvpn server and a user who has two computers, should I generate key for each computer? user will sometimes use simultaneously both computers
06:41 < derRichard> yes
06:42 < derRichard> but it depends on your policy. it is not uncommon to have one cert per user/computer
06:42 < _YKY_> plaisthos: but if I don`t include the <ca> it complains
06:43 -!- steveeJ [~junky@client268.amh.kn.studentenwohnheim-bw.de] has quit [Remote host closed the connection]
06:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
06:58 < dflt> derRichard: thanks for answer
06:58 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:58 < dflt> what are cons for using the same key for each computer?
06:58 < dflt> it's probably less secure
06:59 < derRichard> you'd have to set --duplicate-cn
06:59 < derRichard> this can be a problem depending on your firewall settings
07:00 < derRichard> and other policies
07:01 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Read error: Connection reset by peer]
07:02 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
07:03 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:05 < dflt> so it's probably less hassle to user separate key for each computer
07:05 < dflt> derRichard: thanks for help! :)
07:06 -!- dflt [~dflt@178-36-163-14.adsl.inetia.pl] has quit [Quit: WeeChat 0.4.3]
07:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
07:38 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
07:38 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
07:47 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:55 -!- eZpl0it [~eZpl0it@193.234.224.171] has joined #openvpn
07:55 < eZpl0it> !welcome
07:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:55 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:55 < eZpl0it> !route
07:55 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
07:55 <@vpnHelper> client
07:56 < eZpl0it> !serverlan
07:56 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
07:56 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
07:56 < eZpl0it> !ipforward
07:56 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
07:57 < eZpl0it> !linipforward
07:57 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
07:59 -!- Denial [Denial@176.250.235.182] has quit []
08:05 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
08:05 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:05 -!- mode/#openvpn [+o mattock] by ChanServ
08:08 -!- kron4eg [~kron4eg2@unaffiliated/kron4eg] has joined #openvpn
08:10 < eZpl0it> I have a subnet 134.147.192.0 and I want the vpn clients to be in the same subnet. I have made an ethernet bridge br0 on the vpn server and have this in the config: "server-bridge 134.147.192.1 255.255.255.0 134.147.192.105 134.147.192.110". Initially I wanted the vpn clients to get the IPs by the DHCP of the main network but couldn't get it to work so I just reserver 105 to 110 and used that server setting. I get a warning: remote address [134.147.192.2
08:11 -!- kron4eg [~kron4eg2@unaffiliated/kron4eg] has left #openvpn []
08:36 < _YKY_> I`m using secret static key but Android keeps complaining "PolarSSL: ca certificate undefined", why?
08:40 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
08:40 <@krzee> hmm im not sure if the android client can do statickey
08:41 <@krzee> want to show your config?
08:41 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
08:43 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
08:44 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
08:45 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
08:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
08:51 < _YKY_> according to this, static key is not supported because Android uses PolarSSL
08:51 < _YKY_> https://forums.openvpn.net/topic13066.html
08:51 <@vpnHelper> Title: OpenVPN Support Forum Preshared Key, Secret directive, Static key, version 1.0.1 : OpenVPN Connect (iOS) (at forums.openvpn.net)
08:51 < _YKY_> perhaps I should change to use <ca>?
08:56 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:59 -!- brockp [~brockp@c-98-209-119-190.hsd1.mi.comcast.net] has quit [Quit: brockp]
09:05 -!- ISmithers [~ISmithers@mail.tinyillusion.com] has quit [Quit: ~ Trillian - www.trillian.im ~]
09:05 -!- mattock is now known as mattock_afk
09:11 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:17 <@Eugene> PKI is a good idea anyway because it uses session crypto keys
09:53 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
09:54 < aPollO2k> !welcome
09:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:02 -!- rypervenche [~rypervenc@unaffiliated/rypervenche] has quit [Quit: new kernel!]
10:03 -!- MadTBone [~MadTBone@160.39.238.199] has quit [Quit: Leaving]
10:09 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 265 seconds]
10:25 -!- Denial [Denial@176.250.235.182] has joined #openvpn
10:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:42 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
10:43 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
10:53 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
11:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:08 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
11:11 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
11:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:27 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 246 seconds]
11:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: No route to host]
11:53 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
11:53 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:55 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:58 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
12:01 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit []
12:02 <@plaisthos> _YKY_: there is more than one android app
12:03 <@plaisthos> OpenVPN for Android does support static key
12:03 < _YKY_> its the one using PolarSSL
12:04 < _YKY_> its OpenVPN
12:04 < _YKY_> but it fails
12:11 <@plaisthos> _YKY_: <@plaisthos> _YKY_: there is more than one android app
12:11 <@plaisthos> _YKY_:  <@plaisthos> OpenVPN for Android does support static key
12:12 -!- pseudo_ [~pseudo@65.204.49.74] has joined #openvpn
12:12 <@plaisthos> OpenVPN Connect does not
12:12 <@plaisthos> and it is not PolarSSL vs OpenSSL
12:15 < _YKY_> I see
12:16 < _YKY_> I`m using OpenVPN Connet
12:18 < pseudo_> hi guys - could i get some help troubleshooting this? client config: http://lpaste.net/103418 server config: http://lpaste.net/103419 logfile: http://lpaste.net/103420
12:22 < pseudo_> and if it helps, the client's output: http://lpaste.net/103422
12:23 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
12:32 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
12:40 <@Eugene> Firewall.
12:41 <@Eugene> Is the client behind a NAT device of some sort?
12:42 <@Eugene> Also, bridging is usually wrong, ESPECIALLY on 192.168.1.0/24(conflicts with 99% of home firewall/router/nat devices)
12:42 < pseudo_> my home network is on 172.21.7.0/24, but both the client and server are behind NATs
12:42 < pseudo_> i am forwarding udp 1194 to the server
12:44 <@Eugene> So the server does not have a direct external(public) IP?
12:44 < pseudo_> correct
12:44 <@Eugene> Definitely a NAT-related issue, then.
12:45 < pseudo_> i am open to suggestions - the NAT is working fine. if i need to forward more ports/setup the config differently, i am all ears
12:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
12:45 <@Eugene> No, the NAT is not working fine - you're not getting a good UDP biderectional stream.
12:46 <@Eugene> My suggestion? Replace your "router" with something less-shitty. A second NIC in an old desktop turns it into a great candidate for a real *nix box.
12:46 < pseudo_> iptables -t nat -A PREROUTING -d 10.30.0.22 -p udp --dport 1194 -j DNAT --to 10.30.0.33:1194
12:46 < pseudo_> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE
12:46 <@Eugene> Tada, there's your issue
12:47 <@Eugene> Hint: "-p tcp"
12:47 < pseudo_> i also have:
12:47 < pseudo_> iptables -t nat -A PREROUTING -d 10.30.0.22 -p tcp --dport 1194 -j DNAT --to 10.30.0.33:1194
12:48 <@Eugene> Please stop and bother to READ
12:48 <@Eugene> "proto udp" in your config
12:48 <@Eugene> "-p tcp" in your iptables NAT
12:48 <@Eugene> One of these things is not like the other
12:48 <@Eugene> The initial packet is making it from client --> nat --> internet --> nat --> server
12:49 <@Eugene> The response packet is going server --> nat --> blackhole
12:49 < pseudo_> ah, my bad. i thought u were talking about my PREROUTING rule
12:49 < pseudo_> thank you!
12:49 <@Eugene> But it's still a crappy way to lay out the network ;-)
12:49 < pseudo_> if i had any control of it, you know i would change it ;)
12:50 <@Eugene> I know nothing, Jon Snow.
12:50 < pseudo_> that nat is actually behind another nat
12:50 < pseudo_> my upstream it guy cant figure out how to port forward a nat to different ip addresses
12:50 < pseudo_> so i told him to send it all to one box
12:53 < pseudo_> anyways, thanks again Eugene. you were a big help
12:54 <@Eugene> A second pair of eyes helps
12:54 <@Eugene> And oh dear god what
12:56 < pseudo_> yeah, they must have forgot to add that menu option to the firewall gui that he uses
13:03 -!- u0m3 [~u0m3@92.80.88.11] has quit [Ping timeout: 264 seconds]
13:03 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
13:06 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
13:19 -!- RaiNerTsuFal [~RaiNerTsu@37.235.55.158] has quit [Ping timeout: 240 seconds]
13:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
13:32 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:41 -!- pseudo_ [~pseudo@65.204.49.74] has quit [Quit: leaving]
13:46 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:02 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 258 seconds]
14:03 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
14:03 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
14:03 -!- mode/#openvpn [+o krzie] by ChanServ
14:03 -!- krzie is now known as krzee
14:30 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:42 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:46 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 265 seconds]
14:47 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:52 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
14:53 -!- joshh20-Away is now known as joshh20
14:56 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
14:58 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
15:05 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
15:06 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 252 seconds]
15:06 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Quit: mirco]
15:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:18 -!- mattock_afk is now known as mattock
15:21 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
15:27 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
15:29 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
15:42 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 28.0/20140314220517]]
15:51 -!- mattock is now known as mattock_afk
15:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:57 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
16:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
16:16 <+s7r> anyone here knows if NIST increased the number of rounds for aes all 128, 192 and 256 versions?
16:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:18 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
16:22 -!- stemid [~avatar@ns4.sydit.se] has left #openvpn []
16:23 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
16:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:39 -!- levifig [~levifig@hakr.io] has joined #openvpn
16:42 -!- akasoldats [~akasoldat@unaffiliated/akasoldats] has joined #openvpn
16:50 <+s7r> !cipher
16:50 <+s7r> !ciphers
16:53 < pekster> "increased the rounds"? You can't change a fundamental component of a cipher like that without it being baked into the protocol
16:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:55 <+s7r> yeah
16:55 <+s7r> that is why i asked if NIST changed it  or increased it
16:55 <+s7r> otherwise it cannot be happening just in openvpn / openssl / whatever other ciphersuite
16:55 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
16:56 < cesurasean> is there a way to make a connection completely stop if an openvpn server goes offline
16:56 < cesurasean> ?
16:57 < pekster> firewall. You might use the --up and --down hooks for that, and maybe --up-restart depending on your implementation
16:57 < cesurasean> this is a windows openvpn server with an asus router as a client.
16:58 < cesurasean> pekster, can you give me an example to force the firewall to completely kick off the connection?
16:58 < pekster> It's highly implementation and OS/distro specific. You need to integrate the solution based on our own needs
16:59 < cesurasean> I still don't understand or see an example of what you are talking about. how does it work? server side, or client side?
16:59 < pekster> !scripts
16:59 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
16:59 < cesurasean> i want the clients to stop routing ALL internet if the openvpn server disconnects.
16:59 < pekster> Learn about the dynamic hooks you get access to. Then "all" you need to do is write code to do what you want
16:59 < pekster> It's not really that hard -- check the env-vars you get, or just dump `env` to a temp file and the contents should be pretty self-explanatory
17:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
17:00 < cesurasean> is there not already a solution for this posted on the web?
17:00 < pekster> No idea
17:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
17:01 < pekster> Since this is implementation specific I'd guess not, at least none that I would use. If you're unfamiliar with writing basic shell scripts (under 50 lines is all you need) then you probably need more fundamental skill first
17:01 < pekster> Use the env-vars you get, pull the remote host IP (and port, if you'd like) of the outside tunnel, allow it, block the rest, you're done
17:02 < pekster> And presumably some way to undo it, but you didn't mention that, heh
17:06 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:18 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
17:23 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 252 seconds]
17:24 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has left #openvpn []
17:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:48 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
18:04 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
18:08 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 240 seconds]
18:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
18:16 -!- Modestini [~synzvato@se4x.mullvad.net] has joined #openvpn
18:16 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
18:17 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:18 < Modestini> Hey! I have a quick question. I've been trying to combine OpenVPN for iOS with an automatic proxy (PAC) and I'm not quite sure how to do it. Is there something I can add to the .ovpn file to tell it to use an auto proxy?
18:19 < eZpl0it> hey my external ip of the vpn server is 134.147.YY.XX, im using server-bridge and say that it distributes IPs from the same subnet
18:19 < eZpl0it> can this work?
18:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:20 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:20 < eZpl0it> it says Thu May  1 01:18:27 2014 us=346598 WARNING: --remote address [134.147.192.22] conflicts with --ifconfig subnet
18:20 < eZpl0it> and i get  read UDPv4 [ECONNREFUSED]: Connection refused (code=113) and no route to host
18:21 < eZpl0it> if i set it to an other subnet the errors go away at least
18:21 < eZpl0it> but i actually want the vpn users to be in the same subnet to reach the computers there
18:21 < pekster> You're overlapping networks? Have you pasted configs with blanks/comments removed on a pastebin somewhere? From _both_ sides? (grep syntax to remove non-directives at: !configs)
18:23 < pekster> Oh, no, you can't bridge to the "same" network you're connecting to like that. What stops you from routing?
18:23 < pekster> on-link routes are preferred more than routed ones (as they're "directly" connected.) tap is almost always best avoided
18:24 < eZpl0it> i wanted to get their ips by the dhcp server and i read somewhere that i should make a tap device and a bridge
18:24 < eZpl0it> but i never got and ip from the dhcp then
18:24 < eZpl0it> then i tried the server-bridge command including the ips
18:25 < pekster> Just route normally. If you're on some stupid provider who hasn't a clue about routing, find one who does
18:25 < pekster> Get a routed block, and assign that to a VPN. Use the IPs however you want then
18:26 < eZpl0it> it seems like my boss thinks that is too easy
18:26 < eZpl0it> they want the vpn clients to be in the same subnet as the servers for administration, yes i could make normal routing
18:26 < pekster> THat's fucked up
18:26 < eZpl0it> but i dont understand why briding shouldnt work
18:27 < eZpl0it> is it normal that the tap device stays "down" after the connection was initiated?
18:27 < pekster> And that's why it doesn't work. tap is for transporting raw ethernet frames. you do not need that
18:27 < eZpl0it> on client side
18:27 < eZpl0it> i know and understand that about tap
18:28 < pekster> Apparently you don't know much about how routing decisions work. WHen you put something on link (yes, even a tap) it's preferred. YOu break the tunnel. COngrats
18:28 < pekster> Again, use routing, your problem goes away. Sounds like your ISP and boss are idiots
18:28 < eZpl0it> hmm
18:28 < eZpl0it> i had it already finished with routing like a week ago
18:29 < eZpl0it> read this and thought, why not http://openvpn.net/index.php/open-source/faq/77-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html
18:29 <@vpnHelper> Title: I want to set up an ethernet bridge on the 192.168.1.0/24 subnet. existing DHCP. (at openvpn.net)
18:30 < Modestini> Could anyone please look into this: I've been trying to combine OpenVPN for iOS with an automatic proxy (PAC) and I'm not quite sure how to do it. Is there something I can add to the .ovpn file to tell it to use an auto proxy?
18:31 < Modestini> I did some personal research and checked the documentation, but I could only find stuff like "http-proxy"
18:31 < pekster> Modestini: Not openvpn's problem
18:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
18:31 < pekster> OpenVPN is "just" a link between 2 endpoints. It has no care what application-level traffic you send over it (tftp, PAC, bootp, etc)
18:32 < pekster> If you want to script "arbitrary things" to happen before/after the VPN comes up (or down) read about: !scripts
18:32 < Modestini> So there is no way to refer to a PAC script from a OVPN file? Hmm, that's too bad, I got confused when I read there was an "http-proxy"command. I'm not into networking, just someone who's trying to link an tracker blocker up to a VPN connection
18:33 < Modestini> Hmm okay, this might be the wrong place to ask for this question, but I assume I'm going to have a hard time achieving this on a non-jailbroken iOS device? :(
18:34 < pekster> Probably. Your only client option is the closed-source "connect" client, and the platform is not friendly to writing real scripts/code for
18:34 < pekster> Plus the client itself isn't even open-source
18:34 < pekster> No clue what "things" you can do with script hooks, if any
18:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:40 < Modestini> My only alternative seems to be PPTP, but I heard that's proven to be cryptographically broken :| Anyway, thanks a lot for your help, I'll try to do something with script hooks if at all possible :)
18:40 -!- levifig [~levifig@hakr.io] has left #openvpn ["444 Server returns no information and closes the connection"]
18:42 < pekster> MS-CHAPv2 is broken, yes
18:42 < pekster> $100 is 100% gaurenteed to break it ;) https://www.cloudcracker.com
18:42 <@vpnHelper> Title: CloudCracker :: Online Hash Cracker (at www.cloudcracker.com)
18:59 -!- daemon [~daemon@cpc4-linc11-2-0-cust134.12-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
19:00 -!- Latrina [~Latrina@adsl-ull-228-247.45-151.net24.it] has quit [Ping timeout: 240 seconds]
19:01 -!- Latrina [~Latrina@ppp-254-40.26-151.libero.it] has joined #openvpn
19:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:05 < Modestini> Interesting, saves me from ever thinking about using PPTP again :P By the way, I managed to fix the problem. Apparently adding "dhcp-option PROXY_AUTO_CONFIG_URL < PAC URL >" to the .ovpn file worked for me somehow.
19:10 < pekster> --dhcp-option just blindly sets some env-vars on non-windows hosts. Apparently your "closed source app us open-source hackers know nothing about" does magic
19:10 < pekster> But naturally, when you're using a vendor's produt without source, _you_ are not allowed to know ;)
19:15 < Modestini> Haha, yes indeed, I was lucky to find it in one of their changelogs :P I had already assumed it was custom, since the official OpenVPN documentation didn't mention it
19:15 < Modestini> Now let's hope it doesn't have a few magic backdoors :P
19:15 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
19:15 < cesurasean> is it possible to run openvpn over icmp?
19:18 < pekster> No. Maybe you can use a tunneling protocol/software like obfs: see !obfs
19:20 -!- u0m3 [~u0m3@92.80.103.137] has joined #openvpn
19:21 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
19:22 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:24 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
19:27 < cesurasean> !obfs
19:27 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being
19:27 <@vpnHelper> used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
19:28 < cesurasean> pekster, are there not an examples of that?
19:28 < pekster> Not an openvpn problem. Try a web browser or a forum dedicated to obfs? Mailing list? Project website?
19:28 < pekster> OpenVPN will only operate over UDP or TCP
19:33 <@ecrist> !notovpn
19:33 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
19:35 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:38 -!- joshh20 is now known as joshh20-Away
19:39 < eZpl0it> pekster: thanks again it seems to work with routing
19:41 < eZpl0it> i pushed a route to an other subnet 134.147.194.0 to the client, the server is at 134.147.192.0. When i push the route the tunnel would break down, which sounds logical. Do i need to push a specific route for the vpn server so that everything for the vpn server still goes through the default gateway?
19:42 <@krzee> yes, if you look at --redirect-gateway in the manual you'll see they do exactly that
19:44 <@krzee> cesurasean, note that there is an app known as icmptx, you can run openvpn over that? but using icmptx is outside the scope of this channel
19:46 -!- joshh20-Away is now known as joshh20
19:47 < eZpl0it> great krzee
19:47 < eZpl0it> love you guys
19:47 < eZpl0it> thanks and good night
19:58 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
20:06 < pekster> eZpl0it: due to how --redirect-gateway works, anything sent to the IP of the system you connected to is _not_ routed over the VPN. You need to set up policy routing if you have more advanced needs
20:07 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
20:07 -!- joshh20 is now known as joshh20-Away
20:10 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Ping timeout: 272 seconds]
20:10 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
20:11 < eZpl0it> Thanks. This is all a bit new to me. Since I added redirect-gateway, I can also connect to the subnet of where the vpn is connected to. Only thing is that my outgoing traffic goes also over the vpn now
20:13 < pekster> Yup. Read the manpage description for why
20:13 < eZpl0it> yes i read it and think i understood the steps involved
20:15 < eZpl0it> i could replicate it manually by pushing route commands, too, right?
20:21 < pekster> Sure. If you don't want "all" Internet traffic to go through, just push the routes you do want to expose
20:23 < eZpl0it> okay i will try to get something working tomorrow
20:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: rebooting server... brb]
21:40 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:51 -!- master_o1_master [~master_of@p4FD7B9FB.dip0.t-ipconnect.de] has joined #openvpn
21:55 -!- master_of_master [~master_of@p4FD7B64C.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
21:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:07 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has quit [Quit: Leaving.]
22:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
22:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:22 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 250 seconds]
23:11 -!- crashher [~daniear@114.94.54.140] has joined #openvpn
23:11 < crashher> hi
23:11 < crashher> my server was hacked, the provider had to cut it off because it was using 1gb/s bandwidth
23:11 < crashher>  now that i have a new server setup, i have a problem which is
23:11 < crashher> i can't access openvpn.net
23:12 < crashher> need a link to the openvpn repo for redhat
23:12 < crashher> 64bit
23:13 < crashher> i can't visit https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
23:13 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
23:13 < crashher> (China)
23:16 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
23:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
23:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Client Quit]
23:33 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
23:51 -!- ShadniX [dagger@p57941F6B.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:52 -!- ShadniX [dagger@p5DDFC741.dip0.t-ipconnect.de] has joined #openvpn
23:56 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
23:58 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
23:58 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
--- Day changed Thu May 01 2014
00:01 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 252 seconds]
00:24 < crashher> any1 here?
01:00 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
01:16 < crashher> openvpn.net is down?
01:19 -!- crashher [~daniear@114.94.54.140] has quit []
01:27 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Excess Flood]
01:27 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
01:30 -!- ron_ [~ron@ppp118-210-178-111.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
01:34 -!- netyire [~netyire@unaffiliated/netyire] has joined #openvpn
02:05 -!- _YKY_ [~immortal@unaffiliated/-ky-/x-0649748] has quit [Ping timeout: 240 seconds]
02:06 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 265 seconds]
02:10 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:10 -!- mode/#openvpn [+v hazardous] by ChanServ
02:17 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:22 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 255 seconds]
02:28 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:28 -!- mode/#openvpn [+v hazardous] by ChanServ
02:30 -!- Latrina [~Latrina@ppp-254-40.26-151.libero.it] has quit [Ping timeout: 255 seconds]
02:30 -!- Latrina [~Latrina@adsl-ull-84-250.45-151.net24.it] has joined #openvpn
02:35 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
02:38 -!- makara [~makara@105-208-236-149.access.mtnbusiness.co.za] has joined #openvpn
02:41 -!- makara [~makara@105-208-236-149.access.mtnbusiness.co.za] has quit [Read error: Connection reset by peer]
02:46 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:46 -!- mode/#openvpn [+v hazardous] by ChanServ
02:50 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
02:55 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:55 -!- mode/#openvpn [+v hazardous] by ChanServ
03:00 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
03:03 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:03 -!- mode/#openvpn [+v hazardous] by ChanServ
03:16 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
03:23 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:23 -!- mode/#openvpn [+v hazardous] by ChanServ
03:28 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
03:31 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 246 seconds]
03:32 < acu> I have a openvpn client and it disconnects almost always in the morning, before was running fine, I wonder where should I look for the cause ? I run debian wheezy
03:33 < derRichard> what about the server and client logs?
03:33 < derRichard> first find out who initiates the disconnect
03:34 < acu> derRichard, so which log should I look, in /var/logs ? or dmesg ?
03:34 < derRichard> openvpn logs
03:35 < derRichard> depends how you have configured openvpn...
03:35 < derRichard> see manual
03:40 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:40 -!- mode/#openvpn [+v hazardous] by ChanServ
03:46 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:47 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:47 -!- Linux_Asylum [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Client Quit]
03:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:52 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 265 seconds]
03:56 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:56 -!- mode/#openvpn [+v hazardous] by ChanServ
04:07 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
04:12 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:13 -!- mode/#openvpn [+v hazardous] by ChanServ
04:13 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Excess Flood]
04:15 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
04:18 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
04:21 -!- gringao [~gringao@212-198-219-28.rev.numericable.fr] has quit [Remote host closed the connection]
04:22 -!- mattock_afk is now known as mattock
04:23 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:24 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:24 -!- mode/#openvpn [+v hazardous] by ChanServ
04:25 -!- acu [~acu@50.244.13.222] has quit [Quit: Leaving]
04:30 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Excess Flood]
04:31 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
04:31 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
04:34 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has quit [Quit: Leaving.]
04:35 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:36 -!- mode/#openvpn [+v hazardous] by ChanServ
04:41 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
04:42 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:42 -!- mode/#openvpn [+v hazardous] by ChanServ
04:48 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 246 seconds]
04:52 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
04:52 -!- mode/#openvpn [+v hazardous] by ChanServ
04:54 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:00 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
05:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:03 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
05:05 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:05 -!- mode/#openvpn [+v hazardous] by ChanServ
05:06 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
05:18 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
05:26 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:26 -!- mode/#openvpn [+v hazardous] by ChanServ
05:36 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
05:44 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:44 -!- mode/#openvpn [+v hazardous] by ChanServ
05:51 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
05:52 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Read error: Connection reset by peer]
05:53 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
05:53 -!- mode/#openvpn [+v hazardous] by ChanServ
05:59 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
06:03 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
06:08 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
06:08 -!- mode/#openvpn [+v hazardous] by ChanServ
06:16 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
06:16 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
06:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
06:17 < aPollO2k> moin
06:20 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
06:20 -!- mode/#openvpn [+v hazardous] by ChanServ
06:24 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 246 seconds]
06:35 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
06:35 -!- mode/#openvpn [+v hazardous] by ChanServ
06:42 -!- qwertyoruiop [~hax@93.174.90.31] has quit [Ping timeout: 240 seconds]
06:50 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
07:26 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
07:32 -!- ShadniX [dagger@p5DDFC741.dip0.t-ipconnect.de] has quit [Quit: Bye.]
07:34 -!- ShadniX [dagger@p5DDFC741.dip0.t-ipconnect.de] has joined #openvpn
07:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:40 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:24 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
08:35 -!- BlackBishop [dexter@2001:470:1f0b:1186::1] has left #openvpn []
08:43 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
08:46 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:15 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-txrdiqljttokmqrt] has joined #openvpn
09:15 < mjkr> how does one get a openvpn/user cloak?
09:29 <@ecrist> you ask me
09:30 < reiffert> no, he specifically was asking everybody. I'm sure.
09:31 < mjkr> well, whoever knows the answer to the question
09:31 <@ecrist> that was the answer
09:31 <@ecrist> I'm the bestower of the openvpn cloak
09:32 < mjkr> ecrist: ok. sir. i just saw a guy with openvpn/user/ cloak. i wonder what must one undergo to get one?
09:32 <@ecrist> you want one?
09:32 < mjkr> just curious
09:33 <@ecrist> you can have one, if you want, just make up your mind.
09:33 <@krzee> all you have to do is want one and ask ecrist.
09:33 <@krzee> which is why his answer was: <ecrist> you ask me
09:33 < mjkr> so, the cloak doesn not signify that the user is in anyway associated with the project/team?
09:33 <@krzee> not the user cloak
09:34 < mjkr> nor donation?
09:34 <@ecrist> nope
09:34 <@krzee> the community / corp   cloaks signify stuff, the user cloak means you like openvpn a lot i guess ;]
09:34 < reiffert> you missed the chance of making him donate
09:34 <@krzee> !donate
09:34 <@vpnHelper> "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel. or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc. or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
09:34 <@krzee> you still *can* if you like
09:35 < mjkr> well the last question but one is what i really seeks.
09:35 <@ecrist> ok, so you want openvpn/user/mjkr?
09:35 <@krzee> huh?
09:36 < mjkr> nope, thank you. i asked just to determine the amount of trust i can put on another wearer of the cloak earlier.
09:36 < rob0> IIUC a gateway cloak overrides a regular one, ask at #freenode about that.
09:36 < mjkr> thanks for the clarification, folks.
09:37 <@ecrist> mjkr: I would place exactly ZERO trust in openvpn/user/* cloaks
09:37 < mjkr> sorry to rouse you in the middle of the night
09:37 <@ecrist> but high trust in openvpn/[corp|community]/* cloaks
09:38 <@ecrist> it's 0937 here.
09:38 < mjkr> however, i do have a real question concerning openvpn, however.
09:39 < mjkr> that is, how well does openvpn operates with a softether client/server?
09:39 <@ecrist> a what?
09:39 < mjkr> softether supports both an openvpn client and server.
09:39 <@krzee> heh
09:40 <@ecrist> the fuck is softether?
09:40 < mjkr> and does openvpn support, or plan to support windows integration via ndis?
09:40 <@ecrist> what type of integration are you seeking?
09:40 <@ecrist> there's a beta for NDIS 6 driver
09:40 < mjkr> ecrist: some japanese gpl vpn server+cloent that support a multitude of vpn protocols
09:41 <@ecrist> oh
09:41 < mjkr> including openvpn
09:41 <@ecrist> !notovpn
09:41 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
09:41 <@ecrist> :)
09:41 <@Eugene> ecrist - http://en.wikipedia.org/wiki/Diethyl_ether
09:41 <@vpnHelper> Title: Diethyl ether - Wikipedia, the free encyclopedia (at en.wikipedia.org)
09:41 <@ecrist> see here <http://build.openvpn.net/downloads/releases/tap-windows-9.21.0.exe> and <http://build.openvpn.net/downloads/releases/tap-windows-9.21.0.exe.txt>
09:41 <@ecrist> for NDIS 6 beta
09:41 < mjkr> that one would eliminate the need for tuntap, right?
09:41 <@ecrist> remember, it is BETA
09:42 < mjkr> hmm doesn't say in the txt
09:43 <@ecrist> mattock would be the one to aask
09:43 <@ecrist> ask*
09:47 < mjkr> mattock: ping
09:47 < mjkr> ecrist: and actually openvpn does not deal with interoperability with other openvpn clients/servers?
09:48 < mjkr> i mean other clients/servers claiming to be using the openvpn protocol
10:01 <@ecrist> no
10:01 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
10:02 <@ecrist> we are the provider of the protocol.  it's up to others to make sure they work with us, not the other way around
10:03 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
10:18 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has joined #openvpn
10:20 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
10:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
11:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Connection reset by peer]
12:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
12:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
12:06 -!- cesurasean [~Sean@c-71-207-242-72.hsd1.al.comcast.net] has left #openvpn []
12:13 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:15 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
12:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:37 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:40 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
12:41 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
12:43 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
12:43 -!- ChrisH is now known as Guest85946
12:43 -!- ChrisH__ [~dg7pc@dslb-088-078-248-126.pools.arcor-ip.net] has joined #openvpn
12:44 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
12:44 -!- Guest85946 [~dg7pc@dslb-088-076-103-044.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
12:50 -!- chimeric [~surreal@206.191.57.58] has quit [Ping timeout: 250 seconds]
12:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:11 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
13:15 -!- Kamshak [~Kamshak@93.190.90.164] has joined #openvpn
13:15 < Kamshak> !welcome
13:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:15 < Kamshak> !redirect
13:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:15 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:16 < Kamshak> !ipforward
13:16 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:16 < Kamshak> !nat
13:16 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:16 < Kamshak> !openvznat
13:16 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP> or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
13:19 < Kamshak> I would like to be able to use openvpn as a way to portforward, i'm trying to host a local server and would like others to be able to connect to it using the external ip of the vpn i am connected to. I set forwarding and nat up and can access the internet fine through vpn, however it is not possible for others to connect to the server. Do i need to setup special routing for this?
13:21 <@ecrist> short answer, yes
13:21 < pekster> Kamshak: Right, you need fancy routing (ie: policy routing) to avoid the VPN client you've NATed to from sending the reply over _its_ uplink. You usually do this by policy routing rules that keep traffic that originated over the VPN device going back over it. On Linux, the easiest way is a 2nd routing table for the VPN, use conntrack to apply ctmark to all --ctstate NEW packets, then --restore-mark to the fwmark, and have `ip rule` ...
13:21 < pekster> ... key off that
13:21 <@ecrist> you need to have the firewall on the VPN server forward the traffic to the client
13:22 < pekster> Some starting resources for you:
13:22 < pekster> !lartc
13:22 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
13:22 < pekster> #Netfilter is probably the best channel here if you have questgions after reading that
13:22 <@ecrist> what is your server/firewall?
13:22 < Kamshak> thank you, i'll read that
13:22 < Kamshak> it's a Debian server with iptables
13:24 < Kamshak> more specifically an OpenVZ Debian server
13:24 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
13:25 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
13:25 < rob0> !openvz
13:25 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
13:26 < pekster> All the OpenVZ server should need is support for DNAT and a routed tun setup. The client is the one with goofy return-routing needs
13:27 < pekster> Of course, with a VPS you get only as much as they offer, which tends to be crap
13:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
13:30 < Kamshak> Haw can i test for DNAT support? Adding rules with -j DNAT doesn't give any error messages. The client is a windows7, is this setup possible with windows as well?
13:48 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
13:52 < BenLue> !welcome
13:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:53 < BenLue> !route
13:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:53 <@vpnHelper> client
13:53 < Kamshak> pekster: i read the chapers you linked, using iptables -t nat -A PREROUTING -d <VPN-EXTERNAL-IP> -p tcp --dport 80 -j DNAT --to-dest <CLIENT-IP> it works for the webserver but not for the server i would like to forward (a source web server). I've done the same for udp for the port needed, however i didn't fully understand the part needed on the client. The server running on the client is bound to the TUN device's
13:53 < Kamshak>  ip. Since i tunnel all traffic to the vpn at the moment i don't understand what kind of client routes i would need
13:54 < BenLue> !tcpip
13:54 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:06 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
14:10 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:10 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-txrdiqljttokmqrt] has quit [Quit: WeeChat 0.4.2]
14:12 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
14:13 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
14:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:16 < mallxs> does openvpn works to a host if the icmp is blocked to that host ?
14:21 <@ecrist> openvpn does not depend upon icmp
14:24 < mallxs> thx ecrist then the doc's confused me with the --ping and --ping-restart option
14:25 < derRichard> openvpn's ping is not an icmp ping
14:25 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:25 < mallxs> ha ok thx
14:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:37 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
14:39 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
14:40 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
14:41 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:54 -!- ShadniX [dagger@p5DDFC741.dip0.t-ipconnect.de] has quit [Quit: Bye.]
14:55 -!- ShadniX [dagger@p5DDFC741.dip0.t-ipconnect.de] has joined #openvpn
14:55 -!- Kamshak [~Kamshak@93.190.90.164] has quit [Read error: Connection reset by peer]
14:55 -!- Kamshak [~Kamshak@93.190.90.164] has joined #openvpn
14:58 -!- linuxrocks [~linuxrock@209.251.154.51] has joined #openvpn
14:59 < linuxrocks> I have pfSense (2.1.2-RELEASE) as OpenVPN server with LAN network as 10.0.0.0/24, latest DD-WRT router as OpenVPN client with LAN as 10.10.186.0/24, VPN network as 172.16.0.0/24. Using SSL with certificates (AES-256-CBC). The OpenVPN client connects and is able to ping the OpenVPN LAN (both the server 10.0.0.2 and a client 10.0.0.10). The OpenVPN client is able to ping both the VPN endpoints...
14:59 < linuxrocks> ...172.16.0.1 (server) and 172.16.0.6 (client). The OpenVPN (server and LAN client 10.0.0.10) can also ping both VPN endpoints, but cannot ping anything on the OpenVPN client side LAN 10.10.186.0/24 network? I have added in pfSense OpenVPN (advanced) this: route 10.10.186.0 255.255.255.0 172.16.0.2 - any ideas on where I'm failing?
15:00 <@ecrist> lolololol
15:00 <@ecrist> nickname of linuxrocks using pfSense
15:00 < linuxrocks> yeah - I know ;-)
15:01 <@ecrist> see here:
15:01 <@ecrist> !route
15:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:01 <@ecrist> !iroute
15:01 <@vpnHelper> client
15:01 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
15:01 < derRichard> linuxrocks: find out where your packets get dropped. tcpdump can help you. i.e. listen at different interfaces and look where you can spot your pings
15:03 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Ping timeout: 272 seconds]
15:04 < rob0> 172.16.0.2 is what?
15:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
15:05 < linuxrocks> To better understand, on my pfSense OpenVPN server I have this in the log: openvpn[38013]: /sbin/ifconfig ovpns1 172.16.0.1 172.16.0.2 mtu 1500 netmask 255.255.255.255 up, openvpn[38013]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 172.16.0.1 172.16.0.2 init, is 172.16.0.1 the server and 172.16.0.2 the gateway to the VPN network?
15:06 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
15:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:08 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:12 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:13 -!- mattock is now known as mattock_afk
15:14 < linuxrocks> rob0, the comment 'To better understand' was directed at myself... I think it is the gateway on the VPN (server side)
15:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
15:23 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
15:25 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
15:27 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
15:34 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:43 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:46 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 264 seconds]
15:48 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 264 seconds]
15:49 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
15:49 -!- Kamshak [~Kamshak@93.190.90.164] has quit [Ping timeout: 250 seconds]
15:50 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
15:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:53 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 28.0/20140314220517]]
15:59 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
16:00 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
16:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:11 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
16:15 -!- aji [~alex@atheme/member/aji] has joined #openvpn
16:19 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:20 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
16:25 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:27 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
16:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
16:29 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
16:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:40 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:41 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
16:47 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
16:51 -!- Latrina [~Latrina@adsl-ull-84-250.45-151.net24.it] has quit [Ping timeout: 255 seconds]
16:52 -!- Latrina [~Latrina@ppp-148-2.26-151.libero.it] has joined #openvpn
16:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:00 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:11 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 276 seconds]
17:11 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
17:21 < linuxrocks> !clientlan
17:21 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
17:21 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:26 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
17:31 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Remote host closed the connection]
17:32 < linuxrocks> !route_outside_openvpn
17:32 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
17:33 -!- vinise [~vinise@78-23-152-207.access.telenet.be] has joined #openvpn
17:34 < linuxrocks> !ipforward
17:34 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:34 < linuxrocks> !linipforward
17:35 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:35 < vinise> hi all i'm stuck with routing since a while and can't get it working here is my config http://pastebin.com/q5me07iU can someone help me?
17:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:40 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 240 seconds]
17:42 < linuxrocks> !ccd
17:42 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
17:42 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
17:43 < pekster> vinise: Seems fine, but you haven't explained your !goal or the client !configs
17:43 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
17:44 < vinise> goal is that all vpn client can acces in routing all network 10.0.0.0/24
17:44 < pekster> That's a horrible network as it's very common; if clients are own their own "version" of that network, things break
17:46 < vinise> yes but i'm not on same "version" ;)
17:46 < vinise> here is my client conf : http://pastebin.com/UN6f08HB
17:47 < pekster> So you're 100% sure no one will ever be on 10.0.0/24?
17:47 < vinise> when connected to vpn client can access 10.0.0.1 but not the rest of netxork
17:48 < vinise> pekster, whats the point? i should not make routing??
17:49 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:50 < pekster> You never answered my last question. Do you know that none of your clients will ever use that as their local network? If you can't gaurentee that, use a smarter network (see: !randomsubnet)
17:51 < pekster> The openvpn config is otherwise fine to allow that; your firewall and routing need to handle a server-side network though
17:51 < pekster> YOu want to follow:
17:51 < pekster> !serverlan
17:51 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
17:51 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
17:52 < vinise> for the moment no i can't garanty you that no one can ...
17:52 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:52 < pekster> Right. So why use one of the top 5 most common /24 networks on the planet?
17:53 < vinise> for test ...
17:53 < vinise> i'm not gonna use that in real situation...
17:53 < pekster> Fix it later if you want. Either way, you need firewall & return routing to work. Reference the above flowchart
17:54 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
17:56 < linuxrocks> ecrist thanks for all the info.  I have added iroute to my ccd and I'm now able to ping the LAN side of the vpn client (the dd-wrt router gateway IP 10.10.186.1) from server-side LAN, but I cannot ping any other client on the the VPN client LAN like 10.10.186.2?  When SSHed into 10.10.186.1 I can ping everything on the server side LAN.  I saw !ipforward, but wouldn't a dd-wrt router already...
17:56 < linuxrocks> ...be set to forward packets?
17:57 < pekster> smells like firewall
18:01 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
18:05 < vinise> a route is correctly added to my client and server ... so i don"t see wy it's not working  "10.0.0.0    255.255.255.0        10.0.10.5"
18:08 < pekster> Good news is that the flowchart has a lot more than just the route
18:09 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
18:10 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:12 -!- netyire [~netyire@unaffiliated/netyire] has quit [Ping timeout: 245 seconds]
18:12 < vinise> i pong vpn adress... I give client route... i ping server lan ip... can't ping other machine in lan ==> i'm ON router ==> add route ... so what am I doing wrong?
18:12 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:16 -!- max__ [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
18:17 -!- max__ is now known as Guest99731
18:17 -!- aji [~alex@atheme/member/aji] has joined #openvpn
18:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:19 -!- Guest99731 [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
18:23 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:27 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
18:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:44 < pekster> The route you listed above isn't for the VPN
18:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:47 < pekster> Your 10.0.0/24 LAN (the gateway on _it_) needs a route back to the VPN network you have on 10.0.10/24
18:48 < vinise> so i should push route 10.0.10.0/24 ?
18:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:50 < pekster> No. You push a route for the LAN you're exposing
18:50 < pekster> You still need to route properly
18:51 < vinise> i don't understand .. can you geve me a concreet example?
18:51 < pekster> If "Add a route to the router so it knows how to reach the VPN subnet" on the flowchart doesn't help you, you need some basic skill first
18:52 < pekster> Add a route _for_ the VPN subnet routed _via_ the VPN server. That's requied when the server-side-LAN router is not the VPN server
18:55 < pekster> Maybe you'll find more of the concept explained here:
18:55 < pekster> !route
18:55 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:55 <@vpnHelper> client
18:57 < vinise> but server side lan is vpn router and there is a route to vpn : 10.0.10.0       10.0.10.2       255.255.255.0
18:59 < pekster> Then you have a firewall problem
19:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
19:00 < vinise> in/out/fw => ACCEPT     all  --  anywhere             anywhere
19:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
19:00 < pekster> No, don't use "-L" output. It's incomplete, it's broken, and you're hiding both context and actual details
19:01 < pekster> #Netfilter is probably where you want to go for Netfilter questions, but either way you'll need the output of `iptables-save -c`. If it's not infested with some badly-designed distro generator I'll look
19:01 < pekster> If it is, I usually don't bother (and suggest you seek advice from the vendor of your system, or FOSS group that maintains it)
19:02 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 250 seconds]
19:02 < linuxrocks> pekster, "smells like firewall", so I disabled the firewall SPI in dd-wrt and now packets (at least pings) are finally routing properly! Thanks for your help.  I'll try to look through dd-wrt forums on how to allow openVPN client traffic specifically.
19:02 < pekster> dd-wrt is crap; ymmv, but I strongly suggest using non-broken things
19:02 < pekster> !dd-wrt
19:02 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
19:03 < pekster> Also, dd-wrt managed to break the busybox version of the iptables userland binary so badly it refuses to perform either iptables-save, or iptables-restore functionality, even if you create a symlink target
19:04 < pekster> Google LittleBlackBox project ;)
19:04 <@Eugene> phpbb lololo
19:06 < vinise> firewall => http://pastebin.com/ryGjxpWm
19:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
19:08 < pekster> You're not dropping anything on that. It should pass all traffic going anywhere
19:08 < pekster> Apparently whatever lan-side system you're pinging isn't responding
19:08 < pekster> You should tcpdump to see where on the LAN it gets lost, but it's probably that box's fault if you can ping 10.0.0.1 (or w/e the router's IP is on the downstream LAN) but not another box
19:10 < vinise> i treach 10.0.10.1 => and stuck there
19:11 < pekster> From what, your VPN client?
19:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:11 < vinise> yep
19:11 < pekster> That means your VPN isn't working
19:11 < linuxrocks> pekster, thanks for all the security info regarding dd-wrt, I'm glad I mentioned it even if it is not good news, now I know.  BTW I only use SSH access to loopback to the web gui - makes me feel a tiny bit more comfortable ;-)
19:11 < pekster> YOu didn't even do the first step on the flowchart vinise :(
19:12 < pekster> "Can you ping the vpn ip of the server?" NO? "Fix your VPN"
19:12 < pekster> !logs
19:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:13 < vinise> ping 10.0.10.1
19:13 < vinise> Envoi d’une requête 'Ping'  10.0.10.1 avec 32 octets de données :
19:13 < vinise> Réponse de 10.0.10.1 : octets=32 temps=19 ms TTL=64
19:13 < vinise> Réponse de 10.0.10.1 : octets=32 temps=15 ms TTL=64
19:13 < pekster> Then why the fuck tell me you're stuck there?
19:14 < pekster> So, you're _not_ stuck there?
19:14 < vinise> when trying to reach 10.0.0.11
19:14 < pekster> So tcpdump the downstream interface?
19:14 < pekster> Your firewall allows it, and if you can already ping 10.0.0.1 (as you said you can) from the VPN client, you know IP forwarding is on
19:15 < vinise> net.ipv4.ip_forward=1
19:16 -!- u0m3 [~u0m3@92.80.103.137] has quit [Read error: Connection reset by peer]
19:16 < vinise> >ping 10.0.0.1  =>  Réponse de 10.0.0.1 : octets=32 temps=17 ms TTL=64
19:16 < vinise> i just don't understand ^^
19:16 < vinise> i'm sure i must miss somthing obvious but don't know what :p
19:17 -!- pentiumone133 [will@173.243.115.75] has joined #openvpn
19:17 < pekster> But you can't ping another IP in the 10.0.0/24 network from the VPN client that the VPN server can, right?
19:17 < pekster> 10.0.0.11, apparently?
19:17 < pentiumone133> im using the client export package on pfsense, can someone tell me where the openvpn installer defaults to for the client config file ?  its not in the program files folder with the executable
19:17 < vinise> from vpn server
19:17 < vinise> ing 10.0.0.11
19:17 < vinise> PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data.
19:17 < vinise> 64 bytes from 10.0.0.11: icmp_req=1 ttl=64 time=0.706 ms
19:18 < pekster> But not from your client?
19:18 < vinise> nop
19:18 < pekster> Have a client log handy? If not, add --verb 4 to your client config, disconnect, reconnect, and pastebin the log
19:19 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 255 seconds]
19:21 -!- defswork [~andy@141.0.50.105] has joined #openvpn
19:27 < vinise> not handy for me.. any way i need unfortunatly to go (already 2.30 AM here) i'll keep trying and investigates all logs if i don't find any solution i might come back here tomorow
19:27 < vinise> Real Big thanks for you help and patience pekster !!!
19:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:35 -!- mulvane [mulvane@freebsd/user/mulvane] has joined #openvpn
19:35 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
19:36 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
19:36 < mulvane> MULTI: bad source address from client [63.142.75.70]     I keep getting this. Weird though because that is my ISP provided public IP.
19:37 < pekster> Right, and it's obviously invalid as the _inside_ source address
19:37 < pekster> That's usually caused by some broken application on the sending side
19:37 -!- vinise [~vinise@78-23-152-207.access.telenet.be] has quit []
19:38 < mulvane> I didn't have this problem with same setup until I upgraded my openvpn setup..
19:38 < pekster> Ignore it or tcpdump the traffic to get hints as to what broken application you need to fix
19:39 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
19:39 < mulvane> Here is serverl.cong  http://pastebin.com/Mq1P6Eer
19:39 < mulvane> It's ALL traffic causing it.
19:39 < mulvane> The client is a pfsense firewall setting it up.
19:39 < pekster> If that was the case then nothing would work
19:39 < pekster> It's _only_ dropping addresses badly sourced
19:39 < mulvane> Nothing is working.
19:39 < pekster> If that's all of them, you managed to configure NAT so broken
19:40 < mulvane> firewall handling nat on server http://pastebin.com/pXikQ9PU
19:40 < pekster> overlapping networks maybe? 192.168.1/24 is a horrible choice and breaks if a client ever is on the same LAN
19:40 < pekster> Best to use !randomsubnet (bot has info for you) and pick a properly random one
19:41 < pekster> This would be NAT on the client to set a bogus address ;)
19:41 < pekster> OpenVPN is saying your _client_ has selected an illegal address
19:41 < pekster> It's just as broken as trying to use 203.0.113.8 on your 192.168.1/24 LAN
19:41 < pekster> Not allowed, and will be ignored
19:42 < mulvane> The 192 subnet is just for a quick setup until I work out the bug.
19:43 < mulvane> Quick network I built on one of my esxi hosts
19:43 < pekster> It works so long as no client ever is on that same LAN itself
19:43 < pekster> Also, later fix opendns; it's foul
19:43 < pekster> !opendns
19:43 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
19:44 < mulvane> Yeah, I never did remove that line. Its commented though
19:45 < pekster> Yup. Just a general warning against stupid companies that violate spec for profit
19:45 < pekster> Google might be a business, but they tend to not break the Internet doing it
19:45 < mulvane> Yeah. I used to use them. Started noticing problems
19:45 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:46 < pekster> I've seen it break corp VPNs that rely on split-DNS when opendns sends them to ad domains instead of letting the client retry the inside DNS
19:46 < pekster> Plus, who wants ads when you typo? :\
19:48 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:48 -!- aji [~alex@atheme/member/aji] has joined #openvpn
19:52 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
19:59 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
19:59 -!- marshall [~marshall@modemcable071.115-162-184.mc.videotron.ca] has joined #openvpn
19:59 < marshall> hey openvpn
20:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
20:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
20:00 < marshall> I think I have to set up a redirect gateway for ssh on a server I'm accessing, but I'm not sure exactly how to do it
20:03 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:12 -!- crus [~crusader@2001:44b8:319e:2900:886c:563b:39fa:6ddd] has quit [Read error: Connection reset by peer]
20:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:32 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
20:33 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 250 seconds]
20:41 -!- aji [~alex@atheme/member/aji] has joined #openvpn
20:43 <@ecrist> !irclogs
20:43 <@vpnHelper> "irclogs" is Channel logs are available at http://secure-computing.net/logs/#openvpn.log and http://secure-computing.net/logs/#openvpn-devel.log and are updated every three hours.
20:46 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:46 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:47 < marshall> I'm trying to connect to a vpn from my cloud server, but as soon as a connection is established, my SSH session is killed. here's the output: http://pastebin.com/HqD2cUiJ. what should I do?
20:47 <@ecrist> ping krzee 
20:47 < pekster> marshall: ssh from where to what?
20:49 <@ecrist> !irclogs
20:49 <@ecrist> !irclogs
20:49 <@ecrist> raar
20:49 < pekster> bot needs to lay off the booze ;)
20:49 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 240 seconds]
20:50 <@vpnHelper> "irclogs" is Channel logs are available at http://secure-computing.net/logs/openvpn.log and http://secure-computing.net/logs/openvpn-devel.log and are updated every three hours.
20:50 <@vpnHelper> "irclogs" is Channel logs are available at http://secure-computing.net/logs/openvpn.log and http://secure-computing.net/logs/openvpn-devel.log and are updated every three hours.
20:50 <@ecrist> I updated the database directly, and now it seems unhappy
20:50 <@ecrist> oh, there it goes
20:55 < rob0> !latency
20:55 <@ecrist> !ping
20:55 <@vpnHelper> pong
20:56 <@ecrist> I think I had a DB lock that supybot is programmed to wait for
20:56 < rob0> oh
20:58 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
21:04 <@krzee> ecrist, pong
21:04 <@ecrist> nm, you keep stealing the bot from my screen session
21:05 <@ecrist> I thought it needed to be kicked
21:05 <@krzee> lol
21:05 <@ecrist> I've resorted, at this point, to simply editing the DB by hand now a days
21:05 <@ecrist> since it doesn't like my cloak
21:07 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:11  * ecrist notes user disparity between here and #freeswitch krzee
21:12 <@krzee> ehh?
21:12 <@ecrist> 218 vs 231
21:12 <@krzee> ahh right
21:12 <@krzee> i thought you meant disperity between #openvpn krzee and #freeswitch krzee
21:12 <@krzee> haha
21:13 <@ecrist> oh, no
21:13 <@ecrist> I'm speaking on the conf call on May 28, btw
21:14 <@ecrist> how did your talk go?  I didn't have time to tune it
21:14 <@ecrist> in*
21:14 <@Eugene> Something something I can just spin up a gitinfo-bot instance :v
21:14 <@Eugene> (or you could)
21:15 <@ecrist> so do it already, sell us on it
21:15 <@ecrist> :)
21:15 <@Eugene> !triggers
21:15 <@Eugene> !factoids
21:15 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
21:15 <@ecrist> You can download the whole DB if you like
21:16 <@ecrist> http://secure-computing.net/files/Fatoids.db
21:16 <@ecrist> sqlite3
21:16 <@Eugene> Effort.
21:16 <@ecrist> Apathy
21:16 <@Eugene> I'm taking a dump
21:16 <@ecrist> sums up your usual contribution in #openvpn
21:17  * ecrist ducks
21:17 <@Eugene> Hey now. Sometimes I do it on /other/ people.
21:17  * ecrist poofs - time to watch some Game of Thrones
21:17 <@Eugene> Girlfriend wants me to do the same
21:18 < pekster> Tell her you're going to sit on your own :P
21:20 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
21:25 -!- marshall [~marshall@modemcable071.115-162-184.mc.videotron.ca] has quit [Ping timeout: 240 seconds]
21:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:31 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
21:31 -!- mode/#openvpn [+o krzie] by ChanServ
21:32 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
21:32 -!- krzie is now known as krzee
21:35 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Quit: brb soon hopefuly]
21:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
21:52 -!- master_of_master [~master_of@p4FD7B92A.dip0.t-ipconnect.de] has joined #openvpn
21:54 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:55 -!- master_o1_master [~master_of@p4FD7B9FB.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
22:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
22:21 -!- daniear [~daniear@114.94.54.140] has joined #openvpn
22:23 < daniear> any ideas?
22:24 < daniear> http://pastebin.com/EGPyrXsq
22:30 < daniear> ahhhhh
22:30 < daniear> maybe i can't 'wrap' tcp around udp
22:30 < daniear> openvpn is running in udp mode
22:30 < daniear> obfsproxy is tcp
22:32 < pekster> Right, they're separate protocols
22:34 < daniear> one step closer:
22:34 < daniear> http://pastebin.com/5t4Ha6GD
22:36 < daniear> only info i could dig up http://comments.gmane.org/gmane.network.openvpn.user/26898
22:36 <@vpnHelper> Title: OpenVPN users list (at comments.gmane.org)
22:36 < daniear> mentions some bug in openvpn
22:41 < daniear> found the code here
22:41 < daniear> https://fossies.org/windows/misc/openvpn-2.3.3.zip/openvpn-2.3.3/src/openvpn/socks.c
22:41 <@vpnHelper> Title: openvpn-2.3.3.zip: .../src/openvpn/socks.c | Fossies Archive (at fossies.org)
22:41 < daniear> that gives that error message
22:41 < daniear> line 339
22:43 < pekster> daniear: Hard to believe there's a bug there; that seems to only happen when you get nothing back on from the socks peer
22:44 < pekster> Note that --socks-proxy in openvpn uses socks5
22:45 < pekster> https://trac.torproject.org/projects/tor/ticket/9221
22:45 < pekster> Blame tor
22:45 <@vpnHelper> Title: #9221 (obfsproxy does not have a SOCKS5 listener) – Tor Bug Tracker & Wiki (at trac.torproject.org)
22:45  * Eugene is not wearing socks
22:45 -!- mulvane [mulvane@freebsd/user/mulvane] has quit []
22:46 < pekster> Try merging in commit fe3a0 from that bug and see if it fixes things
22:46 < daniear> merging in? above my level of know-how
22:47 < pekster> or better, grab the branch in comment 19
22:47 < pekster> Then wait for a release that includes it? Merged by asn in comment 20
22:47 < pekster> openvpn can't help if some 3rd party component you're using has a bug that you don't have a fix in place for
22:48 < daniear> then why does openvpn have a page for the 3rd party component? http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
22:48 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
22:48 < daniear> with clear instructions
22:48 < pekster> It's a wiki. Feel free to edit it
22:49 < daniear> gonna try the wiki guy's bundled installer
22:49 < pekster> Looks like 0.2.9 has the Twisted code fix
22:51 < daniear> that's what the server is running
22:51 < daniear> not sure what the client side is
22:52 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
22:55 -!- goeo_ is now known as microbytes
23:08 < daniear> guess i have to wait
23:08 < daniear> https://lists.torproject.org/pipermail/tor-dev/2014-March/006427.html
23:09 <@vpnHelper> Title: [tor-dev] Combining obfsproxy+scramblesuit with OpenVPN (at lists.torproject.org)
23:10 -!- microbytes is now known as iFlasex
23:11 -!- iFlasex is now known as goeo_
23:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
23:41 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
23:48 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
23:52 -!- ShadniX [dagger@p5DDFC741.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:52 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
23:52 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
23:53 -!- ShadniX [dagger@p5DDFC95D.dip0.t-ipconnect.de] has joined #openvpn
23:54 -!- Beta2K [~Beta2K@2607:f1c0:841:4eff::120] has quit [Ping timeout: 245 seconds]
23:58 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:59 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
--- Day changed Fri May 02 2014
00:07 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
00:13 -!- daniear [~daniear@114.94.54.140] has quit []
00:13 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:22 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
00:24 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
00:32 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:38 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
00:45 -!- mattock_afk is now known as mattock
00:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:01 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
01:02 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:15 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
01:22 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 250 seconds]
01:29 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:30 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
01:34 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
01:39 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
01:40 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:45 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
01:51 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
01:55 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Read error: Connection reset by peer]
02:05 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
02:05 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:14 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
02:15 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:17 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
02:17 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
02:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
02:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:33 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:44 -!- Arr0way [~arr0w@unaffiliated/arr0way] has left #openvpn []
02:44 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
02:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:54 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
03:04 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
03:07 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:09 -!- ChrisH__ is now known as ChrisH
03:17 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
03:17 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 255 seconds]
03:18 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
03:19 -!- goeo_ [~goeo_@unaffiliated/goeo] has quit [Ping timeout: 265 seconds]
03:20 -!- Zarrsh [~Zarrsh@198.167.138.150] has quit [Ping timeout: 265 seconds]
03:21 -!- Modestini [~synzvato@se4x.mullvad.net] has quit [Ping timeout: 265 seconds]
03:21 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 265 seconds]
03:21 -!- [1]JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 265 seconds]
03:22 -!- howto [~goeo_@unaffiliated/goeo] has joined #openvpn
03:23 -!- Matir_ [~matir@ubuntu/member/matir] has joined #openvpn
03:23 -!- howto is now known as goeo_
03:23 -!- zoredache_ [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
03:24 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
03:27 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
03:30 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
03:31 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:31 -!- mallxs_ [~mallxs@84.246.31.190] has joined #openvpn
03:34 -!- Netsplit *.net <-> *.split quits: treshoem2, Marlinc, mitz, Nothing4You, matsh, vn
03:35 -!- Netsplit *.net <-> *.split quits: Linmu, waynr, _quadDamage, mallxs, mushroomed, Matir, edge226, m01, MyMind, zoredache,  (+2 more, use /NETSPLIT to show all of them)
03:35 -!- mallxs_ is now known as mallxs
03:35 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
03:35 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
03:36 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
03:44 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:53 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has joined #openvpn
03:53 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
03:53 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Max SendQ exceeded]
03:55 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
04:03 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:07 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:19 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
04:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:30 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:40 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: Goodbye!]
04:46 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:55 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:59 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
05:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:12 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
05:17 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
05:19 < mallxs> hi .. i get the "failed to obtain options consistency info from peer" message in my daemon.log
05:20 < mallxs> the only diff is see between Local Options String and Expected is it swaps the P-t-P addresses:  10.1.0.11 10.1.0.12
05:20 < mallxs> is that normal ?
05:22 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
05:24 -!- b4ggi0 [~b4ggi0@58.229.184.213] has joined #openvpn
05:26 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
05:39 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
05:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:59 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
06:02 -!- Voyage [~Voyage@WimaxUser3971-56.wateen.net] has joined #openvpn
06:02 < Voyage> Hi
06:03 < Voyage> I just did this http://pastie.org/9133229  on a remote VPS server. this VPS further connects to a vpn (in the paste). But now I cannot connect to the VPS from another command shell.  any issue you think?
06:05 <@krzee> ecrist, cool, after my conf call with them i actually pointed you out as someone who did something pretty non-standard and cool with freeswitch
06:08 <@krzee> Voyage, you are probably redirecting internet in that vpn config
06:08 <@krzee> !splitroute
06:08 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
06:09 <@krzee> in which case, you need policy routing to still be able to connect to the VPS on its normal IP address while it redirects internet
06:11 < Voyage> krzee,  this 96.47.70.253 is my VPS ip, the VPN is something else.  now is see nmap, the VPS has bazzillions of ports open. I think its because of the openvpn client?
06:11 < rob0> mallxs, I bet it means you have specified the same --ifconfig on each side.
06:11 <@krzee> Voyage, your vps server is acting as a vpn client
06:12 < Voyage> yes
06:12 <@krzee> the vpn is redirecting its internet over the vpn
06:12 <@krzee> so when you ssh to it, it replies over the vpn
06:12 <@krzee> a connection cannot be made
06:12 <@krzee> the solution is policy routing, like i already said =]
06:12 < Voyage> but my vps is a vpn client now. why so many ports are opened on the vps
06:12 < Voyage> krzee,  oh
06:12 <@krzee> dunno, but the answer to the problem is policy routing.
06:13 < Voyage> how can I policy rout?
06:13 <@krzee> !splitroute
06:13 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
06:13 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
06:13 < Voyage> k
06:15 < Voyage> krzee,  well, I have lost the access in the first place. so how to ssh the vps and shutdown the openvpn?
06:15 <@krzee> got a web interface to the vps company?
06:16 <@krzee> they prolly give you a way to reboot it.
06:17 < Voyage> krzee,  nop
06:17 < Voyage> krzee,   the openvpn said. Peer Connection Initiated with [AF_INET]69.65.43.205:1443
06:17 < Voyage>          so I can connect to this ip instead?
06:18 <@krzee> sucks for you
06:18 < Voyage> krzee,  so inshort, I am doomed?
06:18 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
06:18 <@krzee> Voyage, i dont know
06:18 <@krzee> should prolly ask them
06:18 <@krzee> i cant support the vps itself
06:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
06:23 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
06:24 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
06:26 < Voyage> krzee,  so normally, theres no way?
06:27 <@krzee> normally no there is not
06:27 <@krzee> well
06:28 <@krzee> normally the vps company makes it easy to reboot your vps
06:28 <@krzee> which will do the trick
06:34 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
06:39 < fol_tempus> Hello, I did ask this a few days ago, I'll try a last time. I'm having slow uploads with openvpn. Here is the config file, server side: http://fpaste.org/97215/85603831/raw/ . Downloads happen at full speed. Uploading is fine, except for single big uploads. If a single upload is bigger than ~1MB, that single upload hangs. I've tried with the default cipher and auth as well, so it shouldn't be a auth/cipher issue. I've also checked the
06:39 < fol_tempus> server load (VPS), it's never over 5%. krzee also thrown a !mtu at vpnhelper last time (I figured it out it was for me) but sadly it didn't help. I've commented out tun-mtu, fragment and mssfix option and performed the test. I've attempted to use the given value (1601) and lowered it back to 1400 (with and without the fragment and mss-fix switch), with no luck.
06:41 < Voyage> krzee,  thanks
06:41 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
06:42 < mallxs> fol_tempus: is there a adsl line in your connection ?
06:43 < fol_tempus> mallxs: yes
06:44 < mallxs> fol_tempus: and how is the Uploading over the that line with out the vpn ?
06:44 < fol_tempus> mallxs: just fine, it doesn't hang
06:45 < fol_tempus> mallxs: I've also tried to upload from the server (via ssh), it doesn't hang as well
06:49 < mallxs> fol_tempus: sorry that was all i could think off ... to many bad packages so to many retries;
06:50 < fol_tempus> thank you anyways :)
06:50 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:53 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
06:54 < Inst> hi, could someone please help me out?
06:54 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:56 < rob0> Yes. You type "/quit" and hit enter, your IRC client will exit. ;)
06:58 < mallxs> Inst: just ask
06:58 < Inst> well, looking for a diagnostic
06:58 < Inst> not sure what the problem is, maybe it's just that my cert is broken
06:58 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
06:58 < Inst> hmmm, maybe i'll try that
06:59 < Inst> and see if i can connect by disabling my encryption certificates
06:59 < Inst> the unusual case is that my client is rejecting my certificate as being "too new"
06:59 < Inst> so i'm artificaly adjusting the date
07:00 < mallxs> lol that a bad idea; was just about to advice to use ntp
07:05 < Inst> the problem is basically that if i use the test configuration here, my connection works
07:05 < Inst> https://wiki.debian.org/OpenVPN#Configuration
07:05 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
07:06 < Inst> but if i use an actual configuration i can't ping client from server or vice versa
07:07 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:10 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
07:13 < mallxs> Inst: i have the same problem: one connection is working and the other does not make a peer connection, a nmap -p1195 myhost.com shows  "1195/tcp filtered unknown" guess there is a file wall in between
07:13 < Inst> i can get the tap adapter to do a full connection
07:14 < Inst> erm, a technical connection, but the system won't let me ping the other device
07:14 < Inst> and it won't pass traffic through the network
07:16 < mallxs> Inst: does your daemon.log  shows "Peer Connection Initiated ...." ?
07:16 < Inst> daemon.log?
07:16 < Inst> i have openvpn outputting to terminal
07:21 < fol_tempus> small update: I've changed tun-mtu to 1601, fragment to 1492 and mssfix to 1492 - and now uploads seems to "hang" a little less (the max upload speed is hampered anyway)
07:35 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
07:37 < Inst> well, server seems to have been fixed now that i've resynced the clocks
07:37 < Inst> my VPS provider seemed to have totally fubared the clock on my VPS
07:37 < Inst> weird
07:44 < Voyage> krzee,  the link you gave.    for ip rule add from 91.121.199.129 table 10   and   ip route add default via 91.121.199.254 table 10   the first is the WAN public ip of the vps (vpn client) and the second is the gateway it uses?
07:44 < Inst> there, i think i see the problem
07:45 < Inst> i'm running an ancient client of opnevpn for some reason
07:45 < Inst> dumb
07:45 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
07:46 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 240 seconds]
07:48 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
07:55 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 240 seconds]
07:56 < Inst> lol @ openvpn
07:56 < Inst> every time i set up a new openvpn server i always allocate 48 hours to get it working
07:56  * Inst sighs
07:58 < Rienzilla> i allocate approximately 10 minutes :)
07:59 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
07:59 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
08:01 < Voyage>  this 96.47.70.253 is my VPS ip, the VPN is something else.  now is see nmap, the VPS has bazzillions of ports open. I think its because of the openvpn client?
08:01 < Voyage> If I didnt installed any servers/daemons, why the ports are open? is there a security risK?
08:03 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 252 seconds]
08:04 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
08:04 -!- justinzane [~justinzan@64.234.62.62] has quit [Remote host closed the connection]
08:04 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
08:04 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
08:14 <@krzee> Voyage, see his ifconfig in post #1
08:16 < Voyage> krzee,  ok. doing that.
08:16 < Voyage> krzee,  why do you think that  96.47.70.253  the vpn client has so many ports oopeN/
08:22 <@krzee> thats their ip, right?
08:22 <@krzee> its prolly not your client's ports, its their machine's
08:23 < Voyage> 96.47.70.253  is my vps/ vpn client
08:24 < Voyage> krzee,  ya, its their machins. but why showing on MY vps ?
08:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
08:32 -!- Voyage [~Voyage@WimaxUser3971-56.wateen.net] has quit [Ping timeout: 250 seconds]
08:37 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
08:42 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
08:48 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
08:49 -!- tamazaki [~tamazaki@95.85.35.109] has quit [Ping timeout: 252 seconds]
08:52 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
08:52 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 252 seconds]
08:54 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
08:56 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
08:59 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
09:01 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 245 seconds]
09:02 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:05 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
09:10 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 245 seconds]
09:10 -!- krzee changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.4 (02 May 2014) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Heartbleed info: see !heartbleed
09:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:16 -!- mode/#openvpn [+v s7r] by ChanServ
09:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:20 -!- stickpin [~bam@rrcs-67-79-122-146.se.biz.rr.com] has joined #openvpn
09:21 -!- Inst [~aleph@unaffiliated/inst] has quit [Read error: Connection reset by peer]
09:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:48 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
09:59 -!- b4ggi0 [~b4ggi0@58.229.184.213] has quit [Quit: Leaving]
10:05 -!- ChrisH [~dg7pc@dslb-088-078-248-126.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
10:06 -!- ChrisH [~dg7pc@dslb-088-076-096-141.pools.arcor-ip.net] has joined #openvpn
10:10 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
10:10 < Inst> hey
10:10 < Inst> could i get some help with this?
10:10 < Inst> Fri May 02 23:07:41 2014 us=703256 PUSH: Received control message: 'PUSH_REPLY,route 10.90.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.90.0.6 10.90.0.5'
10:10 < Inst> this looks wrong
10:11 < Inst> shouldn't it be ifconfig 10.90.0.6 10.90.0.1 instead of 10.90.0.5?
10:11 <@krzee> !net30
10:11 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:13 < Inst> ummm, i'm using a VPN because my internet is blocked
10:13 < Inst> :(
10:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:20 < rob0> but why net30 after all these years? Let it die in peace.
10:24 <@ecrist> rob0: the first line probably says: OpenVPN 2.0.9 compiled....
10:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
10:39 -!- ronnocol [~lance@mail.monkeymental.com] has joined #openvpn
10:40 < ronnocol> Hey, just wanted to stop by and say I'm very happy with the performance and scalability of ovpn; you guys are doing a great job: nclients=30568,bytesin=78475738061489,bytesout=3522366041764
10:50 -!- TheRealSjr [~sjr@216.239.45.71] has quit [Remote host closed the connection]
10:57 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:03 <@krzee> ronnocol,
11:04 <@krzee> nclients? what is that var representing?
11:08 < Tykling> number of clients ? :)
11:09 <@krzee> thats what it looks like? except he has 30K
11:09 <@krzee> which, if he says he really has connected to a single server, i want to know a lot more
11:09 < Tykling> I guess that is why he says it scales well :)
11:09 <@krzee> because that shouldnt be possible as far as i thought i know
11:10 <@krzee> no kidding lol
11:10 <@ecrist> ~200 or so and you run into context switching issues
11:10 <@krzee> ive heard as high as 500 on nice hw
11:10 <@krzee> but 30K? if he really has that i have a few questions..
11:11 < ronnocol> krzee: It's 30K clients on 2 servers, each running 5 instances of ovpn server
11:11 <@ecrist> so, ~300 each
11:11 <@krzee> still, ~3k clients per process?
11:11 <@ecrist> erm, yeah, I'm off
11:11 <@krzee> 10 servers 30,000 clients
11:12 <@ecrist> fuck you and your maths
11:12 <@krzee> my maths says how the hell does he have 30k clients!?
11:12 < ronnocol> 10 processes on 2 servers, each ovpn server process is doing ~3K clients
11:12 <@krzee> fucking WOW
11:12 <@krzee> what kind of hardware man?
11:12 <@ecrist> yeah, what's the spec on that?
11:13 <@ecrist> it'd be interesting to know what ciphers/etc you're using
11:13 <@ecrist> could you share your server configs, perhaps?
11:13 <@krzee> and can you document this somewhere? we have 2 wiki's for your convenience!
11:13 <@krzee> basically, if you have 30k clients on 10 processes, i want to be like you!
11:13 -!- mode/#openvpn [-o krzee] by ecrist
11:14 <@ecrist> fanboi
11:14 < krzee> lol
11:14 < krzee> you're just jealous ;]
11:14 < ronnocol> HP blades w/ ~100GB of RAM, dual 8-core E5-2650 processors
11:14 < krzee> hmmm i wonder why that is performing so well
11:15 < krzee> do HP blades make the software/os only see a single cpu core somehow?
11:15 < krzee> cause openvpn is single threaded it should only be running on a single core per server instance, and that means each blade should have 11 cores that are not helping with openvpn
11:17 < ronnocol> nope, you're right, There are ~11 cores that are not helping ovpn, but are used for other things
11:17 < krzee> wow
11:17 < ronnocol> servers are 98% idle
11:17 < krzee> i wonder wtf makes your blade able to handle so much
11:17 < krzee> like ecrist said we normally see context switching issues around 200-300 clients
11:21 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
11:21 < ronnocol> http://pastebin.com/NPA9gjNS <-- server config for one instance (slightly redacted)
11:21 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
11:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 250 seconds]
11:22 < Rienzilla> cipher none ?
11:23 < ronnocol> Data is pre-encrypted before hitting the tunnel
11:23 < Rienzilla> well that's probably helping performance :)
11:24 < krzee> errr
11:24 < krzee> how/why?
11:25 < krzee> generally people use openvpn for crypto, if using cipher none why add big bad openvpn instead of using lil ol' GRE tunnels
11:26 < ronnocol> krzee: The clients are embedded devices and I had to turn up an architecture really quickly, so I went with what I knew.
11:26 < krzee> werd
11:27 < ronnocol> I had used ovpn on this stack before for another project, so I knew the client would run on the platform, and we had a management infrastructure for it.
11:27 < krzee> gotchya, seems to be working well
11:28 < krzee> i wonder if cipher none is really that big to let 10x the clients work
11:28 -!- cransom [~cransom@petit.hubns.net] has joined #openvpn
11:28 < ronnocol> In the other project, we used crypto (still embedded, but more powerful than this chipset) and we scaled it out to about 1200 clients/process (server didn't seem to stress, but that was the target, so we stopped)
11:29 < ronnocol> oh look, the best network engineer I've ever worked with just joined the channel (he helped design the network for the 1st project)
11:30 < cransom> well, i really just said 'just go use openvpn' and then i quit my job.
11:30 < krzee> haha
11:32 < krzee> ronnocol, would you message me your email so i can send it to jjk (author of the openvpn cookbook), because he has done some load testing iirc and never got near that, im pasting some of this convo to him and i think it would be cool to leave him contact info in case he has any questions
11:32 < krzee> !book
11:32 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
11:32 < ronnocol> However, the not well documented max-clients=1024 if no other value is set bit me in the ass.
11:33 < krzee> hah what a nice problem to have
11:35 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:36 < krzee> thank you =]
11:36 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
11:37 < ronnocol> sure. I'm going to be out of town for a few days, but will be back next week.
11:52 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
12:00 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
12:19 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
12:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:40 -!- Voyage [~Voyage@pool2-80-213.brain.net.pk] has joined #openvpn
12:43 < Voyage> krzee, heres my ifconfig http://pastie.org/9134287 I want to setup this server (its a vps) as a vpn client. But I dont want to loose ssh and port 8080 access (which does happens when I conenct to vpn server. it looses direct connectivity).  What should be the ips in the rules ip rule add from IP-HERE table 10        ip route add default via IP-HERE table 10
12:44 < Voyage> anyone?
12:44 < Voyage> I dont want to mess up again
12:50 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Remote host closed the connection]
12:52 -!- Kamshak [~kamsahk@aftr-37-201-225-189.unity-media.net] has joined #openvpn
12:53 -!- u0m3 [~u0m3@92.80.87.128] has joined #openvpn
12:58 -!- Kamshak [~kamsahk@aftr-37-201-225-189.unity-media.net] has quit [Ping timeout: 252 seconds]
13:03 -!- Kamshak [~kamsahk@aftr-37-201-225-189.unity-media.net] has joined #openvpn
13:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:05 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 252 seconds]
13:11 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:12 < Kamshak> I set up openvpn on my openvz debian vps, i can connect fine and ping the server from the client, but the server can't ping the client. I don't want to use the vpn for internet connection. What could be the reason? I set up these iptable rules, venet0 is the external interface, tun0 the tunnel http://privatepaste.com/19852fde6a
13:12 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
13:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
13:32 -!- treshoem2 [~treshoem@198-84-231-11.cpe.teksavvy.com] has quit [Ping timeout: 255 seconds]
13:33 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
13:34 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Ping timeout: 252 seconds]
13:53 < Kamshak> !configs
13:53 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:53 < Kamshak> !logs
13:53 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:55 -!- BenLue [NoMail@unaffiliated/benlue] has quit [Ping timeout: 246 seconds]
13:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:05 < Voyage>  after this http://pastie.org/9134455      I cannot do ping google.com from the vps. but I can how ever do  mylocal pc > -D 8080 Vps (which is VPN client) > vpn server. works fine.       but when I ssh to my vps, ping google or do wget or curl. Resolving google.com (google.com)... failed: Temporary failure in name resolution.
14:15 < Kamshak> Can anyone help me with a little problem i'm having? I set up a vpn server on my vps which hosts a web server. I want it to proxy a certain alias to my home pc(vpn client). Connecting to the vpn works fine, the client can also ping the server but the server can't ping the client. Little image to illustrate: https://hostr.co/MUDuuMdHtbHl Server config: http://privatepaste.com/0449c5b8c7 Client Config: http://privatepaste.com/fe35420932
14:15 < Kamshak>  Client log: http://privatepaste.com/507c10b4a8 Server Log: http://privatepaste.com/0dd5960e22 any help would be much appreciated.
14:15 <@vpnHelper> Title: Screenshot-on-2014-05-02-at-21.04.27.png - Hostr (at hostr.co)
14:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:07 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:16 -!- Kamshak [~kamsahk@aftr-37-201-225-189.unity-media.net] has quit [Ping timeout: 250 seconds]
15:17 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:25 -!- Voyage [~Voyage@pool2-80-213.brain.net.pk] has quit [Ping timeout: 240 seconds]
15:28 < krzee> just went to answer 2 people, but they both left...
15:32 -!- Voyage [~Voyage@pool2-80-213.brain.net.pk] has joined #openvpn
15:33 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:34 -!- Kamshak [~kamsahk@aftr-37-201-225-189.unity-media.net] has joined #openvpn
15:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
15:40 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
15:41 -!- Kamshak [~kamsahk@aftr-37-201-225-189.unity-media.net] has quit [Read error: Connection reset by peer]
15:57 < Inst> hi
15:57 < Inst> could someone please help me out?
15:57 < Inst> i'm not sure if this is the problem, but my openvpn client / tap adapter is setting the wrong DHCP server
15:57 < Inst> it's on win8
15:58 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:58 < Inst> and i can't ping either client or server from server or client respectively
16:03 < krzee> Inst,
16:03 < krzee> !goal
16:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:03 < Inst> I'm in a country with restricted internet access, and I'm configuring a VPS in another country to function as a private VPN service.
16:04 < krzee> ok so you want tun not tap
16:05 < Inst> excuse me, it's running tun, not tap
16:05 < Inst> my mistake
16:05 < krzee> ok, lets see your configs and logs, as directed by the bot here:
16:05 < krzee> !logs
16:05 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:05 < krzee> !configs
16:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:07 < Inst> oh hey, pastebin is blocked
16:07 < Inst> that's hilarious
16:07 < krzee> haha dont worry theres plenty of those sites
16:07 < Inst> i miss omploader
16:13 < Inst> =oh groan
16:13 < Inst> pasteking just ate my info
16:18 < Inst> http://tny.cz/23fc76a6
16:18 <@vpnHelper> Title: The easiest way to host your text (at tny.cz)
16:18 < Inst> pass is hatecake
16:23 < krzee> you didnt follow the directions
16:23 < krzee> comments removed please
16:23 <@Eugene> I'm  surprised you bothered to click a link that asked for a password, really.
16:23 < krzee> adding a comment for server / client is fine, but half that post is comments
16:24 < krzee> Eugene, i support password protecting it
16:24 <@Eugene> There's no excuse for that garbage, we don't care.
16:24 <@Eugene> Security through annoyance? :p
16:24 < krzee> dont obfuscate it, but do encrypt / pw protect it  if you like
16:25 < krzee> if you start changing the info, then ill prolly stop looking
16:25 < krzee> cause that harms my ability to help ;]
16:25 < Inst> done
16:25 < Inst> http://tny.cz/16caa1d6
16:25 <@vpnHelper> Title: The easiest way to host your text (at tny.cz)
16:26 < pekster> !search RFC5737
16:26 <@vpnHelper> There were no matching configuration variables.
16:26 < pekster> !search --values RFC5737
16:26 <@vpnHelper> (search <word>) -- Searches for <word> in the current configuration variables.
16:26 < pekster> !factoids search RFC5737
16:26 <@vpnHelper> No keys matched that query.
16:26 < pekster> !factoids search --values RFC5737
16:26 <@vpnHelper> '5737' and 'topsecret'
16:26 < pekster> !5737
16:26 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
16:27 < krzee> ya thats fine if they are actually clever, usually they are not
16:27  * Eugene blackholes all bogan routes at the edge
16:27 <@Eugene> (Yes, with an a)
16:27 < pekster> I have a daily script to pull bogons from Team Cyrmu's full list
16:28 < pekster> Though ironically I'm not to happy with them right now for an unrelated reason (they're my IPv6 tunnel PoP, and they have a routing screwup)
16:29 <@Eugene> I was making a joke on Australians
16:30 <@Eugene> I only bother to block rfc blocks, mostly so 10/8 won't escape and annoy my ISP
16:30 < pekster> Oh, I get packets _from_ my next-hop sourced from 10/8 :(
16:30 < pekster> Comcast "feature"
16:31 < krzee> Inst, your client is linux?
16:31 < Inst> client is on win8
16:31 <@Eugene> Yeah, same here. Fuckers.
16:31 < krzee> ok cool, with windows clients you shouldnt have to do much special to have pushing DNS work
16:32 < Inst> what's wrong right now is that i can't ping server from client or client from server
16:34 < krzee> !logs
16:34 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:34 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:34 < Inst> i'm also not pushing route all traffic to VPS settings because that kills my connections
16:34 < Inst> okay, give me a second
16:34 < krzee> and go to verb 5
16:34 < krzee> on both sides
16:35 < Inst> k, restarting crap
16:38 -!- alexw_ [~textual@unaffiliated/alexw] has joined #openvpn
16:38 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 245 seconds]
16:39 < Inst> starting connection
16:42 -!- alexw_ [~textual@unaffiliated/alexw] has quit [Ping timeout: 240 seconds]
16:46 < Inst> http://tny.cz/856cf6e9
16:46 <@vpnHelper> Title: The easiest way to host your text (at tny.cz)
16:46 < Inst> same password as before
16:47 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:51 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
16:52 -!- Voyage [~Voyage@pool2-80-213.brain.net.pk] has quit [Ping timeout: 245 seconds]
16:54 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:56 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
16:59 < krzee> its blank
16:59 < Inst> try downloading it and opening it
16:59 < Inst> it'll show
17:00 < krzee> umm no
17:00 < krzee> haha
17:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:00 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
17:00 < Inst> http://tny.cz/856cf6e9/save.php?hash=7a75b1d42e3761d6d7b7b74dfd8fdd6d
17:00 < krzee> post your logs to a pastebin-like site, im not downloading anything
17:00 <@vpnHelper> Title: The easiest way to host your text (at tny.cz)
17:00 < krzee> again, no.
17:00 < Inst> all of the logs aren't working?
17:01 < Inst> or just the log logs, not the conf file?
17:01 < pekster> Download? I just ignored that when I was shown a blank file
17:01 < krzee> you keep trying to get me to download files, and i am not
17:01 < pekster> Must be adblockplus doing its thing
17:01 < krzee> so post the logs like you posted the configs
17:02 < Inst> no, i posted the logs just like i posted the configs, it's something wrong with the site
17:03 < krzee> ok
17:03 < krzee> well when you figure it out let me know
17:04 < Inst> what's wrong with downloading files anyways?
17:04 < Inst> i had someone who got freaked out when i sent him a .rtf file once, i told him to change it to a text editor
17:04 < krzee> just that im not going to do it
17:04 < Inst> later i discovered that in windows native notepad has executable code exploits
17:04 < Inst> which is hilarious
17:05 < pekster> We don't want to download it for the same reason converting this is painful, even if you know what it is:
17:05 < pekster> RW5jb2RlZCBmaWxlcyBhcmUgYW5ub3lpbmcgYXMgZnVjaw==
17:07 < Inst> http://chopapp.com/#iiuuqg5g
17:07 <@vpnHelper> Title: Chop Post code, write notes and share feedback (at chopapp.com)
17:07 < Inst> well i'm still running opera 12.5 which still lets me open files in browsers instead of having to download them
17:07 < Inst> i haven't used firefox in a while, but chrome / chrompera forces downloads
17:08 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:11 < krzee> your server needs to allow traffic to tun interface
17:12 < krzee> firewall issue on server
17:13 < Inst> how do i get iptables to run a load-out?
17:13 < krzee> post iptables-save
17:14 < Inst> http://chopapp.com/#rijipekt
17:14 <@vpnHelper> Title: Chop Post code, write notes and share feedback (at chopapp.com)
17:15 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:16 < Inst> it's a VPS, possible that the blockage is at the data center level?
17:16 < Inst> because i ran the direct connection on the debian openvpn wiki and that worked
17:16 < Inst> :/
17:17 < krzee> ohh
17:17 < krzee> delete this:  -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
17:17 < krzee> !linnat
17:17 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
17:17 < krzee> oh no nevermind thats fine
17:17 < krzee> hmm ya your firewall does look fine
17:17 < pekster> So long as that's the actual interface
17:18 < pekster> I usually ask for `iptables-save -c` so you can also check hitcounters ;)
17:18 < krzee> ya, do that ^^
17:19 < Inst> the funny thing is, is it possible that the local authorities just upgraded their firewall kit?
17:19 < Inst> i haven't been here in a year
17:20 < Inst> but before i left they were using DPI to detect and kill openvpn connections on my ISP
17:20 < krzee> oh
17:20 < Inst> so i'm speculating they've upgraded their methods to selectively filter out openvpn packets instead of blocking IPs
17:20 < krzee> what country?
17:20 < Inst> china
17:20 < krzee> i think they did actually
17:20 < krzee> have you looked at:
17:20 < krzee> !obfs
17:20 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
17:20 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
17:20 < Inst> yeah, i've used obfs in the past
17:20 < krzee> also if you dont need multiple clients, you can go static key
17:21 < Inst> the weird thing is that
17:21 < Inst> https://wiki.debian.org/OpenVPN
17:21 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
17:21 < Inst> https://wiki.debian.org/OpenVPN#Test_VPN
17:21 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
17:21 < Inst> the test aspect works
17:21 < krzee> theres no tls
17:22 < krzee> it might not trigger their fingerprinting
17:27 < Inst> obfsproxy sucks, btw
17:27 < Inst> apparently torproject is run by a bunch of pricks
17:27 < Inst> or maybe it's just that my google-fu sucks
17:28 < Inst> they upgraded their stuff to a python-based obfsproxy and my obfs setup stopped working
17:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:29 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
17:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:37 < Inst> static key method isn't working
17:37  * Inst sighs
17:37 < Inst> no route to host error
17:39 < Inst> going to try to remove iptables and see how well that works out
17:44 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
17:45 -!- stickpin [~bam@rrcs-67-79-122-146.se.biz.rr.com] has left #openvpn []
17:47 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
17:55 < krzee> your default policies are already ACCEPT
17:55 < krzee> your firewall is fine, theres another firewall involved
17:56 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
18:10 < Inst> which is weird, then
18:10 < Inst> is it the ISP firewall or the datacenter firewall?
18:10  * Inst throws his hands up
18:11 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:14 < krzee> no way i could know, but i guess its easy enough to find out if you test from somewhere else
18:16 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 252 seconds]
18:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
18:19 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:20 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:20 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
18:23 -!- u0m3 [~u0m3@92.80.87.128] has quit [Quit: Leaving]
18:30 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
18:51 < Inst> okay, now this is getting retarded
18:51 < Inst> if this hack works then it means i can connect via a command line command but not the gui
18:52 < Inst> yup, this is totally stupid
18:52 < pekster> GUIs tend to have problems as most of them try to be the kitchen sink
18:52 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
18:52 < pekster> n-m is especially bad in this regard
18:55 < Inst> do you know how to get my system to route traffic through the VPS?
18:55 < Inst> http://chopapp.com/#v8z6qss1
18:55 <@vpnHelper> Title: Chop Post code, write notes and share feedback (at chopapp.com)
18:56 < Inst> that's the command strings i'm using right now, is there something i need to add to the client side commands to get them to route traffic through the VPS? I mean, it's been a huge improvement that i can now ping the server host
18:57 < krzee> !redirect
18:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:57 < Inst> thanks
18:57 < pekster> !redirect
18:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:57 < pekster> Oh, bah
19:04 < Inst> nah, it's okay, i can't get the connection to reactivate anymore
19:04 < Inst> weird
19:04 < Inst> grr, so much for tinfoil hatting and getting russian ISPs
19:05 < Inst> hostkey gave me similar shit when their service would randomly cut out
19:05 < Inst> erm, russian VPS
19:07 < Inst> even stateside their service would die
19:09 < Inst> !def1
19:09 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
19:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:17 < Inst> !bypass_dhcp
19:34 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Remote host closed the connection]
19:40 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
20:22 -!- Eugene [eugene@itvends.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:24 -!- Eugene [eugene@badcryp.to] has joined #openvpn
20:28 -!- thefinn93 [~finn@unaffiliated/thefinn93] has joined #openvpn
20:29 < thefinn93> is there a way to have a script execute server-side whenever a client connects?
20:29 < pekster> thefinn93: --client-connect. See also:
20:30 < pekster> !scripts
20:30 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
20:30 < thefinn93> perfect
20:30 < thefinn93> thanks
20:31 -!- Inst [~aleph@unaffiliated/inst] has quit [Ping timeout: 240 seconds]
20:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:35 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
20:51 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 245 seconds]
20:55 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
20:59 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
21:05 -!- alexw [~textual@unaffiliated/alexw] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
21:08 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:17 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
21:40 -!- kadafi [~kadafi@ninjas.asia] has joined #openvpn
21:40 -!- kadafi [~kadafi@ninjas.asia] has left #openvpn []
21:49 -!- justinzane [~justinzan@64.234.62.62] has quit [Read error: Connection reset by peer]
21:52 -!- master_o1_master [~master_of@p4FF24D94.dip0.t-ipconnect.de] has joined #openvpn
21:52 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
21:52 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:54 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Quit: ZOMBIES!]
21:55 -!- master_of_master [~master_of@p4FD7B92A.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
21:59 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
22:01 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
22:09 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
22:09 < Inst> groan
22:09 < Inst> now i'm using tor
22:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:19 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 252 seconds]
22:22 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
22:25 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
22:27 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: brb reinstalling server]
22:31 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:42 -!- mode/#openvpn [+o Eugene] by ChanServ
22:57 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
23:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
23:04 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
23:04 < raspberrypifan> hello everyone
23:15 -!- viperZ28_ [uid11066@gateway/web/irccloud.com/x-ugprdvkcibovcbxe] has quit [Ping timeout: 240 seconds]
23:15 -!- thorrr [sid26124@gateway/web/irccloud.com/x-zoeqwuhbzjppipsz] has quit [Ping timeout: 245 seconds]
23:15 -!- red_racer12____ [sid20963@gateway/web/irccloud.com/x-sbrhsqxpyfdchdfk] has quit [Ping timeout: 245 seconds]
23:15 < raspberrypifan> has anyone used vpnbook
23:15 -!- kwmiebach [sid16855@gateway/web/irccloud.com/x-uazriwxffbhmrjta] has quit [Ping timeout: 240 seconds]
23:15 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 245 seconds]
23:18 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
23:30 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
23:50 -!- ShadniX [dagger@p5DDFC95D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:52 -!- ShadniX [dagger@p5481D08D.dip0.t-ipconnect.de] has joined #openvpn
23:55 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
--- Day changed Sat May 03 2014
00:00 < DQSII> ive used it but im also using tor
00:08 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 252 seconds]
00:13 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
00:19 -!- Inst [~aleph@unaffiliated/inst] has quit [Ping timeout: 245 seconds]
00:29 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
00:32 -!- Latrina [~Latrina@ppp-148-2.26-151.libero.it] has quit [Ping timeout: 240 seconds]
00:34 -!- Latrina [~Latrina@adsl-ull-230-221.50-151.net24.it] has joined #openvpn
00:42 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
00:44 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
00:44 -!- mode/#openvpn [+v hazardous] by ChanServ
00:50 -!- Latrina [~Latrina@adsl-ull-230-221.50-151.net24.it] has quit [Ping timeout: 252 seconds]
00:51 -!- Latrina [~Latrina@adsl-ull-76-200.50-151.net24.it] has joined #openvpn
01:21 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
01:26 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
01:39 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
01:57 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:57 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:57 -!- mattock_afk is now known as mattock
01:58 -!- linuxrocks [~linuxrock@209.251.154.51] has quit [Ping timeout: 276 seconds]
02:21 -!- NeedNetworkHelp [~PJ@c-98-244-45-231.hsd1.ca.comcast.net] has joined #openvpn
02:22 < NeedNetworkHelp> Am I supposed to create users on the ovpn server, more than simply issue certificates?
02:23 <@Eugene> No
02:23 < NeedNetworkHelp> So just make the certificate and I should be golden?
02:24 <@Eugene> Usually, yes. I don't know your particular situation of course, but if you're using a Typical setup(ie, per the HOWTO), then yup.
02:24 < NeedNetworkHelp> Why does OpenVPN-GUI ask for user/pass?
02:28 < NeedNetworkHelp> Eugene?
02:29 <@Eugene> Because you've inadvertently downloaded the AS client, not the GPL openvpn
02:29 <@Eugene> !download
02:29 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
02:29 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
02:29 < NeedNetworkHelp> Gaaaahhhhhhhhh
02:29 < NeedNetworkHelp> Thanks
02:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:48 -!- NeedNetworkHelp [~PJ@c-98-244-45-231.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds]
02:49 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
03:04 -!- Netsplit *.net <-> *.split quits: antihero, Samopotamus, early, Fudge, Matir_, Fiouz, ronnocol, emid, pekster, joshh20-Away,  (+30 more, use /NETSPLIT to show all of them)
03:06 -!- Netsplit over, joins: Magiobiwan, ronnocol, propheticsquiddy, mallxs, Matir_, JackWinter, svg, rob0, xMopxShell
03:06 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
03:07 -!- Netsplit over, joins: riddle, emid, joshh20-Away, SquirrelCZECH, n2deep, pcdummy, seba, simcop2387
03:07 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
03:09 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
03:09 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
03:11 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
03:11 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
03:11 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
03:11 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
03:11 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
03:11 -!- eZpl0it [~eZpl0it@193.234.224.171] has joined #openvpn
03:11 -!- early [~early@192.241.198.49] has joined #openvpn
03:11 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
03:11 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
03:11 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
03:11 -!- antihero [~antihero@37.139.5.204] has joined #openvpn
03:11 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
03:11 -!- auldeksam [~quassel@unaffiliated/themaskedlua] has joined #openvpn
03:11 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
03:11 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
03:11 -!- mete [~mete@91.247.253.160] has joined #openvpn
03:11 -!- ServerMode/#openvpn [+o vpnHelper] by leguin.freenode.net
03:12 -!- mode/#openvpn [+o krzee] by ChanServ
03:12 -!- Cr4zi3 [killaz@staff.xbins.org] has quit [Excess Flood]
03:16 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
03:18 -!- Aketzu [akolehma@kelvin.aketzu.net] has joined #openvpn
03:18 -!- alexw_ [~textual@unaffiliated/alexw] has joined #openvpn
03:18 -!- ronnocol [~lance@mail.monkeymental.com] has quit [Ping timeout: 276 seconds]
03:20 -!- alexw_ [~textual@unaffiliated/alexw] has quit [Client Quit]
03:23 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
03:25 -!- _FBi [B@i.use.pentoo.when.ihack.in] has joined #openvpn
03:32 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
03:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:38 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
04:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
04:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
04:02 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
04:02 < Inst> well this is awesome
04:02 < Inst> i'm tunneled into openvpn through a PPTP proxy
04:02 < Inst> 10/10 would try again, but it suggests it's definitely custom firewalling on my side
04:03 < Inst> !obfs
04:03 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
04:03 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
04:11 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
04:23 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
04:29 -!- getup [~textual@r1.sensson.net] has joined #openvpn
04:30 < getup> hi, i have a public network on eth0, a private network on eth1 (10.1.1.0) and openvpn runs on 10.2.1.0. When I'm connected to it I can reach the internet and the openvpn range, but I can't access the range on eth1, I'm obviously missing something but I'm not sure what. Any pointers?
04:30 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:33 < getup> http://pastebin.com/uESJsSPK is the current config
04:47 -!- getup [~textual@r1.sensson.net] has quit [Ping timeout: 240 seconds]
04:55 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:03 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 246 seconds]
05:11 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
06:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:47 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
06:58 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
06:58 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
06:58 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
07:10 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
07:11 -!- qwertyoruiop [~hax@93.174.90.31] has joined #openvpn
07:12 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 276 seconds]
07:34 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
07:58 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
07:59 -!- monsti [~i@m11s12.vlinux.de] has joined #openvpn
08:00 < monsti> hi
08:00 < monsti> are there some devs around here? i think i found a bug
08:20 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 1.0-dev]
08:21 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
08:46 < Aketzu> monsti: what kind of bug?
08:47 < monsti> ticket 399 in track
08:47 < monsti> a win 8.1 issue with register-dns
08:48 < monsti> stupid crazy M$ engeneers added a strict permission handling for this in  win 8.1
08:48 < monsti> openvon runs with no evelated permissions some cmd line based postscripts ... also the /registerdns option ... so it needs to be fixed :(
08:52 < Aketzu> so you have your own route-up script?
08:52 < monsti> no it's a different thing
08:52 < monsti> it's the windows only register-dns command
08:53 < monsti> i might add a patch, because i doubt the openvpn dev's are on win 8.1 machines...
08:54 < Aketzu> I don't remember seeing that on my Win8.1 laptop
08:54 < monsti> you might need no reigster-dns ;) but i need it for my setup
08:55 < Aketzu> I do DNS registration serverside
08:55 < monsti> i rely on an ancient "hardware router" :(
08:56 < monsti> i am the only win 8.1 user and i have to be clever ... or reinstall win 7
08:57 < Aketzu> I don't even get those Start net commands... things
08:57 < Aketzu> is it default or some specific config?
08:58 < Aketzu> and which openvpn version
08:58 < monsti> most recent
08:58 < monsti> again
08:58 < monsti> the vpn is started
08:58 < monsti> it works
08:58 < monsti> and i can call the registerdns in an admin console
08:59 < monsti> but (!) the autocall of register dns (via the register-dns config parameter) fails
08:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
09:01 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Read error: Connection reset by peer]
09:02 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:07 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:24 < Aketzu> monsti: how does ipconfig execution differ from route.exe or net.exe execution... they work
09:24 < Aketzu> (since you looked at the code already)
09:49 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
09:52 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: AF_INET -> AF_INET6]
09:53 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
10:19 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
10:20 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
10:23 -!- joshh20-Away is now known as joshh20
10:27 -!- justinzane [~justinzan@64.234.62.62] has quit [Ping timeout: 252 seconds]
10:28 -!- justinzane [~justinzan@64.234.62.62] has joined #openvpn
10:33 < monsti> Aketzu: no idea why there is no elevation - i'll check this in a few hours
10:35 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:35 < pekster> monsti: Elevation to what? Any of the system calls after you launch openvpn will inherit its running context
10:36 < pekster> Since it needs to do things like touch routes (in almost all usecases anyway) this effectively means you have to run openvpn in an 'Administrator' elevated context
10:37 < SCHAAP137> it pbly has to do with flushing the ARP table and setting a custom gateway IP for a network adapter
10:37 < SCHAAP137> try it in non-admin mode and see where it fails
10:37 < pekster> Except that from a rounting standpoint, gateways are not "adapter-specific"
10:38 < pekster> A routing table is consulted until there is a match. If there isn't, it'll continue to any other routing tables that advanced routing sends it to (NFI how that works on Windows.) Failing all of that, you can't route it
10:57 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:02 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
11:03 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
11:04 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
11:11 -!- _FBi [B@i.use.pentoo.when.ihack.in] has quit [Ping timeout: 258 seconds]
11:30 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:38 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
11:44 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:52 <+s7r> hey is it possible to generate a CA valid for a single domain name?
11:53 <+s7r> using easy-rsa or whatever?
11:54 < pekster> Nope, a CA will be trusted for anything it signs. Of course, you're free to simply only sign requests from a particular domain
11:54 -!- roentgen [~irc@openvpn/community/support/roentgen] has joined #openvpn
11:54 -!- roentgen [~irc@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
11:55 < pekster> There are some standards like DANE and certificate-pinning that allow website owners who control their DNS to add additional layers of security, but these aren't widely supported and have their own management overhead
11:55 <+s7r> pekster yeah, i know. i just wanted an approach to the users importing it in their browser to be assured that it won't be used for a particular domain name
11:56 <+s7r> DANE is not a standard yet. i mean it's not supported by everything
11:56 < pekster> They don't have that. Basically, when you install a CA into a modern browser, it's explicitly trusted as the "ultimate" resource. And this is why things like DANE et al are such a big deal, becuase the "worst" CA could sign a cert for google and really mess things up
11:56 <+s7r> and what's the plan for DANE to repalce TLS/SSL and commercial CAs or just to add an additional layer of security?
11:57 < pekster> An additional layer. Basically the website has some DNS glue that says "I am only to be trusted if you get a cert that is signed by _this_ CA"
11:57 <+s7r> so it will work in parallel with the current ssl/tls and commercial CAs
11:57 <+s7r> ?
11:57 < pekster> That way some evil/compromised CA can't sign an otherwise-valid cert for a domain they shouldn't. Welcome to what's wrong with the global CA structure
11:57 < pekster> Right
11:58 <+s7r> got it
11:58 < pekster> In your case, you either need a "globally trusted" cert from a reseller, or put your own internal CA on all clients
11:58 <+s7r> how advanced DANE development is ?
11:58 < pekster> Not at all ;)
11:59 < pekster> http://tools.ietf.org/wg/dane/
11:59 <@vpnHelper> Title: Dane Status Pages (at tools.ietf.org)
11:59 < pekster> It's still an IETF working-group project
11:59 <+s7r> right now, google uses cert signed by themsevels google INC. if someone doing MITM between me and google has a valid cert signed by Godaddy, then my browser will not return any error
11:59 <+s7r> ?
11:59 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
11:59 < n13l> TLSA / dns-sec is available atleasts here in czech republic
12:00 < pekster> huh? Google (for me anyway) has a cert signed by the "GeoTrust Global CA"
12:00 < pekster> Google is not a root-CA
12:00 <+s7r> ah no i ment gmail.com - sorry
12:00 < pekster> I'm on gmail.com
12:00 <+s7r> anyway doesn't matter, the point standds
12:00 < pekster> GOogle did not "sign their own cert"
12:01 < pekster> accounts.google.com is signed by "Google Internet Authority G2" which is signed by the root-CA "GeoTrust Global CA"
12:01 < pekster> The G2 cert is an intermediate
12:01 <+s7r> yeah you are right i was looking at something else.
12:01 <+s7r> anyway it doesn't matter, i got the point
12:01 < pekster> But yea, if the owner there is evil, they could sign a cert for say hotmail.com
12:02 <+s7r> you are right this is what is wrong with current CA systems
12:02 < pekster> Your browser would happily accept it
12:02 <+s7r> why ar theese CAs to be trusted anyway? because they have fancy names? can't they be compromised?
12:02 <+s7r> it's too much power to third parties
12:02 <@Eugene> Yup, the system sucks. That's why openvpn doesn't use it.
12:02 < pekster> "Because there's no better system in place yet"
12:03 < pekster> Get involved with the current standards groups if you have ideas ;)
12:03 <+s7r> yeah openvpn uses self generated CAs
12:03 <+s7r> at least it's safer
12:03 <+s7r> nobody can impersonate you
12:03 < pekster> That, and you don't allow something like "All users who are customers of GeoTrust Global" to connect to your VPN
12:03 <+s7r> if someone with a legal warrant wants to impersonate gmail.com to get my account, they can do it by just sending a fax to CA to issue a cert and MITM me
12:04 <+s7r> at least in openvpn arhitecture, nobody can do this
12:04 < pekster> In practice, I doubt that happens; google has other ways to hand over data besides issuing bad certs. (though other companies may have worse morals)
12:05 < pekster> It's against google's interest to have accepted certs that aren't theirs floating around
12:10 -!- troyt [~troyt@c-67-161-211-139.hsd1.ut.comcast.net] has quit [Quit: AAAGH!  IT BURNS!]
12:11 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
12:14 -!- roentgen [~quassel@openvpn/community/support/roentgen] has joined #openvpn
12:23 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
12:29 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
12:29 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
12:41 -!- roentgen [~quassel@openvpn/community/support/roentgen] has quit []
12:52 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
13:09 -!- monsti [~i@m11s12.vlinux.de] has left #openvpn []
13:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
13:22 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
13:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
13:54 -!- valentt [~valent@208-207.dsl.iskon.hr] has joined #openvpn
13:54 < valentt> hellou
13:55 < valentt> I'm having issues with tcp connection freezes/hangs when cat-ing a long log file or when coping over ssh files...
13:55 < valentt> same issue as this guy - http://serverfault.com/questions/488893/how-do-i-prevent-tcp-connection-freezes-over-an-openvpn-network
13:55 <@vpnHelper> Title: vpn - How do I prevent TCP connection freezes over an OpenVPN network? - Server Fault (at serverfault.com)
13:55 -!- u0m3 [~u0m3@92.80.87.128] has joined #openvpn
14:03 < valentt> server is openvpn 2.2.1 and client is 2.3.2
14:03 < valentt> both linux
14:18 -!- infinitum [~infinitum@df-001f-1a30-0005.10ge.i6.sungai.nl] has left #openvpn ["Leaving"]
14:19 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
14:21 < pekster> Sounds a bit like MTU problems. Maybe try a sledge-hammer approach like adding `--link-mtu 1200` to both ends? If that fixes it, you probably need to fix the ultimate cause, but that's a somewhat quick way to hide the problem
14:29 -!- valentt [~valent@208-207.dsl.iskon.hr] has quit [Ping timeout: 276 seconds]
14:31 -!- roentgen [~none@openvpn/community/support/roentgen] has quit []
14:33 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 252 seconds]
15:06 -!- joshh20 is now known as joshh20-Away
15:07 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
15:16 -!- Eugene [eugene@badcryp.to] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:16 -!- Netsplit *.net <-> *.split quits: troyt
15:19 -!- Eugene [eugene@badcryp.to] has joined #openvpn
15:21 -!- mode/#openvpn [+o Eugene] by ChanServ
15:23 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:25 -!- Netsplit over, joins: troyt
15:26 -!- valentt [~valent@222-28.dsl.iskon.hr] has joined #openvpn
15:26 < valentt> pekster: thanks, will do that
15:35 < valentt> scp still hangs and needs over minute to finish copying 250k file after it shows 100% done... really strange
15:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
15:37 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:40 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Ping timeout: 276 seconds]
15:50 -!- Guest8853 [~antix@unaffiliated/malfy] has joined #openvpn
15:53 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:54 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
15:59 -!- valentt [~valent@222-28.dsl.iskon.hr] has quit [Ping timeout: 240 seconds]
15:59 < roentgen> !heartbleed
15:59 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
15:59 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
16:37 -!- joshh20-Away is now known as joshh20
16:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
17:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:04 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
17:04 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
17:04 < asturel> hi, i have a network which allows only http (maybe proxied?) is it possible to use openvpn if they use proxy?
17:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:06 < asturel> hmm i see https://openvpn.net/index.php/open-source/documentation/howto.html#http
17:06 <@vpnHelper> Title: HOWTO (at openvpn.net)
17:11 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:34 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
17:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 276 seconds]
17:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
18:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
18:01 -!- goeo_ is now known as minetape
18:01 -!- minetape is now known as goeo_
18:12 -!- goeo_ is now known as goeo_sleeping
18:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:41 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
18:48 < mikeybs> hi all, I'm running an openvpn server on debian wheezy x64 behind a router with 1194 udp forwarded to it, I'm using a "push route" so clients can connect to the server LAN, all was working fine, I then replaced the router with a pfsense router and server LAN connectivity is not working correctly... I can ping all the hosts on the server LAN from a client, but I can't ssh to them or connect to their web servers etc... UNLESS I begin pin
18:48 < mikeybs> ging the host on server LAN from the client and then while the ping is running I am able to ssh to that host or open web pages on its web server
18:48 < mikeybs> bizarre...
18:48 < mikeybs> anyone have any ideas?
18:53 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
18:57 < pekster> Sounds like a badly screwed up firewall
19:02 < mikeybs> yeah, I'm certainly pointing my finger at it.... but it's a pretty basic setup, just a few port forwards and I added a static route for the openvpn client network, aside from what is happening with my openvpn setup firewall is working perfectly
19:03 < mikeybs> I replaced my stock verizon fios home router with the pfsense box...
19:04 < mikeybs> I just figured I'd ask in here since the issue only affects openvpn, even though it is clearly a router configuration issue.... wondering if anyone might have any idea what setting(s) might cause such behavior and not affect anything else
19:06 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
19:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:34 -!- oceanquake [~quassel@pool-108-31-73-29.washdc.fios.verizon.net] has joined #openvpn
19:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:36 < oceanquake> Hello all, just wanted to know, if I use chroot directive in my server conf file, do I have to put things like certificate-related files in the chroot target, or are they just read at startup?  There will be no client-specific configurations.
19:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:38 < pekster> You'll need at minimum these files avialable in the chroot: --crl, --ca, --log[-append], --status, and of course any script files
19:38 < pekster> You also won't be able to HUP unless you put the key/cert files in the chroot, or use some of the --persist options
19:39 < pekster> I don't think the --dh param is read from disk each time, but you'll want to check that one
19:39 < oceanquake> ok, I guess if I want to use syslog, I'll have put a syslog socket in the chroot as well
19:40 < oceanquake> s/have/have to/
19:40 < pekster> That should just work; syslog(3) is a system call
19:46 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
19:46 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Max SendQ exceeded]
19:47 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
19:47 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Max SendQ exceeded]
19:53 < oceanquake> Hmm: http://openvpn.net/index.php/open-source/documentation/howto.html indicates ca is not necessary on server side machine?
19:53 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:54 < oceanquake> "Keep the root key (ca.key) on a standalone machine without a network connection"
19:55 < oceanquake> nevermind, confusing cert and key
20:02 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
20:02 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Max SendQ exceeded]
20:11 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
20:11 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Max SendQ exceeded]
20:39 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 245 seconds]
20:44 -!- oceanquake [~quassel@pool-108-31-73-29.washdc.fios.verizon.net] has quit [Changing host]
20:44 -!- oceanquake [~quassel@unaffiliated/oceanquake] has joined #openvpn
20:45 -!- chrisballinger [~chrisbal@108-78-250-169.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
20:46 -!- BenLue [NoMail@unaffiliated/benlue] has quit [Ping timeout: 252 seconds]
20:52 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
21:02 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Remote host closed the connection]
21:02 -!- Inst [~aleph@unaffiliated/inst] has quit [Ping timeout: 252 seconds]
21:06 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Quit: ZOMBIES!]
21:25 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
21:27 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Quit: Ciao]
21:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:44 -!- chrisballinger [~chrisbal@108-78-250-169.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Leaving.]
21:50 -!- chrisballinger [~chrisbal@108-78-250-169.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
21:52 -!- master_of_master [~master_of@p4FF2426B.dip0.t-ipconnect.de] has joined #openvpn
21:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:55 -!- master_o1_master [~master_of@p4FF24D94.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
21:57 -!- chrisballinger [~chrisbal@108-78-250-169.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Leaving.]
22:02 -!- delerium_ [~delerium_@modemcable248.201-203-24.mc.videotron.ca] has joined #openvpn
22:03 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
22:42 -!- joshh20 is now known as joshh20-Away
22:49 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
22:57 -!- chrisballinger [~chrisbal@108-78-250-169.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
23:02 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
23:18 -!- chrisballinger [~chrisbal@108-78-250-169.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Leaving.]
23:31 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
23:31 < Inst> hai
23:32 < Inst> does anyone know how to set a socks password in the openvpn config file?
23:32 < Inst> or is that not natively supported?
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:34 -!- chrisballinger [~chrisbal@c-76-126-160-147.hsd1.ca.comcast.net] has joined #openvpn
23:37 < Inst> there's a known openvpn bug i can't get around
23:37 < Inst> is there a way to specify a username password in the openvpn config files for socks proxies?
23:45 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
23:50 -!- ShadniX [dagger@p5481D08D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:51 -!- ShadniX [dagger@p5DDFEB94.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun May 04 2014
00:02 < Inst> okay, found it
00:02 < Inst> have to create an authfile
00:03 -!- chrisballinger [~chrisbal@c-76-126-160-147.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
00:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer]
00:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:21 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
00:40 -!- Inst [~aleph@unaffiliated/inst] has quit [Ping timeout: 250 seconds]
00:48 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
00:50 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
00:50 -!- mode/#openvpn [+o krzee] by ChanServ
01:12 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
01:24 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
01:24 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:24 -!- mode/#openvpn [+o krzee] by ChanServ
01:25 -!- oceanquake [~quassel@unaffiliated/oceanquake] has quit []
01:45 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:50 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has joined #openvpn
02:10 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:16 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has joined #openvpn
02:39 -!- goeo_sleeping is now known as goeo_
02:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:06 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 252 seconds]
03:08 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
03:19 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
03:20 < Inst> does anyone know how to improve openvpn performance?
03:20 < Inst> for some reason i'm getting 1000 second pings
03:20 < Inst> is this TCP vs UDP related?
03:20 < Inst> 1000 ms pings
03:34 < Aketzu> I get 3ms pings
03:34 < Aketzu> want to tell more about your setup?
04:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:33 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
04:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:47 < Inst> obfsproxy
04:47 < Inst> 3ms pings seem unnatural, though
04:47 < Inst> beijing -> rus VPS
04:48 < Inst> ping to server is about 400 ms, ping from server is 600-2500 ms
04:48 < Inst> avg 800
04:49 < Aketzu> I have ethernet/fiber in both ends and probably ~50km wire distance so 3ms is pretty normal :)
04:50 < Aketzu> are you running openvpn on tcp or udp?
04:51 < Aketzu> both are equally fast but if there is packet loss then tcp will have very long pings
04:53 < Inst> tcp over obfsproxy
04:53 < Inst> i don't think you can run udp through obfsproxy, unfortunately
04:55 -!- getup [~textual@dhcp-077-251-206-162.chello.nl] has joined #openvpn
04:59 < getup> hi, when a client connects to the openvpn server it gets an ipv6 address, but i need to manually run the ip -6 neigh command, is there a way to get the IP that was assigned to the client and execute it automatically?
05:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:07 < Aketzu> route-up script (or similar) should get it as environment variable
05:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:25 < getup> thanks, i'll have another look at that
05:25 -!- getup [~textual@dhcp-077-251-206-162.chello.nl] has quit [Quit: Textual IRC Client: www.textualapp.com]
05:45 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has left #openvpn ["irsii"]
06:34 -!- zck [~j@unaffiliated/zck] has joined #openvpn
06:34 < zck> hi there guys
06:34 < Aketzu> hi
06:35 < zck> !welcome
06:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
06:35 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:35 < zck> !goal
06:35 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:36 < zck> !route
06:36 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
06:37 < zck> !howto
06:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
06:45 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 250 seconds]
06:46 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
06:50 -!- joshh20-Away is now known as joshh20
06:52 -!- Poster|x [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
06:55 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Ping timeout: 240 seconds]
07:24 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 252 seconds]
07:30 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
07:34 -!- valentt [~valent@222-28.dsl.iskon.hr] has joined #openvpn
07:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:14 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
08:16 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 250 seconds]
08:16 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
08:29 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has joined #openvpn
08:53 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
08:59 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
09:06 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
09:13 < Dry_Lips> !welcome
09:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:13 < Dry_Lips> !howto
09:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:26 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:34 -!- Fusl [~Fusl@unaffiliated/fusl] has joined #openvpn
09:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:36 -!- Fusl [~Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
09:52 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
09:58 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:58 -!- mode/#openvpn [+v s7r] by ChanServ
10:00 -!- goeo_ is now known as dan|el
10:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
10:09 -!- dan|el is now known as goeo_
10:10 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:19 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
10:20 < asturel> i cant use openvpn with password auth?
10:23 < pekster> !authpass
10:23 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
10:29 -!- goeo_ is now known as howto
10:30 -!- howto is now known as goeo_
10:36 < delerium_> Hi ... I got OpenVPN working.  Server A have a internet IP (reachable to everyone) and it's running the OpenVPN Server.  Server B is a Win2012 running the client on my home network.  Connection if working fine.  Is it possible to route incoming traffic from server A to Server B ? (ie: have a webserver on my home server)
10:47 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 264 seconds]
10:52 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
10:54 < Aketzu> yes
10:55 < Aketzu> I would put apache/nginx as reverse proxy on server A and forward only needed URLs to server B
10:55 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Quit: ZNC - http://znc.in]
10:55 < pekster> That has the obvious disavantage of sever B seeing _all_ inbound connections coming from server A's VPN IP, not the real IP, otherwise you can do that
10:56 < pekster> That fails with SSL of course, unless you don't mind terminating the SSL on the `A` system
10:56 < Aketzu> there is X-Forwarded-For which works in most cases
10:57 < pekster> Not with SSL, no, becuase a proxy needs to send the request itself
10:57 -!- joshh20 is now known as joshh20-Away
10:57 < pekster> You don't get to muck with headers when the request is encrypted from the client. Unless of course you're simply routing it, not proxying it
10:58 < delerium_> Thanks guy for the answer.. I'll read them in a few... just got paged :(
10:58 < pekster> There are 3 basic options here. 1) Route it in from `A` to `B`, and set up policy routing on `B` to send VPN-originating traffic back
10:58 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
10:59 < Aketzu> I wonder if windows can do policy routing :)
10:59 < pekster> 2) Route from `A` to `B` and redirect all outbound Internet-traffic from `B` back to `A` (read !redirect)
10:59 < pekster> 3) proxy the requets, and in the case of SSL, this means terminating them on `A` (a possible security problem)
11:00 < pekster> delerium_: The sane thing to do here is just send clients directly to B and don't mess with a VPN, which avoids all 3 solutions above ;)
11:01 < pekster> Aketzu: Yea, no idea. The "IAS" flavor of servers might do it, but the "RRAS" junk is really painful in Windows last I looked. There's a reason people run a variety of Unix-alikes as routers, not Windows :P
11:02 < Aketzu> I have a feeling that B is firewalled, NATted and dhcp
11:02 < pekster> IPv6 then
11:02 < delerium_> Aketzu, Good feeling ;)
11:02 < pekster> Grab a tunnel broker, and it even works behind NAT+dhcp if you sign up wtih sixxs as they have a utility to handle that. OpenVPN works too if you provide v6, but you run it yourself then
11:03 < pekster> v4 NAT overloading is a 2-decade old hack we're (still!) recovering from
11:03 < Mathias> a
11:03 < Mathias> err
11:09 -!- zck [~j@unaffiliated/zck] has quit [Quit: Leaving]
11:19 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
11:20 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:26 -!- ChrisH [~dg7pc@dslb-088-076-096-141.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
11:28 -!- ChrisH [~dg7pc@dslb-088-078-146-133.pools.arcor-ip.net] has joined #openvpn
11:33 -!- Hes [AHO65@tunkki.fi] has quit [Ping timeout: 240 seconds]
11:37 < Haigha> hi, is there a way to (not) use client-to-client on only one client?
11:38 < pekster> Nope. That directive impacts how the server handles VPN-to-same-VPN traffic. Even if you use --push-reset in a ccd file, the client could just add it in and skip the firewall
11:38 < pekster> What you want to do is remove that option, push the route to clients you want to have it, and firewall normally
11:40 < Haigha> thanks :)
11:42 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 250 seconds]
11:42 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
11:44 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:48 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
11:48 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
11:49 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:52 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
11:58 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 240 seconds]
12:22 < delerium_> pekster, Aketzu:  Thanks for taking the time to answer.  Basically, I was just toying with openVPN and was wondering if it was possible.  If I want to host a website, I'll put in directly on Server A. ;)
12:22 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
12:22 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
12:32 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:41 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
12:46 < Dry_Lips> Hi... I'm following a tutorial in order to set up openvpn on my vps, but I must be doing something wrong, because when I restart openvpn the daemon fails to start... syslog: http://pastebin.com/HVEWziu0    server.conf: http://pastebin.com/2XK313rt
12:46 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
12:48 < pekster> There is no dns entry for "server."
12:48 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
12:48 < pekster> Line is a typo: you have the `server` directive twice
12:48 -!- delerium_ [~delerium_@modemcable248.201-203-24.mc.videotron.ca] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <-]
12:48 < pekster> Careful with such a high keepalive too; that will break most stateful UDP firewalls
12:49 < Dry_Lips> thanks a lot... silly me, there's always something I'm overlooking ;-)
12:50 < Dry_Lips> thanks for the advice pekster, I'll lower the keepalive
12:51 < pekster> I'd recommend no higher than 60, and TBH values between 10 and 30 are probably better
12:51 < pekster> try `--keepalive 10 120` as a good starting point
12:51 < Dry_Lips> ok, will do! :)
12:52 < Dry_Lips> first time I'm setting up openvpn, so I bet there's a few pitfalls
12:53 < pekster> The reason for --keepalive is 2-fold: 1) it keeps stateful firewalls open, which usually have timeouts set to between 1 and 5 minutes. 2) it allows either end (client or server) to know if the remote end suddenly closed connectivity
12:55 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
12:58 < Dry_Lips> hey pekster, firewalls isn't my strong side... does these iptables rules look allright to you? This is the tutorial I've been following ---> http://d.stavrovski.net/blog/post/how-to-install-and-set-up-openvpn-in-debian-7-wheezy#set-up-fwall
12:58 <@vpnHelper> Title: How to install and set-up OpenVPN in Debian 7 (Wheezy) - The Worst Website - Stavrovski.Net (at d.stavrovski.net)
12:59 -!- joshh20-Away is now known as joshh20
12:59 < pekster> Since that guide is not using iptables-restore(8) to load rules it's implicitly wrong and I won't even review it
13:00 < pekster> Calling `iptables` is slow, non-atomic, and ripe with problems. Plus every sane distro has a frontend using iptables-restore(8) anyway
13:00 < Dry_Lips> right...
13:01 < pekster> You'll probably have more success with firewall questions in #Netfilter. I do have some samples you can learn from, although followup is probably better there for general assistance with firewalling. My samples: https://github.com/QueuingKoala/netfilter-samples
13:01 <@vpnHelper> Title: QueuingKoala/netfilter-samples · GitHub (at github.com)
13:02 < Dry_Lips> Many thanks... I'll have a look at those samples! :)
13:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:02 < pekster> You can start with something like my rules-edge-router, but you'll have to make adjustments for the VPN network too in the filter/FORWARD chain. I'm in #Netfitler too, so feel free to pop in (a number of other experts hang out too)
13:04 < Dry_Lips> Yeah, I've already joined #Netfilter, I'll definitively idle there from now on!
13:06 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:14 -!- valentt [~valent@222-28.dsl.iskon.hr] has quit [Read error: Connection reset by peer]
13:35 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:38 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:39 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:46 -!- rustem is now known as raphael
13:46 -!- raphael is now known as rustem
13:47 -!- rustem is now known as jegudiel
13:55 -!- jegudiel is now known as rustem
14:01 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
14:16 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 255 seconds]
14:18 -!- asturel [~asturel@unaffiliated/asturel] has quit [Remote host closed the connection]
14:19 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
14:27 -!- mikeybs [~michael@rrcs-208-125-126-218.nys.biz.rr.com] has joined #openvpn
14:29 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
14:34 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:40 -!- mikeybs [~michael@rrcs-208-125-126-218.nys.biz.rr.com] has quit [Ping timeout: 264 seconds]
14:45 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
14:50 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
15:01 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
15:22 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
15:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
15:26 -!- indy [~indy@shadow.kastnerove.cz] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:28 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
15:39 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Quit: mikeybs]
15:43 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
15:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:14 -!- Guest8853 [~antix@unaffiliated/malfy] has quit [Ping timeout: 252 seconds]
16:15 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
16:15 -!- mikeybs [~michael@cpe-108-183-6-91.nycap.res.rr.com] has joined #openvpn
16:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:18 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:43 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
16:47 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
16:50 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
16:53 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
17:06 -!- mikeybs [~michael@cpe-108-183-6-91.nycap.res.rr.com] has quit [Quit: mikeybs]
17:10 -!- codehero is now known as bugslayer
17:11 -!- bugslayer is now known as BugSlayer
17:11 -!- BugSlayer is now known as codehero
17:19 -!- mikeybs [~michael@cpe-108-183-6-91.nycap.res.rr.com] has joined #openvpn
17:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
17:22 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
17:22 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:22 -!- mikeybs [~michael@cpe-108-183-6-91.nycap.res.rr.com] has quit [Client Quit]
18:12 -!- justinzane [~justinzan@64.234.62.62] has quit [Ping timeout: 252 seconds]
18:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:24 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:26 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:27 -!- alexw [~textual@unaffiliated/alexw] has left #openvpn []
18:30 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
18:35 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
18:39 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 252 seconds]
18:46 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
19:01 -!- justinzane [~justinzan@host-69-59-81-83.nctv.com] has joined #openvpn
19:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:45 -!- plugwash [~plugwash@97e03ff4.skybroadband.com] has joined #openvpn
19:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 265 seconds]
20:07 -!- joshh20 is now known as joshh20-Away
20:19 < plugwash> !heartbleed
20:19 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
20:19 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
20:26 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
20:30 < plugwash> anyone have a ballpark figure for how long it's likely to take to generate a 4096 bit prime for dh?
20:31 < pekster> A while. Quite frankly, you're better off using 2048 bit keys everywhere and coming up with a way to roll issued certs more frequently
20:31 < pekster> !hardening
20:31 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
20:40 <@krzee> =a few hours
20:42 < pekster> IMO 4096 verses mid-2000's for a keysize is as silly as adding a tinfoil hat to your security scheme. YMMV.
20:43  * plugwash wonders if using power of two keysizes is just a convention or has some reason behind it
20:45 < pekster> My current gpg key is 3072 bits. It's a balance between decryption/handshake time against threat and how long you plan to use it
20:47 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
20:52 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:54  * pekster offers obscure-openssl-feature SSL_CTX_set_tmp_dh_callback(3) as the Library Call Of The Night
20:56 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
21:06 < pekster> krzee: Interesting, I'm not well-versed on the possible pitfalls, but since OpenVPN uses SSL_OP_SINGLE_DH_USE (that causes a new DH key to be generated each TLS negotiation) it seems that use of -dsaparam to the `dhparam` call can speed up generation significantly. The parameter exponent is lower as a result, so that option flag is mandatory for security
21:07 <@krzee> the generation time does not bother me, it is a 1-time process
21:07 < pekster> Sure, I'm more curious about the crypto internals of yet-another-obscure-library option :P
21:07 < rob0> ROT-26
21:08 <@krzee> ahh sure
21:08  * krzee hands rob0 a beer
21:08 <@krzee> !beer
21:08 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
21:08 < rob0> thanks, don't mind if I do!
21:09 < pekster> wow: openssl dhparam -dsaparam -out dh4096 4096  10.75s user 0.03s system 99% cpu 10.870 total
21:09 < pekster> Note that I'm not advocating its use without careful review of the security implications, but.. :)
21:10 <@krzee> i wonder if syzzer could add anything to this conversation
21:10 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
21:12 < rob0> What more do we need? You, me and the pekster, plus all the beer we can virtually drink!
21:12 <@krzee> actually vim literally drinking, and smoking
21:12 <@krzee> s/v//
21:12 < pekster> Well, someone who's spent more than 10 minutes reviewing these keys might be nice. Although after another 4 beers I might care less; better wait until Friday though :P
21:13 <@krzee> haha sounds like pekster is literally drinking too
21:13 <@krzee> better get some beer rob!
21:14 < rob0> yup, on it
21:14 <@krzee> this should be a fun place to get help in 2 hours :D
21:14 < rob0> Oh I'll be out before that. I have a busy week coming up.
21:16 <@krzee> well ill be hammered, and according to my clock so will Eugene, and it sounds like pekster is on his way too
21:16 <@Eugene> I'm behind today, but I do need to poop, so it's a great time to get a freshie
21:17 <@Eugene> Also, I'll be driving along the I-90 corrider from Chicago to Seattle around Memorial Day-ish.
21:17 <@Eugene> If anybody is on that line, holla
21:18 < rob0> I'll be performing at SELF (Southeast LinuxFest), Charlotte, NC, June 20-22
21:20 < pekster> Another fun fact: s_server in openssl (as of 1.0.1g, apps/s_server.c:217) uses a _512_ bit DH key
21:21 < pekster> Probably unwise to connect to things you care about if you'll be exchanging login info that way without providing a stronger key
21:24 < pekster> 512 bits and hardcoded. But I'm sure they haven't been hacked!
21:25 < raspberrypifan> anoyne use vpnbook
21:29 <@Eugene> I'm really glad that openssl etc are getting a serious look-through
21:29 <@Eugene> Only 20 years overdue
21:30 <@krzee> rob0, you gunna video it?
21:33 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Ping timeout: 240 seconds]
21:37 < pekster> Eugene: Well, in this case the s_server app probably isn't (we hope) used by anyone to exchange credentials; I'm more surprised that when even MTAs aiming to handle the most broken other MTAs out there are using 1024 as a minimum, s_client sticks with 512
21:37 <@Eugene> "Because fuck you, that's why."
21:38 < pekster> lower DH than X509 keypairs reduce effective security, so negotiating 2048 bit (or 4096) with 512 reduces effective security to 512. From a well-published group :P
21:41 < pekster> Eugene: oh, it's okay. That manpage says they "were generated verifiably pseudo-randomly." :D
21:41 < pekster> #include warm-fuzzy-feelings.h
21:42 < pekster> At least this advice is sound: "The generation of DH parameters during installation is therefore recommended."
21:43 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
21:43 -!- mode/#openvpn [+o krzie] by ChanServ
21:44 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
21:44 -!- krzie is now known as krzee
21:52 -!- master_o1_master [~master_of@79.215.186.41] has joined #openvpn
21:54 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
21:55 -!- master_of_master [~master_of@p4FF2426B.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
22:06 < rob0> krzee, SELF records all of them on video.
22:07 < rob0> I've done presentations each of the previous 3 years, also.
22:08 <@krzee> oh i'll have to check them out
22:10 < rob0> hehe, yes, when you're ready for bed, I will put you to sleep! :)
22:11 <@krzee> what do you talk on?
22:11 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
22:12 < rob0> Postfix and spam, last 3. DNSSEC this time, "The Joy of DNSSECs" (if they approve it, have not seen the schedule.)
22:13 < rob0> will be a really low-end intro to DNSSEC
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
22:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:25 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:32 -!- mode/#openvpn [+v s7r] by ChanServ
22:32 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:33 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:35 <@krzee> i think ill like them
22:35 <@krzee> ill let you know
22:38 -!- plugwash [~plugwash@97e03ff4.skybroadband.com] has quit [Remote host closed the connection]
22:40 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
22:40 < _FBi> aloha
22:46 -!- mode/#openvpn [+v _FBi] by krzee
22:46 <@krzee> bienvenidos
22:46 <+_FBi> comos sta bitches
22:46 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
22:47  * _FBi sports guy chest bumps krzee 
23:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Read error: Connection reset by peer]
23:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
23:07 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 252 seconds]
23:07 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
23:08 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Ping timeout: 252 seconds]
23:09 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:22 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
23:26 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
23:26 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:26 -!- mode/#openvpn [+o krzee] by ChanServ
23:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-ktzxxewiuapygiut] has quit [Ping timeout: 264 seconds]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:34 -!- trolley [~trolley@1.156.83.254] has joined #openvpn
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:35 < trolley> !welcome
23:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:36 < trolley> !goal
23:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:37 < trolley> !howto
23:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
23:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-xwkqwicgcdnhjhbo] has joined #openvpn
23:37 < trolley> !route
23:37 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
23:37 <@vpnHelper> client
23:39 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has joined #openvpn
23:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
23:40 < trolley> !redirect
23:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
23:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:48 -!- ShadniX [dagger@p5DDFEB94.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:49 -!- ShadniX [dagger@p5DDFE6E3.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon May 05 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:46 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has quit [Ping timeout: 240 seconds]
00:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
00:51 -!- goeo_ is now known as hax
00:59 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
01:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:43 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
02:51 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 240 seconds]
02:51 -!- trolley [~trolley@1.156.83.254] has quit [Ping timeout: 276 seconds]
03:02 -!- pnielsen_ [~pnielsen@li301-93.members.linode.com] has joined #openvpn
03:12 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 246 seconds]
03:54 -!- roger_rabbit [~roger_rab@unaffiliated/roger-rabbit/x-7769789] has joined #openvpn
04:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:19 -!- zifxify [~zifxify@176.62.136.225] has joined #openvpn
04:19 -!- wink [fhtagn@unaffiliated/winkiller] has joined #openvpn
04:21 < wink> hi, I got kind of a weird problem here. Debian client/Ubuntu server (both 2.2.1) can't copy files >=1250b, sounds like MTU issue. ip link says 1500, unless I put tun-mtu 1400 (which the server also has) but that doesn't fix it. It worked last week and I am out of ideas
04:27 < Aketzu> anything in client+server logs?
04:29 -!- samael [~earendil@multivac.valis-e.com] has quit [Quit: Changing server]
04:31 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
04:31 -!- mode/#openvpn [+o dazo_afk] by ChanServ
04:31 -!- dazo_afk is now known as dazo
04:33 < wink> Aketzu: no, nothing that screams error. only if I set fragment/mssfix
04:33 < wink> and I didnt have that in the past either
04:34 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
04:35 < wink> apart from  WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400) - which I didn't set actually
04:38 < wink> oh, tun-mtu 1200 on the client actually seems to fix it despite the warnings on the server. fixes the symptoms, but I am not any wiser
04:40 < Aketzu> did you try mtu-test ?
04:40 < Aketzu> I've seen a few very broken networks where I needed really low mtu
04:41 < wink> but the mac is near me, same network
04:41 < wink> why woudl it break over the weekend
04:41 < wink> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1437,1389] remote->local=[1437,1437]
04:41 < wink> but as I said, fragment/mssfix totally break it
04:42 < wink> tun-mtu 1200 helpe with the problem, despite:
04:42 < wink>  'link-mtu' is used inconsistently, local='link-mtu 1442', remote='link-mtu 1242' 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1200'
04:42 < wink> off for lunch. still happy for ideas in the backlog :)
04:44 -!- zifxify [~zifxify@176.62.136.225] has quit []
04:45 -!- dazo is now known as dazo_afk
04:45 -!- dazo_afk is now known as dazo
04:57 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
05:04 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
05:42 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 245 seconds]
05:49 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
06:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
06:00 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
06:29 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:29 < eristisk> Hi all, I think I have run into this bug here https://community.openvpn.net/openvpn/ticket/328
06:29 <@vpnHelper> Title: #328 (openvpn client gives up instead of retrying when proxy server is slow) – OpenVPN Community (at community.openvpn.net)
06:30 < eristisk> I try to proxy via SOCKS proxy on localhost and openvpn fails VERY quickly, giving this error:
06:30 < eristisk> recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
06:41 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:34 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
07:44 -!- u0m3_ [~u0m3@92.80.87.128] has joined #openvpn
07:47 -!- u0m3 [~u0m3@92.80.87.128] has quit [Ping timeout: 240 seconds]
07:47 -!- u0m3_ is now known as u0m3
07:59 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
08:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:08 -!- livelace [~livelace@94.199.74.142] has joined #openvpn
08:08 -!- Inst [~aleph@unaffiliated/inst] has quit [Read error: Connection reset by peer]
08:09 -!- Inst [~aleph@unaffiliated/inst] has joined #openvpn
08:10 < wink> to add to my former problem, this also seemed to work: link-mtu 1400 which yields: 'link-mtu' is used inconsistently, local='link-mtu 1442', remote='link-mtu 1400' 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1358' - but when I set link-mtu 1442 to remove the warnigns, I can't scp anymore
08:10 < livelace> Hello. Why OpenVPN not connect to next server (with multiple --remote options), if --client-connect return 1 on first server in list ?
08:14 -!- Inst [~aleph@unaffiliated/inst] has quit [Ping timeout: 240 seconds]
08:14 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 264 seconds]
08:15 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
08:17 < livelace> Wow. Find in Changelog:
08:18 < livelace> Don't advance to the next connection profile on AUTH_FAILED errors.
08:22 -!- justinzane [~justinzan@host-69-59-81-83.nctv.com] has quit [Ping timeout: 252 seconds]
08:23 <@ecrist> livelace: because if the authentication failed, what's the point in connecting to the next server?
08:24 < livelace> O_o
08:27 < livelace> For example:
08:27 < livelace> Some servers exist in world. Servers connect to database for authentication. One server lost link with database, but other can working.
08:30 <@ecrist> if you don't like it, submit a patch. :)
08:31 < livelace> Multiple servers - important advantages of Openvpn. And he has to try until it reaches success.
08:31 <@ecrist> if the server loses DB connection, don't return auth failed
08:32 <@ecrist> or do something like using ldap instead, and run local ldap instances
08:32 < livelace> Ok. Next example:
08:34 < livelace> I do not want that user can connect to specified server, I want that  try all servers and connect to white listed
08:34 <@ecrist> non-enabled servers shouldn't be in that users server list
08:34 < livelace> Ha-ha
08:36 < livelace> You suggest me that I change configuration files all users ?
08:36 <@ecrist> you suggest we modify the source for every user in the world just because you're a shitty vpn manager?
08:38 < livelace> ecrist, Where I suggest anything ?
08:38 <@plaisthos> livelace: feel free to write a patch that signal TEMPORARY_AUTH_FAILURE that tells the client to mark that remote as unavailable
08:39 <@ecrist> let's say you provide a VPN service, and provide those configs to your users.  those configs should ONLY contain servers they have access to.
08:39 <@ecrist> it'd be easy enought to auto-generate configs based on a set of rules
08:40 < livelace> ecrist, You have already shown their abilities, thanks.
08:40 <@ecrist> what?
08:40 < livelace> plaisthos, Ok, thanks.
08:42 <@plaisthos> livelace: A warning before. The connection managing stuff changed between 2.3 and 2.4 and also you need to think to keep backward compatbility when implementing the feature to have any canche to get your patch accepted
08:43 <@plaisthos> there is already some logic in OpenVPN for marking connections disabled
08:43 <@ecrist> a --continue-after-auth-fail option would probably be the best course
08:44 < livelace> plaisthos, More detail about logic,please ? Management interface ?
08:45 <@plaisthos> livelace: as in --proto-force udp|tcp
08:46 <@plaisthos> also --query-management-remote
08:46 <@plaisthos> also that probably won't help you here
08:47 < eristisk> ecrist: plaisthos: Any idea about bug #328, or my error?
08:47 < eristisk> recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
08:47 < livelace> plaisthos, not my case, thanks :)
08:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
08:50 <@plaisthos> eristisk: without looking at the bug, iirc the timeout for the initial socks connection is 5 or 10 seconds
08:51 < eristisk> plaisthos: Well I guess it's not long enough.  Can I raise it with a config option in my conf file?
08:51 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:51 -!- mode/#openvpn [+v s7r] by ChanServ
08:53 <@plaisthos> eristisk: no it is hardcoded
08:54 < eristisk> So... is there any other way past this error?
08:54 <@plaisthos> there is a patch floating around to make it configurable
08:54 <@plaisthos> eristisk: not without changing the source code if that is your problem
08:55 < eristisk> I would imagine more people would have this problem when trying to proxy an OpenVPN connection via Tor
08:55 < eristisk> Rather, I'm not sure how anyone would get it to work at all otherwise
08:56 <@plaisthos> I have on my todo list to introduce a connection timeout that cover the whole connect to connection established instead of all these mini timeouts
08:56 <@plaisthos> but no eta on that
08:56 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:16 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 -!- EvilRoey [~roey@flame-n.senet-int.com] has quit [Read error: Connection reset by peer]
09:20 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
09:21 -!- miruoy [~quassel@d51A44BA8.access.telenet.be] has quit [Remote host closed the connection]
09:24 -!- Wolfbutt [~quassel@sona-gaming.com] has quit [Remote host closed the connection]
09:28 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
09:30 -!- Jeroen52 [~quassel@sona-gaming.com] has joined #openvpn
09:34 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
09:36 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
09:39 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:45 -!- digilink [~weechat@unaffiliated/digilink] has joined #openvpn
09:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:52 < digilink> what's the best way to assign static addresses to clients? I have a subnet declared for OpenVPN as 10.16.100.0/24 and will have about 7-10 servers connecting to it and would like to statically assign addresses, but I am not sure the best way to do it? I've read about ipp.txt and the ccd directory, but there seems to be some conflicting issues. For instance, I only have one client connected currently, and it
09:52 < digilink> got assigned an address of 10.16.100.6, yet ipp.txt shows 10.16.100.4
09:54 -!- justinzane [~justinzan@67.21.190.20] has joined #openvpn
09:54 -!- Bainwa [~benoits@195.88.84.152] has left #openvpn []
10:11 -!- ChrisH is now known as Guest52273
10:11 <@krzee> !static
10:11 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
10:11 -!- ChrisH__ [~dg7pc@dslb-188-109-004-204.pools.arcor-ip.net] has joined #openvpn
10:11 <@vpnHelper> also: !addressing
10:11 <@krzee> !ipp
10:11 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
10:12 <@krzee> !net30
10:12 -!- Guest52273 [~dg7pc@dslb-088-078-146-133.pools.arcor-ip.net] has quit [Ping timeout: 264 seconds]
10:12 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:12 <@krzee> digilink, ^^^
10:13 < digilink> !topology
10:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:16 < digilink> @krzee thank you, the topology subnet statement seems to be what I was missing :)
10:17 <@krzee> np =]
10:27 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has joined #openvpn
10:27 -!- ChrisH__ is now known as ChrisH
10:27 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:29 < gac> quick question (while lacking some details, i need to collect logs etc) - has anyone noticed any unreliability with windows 8.1 following any recent updates? seeing a couple of instances of TAP drivers failing to come up during Route:/TEST ROUTES in the past few days?
10:41 -!- _Tassadar [~tassadar@D57DEE42.static.ziggozakelijk.nl] has joined #openvpn
10:41 < _Tassadar> hi
10:41 < _Tassadar> why does openvpn open the udp/49955 port?
10:42 < _Tassadar> this is in client mode, even
10:44 <@plaisthos> _Tassadar: because it needs to open a port for udp
10:45 -!- mode/#openvpn [-o plaisthos] by ChanServ
10:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:50 < _Tassadar> ... ofcrz lol
10:51 < _Tassadar> yeah i understand
10:51 < _Tassadar> thanks and excuse the n00b question
10:51 -!- _Tassadar [~tassadar@D57DEE42.static.ziggozakelijk.nl] has left #openvpn ["next time, a smarter question ;)"]
10:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:01 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:26 < reiffert> http://www.whoismcafee.com/the-mcafee-guide-to-uninstall-mcafee/
11:26 <@vpnHelper> Title: The McAfee guide to uninstalling McAfee Antivirus | John McAfee (at www.whoismcafee.com)
11:36 -!- Synthead [~max@m972036d0.tmodns.net] has joined #openvpn
12:10 <@ecrist> !love
12:10 <@ecrist> krzee: can you add this, please:
12:10 <@ecrist> !learn love as http://secure-computing.net/files/zebra.jpg
12:10 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
--- Log closed Mon May 05 12:19:44 2014
--- Log opened Mon May 05 14:29:58 2014
14:29 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
14:29 -!- Irssi: #openvpn: Total of 218 nicks [8 ops, 0 halfops, 3 voices, 207 normal]
14:29 -!- mode/#openvpn [+o ecrist] by ChanServ
14:29 -!- Irssi: Join to #openvpn was synced in 1 secs
14:30 <@ecrist> da fook?
14:30 <@ecrist> !love
14:30 <@vpnHelper> "love" is http://secure-computing.net/files/zebra.jpg
14:30 <@ecrist> :D
14:33 <+s7r> is it a common practice for ISPs to block max. allowed simultaneous connections? I mean, isn't the same consumption for them to have a client having 1 connection of 1 MB/s or 10 connections of 100 KB/s each, isn't it the same for them? does it make any sense to block max. allowed simultaneous connections?
14:34 < cransom> definitely not common
14:36 < cransom> they could have decided to put you through a traffic shaping device which could limit that, but, again, no reason they'd limit that unless they are paranoid about p2p or ddos traffic or something
14:37 <+s7r> culd be
14:37 <+s7r> could be ..
14:37 <+s7r> i am asking this in the context where i run at a datacenter a Tor exit router
14:37 <+s7r> making over 1500 circuits simultaneous and 200 - 300 GB per day traffic
14:38 <+s7r> and i realised now the server has no more than 500 simultaneous connections
14:38 < cransom> 500 simultaneous isn't really all that interesting for an isp
14:41 <+s7r> hmm
14:41 <+s7r> i don't think it makes any sense to throttle that
14:42 <+s7r> if they want to limit anything they cap bandwidth
14:50 -!- joshh20-Away is now known as joshh20
14:57 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
14:59 -!- MoPac [~MoPac@unaffiliated/mopac] has joined #openvpn
15:03 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Remote host closed the connection]
15:04 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
15:04 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
15:04 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
15:04 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
15:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:08 -!- MoPac [~MoPac@unaffiliated/mopac] has quit [Ping timeout: 240 seconds]
15:13 < roger_rabbit> hey, so I've done some googling and have hit a wall trying to configure something really simple... perhaps I am using the wrong search terms... there are too many results for SSH server while  connected to VPN.
15:14 < plaisthos> !goal
15:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:14 < roger_rabbit> basically I just want to be able to continue to have the ability to SSH into my server, while routing the traffic (other than the SSH ) over the VPN
15:15 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:15 < roger_rabbit> is there perhaps a guide that someone might have handy which would be applicable
15:25 < rob0> Oh. That's not simple, but depending on OS, might be doable.
15:25 -!- bb0x [~bb0x@89.123.105.121] has joined #openvpn
15:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
15:27 < bb0x> hi guys, I have a openvpn server using an older version ... it looks it doesn't allow more than 5 clients to be connected simultaneously
15:27 < bb0x> do you have any idea what may be configured wrong ?
15:27 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Read error: Connection reset by peer]
15:27 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
15:29 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Client Quit]
15:29 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
15:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:32 < roger_rabbit> rob0: thanks, I am fairly skilled with networking what I want to do is super easy to setup with openWRT, but proving to be more difficult on a full fledged debian install
15:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:35 < bb0x> any ideas to my question ? thanks
15:36 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 264 seconds]
15:43 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
15:45 < reiffert> guys, I need you to watch this
15:45 < reiffert> http://www.whoismcafee.com/the-mcafee-guide-to-uninstall-mcafee/
15:45 <@vpnHelper> Title: The McAfee guide to uninstalling McAfee Antivirus | John McAfee (at www.whoismcafee.com)
15:49 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has quit [Ping timeout: 252 seconds]
15:50 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has joined #openvpn
16:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Read error: Connection reset by peer]
16:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
16:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:04 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
16:04 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Client Quit]
16:09 -!- Synthead [~max@m972036d0.tmodns.net] has quit [Ping timeout: 246 seconds]
16:11 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
16:13 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:15 < bb0x> found it, it looks ifconfig-pool 10.2.0.4 10.2.0.16 was too small
16:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:17 < pekster> bb0x: Try the 'subnet' topology and you avoid the 75% address space waste. Read at:
16:17 < pekster> !topology
16:17 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:18 < bb0x> pekster, thanks, I'll take a look ... it seems to be supported since I'm running openvpn-2.1.1-2.el5
16:19 < bb0x> for now I change the ifconfig-pool from 0.4 to 0.64
16:20 < bb0x> I have only 10 users
16:24 < pekster> subnet works on >=2.1, but why use a version over 4 years out of date? :\
16:25 < plaisthos> pekster: the el5 part
16:25 < bb0x> :) and also works for what I need ... never think to update it
16:25 < pekster> repoforge
16:26 < pekster> But if it works and you don't need any new features, I supose
16:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
16:27 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Write error: Connection reset by peer]
16:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:27 -!- mode/#openvpn [+v s7r] by ChanServ
16:27 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
16:27 < bb0x> it works fine, the only problem I had was that only 5 users were able to connect simultaneously, checking the config it looks the poll of IPs was too small
16:38 < lfx> !heartbleed
16:38 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
16:38 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
16:38 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
16:48 -!- u0m3_ is now known as u0m3
16:54 < rob0> roger_rabbit, sorry for the incomplete answer earlier. You need "policy routing" and the howto is at LARTC.org.
16:56 -!- Synthead [~max@m972036d0.tmodns.net] has joined #openvpn
16:56 < bb0x> good night
16:57 -!- bb0x [~bb0x@89.123.105.121] has left #openvpn ["Leaving"]
16:59 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
17:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
18:09 -!- ralphtice [~ralphtice@cpe-72-182-88-26.austin.res.rr.com] has joined #openvpn
18:09 < ralphtice> !welcome
18:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:10 < ralphtice> !route
18:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:10 <@vpnHelper> client
18:15 < Left_Turn> !tcpip
18:15 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
18:16 < Left_Turn> nice bot:)
18:16 < ralphtice> hmmmm, what's the name for when i want to map a CIDR to account for overlapping private ranges ?
18:16 < pekster> Insane?
18:17 < pekster> You can play with dirty hacks like --client-nag, but every time you use it, 3 kittens die
18:17 < pekster> --client-nat that is
18:17 < ralphtice> if i have two 10.x networks i can't map clients to 172.x each way ?
18:17 < pekster> 10.x? As in 10/8?
18:17 < pekster> !randomsunet
18:17 < ralphtice> i'm doing a migration from ec2 classic to vpc :(
18:18 < pekster> 1) do not use giant subnets like 10/8. You really have no need for 256^3 hosts on a network. 2) use _random_ subnets when you need to route, or at least unpopular ones
18:18 < pekster> !randomsubnet
18:18 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
18:18 < ralphtice> the ec2 classic side is effectively 10/8, vpc i control, but i have other private networks that make it compelling to use 10.x
18:18 < pekster> Ugh. NAT-hack the shit out of it then :\
18:21 < ralphtice> if 'NAT-hack' is the proper terminology, any references on it for openvpn?  also, i only really need this to be one direction...
18:22 < pekster> The one I gave you
18:22 < pekster> It's basically  just a "builtin bi-directional NAT" method
18:22 < pekster> (and it's an awful, dirty hack, but that's what you apparently need.)
18:22 < pekster> Also, IPv6 fixes your problem, but AWS is alergic to it
18:24 < ralphtice> sorry, which one did you give me ? i only see the scarydevilmonastery link
18:24 < ralphtice> oh, --client-nat ?
18:24 < pekster> Right
18:25 < ralphtice> hah, it is even labeled nathack in wiki https://community.openvpn.net/openvpn/wiki/NatHack
18:25 <@vpnHelper> Title: NatHack – OpenVPN Community (at community.openvpn.net)
18:31 -!- Synthead [~max@m972036d0.tmodns.net] has quit [Read error: Connection reset by peer]
18:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:38 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 252 seconds]
18:43 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
18:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:03 -!- digilink [~weechat@unaffiliated/digilink] has quit [Quit: WeeChat 0.4.3]
19:22 -!- rulezzz [~rulezzz@189-211-115-121.dynamic.axtel.net] has joined #openvpn
19:24 -!- rustem is now known as jonmudaklol
19:24 -!- jonmudaklol is now known as rustem
19:29 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 250 seconds]
19:33 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
19:40 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:50 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:56 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
19:59 -!- joshh20 is now known as joshh20-Away
20:04 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 245 seconds]
20:08 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
20:08 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
20:15 -!- jave [~jave@h-235-102.a149.priv.bahnhof.se] has quit [Ping timeout: 264 seconds]
20:22 -!- ralphtice [~ralphtice@cpe-72-182-88-26.austin.res.rr.com] has quit [Quit: ralphtice]
20:25 -!- ngharo [~ngharo@nexus.sypherz.com] has quit [Ping timeout: 245 seconds]
20:30 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
20:38 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 246 seconds]
20:47 -!- busch [~busch@datenschleuder.com] has joined #openvpn
20:52 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:57 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
21:05 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
21:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
21:33 < roger_rabbit> rob0: thanks!
21:47 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
21:52 -!- master_of_master [~master_of@p4FD7B5A7.dip0.t-ipconnect.de] has joined #openvpn
21:55 -!- master_o1_master [~master_of@79.215.186.41] has quit [Ping timeout: 258 seconds]
22:08 <@krzee> !nathack
22:08 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
22:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:25 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:34 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
23:33 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
23:48 -!- ShadniX [dagger@p5DDFE6E3.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:49 -!- ShadniX [dagger@p5481D382.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue May 06 2014
00:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
00:34 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
00:41 -!- rulezzz [~rulezzz@189-211-115-121.dynamic.axtel.net] has quit [Quit: Leaving]
00:45 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
01:16 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
01:22 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
01:23 -!- makara [~makara@41.164.22.218] has joined #openvpn
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:41 -!- mattock is now known as mattock_afk
01:48 -!- mattock_afk is now known as mattock
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:24 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 264 seconds]
02:30 -!- livelace [~livelace@94.199.74.142] has joined #openvpn
02:32 < livelace> plaisthos, Thanks, I send to client control message "TEMPORARY_AUTH_FAILURE" and now user reconnect to next server in list. :)
03:10 -!- f0cker [~f0cker@unaffiliated/f0cker] has quit [Ping timeout: 240 seconds]
03:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:32 -!- wink [fhtagn@unaffiliated/winkiller] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
03:48 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
03:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
04:09 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
04:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:25 -!- trolley [~trolley@nichol76.lnk.telstra.net] has joined #openvpn
04:28 -!- svg [~svg@hydargos.ginsys.net] has left #openvpn []
04:30 < trolley> Hello all. Is there a simple tutorial available for newbies?
04:44 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
04:44 < Aketzu> did you read http://openvpn.net/howto
04:50 -!- Netsplit *.net <-> *.split quits: yoavz, AsadH, tapout, Fruckiwacki, Intensity, outofbounds
04:51 -!- dos-freak [leecher@zentarim.0wnz.at] has quit [Ping timeout: 240 seconds]
04:51 -!- Netsplit over, joins: yoavz
04:57 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
04:59 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:14 < trolley> Aketzu, I found the HOWTO very confusing.
05:14 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
05:24 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
05:28 < Aketzu> trolley: what do you want to achieve
05:28 -!- justinzane [~justinzan@67.21.190.20] has quit [Remote host closed the connection]
05:30 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:33 < trolley> Aketzu, I am just trying out the static key mini howto. We are trying to set up a VPN at a local business so a technician can log into a piece of machinery to make some changes.
05:35 < Aketzu> teamviewer is easier
05:38 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
05:39 < trolley> yes, but teamviewer does not do the networking we need to do.
05:43 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:54 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
05:56 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
06:11 -!- trolley [~trolley@nichol76.lnk.telstra.net] has quit []
06:23 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
06:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
06:45 -!- makara [~makara@41.164.22.218] has quit [Quit: Leaving]
06:47 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
06:49 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
06:49 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
06:49 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 258 seconds]
06:50 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 258 seconds]
06:52 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
06:56 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:59 -!- livelace [~livelace@94.199.74.142] has quit [Quit: Leaving]
07:01 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
07:10 -!- dazo_afk is now known as dazo
07:10 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
07:11 -!- VunKruz [~hhhh@24-205-8-187.dhcp.mtpk.ca.charter.com] has quit [Ping timeout: 252 seconds]
07:30 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
07:46 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
07:46 < v0lZy> Hello
07:47 < v0lZy> I have a question for the windows openvpn client
07:47 < v0lZy> I understnad it installs a tap driver and copies some files into a destination directory...
07:48 < v0lZy> can the installer be controlled through the command line?
07:52 <@ecrist> I'm not sure.  What are you wanting to do?
07:53 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
07:54 < Proshot> guys i have a problem, i am trying to revoke clients access to a my vpn server, but i encounter this problem https://gist.github.com/anonymous/0c01093641458163347e
07:54 <@vpnHelper> Title: revoke problem (at gist.github.com)
07:56 -!- Intensity [Iqewdyrkvi@unaffiliated/intensity] has joined #openvpn
07:57 < reiffert> gues ssomething went wrong with yours Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
07:57 < Proshot> oke reiffert but what could i do about it
07:57 < Proshot> i am kinda new in the openvpn arena
07:58 < v0lZy> ecrist: i want to automate the install
07:58 < v0lZy> i found a page
07:58 < v0lZy> but /S doesnt seem to wokr
07:58 < v0lZy> http://justcheckingonall.wordpress.com/2013/03/11/command-line-installation-of-openvpn/
07:59 < reiffert> Proshot: paste contents of your vars and openssl-1.0.0.cnf file
07:59 <@ecrist> v0lZy: mattock would be a better one to ask.  He's responsible for the windows installer
07:59 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
08:01 <@mattock> v0lZy: did you try 2.3.4 or 2.3.3?
08:01 < v0lZy> actually
08:01 <@mattock> or something else entirely
08:01 < v0lZy> got a silent install now
08:01 < v0lZy> i was using pfsense's package...
08:01 <@mattock> ok
08:01 < v0lZy> problem thoughk, it asks me to install the tap driver...
08:01 < v0lZy> wonder if theres a way to prevent that
08:02 <@mattock> in the official installers the tap-windows driver is in it's own, separate NSIS installer
08:02 <@mattock> maybe that installer is not silent, or the "be silent" flags are not passed on to it
08:02 <@mattock> not sure
08:03 < v0lZy> hm
08:04 < v0lZy> i just downlaoded from http://openvpn.net/index.php/download/community-downloads.html
08:04 <@vpnHelper> Title: Community Downloads (at openvpn.net)
08:04 < v0lZy> Windows Installer 64-bit
08:04 < v0lZy> i didnt get a separate file for tap
08:06 < Proshot> reiffert, i pasted a link to you in private to the files
08:06 < reiffert>  there is no sensitive information in it. I'd go for pasting it in the channel
08:08 < reiffert> to me these two files look pretty standard and unmodified right?
08:08 < reiffert> can you compare them with your backup or something?
08:08 < Proshot> i think so yes, i did not modify them
08:09 < Proshot> ehm a backup no not realy, i just set this up then left it alone and now i want to revoke some certificate, but the server running openvpn was offline for most of the time
08:09 < Proshot> but what i do have is multiple openssl files
08:10 < reiffert> openssl.cnf files you mean?
08:10 < Proshot> yes
08:10 < Proshot> the 0.9.8 and the 0.9.6
08:10 < reiffert> hmm. diff them
08:10 < reiffert> diff -u old new
08:10 < Proshot> with the 1 version
08:11 < reiffert> yeah
08:13 < reiffert> root@MediaServer:/etc/openvpn/easy-rsa# ./revoke-full FFMB10
08:13 < reiffert> Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
08:13 < reiffert> unable to load certificate
08:14 < reiffert> I think it would try to load /etc/openvpn/easy-rsa/keys/FFMB10.crt and ca.crt from the same place
08:14 < Proshot> https://gist.github.com/anonymous/ef804ef4de1bb7289cd1 the diff link https://gist.github.com/anonymous/ef804ef4de1bb7289cd1
08:14 <@vpnHelper> Title: diff different openssl config versions (at gist.github.com)
08:14 < _bt> <v0lZy> problem thoughk, it asks me to install the tap driver... << this is a windows prompt isn't it? not an installer one
08:14 < reiffert> can you check if they are at this place?
08:15 < reiffert> the diff looks okay to me ..
08:15 < v0lZy> vpnHelper: yes, I think its a windows prompt.. not sure how to disable it
08:15 < _bt> i dont think you can
08:15 < _bt> because it is a driver install
08:16 < Proshot> they are both in the keys directotry reiffert
08:17 < reiffert> hmmm...
08:18 <@ecrist> v0lZy: vpnHelper is a bot.
08:19 < v0lZy> sorry, i ment _bt :D
08:19 < reiffert> Proshot: edit revoke-full and add
08:19 < reiffert> "set -x" as the 2nd line
08:19 < reiffert> then run it again
08:20 < v0lZy> hm... _bt so it cant be installed remotely without user intervention?
08:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:21 < _bt> the TAP adapter probably cannot
08:22 < Proshot> no luck reiffert, but i was wondering where is revoke-full looking for that certificate
08:23 < v0lZy> hm
08:23 < v0lZy> guess that needs manual setup then... oh well.
08:23 < v0lZy> another quesiton, not strictly openvpn
08:23 < v0lZy> anyone know how to use plink to communicate with openvpn.. i need to make it wait or something
08:23 < reiffert> Proshot: having set -x should give you some more debug output right?
08:23 < v0lZy> right now i get the prompt but plink i think is too fast.
08:23 < Proshot> yes
08:23 < Proshot> let me paste it reiffert
08:23 < v0lZy> it probbably sends commands before it finishes
08:24 < Proshot> reiffert, https://gist.github.com/anonymous/589a3d2ab7d05e84d6e6 debug information
08:24 <@vpnHelper> Title: sex -x debug to revoke-full (at gist.github.com)
08:25 < reiffert> allright so
08:25 < reiffert> openssl ca -revoke FFMB10.crt -config /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
08:25 < reiffert> this fails
08:25 < reiffert> glad we have nailed it down :)
08:26 < reiffert> could you do me a favor and paste ls -al /etc/openvpn/easy-rsa/keys/FFMB10.crt
08:26 < reiffert> I have a slight feeling it's an empty file
08:30 < reiffert> you could also try openssl ca -verbose -revoke FFMB10.crt -config /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
08:31 < reiffert> and if that doesnt help ...
08:31 < Proshot> oke
08:31 < Proshot> let me do that reiffert
08:31 < reiffert> strace -f -s1024 -o/tmp/out openssl ca -verbose -revoke FFMB10.crt -config /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
08:31 < reiffert> and paste /tmp/out
08:33 < Proshot> you are correct its an empty file the FFMB10.crt
08:33 < reiffert> ouch.
08:33 < reiffert> guess you are unable to revoke it then.
08:33 < reiffert> back to "you dont have a backup" right?
08:34 < Proshot> lol, no i don't have it, but what are the implications of that empty FFMB10.crt file
08:34 < reiffert> something or someone made it being an empty file instead of containing a pub certificate
08:35 < reiffert> see ls -al for the latest modification timestamp
08:35 < Proshot> well that would be me, i tried to create the client certificates via a script so i could auto generate a lot of clients
08:36 < reiffert> problem solved then I guess
08:38 < Proshot> yep, i recreated manually again and then i could revoke it
08:38 < Proshot> error 23 at 0 depth lookup:certificate revoked
08:39 < Proshot> that is a good thing :)
08:39 < reiffert> :-)
08:39 < Proshot> thanks reiffert for all the help i have to look over my bash script again
08:40 < reiffert> yw
08:40 < reiffert> send me some stroop waffels and some fla
08:40 < reiffert> Douwe Egberts Espresso would work too
08:40 < Proshot> ah :)
08:41 < reiffert> just recently got some when I was in Belgium on Saturday
08:41 < Proshot> you know a couple of things of the dutch
08:41 < Proshot> oh well the Belgium too i guess :)
08:41 < reiffert> :-)
08:41 < Proshot> but where are you located yourself reiffert
08:41 < reiffert> Close to Wiesbaden next to Frankfurt
08:43 < Proshot> ah, well in that case, you can drive over to the boarders and buy everything you want :)
08:43 < reiffert> :-) End of July hopefully will be another visit
08:43 < reiffert> 24hrs of Spa
08:45 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
08:47 < v0lZy> darn plink
08:47 < v0lZy> can openvpn bi set to listen as ssh ...
08:47 < v0lZy> instead of telnet?
08:48 < Aketzu> management interface?
08:48 < Aketzu> just do ssh port forward
08:48 < Proshot> oke, but spa is Belgium, you should also visit the Netherlands reiffert
08:48 < reiffert> Proshot: been there a couple of years ago to meet some perl monks
08:49 < reiffert> Ton Hospel is one I remember well
08:49 < reiffert> The Hague
08:49 < v0lZy> Aketzu: im trying to bind the managment interface to 127.0.0.1
08:49 < v0lZy> and it does soo
08:49 < v0lZy> but thein i use plink
08:49 < v0lZy> and it connects
08:49 < v0lZy> but i cant type in anything.
08:50 < Proshot> I nice i am in The Hague
08:50 < Proshot> btw this was the script i was using, i found it on github reiffert
08:50 < reiffert> Proshot: one of my geocaching friends was grown up in the Netherlands, she knows all these nice food things :)
08:51 < reiffert> Proshot: oh funny. You might know Ton then :)
08:51 < reiffert> I think he's also in the local unix groups
08:51 < Proshot> ehm i only visit the the local Hackerspace now and then
08:52 < Proshot> but Holland is a big country and there are a lot of Ton's living overhere, but then again perl linux it could be :)
08:52 < Proshot> this was the script i was using reiffert https://gist.github.com/anonymous/7bd15ca69288fdbec306
08:52 <@vpnHelper> Title: multiple clients openvpn script (at gist.github.com)
08:53 < reiffert> Proshot: he's also in Chess and Go
08:53 < Proshot> ah well i was in chess as a child, but that is long long time ago
08:54 < reiffert> From what I remember Ton's been the Belgium junior chess champion back in the days .. 80s maybe
08:54 < reiffert> Proshot: I have no idea about whatsoever bash scripts somebody is shareing somewhere. I'd recommend to do it for yourself.
08:55 < Proshot> ok cool so he is a good one
08:55 < reiffert> didnt see him on irc for some time, would be nice to know if he's doing well
09:03 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
09:32 < Proshot> oke reiffert i found why the script generted an empty certificate
09:32 < Proshot> since the script was not changing the CN so it was not unique anymore
09:33 < Proshot> so i added it to change the CN name in the script
09:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
09:37 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:41 -!- Flats [~Flats@107-0-160-152-ip-static.hfc.comcastbusiness.net] has joined #openvpn
09:42 < Flats> Hello I am running CentOS 6.5 64 bit and just installed openvpn using this guide http://www.servermom.org/how-to-build-openvpn-server-on-centos-6-x/732/. While it configured properly I have a few issues I need help with
09:42 <@vpnHelper> Title: How to Build OpenVPN Server on CentOS 6.x (Install, Setup, Config) (at www.servermom.org)
09:42 < Flats> first, my entire network is 192.168.204.X so I need to be sure I can access that network
09:42 < Flats> I'm not sure where I would set that at
09:44 < Flats> I want to connect to this network from home. My centOS vpn server is on the same network as well
09:45 < Flats> The second issue is since it is just me using the vpn I would like to get the same IP assigned each time I connect with my login name
09:46 < Flats> I did see a tutorial setting up a ccd file and adding an ifconfig-push statement and then in the openvpn.conf file adding a client-config-dir ccd
09:48 < rob0> if it's just you, maybe you want peer mode -- see the 1.x howto and static key howto (you can add in the TLS CA bits if you need forward secrecy)
09:48 < rob0> and I think you are asking about:
09:48 < rob0> !route
09:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:49 < Flats> peer mode sounds good
09:50 < rob0> not sure if you want !serverlan or !clientlan (client/server isn't relevant in peer mode, but routing is similar in any case)
09:50 -!- dimitry7 [~antonello@187.188.84.149] has joined #openvpn
09:52 < Flats> Ijust want access to the 192.168.204.X network from home or mobile or tablet. Just me, nobody else
09:52 < Flats> whichever is the easiest way to do that
09:54 < Flats> Am I looking for peervpn or does openvpn capable of a peer type vpn?
10:03 < v0lZy> im about too shoot my monitor
10:03 < v0lZy> why cant i script the managment consoel via telnet
10:03 < v0lZy> anyone have nay tips on that?
10:05 < rob0> Flats, again, routing is routing.
10:05 < rob0> !serverlan
10:05 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:05 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:06 < rob0> where here "server" means "the peer on the side which has that 192.168.204.0/24 network"
10:07 < Flats> These settings are all done in server.conf I presume?
10:10 -!- outofbounds_ [~outofboun@198.199.109.226] has joined #openvpn
10:10 -!- outofbounds_ is now known as outofbounds
10:21 -!- Flats [~Flats@107-0-160-152-ip-static.hfc.comcastbusiness.net] has quit []
10:26 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
10:28 < tharkun> Good $date, I have this nice little gateway that recieves traffic for most of our users. Problem now is that I need this gateway to connect to a different server as a client. Are there any caveats I should be aware so services are not interrupted?
10:32 < v0lZy> guys
10:32 < v0lZy> really need some help with openvpn managment console
10:32 < v0lZy> i cant for the love of god automate the bastard
10:35 < v0lZy> i can telnet into it and manually send signal SIGTERM to it
10:35 < v0lZy> but in no way can i automate this
10:35 < v0lZy> ideaS?
10:36 -!- justinzane [~justinzan@67.21.190.20] has joined #openvpn
10:38 -!- P4k3 [~P4k3@c-d334e255.026-8-6b6c7810.cust.bredbandsbolaget.se] has quit [Quit: ZNC - http://znc.in]
10:45 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
10:50 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
10:53 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has quit [Quit: Leaving]
10:57 <@dazo> v0lZy: you need to write a script, which connects to the management port and sends the commands and reads the responses.  Won't be that easy and you need some programming skills
10:59 <@dazo> tharkun: really hard to say, as it depends on your config/setup and your expectations ... watch out for routing tables, that's the thing which really mess up things
10:59 < cransom> if you can manually do it, just wrap it in expect
10:59 < v0lZy> dazo: hehe, i raped it
11:00 < v0lZy> i created a file with 100 lines of 'signal SIGTERM'
11:00 < v0lZy> and then type SIGTERM.txt | plink -raw -P 23000 127.0.0.1
11:00 < v0lZy> and it finally got the message :D
11:00 <@dazo> expect is lame and horrific, esp. when there's a sane API .... but it works for simple stuff
11:00 < v0lZy> yeah, terrible workaround
11:00 < v0lZy> but heh, works :D
11:01 < v0lZy> cransom: on windows here
11:01 < tharkun> dazo: Thanks
11:01 < v0lZy> sigterm i suppose gracefully removes the routes?
11:04 < cransom> dazo: no arguments about it's lameness, but it is functional if you aren't able to fix your current problem properly and need to get onto other things
11:05 <@dazo> v0lZy: sigterm ... doens't that kill your vpn server?  If you wanted to disconnect clients, you should use 'kill' together with the client info
11:05 <@dazo> with sigterm, you could just as well just stopped the openvpn process via the task manager
11:06 <@dazo> cransom: I'm more a developer than a sys-admin ... so I'll never fully understand shortcuts and only able to grasp over-engineered solutions for simple tasks
11:08 < v0lZy> dazo i see
11:10 < v0lZy> dazo: i want to close the tunnel and the application
11:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:10 <@dazo> v0lZy: running as a client?
11:10 < v0lZy> dazo: question is, how do i tell which clients are runnning
11:10 < v0lZy> yeah, running as client
11:10 < v0lZy> what im doing is, remotely triggering openvpn to dial out
11:10 < v0lZy> then sending a signal to kill it.
11:11 < v0lZy> so .. scripting the client to automatically dial out to my server.
11:11 <@dazo> Not sure I understand your setup at all ...
11:11 -!- raidz is now known as raidz_away
11:12 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:12 -!- mode/#openvpn [+v s7r] by ChanServ
11:13 < v0lZy> dazo: think of it as a web service on iis listening for a connection string
11:13 < v0lZy> when it gets a connection string it triggers an openVPN client to go connect to a server
11:14 < v0lZy> then for shutdwon, the web service receives a different connection string
11:14 <@dazo> okay ... why not just disconnect automatically if there's no traffic happening on the link for X seconds?
11:14 < v0lZy> and sends a signal to the managment console the client VPN app is running that shuts the application down, terminating the tunnel
11:14 -!- raidz_away is now known as raidz
11:15 < v0lZy> i dont want to only disconenct it
11:15 < v0lZy> i want to terminate the application as well
11:15 < v0lZy> so far i can do that with signal SIGTERM
11:15 < v0lZy> but im wondering if that sufficiently disables all the routes etc
11:15 < v0lZy> seems to wokr
11:15 < v0lZy> just dont want to launch this and cuk up
11:15 < v0lZy> fuck*
11:15 <@dazo> well, on client side, that can just as well mean terminate (--single-session)
11:16 <@dazo> together with --inactive could solve this
11:18 <@dazo> but yes, stopping openvpn gracefully (sigterm) will make openvpn clean up the routes
11:18 < v0lZy> excellent
11:18 <@dazo> as well as --single-session + --inactive
11:18 < v0lZy> yeah, might use those 2
11:19 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 252 seconds]
11:24 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
11:24 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
11:28 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
11:30 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:51 -!- Denial [Denial@176.250.235.182] has quit []
12:14 < pekster> reiffert: easy-rsa uses a highly customzied openssl config file that you cannot arbitrarly call with openssl
12:14 -!- Denial [Denial@176.250.235.182] has joined #openvpn
12:47 -!- ChrisH [~dg7pc@dslb-188-109-004-204.pools.arcor-ip.net] has quit [Ping timeout: 245 seconds]
12:48 -!- ChrisH [~dg7pc@dslb-088-076-101-114.pools.arcor-ip.net] has joined #openvpn
13:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
13:30 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Quit: v0lZy]
13:30 -!- ananke [~ananke@about/linux/regular/ananke] has joined #openvpn
13:34 < ananke> i'm trying to figure out if it's possible, and if so how, to use multiple authentication methods with openvpn server. to be specific, i'd like to use certificates for a few automated services, and add LDAP authentication for normal users
13:34 < ananke> it seems that once i enable LDAP authentication, my certificate based systems can't connect, because they don't provide ldap credentials
13:52 -!- mikeybs [~michael@cpe-74-70-48-112.nycap.res.rr.com] has left #openvpn []
14:03 <@mattock> ananke: I've used LDAP auth also for devices
14:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:03 <@mattock> I typically store them in ou=Devices,dc=domain,dc=com and just adapt the search filter to search from there as well as from ou=People
14:04 <@mattock> not that this answers your question, but there it is :P
14:19 < ananke> mattock: how do you deal with ldap password?
14:19 <@mattock> ananke: auth-user-pass <password file>
14:19 <@mattock> with strict permissions of course
14:19 < ananke> ahh
14:20 <@mattock> on the password file
14:20 <@mattock> I also use TLS auth key, but that's the standard advise anyways
14:21 < ananke> yeah, i was using that too. i was just hoping i'd avoid having to go through an extra step
14:22 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 276 seconds]
14:22 < ananke> but that may actually work
14:44 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:53 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 252 seconds]
14:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
14:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:59 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:59 -!- joshh20-Away is now known as joshh20
15:16 -!- dazo is now known as dazo_afk
15:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:43 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
15:53 -!- aji [~alex@atheme/member/aji] has joined #openvpn
15:58 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
16:00 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:01 -!- hax is now known as _
16:01 -!- _ is now known as hax
16:02 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
16:05 -!- pentiumone133 [will@173.243.115.75] has quit [Ping timeout: 240 seconds]
16:05 -!- guntha` [~guntha@guntha.thecagedog.com] has quit [Ping timeout: 240 seconds]
16:07 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Ping timeout: 276 seconds]
16:07 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
16:35 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:35 -!- mushroomed [~mushroome@li173-111.members.linode.com] has joined #openvpn
17:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
17:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:22 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-wkwarppjztnfimsp] has quit [Remote host closed the connection]
17:55 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has joined #openvpn
18:05 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
18:10 -!- Fudge [~Rob@static-173-53-104-240.netstablellc.com] has left #openvpn ["irsii"]
18:12 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
18:27 -!- mallxs [~mallxs@84.246.31.190] has quit [Ping timeout: 276 seconds]
18:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:34 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
18:34 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
18:39 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Ping timeout: 252 seconds]
18:40 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
18:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:48 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
19:13 -!- s7r_e [~s7r@openvpn/user/s7r] has joined #openvpn
19:13 -!- mode/#openvpn [+v s7r_e] by ChanServ
19:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Disconnected by services]
19:13 -!- s7r_e is now known as s7r
19:13 -!- mallxs [~mallxs@84.246.31.190] has quit [Read error: Connection reset by peer]
19:22 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
19:29 -!- dimitry7 [~antonello@187.188.84.149] has quit [Ping timeout: 260 seconds]
19:35 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 265 seconds]
20:01 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Ping timeout: 252 seconds]
20:02 -!- joshh20 is now known as joshh20-Away
20:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
20:06 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:10 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
20:20 -!- xup [~xup@unaffiliated/othermth] has joined #openvpn
20:20 < xup> hi, anyway I specify the password for the client using an file?
20:21 -!- xup [~xup@unaffiliated/othermth] has left #openvpn []
20:36 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
20:45 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
20:45 -!- adh0c [~adh0c@li423-165.members.linode.com] has joined #openvpn
20:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
20:55 -!- mallxs [~mallxs@84.246.31.190] has quit [Read error: Connection reset by peer]
21:02 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:06 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
21:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:31 -!- max__ [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
21:31 -!- max__ is now known as Guest33794
21:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
21:52 -!- master_o1_master [~master_of@p4FD7B303.dip0.t-ipconnect.de] has joined #openvpn
21:55 -!- master_of_master [~master_of@p4FD7B5A7.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
22:15 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
22:25 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:33 -!- mode/#openvpn [+v s7r] by ChanServ
22:33 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
23:05 -!- Guest33794 [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
23:08 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:09 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:09 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:10 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:10 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:10 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:10 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:11 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:11 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:11 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:11 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:12 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:12 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:12 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:12 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:12 -!- Guest33794 [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
23:13 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:13 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:13 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:13 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:15 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:15 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:16 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:16 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:16 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:16 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:17 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:17 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
23:17 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:21 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
23:24 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
23:27 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Quit: You shouldn't be seeing this]
23:40 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
23:40 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
23:43 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 246 seconds]
23:47 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
23:48 -!- ShadniX [dagger@p5481D382.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:48 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
23:49 -!- ShadniX [dagger@p5DDFD313.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed May 07 2014
00:08 -!- trolley [~trolley@nichol76.lnk.telstra.net] has joined #openvpn
00:19 -!- trolley [~trolley@nichol76.lnk.telstra.net] has quit [Ping timeout: 252 seconds]
00:34 -!- mallxs [~mallxs@84.246.31.190] has quit [Read error: Connection reset by peer]
00:35 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
00:36 -!- trolley [~trolley@nichol76.lnk.telstra.net] has joined #openvpn
00:37 < trolley> !welcome
00:37 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:37 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:37 < trolley> !howto
00:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:38 < trolley> !forum
00:38 <@vpnHelper> "forum" is (#1) The official OpenVPN support forum is available at http://forums.openvpn.net or (#2) you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
00:39 -!- Guest33794 [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Quit: p33 ba115]
00:40 -!- max__ [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
00:40 -!- max__ is now known as Guest99938
00:42 < trolley> Hello all. I have been looking at the static key mini howto and trying out the sample setup but cannot get it to work. The config files i am using are as per the mini howto, but i cannot ping either the server or the client. Any idea what my next step shoulod be?
00:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
00:57 < trolley> FYI. I turned off firewall completely on both computers and can now ping.
01:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:33 -!- adh0c [~adh0c@li423-165.members.linode.com] has quit [Quit: Leaving]
01:45 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:01 -!- Guest99938 [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Quit: p33 ba115]
02:56 -!- |spathi| [~spathi@chillstage.com] has joined #openvpn
02:56 < |spathi|> hi
02:56 < |spathi|> I have managed installing openvpn on my vps (centos)
02:56 < |spathi|> everything works great
02:57 < |spathi|> how do I add additional accounts that would be able to connect?
02:58 < |spathi|> right now I can connect only with the single account I have on my vps
03:02 -!- trolley [~trolley@nichol76.lnk.telstra.net] has quit []
03:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:15 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
03:15 < Proshot> join #ansible
03:15 < Proshot> sorry
03:15 < Proshot> mornig everybody
03:40 < gac> i don't suppose there is such a thing as a "rebranding" guide? i.e. if I've checked out the source from github, what needs to be changed to make a custom app, which copyrights need to remain, which need to be removed, how to avoid using any proprietary artwork, etc?
03:42 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
03:47 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]
03:52 -!- malc0re_ [mc@unaffiliated/csdsss] has joined #openvpn
03:54 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 245 seconds]
03:56 < malc0re_> hi
03:59 < malc0re_> using ccd and ifconfig-push I can assign static IPs to certain clients, but is it possible to assign them random adresses from given subnet instead?
03:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:59 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
03:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:00 -!- mode/#openvpn [+v s7r] by ChanServ
04:00 < malc0re_> for example I want for client1 to have address from 10.0.1.0/24 while client2 have address from 10.0.2.0/24
04:01 < malc0re_> it's similar to https://openvpn.net/index.php/open-source/documentation/howto.html#policy but in my case I want to have variable number of contractors/system administrators
04:01 <@vpnHelper> Title: HOWTO (at openvpn.net)
04:02 < malc0re_> sure I can run multiple instances of OpenVPN but I don't want to do this if it's not necessary
04:02 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
04:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
04:05 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:12 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has quit [Quit: Leaving]
05:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-xwkqwicgcdnhjhbo] has quit [Ping timeout: 240 seconds]
05:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-vvnodiaxpcdutlsf] has joined #openvpn
05:14 -!- Corey [~Corey@freenode/staff/corey] has quit [Remote host closed the connection]
05:22 -!- Pei [~pei@thinks.outside.theb0x.org] has quit [Ping timeout: 240 seconds]
05:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:43 -!- dazo_afk is now known as dazo
05:59 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
06:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:21 < ACKNAK> !scripting
06:21 <@vpnHelper> "scripting" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
06:42 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:02 -!- lazzer [~mattias@213.132.98.41] has quit [Ping timeout: 252 seconds]
07:15 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
07:18 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:06 -!- ChrisH [~dg7pc@dslb-088-076-101-114.pools.arcor-ip.net] has quit [Ping timeout: 252 seconds]
08:11 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
08:22 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Quit: leaving]
09:08 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
09:09 <@krzee> malc0re_,
09:09 <@krzee> !client-connect
09:09 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
09:09 <@krzee> you can script it up to do anything you want, including random ips
09:09 <@krzee> no idea why youd want that, but yes you can do it =]
09:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:17 < malc0re_> krzee: thank you
09:19 < malc0re_> krzee: it's for some type of exercises in which separate teams operate in different subnets needing different access policies
09:21 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
09:23 <@krzee> ahh. some sort of networking/security class?
09:26 < malc0re_> yes, I don't know number of members in each team so I thought it would be possible to share one key/cert per team
09:26 < malc0re_> but still had to do sth about ip conflicts
09:30 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
09:36 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
10:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
10:13 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
10:18 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:27 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
11:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:05 -!- Guest62618 [~quassel@corkblock.jefferai.org] has quit [Read error: No route to host]
11:09 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
11:13 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
11:17 < esde> !configs
11:17 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:21 <@krzee> !dupe
11:21 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
11:22 <@krzee> !route
11:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
11:22 <@krzee> (if they are on the same lan you can route the lan over the vpn)
11:30 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
11:31 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
11:31 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
11:32 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
11:33 < esde> !openvpngui
11:33 < esde> damn no luck
11:33 < esde> whats the trigger for the official openvpn gui for win?
11:33 < plaisthos> !factoids
11:33 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:33 < plaisthos> !gui
11:33 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
11:34 -!- fred`` [fred@earthli.ng] has joined #openvpn
11:34 < esde> ty plaisthos
11:40 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
11:40 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Read error: Connection reset by peer]
11:40 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:42 < esde> is this an official openvpn link? http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I001-i686.exe
11:43 < plaisthos> !download
11:43 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
11:43 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
11:43 < esde> plaisthos, i know. im trying to understand where the user got that url. he says openvpn.net >  openvpn.org and ended up with that url for download
11:44 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
11:44 < esde> ah it does forward to ,.org
11:51 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:57 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:57 -!- mode/#openvpn [+v s7r] by ChanServ
11:57 -!- SCHAPiE [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
11:58 -!- SCHAPiE [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
12:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:02 <@krzee> esde, yes, as you can see that is the link from the page in !download
12:02 < esde> right
12:02 < esde> was a bit suspicious at first when openvpn.org wouldnt load
12:03 < esde> but after checking the official link, i realized that url is in fact, legit
12:03 < pekster> They're signed with GPG keys too
12:03 < pekster> Once you have a trusted public key, you can just use that to verify future downloads
12:06 -!- xup [~xup@unaffiliated/othermth] has joined #openvpn
12:07 < xup> !heartbleed
12:07 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
12:07 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
12:17 < xup> !cipher
12:23 -!- xup [~xup@unaffiliated/othermth] has quit [Read error: Connection reset by peer]
12:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:32 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
12:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:33 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
12:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:06 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
13:07 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
13:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
13:16 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
13:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:20 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
13:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
13:26 -!- |spathi| [~spathi@chillstage.com] has quit [Ping timeout: 252 seconds]
13:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:35 -!- Rug [~matt@50.115.176.66] has joined #openvpn
13:36 < Rug> I am suffering from a brian fart and need help with routing (I think).  I can connect my client to my server.  Client & server can ping each other.  Client cannot ping LAN.  Which system do I add the route to?
13:37 < rob0> LAN behind the server, I assume?
13:37 < rob0> !serverlan
13:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:37 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:38 < Rug> rob0: yes
13:38 < rob0> The flowchart covers it.
13:54 < Rug> rob0: neither flow-chart is loading, but I don't think I need it.  I have ip-forwarding turned on. and I have added the route (on the server):    route add -net 10.9.8.0 netmask 255.255.255.0 gw 10.9.8.2    but my client still cannot ping 192.168.0.ANY
13:55 < Rug> LAN=192.168.0.x  VPN=10.9.8.x  client=192.168.1.x
13:57 < reiffert> who is Brian?
13:58 < rob0> a flatulent fellow
13:58 < Rug> hehe
13:58 < reiffert> make him fix it
13:58 < rob0> Trust me, you do not want to be sitting next to Brian right now.
14:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
14:32 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
14:33 -!- dazo is now known as dazo_afk
14:33 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
14:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
14:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:39 -!- mode/#openvpn [+v s7r] by ChanServ
14:42 -!- sonOfRa [sonOfRa@btbn.de] has joined #openvpn
14:57 -!- earthian [~ea@gw.uk.fostral.net] has joined #openvpn
14:58 < earthian> wow.. so much work to join an irc channel.. felt like it's 80s again. :/
14:58 < earthian> Hello.
14:58 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 276 seconds]
14:59 < earthian> I am unable to connect to my vpn server. openvpn connect for android gives the following error: OpenVPN core error: PolarSSL: error parsin ca certificate: RSA - Key failed to pass the libraries validity check. What does it mean?
15:00 < earthian> the key is 4kb, ca is certificate of the CA authority, crt is signed by that CA authority too...
15:02 <@Eugene> Is it valid? Check your clocks
15:02 <@Eugene> !factoids search valid
15:02 <@vpnHelper> No keys matched that query.
15:03 <@Eugene> !factoids search keys valid
15:03 <@vpnHelper> No keys matched that query.
15:03 <@Eugene> Useless bot
15:09 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
15:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:11 -!- Synthead [~max@172.56.33.200] has joined #openvpn
15:14 <@krzee> http://pekster.sdf.org/misc/serverlan.png
15:14 <@krzee> works here
15:14 <@krzee> !time
15:14 <@vpnHelper> "time" is if you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
15:14 <@krzee> !certverify
15:14 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
15:19 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:28 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:32 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 258 seconds]
15:34 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
15:34 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
15:34 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
15:37 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:48 -!- rulezzz [~rulezzz@187.244.199.27] has joined #openvpn
16:02 -!- Poster|x [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Read error: Connection reset by peer]
16:03 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
16:09 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:11 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
16:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:13 < earthian> Hi again, the date and time of the device and the server is correct. But I still get "OpenVPN core error: PolarSSL: error parsin ca certificate: RSA - Key failed to pass the libraries validity check". Should I maybe ask PolarSSL instead?
16:14 -!- sonOfRa [sonOfRa@btbn.de] has left #openvpn ["Leaving"]
16:16 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
16:19 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Client Quit]
16:24 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
16:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:26 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Client Quit]
16:27 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
16:29 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
16:29 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Excess Flood]
16:32 -!- BladedThesis [~BladedThe@lamp.whatbox.ca] has joined #openvpn
16:32 -!- BladedThesis [~BladedThe@lamp.whatbox.ca] has quit [Excess Flood]
16:41 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
16:41 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 240 seconds]
16:43 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
16:43 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
16:46 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
16:48 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
16:48 < earthian> Also the log does not show any attempt to connect - looks like the ssl library is not happy with the ca.crt :/
16:56 -!- pgib [~pgib@lmms/pgib] has joined #openvpn
16:56 -!- pgib [~pgib@lmms/pgib] has left #openvpn []
17:12 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:17 -!- earthian [~ea@gw.uk.fostral.net] has quit [Ping timeout: 258 seconds]
17:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:24 -!- BladedThesis [~BladedThe@lamp.whatbox.ca] has joined #openvpn
17:35 -!- BladedThesis [~BladedThe@lamp.whatbox.ca] has quit [Quit: You shouldn't be seeing this]
17:37 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
17:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
17:51 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
17:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:58 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
18:02 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
18:11 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 252 seconds]
18:13 -!- rulezzz [~rulezzz@187.244.199.27] has quit [Ping timeout: 265 seconds]
18:16 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Quit: Bouncing away]
18:17 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
18:20 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
18:23 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:28 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:36 -!- Monotoko [~Monotoko@unaffiliated/monotoko] has quit [Ping timeout: 240 seconds]
18:56 < james41382> What's this business about? -> http://paste.debian.net/98123/
18:56 < james41382> I have updated the firmware twice in a the six months hoping this message would go away, but it still persists. What does it mean exactly?
18:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-vvnodiaxpcdutlsf] has quit [Ping timeout: 252 seconds]
18:58 -!- kirin` [telex@gateway/shell/anapnea.net/x-roftipmipdhlcrmn] has joined #openvpn
19:00 -!- Synthead [~max@172.56.33.200] has quit [Ping timeout: 255 seconds]
19:05 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:05 < james41382> oops wrong channel.. sorry.
19:14 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:19 -!- joshh20-Away is now known as joshh20
19:29 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 265 seconds]
19:30 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
19:35 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:43 -!- hive-mind [pranq@mail.bbis.us] has quit [Remote host closed the connection]
19:44 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
19:49 -!- klein [~klein@unaffiliated/klein] has joined #openvpn
19:51 -!- master_o1_master [~master_of@p4FD7B303.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
19:52 -!- asturel [~asturel@unaffiliated/asturel] has quit [Read error: Connection reset by peer]
19:52 -!- master_of_master [~master_of@p4FD7B303.dip0.t-ipconnect.de] has joined #openvpn
19:53 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
19:58 -!- klein [~klein@unaffiliated/klein] has quit [Ping timeout: 258 seconds]
20:00 -!- Synthead [~max@172.56.33.200] has joined #openvpn
20:06 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 240 seconds]
20:10 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:16 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Remote host closed the connection]
20:20 -!- joshh20 is now known as joshh20-Away
20:43 -!- Synthead [~max@172.56.33.200] has quit [Ping timeout: 255 seconds]
20:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:56 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
20:57 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
21:20 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
21:27 -!- justinzane [~justinzan@67.21.190.20] has quit []
21:29 -!- justinzane [~justinzan@67.21.190.20] has joined #openvpn
21:41 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 240 seconds]
21:41 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
21:42 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
21:53 -!- master_o1_master [~master_of@p4FD7BDA5.dip0.t-ipconnect.de] has joined #openvpn
21:55 -!- Synthead [~max@m862036d0.tmodns.net] has joined #openvpn
21:56 -!- master_of_master [~master_of@p4FD7B303.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
22:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:25 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- Synthead [~max@m862036d0.tmodns.net] has quit [Ping timeout: 255 seconds]
22:33 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:33 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:38 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
22:56 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
23:45 -!- ShadniX [dagger@p5DDFD313.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:45 -!- ShadniX [dagger@p5DDFCD37.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu May 08 2014
00:22 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:42 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
00:44 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:44 -!- mode/#openvpn [+o mattock_afk] by ChanServ
00:44 -!- mattock_afk is now known as mattock
01:16 -!- tunage [~bastard@ool-435339b8.dyn.optonline.net] has joined #openvpn
01:18 < tunage> I cannot connect to my server. google says check network and firewall. all good and firewalls are off. http://paste.ee/p/uDIbZ
01:20 < tunage> http://paste.ee/p/vaiJK  better output
01:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:50 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 264 seconds]
01:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
02:06 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 264 seconds]
02:33 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:10 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
03:12 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
03:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:36 -!- ShadniX [dagger@p5DDFCD37.dip0.t-ipconnect.de] has quit [Quit: Bye.]
03:37 -!- ShadniX [dagger@p5DDFCD37.dip0.t-ipconnect.de] has joined #openvpn
04:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:39 -!- dazo_afk is now known as dazo
04:52 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]
04:57 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
05:12 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
05:20 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has joined #openvpn
05:24 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
05:28 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
05:29 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has quit [Quit: Leaving]
05:31 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:50 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
05:51 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:51 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
05:54 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
05:55 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 252 seconds]
05:55 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 252 seconds]
05:55 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 252 seconds]
05:55 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 252 seconds]
05:55 -!- Verdi [~dagda@ip1.thgersdorf.net] has quit [Ping timeout: 252 seconds]
05:55 -!- mnathani [~mnathani@constance.winvive.com] has quit [Ping timeout: 252 seconds]
05:55 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 252 seconds]
05:55 -!- mnathani1 [~mnathani@constance.winvive.com] has joined #openvpn
05:56 -!- Brando753-o_O_o is now known as Brando753
05:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
06:01 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
06:04 -!- master_of_master [~master_of@p4FD7BDA5.dip0.t-ipconnect.de] has joined #openvpn
06:04 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
06:05 < Proshot> guys i was wondering, is it possible to create a new certificate and key for an existing client
06:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:20 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
06:21 < xTz> hey guys
06:21 < xTz> VERIFY ERROR: depth=0, error=unsupported certificate purpose
06:21 < xTz> any ideas how do I get into this?
06:23 -!- Netsplit *.net <-> *.split quits: master_o1_master, justinzane, bears, Six6siX
06:40 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
06:46 -!- frank-- is now known as thumbs
06:48 -!- hax is now known as goeo_
06:51 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 276 seconds]
06:54 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:04 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, clu5ter, Chrisje, Olipro, pekster, Haigha, fred``, Ulrar,  (+4 more, use /NETSPLIT to show all of them)
07:10 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:13 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:13 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
07:14 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
07:15 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
07:18 -!- Netsplit over, joins: pekster, fred``, clu5ter
07:18 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
07:18 -!- Netsplit over, joins: plaisthos, Ulrar, ketas, codehero, Haigha, haasn, Chrisje, capri, SlutaTramsa
07:18 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:19 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
07:19 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:31 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 240 seconds]
07:33 -!- Latrina [~Latrina@adsl-ull-76-200.50-151.net24.it] has quit [Ping timeout: 250 seconds]
07:36 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
07:42 -!- leO [~l30@unaffiliated/le0] has joined #openvpn
07:45 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
07:56 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
08:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
08:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
08:49 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
08:53 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:03 -!- Rug [~matt@50.115.176.66] has quit [Quit: leaving]
09:11 -!- michaelhart_ [~michaelha@192.237.177.15] has joined #openvpn
09:13 -!- michaelhart [~michaelha@192.237.177.15] has quit [Ping timeout: 258 seconds]
09:13 -!- michaelhart_ is now known as michaelhart
09:20 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:25 -!- Latrina [~Latrina@ppp-236-31.26-151.libero.it] has joined #openvpn
09:57 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:05 -!- fol_tempus is now known as tempus_fol
10:38 -!- tempus_fol is now known as foltempus
10:39 -!- foltempus is now known as tempus_fol
10:40 -!- dazo is now known as dazo_afk
10:55 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has quit [Quit: Leaving]
11:08 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:26 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:36 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:37 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
11:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
11:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:50 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:52 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
12:04 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Ping timeout: 264 seconds]
12:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:13 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
12:13 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
12:16 -!- Cpt-Oblivious [chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
12:27 -!- tunage [~bastard@ool-435339b8.dyn.optonline.net] has left #openvpn []
12:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:44 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:45 -!- leO [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:46 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:51 -!- earthian [~ea@gw.uk.fostral.net] has joined #openvpn
13:07 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
13:11 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 258 seconds]
13:12 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
13:13 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
13:13 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 258 seconds]
13:24 -!- goeo_ is now known as NationalSecurity
13:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:40 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
13:41 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
13:57 -!- NationalSecurity is now known as goeo_
14:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:47 -!- joshh20-Away is now known as joshh20
14:51 -!- akurilin [~alex@c-98-234-90-17.hsd1.ca.comcast.net] has joined #openvpn
14:55 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:07 < RaiNerTsuFal> Hello, is it possible that --show-tls list e.g. TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 but it's not supportet by openvpn?
15:12 < earthian> !heartbleed
15:12 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
15:12 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
15:12 < earthian> Hello, where is #polarssl channel? :/
15:23 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
15:24 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
15:31 -!- justinzane [~justinzan@67.21.190.20] has joined #openvpn
15:34 -!- chrisb [~chrisb@pool-71-175-248-123.phlapa.east.verizon.net] has joined #openvpn
15:35 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 246 seconds]
15:40 <@krzee> earthian, there isnt one, if you goto https://polarssl.org you can see their support services
15:40 <@vpnHelper> Title: SSL Library PolarSSL: Download for free or buy a commercial license (at polarssl.org)
15:40 <@krzee> knowledge base, support forum, direct email
15:41 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 252 seconds]
15:41 < earthian> I see, thanks!
15:41 <@krzee> np
15:42 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
15:44 -!- joshh20 is now known as joshh20-Away
15:44 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:57 -!- chrisb [~chrisb@pool-71-175-248-123.phlapa.east.verizon.net] has quit [Ping timeout: 245 seconds]
15:59 -!- earthian [~ea@gw.uk.fostral.net] has quit [Ping timeout: 252 seconds]
16:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:26 -!- irated [~irated@unaffiliated/irated] has joined #openvpn
16:26 -!- irated [~irated@unaffiliated/irated] has left #openvpn ["Leaving"]
16:28 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
16:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:41 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
17:09 -!- joshh20-Away is now known as joshh20
17:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:13 -!- toastedpenguin [~David_Chr@c-67-173-129-98.hsd1.il.comcast.net] has joined #openvpn
17:14 < toastedpenguin> is it possible to to have a 3rd party CA signed cert on an access server and use self signed certs for clients?
17:15 < toastedpenguin> doh wrong room....
17:28 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:28 < rob0> Yes. Nonetheless I am pretty sure that in AS as well as here, the CA cert has to be the same on the server as on the clients.
17:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:38 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
17:38 < Proshot> could somebody point me to the documentation where i can find how to set up a second openvpn server within an already existing network
17:41 -!- u0m3_ [~u0m3@92.80.96.59] has joined #openvpn
17:43 -!- u0m3 [~u0m3@109.96.139.150] has quit [Ping timeout: 250 seconds]
17:51 < rob0> There is no problem running any number of instances of openvpn on the same host; but routing confusion might arise if you're careless.
17:51 < rob0> No, I doubt there is anything specifically documented about it.
17:59 < reiffert> it's limited to 2^32-3 connections per ip address.
17:59 < reiffert> sorry, I fucked it up
18:00 < reiffert> do the math yourself
18:01 < rob0> well, I bet you'd hit system limits well before that ... not to mention limits of the admin's sanity :)
18:02 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 240 seconds]
18:05 -!- Lorphos [~sven@unaffiliated/lorphos] has joined #openvpn
18:05 < Lorphos> !welcome
18:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:06 < Lorphos> Hi, I have OpenVPN setup on my openwrt router as a client to a VPS as the server. I'd like to route one device in my home lan via openvpn now (with NAT)
18:08 < Lorphos> i tried adding a route table and a ip rule that does a lookup for this table for certain ip addresses
18:08 < Lorphos> those ip addresses could no longer access the internet so I know it did *something*
18:09 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
18:09 < Lorphos> but i would have preferred that they could access the internet through the openvpn tunnel
18:09 < Lorphos> !redirect
18:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:09 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:10 < Lorphos> !nat
18:10 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
18:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:34 -!- mirco [~mirco@ip-5-146-126-177.unitymediagroup.de] has quit [Ping timeout: 252 seconds]
18:37 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
18:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:56 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
19:14 -!- ShadniX [dagger@p5DDFCD37.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
19:14 -!- ShadniX [dagger@p5DDFCD37.dip0.t-ipconnect.de] has joined #openvpn
19:19 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has joined #openvpn
19:21 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Quit: Leaving]
19:32 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:33 -!- joshh20 is now known as joshh20-Away
19:34 -!- Lorphos [~sven@unaffiliated/lorphos] has quit [Remote host closed the connection]
19:40 -!- outofbounds_ [~outofboun@198.199.109.226] has joined #openvpn
19:40 -!- outofbounds_ is now known as outofbounds
19:42 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
19:47 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:48 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
19:49 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
20:13 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has quit [Quit: mirco]
20:22 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
20:24 < chrisb> what do CA_EXT and REQ_EXT mean in pkitool in easy-rsa?  do they set the 1. intermediate CA cert and 2. the server extensions to x509 extended key usage and specific key usage?
20:37 < pekster> chrisb: extensions section and request extensions a concept of the openssl "cnf" file
20:38 < pekster> If you're doing batch processing, you might find the concepts (and reference readme files) more useful in the 3.x codebase on git-master
20:39 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
20:54 < chrisb> pekster: thanks for responding
20:54 < chrisb> pekster: i am working on openwrt, so im limited to 2.0
20:55 < pekster> It's POSIX sh. Just extract the git-master sources to the device and run it
20:56 < pekster> Depends on what you're doing I suppose. Are you trying to do batch/automated processing in some way?
20:56 < pekster> If not, you probably don't need to muck with things like extension sections
20:57 < chrisb> i am not doing batch.  i will pull 3.0, but for now, i want to finish setting up an intermediate CA devoted to server certs and another to client certs
20:57 < chrisb> do i change openssl.cnf in each intermediate CA?
20:58 < pekster> The v3 sourcebase is designed to handle that setup a lot better than the 2.0 code was
20:58 < pekster> v3 has a "ca" signing type specifiaclly for sub-cas
20:58 < chrisb> to get the server extensions and client extensions properly
20:58 < chrisb> pekster: ok, i will pull it.  are you hanging around?
20:58 < chrisb> :)
20:59 < pekster> For v2, you need to look at the --inter flag, but that script is a bit of a mess to read
20:59 < pekster> Yea, I'm online for a bit, and idle here as long as my power and tubes are cooperating
21:01 < pekster> The `quick and dirty` way to put v3 on your openwrt is like this: `cd ~/wherever; git clone https://github.com/OpenVPN/easy-rsa.git; cd easy-rsa; tar czf ~/easyrsa3-git.tgz easyrsa3` -- then scp that to your openwrt, extract and profit
21:03 < pekster> What's your end-goal here? Offline CA with an intermediate on the openwrt?
21:04 < chrisb> pekster: yes
21:05 < chrisb> pekster: opkg install git ; git clone https://github.com/OpenVPN/easy-rsa.git gives "unable to find remote helper for https"
21:06 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
21:06 < pekster> No, clone it on a real OS
21:06 < pekster> Just untar it on the openwrt (treat it as more of an "appliance" than a full-OS)
21:15 < chrisb> ok, this v3 looks very nice
21:19 < chrisb> nice to get sha256 as the default digest
21:29 < pekster> chrisb: A quick test here using easyrsa3 in a sub-ca setup with openvpn seems to work fine, just don't forget to include the sub-ca in the _entity_ local cert, ie: the one you specify with --cert in the ovpn config
21:30 < pekster> So, basically the same way you'd configure a web server. Note that --ca should contain just the root-CA, not sub-CAs (since each end is expected to provide a full chain that validates up to the trusted root)
21:35 < chrisb> pekster: i haven't yet seen how i gen the csr for a sub-ca
21:37 < chrisb> x509-types/ is very nice
21:38 < pekster> ./easyrsa gen-req shortNameHere
21:38 < pekster> See `./easyrsa help gen-req` for details. inline help is fairly, um, "helpful" now ;)
21:42 < pekster> chrisb: From my shell history of the setup, with comments added: https://gist.github.com/QueuingKoala/e2c1c067a312384915b5
21:43 <@vpnHelper> Title: Sub-CA example (at gist.github.com)
21:43  * chrisb takes a look
21:50 < pekster> Oh, I see what you were getting at before. easyrsa takes a simplistic view of a PKI dir; each one holds a _single_ PKI with only 1 CA. So the sub-CA gets a separate directory and simply doesn't sign its own reuest
21:53 -!- master_o1_master [~master_of@p4FD7BA87.dip0.t-ipconnect.de] has joined #openvpn
21:53 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 240 seconds]
21:56 -!- master_of_master [~master_of@p4FD7BDA5.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
22:02 < chrisb> pekster: wow, that was very nice
22:04 < chrisb> is dh2048.pem needed during cert and key generation? or only during TLS?
22:06 < chrisb> pekster: very nice rewrite
22:07 < pekster> Only by a TLS server
22:10 < chrisb> pekster: because you have the x509-types/  the remote-cert-tls server  openvpn config directive will be effective
22:11 < chrisb> pekster: the eKu directives
22:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 250 seconds]
22:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:19 < chrisb> pekster: at some point we have to do a cat offline/ca.crt sub/ca.crt > ca_subca.crt  to go in the CApath on the client and server, right?
22:20 < chrisb> or is sub/ca.crt "good enough" to go in the CApath?
22:24 < chrisb> using easyrsa3 here: http://www.raspberrypi.org/forums/viewtopic.php?f=36&t=70594
22:24 <@vpnHelper> Title: Raspberry Pi View topic - [howto] Openvpn server, using easy-rsa3 (at www.raspberrypi.org)
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:32 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:32 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:53 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Operation timed out]
22:54 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
23:45 -!- ShadniX [dagger@p5DDFCD37.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:46 -!- ShadniX [dagger@p5DDFC76F.dip0.t-ipconnect.de] has joined #openvpn
23:48 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:59 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has joined #openvpn
23:59 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
--- Day changed Fri May 09 2014
00:00 -!- DQSII [~DQSII@gateway/tor-sasl/dqsii] has quit [Client Quit]
00:05 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
00:12 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has joined #openvpn
00:13 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
00:30 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
00:34 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
01:10 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:10 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:10 -!- mattock_afk is now known as mattock
01:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:56 -!- asturel [~asturel@unaffiliated/asturel] has quit [Read error: Connection reset by peer]
01:56 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
01:57 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
01:57 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
01:57 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
02:03 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
02:31 -!- dazo_afk is now known as dazo
03:20 -!- JyZyXEL [~foo@a88-112-64-35.elisa-laajakaista.fi] has joined #openvpn
03:26 < JyZyXEL> i don't know which protocol and port my remote openvpn server is running, is there a way to confirm it?
03:30 < JyZyXEL> what do i need to echo to the port to get it saying something?
03:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:25 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:29 -!- makara [~makara@41.164.22.218] has joined #openvpn
04:33 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
05:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:47 < Proshot> hi there reiffert, how are you today
05:48 -!- earthian [~ea@cpc12-rdng20-2-0-cust14.15-3.cable.virginm.net] has joined #openvpn
05:49 < earthian> Hello, what is the maximum ca.crt rsa key size is complied in the Android openvpn client?
05:50 < earthian> My ca key is 8kbit and somebody from PolarSSL thinks that my issue is POLARSSL_MPI_MAX_SIZE which is set to default value - 4kbit
06:35 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
06:45 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:48 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has joined #openvpn
06:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:51 -!- spiekey [~admin@projekte.imos.net] has joined #openvpn
06:51 < spiekey> hello!
06:52 < spiekey> has anyone a vanilla openvpn client running with Sophos UTM9?
06:52 < spiekey> i seem to get the stuff out of the .apc file wrong :/
07:30 -!- Proshot [~FSM@5ED1E519.cm-7-2d.dynamic.ziggo.nl] has quit [Quit: Leaving]
07:46 -!- JyZyXEL [~foo@a88-112-64-35.elisa-laajakaista.fi] has left #openvpn []
08:11 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:11 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
08:34 -!- tuvok [tuvok@Photography.tuvok.eu] has quit [Quit: Serverwechsel]
08:40 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Read error: Connection reset by peer]
08:42 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
08:43 -!- justinzane [~justinzan@67.21.190.20] has quit [Ping timeout: 255 seconds]
08:43 -!- makara [~makara@41.164.22.218] has quit [Ping timeout: 245 seconds]
08:44 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
08:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:02 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
09:06 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 250 seconds]
09:09 -!- dazo is now known as dazo_afk
09:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:15 -!- mode/#openvpn [+v s7r] by ChanServ
09:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:22 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Remote host closed the connection]
09:25 -!- justinzane [~justinzan@12.172.184.69] has joined #openvpn
09:26 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 250 seconds]
09:26 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:28 -!- agentbob [anonymoose@unaffiliated/agentbob] has quit [Ping timeout: 252 seconds]
09:28 -!- agentbob [anonymoose@unaffiliated/agentbob] has joined #openvpn
09:32 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Quit: No Ping reply in 180 seconds.]
09:34 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:35 -!- spiekey [~admin@projekte.imos.net] has quit [Read error: No route to host]
09:35 -!- spiekey [~admin@projekte.imos.net] has joined #openvpn
09:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:13 -!- mattock is now known as mattock_afk
10:22 <@krzee> earthian, well did you try a 4096 pki?
10:22 <@krzee> should be easy enough to test
10:22 <@krzee> or of course you could check the code
10:22 <@krzee> !android
10:23 <@krzee> ecrist, this is why i keep hijacking the bot's screen
10:25 <@krzee> ecrist, i think your ipv6 broke yet again
10:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
10:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ
10:27 <@krzee> i put an ip in the config for irc servers, lol
10:28 <@krzee> !android
10:28 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
10:28 <@krzee> !androidsource
10:28 <@krzee> !factoids search --values source
10:28 <@vpnHelper> 'mail', 'tls-cipher', 'mactuntap', 'webgui', 'dev', 'sudowin', 'bcast', 'pptp', 'win_tcplimit', 'cisco', 'webgui', 'winsudo', 'pki', 'vpn', 'new_win_gui', 'current', 'current', 'ebtables', 'bridge-fw', 'release-notes', 'gvpe', 'git', 'git', 'git', 'man', 'android', 'provider', 'changelog', 'winroute', 'entropy', 'aws', 'easyrsa', 'license', 'pushdns', 'polarssl', '', and 'connect'
10:29 <@krzee> hmm i thought i made a factoid for that
10:30 <@krzee> !learn androidsource The source for OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
10:30 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
10:30 <@krzee> !learn androidsource as The source for OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
10:30 <@vpnHelper> Joo got it.
10:33 <@krzee> !learn androidsource as The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout
10:33 <@vpnHelper> Joo got it.
10:34 <@krzee> !forget androidsource 1
10:34 <@vpnHelper> Joo got it.
10:34 <@krzee> !learn androidsource as The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
10:34 <@vpnHelper> Joo got it.
10:41 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
10:51 -!- spiekey [~admin@projekte.imos.net] has left #openvpn []
11:16 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:00 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:02 -!- ananke [~ananke@about/linux/regular/ananke] has left #openvpn []
12:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
12:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:21 <@plaisthos> krzee: I am not sure if the openvpn3 core source is public or not
12:21 <@plaisthos> krzee: you might ask James if he wants the source to be distributied
12:22 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:23 <@ecrist> krzee: yeah
12:23 <@ecrist> token's v6 breaks all the time, I have no idea why
12:50 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:55 -!- fejjerai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
12:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
12:59 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
13:26 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
13:27 < earthian> krzee, I can not change the CA key, because the CA is the company's policy. Also that crt is used in various other services without a single issue!
13:28 < earthian> i ment the CA.crt
13:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
13:36 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
13:57 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
14:13 -!- samu [s@unaffiliated/samaelszafran] has joined #openvpn
14:13 < samu> Hello ;-)
14:13 < samu> I have a rather weird question
14:13 <@ecrist> !ask
14:13 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
14:13 < samu> Don't worry, I will ask, I'm just making an introduction :D
14:13 < samu> ok, to the point
14:13 < samu> I have one openvpn instance with multiple clients
14:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:14 < samu> now, this is not really something I want to do asap, but more a curiosity
14:14 < samu> My customers can see and talk to each other (meaning that connectivity between peers is fully enabled)
14:15 < samu> BUT, let's suppose I'd like to divide them into groups. I don't wan't to separate each client from any other, but I'd like to create small, isolated groups that would be able to communicate with each other, but not with any other group
14:15 < samu> something like a vlan.
14:15 < samu> Now, I know that separate openvpn instance would to this, but because I'm curious, is it possible to do it with openvpn?
14:15 < samu> sorry, correction: with one instance of openvpn
14:16 -!- earthian [~ea@cpc12-rdng20-2-0-cust14.15-3.cable.virginm.net] has quit [Ping timeout: 250 seconds]
14:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
14:36 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 252 seconds]
14:38 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 250 seconds]
14:46 <@krzee> plaisthos, if he does not, he should have us take down the forum post that points to it
14:47 <@krzee> actually, nevermind
14:47 <@krzee> he posted it himself
14:47 <@krzee> https://forums.openvpn.net/topic12800.html
14:47 <@krzee> so no, james does not mind.
14:47 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect Source Code : OpenVPN Connect (iOS) (at forums.openvpn.net)
14:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
14:58 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
15:07 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 252 seconds]
15:18 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:01 -!- nibbo [nibbo@gateway/shell/blinkenshell.org/x-gnxlecjgaefbyygp] has quit [Ping timeout: 264 seconds]
16:07 <@plaisthos> krzee: ah okay, did not know that
16:25 -!- toastedpenguin [~David_Chr@c-67-173-129-98.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
16:26 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
16:33 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:53 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 252 seconds]
16:59 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
17:00 -!- joshh20-Away is now known as joshh20
17:01 -!- Jeroen52 [~quassel@sona-gaming.com] has quit [Remote host closed the connection]
17:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:21 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has joined #openvpn
17:25 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:34 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:37 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
17:45 -!- earthian [~ea@gw.uk.fostral.net] has joined #openvpn
18:01 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
18:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:03 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
18:03 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
18:04 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has quit [Ping timeout: 258 seconds]
18:07 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:07 -!- mode/#openvpn [+v s7r] by ChanServ
18:08 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
18:19 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:31 -!- joshh20 is now known as joshh20-Away
18:33 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has joined #openvpn
18:35 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 264 seconds]
18:37 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
18:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
19:08 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 240 seconds]
19:18 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
19:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Read error: Connection reset by peer]
19:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
19:30 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:32 -!- aji [~alex@atheme/member/aji] has joined #openvpn
19:35 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:38 < eristisk> I would like to make it so that it's not possible to route traffic via my wlan0 interface unless openvpn is working and connected.  How can I do this?
19:38 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
19:40 < pekster> a firewall
19:43 -!- joshh20-Away is now known as joshh20
19:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:02 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
20:02 < BenLue> !logfile
20:02 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
20:07 < BenLue> pekster; i have create an entry option 'log' '/etc/openvpn/s3system-openwrt' but i cant find the log when i ovpn start
20:07 < pekster> What is "ovpn start" ?
20:08 < pekster> If `ovpn` is a program in your system $PATH, verify what it is doing as you can change the log location or output type with later command-line options
20:08 < BenLue> when i start openvpn client with /etc/init.d/openvpn start
20:09 < pekster> So what's the comand you're starting openvpn with? Maybe `ps auxw | grep openvpn` will provide clues
20:09 < pekster> I think openwrt appends the --syslog option, which would put it in your system log (and on that platform, you read the circular ring-buffer with the `logread` utility)
20:10 < BenLue> i canot find some entry about openvpn in my syslog
20:11 < pekster> Without the configs and and logs, there's probably not much we can do
20:11 < pekster> Do you have a pastebin of the openvpn config you're using?
20:12 < BenLue> sure wait a second please
20:12 < BenLue> syslog: http://paste.debian.net/98586/
20:13 < pekster> Right, nothing at all related to openvpn there
20:13 < BenLue> Client config http://paste.debian.net/98587/
20:14 < pekster> That is not an openvpn config. It's an openwrt "UCI" stanza that is digested by their initscript
20:14 < pekster> What you probably want to do is create a real openvpn config, and call it from openwrt with the option 'config' directive
20:14 < pekster> !openwrt
20:14 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
20:15 < BenLue> My Server Config: http://paste.debian.net/98588/
20:15 < pekster> And that's bogus becuase you mix-and-match UCI with openvpn config syntax
20:15 < BenLue> ahh okay
20:16 < pekster> Fix your configs, ideally by using a real openvpn config file. Ask downstream (ie: openwrt) if you insist on using UCI, but I strongly discourage that since they support a far more sane method of calling a real config ;)
20:16 < pekster> So, `option proto udp` in UCI turns into `proto udp` in a real config file. Most of this should be fairly obvious, although be careful with the UCI bools that have no "1" or "true" flag
20:16 < BenLue> i have seen the config on http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap
20:16 < pekster> Don't use tap
20:16 < pekster> !tunortap
20:16 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
20:16 <@vpnHelper> rooted/jailbroken) support only tun
20:17 < pekster> Unless you can explain to me why you need tap after reading it, you don't need it. Use tun.
20:18 < pekster> And be very careful pushing routes to common networks, like 192.168.1.0/24. If any of your clients (including ones you don't control) are on that network, stuff breaks
20:18 < pekster> Pick a properly random subnet (read: !randomsubnet for a shell-based generation method)
20:21 < BenLue> !randomsubnet
20:21 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
20:27 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:30 < BenLue> pekster; any ideas? http://paste.debian.net/98589/
20:34 < pekster> tun1? The "File exists" error suggests you already have a link up with 10.0.0.14 -> 10.0.0.13/32
20:35 < pekster> Check `ip addr show` for clues
20:37 < BenLue> http://paste.debian.net/98592/
20:37 < BenLue> omg 2 tun interfaces?
20:37 < pekster> That's what happens when you run 2 openvpn instances
20:37 < pekster> You could just as easily run 200 at once
20:43 < BenLue> hehe
20:45 < BenLue> hmm pekster i dount under stand to start as service! When i start with root@S3SYSTEM-OpenWrt:/etc/openvpn# openvpn client.conf its working
20:46 < BenLue> -#
20:46 < pekster> Then your problem is the distro-centric init
20:46 < BenLue> how can i solve the Problem?
20:46 < pekster> On openwrt, simply calling your config with a stanza that contains _nothing_ except the config file will launch just your config
20:46 < pekster> So you solve it by ripping out all the UCI-ified config
20:46 < pekster> Which is what I told you before:
20:46 < pekster> !openwrt
20:46 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
20:47 < pekster> You have apparently not done that and are still running _another_ instance with all your old details. Don't do that
20:52 < BenLue> hmm i dount understand! Can you post me an sample config?
20:54 < BenLue> in /etc/config/openvpn option config /etc/openvpn/client.conf?
20:54 < pekster> Right. And _only_ that option (under the stanza definition)
20:54 < pekster> If it's easier for you, feel free to pastebin what you're using now
20:55 < BenLue> http://paste.debian.net/98595/
20:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
20:57 < pekster> Remove line 2 (it's implied by line 1.) Also remove line 13 as DH params are not used by clients
20:57 < pekster> Otherwise looks fine, if paired with an appropriate server config. Does it work now when invoked directly with `openvpn` ?
20:58 < BenLue> http://paste.debian.net/98596/
20:58 < pekster> Right
21:01 < BenLue> and option 'config' /etc/openvpn/client.conf is correct?
21:03 < pekster> Just pastebin the entire UCI config as I suggested earlier
21:06 < BenLue> in /etc/config/openvpn i have only option config /etc/openvpn/client.conf
21:06 < BenLue> but the service will not start
21:06 < pekster> Right. THat's not valid
21:06 < pekster> You need a complete stanza, not just that line
21:06 < BenLue> i dount understand the stanza definition
21:07 < pekster> Here's what I'm using on an openwrt device: http://fpaste.org/100682/39968764/raw/
21:10 < BenLue> http://paste.debian.net/98597/
21:10 < BenLue> (o;
21:10 < pekster> Yea, ifconfig is awful
21:10 < pekster> But otherwise seems to be running
21:11 < pekster> ifconfig is sane on BSDs. On Linux, it's old and stupid. I mean, unless you like looking at stupid print-outs of zeros :\
21:14 < BenLue> (o;
21:14 < rob0> like ascii pr0n?
21:25 < BenLue> pekster its possible when im login via wlan to use the traffic over the vpntunnel
21:30 -!- joshh20 is now known as joshh20-Away
21:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
21:49 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 276 seconds]
21:53 -!- earthian [~ea@gw.uk.fostral.net] has quit [Ping timeout: 276 seconds]
21:53 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
21:54 -!- Poster|x [~poster@cpe-184-57-112-154.columbus.res.rr.com] has joined #openvpn
21:56 -!- master_o1_master [~master_of@p4FD7BA87.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
21:58 -!- master_of_master [~master_of@p4FF24E55.dip0.t-ipconnect.de] has joined #openvpn
21:58 -!- Poster [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Ping timeout: 258 seconds]
22:00 < pekster> BenLue: Read about:
22:00 < pekster> !redirect
22:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:00 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
22:02 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:31 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
22:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:33 -!- mode/#openvpn [+v s7r] by ChanServ
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:57 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 252 seconds]
22:57 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
23:18 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:20 -!- temporary_questi [~temp@unaffiliated/temporary-questi/x-9097157] has joined #openvpn
23:22 < temporary_questi> hi, how can i route all dns requests through a vpn?
23:25 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
23:45 -!- ShadniX [dagger@p5DDFC76F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:46 -!- ShadniX [dagger@p5481D8BE.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat May 10 2014
00:53 -!- tuvok [tuvok@2a01:d0:87dd::5] has joined #openvpn
01:22 -!- mears11 [~mears11@c-71-237-20-112.hsd1.co.comcast.net] has joined #openvpn
01:27 < mears11> so, from everything I've read, it seems like it's non-trivial to get remote clients to register their VPN assigned ip and hostname via the local LANs DNS server.  Is that correct?
01:27 < Aketzu> openvpn client itself doesn't do any registrations... client operating systems might do it
01:28 < Aketzu> I did it that server registers them
01:28 < Aketzu> https://gist.github.com/Aketzu/11281584
01:28 <@vpnHelper> Title: OpenVPN DNS update script (at gist.github.com)
01:30 < mears11> very cool
01:31 < mears11> by chance have you attempted to run that for a Windows client using msys or cygwin?
01:32 < Aketzu> "yesno"
01:32 < Aketzu> server is linux, clients are windows
01:32 < mears11> ahhhh...I was reading it backwards.  Thought that was going into the client config file
01:33 < Aketzu> in theory should also work there (for linux clients) but allowing dns updates from everywhere isn't very good
02:39 -!- ferai [~quassel@kde/mitchell] has joined #openvpn
02:40 < rob0> You can use TSIG keys, or just give the server ONE key and let it handle the nsupdate(8) script.
02:40 < rob0> or, maybe easier to work with,
02:40 < rob0> !dnsmasq
02:40 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
02:41 < rob0> either way, you need to do some scripting for dynamic updates.
02:41 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
02:45 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 258 seconds]
02:47 -!- mnathani1 [~mnathani@constance.winvive.com] has quit [Ping timeout: 258 seconds]
02:48 -!- mnathani1 [~mnathani@constance.winvive.com] has joined #openvpn
03:18 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, Haigha, fred``, Cybertinus, SlutaTramsa,  (+2 more, use /NETSPLIT to show all of them)
03:20 < temporary_questi> how can I route all DNS requests through a VPN? is this easy to do with OpenVPN?
03:29 -!- Netsplit over, joins: pekster, SlutaTramsa, fred``, clu5ter
03:29 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:29 -!- Netsplit over, joins: @plaisthos, Ulrar, codehero, Haigha, haasn, Chrisje, capri
03:29 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Max SendQ exceeded]
03:30 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:31 < Thermi> temporary_questi: Yes.
03:36 < temporary_questi> Thermi: how can I do this? I've been googling for a while, but all I've found are guides for Windows or not actually explaining it.
03:37 < Thermi> Well, you have a DNS server A and a tunnel between yourself and the DNS server
03:37 < Thermi> Then you just create the tunnel and set nameserver a in /etc/resolv.conf
03:37 < Thermi> Done
03:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
03:39 < temporary_questi> Thermi: sorry, I'm kind of a noob. How do I create the tunnel? I already have a DNS server in /etc/resolv.conf
03:39 < Thermi> Well, you look at this: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
03:39 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
03:40 < temporary_questi> I'll give it a look, thanks.
03:40 < Thermi> Also https://openvpn.net/index.php/open-source/documentation/howto.html#examples
03:40 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:40 < temporary_questi> Thanks.
03:41 < Thermi> If you want to tunnel DNS reqeusts through the tunnel, you need to either use a DNS server om the endpoint or route your DNS traffic through the VPN.
03:42 < temporary_questi> That's what I want to know, how to route the DNS traffic through the VPN.
03:43 < Thermi> Ah, well. That's a networking problem. I have to go, sry!
03:43 < Thermi> I'm sure someone else will help you
03:44 < temporary_questi> Alright, thanks for linking to the manpage and example though, I'll read through that while I white for someone else
03:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:53 < Aketzu> !pushdns
03:53 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
03:54 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
03:57 -!- Vindicar [~vindicar@204.44.119.193] has joined #openvpn
03:57 < Vindicar> !welcome
03:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:58 < temporary_questi> Aketzu: If I use resolvconf, am I still able to use --dhcp-option/dhcp-option DNS a.b.c.d?
04:01 < Aketzu> yes
04:01 < temporary_questi> Alright, thanks. I'm going to give that a try right now.
04:01 -!- temporary_questi [~temp@unaffiliated/temporary-questi/x-9097157] has left #openvpn ["brb"]
04:05 -!- temporary_questi [~temp@unaffiliated/temporary-questi/x-9097157] has joined #openvpn
04:05 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:06 < temporary_questi> Hmm, I passed the '--dhcp-option a.b.c.d' option when I started openvpn, and dnsleaktest.com still shows the IP I have set /etc/resolv.conf. Is there something I'm doing wrong?
04:08 < Vindicar> !configs
04:08 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:10 < temporary_questi> Vindicar: I just have the default configs that came with my VPN provider, I haven't changed them at all. I'm using Debian and openVPN version 2.3.2
04:12 < Vindicar> temporary_questi: sorry, I've just joined. I was going to ask my own question, but resolved it myself. It's a weird one though.
04:12 < temporary_questi> Vindicar: Oh, sorry, I thought you were talking to me :)
04:14 < Vindicar> no, I'm getting familiar. Turned out, under win7x64 having two a config in Program Files/OpenVPN/config and an identical one left in Program Files (x86)/OpenVPN/config can mess DNS up.
04:15 -!- Vindicar [~vindicar@204.44.119.193] has left #openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"]
04:20 -!- temporary_questi [~temp@unaffiliated/temporary-questi/x-9097157] has left #openvpn []
04:25 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, Haigha, fred``, Cybertinus, SlutaTramsa,  (+2 more, use /NETSPLIT to show all of them)
04:26 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:28 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:36 -!- Netsplit over, joins: pekster, @plaisthos, SlutaTramsa, fred``, clu5ter, Ulrar, codehero, Haigha, haasn, Chrisje (+1 more)
04:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Max SendQ exceeded]
04:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
04:59 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:00 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 246 seconds]
05:10 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
05:10 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
05:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:54 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, Cybert1nus, clu5ter, Chrisje, pekster, Haigha, fred``, Ulrar,  (+2 more, use /NETSPLIT to show all of them)
06:04 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 1.0-dev]
06:05 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
06:05 -!- Netsplit over, joins: pekster, @plaisthos, SlutaTramsa, fred``, clu5ter, Ulrar, codehero, Haigha, haasn, Chrisje (+1 more)
06:06 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Max SendQ exceeded]
06:06 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
06:09 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
06:16 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
06:22 -!- dschoepe [~dschoepe@unaffiliated/dschoepe] has quit [Ping timeout: 252 seconds]
06:37 -!- u0m3_ [~u0m3@92.80.96.59] has quit [Read error: Connection reset by peer]
06:53 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
07:12 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:17 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:58 -!- joshh20-Away is now known as joshh20
08:07 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:36 -!- sniper7kills [~Sniper7Ki@184.105.255.227] has joined #openvpn
08:37 < sniper7kills> Hey all, I was wondering if anyone has set up a server with a openvpn server routing traffic through an openvpn client
08:45 < pekster> Nothing stops you from doing that, although you'd probably need some --client-connect script to handle the routing changes
08:49 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
08:53 < sniper7kills> Well I have it setup but once the openvpn client starts I lose the ability to connect with the server on eth0
08:53 < sniper7kills> so I can't connect to the server
08:55 < pekster> Right, becuase it's doing exactly what you've asked and routing _all_ traffic through the VPN. ie: you broke return routing for non-VPN (externally-sourced) requests
08:55 < pekster> You'll need policy routing to fix that, which is defining routing on the server to send back anything that arrives on the physical interface to the LAN gateway, not via the VPN
09:00 < sniper7kills> any chance you have a link with additional information? or would it just be an iptables route I should add?
09:01 < pekster> 2nd routing table, a routing rule, and a couple of conntrack rules to set up the connection tracking/marking
09:01 < pekster> Plus no rp_filter in your kernel
09:02 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 276 seconds]
09:07 < pekster> I'll see about throwing together a wiki page for that as none exists nwo
09:30 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:30 < sniper7kills> that would be amazing. Thank you!
09:31 < sniper7kills> If I may add, https://gist.github.com/codemoran/8309269 would be a great resource to add for installing conntrack rules to centos
09:31 <@vpnHelper> Title: Install conntrack-tools on CentOS (at gist.github.com)
09:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
09:48 -!- da0s [~rage@201.210.91.175] has joined #openvpn
09:48 < da0s> if the server pushes the gateway redirect for all clients automatically, how can a client refuse to have its gateway redirected towards the vpn server?
09:52 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
10:04 -!- joshh20 is now known as joshh20-Away
10:05 -!- goeo_ [~goeo_@unaffiliated/goeo] has quit [Quit: uh my server probably has issues]
10:09 -!- justinzane [~justinzan@12.172.184.69] has quit [Ping timeout: 252 seconds]
10:24 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Ping timeout: 240 seconds]
10:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:32 -!- justinzane [~justinzan@host-12-172-184-42.nctv.com] has joined #openvpn
10:41 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
10:45 < halothe23> !welcome
10:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:51 < da0s> !route
10:51 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
10:56 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Ping timeout: 252 seconds]
10:56 -!- EmLeX [~emx@unaffiliated/emlex] has joined #openvpn
10:57 < da0s> !redirect
10:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:57 < da0s> !def1
10:57 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
11:03 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:26 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, Haigha, fred``, Cybertinus, SlutaTramsa,  (+2 more, use /NETSPLIT to show all of them)
11:29 <@krzee> !factoids search redirect
11:29 <@vpnHelper> 'redirect', 'redirect_ips', 'redirect-policy', and 'redirect_ignore'
11:29 <@krzee> !redirect_ignore
11:29 <@vpnHelper> "redirect_ignore" is if you want to ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) then you can use route-nopull and use a script to add the routes that are needed
11:38 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
11:38 -!- Netsplit over, joins: pekster, @plaisthos, SlutaTramsa, fred``, clu5ter, Ulrar, codehero, Haigha, haasn, Chrisje (+1 more)
11:38 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Max SendQ exceeded]
11:38 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Max SendQ exceeded]
11:41 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
11:42 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
11:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
12:02 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
12:03 -!- dvl [~dan@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
12:03 -!- dvl_ is now known as dvl
12:05 -!- joshh20-Away is now known as joshh20
12:08 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
12:10 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
12:15 -!- fol_tempus is now known as tempus_fol
12:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:50 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:03 -!- joshh20 is now known as joshh20-Away
13:33 -!- joshh20-Away is now known as joshh20
13:50 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
13:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:55 <@krzee> !obfs
13:55 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
13:55 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
13:56 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, Haigha, fred``, Ulrar, Cybertinus,  (+2 more, use /NETSPLIT to show all of them)
14:07 -!- Netsplit over, joins: haasn, Chrisje
14:07 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:07 -!- Netsplit over, joins: pekster, @plaisthos, SlutaTramsa, fred``, clu5ter, Ulrar, codehero, Haigha, capri
14:12 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:14 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:20 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
14:21 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, Haigha, fred``, Ulrar, Cybertinus,  (+2 more, use /NETSPLIT to show all of them)
14:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:32 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
14:32 -!- Netsplit over, joins: haasn, Chrisje
14:32 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:32 -!- Netsplit over, joins: pekster, @plaisthos, SlutaTramsa, fred``, clu5ter, Ulrar, codehero, Haigha, capri
14:33 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
14:43 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, Haigha, fred``, Ulrar, Cybertinus,  (+2 more, use /NETSPLIT to show all of them)
14:46 -!- savid [~savid@capstone.md] has joined #openvpn
14:47 < savid> Do downloaded certs have to be installed in /etc/openvpn? Can I keep them in ~/.openvpn?
14:53 -!- Netsplit over, joins: Haigha
14:54 -!- horses_ftw [~wansumkok@2a04:1980:3100:1aac:21b:21ff:feda:4d20] has joined #openvpn
14:54 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
14:54 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
14:54 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:54 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:54 -!- fred`` [fred@earthli.ng] has joined #openvpn
14:54 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:54 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
14:54 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
14:54 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:54 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
14:54 -!- capri [svedrin@ketos.funzt-halt.net] has joined #openvpn
14:54 -!- ServerMode/#openvpn [+o plaisthos] by wilhelm.freenode.net
14:54 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Max SendQ exceeded]
14:54 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
14:59 <@krzee> savid, keep them wherever you want, but make sure your config knows where to find them and the user (if you use --user / --group) has access to them or you use the proper persist options
15:04 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
15:10 -!- Netsplit *.net <-> *.split quits: capri, haasn, codehero, pekster, clu5ter, Chrisje, fred``, Ulrar, Cybertinus, SlutaTramsa,  (+2 more, use /NETSPLIT to show all of them)
15:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 255 seconds]
15:22 < tempus_fol> Hello, in the past weeks I tried to fix an upload issue with my openvpn setup. I did use a similar setup on my previous VPS provider, it worked fine. In the past weeks I had issues uploading large files, whilst downloading was perfectly fine. Any file larger than ~1MB would have hung forever. Since yesterday, it got awfully worse. Now it seems that I can't even browse. I did try to use mtu-test, it says everything is fine (1601 MTU measured)
15:22 < tempus_fol> . I tried and tried to tweak "fragment" and  "mssfix", with no real results. The actual config (without comments) server side: http://fpaste.org/100771/53286139/raw/ ; I did try to use tcp and change ports, with no luck; I've also tried to use default auth and cipher as well.
15:25 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
15:25 < tempus_fol> (the paste shows auth SHA51, it's actually auth SHA512)
15:26 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
15:26 -!- mode/#openvpn [+o plaisthos] by ChanServ
15:26 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
15:26 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
15:26 < tempus_fol> I checked the connection both from the client and from the server, it's perfectly fine (I did use speedtest-cli on both)
15:27 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
15:27 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
15:31 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
15:33 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
15:35 < tempus_fol> I'll try to give the server a reboot (sigh), brb
15:36 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
15:39 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:50 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
16:14 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
16:18 < tempus_fol> So, I did reboot the server, and I found that there were some fsck issues... after the reboot openvpn works as usual (downloading is fine, uploading hangs). So, I'm still stuck with my original problem
16:51 < pekster> sniper7kills: https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
16:51 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
17:00 < sniper7kills> pekster
17:01 < sniper7kills> thank you VERY much!
17:01 < pekster> Sure, I've spent so much time explaining this to other people it needed to be made a wiki anyway. I just never got around to it until now
17:02 < pekster> fwiw, you might also need a link-local route on the secondary table for your LAN, ie `iproute add 192.168.0.0/24 dev eth0 scope link` (I don't have my VMs handy at the moment to test it)
17:02 < pekster> or w/e your lan is of course
17:10 -!- rawburt [~irc@pdpc/supporter/professional/rawburt] has left #openvpn []
17:34 < BenLue> I need to use the VPN Connection when im on WLAN
17:35 < BenLue> I have set some Firewall Rules likes: http://paste.debian.net/98753/
17:36 < BenLue> config forwarding was removed
17:36 < BenLue> i need some settings more?
17:36 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
17:36 -!- fred`` [fred@earthli.ng] has joined #openvpn
17:38 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
17:41 < BenLue> VPN via WLAN is not working atm
18:28 < BenLue> gn8 @all
18:34 -!- sniper7kills [~Sniper7Ki@184.105.255.227] has quit [Read error: Connection reset by peer]
18:41 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
18:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:57 -!- Devastator [~devas@unaffiliated/devastator] has joined #openvpn
19:02 -!- sniper7kills [~Sniper7Ki@184.105.255.227] has joined #openvpn
19:02 < sniper7kills> hey all, pekster was helping me out with an issue I was having
19:02 < sniper7kills> and he said I should post the link to the post I made here incase anyone else had any insite
19:02 < sniper7kills> https://forums.openvpn.net/post41075.html#p41075
19:02 <@vpnHelper> Title: OpenVPN Support Forum Server passing traffic to client : Configuration (at forums.openvpn.net)
19:03 < pekster> Is your server also the router for your network, or is it behind a NAT router?
19:03 < sniper7kills> Its a VPS
19:03 < sniper7kills> and no to both I think
19:03 < pekster> So the uplink on the VPN server has a public IP?
19:03 < sniper7kills> I mean it should be behind a NAT route as its a static IP
19:04 < sniper7kills> yes
19:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:04 < sniper7kills> *shouldn't be bhind a NAT router
19:06 < pekster> You might still need that link-local entry
19:06 < sniper7kills> ok
19:06 < pekster> Take the CIDR network on eth0 (or w/e that is), let's just call it 192.168.0.0/24 unless you are confused, in which case post `ip addr show` to a pastebin. For my example eth0 network, do `ip route add 192.168.0.0/24 dev eth0 scope link`
19:06 < pekster> See if that fixes things
19:07 < pekster> This VPS is acting as your VPN client? Or did I not understand your setup
19:07 < pekster> Or you have a client somewhere connecting to this VPS that is your server?
19:07 < sniper7kills> both
19:07 < pekster> VPS at both ends? :P
19:08 < sniper7kills> when I'm in the states I use it to check my banks, but now I'm in Iraq, and want to watch netflix at work
19:08 < sniper7kills> the vps is in canada
19:08 < pekster> RIght, so your VPN client is your own PC?
19:08 < sniper7kills> and I'd rather just keep my laptop settings
19:08 < sniper7kills> yes my laptop is VPN'ing into the server
19:08 < sniper7kills> in canada
19:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:08 < sniper7kills> and now I want the server to VPN to the states
19:09 < pekster> And just to verify I understand your problem, you want to use --redirect-gateway to redirect Internet traffic, but also want to accept ssh (or whatever) to your laptop from the Internet?
19:09 < sniper7kills> (overly complicated but its a chance to learn)
19:09 < pekster> Oh, wait, what's this about the server to VPN to the states?
19:09 < sniper7kills> yes
19:09 < sniper7kills> the VPS is a server AND client
19:09 < tempus_fol> "VPN-chain"
19:09 < pekster> Right, now I get what you're doing
19:10 < pekster> So yea, add that link-local route to the $uplink_interface network to your secondary table (100 in my example)
19:10 < sniper7kills> ok
19:10 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has joined #openvpn
19:10 < adh0c> Hi i recently bought a VPS to run OpenVPN on, but it turns out the service provider does not support the ipt_MASQUERADE module required for OpenVPN's firewall rules.
19:11 < adh0c> They recommended that I can use SNAT in place of MASQUERADE - does anyone have a decent guide as to how to write these rules?
19:12 < pekster> Have you read SNAT from iptables-extensions(8)? What did you learn? What are you still confused about?
19:13 < sniper7kills>  ip route add 162.248.163.0/24 dev eth0 scope link
19:13 < sniper7kills> RTNETLINK answers: File exists
19:13 < sniper7kills> so it should already be in there
19:13 < pekster> table 100
19:13 < sniper7kills> ok
19:13 < sniper7kills> I miss the little things at 3 aM
19:14 < sniper7kills> added it but still no-go
19:14 < pekster> Can you still initiate ssh connections to your VPS?
19:14 < sniper7kills> yes I can
19:16 < sniper7kills> so this is interesting
19:16 < sniper7kills> I did an ls of /etc/openvpn
19:16 < sniper7kills> and now I have a bunch of files with numbers
19:16 < sniper7kills> AKA file names that are numbers
19:16 < pekster> No idea; that's completely unrelated to the routing change
19:17 < sniper7kills> ok, I'm ignoring that as they are all empty
19:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:21 -!- mech422 [~steve@ip68-2-159-8.ph.ph.cox.net] has joined #openvpn
19:22 < mech422> Does anyone know - when you use a 'full' certificate based auth setup - are the client certs bound to a specific client in some way (hostname?ip?). You can't just copy them to any old client machine can you ?
19:22 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:23 < sniper7kills> I don't believe they are linked to a client in any way other than you saying "hey these are yours"
19:23 < mech422> dam, I lose
19:23 < sniper7kills> Don't quote me on it though
19:24 < mech422> I had a bet with a co-worker...I thought they were like ssl web server certs and bound a particular machine
19:24 < mech422> thanks!
19:28 < pekster> mech422: full?
19:29 < mech422> pekster: nah - just a lil peckish
19:30 < pekster> Oh, full as in X.509 instead of strictly user/pass?
19:30 < pekster> From the server's perspective it doesn't really care what you use so long as all the auth methods you're using return success
19:31 < mech422> ok... for some reason, I thought they were bound to a machine.  Thanks!
19:32 < pekster> No, although you shouldn't transport your private keys
19:32 < pekster> Always generate them on the target system
19:32 < pekster> See the easyrsa v3 howto on the wiki for details and the recommended procedure:
19:32 < pekster> !easyrsa
19:32 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
19:32 < mech422> pekster: thanks - this was for an actual install - just an office bet...turns out, I lost
19:32 < mech422> *wasn't
19:33 < pekster> Ah, I see. Yea, the key merely contains the private (and public too) parts of the keypair. The cert is simply a signed copy of the public key along with some fields identifying the client. There's nothing magic about the files themselves, so you can copy them elsewhere
19:35 < Aketzu> windows has some magic in its certificate store where you can mark keys as non-exportable
19:35 < mech422> ahh well...maybe I can get some salt when I eat crow...
19:36 < pekster> Yea, but that's windows :P
19:36 < pekster> And nothing stops you from making a copy of the raw file you imported first :P
19:37 < Aketzu> in a way client certs are tied "just as web server certs" since they (can) have common names... "John Doe" certificate belongs to single person (/machine) just as "www.example.com" belongs to said web server
19:37 < Aketzu> unless you do keygen & cert req in windows cert store
19:38 < pekster> CN is just another field. By default openssl won't let you dupe them, but you can if you disable that protection
19:38 < pekster> It's the serial number of the issued cert that is truely unique
19:38 < Aketzu> yeah... and verifying whether that "person" is really using that is somewhat impossible
19:38 < mech422> well, thanks for the help
19:39 < mech422> suppose I should go face the music....
19:39 -!- mech422 [~steve@ip68-2-159-8.ph.ph.cox.net] has left #openvpn ["Konversation terminated!"]
19:39 < pekster> Right. You attempt to secure them with passphrases and instill fear into the key holder, but nothing stops them from giving both away at that big party after too much booze ;)
19:39 < Aketzu> eurovision contest just ended :)
19:41 < rob0> PARTY!
19:41 < rob0> open bar?
20:10 -!- da0s [~rage@201.210.91.175] has quit [Ping timeout: 240 seconds]
20:29 -!- da0s [~rage@201.210.91.175] has joined #openvpn
20:30 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:32 -!- da0s is now known as discardedipsofac
20:32 -!- discardedipsofac is now known as ChadMcBrad
20:32 -!- ChadMcBrad is now known as Chad_McBrad
21:35 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:39 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
21:39 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
21:39 -!- mode/#openvpn [+o krzie] by ChanServ
21:39 -!- krzie is now known as krzee
21:57 -!- master_of_master [~master_of@p4FF24E55.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
22:00 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:01 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
22:04 -!- savid [~savid@capstone.md] has left #openvpn []
22:15 < akurilin> Quick question: I have an older openvpn machine and I instantiated a new beefier one in the same subnet
22:15 < akurilin> all the same configs
22:15 < akurilin> syslog confirms I can establish a tunnel to it
22:15 < akurilin> howevr I can't seem to be able to ssh into any of the machines int eh same subnet any longer
22:20 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
22:28 -!- joshh20 is now known as joshh20-Away
22:28 -!- DarylXian [mOvDEZpg4W@bolt.sonic.net] has joined #openvpn
22:30 < DarylXian> Hi.  What's the current status of ECC support in OpenVPN?  I've found scattered discussions, comments, and a patch -- but nothing definitive.  Yet.  IS it supported?  If so, are there docs for its use?
22:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
22:44 -!- DarylXian [mOvDEZpg4W@bolt.sonic.net] has quit [Quit: DarylXian]
23:43 -!- ShadniX [dagger@p5481D8BE.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:45 -!- ShadniX [dagger@p5481D387.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun May 11 2014
01:01 -!- justinzane [~justinzan@host-12-172-184-42.nctv.com] has quit []
01:09 -!- justinzane [~justinzan@host-12-172-184-42.nctv.com] has joined #openvpn
01:50 -!- adh0c [~adh0c@ool-182fc1d0.dyn.optonline.net] has quit [Read error: Connection reset by peer]
01:51 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
01:55 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
02:03 -!- sniper7kills [~Sniper7Ki@184.105.255.227] has quit [Read error: Connection reset by peer]
02:07 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Olipro, Chrisje
02:09 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
02:10 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Chrisje
02:12 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
02:14 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
02:21 -!- bicranial [~bicranial@147.69.11.205] has joined #openvpn
02:50 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
03:06 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
03:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:17 -!- bicranial [~bicranial@147.69.11.205] has quit [Ping timeout: 240 seconds]
04:23 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
04:26 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
04:33 < akurilin> so nvm, didn't set up forwarding to the opevpn server :)
04:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:54 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
04:54 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
05:41 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
05:43 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]
05:44 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 245 seconds]
05:44 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 240 seconds]
05:46 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
05:46 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
05:52 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
05:54 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
06:29 -!- chrisb [~chrisb@50.116.63.205] has joined #openvpn
08:02 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:06 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Chrisje
08:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
08:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:14 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:17 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
08:28 -!- joshh20-Away is now known as joshh20
08:34 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Chrisje
08:41 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
08:43 -!- Rienzilla [rien@sinas.rename-it.nl] has left #openvpn []
08:44 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
08:44 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
08:45 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Chrisje
08:55 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
09:14 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
09:21 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 255 seconds]
09:51 <+s7r> if i use openvpn to connect to a computer, via an intranet IP let's say 10.0.2.1 and the vpn server also has a public internet IP address, but it is not shared with the vpn in anyway... can i find out that public IP address via some exploits in openvpn?
09:53 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
10:01 <+s7r> novaflash have any idea? :)
10:16 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:19 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:22 -!- u0m3 [~u0m3@92.80.118.155] has joined #openvpn
10:22 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
10:37 -!- chrisb [~chrisb@50.116.63.205] has quit [Ping timeout: 258 seconds]
10:39 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
10:56 < dvl> s7r: You're asking us to help you with exploiting OpenVPN? o.O
10:58 <+s7r> no way
10:58 <+s7r> i just want to make sure it's not possible
10:58 <+s7r> :)
11:06 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
11:07 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:17 < Chad_McBrad> s7r, do you want to know the public ip address of the machine that's actually hosting the vpn server/process? or do you want to know the public ip address of some other computer whose routes are also available through the vpn, but you know nothing about it except its LAN ip ex:(10.0.2.1)
11:18 <+s7r> Chad_McBrad the public IP of the machine that is actually hosting the vpn server / process
11:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 240 seconds]
11:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
11:26 <+s7r> I mean, better to say I want to make sure nobody can find out that (when I am running the openvpn server / process)
11:48 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 240 seconds]
11:50 -!- aji [~alex@atheme/member/aji] has joined #openvpn
11:57 -!- joshh20 is now known as joshh20-Away
11:58 < chrisb> why does the client.conf need access to the key for its own public, signed cert?  why doesn't it need a copy of the public key of the server to which it is connecting, so that it can "pin" that cert?
12:01 <@krzee> chrisb, you need to understand how PKI works
12:01 <@krzee> !pki
12:01 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
12:01 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
12:02 <@krzee> s7r, why would you bother attacking openvpn? you're already on the same LAN as the target
12:03 <@krzee> why not do some l2 attacks to find the IP?  like arp poisoning between the target and its router for example
12:05 <+s7r> krzee the vpn server will be hidden from the client. client will connect to a .bit domain which will help him connect to the server.
12:05 <+s7r> via namecoin :)
12:05 <@krzee> well thats quite a bit different than what you said
12:05 <+s7r> client will get 10.0.2.2 IP and server will have 10.0.2.1
12:05 <@krzee> you said he was connecting TO an intranet ip
12:05 <+s7r> and i don't want the client to be able to find out the real public IP address of the server
12:06 <+s7r> can this be found out via openvpn?
12:06 <+s7r> no, he will GET an internal IP my BAD
12:06 <@krzee> not via openvpn, possibly through other misconfigured stuff
12:06 <+s7r> sorry for the mistake
12:06 <+s7r> ok only this i wanted to know if there is any poisoning client can do via openvpn and find out the real ip address
12:06 <@krzee> not that we know of
12:06 <+s7r> if not, than it's great. your word is enough
12:07 <+s7r> thank you
12:07 <@krzee> np
12:07 < chrisb> krzee: thanks for responding.  i don't see why openvpn/TLS on the client needs the secret client.key
12:07 <@krzee> ?its a tun vpn, right?
12:08 <@krzee> chrisb, a simplified view of how pki works:  the server sends traffic to the client encrypted with its public key, the private key is able to decrypt it
12:09 <@krzee> the client sends traffic to server with its public cert, the server uses its private key to decrypt
12:09 <@krzee> openvpn goes a little more in depth with forward security and whatnot, but thats a simplified view of PKI
12:09 < chrisb> krzee: then why doesn't the server present the *client's* public key to the client so that the client can verify it with both ca.crt and private client.key?
12:09 <@krzee> s7r, you are using tun, correct?
12:10 <@krzee> chrisb, each side gives the other its public cert,. the server then checks the clients cert is signed by the same ca.key that signed the servers ca.crt
12:10 <@krzee> and client also does that exact check on the server
12:11 <@krzee> then each side uses the other sides cert to encrypt some traffic to the other
12:11 <+s7r> krzee tun yes. no --redirect-gateway no nothing.
12:11 <@krzee> the other side can only read it using their private .key
12:11 <@krzee> s7r, good, you dont want tap.
12:11 <+s7r> i know tap is l2 (bridge), correct/
12:11 <+s7r> so it's not suitable for my model
12:12 <@krzee> tap doesnt have to be a bridge, but its always layer2
12:12 <+s7r> tun is upper layer always,
12:12 <@krzee> still not suitable for your model
12:12 <+s7r> it cannot be changed by an attacker into ttap?
12:12 <@krzee> yes
12:12 <@krzee> no, it cannot
12:13 < chrisb> krzee: ah, ok, so even the public keys are expected to be exchanged over the channel, no pinning is possible, but eKu fields are checked, and a plugin can be used to do further checking
12:13 < chrisb> krzee: are the public keys exchanged over an HMAC or TLS channel?
12:14 <@krzee> well HMAC (when used) exist on every packet
12:15 <@krzee> thats not really crypto, its more of a hash to be sure the packet is meant for openvpn
12:15 <@krzee> im not sure what you mean by "pinning"
12:15 <@krzee> if you're asking if public certs are REALLY public, yes they are.
12:16 <@krzee> the .crt files are very much public
12:16 <@krzee> and the .key files are very much private
12:17 < chrisb> pinning: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
12:18 <@vpnHelper> Title: Certificate and Public Key Pinning - OWASP (at www.owasp.org)
12:18 < chrisb> krzee: so do client.crt and server.crt go in the clear before the enc channel is established?
12:19 < chrisb> pinning gets around the possibility of a forged public cert
12:20 < chrisb> even if the CA is compromised
12:21 <@krzee> chrisb, i would want plaisthos syzzer cron mattock raidz pekster or dazo to confirm my answer, but i think they are sent clear
12:21 <@krzee> im not 100% so do get verification on it.
12:23 < chrisb> pinning relies on a trusted, out-of-band exchange of public crts/keys
12:24 <@krzee> !security
12:25 <@vpnHelper> "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
12:25 <@krzee> see if #2 helps you at all
12:45 < chrisb> krzee: thanks
12:45 <@krzee> np
13:21 -!- u0m3 [~u0m3@92.80.118.155] has quit [Read error: Connection reset by peer]
13:24 -!- u0m3 [~u0m3@92.80.125.133] has joined #openvpn
13:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
14:37 -!- SquirrelCZECH [~squirrel@ip-89-103-45-17.net.upcbroadband.cz] has quit [Remote host closed the connection]
14:39 < pekster> chrisb: I don't understand what you're getting at. The certificate is sent in the clear in TLS (thus all fields are visible to a MITM.) But it's worthless unless the MITM also posesses the private key
14:49 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
14:51 -!- mnathani1 is now known as mnathani
15:08 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 252 seconds]
15:09 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
15:10 -!- fred`` [fred@earthli.ng] has joined #openvpn
15:12 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
15:18 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Remote host closed the connection]
15:21 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:26 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:35 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:46 -!- amwt [~amwt@unaffiliated/amwt] has joined #openvpn
15:47 < amwt> !factoids
15:47 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:48 < amwt> hi all, is this a dev or user support channel?
15:49 < rob0> there are developers here, but they also have #openvpn-devel
15:49 < amwt> I have trouble accessing SMB shares over openvpn on Android. The same config works on Windows and iOS clients accessing the same SMB servers
15:50 < amwt> and on Android I can ping, and RDP machines
15:51 < amwt> the Anroid SMB client works when connected to the LAN directly.
15:55 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 264 seconds]
16:02 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
16:13 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
16:18 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
16:23 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
16:25 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:29 -!- amwt [~amwt@unaffiliated/amwt] has left #openvpn []
16:40 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
16:50 -!- u0m3_ [~u0m3@92.80.103.245] has joined #openvpn
16:51 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
16:52 -!- u0m3 [~u0m3@92.80.125.133] has quit [Ping timeout: 240 seconds]
16:56 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:03 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:07 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 276 seconds]
17:08 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
17:36 -!- n13l [~Daniel@aaa.anect.cz] has quit [Ping timeout: 245 seconds]
17:44 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:55 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:00 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
18:01 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
18:36 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
19:22 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
19:32 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
19:34 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:36 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
19:39 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:49 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
19:49 -!- samu_ [s@unaffiliated/samaelszafran] has joined #openvpn
19:51 -!- _KaszpiR___ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
19:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
19:51 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
19:51 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 240 seconds]
19:51 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 240 seconds]
19:51 -!- mushroomed [~mushroome@li173-111.members.linode.com] has quit [Ping timeout: 240 seconds]
19:51 -!- samu [s@unaffiliated/samaelszafran] has quit [Ping timeout: 240 seconds]
19:51 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 240 seconds]
19:51 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
19:51 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 240 seconds]
19:51 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 240 seconds]
19:51 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 240 seconds]
19:52 -!- yauz [9571c35871@osgiliath.yauz.de] has quit [Ping timeout: 240 seconds]
19:52 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
19:52 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
19:52 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
19:52 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
19:52 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
19:53 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
19:53 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
19:54 -!- mushroomed [~mushroome@li173-111.members.linode.com] has joined #openvpn
19:54 -!- u0m3_ [~u0m3@92.80.103.245] has quit [Quit: Leaving]
20:13 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:25 -!- BenLue [NoMail@unaffiliated/benlue] has quit []
20:49 -!- Denial- [Denial@176.250.235.182] has joined #openvpn
20:50 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
20:50 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
20:50 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
20:50 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
20:51 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
20:51 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
20:51 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 240 seconds]
20:51 -!- qwertyoruiop [~hax@93.174.90.31] has quit [Ping timeout: 240 seconds]
20:51 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 240 seconds]
20:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
20:51 -!- Denial [Denial@176.250.235.182] has quit [Ping timeout: 240 seconds]
20:51 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
20:51 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
20:51 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 240 seconds]
20:51 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Ping timeout: 240 seconds]
20:51 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 240 seconds]
20:51 -!- Varazir [~mircwars@c-94-255-128-92.cust.bredband2.com] has quit [Ping timeout: 240 seconds]
20:51 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
20:51 -!- Denial- is now known as Denial
20:51 -!- soapee01_ [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
20:52 -!- agentbob_ [anonymoose@unaffiliated/agentbob] has joined #openvpn
20:52 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 276 seconds]
20:52 -!- ferai [~quassel@kde/mitchell] has quit [Quit: No Ping reply in 180 seconds.]
20:52 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has quit [Ping timeout: 276 seconds]
20:52 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 276 seconds]
20:52 -!- agentbob [anonymoose@unaffiliated/agentbob] has quit [Ping timeout: 276 seconds]
20:52 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 276 seconds]
20:52 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
20:53 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
20:53 -!- riddle [riddle@us.yunix.net] has joined #openvpn
20:53 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
20:55 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
20:55 -!- mode/#openvpn [+o raidz] by ChanServ
20:55 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has joined #openvpn
20:55 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
20:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:56 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
20:57 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
20:58 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
21:04 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
21:09 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
21:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
21:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
22:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
22:19 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Remote host closed the connection]
22:28 -!- pnielsen [~pnielsen@li126-205.members.linode.com] has joined #openvpn
22:32 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
22:32 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
22:50 -!- savid [~savid@capstone.md] has joined #openvpn
22:52 < savid> When I connect to my vpn, I get the warning: "WARNING: No server certificate verification method has been enabled.". I'm not sure what I need to do about that, seems like I should take it seriously. My VPN provider gave me their CA cert, but provide nothing else. I've configured that cert using the "ca" option in my config.
23:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
23:13 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
23:18 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
23:19 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 252 seconds]
23:26 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
23:29 -!- Devastator [~devas@unaffiliated/devastator] has quit [Read error: Connection reset by peer]
23:33 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
23:33 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
23:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
23:42 -!- ShadniX [dagger@p5481D387.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:43 -!- ShadniX [dagger@p5DDFE5FC.dip0.t-ipconnect.de] has joined #openvpn
23:46 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
23:49 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Ping timeout: 252 seconds]
--- Day changed Mon May 12 2014
00:32 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
00:32 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
00:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
00:55 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
00:57 -!- mattock_afk is now known as mattock
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:34 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
01:34 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
01:47 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
01:53 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
02:20 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
02:23 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
02:29 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
02:34 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
02:34 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
02:43 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
02:45 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
02:47 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:03 -!- lkthomas [~lkthomas@n11649139179.netvigator.com] has joined #openvpn
03:04 < lkthomas> hey guys, can I sign a CA without CAkey ?
03:04 < ender|> CAs are self-signed
03:05 < lkthomas> ender|: and how could I create key and crt with that CA ?
03:05 < ender|> lkthomas: easiest is if you just use easy-rsa and follow the howto on openvpn.org
03:08 < lkthomas> I don't get it
03:08 < lkthomas> I have CA cert ready to use
03:08 < lkthomas> so how could I use it ?
03:09 < ender|> https://openvpn.net/index.php/open-source/documentation/howto.html#pki
03:09 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:10 < lkthomas> let me staste it the third time, I have ca cert on hand
03:10 < lkthomas> how could I REUSE it
03:10 < lkthomas> keep sending me guide to build CA doesn't help you know
03:11 < ender|> you need the private key - that's the whole point
03:11 < lkthomas> are you saying the private key of CA ?
03:11 < ender|> yes
03:11 < lkthomas> then I need to ask a proper person about the key as it doesn't exists
03:11 < lkthomas> thanks
03:11 < lkthomas> that's all I need to know
03:11 < ender|> without the private key you can just verify that the CA signed a particular certificate
03:12 < Aketzu> yeah... in pki everything new is created with private key and all verifications are done with public keys
03:13 < Aketzu> although private keys can be derived from public keys it's rather hard process
03:13 < lkthomas> Aketzu: well, I only have CA cert on hand
03:14 < Aketzu> OK, it only takes a few billion years to calculate the private key
03:14 < lkthomas> that's easy
03:28 < lkthomas> how do I know if .crt is from same CA ?
03:31 < Aketzu> its "issuer" field should match CA
03:31 < lkthomas> OK, and how could I know which files is the CA ?
03:32 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
03:32 < Aketzu> CA is self-signed
03:32 < Aketzu> and probably has CA attribute
03:32 < lkthomas> I am trying to setup a new OpenVPN connection, and there are some existing one
03:33 < lkthomas> those existing one is using ca ca-new.crt
03:33 < lkthomas> does it means ca-new.crt IS indeed the CA ?
03:33 < Aketzu> probably
03:33 < lkthomas> "probably" ?
03:33 < Aketzu> do you actually need to use the old/existing CA structure?
03:33 < lkthomas> what's the variable here ?
03:34 < lkthomas> yes
03:34 < lkthomas> better reuse
03:34 < lkthomas> I know what you mean
03:34 < lkthomas> regenerate new one
03:34 < lkthomas> but I tend to find out where is the old one :P
03:34 < Aketzu> it would (much) easier just to make new CA only for vpn
03:34 < lkthomas> yeah I know
03:34 < Aketzu> filename is just a filename. I could put my CA cert into fubar.crt
03:35 < lkthomas> so I wouldn't be able to know which one is CA cert ?
03:36 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
03:36 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Excess Flood]
03:37 -!- dazo_afk is now known as dazo
03:38 < Aketzu> look in the contents
03:38 < Aketzu> openssl x509 -text < ca.crt
03:38 < lkthomas>             X509v3 Basic Constraints:
03:38 < lkthomas>                 CA:TRUE
03:39 < lkthomas> that one ?
03:39 < Aketzu> it's a CA
03:39 < Aketzu> do you have any other CA's there?
03:39 < lkthomas> not that I aware of
03:39 < lkthomas> I see dh1024.pem file
03:40 < lkthomas> maybe it's not related ?
03:40 < Aketzu> it's DH parameters
03:40 < Aketzu> totally unrelated to CA but might be related to VPN
03:41 < Aketzu> or some other server
03:41 < lkthomas> haha, damn
03:41 < lkthomas> so I don't have the key
03:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:45 < lkthomas> fucking hell
03:45 < lkthomas> found it
03:47 < lkthomas> just verified
03:47 < lkthomas> it's the correct key
04:02 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:02 -!- mode/#openvpn [+o mattock_afk] by ChanServ
04:03 -!- mattock_afk is now known as mattock
04:15 < lkthomas> one question, when tunnel connected, am I suppose be able to ping p-t-p ip ?
04:53 < ender|> any idea why are my openvpn connections suddenly have extremely slow upload - around 50kB/s instead of 1-2MB/s? i upgraded kernel (to 3.14.3) and openvpn (2.3.4) yesterday. download speeds are still fine (and upload is also fine if it doesn't go through openvpn)
05:04 < lkthomas> ~~~~guys
05:04 < lkthomas> I got this problem
05:04 < lkthomas> Options error: --server directive network/netmask combination is invalid
05:05 < lkthomas> anyone have idea how to fix it ?
05:06 < lkthomas> nevermind
05:06 < lkthomas> I have to define network address
05:06 < lkthomas> not IP
05:13 < lkthomas> :)
05:25 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:26 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
05:27 < ender|> ok, looks like it was this bug: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=1e785f48d29a09b6cf96db7b49b6320dada332e1
05:27 <@vpnHelper> Title: kernel/git/stable/linux-stable.git - Linux kernel stable tree (at git.kernel.org)
05:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:47 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
06:17 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
06:48 -!- Chad_McBrad [~rage@201.210.91.175] has quit [Ping timeout: 265 seconds]
06:59 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:03 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
07:08 -!- defswork [~andy@141.0.50.105] has quit [Remote host closed the connection]
07:17 -!- Latrina [~Latrina@ppp-236-31.26-151.libero.it] has quit [Ping timeout: 245 seconds]
07:18 -!- Latrina [~Latrina@adsl-ull-81-212.50-151.net24.it] has joined #openvpn
07:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:11 -!- u0m3 [~u0m3@92.80.103.245] has joined #openvpn
08:19 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 245 seconds]
09:15 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 252 seconds]
09:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:40 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
09:42 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
10:28 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:32 -!- samu_ is now known as samu
10:56 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:01 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 252 seconds]
11:14 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
11:20 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has joined #openvpn
11:20 < Troggie0092> good day all.
11:21 < Troggie0092> i was wondering if it is possible to have a OpenVPN client connect to a OpenVPN server (SIte-to-Site) but NOT have the client OpenVPN as the router
11:21 < Troggie0092> as router in the client network
11:21 <@dazo> Troggie0092: yes
11:22 <@dazo> Troggie0092: it's all about routing
11:23 < rob0> If you're doing site-to-site, it's easier when the openvpn endpoints are the routers for their respective LAN networks.
11:23 < rob0> But sure, you can use static routes.
11:23 <@dazo> Troggie0092: on the default gateway (client network router) you need to route the LAN behind the openvpn server via the client LAN IP address of the VPN client
11:24 < Troggie0092> many thanks for the advice. i am very new to this so any advice is greatly appriciated
11:24 <@dazo> But you also need on the VPN server to route the client LAN network via the VPN too, to get the return traffic back to the LAN
11:25 < Troggie0092> on my client network, i am using a Raspberry Pi as openVPn client
11:25 < Troggie0092> and the opneVPN server is PFSense
11:25 < Troggie0092> what entries do i put on the client's router for the routing table
11:25 <@dazo> Troggie0092: This one is written as the VPN server perspective, so it needs some minor adjustments to work from a client perspective: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#UsingroutingandOpenVPNnotrunningonthedefaultgateway
11:25 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:26 <@dazo> Troggie0092: If your server LAN is 192.168.0.0/24, your VPN subnet is 10.8.0.0/24 and your client LAN is 192.168.100.0/24
11:28 <@dazo> I'm having the VPN client's local IP address as 192.168.100.10 in this example, with VPN IP address 10.8.0.5  ... and VPN server's LAN IP address 192.168.100.50 and VPN IP address 10.8.0.1
11:29 -!- raidz is now known as raidz_away
11:29 <@dazo> sorry!  Mixed some numbers now .... I'll give it another try :)
11:29 < Troggie0092> dazo, thank you so much for helping me
11:29 -!- raidz_away is now known as raidz
11:29 <@dazo> I'm having the VPN client's local IP address as 192.168.0.10 (fixed) in this example, with VPN IP address 10.8.0.5  ... and VPN server's LAN IP address 192.168.100.50 and VPN IP address 10.8.0.1
11:29 <@dazo> So your client LAN router needs a route which says:  192.168.100/24 (or 255.255.255.0) is to be routed via 192.168.0.10
11:30 <@dazo> The server LAN gateway needs to route 192.168.100.0/24 via  192.168.100.50
11:30 <@dazo> The VPN client must router 192.168.100.0/24 via 10.8.0.1
11:31 <@dazo> And the VPN server must route  192.168.0.0/24 via 10.8.0.5
11:31 < Troggie0092> let me give you a breakdown of my network please ...
11:31 < Troggie0092> Internet -> Router (10.0.0.2) -> switch
11:31 < Troggie0092> OpenVPN ServerIP is 10.0.0.5
11:31 < Troggie0092> thats on the client network
11:31 < Troggie0092> and on the OpenVPN Server
11:32 < Troggie0092> VPN SUbnet is 10.0.5.0/24
11:32 < rob0> !clientlan
11:32 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
11:32 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
11:32 < rob0> see also !serverlan
11:32 < rob0> The flowcharts are useful.
11:33 <@dazo> yeah, you need iroute too ... I had forgotten that detail now
11:34 <@dazo> Troggie0092: bottom line is ... you need to understand TCP/IP routing quite well ... then this is fairly easy
11:34 < Troggie0092> dazo, i have never had the oppourtunity to get this in depth with routing though ..
11:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:35 <@dazo> Troggie0092: then spend some time reading up on routing ... because you really need knowledge this to make this doable
11:35 <@dazo> !tcpip
11:35 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
11:35 < Troggie0092> the one problemi i see is that the openVPN Server WAN (PFsense) subnet is the same as my clients subnet .. i will change the Ips so it will make it easier as well
11:36 <@dazo> Troggie0092: client LAN and server LAN should ideally be different ... newer openvpn versions have some hacks to work around this, but I recommend not doing this before you understand the basic routing first
11:40 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has quit [Ping timeout: 265 seconds]
11:42 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has joined #openvpn
11:42 < Troggie0092> hi guys sorry about that
11:42 < Troggie0092> oki have change the local IP of the clients network
11:43 < Troggie0092> i have added the router 10.0.5.0/24 to use OpneVPN client machine 192.168.1.3
11:43 < Troggie0092> do i have to add routes to the server side?
11:43 < Troggie0092> will netbios names and dns names be avalible over the topology i am looking at installing
11:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:44 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:44 -!- mode/#openvpn [+v s7r] by ChanServ
11:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:04 < Troggie0092> hi again
12:05 < Troggie0092> i have tested my setup and if on the client network i set my pc's default gateway to the openvpn client address i get all the info i need.
12:05 < Troggie0092> so from my experience the routing only now needs to be configured from the clients side to get the data following correctly
12:06 <@dazo> Troggie0092: please don't rush this ... your setup requires good understanding of routing tables ... and you do need to think about return routes (which means routes pointing back to the client lan on the server side)
12:07 <@dazo> we don't hold hands here ... but point you in the direction with the info you need to accomplish your task
12:07 < Troggie0092> thank you dazo
12:07 < rob0> Did you try the flowcharts yet? Where did you get stuck?
12:07 < Troggie0092> rob0, the flow charts link isnt working
12:09 < rob0> http://pekster.sdf.org/misc/clientlan.png WFM (also serverlan.png), but indeed, ircpimps.org is not answering.
12:09 < Troggie0092> what i have noticed that if i ping the server's IP from the OpenVPN client box i get a reply but not from the LAN side
12:09 < rob0> krzee, ^^
12:13 < Troggie0092> rob0, i suspect its iptables on the OpenVPN client machine thats not passing the traffic to the PC's on the clients LAN
12:15 < rob0> pastebin "iptables-save -c" from the client
12:15 < rob0> !iptables
12:15 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
12:15 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
12:15 < Troggie0092> will send it now rob
12:16 < rob0> #1 covers your situation, FWIW; just clear out the rules and set ACCEPT on all policies.
12:18 < Troggie0092> ok i have cleared the iptables
12:27 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:30 < Troggie0092> oh i forgot
12:30 < Troggie0092> here is the network layout of my OpenVPN server , on the server site
12:31 < Troggie0092> Internet --> Router (10.0.0.1) --> PFsense (OpenVpn) 2 NICS  #1=10.0.0.3 (WAN) #2 = 192.168.0.0/24 (LAN) -->Switch
12:33 < rob0> (both of those are bad choices because of potential overlap)
12:33 < rob0> did you ever do that pastebin?
12:34 < Troggie0092> nothing showed up on that command you told me to do
12:34 < Troggie0092> where would it over lap?
12:46 <@krzee> Troggie0092, it's that if you ever want to share those lans the vpn clients will likely find themselves on those lans as well
12:46 <@krzee> since you are choosing the most common subnets EVER
12:46 <@krzee> !randomsubnet
12:46 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
12:46 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Olipro, Chrisje
12:46 <@krzee> !1918
12:46 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
12:47 < Troggie0092> oh ok i understand that .. would it cause any issues?
12:55 < rob0> If nothing showed up with "iptables-save -c", you have no iptables rules.
12:56 < Troggie0092> then there is no rules i suppose. i suspect the routing on the router
12:57 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
12:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:59 < Troggie0092> http://pastebin.com/bVBdhR47 the routing table on the OpenVpn Client that is working
13:00 <@krzee> !route
13:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
13:00 <@krzee> im not sure if anyone had you read that or not
13:01 <@krzee> but if you have not, and it applies to you, then read it a few times
13:04 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:07 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has quit [Quit: Leaving]
13:08 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has joined #openvpn
13:08 < Troggie0092> sorry about that
13:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:11 < tempus_fol> !tcpip
13:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
13:14 < roger_rabbit> !parkour
13:22 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 240 seconds]
13:29 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has quit [Ping timeout: 240 seconds]
13:35 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
13:35 -!- mode/#openvpn [+o mattock] by ChanServ
13:37 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has joined #openvpn
13:38 < Troggie0092> hi again. on the PFsense server .. there are few options #1 Remote Access (shared Key) , #2 Remote Access SSL/TLS #3 Peer-to-Peer Shared Key #4 Peer-to_peer SSL should i change to one of those options
13:40 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
13:43 -!- ShadniX [dagger@p5DDFE5FC.dip0.t-ipconnect.de] has quit [Quit: Bye.]
13:43 -!- Intensity [Iqewdyrkvi@unaffiliated/intensity] has quit [Remote host closed the connection]
13:44 -!- Troggie0092 [~dkorras@105-237-97-146.access.mtnbusiness.co.za] has quit [Quit: Leaving]
13:45 -!- mattock is now known as mattock_afk
13:47 -!- ShadniX [dagger@p5DDFE5FC.dip0.t-ipconnect.de] has joined #openvpn
13:49 -!- Intensity [mgw1-4eRNd@unaffiliated/intensity] has joined #openvpn
14:14 -!- mback2k_ [~freenode@2a00:1828:2000:378:1337:0:59ee:5431] has quit [Remote host closed the connection]
14:39 -!- micah [~micah@debian/developer/micah] has joined #openvpn
14:40 < micah> i have my openvpn server configured to setup a ipv6 address, but this fails on systems that have disabled ipv6 with "RTNETLINK answers: Permission denied
14:40 < micah> "Linux ip -6 addr add failed: external program exited with error status: 2
14:40 < micah> is there a way I can ask the client not to die when that happens?
14:42 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
14:45 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:52 -!- dazo is now known as dazo_afk
14:57 -!- Guest89075 [~fellayabo@unaffiliated/fellayaboy] has joined #openvpn
14:58 -!- joshh20-Away is now known as joshh20
15:00 -!- Guest89075 [~fellayabo@unaffiliated/fellayaboy] has quit [Client Quit]
15:01 -!- moomaboma [~fellayabo@unaffiliated/fellayaboy] has joined #openvpn
15:01 < moomaboma> can anyone help
15:03 -!- moomaboma [~fellayabo@unaffiliated/fellayaboy] has quit [Client Quit]
15:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:42 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:56 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
16:14 -!- _KaszpiR___ is now known as _KaszpiR_
16:30 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
16:32 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
17:06 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
17:07 < svg> Is there a way to overrule on the client, the server pushing the default gateway?
17:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:15 -!- novaflash is now known as novaflash_away
17:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:34 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:48 -!- novaflash_away is now known as novaflash
17:49 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:18 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:24 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has quit [Read error: Connection reset by peer]
18:28 -!- fiasco_averted [glen-a@64.125.189.90] has joined #openvpn
18:30 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
18:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 265 seconds]
18:53 -!- u0m3 [~u0m3@92.80.103.245] has quit [Ping timeout: 240 seconds]
19:53 <@krzee> svg,
19:53 <@krzee> !factoids search redirect
19:53 <@vpnHelper> 'redirect', 'redirect_ips', 'redirect-policy', and 'redirect_ignore'
19:53 <@krzee> !redirect_ignore
19:53 <@vpnHelper> "redirect_ignore" is if you want to ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) then you can use route-nopull and use a script to add the routes that are needed
19:54 <@krzee> i think i will make a small writeup on the wiki about it, because there is another easier way but the explanation would be too long or confusing for the bot
20:11 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
20:15 -!- joshh20 is now known as joshh20-Away
20:20 <@krzee> svg, there you go:  https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
20:20 <@vpnHelper> Title: IgnoreRedirectGateway – OpenVPN Community (at community.openvpn.net)
20:20 <@krzee> thats a rough draft, but has the info i would have given you
20:20 <@krzee> !forget redirect_ignore
20:20 <@vpnHelper> Joo got it.
20:21 <@krzee> !learn redirect_ignore as you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
20:21 <@vpnHelper> Joo got it.
20:21 <@krzee> pekster, if you're around could you take a peek at that page?
20:24 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:26 -!- fiasco_averted [glen-a@64.125.189.90] has quit [Quit: Leaving.]
20:26 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:30 < rob0> Or pek can take a peekster
20:31 < rob0> krzee, Method 2, second example, s.NOT..
20:32 < rob0> You use the /2 routes to override the def1 /1 routes.
20:35 <@krzee> good eye, bad copy/paste. thanks. fixed.
20:36 <@krzee> i would expand on method 1 but i have never used those options so i cant expand too much on them
20:36 <@krzee> i also never used method 2, but it's easier ;]
20:37 <@krzee> also added:  "Note that net_gateway is an internal variable to openvpn and does not need to be changed to anything."
20:45 -!- fiasco_averted [~glen-a@8.22.9.108] has joined #openvpn
20:45 < fiasco_averted> anyone using openvpn with aes-gcm? is that available in master? I see ticket 301 https://community.openvpn.net/openvpn/ticket/301 has patches for it (but that patch also adds support for AES-XTS, which is stpid for network transport).
20:45 <@vpnHelper> Title: #301 (Support AEAD cipher modes) – OpenVPN Community (at community.openvpn.net)
20:46 < fiasco_averted> that is a helpful bot :).
20:48 <@krzee> to be honest i dont know if that patch is merged? if you stick around im sure someone who knows will pop in
20:52 <@krzee> and thanks, i love that bot :D
20:53 < rob0> !botsnack
20:53 <@vpnHelper> "botsnack" is Om nom nom!
20:56 < fiasco_averted> thanks krzee, I'm pretty sure syzzer commented on one thread where aesgcm is discussed, but can't find the link right now.
20:56 <@krzee> that would be the person whose comments you want to see.
20:57 <@krzee> lol @ botnsack
20:57 <@krzee> botsnack too
20:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
21:00 <@krzee> thanks for giving that page a read rob
21:01 < rob0> sure, thank YOU for writing it :)
21:05 <@krzee> =]
21:11 -!- fred`` [fred@earthli.ng] has joined #openvpn
21:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:14 -!- fiasco_averted [~glen-a@8.22.9.108] has quit [Quit: Leaving.]
21:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
21:49 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
22:00 -!- auldeksam [~quassel@unaffiliated/themaskedlua] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
22:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 250 seconds]
22:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:24 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
22:29 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
22:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:32 -!- mode/#openvpn [+v s7r] by ChanServ
22:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:33 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:33 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
22:43 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
22:45 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
22:55 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
23:07 -!- fiasco_averted [~glen-a@c-98-210-157-215.hsd1.ca.comcast.net] has joined #openvpn
23:07 -!- mears11 [~mears11@c-71-237-20-112.hsd1.co.comcast.net] has quit [Quit: Leaving]
23:14 < fiasco_averted> shoot, I got kicked for a bit, did anyone respond regarding aes-gcm support? I posted about 2 hours ago.
23:15 < fiasco_averted> I'm currently looking through the openvpn-devel logs as well for more info.
23:17 < pekster> CBC ciphers only, unless you explicitly enable CFB or OFB modes with a compile-time define. See crypto_openssl.c:291
23:17 < pekster> As of c29e08a anyway
23:19 < pekster> I'm not that up on the code changes or proposed patches so far to bring that support in; it requires some re-working of the code bits that touch the ctx structures, but more than that I haven't dug into
23:23 < fiasco_averted> there's a ticket 301 that has a proposed patch, but there are some poor choices with the patch (XTS mode for network transfer, seriously?) and I'm not aware that it's implemented. Currently openssl and polarssl both support GCM modes and I know that openssl gets awesome performance increases with aes-ni and clmul intel instruction sets.
23:23 < fiasco_averted> ticket: https://community.openvpn.net/openvpn/ticket/301
23:23 <@vpnHelper> Title: #301 (Support AEAD cipher modes) – OpenVPN Community (at community.openvpn.net)
23:23 < pekster> It's not a matter of openssl not supporting it, but doing it properly in openvpn
23:24 < fiasco_averted> yes
23:24 < fiasco_averted> agreed.
23:25 < pekster> http://sourceforge.net/p/openvpn/mailman/search/?q=AES-GCM
23:25 <@vpnHelper> Title: OpenVPN / Mailing Lists / Search (at sourceforge.net)
23:41 -!- ShadniX [dagger@p5DDFE5FC.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:42 -!- ShadniX [dagger@p5DDFE962.dip0.t-ipconnect.de] has joined #openvpn
23:46 < fiasco_averted> thanks
23:47 -!- msn [~kvirc@125.234.96.10] has joined #openvpn
23:47 < msn> i am using openvpn-auth-ldap and everything is working except the certificate and user/passwords are not connected, any user can use any certificate as long the user/password matches. is there a way to change the search filter to something which is part of the certificate ?
23:47 < msn> like CN
--- Day changed Tue May 13 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:00 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:28 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:50 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
01:02 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
01:04 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Client Quit]
01:05 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
01:14 < msn> !welcome
01:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
01:14 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:16 -!- fiasco_averted [~glen-a@c-98-210-157-215.hsd1.ca.comcast.net] has quit [Ping timeout: 250 seconds]
01:19 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
01:21 -!- mattock_afk is now known as mattock
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:48 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
01:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:09 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 264 seconds]
02:09 -!- msn [~kvirc@125.234.96.10] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
02:11 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
02:12 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
02:13 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
02:31 -!- fiasco_averted [~glen-a@c-98-210-157-215.hsd1.ca.comcast.net] has joined #openvpn
03:04 -!- fiasco_averted [~glen-a@c-98-210-157-215.hsd1.ca.comcast.net] has quit [Ping timeout: 252 seconds]
03:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:50 -!- dazo_afk is now known as dazo
04:00 -!- Latrina [~Latrina@adsl-ull-81-212.50-151.net24.it] has quit [Ping timeout: 264 seconds]
04:01 -!- Latrina [~Latrina@ppp-135-10.26-151.libero.it] has joined #openvpn
04:07 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
04:18 -!- astrozyk [~astrozyk@bflo.corp.synacor.com] has joined #openvpn
04:53 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:01 -!- cap3lla [~cap3lla@HSI-KBW-109-192-191-115.hsi6.kabel-badenwuerttemberg.de] has joined #openvpn
05:01 < cap3lla> hello everybody.
05:03 < cap3lla> I have host "alpha" on siteA running an OpenVPN multi-server-client instance (tun) and host "bravo" on siteB running OpenVPN as client node. Bravo is connecting to Alpha. On Alpha I am using "iroute" so all the clients on siteB can access the clients on siteA.
05:04 < cap3lla> that works fine, but: clients on siteA can also access all the clients behind Bravo, that mean all the clients on siteB. I would like to prevent that. Can I do that somehow with iptables on Bravo?
05:05 < cap3lla> I even cannot understand why the clients behind Bravo on siteB are accessible ?? I don't use any iroute command on Bravo(
05:08 <@dazo> cap3lla: iirc, you only need iroute to allow the LAN behind the server to access the LAN behind the client
05:10 <@dazo> cap3lla: but yeah, you should always block access in firewalls as well ... then you just add in the FORWARD filter table a rule that blocks traffic initiated from the tun device
05:11 <@dazo> something like: iptables -A FORWARD -i tun+ -m conntrack --ctstate NEW -j DROP
05:11 < cap3lla> dazo: I remember that differently, the other way. iroute is used on servers side, so the client is allowed to reach not only the ovpn-server itself but also the clients behind it. Of course ip_forward=1 is necessary therefore.
05:12 <@dazo> cap3lla: to access LAN behind the server, pure routing should be enough I believe
05:12 <@dazo> but it might be it's needed to get the return route working, though ... it's a while since I set up such a network
05:13 < cap3lla> dazo: I only can adjust iptables on BRAVO, I have no acess to ALPHA host. So on BRAVO I tried various iptables like "iptables -A FORWARD -i tun0 -o br0 -j DROP" but that dropped my whole OpenVPN connection to ALPHA. I don't understand why. I just want to prevent that any host of siteA can access hosts of siteB
05:13 <@dazo> bravo is the VPN client, right?
05:14 < cap3lla> dazo: yes
05:14 <@dazo> Then that example rule should fit pretty well on Bravo ... you should add some subnet filtering and maybe not tun+ (which means all devices named tun)
05:14 <@dazo> but that's the principle
05:15 < cap3lla> tun0 is the interface I am talking about (in my case), I don't use tun+ at all
05:15 <@dazo> well, tun+ includes tun0
05:15 <@dazo> + is a wildcard in the netfilter world
05:15 < cap3lla> yes, but tun+ would break my other tun-interfaces :)
05:15 <@dazo> right :)
05:17 < cap3lla> "iptables -A FORWARD -i tun0 -m conntrack --ctstate NEW -j DROP" did not help. I am running a new command "ping any-client.siteB.local" from a host on siteA and I get pongs
05:18 <@dazo> you may need to insert that rule higher up in the FORWARD chain, if you have other rules there
05:18 <@dazo> another rule before this one may match and be executed instead
05:18 < cap3lla> it was the only rule on my iptables on BRAVO, I have no other rules.
05:19 <@dazo> that's really odd ... try changing -i tun0 to -s $subnet-of-siteA
05:20 < cap3lla> so I deleted that rule again and executed a new test rule "iptables -A FORWARD -i tun0 -j DROP". But with this command my OpenVPN connection completely disconnects
05:21 <@dazo> exactly, because it blocks traffic initiated from siteB -> siteA as well
05:21 <@dazo> when siteB connects to siteA, the packet status is NEW
05:22 <@dazo> when siteA responds back to siteB, the packet status is ESTABLISHED (or in some cases, like with ftp, RELATED)
05:23 <@dazo> that's the reason for having --m conntrack --ctstate NEW ... to only block new connections from siteA to siteB, but not packets which is returning back to siteB based on a connection initiated on siteB
05:23 <@dazo> that's the principle of stateful firewalling (SPI)
05:24 < cap3lla> so what's the correct rule? the first one you told me and which I tried, did not work unfortunately :(
05:26 <@dazo> as I suggested, try replacing -i tun0 with -s $SUBNET_OF_SITEA
05:27 <@dazo> if siteA uses 192.168.1.0/24 ... then it will be:  iptables -A FORWARD -s 192.168.1.0/24 -m conntrack --ctstate NEW -j DROP
05:29 < cap3lla> let me try ...
05:30 < cap3lla> that seems to work :)
05:32 < cap3lla> would instead of that also work this command here ? "iptables -A FORWARD -d 10.20.30.0/24 -m conntrack --ctstate NEW -j DROP" ?? 10.20.30.0/24 is the subnet of siteB
05:33 < cap3lla> I tried, no it doesn't. But why?
05:33 <@dazo> yeah, that can work ... unless you have some services on some other subnets/interfaces which should be allowed to access host(s) on 10.20.30.0/24
05:34 <@dazo> you can add some logging after these DROP lines, to catch what passes through (again, I would then match with --ctstate NEW) .. that can help you understand why it passes through
05:36 < cap3lla> no, there are no services on siteB. I don't want ot have siteB accessible from siteA at all. That's my aim
05:37 <@dazo> if you only want to restrict siteA accessing siteB, then  -s 192.168.1.0/24 fits better, as it declares siteA as unwanted
05:37 <@dazo> using -d 10.20.30.0/24 declares *anything* accessing siteB is not allowed
05:37 <@dazo> you see the difference?
05:38 <@dazo> you could though use something like: -s 192.168.1.0/24 -d 10.20.30.0/24 ... which would literally say: (only) siteA is not allwed to access (only) siteB
05:39 <@dazo> (that is combining those two filters)
05:39 < cap3lla> there are many other subnets on siteA behind the gateway, so I would have to include all of them (but I don't know all of them). siteA is not managed by me, but siteB is. So my though was to block uite everyting from directory siteA-->siteB
05:40 < cap3lla> If I would use solely -s 192.168.1.0/24 then this subnet of siteA will be blocked of course. But if any machine behind siteA with IP 172.20.123.123 would connect to siteB it would succeed. I want to prevent that
05:40 <@dazo> right, then -d 10.20.30.0/24 would be a better (and wider) match
05:40 < cap3lla> but: -d 10.20.30.0/24 did not work. Pings still arrive when I test it
05:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:49 <@dazo> cap3lla: try to use tcpdump on the LAN interface on the VPN client (Bravo) ... see which IP address shows up there on those pings
05:50 < cap3lla> dazo: now it works. I had to kill my openvpn process on BRAVO and restart it. I think it's because the -m conntrack --ctstate NEW part
05:50 <@dazo> could be
05:51 < cap3lla> now I can ping from some.host.siteB to any.host.siteA and get a pong. And pings from notequal.alpha.siteA to notequal.bravo.siteB outputs no PONGS. That's it!
05:51 < cap3lla> thank you so much
05:51 <@dazo> you're welcome!
05:52 < cap3lla> wish you a nice day. Bye
05:52 <@dazo> u2
05:52 < cap3lla> thx :p
05:52 -!- cap3lla [~cap3lla@HSI-KBW-109-192-191-115.hsi6.kabel-badenwuerttemberg.de] has quit [Quit: leaving]
05:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:04 -!- astrozyk [~astrozyk@bflo.corp.synacor.com] has quit [Remote host closed the connection]
06:29 -!- eN_Joy [~zhou3594@zjd2014.srtc.ou.edu] has left #openvpn []
06:46 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Read error: Connection reset by peer]
07:01 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Remote host closed the connection]
07:01 -!- u0m3 [~u0m3@92.80.72.79] has joined #openvpn
07:14 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
08:15 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
08:23 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
08:26 -!- justinzane [~justinzan@host-12-172-184-42.nctv.com] has quit [Read error: No route to host]
08:26 -!- justinzane [~justinzan@12.172.184.42] has joined #openvpn
08:35 -!- Teduardo [~Teduardo@57.0.be.static.xlhost.com] has joined #openvpn
08:35 < Teduardo> is there any way to attach a restful API to openvpn for configuring it?
08:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
09:08 <@Eugene> !management
09:08 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
09:16 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:16 -!- P-NuT [~P-NuT@194.12.3.78] has joined #openvpn
09:17 < P-NuT> Hi all, is it possible to include the certificates inside the .ovpn file or do you have to always define a path to them?
09:19 < Aketzu> yes, it's possible to include them
09:19 < Aketzu> manpage has "inline file support" part
09:20 < Aketzu> !inline
09:20 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
09:23 < micah>  i have my openvpn server configured to setup a ipv6 address, but this fails on systems that have disabled ipv6 (RTNETLINK answers: Permission denied and then ip -6 addr add failed: external program exited with error status: 2) - is there a way I can ask the client not to die when that happens?
09:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
10:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:13 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:14 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
10:21 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:45 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 265 seconds]
10:54 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:57 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
10:58 -!- P-NuT [~P-NuT@194.12.3.78] has quit [Quit: Leaving]
11:11 -!- esde [~esde@unaffiliated/esde] has quit [Disconnected by services]
11:14 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
11:25 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
11:47 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:55 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:01 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:13 -!- DomiX [~dom@rai93-2-82-231-187-222.fbx.proxad.net] has joined #openvpn
12:15 -!- u0m3_ [~u0m3@92.80.72.79] has joined #openvpn
12:17 -!- u0m3__ [~u0m3@92.80.72.79] has joined #openvpn
12:18 -!- u0m3 [~u0m3@92.80.72.79] has quit [Ping timeout: 240 seconds]
12:21 -!- u0m3_ [~u0m3@92.80.72.79] has quit [Ping timeout: 255 seconds]
12:26 < DomiX> hi, I created a tunnel in bridge mode, so far it works. Is this possible to not pass web traffic trought the tunnel ?
12:27 < DomiX> !heartbleed
12:27 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
12:27 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
12:32 -!- u0m3__ is now known as u0m3
12:49 -!- fiasco_averted [glen-a@64.125.189.90] has joined #openvpn
12:50 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
12:51 < NucWin> is it possible to override the metric on the default route openvpn creates in tap mode?
12:52 < NucWin> i tried  'push "route-metric 1"' on its own but didnt have any effect
12:55 < DomiX> I guess it's because in tap mode (bridge) route have no effect ?
12:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:56 < NucWin> if i add 'push "route 10.8.0.0 255.255.255.0"' above it creates a second route with metric as 1 and default gateway as openvpn interface
13:08 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 252 seconds]
13:15 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
13:21 < NucWin> ok another question/ approach. is it possible to get so no routes are added by default so i can manually add the routes i want
13:23 -!- Troggie0092 [~dkorras@105-236-98-18.access.mtnbusiness.co.za] has joined #openvpn
13:24 < Troggie0092> hi all, its me again
13:24 < Troggie0092> I spent the entire day trying the routing thing and nothing is allowing my client's network client pc's communicate with the server LAn clients.
13:24 < Troggie0092> I read up i should add iroute server lan/24 ?
13:27 < Troggie0092> is there anyone who can help me with my setup?
13:28 -!- qwertyoruiop [~hax@93.174.90.31] has joined #openvpn
13:29 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
13:29 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
13:33 < NucWin> sounds like you need to add the gateway and routing info to the dhcp server for the clients not running openvpn
13:34 < Troggie0092> can i give you some form of a flow chart of the network i have and please help me regarding routing
13:35 < Troggie0092> i have tried adding all the routes and nothing seems to work
13:35 < Troggie0092> bascially my "client" VPN server wont be a gateway machine but a seperate machine on the network ..
13:35 < Troggie0092> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
13:35 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
13:36 < Troggie0092> "Using routing and OpenVPN not running on the default gateway"
13:36 < Troggie0092> here is my setup
13:38 < Troggie0092> LAN (192.168.0.0/24) --> (Pfsense OpenVPN Server(eth0 = 192.168.0.1/24) <<===>> eth1 (10.0.0.3/8) ---> Router (10.0.0.1/8) -- Internet --- <--- Router (192.168.1.0/24) <-- Ubuntu openVPN Client (192.168.1.3/24) inline with a switch on the network 192.168.1.0/24
13:38 < Troggie0092> oh the VPN Ip is 10.0.5.0/29
13:40 < Troggie0092> if i set my clients network to use the OpenVPN "client" server as the gateway i can get all the info i need, but as soon as i use the router as the default gateway i cannot ping the Server's lan address
13:41 < NucWin> you need to edit the dhcp server that serves out 192.168.0.0/24 so that it knows the 192.168.0.1 is the default gateway for 10.0.5.0/29
13:42 < NucWin> if you are only using pfsense for vpn duties you shouldnt need 2 interfaces only LAN and TAP
13:42 < Troggie0092> on the server side or the client side?
13:42 < Troggie0092> no the pfsense is firewall, filters, squid etc
13:43 < NucWin> where does dhcp come from?
13:43 < Troggie0092> on the LAN server side a 2008 r2 server and on the clients side i use the router as the DHCP
13:44 < Troggie0092> server 2008 r2 = 192.168.0.0/24 and 192.168.1.0/24 the router
13:44 < NucWin> you need to edit both dhcp's so that the dhcp instructs the clients which lan ip routes the vpn's subnet
13:45 < Troggie0092> i.e add routing to the routing tables?
13:46 < NucWin> yes
13:46 < NucWin> all the clients need to know which network card can route the packets over the vpn
13:46 < Troggie0092> ok that's where i get i have added the following routes to clients network routing table
13:47 < Troggie0092> 192.168.0.0/24 to gateway 192.168.1.3/24 (i.e anything destined for 192.168.0.0 to be sent via the OpenVPN Client server)
13:47 < Troggie0092> and on the server side do it add 192.1681.0/24 via 192.168.0.1/24
13:49 < Troggie0092> what i dont understand is that how come on the client side when i sent the client pc to the openvpn server as a gateway all works and when i set it back to the routers IP it does, surely that means i just need to add a route to the clients router?
13:52 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
13:54 < pcdummy> !heartbleed
13:54 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
13:54 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
14:01 < NucWin> it could be a metrics thing
14:01 < NucWin> try pinging the far side of the vpn but not one of the clients
14:01 < NucWin> if that doesnt work try pinging local side of the vpn
14:01 < NucWin> you need to narrow down how far the packets are getting
14:02 < NucWin> not quite sure why you have gone for two routers tbh
14:02 < Troggie0092> basically site-to-site .. i have clients on both sides
14:03 < Troggie0092> what would you recommend
14:04 < NucWin> pfsense as default gateway at boths ends. internet IP's on both WAN interfaces
14:04 < NucWin> if possible
14:05 < NucWin> also take a look at the output of "route print" on one of your clients
14:06 < Troggie0092> problem is i dont think the clients on the client network know about the vpn only the router is routing the traffic there
14:08 < Troggie0092> is there any possibility of giving me an exmple of what the routing tables should look like
14:08 <@Eugene> Sure, sec.
14:09 <@Eugene> https://gist.github.com/EugeneKay/6e9bca398a0f52e4c645
14:09 <@vpnHelper> Title: gist:6e9bca398a0f52e4c645 (at gist.github.com)
14:10 <@Eugene> This is essentially what we have listed in the !route factoid
14:10 < Troggie0092> thank you
14:10 <@Eugene> That's from one of my company's gateway/router boxen
14:11 < Troggie0092> i have a scenario of a potential client who is looking for a VPN solution to connect 5 of their satelite branches
14:11 <@Eugene> openvpn does that great
14:11 <@Eugene> Hard part is usually getting all the right(good quality) hardware in place
14:11 < Troggie0092> i have 5 ubuntu servers as clients and i have a VM server as the VPN bridge... can you give me the ebst way i would go about doing this?
14:11 < Troggie0092> best*
14:11 <@Eugene> !route
14:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:11 <@vpnHelper> client
14:11 <@Eugene> !clientlan
14:11 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
14:12 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
14:13 <@Eugene> Like I said, openvpn is the hard part. Getting your "client" machines installed properly at each site is usually the trouble
14:14 <@Eugene> The best/easiest way is to make it a generic "linux gateway" box, there are dozens of guides for MASQUERADE nat that are essentially what you want
14:14 <@Eugene> (and throw out whatever garbage WiFi "router" your ISP gives you)
14:14 < Troggie0092> would pfsense server box be the best server for OpenVPN Bridge?
14:14 <@Eugene> I've not used pfsense myself. It is highly recommended by others in here
14:15 <@Eugene> I was raised with Red Hat since being a wee lad; CentOS is the linux flavor I roll with now
14:16 < Troggie0092> do you know if i can add iroute to pfsense openvpn? probably in the advanced box
14:16 <@Eugene> Beats me.
14:16 < Troggie0092> pfsense is a BSD distro .. as far as i know
14:17 < Troggie0092> i suppose this is going to be a trial and error experience .. once i know exatly how it works
14:18 <@Eugene> Best way, yup.
14:18 < Troggie0092> thank you for all your help
14:19 < Troggie0092> another thin, sorry man.
14:19 < Troggie0092> thing*
14:19 < Troggie0092> on the router of the clients LAN, do i add the local Ip of the other networks and route it via the local ip of the VPN "client" gateway
14:21 <@Eugene> The idea is that the LAN machines behind each client don't know anything about the VPN
14:21 <@Eugene> Their "default" route via the gateway/vpn client covers it
14:22 <@Eugene> The gateway knows in its ruting table to send vpn-specific traffic via the server, or out to the internet at large.
14:22 <@Eugene> And then the server has a list of client-->LANs(the iroute ccd entries in the wiki guide above) so it knows how to get the traffic to the right place
14:23 <@Eugene> Note: you do NOT want a bridge. Common first mistake.
14:23 < Troggie0092> so basically 192.168.0.0/24 ==> 192.168.1.3/24 (LAN ip of OpneVPN server)
14:23 <@Eugene> (and by bridge, I mean ethernet bridging, aka br0)
14:23 <@Eugene> Don't need to have a LAN behind the server at all if you don't want to
14:24 <@Eugene> It's a hub+spoke network, essentially
14:24 < Troggie0092> i need to have LAN behind the client VPn server because it's an entire branch of people
14:24 <@Eugene> When I say "vpn server" I mean your VPS that glues it all together
14:25 < Troggie0092> the reason i want the VPS server is because the client is looking for a proxy server and SARG reports for traffic on the net
14:26 < Troggie0092> all other traffic must be sent via the local gateway and only internet traffic via the VPn and windows folder sharing via PN
14:27 <@Eugene> Yup, that's the idea.
14:27 < Troggie0092> so the VPS is still a good idea?
14:27 <@Eugene> Yeah, have a central location with high bandwidth & low latency
14:27 <@Eugene> ALso, you say windows. Is this a Workgroup or a Domain?
14:27 < Troggie0092> that's exactly what I have .. its a workgroup
14:28 <@Eugene> !wins
14:28 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
14:28 <@Eugene> You'll want to set that up so \\name will "just work"
14:28 < Troggie0092> all 5 branches arent on domains, just single machines on a lLAN
14:28 <@Eugene> Or, realistically, go get a Server license and build a domain.
14:28 <@Eugene> Initial setup is a pain, but worth it.
14:29 < Troggie0092> i will add that to the proposal when i have a meeting with him
14:29 < Troggie0092> man i cant thank you for all the advice
14:30 < Troggie0092> i just hope what i have as the image to get it to work.. actually works ..
14:32 <@Eugene> Sounds like you have the right idea
14:32  * Eugene wanders off to family.
14:33 < Troggie0092> thanks man i cannot thank you enough
14:33 < Troggie0092> many many thanks!
14:39 -!- dazo is now known as dazo_afk
14:43 -!- Troggie0092 [~dkorras@105-236-98-18.access.mtnbusiness.co.za] has quit [Quit: Leaving]
14:44 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Olipro
14:45 -!- kirin` [telex@gateway/shell/anapnea.net/x-roftipmipdhlcrmn] has quit [Read error: Connection reset by peer]
14:45 -!- qwertyoruiop [~hax@93.174.90.31] has quit [Ping timeout: 245 seconds]
14:51 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:52 -!- le0 [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
14:52 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
14:55 -!- Netsplit over, joins: fred``, Ulrar
14:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:01 -!- joshh20-Away is now known as joshh20
15:07 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:09 < NucWin> is it possible to override the metric on the default routes?
15:10 < NucWin> preferably in server or client configs but somewhere else in windows would be fine as long as its peristant
15:11 < NucWin> i can get it working by adding extra routes but cant seem to affect the default routes
15:17 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
15:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
15:19 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:32 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:34 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
15:35 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
15:35 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:39 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Client Quit]
15:40 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
15:46 -!- DomiX [~dom@rai93-2-82-231-187-222.fbx.proxad.net] has quit [Quit: Quitte]
15:51 -!- soapee01_ is now known as soapee01
15:53 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
15:53 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
15:55 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
16:04 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
16:04 < NucWin> how can i run "iptables -A INPUT -j DROP -i tap0" after the tap0 interface has been created?
16:05 -!- Eugene [eugene@badcryp.to] has quit [Ping timeout: 252 seconds]
16:07 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 245 seconds]
16:15 < rob0> iptables(8) -i/-o does some minimal checking to see that the string given COULD be an interface name, but it does not verify that it IS an actual interface. Try it yourself: "iptables -vA INPUT -i invalidif"
16:17 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
16:18 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
16:19 < NucWin> nice thanks just added it to rc.local
16:19 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:20 < NucWin> i had been trying to add it to /etc/network/interfaces as an up statement but that didnt seem to ever run it
16:20 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:32 < pekster> NucWin: IMO, that's far less useful than just putting it in your OS firewall setup to begin with and naming the interface statically
16:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
16:34 < pekster> Debian developers are more interested in fighting than coming up with a real solution, but you can see the iptables-persistent package, or my far simplier solution here: https://github.com/QueuingKoala/distro-scripts/blob/master/ubuntu/netfilter/05-iptables
16:34 <@vpnHelper> Title: distro-scripts/ubuntu/netfilter/05-iptables at master · QueuingKoala/distro-scripts · GitHub (at github.com)
16:40 -!- Eugene [eugene@badcryp.to] has joined #openvpn
16:49 -!- Eugene [eugene@badcryp.to] has quit [Ping timeout: 245 seconds]
16:54 -!- Eugene [eugene@badcryp.to] has joined #openvpn
16:57 -!- joshh20 is now known as joshh20-Away
17:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:16 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:26 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
17:44 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
18:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
18:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:34 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:42 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
18:42 -!- fiasco_averted [glen-a@64.125.189.90] has quit [Read error: Connection reset by peer]
18:48 -!- fiasco_averted [glen-a@64.125.189.90] has joined #openvpn
19:03 -!- Intensity [mgw1-4eRNd@unaffiliated/intensity] has quit [Ping timeout: 255 seconds]
19:15 -!- joshh20-Away is now known as joshh20
19:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
19:24 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
19:24 < Soliah> !welcome
19:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:25 < Soliah> !route
19:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:25 <@vpnHelper> client
19:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
19:29 < Soliah> !serverlan
19:29 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
19:29 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
19:47 <@krzee> Soliah, did the bot help you get it figured out?
19:48 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
19:53 < Soliah> krzee still reading :)
19:58 < Soliah> !route
19:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:58 <@vpnHelper> client
19:58 < Soliah> !route_outside_openvpn
19:58 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
20:05 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 258 seconds]
20:10 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
20:10 <@krzee> Soliah++
20:10 <@krzee> =]
20:15 -!- joshh20 is now known as joshh20-Away
20:20 -!- pisto [~pisto@95.85.48.85] has joined #openvpn
20:20 < pisto> !openvz
20:20 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
20:25 -!- fiasco_averted [glen-a@64.125.189.90] has quit [Quit: Leaving.]
20:29 < Soliah> krzee figured it out :) Had the wrong route setup in the private LAN's gateway.
20:32 <@krzee> good job man!
20:33 <@krzee> i love when people properly use the bot and solve their own problem like that, especially a problem such as the one you had which really does take a bit of troubleshooting
20:53 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:12 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
21:38 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
21:49 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
22:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:17 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
22:29 -!- KaaK [~kelledge@ip98-164-6-237.ks.ks.cox.net] has joined #openvpn
22:30 < KaaK> I'm having a terrible time getting a know-working (on linux, ios) config to work on windows... the logs tell me it can not find my certs and keys, despite trying ever possible way of specifying them
22:31 <@krzee> !winpath
22:31 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key" or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
22:31 < KaaK> ive tried both forward and back slashes, both quoted and unquoated
22:32 <@krzee> show me logs of it while its how the bot said, also show the config
22:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:34 -!- mode/#openvpn [+v s7r] by ChanServ
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:56 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
23:07 -!- KaaK [~kelledge@ip98-164-6-237.ks.ks.cox.net] has quit [Remote host closed the connection]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:41 -!- ShadniX [dagger@p5DDFE962.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:42 -!- ShadniX [dagger@p5DDFED37.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed May 14 2014
00:56 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
01:08 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has quit [Quit: mirco]
01:11 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has joined #openvpn
01:17 -!- dazo_afk is now known as dazo
01:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:37 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
01:37 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
01:48 -!- busch [~busch@datenschleuder.com] has quit [Quit: Bye]
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:12 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:12 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
02:26 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has joined #openvpn
02:38 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
02:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:12 -!- Poster|x [~poster@cpe-184-57-112-154.columbus.res.rr.com] has quit [Remote host closed the connection]
03:15 -!- dazo is now known as dazo_afk
03:20 -!- Clone [~Clone@2001:470:d3a1::fa:cade] has joined #openvpn
03:20 < Clone> !welcome
03:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:21 < Clone> !goal
03:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:22 < Clone> I would like to have my openvpn server accept udp, but also tcp as fallback. Does this mean I have to configure two seperate openvpn daemons (I know this was the case in the past)?
03:26 <@plaisthos> Clone: yes
03:26  * Clone snaps his fingers.
03:26 < Clone> thanks.
03:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-ltxlkdkyictbokgc] has joined #openvpn
03:40 -!- pisto [~pisto@95.85.48.85] has left #openvpn ["Leaving"]
03:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
04:06 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has quit [Ping timeout: 250 seconds]
04:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:25 -!- defswork [~andy@141.0.50.105] has joined #openvpn
05:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:11 -!- Teduardo [~Teduardo@57.0.be.static.xlhost.com] has quit []
06:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
06:33 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:41 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
06:42 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
06:48 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
06:55 -!- zetheroo1 [~zeth@2a02:1205:5013:d350:8cc6:ff2f:e6f6:c129] has joined #openvpn
06:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:57 < zetheroo1> I think I have gotten an openvpn connection connected, however I am not able to ping remote IP's or hostnames ... this is what my connection output looks like: http://paste.ubuntu.com/7462355/
06:58 < zetheroo1> I have been struggling with this for weeks. And assistance is greatly appreciated
07:00 < zetheroo1> output of route: http://paste.ubuntu.com/7462367/
07:01 < zetheroo1> my config file: http://paste.ubuntu.com/7462369/
07:02 < zetheroo1> output of ifconfig: http://paste.ubuntu.com/7462383/
07:04 < zetheroo1> last bit of syslog: http://paste.ubuntu.com/7462393/
07:05 < zetheroo1> Not sure what else is needed ...
07:08 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
07:26 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
07:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
07:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:48 -!- BlackBishop [~dexter@84.232.192.141] has joined #openvpn
07:50 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 252 seconds]
07:52 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:54 < BlackBishop> Can anyone take a look at .. http://pastebin.com/5BLCNK7r .. There's something I'm probably doing wrong with the route
07:55 < BlackBishop> I don't see the packets on the client interface, altough I can see them on the server tun0 interface ..
08:08 -!- BlackBishop [~dexter@84.232.192.141] has quit [Ping timeout: 252 seconds]
08:11 -!- BlackBishop [~dexter@84.232.192.237] has joined #openvpn
08:17 < defswork> BlackBishop, you have to have a iroute
08:17 < defswork> so openvpn will allow remote subnet traffic
08:17 < BlackBishop> on the client or the server ?
08:17 < defswork> and learn the ips behind it
08:17 < defswork> server
08:17 < defswork> you are trying to route a client side subnet yes ?
08:18 < BlackBishop> nope, a server side subnet !
08:18 < defswork> why are you adding a route on the server then ?
08:18 < BlackBishop> There is class/29 which should get to the client and the client to be use it in his network
08:18 < defswork> down the vpn tunnel
08:18 < defswork> you are routing backwards
08:18 < BlackBishop> nope .. I have a dynamic ip
08:19 < BlackBishop> I also have access to a server which has a class from which I want to route a /29 to the client via openvpn
08:19 < BlackBishop> so I can use the static ips on the client's network :)
08:19 < defswork> On the server I have this:
08:19 < defswork> openvpn # ip ro add 89.43.class/29 via 10.8.0.8 dev tun0
08:20 < defswork> what are you trying to do with that then ?
08:20 < defswork> that tells your server that to get to 89.43 chuck the packets to 10.8.0.8
08:20 < BlackBishop> YES !
08:20 < BlackBishop> perfect ..
08:20 < BlackBishop> but I don't see them on the tun0 client side interface
08:21 < defswork> so 89.43 is on the client side ?
08:21 < BlackBishop> yes, that part
08:21 < defswork> ok - lets start again
08:21 < defswork>  you are trying to route a client side subnet yes ?
08:22 < BlackBishop> :| .. yes ? :)
08:23 < defswork> in the ccd file for client's cn add iroute 89.43.x.y 255.255.255.248
08:23 < defswork> use the correct IP addresses
08:23 < defswork> this tells openvpn that 89.43.x.y/29 is ----> over there! and to allow the traffic through
08:24 < BlackBishop> ok .. one sec ! :D
08:25 < BlackBishop> Can I PM you a sec ?
08:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:39 -!- mattock is now known as mattock_afk
08:40 < BlackBishop> So, for the record .. I needed the iroute in ccd/dexter and also the ip ro add .. thing :)
08:41 < Popsikle> anyone have any luck getting a chromebook to connect to openvpn with tls enabled?
08:44 < rob0> chromebook is what, a Linux? Should work fine if the tun module is enabled & loaded.
08:50 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:04 < Eugene> I don't own one(my mother does). Never set it up, but I have heard people doing it in here.
09:05 < Eugene> I know you need to have Developer mode enabled, and then fiddle with your tun devices
09:05 < Eugene> Honestly though, it's meant to be an appliance machine, not a general purpose linux box. It's locked-down by design
09:07 < zetheroo1> can anyone help with my issue?
09:19 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 276 seconds]
09:20 -!- jtrucks_ is now known as jtrucks
09:20 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:30 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 265 seconds]
09:30 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:43 < defswork> zetheroo1, what issue ?
09:59 < zetheroo1> defswork: I posted a bunch of info earlier ... but maybe nobody saw it ...
10:00 < defswork> in brief - what is your setup ?
10:00 < defswork> not config but what you are trying to do
10:01 < zetheroo1> trying to connect to the openvpn connection at work from home
10:01 < defswork> if you cannot ping IPs then check client has routes to IPs, check that openvpn know about the subnet it's sharing
10:01 < defswork> check that you have ip_forwarding enabled
10:02 < defswork> you are changing the default gateway on the clients ?
10:02 < zetheroo1> thing is that it was working before performing a fresh install of Ubuntu 14.04 .... and I didn't do anything special to get it working before ...
10:02 < defswork> you have ip_forward set ?
10:03 < zetheroo1> not that I know of
10:03 < defswork> net.ipv4.ip_forward=1 in /etc/sysctl.conf
10:03 < zetheroo1> from Windows it seems to work out of the box with the OpenVPN client ... but in Linux its not that way
10:04 < defswork> you've lost me now
10:04 < defswork> so it's a client only issue ?
10:04 < defswork> you have other clients working ok ?
10:04 < zetheroo1> users are using this connection in Windows with the OpenVPN client and its working great
10:04 < zetheroo1> but I use Linux :P
10:05 < defswork> using ubuntu's built in openvpn config ?
10:05 < defswork> network manager plugin ?
10:05 < zetheroo1> yes and no ...
10:05 < zetheroo1> I used the network manager with Ubuntu 12.04 and it worked great ...\
10:05 < zetheroo1> in 14.04 I can only connect and then nothing more
10:05 < defswork> Wed May 14 13:47:45 2014 /sbin/ip addr add dev tun0 local 10.0.100.6 peer 10.0.100.5
10:05 < defswork> RTNETLINK answers: Invalid argument
10:05 < defswork> Wed May 14 13:47:45 2014 ERROR: Linux route add command failed: external program exited with error status: 2
10:06 < defswork> that is your problem
10:06 < zetheroo1> so I tried the manual method within /etc/openvpn/
10:06 < zetheroo1> and it also connects but then also nothing more
10:07 < zetheroo1> I read a lot about routing and there seems to be a route missing ... I just don't know what should be routed to what
10:08 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
10:08 < zetheroo1> should my 192.168.1.0 traffic be routed to 10.0.100.5 ?
10:08 < defswork> that depends on your subnets and routes
10:08 < zetheroo1> my local subnet is 192.168.1.0
10:09 < zetheroo1> the remote ip I am connecting to seems to be 10.0.100.5
10:09 < zetheroo1> and the tun is given 10.0.100.6
10:09 < zetheroo1> if I am reading the info I posted above correctly ...
10:09 < zetheroo1> which I may very well not be :P
10:10 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
10:10 < defswork> it's failing
10:12 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:13 < zetheroo1> ah ... that worked! I added the above route in the network manager in the openvpn profile and now I can ping remote hosts :)
10:20 -!- Intensity [eLAOKFFdr_@unaffiliated/intensity] has joined #openvpn
10:25 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]
10:25 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 258 seconds]
10:26 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
10:26 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 258 seconds]
10:26 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:27 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
10:27 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
10:27 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
10:29 -!- zetheroo1 [~zeth@2a02:1205:5013:d350:8cc6:ff2f:e6f6:c129] has left #openvpn []
10:29 -!- inad922 [~dani@109-74-55-203.acetelecom.hu] has joined #openvpn
10:29 < inad922> hello
10:30 < inad922> I use openvpn to connect to the network that the company I work with is using
10:30 < inad922> The problem is that it doesn't add the dns server to resolv.conf
10:30 < inad922> How can I make it do that by modifying the configuration file?
10:32 -!- BlackBishop [~dexter@84.232.192.237] has quit [Remote host closed the connection]
10:34 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
10:39 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:48 -!- jmpf [~jmpf@66-162-33-27.static.twtelecom.net] has joined #openvpn
10:54 <@krzee> inad922, what OS are you using?
10:54 <@krzee> nevermind resolv.conf obviously a linux or unix
10:54 <@krzee> !pushdns
10:54 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:54 <@krzee> see #4
10:54 <@krzee> well #3 and #4
10:55 < inad922> krzee: Arch linux
10:55 < inad922> uh
10:56 < inad922> Ok I try to find this pushdns in the doc's config section
10:57 < inad922> you mean I have to add something like this -> push “dhcp-option DNS 10.10.49.1″ to the config file?
10:58 < jmpf> not quite an openvpn question but hoping someone might know - I have a vpn connection between aws ireland/norcal and that works fine for the client but I'd like other instances on the client network to access it as well - I added a gw route to the client and allowed ip forwarding but it doesn't seem to be coming through the client so I can forward it out the vpn connection
10:59 < inad922> well that config line didn't really worl
10:59 < inad922> work*
11:03 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 258 seconds]
11:04 < reiffert> jmpf: run nat on the client.
11:05 < reiffert> jmpf: and dont forget to tell the client lans gateway to direct these packages to the client by adding a static route. and you should be all set.
11:06 < jmpf> reiffert: yeh - I thought I was doing that but I guess I must've screwed something up
11:06 < reiffert> ah well .. then simply fix it.
11:07 < jmpf> heh! one thing I noticed -- http://pastie.org/private/cvqb1fy2x92epkc78rzdzw I'm going to switch out those subnets to diff. one but could that first 10.0.0.0 route be blocking the two I added underneath it?
11:07 < jmpf> I was under the impression that since the destination path is more explicit it'd take priority
11:08 < reiffert> this is your vpn client, the lan gateway, the other client in the same lan as the vpn client?
11:09 < reiffert> A B or C?
11:09 < reiffert> god damnit it cant take you so long to reply
11:10 < jmpf> this is a host I'm trying to piggy back on the vpn client connection -- ip-10-0-0-217 is the client
11:10 < reiffert> I'm assuming C
11:10 < jmpf> right
11:10 < reiffert> jmpf: remove everything that you did to C
11:10 < reiffert> let it talk to its LAN gateway
11:10 < reiffert> on your LAN gateway add  a static route:
11:11 < reiffert> route add -net vpn.subnet 255.255.255.0 gw lanipofvpnclient
11:11 < reiffert> so have B point to A when C wants to talk to the vpn
11:12 < reiffert> on A do iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
11:12 < reiffert> done
11:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
11:13 < reiffert> C will send a "will talk to vpn subnet" packet to B
11:13 < reiffert> B will tell it to go to A via icmp redirect
11:13 < reiffert> C will send it to A
11:13 < reiffert> A will know where to go and NAT the packet
11:13 < reiffert> the return packet will make it through the nat table and A will know how to get to C
11:13 < reiffert> s,will,want,
11:14 < reiffert> dont tell me it doesnt work. It's your fault.
11:14 < jmpf> heh,thnx
11:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:23 -!- inad922 [~dani@109-74-55-203.acetelecom.hu] has quit [Quit: Leaving]
11:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
11:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:33 <@krzee> basically that is: !route_outside_ovpn and !linnat
11:33 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:33 < reiffert> krzee: impressive, how could you know that?
11:34 < reiffert> :D
11:34 <@krzee> you taught me how to make the graph at !route_outside_ovpn
11:35 < reiffert> I remember some dotgraph foo
11:38 < reiffert> it took me 6 hours today to struggle with dummy bad bullshit templating shit that comes with cacti.
11:39 < reiffert> The scripting itself has been fun but clicking the webui .. drove me crazy
11:39 < reiffert> time to bug their irc channel
11:48 -!- slooth [~sl@unaffiliated/slooth] has joined #openvpn
11:49 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:49 -!- slooth [~sl@unaffiliated/slooth] has left #openvpn []
11:55 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:08 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:09 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:10 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:23 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
12:29 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:30 -!- mode/#openvpn [+v s7r] by ChanServ
12:37 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
12:52 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:59 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
13:03 -!- jmpf [~jmpf@66-162-33-27.static.twtelecom.net] has quit [Quit: leaving]
13:43 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:02 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 245 seconds]
14:08 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:24 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:53 -!- joshh20-Away is now known as joshh20
15:03 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
15:06 -!- u0m3_ [~u0m3@92.80.72.79] has joined #openvpn
15:09 -!- u0m3 [~u0m3@92.80.72.79] has quit [Ping timeout: 252 seconds]
15:24 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:39 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
15:52 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
16:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:08 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has quit [Ping timeout: 245 seconds]
16:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
16:09 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
16:20 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has joined #openvpn
16:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
16:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:50 -!- Cultist [~CultOfThe@c-67-186-111-33.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
16:52 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:58 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 250 seconds]
17:00 -!- webx [~billb@107.1.75.186] has joined #openvpn
17:01 -!- webx [~billb@107.1.75.186] has left #openvpn []
17:05 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:10 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
17:12 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:16 -!- webx [~billb@107.1.75.186] has joined #openvpn
17:21 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
17:24 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:28 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
17:29 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
17:29 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
17:35 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
17:41 -!- webx [~billb@107.1.75.186] has left #openvpn []
17:48 -!- webx [~billb@107-1-75-186-ip-static.hfc.comcastbusiness.net] has joined #openvpn
17:48 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:01 -!- webx [~billb@107-1-75-186-ip-static.hfc.comcastbusiness.net] has quit [Quit: Lost terminal]
18:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:04 -!- fred`` [fred@earthli.ng] has quit [Quit: +++ATH0]
18:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
18:27 -!- fred`` [fred@earthli.ng] has joined #openvpn
18:33 -!- u0m3_ [~u0m3@92.80.72.79] has quit [Ping timeout: 240 seconds]
18:42 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
18:51 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
19:40 -!- joshh20 is now known as joshh20-Away
19:45 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Quit: ||||||||||||||||||||||||||||||||||||||||||||||| 99%]
19:47 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
19:54 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
19:54 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Max SendQ exceeded]
19:56 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
19:59 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
20:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
20:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:26 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
20:28 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
20:56 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
21:11 < akurilin> I have a problem. All of the machines in an AWS VPC subnet are happily talking to my office network through the openvpn server, but one of them for some reason will not comply. Can't ping it at all through the tunnel
21:11 < akurilin> local machines in the network can though
21:12 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:15 < akurilin> Ok DERP, apparently that machine had an openvpn server installed on it, so 10.8.0.1 was not what I was hoping :)
21:16 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
21:18 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
21:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
22:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:30 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
22:34 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Read error: Connection reset by peer]
22:35 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has joined #openvpn
23:21 < pekster> akurilin: Yea, if you want a lower-risk of network collisions, consider random subnets:
23:21 < pekster> !randomsubnet
23:21 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
23:30 < akurilin> That's cool, good to know about that one
23:34 < pekster> Works in many/most modern shells (bash, mksh, zsh, dash, and many others)
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:40 -!- ShadniX [dagger@p5DDFED37.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:42 -!- ShadniX [dagger@p5DDFCF1A.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu May 15 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:53 -!- Latrina [~Latrina@ppp-135-10.26-151.libero.it] has quit [Ping timeout: 276 seconds]
00:57 -!- Latrina [~Latrina@adsl-ull-53-223.50-151.net24.it] has joined #openvpn
01:07 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
01:09 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
01:09 -!- mode/#openvpn [+v hazardous] by ChanServ
01:24 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 258 seconds]
01:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:39 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
01:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
02:03 -!- raspberrypifan [~textual@71-22-220-224.gar.clearwire-wmx.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:05 < svg> NucWin: see    --up   Executed after TCP/UDP socket bind and TUN/TAP open
02:05 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:06 < svg> urf, sorry, my chat log was scrolled back it appeared, answwering something old :)
02:15 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
02:16 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:23 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:43 -!- dazo_afk is now known as dazo
06:30 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has quit [Quit: mirco]
06:31 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has joined #openvpn
06:49 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:59 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has joined #openvpn
07:00 < tarnfeld> hey - has anyone successfully setup OpenVPN <> Amazon VPC?
07:00 < tarnfeld> I’ve been following https://docs.openvpn.net/how-to-tutorialsguides/administration/extending-vpn-connectivity-to-amazon-aws-vpc-using-aws-vpc-vpn-gateway-service/ but having trouble
07:00 <@vpnHelper> Title: Extending VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway Service | Documentation (at docs.openvpn.net)
07:04 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
07:04 -!- zapotek6 [~zap@mail.comelit.it] has left #openvpn []
07:15 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
07:20 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
07:22 < Suterusu> Hi, I'm aware this isn't precisely an OpenVPN issue,  But would anyone know how to enforce the VPN's gateway is used, after disconnection from the VPN? (so, unsolcitied disconnection results in 0 traffic leaving the local system. ie: network transport only possible over VPN) Or at least somewhere where one could learn such trickery?
07:28 -!- xsyn [~Adium@105-236-99-52.access.mtnbusiness.co.za] has joined #openvpn
07:28 < xsyn> Please could someone help me, I've been struggling with this all day.
07:28 < xsyn> http://pastebin.com/JCV7wNCK
07:28 < xsyn> My confs are there
07:28 < xsyn> with routes
07:29 < xsyn> Everything seems to work
07:29 < xsyn> it connects
07:29 < xsyn> but I can't ping even the local interface
07:29 < xsyn> nevermind the servers local interface
07:29 < xsyn> so the client ip is 192.168.1.2
07:29 < xsyn> I cannot ping that
07:29 < xsyn> nor can I ping the server
07:29 < xsyn> any ideas?
07:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
08:02 -!- xsyn [~Adium@105-236-99-52.access.mtnbusiness.co.za] has quit [Ping timeout: 240 seconds]
08:06 -!- xsyn [~Adium@105-236-99-52.access.mtnbusiness.co.za] has joined #openvpn
08:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:19 -!- xsyn [~Adium@105-236-99-52.access.mtnbusiness.co.za] has quit [Ping timeout: 245 seconds]
08:20 -!- xsyn [~Adium@105-236-99-52.access.mtnbusiness.co.za] has joined #openvpn
08:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
08:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:29 -!- xsyn [~Adium@105-236-99-52.access.mtnbusiness.co.za] has quit [Read error: Connection reset by peer]
08:32 -!- Turn_Left [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
08:35 -!- Kingsy [~chris@unaffiliated/kingsy101] has joined #openvpn
08:35 < Kingsy> I have just setup openvpn server.. I was hoping for a few pointers.
08:35 < Kingsy> if someone is around
08:37 < svg> Kingsy: just ask
08:38 < Kingsy> well, the server is setup.. there is a tun0 adaptor listed in ifconfig... what ports do I need to open and forward to the server machine?
08:39 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
08:41 < Kingsy> is it even possible to test openvpn from inside the network? that would be useful
08:44 < Kingsy> its strange tho, I don't remember the server being like this last time I set one up.. does it have a web interface?
08:45 -!- LordDrako [~felix@dslb-088-074-088-023.pools.arcor-ip.net] has joined #openvpn
08:46 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has quit [Quit: tarnfeld]
08:48 < rob0> How can anyone possibly tell you what ports to open and forward? We don't know what you want to do.
08:51 < Kingsy> I just want to connect to my openvpn server.. I vaguely remember there being a web interface for the server?
08:52 < rob0> so your server is behind NAT, and you want to connect to it from outside?
08:52 < rob0> No, there is no "web interface".
08:53 < rob0> By default openvpn listens on UDP port 1194.
08:53 < rob0> If you changed that default, you would want to forward the protocol:port you changed it to.
08:54 < rob0> Typically you'd want UDP port 1194.
08:57 < Kingsy> yeah its set to 1194 in the config there
08:57 < Kingsy> so is there a way of testing this locally?
08:57 < Kingsy> umm I am trying to think if I have a machine I can remote into
09:05 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:05 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:07 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
09:13 -!- u0m3 [~u0m3@92.80.99.171] has joined #openvpn
09:13 < chrisb> pekster: can i use easyrsa3 with new x509-types/ files to create PKINIT cert requests for kerberos?  http://k5wiki.kerberos.org/wiki/Pkinit_configuration
09:13 <@vpnHelper> Title: Pkinit configuration - K5Wiki (at k5wiki.kerberos.org)
09:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:29 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has joined #openvpn
09:58 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
09:59 < kami> Hello #openvpn
09:59 < kami> I have a strange problem with openvpn 2.3.2 on openwrt
10:00 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 240 seconds]
10:00 < kami> The connection is brought up, I see 'initialization sequence completed' in the log
10:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:01 < kami> ping from client to server appears in tcpdump of the tun device on the server
10:01 < kami> response udp packets can be captured at the public interface of the client
10:02 < kami> but no icmp packets come out of the tun device on the client
10:07 -!- Svenska [~Svenska@piratenpartei/st/Svenska] has joined #openvpn
10:08 < Svenska> hi. i'm running a small VPN (1 server, 2 clients) using server-bridge and would like to assign static IPs to both clients
10:08 < Svenska> right now the first client connecting grabs the first free address of the pool, which is somewhat annoying
10:09 < kami> Svenska: create a /etc/openvpn/clients directory on the server
10:09 < Svenska> i have. it seems to be ignored and i don't know why
10:09 < kami> do you have client-config-dir in your server config?
10:09 < Svenska> the file /etc/openvpn/clients/qnap contains one line: "ifconfig-push 10.252.252.14 255.255.255.0" (which is part of the pool)
10:10 < Svenska> yes, "client-config-dir /etc/openvpn/clients"
10:10 < Svenska> the log does not show anything being used on the server
10:10 < kami> and the certificate name is qnap ?
10:10 < Svenska> CN, yes
10:11 < kami> do you have messages in syslog?
10:11 < Svenska> the log states "ovpn-openvpn[pid]: xx.xx.xx.xx:xxxx [qnap] Peer Connection Initiated with [AF_INET]xx.xx.xxx.x"
10:12 < Svenska> so I assume "qnap" is correct
10:12 < kami> in my syslog, the immediately next line is
10:13 < kami>  OPTIONS IMPORT: reading client specific options from: clients/<CN>
10:13 < Svenska> that's interesting... to me there is no line after that...
10:13 < Svenska> do I need to make the ccd world-readable?
10:13 < kami> let me chek my verb setting
10:14 < kami> verb 3
10:15 < Svenska> much log output, i'll check
10:15  * kami checks the permissions of the clients dir
10:16 < Svenska> well, it does not try to read client configuration
10:16 < Svenska> it gets a PUSH_REQUEST though, with the default ip from the pool ...
10:16 < kami> drwx------   2 root root     60 2014-05-12 09:00 clients
10:18 < Svenska> is it a problem that i'm running with "server-bridge" and no special other features?
10:18 < Svenska> (on the server tap0 is not bridged to anything, especially not to the internet)
10:20 < kami> Svenska: I don't use server-bridge, so cannot comment on that
10:21 < Svenska> relevant parts:
10:21 < Svenska> server-bridge 10.252.252.1 255.255.255.0 10.252.252.10 10.252.252.50
10:21 < Svenska> ifconfig 10.252.252.1 255.255.255.0
10:21 < Svenska> client-to-client
10:22 < Svenska> dev tap
10:22 < Svenska> --> that's all
10:27 < kami> Svenska: that's my config http://pastie.org/9178868
10:27 < kami> if that helps
10:29 < Svenska> mh, maybe i can use the persistent-stuff instead...
10:29 < Svenska> if it works with bridges
10:30 < kami> never tried
10:30 < kami> (with bridges, that is)
10:31 < Svenska> seems to work
10:31 < Svenska> yes, works. :-D
10:31 < Svenska> thanks for the hint and your help!
10:32 < Svenska> unfortunately it requires the static leases to be inside the IP pool
10:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:36 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 255 seconds]
10:36 < kami> Svenska: is that a big problem?
10:36 < Svenska> no
10:36 < kami> :)
10:36 < Svenska> do you understand the easy-rsa index stuff?
10:36 < kami> I have used easy-rsa in the past but don't know what 'index stuff' is?
10:36 < Svenska> i have some old certificates on the server, where the machines don't exist anymore
10:37 < Svenska> revoking those certificates would be useless, but removing them... i don't know if i can do it
10:37 < Svenska> because i have 0{1,2,3,4}.pem and index.{txt,txt.attr} and so
10:38 -!- pisto [~pisto@95.85.48.85] has joined #openvpn
10:38 < pisto> hello. is there a way to have iptables u32 or bpf style matches in openvpn?
10:39 < pisto> I need to discard some packets that match some patterns, but unfortunately my vps is openvz based and I don't have the right xtables module loaded
10:39 < Svenska> anyway, it works now and i can generate new keys when i can access the machines without the VPN. :-D
10:39 < Svenska> thank you!
10:39 < kami> Svenska: I don't know. I always use names for the certificates which I (or a colleague) can recognise.
10:39 < Svenska> yeah, i didn't do that some years ago :-D
10:52 -!- LordDrako [~felix@dslb-088-074-088-023.pools.arcor-ip.net] has quit [Quit: Verlassend]
10:52 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
10:53 -!- Svenska [~Svenska@piratenpartei/st/Svenska] has quit [Quit: Verlassend]
10:57 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:01 -!- pisto [~pisto@95.85.48.85] has left #openvpn ["Leaving"]
11:04 < pekster> kami: I saw OP left, but if you're curious you can technically duplicate CN (or even the full DN) in your certs, but you shouldn't. OpenSSL won't let you by default, but it is possible. Certs are uniquely identified by the serial number which may not overlap (you'd have to do clever manipulation of the index DB to do that, and that would be Very Bad)
11:05 < pekster> If you were curious
11:09 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has joined #openvpn
11:11 < kami> pekster: thank you for the heads up
11:11 < kami> I usually revoke certs.
11:12 < kami> pekster: have you read my question about my own problems?
11:15 < pekster> You verified that the server is sending the icmp-echo-reply back out its tun device? Some of the inbound UDP stuff will be keepalive traffic
11:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 258 seconds]
11:18 < kami> pekster: I /think/ I verified that bit, too, but let me check again.
11:22 < kami> I just pinged the client from the server: icmp packets go out through the tun device.
11:27 < kami> pekster: watching the log without pinging, I can see the keepalive traffic. When I start pinging, additional packets (with different size) come in one per second. After the ping count, the pattern returns back to keepalive packets every 10 seconds
11:33 < pekster> And you don't see them on the client's tun interface? The echo-reply packets?
11:33 < pekster> Outside of something where the packet is dropped (due to failing a security check, like the HMAC signature) what comes in should be decrypted and handed to the tun device
11:33 < pekster> A firewall might drop them, but tcpdump will still show them anyway
11:34 < kami> pekster: the packets appear at the UDP port of the external interface, the openvpn log at verb 9 says that they are read.
11:34 < kami> but then don't appear in the INPUT chain of iptables
11:34 < kami> s/then/they/
11:35 < kami> I added a LOG entry in iptables
11:35 < kami> for any icmp packet
11:35 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
11:35 < pekster> Don't "Append"
11:35 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 255 seconds]
11:35 < pekster> If you need Netfilter ruleset help, you generally need to paste the entire ruleset; conntext and ordering matter. `iptables-save -c`
11:36 < pekster> #Netfilter will tell you the same thing ;)
11:36 < kami> pekster: I used iptables -I INPUT 1
11:36 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
11:36 < kami> and I see log entries of other icmp packets
11:36 < pekster> that should work so long as it's not dropped in the raw table or similar
11:36 < kami> pekster: I see.
11:37 < pekster> That's usually a bad idea, but you can use it for useful things like "early-drop" before packets consume resources in conntrack
11:37 < kami> pekster: is there a way to make openvpn report whether the packet is unpacked and passed on?
11:37 < pekster> verb 5 shows that
11:37 < pekster> Don't use 9; levels above 5 are for developers who build special debug-enabled builds
11:38 < kami> OK. I'll revert to 5 and try again
11:38 < pekster> 9 is just dumping spam to your logs ;)
11:38 < pekster> See the manpage; you get rwRW printouts of per-packet (both inside & outside packets)
11:38 -!- justinzane [~justinzan@12.172.184.42] has quit [Ping timeout: 252 seconds]
11:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
11:41 < kami> pekster: I have rwRW during the intitialisation.
11:43 < kami> sorry a lot of RRWW (no lower case)
11:43 < kami> at the end: Initialization Sequence Completed
11:43 < kami> WWRWRWRRWRWWRWR
11:44 < kami> then Thu May 15 16:41:58 2014 us=610804 Initialization Sequence Completed
11:44 < kami> WWRWRWRRWRWWRWRRWRWWRWRThu May 15 16:43:58 2014 us=696684 [server] Inactivity timeout (--ping-restart), restarting
11:44 < kami> because the client doesn't respond to the server pings?
11:45 < kami> > SIGUSR1[soft,ping-restart] received, process restarting
11:46 < kami> So, this means essentially: udp communication between the openvpn process on the client and the server is possible.
11:46 < kami> outside packets are read and written (R and W) ?
11:52 < kami> pekster: when I ping the IP which was provided by the server from the server side (which definitely go into the tun device and arrive at the UDP port of the client), shouldn't there be also some lowercase rw?
11:56 < kami> when I ping -c 3 the server from the client side, there are three lower case r: WRWRWWRrWrWrWR
11:59 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:01 < kami> pekster: and when I flood ping from the server side with 30 packets, I get WWRRWWRWRRWRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRW
12:01 < kami> no single lowercase w
12:07 < pekster> Then something is wrong. From the client end, a single ping-from-client-to-server should report: rWRw, which means "read a pkt from the tun device, wrote one to the link, read one from the link, and wrote one to the tun device"
12:11 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
12:14 -!- Kingsy [~chris@unaffiliated/kingsy101] has left #openvpn []
12:15 -!- Kingsy [~chris@unaffiliated/kingsy101] has joined #openvpn
12:16 < Kingsy> I have this really weird problem, I have a VPN setup, it works perfectly, I can connect to the machine using SSH just fine. However when I connect via SFTP (same address username and password) SOME folders give me a "connection timed out" error message
12:17 < Kingsy> originally I thought this was samba but its happening over SFTP.. I just don't understand it..
12:17 < Kingsy> could it be I need to add something to my hosts file?
12:17 < Kingsy> it feels like a DNS issue or something because it times out, almost like its attempting to lookup or something?
12:24 < kami> Kingsy: I have seen such issues with MTU problems over PPPoE DSL connections
12:26 < Kingsy> kami: can you suggest anything I can try?
12:26 < kami> wait a sec
12:27 < kami> to diagnose, have a look at the answers here: http://us.generation-nt.com/answer/openswan-freeswan-mtu-size-problem-help-184615761.html
12:27 <@vpnHelper> Title: Answer : OpenSwan FreeSwan mtu size problem (at us.generation-nt.com)
12:27 < kami> ping -M do -s ...
12:27 < kami> is the tool
12:28 < Kingsy> the problem doesnt happen when I upload large files
12:29 < Kingsy> it happens when I attempt to cd into another directory using sftp
12:29 < Kingsy> it works perfectly using ssh
12:29 < Kingsy> and it only happens using SOME folders.. other work file
12:30 < kami> Kingsy: then forget my noise
12:30 < Kingsy> kami: can you suggest anything else
12:30 < Kingsy> its a weird issue
12:31 < kami> Kingsy: sorry, no other idea
12:33 < kami> pekster: I wrote above, that I'm on openwrt (http://openwrt.org/), the development branch. So there might well be a problem with the kernel/modules/the openvpn build params etc.
12:33 <@vpnHelper> Title: OpenWrt (at openwrt.org)
12:33 < kami> pekster: Do you have any idea what to look for, next?
12:34 < kami> I can create a custom build (debug-enabled), debug with gdb, whatever might be necessary.
12:34 < kami> I'm using openwrt since years and would be happy to contribute something back.
12:39 -!- kami` [~user@unaffiliated/kami-] has joined #openvpn
12:40 -!- tuvok is now known as tuvok-
12:41 < Eugene> There's a question we need a factoid for: what's a good(cheapish) embedded device for serving as an openvpn/gateway/wifi router thing.
12:41 < Eugene> Preferably with an Amazon link
12:42 -!- kami [~user@unaffiliated/kami-] has quit [Ping timeout: 276 seconds]
12:42 < Thermi> TP-Link TL-1043ND
12:42 < kami`> Eugene: there are a ton of devices
12:42 < kami`> It really depends on your requirements.
12:43 < kami`> I just pasted a link to http://openwrt.org/
12:43 <@vpnHelper> Title: OpenWrt (at openwrt.org)
12:43 < Eugene> I know that, I'm saying that's why we need to have a "this is usually great" box to point at.
12:43 < kami`> I see.
12:43 < kami`> Nlw
12:43 < kami`> sorry
12:44 < kami`> How cheap is 'cheapish' ?
12:44 < Eugene> I usually use whatever x86 box I have laying around. Recent Atoms are great.
12:44 -!- kami` is now known as kami
12:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:44 < Eugene> I'd say <$50, with at least 2 ethrent ports, and WiFi-N whatever.
12:44 < Eugene> TP-Link is pretty good gear, but I haven't bothered to screw around with changing the firmware, ever.
12:46 < kami> Do you need Gigabit Ethernet?
12:46 < Eugene> WR1043ND looks pretty nice.
12:46 < Eugene> You're misunderstanding the question
12:46 < Eugene> It's not for /me/
12:46 < Eugene> It's so we can have a recommendation for the channel, since its such a common one people ask
12:47 < kami> Eugene: sorry, for being dense
12:48 < kami> I use the WDR4300 since some months
12:48 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has quit [Quit: tarnfeld]
12:49 < kami> with OpenWRT release version (Attitude Adjustment)
12:49 < kami> without any problems
12:49 < kami> gotta run, bbl
12:51 -!- mattock_afk is now known as mattock
13:08 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
13:30 -!- justinzane [~justinzan@24.49.207.77] has joined #openvpn
13:31 -!- Turn_Left is now known as Left_Turn
13:34 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds]
13:35 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has joined #openvpn
13:37 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
13:49 < Popsikle>  /j #bpython
13:49 < Popsikle> wheps
13:50 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
14:03 < kami> pekster: ping
14:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
14:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:39 -!- tuvok- is now known as tuvok
14:41 -!- tuvok is now known as tuvok-
14:47 -!- joshh20-Away is now known as joshh20
14:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
15:01 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 258 seconds]
15:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:34 -!- dazo is now known as dazo_afk
16:10 -!- double-you [~Miranda@178-26-153-234-dynip.superkabel.de] has joined #openvpn
16:11 < double-you> I want to access my router and other pcs over vpn, but I can't ping them, what's wrong?
16:13 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 240 seconds]
16:17 < reiffert> double-you: crystall ball broke again
16:17 < double-you> reiffert: can I show you the config file?
16:18 < reiffert> !configs
16:18 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:20 -!- kami [~user@unaffiliated/kami-] has quit [Ping timeout: 240 seconds]
16:22 < double-you> there we go: http://pastebin.com/YQVRDvtd
16:22 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:23 < double-you> push "route ..." or something?
16:24 < reiffert> pretty standard server config
16:25 < reiffert> guys, does spiegel.de currently work for you?
16:26 < double-you> yes
16:29 < reiffert> looks like I cannot get a SYN ACK
16:29 < reiffert> listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:29 < reiffert> 23:28:46.891094 IP 10.20.0.184.58218 > 62.138.116.3.80: Flags [S], seq 2231784225, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 341181157 ecr 0,sackOK,eol], length 0
16:29 < reiffert> 23:28:47.996964 IP 10.20.0.184.58218 > 62.138.116.3.80: Flags [S], seq 2231784225, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 341182256 ecr 0,sackOK,eol], length 0
16:29 < reiffert> 23:28:49.002901 IP 10.20.0.184.58218 > 62.138.116.3.80: Flags [S], seq 2231784225, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 341183257 ecr 0,sackOK,eol], length 0
16:34 < double-you> ok made again the push "route blaaa" and now it works, great
16:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
16:56 -!- lamba [~lamba@unaffiliated/lamba] has quit [Quit: leaving]
17:01 < tempus_fol> Hello, I've tried in the past weeks to fix an issue with my actual Openvpn setup. I've pasted my configs several times, I've been suggested to run mtu-test, I did it, with no success. Download and browsing works just fine. Uploading works fine, unless it's an upload bigger than ~1MB (actually, even more than ~200KB is enough to trigger this issue). Multiple, small uploads are handled fine. There are no MTU issues, I've tried to tweak mssfix
17:01 < tempus_fol> and fragment with no real results. I've tried to monitor an upload in wireshark; without the VPN the win size is 65535, whilst with the VPN the win size decrease until it reaches 501 from the server to the me, and 1444 from me to the destination server. I don't really any more ideas...
17:03 < tempus_fol> I don't know how to debug more
17:18 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
17:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:47 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
17:50 <@krzee> reiffert, works here
18:07 -!- justinzane [~justinzan@24.49.207.77] has quit [Ping timeout: 276 seconds]
18:12 -!- justinzane [~justinzan@64.234.62.23] has joined #openvpn
18:12 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has quit [Excess Flood]
18:18 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
18:56 -!- double-you [~Miranda@178-26-153-234-dynip.superkabel.de] has quit [Quit: ja]
19:35 -!- joshh20 is now known as joshh20-Away
19:45 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has joined #openvpn
19:48 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
20:03 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has quit [Quit: tarnfeld]
20:21 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 258 seconds]
20:24 -!- tuvok- is now known as tuvok
20:33 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
20:35 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
20:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:41 -!- Latrina [~Latrina@adsl-ull-53-223.50-151.net24.it] has quit [Ping timeout: 240 seconds]
20:46 -!- Latrina [~Latrina@ppp-89-49.26-151.libero.it] has joined #openvpn
21:06 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit []
21:12  * maskedlua will likely be away for 3 to 5 days... if you wonder why PM me
21:22 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
21:24 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
21:46 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
22:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:09 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
22:14 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
23:10 -!- justinzane [~justinzan@64.234.62.23] has quit [Ping timeout: 252 seconds]
23:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:27 -!- justinzane [~justinzan@64.234.62.23] has joined #openvpn
23:31 -!- u0m3 [~u0m3@92.80.99.171] has quit [Read error: Connection reset by peer]
23:33 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:40 -!- ShadniX [dagger@p5DDFCF1A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:41 -!- ShadniX [dagger@p5DDFCF8F.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri May 16 2014
00:24 -!- justinzane [~justinzan@64.234.62.23] has quit []
00:40 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has joined #openvpn
00:42 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
00:43 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has quit [Client Quit]
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:14 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
02:15 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:16 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
02:17 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has quit [Remote host closed the connection]
02:27 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
02:29 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
02:52 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
02:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
03:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:30 -!- okvchris [~christian@c-94-255-207-23.cust.bredband2.com] has joined #openvpn
03:31 < okvchris> !welcome
03:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:32 < okvchris> well, i'm just wondering if it's possible to use a static key with more then one client. i am aware of the implications of using a static key, just want to know if it's possible
03:42 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
03:44 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
03:49 < svg> Hi, I have a setup with two servers, same config, difference is only tcp/udp; clients get disconnected after an hour - I *think* it only happens on the udp server, but not entirely sure yet. some logs  config at http://pastebin.com/index/u85hBEf9 ; any pointers appreciated
03:49 -!- dazo_afk is now known as dazo
03:52 -!- Kingsy [~chris@unaffiliated/kingsy101] has left #openvpn []
03:53 -!- hobbily [~hobbs@unaffiliated/hobbily] has joined #openvpn
03:53 < hobbily> hello
03:54 < hobbily> i have a vps and a decent sized DMZ, I would like to run openvpn on the vps to forward traffic to machines on the dmz, is this even possible with openvpn?
03:55 < hobbily> essentially the user would resolve something.mysite.com to one of the vps's public ip address which would then forward down the vpn to to NAT with the firewall to the appropriate DMZ server
03:56 < hobbily> so the user has no idea where my DMZ is, at least that is the objective
04:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
04:01 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
04:03 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
04:04 -!- Latrina [~Latrina@ppp-89-49.26-151.libero.it] has quit [Ping timeout: 258 seconds]
04:08 -!- Latrina [~Latrina@ppp-17-36.26-151.libero.it] has joined #openvpn
04:09 < svg> hobbily: should be possible, just keep in mind that openvpn primarily is just about setting up a tunnen betwen 2 hosts, al the extra routing/nat stuff you need, you have to set up yourself
04:10 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:10 -!- mode/#openvpn [+o mattock_afk] by ChanServ
04:10 -!- mattock_afk is now known as mattock
04:16 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
04:21 -!- tarnfeld [~tom@176.12.107.140] has joined #openvpn
04:28 -!- tarnfeld [~tom@176.12.107.140] has quit [Quit: tarnfeld]
04:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
04:50 -!- hobbily [~hobbs@unaffiliated/hobbily] has left #openvpn []
04:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:55 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has joined #openvpn
05:08 -!- okvchris [~christian@c-94-255-207-23.cust.bredband2.com] has quit [Ping timeout: 252 seconds]
05:15 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
05:16 < aPollO2k> hallo welt
05:18 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 252 seconds]
05:26 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
05:27 < ender|> tempus_fol: do you use kernel 3.14?
05:36 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
06:52 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:19 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 252 seconds]
07:21 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: changing hosts]
07:21 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
07:22 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
07:27 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:46 -!- trispace [~rf@unaffiliated/trispace] has joined #openvpn
07:47 < trispace> can I set the bundled OpenVPN-GUI to not start openvpn directly and not try to start the OpenVPN service, but releasing the connection via the management interface?
07:51 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
07:58 <@plaisthos> trispace: well the gui uses the management interface to control openvpn
07:58 <@plaisthos> so no
07:59 < trispace> plaisthos: ok. I thought about autostarting the OpenVPN service, and then use the OpenVPN GUI to release the waiting OpenVPN service (and supply needed username/passwords) as needed.
08:04 < trispace> If I read the source code correctly with default settings, the OpenVPN GUI tries to start the openvpn.exe. If service_only is set it tries to start the OpenVPN service. AFAIK, both methods don't work for a plain non-admin Windows user
08:09 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
08:09 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
08:11 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:12 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:26 -!- mirco [~mirco@ip-109-90-230-218.unitymediagroup.de] has quit [Ping timeout: 276 seconds]
08:27 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
08:30 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
08:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
08:41 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 255 seconds]
08:41 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
08:46 -!- Netsplit *.net <-> *.split quits: kloeri, meepmeep, soapee01, bashusr, phunyguy, ribasushi, samu
08:46 -!- Netsplit over, joins: samu, phunyguy, meepmeep
08:46 -!- Netsplit over, joins: kloeri
08:46 -!- Netsplit over, joins: soapee01
08:46 -!- Netsplit over, joins: bashusr
08:49 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
08:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
08:58 -!- tarnfeld [~tom@cpc2-colc6-2-0-cust599.7-4.cable.virginm.net] has left #openvpn []
09:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:01 -!- u0m3 [~u0m3@92.80.99.171] has joined #openvpn
09:10 -!- trispace [~rf@unaffiliated/trispace] has quit [Quit: trispace]
09:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:30 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
09:43 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
09:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
10:10 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
10:10 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
10:10 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
10:12 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
10:19 -!- Latrina [~Latrina@ppp-17-36.26-151.libero.it] has quit [Ping timeout: 245 seconds]
10:24 -!- Latrina [~Latrina@ppp-253-55.26-151.libero.it] has joined #openvpn
10:30 -!- Latrina [~Latrina@ppp-253-55.26-151.libero.it] has quit [Ping timeout: 276 seconds]
10:34 -!- Latrina [~Latrina@adsl-ull-66-244.45-151.net24.it] has joined #openvpn
11:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:06 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:07 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 265 seconds]
11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:14 -!- ildefonso [~ilde123@201.185.229.85] has joined #openvpn
11:15 < ildefonso> !welcome
11:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:16 < ildefonso> !paste
11:16 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
11:16 < ildefonso> hi all
11:17 < ildefonso> well, following the advice on the topic: my goal is to connect my 2.3-based client to my 2.2 server.
11:17 < ildefonso> this is the deal: I upgraded to 2.3.2 (as provided by ubuntu 14.04), and tried to connect using the configuration that were working *before* the update.
11:17 < ildefonso> in short: it doesn't work anymore.
11:18 < ildefonso> I am using "fragment" and "comp-lzo", and I can't just change server configuration, because it would imply changing multiple 2.2 clients that are currently connected.
11:18 < ildefonso> is this a known issue?
11:19 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 245 seconds]
11:20 < ildefonso> it looks like, for some reason, the packet size is no longer the same..... I get this in server log: FRAG_IN error flags=0x66001e01: bad fragment size
11:20 < ildefonso> and also these: Bad LZO decompression header byte: 0
11:20 < ildefonso> and finally this one: FRAG_IN error flags=0xfaffffff: FRAG_TEST not implemented
11:21 < ildefonso> server is 2.2.1
11:23 < ildefonso> on client (2.3.2), I would get multiple of these: "Bad LZO decompression header byte: 0", and it will eventually timeout and restart.
11:24 < ildefonso> and this is interesting, also on client: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1578'
11:24 < ildefonso> WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
11:24 < ildefonso> any ideas?
11:26 < ildefonso> also, would this be expected? PID_ERR replay-window backtrack occurred [2] [TLS_AUTH-0] [00_0] 1400257363:4 1400257363:2 t=1400257356[0] r=[0,64,15,2,1] sl=[60,4,64,528]
11:32 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has joined #openvpn
11:33 < ildefonso> client configuration is here: https://gist.github.com/soulhunter/35892c75c398d97e7169  (of course, I changed names and stuff).
11:33 <@vpnHelper> Title: gist:35892c75c398d97e7169 (at gist.github.com)
11:37 < ildefonso> I just updated that gist, to include server configuration as well.
11:39 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 255 seconds]
11:43 -!- justinzane [~justinzan@64.234.62.23] has joined #openvpn
11:50 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:57 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
12:01 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
12:02 < adaptr> I put up a P2P tunnel yesterday, and now I can't ping across it from the server; only the client initiates traffic (after that, the server can ping). is there a server option that fixes this ?
12:03 < adaptr> (it wasn't in the very-quick-start-howto)
12:08 -!- micah [~micah@debian/developer/micah] has quit [Ping timeout: 276 seconds]
12:09 < rob0> nitpick, there IS no client and no server in p2p mode.
12:09 < rob0> If each peer has a "remote" set, each will try to initiate the connection.
12:10 < rob0> That might not be appropriate if one peer is on a dynamic IP. But maybe you can use dynamic DNS and --resolv-retry infinite
12:11 < adaptr> rob0: that's not what the documentation says.
12:12 < adaptr> it equates P2P with static client-server, i.e. ONE client, and ONE server. in endpoint terms, that is a point-to-point tunnel
12:12 < adaptr> and they cannot be configured identically
12:13 < rob0> I think --ifconfig is the only thing that must differ.
12:13 < adaptr> if you set a remote, that side won't listen. so how can they connect?
12:13 < rob0> (reversed)
12:14 < adaptr> yes, I get that part, but I configured the server, and started it in daemon mode. it started listening. the client does not listen. at least one of them must listen :)
12:14 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
12:17 < rob0> udp is connectionless
12:17 < rob0> each side sends a stream of packets to the other
12:17 < rob0> it works. You're talking about TCP, which is a Bad Idea for openvpn.
12:18 < adaptr> trudat. however, if it DOESN'T LISTEN, it won't get any of those packets.
12:18 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: No route to host]
12:18 < adaptr> are you suggesting p2p makes 2 half tunnels ? both sides would send to 1192, or whatever it is
12:18 < rob0> does. The source.ip:port matches what is expected.
12:19 < adaptr> and openvpn just... understands?
12:19 < rob0> See, each side opens a UDP socket with my.source:port going to other.side:port
12:20 < rob0> when we see packets from other.side:port going to my.source:port we think they are replies.
12:20 < rob0> This is how openvpn fools a firewall.
12:20 < adaptr> that's... not how networking normally works.
12:21 < adaptr> it also precludes multiple tunnels between 2 sockets
12:22 < adaptr> (which isn't possible with ipsec VPN's either, but OpenVPN is supposed to be better !)
12:22 < rob0> you have to use a different port for different tunnels
12:22 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:22 < adaptr> oh, there's no separate secure channel ?
12:22 < rob0> I set up a 6.5-endpoint full mesh VPN for Corey.
12:23 < rob0> with these p2p tunnels
12:23 < adaptr> fun with flags^H^H^H^H^Hrouting
12:23 < rob0> openvpn's entire connection is on a single port, right
12:23 < adaptr> centralized PKI wasn't more.. efficient? interesting? nerdy?
12:27 < adaptr> rob0: so the way to do normal headend keepalive is to set a remote on both systems?
12:31 < Eugene> What?
12:38 < adaptr> hmm?
12:39 < adaptr> I have a static key server (daemon) / client (not a daemon) with the options from the quickstart howto set. still, after a night of no activity, I cannot initiate from the headend (the server).
12:40 < adaptr> just one bump from the client is enough to trigger the interface, but it was in state UNKNOWN before I pinged the server.
12:40 < adaptr> according to rob0, I just have to set a remote on the server as well.
12:42 < rob0> There he goes again, using that word, "server."
12:42 < adaptr> so, that's a "no" on the server then
12:42 < adaptr> let me see
12:42 < rob0> Trust thou in thine rob0, who shalt not mislead thee.
12:43 < adaptr> I was misled by the arch wiki, and systemd. which should come as no surprise, really
12:45 < adaptr> rob0: oh wait, NOW I remember why. the client is behind NAT, and udp 119x is not forwarded.
12:45 < adaptr> meh, I'll just pinng the server once a minute. ENOCARE
12:45 < rob0> it works through nat!
12:46 < rob0> In my Father's house are many tunnels. If it were not so, I would have told ye.
12:46 < adaptr> of course it works! but not if I don't forward UDP 119x from the outside!
12:46 < rob0> With *some* nat you might need --float
12:47 < adaptr> dude. if-no-forward, how will my internal machine ever receive traffic for UDP 119x?
12:47 < adaptr> it has to be initiated from the client to the machine that IS accessible.
12:48 < rob0> Forwarding from the outside should not matter. The firewall sees one.peer:1194 going to other.peer:1194 and sees "replies" going in the other direction. It figures out that they want to talk.
12:48 < adaptr> oh, it works like NTP?
12:48 < adaptr> why U no sayso?
12:48 < adaptr> so, hence, IT NEEDS TRAFFIC. such mappings expire.
12:48 < adaptr> I'l ljust ping every minute, mmkay
12:49 < adaptr> I would assume there woudl be a keepalive option such as is standard in IPsec implementations
12:51 < adaptr> these exist for the explicit reason to keep UDP xlates  up
12:51 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:59 < rob0> You can use the --ping* options in openvpn
12:59 < adaptr> thanks, I will take a look at those
13:20 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 28.0/20140314220517]]
13:28 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
13:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
13:39 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
13:41 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
13:43 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
13:45 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
13:45 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
13:46 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
14:10  * ildefonso feels his question was not interesting enough :( 
14:10 -!- dazo is now known as dazo_afk
14:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:15 -!- mode/#openvpn [+v s7r] by ChanServ
14:47 -!- joshh20-Away is now known as joshh20
14:49 -!- friese [~anonfries@p5481843D.dip0.t-ipconnect.de] has joined #openvpn
14:49 < friese> hi guys
14:50 -!- temuccio [~teme@87.18.183.11] has joined #openvpn
14:51 < temuccio> !welcome
14:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:51 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:51 < friese> i'm running a hosted kvm-server with a single ipv4-ip. i want to create a bridged vpn-server to which clients can connect and bridge their networking, but in that configuration i can't get internet access through the external gateway to work
14:51 < temuccio> Hello, I'm installing openvpn on my server debian
14:52 < temuccio> I have make the certified and from windows I connect on my server via vpn
14:52 < temuccio> it's work
14:52 < temuccio> but the network of vpn don't see the network eth0 of my server
14:52 < friese> right now i can either do bridging and clients can connect and communicate together or i do routing and i get internet access, but clients can only use routable protocols...
14:52 < temuccio> can you help me?
14:53 < friese> if i use the bridge-start script, basically my whole eth0-interface goes down...
14:53 < friese> ideally i'd like bridging between clients and routing from the tap0 in the server to internet (together with nat), is that even possible?
15:05 < ildefonso> friese, yes, it is possible.
15:05 < ildefonso> temuccio, likely ip_forward value.
15:06 < friese> and how? are there any guides?
15:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:07 < ildefonso> friese, I am not sure if I fully understand you, usually client-to-client should allow clients to "talk" to each other, and it shouldn't affect the ability of the server to route traffic and do NAT.
15:08 < friese> yeah, thats right, and in both - routing and bridging - clients can communicate to each other
15:09 < friese> in brdging mode, everything is perfect then, but in routing mode - as the name says - only routable projects on the ip-layer are sent
15:09 < friese> however, i want clients to communicate with each other, but i also want internet access through the vpn gateway
15:10 < friese> for that, all guides say i should bridge the tap-interface to my ethernet-interface
15:10 < friese> if i try to do that, nothing works...
15:11 < friese> and it doesn't seem very logical to me, since i'd just blow packets to eth0 with the internal ip adresses, i'm quite sure i need some form of routing & natting there...
15:11 < ildefonso> friese, of course you need it.
15:12 < ildefonso> friese, can you describe exactly what you need?  because, as far as I can tell, by using just client-to-client, you should be able to allow clients to talk to each other, and the rest is handled by the NAT.....
15:12 < rob0> !serverlan
15:12 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:12 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:12 < rob0> temuccio, ^^ flowchart should help
15:12 < ildefonso> rob0, am I right? client-to-client should "bridge" together the clients?
15:13 < temuccio> rob0, I have changed the conf and now don't work
15:14 < friese> okay, ip forwarding is enabled, so its a route i need...
15:14 < friese> !route_outside_openvpn
15:14 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
15:14 < rob0> client-to-client simply says for openvpn to route those packets internally. Without it, client-to-client communication might still work, unless blocked by your firewall.
15:14 < friese> yeah, understood that
15:14 < friese> so client-to-client wise everything works perfectly
15:15 < rob0> What kind of non-IP protocols do you need?
15:15 < rob0> ildefonso, I saw your question, I don't know.
15:16 < friese> things like ipx for example, maybe also some others, i basically want to use it as a private gaming vpn, so lots of strange protocols ;)
15:16 < ildefonso> friese, wow, IPX.... long time not hearing about that.
15:16 < friese> good old times, eh? ;)
15:17 < ildefonso> friese, the only why I was able to make IPX go through OpenVPN was by using a "bridge" machine, so, it would have:
15:17 < ildefonso> eth0 -- Internet
15:17 < ildefonso> eth1 --- Local network (likely to the PC or thing you will game on)
15:17 < ildefonso> tap0 --- the OpenVPN interface.
15:17 < ildefonso> br0 : bridge with eth1 and tap0 as members.
15:18 < friese> okay...
15:18 < ildefonso> of course, br0 should be up, and will usually have an IP (but is not necessary, as we are interested on L2 forwarding).
15:18 < ildefonso> you will also likely need to add some ebtables rules to avoid some things, like DHCP or other  noisy protocols, to go to the other side.
15:19 < friese> basically i'd imagine something like not having that eth1 at all, tap0 doing layer2-stuff with the openvpn-clients and also having a regular ip that routes to the eth0 internet
15:19 < ildefonso> friese, I feel that it, somehow, will not work.
15:19 < friese> yep, i'm fearing that too :)
15:19 < ildefonso> friese, not sure on why, though.....
15:20 < ildefonso> rob0, my long question about interaction between 2.2 and 2.3?
15:20 < rob0> yes
15:20 < rob0> !routed_tap
15:20 < ildefonso> rob0, thanks!
15:20 < rob0> !factoids search routed
15:20 <@vpnHelper> No keys matched that query.
15:20 < rob0> !factoids search tap
15:20 <@vpnHelper> 'tap', 'mactuntap', 'wintaphide', 'obsdtap', and 'tunortap'
15:21 < rob0> !tap
15:21 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
15:21 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
15:21 < friese> humm, another idea...
15:21 < rob0> friese, you can probably use a routed tap setup (without bridging)
15:23 < friese> so how would that work? the "server ..." line like for routing but with a "dev tap"?
15:23 < Eugene> dev tun / dev tap just decides which device driver is used
15:23 < Eugene> With dev tun, only Layer3(IP protocol) packets are passed, which is 99% of what people want
15:24 < Eugene> With dev tap, IP packets are sent with an encapsulating header, and other L2 protos can be sent
15:25 -!- mirco [~mirco@p50802754.dip0.t-ipconnect.de] has joined #openvpn
15:25 < Eugene> You really don't need to set up IP at all, if you just want to use other protos
15:26 -!- mirco [~mirco@p50802754.dip0.t-ipconnect.de] has quit [Client Quit]
15:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:18 -!- friese [~anonfries@p5481843D.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
16:31 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
16:40 -!- temuccio [~teme@87.18.183.11] has quit [Quit: Sto andando via]
16:56 -!- APTX_ is now known as APTX
17:02 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:35 -!- Netsplit *.net <-> *.split quits: early, @krzee, Samopotamus, ketas, tapout, omrib, someone, batrick, _quadDamage, @plaisthos,  (+8 more, use /NETSPLIT to show all of them)
17:35 -!- Netsplit *.net <-> *.split quits: mushroomed, pppingme, jeev, soapee01, yoavz, Cultist, kirin`, dvl, @vpnHelper, simcop2387,  (+4 more, use /NETSPLIT to show all of them)
17:36 -!- Netsplit over, joins: _quadDamage, batrick, Clone, kenyon, Samopotamus, @krzee, troyt, @plaisthos, ketas, tapout (+22 more)
17:36 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
17:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-ltxlkdkyictbokgc] has quit [Max SendQ exceeded]
17:36 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
17:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-gastkqwfqdcvtpoe] has joined #openvpn
17:37 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
17:39 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:42 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:15 -!- qwertyoruiop [~hax@93.174.90.31] has joined #openvpn
18:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
18:25 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:31 -!- tuvok [tuvok@2a01:d0:87dd::5] has quit [Excess Flood]
18:53 -!- ildefonso [~ilde123@201.185.229.85] has quit [Ping timeout: 245 seconds]
18:55 -!- tiller [~tiller@kim.tiller.fr] has joined #openvpn
18:55 < tiller> ello!
18:55 < tiller> Hello*
18:55 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:58 < tiller> Hey, I'd like to know: I've been using openvpn for quite a while but not in an advanced way, just to use my server as "proxy". But now I'd like to do something else: I want to build a "LAN" over my vpn. I mean that for example, if 2 PCs are connected to the VPN it would appears for them as they are on the same LAN (and can share file throught Windows for example). So I just would like to know: Is it something I can do with OpenVPN or not?
19:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:06 -!- tiller [~tiller@kim.tiller.fr] has quit [Ping timeout: 240 seconds]
19:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 264 seconds]
19:23 -!- ildefonso [~ilde123@201.185.229.85] has joined #openvpn
19:34 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has joined #openvpn
19:40 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
19:42 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:42 -!- mode/#openvpn [+v s7r] by ChanServ
19:50 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
19:52 -!- Matir_ is now known as Matir
19:52 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
19:54 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:17 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
20:18 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
20:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:36 -!- justinzane [~justinzan@64.234.62.23] has quit [Ping timeout: 252 seconds]
20:41 -!- Xulai_ [~Xulai@90.193.64.196] has joined #openvpn
20:42 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
20:47 -!- justinzane [~justinzan@24.49.184.42] has joined #openvpn
21:00 < _FBi> tiller, yes
21:02 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 245 seconds]
21:04 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
21:05 -!- akurilin [~alex@c-98-234-90-17.hsd1.ca.comcast.net] has quit [Ping timeout: 245 seconds]
21:26 -!- joshh20 is now known as joshh20-Away
21:56 -!- savid [~savid@capstone.md] has left #openvpn []
22:13 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:16 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:34 -!- mode/#openvpn [+v s7r] by ChanServ
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:54 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:54 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
23:02 -!- s7r_z [~s7r@openvpn/user/s7r] has joined #openvpn
23:02 -!- mode/#openvpn [+v s7r_z] by ChanServ
23:04 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
23:11 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
23:12 < RBecker> !welcome
23:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:18 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
23:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:19 -!- mode/#openvpn [+o krzee] by ChanServ
23:19 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
23:26 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
23:27 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
23:28 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 276 seconds]
23:29 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:30 -!- michaelhart [~michaelha@192.0.240.20] has joined #openvpn
23:30 -!- michaelhart [~michaelha@192.0.240.20] has quit [Client Quit]
23:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:39 -!- ShadniX [dagger@p5DDFCF8F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:40 -!- ShadniX [dagger@p57941EB3.dip0.t-ipconnect.de] has joined #openvpn
23:51 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has joined #openvpn
--- Day changed Sat May 17 2014
01:11 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 276 seconds]
01:29 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
02:12 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
02:15 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has quit [Remote host closed the connection]
02:15 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
02:17 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
02:17 -!- mode/#openvpn [+o krzee] by ChanServ
02:24 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 258 seconds]
02:25 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
02:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 258 seconds]
02:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:30 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:30 -!- mode/#openvpn [+v hazardous] by ChanServ
02:40 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
03:10 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
03:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
03:24 -!- Suterusu [~Suterusu@unaffiliated/suterusu] has quit [Ping timeout: 252 seconds]
03:48 -!- VlperX [~VlperX@1.132.71.43] has joined #openvpn
03:50 -!- VlperX [~VlperX@1.132.71.43] has quit [Read error: Connection reset by peer]
03:51 -!- VlperX [~VlperX@1.132.71.43] has joined #openvpn
03:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
03:54 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
03:56 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Connection reset by peer]
03:56 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
03:56 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
03:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:13 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
04:26 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
04:36 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
04:41 -!- VlperX [~VlperX@1.132.71.43] has quit [Ping timeout: 264 seconds]
04:44 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
04:45 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
04:47 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
04:50 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
04:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:01 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 265 seconds]
05:01 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
05:03 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
05:50 -!- daemon89 [~daemon89@p5DC4DF8C.dip0.t-ipconnect.de] has joined #openvpn
06:08 -!- daemon89 [~daemon89@p5DC4DF8C.dip0.t-ipconnect.de] has left #openvpn ["Leaving"]
06:18 -!- s7r_z is now known as s7r
06:54 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:18 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
07:21 -!- jerrcs [jeremy@dogpound.sliqua.com] has joined #openvpn
07:24 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:49 -!- samu [s@unaffiliated/samaelszafran] has left #openvpn []
08:08 -!- joshh20-Away is now known as joshh20
08:23 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:24 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
08:28 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
08:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:40 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Client Quit]
08:41 -!- eugenmayer [~EugenMaye@HSI-KBW-134-3-101-151.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
08:41 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
08:42 < eugenmayer> hello. One client of my VPN network seem to have connection issues and i dont understand why. This client connects to 3 different VPNs, every connection fails. The client config is deployed by chef and equal on all clients. all other clients work though.
08:42 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:42 < eugenmayer> Network connection in general works, , when using verb8 on the client i see:
08:43 < eugenmayer> TLS Error: no data channel send key available:
08:43 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:43 < eugenmayer> the server is in verb5 and only writes wwrrw during that time, so no real information on the server side
08:45 < eugenmayer> even with verb 8 on the server i cant see any connection attempt even happening
08:50 < eugenmayer> ok, it seems like a network issue, i cannot even telnet to the TCP server
08:50 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
08:51 < eugenmayer> nvm, no ovpn issue most probably then
08:51 < _FBi> sup players and haters?
08:57 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
09:00 -!- eugenmayer [~EugenMaye@HSI-KBW-134-3-101-151.hsi14.kabel-badenwuerttemberg.de] has quit [Read error: Connection reset by peer]
09:03 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
09:09 -!- ciscam [~ciscam@p5790904E.dip0.t-ipconnect.de] has joined #openvpn
09:11 < ciscam> how is it possible for an OpenVPN configuration to work in one network but not the other? The connection is established and recognized as working and connected to the internet but at home the tunnel doesn't relay anything whereas at work the tunnel works like a charm
09:12 < rob0> I can think of a few dozen reasons why that might be so.
09:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 258 seconds]
09:20 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
09:58 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 258 seconds]
10:09 -!- ShadniX_ [dagger@p5DDFFBCC.dip0.t-ipconnect.de] has joined #openvpn
10:11 -!- ShadniX [dagger@p57941EB3.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
10:11 -!- ShadniX_ is now known as ShadniX
10:43 -!- joshh20 is now known as joshh20-Away
11:05 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:11 < ciscam> rob0 and what would that be?
11:13 < dvl> ciscam: Both connection locations are to a third location?
11:13 < ciscam> yes, of course
11:18 -!- ciscam [~ciscam@p5790904E.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:18 < rob0> grr, started typing and ^^
11:19 -!- ciscam [~ciscam@p5790904E.dip0.t-ipconnect.de] has joined #openvpn
11:19 < ciscam> sorry, did you write something? I tried it and lost internet connection
11:19 < dvl> he did...
11:20 < rob0> I would suggest that you do the work of making a pastebin rather than having us playing a guessing game.
11:20 < rob0> !welcome
11:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
11:20 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:21 < rob0> (The first of my guesses would have been welcome-#2 conflicts.)
11:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:28 -!- mode/#openvpn [+v s7r] by ChanServ
11:29 < ciscam> the vpn server uses 10.8.0.0/24
11:30 < ciscam> whereas the company where it worked uses 172.27.18.0/24
11:30 < ciscam> and at home it's 192.168.1.0/24 in both cases
11:31 < ciscam> the server network uses 192.168.0.0/21
11:31 < ciscam> although vpn clients are put into 10.8.0.0/24.. might that be the cause?
11:45 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 276 seconds]
11:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:29 -!- ciscam [~ciscam@p5790904E.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
12:35 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:48 -!- ciscam [~ciscam@p5090619B.dip0.t-ipconnect.de] has joined #openvpn
12:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
12:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:56 -!- joshh20-Away is now known as joshh20
12:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
13:25 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
13:40 -!- slooth [~sl@unaffiliated/slooth] has joined #openvpn
13:41 < slooth> Hello. I've configured openvpn client/server and it works great. I need to force a certain client named x_1 to have a (vpn) address of my choosing. How can I do this? (and also make sure noone else thats connects to the vpn has that address). Thanks. Windows/Linux client, Linux server.
13:57 < dvl> slooth: read up on CCD ( I think that's it)
13:57 < dvl> !ccd
13:57 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
13:57 < dvl> hth
13:59 < slooth> dvl thanks!
14:09 < dvl> It works well.  I use it for all my hosts.
14:13 -!- Xulai_ is now known as Xulai
14:14 < Xulai> Is there a good link for seeing examples of working firewalls set up for openVPN? I think I've messed mine up.
14:19 -!- slooth [~sl@unaffiliated/slooth] has quit [Ping timeout: 252 seconds]
14:19 < rob0> well, we have an example testing, if it's Linux
14:19 < rob0> !iptables
14:19 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
14:19 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
14:19 < Xulai> Ah okay thanks rob0
14:20 < rob0> basically you need ACCEPT rules for tun0 in each of INPUT and FORWARD (and OUTPUT if you're blocking there for some silly reason)
14:21 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Excess Flood]
14:21 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
14:22 < Xulai> Yeah I think I'm pretty sure mine is set up like that but the client can't get connected. But best go through the test I suppose.
14:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:22 < jackbrown> hello
14:22 < jackbrown> anyone there?
14:22 < Xulai> Patience is a virtue and of course.
14:24 < jackbrown> Xulai: hi sorry if I was rude
14:26 < jackbrown> Could anybody help me to flash my router to the last available version ? thanks for attention
14:26 < rob0> I think you are in the wrong channel.
14:27 < jackbrown> rob0: no sorry I'm talking about thel ast OpenWRT version
14:27 < jackbrown> actually I'm running Backfire (10.03, r24977)
14:28 < rob0> this is #openVPN not #openWRT
14:28 < jackbrown> OPS
14:28 < jackbrown> sorry
14:28 < rob0> :)
14:31 < Xulai> rob0 Is there a better way to see the iptables than -L it doesn't display interface which is annoying.
14:33 < reiffert> go away
14:33 < reiffert> !notovpn
14:33 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:34 < reiffert> Xulai: -v -n
14:34 -!- Xulai [~Xulai@90.193.64.196] has left #openvpn ["Leaving"]
14:36 < rob0> iptables-save [-c]
14:37 < rob0> ha
14:59 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
15:10 -!- ciscam [~ciscam@p5090619B.dip0.t-ipconnect.de] has quit [Quit: Verlassend]
15:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:19 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
15:22 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
15:43 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
15:56 -!- hiyo [~Logan@unaffiliated/hiyo] has joined #openvpn
15:56 < hiyo> !heartbleed
15:56 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
15:56 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
15:58 < hiyo> Hello I want to configure my vpn so that it pushes a DNS server running on the same box rather than the ISP DNS server as I have it configured now
16:03 < ender|> push "dhcp-option DNS x.y.z.q"
16:04 < hiyo> ender|: yes I have that set already, but to my ISP IP address
16:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 255 seconds]
16:04 < ender|> so change it to the box address
16:04 < hiyo> I want to know how to do it to my box, I was wondering whether setting it to localhost/127.0.0.1 would make the client refer back to itself for dns queries
16:05 < hiyo> it's internal VPN address or the external address?
16:05 < hiyo> or do I just set it to localhost since both the DS and VPN are running from the same place
16:05 < ender|> no, you need to use either the LAN address of your box, or the openvpn interface address
16:06 < ender|> if you push 127.0.0.1, the client will try to look for DNS running locally
16:06 < hiyo> okay
16:11 < hiyo> thank you
16:11 < hiyo> I'll try that
16:12 -!- hiyo [~Logan@unaffiliated/hiyo] has left #openvpn []
16:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
16:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Client Quit]
16:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
16:45 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
17:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:21 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
17:21 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
17:37 -!- ahf [~ahf@irssi/staff/ahf] has joined #openvpn
17:44 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:51 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:54 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
18:01 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
18:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
18:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:28 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
18:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
18:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:05 -!- bears [~bears@unaffiliated/bears] has quit [Ping timeout: 252 seconds]
19:15 -!- grinex [~grinex@unaffiliated/grinex] has quit [Ping timeout: 240 seconds]
19:15 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
19:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
19:33 -!- harpyon [~harpyon@harpyon.com] has joined #openvpn
19:34 < harpyon> I downloaded a 1.5GB file through openvpn, and my bandwidth monitor increased by 2.3GB (nothing else using internet). Is this normal?
19:35 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
19:41 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:59 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
20:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:04 -!- Latrina [~Latrina@adsl-ull-66-244.45-151.net24.it] has quit [Ping timeout: 240 seconds]
20:10 -!- Latrina [~Latrina@ppp-50-30.26-151.libero.it] has joined #openvpn
20:14 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
20:14 -!- joshh20 is now known as joshh20-Away
20:15 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 265 seconds]
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:24 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
20:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:30 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
20:31 -!- Latrina [~Latrina@ppp-50-30.26-151.libero.it] has quit [Ping timeout: 252 seconds]
20:33 -!- Latrina [~Latrina@ppp-13-54.26-151.libero.it] has joined #openvpn
21:01 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
21:03 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:34 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
21:39 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
21:45 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
21:47 -!- Latrina [~Latrina@ppp-13-54.26-151.libero.it] has quit [Ping timeout: 258 seconds]
21:49 -!- Latrina [~Latrina@ppp-239-50.26-151.libero.it] has joined #openvpn
22:45 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
22:50 < ildefonso> harpyon, possibly, it is expected that encrypted that will be bigger than plain data.  I don't know exactly  how much bigger, but it is indeed expected.
22:51 < rob0> Depends on compressibility. If it's compressible like plain text or certain image types, encryption might shrink it.
23:15 -!- ShadniX [dagger@p5DDFFBCC.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:16 -!- ShadniX [dagger@p579414E2.dip0.t-ipconnect.de] has joined #openvpn
23:24 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
23:28 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
23:29 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Excess Flood]
23:31 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
23:36 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
23:44 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Read error: Connection reset by peer]
23:44 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
23:45 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
23:58 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
--- Day changed Sun May 18 2014
00:01 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
00:02 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
00:21 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
01:44 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:53 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
01:56 -!- Dimtree [~Dimitri@r75-110-135-121.nbrncmtc01.nwbrnc.ab.dh.suddenlink.net] has joined #openvpn
02:00 -!- Dimtree [~Dimitri@r75-110-135-121.nbrncmtc01.nwbrnc.ab.dh.suddenlink.net] has quit [Quit: Leaving.]
02:02 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
02:07 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Quit: Quit]
02:15 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
02:42 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
02:48 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
02:56 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
03:01 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
03:26 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
03:28 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
03:31 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
03:36 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
03:42 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:44 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
03:47 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
03:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:06 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
04:18 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:20 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
04:20 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 252 seconds]
04:24 -!- jeev [~jeev@unaffiliated/jeev] has quit [Excess Flood]
04:29 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
05:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:50 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:50 -!- ShadniX_ [dagger@p5DDFC3AF.dip0.t-ipconnect.de] has joined #openvpn
05:53 -!- ShadniX [dagger@p579414E2.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
05:53 -!- ShadniX_ is now known as ShadniX
06:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:35 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
06:50 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]
06:52 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
06:53 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
06:53 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
06:54 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
06:55 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
07:01 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
07:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
07:55 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
07:58 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
07:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:08 -!- hypfer [~hypfer@unaffiliated/hypfer] has joined #openvpn
08:09 < hypfer> uhm. hi
08:09 < hypfer> I want to setup openvpn to bridge my local network to my vps so I can connect my phone to the vps to get into my home network.
08:10 < hypfer> I don't want my phone to route everything through my vps if i'm in my home network
08:10 < hypfer> how do I do that?
08:31 < rob0> why do you think bridging is necessary? Why do you think it's better than routing?
08:31 < rob0> If you don't want to redirect the gateway, don't use --redirect-gateway.
08:34 < hypfer> not neccessarily bridging
08:34 < hypfer> I just didn't know how to call it
08:34 -!- Latrina [~Latrina@ppp-239-50.26-151.libero.it] has quit [Ping timeout: 252 seconds]
08:35 -!- Latrina [~Latrina@adsl-ull-86-200.50-151.net24.it] has joined #openvpn
08:44 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 258 seconds]
08:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
08:48 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:51 -!- hypfer [~hypfer@unaffiliated/hypfer] has quit [Quit: leaving]
09:11 -!- hypfer [~hypfer@unaffiliated/hypfer] has joined #openvpn
09:11 < hypfer> okay, I'm back
09:12 < hypfer> well.. one android client even provides the option to bypass vpn for netzworks which are accessible from local network
09:12 < hypfer> what is that option called?
09:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
09:23 -!- joshh20-Away is now known as joshh20
09:25 -!- eZpl0it [~eZpl0it@193.234.224.171] has left #openvpn []
09:25 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:32 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
09:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
09:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
10:06 < hypfer> okay, lets try something different
10:06 < hypfer> how do I get a static host entry into my openVPN
10:07 < pekster> !static
10:07 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
10:07 <@vpnHelper> also: !addressing
10:07 < pekster> Wiki link at !addressing has examples
10:08 < hypfer> not just a static ip!
10:08 < hypfer> a hostname to that ip
10:08 < hypfer> basically dns
10:10 < pekster> So set up DNS?
10:10 < hypfer> I can't
10:10 < hypfer> it ignores it
10:10 < pekster> "it"
10:11 < hypfer> android.
10:11 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:11 < pekster> !pushdns
10:11 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:11 < hypfer> pekster: it ignores the pushdns and uses 8.8.4.4 instead
10:11 < pekster> The GPL "OpenVPN for Android" should do the right thing there. All bets are off if you're using the commercial, non-open client
10:12 < hypfer> i'm using ics-openvpn
10:12 < hypfer> i'll try the GPL one again
10:13 < pekster> More android info for you:
10:13 < pekster> !android
10:13 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
10:20 < hypfer> pekster: nope. tried both clients available
10:20 < hypfer> nothing.
10:20 < hypfer> still uses fucking google dns
10:20 < hypfer> because reasons
10:20 < hypfer> -.-
10:21 < pekster> Did I miss your server config paste?
10:21 < pekster> !configs
10:21 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:24 < hypfer> pekster: http://paste.debian.net/100437/
10:24 < hypfer> debian wheezy with repo version
10:24 < hypfer> for both client and server with the dns
10:28 < pekster> Why push a DNS entry that gets assigned to the "2nd VPN client to connect" ?
10:28 < pekster> That's.. odd
10:29 < pekster> If the client is using --pull (implied by --client) then AFAIK that should get eaten by the android client. plaisthos might know more if you stick around, although it wouldn't hurt to add `verb 4` to the client and verify it gets received properly
10:30 < hypfer> pekster: because the vpn server is more or less just.. there to connect the 2nd vpn client to the first one
10:30 < hypfer> I can't run openvpn server on the client
10:31 < hypfer> I wouldn't need that if I could just push hostname=this ip
10:31 < hypfer> but thats not possible I guess
10:32 < hypfer> here's the client config of the one running the dns server: http://paste.debian.net/100439/
10:33 < pekster> huh? If you want that why not use _real_ DNS here?
10:33 < hypfer> huh?
10:33 < pekster> Domains are cheap, and running a DNS server isn't hard. If you don't like that idea. Amazon Route 53 does it for about $0.50/m
10:33 < hypfer> because the name I want to resolv is NOT a real domain. its an internal hostname
10:34 < hypfer> you see, the client is my microserver/NAS/whatever
10:34 < pekster> Right. And?
10:34 < pekster> nas.internal.yourdomain.com
10:34 < pekster> Done
10:34 < hypfer> I don't get it.
10:34 < pekster> You can use RFC1918 in public DNS just fine (we do it at $work)
10:34 < hypfer> the nas is not reachable via the internet
10:35 < hypfer> and should never be
10:35 < pekster> It's DNS due
10:35 < pekster> It turns names to IPs; that's what youw ant
10:35 < hypfer> no
10:35 < hypfer> yes
10:35 < hypfer> but
10:35 < hypfer> that sounds wrong
10:35 < hypfer> and I don't understand it
10:35 < hypfer> its probably not what I need
10:35 < pekster> 1) register hypfer.com (or whatever is free)
10:36 < hypfer> i have the domain hypfer.de ;)
10:36 < pekster> So add a subdomain for internal.hypfer.de
10:36 < hypfer> thats where the openvpn server is running
10:36 < pekster> Or vpn or whatever
10:36 < pekster> Add an A RR for nas.vpn.hypfer.de set to 10.227.0.1, or wherver it lives
10:36 < hypfer> but then the A record for that subdomain would be 192.something? or 10.something?
10:36 < pekster> THe IP you want to resolve...
10:36 < pekster> This is how DNS works
10:36 < hypfer> yeah but then I'd still have to change my config
10:37 < pekster> Nope
10:37 < pekster> It'll be in PUBLIC DNS
10:37 < hypfer> yes.
10:37 < hypfer> nono
10:37 < pekster> So no config changes
10:37 < hypfer> you don't understand
10:37 < hypfer> I currently mount nfs and stuff via nas:/whatevershare
10:37 < hypfer> I want the same thing to be functional even in vpn
10:37 < hypfer> without some subdomain whatever
10:37 < hypfer> just
10:38 < hypfer> nas should resolv to the openvpn ip
10:38 < pekster> Then mess with stupid split-DNS setups
10:38 < pekster> It's painful, and here won't work until you fix why the pull doesn't get applied
10:38 < pekster> Look at the logs like I suggested for clues
10:39 < pekster> It's really less painful to use _real_ DNS and reference that
10:39 < pekster> Or push the DHCP-DOMAIN value
10:39 < pekster> (if that gets picked up) then nas will get checked against nas.hypfer.de as well
10:39 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Remote host closed the connection]
10:40 < pekster> TTLs matter too
10:40 < hypfer> whats the option for that?
10:41 < pekster> Read your DNS docs, or ask ##networking
10:41 < hypfer> I've added verb 4 now
10:41 < pekster> OpenVPN doesn't care about such things. The BIND ARM has details about how zonefiles and TTLs work
10:42 < pekster> Or the domain is simply --dhcp-option DOMAIN
10:42 < pekster> ie: `--push dhcp-option DOMAIN` but no good if you insist on split-DNS anyway
10:42  * pekster shrugs
10:43 < hypfer> well thats interesting
10:43 < hypfer> if I'm in my wifi i can connect to my nas at nas
10:43 < hypfer> but if i'm on my wifi with vpn turned on i cannot resolv it
10:44 < pekster> DOn't use the VPN at home then...
10:44 < pekster> Or fix why your DNS is screwed up when you do
10:44 < hypfer> this is confusing :(
10:44 < pekster> And also fix why on earth you're using 10.227.0.10
10:45 < pekster> Your server is configured to hand that IP to the 2nd client that connects. Thta's insane
10:45 < pekster> Why on earth would you push that as DNS? Do you _really_ have a client there at that IP?
10:45 < pekster> You obviously haven't read the link on static VPN assignments either, becuase you can't use --server like that if you plan to assign that as a static IP
10:46 < pekster> I've NFI what you're trying to do, but it's not right at all
10:46 < pekster> !configs
10:46 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:46 < pekster> No ccd files
10:46 < pekster> No reference where your DNS is
10:46 < pekster> !addressing
10:46 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
10:47 < pekster> That is how you do static VPN assignment, but why is a VPN _client_ running DNS for your _server_ side LAN?
10:48 < hypfer> I just want to access that nas, but I can't port forward so I need the VPS to run the server
10:49 < pekster> huh?
10:49 < hypfer> It would be a lot easier if I could just port forward, right?
10:49 < pekster> !serverlan
10:49 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:49 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:50 < pekster> Follow that if you want to access server-LAN resources
10:50 < pekster> And FFS, don't push 10.227.0.10 as a DNS unless you make it a _static_ addressing. You haven't done that
10:50 < pekster> Read the references I gave you if you want/need that
10:50 < hypfer> Okay, will do
10:50 < pekster> Or just stop all this insanity and put your _real_ NAS IP (yes, the RFC1918 one) in public DNS, and push a route to your LAN
10:51 < hypfer> I think i'll try again tomorrow with a fresh start and more information
10:51 < pekster> RIght. You've given me almost nothing I've asked for, but your needs sound simple. Stop using "nas." as your FQDN. Use "nas.mylan.hypfer.de" or the like, and then it all works with real routing
10:51 < pekster> No stilly split DNS needed
10:52 -!- adamben [~Adam@binpress/adamben] has joined #openvpn
10:53 -!- adamben [~Adam@binpress/adamben] has quit [Quit: Computer has gone to sleep.]
10:54 < hypfer> uhm.. what IP shall I set for that? because if I get this right I have to put the vpn IP there, but if I put the VPN IP there I would be unable to connect to that hostname without the vpn
10:54 < pekster> No. Route to your LAN
10:54 < pekster> Your LAN-side VPN endpoint is the VPN server, or the VPN client?
10:54 < pekster> Either way, see !serverlan or !clientlan
10:55 < hypfer> the LAN-Side VPN endpoint is the NAS and the nas is the VPN Client
10:55 < pekster> !clientlan
10:55 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
10:55 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
10:55 < pekster> Do that, then put your _LAN_ IP for the NAS in DNS
10:55 < pekster> It'll work properly everywhere then
10:55 < hypfer> ah!
10:55 < hypfer> yeah, that makes sense :)
10:56 < hypfer> thanks!
10:59 < hypfer> uhm.. and there is nothing wrong with a global DNS entry which resolves to a 192.168.something IP?
10:59 < pekster> nope
11:00 < pekster> It obviously don't be of any use unless you're on the LAN or a VPN with access, but that's the whole point
11:00 < pekster> won't*
11:01 < hypfer> okay, well then I just have to find the folder with the credentials for the domain hsoter/provider/whatever
11:08 < hypfer> tbh it makes much more sense to me to use this real domain scheme
11:08 < hypfer> why didn't I use it in the first place?
11:14 < pekster> People get the misconception that RFC1918 is special. Besides the fact that it's not globally unique, it's not special at all
11:17 < hypfer> can I somehow get dnsmasq to update the global records then? (a bit OT)
11:27 < pekster> You should use static addressing for systems acting as servers
11:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:32 -!- mode/#openvpn [+v s7r] by ChanServ
11:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
11:40 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Quit: elfixit1]
12:13 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
12:29 -!- joshh20 is now known as joshh20-Away
12:42 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
12:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:58 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:00 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:02 -!- Latrina [~Latrina@adsl-ull-86-200.50-151.net24.it] has quit [Ping timeout: 252 seconds]
13:03 -!- Latrina [~Latrina@151.56.177.135] has joined #openvpn
13:07 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 265 seconds]
13:24 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
13:56 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:56 -!- mode/#openvpn [+v s7r] by ChanServ
14:12 < Aketzu> db down taitaakin tarkottaa too many connections
14:12 < Aketzu> meh, wrong window
14:12 < Aketzu> note to self: don't delete windows
14:35 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Ping timeout: 240 seconds]
14:40 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
14:47 -!- joshh20-Away is now known as joshh20
14:57 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:58 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:21 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
15:23 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
15:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:39 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 276 seconds]
15:44 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
16:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:32 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:56 -!- mapps [~map@4e6909d1.skybroadband.com] has joined #openvpn
16:56 < mapps> hey y'all
16:56 < mapps> i asked in here before and posted on the forum and tweeted..alas no replies..i run openvpn on my box and it works fine.however when using it on my ios device it will say pause (network unavaliable) when say the phone locks..
16:57 < mapps> but the network isnt down and you can discnnect/reconnect immediately
17:13 -!- Netsplit *.net <-> *.split quits: @raidz, @krzee, XJR-9, troyt, mushroomed, jareth_, dvl, tapout, ahf, _FBi,  (+36 more, use /NETSPLIT to show all of them)
17:15 -!- Netsplit over, joins: peper
17:16 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:18 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
17:19 -!- 18VAAWOQI [ahf@irssi/staff/ahf] has joined #openvpn
17:19 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
17:19 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
17:19 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:19 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
17:19 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
17:19 -!- ahf [~ahf@irssi/staff/ahf] has joined #openvpn
17:19 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
17:19 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
17:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:19 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:19 -!- pnielsen_ [~pnielsen@li301-93.members.linode.com] has joined #openvpn
17:19 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
17:19 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
17:19 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
17:19 -!- mushroomed [~mushroome@li173-111.members.linode.com] has joined #openvpn
17:19 -!- agentbob_ [anonymoose@unaffiliated/agentbob] has joined #openvpn
17:19 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
17:19 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
17:19 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has joined #openvpn
17:19 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
17:19 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
17:19 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has joined #openvpn
17:19 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has joined #openvpn
17:19 -!- antihero [~antihero@37.139.5.204] has joined #openvpn
17:19 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
17:19 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:19 -!- early [~early@192.241.198.49] has joined #openvpn
17:19 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
17:19 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
17:19 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
17:19 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:19 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
17:19 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
17:19 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
17:19 -!- Clone [~Clone@2001:470:d3a1::fa:cade] has joined #openvpn
17:19 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
17:19 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
17:19 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
17:19 -!- Intensity [eLAOKFFdr_@unaffiliated/intensity] has joined #openvpn
17:19 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
17:19 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
17:19 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:19 -!- ServerMode/#openvpn [+oooo krzee vpnHelper plaisthos raidz] by wilhelm.freenode.net
17:19 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
17:20 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
17:20 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Excess Flood]
17:20 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Max SendQ exceeded]
17:20 -!- Intensity [eLAOKFFdr_@unaffiliated/intensity] has quit [Write error: Broken pipe]
17:20 -!- andi [~andi@unaffiliated/fr00d] has quit [Write error: Broken pipe]
17:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
17:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:21 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
17:22 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:22 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
17:23 -!- 18VAAWOQI is now known as ahf_
17:23 -!- ahf [~ahf@irssi/staff/ahf] has quit [Write error: Connection reset by peer]
17:23 -!- ahf_ is now known as ahf
17:23 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:24 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:27 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
17:30 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:33 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
17:49 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:52 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has joined #openvpn
18:06 -!- adamben [~Adam@binpress/adamben] has joined #openvpn
18:13 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
18:38 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Excess Flood]
18:41 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
18:45 -!- adamben is now known as alch
18:45 -!- alch is now known as [alch]
18:52 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Excess Flood]
18:54 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
19:00 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
19:09 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
19:18 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
19:26 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
19:27 -!- Falcon| [andreas@shell.lamerschool.net] has quit [Ping timeout: 245 seconds]
19:30 -!- Falcon| [andreas@shell.lamerschool.net] has joined #openvpn
19:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:34 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
19:35 -!- joshh20 is now known as joshh20-Away
20:11 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 240 seconds]
20:21 -!- oceanquake [~quassel@unaffiliated/oceanquake] has joined #openvpn
20:22 < oceanquake> is it possible to get one openvpn server instance to listen for both udp and tcp on the same interface?
20:23 < pekster> No, you'd need 2 instances for that
20:31 < _FBi> ^
20:54 -!- [alch] [~Adam@binpress/adamben] has quit [Quit: Computer has gone to sleep.]
20:55 < oceanquake> pekster: thanks
20:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
20:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:59 -!- max__ [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
20:59 -!- max__ is now known as Guest7706
21:00 -!- Guest7706 [~max@c-71-231-120-93.hsd1.wa.comcast.net] has left #openvpn []
21:09 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:11 -!- warewolf [warewolf@warewolf.org] has joined #openvpn
21:11 < warewolf> huh, ok
21:11 < warewolf> !welcome
21:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:12 < warewolf> !goal
21:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:12 < warewolf> ok, nothing special beyond "don't ask to ask" & be clear.  No problem.
21:13 < warewolf> I'm trying to set up a virtual penetration testing lab.  I expect to have a bunch of bridge interfaces (linux br0, etc) that I want to tap into w/ openvpn
21:13 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 258 seconds]
21:13 -!- michaelhart_ is now known as michaelhart
21:14 < warewolf> considering using xinetd and multiple servers; because I'm not sure if openvpn in multi-client mode can specify which tap interface to connect to.
21:15 < pekster> --dev tapWhatever
21:15 < warewolf> I want to use taps because I want to use separate openvswitch bridges
21:15 < warewolf> pekster: yeah
21:16 < warewolf> pekster: the difficult or interesting part is the dynamic allocation of the tap (openvswitch bridge) interfaces, and telling openvpn connect to them
21:16 < warewolf> pekster: I'm not sure if the --dev tapWhatever can be used in a CCD?
21:16 < pekster> No, it's a _per_ instance thing
21:17 < pekster> If you can do what you want at the IP (OSI L3) layer, you could use policy routing
21:17 < warewolf> hrm, and I won't know which client has connected until *after* openvpn has stood up.
21:17 < pekster> ie: depending on the client connecting, set the IP up with policy routing rules to send it to a particular network
21:17 < warewolf> right
21:18 < warewolf> openvswitch is l2 though :/
21:18 < pekster> Just have your clients connect to a unique instance
21:18 < warewolf> separate ports?
21:19 < pekster> It sounds like you're already identifying them by X509 CN anyway, so you don't lose anything by just sending them to a different instance to begin with
21:19 < pekster> That, or clever NAT if you have some other way to differentiate your source connections
21:19 < warewolf> yeah, full blown x509 is where I expect to be - for identification, and for revocotation of access
21:19 < pekster> Either way it's a client-side change. What does it matter if you do it by the port in the client config, or cert?
21:20 < pekster> You're making this more complicated by trying to bind the CN to a particular VLAN
21:20 < warewolf> you just read my mind :) I was about to ask that next
21:21 < pekster> `remote your.server.sexy 1194` verses `remote your.server.sexy 1195` for instance (yes, that's a new gTLD ;)
21:21 < warewolf> but then that port has the same value/effectiveness as the x509 CN
21:22 < pekster> Except that it actually works without hackary
21:22 < warewolf> I don't mind hackery, aslong as I can automate it
21:23 < warewolf> iptables, ebtables, vlans, etc are all at my disposal, just not sure how just yet.
21:25 < pekster> Just use the port. What's so special about "magically" doing this by CN verses "magically" doing it by port number in the config?
21:25 < pekster> Better yet, just give each client its own unique port to connect to with a unique tap (you need that anyway it sounds like.) Bind each instance (ie: "client") to a VLAN on your vSwitch by bridging it where you want it
21:26 < pekster> Each instance only eats about ~4MB of RAM, so that should be no big deal on modern hardware
21:26 < warewolf> right. hmm.
21:28 < warewolf> I guess I want this to be as stupid-simple as possible for the clients, having to tell someone "Oh, change the port from 1194 to 1200" if someone else gets attached to 1194
21:29 < pekster> Don't duplicate them. Problem solved
21:29 < pekster> How on earth is generating a new RSA keypair, signing a new X509 cert, and sending it back "easier" than a port change?
21:29 < pekster> (hint: it's not)
21:30 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 265 seconds]
21:33 < warewolf> but then at some point I run out of ports.
21:34 < warewolf> this setup is going to start out small - so that will scale for some period of time, but I don't know how large it will become
21:34 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
21:34 < pekster> Add an IP. IPv6 gives you 2**64 IPs, each of which can have 65,535 usable ports
21:34 < pekster> Pretty sure you'll run out of resources before that
21:35 < pekster> Unless you need more than 2**64*65535 instance, or 1208907372870555465154560 of them. Is that enough?
21:35 < warewolf> the math lesson was unnecessary :P
21:36 < warewolf> yes I get it I'm being somewhat obtuse :)
21:36 < warewolf> I do want it to be dynamic, as simple as possible for clients, and I want to control access via recocation of certs
21:37 < pekster> Maybe dynamic NAT (so each client points to the same port, but gets NAT'd do the "next free server instance") and then you take the floating tap device on that instance a bridge it dynamically based on the CN
21:38 < pekster> You'd need to figure out how to get the NAT to work properly, but tap devices don't have to "go" anywhere upfront, and can be relocated by your OS bridging tools as you want
21:38 < warewolf> right
21:38 < warewolf> I could pre-allocate like 30 tap/ovs bridges
21:38 < pekster> I really don't get your backend use-case, but I'm content to ignore that
21:39 < warewolf> then as a client connects, do the virtual machine stuff I need to do
21:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:07 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
22:14 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
22:16 < joako> If a server hosts two openvpn connections is it possible to route traffic from one remote end to another?
22:16 < pekster> You just described routing
22:17 < warewolf> hah
22:18 < joako> What would be the correct way to configure it? Right now the traffic is passing one way, for e.g. in a packet capture I see the ping sent from server to client, but the client does not respond.
22:19 < joako> I tried to add a push route on the server but when I add that the client connection starts to cycle on and off constantly.
22:20 < pekster> Set up routes on both ends such that they get pushed routes to the other
22:21 < joako> Client #1 is already sent to route all the traffic through openVPN. But when I add the push route in client #2 then client #2 connection does not stay active.
22:29 -!- u0m3 [~u0m3@92.80.99.171] has quit [Ping timeout: 265 seconds]
22:58 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
23:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:57 -!- ShadniX [dagger@p5DDFC3AF.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:59 -!- ShadniX [dagger@p5DDFDB41.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon May 19 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:10 < aPollO2k> guten morgen
00:10 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 252 seconds]
00:27 < _FBi> :)
00:29 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 252 seconds]
00:35 -!- oceanquake [~quassel@unaffiliated/oceanquake] has quit [Remote host closed the connection]
00:36 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
01:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:32 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 276 seconds]
01:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:36 < james41382> I want to setup my router (openwrt) to connect to a vpn and then have all the traffic go through that connection.
01:36 < james41382> I am able to connect to the vpn as a client with the router and when I edit /tmp/resolv.conf.auto with the dns server entries for the vpn i can query the router to get an address fine, but it can't get out to the internet.
01:37 < james41382> Any ideas?
02:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
02:09 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:19 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:23 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
02:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
02:40 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:51 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
03:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
03:11 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
03:11 -!- dazo_afk is now known as dazo
03:12 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:12 -!- mode/#openvpn [+o mattock] by ChanServ
03:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
03:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
04:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:47 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer]
04:49 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
05:15 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
05:17 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
05:26 -!- Latrina [~Latrina@151.56.177.135] has quit [Ping timeout: 240 seconds]
05:35 -!- Latrina [~Latrina@adsl-ull-184-255.45-151.net24.it] has joined #openvpn
05:42 -!- u0m3 [~u0m3@92.80.103.166] has joined #openvpn
06:34 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
07:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:29 -!- early [~early@192.241.198.49] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
07:32 -!- early [~early@192.241.198.49] has joined #openvpn
07:32 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
07:49 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
07:51 -!- Oliver_Hart [~Oliver@unaffiliated/oliver-hart/x-1433647] has joined #openvpn
07:55 -!- Oliver_Hart is now known as olih
08:00 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
08:03 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
08:39 -!- pnielsen [~pnielsen@li126-205.members.linode.com] has quit [Ping timeout: 240 seconds]
08:43 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:03 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
09:06 < soapee01> I've got two different installs of openvpn.  Both sites have a client/server database driven app (mssql on one, not sure the other). Remote VPN client's connections are insanely slow.  RDP on the other hand to a desktop on the LAN which runs the client is very quick. Can anyone offer pointers as to where I can look to find what's causing db connections to be so slow? Seems like a few sql queries should be significantly faster tha
09:06 < soapee01> n a full remote desktop session.
09:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:31 <@ecrist> sounds like reverse DNS or crummy routing
09:32 < soapee01> ecrist reverse dns?
09:32 <@ecrist> many applications like to look up reverse DNS on IPs upon connection
09:32 <@ecrist> VPN IPs routinely have no valid reverse DNS
09:33 <@ecrist> just a guess with no real imperical data other than you thinking they're slow.
09:33 < soapee01> dns should be pushed via the vpn.
09:33 < soapee01> i'm trying to get ahold of the vendor and see how they configured the client
09:33 < soapee01> figured going by ip if it's not set up that way would be better
10:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
10:28 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
10:35 -!- pEYEd [~bastard@ool-435339b8.dyn.optonline.net] has joined #openvpn
10:35 < pEYEd> following an update, openvpn is down and the error tells me little in debug mode   http://paste.ee/p/RgmF7
10:41 < reiffert> May 19 15:32:27 router1 openvpn[19346]: Exiting due to fatal error
10:41 < reiffert> ouch
10:42 < reiffert> run it through strace
10:42 < reiffert> strace -f -s 1024 -o/tmp/out openvpn --daemon --config /etc/openvpn/you-server-config.ovpn
10:43 < reiffert> does it also crash?
10:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:01 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
11:01 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:03 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
11:04 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 258 seconds]
11:07 -!- Himmler [~Heinrich@0x3e2c873c.mobile.telia.dk] has joined #openvpn
11:07 < Himmler> !welcome
11:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:10 < Himmler> I am attempting to do a "Linux > OpenVPN client > Tor > OpenVPN server > Internet" setup. Im using the socks-proxy setting for this. It connects without problems. But once the routing is done, it breaks. My guess is that a loop is created since tor listens on 127.0.0.1. How do I get around this? I am using Liberte Linux.
11:13 < Himmler> !route
11:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
11:13 <@vpnHelper> client
11:20 -!- raidz is now known as raidz_away
11:22 -!- Himmler [~Heinrich@0x3e2c873c.mobile.telia.dk] has quit []
11:28 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
11:29 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
11:52 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
11:53 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
11:53 -!- mapps [~map@4e6909d1.skybroadband.com] has quit [Ping timeout: 240 seconds]
11:53 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 258 seconds]
11:54 -!- mapps [~map@2e40ec71.skybroadband.com] has joined #openvpn
11:56 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
11:58 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 276 seconds]
12:04 <@dazo> krzee: Seen this one?  https://twitter.com/ggreenwald/statuses/468435860153987072
12:04 <@vpnHelper> Title: Twitter / ggreenwald: Also REVEALED: The names of ... (at twitter.com)
12:05 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
12:15 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:58 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
13:00 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
13:15 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:46 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
13:59 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:10 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
14:10 < Mike--> !configs
14:10 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:10 < Mike--> !goal
14:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:10 < Mike--> !ccd
14:10 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
14:11 < Mike--> !server
14:11 <@krzee> dazo, i had not seen it, thanks
14:12 < Mike--> is there an elaborate example/howto for ccd with ccd-exclusive
14:12 <@dazo> krzee: I guess your own voip service can benefit from this :-P
14:13 <@dazo> Mike--: ehm .... you put ccd-exclusive in your main server config ... and all clients must have a --ccd file to be able to connect
14:13 < Mike--> I know
14:13 < Mike--> I was looking for the ranges
14:13 <@dazo> Ranges?
14:13 < Mike--> if I setup server 172.16.0.0 255.255.0.0
14:13 < Mike--> do I just pick /30's from that range
14:13 < Mike--> ?
14:13 <@dazo> --ccd-exclusive has nothing to do with IP addresses
14:14 < Mike--> let me put it differently
14:14 < Mike--> I am setting up a vpn server
14:14 < Mike--> using tcp and tun
14:14 < Mike--> and I require every client to have a ccd
14:14 < Mike--> based on certificates
14:14 < Mike--> and those clients get a static ip
14:14 < Mike--> so I need to know if I need to define an extra range in the config
14:15 < Mike--> or if I can use the 'server 172.16.0.0 255.255.0.0' range for that
14:15 <@dazo> no, it all goes from the same pool you already have
14:15 <@krzee> or you could script the static ips
14:15 <@dazo> if you want particular clients to get a specific address or outside that range ... you need to script it
14:15 <@krzee> if you wish
14:15 < Mike--> in the example I setup the openvpn server without '--ccd-exclusive'. How does it know which ip's are taken?
14:15 <@krzee> !client-connect
14:15 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
14:16 <@dazo> Mike--: OpenVPN server keeps track of which IP addresses it has used .... if you want static IPs, you need to script it with --client-connect
14:16 <@krzee> if you dont want to deal with ccd entries for every single cert, you can build whatever sort of management system you want with that ^ db driven or single flat file, whatever you can script up
14:17 < Mike--> I understand you, maybe I'm asking the question wrong
14:17 < Mike--> let's say I have dynamic ip clients and static ip clients
14:17 < Mike--> can I use ccd for that?
14:17 <@dazo> Mike--: not sure what you really try to accomplish, but I went in something similar to you many years ago .... and ended up writing !eurephia instead
14:17 <@krzee> it doesnt, do not give out static ips from your dynamic pool
14:17 <@krzee> just like with dhcp
14:18 <@dazo> Mike--: and with eurephia, I didn't need to care for static IPs any more
14:18 <@krzee> dazo, what happens if dynamic client gets .2 and then a client with static ip .2 comes onto the vpn?
14:18 < Mike--> krzee: ok. So I need to add a seperate 'route' entry for the static ip pool
14:19 <@krzee> if someone does not properly give a static ip from another subnet than their dynamic pool (which is wrong)
14:19 < Mike--> krzee: that's the scenario I was talking about
14:19 <@dazo> krzee: oh, I see ... I dunno how to really avoid that, except scripting it
14:19 <@krzee> Mike--, or a single route which covers the entire static subnet
14:19 <@krzee> like they do here:
14:19 <@krzee> !policy
14:19 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
14:19 <@krzee> #1 (from howto)
14:20 < Mike--> that's it krzee
14:20 < Mike--> I knew I read it somewhere, couldn't find it
14:20 <@krzee> dazo, right, but what happens?
14:20 < Mike--> thanks
14:20 <@krzee> does dynamic .2 get booted?
14:20 <@krzee> do they fight over it?
14:20 <@krzee> does the server choke and die?
14:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
14:20 <@dazo> krzee: I honestly have no idea ... I guess the static client gets another dynamic IP instead
14:21 <@krzee> i have never ran into it in the years i been here, i guess you have not either
14:21 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
14:21 <@krzee> thats what we get for doing things correctly lol
14:21 <@dazo> krzee: as I said, I wrote eurephia to avoid these issues :)
14:21 < Mike--> krzee: in the scenario where I use ccd-exclusive. Is there a reason I would want to add 'server 172.16.0.0 255.255.0.0' ?
14:21 < Mike--> other than it configures the tun0 with the first ip?
14:21 <@krzee> and you named it for confusion!
14:21 <@krzee> hahaha
14:22 <@dazo> hehe :)
14:22 <@dazo> I considered openvpn-enterprise .... but thought that would give me too much trouble :-P
14:22 <@krzee> Mike--, not especially, you can look at --server and replace it with the entries it uses (as they apply to your config)
14:22 <@krzee> --server is simply a helper option, it expands to many other config options
14:23 < Mike--> ok
14:23 <@krzee> instead of --server you may simply use those options that --server calls, and then you can modify them
14:23 < Mike--> will need to deep dive into that
14:23 <@krzee> !man
14:23 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:23 <@krzee> ^ there
14:24 <@krzee> dazo, did you ever get a chance to look at this:
14:24 <@krzee> !redirect_override
14:24 <@krzee> !redirect_ignore
14:24 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
14:25 <@krzee> im sure method 1 needs more explanation and maybe examples (ive never used those options)? but overall how does it look
14:26 <@dazo> heh ... method 2 is clever
14:26 <@dazo> actually, the second 4 rules would work no matter what
14:27 <@dazo> you might even be able to set: route 0.0.0.0 0.0.0.0 net_gateway
14:27 <@krzee> hey hey i didnt think about the fact that thesecond example from method 2 always works
14:28 <@krzee> hmm i wonder if route 0.0.0.0 0.0.0.0 net_gateway would work? or if it would be overwritten by pushed options from the server
14:28 <@krzee> i guess if they use def1 it would not work either way tho
14:28 <@dazo> otherwise, this looks reasonably good ... but, yeah, method 1 needs some more info ... but it drafts a frame for how to solve it
14:28 <@krzee> since even if it runs the command it would be overridden
14:29 <@krzee> ya i figured if i put a stub for method 1 someone else could pretty it up, since i cannot
14:29 < Mike--> in topology subnet, every client could connect to another client. is this still regulated by the 'client-to-client' directive?
14:29 < reiffert> get a routing protocol
14:29 <@krzee> Mike--,
14:29 <@krzee> !c2c
14:29 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
14:29 <@vpnHelper> other clients
14:29 <@krzee> topology does not change that
14:29 <@dazo> or you can use --route-up script to remove the default gateway ... but then it's probably easier to use a --route-up which filters the default gateway
14:30 <@krzee> the thing with removing is knowing if its def1 or not
14:30 <@krzee> filtering would be easier methinks
14:30 <@dazo> agreed
14:31 <@krzee> i like the point you made that the 4 routes *always* works
14:31 <@krzee> i must mention that in the page
14:31 < Mike--> ok, so as long as client-to-client is not enabled and ip_forwarding=0 the clients should not be able to reach eachother?
14:31 <@krzee> Mike--, correct, but why not make a firewall rule on the server as well just for fun
14:31 <@krzee> in the forward chain
14:32 < Mike--> totally
14:32 <@dazo> Mike--: with ip_forwarding, nobody will be able to access anything else than your vpn server
14:32 < Mike--> but just covering my basics
14:32 <@krzee> that way if you add forwarding some day, you are still cool
14:32 <@krzee> dazo, you mean without ^
14:32 <@dazo> Mike--: no network behind the VPN server at
14:32 <@dazo> yeah, without!
14:33 <@dazo> fingers are slower than brain :)
14:33 < Mike--> thanks guys. Just need to cover my bases to get this correct
14:35 < Mike--> am I missing something or is there a part missing about tun and topology subnet in the --server manual page?
14:35 <@krzee> yw
14:35 < Mike--> wait
14:35 < Mike--> just found it
14:35 < Mike--> if dev tap OR (dev tun AND topology == subnet):
14:35 < Mike--> read dev tap AND
14:35 < Mike--> my bad
14:36 <@dazo> Mike--: the default is --topology net30 ... which can be quite confusing to work with (but the traditional way) ... using --topology subnet helps and provides more efficient use of the ip range
14:36 <@krzee> there, page updated to reflect method 2 with 4 routes ALWAYS works
14:37 < Mike--> dazo: read that :)
14:37 < Mike--> Subnet topology is the current recommended topology; it is not the default as of OpenVPN 2.3 for reasons of backwards-compatibility with 2.0.9-era configs. It is safe and recommended to use subnet topology when no old/outdated clients exist that are running OpenVPN 2.0.9 under Windows.
14:37 <@krzee> dazo, i thought up method 2 while explaining to someone how to chain VPNs using only vpn providers you do not run the servers of
14:37 < Mike--> I am setting up  a new archictecture
14:37 < Mike--> so all clients will be newer
14:37 <@krzee> with nothing more than creative routing
14:37  * dazo sees he speaks in partial sentences ... so he decides to call it a day :)
14:37 < Mike--> so I'm going for subnet :)
14:38 <@dazo> makes sense!
14:38 <@krzee> ya topology net30 really never makes sense anymore
14:38 <@krzee> it only exists because before topology subnet was invented there was no other way to handle windows client addressing correctly
14:38 <@krzee> and now its default for backwards compatibility
14:39 < Mike--> I would hope that the default changes in 3.0 ;)
14:39 <@krzee> i hoped it would in like 2.2
14:39 <@krzee> im not holding my breath
14:39 <@krzee> haha
14:40 <@krzee> it has been talked about, it's not a new idea
14:40 < Mike--> hehe
14:40 <@krzee> but the reason not to makes plenty sense
14:41 <@krzee> people have existing setups that might depend on the addressing, care is taken to ensure that upgrading will not explode their setups unless absolutely necessary
14:41 < Mike--> I understand :)
14:41 <@dazo> James is not really happy about changing defaults ... he hates breaking setups, as that gives them a support storm never ending dimensions
14:41 < Mike--> but changing major version normally means there will something that breaks
14:42 <@dazo> we tried that with 2.3 ... and 2.3.1 came pretty quick
14:42 < adaptr> dazo: so openvpn works over string theory, then?
14:42 <@krzee> ild assume we'ld take the brunt of that support storm
14:42 <@dazo> adaptr: openvpn eats string therory for breakfast
14:42 <@krzee> jjk would go days without sleep
14:42 <@krzee> hahaha
14:42 < adaptr> "never ending dimensions"
14:42 <@dazo> :)
14:47 -!- dazo is now known as dazo_afk
14:52 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 245 seconds]
14:53 -!- mnathani [~mnathani@constance.winvive.com] has quit [Ping timeout: 240 seconds]
14:54 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
14:54 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 252 seconds]
14:54 -!- roger_rabbit [~roger_rab@unaffiliated/roger-rabbit/x-7769789] has quit [Ping timeout: 245 seconds]
14:55 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
14:55 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
14:55 -!- joshh20-Away is now known as joshh20
14:57 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
14:57 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
14:57 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:58 -!- raidz_away is now known as raidz
15:00 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
15:01 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 252 seconds]
15:04 < Mike--> krzee: is it correct that "topology subnet" is missing from that example in manual?
15:04 <@krzee> its not part of --server
15:05 <@krzee> thats under --topology
15:05 < Mike--> I thought it was
15:05 < Mike--> my bad
15:05 < Mike--> thanks
15:05 < Mike--> openvpn server starts :>
15:05 < Mike--> wee
15:06 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
15:08 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
15:08 -!- ahf [ahf@irssi/staff/ahf] has left #openvpn []
15:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:54 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 258 seconds]
15:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:59 -!- hiyo [~Puppy@unaffiliated/hiyo] has joined #openvpn
16:00 < hiyo> I am having trouble connecting my VPN though a firewalled network, is it possible that it is being actively blocked even though it is running on port 443 and the firewall allows HTTPS traffic?
16:11 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:15 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
16:34 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
16:41 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 29.0.1/20140506152807]]
17:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:06 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
17:26 -!- hiyo [~Puppy@unaffiliated/hiyo] has left #openvpn []
17:29 < _FBi> sup krzee
17:45 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Excess Flood]
17:51 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
18:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:06 <@krzee> sup man
18:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
18:54 < brianblaze420> can someone explain generating keys for my openvpn server
18:54 < brianblaze420> on ubuntu
18:55 < brianblaze420> I am kind of a noob to this and am not sure what to do with my /etc/openvpn/easy-rsa/ directory
18:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:01 < rob0> For one thing, I would not put it there. I would get it in a non-root-owned place on a machine other than the server. (Preferably not even a client.)
19:01 < rob0> I don't actually use easy-rsa, but I think it is documented.
19:02 < brianblaze420> ya i found more stuff on it
19:02 < brianblaze420> what do u reccommend
19:03 < brianblaze420> I am open for suggestions haha
19:03 < rob0> I don't recommend NOT using easy-rsa. I recommend NOT using easy-rsa as root and NOT on the server.
19:03 < rob0> all tied up in NOTs
19:04 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:05 < brianblaze420> oh ok
19:05 < brianblaze420> i feel u like not using ssh keys as root lol
19:15 <@krzee> also, if i were you and i was going to use easy-rsa, i would use easy-rsa3
19:15 <@krzee> !easy-rsa
19:15 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
19:15 <@krzee> its not the version bundled by your OS
19:15 < brianblaze420> cool
19:15 < brianblaze420> but what do u mean by not running it on my server
19:15 < brianblaze420> where else woudl i run it?
19:15 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
19:16 < brianblaze420> thanks for the info by the way :)
19:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:20 < pekster> See the wiki howto linked from the above URL. Keep your CA on a secure environment
19:21 -!- NChief [~nchief@unaffiliated/nchief] has quit [Ping timeout: 240 seconds]
19:21 < pekster> At the very least it should be under a secured account, but if you have a server you almost never want your CA key on that
19:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:29 < brianblaze420> good to know for sure i'll look into it thanks
19:32 < brianblaze420> so if i can make a ca key on another pc in my network and direct it from my srever to that?
19:43 < brianblaze420> igh i got so much to learn :)
19:43 < brianblaze420> *sigh*
19:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
19:56 -!- joshh20 is now known as joshh20-Away
20:09 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
20:09 -!- max__ [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
20:10 -!- max__ is now known as Synthead
20:27 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
21:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
21:30 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
21:35 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
21:45 -!- mapps [~map@2e40ec71.skybroadband.com] has quit [Ping timeout: 240 seconds]
21:46 < warewolf> pekster: I think I settled on a solution - at least a concept that is viable for what I want
21:46 -!- mapps [~map@5ec206a7.skybroadband.com] has joined #openvpn
21:46 < warewolf> pekster: inetd nowait, tcp server, tap, custom --up script that attaches a tap device to an openvswitch as an "access port" on a particular vlan.
21:47 < warewolf> pekster: thanks for getting me reading the docs more :)
21:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:18 -!- pEYEd [~bastard@ool-435339b8.dyn.optonline.net] has left #openvpn []
23:26 -!- justinzane [~justinzan@24.49.184.42] has quit [Ping timeout: 240 seconds]
23:27 -!- justinzane [~justinzan@24.49.184.42] has joined #openvpn
23:57 -!- ShadniX [dagger@p5DDFDB41.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:58 -!- ShadniX [dagger@p5DDFE20E.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue May 20 2014
00:52 -!- Iniag [~Niagara@l37-193-108-45.novotelecom.ru] has joined #openvpn
00:53 < Iniag> !welcome
00:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:57 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:01 < Iniag> !howto
01:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
01:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:21 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Ping timeout: 240 seconds]
01:30 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
01:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
01:33 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:35 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
01:43 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:14 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:18 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
02:21 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:37 -!- Netsplit *.net <-> *.split quits: bashusr, clu5ter, alexxtasi, outofbounds
02:38 -!- Netsplit over, joins: bashusr
02:51 -!- mcp [~mcp@wolk-project.de] has quit [Read error: Operation timed out]
02:51 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Read error: Operation timed out]
02:51 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
02:56 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:56 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:56 -!- mattock_afk is now known as mattock
02:56 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
03:03 -!- mapps [~map@5ec206a7.skybroadband.com] has quit [Ping timeout: 240 seconds]
03:03 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
03:31 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
03:39 -!- dazo_afk is now known as dazo
04:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:42 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
04:43 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Quit: irc panic]
04:43 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
04:47 -!- temporary_questi [~temporary@unaffiliated/temporary-questi/x-9097157] has joined #openvpn
04:48 < temporary_questi> hi, if i have multiple different configuration files for different VPN servers (say, one in france, rome, italy and germany), how can i have openvpn connect to a one of the servers at random? would i have to change up/down.sh to do that, or is there an option i can set?
05:05 <@dazo> temporary_questi: have multiple --remote statements (or <connection> blocks) in your client config and add --remote-random
05:05 <@dazo> see man page for more info
05:05 <@dazo> !man
05:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
05:06 -!- olih [~Oliver@unaffiliated/oliver-hart/x-1433647] has quit [Ping timeout: 252 seconds]
05:11 < temporary_questi> whoops, i misspoke. i meant, how can i connect to a random server when i connect, would --remote and --remote-random still be useful? what i want is to be able to type "sudo openvpn" or something, and have it use a random one of the config files
05:12 <@dazo> yes, exactly ... using multiple --remote will make openvpn connect to the first one it gets contact with ... using --remote-random, it will "reorder" that list each time openvpn starts, so which server it chooses will be more "unpredictable"
05:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
05:44 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 264 seconds]
05:44 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
05:49 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
05:52 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
05:57 -!- Iniag [~Niagara@l37-193-108-45.novotelecom.ru] has left #openvpn []
06:04 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
06:14 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
06:23 -!- dajoker [~dajoker@unaffiliated/dajoker] has joined #openvpn
06:24 < dajoker> Silly question: Is the source for OpenVPN Access Server available, or is that a closed-source project?  I have not found it yet, but am not sure if it'd be in the main OpenVPN git repo even if it was available.
06:27 <@plaisthos> dajoker: it is closed source
06:28 <@plaisthos> the openvpn part is GPL'ed and identical to the git source code
06:30 < dajoker> plaisthos: thanks for the reply
06:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:39 -!- dajoker [~dajoker@unaffiliated/dajoker] has left #openvpn []
06:54 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:30 -!- derRichard [~derRichar@pippin.sigma-star.at] has left #openvpn []
08:43 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
08:51 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
08:53 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
09:00 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:14 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
09:17 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:17 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:27 -!- monkeyhybrid [~monkeyhyb@unaffiliated/monkeyhybrid] has joined #openvpn
09:29 < monkeyhybrid> What is the different purpsoes of the 'cipher' and 'tls-cipher' options? Is one for authentication and the other for payload encryption? Or does one make the other redundant?
09:30 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 276 seconds]
09:40 <@plaisthos> monkeyhybrid: data and control channel
09:40 <@plaisthos> !cipher
09:40 <@plaisthos> !tls-cipher
09:40 <@vpnHelper> "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
09:40 <@plaisthos> hm
09:40 <@plaisthos> no factoid for that
09:41 < monkeyhybrid> !cipher
09:46 < monkeyhybrid> interesting read, thanks for the info guys
09:46 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
09:47 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
09:48 < Daemoen> hmmm, have an interesting situation, curious if anyone else has any ideas where to look.  have openvpn server running on fedora 20... this is behind a juniper SRX firewall.  it is setup via routing, the openvpn network is added as a static route on the juniper so that all hosts are able to reach the vpn and the vpn can reach all hosts...
09:49 < Daemoen> it starts getting interesting because the openvpn server is a *vm* on another machine, and it can ssh to the openvpn server, it can ssh to *most* other hosts, but it cannot do anything other than ping to the vm host that hosts it, or any of the other vms on that box... so ping works, no ssh, no http, no https
09:49 < Daemoen> not sure if i need to enable promiscuos on the bare interface of the vmhost or not.... given that it is pinging... traffic is flowing
09:54 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
09:55 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
09:59 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:07 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
10:18 -!- zapotek6 [~zap@213.149.219.85] has quit [Ping timeout: 258 seconds]
10:51 -!- Denial [Denial@176.250.235.182] has quit []
11:00 -!- Denial [Denial@176.250.235.182] has joined #openvpn
11:05 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
11:14 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
11:18 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
11:26 -!- monkeyhybrid [~monkeyhyb@unaffiliated/monkeyhybrid] has quit [Quit: Be seeing you.]
11:37 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
11:40 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
11:42 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Excess Flood]
11:42 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
11:58 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:11 -!- Pisuke is now known as Sembei
12:18 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:21 -!- zapotek6 [~zap@host145-84-dynamic.8-87-r.retail.telecomitalia.it] has joined #openvpn
12:42 -!- zapotek6 [~zap@host145-84-dynamic.8-87-r.retail.telecomitalia.it] has quit [Quit: Leaving.]
12:43 -!- Denial [Denial@176.250.235.182] has quit []
12:46 <@krzee> if ping works and other traffic does not, i would look at firewalls
12:50 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
12:50 -!- Denial [Denial@176.250.235.182] has joined #openvpn
13:21 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
13:32 <@ecrist> indeed
13:34 < Eugene> i would look at boobie photos on the internet, but that's be
13:34 < Eugene> me.
13:35 < stemid> I'm only wondering if openvpn is capable of solving my problem, I have an annoying proprietary VPN software I have to use in a VM because when it's on it redirects default gw. my goal is to setup my own openvpn server in this vm (windows 7) to which I can connect from the Host machine and access the guest machines internet as if I was on the proprietary vpn.
13:36 < stemid> so to run them simultaneously. and this closed product is juniper networkconnect.
13:37 < Eugene> so you want to redirect your vm hosts network via a guests (other product) vpn?
13:37 < stemid> well on my vm host I'd be able to only redirect certain routes. it's only the juniper cline that needlessly takes over default route.
13:37 < stemid> but yes
13:37 < stemid> that's the gist
13:37 < Eugene> openvpn isn't needed there. just set up routing on the Host to the Guest, and have the guest do ip masquerading
13:38 < stemid> ok thanks I will look into that.
13:38 < Eugene> i mean, you could. but needlessly complex
13:38 < stemid> I'm not expecting it to be easy to set this up on a windows guest. I know very little about windows.
13:39 < Eugene> oh, windows as a routing box. expect pain.
13:39 < stemid> lol
13:40 < stemid> just a few days ago I found out something brand new about windows when an intern decided to try and make a gateway in a lab vm in a live vmware environment. he didn't google, he just instinctively selected all NICs, and bridged them. the whole ESX host went down because the VM started sending spanning tree packets and the switch ports closed :D
13:40 < stemid> anyways, time to google
13:40 < Eugene> yup, hilarity ensues
13:46 < stemid> I assume you mean the VM in bridging mode then?
13:46 < stemid> not sure if the virtual NAT would work
13:46 < stemid> since the hypervisor needs to explicitly forward ports
13:49 < stemid> actually private LAN to the hypervisor and the guest seems best. nevermind
13:51 -!- dazo is now known as dazo_afk
13:56 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
14:10 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:21 -!- vaxerdec [~smcdermot@c-174-62-90-169.hsd1.ca.comcast.net] has joined #openvpn
14:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:29 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 258 seconds]
14:30 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
14:33 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:34 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:46 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
14:50 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:50 -!- mode/#openvpn [+o mattock_afk] by ChanServ
14:50 -!- mattock_afk is now known as mattock
15:01 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
15:01 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
15:06 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
15:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
15:20 -!- joshh20 is now known as joshh20-Away
15:21 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
15:22 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
15:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
15:27 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
15:27 -!- Daniel_Chan [~Daniel_Ch@CPEf46d0499190e-CMbc1401311080.cpe.net.cable.rogers.com] has joined #openvpn
15:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:27 < Daniel_Chan> After reading all day about tap / dhcp I've yet to answer whether all traffic is routed if bridging eth1 / tap0
15:28 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
15:28 < Daniel_Chan> I'm assuming it does in fact route all traffic - the question is does it have to?
15:30 < reiffert> the question is do you want it to?
15:30 < Daniel_Chan> I'm trying to have the same subnet for two remote locations using a single dhcp server, yet only route traffic destined for the bridged nets whilst internet traffic goes to the internet - without passing through the other VPN server
15:31 < reiffert> same subnet, one dhcp server makes me think there are two gateways one on either end
15:32 < reiffert> questions answered I guess.
15:32 < Daniel_Chan> say office1 (ovpn server) is 10.0.1.0/16 and office2 (ovpn client) is 10.0.2.0/16 -- I've network services in the 10.0.1.0/16 but I don't want to route google.com to 10.0.1.0/16 (ovpn server)
15:33 < Daniel_Chan> to should read through in that last sentence.
15:33 < Daniel_Chan> I should be able to hit www.mydomain.com (10.0.1.100) from the 10.0.2.0/network
15:33 < reiffert> the dhcp server will hand office1-gateway to office2 clients.
15:33 < Daniel_Chan> reiffert: yes, that is ideal
15:34 < reiffert> it's not.
15:34 < Daniel_Chan> However I don't want to route office2 internet traffic through office1
15:34 < reiffert> the dhcp server .. is it running on your bridge?
15:34 < Daniel_Chan> I want a centralized dhcp server and to send broadcast stuff (arp, mdns, etc) through
15:35 < reiffert> I fully understand. So here's the deal.
15:35 < Daniel_Chan> It's currently just tun0 with server at 10.55.x.x - it routes fine but both gateways have different dhcp pools and printers / mDNS are not shared.
15:35 < reiffert> the bridge will know from which interface the dhcp requests are coming from
15:35 < reiffert> y/n?
15:36 < adaptr> the bridge will know the MAC. it doesn't care about "interfaces"
15:36 < Daniel_Chan> I believe so - office1 has two physical ifaces (eth{0,1}) -- 0 is public dhcp from rogers, 1 is 192.168.1.1
15:36 < reiffert> adaptr: good point.
15:36 < Daniel_Chan> tap is layer2 I understand.
15:37 < reiffert> adaptr: my point is to have all those dhcp requests entering the bridge via tap0 hit different dhcp settings
15:37 < Daniel_Chan> If eth1 (local ethernet) is bridged to tap0 - would traffic destined for inter go through the firewall or just straight out (I think that's the real question).
15:37 < Daniel_Chan> I can have dhcpd listen on iface tap0 and eth1
15:37 < adaptr> reiffert: that will only happen if you hard-code the hosts (by MAC). it will still only be one range.
15:37 < reiffert> adaptr: which would then allow to offer the local gateway to both scopes.
15:38 < reiffert> adaptr: you can split ranges.
15:39 < reiffert> adaptr: ebtables should be able to do that for you
15:39 < adaptr> ah, yes.
15:39 < adaptr> userspace, so expensive as fuck, but that hardly matters for the DHCP slowboat.
15:40 < adaptr> you can do a thousand DISCOFFERACKS a second in userspace
15:40 < reiffert> should be enough for his /24 VLS
15:40 < reiffert> N
15:41 < Daniel_Chan> Following the official OpenVPNBridging guide it does not specify if internet traffic is routed straight through the internet or is forced through the bridge...
15:41 < reiffert> you get the ide Daniel_Chan do you?
15:41 < reiffert> ide=idea
15:41 < Daniel_Chan> Not exactly, no.
15:41 < reiffert> where's your dhcp server running?
15:41 < Daniel_Chan> office1
15:42 < reiffert> on the layer 2 bridge itself?
15:42 < Daniel_Chan> Yes - I'll be bridging eth1 (local) to tap0
15:42 < reiffert> does the dhcp server run on the same box?
15:42 < Daniel_Chan> Yes.
15:42 < Daniel_Chan> DHCPd will listen on br0
15:43 < reiffert> good. split the scope into 10.0.1.0/24 and 10.0.2.0/24
15:43 < Daniel_Chan> Yes - that wont be a problem.
15:43 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:43 < reiffert> tell dhcpd to answer all dhcp requests entering the bridge via eth1 to answer with 10.0.1.0/24 settings
15:43 < Daniel_Chan> Right.
15:43 < reiffert> tell dhcpd to answer all dhcp requests entering the bridge via tap0 to answer with 10.0.2.0/24 settings
15:43 < reiffert> ebtables will help you.
15:44 < reiffert> assuming your bridge is running linux
15:44 < Daniel_Chan> I'm using shorewall (sorry if that is offensive to anyone)
15:45 < Daniel_Chan> OK so say I'm hadning out these leases and everything is happy.  Office2 is getting leases on their tap0 from office1 and all is well.
15:46 < Daniel_Chan> Will external network traffic destined for hosts outside of my subnet be routed directly to the net over would they emerge from office1 ?
15:46 < reiffert> come one ...
15:46 < reiffert> office has a local gateway
15:46 < reiffert> let's say 10.0.1.254
15:46 < reiffert> let's say office 1 lan gateway is 10.0.1.254
15:46 < reiffert> let's say office 2 lan gateway is 10.0.2.254
15:47 < Daniel_Chan> Understood.
15:47 < reiffert> the dhcp server will tell that to the clients
15:47 < Daniel_Chan> Understood.
15:47 < reiffert> let me rethink the ebtables part.
15:48 < reiffert> what would also work is redirecting the dhcp broadcast requests via unicast to a dhcp server that is *not* running on the bridge
15:48 < Daniel_Chan> I think with a 10.0.1.0/24 and a 10.0.2.0/24 we wouldn't get all of the mDNS / printer sharing / smb / avahi business talking over the tap's
15:48 < reiffert> similar to the ip helper stuff on cisco
15:48 < reiffert> Daniel_Chan: these are just the split scopes for your dhcp
15:49 < Daniel_Chan> OK perhaps I don't understand this subnettingt as well as I should.
15:49 < reiffert> /16 as well
15:50 < reiffert> however you make the dhcp use a split scope
15:50 < reiffert> the scopes will be office1 10.0.1.1 - 10.0.1.254 if you like
15:50 < Daniel_Chan> Yes - with a /16 it makes sense.
15:50 < reiffert> and office2 10.0.2.1 - 10.0.2.254
15:50 < reiffert> which I was referring to as /24
15:50 < Daniel_Chan> But not with a /24 - that's where I got a little confused.
15:51 < reiffert> so it will also work using dhcp-relay on office2 gateway
15:51 < reiffert> relaying them to office 1 dhcp server
15:52 < reiffert> in addition you would need to block all further dhcp requests on the bridge that do not originate from the mac address of the office2 gateway
15:52 < reiffert> done
15:52 < reiffert> plenty of ways to do it
15:52 < reiffert> I've been through all this and I reverted to a routed setup and advertising remote site services through avahi
15:53 < reiffert> have fun
15:53 < reiffert> l8er
15:53 < Daniel_Chan> Thank you very much for your help / time reiffert
15:54 < reiffert> bcrelay will also help
15:54 < reiffert> it's part of the ppp package
15:54 < reiffert> yw
15:56 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 29.0.1/20140506152807]]
16:00 -!- Daniel_Chan [~Daniel_Ch@CPEf46d0499190e-CMbc1401311080.cpe.net.cable.rogers.com] has quit [Ping timeout: 240 seconds]
16:11 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
16:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:52 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
17:17 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
17:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:29 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:39 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:41 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:00 -!- joshh20-Away is now known as joshh20
18:30 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:31 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
18:38 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 240 seconds]
18:39 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
18:45 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:46 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
18:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:54 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
18:54 < cyberanger> !heartbleed
18:54 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
18:54 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
18:58 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
19:06 -!- liriel [~liriel@aphrodite.feralhosting.com] has quit [Ping timeout: 252 seconds]
19:07 -!- liriel [~liriel@aphrodite.feralhosting.com] has joined #openvpn
19:17 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
19:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:29 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
19:33 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
20:14 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
20:16 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:40 -!- vaxerdec [~smcdermot@c-174-62-90-169.hsd1.ca.comcast.net] has quit [Ping timeout: 252 seconds]
21:37  * warewolf cringes at inaccuracies in that statement
21:42 <@krzee> warewolf, what statement?
21:43 < warewolf> that tls-auth prevents heartbleed.  It prevents *unauthenticated* heartbleed.
22:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
22:05 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
22:10 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:14 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Read error: Connection reset by peer]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:33 -!- mode/#openvpn [+v s7r] by ChanServ
22:33 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:50 -!- james41382_ [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
22:54 -!- temporary_questi [~temporary@unaffiliated/temporary-questi/x-9097157] has quit [Quit: Lost terminal]
23:03 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has joined #openvpn
23:05 < SamanthaD> I'm having trouble getting OpenVPN to reconnect after the network has been dropped. I'm using --persist-tun and if I pull out the ethernet cord and plug it back in it fails to reassociate
23:05 < SamanthaD> the thing that I find odd is that if I pass it the SIGUSR1 signal it reassociates successfully.
23:19 < SamanthaD> I get a "TLS key negotiation failed to occur within 60 seconds" error
23:26 < SamanthaD> by the way, when I don't use --persist-tun things work just fine but then I can't drop permissions
23:27 < SamanthaD> ... and I don't understand why using --persist-tun breaks anything.
23:29 -!- gor_zilla [~gorzilla@78.129.180.165] has joined #openvpn
23:30 -!- gor_zilla [~gorzilla@78.129.180.165] has left #openvpn []
23:35 < james41382> I have found that when I connect to my openvpn server using linux (network-manager or openvpn with update-resolv-conf) I am routed out through the openvpn servers gateway, but when I connect using the openvpn client for windows I am not being routed through the openvpn servers gateway. Why could this be?
23:56 -!- ShadniX [dagger@p5DDFE20E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:56 -!- ShadniX [dagger@p5DDFF8EE.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed May 21 2014
00:13 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 256 seconds]
00:25 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has quit [Quit: Leaving]
00:30 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has joined #openvpn
00:33 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
00:43 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has quit [Ping timeout: 252 seconds]
00:50 < james41382> Is it possible that the different between dev tun and dev tap in the client.ovpn file could be the difference? And if so.. why?
00:55 < james41382> I am thinking this could be the issue because the other clients are redirected through the gateway fine, but I just came across this (http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) and reading the --server directive there is a little if-else bit that implies the two (tun or tap) may be treated differently. I suppose I don't understand the fundamental difference between the two.
00:55 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
00:56 -!- Mathias [M@unaffiliated/mathias] has left #openvpn ["..."]
00:56 < james41382> I idle here all the time... and I have a large scrollback so if anyone who knows reads this please respond. I'll check it tomorrow... thanks guys. Goodnight! =]
01:02 < james41382> Oh okay I answered my own question... tun is for routing and tap is for bridging... I just got confused because in windows name of the adapter is tap... thanks again.
01:21 <@krzee> tun is layer3 tap is layer2
01:21 <@krzee> you can use tap without bridging
01:22 <@krzee> tun tunnels ip packets and tap tunnels ethernet frames
01:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:37 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has joined #openvpn
01:46 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:06 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:53 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:53 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:53 -!- mattock_afk is now known as mattock
03:14 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:25 -!- Poster|x [~poster@oh-67-77-115-177.sta.embarqhsd.net] has joined #openvpn
03:28 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has quit [Ping timeout: 258 seconds]
03:37 -!- dazo_afk is now known as dazo
03:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:50 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has quit [Remote host closed the connection]
04:13 -!- asio [asio@109-74-7-223-static.serverhotell.net] has joined #openvpn
04:13 -!- DrMacinyasha [0@unaffiliated/drmacinyasha] has joined #openvpn
04:13 < asio> !welcome
04:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
04:13 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:13 -!- Roa [~roa@ns4009357.ip-192-99-8.net] has quit [Ping timeout: 240 seconds]
04:14 < asio> !goal
04:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:26 < asio> !logs
04:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
04:27 < asio> !configs
04:27 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:27 < asio> !interface
04:27 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
04:27 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
04:49 < asio> !howto
04:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
04:57 < asio> I'm trying to setup openvpn on openbsd so I can access the internet and server behind when traveling using a secure connection...but I get an ssl error in server log...configuration files and logs are available here: https://www.asio.se/openvpn/
04:57 <@vpnHelper> Title: Index of /openvpn/ (at www.asio.se)
04:58 < asio> anyone got any pointers on how to fix this?
05:59 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
06:01 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
06:16 < ACKNAK> Hello! uhm I don't know how to ask correctly, but how does addressing works? for example I have topology subnet and address pool is 192.168.1.0/24.
06:17 < ACKNAK> Do they get addresses in uhm... arithmetic progression or just randomly?
06:17 < ACKNAK> they - clients
06:17 < ACKNAK> derp
06:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
06:23 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:33 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:44 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
06:54 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Remote host closed the connection]
07:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:47 < ACKNAK> anybody knows? :(
07:48 <@ecrist> !topology
07:48 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
07:48 <@ecrist> ACKNAK: see above
07:50 < rob0> 1. Why does it matter how addresses are handed out? 2. !welcome specifically recommends against using 192.168.1.0/24.
07:51 <@ecrist> !1918
07:51 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
07:51 < ACKNAK> ecrist, I'm insterested only in order how addresses aare handed out :)
07:51 <@ecrist> people often want to know how things work when it doesn't matter.
07:51 <@ecrist> ACKNAK: there's a lot of logic involved
07:52 < ACKNAK> ooooh
07:52 <@ecrist> topology is a start, then openvpn has to figure out whether we're persisting IP assignments, and the timeout of those, and if the connecting client has one, etc.
07:52 <@ecrist> if you really want to know, I'd suggest reading the code yourself
07:53 < ACKNAK> ah thats okay
07:53 < ACKNAK> thanks!
07:53 < rob0> or ... try it and see
07:54 < ACKNAK> rob0, already tried thats how I got this question
07:54 < ACKNAK> and its okay to use 192.168.1.0/24 in my case ^^
07:57 <@ecrist> no, really it's not
07:57 <@ecrist> but we're not going to beat you up about it
07:58 < ACKNAK> now Im curious why its not ._.
07:58 < ACKNAK> conflict with wan side? not possible
07:58 < ACKNAK> what else?
07:59 <@ecrist> it's over-used on private LANs
08:00 <@ecrist> it's possible for you, as an example, to be at a friend's house (if you have friends) and his/her network will use that default 1918 address space.  if you use it on your VPN, and you connect out from his/her network to your VPN and your VPN is pushing a route for that same subnet, you'll lose access to the local LAN
08:01 < ACKNAK> I'll tell my friend to change his network addressing or add NAT before mine device.
08:01 < ACKNAK> so there would be no conflict, if there would be - not my problem ^^
08:02 < rob0> heh
08:02 <@ecrist> you're retarded
08:02 < ACKNAK> I see...
08:22 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:30 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:42 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
08:47 < ACKNAK> so nothing could happened :)
08:53 <@krzee> lol
08:53  * krzee pictures him telling EVERY lan he joins to choose a new subnet
08:55 -!- Aketzu [akolehma@kelvin.aketzu.net] has quit [Ping timeout: 276 seconds]
08:56 < ACKNAK> :D
09:00 < ACKNAK> krzee, that would not be me actually, but these LANs would have to obey. -_-
09:01 < ACKNAK> ОВЕЧ
09:01 -!- mode/#openvpn [+o Eugene] by ChanServ
09:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:51 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
10:03 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 252 seconds]
10:06 < rob0> krzee, I picture him having no friends :)
10:06 <@krzee> ya thats prolly more accurate
10:13 < warewolf> saw an e-mail at work earlier this week "Help! I'm on your blacklist. My IP is 192.168.100.1"
10:14 < rob0> haha
10:26 <@ecrist> heh
10:28 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
10:28 < larryone> hallow everybody
10:30 < larryone> I have a pair of vpn severs running...  with udp
10:30 < larryone> is there any way for me to tell how many clients are connected through it?
10:30 <@Eugene> ! management
10:30 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
10:32 < larryone> thanks Eugene
10:32 < larryone> but to enable --management I'd need to restart the service, yes?
10:33 <@Eugene> yup.
10:33 < larryone> I was looking for a way to check connections because I wanted to restart the service
10:34 < larryone> want to restart on the server that has the least current usage
10:34 < warewolf> there's uh ... sec
10:34 < warewolf> --status-file $n_seconds
10:34 < warewolf> Eugene: would a HUP to reload the server's config pull in that setting and start writing the status file?
10:35 < warewolf> larryone: FWIW, I use the status file to see what clients are currently conected.
10:35 < larryone> ok, will take a pokey at that
10:35 < warewolf> er, not --status-file, --status /path/to/file some_number_of_Seconds_here
10:38 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 256 seconds]
10:40 <@ecrist> larryone: your best best is to enable management as well as the status file with a refresh cycle, and possibly a client connect/disconnect script
10:40 <@ecrist> with all that, there's a lot of tracking you can do per client
10:41 < larryone> aye, but nothing I can figure out for now
10:41 < larryone> just going to have to wait till the dead of the night to restart it
10:42 -!- tief_ [~tief@tb178-248-30-132.cust.teknikbyran.com] has joined #openvpn
10:42 <@ecrist> meh, let 'er buck.  what's the worst that could happen?
10:42  * ecrist grabs popcorn
10:43 < larryone> =0)
10:43 < larryone> I get murdered by the devs in work
10:43 < larryone> perhaps
10:44 < tief_> How do I make sure that all protocols are going over openvpn? If I use FTP for example.
10:45 <@ecrist> openvpn doesn't discriminate on protocol, but on routing
10:45 <@ecrist> so, if the next-hop for the IP you're connecting to is over the VPN, that's where it will go
10:46 <@ecrist> there's nothing in openvpn forcing all FTP traffic, etc
10:52 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:02 <@Eugene> you can "make sure" by crafting your firewall rules carefully to drop outgoing traffic that isn't openvpn
11:02 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:05 -!- larryone [~larryone@185.32.152.150] has quit [Read error: Connection reset by peer]
11:11 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
11:12 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
11:15 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
11:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
11:59 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 276 seconds]
12:00 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:02 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:08 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:26 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:33 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 258 seconds]
12:38 -!- dazo is now known as dazo_afk
12:41 -!- tief_ [~tief@tb178-248-30-132.cust.teknikbyran.com] has quit [Ping timeout: 240 seconds]
12:45 -!- Latrina [~Latrina@adsl-ull-184-255.45-151.net24.it] has quit [Ping timeout: 240 seconds]
12:49 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
12:50 -!- Latrina [~Latrina@adsl-ull-143-177.50-151.net24.it] has joined #openvpn
12:55 -!- Latrina [~Latrina@adsl-ull-143-177.50-151.net24.it] has quit [Read error: Connection reset by peer]
12:58 -!- Latrina [~Latrina@adsl-ull-196-198.50-151.net24.it] has joined #openvpn
13:01 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:02 -!- u0m3 [~u0m3@92.80.103.166] has quit [Ping timeout: 264 seconds]
13:03 -!- Latrina [~Latrina@adsl-ull-196-198.50-151.net24.it] has quit [Ping timeout: 240 seconds]
13:13 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has joined #openvpn
13:14 < TheSov> hey guys does anyone know how I would install on debian/ubuntu the right version of openssl so it uses the cpu's on die AES coprocessor?
13:16 -!- u0m3 [~u0m3@92.80.115.246] has joined #openvpn
13:27 < reiffert> http://openssl.6102.n7.nabble.com/How-can-I-enable-aes-ni-in-openssl-on-Linux-td47582.html
13:27 <@vpnHelper> Title: OpenSSL - User - How can I enable aes-ni in (at openssl.6102.n7.nabble.com)
13:30 -!- Latrina [~Latrina@adsl-ull-164-247.45-151.net24.it] has joined #openvpn
13:35 < TheSov> thanks!
13:44 < TheSov> i have a question, does aes_x86_64             17255  1 aesni_intel need to be on both machines?
13:46 -!- Denial [Denial@176.250.235.182] has quit []
13:52 -!- Denial [Denial@176.250.235.182] has joined #openvpn
14:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
14:00 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 264 seconds]
14:03 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
14:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:06 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Quit: leaving]
14:07 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
14:11 -!- eduhat [~eduhat@unaffiliated/eduhat] has joined #openvpn
14:11 < eduhat> can I use the same certificate at multiple locations for the client? I can connect to my vpn server fine, but I copied the certificate to another computer and I am getting handshake errors
14:13 < reiffert> which are the files that you were copying to the other client PC?
14:14 < eduhat> same ones that worked on the original client PC
14:14 < reiffert> !logs
14:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:17 -!- Megaf_ is now known as Megaf
14:20 -!- Mike-- [mad@mx.probie.nl] has quit []
14:31 < eduhat> reiffert: I will post them on a pastebin and be right back
14:33 -!- Latrina [~Latrina@adsl-ull-164-247.45-151.net24.it] has quit [Ping timeout: 240 seconds]
14:36 -!- Latrina [~Latrina@adsl-ull-185-254.45-151.net24.it] has joined #openvpn
14:39 < eduhat> reiffert: client - https://gist.github.com/anonymous/8ad0af9df5050ab1bd16 ; server - https://gist.github.com/anonymous/c1183ae1b8c93167fdc2
14:39 <@vpnHelper> Title: gist:8ad0af9df5050ab1bd16 (at gist.github.com)
14:40 < eduhat> but this same certificate and key work from the PC im sitting in front of
14:41 < eduhat> !logfile
14:41 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
14:43 < reiffert> !factoids search verify
14:43 <@vpnHelper> 'certverify' and 'verify'
14:43 < reiffert> !verify
14:43 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
14:43 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
14:43 < reiffert> !certverify
14:43 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
14:43 < eduhat> reiffert: wouldn't they be verified if they already work?
14:44 < eduhat> reiffert: all I did was copy them to my laptop and use the same certificates.
14:46 < reiffert> Wed May 21 15:33:56 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
14:46 < reiffert> !configs
14:46 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:47 < reiffert> eduhat: I keep reading what you type ... so far no idea
14:48 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
14:48 -!- joshh20-Away is now known as joshh20
14:48 < reiffert> eduhat: what's the openssl version on the other client?
14:49 < eduhat> reiffert: both are the same: OpenVPN 2.3.4
14:49 < reiffert> openssl
14:50 < eduhat> reiffert: sorry, both are the same OpenSSL 1.0.1g 7 Apr 2014
14:50 < reiffert> raise verbose level. if it doesnt help use strace
14:50 < reiffert> and dont forget to paste your configs
14:54 -!- DrMacinyasha [0@unaffiliated/drmacinyasha] has left #openvpn []
15:29 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
15:30 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:36 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:37 < Saul775> Hello.  I've a VPS that has ONE IP address.  I also live in the mountains, so I don't have a standard ISP; in fact, I'm NATed.  Well, I purchased my VPS, so I could setup OpenVPN on the VPS and have my server at my house connect to it, forwarding traffic to my server.  Would I need two IP addresses to accomplish this?
15:38 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
15:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:44 < kenyon> Saul775: well, what is your goal? to not have NAT?
15:44 < kenyon> Saul775: not have NAT for your home network, I mean.
15:47 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 252 seconds]
15:48 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
15:50 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:53 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 276 seconds]
15:53 < Saul775> Pretty much.
15:53 < Saul775> Sorry, I was called away.
15:53 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
15:53 < Saul775> kenyon, yes, I want to be able to access my home computer from the Internet.
15:54 < kenyon> Saul775: you'd need a routed block of IP addresses to escape NAT that way
15:54 < kenyon> Saul775: accessing your home computer from the Internet could probably be done without openvpn
15:55 < kenyon> Saul775: if you can do port forwarding, but maybe you can't control the ISP NAT at all
15:55 < Saul775> Couldn't I use OpenVPN?  I'll setup OpenVPN on the VPS.  Then I'll have my home computer connect to the OpenVPN and then have all IP traffic funnel to the connected client.
15:56 < kenyon> Saul775: yeah, not "all IP traffic" though, you'd have to do some NAT junk with your VPS
15:58 < kenyon> Saul775: IMO the best solution is to get IPv6 everywhere (home, your VPS, and your laptop when you're traveling), possibly using openvpn in places. that's how I do it.
15:58 < kenyon> IPv4 is just too limiting and kludgy due to lack of address space
16:00  * Saul775 nods.
16:01 < Saul775> When will IPv6 catch on a little more?  It seems like it's taking forever.
16:02 < kenyon> Saul775: it's catching on a lot, but you don't have to wait for your ISP to provide it
16:03 < kenyon> your VPS should already have it. if not, that's a terrible VPS provider and you should switch
16:05 < Saul775> I do have it, but I'm just wondering when it will take off in general.  A lot of things are still IPv4.
16:10 < pekster> VPS providers are in general terriable and violate RFC6177
16:10 < kenyon> Saul775: doesn't really matter, just start using it, makes everything so much easier
16:11 < pekster> Apparently it's hard to be a good netzien and provider customers with a /56 on demand
16:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:11 < pekster> If you're being given anything less than a /56 (or _maybe_ a /60, but really there's no excuse for a company to hand out /56's to anyone who asks) you have a shitty network provider
16:11 < pekster> _not_ to hand out, that is
16:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:21 < cransom> timewarner delivered native ipv6 and they only give me a /64
16:23 < pekster> Then sucks to be you if you have any need for a 2nd LAN. Think a guest wifi, or network for your appliances (thermostat, etc) for security. Or just for a test/lab environment
16:23 < pekster> RFC6177 specifically says that a single /64 to end-sites is too small. Guess they're in the "idiots and fools" category too
16:24 < pekster> And more on topic with OpenVPN, it means you can't allocate a routed network for VPN clients if you use SLAAC on your LAN
16:24 -!- joshh20 is now known as joshh20-Away
16:25 < cransom> i used to have a separate wireless segment until i started bridging again because of rendezvous/etc
16:31 < Saul775> I think my VPS prefix is a /64.
16:31 < Saul775> Actually, how do you tell?
16:33 < pekster> Not the on-link bullshit; you'd be given a routed allocation if the provider is worth paying for
16:33 < pekster> Any network provider who puts your /56 (or whatever) on-link is dumb as rocks
16:34 < pekster> You'd have to be told what you're routed allocation is
16:34 < Saul775> I think I just figured it out.  I suppose I should brush up more on my networking.  I'm a software engineer and know little about networking.  *laughs*
16:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
16:36 < Saul775> Okay, I'm confused again.  *laughs*
16:37 < Saul775> Here's what I got in my email: I've had the following added to my VPS:  2602:FFEA:A::AF2C:179D     and 2602::FFEA:A::E1CF:30F9.
16:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:42 -!- Latrina [~Latrina@adsl-ull-185-254.45-151.net24.it] has quit [Ping timeout: 265 seconds]
16:44 -!- Latrina [~Latrina@ppp-193-23.26-151.libero.it] has joined #openvpn
16:52 -!- Latrina [~Latrina@ppp-193-23.26-151.libero.it] has quit [Ping timeout: 255 seconds]
16:53 -!- Latrina [~Latrina@ppp-63-25.26-151.libero.it] has joined #openvpn
16:55 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Read error: Connection reset by peer]
16:56 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
16:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
16:56 -!- asio [asio@109-74-7-223-static.serverhotell.net] has quit [Ping timeout: 252 seconds]
17:03 -!- Latrina [~Latrina@ppp-63-25.26-151.libero.it] has quit [Ping timeout: 258 seconds]
17:03 -!- Latrina [~Latrina@ppp-92-55.26-151.libero.it] has joined #openvpn
17:04 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:05 -!- eduhat [~eduhat@unaffiliated/eduhat] has quit [Quit: Leaving]
17:13 -!- Latrina [~Latrina@ppp-92-55.26-151.libero.it] has quit [Ping timeout: 258 seconds]
17:15 -!- Latrina [~Latrina@ppp-14-54.26-151.libero.it] has joined #openvpn
17:18 -!- swebb is now known as zz_swebb
17:20 -!- Latrina [~Latrina@ppp-14-54.26-151.libero.it] has quit [Ping timeout: 252 seconds]
17:23 -!- Latrina [~Latrina@ppp-27-61.26-151.libero.it] has joined #openvpn
17:25 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 265 seconds]
17:29 -!- Eugene [eugene@badcryp.to] has quit [Ping timeout: 245 seconds]
17:29 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 245 seconds]
17:30 < kenyon> Saul775: that's pretty useless
17:30 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has quit [Ping timeout: 245 seconds]
17:31 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:31 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 245 seconds]
17:31 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:31 -!- Eugene [eugene@badcryp.to] has joined #openvpn
17:31 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has joined #openvpn
17:31 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 245 seconds]
17:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-gastkqwfqdcvtpoe] has quit [Disconnected by services]
17:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-ozsfslkbtyxdxwtx] has joined #openvpn
17:33 -!- Falcon| [andreas@shell.lamerschool.net] has quit [Ping timeout: 245 seconds]
17:33 -!- jerrcs [jeremy@dogpound.sliqua.com] has quit [Ping timeout: 265 seconds]
17:33 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 265 seconds]
17:33 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has quit [Ping timeout: 265 seconds]
17:33 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 265 seconds]
17:33 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Ping timeout: 265 seconds]
17:34 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
17:34 -!- cyberanger1 [~cyberange@swissknife/adak/infocop411] has joined #openvpn
17:34 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
17:34 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
17:34 -!- Su7 [~demerzel@2001:41d0:a:16::1] has quit [Ping timeout: 245 seconds]
17:35 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has joined #openvpn
17:35 -!- harpyon [~harpyon@harpyon.com] has quit [Ping timeout: 245 seconds]
17:35 -!- harpyon [~harpyon@harpyon.com] has joined #openvpn
17:35 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
17:36 -!- aji [~alex@atheme/member/aji] has joined #openvpn
17:38 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 265 seconds]
17:38 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 265 seconds]
17:38 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
17:38 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Ping timeout: 265 seconds]
17:38 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 265 seconds]
17:38 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 265 seconds]
17:38 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 265 seconds]
17:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
17:38 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 265 seconds]
17:38 -!- mallxs [~mallxs@84.246.31.190] has quit [Ping timeout: 265 seconds]
17:38 -!- hypfer [~hypfer@unaffiliated/hypfer] has quit [Ping timeout: 265 seconds]
17:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:38 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
17:39 < Saul775> kenyon, ehhh?
17:39 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
17:42 < kenyon> Saul775: they have no prefix length
17:43 -!- Denial- [Denial@176.250.235.182] has joined #openvpn
17:43 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:45 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:47 -!- Netsplit *.net <-> *.split quits: Chrisje, Ulrar, fred``, Olipro
17:49 -!- Netsplit *.net <-> *.split quits: elfixit, KaiForce, cyberanger1, Denial, Thermi, mapps
17:49 -!- Denial- is now known as Denial
17:49 -!- Netsplit over, joins: mapps
17:51 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
17:53 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:54 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Write error: Broken pipe]
17:55 < Saul775> So I need a prefix length?  I will contact them and ask them for the prefix.
17:57 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
17:57 -!- fred`` [fred@earthli.ng] has joined #openvpn
17:57 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
17:58 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:01 < Saul775> kenyon, I received a response: "The VPSs are bound by default being OpenVZ.  However, the host binds out of 2602:ffea:a::/48."
18:03 -!- joshh20-Away is now known as joshh20
18:07 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
18:11 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
18:11 -!- mallxs_ [~mallxs@84.246.31.190] has joined #openvpn
18:11 -!- mallxs_ is now known as mallxs
18:13 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
18:16 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Ping timeout: 240 seconds]
18:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:19 -!- mode/#openvpn [+v s7r] by ChanServ
18:27 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
18:27 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
18:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
18:38 -!- pnielsen_ [~pnielsen@li301-93.members.linode.com] has quit [Quit: No Ping reply in 180 seconds.]
18:40 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
18:41 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
18:41 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 255 seconds]
18:42 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
18:46 < pekster> Saul775: In other words they're idiots. Ask them for a /56 (or larger) allocation that is routed to you
18:46 < pekster> If you need it, anyway
18:47 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
18:49 < pekster> The summary in RFC6177 is fairly self-explanatory, but every network in IPv6 is a /64 by convention (although you can use smaller ones on non-SLAAC LANs, you often just use a /64 there anyway)
18:49 < Saul775> Hehehe.  You lost me, but that's okay.  I'm new to IPv6.
18:49 < Saul775> I'm not a networking guy by any means; I'm a software developer.
18:50 < pekster> #ipv6 might offer some help with the basics if you need it
18:50 < Saul775> Thank you, pester.
19:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
19:08 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:16 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn []
19:21 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:26 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
19:29 -!- mlariv [~mlariv@dhcp-e0-46-9a-34-3a-81.cpe.townisp.com] has joined #openvpn
19:29 < mlariv> Hi I need a quick hand with my dd-wrt ovpn setup. I have a basic tunnel working
19:30 < mlariv> !heartbleed
19:30 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
19:30 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
19:30 < pekster> dd-wrt has issues. It won't preclude use with openvpn, but you might re-consider your platform choice
19:30 < pekster> !dd-wrt
19:30 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
19:31 < mlariv> My setup is pretty basic. I have a seedbox on 10.1.1.2 and dd-wrt hosting 10.1.1.0/24 I just want a single static route to my seedbox
19:31 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:31 < mlariv> !paste
19:31 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
19:32 < pekster> !serverlan
19:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
19:32 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
19:32 < pekster> You probably want that
19:33 < mlariv> Im trying to figure out how to test if the tunnel is split or full on my nexus 7
19:35 < mlariv> http://fpaste.org/103992/18893140/ basic client cfg
19:35 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
19:36 < mlariv> http://fpaste.org/103993/14007189/
19:36 < mlariv> if I drop the dhcp dns option will i get what I'm looking for?
19:37 < pekster> DNS doesn't have anything to do with accessing an IP, which is what you described as your goal
19:37 < mlariv> right now i think all traffic is going over the vpn but I'm not too good with networking
19:37 < mlariv> I just want 10.1.1.x traffic to flow over the vpn
19:38 < pekster> That's what you have
19:38 < pekster> You have to explicitly ask for "all" traffic to go over the VPN, and you're not doing that. Read !redirect if that's what you want
19:38 < mlariv> it seems slow.. am i missing some settings that improve performance?
19:39 < mlariv> !redirect
19:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:39 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:41 < mlariv> so im guessing I should push dns 8.8.8.8
19:42 < pekster> Don't fuck with DNS at all
19:42 < pekster> You're accessing an _IP_ ? Why do you think setting a DNS server will help you at all?
19:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:42 < mlariv> thanks pekster
19:42 < pekster> And it won't even work unless you have client-side scripts to manipulate your local resolver
19:42 -!- mlariv [~mlariv@dhcp-e0-46-9a-34-3a-81.cpe.townisp.com] has quit []
19:42 < pekster> !pushdns
19:42 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
19:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:07 -!- joshh20 is now known as joshh20-Away
20:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
20:22 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
20:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:26 -!- Latrina [~Latrina@ppp-27-61.26-151.libero.it] has quit [Ping timeout: 252 seconds]
20:29 -!- Latrina [~Latrina@ppp-212-60.26-151.libero.it] has joined #openvpn
20:34 -!- ildefonso [~ilde123@201.185.229.85] has quit [Ping timeout: 252 seconds]
20:54 < _FBi> heya pekster
20:59 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has quit [Quit: Segmentation fault...]
21:27 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
21:36 -!- ildefonso [~ilde123@201.185.229.85] has joined #openvpn
21:37 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
21:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:54 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has joined #openvpn
21:57 -!- mallxs_ [~mallxs@84.246.31.190] has joined #openvpn
22:02 -!- harpyon_ [~harpyon@harpyon.com] has joined #openvpn
22:03 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
22:03 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
22:03 -!- Poster|x [~poster@oh-67-77-115-177.sta.embarqhsd.net] has quit [Ping timeout: 258 seconds]
22:03 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
22:03 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Ping timeout: 258 seconds]
22:03 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 258 seconds]
22:03 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 258 seconds]
22:03 -!- harpyon [~harpyon@harpyon.com] has quit [Ping timeout: 258 seconds]
22:03 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 258 seconds]
22:03 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 258 seconds]
22:03 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Ping timeout: 258 seconds]
22:03 -!- harpyon_ is now known as harpyon
22:03 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
22:04 -!- _Saul775 [~Saul@12.6.176.106] has joined #openvpn
22:04 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
22:05 -!- aji [~alex@atheme/member/aji] has joined #openvpn
22:07 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
22:07 -!- Latrina [~Latrina@ppp-212-60.26-151.libero.it] has quit [Ping timeout: 252 seconds]
22:07 -!- manitu [~manitu@static.88-198-15-112.clients.your-server.de] has quit [Ping timeout: 252 seconds]
22:07 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
22:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-ozsfslkbtyxdxwtx] has quit [Ping timeout: 252 seconds]
22:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:08 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 256 seconds]
22:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-mggaxrsjuxwdqucf] has joined #openvpn
22:09 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
22:09 -!- Netsplit *.net <-> *.split quits: pnielsen_, Saul775, mallxs
22:13 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
22:15 -!- Netsplit *.net <-> *.split quits: KaiForce
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:33 -!- mode/#openvpn [+v s7r] by ChanServ
22:33 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:57 -!- Netsplit over, joins: KaiForce
23:03 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Ping timeout: 255 seconds]
23:07 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 276 seconds]
23:50 -!- Latrina [~Latrina@ppp-212-60.26-151.libero.it] has joined #openvpn
23:55 -!- ShadniX [dagger@p5DDFF8EE.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:57 -!- ShadniX [dagger@p5DDFC86A.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu May 22 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:11 -!- Latrina [~Latrina@ppp-212-60.26-151.libero.it] has quit [Ping timeout: 276 seconds]
00:16 -!- Latrina [~Latrina@ppp-106-22.26-151.libero.it] has joined #openvpn
00:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
00:50 -!- zz_swebb is now known as swebb
01:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:27 -!- Latrina [~Latrina@ppp-106-22.26-151.libero.it] has quit [Ping timeout: 252 seconds]
01:28 -!- Latrina [~Latrina@adsl-ull-188-204.50-151.net24.it] has joined #openvpn
01:34 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
01:59 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
02:13 -!- Cybert1nus is now known as Cybertinus
02:14 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
02:31 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
02:36 < lkthomas> hey guys
02:36 < lkthomas> does openvpn be able to split traffic into multiple threads in terms of ports ?
02:36 < lkthomas> our ISP seems limit how much bandwidth could be use per port per session
02:41 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:41 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:42 -!- mattock_afk is now known as mattock
03:02 -!- ketas- is now known as ketas
03:12 -!- Latrina [~Latrina@adsl-ull-188-204.50-151.net24.it] has quit [Ping timeout: 276 seconds]
03:16 -!- Latrina [~Latrina@ppp-48-20.26-151.libero.it] has joined #openvpn
03:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:22 -!- mushroomed [~mushroome@li173-111.members.linode.com] has left #openvpn []
03:48 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
03:49 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:49 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:15 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
04:18 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
04:21 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
04:22 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
04:23 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
04:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
05:03 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 240 seconds]
05:05 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
05:12 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 264 seconds]
05:13 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
05:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:25 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 240 seconds]
05:36 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
05:40 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 258 seconds]
05:45 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
05:49 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 240 seconds]
05:53 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
05:58 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Read error: Connection reset by peer]
05:58 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
06:02 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:03 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 252 seconds]
06:05 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
06:05 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
06:09 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 252 seconds]
06:12 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
06:17 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 258 seconds]
06:18 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
06:23 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 276 seconds]
06:34 -!- RobertoBenzi [~RobertoBe@109.54.14.77] has joined #openvpn
06:36 < RobertoBenzi> hello there, I have set a OpenVPN network between my OpenWRT router and some clients, I'd like to use to option to expans the network to subnet of the connected devices
06:37 < RobertoBenzi> and I was wondering how can I set theopenvpn network addresses for those clients
06:37 < RobertoBenzi> usually to manually set the addres I use ccd and a file with the client common name
06:38 < RobertoBenzi> but for the "extended" clients do not havea CN
06:38 < RobertoBenzi> so how do I set their addresses?
06:42 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
06:47 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 276 seconds]
06:48 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
06:54 < RobertoBenzi> !welcome
06:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
06:55 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:55 < RobertoBenzi> !howto
06:55 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:56 < RobertoBenzi> !route
06:56 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
06:56 <@vpnHelper> client
07:16 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:18 -!- RobertoBenzi [~RobertoBe@109.54.14.77] has quit [Remote host closed the connection]
07:24 -!- mode/#openvpn [-o plaisthos] by plaisthos
07:27 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:27 -!- mode/#openvpn [+o mattock_afk] by ChanServ
07:27 -!- mattock_afk is now known as mattock
07:37 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
07:40 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
07:42 -!- mode/#openvpn [-b $a:m10t] by ecrist
07:45 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:45 <@krzee> sorry guys im gunna ignore him so i wont be seeing when its time to re-ban him
07:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
08:24 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
08:24 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:28 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
08:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:35 <@ecrist> heh
08:39 <@mattock> OpenVPN FAQ now editable by community members: https://community.openvpn.net/openvpn/wiki/FAQ
08:39 <@vpnHelper> Title: FAQ – OpenVPN Community (at community.openvpn.net)
08:39 <@mattock> the new FAQ should soon show up as #1 in search engines
08:42 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:45 <@ecrist> nice
08:47 < plaisthos> apart from my FAQ I sneaked in
08:47 < plaisthos> *ducks*
08:49 <@mattock> plaisthos: good that you sneaked your FAQ in
08:49 <@mattock> there can never be too many FAQ items :P
08:59 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 276 seconds]
09:05 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
09:07 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
09:07 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
09:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:23 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:24 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
09:29 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
09:58 -!- maoi2 [~maoi4@203-174-86-88.rev.ne.com.sg] has joined #openvpn
10:18 < maoi2> Is there a way I can determine if a user account is locked/banned from CLI?
10:19 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 252 seconds]
10:19 < Eugene> There is no mechanism for that in the gpl openvpn. you can build it with scripts, but perhaps you mean the commercial Access Server product?
10:19 < Eugene> !as
10:20 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
10:20 < maoi2> thanks guys. im shooting in the dark with a terrible vendor. ill head over to openvpn-as
10:27 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
10:28 < larryone> Eugene, warewolf, ecrist, thanks for your advice the other day wrt the management console foo
10:28 < larryone> sehr helpful
10:30 <@ecrist> no problem.
10:34 -!- mattock is now known as mattock_afk
10:43 -!- Latrina [~Latrina@ppp-48-20.26-151.libero.it] has quit [Ping timeout: 245 seconds]
10:45 -!- mattock_afk is now known as mattock
10:45 -!- Latrina [~Latrina@ppp-240-1.26-151.libero.it] has joined #openvpn
10:49 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 245 seconds]
10:56 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:57 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 264 seconds]
11:12 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:17 -!- _Saul775 is now known as Saul775
11:17 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
11:18 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
11:27 < Megaf> Hi eveyone, how are things?
11:29 < stemid> grrrreat
11:30 < Megaf> I followed this tutorial https://wiki.debian.org/OpenVPN to setup a "Static-Key VPN" VPN, problem is, that way I get a TUN interface, how do I use in TAP mode?
11:30 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
11:32 < mapps> hey
11:32 < mapps> hm
11:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:33 < reiffert> !tap
11:33 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
11:33 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
11:33 < reiffert> !tunortap
11:33 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
11:33 <@vpnHelper> rooted/jailbroken) support only tun
11:34 < Megaf> Yep, in my case I case a CIFS sharing
11:35 < Megaf> I need it to work smoothly and out of the box with OpenVPN
11:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:40 < Megaf> !ins
11:40 < Megaf> !wins
11:40 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:48 -!- mattock is now known as mattock_afk
12:00 -!- mattock_afk is now known as mattock
12:03 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
12:03 -!- Rootza [Rootza@cpc8-sotn11-2-0-cust216.15-1.cable.virginm.net] has joined #openvpn
12:15 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
12:15 < RobertoBenzi> In setting up client s
12:16 < RobertoBenzi> *client-side extension of the VPN
12:17 < RobertoBenzi> is there a way to give other computers an address in the vpn range?
12:17 -!- moh [~mort@darwin.bork.org] has joined #openvpn
12:17 < RobertoBenzi> let's say my vpn addresses are 10.0.0.0, and the client lan is 192.168.1.0
12:18 < RobertoBenzi> may I give other deices in the client lan addresses in the 10.0.0.0 range?
12:18 < rob0> why?
12:19 < rob0> !clientlan
12:19 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
12:19 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:19 < RobertoBenzi> easier to manage/remember
12:20 < moh> I've got openvpn set up as a test without doing encryption (cipher: none) and using FTPs over the tunnel link.  I'm seeing good performance in one direction (6-7MB/s) and bad performance in the other (0.5MB/s).  Any suggestions on what I could try tweaking?  Looking at strace output on the FTP server end looks reasonable to me, server does a big sendfile(), and openvpn seems to read/write in fairly big chunks but it's really slow...
12:20 < Rootza> is anybody avilable to help me with my server?
12:21 < RobertoBenzi> well, let's say client1 is the openvpn c
12:21 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:21 < RobertoBenzi> ient, amd c
12:21 < RobertoBenzi> sorry,keyboard issues
12:22 < RobertoBenzi> let's say client1 is the openvpn client
12:22 < RobertoBenzi> and client2 is a client in the same lan as client1, but without the openvpn client software
12:23 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
12:23 -!- maoi2 [~maoi4@203-174-86-88.rev.ne.com.sg] has quit [Ping timeout: 240 seconds]
12:25 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
12:25 < RobertoBenzi> connection dropped
12:26 < RobertoBenzi> btw I was saying
12:26 < RobertoBenzi> client2 following the documenttion would receive an IP in the clients range, and to access it I should use IP in those range
12:27 < RobertoBenzi> r,eaning that if the
12:27 < RobertoBenzi> lan has dynamic IP, that would always change
12:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:28 < RobertoBenzi> giving client2 an IP in the openvpn rNge and setting it sttic
12:28 < RobertoBenzi> I would need to notedown only the openvpn ip
12:28 < RobertoBenzi> that's whyi would need such a thing
12:29 < RobertoBenzi> is it doab
12:29 < RobertoBenzi> * can this be done?
12:51 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 245 seconds]
13:07 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:17 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
13:20 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
13:20 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
13:21 -!- Saul775 [~Saul@12.6.176.106] has quit [Quit: Leaving]
13:21 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has joined #openvpn
13:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
13:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
13:57 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
13:59 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
14:05 -!- Rootza [Rootza@cpc8-sotn11-2-0-cust216.15-1.cable.virginm.net] has quit [Ping timeout: 240 seconds]
14:12 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:17 -!- Rootza [Rootza@cpc8-sotn11-2-0-cust216.15-1.cable.virginm.net] has joined #openvpn
14:18 < Rootza> can anybody help me with my server setup?
14:20 < Rootza> please ;( i used the example config which i can post to pastebin if needed but i also followed some instructions from http://lintut.com/how-to-install-and-configure-openvpn-server-on-centos-6-4-linux/ openvpn starts and the port is open according to netstat however i cannot connect using http://91.231.144.203:1194/admin
14:20 <@vpnHelper> Title: How to install and configure openVPN server on CentOS 6.4 linux | lintut.com - Linux Howtos Guide (at lintut.com)
14:34 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
14:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
14:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
14:52 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
14:53 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 264 seconds]
14:54 -!- mallxs_ [~mallxs@84.246.31.190] has quit [Ping timeout: 240 seconds]
14:55 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
14:55 -!- joshh20-Away is now known as joshh20
14:58 -!- mapps [~map@5ec33f26.skybroadband.com] has joined #openvpn
15:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 252 seconds]
15:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:12 <@ecrist> moh: I'm guessing the connection is slow in that directly (i.e. DSL)
15:25 < debbie10t> With regard to EasyRSA3: Is "build-server-full server nopass" supposed to create a server cert/key pair with nsCertType designation of Server ? (Currently, it does not)
15:56 -!- lbft is now known as ibft
15:56 -!- ibft is now known as Ibft
15:57 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:59 -!- Ibft is now known as lbft
16:13 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:18 -!- joshh20 is now known as joshh20-Away
16:21 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
16:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-mggaxrsjuxwdqucf] has quit [Ping timeout: 252 seconds]
16:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
16:31 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-quiqsffkeyruuhta] has joined #openvpn
16:45 -!- Latrina [~Latrina@ppp-240-1.26-151.libero.it] has quit [Ping timeout: 276 seconds]
16:47 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
16:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:49 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:51 -!- Latrina [~Latrina@ppp-228-57.26-151.libero.it] has joined #openvpn
16:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:56 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
17:00 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:09 -!- mallxs [~mallxs@84.246.31.190] has quit [Read error: Connection reset by peer]
17:10 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
17:15 < pekster> debbie10t: No, it's not. Read 'vars.example' if you want the old-and-deprecated "Netscape Extensions" support. I have a readme update I need to push into a new rc release "soon-ish"
17:16 < pekster> Better would be to avoid use of deprecated things by reading:
17:16 < pekster> !mitm
17:16 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
17:18 < debbie10t> pekster: thanks
17:22 -!- Latrina [~Latrina@ppp-228-57.26-151.libero.it] has quit [Ping timeout: 252 seconds]
17:23 < debbie10t> Pekster: did you see the text in #openvpn-devel about easyrsa3-beta2 - "build-client-full client nopass" fails with no warning or error and drops out of the shell ?
17:24 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:24 -!- Latrina [~Latrina@ppp-78-16.26-151.libero.it] has joined #openvpn
17:25 < debbie10t> Easyrsa3-rc1 worked ok
17:26 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
17:28 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:37 < pekster> old stuff is old and not updated
17:38 < pekster> In case you're not familiar, a release version > rc version > beta version > alpha version > development version (usually)
17:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:45 -!- Latrina [~Latrina@ppp-78-16.26-151.libero.it] has quit [Ping timeout: 258 seconds]
17:46 -!- Latrina [~Latrina@ppp-84-42.26-151.libero.it] has joined #openvpn
17:55 < larryone> so I can now get status info from the management console
17:56 < pekster> 'status'
17:56 < larryone> yes
17:56 < larryone> as a command to the management console
17:56 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:56 < pekster> That is a command to the management console
17:56 < larryone> nc 0 7505 <<< 'status 0'
17:56 < larryone> so I can get status info there
17:57 < larryone> but in terms of getting that logged to a file
17:57 < pekster> Not openvpn's problem. Try some form of I/O redirection in your preferred programming language
17:58 < larryone> there is a config setting the looks like it flushed the info to a file every n seconds
17:58 < pekster> Right, --status
17:59 < pekster> That's not via the management interface though (which is what you originally aksed for.) If you're happy to have it update on a set cycle, use that
17:59 < larryone> hmmm
18:00 < larryone> so there's no easy way to get the server to dump status to file everytime a client connects?
18:03 < pekster> What are you actually trying to do? If you want on-connect / on-disconnect logging, do that instead, not abuse the status file for it
18:03 < pekster> !dynamic
18:03 < pekster> !factoids search dynamic
18:03 <@vpnHelper> "dynamicfirewall" is to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
18:03 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
18:03 < pekster> https://github.com/QueuingKoala/openvpn-dynamic
18:03 <@vpnHelper> Title: QueuingKoala/openvpn-dynamic · GitHub (at github.com)
18:03 < pekster> See the user-accounting section there
18:04 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
18:04 < debbie10t> Pekster: thanks again .. altho i am familiar with the usual order I must admit that this time i missed it, also i thought your website would be more upto date  -  in fact there is a lot to learn for me and as openvpn/ssl/easyrsa etc is moving rather fast atm i am bearly even keeping up.
18:10 -!- Rootza [Rootza@cpc8-sotn11-2-0-cust216.15-1.cable.virginm.net] has quit [Quit: Leaving]
18:11 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has left #openvpn []
18:18 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:22 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:22 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
18:23 < larryone> pekster, I think I need to RTFM a bit more
18:23 < larryone> have kindof inherited the current setup
18:25 < pekster> It boils down to properly defining what you're trying to do. If you want on-connect details, you don't want anything to do with the tcp management interface socket
18:37 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:39 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
18:39 < larryone> ok
18:39 < larryone> thanks pekster
18:39 < larryone> am going to call it a night
18:41 < larryone> probably wont have time to do more with it over the next few months - lots of database fun to keep me busy instead
18:41 -!- mapps [~map@5ec33f26.skybroadband.com] has quit [Ping timeout: 245 seconds]
18:41 < larryone> take it easy
18:41 -!- larryone [~larryone@176.61.1.155] has quit [Quit: Leaving]
19:32 -!- akasoldats [~akasoldat@unaffiliated/akasoldats] has quit [Quit: WeeChat 0.4.1-dev]
19:46 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:55 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:50 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
20:58 -!- Netsplit *.net <-> *.split quits: Megaf, haasn, Mike--
21:04 -!- chris062689 [~quassel@6532244hfc170.tampabay.res.rr.com] has joined #openvpn
21:04 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
21:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:11 < chris062689> Hello! I setup openvpn via a TurnKey Linux installation, but am having trouble setting up routing to where I can access my internal network from my VPN.
21:12 < pekster> Accessing a network behind the server? You want:
21:12 < pekster> !serverlan
21:12 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:12 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
21:13 < chris062689> Thank you.
21:20 < chris062689> Is it possible to setup a netgear router to have that kind of route though?
21:21 < pekster> Depends on the OS you're running. I've used the GPL OpenWRT firmware on Netgear WNDR-3800 models with lovely results
21:22 < chris062689> It's running stock x_x;
21:22 < pekster> Oh, it's not the VPN server? All you need is a static route on it then
21:23 < pekster> Most vendors' firmwares support that
21:23 < pekster> If not, see if you can flash a proper OS on it (like openwrt) or spend $40-$60 on a better piece of hardware that can run openwrt
21:24  * pekster recommends avoiding dd-wrt due to the many things they do wrong. Security problems at !dd-wrt, and they manage to gimp Netfilter userland too)
21:24 < chris062689> No pekster, I have openvpn running inside of a VM.
21:26 < pekster> I mean if you look at a replacement embedded router platform
21:26 < pekster> openwrt can also run openvpn too :P
21:39 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Ping timeout: 252 seconds]
21:46 < _FBi> +1 openwrt
21:47 < _FBi> dd-wrt < openwrt
21:48 -!- chris062689 [~quassel@6532244hfc170.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
21:49 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
21:49 < alexw> Is it just me or does iMessage have issues when running over VPN?
22:05 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 240 seconds]
22:09 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
22:20 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 252 seconds]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:34 -!- mode/#openvpn [+v s7r] by ChanServ
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
22:38 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
22:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:22 < lkthomas> hey guys
23:23 < lkthomas> anyone running OpenVPN with OSPF ?
23:25 -!- chris062689 [~quassel@65.33.85.92] has joined #openvpn
23:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
23:50 -!- Latrina [~Latrina@ppp-84-42.26-151.libero.it] has quit [Read error: Connection reset by peer]
23:53 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:55 -!- Latrina [~Latrina@adsl-ull-132-197.50-151.net24.it] has joined #openvpn
23:55 -!- ShadniX [dagger@p5DDFC86A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:56 -!- ShadniX [dagger@p5DDFC33E.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri May 23 2014
00:02 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:05 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
00:11 < lkthomas> anyone still alive ?
00:12 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:15 -!- chris062689 [~quassel@65.33.85.92] has quit [Remote host closed the connection]
00:23 < james41382> When I am connected to my lan I can connect to my desktop with my laptop (both windows 8) and access files in either the folder of the user I am logged on as or public files. I want to be able to do this when I connect to my lan via openvpn from a remote location. Should I set it up on a bridge? The router running the openvpn server is openwrt and the ethernet lan ports are bridged to the multiple wifi antennaes. So if I bridge the openvpn vir
00:23 < james41382> tual device to that same bridge they'll all be on the same subnet and should have access just as if I was at home connected to wifi or ethernet I think.
00:25 < james41382> As is the openvpn virtual device is not bridged to the other stuff and is on a separate subnet. I can ping the desktop from the vpn subnet, but I don't see the desktop in windows networking (can't access files).
00:34 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
00:35 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:49 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:50 -!- qwertyoruiop [~hax@93.174.90.31] has quit [Ping timeout: 240 seconds]
01:02 -!- iokill [~iokill@178-190-35-48.adsl.highway.telekom.at] has joined #openvpn
01:02 -!- iokill [~iokill@178-190-35-48.adsl.highway.telekom.at] has quit [Client Quit]
01:10 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
01:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:14 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
01:30 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
01:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:35 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:42 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:03 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:07 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:08 < ayaz> Hello. May I know why the 2.3.3 release isn't listed on the download page here: http://openvpn.net/index.php/open-source/downloads.html?
02:08 <@vpnHelper> Title: Downloads (at openvpn.net)
02:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
03:02 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:11 -!- kirin` [telex@gateway/shell/anapnea.net/x-quiqsffkeyruuhta] has quit [Ping timeout: 245 seconds]
03:12 -!- kirin` [telex@gateway/shell/anapnea.net/x-kiwpbdpqkiakherf] has joined #openvpn
03:17 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
03:31 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:05 -!- dazo_afk is now known as dazo
04:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:27 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
04:31 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
05:17 -!- swebb is now known as zz_swebb
05:18 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 276 seconds]
05:26 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has joined #openvpn
05:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 240 seconds]
05:31 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:43 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
05:43 -!- mode/#openvpn [+o mattock_afk] by ChanServ
05:43 -!- mattock_afk is now known as mattock
05:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:03 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
06:08 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:15 < ender|> !dd-wrt
06:15 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
06:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
06:15 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
06:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
06:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Read error: Connection reset by peer]
06:43 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:54 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
06:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:00 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
07:02 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
07:05 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
07:15 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
07:15 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 255 seconds]
07:15 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
07:17 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has joined #openvpn
07:19 < TTimoNN> Hi all, I was wondering if it is possible to bind the OpenVPN GUI client for windows to only 1 application?
07:27 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
07:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
07:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:16 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
08:26 <@ecrist> TTimoNN: not with just openvpn
08:26 <@ecrist> you'd need a policy route in the system firewall to do that
08:45 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:48 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:12 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:20 -!- spatials [~vertical@192.94.73.194] has joined #openvpn
10:29 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:29 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
10:30 -!- zz_swebb is now known as swebb
10:40 -!- dimitry7 [~antonello@187.188.84.149] has joined #openvpn
10:40 < dimitry7> Hi everyone. I've set up a VPN with Open VPN following the docs and working with two dedicated links, (and two public IPs). Y have networks 192.168.78.0/24 on one side and 192.168.77.0/24 on the other side. one OS is OpenBSD, the other is Debian Stable. When I ping from 78.0 (BSD) to 77.0(Debian), ping works both sides, but after a minute ping won't work from Debian to BSD
10:40 < dimitry7> and if I start pinging againt from BSD to Debian, the ping starts working both sides again....
10:41 < dimitry7> but after a minute fails from debian to BSD again... what could be happening?
10:42 -!- tormen [~me@90-83-190-109.dsl.ovh.fr] has joined #openvpn
10:45 < tormen> Hi. Is it possible that a windows openvpn client 2.2.2 only interprets the FIRST "route" config option from the server ??
10:45 < tormen> I don't get it. I have one "route" option. This works fine for both Linux + Windows clients.
10:46 < tormen> I add a second "route" below. Linux works as expected (gets the 2 routes). Linux in the log only talks about the one route ... (and no route failed or something)
10:47 < tormen> I am puzzled :(
10:47 < tormen> :)
10:48 < TTimoNN> thanks ecrist
10:51 -!- swebb is now known as zz_swebb
11:01 < dimitry7> socket bind failed on local address undef address already in use
11:01 < dimitry7> what does that mean?
11:03 -!- spatials [~vertical@192.94.73.194] has quit [Quit: leaving]
11:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:19 < tormen> okey... push route "192.168.192.0 255.255.255.0" instead of route 192.168.192.0 255.255.255.0 successfully gets the SECOND route to the windows client even though the FIRST route worked for the windows client in THIS format "route 172.27.27.0 255.255.255.0" ...
11:20 < tormen> I guess I don't have to understand everything ^^
11:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Client Quit]
11:24 < debbie10t> @dimitry7 : address already in use = OpenVPN is already running ... shut it down and start again
11:25 < debbie10t> @tormenv - route will only effect the server ... push route will only effect the client (if the client imports routes from the server push)
11:28 < debbie10t> @tormen - if you do not PUSH the route to the client then it will have no effect on the client
11:29 < tormen> but it did on my linux client ... or maybe I missed something
11:30 < debbie10t> you obviously missed something .....
11:30 < tormen> debbie10t: ;) thanks !!
11:30 < debbie10t> so you just worked it out ???
11:31 < tormen> okey yes my bad I was too quick before.
11:31 < debbie10t> lol ;)
11:31 < tormen> debbie10t: I had found that the push worked in-between......
11:32 < debbie10t> inbetween what .. like a slice of cheese in a sandwich ?
11:32 < tormen> Inbetween my first question at [2014-05-23 18:01]  and my reply at [2014-05-23 18:19]
11:32 < tormen> ;)
11:32 < dimitry7> No server certificate verification method has been enabled.
11:32 < dimitry7> what does that mean?
11:33 < dimitry7> debbie10t, thanks Debbie
11:33 < tormen> debbie10t: So I am good. Thanks again :))
11:33 < debbie10t> sure
11:34 < debbie10t> if you want to effect your client route table you _must_ push it to the client or define it on the client
11:34 < debbie10t> using "puste x.x.x.x x.x.x.x" on the server will only effect the server
11:34 < debbie10t> what ever you saw in your client route table was wrong ..
11:35 < debbie10t> may be you just restarted openvpn too quickly
11:35 < debbie10t> as for the cert verify: see --nsCertType Server/Client in the Manual
11:36 < debbie10t> !remote-tls
11:36 < debbie10t> awww
11:37 < debbie10t> <debbie10t>using "***puste x.x.x.x x.x.x.x" on the server will only effect the server ---- ***route
11:38 < debbie10t> !triggers
11:38 < debbie10t> !help
11:38 < debbie10t> !paste
11:39 < debbie10t> !configs
11:39 < debbie10t> !logs
11:39 < dimitry7> No server certificate verification method has been enabled.
11:39 < dimitry7> how can I enable it?
11:40 < debbie10t>  see --nsCertType Server/Client in the Manual
11:40 < dimitry7> I added ns-cert-type , but wont worl
11:40 < debbie10t> ahh
11:40 < dimitry7> ns-cert-type client
11:40 < debbie10t> have you created your server cert with server designation ?
11:40 < dimitry7> I added that to my config
11:40 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
11:40 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
11:40 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:40 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
11:40 < dimitry7> nop
11:41 < dimitry7> debbie10t, do you think that is why my connections drop???
11:41 < debbie10t> using EasyRSA .. you create your server.crt/key using build-key-server
11:41 < dimitry7> yes exactly
11:41 < dimitry7> just as the docs say
11:42 < dimitry7> but I didn't added the ns-cert-type
11:43 < dimitry7> that option is not in the openssl-1.0.0.cnf
11:43 < debbie10t> dimitry7 : in your clinet.conf add the line "nsCertType SERVER"
11:43 < dimitry7> okay
11:43 < debbie10t> this tells your client what the other side is meant to be
11:43 < dimitry7> oooh
11:43 < dimitry7> let me see
11:43 < debbie10t> ie: a server
11:43 < dimitry7> goooood, it worked :-D
11:44 < debbie10t> ok
11:44 < dimitry7> debbie10t, you'll see
11:44 < dimitry7> my connections drop
11:44 < dimitry7> all the time
11:44 < debbie10t> ok
11:45 < dimitry7> I have networks 192.168.78.0/24 on one side and 192.168.77.0/24 on the other side. one OS is OpenBSD, the other is Debian Stable. When I ping from 78.0 (BSD) to 77.0(Debian), ping works both sides, but after a minute ping won't work from Debian to BSD
11:45 < dimitry7> and if I start pinging againt from BSD to Debian, the ping starts working both sides again....
11:45 < dimitry7> but after a minute fails from debian to BSD again... what could be happening?
11:46 < dimitry7> In my firewall I have tun0 enabled for in and out
11:46 < dimitry7> both firewalls
11:47 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:47 < debbie10t> dunno .. did you read about: how are we supposed to know if you dont show us your configs ? --  https://forums.openvpn.net/topic14565.html
11:47 <@vpnHelper> Title: OpenVPN Support Forum QUIZ: Why we ask you to post your configs and logs : Tutorials (at forums.openvpn.net)
11:49 < dimitry7> oh sorry: I will send them
11:49 < debbie10t> !configs
11:49 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:49 < debbie10t> !logs
11:49 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
11:49 < debbie10t> !paste
11:49 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
11:50 < dimitry7> debbie10t, CLient: http://pastebin.com/Ruix2fqX
11:51 < dimitry7> debbie10t, Server: http://pastebin.com/MLafVUYd
11:51 < debbie10t> add --pull to your client
11:51 < dimitry7> okay
11:51 < debbie10t> even better .. read about --client in the manual
11:51 -!- zgreg [~greg@pygmy.kinoho.net] has joined #openvpn
11:52 < zgreg> I have a weird problem with the openvpn windows client, the openvpn gui
11:52 < zgreg> I installed it, dropped the config into the right directory, but connecting doesn't work at all
11:52 < dimitry7>  WARNING: using --pull/--client and --ifconfig together is probably not what you want
11:53 < dimitry7> okay
11:53 < zgreg> when I instruct the GUI to connect, it just says "connecting to ... has failed", and there's no log, and no connection attempt is visible at my openvpn server
11:53 < zgreg> meanwhile, it works fine from linux and android in the same network
11:54 < debbie10t> dimitry7 : pull vs ifconfig .. it is a dilema .. or you push ALL the options from the server
11:55 < dimitry7> well, I prefer to use ifconfig, while I try pull
11:55 < debbie10t> zgreg .. windows version ?
11:55 < debbie10t> dimitry - just push it from the server
11:55 < dimitry7> debbie10t, okay
11:56 < zgreg> debbie10t, yes, like I wrote
11:56 < debbie10t> dimitry7 - if you have contro of the server .. surely it feels better to push EVERYTHING from the server for security reasons
11:57 < dimitry7> how do I push them?
11:57 < debbie10t> --ifconfig-push bla bla
11:57 < dimitry7> ok ok ok
11:57 < debbie10t> or many other ways
11:57 < dimitry7> okay
11:58 < debbie10t> dimitry7 - have you read the manual or the sample configs ?
11:58 < debbie10t> !manual
11:59 < debbie10t> aww .. come on .. that has to be a given !
11:59 < debbie10t> !learn manual http://openvpn.net/index.php/open-source/documentation/manuals.html
11:59 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:59 < debbie10t> lol
12:00 < zgreg> ok, removing "mtu-disc" from the options fixed it. but the behavior of openvpn gui is super lame
12:00 < zgreg> nonsense error message, no logs, etc.
12:00 -!- larryone [~larryone@178.167.254.75.threembb.ie] has joined #openvpn
12:01 < debbie10t> zgreg - what "nonsense error message" do you mean ?
12:01 < dimitry7> debbie10t, okay thanks, let me try
12:01 -!- larryone [~larryone@178.167.254.75.threembb.ie] has quit [Max SendQ exceeded]
12:02 < dimitry7> debbie10t, where can I see what range of ports can I use for openvpn?
12:02 -!- larryone [~larryone@178.167.254.75.threembb.ie] has joined #openvpn
12:02 < debbie10t> dimitry7 - you can use any port your oOS allows you to
12:03 < debbie10t> *Operating System
12:03 < zgreg> debbie10t: "connecting has failed", it's pretty much not possible to be any more generic
12:03 < debbie10t> !logs
12:03 < dimitry7> okay
12:03 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:03 < zgreg> debbie10t: uhm, your point?
12:04 < debbie10t> the connection failed .. OpenVPN is not psychic
12:04 < zgreg> debbie10t: like I said, no log file was created for some reason
12:04 < debbie10t> zgerg - you are using the "openVPN GUI" ?
12:04 < zgreg> yes
12:05 < debbie10t> so there is a log on screen ? or at least a blank window owned by openvpnGui ?
12:05 < zgreg> blank window, yes
12:05 < debbie10t> ok
12:06 < zgreg> well, nevermind, it works now. but the error reporting is bad in some cases.
12:06 < debbie10t> user error cannot be anticipated .. sorry
12:06 < zgreg> well it "works" in the sense that it actually tries to connect now. but it fails to set up the ipv6 address
12:07 < zgreg> why is this such a broken mess? :p
12:07 < debbie10t> ahh .. so you have a functional VPN .. but no IPv6 ?
12:08 < zgreg> I have a VPN that I set up myself, and it works great for linux and android clients
12:09 < zgreg> it transports both ipv4 and ipv6 connectivity
12:10 < debbie10t> do you use --duplicate-cn on your server to share client certificates ?
12:10 < zgreg> no
12:10 < zgreg> it fails with a netsh command, sec
12:11 < debbie10t> brrrrrrrrrr
12:11 < zgreg> Fri May 23 19:10:13 2014 NETSH: C:\Windows\system32\netsh.exe interface ipv6 set address LAN-Verbindung 2 2a03:XXXX:XXXX:XX:X::XXXX store=active
12:12 < zgreg> Fri May 23 19:10:13 2014 ERROR: netsh command failed: returned error code 1
12:12 < zgreg> I masked out the actual address
12:12 < zgreg> not sure what to make of this
12:12 < debbie10t> !configs
12:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:13 < debbie10t> !maual
12:14 < debbie10t> !learn manual http://openvpn.net/index.php/open-source/documentation/manuals.html
12:14 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:16 < debbie10t> zgreg:  ERROR: netsh command failed: returned error code 1- suggests you are not running OpenVPNGUI as administrator ....
12:19 < zgreg> isn't that the point of the service, that you don't need administrator privileges?
12:19 < debbie10t> yes .. that is the point
12:19 < zgreg> or maybe I am misunderstanding something
12:19 < debbie10t> nope you are right
12:19 < zgreg> so the GUi is not communicating with the openvpn service, but running openvpn directly?
12:19 < debbie10t> but the service has NOTHING to do with the GUI
12:19 < debbie10t> one or the other
12:19 < zgreg> oh, okay
12:20 < debbie10t> the service will run ALL ovpn file in your config directory
12:20 < debbie10t> the GUI will run your choice .. but it MUST be "as Admin"
12:21 < zgreg> yeah, okay, got it. the last time I used openvpn on windows was many years ago, I didn't remember it to be that confusing ;)
12:21 < debbie10t> it is not confusing
12:22 < debbie10t> if you want to add routes to the WINDOWS OS you MUST HAVE ADMIN PRIVELEGE
12:22 < debbie10t> and so ..
12:23 < debbie10t> the service wiol run with sufficient privelege bvut the GUI will not ..unless you (the user ) have admin privelege
12:24 < debbie10t> OpenVPN is working on possible solutions .. but things are tricky
12:25 < zgreg> I assumed the GUI is using some IPC mechanism to communicate with the service, because that's the sensible thing to do...
12:25 < zgreg> also, how are you going to input a passphrase with a non-interactive service?
12:27 < debbie10t> dont assume anything
12:27 < dimitry7> debbie10t, I see it is useless to use remote on the server side...
12:28 -!- GrantK [F8QGeac2jI@bolt.sonic.net] has joined #openvpn
12:29 < zgreg> debbie10t: I thought that is how it worked ~2008 already, but obviously my memory is a bit hazy :)
12:30 <@krzee> debbie10t> [12:25:22] if you want to add routes to the WINDOWS OS you MUST HAVE ADMIN PRIVELEGE   <-- not true
12:30 <@krzee> !win_noadmin
12:30 <@vpnHelper> "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
12:32 < debbie10t> krzee: i am not trying to support windows .. but a windows "user" does not have access to the routing table
12:32 < debbie10t> in write
12:32 <@krzee> does if member of network operators group, and i havnt used windows in over 10 yrs
12:32 < debbie10t> this is trickery to fool the user
12:32 < debbie10t> krzee: yes but i am not here to teach windows
12:33 <@krzee> shit i forgot to readd you to ignore when you came back
12:34 <@krzee> fixed
12:34 < debbie10t> leaving
12:34 < rob0> Eastern Georgia General Network Operators Group (EGGNOG)
12:35 < debbie10t> a typical user does not have access to change the route table
12:35 < GrantK> I'm building OpenVPN git/head to get EC cipher support.  I'm looking for some docs to understand what to do with openvpn config security options when using EC.  e.g.: dh, auth, cipher, tls-cipher.
12:35 < GrantK> checking `openvpn` with "--show-ciphers", "--show-digests", & "--show-engines" options doesn't show any ECC support; only "--show-tls" does.
12:35 < debbie10t> like me or lump it
12:36 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has left #openvpn []
12:37 < GrantK> What should those settings be when using EC?  undef?  other?
12:39 -!- jason_rad [~jason_rad@208.86.45.162] has joined #openvpn
12:40 < jason_rad> I have a linux client which connects to an openvpn server.  However, when I initiate the linux client to connect to VPN ( openvpn client.config) I lose access to ssh back into it ( the client) .  How do i fix this
12:41 <@krzee> !splitroute
12:41 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
12:41 <@krzee> jason_rad, ^^
12:42 <@krzee> dont go past the second post on the first link
12:42 <@krzee> all info you need is actually in the first and second post
12:43 < jason_rad> krzee: thank you
12:43 <@krzee> no problem
12:43 <@krzee> if you wish to learn more on the subject, it is called policy routing
12:45 <@krzee> this seems like a good policy routing doc  http://www.inetdoc.net/pdf/Policy_Routing_in_Linux_ENG.pdf
12:46 <@krzee> i just gave it a quick skim
12:46 <@krzee> GrantK, sorry im not well versed in the ECC usage but stick around someone will come around who knows
12:46 <@krzee> i know theres people here who use it
12:47 <@krzee> <zgreg> isn't that the point of the service, that you don't need administrator privileges?   <-- that is one advantage. i think another biggie is that it can start on boot, so its seemless for the user.
12:48 <@krzee> if you simply dont want to start as admin (but you have admin privs) then see !win_noadmin
12:48 < GrantK> krzee: thanks
12:49 <@krzee> np sorry i dont have more for ya
12:50 < GrantK> krzee: anyone in particular? or just lurk?
12:51 <@krzee> pekster ecrist plaisthos syzzer dazo for sure, but i'ld bet theres plenty of lurkers who know too
12:52 <@krzee> (sorry for pinging you guys, just pointing out who to watch for!)
12:52 < GrantK> heh. thx ...
12:52 <@dazo> GrantK: iirc, EC support is not fully merged into master ... patches are on a review list
12:52 <@krzee> =]
12:52 <@dazo> (unless I'm outdated ... haven't had time to catch up in a little while)
12:53 < GrantK> dazo this: [Openvpn-devel] [PATCH 1/2] Add support for elliptic curve diffie-hellmann key exchange (ECDH), http://sourceforge.net/p/openvpn/mailman/message/32026769/
12:53 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
12:53 < GrantK> appears to have appeared at https://github.com/OpenVPN/openvpn/tree/master/src/openvpn
12:53 <@vpnHelper> Title: openvpn/src/openvpn at master · OpenVPN/openvpn · GitHub (at github.com)
12:53 < zgreg> krzee: yeah, but unfortunately that doesn't work if the user needs to input a passphrase
12:53 < GrantK> not 100% sure, of course
12:53 < zgreg> as far as I can see at the moment the service is actually useless in these cases
12:53 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has joined #openvpn
12:54 <@krzee> zgreg, correct, you must remove the passphrase from the cert to have it automagically login.
12:54 <@krzee> encrypting your private key (requiring a passphrase) means you WANT interactive login.
12:55 < zgreg> regarding performance, by the way, I have some problems
12:55 < zgreg> the internal fragmentation in openvpn seems to be a bit slow
12:56 < zgreg> if I disable it and rely on the OS to fragment the packets, I get much improved throughput, 20 vs 50 mbps
12:56 < zgreg> however, the openvpn connect for android doesn't support that apparently...
12:56 <@krzee> of course im assuming you mean the private keys passphrase? if you're talking about a password that the server is configured to require, that can be saved like this:
12:56 <@krzee> !pwfile
12:57 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h or (#2) see --auth-user-pass in the manual (!man) for more info or (#3) if you're using this with the windows service, you will need --askpass
12:57 <@ecrist> what am I accused of knowing?
12:57 <@dazo> GrantK: Ahh ... yeah, it seems the patches are merged ... AFAIU, EC won't be enabled on the data channel (--show-ciphers) ... it only does EC for key exchange and authentication
12:57 <@krzee> zgreg, try "openvpn for android"
12:57 <@krzee> ecrist, using ECC with openvpn
12:57 <@krzee> but dazo popped in
12:57 < zgreg> it's better than the "official" client? :)
12:57 <@krzee> !android
12:57 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
12:58 <@krzee> !connect
12:58 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
12:58 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
12:58 <@krzee> TLDR; openvpn connect is corporate, openvpn for android is 100% opensource GPL
12:59 < GrantK> dazo: hm.  so I need TWO sets of keys?  one EC for auth/kex, and one !EC for data?
12:59 <@dazo> GrantK: no, no
12:59 < zgreg> krzee: interesting, wasn't really aware of that. but the ads in android connect put me off a little for sure.
12:59 <@krzee> as 'openvpn for android' is developed by a member of the dev team, i dont see it as less "official" even though corporate is behind connect "officially"
13:00 <@dazo> GrantK: AFAIK, there are no EC possibilities for symmetric encryption (which the data channel uses) ... EC is only useful on the asymmetric part.  The Key Exchange process agrees on a symmetric key which is used for the data channel.  And that process makes use of EC
13:00 <@krzee> !androidsource
13:00 <@vpnHelper> "androidsource" is (#1) The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout or (#2) The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
13:00 <@dazo> GrantK: The key exchange process uses the certs and key files to agree on a random symmetric key
13:01 <@dazo> syzzer: please correct me if I'm wrong :)
13:01 <@dazo> (syzzer is our crypto geek)
13:03 < GrantK> dazo: ok.  i'd assume then that the symmetric key is derived from the EC.  I'd _thought_ that that meant that the derived key also was EC -- perhaps not.
13:03 -!- larryone [~larryone@178.167.254.75.threembb.ie] has quit [Quit: This computer has gone to sleep]
13:08 < zgreg> "openvpn for android" is quite a bit less polished, apparently
13:08 < zgreg> the config file import didn't really work that well
13:09 <@dazo> GrantK: I'm quite new to the EC world ... but that's not how OpenVPN works, how I see it from the patches.  It just enables EC support in the asymmetric code paths, which derives a symmetric key.  I've not read about symmetric EC
13:09 < zgreg> it completely ignored the ipv6 routes from my config
13:11 < zgreg> it also ignored the DNS settings
13:11 < debbie10t> krzee: i apologies if you feel the need to ignore me .. however, technically, a typical windows user does not have write access to the route table and so the fact is without access to the route table OpenVPN will not work for a standard user .. I realise, and even called attention to, the fact that there are clever ways around this .. including that OpenVPN are working on it
13:13 < GrantK> dazo: heh, I think most of us are 'quite new to the EC' world ;-)  Looking at code -- and trying not to go completely cross-eyed -- and taking these params one a at a time, I _think_ the "dh" paramter needs to point to my EC-keygen generated "secp521r1.pem" rather than the pre-EC "dh2048.pem"
13:14 <@dazo> it's a different option for the ECDH ... you need a special DH file with EC parameters
13:15 < GrantK> right ... the secp521r1.pem
13:17 <@dazo> GrantK: check out README.ec for more info
13:17 <@dazo> it actually describes your questions :)
13:18 < GrantK> dazo: yep, already done.  that's where I actually figured out that there WAS an EasyRSA *v3* !
13:18 <@dazo> :)
13:19 <@krzee> v3 has better defaults btw
13:19 <@krzee> if you didnt mod your openssl.cnf i would say start over with v3 if you can without too much annoyance
13:20 < GrantK> dazo I to note only the mention of ECDSA support, not of newer/preferred tech e.g. chacha20-poly1305 cipher and curve25519-sha256 kex algo.
13:21 < GrantK> krzee: yup, already did.
13:21 <@krzee> =]
13:22 < GrantK> (still lost time looking for pkitool, though ...)
13:23 < pekster> debbie10t: FYI, using the "-full" commands in easyrsa (at least as of v3) is almost always the Wrong Way to do things
13:24 < pekster> The howto on the wiki (not the old openvpn.net howto for v2) demonstrates the right way, which is to use _separate_ PKI environments. Key escrow is a very bad thing
13:28 -!- fiasco_averted [glen-a@64.125.189.90] has joined #openvpn
13:33 < fiasco_averted> for whatever reason I'm a doofus and can't figure out how to statically compile in OpenSSL into OpenVPN on OSX. I have it working with OpenSSL installed and not statically compiled on an updated version I installed using brew install openssl (installs 1.0.1g), but If I remove that version and just have the default 0.9.x, the same binary fails to work. Any idea where I pass flags like -static or something else to make this work?
13:33 < fiasco_averted> Currently my build process that works on current git-master is roughly:
13:33 < fiasco_averted> autoreconf -iv && ./configure --disable-lzo --disable-snappy && make
13:36 < GrantK> fiasco_averted: do you NEED static, or do you just want to ensure that openvpn dynamically links against the CORRECT openssl libs?
13:40 < fiasco_averted> I'd like to force the latest version, and not stomp on the installed version since developers may necessitate weird openssl versions installed on their machines. I'd like to support aes-gcm once openvpn supports it (I believe its slated for the 2.4 release), and Apple's default OpenSSL install is below 1.0 doesn't support this cipher-suite. I think that static is the way to go with these restrictions unless you have reason to believe otherwise.
13:42 < GrantK> You don't have to do static at all, you just need to make sure that you link to the correct libs, dynamicall.  That's what I do.  My openssl is installed in /usr/local/ssl, system's in /usr/...; openvpn correctly links against 'mine'.
13:42 < GrantK> fiasco_averted: ^^
13:45 -!- jason_rad [~jason_rad@208.86.45.162] has quit [Quit: leaving]
13:47 < zgreg> debbie10t: anyway, thanks for the help, and sorry for assuming so much. I shouldn't try to rely on memory from many years ago. :)
13:48 < GrantK> fiasco_averted: fyi, http://pastebin.com/9bKb42BT
13:48 < fiasco_averted> GrantK: If the machine it's running on only openssl 0.9.8 (default on macs), will I be able to do EC certs or Aes-gcm, or use the aes-ni instruction set which is only available on more recent versions?
13:48 -!- zgreg [~greg@pygmy.kinoho.net] has left #openvpn []
13:48 < debbie10t> Pekster: yes, I understand that I used a < recommended methodology - it was my intention to investigate this post https://forums.openvpn.net/topic15909.html - I contructed a PKI with EasyRSA3 and replicated the problem. My issue was my (poor) assumption that "build-server-full x y" implied the NSCertType.
13:48 <@vpnHelper> Title: OpenVPN Support Forum Cert Errors Openvpn 2.3.4 : Easy-RSA (at forums.openvpn.net)
13:48 < GrantK> 0.9.8? no, no EC there.  read the CHANGELOGS.  Time to install a newer SSL.
13:51 < fiasco_averted> GrantK: Thanks for the paste. I agree, but don't want to fuck with user's machines more than necessary (and it's not necessary). For curiosity's sake 2 questions: 1) how would I do static compilation (this will help me with other unrelated projects where the user doesn't have the lib in question at all) 2) So each -I"/path/to/lib/folder" is a subsequent place it'll search, in order of whichever -I is declared first?
13:52 < fiasco_averted> language, sorry.
13:53 < GrantK> fiasco_averted: (1) no idea, I don't statically compile, (2) generally yes, unless ld.so.conf(.d/*) is horked.  build-time flags are supposed to take precedence.
13:55 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
14:08 -!- d0rkl0rd [~d0rkl0rd@pool-74-103-77-228.bltmmd.fios.verizon.net] has joined #openvpn
14:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:11 < d0rkl0rd> i have a question about encryption used in the control channel
14:11 < d0rkl0rd> i.e. messages marked P_CONTROL_V1
14:13 < d0rkl0rd> is the encryption algorithm the same used as in the data channel, i.e. stream cipher, but using the premaster key instead of the master data key?
14:14 < d0rkl0rd> or is application data passed in the control channel encrypted using rsa?
14:23 -!- d0rkl0rd [~d0rkl0rd@pool-74-103-77-228.bltmmd.fios.verizon.net] has quit [Quit: leaving]
14:24 -!- Rug [~matt@d50-115-176-66.static.comm.cgocable.net] has joined #openvpn
14:24 < Rug> Howdy all
14:45 < Rug> Is there any reason that OpenVPn couldn't work in a VirtualBox guest session?
14:45 <@krzee> not that i have ever heard of
14:46 <@krzee> and after all these years i suspect i would have heard something by now if there was a problem
14:46 <@krzee> for example i have never seen openvz in person but i know the openvpn pitfalls when using it
14:46 < Rug> krzee: ok thanks
14:46 <@krzee> np
14:47 < Rug> I just keep hitting my head against a wall (I suspect it's a routeing issue) but I just can't seem to get it working correctly.
14:47 < Rug> I can connect to the server, but to nothing on the LAN.
14:47 <@krzee> !serverlan
14:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
14:47 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
14:47 <@krzee> try the troubleshooting flowchart
14:47 <@krzee> (second link of #3)
14:49 < Rug> thanks
14:58 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:00 <@krzee> np
15:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:04 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:13 -!- joshh20 [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has joined #openvpn
15:13 -!- dazo is now known as dazo_afk
15:26 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:27 -!- dimitry7 [~antonello@187.188.84.149] has quit [Read error: Connection reset by peer]
15:31 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 264 seconds]
15:37 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:38 -!- kron4eg [~kron4eg2@unaffiliated/kron4eg] has joined #openvpn
15:40 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
15:45 -!- kron4eg [~kron4eg2@unaffiliated/kron4eg] has left #openvpn []
15:49 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has left #openvpn []
16:03 -!- Rug [~matt@d50-115-176-66.static.comm.cgocable.net] has left #openvpn []
16:08 -!- eduhat [~eduhat@unaffiliated/eduhat] has joined #openvpn
16:19 -!- eduhat [~eduhat@unaffiliated/eduhat] has quit []
16:26 -!- bears [~bears@unaffiliated/bears] has quit [Ping timeout: 265 seconds]
16:27 -!- GrantK [F8QGeac2jI@bolt.sonic.net] has quit [Quit: GrantK]
16:28 -!- tormen [~me@90-83-190-109.dsl.ovh.fr] has quit [Ping timeout: 245 seconds]
16:30 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 276 seconds]
16:42 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has quit [Quit: Nettalk6 - www.ntalk.de]
16:42 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
16:43 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:49 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
16:57 -!- koniiiik [johnny64@phoenix.wheel.sk] has joined #openvpn
16:58 -!- jason_rad [~jason_rad@208.86.45.162] has joined #openvpn
16:58 < jason_rad> What does client-to-client mean in openvpn server config?
16:58 < jason_rad> nm
16:58 < jason_rad> found it
17:00 < koniiiik> Hi people, can anyone point me to an explanation of what digests like RSA-something or DSA-something mean?
17:00 -!- jason_rad [~jason_rad@208.86.45.162] has quit [Quit: Lost terminal]
17:02 -!- jlim [~jlim@unaffiliated/jlim] has joined #openvpn
17:02 < jlim> hello
17:03 < jlim> for some reason i connect to a vpn server and it shows a successful connect. but i have no internet connection on the machine
17:03 < jlim> using openvpn
17:07 < pekster> Read !welcome, !configs, and !logs
17:08 < pekster> And the rest of the /TOPIC you apparently missed
17:10 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has joined #openvpn
17:10 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
17:12 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
17:13 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
17:18 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
17:18 -!- mattock is now known as mattock_afk
17:29 -!- Latrina [~Latrina@adsl-ull-132-197.50-151.net24.it] has quit [Ping timeout: 240 seconds]
17:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
17:34 -!- Latrina [~Latrina@ppp-32-12.26-151.libero.it] has joined #openvpn
17:34 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
17:38 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:41 < warewolf> hm. there isn't a way to do dynamic configuration, when you're in inetd mode at all, is there
17:45 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
17:46 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:00 -!- bonjurkes [~julia@192.34.58.231] has joined #openvpn
18:01 < bonjurkes> ahoy, I am trying to make settings on my dd-wrt router for openvpn. The issue si I am getting tls handshake error after 60 seconds. Is it connectivity issue, or misconfigured encrpytion etc. setting?
18:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:02 < warewolf> bonjurkes: oh I've run into this before, on the server and client side get openvpn to dump what the supported ciphers and hashes are.
18:02 < warewolf> bonjurkes: find a cipher and hash both sides support
18:03 < warewolf> do uh ... openvpn --show-ciphers
18:03 < bonjurkes> warewolf I guess I will have that issue for sure. But I am not realy sure, if I am having a connectivity issue on the first hand
18:03 < bonjurkes> TLS handshake error can be because of connectivity ? or cipher issues?
18:03 < warewolf> both
18:03 < bonjurkes> that's crap
18:03 < warewolf> bonjurkes: on my dd-wrt router I ended up using SHA1 for the hash, and BF-CBC for the cipher.
18:04 < bonjurkes> can this be an issue ? UDPv4 link local: [undef]
18:05 < warewolf> you'll need to (not paste here, paste elsewhere) paste more logs to be able to troubleshoot
18:05 < warewolf> get logs from both sides, server & client
18:05 < bonjurkes> i turned off the firewall and I can ping the openvpn server ip so not sure if it's connectivity
18:05 < bonjurkes> yeah, ofc. I forgot server side logs
18:06 < bonjurkes> client side log http://pastebin.com/z8U0RqNq quite short
18:07 < warewolf> may want to up the verbose level if it's really short
18:07 < warewolf> yeah, key negotiation failed
18:07 < warewolf> check ciphers.
18:08 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:08 < pekster> The reason why is important
18:09 < pekster> It might be a timeout in which case you need to review logs on the opposing side
18:09 < pekster> Maybe packets don't arrive, or maybe it's rejected for a reason only the remote knows
18:09 < pekster> /TOPIC suggests you review the !configs and !logs output
18:10 < pekster> Right, so "nothing happened in 60 seconds" -- that's not a cipher problem at all
18:10 < bonjurkes> that's what I wonder, let's increase verbose level, if I can
18:10 < pekster> No "initial packet revieved", so you packets aren't even getting replied to. Configs would help
18:11 < pekster> !verb
18:11 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage. or (#3) Anything more than 5 is for developer debugging only
18:11 < pekster> !logs
18:11 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:11 < pekster> !configs
18:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
18:11 < pekster> Please see !configs above. YOu haven't provided them, nor have you provided the server-side logs of a connection
18:12 < bonjurkes> pekster, openvpn-status.log is simply empty, I guess I should increase verb on server side
18:12 < bonjurkes> warewolf do you know how to increast verb level on dd-wrt side
18:12 < pekster> status has nothing to do with what I asked
18:13 < pekster> Read --verb above
18:13 < pekster> All the info you need is above
18:13 < pekster> If your distro doesn't expose this to you, then complain to them
18:13 < warewolf> bonjurkes: I don't have access to the dd-wrt router I put openvpn on, I think it's in nvram settings? (warning: that's advanced territory)
18:14 < pekster> If you don't have a proper openvpn config, then you're not asking for openvpn help. Also, nvram-based storage is old-school. openwrt uses jffs2 and has real config files ;)
18:15 < bonjurkes> I have a new error now
18:21 -!- bonjurkes [~julia@192.34.58.231] has quit [Ping timeout: 245 seconds]
18:22 -!- bonjurkes [~julia@24.133.108.106] has joined #openvpn
18:22 < bonjurkes> gosh
18:23 < bonjurkes> where can I see the logs of verb 5 on server?
18:24 < warewolf> depends on your config.  It may be in syslogs.  Try looking in /var/log/messages?
18:24 < bonjurkes> log-append openvpn.log
18:24 < warewolf> so find that file
18:24 < warewolf> it may be in /etc/openvpn
18:26 < bonjurkes> yay
18:26 < bonjurkes> breadcrumbs!
18:27 < bonjurkes> TLS Error: incoming packet authentication failed from [AF_INET]
18:27 < bonjurkes> Authenticate/Decrypt packet error: packet HMAC authentication failed
18:29 < bonjurkes> brb
18:29 -!- bonjurkes [~julia@24.133.108.106] has left #openvpn []
18:29 -!- bonjurkes [~julia@24.133.108.106] has joined #openvpn
18:30 < pekster> Your configs would have shown a miss-match of --tls-auth probably
18:31 < pekster> Of course, without seeing them it's just a guess. This is why the /TOPIC asks for configs from both sides
18:34 < bonjurkes> pekster I am not trying to hide anything, just trying to find them
18:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:37 < bonjurkes> pekster http://pastebin.com/h65fpuuU
18:37 < pekster> Right, I'm more suggesting your platform may not be the best choice if it hides them from _you_
18:37 < bonjurkes> well I am just learning )
18:37 < pekster> Looks right, although you can use the grep to strip the comments & blanks next time. I can do that for you here
18:38 < bonjurkes> sorry about that
18:43 < bonjurkes> and this is the settings page http://i.imgur.com/K7EUaMA.png
18:43 < pekster> You've mis-mathed --auth settings. MD5 doesn't match the server's default of SHA1
18:43 < pekster> Yea, I don't care about web frontends
18:46 < pekster> Also tun-ipv6 doesn't make much sense on the client when you don't push v6 settings from teh server; just remove it
18:47 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
18:47 -!- bonjurkes [~julia@24.133.108.106] has quit [Read error: Connection reset by peer]
18:48 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
18:48 -!- bonjurkes [~julia@24.133.108.106] has joined #openvpn
18:49 < bonjurkes> MULTI: bad source address from client
18:50 < bonjurkes> so I should arrange iptables rule from the server
18:52 < pekster> That means your client is sending bogus packets down the link
18:52 < pekster> Fix whatever broken client application is doing that, or just ignore it so long as IP traffic is working properly
18:53 < bonjurkes> well ip works good, as I can connect to server
18:53 < bonjurkes> but probably dns is the problem
18:54 < pekster> For that error? No that's completely the client's fault
18:54 < pekster> You can't just willy-nilly pick IPs to use. I could claim my IP is from the white house, but that doesn't make it so
18:56 < bonjurkes> I have a nice message too long error 97 on client log
18:56 < bonjurkes> probably it's about the bad source address from client error
18:59 < bonjurkes> so probably i should define some iptables rules on client side
19:00 -!- GrantK [JqPx3ZIAu5@bolt.sonic.net] has joined #openvpn
19:01 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 252 seconds]
19:03 < bonjurkes> pekster thanks a lot for your help
19:03 -!- fiasco_averted [glen-a@64.125.189.90] has quit [Quit: Leaving.]
19:04 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:06 -!- bonjurkes [~julia@24.133.108.106] has quit [Quit: AnacønÐa · "You get the most of what you need the least"]
19:13 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has left #openvpn []
19:13 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 265 seconds]
19:16 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:22 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 252 seconds]
19:25 < GrantK> ping syzzer
19:28 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:30 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
19:31 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:34 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
19:37 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 252 seconds]
19:37 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
19:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:18 < jlim> openvpn connects to server but no internet access on the machine??
20:18 < jlim> anybody know anything about this
20:18 < jlim> ?
20:29 < pekster> OpenVPN does not "provide Internet access" (that would be whan an ISP does)
20:29 < pekster> !goal
20:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:37 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
20:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:52 < GrantK> When I start OpenVPN, in syslog I see: "2014-05-23T18:50:23.164306-07:00 test systemd[1]: Started OpenVPN Server."  Note the timestamp -- it's correct for my timezone.  But in /var/log/openvpn/openvpn.log, I see:
20:53 < GrantK> Sat May 24 01:50:23 2014 Initialization Sequence Completed
20:53 < GrantK> Note -- UTC time.  How do I get Openvpn's log to use 'my' time, like the syslog entries?
20:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:04 < GrantK> It's run in a chroot; cp'ing /etc/localtime to $CHROOT/etc/localtime makes no difference.
21:06 -!- GrantK [JqPx3ZIAu5@bolt.sonic.net] has quit [Quit: GrantK]
21:22 < pekster> systemd: making things as basic as time painfull all over again. Becuase progress!
21:44 -!- joshh20 is now known as joshh20-Away
22:06 < _FBi> hello pekster
22:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:23 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
22:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:49 -!- average [~stefan@unaffiliated/average] has joined #openvpn
23:10 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has joined #openvpn
23:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 265 seconds]
23:46 -!- ildefonso [~ilde123@201.185.229.85] has quit [Quit: Leaving]
23:53 -!- ShadniX [dagger@p5DDFC33E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:54 -!- ShadniX [dagger@p5DDFD96C.dip0.t-ipconnect.de] has joined #openvpn
23:58 -!- Megaf_ is now known as MegAFK
--- Day changed Sat May 24 2014
00:19 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:32 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
00:34 -!- MegAFK [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
00:57 -!- GrantK [444OJSZhXR@bolt.sonic.net] has joined #openvpn
01:15 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:35 -!- GrantK [444OJSZhXR@bolt.sonic.net] has quit [Quit: GrantK]
02:52 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
02:59 -!- average [~stefan@unaffiliated/average] has quit [Ping timeout: 252 seconds]
03:02 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
03:10 -!- mattock_afk is now known as mattock
03:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:45 -!- mattock is now known as mattock_afk
04:05 -!- fuzzydolphin [~fuzzydolp@99-104-126-19.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
04:07 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
04:09 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
04:13 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
04:22 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:28 -!- fuzzydolphin [~fuzzydolp@99-104-126-19.lightspeed.sntcca.sbcglobal.net] has quit [Quit: fuzzydolphin]
04:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:57 -!- Latrina [~Latrina@ppp-32-12.26-151.libero.it] has quit [Ping timeout: 252 seconds]
04:58 -!- Latrina [~Latrina@151.56.180.171] has joined #openvpn
05:03 -!- Latrina [~Latrina@151.56.180.171] has quit [Ping timeout: 240 seconds]
05:04 -!- Latrina [~Latrina@151.56.181.34] has joined #openvpn
05:12 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has joined #openvpn
05:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
05:13 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:23 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 240 seconds]
05:37 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
05:38 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
05:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:01 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
06:02 < jlim> hey guys
06:03 < jlim> having trouble with openvpn
06:06 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has joined #openvpn
06:16 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:26 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has quit [Ping timeout: 258 seconds]
06:32 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has joined #openvpn
07:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
07:27 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
07:28 < hydrajump> hi is there any advantage to running an openvpn server inside a docker container on an ubuntu ec2 instance versus running openvpn directly on the ec2 instance?
07:46 < jlim> don't know,, i wish that i could just get openvpn working
07:51 < jlim> i can connect to my openvpn server but there is no internet on the client maching.. connection hangs.... have to reboot the maching to unlock internet
07:51 < jlim> can=can't
08:10 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
08:10 -!- mete [~mete@91.247.253.160] has joined #openvpn
08:21 -!- harpyon [~harpyon@harpyon.com] has left #openvpn ["Leaving"]
08:32 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
08:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
08:45 < jlim> is there anybody willing to help me with my openvpn problems?
08:45 -!- joshh20-Away is now known as joshh20
08:51 < pekster> Why do you think the answer today is any different than when you asked the exact same question yesterday and didn't read the /TOPIC or my question?
08:52 < pekster> 2014-05-23 20:29< pekster> OpenVPN does not "provide Internet access" (that would be whan an ISP does)
08:52 < pekster> !goal
08:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:54 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:54 -!- mode/#openvpn [+v s7r] by ChanServ
09:01 -!- GrantK [qiuHnljCaH@bolt.sonic.net] has joined #openvpn
09:03 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:04 -!- GrantK [qiuHnljCaH@bolt.sonic.net] has quit [Client Quit]
09:09 -!- Heavylobster [~HL@cs181005083.pp.htv.fi] has joined #openvpn
09:11 < Heavylobster> hey! openvpn newbie here.. I've set up port forwarding from my server to a client and I'd like to make sure, will openvpn automatically give the client the same IP every time or should I set up some kind of static ip for it?
09:11 < pekster> !static
09:11 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
09:11 <@vpnHelper> also: !addressing
09:12 < pekster> There are examples on the wiki doc you can find at !addressing
09:12 < pekster> Mind the return-path too; if you're forwarding in arbitrary connections from the server, you either need to be using !redirect, or policy routing on the client
09:13 < Heavylobster> yeah I looked into how does one set such a static ip for example in the howto at http://www.leonardoborda.com/blog/how-to-assign-a-fixed-ip-address-to-a-openvpn-user-lan-to-lan-connection/
09:13 <@vpnHelper> Title: How to assign a fixed ip-address to an openvpn user / lan-to-lan connection? Leonardo Borda (at www.leonardoborda.com)
09:13 < Heavylobster> i have another problem doing that though
09:13 < pekster> We don't support random blogs
09:13 < pekster> Did you read the link we do check over?
09:13 < pekster> Apparently not, since you didn't even look at the reference I gave youi
09:13 < pekster> !addressing
09:13 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
09:14 < pekster> Read harder, ask questions if you're still confused. Don't ask me to read someone else's blog, since they're usually wrong
09:14 < Heavylobster> let me finish please, looking at that my question will still apply :P
09:15 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:15 < Heavylobster> I set up my keys using easyrsa, and to make that client specific config I'll need the common name
09:15 < Heavylobster> easyrsa put a bunch of special characters in there it seems like / acouple of times which I dont think I can put in the file name
09:16 < Heavylobster> so any way around that or should I just make new keys?
09:17 < Heavylobster> (also, my original question was whether I need to do that in the first place or will openvpn give me the same IP all the time as long as I use the same computer)
09:18 < pekster> You'd best fix that
09:19 < pekster> You can technically use a --client-connect script instead of a CCD file to push options like IPs, but don't us characters disallowed by your filesystem in the CN of a cert
09:19 < Heavylobster> so, it's best to just generate new keys and properly this time?
09:19 < pekster> It's not the key that's the problem but the cert
09:19 < Heavylobster> cert then
09:20 < pekster> Technically you could keep the key on the client and issue a new CSR with it, but it's probably easier just to redo the entire keypair
09:21 < Heavylobster> i take it its enough just to redo them for the client?
09:21 < pekster> Yea
09:22 < Heavylobster> great, i shall get to it, thanks!
09:22 < pekster> Also, easyrsa doens't "put" characters in there -- you have to ask it to :P
09:24 < Heavylobster> well it looks like it set my CN as "client1/name=EasyRSA/emailAddress=<removed>"
09:25 < pekster> That's the DN, not the CN
09:25 < pekster> Also, easyrsa3 fixes this by not including such stupid things as an email, city, state, orgization, orgizational unit, etc in your certs
09:26 < pekster> It's _just_ the CN that goes into the DN (by default -- you can add org fields if you really want, but they just look messy, and sort of leak info that you put in them to anyone watching your connection)
09:27 < pekster> The CN is _just_ the CN part of your cert. easyrsa3 (as of git -master) can show you the request details, but since you're using v2, you'd need to run: `openssl x509 -in /path/to/your.crt -noout -text -nameopt multiline`
09:27 < pekster> Run that above command with the multiline display as I think it'll clear much up for you
09:29 < Heavylobster> ooh that looks more sensible
09:29 < Heavylobster> I guess the blog -was- wrong then, with their script to check what my CN is :P
09:29 < Heavylobster> your script says its just client1
09:29 < Heavylobster> well, command*
09:29 < pekster> An X.509 commonName is one field that makes up the distinguishedName
09:30 < pekster> The DN must be unique, although the commonName need not be. In terms of OpenVPN, you should always ensure that all valid certs (those not expired or revoked) never duplicate the CN, and by default openssl (and by extension easyrsa) will disallow that
09:30 < pekster> So in your case, the CCD file just needs to be 'client1'
09:31 < Heavylobster> great
09:32 < Heavylobster> problem is solved then, rest of the setup should be no problem
09:32 < Heavylobster> thanks!
09:42 -!- Heavylobster [~HL@cs181005083.pp.htv.fi] has left #openvpn []
10:00 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:35 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 240 seconds]
10:35 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 252 seconds]
10:52 < Haigha> hi, a client has a problem with openvpn on Xubuntu (12.04 or 14.04)
10:52 < Haigha> ERROR: Cannot ioctl TUNSETIFF tun0: Device or resource busy (errno=16)
10:52 < Haigha> "openvpn --mktun --dev tun0" seems to fix the proble
10:52 < Haigha> what can cause this problem?
10:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:54 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
10:57 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 256 seconds]
10:58 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
11:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
11:01 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
11:30 < Haigha> looks like "dev tun" instead of "dev tun0" fixed it
11:46 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has joined #openvpn
12:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
12:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
12:37 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
13:02 -!- cransom [~cransom@petit.hubns.net] has quit [Quit: Changing server]
13:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:36 -!- jerrcs [jeremy@dogpound.sliqua.com] has joined #openvpn
13:39 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has quit [Quit: WeeChat 0.3.8]
13:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
13:45 < rob0> !tcp
13:45 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:04 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:28 -!- joshh20 is now known as joshh20-Away
14:36 -!- zz_swebb is now known as swebb
14:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
15:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
15:08 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has joined #openvpn
15:08 < dougiel> !welcome
15:08 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:08 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:10 < dougiel> !goal
15:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:11 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
15:12 < dougiel> I would like my notebook to act as if it were connected to my lan when I am tunneled in thru my iphone hotspot.
15:13 < dougiel> !paste
15:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:14  * dougiel walks up to the bar... reaches over for a bottle and a glass and pour himself a drink...
15:16 < rob0> So, you got a server set up at home, and a client on the notebook? That works?
15:16  * dougiel takes out a pack of rolling papers and start constructing one large roll....
15:16 < dougiel> rob0, yes
15:16 < rob0> !serverlan
15:16 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:16 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:17 < rob0> and connecting to the LAN at home is not working?
15:18 < dougiel> followed the howto to a troubleshooting point and never got any errors just need something else to follwo/read but don t know what
15:18 < pekster> The flowchart you were linked 2 minutes ago, herpahs?
15:18 < pekster> perhaps*
15:19 < dougiel> rob0 never did that stuff...
15:19 < dougiel> pekster, are you yoda or something... did I miss something I was supposed to do?
15:21 < dougiel> I don't recall a flowchart?
15:23 < dougiel> !ipforward
15:23 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
15:24 < dougiel> !linipforward
15:24 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
15:25 < debbie10t> dougiel: pekster meant this: http://pekster.sdf.org/misc/serverlan.png
15:28 < dougiel> debbie10t, pekster thanks... that is worth running down to the printer for -> really appreciate the help, rob0 too. Not sure if this is beyond my capabilities or not... brb
15:34 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:36 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
15:41 < dougiel> on that spread sheet I substitute my lan info for 10.10.10.0 right?
15:42 < pekster> yes
15:43 < dougiel> thanks pekster :)
15:47  * dougiel blushes as he sees the obvious genius of the channel...
15:47 < dougiel> Nice channel!
15:56 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has quit [Ping timeout: 252 seconds]
15:56 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
16:00 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
16:22 -!- dougiel [~doug@24.114.36.73] has joined #openvpn
16:27 -!- dougiel [~doug@24.114.36.73] has quit [Ping timeout: 240 seconds]
16:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:33 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:49 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
17:04 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
17:09 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has joined #openvpn
17:09 < dougiel> lol
17:11 < dougiel> I would like to add a route to the router so it knows how to reach the vpn subnet
17:11 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:13 < dougiel> !goal
17:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:13 < dougiel> I would like to add a route to the router so it knows how to reach the vpn subnet
17:13 < pekster> So do that
17:13 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:13 < pekster> !route_outside_openvpn
17:13 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
17:14 < pekster> It's your job to read the system documentation for this device if it's not the one running openvpn
17:14 < warewolf> pekster: hey, any idea if there is a way to dynamically add config statements (e.g. like CCD) in inetd mode?
17:14 < dougiel> pekster, I did but I think I did it wrong and thot there was a bot complimenting the flowchart in some awesome way.
17:15 < warewolf> pekster: or am I going to need to like, make a 'config /path/to/some/file' that is a fifo that something writes to as a hack
17:15 < pekster> warewolf: I doubt it. That's silly anyway, becuase if you want a "dynamic ccd" what you really want is to use the stdout feature of --client-connect
17:15 < dougiel> !route
17:15 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:15 <@vpnHelper> client
17:15 < warewolf> pekster: client-connect doesn't work in inetd mode :/
17:15 < pekster> The --client-connect option? Really?
17:16 < warewolf> yeah
17:16 < warewolf> appears to be a multi-mode only feature
17:16 < pekster> I think inetd gets almost no testing/support these-days. What are you trying to do with it?
17:16 < pekster> You shouldn't really need to use it at all since it's not like having an openvpn daemon running hurts anything (it eats something like 4MB RAM at idle)
17:17 < warewolf> clients on separate vlans
17:17 < warewolf> separate TAP devices each
17:17 < pekster> Why not use tun and firewall between them?
17:24 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has quit [Ping timeout: 258 seconds]
17:33 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
17:40 < jlim> i am getting intermitant connection drops on the client side,, anybody got any advice?
17:48 -!- warewolf [warewolf@warewolf.org] has left #openvpn []
17:48 -!- joshh20-Away is now known as joshh20
17:50 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has joined #openvpn
17:57 < dougiel> I would like to add a route to the router so it knows how to reach the vpn subnet
17:57 < dougiel> pekster, I do that via server.conf correct?
17:58 < debbie10t> dougiel: is the router running openvpn or not ?
17:59 < dougiel> debbie10t, no is just a netgear router that has a spot for static routes that distracted me.
18:00 < debbie10t> dougiel: then server.conf will not effect the router
18:00 < debbie10t> add the route as a staic route to your router
18:01 -!- justinzane [~justinzan@24.49.184.42] has quit [Remote host closed the connection]
18:01 -!- justinzane [~justinzan@24.49.184.42] has joined #openvpn
18:01 < dougiel> on the router? that is what I tried every which way and notheing worked... never could ping anything other than the vpn server
18:02 < dougiel> debbie10t, ^^
18:02 < debbie10t> you did enable ipforwarding on the openvpn server machine ?
18:03 < dougiel> err... sorry missed that somewhere :(
18:04 -!- joshh20 is now known as joshh20-Away
18:04 < debbie10t> did you read this yet ? ::: http://openvpn.net/index.php/open-source/documentation/howto.html#scope
18:04 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:05 < dougiel> no
18:06 < dougiel> reading now
18:07 < debbie10t> FYI: adding the static route to your router is still required after you do the HOWTO
18:08 < dougiel> debbie10t, thanks :)
18:08 < debbie10t> what OS is your server ?
18:08 < dougiel> ubuntu
18:09 < dougiel> kde actually
18:09 < dougiel> err kubuntu
18:09 < debbie10t> ok .. there are two ways to approach the solution .. one is proper routing the other is to NAT your VPN traffic on the server to make it look like local traffic
18:11 < dougiel> debbie10t, that howto you recomended is the proper routing? I think I'd prefer to do the one that has the least cons
18:11 < debbie10t> pros and cons for all
18:12 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
18:13 < dougiel> I knew it would be catch 22 - always is... I am a linux user and know very little about windows and nothing past xp - what do you suggest for a linux environment
18:13 < debbie10t> NAT your VPN traffic by using iptables ::: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
18:13 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:14 < debbie10t> the essential difference is once your VPN traffic hits your server LAN it is NATtedto your server IP ..
18:15 < debbie10t> catch-22 .. did you ever actually read it ?
18:16 < jlim> on my router i have openvpn server and i have a choice of different encryptions. one of the choices is default... anybody have any idea what default encryption might be?
18:16 < debbie10t> probably my favourite book of all time
18:16 < debbie10t> jlim - default encryption with standard OpenVPN is BlowFish-CBC
18:17 < dougiel> I am reading now... lol - oh, no never read it...
18:17 < jlim> thanks
18:18 < jlim> is blowfish secure or should i go with something else such as aes?
18:18 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 264 seconds]
18:19 < debbie10t> jlim - BF-CBC performs well .. if you are really paranoid AES-256 is a good choice
18:19 < debbie10t> but it depends on your specific requirements .. i use BF-CBC
18:20 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:21 < jlim> is aes slower blowfish? i am getting some lag right now with blowfish
18:22 < debbie10t> I believe BF-CBC is less CPU intensive than AES-256
18:22 < rob0> Blowfish is probably the fastest cipher, with no known weakness, thus it is the default.
18:23 < jlim> i have no lag when i ssh buti do get some lag with bf. maybe because my hardware is a lil dated
18:24 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
18:25 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
18:31 < debbie10t> I used to work for compaq computers - they customised M$-DOS so it looked like it ran faster on their hardware - M$ did not like that so they bjorked it and eventually compaq stopped shipping M$-DOS with their hardware - M$ took over the world of desktop computers and compaq were bought out and scrapped dell or HP or someone .. the lesson = software wins everytime
18:32 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
18:35 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:38 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has quit [Ping timeout: 258 seconds]
18:49 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has left #openvpn []
19:16 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
19:20 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:21 < jlim> yes
19:22 < jlim> wow
19:22 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
19:24 -!- joshh20-Away is now known as joshh20
19:49 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has joined #openvpn
19:51 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
19:57 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
20:06 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
20:20 -!- jlim [~jlim@unaffiliated/jlim] has left #openvpn []
20:34 -!- jlim [~jlim@unaffiliated/jlim] has joined #openvpn
20:44 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has quit [Remote host closed the connection]
20:56 -!- jlim [~jlim@unaffiliated/jlim] has left #openvpn []
21:37 -!- joshh20 is now known as joshh20-Away
21:51 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:53 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:07 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:11 -!- james41382_ is now known as james41382
22:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
23:47 -!- Poster [~poster@oh-67-77-115-177.sta.embarqhsd.net] has quit [Quit: don't open your eyes you won't like what you see, the blind have been blessed with security, don't open your eyes take it from me, i have found, you can find, happiness in slavery]
23:53 -!- ShadniX [dagger@p5DDFD96C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:54 -!- ShadniX [dagger@p5481C99E.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun May 25 2014
00:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:35 -!- mattock_afk is now known as mattock
02:08 -!- mattock is now known as mattock_afk
02:25 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
03:46 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:10 -!- Poster [~poster@cpe-173-88-31-131.columbus.res.rr.com] has joined #openvpn
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
04:43 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Chrisje
04:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:55 -!- BIG_Yack [~BIG_Yack@46-150-33-248.cable.teleing.net] has joined #openvpn
04:56 < BIG_Yack> Hello, people! I've been trying to configure a client VPN for two days now with no success. Can soon help?
05:07 < reiffert> !howto
05:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:08 < BIG_Yack> reiffert, thanks for the link. Read it already. I can now connect to my Mikrotik RouterOS OVPN server and am assigned an IP, but nothing else works. Can't ping anything on remote network ....
05:09 -!- Netsplit over, joins: Ulrar
05:09 -!- Netsplit over, joins: fred``
05:10 -!- Netsplit over, joins: Chrisje
05:19 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
05:22 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
05:27 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Remote host closed the connection]
05:30 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
05:36 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
05:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:55 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has left #openvpn ["Left"]
06:01 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has joined #openvpn
06:08 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:18 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
06:18 -!- blonkel [~asdgasggK@aftr-37-24-150-116.unity-media.net] has joined #openvpn
06:19 < blonkel> hey, is it possible to run a proxy server, which serves a proxy service (to my local lan) and routes all data trough a openvpn connection?
06:19 < blonkel> or is there even a feature in openvpn for it?
06:20 < stemid> what sort of traffic do you want to proxy? because openvpn acts like a sort of proxy already.
06:20 < stemid> so the question is what you want to accomplish with this proxy of yours.
06:22 < blonkel> well i want to have it running on a server, and basicly the normal traffic shouldnt be redirected (only a part of my traffic should run trough the openvpn service), so i thought the easiest way is to have somehow a proxy service running and all traffic which should run trough the openvpn use then this kind of local proxy service
06:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:22 < blonkel> or is there any easier way?
06:23 < blonkel> if i tunnel all traffic, then my services on my server arent reachable are they?
06:23 < rob0> what sort of traffic do you want to proxy?
06:23 < blonkel> http traffic
06:24 < rob0> So you run an http proxy (such as squid) and route your traffic thereto through the vpn.
06:24 < rob0> You can do that using browser configuration (easiest) or through firewall redirection (might get ugly.)
06:25 < blonkel> and discard the default route from the openvpn server?
06:25 < rob0> Don't use --redirect-gateway if you do not wish to redirect the gateway.
06:25 < rob0> It's not a default setting.
06:26 < blonkel> and how do i tell squid to use the openvpn service as the default gateway to www?
06:27 < blonkel> or is there support in squid for openvpn connections?
06:27 < rob0> so, I guess you now are saying that you want to run the proxy client-side?
06:28 < stemid> I would suggest you setup openvpn first, test it in various ways, understand it, then it might be more clear how to use it with squid.
06:28 < stemid> because the vpn is just another network, on your tunnel interface.
06:31 < blonkel> https://www.dropbox.com/s/hk8q9mvs2v1e0g1/Unbenannt.PNG
06:31 <@vpnHelper> Title: Dropbox - Unbenannt.PNG (at www.dropbox.com)
06:31 < blonkel> thanks what i like to do
06:31 < blonkel> thatts*
06:31 < blonkel> basicly all services should be normal reachable of the net
06:31 < blonkel> but some requests should be tunneld through vpn
06:31 < blonkel> but not ALL
06:33 < blonkel> if im connecting to my openvpn provider, he pushes a default route so i redirect all traffic trough the vpn
06:33 < stemid> is www the internet?
06:33 < blonkel> yeah
06:34 < stemid> so you want to proxy smb too?
06:34 < blonkel> sorry ..
06:34 < blonkel> no
06:34 < blonkel> smb was just a example service which is also running
06:34 < blonkel> i just want to tunnel "some requests"
06:35 < stemid> ok so in that case I would setup a http proxy on server, I'm more familiar with apache than squid but whatever. then I would make the backend of that http proxy the VPN tunnel. and in the VPN tunnel I would forward packets from server to vpn, whatever that is.
06:35 < stemid> and about "some requests", you can split requests with apache.
06:35 < stemid> you basically setup a proxy forward on certain addresses.
06:36 < blonkel> so i have to setup static route based on addresses?
06:36 < blonkel> that those addresses run trough the vpn?
06:37 < stemid> setup the openvpn first like I said, then you will understand more. because openvpn relies on packet forwarding too and in this case I would forward the necessary http packets through the tunnel interface to the backend.
06:37 < stemid> afk dinner
06:38 < blonkel> thanks :)
06:49 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
07:13 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
07:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:39 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Quit: elfixit]
08:39 -!- Denial [Denial@176.250.235.182] has quit []
08:50 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:05 -!- mattock_afk is now known as mattock
09:06 -!- joshh20-Away is now known as joshh20
09:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:23 -!- Denial [Denial@176.250.235.182] has joined #openvpn
09:52 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Remote host closed the connection]
09:57 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
09:57 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
10:05 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
10:42 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:46 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
11:13 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:21 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
11:22 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:31 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Olipro, Chrisje
11:42 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
11:43 -!- Netsplit over, joins: Olipro
11:44 -!- Netsplit *.net <-> *.split quits: haasn, mete
11:44 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:49 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
12:04 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:05 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:06 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:06 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:33 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
12:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:47 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:47 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:55 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:55 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
12:56 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:58 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
13:04 -!- joshh20 is now known as joshh20-Away
13:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:31 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:37 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:38 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:39 -!- mgorbach_ is now known as mgorbach
13:40 -!- fred`` is now known as fred
13:40 -!- fred is now known as fred``
13:43 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:46 -!- BIG_Yack [~BIG_Yack@46-150-33-248.cable.teleing.net] has quit [Read error: Connection reset by peer]
14:02 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
14:04 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:06 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
14:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
14:10 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:13 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
14:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:17 -!- aji [~alex@atheme/member/aji] has quit [Ping timeout: 240 seconds]
14:39 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
14:51 -!- joshh20-Away is now known as joshh20
15:36 -!- mbff [~marshall@c-66-41-101-175.hsd1.mn.comcast.net] has joined #openvpn
15:37 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:38 < mbff> question: When using openVPN on Windows my DNS set by my Windows box and when using openVPN on Linux my DNS is set based off my laptop. However, on Android, the app follows directions and only uses the dns server requested by the server.
15:39 < mbff> How can I adjust my script to make Windows and Linux work like the Android app. I would like them to follow the openVPN's instructions and only use the one dns server
15:39 < mbff> script = client config
15:40 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Quit: WeeChat 0.4.3]
15:46 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:48 -!- aji [~alex@atheme/member/aji] has joined #openvpn
15:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:54 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:00 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
16:03 -!- mattock is now known as mattock_afk
16:23 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
16:27 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
16:27 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has joined #openvpn
16:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:54 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
16:54 -!- mbff [~marshall@c-66-41-101-175.hsd1.mn.comcast.net] has quit [Ping timeout: 252 seconds]
16:56 -!- TTimoNN [~ttimonn@5352E966.cm-6-3d.dynamic.ziggo.nl] has left #openvpn []
17:15 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
17:18 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:24 -!- dougiel [~doug@S0106744401495b56.wp.shawcable.net] has quit [Remote host closed the connection]
17:27 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has quit [Ping timeout: 264 seconds]
17:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
17:30 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 252 seconds]
17:31 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has joined #openvpn
17:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:13 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
18:30 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
18:31 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:43 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Ping timeout: 240 seconds]
19:04 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
19:05 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
19:09 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Ping timeout: 240 seconds]
19:12 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
19:25 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
20:16 -!- blonkel [~asdgasggK@aftr-37-24-150-116.unity-media.net] has left #openvpn []
20:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:22 -!- Latrina [~Latrina@151.56.181.34] has quit [Ping timeout: 258 seconds]
20:24 -!- Latrina [~Latrina@ppp-158-33.26-151.libero.it] has joined #openvpn
21:02 -!- themaskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
21:04 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Ping timeout: 276 seconds]
21:33 -!- joshh20 is now known as joshh20-Away
21:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:18 -!- themaskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Quit: WeeChat 0.4.3]
22:20 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:48 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:06 -!- u0m3_ [~u0m3@109.96.151.200] has joined #openvpn
23:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:08 -!- u0m3 [~u0m3@92.80.115.246] has quit [Ping timeout: 240 seconds]
23:10 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
23:34 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:41 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
23:53 -!- ShadniX [dagger@p5481C99E.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:54 -!- ShadniX [dagger@p5481CA64.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon May 26 2014
00:05 -!- pEYEd [~bastard@ool-2f147c48.dyn.optonline.net] has joined #openvpn
00:05 < pEYEd> following an update, openvpn fails with 'Exiting due to fatal error' http://paste.ee/p/f9bh3
00:19 < pekster> Seeing the config files you're using might help:
00:19 < pekster> !configs
00:19 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
00:23 < pekster> That's a generic message during a fatal abort; the real cause should be sooner, but I don't see it in that output
00:23 < pekster> Oh, and stop using verb 9
00:23 < pekster> Set verb 4
00:24 < pekster> 5 is for logging per-packet events in the log, and >5 is for developers familiar with the code
00:29 < pEYEd> http://bpaste.net/show/yRX7lHUQwnXzL901y5ls/
00:29 < pEYEd> pekster the config hasn't changed
00:29 < pEYEd> I can't see anything that's depreciated.
00:32 < pekster> Using the grep would have been better
00:32 < pekster> Most of those 300 lines are blanks/comments
00:33 < pekster> The config seems straight-forward enough. If you set the --verb level to 4 do you still have issues?
00:34 < pEYEd> pekster yes
00:35 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 240 seconds]
00:35 < pekster> I'm unclear how those get into syslog; presuambly you're running this through an initscript. Try not doing that and just call it from the CLI
00:35 < pekster> ie: `openvpn --config /etc/openvpn/openvpn.conf`
00:35 < pekster> (ensure you've stopped any distro-specific init stuff first, of course)
00:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:37 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
00:40 < pEYEd> got something new http://bpaste.net/show/sx4cU0NrfX1m6puqxGdV/
00:40 < pEYEd>  --client-config-dir fails with 'ccd': No such file or directory
00:41 < pekster> Use a full path
00:41 < pekster> The `ccd` dir does not exists where you are starting openvpn from
00:41 < pEYEd> pekster full path to what?
00:41 < pekster> (probably your CWD doesn't match what the initscript does, but it's best to use fully-qualified paths, or use the --cd option)
00:41 < pekster> The ccd dir, which I just referred to
00:42 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
00:42 < pEYEd> I have no clue what directory it wants
00:42 < pekster> You don't know where your own ccd dir is?
00:42 < pEYEd> nope
00:42 < pekster> That's kind of a problem and yo'd best find it first
00:42 < pekster> Why are you using a ccd dir if you don't even know what/where it is?
00:42 < pekster> !ccd
00:42 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
00:43 < pekster> Maybe it's under /etc/openvpn/ccd, but I have no clue where it might be under your environment
00:45 < pEYEd> http://bpaste.net/show/zJWZ8yBUMQyoLcWADWvC/ ?
00:46 < pekster> Looks like a ccd dir, yes
00:46 < pekster> Your distro init wrapper is apparently adding a --cd to /etc/openvpn on invocation, or changing the path there first
00:46 < pekster> Either way you should really use full paths unless you're willing to match whatever your distro is "doing for you" while we run it from the CLI
00:46 < pekster> (full paths is easier and non-ambigious)
00:48 < pEYEd> no candy   http://bpaste.net/show/ChwLEwNNzjapguw7fghL/
00:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:49 < pEYEd> TCP/UDP: Socket bind failed on local address
00:50 < pekster> You sure you stopped anything else listening on that port? Namely other openvpn instances?
00:50 < pekster> Perhaps `pidof openvpn` or `netstat -anu | grep 1194` can provide clues
00:50 < pekster> That or your --local directive is bogus
00:50 < pekster> (you probably don't need --local unless you're multi-homed or other wierdness)
00:55 < pEYEd> only one instance of openvpn  http://bpaste.net/show/5zqezeHHWbvFBc4eSSwl/
00:56 < pekster> My statement about your --local directive being bogus applies
00:56 < pekster> You cann't listen on an address not assigned to your interfaces
00:56 < pekster> Just remove that directive since you obviously don't want/need it
00:56 < pekster> If you _do_ use it, it _must_ refer to an availble IP
00:57 < pekster> That's almost always the wrong choice for DHCP ISP connections
00:57 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
00:58 < pEYEd> no where in the config is there a '--local'.
00:58 < pekster> local 198.74.50.169
00:58 < pekster> !--
00:58 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
00:58 < pekster> -- is just an option specification
00:59 < pekster> You've used what's obviously a former IP on your device there, and as noted above, this is probably something you don't want at all
01:00 < pekster> I supply all directives with the leading -- becuase that 1) identifies them as openvpn directives, and 2) encourages people to search the the manpage for their meaning
01:00 < pEYEd> that did the trick. thank you very much!
01:13 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
01:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:33 -!- mattock_afk is now known as mattock
01:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
01:38 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
01:42 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
01:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
01:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
02:02 -!- pEYEd [~bastard@ool-2f147c48.dyn.optonline.net] has left #openvpn []
02:11 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:19 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
02:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:52 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
02:54 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
02:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
02:59 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
03:06 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
03:30 -!- mallxs [~mallxs@84.246.31.190] has quit [Ping timeout: 252 seconds]
03:31 -!- iokill_ [~iokill@91.114.127.102] has joined #openvpn
03:32 -!- mallxs [~mallxs@84.246.31.190] has joined #openvpn
03:34 -!- iokill [~iokill@91.114.127.102] has quit [Ping timeout: 276 seconds]
03:35 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
03:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 258 seconds]
03:45 -!- dazo_afk is now known as dazo
03:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:32 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
04:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:35 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
04:40 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
04:54 -!- mallxs [~mallxs@84.246.31.190] has quit [Remote host closed the connection]
05:17 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
05:26 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
05:36 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
05:41 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
05:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:06 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
06:06 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
06:07 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
06:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
06:45 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:34 -!- dazo is now known as dazo_afk
07:36 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 245 seconds]
07:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:12 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 265 seconds]
08:16 -!- fred`` [fred@earthli.ng] has joined #openvpn
08:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
08:32 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
08:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
08:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:08 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
09:13 -!- emcepe [~mcp@wolk-project.de] has joined #openvpn
09:13 -!- emcepe is now known as mcp
09:22 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:34 -!- dazo_afk is now known as dazo
09:35 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
09:49 -!- joshh20-Away is now known as joshh20
10:13 -!- joshh20 is now known as joshh20-Away
10:21 -!- iokill_ [~iokill@91.114.127.102] has quit [Ping timeout: 276 seconds]
10:23 -!- zacktu [~chatzilla@173.246.212.95] has joined #openvpn
10:26 -!- zacktu [~chatzilla@173.246.212.95] has left #openvpn []
10:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
11:33 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:53 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:02 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
12:08 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 276 seconds]
12:20 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:28 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:30 -!- joshh20-Away is now known as joshh20
12:48 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
12:54 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
12:58 -!- joshh20 is now known as joshh20-Away
13:00 < Haigha> hi again, i've found that using tcp-nodelay on a client actually does "Assertion failed at helper.c:533"
13:00 < Haigha> instead of ignoring it
13:00 < Haigha> (as documented)
13:01 -!- qwertyoruiop [~hax@93.174.90.31] has joined #openvpn
13:02 < pekster> What version?
13:06 < Haigha> tested on OpenVPN 2.3.4 on Windows
13:06 < Haigha> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/helper.c#L533
13:06 <@vpnHelper> Title: openvpn/src/openvpn/helper.c at master · OpenVPN/openvpn · GitHub (at github.com)
13:06 < pekster> Looks like options.c:2127 intends to error out
13:07 < pekster> Yea, I see the assert, but the comment at options.c:2095 suggests (programatically) it's supposed to complain that you're not using --server when you use --tcp-nodelay. Manapge suggests it'll just be ignored though :\
13:09 < pekster> Would you mind opening a bug on the tracker? It should either be fixed to cause a fatal error on start (and the manpage updated) or not fail on the assertion
13:11 < pekster> https://community.openvpn.net/openvpn/newticket (you'll need an account, but it's quick & easy at the 'Register' link near the top)
13:11 < pekster> As a bonus, you'll be notified on ticket progress
13:12 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:14 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 240 seconds]
13:14 -!- mgorbach_ is now known as mgorbach
13:19 < Haigha> quick & easy, sure :D
13:19 < pekster> I agree it's a bug, but I'm not likely to fix it before something takes me away and my brain forgets it ;P
13:20 < Haigha> i'll open a bug
13:21 < Haigha> meh, it doesn't allow "+" in email addresses
13:21 < Haigha> that's a bug too
13:22  * pekster pokes ecrist: trac disallowing '+' in registration signups? ^
13:22 < pekster> Not sure if that's fixable or not
13:22  * krzee redirects poke to mattock 
13:22 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:23 < pekster> Now the real question is if poke-redirects are accepted or firewalled :P
13:23 <@krzee> :D
13:23 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:24 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 276 seconds]
13:25 -!- mgorbach_ is now known as mgorbach
13:26 < pekster> Haigha: If you'd prefer I can open a bug for you too; you just won't get updates since IIRC you can't opt-in to a CC list
13:27 < Haigha> i'm writing it
13:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:30 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:34 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:36 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:41 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:43 -!- TBJoe [~TBJoe@tmo-110-152.customers.d1-online.com] has joined #openvpn
13:44 < TBJoe> Hi guys, I'm using a VPN connection and it let's me access everything inside the network where the VPN server is installed - but every other traffic is not routed via the VPN server but through my own internet connection. I want to go all traffic go through the VPN, how can I do that?
13:45 -!- mattock is now known as mattock_afk
13:48 -!- ddyne [~ddyne@g230091226.adsl.alicedsl.de] has joined #openvpn
13:49 < ddyne> Good evening everyone! :-)
13:49 < ddyne> I'm trying to set up my VPN
13:49 < ddyne> cert-based access works fine
13:50 < ddyne> now I'd like to authenticate against an OpenLDAP server
13:50 < ddyne> but when I connect, Tunnelblick on my mac does not display any dialog for the credentials
13:51 -!- ddyne [~ddyne@g230091226.adsl.alicedsl.de] has quit [Remote host closed the connection]
13:51 -!- TBJoe [~TBJoe@tmo-110-152.customers.d1-online.com] has quit [Read error: Connection reset by peer]
13:52 -!- ddyne [~ddyne@g230091226.adsl.alicedsl.de] has joined #openvpn
13:53 < ddyne> sorry, my IRC client crashed :o)
13:53 < ddyne> anyway, there's no login dialog in Tunnelblick
13:54 < ddyne> and in the server logs, I get tls error auth username/password was not provided by peer
13:54 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:54 -!- TBJoe [~TBJoe@tmo-110-152.customers.d1-online.com] has joined #openvpn
13:54 < ddyne> so, a general question about the config:
13:56 -!- ddyne [~ddyne@g230091226.adsl.alicedsl.de] has quit [Remote host closed the connection]
13:57 < Haigha> pekster: finally https://community.openvpn.net/openvpn/ticket/408
13:57 <@vpnHelper> Title: #408 (Assertion failed on clients with --tcp-nodelay) – OpenVPN Community (at community.openvpn.net)
13:57 < Haigha> pekster: thank you for your help :)
13:58 < pekster> Yup, I'm adding some notes to it now. For the time being, even with the ugly assert message fixed, the program is set not to allow --tcp-nodelay in client mode
13:59 < pekster> So, there are 2 issues. 1) fixing the assert so the failure case at least gives a sane message to users. 2) either update manpage to indicate that this is a server _only_ flag, or silently drop it (maybe with a warning) instead of fail
14:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
14:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:04 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
14:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:10 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
14:10 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:11 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
14:16 -!- joshh20-Away is now known as joshh20
14:16 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:21 -!- TBJoe [~TBJoe@tmo-110-152.customers.d1-online.com] has quit [Read error: Connection reset by peer]
14:43 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has joined #openvpn
14:43 -!- TBJoe [~TBJoe@tmo-110-152.customers.d1-online.com] has joined #openvpn
14:43 < TBJoe> in my openvpn configuration file I wrote "redirect-gateway def1" at the end however it doesn't route my traffic through the VPN, what am I doing wrong?
14:44 < pekster> Missing --pull or --client on the client side? If you're still confused, take a look at the info/flowcharts:
14:44 < pekster> !redirect
14:44 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:44 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:45 < volkswagner> Greetings!
14:45 < volkswagner> I have routing question with the following setup:
14:46 < volkswagner> KVM host on Debian 7 also hosting OpenVPN, what would be best way to allow routing between vpn client and kvm guests
14:46 < volkswagner> KVM is setup with virbr0 192.168.122.0/24, OpenVPN is tun0 10.12.0.0/24
14:47 < TBJoe> !def1
14:47 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
14:47 < volkswagner> If I try to add route 192.168.122.0/24 in OpenVPN clients/server config it breaks gateway for virbr0, ie: 192.168.122.0 ends up with two gateways (virbr0 and tun0)
14:48 < volkswagner> Can I add route but specify different gateway?  Probably dumb question! I'm just a bit lost in the fundamentals.
14:48 < pekster> volkswagner: Is your VPN server also the default gateway for the LAN you're trying to connect to?
14:50 < volkswagner> pekster, yes.  The VPN server is acting as router as well for the guest VM's using virbr0, I only have one real NIC
14:50 < pekster> Sounds like you want:
14:50 < pekster> !serverlan
14:50 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
14:50 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
14:51 < pekster> flowchart will be helpful
14:54 < volkswagner> pekster thanks, perhaps I need to know difference between "push route" and "iroute", iroute is what I used in ccd file, perhaps that was wrong
14:55 < pekster> iroute is for when you have a LAN behind a VPN _client_ instance
14:56 < volkswagner> pekster, thanks… I'll make changes and test again.
14:59 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:11 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has joined #openvpn
15:13 -!- dazo is now known as dazo_afk
15:13 < M4rc3l> Hi, im trying to install openvpn on centos 6 and when im doing ./build-ca i get this:
15:13 < M4rc3l> Please edit the vars script to reflect your configuration,
15:13 < M4rc3l>   then source it with "source ./vars".
15:13 < M4rc3l>   Next, to start with a fresh PKI configuration and to delete any
15:13 < M4rc3l>   previous certificates and keys, run "./clean-all".
15:13 < M4rc3l>   Finally, you can run this tool (pkitool) to build certificates/keys.
15:13 < M4rc3l> i did the source var and the other stuff before i tried to build the keys
15:14 < volkswagner> pekster: progress!  I'm nearly at end of flowchart, I can ping LAN gateway but not machines behind it.  I believe issue is now related to firewall
15:15 < volkswagner> I thought the following two lines in iptables.rules would allow traffic:
15:15 < volkswagner> -A INPUT -s 10.12.0.0/24 -d 192.168.122.0/24  -j ACCEPT
15:15 < volkswagner> -A INPUT -s 192.168.122.0/24 -d 10.12.0.0/24  -j ACCEPT
15:15 < pekster> Context matters a lot here. Without context, you could be dropping sooner
15:15 < pekster> `iptables-save -c` on some pastebin for Netfilter ruleset help (which is exactly what #Netfilter would ask for)
15:15 < volkswagner> Ok, I''l pastbin rules
15:16 < pekster> And do verify you've got ip forwarding on
15:16 < rob0> and INPUT is wrong
15:16 < volkswagner> Yes, I'm already forwarding, perhaps that's part of the problem, as you say earlier in rules.
15:24 < volkswagner> pekster, thanks again. Flushing iptables and all is well. I'll get my rules straightened out.  You have been most helpful!
15:24 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Quit: elfixit]
15:25 < pekster> The hint about INPUT is a good place to start (forwarded packets traverse filter/FORWARD, not filter/INPUT.) #Netfilter is more targeted help for Netfilter issues too
15:25 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:30 < volkswagner> pekster, yes, forward rules got me all set! :)
15:52 < M4rc3l> when im trying to do ./build-ca i get this:
15:52 < M4rc3l> Please edit the vars script to reflect your configuration,
15:52 < M4rc3l>   then source it with "source ./vars".
15:52 < M4rc3l>   Next, to start with a fresh PKI configuration and to delete any
15:52 < M4rc3l>   previous certificates and keys, run "./clean-all".
15:52 < M4rc3l>   Finally, you can run this tool (pkitool) to build certificates/keys.
15:52 < M4rc3l> could anyone help
15:53 < M4rc3l> i tried to create the keys folder but that didn't help
15:54 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
15:54 < pekster> easyrsa v2 requires you source the "vars" file into your environment before _every_ invocation of easy-rsa in a new shell (or when you changed the options)
15:54 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:54 < pekster> We've done away with most of that in the new easyrsa v3 codebase, becuase it was very silly
15:57 < M4rc3l> hm i just did su root and it all worked d:
15:58 < pekster> There's no reason at all to run PKI tasks as the root user, but I suppose that's site preference. Some recommendations for securing PKI at !hardening if you want ideas
15:59 < M4rc3l> !hardening
15:59 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
15:59 < M4rc3l> thanks man
16:10 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has quit [Quit: Leaving.]
16:13 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has joined #openvpn
16:18 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
16:25 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:27 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
16:29 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has quit [Quit: Leaving.]
16:29 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
16:33 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
16:41 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]
16:55 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Quit: WeeChat 0.4.2]
16:55 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 258 seconds]
16:59 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
17:03 -!- TBJoe [~TBJoe@tmo-110-152.customers.d1-online.com] has quit [Quit: TBJoe]
17:14 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:32 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has joined #openvpn
17:52 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has quit [Quit: Leaving.]
18:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
18:05 -!- justinzane [~justinzan@24.49.184.42] has quit []
18:22 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
18:25 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
18:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
18:42 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 252 seconds]
18:49 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
19:01 -!- justinzane [~justinzan@24.49.184.42] has joined #openvpn
19:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
19:08 -!- mode/#openvpn [+o syzzer] by ChanServ
19:23 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
19:34 -!- joshh20 is now known as joshh20-Away
19:40 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
20:30 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
20:31 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
21:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:23 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
21:26 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
21:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:33 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:33 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 245 seconds]
21:48 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
21:59 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:14 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
22:19 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:22 -!- Megaf is now known as MegAFK
22:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
22:27 -!- MegAFK [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 264 seconds]
22:46 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 252 seconds]
22:48 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
23:17 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
23:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
23:51 -!- ShadniX [dagger@p5481CA64.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:52 -!- ShadniX [dagger@p5DDFDE17.dip0.t-ipconnect.de] has joined #openvpn
23:53 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
--- Day changed Tue May 27 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:16 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
01:03 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 240 seconds]
01:04 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
01:06 -!- mattock_afk is now known as mattock
01:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:04 -!- u0m3_ [~u0m3@109.96.151.200] has quit [Ping timeout: 240 seconds]
02:12 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 240 seconds]
03:00 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
03:08 -!- mynameisrickert1 [~patrick@5.61.249.139] has joined #openvpn
03:08 < mynameisrickert1> list
03:15 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:15 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:16 < mynameisrickert1> hi, i cant open the newest openvpnclient for windows on windows7
03:16 < mynameisrickert1> it keeps loading
03:18 < mynameisrickert1> the older versions work
03:20 < mynameisrickert1> maybe its a problem with w7
03:23 -!- mynameisrickert1 [~patrick@5.61.249.139] has quit [Quit: leaving]
03:49 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
03:55 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
04:02 -!- dazo_afk is now known as dazo
04:04 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
04:05 < c0mrade_> WriteLn.Console("Hello");
04:05 < c0mrade_> How can I uninstall openvpn from centos?
04:05 < c0mrade_> I want to start over from a fresh installation again.
04:27 < c0mrade_> ??
04:30 <@dazo> c0mrade_: yum erase openvpn ... remove whatever is in /etc/openvpn ... and yum install openvpn
04:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:01 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:11 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 245 seconds]
05:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
05:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
05:35 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:37 -!- justinzane [~justinzan@24.49.184.42] has quit [Ping timeout: 240 seconds]
05:59 -!- artemz [~quassel@2001:4ba0:cafe:768::1] has joined #openvpn
06:00 < artemz> !welcome
06:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:00 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:01 < artemz> !goal
06:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:09 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
06:09 -!- artemz [~quassel@2001:4ba0:cafe:768::1] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
06:11 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
06:11 -!- artemz [~quassel@2001:4ba0:cafe:768::1] has joined #openvpn
06:13 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:22 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit []
06:28 -!- pEYEd [~bastard@ool-2f147c48.dyn.optonline.net] has joined #openvpn
06:29 < pEYEd> before, when VPN was turned on, all routable IP address traffic would shut down and only LAN communication existed, traffic would enter my router, cross NAT and then hit my email server and then go back the same path. Now, openvpn no longer shuts down routable IP address upon connection, traffic enters the NAT/LAN and hits the email server but goes back out the open WAN interface, which totally borks the connection. How to I restore my clien
06:31 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
06:51 < pEYEd> web services are failing such as www and email server behind my NAT/VPN network. Inbound traffic reaches the vpn client/web server or email, but return traffic goes out the eth0 interface instead of tun0. How do I force all traffic to the VPN tunnel?  http://paste.ee/p/QhrVI
06:54 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Remote host closed the connection]
06:54 < pEYEd> my routes appear to be reaching the client correctly  http://paste.ee/p/E1wke
06:54 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has joined #openvpn
07:04 -!- artemz [~quassel@2001:4ba0:cafe:768::1] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
07:04 -!- artemz [~quassel@2001:4ba0:cafe:768::1] has joined #openvpn
07:18 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
07:20 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
07:35 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
07:37 -!- justinzane [~justinzan@host-69-59-81-22.nctv.com] has joined #openvpn
07:50 -!- EmLeX [~emx@unaffiliated/emlex] has quit [Quit: Bye.]
07:57 -!- gbit [~chatzilla@unaffiliated/gbit] has joined #openvpn
07:58 < gbit> Hello, What else can I do when http://openvpn.net/index.php/open-source/faq/77-server/265-how-do-i-enable-ip-forwarding.html does not work?  In Windows 7 seems that 'netsh bridge show adapter' does not work.
07:58 <@vpnHelper> Title: How do I enable IP forwarding? (at openvpn.net)
07:59 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:09 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
08:14 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
08:15 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:16 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:20 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 255 seconds]
08:21 -!- JackWinter_ [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
08:23 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
08:24 < artemz> Hello, is it possible to use both internal (say 10.8.0.0/24) and external (say 94.242.221.0/24) ip addresses on a bridged network in openvpn?
08:24 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
08:43 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:51 < renihs> artemz, what are your intentions?
09:05 -!- ildefonso [~ilde123@201.185.229.85] has joined #openvpn
09:07 < artemz> renihs, I want users to either have a shared ip (in this case I assign them an ip from 10.8.. and then forward their requests with iptables and snat to an external ip) or a dedicated IP (in this case I just assign them external ips, but it doesn't seem to work well)
09:10 -!- Mimiko [~Mimiko@77.89.245.38] has quit []
09:15 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:17 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has quit [Ping timeout: 252 seconds]
09:21 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
09:21 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
09:25 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
09:27 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has joined #openvpn
09:28 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
09:29 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:32 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has quit [Ping timeout: 255 seconds]
09:35 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has joined #openvpn
09:36 -!- swebb is now known as zz_swebb
09:40 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has quit [Ping timeout: 245 seconds]
09:44 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has joined #openvpn
09:44 < renihs> artemz, you dont need bridging for that, that will only nuke the setup
09:45 < renihs> just give them internal addresses on their tun devices and SNAT to your public ip that the vpn host may have
09:47 -!- Macer [macer@lasziv.reprehensible.net] has joined #openvpn
09:47 < Macer> sorry to ask but as far as removing key files from the server side. is there anything specific i need to keep on the server side related to creating the client key?
09:47 < Macer> or do i only remove the client.key?
09:48 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 276 seconds]
09:48 < rob0> The server only needs its own key and cert, the CA cert, and the dhparam file.
09:50 < rob0> The CA key should not be on the server at all. Choose another machine (ideally off the VPN, not a client) on which to manage the CA.
09:51 < Macer> ah ok. so after i mv the keys to the /etc/openvpn dir then can i just do a .clean-all to remove everything from easy-rsa/keys?
09:51 < Macer> or do i just rm the keys in that dir manually?
09:51 < rob0> hm? IIRC clean-all is to wipe the entire CA.
09:52 < Macer> oh
09:52 < rob0> which means you're not planning to use it anymore
09:52 < Macer> sorry. didn't know that.
10:00 < Macer> hm. after deleting the keys it no longer seems to want to work :/
10:00 < Macer> did i miss something here?
10:01 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 252 seconds]
10:03 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
10:03 < rob0> Does the server have its own key and cert, the CA cert, and the dhparam file?
10:04 -!- fellayaboy [~fellayabo@unaffiliated/fellayaboy] has joined #openvpn
10:05 < fellayaboy> what are the iptables settings for ubuntu 13.10/linuxmint 16
10:05 < fellayaboy> i keep having issues with iptables
10:06 < fellayaboy> firewall issues\
10:07 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Quit: narf]
10:08 < fellayaboy> this is the setup i put on my ubuntu 14.04 openvpn server. my clients connect but no internet is following through, http://pastie.org/9223395
10:12 < fellayaboy> never seem to be able to get any help on this channel
10:14 < ildefonso> fellayaboy, uh....
10:14 < ildefonso> fellayaboy, these firewall rules are not allowing traffic forwarding at all.
10:15 < fellayaboy> oh ok
10:15 < fellayaboy> what would be the proper settings, im not famaliar with iptables
10:15 < ildefonso> fellayaboy, as a matter of fact, clients shouldn't even be able to connect to the server, as INPUT policy is DROP, and you don't seem to be allowing incoming VPN traffic.
10:16 < fellayaboy> hmm interesting.
10:16 < ildefonso> fellayaboy, are you sure these are the firewall rules from your server?
10:16 < fellayaboy> i had no clue
10:16 < fellayaboy> this use to work in previous ubuntu versions idk what happened
10:16 < fellayaboy> ubuntu 11.04 and 12.04
10:16 < Macer> weird. i don't know what happened but now it won't connect :/
10:16 < Macer> rob0: yes
10:17 < Macer> it was working a little while ago.. not sure what i changed but i just recreated the ca.crt, dh2048.pem, server and client keys
10:17 < Macer> and restarted openvpn
10:17 < fellayaboy> ildefonso: do you know whats the proper iptables settings?
10:17 -!- zz_swebb is now known as swebb
10:18 < rob0> !factoids search koala
10:18 <@vpnHelper> No keys matched that query.
10:18 < rob0> !factoids help
10:20 < fellayaboy> ildefonso: yes these are the firewall rules from my server
10:21 < Macer> May 27 10:20:35 blacksilver NetworkManager[805]: <info> VPN connection 'SciVPN' (Connect) reply received.
10:21 < Macer> hm. seems to be getting a reply
10:21 < Macer> but then it fails saying the connection timed out :/
10:21 < rob0> https://github.com/QueuingKoala has some example Netfilter/iptables rulesets.
10:21 <@vpnHelper> Title: QueuingKoala (Josh Cepek) · GitHub (at github.com)
10:22 < rob0> !iptables
10:22 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
10:22 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
10:23 < rob0> Ask in an Ubuntu place about how to use/control the rulesets they provide.
10:24 < ildefonso> fellayaboy, look, you need to learn Linux firewall, I could help with more specific issues (very busy atm), but at this point you really need to go and understand how the firewall works.  Check netfilter resources, howtos, play a bit with it.
10:27 < fellayaboy> wow thanks man ok
10:27 < fellayaboy> i definitely need to train myself on this
10:28 -!- Poster [~poster@cpe-173-88-31-131.columbus.res.rr.com] has quit [Read error: Connection reset by peer]
10:29 -!- Poster [~poster@cpe-173-88-31-131.columbus.res.rr.com] has joined #openvpn
10:31 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:33 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
10:36 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:39 < ildefonso> fellayaboy, didn't mean to be rude, we all have been newbies at some point, but I am really busy right now to explain all the necessary details about the firewall.
10:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
10:42 < fellayaboy> ok no proble ildefonso
10:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
10:54 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
11:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
11:03 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Remote host closed the connection]
11:05 < Macer> hm. i was able to connect to it. seems like it was an ip issue
11:05 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
11:05 < Macer> but now that i can connect to it (using tap) i can't seem to ping outside the network using the vpn as the gateway
11:05 < Macer> but i can hit the local side including the local dns on the remote side
11:11 < Macer> i'm at a loss
11:11 < Macer> i can't figure out where the routing is messed up
11:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
11:13 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:18 < Macer> server-bridge 192.168.1.17 255.255.255.0 192.168.1.50 192.168.1.99
11:18 < Macer> is that just wrong or something
11:18 < Macer> 17 is the vpn server with the ip range of 50-99 for the ips for clients
11:19 < Macer> am i supposed to add more routing information?
11:19 -!- navaismo [~navaismo@200-52-45-221.dynamic.axtel.net] has joined #openvpn
11:19 < Macer> i can connect to it. ping the local IPs but the clients can't get out to the internet via the vpn
11:19 < Macer> and i can't figure out why :/
11:22 < navaismo> Hello, does anyone know how can I generate a certificate and key using md5 only? usually I use the easy-rsa scripts to do it. It use the SHA256 method in the openssl-X.X.X.cnf, but i have some clients that only support MD5 so i don't know how to create it with md5 without modifying the openssl-X.X.X.cnf files.
11:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 264 seconds]
11:46 < Poster> Macer: you likely need NAT on the OpenVPN server side, what OS is the OpenVPN server?
11:50 -!- antihero is now known as ratsupremacy
11:56 < Macer> ubuntu server
11:56 < Macer> i seem to have gotten it working
11:56 < Macer> and have no idea how
11:56 < Macer> but the client seems to be routing through the vpn for all traffic and now it can ping outside the local subnet
12:00 -!- Latrina [~Latrina@ppp-158-33.26-151.libero.it] has quit [Ping timeout: 240 seconds]
12:00 < Macer> i suppose maybe when i enabled pkg fwding?
12:01 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
12:01 < Poster> yeah that is important
12:01 < Poster> make sure you preserve it by editing /etc/sysctl.conf
12:01 < Poster> should be something near: net.ipv4.ip_forward = 1
12:06 < Macer> yeah i did
12:07 < Macer> hm. browsing through the vpn seems a bit sluggiish tho
12:07 < Macer> then again it could be this crapernet tether :)
12:11 < Poster> it will be, you have to traverse the Internet to get to your OpenVPN host and then back out to get to your ultimate destination
12:11 < Poster> plus there's a fair chance the OpenVPN host has limited bandwidth in one direction if it is on some type of cable or DSL line with asymetric upload/download speeds
12:13 < Poster> say your remote line is 1.5 megabit down, 256 kilobit up, you will see, at max, somewhat under 256 kilobit to your OpenVPN client
12:13 < Macer> i have a pretty decent connection
12:13 < Macer> 8/16
12:13 < Macer> faster than my tether to say the least ;)
12:14 < Poster> oh, then yeah your tether is likely the limiting factor
12:16 < Macer> hm. it seems like there is a lot of slowness
12:16 < Macer> i mean i can give you the latency... but this is slime slow
12:17 < Macer> i don't even know if facebook is working heh
12:19 < Poster> are you able to ping out to the Internet via the OpenVPN link?
12:25 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
12:25 < Macer> yes
12:26 < Poster> what does the latency look like?
12:26 < Macer> 64 bytes from edge-star-shv-13-frc1.facebook.com (173.252.110.27): icmp_seq=1 ttl=82 time=147 ms
12:26 < Macer> decent
12:26 < Poster> hrmm yeah
12:26 < Macer> it is getting hung up somewhere
12:28 < Poster> wonder if you're catching a clipped MTU
12:28 < Poster> is the client a Windows host?
12:29 < Macer> no
12:29 < Macer> linux
12:29 < Macer> running ubuntu
12:30 < Macer> it's not a speed issue either
12:30 < Macer> i just downloaded a few mp3s @ 400K/s
12:33 < Poster> try: ping -s 1472 www.yahoo.com
12:34 < Macer> seems to be just sitting there
12:34 < Poster> was that mp3 download from the Internet or from the OpenVPN server/local network?
12:35 < Macer> (192.168.1.17): icmp_seq=23 Redirect Host(New nexthop: incognito.scientiam.org (192.168.1.17))
12:35 < Macer> thatw as from a local ip over the vpn
12:35 < Macer> i'm goin tto try to download something from onedrive in a minute
12:35 < Macer> it started to work but took a minute
12:37 < Poster> if you run a traceroute somewhere, is 192.168.1.17 your first hop?
12:37 < Macer> it's weird. it's like the websites are just slacking off heh
12:37 < Macer> yes
12:37 < Macer>  1  incognito.scientiam.org (192.168.1.17)  126.406 ms  142.192 ms  143.181 ms
12:37 < Macer>  2  router.scientiam.org (192.168.1.1)  143.196 ms  143.199 ms  143.201 ms
12:38 < Macer> maybe i have some funky cache issues. let me reboot and connect to the vpn again
12:41 < Poster> you can try backing down the ping size until you get a value that passes
12:42 < Macer> oh i'm sorry. the pings started to hit yahoo
12:42 < Macer> just took a few sec
12:42 < Poster> if you have some type of tethering protocol (PPoE, for example) your native MTU may be shrunk then again by the encryption overhead of OpenVPN, could be a smallish number by the time it makes it through
12:42 < Poster> ok that being the case I'd suggest verifying proper, speedy name resolution
12:42 < Macer> the dns works ;)
12:42 < Poster> how fast are the responses?
12:42 < Macer> fast
12:43 < Macer> like split second. i'm running a local dns on the remote end
12:43 < Macer> using that as my dns on the client
12:43 < Poster> eg; dig www.google.com | grep 'Query time'
12:43 < Macer> 191ms
12:43 < Poster> ok still fairly good
12:44 < Macer> let me try a website again
12:44 < Macer> facebook seems especially broken heh
12:44 < Macer> yeah. like i'm trying to connect to fb in ff and it just is hanging there
12:45 < Macer> but i can ping and i can hit anywhere on the internet
12:45 < Macer> weird
12:45 < Poster> I was going to suggest a wget, maybe
12:45 < Poster> wget http://mirror.anl.gov/pub/ubuntu-iso/CDs/14.04/ubuntu-14.04-desktop-i386.iso
12:45 < Poster> see how that goes
12:46 < Macer> hovering around 300K/s from a term
12:46 < Macer> 300-400K
12:46 -!- fellayaboy [~fellayabo@unaffiliated/fellayaboy] has left #openvpn ["Leaving"]
12:46 < Macer> could it be that these sites have some sort of vpn/proxy detection?
12:47 < Macer>  2% [==>                                                                                                   ] 30,385,498   362KB/s  eta 45m 14s^C
12:47 < Macer> it was going pretty decent tho
12:47 < Macer> doesn't seem like a speed issue
12:50 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
12:50 < ildefonso> Macer, VPN is almost impossible to detect, and I don't think fb would care about that :P
12:50 < Macer> ildefonso: just saying heh
12:51 < Macer> i have no idea what is wrong.. but web sites seem to half load.. google will load its first page then the actual search is stuck
12:51 < ildefonso> Macer, I bet it is MTU thing, if you are just testing, try "fragment 384" or something like that.
12:53 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
12:53 < Macer> on the client side?
12:54 < Macer> do you mean for the mtu or for the udp pkt size?
12:54 < ildefonso> Macer, on OpenVPN configurations, on both, client AND server, add  "fragment 384"
12:54 < ildefonso> Macer, bear in mind this will break connection for *any* other clients connecting.
12:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:55 < ildefonso> Macer, that's why I was telling you to only try that if you are just testing.
12:56 < Macer> yeah it's just the one
12:56 < Macer> but on the client i'm using the ubuntu network manager
12:57 < Macer> the client has 2 places .. one says udp fragment and the other is mtu.. i'm guessing i should lower the mtu to 384 or are you talking about the udp fragmenting?
12:59 < ildefonso> Macer, fragmenting.
13:02 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]
13:03 < Macer> ah well...
13:03 < Macer> that seems to have done the trick :)
13:03 < ildefonso> Macer, is that a 3G or similar connection?
13:03 < Macer> 4G yes
13:04 < ildefonso> Macer, in my experience, these use to have broken MTU paths, not sure on why :(
13:04 < ildefonso> Macer, I usually end up adding fragment 384 (just some made-up small number).
13:04 < Macer> haha
13:04 < Macer> so what happens when you use tcp?
13:04 < Macer> the only option for fragmenting in the network manager is "UDP Fragment"
13:05 < Macer> wow... it's seriously flying now
13:05 < Macer> maybe due to the lzo compression? seems a lot zippier than non-vpn
13:06 < Macer> awesome. thanks so so much
13:07 < Poster> I think lzo is relatively fast/light
13:07 < Poster> my guess is that you were hitting some MTU limitation somewhere in the chain
13:08 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
13:08 < Macer> does the low fragmentation really affect performance?
13:09 < Macer> do i edge it up little by little or something? i'm mostly going to be use it tethered
13:10 < Poster> you can, generally one of two things happen, if the frame exceeds the smallest MTU, a fragmentation needed ICMP message is sent.  In a perfect world this would be received, honored and the larger payload broken into smaller pieces.  Some firewall systems may block this, when blocked, the fragmentation needed request never makes it and things seem to simply "die"
13:11 < Poster> it's also possible, though unlikely your frames had the don't fragment bit set, which prohibits the fragementation from being sent at all
13:12 < Poster> in any event, ildefonso has you going in the right direction, you can try slowly increasing the size until issue return
13:12 < Macer> well thanks a ton :) seems to be working great now.
13:13 < Poster> np!
13:26 < navaismo> (msg repeated)Hello, does anyone know how can I generate a certificate and key using md5 only? usually I use the easy-rsa scripts to do it. It use the SHA256 method in the openssl-X.X.X.cnf, but i have some clients that only support MD5 so i don't know how to create it with md5 without modifying the openssl-X.X.X.cnf files.
13:30 < rob0> yeah I saw that question awhile ago, and it confuses me, because it seems it contains the answer?
13:31 < rob0> modify the openssl.cnf file?
13:32 < navaismo> yeah, but i dont want other clients use md5 like Windows or Linux clients since they can support sha256
13:32 < rob0> modify it back? Or maintain two copies, switch off with a symlink?
13:33 -!- u0m3 [~u0m3@92.80.122.72] has joined #openvpn
13:33 < rob0> There may be a cleaner way, like to have sections within the file and use some openssl command line option to select sections
13:34 < navaismo> I was wondering if the easy-rsa scripts use openssl and set the method in it, so i can use it
13:34 < rob0> unfortunately no one (not even openssl developers) really know how to do that :)
13:34 < rob0> of course, easy-rsa is just a frontend to openssl
13:35 < navaismo> ok
13:36 -!- u0m3 [~u0m3@92.80.122.72] has quit [Read error: Connection reset by peer]
13:40 -!- u0m3 [~u0m3@92.80.122.72] has joined #openvpn
13:43 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
13:55 < ildefonso> navaismo, using md5 is a really bad idea, md5 is considered weak now, you should really be using at least sha1.
13:56 < navaismo> yes thats why i need to separate the old client to use only md5 and the other can handle sha256
13:57 < ildefonso> navaismo, what I mean is that you should get those clients updated, there is real risk involved.
13:57 < c0mrade_> What does that mean?
13:58 < c0mrade_> , name=server, emailAddress=root@paratodosweb.tk
13:58 < c0mrade_> Tue May 27 21:56:18 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
13:58 < c0mrade_> Tue May 27 21:56:18 2014 TLS Error: TLS object -> incoming plaintext read error
13:58 < c0mrade_> Tue May 27 21:56:18 2014 TLS Error: TLS handshake failed
13:58 < navaismo> is the only method that those phones support the manufacturer is not going to add a new method
14:00 < c0mrade_> Does anyone here has experience in setting up OpenVPN in a CentOS Virtual Private server that uses OpenVZ?
14:00 < ildefonso> navaismo, sigh.... then these should be replaced, unless you don't care about security (md5 is weak, but requires some effort, so, it is at least better than nothing, but the risk will be there).
14:01 < navaismo> yep
14:02 < ildefonso> c0mrade_, that error is not related to that being in a VM, the cert is not passing validation, maybe it is not (yet) valid (date/time differences in the server), or you are using the wrong certificate authority certificate for verifying.... and OpenVZ is not the best for this (I know there are limitations, and I just used a KVM-based VM instead).
14:06 < c0mrade_> I have this VPS up and running.
14:06 < c0mrade_> I can't switch to another one.
14:06 < c0mrade_> I have enabled TUN/TAP successfully.
14:07 < c0mrade_> Opened port 1194/udp.
14:07 < c0mrade_> Etc...
14:07 < c0mrade_> I can provide remote access to my PC, can you check it?
14:08 < c0mrade_> Or anyone.
14:20 -!- justinzane [~justinzan@host-69-59-81-22.nctv.com] has quit [Ping timeout: 276 seconds]
14:25 -!- justinzane [~justinzan@67.21.190.53] has joined #openvpn
14:26 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:27 -!- Dry_Lips [~cuneiform@unaffiliated/dry-lips/x-3531376] has left #openvpn ["Whoops"]
14:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Excess Flood]
14:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:44 < pEYEd> web services are failing such as www and email server behind my NAT/VPN network. Inbound traffic reaches the vpn client/web server or email, but return traffic goes out the eth0 interface instead of tun0. How do I force all traffic to the VPN tunnel?  http://paste.ee/p/QhrVI
14:46 < c0mrade_> Um...
14:46 < c0mrade_> Anyone interested in an offer?
14:46 < pEYEd> my routes appear to be reaching the client correctly  http://paste.ee/p/E1wke
14:47 < c0mrade_> I got teamviewer on my pc I can give remote access to my pc. Just guide me on how to setup openvpn on my CentOS 5.10 Virtual Private Server (OpenVZ/virtuozzo) and I will offer you a cPanel account for one month...
14:47 < c0mrade_> Anyone?
14:50 < pEYEd> c0mrade_ what's wrong?
14:50 < ildefonso> c0mrade_, the error message you posted is a certificates error, have you verified certificates?
14:50 < c0mrade_> Um.
14:50 < c0mrade_> I messed up with a lot of configs.
14:50 < c0mrade_> And IPs
14:50 < c0mrade_> And stuff.
14:51 < c0mrade_> It's now confusing to me and I don't know where to start.
14:51 < c0mrade_> If someone will be able to help.
14:51 < c0mrade_> I will offer him a cPanel account.
14:53 < c0mrade_> Also I can setup a free domain for you unless you have a domain name or you want to buy one.
14:56 < ildefonso> c0mrade_, just focus on your setup, firstly, you can just revert all of your changes, and keep it simple, ie: star with a really basic vpn configuration (try PSK first), once you have that working, you start complicating things.
14:58 < c0mrade_> Can someone take a look remotely?
15:00 < pEYEd> c0mrade_ http://bpaste.net a copy of your openvpn.conf
15:01 <@krzee> !goal
15:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:08 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
15:09 < c0mrade_> pEYEd: http://bpaste.net/show/glRAOKTvtEpTm4pTlpWH/
15:11 -!- nessa [~nessa@vbo1.inmotionhosting.com] has joined #openvpn
15:11 -!- nessa [~nessa@vbo1.inmotionhosting.com] has left #openvpn []
15:14 < pEYEd> c0mrade_ where are the certs located on your server?
15:14 < c0mrade_> Um.
15:14 < c0mrade_> You mean.
15:14 -!- Slagwag [~Slagwag@ec2-54-243-204-28.compute-1.amazonaws.com] has joined #openvpn
15:14 < c0mrade_> ca.crt?
15:15 < pEYEd> server.key dh1024.pem etc..
15:16 < c0mrade_> Hmmm. One moment.
15:19 < c0mrade_> http://bpaste.net/show/Blz6NRLur65gXZm2542k/
15:24 < pEYEd> do you have access to your log files?
15:24 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:24 < c0mrade_> I have root access.
15:24 < c0mrade_> What log files?
15:26 <@krzee> !logfile
15:26 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
15:28 < pEYEd> which os?
15:30 < c0mrade_> Which OS is my VPS using?
15:30 < pEYEd> yes
15:31 < c0mrade_> Linux CentOS 5.10 32-bit on OpenVZ/Virtuozzo
15:33 < pEYEd> bpaste.net a copy of 'ls /var/log/'
15:35 < c0mrade_> http://bpaste.net/show/ncgeDV1zFkxtG0btTxsK/
15:37 -!- navaismo [~navaismo@200-52-45-221.dynamic.axtel.net] has left #openvpn ["Leaving"]
15:38 < pEYEd> first, in your openvpn.conf, change your certnames to /path/certname, based on this http://bpaste.net/show/Blz6NRLur65gXZm2542k/  you path is either /etc/openvpn/easy-rsa/2.0/keys/  or  /etc/openvpn/
15:38 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
15:39 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
15:41 -!- Redjon [~IceChat77@h8.83.184.173.dynamic.ip.windstream.net] has joined #openvpn
15:41 < pEYEd> next do a tail -f /var/log/messages  in terminal, change verb 3 to verb 5 and restart the vpn server. look for errors in messages
15:42 < c0mrade_> Okay.
15:42 < c0mrade_> certnames
15:42 < Redjon> I have some basic questions regarding VPNBook and OpenVPN and how to set it up/configure, The UI seems to be missing.
15:44 < c0mrade_> Like.
15:44 < c0mrade_> There are three lines.
15:44 < c0mrade_> ca ca.crt
15:44 < c0mrade_> cert server.crt
15:44 < pEYEd> Redjon I never knew openvpn had a UI
15:44 < c0mrade_> key server.key
15:45 < Redjon> I was following the guide on its site, i don't know what else to call it, The guide shows a UI.
15:45 < Redjon> http://www.vpnbook.com/howto/setup-openvpn-on-windows7
15:45 < c0mrade_> pEYEd: So I should put:
15:45 <@vpnHelper> Title: How To Set Up OpenVPN on Windows 7 (at www.vpnbook.com)
15:45 < c0mrade_> ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
15:45 < c0mrade_> ??
15:46 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:46 < pEYEd> c0mrade_ yes
15:50 < Redjon> outdated guide?
15:51 < pEYEd> I never use windows
15:52 < c0mrade_> pEYEd: When I've done that.
15:52 < c0mrade_> Not it failed to start.
15:52 < c0mrade_> :P
15:52 < c0mrade_> service openvpn start [FAILED]
15:52 < c0mrade_> :P
15:53 < pEYEd> what verb setting is it on?
15:53 < c0mrade_> I've put it to 5 like you said.
15:53 < pEYEd> bpaste.net the entire log output from tail
15:53 < pEYEd> related to openvpn that is
15:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:54 < pEYEd> it should of dumped a ton of stuff on your screen
15:54 < c0mrade_> Hmmm...
15:54 < c0mrade_> One moment.
15:54 < Redjon> anyone who does use windows around?
15:56 -!- mattock is now known as mattock_afk
15:57 < c0mrade_> Um.
15:57 < c0mrade_> I can see that it cannot load certificate file
15:57 < c0mrade_> because
15:57 < c0mrade_> server.crt no such file or directory.
15:59 < pEYEd> c0mrade_ try the other directory
15:59 < c0mrade_> Done
15:59 < c0mrade_> :)
16:00 < c0mrade_> STARTED.
16:00 < c0mrade_> :D
16:04 -!- dazo is now known as dazo_afk
16:05 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit [Ping timeout: 252 seconds]
16:06 -!- c0mrade__ [~c0mrade@unaffiliated/c0mrade/x-1816193] has joined #openvpn
16:06 < c0mrade__> Um.
16:07 < c0mrade__> Now I am getting.
16:07 < c0mrade__> http://bpaste.net/show/6XlH6n5H7nA9wXWXYVbf/
16:08 < c0mrade__> VERIFY ERROR: depth=0, error=unable to get local issuer certificate:
16:08 < c0mrade__> bla bla bla
16:09 < pEYEd> the issuer failed you. did the cert expire?
16:10 < c0mrade__> How to check that?
16:11 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:13 < pekster> Sounds like you signed it with a different CA than you're using to verify
16:13 < pekster> !intro-to-pki
16:13 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
16:14 < pekster> ^ You might read that document for a brief introduction to how PKI works
16:14 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:15 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
16:25 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Quit: elfixit]
16:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:28 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:31 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 265 seconds]
16:55 < pEYEd> I think my tun interface is borked somehow. I see traffic come down the tnnel and hit my email server interface, but it is though there is a firewall (iptables is verified shut down). I can send/recieve email normally if I conncet directly to the eth0.
16:55 -!- Redjon [~IceChat77@h8.83.184.173.dynamic.ip.windstream.net] has quit [Quit: He who laughs last, thinks slowest]
16:56 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has joined #openvpn
16:57 < pEYEd> the client and server configs worked normal prior to update http://bpaste.net/show/U7dplbYZ6ONR83WaRxbi/
17:02 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
17:03 < pEYEd> weird http://bpaste.net/show/brGBFZLRWG3HH6jSr0ur/
17:09 -!- joshh20-Away is now known as joshh20
17:11 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
17:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:12 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has quit [Quit: Leaving]
17:15 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:20 -!- c0mrade__ [~c0mrade@unaffiliated/c0mrade/x-1816193] has quit []
17:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:49 < pekster> pEYEd: Looks like you've got asymmetric routing going on, or firewall problems
17:57 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
17:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:02 < pEYEd> pekster firewall is verified shutdown
18:03 < pekster> Why are you receiveing public IP traffic over your tun device?
18:03 < pekster> Where is your other config file?
18:03 < pekster> Why didn't you run the one you linked through the posted grep to remove the crap?
18:03 < pEYEd> I was thinking a cert issue. but just watched the entire ssl/tls run without a hitch on the eth0 interface. tun0, everything fails like a firewall.
18:04 < pEYEd> pekster NAT on the front end
18:04 < pekster> And that's your problem
18:05 < pekster> You have asymmetric routing. You either need to route _all_ (yes, _all_ ) Internet traffic back across the VPN, or policy route
18:05 < pEYEd> what is?
18:05 < pekster> Reply traffic uses your routin tables, which will not go back out the tun device. Which is why you don't see it. And the original target will throw away the rely from "some other" IP
18:06 < pekster> What OS is your client?
18:06 < pekster> (VPN client)
18:08 < pEYEd> traffic goes from router to VPN server and down a 200 miles tunnel perfectly. It his the tun interface and dies.
18:08 < pekster> Becuase you don't undersatnd advanced routing and are attempting to multi-home your client
18:09 < pEYEd> routing table for device at point of death  http://bpaste.net/show/y1DGlGUd7l9Yh3E5XpvJ/
18:09 < pekster> Right. asymmetric routing
18:09 < pekster> What OS is this?
18:09 < pekster> (or is that a secreT?)
18:09 < pEYEd> gentoo
18:09 < pEYEd> and ip_fwd is initialized
18:09 < pekster> So policy route, or redirect all internet traffic via tun0
18:09 < pekster> Dude, stop and listen
18:10 < pekster> You have an _advanced_ routing setup. I've given you 2 options to fix it. I have a document that introduces policy routing, but if you don't understand it, ##networking or a basic network course might be a better idea
18:10 < pekster> Some info I have on policy routing for Linux endpoints here: https://github.com/QueuingKoala/network-concepts/tree/master/multi-uplink-linux
18:10 <@vpnHelper> Title: network-concepts/multi-uplink-linux at master · QueuingKoala/network-concepts · GitHub (at github.com)
18:11 < pEYEd> pekster I am not doing any policy routing, it's all static
18:11 -!- gbit [~chatzilla@unaffiliated/gbit] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 29.0.1/20140506152807]]
18:11 < pekster> Which is why it's broken
18:11 < pEYEd> I don't need policy routing. your crazy on a one to one mapping.
18:12 < pekster> Of course, that would require bothering to read my document
18:12 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:12 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 264 seconds]
18:12 < pEYEd> this is a basic networking function , rx
18:13 < pEYEd> has nothing to do with policy routing.
18:13 < pEYEd> at all.
18:13 < pEYEd> just rx
18:13 < pekster> Troll elsewhere please
18:15 < pEYEd> we don't even have layer 1 confirmed and you're on layer 2
18:16 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:18 < pekster> Argue all you want, I'm well-aware why it's broken and you seem to think you have all the answers. I don't really care if you get your problem fixed or not
18:18 < rob0> I do! But not enough to scroll up and see what's going on. :)
18:19 -!- swebb is now known as zz_swebb
18:19 < rob0> I can of course vouch for the pekster :)
18:20 < pekster> rob0: that policy routing link might be useful to you in the future for use as a reference
18:20 < pekster> I got sick of explaining it here and in #Netfilter, so I wrote that up
18:24 < rob0> pekster, yeah, I will look at it later if I get a chance
18:24 < rob0> thanks
18:29 -!- pEYEd [~bastard@ool-2f147c48.dyn.optonline.net] has left #openvpn []
18:30 < Saul775> Hmm… I'm still a little new to OpenVPN and networking in general.  I live in the mountains and have my Internet "beamed" to me.  Because of this, I'm NATed.  I'd like to access my home computer every once and a while without tools such as LogMeIn, so I'm trying OpenVPN.  I have a server that is going to act as a router and forward all traffic to my home computer.  Should I be using TUN or TAP?
18:36 < pekster> Saul775: tun. And you'll need to establish the outbound connection from your home to your server, and expose your home LAN. You want to first get a working VPN setup (read: !howto for links) and then you want to follow the steps/flowchart at !clientlan
18:37 < Saul775> Yes, that's what I was thinking I would have to do.
18:37 < Saul775> Thank you -- once again -- pekster.  You're very helpful.
18:39 < Saul775> !howto
18:39 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
18:40 < Saul775> !clientlan
18:40 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
18:40 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
18:44 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
18:46 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
18:48 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:55 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
18:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:01 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
19:38 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:52 -!- joshh20 is now known as joshh20-Away
19:55 -!- zz_swebb is now known as swebb
20:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 240 seconds]
20:10 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
20:13 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
20:13 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
20:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
20:48 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
21:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
21:12 -!- ildefonso [~ilde123@201.185.229.85] has quit [Quit: Leaving]
21:24 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
21:33 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
21:33 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
21:34 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
21:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:03 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
22:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
22:08 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
22:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:31 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
22:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:46 -!- mode/#openvpn [+o syzzer] by ChanServ
22:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
22:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:58 -!- mode/#openvpn [+o syzzer] by ChanServ
23:00 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
23:01 -!- max__ [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
23:01 -!- max__ is now known as Synthead
23:17 -!- ntfwc [~ntfwc@c-107-2-116-154.hsd1.mn.comcast.net] has joined #openvpn
23:18 < ntfwc> !welcome
23:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:18 < ntfwc> !route
23:18 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
23:22 < ntfwc> !goal
23:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:23 < ntfwc> I would like to make a virtualbox guest openvpn server reachable from systems other than the host.
23:31 < ntfwc> I am using NAT, and I have port forwarded. The server hears non-host requests, but looking at tcpdump on the host, those requests go completely unanswered.
23:32 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
23:34 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has joined #openvpn
23:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
23:50 -!- ShadniX [dagger@p5DDFDE17.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:52 -!- ShadniX [dagger@p5481D619.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed May 28 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:08 -!- qwertyoruiop [~hax@93.174.90.31] has quit [Ping timeout: 245 seconds]
00:12 < ntfwc> nvm. I have no idea what I tripped over, but everything is working now, I guess.
00:44 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:44 -!- ntfwc [~ntfwc@c-107-2-116-154.hsd1.mn.comcast.net] has left #openvpn ["Konversation terminated!"]
00:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 258 seconds]
01:26 -!- mattock_afk is now known as mattock
01:46 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:59 -!- DARPA [~user@unaffiliated/lysergide] has joined #openvpn
02:00 < DARPA> Hello, I'm just asking for a quick guide that specifically helps me install the openvpn client on Debian Stable [willing to use a 3rd party utility perhaps even]
02:00 < DARPA> Not trying to deploy a server just the client...
02:01 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:01 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:01 -!- mattock_afk is now known as mattock
02:06 < DARPA> Attempting to run the OpenVPN client on Debian [stable], I know about the rebooting scheme but even after that it does not connect at all to the VPNs I import [which are functional, on Android & Windows]
02:11 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 245 seconds]
02:13 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
02:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:22 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
02:26 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 256 seconds]
02:35 -!- alias_neo [~AndChat16@213.205.240.42] has joined #openvpn
02:44 < alias_neo> Hi all Amy chance someone could help point me in the right direction please? I've set up openvpn on my raspberry pi I can access the Internet, the openvpn box and the remote gateway and one other remote machine , but not the other remote machine. I've got a static route in my router from VPN subnet to VPN box lan address and I've messed with iptables for hours
02:45 < DARPA> Just curious, are you running any sort of system firewalls?
02:46 -!- alias_neo [~AndChat16@213.205.240.42] has quit [Read error: Connection reset by peer]
02:47 -!- alias_neo [~AndChat16@213.205.241.170] has joined #openvpn
02:47 -!- alias_neo [~AndChat16@213.205.241.170] has quit [Read error: Connection reset by peer]
02:48 -!- alias_neo [~AndChat16@213.205.241.170] has joined #openvpn
02:51 < alias_neo> Anyone?
02:53 < DARPA> I'm here, alias; don't think anyone else is.
02:53 < DARPA> alias_neo *
02:54 -!- alias_neo [~AndChat16@213.205.241.170] has quit [Read error: Connection reset by peer]
02:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
02:54 -!- stemid [~avatar@ns4.sydit.se] has left #openvpn []
02:58 -!- alias_neo [~AndChat16@213.205.240.170] has joined #openvpn
03:00 < alias_neo> My remote lan is 192.168.0.x, VPN subnet is 10.8.0.x ,I can get to 192.168.0.42 (random machine) but not 192.168.0.2 (other random machine)
03:01 < alias_neo> I've allowed all forwards
03:01 < alias_neo> In the raspberry pi iptables
03:02 < alias_neo> Logs show nothing of use
03:02 < alias_neo> Is there a way to properly pin down the issue?
03:04 < DARPA> Just curious do you know a method to allow 'any' connection from the subnet at hand
03:04 < DARPA> i think that would definitely help out
03:05 < DARPA> 192.168.0.*
03:05 < DARPA> for instance
03:05 < DARPA> * being anything from 1-254
03:06 < DARPA> I see you used 10.8.0.x, might be what you need, not certain though I'm sorry.
03:06 < DARPA> 192.168.0.x
03:06 < alias_neo> I set it to allow the entire subnet which is why I'm confused only certain machines work
03:07 < alias_neo> Or rather 1 certain machine
03:08 < DARPA> Perhaps you have some setting disallowing the transference of packets to be received/delivered
03:08 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
03:08 < DARPA> on the remote machine stated which is not operating
03:08 < c0mrade_> OpenVPN keeps restarting for inactivity.
03:08 < c0mrade_> How to solve this?
03:09 < DARPA> A ping deployment I'm presuming
03:09 < DARPA> Set it to ping the server a few times every minute
03:09 < DARPA> that way the connection doesnt just fall off due to inactivity
03:09 < c0mrade_> Is there some other solution.
03:09 < c0mrade_> Like a timeout value that I can modify in the configs or something?
03:10 < DARPA> I'm only guessing, but maybe you have an improper configuration perhaps with that particular VPN
03:10 < DARPA> Are you certain it is your machine doing the disconnection or foreign one?
03:10 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:10 < c0mrade_> I am checking the logs...
03:11 < c0mrade_> Wed May 28 11:07:39 2014 [server] Inactivity timeout (--ping-restart), restarting
03:11 < c0mrade_> Wed May 28 11:07:39 2014 SIGUSR1[soft,ping-restart] received, process restarting
03:11 < c0mrade_> Wed May 28 11:07:39 2014 MANAGEMENT: >STATE:1401264459,RECONNECTING,ping-restart,,
03:11 < c0mrade_> Wed May 28 11:07:39 2014 Restart pause, 2 second(s)
03:11 < DARPA> Seems like its a server msg [foreign]?
03:11 < c0mrade_> What do you mean?
03:12 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 276 seconds]
03:12 < DARPA> you see how it says ping-restart
03:12 < c0mrade_> --ping-restart
03:12 < c0mrade_> Yeah.
03:12 < DARPA> i believe your vpn knocks you off due to inactivity purposefully
03:12 < c0mrade_> What does that mean?
03:12 < DARPA> to save bandwidth
03:12 < DARPA> Not connected; no activity, drops connection...
03:12 < DARPA> well connected*
03:12 < DARPA> sorry.
03:12 < c0mrade_> Yeah.
03:13 < DARPA> So I'd recommend you ping the server, and maybe a few more, every minute or 5
03:13 < DARPA> to make it seem like you're actually still using the connection allowing some packets to float through
03:13 < alias_neo> It shouldn't be I can usually access the other machine from lan and with forwarding ports  wan too , it's only from the VPN I can't access it
03:14 < c0mrade_> Well my OpenVPN server is installed on a CentOS 5.10 32-bit Virtual Private Server online with a public IP address and the VPS uses OpenVZ/Vrituozzo for virtualization. I've done all the setup. Like enabled TUN/TAP, setup NAT with iptables, setup routing setup openvpn configs/certificates etc...
03:14 < DARPA> Is this your server or is it a remote one?
03:14 < c0mrade_> After some time I was able to connect but now getting disconnected everytime.
03:15 < c0mrade_> DARPA it's a remote server a VPS that I purchased actually.
03:15 < DARPA> Yeah, I'd think personally, that since they're providing/serving a VPS, that they'd initially knock you off just because of bandwidth clauses
03:15 < c0mrade_> Hmm....
03:15 < DARPA> you might want to actually call the provider and ask them to fix this
03:15 < c0mrade_> Bandwidth is 50GB.
03:16 < DARPA> because it may not even be your configuration at fault but their deployment rules.
03:16 < c0mrade_> At the hosting company.
03:16 < c0mrade_> RAM 512 MBs.
03:16 < DARPA> Yeah I'd give them a ring myself, in an angered manner.. Lol.
03:16 < c0mrade_> Na.
03:16 -!- euphoria360 [~euphoria3@2.191.39.249] has joined #openvpn
03:16 < c0mrade_> I am still not sure that the issue is from them.
03:16 < alias_neo> Any more ideas? My server configuration is pushing the remote lan subnet and mask and has ip forwarding enabled
03:17 < DARPA> You're running port forwarding rules and such with the other machines, those utilities might actually have some better reassurance in keeping connectivity because a port is forwarded, might on constant ping probe status so it doesnt fall out of sync with the server
03:17 < euphoria360> !factoids
03:17 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
03:18 < DARPA> An active connection, rather than passive; which can be calculated by the remote VPS [servers/company]
03:19 < DARPA> Machine 3 might not be using such features so it's not equipped to sustain the connection since it's not being utilized by a 3rd party connection tool
03:19 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
03:19 < DARPA> though i may be wrong, consult with the actual corporation/entity about the issue, they might resolve it way quicker than these quirky ideas
03:19 < DARPA> I just know ping probes usually keep a connection in place.
03:20 < alias_neo> If I post config do I just dump the content in the channel or attach files?
03:20 < DARPA> Making your PC seem active online instead of just 'on'
03:20 < c0mrade_> Um.
03:20 < DARPA> I wouldnt be too much help in that department unfortunely, hopefully you can ask someone else.
03:20 < c0mrade_> Currently I am pinging the vpn server constantly.
03:20 < DARPA> I'm a novice to OpenVPN configuration
03:20 < c0mrade_> ping -t vnp_ip
03:20 < c0mrade_> to see if it will ever disconnect.
03:21 < alias_neo> No prob
03:21 < DARPA> Exactly.
03:21 < DARPA> That should work just fine, if it doesn't try the calling VPS idea themselves, and if they're giving you any problems
03:21 < DARPA> do a relay check system manually installed on both ends to allow packets to be sent back and forth
03:21 < DARPA> shouldnt be a issue with trial #3 suggestion
03:22 < DARPA> A crafted packet that loops both ways should be suffice to hold connectivity.
03:23 < c0mrade_> Hmm..
03:23 < c0mrade_> I'd better look at configs and see if there's an option within openvpn to do that.
03:23 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:23 < c0mrade_> I there should be.
03:23 < DARPA> Ping A>B & B>A
03:23 < DARPA> A lot of things should be. For sure.
03:23 < c0mrade_> Hmmm....
03:24 < DARPA> Sometimes it's just our human nature to not know a certain mechanism in protocols. Lol.
03:24 < c0mrade_> It didn't disconnect until now...
03:24 < DARPA> It disconnect however?
03:24 < c0mrade_> Looks good for the moment. I will keep monitoring it.
03:25 < DARPA> I am sorry to both c0mrade_  @ alias_neo, for some reason your questions were colliding in my head as the same person
03:25 < DARPA> Kind of tired.
03:25 < DARPA> When I used to use "NetZero" in the 90s. It'd kick me off due to inactivity.
03:25 < c0mrade_> Hehe.
03:25 < DARPA> I'd keep a stream open to keep it awake
03:26 < c0mrade_> I am still connected :D
03:26 < DARPA> Tada :)
03:26 < DARPA> lol
03:26 < DARPA> Let's hope now that they don't find your performance to be an issue, and completely block the method of connectivity
03:26 < DARPA> You can always for sure ping something like google's dns
03:26 < DARPA> instead of the initial server, or run browser scripts that reset
03:27 < DARPA> but this vps has a bandwidth clause right?
03:28 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
03:29 < c0mrade_> Googles DNS...
03:30 < c0mrade_> But will the ping go through my internet connection or through the VPS internet connection?
03:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:40 < alias_neo> No worries DARPA
03:43 -!- alias_neo [~AndChat16@213.205.240.170] has quit [Quit: Bye]
03:47 -!- alias_neo [~AndChat16@213.205.240.42] has joined #openvpn
03:48 < alias_neo> Is the irc Web client not allowed to join here?
03:48 < alias_neo> It'd be easier if I could ask for help from my desktop than my android phone.
03:50 < alias_neo> !logs
03:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
03:51 < alias_neo> !logfile
03:51 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
03:52 < alias_neo> So apparently since I'm running raspbian iptables aren't installed which means my problem is routing not firewall... any help please with that?
03:55 < euphoria360> Funny!
03:55 < alias_neo> ?
03:55 < euphoria360> I had problems setting up Openvpn on my openvz centos vps
03:56 < c0mrade_> euphoria360: Like what?
03:56 < euphoria360> I came here to ask for help, but before, i said lets do it once more, i did and it worked!!
03:56 < c0mrade_> Oh okay.
03:57 < euphoria360> now I can ask for other things :D
03:57 < euphoria360> I followed this tuto: http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/
03:57 <@vpnHelper> Title: Setup And Configure OpenVPN Server On CentOS 6.5 | Unixmen (at www.unixmen.com)
03:58 < euphoria360> and now my openvpn server authenticates with client cert and key
03:58 < euphoria360> i want to change it to password based
03:58 < euphoria360> can someone tell me how?
04:02 < c0mrade_> Well I am tottaly new to OpenVPN actually :P
04:02 < c0mrade_> Although I was able to set it up.
04:02 < c0mrade_> After some time and effort.
04:05 -!- alias_neo [~AndChat16@213.205.240.42] has quit [Ping timeout: 252 seconds]
04:08 -!- DARPA [~user@unaffiliated/lysergide] has quit [Quit: Leaving]
04:16 -!- dazo_afk is now known as dazo
04:20 < defswork> euphoria360, what clients are you using ?
04:21 < defswork> euphoria360, also, you should add user auth to the existing certificate encryption - not replace it
04:22 -!- iokill [~iokill@91.114.127.102] has joined #openvpn
04:25 < euphoria360> well, mostly it is personal, but i might want to give access to friends, family. maybe sell a few
04:26 < euphoria360> also i dont know what openvpn uses as user/password database
04:28 -!- alias_neo [~AndChat16@2.28.160.73] has joined #openvpn
04:29 < alias_neo> Anybody around that may be able to help with my routing problem? Openvpn on a raspberry pi
04:31 < alias_neo> Internet access is fine and access to one remote lan client is fine but not to another
04:31 -!- iokill is now known as iokill_afk
04:32 -!- iokill_afk is now known as iokill
04:34 < alias_neo> If I ssh into the problem machine and try to ping or traceroute the VPN machines lan ip I get no route to host
04:35 < alias_neo> host Which is weird, they're on the same subnet and same physical network
04:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:41 -!- alias_neo [~AndChat16@2.28.160.73] has quit [Ping timeout: 240 seconds]
04:42 -!- Alias_Neo [~AndChat16@213.205.230.236] has joined #openvpn
04:43 < Alias_Neo> Any replies I missed?
04:44 < defswork> your raspberry pi will be on a vpn subnet - does your lan know how to get to that subnet ?
04:45 < defswork> have you told your openvpn gateway to allow subnet to client traffic ?
04:45 < defswork> do you have ip forwarding enabled on the gateway ?
04:45 < Alias_Neo> I set a static route on the gateway from 10.8.0.0 to 192.168.0.14 (pis lan address)
04:45 < defswork> are your pushing the lan subnet to the vpn client ?
04:45 < defswork> pi's lan address ? the pi isn't on the lan - it's a vpn client
04:46 < Alias_Neo> No the pi is the VPN server
04:46 < defswork> where are the clients ?
04:47 < Alias_Neo> My android phone I'm on it now
04:47 < Alias_Neo> It's remote
04:47 < defswork> 10.8.0.0 is your vpn subnet range ?
04:47 < Alias_Neo> Yep
04:47 < Alias_Neo> And 192.168.0.0 is the lan subnet
04:48 -!- _FBi [B@Aircrack-NG/User] has quit [K-Lined]
04:48 < defswork> ok - so your vpn config needs to have route 192.168.0.0 255.255.255.0 in it somewhere first
04:48 < Alias_Neo> Yep that's pushed to client
04:48 < defswork> nope
04:48 < defswork> thats a different command
04:49 < Alias_Neo> OK which command is this one? Route?
04:49 < defswork> route 192.168.0.0 255.255.255.0 tells openvpn to route that subnet to clients - i.e. allow the traffic to flow
04:49 < Alias_Neo> That's in the server conf?
04:49 < defswork> push "route 192.168.0.0 255.255.255.0" tells the client the route to the subnet
04:49 < defswork> yes
04:49 < Alias_Neo> OK brb need to ssh in and check
04:50 < defswork> without the first route command you simply have a ptp connection on the openvpn 10.8 server and client addresses onlyt
04:50 < defswork> you also need to ensure that your pi is set to route ip traffic
04:50 < defswork> /etc/sysctl.conf and set ip_forward to 1
04:51 < defswork> and to enable it immediately echo 1 > /proc/sys/net/ipv4/ip_foward
04:54 -!- Alias_Neo [~AndChat16@213.205.230.236] has quit [Ping timeout: 252 seconds]
04:57 -!- alias_neo [~AndChat16@2.28.160.73] has joined #openvpn
04:58 < alias_neo> Sorry flaky connection
04:58 < alias_neo> I already did the sysctl forwarding
05:03 < alias_neo> OK ill get disconnected now when I restart openvpn
05:08 -!- alias_neo [~AndChat16@2.28.160.73] has quit [Read error: Connection reset by peer]
05:21 -!- lkthomas [~lkthomas@n11649139179.netvigator.com] has quit [Ping timeout: 240 seconds]
05:23 < c0mrade_> I can't ping my clinet from my openvpn server.
05:23 < c0mrade_> But I can do the vise versa.
05:24 < c0mrade_> Why?
05:41 -!- alias_neo [~AndChat16@213.205.230.236] has joined #openvpn
05:42 < euphoria360> hi. can i use ncsa for authentication
05:42 < alias_neo> OK I think I killed the server conf editing it from my phone so it's game over for now cause I no longer have access to the pi until I get there physically
05:43 < euphoria360> i have also squid setup and some users, wanted to merge both authentications if possible
05:44 < euphoria360> anyone?
05:49 < alias_neo> OK so I'm back In over ssh
05:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:57 < c0mrade_> I can ping from the client to openvpn server but I can't ping the other way around why?
06:00 < euphoria360> c0mrade: were you able to auth by user/pass?
06:06 -!- alias_neo [~AndChat16@213.205.230.236] has quit [Ping timeout: 258 seconds]
06:07 -!- iokill [~iokill@91.114.127.102] has quit []
06:09 < c0mrade_> from the client.
06:09 < c0mrade_> No.
06:09 < c0mrade_> It was weird.
06:09 < c0mrade_> It didn't ask for username/password.
06:09 < c0mrade_> I just connected.
06:09 < euphoria360> ok.
06:10 < euphoria360> i"m trying to figure out this one: http://openvpn.defsdoor.org/
06:10 <@vpnHelper> Title: Openvpn authentication using htpasswd file (at openvpn.defsdoor.org)
06:10 < euphoria360> i Downloaded and compiled it
06:11 < euphoria360> when i run it (for example: openvpn-plugin-auth-ncsa.so /etc/some/passwd) it says Usage: openvpn-plugin-auth-ncsa.so PasswordFile VerifyPasswordFile
06:12 < euphoria360> i dont know what VerifyPasswordFile is!
06:23 -!- alias_Neo [~hamid@194.12.3.78] has joined #openvpn
06:23 < alias_Neo> ok, i got a proper irc client now
06:23 < alias_Neo> i still can't access any of the lan machines on the openvpn lan
06:25 < alias_Neo> i have played with iptables and now if i traceroute one of the remote lan machines "192.168.0.2" i get 10.8.0.1 then restination unreachable from "192.168.0.14" (vpn machines lan IP)
06:26 < alias_Neo> i can trace the remote gateway fine 192.168.0.1
06:26 < alias_Neo> and i can trace another machine on the remote lan 192.168.0.42
06:26 < alias_Neo> but not 192.168.0.2 (which is a arch linux box running ssh, ftp, dlna etc
06:27 < alias_Neo> )
06:27 < alias_Neo> can't ping it either
06:28 <@krzee> lan behind server or client?
06:28 < alias_Neo> behind server
06:28 <@krzee> !serverlan
06:28 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
06:28 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
06:28 <@krzee> use flowchart at 2nd link in #3
06:30 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
06:30 < RobertoBenzi> Hello there
06:31 < alias_Neo> wont load for some reason
06:31 <@krzee> cause you went to first link and my server is down
06:31 <@krzee> <krzee> use flowchart at 2nd link in #3
06:31 < c0mrade_> I've accidently remove a route from the routing table and now I can't ping the openvpn server from clinet
06:31 < c0mrade_> client*
06:31 < c0mrade_> but I connect.
06:31 < c0mrade_> How to revert back?
06:31 < c0mrade_> This is my routing table
06:31 <@krzee> dont show us
06:31 < c0mrade_> Why?
06:32 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:32 <@krzee> if you dont know how to readd it yourself, just reboot and run it again
06:32 < RobertoBenzi> I was wondering if is possible to make a wan client or the server log the wan client IP on the server in some way
06:32 < c0mrade_> I removed the one routing entry.
06:32 < c0mrade_> Would a reboot fix that?
06:32 < c0mrade_> And get it back?
06:32 <@krzee> of course
06:33 < RobertoBenzi> how you do that?
06:33 <@krzee> RobertoBenzi,
06:33 <@krzee> !logfile
06:33 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
06:33 < alias_Neo> krzee so, any idea why i might be able to hit some server lan boxes and not this specific one? I'm pretty sure i got the routing setu p ok
06:33 <@krzee> the clients ip is already in the logfile, otherwise you can run a script and log it however you want
06:33 <@krzee> !script
06:33 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
06:33 < c0mrade_> Cool.
06:33 < c0mrade_> :D
06:34 < rob0> Roberto, when a connection is initiated, the client IP address is logged. "--verb 4" is a good setting for normal operations.
06:34 < c0mrade_> krzee: I can't ping the clinet from the openvpn server.
06:34 < c0mrade_> Why?
06:34 <@krzee> alias_Neo, did you use the flowchart? i made it so you can use it to tell me your problem
06:34 < RobertoBenzi> you mean the openvpn address or its wan IP?
06:34 -!- iokill_ [~iokill@91.114.127.102] has joined #openvpn
06:34 <@krzee> c0mrade_, reboot
06:34 < alias_Neo> krzee it doesn't load
06:34 < rob0> c0mrade_, did you read the /topic and the "firewall" bit?
06:35 < alias_Neo> i can't even hit the tld
06:35 <@krzee> alias_Neo, once again, THE SECOND LINK in #3
06:35 < alias_Neo> gotcha thanks
06:35 <@krzee> you understand "second" ?
06:35 <@krzee> np
06:36 < alias_Neo> ok, the first point on the flow chart, am i doing all this from the client?
06:36 < rob0> Roberto, both.
06:36 < euphoria360> guys I have problem using script for authentication.
06:36 -!- iokill_ [~iokill@91.114.127.102] has quit [Client Quit]
06:37 < euphoria360> in logs openvpn says: Failed running command (--auth-user-pass-verify): external program did not exit normally
06:37 < alias_Neo> krzee i got as far as "can you ping another machine on the lan" and itworks
06:37 < c0mrade_> krzee: I already rebooted.
06:37 < alias_Neo> but i still can't ping/access the second machine
06:37 <@krzee> euphoria360, yep if it doesnt exit with happy exit status you get that
06:38 <@krzee> alias_Neo, can it ping you?
06:38 < euphoria360> so it means that authentication failed?
06:38 < alias_Neo> can what ping me?
06:38 < alias_Neo> the problem machine or the working one?
06:38 <@krzee> euphoria360, or that the script crashed or something else? debug the script
06:38 <@krzee> alias_Neo, both
06:39 < euphoria360> its the script from here: http://openvpn.defsdoor.org/
06:39 <@vpnHelper> Title: Openvpn authentication using htpasswd file (at openvpn.defsdoor.org)
06:39 < euphoria360> i pointed that script to my passwd file
06:39 <@krzee> i dunno the developer of that so i cant say anything about it
06:39 < euphoria360> which i created using htpasswd
06:39 <@krzee> what i do know is that its exiting unsuccessfully
06:39 < euphoria360> the source is available there. i had to compile it
06:39 <@krzee> which is what openvpn is complaining about.
06:40 < alias_Neo> the vpn server can't ping me
06:40 < alias_Neo> (me being client)
06:40 <@krzee> euphoria360, i cannot support that plugin.
06:40 <@krzee> alias_Neo, can you ping vpn server.
06:40 < RobertoBenzi> Cool, then how can I "extract" those ip from log and put it/them on a given file?- I can't script, and my plan would be to create a file with all clients wan IP, and then in some way use those ip to set a route on firewall, so I can wake on lan from my openvpn server (that is also my router) using a "fixed" Ip
06:40 < alias_Neo> yes i can
06:41 <@krzee> then its firewall.
06:41 < alias_Neo> firewall where? on the vpn or on the router?
06:41 < RobertoBenzi> euphoria360, was it for me?
06:41 <@krzee> c0mrade_, did you start the vpn?
06:41 <@krzee> alias_Neo, dunno, thats for you to figure out.
06:41 < euphoria360> i know. sorry for asking too much, i just wanted to know is it because of wrong user/pass (unsupported hashing alghorithm) or bad script?
06:41 <@krzee> alias_Neo, but 1-way ping is firewall.
06:42 <@krzee> euphoria360, no idea.
06:42 < alias_Neo> right, strange
06:43 < euphoria360> @krzee: Do you know any other htpasswd authentication plugins/scripts?
06:43 < alias_Neo> well thanks for the shove in the right direction
06:43 <@krzee> alias_Neo, on the client with the issue.
06:43 <@krzee> euphoria360, no. why would you want to use htpasswd?
06:43 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
06:43 < alias_Neo> krzee the client is an android phone, shouldn't have firewall problems...
06:44 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
06:44 <@krzee> yet it seems to
06:44 < euphoria360> i have squid and a password file, i wanted both use same
06:44 < RobertoBenzi> crashes
06:44 < RobertoBenzi> I was saying
06:44 < alias_Neo> krzee funny that the last client i had working was a pre-4.3 android phone (before they introduced iptables and droidwall...
06:44 < alias_Neo> )
06:45 < alias_Neo> that'll major suck if android's sdefault firewall in 4.4.2 now is killing it
06:45 < RobertoBenzi> is it possible? I'm just taking my first step in unix, openvpn and openwrt :P
06:45 <@krzee> alias_Neo, why do you need to ping the client anyways?
06:45 < alias_Neo> doesn't really explain why the android client can access some vpn server lan machines and not others thoough
06:45 < euphoria360> squid uses ncsa_auth for auth, can i use its script in openvpn?
06:45 < alias_Neo> krzee you asked me to, to test
06:46 <@krzee> ahh ok, what i was trying to do is figure out whats the missing functionality
06:46 <@plaisthos> alias_Neo: can you give me a short summary of your android problem?
06:46 < alias_Neo> i need the client to access the vpn lan machine 192.168.0.2 (which it cant, nor can it ping) but it can access the vpn gateway 192.168.0.1 and it can access the other vpn lan machine 192.168.0.42
06:46 <@krzee> so you saying you have 2 clients? 1 client can access all lan machines and another client cannot?
06:46 < alias_Neo> no, 1 client, it can access some lan machines and not others
06:46 <@krzee> you dont have another client?
06:47 < alias_Neo> no
06:47 < alias_Neo> i can set up up if necessary though
06:47 <@krzee> can you get one for testing purposes? i dont think you even have an android issue at all
06:47 <@krzee> i think the lan machines with issues have firewall problems, if anything.
06:48 < alias_Neo> fair enough, well the problem machine is an arch box running ssh, ftp, dlna etc maybe i can ssh in and disable iptables or something?
06:58 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has left #openvpn []
06:58 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
07:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
07:00 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
07:03 < defswork> alias_Neo, your default gateway on your lan is 192.168.0.1 - but your pi is 192.168.0.14.  So you need to educate your lan as to how to route to 10.8.0.0/24 via 192.168.0.14
07:03 < defswork> alias_Neo, you can do that on your default gateway
07:03 -!- alias_Neo [~hamid@194.12.3.78] has quit [Ping timeout: 252 seconds]
07:03 < defswork> or on each lan PC
07:09 < euphoria360> can someone pleeease look at this source and tell me what kind of encryption algorithm it uses? Im getting crazy!!!
07:09 < euphoria360> http://openvpn.defsdoor.org/openvpn-passwd.c
07:09 < euphoria360> the source file is ridiculously small
07:10 < euphoria360> i tried CRYPT, no luck
07:10 < euphoria360> MD5, No luck
07:10 -!- Alias_Neo [~hamid@194.12.3.78] has joined #openvpn
07:11 < euphoria360> Alias_Neo: Are you persian?
07:11 -!- iokill [~dave@pippin.sigma-star.at] has quit [Quit: leaving]
07:14 -!- Alias_Neo [~hamid@194.12.3.78] has quit [Quit: Alias_Neo]
07:15 -!- Alias_Neo [~hamid@194.12.3.78] has joined #openvpn
07:15 < Alias_Neo> no, not persian, why?
07:16 -!- n2deep [n2deep@odin.sdf-eu.org] has quit [Ping timeout: 276 seconds]
07:16 < euphoria360> hamid@194.12.3.78) joined
07:17 < euphoria360> hamid is a persian name
07:17 < Alias_Neo> Actually it's an arabic name :D
07:17 < Alias_Neo> Abdalhamid
07:17 < euphoria360> aaaaah
07:17 < euphoria360> yes, but we persians use it too :D
07:18 < euphoria360> you are son of hamid then
07:18 < Alias_Neo> Yep, not surprising
07:20 < euphoria360> gonna go. no luck from here. I wish someone helps you to solve yours.
07:20 < Alias_Neo> cheers man, take care
07:21 < euphoria360> you too. bye
07:21 -!- euphoria360 [~euphoria3@2.191.39.249] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
07:23 < Alias_Neo> could igmp-proxy on my gateway cause the issue? it's disabled
07:28 < Alias_Neo> it seems the vpn server has no route to the problem lan machine
07:29 < Alias_Neo> i can't ping 192.168.0.2 (from the vpn box) nor can I ssh to it
07:29 <@krzee> isnt the vpn server ON the lan?
07:29 < Alias_Neo> yes
07:29 <@krzee> different subnet?
07:29 < Alias_Neo> vpn server is lan ip 192.168.0.14
07:29 < Alias_Neo> i'm ssh'd into it
07:29 < Alias_Neo> and i can ping the gateway at 192.168.0.1
07:30 <@krzee> so from 192.168.0.14 you cannot access 192.168.0.2
07:30 < Alias_Neo> and i can ping a machine at 192.168.0.42
07:30 <@krzee> right?
07:30 < Alias_Neo> yep
07:30 <@krzee> firewall.
07:30 < Alias_Neo> on 192.168.0.2?
07:30 <@krzee> yes
07:30 < Alias_Neo> I can remotely ssh into .0.2 from the internet
07:30 < Alias_Neo> but not from a lan device ...
07:31 <@krzee> why would you suspect routing table when they are on the same ethernet broadcast domain
07:31 <@krzee> Alias_Neo, firewall.
07:31 < Alias_Neo> ok, i'll ssh into 0.2. from the internet and disable iptables if i can
07:33 < Alias_Neo> I@m ssh'd in, as far as I can see there is no firewall on this box
07:33 < Alias_Neo> iptables isn't running as a service
07:33 < Alias_Neo> ufw isn't installed
07:35 < Alias_Neo> ok, 192.168.0.2 can't ping the vpn machine 192.168.0.14
07:35 < Alias_Neo> i suspect the router/gateway is at fault
07:35 < Alias_Neo> i installed a custom firmware a few weeks ago (since last time i accessed the vpn)
07:36 -!- Macer [macer@lasziv.reprehensible.net] has left #openvpn []
07:37 < Alias_Neo> the gateway can ping all the ips both lan machines and the vpn vpn address
07:46 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
07:47 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
07:48 <@krzee> iptables-save on the .2 box
07:50 < Alias_Neo> short one...
07:50 < Alias_Neo> # Generated by iptables-save v1.4.19.1 on Wed May 28 13:50:19 2014
07:50 < Alias_Neo> *filter
07:50 < Alias_Neo> :INPUT ACCEPT [2563:317514]
07:50 < Alias_Neo> :FORWARD ACCEPT [0:0]
07:50 < Alias_Neo> :OUTPUT ACCEPT [2425:381076]
07:50 < Alias_Neo> COMMIT
07:50 < Alias_Neo> # Completed on Wed May 28 13:50:19 2014
07:51 <@krzee> dont paste to the channel, use pastebin or similar please
07:51 < Alias_Neo> apologies
07:51 <@krzee> ok check iptables-save on the router
07:52 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:52 < rob0> If that's the router, note that no packets hit the FORWARD policy. Often that means that IP forwarding is not enabled.
07:52 < rob0> But a router can't be a router without IP forwarding.
07:52 < Alias_Neo> that wasnt the router
07:53 < Alias_Neo> router says iptablesw-save doesnt exist
07:53 < Alias_Neo> its running a basic busybox shell
07:53 < rob0> If it's supposed to be forwarding, maybe it's not? Too bad the flowchart doesn't ask you to check IP forwarding.
07:53 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:54 <@krzee> rob0, its not. its just a lan machine.
07:54 <@krzee> and the flowchart does (for relevant machines)
07:54 < Alias_Neo> ok, iptables --list gives me a similarly empty one from the router
07:54 < rob0> krzee, :)
07:55 <@krzee> well Alias_Neo, your problem really has nothing to do with openvpn
07:55 <@krzee> you cant ping the target machine even from the openvpn server on its own lan
07:55 <@krzee> fix your lan, then worry about openvpn
07:55 < Alias_Neo> fair enough, thanks for the help
07:56 <@krzee> np
07:56 < RobertoBenzi> would it be safe to save the wan ip taken from logs in /etc/ethers of my router/openvpn server?
07:56 < RobertoBenzi> like 4th column openvpn IP, 5th column wan IP
07:56 < RobertoBenzi> resulting in something like
07:57 <@krzee> RobertoBenzi,
07:57 <@krzee> !goal
07:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:57 < RobertoBenzi> [MAC Addr][Tab][Hostname][Tab][Ip addr][Tab][OpenVPN IP][Tab][WAN IP]
07:58 < RobertoBenzi> I would like to save the wan IP of a OpenVpn client on the server
07:59 <@krzee> then why are we talking about /etc/ethers ?
07:59 < RobertoBenzi> in order to have some kind of "static way/address" to wake the openvpn client over wan
07:59 <@krzee> whats your REAL goal
07:59 <@krzee> ok, so you're really trying to get static IPs working for the vpn?
08:00 < RobertoBenzi> more or less
08:00 <@krzee> why didnt you just say so? why ask such weird questions for such an easy goal
08:00 <@krzee> !static
08:00 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
08:00 < RobertoBenzi> i have a client with dynamic ip
08:00 <@vpnHelper> also: !addressing
08:00 <@krzee> !addressing
08:00 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
08:01 < RobertoBenzi> I have a client with openvpn static address just set with ccd
08:01 < RobertoBenzi> but with wan dynamic ip
08:01 < rob0> um, the client WAN IP has nothing to do with the VPN IP
08:01 <@krzee> so whats the issue?
08:01 <@krzee> access it by vpn ip
08:01 < RobertoBenzi> that i'd like to be able to wake
08:02 < RobertoBenzi> with the wol/etherwake/luci-app-wol/other of my openwrt
08:02 < rob0> usually a server is left on all the time
08:03 < RobertoBenzi> as long as I know the openvpn ip is not "active" when theclient is shut down
08:03 < rob0> is the server an openwrt device? Those tend to be low power anyway, why put it to sleep?
08:03 <@krzee> well if you want to store the ip i would recommend storing it somewhere the OS wont be jealous of, ethers is prolly not a good place
08:03 < RobertoBenzi> so I'd need a way to wake up the client remotely/from the server
08:03 < rob0> aha, now we get to the real want
08:04 < RobertoBenzi> well, i think I created a little confusion
08:04 < RobertoBenzi> w8 and I'll sum that all
08:04 < rob0> I doubt what you want is possible. It depends on a lot of factors, most of which have nothing to do with openvpn.
08:05 <@krzee> well, if its possible just by knowing the WAN ip, then its possible, you just need to do as you said and log the wan ip when it connects, then you can try waking that wan ip next run
08:05 <@krzee> you can do that with a flat file or a backend database, your choice? you will need to run a script when the client connects to log the WAN ip
08:05 <@krzee> !script
08:05 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
08:06 <@krzee> client-connect should do it i would think
08:06 <@krzee> run a client-connect script with just the env comment (note, it needs valid shbang and also +x)
08:07 < RobertoBenzi> uhm, I'm gonna have hard times, I never scripted in my life XD
08:07 <@krzee> that will output the entire environment of the script to your logfile, or you can use env > /tmp/env and then look in that file to see the script's environment
08:07 <@krzee> well openvpn isnt going to do what you want without a script
08:08 <@krzee> unless you just want to dig through logs when you need to wake the client
08:08 <@krzee> in which case that's easy enough, especially since you use a static IP
08:08 <@krzee> you would just grep out the last few instances of the static ip
08:08 <@krzee> til you see WAN ip
08:09 <@krzee> in fact you can prolly find unique things about the line with WAN ip in it to grep for
08:09 < RobertoBenzi> I'm setting up things in order to learn, so it's not bad, I was just saying that it is gonna be a challenge for me ;)
08:11 <@krzee> =]
08:11 < RobertoBenzi> but...i knowt that may sound silly, what is a script environment?
08:12 <@krzee> the variables the script has access to, openvpn passes a bunch of variables to the script
08:12 <@krzee> by looking at that you can see all info your script will have to work with
08:12 <@krzee> then you can decide what variables will be helpful, such as the one with your LAN ip
08:12 <@krzee> err WAN ip*
08:14 < RobertoBenzi>  (btw as file where to write the output of the script once it will be done, you suggest  not using ethers nor host, but create a new file?)
08:14 <@krzee> yes
08:14 <@krzee> although you may use hosts file, especially if not already modifying it with anything else
08:14 <@krzee> ethers file makes *no* sense
08:15 < RobertoBenzi> I've just screened your suggestions, for future references (i fear it is gonna take long for me to learn XD)
08:15 <@krzee> a script is simply stored shell commands
08:15 <@krzee> if you know how to use your OS you should be able to write a script easy enough
08:16 < RobertoBenzi> well, the logic was "it associates mac and lan ip, let's use an unused part of it (column after the third) to my associations of wan and openvpn Ip!)
08:17 < RobertoBenzi> * :)
08:18 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
08:18 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
08:19 < RobertoBenzi> one last question (atm I'm writing the flowchart/workchart of the whole thing)
08:20 < RobertoBenzi> forwarding the connections to a server lan ip to the wan ip I'm gonna log (and a static port obviusly)
08:21 < RobertoBenzi> would make the client unaccessible when in the server lan - due to some kind of redundancy -
08:22 < RobertoBenzi> or there is a way to set some kind of if
08:23 < RobertoBenzi> that make him use straightforward ip when under lan, and forwarding when outside the server lan?
08:24 <@krzee> your wake operation should be totally serparate
08:24 <@krzee> maybe if cant reach vpn ip try wan ip, by an outside script
08:25 <@krzee> splitdns would do it, using dnsmasq, but the reward is very small and the effort for you to learn it is much bigger than the reward
08:26 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
08:26 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
08:27 < RobertoBenzi> this damn client keep on crashing
08:27 < RobertoBenzi> i was saying that my intention was to forward connections to the client lan ip to wan ip when under wan
08:28 < RobertoBenzi> but maybe it is too compex when it would be enough to set
08:28 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
08:28 < c0mrade_> I can ping the open vpnserver after connecting to it, but I can't ping the client from the openvpn server. Is it a routing issue?
08:28 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
08:28 <@krzee> <krzee> your wake operation should be totally serparate
08:28 <@krzee>  <krzee> maybe if cant reach vpn ip try wan ip, by an outside script
08:28 <@krzee>   <krzee> splitdns would do it, using dnsmasq, but the reward is very small and the effort for you to learn it is much bigger than the reward
08:29 <@krzee> c0mrade_, firewall on client
08:29 < RobertoBenzi> yeah, it would kind of duplicTe the openvpn functions
08:29 < RobertoBenzi> apart from the waking up
08:30 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
08:30 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
08:30 < RobertoBenzi> sigh
08:30 < RobertoBenzi> crash again
08:31 <@krzee> try using a real computer?
08:31 < RobertoBenzi> atm I'm at the public library
08:31 < RobertoBenzi> studying for an exam that have t
08:31 < RobertoBenzi> nothing to do with computers
08:32 < RobertoBenzi> so I think using a computer would not be an option XD
08:32 < RobertoBenzi> it would mean admitting that I'm done studyin for today
08:32 < RobertoBenzi> :P
08:32 < c0mrade_> krzee: You're correct.
08:32 <@krzee> haha
08:33 < c0mrade_> It was a firewall issue :D
08:33 <@krzee> =]
08:33 < c0mrade_> I turned the firewall off on the client windows pc and now the ping is working.
08:33 < RobertoBenzi> this way i can sti
08:33 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
08:33 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
08:33 < RobertoBenzi> this way i can still say myself I'm taking a break
08:33 < c0mrade_> i think all I have to do now is turn it back on and create ICMP echo reply/request rules for outbound/inbound traffic and enable them.
08:34 < RobertoBenzi> but still studying for the exam XD
08:34 <@krzee> c0mrade_, just disable the firewall on tap adapter
08:37 < c0mrade_> I enabled the firewall on the client pc and created rules and the ping is working :D
08:39 <@krzee> yep but if you want more than ping you have to allow each thing
08:39 <@krzee> or you can disable it on vpn adapter
08:40 < c0mrade_> Well time will show. If I will need access for some other protocols that use certain ports/protocols I'll enable them seperately in the windows box.
08:40 <@krzee> cool
08:40 < c0mrade_> programs.
08:40 < c0mrade_> *
08:42 < c0mrade_> Um.
08:42 < c0mrade_> My windows box has a LAN IP and it's connected to other networks.
08:42 < c0mrade_> If I want to ping these networks I'd have to add a route in the server?
08:42 <@krzee> !clientlan
08:42 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
08:42 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
08:42 <@krzee> !winipforward
08:42 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
08:43 <@krzee> !iroute
08:43 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:43 <@krzee> try to understand this:
08:43 <@krzee> !route
08:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
08:44 < c0mrade_> So I'd have to push iroute...
08:44 < c0mrade_> From the server...
08:44 < c0mrade_> And basically change some registry settings to enable ip forwarding in windows.
08:44 <@krzee> no, read route and you'll understand iroute
08:44 <@krzee> read !route
08:45 <@krzee> for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
08:48 < c0mrade_> All right.
08:48 < c0mrade_> Is there a VPN solution for linux that supports IPSec?
08:48 < c0mrade_> Opensource.
08:48 <@krzee> openswan does, you will find no support for it here
08:49 < c0mrade_> How did you know?
08:49 < c0mrade_> What if some people know about it...
08:49 <@krzee> !notovpn
08:49 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
08:49 <@krzee> cause we dont do that here
08:50 < c0mrade_> So 'you' have like a team that you control or what?
08:50 -!- artemz [~quassel@2001:4ba0:cafe:768::1] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
08:50 < c0mrade_> Maybe some people know about openswan and they will volunteer some help...
08:50 <@krzee> well i been an op here for like 8 years or so, i know whats offtopic in here and whats not
08:50 -!- artemz [~artemz@2001:4ba0:cafe:768::1] has joined #openvpn
08:50 <@krzee> which has been the same since we started helping people in here
08:51 < c0mrade_> Well anyway.
08:51 <@krzee> you're in #openvpn we only support openvpn here
08:51 <@krzee> .
08:51 < c0mrade_> Thanks for the help today.
08:51 -!- svg [~svg@hydargos.ginsys.net] has left #openvpn []
08:51 <@krzee> np
09:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 256 seconds]
09:00 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit [Ping timeout: 255 seconds]
09:02 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:02 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:02 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
09:03 < stemid> is it possible to abbreviate the static key somehow? I'm getting a question from a cisco admin who has PSKs that are just one string, not several lines like the static key cert.
09:03 < stemid> the only thing I can imagine being a PSK in openvpn is the static key cert
09:03 < stemid> but it doesn't look at all like the cisco PSKs
09:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
09:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
09:21 < stemid> ugh nvm, I was confusing openswan with openvpn.
09:21 -!- stemid [~avatar@ns4.sydit.se] has left #openvpn []
09:34 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
09:44 -!- qwertyoruiop [~hax@93.174.90.31] has joined #openvpn
09:47 -!- Alias_Neo [~hamid@194.12.3.78] has quit [Remote host closed the connection]
09:48 -!- swebb is now known as zz_swebb
09:48 -!- ek [ek@freebsd/contributor/ek] has joined #openvpn
09:55 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has joined #openvpn
09:57 < Cyclohexane> I'm trying to access the web server running on the same box as the vpn. Traffic to other websites (whatsmyip.org) shows the VPN IP but access logs to the local web server are showing my current connection. Anyone hazard a guess as to why?
09:58 < ek> Hello, All. I seem to be having an issue staying connected to systems inside my LAN while I an vpn'd in. Everything appears to be working perfectly as far as access and such. But, it seems that about after an hour or so, I lose connection (ssh) to a system on my LAN. After the connection is lost, I cannot connect again until I ping the system first. Has anyone seen behavior like this before? Any suggestion where to begin looking for a resolution?
09:58 < ek> Also, here are my OpenVPN configs: http://paste.purplehat.org/?page=view&id=1401288939
09:58 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Ping timeout: 245 seconds]
10:00 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
10:07 -!- Irssi: #openvpn: Total of 170 nicks [9 ops, 0 halfops, 1 voices, 160 normal]
10:08 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Ping timeout: 265 seconds]
10:08 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
10:13 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Ping timeout: 258 seconds]
10:13 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has joined #openvpn
10:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:26 -!- zz_swebb is now known as swebb
10:26 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
10:34 -!- Synthead [~max@c-71-231-120-93.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
10:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:42 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 252 seconds]
10:54 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:57 -!- ildefonso [~ilde123@201.185.229.85] has joined #openvpn
11:02 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
11:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:19 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
11:20 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
11:24 -!- ddyne [~ddyne@f048025027.adsl.alicedsl.de] has joined #openvpn
11:24 < ddyne> !welcome
11:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:26 < ddyne> !goal
11:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:27 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
11:40 -!- ddyne [~ddyne@f048025027.adsl.alicedsl.de] has quit [Remote host closed the connection]
12:00 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
12:03 < c0mrade_> The openvpn server is setup an running on my online VPS host. When I connect from my windows laptop my public ip is the IP of my ISP. Is there a way to browse the internet using the public static ip of the VPS host?
12:05 < pekster> !redirect
12:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:05 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:05 < pekster> c0mrade_: You probably want that
12:09 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit [Ping timeout: 240 seconds]
12:10 -!- RobertoBenzi [~RobertoBe@2-238-129-180.ip244.fastwebnet.it] has quit [Remote host closed the connection]
12:17 -!- c0mrade__ [~c0mrade@unaffiliated/c0mrade/x-1816193] has joined #openvpn
12:17 < c0mrade__> Hmm...
12:17 < c0mrade__> I've used push "redirect-gateway def1"
12:18 < c0mrade__> I've enabled ip forwarding.
12:19 < c0mrade__> echo "1" > /proc/sys/net/ipv4/ip_forward
12:19 < c0mrade__> and natting
12:20 < c0mrade__> iptables -t nat -A POSTROUTING -s 10.3.0.0/24 -o eth0 -j SNAT --to public_ip
12:20 < c0mrade__> Of course replacing public_ip with the VPS host public ip address.
12:21 < c0mrade__> Restarted openvpn and still my ip is the ip from my ISP not that of the VPN server.
12:21 < c0mrade__> ??
12:23 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 256 seconds]
12:24 < c0mrade__> Um.
12:25 < pekster> Good thing there's a flowchart you follow that walks you through the steps and tells you exactly what the problem is
12:25 < c0mrade__> Does it matter if push dhcp-option dns is before push redirect-gateway ??
12:26 < pekster> Nope
12:26 < pekster> Though if you want to push DNS to non-windows, you need to handle it client-side (details at !pushdns)
12:27 < c0mrade__> It's windows.
12:28 -!- Slagwag [~Slagwag@ec2-54-243-204-28.compute-1.amazonaws.com] has quit [Ping timeout: 240 seconds]
12:29 -!- Slagwag [~Slagwag@ec2-54-243-204-28.compute-1.amazonaws.com] has joined #openvpn
12:29 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:31 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
12:32 < c0mrade__> Um.
12:32 < c0mrade__> wait
12:32 < c0mrade__> redirect-gateway should be in the server config or the client config hehe.
12:32 < pekster> Either in the client config, or "pushed" from the server config
12:32 < pekster> See --push in the manpage (and --redirect-gateway too if you want a description of it)
12:33 < c0mrade__> I am not using commands.
12:33 < c0mrade__> I am putting these in the config files.
12:33 -!- c0mrade__ [~c0mrade@unaffiliated/c0mrade/x-1816193] has quit []
12:41 < pekster> OpenVPN has no idea about latency/loss. It's stateless (at least in UDP which you should be using), just like the Internet, so it has no idea if a prior packet was lost or never sent
12:41 < pekster> It's up to the higher-level protocols using the VPN as transit to deal with loss
12:41 < pekster> UDP has no "ping"
12:42 < pekster> Not an ICMP echo-request, no
12:42 < pekster> And that packet is no echoed either
12:42 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:42 <@vpnHelper> Title: Openvpn22ManPage – OpenVPN Community (at community.openvpn.net)
12:42 < pekster> 2.2 is old dude
12:42 < pekster> And yes, I know full well what you mean, but --ping is *NOT* ICMP echo-request; it's a uni-directional keepalive packet
12:43 < pekster> 2.3.4 is current. See !download
12:43 < pekster> No, it does not
12:43 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
12:43 < pekster> This is what "unidirectional" means
12:44 < pekster> It's for peer-state awareness and keeping stateful firewalls open
12:44 < pekster> No, it's not a query/response (for the 3rd time. Arguing won't make it so)
12:44 -!- joshh20-Away is now known as joshh20
12:45 < pekster> A disconnect is detected by using --ping-restart or --ping-exit and that is tripped when a keepalive packet has not arrived from the remote peer in that timeout period
12:45 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
12:45 < pekster> The local peer doesn't even get to know how often the remote sends them (you could have side A send keepalive every 5 seconds, and side B send every 50 seconds. Very silly though)
12:45 < pekster> Yes
12:46 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:52 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
12:52 < c0mrade_> Um.
12:52 < c0mrade_> Okay.
12:53 < c0mrade_> Now when I connect to the vpn.
12:53 < c0mrade_> I can't browse the internet.
12:53 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 276 seconds]
12:54 < c0mrade_> I've disconnected from the vpn server becuase when I've put push "redirect-gateway def1" I connect to vpn but internet stops.
12:54 < c0mrade_> badcodsmell
12:54 < c0mrade_> well I enabled ip forwarding.
12:54 < c0mrade_> let me confirm.
12:54 < c0mrade_> One momen.t
12:55 < c0mrade_> From windows
12:55 < c0mrade_> to linux
12:55 < c0mrade_> And what should I put in push-route if used instead of redirect-gateway?
12:57 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Read error: Connection reset by peer]
12:57 < c0mrade_> I used push "dhcp-option ...." too
12:57 < c0mrade_> ipconfig /all and route print on the windows box?
12:58 < c0mrade_> It's 1
12:58 < c0mrade_> enabled
12:59 < c0mrade_> But wait a moment.
12:59 < c0mrade_> I'll pastebin all of that to you.
13:01 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
13:01 < c0mrade_> Okay one moment.
13:04 < c0mrade_> I can ping from both sides.
13:04 < c0mrade_> One moment.
13:07 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
13:07 < c0mrade_> BadCodSmell: http://pastebin.com/6XDbESib
13:10 < c0mrade_> So what do you recommend.
13:10 < c0mrade_> Could it be the cause?
13:11 -!- qwertyoruiop [~hax@93.174.90.31] has quit [Quit: ZNC - http://znc.in]
13:11 < c0mrade_> But would it affect my condition as it is?
13:11 < c0mrade_> I mean I can't browse the internet after I connect..
13:12 < c0mrade_> Here's my openvpn.conf file on the server
13:12 < c0mrade_> http://pastebin.com/dWmKscca
13:12 < c0mrade_> Nothing in -F
13:12 < c0mrade_> Oh boy.
13:13 < c0mrade_> Oh boy.
13:13 < c0mrade_> -F wiped out everything except SNAT stuff
13:15 < c0mrade_> iptables -nat -F doesn't work.
13:17 < c0mrade_> http://pastebin.com/A5cyG5BE
13:17 < c0mrade_> ifconfig
13:18 < c0mrade_> I am using CentOS 5.10 32-bit on a Virtual Private Server online with a static public IP.
13:18 -!- Guest65389 [~hax@3.shulgin.nl.torexit.haema.co.uk] has joined #openvpn
13:18 < c0mrade_> It uses OpenVZ/Virtuozzo.
13:18 < c0mrade_> I have TUN/TAP enabled and I can successfully connect to the openvpn server and ping in both ways.
13:19 < c0mrade_> So what should be the iptables natting rule?
13:19 -!- Guest65389 [~hax@3.shulgin.nl.torexit.haema.co.uk] has left #openvpn []
13:19 < c0mrade_> because all my iptables rules are wiped out now :P
13:19 < c0mrade_> I need to set it up again.
13:20 < c0mrade_> Done.
13:20 < c0mrade_> What about -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
13:20 < c0mrade_> is that necessary?
13:20 < c0mrade_> Um.
13:21 < c0mrade_> Why /16?
13:21 < c0mrade_> I used /24.
13:21 < c0mrade_> So how to delete this rule again?
13:22 < c0mrade_> Angput hte right one?
13:22 < c0mrade_> Okay
13:22 < c0mrade_> Done.
13:23 < c0mrade_> It's a hosted vm.
13:23 < c0mrade_> VPS.
13:23 < c0mrade_> I can't simply upgarde you know.
13:23 < c0mrade_> It will take time anyway.
13:23 < c0mrade_> Okay.
13:23 < c0mrade_> So natting is done.
13:23 < c0mrade_> ip forwarding is enabled.
13:24 < c0mrade_> I have the push "redirect-gateway def1"
13:24 < c0mrade_> set in the server config
13:24 < c0mrade_> What else do I need?
13:26 < c0mrade_> I am using the default DNS
13:26 < c0mrade_> You can see in my example
13:26 < c0mrade_> would they work?
13:26 < c0mrade_> Anyway.
13:26 < c0mrade_> I'll try.
13:26 < c0mrade_> But it it won't work I'll get disconnected.
13:26 < c0mrade_> So...
13:26 < c0mrade_> Hehe.
13:26 < c0mrade_> Um.
13:26 < c0mrade_> One more thing.
13:27 < c0mrade_> I can't see any routes on my windows box after route print command dealing with 10.3.0.0 network...
13:27 < c0mrade_> What do you say about that??
13:27 < c0mrade_> No.
13:27 < c0mrade_> Right now.
13:27 < c0mrade_> Hehe.
13:27 < c0mrade_> Oh.
13:28 < c0mrade_> They're added after connecting you mean.
13:28 < c0mrade_> Okay I'll try to connect now and see what happens.
13:29 < c0mrade_> Oh boy
13:29 < c0mrade_> :D
13:29 < c0mrade_> :D
13:29 < c0mrade_> :D
13:29 < c0mrade_> It worked!!!
13:30 < c0mrade_> Thank you a LOT man!
13:30 < c0mrade_> You're the man!
13:30 < c0mrade_> Now I opened google
13:30 < c0mrade_> what is my ip?
13:30 < c0mrade_> And I got my servers ip
13:30 < c0mrade_> :D
13:30 < c0mrade_> Great!
13:30 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit []
13:31 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
13:32 < c0mrade_> It did work....
13:32 < c0mrade_> :D
13:33 < c0mrade_> But thanks a bunch man.
13:33 < c0mrade_> Hehe.
13:34 < c0mrade_> I will. I hope I won't enjoy someones DDoS hehe.
13:34 < c0mrade_> :P
13:35 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit [Client Quit]
13:37 <@ecrist> holy crap he talks alog
13:37 <@ecrist> alot
13:37 <@ecrist> to himself
13:37 <@ecrist> or, was someone talking to him on my ignore list?
13:37 <@ecrist> it just ocurred to me that people on my /ignore won't show up in stats
13:38 <@ecrist> lol
13:47 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has joined #openvpn
13:47 < c0mrade_> Um.
13:59 -!- dazo is now known as dazo_afk
14:06 -!- agentbob_ is now known as agentbob
14:09 < Eugene> I fail to see the problem?
14:14 <@krzee> lol
14:23 <@krzee> epecially funny is:
14:23 <@krzee> [14:57]  <pekster> [12:19:19] Not an ICMP echo-request, no
14:23 <@krzee> [14:57]  <BadCodSmell> [12:19:22] I see you're new here
14:23 <@krzee> [14:57]  <pekster> [12:19:23] And that packet is no echoed either
14:23 <@krzee> [14:57]  <BadCodSmell> [12:19:36] https://community.openvpn.net/openvpn/wiki/Openvpn22ManPage
14:23 <@vpnHelper> Title: Openvpn22ManPage – OpenVPN Community (at community.openvpn.net)
14:24 <@krzee> had he linked you to a current copy of the manpage it would have been the one pekster configured to properly use anchors for us to link to in the bot
14:26 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
14:28 -!- averagecase [~anon@dslb-094-221-216-065.pools.arcor-ip.net] has joined #openvpn
14:34 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:38 -!- tastycactus [~aaron@ip68-106-248-219.ph.ph.cox.net] has joined #openvpn
14:40 < tastycactus> I'm using latest openvpn from git master for elliptic curve support.  How do I configure server.conf for ecdh?
14:41 < tastycactus> README.ec seems to indicate that the ecdh parameters are derived from the key, so I removed dh line from server.conf, but openvpn gives an error
14:41 < tastycactus> "Options error: You must define DH file (--dh)"
14:44 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
14:47 < Saul775> I suppose I'm a little confused with ifconfig-push.  I'm trying to set a STATIC IP address for one client that connects to my OpenVPN server.  Why would I need to specify the second endpoint (the server address) if it's always going to be 192.168.5.1?
14:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
14:52 -!- KookyMan [~Shadow@c-50-133-15-50.hsd1.mi.comcast.net] has joined #openvpn
14:52 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:55 < KookyMan> Good Afternoon, was hoping someone might be able to assist me with finding a piece of information.  The last OpenVPN Connect for Android noted "Disable "Seamless Tunnel" feature for devices running API level 19 (Android KitKat 4.4 - 4.4.2)" but I can't find any information on why it was done.  I use that particular feature (or at least think I do) and am hesitant to update without knowing why
14:55 < KookyMan> it was disabled.
14:55 <@krzee> Saul775,
14:55 <@krzee> !topology
14:55 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:55 <@krzee> !net30
14:55 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:56 <@krzee> its not always .1 in net30, if you are using topology subnet or tap then its always .1 however you dont use ifconfig-push that way when using those
14:56 <@krzee> !static
14:56 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
14:56 <@vpnHelper> also: !addressing
15:10 -!- c0mrade_ [~c0mrade@unaffiliated/c0mrade/x-3310965] has quit [Ping timeout: 252 seconds]
15:13 -!- mattock is now known as mattock_afk
15:19 -!- Synthead [~max@216.239.55.44] has joined #openvpn
15:24 -!- Synthead [~max@216.239.55.44] has quit [Quit: p33 ba115]
15:26 < Saul775> Thank you, krzee.
15:26 < Saul775> I will look at the information you've given me now.
15:32 <@krzee> np
15:32 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:32 <@krzee> to sum it up, theres 2 ways to use ifconfig-push
15:33 <@krzee> and if its truely always .1, you shouldnt be using .1 at all =]
15:33 <@krzee> because if using topology subnet or tap without net30, you can use the subnet style: ifconfig-push 10.8.0.5 255.255.255.0
15:34 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
15:40 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:49 < KookyMan> Good Afternoon, was hoping someone might be able to assist me with finding a piece of information.  The last OpenVPN Connect for Android (1.1.14 build 56) noted "Disable "Seamless Tunnel" feature for devices running API level 19 (Android KitKat 4.4 - 4.4.2)" but I can't find any information on why it was disabled.  I use that particular feature (or at least think I do) and am hesitant to update
15:49 < KookyMan> without knowing why it was disabled.  Might someone know, or suggest someplace to look?
15:51 -!- MadTBone [~MadTBone@160.39.238.199] has joined #openvpn
15:56 <@krzee> no idea, openvpn connect is not an open project really
15:56 <@krzee> but heres the source:
15:56 <@krzee> !androidsource
15:56 <@vpnHelper> "androidsource" is (#1) The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout or (#2) The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
15:56 <@krzee> #2
16:10 < Saul775> Okay, I've another question.  My OpenVPN will assign clients an IP address in the range 192.168.5.2 - 192.168.5.254.  Can I specify the DHCP range?  EXA:  I want them in the range 192.168.5.100 - 192.168.5.254.
16:12 <@krzee> instead of using --server you can see the manual for what --server really expands to (its simply a helper directive that expands to more options) then you can re-make it however you want
16:12 <@krzee> !man
16:12 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
16:13 < Saul775> Thank you, krzee.  I thought I saw that.  It does the if dev_tun … if dev_tap.  I thought I would do that, but I wasn't sure if there was an easier way.  Thank you again.
16:14 <@krzee> no problem
16:49 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:01 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 264 seconds]
17:01 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
17:07 -!- Absolu7e [~Absolu7eO@cpe-24-162-109-29.hot.res.rr.com] has joined #openvpn
17:07 -!- Absolu7e [~Absolu7eO@cpe-24-162-109-29.hot.res.rr.com] has left #openvpn []
17:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:11 < Saul775> Hi, krzee.  One last thing.  I've removed the server option in my server.conf file, and I've replaced it with what the "server" option truly is.  However, I can't start the service now.  I look at the log files, and it doesn't like if-statements…  Suggestions, my friend?
17:11 <@krzee> haha
17:11 <@krzee> ya it doesnt like if statements, thats meta for you to understand what the logic in --server is
17:11 <@krzee> you will need to apply that logic yourself while making your config
17:12 < Saul775> Ahhh!  I was wondering if that's what I was supposed to do, but I wasn't sure.  Thank you again.
17:14 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:16 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:19 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:27 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:33 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 264 seconds]
17:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:35 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has joined #openvpn
17:46 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
17:47 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
18:10 -!- swebb is now known as zz_swebb
18:40 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:51 -!- zz_swebb is now known as swebb
19:12 < Saul775> Grr… I'm so close.  Okay, I converted the "server 10.8.0.0 255.255.255.0" option in my server.conf to the following:
19:12 < Saul775> mode server
19:12 < Saul775> tls-server
19:12 < Saul775> push "topology subnet"
19:12 < Saul775> ifconfig 10.8.0.1 255.255.255.0
19:12 < Saul775> ifconfig-pool 10.8.0.100 10.8.0.254
19:12 < Saul775> route 10.8.0.0 255.255.255.0
19:12 < Saul775> push "route 10.8.0.0 255.255.255.0"
19:12 < Saul775> push "route-gateway 10.8.0.1"
19:13 < Saul775> P.S.  I didn't mean to spam.  I didn't think it was too many lines, so I didn't pastebin it.
19:13 < Saul775> However, I'm not getting a "offset is outside of --ifconfig subnet."
19:13 < Saul775> Err… I'm NOW getting an "offset is outside of --ifconfig subnet."  Any more recommendations?
19:14 <@krzee> did you put: topology subnet
19:15 <@krzee> (without push)
19:15 < pekster> The route for 10.8.0.0/24 is wrong; that's implicit in subnet
19:15 < Saul775> I did not put the topology subnet in my config.  *sighs*
19:16 < Saul775> Success!  Thanks again, krzee.
19:16 < Saul775> Thank you, too, pekster.  I will remove my route 10.8.0.0 now.
19:19 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 399 seconds]
19:19 < Saul775> pekster, it's time to use your handy clientlan.png now.  :)
19:20 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 252 seconds]
19:20  * pekster did not make it, merely indexed the PNG and mirrors it
19:20 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
19:21 < Saul775> Well, it led me to the correct solution; my stupid Windows firewall was on.  *laughs*  Everything works perfectly… (so far).
19:22 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:25 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 276 seconds]
19:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:56 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
20:03 -!- averagecase [~anon@dslb-094-221-216-065.pools.arcor-ip.net] has quit [Quit: Verlassend]
20:34 -!- tastycactus [~aaron@ip68-106-248-219.ph.ph.cox.net] has quit [Quit: leaving]
20:34 -!- joshh20 is now known as joshh20-Away
20:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:45 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:10 < jeev> krzee, there?
21:10 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:16 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit []
21:33 -!- KookyMan [~Shadow@c-50-133-15-50.hsd1.mi.comcast.net] has left #openvpn []
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Broken pipe]
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:38 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
22:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
23:49 -!- ShadniX [dagger@p5481D619.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:50 -!- ShadniX [dagger@p5DDFF726.dip0.t-ipconnect.de] has joined #openvpn
23:58 -!- hyperch [~hyperch@ns99.roleplayer.org] has joined #openvpn
23:59 < hyperch> krzee: online?
--- Day changed Thu May 29 2014
00:25 -!- bears_ [~bears@unaffiliated/bears] has joined #openvpn
00:27 -!- bears [~bears@unaffiliated/bears] has quit [Ping timeout: 240 seconds]
01:12 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
01:13 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Max SendQ exceeded]
01:13 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
01:14 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Max SendQ exceeded]
01:15 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
01:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:15 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Max SendQ exceeded]
01:16 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
01:16 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Max SendQ exceeded]
01:17 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
01:17 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Max SendQ exceeded]
01:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:23 -!- mattock_afk is now known as mattock
01:26 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
01:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:43 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
01:43 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
01:44 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:49 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 240 seconds]
02:06 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
02:10 -!- bears_ [~bears@unaffiliated/bears] has quit [Ping timeout: 276 seconds]
02:18 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
02:18 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
02:23 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
02:24 -!- JordanJ2 [xClone84@unaffiliated/jordanj2] has joined #openvpn
02:32 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:50 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:50 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
03:23 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 245 seconds]
03:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:38 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:56 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:57 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
05:07 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
05:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:31 -!- imdea [~joel@193.145.14.145] has joined #openvpn
05:32 < imdea> Hi, I'm trying to start openvpn as soon as my machine boots up, but it doesn't. Once the system is booted up, when I type: /etc/init.d/openvpn start I'm getting: May 29 12:24:10 dijkstra ovpn-openvpn-client[21524]: Options error: You must define TUN/TAP device (--dev)
05:32 < imdea> May 29 12:24:10 dijkstra ovpn-openvpn-client[21524]: Use --help for more information.  however, if from the console I do: openvpn --config /etc/openvpn/openvpn-client.conf --auth-user-pass /etc/openvpn/up it works,. any ideas?
05:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:02 -!- ddyne [~ddyne@g227122073.adsl.alicedsl.de] has joined #openvpn
06:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Remote host closed the connection]
06:21 -!- ddyne [~ddyne@g227122073.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
06:42 -!- imdea [~joel@193.145.14.145] has quit [Ping timeout: 252 seconds]
07:05 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:10 -!- asio [asio@109-74-7-223-static.serverhotell.net] has joined #openvpn
07:14 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
07:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:22 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:24 < asio> !configs
07:24 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:24 < asio> !logs
07:24 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:24 < asio> !welcome
07:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
07:24 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:25 < asio> !route
07:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
07:27 <@krzee> Saul775, you're welcome for the flowchart =]
07:27 <@krzee> jeev, hyperch in here.
07:27 <@krzee> im*
07:27 <@krzee> if you guys said more than "there?" and "oneline?" ild be able to answer your questions instead of now saying "yes" and leaving in a minute...
07:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
07:30 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Read error: Connection reset by peer]
07:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
07:34 < asio> Hi, I'm trying to setup openvpn on layer2 on openbsd5.3 using mac os x as client...but I get SSL errors on certificates, I've but server/client confs and logs as well as routing table/cert generation step  and interface config here: https://www.asio.se/openvpn/
07:34 <@vpnHelper> Title: Index of /openvpn/ (at www.asio.se)
07:34 < asio> the error I get looks like this:
07:34 < asio> VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=SE/L=Stockholm/O=Asio_Technology_AB/OU=IT_Operations/CN=Asio_Technology_AB_-_Sweden_CA/emailAddress=ca@asio.se
07:34 < asio> 2014-05-29 14:29:20 us=248489 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
07:34 < asio> 2014-05-29 14:29:20 us=248534 TLS Error: TLS object -> incoming plaintext read error
07:36 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:39 -!- mode/#openvpn [+v s7r] by ChanServ
07:40 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:52 < defswork> asio, your TLS layer is failing
07:52 < defswork> asio, you using tls server and tls client appropriately ?
07:52 < asio> I don't know...my first time setting up openvpn
07:52 < defswork> so you have tls enable - you need to tell on end it's the server and one end it's the client
07:53 < asio> hm...how do I do that?
07:53 < defswork> tls-server ; tls-auth /etc/openvpn/keys/ta.key 0  < on the server
07:53 < defswork> and tls-client ; tls-auth ta.key 1
07:54 < defswork> use the right paths to ta.key etc..
07:54 < asio> okey...how is ta.key generated?
07:54 < defswork> I assume you already done it
07:55 < asio> nah...didn't know it was required
07:55 < defswork> if you have no tls stuff in your configs then you arent using it
07:55 < defswork> (I would use it)
07:55 < defswork> your certs are missing then
07:55 < defswork> you got all 3 on the client ?
07:55 < defswork> ca.crt ; client.crt and client.key ?
07:56 < asio> I have no tls stuff on either server or client, only ca/cert/key directives
07:56 < defswork> ok - add tls later
07:56 < asio> https://www.asio.se/openvpn/server.conf https://www.asio.se/openvpn/client.conf
07:56 < defswork> sort out your certs
07:56 < asio> yes...I think the problem is with the cert but I cannot find out what
07:57 < asio> this is how I generated the root ca/intermediate ca and client cert: https://www.asio.se/openvpn/cert-generation-steps
07:57 < defswork> you pasted em in correctly
07:58 < asio> yes
07:58 < asio> the first line in all files i ---BEGIN... end file ends with ---END...
07:58 < defswork> does openvpn support [inline] on all versions ? I thought it was a hack for IOS
07:59 < asio> it seems to read them at least
07:59 < asio> I can try and change them to paths instead to se if it works
08:00 < defswork> that inline stuff is mostly to allow you to get em onto a locked down system like ios
08:01 < asio> ah...I hoped it would also work on other platforms...easy way of distributing all parts needed on client for non techies
08:02 < asio> it gives the same error
08:06 -!- croftworth [croftworth@unaffiliated/croftworth] has joined #openvpn
08:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 252 seconds]
08:15 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
08:16 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
08:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:32 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
09:02 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:06 -!- swebb is now known as zz_swebb
09:12 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
09:17 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:26 < ShadniX> defswork, asio: you should be able to put die cert/key-data in the config-files on all recent openvpn-versions - i'm running serveral windows- and linux-installations that way
09:35 -!- Netsplit *.net <-> *.split quits: CaTtleyA
09:36 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 252 seconds]
09:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:40 < ShadniX> asio: I've never used OpenVPN with intermediate CAs, but i think you have to provide your intermediate and your root certificate in your CA cert file
09:40 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
09:43 -!- Nikon_m [~Niko@38.104.158.106] has joined #openvpn
09:43 < Nikon_m> hello
09:43 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:44 < Nikon_m> So question
09:45 < Nikon_m> If im building my cert with easy rsa and i am getting it signed via a root cert, what should i use? the class 3 PKI or the GPG key?
09:45 < asio> ShadniX: if I do that (cat ca-root.crt ca-intermediate.crt > ca-stacked.pem) and use that for "ca" dirctive I get this error instead:
09:45 < asio> 2014-05-29 16:44:38 us=928122 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: /C=SE/L=Stockholm/O=Asio_Technology_AB/OU=IT_Operations/CN=Asio_Technology_AB_-_Root_CA/emailAddress=ca@asio.se
09:50 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:56 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
09:56 < asio> ShadniX: progress, using a file with both root and intermediate on both client AND server gives a new error:
09:56 < asio> Thu May 29 16:55:15 2014 us=113944 10.0.2.55:53033 TLS: Initial packet from 10.0.2.55:53033, sid=a0744a13 73a8b803
09:56 < asio> Thu May 29 16:55:16 2014 us=716004 10.0.2.55:53033 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=SE/L=Stockholm/O=Asio_Technology_AB/OU=IT_Operations/CN=vpn.asio.se/emailAddress=ca@asio.se
09:56 < asio> Thu May 29 16:55:16 2014 us=716599 10.0.2.55:53033 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
09:56 < asio> Thu May 29 16:55:16 2014 us=716665 10.0.2.55:53033 TLS Error: TLS object -> incoming plaintext read error
09:56 < asio> Thu May 29 16:55:16 2014 us=716707 10.0.2.55:53033 TLS Error: TLS handshake failed
09:56 < asio> Thu May 29 16:55:16 2014 us=716998 10.0.2.55:53033 SIGUSR1[soft,tls-error] received, client-instance restarting
09:58 < asio> ShadniX: logs: https://www.asio.se/openvpn/new-client.log https://www.asio.se/openvpn/new-error-server.log
09:58 < ShadniX> asio: error=unsupported certificate purpose - your server cert needs the server extension
09:58 < asio> what does that mean?
10:00 < ShadniX> asio: create the sign request with -extensions server - iirc
10:07 < asio> ShadniX: based on the openssl.cfg I used it should already be correct extension: https://www.asio.se/openvpn/openssl.cfg
10:10 -!- claudiop [~claudiop@62.113.205.36] has joined #openvpn
10:12 < claudiop> Is port-sharing supposed to block access to the port while the vpn is in use? When there is no one connected to the vpn it works well, but when someone connects, the shared service becomes unaccessible
10:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:17 -!- Nikon_m [~Niko@38.104.158.106] has quit [Quit: Leaving]
10:17 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has joined #openvpn
10:19 <@plaisthos> claudiop: are you using port-share with tls-server?
10:19 <@plaisthos> port-share and a regular p2p configuration might behave that way
10:20 < cornfeedhobo> good morning. I have a question that might have to do more with routing than anything else, but i think it might be better to ask here first.  I have a VPN server that currently routes all client traffic through it (secure internet); this has been going well for quite some time. I am now in the need to be on the VPN, but access peers on the local lan (work wifi). how can i make it so 10.0.0.0/8 traffic is not routed over the VPN?
10:21 < ShadniX> asio: might it be possible that you mixed them up? the client.conf you've posted earlier with the inline cert hat TLS Web Server Authentication as its key usage and seems more like your server cert, judging from your cert-generation-steps
10:22 < cornfeedhobo> i keep looking around, but all answers dont seem to account for a setup where, by default, all traffic is routed over the vpn
10:22 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
10:22 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
10:23 < asio> ShadniX: maybe I should just delete all certs and the CA, and follow the cert-generation-steps again and make sure not to mix them up...
10:30 < cornfeedhobo> asio: +1   best to use the easy-rsa3 package too. makes life easy
10:30 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
10:30 < asio> cornfeedhobo: I was planning on using the root ca for a couple of other things too, like certs for web pages, and wanted to separate them
10:30 < TheEternalAbyss> Hello
10:31 < TheEternalAbyss> I had a quick question when it comes to configuring openvpn
10:31 < cornfeedhobo> asio: i do that
10:32 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:32 < TheEternalAbyss> what is the format for the certificates if i'm using a .cer and .pfx? I mean how do I put it in the config so it understands what I want in there instead of ca and cert
10:32 < cornfeedhobo> asio: pretty handy. you can install the cert on your comps and not get warnings too
10:32 < asio> mm
10:32 < asio> it pretty nice, especially when it is only used for internal sites too, and all clients have the root ca installed
10:32 < asio> not having to go through with a commercial ca
10:33 < TheEternalAbyss> i hope my question makes sense I'm still kinda noobish when it comes to vpn stuff
10:33 < asio> gonna try and follow the steps for root/intermediate ca in my instrucitons and hopefully not mess it up, see it works...https://www.asio.se/openvpn/cert-generation-steps
10:33 < cornfeedhobo> asio: yup :)
10:34 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
10:34 < claudiop> plaisthos: I was using with the https port. I think i found the problem, and if i am correct, it can be considered as an openvpn bug
10:35 < cornfeedhobo> asio: that just seems like a pita, i would clone https://github.com/OpenVPN/easy-rsa
10:35 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
10:35 < TheEternalAbyss> would I just put down 'cer mycert.cer' and 'pfx mypfxcert.pfx' ?
10:35 < cornfeedhobo> they make the handy scripts for you :D   and v3 is WAY better than v2 if you didnt like it
10:35 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:36 < asio> cornfeedhobo: can it also do intermediate ca generation too?
10:36 < cornfeedhobo> TheEternalAbyss: no http://security.stackexchange.com/questions/29425/difference-between-pfx-and-cert-certificates
10:36 <@vpnHelper> Title: ssl - Difference between .pfx and .cert certificates - Information Security Stack Exchange (at security.stackexchange.com)
10:36 < claudiop> If the connection number limit of the vpn is 1, and that connection is busy (someone is there using), it will refuse any additional connection without verification if it is meant for it or for the shared service
10:36 < cornfeedhobo> asio: yup
10:36 < TheEternalAbyss> ok
10:36 < cornfeedhobo> asio: they really cleaned it up. it can do all. just make sure you set things as you like in `vars`
10:36 < asio> Ah...did not now that...looked at couple of guides but none of them used intermediate...so thought it wasn't possible
10:37 < claudiop> Can someone please fill the bug? Im not really into the openvpn community, don't know how can do so :(
10:37 -!- zz_swebb is now known as swebb
10:39 < TheEternalAbyss> i see.. so if I extract the certificate from the pfx, then I can just config openvpn to use that if I understood this correctly
10:40 < ShadniX> cornfeedhobo: using "redirect-gateway def1"? either add a static route for your 10./8 (if you can), which should takes preference over the routes that are added by the redirect-gatway option
10:42 < cornfeedhobo> TheEternalAbyss: correct
10:42 < ShadniX> cornfeedhobo: or... well - i just scrapped the or...
10:42 < cornfeedhobo> ShadniX: thats what i was thinking, but so far my attempts to manually add the route for testing have failed
10:43 < cornfeedhobo> i am new to static routing, and it is admittedly a weak spot
10:45 < ShadniX> cornfeedhobo: what is your setup and at which point does it fail?
10:48 < cornfeedhobo> ShadniX: https://ezcrypt.it/DE8n#ZrYaVUw4oU526j3D93wMd1mQ
10:48 <@vpnHelper> Title: EZCrypt - Paste (at ezcrypt.it)
10:49 < TheEternalAbyss> hmm
10:49 < cornfeedhobo> that is without my messing around. just connecting to wired internet, and then to the vpn
10:50 < TheEternalAbyss> it's telling me i have to define a ca file or tell it the path to one. I don't have one. How can  get that from the cer and pfx file provided to me?
10:50 < cornfeedhobo> ShadniX: 10.0.8.0/24 goes to a router that has routes for other internal vlans, i.e. 10.0.5.0/24 etc
10:50 < cornfeedhobo> TheEternalAbyss: you can get it from the person who issued you the certificate
10:50 < cornfeedhobo> s/person/organization/
10:51 < TheEternalAbyss> hmm.. let me see..
10:53 < ShadniX> cornfeedhobo: so, you can reach your 10./8 from this machine? if your fine with accessing your 10./8 through this vpn-server (i assume it is your vpn server system?) you could just add a route via
10:53 < ShadniX> ip route add 10.0.0.0/8 via <gateway-ip>
10:54 < ShadniX> if the traffic should never enter the vpn on the client side, you need to split the traffic on the client side
10:54 < ShadniX> meaning adding a route on the client routing table
10:55 < ShadniX> which - depending on your client os - may invole scripting in some way
10:56 < cornfeedhobo> hmm. let me see
10:56 < cornfeedhobo> yeah, using network-manager in kubuntu
10:56 < cornfeedhobo> i can currently ping 10.0.8.0/24 so that works
10:57 -!- claudiop [~claudiop@62.113.205.36] has quit [Quit: Leaving]
10:58 < cornfeedhobo> yup, cant ping a 10.0.50/24 but other people in the office cant, so that will be my first test
10:58 < cornfeedhobo> office can*
10:59 < cornfeedhobo> ShadniX: what do you mean split?
10:59 < cornfeedhobo> masquerade?
11:00 < cornfeedhobo> ip r a 10.0.5.0/24 via 10.0.8.1 works, but i dont want to have to do that manually all the time
11:00 < ShadniX> no - split in the sense of "choosing the right path" or - well - routing
11:01 < cornfeedhobo> hmm, you dont think there is a "universal" route i can push through openvpn to avoid all of this
11:03 < TheEternalAbyss> hmm
11:03 < TheEternalAbyss> odd
11:04 < TheEternalAbyss> so it managed to try and connect but then it gave me this error: Cannot load CA certificate file myca.cer path (null) (SSL_CTX_load_verify_locations) (OpenSSL)
11:05 < cornfeedhobo> TheEternalAbyss: some (read: most) platforms require inline keys (pasted in the conf, wrapped with xml tags) or with absolute paths defined
11:05 < cornfeedhobo> i have not had one that worked with relational locations except windows 7 iirc
11:06 < TheEternalAbyss> ok..so how do I fix this (remember I'm slightly noobish here lol )
11:06 < cornfeedhobo> thats fine. what platform is the client on?
11:06 < TheEternalAbyss> osx
11:06 < ShadniX> well - if your clients are always at the same network, you should be able to safely push the route using a push option like
11:07 < ShadniX> push "route 10.0.0.0 255.0.0.0 net_gateway"
11:07 < ShadniX> or
11:07 < ShadniX> push "route 10.0.0.0 255.0.0.0 <your_local_client_gateway_ip>"
11:07 < ShadniX> man pages lists: net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).
11:08 < ShadniX> cornfeedhobo: if you have mobile clients which can be in other networks, you might need some scripting work to decide if the client is in your local network
11:08 < cornfeedhobo> TheEternalAbyss: create a folder in your home folder named "Keys". put all your ssl stuff in there. then in the conf, explicitely write out the full path to those files
11:09 < ShadniX> cornfeedhobo: i also think there is a dhcp options for pushing routes - never used that though
11:09 < cornfeedhobo> yeah i think there is
11:09 < cornfeedhobo> let me poke around with those. good thinking!
11:09 < cornfeedhobo> ShadniX: ^
11:11 < cornfeedhobo> TheEternalAbyss: i dont use macs, but it would look something like `ca /USers/<username>/Keys/ca.crt`    assuming that is the correct stucture, i havent touched a mac in a while
11:18 -!- axelm7 [~axelm7@186.135.29.72] has joined #openvpn
11:19 < axelm7> hi guys, has anyone implemented an openvpn cluster without using Access Server? I am currently only interested in failover. Load-balancing is not necessary in my use case.
11:25 < ShadniX> axelm7: regarding failover, you can define multiple vpn server addresses in your client config - openvpn will try to connect to each of them, until a connection is established
11:50 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has joined #openvpn
11:52 < debbie10t> hi - I have searched the wiki for "windows install problems" but cannot find anything specific yet.  Is there a wiki page dedicated to windows install problems .. sorry to ask (maybe I am going blind) if not perhaps one can be created - thanks
11:53 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 276 seconds]
11:55 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
11:56 < debbie10t> hi pekster
11:56 < debbie10t> hi - I have searched the wiki for "windows install problems" but cannot find anything specific yet.  Is there a wiki page dedicated to windows install problems .. sorry to ask (maybe I am going blind) if not perhaps one can be created - thanks
11:56 <@mattock> what kind of install problem?
11:57 < debbie10t> with regard to this post: https://forums.openvpn.net/topic15971.html
11:57 <@vpnHelper> Title: OpenVPN Support Forum Newbie in need of some help - not server, but client issue : Installation Help (at forums.openvpn.net)
11:58 <@mattock> there's some very odd problem with that particular Windows installation
11:59 < debbie10t> sure .. but i guess it is likely to be ongoing
11:59 <@mattock> possibly some security software thingy is preventing the install from starting
11:59 < debbie10t> yep - like commodo interfereing
11:59 <@mattock> or maybe windows for some reason fails to validate the installer's signature or something
11:59 <@mattock> although that should not cause the installer to fail completely
11:59 < debbie10t> exactly what I was hoping to find on the wiki
12:00 <@mattock> there haven't been many issues of this kind, so there's no wiki/faq entry for this
12:01 < debbie10t> i'll try searching the bug list
12:04 < debbie10t> hmm .. keyword: install reveals nothing related
12:04 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 258 seconds]
12:06 < debbie10t> I have installed on v234 on W7 64bit no problem .. so I guess it is something to do with the users windows setup .. oh well
12:08 < debbie10t> as that post says "OpenVPN client" could it be something othert than OpenVPN 234 ?
12:08 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:09 < debbie10t> I'll ask the user ... cheers mattock
12:09 <@mattock> bye
12:09 < debbie10t> yeah - forget itr - it is v234 so .. must be windows
12:12 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:13 -!- pseudo_ [~pseudo@65.204.49.74] has joined #openvpn
12:14 < M4rc3l> are there any common reasons why openvpn app on iphone might connect to the server but you can't browse the internet?
12:14 < M4rc3l> same cert works on a windows PC
12:15 < pseudo_> i want to let clients use the upstream dhcp server to get ip addresses (i explicitly do not want to reserve an ip block for clients) - howver, I do not have control over my upstream dhcp server - is there any way that i can use openvpn as a dhcp client or another way to prevent a default route from being pushed to my clients?
12:15 < M4rc3l> and i tested it 1 device at a time
12:22 < axelm7> ShadniX, that would make part of the clients connect to one server and other clients connect to the other server. how would you solve configuration synchronization and client-to-client when they are on different servers?
12:25 -!- liriel [~liriel@aphrodite.feralhosting.com] has quit [Quit: bye]
12:27 < ShadniX> axelm7: i guess you have to deal with server config syncronisation yourself - client to client - either route between them or bridge them into the same subnet
12:29 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
12:56 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
13:10 -!- joshh20-Away is now known as joshh20
13:15 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
13:29 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
13:45 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
13:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:03 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Quit: Computer has gone to sleep.]
14:09 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
14:09 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
14:28 -!- croftworth is now known as leeve
14:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:30 -!- leeve is now known as croftworth
14:31 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
14:33 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
14:38 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:50 -!- joshh20 is now known as joshh20-Away
14:53 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:02 -!- axelm7 [~axelm7@186.135.29.72] has left #openvpn []
15:04 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
15:04 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
15:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:04 -!- mode/#openvpn [+v s7r] by ChanServ
15:04 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
15:09 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Ping timeout: 255 seconds]
15:10 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
15:10 -!- mattock is now known as mattock_afk
15:13 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
15:14 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
15:17 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:21 -!- pseudo_ [~pseudo@65.204.49.74] has quit [Ping timeout: 252 seconds]
15:25 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:37 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
15:42 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:45 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Client Quit]
15:45 -!- joshh20-Away is now known as joshh20
15:53 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
15:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
16:06 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
16:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:41 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
16:46 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
17:07 -!- debbie10t [~ma1com10t@host-2-99-68-141.as13285.net] has quit [Ping timeout: 260 seconds]
17:09 < hyperch> krzee: what do you think of current truecrypt events?
17:12 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
17:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
17:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:54 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:17 -!- averagecase [~anon@dslb-094-221-216-065.pools.arcor-ip.net] has joined #openvpn
18:25 -!- cyrozap [~cyrozap@198.23.172.133] has joined #openvpn
18:29 -!- averagecase [~anon@dslb-094-221-216-065.pools.arcor-ip.net] has quit [Remote host closed the connection]
18:56 -!- richo [~richo@unaffiliated/richohealey] has joined #openvpn
18:57 < richo> if I create a plugin that uses PLUGIN_FUNC_DEFERRED, is there a callback that I can fire when the result file is written to?
19:00 < Eugene> hyperch - I'm in the "NSL Canary letter" camp
19:18 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:23 -!- joshh20 is now known as joshh20-Away
19:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:53 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Read error: Connection reset by peer]
19:54 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:55 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
20:05 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
20:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
20:26 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:56 -!- Megaf_ is now known as Megaf
21:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
21:43 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
21:55 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
22:02 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 264 seconds]
22:03 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
22:11 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 264 seconds]
22:12 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
22:18 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
22:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
22:23 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
22:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:33 -!- mode/#openvpn [+v s7r] by ChanServ
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:35 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:40 <@krzee> hyperch, i think they were clear when they said to switch to the microsoft encryption product
22:40 <@krzee> to me that was clearly a message to us sayingn they were being coerced
22:41 < Eugene> Ayup.
22:50 -!- Megaf is now known as Megaf[Debian]
23:06 < hyperch> krzee: any other recommendation to use instead now?
23:19 < Eugene> dmcrypt if you're on a linux box.
23:20 < Eugene> I'm sticking with TC until a better alternative is presented / the details are fully revealed / the audit is completed.
23:23 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
23:29 -!- Megaf[Debian] is now known as Back
23:29 -!- Back is now known as Megaf
23:49 -!- ShadniX [dagger@p5DDFF726.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:50 -!- ShadniX [dagger@p5DDFE579.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri May 30 2014
00:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
00:16 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
00:22 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
00:28 -!- NChief [~nchief@unaffiliated/nchief] has quit [Remote host closed the connection]
00:28 -!- mattock_afk is now known as mattock
00:50 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
00:56 -!- haroldoFurtado [~textual@177.159.19.233] has joined #openvpn
00:56 < haroldoFurtado> hello guys
00:57 < haroldoFurtado> got a huge problem
00:57 < haroldoFurtado> i would like to know if has anyway to inset the password for http-proxy into ovpn file
00:58 < haroldoFurtado> my problem is that I'm trying to use it on my iphone but I can't pass my password over it
00:58 < haroldoFurtado> =/
01:00 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Quit: ZNC - http://znc.in]
01:01 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
01:06 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
01:15 -!- haroldoFurtado [~textual@177.159.19.233] has quit [Ping timeout: 255 seconds]
01:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:36 -!- zoredache_ [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 252 seconds]
01:44 -!- haroldofurtado [~textual@177.135.7.142.dynamic.adsl.gvt.net.br] has joined #openvpn
01:52 -!- Starcraftmazter [~scm@xmatio.lnk.telstra.net] has joined #openvpn
01:54 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
02:00 -!- haroldofurtado [~textual@177.135.7.142.dynamic.adsl.gvt.net.br] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:01 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
02:01 < andi> Hi
02:02 -!- haroldofurtado [~textual@177.135.7.142.dynamic.adsl.gvt.net.br] has joined #openvpn
02:03 -!- haroldofurtado [~textual@177.135.7.142.dynamic.adsl.gvt.net.br] has quit [Client Quit]
02:04 < andi> I'd like to run multiple openvpn instances on a single server. For each instance I do have a local virtual nic which connects to an internal network. A on each side, vpn and lan, should not be able to give themself a ip of one of the other networks. If so the client should not get access to one of the other network. Is openvswitch the correct approach to solve this problem?
02:05 -!- haroldofurtado [~textual@177.135.7.142.dynamic.adsl.gvt.net.br] has joined #openvpn
02:13 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:16 < Starcraftmazter> whats the commandline usage for openvpn?
02:16 < Starcraftmazter> if i just have the IP, username and password
02:16 < Starcraftmazter> no config files or anything
02:16 < Starcraftmazter> just those 3 things
02:26 -!- haroldofurtado [~textual@177.135.7.142.dynamic.adsl.gvt.net.br] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:44 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
02:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:52 -!- richo [~richo@unaffiliated/richohealey] has quit [Ping timeout: 252 seconds]
02:54 -!- Poster|x [~poster@cpe-173-88-31-131.columbus.res.rr.com] has joined #openvpn
02:55 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Ping timeout: 258 seconds]
02:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 255 seconds]
02:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
02:57 -!- s7r_k [~s7r@openvpn/user/s7r] has joined #openvpn
02:57 -!- mode/#openvpn [+v s7r_k] by ChanServ
02:57 -!- Poster [~poster@cpe-173-88-31-131.columbus.res.rr.com] has quit [Ping timeout: 265 seconds]
02:57 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 255 seconds]
02:58 -!- s7r_k is now known as s7r
03:00 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
03:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
03:27 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
03:29 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:30 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:48 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
03:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:56 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
03:57 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
03:58 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
03:59 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
04:04 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Ping timeout: 255 seconds]
04:20 < Starcraftmazter> anyone around?
04:21 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:29 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
04:30 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
04:31 -!- Starcraftmazter [~scm@xmatio.lnk.telstra.net] has quit [Quit: GNU/Linux*]
04:31 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
04:32 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Client Quit]
04:33 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
04:37 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 252 seconds]
04:44 -!- ShadniX [dagger@p5DDFE579.dip0.t-ipconnect.de] has quit [Quit: Bye.]
04:44 -!- ShadniX [dagger@p5DDFE579.dip0.t-ipconnect.de] has joined #openvpn
04:46 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
04:58 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
05:03 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Ping timeout: 255 seconds]
05:05 -!- Starcraftmazter [~scm@eth2395.nsw.adsl.internode.on.net] has joined #openvpn
05:05 < Starcraftmazter> hi
05:05 < Starcraftmazter> anyone around
05:08 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
05:14 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
05:14 -!- Starcraftmazter [~scm@eth2395.nsw.adsl.internode.on.net] has quit [Quit: GNU/Linux*]
05:47 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
05:59 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
06:03 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Ping timeout: 255 seconds]
06:05 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
06:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:13 -!- barnoid [~barney@baiji.subli.me.uk] has joined #openvpn
06:49 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:59 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
07:04 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Ping timeout: 255 seconds]
07:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
07:06 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:16 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 258 seconds]
07:40 <@krzee> andi,
07:40 <@krzee> read this
07:40 <@krzee> !route
07:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
07:41 <@krzee> you dont need to give them ips on other networks, just properly configure routing
07:45 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has joined #openvpn
07:45 < mojtaba> Hi, I have followed all this tutorial and I am trying to connect to my pi via ubuntu. But I get connection timed out error. Any help is highly appreciated. http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing#awesm=~oFHQP63smB59uG
07:45 <@vpnHelper> Title: Building A Raspberry Pi VPN Part One: How And Why To Build A Server ReadWrite (at readwrite.com)
07:46 <@krzee> no!walkthrough
07:46 <@krzee> !walkthrough
07:46 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
07:47 <@krzee> so ya im down to help, but im not reading the walkthrough
07:47 <@krzee> !goal
07:47 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:52 < mojtaba> krzee: How can I check the log for vpn errors?
07:55 <@krzee> !logfile
07:55 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
07:55 <@krzee> feel free to pastebin it and i can take a look for you
07:56 <@krzee> also your
07:56 <@krzee> !configs
07:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:56 <@krzee> and dont forget to:
07:56 <@krzee> !goal
07:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:01 < mojtaba> krzee: The goal is to connect to pi in a lan (Although I have configured the DDNS service to connect to it behind router and I have forwarded the needed port over udp.)
08:02 <@krzee> and you simply get timeout?
08:03 < mojtaba> krzee: I am trying to pastebin the log
08:03 <@krzee> ok
08:03 <@krzee> ill need the log from both sides
08:03 <@krzee> with verb 5 set
08:03 < mojtaba> krzee: How should I set verb 5?
08:03 <@krzee> does your config have a line with verb in it?
08:03 <@krzee> grep verb /path/to/config
08:04 < mojtaba> krzee: let me check
08:06 < mojtaba> krzee: in server.conf it is verb 1
08:06 <@krzee> see, i hate walkthroughs
08:06 <@krzee> set that to verb 5 for testing, and later verb 3 is usually good for normal usage
08:07 < mojtaba> krzee: also in the client configuration code it is verb 1
08:07 <@krzee> although if on the pi verb 1 may be best when finished
08:07 <@krzee> because of space issues
08:07 <@krzee> either way, change both to 5 for now.,
08:07 < mojtaba> krzee: ok
08:08 < mojtaba> krzee: I set them
08:09 < mojtaba> should I try to connect and then take a look at log?
08:12 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:14 -!- Slagwag [~Slagwag@ec2-54-243-204-28.compute-1.amazonaws.com] has left #openvpn []
08:16 <@krzee> yes, after setting them start openvpn on the server, then on the client
08:16 <@krzee> then when it fails post both logs
08:18 -!- fonk [~fonk@unforgotten.de] has joined #openvpn
08:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:39 < mojtaba> krzee: It is on client side: http://paste.ubuntu.com/7551577/
08:39 -!- fonk [~fonk@unforgotten.de] has left #openvpn []
08:41 < mojtaba> krzee: PI: http://paste.debian.net/102562/
08:42 <@krzee> read this again:
08:42 <@krzee> !logfile
08:42 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:42 <@krzee> thats not your openvpn log
08:50 < mojtaba> krzee: I am looking for it. :)
08:54 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
08:56 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:04 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
09:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:22 -!- tamazaki [~tamazaki@95.85.35.109] has joined #openvpn
09:24 < tamazaki> the mtu on my link is 1470 when not connecting through OpenVPN. Once connected, if I try ping any Internet server through the VPN, the maximum packet size is 171 bytes before I get no reply. Any idea what could cause that?
09:27 < tamazaki> If I 'ping -M do -c 1 -s 172 openvpn.net' I get no response.
09:43 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
09:45 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
09:46 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
09:47 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:50 < tamazaki> Can anyone confirm what they would expect to see?
09:53 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
10:26 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
10:32 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:32 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
10:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
11:14 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 255 seconds]
11:24 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:25 -!- axelm7 [~axelm7@186.135.81.52] has joined #openvpn
11:25 -!- axelm7 [~axelm7@186.135.81.52] has left #openvpn []
11:31 -!- michaelhart_ [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
11:33 -!- michaelhart [~michaelha@162.209.54.120] has quit [Ping timeout: 255 seconds]
11:33 -!- michaelhart_ is now known as michaelhart
11:41 < pekster> tamazaki: tamazaki Sounds like screwed up MTU setings between your 2 endpoints. "technically" with IPv4 fragmentation you could theoretically disallow fragments larger than 68 bytes, but after re-assembly the far end would (by RFC) be required to handle at _least_ 576
11:42 < pekster> Either your openvpn configs don't match MTU settings between them, or the link on the far side is misconfigured
11:49 < M4rc3l> with the iphone openvpn app does the profile i imported from my pc need any special settings?
11:49 < M4rc3l> it connects to the server but i cant acces the interwebs
11:49 < M4rc3l> and it works perfectly fine on the pc
11:57 -!- larryone [~larryone@176.61.1.155] has quit [Ping timeout: 264 seconds]
12:35 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:46 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:49 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
12:54 -!- u0m3_ [~u0m3@92.80.122.72] has joined #openvpn
12:56 -!- u0m3 [~u0m3@92.80.122.72] has quit [Ping timeout: 245 seconds]
13:01 -!- u0m3 [~u0m3@92.80.122.72] has joined #openvpn
13:01 -!- u0m3_ [~u0m3@92.80.122.72] has quit [Ping timeout: 240 seconds]
14:08 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 255 seconds]
14:30 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
14:31 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
14:42 -!- elfixit [~Icedove@1-122.198-178.cust.bluewin.ch] has joined #openvpn
14:58 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has quit [Ping timeout: 252 seconds]
15:15 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
15:17 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
15:17 -!- Turn_Left [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:21 -!- mattock is now known as mattock_afk
15:21 -!- jerrcs [jeremy@dogpound.sliqua.com] has quit [Write error: Broken pipe]
15:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
15:21 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Write error: Broken pipe]
15:22 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
15:22 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
15:26 -!- elfixit [~Icedove@1-122.198-178.cust.bluewin.ch] has quit [Ping timeout: 276 seconds]
15:31 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has joined #openvpn
15:40 -!- hyperch [~hyperch@ns99.roleplayer.org] has left #openvpn ["Konversation terminated!"]
16:13 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
16:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:18 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:25 -!- steveeJ [~junky@HSI-KBW-46-223-54-149.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
16:38 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has joined #openvpn
16:44 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
17:34 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
17:42 -!- jerrcs [jeremy@dogpound.sliqua.com] has joined #openvpn
18:27 -!- JordanJ2 [xClone84@unaffiliated/jordanj2] has left #openvpn ["Leaving"]
19:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:24 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
19:31 -!- joshh20-Away is now known as joshh20
19:33 -!- oxee [~oxee@n215s221.ntc.harrisonburg.shentel.net] has quit [Quit: Computer has gone to sleep.]
19:39 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:58 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
20:44 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:57 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
20:57 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
20:57 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Broken pipe]
20:57 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
20:58 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
20:58 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
21:04 -!- Turn_Left [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:23 -!- joshh20 is now known as joshh20-Away
21:29 -!- ufd [~uf@111.173.101.25] has joined #openvpn
21:31 -!- cyrozap [~cyrozap@198.23.172.133] has quit [Quit: Client quit]
21:33 -!- cyrozap [~cyrozap@198.23.172.133] has joined #openvpn
21:46 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 240 seconds]
21:49 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
21:53 -!- cyrozap [~cyrozap@198.23.172.133] has quit [Quit: Client quit]
21:54 -!- cyrozap [~cyrozap@198.23.172.133] has joined #openvpn
22:19 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:33 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:33 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:42 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
22:46 -!- Netsplit *.net <-> *.split quits: kossy, _FBi, AsadH, RBecker
22:46 -!- Netsplit over, joins: kossy
22:49 -!- RBecker [~Ryan@unaffiliated/rbecker] has joined #openvpn
22:50 -!- Poster|x is now known as Poster
22:51 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
22:57 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: No route to host]
23:01 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
23:12 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has quit [Ping timeout: 276 seconds]
23:23 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has joined #openvpn
23:27 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has quit [Ping timeout: 240 seconds]
23:48 -!- ShadniX [dagger@p5DDFE579.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:49 -!- ShadniX [dagger@p5DDFC830.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat May 31 2014
00:35 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has joined #openvpn
00:36 < hilarie> !welcome
00:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:36 < hilarie> !mitm
00:36 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
00:36 < hilarie> !wiki
00:36 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
00:38 < hilarie> !configs
00:38 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
00:45 < hilarie> Alrighty, http://pastebin.ubuntu.com/7556511/ is my config.  What I am trying to do is run my whole network through openvpn(My isp is being creepy) I've set up my HTPC with an addition NIC and made it my DHCP server, and followed the iptables instructions on tinyurl.com/9tbqul7 that is functioning I can access the internet anywhere on my network through my HTPC, but when I start openvpn, things
00:45 < hilarie> explode, I've also tried editing the ethX to tun0 to no avail.
00:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-kiwpbdpqkiakherf] has quit [Ping timeout: 240 seconds]
00:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-fqpzoyozpynhndhm] has joined #openvpn
01:04 < hilarie> Here is my question on superuser it is formatted better http://superuser.com/questions/760942/combination-of-nat-dhcp-and-openvpn-on-lubuntu-14-04
01:04 <@vpnHelper> Title: linux - Combination of NAT, DHCP, and OpenVPN on lubuntu 14.04 - Super User (at superuser.com)
01:13 < cyberanger> hilarie: cat /process/sys/ipv4/ip_forward please
01:13 < hilarie> one moment
01:14 < hilarie> No such file or directory
01:15 < hilarie> no /process/ exists though
01:17 -!- cheesenbiscuits [cheesenbis@213.218.50.60.cbj04-home.tm.net.my] has joined #openvpn
01:17 < cheesenbiscuits> Hi Everybody
01:17 < cyberanger> hilarie: my bad, android autocorrect fouled that up
01:18 < hilarie> No problem at all, what was I catting?
01:18 < cyberanger> Cat /proc/sys/net/ipv4/ip_forward
01:19 < hilarie> the output is 1
01:20 < cyberanger> Trying to rule out three thoughts, that cmd spits out zero or one, depending on what the kernel is set for
01:21 < cyberanger> You want one (you ran a command for it, but I wanted to verify it was applied)
01:21 < hilarie> You can rule out a hundred thoughts, my ISP is creeping me out and I really want to just encrypt my entire connection, I've got all weekend
01:23 < cyberanger> hilarie: hoping you don't need that much, noticed your config uses run instead of tap, is that what your provider wants?
01:24 < hilarie> Yes, should I switch away from them?
01:25 < hilarie> I was thinking I would eventually set up some iptables to let SSL around the vpn tunnel
01:26 < cyberanger> My main thought is run won't tunnel DNS amongst other protocols
01:27 < cyberanger> Will your provider allow tap
01:27 < hilarie> I'll open a chat with them, and see
01:28 < hilarie> Worst case I can always pick up a VPS or something at the datacenter my ISP lands in
01:29 -!- cheesenbiscuits [cheesenbis@213.218.50.60.cbj04-home.tm.net.my] has quit [Ping timeout: 245 seconds]
01:30 < hilarie> They are saying I can run either.
01:31 < cyberanger> I would switch, considering your goal
01:31 < hilarie> Although I think I may be more confused Samantha B
01:31 < hilarie> The tap driver if for windows computers. Tun is for android devices.
01:31 < cyberanger> I run tap on android and linux
01:32 < hilarie> I'm just quoting there tech person
01:34 < hilarie> I'm going to try running it as tap, I'll probably disapear for a few minutes
01:34 < cyberanger> Yeah, Idk why they think thay
01:34 -!- mattock_afk is now known as mattock
01:34 < cyberanger> That
01:35 < cyberanger> OK I'll be around again
01:35 < hilarie> hrm, exited due to fatal error
01:35 < cyberanger> Shouldn't be going anywhere soon
01:36 < hilarie> pastebin.ubuntu.com/7556754
01:37 -!- croftworth [croftworth@unaffiliated/croftworth] has quit [Remote host closed the connection]
01:38 < hilarie> all I changed was dev tun to dev tap
01:40 < cyberanger> OK, lemme look at something real quick
01:51 < hilarie> I'm seeing that the difference is an extra hop in latency, It only takes me from 70ms to 85ms to a stable reference server
01:52 < cyberanger> hilarie: might have to revisit this when I'm at my desk, bumpy roads making reading and typing hard
01:53 < cyberanger> Plus I have Pia config there too (rarely use it though, keep to my own little network mostly)
01:54 < cyberanger> That way I can see what I did myself, make troubleshooting a little easier
01:56 < hilarie> Ahhh
01:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:08 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has quit []
02:09 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has joined #openvpn
02:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:20 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has quit [Disconnected by services]
02:21 -!- hilarie [~hilarie@173.192.176.162-static.reverse.softlayer.com] has joined #openvpn
02:24 -!- abbe [having@badti.me] has joined #openvpn
02:29 -!- hilarie [~hilarie@173.192.176.162-static.reverse.softlayer.com] has quit [Ping timeout: 245 seconds]
02:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
02:34 -!- hilarie [~hilarie@173.192.170.103-static.reverse.softlayer.com] has joined #openvpn
02:34 < hilarie> It didn't seem to survive reboot
02:35 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:40 -!- hilarie [~hilarie@173.192.170.103-static.reverse.softlayer.com] has quit [Ping timeout: 255 seconds]
02:45 -!- hilarie [~hilarie@173.192.170.96] has joined #openvpn
02:50 -!- hilarie [~hilarie@173.192.170.96] has quit [Ping timeout: 240 seconds]
02:53 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has joined #openvpn
02:54 < hilarie> holy cow, I got an answer on superuser, but it is intermittant still
03:00 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has quit [Ping timeout: 240 seconds]
03:08 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has joined #openvpn
03:15 < hilarie> cyberanger, I'm going to bed, I'm not sure what is going on, but whenever I reboot it gets angry again, the linked superuser thing made it work until restart, I need to figure it out, I think it has to do with iptables not wanting to nat to an interface that doesn't exist yet or something.
03:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
03:16 -!- Fat-Zer_ [~alexander@ppp83-237-175-168.pppoe.mtu-net.ru] has joined #openvpn
03:18 -!- hilarie [~hilarie@static-nonat-195-100.kpunet.net] has quit [Quit: ZNC - http://znc.in]
03:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:27 -!- hilarie [~hilarie@173.192.176.155-static.reverse.softlayer.com] has joined #openvpn
03:27 < hilarie> #python
03:27 < hilarie> I figured it out! or rather someone else figured it out!
03:28 < hilarie> It was the eth2 vs tun interface, and then, it was the tunX vs generic tun
03:28 < hilarie> Now the real trick is to take detailed enough notes that when I hose this in a couple months I don't have to do it again...
03:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:40 -!- mattock is now known as mattock_afk
04:27 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:40 -!- jonquest [~jp@unaffiliated/jp-] has joined #openvpn
04:41 -!- bears_ [~bears@unaffiliated/bears] has joined #openvpn
04:42 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
04:42 -!- jp- [~jp@unaffiliated/jp-] has quit [Ping timeout: 265 seconds]
04:43 -!- pnielsen__ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
04:44 -!- MadTBone [~MadTBone@160.39.238.199] has quit [Ping timeout: 265 seconds]
04:44 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
04:44 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 265 seconds]
04:44 -!- bears [~bears@unaffiliated/bears] has quit [Ping timeout: 265 seconds]
04:44 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 265 seconds]
04:44 -!- iokill [~dave@pippin.sigma-star.at] has quit [Ping timeout: 265 seconds]
04:45 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:47 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
05:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:12 -!- hilarie [~hilarie@173.192.176.155-static.reverse.softlayer.com] has quit [Ping timeout: 260 seconds]
05:14 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
06:42 -!- cornfeedhobo [~cornfeedh@unaffiliated/cornfeed] has left #openvpn ["when i leave, come together like butt cheeks"]
06:44 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
06:50 -!- larryone [~larryone@89.100.23.131] has quit [Ping timeout: 265 seconds]
07:45 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
08:06 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
08:25 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:54 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
09:14 -!- joshh20-Away is now known as joshh20
09:15 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:49 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
09:53 < svg> Hi, FWIW, I shared a generic Python script to implement various openvpn user script; also a more specific one with which I implemented ldap group membership based profiles: https://github.com/ginsys/openvpn-user-defined-scripts
09:53 <@vpnHelper> Title: ginsys/openvpn-user-defined-scripts · GitHub (at github.com)
10:07 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: AF_INET -> AF_INET6]
10:07 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
10:12 -!- AmazonStuff [AmazonStuf@unaffiliated/amazonstuff] has joined #openvpn
10:14 -!- ufd [~uf@111.173.101.25] has quit [Quit: Leaving]
10:17 < AmazonStuff> Is it possible to surf the web from work and appear to the rest of the world (internet) that you are using your home IP address?
10:17 < pekster> !redirect
10:17 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:17 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:24 < AmazonStuff> pekster: Thanks! :D
10:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:27 -!- AmazonStuff [AmazonStuf@unaffiliated/amazonstuff] has quit []
10:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:30 -!- bonjurkes [~julia@178.240.242.223] has joined #openvpn
10:31 < bonjurkes> ahoy. I am trying to arrange openvpn connection on my dd-wrt router. I have 2 issues. First one is MULTI: bad source address from client [192.168.1.108], packet dropped
10:31 < bonjurkes> and second one is, I can't ping google.com , and I can't also ping 8.8.8.8 . Related with that error above probably
10:32 -!- artemz [~artemz@2001:4ba0:cafe:768::1] has quit [Read error: Connection reset by peer]
10:32 < pekster> Probably not related to that above error (or your client sucks at determining proper routing sources.)
10:32 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:32 < pekster> !goal
10:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:34 < bonjurkes> goal : making dd-wrt router connect to openvpn so all network will use vpn connection to go out.
10:34 < bonjurkes> problem1: not sure about if any iptables needed on dd-wrt side. Connection is succeeded but the routing probably is problematic
10:35 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
10:35 < bonjurkes> fact1: vpn server works fine for connecting over laptop, mobile phone etc. but never tried connecting to vpn server from a router
10:35 -!- Megaf_ is now known as Megaf
10:35 < pekster> !redirect
10:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:35 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:35 < Eugene> The flowchart is your friend.
10:36 < Eugene> Also, it sounds like your issue is
10:36 < Eugene> !clientlan
10:36 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
10:36 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
10:36 < Eugene> no iroute directive = bad source address
10:36 < pekster> dd-wrt is kind of a junk OS (history of some basic security problems, plus lack of real tools like a proper network or Netfilter userland.) YMMV, and if you have a crappy device that "only" runs it, you're SOL
10:37 < pekster> It'll probably work with openvpn at a basic level, but missing userland utilities is kind of a pain for advanced networking
10:37 -!- bonjurkes [~julia@178.240.242.223] has left #openvpn []
10:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:38 < pekster> Well, ok then
10:39 -!- bonjurkes [~julia@178.240.242.223] has joined #openvpn
10:39 < bonjurkes> !routing
10:39 < bonjurkes> appearently I can'T make it work and magically my room window is closed
10:40 < bonjurkes> !routing
10:41 < pekster> (maybe you want !route? also, the flowchart is where you should be starting, although there's lots of good info in !route too)
10:41 < bonjurkes> !route
10:41 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
10:41 <@vpnHelper> client
10:42 < bonjurkes> Eugene what was the cause of bad source address issue as you have mentioned it already?
10:42 < pekster> bonjurkes: If what you want is to redirect VPN _client_ traffic across the Internet, you do _not_ want to use clientlan or iroutes
10:42 < pekster> That "error" in such cases is your client being stupid as rocks and sourcing from bogus addresses
10:43 < pekster> (and you'd fix it by identifying the silly application that does such things. I've seen the Windows NTP client do that, and there was some Linux kernel module that was broken in a similar way, some obscure network storage module)
10:43 < bonjurkes> well I just want my whole network traffic to be routed on openvpn server, so whenever ip is checked on local devices it will show openvpn addres
10:44 < pekster> What "whole network" ?
10:44 < bonjurkes> devices connected to router
10:44 < pekster> And that's the VPN client?
10:44 < bonjurkes> I assume router will be the vpn client
10:45 < pekster> assume? You don't know how you plan to design the topology?
10:45 < bonjurkes> nope
10:45 < pekster> Then you need to figure that out first
10:45 < pekster> If you want the traffic to go somewhere else, you need to create a remote system at that "somewhere else" to act as your VPN server
10:46 < bonjurkes> pekster I have vpn server, I have vpn clients on my laptop, on my android phone etc
10:46 < bonjurkes> so I can connect to vpn server from those devices seperately
10:46 < pekster> So there's your topology
10:47 < bonjurkes> What I want is using dd-wrt 's so called openvpn functionality, to make router connected to vpn server, and route all network traffic to openvpn server, and vpn server will handle the rest
10:47 < pekster> Sounds to me like you don't really want to redirect _all_ traffic from your client-side router though (unless you're OK with not having external access to the router itself, in which case you probably cood)
10:47 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
10:47 < pekster> I have zero clue aobut dd-wrt's functionality (for help with that, ask them.) I do know how openvpn works though
10:48 < bonjurkes> pekster not having external access to router is fine
10:49 < pekster> In that case, you will need both !redirect and one of either: 1) !clientlan so your VPN server knows of the client network, or 2) NAT traffic from your router's LAN to the VPN IP its assigned
10:49 < pekster> Normally you avoid NAT like the plauge, but since you're presumably NATing on the VPN server egress anyway, there's not really a drawback
10:50 < bonjurkes> !redirect
10:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:50 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:53 < bonjurkes> !nat
10:53 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
10:57 < bonjurkes> !ipforward
10:57 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:58 < bonjurkes> !linipforward
10:58 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:59 -!- mattock_afk is now known as mattock
11:03 < bonjurkes> !linnat
11:03 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
11:07 < bonjurkes> redirect-gateway is enabled, nat is enabled, ipforward is enabled. Can see that I got ip from vpnserver. But still can't ping ips
11:12 < pekster> What OS is your VPN server?
11:12 < pekster> (and for now don't even worry about the LAN behind your VPN client. Save that for later)
11:13 -!- FoXMaN [xoff@unaffiliated/foxman] has joined #openvpn
11:14 < FoXMaN> hello
11:14 < FoXMaN> can anyone tell me where can i  report openvpn bugs?
11:15 < pekster> FoXMaN: https://community.openvpn.net/openvpn/report (account required for reporting.) What's your issue?
11:15 <@vpnHelper> Title: Available Reports – OpenVPN Community (at community.openvpn.net)
11:16 -!- chuck_f [~chuck_f@185.red-80-26-202.adsl.dynamic.ccgg.telefonica.net] has joined #openvpn
11:21 < FoXMaN> pekster: in openvpn server compiled with openssl when using capath option, CA certificates and CRLs are loaded only once during initialization (to X509_STORE). As a result CRL files are never refreshed during the server lifetime. When CRL list expire after few weeks all clients are rejected.
11:23 < FoXMaN> an server restart is required. This also mean that when certain certificate is banned by the CA, openvpn won't refresh crl until restart and this client will be able to establish connection'
11:23 < pekster> Ah, interesting use-case. A bugreport is probably the best place for that
11:23 < FoXMaN> s/an//
11:23 < pekster> You would work-around the issue with --crl instead (which is consulted each connection, and each TLS renewal)
11:24 < FoXMaN> pekster: can i specify more than one crl list?, i'm affraid that bad CRLs will still be in X509_STORE struct and all clients will get blocked when crl list expires
11:25 < pekster> OpenVPN will still use expired CRLs
11:25 < pekster> (ie: those past the "next issuance expected" date)
11:25 < pekster> Why do you need more than 1 list? Do you have a chain of CAs?
11:26  * pekster doesn't understand what you're doing exactly. The problem with "refreshing" the --capath list is 1) you need to do it on _every_ connection and _every_ TLS renewal, and that might be operationally expensive or troublesome, and 2) that opens up the door for CA values to change, which opens up subtle failure modes
11:27 < pekster> Well, and 3) it doesn't exist today :P
11:28 < FoXMaN> pekster: we use two separate CAa
11:29 < pekster> Just combine the CRLs into one file then
11:29 < pekster> Oh, or better yet: see --crl-verify
11:29 < pekster> It supports a 'dir' flag
11:30 < FoXMaN> pekster: i'll have a look
11:30 < pekster> Oh, guess that's for files-as-serial only, so won't work here (as each CA may use the same serial itself)
11:30 < FoXMaN> i think that refreshing CApath can be done once a few minutes w/o any performance penalty
11:30 < pekster> But you should be able to combine crl1.pem and crl2.pem into crl_both.pem and use that
11:31 < pekster> Be careful making assumptions like this when other people might be supporting many more connections than you are
11:31 < pekster> My point is there may be a better way to do what you want
11:32 < pekster> You 1) do not need to keep old copies of the CRL around. That's silly. 2) Don't worry about the "expiration" time -- OpenVPN does not use/care about it. 3) so long as combining CRLs works, I don't think you have a problem using --crl-verify in the first place
11:32 < FoXMaN> pekster: crl-verify might be an option here, but can we get rid of capath directive by concatenating two ca certs?
11:32 < pekster> Yes
11:32 < FoXMaN> are you sure?
11:33 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
11:33 < pekster> Yup. Read the manpage
11:34 < FoXMaN> ok. thanks for help. We decided to use capath as we used it for other software like apache.httpd
11:34 < FoXMaN> i'll check it
11:34 < pekster> huh? You're not pointing this to your system-wide OpenSSL CA store are you?!
11:35 < pekster> (if you have done that, you'be just allowed anyone on the planet issued a cert by a CA your distro trusts to auth against your VPN)
11:36 < pekster> If your path consists strictly of CAs you do trust to authenticate users, that should be fine. Just handle the CRLs via --crl-verify; choice of --ca verses --capath is up to you
11:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
11:37 < FoXMaN> pekster: :) we know what we're doing, we use client-connect script and have our own certificate dir for 2 CAs
11:38 < pekster> k, just checking. We do get people here who think trusting all CAs is smart :P
11:39 < FoXMaN> :)
11:41 < pekster> Seems this is a known openssl problem in this mode: http://marc.info/?l=openssl-dev&m=122411123423793&w=2
11:41 <@vpnHelper> Title: 'X509_STORE_add_crl does not replace CRLs' - MARC (at marc.info)
11:42 < pekster> So, "even if" the code called in openvpn again that was originally called with --capth, it still won't work as expected
11:43 < pekster> A different method in the code might "fix" that, but it's a question of time to do that
11:44 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:47 < pekster> Bah, and as always with openssl, this gets even worse. 0.9.8 does not support multiple CRLs with the same issuer name in the store, but >=1.0.0 does. Lots of subtle problems :\
11:48 < bonjurkes> hm hm
11:49 < bonjurkes> pekster I have a progress here, I can ping ip now, but can't ping google. You will say DNS. But it already has dhcp-option sent after command
11:50 < pekster> dhcp-option does nothing by default on non-Windows. !pushdns for details
11:50 < bonjurkes> !pushdns
11:50 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
11:50 < bonjurkes> hmmm
11:51 < pekster> DNS is easy to identify or rule out anyway: just ping an IP (googleDNS works well, 8.8.8.8)
11:51 < pekster> If that works, you _know_ your issue is DNS
12:08 -!- chuck_f [~chuck_f@185.red-80-26-202.adsl.dynamic.ccgg.telefonica.net] has quit [Quit: Leaving]
12:12 < bonjurkes> yep issue is dns
12:12 < bonjurkes> I didnt' understand anything about the dns thing for linux
12:13 < pekster> Pushing (or setting locally) the --dhcp-option does absoutely nothing beyond setting an environmental variable
12:13 < pekster> It's up to you to do something useful with that on your client, usually in an --up or --route-up script
12:13 < pekster> What you do depends completely on your client OS/distro and how you have configured DNS
12:14 < bonjurkes> well I will use 8.8.8.8 dns for sure
12:14 < pekster> Optionally, don't mess with that at all and use global DNS
12:14 < pekster> Then you avoid the problem
12:15 < bonjurkes> well both client and vpn is on linux. So I should either push dns to linux client, just like I do for windows. Or set that option locally on client
12:16 < bonjurkes> but I don't know how to do that for linux
12:18 < pekster> If you do not know how to set your DNS servers, ask your distro documentation or support
12:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
12:24 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:25 -!- bears_ [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
12:27 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
12:29 < bonjurkes> awww yiss
12:30 < bonjurkes> crap
12:37 < _FBi> that's what they all say
12:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:43 < bonjurkes> should I both include up and down for update-resolv-conf in server.conf?
12:44 < pekster> Presumably if you want hooks for both events
12:45 < bonjurkes> will it run "down" command before disconnecting?
12:51 < bonjurkes> yea!
12:52 < bonjurkes> yep my own issues, forgot to set local dns
12:58 -!- Sqarepusher [~Squarepus@port-1932.pppoe.wtnet.de] has joined #openvpn
13:04 -!- Sqarepusher [~Squarepus@port-1932.pppoe.wtnet.de] has quit [Remote host closed the connection]
13:07 -!- Sqarepusher [~Squarepus@port-1932.pppoe.wtnet.de] has joined #openvpn
13:20 -!- bonjurkes [~julia@178.240.242.223] has quit [Ping timeout: 264 seconds]
13:20 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
13:22 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
13:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
13:30 -!- Sqarepusher [~Squarepus@port-1932.pppoe.wtnet.de] has quit [Quit: bye]
13:31 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
13:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:40 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
14:07 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
14:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:14 < Haigha> hi, i'll have a large number of clients connecting from a known network to a OpenVPN server
14:14 < Haigha> anbd i don't need encryption or authentication
14:15 < Haigha> can OpenVPN work like that ?
14:16 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
14:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:18 < pekster> Haigha: for the data transit, yes (read --auth and --cipher in the manpage.) In multi-client mode the data channel must be TLS
14:18 < pekster> Sorry, the control channel must be TLS
14:19 < pekster> The data channel is encrypted/authenticated based on the 2 directives I just mentioned
14:21 < Haigha> do i need to generate a certificate for each client?
14:22 < Haigha> last time i tried duplicate-cn, it killed the first connection anyway
14:25 < pekster> THen you did it wrong
14:25 < pekster> (forgot to restart the instance perhaps)
14:25 < pekster> If you want "no authentication" then sure, re-use the same client keypair everywhere
14:26 < pekster> openvpn really doesn't like to be used in a no-security mode, but you can sort of do that
14:26 < Haigha> thanks, i'll try again :)
14:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 252 seconds]
14:39 -!- Sqarepusher [~Squarepus@port-1932.pppoe.wtnet.de] has joined #openvpn
14:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:45 -!- jonquest is now known as jp-
14:48 -!- mattock is now known as mattock_afk
15:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 260 seconds]
15:17 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:21 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 252 seconds]
15:31 < steveeJ>  what am i doing wrong here? openvpn[15833]: write to TUN/TAP : No buffer space available (code=105)
15:35 -!- joshh20 is now known as joshh20-Away
15:35 < steveeJ> could this have anything to do with KSM? i recently enabled that in the kernel
15:39 < pekster> In a generic sense it means the programm was unable to push data into the tun device buffer. If you made a limited number of recent changes, chances are good that one is responsible. Have you tried diabling KSM and checking results?
15:41 < steveeJ> i haven't tried to disable it yet
15:43 < steveeJ> but KSM is not enabled to run. it's just compiled in
15:50 < pekster> That appears to be one-and-the-same, but the linked docs are muddy
15:50 < steveeJ> to enable it you have to write 1 to /sys/kernel/mm/ksm/run
15:50 < pekster> Then that page has a serious omission not explaining that under "Enabling KSM"
15:51 < pekster> Of course, the "TBD" section makes it clear this isn't a very full document anyway
15:51 < steveeJ> https://www.kernel.org/doc/Documentation/vm/ksm.txt
15:51 < steveeJ> search for /sys/kernel/mm/ksm/run
15:52 < steveeJ> but i wonder what else it could be
15:52 < steveeJ> i have setup my vpn network a while a go and never had this problem
15:52 < steveeJ> now i have moved two of my systems to new hardware. so it could as well be NIC driver related
15:53 < steveeJ> and enabled KSM in kernel while i had to compile a new kernel anyway
15:54 < pekster> It's the write to the tun/tap that's failing
15:54 < steveeJ> it's a gigabit network setup with mtu size of 48k
15:54 < pekster> (not your hardware NIC)
15:55 < steveeJ> but the tun/tap buffer is only consumed by the NIC actually transmitting things over the phyiscal network
15:57 -!- Sqarepusher [~Squarepus@port-1932.pppoe.wtnet.de] has quit [Remote host closed the connection]
15:58 < steveeJ> i just went through the kernel config, and i have also changed preemption to "desktop" instead of "server". (CONFIG_PREEMPT_VOLUNTARY instead of CONFIG_PREEMPT_NONE)
15:58 < pekster> No, it's consumed by a write to the _virtual_ adapter
15:59 < pekster> f.eg, sending to your own IP, or a locally-connect VPN connection (as silly as that is in practice) would cause a tun write but _no_ physical NIC involvement
15:59 < steveeJ> ah i see
16:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
16:14 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:16 -!- nubnub [~nubnub@c-71-231-185-57.hsd1.wa.comcast.net] has joined #openvpn
16:17 < nubnub> i am trying to setup openVPN and there are a number of iptables rules that need to be added rc.local on ubuntu, i have been using ufw and my question is, should i add the iptables rules to rc.local or to before.rules (or somewhere else)?
16:18 < nubnub> !heartbleed
16:18 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
16:18 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
16:21 < pekster> nubnub: Probably better asked in #Netfilter. The short story is that your "rules" should _not_ be calling `iptables` at all, but properly integrated into an atomic firewall ruleset process that eventually feeds into iptables-restore(8)
16:22 < pekster> For more Netfilter concepts, read the links you can find in #Netfilter's /TOPIC first URL. I'd especially recommend the TPR link for a brief into
16:22 < nubnub> ok, thanks
16:22 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
16:40 < steveeJ> pekster: the weird thing about the tun/tap overflow is, i can't reproduce it. not even a long running iperf benchmark doesn't always trigger it
17:01 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has joined #openvpn
17:04 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
17:04 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has left #openvpn []
17:13 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 276 seconds]
17:15 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
17:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:44 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
18:03 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
18:05 -!- joshh20-Away is now known as joshh20
18:18 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:47 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has joined #openvpn
19:47 < mojtaba> Hi, Does anybody know where is openvpn log file?
19:48 < pekster> !logfile
19:48 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
19:49 < mojtaba> I have configured my openvpn server (pi) and my client (ubuntu), but I get timed out error.
19:52 < mojtaba> This is the result of syslog: http://paste.debian.net/102765/
19:53 < mojtaba> in PI
19:54 < pekster> none of that has anything to do with openvpn
19:54 < pekster> ifplugd and ntpd are not openvpn
19:55 < mojtaba> pekster: Could you please tell me where should I check then?
19:55 < pekster> I did
19:55 < pekster> !logfile
19:55 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
19:56 < mojtaba> pekster: I have specified verb 5, and I have not specified log path.
19:56 < pekster> Then it'll get sent to standard output unless your distro is adding other options
19:57 < pekster> As explained by #2 above
19:57 < mojtaba> pekster: my distro raspbian and there is nothing on stdout
19:58 < pekster> THen you've done something wrong. Post your configs, with comments/blanks removed. Per this info:
19:58 < pekster> !configs
19:58 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:59 < mojtaba> pekster: ok thanks
20:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:34 < mojtaba> pekster: http://paste.ubuntu.com/7562721/
20:38 < mojtaba> pekster: For the client part I just used the GUI in Ubuntu
20:39 < pekster> And that's why you have no clue where your logfile is. Without the actual client config you're using, you'd have ask ubuntu
20:40 < pekster> The better solution here is to call openvpn from the console and specify the config file with the --config option
20:40 < mojtaba> pekster: Meanwhile I am asking there, could you please review that link?
20:40 < pekster> Leave the GUI until after things work becuase it tends to hide real problems
20:42 < pekster> line 18 of your server config is bogus, remove it (line 16 already expands to include addressing)
20:42 < pekster> (line number per the paste link)
20:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:42 < pekster> So is line 20
20:43 < pekster> If your client is on 192.168.1.0/24 you'll have problems; ensure that your client never connects from its "own" version of that network, or consider changing your server-side network
20:44 < mojtaba> pekster: line 18 is command I thought.
20:44 < pekster> You appear to have no --tls-auth key in your client config, but apparently do have a --key-direction. The direction part looks okay, but without --tls-auth on the client the server will reject it
20:44 < pekster> Not in your paste, no
20:44 < pekster> http://paste.ubuntu.com/7562721/
20:44 < pekster> No comment in line 18
20:44 < mojtaba> ok, sorry I was checking real server.conf
20:45 < mojtaba> ok
20:45 < pekster> Minus the 2 lines I noted earlier, it looks okay, minus the potential conflict of common RFC1918 network
20:46 < pekster> Oh, and of course missing --tls-auth on the client
20:46 < pekster> Try build a "real" config, none of this ubuntu/network-manager crap
20:46 < pekster> Get a basic setup working before you try to do extra thngs
20:47 < mojtaba> pekster: I will try to configure client in cmd. should  I remove line 20 as well?
20:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:47 < pekster> Yes, the client already has a route to the server's IP
20:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:48 < pekster> Actually, comment out (or remove) line 22 (again, paste line numbers) as well
20:48 < pekster> --client-to-client already does that with --server
20:48 < pekster> Whatever you got that file from is really wrong :]
20:48 < pekster> :\
20:50 < pekster> Also, I've no clue why you give me something that is an incomplete config file
20:50 < pekster> I asked for your config file, not some template you run through some crappy "bash" script
20:51 < mojtaba> pekster: Actually this is the thing I have. (I took it from the link at the beginning of http://paste.ubuntu.com/7562721/)
20:51 < pekster> (omit the actual key text, but otherwise I'm not going to try and decode what that script is doing)
20:52 < mojtaba> pekster: I wish I could find something better. This is my first time I am trying to configure openvpn.
20:53 < pekster> What you've given me is completely bogus for a client config
20:53 < pekster> I don't want your shell scripts
20:53 -!- b4ggi0 [~b4ggi0@210.17.248.33] has joined #openvpn
20:53 < pekster> DEFAULT.TXT is _not_ a complete client config. you're missing: --ca, --cert, --key, and --tls-auth at minimum
20:54 < mojtaba> pekster: I have them
20:54 < mojtaba> pekster: Do you know any better step by step guide?
20:54 < pekster> I'm not playing these games
20:54 < pekster> !configs
20:54 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:54 < pekster> If you don't have configs to show me, I don't have the care to help
20:55 < pekster> The _only_ thing you should remove is the <key> and <tls-auth> contents
20:55 < pekster> I want _everything_ else from your config file, not this DEAFULT.TXT nonsense
20:55 < mojtaba> pekster: I am just a newbie.
20:55 < pekster> !howto
20:55 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:55 < pekster> mojtaba: ^^ start there. Whatever guide you followed is apparently crap.
20:56 < mojtaba> pekster: I will try to redo from the beginning with the help of that link
20:57 < pekster> What's the end-goal? If you want server-side LAN access, you really should change your LAN network
20:57 < pekster> Or is that more stuff you just coppied from this "guide" ?
20:58 < mojtaba> pekster: Actually I just want have a secure Internet access while I am in a trip.
20:59 < pekster> Then all this nonsense about 192.168.1.0 in your server config is unnecessary
21:00 < mojtaba> pekster: Actually I just followed the tutorial.
21:01 < pekster> THen it's so wrong I don't even know where to start; I just covered about half of your server config lines that are blatently wrong
21:01 < pekster> Once you follow the !howto and get basic connectivity working so that you can connect your client and ping the VPN IP of your server, follow and read: !redirect
21:01 < pekster> That should get what you want
21:02 < mojtaba> pekster: Where is !redirect?
21:02 < pekster> It's a command here:
21:02 < pekster> !new
21:02 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
21:03 < pekster> So, to get it, you just type:
21:03 < pekster> !redirect
21:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:03 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:03 < mojtaba> ok
21:03 < mojtaba> thanks
21:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:08 -!- b4ggi0 [~b4ggi0@210.17.248.33] has quit [Ping timeout: 240 seconds]
22:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
22:12 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
22:23 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
22:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
22:33 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
22:42 -!- joshh20 is now known as joshh20-Away
23:01 -!- nubnub [~nubnub@c-71-231-185-57.hsd1.wa.comcast.net] has quit []
23:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:21 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
23:31 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
23:36 -!- nutron [~nutron@unaffiliated/nutron] has quit [Excess Flood]
23:36 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
23:37 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Excess Flood]
23:37 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
23:37 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
23:39 -!- lbft [~lbft@unaffiliated/lbft] has quit [Excess Flood]
23:40 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
23:42 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
23:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
23:47 -!- ShadniX [dagger@p5DDFC830.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:48 -!- ShadniX [dagger@p5DDFFA7B.dip0.t-ipconnect.de] has joined #openvpn
23:54 -!- mojtaba [~Thunderbi@135-23-121-108.cpe.pppoe.ca] has quit [Quit: mojtaba]
--- Day changed Sun Jun 01 2014
00:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:21 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
00:34 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
00:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
00:56 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
01:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
01:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
01:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
01:36 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
01:36 -!- mattock_afk is now known as mattock
01:38 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
03:07 -!- Fat-Zer_ [~alexander@ppp83-237-175-168.pppoe.mtu-net.ru] has quit [Ping timeout: 276 seconds]
03:27 -!- Starcraftmazter [~scm@ppp59-167-167-10.static.internode.on.net] has joined #openvpn
03:27 < Starcraftmazter> hi
03:27 < Starcraftmazter> how can i connect to an IP with just a username and password - no certificates?
04:01 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 240 seconds]
04:02 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
04:09 < steveeJ> Starcraftmazter: PPTP :P
04:10 < steveeJ> seriously, even if that setup worked you would have no encryption
04:11 < Starcraftmazter> steveeJ: pptp?
04:11 < steveeJ> that was supposed to be a (bad) joke
04:12 < Starcraftmazter> idk i asked my work for vpn access and i got given a username, password and IP
04:12 < Starcraftmazter> so not really sure
04:12 < steveeJ> no software package?
04:13 < steveeJ> well, openvpn is not the only implementation of the term VPN
04:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:22 < Starcraftmazter> sure
04:22 < Starcraftmazter> but thats what i use
04:28 < steveeJ> but it's not necessarily compatible with the server you want to connect to
04:29 < steveeJ> it could be ciscos vpn, or whatever calls itself VPN
04:30 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
04:32 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:51 -!- steveeJ [~junky@HSI-KBW-46-223-54-149.hsi.kabel-badenwuerttemberg.de] has quit [Ping timeout: 252 seconds]
05:14 < gac> Starcraftmazter: could be an SSL VPN? is there a HTTPS webserver running on that IP?
05:14 -!- steveeJ [~junky@HSI-KBW-46-223-54-149.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
05:25 < Starcraftmazter> maybe
05:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:50 -!- lbft is now known as drmike
05:50 -!- drmike is now known as lbft
06:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
06:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:19 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
07:30 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Read error: Connection reset by peer]
07:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
07:47 -!- b4ggi0 [~b4ggi0@58.229.184.213] has joined #openvpn
07:49 -!- ShadniX [dagger@p5DDFFA7B.dip0.t-ipconnect.de] has quit [Quit: Bye.]
07:51 -!- ShadniX [dagger@p5DDFFA7B.dip0.t-ipconnect.de] has joined #openvpn
08:12 -!- b4ggi0 [~b4ggi0@58.229.184.213] has quit [Quit: Leaving]
08:14 -!- hive-mind [pranq@mail.bbis.us] has quit [Remote host closed the connection]
08:16 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
08:17 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:34 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
08:35 -!- Perkol [~Perkol@91.187.6.248] has joined #openvpn
08:35 < Perkol> !welcome
08:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:36 < Perkol> !howto
08:36 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:38 < Perkol> Hello. I'm using win xp, and have problem with tap drivers. When i add one it creates new network connection, instead of using old one. that way i can't use vpn.
08:55 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:58 -!- Starcraftmazter [~scm@ppp59-167-167-10.static.internode.on.net] has quit [Quit: GNU/Linux*]
09:12 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
09:33 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:59 -!- joshh20-Away is now known as joshh20
10:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
10:23 -!- Perkol [~Perkol@91.187.6.248] has quit [Remote host closed the connection]
10:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: leaving]
10:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:51 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
11:10 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
11:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:33 -!- perhapstired [~perhapsti@62.175.241.65.static.user.ono.com] has joined #openvpn
11:35 <@krzee> remove them all and then add 1
11:50 < M4rc3l> i have an ovpn profile that works fine on my pc but when i try to use it on my iphone 4 it connects but i can't acces the internet or anything, is there anything i need to change in the config?
11:50 < M4rc3l> also i tested it 1 at a time
11:58 -!- mattock is now known as mattock_afk
12:06 < perhapstired> Is setting up an openvpn server the same as connecting to a vpn that's using openvpn?
12:07 < Poster> M4rc3l: I don't know about iphones, but I believe androids can only use TUN adapters and not TAP.  Might want to make sure your iphone is able to use TAP (assuming that is what you're using)
12:08 < Poster> perhapstired: it's a bit more complicated, you have the tasks of IP addressing, routing, possibly packet filtering, etc
12:08 < M4rc3l> tun/tap is enabled on my vps
12:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
12:08 < Poster> it is the same binary and uses a lot of the same configurations though
12:08 < Poster> M4rc3l: right - I meant make sure your iphone can support TUN (if that's what you have on your OpenVPN server itself)
12:09 < M4rc3l> ah
12:09 < Poster> there may also be some limitations within the iphone surrounding usage of the tun/tap adapters, the phone might need "rooted" or something
12:15 < perhapstired> Poster: I see, thanks. I'm on a home connection  just trying to connect to an openvpn vpn. With Ubuntu inside a virtualbox and the host is windows. And the daemon won't start it just says its starting and adds three ... but then I'm not asked to authenticate myself. Apparently I don't have something called tun0, I think, either. Usually google results keep giving me instruction manuals for people that are trying to set up actual 
12:16 < Poster> ok what I would do there is start the daemon interactively
12:16 < perhapstired> Interesting, what do you mean by that?
12:16 < Poster> so the OpenVPN client is Ubuntu?
12:17 < perhapstired> Well inside ubuntu I've done a sudo apt get install openvpn yes
12:17 < Poster> ok so log into a console on your Ubuntu host and type
12:17 < Poster> openvpn --config /path/to/openvpn.conf
12:17 < perhapstired> I'm moving a windows guest to this pc to see if its the host's fault
12:17 < perhapstired> Ok one sec
12:17 < Poster> I think on Ubuntu it defaults to /etc/openvpn/_____.conf
12:18 < Poster> the above command will display interactively and may help show what is wrong
12:18 < Poster> you can also crank up the verbosity
12:18 < Poster> openvpn --verb N --config /path/to/openvpn.conf
12:18 < Poster> where N increases, I want to say 3 or so is pretty good, 5+ is pretty heavy debugging
12:19 < perhapstired> Interestingly enough I only have the .ovpn file that the VPN apparently uses, and a file called update-resolv-conf inside the etc/openvpn. I've been missing a server.conf
12:19 < Poster> well the actual file names are just cosmetic
12:19 < Poster> though OpenVPN on Windows looks for *.ovpn
12:19 < Poster> then most startup scripts look for *.conf on *n?x
12:20 < Poster> aside from pathing and some platform specific limitations (eg; chroot on *n?x only) they're pretty much interchangable
12:20 < perhapstired> I'm not sure I follow did you want me to type openvpn --config /etc/openvpn/file.ovpn?
12:20 < Poster> yeah that's how you start it interactively, let's back up though, is the Windows system the OpenVPN server?
12:21 < perhapstired> The windows system is just the host. Where I wanted to put the vpn was inside an ubuntu guest.
12:21 < Poster> ok but what are you connecting to?
12:21 < perhapstired> I went into bridged mode in case NAT had issues, really a gamble though as I don't know much
12:22 < perhapstired> a VPN in Russia I think
12:22 < perhapstired> or France
12:22 < Poster> ok so some VPN service I guess, I take it you were provided a config (ovpn is targeted Windows but can be made to work on *n?x) and maybe a shared key or SSL certificate/key/CA cert?
12:23 < perhapstired> Hmm interesting I am asked for auth username here
12:23 < Poster> ok hang on
12:23 < Poster> were you given the credentials to use?
12:23 < perhapstired> I think you might have solved it, yup I was I'll go get them.
12:23 < Poster> you can store them for automatic application, let me verify the syntax
12:24 < Poster> ok if you want, create a file of some name that makes sense to you, on the first like, put your username, second line your password
12:25 < Poster> I'd recommend applying restricted permissions to this file, possibly owned by root/root (uid 0 gid 0) then something like chmod 600 to be only owner read/write
12:26 < Poster> then launch with
12:26 < Poster> openvpn --auth-user-pass /path/to/credentialfile --auth-no-cache --config /path/to/openvpn.conf
12:26 < perhapstired> Interesting, thanks I'll use that.
12:27 < Poster> if the above works, we can add the auth-user-pass and auth-no-cache to the openvpn.conf itself, then you should be good to start/stop the daemon via native Ubuntu startup scripts
12:27 < perhapstired> Well I seem to have left the suspensive dots of the daemon behind, but now I ''canot load CA certificate file ssl/ca.crt path.. do you think this is the VPN's fault not mine?
12:27 < Poster> no it's a pathing issue
12:28 < Poster> I take it you have a ca.crt somewhere
12:28 -!- mattock_afk is now known as mattock
12:28 < perhapstired> Do you mean has the VPN given me a ca.crt?
12:28 < Poster> you'll just need to edit openvpn.conf to get the right place, by default on the Windows side it's relative to C:\Program Files\OpenVPN\config or C:\Program Files (x86)\OpenVPN\config
12:29 < Poster> yeah this service you're using likely included a ca.crt
12:29 < perhapstired> Do you think I should just create an openvpn.conf in ubuntu if none is there?
12:29 < perhapstired> Never mind one sec
12:30 < Poster> I am unsure what all options your OpenVPN provider is using, we most likely have to transpose paths to various files if it's configuration was targeted for Windows
12:43 < perhapstired> Interesting, I'm getting my head around these instructions as I'm fairly new to ubuntu. Just tried it through the network manager and it doesn't work. I did find the ca.crt file they gave me yes, maybe I should also be using the ta.key? I'll log into through cmd using verbosity to see if it gives me any more info as to what may be wrong.
12:45 < Poster> I am not sure what ta.key is, ca.crt is likely their own, self signed certificate authority cert
12:45 < Poster> you should be able to look through the .ovpn provided to determine what each file does
12:45 < Poster> in any event you can probably correct the pathing to them and be in good shape
12:46 < Poster> eg; copy them both to /etc/openvpn, then adjust the values in your *.ovpn (or *.conf) to reference /etc/openvpn/ca.crt and /etc/openvpn/ta.key
12:47 < perhapstired> Thanks. I haven't slept well I'm not processing the info well and I had 20 tabs open before asking you, so I'm getting there slowly :)... clearly I should be aiming for their .ovpn file when usually it would be a .conf file
12:47 < Poster> I would recommend renaming it to a .conf and putting it in /etc/openvpn
12:48 < Poster> I am fairly sure that Ubuntu scans for *.conf files in /etc/openvpn and will start them in order via their startup scripts
12:48 < pekster> Before you rely on GUIs, init scripts, or other such abstractions, get your config _working_
12:50 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
12:50 < pekster> Full paths are better for files you reference. Read about --cd if you'd like, but realtive paths are generally just asking for trouble unless you know what you're doing
12:53 -!- bears is now known as BearsOnUnicycles
12:54 < perhapstired> That's an interesting point you guys are making. That's what I suspect the update-server-config file must be for, I probably run that and it updates the new .conf file in the directory. I'm currently restarting the guest because the ovpn file couldnt be renamed. Also I made lots and lots of copy paste changes from the 20 tabs I was mentioning before and I'm quite sure one of them ruined my guest's network lol so I'm just going to
12:54 < perhapstired> it'll take time, so I'll get back to this in an hour or so, either way thanks for your help guys
12:56 < pekster> !both
12:56 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
12:56 < pekster> !provider
12:56 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
12:56 < pekster> In other words, you should go ask them
12:58 < perhapstired> Yes I understand that thanks, it's just my clumsiness and cli don't mix well xD
12:59 < Poster> did it work on your Windows host?
13:01 < perhapstired> I think I've made a couple of big advances seeing as half an hour ago I didn't have a clue, but I haven't actually tried it on the windows host yet.; I think what happened is I got obsessed with getting it working from the cli in ubuntu I ignored everything else.
13:02 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
13:02 < Poster> gotcha, I'd try it on it's targeted platform first, make sure everything is ok over there, then work to take the translation to bring it over to your Ubuntu host
13:08 < perhapstired> Yes, you're right. Linked clones would have been a saner approach indeed.
13:11 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:27 -!- joshh20 is now known as joshh20-Away
13:32 -!- sunwind [~paradox@cpc19-brmb8-2-0-cust205.1-3.cable.virginm.net] has joined #openvpn
13:33 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:34 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:34 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Client Quit]
13:34 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:56 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 265 seconds]
14:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
14:28 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
14:42 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:43 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
14:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
14:50 -!- mode/#openvpn [+o syzzer] by ChanServ
15:02 -!- rawburt [~irc@pdpc/supporter/professional/rawburt] has joined #openvpn
15:04 < rawburt> the init.d script for OpenVPN, at least in the Debian package, is massive. when I call it from a script that runs as a cronjob, it doesn't seem to work. any thoughts on how to diagnose this?
15:07 < pekster> File a bugreport downstream
15:07 < pekster> If your openvpn config works when called with `openvpn --config /path/to/openvpn.conf` then openvpn is doing the right thing
15:08 < rawburt> I'm starting it with /etc/init.d/openvpn start <name> in both the script and CLI... but I will try like that
15:08 < pekster> In which case you're running "whatever code debian put in"
15:09 < pekster> If you want to debug it, you want a channel for that distro, or a generic shell support channel if you need help understanding the shell code
15:10 < rawburt> thanks
15:11 < pekster> You can identify if it's the config or the init wrapper that's the problem by verifying the config works as I listed above
15:13 < rawburt> pending
15:14 < Cyclohexane> Can anyone suggest why my connections to my VPN server's web service use my normal IP as opposed to the VPN IP? (if I check the web server access logs)
15:14 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:15 -!- sunwind [~paradox@cpc19-brmb8-2-0-cust205.1-3.cable.virginm.net] has quit [Quit: sunwind]
15:15 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
15:16 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
15:16 -!- larryone [~larryone@89.100.23.131] has quit [Client Quit]
15:22 -!- mattock is now known as mattock_afk
15:31 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
15:31 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Remote host closed the connection]
15:34 < rawburt> pekster: does not work with openvpn --config /etc/openvpn/*****.conf
15:34 < rawburt> in the script... that is. works fine if I run it from the CLI
15:34 < rawburt> from my shell rather
15:34 < rawburt> think I should open a bug?
15:39 < rawburt> not yet, still gathering information. save your response until later.
15:44 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:14 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 245 seconds]
16:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:23 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
16:25 < rawburt> pekster: stupidly, I was adding the cron job to root's cron; when I put it in /etc/crontab everything works. it was probably environment variables in the /etc/crontab that I don't have in root's cron.
16:26 < rawburt> thanks for your help!
16:27 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
16:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:12 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:20 -!- ebaydan777 [~danielmar@ip68-101-163-72.sd.sd.cox.net] has joined #openvpn
17:20 < ebaydan777> hello, any mods that could help me?
17:22 -!- larryone [~larryone@176.61.1.155] has quit [Ping timeout: 265 seconds]
17:23 < ebaydan777> with my iphone connection, keeps timing out when trying to join vpn
17:26 -!- Netsplit *.net <-> *.split quits: Chrisje, fred``, Ulrar, Olipro, Nothing4You
17:27 -!- `Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
17:29 -!- `Nothing4You is now known as Nothing4You
17:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:37 -!- Netsplit over, joins: fred``, Chrisje, Ulrar
17:37 -!- ebaydan777 [~danielmar@ip68-101-163-72.sd.sd.cox.net] has left #openvpn []
17:37 -!- ebaydan777 [~danielmar@ip68-101-163-72.sd.sd.cox.net] has joined #openvpn
17:37 < ebaydan777> anyone that can help?
17:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:39 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:41 -!- joshh20-Away is now known as joshh20
17:51 -!- joshh20 is now known as joshh20-Away
18:07 < Cyclohexane> How can I get around this issue? http://lowendtalk.com/discussion/17979/openvpn-doesn-t-tunnel-traffic-to-vpn-host-server -- I want to only allow vpn clients to a certain directory in the web server (also on the same server)
18:07 <@vpnHelper> Title: OpenVPN doesn't tunnel traffic to VPN host server - LowEndTalk (at lowendtalk.com)
18:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:10 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:15 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
18:19 < pekster> Use the VPN IP
18:19 < pekster> Or set up advanced policy routing on your client
18:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:22 < pekster> Oh, -as is completely different
18:22 < pekster> !as
18:22 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
18:22 < pekster> AS != OpenVPN -- it's a commercial wrapper around the 2.2 series openvpn
18:35 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:42 -!- u0m3 [~u0m3@92.80.122.72] has quit [Read error: Connection reset by peer]
18:48 -!- malc0re_ is now known as malc0re
18:53 < Cyclohexane> pekster: i'm not using -as, the link just perfectly described what i wanted to say. What do you mean "use the VPN IP"? that's entirely the problem, VPN and web server are on the same vps. Connections to the web server use my local IP
18:53 < pekster> Then describe your problem, not link to a report that uses a completely different product
18:54 < pekster> If you're connected to a remote VPN server, accessing the same IP as the --remote address will _not_ traverse the VPN (even when using --redirect-gateway) due to how that works
18:55 < pekster> You tunnel over the VPN by using the VPN IP of the remote endpoint (so, 10.8.0.1, when using the example 10.8.0.0/24 VPN network)
18:55 -!- u0m3 [~u0m3@92.80.122.72] has joined #openvpn
18:55 < pekster> If that's a problem and you "really need" traffic to the --remote endpoint to go over the VPN, you need to set up policy routing on your client such that only the VPN traffic goes over the physical link, usually identified by IP/port/protocol you're using. This is a somewhat advanced routing technique
18:58 < Cyclohexane> pekster: do you have a link that describes that? Ideally I want to be able to access a protected web directory (only allowing VPN connections makes life easier in case of multiple public IPs e.g. travelling)
18:58 < pekster> Then access it via the IP of the VPN
18:58 < pekster> set up some https://vpn.www.example.net that points to the VPN IP range
19:00 < Cyclohexane> pekster: if i connect to http://10.8.0.1/ it still shows my local IP in the web server access logs
19:01 < pekster> What's your overall topology look like? you're accessing that URL from a client connected to the VPN server?
19:03 < Cyclohexane> pekster: Yeah I'm connected to the VPN, connecting via browser. The VPS just has a tun0 interface on 10.8.0.0 (nothing else other than eth0/lo)
19:05 < pekster> What OS is your client?
19:05 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:05 < Cyclohexane> pekster: windows - using Viscosity
19:06 < pekster> Do you have a valid route to reach 10.8.0.1 shown in `route -4 print` ?
19:08 < Cyclohexane> pekster: I have          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     30
19:08 < Cyclohexane> the same for 10.8.0.0
19:09 < pekster> You can avoid the /30 sillyness by reading !topology, but that's not the issue here
19:09 < pekster> So accessing 10.8.0.1 from the client should go over your tun interface on the client
19:09 < pekster> The webserver on 10.8.0.1 will see the connection as sourced from the VPN client's interface
19:09 < pekster> (IP, rather)
19:11 < Cyclohexane> pekster: the web server redirects to a hostname, could that be the problem? e.g. 10.8.0.1 becomes http://hostname.com/
19:11 <@vpnHelper> Title: hostname.com (at hostname.com)
19:11 < pekster> Yes
19:11 < pekster> What is "hostname.com" resolving to?
19:12 < Cyclohexane> pekster: the external IP address of the vps
19:12 -!- joshh20-Away is now known as joshh20
19:12 < pekster> Right, which won't go over the VPN link as previously defined
19:12 < pekster> Why would you expect it to?
19:12 < Cyclohexane> cause im a big noob
19:13 < Cyclohexane> pekster: thanks anyway, you've been a big help
19:14 < pekster> If you're expecting --redirect-gateway to redirect _everything_ , that's not how it works. Pay attention to the manpage's description of that directive, specifically step (1) in that sequence
19:14 < pekster> You can work around it, but if your client is Windows it's basically impossible
19:14 < pekster> It's still complex on Linux/Unix, but at least within the realm of possibility
19:15 < pekster> What you probably want to do instead is used a DNS entry that uses the VPN IP, since that'll work everywhere
19:26 < pekster> Cyclohexane: The other way to solve this problem is allocate a new public IP to this service which you do direct over the VPN (either by a route --push, or by way of --redirect-gateway since it won't be the VPN endpoint)
19:29 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
19:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:01 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Remote host closed the connection]
20:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:33 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Ping timeout: 252 seconds]
20:33 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
20:34 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
20:35 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
20:51 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
21:05 -!- ebaydan777 [~danielmar@ip68-101-163-72.sd.sd.cox.net] has quit [Quit: ebaydan777]
21:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:27 -!- msn [~kvirc@125.234.96.10] has joined #openvpn
21:28 < msn> I have 2 vpn servers in seperate locations using the same auth base and certs, is there someway i can check/make sure that 1 user can only connect to the VPN only once either on one server or another
21:31 < Eugene> Not without scripting
21:31 < Eugene> !management
21:31 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
21:52 < pppingme> Need an opinion.  I have an openvpn client on my smartphone and tablet (both android 4.2).  When I'm at a certain location that has a uverse (its actually an adsl2+, not vdsl, but marketed as uverse) I can't get a connection, I don't have issues from anywhere else.  Now, here's where it gets weird, if..
21:52 < pppingme> if I turn wifi off, I can get a connection over 3g, or even edge, and once I get a connection, if I flip back to wifi, of course openvpn client see's the network has changed, but then has no problem connecting.
21:53 < pppingme> any ideas?  I haven't had a chance to setup a network capture of any kind yet, so I don't have that yet.
21:53 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 264 seconds]
21:54 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
21:54 < pppingme> when on wifi, it just stops after the client says authenticating
21:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:08 < msn> port block?
22:09 < pekster> msn: No, you'd need something higher-level than that to sync the current status of a connection between servers
22:09 < msn> pekster: i was answering pppingme, i got the management idea
22:10 < msn> will take sometie to implement
22:16 -!- joshh20 is now known as joshh20-Away
22:19 < pppingme> msn ports blocked doesn't make sense, because if I turn off wifi, it connects over 3g, then go back to wifi and it has no problem reconnecting
22:19 < msn> syn block
22:22 < pppingme> no reason to expect any traffic blocking, its the typical motorola gateway device with no special or custom settings, 100% default settings except wifi psk
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:25 -!- perhapstired [~perhapsti@62.175.241.65.static.user.ono.com] has quit [Ping timeout: 252 seconds]
22:26 < msn> i mean the wifi might be blocking 1) syn on vpn port or 2) udp connection if your openvpn is using udp
22:27 < pppingme> yes, udp, standard openvpn port.  What doesn't make sense though, and goes against what you're saying, is if I have the phone connect to the opevvpn server via 3g first, then flip back to wifi, it has no issue.
22:28 < pppingme> its also not a 100% consistent problem, its probably around 75% of the time I have the issue, the other 25% I don't.  I'm at the problem location about twice a week on average
22:28 < pppingme> resetting their gateway doesn't help either
22:30 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Remote host closed the connection]
22:32 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:32 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:45 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
23:02 -!- tauzero [~user@c-71-231-44-93.hsd1.wa.comcast.net] has joined #openvpn
23:13 -!- tauzero [~user@c-71-231-44-93.hsd1.wa.comcast.net] has quit [Quit: Leaving]
23:46 -!- ShadniX [dagger@p5DDFFA7B.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:47 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has joined #openvpn
23:58 -!- BearsOnUnicycles [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
--- Day changed Mon Jun 02 2014
00:01 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:02 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
00:09 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 252 seconds]
00:10 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
00:27 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
00:30 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
00:48 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
01:16 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has quit [Ping timeout: 252 seconds]
01:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
01:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
01:31 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
01:36 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 245 seconds]
01:40 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:43 -!- dazo_afk is now known as dazo
01:50 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has joined #openvpn
01:52 -!- mattock_afk is now known as mattock
02:04 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:09 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:30 -!- msn [~kvirc@125.234.96.10] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
02:31 -!- RobertoBenzi [~RobertoBe@78-134-110-22.v4.ngi.it] has joined #openvpn
02:51 -!- mattock is now known as mattock_afk
03:03 -!- mattock_afk is now known as mattock
03:14 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:17 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
03:19 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
03:32 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
03:46 -!- RobertoBenzi [~RobertoBe@78-134-110-22.v4.ngi.it] has quit [Remote host closed the connection]
03:47 -!- RobertoBenzi [~RobertoBe@78-134-110-22.v4.ngi.it] has joined #openvpn
03:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:07 -!- Verdi [~dagda@ip1.thgersdorf.net] has quit [Ping timeout: 240 seconds]
04:59 -!- chuck_f [~chuck_f@85.Red-83-33-47.dynamicIP.rima-tde.net] has joined #openvpn
05:14 -!- fin__ [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
05:17 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
05:17 -!- le0 [~l30@unaffiliated/le0] has quit [Client Quit]
05:30 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
05:33 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
05:44 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
05:55 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:07 -!- ustunozg_ [~ustunozgu@li283-143.members.linode.com] has joined #openvpn
06:09 < ustunozg_> hi there, does anyone know where openvpn connect on os x stores the profiles?
06:10 < ustunozg_> I want to clean up some test users but there doesn't seem to be a way to import new users.
06:16 -!- ustunozg_ [~ustunozgu@li283-143.members.linode.com] has quit [Ping timeout: 240 seconds]
06:20 -!- ustuno___ [~ustunozgu@212.174.135.252] has joined #openvpn
06:21 < ustuno___> it still remembers the revoked certs on the mac app
06:21 < ustuno___> any way to completely wipe that out?
06:21 < ustuno___> I can't find where it stores the profiles on os x.
06:21 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:23 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
06:24 < renihs> hmm is there a way to set the openvpn (client) to automatically reconnect to the server? (linux, cli, centos, openvpn service) or do i need to script something for that (check if up, restart if not)?
06:27 -!- dazo is now known as dazo_afk
06:29 -!- chuck_f [~chuck_f@85.Red-83-33-47.dynamicIP.rima-tde.net] has quit [Quit: Leaving]
06:39 -!- ustuno___ [~ustunozgu@212.174.135.252] has quit [Read error: Connection reset by peer]
06:40 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:49 < rob0> renihs, --ping-restart
06:50 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
06:54 < renihs> rob0, as config setting on the client side i assume?
06:57 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
06:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
07:04 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
07:05 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
07:07 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
07:15 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
07:35 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
07:47 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
07:49 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
07:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
07:56 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:58 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Max SendQ exceeded]
08:02 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:04 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
08:05 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 260 seconds]
08:06 < renihs> rob0, seems like ping-restart is default anyways (120), was some other issue :)
08:06 < renihs> i really need to put more effort into "removing all asa/cisco stuff" from my endpoints
08:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Broken pipe]
08:09 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
08:15 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:17 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Client Quit]
08:23 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:10 -!- joshh20-Away is now known as joshh20
09:13 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:26 -!- zafu [~pif@217-162-81-21.dynamic.hispeed.ch] has joined #openvpn
09:27 < zafu> hi, how can I ignore push messages from the server?
09:27 < zafu> for example "Received control message: 'PUSH_REPLY,route 46.246.32.130 255.255.255.255 net_gateway,route-gateway 46.246.32.1,redirect-gateway def1,topology subnet,dhcp-option DOMAIN ipredator.se,dhcp-option DNS 46.246.46.46,dhcp-option DNS 194.132.32.23,ip-win32 dynamic,ping 10,ping-restart 60,auth-retry nointeract,ifconfig 46.246.32.226 255.255.255.0'"
09:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
09:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
09:44 -!- [diecast] [~diecast@unaffiliated/diecast/x-4821952] has quit [Max SendQ exceeded]
10:07 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
10:08 <@ecrist> --no-pull
10:08 <@ecrist> but you really won't get anything at all from the server, then, zafu
10:08 -!- altermann [~chatzilla@174.1.107.101] has joined #openvpn
10:09 <@ecrist> sorry, that's wrong
10:09 <@ecrist> --route-nopull won't pull routes from server
10:09 <@ecrist> on the client, look at the man page about the --client option
10:10 <@ecrist> it is a macro for a few things, one of those being --pull
10:13 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit []
10:15 < zafu> thx
10:29 -!- haroldof_ [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
10:31 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:33 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:34 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
10:35 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
10:41 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:44 < altermann> how do you check a vpn tunnel from the command line?
10:44 < altermann> check connection status
10:44 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Quit: leaving]
10:45 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-18e1-1daf-01c6-4749.rev.sfr.net] has joined #openvpn
10:51 <@krzee> umm, ping?
10:52 <@krzee> ...how would you check it if you had used a cable?
10:56 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:02 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
11:03 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
11:05 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
11:18 < haroldof_> hello guys
11:18 < haroldof_> got a big problem
11:19 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
11:19 < haroldof_> there's a way to pass user and password proxy directly in a ovpn file?
11:19 < haroldof_> i need to do it because im trying to use my vpn from job and theres a proxy there
11:21 -!- chuck_f [~chuck_f@85.Red-83-33-47.dynamicIP.rima-tde.net] has joined #openvpn
11:31 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:36 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has joined #openvpn
11:36 < randt0sh> haroldof_: are you looking the --socks-proxy option ?
11:38 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:53 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
11:59 < haroldof_> well
11:59 < haroldof_> not really
12:00 < haroldof_> normally you pass http-proxy <ip> <port> <file> basic
12:00 < haroldof_> what i want is not need this file
12:00 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
12:00 < haroldof_> and insert directly int ovpn file
12:00 < haroldof_> something like
12:00 < haroldof_> http-proxy <ip> <port> user password
12:00 < haroldof_> something like that
12:01 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
12:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:09 -!- haroldof_ [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
12:11 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
12:13 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:14 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Client Quit]
12:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:17 -!- RobertoBenzi [~RobertoBe@78-134-110-22.v4.ngi.it] has quit [Remote host closed the connection]
12:18 < debbie10t> can I ask about iOS + OpenVPN here ?
12:22 < debbie10t> This post: https://forums.openvpn.net/post41623.html#p41623 - seems to imply that there is something wrong with --comp-lzo on iOS#
12:23 <@vpnHelper> Title: OpenVPN Support Forum iPAD Air iOS 7.1.1 connection problems : OpenVPN Connect (iOS) (at forums.openvpn.net)
12:31 <@ecrist> there is no LZO on iOS
12:31 <@ecrist> iOS openvpn is not a fully functional openvpn client, there's a lot of limitations.
12:32 < debbie10t> ahh .. thanks eric ;)
12:32 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
12:32 < debbie10t> i just thought it wise to ask as the poster seemd to have isolated a problem .. but now i understand
12:34 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Client Quit]
12:34 <@ecrist> iOS client is a complete ground-up rewrite
12:35 <@ecrist> which means it doesn't use the 2.3 codebase, but it's own codebase
12:35 <@ecrist> it will be what 3.0 is built from, we think
12:35 -!- joshh20 is now known as joshh20-Away
12:36 < debbie10t> ok .. thanks very much
12:37 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
12:46 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
12:47 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
12:47 < reiffert> !welcome
12:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:47 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:47 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Quit: ABANDON SHIP! ABANDON SHIP!]
12:48 < reiffert> 'I would like to access the internet over my vpn'
12:48 < reiffert> !/30
12:48 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
12:48 < reiffert> !sample
12:48 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:53 < reiffert> ecrist: Resolving www.ircpimps.org (www.ircpimps.org)... 66.181.8.149
12:53 < reiffert> Connecting to www.ircpimps.org (www.ircpimps.org)|66.181.8.149|:80... failed: No route to host.
13:01 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:02 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:03 <@ecrist> reiffert: that's krzee's box
13:03 < reiffert> krzee: fail
13:03 < reiffert> :-)
13:30 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
13:35 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
13:36 < ayaka> I have problem with choosing vpn, when shall I use openvpn and when shall I use ipsec solution
13:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:40 -!- joshh20-Away is now known as joshh20
13:44 -!- joshh20 is now known as joshh20-Away
13:53 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
13:55 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
13:57 <@ecrist> ayaka: that's not something we can really help you with, directly
13:57 <@ecrist> it all depends on what you're doing
13:58 < ayaka> ecrist, just like want to compare the advantage and disadvantage of them
13:58 < ayaka> I find openvpn is much easier to config than ipsec
13:58 <@ecrist> well, IPSec is really best for site-to-site tunnels
13:59 <@ecrist> many hardware devices like Cisco, Fortinet, etc, support those types of tunnels
13:59 <@ecrist> openvpn can be used for site-to-site tunnels, but it requires a system that supports openvpn and the operating daemon
13:59 <@ecrist> there are some client IPSec solutions, but they all suck, and are clunky to use
13:59 <@ecrist> openvpn shines, there
14:00 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
14:02 < svg> IPSec is the best implementation of "the best thing about standards is, you get lots of them"
14:02 < reiffert> any recommendations for a bluetooth headset, over ear speakers, active noise cancelation?
14:03 -!- steveeJ [~junky@HSI-KBW-46-223-54-149.hsi.kabel-badenwuerttemberg.de] has quit [Quit: Leaving]
14:05 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Write error: Connection reset by peer]
14:06 < Eugene> I have a pair of Logitech h800s; they're not full-can, nor cancelling, but they work pretty damn good, even on airplanes.
14:07 < reiffert> I'm planning to wear them 8-9 hours daily
14:08 < Eugene> These suit me just fine with that type of use
14:08 < Eugene> An extra bonus is that they charge while in use; other wireless sets I've owned need to be Off
14:09 < reiffert> how does charging work when using them wirelessly?
14:09 -!- mattock is now known as mattock_afk
14:10 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
14:10 < Eugene> Just a microUSB cable
14:12 < Eugene> If they're really dead and I need to use them while walking around I have a battery pack that drops in the pocket
14:12 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
14:12 < Eugene> http://smile.amazon.com/dp/B008YRG5JQ
14:13 < reiffert> I have one too for geocaching
14:16 < Eugene> This is more of "walking around town"
14:17 < Eugene> But I'm a nutjob who carries three phones, two tablets, and a smartwatch
14:17 < reiffert> power cells: same with me for walking around in the forest
14:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:21 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:23 -!- chuck_f [~chuck_f@85.Red-83-33-47.dynamicIP.rima-tde.net] has quit [Quit: Leaving]
14:52 -!- haroldof_ [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
15:01 -!- haroldof_ [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
15:08 <@krzee> reiffert, ya man fail is right
15:09 <@krzee> my guy local to the box needs to get out there to turn it back on
15:09 < Haigha> hi, one of our clients has a really strange problem. He has two connections. On the first, he can use our VPN perfectly. On the second, it resets the connection in two minutes and fails to restart.
15:09 -!- shreezbot [~chris@68-185-251-231.dhcp.leds.al.charter.com] has joined #openvpn
15:09 < shreezbot> Hi!
15:09 < Haigha> he has also tried to use the android openvpn app on the second connection, and it didn't reproduce the problem
15:10 < shreezbot> I'm trying to do some port forwarding on my openvpn server to the clients, and when my server attemts to execute a script that contains the iptables commands it it, it fails with:  client-connect command failed: external program exited with error status: 1
15:10 <@krzee> Haigha, is he using the same cert on both connections?
15:10 < shreezbot> Any ideas what would cause the status 1?
15:11 <@krzee> shreezbot, you need to debug and figure out what command is failing
15:11 < rob0> shreezbot, just a WAG here (that's all we can do), maybe you dropped privilege?
15:11 < Haigha> krzee: i already checked that, he is never using both at the same time
15:11 < shreezbot> Seems like a permissions error, as if I comment out the iptables lines, the script works
15:11 <@krzee> shreezbot, could need +x or a shbang or could have a failing command
15:11 <@krzee> or could need full path to iptables
15:12 < Haigha> i think he has one laptop and two wifi on different locations
15:12 <@krzee> Haigha, could be a firewall
15:13 < Haigha> it works on his tablet on both connections
15:13 < Haigha> and on hit laptop in the first
15:13 < Haigha> *his
15:14 < shreezbot> krzee, I definitely have +x on the script, but it looks like the iptables commands aren't working for some reason...
15:14 < shreezbot> But I cannot for the life of me figure out why
15:15 <@krzee> Haigha, thats what i asked and you said he had 1 device, does he use the same certificates on both devices?
15:16 < Haigha> we use user/pass auth
15:17 < ayaka> ecrist, thank you
15:18 < ayaka> svg, thank you
15:18 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
15:18 < Haigha> krzee: and i think he only have one username
15:18 < shreezbot> rob0, Is there a way to make sure my scripts get run as root?
15:18 < shreezbot> rob0, apparently, adding sudo in front of it doesn't correct the issue...
15:19 < Haigha> shreezbot: you should try to print some debug into a file, like echo $USER >> /tmp/script.log
15:19 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
15:19 < rob0> Either: 1. Don't drop privilege; or 2. Configure sudo or other such means of privilege escalation for your openvpn user.
15:21 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
15:23 < reiffert> krzee: why did he turn it off in the first place?
15:26 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
15:28 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has joined #openvpn
15:32 < shreezbot> So what is the secret to gettting the openvpn server to execute a script as root?
15:32 < shreezbot> My issue appears to be that you have to be root to execute iptables commands
15:36 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
15:48 < rob0> I answered that.
15:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:50 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
15:58 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
16:00 < Eugene> !unpriv
16:00 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
16:00 < Eugene> Enjoy. I've stopped bothering.
16:01 < Eugene> Fucking package upgrades
16:01 -!- larryone [~larryone@176.61.1.155] has quit [Client Quit]
16:11 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:11 < shreezbot> :)
16:12 -!- artemz [~artemz@2001:4ba0:cafe:768::1] has joined #openvpn
16:12 < shreezbot> Well, perhaps I need to approach this from a different angle.  There might be a better way of doing what I'm trying to do...
16:12 < shreezbot> I have a port that I want to forward from my openvpn server to one of my clients.
16:13 < artemz> lol seems like I was trying to force clients to use tun device while my server uses tap. this was causing all the problems for me for a whole week
16:14 < shreezbot> So I have an application on the client that I want to listen for traffic on port 58000 through the VPN, and I want connections to the external interface on the VPN server on that port to forward to the client machine...
16:14 < shreezbot> Is there a way to do that?
16:15 < artemz> shreezbot: it shoudnt be a problem if your client has static internal ip. then you can forward any port on your server to this ip using iptables
16:16 < Haigha> krzee: could it be a MTU problem ?
16:16 < shreezbot> I've tried to configure the port forward using iptables and I am obviously doing something wrong as the port isn't forwarding through...  :(
16:16 < shreezbot> admittedly, I'm not great with iptables
16:17 < artemz> shreezbot: well share the iptables command you are trying to use for forwarding
16:17 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
16:17 < haroldofurtado> ?
16:17 < artemz> btw make sure forwarding is enabled in the system
16:17 < haroldofurtado> still having problems with my vpn
16:17 < haroldofurtado> there's anyway to pass authentication into ovpn?
16:18 < haroldofurtado> i can't use a file to do it
16:18 < shreezbot> artemz, iptables -A FORWARD -p tcp -i eth7 -d 10.8.0.10 --dport 58000 -j ACCEPT
16:19 < haroldofurtado> ?
16:19 < haroldofurtado> sorry
16:19 < haroldofurtado> i saw in one place <http-proxy-user-pass>
16:19 < haroldofurtado> but it didn't work for me
16:19 < shreezbot> And then:  iptables -t nat -A PREROUTING -p tcp -d 10.8.0.1 --dport 58000 -j DNAT --to-destination 10.8.0.10:58000
16:20 < shreezbot> I don't get errors on either command
16:20 < shreezbot> But the port doesn't get forwarded
16:22 -!- haroldofurtado [~textual@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:23 < artemz> because it must be matching only packets for 10.8.0.1 ip address. are you sure you want to redirect this port on 10.8.0.1 ip?
16:23 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 265 seconds]
16:24 < shreezbot> artemz, Well, that might not be the correct ip then!  I might need to use my actual external IP
16:24 < shreezbot> artemz, May need to use the IP for my eth7 instead of the IP for tun0...
16:24 < shreezbot> artemz, perhaps...
16:25 < shreezbot> HOLY SHIT!  That worked!!!
16:26 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:26 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
16:27 < artemz> glad to hear that
16:30 -!- haroldofurtado [~kvirc@177.135.1.64.dynamic.adsl.gvt.net.br] has joined #openvpn
16:33 < shreezbot> Now that I have the correct rules, what is the best way to make sure these rules get applied when my server is rebooted?
16:33 < haroldofurtado> does anyone knows how to pass http-proxy directly into ovpn file?
16:33 < haroldofurtado> i mean
16:33 < haroldofurtado> i can't use a file to do it
16:34 < haroldofurtado> like <http-proxy>
16:34 < haroldofurtado> user
16:34 < haroldofurtado> pass
16:34 < haroldofurtado> </http-proxy>
16:36 < haroldofurtado> =
16:36 < haroldofurtado> =(
16:40 < reiffert> !factoids search proxy
16:40 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
16:41 < reiffert> !factoids search --values proxy
16:41 <@vpnHelper> 'sockd', 'port-share', 'obfsproxy', 'routebyapp', and 'obfs'
16:41 < haroldofurtado> !factoids search proxy
16:41 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
16:41 < haroldofurtado> page not found
16:43 -!- joshh20-Away is now known as joshh20
16:45 < haroldofurtado> that's not what i want
16:45 < haroldofurtado> i need to insert my user and pass through ovpn file
17:05 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
17:11 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 252 seconds]
17:12 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
17:13 < ayaka> there is a remote vps, I can ping it without lost packages, but the openvpn is hard to get connection(but it does finally) I got those kind of message in log http://fpaste.org/106654/74714214/
17:13 < ayaka> what may cause that? the firewall or GFW
17:15 -!- shreezbot [~chris@68-185-251-231.dhcp.leds.al.charter.com] has left #openvpn ["Leaving"]
17:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:33 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-18e1-1daf-01c6-4749.rev.sfr.net] has quit [Remote host closed the connection]
17:37 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:02 < MacGyver> Is there a way to have openvpn re-run a script when it loses the connection and tries to reconnect?
18:03 < MacGyver> It doesn't seem to re-run up- or route-up scripts.
18:10 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has left #openvpn []
18:17 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
18:22 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has joined #openvpn
18:24 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
18:25 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
18:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:31 -!- joshh20 is now known as joshh20-Away
18:33 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
18:42 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
18:44 -!- Netsplit over, joins: fred``, Chrisje, Ulrar
18:45 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:46 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has joined #openvpn
19:12 -!- bears is now known as BearsOnUnicycles
19:23 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:27 -!- joshh20-Away is now known as joshh20
19:38 -!- BearsOnUnicycles [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
19:44 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
19:49 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
19:54 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
20:12 -!- funyun [~temp@cpe-74-141-29-120.swo.res.rr.com] has joined #openvpn
20:18 < funyun> hi. my vpn is fast now but are there any easy optimizations I can add for increased speed? here’s my server config http://pastebin.com/YVsE7EzE
20:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 255 seconds]
20:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:26 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:02 -!- bogie is now known as bawki
21:06 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Quit: ZOMBIES!]
21:08 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
21:08 < Moonlightning> !heartbleed
21:08 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
21:08 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
21:09 < Moonlightning> Hehehe, using the Xkcd comic.
21:09 < Moonlightning> xkcd *? XKCD *?
21:09 < Moonlightning> Xkcd looks horribly wrong. 6_9
21:11 < Moonlightning> !welcome
21:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
21:11 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:12 < Moonlightning> Hmm…
21:12 < Moonlightning> !ubuntu
21:12 <@vpnHelper> "ubuntu" is dont use network manager!
21:12 < Moonlightning> !debian
21:12 <@vpnHelper> "debian" is Although we are aware the Debian stable package repository has OpenVPN 2.1rc11, to offer support, we require users to run the current version of OpenVPN. See !download for information on where/how to obtain a recent release.
21:12 < Moonlightning> !download
21:12 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn
21:12 <@vpnHelper> (only thing supported here) there is no separate download for client/server, it is the same install with different configs
21:14 < Moonlightning> Can I use the version of 2.3.2 that's currently in the Ubuntu repo?
21:14 < Moonlightning> Or should I just build 2.3.4 from source?
21:14 < pekster> Moonlightning: For what uprpose?
21:15  * Moonlightning blinks.
21:15 < Moonlightning> Just in general?
21:15 < pekster> You asked about 2 different versions; you want to know "A or B, in genral?" I can't grok that
21:16 < Moonlightning> Okay, ignore the second part then.
21:16 < Moonlightning> < Is there any reason not to use the version of 2.3.2 that's currently in the Ubuntu repo?
21:16 < pekster> Back to my first question: what do you want to know about those versions
21:16 < pekster> Not unless you need features in 2.3.3 or greater
21:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
21:17 < Moonlightning> Just asking. I know InspIRCd recommends against using the version in the Debian|Ubuntu repos.
21:17 < pekster> TLSv1.2 negotiation would require >=2.3.3 for instance (or a custom build with that feature backports)
21:17 < Moonlightning> Mmm. May as well, then.
21:17 < Moonlightning> Thanks.
21:27 -!- Okita [~Okita@162.248.165.62] has joined #openvpn
21:28 < Okita> I'm running OpenVPN Connect 1.0.4 on iOS 7 and iPhone 5S, I can connect to the VPN, but my external IP hasn't changed
21:28 < pekster> !connect
21:28 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
21:28 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
21:29 < pekster> If you control the server end, you probably want to read about !redirect. If not, you should ask the people you obtain service from for help
21:30 < Okita> !redirect
21:30 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:30 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:30 < Okita> pekster: Thanks
21:31 < Okita> pekster: It works fine (with a different client conf) via Tunnelblick, so I was confused
21:32 < Okita> But likely because the client has its own "route all traffic through VPN" option
21:32 < Okita> !def1
21:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
21:41 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
21:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:49 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:52 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:56 < Moonlightning> !signature
21:56 < Moonlightning> !help
21:56 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
21:56 < Moonlightning> !triggers
21:57 < Moonlightning> No? Okay, then. Can somepony verify the fingerprint of the key the tarballs are signed with?
22:00 < pekster> https://openvpn.net/index.php/open-source/documentation/sig.html
22:00 <@vpnHelper> Title: File Signatures (at openvpn.net)
22:00 < pekster> keyID 198D22A3
22:01 < Moonlightning> Thanks.
22:12 -!- funyun_ [~temp@ns236132.ip-192-99-21.net] has joined #openvpn
22:13 -!- haroldofurtado [~kvirc@177.135.1.64.dynamic.adsl.gvt.net.br] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
22:15 -!- funyun [~temp@cpe-74-141-29-120.swo.res.rr.com] has quit [Ping timeout: 252 seconds]
22:17 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
22:24 < Moonlightning> …actually.
22:24 < Moonlightning> Does 2.3.2 still support TLS 1.1?
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Broken pipe]
22:26 < Okita> pekster: That was the issue, I just had to uncomment that line in the server.conf about redirection
22:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
22:28 < funyun_> hi. my vpn is fast now but are there any easy optimizations I can add for increased speed? here’s my server config http://pastebin.com/YVsE7EzE
22:31 -!- joshh20 is now known as joshh20-Away
22:33 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:41 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
22:49 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Quit: Ciao]
22:51 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
22:53 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
22:55 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
22:57 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
23:03 -!- justinzane [~justinzan@67.21.190.53] has quit [Remote host closed the connection]
23:04 -!- justinzane [~justinzan@67.21.190.53] has joined #openvpn
23:15 -!- funyun_ [~temp@ns236132.ip-192-99-21.net] has quit [Read error: Connection reset by peer]
23:27 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
23:29 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:43 -!- justinzane [~justinzan@67.21.190.53] has quit [Remote host closed the connection]
23:43 -!- justinzane [~justinzan@67.21.190.53] has joined #openvpn
23:45 -!- ShadniX [dagger@p5DDFE97A.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:45 <@krzee> Haigha,
23:45 <@krzee> !dupe
23:45 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
23:46 -!- ShadniX [dagger@p5DDFE655.dip0.t-ipconnect.de] has joined #openvpn
23:47 <@krzee> the 2nd client knocks off the 1st client, then they fight over the connection constantly knocking eachother off (assuming you use --keepalive or similar options)
--- Day changed Tue Jun 03 2014
00:03 -!- mattock_afk is now known as mattock
00:10 -!- Okita [~Okita@162.248.165.62] has quit [Ping timeout: 252 seconds]
00:19 -!- justinzane [~justinzan@67.21.190.53] has quit [Ping timeout: 265 seconds]
00:38 < Haigha> krzee: i've already checked that, he told me to never use two cliebts at the same time
00:41 < Haigha> i mean he told me that he has not done it
00:47 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:29 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
01:29 < v0lZy> hi
01:29 < v0lZy> quick question, can openvpn server expose managment interface on an IP other then 127.0.0.1 ?
01:31 < Eugene> !management
01:31 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
01:31 < Eugene> UNIX socket, 127.0.0.1, or the VPN address.
01:32 < v0lZy> the vpn server address?
01:32 < Eugene> The address of the tun device on the server
01:32 < v0lZy> (does this mean all users can access it?
01:32 < Eugene> But read the docs
01:32 < v0lZy> Yeah, I am.
01:32 < Eugene> Why owuld you want to do it, though.
01:33 < Eugene> Having such thing be open to the internet is A Bad Idea
01:33 < Eugene> Hence, only allowed via localhost
01:36 < v0lZy> i have a weird fringe situation where I have to monitor if a client is connected or not
01:39 < v0lZy> but seems to be a dead end inc ombination with pfsense...
01:40 < v0lZy> it uses unix sockets..
01:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
01:54 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:56 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
01:58 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 245 seconds]
02:04 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
02:14 < v0lZy> Eugene: I'm thinking of using the existing managment interface pfsense is using
02:14 < v0lZy> its using a unix socket
02:15 < v0lZy> and there's some php that runs when u visit a peculiar website, that connects to the managment interface and extracts info about tunnels that are up
02:15 < v0lZy> this being a unix socket, is there a problem if i take this script and put it into a separate file, run it periodically from cron
02:16 < v0lZy> will there be any issues with 2 programs reading from the socket?
02:16 < reiffert> not when using select()
02:16 < v0lZy> select() ?
02:19 < v0lZy> reiffert: i'm not a coder, I'm looking at some php function here
02:20 < v0lZy> seems to me that it reads the socket
02:20 < v0lZy> http://bpaste.net/show/9hKJ4xtDVSfZ0IuhYOQR/
02:21 < v0lZy> though I dont know if it passes any commend to it to get specific kind of output
02:27 < v0lZy> hm ... seems to depend on another function..
02:29 < v0lZy> reiffert: this seems to be the meat of it all: http://bpaste.net/show/3UEVBtczB5WJHcFhl41o/
02:29 -!- larryone [~larryone@178.167.254.85.threembb.ie] has joined #openvpn
02:30 < v0lZy> I don't see a select() there anywhere, but im unsure of what that select() is supposed to pertain to
02:34 -!- larryone [~larryone@178.167.254.85.threembb.ie] has quit [Ping timeout: 252 seconds]
02:40 < reiffert> man select
02:40 < reiffert> SELECT(2)                                   Linux Programmer's Manual                                  SELECT(2)
02:40 < reiffert> NAME select, pselect, FD_CLR, FD_ISSET, FD_SET, FD_ZERO - synchronous I/O multiplexing
02:41 < reiffert> see also man ipc, man unix, man socket
02:41 < reiffert> NAME unix, AF_UNIX, AF_LOCAL - Sockets for local interprocess communication
02:42 < reiffert> how to do it with php? dont know.
02:43 < v0lZy> thanks reiffert
02:44 < reiffert> 08:29 < v0lZy> quick question, can openvpn server expose managment interface on an IP other then 127.0.0.1 ?
02:44 < reiffert> short answer: yes.
02:46 < v0lZy> reiffert: i tried managment <local ip> 777 directive
02:46 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:46 -!- mode/#openvpn [+o dazo_afk] by ChanServ
02:46 < v0lZy> management*
02:46 < v0lZy> doesnt seem to work.
02:46 -!- dazo_afk is now known as dazo
02:47 < v0lZy> though can it take an arbitrary IP...  i suppose not... only 127.0.0.1 or vpn server tun ip, right?
02:47 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 265 seconds]
02:51 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
03:07 -!- Plastefuchs_ [~fweee@198.98.120.235] has joined #openvpn
03:07 < Plastefuchs_> !welcome
03:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
03:07 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:08 < Plastefuchs_> !redirect
03:08 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:08 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
03:11 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:12 -!- kirin` [telex@gateway/shell/anapnea.net/x-fqpzoyozpynhndhm] has quit [Ping timeout: 252 seconds]
03:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-yivjugthxqkcclcc] has joined #openvpn
03:18 < Plastefuchs_> !howto
03:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
03:19 -!- hyper_ch [~hyperch@ns99.roleplayer.org] has joined #openvpn
03:20 < hyper_ch> hmmm, in a Windows 8.1 vm it takes like forever to bring up to vpn connection... I got a lot of messages:  Route: waiting for TUN/TAP interface to come up...... TEST ROUTES: 0/0 succeeded in len1=1.....
03:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:23 -!- bhuddah [~bhuddah@unaffiliated/bhuddah] has joined #openvpn
03:23 -!- bhuddah [~bhuddah@unaffiliated/bhuddah] has left #openvpn []
03:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:42 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 255 seconds]
03:43 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
03:49 -!- Anywhere [~Anywhere@nl2x.mullvad.net] has joined #openvpn
03:51 < Anywhere> !linnat
03:51 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
03:52 < Anywhere> Any idea how to get that to work on freebsd? My nat just dies when I start my openvpn, everything seems to work fine. I can access the machine from in and outside, fw allows all etc. (Ill post all info later for a real question)
04:08 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:17 -!- Anywhere [~Anywhere@nl2x.mullvad.net] has quit [Quit: Leaving]
04:19 -!- Anywhere [~Anywhere@nl2x.mullvad.net] has joined #openvpn
04:21 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
04:36 < hyper_ch> Hmmm, I have a strange issue. In my public dns zone file I set samba.domain.tld to IP 10.10.11.7. When I  "dig samba.domain.tld ANY" I do get the IP 10.10.11.7. When I ping 10.10.11.7 I get a reply but when I ping samba.domain.tld I get unknown host
04:39 < hyper_ch> shouldn't that resolv?
04:45 -!- Anywhere [~Anywhere@nl2x.mullvad.net] has quit [Ping timeout: 240 seconds]
04:51 < renihs> hyper_ch, dig samba.domain.tld <your_ns_from_resolv.conf>
04:53 < hyper_ch> shouldn't it be  dig @ns_from_resolv.conf samba.domain.tld?
04:55 < renihs> um, yeah :)
04:55 < renihs> i made an alias to change that, keep forgetting it
04:56 < renihs> i need dns server last, else my brain ends up with interrupting conflicts usually
04:56 < hyper_ch> :)
04:57 < hyper_ch> ok, resolv.conf is the router
04:57 < hyper_ch> the router is said to be used to use google's 8.8.8.8
04:57 < hyper_ch> however when I dig @router   I get no/empty reply
04:57 < hyper_ch> when I dig @8.8.8.8  it all resolves fine
04:58 < hyper_ch> I just thought it would be a nice and easy way to put the VPN address into public DNS
04:59 < renihs> well, sounds to me like the router doesnt reply to you
04:59 < hyper_ch> teh router hates me :(
04:59 < renihs> so probably a bind issue there
04:59 < renihs> or you are not in the acl
04:59 < hyper_ch> acl?
04:59 < renihs> access control list from bind/named
05:00 < renihs> allowed hosts :)
05:00 < hyper_ch> it's just a modem/router
05:00 < renihs> well i am sure it has a webinterface or such, prolly needs configuraiton to accept dns requests from your host
05:00 < renihs> else skip it and use another outside dns
05:00 < renihs> not much of a difference in this case
05:00 < hyper_ch> well, why am I then to resolv other stuff?
05:01 < renihs> ah, forgot, you want internal dns names :)
05:01 < hyper_ch> well, samba.domain.tld is registere on my public dns server
05:02 < hyper_ch> and I set an A record to resolv it to 10.10.11.7
05:02 < renihs> if its just few hosts, put them into /etc/hosts, else fix the modem dns server thingie or create a small server/vm which dns abilities in your lan would be my suggestion
05:02 < renihs> i thought your public dns server was 8.8.8.8?
05:02 < hyper_ch> the routere her doesn't know anything about domain.tld
05:02 < hyper_ch> so any queries it gets about domain.tld it should forward to 8.8.8.8 - at leas that's how I understand it
05:03 < renihs> not following, i thought your dns server is your router?
05:03 < hyper_ch> no
05:03 < hyper_ch> I have a public dns server
05:03 < hyper_ch> hosted in a datacenter in a land far, far away
05:03 < renihs> and if you query that one, it resolves correctly?
05:03 < hyper_ch> in that public dns server, I do host domain.tld and it's authorative
05:04 < hyper_ch> that public dns server has an A entry for samba.domain.tld which resolved to 10.10.11.7
05:04 < hyper_ch> (basically whereever I am, I want to have samba.domain.tld to be resolved to the VPN)
05:04 < renihs> bla, but does it resolve correctly or not?
05:04 < hyper_ch> so, where I am now at work
05:04 < hyper_ch> there's a small router/modem
05:05 < hyper_ch> when I dig @router/modem samba.domain.tld   I don't get a reply or rather nothing to use... just:    ;samba.domain.tld.   IN   A
05:05 < renihs> to be expected
05:05 < hyper_ch> the router/modem is set to use google's dns server aka 8.8.8.8
05:06 < hyper_ch> so, if I query the router/modem for a domain name that it doesn't know, shouldn't it forward the query then to google?
05:06 < renihs> sure
05:06 < renihs> i mean no
05:06 < renihs> depends, but it wont return 10.10
05:06 < renihs> in either case
05:06 < hyper_ch> when I   dig @8.8.8.8   I do get a proper reply with correct serolution
05:06 < hyper_ch> why won't it return 10.10?
05:06 < renihs> you dig 8.8.8.8 and you get your 10.10.11.7?
05:06 < renihs> it wont and never will
05:07 < renihs> you need to ask your server directly
05:07 < hyper_ch> when I dig @8.8.8.8  samba.domain.tld   I do get  10.10.11.7 as reply back
05:07 < renihs> ? not from 8.8.8.8 :)
05:07 < hyper_ch> try it:   samba.jus-law.ch
05:07 < hyper_ch> dig @8.8.8.8 samba.jus-law.ch
05:08 < renihs> hmm
05:08 < hyper_ch> http://paste.debian.net/hidden/ecabfdc8/
05:09 < renihs> yeah, seems like not touching dns for like 10 years hmm i am surprised :)
05:09 < hyper_ch> so I fail to comprehend why the router/modem doesn't give proper reply
05:09 < renihs> good question, it obviously doesnt ask 8.8.8.8
05:10 < renihs> and whomever he asks, has not received the updates
05:10 < renihs> as of yet
05:10 < hyper_ch> me:"hey router, tell me the IP for xxxx", router: "Sorry, dude, I don't know the answer, but I'll ask my buddy 8.8.8.8",   google: "hey router, I found it... check out 10.10.11.7";  router:"so, I found it, it's at 10.10.11.7"
05:10 < hyper_ch> shouldn't it go that way?
05:10 < renihs> it should, but it prolly wont ask 8.8.8.8
05:10 < renihs> maybe the provider intercepts? 8.8.8.8 is tricky btw
05:10 < renihs> its a geoip
05:11 < renihs> so if i ask 8.8.8.8 i end up on a different host than you most likely
05:11 < renihs> but thats not an explanation, dunno, it seems like your dns query gets either redirected ISP wise or asks a server that has not yet receive the new A record
05:12 < renihs> do you have a shell on that router?
05:12 < hyper_ch> I also digged on of my ISPs dns server (that's setup in the router as secondary) and I also get proper resolution there
05:12 < hyper_ch> sounds like there's really a router problem
05:12 < renihs> good question, no idea, i point at the router, and maybe it doesnt ask 8.8.8.8 but the root dns servers or something else
05:13 < renihs> sniffing would solve that mystery :p
05:13 < renihs> but you would need to sniff on the router/modem or a hop after it
05:13 < hyper_ch> still, the authorative nameserver for that domain announces it properly when asked
05:13 < hyper_ch> teh router has busybox in it
05:14 < hyper_ch> I'll ssh in and do some investigation
05:14 < hyper_ch> (right after lunch break)
05:14 < renihs> busybox can be compiled with or without many features :)
05:14 < renihs> but yeah, it should work as you described imho
05:16 < hyper_ch> is there a compelling reason as to not put VPN addresses into public DNS=
05:16 < hyper_ch> ?
05:19 < renihs> there are compelling reasons not to put internal addresses to public dns :)
05:20 < renihs> same reason one usually doesnt allow zone transfers for internal networks :)
05:20 < renihs> makes mapping kinda easy for an malicious person
05:22 < renihs> usually, i log into my vpns and my vpn servers push the internal dns servers (not accessible from outside) so i can resolve everything just fine as long as i am in the vpn
05:26 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:48 < Plastefuchs_> if i want to have two clients connect, controlled by a server, is client to client the way to go? http://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/ mentions that it might not?
05:48 <@vpnHelper> Title: Controlling client-to-client connections in OpenVPN « \1 (at backreference.org)
05:49 -!- hyper_ch is now known as hyper_away
05:49 -!- hyper_away is now known as hyper_ch
05:50 < hyper_ch> renihs: security through obscurity?
05:52 < hyper_ch> Plastefuchs_: what do you exactly want to do?
05:55 < Plastefuchs_> hyper_ch: endgoal would be to have clients connect to the server and the server then allows connectivity between a specific pair of clients.
05:55 < Plastefuchs_> I stumbled over that feature through pure luck and wonder if i understood it right
05:56 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
05:56 < hyper_ch> any reason why each client shouldn't be allowed to connect to every other one?
05:56 < Plastefuchs_> That is one of the constrains more or less.
05:57 < Plastefuchs_> Right now i am happy if all connect with all, but the top goal would be a way to limit connections
05:57 < Plastefuchs_> I guess c2c with client-pf is the way to go?
05:57 < hyper_ch> not really sure what's the best way for that
05:59 < Plastefuchs_> "The above example sets the packet filter policy for the client identified by CID=99.  This client may not connect to any other clients except those having a common name of "public"." from https://openvpn.net/index.php/open-source/documentation/miscellaneous/management-interface.html
05:59 <@vpnHelper> Title: Management Interface (at openvpn.net)
05:59 < Plastefuchs_> That looks promising
06:01 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
06:01 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
06:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:36 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:49 -!- indy [~indy@shadow.kastnerove.cz] has quit [Quit: ZNC - http://znc.sourceforge.net]
06:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:01 -!- barnoid [~barney@baiji.subli.me.uk] has left #openvpn []
07:02 < renihs> hyper_ch, security is an illusion, obscurity is a like a "hit me, hit me" sign, combining them tends to be a bad idea :)
07:08 < hyper_ch> so, there's no real problem using private entries in public dns :)
07:09 < renihs> define "real", but no, no technical problems
07:09 < hyper_ch> :)
07:09 < hyper_ch> except for my router here :)
07:09 < renihs> beside it not making much sense since the information is (hopefully) useless to the world
07:10 < hyper_ch> since the samba server only listens to vpn, it shouldn't be a security issue eitehr
07:11 < renihs> well, if i know your internal network, that takes alot work away from an remote attacker :)
07:11 < renihs> though i would suspect a honeypot :p
07:11 < hyper_ch> if you get access to my vpn I have a big issue anyway
07:11 <@plaisthos> anyone here with an Android 4.4.3 device?
07:11 < hyper_ch> no
07:12 < renihs> hyper_ch, well, that router/modem thingie doesnt sound too trustworthy to begin with :p
07:12 < hyper_ch> it's a fritzbox
07:12 < renihs> oh then it listens to magic packets :)
07:12 < hyper_ch> but it'll probably be put out of commission as modem-only and get an asus rt-ac68u
07:13 < hyper_ch> friend keeps telling me it's an awesome router
07:13 < hyper_ch> and the wifi on it is excellent in speed and quality
07:13 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
07:13 < hyper_ch> also custom firmware for more goodies
07:14 < renihs> i like to seperate wlan devices from my core devices :)
07:18 < hyper_ch> with wifi-n you get decent speeds without having to run cables everywhere
07:19 < hyper_ch> and my buddy told me, that asus router gives good speeds
07:36 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Remote host closed the connection]
07:47 < MacGyver> Is there a way to have openvpn re-run a script when it loses the connection and reconnects?
07:47 < MacGyver> It doesn't seem to re-run up- or route-up scripts.
07:51 < MacGyver> (What I actually need is a file that contains the IP address currently connected to, I figured it was easiest to write and update that from a script.)
07:59 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 264 seconds]
08:01 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:50 < hyper_ch> ip address currently connected to?
08:56 < MacGyver> Oh, yeah: client-side. So either the value of remote in the client configuration, or the resolved address, but only once it's connected.
08:59 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:09 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Remote host closed the connection]
09:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:33 -!- mattock is now known as mattock_afk
09:34 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
09:42 < Plastefuchs_> via the management interface, is it possible to poll the CID of a certain connected client? The 'CLIENT notification' part of the docs is not really clear on that. To mee it looks as if i had to track the CID myself
09:42 < Plastefuchs_> Which would be kind of bad, since a simple service restart on one of my clients will give that same client the next CID
09:48 -!- joshh20-Away is now known as joshh20
09:49 < Plastefuchs_> Or the other way: Is it possible to use client-pf with another parameter beside CID?
09:54 <@plaisthos> Plastefuchs_: yeah
09:54 <@plaisthos> a new status stuff is included in 2.3 or master
09:54 <@plaisthos> not totally sure
09:54 < Plastefuchs_> !
09:55 < Plastefuchs_> I had found https://groups.google.com/forum/#!msg/openvpn-devel/jIvifrFOJyk/pHBXiMiCD0IJ but including some random patch that is 4 years old seemed unwise
09:55 <@vpnHelper> Title: Google Groups (at groups.google.com)
10:00 <@plaisthos> Plastefuchs_: yeah I know ;)
10:00 <@plaisthos> It is my patch
10:00 <@plaisthos> but it is commited as 662ce6acc065bddf6490b3494725b8b3987b7def
10:00 < Plastefuchs_> hah
10:00 <@plaisthos> but as far as I can see it is only in master
10:01 < Plastefuchs_> Now I only need to figure out if my ubuntu can apt-get it and how far debian is behind
10:01 < Plastefuchs_> oh, so it might not be in 2.3? ._.
10:01 <@plaisthos> no
10:01 <@plaisthos> it is not in 2.3
10:01 < Plastefuchs_> oh =(
10:02 <@plaisthos> but that patch or cherry picking 662ce6 should be fine
10:05 < Plastefuchs_> plaisthos: i'll look into that
10:05 < Plastefuchs_> Now i need to try out if client-pf works as written
10:08 <@plaisthos> client-pf only works with dev tap iirc
10:08 <@plaisthos> there was something strange about it
10:08 < Plastefuchs_> dev tap?
10:08 <@plaisthos> it is 4 years ago :)
10:13 < Plastefuchs_> SUCCESS: client-pf command succeeded > client still is able to ping the denied machine :|
10:18 <@plaisthos> Plastefuchs_: are you dev tun?
10:18 <@plaisthos> or dev tap
10:18 <@plaisthos> in your server configuration
10:18 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:18 < Plastefuchs_> oh
10:19 < Plastefuchs_> oh, tun :|
10:19 < Plastefuchs_> ok, next point on the agenda: reading about tun and tap
10:24 <@plaisthos> Plastefuchs_: you can always use the platform's firewall
10:24 < Plastefuchs_> Yeah, i am a bit too much of a noob in that regard. I thought this would be a nifty way to solve my problem
10:25 <@plaisthos> no
10:25 <@plaisthos> client-pf is an undocumented minefield
10:25 < Plastefuchs_> Well, it is in the docs <.<
10:26 <@plaisthos> poorly documented :)
10:26 < Plastefuchs_> :(
10:26 < Plastefuchs_> Please please please, add something to that effect to the docs
10:26 < Plastefuchs_> I was thinking for a few hours now that client-pf would be my holy grail
10:27 <@plaisthos> Plastefuchs_: on the contrary
10:27 <@plaisthos> client-pf code might be removed from OpenVPN one day
10:28 < Plastefuchs_> oh, i can see that. But mentioning that would be neat.
10:28 < Plastefuchs_> It would have been bad if i had developed something based on client-pf and one year down the road it is gone
10:30 < Plastefuchs_> plaisthos: just to get you right, i should be able to allow client-to-client, block all traffic between them, but allow certain clients to connect to some other clients
10:30 < Plastefuchs_> ^ via iptables
10:34 < Plastefuchs_> Time to go for today, thank you so far plaisthos o/
10:34 <@plaisthos> Plastefuchs_: err disable client-to-client
10:34 <@plaisthos> !c2c
10:34 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
10:34 <@vpnHelper> behind other clients
10:34 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
10:35 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:35 < Plastefuchs_> ah
10:36 < Plastefuchs_> ah^2
10:36 < Plastefuchs_> so screw tun and tap, iptables!
10:43 <@krzee> This week's Psychic Meeting has been canceled due to unforeseen problems.
10:53 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:16 -!- joshh20 is now known as joshh20-Away
11:27 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:30 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
11:32 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:43 -!- mattock_afk is now known as mattock
11:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 276 seconds]
11:55 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:09 -!- hyper_ch is now known as hyper_away
12:09 -!- hyper_away is now known as hyper_ch
12:13 < hyper_ch> hmmm, having same issues at home now
12:24 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:29 -!- larryone [~larryone@95.83.254.192] has joined #openvpn
12:34 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Read error: Connection reset by peer]
12:37 -!- larryone [~larryone@95.83.254.192] has quit [Quit: This computer has gone to sleep]
12:45 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:07 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
13:08 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
13:08 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:10 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:20 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
13:42 -!- dazo is now known as dazo_afk
13:45 -!- hyper_ch [~hyperch@ns99.roleplayer.org] has left #openvpn ["Konversation terminated!"]
13:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
13:54 -!- mattock is now known as mattock_afk
13:54 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 265 seconds]
13:55 -!- artemz [~artemz@2001:4ba0:cafe:768::1] has quit [Remote host closed the connection]
14:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:00 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:03 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
14:03 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:11 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:14 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
14:19 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
14:38 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
14:38 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
14:39 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
14:52 -!- joshh20-Away is now known as joshh20
15:01 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
15:02 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
15:24 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
15:26 -!- qwertyoruiop is now known as not-qwertyoruiop
15:30 -!- not-qwertyoruiop is now known as qwertyoruiop
15:37 < Cyclohexane> How do I only route specific traffic e.g. to Google over the VPN? The rest uses the local client IP address
15:49 -!- qwertyoruiop is now known as OccupyJBQA
15:49 -!- OccupyJBQA is now known as qwertyoruiop
16:01 -!- joshh20 is now known as joshh20-Away
16:10 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
16:12 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has joined #openvpn
16:12 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 240 seconds]
16:14 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
16:16 -!- ildefonso [~ilde123@201.185.229.85] has quit [Ping timeout: 252 seconds]
16:16 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
16:26 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Quit: elfixit]
16:31 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
16:32 < pekster> Cyclohexane: You use a proxy for that. OpenVPN routes packets, so the notion of connecting it to something as abstract as domains or DNS doesn't apply
16:33 < pekster> What you could do is force local users to use a proxy that makes a delivery decision based on the domain being accessed. Or you culd use a VM and redirect its gateway since the VM will have a different routing table than the host
16:36 -!- phormUlate [~phormUlat@gateway/tor-sasl/phormulate] has joined #openvpn
16:37 < phormUlate> Hi, I have a routing issue with my win7 ovpn client I was hoping to get some help with.
16:39 < phormUlate> I have my own sever over dyndns I connect to access the local network, and another which I'd like to use concurrently for all other trafic. I don't control the config of the latter server, and because this is a windows client, and my server doesn't have a static address, it isn't so straight forward as using cron and env variables/ using a static persistent route.
16:40 < phormUlate> I'd really rather not have to install the ms unix subsystem tools env on this client and setup a hacky script to resolv the ip, store it, and execute a route update every so often.
16:40 < phormUlate> anyone have an idea?
16:44 < pekster> I don't understand your problem? You have 2 completely unrelated VPN endpoints you wish to connect to? If that's the case, just connect to both of them. Problem solved
16:45 < pekster> You can read about traffic redirection setup at !redirect, but that in no way prevents you from also connecting somewhere that pushes other routes to you
16:45 < phormUlate> the problem being resolution of the first, not over the second, am I incorrect?
16:46 < phormUlate> so they independently connect from the primary gateway without nesting, in the case that I connect to the second, which I use for all web traffic?
16:47 < pekster> Oh, I see your issue; you don't want the encapsulating traffic to your endpoint getting redirected
16:47 < phormUlate> and can just set a route for the former, for which I just use its local network resources
16:47 < phormUlate> ya
16:47 < pekster> Yea, you'd either need a host-route via your physical uplink, or policy routing (which Windows won't do)
16:48 < phormUlate> ya, that is my bummer, I can do policy routing, just not with the windows tools exclusively
16:48 < phormUlate> the big problem being, the first server is on dyndns
16:48 < phormUlate> otherwise I'd be golden
16:49 < pekster> Easiest here might just be a wrapper to launch the VPN that 1. does a DNS lookup, 2. inserts that IP into the config, 3. sets up a /32 (or /128 for IPv6 transit) route to it via your physical uplink, and 4) launches on that config
16:50 < pekster> Or, another option, insert that /32 (or /128) via the net_gateway macro (read --route in the manpage) when the redirect VPN goes up
16:51 < phormUlate> ya, that was pretty close to my plan, I'm just not as great with the win powershell crap as I am in *nix, in which it is a cinch.... guess I'll have to grab that unix subsystem for windows
16:51 < pekster> It won't pick up DNS changes (you'd have to restart it or deal with that manually) but you could script updates to that route line
16:51 < pekster> SFU? that's mostly crap and designed to allow people migrating *to* windows to do things
16:51 < phormUlate> yep
16:51 < pekster> Grab cygwin if you want a "proper" environment
16:51 < phormUlate> but there is a debian port
16:51 < phormUlate> **
16:52 < phormUlate> with full aptitude
16:52 < phormUlate> :D
16:52 < phormUlate> they changed the name for vista+, called sua now
16:52 < phormUlate> subsystem unix something or other
16:53 < pekster> cygwin or related tools (msys and friends)
16:53 < phormUlate> cygwin is meh, but good in some cases
16:53 < phormUlate> I actually prefer the debian port to sua
16:53 < pekster> you need a port on Linux to use real tools?
16:53 < phormUlate> not as good as colinux though
16:53 < pekster> this is news to me
16:54 < pekster> If you want portability, write in POSIX (shell or ANSI C) and it'll work anywhere
16:54 < phormUlate> heheh, just about
16:54 < pekster> You'll need an interperter, but it works fine in Windows too. Bundle msys's sh.exe and any libs plus programs you need
16:55 < phormUlate> sounds like a project for another day, noted
16:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Quit: leaving]
17:01 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:18 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:19 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:25 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:31 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
17:32 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
17:36 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:41 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:52 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
17:55 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 276 seconds]
17:59 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has left #openvpn []
18:00 -!- maxiepax [max@locke.misse.org] has quit [Remote host closed the connection]
18:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
18:08 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
18:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:14 -!- Denial- [Denial@176.250.235.182] has joined #openvpn
18:15 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
18:16 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:20 -!- abbe_ [having@badti.me] has joined #openvpn
18:20 -!- mete [~mete@91.247.253.160] has joined #openvpn
18:20 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Write error: Broken pipe]
18:20 -!- liriel [~liriel@asia.feralhosting.com] has quit [Write error: Broken pipe]
18:20 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Write error: Broken pipe]
18:20 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has quit [Write error: Broken pipe]
18:20 -!- asio [asio@109-74-7-223-static.serverhotell.net] has quit [Write error: Broken pipe]
18:20 -!- abbe [having@badti.me] has quit [Excess Flood]
18:20 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Excess Flood]
18:20 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
18:20 -!- Denial [Denial@176.250.235.182] has quit [Remote host closed the connection]
18:20 -!- joshh20-Away [~joshh20@v-70-42-74-226.unman-vds.internap-nyc.nfoservers.com] has quit [Quit: ZNC - http://znc.in]
18:20 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Quit: :(]
18:20 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
18:20 -!- abbe_ is now known as abbe
18:21 -!- Denial- is now known as Denial
18:21 -!- svg [~svg@hydargos.ginsys.net] has quit [Remote host closed the connection]
18:21 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
18:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
18:22 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
18:24 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
18:24 -!- zafu [~pif@217-162-81-21.dynamic.hispeed.ch] has quit [Ping timeout: 252 seconds]
18:26 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Excess Flood]
18:27 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
18:27 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
18:28 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:16 -!- javierlito [~glitcheds@2601:3:8580:1a2:28a7:1a73:188a:6d7c] has joined #openvpn
19:16 < javierlito> hello?
19:17 < javierlito> Can anyone help me setup open vpn I am trying hook up a .ovpn file I got from cyberghost
19:18 -!- ildefonso [~ilde123@201.185.229.85] has joined #openvpn
19:24 < javierlito> hello???
19:26 < javierlito> anyone there???
19:35 < javierlito> root@debian:/# openvpn --config '/home/glitchedsoulz/Downloads/CyberGhost.ovpn'
19:35 < javierlito> Options error: Unrecognized option or missing parameter(s) in /home/glitchedsoulz/Downloads/CyberGhost.ovpn:7: dhcp-renew (2.2.1)
19:35 < javierlito> Use --help for more information.
19:35 < javierlito> root@debian:/# openvpn --config
19:35 < javierlito> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config (2.2.1)
19:35 < javierlito> Use --help for more information.
19:35 < javierlito> root@debian:/#
19:41 < javierlito> fucking
19:41 < javierlito> hell
19:41 -!- javierlito [~glitcheds@2601:3:8580:1a2:28a7:1a73:188a:6d7c] has quit [Quit: Leaving]
19:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
19:44 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has joined #openvpn
19:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:52 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
20:07 -!- javierlito [~glitcheds@2601:3:8580:1a2:28a7:1a73:188a:6d7c] has joined #openvpn
20:07 -!- javierlito is now known as GlitchedSoulz
20:07 < GlitchedSoulz> Hello?
20:07 < GlitchedSoulz> I need help
20:09 < GlitchedSoulz> ughhh
20:09 < GlitchedSoulz> hello? anyone there
20:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:36 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 252 seconds]
20:40 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
20:41 < GlitchedSoulz> FUCKING HELL
21:13 -!- ildefonso [~ilde123@201.185.229.85] has quit [Quit: Leaving]
21:23 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Read error: Connection reset by peer]
21:24 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
21:38 < _FBi> ask your damn question
22:04 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
22:07 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
22:08 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:09 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
22:09 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
22:11 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
22:13 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
22:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
22:19 -!- altermann [~chatzilla@174.1.107.101] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 24.5.0/20140421162246]]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- phormUlate [~phormUlat@gateway/tor-sasl/phormulate] has quit [Write error: Broken pipe]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:27 -!- GlitchedSoulz [~glitcheds@2601:3:8580:1a2:28a7:1a73:188a:6d7c] has quit [Ping timeout: 240 seconds]
22:33 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:33 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:59 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer]
23:00 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
23:02 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
--- Log closed Tue Jun 03 23:08:43 2014
--- Log opened Wed Jun 04 08:08:00 2014
08:08 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
08:08 -!- Irssi: #openvpn: Total of 181 nicks [7 ops, 0 halfops, 1 voices, 173 normal]
08:08 -!- Irssi: Join to #openvpn was synced in 0 secs
08:08 -!- mode/#openvpn [+o ecrist] by ChanServ
08:17 -!- GrantK [19YEdWlb4s@bolt.sonic.net] has joined #openvpn
08:18 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
08:18 < GrantK> Hi.  When starting Openvpn using systemd init, is the Openvpn `daemon` config option still useful/recommended/necessary?  Or is daemonization completely handled by systemd in this case?
08:32 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:04 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:11 < reiffert> http://fedoraproject.org/wiki/Openvpn
09:11 <@vpnHelper> Title: Openvpn - FedoraProject (at fedoraproject.org)
09:12 < reiffert> http://forums.fedoraforum.org/showthread.php?t=272612
09:26 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
09:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:29 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
09:31 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:40 -!- dazo_afk is now known as dazo
09:40 -!- GrantK [19YEdWlb4s@bolt.sonic.net] has left #openvpn []
09:58 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:58 -!- mode/#openvpn [+o mattock_afk] by ChanServ
09:58 -!- mattock_afk is now known as mattock
09:58 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
09:59 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:59 -!- mode/#openvpn [+o mattock] by ChanServ
09:59 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
09:59 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:59 -!- mode/#openvpn [+o mattock] by ChanServ
10:08 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Remote host closed the connection]
10:09 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:19 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:33 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
10:36 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
11:06 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:23 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
11:38 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Ping timeout: 252 seconds]
11:41 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
11:54 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:08 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:17 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
12:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:19 -!- mode/#openvpn [+v s7r] by ChanServ
12:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
12:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
13:29 -!- vexingWinter [~Tantalus@c-76-123-182-108.hsd1.ms.comcast.net] has joined #openvpn
13:43 -!- dazo is now known as dazo_afk
13:52 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will collide. And become a Dream. <3]
13:55 -!- cyford [~cyford33@cyfordtechnologies.com] has joined #openvpn
13:56 < cyford> hoi,  my openvpn is very slow while on 1gps connection,
14:03 < cyford> 45kB/s
14:11 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-msdmumvcyinlrumt] has joined #openvpn
14:12 < SupaYoshi> Hi guys,
14:12 < SupaYoshi> Can I have that em image with how to do things? Like
14:12 < SupaYoshi> What is your goal etc.
14:12 < SupaYoshi> I have a working VPN here, but Im trying to route traffic over the vpn. Or have it as default gateway.
14:13 < SupaYoshi> And idk how to do so. I had something read with gateway=def1
14:13 < SupaYoshi> or something?
14:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:18 -!- mattock is now known as mattock_afk
14:31 -!- cyford [~cyford33@cyfordtechnologies.com] has quit [Remote host closed the connection]
14:32 <@krzee> !redirect
14:32 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:32 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:40 < SupaYoshi> http://paste.ubuntu.com/7589802/
14:40 < SupaYoshi> will this work?
14:41 < SupaYoshi> It works without the push redirect gateway
15:16 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has quit [Quit: I left the oven on]
15:22 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-fd7e-a189-8dcc-1f1c.rev.sfr.net] has quit [Remote host closed the connection]
15:24 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
15:25 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
15:32 -!- c00w [~c00w@li656-207.members.linode.com] has joined #openvpn
15:34 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:40 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
15:43 < SupaYoshi> http://paste.ubuntu.com/7590182/
15:45 < SupaYoshi> Will this work?
15:47 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has joined #openvpn
15:56 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:57 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
16:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
16:06 -!- debbie10t [~ma1com10t@host-92-20-43-236.as13285.net] has quit [Ping timeout: 260 seconds]
16:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 276 seconds]
16:13 < pekster> SupaYoshi: It's one of several things you need to do in such a setup. See: !redirect
16:13 < pekster> Also, opendns is bad; avoid them. Read !opendns for why, or just use googleDNS instead
16:19 -!- dym [~patrick@unaffiliated/dym] has joined #openvpn
16:21 < SupaYoshi> pekster i saw these things, my vpn works now.
16:21 < dym> Hey everyone. I have a little question. I have an online server A that has a /28 assigned. On this server i have a VM (B) running an openvpn server instance. From the outside i have clients connecting to B and i was wondering if it was possible to assign ip addresses from A all the way through to the clients that connect to B to make them publicly available by the world?
16:21 < SupaYoshi> ALl i wanna do now, is redirect the traffic hehe
16:21 < SupaYoshi> :3
16:21 < pekster> This is why I told you to read !redirect
16:22 < pekster> If you've already done that, then you're all done
16:22 < pekster> dym: Not unless you have a block routed to you; is your /28 routed to system A via a separate link network?
16:23 < pekster> You can do awful things like bridging or arp proxy, but really you want a routed block to do such things with
16:23 < pekster> You might ask if you can get a /32 assigned to your host so the /28 can be routed to you
16:25 < dym> pekster: it's hetzner and afaik i the net is routed to the machine.
16:25 < dym> i can assign the addresses to seperate VM's at least.
16:26 < pekster> "as far as you know"? You didn't think to check?
16:26 < pekster> What OS?
16:26 < dym> using vmbr0
16:26 < dym> Debian
16:26 < pekster> bridge != routing
16:26 < pekster> `ip addr sho`
16:26 < dym> on the host?
16:26 < pekster> Yup. You can see from that if it's on-link or if you get a separate link IP
16:27 < pekster> "br" is a bridge, and bridging is not routing. VM networks frequently use bridging on the downstream side, so that doesn't tell me anything useful
16:27 < dym> master vmbr0
16:27 < dym> http://drop.openroot.de/AviU/42udIKmx
16:27 <@vpnHelper> Title: 1: lo: mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00... Droplr (at drop.openroot.de)
16:28 < pekster> That's not the ip output I asked for
16:28 < dym> it's ip addr sho
16:28 < dym> or on the vm host?
16:28 < dym> as in on the vm
16:29 < pekster> Oh that is your host?
16:29 < dym> thats the VM host
16:29 < pekster> So the /27 is your uplink? And the /28 is for your VMs?
16:29 < dym> not the vm itself
16:30 < dym> correct
16:31 < pekster> If you want to give a VPN client some addresses out of that range, I'd allocate a /29 and route it to your VPN system in `topology subnet` mode -- that'll give you support for 5 clients, each with a routable public IP from the /29
16:32 < pekster> Optionally if all of your systems are non-Windows, you could use PtP topology and get 7 clients in a /29, or 3 in a /30
16:32 < dym> i already have some of the adresses allocated to VM's
16:33 < pekster> A /28 gives you two /29's
16:33 < pekster> Use one for the VMs, and the other to route downstream. Or a /30 if you're tight on space and only need a single Windows client, or up to 3 non-Windows
16:33 < dym> i have no windows client
16:34 < dym> so i have one vm that acts as openvpn server
16:34 < pekster> PtP will be the way to go then; tun does not need to waste IPs for "network" and "broadcast" (but you'll burn them in `subnet` topology for Windows compliance)
16:35 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
16:35 < pekster> So if you don't have a /29 to spare but have a /30, you can use f.ex 78.47.108.252/30 for the VPN system. The server eats .252, and clients get assigned .253, .254, and .255
16:35 < pekster> The VPN server itself needs another IP out of the remainder of our /28 that you are assigning to VMs
16:36 < pekster> Your other option here is some 1:1 NAT where you translate a known RFC1918 IP into one of your public ones, also routing whatever public IPs you're using to the VPN server
16:37 < pekster> That's a bit less clean (since you need to setup NAT) and the clients don't actually know their own IP by looking at what they were given
16:37 < dym> well
16:37 < dym> i'll go wtih 78.46.140.189/30
16:37 < dym> :)
16:38 < dym> the server vm already has an address from the /28
16:38 < pekster> Also, be sure to consider return routing
16:38 < dym> does it need the 189 assigned too?
16:38 < dym> as interface?
16:38 < dym> can you hand me a link to some sort of readthrough?
16:39 < pekster> OpenVPN will take care of that. Also, the network is 78.46.140.188/30
16:39 < SupaYoshi> UNDEF,188.207.82.171:20917,606,4712,Wed Jun  4 23:38:15 2014 what does this mean
16:39 < pekster> You basically can follow the howto, but you'll need to deal with addresing using PtP networking. See this wiki page for a primer on addressing:
16:39 < pekster> !addressing
16:39 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
16:40 < pekster> Howto is at !howto, and some description of the various topology options (`subnet`, `ptp`, etc) at: !topology
16:40 < pekster> One more basic question for you though: is the goal here to allow arbitrary Internet clients to reach these VPN systems on these IPs you assign them? If so, you need to take special care to either 1) set up policy routing on each client, or 2) route _all_ Internet-bound traffic from them over the VPN (ie: !redirect)
16:41 < dym> yes, that's the goal
16:41 < dym> and redirect is setup already
16:42 < dym> i just need to modify the openvpn config accordingly.
16:42 < dym> although "just" sounds a bit too easy
16:42 < dym> !topology
16:42 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:43 < pekster> The clients are already redirecting traffic via `--redirect-gateway def1` ? If so, that does indeed handling return-routing
16:44 < dym> pekster: yes, i use one of my office machines that connects to the vpn server and currently utilizes the openvpn servers public ip address for incoming/outgoing traffic.
16:47 < pekster> Gotcha. Some folks want to do that without redirecting "everything else", and that requires a bit more care
16:48 < dym> pekster: yeah, thats okay. i just want it to route eveything right through.
16:48 < dym> unfortunately i have to undo all the bridging stuff some random tutorial told me to do now
16:48 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
16:50 < pekster> I did just realize that the addressing page doesn't have a PtP section. Since that's one of the more easy topologies, I'll fix that with an update now :)
16:51 < Cyclohexane> I have push "route 10.8.0.1 255.255.255.255" inside my server config, how come the client doesn't pick it up? I have to manually add route-nopull, route .... to the client config to get the functionality I'm after
16:52 < pekster> Is your server using 10.8.0.0/24 for its VPN network? If so, you should never have to do that
16:52 < pekster> Seeing your server config would probably clarify things here
16:54 < Cyclohexane> pekster: yeah it is. I only want traffic to 10.8.0.1 to use the VPN, the rest uses my normal IP. Said commands seem to achieve this goal (client-side)
16:55 < pekster> You get that for free if you do nothing
16:55 < Cyclohexane> pekster: when I did nothing everything went through the vpn, whatsmyip.org showed the vpn
16:56 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:57 < dym> pekster: let me know once finished
16:57 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:01 < dym> pekster: So again. I have the VM running openvpn server that has one IP addressed from the /28. Does the /30 need to be configured somehow other than in ccd's for the clients?
17:01 < pekster> You need to route it to the VM guest's IP
17:01 < pekster> (and allow it on firewalls, make sure you're forwarding it, etc)
17:02 < dym> mhh, i have no routing target though
17:02 < pekster> Yes you do: the IP you assigned the VM, just as I said
17:02 < dym> the public one?
17:03 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
17:03 < pekster> Right, the one the VPN server (your VM guest) uses to reach the Internet. You route to things on the closest facing interface from another system on its same network
17:04 < dym> AH!
17:04 < dym> so instead of the vpn server having a private ip as it's own vpn internal address, it get's the first of the /30 ?
17:04 < dym> (it used to be an all private address vpn)
17:04 < pekster> You can't route private addresses
17:05 < pekster> You can NAT them, but if you can avoid NAT, it's best to do so
17:05 < pekster> There's no point in silly NAT anyway since you have no Windows hosts, and can thus use the entire range anyway
17:06 < dym> okay
17:06 < pekster> In fact, if you get _really_ clever, you can use all 4 IPs in the /30 for VPN clients since the VPN server won't need a public IP itself
17:06 < dym> this is the vpn server: http://drop.openroot.de/21fS/3hpIEGRC
17:06 <@vpnHelper> Title: eth0 Link encap:Ethernet Hardware Adresse 96:0a:0c:9c:96:d6 inet Adresse:78.46.14... Droplr (at drop.openroot.de)
17:07 < dym> so the "server" directive in the server conf will be my /30?
17:08 < dym> currently it's server 10.1.35.0 255.255.255.0 since i used the 35.0 to assign private addresses to the vpn clients
17:09 < dym> oh
17:09 < dym> Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
17:11 < pekster> You should avoid ifconfig; it handles things like PtP poorly on Linux
17:12 < dym> ifconfig? in what respect?
17:12 < dym> ah
17:12 < dym> in showing
17:13 < dym> here we go: http://drop.openroot.de/xkaz/PMkb5vGP
17:13 <@vpnHelper> Title: 1: lo: mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00... Droplr (at drop.openroot.de)
17:13 < dym> the tap now ate the .189
17:14 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 245 seconds]
17:14 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
17:17 < dym> pekster: why does openvpn enforce a tap? dont i need tun?
17:19 < pekster> openvpn doesn't enforce tap; in fact you should never use tap unless you require Ethernet frame transport
17:19 < pekster> !tunortap
17:19 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
17:19 <@vpnHelper> rooted/jailbroken) support only tun
17:19 < pekster> I did also put an update on that Addressing wiki page
17:20 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:20 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:20 < pekster> The advanced example showing 100% utilization of a /30 might be of interest, but you could just as easily assign the server peering IP out of the /30. Addressing in PtP is completely arbitrary
17:21 < dym> thing is
17:21 < dym> when i assign the first ip of the /30 to the server
17:21 < dym> it gives me
17:21 < dym> Jun  5 00:20:07 vpn ovpn-server[2745]: Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
17:21 < pekster> You do not use --server
17:21 < pekster> Note that my examples don't
17:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
17:21 < pekster> net30 requires a minimum of a /29, and that gives you on 1 client. It's epicly wastefuly
17:22 < pekster> wasteful*
17:22 < pekster> p2p != net30
17:22 < dym> oh, havent checked back to the addressing page
17:22 < dym> sec
17:22 < pekster> Re-read that !topology wiki page if you don't understand the distinction
17:22 < dym> !topology
17:22 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:22 < dym> !addressing
17:22 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
17:23 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:24 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:25 < dym> i dont understand "--ifconfig 192.168.222.0 192.168.222.1"
17:25 < dym> .0 is the server's "eth0"?
17:25 < dym> or the address assigned to the interface
17:25 < pekster> This is all *tun*
17:26 < pekster> You need a "real" IP on eth0
17:26 < pekster> You always do
17:26 < dym> ok
17:26 < dym> ah
17:26 < dym> so ifconfig comes in instead of server!
17:26 < dym> gotcha
17:26 < pekster> Right, the topology wiki page explains this about p2p mode
17:26 < dym> but what are those 2 ip's?
17:27 < pekster> Arbitrary RFC1918 IPs
17:27 < pekster> For all it matters use 172.12.12.12 and 172.99.99.99
17:27 < dym> ah
17:27 < pekster> Erm, but not that last one
17:27 < dym> so they serve no real purpose?
17:27 < dym> ah
17:27 < dym> routing
17:27 < pekster> "something allowed and not in the /30" is the only goal
17:27 < dym> :D
17:27 < pekster> Right, it's "just" a way to describe "that thing I'm connected to"
17:28 < pekster> It means literally no more than that, and since it's the inside routing on a private VPN, you don't need to burn a public IP from your limited supply
17:31 < dym> Options error: --client-config-dir/--ccd-exclusive requires --mode server
17:31 < dym> what now, sherlock? :D
17:32 < pekster> My examples have that ;)
17:32 < dym> damn
17:32 < dym> they do
17:33 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:33 < dym> i really need to learn to read more carefully
17:34 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
17:34 < pekster> It's a somewhat advanced configuration, but from the standpoint of PtP, you can use any unrelated addresses. In your case the client-assigned IPs are the only "important" ones since you intend to actually route them
17:34 < dym> i understand
17:35 < dym> the private addresses are just for adressing purposes within the vpn construct
17:36 < pekster> They're also unrealted to the remote end (client1 could use '203.0.113.252/32 -> 10.1.2.3', except that causes extra headache if you push routes over the VPN
17:36 < pekster> But save that brainteaser for after you get the basics :P
17:37 < dym> mhhh
17:37 < dym> okay, so i have a client connected with .189
17:37 < pekster> "It's so simple, it's complicated"
17:37 < dym> ah routing.
17:37 < dym> sec
17:38 < pekster> Yup, so both your VPN server _and_ the VM host need to have routing enabled and configured properly. Firewalls need to allow the traffic, and the VM host must route the /30 to the VPN server's uplink address (on eth0)
17:38 < dym> ah, im missing the very upper routing of the vm host
17:40 < dym> 8.46.140.188/30 via 78.46.140.180 dev vmbr0
17:40 < dym> 78.46.140.188/30 via 78.46.140.180 dev vmbr0
17:40 < dym> here we go
17:40 < pekster> Looks right if that .180 is the VM guest IP
17:40 < dym> okay, pings hit the vpn server eth0
17:41 < dym> is this wrong?
17:41 < dym> 78.46.140.188/30 via 192.168.222.1 dev tun0
17:41 < SupaYoshi> Hey im getting protecting socket fd 10 error on my android phone.
17:41 < dym> (vpn server)
17:41 < SupaYoshi> And I dont understand whats goign wrong, cant find anything on that error really
17:41 < SupaYoshi> can find something on protecting socket fd 4
17:41 < SupaYoshi> but not 10?
17:41 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:42 < pekster> dym: That's what you want there, although my example should probably include a route for the VPN network like that too
17:43 < dym> pekster: traffics not going through though
17:43 < SupaYoshi> pekster, i have a working vpn client on windows, so I copied the openvpn.conf file to my android
17:43 < SupaYoshi> it imported it succesfully, but it gives me this error when i try to connect.
17:43 < SupaYoshi> Protecting socket fd 10
17:43 < pekster> dym: Forget IP routing, or firewall stopping it?
17:43 < SupaYoshi> and then after 5 times it stops
17:44 < pekster> SupaYoshi: Using the `OpenVPN for Android` product? People seem to have better luck with that verses the Connect product (although as of very recently, most of that code is supposed to be open-source now too)
17:45 < dym> pekster: nothing left to block
17:45 < SupaYoshi> ok ok :)
17:45 < SupaYoshi> let me try
17:45 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:45 < dym> VM host has: 78.46.140.188/30 via 78.46.140.180 dev vmbr0, vpn server has: 78.46.140.188/30 via 192.168.222.1 dev tun0
17:45 < pekster> dym: `sysctl net.ipv4.ip_forward` (should be 1)
17:46 < dym> well, on vpn server it obviously is
17:46 < dym> else all the traffic redirection wouldnt have worked :P
17:46 < pekster> And you're seeing traffic on the VPN server's eth0, right?
17:46 < dym> correct
17:46 < pekster> (no, that routing only sends it to the VPN client, which is the part that isn't working)
17:46 < dym> icmp is incoming when i ping
17:46 < pekster> If ip_forward is off, that will still arrive on eth0 so long as upstream sends it to you (ie: the VM host)
17:47 < dym> pekster: remember i said i had clients running on the vpn server before, utilizing the servers eth0?
17:47 < dym> anyways, it's on.
17:47 < pekster> If you were bridging, that's different
17:47 < pekster> BUt yes, on is good
17:47 < dym> no
17:47 < dym> i wanst
17:47 < dym> wasnt
17:47 < pekster> Firewall maybe? That or these routing weirdness
17:47 < dym> no firewall present
17:48 < pekster> Take a look at `iptables-save` for clues on the firewall
17:48 < dym> iptables -L shows an empty firewall
17:48 < pekster> Don't use -L
17:49 < pekster> -L shows you 1 of 5 possible tables involved (and while you _probably_ don't have anything in mangle, nat, raw, or security, you should use proper tools)
17:49 < dym> ah
17:49 < dym> :POSTROUTING ACCEPT [388:25632]
17:49 < dym> -A POSTROUTING -s 10.1.35.0/24 -o eth0 -j MASQUERADE
17:49 < dym> NAT from redirect
17:50 < pekster> That single rule won't pose a problem here since that /24 is not involved
17:50 < pekster> Other rules might pose issues though (depending on what they do)
17:50 < SupaYoshi> mhm thats odd
17:50 < dym> pekster: nothing else going on
17:50 < SupaYoshi> I get OpenVPN server, certificate verifcation failed. PolarSSL
17:50 < SupaYoshi> SSL read error X509 - Certificate verification failed.
17:51 < pekster> dym: Can I see the rules, please?
17:51 < dym> ah
17:51 < dym> pekster:
17:51 < dym> the client can communicate outwards using it's public ip
17:51 < dym> (tried an ip discovery webpage)
17:51 < dym> mhhh
17:51 < dym> it's an osx laptop
17:51 < pekster> I asked becuase I'd like to rule it out as a possibiliy, not be fed things 2 lines at a time
17:51 < pekster> SupaYoshi: Sounds like the cert presented from your server doesn't verify against the CA you have in that imported config
17:51 < SupaYoshi> thats odd.
17:52 < dym> dont think theres icmp  blocking going on
17:52 < dym> haha
17:52 < dym> odd
17:52 < SupaYoshi> cus im pretty certain it does :P
17:52 < dym> pekster: i just started a webserver on the client - it's reachable
17:52 < dym> pekster: odd pings wont work
17:52 < SupaYoshi> also, since other clientts (windows and linux) are able to authenciate with the same cert.
17:52 < pekster> dym: tcpdump on the server's tun0 interface; you should see them go out to the client
17:52 < pekster> If you do and get no replies, it's the client's fault
17:53 < dym> indeed no reply
17:53 < dym> odd
17:53 < dym> but thankfully the assignment works!
17:53 < pekster> client firewall, most likely
17:53 < dym> thank you so much
17:53 < SupaYoshi> dym, windows firewall is a bish
17:53 < dym> then something os x internally
17:53 < SupaYoshi> jus if yu are on windows.
17:53 < dym> its mac
17:53 < SupaYoshi> mhm
17:53 < SupaYoshi> ah ok.
17:54 < SupaYoshi> but em, pekster, any idea why the cert doesnt match according to OpenVPN connect on android?
17:54 < pekster> SupaYoshi: I'm not sure how verbose polarssl get, but do you get any more clues with --verb 4 in the client?
17:54 < SupaYoshi> The url is quite weird though, it says hostname.nl/autologin
17:54 < SupaYoshi> well thats the profile name it imports.
17:54 < SupaYoshi> which is odd to me.
17:54 < pekster> Smells like AS nonsense to me
17:55 < pekster> OpenVPN does not login using a "URL"
17:55 < pekster> It connects using a --remote IP
17:55 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 245 seconds]
17:55 < SupaYoshi> yes
17:55 < SupaYoshi> but like, it shows that in the app :P
17:55 < SupaYoshi> hehe
17:55 -!- vexingWinter [~Tantalus@c-76-123-182-108.hsd1.ms.comcast.net] has quit [Quit: Leaving]
17:56 < SupaYoshi> I have a url in my client config, to make it easier.
17:56 < SupaYoshi> to connect.
17:56 < pekster> A hostname?
17:56 < SupaYoshi> (well in case my ip would change I can just edit the domain things.
17:56 < pekster> Again, openvpn does not have anything to do with a URL
17:56 < SupaYoshi> ik.
17:56 < SupaYoshi> I used a hostname instead of a IP
17:56 < SupaYoshi> in the client.conf
17:56 < SupaYoshi> so that if my IP would ever change.
17:56 < SupaYoshi> Id not have to edit hte configs on all devices.
17:56 < pekster> Yup, openvpn doesn't care (it runs it through gethostbyname(2))
17:56 < SupaYoshi> but just the dns settings of the domain.
17:57 < SupaYoshi> k i get u :P but, like. It looks like its doin something?
17:57 < SupaYoshi> lemme try editing it and see what happens.
17:58 < pekster> Add some more verbosity if you can. And you might try `openvpn for android` which is based on the current OpenVPN code; Connect is all-new code that's unrelated to the current 2.x series development
17:58 < SupaYoshi> http://paste.ubuntu.com/7590889/
17:58 < SupaYoshi> this is my config btw.
17:58 < pekster> The new codebase has just recently been released and most of us here have little to no experience with it
17:58 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
17:58 < SupaYoshi> pekster, i used openvpn for android just earlier, and that gave that error fd10
17:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
17:59  * pekster pokes plaisthos ^^ seen that "protecting socket fd 10" before, on OpenVPN for Android?
18:00 -!- fred`` [fred@earthli.ng] has joined #openvpn
18:00 < pekster> SupaYoshi: AFAICT, that's not an OpenVPN-specific error message, so it might have something to do with Android internals. It may or may not be related to the Connect problems, although I suspect they're different issues
18:01 < SupaYoshi> I see.
18:01 < pekster> Are you using any exotic --cipher, --auth, or --tls-cipher settings on the server? Or any abnormal properties in your generated certs?
18:02 < SupaYoshi> nuh i dont think so
18:03 < SupaYoshi> http://paste.ubuntu.com/7590889/ - client.conf
18:03 < SupaYoshi> http://paste.ubuntu.com/7590923/ - server.conf
18:04 < dym> pekster: help me out here. the /29 within 78.46.140.176/28 would be 78.46.140.184/29?
18:04 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:04 < dym> the second half at least
18:04 < dym> :D
18:04 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
18:04 < pekster> SupaYoshi: Yea, simple enough. polarssl has some limitations on the ciphers it supports, but you're just using the program defaults which are supported fine
18:05 < SupaYoshi> okay.
18:05 < SupaYoshi> I am using a chinese phone though?
18:05 < SupaYoshi> Might be china not liking me using a VPN? :P
18:05 < SupaYoshi> (lol lol)
18:05 < SupaYoshi> haha, :P idk, just a guess. lol
18:06 < SupaYoshi> https://s3.amazonaws.com/pushbullet-uploads/ujxmyuGuoXk-iIJdg6tD0xFvqhBslVO7VA77Sfzv8qGi/Screenshot_2014-06-05-01-06-19.png
18:06 < pekster> dym: So 176 + 2^(32-28) is 176 + 2^4 = 176 + 16 = 184
18:07 < pekster> dym: A tool like sipcalc can be used at the CLI to do subnet calculations, like splitting a subnet
18:07 < pekster> THat same math can be done with the sipcalc command: `sipcalc 78.46.140.176/28 -s /29` which asks it to split th egiven /28 in to its component /29 segments
18:07 < SupaYoshi> Log file: https://s3.amazonaws.com/pushbullet-uploads/ujxmyuGuoXk-dZTSJF6yzdAijoqaVbu3iDQZbqWAAt4c/Screenshot_2014-06-05-01-07-13.png
18:09 < SupaYoshi> i just read this: https://forums.openvpn.net/topic11986.html
18:09 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect certificate error : OpenVPN Connect (iOS) (at forums.openvpn.net)
18:09 < pekster> SupaYoshi: It could very well be if the managed to remove whatever the VPN software requries from a crypto standpoint
18:09 < SupaYoshi> pekster, i dunt think they have, its just a normal rom :P hehe i flashed it, im jus messing
18:10 < pekster> So it's a generic verification problem
18:10 < pekster> You might try verifying you're using the same CA cert (check the hash) against another device that is working
18:11 < dym> cheers pekster
18:11 < SupaYoshi> im quite sure i am, cus i copied the ca.cert from the laptop to the phone lol
18:11 < SupaYoshi> Ill redo it, to see what happens.
18:12 < pekster> You can compare issuing authority of the server's cert against your CA fingerprint too. However unlikely, there's always the possibility that it is being interfered with, but that tends to be pretty rare in practice
18:14 < pekster> Oh, and my math was off by 1: should have been 2^3 for 32-29 ;)
18:14 < SupaYoshi> pekster, i see.
18:14 < pekster> Becuase you're raising 2 to the power of the difference between a single host and the subnet you wish to "add" to your starting one
18:15 < SupaYoshi> could it have something to do with me changing the ca.cert of the server itself? o.o or apache?
18:15 < pekster> Plenty of websites out there to break the math down further for you
18:15 < SupaYoshi> I done that a while ago, my computers arent complaining?
18:15 < SupaYoshi> But android app might?
18:15 < pekster> SupaYoshi: If you re-generate your CA, you must regneratate your _entire_ PKI
18:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:15 < pekster> !intro-to-pki
18:15 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
18:15 < pekster> Also, the server should not be your CA; it merely has a copy of the CA certificate
18:16 < SupaYoshi> oh no i didnt mean that.
18:16 < pekster> You shouldn't keep your private CA files on the VPN server
18:16 < SupaYoshi> Yes I kno that. :)
18:16 < pekster> Well, changing the CA on the VPN server implies a new CA, which would mean re-issuing new client certs and distributing the new CA cert to them
18:17 < SupaYoshi> oh yeah i done that.
18:17 < pekster> And this is why it doesn't work
18:17 < SupaYoshi> Well i ment soemthing else, :P nvm, im confusing now hah.
18:17 < SupaYoshi> All certs are from april 17 :) so are these.
18:17 < SupaYoshi> but somehwow they wont work on the android phone.
18:17 < SupaYoshi> .__.
18:18 < pekster> You can perform a manual verification aginst what the server has by taking a copy of the server.crt, copying it to a client system that has the ca.crt you're using in the config
18:18 < pekster> Then you do `openssl verify -verbose -CAfile /path/to/ca.crt /path/to/server.crt`
18:18 < pekster> That won't rule out MITM involvement, but otherwise it'll tell you if the far side has a valid cert or not
18:20 < pekster> Probably not necessary if it works on your PC though
18:20 < SupaYoshi> pekster, Im using an 3g connection from android to the VPN network. Could that have something to do with the MITM.
18:20 < SupaYoshi> But I also tried with Wifi and am getting the same error.
18:20 < pekster> Unlikely then, unless the phone itself is haxored
18:20 < SupaYoshi> Im sure it works, cus it works on a Linux box, and on a Windows laptop connected through this phone
18:21 < SupaYoshi> hehe i dun hope so :P
18:21 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
18:21 < SupaYoshi> lets focus on this error.
18:21 < SupaYoshi> Verify OK: Dept=0 error rendering cert.
18:22 < pekster> No idea; that's a connect-specific message
18:22 < SupaYoshi> ill try openvpn for android again
18:22 < pekster> It's obviously unhappy verifying the cert aginst the CA, but the rest of the error is pretty vauge
18:22 < SupaYoshi> let me see if i can get more logs.
18:22 < pekster> basically "something went wrong"
18:23 < SupaYoshi> heh yeh, i got that. i hate when errors are unclear. its like windows
18:23 < pekster> "eg CRL, CA, or signature check failed" -- those are all wildly different things
18:24 < SupaYoshi> okay this is odd...
18:24 < SupaYoshi> protecting socket fd 9 now.
18:24 < SupaYoshi> instaed of 10.
18:24 < SupaYoshi> let me see...
18:26 < pekster> Digging into the now-released openvpn3 code that Connect is using, it seems that "error rendering cert" message comes up when it fails to parse the cert info from the presented cert
18:26 < SupaYoshi> http://pastebin.com/N3Z5nBTV
18:26 < SupaYoshi> this helps a lot more i think.
18:27 < SupaYoshi> line 212
18:27 < pekster> different than the depth=0 returned by polarssl and openvpn3 (that's an odd difference, but I won't worry about that now)
18:28 < pekster> I trust the 2.x codebase more in this case. So the cert doesn't match the CA
18:28 < SupaYoshi> 2014-06-05 01:24:18 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=NL, ST=UT, L=Maarssen, O=Fort-Home, OU=HOMESRV, CN=HOMESRV, name=HOMESRV, emailAddress=homesrv@arwingship.nl
18:28 < pekster> self-signed means the CA cert presented by the far side is not trusted locally
18:28 < SupaYoshi> I see. :P
18:28 < SupaYoshi> Do I need to install it on android?
18:28 < pekster> No, you need to use the _same_ CA you signed the server with in your local config
18:28 < SupaYoshi> I believe I am
18:29 < pekster> Not according to line 210
18:29 < SupaYoshi> Well I think so.. at least.
18:29 < SupaYoshi> I have CA.crt the same in /etc/openvpn/easy-rsa/keys as in the client folder.
18:30 < pekster> They need to be the **SAME** CA
18:30 < pekster> You can't have "2" CA files
18:30 < pekster> I suggest you do manual verification of the server cert against whatever ca you're usnig in the client config
18:30 < pekster> That last log output shows they don't match
18:31 < SupaYoshi> i copied that ca.crt to my phone :P
18:32 < SupaYoshi> but okay lets see.
18:32 < pekster> It needs to be the one referenced by the config
18:32 < SupaYoshi> it is :P hehe.
18:32 < SupaYoshi> lol
18:32 < SupaYoshi> http://paste.ubuntu.com/7590889/
18:32 < SupaYoshi> client.conf.
18:32 < SupaYoshi> but lemme verify
18:34 < pekster> The config importer thingy usually puts that file inline
18:34 < pekster> What you probably want to do is take that inline contents from the file you sent to your phone, save it on-disk in a new directory on a system that has `openssl` present, and verify it as I showed earlier against a copy of what the server is using as its server.crt file
18:34 < pekster> (you'll want to transfer that from the server itself to ensure you're testing the copy it's sending)
18:38 < SupaYoshi> http://paste.ubuntu.com/7591105/
18:40 < pekster> You have an unqualified 'ca.crt' in your config
18:40 < pekster> What's the $PWD for that?
18:41 < SupaYoshi> PWD?
18:41 < pekster> current directory where you launch the config from?
18:41 < SupaYoshi> same as where the ca.crt is
18:41 < pekster> Do you actually start it from /etc/openvpn/easy-rsa/keys?
18:41 < pekster> Every time?
18:41 < SupaYoshi> Oh no, not on android.
18:41 < pekster> The importer puts it inline I think
18:42 < SupaYoshi> Yeah it should
18:42 < SupaYoshi> it does on windows.
18:42 < pekster> Then check _that_ file
18:42 < SupaYoshi> Oh on the clients i put the config everywhere.
18:42 < pekster> Not the ca.crt in some arbitrary directory on a different system :P
18:42 < SupaYoshi> lol
18:42 < pekster> That directory should have nothing at all to do with openvpn
18:42 < SupaYoshi> it doesnt
18:42 < SupaYoshi> I just used it right now to verify, found it easy.
18:42 < SupaYoshi> :p
18:43 < pekster> But the whole point of this is to test the CA your openvpn client is using, not the one you know works
18:43 < pekster> (presumably they're different, which is the whole point here)
18:46 < SupaYoshi> ok ok :)
18:47 < pekster> The give-away here is that 'self-signed cert in chain' error you get. It means "I found the root cert from the remote-presented bundle, but I can't authenticate it"
18:47 < pekster> That doesn't happen when it matches a CA you do trust
18:49 < SupaYoshi> okay tufuk
18:49 < SupaYoshi> http://paste.ubuntu.com/7591159/
18:50 < pekster> Yup
18:50 < pekster> Server cert was _not_ signed by the same CA you're using to verify
18:51 < pekster> fwiw, Connect supplies a really awful message here :\
18:51 < pekster> Maybe it's got better logging options though that go into more detail
18:52 < pekster> But the fix here is to use the right CA cert. Note that your client cert must have been signed by whatever the far end expects as well
18:52 < SupaYoshi> got yu
18:53 < SupaYoshi> its just so weird.
18:53 < SupaYoshi> as soon as i bring the file over to my phone
18:53 < SupaYoshi> it gets wrong.
18:54 < pekster> Don't use relative paths like that
18:54 < pekster> My guess is the importer has no idea where your "real" ca.crt is
18:54 < pekster> But I've no idea since I don't use openvpn on my phone
18:56 < SupaYoshi> wait :P
18:56 < SupaYoshi> something seems working somehow
18:56 < SupaYoshi> hold on
18:59 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
19:01 < SupaYoshi> k now its connecting....
19:01 < SupaYoshi> :p
19:02 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
19:02 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Client Quit]
19:04 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
19:05 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
19:05 < SupaYoshi> yeah it gets stuck on authenciating...
19:05 < SupaYoshi> http://paste.ubuntu.com/7591235/
19:05 < pekster> Check logs on the far side
19:06 < pekster> Sounds like you might have the same problem there (the client cert is rejected due to auth problems)
19:06 < pekster> Again, everything needs to be signed by the _same_ CA (there are split-CA setups, but that's far too complex to get into here)
19:07 < SupaYoshi> but it is the same CA.crt. I am absolutly sure . xD so weird.
19:08 < pekster> So check the logs first?
19:08  * pekster shrugs
19:09 < SupaYoshi> logs on the server?
19:09 < SupaYoshi> I am, it doesnt state anything
19:09 < SupaYoshi> wait
19:10 < SupaYoshi> i think u might be right?
19:10 < SupaYoshi> http://paste.ubuntu.com/7591252/
19:10 < SupaYoshi> it has no idea where the cert is? :P
19:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:10 < pekster> It can't find the issuing cert
19:10 < pekster> Your client cert is bogus
19:12 < SupaYoshi> bogus?
19:12 < pekster> Not signed by he CA = worthless, for this use
19:13 < SupaYoshi> k.
19:13 < SupaYoshi> wait u mean the client.crt?
19:13 < pekster> That's what the server is checking
19:13 < pekster> Why would the server check its own cert?
19:15 < SupaYoshi> heh idk
19:17 < SupaYoshi> success
19:17 < SupaYoshi> thanks
19:17 < SupaYoshi> pff
19:19 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
19:20 < SupaYoshi> damnnn
19:20 < SupaYoshi> finally i can see tv outside
19:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
19:20 < SupaYoshi> awh crap XD
19:22 < SupaYoshi> ah nvm :P
19:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:22 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:23 < SupaYoshi> fucking awesome :PP
19:23 < SupaYoshi> can see tv now through 3g and wherever i am :D woooooo
19:23 < SupaYoshi> thanks so much pekster !!!
19:23 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 260 seconds]
19:30 < SupaYoshi> hehe to bad my allowance is only 2 gigs a month .__.
19:31 < SupaYoshi> TV seems to use a lot of data :P hehe
19:46 < c00w> Does anyone know a way to tell a client to ignore a specific option pushed by a server? In this case the server is pushing ping-restart 60 and I'd rather have ping-exit 60
19:48 < pekster> c00w: Just set --ping-exit 60 yourself then
19:48 < pekster> Do it after the --pull statement though
19:50 < c00w> Thats not working. Config is http://ix.io/cNq, and its still doing ping-restart at 60.
19:52 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
19:54 < c00w> pekster, Unless putting it all the way at the bottom of the file would help?
19:55 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 265 seconds]
19:56 < pekster> Shouldn't matter; it might be that the config option is parsed, then gets overwritten with the server push
19:57 < c00w> Hmmm, I guess I'll play around with it, perhaps adding a ping-restart as well as a ping-exit will work.
19:57 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
19:59 < pekster> I don't think there's a way to avoid pulling that from the server without avoiding a push-request
19:59 < pekster> And as a client you can't just skip that part
19:59 < pekster> You could fix this server-side though with a client-specific ccd that pushes a push-exit instead of ping-restart
20:00 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
20:01 < c00w> Saddly the server is outside my control so that won't work.
20:01 < pekster> Recompile your client to not accept that option? :P
20:02 < c00w> Given that I'm having dns problems though, perhaps I should see if I can drop the dns entries we inserted from openvpn in a client side script before we try to do a soft restart.
20:02 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
20:06 < c00w> And it looks like up-restart does exactly what I want. Thanks.
20:18 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 260 seconds]
20:19 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:02 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:04 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
21:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 276 seconds]
22:00 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
22:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
23:13 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
23:16 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
23:45 -!- ShadniX [dagger@p5DDFD540.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:46 -!- ShadniX [dagger@p5481DC58.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Jun 05 2014
00:09 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
00:23 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
01:05 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 252 seconds]
01:06 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 252 seconds]
01:07 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
01:08 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
01:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:29 -!- mattock_afk is now known as mattock
01:31 -!- zafu [~pif@217-162-81-21.dynamic.hispeed.ch] has joined #openvpn
01:31 < zafu> hi, is it possible to tell openvpn to not care about the return code of the up/down commands
01:32 < Eugene> Sure, write a wrapper script and don't return an error code.
01:33 < zafu> ok, so there's no config parameter for that?
01:33 < Eugene> No.
01:33 < zafu> thanks
01:44 < zafu> what kind of routing command should I use if I want apps to use the vpn only if they bind to its local address?
01:53 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
01:53 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
01:54 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
01:56 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
01:56 < xylogics> hey
01:56 < xylogics> Can anyone help me or give me some advice on how to tunnel ips from a linux vps to a windows server using openvpn
02:22 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
02:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
02:41 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:47 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
02:47 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has joined #openvpn
02:48 < RickyB98> are webchats banned in this channel?
02:50 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:52 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:53 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
03:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:04 -!- naaw [~cb@181.222.70.115.static.exetel.com.au] has joined #openvpn
03:23 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has quit [Ping timeout: 245 seconds]
03:24 < naaw> Hi! I'm running a site-to-site tunnel using AES-128-CBC. Each end of the tunnel runs pfSense 2.1.3 with OpenVPN 2.3.2. Both firewalls are VMs with dedicated resources (E5-2430 CPUs). The connection at both ends are 100/100 Mbps. My tunnel throughput is ~20Mbps with and without LZO compression.
03:25 < naaw> The CPU utilization at both ends are ~ 15%
03:25 < naaw> I was hoping to get better throughout than this but don't really know what to expect
03:25 < naaw> Is anyone able to point me in the right direction?
03:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
03:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:39 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
03:41 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
04:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:26 <@syzzer> anyone actively operating this channel present? this guy AlexPortable just poked me he is banned from this channel but hasn't actually joined before.
04:29 <@plaisthos> syzzer: I think all webchats are banned or something like that
04:30 <@plaisthos> 11:29:55 -!- 3 - #openvpn: ban *!*@gateway/web/* [by krzee!~k@openvpn/community/support/krzee, 3767445 secs ago]
04:31 <@plaisthos> syzzer: I have no idea why/or what the reason is though
04:33 < zafu> what is the best ip anonymiser service (using openvpn) out there?
04:47 -!- naaw [~cb@181.222.70.115.static.exetel.com.au] has quit [Ping timeout: 240 seconds]
05:04 <@plaisthos> !search provider
05:04 <@vpnHelper> There were no matching configuration variables.
05:04 <@plaisthos> !provider
05:04 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
05:04 <@plaisthos> hm
05:04 <@plaisthos> not that
05:04 <@plaisthos> !factoids
05:04 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
05:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:06 <@plaisthos> zafu: we generally don't advise to use one or another VPN provider
05:06 <@plaisthos> this channel more centered around people who want to run their own client and server
05:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
05:16 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:18 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
05:19 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
06:06 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Ping timeout: 246 seconds]
06:08 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
06:11 -!- SKiTZO [~lennart@ti0003a400-3540.bb.online.no] has joined #openvpn
06:12 < SKiTZO> I am debugging my vpn connection. It is of the simple static key type. in the output of openvpn on the server I can see that local options hash does not match
06:12 < SKiTZO> what does that mean?
06:14 < SKiTZO> "Expected Remote Option hash: (VER=V4): '144508c6' and Local Options has (VER=V4): 'd14c5f5a'
06:14 < SKiTZO> arethey not supposed to be the same?
06:31 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:32 -!- SKiTZO [~lennart@ti0003a400-3540.bb.online.no] has quit [Ping timeout: 255 seconds]
06:36 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:48 -!- zapotek6 [~zap@109.52.130.85] has joined #openvpn
06:49 -!- zapotek6 [~zap@109.52.130.85] has quit [Max SendQ exceeded]
06:57 -!- zapotek6 [~zap@109.52.130.85] has joined #openvpn
06:57 -!- zapotek6 [~zap@109.52.130.85] has quit [Max SendQ exceeded]
07:07 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
07:07 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
07:15 -!- idl0r [~idl0r@gentoo/developer/idl0r] has joined #openvpn
07:18 -!- idl0r [~idl0r@gentoo/developer/idl0r] has left #openvpn []
07:48 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
08:03 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
08:09 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
08:20 -!- dazo_afk is now known as dazo
08:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
08:21 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:21 -!- early [~early@192.241.198.49] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
08:23 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
08:24 -!- early [~early@192.241.198.49] has joined #openvpn
08:33 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
08:36 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
08:41 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
09:21 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
09:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:50 -!- Ryu_Fitzgerald [~Ryu_Fitzg@c-76-26-176-87.hsd1.fl.comcast.net] has joined #openvpn
09:51 < Ryu_Fitzgerald> i am setting up a vpn.  It ask for a tunnel network and local network.  Is the tunnel networks the local network at the site that is providing the vpn service?
09:54 < Ryu_Fitzgerald> anyone
10:14 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
10:19 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:26 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
10:26 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:28 -!- dym [~patrick@unaffiliated/dym] has left #openvpn []
10:29 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 276 seconds]
10:30 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
10:30 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Max SendQ exceeded]
10:31 < ayaz> Hello. Is there an ETA on updated OpenVPN Windows installers?
10:32 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
10:32 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
10:37 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
10:40 < ayaz> Okay, never mind. I see that they are available already. Thank you.
10:50 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:52 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:54 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
10:54 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
10:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:55 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
11:02 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
11:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 260 seconds]
11:26 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:26 -!- mode/#openvpn [+v s7r] by ChanServ
11:28 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
11:35 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
11:39 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:42 < rob0> ayaz, o/ ... and yes, mattock works quickly!
11:43 < ayaz> rob0: \o Indeed! Many thanks.
11:53 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
12:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 245 seconds]
12:09 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
12:15 -!- Adran [adran@botters/staff/adran] has joined #openvpn
12:17 < Adran> Has anyone had success using an OpenVPN ipv4 tap/bridge and getting ipv6 router advertisements / dhcpv6 and getting an address+route client side on os x?
12:44 < rob0> You have to bring up ipv6 on the interface before you can use dhcpv6. You must have an ipv6 link-local address on the interface.
12:48 < Adran> Is there a way I can get openvpn to bring it up via the configuration? I'm presuming I'll need to do a script.
12:48 <@ecrist> --up
12:49 < Adran> So a script
12:49 < Adran> Alright, I was hoping there was something a bit more automatic/universal, but I'll go aim for that. Thanks
13:06 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:11 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
13:18 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
13:18 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
13:18 < xylogics> anyone here that can help me tunnel ips from a linux to a windows network
13:21 -!- Ryu_Fitzgerald [~Ryu_Fitzg@c-76-26-176-87.hsd1.fl.comcast.net] has quit [Quit: irc2go]
13:40 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
13:47 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
13:50 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
13:52 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:07 -!- Willdude123_ [~Willdude1@gateway/tor-sasl/willdude123] has joined #openvpn
14:27 -!- Ryu_Fitzgerald [~Ryu_Fitzg@c-76-26-176-87.hsd1.fl.comcast.net] has joined #openvpn
14:28 < Ryu_Fitzgerald> how do i set up a router to make everything on its network go through the vpn?
14:39 < Ryu_Fitzgerald> can anyone in this channel please help
14:40 <@ecrist> !howto
14:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:41 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:50 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:52 -!- Ryu_Fitzgerald [~Ryu_Fitzg@c-76-26-176-87.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
14:58 -!- svg [~svg@hydargos.ginsys.net] has left #openvpn []
14:58 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
15:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
15:06 -!- jamB43a [~jamB434a@71-13-169-66.static.ftbg.wi.charter.com] has joined #openvpn
15:07 < jamB43a> Is it possible to disable clients from auto reconnecting from the server?  (Community Edition)
15:09 < jamB43a> I already setup --ping-exit and --inactive but the clients keep reconnecting
15:19 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:25 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 272 seconds]
15:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:28 -!- jp- [~jp@unaffiliated/jp-] has quit [Ping timeout: 240 seconds]
15:31 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has joined #openvpn
15:31 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
15:36 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
15:44 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:45 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
15:47 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
15:53 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
15:54 < xylogics> hello
15:54 < xylogics> anyone here that can help me tunnel ips from a linux to a windows network
15:56 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
15:59 < pppingme> xylogics you have a routed subnet or what?
15:59 < xylogics> I am trying to get a routed subnet
15:59 < xylogics> But i have no idea how to route a subnet from a linux vps to my main windows server
15:59 < pppingme> if you don't have it yet, what are you tryign to tunnel?
16:00 < xylogics> I have about 23 ips on a linux vps that i want to be tunnelled to my main windows box
16:00 < pppingme> is it a true subnet, or just a range of ip's?   a BIG DIFFERENCE in how it would be handled
16:00 < xylogics> range of ips its a /27
16:00 < pppingme> then its easy, just add route statements to the next device until it gets where you want it.
16:01 < pppingme> then its probably best to make sure return traffic goes the same route
16:01 < pppingme> a range of ip's is not the same as a subnet..  if you have a TRUE /27 this is easy
16:02 < xylogics> ah i see i see
16:03 < xylogics> I believe itss a subnet the network owner has a /21 that he just lets /27s in the middle be brokered out
16:04 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
16:05 < pppingme> then establis a tunnel (you can use private or other ip's if needed) between the source of the ip's and the destination, between two routers, can be linux boxes, or whatever, then add routes for the /27, and you're good to go.
16:06 < xylogics> ahh i see i see
16:07 < pppingme> and its probably best that the destination also use the tunnel back to the source as its default route
16:07 < xylogics> So tunneling a /27 I would have to establish a tunnell from the linux vps and the windows servver and then use the tunnell back
16:08 < pppingme> thats best
16:08 < pppingme> since most isp's filter on source address and only allow their own ip's.
16:09 < xylogics> ahhhh
16:09 < xylogics> i see i see
16:10 < xylogics> So basically after i do this, and i add the ips to my windows server, the windows server looks at the ips from the linux server as its own network
16:10 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
16:10 < xylogics> ?
16:10 < pppingme> yep
16:12 < xylogics> kk time to try this
16:14 < xylogics> you know anything about GRE tunnells aswell?
16:14 < xylogics> or is it the same theory?
16:16 < pppingme> yeah, you could do it with a GRE tunnel, they are very fast and efficient, since there's no encryption or other things that add to their latency, on the flip side they are also very easy to "sniff" if thats a concern
16:16 < xylogics> not a concern at all
16:17 < xylogics> So i can use openvpn as a gre tunnel to route a /27 on a linux vps to a windows server?
16:18 < pppingme> an openvpn tunnel is not the same thing as a gre tunnel, they achieve the same end result, gre does it faster and more efficiently, openvpn encrypts, so pick one and go.
16:18 < xylogics> ah i see
16:20 < xylogics> so tunneling with a gre from a linux slave to windows complicated task you think?
16:20 < pppingme> I would do it linux <=> linux..
16:20 < xylogics> I can’t
16:20 < xylogics> the software that i use the ips for is a windows only software
16:21 < pppingme> the "software you use for ip's"???
16:22 < rob0> I've done GRE within openvpn.
16:22 < pppingme> rob0 what would be the point?
16:22 < xylogics> game server
16:23 -!- ShadniX [dagger@p5481DC58.dip0.t-ipconnect.de] has quit [Quit: Bye.]
16:23 < rob0> I had a second IP bound on another host on this end.
16:23 < pppingme> xylogics youy still run your game server or whatever it is on windows, you're just using the linux box as a router
16:23 < rob0> um, I mean, the GRE endpoint meant I didn't have to NAT
16:24 < xylogics> thats why packetsniffing isnt really a problem i just want the ip space to be on my windows
16:25 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
16:25 -!- ShadniX [dagger@p5481DC58.dip0.t-ipconnect.de] has joined #openvpn
16:25 < pppingme> xylogics right, using a linux router
16:25 < xylogics> yeah
16:27 < xylogics> so knowing my situation, would you reccomend openvpn as the software i should use?
16:28 < pppingme> no, I'd probably still go with a simple gre tunnel that you originally asked about
16:29 < xylogics> thing is i know how to gre tunnell using linux > linux but now linux > windows
16:30 < pppingme> which is why I recommend a linux router at both ends, it will make life simpler in the long run
16:32 < xylogics> i know i know but i simply cant
16:32 < xylogics> i wish i could
16:32 < xylogics> :’(
16:32 < xylogics> story of my life
16:39 < jamB43a> does anyone know a way to make the openvpn client not automatically reconnect? I'd prefer to do it on the server side to enforce it
16:40 < pppingme> jamB43a why would you not want it to auto reconnect?
16:41 < pppingme> seems like it would just cause massive confusion if it dropped
16:42 < jamB43a> for security, if they walk away from their PC so someone else can't just hop on it and have access
16:43 < pppingme> so you're taking a chance at the vpn dropping to fix that?  whats to keep the "new user" from just bringing the vpn back up?
16:43 < jamB43a> the passphrase required
16:44 < jamB43a> what do you mean taking a chance at the VPN dropping? I just want it to disconnect the idle user
16:49 -!- Willdude123_ [~Willdude1@gateway/tor-sasl/willdude123] has quit [Ping timeout: 272 seconds]
17:07 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
17:07 -!- cyrozap [~cyrozap@198.23.172.133] has quit [Ping timeout: 260 seconds]
17:18 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
17:20 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
17:22 -!- cyrozap [~cyrozap@198.23.172.133] has joined #openvpn
17:24 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
17:26 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
17:33 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
17:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:37 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 265 seconds]
17:42 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:56 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
18:08 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 260 seconds]
18:13 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
18:15 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
18:16 < pekster> jamB43a: read about --ping-exit verses --ping-restart
18:16 < pekster> And maybe --inactive
18:16 < pekster> (though the last is eaisly made useless if a user just keeps a ping running)
18:22 -!- dazo is now known as dazo_afk
18:24 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 276 seconds]
18:33 -!- larryone [~larryone@176.61.1.155] has quit [Ping timeout: 276 seconds]
18:41 < Eugene> !fail2ban
18:41 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
18:41 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has quit [Remote host closed the connection]
18:55 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has joined #openvpn
18:58 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
19:11 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 272 seconds]
19:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
19:19 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:32 -!- s7r [~s7r@openvpn/user/s7r] has left #openvpn []
19:58 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
19:59 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
20:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:03 -!- mode/#openvpn [+v s7r] by ChanServ
20:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:19 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 272 seconds]
20:21 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
21:18 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
21:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
21:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:46 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:18 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
22:24 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
22:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:25 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
22:28 -!- cransom [~cransom@petit.hubns.net] has joined #openvpn
22:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
22:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:34 -!- mode/#openvpn [+v s7r] by ChanServ
22:38 < RBecker> so how does one get an openvpn/user cloak
22:42 < thumbs> RBecker: you find the group contact and ask him.
22:48 < reiffert> it's ecrist.
22:48 < reiffert> !factoids search --values cload
22:48 <@vpnHelper> No keys matched that query.
22:48 < reiffert> !factoids search --values cloak
22:48 <@vpnHelper> No keys matched that query.
23:00 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:00 < RBecker> ecrist: ping
23:13 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
23:17 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:17 -!- mode/#openvpn [+o mattock_afk] by ChanServ
23:17 -!- mattock_afk is now known as mattock
23:36 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
23:43 -!- ShadniX [dagger@p5481DC58.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:44 -!- ShadniX [dagger@p5DDFFF2D.dip0.t-ipconnect.de] has joined #openvpn
23:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-yivjugthxqkcclcc] has quit [Ping timeout: 260 seconds]
23:54 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
23:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-aohnkgpkzunvfsii] has joined #openvpn
--- Day changed Fri Jun 06 2014
00:02 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
00:03 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
00:04 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 240 seconds]
00:05 -!- Clone [~Clone@2001:470:d3a1::fa:cade] has quit [Ping timeout: 240 seconds]
00:09 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 264 seconds]
00:09 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 264 seconds]
00:09 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
00:09 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 264 seconds]
00:10 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 264 seconds]
00:10 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
00:15 -!- Netsplit *.net <-> *.split quits: adaptr, tempus_fol, NucWin, hive-mind, Nothing4You, defswork, MatToufoutu, get, Sembei, phreakocious,  (+116 more, use /NETSPLIT to show all of them)
00:21 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Write error: Broken pipe]
00:21 -!- peper [~peper@gentoo/developer/peper] has quit [Write error: Connection reset by peer]
00:27 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
00:27 -!- jtrucks [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
00:27 -!- Netsplit over, joins: jareth_
00:27 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
00:27 -!- Netsplit over, joins: kirin`, ShadniX, bears, @mattock, +s7r, tempus_fol, cransom, jgeboski, Linmu, codehero (+32 more)
00:27 -!- ServerMode/#openvpn [+oov plai mattock s7r] by asimov.freenode.net
00:27 -!- Netsplit over, joins: Sembei, abbe, cyberspace-, Cybertinus, indy, Ulrar, Plastefuchs_, @dazo_afk, clu5ter, phreakocious (+72 more)
00:28 -!- jtrucks [~jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
00:29 -!- Netsplit *.net <-> *.split quits: adaptr, tempus_fol, NucWin, hive-mind, Nothing4You, defswork, MatToufoutu, get, Sembei, phreakocious,  (+117 more, use /NETSPLIT to show all of them)
00:33 -!- Netsplit over, joins: peper, jareth_, @plai, kirin`, ShadniX, bears, @mattock, +s7r, tempus_fol, cransom (+115 more)
00:34 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
00:36 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
00:36 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
00:36 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
00:39 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
01:03 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
01:06 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
01:07 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
01:10 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
01:11 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
01:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:25 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
01:29 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
01:30 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
01:46 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:56 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
02:02 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
02:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:04 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
02:09 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
02:11 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
02:11 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 264 seconds]
02:13 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
02:15 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
02:16 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:22 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
02:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:25 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
02:32 -!- SomeRando22 [SomeRando2@pool-72-75-233-61.bflony.fios.verizon.net] has joined #openvpn
02:32 < SomeRando22> hello i have a question, how do i assign public static ip from server company to vpn clients?
02:38 -!- lilalinuxKL [~lilalinux@firewall01.talentformation.kunden.net-lab.net] has joined #openvpn
02:38 < lilalinuxKL> Why does this config still pull routes? http://pastebin.com/3HwdAizj
02:39 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
02:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
02:46 -!- mode/#openvpn [+o plaisthos] by ChanServ
02:48 -!- lilalinuxKL [~lilalinux@firewall01.talentformation.kunden.net-lab.net] has quit [Ping timeout: 240 seconds]
02:58 -!- dazo_afk is now known as dazo
03:18 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
03:20 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
03:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:35 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 252 seconds]
03:36 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
03:37 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
03:51 -!- lilalinu_ [~lilalinux@firewall01.talentformation.kunden.net-lab.net] has joined #openvpn
03:51 < lilalinu_> got disconnected :-(
03:51 < lilalinu_> has there been a reply to my question?
03:57 -!- lilalinu_ [~lilalinux@firewall01.talentformation.kunden.net-lab.net] has quit [Ping timeout: 252 seconds]
04:13 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 252 seconds]
04:21 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has quit [Ping timeout: 252 seconds]
04:22 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
04:22 -!- mode/#openvpn [+o dazo_afk] by ChanServ
04:22 -!- dazo_afk is now known as dazo
04:42 < SomeRando22> anyone home mofo
05:10 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has quit [Ping timeout: 260 seconds]
05:13 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
05:14 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
05:19 -!- Plastefuchs_ [~fweee@198.98.120.235] has quit [Ping timeout: 252 seconds]
05:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:27 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
05:28 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
05:33 -!- Plastefuchs_ [~fweee@198.98.120.235] has joined #openvpn
05:46 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
05:50 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has joined #openvpn
06:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-aohnkgpkzunvfsii] has quit [Ping timeout: 245 seconds]
06:05 -!- kirin` [telex@gateway/shell/anapnea.net/x-iltfwqsfxvjzouze] has joined #openvpn
06:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
06:11 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
06:15 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 276 seconds]
06:26 -!- larryone [~larryone@185.32.152.150] has quit [Quit: Leaving]
06:27 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:52 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:15 -!- hyper_ch [~hyperch@ns99.roleplayer.org] has joined #openvpn
07:16 < hyper_ch> hmmm, is it smart to put private keys can ca.crt into the openvpn.conf ?
07:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:21 <@ecrist> RBecker: pong
07:30 -!- zafu [~pif@217-162-81-21.dynamic.hispeed.ch] has quit [Quit: leaving]
07:33 -!- nick4 [~nick4@178.128.1.129.dsl.dyn.forthnet.gr] has joined #openvpn
07:36 < nick4> Can I execute the OpenVPN GUI from a batch file and tell it to search for a .ovpn file in a dir other than 'config'? I know I can change this from the registry but I'd preferably not do that.
07:36 < nick4> Wait, I think I found it
07:37 < hyper_ch> from batch file?
07:37 < hyper_ch> why not at login?
07:39 < nick4> it's a VPN setup for gaming
07:39 < reiffert> he wants to run the gui from a batch file. Period.
07:39 < nick4> yeap, I got it
07:40 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
07:40 < reiffert> hyper_ch: can you help me reinvent the wheel?
07:40 < hyper_ch> reiffert: often people don't know what they want
07:40 < hyper_ch> reiffert: the wheel... that's a tough one... you sure you wanna do that?
07:40 < reiffert> let's start with this [.] - will it work?
07:40 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
07:40 < reiffert> I think it will on a surface like /\/\//\/\/\/\
07:41 < reiffert> sorry [.] distracted me ..        (.)(.)     popped up in my head next
07:41 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
07:41 < rob0> haha
07:42 < nick4> hyper_ch asked just to make sure I wasn't doing something unproductive
07:42 < hyper_ch> nick4: don't worry about me... usually it's me who is mean to others
07:42 < nick4> I didn't feel anything mean
07:42 < rob0> Why wouldn't you just run openvpn.exe from your batch file?
07:43 < rob0> or, run it as a service?
07:43 < nick4> that's what I was doing so far - to get rid of the cmd window in the taskbar and give users an easier way to understand what's happening and manage things
07:43 < nick4> oh, it's a game VPN, I don't want it always on
07:43 < rob0> multiple users on one Windows machine?
07:44 < nick4> no
07:44 < nick4> one linux server, multiple windows clients
07:45 < nick4> another question: is there a way to auto-update OpenVPN? Or at least run something that will check for newer versions? (I know there is a notification email list)
07:45 < nick4> I'm talking about Windows here
07:46 < rob0> That is not an openvpn feature, so maybe it is a Windows question.
07:46 -!- torezzz [~user@KD027081024147.ppp-bb.dion.ne.jp] has joined #openvpn
07:47 < hyper_ch> can openvpn be as easily compiled for windows as for linux? I mean ./configure && make && make install is so simple
07:47 < nick4> thanks rob0
07:47 < hyper_ch> if so, you can easily "update" openvpn also on Windows :)
07:48 < torezzz> Hello. How can i use VPN on my VPS ? When i start openvpn i got disconnected, and be no able to connect back to my VPS.
07:49 < hyper_ch> don't use redirect-gateway def1 I'd guess
07:49 < hyper_ch> also, do your VPS allow tun or tap?
07:50 < torezzz> have no idea.. how i can check this ?
07:50 < hyper_ch> check your plan at your vps provider
07:50 < torezzz> ok
07:52 < rob0> hyper_ch, I don't think so. For one thing, you would have to install a programming environment; Windows does not come with such a thing.
07:53 < hyper_ch> rob0: I was more think if you have the build toold and stuff.... make install on *nix just puts stuff automagically into the right places... but on windows how would you achieve that
07:53 < torezzz> on their page there is nothing about that :/ i probably need to write them
07:54 < rob0> hyper_ch, yeah, I don't know
07:54 < hyper_ch> torezzz: url?
07:54 < rob0> tun and tap are features of the same driver (tun), so I doubt it matters.
07:54 < torezzz> https://www.vpsbg.eu
07:54 <@vpnHelper> Title: VPS Хостинг - Виртуални сървъри на ниска цена (at www.vpsbg.eu)
07:55 < rob0> oh weird, "hosting" transliterated
07:56 < hyper_ch> openvz
07:56 < rob0> !openvz
07:56 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
07:56 < hyper_ch> doesn't that use the actualy hosts kernel?
07:56 < rob0> yes
07:57 < hyper_ch> torezzz: have a read at that wiki entry and good luck
07:58 < torezzz> yes, reading it now. thanks
08:00 -!- zapotek6 [~zap@213.149.219.85] has quit [Ping timeout: 255 seconds]
08:02 < hyper_ch> torezzz: it seems that host must allow the access to the tun/tap.....
08:03 < torezzz> ok, i try to configure my vps
08:07 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
08:11 -!- Mimiko [~Mimiko@77.89.245.38] has quit [Remote host closed the connection]
08:19 < torezzz> i probably misundertsand what i need todo ... these commands in http://wiki.openvz.org/VPN_via_the_TUN/TAP_device is for controling openVZ
08:19 <@vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Linux Containers Wiki (at wiki.openvz.org)
08:19 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
08:20 < torezzz> but since i'm just a vps subsciber i can't configure anything about openvz
08:21 < hyper_ch> torezzz: you'll need to ask your host if they can enable it
08:22 < torezzz> i see
08:22 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
08:22 < torezzz> will do
08:23 -!- debbie10t [~ma1com10t@host-92-20-69-169.as13285.net] has joined #openvpn
08:29 -!- torezzz [~user@KD027081024147.ppp-bb.dion.ne.jp] has left #openvpn []
08:34 < debbie10t> With regard to "update-resolv-conf" - why is there nothing in the HOWTO or manual about this script ?
08:36 <@ecrist> because nobody's written it
08:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
08:36 < debbie10t> is that it ... !
08:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:40 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:40 < debbie10t> does "update-resolv-conf" work for MAC ?
08:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:47 < gac> don't think so, OS X has its own ways of setting nameservers (doesn't use resolv.conf except in ancient versions, IIRC)
08:49 <@ecrist> the tunnelblick folks have written scripts to handle the DNS stuff
08:49 <@ecrist> debbie10t: if you want to put the work in to write the docs, you're more than welcome.
08:49 < debbie10t> i am looking it up on wiki as we speak
08:52 < gac> yep, i've found tunnelblick's support scripts work well as long as you're up to date - there were changes in Mavericks that "broke" older versions of tunnelblick
09:10 <@plaisthos> gac: Cocoa/Carbon programs don't use resolv.conf but iirc normal command line tools still do
09:11 < gac> yeah, possibly. i forget how it works, i'm not a full time OSX user
09:12 <@plaisthos> but that may have changed
09:12 <@plaisthos> no idea. Apple does crazy things sometimes
09:23 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
09:24 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:27 < RBecker> ecrist: i hear you're the openvpn group maintainer?
09:27 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
09:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:34  * plaisthos wonders what the openvpn group maintainer is 
09:43 < rob0> for freenode
09:44 < rob0> ecrist, RBecker wants an openvpn user cloak.
09:45 -!- dasdajs [~dasdajs@unaffiliated/dasdajs] has joined #openvpn
09:46 < dasdajs> !heartbleed
09:46 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
09:46 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
09:47 <@ecrist> yes, I am
09:48 <@ecrist> openvpn/user/RBecker ok?
09:48 <@ecrist> plaisthos: I'm the "official" representative for OpenVPN on freenode
09:48 <@ecrist> we had to file paperwork and everything
09:49 < hyper_ch> ecrist: is there a good reason why you shouldn't put the certs and stuff into the config.conf on a client?
09:49 <@ecrist> no, at $work that's exactly what I do
09:49 <@ecrist> ssl-admin even supports putting them inline for you
09:49 <@ecrist> you can also put your dh params inline, too
09:50 < hyper_ch> dh params?
09:50 <@ecrist> !dh
09:50 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
09:50 < hyper_ch> that's only for the server, right?
09:51 < hyper_ch> well, I just thought for clients it's much easier if you give them just one file that contains everything and tell them to put it into the openvpn conf folder
09:52 <@ecrist> nothing wrong with it, at all
09:52 < hyper_ch> good to know
09:52 < dasdajs> Hi, when I try to contact web serivce on my openvpn server, I get not connection. I've opened the ports needed in the firewall and everything seems to be running fine. I can connect without any trouble to the vpn service, but no access to web service. What do I do here?
09:53 < hyper_ch> !ipforward > dasdajs
09:53 <@ecrist> are you trying to connect to the web service on the same IP as your VPN server?
09:53 < hyper_ch> there's no factoid?
09:53 -!- nick4 [~nick4@178.128.1.129.dsl.dyn.forthnet.gr] has quit [Ping timeout: 260 seconds]
09:53 < dasdajs> ecrist, no the openvpn lan ip
09:54 < dasdajs> !ipforward
09:54 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
09:54 <@ecrist> are you pushing the correct routes?
09:54 <@ecrist> !configs
09:54 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:54 <@ecrist> !goal
09:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:55 -!- nick4 [~nick4@178.128.4.70.dsl.dyn.forthnet.gr] has joined #openvpn
09:55 < dasdajs> I would like to access my webpage which runs on the vpn ip, and i'm connectet from my client to the server, but i can't even ping the vpn ip the server
09:56 < dasdajs> I'll check the routes, 2sec
09:59 < dasdajs> Well i'm not sure.. doesn't look like
10:00 < hyper_ch> is the vpn connection established?
10:04 < dasdajs> Yes
10:04 < dasdajs> And the client receives the push command
10:05 < dasdajs> I get this error: ERROR: Windows route add command failed [adaptive]: returned error code 1
10:09 < hyper_ch> did you run the gui as admin?
10:10 < jamB43a> Right click and choose Run as admin
10:10 < dasdajs> Now it works, thx
10:10 < hyper_ch> you want to autostart it at boot up?
10:10 < dasdajs> Found out that it's because my client doesn't change the route
10:11 < dasdajs> I didn't run it as admin, just normal user :b
10:11 < hyper_ch> normal user isn't allowed to add routes
10:11 < dasdajs> Ye, found that out :b
10:12 < jamB43a> on the openvpn shortcut  right click->properties->Compatibility Tab->at the bottom check the box Run this as an administrator.
10:12 < jamB43a> then you don't have to worry about it
10:12 < hyper_ch> if you want to run it automagically at boot up open "Task Scheduler
10:12 < dasdajs> Nice, thanks guys :
10:12 < dasdajs> :)
10:13 < hyper_ch> Action -> New Task
10:13 < dasdajs> Oh, apparently I got to vpn configurations, one for admin and one for my user
10:14 < hyper_ch> and then in the general tab be sure to check the "run with highest privileges" checkbox
10:14 < dasdajs> That's why I couldn't get vpn working as admin
10:14 < hyper_ch> and I set the Trigger to run at "log on" for "any user"
10:15 < hyper_ch> and as action select the openvpn-gui.exe and as argument add:   --connect PROFILE.ovpn
10:15 < hyper_ch> that's how I autostart it :)
10:16 < dasdajs> Ah nice, didn't knew that either :b haven't used task manager before hehe
10:16 < dasdajs> thx for the advice :}
10:16 < hyper_ch> not task manager
10:16 < hyper_ch> task scheduler ;)
10:16 < dasdajs> ye sorry :b
10:16 < dasdajs> You knew what I meant :b
10:17 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
10:24 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
10:30 <@ecrist> RBecker: ping
10:32 -!- Willdude123 [~Willdude1@gateway/tor-sasl/willdude123] has joined #openvpn
10:32 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
10:34 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
10:34 -!- Willdude123 [~Willdude1@gateway/tor-sasl/willdude123] has quit [Remote host closed the connection]
10:34 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Write error: Connection reset by peer]
10:35 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:36 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:55 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
10:55 -!- mode/#openvpn [+o novaflash] by ChanServ
11:02 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:12 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
11:13 < debbie10t> On Trac - To add say ... "using update-resolv-conf for linux to assign DNS server in resolv.conf" to the FAQ - it is done like so : Edit the FAQ page and add the "using update-resolv-conf ..." entry -- then "attaching" a file for that entry with instructions for using update-resolv-conf ?  if so .. what is the numbering system : eg. https://community.openvpn.net/openvpn/wiki/281-what-to-do-if-the-installation-of-the-tap-win32-driver-fai
11:13 < debbie10t>  ==[ Number 281 ]==
11:14 < debbie10t> i expect this is _not_ how its done ..
11:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:16 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 240 seconds]
11:17 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
11:18 -!- hyper_ch [~hyperch@ns99.roleplayer.org] has left #openvpn ["Konversation terminated!"]
11:35 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:41 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
11:53 -!- outofbounds [~outofboun@198.199.109.226] has quit [Quit: ZNC - http://znc.in]
11:55 -!- cransom [~cransom@petit.hubns.net] has left #openvpn []
11:55 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
12:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:01 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:01 -!- mode/#openvpn [+v s7r] by ChanServ
12:02 -!- jamB43a [~jamB434a@71-13-169-66.static.ftbg.wi.charter.com] has quit [Quit: Leaving]
12:02 -!- Saul775 [~Saul@12.6.176.106] has quit [Quit: Leaving]
12:03 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
12:16 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
12:16 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
12:25 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
12:54 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
12:59 -!- lbft_ [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
13:03 <@ecrist> !learn cloak as Talk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
13:03 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:04 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
13:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
13:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
13:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ
13:07 <@ecrist> !learn cloak as Talk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
13:07 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:07 <@ecrist> fuck you, bot
13:07 < rob0> haha
13:07 < debbie10t> lol
13:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Client Quit]
13:08 -!- nick4 [~nick4@178.128.4.70.dsl.dyn.forthnet.gr] has quit [Ping timeout: 252 seconds]
13:09 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
13:09 -!- mode/#openvpn [+o vpnHelper] by ChanServ
13:09 <@ecrist> !learn cloak as Talk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
13:09 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:09 <@ecrist> :(
13:09 < debbie10t> can i get a cloak ?
13:09 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
13:09 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
13:10 <@ecrist> sure
13:10 -!- nick4 [~nick4@62.1.189.93.dsl.dyn.forthnet.gr] has joined #openvpn
13:10 < debbie10t> cheers =]
13:11 < debbie10t> Sorry .. where are my manners ^^ pleas & hankyou
13:11 < debbie10t> damm keyboard
13:14 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
13:16 <@ecrist> debbie10t: you should have a PM from a netop now
13:17 < debbie10t> ok
13:18 -!- debbie10t [~ma1com10t@host-92-20-69-169.as13285.net] has quit [Changing host]
13:18 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
13:20 <@ecrist> now don't say I never did anything for ya
13:23 < debbie10t> i never ever did .. but thanks :)
13:24 <@ecrist> now do me a favor and enter that !learn command I've been trying to save
13:24 < debbie10t> i will be needing a hammer ...
13:24 <@ecrist> it'll work for you now
13:25 < debbie10t> !learn cloak as Talk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
13:25 <@vpnHelper> Joo got it.
13:25 < debbie10t> rofl
13:25 <@ecrist> see?
13:25 < debbie10t> lololol .. see :)
13:25 <@ecrist> I have a weird host cloak the bot doesn't parse properly amd I've been too lazy to fix the python responsible
13:27 < debbie10t> The "todo" List !
13:28 < debbie10t> !cloak
13:28 <@vpnHelper> "cloak" is Talk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
13:35 -!- lbft_ [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
13:40 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
13:41 -!- rapha [~rapha@unaffiliated/rapha] has joined #openvpn
13:41 < rapha> Hi!
13:42 < rapha> Without my OpenVPN server config having changed, my clients don't get routed through to the internet anymore. The logs are full of "bad source address from client". What is going wrong?
13:44 -!- eN_Joy [~zhou3594@zjd2014.srtc.ou.edu] has joined #openvpn
13:50 < eN_Joy> i am running OpenVPN 2.3.2, recently when i try to create client cert, i got `Error Loading extension section usr_cert` full message here: http://pastebin.com/6aHY1LPT what should i look at?
13:50 < debbie10t> rapha: see https://community.openvpn.net/openvpn/wiki/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq
13:50 <@vpnHelper> Title: 317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq – OpenVPN Community (at community.openvpn.net)
13:53 < rapha> debbie10t: thanks; I know that FAQ. It doesn't apply to my situation though. Especially since the internet should be available to all clients. The FAQ seems to be about a problem where a network on the client's side needs to be available to the openvpn server.
13:54 < debbie10t> rapha: do you use windows clients ?
13:54 < rob0> Apparently one or more clients is routing traffic through the VPN with an unrecognized source address.
13:55 < rapha> debbie10t: currently, one linux and one windows client are connected.
13:55 < RBecker> ecrist: pong, sorry for IRC tag, yeah openvpn/user/RBecker is cool
13:56 < rapha> rob0: I just found a curious hotfix: "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE". curious, because that rule was already in the table 4 times. now 5, but apparently the clients can access the internet again.
13:57 < rapha> debbie10t: interesting, now the message has indeed disappeared for the linux client. only for the windows client is it still showing up, even though he, too, can now access the internet again.
13:57 < debbie10t> exactly
13:57 < rapha> debbie10t: so you're saying I should create a CCD for the windows client only?
13:58 < debbie10t> you do not need to
13:58 < rapha> *confused*
13:58 < debbie10t> the error is caused by windows using the wrong sorce address
13:59 < rapha> ah okay. so it cannot be fixed and should just be ignored?
13:59 < debbie10t> openvpn is just letting you know
13:59 < rapha> okay
13:59 < debbie10t> it can be fixed
13:59 < rapha> but on the windows side i presume?
13:59 < debbie10t> it is not really an error though
13:59 < rob0> Well, if your Windows is doing something wrong, sure, you might want to fix it, ^^ yes
13:59 < debbie10t> yesah windows
14:00 < debbie10t> the way i like to do it is to setup CCD routing for a single host and not the whole client subnet
14:01 < debbie10t> but that only works if your windows client always get the same IP from their DHCP or have static IP
14:01 < debbie10t> local IP not internet IP
14:02 < rapha> i.e., the same openvpn IP address? well, that should be possible, shouldn't it.
14:02 < debbie10t> no the same real IP
14:02 < debbie10t> on the eth0 or wlan
14:03 < debbie10t> does your server require access to your cvlient subnet ?
14:04 < debbie10t> btw: your VPN address will always be the same because you CAN control that with OpenVPN
14:05 < rapha> debbie10t: nah, our VPN is only about letting us appear with a German IP address from abroad. No need for client network access.
14:06 < rapha> (basically, you might say, it's a VPN for watching soccer games while staying abroad in restrictive dictatorships)
14:06 < debbie10t> basically -- you can ignore the bad address if you can confirm it is the right address for your client LAN IP - or you can setup CCD file and route/iroute for the host /32 not the network /24(ish)
14:08 < debbie10t> I would also say .. use tls-auth option aswell
14:08 < rapha> debbie10t: tls-auth is enabled
14:08 < rapha> debbie10t: so what would the ccd look like? i have an example one that says "ifconfig-push 10.8.0.1 10.8.0.6
14:08 -!- lbft- [~lbft@unaffiliated/lbft] has joined #openvpn
14:09 < debbie10t> rapha: http://openvpn.net/index.php/open-source/documentation/howto.html#scope
14:09 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:09 < rapha> whoops ... now there's the bus ... bb in 10 mins once i got the on-bus WLAN going
14:09 < debbie10t> read it but route for a single client not the entire client subnet
14:11 < debbie10t> rob0: sorry .. how would you fix windows .. the only solution i can think of is very fine grained firewall rules on windows (with 3rd party firewall) or not use windows ?
14:12 < rob0> I do not use nor support Windows, sorry.
14:12 < debbie10t> lol
14:13 < debbie10t> So i can file this : <rob0>Well, if your Windows is doing something wrong, sure, you might want to fix it, ^^ yes
14:14 < rob0> ? I suppose you can do what you will. And when people ask !notovpn questions, I can point it out.
14:17 -!- lbft_ [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
14:17 < debbie10t> !notovpn
14:17 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:18 < debbie10t> filed ;)
14:18 < debbie10t> remind me when ever you like ;)
14:23 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
14:24 < rapha> debbie10t: Okay, so that FAQ entry says to put something like 'push "route 10.66.0.0 255.255.255.0"' into the CCD where 10.66.0.0 is the server side LAN. I.e., in my case, the internet? What is that, then, 0.0.0.0?
14:24 < rapha> Argl, no, wait. It's probably the windows client's IP, even though I don't know why. So 'push "route 10.8.0.14 255.255.255.0"'
14:33 <@ecrist> RBecker: still here?
14:33 < RBecker> yessir
14:33 <@ecrist> ok, standby
14:36 <@ecrist> PM from netop incoming
14:37 -!- nick4 [~nick4@62.1.189.93.dsl.dyn.forthnet.gr] has left #openvpn []
14:38 < RBecker> kk
14:40 -!- lbft_ [~lbft@unaffiliated/lbft] has quit [Ping timeout: 260 seconds]
14:41 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
14:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
14:55 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
14:59 -!- lbft_ [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
14:59 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
15:01 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 454 seconds]
15:04 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
15:04 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
15:06 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
15:15 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
15:16 -!- lbft_ [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
15:19 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
15:20 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
15:21 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
15:21 -!- lbft- is now known as lbft
15:25 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
15:25 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:26 -!- justinzane [~justinzan@24.49.207.203] has quit [Write error: Broken pipe]
15:26 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
15:31 -!- doebi [~doebi@doebi.at] has quit [Quit: WeeChat 0.4.3]
15:33 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
15:34 -!- doebi [~doebi@doebi.at] has joined #openvpn
15:41 -!- bears [~bears@unaffiliated/bears] has quit [Ping timeout: 252 seconds]
16:04 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
16:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
16:13 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:13 -!- mode/#openvpn [+v s7r] by ChanServ
16:14 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:18 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
16:57 -!- RBecker [~Ryan@unaffiliated/rbecker] has quit [Changing host]
16:57 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
16:57 -!- mode/#openvpn [+v RBecker] by ChanServ
17:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:04 -!- larryone [~larryone@109.78.39.63] has joined #openvpn
17:09 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:18 -!- eN_Joy [~zhou3594@zjd2014.srtc.ou.edu] has left #openvpn []
17:22 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
17:24 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Quit: WeeChat 0.4.3]
17:26 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
17:38 < Jeroen52> Just a quick question, to fix CVE-2014-0160 do I need to install OpenSSL 1.0.1h and restart OpenVPN, or do I need to build it again?
17:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
17:42 < rob0> is that heartbleed?
17:42 < rob0> !heartbleed
17:42 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
17:42 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
17:45 < Jeroen52> Nope.
17:46 < Jeroen52> Wait
17:46 < Jeroen52> CVE-2014-0160 is heartbleed
17:46 < Jeroen52> Wrong code.
17:46 < Jeroen52> I was talking about CVE-2014-0224
17:49 < pekster> Jeroen52: 1.0.1h, or backport the fix, yes
17:50 < pekster> If your distro provides the openssl headers you're linking against, they should provide such a backported version
17:50 < pekster> (in that case you will not need to recompile as ABI remains stable against the old version)
17:54 < Jeroen52> So I'll need to recompile it to get OpenSSL 1.0.1h on OpenVPN?
17:57 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
17:58 < pekster> How is your openssl library provided now? It's not by your distro?
17:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:08 -!- dazo is now known as dazo_afk
18:18 < Jeroen52> I don't know, I have installed OpenSSL via yum, then I think compiled OpenVPN, and in the meanwhile came CVE-2014-0224
18:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
18:41 -!- larryone [~larryone@109.78.39.63] has quit [Ping timeout: 252 seconds]
18:46 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:47 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
18:50 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:55 < pekster> Jeroen52: Right, no recompile of anything is necessary unless you went to special lengths to use a _locally_ compiled openssl
18:55 < pekster> If you haven't done that, just take in the distro patch for the problem
18:55 < pekster> ie: update your OS
18:56 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:21 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:09 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
20:12 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:17 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 276 seconds]
20:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:28 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
20:33 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
20:34 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
20:46 -!- jp- [~jp@unaffiliated/jp-] has quit [Ping timeout: 265 seconds]
20:51 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
21:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:09 < esde> !configs
21:09 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:51 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:22 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
22:24 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
22:36 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:29 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 252 seconds]
23:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
23:41 -!- ShadniX [dagger@p5DDFFF2D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:42 -!- ShadniX [dagger@p5481DD6B.dip0.t-ipconnect.de] has joined #openvpn
23:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
23:46 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:54 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
23:56 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
23:59 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
--- Day changed Sat Jun 07 2014
00:12 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
00:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:13 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:25 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:26 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
01:26 -!- dreamcat4 [~dreamcat4@62.49.10.153] has joined #openvpn
01:27 -!- kiki67100 [~chatzilla@unaffiliated/kiki67100] has joined #openvpn
01:28 < kiki67100> Hello everybody, i just configured my openvpn client and just know if possible to DO NOT use openvpn connection as default network just  ?
01:28 < kiki67100> -just
01:29 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
01:30 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
01:34 < kiki67100> somebody can help me ?
02:00 < reiffert> !factoids search def1
02:00 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
02:00 < reiffert> remove it.
02:21 < kiki67100> reiffert: Thanks, i view that in man, i can use directly that when i call openvpn --config myconfig ? like openvpn --config myconfig --redirect-gateway def1 ?
02:46 -!- dreamcat4 [~dreamcat4@62.49.10.153] has quit [Quit: Lost terminal]
02:56 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
03:06 -!- Netsplit *.net <-> *.split quits: danielbw
03:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:12 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
03:17 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:58 -!- Netsplit *.net <-> *.split quits: @krzee, ratsupremacy, Gman32, pnielsen, c0ded, Cultist, tapout, Saul775, @dazo_afk, +RBecker,  (+21 more, use /NETSPLIT to show all of them)
03:59 -!- Netsplit over, joins: doebi, yoavz, Cultist, Saul775, outofbounds, someone, Plastefuchs_, @dazo_afk, troyt, Adran (+21 more)
03:59 -!- SomeRando22 [SomeRando2@pool-72-75-233-61.bflony.fios.verizon.net] has quit []
04:01 -!- Netsplit *.net <-> *.split quits: xMopxShell, Cybertinus, b00b, indy, JackWinter, c00w, Haigha, someone, NChief, SupaYoshi,  (+148 more, use /NETSPLIT to show all of them)
04:01 -!- Netsplit over, joins: thefinn93, Martin`, lfx, fremo, Champi, gardar, b00b, KiNgMaR, TypoNe, lamokie (+148 more)
04:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
04:02 -!- Netsplit *.net <-> *.split quits: doebi, outofbounds, @dazo_afk, yoavz, Cultist, ribasushi, _FBi
04:04 -!- Netsplit *.net <-> *.split quits: @raidz, Plastefuchs_, jeev, AsadH, Saul775
04:04 -!- Netsplit over, joins: doebi, yoavz, Cultist, outofbounds, @dazo_afk, ribasushi, _FBi
04:05 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
04:11 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
04:11 -!- Plastefuchs_ [~fweee@198.98.120.235] has joined #openvpn
04:11 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
04:11 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
04:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
04:11 -!- ServerMode/#openvpn [+o raidz] by asimov.freenode.net
04:12 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
04:24 -!- rapha [~rapha@unaffiliated/rapha] has left #openvpn ["bye"]
04:33 -!- larryone [~larryone@109.78.219.236] has joined #openvpn
05:07 -!- larryone [~larryone@109.78.219.236] has quit [Quit: This computer has gone to sleep]
05:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
06:03 < Jeroen52> Question: I have just updated OpenVPN Community from 2.3.2 to 2.3.4, and I checked 'openvpn --version', isn't OpenSSL 1.0.1e vulnerable?
06:03 < Jeroen52> http://pastebin.com/7bb7b4UW
06:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:39 <@plaisthos> Jeroen52: debian, ubuntu etc backport the security fixes
07:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
07:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:29 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
07:30 < Jeroen52> plaisthos: So if I ./configure make and make install it is okay?
07:39 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
07:41 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:52 < rob0> hmm? Why are you doing that?
08:18 < Jeroen52> Because I prefer that.
08:27 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
08:30 < _FBi> Jeroen52, on debian if you apt-get update && apt-get upgrade  ->  and get OpenSSL 1.0.1e you're secure.  as mentioned
08:31 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
08:32 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:34 < debbie10t> I believe "ns-cert-type server" is no longer the preferred method but I can't remember what i was advised to use in future -- does anybody know what I should use .. thanks
08:36 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
08:36 < debbie10t> ahh .. got it "tls-remote name"
08:37 < debbie10t> nope that is depricated .. mayby i got it the wrong way round completely
08:38 < debbie10t> i think it is "remote-cert-tls ..."
08:39 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 245 seconds]
08:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:00 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
09:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
09:15 < pekster> Jeroen52: As I told you yesteray, no recompile is necessary. Your distro backports security fixes specifically so built programs are secure (as soon as your distro provides a fix, anyway) _without_ the need to recompile
09:18 -!- kiki67100 [~chatzilla@unaffiliated/kiki67100] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 29.0.1/20140506152807]]
09:26 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:35 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
09:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
09:53 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
09:53 -!- mode/#openvpn [+o syzzer] by ChanServ
09:59 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:04 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:19 < Jeroen52> Thank you pekster
10:22 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:22 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:26 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:26 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:28 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:28 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:31 < debbie10t> I know this is not specific to openvpn but here is something I have discovered and wondered if anybody could offer an opinion : I have a VirtualBOX client running on my OpenVPN Server (Basic TUN/Full PKI) - The VBOX client is VBOX-Bridged to the vbox host/openvpn server - This causes replay warnings when the vbox client is running with or without ovpn running on the vb-client - these replay warnings are seen by ovpn server + all c
10:31 < debbie10t> but
10:32 < debbie10t> if i run wireshark on the ovpn server the replay warnings stop ... ?
10:37 < debbie10t> actually the warning is : Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #44 ]
10:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:56 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
11:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
11:24 -!- u0m3 [~u0m3@92.80.122.72] has quit [Read error: Connection reset by peer]
11:26 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 245 seconds]
11:27 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
11:28 -!- u0m3 [~u0m3@109.96.144.61] has joined #openvpn
12:00 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:00 -!- mode/#openvpn [+v s7r] by ChanServ
12:08 -!- EugeneK [~eugene@znc.itvends.com] has joined #openvpn
12:14 -!- EugeneK [~eugene@znc.itvends.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:19 -!- EugeneK [~eugene@znc.itvends.com] has joined #openvpn
12:20 -!- Eugene [eugene@badcryp.to] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:20 -!- EugeneK is now known as Eugene
12:35 -!- Nothing4You [N4Y@w.tf-w.tf] has quit [Ping timeout: 260 seconds]
12:35 -!- Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
13:08 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:21 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
13:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:37 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
13:38 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
13:44 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
13:44 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
13:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
14:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
14:29 < Eugene> !man
14:29 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:29 < Eugene> !hmac
14:29 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
14:29 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:32 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
14:32 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
15:34 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:05 -!- Eugene [~eugene@znc.itvends.com] has quit [Ping timeout: 240 seconds]
16:09 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 240 seconds]
16:10 -!- Eugene [~eugene@codingforjes.us] has joined #openvpn
16:13 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:25 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:36 -!- moviuro__ [~moviuro@50728417.static.ziggozakelijk.nl] has joined #openvpn
16:37 < moviuro__> hi all! I'm setting up a client on Archlinux and have the 2 folowing questions: 1) what takes care of the MAC address of the tun/tap device? 2) What is the point of a bridge on the client?
16:38 < moviuro__> question 1 is so that I can make sure I keep one so that the server delivers a fixed IP address to me (because it is a DHCP server)
16:39 < moviuro__> question 2 is because I (think I) set up the server (OpenBSD) to use a bridge
16:39 < moviuro__> plz, highlight me when answering, thank you!
16:47 < pekster> Don't bridge, solves both problms
16:47 < pekster> The MAC is dynamically assigned with ephemeral tap devices, but you can use OS tools to set one if you really want. Better is to avoid bridging unless you _actually_ need to transport OSI L2 (Ethernet Frames)
16:55 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:23 -!- joako [~joako@opensuse/member/joak0] has quit [K-Lined]
17:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
17:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:44 -!- Eugene [~eugene@codingforjes.us] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:45 -!- Eugene [eugene@codingforjes.us] has joined #openvpn
17:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:01 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
18:04 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:14 -!- tapout [~tapout@unaffiliated/tapout] has quit [Quit: ZNC - http://znc.sourceforge.net]
18:19 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
18:20 -!- ek [ek@freebsd/contributor/ek] has quit [Quit: Bbiab.]
18:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
18:39 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:47 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 272 seconds]
19:04 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:26 -!- larryone [~larryone@109.78.219.236] has joined #openvpn
19:29 -!- u0m3 [~u0m3@109.96.144.61] has quit [Quit: Leaving]
19:32 -!- u0m3 [~u0m3@109.96.144.61] has joined #openvpn
19:35 -!- u0m3 [~u0m3@109.96.144.61] has quit [Read error: Connection reset by peer]
19:39 -!- u0m3 [~u0m3@92.80.87.54] has joined #openvpn
19:55 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has quit [Ping timeout: 260 seconds]
19:56 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:19 -!- larryone [~larryone@109.78.219.236] has quit [Ping timeout: 260 seconds]
20:57 -!- scottbuckel [~scottbuck@73.191.54.250] has joined #openvpn
20:57 < scottbuckel> I'm having really big troubles installing the TAP Driver on Win 8.1, anyone have suggestions? i've been Googling for 4+ hrs now, lol
20:58 < scottbuckel> I don't even know which log or config to paste, I've tried so many things
21:12 < Eugene> The usual troubleshooting is to just uninstall and undo everything you've done
21:13 < Eugene> Then install the proper openvpn
21:13 < Eugene> !download
21:13 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
21:13 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
21:13 < scottbuckel> Eugene, I've done that, thanks...been trying things for 4 hrs lol
21:14 < scottbuckel> Tried installing just the TAP driver, installed other VPN Software that comes with TAP Drivers, all the same issue...can't install
21:14 -!- nick4 [~nick4@178.128.21.22.dsl.dyn.forthnet.gr] has joined #openvpn
21:14 < Eugene> "can't install" is basically meaningless. Even a screenshot of the Windows error is helpful.
21:15 < Eugene> If I had to guess, you have some group policy(or clicked the button) to disallow third-party drivers, and now its stuck.
21:16 < scottbuckel> I'm not sure exactly what to screenshot for you, here's the start: http://snag.gy/ewywf.jpg
21:16 < scottbuckel> That's the problem, I don't know what the issue is to send a screenshot of :/
21:17 < scottbuckel> That's using privateinternetaccess' "Reinstall Tap Driver", not OpenVPN. I can show you the same thing in OpenVPN though
21:18 < scottbuckel> Here's the error when installing OpenVPN - The same issue happens even if I just download the TAP Driver installer: http://snag.gy/tkCfJ.jpg
21:18 < scottbuckel> Let me know if you'd like a screenshot of anything else, at this point I'm at a loss..
21:23 < scottbuckel> hmmm, in setupapi.dev.log, I see this "Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
21:23 < scottbuckel> so your theory could be correct
21:25 < scottbuckel> gonna give it a try, requires a reboot
21:26 -!- scottbuckel [~scottbuck@73.191.54.250] has quit []
21:32 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
21:48 -!- scottbuckel [~scottbuck@73.191.54.250] has joined #openvpn
21:48 < scottbuckel> Eugene: no luck. I also see this issue now in the setupapi.dev.log: !!!  ndv:      Device install failed for device.        !!!  ndv:      Error 2: The system cannot find the file specified.
21:50 -!- larryone [~larryone@109.79.89.99] has quit [Read error: Connection reset by peer]
21:50 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
21:55 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:57 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
22:03 -!- scottbuckel [~scottbuck@73.191.54.250] has quit [Ping timeout: 252 seconds]
22:05 -!- scottbuckel [~scottbuck@73.191.54.250] has joined #openvpn
22:06 < scottbuckel> Eugene: I'm willing to pay if you can figure this out, lol
22:08 -!- scottbuckel [~scottbuck@73.191.54.250] has quit [Client Quit]
22:14 -!- cyrozap [~cyrozap@198.23.172.133] has left #openvpn ["Client quit"]
22:20 -!- scottbuckel [~scottbuck@73.191.54.250] has joined #openvpn
22:25 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
22:40 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:42 -!- larryone [~larryone@109.79.89.99] has quit [Ping timeout: 265 seconds]
22:48 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
22:49 -!- larryone [~larryone@109.79.89.99] has quit [Max SendQ exceeded]
22:57 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
23:04 -!- larryone [~larryone@109.79.89.99] has quit [Read error: Connection reset by peer]
23:05 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
23:40 -!- ShadniX [dagger@p5481DD6B.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:41 -!- ShadniX [dagger@p5DDFCE62.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Jun 08 2014
00:11 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
00:21 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 240 seconds]
00:28 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
01:19 -!- larryone [~larryone@109.79.89.99] has quit [Ping timeout: 252 seconds]
01:41 -!- Eugene [eugene@codingforjes.us] has quit [Ping timeout: 240 seconds]
01:42 -!- Eugene [eugene@codingforjes.us] has joined #openvpn
01:46 -!- Eugene [eugene@codingforjes.us] has quit [Client Quit]
01:46 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
02:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:32 -!- bawki [bogie@mail.epow0.org] has quit [Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.]
02:36 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
02:37 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
02:39 -!- bogie [bogie@mail.epow0.org] has joined #openvpn
02:59 < moviuro__> I'm back, so yesterday evening, I put my server in place (tap device in a bridge) and from the logs, I can see that my client and server handshake. However, that's it: the server does not give the client an IP address. If I assign a fixed IP to my client (10.3.16.200) and try to ping the IP of the server (10.3.16.1), logs show that the ping arrives on interface tun0 on the server but the server doesn't know how/where to answer the
02:59 < moviuro__> ping. This is NO firewall issue.
03:15 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
03:19 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
03:22 < moviuro__> I have this very issue, however, I don't find any solution to it : http://openvpn.net/archive/openvpn-users/2005-09/msg00312.html
03:22 <@vpnHelper> Title: [Openvpn-users] bridged vpn handshakes but will not ping (at openvpn.net)
03:24 < moviuro__> plus the issue that I don't get an IP address though I see some mention of DHCPREQUEST
03:26 < moviuro__> http://sprunge.us/EIGI <- client http://sprunge.us/EObX <- server
03:33 < moviuro__> http://sprunge.us/hJGi <- openvpn server log
03:33 < moviuro__> could the issue be because I use a ssh proxy before reaching my VPN server?
03:38 -!- jibran [~jibran@39.59.48.202] has joined #openvpn
03:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:48 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has quit [Ping timeout: 240 seconds]
04:00 < jibran> First time?
04:01 < jibran> !welcome
04:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:01 < jibran> !goal
04:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:02 < moviuro__> OK, well goal was: have a working VPN distributing addresse from DHCP on 10.3.16, with DNS server '10.3.14.15' pushed to clients
04:02 < jibran> !sample
04:02 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
04:03 < jibran> !forum
04:03 <@vpnHelper> "forum" is (#1) The official OpenVPN support forum is available at http://forums.openvpn.net or (#2) you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
04:07 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has joined #openvpn
04:09 < jibran> Can I use openvpn on ubuntu?
04:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:31 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Remote host closed the connection]
04:33 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
04:37 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
04:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
04:56 -!- moviuro__ [~moviuro@50728417.static.ziggozakelijk.nl] has quit [Ping timeout: 245 seconds]
05:40 -!- treshoem2 [~treshoem@mnathani-1-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 265 seconds]
05:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:11 -!- larryone [~larryone@109.79.89.99] has quit [Ping timeout: 240 seconds]
06:26 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
06:57 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 252 seconds]
06:57 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
07:01 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
07:10 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:21 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
07:52 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Quit: irc panic]
07:52 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
07:54 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
07:54 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
08:14 -!- jibran [~jibran@39.59.48.202] has quit [Ping timeout: 240 seconds]
08:16 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
08:25 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
08:27 < BenLue> pekster, can you give me your paste client.conf from your openwrt device?
08:28 < BenLue> Im lost your latest paste, need to start openvpn as Service in Background
08:35 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
08:36 < scottbuckel> Hi All, I'm having major issues installing the TAP Drivers--Windows 8.1, setupapi.dev.log says that it "Cannot find specified file" during the installation--but I have no idea which file that is, it doesnt tell me. I've been Googling for 5+ hours to fix the issue, anybody have suggestions? I tried installing just the TAP Driver from OpenVPN's website, I've installed the included TAP driver in
08:36 < scottbuckel> other VPN packages--they all fail with the same issue.
08:40 < scottbuckel> Here's a paste of the install log from setupapi.dev.log: http://pastebin.com/vTnFzADX
08:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
08:52 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:59 -!- Megaf is now known as Megaf_
08:59 -!- Megaf_ is now known as Megaf
09:10 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
09:11 -!- larryone [~larryone@109.79.89.99] has quit [Quit: This computer has gone to sleep]
09:14 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
09:25 < scottbuckel> https://community.openvpn.net/openvpn/ticket/341 Looks to be a very similar issue to mine, but importing the certificate manually didn't work for me, hmm?
09:25 <@vpnHelper> Title: #341 (TAP-Windows installation failed, probably because of not trusted root certificate) – OpenVPN Community (at community.openvpn.net)
09:26 -!- larryone [~larryone@109.79.89.99] has quit [Ping timeout: 252 seconds]
09:26 -!- scottbuckel [~scottbuck@73.191.54.250] has quit []
09:41 -!- scottbuckel [~scottbuck@73.191.54.250] has joined #openvpn
09:44 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:49 -!- larryone [~larryone@109.79.89.99] has joined #openvpn
09:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
09:54 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 245 seconds]
09:56 -!- larryone [~larryone@109.79.89.99] has quit [Ping timeout: 240 seconds]
10:00 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
10:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Read error: Connection reset by peer]
10:14 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Write error: Connection reset by peer]
10:14 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Write error: Connection reset by peer]
10:14 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
10:16 -!- Netsplit *.net <-> *.split quits: bashusr, Nothing4You
10:16 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
10:16 -!- Netsplit over, joins: bashusr
10:20 -!- eristisk [~eristisk@127.0.0.1] has joined #openvpn
10:25 -!- tempus_fol [~tempus@unaffiliated/fol-tempus/x-4804267] has joined #openvpn
10:25 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:25 -!- mode/#openvpn [+v s7r] by ChanServ
10:25 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Read error: Connection reset by peer]
10:30 -!- Linmu [~Linmu@203.70.194.104] has quit [Ping timeout: 245 seconds]
10:30 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
10:33 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:37 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
10:38 -!- Megaf_ is now known as Megaf
10:42 -!- tempus_fol [~tempus@unaffiliated/fol-tempus/x-4804267] has quit [Changing host]
10:42 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:46 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:51 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 252 seconds]
11:01 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
11:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:38 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
11:42 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
11:47 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
11:51 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
11:55 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
11:55 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:55 < ayaka> I don't want to push redirect gateway auto, so I don't set push "redirect-gateway local def1"
11:56 < ayaka> could still use openvpn server as gateway?
12:11 < Cyclohexane> ayaka: yep
12:12 < ayaka> Cybertinus, just left server do nat?
12:12 < ayaka> let server do nat, but I can't work, I could ping the server at client subnetwork and server could ping client's subnetwork
12:23 -!- Netsplit *.net <-> *.split quits: NucWin, qwertyoruiop, justinzane
12:24 -!- Netsplit over, joins: justinzane
12:24 -!- Netsplit over, joins: NucWin
12:24 -!- Poster [~poster@cpe-173-88-31-131.columbus.res.rr.com] has quit [Remote host closed the connection]
12:29 -!- Guest85836 [~hax@3.shulgin.nl.torexit.haema.co.uk] has joined #openvpn
12:46 < pekster> BenLue: The initscript on openwrt can be pointed to a config file, so just create a "normal" client config and start it that way. More info at: !openwrt
12:46 < pekster> ayaka: Add the `--redirect-gateway def1` on your client end, or have the server push it via a ccd to just that client (see: !ccd)
12:49 < ayaka> pekster, push what? the default gateway or the subnet of client end, if the second one I did it
12:49 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:49 < pekster> What's the client subnet got to do with this?
12:49 < pekster> !goal
12:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:50 < ayaka> pekster, there is a remote openvpn server will be the default gateway
12:50 < ayaka> there is router which is the client end of openvpn, the router has a subnetwork 192.168.6.0/24
12:51 < ayaka> pekster, I want a host at 192.168.6.0/24 use the remote vps as the default  gateway
12:53 < pekster> And what about the router itself?
12:53 < pekster> Do you want it to do that too?
12:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 260 seconds]
12:56 -!- nick4 [~nick4@178.128.21.22.dsl.dyn.forthnet.gr] has quit [Quit: Quit]
12:59 < ayaka> pekster, the host in the subnetwork could ping the virtual interface's ip of server, the server could ping the host too
13:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Write error: Connection reset by peer]
13:02 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:11 -!- Guest85836 [~hax@3.shulgin.nl.torexit.haema.co.uk] has left #openvpn []
13:21 < pekster> That's not an answer to my question
13:27 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
13:28 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
13:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
13:53 -!- woodgiraffe [~wee@109.201.154.173] has joined #openvpn
13:55 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
13:58 -!- demize [kyrias@archlinux/op/demize] has joined #openvpn
13:58 -!- holomorph [~holomorph@unaffiliated/holomorph] has joined #openvpn
14:00 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
14:02 < ayaka> pekster, I didn't do --redirect-gateway def1 on client end
14:03 < ayaka> is it necessary to do that?
14:03 -!- holomorph [~holomorph@unaffiliated/holomorph] has left #openvpn []
14:04 -!- Sivert3 [~julian@89-162-110-108.fiber.signal.no] has joined #openvpn
14:04 < Sivert3> I'm trying to set up OpenVPN to make a tunnel to my LAN at home, but I can't get IP forwarding to work.
14:05 < Sivert3> Packets flow from my remote client, to the tun0 interface, from there it is routed to the local LAN.
14:06 < Sivert3> The host on the LAN replies, the packets end up on the ethernet inteface, but are not routed back through the tun0 interface.
14:06 < pekster> What's the VPN server in your setup? Are you running that on a system at home?
14:06 < Sivert3> Yes the VPN server is on a system at my home.
14:07 < pekster> You want to follow:
14:07 < pekster> !serverlan
14:07 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
14:07 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
14:07 < pekster> flowchart is quite helpful too
14:07 -!- demize [kyrias@archlinux/op/demize] has left #openvpn []
14:08 < Sivert3> I've enabled ip forwarding. When I disable it, no packets flow from the tun0 interface to the ethernet interface.
14:10 < Sivert3> Using wireshark I can see that ping requests are routed out the the LAN at home, and replies are recieved on the ethernet intefrace.
14:10 < pekster> Good thing the flowchart has a lot more to check than just that
14:11 < pekster> Maybe you neglected to get return routing working; just a guess
14:11 < Sivert3> Just a sec, I'm going to take a look a the chart.
14:14 < Sivert3> Okay, I ended up on "Add a route to the lan machine so it knows how to reach the vpn subnet". I have done that.
14:14 < pekster> You don't control the LAN router?
14:14 < Sivert3> In my current network setup, no.
14:15 < pekster> Sounds like a firewall issue then. Traffic from the VPN network leave the VPN server's downstream interface and reaches your client? What then?
14:15 < pekster> If the client doesn't send a reply, it's obviously the client's firewall. If it does but it's _not_ being sent to the MAC of the VPN server on that network, routing is not correct
14:18 < Sivert3> I can ping the client VPN IP address from the server and vice versa.
14:19 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
14:20 < Sivert3> The VPN server has no firewalls that I am aware of.
14:21 < Sivert3> I disabled the firewall in the client and the computer on my LAN that I'm trying to reach.
14:21 < pekster> tcpdump will be very obvious here
14:21 < pekster> Say eth0 is the downsream interface on the server, and your LAN system is 10.50.0.100; you'd do `tcpdump -pni eth0 host 10.50.0.100` and try to reach it from the VPN client
14:21 < pekster> If you get no reply traffic from the client, it's the client's fault
14:22 < pekster> (assuming you see the outbound request)
14:22 < Sivert3> I have tshark.
14:22 < pekster> Same thing
14:23 < Sivert3> Using `tshark -i ens33 -R ip.addr=10.8.0.6` I get the following trying to ping the host on my home LAN.
14:24 < Sivert3> 190  14.396436     10.8.0.6 -> 192.168.10.39 ICMP 74 Echo (ping) request  id=0x0001, seq=304/12289, ttl=127
14:24 < Sivert3> 191  14.396685 192.168.10.39 -> 10.8.0.6     ICMP 74 Echo (ping) reply    id=0x0001, seq=304/12289, ttl=128 (request in 190)
14:25 < Sivert3> from the remote client.
14:25 < pekster> Working just fine then; you get the reply
14:25 < pekster> That's from the VPN client, right?
14:25 < pekster> (the dump)
14:26 < Sivert3> No, the dump is from the VPN server.
14:26 < Sivert3> ens33 is tied to my home LAN.
14:27 < Sivert3> If i do a packet dump on the VPN interface on the server i see the ping request, but no reply.
14:27 < pekster> So you get the reply. Repeat the dump on the tun interface
14:27 < pekster> firewall then
14:27 < pekster> Maybe bad NAT
14:28 < pekster> (you don't need NAT at all on the traffic if you're trying to route properly, so stop that if you are)
14:28 < Sivert3> There is no firewall that I am aware of. iptables are clean. I have not set up NAT.
14:29 < pekster> `iptables-save -c`
14:31 < Sivert3> http://pastebin.com/iJp71JTk
14:36 < pekster> Doesn't make much sense then. Any bizarre policy routing going on?
14:36 < Sivert3> No. I mean, I certanly haven't setup anything like that.
14:38 < Sivert3> I don't know where to look. I just installed Arch Linux on the VPN server. Pretty much nothing else on that box.
14:39 < Sivert3> It's a virtual machine running on vmWare player on my desktop. Network interface is bridged with the LAN.
14:40 < Sivert3> But that should't be an issue as the packets are received on the ens33 interface, with the correct destination.
14:41 < Sivert3> Somehow they are not forwarded to the tun0 interface. I have no idea where to look.
14:41 < pekster> What is 192.168.10.39?
14:41 < pekster> Is it the same as the VM Host, by chance?
14:41 < Sivert3> The ip of the desktop.
14:41 < Sivert3> Yes.
14:42 < pekster> Right, that's why; you _have_ screwed up routing, and just happen to "see" the reply becuase you're dumping in promisc mode
14:42 < pekster> Show me `ip -4 a` and `ip l` from the VPN server, and a routing table on the 192.168.10.39 box
14:43 < pekster> `ip r` please if that's Linux, or `route print -4` from Win32/64
14:43 < pekster> That, or vmware has pwned the packets :\
14:50 < Sivert3> You're right, I did screw up routing.
14:51 < Sivert3> I can post the routing tables if you're interested in spotting the error i made.
14:51 < Sivert3> I fixed it and now it's working.
14:52 -!- optprime_ [~optprime@14.139.228.217] has joined #openvpn
14:53 < Sivert3> Thanks for the help.
14:53 < optprime_> hey i am setting up a subCA from our rootCA i wanted to know that what extendedKeyUsage is required for server nd clients?
14:55 < pekster> Sivert3: Neat. fwiw, this is why I always recommend `tcp -pni <interface>` -- read about why in the -p flag
14:55 < pekster> Maybe tshark has a similar flag (but really, tcpdump is where it's at on Linux/Unix)
14:55 < optprime_> and would it be possible to issue servers from one subca1(ordinary ssl certificates) and clients from subca2 (ordinary client certs)
14:56 < pekster> optprime_: Yup, sure. You'll need to ensure that your client cert files contain the full bundle to reach a trusted CA (trusted by the far side) though; basically just like you do with bundles on webservers
14:57 < optprime_> pekster: Thanks will do that .
14:57 < pekster> No special eKu required; CAs will need the usual kU of keyCertSign, and almost always cRLSign
14:58 < pekster> https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/x509-types/ca
14:58 <@vpnHelper> Title: easy-rsa/easyrsa3/x509-types/ca at master · OpenVPN/easy-rsa · GitHub (at github.com)
14:58 < Sivert3> pekster: Yes, tshark has the same flag with the same meaning.
15:00 < optprime_> pekster: thanks for reminding that i forgot to put up the mechanism for crls :)
15:02 < Sivert3> But due to blindly following instructions I had set the interface to promisc mode, so it wouldn't have helped in my case.
15:03 < pekster> Ah. Right, unless you're acting as a bridge, you almost never want promisc on interfaces
15:03 < pekster> This is why I hinted at checking the MAC ;)
15:04 < pekster> I've seen routers eat themselves when admins forgot the -p flag to tcpdump before. Extra fun when that wipes out office access for phones and staff :P
15:16 < ayaka> pekster, thank you all the same
15:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:23 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
15:26 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
15:33 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:48 -!- bears is now known as BearsOnUnicycles
15:51 -!- Sivert3 [~julian@89-162-110-108.fiber.signal.no] has quit [Quit: leaving]
15:51 -!- BearsOnUnicycles is now known as bears
16:00 < BenLue> !openwrt
16:00 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
16:01 < BenLue> pekster; thx for information! Have a nice day
16:03 -!- Linmu [~Linmu@203.70.194.104] has quit [Remote host closed the connection]
16:03 -!- Linmu [~Linmu@203.70.194.104] has joined #openvpn
16:08 -!- optprime_ [~optprime@14.139.228.217] has quit [Ping timeout: 240 seconds]
16:34 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
16:35 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
16:40 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 252 seconds]
16:44 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
16:53 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Ping timeout: 245 seconds]
16:57 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
16:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:00 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
17:07 -!- srged [~Earth@unaffiliated/srged] has joined #openvpn
17:08 < srged> is it possible to do automatization so I wont have to manually enter the username and pass?
17:11 < pekster> srged: At a loss of security (and when compiled with ENABLE_PASSWORD_SAVE), yes. Read the manpage for the option --auth-user-pass
17:11 < srged> pekster: thx
17:14 -!- srged [~Earth@unaffiliated/srged] has quit [Quit: leaving]
17:20 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 252 seconds]
17:21 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 245 seconds]
17:22 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:22 -!- BenLue [NoMail@unaffiliated/benlue] has quit []
17:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:26 -!- eristisk [~eristisk@127.0.0.1] has quit [Ping timeout: 264 seconds]
17:33 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
17:37 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
17:40 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 245 seconds]
17:44 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
17:47 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
17:53 -!- Sivert3 [~julian@89-162-110-108.fiber.signal.no] has joined #openvpn
17:54 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:58 -!- Sivert3 [~julian@89-162-110-108.fiber.signal.no] has quit [Quit: leaving]
18:04 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
18:05 -!- mete [~mete@91.247.253.160] has joined #openvpn
18:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:10 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:20 -!- woodgiraffe [~wee@109.201.154.173] has left #openvpn ["WeeChat 0.4.3"]
18:59 -!- Sivert3 [~julian@89-162-110-108.fiber.signal.no] has joined #openvpn
19:02 < Sivert3> When I try to innitiate a remote desktop session over my OpenVPN tunell, the tunnel stops responding and the RDP session dies.
19:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:08 -!- zalami [~NDJ@cpe-74-73-165-167.nyc.res.rr.com] has joined #openvpn
19:08 < zalami> Hello, I need some help. I want to log all of the traffic that goes through my openvpn server, how can I do that?
19:10 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:11 < Sivert3> Have you looked at packet sniffers?
19:14 < zalami> Sivert3: Not really, what would I have to do. Is there a simple solution to just have openvpn log all of its traffic to some file?
19:15 < Sivert3> Are you thinking of just the connections that are made, or all the data that sent with it?
19:15 < zalami> all the daya sent with it
19:15 < zalami> like, I have a client, and I wantto log all off the traffic from that client
19:17 < Sivert3> I don't think OpenVPN provides anything like that, but I'm not sure.
19:18 < zalami> do you know of a way to do it?
19:18 < Sivert3> You can use packet sniffers.
19:18 < zalami> how would I use them?
19:18 < zalami> sorry new to openvpn?
19:19 < zalami> no ? there
19:19 < zalami> type
19:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 252 seconds]
19:19 < zalami> typo
19:19 < zalami> oh my
19:19 < pekster> tcpdump has documentation. ##networking is a better place to ask if you need "101" help on general networking or advice on tools
19:20 < zalami> thanks
19:20 < pekster> openvpn is "just" a virtual router with some security added on; it's up to you to do something useful with that
19:20 < pekster> For all openvpn cares, spawn a tcpdump process for each client that connects and dump traffic from the assigned IP to some file
19:21 < pekster> Read !scripts for hooks to openvpn, but again, it's entierly on you to decide what to do in such a script
19:22 < zalami> sounds good, thanks
19:26 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:35 < Sivert3> I'm trying to figure out why remote desktop fails through my OpenVPN tunnel, but I'm about to give up. Any ideas?
19:42 < Sivert3> SSH, SFTB, and file sharing in windows works without problems. But when I start an RDP session the tunnel clogs up and stop responding for up to minute.
19:56 < Sivert3> *several minutes. I think that has something to do with the strange network setup (the computer I'm trying to RDP to is running the OpenVPN server as a virtual machine).
19:57 < Sivert3> Anyway, I'm tired and it's getting very late here, so I'm giving up and heading to bed.
19:58 < Sivert3> exit
19:58  * Sivert3 is not used to console irc clients
19:58 -!- Sivert3 [~julian@89-162-110-108.fiber.signal.no] has quit [Quit: leaving]
20:23 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
20:38 < esde> ?configs
20:38 < esde> !configs
20:38 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:51 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:02 -!- bears_ [~bears@unaffiliated/bears] has joined #openvpn
21:04 -!- bears [~bears@unaffiliated/bears] has quit [Ping timeout: 245 seconds]
21:10 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:37 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
21:54 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
22:03 -!- bears_ [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
22:20 -!- alexw_ [~textual@unaffiliated/alexw] has joined #openvpn
22:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
22:30 -!- alexw_ [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
22:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:58 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:29 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
23:40 -!- ShadniX [dagger@p5DDFCE62.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:41 -!- ShadniX [dagger@p5DDFFDA0.dip0.t-ipconnect.de] has joined #openvpn
23:55 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
23:56 < xylogics> Looking to hire someone to GRE Tunnell ips from a linux box to a windows
--- Day changed Mon Jun 09 2014
00:04 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
00:06 < xylogics>  Basically I have several servers from a variety of different companies with many different IP ranges/subnets/gateways etc, and I want to be able to tunnel those IPs, that is use them on one central server. All the tunnel servers are CentOS, but my main server is Windows 2008 Web Edition.
00:06 < xylogics> I want to be able to add all the Tunnel servers IP addresses that were assigned to my main Windows server, so that I can use them for email traffic etc. Can you let me know if this is possible?
00:07 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has left #openvpn []
00:08 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
00:09 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has joined #openvpn
00:09 < xylogics>  Basically I have several servers from a variety of different companies with many different IP ranges/subnets/gateways etc, and I want to be able to tunnel those IPs, that is use them on one central server. All the tunnel servers are CentOS, but my main server is Windows 2008 Web Edition.
00:09 < xylogics> I want to be able to add all the Tunnel servers IP addresses that were assigned to my main Windows server, so that I can use them for email traffic etc. Can you let me know if this is possible?
00:10 -!- xylogics [~omarjavai@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
00:12 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
00:53 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
01:10 -!- Linmu [~Linmu@203.70.194.104] has quit [Quit: leaving]
01:18 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:50 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
01:53 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
01:55 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:55 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:55 -!- mattock_afk is now known as mattock
01:56 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
02:01 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
02:07 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:07 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
02:11 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
02:16 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
02:17 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:21 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has joined #openvpn
02:31 -!- Latrina [~Latrina@ppp-170-37.26-151.libero.it] has quit [Read error: Connection reset by peer]
02:35 -!- Latrina [~Latrina@adsl-ull-240-184.50-151.net24.it] has joined #openvpn
02:40 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
02:47 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
02:56 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
02:56 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
02:58 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
03:00 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 240 seconds]
03:01 -!- scottbuckel [~scottbuck@73.191.54.250] has quit [Ping timeout: 240 seconds]
03:01 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
03:03 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
03:04 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
03:04 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 240 seconds]
03:04 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
03:07 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 240 seconds]
03:08 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
03:09 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
03:10 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:10 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
03:12 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 240 seconds]
03:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
03:20 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
03:52 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 240 seconds]
04:04 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:14 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
04:17 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
04:18 -!- doebi [~doebi@doebi.at] has joined #openvpn
04:18 -!- pradeepc [~pradeepc@198.199.90.215] has joined #openvpn
05:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Client Quit]
05:24 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:40 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has joined #openvpn
05:48 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
05:50 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has joined #openvpn
05:50 < masterkorp> hello
05:50 < masterkorp> !goal
05:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:52 < masterkorp> Guys I am getting an error on generating a client key
05:52 < masterkorp> unable to open '/etc/openvpn/keys/index.txt'
05:52 < masterkorp>                   3073771196:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/openvpn/keys/index.txt','r')
05:52 < masterkorp> its that the index.txt is not generated
06:03 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:21 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
06:42 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
07:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:27 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
07:31 -!- u0m3_ [~u0m3@92.80.73.182] has joined #openvpn
07:34 -!- u0m3 [~u0m3@92.80.87.54] has quit [Ping timeout: 276 seconds]
07:35 -!- early [~early@192.241.198.49] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
07:39 <@ecrist> masterkorp: are you using easy-rsa?
07:39 -!- early [~early@192.241.198.49] has joined #openvpn
07:41 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:02 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 260 seconds]
08:02 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
08:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
08:11 -!- deeville [~deeville@66.97.28.166] has joined #openvpn
08:13 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
08:14 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
08:15 -!- lbft is now known as Vladimir-Putin
08:15 -!- Vladimir-Putin is now known as lbft
08:33 -!- axelm7 [~axelm7@186.135.4.36] has joined #openvpn
08:36 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
08:44 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:00 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
09:24 < masterkorp> ecrist: yes
09:25 -!- jp- [~jp@unaffiliated/jp-] has left #openvpn []
09:36 -!- Megaf is now known as Megaf_
09:43 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
09:47 -!- lau [~lau@unaffiliated/lau] has joined #openvpn
09:48 < lau> running openvpn 2.3.2 and trying to create a point-to-point ipv6 tunnels
09:49 < lau> we get a resolver error : openvpn[21907]: RESOLVE: Cannot resolve host address: <ipv6>: Address family for hostname not supported
09:50 < lau> any idea please ?
09:52 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
09:53 < rob0> Isn't that an idea?
09:54 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
09:56 -!- w0jtas [~Adium@host8925152170.ppcom.3s.pl] has joined #openvpn
09:56 < w0jtas> Hello, i am trying to install openvpn server - anybody could tell what steps i should follow to setup server on 2 nics machine? 1 is external and 1 internal, what ip should i use for bridge ?
10:00 < w0jtas> anybody ?
10:00 < rob0> Don't bridge. Why do you
10:00 < rob0> be patient
10:01 < w0jtas> so how should i setup then ?
10:01 < rob0> Why do you think you want to bridge?
10:01 < w0jtas> i follow ubuntu help pages
10:01 < rob0> !howto
10:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:10 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
10:15 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:19 -!- Oranabi [~Ayhan@i220-220-226-200.s11.a023.ap.plala.or.jp] has joined #openvpn
10:20 < Oranabi> !welcome
10:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:22 < Oranabi> !howto
10:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:41 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Quit: Yippee-kay-yay]
10:43 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
10:46 -!- u0m3_ is now known as u0m3
10:51 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:03 -!- Oranabi [~Ayhan@i220-220-226-200.s11.a023.ap.plala.or.jp] has quit [Quit: Leaving]
11:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:25 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
11:28 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 276 seconds]
11:35 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
11:52 -!- w0jtas [~Adium@host8925152170.ppcom.3s.pl] has quit [Ping timeout: 245 seconds]
11:54 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
12:20 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
12:22 -!- dob1 [~dob@dynamic-adsl-84-220-115-82.clienti.tiscali.it] has joined #openvpn
12:24 < dob1> hi, i have setup an openvpn service in my lan. the clients from outside can connect with no problems. the clients from inside the lan (thet client that are in the same lan of the openvpn server) can connect to openvpn too but they have to use the local ip of the server in che configuration file, not its name.  It's ok and it's better, but i was wondering why this
12:25 < dob1> maybe as you said in the topic firewall problems?
12:32 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
12:39 < gac> dob1: depends on your DNS setup and possibly your NAT setup, IMO
12:40 < gac> if you have an internal DNS server which is able to resolve the same hostname to an internal IP address for internal clients then it should work
12:41 < gac> alternatively, if you don't have an internal DNS server, you need to see if your NAT router supports NAT reflection/hairpinning so that it can direct traffic going to its external IP back in through the same portforward that external traffic uses
12:48 < masterkorp> Guys how do I make the VPN clients able to reach the LAN on the server side ?
12:50 <@ecrist> !route
12:50 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
12:50 <@vpnHelper> client
12:50 <@ecrist> masterkorp: ^^^
12:50 < masterkorp> ecrist: thanks
12:54 < BenLue> hmmm i will create an Openvpn Client on my OpenWRT but the follow command "uci set" isnt working! Im Actual on Attitude Adjustment 12.09.1
12:54 < BenLue> anyone ideas?
12:57 <@ecrist> for that command, you should probably ask the openwrt folks
12:58 < BenLue> :) ecrist you are not a Member of OpenWRT Folk? *gg*
13:10 -!- wbk [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
13:10 < wbk> hi guys
13:10 < wbk> some problem with vpnbook
13:10 < wbk> during the connection
13:11 < wbk> when i do "what's my ip" on google, i get the main ip connection, and not the gateway vpn ip
13:13 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
13:13 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
13:55 <@ecrist> what is vpnbook?
13:57 < wbk> vhttp://www.vpnbook.com/
13:57 <@vpnHelper> Title: Free VPN 100% Free PPTP and OpenVPN Service (at www.vpnbook.com)
13:58 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
14:00 <@ecrist> oh, talk to them about support
14:00 <@ecrist> we really only support other server admins here
14:00 <@ecrist> not users
14:02 < wbk> the question should be simple
14:03 < wbk> http://nopaste.info/c9714043d0.html
14:03 < wbk> this config should redirect all the traffic into the tunneL?
14:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 252 seconds]
14:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:07 -!- mode/#openvpn [+o plaisthos] by ChanServ
14:09 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
14:14 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 252 seconds]
14:16 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
14:16 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:21 -!- dob1 [~dob@dynamic-adsl-84-220-115-82.clienti.tiscali.it] has quit [Quit: Leaving]
14:29 < xylogics> Basically I have several servers from a variety of different companies with many different IP ranges/subnets/gateways etc, and I want to be able to tunnel those IPs, that is use them on one central server. All the tunnel servers are CentOS, but my main server is Windows 2008 Web Edition.
14:29 < xylogics> I want to be able to add all the Tunnel servers IP addresses that were assigned to my main Windows server, so that I can use them for email traffic etc. Can you let me know if this is possible?
14:32 <@ecrist> wbk: maybe
14:33 <@ecrist> really, you should likely be using, on line 16, redirect-gateway def1
14:33 <@ecrist> and this will only work if the SERVER supports it, and is configured properly
14:33 <@ecrist> this is why we don't generally support the users.  they are unable to fix the server, where such problems can reside
14:40 < wbk> ecrist, why you said "maybe" ?
14:40 < wbk> if i check what's my ip, i get the provider ip
14:41 < wbk> this means that traffic is not forwarded throught the vpn tunnel
14:42 <@ecrist> yup
14:43 < wbk> so, it should be some problem
14:43 <@ecrist> talk to server administrator
14:55 <@krzee> !provider
14:55 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
15:00 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
15:05 -!- x00e [~itch@188.27.192.144] has joined #openvpn
15:09 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
15:12 < x00e> Hello guys. I`m runnig into a bit of an issue. Installed oepnvpn sever onto a debian machine and tried to set it up as to allow me to access internet through it. I made sure my firewell is not blocking, I`ve set up ipv4 ip forwarding, etc. But while I can connect to the sever, I can`t access anything through it, or anything from my local network for that matter and the connection to the server keep reconnecting. Is sommeone is willing to take a peek at my ser
15:12 < x00e> ver.conf .. http://pastebin.com/NsWEYDkQ
15:13 < rob0> sounds like you need:
15:13 < rob0> !redirect
15:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:13 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:13 < rob0> !serverlan
15:13 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:13 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:13 < rob0> ^^ start with flowcharts
15:16 < x00e> rob0, thanks
15:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-iltfwqsfxvjzouze] has quit [Ping timeout: 252 seconds]
15:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-gxwbhbryckbnhtmz] has joined #openvpn
15:21 -!- mattock is now known as mattock_afk
15:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:29 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
15:39 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
15:42 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
15:42 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
15:45 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
15:46 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
15:54 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
15:55 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:04 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
16:05 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
16:08 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
16:24 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Excess Flood]
16:25 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
16:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:29 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
16:35 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:40 -!- p3rror [~mezgani@105.157.103.176] has joined #openvpn
16:47 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
16:54 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
16:55 < ayaka> there is a remote server which has both ipv6 and ipv4 access
16:55 < ayaka> there is a client end which only has ipv4, the client want to visit ipv6 network through the remote server, it is possible for openvpn to do that?
16:57 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:58 -!- x00e [~itch@188.27.192.144] has quit [Quit: Leaving]
17:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:17 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Chrisje, Olipro
17:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
17:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:28 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
17:29 -!- Netsplit over, joins: Olipro
17:50 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
17:59 < pekster> ayaka: Yes, read the wiki page at !ipv6. And route it; ignore all the nonsense about running two L3 networks on the same L2 domain
18:00 < ayaka> pekster, I see thank yoi
18:00 < ayaka> s/yoi/you/
18:00 < ayaka> !ipv6
18:00 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
18:29 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:39 -!- larryone [~larryone@176.61.1.155] has quit [Ping timeout: 260 seconds]
18:40 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
18:44 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:53 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
19:10 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:20 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:46 -!- axelm7 [~axelm7@186.135.4.36] has left #openvpn []
19:55 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
20:06 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:08 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
20:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:22 -!- BenLue is now known as LueBen
20:52 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
20:56 -!- LueBen [NoMail@unaffiliated/benlue] has quit []
21:06 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
21:07 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
21:34 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:00 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
22:00 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
22:02 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
22:03 < phunyguy> hello, I am getting an error on a new server install: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info. - is this as simple as adding that option to the server config file?
22:17 < pekster> Yes, if you want to use scripts like --up, --down, --client-connect, and others.
22:18 < pekster> Did you read about that option in the manpage?
22:18 < pekster> It should be very clear
22:22 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:22 < phunyguy> yeah, sorry, forgot to come back and say I tried it and it worked.
22:22 < phunyguy> I knew the answer already, I was just being dumb
22:23 < phunyguy> SELinux was getting me also.  :)
22:25 < pekster> The price to be paid for that level of security
22:28 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 260 seconds]
22:29 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
22:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Max SendQ exceeded]
22:33 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
23:11 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
23:24 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
23:39 -!- ShadniX [dagger@p5DDFFDA0.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:40 -!- ShadniX [dagger@p5DDFF1BD.dip0.t-ipconnect.de] has joined #openvpn
23:53 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
--- Day changed Tue Jun 10 2014
00:00 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
00:15 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
00:35 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
00:51 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
01:15 -!- alexw [~textual@unaffiliated/alexw] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
01:26 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
01:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:46 -!- mattock_afk is now known as mattock
02:40 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
02:45 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
03:07 -!- Denial [Denial@176.251.77.152] has quit []
03:11 -!- wojtasfs [~Adium@host8925152170.ppcom.3s.pl] has joined #openvpn
03:16 -!- Denial [Denial@176.251.77.152] has joined #openvpn
03:36 -!- p3rror [~mezgani@105.157.103.176] has quit [Ping timeout: 265 seconds]
03:36 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
03:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:54 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
04:11 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:15 < wojtasfs> Hello, anybody could help with setting up openvpn? I've spent whole yesterday with fighting on that with no success :/ I can't auth client. I am using mikrotik router on client side and ubuntu on server side. I have TLS failure on client side. Not sure what should i make with shared key as client is able only to send shared key, not certificate.
04:20 < wojtasfs> and i am using openvpn 2.3
04:57 < wojtasfs> Ok i solved that, last thing left, anybody could tell how can i set routing after client connection ?
05:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
05:23 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:26 -!- blues-man [~xchat@93-62-149-181.ip23.fastwebnet.it] has joined #openvpn
05:27 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has joined #openvpn
05:28 < blues-man> hi, i'm try to connect an iOS client with Openvpn Connect but I'm getting the /30 net30 error on the iOS client, even if I put the 'push "topology subnet" in the server.conf . I wonder if is possible to connect with an iOS client to a VPN net30 looks like a limitation on the client side
05:46 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 265 seconds]
05:48 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:02 -!- blues-man [~xchat@93-62-149-181.ip23.fastwebnet.it] has quit [Quit: Sto andando via]
06:03 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Read error: Connection reset by peer]
06:03 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:04 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 252 seconds]
06:04 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 252 seconds]
06:06 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 252 seconds]
06:06 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 252 seconds]
06:07 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:09 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:09 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:11 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
06:11 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
06:14 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:15 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:20 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:21 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:22 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
06:22 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:25 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
06:26 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:27 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:32 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:32 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:38 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:38 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:46 -!- wbk [~wallbroke@unaffiliated/wallbroken] has left #openvpn []
06:50 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 252 seconds]
07:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
07:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:12 -!- wojtasfs [~Adium@host8925152170.ppcom.3s.pl] has quit [Read error: No route to host]
07:17 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
07:38 -!- rawtaz [~rawtaz@rho.hobbyhotellet.se] has joined #openvpn
07:38 < rawtaz> hi
07:40 < rawtaz> i know this is off topic, but does anyone know what's up with the company behind OpenVPN Access Server? they're continously not replying or avoiding requests for a) information and b) patches for their commercial OpenVPN product. ive tried for days now (since the latest openssl vulnerabilities came out) to get a response regarding the version we're running, both by support tickets and by the IRC, without success.
07:40 < rawtaz> like, did they close or what? seriously starting to wonder, they've always been great otherwise!
07:41 < rawtaz> just figured maybe someone here runs their stuff and know them or something
07:41 < rob0> That company also holds the copyright on the free software openvpn.
07:42 < rob0> And there is at least one company person here, but I rarely see him talk.
07:42 < rawtaz> i know one too :) i think he's pretty busy, but at the same time you'd think there's more of them behind the scene. they shouldn't have just one single person doing all the support/communication
07:42 < rob0> If you corner him at one of the developer meetings, he will probably answer. :)
07:43 < rawtaz> regarding that copyright thing; is it the original authors of openvpn that started the company? what about all the code that has been contributed by others through times, do they have a CLA in place that lets them keep a comprehensive copyright on it all?
07:43 < rob0> I bet the "company", such as it is, is very small.
07:43 < rawtaz> yeah probably
07:43 < rob0> James Yonan sold to investors, I think.
07:43 < rob0> and the investors also employed him
07:44 < rob0> Now there ARE folks here who have contributed code and can answer that.
07:44 < rawtaz> seems ike it's all GPL so i wonder what value there is to the copyright. i guess the ability to relicense if need be
07:45 < rob0> yep
07:47 < rawtaz> well ill just have to wait and see
07:47 < rawtaz> thanks for your insight rob0
07:48 < rob0> yw, as far as patches go, I think they build the AS codebase off of the GPL one.
07:52 -!- jp- [~jp@unaffiliated/jp-] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
08:08 -!- deeville [~deeville@66.97.28.166] has quit [Ping timeout: 260 seconds]
08:09 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:18 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:25 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
08:59 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
09:01 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
09:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:30 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:31 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:35 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
09:49 -!- wojtasfs [~Adium@host8925152170.ppcom.3s.pl] has joined #openvpn
09:50 < wojtasfs> Hello, i have openvpn set up, on one side client-to-client setup (ubuntu) and client (mikrotik) on other side, i can ping from mikrotik lan to -> ubuntu lan but can't ping from ubuntu lan to mikrotik lan, anybody could help, please it's so important for me and 2 days of tries without result :(
09:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:00 -!- wojtasfs [~Adium@host8925152170.ppcom.3s.pl] has quit [Ping timeout: 260 seconds]
10:08 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
10:10 < moviuro> Hi all! I'm having the following issue: I can ssh client -> server, server -> client but not client -> client. the server is in layer 2 on openBSD (tun0, link0, bridge), from client1, 'host <IP client2>' gives back something stupid, not honoring routes of "ip route show"
10:16 < moviuro> the issue is not firewall-related (I checked pflog), it is not because I didn't forward the packets (server is also a router, so I would have noticed)
10:16 < moviuro> http://sprunge.us/TATf <- routes on the client
10:17 < moviuro> http://paste.ubuntu.com/7623943 <- routes on the server
10:37 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:38 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
10:52 < masterkorp> how do make the lan on my server available to the clients ?
10:57 < moviuro> masterkorp: push the routes
10:57 < moviuro> and have the clients understand and add the routes too
10:59 < masterkorp> can you point me to documentation please ?
11:00 < moviuro> masterkorp: search "push" in the config file of the server
11:00 < masterkorp> its not there
11:00 < moviuro> that's weird
11:00 < moviuro> don't you have an example file ?
11:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:01 < moviuro> masterkorp: https://openvpn.net/index.php/open-source/documentation/howto.html#scope
11:01 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
11:06 < masterkorp> push "route 172.31.0.0 255.255.255.0"
11:06 < masterkorp> moviuro: i am adding my route
11:06 < masterkorp> it gets pushed
11:06 < masterkorp> but i can't ping 172.31.13.85
11:06 < masterkorp> or nmap
11:07 < moviuro> masterkorp: from client "ip route show" or "netstat -r"
11:08 < masterkorp> yeah i have the route
11:08 < masterkorp> ip r
11:08 < masterkorp> 172.31.0.0/24 via 10.8.0.1 dev tun0
11:08 < moviuro> well then, your server does not answer
11:08 < moviuro> (or at least it is what it looks like)
11:08 < moviuro> check your firewall
11:08 < masterkorp> i can ping it from the vpn server
11:09 < masterkorp> no rules
11:09 < moviuro> you mean client can't ping client ?
11:09 < masterkorp> status: vpn can ping machine behing lan
11:10 < masterkorp> clinet connects to vpn
11:10 < masterkorp> client can't ping machine behing lan
11:10 < moviuro> I have a similar issue
11:10 < masterkorp> no iptables ruling
11:10 < masterkorp> how can i debug this
11:11 < moviuro> dunno, I asked the same thing one hour ago
11:11 < moviuro> so I'll idle here until someone helps out ^_^
11:13 < masterkorp> +1
11:23 -!- axelm7 [~axelm7@186.135.28.140] has joined #openvpn
11:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 276 seconds]
11:27 < masterkorp> i enabled ip forwarding
11:27 < masterkorp> same result
11:40 -!- A_Pickle [~A_Pickle@host-72-174-195-13.chy-wy.client.bresnan.net] has joined #openvpn
11:40 < A_Pickle> Oh harro.
11:44 < masterkorp> A_Pickle: welp
11:47 < A_Pickle> Oh.
11:47 < masterkorp> masterkorp-laptop# traceroute 172.31.13.85
11:47 < masterkorp> traceroute to 172.31.13.85 (172.31.13.85), 30 hops max, 60 byte packets
11:47 < masterkorp>  1  10.8.0.1 (10.8.0.1)  136.452 ms  141.905 ms  142.811 ms
11:47 < masterkorp> he indeed goes to the server
11:47 < A_Pickle> Actually I think I figured out my problem.
11:47 < A_Pickle> But thanks anyways, guys.  Today I learned about NickServ.
11:48 < masterkorp> but it seems the that its not redirected elsewhere
11:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:11 -!- A_Pickle [~A_Pickle@host-72-174-195-13.chy-wy.client.bresnan.net] has left #openvpn []
12:13 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has quit [Disconnected by services]
12:23 -!- Megaf_ is now known as Megaf
12:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:39 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
12:42 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
12:49 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
12:50 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:51 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:08 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
13:20 <@krzee> masterkorp,
13:20 <@krzee> !clientlan
13:20 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
13:20 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:20 <@krzee> follow the flowchart
13:20 <@krzee> the sdf.org link
13:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
13:23 < masterkorp> krzee: no i want the lan behing the server
13:23 <@krzee> ok then
13:23 <@krzee> !serverlan
13:23 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:23 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:23 <@krzee> same deal
13:24 < masterkorp> nvm the problem is the amazon aws
13:24 <@krzee> oh ya you arent the first with issues with them
13:24 <@krzee> forwarding issues iirc
13:24 < reiffert> krzee: ircpimps.org no work
13:24 <@krzee> i know thats why i said the sdf.org link
13:25 <@krzee> im waiting on slow people in the city where that server is
13:25 <@krzee> but i have cheap subletting on the colo so i cant bitch at them much
13:27 < Eugene> Shoulda bought a Linode :v
13:28 <@krzee> !factoids search aws
13:28 <@vpnHelper> "aws" is Ziber> So, in the AWS console, you can disable 'source/destination checks', which allow you to route outside of the VPC. Which is a LAN-ception concept, that's isolated beyond belief.
13:28 <@krzee> masterkorp, ^^
13:37 -!- ||arifaX_ [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
13:37 -!- mattock is now known as mattock_afk
13:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
13:49 -!- ||arifaX_ is now known as ||arifaX
13:58 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
14:31 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
14:39 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
14:40 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
14:43 -!- u0m3_ [~u0m3@92.80.75.201] has joined #openvpn
14:44 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:45 -!- u0m3 [~u0m3@92.80.73.182] has quit [Ping timeout: 245 seconds]
14:46 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
14:51 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:58 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 260 seconds]
14:58 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
14:59 -!- JordiGH [~jordi@octave/developer/JordiGH] has joined #openvpn
14:59 < JordiGH> !goal
14:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:02 < JordiGH> I want to connect my laptop to a VPN provider. It is timing out. I suspect someone between me and the provider is doing port blocking, so I think I might try another remote port. How do this?
15:03 -!- u0m3_ [~u0m3@92.80.75.201] has quit [Read error: Connection reset by peer]
15:03 < JordiGH> A friend told me they were having problems too, but managed to connect when they "changed to tcp and port 80".
15:04 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
15:04 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:07 -!- u0m3 [~u0m3@109.96.156.238] has joined #openvpn
15:21 < JordiGH> Okay, turns out that "custom gateway port" is what I want. The tooltip made it sound like a local port on my laptop, which I thought is not what I wanted.
15:29 -!- Megaf is now known as Megaf_
15:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:30 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
15:31 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
15:33 -!- Netsplit *.net <-> *.split quits: gac, NucWin, nutron, phreakocious, moh, M4rc3l, adaptr, liriel, gardar
15:33 -!- Netsplit over, joins: nutron, M4rc3l, NucWin, liriel
15:34 -!- Netsplit over, joins: adaptr
15:35 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:37 < moviuro> masterkorp: solved your issue?
15:38 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
15:38 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has joined #openvpn
15:39 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
15:39 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:41 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
15:41 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
15:42 < masterkorp> yeah it was aws rules that were blocking the traffic moviuro
15:42 -!- JordiGH [~jordi@octave/developer/JordiGH] has left #openvpn ["Leaving"]
15:42 < moviuro> masterkorp: *facepalm*
15:43 < masterkorp> i don't get it why they do it by default
15:43 < masterkorp> fuck the cloud
15:44 < moviuro> masterkorp: your server was on ec2? yeah, that's weird too for a default (block all)
15:45 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
15:50 -!- bears [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
15:53 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
15:54 -!- Netsplit *.net <-> *.split quits: james41382, Soliah, clu5ter, edge226, phunyguy, tdreyer1
15:55 -!- Netsplit over, joins: phunyguy
16:00 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
16:11 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
16:11 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
16:11 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
16:13 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:29 -!- yikoru [~yikoru@186.67.252.202] has joined #openvpn
16:33 -!- doebi [~doebi@doebi.at] has quit [Quit: WeeChat 0.4.3]
16:34 -!- doebi [~doebi@doebi.at] has joined #openvpn
16:35 -!- doebi [~doebi@doebi.at] has quit [Client Quit]
16:35 -!- doebi [~doebi@doebi.at] has joined #openvpn
16:54 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
16:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:03 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
17:05 -!- yikoru [~yikoru@186.67.252.202] has quit [Ping timeout: 260 seconds]
17:14 < moviuro> ok, so the issue was an extra ';' in ";client-to-client"
17:21 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
17:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
17:34 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
17:35 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:36 < xylogics> I am looking to pay someone
17:36 < xylogics> if they can figure out how to gre tunnell between windows and linux
17:41 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:46 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:50 -!- rawtaz [~rawtaz@rho.hobbyhotellet.se] has left #openvpn []
17:54 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 265 seconds]
17:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:02 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:09 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
18:25 -!- Megaf_ is now known as Megaf
18:46 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
18:53 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
19:06 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
19:14 -!- elfixit1 [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 276 seconds]
19:20 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
19:38 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
19:39 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:40 < snappy> I have a typical home network setup with the home router running OpenWRT (and thus can run openvpn). I want to selectively forward any traffic from a certain static IP in my home network over a VPN tunnel, and all other traffic not over the vpn. Is this a known scenario?
19:48 < Eugene> Yes. You need policy routing.
19:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:56 < snappy> yeah, looks that way -- is it possible to get the client to inject the default route to a different routing table?
19:58 < snappy> im just trying to bypass the content wall, might be able to get away with something simpler like a gre tunnel
20:01 -!- u0m3 [~u0m3@109.96.156.238] has quit [Read error: Connection reset by peer]
20:14 -!- u0m3 [~u0m3@109.96.156.238] has joined #openvpn
20:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
20:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
20:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:23 < Eugene> You could just have the machine owning that static IP run openvpn itself....
20:26 < snappy> that would be easiest, but this is for consumer devices where openvpn cnanot be installed
20:28 < snappy> ps3, appletv, etc.
20:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:43 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
20:50 <+RBecker> snappy: does OpenWRT let you modify the routing table?
20:50 < pekster> Indeed it is
20:50 < pekster> busybox has support for all the routing needs via its `ip` applet, even without the "full" iproute2 package
20:51 < pekster> `ip route` and `ip rule` work fine. Follow the advice you got before and set up policy routing
20:51 < pekster> ip route add default via 10.8.0.1 table 100
20:51 < pekster> ip route add 192.168.0.0/24 dev ifLAN scope link
20:52 < pekster> ip rule add from 192.168.0.100 lookup 100
20:52 < pekster> tune to taste, read manpages
20:52 < pekster> Probably put that under /etc/config/ where it belongs using UCI stanzas
20:52 < pekster> Or in an --up script for openvpn
20:53 < pekster> And make the route I missed on table 100, or whatever you end up using
20:55 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
20:55 < snappy> yep, im familiar with PBR, been awhile; but i think i'm going to first try a simpler solution using gre/vtun -- just need an ip tunnel; nothing fancy.
21:00 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:01 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:04 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
21:05 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:31 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:32 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:33 -!- phunyguy_ is now known as phunyguy
21:33 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
21:35 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
21:45 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:51 -!- not_phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:53 -!- not_phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
21:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
22:03 <@krzee> you need to run openvpn on the device in question, or use policy routing.
22:03 <@krzee> (as you were told)
22:03 <@krzee> =]
22:10 -!- not_phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
22:12 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
22:12 -!- not_phunyguy is now known as phunyguy
22:21 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
22:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
22:51 < jeev> man i'm getting so lazy with remembering openvpn things
23:35 -!- bears [~bears@unaffiliated/bears] has quit [Read error: Connection reset by peer]
23:39 -!- ShadniX [dagger@p5DDFF1BD.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:40 -!- ShadniX [dagger@p5DDFFB79.dip0.t-ipconnect.de] has joined #openvpn
23:56 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
23:56 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
23:57 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
--- Day changed Wed Jun 11 2014
00:00 -!- mattock_afk is now known as mattock
00:12 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
00:29 -!- Megaf is now known as Megaf__
00:29 -!- sourmash [~guest_ran@c-50-160-233-160.hsd1.ga.comcast.net] has joined #openvpn
00:32 < sourmash> morning
00:39 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
00:40 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
00:40 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
00:45 -!- justinzane [~justinzan@24.49.207.203] has quit []
00:52 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
00:59 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
01:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:14 -!- Megaf__ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 265 seconds]
01:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:29 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
01:31 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
01:38 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
01:56 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
01:56 -!- zapotek6 [~zap@mail.comelit.it] has left #openvpn []
02:15 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:15 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:15 -!- mattock_afk is now known as mattock
02:15 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
02:17 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:17 -!- mode/#openvpn [+o mattock] by ChanServ
02:20 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:27 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
02:28 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
03:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
03:18 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Read error: Connection reset by peer]
03:19 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
03:20 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
03:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:37 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
03:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:57 < Plastefuchs_> morning o/
04:01 < Plastefuchs_> pkitool on debian: 'unknown option: --help' -> running pkitool without args gives the help. pkitool on ubuntu: shows help with --help, but generates 'changeme'.key without options. Both show pkitool 2.0 in their help. Is this just some weirdness between ubuntu<->debian? :D
04:04 < Plastefuchs_> Also, is it possible to run pkitool without sourcing ./vars? I'd like to use it from within python and i did not want to bother with sourcing variables if it is possible to just supply all that info via some argument(s)
04:05 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
04:13 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 265 seconds]
04:17 < snappy> Plastefuchs_: not sure about pkitool, but you can use ssl-admin
04:17 < snappy> its not bad.
04:17 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
04:36 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Remote host closed the connection]
04:38 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
04:43 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:48 -!- ShadniX [dagger@p5DDFFB79.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
04:50 -!- ShadniX [dagger@p5DDFFB79.dip0.t-ipconnect.de] has joined #openvpn
04:54 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
04:59 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
05:00 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
05:15 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has left #openvpn ["Bye!"]
05:20 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has joined #openvpn
06:00 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
06:07 -!- codehero [codehero@i.have.ipv6.on.coding4coffee.org] has quit [Ping timeout: 265 seconds]
06:08 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 265 seconds]
06:10 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
06:13 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
06:13 -!- `Nothing4You [N4Y@w.tf-w.tf] has joined #openvpn
06:14 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 265 seconds]
06:14 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 265 seconds]
06:14 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
06:14 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
06:14 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 265 seconds]
06:14 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 265 seconds]
06:14 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 265 seconds]
06:14 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 265 seconds]
06:14 -!- funnel_ is now known as funnel
06:15 -!- `Nothing4You is now known as Nothing4You
06:17 -!- axelm7 [~axelm7@186.135.28.140] has quit [Ping timeout: 265 seconds]
06:23 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
06:23 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:32 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 265 seconds]
06:34 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
06:37 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
06:38 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
06:54 < Plastefuchs_> snappy: i'll take a look, thank you :3
07:03 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
07:05 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
07:16 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
07:16 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:17 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has quit [Read error: Connection reset by peer]
07:17 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has joined #openvpn
07:23 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
07:24 -!- axelm7 [~axelm7@186.135.28.140] has joined #openvpn
07:25 < axelm7> hi guys, I'm having trouble setting up TLS-cipher on a certain client. This config does not connect. If I set tls-cipher to none it works. http://pastebin.com/4iZ2z2Nz
07:25 < axelm7> do I need to set up anything special on the server side to support this cipher?
07:26 < axelm7> the cipher I chose is on the openvpn --tls-cipher list on both sides
07:26 <@syzzer> axelm7: no, you should not. But unfortunately, OpenSSL is pretty bad at reporting the actually working ciphers
07:26 < axelm7> client is 2.3.2. Server is AS 2.0.8 which uses 2.3.4
07:26 <@syzzer> why do you want to specify --tls-cipher?
07:27 < axelm7> it's recommended here: https://community.openvpn.net/openvpn/wiki/Hardening
07:27 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
07:27 < axelm7> See "Use of --tls-cipher"
07:28 <@syzzer> ah, right.
07:29 <@syzzer> what you can do to figure out what is supported, is leave out the --tls-cipher option on both side, see what OpenSSL negotiatias (OpenVPN logs it during the handshake) and use that
07:29 < axelm7> I can also remove the tls-cipher setting from the conf file. How do I know what cipher was negotiated between client and server
07:30 < axelm7> oops, cross posted
07:30 < axelm7> ok, I'll try that
07:32 <@syzzer> but in general, supplying --tls-cipher shouldn't be neccesary. The defaults are pretty sane and autmatically negotiate 'the best available'.
07:32 < axelm7> Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA'
07:33 < axelm7> I could set that on the client to force it, just to be sure
07:33 <@syzzer> ah, right, there's your problem with the other cipher you chose; that other cipher is in TLSv1.1 (iirc), but OpenVPN 2.3 only does TLSv1.0
07:34 <@syzzer> axelm7: yes, you could. But if OpenVPN or OpenSSL add support for stronger ciphers and you don't update your config you'll be stuck on this one
07:35 < snappy> ugh tls version madness, which is the good version of tls again?
07:35 < axelm7> would forcing the cipher beat an attacker that uses CVE-2014-0224 to force the use of weak keying material?
07:35 <@syzzer> axelm7: nope
07:36 <@syzzer> but using tls-auth does :)
07:36 < axelm7> ok, I use tls auth in all my clients :)
07:37 <@syzzer> CVE-2014-0224 forces weak keys, not weak ciphers.
07:39 <@syzzer> what basiaclly happens in the CCS attack is that you tell OpenSSL to "to derive your totally secure key, use '0' as a random number!', which is - as you can image - pretty predictable
07:42 < axelm7> thanks for the info. My clients are currently using openssl 0.9.8l. Server is 2.3.4 with OpenSSL 1.0.1h. I need to know if I am vulnerable
07:42 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 265 seconds]
07:43 <@plaisthos> axelm7: if that are stock Openssl versions, yes
07:43 <@plaisthos> if that version shipped/updated with your distribution, check your distributions security announcements
07:44 < axelm7> plaisthos, distro is dd-wrt on the client side. Not easy to do updates remotely without killing the routers.
07:45 < axelm7> server side is Ubuntu 14.04 and Access Server 2.0.8 (2.3.4) using OpenSSL 1.0.1h
07:46 < axelm7> plaisthos, do you know which vulnerability would apply to openvpn 2.2.1 + openssl 0.9.8l on the client side? I'd like to research my options before forcing an upgrade to all my client routers
07:48 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 265 seconds]
07:48 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Ping timeout: 265 seconds]
07:50 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
07:50 < axelm7> 0.9.8l is vulnerable to CVE-2014-0224. Damn, gotta upgrade all the clients
07:51 < axelm7> but I am using tls-auth, so this would not apply to me, right?
08:09 <@plaisthos> as long as your tls-auth keys are not public
08:10 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
08:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
08:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:23 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 265 seconds]
08:33 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
08:52 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
09:18 -!- bears [~bears@unaffiliated/bears] has joined #openvpn
09:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
09:30 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
09:38 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:42 -!- ender| [~ender1@2a01:260:4094:1:42:42:42:42] has joined #openvpn
09:45 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has joined #openvpn
09:46 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
09:53 -!- phunyguy is now known as not_phunyguy
09:53 -!- not_phunyguy is now known as phunyguy
09:54 -!- bears is now known as Kniaz
10:03 -!- Kniaz [~bears@unaffiliated/bears] has quit [Quit: closing IRC]
10:03 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
10:06 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Client Quit]
10:06 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
10:08 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
10:16 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
10:34 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 252 seconds]
10:35 -!- Megaf is now known as Megaf_
10:48 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:18 -!- phunyguy_ [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
11:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:43 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
11:51 -!- Megaf_ is now known as Megaf
11:59 -!- larryone [~larryone@95.83.254.93] has joined #openvpn
12:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:36 -!- sla3k [~aman@unaffiliated/sla3k] has joined #openvpn
12:37 < sla3k> Hi people, I was using the openVPN for myself till now but I need to share the server with others now. Could anybody please let me know how can I set a monthly quota so that these users should not be able to use more than, say, 10 GB or 20 GB per month.
12:37 < sla3k> Is it possible?
12:47 < Eugene> openvpn has nothing for that built-in, no.
12:49 < sla3k> Eugene: Thank you for replying, so I need to do that from radius perspective then.
13:04 -!- larryone [~larryone@95.83.254.93] has quit [Quit: This computer has gone to sleep]
13:14 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
13:26 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
13:27 < Ryu_Fitzgerald> i set up a openvpn on a pfsense router.  How do i configure it so that if the vpn drops, it will have its internet disabled until vpn connection is restored?
13:28 < Ryu_Fitzgerald> basically a kill switch
13:34 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
13:36 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Ping timeout: 272 seconds]
13:36 < _FBi> sla3k, FreeRADIUS
13:37 < sla3k> _FBi: Thank you for that, I am already onto it, going to configure FreeRADIUS to authenticate users for OpenVPM.
13:37 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
13:38 < _FBi> sla3k, if you figure it out, please let me know :)
13:43 < sla3k> _FBi: Sure, I have already done it on one of my test servers and made a blog entry, if you wish, you may have a look at: http://techlinux.net/2014/01/configuring-openvpn-to-authenticate-with-freeradius-part-1/
13:43 <@vpnHelper> Title: Configuring OpenVPN to authenticate with FreeRADIUS part 1 | (at techlinux.net)
13:43 < sla3k> Although I still have to figure out how to impose a limit.
14:00 -!- mattock is now known as mattock_afk
14:05 -!- zapotek6 [~zap@host145-84-dynamic.8-87-r.retail.telecomitalia.it] has joined #openvpn
14:23 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
14:25 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
14:27 -!- TheEternalAbyss_ [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
14:27 -!- TheEternalAbyss_ is now known as TheEternalAbyss
14:32 -!- TheEternalAbyss is now known as carl79
14:32 -!- carl79 is now known as TheEternalAbyss
14:33 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
14:36 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
14:37 -!- axelm7 [~axelm7@186.135.28.140] has quit [Ping timeout: 260 seconds]
14:40 -!- zapotek6 [~zap@host145-84-dynamic.8-87-r.retail.telecomitalia.it] has quit [Ping timeout: 245 seconds]
14:49 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:54 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:00 -!- LuisM [~LuisM@unaffiliated/luism] has joined #openvpn
15:00 < LuisM> hi folks
15:01 < LuisM> i've setup a new PKI and start openvpn server in linux using fedora
15:02 < LuisM> iface tun0 comes up and so on
15:02 < LuisM> but appear service wont listening on port 1194
15:04 < LuisM> not even test inside own server..openvpn /etc/client.conf don't connect at server
15:04 -!- michaelhart [~michaelha@192.237.177.15] has quit [Quit: michaelhart]
15:05 < LuisM> and log returns none erro
15:05 < LuisM> wtf?
15:06 < LuisM> and iptables rules are fine
15:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
15:09 < rob0> How did you determine that nothing is "listening"?
15:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:10 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
15:11 < LuisM> sites like "canyouseeme"
15:12 < LuisM> or simple "telnet hostname 1194"
15:12 < LuisM> on machine outside network
15:13 < LuisM> http://www.portcheckers.com/
15:13 <@vpnHelper> Title: Port Forward Checker - Open Port Checker - Port Checker Online (at www.portcheckers.com)
15:13 < rob0> telnet(1) is TCP only; by default (and for good reason) openvpn uses UDP.
15:13 < rob0> faulty testing methodology.
15:13 < LuisM> yes
15:14 < LuisM> and about testing inside own server?
15:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:15 < LuisM> rob0, i think you could help me
15:15 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Quit: xylogics]
15:22 -!- Denial [Denial@176.251.77.152] has quit []
15:40 -!- Netsplit *.net <-> *.split quits: yoavz, kloeri, +hazardous, tamazaki, reiffert, jgeboski, c00w, rawburt, lbft, zalami,  (+4 more, use /NETSPLIT to show all of them)
15:40 -!- Netsplit over, joins: yoavz, rawburt, jgeboski
15:40 -!- mode/#openvpn [+v hazardous] by ChanServ
15:40 -!- Netsplit over, joins: kloeri, lbft, sla3k, hazardous
15:40 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has joined #openvpn
15:40 -!- Netsplit over, joins: peper
15:41 -!- Netsplit over, joins: xMopxShell
15:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
15:43 < swebb> LuisM: /sbin/lsof | grep UDP | grep openvpn
15:45 < LuisM> is running
15:45 < LuisM> @.@
15:45 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 240 seconds]
15:45 < LuisM> but won't connect, not inside server
15:45 < LuisM> openvpn /etc/client.conf
15:46 < LuisM> even inside server*
15:46 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 245 seconds]
15:46 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
15:47 -!- Megaf is now known as Megaf_
15:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:51 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Quit: ZNC - http://znc.in]
15:54 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
15:58 -!- LuisM [~LuisM@unaffiliated/luism] has quit [Read error: Connection reset by peer]
15:59 -!- LuisM [LuisM@unaffiliated/luism] has joined #openvpn
16:01 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
16:01 < reiffert> the identity thing's getting slightly on my nerves
16:02 < reiffert> need to lookup how to have irssi auto identify
16:04 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
16:08 -!- LuisM [LuisM@unaffiliated/luism] has quit [Quit: Leaving]
16:10 -!- LuisM [~LuisM@unaffiliated/luism] has joined #openvpn
16:10 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has quit [Excess Flood]
16:10 -!- Nothing4You [N4Y@w.tf-w.tf] has quit [Ping timeout: 1825 seconds]
16:10 -!- `Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
16:11 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
16:13 -!- `Nothing4You is now known as Nothing4You
16:18 -!- Netsplit *.net <-> *.split quits: AsadH, Plastefuchs_, Cultist, @raidz, jeev, Saul775, lau
16:18 -!- Netsplit over, joins: Cultist
16:18 -!- Netsplit over, joins: Saul775, raidz
16:18 -!- mode/#openvpn [+o raidz] by ChanServ
16:19 -!- Netsplit over, joins: Plastefuchs_
16:19 -!- Netsplit over, joins: lau
16:24 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
16:24 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
16:26 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
16:34 < Eugene> reiffert - `/msg nickserv help access` ;-)
16:39 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has quit [Quit: mirco]
16:40 -!- LuisM [~LuisM@unaffiliated/luism] has quit [Read error: Connection reset by peer]
16:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
16:48 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
16:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:53 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
16:54 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:02 < reiffert> Eugene: lets sit and wait. You've made my day if it works
17:06 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has joined #openvpn
17:07 < Eugene> It won't auto-op you, but it keeps the Guest at bay
17:09 < reiffert> let's see what the next netsplit will bring
17:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 252 seconds]
17:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
17:20 -!- Kniaz1 [~Kniaz@unaffiliated/bears] has joined #openvpn
17:21 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
17:22 -!- Kniaz1 [~Kniaz@unaffiliated/bears] has quit [Client Quit]
17:22 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
17:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:28 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
17:29 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:32 -!- xylogics [~xylogics@ool-44c514e9.dyn.optonline.net] has quit [Ping timeout: 264 seconds]
17:38 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
17:49 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:57 < esde> i deleted my openvpn log file a few hours ago, it was 1.2G and filled with "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" errors. Since deleting the log, i've not seen another log appear in it's place. is there something i need to do to create a new .log for openvpn and apparently resume logging?
18:00 < Eugene> SIGHUP I believe
18:01 < pekster> Doesn't look like that works
18:01 < pekster> Perhaps you want to use syslog for this
18:01 < Eugene> This is why I... yeah.
18:02 < pekster> Without digging in the code, I'd guess that the --log feature opens a file-descriptor and hangs onto it until termination
18:02 -!- LuisM [~LuisM@unaffiliated/luism] has joined #openvpn
18:03 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
18:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
18:21 -!- Megaf_ is now known as Megaf
18:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
18:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:46 -!- Megaf is now known as Megaf_
19:19 -!- dasdajs [~dasdajs@unaffiliated/dasdajs] has left #openvpn []
19:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
19:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
19:35 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:41 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:58 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
20:05 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:07 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
20:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:29 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 245 seconds]
20:31 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:35 -!- Eugene [eugene@kashpureff.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:39 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
20:40 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 264 seconds]
21:02 -!- LuisM [~LuisM@unaffiliated/luism] has quit [Read error: Connection reset by peer]
21:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:02 -!- LuisM [~LuisM@unaffiliated/luism] has joined #openvpn
21:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
21:10 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:41 -!- marcham93 [~marcham93@ool-43507375.dyn.optonline.net] has joined #openvpn
21:43 < marcham93> Hello all. Just installed openvpn on a linux machine. I can access the admin site from outside my network, but the Connectivity tests keeps failing.
21:43 < marcham93> Any help would be more than super appreciated.
21:46 < rob0> I'm not sure what "the admin site" means, nor what "the Connectivity tests" are/do.
21:47 < marcham93> Admin site refers to the web interface for controlling openvpn. The Connectivity test is one of the tools on the site to check if your vpn is accessible.
21:48 < pekster> !as
21:48 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
21:48 < pekster> AS is a commercial wrapper around openvpn; openvpn itself is a console-only application
21:48 < marcham93> Oh... apologize. I'm very new to this. Just trying to setup a VPN for a secure connection when in public.
21:49 < marcham93> Searching for the easiest way to do so.
21:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-gxwbhbryckbnhtmz] has quit [Ping timeout: 240 seconds]
21:49 < pekster> You could use openvpn for that, but you'd need to design a config for that. AS offers a non-free alternative that offers convenience in exchange for accepting the license
21:50 < marcham93> pekster, alright thanks. It seems to come with two free users. I guess I might just do more research.
21:51 < pekster> Depends on your goals, yea. Commercial solutions usually come with high-level knobs, but less overall flexiblity and EULAs. It's a convenience vs complexity trade-off for many
21:53 < rob0> ah, that explains why I have never heard of these concepts. :)
21:54 < marcham93> rob0, I'm here to confuse. ha.
21:54 < pekster> The naming scheme is highly confusing, yes
22:00 < rob0> marcham93, no, I don't blame you. Lots of folks think the same thing. In fact the openvpn web site seems designed to cause such confusion.
22:01 < rob0> Would you have downloaded the non-free AS software for Linux if you knew you already had the free version?
22:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:01 < rob0> (Just about any GNU/Linux distro comes with openvpn.)
22:02 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
22:02 < marcham93> Since I'm not stealing your attention from other questions... if I'm just looking to protect my web surfing when in public - is a vpn or ssh tunneling best?
22:03 < marcham93> And yeah... got stuck looking at their "Private Tunnel" service for a few minutes.
22:04 < rob0> you might actually want a service like that
22:04 < marcham93> Yeah, but I figured I could setup my own free version =P haha
22:04 < rob0> unless you have lots of bandwidth at home
22:04 < marcham93> Have 50Mb Down and like 30Mb Up
22:05 < rob0> I could set it up, but I couldn't run it through my anemic ADSL at home, I think ~150kb/s upload speed :(
22:05 < rob0> oh yeah, that should be fine
22:05 < rob0> !howto
22:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
22:05 < rob0> !redirect
22:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:05 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
22:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-szhxtiptmwvyezcv] has joined #openvpn
22:28 -!- sj7trunks [~textual@17.149.231.137] has joined #openvpn
22:30 < sj7trunks> anyone have issues with port forwarding when the default route is not set to the openvpn server
22:34 -!- marcham93 [~marcham93@ool-43507375.dyn.optonline.net] has quit [Quit: Leaving]
23:04 -!- Latrina [~Latrina@adsl-ull-240-184.50-151.net24.it] has quit [Ping timeout: 252 seconds]
23:05 -!- sourmash [~guest_ran@c-50-160-233-160.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
23:08 -!- Latrina [~Latrina@ppp-172-13.26-151.libero.it] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:38 -!- ShadniX [dagger@p5DDFFB79.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:39 -!- ShadniX [dagger@p5DDFE7CB.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Jun 12 2014
00:26 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
00:31 -!- mattock_afk is now known as mattock
00:33 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has quit [Ping timeout: 245 seconds]
00:33 -!- subir [~subir@unaffiliated/subir] has joined #openvpn
00:34 < subir> !welcome
00:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:36 -!- subir [~subir@unaffiliated/subir] has left #openvpn ["Leaving"]
00:46 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
01:19 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:36 -!- sj7trunks [~textual@17.149.231.137] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
01:46 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
01:59 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
02:00 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has joined #openvpn
02:00 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:01 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:12 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has joined #openvpn
02:35 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
03:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
03:52 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:02 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 245 seconds]
04:03 -!- Latrina [~Latrina@ppp-172-13.26-151.libero.it] has quit [Ping timeout: 240 seconds]
04:05 -!- Latrina [~Latrina@adsl-ull-28-189.50-151.net24.it] has joined #openvpn
04:18 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
05:47 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
05:59 -!- Denial [Denial@176.251.77.152] has joined #openvpn
06:11 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 264 seconds]
06:12 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
06:16 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
06:32 -!- `Ile` [~ile@178-223-70-70.dynamic.isp.telekom.rs] has joined #openvpn
06:33 -!- `Ile` [~ile@178-223-70-70.dynamic.isp.telekom.rs] has quit [Client Quit]
06:33 -!- octocpp [~octo@unaffiliated/octocpp] has joined #openvpn
06:34 < octocpp> I downloaded the win installer, but i dont have a client to log onto my vpn?
06:35 < octocpp> I just have a prog that runs in the systray and gives me the option to use a openvpn config file, but it doesnt even let you choose what config file to use>?
06:36 < octocpp> I see pics of a client in the documentation, but where is it located? I dont see any client files that got installed?
06:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:46 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
06:51 -!- michaelhart [~michaelha@192.237.177.15] has joined #openvpn
07:01 <@ecrist> octocpp: try reading some documentation
07:01 <@ecrist> !howto
07:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
07:12 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:16 < octocpp> Thanks, looking now.
07:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
07:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:24 -!- mode/#openvpn [+v s7r] by ChanServ
07:27 -!- mike_papa [~marek@212.180.174.163] has joined #openvpn
07:28 < mike_papa> !welcome
07:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:28 < mike_papa> !paste
07:28 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
07:34 < mike_papa> Hello. I'm running openvpn server on raspberry pi. I used http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing tutorial to make it running. It does work with my android client (but only from outside, not from home LAN), and it doesn't work with lubuntu's network manager giving me timeout (here is syslog: https://gist.github.com/anonymous/e271aa57ceb9787dd710). Anyone any ideas what's wrong?
07:34 <@vpnHelper> Title: Cannot connect to VPN (at gist.github.com)
07:36 -!- u0m3 [~u0m3@109.96.156.238] has quit [Ping timeout: 260 seconds]
07:46 -!- Netsplit *.net <-> *.split quits: jeev, clu5ter
07:46 -!- Netsplit over, joins: clu5ter
07:46 -!- Netsplit over, joins: jeev
07:47 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:50 < mike_papa> when I did openvpn --config config.ovpn I got "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
07:50 <@krzee> !walkthrough
07:50 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
07:50 <@krzee> !timeout
07:50 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
07:52 < mike_papa> well... as I said. Using android client works fine. So I guess server is running, ip/port/protocol is fine, firewall/nat is fine, and ISP stays the same.
07:54 < mike_papa> !howto
07:54 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:00 -!- Megaf is now known as Megaf_
08:00 -!- Megaf_ is now known as Megaf
08:02 -!- u0m3 [~u0m3@109.96.156.238] has joined #openvpn
08:04 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
08:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:04 -!- mode/#openvpn [+v s7r] by ChanServ
08:06 <@krzee> "(but only from outside, not from home LAN)"
08:06 <@krzee> thats is to be expected if your server is at home
08:06 <@plaisthos> the android is expected to be able to work in this scenario
08:06 <@krzee> sure if you connect from external internet
08:06 <@plaisthos> since Android uses policy routing in the backgroudn
08:07 <@plaisthos> krzee: local LAN to local server from Android
08:07 <@krzee> your router doesnt know what to do with packets headed to its external interface addressed from internal address being NAT'ed back to internal address
08:07 <@plaisthos> (if the server is then not completely confused)
08:07 <@krzee> its not the android's fault
08:07 <@krzee> its the lil home router
08:07 <@krzee> the natbox
08:07 <@krzee> the packets never get to the server from the client which is in the same lan
08:08 <@krzee> (unless you connect to the LAN ip)
08:08 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
08:12 -!- mike_papa [~marek@212.180.174.163] has quit [Ping timeout: 244 seconds]
08:12 -!- mike_papa [~marek@178.182.181.19.nat.umts.dynamic.t-mobile.pl] has joined #openvpn
08:13 < mike_papa> so I just got kicked out of net when you started talking. ;)
08:13 < mike_papa> anyway if I do try to connect from outside, using same configuration as on android, my lubuntu doesn't connect.
08:14 < mike_papa> I even use android's tethering to make sure ISP stays the same.
08:16 <@krzee> look at logs on both sides with verb 5
08:16 <@krzee> if its just a simple timeout i stand by what the bot says
08:18 < mike_papa> "ERROR: Linux route add command failed: external program exited with error status: 2"
08:18 < mike_papa> twice on /sbin/ip route add ....
08:20 <@krzee> show us
08:23 -!- mike_papa [~marek@178.182.181.19.nat.umts.dynamic.t-mobile.pl] has quit [Ping timeout: 240 seconds]
08:23 <@plaisthos> now you scared him off :)
08:23 <@krzee> haha
08:24 -!- mike_papa [~marek@212.180.174.163] has joined #openvpn
08:25 < mike_papa> ok. Now I got connected from command line. I have no idea what's the difference. I guess network-manager addon does something wrong
08:27 < mike_papa> anyway end of play. Kid woke up. Thanks for your time anyway. Byr
08:27 < mike_papa> bye*
08:27 -!- mike_papa [~marek@212.180.174.163] has quit [Client Quit]
08:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 244 seconds]
08:55 < vinky> is it possible to specify the port range that is used on the client for the connection?
08:55 <@plaisthos> no
08:55 <@plaisthos> only lport or fixed
08:55 <@plaisthos> or nobind for random
08:56 <@krzee> so yes if you want a range of 1 :D
09:28 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:49 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
09:54 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
10:08 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
10:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
10:36 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
10:39 < Ryu_Fitzgerald> how do I tell my router configured with openvpn to block traffic that comes not over the vpn from reaching to people with local router ip address.  How do i prevent people with local router ip addresses from being able to send data to outside the openvpn
10:40  * ecrist tries to grok
10:41 <@ecrist> can you re-state what you're trying to accomplish?
10:41 < rob0> I think it is a !serverlan/!clientlan question, inverted, goal being to *prevent* lan access.
10:42 <@plaisthos> redirect-local block iirc
10:42 <@plaisthos> or redirect-gateway blocklocal
10:42 < Ryu_Fitzgerald> i have openvpn set up. I want it so if it goes down temporarly all people connected to that router lose internet instead of router swapping to unsecure connection
10:44 < rob0> I guess the router is a client, and you are asking how to configure routes and firewall rules on your router?
10:45 < Ryu_Fitzgerald> the firewall rules and NAT rules.  The router is the client
10:46 -!- tpw_rules [~tpw_rules@li242-215.members.linode.com] has joined #openvpn
10:47 < Ryu_Fitzgerald> any ideas.  Do you need me to get any information?
10:48 <@plaisthos> also look into persist-tun
10:49 < tpw_rules> hey all. i'm having issues setting up a pass-all-the-traffic vpn. i've done one before but now i'm doing it for a friend and i'm not sure what's wrong. i've got it so i can access the server just fine but i can't access the internet. i think something has gone wrong with the route setup. if i ask it to print out the route to something like google's ip, it takes 30 or 40 seconds to chug at it. http://pastie.org/private/ogyavtsf2h2gnurom
10:49 < tpw_rules> kgmuw
10:50 < tpw_rules> http://pastie.org/private/ogyavtsf2h2gnuromkgmuw (non line-wrapped)
10:50 < Ryu_Fitzgerald> what type of vpn are you using?
10:51 < tpw_rules> openvpn routed
10:51 < Ryu_Fitzgerald> i just figure out how to set up openvpn myself so i can walk you through it.  I did this on a pfsense router though
10:52 < Ryu_Fitzgerald> First, you do not need any new firewall rules so you can get rid of any you made unless you have some custum reason why you need them
10:52 <@plaisthos> does your vpn configuration have any mention of connected.sh?
10:53 < Ryu_Fitzgerald> you mea something like a ssh?
10:53 < tpw_rules> http://pastie.org/private/nmwhtgze8eeqenugdhrda is the server config file
10:53 < tpw_rules> plaisthos: no, that's a feature of the client program i'm using
10:54 < tpw_rules> i know it's going to be one of those things where i'll facepalm so hard my skull shatters, but i haven't been able to find the mistak eyet
10:54 < rob0> Ryu, I don't know what router you have (and even if I did, we don't support it here.) On a high level I can tell you to block LAN client traffic from going out the raw Internet route/interface, only allow it out the tun interface.
10:55 < Ryu_Fitzgerald> i dont'know how to tell it to block lan traffic to internet
10:55 < tpw_rules> i'm not sure it's a firewall issue. i think it's a configuration
10:55 < rob0> (You will have to translate that into terms your router can deal with. And some routers might not allow that kind of control.)
10:55 < Ryu_Fitzgerald> this is pfsense so it does allow it
10:56 < Ryu_Fitzgerald> tpw_rules,  i see nothing about .sh in that link you pasted
10:56 < tpw_rules> http://pastie.org/private/uyf8tr5milgnjhcvby8fyq client config
10:56 < tpw_rules> i'm not asking about the .sh
10:56 < tpw_rules> that's my client program
10:56 < Ryu_Fitzgerald> what is your question then
10:57 < tpw_rules> <tpw_rules> hey all. i'm having issues setting up a pass-all-the-traffic vpn. i've done one before but now i'm doing it for a friend and i'm not sure what's wrong. i've got it so i can access the server just fine but i can't access the internet. i think something has gone wrong with the route setup. if i ask it to print out the route to something like google's ip, it takes 30 or 40 seconds to chug at it.
10:57 <@plaisthos> !nat
10:57 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
10:57 <@plaisthos> hm
10:57 <@plaisthos> no
10:58 <@plaisthos> seems like your dns is broken in some way
10:58 < tpw_rules> by "it" i mean route get -host 173.194.37.33
10:58 <@plaisthos> and route -n -host 173.194.37.33?
10:58 < tpw_rules> sec
10:58 <@plaisthos> well
10:58 <@plaisthos> is that route on your client or server?
10:59 <@plaisthos> because route -n get -host 173.194.37.33
10:59 <@plaisthos> route -n get -host 173.194.37.33
10:59 <@plaisthos> (correct syntax)
11:01 < tpw_rules> http://pastie.org/private/ackmwkl83ki9eykr7pncg that looks sensible
11:01 < tpw_rules> and didn't take 37 seconds
11:02 < tpw_rules> so yeah, it probably is a firewall issue
11:03 <@plaisthos> something is wrong with DNS then probably :)
11:04 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
11:05 < Ryu_Fitzgerald> here is a really good guide that was made for pfsense but it might help you solve your problem  http://www.bodenzord.com/archives/324
11:05 <@vpnHelper> Title: Tutorial: Configuring pfSense-to-Private Internet Access | Bodenzord (at www.bodenzord.com)
11:06 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:08 < Ryu_Fitzgerald> irony, i found somethign i may need that i didn't notice before in that guide
11:08 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has quit [Quit: mirco]
11:09 < tpw_rules> plaisthos: i can't get numeric IPs to work at all either. ping [ip] doesn't work and traceroute shows the packets falling off after the router
11:09 < tpw_rules> so i guess i do need firewall help :3
11:12 -!- michaelhart_ [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
11:12 -!- michaelhart [~michaelha@192.237.177.15] has quit [Ping timeout: 240 seconds]
11:12 -!- michaelhart_ is now known as michaelhart
11:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:15 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:17 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Ping timeout: 272 seconds]
11:23 -!- KarlBauman [~SoWhat@78.173.161.83] has joined #openvpn
11:24 < KarlBauman> hello! I cant install OpenVPN on Windows 8 64bit. It says there were problem with TAP-Win32 adapter installation
11:29 -!- tpw_rules [~tpw_rules@li242-215.members.linode.com] has left #openvpn ["Evil will always triumph, because good is dumb."]
11:32 -!- octocpp [~octo@unaffiliated/octocpp] has left #openvpn ["Konversation terminated!"]
11:36 < KarlBauman> ehh, no help.. bye
11:36 -!- KarlBauman [~SoWhat@78.173.161.83] has quit [Quit: Leaving]
11:36 <@plaisthos> early: you could try the new adapter
11:36 <@plaisthos> argh
11:46 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 272 seconds]
11:49 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 245 seconds]
11:53 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
12:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
12:10 -!- RaMcHiP [~RaMcHiP@97-117-228-47.phnx.qwest.net] has joined #openvpn
12:25 -!- sunwind [~paradox@cpc19-brmb8-2-0-cust205.1-3.cable.virginm.net] has joined #openvpn
12:31 < RaMcHiP> Has anyone ever had an issue with a VPN where you can access the network for the first few seconds of the connection but then it just dies and I have to restart the connection
12:35 < RaMcHiP> It works fine for awhile and then just stops
12:44 -!- sunwind [~paradox@cpc19-brmb8-2-0-cust205.1-3.cable.virginm.net] has quit [Quit: sunwind]
13:05 -!- Popsikle [~popsikle@2600:1001:b111:1e63:44ff:3d75:cc2a:921] has joined #openvpn
13:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:12 -!- Popsikle [~popsikle@2600:1001:b111:1e63:44ff:3d75:cc2a:921] has quit [Remote host closed the connection]
13:15 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 264 seconds]
13:47 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
13:54 -!- lambda79 [~lambda79@AReims-653-1-7-186.w109-219.abo.wanadoo.fr] has joined #openvpn
13:58 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
13:58 < lambda79> hi I have issues with openvpn (2.2.2-2) always giving me: ' Usage message not available ' output when I try to execute /usr/sbin/openvpn
13:58 < lambda79> I can't figure out whats going on
13:58 < lambda79> i am using openvpn as a server
13:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:02 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has joined #openvpn
14:02 -!- Netsplit *.net <-> *.split quits: nutron, ender|, SlutaTramsa, Cybertinus, haasn
14:03 -!- Netsplit over, joins: nutron
14:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:04 -!- lambda79 [~lambda79@AReims-653-1-7-186.w109-219.abo.wanadoo.fr] has quit [Disconnected by services]
14:05 -!- lambda79 [~lambda79@AReims-653-1-7-186.w109-219.abo.wanadoo.fr] has joined #openvpn
14:05 < lambda79> hi back
14:05 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
14:05 < lambda79> could you please help me on the topic i am talking about above ? thx
14:06 < RaMcHiP> I have been in here for hours with mine as well
14:06 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:07 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
14:12 < lambda79> user message not available what does it mean? please
14:13 < lambda79> openvpn is not starting
14:13 < lambda79> some idea for troubleshooting?
14:16 -!- lambda79 [~lambda79@AReims-653-1-7-186.w109-219.abo.wanadoo.fr] has quit [Remote host closed the connection]
14:21 -!- hilarie [~hilarie@184.75.214.138] has joined #openvpn
14:28 -!- Megaf is now known as Megaf_
14:37 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
14:47 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:05 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:16 -!- RaMcHiP [~RaMcHiP@97-117-228-47.phnx.qwest.net] has quit [Ping timeout: 245 seconds]
15:18 -!- Netsplit *.net <-> *.split quits: Champi
15:18 -!- Netsplit over, joins: Champi
15:18 -!- Champi [Champi@rootshell.fr] has left #openvpn []
15:18 -!- Champi [Champi@rootshell.fr] has joined #openvpn
15:19 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has quit [Quit: mirco]
15:25 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has joined #openvpn
15:34 < hilarie> I can't figure out how to google this, I've got my Ubuntu server running openvpn, I've got it set up as my default gateway on my home network, and it's using NAT for all of the lan traffic to tunnel out, using tun0 I'd like for it to not use tun0 for SSL traffic (port 443) is there any way to do this?
15:34 < hilarie> This is the command I use to make everything run through the tunnel iptables --table nat -A POSTROUTING -o tun0 -j MASQUERADE
15:45 -!- mattock is now known as mattock_afk
15:47 -!- mnathani [~mnathani@constance.winvive.com] has quit [Ping timeout: 252 seconds]
15:49 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:52 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
16:16 -!- Denial [Denial@176.251.77.152] has quit []
16:28 -!- averagecase [~anon@dslb-094-221-217-081.pools.arcor-ip.net] has joined #openvpn
16:29 -!- Denial [Denial@176.251.77.152] has joined #openvpn
16:38 < pekster> hilarie: You'd need policy routing on the client end for that
16:52 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
16:56 < Thermi> hilarie: That iptables command is nonsense.
16:57 < Thermi> Oh, it's on a gateway. Nevermind.
17:03 < pekster> It's still nonsense; masquerading as things leave via tun0 is very rarely what you want to do
17:05 < pekster> Either way, routing tables care about destinations. If you care about non-IP things like "protocol" and "port", you need policy routing
17:14 < hilarie> pekster policy routing? what do you mean, is there another way to set up my network to go through the VPN?
17:15 < pekster> If that's "all" you want, !redirect does that
17:15 < pekster> You asked for redirecting all traffic _except_ certain types. This is very different
17:16 < hilarie> Oh
17:16 < pekster> What's the intent here?
17:16 < hilarie> Okay, right now, all traffic goes through the tunnel, I want all traffic except for traffic that's SSL (port 443)
17:17 < pekster> Why? This will possibly break websites tha log you in via https but serve content (after login) over http
17:17 < pekster> Many will accept changing IPs, but some won't
17:18 < hilarie> I don't like the latency hit I seem to be getting on everything and I figured SSL would be enough to keep my ISP from being creepy
17:18 < hilarie> (They are in fact creepy)
17:19 < hilarie> That and if I figured out how to do it for SSL, I figured I could do it for other things that I want better latency vs better privacy
17:20 < pekster> Doing so might break in subtle and unforseen ways, but you can set it up like that if you really want. Doing it properly is a bit non-trivial because it's not just tcp/443 traffic you need to redirect, but outbound ICMP messages and other similar traffic related to that session
17:21 < hilarie> That sounds more complicated then it is probably worth then :/
17:22 < pekster> Right, it's not nearly as simple as adding the --redirect-gateway option
17:23 < pekster> The client is Linux? If so, policy routing involves a secondary routing table, identifying rules to route traffic there, and (to do it properly) integration with conntrack so the related traffic does the right thing too
17:23 < hilarie> The clients on my home network are windows linux and Mac
17:24 < pekster> Windows won't policy route at all (maybe if you spend $2000 on their routing nonsense server platform it might, but nobody seriously does complex routing on Windows)
17:24 < pekster> It's far easier to use a real OS in front of Windows that acts as the VPN termination and routes traffic where you want, but that's also not "simple"
17:25 < hilarie> umm, I think that's what I do? I have my internet, come into ubuntu 14.04 which I use NAT on that computer, to give my whole network internet through the VPN
17:27 < pekster> Then yes, if you policy route on your router (acting as a VPN client) it'll apply the routing policy for all downstream systems
17:28 < hilarie> like this? http://www.ubuntugeek.com/howto-add-permanent-static-routes-in-ubuntu.html
17:28 <@vpnHelper> Title: Howto add permanent static routes in Ubuntu | Ubuntu Geek (at www.ubuntugeek.com)
17:29 < pekster> No
17:29 < pekster> Also stop using deprecated tools on Linux
17:29 < pekster> We don't use `route` or `ifconfig` anymore since the 2.4 kernel days. It's old and not maintained, and buggy:
17:29 < pekster> !ifconfig_linux
17:29 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
17:29 < pekster> Policy routing requires iproute2 anyway, as does any reasonably modern networking
17:30 < pekster> I have a policy routing with openvpn intro, but it's designed for people trying to policy route _inbound_ connections, not outbound ones
17:31 < pekster> The concept is similar, but you need to apply connmark values on the outbound protocol/port on packets coming from your LAN, not based on inbound interface.
17:31 < pekster> https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
17:31 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
17:34 < hilarie> okay, I don't understand the 2nd link, could you give me more information on the first? is 'ip route' a drop in for route? or is there different syntax, the man page for IP just says ip route is how you route things
17:35 < pekster> ip-route(8) says a lot more than that
17:35 < pekster> Ref: the "SEE ALSO" section of ip(8)
17:36 < hilarie> Okay, I was looking at the short ubuntu version, I'm at the die.net one now
17:37 < pekster> `man 8 ip-route` works fine for me on a 14.04 Ubuntu flavour
17:37 < hilarie> I am terrible at the keybinds for the terminal man, so I generally rely on the internet for my man pages
17:38 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:40 < hilarie> Am I going to have to generate a rule for each website/IP address I want to route around the tunnel? or is there a way to *:443 I'm not seeing anything here for that
17:40 < pekster> You tag it
17:41 < pekster> That's the _entire_ point of the document I linked
17:41 < pekster> This is _not_ simple single-route-entrying routing
17:41 < pekster> You _must_ have a second routing table, conntrack integration, and a routing rule. As I said before.
17:42 < hilarie> :O Sorry I misunderstood
17:42 < hilarie> I can see how to do it for games now at least!
17:45 < hilarie> Not at least, You've been tons of help, sorry if I'm misunderstanding you, but for each website, I'd have to do this again and again, it wouldn't be a simple one or a couple liner to get everything going
17:45 < pekster> No
17:45 < pekster> You route it by _policy_ (not destination)
17:45 < pekster> So you do exactly as I've now said 3 times; you create a secondary routing table, a routing rule to send tagged traffic to a different gateway than the rest of the traffic uses, and netfilter integration do distinguish the traffic
17:47 < sla3k> How can I check if OpenVPN server is actually trying to connect to freeradius server for authentication or not?
17:47 < sla3k> Any logs or anything would be helpful.
17:49 < pekster> OpenVPN does not auth to freeradius. There may be external plugins or use of a --client-connect script that do, but then you'd need to consult its documentation
17:49 < pekster> Or better yet, the logs on your RADIUS server
17:49 < pekster> The PAM plugin can likely be configured to do RADIUS auth too if you have a PAM plugin for that
17:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
17:51 < sla3k> hmmm, I am using radiusplugin from "http://www.nongnu.org/radiusplugin/", all worked fine, shared secret is same (I did a diff), but somehow I am assuming openvpn is not sending AUTH to freeradius, it is still searching for a local unix account.
17:52 < sla3k> in server.conf, I have enabled that plugin, restarted the openvpn server, I am not sure where I missed something.
17:52 < pekster> Dunno, I've never used the plugin
17:53 < pekster> I have done RADIUS auth from openvpn before, but it's quite simple to write a tiny shell script to call radiusclient
17:53 < pekster> I see no reason to use a bunch of C code as a plugin when I can get what I want with ~20 lines of shell
17:53 < pekster> Plus I can log as little or as much as I want ;)
17:54 < pekster> The plugin just gets to integrate in to one of openvpn's programatic (its API) hooks to certain events, like auth
17:54 < pekster> After that, the plugin does "whatever it wants" and returns a "pass/fail" to the auth event
17:54 < sla3k> pekster: I would be very much interested to try that shell thing if you could share
17:55 < pekster> It's locked up at a former employer's code repos
17:55 < pekster> I don't do RADIUS personally
17:55 < pekster> Read the radiusclient manpages for clues; it's not that hard to figure out
17:55 < sla3k> The real need for using radius is to limit user quota's otherwise I would've stayed away
17:57 < pekster> No idea on the accounting aspects of the plugin though
17:58 < pekster> That plugin has a mailing list; you might try it
17:59 < pekster> Seems a bit dead though. Maybe openvpn-users, but that whole plugin seems fairly stale
18:03 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:21 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:23 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
18:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:09 -!- LuisM [~LuisM@unaffiliated/luism] has quit [Read error: Connection reset by peer]
19:09 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 276 seconds]
19:09 -!- LuisM [~LuisM@unaffiliated/luism] has joined #openvpn
19:13 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:20 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has joined #openvpn
20:52 -!- averagecase [~anon@dslb-094-221-217-081.pools.arcor-ip.net] has quit [Quit: Verlassend]
20:55 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:56 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
21:03 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:05 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:08 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
21:08 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Disconnected by services]
21:08 -!- Kniaz1 [~Kniaz@unaffiliated/bears] has joined #openvpn
21:10 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
21:24 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
21:52 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
21:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:16 -!- justinzane [~justinzan@24.49.207.203] has quit [Read error: No route to host]
22:27 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
22:32 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
22:37 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
22:41 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
22:49 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has joined #openvpn
22:49 < JordanJ2> hi, I have OpenVPN set up, can I get it to use IPv6?
22:53 -!- LuisM [~LuisM@unaffiliated/luism] has quit [Quit: Leaving]
22:56 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
23:27 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
23:37 -!- ShadniX [dagger@p5DDFE7CB.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:38 -!- ShadniX [dagger@p5481DA1B.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Jun 13 2014
00:09 -!- SKiTZO [~lennart@46.156.38.93.tmi.telenormobil.no] has joined #openvpn
00:10 < SKiTZO> I am following the debian openvpn doc and the static key example works 100% but I can't get tls  example working
00:11 < SKiTZO> i can see from the log output that it connects fine in both ends but no ping or ssh possible. also a strange thing, in ifconfig output it puts inet and P-t-P addresses on the server. is that normal+
00:11 < SKiTZO> *?
00:22 -!- SKiTZO [~lennart@46.156.38.93.tmi.telenormobil.no] has quit [Ping timeout: 264 seconds]
00:44 -!- mattock_afk is now known as mattock
00:45 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
00:45 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
01:04 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
01:10 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:28 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has quit [Ping timeout: 252 seconds]
02:06 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:22 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-ac09-c5fa-7be6-261f.rev.sfr.net] has joined #openvpn
02:22 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has quit [Ping timeout: 240 seconds]
02:22 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 245 seconds]
02:24 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
02:38 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
02:39 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 245 seconds]
02:47 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
02:52 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has joined #openvpn
03:12 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
03:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Broken pipe]
03:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
03:12 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
03:12 -!- lewiz [~lthompson@195.59.118.200] has quit [Quit: Leaving.]
03:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:15 -!- Latrina [~Latrina@adsl-ull-28-189.50-151.net24.it] has quit [Remote host closed the connection]
04:44 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:46 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Quit: Konversation terminated!]
04:51 -!- JackWinter [~jack@vodsl-10810.vo.lu] has joined #openvpn
05:01 -!- qwertyoruiop [~hax@3.shulgin.nl.torexit.haema.co.uk] has quit [Remote host closed the connection]
05:05 -!- Latrina [~Latrina@151.50.189.28] has joined #openvpn
06:24 -!- TBJoe [~TBJoe@drms-4d014aaf.pool.mediaWays.net] has joined #openvpn
06:31 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:48 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
07:09 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
07:13 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
08:02 < halothe23> I have a slight issue with OpenVPN connections.
08:02 < halothe23> I'm on a Mac, using Mavericks. Tunnel establishes fine, but everything that uses the OpenSSL suite to generate traffic fails. HTTP and Skype, pinging trace routes and whatnot show perfect results. Anything loading over HTTPS fails miserably though.
08:02 < halothe23> Anyone encountered this issue like me before?
08:02 < halothe23> (And perhaps knows a fix)
08:05 < rob0> You're saying that once you bring up the tunnel, https fails? Sounds like maybe the tunnel redirects your gateway?
08:05 < halothe23> The point is to tunnel traffic trough it, of course. And it does what its expected to do, for everything apart from HTTPS links, and apps that use OpenSSL libraries to generate SSL/TLS links.
08:06 < halothe23> Server rejected SSL handshake is a common error even when trying via CURL
08:06 < rob0> so basically it's just https
08:07 < halothe23> Well even the IRC connection to my bouncer.
08:07 < halothe23> TCP establishes fine, just not the SSL/TLS handshake and data transfer.
08:08 < halothe23> If I connect without SSL I connect fine, trough the OpenVPN tunnel
08:38 -!- Fohlen [~Fohlen@153.ip-92-222-25.eu] has joined #openvpn
08:40 < Fohlen> hey guys. Haven't found a clear answer in the docs, does openvpn support IPv6 server-sided? My listen with ipv6 spikes out a RESOLVE: Address family for hostname not supported error.
08:40 < Fohlen> I'm on ubuntu 14.04 server, so might be a bit out-dated, if there is support for it in newer versions
08:43 < Fohlen> ups I see nvm, needed to switch proto to tcp6
08:46 -!- spillere [~spillere@unaffiliated/spillere] has joined #openvpn
08:48 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 252 seconds]
09:04 -!- Fohlen [~Fohlen@153.ip-92-222-25.eu] has quit [Quit: ZNC - http://znc.in]
09:05 -!- Fohlen [~Fohlen@153.ip-92-222-25.eu] has joined #openvpn
09:05 -!- spillere [~spillere@unaffiliated/spillere] has quit [Ping timeout: 264 seconds]
09:24 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-ac09-c5fa-7be6-261f.rev.sfr.net] has quit [Remote host closed the connection]
09:25 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
09:30 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:33 -!- Kniaz1 [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
09:33 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
09:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
09:50 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
10:05 -!- dren [dren@access.not.allowed.org] has joined #openvpn
10:19 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
10:25 -!- TBJoe [~TBJoe@drms-4d014aaf.pool.mediaWays.net] has quit [Quit: TBJoe]
10:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:55 -!- LuisM [~LuisM@unaffiliated/luism] has joined #openvpn
11:04 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:25 -!- tase [~Phil@unaffiliated/tase] has joined #openvpn
11:25 -!- Adran is now known as Wherdran
11:26 < tase> How do I debug webadmin connectivity test failures (Error, Could not connect to the test server on the Internet.)
11:27 < rob0> webadmin? Sounds like you might be using OpenVPN-AS?
11:27 < rob0> !as
11:27 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
11:28 < tase> rob0, indeed i am, thanks for the redirect
11:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:38 -!- LuisM [~LuisM@unaffiliated/luism] has quit [Quit: Leaving]
11:42 < halothe23> Anyone got any idea on what the issue I explained before could be caused by? (Paste: http://sprunge.us/KZjJ )
11:50 -!- raidz is now known as raidz_away
11:52 -!- le0 [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
11:55 < rob0> As per /topic, the only thing I can guess is a firewall issue?  Maybe you're being forced into a transparent proxy, and the proxy is broken?
11:58 < halothe23> Well, tunnel wouldn't establis
11:59 < halothe23> And connections, trace routes, and whatnot wouldn't be working trough the tunnel
12:02 < rob0> why not?
12:23 < pekster> A firewall is quite able to fuck with your https traffic and leave other stuff alone
12:23 < pekster> Pretty trivial if you do it by port (blindly assuming it's https traffic if-and-only-if it's on tcp/443) or with more invasive measures like an IDS
12:24 < pekster> Sounds a lot to me like you don't control the server, so all bets are off. Ask the owner
12:30 < halothe23> I do control the server.
12:30 < halothe23> SSL is not blocked.
12:37 < pekster> Is something upstream of you perhaps messing with the traffic?
12:37 < pekster> OpenVPN does not know/care what is inside the IP packets. TLS, or even TCP vs UDP (or just random bytes even!) don't matter
12:54 -!- raidz_away is now known as raidz
13:35 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has quit [Quit: mirco]
13:55 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
13:57 -!- hilarie [~hilarie@184.75.214.138] has quit []
14:30 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
14:38 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
14:38 < linuxthefish> hi, why is there no defualt gateway and internet not working through opnvpn? but it's working on my other laptop...
14:39 < linuxthefish> and ipconfig for tap is not showing defualt gateway either
14:46 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:48 < linuxthefish> grr why can't openvpn do away with all this access server rubbish
14:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:57 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has joined #openvpn
15:01 -!- Wherdran is now known as Weredran
15:02 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 252 seconds]
15:04 -!- Plastefuchs_ [~fweee@198.98.120.235] has quit [Ping timeout: 252 seconds]
15:07 < Thermi> linuxthefish: Problem on layer eight.
15:17 -!- Plastefuchs_ [~fweee@198.98.120.235] has joined #openvpn
15:33 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:36 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has joined #openvpn
15:39 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
15:45 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:08 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
16:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
16:15 < Eugene> Uh, what?
16:17 < Eugene> #1 ipconfig won't show default gateway, wtf r u doin
16:17 < Eugene> #2 do you have any idea what openvpn does? It doesn't magically change your gateway unless you tell it to
16:17 < Eugene> #3 AS is a commercial product.
16:19 < JordanJ2> Hi, Can I get OpenVPN to use IPv6?
16:20 < JordanJ2> Is there any web interface to it?
16:20 < Eugene> OpenVPN supports IPv6 for the transport as well as within the tunnel, yes.
16:21 < Eugene> The core openvpn software does not have a web interface, only a socket-based management you can access
16:21 < Eugene> There are several packages which will work with this interface. i've used(and can vouch for) none of them.
16:22 < JordanJ2> Ah okay
16:23 < JordanJ2> Could you tell me how to enable IPv6 as a transport method? I used a script to install it
16:23 < Eugene> "proto udp6"
16:23 < randt0sh> Hello, I have a little problem with openvpn/IPv6
16:24 < randt0sh> Server side, I used the option : server-ipv6 fe80:dead::/64
16:24 < randt0sh> But client side, I obtain the fe80:dead::1:0 address
16:25 < randt0sh> And i want a address like fe80:dead::X
16:25 < randt0sh> how can I solve this ?
16:26 -!- ninstaah [~ninstaah@78.143.78.171] has joined #openvpn
16:28 < ninstaah> Hi there! Can anyone help me with making openvpn work inside a openvz vps?
16:33 < JordanJ2> I've got mine working in a OpenVZ VPS currently
16:33 < ninstaah> JordanJ2, are you also the host of the node?
16:34 < JordanJ2> No
16:35 < ninstaah> Ok, thats what I am
16:35 < JordanJ2> Oh okay
16:35 < JordanJ2> May I ask if it's part of a company?
16:36 < randt0sh> And I have an other question... Is it possible to enable ONLY ipv6 on tun interfaces ?
16:37 < randt0sh> or we must have both ipv6/ipv4 address per tun iface if we want to enable IPv6 ?
16:38 < ninstaah> JordanJ2, no - its my personal intel nuc :-)
16:38 < JordanJ2> Ah okay
16:39 < JordanJ2> Are you making money from it?
16:40 < ninstaah> JordanJ2, not really - power bills, hardware, lots of time. Why are you asking these questions?
16:40 < JordanJ2> Was generally curious :P
16:40 < ninstaah> Not a single costumer and my own personal homelab to the fullest extend :P
16:40 < JordanJ2> Ahh
16:40 < JordanJ2> !heartbleed
16:40 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
16:41 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
16:41 < ninstaah> and Intel Nuc is very recommendable"
16:42 < Eugene> !openvz
16:42 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
16:43 < Eugene> ninstaah - VZ sucks. If you value your sanity switch to ACTUAL virtualization, not steroided chroot
16:43 < Eugene> !static
16:43 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
16:43 <@vpnHelper> also: !addressing
16:43 < JordanJ2> Eugene: proto udp6?
16:44 < ninstaah> hahaha Eugene what an epic statement
16:44 < Eugene> randt0sh - I've not used it myself with v6, but I believe the v6-related options should do static, too ^
16:44 < ninstaah> Eugene, any suggestions?
16:44 < Eugene> !beer
16:44 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
16:45  * ninstaah gives up
16:45 < Eugene> randt0sh - I'm not sure about v6-only either; again not one i've played with. Dual-stack is usual preferable..... NAT64 / DNS64 trololo
16:45 < Eugene> ninstaah - you asked for a suggestion, I gave one. Was there a particular subject you wanted to know about?
16:47 < ninstaah> Eugene, and up on that high horse you didn't have a clue about what I meant by that?
16:47 < Eugene> If you want to get sassy, fuck off. I'm not in the mood for it.
16:47 < Eugene> This is a free support channel. Don't like it?
16:47 < Eugene> !refund
16:47 <@vpnHelper> "refund" is If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
16:49 < ninstaah> Wow. that escalated quickly. I'll as said "fuck off".
16:49 -!- ninstaah [~ninstaah@78.143.78.171] has left #openvpn ["Leaving"]
16:50 < randt0sh> Thanks for your answer Eugene :)
16:50 < Eugene> Any time
16:51 -!- mattock is now known as mattock_afk
16:51 < rob0> Thanks for the show Eugene :)
16:52 < Eugene> I'm here all day
16:52 < rob0> I'll tell my friends ... no wait ... I don't have friends
16:52 < Eugene> D'awwww we'll be your friends
16:53 < rob0> No, it's okay, I have computers.
16:55 < JordanJ2> Can I enable IPv6 if I don't have IPv6 support on the client machine?
16:56 < Eugene> It needs to be baked into the kernel, but no, you don't need to have v6 on ethN
16:57 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
16:57 < JordanJ2> I would only need it on the server side then?
16:57 < Eugene> The same applies.
16:57 < JordanJ2> Okay
16:57 < JordanJ2> Thank you
16:57 < Eugene> If you want your client to be able to reach the v6 internet via the tunnel, then yes, you would need to have a path via the server outwards
16:58 < Eugene> But it will function just fine as a PtP tunnel
16:58 < tharkun> Good $DATE I can ping from end A of the vpn to end B but I can't do it from network A which is at the A end of the vpn.
16:59 < Eugene> !serverlan
16:59 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:59 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:59 < Eugene> Flowchart ^
16:59 < tharkun> Eugene: :)
17:00 < tharkun> Eugene: Yes that was it but how do I make them persistent across reboots?
17:00 < Eugene> I'm guessing you mean
17:00 < Eugene> !linipforward
17:00 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:00  * tharkun kisses Eugene 
17:00 < Eugene> That'll be $20
17:01  * tharkun looks at his 2,000 budget "What will I get?"
17:02 < Eugene> 13.33 hours of my time, at standard rates.
17:03 < tharkun> lol
17:04 -!- mode/#openvpn [+o tharkun] by ChanServ
17:04 <@tharkun> lol :)
17:05 < rob0> BTW there's also a !clientlan factoid and flowchart, use which one fits best.
17:05 < Eugene> I took a guess
17:06 -!- mode/#openvpn [-o tharkun] by ChanServ
17:06 < rob0> tharkun can figure it out :)
17:07 < tharkun> Yes, Actually I totally forgot about editing sysctl.d/local.conf witht the apropiate value. All is well now.
17:08 < tharkun> rob0: Totally forgot about the other lolipop. The kids laughed a lot yesterday :)
17:08 < tharkun> !clientlan
17:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
17:08 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:09 < tharkun> Is there a way to push a route through dhcp? I tried all the options I could muster to no avail. I ended up adding the routes manually.
17:11 -!- javierlito [~GlitchedS@Vpn.animeforumz.net] has joined #openvpn
17:12 < javierlito> Hello could anyone help me enable port forwarding on my open vpn server centod 6 64bit
17:12 < tharkun> !linipforward
17:12 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:12 < tharkun> :)
17:13 < javierlito> is that for me? vpnHelper
17:13 < Eugene> !bot
17:13 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
17:13 -!- ValdikSS [~valdikss@2001:470:28:1b3::1] has joined #openvpn
17:13 < Eugene> Yes
17:13 < javierlito> oh thats a bot?
17:13 < javierlito> Lol
17:13 < javierlito> !help
17:13 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
17:13 < javierlito> !say hi
17:14 < JordanJ2> !list
17:14 <@vpnHelper> Admin, BadWords, Channel, ChannelLogger, Config, Factoids, FloodPrevent, Google, Misc, Owner, Relay, Seen, Services, User, Weather, and Web
17:14 < JordanJ2> Ah
17:14 < ValdikSS> Hello. Is there any way to disable pulling IPv6 address from server but to keep IPv4?
17:14 < ValdikSS> Something like no-tun-ipv6?
17:15 < tharkun> http://ircpimps.org/clientlan.png is dead from my end. Can someone confirm?
17:15 < tharkun> dns resolves fine but the connections time out.
17:18 < rob0> gright use pekster's
17:18 < rob0> or even just "right"
17:39 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
17:48 -!- javierlito [~GlitchedS@Vpn.animeforumz.net] has quit [Ping timeout: 252 seconds]
17:48 < dren> yes
17:48 < dren> openvpn should not use ipv6 though unless you are configuring it to do that
17:49 < dren> http://ircpimps.org/clientlan.png is timing out
17:49 < Eugene> I do remember something about that being dead from yesterday
17:59 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:59 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
18:16 < rob0> right, use pekster's
18:24 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
18:24 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
18:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:47 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:53 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
18:53 < Ryu_Fitzgerald> does anyone know how to force someone that is set to a static ip to go through a particular vpn set up on the server
18:59 < Eugene> "particular vpn set up" ?
19:00 < Ryu_Fitzgerald> its a openvpn
19:00 < Ryu_Fitzgerald> the router runs as client
19:00 < Eugene> Do you mean that you want to filter an incoming connection based upon its source IP address and sort it to a certain instance of openvpn on your server?
19:00 < Ryu_Fitzgerald> i want it so a local ip addres on the router only has traffic over one particular vpn set up on the router
19:01 -!- ValdikSS [~valdikss@2001:470:28:1b3::1] has quit [Quit: Konversation terminated!]
19:02 < Ryu_Fitzgerald> by local ip address, i mean one of the lan addresses
19:02 < Eugene> Router is acting as an openvpn client; you want a machine on the LAN of Router to have its traffic sent via openvpn?
19:02 < Ryu_Fitzgerald> yes
19:02 < Ryu_Fitzgerald> one particular machine
19:02 < Eugene> Gotcha.
19:03 < james41382> if it's only one machine, why not just have that particular machine connect to the openvpn itself and cut out the router completely?
19:03 < Eugene> So.... the easy way to do this is to just make that LAN Machine be the openvpn client(openvpn traverses NATs just fine)
19:03 < Eugene> The hard way involves Policy Routing.
19:04 < Ryu_Fitzgerald> i can't do it the easy way
19:04 < Ryu_Fitzgerald> it has to be the hard way
19:04 < Eugene> !lartc
19:04 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
19:04 < Eugene> Enjoy.
19:06 < Ryu_Fitzgerald> i was reading that earlier today.  It is not exactly clear on where the commands should be put
19:07 < Eugene> That's why its called The Hard Way.
19:07 < Ryu_Fitzgerald> silly question, is a subnet domain limited to one vpn at a time?
19:08 < Eugene> You're mixing three different things there. i'm gonna go with "No?"
19:14 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
19:15 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
19:44 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has joined #openvpn
19:47 < MaliusArth> raspian: installed openVPN and I am able to connect to a vpn manually, however on boot it seams to establish a connection but I don't have an internet connection unless I reconnect
19:49 < MaliusArth> !welcome
19:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:59 -!- Weredran [adran@botters/staff/adran] has left #openvpn []
20:00 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
20:01 < MaliusArth> i need to reload openvpn in order for it to work
20:03 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
20:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:14 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:21 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
20:25 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:29 < MaliusArth> !logs
20:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
20:32 < MaliusArth> !logfile
20:32 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
20:42 < MaliusArth> I would like to connect to my VPN on startup | client.conf: http://pastebin.com/4qVJatJt | after boot it says: "[ ok ] Starting virtual private network daemon: client." but I have no access to the internet and I need to reload the service for it to work
20:43 < MaliusArth> installed openvpn via apt-get
20:44 < MaliusArth> it obviously attempts to connect but for some reason there is not connectivity
20:45 < MaliusArth> !man
20:45 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
20:45 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
20:50 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
20:55 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:55 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:01 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
21:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:09 -!- Latrina [~Latrina@151.50.189.28] has quit [Ping timeout: 244 seconds]
21:10 -!- Latrina [~Latrina@ppp-93-33.26-151.libero.it] has joined #openvpn
21:23 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
21:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
21:39 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
21:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:04 <@krzee> MaliusArth, have you read your logs to see what happened?
22:09 < MaliusArth> in syslogs everything looks fine
22:09 <@krzee> !logfile
22:09 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
22:10 < MaliusArth> had verb 4 on
22:11 <@krzee> should be fine
22:11 <@krzee> 5 would help diagnose firewall issues
22:12 < MaliusArth> well syslog did show anything on 4
22:12 < MaliusArth> also I have no problem connecting manually
22:13 < MaliusArth> so it's has to be related to the boot process
22:19 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:21 < MaliusArth> relevant part of the syslog: http://pastebin.com/YEFAiU4G
22:25 -!- mode/#openvpn [+o Eugene] by ChanServ
22:26 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
23:32 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:35 -!- ShadniX [dagger@p5481DA1B.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:37 -!- ShadniX [dagger@p5794195B.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has quit [Quit: Leaving.]
23:42 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
23:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:55 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
--- Day changed Sat Jun 14 2014
00:01 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has quit [Ping timeout: 252 seconds]
00:33 -!- early [~early@192.241.198.49] has quit [Ping timeout: 240 seconds]
00:35 -!- early [~early@192.241.198.49] has joined #openvpn
00:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:21 -!- nick4 [~nick4@46.246.240.236.dsl.dyn.forthnet.gr] has joined #openvpn
01:21 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has joined #openvpn
01:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
01:25 -!- saebl [~saebl@f053003239.adsl.alicedsl.de] has joined #openvpn
01:38 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has joined #openvpn
01:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
02:34 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:35 -!- Monotoko [~monotoko@unaffiliated/monotoko] has joined #openvpn
02:36 < Monotoko> does it matter what IP address(es) I set my bridge to be if I want to authenticate from eth0 then get the routes for eth1?
03:21 -!- mirco [~mirco@ip-5-146-124-121.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
03:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
03:49 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Read error: Connection reset by peer]
03:59 -!- saebl [~saebl@f053003239.adsl.alicedsl.de] has quit [Quit: Leaving]
04:02 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
04:42 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has quit [Ping timeout: 252 seconds]
04:56 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has joined #openvpn
05:03 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has quit [Ping timeout: 264 seconds]
05:09 -!- claudiop [~claudiop@a85-138-3-198.cpe.netcabo.pt] has joined #openvpn
05:10 < claudiop> Hi. My vpn fails to start on boot but manually starts (systemd). Is there any known easy fix for this problem or is it isolated?
05:10 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has joined #openvpn
05:16 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has quit [Ping timeout: 240 seconds]
05:19 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
05:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:23 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has joined #openvpn
05:25 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
05:29 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
05:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:31 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
05:36 < Thermi> claudiop: Probably a missing dependency on network-online.target
05:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
06:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
06:13 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has quit [Ping timeout: 264 seconds]
06:25 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has quit [Ping timeout: 240 seconds]
06:29 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has joined #openvpn
06:36 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has quit [Ping timeout: 264 seconds]
06:37 -!- u0m3 [~u0m3@109.96.156.238] has quit [Read error: Connection reset by peer]
06:40 -!- u0m3 [~u0m3@109.96.135.222] has joined #openvpn
06:45 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has joined #openvpn
07:22 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-2d68-6130-b945-b2c5.rev.sfr.net] has quit [Remote host closed the connection]
07:23 -!- dob1 [~dob@dynamic-adsl-84-221-67-139.clienti.tiscali.it] has joined #openvpn
07:23 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
07:24 < dob1> hi, i am trying to install openvpn client on a windows xp pc, i am using http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I002-i686.exe  , the problem is that during the installation it complains that the tap driver is not signed, is this normal?
07:28 < vinky> dob1: I'm on W7 and it doesn't complain for me
07:29 < dob1> vinky, is the right installer what i am using?
07:33 < dob1> i installed it on another windows xp pc and it worked with no problems, on another windows 7 same
07:33 < dob1> but on this one i get this warning
07:51 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 260 seconds]
07:59 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
08:01 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
08:02 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
08:15 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Ping timeout: 260 seconds]
08:15 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-fdd5-af1a-382a-0fd2.rev.sfr.net] has joined #openvpn
08:18 -!- claudiop [~claudiop@a85-138-3-198.cpe.netcabo.pt] has quit [Ping timeout: 240 seconds]
08:29 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
08:42 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:51 -!- Monotoko [~monotoko@unaffiliated/monotoko] has quit [Ping timeout: 272 seconds]
09:01 -!- dob1 [~dob@dynamic-adsl-84-221-67-139.clienti.tiscali.it] has quit [Quit: quit]
09:11 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
09:13 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
09:32 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-fdd5-af1a-382a-0fd2.rev.sfr.net] has quit [Remote host closed the connection]
09:33 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
09:33 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
09:40 < ayaka> about ifconfig-ipv6, what does the meaning of its parameter?
09:40 < ayaka> in wiki ipv6, it didn't find it
09:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
09:46 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
09:56 <@plaisthos> ayaka: did you check the manual page?
10:05 < ayaka> plaisthos, sorry, I didn't and I will
10:05 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
10:06 < ayaka> plaisthos, thank you
10:07 < LuisM> afternoon..
10:08 < LuisM> folks, when i try to start openvpn-as in webui (running fine) returns this error:
10:08 < LuisM> process started and then immediately exited: ['Sat Jun 14 12:05:35 2014 Linux ifconfig failed: could not execute external program']
10:08 < LuisM> service failed to start or returned error status
10:08 < LuisM> wtf?
10:08 < LuisM> fedora 20 x64
10:11 < LuisM> could somebody help me?
10:15 <@plaisthos> !as
10:15 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
10:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:54 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
10:55 -!- JackWinter [~jack@vodsl-10810.vo.lu] has quit [Ping timeout: 272 seconds]
10:56 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has joined #openvpn
10:57 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
11:15 < MaliusArth> I'm having no internet connection when autoconnecting to VPN on boot, | client.conf: pastebin.com/4qVJatJt | syslog: pastebin.com/YEFAiU4G | ping & traceroute can't even resolve "google.com" | its able to connect after "sudo service openvpn reload"
11:16 < MaliusArth> I'm on a debian
11:53 <@Eugene> MaliusArth - sounds like it's an order-of-services problem?
11:55 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
11:57 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
12:03 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
12:07 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
12:09 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:36 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
12:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
12:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
12:59 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 245 seconds]
13:07 -!- LuisM [~luism@unaffiliated/luism] has quit [Ping timeout: 255 seconds]
13:15 -!- nullsign [~nullsign@daedalus.nullsign.com] has joined #openvpn
13:15 < nullsign> if you are just using openvpn with certs, how can you do static ip assignment to a host?
13:15 < nullsign> cert/key combo
13:16 < _FBi> what?
13:16 < _FBi> oh
13:16 < _FBi> gotcha
13:16 < nullsign> i see some notes about using a password file i guess
13:16 < nullsign> so you can assign a username.
13:16 < _FBi> common name I would htink
13:16 < _FBi> think
13:17 < nullsign> common name?
13:17 < _FBi> when you sign someone's cert. they supply  common name.  I think common is the word, once
13:17 < _FBi> oce sec
13:18 < _FBi> one sec
13:18 < nullsign> ah of the cert.. only issue is they all use the same cert/key
13:18 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
13:18 < _FBi> that's a horrible idea
13:19 < nullsign> well, here is my scenario, tell me how you'd do it;
13:19 < nullsign> i have 5 hosts, i want them all to have a single private virtual network that they can communicate across from one to each other.
13:19 < nullsign> redundancy would be nice too
13:19 < nullsign> i've made it work, to a degree, in the past, just curious what im missing for best practices.
13:20 < _FBi> 5 users and one server?
13:20 < nullsign> techncially the users are all other servers.
13:20 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
13:21 < _FBi> isn't that how a vpn works?
13:21 < nullsign> yep
13:21 < nullsign> when i had just 3 servers (not 5), i have each server run a openvpn daemon.
13:21 < nullsign> and each one had 2 other connections, so each link was reundant in a star.
13:22 < nullsign> made IP space issues a nightmare tho.
13:22 < nullsign> now with 5.. i want to redo this.
13:22 < nullsign> so it scales better
13:23 < MaliusArth> Eugene - order-of-services ? can explain what that means and how to fix it? I'm new to all this
13:23 <@Eugene> openvpn is starting before everything else is ready
13:24 < _FBi> nullsign, have one host the server, and have everyone connect to it?
13:25 < nullsign> but thats not redundant..
13:25 < nullsign> how will they all talk to one another if the openvpn server dies, etc.
13:25 < _FBi> reboot it?
13:26 < nullsign> ...
13:26 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:26 < nullsign> thats not HA :P
13:31 -!- catepillar [~catepilla@ec2-107-21-80-97.compute-1.amazonaws.com] has joined #openvpn
13:32 < catepillar> !welcome
13:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:32 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:33 < catepillar> hmm ok
13:33 -!- nick4 [~nick4@46.246.240.236.dsl.dyn.forthnet.gr] has quit [Ping timeout: 252 seconds]
13:33 < catepillar> I am getting started with openvpn on my aws, and im trying to decide between bridging and routing
13:33 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has joined #openvpn
13:34 < catepillar> the main reason i want to set up openvpn is to route all my traffic through my server and effectively change my ip address
13:34 < catepillar> i would need to set up briding for that, correct?
13:34 -!- nick4 [~nick4@46.246.234.57.dsl.dyn.forthnet.gr] has joined #openvpn
13:37 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 244 seconds]
13:39 <@Eugene> Negatory.
13:39 <@Eugene> !whybridge
13:39 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
13:40 <@Eugene> Given your description, routing is what you want.
13:40 <@Eugene> !redirect
13:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:40 < catepillar> thanks
13:48 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:56 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
14:00 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:08 -!- nick4 [~nick4@46.246.234.57.dsl.dyn.forthnet.gr] has quit [Ping timeout: 255 seconds]
14:09 -!- nick4 [~nick4@77.49.186.53.dsl.dyn.forthnet.gr] has joined #openvpn
14:42 < nullsign> anyone ever see this? 11.248:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose:
14:43 <@Eugene> Yes, it happens when you don't gen the certs correctly.
14:43 < nullsign> ah.. nvm, i see what i did.
14:44 < nullsign> yep, i gen'd a client cert as a server, doh.
14:44 <@Eugene> Tada
14:46 < nullsign> do you like to use sepaeate certs/keys off oyur private ca for openvpn, vs email, vs apache ssl, etc?
14:46 < nullsign> separate
14:46 < nullsign> trying to decide how to name these, in the past i'd just use the hostname as a common name.
14:47 < nullsign> but it keeps messy if you use diff certs for diff functions.
14:53 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 272 seconds]
14:54 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
15:13 < nullsign> hrm.. anyone know much about the CCD stuff for static ip assignment to a given CN?
15:15 <@Eugene> !static
15:15 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
15:15 <@vpnHelper> also: !addressing
15:15 < nullsign> yeah i did that.. didnt work tho.
15:15 < nullsign> tho i am dealing with a tls handshake error, might be an issue prior to that.
15:16 <@Eugene> Yup. CCD isn't until after key/cert acceptance.
15:16 < nullsign> TLS Error: Auth Username/Password was not provided by peer
15:16 < nullsign> odd, since im just using certs
15:16 <@Eugene> !configs
15:16 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:21 < nullsign> !tls
15:22 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
15:28 < MaliusArth> Eugene - how can I make openvpn start later then?
15:29 <@Eugene> Depends upon how your init scripts are set up, or if its upstart etc
15:29 <@Eugene> The easy way out is to stick `service openvpn restart` into the end of /etc/rc.local
15:29 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
15:32 < nullsign> anyone know what causes this error? TLS Error: Auth Username/Password was not provided by peer
15:32 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
15:33 <@Eugene> Yes, having the wrong config option turned on. Paste your configs per above, or hunt it yourself.
15:35 < Neal_> !configs
15:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:35 < nullsign> http://pastie.org/9290669
15:36 < nullsign> :)
15:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
15:38 < Neal_> so i've been trying to set up ipv6 tunnel and have just been running into random issues - the latest one is MULTI: bad source address from client [::], packet dropped
15:38 -!- LuisM [~luism@unaffiliated/luism] has quit [Ping timeout: 240 seconds]
15:38 < Neal_> here's my config: https://ghostbin.com/paste/u4nko
15:42 < nullsign> here's my config: http://pastie.org/9290669
15:45 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
15:45 <@Eugene> Line 24, tada.
15:45 < nullsign> right, the plugin so i can use pam instead.
15:45 <@Eugene> Your server is expecting the client to send a user/pass to be checked against that PAM module
15:45 < nullsign> is it a either or, instead of and?
15:45 <@Eugene> The client isn't sending that.
15:45 < nullsign> i can't do both?
15:46 <@Eugene> It's an AND.
15:46 < nullsign> ah..
15:46 < nullsign> so i can't do it as an OR.
15:46 <@Eugene> If you want key/crt OR user/pass then you need two openvpn instances.
15:46 < nullsign> got it.
15:47 <@Eugene> There's --auth-user-pass-optional, but that's for --auth-user-pass-verify rather than --plugin pam
15:48 < nullsign> gotcha, ive used static keys for years, swapping it all out now for certs off a private ca.
15:48 < nullsign> new territory.
15:49 -!- Fusl is now known as netsplit
16:02 < nullsign> i wonder if you can use openvpn to restrict certain certs from certain IPs?
16:04 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
16:07 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
16:07 < MaliusArth> Eugene - adding "service openvpn restart" at the end of rc.local didn't work...
16:08 <@Eugene> Dunno then. Looks like you're working with a Rasp Pi?
16:08 < MaliusArth> yea
16:09 < MaliusArth> a friend have this problem on his Pi though
16:09 <@Eugene> My experience with those has never been good. I dunno.
16:09 < MaliusArth> *didn't
16:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
16:25 < Neal_> here are some logs: https://ghostbin.com/paste/b4x3t
16:26 -!- Fohlen [~Fohlen@153.ip-92-222-25.eu] has left #openvpn []
16:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:30 < MaliusArth> at which runlevel is openvpn supposed to start
16:32 < MaliusArth> can someone post a working rc3.d/SXXopenvpn file
16:35 < MaliusArth> /etc/rc3.d/SXXopenvpn
16:41 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
16:43 -!- netsplit [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
16:43 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
16:43 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
16:45 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
16:51 <@Eugene> It's just a symlink to the init script
16:51 < Neal_> Eugene: any ideas about my issue?
16:52 <@Eugene> Update to 2.3.
16:52 <@Eugene> 2.2 doesn't speak v6
16:53 < Neal_> this is the one in debian package managers :/ any easier ways to update?
16:53 < Neal_> even tunneling over v4? a friend of mine has it set up with 2.2 :o
16:54 <@Eugene> You can put v6 inside of a tap device, but need to script it yourself. 2.3 builds that in.
16:54 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
16:54 <@Eugene> !download
16:54 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
16:54 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
16:54 <@Eugene> .deb are provided ^
16:54 < Neal_> aha. cool!
17:00 < Neal_> updated and still having the same issue
17:20 < Neal_> so the "failed to parse/resolve route for host/network: 2000::/3" was because i had "ifconfig-push 10.8.0.8 255.255.255.0" in my ccd
17:30 -!- droid909 [~droid909@unaffiliated/droid909] has joined #openvpn
17:31 < droid909> on what port openvpn management telnet console is accessed
17:31 < droid909> ?
17:44 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:55 -!- droid909 [~droid909@unaffiliated/droid909] has left #openvpn []
18:00 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:02 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
18:02 -!- michaelhart [~michaelha@162.209.54.120] has quit [Client Quit]
18:12 -!- MaliusArth1 [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has joined #openvpn
18:14 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
18:15 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has quit [Ping timeout: 255 seconds]
18:42 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
18:42 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
18:42 < raspberrypifan> has anyone tried vpn book
18:54 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:54 -!- raspberrypifan [~textual@190.131.163.123] has quit [Ping timeout: 272 seconds]
18:59 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:12 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-szhxtiptmwvyezcv] has quit [Ping timeout: 272 seconds]
19:19 -!- kirin` [telex@gateway/shell/anapnea.net/x-iwlktiqvmzmhkvut] has joined #openvpn
19:20 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
19:28 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:28 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Chrisje
19:39 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
19:41 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:46 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:08 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:15 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has joined #openvpn
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
20:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:25 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has left #openvpn ["Leaving"]
21:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:11 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 244 seconds]
21:44 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
22:01 -!- agorecki [~agorecki@S0106b8a38657b866.ok.shawcable.net] has quit [Quit: Leaving]
22:14 -!- raspberrypifan [~textual@190.131.163.123] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:17 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Quit: Quit]
22:23 -!- MaliusArth1 [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has left #openvpn []
22:26 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
22:28 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
22:42 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
22:42 -!- mode/#openvpn [+v RBecker] by ChanServ
22:56 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
23:35 -!- ShadniX [dagger@p5794195B.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:36 -!- ShadniX [dagger@p5DDFF449.dip0.t-ipconnect.de] has joined #openvpn
23:42 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
23:50 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
--- Day changed Sun Jun 15 2014
00:31 -!- raspberrypifan [~textual@190.131.163.123] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
01:02 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
01:21 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
01:23 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 264 seconds]
01:42 -!- Neal_ [neal@felix.ineal.me] has quit [Ping timeout: 240 seconds]
01:43 -!- Neal_ [~neal@2600:3c00:e001:1a00::1] has joined #openvpn
02:13 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 240 seconds]
02:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:50 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
04:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:17 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
04:27 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:49 -!- mattock_afk is now known as mattock
05:00 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:03 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
05:03 < Leoneof> !welcome
05:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:11 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:33 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
05:50 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Leoneof, Olipro, Chrisje
06:00 -!- Netsplit over, joins: Chrisje, fred``, Ulrar
06:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
06:11 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:37 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
07:51 -!- nick4 [~nick4@77.49.186.53.dsl.dyn.forthnet.gr] has quit [Ping timeout: 255 seconds]
07:54 -!- nick4 [~nick4@77.49.190.129.dsl.dyn.forthnet.gr] has joined #openvpn
08:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
08:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
08:20 -!- dob1 [~dob@dynamic-adsl-84-221-67-139.clienti.tiscali.it] has joined #openvpn
08:23 < dob1> hi, i have an hostname and i have 2 vpn, they connect to the same server but different networks, i will use one or the other not the both at the same time. I would like to resolve an hostname to an address based on the vpn where i am connected,  so for example  test.foobar.lan   if i am connected to vpn 1  10.5.5.1 , if i am connected to vpn 2  10.6.6.1,  i modify host file after i connect, but there are other options?
08:23 -!- nick4 [~nick4@77.49.190.129.dsl.dyn.forthnet.gr] has quit [Ping timeout: 255 seconds]
08:23 < dob1> bad english sorry
08:25 -!- nick4 [~nick4@77.49.47.77.dsl.dyn.forthnet.gr] has joined #openvpn
08:41 -!- mattock is now known as mattock_afk
08:49 -!- nick4 [~nick4@77.49.47.77.dsl.dyn.forthnet.gr] has quit [Ping timeout: 252 seconds]
08:59 < _FBi> dob1, yes, I believe so
08:59 < _FBi> does test.foobar.lan = 1 static IP ?
09:00 -!- warewolf [warewolf@warewolf.org] has joined #openvpn
09:04 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:10 < dob1> _FBi, yes but it has to vary depends on which vpn i am connected
09:38 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
09:56 -!- nick4 [~nick4@77.49.47.199.dsl.dyn.forthnet.gr] has joined #openvpn
09:59 -!- raspberrypifan [~textual@190.131.163.123] has quit [Ping timeout: 252 seconds]
09:59 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
10:25 < _FBi> why?
10:35 -!- mattock_afk is now known as mattock
10:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
10:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:39 -!- mode/#openvpn [+v s7r] by ChanServ
10:39 -!- raspberrypifan [~textual@190.131.163.123] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:41 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
10:47 -!- raspberrypifan [~textual@190.131.163.123] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:49 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
10:55 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 244 seconds]
10:59 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:59 -!- mattock is now known as mattock_afk
11:08 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
11:10 < dob1> _FBi, i connect to this server with 2 vpn, one on a network (10.5.5.0/24) and one on another (10.8.8.0/24) and on this server there is a service that need the fully qualified name and i need to resolve it via client,  i don't know if i am clear :)
11:13 < dob1> this service create some links based on a parameter in its configuration, so i have to put the fully qualified name of the server here but the cliend needs to know how to resolve it and it has to resolve to different ips depending on which vpn i am connected
11:16 < Haigha> couldn't you use another range common to both VPNs ? (I do this for my DNS server)
11:17 < Haigha> maybe with bind's views and match-clients http://www.zytrax.com/books/dns/ch7/view.html#match-clients
11:18 <@vpnHelper> Title: Chapter 7 DNS BIND view Clause (at www.zytrax.com)
11:19 < dob1> Haigha, the fact is that i want this to keep the 2 vpn separated
11:20 < dob1> Haigha, i don't want that clients from one vpn can "talk" with the clients of othr vpn
11:20 < Haigha> i do the same, they wont be able to do that
11:21 < dob1> Haigha, so what you do ?
11:21 < Haigha> ip addr add 10.1.1.1/24 dev tun0 && ip addr add 10.1.1.1/24 dev tun1
11:22 < Haigha> then, make your named listen on 10.1.1.1, and you can use 10.1.1.1 on both networks
11:22 < dob1> they are not on the same newtork?
11:22 < Haigha> ehm and you need to add a route on each vpn
11:22 < Haigha> wait i'll check on my servers
11:24 < dob1> but i was wondering, is this possible?  2 clients can get the same ip?
11:25 < Haigha> why 2 clients ? sorry i think i don't understand your question
11:26 < dob1> you have 2 vpn on the same network,  one client connect to one and get for example 10.1.1.5, another client connect to the other one, can it get 10.1.1.5 too?
11:27 < Haigha> you still use 10.8.8.0/24 and 10.5.5.0/24
11:27 < Haigha> but add a third network, 10.1.1.0/24 for example, that clients can access
11:27 -!- syncrow [syncrow@unaffiliated/syncrow] has joined #openvpn
11:27 < dob1> i think i don't get it then or my networking knowledge are not good :)
11:27 < Haigha> but you don't have to give addresses on 10.1.1.0/24 to clients
11:29 < dob1> ok stupid question, 10.8.8.0/24  can talk only with 10.8.8.1-254 right ?
11:29 < Haigha> yeah
11:29 < dob1> so how can they use your 10.1.1.1 dns server?
11:30 < Haigha> but, the point here is to allow 10.8.8.0/24 to talk to 10.1.1.0/24
11:30 < Haigha> by adding a route
11:30 < Haigha> route 10.1.1.0 255.255.255.0 10.8.8.1
11:30 < Haigha> push "route 10.1.1.0 255.255.255.0 10.8.8.1"
11:30 < Haigha> on both servers
11:30 < dob1> and push dns too?
11:30 < Haigha> yes
11:30 < Haigha> then, 10.8.8.42 will be able to ping 10.1.1.0.45
11:31 < Haigha> -".0"
11:31 < dob1> and then how the dns server know how to resolve test.foobar.lan to one or another depending on the vpn network?
11:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:32 < Haigha> actually that solution was to avoid doing that by having only one IP for "test.foobar.lan"
11:33 < dob1> ah so you can add another address to tun0 and tun1 ?
11:33 < Haigha> yes
11:33 < dob1> i think i get the idea now :)
11:34 < Haigha> \o/
11:34 < dob1> i miss how to add another ip to the interface but i think is via ifconfig
11:35 < Haigha> ip addr add 10.1.1.42 dev tun0
11:35 < dob1> i am looking at the man
11:36 < Haigha> i use this script: https://github.com/CCrypto/ccvpn_ovpnscripts/blob/master/server-up.sh
11:36 <@vpnHelper> Title: ccvpn_ovpnscripts/server-up.sh at master · CCrypto/ccvpn_ovpnscripts · GitHub (at github.com)
11:37 < dob1> i can use something similar in an init script after vpn is up
11:38 < Haigha> "up server-up.sh"
11:38 < Haigha> in your openvpn config
11:38 < dob1> what do you use as dns server? bind ?
11:39 < Haigha> unbound since a few months
11:39 < Haigha> but bind is fine
11:40 < dob1> well i need a simple one, it's just for this, bind is not so simple to setup :)
11:40 < dob1> maybe dnsmasq
11:43 < dob1> Haigha, thanks for the help, i never figured out that i can do this without your help, i will try :)
12:17 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
12:18 < Ryu_Fitzgerald> Could someone help me set up my openvpn a certain way.  What I am trying to do is not basic stuff so I don't know if anyone here would know how to do it.
13:01 < reiffert> Ryu_Fitzgerald: read the fucking topic.
13:02 < Ryu_Fitzgerald> my set up is modem-> pfsense router-> wirless router
13:03 < Ryu_Fitzgerald> i have two vpns.  I need all but one person to go through 1 vpn and the other person to go through the other vpn.  How would i do this?
13:03 < Cultist> between running my own openvpn server on a raspi and utilizing my router's built-in openvpn server, is either particularly preferable? The purpose just being so I can access my home server
13:05 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
13:08 < raspberrypifan> if i have ports blocked by my isp can i use a vpn to bypass that?
13:08 < Ryu_Fitzgerald> yes
13:09 < raspberrypifan> yay
13:09 < raspberrypifan> do anyone know how you would use asterisk and a vpn
13:10 < Ryu_Fitzgerald> is asterisk a router?
13:10 < Cultist> FOSS voip solution I believe
13:10 < raspberrypifan> no its a voip thing, but i suppose i could set up a wifi router to use the vpn directly right?
13:10 < raspberrypifan> yup its a voip thing
13:13 < Ryu_Fitzgerald> i don't know how to set up the phone by itself on a vpn.  I'd have to look it up
13:13 < Ryu_Fitzgerald> or if it is even possible
13:13 < Ryu_Fitzgerald> i have an idea on how to set up a rouer though
13:17 < Ryu_Fitzgerald> what isp do you have blocking voip phones?
13:17 < raspberrypifan> its in Ecuador lol
13:18 < Ryu_Fitzgerald> oh and thee voip doesn't do business in that country so they have it blocked?
13:18 < raspberrypifan> well apparently they do have DIDs
13:18 < raspberrypifan> but its only for corporate clients
13:18 < raspberrypifan> and shit
13:18 < raspberrypifan> but ill figure ito ut
13:38 -!- raspberrypifan [~textual@190.131.163.123] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
13:39 -!- zeiter [~zeiq@modemcable027.4-160-184.mc.videotron.ca] has joined #openvpn
13:39 < zeiter> hi all :)
13:39 < zeiter> i need help
13:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
13:41 < zeiter> to set up a vpn client
13:51 < Ryu_Fitzgerald> on what?
14:07 < zeiter> on my router
14:07 < zeiter> asus rt-n56u with padavan firmware
14:09 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Ping timeout: 244 seconds]
14:21 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
14:23 -!- dob1 [~dob@dynamic-adsl-84-221-67-139.clienti.tiscali.it] has left #openvpn ["Leaving"]
14:27 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
14:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:32 -!- spillere [~spillere@unaffiliated/spillere] has joined #openvpn
15:00 -!- Jobbe [~Jobbe@188.40.14.222] has joined #openvpn
15:00 < Jobbe> Hi
15:01 < Jobbe> Past couple of hours i've been trying to dig info on the interwebs about port forwarding though VPN
15:02 < Jobbe> i know ssh port forwarding, however one issue - remote IPs ain't forwarded. ie local apache <- port 80 forward -> remote dumb server .. ip that shows in config is 127.0.0.1 when a client visits the remote dumb server. I want it to forward the remote visiting ip though the port. Question it: what should i look for, if this exists in OpenVPN ?
15:03 < Jobbe> s/it/is
15:05 < zeiter> hi Jobbe
15:05 < zeiter> im trying to setup my vpn
15:05 < Jobbe> hi zeiter :)
15:17 < pekster> Jobbe: What's the purpose here? What direction are you trying to NAT on?
15:18 < Jobbe> well
15:19 < Jobbe> I have internet though my housing company - they run it as a NAT - so i have no control over incoming traffic - however i can create tunnels if i initiate the connection from the inside. What i basically wants is take the servers on my home server, and forward it to a VPS somewhere in the internet, so the things i host on my home server, can get online.
15:20 < Jobbe> So the VPS should act as gateway to my home network, on ports i specify
15:20 < pekster> Apart from setting up the NAT on the VPN server, your other main issue will be properly routing return traffic
15:20 < Jobbe> probably
15:20 < Jobbe> i can do it fine with SSH tunnels
15:20 < pekster> You need to do one of these: 1) route _ALL_ outbound Internet traffic across the VPN (even traffic to google, youtube, your email, etc.) Or, 2) set up policy routing
15:20 < Jobbe> but, the problem with ssh tunnels is that i don't get the visitors IP - which would be essential in blocking bad traffic etc
15:21 < Jobbe> could you explain policy routing ?
15:21 < pekster> https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
15:21 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
15:22 < pekster> In your case you aren't redirecting traffic in the first place, but the concept is the same
15:22 < pekster> For your setup, you'd need to reverse the logic. That is, mark inbound traffic _from_ your tun device, and then the secondary routing table routes it via the far-side VPN IP
15:23 < Jobbe> tun device ?
15:23 < pekster> OpenVPN uses tun for IP routing
15:23 < pekster> If you're using tap, stop it
15:23 < pekster> !tunortap
15:23 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
15:23 <@vpnHelper> rooted/jailbroken) support only tun
15:23 < Jobbe> i am not using anything as of right now
15:23 < Jobbe> all i got is a newly installed proxmox server, with a test web server
15:24 < Jobbe> and then i have a test VPS
15:24 < pekster> Can't do much of anything with openvpn until you get a basic configuration up and running. For that, see: !howto
15:24 < Jobbe> !howto
15:24 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:24 < Jobbe> ok
15:25 < pekster> What's the OS on the home system?
15:25 < Jobbe> Debian on both
15:25  * Jobbe only use Debian :)
15:25 < Jobbe> That would be debian Wheezy to be exact, 64 bit
15:26 < pekster> Yea, just making sure that link applies to you from a configuration standpoint (PF uses a different implementation)
15:26 < pekster> Windows won't do it at all ;)
15:26 < Jobbe> Windows? .. Who uses that! :P
15:26 < pekster> To do routing? No one sane
15:27 < Jobbe> I replaced my dads windows xp with debian few months ago
15:27 < Jobbe> using a reverse ssh tunnel to help him when he's in trouble :P
15:31 < Jobbe> alright, i'll run though that howto page
15:32 -!- zeiter [~zeiq@modemcable027.4-160-184.mc.videotron.ca] has quit [Remote host closed the connection]
15:40 < Jobbe> pekster: i would want my gateway to be the VPN server, correct? - And the web server to be a client?
15:41 < pekster> Right, otherwise you cannot connect (directly) to your RFC1918 system
15:41 < Jobbe> RFC1918 ?
15:42 < Jobbe> there is some terms i need to learn hehe
15:43 < pekster> !1918
15:43 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
15:43 < Jobbe> ah
15:55 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Quit: elfixit]
15:58 < Jobbe> "Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank."
15:58 < Jobbe> pekster: those settings are not in the vars.example file
16:17 < pekster> v2 is different than v3
16:17 < pekster> v3 does away with all this nonsense about telling it what "city, country, state, orgizination" etc you are in. That is silly, and openvpn does not care
16:17 < pekster> !easyrsa
16:17 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
16:17 < pekster> Links to both v2 and v3 resources there
16:18 < pekster> The !howto expects you to use easyrsa v2. That wiki links to instructions for v3
16:18 < Jobbe> yeah i installed easyrsa from the debian repo
16:18 < Jobbe> and found the files eventually :)
16:18 < Jobbe> i have generated my keys
16:18 < Jobbe> i'm at "Editing the server configuration file"
16:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:19 < Jobbe> it takes a while to read it all and understand what you're doing :P
16:35 < Jobbe> boom
16:35 < Jobbe> server works
16:36 < Jobbe> client failed
16:37 < Jobbe> [server] Peer Connection Initiated with [AF_INET]ip:port
16:37 < Jobbe> ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
16:37 < Jobbe> hm
16:40 < Jobbe> I have a feeling, that that error is happening because my server is a container
16:43 < pekster> Can't use openvpn without tun device support in your kernel
16:43 < Jobbe> yeah
16:43 < Jobbe> i use an OpenVZ container
16:43 < Jobbe> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
16:43 <@vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Linux Containers Wiki (at openvz.org)
16:43 < Jobbe> readin up on it
16:44 < Jobbe> using proxmox on my home server
16:45 < pekster> You might consider something less crappy than openvz
16:45 < pekster> !openvz
16:45 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
16:46 < Jobbe> pekster: all my vms run in openvz on proxmox on another server
16:46 < pekster> There are ways to get what you want, but it may or may not complicate other parts of the setup too
16:47 < Jobbe> hmm
16:47 < Jobbe> yes
16:47 < Jobbe> I'm gonna try this first :)
16:48 < Jobbe> Sun Jun 15 21:48:35 2014 Initialization Sequence Completed
16:48 < Jobbe> there
16:49 < Jobbe> root@web1:~# ping 10.8.0.1
16:49 < Jobbe> PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
16:49 < Jobbe> 64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=15.8 ms
16:49 < Jobbe> connection established
16:52 < Jobbe> pekster: with the VPN up, then i can do this?
16:52 < Jobbe>  https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
16:52 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
16:56 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Ping timeout: 255 seconds]
17:00 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
17:12 < pekster> Jobbe: Yes, but remember that if you're not redirecting traffic, you need to reverse the logic so you're routing things that came in over the VPN back out over it
17:13 < Jobbe> uhm i'm not following ?
17:15 < pekster> 1) Packet comes from 192.0.2.50 (some external source on the web) to 203.0.113.7 (pretend IP of your VPN-sever.) 2) you DNAT to your 10.8.0.2 IP (your VPN client.) 3) your system incorrectly tries to send back to 192.0.2.50 via your regular Internet connection. 4) the remote IP says "wtf, I didn't ask to speak to you" and drops it
17:15 < pekster> Policy route to avoid that
17:17 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:18 < Jobbe> hmm
17:18 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:18 < Jobbe> so
17:19 < Jobbe> sorry for being slow, but i need to do the ip routeing on both machines ?
17:19 < pekster> Policy routing on the client, and obviously you need IP-routing enabled on the server
17:19 < Jobbe> oh only on the client
17:20 < Jobbe> so on the client it would in this case be the wen server
17:20 < Jobbe> what would i wnat to do on the server/gateway ?
17:20 < rob0> Functional routing is always bidirectional. What is the point in sending packets somewhere, if the destination does not know how/where to send a reply?
17:21 < pekster> Jobbe: Just enable IP routing, and the NAT you need
17:21 < pekster> Probably best to have the client have a static IP (read: !static) so your NAT rule is consistent
17:21 < pekster> Probably run a firewall too, but that's outside the scope of #openvpn
17:21 < Jobbe> my gateway is yes
17:21 < Jobbe> wops
17:21 < Jobbe> yes
17:21 < Jobbe> i ment
17:22 < Jobbe> gateway 185.14.186.242 / 10.8.0.1 - client 10.8.0.6
17:23 < Jobbe> in /etc/sysctl.conf i did set "net.ipv4.ip_forward=1
17:23 < Jobbe> and restart it
17:24 < Jobbe> i think i'm gonna take a break for now
17:24 < Jobbe> thank you for helping pekster - I'll be back later on
17:28 -!- raspberrypifan [~textual@190.131.163.123] has joined #openvpn
17:44 -!- raspberrypifan [~textual@190.131.163.123] has quit [Ping timeout: 244 seconds]
18:17 -!- syncrow [syncrow@unaffiliated/syncrow] has quit [Quit: Lost terminal]
18:28 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
18:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:14 -!- p3rror [~mezgani@105.156.216.71] has joined #openvpn
19:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
19:25 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
21:13 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
21:15 < Moonlightning> Is there a Debian init script around somewhere?
21:15  * Moonlightning built from source.
21:17 < Neal_> Moonlightning: this is the one that apt-get installs https://ghostbin.com/paste/kgzhf
21:18 < Moonlightning> Thanks, Neal_.
21:56 <@Eugene> !fail2ban
21:56 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
22:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
22:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:49 -!- nullsign [~nullsign@daedalus.nullsign.com] has quit [Remote host closed the connection]
23:00 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Quit: ZNC - http://znc.sourceforge.net]
23:04 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
23:14 -!- zpatten [~zpatten@unaffiliated/zpatten] has joined #openvpn
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
23:34 -!- ShadniX [dagger@p5DDFF449.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:35 -!- ShadniX [dagger@p5481C7A2.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Jun 16 2014
00:13 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
00:51 -!- sla3k [~aman@unaffiliated/sla3k] has quit [Quit: WeeChat 0.4.3]
00:56 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 252 seconds]
01:38 -!- eroen [~eroen@unaffiliated/eroen] has joined #openvpn
01:41 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:45 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:07 -!- nick4 [~nick4@77.49.47.199.dsl.dyn.forthnet.gr] has quit [Ping timeout: 272 seconds]
03:07 -!- nick4 [~nick4@46.246.191.234.dsl.dyn.forthnet.gr] has joined #openvpn
03:29 < vinky> on windows, is it possible to start openvpn as a service and control it with the gui?
03:29 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-7526-fc80-9cf8-e364.rev.sfr.net] has joined #openvpn
03:31 <@plaisthos> not with the default GUI iirc
03:58 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:02 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-7526-fc80-9cf8-e364.rev.sfr.net] has quit [Quit: Lost terminal]
04:10 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-7526-fc80-9cf8-e364.rev.sfr.net] has joined #openvpn
04:26 -!- derRichard [~derRichar@pippin.sigma-star.at] has joined #openvpn
04:27 < derRichard> hi!
04:27 < derRichard> i'm looking for a openvpn client für windows phone. is there any?
04:32 < Plastefuchs_> playing with easy_rsa again. I set the KEY_DIR environ and the keys are put into the right dir, but the index.txt are not get created there. Is there some other place the path to the index.txt is referenced?
04:36 < Plastefuchs_> Seems like that $easy_rsa/keys is hardcoded some place ...
05:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:36 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
05:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
05:45 -!- iokill [~dave@pippin.sigma-star.at] has quit [Ping timeout: 252 seconds]
05:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:46 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
05:47 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
05:48 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 245 seconds]
06:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:13 <@ecrist> derRichard: I don't think there is a windows phone client
06:14 <@ecrist> Plastefuchs_: easy-rsa is just a set of shell scripts
06:14 < derRichard> ecrist: hmm, sad :(
06:14 <@ecrist> those shell scripts call the openssl binary - your openssl conf file might have a path set
06:26 < Plastefuchs_> ecrist: I know, i looked at them, even set my own env var only for the index.txt/db file, it did nothing so far. I stopped going into that direction though and just leave all the files in /keys now. Not that important really.
06:27 <@ecrist> ok
06:29 < Plastefuchs_> ecrist: The openssl conf sets the directories and locations relative to one env var (KEY_DIR), at least the basic openssl.cnf that is included with easy_rsa on my side.
06:31 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:37 -!- p3rror [~mezgani@105.156.216.71] has quit [Ping timeout: 272 seconds]
07:04 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
07:04 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
08:02 -!- Megaf_ is now known as Megaf
08:17 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-7526-fc80-9cf8-e364.rev.sfr.net] has quit [Quit: Lost terminal]
08:17 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-7526-fc80-9cf8-e364.rev.sfr.net] has joined #openvpn
08:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:35 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
09:19 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:29 -!- nick4 [~nick4@46.246.191.234.dsl.dyn.forthnet.gr] has quit [Ping timeout: 264 seconds]
10:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:59 -!- yoavz [yoavz@yoavz.net] has quit [Quit: ZNC - http://znc.in]
10:59 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 240 seconds]
11:00 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
11:09 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:12 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
11:17 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
11:18 -!- nick4 [~nick4@178.128.241.218.dsl.dyn.forthnet.gr] has joined #openvpn
11:19 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
11:36 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 252 seconds]
11:36 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
11:40 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
12:01 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:13 -!- p3rror [~mezgani@105.156.210.175] has joined #openvpn
12:29 -!- Latrina [~Latrina@ppp-93-33.26-151.libero.it] has quit [Ping timeout: 255 seconds]
12:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:31 -!- Latrina [~Latrina@ppp-227-55.26-151.libero.it] has joined #openvpn
13:06 -!- u0m3 [~u0m3@109.96.135.222] has quit [Read error: Connection reset by peer]
13:16 -!- Denial [Denial@176.251.77.152] has quit []
13:19 -!- sepeck [~sepeck@drupal.org/user/5195/view] has joined #openvpn
13:20 -!- sepeck [~sepeck@drupal.org/user/5195/view] has left #openvpn []
13:20 -!- MikeO_ [~root@c-66-177-159-15.hsd1.fl.comcast.net] has joined #openvpn
13:20 -!- hid [~hid@unaffiliated/hid] has joined #openvpn
13:20 < hid> hello
13:21 < hid> how do you configure a vpn without passwords?
13:21 < hid> (with windows)
13:21 < hid> i have only openvpn files who work perfectly under linux
13:21 < hid> but when i try with openvpn-gui, nothing happens
13:27 -!- Denial [Denial@176.251.77.152] has joined #openvpn
13:31 < hid> hello?
13:32 -!- MikeO_ [~root@c-66-177-159-15.hsd1.fl.comcast.net] has left #openvpn []
13:34 <@krzee> hid, openvpn normally requires no passwords
13:35 <@krzee> by "nothing happens" what do you mean?
13:35 <@krzee> you mean it doesnt magically start itself? or that it starts but has errors?
13:35 <@krzee> or that it's asking for some password that is not asked for when using linux?
13:36 < hid> The connection does not work
13:36 < hid> it fails
13:36 < hid> but with linux it works
13:37 < hid> It asks no password
13:37 <@krzee> !winadmin
13:37 <@krzee> !factoids search win
13:37 <@vpnHelper> 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'winpath', 'winsudo', 'windows_mobile', 'win_build', 'new_win_gui', 'win7', 'win-dns-vista-7', 'win-dns-xp', 'win-dns', 'winshortcut', 'windows_problems', 'windows', and 'windns'
13:37 < hid> but with the same files, the connection fails under windows
13:37 <@krzee> !factoids
13:37 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:37 <@krzee> 1sec
13:38 <@krzee> show me the logfile from windows
13:38 <@krzee> !logfile
13:38 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:39 < hid> where can you find it?
13:39 < hid> i'm currently on linux
13:39 < hid> should i restart now?
13:41 <@krzee> i dont need it in linux
13:41 <@krzee> i need it in windows
13:41 <@krzee> and you can find it where you tell it to be
13:41 <@krzee> as you see the log explain how to do here:
13:41 <@krzee> !logs
13:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:41 <@krzee> err i mean
13:41 <@krzee> !logfile
13:41 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:42 <@krzee> looking at the logfile should be the first step in troubleshooting
13:44 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 240 seconds]
13:45 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
13:47 -!- p3rror [~mezgani@105.156.210.175] has quit [Quit: Leaving]
13:48 < hid> there's no log
13:48 < hid> in openvpn\
13:48 -!- woshty [~irc@84.200.211.57] has quit [Ping timeout: 252 seconds]
13:48 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 252 seconds]
13:48 -!- woshty [~irc@84.200.211.57] has joined #openvpn
13:49 < hid> in Program_files(x86)\openvpn\
13:53 -!- mete [~mete@91.247.253.160] has joined #openvpn
13:55 <@krzee> then you didnt tell it to have one there
13:55 <@krzee> it doesnt happen magically, first you have to start a config that has the log being saved there
13:56 < hid> how?
14:03 < reiffert> it will work magically.
14:03 < reiffert> Just sit there for a bit
14:03 < reiffert> and wait.
14:03 <@krzee> hid, was there a part of what i had the bot tell you twice that you did not understand?
14:05 < hid> But the aim of openvpn-gui under windows isn't to provide an easy-to-use tool?
14:05 <@krzee> no, that is access server
14:05 <@krzee> the aim of openvpn-gui is for you to be able to run your properly configured vpn from windows
14:05 <@krzee> (for free)
14:05 <@krzee> !AS
14:05 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
14:06 < reiffert> you dont necessarily need the gui for that
14:06 < reiffert> you can run it magically.
14:06 <@krzee> access-server is the project that has the goal of being easy-to-use
14:06 <@krzee> true, of use reiffert's magic
14:06 <@krzee> !magik
14:06 <@krzee> !magic
14:06 <@vpnHelper> "magic" is For a story about magic read http://www.catb.org/jargon/html/magic-story.html
14:09 -!- hid [~hid@unaffiliated/hid] has quit [Quit: Quitte]
14:12 -!- Left_Turn is now known as [ENGLAND]Left_Tu
14:12 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:13 -!- [ENGLAND]Left_Tu is now known as [ENG]Left_Turn
14:15 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 245 seconds]
14:23 -!- tase [~Phil@unaffiliated/tase] has quit [Read error: Connection reset by peer]
14:23 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
14:24 -!- Saul775 [~Saul@12.6.176.106] has quit [Read error: Connection reset by peer]
14:24 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
14:24 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
14:25 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Read error: Connection reset by peer]
14:25 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
14:25 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Quit: No Ping reply in 180 seconds.]
14:26 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
14:26 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 245 seconds]
14:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
14:26 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
14:27 -!- mnathani [~mnathani@constance.winvive.com] has quit [Ping timeout: 245 seconds]
14:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:27 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 245 seconds]
14:29 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
14:30 -!- spillere [~spillere@unaffiliated/spillere] has left #openvpn ["adios"]
14:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
15:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:35 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
15:36 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
15:38 -!- nick4 [~nick4@178.128.241.218.dsl.dyn.forthnet.gr] has quit [Ping timeout: 252 seconds]
15:39 -!- nick4 [~nick4@46.246.128.153.dsl.dyn.forthnet.gr] has joined #openvpn
15:39 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
15:40 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
15:51 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
15:53 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
15:54 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
16:02 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-7526-fc80-9cf8-e364.rev.sfr.net] has quit [Remote host closed the connection]
16:09 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 245 seconds]
16:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
16:11 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 245 seconds]
16:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:11 -!- mode/#openvpn [+o syzzer] by ChanServ
16:12 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
16:13 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
16:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:23 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
16:24 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
16:24 -!- mode/#openvpn [+v hazardous] by ChanServ
16:26 -!- mnathani [~mnathani@constance.winvive.com] has joined #openvpn
16:33 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 264 seconds]
16:37 -!- trending [~trending@adsl196-102-21-206-196.adsl196-1.iam.net.ma] has joined #openvpn
16:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
16:46 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:46 -!- mode/#openvpn [+v s7r] by ChanServ
16:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
16:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
16:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
16:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
16:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:10 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:11 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:18 < Moonlightning> The --help on --ifconfig says that for tun devices, the second argument should be the address of the remote endpoint. What should it be for a server that needs to handle multiple clients?
17:18 < Moonlightning> I had it set to a subnet mask, like for tap, only I've always been using tun.
17:19 < pekster> Read about:
17:19 < pekster> !topology
17:19 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:19 < pekster> Use of the `subnet` topology is recommended for tun (unless you're doing p2p, which excludes Windows)
17:25 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
17:55 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:56 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:04 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
18:06 < Moonlightning> pekster: so…with `topology subnet`, `ifconfig` behaves as if under `dev tun`.
18:06 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
18:07 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:17 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has joined #openvpn
18:17 < Moonlightning> OpenVPN seems to think that the certificates are self-signed. They're not, though; they're signed by a CA I made, and all the machines have a copy of /that/ cert in the config dir.
18:17 < Moonlightning> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: <distinguished-name>
18:18 < s34n> I'm trying to get an openvpn client working again after an OS refresh.
18:19 < s34n> I imported my old config, but I am unable to connect
18:19 < s34n> using openvpn 2.3.2 on fedora 20, xcfe
18:19 < s34n> using nm-openvpm plugin
18:19 < s34n> *nm-openvpn
18:21 < Moonlightning> The DN given is that of the CA.
18:21 < Moonlightning> I guess it doesn't trust it. Even though I've explicitly set it with `ca`?
18:24 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
18:29 < s34n> hmm. it may have to do with selinux not liking how I copied the cert, etc.
18:37 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
18:40 < s34n> is there a better place to store my cert, etc. than in my home dir?
18:40 < s34n> what selinux labels do I have to apply to them to make it work?
18:42 < pekster> Moonlightning: The DN is not how certs are verified; it's the actual key material that matters (of which the X.509 CN is only part of what goes into the hash that is signed)
18:42 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:42 < Moonlightning> pekster: That's what I would've expected.
18:43 < pekster> Clearly the cert isn't validating; try manually taking the remote end's actual cert and verifying it manually on the end that is failing. ie: `openssl verify -CAfile /path/to/local/ca.crt -verbose exact-copy-of-far-end.crt`
18:44 < pekster> Or look at the AKI of the cert your verifying and compare it against the identifier of your local CA
18:45 < Moonlightning> Fixed it.
18:45 < Moonlightning> Apparently you need to pass --server to pkitool both when you generate the CSR AND when you sign it|generate the cert.
18:46 < Moonlightning> YAY I has VPN nao thank you. ^^
18:46 < pekster> Really just when signing it; a CSR is just a list of elements the generating party is asking for
18:46 < pekster> The CA can ignore them or enforce their own
18:50 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
18:51 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:51 -!- [ENG]Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
18:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:02 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
19:04 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
19:14 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:45 -!- p3rror [~mezgani@105.156.210.175] has joined #openvpn
19:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
19:50 -!- Latrina [~Latrina@ppp-227-55.26-151.libero.it] has quit [Ping timeout: 244 seconds]
19:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:52 -!- Latrina [~Latrina@ppp-222-9.26-151.libero.it] has joined #openvpn
19:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
19:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
20:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:33 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:03 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has quit [Read error: Connection reset by peer]
21:21 -!- trending [~trending@adsl196-102-21-206-196.adsl196-1.iam.net.ma] has quit [Ping timeout: 264 seconds]
21:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:56 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
22:06 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
22:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:33 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
22:37 -!- DrMacinyasha [0@unaffiliated/drmacinyasha] has joined #openvpn
22:40 < DrMacinyasha> Hello all. I'm looking to try and get ChromeOS devices setup to connect to my (fairly vanilla) OpenVPN-AS server using an ONC file. I've managed to get the ca.crt and user.p12 installed in ChromeOS, get an ONC imported which includes the ta.key from my client.ovpn. The VPN connection immediately fails when trying to connect (after putting in username, password, and OTP) and I've been unsuccessful
22:40 < DrMacinyasha> finding anything in the (client) logs which might suggest a reason why. AS's logs don't even show a connection attempt. Would anyone be able to assist me with this?
22:41 < DrMacinyasha> Other clients connect and work fine, leading me to believe it's definitely not a server-side/AS-related issue, thus why I'm asking here. :)
22:46 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has quit [Ping timeout: 252 seconds]
22:55 < DrMacinyasha> Here's the client configuration (ONC file) I'm using: http://pastebin.com/PwUHDmQ0
23:32 -!- ShadniX [dagger@p5481C7A2.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
--- Day changed Tue Jun 17 2014
00:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
00:07 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has joined #openvpn
00:47 -!- justinzane [~justinzan@24.49.207.203] has quit []
01:09 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-a07c-812b-808f-4491.rev.sfr.net] has joined #openvpn
01:14 -!- ShadniX [dagger@p5481D29B.dip0.t-ipconnect.de] has joined #openvpn
01:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
01:25 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
01:48 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:51 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
01:52 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:53 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
01:54 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
02:13 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:18 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
02:19 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
02:49 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
02:50 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
02:51 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:57 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
03:19 -!- Netsplit *.net <-> *.split quits: early, @krzee, Samopotamus, pnielsen, ratsupremacy, someone, kossy, Gman32, c00w, @Eugene,  (+12 more, use /NETSPLIT to show all of them)
03:20 -!- Netsplit *.net <-> *.split quits: tempus_fol, Jobbe, _bt, defswork, Nothing4You, mirco, hive-mind, get, Moonlightning, NucWin,  (+109 more, use /NETSPLIT to show all of them)
03:23 -!- Netsplit over, joins: APTX, jgeboski, fin__, tempus_fol, ShadniX
03:23 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-a07c-812b-808f-4491.rev.sfr.net] has joined #openvpn
03:23 -!- Netsplit over, joins: RickyB98, edge226, DrCode, Latrina, p3rror, RaiNerTsuFal, phunyguy, cyberspace-, james41382, mnathani (+1 more)
03:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:23 -!- Netsplit over, joins: nick4, JackWinter, mirco, Saul775
03:23 -!- mete [~mete@91.247.253.160] has joined #openvpn
03:23 -!- Netsplit over, joins: woshty, Mike--, Denial, batrick, goldkatze, derRichard, eroen, simcop2387, Moonlightning, Jobbe
03:23 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
03:23 -!- Netsplit over, joins: Olipro, Ulrar, fred``, Chrisje, WinstonSmith, kirin`, Fusl, Lolths, joako, halothe23 (+1 more)
03:23 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:23 -!- ServerMode/#openvpn [+o syzzer] by asimov.freenode.net
03:23 -!- Netsplit over, joins: Plastefuchs_, swebb, Champi, haasn, SlutaTramsa
03:23 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
03:23 -!- Netsplit over, joins: clu5ter
03:23 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
03:23 -!- Netsplit over, joins: Nothing4You, reiffert, jzaw, kloeri, indy, Brando753, aPollO2k, funnel, bashusr, mcp
03:23 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:23 -!- Netsplit over, joins: snappy, phreakocious, doebi, gac, gardar, adaptr, liriel, NucWin, M4rc3l
03:23 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
03:23 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:23 -!- Netsplit over, joins: outofbounds, micko
03:23 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
03:23 -!- Netsplit over, joins: maskedlua
03:23 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
03:23 -!- Netsplit over, joins: NChief, Thermi, SupaYoshi, Sembei, abbe, esde
03:23 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
03:23 -!- Netsplit over, joins: FoXMaN, jerrcs, Cyclohexane, aji
03:23 -!- ServerMode/#openvpn [+ooo mattock_afk plaisthos novaflash] by asimov.freenode.net
03:23 -!- Netsplit over, joins: pa, Matir, koniiiik, Haigha, cyberanger, defswork, pcdummy, MatToufoutu, thumbs
03:23 -!- riddle [riddle@us.yunix.net] has joined #openvpn
03:23 -!- Netsplit over, joins: fejjerai, malc0re, nlb, Tykling, emid, rob0, thefinn93, fremo, b00b, KiNgMaR (+5 more)
03:23 -!- Netsplit over, joins: kossy, DrMacinyasha, Neal_, early, troyt, kenyon, mgorbach, @Eugene, @raidz, c00w (+12 more)
03:23 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
03:24 -!- Netsplit over, joins: eristisk
03:24 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
03:27 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Excess Flood]
03:27 -!- warewolf [warewolf@warewolf.org] has quit [Write error: Broken pipe]
03:28 -!- iokill [~dave@pippin.sigma-star.at] has quit [Remote host closed the connection]
03:30 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
03:30 -!- mode/#openvpn [+v RBecker] by ChanServ
03:31 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
03:34 -!- Netsplit *.net <-> *.split quits: tempus_fol, Jobbe, @krzee, _bt, defswork, mirco, hive-mind, Nothing4You, get, Moonlightning,  (+130 more, use /NETSPLIT to show all of them)
03:34 -!- peper [~peper@gentoo/developer/peper] has quit [Max SendQ exceeded]
03:42 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
03:42 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
03:42 -!- Netsplit over, joins: Olipro, +RBecker, eristisk, rustem, get, havoc, lamokie, TypoNe, KiNgMaR, b00b (+130 more)
03:44 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
03:45 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
03:47 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has joined #openvpn
03:52 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
03:53 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 272 seconds]
03:57 < sammm> Hey guys, I've set up openvpn server and my client can connect fine and access LAN devices and what not but we are not able to play LAN games together! If I host a game my client cannot see it. Here are the configs, I'm not very experienced with VPNs so any help would be wonderful! http://pastie.org/9298318
04:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:21 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
04:21 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
04:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
04:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:48 -!- p3rror [~mezgani@105.156.210.175] has quit [Ping timeout: 252 seconds]
05:04 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Remote host closed the connection]
05:05 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:13 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:22 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
05:25 -!- zFleshMissile [~FleshMiss@87.237.70.109] has joined #openvpn
05:33 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
05:45 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
05:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:56 -!- sammm [~sam@c114-76-87-212.thoms3.vic.optusnet.com.au] has quit [Remote host closed the connection]
06:33 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:35 -!- u0m3 [~u0m3@109.96.135.222] has joined #openvpn
06:57 -!- zFleshMissile [~FleshMiss@87.237.70.109] has quit [Ping timeout: 272 seconds]
07:05 -!- Roostmax [~Roostmax@90.217.217.76] has joined #openvpn
07:05 < Roostmax> Good day folks
07:05 < Roostmax> Trying to setup opnevpn to remote server
07:05 < Roostmax> On headless raspberry pi
07:06 < Roostmax> So obviously ssh is also routed through vpn
07:06 < Roostmax> And direction on exclduing ssh from vpn please
07:06 < Roostmax> *excluding
07:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:27 -!- zFleshMissile [~FleshMiss@87.237.70.109] has joined #openvpn
07:27 < zFleshMissile> Hey, I've just done a a vulnerability scan and it's identifying a number of weak ciphers,(SSL2_RC4_128_MD5, TLS1_RSA_RC4_128_MD5 etc) I need to disable. Does anyone know how I would do that on an Openvpn server? I did try "-cipher SSL2_RC4_128_MD5" in the server directive on the Advanced VPN page but when I did another vulnerability scan it was still there. Am I using the directive wrong?
07:38 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 240 seconds]
07:39 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
07:41 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:46 < snappy> zFleshMissile: just set cipher to aes-cbc, not sure how to specify hash/MAC function though
07:57 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:59 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:04 <@plaisthos> !auth
08:05 <@plaisthos> zFleshMissile: see tls-cipher, cipher and auth
08:05 <@plaisthos> !cipher
08:09 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
08:09 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
08:14 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:14 -!- mode/#openvpn [+v s7r] by ChanServ
08:20 < zFleshMissile> !cipher
08:22 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
08:26 <@plaisthos> zFleshMissile: in the man page
08:26 <@plaisthos> !man
08:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:34 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:37 < zFleshMissile> Ah, thanks
08:42 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
08:57 -!- Roostmax [~Roostmax@90.217.217.76] has left #openvpn []
09:10 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:40 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
09:44 -!- EmperorTom [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
09:56 -!- p3rror [~mezgani@41.140.5.14] has joined #openvpn
10:01 < Plastefuchs_> Would it be wise/'secure enough' to use the client-config directive to push certain routes to specific clients, to make only those clients talk to each other that I would like to? (probably displaying a good lack of basic networking knowledge here, so sorry in advance >.o)
10:01 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
10:03 <@plaisthos> Plastefuchs_: that is security by obscurity
10:03 <@plaisthos> a user on the client and simply add route x y z to their config file
10:03 <@plaisthos> better use real firewalling
10:10 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
10:21 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:29 -!- EmperorTom is now known as _quadDamage
10:36 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:07 -!- p3rror [~mezgani@41.140.5.14] has quit [Ping timeout: 240 seconds]
11:10 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:11 < Leoneof> hello
11:16 < Leoneof> openvpn website is blocked, where i can download it?
11:17 < rob0> what in particular do you need, the software? For what OS?
11:18 < Leoneof> rob0: openvpn client, software.
11:18 < Leoneof> Windows
11:18 < rob0> !download
11:18 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
11:18 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
11:19 < rob0> okay, I don't know, I thought there would be an alternate download site listed
11:19 < Leoneof> :(
11:19 < rob0> you're in China?
11:19 < Leoneof> rob0: no
11:24 < pekster> A tor hidden service mirror would be kind of nifty
11:24 < Leoneof> ok, i need md5sum for openvpn client *.exe
11:25 < pekster> Leoneof: 32 or 64-bit?
11:25 < Leoneof> pekster: 32
11:27 < pekster> 8e785892ecd8bf28b4203b98184dbf0b and you can verify the gpg sig too if you'd like (current releases signed with key ID 0x198D22A3, and here's the detached signature: http://fpaste.org/110523/02239314/ )
11:27 < pekster> Plus official releaes have an MS Authenticode signature as well
11:28 < Leoneof> pekster: thank you very much
11:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
11:40 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:41 -!- tiller [~tiller@ip-156.net-89-2-168.rev.numericable.fr] has joined #openvpn
11:41 < tiller> Hello there.
11:42 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
11:43 < tiller> I'd like to ask you something guys: Why is downloading (using HTTP) a file from my server to my computer being through my server's vpn slower than downloading the same file, on the same server, without VPN, but throught HTTPS?
11:44 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
11:45 <@krzee> for 1 thing there is packet encapsulation with its overhead
11:45 <@krzee> which could also change mtu factors
11:46 < Thermi> Also, the network route from the web server to the VPN server and then to you might be more congested than the route from the web server to you.
11:46 <@krzee> i took his wording to mean that his vpn is on the webserver itself
11:46 < tiller> yes, the web server hosts the VPN
11:47 <@krzee> so ya, tunneling complete packets is more overhead than simple https encryption
11:47 <@krzee> even more if you use dev tap
11:47 < Thermi> Ah, okay. Well, the algorithms used to encrypt the traffic for the VPN could be too expensive (in performance terms) for the server to achieve a high data rate
11:48 <@krzee> Thermi, not likely
11:48 < tiller> but in fact my problem is a little bit different from what I said: Without VPN, HTTPS through public IP = 12MB/s. With VPN, HTTPS, through public IP = 12MB/s, but With VPN, though lan's IP = 2MB/s
11:48 <@krzee> unless you have too much traffic for your hardware to handle
11:48 <@krzee> tiller, you may have found some mtu issues
11:48 <@krzee> !mtu
11:48 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
11:48 < tiller> ok, I'll take a look, thanks :)
11:50 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
11:52 <@krzee> np
11:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:01 < tiller> hmm, my packets seem fine. With a MTU of 1400 I've no loss, neither with 1000
12:01 -!- zFleshMissile [~FleshMiss@87.237.70.109] has quit []
12:01 < tiller> but I'm still caped to 2MB/s
12:02 <@krzee> !gigabit
12:02 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
12:02 <@krzee> jjk had no problems getting very high speeds so i dunno
12:02 <@krzee> and i have vpn links between servers that goes plenty fast
12:04 < tiller> yeah that's why I think it's not related. But the thing is, if ALL my network traffic is routed through my VPN, https://server_public_ip/file downloads at 12MB/s, whereas http://10.42.0.1/file at 2MB/s
12:08 < tiller> ping server_lan_ip gives 500ms
12:09 < tiller> ping server_public_ip gives 20ms
12:13 < Leoneof> pekster: md5sum is not same, you did md5sum for privatetunnel-win-2.3.exe 32bit? :\
12:14 <@krzee> Leoneof,
12:14 <@krzee> !download
12:14 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:14 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:15 <@krzee> tiller, still sounds like an mtu issue to me but did you also check things on your box like cpu?
12:15 < tiller> well, I did. OpenVPN use 20% of the CPU while downloading the file
12:16 <@krzee> how many cores?
12:16 < tiller> 2 cores with hyperthread
12:16 <@krzee> so is that 20% of 1 core?
12:16 <@krzee> i ask because openvpn only can run on a single core
12:16 <@krzee> because its single threaded
12:16 < tiller> no it's 20% of the overall processos
12:17 < tiller> oh no, by bad. htop gives me 20% of a core
12:18 <@krzee> hyperthreading is treated as another set of cores by the os so i think that means 80%
12:18 <@krzee> really i dunno
12:19 <@krzee> ive never had an issue like that
12:19 <@krzee> i would try playing with mtu on both sides together
12:19 < tiller> well don't mind. Thanks for the help so far :) I'll find a way to fix it!
12:19 <@krzee> (but ive never had an excuse to do so)
12:23 -!- tiller [~tiller@ip-156.net-89-2-168.rev.numericable.fr] has quit [Quit: Quitte]
12:25 < Leoneof> krzee: openvpn is blocked, and i have downloaded openvpn client from other website, i just need md5sum, or sha-256
12:26 <@krzee> privatetunnel is not the opensource openvpn
12:26 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:26 <@krzee> do you want the opensource exe and hash?
12:27 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
12:29 < Leoneof> krzee: i want both, opensouce .exe and hash, if possible
12:35 <@krzee> SHA256 (openvpn-install-2.3.4-I002-i686.exe) = f4ec57fe309a27e7aba1596dfe6c384df4f3a2536df8b6b6ebbf43345c09a503
12:35 <@krzee> MD5 (openvpn-install-2.3.4-I002-i686.exe) = 8e785892ecd8bf28b4203b98184dbf0b
12:36 <@krzee> ftp://xxx.ircpimps.org/pub/openvpn-install-2.3.4-I002-i686.exe
12:36 < Leoneof> krzee: thank you :)
12:36 <@krzee> np
12:37 <@krzee> need anything else, such as obfsproxy?
12:38 < Leoneof> krzee: i don't know if i need it, i just want to use facebook/twitter to chat with the family, i hope openvpn is enough
12:39 <@krzee> what country are you in?
12:39 < Leoneof> krzee: iraq, they blocked all social networks recently, even youtube too. :[
12:39 <@krzee> oh ok i dont know if they have openvpn filters there or not
12:40 <@krzee> you a contractor?
12:40 < Leoneof> krzee: no, iraq is my home :]
12:40 <@krzee> ahh
12:41 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has joined #openvpn
12:41 < s34n> selinux is preventing my openvpn client from working
12:41 <@krzee> if you dont know the problem why dont you fix it?
12:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
12:42 <@krzee> s34n, i believe the proper way to configure selinux is to run it permissive while you observe what you need to allow, then allow it to block stuff
12:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:43 <@krzee> but since this is #openvpn and not #selinux i dont have specifics on how to do any of that
12:45 -!- tiller [~tiller@kim.tiller.fr] has joined #openvpn
12:55 < tiller> well, you may be right. I've a lot of TCP error "Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)"
12:56 < tiller> but even messing with the mtu it doesn't change anything
13:05 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
13:08 <@krzee> you keeping both sides the same when you mess with settings?
13:16 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
13:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:33 < Leoneof> krzee: i just figured out about there are vpn in Windows connection setup, it is not like openvpn?
13:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
13:47 <@krzee> no
13:47 <@krzee> !notcompat
13:47 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
13:48 < Saul775> Uff-da.  I'm a little confused with the OpenVPN service startup for Windows.  I want it to connect to an OpenVPN at startup, so I turn the service to "Automatic."  Well, when I reboot, the service starts and connects, but if I type an ipconfig, I don't see my device.  HOWEVER, I can ping the server.  If -- on the OpenVPN server -- I try to ping back, I can't reach it.
13:49 < Saul775> Finally, if I kill the OpenVPN service and RUN a command prompt as administrator and establish a connection that way, my communication is just fine.  Some permissions issue I assume.  Is there a way around this to have it start automatically using LocalSystem?
13:50 -!- Saul775 [~Saul@12.6.176.106] has quit [Quit: Leaving]
13:50 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
13:50 < Saul775> Ack… my connection went down.
13:51 <@krzee> you have it as a service right?
13:51 < Saul775> Yes.
13:51 <@krzee> then it should be running as admin
13:52 <@krzee> !winroute
13:52 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file or (#2) many users also report it helps to add route-delay to give the interface extra time to get up or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access or (#4) make sure you are running openvpn as admin or (#5) you might also want to see that
13:52 <@vpnHelper> and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
13:52 < Saul775> I've never seen something like this before… it SOMEWHAT connects.  I can ping and SSH into the OpenVPN server.
13:52 <@krzee> do you have a route-delay?
13:52 < Saul775> No.
13:52 < Saul775> I will look into it.  Thank you, krzee.
13:52 <@krzee> add route-delay to your client config and reboot
13:52 <@krzee> see if that helps
13:52 <@krzee> np
13:55 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
13:55 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
13:56 < Leoneof> krzee: i see, thanks
13:57 <@krzee> but if you can reach the server the routes are fine and its just a client firewall issue
13:57 <@krzee> either way you want route-delay on windows when autostarting as a service
14:01 <@krzee> !learn 1way as a 1-way ping between client and server indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
14:01 <@vpnHelper> Joo got it.
14:02 < Saul775> Well, that's just it.  I can PING from the client to the server.  I can't ping from the server to the client.  However, if I KILL the OpenVPN service process and type: openvpn <config.file>       I can ping both directions and establish connections both directions too.  It's really weird.  I'm currently in the process of adding the delay now.  One second...
14:14 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Read error: Connection timed out]
14:15 -!- tiller [~tiller@kim.tiller.fr] has quit [Ping timeout: 240 seconds]
14:15 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
14:16 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
14:18 < Saul775> No dice.  So weird.  When the service runs, and I do an "ipconfig."  It still shows the adapter as being "disconnected."  Curse you, Windows.  :)
14:18 < Saul775> I still think it's a permission issue.  *shrugs*
14:19 < Saul775> It is Windows Server 2008 if that matters.
14:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:38 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 272 seconds]
15:19 -!- Netsplit *.net <-> *.split quits: tempus_fol, Jobbe, @krzee, _bt, defswork, lamokie, Nothing4You, mirco, hive-mind, mcp,  (+145 more, use /NETSPLIT to show all of them)
15:19 -!- u0m3 [~u0m3@109.96.135.222] has quit [Max SendQ exceeded]
15:20 -!- Netsplit over, joins: batrick, Saul775, SCHAAP137, eristisk, s34n, Left_Turn, roentgen, Cpt-Oblivious, _quadDamage, justinzane (+145 more)
15:21 -!- u0m3 [~u0m3@109.96.135.222] has joined #openvpn
15:21 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
15:21 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
15:22 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
15:23 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:24 -!- Netsplit *.net <-> *.split quits: AsadH, zpatten, TheEternalAbyss, jeev, supergauntlet
15:27 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
15:27 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
15:28 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 245 seconds]
15:29 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
15:36 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
15:36 -!- zpatten [~zpatten@unaffiliated/zpatten] has joined #openvpn
15:36 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
15:36 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
15:42 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
15:47 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
15:51 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 240 seconds]
15:53 < Plastefuchs_> plaisthos: got it, so netfilter(and its tools) is the way to go then
15:53 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
16:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
16:27 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:47 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-a07c-812b-808f-4491.rev.sfr.net] has quit [Remote host closed the connection]
16:55 -!- Latrina [~Latrina@ppp-222-9.26-151.libero.it] has quit [Ping timeout: 264 seconds]
17:02 -!- Latrina [~Latrina@ppp-1-48.26-151.libero.it] has joined #openvpn
17:14 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
17:24 -!- Latrina [~Latrina@ppp-1-48.26-151.libero.it] has quit [Ping timeout: 240 seconds]
17:27 -!- Latrina [~Latrina@ppp-84-43.26-151.libero.it] has joined #openvpn
17:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Read error: Connection reset by peer]
17:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:34 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
17:41 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
17:59 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn
18:03 -!- Latrina [~Latrina@ppp-84-43.26-151.libero.it] has quit [Ping timeout: 264 seconds]
18:05 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
18:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:08 -!- Latrina [~Latrina@ppp-48-63.26-151.libero.it] has joined #openvpn
18:17 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
18:20 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
18:21 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
18:23 -!- Latrina [~Latrina@ppp-48-63.26-151.libero.it] has quit [Ping timeout: 264 seconds]
18:29 -!- Latrina [~Latrina@ppp-196-7.26-151.libero.it] has joined #openvpn
18:29 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
18:33 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:37 -!- Latrina [~Latrina@ppp-196-7.26-151.libero.it] has quit [Ping timeout: 264 seconds]
18:42 -!- Latrina [~Latrina@ppp-201-10.26-151.libero.it] has joined #openvpn
18:46 -!- Latrina [~Latrina@ppp-201-10.26-151.libero.it] has quit [Ping timeout: 245 seconds]
18:57 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:00 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:01 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
19:05 -!- michaelhart [~michaelha@162.209.54.120] has quit [Client Quit]
19:06 -!- nick4 [~nick4@46.246.128.153.dsl.dyn.forthnet.gr] has quit [Ping timeout: 240 seconds]
19:06 -!- nick4 [~nick4@46.246.255.54.dsl.dyn.forthnet.gr] has joined #openvpn
19:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
19:15 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:15 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
20:05 <@krzee> Saul775, well its crazy easy to set the user on a service iirc
20:05 <@krzee> so if you thought that was it i would assume you set it to administrator long ago and confirmed
20:26 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
20:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:30 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Quit: No Ping reply in 90 seconds.]
20:32 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
20:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:59 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:18 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
23:04 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 264 seconds]
23:13 <@krzee> !tcp
23:13 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
23:21 -!- ShadniX [dagger@p5481D29B.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:24 -!- ShadniX [dagger@p5DDFE8E6.dip0.t-ipconnect.de] has joined #openvpn
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:54 < rawburt> Icedove?
23:57 <@krzee> ?
23:57 <@krzee> firechicken?
--- Day changed Wed Jun 18 2014
00:05 -!- arescorpio [~arescorpi@86-237-16-190.fibertel.com.ar] has joined #openvpn
00:24 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
00:34 -!- arescorpio [~arescorpi@86-237-16-190.fibertel.com.ar] has quit [Excess Flood]
00:37 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:03 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 264 seconds]
01:19 -!- Netsplit *.net <-> *.split quits: nick4, s34n, Kephael, mete, JackWinter
01:23 -!- Netsplit over, joins: Kephael, nick4, s34n, JackWinter
01:23 -!- mete [~mete@91.247.253.160] has joined #openvpn
01:26 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:35 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:46 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-150a-1429-8265-4681.rev.sfr.net] has joined #openvpn
02:02 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Remote host closed the connection]
02:05 -!- larryone [~larryone@178.167.254.75.threembb.ie] has joined #openvpn
02:23 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
02:28 -!- dddh [~Zumu@pdpc/supporter/active/dddh] has joined #openvpn
02:42 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:51 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
02:54 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:07 -!- larryone [~larryone@178.167.254.75.threembb.ie] has quit [Quit: This computer has gone to sleep]
03:18 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Ping timeout: 272 seconds]
03:19 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
03:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:02 -!- pkug [~pkug@elmis.litnet.lt] has joined #openvpn
04:07 < pkug> Hi there, would it be feasible to assign virtual subnets routed for each connected node ? let's say there's a VPN client with address 10.0.0.2 and I want all traffic to 10.0.2.X (X - any number) to be routed to 10.0.0.2, considering 10.0.0.1 is OpenVPN server (gateway)
04:24 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
04:24 < Leoneof> hi
04:36 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Ping timeout: 246 seconds]
04:45 <@krzee> pkug, whats the real goal? what problem are you solving?
04:45 <@krzee> !xy
04:45 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
05:06 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:25 -!- nick4 [~nick4@46.246.255.54.dsl.dyn.forthnet.gr] has quit [Ping timeout: 255 seconds]
05:25 -!- s34n [~chatzilla@ip-208-76-93-210.mvdsl.com] has quit [Ping timeout: 255 seconds]
05:26 -!- nick4 [~nick4@46.246.216.9.dsl.dyn.forthnet.gr] has joined #openvpn
05:39 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
05:46 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Ping timeout: 240 seconds]
05:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:56 -!- Denial [Denial@176.251.77.152] has quit [Ping timeout: 264 seconds]
05:56 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
06:08 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 252 seconds]
06:11 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
06:12 -!- vNistelroot [~secure@54.Red-88-21-63.staticIP.rima-tde.net] has joined #openvpn
06:13 < vNistelroot> hi people
06:13 < vNistelroot> could I connect via openvpn to fortigate ssl ?
06:29 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:42 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
06:43 < Leoneof> hello, is there portable version for openvpn? :)
06:43 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
06:45 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
06:50 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
06:52 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
06:52 < v0lZy> hi
06:59 <@ecrist> vNistelroot: no
06:59 <@ecrist> Leoneof: no
06:59 <@ecrist> v0lZy: hello
06:59 <@ecrist> pkug: if you want to route various remote lans to other VPN endpoints, sure
07:00 <@ecrist> krzee: thunderpheasant
07:01 < v0lZy> anyone know how I can retrieve my given ip via managment console?
07:01 < v0lZy> running on the client, i'd like to check the console as to what IP my interface has
07:03 -!- Denial [Denial@90.222.27.203] has joined #openvpn
07:03 <@ecrist> status?
07:04 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
07:04 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
07:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:08 <@ecrist> v0lZy: state
07:14 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Ping timeout: 246 seconds]
07:16 -!- Megaf_ is now known as Megaf
07:17 < v0lZy> ecrist: state command on the managment interface?
07:23 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
07:26 <@ecrist> yes
07:26 <@ecrist> you can also type "help" to see what other commands are available
07:29 < v0lZy> thanks!
07:35 < Leoneof> does free vpn can sniff/monitor my accounts like username/password?
07:36 < reiffert> Leoneof: no.
07:37 < Leoneof> reiffert: why not? because my data will go to their vpn server
07:37 < reiffert> Leoneof: because free vpn is unencrypted.
07:38 < reiffert> Leoneof: are you from France?
07:38 < Leoneof> reiffert: no
07:39 < Leoneof> :[
07:40 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Read error: Connection reset by peer]
07:42 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
07:42 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Client Quit]
07:43 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
07:43 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:55 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
07:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
08:13 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
08:13 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
08:15 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:21 -!- swenr [~swenr@193.190.138.250] has joined #openvpn
08:23 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
08:23 < swenr> Hey, is there a way to create a "general" ca.{crt,key} and server.{crt,key} file that is working on different machines?
08:26 -!- Latrina [~Latrina@ppp-145-61.26-151.libero.it] has joined #openvpn
08:26 -!- swenr [~swenr@193.190.138.250] has left #openvpn ["Leaving"]
08:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:39 -!- swenr [~swenr@193.190.138.250] has joined #openvpn
08:40 -!- vNistelroot [~secure@54.Red-88-21-63.staticIP.rima-tde.net] has quit [Ping timeout: 272 seconds]
08:40 -!- swenr [~swenr@193.190.138.250] has quit [Remote host closed the connection]
08:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
08:51 -!- nick4 [~nick4@46.246.216.9.dsl.dyn.forthnet.gr] has quit [Ping timeout: 244 seconds]
08:52 -!- nick4 [~nick4@46.246.184.56.dsl.dyn.forthnet.gr] has joined #openvpn
08:58 < Leoneof> reiffert: vpnbook is free + ssl
09:03 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:31 < reiffert> !notovpn
09:31 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
09:33 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:39 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will collide. And become a Dream. <3]
09:40 -!- M4rc3l [~marc@unaffiliated/m4rc3l] has quit [Quit: bye]
10:14 < Leoneof> reiffert: where i can ask about vpn services?
10:55 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:58 -!- Megaf is now known as Megaf_
11:04 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Quit: what?]
11:05 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:09 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Client Quit]
11:10 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:20 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:21 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:26 -!- Megaf_ is now known as Megaf
11:27 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:28 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:30 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:30 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:32 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:33 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:34 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
11:36 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:37 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:38 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:38 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:38 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Max SendQ exceeded]
11:39 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
11:39 < Pyrogerg> I am having trouble establishing a VPN connection and I suspect that network latency issues are to blame (my ISP is HughesNet satellite service). I am able to connect from other ISPs, which is why I suspect the latency issue. I've pasted diagnostic info. (including log) here: http://pastebin.com/JW3nkJ61.
11:40 < Pyrogerg> Is there a way to configure the connection to be more tolerant of latency?
11:41 < Pyrogerg> It may be worth noting that I am also unable to connect to TunnelBear's VPN service from my HughesNet connection, but I do not have that problem from other ISPs.
11:42 < Pyrogerg> I am not concerned about the TunnelBear connection, however.
11:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
12:15 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Ping timeout: 246 seconds]
13:11 <@Eugene> My usual response is to get a less shite connection
13:11 <@Eugene> And that paste link comes back unknown
13:21 < Jobbe> [20:11] <+      Jobbe>| [16:04:58] WTF stian ! http://www.dagbladet.no/2014/06/14/nyheter/innenriks/kuriosa/33841819/                                                     │········································
13:21 <@vpnHelper> Title: Fant en halv million kroner i postkassen - nyheter - Dagbladet.no (at www.dagbladet.no)
13:21 < Jobbe> [20:11] <+      Jobbe>| [16:04:58] WTF stian ! http://www.dagbladet.no/2014/06/14/nyheter/innenriks/kuriosa/33841819/                                                     │········································
13:21 < Jobbe> [20:11] <+      Jobbe>| [16:04:58] WTF stian ! http://www.dagbladet.no/2014/06/14/nyheter/innenriks/kuriosa/33841819/                                                     │········································
13:22 -!- Jobbe was kicked from #openvpn by Eugene [-a- ]
13:22 -!- Jobbe [~Jobbe@188.40.14.222] has joined #openvpn
13:24 -!- Jobbe was kicked from #openvpn by Eugene [no.]
13:24 -!- Jobbe [~Jobbe@188.40.14.222] has joined #openvpn
13:52 -!- NiteRain [~kvirc@cpe-075-182-089-207.nc.res.rr.com] has joined #openvpn
13:52 < NiteRain> !welcome
13:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:53 < NiteRain> !goal
13:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:07 -!- Megaf is now known as Megaf_
14:14 -!- NiteRain [~kvirc@cpe-075-182-089-207.nc.res.rr.com] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
14:31 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Quit: v0lZy]
15:16 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
15:30 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:30 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
15:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
15:51 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
15:54 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
15:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:08 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:12 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-150a-1429-8265-4681.rev.sfr.net] has quit [Remote host closed the connection]
16:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:38 -!- Megaf_ is now known as Megaf
16:43 -!- bitfury [~bitfury@unaffiliated/bitfury] has joined #openvpn
16:46 < bitfury> hey guys, so I just inherited a server which is running puppet and openvpn on the same box. I was wondering if is possible to use the client cert and private key generated by puppet to authenticate against the openvpn server?
16:46 < Pyrogerg> Is there a way to configure a VPN connection to be more tolerant of network latency?
16:47 < bitfury> or it needs a separate pair of cert/key
16:48 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
16:52 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
16:53 -!- Latrina [~Latrina@ppp-145-61.26-151.libero.it] has quit [Ping timeout: 244 seconds]
16:55 -!- Latrina [~Latrina@ppp-171-51.26-151.libero.it] has joined #openvpn
16:59 <+RBecker> bitfury: does puppet provide its certificate as a config variable?
16:59 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
16:59 <+RBecker> if it does, you could write a manifest to generate an .ovpn file with the key inserted
17:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
17:01 <+RBecker> facter doesn't appear to offer up its certificate
17:02 <+RBecker> bitfury: looks like the puppet ca and puppet cert commands may be of use
17:03 <+RBecker> don't know if they would be or not, just looking at puppet help that stood out to me
17:04 < bitfury> RBecker: we use puppet cert to list initial certificate signing requests from puppet agents
17:04 < bitfury> and use puppet ca to sign them
17:04 <+RBecker> ah
17:04 <+RBecker> i'm only just learning puppet over the past couple of days
17:04 <+RBecker> don't know a whole lot about it yet
17:05 < bitfury> RBecker: me too
17:05 < bitfury> :D
17:05 <+RBecker> i'm working through the quests on the learning vm
17:05 <+RBecker> it's a pretty cool learning tool
17:05 < erkules> Ahoi: Inactivity timeout (--ping-restart), restarting Does this mean the client is restarting the session? Putting ping 30 into the config didn't help. It gets restartet every two (default) minutes :/
17:06 < bitfury> RBecker: I used the puppet agent ca and key to sign onto OpenVPN so I'm trying to figure out why that was possible
17:06 <+RBecker> gotcha
17:07 <+RBecker> you may be able to retrieve the key from the agent
17:07 <+RBecker> or from the filesystem
17:08 < bitfury> yep, that's what I did. Got it from the puppet agent
17:11 < bitfury> RBecker: how would I find out if puppet provide its cert as a config variable? probably not a question for this channel, but since you might know
17:11 <+RBecker> sadly it doesn't
17:11 < pekster> bitfury: Just mind the cert's kU/eKu bits
17:11 <+RBecker> facter would be the only way to find out, and it didn't spit it out when i ran it
17:11 <+RBecker> only the ssh keys
17:11 < pekster> If you plan to use MITM protection (which you really ought to) it's important to sign your certs correctly by the CA
17:12 <+RBecker> unless you use something other than $::configvar and use something in a manifest to retrieve it from the fs or from the puppet command
17:12 < pekster> erkules: It means the local end got no keepalive packet from the far side in the configured timeout period. Keepalive pings in openvpn are *one* way, ie, not "echoed" like ICMP pings are
17:13 < erkules> pekster: thx
17:14 < bitfury> RBecker: hmm ok.. gah driving me nuts
17:14 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:14 <+RBecker> yeah, sorry, and idk if DSL even lets you do what i just described
17:14 < erkules> pekster: so using tcpdump I should see my packages
17:15 < pekster> Right, although it's all multiplexed (and encrypted) over the TLS control channel. If you're sure you aren't sending _any_ data packets across the tun device, the only traffic after the TLS handshake should be keepalive packets
17:16 < pekster> The --ping-restart (and --ping-exit) values are basically "how long we wait until we restart/exit if we don't get active keepalive data from the far side"
17:16 < pekster> Obviously if the far side doesn't send them, sends them too far apart, or they get lost, a disconnect event is triggered
17:22 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:23 < Pyrogerg> Is there a way to configure a VPN connection to be more tolerant of network latency?
17:24 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
17:24 < Pyrogerg> I don't need the connection to be fast, but I do need for it to establish reliably in the face of significant latency.
17:25 < pekster> Pyrogerg: Tune your keepalive values (read: !keepalive) and possibly --tls-timeout (see: !man)
17:25 < Pyrogerg> pekster: Thanks. I'll look into that.
17:26 < erkules> ok thx pekster. I was irritated why I can't sniff on tun0. Sniffing on br0 helped.
17:27 < erkules> as a fact there are some packages between server and client. But the client packages all have: [bad udp cksum 0xabea -> 0xa596!]
17:28 < pekster> Right, TLS keepalive are not tun packets
17:29 < pekster> OpenVPN sends them over the control channel, ie: created in the openvpn (userland) process, encrypted, and sent out the physical link between your peers
17:30 < Pyrogerg> pekster: I'm not finding the keepalive values or --tls-timout in the client configuration. Are those set on the server side?
17:31 < Pyrogerg> It would help if I could tell my sysadmin where to look. He doesn't deal with vpn all that much.
17:31 < erkules> ok, as looking at tcpdump. It looks like after some time only the client is sending packages and the server ignores them
17:32 < pekster> Pyrogerg: They're in the manpages, which I figured you'd type in here
17:32 < pekster> !new
17:32 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
17:32 < pekster> Pyrogerg: Then read:
17:32 < pekster> !keepalive
17:32 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
17:32 < pekster> Pyrogerg: And also read:
17:32 < pekster> !man
17:32 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:33 < pekster> erkules: How have you determined they are ignored?
17:33 < pekster> Did you debug at verb 5 and watch the acual received packets?
17:33 < pekster> If not, I think you didn't read what I said earlier carefully enough
17:33 < erkules> pekster: only one way (in tcpdump)
17:33 < pekster> Yes, this is what I said
17:33  * erkules hides
17:34 < erkules> ok gonna reread sorry
17:34 < pekster> 2014-06-18 17:12< pekster> erkules: It means the local end got no keepalive pa
17:34 < pekster> cket from the far side in the configured timeout period. Keepalive pings in op
17:34 < pekster> envpn are *one* way, ie, not "echoed" like ICMP pings are
17:34 -!- Latrina [~Latrina@ppp-171-51.26-151.libero.it] has quit [Ping timeout: 240 seconds]
17:34 < pekster> Ugh, paste fail
17:34 < pekster> Please read --ping in the manpage (!man)
17:34 < Pyrogerg> pekster: Thanks!
17:34 < erkules> okdioki
17:34 < Pyrogerg> !new
17:34 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
17:35 -!- Latrina [~Latrina@ppp-238-56.26-151.libero.it] has joined #openvpn
17:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
17:45 -!- Latrina [~Latrina@ppp-238-56.26-151.libero.it] has quit [Ping timeout: 240 seconds]
17:48 -!- Latrina [~Latrina@ppp-141-16.26-151.libero.it] has joined #openvpn
17:52 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
17:53 -!- Latrina [~Latrina@ppp-141-16.26-151.libero.it] has quit [Ping timeout: 255 seconds]
17:55 -!- Latrina [~Latrina@ppp-221-22.26-151.libero.it] has joined #openvpn
18:13 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
18:19 < Pyrogerg> pekster: It appears that the hand-window is what was preventing me from connecting due to the latency issue. Thanks for pointing me in the right general direction.
18:21 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
18:32 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:33 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
19:34 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
19:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
19:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:05 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
20:16 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 240 seconds]
20:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:53 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 264 seconds]
21:07 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
21:11 -!- drksoft [~drksoft@kareem.is.gay.hades.co] has joined #openvpn
21:11 < drksoft> hello, anyone alive herE?
21:13 -!- drksoft [~drksoft@kareem.is.gay.hades.co] has quit [Client Quit]
21:27 -!- Latrina [~Latrina@ppp-221-22.26-151.libero.it] has quit [Ping timeout: 240 seconds]
21:30 -!- Latrina [~Latrina@adsl-ull-155-221.50-151.net24.it] has joined #openvpn
21:41 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
22:27 -!- drksoft [~drksoft@c-68-37-101-9.hsd1.nj.comcast.net] has joined #openvpn
22:27 < drksoft> hello
22:42 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
22:47 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
22:54 -!- drksoft [~drksoft@c-68-37-101-9.hsd1.nj.comcast.net] has quit [Quit: leaving]
22:57 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
23:04 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
23:07 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
23:13 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
23:22 -!- ShadniX [dagger@p5DDFE8E6.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:23 -!- ShadniX [dagger@p5DDFC269.dip0.t-ipconnect.de] has joined #openvpn
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:41 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
23:42 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:43 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Client Quit]
--- Day changed Thu Jun 19 2014
01:03 -!- ajc_ [ajc@nat/hp/x-kqexynmxloyzdpun] has joined #openvpn
01:04 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
01:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:09 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
01:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:40 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:52 -!- KarlBauman [~SoWhat@81.198.51.190] has joined #openvpn
01:53 < KarlBauman> hey guys! I finally found a reason why my VPN client hangs up
01:53 < KarlBauman> and uses all CPU
01:54 < KarlBauman> it happens when wifi signal is not strong enough
01:55 < KarlBauman> I almost killed somebody because of that - when I am home, everything works, but when I really need VPN, in hotels, restourants and other public places, it never works
01:55 < KarlBauman> and now I know why
01:56 < KarlBauman> it is probably because of TAP driver
02:03 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 264 seconds]
02:04 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
02:04 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
02:04 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
02:05 -!- dddh [~Zumu@pdpc/supporter/active/dddh] has quit [Ping timeout: 264 seconds]
02:08 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
02:13 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:14 -!- KarlBauman [~SoWhat@81.198.51.190] has quit [Ping timeout: 240 seconds]
02:27 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 252 seconds]
02:27 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 252 seconds]
02:27 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 252 seconds]
02:27 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 252 seconds]
02:28 -!- snappy [nipnop@unaffiliated/snappy] has quit [Read error: Connection reset by peer]
02:29 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
02:29 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
02:30 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
02:45 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
02:45 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
02:46 < pkug> hmm, is tap0 device supposed to be set automatically to be promiscious by openvpn server ?
02:48 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
02:49 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
02:57 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:15 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has joined #openvpn
03:16 < icebrain> hi! is there an easy way to bundle an OpenVPN Windows installer with config + CA certificate? I want to provide an easy self-installation process for our Windows (l)users
03:41 < mnathani> how can I use Openvpn to tunnel IPv6 traffic over an IPv4 vpn connection? The OpenVPN server will have additional /64 networks to route to the client
03:50 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
03:54 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
03:57 -!- nick4 [~nick4@46.246.184.56.dsl.dyn.forthnet.gr] has quit [Ping timeout: 272 seconds]
03:57 -!- nick4 [~nick4@130.43.40.29.dsl.dyn.forthnet.gr] has joined #openvpn
03:59 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Client Quit]
04:30 -!- ntz [~jdoe@static-84-42-228-122.net.upcbroadband.cz] has joined #openvpn
04:30 < ntz> hello
04:31 < ntz> may I ask .. openvpn over udp is relict these days, right ?
04:36 < ntz> from my understanding how tcp and udp works i'd guess that openvpn might benefit from udp in case of some special purpose when ran only in LAN
04:36 < pekster> !tcp
04:36 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
04:37 < pekster> ie: never use tcp unless you must
04:38 < ntz> so udp over wan is preffered for openvpn ? o.O
04:38 < ntz> how surprising
04:40 < icebrain> ntz: not really. tcp needs to have packets drop to adjust to the connection conditions. If you run a tcp protocol over a tcp vpn, you're losing that ability, since all packages are guaranteed to be delivered by the underlying tcp connection
04:41 < ntz> ah, okay .. nicely explained
04:42 < ntz> icebrain: so just to get it confirmed: I should use openvpn sitting on the udp unless some special purpose, right ?
04:42 < icebrain> ntz: yeah, like pekster said, use udp unless you can't
04:43 < ntz> great .. thanks :)
04:43 < ntz> apologize for my poor brain ... I set up in my life numerous openvpn servers but hence not one in past 2 years I feel like I'm starting with it from beginning
04:47 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:52 < ntz> icebrain: the only problem with vpn is that it usually all works out of box :P so you have only limited opportunity to dive to solving some related issues and thus your learning curve is not very steep :P
04:52 < ntz> s/vpn/openvpn/
04:53 < icebrain> ntz: ha, yeah. I actually learned the tcp-over-tcp issue from sshuttle, which is a great poor man's VPN alternative: https://github.com/apenwarr/sshuttle He explains the issue in the README
04:53 <@vpnHelper> Title: apenwarr/sshuttle · GitHub (at github.com)
04:56 < ntz> yeah, but I knew it in past, at least I'm pretty sure that someone from this chan pinted me to that article few years ago but as I said .. oh my poor memory :P
04:56 < ntz> **pointed
05:01 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
05:05 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
05:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:21 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
06:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
06:42 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
06:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:50 -!- ajc_ [ajc@nat/hp/x-kqexynmxloyzdpun] has quit [Read error: Connection reset by peer]
07:14 -!- Runkle [~jmacdonal@li508-90.members.linode.com] has joined #openvpn
07:15 < Runkle> hello.
07:15 < Runkle> I'm curious if after you revoke a certificate and crl.pem is updates, do you need to restart openvpn to deny that user access?
07:16 -!- ntz [~jdoe@static-84-42-228-122.net.upcbroadband.cz] has left #openvpn []
07:16 < Runkle> nevermind. i read the docs :P
07:19 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:20 < Plastefuchs_> well, do you? :p
07:22 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
07:22 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
07:28 < Runkle> if you leave it running, they'll get denied next time they want access. but if you restart it, they'll get kicked immediatly.
07:58 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
07:59 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
08:07 -!- xmj [~xmj@freebsd/developer/xmj] has joined #openvpn
08:07 < xmj> hi
08:07 < xmj> does anyone have a good tutorial how to setup an openvpn client to connect to a cisco ipsec server?
08:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
08:10 < Runkle> openvpn is an SSL vpn not ipsec. so I think its mixing apples and oranges.
08:11 < Runkle> http://openvpn.net/index.php/component/content/article/55-about-openvpn.html
08:11 <@vpnHelper> Title: OpenVPN (at openvpn.net)
08:11 < Runkle> "Does openvpn support ipsec or ppptp"
08:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:29 < xmj> ahh
08:29 < xmj> ok, thanks
08:29 < xmj> i got confused by the amount of references in its manpage.
08:29 -!- xmj [~xmj@freebsd/developer/xmj] has left #openvpn []
08:58 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:05 < esde> My log is filled with, "Authenticate/Decrypt packet error: bad packet ID (may be a replay)". I've made sure ntp is configured and the time on the client and server is synced, how can i troubleshoot this error further?
09:08 -!- nikon_m [~Nikon@38.64.170.10] has joined #openvpn
09:08 < nikon_m> Heuo
09:08 < nikon_m> Heyo*
09:09 < nikon_m> Is there any way I can get openvpn to work with the Windows VPN connections?
09:12 < esde> can you connect to an openvpn server with the built in windows vpn client? no not that im aware of
09:12 < esde> and im glad for that
09:12 < nikon_m> Eh?
09:12 <+RBecker> you can't, because Windows RAS and OpenVPN are two very different technologies
09:12 <+RBecker> there's a version of the client that installs a network adapter and uses that to connect iirc
09:12 <+RBecker> but that's the closest you'll get
09:13 -!- Nikon_ [~Niko@38.104.158.106] has joined #openvpn
09:13 < Nikon_> so theres no way huh?
09:13 < esde> lol
09:13 < esde> wow
09:13 -!- nikon_m [~Nikon@38.64.170.10] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
09:13 < Nikon_> sorry, switched to desktop
09:13 < esde> https://i.imgur.com/bGscL2I.jpg
09:13 <+RBecker> no, there isn't
09:14 <+RBecker> not to mention the way to authenticate is completely different
09:14 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:14 <+RBecker> windows uses username/password, openvpn needs 3 key files
09:14 < Nikon_> ahh
09:14 < esde> its apples and oranges
09:15 < esde> suppose no one knows about the error i am receiving though
09:16 <+RBecker> what error?
09:17 < esde> My log is filled with, "Authenticate/Decrypt packet error: bad packet ID (may be a replay)". I've made sure ntp is configured and the time on the client and server is synced
09:18 <+RBecker> same timezone between your server and client?
09:19 <+RBecker> bad internet connection causing out of order packets?
09:19 < esde> timezone is same
09:19 <+RBecker> also, using wifi on one or both ends?
09:19 < esde> no wifi
09:19 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:20 <+RBecker> not really sure
09:20 <+RBecker> seems that it's a fairly common issue, mostly caused by a bad link making packets arrive out of sequence
09:20 <+RBecker> either client side or server sie
09:20 <+RBecker> side*
09:20 < esde> the client is on comcast service and the server is hosted offsite
09:20 <+RBecker> anyways, i gotta run, google around and you'll find some stuff :)
09:20 < esde> ive been googling for over a year
09:20 < esde> :P
09:20 <+RBecker> heh :P
09:20 <+RBecker> well g2g, sorry
09:21 < esde> pz
09:40 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:49 < Jobbe> hay
09:56 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:58 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
09:59 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
09:59 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
09:59 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
10:06 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
10:08 < MACscr> ok, so the openvpn server im trying to setup has a public interface and lan interface. According to the ubuntu docs for openvpn, it says to create a bridge for eth0, but that seems to imply that eth0 is on the network i really want to access, im more obviously wanting access to the lan. So should i be setting up the bridge on the lan interface?
10:13 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Remote host closed the connection]
10:14 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
10:23 < phreakocious> MACscr: most likely, yes
10:23 -!- Nikon_ [~Niko@38.104.158.106] has quit [Read error: Connection reset by peer]
10:31 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
10:33 < Leoneof> hello, i've connected with openvpn, the icon is green, but my browser is still using my isp ip, not openvpn, how to fix it?
10:35 < MACscr> phreakocious: hmm, im not 100% sure if its possible now that think of it actually get a bridge to work as im already using a bridge for the lxc guest itself. doesnt seem to work when i try to do a bridge within the guest
10:44 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:46 < Leoneof> nobody? :)
10:47 < gac> Leoneof: sounds like you don't have your default gateway redirected, so the OpenVPN connection is only being used for a specific subset of IP addresses
10:47 < Leoneof> i think my computer is still using LAN connection directly, instead of openvpn connection
10:48 < Leoneof> gac: i've been using openvbn without any extra steps :\
10:49 < Leoneof> openvpn*
10:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:49 < gac> as in following an online walkthrough? you might find it was written for someone who didn't want that behaviour
10:50 < gac> I think "redirect-gateway def1" in the server config should do it, although that's from memory so not necessarily current
10:51 < Leoneof> oh, i will check it
10:53 -!- Leoneof` [~Leoneof@unaffiliated/leoneof] has joined #openvpn
10:57 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Ping timeout: 246 seconds]
10:58 -!- Leoneof` [~Leoneof@unaffiliated/leoneof] has quit [Ping timeout: 246 seconds]
11:07 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:13 < icebrain> hi! is there an easy way to bundle an OpenVPN Windows installer with config + CA certificate?
11:31 <@Eugene> !rollup
11:31 <@vpnHelper> "rollup" is See !win_rollup
11:31 <@Eugene> !win_rollup
11:32 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
11:32 <@Eugene> icebrain ^
11:32 < icebrain> Eugene: thanks! I'll check it out
11:52 < Haigha> i think i have MTU problems with my servers
11:52 < Haigha> one client can ping, use IRC and receive HTTP redirects with the VPN
11:52 < Haigha> but he cannot load a full web page
11:53 < Haigha> what can I do to fix it?
12:02 -!- Runkle [~jmacdonal@li508-90.members.linode.com] has left #openvpn []
12:06 -!- Leoneof8 [~Leoneof@unaffiliated/leoneof] has joined #openvpn
12:11 < MACscr> ok, if im accessing the vpn on 192.168.1.133 and the vpn gives me 192.168.0.240 and i want to access 192.168.0.20, should my iptables be adjusted?
12:11 < MACscr> http://pastie.org/pastes/9305829/text
12:11 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
12:17 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
12:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
12:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:30 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Remote host closed the connection]
12:43 -!- artemz [~artemz@2001:4ba0:cafe:768::1] has joined #openvpn
12:53 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
12:55 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
12:56 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
12:56 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Client Quit]
12:58 -!- artemz [~artemz@2001:4ba0:cafe:768::1] has quit [Read error: Connection reset by peer]
13:09 -!- Netsplit *.net <-> *.split quits: tempus_fol, adaptr, NucWin, @krzee, Nothing4You, defswork, lamokie, mirco, get, hive-mind,  (+140 more, use /NETSPLIT to show all of them)
13:09 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
13:10 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
13:10 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
13:10 -!- Netsplit over, joins: _quadDamage, jackbrown, DrCode, SCHAAP137, gffa, tiksa, MACscr, heraclitus, halothe23, nick4 (+139 more)
13:11 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
13:11 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
13:13 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:14 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has quit [Ping timeout: 240 seconds]
13:15 -!- Netsplit *.net <-> *.split quits: tempus_fol, adaptr, NucWin, @krzee, Nothing4You, hive-mind, defswork, mirco, get, MatToufoutu,  (+141 more, use /NETSPLIT to show all of them)
13:16 -!- Netsplit over, joins: _quadDamage, kossy, vinky, Pyrogerg, jackbrown, DrCode, SCHAAP137, gffa, tiksa, MACscr (+140 more)
13:16 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
13:17 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:21 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 264 seconds]
13:26 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
13:26 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
13:27 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
13:28 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Remote host closed the connection]
13:30 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
13:33 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Excess Flood]
13:33 -!- zpatten [~zpatten@unaffiliated/zpatten] has quit [Excess Flood]
13:33 -!- zpatten [~zpatten@unaffiliated/zpatten] has joined #openvpn
13:33 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Excess Flood]
13:33 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
13:34 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
13:40 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
13:56 < bitfury> hey guys, I have a Windows 7 OpenVPN client which is unable to connect. Getting connection reset. After Verify OK
13:56 < bitfury> any clues?
14:02 <@Eugene> !logs
14:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:02 <@Eugene> Likely a failed verification of the client(by the server)
14:12 < bitfury> vpnHelper: I don't have verbosity enabled on the server, would I need to restart the server after enabling it?
14:14 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
14:30 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 244 seconds]
15:02 -!- rapture [~Adium@173-13-164-217-sfba.hfc.comcastbusiness.net] has joined #openvpn
15:02 < rapture> Using openVPN-as, our users already have private/public keys issued. Can users pub key be added somewhere in openvpn-as so they can vpn in using existing private key?
15:04 < rapture> The keys issued are rsa
15:22 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:25 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:40 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:41 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:53 <@Eugene> !as
15:53 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
15:53 -!- deeville [~deeville@66.97.28.166] has joined #openvpn
15:58 -!- deeville [~deeville@66.97.28.166] has quit [Ping timeout: 244 seconds]
16:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:04 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
16:30 -!- rapture [~Adium@173-13-164-217-sfba.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
16:32 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:40 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has joined #openvpn
16:49 -!- bitfury [~bitfury@unaffiliated/bitfury] has quit [Quit: Leaving]
16:55 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
16:58 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
16:59 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Read error: Connection reset by peer]
17:06 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has quit [Excess Flood]
17:22 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
17:45 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:51 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has joined #openvpn
18:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:13 < MACscr> when i run ./pkitool server and ./pkitool client, do i need to change the KEY_CN entry in the vars file?
18:14 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
18:14 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
18:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:15 -!- mode/#openvpn [+v s7r] by ChanServ
18:17 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
18:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
18:25 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 264 seconds]
18:26 -!- Leoneof [~Leoneof@unaffiliated/leoneof] has quit [Quit: what?]
18:26 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
18:27 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
18:39 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
18:40 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
18:45 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:48 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:56 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Quit: Leaving]
19:00 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
19:46 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has joined #openvpn
20:03 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
20:20 < MACscr> ok, ive really simplified things for testing
20:20 < MACscr> Looking for some advice for my very simple vpn that i have setup where upon i cant seem to ping/access other servers on the 192.168.0.0 network. Ive tried to provide as much useful information here as possible: http://pastie.org/pastes/9307137/text?key=jclx06m31jyqynz1nqnnw
20:23 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
20:27 < MACscr> damn, it was the firewall rules. got it fixed. Thanks
20:27 -!- mnathani [~mnathani@constance.winvive.com] has quit [Read error: Connection reset by peer]
20:36 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:47 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
20:50 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:50 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
20:52 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 240 seconds]
20:53 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Quit: Adios]
20:54 < MACscr> hmm, doing 'keepalive 10 60' on the client keeps disconnecting me, but its solid if i dont have it
20:54 -!- redpill [~redpill@unaffiliated/redpill] has left #openvpn []
21:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:40 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
21:42 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 244 seconds]
21:53 < pekster> MACscr: read:
21:53 < pekster> !keepalive
21:53 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
21:53 < pekster> MACscr: And probably --ping in the manpage. It's a *UNI* directional ping, so if the far side does not send keepalive packets, you never get them. Then it times out
21:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
21:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
21:57 -!- squaresurf [~squaresur@73.53.28.180] has joined #openvpn
21:59 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
21:59 < LuisM> hi all
21:59 < MACscr> pekster: so i need to specify the keepalive setting on both ends?
21:59 < LuisM> guys, my openvpn server don't set default gw on clients (windows)
21:59 < LuisM> but set dns and connection is fine
22:00 < pekster> MACscr: Normally "just" the server end with a --pull setup (read --pull and --client in addition to --keepalive)
22:01 < pekster> Normally clients "magically do the right thing" given a sane server config
22:01 < LuisM> push "redirect-gateway def1 dhcp-bypass"
22:01 < LuisM> this option is active
22:01 -!- erkules_ is now known as erkules
22:01 < LuisM> could somebody help me?
22:02 < pekster> LuisM: Don't mess with the default gateway; def1 avoids that for very good reasons (read: !def1 for details)
22:02 < pekster> If you can't make generic redirection work, better ask _that_ rather than a much more specific and likely unhelpful question. Maybe read: !redirect
22:02 < LuisM> !def1
22:02 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
22:03 < LuisM> so, if i need redirect all traffic trough vpn?
22:03 < pekster> Then you read the other reference I took the time to suggest
22:03 < LuisM> to bypass isp e.g. traffic shaping
22:03 < LuisM> !redirect
22:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:03 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
22:04 < LuisM> ok
22:04 < LuisM> but i've set this option, no?
22:05 < pekster> Good news: the flowchart makes you check a lot more than "this option." Bad news: you apparently didn't bother to read/follow it
22:05 < LuisM> i'm checking flowchar
22:05 < LuisM> ;)
22:07 <@Eugene> !learn game as #openvpn drinking game: sip for every un-pasted log file. Beer for ignored flow charts. Cocktail for example.com redaction. Shot for "network expert" arguing with op-holders
22:07 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
22:07 <@Eugene> Fuck you, bot.
22:07 < LuisM> redirect-gateway enabled on the client?
22:09 < squaresurf> Hey all, I'm new to openvpn and am thinking about setting up a server to access servers behind a gateway server. I'm a chef user and am thinking of using the chef openvpn cookbook to install it, but it states that it sets up a fairly basic configuration. Can someone point me in the direction of some good docs for locking down openvpn?
22:09 < squaresurf> someone: sorry, I didn't realize you had that nick.
22:10 <@Eugene> "locking down" in what way? It's a relatively simple network daemon
22:10 <@Eugene> !unpriv
22:10 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
22:10 <@Eugene> If you don't want it to be root, see that ^
22:12 < squaresurf> Cool. Thanks. Basically I'm new to this and don't want to leave my network wide open due to a n00b mistake. I've used ssh quite extensively and am not sure the differences between ssh and openvpn. So if I get a basic install running as an unpriveleged user it should be secure?
22:13 <@Eugene> If you've followed the HOWTO document, openvpn will only respect connections from clients holding a valid client certificate for your private PKI, which is usually "secure enough"
22:13 <@Eugene> !hmac
22:13 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
22:13 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
22:14 <@Eugene> You can use --tls-auth in addition to completely ignore clients without the needed key. This notably prevented openvpn from being susceptible to Heartbleed if properly configured!
22:14 < squaresurf> Nice.
22:14 < squaresurf> Thank you.
22:15 < squaresurf> That helps a ton.
22:15 < pekster> squaresurf: Some general security recommendations at:
22:15 < pekster> !hardening
22:15 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
22:15 < squaresurf> Ah, thats what I was looking for.
22:15 < pekster> downgrading runtime privs is possible too, but generally not as useful as most of those
22:16 <@Eugene> Aha, that's the other one
22:16 < squaresurf> Why isn't unpriv on that page?
22:16 < pekster> (and that comes with pitfalls such as problems accessing files for reads and similar things)
22:16 < squaresurf> That seems like a good thing to do.
22:16 < pekster> It's less useful than you'd imagine
22:16 < squaresurf> Oh ok.
22:16 <@Eugene> Remote-root exploits are AFAIK unheard of in openvpn, because it isn't written like the dungpile that is Apache.
22:17 < pekster> It basically breaks any proper client use (that may very well disconnect, try to reconnect a bit, get a new IP, then fail in subtle ways when it can't apply the new address. Or the user "thought" they were smart, set --persist-ip, and it still breaks becuase it's an illegal IP now
22:17 <@Eugene> FWIW, the unpriv writeup of mine accounts for those scenarios
22:17 < pekster> So downgrading permission is a PITA if you're not an expert, and not really needed
22:18 < squaresurf> Hmm. I'll start with the basic install then move from there and see if I can get the other things working for me.
22:18 < pekster> There's no way to handle that unless you grant the user CAPs to do network things, or a suid script to proxy network stuff
22:18 < pekster> And that's painfully distro-centric
22:18 <@Eugene> It does indeed abuse sudo
22:18 < pekster> No bueno without passwordless sudo ;)
22:19 < pekster> Presumably people security-concious enough to downgrade privs won't be doing that, but hey
22:19 <@Eugene> !shotgun
22:19 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
22:19 < squaresurf> lol
22:19 < squaresurf> What are you using for vpnHelper?
22:20 <@Eugene> And that's why my WiFi has no WEP/WPA
22:23 < pekster> That said, I try not to encourage possible L2 attacks
22:23 < pekster> Not that I trust L2, but I like the layered approach to security. Security by obscurity is bad, but obscurity in addition to decent security can't really hurt
22:27 < LuisM> guys
22:27 < LuisM> something is wrong
22:27 < LuisM> netmask on my client is /30
22:28 < pekster> !/30
22:28 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
22:28 < pekster> Read !topology to do the recommended thing and use `subnet` topology
22:28 < pekster> net30 is old and busted and is only the default for fear of "breaking" historical compat
22:29 < LuisM> and my dhcp-server in nic status is set to unreachable ip
22:29 < LuisM> i'll read topology
22:29 < LuisM> !topology
22:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
22:29 < pekster> That's a different problem; the tap driver "fakes" a DHCP reply because Windows lacks proper networking API
22:30 < LuisM> so, in fact, obiously my dhcp server is my openvpn server
22:30 < LuisM> ;)
22:30 < pekster> No, the "DHCP server" is the TAP driver
22:30 < LuisM> hmm
22:30 < pekster> ie: it does not exist
22:31 < LuisM> is strange thing..i'm using tun and in windows my nic is tap
22:31 < LuisM> lol
22:31 < pekster> That's just the driver name
22:31 < LuisM> yeah
22:31 < pekster> "tap" in Unix/Linux uses the "tun" driver
22:31 < pekster> Same thing
22:31 < pekster> Build it yourself and call it the PurplePeopleEater driver. Doesn't matter.
22:31 < LuisM> UASHdUASHDASD
22:31 < LuisM> ;)
22:31 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has left #openvpn []
22:34 < LuisM> This is the old topology for support with Windows clients running 2.0.9 or older clients. This is the default as of OpenVPN 2.3, but not recommended for current use. Each client is allocated a virtual /30, taking 4 IPs per client, plus 4 for the server.
22:34 < LuisM> i paste from net30
22:34 < LuisM> so, yeah, my client was allocated with /30
22:34 < LuisM> no recommended
22:34 < LuisM> hmm
22:35 < pekster> Not unless you're using 7-year old windows clients. If you are, you have bigger problems
22:36 < pekster> net30 has been a dirty hack to support windows. And an unnecessary one since version 2.1.0, released 7 years ago
22:37 < LuisM> my client is windows 8.1
22:38 < LuisM> and openvpn bin is 2.3.4.0
22:38 < pekster> 2.3.4 > 2.0.9
22:38 < LuisM> yeah
22:38 < LuisM> so, dude, i'll try subnet topology
22:39 < pekster> net30 "works", it's just pointless
22:39 < pekster> (kinda like IPv4. Too soon?)
22:40 < LuisM> In subnet topology, the tun device is configured with an IP and netmask like a "traditional" broadcast-based network. The traditional network and broadcast IPs should not be used; while tun has no concept of broadcasts, Windows clients will be unable to properly use these addresses.
22:40 < LuisM> so, will not work in windows client?
22:40 < LuisM> @.@
22:40 < pekster> Works fine.
22:40 < LuisM> ok
22:40 < pekster> Perhaps you need some better basic networking background if you've never heard terms like network and broadcast IPs
22:41 < pekster> !101
22:41 < pekster> I'd suggest google
22:41 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
22:41 < LuisM> wow, i'm ok with these networks terms
22:42 < LuisM> man, in server config file i need to add what..what parameter?
22:42 < LuisM> --topology subnet
22:42 < LuisM> is to run with "openvpn --topology subnet"..right?
22:43 < pekster> And update any PtP IP references with IP/subnet instead
22:43 < LuisM> in server.conf
22:44 < LuisM> what parameter is "--topology subnet"?
22:44 < LuisM> same?
22:44 < pekster> !--
22:44 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
22:44 < LuisM> nice
22:44 < pekster> This is explained in the first couple of paragaraphs in the manpage too (!man)
22:44 < LuisM> great bot
22:44 < LuisM> is yours?
22:44 < pekster> No. But it does answer questions we get a lot of
22:45 < LuisM> yes..nice
22:58 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
23:01 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
23:02 -!- squaresurf [~squaresur@73.53.28.180] has quit [Quit: Lingo - http://www.lingoirc.com]
23:06 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:07 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
23:07 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
23:10 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
23:10 < LuisM> pekster: dude
23:10 < LuisM> look, when i set only "push "redirect-gateway"
23:11 < LuisM> my gateway in my client of lan goes away..
23:11 < LuisM> and my default gateway turns my openvpn server...right?
23:11 < pekster> Don't do that
23:11 < LuisM> but i neither can to ping it..
23:11 < pekster> Use def1 or things will eventually break in very subtle ways
23:12 < LuisM> yes..so, what i did..use with def1 parameter and start proxy (squid)
23:12 < pekster> wtf does squid have to do with redirecting traffic?
23:12 < LuisM> so, i set my proxy address with openvpn server
23:12 < pekster> This is completely unrelated
23:12 < LuisM> and works fine
23:13 < LuisM> yes, really is
23:13 < pekster> redirect is for doing _IP_ redirection of traffic. A proxy is an OSI L7 concept
23:13 < pekster> (application traffic)
23:13 < LuisM> yes, dude, absolutely
23:13 < pekster> If you can't ping your VPN server, you failed step 1 on the flowchart
23:13 < LuisM> yes
23:13 < pekster> You'd best fix that; either it's a basic config problem, or firewall problem
23:14 < LuisM> but if i set def1 vpn works fine and i can ping it
23:14 < pekster> !configs
23:14 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
23:14 < pekster> !logs
23:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
23:15 < LuisM> are you want see me logs? i wonder understand this thing and browsing without a proxy
23:15 < LuisM> only using openvpn ;)
23:15 < LuisM> i'll paste it for you
23:20 -!- ShadniX [dagger@p5DDFC269.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:20 -!- ShadniX [dagger@p5DDFE8A5.dip0.t-ipconnect.de] has joined #openvpn
23:24 < LuisM> http://pastebin.com/05JzJR72
23:24 < LuisM> http://pastebin.com/DPApZTpg
23:24 < LuisM> look, please, pekster
23:25 < pekster> blah, hundreds of comments/blanks :\
23:25 < LuisM> yeam, i'msorry
23:25 < LuisM> i like comments due explanation
23:26 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
23:26 < LuisM> i can repaste without it
23:26 < LuisM> using sed bin ;)
23:26 < LuisM> regex ftw
23:26 < pekster> Already done locally
23:26 < LuisM> ok ;)
23:27 < pekster> 422 lines down to 35 across both files; former is just silly
23:28 < LuisM> =/
23:30 < pekster> Looks fine; the ns-cert-type in the client config should ideally be replaced with `--remote-cer-tls server` (which does the same thing in a newer and more forward-compatible way)
23:30 < pekster> Oh, the dhcp-bypass is incorrect though
23:31 < pekster> If you need it, it should be bypass-dhcp. And you probably don't need it unless your client DHCP server is off-link
23:31 < LuisM> hmm ok
23:31 < LuisM> i just do a dump/copy of /usr/share/openvpn/examples
23:31 < LuisM> hehe
23:31 < LuisM> so, pekster
23:32 < pekster> Erm, that's --remote-cert-tls server
23:34 < LuisM> done
23:34 < LuisM> so, my question is
23:34 < LuisM> to browser web using this vpn..what i need?
23:34 < LuisM> my iptables is allowing anything
23:34 < LuisM> ACCEPT policy
23:35 < pekster> So what _exactly_ is not working? I've seen no logs as requested, nor any clue if you can ping the server after a successful connection
23:36 < LuisM> after vpn client connects to server only traffic 10.8.0.0/24 goes to openvpn server
23:36 < pekster> Without logs, "something is not working"
23:36 < LuisM> rest goes to my default gw == wifi network..
23:36 < pekster> !crystal
23:36 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
23:36 < LuisM> UAHsdUAHASd
23:36 < LuisM> i'll post logs
23:37 < LuisM> ;)
23:38 < pekster> At verb 4 (since you seem to have a hard time raeding what's asked)
23:48 < LuisM> done
23:48 < LuisM> http://pastebin.com/hBMXPTLH -> client log
23:49 < LuisM> http://pastebin.com/HzSynSqU -> server log
23:49 < LuisM> http://pastebin.com/aMF0S2SY -> route table (when vpn is online)
23:50 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has quit [Excess Flood]
23:50 < LuisM> pekster: crystal done haha
23:50 < pekster> Routes added fine to the client (lines 349 & 352)
23:51 < pekster> trace a path to something external, like 8.8.8.8 and you should see 10.8.0.1 as the first-hop
23:51 < LuisM> no
23:51 < pekster> No? What's `route print -4` show?
23:51 < LuisM> when vpn is online i can't ping 8.8.8.8 or 10.8.0.1
23:51 < LuisM> haha
23:51 < pekster> Then you have a fireawll problem
23:51 < LuisM> look my routable paste ;)
23:52 < LuisM> i paste it for you
23:52 < pekster> Stop trying to make this work until you fix box _ONE_ in the flowchart
23:52 < pekster> You can't ping your server. Stop doing _ANYTHING_ else until you fix that
23:52 < LuisM> i think is route problem
23:52 < LuisM> look, please
23:53 < pekster> 10.8.0.0/24 is on-link, so that won't be the problem
23:53 < LuisM> too many routes to same network..wtf? haha
23:54 < pekster> Either the VPN dies and will time out in 120 seconds, or you have a firewall on the server
23:54 < LuisM> so, my routes are ok?
23:56 < LuisM> this things start  when i set "topology subnet"
23:56 < LuisM> whitout this parameter i can ping 10.8.0.1
23:56 < pekster> What server OS?
23:57 < LuisM> archlinux
23:57 < pekster> `iptables-save -c` somewhere
23:57 < LuisM> no
23:57 < LuisM> itpables are blanck
23:57 < LuisM> blank
23:57 < pekster> Did you actually run that command?
23:57 < LuisM> all rules are accept
23:57 < LuisM> no one
23:57 < pekster> This is not the same
23:57 < pekster> ACCEPT means shit is loaded
23:57 < pekster> If you can't give me what I asked, I don't care
23:58 < pekster> Pick one, I'm sick of this BS
23:58 < LuisM> are u nervous?
23:58 -!- mode/#openvpn [+o pekster] by ChanServ
23:58 -!- LuisM was kicked from #openvpn by pekster [LuisM]
23:58 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
23:58 < LuisM> -.-'
23:59 < LuisM> relax, i need only help
23:59 < LuisM> and you know about this shit..
23:59 <@pekster> Then stop acting like a child and show me your loaded rules. ACCEPT is _NOT_ an unloaded ruleset
23:59 <@pekster> !topsecret
23:59 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
23:59 -!- mode/#openvpn [-o pekster] by ChanServ
--- Day changed Fri Jun 20 2014
00:00 < pekster> Loaded rules means I want to see _every_ table you have loaded. Oddly enough, this is what the command I asked for shows
00:00 < LuisM> ok
00:00 < LuisM> itpables -L
00:00 < pekster> No
00:00 < LuisM> iptabples -L -t nat
00:01 < pekster> Are you blind or just stupid?
00:01 < LuisM> loadded?
00:01 < pekster> 23:57:15 < pekster> `iptables-save -c` somewhere
00:01 < pekster> 23:57:20 < LuisM> no
00:01 < pekster> 23:57:29 < LuisM> itpables are blanck
00:01 < LuisM> none table
00:01 < pekster> ACCEPT != blank
00:01 < pekster> I want to see the output of that command
00:01 < LuisM> hm
00:01 < LuisM> ok
00:02 < LuisM> http://pastebin.com/U2Nd4Dcv
00:03 < pekster> Whatever, I lost interest
00:03 < pekster> Not what I asked for, and not helpfl
00:03 < LuisM> oh ok
00:04 < LuisM> i don't need neither open openvpn port to connect in server..once my firewall is disabled
00:05 < LuisM> i will find another one person could help me
00:05 < LuisM> thank you
00:05 < LuisM> can*
00:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
00:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:50 -!- DrMacinyasha [0@unaffiliated/drmacinyasha] has left #openvpn []
01:05 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
01:06 -!- edge226 [~quassel@unaffiliated/edge226] has joined #openvpn
01:19 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:22 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:43 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
01:45 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
01:56 -!- edge226 [~quassel@unaffiliated/edge226] has quit [Remote host closed the connection]
02:07 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 255 seconds]
02:09 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
02:13 -!- Denial [Denial@90.222.27.203] has quit [Ping timeout: 264 seconds]
02:23 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:12 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
03:13 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
03:29 -!- ShadniX [dagger@p5DDFE8A5.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
03:31 -!- ShadniX [dagger@p5DDFE8A5.dip0.t-ipconnect.de] has joined #openvpn
03:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
03:58 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
04:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:26 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:26 -!- mode/#openvpn [+v s7r] by ChanServ
04:31 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
04:37 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:39 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
04:49 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:02 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
05:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
05:22 < pppingme> is there a "redirect-gateway" equivalent for ipv6, or do I need to push a ::/0 route of some sort?
05:34 -!- FoXMaN [xoff@unaffiliated/foxman] has quit [Ping timeout: 276 seconds]
05:38 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
05:40 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
05:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:44 -!- mattock_afk is now known as mattock
06:48 -!- mattock is now known as mattock_afk
06:56 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:36 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
07:43 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 264 seconds]
08:23 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has joined #openvpn
08:30 -!- Denial [~Denial@host86-163-221-23.range86-163.btcentralplus.com] has joined #openvpn
08:33 -!- deeville [~deeville@66.97.28.166] has joined #openvpn
08:42 -!- sunwind [~paradox@cpc19-brmb8-2-0-cust205.1-3.cable.virginm.net] has joined #openvpn
08:43 -!- sunwind [~paradox@cpc19-brmb8-2-0-cust205.1-3.cable.virginm.net] has left #openvpn []
08:57 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
08:58 -!- Denial [~Denial@host86-163-221-23.range86-163.btcentralplus.com] has quit [Ping timeout: 245 seconds]
08:59 <@krzee> pppingme,
08:59 <@krzee> !redirect
08:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:59 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
08:59 <@krzee> #3
09:02 -!- Denial [~Denial@host86-163-221-23.range86-163.btcentralplus.com] has joined #openvpn
09:12 -!- Denial [~Denial@host86-163-221-23.range86-163.btcentralplus.com] has quit []
09:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:19 -!- Denial [~Denial@host86-163-221-23.range86-163.btcentralplus.com] has joined #openvpn
09:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:47 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:51 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
09:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:04 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:13 -!- Denial [~Denial@host86-163-221-23.range86-163.btcentralplus.com] has quit [Ping timeout: 245 seconds]
10:23 -!- Denial [~Denial@host86-144-49-152.range86-144.btcentralplus.com] has joined #openvpn
10:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
10:31 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
10:34 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:02 -!- erratic [erratic@laptop-v6.paigeat.info] has joined #openvpn
11:03 < erratic> !heartbleed
11:03 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
11:03 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
11:31 -!- Denial [~Denial@host86-144-49-152.range86-144.btcentralplus.com] has quit [Ping timeout: 264 seconds]
11:58 -!- erratic [erratic@laptop-v6.paigeat.info] has quit [Ping timeout: 260 seconds]
12:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
12:04 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:10 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
12:49 -!- squaresurf [~squaresur@174.127.143.12] has joined #openvpn
12:57 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Remote host closed the connection]
12:58 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
13:08 -!- squaresurf [~squaresur@174.127.143.12] has quit [Quit: Computer has gone to sleep.]
13:15 -!- squaresurf [~squaresur@174.127.143.12] has joined #openvpn
13:24 -!- LuisM [~luism@unaffiliated/luism] has left #openvpn []
13:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:35 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
13:43 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has quit [Ping timeout: 264 seconds]
14:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:10 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Ping timeout: 264 seconds]
14:21 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:22 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
14:28 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:49 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
14:49 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
14:53 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
15:02 -!- deeville [~deeville@66.97.28.166] has quit [Quit: Leaving]
15:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
15:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
15:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:14 -!- mode/#openvpn [+v s7r] by ChanServ
15:18 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
15:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
15:23 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-iwlktiqvmzmhkvut] has quit [Quit: Lost terminal]
15:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-gkyuzlscbwgjbevx] has joined #openvpn
15:35 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:47 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:48 -!- Chrisje [chris@2a03:f80:ed15:ed15:ed15:ed15:bc4c:4bfe] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 264 seconds]
16:06 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
16:19 -!- hpekdemir [~hpekdemir@unaffiliated/hpekdemir] has joined #openvpn
16:19 < hpekdemir> hi all
16:19 < hpekdemir> ip a outputs "state UNKNOWN" and I can't ping my peer
16:19 < hpekdemir> shouldn't be state "UP"?
16:20 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
16:34 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:45 -!- jason_rad [~jason_rad@208.86.45.162] has joined #openvpn
16:47 < jason_rad> Question.  I have a client connected to an openvpn server.  The client has an ip address of 192.168.1.100 ( eth0 ).  The client is in a newtwork with multiple other systems in the 192.168.1.x range.  My question.  Is there a way I can communicate with the 192.168 subnet from my openvpn server?
16:54 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
16:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:12 -!- jason_rad [~jason_rad@208.86.45.162] has quit [Quit: leaving]
17:21 -!- debbie10t is now known as tekfournine
17:25 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has joined #openvpn
17:26 -!- doebi [~doebi@doebi.at] has quit [Quit: WeeChat 0.4.3]
17:29 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
17:36 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
17:39 -!- doebi [~doebi@doebi.at] has joined #openvpn
18:14 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has quit [Excess Flood]
18:15 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
18:27 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
18:27 <@Eugene> There would be, if you had stuck around after your support question.
18:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:37  * pekster demands Eugene support him now. I mean, my beer is almost empty, so clearly it's someone else's responsibility to fill it!
18:37 <@Eugene> !beer
18:37 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
18:37 < pekster> Ironically, one of the blends of beer I picked up from the next state over is titled "Breakfast Lager"
18:43 -!- squaresurf [~squaresur@174.127.143.12] has quit [Quit: Computer has gone to sleep.]
19:08 -!- thefinn93 [~finn@unaffiliated/thefinn93] has quit [Ping timeout: 245 seconds]
19:09 -!- thefinn93 [~finn@unaffiliated/thefinn93] has joined #openvpn
19:13 -!- dave_s [~IceChat77@72.95.137.28] has joined #openvpn
19:13 < dave_s> !serverlan
19:13 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
19:13 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
19:15 < dave_s> !ipforward
19:15 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
19:15 < dave_s> !fbsdipforward
19:15 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
19:19 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:19 < dave_s> !route_outside_openvpn
19:19 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
19:21 < dave_s> !route
19:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:21 <@vpnHelper> client
19:29 -!- hpekdemir [~hpekdemir@unaffiliated/hpekdemir] has quit [Ping timeout: 255 seconds]
20:18 -!- tekfournine [~ma1com10t@openvpn/community/support/debbie10t] has quit [Ping timeout: 255 seconds]
20:24 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
20:30 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
20:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
20:36 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
20:51 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 255 seconds]
20:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:06 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has quit [Quit: Soliah]
21:19 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 276 seconds]
22:00 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
22:27 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has joined #openvpn
22:28 -!- dave_s [~IceChat77@72.95.137.28] has quit [Quit: If at first you don't succeed, skydiving is not for you]
22:47 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
22:48 -!- squaresurf [~squaresur@2601:8:b080:aca:9da1:94d8:45c4:177c] has joined #openvpn
23:19 -!- ShadniX [dagger@p5DDFE8A5.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:20 -!- ShadniX [dagger@p5DDFF230.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:40 < DrCode> hi all
23:41 < DrCode> I want to connect to my openvpn server by android, any idea?
23:45 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
23:45 < dimm0k> if i set up openvpn in a business environment, i can no longer use the free version?
23:52 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
--- Day changed Sat Jun 21 2014
00:27 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has joined #openvpn
00:28 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has quit [Excess Flood]
00:29 -!- squaresurf [~squaresur@2601:8:b080:aca:9da1:94d8:45c4:177c] has quit [Quit: Computer has gone to sleep.]
00:29 <@krzee> dimm0k, sure you can
01:04 -!- Soliah [~Soliah@kin1287146.lnk.telstra.net] has left #openvpn []
01:04 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 272 seconds]
01:11 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has joined #openvpn
01:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:43 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
02:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:15 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
03:15 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
03:21 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
03:21 -!- mode/#openvpn [+v RBecker] by ChanServ
03:41 -!- NChief [~nchief@unaffiliated/nchief] has quit [Remote host closed the connection]
03:49 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
04:15 < Jobbe> morning
04:16 < Jobbe> man why is it, it always goes in here... stupid irssi
04:43 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
04:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
04:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:04 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
05:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:09 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
05:09 -!- mode/#openvpn [+o mattock] by ChanServ
05:17 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
05:25 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
06:06 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
06:08 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
06:09 < debbie10t> hi - does IPv6 still require IPv4 as carrier or IPv6 fuly supported ?
06:19 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
06:26 < debbie10t> From this : https://community.openvpn.net/openvpn/wiki/287-is-ipv6-support-plannedin-the-works
06:26 <@vpnHelper> Title: 287-is-ipv6-support-plannedin-the-works – OpenVPN Community (at community.openvpn.net)
06:27 < debbie10t> The VPN carrier connection __had__ to use IPv4 endpoints
06:27 < debbie10t> does this mean that IPv6 is now supported without the need for IPv4 endpoints ?
06:43 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
06:59 -!- michaelhart [~michaelha@162.209.54.120] has joined #openvpn
07:08 -!- michaelhart [~michaelha@162.209.54.120] has quit [Quit: michaelhart]
07:14 -!- dimm0k [~dimm0k@unaffiliated/dimm0k] has quit [Ping timeout: 255 seconds]
07:16 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
07:17 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
07:22 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
07:24 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:33 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
07:41 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:50 -!- RedDeath [Xe@92.114.69.151] has joined #openvpn
08:06 < Jobbe> man
08:07 < debbie10t> !man
08:07 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:10 < Jobbe> lol
08:11 < Jobbe> for some reason irssi starts up in this channel
08:11 < Jobbe> but displays the content of another :P
08:11 < Jobbe> so
08:11 < Jobbe> sometimes i write in a wrong channel lol
08:20 -!- RedDeath [Xe@92.114.69.151] has quit []
08:31 -!- RangerTalon [RedDeath@caught.me.as.i.was.leav.in] has joined #openvpn
08:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
09:01 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:10 -!- RangerTalon is now known as RedDeath
09:16 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
09:26 -!- RedDeath is now known as zz_RedDeath
10:04 -!- early [~early@192.241.198.49] has quit [Ping timeout: 240 seconds]
10:18 -!- early [~early@192.241.198.49] has joined #openvpn
10:38 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
10:55 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
10:57 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
11:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:44 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 260 seconds]
11:45 -!- early [~early@192.241.198.49] has quit [Ping timeout: 240 seconds]
11:49 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
11:52 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
12:02 -!- early [~early@192.241.198.49] has joined #openvpn
12:03 -!- zz_RedDeath is now known as RedDeath
12:03 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 245 seconds]
12:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:19 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
12:53 -!- lkthomas [~lkthomas@n218250150200.netvigator.com] has quit [Ping timeout: 264 seconds]
13:30 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
13:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
13:58 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:11 -!- Olivier| [Olivier@185.13.226.177] has joined #openvpn
14:41 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
14:41 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:14 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:20 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
15:37 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:39 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
15:40 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:48 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 255 seconds]
15:55 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
15:59 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Client Quit]
16:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:28 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:29 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
16:34 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
17:03 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 245 seconds]
17:04 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
17:05 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
17:07 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
17:14 -!- kossy [a@unaffiliated/kossy] has quit [Read error: Connection reset by peer]
17:15 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
17:17 -!- kossy [a@unaffiliated/kossy] has quit [Excess Flood]
17:18 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
17:21 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
17:49 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
18:02 -!- pushpop [~pushpop@pool-173-77-243-190.nycmny.fios.verizon.net] has joined #openvpn
18:05 -!- RedDeath is now known as zz_RedDeath
18:08 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
18:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:42 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
18:42 < Ryu_Fitzgerald> how do i optimize a vpn?
18:42 < Ryu_Fitzgerald> ping is rather high
18:46 < pekster> Avoid TCP, otherwise if pinging the endpoint is still crappy there's not much you can do
18:46 < pekster> That shouldn't be much higher than pinging the physical address of the endpoint though. The crypto penalty is pretty low for a simple once-per-second ping
18:48 < Ryu_Fitzgerald> isn't tcp safer then udp though?
18:50 < pekster> No
18:50 < pekster> !tcp
18:50 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
18:50 < pekster> It's no less "safe"
18:50 < pekster> Maybe if you're behind some abusive firewall that restricts UDP for some dumb reason you need to work around it, but that's not a saftey issue as much as it is you trying to bypass the sandbox your netadmins have placed you in
18:51 -!- zz_RedDeath is now known as RedDeath
18:51 < Ryu_Fitzgerald> wouldn't an isp that throttles throttle UDP more then tcp since web page request are done in tcp?
18:52 < pekster> Find a less shitty ISP if that's your problem
18:52 < Ryu_Fitzgerald> so that is true then?
18:52 < pekster> It's unlikely sane ISPs QoS traffic like that; ones that do aren't worth paying
18:52 < pekster> I have no clue if it's the case for _you_ -- go run some tests and find out
18:52 < pekster> If it is, switch providers
18:52 < pekster> Only fucked up ISPs do that
18:53 < Ryu_Fitzgerald> those isps control most of the market sadly :(
18:53 < pekster> Not in the US anyway
18:53 < Ryu_Fitzgerald> yes in the US
18:54 < Ryu_Fitzgerald> I know verizon Vios , Charter and Comcast throttle.  I'm not sure about others
18:54 < pekster> I use VPNs daily for my job, and have no problem with latency over UDP connections, on a variety of ISPs
18:54 < pekster> I think you're smoking something
18:54 < Ryu_Fitzgerald> i said they throttle non vpned connections
18:54 < Ryu_Fitzgerald> i don't know about vpned connections using UDP
18:55 < pekster> So you ran your mouth about how latency is so crappy for you and blaned the ISP? Heh.
18:55 < pekster> Whatever, not really interested in FUD
18:55 < Ryu_Fitzgerald> the latency after using vpn is high.  I was trying to fix it
18:56 < Ryu_Fitzgerald> because 400 ms is bad for real time things
18:56 < Ryu_Fitzgerald> that is why i asked you, if you knew if they throttled based on packet type?
18:57 < pekster> You're looking in the wrong place. I already gave you info on why to avoid TCP, and that output even had some suggetisons if you "must" use it
18:57 < pekster> You ignored it and went all FUD on ISPs. Thus I don't care what your problem is anymore
18:58 < Ryu_Fitzgerald> not sure why you got upset.  I was explaining my problem i'm trying to solve
19:16 < pekster> No, you went off on a tangent about how ISPs are meddling in the affairs of your packets after I suggested you either 1) avoid TCP, or 2) spend 3 minutes reading the references the bot gave you about working with TCP
19:17 < pekster> You appear to have done neither, nor asked for clarification on that, then tried to tell me how ISPs are screwing with your data. If that's your problem, #openvpn probably can't help you
19:29 < Ryu_Fitzgerald> i just finished reading through them both
19:29 < Ryu_Fitzgerald> will data loss from udp cause problems?
19:30 < pekster> No more than data loss on "The Internet"
19:30 < pekster> TCP-over-TCP is well-understood to be a bad thing
19:30 < Ryu_Fitzgerald> it says udp just drops the packet outright though
19:30 < Ryu_Fitzgerald> with no backups
19:30 < pekster> Right. This is how the Internet works
19:31 < pekster> If you're sending TCP over the VPN, you _WANT_ the VPN transport to drop it because the "real" TCP socket expects to own retransmissions
19:32 < Ryu_Fitzgerald> vpns have a tcp like back up system while the data is heading to vpn server?
19:34 < pekster> No, and you do not want that
19:34 < pekster> Routers on the Internet don't do that; openvpn is basically a software router, so you want it to act like one
19:34 < pekster> Do you expect your Ethernet cable to have a "built-in-backup" too?
19:34 < pekster> Leave the retransmissions to TCP; that's its job
19:35 < Ryu_Fitzgerald> so your saying if a computer request information over internet, its default is tcp but routers don't do that?
19:36 < pekster> Depends on the protocol
19:36 < pekster> DNS is expected to get lost if there is a transport problem. This is normal, and the client will re-send the request in such a case
19:36 < Ryu_Fitzgerald> like if you request a web page
19:36 < pekster> That's TCP, and the TCP stack of the client/server know how to handle packet loss
19:37 < pekster> You do _NOT_ want your VPN also trying to retransmit, otherwise they _both_ retransmit, and you end up with duplicate packets getting sent
19:37 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:37 < pekster> The URLs in the !tcp link tell you as much
19:37 < pekster> Google for "tcp over tcp" if you still need more reading on this topic
19:38 < Ryu_Fitzgerald> I understanding that tcp in tcp is bad.  What it sounds like your saying is that udp has no disadvantages
19:38 < Ryu_Fitzgerald> though i don't fully understand why
19:39 < pekster> UDP more closely resembles IP, which is what a VPN is attempting to emulate
19:40 < Ryu_Fitzgerald> it sounds like your saying that udp does lets the reciever handle packet losses and that it is not a problem for the reciever to handle packet losses
19:41 < Ryu_Fitzgerald> there is no problems from dropped packets basically
19:41 < pekster> Packet loss is expected; it's the protocol or application's choice how to deal with it
19:41 < pekster> 2nd guessing the careful balance built into existing protocols and applications is usually unwise unless you're an expert who Knows What They're Doing
19:42 < Ryu_Fitzgerald> i thought tcp was a standard is internet communication so packet loss is not considered the norm
19:42 < pekster> TCP just hides packet loss from an application
19:42 < pekster> It's still there, just "handled magically without the programmer needing to care"
19:44 < pekster> Just use UDP for openvpn unless you know why you need TCP
19:44 < pekster> That's the right answer
19:49 < Ryu_Fitzgerald> i was more curious on do vpns have a way built in to handle packet loss?
19:50 < pekster> In OpenVPN's case you want it to drop the data traffic. It _does_ have its own internal retransmit mechanism for the TLS control channel
19:50 < pekster> That's because TLS requires delivery, and over UDP that means extra magic to handle that. Newer protocols like DTLS automatically take care of this, but openvpn was written before DTLS was introduced
19:50 < pekster> So, the complex answer is "yes, you can build it in", but this is an advanced case where the developers knew what they were doing ;)
19:51 < Ryu_Fitzgerald> thankyou, this has been very informative
19:56 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Ping timeout: 240 seconds]
19:59 -!- mitz [~mitz@113.161.65.219] has joined #openvpn
19:59 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
20:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:13 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
20:13 < Ryu_Fitzgerald> i set my vpn to udp.  should i leave firewall rules to allowing tcp or set them to udp or any
20:14 < Ryu_Fitzgerald> i'm not sure what having a udp vpn with firewall rules that only allow tcp will do?
20:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
20:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:23 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
20:40 < _FBi> what
20:40 < _FBi> !freeradius
20:40 < _FBi> !radius
20:40 < _FBi> !beer
20:40 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
20:42 <@Eugene> !factoids search radius
20:42 <@vpnHelper> No keys matched that query.
20:42 <@Eugene> !factoids search --values radius
20:42 <@vpnHelper> No keys matched that query.
20:42 <@Eugene> Well fuck you
20:47 < _FBi> heya Eugene.  I've never really introduced myself.  What's up?
20:47 <@Eugene> Arguing with the S3 API
20:47 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 264 seconds]
20:47 < _FBi> very valid
21:04 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
21:04 <@Eugene> s3cmd is surprisingly good. Dealing with the Archival Policies and the IAM permissions is a bit more of a pain
21:04 <@Eugene> I think I have it figured out, though
21:10 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
21:10 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has joined #openvpn
21:28 -!- pushpop [~pushpop@pool-173-77-243-190.nycmny.fios.verizon.net] has quit [Read error: No route to host]
21:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:49 -!- RedDeath is now known as zz_RedDeath
22:04 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 264 seconds]
22:05 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
22:05 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
22:07 -!- Wolfbutt [~quassel@milkyway.jeroendeneef.eu] has joined #openvpn
22:07 -!- bogie [bogie@mail.epow0.org] has quit [Ping timeout: 264 seconds]
22:08 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has quit [Ping timeout: 264 seconds]
22:10 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
22:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
22:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:24 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has quit [Excess Flood]
23:19 -!- ShadniX [dagger@p5DDFF230.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:20 -!- ShadniX [dagger@p5DDFD5A1.dip0.t-ipconnect.de] has joined #openvpn
23:30 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 240 seconds]
23:41 -!- nick4 [~nick4@130.43.40.29.dsl.dyn.forthnet.gr] has quit [Ping timeout: 255 seconds]
23:48 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
23:49 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
--- Day changed Sun Jun 22 2014
01:04 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
01:13 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 240 seconds]
01:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:35 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
01:35 -!- u0m3_ [~u0m3@109.96.135.222] has joined #openvpn
01:35 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:37 -!- u0m3 [~u0m3@109.96.135.222] has quit [Ping timeout: 240 seconds]
02:20 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
02:22 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
03:57 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
04:14 -!- zz_RedDeath is now known as RedDeath
04:16 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has joined #openvpn
04:17 < soffio> hi, how can i check default 'cipher' and 'auth' option?
04:19 < soffio> does that respect what `man openvpn` said? seems that cipher is BF-CBC and auth is SHA1
04:24 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 244 seconds]
04:30 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
04:30 < soffio> i don't see anything in man pages related to tls-cipher
04:34 < pekster> Everything supported is allowed by default. You can limit the --tls-cipher to a more limited set though. Some details here:
04:34 < pekster> !hardening
04:34 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
04:37 < soffio> well.. if by default it use the most secure common tls-cipher, is not needed
04:38 < soffio> oh, man help about that. someone could MITM and try to let you use an old tls-cipher
04:38 < pekster> Exactly
04:39 < soffio> i guess i should search in log what tls-cipher is used automatically, and setup it as the only tls-cipher?
04:40 < soffio> because, myself, i can't catch what tls-cipher i should use :)
04:40 < pekster> Wiki page gives you suggestions
04:40 < soffio> i'm the only vpn user.. i don't need more then 1 mode
04:42 < soffio> i guess 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA' is my choice
04:44 < soffio> wait but, does the order mean something? or openvpn will reoder them?
04:44 < soffio> if i just set a list of what i'd like to use, i guess openvpn will use the most secure if it's avaible
04:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:47 < soffio> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
04:47 < soffio> --tleopenvpn --show-tls | grep DHE | grep AES | grep -v 128 | grep -v ECD | grep -v DSS (LOL)
04:47 < soffio> i got them :)
04:48 < soffio> * openvpn --show-tls | grep DHE | grep AES | grep -v 128 | grep -v ECD | grep -v DSS
04:51 < soffio> is enought to set this on server?
04:53 < pekster> Those all appaer to be reasonable choices in terms of security
04:53 < soffio> a more logical order: openvpn --show-tls | grep -v ECDH | grep -v DSS | grep -v 128 | grep DHE | grep AES
04:54 < soffio> exclude ECHD couse not supported, exclude DSS couse i don't know what it is, exclude 128bits modes, catch DHE modes, catch only AES cipher
04:55 < soffio> probably DSS is DES
04:58 < soffio> http://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Key_exchange_algorithms_.28certificate-only.29
04:58 <@vpnHelper> Title: Comparison of TLS implementations - Wikipedia, the free encyclopedia (at en.wikipedia.org)
04:59 < pekster> No ECDH support today, although it's something that's being worked on
04:59 < soffio> at what version?
04:59 < soffio> i've got 2.3.4 here
05:02 < soffio> seems that is related to openvpn 2.4 https://community.openvpn.net/openvpn/ticket/307
05:02 <@vpnHelper> Title: #307 (Enable use of ECDH) – OpenVPN Community (at community.openvpn.net)
05:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:04 -!- mode/#openvpn [+v s7r] by ChanServ
05:19 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
05:22 -!- nick4 [~nick4@178.128.24.119.dsl.dyn.forthnet.gr] has joined #openvpn
05:31 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 255 seconds]
05:32 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:45 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has left #openvpn []
05:46 -!- skyroveEE [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
05:47 < skyroveEE> Which option do I need to use in easy-rsa to generate a pkcs12 file?
05:48 < skyroveEE> I'm using easyrsa3 and it doesn't have a build-key-pkcs12 option.
06:01 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
06:03 -!- mitz is now known as mitz_offline
06:04 -!- mitz_offline is now known as mitz
06:05 -!- mitz is now known as mitz_offline
06:05 -!- mitz_offline is now known as mitz
06:05 < mitz> jj
06:21 -!- skyroveEE [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
06:22 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:22 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:22 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
06:23 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:23 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:23 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:23 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:24 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:24 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:24 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:24 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:25 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:25 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:25 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:25 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:26 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:26 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:27 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:27 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:27 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:29 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:29 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:29 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:29 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:30 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:30 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:30 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:30 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:31 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:31 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:31 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:31 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:32 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:32 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:32 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:32 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:33 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: WeeChat 0.0.0 :P]
06:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:34 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:34 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:34 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
06:37 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
06:39 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
06:42 -!- nick4 [~nick4@178.128.24.119.dsl.dyn.forthnet.gr] has quit [Disconnected by services]
06:46 < Chrisje> Anyone know something about OpenVPN for Windows Phone?
06:54 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
06:55 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
07:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
07:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
07:06 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
07:14 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
07:21 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
07:28 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
07:32 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
07:41 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
07:42 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
07:43 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
07:43 < jp-> i have some client configs and corresponding keys that go with them, i'd like to embed the keys in the config files. is there a tool for doing this or a guide? i've seen it done before but i'm not sure of the exact process for it.
07:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
07:50 < jp-> i've found what i needed
08:28 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
08:28 < debbie10t> is it just me or is the forum website down ?
08:29 < debbie10t> no .. it is just me .. whoopsie !
08:36 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
08:37 -!- larryone [~larryone@176.61.1.155] has quit [Client Quit]
08:40 < skyroveRR> Hello, I've configured openvpn to use 10.0.8.0/24 network, the VPN authenticates successfully, however I am unable to ping either sides, the server is 10.0.8.1 and the client is 10.0.8.2 can someone please tell me what might be wrong?
08:41 < debbie10t> skyroveRR : are you using topology subnet ?
08:41 < skyroveRR> I'm unaware of that, how can I check? I'm following this tutorial http://docs.slackware.com/howtos:network_services:openvpn since my server is slackware and my client is an android phone.
08:41 <@vpnHelper> Title: howtos:network_services:openvpn - SlackDocs (at docs.slackware.com)
08:43 < debbie10t> !config
08:43 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
08:43 < skyroveRR> Oh..
08:43 < skyroveRR> Yes.
08:43 < skyroveRR> Err...
08:44 < debbie10t> !configs
08:44 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:44 < skyroveRR> Sure.
08:44 < debbie10t> cool
08:44 < skyroveRR> http://sprunge.us/GSbL?en
08:45 < debbie10t> you see .. you are using --topology net30 by default
08:45 < debbie10t> so your client cannot be on .2
08:45 < skyroveRR> Then what should I use?
08:45 < debbie10t> the first available address for your client is actually .5 or .6
08:45 < skyroveRR> How?
08:46 < debbie10t> how about your client config ?
08:46 < skyroveRR> It's on an android phone, I'm unsure how I should upload it, let me ssh into it and grab it, one min.
08:47 < debbie10t> ok
08:47 < debbie10t> see this
08:47 < debbie10t> !topology
08:47 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:47 < skyroveRR> Oh! 2 host subnets, meaning it's using CIDR /30 by default?
08:47 < debbie10t> yup
08:48 < debbie10t> but you can use --topology subnet .. which will give you a standard /24 network
08:48 < skyroveRR> In the config file?
08:48 < debbie10t> stick it in the server config and it will be poushed to the client automatically
08:49 < skyroveRR> I actually disabled that... I put in all the settings normally since I wanted to know what's going on.
08:49 < debbie10t> that is if you use --client or --pull in the client config
08:49 < debbie10t> re:I wanted to know what's going on.
08:49 < debbie10t> did you read the official docs ?
08:50 < skyroveRR> ........ no....
08:50 < debbie10t> http://openvpn.net/index.php/open-source/documentation.html
08:50 <@vpnHelper> Title: Documentation (at openvpn.net)
08:50 < debbie10t> good place to start learning
08:50 < skyroveRR> I just grabbed the tutorial since.... I was in a rush.
08:53 < debbie10t> you know what they say : fail to prepare ... prepare to fail
08:53 < debbie10t> anyway ..
08:53 < debbie10t> the documentation on the forum is fairly good
08:54 < debbie10t> and if you run into issues you can post all the details on the forum if you like
08:55 < debbie10t> !howto
08:55 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:55 < debbie10t>  http://openvpn.net/howto
08:55 < skyroveRR> I'm trying to find where the configuration file on android is located.... google isn't helping me much on this.
08:56 < debbie10t> this might help : https://forums.openvpn.net/topic14432.html
08:56 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect (Android) FAQ : OpenVPN Connect (Android) (at forums.openvpn.net)
08:57 < skyroveRR> I'm not using a .ovpn profile..
08:57 < debbie10t> so what r u using ?
08:57 < skyroveRR> I manually imported ca/client certificates and the client key.
08:58 < skyroveRR> After I generated them on my slackware server.
08:58 < skyroveRR> And then ran the android client, which created the configuration automatically for me, and saved it in some obscure location, which I'm currently trying to find.
09:00 < debbie10t> hmm ..
09:00 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
09:00 < debbie10t> lol
09:01 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
09:01 < skyroveRR> HA! Found the stupid conf file.
09:03 < skyroveRR> Ok, pasting it.
09:03 < skyroveRR> It's in /data/data/de.blinkt.openvpn/cache/, named "android.conf".
09:05 < skyroveRR> debbie10t: http://paste.debian.net/106248/
09:05 < skyroveRR> ^ Client conf file.
09:06 < debbie10t> reading ...
09:06 < debbie10t> damm .. that is all wrong !
09:07 < debbie10t> you should push the ifconfig from the server
09:07 < skyroveRR> Knew it.
09:07 < skyroveRR> Ok!
09:07 < debbie10t> i guess the android.conf is auto generated ?
09:07 < skyroveRR> All of it?
09:07 < debbie10t> can you edit it ?
09:08 < skyroveRR> I could, but typing on my phone would take time.
09:08 < skyroveRR> I an edit the conf file on the server though.
09:09 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
09:09 < debbie10t> things that are wrong with your client config:
09:09 < debbie10t> ifconfig 10.0.8.2  255.255.255.0
09:10 < debbie10t> route 0.0.0.0 0.0.0.0
09:10 < skyroveRR> I had disabled "Pull Settings: No information is requested from the server. Settings need to be specified below"..
09:10 < debbie10t> ahh ..
09:10 < skyroveRR> I'll enable.
09:10 < debbie10t> yes
09:10 < debbie10t> but i think you will need to re-import with the "pull enabled"
09:11  * debbie10t is not 100% sure about android
09:11 < skyroveRR> Mm the certificates seem to be in place.
09:11 < debbie10t> certs look ok
09:11 < skyroveRR> Let me start the vpn now.
09:13 < skyroveRR> It gets stuck after a few lines, I'll have to paste them... one sec.
09:13 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
09:17 < skyroveRR> debbie10t: http://paste.debian.net/106252/
09:17 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:17 < debbie10t> P.TLS Error: TLS key negotiation failed to occur within 60 seconds. (check your network connectivity)
09:17 < debbie10t> did you enable portforwarding and open a port on your firewwall ?
09:18 < skyroveRR> Uh...
09:18 < skyroveRR> Let me check.
09:18 < skyroveRR> Oops.. no.
09:18 < debbie10t> are you sitting by your server ?
09:18 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
09:18 < skyroveRR> Yes.
09:18 < debbie10t> tail -f server.log
09:18 < debbie10t> adjust for your setup
09:18 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
09:19 < debbie10t> lol
09:19 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
09:19 < skyroveRR> ...
09:19 < debbie10t> ;)
09:19 < skyroveRR> Sorry, my router's firewall is amazing, everytime I restart it, the other connections restart as well.
09:20 < skyroveRR> The devs say it should be fixed in the next release, though.
09:20 < debbie10t> c'est la vie
09:20 < skyroveRR> Huh?
09:20 < skyroveRR> 415 Sun Jun 22 19:46:00 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]172.24.140.147:1194
09:20 < skyroveRR> 416 Sun Jun 22 19:46:08 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]172.24.140.147:1194
09:20 < skyroveRR> 417 Sun Jun 22 19:46:23 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]172.24.140.147:1194
09:21 < debbie10t> server config: tls-auth /etc/openvpn/keys/ta.key
09:21 < debbie10t> that should be marke3d with direction
09:21 < debbie10t> ie : tls-auth /etc/openvpn/keys/ta.key 0 (on server
09:22 < debbie10t> !tls
09:22 < skyroveRR> Oh, ok.
09:22 < debbie10t> !tls
09:22 < debbie10t> !tls-auth
09:22 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key
09:22 <@vpnHelper> to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
09:23 < debbie10t> read this : https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAK
09:23 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
09:23 < skyroveRR> Ok, added a "0", let me restart and check.
09:24 < debbie10t> scroll to : --tls-auth file [direction]
09:24 < debbie10t> you need 1 in the client
09:24 < debbie10t> its all go =]
09:25 -!- Latrina [~Latrina@adsl-ull-155-221.50-151.net24.it] has quit [Ping timeout: 240 seconds]
09:26 < skyroveRR> I don't have that in the client's conf file.
09:26 < debbie10t> also .. you need it in the client :D
09:26 < skyroveRR> But I do have "tls-client" http://paste.debian.net/106248/ line 10.
09:27 < skyroveRR> Wait, I need to add --tls-auth </path/to/file> in the server again?
09:27 -!- Latrina [~Latrina@ppp-90-58.26-151.libero.it] has joined #openvpn
09:27 < debbie10t> --tls-auth keyfile direction | on server (file 0) & client (file 1) !
09:31 < skyroveRR> Great, now I have to generate a TLS certificate, if I understand correctly.
09:33 < debbie10t> if your server starts ok then you already have a ta.key file
09:33 < debbie10t> otherwisew your server would fail to start
09:34 < skyroveRR>  $ sudo ls /etc/openvpn/keys/
09:34 < skyroveRR> Password:
09:34 < skyroveRR> easy.key  ta.key
09:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
09:34 < skyroveRR> So I just add "tls-auth /etc/openvpn/keys/ta.key"?
09:35 < debbie10t> --tls-auth file direction
09:35 < skyroveRR> In the conf file, it's simply "tls-auth blablabla" without "--".
09:35 < skyroveRR> And I have it already http://sprunge.us/GSbL?en
09:36 < debbie10t> "--" is used to denote that this is a config directive and not some random word
09:36 < skyroveRR> In .conf files?
09:36 < debbie10t> in a config it does not require --
09:36 < skyroveRR> Right.
09:36 < skyroveRR> But I already have it.
09:37 < debbie10t> your server config:  6 tls-auth /etc/openvpn/keys/ta.key
09:37 < debbie10t> which requires  6 tls-auth /etc/openvpn/keys/ta.key 1
09:37 < debbie10t> sorry  6 tls-auth /etc/openvpn/keys/ta.key 0
09:37 < debbie10t> 6 is ther line number
09:37 < skyroveRR> Oh
09:38 < skyroveRR> ... I added that when you told me earlier. duh.
09:38 < skyroveRR> http://sprunge.us/eOeY?en
09:38 < debbie10t> ok
09:39 -!- Latrina [~Latrina@ppp-90-58.26-151.libero.it] has quit [Ping timeout: 244 seconds]
09:39 < debbie10t> so what is in your log now ?
09:39 < skyroveRR> One sec.
09:40 -!- Latrina [~Latrina@adsl-ull-242-217.50-151.net24.it] has joined #openvpn
09:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
09:43 < skyroveRR> Still that "--tls-auth fails with 'missing'. No such file or directory" error....
09:43 < debbie10t> ahh .. then you _do_ need to generate a key file
09:43 < debbie10t> lol
09:44 < skyroveRR> Where?
09:44 < skyroveRR> Should I uncheck "Expect TLS server certificates"?
09:44 < debbie10t> hang on .. is this your client log ?
09:44 < skyroveRR> Yes.
09:44 < debbie10t> then you need to copy the ta.key file to your android
09:45 < debbie10t> from your server
09:45 < skyroveRR> Ok.
09:45 < debbie10t> ta.key is a pre-shared key (PSK)
09:46 < skyroveRR> Ok.
09:46 < debbie10t> you must make sure it cannot be copied by a MITM when you copy it
09:54 <@plaisthos> skyroveRR: there is menu to show the configuration
09:55 <@plaisthos> see also
09:55 <@plaisthos> !inline
09:55 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
09:55 <@plaisthos> for inlining the ta.key
09:55 < skyroveRR> Ok.
09:56 < skyroveRR> Oops, forgot to put in the DNS servers.
09:56 < skyroveRR> Will they be sent by the server to the client as well?
09:57 <@plaisthos> if you do push dhcp-option dns... then yes
09:57 < skyroveRR> Also, I repeatedly get P.Bad LZA decompression header byte: 42, no idea what that means..
09:57 < debbie10t> !pushdns
09:57 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:02 <@plaisthos> skyroveRR: compression settings have to match between server and client
10:02 < skyroveRR> dhcp-option DNS 172.24.140.148 <- I added that to server.conf but openvpn on my client still complains about DNS.
10:04 <@plaisthos> !pushdns
10:04 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:04 <@plaisthos> mind the push
10:05 < skyroveRR> Oh, oops.
10:10 < debbie10t> hmm .. skyroveRR's server configs does not specify comp-lzo so it should default to adaptive ? like the client has comp-lzo ...
10:10 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:10 < debbie10t> ahh ..
10:10 < debbie10t> no comp-lzo on the server means no lzo at all
10:11 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
10:11 < debbie10t> that is a slightly odd default
10:11 < debbie10t> by not specifying comp-lzo you get nothing .. but the manual appears to suggest that the default is adaptive
10:12 < debbie10t> two tiered default
10:12 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds]
10:12 < skyroveRR> So... the vpn is up and running on my phone, but it has yet to open a web page... o.O
10:13 < skyroveRR> It sent 3840 bytes/64 packets, and received 0 bytes/0 packets? O.o
10:14 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
10:14 < debbie10t> skyroveRR : can you ping ?
10:14 < debbie10t> ei: vlient to server or vice versa
10:14 < debbie10t> damm keyboard .. lol
10:16 < skyroveRR> Yes.
10:16 < debbie10t> whaT can you ping ?
10:16 < skyroveRR> From server to client.
10:17 < skyroveRR> And vice versa.
10:17 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
10:17 < debbie10t> did you read this : http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
10:17 < skyroveRR> I'm only sending packets, receiving none in return.
10:17 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:18 < skyroveRR> Yes, it is redirecting ALL the traffic through openvpn
10:19 < skyroveRR> "Use default Route" is checked on the client.
10:19 < debbie10t> and NAT on the server ?
10:19 < debbie10t> what ids your server OS
10:19 < skyroveRR> What?
10:19 < debbie10t> is*
10:19 < debbie10t> servcer operating system ...
10:19 < skyroveRR> Slackware 14.0.
10:19 < debbie10t> damm this keyboard
10:20 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:20 < debbie10t> On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:
10:20 < debbie10t>     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
10:21 < skyroveRR> It is already doing that.
10:21 < skyroveRR> Do I need to enable IP forwarding btw?
10:24 < debbie10t> yes
10:24 < debbie10t> on the server
10:25 < skyroveRR> That is done.
10:31 < skyroveRR> I can't ping 10.0.8.5 from the server and vice versa.
10:31 < debbie10t> you still not using --topology subnet .... you cannot ping the .5 address by design
10:32 < debbie10t> your client should be .6
10:32 < skyroveRR> Oh!
10:32 < skyroveRR> I can ping 10.0.8.6 :)
10:32 < debbie10t> done =]
10:33 < skyroveRR> Then why can't I open any web page on my client? O.o
10:33 < debbie10t> you are correctlyNATting your client traffic on your server ?
10:34 < skyroveRR> I think so..
10:34 < debbie10t> what is your server real IP ?
10:34 < debbie10t> LAN ip
10:34 < debbie10t> not public ip
10:35 < debbie10t> like 192.168. something
10:35 < skyroveRR> 172.24.140.149.
10:35 < debbie10t> ah
10:35 < debbie10t> so what is your server default gateway ?
10:35 < skyroveRR> 172.24.140.150.
10:35 < skyroveRR> In reverse.
10:35 < skyroveRR> 151 is broadcast.
10:35 < skyroveRR> Since it's a /29 network.
10:36 < debbie10t> http://sprunge.us/eOeY?en what is your new server config
10:38 < debbie10t> is it that ?
10:38 < debbie10t> no ...
10:39 < skyroveRR> debbie10t: http://sprunge.us/LZSh?en
10:39 < debbie10t> 23 push dhcp-option DNS 172.24.140.148
10:39 < debbie10t> i dont think so ....
10:40 < skyroveRR> Why?
10:40 < skyroveRR> I'm running my own DNS server.
10:40 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
10:40 -!- noobcybot [~noobcybot@46.161.102.160] has joined #openvpn
10:41 < skyroveRR> I get this btw: DNS Server: 172.24.140.148, Domain: null.
10:41 < noobcybot> hello where can I download windows desktop client? i cannot find it on the website
10:41 < debbie10t> : /30 subnet means .148 is a network number not a host....
10:41 < skyroveRR> I said /29, not /30.
10:41 < skyroveRR> Earlier.
10:41 < skyroveRR> noobcybot: https://openvpn.net/index.php/download/community-downloads.html
10:41 <@vpnHelper> Title: Community Downloads (at openvpn.net)
10:42 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
10:42 < noobcybot> skyroveRR, I found that but it does not install openvpn connect client which I had earlier
10:42 < debbie10t> skyroveRR : can you ping the DNS server from the client ?
10:42 < skyroveRR> debbie10t: let me check.
10:42 < noobcybot> this one http://documentation.jentla.com/@api/deki/files/649/=OpenVPN_Profile_Import_1.png
10:43 < debbie10t> noobcybot : please ask in #openvpn-as
10:43 < noobcybot> this is access server? way too confusing
10:43 < skyroveRR> Hmm, I get "Destination Host Unreachable"...
10:43 < skyroveRR> Sorry, Port.
10:44 < skyroveRR> Destination Port Unreachable.
10:44 < debbie10t> skyroveRR : check your DNS server is really a DNS server
10:45 < skyroveRR> ... it is.
10:45 < debbie10t> check firewalls
10:45 -!- CmdrMoozy [~CmdrMoozy@209.2.73.94] has joined #openvpn
10:46 < skyroveRR> Can it be that since I'm forwarding only to this machine, it isn't sending anything on the DNS server?
10:46 < debbie10t> skyroveRR : perhaps you have allowed UDP 1194 but not UDP 53
10:46 < skyroveRR> I am allowing 1194.
10:46 < CmdrMoozy> this is probably a dumb question, but can one generate a PKI such that openvpn doesn't need a password to start as a daemon? easyrsa seems to require passwords for both the CA and the server key
10:46 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
10:47 < debbie10t> CmdrMoozy : yes .. passwords are not necessarily a part of your PKI
10:48 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
10:48 < skyroveRR> ...
10:48 < CmdrMoozy> debbie10t, ah, i see :) i needed to do easyrsa gen-req (name) nopass
10:48 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
10:48 < debbie10t> CmdrMoozy : see openvpn.net/index.php/open-source/documentation/howto.html#pki
10:49 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
10:49 < debbie10t> hmm .. url failed to copy ?
10:49 < CmdrMoozy> debbie10t, thanks :) it seems to have worked for me
10:49 < debbie10t> cool :)
10:50 < skyroveRR> ...
10:51 < skyroveRR> I can't even run traceroute on the client.
10:53 < debbie10t> skyroveRR : did you push routing for your server side LAN ?
10:53 < debbie10t> ie: push "route 172.etc"
10:54 < skyroveRR> ... I don't have that anywhere in the conf file.
10:54 < debbie10t> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
10:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:58 < skyroveRR> Hmm. Did that.
10:58 < skyroveRR> Still no pings.
10:59 < debbie10t> skyroveRR : please paste current server config .. and restart server and client
10:59 < skyroveRR> I added this: "push "route 172.24.140.144 255.255.255.248""
10:59 < skyroveRR> Ok.
10:59 < debbie10t> server Must be restarted
10:59 < skyroveRR> http://sprunge.us/dOHa?en
10:59 < skyroveRR> Yes I restarted it.
10:59 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 1.0-dev]
11:00 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:00 < debbie10t> hold on .. loading subnet.xls ;)
11:00 < skyroveRR> ...
11:00 < skyroveRR> .144 is the network.
11:00 < debbie10t> subnet.ods (open doc format .. not that MS wollop)
11:00 < skyroveRR> And the CIDR is /29, so I get 6 usable IP addresses.
11:02 < debbie10t> ok
11:03 < debbie10t> so you cannot ping your DNS but your VPN is up
11:03 < debbie10t> and you can ping server
11:03 < skyroveRR> Yes, the one with 10.0.8.1 but NOT 172.bla.bla.bla.
11:03 < skyroveRR> In fact, I can't ping any hosts with 172.bla.bla.bla.
11:04 < skyroveRR> Oh wait, I can ping 172.24.140.150 which is my gateway.
11:04 < debbie10t> on your client .. does it have a route for 172.*
11:04 < debbie10t> lollolhttp://openvpn.net/index.php/open-source/documentation/howto.html#scope
11:04 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:05 < debbie10t> liusdfoh'osfgb'ifsgb
11:05 < debbie10t> what the fk
11:05 < skyroveRR> Huh?
11:05 <@ecrist> debbie10t: if you're trying to edit the wiki on the community site, you should be able to once you're authenticated
11:05 < debbie10t> my irc has gone mental
11:05 < debbie10t> brb
11:05 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
11:06 < skyroveRR> Great. I'm stuck now.
11:06 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
11:06 <@ecrist> debbie10t: if you're trying to edit the wiki on the community site, you should be able to once you're authenticated
11:06 < debbie10t> thats better
11:07 < skyroveRR> debbie10t: welcome back.
11:07 < skyroveRR> debbie10t: I've checked "Use default Route" in the client.
11:07 < debbie10t> ecrist : thasnks I will check again
11:07 <@ecrist> you must be authenticated, though.
11:07 < debbie10t> yup
11:07 < skyroveRR> Authenticated to what?
11:07 < debbie10t> TRAC
11:07 <@ecrist> all authenticated users have WIKI_MODIFY and WIKI_CREATE
11:07 <@ecrist> yes, trac
11:07 < skyroveRR> Hmm..
11:08 <@ecrist> same creds as the forum
11:08 < debbie10t> ecrist : I know .. I think it is a permissions or user (me idiot) thing
11:08 < skyroveRR> Ok, a bit of help here.
11:09 < debbie10t> skyroveRR : chill out man .. you are getting helphttp://openvpn.net/index.php/open-source/documentation/howto.html#scope
11:09 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:09  * ecrist poofs
11:09 < skyroveRR> I read that and added a sentence in the server.conf file.
11:09 < debbie10t> lol
11:10 < skyroveRR> What.
11:10  * debbie10t is thinking ...
11:12 < debbie10t> skyroveRR : can you ping your server 172.24.140.145 from the client ?
11:12 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
11:12 < skyroveRR> ... let me clarify this:
11:13 < skyroveRR> 172.24.140.150 is my gateway; 140.149 is this server, and 140.148 is my DNS server, it's in reverse.
11:13 < skyroveRR> So yes, I can ping the gateway [if that's what you meant] from the client.
11:13 < debbie10t> ok
11:13 < debbie10t> can you ping your DNS server from the client ?
11:13 < skyroveRR> Let me check.
11:14 < skyroveRR> No, I get "Destination Port Unreachable".
11:15 < debbie10t> if you ping you are not specifying a port
11:15 < skyroveRR> Of course not.
11:15 < debbie10t> then you do not get "port unreachable"
11:16 < skyroveRR> Hmm....
11:16 < debbie10t> you might get "host unreachable" but more likely "time out"
11:17 < skyroveRR> Ok
11:18  * debbie10t loads VM .. to be totally **** sure
11:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:18 -!- mode/#openvpn [+v s7r] by ChanServ
11:18 < debbie10t> skyroveRR: can you paste a client log ?
11:19 < skyroveRR> It's a fucking pain.
11:19 < skyroveRR> Ok, let me try.
11:19 < debbie10t> you don't know the half of it ;)
11:20 < skyroveRR> IDK where the fuck it logs them.
11:20 < debbie10t> ahh .. yeah andriod
11:20 < debbie10t> you can add "log /folder/file.log" to your client config
11:20 < skyroveRR> I'll have to type it.
11:21 < debbie10t> probably on your SD card
11:21 < skyroveRR> Give me a 2 mins.
11:21 < debbie10t> and restart
11:21 < skyroveRR> ... ok, one sec.
11:21 < debbie10t> tick
11:21 < debbie10t> lol
11:24 < skyroveRR> http://paste.debian.net/106267/
11:24 < skyroveRR> http://sprunge.us/FESi?en <- server.conf
11:25 < debbie10t> ecrist : when I tried to edit the docs on trak I was able to .. but I found I was not able to change the name of the CommunityLangning page https://community.openvpn.net/openvpn/wiki/NewCommunityLangingPage
11:25 <@vpnHelper> Title: NewCommunityLangingPage – OpenVPN Community (at community.openvpn.net)
11:26 < debbie10t> like I said <- user error most likely
11:27 < debbie10t> skyroveRR : do you still have that "route 0.0.0.0" in your client config ?
11:27 <@krzee> skyroveRR, when you connect a client does it then lose its internet connection?
11:27 <@krzee> i didnt read the scroll, but i did look at the config
11:28 < skyroveRR> Let me paste my client config file.
11:28 -!- Latrina [~Latrina@adsl-ull-242-217.50-151.net24.it] has quit [Ping timeout: 240 seconds]
11:29 < skyroveRR> debbie10t: http://paste.debian.net/106268/ <- client config.
11:29 <@krzee> so the client cannot reach the internet? right?
11:29 < skyroveRR> krzee: no.
11:29 <@krzee> once it connects
11:29 < skyroveRR> krzee: uh right.
11:30 -!- Latrina [~Latrina@adsl-ull-249-186.50-151.net24.it] has joined #openvpn
11:30 <@krzee> ya, i didnt even read anything you said, the config was obvious
11:30 < skyroveRR> ... I gave a conflicting answer, sorry, the client can't connect to the internet.
11:30 <@krzee> i would fix it for you, but you hid the Ip in --remote which is all that matters
11:31 < skyroveRR> Well, I'll suit the config accordingly :)
11:31 < skyroveRR> Please suggest a fix.
11:31 <@krzee> push "route <ip_from_remote> net_gateway"
11:31 <@krzee> in server config
11:31 <@krzee> and it must be net_gateway
11:31 <@krzee> the words, not you changing it
11:32 <@krzee> !route_override
11:32 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
11:32 <@krzee> oops
11:32 < skyroveRR> Umm
11:32 <@krzee> push "route <ip_from_remote> 255.255.255.255 net_gateway"
11:32 <@krzee> only change <ip_from_remote>
11:32 <@krzee> heres what happening...
11:33 <@krzee> you are connecting to the VPN, then you send ALL your traffic to the subnet your VPN is in over vpn
11:33 <@krzee> but without a direct route to the vpn server, you cannot send traffic to the vpn to then redirect it to the internet
11:33 <@krzee> you end up with a routing loop, and no internet connection.
11:34 < skyroveRR> Oh!
11:34 < pekster> skyroveRR: Not sure if you figured this out before, but see `./easyrsa help export-p12`
11:34 < skyroveRR> pekster: I did, I'm over it :)
11:34 <@krzee> or theres always:
11:34 <@krzee> !p12
11:34 <@vpnHelper> "p12" is openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
11:34 < skyroveRR> :)
11:35 < debbie10t> I thought "redirect-gateway def1" did that auto ?
11:35 < skyroveRR> krzee: so basically the remove IP is ACTUALLY the ip of the vpn server, right?
11:35 < skyroveRR> * remote.
11:35 <@krzee> skyroveRR, yes the ip you hid from us in --remote
11:35 < skyroveRR> Ok.
11:35 <@krzee> if i needed more info and you kept hiding i would have said:
11:35 <@krzee> !topsecret
11:35 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
11:35 < skyroveRR> ...
11:36 < skyroveRR> 183.87.135.49.
11:36 <@krzee> however it was little enough that it didnt hurt my ability to help you ;]
11:36 < skyroveRR> Happy?
11:36 < skyroveRR> Just don't ping me to death using it.
11:36 < skyroveRR> It's my VPN server.
11:36 < skyroveRR> :)
11:36 <@krzee> also did you know about this:
11:36 <@krzee> !def1
11:36 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
11:37 < debbie10t> guess what -- no push redirect-gateway def1 in server.conf
11:37 <@krzee> instead of adding a route for 0/0 manually you can use redirect-gateway which also adds the route i just told you to add to fix your setup
11:37 < debbie10t> i did paste the HOWTO
11:37 <@krzee> please see --redirect-gateway in the man page ( !man ) to fully understand  ;]
11:38 < skyroveRR> So do I remove route "172.24.140.144 255.255.255.248"?
11:38 < skyroveRR> From the server conf file?
11:38 <@krzee> no, now that i see its not the vpn server
11:38 <@krzee> but i did see the client had route 0.0.0.0 0.0.0.0
11:38 <@krzee> change that to redirect-gateway
11:39 <@krzee> or do you have a reason why not?
11:39 < skyroveRR> That was from the server.conf file...
11:39 < skyroveRR> Not client.conf.
11:39 < skyroveRR> I meant 172.
11:39 < skyroveRR> 0.0.0.0 was in client.conf.
11:40 <@krzee> i answered that, and then i moved on to talk about the client.conf
11:40 < skyroveRR> Ok.
11:40 <@krzee> !man
11:40 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
11:41 <@krzee> if you look at --redirect-gateway
11:41 <@krzee> see what it does
11:41 < skyroveRR> Yup.
11:41 <@krzee> then you'll see that if you use redirect-gateway instead of route 0.0.0.0 0.0.0.0 it creates the static route to the vpn for you
11:41 <@krzee> as to not create a routing loop
11:42 <@krzee> (which you are creating by using route 0.0.0.0 0.0.0.0 without doing the rest of what redirect-gateway does to make it work
11:42 <@krzee> follow me?
11:43 < skyroveRR> Sure.
11:43 < skyroveRR> Making the changes.
11:43 < skyroveRR> :)
11:43 <@krzee> what exactly are you changing?
11:44 <@krzee> better yet, after you make changes post your configs again
11:44 < skyroveRR> I commented out the router 172.xxx command, and added push "redirect-gateway def1" to the conf file.
11:44 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
11:44 < skyroveRR> http://sprunge.us/DNIj?en
11:44 < skyroveRR> ^ server.
11:44 < skyroveRR> Let me make the changes to client.
11:44 <@krzee> you dont need line 26
11:45 <@krzee> because its part of line 27
11:45 < skyroveRR> Ok.
11:46 < skyroveRR> Now? http://sprunge.us/BegB?en
11:46 < debbie10t> As I satated before: I posted the redirect HOWTO .. and checked the push route for server lan and made sure NAT was enabled (IPforwarding was checked by sky) .. I mentioned the route 0.0.0.0 .. so is krzee still ignoring me .. and if so why ? .. do I not provide reasonable help .. ?
11:47 < skyroveRR> krzee: and my client has options for adding routes manually, so what should I add there?
11:47 <@krzee> post the client config
11:48 < skyroveRR> http://paste.debian.net/106268/
11:48 < skyroveRR> I'm about to remove that 0.0.0.0.
11:48 -!- p3rror [~mezgani@41.248.177.255] has joined #openvpn
11:48 <@krzee> thats all you need to do
11:48 < skyroveRR> Ok.
11:49 <@krzee> optionally you could have put the redirect-gateway in the client config without "push"
11:49 <@krzee> but thats totally up to you, works both ways
11:50 <@krzee> now on the server, cat /proc/sys/net/ipv4/ip_forward
11:51 <@krzee> whats the output?
11:51 < debbie10t> he did that already ....
11:51 < skyroveRR> 1.
11:51 < debbie10t> exactly
11:52 < skyroveRR> ... for some reason, the client keeps adding route 0.0.0.0 0.0.0.0....
11:52 < debbie10t> one fkn mistake and you are tarred for life .. even when you man the forum practically single handedly
11:53 < skyroveRR> I'm confused as to who should I listen to now.
11:53 < debbie10t> listen to krzee
11:53 < debbie10t> i am just bitter that he is ignoring me
11:53 < skyroveRR> I'm sorry, debbie10t
11:53 < debbie10t> no prob
11:54 < debbie10t> ~:)
11:54 < debbie10t> or as krzee would say : =]
11:54 < skyroveRR> So, in routing section of the android client, I have "ignore pushed routes" checkbox, "use default route" checkbox, and custom routes options, which should I use?>
11:55 <@krzee> sorry i dont deal with checkboxes
11:55 <@krzee> i deal with openvpn configs
11:56 <@krzee> but if you ignore pushed routes then how you gunna accept the pushed routes you just configured
11:57 <@krzee> when i use the android client i grab "openvpn for android" then i import my working config (already tested on my laptop) and then im done.
11:57 <@krzee> i never check boxes.
11:57 < debbie10t> and so you never check
11:57 < skyroveRR> Can I see your routing section screenshot pls? :)
11:57 <@krzee> i also have debbie on ignore so i dont see whatever hes saying
11:57 < debbie10t> exactly
11:57 <@krzee> routing section?  you configured that in your configs
11:58 < debbie10t> which is why he doesnt know how much i expalined before
11:58 <@krzee> also, are you using "openvpn for android" or "openvpn connect" ?
11:58 <@krzee> skyroveRR, can you stop using the android client and start using a computer until you get it working as desired, and THEN we can go android?
11:58 < skyroveRR> Then which one should I use? O.o
11:59 <@krzee> skyroveRR, which one ARE you using?
11:59 < skyroveRR> umm both...
11:59 <@krzee> you can use whichever you like, but i personally only know the open source
11:59 < skyroveRR> Oh
11:59 <@krzee> "openvpn for android"
11:59 < skyroveRR> In that case ummm
11:59 < skyroveRR> 'OpenVPN for Android".
12:00 < skyroveRR> Which one do you use?
12:00 <@krzee> usually "openvpn for android"
12:00 <@krzee> although on some setups i dont use any GUI
12:00 <@krzee> i just install the binary and set it up to run via init.d
12:00 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
12:01 < debbie10t> if krzee knew how to configure android he would do it on android and not on a PC
12:01 < skyroveRR> Ok, now how do I prevent the android.conf client file from being overwritten?
12:01 <@krzee> anyways, can we get this working from a normal computer first?
12:01 < debbie10t> if krzee knew how to configure android he would do it on android and not on a PC
12:02 < skyroveRR> ... ok.
12:02 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Client Quit]
12:02 <@krzee> that way when its time to work on android you know everything should work
12:02 < skyroveRR> Fine.
12:02 < debbie10t> *should* lol
12:02 <@krzee> cool, what client os will we be using now?
12:02 < skyroveRR> Wait, you mean running on a VM or something?
12:02 <@krzee> sure a vm is fine
12:03 < skyroveRR> Crap, I don't have any emulator handy.
12:03 < debbie10t> not on your server it is not
12:03 <@krzee> as long as its not a vm on the machine with the server running
12:03  * skyroveRR facepalms
12:03 <@krzee> is the server at home?
12:03 < skyroveRR> Yes.
12:03 <@krzee> i see
12:03 < skyroveRR> And I'm at home too.
12:03 < debbie10t> hey .. run a VBOX on your server and watch it crash
12:03 <@krzee> ok screw it i guess setting up on the android will be fine then :-p
12:04 < skyroveRR> lol.
12:04 <@krzee> 1sec
12:04 < skyroveRR> Ok, tell me what to do.
12:04 < skyroveRR> Sure.
12:05 <@krzee> do you actually have ipv6?
12:05 < skyroveRR> Nope.
12:06 <@krzee> http://pastebin.com/DLZAgqfG
12:06 < CmdrMoozy> when i try connecting to my server, it fails with "VERIFY nsCertType ERROR: CN=Bupkis, require nsCertType=SERVER" - i think i just generated my keys incorrectly so "ns-cert-type server" verification fails
12:06 <@krzee> of course you should not cut out the file info in the real config, but when pasting it to me you definitely should
12:06 <@krzee> this stuff:
12:06 <@krzee> <ca>
12:06 <@krzee> ...
12:06 <@krzee> </tls-auth>
12:07 < CmdrMoozy> how does one generate a server certificate that has that field set properly with easyrsa from git?
12:07 < skyroveRR> right.
12:07 <@krzee> CmdrMoozy, try this:
12:07 <@krzee> remote-cert-tls server
12:07 <@krzee> nscerttype is old, remote-cert-tls is new, they are equally effective but you have to use the one you build with
12:08 <@krzee> remote-cert-tls follows the rules, nscerttype existed before there were rules ;]
12:08 < CmdrMoozy> krzee, that did it :) thanks!
12:08 <@krzee> CmdrMoozy, np =]
12:08 < skyroveRR> ... I gotta go, krzee .
12:08 <@krzee> skyroveRR, then remove both openvpns from your phone and add "openvpn for android" then import that config
12:09 <@krzee> heh
12:09 < skyroveRR> TTYL. Thanks, krzee and debbie10t ! BBL.
12:09 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: WeeChat 0.0.0 :P]
12:09 <@krzee> and we never even got to checking his server firewall / nat
12:09 < debbie10t> yes we did
12:09 < debbie10t> but you canmt see that
12:10 < debbie10t> ignore at your peril
12:13 < noobcybot> guys how can I load ovpn config in OpenVPN GUI on windows?
12:13 < noobcybot> I just have systray icon with basically nothing in settings
12:13 <@krzee> the config must be in program files/openvpn/config or whatever the dir it made is named (i dont use windows)
12:14 <@krzee> then when you right client the tray icon you'll be able to click connect
12:14 <@krzee> oh and config must have file extension .ovpn
12:15 <@krzee> noobcybot, ^
12:15 < noobcybot> that's it! thank you so much
12:15 <@krzee> np
12:16 < debbie10t> bla bla bla
12:21 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
12:21 -!- CmdrMoozy [~CmdrMoozy@209.2.73.94] has quit [Quit: Leaving]
12:32 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
12:34 -!- nikade [racer@2001:1608:3:1::ffff] has joined #openvpn
12:37 < nikade> hi guys - ive been struggling with openvpn 2.1.3 on a windows 2008 r2 64bit server and 2st windows 7 64bit clients. the server is connected with 1Gig to the internet and the clients are both connected with 100Mbit and the clients cannot seem to get over 10Mbit/s when transfering files through the openvpn. the tap interfaces on both sides shows a 10Mbit link but I know thats not true since its a virtual interface
12:37 < nikade> anyone have any tips?
12:37 < nikade> i tried connecting a pc at work running windows 7 and i have the same problem there aswell, max speed over the VPN is 10Mbit
12:37 < pekster> 2.1.3 is rather old; 2.3.4 is current
12:38 < pekster> Additionally, tap is best avoided due to performance, security, and bridigng complexity. See also:
12:38 < pekster> !tunortap
12:38 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
12:38 <@vpnHelper> rooted/jailbroken) support only tun
12:38 < pekster> Also, avoid TCP as the transport (see: !tcp)
12:38 < nikade> yeah im using tap and udp as the proto
12:39 < pekster> You should be using tun unless you need support for raw (non-IP) Ethernet frames
12:39 < nikade> the point with this tunnel is to reach a share at the 2008r2 machine
12:39 < nikade> will the driver provided with the installation support tun? i mean the driver is even named "tap" :)
12:39 -!- psiklops [~psiklops@unaffiliated/psiklops] has joined #openvpn
12:39 < pekster> Yes, it's just the driver name. The "tun" driver on Linux supports tun & tap the same way
12:40 < nikade> oh great, imma try that right away! thanks for the help so far, i'll be back soon with the resault
12:40 < pekster> NBNS might be the only reason you'd want to use tap, but the proper solution is to use DNS as intended
12:40 < nikade> yea agreed - im using IPs anyway so it wont be a problems
12:40 < nikade> problem*
12:40 < pekster> Ah, even better (avoid the problem!) :P
12:40 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Read error: Connection reset by peer]
12:41 < nikade> haha yeah exactly :>
12:41 < pekster> All this said, eventually openvpn is limited by CPU. 10 Mbps seems a little low though
12:42 < pekster> And of course the path of your transit traffic
12:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:42 < nikade> yeah - the 2008r2 server is a intel hexacore at 3,5ghz with 32g ram
12:42 < nikade> its not even showing 1% cpu when im transfering from 3 clients at the same time
12:42 < psiklops> Hi .. i connected through openvpn to vpnbook. vpnbook says for me to connect with the config file: vpnbook-euro1-tcp443.ovpn  .. does this mean that only https:// sites are connect to vpnbook-IP or does this also include are http:// ?
12:43 < pekster> The speed you get is the lowest of the entire system, which includes CPU, interrupts, context switches, and network traffic between _both_ ends
12:43 < pekster> psiklops: Ask them. Without knowing how their server is configured it's impossible to say
12:44 < pekster> Chances are good they use some form of --redirect-gateway, but if you're interested from a technical standpoint, set your --verb (see: !verb) level to 4 and check your logs for hints
12:44 < nikade> pekster: for the fun of it i tried a pptp-tunnel earlier and i was able to upload an .img-file at 98Mbit/s :)
12:45 < pekster> And nothing but feel-good-security to show for it :P
12:45 < pekster> (unless you're using PEAP/LEAP, but that's quite rare in practice)
12:46 < pekster> !factoids search --values cloudcracker
12:46 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
12:46 <@vpnHelper> to read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
12:46 < pekster> heh
12:46 < nikade> yeah im not gonna use pptp, dont worry :)
12:47 < pekster> I figured, I just like the $100 and you're owned page :)
12:47 < nikade> haha yeah
12:47 < nikade> that was awesome
12:47 < pekster> "This protocol we've all known was broken for a decade? Yea, now it's even _more_ broken!"
12:48 < pekster> But yea, try tun (since you're only doing IP anyway, that's what you want.) Tun is a routed setup, so you need a _dedicate_ network for the VPN, and then route to it from your server-side LAN
12:48 < pekster> See !serverlan for some info & a flowchart, but it's "just standard routing" from the context of your LAN
12:48 < pekster> dedicated*
12:49 < nikade> yeah ive got a dedicated subnet on the other side
12:49 < psiklops> thanx pekster
12:49 < pekster> No, the VPN network is dedicated
12:49 < pekster> Tap lets you either route (less common) or bridge; tun can _not_ share the same network as a network you're routing to (not without really ugly NAT anyway)
12:50 < nikade> ah yea no worries, i dont need it bridged
12:50 < nikade> anyway tun was horrible
12:50 < nikade> performance is now only 3Mbit/s
12:50 < nikade> compared to 10Mbit/s earlier
12:51 < pekster> tun is always faster, even in the face of 0% packet loss due to a slightly smaller header
12:51 < nikade> not in my case
12:51 < pekster> SOmething else is at work, becuase tun vs tap in "ideal" conditions is marginally faster
12:51 < nikade> changed to tun on the server and restarted the client
12:51 < pekster> tap gets worse faster in non-ideal conditions
12:51 < pekster> Do you have some configs available?
12:51 < pekster> !configs
12:51 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:51 < nikade> yea sure
12:51 < nikade> hold
12:53 < nikade> pekster: http://pastebin.com/qmmrrveu <--- server
12:54 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:55 < nikade> pekster: http://pastebin.com/ZrgrAcbf <--- client-1 running windows 7 x64 ultimate
12:55 < pekster> (FYI, verb 4 is usually what you want for general debugging; 5 is for printing chars for each inside/outside packet, and >5 is for developers with custom debug builds)
12:56 < pekster> Is 10.10.1.0/24 unique and only used for the VPN network? Not the downstream LAN?
12:56 < nikade> yeah
12:56 < nikade> its a dedicated subnet
12:56 < nikade> i used the higher debug-lvl's to figure something out with the encryption
12:56 < pekster> That setup does not currently let you connect to any of your server-side LAN network, but if you're trying to reach the VPN server itself, that's okay
12:56 < nikade> yea im only gonna reach stuff at the vpn-server
12:56 < pekster> k
12:57 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Ping timeout: 264 seconds]
12:57 < nikade> im having a CIFS-share over therew
12:57 < nikade> which im gonna use to store stuff from different offices
12:58 < pekster> At verb 4 (I suppose 6 works, just extra noisy) do you see any lines about "Replay-window backtrack occurred" ?
12:59 < pekster> Oh, comment-out that tun-mtu-extra on line 7 of the server too; normally you don't want that in tun mode, and it should be matched between endpoints in almost all cases
13:00 < pekster> Chances are good you want --mss-fix and --fragment if you have MTU problems anyway
13:00 < pekster> (better is to fix your broken pMTUd if that's the case)
13:00 -!- VinceN [~VinceN@c-68-42-230-18.hsd1.mi.comcast.net] has joined #openvpn
13:01 < VinceN> Good Afternoon,  I was wondering if someone here would be willing to help a Newb configure OpenVPN server to work on Ubuntu 12.04.  I've been trying to do it for days and I just seem to be missing something
13:01 < nikade> yeah i'll try remove that line, thanks pekster
13:02 < pekster> The goal is to avoid fragmentation of packets by preventing peers from sending "too large" packets that openvpn has to send as 1 full-sized, and a 2nd nearly-empty packet
13:02 < VinceN> This is the guide I have been utilizing
13:02 < VinceN> https://library.linode.com/networking/openvpn/ubuntu-12.04-precise
13:02 <@vpnHelper> Title: Secure Communications with OpenVPN on Ubuntu 12.04 (Precise) and Debian 7 – Linode Library (at library.linode.com)
13:02 < pekster> You can try something like `--mssfix 1300` on both ends as a quick and usually-overkill way to see if you have MTU issues
13:03 < pekster> VinceN: Per the /TOPIC, without your !goal we'll be hardpressed to do much for you
13:03 < pekster> !new
13:03 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
13:03 < nikade> pekster: i tried setting a linksys e4200 with ddwrt up as a client to see if this is windows-client-related and its having the same limit at 10Mbit/s using the TAP-device
13:03 < nikade> pekster: using TUN its about the same as the windows-clients
13:03 < nikade> ~3Mbit/s
13:03 < pekster> nikade: embedded is going to have really awful thoughput
13:03 < pekster> Namely becuase of the weak CPU and no support for AES-NI
13:04 < VinceN> My Goal is to have my Linode VPN with Ubuntu 12.04 act as a centralized VPN server that I can then connect my home PC and Laptop too for remote communication to each other via the VPN
13:04 < VinceN> But rightnow just getting anything to actually connect to the server is being problematic
13:04 < nikade> pekster: yea i know, but still, its not doing too bad if its pusing 10Mbit/s using the TAP-device, its getting the exact same performance as the windows-clients
13:04 < pekster> VinceN: So you don't need to connect to anything not already on the VPN? 2 clients will both connect to the VPN, then use each other's VPN IP (or DNS based on that) to talk?
13:05 < VinceN> pekster: They should have full internet access also with traffic being routed through the Linode Server.
13:05 < pekster> That's important to state then
13:05 < VinceN> pekster: Sorry, I am VERY new to VPN's
13:05 < pekster> VinceN: What you want is to start with a basic connection (read: !howto) and then once you can ping from the client to the VPN IP of your server, proceed with the info at: !redirect
13:06 < VinceN> !howto
13:06 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:06 < pekster> VinceN: You probably want to use the `--client-to-client` option too once you have the "howto" done successfully; this lets all clients talk to each other without needing to worry about firewall restrictions
13:07 < pekster> That should be enough to get you started
13:07 < VinceN> Ok, I'll hang out and read up and give it a shot and respond back when I start running into difficulty.  Thanks :-)
13:07 < VinceN> Thats alot of ands... LOL
13:12 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
13:13 < nikade> connected a debian 7 machine to the tunnel, both with tun and tap and it seems like the problem is the same, with TAP its 10Mbit/s max and with TUN its around 3Mbit/s
13:13 < nikade> the debian machine is connected with 2x1Gbit LACP to the switch so its most def not a bandwidth issue there
13:16 < pekster> And properly configured, 100 Mbps shouldn't be a real problem. I have a VPN server on my 100 Mbps LAN here, and I just did an FTP transfer over it at 42.88 Mbps (that's 5.36 Mbytes/s.) And that was CPU-limited by my poor 2.26 Celeron
13:16 < pekster> With a faster processor, speeds could be faster yet
13:17 < pekster> Obviously there's a bottleneck somewhere. You might even try a more-robust protocol like http or ftp for your speed tests (CIFS is kind of a crappy protocol, and it'd be nice to rule it out as a cause)
13:20 < nikade> yeah im a bit confused
13:21 < nikade> im mostly into IPSEC and we're pushing several hundreds of Mbit/s over our IPSEC-tunnels at work
13:21 < pekster> Fire up apache or IIS or something, drop on a 200 meg file, and see how long it takes to pull down
13:21 < pekster> IPSec is in-kernenl, so it won't reach limitations of the CPU as quick as OpenVPN will. AES-NI can help a lot if both ends support it and you set the data crypto to AES (from the default BF-CBC)
13:21 < pekster> But you don't get there until your actually maxing out 1 core (openvpn is single-threaded, so 1 core is all you get, per instance)
13:23 < pekster> I'd try a file transfer over http (just drop a ~200 meg file on the server, and time the download; Most browsers show you transfer rate at the end.) Verify no reply window messages in logs, and possibly try that --mssfix I also suggested earlier
13:24 < pekster> Couldn't hurt to wach CPU usage on both systems, keeping an eye on per-core utilization
13:24 < nikade> cliens are all quad cores and the server is a hexacore
13:24 < pekster> Openvpn treats them as a SINGLE core
13:24 < pekster> As I just stated.
13:25 < nikade> ah yea, sorry
13:25 < nikade> anyways, while doing a transfer the server is using 1% cpu and the client 2%
13:25 < nikade> havent tried IIS yet
13:25 < nikade> but i'll try FTP or something else which isnt encrypted
13:26 < pekster> Right, any "dumb, efficient" protocol is fine. CIFS is both complex and rather inefficient
13:30 < pekster> Also, if you're testing over the Internet at large, you might consider a local-test on-site, just to rule out any possible problems with Internet delivery
13:30 < pekster> Again, speed is the lowest of all involved factors
13:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
13:36 < nikade> i've tried from 3 different sites
13:36 < nikade> all minimum 100Mbit
13:36 < nikade> and they all reach MAX 10Mbit/s using the TAP, TUN its about 3Mbit/s
13:36 < nikade> so it must be something server-side
13:38 < pekster> Not really waht I suggested
13:39 < pekster> You want to _remove_ possibilities, not muddy them
13:40 < pekster> Try it locally. What about the other suggestions I gave you about looking at MTU issues? etc, etc
13:41 < nikade> what do you mean by locally? ftp to localhost or the vpn-specific IP and fetching/uploading a file?
13:43 < pekster> VPN from the _LOCAL_ network
13:43 < pekster> Remove "any problems on the the Internet" from your problem path
13:44 < pekster> Could be a slow router. Maybe something QoS's UDP traffic, or the TLS throws a DPI box into overdrive trying to "scan" your traffic
13:44 < pekster> Run a speed test there. If that's different than the exact same test from another location, network transport is the problem
13:45 < nikade> i tried from a debian 7 box at the same site on the same switch
13:45 < nikade> it had the same "max" speed
13:45 < nikade> 10Mbit/s with TAP and ~3Mbit/s with TUN
13:46 < nikade> i just tried FTP
13:46 < nikade> its about the same speed
13:46 < pekster> And what did you learn from reviewing your log files as I suggested? Or mssfix?
13:46 < nikade> getting about 3,5Mbit/s with TUN and 9,9Mbit/s with TAP
13:46 < pekster> Or do you want to keep spewing the same numbers at me (hint: it won't help if you do it another dozen times)
13:47 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
13:47 < nikade> i'll try the mssfix now
13:48 < nikade> im just giving you the numbers over again to show you that there is no difference
13:48 < nikade> it is not to insult you, its just to provide the facts
13:48 < pekster> You mean that thing I suggested 45 minutes ago? You might finally try it now?
13:48 < pekster> Or maybe I'm just talking to myself. I dunno.
13:49 < nikade> no you're not but i was trying different clients to rule those things out aswell
13:49 < nikade> im appreciating your help, i am, but i had some ideas myself aswell
13:50 < pekster> With reasonably-powered clients (that aren't capping out on CPU usage, including Sys, Usr, or Wa/St capacity) it shouldn't be a CPU bottleneck
13:51 < pekster> At least not for sane ciphers, like BF-CBC and AES
13:51 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
13:51 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:52 < nikade> yea i guess its not gonna be CPU
13:52 < nikade> slowest client is an intel i5 at 2,7ghz
13:53 < nikade> tried mssfix aswell, its a littie bit faster, about 6Mbit/s now on the TUN and 12Mbit/s on TAP
13:53 < pekster> This isn't a units conversion issue, is it? 6 MByte/s would be somewhat-reasonable
13:53 < nikade> hehe no im sorry its not
13:54 < nikade> those 6Mbit/s are like ~750Kbytes/s
13:54 < nikade> imma try and setup a debian machine
13:54 < nikade> and try the server-config on it
13:54 < pekster> For fun, you could try --no-reply on both ends
13:54 < nikade> might be some windows-issue because ive been using openvpn before and i've pushed nearly 100Mbit/s without any problems at all
13:54 < nikade> but then both sides were debian and no windows involved
13:55 -!- psiklops [~psiklops@unaffiliated/psiklops] has left #openvpn ["Leaving"]
13:55 < pekster> There's always samba :P
13:55 < nikade> exactly
13:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
13:56 < pekster> Wouldn't be the first time I've seen Windows eat itself doing something that should be simple
13:56 < nikade> problem is one of the other admins have never used linux - me myself is a linux-sysadmin at work so i have no problems using samba :)
13:56 < nikade> exactly, wouldnt be the first or last time
13:56 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 252 seconds]
13:57 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:57 < pekster> You ever fix your wickedly outdated version?
13:57 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
13:58 < nikade> yeah first time i did ;)
13:59 < nikade> debian is booting up now, lets see if theres any difference
13:59 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
13:59 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:00 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
14:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:02 < nikade> getting about twice the speed
14:03 < nikade> with the TUN
14:03 < nikade> gonna try TAP next
14:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
14:03 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
14:03 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
14:04 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:05 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:06 -!- Pyrogerg [~Gregory@67-0-208-86.albq.qwest.net] has joined #openvpn
14:08 < VinceN> Ok pekster, I've been reading down the quick start guide and I've got the server installed, my CA and Client Certificates, Keys ect generated and transfered securely to the client machine.  Now i'm at the point where I need to open my firewall traffic but this seems tp depend on weather or not i'm going to do Bridging or Routing.  I honestly don't understand the pros and cons outside of performance issues.
14:09 < pekster> Do you need to send non-IP raw Ethernet frames over the VPN?
14:09 < pekster> If not (as is the case for most people) you want tun
14:09 < VinceN> I don't think so.  Can't think of a reason why I would.
14:09 < pekster> Most people shouldn't need to do that. Bridging "sounds easier" but it's not, since you have deal with distro/OS specific bridging setup that OpenVPN won't do for you
14:10 < VinceN> No, I want to just be able to generate keys, Install Open-VPN Gui and run with it after setting up interfaces
14:10 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 246 seconds]
14:11 < pekster> Yup. Routed is exactly what you want then
14:11 < pekster> The flowchart helps walk you though all the steps to route to a LAN behind either endpoint
14:11 < VinceN> So we're just going to do routing and that means I just have to add a rule allowing UDP port 1194 forwarded through IPTABLES
14:11 < pekster> You'd need that either way
14:12 < pekster> The VPN traffic is encapsulated over a single UDP (or optionally TCP, but best to avoid that) port
14:12 < pekster> Obviously the server must accept the inbound traffic or nothing interesting happens
14:12 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:13 < VinceN> Okey doky, I'll run with that and report back when I have something or get stuck agian.  Thanks :-)
14:13 -!- Pyrogerg [~Gregory@67-0-208-86.albq.qwest.net] has quit [Ping timeout: 272 seconds]
14:14 < VinceN> Oh on a side not tough.  I know that we want to avoid TCP because of the added overhead involved but there are situations where your on a network that just kills the UDP traffic right?
14:15 < pekster> Not on properly configured networks. The --keepalive helper (see: !keepalive) ensures that stateful firewalls don't have problems
14:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 244 seconds]
14:15 < pekster> And realistically, some stateful firewalls have rather low TCP timeouts too, but usually not less than 30 minutes or so
14:15 < VinceN> Well I figured it was more for the prevention of people using VPNs
14:16 < pekster> OpenVPN makes no attempt at all to hide itself; even in  UDP mode the TLS handshake is easy to match if someone wants to
14:16 < VinceN> gotcha
14:16 < pekster> There are other solutions to that problem (like !obfs or !static) but they come with their own drawbacks and complications
14:16 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
14:17 < VinceN> Well I don't know if anywhere I plan to use it will even present that issue, its just something I heard/read somewhere and wanted to be sure I was remembering right
14:18 < pekster> You can run multiple instances to get around that; prefer UDP unless you're behind some totaliarian firewall that is both abusive enough to block UDP but also stupid enough to let non-https traffic go to port tcp/443 or something
14:18 < pekster> These-days I just connect via my mobile data service if that's ever a problem
14:18 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:19 < pekster> Even VoIP over 3G tends to be pretty usable along most of the US Interstate
14:20 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:22 < VinceN> haha, I would like to use a Asterisk server over this if the performance holds up
14:23 -!- Latrina [~Latrina@adsl-ull-249-186.50-151.net24.it] has quit [Ping timeout: 264 seconds]
14:23 < cyberanger> Trouble is where there is no 3G
14:24 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
14:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:24 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 255 seconds]
14:25 < cyberanger> But I've just dropped to a lower codec with 2g an a sat phone too
14:27 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:28 -!- Latrina [~Latrina@ppp-4-17.26-151.libero.it] has joined #openvpn
14:28 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:29 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
14:29 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:30 <@Eugene> Grar.... what's the magic iptables line to nuke ICMP redirect(new nexthop)? I know it goes on OUTPUT
14:31 <@krzee> #netfilter ;]
14:31 <@Eugene> I'm looking for a bit of wisdom, not "go read the fucking manpage you lazy dolt"
14:31 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:31 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
14:31 <@Eugene> `iptables -A OUTPUT -p icmp --icmp-type 5`, if I'm reading it right
14:32 < pekster> Eugene: Why not just set the send_redirects sysctl kernel-knob instead?
14:32 <@Eugene> Because I forgot about it
14:32 < pekster> There's also accept_redirects if you want to be complete
14:33 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 245 seconds]
14:33 <@Eugene> Meh, I just want my `ping` output to be clean
14:33 <@Eugene> Rah rah rah, c2c, yes I know.
14:34 <@Eugene> Here, have a cookie. Thanks for reminding me of the right way.
14:34 -!- mode/#openvpn [+v pekster] by Eugene
14:34 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:35 -!- larryone [~larryone@89.100.23.131] has quit [Remote host closed the connection]
14:35 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:40 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 245 seconds]
14:42 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:43 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:43 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:43 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 252 seconds]
14:46 -!- larryone [~larryone@89.100.23.131] has quit [Client Quit]
14:47 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:50 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:52 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:54 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
14:54 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
14:57 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
15:01 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
15:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:04 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 246 seconds]
15:06 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
15:06 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:13 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
15:13 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
15:15 < VinceN> Ok, Now getting this issue.  I followed the setup and generated my DH Parameters.  I copied the file over to /etc/openvpn along with my keys.  But when I try to start the server it says it cannot find the file?
15:16 <+pekster> Check your paths; it's best to use explicit, fully-qualified paths
15:16 <+pekster> There exists the --cd directive too, if you prefer to go that route
15:17 <+pekster> Mind the quoting on Windows. You must do something like: --dh "C:\\Program Files\\openvpn\\config\\dh.pem"
15:17 <+pekster> Or use single-forward slashes
15:17 < VinceN> The server is on Ubuntu so I should be fine with that
15:17 <+pekster> Still need to either fully-qualify paths or set --cd properly
15:18 < VinceN> so instead of "dh dh1024.pem" I should use "/etc/openvpn/dh1024.pem" ?
15:18 <+pekster> Yup
15:19 <+pekster> Or set --cd explicitly to that path, but you have to be careful if you're using distro init as some like to set that "for you"
15:19 < VinceN> Eh, If I specify it in the config everything should know what it's talking about
15:19 <+pekster> Not if it's overridden by crappy distro init
15:20 <+pekster> Are you using initscripts, or plan to always invoke your server startup manually from a terminal?
15:20 < VinceN> I assume Int Scripts
15:20 <+pekster> Are you 100% sure it's not adding a --cd itself after the --config line?
15:20 <+pekster> If not, just qualify your paths
15:21 <+pekster> That, or go digging to learn how it works and if it's safe to ignore my advice. And hope your maintaininers never screw that up, or things will break
15:21 < VinceN> I am not, I just used the default install from the Ubuntu Repositories
15:21 < VinceN> and followed the directions at my Linode Setup guide and the How To you gave me
15:22 <+pekster> Then FFS, qualify your paths. If you're an expert who knows you don't need that, then don't do it
15:22 < VinceN> Oh i'm no expert
15:22 < VinceN> LOL
15:22 < VinceN> That got it
15:22 < VinceN> Servers up
15:25 < VinceN> Ok and we have some activitity on the GUI that I didn't have before
15:26 < VinceN> It is NOT connecting but it looks like its actively being rejected which I consider progress LOL
15:26 < VinceN> TLS Handshake failed
15:30 < VinceN> Had my old server certificate still in there from my previous attempt
15:30 < VinceN> WE HAVE CONNECTION!
15:32 < VinceN> Good Ping from VPN Gateway, SO were passing bits over the tunnels.  Thanks for your help sir
15:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
15:51 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has joined #openvpn
15:57 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
16:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:04 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:11 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
16:16 < VinceN> !redirect
16:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:16 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:34 < VinceN> Can't seem to get routing to work.  The VPN Tunnel itself is fine.  I can ping the gateway and surf to local resources hosted on the server.
16:34 < VinceN> Traceroutes just show they die trying to get to the next hop
16:34 <+pekster> Where did the flowchart leave you?
16:36 < VinceN> Think it's a routing/firewall issue
16:38 -!- squaresurf [~squaresur@73.53.28.180] has joined #openvpn
16:54 < VinceN> Can't seem to find it.  Does anyone see anything obvious with this IPTABLES output?
16:54 < VinceN> http://pastebin.com/17E6S6d9
16:55 < VinceN> I just can't seem to get traffic to route out of the network correctly
17:00 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has joined #openvpn
17:03 -!- Latrina [~Latrina@ppp-4-17.26-151.libero.it] has quit [Ping timeout: 272 seconds]
17:05 -!- VinceN [~VinceN@c-68-42-230-18.hsd1.mi.comcast.net] has quit [Ping timeout: 240 seconds]
17:06 -!- Latrina [~Latrina@ppp-232-62.26-151.libero.it] has joined #openvpn
17:06 -!- p3rror [~mezgani@41.248.177.255] has quit [Ping timeout: 245 seconds]
17:09 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:10 -!- nikade [racer@2001:1608:3:1::ffff] has left #openvpn []
17:13 -!- early [~early@192.241.198.49] has quit [Ping timeout: 240 seconds]
17:14 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 255 seconds]
17:16 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
17:19 -!- early [~early@192.241.198.49] has joined #openvpn
17:19 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
17:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
17:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
17:24 -!- Latrina [~Latrina@ppp-232-62.26-151.libero.it] has quit [Ping timeout: 272 seconds]
17:25 -!- Latrina [~Latrina@ppp-41-26.26-151.libero.it] has joined #openvpn
17:35 -!- Latrina [~Latrina@ppp-41-26.26-151.libero.it] has quit [Ping timeout: 240 seconds]
17:37 -!- Latrina [~Latrina@ppp-51-44.26-151.libero.it] has joined #openvpn
17:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:10 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:21 -!- RedDeath is now known as zz_RedDeath
18:23 -!- BenLue [~OpenWrt@unaffiliated/benlue] has joined #openvpn
18:25 -!- Pyrogerg [~Gregory@67-0-208-86.albq.qwest.net] has joined #openvpn
18:29 -!- Pyrogerg [~Gregory@67-0-208-86.albq.qwest.net] has quit [Ping timeout: 255 seconds]
18:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
19:03 -!- squaresurf [~squaresur@73.53.28.180] has quit [Quit: Computer has gone to sleep.]
19:04 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
19:07 -!- noobcybot [~noobcybot@46.161.102.160] has quit [Quit: Leaving]
19:16 -!- wrongplace [~leicht@gateway/tor-sasl/martinphone] has quit [Quit: gone]
19:19 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
19:23 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 245 seconds]
19:25 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
19:33 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
20:08 -!- eroen [~eroen@unaffiliated/eroen] has quit [Ping timeout: 245 seconds]
20:09 -!- eroen [~eroen@unaffiliated/eroen] has joined #openvpn
20:10 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
20:11 -!- mitz [~mitz@113.161.65.219] has quit [Quit: ZNC - http://znc.in]
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
20:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:40 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:48 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 244 seconds]
20:48 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:59 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
21:04 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:04 -!- mode/#openvpn [+v hazardous] by ChanServ
21:18 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
21:19 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
21:20 < skyroveRR> o/
21:28 < BenLue> o/
21:51 < skyroveRR> I can ping from server to the client, but not from the client to the server, http://sprunge.us/DHKj?en server: 10.0.8.1, client 10.0.8.6.
21:51 < skyroveRR> Any guesses why?
21:53 < Latrina> http://ircpimps.org/redirect.png
21:53 <+pekster> Always a firewall problem if it works in 1 direciton but not the other
21:53 <+pekster> Between VPN peers, you know the traffic flows in each direciton as the echo-reply makes it "back" from the echo-request
21:54 < skyroveRR> IDK where the firewall is blocked, I've port forwarded 1194 from the gateway to the server...
21:55 <+pekster> tun, not physical transport
21:55 < skyroveRR> http://imagebin.org/314221
21:55 <@vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
21:56 < skyroveRR> I didn't get you, tun?
21:57 <+pekster> The device. The tun device. The virtual Ethernet device
21:57 < skyroveRR> What about it?
21:57 <+pekster> It's being firewalled. You should fix that
21:58 < Latrina> I think I had the same issue awhile ago
21:58 < skyroveRR> The firewall is open..
21:58 < Latrina> this guide helped me
21:58 < Latrina> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
21:58 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
21:58 < skyroveRR> Server: http://paste.debian.net/106316/
21:59 <+pekster> Apparently not. OpenVPN is doing its job if you can successfully ping between the endpoints, in _any_ direction
22:00 < skyroveRR> Is the server firewall ok?
22:00 <+pekster> No idea. -L isn't how you show Netfilter output
22:00 < skyroveRR> Then what does?
22:00 <+pekster> `iptables-save -c` is the non-insane way to do it
22:00 < skyroveRR> Ok.
22:00 <+pekster> -L lies, omits data, and doesn't you full context
22:01 < skyroveRR> http://paste.debian.net/106317/
22:02 -!- squaresurf [~squaresur@2601:8:b080:aca:94ef:db36:16f5:5619] has joined #openvpn
22:02 <+pekster> You're not accpeting pings, so it's not surprise that doesn't wnork
22:02 <+pekster> Pings are not ESTABLISHED or RELATED connections, nor are they on port 1194.
22:02 <+pekster> You don't need tcp/1194 unless you plan to run a 2nd instance
22:03 <+pekster> You probably shouldn't be doing any OUTPUT filtering unless you really know what you're doing
22:03 <+pekster> -m state is deprecated (replace with -m conntrack --ctstate)
22:03 < skyroveRR> What's the command to accept pings?
22:03 <+pekster> Duplicate rules at lines 9-10
22:04 <+pekster> https://github.com/QueuingKoala/netfilter-samples
22:04 <@vpnHelper> Title: QueuingKoala/netfilter-samples · GitHub (at github.com)
22:05 <+pekster> So, to be clearly, by "firewall is open" you meant "I'm running firewall rules and I have no clue what they are"
22:05 <+pekster> Not quite sure how those work, but okay. You might want to start with one of my examples and add in the bits you need for the tun traffic
22:05 < skyroveRR> Ok.
22:06 < skyroveRR> Hm. Makes sense. I'll study the firewall then. :)
22:06 <+pekster> My examples are _very_ basic starting points; if you use one as a template, add in the VPN stuff you need and be sure you have a failsafe way in (consider using iptables-apply(8) )
22:07 <+pekster> #Netfilter is also helpful for questions, although you can sometimes find advice here relating to VPN needs
22:09 -!- squaresurf [~squaresur@2601:8:b080:aca:94ef:db36:16f5:5619] has quit [Quit: Lingo - http://www.lingoirc.com]
22:31 -!- arescorpio [~arescorpi@14-57-245-190.fibertel.com.ar] has quit [Excess Flood]
22:55 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:17 -!- ShadniX [dagger@p5DDFD5A1.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:18 -!- ShadniX [dagger@p5481C1BA.dip0.t-ipconnect.de] has joined #openvpn
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
23:59 -!- ramz [~ramz@221.120.165.254] has joined #openvpn
23:59 < ramz> Hi all ...
--- Day changed Mon Jun 23 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:01 < ramz> I have a question regarding tuntap interface. I have posted the question in SO. Can some one answer it.  http://stackoverflow.com/questions/24358438/ping-not-working-from-tap-interface-attached-to-bridge-interface-with-ip-on-same
00:01 <@vpnHelper> Title: Ping not working from tap interface attached to bridge interface with ip on same subnet as that of bridge to outside - Stack Overflow (at stackoverflow.com)
00:06 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 244 seconds]
00:22 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
00:27 <@krzee> ramz, no idea, but what is your real goal? what is the problem you're trying to solve
00:29 < ramz> @krzee ... My real goal is to simulate packets with different mac address to send to coovachilli server ...
00:30 <@krzee> you're aware that you dont need different tap interfaces to spoof macs?
00:30 <@krzee> you can change any device's MAC address at will
00:31 < ramz> yes. But i need simultaneous connections to be happening ...
00:31 <@krzee> ahh, well when bridged in you're seeing the correct behavior by the OS
00:31 <@krzee> sending from bridge interface
00:32 <@krzee> i suppose you could make an app that lets you communicate to coovachilli server via many MACs
00:33 < ramz> what kind of an app you are suggesting ?
00:33 < ramz> i need to create some 100 simultaneous clients ...
00:33 -!- ajc_ [ajc@nat/hp/x-qnernozvhqjivjhp] has joined #openvpn
00:33 <@krzee> ya i guess i dunno
00:34 <@krzee> but i dont think openvpn will be much help
00:34 < ramz> oh okay ... Thanks a lot krzee for your time ...
00:34 <@krzee> np
00:36 <@krzee> hmm i wonder if you could manually manage the adding of ips to your eth0 and then sending a gratuitous arp reply to the target telling him that the new ip goes to some new mac
00:36 <@krzee> then when you send out traffic to the server as that client you spoof your MAC as that one
00:37 <@krzee> you'd be going back and forth a ton, but i dunno what else you can do
00:39 <@krzee> just for the hell of it, if you ping -I can you change what MAC it sends as?
00:40 < ramz> nope ... i can give only the interface not mac.
00:40 <@krzee> i know
00:40 < ramz> I just tried a config, it seems to be working. I dont know why ...
00:40 < ramz> create a bridge, attach eth0 and tap0
00:40 <@krzee> you got it working how you want?
00:41 < ramz> almost yes, but i am not sure why it works.
00:41 <@krzee> !magic
00:41 <@vpnHelper> "magic" is For a story about magic read http://www.catb.org/jargon/html/magic-story.html
00:42 < ramz> attach a program to tap0 and forward traffic between tap0 to other tap interface. It works ...
01:10 -!- `Ile` [~ile@109-93-220-4.dynamic.isp.telekom.rs] has joined #openvpn
01:11 < `Ile`> WinstonSmith: 1
01:11 -!- `Ile` [~ile@109-93-220-4.dynamic.isp.telekom.rs] has quit [Client Quit]
01:17 -!- zz_RedDeath is now known as RedDeath
01:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:42 < skyroveRR> Hi krzee
01:43 < skyroveRR> pekster: I had blindly copied the firewall script in the openvpn tutorial without knowing what that script might do, and I studied that script and realised that part of it is wrong.
01:45 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: WeeChat 0.0.0 :P]
01:45 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
02:11 -!- Whoopie [~Whoopie@unaffiliated/whoopie] has joined #openvpn
02:12 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
02:12 < Whoopie> Hi, I have a question regarding tap0 creation: is it right that openvpn creates the needed tap0 device during startup? Or do I need to run the mktun command before starting openvpn?
02:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
02:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
02:22 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:22 -!- ramz [~ramz@221.120.165.254] has quit [Remote host closed the connection]
02:37 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
02:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
03:08 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:14 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has joined #openvpn
03:25 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has joined #openvpn
04:18 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has left #openvpn ["Bye!"]
04:19 -!- u0m3_ [~u0m3@109.96.135.222] has quit [Ping timeout: 240 seconds]
04:28 -!- eroen [~eroen@unaffiliated/eroen] has quit [Read error: Connection reset by peer]
04:30 -!- eroen [~eroen@unaffiliated/eroen] has joined #openvpn
04:48 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
05:03 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
05:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:32 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
05:42 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
06:18 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
06:24 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
06:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:33 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:47 < BenLue> I have some trouble with my OpenVPN
06:47 < BenLue> OpenWRT (VPN-Client) - Router (192.168.2.1) [France] <- Internet -> [Germany]Modem - OpenWRT (192.168.1.1) (VPN-Server)
06:47 < BenLue> (VPN-Server config): http://paste.debian.net/hidden/f18f74e1/
06:47 < BenLue> (Germany Network config): http://paste.debian.net/hidden/21ee213c/
06:51 <@krzee> !openwrt
06:51 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
06:52 <@krzee> and i didnt read the server config because its mostly comments
06:52 <@krzee> !goal
06:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:52 <@krzee> start by telling us what you want your vpn to do, and what is not working
06:52 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:57 < BenLue> ok when i start the server i cant connect the Router (Connection Time out)
06:57 < BenLue> i need to stop the Server restart and see there i can connect again
06:58 < BenLue> is my push route correct? (VPN-Server config): http://paste.debian.net/hidden/f18f74e1/
07:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
07:12 <@krzee> !configs
07:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:12 <@krzee> oh those arent even openvpn configs
07:13 <@krzee> sorry man, we dont really support openwrt obscured configs
07:13 <@krzee> we rather suggest that you use normal openvpn config files like suggested here:
07:13 <@krzee> !openwrt
07:13 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
07:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:29 <@krzee> however, if you're concerned about a push route working that tells me you're probably sharing a lan behind the server
07:29 <@krzee> !serverlan
07:29 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
07:29 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
07:29 <@krzee> so you can use the flowchart to find issues if you like
07:30 <@krzee> or if you make openvpn configs i'ld be happy to take a look
07:35 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:40 -!- ajc_ [ajc@nat/hp/x-qnernozvhqjivjhp] has quit [Read error: Connection reset by peer]
07:48 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has quit [Ping timeout: 240 seconds]
08:05 -!- Skutov [~Skutov@cpc24-aztw23-2-0-cust111.aztw.cable.virginm.net] has joined #openvpn
08:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: WeeChat 0.0.0 :P]
08:26 < Skutov> Hi there, I'm having some trouble connecting to an OpenVPN server running on CentOS (config file http://pastebin.com/1mtuT7Zs) from a client running on Windows 7 (config file http://pastebin.com/sRuc8MmK). When I try to connect the connection is made, within about 2 seconds the client throws the error "Assertion failed at crypto.c:174" and disconnects. I have googled for this error and found ones s
08:26 < Skutov> imilar to it but I haven't found any soloutions to it. The log file for the client showing the error on line 23 is here http://pastebin.com/XU2LCNiq and the server log file showing the client connecting and then dropping due to inactivity is here http://pastebin.com/B8zY0qJP. Can anyone suggest some potential fixes?
08:26 < Skutov> Thanks in advance.
08:34 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
08:51 -!- Skutov [~Skutov@cpc24-aztw23-2-0-cust111.aztw.cable.virginm.net] has quit [Quit:  I love my HydraIRC -> http://www.hydrairc.com <-]
08:58 -!- u0m3 [~u0m3@109.96.150.109] has joined #openvpn
09:01 <@krzee> if that skutov comes back, his config file pastebins expired but this would do it:
09:01 <@krzee> Mon Jun 23 14:19:52 2014 WARNING: 'cipher' is used inconsistently, local='cipher DES-CFB', remote='cipher AES-128-CBC'
09:17 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:32 -!- Megaf is now known as Megaf_
09:35 -!- piratemother [~int3@203.122.50.114] has joined #openvpn
09:35 -!- icebrain [~andre@62.48.195.253] has joined #openvpn
09:36 < piratemother> hello everyone, have a problem with my vpn network setup
09:40 < piratemother> i have a decent system (Intel i3-3210 with 8G Ram thats on a Gigabyte H77N-Wifi Mini-ITX Motherboard) that i intend to use as a router/gateway
09:46 < piratemother> the system has two network cards, the 1st one i would like to connect it to internet where it would accept VPN connections, and the 2nd one to an internal network (btw, its a debian box)
09:48 < piratemother> 1st card is configured to be DHCP and takes address from ISP directly, the 2nd is static ip configured with (10.42.43.1 range of IP's), i have about 12 machines connected to this 2nd card.
09:48 -!- icebrain [~andre@62.48.195.253] has quit [Ping timeout: 255 seconds]
09:49 < piratemother> now my requirement is that i have to provide people with VPN connections in such a way that they will be able to access all my systems connected to 2nd card.
09:50 < piratemother> can anyone help!!
09:52 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
10:08 <@plaisthos> !tutorial
10:08 <@plaisthos> !howto
10:08 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:08 <@plaisthos> piratemother: that is pretty standard setup
10:08 <@plaisthos> you should find enough howto how to do that
10:09 < piratemother> i tried many different setups, it might be a silly mistake that am doing somewhere, but its really eating away my brain...
10:10 < piratemother> i have installed open vpn and tried to access the machines at secondary network card, but am unable to, cant ping those systems
10:19 < piratemother> can anyone point me in the right direction, know any tutorial/page that can help??
10:25 -!- u0m3 [~u0m3@109.96.150.109] has quit [Read error: Connection reset by peer]
10:30 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: BBL]
10:33 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has joined #openvpn
10:37 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 240 seconds]
10:38 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
10:39 -!- Pyrogerg [~Gregory@146.185.129.18] has joined #openvpn
10:40 -!- piratemother [~int3@203.122.50.114] has quit [Quit: Leaving]
10:46 -!- Pyrogerg_ [~Gregory@ns4010174.ip-192-99-6.net] has joined #openvpn
10:48 -!- Pyrogerg [~Gregory@146.185.129.18] has quit [Ping timeout: 240 seconds]
11:02 -!- Pyrogerg_ [~Gregory@ns4010174.ip-192-99-6.net] has quit [Ping timeout: 272 seconds]
11:04 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
11:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:22 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 240 seconds]
11:24 -!- u0m3 [~u0m3@109.96.150.109] has joined #openvpn
11:26 -!- Pyrogerg [~Gregory@ns4009886.ip-192-99-5.net] has joined #openvpn
11:29 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
11:34 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
11:52 -!- Pyrogerg [~Gregory@ns4009886.ip-192-99-5.net] has quit [Ping timeout: 245 seconds]
11:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
11:55 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
12:04 -!- squaresurf [~squaresur@174.127.143.12] has joined #openvpn
12:12 -!- pquery [~jduffer@12.232.188.66] has joined #openvpn
12:13 < pquery> is there a way in openvpn to create a user on the command line?
12:13 < pquery> especially from the ami on the amazon marketplace? the pam module doesn't work on that edition
12:16 <+pekster> OpenVPN does not deal with creating users. If you're referring to AS, see:
12:16 <+pekster> !as
12:16 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
12:24 -!- icebrain [~andre@193-126-23-253.static.optimus.net.pt] has quit [Read error: Connection reset by peer]
12:27 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has quit [Remote host closed the connection]
12:29 -!- squaresurf [~squaresur@174.127.143.12] has left #openvpn []
12:47 < BenLue> pekster is list push "route 10.8.0.0 255.255.255.0" same as push "route 10.8.0.0 255.255.255.0"?
12:47 < BenLue> I use openwert Openvpn Server
12:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
12:50 <+pekster> Best to use a real config file; then you just write real config lines ;)
12:50 <+pekster> !openwrt
12:50 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
12:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:51 <+pekster> So, put that `option config ...` in the UCI conf, then don't worry about if it's a `list` or `option` or `bool` or w/e, and don't worry if the initscript doesn't support something well
12:51 <+pekster> needless abstraction eventually gets you in trouble (or just plain confused)
12:54 -!- pquery [~jduffer@12.232.188.66] has left #openvpn ["Leaving"]
13:35 -!- trending [~trending@adsl196-6-32-206-196.adsl196-2.iam.net.ma] has joined #openvpn
13:36 < trending> Hello, I installed openvpn on my server, I can connect to it but I get no connection, I tried -almost- everything on "google" but without any results, can you please help me ?
13:46 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
13:49 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
13:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:07 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has quit [Remote host closed the connection]
14:33 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
14:37 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:42 -!- ShadniX [dagger@p5481C1BA.dip0.t-ipconnect.de] has quit [Quit: Bye.]
14:42 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:42 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:43 -!- ShadniX [dagger@p5481C1BA.dip0.t-ipconnect.de] has joined #openvpn
14:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:45 -!- trending [~trending@adsl196-6-32-206-196.adsl196-2.iam.net.ma] has left #openvpn ["ANNNNNNNNND I'M GONE!"]
14:46 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
14:51 -!- Megaf_ is now known as Megaf
15:16 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has quit [Remote host closed the connection]
15:28 -!- ruicruz [~ruicruz@209.105.239.197] has joined #openvpn
15:36 -!- RedDeath is now known as zz_RedDeath
15:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:45 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:46 -!- zz_RedDeath is now known as RedDeath
15:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
16:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
16:23 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:33 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
16:35 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 240 seconds]
16:43 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
16:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:04 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
17:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:14 -!- randt0sh [~tosh@2a02-8420-5d7e-c300-0213-72ff-feb1-7b24.rev.sfr.net] has quit [Remote host closed the connection]
17:26 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
17:34 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has quit [Ping timeout: 272 seconds]
17:43 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:46 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 240 seconds]
18:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
18:16 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
18:18 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Read error: Connection reset by peer]
18:19 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
18:28 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 244 seconds]
18:36 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
18:37 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
18:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:56 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
18:57 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 240 seconds]
19:10 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
19:10 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:20 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
19:26 -!- arescorpio [~arescorpi@160-241-16-190.fibertel.com.ar] has joined #openvpn
19:26 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Ping timeout: 272 seconds]
19:26 -!- michaelhart_ [~michaelha@162.209.54.120] has joined #openvpn
19:42 -!- michaelhart_ [~michaelha@162.209.54.120] has quit [Quit: michaelhart_]
19:44 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has quit [Remote host closed the connection]
19:59 -!- CoryCA [~cory@vps2.cory.albrecht.name] has joined #openvpn
20:00 < CoryCA> Hello.
20:02 < CoryCA> Anybody alive to answer a question or 3 about IPv6 support in OpenVPN?
20:04 -!- RedDeath is now known as zz_RedDeath
20:05 < CoryCA> I'm just getting around to updating my openvpn VPN server which has been unchanged for 4-5 years, mostly because I was hoping the IPv6 support that wasn't back then woudl make a few things easier.
20:05 < CoryCA> So added the line "server-ipv6 2001:470:b09d:17::/64" to the server config file.
20:06 < CoryCA> When OpenVPN comes up (this is on OpenBSD 5.5, BTW), tun0 gets 2001:470:b09d:17::1/64, as expected
20:07 < CoryCA> But when I make the clients connect, they get addresses starting at 2001:470:b09d:17::1000/64, not 2001:470:b09d:17::2 as expected.
20:08 < CoryCA> or, at least, as I expected.
20:08 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has joined #openvpn
20:14 < CoryCA> Is IPv6 allocation to the client supposed to start from <prefix>:1000 ?
20:23 -!- AlexKvazos [~AlexKvazo@189-209-191-225.static.axtel.net] has left #openvpn ["Bye!"]
20:46 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:47 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 245 seconds]
21:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
21:27 < CoryCA> I guess nobody's here, so I;ll just continue to rant.
21:36 < CoryCA> the IPv6 support seems only to have been written witha tun devices, not tap. And not tun with "topology subnet", either.
21:38 < CoryCA> You think that ifconfig-ipv6 would have a second form with dev tap or dev tun+topology subnet, but it doesn't
21:41 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
21:41 < skyroveRR> ping pekster
21:44 -!- ek [ek@freebsd/contributor/ek] has joined #openvpn
21:44 < CoryCA> Rather odd, because if server is essentially a macro that expands to somethign youc an configure manually, why not server-ipv6?
21:45 < ek> Hello, all. I've been searching and testing for a way to change the default gateway (redirect-gateway) to something other than the OpenVPN's server's default gateway. Is this possible? Everything I've seen online hasn't worked (although, my Google-Fu may be lacking...)
21:47 < ek> Essentially, I need something like: push "redirect-gateway 192.168.1.1"
21:47 < ek> ... if that makes sense.
21:47 < ek> As opposed to "def1".
21:48 < skyroveRR> I guess that would push the gateway, but the server gateway would remain unchanged...
21:48 < CoryCA> ek: the whole purpose of teh redirect-gateway option is to make the OpenVPN server the default gateway for the OpenVPN clinet
21:48 < ek> CoryCA: Okay. That makes perfect as to why it's so difficult to change.
21:48 < ek> I'm not sure if what I'm looking for is possible then.
21:48 < CoryCA> analogous to how Microsoft PPTP, Cisco AnyConnect
21:49 < ek> CoryCA: Sure. So, the "def1" isn't just using the OpenVPN server's default gateway, it's telling the client to use the OpenVPN server itself as the gateway.
21:49 < CoryCA> are you tryingto make the default gateway of the openvpn client an IP on VPN netblock, just not the OpenVPN server?
21:50 < ek> CoryCA: Well, it's a bit of a strange setup, but the server OpenVPN is running on is part of both a bridged, external network (to comply with some datacenter jargon) and the secondary interface is on a LAN (192.168.1.0/24).
21:51 < CoryCA> ek: yes, because the OpenVPN server's default gateway is not somethign that is visible to teh OpenVPN clients
21:51 < ek> Using "def1" as the gateway, the OpenVPN server seems to be trying to use the ISP's default gateway to send out (which won't work). So, I'm trying to route everything through the LAN's gateway.
21:53 < CoryCA> which LAN's gateway? the original default gateway of the client?
21:53 < ek> Of course, everything else with the OVPN server and client works (all systems can *mostly* see each other). But, there are some users that need to have all traffic routed through OpenVPN (located in China and such for work where certain things are blocked).
21:53 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 264 seconds]
21:53 < ek> So, this isn't site-wide so it needs to be adjustable via the CCD.
21:54 < CoryCA> let me rephrase to see if I think I understand what you're trying to do.
21:54 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
21:55 < ek> I'm thinking, at this point, it might be wise to simple run another server strictly associated with the LAN, or run OpenVPN from the firewall itself (in order to hopefully avoid the bridge).
21:56 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
21:56 < CoryCA> 1- some clients only need to route traffice destined for the private network through the VPN, but everything else (Google, Facebook) they can just use the default-gateway that was there before the OpenVON clinet started running
21:57 -!- jerrcs [jeremy@dogpound.sliqua.com] has quit [Ping timeout: 245 seconds]
21:57 < ek> Well, all clients are currently able to connect and access the LAN (which is desired). But, some clients need to have all traffic routed through VPN (as you'd mentioned for Google, Facebook, etc...)
21:58 < CoryCA> 2- Certain other clients, at locations where their internet is severely resticted, need to route *all* traffic through the VPN so they can get to public sites (Gooble, Tumblr) that are otherwise blocked by their local router's access policies
21:58 < ek> CoryCA: Pretty much, yes.
21:59 < ek> CoryCA: Although, the clients that don't need *all* traffic routed through VPN are perfectly fine. Just access to the LAN is fine.
22:00 < CoryCA> so in your client-config-dir you have the file commonNameComputerA and it has the line "redirect-gateway"?
22:00 < ek> So, I'm using TUN (to accomodate for the iPhone's lack of TAP without jail breaking) so I'm not bridging with OVPN.
22:00 < ek> CoryCA: Yes.
22:01 < ek> And it worked fine before the OVPN server was migrated to "outside the LAN".
22:01 < CoryCA> The "192.168.1.1" you mentioned above, which device was that supposed to represent?
22:04 < ek> That represents the LAN.
22:04 < ek> Lemme see if I can mock up a quick diagram of what's happening.
22:05 < CoryCA> Which LAN? the remote user's local LAN, the LAN at the far en of the tunnel behind teh OpenVPN server?
22:12 < ek> Server's local LAN.
22:13 < ek> If that makes sense.
22:13 < ek> So, the OpenVPN server is using 130.20.43.106-109 (external IPs) and the default gateway of 130.20.43.110.
22:13 < ek> On, say, eth0.
22:14 < ek> Then, on eth1, there is the 192.168.1.6 IP for the LAN.
22:14 < ek> I'm using 10.10.8.0/24 for the VPN network.
22:16 < ek> So, when clients connect with "redirect-gateway def1" enabled, it seems to try to route all traffic to 130.20.43.110 which is denied any route due to it comming from 10.10.8.0/24.
22:16 < ek> However, the firewall on 192.168.1.1 is set to allow traffic from 10.10.8.0/24 out (and was working perfectly before setting the default gateway to an external IP).
22:17 < ek> So, essentially, I need all OpenVPN clients to use the 192.168.1.1 gateway when they are set to route all traffic through the VPN.
22:18 < CoryCA> well, like I said, 192.168.1.1 is not visible  is not visible to the VPN clients
22:18 < ek> Yes. It is.
22:18 < CoryCA> the only way the get to it is through routed hops
22:19 < ek> I can ping it and log into it.
22:19 < ek> I just can't seem to get traffic to route through it.
22:19 < CoryCA> so assuming the OpenVPN server is 10.10.8.1/24 on teh VPN, than that is what the default gateway needs to be for teh VPN clients
22:19 < CoryCA> of when sall their traffic through the vpn'
22:20 < CoryCA> and then your VPN server has to forward tha traffic approriately
22:20 < CoryCA> it is a router, too.
22:22 < CoryCA> if itif the traffic from the 10.10.8.x vpn client is destined for 192.168.1.0/24, then the VPN server just dumps it on it's local LAN
22:23 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
22:24 < CoryCA> and if the traffic from 10.10.8.x is going to facebook.com, then the OpenVPN server sends it out it's default gateway of 130.20.43.110
22:25 < CoryCA> but it also needs to NAT that 10.10.8.x addres, not simple forward the packets
22:26 < CoryCA> that you have the OpenVPN serve with it's own public IPs does make it a wee bit more complicated
22:28 < CoryCA> Assumign that your OpenVPN server is Linux, you'll need to use something like this http://www.novell.com/support/kb/doc.php?id=7008874
22:28 <@vpnHelper> Title: Support | How to set up source based routing with Linux (at www.novell.com)
22:28 < CoryCA> to set up source based routing in Linux
22:28 < CoryCA> which is a pain in the ass.
22:29 < ek> Well, what makes it even more of a pain in the ass, is that it isn't Linux.
22:29 < ek> It's FreeBSD (which I'm familiar with).
22:29 < CoryCA> of then it can be done with pf relatively easily
22:29 < ek> But, no iptables. ;)
22:30 < ek> Yeah. I was just trying to avoid PF behind PF.
22:30 < ek> (using PF for the firewall)
22:30 < ek> Well, hard firewall, not on the OVPN server itself.
22:30 < CoryCA> it's not really a problem becuas eyou won't be using any of teg NAT or other "firewall" functionality o fteh PF on teh OpenVPN server
22:30 < CoryCA> just the simple routing abilities
22:31 < CoryCA> no packet alteration
22:31 < ek> Yeah.
22:31 < ek> Gotta kldload pf*.ko.
22:31 < ek> Then create the rule(s).
22:31 < CoryCA> and your firewall just needs a route back to the OpenVPN server's 192.168.1.x address for th 10.10.8.0/24 block
22:31 < ek> Yeah. Firewall already has all that.
22:32 < ek> What I'm stumped on, really. Is that the 192.168.0./24 network is routed on the OpenVPN server to go to 192.168.1.1.
22:33 < ek> And the 10.10.8.0/24 is routed on the firewall back to 192.168.1.6.
22:33 < ek> Hrm. Well, that does make sense, I suppose.
22:35 < CoryCA> probably some thing like: pass in on $VPN_IF from 10.108.0/20 to !192.168.1.0/24 rdr-to 192.168.1.1
22:36 < CoryCA> My router at home here used to be OpenBSD so I used to be very familiar with pf, but a number of years ago i switched to an enterprise-grade Cisco 1841, so i am a bit rusty.
22:37 < ek> So, before it was something like: client(10.10.8.2) -> OpenVPN(10.10.8.1) -> Default Gateway(192.168.1.1) -> Which routed 10.10.8.0/24 back to 192.168.1.6 -> LAN.
22:37 < CoryCA> or may be match in on $VPN_IF to !192.168.1.0/24 rdr-to 192.168.1.1
22:38 < CoryCA> like I said, rusty. :-)
22:38 < ek> Or: client(10.10.8.2) -> OpenVPN(10.10.8.1) -> Default Gateway(192.168.1.1) -> Google.com (for an external request).
22:38 < ek> Haha. That's alright. I believe those are correct. Might need a slight touch-up.
22:41 < ek> Gonna try it right now.
22:48 < ek> CoryCA: Out of curiosity, why did you migrate from OBSD to Cisco? Did it offer something that you needed or was it just an opportunity to get something expensive? :)
22:52 <@krzee> !pfnat
22:52 <@vpnHelper> "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
23:10 < ek> Don't needs no networks translations...
23:11 < ek> Although, my syntax is dash-fucked at the moment.
23:11 -!- arescorpio [~arescorpi@160-241-16-190.fibertel.com.ar] has quit [Excess Flood]
23:17 -!- ShadniX [dagger@p5481C1BA.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:18 -!- ShadniX [dagger@p5481C0E9.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:48 <@krzee> you said it was going to google
23:48 <@krzee> that means you need to NAT it
23:48 <@krzee> !redirect
23:48 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
23:48 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:49 <@krzee> !linnat
23:49 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
--- Day changed Tue Jun 24 2014
00:24 -!- ShadniX [dagger@p5481C0E9.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:25 -!- ShadniX [dagger@p5DDFC257.dip0.t-ipconnect.de] has joined #openvpn
00:51 -!- CoryCA [~cory@vps2.cory.albrecht.name] has quit [Ping timeout: 240 seconds]
01:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:08 -!- skyroveEE [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
01:09 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Read error: Connection reset by peer]
01:09 -!- skyroveEE is now known as skyroveRR
01:13 < ek> krzee: Ah. I see what you mean.
01:14 <@krzee> =]
01:14 < ek> krzee: I'm thinking that on my firewall I should be able to do the same.
01:14 < ek> In theory, it should work.
01:14 < ek> The only problem is, I need to figure out how to use the GUI to do it. :)
01:14 < ek> PITA.
01:16 < ek> Thanks, though! It's certainly something to look into.
01:19 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: WeeChat 0.0.0 :P]
01:25 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 272 seconds]
01:31 -!- erkules_ is now known as erkules
01:37 <@krzee> ek, sure? you can do it at the server or the router that the server uses
01:37 <@krzee> so long as it gets NAT'ed on its way out to the real internet
01:37 <@krzee> if you can do it on the border even better, i agree
01:38 <@krzee> np
01:46 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
01:48 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
01:52 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
02:13 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:18 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
02:28 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 272 seconds]
02:33 -!- zz_RedDeath is now known as RedDeath
02:35 -!- RedDeath is now known as zz_RedDeath
02:36 -!- zz_RedDeath is now known as RedDeath
03:07 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:11 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
03:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
03:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:42 -!- ajc_ [ajc@nat/hp/x-esogmfxmngpncxjz] has joined #openvpn
03:46 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
03:56 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
04:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:06 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:08 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 260 seconds]
06:08 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 260 seconds]
06:08 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
06:11 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:12 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:17 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:17 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:23 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
06:23 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:29 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:29 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:31 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:34 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:35 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:40 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:41 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
06:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:46 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:47 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:52 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
06:52 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
06:57 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 240 seconds]
06:58 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:02 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
07:04 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:04 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:06 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:10 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:10 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:15 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:16 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:21 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:22 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:27 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:27 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:33 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:33 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:39 -!- ramz [~ramz@27-33-200-92.tpgi.com.au] has joined #openvpn
07:39 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:39 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:41 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
07:44 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 240 seconds]
07:44 -!- ramz [~ramz@27-33-200-92.tpgi.com.au] has quit [Ping timeout: 264 seconds]
07:45 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:47 -!- omrib [~omrib@ec2-50-17-197-161.compute-1.amazonaws.com] has quit [Quit: ZNC - http://znc.in]
07:50 -!- ajc_ [ajc@nat/hp/x-esogmfxmngpncxjz] has quit [Read error: Connection reset by peer]
07:50 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
07:51 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
07:55 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 252 seconds]
07:56 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:02 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
08:02 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:08 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
08:08 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:13 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 272 seconds]
08:14 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
08:14 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:20 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
08:20 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:25 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
08:26 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:31 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
08:32 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:34 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:37 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 264 seconds]
08:38 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:42 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:43 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Remote host closed the connection]
08:44 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:49 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
09:04 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:29 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
09:32 -!- Megaf is now known as Megaf_
09:33 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
09:42 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
09:42 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:42 -!- mode/#openvpn [+o mattock] by ChanServ
09:48 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
09:50 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
09:56 -!- squaresurf [~squaresur@2601:8:b080:aca:c84e:4c83:f1a5:b3e1] has joined #openvpn
09:57 -!- squaresurf [~squaresur@2601:8:b080:aca:c84e:4c83:f1a5:b3e1] has left #openvpn []
10:07 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 245 seconds]
10:08 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 244 seconds]
10:08 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 244 seconds]
10:09 -!- lotherk [~lotherk@office.corpex-net.de] has joined #openvpn
10:10 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
10:11 < lotherk> hi
10:22 < lotherk> I really don't know what my exact problem is, but maybe you can give me some topics or hints to google for as the results I've checked on google didn't satisfied me: it basically is very simple. I have a KVM vserver (with aes-ni support), 100mbit up- and downlink. At home I have 100mbit down and 6mbit up. I've set up a link between my home and the KVM to route my traffic over that link. I get a "very bad" download rate on this. The first problem I'v
10:24 <@krzee> "very bad" doesnt mean much
10:25 <@krzee> a "very bad" link in norway probably outperforms a "very good" link where i live haha
10:28 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:28 <@krzee> but read these:
10:28 <@krzee> !gigabit
10:28 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
10:28 <@krzee> !mtu
10:28 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:35 < lotherk> very bad means 700kb/s instead of 12mb/s.
10:35 < lotherk> as I've said, I read the document about gigabit networks.
10:35 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
10:36 < lotherk> I've also used test-mtu and set the mtu openvpn suggested, without any benefit.
10:37 <@ecrist> could be a shit processor?
10:37 < lotherk> openvpn is consuming about 20% cpu
10:38 <@ecrist> how many users?
10:38 < lotherk> just me
10:39 <@ecrist> so, you can transfer files to the VM, without openvpn, at 12mb/s?
10:39 < lotherk> not to, but from, yes.
10:39 <@ecrist> can you show me?
10:40 < lotherk> sec
10:40 < lotherk> 100%   98MB   9.8MB/s   00:10
10:41 < lotherk> through the tunnel
10:41 < lotherk> 100%   98MB   3.4MB/s   00:29
10:42 < lotherk> as I've said, this is a "zero" file
10:42 <@ecrist> doesn't matter what the file is, really
10:42 < lotherk> okay
10:42 <@ecrist> what process or is it?
10:42 <@ecrist>  /proc/procinfo iirc
10:43 < lotherk> vm: Intel(R) Xeon(R) CPU E5-2630 0 @ 2.30GHz (but only 1 core), my lan server: Intel(R) Celeron(R) CPU G550 @ 2.60GHz (dualcore)
10:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:44 <@ecrist> what does the local processor load look like when you're transferring the file?
10:45 < lotherk> load was 0.27 bevore the transfer,  0.4 while transfering  and openvpn uses about 18-20% cpu
10:45 < lotherk> before*
10:45 <@ecrist> my guess is your local processor is limiting your transfer speed
10:45 <@ecrist> try a client on a different machine
10:46 < lotherk> yes, I will when I get home.
10:46 < lotherk> do you have any further hints of the i5 is doing the job that "bad" aswell?
10:46 < lotherk> if*
10:46 <@ecrist> I doubt that's your problem.
10:47 <@ecrist> 9.8MB/s is nearly your link speed
10:47 < lotherk> yes.
10:47 <@ecrist> seems like it's keeping up just fine
10:47 <@ecrist> 3.4MB/s is still pretty darn fast, it could simply be better
10:47 < lotherk> would it make sense, or help, or doesn't make a disadvantage if I'd use the tunnels without ciphers through an ssh tunnel?
10:48 <@ecrist> that seems silly
10:48 <@ecrist> are you transferring these files via SSH?
10:48 < lotherk> yes
10:48 <@ecrist> both in and out of the tunnel?
10:48 < lotherk> yes
10:48 <@ecrist> that's another layer of crypto your local Celeron has to calculate.
10:49 <@ecrist> on a per-packet basis
10:49 < lotherk> makes sense.
10:50 < lotherk> thanks ecrist, gotta go home now. I'll test it with the i5 and share my results.
10:50 < lotherk> later. *detach*
10:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
11:06 -!- ek [ek@freebsd/contributor/ek] has quit [Ping timeout: 255 seconds]
11:12 -!- squaresurf [~squaresur@2601:8:b080:aca:c84e:4c83:f1a5:b3e1] has joined #openvpn
11:15 -!- ek [ek@freebsd/contributor/ek] has joined #openvpn
11:15 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:18 -!- squaresurf [~squaresur@2601:8:b080:aca:c84e:4c83:f1a5:b3e1] has left #openvpn []
11:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:30 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
11:41 -!- AsadH is now known as NotAsadH
11:42 -!- NotAsadH is now known as AsadH
12:10 -!- Megaf_ is now known as Megaf
12:12 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
12:18 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:00 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
13:01 -!- Whoopie_ [~Whoopie@unaffiliated/whoopie] has joined #openvpn
13:02 -!- Whoopie [~Whoopie@unaffiliated/whoopie] has quit [Ping timeout: 272 seconds]
13:02 -!- Whoopie_ is now known as Whoopie
13:05 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
13:07 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
13:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
13:32 -!- RedDeath is now known as zz_RedDeath
13:35 -!- mattock is now known as mattock_afk
13:42 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Thermi
13:52 -!- Netsplit over, joins: Thermi, fred``, Ulrar
13:58 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
14:00 < Ryu_Fitzgerald> do i understand this correctly?  When setting up an openvpn server.  You make a master CA which is a cert+plus key.  Then you set up a cert for the server to use that is generated off of the master CA.  Then you make a cert for the client to use that is generated off the master CA?
14:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:12 -!- zz_RedDeath is now known as RedDeath
14:14 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
14:16 <@ecrist> Ryu_Fitzgerald: exactly
14:17 <@ecrist> if you're looking at a heirarchy, the server cert and client certs *can* be at the same level, but the server cert could also be a sub-CA, and you could have client certs signed by it
14:20 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:22 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
14:26 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
14:36 < Ryu_Fitzgerald> do openvpn clients need to specify what type of encryption the server is using?
14:36 < Ryu_Fitzgerald> or is the the master ca, client ca, client key, username and password all they need?
14:42 -!- BenLue [~OpenWrt@unaffiliated/benlue] has quit [Ping timeout: 244 seconds]
14:43 -!- lbft [~lbft@unaffiliated/lbft] has quit [Read error: Connection reset by peer]
14:45 -!- Matir [~matir@ubuntu/member/matir] has quit [Remote host closed the connection]
14:46 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
14:46 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
14:53 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:03 -!- squaresurf [~squaresur@2601:8:b080:aca:c84e:4c83:f1a5:b3e1] has joined #openvpn
15:06 -!- squaresurf [~squaresur@2601:8:b080:aca:c84e:4c83:f1a5:b3e1] has left #openvpn []
15:06 < Ryu_Fitzgerald> what nat rules do i need to make when setting up openvpn server
15:06 < Ryu_Fitzgerald> i created a server but the process can't run
15:07 < adaptr> that's never a firewall problem. it means the server couldn't bind, or had some other issue. possibly network-or filesystem related.
15:09 < Ryu_Fitzgerald> does the fact the process can't run mean it needs port forwarding?
15:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:17 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:21 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
15:24 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
15:24 -!- lbft_ is now known as lbft
15:26 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:26 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
15:27 < dvl_> if I make a change to a ccd entry (I added 'iroute 10.80.0.0 255.255.255.0'), do I need to restart the server?  I ask because the route hasn't appeared on the server after the client connected.
15:29 < rob0> I would think that the ccd file is read when the client connects.  It wouldn't make sense to load all those in memory.
15:29 < dvl_> rob0: that was my guess.
15:30 < rob0> but your testing does not confirm this?
15:30 < Ryu_Fitzgerald> i feeling like i live in this channel with how long i spend trying to find someone :(
15:31 < Ryu_Fitzgerald> what do i have to do with ports so my vpn server can be reached by clients?
15:32 < dvl_> rob0: not so far.  I rebooted the client (for something else) and when it came back the VPN connected, but no iroute).
15:33 < rob0> dvl_, "verb 4" should show the ccd file being read.
15:33 < dvl_> rob0: I'll try that
15:35 < dvl_> MULTI: internal route 10.70.0.0/24
15:36 < dvl_> $ netstat -nr  | grep 10.70
15:36 < dvl_> nada
15:36 < dvl_> !ccd
15:36 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
15:37 < dvl_> !iroute
15:37 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
15:38 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
15:39 < rob0> Ryu, in your firewall, open whatever port+protocol your server is using so clients can reach it.
15:40 < dvl_> I see differences in my client config files...
15:44 -!- Megaf is now known as Megaf_
15:47 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
15:47 < GrecKo> !splitdns
15:47 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
15:55 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has joined #openvpn
15:55 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 245 seconds]
15:55 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has quit [K-Lined]
15:55 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [K-Lined]
15:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:56 -!- mode/#openvpn [+o syzzer] by ChanServ
15:56 < joe9> I am trying to understand mtu-test usage. I understand that it tests and shows the proper values that can be used with the fragment directive. Does it set the fragment directive too? I am wondering if I should remove mtu-test and add the fragment directive or if I could just leave the mtu-test?
15:57 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
15:57 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has joined #openvpn
15:59 < dvl_> Oh, I see, openvpn.conf has a 'route push 10.80.0.0 255.255.255.0' and the ccd has: iroute 10.80.0.0 255.255.255.0
15:59 < dvl_> I think I get it.
16:01 < dvl_> that's it!
16:01 < dvl_> wooT!
16:01 < dvl_> I got route baby!
16:03 < Ryu_Fitzgerald> i have an error message Options error: --server directive network/netmask combination is invalid
16:04 < Ryu_Fitzgerald> how do i fix that?
16:08 < joe9> does anyone know if mtu-test sets the fragment size too automatically for that session?
16:08 < joe9> or, is it just to use the fragment size in .conf files?
16:09 < Ryu_Fitzgerald> do you have to know the clients lan network to make a openvpn server?
16:13 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
16:17 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
16:19 < dvl_> I've noticed that if my server restarts, openvpn on the the client can stop.  I have to go and restart that by hand.  Not sure why that happens.  I'm seeing: "kernel: tun0: link state changed to DOWN" and late"openvpn[1797]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1"r
16:20 < Ryu_Fitzgerald> it seems no one in the openvpn channel knows how to set one up :(
16:21 -!- arescorpio [~arescorpi@23-26-245-190.fibertel.com.ar] has joined #openvpn
16:21 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
16:22 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
16:49 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
17:06 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:12 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:25 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:33 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
17:36 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Remote host closed the connection]
17:37 -!- fiasco_averted [glen-a@64.125.189.90] has joined #openvpn
17:41 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
17:42 < fiasco_averted> hello, I have a working solution using certificate-based authentication on openvpn client and server and want to use a different cert that has a specific, invalid EKU estension that is marked critical. This is explicitly designed to fail rfc 5280 verification. When I attempt to use this cert (which is valid, and passes OCSP validation and uses the same certificate chain that the server has access to) it failed with the serverside message of "VERIFY ER
17:42 < fiasco_averted> Is there a method to pass in this specific extension so that it validates? I guess more information on the "remote-cert-eku" option might be helpful, but if that definitely won't work, please let me know and I'll figure out a different workaround.
17:44 <+pekster> Your first message got cut off during the error message
17:45 <+pekster> This said, openvpn relies on openssl to do the verification, so if it doesn't pass with the options provided, you either need to tweak those options, or resolve the underlying cause of failure
17:46 <+pekster> --remote-cert-enu simply require that the OID (or symbolic name) is present in the received cert
17:46 <+pekster> eku*
17:47 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:48 < fiasco_averted> so if I pass the OID using --remote-cert-eku on the serverside config (its already in the client cert), then will that still likely fail as an invalid cert because it is invalid as per rfc5280 and openssl's implementation of that?
17:48 < fiasco_averted> and do I pass in that OID as kex?
17:48 < fiasco_averted> hex*
17:51 -!- Plastefuchs_ [~fweee@198.98.120.235] has quit [Ping timeout: 240 seconds]
17:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
17:54 <+pekster> It's an OID -- you pass that in
17:55 <+pekster> For instance, string "TLS Web Client Authentication" is the symbolic name for the OID 1.3.6.1.5.5.7.3.2
17:56 < fiasco_averted> so i could pass in either "TLS Web Client Authentication" or "1.3.6.1.5.5.7.3.2" as values to that option?
17:56 <+pekster> Yup
17:56 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:56 <+pekster> The former is more apparent as to the reason, so it's generally used
17:56 <+pekster> Note that most implementations just use the --remote-cert-tls option instead (which checks both the kU and eKu fields
17:57 <+pekster> Unless you have to key off exotic options, that should do what you generally need
18:06 -!- Megaf_ is now known as Megaf__
18:06 -!- Megaf__ is now known as Megaf
18:09 < fiasco_averted> thanks pekster. end result is that passing the oid via remote-cert-eku does not end up with the cert validating via openssl. I'll got the route of using a different cert (aka fix the underlying problem)
18:14 <+pekster> Yea, it's that or see what magic options the openssl library needs and validate that way. There's an external verification mechanism you can use, but you still need the core cert to pass openvpn's checks
18:14 <+pekster> ie: --tls-verify
18:15 <+pekster> If your setup works if you don't perform any extended ku/eku validation in openvpn, that might be something to look at
18:15 <+pekster> By defition, a 'critical' extension should fail if the validating side doesn't understand it ;)
18:15 <+pekster> definition*
18:18 < fiasco_averted> yea, that's in the RFC that if a "critical" extension isn't recognized, then reject the whole certificate. The cert is designed to fail verification if used for anything other than what its purposed for and I'm trying to repurpose it so I don't have to muck with C to operate on OSX's keychain (where the other certs I could use are). It looks like that's the case though, so I'll go that route now. Thanks for the assistance.
18:21 <+pekster> You should be generating certs for openvpn from a CA used for that purpose
18:21 <+pekster> If you'd like that CA can itself be a sub-CA to another part of your infrastructure if that's a benefit
18:39 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 255 seconds]
18:40 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:44 -!- Valcorb [~Valcorb@unaffiliated/valcorb] has joined #openvpn
18:44 -!- Valcorb [~Valcorb@unaffiliated/valcorb] has left #openvpn []
18:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
18:56 -!- RedDeath is now known as zz_RedDeath
19:10 -!- fiasco_averted [glen-a@64.125.189.90] has quit [Quit: Leaving.]
19:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:30 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:38 -!- ek [ek@freebsd/contributor/ek] has quit [Quit: Brb.]
20:02 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:04 -!- Argat [~argat@adsl-98-48.du.nwc.is] has joined #openvpn
20:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:10 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
20:32 -!- kossy [a@unaffiliated/kossy] has quit [Read error: Connection reset by peer]
20:33 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
20:43 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:45 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 240 seconds]
21:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
21:16 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has quit [Remote host closed the connection]
21:32 -!- arescorpio [~arescorpi@23-26-245-190.fibertel.com.ar] has quit [Excess Flood]
21:38 -!- erkules_ is now known as erkules
21:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:53 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has quit [Excess Flood]
21:55 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has joined #openvpn
22:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:11 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
22:15 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
22:40 < dvl> ! persist-tun
22:40 < dvl> !persist-tun
22:42 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
22:54 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
22:54 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
23:03 < reiffert> !factoids seach persist
23:04 < reiffert> Jim, it's dead, Jim.
--- Day changed Wed Jun 25 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:22 -!- ShadniX [dagger@p5DDFC257.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
00:22 -!- ShadniX [dagger@p5DDFD043.dip0.t-ipconnect.de] has joined #openvpn
00:32 -!- Kephael [~Kephael@unaffiliated/kephael] has quit []
01:48 -!- rustem [~ka4ok@141.0.170.169] has quit [Quit: No Ping reply in 180 seconds.]
02:00 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:02 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has left #openvpn []
02:37 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:38 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
02:40 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
02:44 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
02:46 -!- Peter_Occ [~chatzilla@user-160u207.cable.mindspring.com] has joined #openvpn
02:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
02:53 -!- Peter_Occ [~chatzilla@user-160u207.cable.mindspring.com] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 31.0/20140616143923]]
03:04 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
03:21 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:39 -!- zz_RedDeath is now known as RedDeath
03:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
04:02 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
04:09 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
04:17 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
04:24 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
04:28 -!- swebb [~swebb@c-76-120-34-202.hsd1.co.comcast.net] has quit [Ping timeout: 252 seconds]
04:30 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Thermi
04:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
04:31 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:34 -!- Denial [~Denial@host86-134-248-230.range86-134.btcentralplus.com] has joined #openvpn
04:41 -!- Netsplit over, joins: Thermi, fred``, Ulrar
04:51 -!- ruicruz [~ruicruz@209.105.239.197] has quit []
04:53 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
04:53 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
04:59 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
05:00 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
05:00 -!- zapotek6 [~zap@mail.comelit.it] has left #openvpn []
05:01 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
05:02 -!- RedDeath is now known as zz_RedDeath
05:06 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
05:06 -!- mode/#openvpn [+o dazo] by ChanServ
05:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:41 -!- lotherk [~lotherk@office.corpex-net.de] has left #openvpn []
05:45 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 240 seconds]
05:50 -!- lotherk [~lotherk@office.corpex-net.de] has joined #openvpn
05:51 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
06:11 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Quit: Doh!]
06:12 -!- ajc_ [ajc@nat/hp/x-zorcezqwtlxejfoh] has joined #openvpn
06:21 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
06:42 -!- lau [~lau@unaffiliated/lau] has left #openvpn ["Bye!"]
06:47 -!- A103X [~A103X@178.114.95.195.wireless.dyn.drei.com] has joined #openvpn
07:10 < vinky> how big of an impact is comp-lzo CPU-wise? tried to find some estimate but didnt find any
07:11 < vinky> also is the only way to divide the work over multiple cores to use 2+ vpn servers?
07:14 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 255 seconds]
07:22 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:23 -!- ajc_ [ajc@nat/hp/x-zorcezqwtlxejfoh] has quit [Read error: Connection reset by peer]
07:28 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:29 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
07:30 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
07:33 -!- A103X [~A103X@178.114.95.195.wireless.dyn.drei.com] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
07:33 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
07:46 -!- Akoi [~Akoi@gateway/tor-sasl/akoi] has joined #openvpn
07:52 -!- Akoi [~Akoi@gateway/tor-sasl/akoi] has quit [Remote host closed the connection]
07:55 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
07:57 -!- zz_RedDeath is now known as RedDeath
08:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:13 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:21 -!- SchmoDroid [~SchmoDroi@gw01.focusmr.com] has joined #openvpn
08:23 -!- brezel [~dahbrezel@2a03:4000:6:206b::] has joined #openvpn
08:23 < brezel> hello everybody
08:23 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
08:24 < brezel> i was wondering if any of you have ever experienced problems with oracle jdbc connections over openvpn
08:25 < brezel> sometimes when our remote office loses its internet connection and the vpn connection is bein re-established, we end up with TCP connections that still exist on the client server (netstat -tpn) but don't exist anymore on the remote db server
08:25 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
08:26 < brezel> i thought that TCP should take care of cleaning up such connections, but somehow it isn't happening and the connections stay seemingly alive forever
08:27 < brezel> (linux on both participating servers)
08:27 < brezel> both servers are located in private lans and don't run openvpn themselves
08:27 < rob0> I have had ssh connections through openvpn survive VPN restarts.  Of course it is non-responsive during the restart.
08:28 < brezel> yeah, that also works for us mostly
08:28 < brezel> what i don't understand is that the 2 servers in our jdbc case disagree on the state of the tcp connection
08:28 < brezel> the client thinks it's connected to the db
08:28 < brezel> but the db knows it isn't
08:38 <@Eugene> Check sysctl. you've probably tuned TCP timeouts somewhere and forgotten it
08:42 < brezel> hmm
08:43 < brezel> after some more googling it seems that tcp just works that way o.O
08:43 < brezel> unless keepalive is enabled
08:43 <@Eugene> Yes, one end or the other gives up. when this happens is up to tuning
08:44 < brezel> ok, i see
08:44 < brezel> that's already a good start, thanks
08:44 <@Eugene> It sounds like your two ends disagree about when this happens
08:44 <@Eugene> So one gets confused
08:45 < brezel> my guess is, that the oracle DB sends some heartbeat packets every now and then
08:45 < brezel> so when the vpn goes down
08:45 < brezel> oracle notices that
08:45 < brezel> shuts down its side of the connection
08:45 < brezel> the vpn comes back up
08:45 < brezel> and the client is still waiting for replies from  the DB server which never come
08:45 < brezel> does that sound realistic?
08:46 <@Eugene> Yup.
08:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:55 -!- SchmoDroid [~SchmoDroi@gw01.focusmr.com] has quit [Ping timeout: 264 seconds]
08:55 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
08:56 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
08:58 -!- SchmoDroid [~SchmoDroi@213.235.233.85] has joined #openvpn
08:59 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:59 < haasn> Is it possible to have a script run *before* OpenVPN tries to connect?
09:00 < haasn> I need to set up a route so that I can actually reach the VPN
09:04 <@Eugene> In your init script is the place to do it.
09:05 < haasn> Yikes, I'd rather not hard-code my IPs into the init script; but if that's the only way to do it, I guess it'll have to suffice
09:05 <@Eugene> some of them(CentOS in particular) will invoke connection.sh before executing 'openvpn connection.conf'
09:06 < haasn> (This is using Gentoo's OpenRC script)
09:06 <@Eugene> No clue on Gentoo, but I'd use the same approach - hook into a connection-specific script before launching
09:07 <@Eugene> Then hardcode it there(or do a DNS lookup......)
09:07 < haasn> Hmm, it seems really ugly; I'll need to do a DNS lookup because I have no idea if the IP of the VPN changes
09:08 <@Eugene> That's what happens when default routes don't work right. Fix your network!
09:09 < brezel> thanks Eugene we're looking into our options with keepalives now :)
09:09 < haasn> I don't want to have a default route, though; I don't want unencrypted packets to ever leave the network
09:09 < haasn> If I'm not connected to the VPN, I do not want connectivity
09:09 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
09:09 <@Eugene> That's a firewalls job
09:09 <@Eugene> OUTPUT table
09:10 < haasn> How would I filter for OpenVPN traffic in iptables?
09:10 <@Eugene> By UDP port number
09:10 <@Eugene> Standard is 1194
09:11 < haasn> Hmm; my other VPN is on 8080; but I can hard code that one's IP
09:11 <@Eugene> You can set it to whatever you want
09:11 <@Eugene> btw, this is a great example of
09:11 <@Eugene> !xy
09:11 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
09:12 < haasn> Let me try starting at the beginning. X: I want to be connected to two OpenVPN networks. I want to send traffic outside those OpenVPN networks through one of the two. I don't want unencrypted packets to leave my system
09:13 < haasn> I want my networks to automatically reconnect whenever my connection dies (or IP changes)
09:13 < haasn> (Ps. These networks unfortunately share the same address space, 10.8.0.0/24. I don't know how much of a problem that will end up being, I've never had a collision so far. I can't change either of the servers' settings)
09:15 <@Eugene> A single /24? oy
09:15 <@Eugene> Yes, that will make it nigh impossible.
09:15 < haasn> Hmm, actually, I think one of the two is 10.8.0.0/16
09:15 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
09:15 <@Eugene> Otherwise, that's just a list of bot factoids
09:15 <@Eugene> !serverlan
09:15 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
09:15 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
09:15 <@Eugene> !def1
09:15 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
09:16 <@Eugene> We already mentioned OUTPUT filtering
09:16 <@Eugene> !keepalive
09:16 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
09:16 <@Eugene> And then your networks need a dose of sanity with addressingg
09:17 <@Eugene> 10/8 is huge. Pick any other numbers, really
09:17 < haasn> Can I do this client-side?
09:21 <@Eugene> Everything except renumbering
09:22 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:22 <@Eugene> You could potentially use nasty host-specific routes or policy routing to overcome it, but don't do that. its painful
09:22 <@Eugene> It also sounds like this is
09:22 <@Eugene> !both
09:22 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
09:30 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:48 < haasn> Something must be awry with my iptables rules and I just cannot figure out why; would you be willing to have a quick look at them?
09:49 < haasn> Actually, I think I already realized why it's not working
09:50 < haasn> I forgot to add rules for my devices tun0 and tap0
09:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Remote host closed the connection]
09:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:56 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 244 seconds]
10:02 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:02 < Eagleman> Is it possible to setup openvpn to start a client config instead of a server config (service openvpn start)?
10:03 <@krzee> Eagleman, your OS startup script doesnt know if your vpn config is server or client
10:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
10:05 < Eagleman> krzee currently its not strating the client config in the /etc/openvpn folder
10:11 < rob0> Your distro provided the init script.  Did they document how it works?  If not, read the script.
10:13 < Eagleman> hmm, its from he epel repo (centos)
10:16 <@plaisthos>             if (lineno==1 && (line.startsWith("PK\003\004")
10:16 <@plaisthos>                         ||   (line.startsWith("PK\007\008"))))
10:16 <@plaisthos>                     throw new ConfigParseError("Input looks like a ZIP Archive. Import is only possible for OpenVPN config files (.ovpn/.conf)");
10:16 <@plaisthos> something I should I have done a _long_ time ago
10:16 < Eagleman> aw got it, renamed .ovpn to .conf
10:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
10:36 <@krzee> plaisthos, i that a common issue?  people trying to import a .zip?
10:38 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
10:39 < debbie10t> This post : https://forums.openvpn.net/posting.php?mode=reply&f=4&t=16188 : To cut a long story short, the user requires --dev tun for android but wants to bridge .. it is possible to bridge with dev tun ?
10:39 <@vpnHelper> Title: OpenVPN Support Forum Login (at forums.openvpn.net)
10:40 < rob0> no
10:40 < debbie10t> rob0: thanks ... i did not think so
10:45 <@dazo> debbie10t: tun processes only IP packets (OSI layer 3), while tap processes ethernet frames (OSI layer 2) ... and you need ethernet frames to do bridging
10:46 < debbie10t> thanks .. that is exactly what I thought .. I would have setup my own test but it seemed logical that this was a no brainer so I just thought I would ask this time .. I try not to be here too much and work most things out myself
10:49 < debbie10t> On a different note : I am running a tun server and a samba server on the same machine and I have noticed that running tcpdump on the server side tun0 interface I get to see broadcasts from the client IPS .. i thought TUN did not forward broadcasts ?
10:51 -!- RedDeath is now known as zz_RedDeath
10:52 -!- Le_pro_du_94 [4eeaab33@wikipedia/Le-pro-du-94] has joined #openvpn
10:52 < debbie10t> r00t@ubsv-dik-vbox:/etc/openvpn/tuns_37233u/CCD$  sudo tcpdump -i tun0
10:52 < debbie10t> [sudo] password for r00t:
10:52 < debbie10t> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
10:52 < debbie10t> listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
10:52 < debbie10t> 16:48:05.201536 IP 10.101.101.210.netbios-dgm > 10.101.101.255.netbios-dgm: NBT UDP PACKET(138)
10:52 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has quit [Excess Flood]
10:53 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
10:54 < debbie10t> sorry .. forgot to pastebin
10:54 < debbie10t> here it is:
10:54 < debbie10t> http://pastebin.com/QGQR0QEz
10:54 -!- Le_pro_du_94 [4eeaab33@wikipedia/Le-pro-du-94] has left #openvpn []
10:54 <@plaisthos> krzee: yeah. People get their configuration bundle or set of multiple ovpn from their VPN provider and try to import that into the app
10:54 <@plaisthos> and I am not going to implement a ZIP reader ...
11:01 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 255 seconds]
11:04 <@ecrist> inline certs ftw
11:04 <@ecrist> oh, ssl-admin 1.2.1 was released today
11:04 <@ecrist> technically, last night
11:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:37 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
11:49 -!- SchmoDroid [~SchmoDroi@213.235.233.85] has quit [Ping timeout: 240 seconds]
11:54 < debbie10t> got it .. ptp vs 1/many
12:00 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
12:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:07 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
12:24 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
12:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
12:25 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:28 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
12:30 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 255 seconds]
12:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
12:33 -!- occupant [~null@204.14.158.226] has joined #openvpn
12:34 < occupant> so how much latency should I expect from a setup? my server is pretty quick, like <10ms, but my pings are all over the place, up to 150.
12:35 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
12:39 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
12:43 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:00 -!- zz_RedDeath is now known as RedDeath
13:22 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
13:26 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
13:34 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
13:48 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
13:48 -!- u0m3 [~u0m3@109.96.150.109] has quit [Ping timeout: 245 seconds]
13:49 < Ryu_Fitzgerald> could someone please take the time to help me set up a vpn server
14:03 -!- u0m3 [~u0m3@109.96.150.109] has joined #openvpn
14:13 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
14:20 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro, Thermi
14:21 <@krzee> Ryu_Fitzgerald,
14:21 <@krzee> !howto
14:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:21 <@krzee> !goal
14:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:25 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:30 -!- Netsplit over, joins: Thermi, fred``, Ulrar
14:39 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
14:45 -!- iokill [~dave@pippin.sigma-star.at] has quit [Ping timeout: 252 seconds]
14:45 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:45 -!- derRichard [~derRichar@pippin.sigma-star.at] has quit [Ping timeout: 252 seconds]
15:10 -!- dazo is now known as dazo_afk
15:15 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
15:23 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Excess Flood]
15:24 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
15:28 -!- iokill [~dave@pippin.sigma-star.at] has quit [Quit: leaving]
15:29 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
15:35 -!- Megaf is now known as Megaf_
15:35 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:36 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:40 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
16:01 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:01 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
16:08 -!- Megaf_ is now known as Megaf
16:08 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Ping timeout: 245 seconds]
16:13 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 272 seconds]
16:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
16:39 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
16:55 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Quit: WeeChat 0.4.3]
16:57 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
16:59 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
17:00 -!- thefinn93 [~finn@unaffiliated/thefinn93] has quit [Quit: cya]
17:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:16 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
17:40 -!- simcop2387 [~simcop238@p3m/member/simcop2387] has left #openvpn []
17:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:11 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
18:14 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
18:19 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 244 seconds]
18:35 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has joined #openvpn
18:39 < NoNamesLeft> Hey guys, I hate to be that guy but I must ask for help, I've wiki'd and googled and I'm really confused. I've straight up disabled firewalls on both the client and server now and I've still got the issue
18:39 < NoNamesLeft> The issue is that I can connect the the VPN and be assigned an IP, but I can only ping one ip -- the external IP on the host
18:40 < NoNamesLeft> I can't ping any 'local' IPs. IRC and Skype work but the web acts like there is no DNS
18:40 < NoNamesLeft> I'm going to paste the configs
18:42 < NoNamesLeft> http://p.pomf.se/3675 xxx is censored because it's public
18:42 <@vpnHelper> Title: Pomf Paste - Uguu~ (at p.pomf.se)
18:43 < NoNamesLeft> http://82.199.155.15/tf/server.txt server
18:45 < NoNamesLeft> This worked fine until an emergency reboot by the VPS server
18:48 < NoNamesLeft> Thanks in advance
18:54 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
18:58 <@ecrist> !welcome
18:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:58 <@ecrist> !configs
18:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:58 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
18:58 <@ecrist> !logs
18:58 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:58 <@ecrist> !goal
18:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:00 < NoNamesLeft> !goal I want to make my VPN work because I can't ping anything at all but Skype and IRC work and despite  disabling firewalls it still doesn't work, it's like there's no DNS but not even IPs work
19:00 < NoNamesLeft> !configs server: http://82.199.155.15/tf/server.txt client: http://82.199.155.15/tf/client2.txt
19:02 -!- RedDeath is now known as zz_RedDeath
19:03 < NoNamesLeft> !logs client: http://82.199.155.15/tf/clientlog.txt server: http://82.199.155.15/tf/serverlog.txt
19:04 < SushiDude> I am trying to configure an OpenVPN server to securely route all IPv4 and IPv6 traffic through my server (level 3). I am having trouble configuring IPv6 though. I am confused as to what IP address I am supposed to give to server-ipv6. Also, is the IPv6 going to be encapsulated and sent to he server over IPv4?
19:22 <+pekster> SushiDude: Yes. You need to use an unallocated IP range for your inside (the VPN-owned) network. Generally you use a /64, but you can use a /112 instead; if you do that, be aware this is incompatible with the "unofficial" patches debian applied to their 2.2.x OpenVPN releases
19:23 <+pekster> So, "same way you'd route IPv6 to a downstream LAN", just instead of a link-local /64 on your downstream interface, you assign that range to OpenVPN instead
19:25 <+pekster> NoNamesLeft: Flowchart for setting up and fixing redirect problems is here:
19:25 <+pekster> !redirect
19:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:25 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:26 < NoNamesLeft> pekster: thanks, but I've already got that open
19:26 < SushiDude> pekster: How would I go about determining and or setting up an unallocated IP range inside the VPN network? I am not very familiar with IPv6 networking.
19:26 <+pekster> The same way you'd do it in IPv4 networking. Just with an IPv6 subnet.
19:27 <+pekster> I assume you already have a properly-deligated block of IP space to this server?
19:27 <+pekster> If not, you need to fix that (or use awful hacks becuase your ISP is too braindead to support RFC6177)
19:27 < NoNamesLeft> I get to "you likely have a firewall issue" but I've actually set iptables to accept EVERYTHING and disabled windows firewall on the client
19:27 < SushiDude> I get IPv6 from my ISP, so I assume so.
19:28 <+pekster> SushiDude: Do you get a routed /60 or /56 block then?
19:28 <+pekster> You can't use the on-link /64 with a routed VPN; you need a _routed_ block of space to work with
19:28 <+pekster> You should have received (or be able to easily request) something between a /60 and a /56 depending on what your needs are and how helpful your ISP is
19:29 <+pekster> NoNamesLeft: People have all sorts of (usually wrong) ways to check their Netfilter state. Can you paste `iptables-save` to a pastebin? Let's check things over the right way first.
19:29 < SushiDude> pekster: Well, this is a home ISP so I don't think I can request anything from them.
19:29 <+pekster> Then find one that doesn't suck donkey balls
19:29 <+pekster> RFC6177 is your reference here
19:30 <+pekster> It very plainly says in the summary that a single /64 is TOO SMALL for endpoints
19:30 <+pekster> If that's all you have, you are paying money to receive crap for IPv6 service
19:30 < SushiDude> Well, I don't know how to check if I have a /60 or /56.
19:30 <+pekster> Ask your ISP? :)
19:31 <+pekster> Some assign it on request, some give you a routed /64 or /60 by default, and some require you to use IPv6 PD (Prefix Deligation is your search term there) to request it automatically
19:31 < SushiDude> is there no way to check without contracting them?
19:31 <+pekster> Until you know how that's configured, OpenVPN won't really do much good unless you only route private address space
19:31 <+pekster> Enable PD and find out? Consult your documentation?
19:31 <+pekster> I'm not your ISP's tech support ;)
19:32 < SushiDude> I am thinking that setting up a bridged (level 2) VPN would be a better idea in my situation
19:32 <+pekster> Bridging is almost always the wrong solution
19:32 <+pekster> !tunortap
19:32 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
19:32 <@vpnHelper> rooted/jailbroken) support only tun
19:33 < NoNamesLeft> pekster
19:33 < NoNamesLeft> http://82.199.155.15/tf/iptables.up.rules
19:33 < NoNamesLeft> I am probably wrong, but I had it just-working (tm) up until now
19:34 <+pekster> NoNamesLeft: Netfilter rules are indeed not blocking anything. So right now your VPN client can ping the VPN IP of the server, but nothing beyond that, like 4.2.2.1 ?
19:34 < NoNamesLeft> I can ping the EXTERNAL ip
19:34 < NoNamesLeft> but nothing else
19:34 <+pekster> Start with the VPN IP
19:34 < NoNamesLeft> not even 10.9.8.1
19:35 <+pekster> Then you shouldn't have progressed to any other box on the flowchart until you fixed that (it's the very _first_ box)
19:35 < NoNamesLeft> I can ping the external IP
19:35 < NoNamesLeft> which is what I assumed it meant
19:35 < NoNamesLeft> as in 82.199.155.15
19:36 < NoNamesLeft> even then, "fix your vpn" is the whole reason I'm at this chart
19:36 <+pekster> That flowchart is for when your VPN already works and you wish to redirect Internet traffic over it
19:36 < NoNamesLeft> oh, well it is 'working' --I'm connected
19:36 < NoNamesLeft> I assumed it was a redirect issue
19:37 < NoNamesLeft> http://openvpn.net/index.php/open-source/faq/77-server/285-everything-seems-to-be-configured-correctly-but-i-cant-ping-across-the-tunnel.html I'm looking at this
19:37 <@vpnHelper> Title: Everything seems to be configured correctly, but I can't ping across the tunnel. (at openvpn.net)
19:37 <+pekster> NoNamesLeft: Your client log contains the problem. Things like "ERROR" are usually important
19:37 < NoNamesLeft> everything mathces in the configs
19:37 <+pekster> Specifically:
19:37 <+pekster> Thu Jun 26 00:54:31 2014 ERROR: Windows ipconfig command failed: returned error code 2
19:38 < NoNamesLeft> issue on the clientside with the tap adapter?
19:38 <+pekster> More likely the win32-api method to set the IP is failing for some reason in your setup
19:38 < NoNamesLeft> well
19:38 < NoNamesLeft> interesting you say that
19:38 <+pekster> You're running the VPN process "as an administrator"  ?
19:38 < NoNamesLeft> i got another client to try
19:38 < NoNamesLeft> and they ahd the same
19:38 < NoNamesLeft> yep
19:38 < NoNamesLeft> as admin
19:38 < NoNamesLeft> as I always did
19:38 < NoNamesLeft> I haven't changed anything on my client end
19:38 < NoNamesLeft> and it worked yesterday
19:39 <+pekster> Try adding `--ip-win32 ipapi` to your client config
19:40 < NoNamesLeft> done
19:40 < NoNamesLeft> testing now
19:41 < NoNamesLeft> nope
19:41 < NoNamesLeft> same error in log
19:42 <+pekster> You could try either the `manual` or `netsh` methods too
19:42 < NoNamesLeft> as I say
19:42 < NoNamesLeft> other clients for whom it worked
19:42 <+pekster> Windows has some fairly quicky networking behavior, possibly made worse by all the software that may have fingers in parts of it
19:42 < NoNamesLeft> it's no longer working for them
19:42 <+pekster> (network drivers, sometimes even antivirus software sticks its nose where it doesn't belong)
19:42 < NoNamesLeft> and the only thing that changed is on the clientside
19:42 < NoNamesLeft> ***Serverside
19:43 <+pekster> Hmm, that might actually be caused by the register-dns stuff
19:43 <+pekster> At a wild stab, does commenting that out change anything?
19:43 < NoNamesLeft> should I change the DNS?
19:43 < NoNamesLeft> I'll try that now
19:44 <+pekster> No, just comment out that option
19:44 < NoNamesLeft> yeah
19:44 < NoNamesLeft> that's what I mean
19:45 <+pekster> It has the client run a bunch of hacks to "trick" their shitty DNS into (usually, except on full moons) doing the right thing
19:45 < NoNamesLeft> aaaand
19:45 < NoNamesLeft> nope
19:45 < NoNamesLeft> I'm still on IRC though
19:45 <+pekster> On connect is the IP set correctly?
19:45 < NoNamesLeft> I'm connected to the vPn
19:45 < NoNamesLeft> but I'm talking to you
19:45 < NoNamesLeft> and let me check
19:45 < NoNamesLeft> yep
19:46 < NoNamesLeft> I'm just gonan change the port and protocol
19:46 < NoNamesLeft> I have to use TCP443 for uni
19:46 <+pekster> And the routes? One for the /32 of your external server IP, then a /24 route for the VPN network of 10.9.8.0/24, and two more routes for 0/1 and 128/1 ?
19:46 < NoNamesLeft> everything else is blocked
19:46 <+pekster> The on-link route for 10.9.8/24 is very important
19:46 < NoNamesLeft> right
19:46 < NoNamesLeft> I'll just compare them all now
19:46 < NoNamesLeft> as I say
19:46 < NoNamesLeft> this all worked perfectly yesterday
19:47 <+pekster> Otherwise maybe try a tcpdump on the egress of your client and see if the packets are leaving the server when you ping across the tunnel? (careful not to count the TLS keepalive traffic though)
19:47 < NoNamesLeft> I'm running a tcpdump on tun0 right now
19:47 <+pekster> if they leave, you should see the packet on the recieving end (at the server) and see the ping on the tun interface
19:47 < NoNamesLeft> as I ping
19:48 < NoNamesLeft> I can't ping server-to-client
19:49 <+pekster> Don't worry about that (might be client firewall.) Save that for later
19:49 < NoNamesLeft> disabled
19:49 <+pekster> Or client A/V. I can identify netfilter rules better than "anything that might be running on the client"
19:49 <+pekster> And with the ruleset you posted, assuming that's the live output of the ruleset, isn't blocking anything it gets, and routing isn't even involved to ping the server itself
19:50 < NoNamesLeft> this is a 2 day old install of win8.1 -- I haven't got round to AV software yet. I'll try and turn off windows defender
19:50 <+pekster> Unlikely that's the problem, but you never know. I'd really look at a packet dump though (grab wireshark or tshark if you need it) just to verify it leaves your OS on the _physical_ interface
19:50 <+pekster> (not the tap adapter)
19:51 < NoNamesLeft> I'll check that now
19:51 < NoNamesLeft> this is the server-to-client
19:51 < NoNamesLeft> listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
19:51 < NoNamesLeft> 20:48:35.952459 IP 10.9.8.1 > 10.9.8.2: ICMP echo request, id 4699, seq 1, length 64
19:51 < NoNamesLeft> that just repeats
19:51 < NoNamesLeft> so it is leaving the server
19:51 < NoNamesLeft> I think
19:51 <+pekster> Either the client isn't getting it, or it's ignoring it
19:51 <+pekster> That's just the tun device
19:51 < NoNamesLeft> should I watch on the actual output?
19:52 <+pekster> Pretty sure I suggested that twice. But for a ping in the other direction
19:52 < NoNamesLeft> yeah
19:52 < NoNamesLeft> sorry
19:52 <+pekster> See what that tells you
19:53 < NoNamesLeft> installing wireshark
19:56 < NoNamesLeft> okay watching my ethernet adapter
19:56 < NoNamesLeft> continuation data is continually leaving for the server
19:56 < NoNamesLeft> but when i ping
19:56 < NoNamesLeft> nothing
19:57 < NoNamesLeft> when i ping the external ip
19:57 <+pekster> You'll be able to identify the keepalive traffic fairly easily (you'll see an asymettric packet every ~10 seconds, one in each direction.)
19:57 < NoNamesLeft> it works
19:57 < NoNamesLeft> yeah
19:57 <+pekster> You want to see the traffic that's in response to your ping though
19:57 <+pekster> Or rather, "generated by" the ping
19:57 < NoNamesLeft> when I ping 82.199.155.15 I get that
19:57 <+pekster> If that doesn't work, either the route is missing/wrong for the 10.9.8/24 route, or your OS is seriously screwing up
19:58 < NoNamesLeft> 10.9.8.1? blank
19:58 < NoNamesLeft> well
19:58 < NoNamesLeft> let's try
19:58 < NoNamesLeft> turning it off and on again
19:58 < NoNamesLeft> back in a sec
19:58 <+pekster> That should be routed via the TAP32 adapter in the routing table
19:58 < NoNamesLeft> hm but again
19:58 < NoNamesLeft> the other client is also facing this
19:59 < NoNamesLeft> I might just nuke the entire setup
19:59 < NoNamesLeft> and go from scratch
19:59 <+pekster> If it's not sending packets, you've got a very basic problem somewhere
19:59 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
20:00 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has joined #openvpn
20:01 < NoNamesLeft> it's just hit 2am. thanks for all your help, I'll have to see if I can find the root of the issue tomorrow
20:02 <+pekster> I'd suggest the "follow the packet" game -- start at the very beginning on your tun device of the sending system, and work forward from there
20:02 <+pekster> Don't forget to follow the path through the encryption/decryption (so you've got at least 4 interfaces involved, and possibly more if you control the routers)
20:02 < NoNamesLeft> right, thanks again
20:03 < NoNamesLeft> I'll let you know if I get it sorted
20:03 <+pekster> gl
20:03 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
20:04 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
20:07 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
20:07 -!- zz_RedDeath is now known as RedDeath
20:21 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
20:33 -!- arescorpio [~arescorpi@23-26-245-190.fibertel.com.ar] has joined #openvpn
20:42 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:44 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 240 seconds]
20:56 -!- dvl [~dvl@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
21:07 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 246 seconds]
21:09 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
21:48 < SushiDude> What is the IPv6 equivalent to redirect-gateway?
21:50 <+pekster> !redirect
21:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:50 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:50 <+pekster> See (#3) above
21:50 <+pekster> That's "all of the globally routable IP space" today
21:52 < SushiDude> What about all of the globally routable IP space tomorrow?
21:53 <+pekster> Pretty sure IANA won't be allocating that anytime soon. Subscribe to their announcement lists if you're that concerned
22:04 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
22:04 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 264 seconds]
22:04 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
22:05 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
22:05 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has quit [Ping timeout: 260 seconds]
22:06 -!- Wolfbutt [~quassel@milkyway.jeroendeneef.eu] has quit [Ping timeout: 264 seconds]
22:06 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
22:07 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
22:09 -!- Jeroen52 [~quassel@milkyway.jeroendeneef.eu] has joined #openvpn
22:10 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
22:11 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
22:11 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
22:12 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 252 seconds]
22:14 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
22:16 -!- erkules_ is now known as erkules
22:17 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
22:19 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has joined #openvpn
22:20 -!- fred`` [fred@earthli.ng] has joined #openvpn
22:35 < SushiDude> Well now that I pushed route-ipv6 2000::/3, ipv6 does not work on the client at all.
22:35 < SushiDude> Which leads me to believe that I did the subnetting wrong.
22:36 <+pekster> Have a server config somewhere? (sans blanks/comments please, we have grep to rip out the junk at !configs)
22:38 < SushiDude> !configs
22:38 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
22:40 < SushiDude> pekster: http://pastebin.com/20175Xwy
22:49 <+pekster> So you can't ping 2604:6000:1005:beef::1 ?
22:50 < SushiDude> from the client?
22:51 <+pekster> Yup. That should be going over the tunnel assuming no very broken networking setup
22:51 < SushiDude> I will go and try.
22:52 <+pekster> I'd presume you'd already done that before declaring IPv6 "does not work at all"
22:52 <+pekster> Maybe check/fix IPv6 forwarding?
22:52 <+pekster> Start with those 2 items
22:58 < SushiDude> I was checking my IP address through Google and after pushing route-ipv6 2000::/3 I could only connect through IPv4.
22:58 < SushiDude> I can ping 2604:6000:1005:beef::1.
22:59 <+pekster> So IPv6 is working. It's _not_ completely broken
22:59 <+pekster> ping6 to 2600::. If that fails, fix your routing or firewalling on the server
23:00 -!- arescorpio [~arescorpi@23-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 252 seconds]
23:10 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Quit: closing IRC]
23:14 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
23:30 < SushiDude> I am not sure how to configure my firewall to allow IPv6 in this situation. I am using UFW. I have DEFAULT_FORWARD_POLICY="ACCEPT" net/ipv4/ip_forward=1net/ipv6/conf/default/forwarding=1 net/ipv6/conf/all/forwarding=1.
23:31 <+pekster> No clue about UFW; ask #ubuntu maybe (ubuntu maintains it.)
23:32 < SushiDude> It is iptables based
23:32 <+pekster> Don't care. I'm not interested in fixing ufw, network-manager, or any of the ubuntu line of crapware
23:32 <+pekster> If you want to write real Netfilter-based rules, I have some templates (IPv6 edge-routing included) you might be able to learn from: https://github.com/QueuingKoala/netfilter-samples
23:32 <@vpnHelper> Title: QueuingKoala/netfilter-samples · GitHub (at github.com)
23:33 <+pekster> If you have questions about Netfilter _specifically_ there is #Netfilter. They will not deal with ufw either.
23:35 < SushiDude> Okay, then. But just so you know, NetworkManager was made by Red Hat.
23:35 <+pekster> True enough
23:35 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 244 seconds]
23:39 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
23:53 -!- ShadniX [dagger@p5DDFD043.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:54 -!- ShadniX [dagger@p5DDFFA8F.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Jun 26 2014
00:00 -!- ajc_ [ajc@nat/hp/x-hvqwvcabpidmdlei] has joined #openvpn
00:12 -!- RedDeath is now known as zz_RedDeath
00:22 < SushiDude> Well, I tried '-A FORWARD -s 2604:6000:1005:beef::/64 -o eth0 -j ACCEPT' and that did not work
01:09 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
01:27 -!- Mike-- [mad@84.245.27.194] has joined #openvpn
01:34 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
01:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:39 <@krzee> ?and can it return?
01:44 < SushiDude> Well I tried a ton of other things and non of them worked.
01:44 <@krzee> !linipforward
01:44 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
01:45 < SushiDude> krzee: that does not help. IPv4 forwarding works perfectly. What I need is IPv6.
01:46 <@krzee> sysctl -a|grep forward
01:46 <@krzee> show me on pastebin
01:47 < SushiDude> http://pastebin.com/tyqhY2aW
01:48 < SushiDude> krzee: ^
01:50 <@krzee> how about iptables-save
01:53 < SushiDude> krzee: Here is my OpenVPN server config: http://pastebin.com/20175Xwy. I can ping 2604:6000:1005:beef::1.
01:53 < SushiDude> krzee: http://pastebin.com/3qZp55sx
01:53 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
01:56 <@krzee> omg eye bleach
01:57 < SushiDude> krzee: what is wrong?
01:59 <@krzee> your firewall hurts my eyes
02:00 <@krzee> iptables -I FORWARD -i tun+ -j ACCEPT
02:00 <@krzee> see if you can just short circuit it
02:00 <@krzee> -I and -A are different
02:01 <@krzee> also you dont need your nat rule 20 times :D
02:01 < SushiDude> That was UFW
02:01 < SushiDude> It readded it a bunch because I have been restarting it a lot.
02:10 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
02:11 <@krzee> did you do what i said?
02:14 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:59 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
03:06 -!- zz_RedDeath is now known as RedDeath
03:09 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
03:18 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
03:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:48 -!- defsdoor [~andy@cpc9-sutt4-2-0-cust184.perr.cable.virginm.net] has joined #openvpn
03:57 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
04:29 -!- Argat [~argat@adsl-98-48.du.nwc.is] has quit [Read error: Connection reset by peer]
04:34 -!- mvdan [~mvdan@mvdan.cc] has joined #openvpn
04:34 < mvdan> is the developer of de.blinkt.openvpn here?
04:37 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:47 -!- RedDeath is now known as zz_RedDeath
04:55 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
05:08 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
05:46 -!- SchmoDroid [~SchmoDroi@213.235.233.85] has joined #openvpn
06:04 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
06:18 -!- Hadi [~Instantbi@31.59.157.230] has joined #openvpn
06:20 < Hadi> Hello guys. How can i run openvpn in linux in background? so if i close the terminal, it won't close down the connection?
06:20 < Hadi> I connect like this, i type sudo openvpn  myvpnconfig.conf
06:21 < lotherk> Hadi, add --daemon
06:21 < lotherk> to command line, or daemon into the config
06:22 < Hadi> lotherk:  should i type it after openvpn? or after that i specified the config file
06:22 < lotherk> what will work for sure is: openvpn --daemon --config <your conf file>
06:22 < lotherk> or simply add "daemon" into the conf file
06:22 < Hadi> lotherk: just in one line? alright! i'll check it now
06:22 < lotherk> yea, just in a single line.
06:23 < lotherk> the conf file basically consists out of command line arguments per line (with a few exceptions like xml styled <ca>, etc.)
06:25 < Hadi> lotherk: I did it! my command prompt reappeared.. Is there a way to check the output somewhere?
06:25 < lotherk> if you've added the 'log <file>' statement, then it that file.
06:26 < Hadi> awesome
06:26 < lotherk> :)
06:26 < Hadi> How can i  close it down when i'm done?
06:26 <+pekster> lotherk: Most distros come with an initscript for this kind of control
06:26 <+pekster> If yours does not, you might consider writing one
06:27 < lotherk> pekster: you want to talk to Hadi I guess.
06:27 <+pekster> Ah, yes I do (still working on coffee #1 ;)
06:27 < Hadi> pekster: it's manjaro
06:27 < lotherk> Hadi you could run ps aux |grep openvpn and kill the pid
06:28 <+pekster> No idea what it is, but an initscript is a common part of packaging any application to a new distro/platform
06:28 < lotherk> you could also tell openvpn to write its pid to some file (don't know the argument)
06:28 -!- u0m3 [~u0m3@109.96.150.109] has quit [Read error: Connection reset by peer]
06:28 < lotherk> Hadi, do you want to run openvpn permanently? Like on every boot?
06:28 <+pekster> Right, an initscript tends to 1) do any distro-specific setup, 2) launching the service (openvpn here) with the right options for what the user asked for, and 3) allow the process to be queried for status, stopped, or restarted on-demand
06:28 < Hadi> lotherk:  i see it's pid,  great
06:29 < Hadi> lotherk:  that would be more than awesome
06:29 <+pekster> You can store the PID with openvpn's --pidfile option too
06:29 < lotherk> then it might be enough if you copy your config into /etc/openvpn
06:29 <+pekster> (initscripts tend to use that)
06:29 < lotherk> and run /etc/init.d/openvpn start
06:29 < lotherk> (as root, both)
06:29 < lotherk> you can then stop openvpn with /etc/init.d/openvpn stop
06:29 < lotherk> or restart, or status like pekster said
06:30 < lotherk> btw, your config should end with .conf
06:30 < Hadi> pekster:  thanks for that init explaination, i'm a linux newb
06:30 < lotherk> you could also use the tools your desktop environment offers
06:30 < lotherk> e.g. gnome's networkmanager
06:30 < lotherk> (might require networkmanager-openvpn to be installed, at least on debian* systems)
06:31 <+pekster> We've seen networkmanager handle openvpn poorly here, but if your setup is simple it might do what you want
06:31 < Hadi> lotherk:  manjaro is based on arch, does it have the init thingy?
06:31 < lotherk> yes, it does. every linux has that "init" thingy ;)
06:31 <+pekster> Just make sure your config is working first and _then_ add complex GUI frontends; doing it the other way around makes identifying your own problems hard
06:31 < Hadi> I saw systemctl stuff, is that the same thing
06:32  * lotherk has no clue about manjaro/arch
06:32 < lotherk> just try to copy your config to /etc/openvpn and run /etc/init.d/openvpn start
06:32 < Hadi> protips by pekster!
06:32 < lotherk> if it works, you don't have to do anything else.
06:33 < Hadi> lotherk:  whiew,  /etc/init.d does not exist. noooooOO
06:34 <+pekster> You might ask in a channel or mailing-list for your distro
06:34 < Hadi> Yeah i think i need to make a .service file for systemctl for the openvpn startup
06:34 <+pekster> Oh, systemd sillyness?
06:34 <+pekster> Yea, that's part of the distro's responsibility to ship support for things like that
06:35 < Hadi> Dam it censorship made me to do things that i shouldn't do as a beginner maybe
06:35 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
06:36 -!- u0m3 [~u0m3@109.96.150.109] has joined #openvpn
06:58 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:03 -!- stemid [~avatar@ns4.sydit.se] has joined #openvpn
07:03 < stemid> is there any magic in openvpn that can handle a shaky wifi connection? right now my wifi seems to disconnect every hour and openvpn hangs even though the wifi returns almost immediately.
07:03 < stemid> I'm using udp
07:04 < lotherk> may keepalive help here?
07:06 < stemid> hmm ok, I will check out ping-restart and keepalive
07:06 < stemid> today my server has keepalive 10 120 set arbitrarily
07:07 < stemid> 120 is default I believe
07:09 < lotherk> yea, ping-restart may help, too. I'm using both and my tunnels reconnect without problems but can't say for sure.
07:09 < stemid> thanks
07:09 < stemid> lotherk: what is yours set to?
07:10 < lotherk> sec
07:10 < lotherk> keepalive 10 120
07:10 < stemid> =)
07:10 < lotherk> :)
07:10 < stemid> there is a very specific error whenever the wifi fails and openvpn hangs, but it's gone in terminal buffer now. will be back later with it
07:11 < stemid> I know it will happen again
07:11 < stemid> and FYI I'm in a class so it's not my wifi. or I would fix it
07:27 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
07:50 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
08:00 -!- ajc_ [ajc@nat/hp/x-hvqwvcabpidmdlei] has quit [Read error: Connection reset by peer]
08:05 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:13 < vinky> what is a good approach to optimizing a openvpn configuration? I've read this, but is there anything else I should look at? https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
08:13 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
08:16 < rob0> JJK wrote that, I believe, so that's credible.
08:16 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:22 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
08:23 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:30 < stemid> ok here's what happens to my openvpn on an unstable wifi right now. I never catch the wifi going down but when I look at my openvpn terminal I see it has done a ton of Wr's that are not real because I do not have that much traffic going. then it says Inactivity timeout and restarting due to ping-restart. then I get this error over and over until I interrupt openvpn and restart it. Thu Jun 26 15:23:59 2014 us=41001 RESOLVE: Cannot resolve host address: my.vpn.
08:30 < lotherk> well
08:30 < lotherk> my.vpn may not be resolvable?
08:33 -!- Hadi [~Instantbi@31.59.157.230] has quit [Quit: Instantbird 1.6a1pre -- http://www.instantbird.com]
08:35 -!- hadi [~root@cpc23-stkn13-2-0-cust538.11-2.cable.virginm.net] has joined #openvpn
08:36 -!- hadi [~root@cpc23-stkn13-2-0-cust538.11-2.cable.virginm.net] has left #openvpn []
08:38 < stemid> if anyone said anything after my last line then I didn't see it because I reconnected through another openvpn.
08:38 < stemid> but now I'm using a single VPS instance with no NAT.
08:42 -!- zz_RedDeath is now known as RedDeath
08:43 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:47 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 244 seconds]
08:54 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
08:58 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:13 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
09:13 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
09:27 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
09:29 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
09:33 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:39 -!- Mike-- [mad@84.245.27.194] has quit [Read error: Connection reset by peer]
09:39 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
09:41 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:57 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 255 seconds]
10:05 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Read error: Connection reset by peer]
10:18 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
10:18 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
10:35 -!- hyper_ch [~hyper_ch@149.154.159.210] has joined #openvpn
10:36 < hyper_ch> hmmm, on my android I have three openvpn apps installed: OpenVPN connect, openvpn installer and openvpn settings... I tend to think I don't need all of them
10:37 <@Eugene> stemid - the W in your log is definitely real; it's packets generated by applications running over the VPN(TCP) retrying to send, but getting nowhere
10:37 <@Eugene> The issue sounds like you're doing DNS over the vpn, with no fallback mechanism.
10:38 <@Eugene> The quickest way to resolve this is to hardcode your server's IP address in your conf file
10:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:58 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
11:00 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
11:08 -!- hyper_ch [~hyper_ch@149.154.159.210] has left #openvpn ["Konversation terminated!"]
11:20 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 244 seconds]
12:03 -!- SchmoDroid [~SchmoDroi@213.235.233.85] has quit [Ping timeout: 240 seconds]
12:09 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:10 -!- Hadi [~Instantbi@31.59.157.230] has joined #openvpn
12:12 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has joined #openvpn
12:14 < NoNamesLeft> !goal
12:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:14 < NoNamesLeft> I stated all this at 1am GMT
12:14 < NoNamesLeft> pekster was helping me but they are away now
12:15 -!- Kniaz [~Kniaz@unaffiliated/bears] has joined #openvpn
12:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:16 -!- mode/#openvpn [+v s7r] by ChanServ
12:19 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
12:21 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:28 -!- brah [~allsdfjal@190.193.70.120] has joined #openvpn
12:28 < brah> Sup.
12:29 < brah> Should openssl -verify -CAcert ca.crt somecrt.crt return OK for OpenVPN to work using PKI?
12:30 -!- Hadi [~Instantbi@31.59.157.230] has quit [Quit: Instantbird 1.6a1pre -- http://www.instantbird.com]
12:31 < brah> ehh -verify should be verify and -CAcert should be -CAfile, but you get the point
12:51 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
12:59 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
13:00 -!- Mike-- [mad@84.245.27.194] has joined #openvpn
13:01 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
13:13 < brah> I had a setup somehow working with a mismatching ca.crt and client.crt pair. I'm only running the client so I looked up if it was possible to ignore this on the server, but it doesn't seem to be possible
13:13 -!- Mike-- [mad@84.245.27.194] has quit [Read error: Connection reset by peer]
13:13 < brah> And the server endpoint is not cooperating, they say I'm at fault.
13:14 < brah> Error is at depth 0, ca.crt is trusted and valid while client.crt is self signed by them.
13:15 -!- Hadi [~Instantbi@31.59.157.230] has joined #openvpn
13:15 -!- Hadi [~Instantbi@31.59.157.230] has quit [Quit: Instantbird 1.6a1pre -- http://www.instantbird.com]
13:17 -!- Hadi [~Instantbi@31.59.157.230] has joined #openvpn
13:21 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:25 < brah> Is the following scenario even possible? Our ca.crt and their server.crt verify OK, their ca.crt and our client.crt verify OK, and the VPN works.
13:27 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:27 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
13:33 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
13:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Client Quit]
13:46 -!- Netsplit *.net <-> *.split quits: NucWin, adaptr, @krzee, Nothing4You, defswork, mcp, get, MatToufoutu, Sembei, ratsupremacy,  (+123 more, use /NETSPLIT to show all of them)
13:46 -!- peper [~peper@gentoo/developer/peper] has quit [Max SendQ exceeded]
13:46 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
13:46 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
13:47 -!- Netsplit over, joins: Hadi, RaiNerTsuFal, APTX, +s7r, SushiDude, gffa, Ulrar, Brando753, Megaf, stemid (+123 more)
13:47 -!- ppr [~peper@gentoo/developer/peper] has joined #openvpn
13:47 -!- RedDeath is now known as zz_RedDeath
13:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
13:48 -!- Netsplit *.net <-> *.split quits: thumbs, gac, nlb, emid, roentgen, Cyclohexane, micko, malc0re, rob0
13:48 -!- Netsplit over, joins: malc0re, thumbs, gac
13:48 -!- Netsplit over, joins: roentgen
13:49 -!- Netsplit over, joins: Cyclohexane, micko
13:49 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:50 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
13:52 -!- NChief_ [~nchief@unaffiliated/nchief] has joined #openvpn
13:57 -!- Netsplit *.net <-> *.split quits: SCHAAP137, james41382, goldkatze, NChief, Magiobiwan, jgeboski, sauce, Pyrogerg, jeev, +hazardous,  (+1 more, use /NETSPLIT to show all of them)
13:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
13:59 -!- Netsplit over, joins: james41382
14:02 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
14:03 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:15 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
14:17 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has joined #openvpn
14:19 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
14:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:19 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:19 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
14:19 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
14:19 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
14:19 -!- ServerMode/#openvpn [+v hazardous] by asimov.freenode.net
14:28 -!- zz_RedDeath is now known as RedDeath
14:44 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
14:45 < joe9> Is there something similar to "redirect gateway" option for the server? I want to route an application's network traffic <--> openpn server <--> openvpn client <--> internet. I have the tun0 device created where the openvpn server is running. But, am not able to figure out how to route the traffic through the tun0.
14:46 < joe9>  http://codepad.org/0T2qkhxQ is not working.
14:46 <@vpnHelper> Title: Plain Text code - 3 lines - codepad (at codepad.org)
14:46 < joe9> q
14:47 < joe9> ip netns exec vpnNameSpace ip route add default via 10.8.0.2 dev tun0 after deleting the existing default route. When I delete the existing default route, the openvpn server loses connection with these messages (Thu Jun 26 13:46:05 2014 write UDPv4: Network is unreachable (code=101))
14:57 -!- Kniaz [~Kniaz@unaffiliated/bears] has quit [Changing host]
14:57 -!- Kniaz [~Kniaz@unaffiliated/vsiozashibis] has joined #openvpn
14:59 -!- Kniaz [~Kniaz@unaffiliated/vsiozashibis] has quit [Changing host]
14:59 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:01 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
15:07 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
15:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:10 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Quit: ABANDON SHIP! ABANDON SHIP!]
16:21 -!- p3rror [~mezgani@41.249.38.19] has joined #openvpn
16:25 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:35 -!- Hadi [~Instantbi@31.59.157.230] has quit [Ping timeout: 245 seconds]
16:36 -!- arescorpio [~arescorpi@23-26-245-190.fibertel.com.ar] has joined #openvpn
16:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
16:38 -!- triplicate [~triplicat@ip98-165-149-127.ph.ph.cox.net] has joined #openvpn
16:39 < triplicate> do there exist any best practice guidelines on priv key delivery to remote clients over the net?  e.g. prior to them connecting to a VPN?
16:41 < rob0> Best practice is for the users to generate their own key and CSR, so nothing secure ever needs to go over the net.
16:51 -!- mvdan [~mvdan@mvdan.cc] has left #openvpn ["WeeChat 0.4.3"]
16:52 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
17:06 -!- p3rror [~mezgani@41.249.38.19] has quit [Read error: Connection reset by peer]
17:08 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:11 -!- defsdoor [~andy@cpc9-sutt4-2-0-cust184.perr.cable.virginm.net] has quit [Quit: Ex-Chat]
17:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:13 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Read error: Connection reset by peer]
17:14 <+pekster> triplicate: General security recommendations (especially re: PKI) at:
17:14 <+pekster> !hardening
17:14 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
17:14 <+pekster> Otherwise see the easyrsa v3 howto here that makes CSR+signing as simple as it ought to be:
17:14 <+pekster> !easyrsa
17:14 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
17:15 <+pekster> Or optionally, any other PKI tool you like (see: !certman for alternatives in a variety of langauges)
17:28 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
17:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:55 < triplicate> thx pekster
17:59 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
18:01 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
18:06 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:06 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:11 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Excess Flood]
18:12 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
18:12 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 240 seconds]
18:14 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:26 -!- raspberrypifan [~textual@190.130.236.28] has joined #openvpn
18:32 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
18:43 -!- ShadniX [dagger@p5DDFFA8F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
18:45 -!- ShadniX [dagger@p5DDFFA8F.dip0.t-ipconnect.de] has joined #openvpn
18:49 -!- brah [~allsdfjal@190.193.70.120] has quit [Ping timeout: 240 seconds]
19:04 -!- triplicate [~triplicat@ip98-165-149-127.ph.ph.cox.net] has quit [Remote host closed the connection]
19:04 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:06 -!- RedDeath is now known as zz_RedDeath
19:17 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has quit [Remote host closed the connection]
19:42 -!- raspberrypifan [~textual@190.130.236.28] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:44 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
19:44 -!- abbe is now known as _abbe`
20:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
20:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
20:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:37 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
20:38 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:41 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:43 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 240 seconds]
20:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
20:57 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 240 seconds]
20:58 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
21:15 -!- u0m3_ [~u0m3@92.80.95.201] has joined #openvpn
21:15 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
21:17 -!- u0m3 [~u0m3@109.96.150.109] has quit [Ping timeout: 255 seconds]
21:18 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
21:18 -!- mode/#openvpn [+v RBecker] by ChanServ
21:21 -!- arescorpio [~arescorpi@23-26-245-190.fibertel.com.ar] has quit [Excess Flood]
21:58 -!- u0m3 [~u0m3@92.80.77.210] has joined #openvpn
22:01 -!- u0m3_ [~u0m3@92.80.95.201] has quit [Ping timeout: 264 seconds]
22:26 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 264 seconds]
22:31 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
22:31 -!- mode/#openvpn [+v RBecker] by ChanServ
23:41 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
23:53 -!- ShadniX [dagger@p5DDFFA8F.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:54 -!- ShadniX [dagger@p5DDFEC20.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Jun 27 2014
00:00 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:12 -!- erkules_ is now known as erkules
01:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
01:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:02 -!- ajc_ [ajc@nat/hp/x-bmcbnrljsjsyzjoe] has joined #openvpn
01:24 -!- RickyB98 [RickyB98@mediawiki/rickyb98] has quit [Ping timeout: 252 seconds]
01:49 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:13 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:22 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
02:25 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:27 -!- SchmoDroid [~SchmoDroi@gw02.focusmr.com] has joined #openvpn
05:54 -!- zz_RedDeath is now known as RedDeath
06:15 -!- elfixit [~Icedove@148-236.197-178.cust.bluewin.ch] has joined #openvpn
06:18 -!- dazo_afk is now known as dazo
06:26 -!- elfixit [~Icedove@148-236.197-178.cust.bluewin.ch] has quit [Ping timeout: 252 seconds]
06:42 -!- stemid [~avatar@ns4.sydit.se] has left #openvpn []
06:47 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:49 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
06:58 -!- dazo is now known as dazo_afk
07:03 -!- ajc_ [ajc@nat/hp/x-bmcbnrljsjsyzjoe] has quit [Read error: Connection reset by peer]
07:04 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
07:06 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:10 -!- RedDeath is now known as zz_RedDeath
07:13 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
07:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:22 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:43 -!- dazo_afk is now known as dazo
08:14 <@ecrist> good morning.  Happy Friday.
08:40 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
08:54 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:54 -!- mode/#openvpn [+v s7r] by ChanServ
09:01 -!- Billy2 [~nwnkirc@pool-98-110-181-88.bstnma.fios.verizon.net] has joined #openvpn
09:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
09:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:07 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 260 seconds]
09:08 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
09:20 -!- SchmoDroid [~SchmoDroi@gw02.focusmr.com] has quit [Ping timeout: 252 seconds]
09:41 -!- Billy2 [~nwnkirc@pool-98-110-181-88.bstnma.fios.verizon.net] has left #openvpn []
09:46 -!- dazo is now known as dazo_afk
10:00 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:24 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
10:27 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
10:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:40 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
11:03 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
11:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
11:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:15 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
11:15 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Remote host closed the connection]
11:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:24 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:33 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro
11:42 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 244 seconds]
11:44 -!- Netsplit over, joins: Ulrar, fred``
11:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
12:12 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
12:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
12:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:54 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
12:57 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
13:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:49 -!- dwitten [~dwitten@user-0c2i9ep.cable.earthlink.net] has joined #openvpn
13:50 -!- raspberrypifan [~textual@190.130.236.28] has joined #openvpn
13:51 -!- raspberrypifan [~textual@190.130.236.28] has quit [Max SendQ exceeded]
13:58 -!- raspberrypifan [~textual@190.130.236.28] has joined #openvpn
13:59 -!- Whoopie [~Whoopie@unaffiliated/whoopie] has quit [Quit: Proxy shutdown]
14:37 -!- arescorpio [~arescorpi@186-202-17-190.fibertel.com.ar] has joined #openvpn
14:38 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
14:43 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Ping timeout: 240 seconds]
14:43 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 240 seconds]
14:43 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
14:43 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 240 seconds]
14:43 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 240 seconds]
14:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
14:43 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
14:44 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
14:44 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:45 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
14:47 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 246 seconds]
14:50 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:53 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
14:54 < debbie10t> curios about this one : https://forums.openvpn.net/topic16243.html
14:54 <@vpnHelper> Title: OpenVPN Support Forum socket_protect error on Android L : OpenVPN Connect (Android) (at forums.openvpn.net)
15:04 -!- hanno [~hanno@91-64-49-24-dynip.superkabel.de] has joined #openvpn
15:05 < hanno> hi, I want to create a bug report
15:05 < hanno> however, I don't see any "new ticket" or anything alike in the trac interface (I have registered an account)
15:06 < debbie10t> hanno : https://community.openvpn.net/openvpn/newticket
15:09 < hanno> before I report anything unneccessary: the lzo vulnerability hasn't been discussed here before(?)
15:11 < debbie10t> discuss away ...
15:12 <@Eugene> CVE-2014-4607? I haven't seen a discussion here, no.
15:12 <@Eugene> Neither do I see an Issue open in the tracker, but that doesn't mean it isn't being worked on
15:12 <@Eugene> !devel
15:12 <@Eugene> !dev
15:12 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
15:13 <@Eugene> #openvpn-devel is the right place to have it, though. See also that list
15:16 <@Eugene> !fail2ban
15:16 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
15:19 < hanno> I've opened an issue in the tracker now
15:20 < hanno> https://community.openvpn.net/openvpn/ticket/419
15:20 <@vpnHelper> Title: #419 (Vulnerability in bundled LZO compression code) – OpenVPN Community (at community.openvpn.net)
15:20 <@Eugene> Should really reference the CVE, not a random blogpost.
15:22 < hanno> Eugene, I added a comment with the cve
15:25 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:28 -!- arescorpio [~arescorpi@186-202-17-190.fibertel.com.ar] has quit [Excess Flood]
15:44 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:46 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
15:47 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
15:51 -!- raspberrypifan [~textual@190.130.236.28] has quit [Ping timeout: 264 seconds]
15:52 -!- Netsplit *.net <-> *.split quits: SlutaTramsa, Chrisje, Cybertinus, jzaw, haasn, funnel
15:52 -!- funnel_ is now known as funnel
15:55 -!- Netsplit over, joins: jzaw
15:57 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
15:58 -!- Netsplit *.net <-> *.split quits: Chrisje
16:06 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 264 seconds]
16:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 264 seconds]
16:13 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
16:13 -!- Netsplit over, joins: Chrisje
16:15 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
16:15 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
16:15 -!- micko1 [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
16:15 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
16:15 -!- micko1 is now known as micko
16:15 -!- dwitten [~dwitten@user-0c2i9ep.cable.earthlink.net] has quit [Quit: Leaving]
--- Log closed Fri Jun 27 16:25:23 2014
--- Log opened Mon Jun 30 14:40:15 2014
14:40 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
14:40 -!- Irssi: #openvpn: Total of 166 nicks [6 ops, 0 halfops, 3 voices, 157 normal]
14:40 -!- Irssi: Join to #openvpn was synced in 1 secs
14:40 -!- mode/#openvpn [+o ecrist_] by ChanServ
14:41 -!- dazo is now known as dazo_afk
14:48 -!- hyper_ch [~hyper_ch@149.154.159.210] has joined #openvpn
14:49 -!- hyper_ch [~hyper_ch@149.154.159.210] has left #openvpn ["Konversation terminated!"]
14:51 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Ping timeout: 248 seconds]
14:51 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
14:59 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
15:00 < lfx> does ECDH work in openvpn yet?
15:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
15:06 < Monotoko> nvm
15:06  * Monotoko grumbles about sysctl
15:06 <@syzzer> lfx: not in the 2.3 releases, but there is support for it in the master branch
15:07 < lfx> syzzer, thank you
15:08 -!- zapotek6 [~zap@host170-76-dynamic.9-87-r.retail.telecomitalia.it] has quit [Ping timeout: 264 seconds]
15:08 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
15:13 < lfx> syzzer, the master branch doesn't seem to have the configure script
15:14 <@syzzer> lfx: run an 'autoreconf -vi' first :)
15:15 < lfx> ok :)
15:17 < lfx> works, thanks
15:18 < lfx> some other question: is it somehow possible to have different ciphers on the same instance/port?
15:18 < lfx> afik it is not negociated
15:18 < lfx> different cipher == different port/config
15:20 < lfx> the reason I'm wondering is because I have an account with a vpn service (private internet access) and they are running different ciphers on the same port
15:20 <@syzzer> lfx: no it's not possible (yet). cipher negotiation is on the wishlist, but so are many other features :)
15:20 < lfx> so I was wondering if it's possible by default and I don't know how or they customized it
15:20 < lfx> ah, ok :)
15:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
15:26 -!- alfadir [~fred@ag-248-181.sta.ji.cz] has quit [Quit: Lost terminal]
15:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:30 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
15:31 < Ryu_Fitzgerald> I have a vpn server that the clients can connect to but for some reason they can't get internet
15:31 < Ryu_Fitzgerald> I have tried messing with NAT rules but it does not work.  I know of no way to proceed from this point
15:31 < Ryu_Fitzgerald> how do I give vpn cients internet?
15:39 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
16:17 -!- raspberrypifan [~textual@190.131.164.211] has joined #openvpn
16:17 -!- raspberrypifan [~textual@190.131.164.211] has quit [Client Quit]
16:18 -!- raspberrypifan [~textual@190.131.164.211] has joined #openvpn
16:19 -!- raspberrypifan [~textual@190.131.164.211] has quit [Client Quit]
16:19 -!- raspberrypifan [~textual@190.131.164.211] has joined #openvpn
16:22 -!- raspberrypifan [~textual@190.131.164.211] has quit [Client Quit]
16:22 -!- raspberrypifan [~textual@190.131.164.211] has joined #openvpn
16:23 -!- raspberrypifan [~textual@190.131.164.211] has quit [Client Quit]
16:25 -!- raspberrypifan [~textual@190.131.164.211] has joined #openvpn
16:26 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:26 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
16:30 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
16:34 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 240 seconds]
16:34 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
16:35 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 240 seconds]
16:35 -!- Jobbe [~Jobbe@188.40.14.222] has quit [Ping timeout: 240 seconds]
16:35 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 240 seconds]
16:35 -!- lamokie [~steve@li428-245.members.linode.com] has quit [Ping timeout: 240 seconds]
16:35 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
16:35 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
16:35 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 240 seconds]
16:35 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
16:36 -!- Jobbe [~Jobbe@188.40.14.222] has joined #openvpn
16:38 -!- Jobbe [~Jobbe@188.40.14.222] has quit [Client Quit]
16:38 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
16:39 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has quit [Ping timeout: 252 seconds]
16:40 -!- Jobbe [~Jobbe@188.40.14.222] has joined #openvpn
16:41 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has joined #openvpn
16:42 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
16:46 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:53 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
17:09 -!- Envil [~meep@85.17.109.16] has quit [Remote host closed the connection]
17:10 -!- raspberrypifan [~textual@190.131.164.211] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:15 -!- Nikon [Nikon@alpha.yourbnc.co.uk] has joined #openvpn
17:15 < Nikon> yooooo
17:15 < Nikon> can I use easy RSA to do stuff other than for openvon?
17:16 <+pekster> Yup. What specifically interests you?
17:17 < Nikon> I'm looking to build some certs for my XMPP server as well, wondering if i should use build-key-server for that or if thats a openvpn thing
17:18 < elite_> use openfire
17:18 < elite_> it's automatic
17:18 < Nikon> elite_: i would but openfires bosh doesn't comply with the standard
17:18 <+pekster> It's a generic X.509 cert, and in the EasyRSA v2 model it's basically a stock openssl.cnf with minima modification
17:19 < Nikon> pekster: would it be good to use in this case then?
17:20 <+pekster> It'll probably be simple enough for you, yes. What kind of a PKI layout are you planning? Are you creating your own root CA, and how do you plan on distributing it?
17:21 < Nikon> I have my own root CA and it'll just sit on my machine
17:22 <+pekster> You already have the CA, and a signing structure? So how does this XMPP server fit into this?
17:23 < Nikon> It just needs the PEM
17:24 < Nikon> the actual keys
17:24 <+pekster> That's the result; how you get there matters an awful lot if you expect users to actually trust this in any meaningful way
17:25 <+pekster> Do you want self-signed? Do you want a CSR (request) you send to a CA you already have? Do you want to set up a CA and generate a request for signing in the (hopefully secured) CA system?
17:31 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:32 < Nikon> self-signed
17:33 <+pekster> easyrsa isn't designed to create a self-signed cert with the TLS-Server flag set you're probably expecting; if that's all you want, you don't have a CA at all, just the self-signed cert (which is sort of "both" a CA and an entity cert)
17:36 < Nikon> so, can i just build a normal self-signed cert like as with openvpn?
17:36 <+pekster> OpenVPN does _not_ use self-signed certs
17:36 <+pekster> It uses a properly created PKI with a CA, and entity certificates signed by this CA
17:37 <+pekster> Self-signed means you only have a single cert, and it is both the CA and entity certificate. It's basically completely untrustworthy and serves only as a form of opportunistic encryption (as any attacker could simply provide their "own" self-signed cert)
17:37 < Nikon> with the CA being themselves?
17:37 <+pekster> The CA is (or should be) kept on a secure environment, usually a separate system, but sometimes jsut
17:38 <+pekster> just a locked down account (I use the 'pki' account on a management system personally)
17:38 <+pekster> "I" am still the CA holder, and "I" own my server, but the CA and server systems are separate
17:38 < Nikon> Okay, so i guess i screwed up my terms, so i have the CA, i want to gen then sign a request right?
17:40 <+pekster> Let's see if I understand your setup. You have an existing CA and PKI structure ready to accept CSRs (a "Certificate Signing Request", usually stored in a .csr or .req file), yes? And you need to create a request for your server, which you are ready to sign?
17:40 < Nikon> yea
17:41 <+pekster> EasyRSA v2 is rather unsuited to do this. EasyRSA v3 makes this fairly easy though. What's your server OS?
17:42 < Nikon> I've got 3, debian
17:44 <+pekster> If you need the full "country, state, city, org, org unit" etc fields, you'll need to enable that by copying vars.example to vars, otherwise just do `./easyrsa init-pki && ./easyrsa gen-req nopass` to generate a CSR
17:44 <+pekster> Servers almost always have no password on private keys (otherwise you need to enter it on each startup) so be sure your filesystem and physical security suits your needs
17:44 < Nikon> wait
17:44 < Nikon> ....
17:44 < Nikon> fudge
18:23 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
18:23 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:24 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
18:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
18:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Remote host closed the connection]
18:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:31 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
18:32 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
18:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:55 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
18:56 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:59 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
19:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
19:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:22 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
20:26 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 245 seconds]
20:29 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
20:36 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:38 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 255 seconds]
20:42 -!- justinzane [~justinzan@24.49.207.203] has quit [Ping timeout: 240 seconds]
20:50 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Quit: Leaving!]
20:51 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
20:54 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
20:55 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
20:59 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 264 seconds]
21:08 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
21:12 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 248 seconds]
21:13 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
21:17 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Quit: Leaving!]
21:23 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
21:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:54 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Quit: Leaving!]
21:55 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
21:55 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Client Quit]
21:56 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
21:56 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Remote host closed the connection]
22:03 -!- arescorpio [~arescorpi@190.19.140.162] has joined #openvpn
22:11 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
22:45 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
23:15 -!- Netsplit *.net <-> *.split quits: fred``, Ulrar, Olipro
23:21 -!- Netsplit *.net <-> *.split quits: adaptr, NucWin, james41382_, hive-mind, Nothing4You, @krzee, defswork, MatToufoutu, get, dvl,  (+129 more, use /NETSPLIT to show all of them)
23:23 -!- Netsplit over, joins: supergauntlet, Nikon, outofbounds
23:23 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
23:23 -!- Netsplit over, joins: justinzane, zoomequipd, arescorpio, james41382_, _KaszpiR_, erkules_, mgorbach, Kniaz, RaiNerTsuFal, adaptr (+124 more)
23:23 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
23:23 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
23:23 -!- Netsplit over, joins: Ulrar, fred``
23:24 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
23:25 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:25 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:26 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 252 seconds]
23:26 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
23:26 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
23:27 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Write error: Broken pipe]
23:31 -!- ShadniX [dagger@p57941694.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:31 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Excess Flood]
23:31 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
23:32 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
23:32 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
23:32 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 397 seconds]
23:32 -!- ShadniX [dagger@p5481CF7C.dip0.t-ipconnect.de] has joined #openvpn
23:34 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
--- Day changed Tue Jul 01 2014
00:03 -!- ajc_ [ajc@nat/hp/x-hykcwauvrabojtsj] has joined #openvpn
00:05 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 248 seconds]
00:10 -!- arescorpio [~arescorpi@190.19.140.162] has quit [Excess Flood]
00:13 -!- alfadir [~fred@ag-248-181.sta.ji.cz] has joined #openvpn
00:34 -!- james41382_ [~james@unaffiliated/james41382] has quit [Remote host closed the connection]
00:45 -!- Kerbe [kerberos@gladiolus.fi] has joined #openvpn
01:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
01:28 -!- zalami [~NDJ@cpe-74-73-165-167.nyc.res.rr.com] has quit [Ping timeout: 245 seconds]
01:32 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
01:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:57 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
02:05 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:24 -!- larryone [~larryone@178.167.254.123.threembb.ie] has joined #openvpn
02:36 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Remote host closed the connection]
02:36 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
02:54 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:21 -!- larryone [~larryone@178.167.254.123.threembb.ie] has quit [Quit: This computer has gone to sleep]
03:24 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Ping timeout: 264 seconds]
03:25 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
03:30 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 264 seconds]
03:31 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
03:31 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:34 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
03:57 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
04:11 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
04:12 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
04:12 -!- mode/#openvpn [+o vpnHelper] by ChanServ
04:15 -!- hive-mind [pranq@mail.bbis.us] has quit [Remote host closed the connection]
04:15 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
04:15 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
04:28 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 240 seconds]
05:40 -!- dazo_afk is now known as dazo
05:42 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
05:48 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
05:49 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
05:49 -!- mode/#openvpn [+o vpnHelper] by ChanServ
06:44 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
06:51 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Ping timeout: 245 seconds]
06:51 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
06:52 -!- Jobbe [~Jobbe@188.40.14.222] has quit [Changing host]
06:52 -!- Jobbe [~Jobbe@fsf/member/Jobbe] has joined #openvpn
07:00 -!- doebi1 [~doebi@doebi.at] has joined #openvpn
07:01 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 245 seconds]
07:01 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 245 seconds]
07:08 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
07:08 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Max SendQ exceeded]
07:12 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
07:13 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
07:13 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
07:13 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Max SendQ exceeded]
07:13 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has quit [Ping timeout: 264 seconds]
07:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
07:13 < reiffert> Eugene: I had to re-identify with the nickserv. Your advise didnt work.
07:17 -!- ajc_ [ajc@nat/hp/x-hykcwauvrabojtsj] has quit [Write error: Connection reset by peer]
07:17 -!- Kuba [newc3917@unaffiliated/kuba] has joined #openvpn
07:17 < Kuba> hey :)
07:19 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
07:19 < Kuba> `man openvpn` several times mentions directives "exapanding", where expanded code contains if/else statements; am I allowed to if/else in my openvpn.conf?
07:26 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
07:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:35 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
07:36 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
07:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
07:37 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
07:40 < reiffert> Kuba: you are not. Its use is reserved for developers.
07:45 -!- tiksa [~tiksa@unaffiliated/tiksa] has joined #openvpn
07:48 -!- tiksa [~tiksa@unaffiliated/tiksa] has quit [Client Quit]
07:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:55 <@plaisthos> Kuba: in the manpage that is more like pseudo code
08:14 < Kuba> all right, thanks!
08:14 < Kuba> it wasn't entirely clear to me
08:24 -!- tiksa [~tiksa@unaffiliated/tiksa] has joined #openvpn
08:24 -!- raidz is now known as raidz_away
08:28 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
08:38 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
08:40 -!- Slippern [slippern@server02.hjemmeserver.info] has joined #openvpn
08:48 < Kuba> i'm trying to set up openvpn on my home router, where DHCP is handled by home router's DHCP server, which assigns same network range addresses for openvpn and physical client; now, how to handle situation when I'm back home, connected both physically and virtually through openvpn to the home network?
08:48 < Kuba> dhclient -v tap0 results in a new route added for the tap0 interface, but this collides with wlan0 route
08:49 < Kuba> and it's not possible to connect from home router to the device, unless I delete tap0 route and readd it with higher metric...
08:49 < Kuba> how do you handle situations like that?
08:50 < rob0> this whole thing hinges on, "why are you using tap?"  I don't recommend it.
08:53 < Kuba> urm, I need to tunnel more than IP
08:53 < Kuba> so I'm left with tap
08:53 < rob0> hmm, I can do that with tun
08:54 < Kuba> https://openvpn.net/index.php/open-source/documentation/howto.html#vpntype
08:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:54 < Kuba> rob0: so you're saying this page is rubbish? ;)
08:55 < Kuba> i do need Samba as well
08:55 < rob0> I don't recall saying that.  Perhaps I am saying you misunderstood it?  Where in that section does it mention the limitation you describe?
08:56 < Kuba> the VPN needs to be able to handle non-IP protocols such as IPX,
08:56 < Kuba> you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server
08:56 < rob0> You do NOT need broadcasts for Samba.  The 1990s called, they want their protocols back.
08:57 < Kuba> but it is necessary for LAN games and other stuff that might need it
08:57 < rob0> OH ... so sorry ... I missed or inserted a ward
08:57 < rob0> "tunnel more than IP" --> I read "tunnel more than one IP"
08:57 < Kuba> ah, sorry then
08:58 < rob0> what non-IP protocols are you using?
08:58 < Kuba> nevertheless I would be interested how to cleany solve this under tap0
08:58 < Kuba> tap *
09:00 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:00 < Kuba> rob0: would that knowledge really help to solve the problem I'm posing?
09:01 < Kuba> i'm currently trying to set it up using tap, it doesn't make sense to discuss tun vs tap over here :)
09:02 -!- tiksa [~tiksa@unaffiliated/tiksa] has quit [Quit: Peace]
09:04 -!- erkules_ is now known as erkules
09:11 < rob0> Perhaps not, but as I don't do much with tap, I probably can't solve it anyway.  That said, we both see the problem, the tap0 route overriding the wlan0 route.
09:12 < rob0> searching the man page for all occurances of "DHCP" might yield a clue or kludge or two.
09:13 < Kuba> ok, thank you
09:19 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has joined #openvpn
09:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:28 -!- mapps [Mark@4e690915.skybroadband.com] has quit [Ping timeout: 272 seconds]
09:36 -!- fred`` [fred@earthli.ng] has joined #openvpn
09:38 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:39 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
09:42 -!- u0m3 [~u0m3@92.80.77.210] has quit [Read error: Connection reset by peer]
09:46 -!- u0m3 [~u0m3@92.80.103.49] has joined #openvpn
09:51 < Kuba> is it server-bridge nogw or server-bridge 'nogw' ?
09:52 -!- raidz_away is now known as raidz
09:55 < Kuba> it seems like nogw == 'nogw'
09:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:55 < Kuba> but why do I get default from from dhclient when using nogw, contrary to what would i expect?
09:56 < Kuba> when I use "server-bridge" (without nogw), dhclient does not set default route
09:57 < Kuba> :O
09:58 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
09:58 < Kuba> shouldn't it be the other way round?
09:58 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
09:59 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
10:01 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:02 -!- Slippern [slippern@server02.hjemmeserver.info] has joined #openvpn
10:05 -!- Jobbe [~Jobbe@fsf/member/Jobbe] has left #openvpn []
10:12 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
10:21 -!- mitz [~mitz@rt.miraclelinux.com] has joined #openvpn
10:21 <@plaisthos> Kuba: Iirc real dhcp is only supported on windows
10:21 <@plaisthos> I am not sure if dhclient works on tap interfaces
10:24 < Kuba> yeah, it does
10:24 < Kuba> I mean, I'm able to run dhclien on tap device
10:25 < Kuba> plaisthos: however, when I use "nogw" dhclient sets the default gateway; when I leave it out, dhclient does not set default gateway
10:25 < Kuba> plaisthos: how could it possible happen?
10:25 < Kuba> plaisthos: I would guess that "nogw" will just make sure push "route-gateway dhcp" is NOT sent
10:30 < Kuba> also, from which version odes openvpn create tap automatically? :)
10:32 <@plaisthos> I would have to read the source code again what the nogw stuff really does if it is not the man page
10:32 <@plaisthos> Kuba: a very long time
10:32 <@plaisthos> at least 2.0/2.1 ish
10:33 < Kuba> damn, I realy don't get why this default route appears in here
10:33 < Kuba> is it possible that OpenVPN, mangles DHCP replies before it gets to the client?
10:35 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
10:37 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
10:39 < rob0> I don't think so.  But it's possible that you'll have to solve this in your dhcpd.
10:41 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:41 < Kuba> I literally add or remove "nogw" only. How would that depend on dhpcd?
10:47 < Kuba> :(
10:50 <@plaisthos> rob0: iirc OpenVPN at least parses dhcp replies
10:50 <@plaisthos> not sure if it mangles them
11:00 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
11:01 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
11:02 < Kuba> strange, after about 20 consecutive tests this behaviour dissapeared... hmmm
11:08 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
11:10 -!- Slippern [slippern@server02.hjemmeserver.info] has joined #openvpn
11:10 -!- Latrina [~Latrina@ppp-59-1.26-151.libero.it] has quit [Ping timeout: 252 seconds]
11:15 -!- Latrina [~Latrina@adsl-ull-134-191.50-151.net24.it] has joined #openvpn
11:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:19 -!- mode/#openvpn [+v s7r] by ChanServ
11:38 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
11:38 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:38 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
11:39 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
11:50 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
11:51 -!- Monotoko [~monotoko@unaffiliated/monotoko] has quit [Quit: Leaving]
11:56 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
11:57 -!- s7r_q [~s7r@openvpn/user/s7r] has joined #openvpn
11:57 -!- mode/#openvpn [+v s7r_q] by ChanServ
11:57 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:58 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
12:05 -!- OndraG [~ondra@ip-89-176-56-50.net.upcbroadband.cz] has joined #openvpn
12:06 -!- flexo_ [~flexo@85.17.248.147] has joined #openvpn
12:06 -!- OndraG [~ondra@ip-89-176-56-50.net.upcbroadband.cz] has left #openvpn []
12:09 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
12:09 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
12:10 -!- OndraG [~ondra@ip-89-176-56-50.net.upcbroadband.cz] has joined #openvpn
12:10 < OndraG> !welcome
12:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:11 < OndraG> !goal
12:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:11 < OndraG> !redirect
12:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:11 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:12 < OndraG> !def1
12:12 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:13 < OndraG> !ipforward
12:13 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:13 < OndraG> !linipforward
12:14 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:14 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
12:14 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
12:15 < OndraG> !nat
12:15 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:15 < OndraG> !linnat
12:15 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
12:18 < flexo_> somewhat offtopic (more routing related than vpn) - but i'll ask anyway... here is my problem: http://pastie.org/private/tvwhgwj9njulfui7f9fv2q
12:18 < OndraG> !configs
12:18 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:19 < OndraG> !logs
12:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:19 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
12:20 -!- Envil [~meep@85.17.109.16] has joined #openvpn
12:21 -!- Slippern [slippern@server02.hjemmeserver.info] has joined #openvpn
12:25 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
12:25 < OndraG> hello, is "curl --interface tun0 google.com" supposed to fetch the Google page when used on a server side?
12:25 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:35 < rob0> Wait, you have a server which is accessing the Internet through a tun interface?  How is this?
12:36 < OndraG> nono, I just want to test my VPN server, because it doesn't route all the client's trafic through
12:36 < OndraG> according to http://pekster.sdf.org/misc/redirect.png, my error should be "you likely have a firewall issue"
12:37 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
12:37 < OndraG> but then I don't know how to debug it
12:38 < OndraG> is there some easy method of testing the NAT?
13:00 -!- funnel [~funnel@unaffiliated/espiral] has quit [Read error: Connection reset by peer]
13:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
13:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:21 -!- s7r_q [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
13:22 -!- s7r_q [~s7r@openvpn/user/s7r] has joined #openvpn
13:22 -!- mode/#openvpn [+v s7r_q] by ChanServ
13:29 -!- OndraG [~ondra@ip-89-176-56-50.net.upcbroadband.cz] has quit [Remote host closed the connection]
13:41 <@krzee> sure, tcpdump
13:42 <@krzee> (or wireshark)
13:44 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 264 seconds]
13:44 <@krzee> flexo_,
13:45 <@krzee> oh nevermind i didnt see i could scroll over
13:45 <@krzee> ill continue reading, i thought the ips didnt match but they do
13:46 <@krzee> flexo_, you also want to use tcpdump to analyze your nat issue
13:47 <@krzee> see whats happening as opposed to what you expect
13:47 <@krzee> oh i see ondrag left, he needed that same advice
13:51 -!- s7r_q is now known as s7r
13:51 -!- arescorpio [~arescorpi@89-26-245-190.fibertel.com.ar] has joined #openvpn
13:53 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
14:18 -!- lauri [~lauri@ip18864bed.dynamic.kabel-deutschland.de] has joined #openvpn
14:18 < lauri> Hello guys
14:20 < lauri> I've been digging through James Yonan's interview in 2003 and rant by Peter Gutmann in 2003, could anyone please elaborate on the standardization status of OpenVPN protocol (or any other SSL-VPN solution)?
14:22 -!- Thermi_ [~Thermi@unaffiliated/thermi] has joined #openvpn
14:22 <@krzee> im not very familiar with his 11 year old interview hhe
14:23 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 255 seconds]
14:23 -!- Thermi_ is now known as Thermi
14:24 < lauri> krzee: http://www.linuxsecurity.com/content/view/117363/49/
14:24 <@vpnHelper> Title: OpenVPN: An Introduction and Interview with Founder, James Yonan - The Community's Center for Security (at www.linuxsecurity.com)
14:25 < lauri> I'm writing a term paper about open source vs standardization
14:26 < lauri> currently I am missing an official statement about the status of standardization of OpenVPN protocol
14:27 <@krzee> not sure what you really mean by standardization? but its all opensource so if someone would like to code another app to interface with it they may
14:28 <@krzee> http://openvpn.net/index.php/open-source/documentation/security-overview.html
14:28 <@vpnHelper> Title: Security Overview (at openvpn.net)
14:28 <@krzee> maybe that helps? ^
14:30 < lauri> source != standard
14:30 < lauri> I am talking about RFC-s
14:31 < Haigha> i don't think OpenVPN is a good example for it
14:33 < lauri> OpenVPN 3.0 seems to be going to the right direction though
14:33 < lauri> DTLS is in the roadmap
14:34 -!- dazo is now known as dazo_afk
14:34 <@krzee> the openvpn protocol does not itself have an RFC afaik
14:34 <@krzee> you might want to find a better example?
14:35 < lauri> Yes I know OpenVPN itself does not have RFC
14:35 < lauri> I am looking for an official statement from the devs whether there in interest to create one
14:35  * krzee pokes plaisthos 
14:36 < lauri> IPsec has dozens of RFC-s which formalize configuration handshake and *a lot* of other stuff
14:36 <@krzee> i have never heard any such interest over the years
14:36 <@krzee> but as an open source project, if that was your interest you may feel free to contribute
14:37 < lauri> that would be extensive work of course
14:37 <@krzee> is that the case?
14:37 < lauri> Nope  I don't have time nor expertise
14:37 <@krzee> werd, i dont think anyone else with the time / expertise feels like doing it either
14:38 <@krzee> but i could be wrong, if you are looking for a quote from a dev im not the guy
14:38 < lauri> I am saying IPsec has gained support from hardware vendors, isn't the company behind OpenVPN interested in wider adoption in corporate environments
14:38 <@krzee> if you can idle for awhile ask your question in #openvpn-devel
14:38 < lauri> that's where I was planning to go next ;)
14:38 <@krzee> GPL stops corporate adoption more than a lack of RFC
14:39 < lauri> Well RFC would allow proprietary or BSD/MIT licensed works
14:39 < lauri> (alternative implementations)
14:39 <@krzee> if it was BSD code i bet it would already be encorporated into mainstream OS's, but i cant see microsoft / apple distriubuting the GPL code
14:39 <@krzee> they dont need RFC to do that
14:40 <@krzee> if someone wanted to make it in BSD code, they would
14:40 <@krzee> they arent sitting there wishing there was an RFC so they could do it
14:40 < lauri> well it would be technically derivative work if OpenVPN source code is the only reference point
14:40 <@krzee> http://openvpn.net/index.php/open-source/documentation/security-overview.html
14:40 <@vpnHelper> Title: Security Overview (at openvpn.net)
14:41 <@krzee> and im sure they could get plenty of help in the dev channel if thats what they wanted to do
14:41 <@krzee> with openvpn 3 they can just include the openvpn library, but i dont think that is even GPL (apple IOS store doesnt allow GPL code, hence the rewrite)
14:42 <@krzee> not sure what license it is actually, lets check
14:42 <@krzee> !connect
14:42 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
14:42 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
14:42 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:42 <@krzee> ahh  AGPL 3
14:43 <@krzee> but ya, if someone wants to make a RFC they are welcome to contribute (that was once the answer for ipv6 and many other things, but people did come contribute and now we have more features)
14:48 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
14:52 <@krzee> !roadmap
14:52 <@vpnHelper> "roadmap" is https://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
14:55 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:56 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:05 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
15:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:38 -!- alfadir [~fred@ag-248-181.sta.ji.cz] has quit [Quit: Lost terminal]
15:46 -!- zoomequipd [~zoomequip@gateway/tor-sasl/zoomequipd] has left #openvpn []
15:49 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has quit [Read error: Connection reset by peer]
15:50 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
15:57 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
16:05 < Kuba> rob0: I found a nice solution using ifmetric
16:07 < Kuba> rob0: allow-hotplug tap0 \ iface tap0 inet dhcp \ metric 100 (in /etc/network/interfaces)
16:14 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
16:17 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
16:22 -!- Envil [~meep@85.17.109.16] has quit [Remote host closed the connection]
16:43 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
17:00 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
17:00 -!- mode/#openvpn [+v RBecker] by ChanServ
17:03 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
17:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:26 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:59 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:02 -!- arescorpio [~arescorpi@89-26-245-190.fibertel.com.ar] has quit [Ping timeout: 240 seconds]
18:02 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
18:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:07 -!- Champi [Champi@rootshell.fr] has joined #openvpn
18:10 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Quit: maybe bbl]
18:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:12 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
18:13 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:16 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
18:19 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 248 seconds]
18:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:27 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has quit [Read error: Connection reset by peer]
18:36 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
18:39 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
18:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:36 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
19:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:37 -!- mode/#openvpn [+v s7r] by ChanServ
19:37 -!- arescorpio [~arescorpi@89-26-245-190.fibertel.com.ar] has joined #openvpn
20:03 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:08 -!- profall [~profall@host-208-117-118-169.beyondbb.com] has joined #openvpn
20:08 < profall> Hey
20:08 < profall> The repos are not working on ubuntu
20:08 < profall> 14.04 lts trusty
20:09 < rob0> repos?
20:09 < rob0> Does openvpn have special ubunti repos?
20:11 < profall> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
20:11 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
20:11 < profall> followed these instructions
20:14 < rob0> ah, cool
20:15 <+pekster> No 14.04 packages IIRC
20:15 < profall> is 12.04 or 13.10 packages working with 14.04
20:15 < profall> anybody know?
20:15 <+pekster> This said, ubuntu should have 2.3.x packages available officially now
20:16 <+pekster> Probably not; ubuntu back-ports openssl, and 12.04 is on 1.0.0 with security fixes back-ported
20:16 <+pekster> Not sure about 13.10 though
20:16 <+pekster> If you really want that, openvpn is pretty easy to compile; just install it to /usr/local/ or such
20:16 < profall> ok got it
20:17 <+pekster> It does look like 2.3.3 is the latest on 14.04, not 2.3.4
20:18 < profall> whats the command
20:18 < profall> looks like the ubuntu site not working well with it
20:18 < profall> out-dated apt-get command
20:20 < profall> eh ill just build it
20:21 < profall> anyone have good instructions for setting up the network devices
20:24 <+pekster> 14.04 has it in the public repos
20:24 <+pekster> I use them (although I have some locally installed copies for testing/dev use too)
20:25 < profall> what command did you use?
20:25 < profall> apt-get install openvpn says not working
20:26  * pekster is pretty sure "not working" isn't what apt-get outputs
20:27 < profall> ok, apt-get install openvpn worked
20:27 < profall> probably just a couple minuted downtime that was throwing me off.
20:28 < profall> https://help.ubuntu.com/community/OpenVPN
20:28 <+pekster> Pretty sure that too gives a better message than "not working", but take complaints about apt-get to #ubuntu ;)
20:28 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
20:28 < profall> https://help.ubuntu.com/community/OpenVPN
20:28 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
20:28 < profall> just follow these directions?
20:28 <+pekster> We don't recommend bridging
20:29 < profall> What do you recommend ?
20:29 <+pekster> The howto, as does our /TOPIC here
20:29 <+pekster> !howto
20:29 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:30 <+pekster> Also, this info:
20:30 <+pekster> !tunortap
20:30 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
20:30 <@vpnHelper> rooted/jailbroken) support only tun
20:31 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
20:34 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:34 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:37 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 252 seconds]
20:56 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 248 seconds]
21:03 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
21:53 -!- ajc_ [ajc@nat/hp/x-zrloqonuzyyumnna] has joined #openvpn
21:58 -!- lbft [~lbft@unaffiliated/lbft] has quit [Excess Flood]
22:17 -!- arescorpio [~arescorpi@89-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:16 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
23:29 -!- ShadniX [dagger@p5481CF7C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:30 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:32 -!- profall [~profall@host-208-117-118-169.beyondbb.com] has quit [Remote host closed the connection]
23:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
--- Day changed Wed Jul 02 2014
00:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:10 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Remote host closed the connection]
00:24 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
00:25 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:35 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
00:42 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:13 < Kuba> hm, why does OpenVPN reply with a different source IP address than request destination IP (UDP)?
01:14 < Kuba> I'm trying to connect to OpenVPN server from a local home network, but using public IP
01:14 < Kuba> and it replies from IP from the local network address range
01:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:35 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:48 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
01:49 < Kuba> it works well with TCP, hmm
01:53 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:56 < Kuba> also, would openvpn work if I redirected (iptables) several ports (same proto) to single port server is listening on?
02:06 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:28 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
02:35 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
02:44 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
02:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:55 -!- Candidate [~petur@130.225.243.68] has joined #openvpn
02:56 < Candidate> Hello. I have installed OpenVPN Connect for OS X, but I cannot find the configuratio file. It seams to be hard coded for a single server and I need to change the port settings it tries to connect to. Can anyone tell me where the configuration file is located?
03:01 < Kuba> regarding my previous question: --multihome to the rescue! :)
03:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
03:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:26 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has quit [Ping timeout: 252 seconds]
03:31 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has joined #openvpn
03:39 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
03:40 -!- hal_from_2001 [~chatzilla@91.123.49.70] has joined #openvpn
03:40 < hal_from_2001> good morning
03:40 < hal_from_2001> !goal
03:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:41 < hal_from_2001> I have a very basic question, which is probably firewall related. So sorry if this is the wrong channel.
03:41 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:42 < hal_from_2001> I have a computer on my lan which is connected to a opnvpn server. This works good.
03:42 < hal_from_2001> But I would also be able to reach this computer from within my lan.
03:42 -!- matt_ [~matt@ccpc-mwr.bath.ac.uk] has joined #openvpn
03:42 < hal_from_2001> The reason for all this mess is that I have connection problems and would like to hunt them down, and it is easier done on a workstation than on the router.
03:43 < hal_from_2001> Has anyone a good idea where to look to solve this problem?
03:43 < matt_> hello, if I run an openvpn server, with dev tun, that will accept multiple connections do I get a new tunX interface for each connection, or do I just get one tun interface for all clients?
03:46 < Kuba> matt_: one tun interface
03:46 < Kuba> (I believe)
03:47 < matt_> Kuba: cool, so would I be right in thinking that only a single address is required for each client connection and not a /30
03:47 < Kuba> I really have no idea
03:48 < matt_> Kuba: ok, it should be if its a single interface, thanks
03:48 < Kuba> hal_from_2001: you probalby want to set up the server as a gateway; this involves sysctl net.ipv4.ip_forward = 1
03:49 < hal_from_2001> wait
03:49 < Kuba> hal_from_2001: unless you've already done that and I'm missing the point of your question
03:50 < hal_from_2001> The base problem was that I have connection problem witha professional vpn provider. I want to debug these. Because running tests on the router itself is tedious and my wife will kill me if the internet is down several times, I want to first try thius on my workstation.
03:51 < hal_from_2001> So the server is off limits. The client is in my lan. One of my home servers playing the openvpn client.
03:52 < hal_from_2001> So while being connected to the vpn, I would like to be able to ssh into this machine, because it is in the vpn then it should not respond to the local ssh request, and I want to allow this reqeust.
03:52 < hal_from_2001> SO I guess this is a routing of fw problem, not openvpn
03:58 -!- Candidate [~petur@130.225.243.68] has quit [Quit: leaving]
04:01 < Kuba> hal_from_2001: so you've got one VPN server, two VPN clients which are also physically in the same LAN (your home network)?
04:02 < hal_from_2001> No, sorry for the confusion. Only one client on my lan which connects to an outside vpn server
04:02 < hal_from_2001> I want to be able to reach this client also from other computers from the lan over ssh.
04:02 < Kuba> ah, so you want to your current workstation to become a router for other non-vpn clients in the LAN?
04:03 < hal_from_2001> no, just reach this workstation over ssh from other computers in the same lan
04:03 < matt_> just ssh to it then?
04:04 < hal_from_2001> My understanding is that a openvpn client only "listens" to the tun device if it is connected.
04:04 < Kuba> have you tries simply sshing?
04:04 < matt_> hal_from_2001: use the local address to ssh to the machine
04:04 < matt_> dont worry about the address bound to the tun interface
04:04 < hal_from_2001> Maybe I think too complex.
04:04 < hal_from_2001> I guess that is my problem...
04:05 < Kuba> openvpn does not redirect all network traffic by defailt
04:05 < hal_from_2001> So the openvpn doesn't "kill" the connections to the local address?
04:05 < hal_from_2001> my bad, sorry
04:05 < Kuba> even if it does, it still maintains local network routes
04:05 < Kuba> otherwise your workstation wouldn't be connected to the home network
04:06 < Kuba> so it should be possible to connect to the other machines in LAN using their local IPs
04:06 < hal_from_2001> My main problem is that the vpn connection is kind of unstable, even tcp. So it breaks at one point and then the router says something like "cannot resolve xxx.xxx.xxx.net"
04:06 < hal_from_2001> And I would like to debug this issue to see how it can be solved.
04:06 < matt_> you should always be able to get to the local network, you would have a problem if the vpn stopped you getting to other local machines as it would stop you getting to your gateway and stall its own link to the internet
04:07 < Kuba> hal_from_2001: what happens when you try to ssh?
04:07 < hal_from_2001> I always thought it reroutes every traffic.
04:07 < hal_from_2001> Didn't do. Decided to debug yesterday midnight :)
04:08 < Kuba> hal_from_2001: well, read again what matt_ said and think about it
04:08 < Kuba> hal_from_2001: while you're connected to VPN your computer has to still maintain connection to the local network gateway
04:08 < matt_> hal_from_2001: your using tcp? if you use tcp, as it ack'es every packet, if your underlying tcp connection hangs it will have _every_ connection going through the VPN link at the time
04:09 < Kuba> hal_from_2001: so "every traffic" cannot be redirected ;)
04:09 < matt_> as your networking stack will be waiting for the underlying TCP packet to be ack'ed before anything going to the vpn server on that port will continue
04:09 < hal_from_2001> I get it now, I think.
04:09 < matt_> I would really use UDP for all VPN connections
04:09 < Kuba> hal_from_2001: you might have problems if your VPN network subnet collides with local home network subnet...
04:09 < hal_from_2001> So if sshing into the machine works I can crank up verbosity and check where openvpn lososes its connection.
04:10 < matt_> udp dosn't ack, it just forgets about it so if your running tcp over udp the 'higher' tcp connections will worry about the ack's
04:11 < Kuba> hal_from_2001: you could also disconnect your local workstation from the vpn and then SSH do the other vpn client
04:11 < Kuba> and do the debugging from the other machine
04:12 < hal_from_2001> hmm, "the other client" is the dd-wrt router. Limited capacity of ressources.
04:12 < hal_from_2001> So I would prefer to do the dbugging on my workstation. Also I want to know if maybe the dd-wrt version of openvpn is buggy.
04:13 < hal_from_2001> If my workstation looses also connectivity, then I can debug it. If not, it is the dd-wrt version whic is not so good.
04:14 < hal_from_2001> It may also be that a "pull" of the pushed DNS server helps. But I guess somehow the server restarts the connection and my client doesn't get it.
04:14 < hal_from_2001> Either way, I need more verbosity and I do not want to spam my router.
04:14 < hal_from_2001> brb
04:35 -!- larryone [~larryone@87-198-220-54.static.ptr.magnet.ie] has joined #openvpn
04:48 -!- hal_from_2001 [~chatzilla@91.123.49.70] has quit [Ping timeout: 260 seconds]
04:56 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
05:03 -!- u0m3_ [~u0m3@109.96.140.174] has joined #openvpn
05:03 -!- u0m3 [~u0m3@92.80.103.49] has quit [Ping timeout: 248 seconds]
05:11 -!- larryone [~larryone@87-198-220-54.static.ptr.magnet.ie] has quit [Ping timeout: 248 seconds]
05:30 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
05:35 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
05:38 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
05:49 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
05:56 <@plaisthos> !heartbleed
05:56 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
05:57 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
05:57 <@plaisthos> !learn
05:57 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
05:58 <@plaisthos> !heartbleed heartbleed as OpenVPN for Android versions 0.6.17 and later ship with a bundled not vulnerable OpenSSL library
05:59 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
06:02 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
06:03 -!- erkules_ is now known as erkules
06:06 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
06:07 -!- elfixit [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 255 seconds]
06:07 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
06:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:15 -!- pompato [~sled@rttlm.dti.supsi.ch] has joined #openvpn
06:15 < pompato> Hi guys
06:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:17 < pompato> I need support. I have a openvpn tunnel correctly open: server tunnel IP is 10.0.2.1, routes are set up correctly. The server is fully visible from client (with tunnel IP 10.0.2.6) through the tunnel.
06:18 < pompato> I can netcat TCP and UDP successfully, and transfer data in both directions. However, I want to measure UDP performance with iperf from the client to the server through the tunnel. Iperf can't connect to 10.0.2.1, although it is correctly listening. (test on WAN IP works)
06:20 < pompato> can anyone help me to resolve this problem? I don't understand why netcat UDP data transfer works while iperf UDP doesn't
06:24 -!- Latrina [~Latrina@adsl-ull-134-191.50-151.net24.it] has quit [Ping timeout: 255 seconds]
06:25 -!- Latrina [~Latrina@adsl-ull-52-254.45-151.net24.it] has joined #openvpn
06:25 <+pekster> If you can ping (or otherwise exchange data between the endpoints) it's likely a firewall issue
06:27 <+pekster> There's a chance it's MTU-related; you can try to test that with these directives on both sides: `--fragment 1300 --mssfix 1300`
06:28 <+pekster> If that seemingly fixes the problem, you should figure out why the MTU is broken and possibly come up with a better solution that doesn't involve fragmenting non-TCP data
06:39 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:41 -!- u0m3_ is now known as u0m3
06:58 -!- ajc_ [ajc@nat/hp/x-zrloqonuzyyumnna] has quit [Read error: Connection reset by peer]
07:08 -!- Megaf__ [~Megaf@unaffiliated/megaf] has joined #openvpn
07:09 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
07:31 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
07:31 < v0lZy> hi
07:31 < v0lZy> can anyone advise if its possible to use the openvpn client to run a VPN to a firewall, then once connected, run another vpn to another firewall behind the original one?
07:56 -!- dazo_afk is now known as dazo
07:57 < matt_> v0lZy: its technically possible
08:12 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:15 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:17 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:21 -!- mapps [Mark@2.223.180.42] has joined #openvpn
08:21 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
08:24 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Quit: Bye.]
08:28 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
08:31 < v0lZy> matt_: how do I do ti though? do i run openvpn twice?
08:32 < v0lZy> so i get two icons in the system tray
08:32 < v0lZy> and just run them in sequence
08:32 < v0lZy> or is it more complicated than that
08:32 < v0lZy> I know how to setup a server, what to listen on etc.. so id set one server to listen on a public ip, the other would listen on its WAN IP, but WAN would be a private IP
08:33 < v0lZy> i know how to enumerate teh subnets etc so that this works... just thinking if its as simple as running two in a row, or if its more complicated
08:36 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Quit: Bye.]
08:37 -!- mapps [Mark@2.223.180.42] has quit [Ping timeout: 260 seconds]
08:39 < matt_> v0lZy: from a client point of view, just run one openvpn client, as normal, add, or push, a route to the remote servers public address down the vpn tunnel, then connect to the public address of the remote server?
08:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:40 < v0lZy> ok
08:40 < v0lZy> theres no contradictions ... openvpn protocl within openvpn etc..?
08:43 < rob0> openvpn provides you an IP address to use as you see fit.
09:06 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:23 -!- mapps [Mark@176.25.214.122] has joined #openvpn
09:38 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:30 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:33 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Remote host closed the connection]
11:14 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
11:31 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
12:13 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
12:14 < Ryu_Fitzgerald> i have one simple security question to ask
12:15 < Ryu_Fitzgerald> If one server VPNs into another server.  Can the vpn host access printers and other networks resources of the client?
12:15 < Ryu_Fitzgerald> i'm hoping someone here would know the answer to this
12:16 <@krzee> not unless you do extra to allow it
12:16 <@krzee> it can be done if it is the goal
12:16 < Ryu_Fitzgerald> what exactly is this extra?
12:16 <@krzee> !clientlan
12:16 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
12:16 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:17 <@krzee> and as for the question you asked a number of times yesterday but then left before i saw:
12:17 <@krzee> !redirect
12:17 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:17 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:20 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:21 < Ryu_Fitzgerald> thanks, I was just worried that it would be unsafe to put networks file on the net because of the vpn
12:22 < Ryu_Fitzgerald> so as long as i haven't used any push commands, it should be closed from what I am seeing
12:22 <@krzee> you are the client and concerned about connecting to the server?
12:22 <@krzee> if so, you should be using your a firewall
12:23 <@krzee> s/ a //
12:23 < Ryu_Fitzgerald> i have a fire wall but i always thought a vpn between servers was a lan merger
12:23 <@krzee> you are bridging?
12:24 < Ryu_Fitzgerald> how would i know if i am
12:24 < Ryu_Fitzgerald> i just know it is openvpn
12:24 <@krzee> then how would i know if you are?
12:24 <@krzee> i just know its your setup
12:24 <@krzee> you using dev tun?
12:25 < Ryu_Fitzgerald> would you know what to check to see if i am bridging
12:25 < Ryu_Fitzgerald> i am using tun
12:25 <@krzee> then just firewall stuff and you have nothing to worry about
12:25 < Ryu_Fitzgerald> and not tap
12:25 < Ryu_Fitzgerald> firewall setting only need to block on wan
12:25 < Ryu_Fitzgerald> or do i have to have blocks in other areas?
12:26 <@krzee> whatever is listening on tun ip that you dont want accessed
12:26 <@krzee> kinda requires understanding whats going on
12:26 < Ryu_Fitzgerald> i don't have access to the other lan
12:26 < Ryu_Fitzgerald> i only have access to clients lan
12:26 < Ryu_Fitzgerald> and not servers lan
12:26 <@krzee> what im saying is:
12:27 <@krzee> if the client has open ports on its tun ip that you do not want accessed by the server, then firewall them
12:27 <@krzee> i cant walk you through it, and its not openvpn related anyways
12:28 < Ryu_Fitzgerald> there are many places to put a firewall.  do you mean firewall in wan or some other location?
12:28 <@krzee> on the client, and only if its needed
12:28 <@krzee> !101
12:28 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
12:29 < Ryu_Fitzgerald> i know what firewalls all, i just don't know how openvpn changes things
12:30 < Ryu_Fitzgerald> i was worried a vpn would bypass the firewall
12:30 < Ryu_Fitzgerald> on WAN
12:30 < Ryu_Fitzgerald> so i would not matter what i did there
12:34 <@krzee> !vpn
12:34 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
12:35 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Quit: Bye.]
12:35 <@krzee> tap is a virtual ethernet cable, tun is the same idea but only layer3
12:36 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
12:38 < Ryu_Fitzgerald> layer3?
12:39 <@krzee> !tunortap
12:39 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
12:39 <@vpnHelper> rooted/jailbroken) support only tun
12:41 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
12:42 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
12:46 < Ryu_Fitzgerald> Could i use a different 4096 letter cert key for TLS key or are they different in a way that prevents this?
12:49 <@krzee>  prevent what?
12:53 < Ryu_Fitzgerald> i am saying i want to make a 4096 TLS key.  The problem is, my router only makes 2048 but it can make 4096 CA certs.  Can CA cert be used as a TLS or is there some mathimatical difference on why you shouldn't do this
12:55 <@krzee> that makes no sense, sure it can make a 4096 key, however you should NEVER build your keys on a router
12:56 < Ryu_Fitzgerald> why?
12:56 <@krzee> they suck at random number generation
12:56 <@krzee> DJB explains it in his "facthacks" speech
12:58 < Ryu_Fitzgerald> i assume you mean this
12:59 <@krzee> !google youtube facthacks
12:59 <@vpnHelper> FactHacks [29c3] - YouTube: <http://www.youtube.com/watch?v=IuSnY_O8DqQ>; PGP and RSA theory - Uncovering Cicada Wiki: <http://uncovering-cicada.wikia.com/wiki/PGP_and_RSA_theory>; [SSL Observatory] Batch gcd - Gmane: <http://comments.gmane.org/gmane.comp.security.ssl.observatory/267>
12:59 <@krzee> first link
12:59 <@krzee> warning, you wont understand it
13:01 < reiffert> :)
13:01 < Ryu_Fitzgerald> don't worry, i'm used to understanding complicated things ;)
13:01 <@krzee> hey reif
13:01 < reiffert> whats up
13:01 < Ryu_Fitzgerald> find information is far more difficult a task
13:01 < Ryu_Fitzgerald> :)
13:02 < reiffert> I'm offering to pay 10USD per month to google if they would skip all the results I dont need.
13:02 < Ryu_Fitzgerald> you mean remove the paid results?
13:03 < reiffert> -forum -board -nonsense
13:03 < Ryu_Fitzgerald> i don't know what your refering to
13:04 < reiffert> -"I just found out that 1+1=2"
13:04 < reiffert> all this crap nobody needs
13:04 <@krzee> youd be surprised
13:04 <@krzee> thats usually what people are looking for
13:04 <@krzee> people are simple
13:04 < reiffert> I need answers not all the 1+1=2 stuff. I can do maths on my own
13:05 < Ryu_Fitzgerald> as far as the google web results go, they have the best algorithm at finding what you need in existance
13:05 <@krzee> oh ya? they never send whores
13:05 < Ryu_Fitzgerald> they probably want the search engine family safe
13:06 < Ryu_Fitzgerald> though i wouldn't be surprised if they have a way to disable hat
13:06 < Ryu_Fitzgerald> that
13:06 < Ryu_Fitzgerald> well thankyou, bye
13:06 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
13:11 -!- pompato [~sled@rttlm.dti.supsi.ch] has quit [Quit: Lost terminal]
13:12 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Quit: Bye.]
13:14 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
13:17 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Client Quit]
13:18 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
13:22 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Client Quit]
13:25 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
13:56 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Quit: Bye.]
13:58 -!- ShadniX [~ShadniX@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
14:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:16 -!- mode/#openvpn [+v s7r] by ChanServ
14:30 -!- justinzane [~justinzan@24.49.207.203] has quit [Read error: Connection reset by peer]
14:30 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
14:37 -!- ShadniX [~ShadniX@p5481CCD9.dip0.t-ipconnect.de] has quit [Quit: Bye.]
14:39 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has joined #openvpn
14:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
15:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:15 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
15:23 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:10 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 240 seconds]
16:15 -!- raidz is now known as raidz_away
16:18 <@plaisthos> krzee: yes?
16:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:26 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
16:28 -!- Slippern [slippern@server02.hjemmeserver.info] has joined #openvpn
16:31 -!- raidz_away is now known as raidz
16:59 -!- dazo is now known as dazo_afk
17:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:21 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
17:57 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
18:15 -!- u0m3 [~u0m3@109.96.140.174] has quit [Read error: Connection reset by peer]
18:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:28 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:36 -!- u0m3 [~u0m3@109.96.140.174] has joined #openvpn
18:59 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
18:59 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
19:17 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
19:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
19:29 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 248 seconds]
19:29 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:29 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
20:22 -!- altermann [~chatzilla@174.1.107.101] has joined #openvpn
20:22 < altermann> hi there
20:23 < altermann> is there any reason why i can't ping the virtual address of an ipad connected to the ovpn server?
20:24 < altermann> connection on both ends exists but i cannot access the network on the server side
20:26 <+pekster> Can you ping the server VPN IP from the client?
20:26 -!- mapps [Mark@176.25.214.122] has quit [Ping timeout: 255 seconds]
20:27 < altermann> did not try that
20:27 < altermann> let me see if i can d/l a terminal emulator for the ipad
20:27 <+pekster> Kind of a broken device if it won't let you do that :\
20:27 < altermann> it's an ipad
20:27 < altermann> :)
20:28 <+pekster> Apparently. You've strayed from the Garden Path that the Gods of Apple have been kind enough to bestow upon you
20:28 < altermann> lol
20:28 < altermann> it's a work ipad for one of the sheeple
20:29 < altermann> bosses refused to buy laptops
20:29 <+pekster> I'd bet it has some kind of a firewall on it, but you don't really know
20:29 < altermann> i'm the sys admin
20:29 < altermann> wtf
20:30 < altermann> i'd know that crap
20:30 <+pekster> The distinction is quite important. If you are 100% sure there's no firewall, then you screwed up the VPN
20:31 < altermann> you mean a firewall on the client end?
20:31 < altermann> does that matter?
20:31 <+pekster> If you're trying to ping the client? Obviously.
20:31 < altermann> my intention was to have a road warrior setup
20:32 < altermann> which seems to allow the tunnel to be created between the client and the server
20:32 <+pekster> But why on earth would you think a firewall on the client wouldn't matter if you're trying to ping it?
20:32 <+pekster> That's quite nonsensical
20:32 <+pekster> It's a firewalls job to drop traffic, and many consumer devices block echo-request by default
20:33 < altermann> but the client should be able to get through to the network behind the vpn server right?
20:33 <+pekster> That's not what you said you're trying to do
20:33 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:33 < altermann> i'm sorry
20:33 < altermann> i jumped the gun
20:33 <+pekster> You want to "ping the virtual address of an ipad connected to the ovpn server"
20:33 < altermann> my apologies
20:33 <+pekster> Or you want to do something completely unrelated to what you asked
20:33 <+pekster> !xy
20:34 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
20:34 < altermann> i'm tired as fuck
20:34 <+pekster> So, what is it you _do_ want?
20:34 < altermann> i want to access the network behind the ovpn server
20:34 <+pekster> For that, we have:
20:34 <+pekster> !serverlan
20:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
20:34 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
20:35 <+pekster> Chances are good one of the following is missing 1) lack of pushed routes to the client, 2) no return route from the server-side LAN to reach the VPN IP range, or 3) a firewall (VPN server or the server-side LAN's, usually) is blocking it
20:35 <+pekster> Helpful flowchart is helpful.
20:35 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 244 seconds]
20:36 -!- Valen [~Valen@mail.workershealth.com.au] has joined #openvpn
20:36 < cyberanger> !route_outside_openvpn
20:36 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
20:38 < Valen> I'm having an "interesting" issue with openvpn on a pfsense install. Head Office (HO) and 2 sites A and B everything routes ok and is all generally good. However when site A floods HO's uplink after some short period site A's connection will "ping restart" and often site B will do the same at the same time.
20:38 < Valen> I have traffic shaping on the firewall such that VoIP calls can still be made whilst the link is flooded (not over the VPN)
20:39 < Valen> HTTP transfers that saturate the uplink and downlink at both sides also work
20:39 < Valen> so, any ideas?
20:39 <+pekster> Fix your broken links that introduce enough latency to cause that much traffic to be lost
20:40 <+pekster> Or make openvpn willing to handle severe levels of network breakage by increasing the --ping-restart values at both ends
20:40 <+pekster> See:
20:40 <+pekster> !ping
20:40 <@vpnHelper> pong
20:40 <+pekster> Erm,
20:40 <+pekster> !keepalive
20:40 < Valen> so openvpn cannot operate if it saturates a link?
20:40 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
20:40 <+pekster> Valen: That's not the problem. The problem is that you're dropping packets
20:41 <+pekster> Read what --keepalive does, and either stop your link from dropping all the keepalive traffic in your timeout period, or increase your timeout period while you completely decimate your Internet connection
20:41 < Valen> running ping parallel over the vpn indicates about 300ms latency when its saturated
20:41 < Valen> it shouldn't need keepalive traffic if the link (which is all openvpn traffic) is active though should it?
20:42 <+pekster> Dunno how much more clear I can be. "ping-timeout" means that _NO_ (that's zero, none, zilch, absolutely nothing) was received from the local end that the far side is sending as keepalive traffic
20:42 <+pekster> Yes, it does
20:42 <+pekster> Keepalive is a special TLS packet that tells the far side "I'm still here"
20:42 <+pekster> The resource I gave you above tells you to "(#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected." -- did something there confuse you?
20:44 < Valen> imilar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote.
20:44 < Valen> the bit where it says "or other packet from remote"
20:44 <+pekster> Not "or other packet"
20:45 <+pekster> Oh, interesting
20:45 < Valen> well that is what is in the manual
20:45 <+pekster> Maybe add --verb 5 to the end that's getting disconnected (usually the client) and see if it's getting inbound packets?
20:45 < Valen> and indeed "Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds"
20:46 < Valen> what I am doing is copying a file over a samba share, the copy starts and runs at the link rate, then after a time it stops, and I get a ping-restart in the client logs
20:46 < Valen> running the latest openvpn on the client
20:47 < Valen> the transfer dying I can see happening due to packet loss and other assorted issues, thats fine
20:47 < Valen> but I cant explain why the active openvpn connection would restart under pretty much any circumstance
20:48 < Valen> unless the manual and the program operate don't agree?
20:48 <+pekster> The fact that it stops suggests you're not receiving data anymore
20:48 < Valen> if as you say the program is written to only pay attention to "keepalive" messages that would explain it
20:49 <+pekster> Well, it might be (I'm digging in the source now, but it's a bit of spaghetti to track some of it down)
20:49 < Valen> I appreciate that thankyou
20:52 < altermann> pekster: i noticed that i do not have a client ip on the ipad
20:52 < altermann> i only have a VPN IPv4
20:52 <+pekster> Isn't that what you want? Or do you mean you're trying to push v6 over the link too?
20:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:58 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:59 < altermann> no v6
21:01 < altermann> it is connecting but something is wrong with the routing
21:01 < Valen> pekster, I have to go do some SQL, but I'll be back in a bit, I'm keen to find out the result of your mosey through the code
21:08 <+pekster> Valen: Seems it's using a "timeval" struct associated with each client to track the last response, and that does get updated on receipt of authenticated packets
21:09 <+pekster> A quick test locally confirms that behiavor where I sent ping packets large enough to distinguish from the "regular" keepalive traffic, dropped the keepalives, and there was no restart until I stopped the pings
21:10 <+pekster> Valen: But like I said earlier, it seems your entire link dies (that's why your transfer bombs out) so see what you learn from either logs at --verb 5 (which prints chars for each packet received, inside & outside the tunnel) or just a simple packet capture
21:10 <+pekster> Oh, but the ipad probably won't capture traffic for you since it's a crippled OS, right. Put it behind a router that can dump packets? :P
21:45 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
22:07 < Valen> Xanfoo
22:07 < Valen> bah wrong window
22:13 < Valen> pekster, thanks for the help, I'll do some more digging and see how things go
22:14 <+pekster> Sure. The one thing that might be useful to know is that even when authenticated data is received, the keepalives are still sent defined by the --ping time frame (which makes sense; just because you got a packet doesn't mean the far end got any of what you sent previously)
22:15 <+pekster> So if you see "nothing" on the transport port, you know something is awry
22:15 < Valen> I'd suggest its because its easier to fire off a ping packet on a fixed timer than to try and monitor outbound packets ;->
22:17 <+pekster> That, and the "ping" in this case is a stateless, uni-directional "fire and forget" deal
22:18 -!- Megaf__ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 248 seconds]
22:26 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 246 seconds]
22:40 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
23:10 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:19 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
23:20 -!- ajc_ [ajc@nat/hp/x-cbysfpsorpxwhhpe] has joined #openvpn
23:29 -!- ShadniX [dagger@p5481CCD9.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:30 -!- ShadniX [dagger@p57941BC4.dip0.t-ipconnect.de] has joined #openvpn
23:48 -!- maskedlua is now known as KesyerSoze|sleep
23:59 -!- Valen [~Valen@mail.workershealth.com.au] has quit [Read error: Connection reset by peer]
--- Day changed Thu Jul 03 2014
00:40 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:40 -!- mode/#openvpn [+v s7r] by ChanServ
01:02 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
01:02 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
01:27 -!- hal_from_2001 [~chatzilla@91.123.49.70] has joined #openvpn
01:28 < hal_from_2001> good morning
01:30 -!- erkules_ is now known as erkules
01:31 < hal_from_2001> I have a short question: I have a professional vpn provider. But the connection breaks at one point, because of "--ping-restart". The restart is not the problem itself. But after that I always get a "Resolv Error: Cannot resolve xxx.xxx.xxx.NET". Is this a common problem? I cannot provide a log now, because I have to extract it at home. I just wanted to ask if the error is somewhat common.
01:32 < hal_from_2001> I tried the connection on my dd-wrt router and my Linux workstation, also with Google's DNS server and the pudh'ed one from the vpn provider.
01:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:03 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:11 <@krzee> hal_from_2001, what persist options are you using?
02:12 <@krzee> (on the client)
02:13 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has joined #openvpn
02:13 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
02:16 < hal_from_2001> wait, I have to download their config...
02:16 <@krzee> i expected youd at least be able to look at your own config? but ok
02:16 <@krzee> !provider
02:16 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
02:17 <@krzee> or if you want, tell me what persist options are in your config
02:17 < hal_from_2001> I am at work currently.
02:17 < hal_from_2001> persist-tun and persist-key
02:17 <@krzee> try removing persist-tun
02:18 <@krzee> when you lose your connection to the vpn your tun persists so your routes remain, and then you cannot reach your dns server which is routed over the vpn
02:19 <@krzee> at least thats my guess
02:21 < hal_from_2001> makes sense.
02:21 < hal_from_2001> But I wonder why I am the only customer with this issue...
02:24 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
02:31 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has quit [Ping timeout: 260 seconds]
02:34 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:34 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:35 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:35 -!- mode/#openvpn [+v s7r] by ChanServ
02:40 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has joined #openvpn
02:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:03 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
03:12 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has quit [Ping timeout: 260 seconds]
03:30 -!- mirco [~mirco@nat2-145.fh-giessen.de] has joined #openvpn
03:41 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
03:54 -!- mirco [~mirco@nat2-145.fh-giessen.de] has quit [Ping timeout: 255 seconds]
03:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:06 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Remote host closed the connection]
04:07 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
04:10 -!- dazo_afk is now known as dazo
04:22 -!- mitz [~mitz@rt.miraclelinux.com] has quit [Ping timeout: 255 seconds]
04:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
04:35 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:35 -!- mode/#openvpn [+v s7r] by ChanServ
04:44 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
04:49 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 260 seconds]
04:55 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
04:59 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has joined #openvpn
05:05 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has quit [Ping timeout: 248 seconds]
05:09 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
05:13 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has joined #openvpn
05:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:25 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has quit [Ping timeout: 255 seconds]
05:31 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has joined #openvpn
05:36 -!- mirco [~mirco@tmo-108-171.customers.d1-online.com] has quit [Ping timeout: 260 seconds]
05:39 -!- hal_from_2001 [~chatzilla@91.123.49.70] has quit [Ping timeout: 240 seconds]
05:45 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
05:50 -!- le0 [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
05:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
05:54 -!- mapps [Mark@2.217.141.108] has joined #openvpn
05:57 -!- Nikon [Nikon@alpha.yourbnc.co.uk] has quit [Ping timeout: 260 seconds]
05:57 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
05:59 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
06:03 -!- Nikon [Nikon@alpha.yourbnc.co.uk] has joined #openvpn
06:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:25 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 272 seconds]
06:36 -!- mirco [~mirco@nat2-146.fh-giessen.de] has joined #openvpn
06:51 -!- mirco [~mirco@nat2-146.fh-giessen.de] has quit [Ping timeout: 252 seconds]
06:58 -!- mirco [~mirco@nat2-146.fh-giessen.de] has joined #openvpn
07:04 -!- mirco [~mirco@nat2-146.fh-giessen.de] has quit [Quit: mirco]
07:05 -!- mirco [~mirco@nat2-146.fh-giessen.de] has joined #openvpn
07:06 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
07:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
07:11 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
07:18 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
07:20 -!- mirco [~mirco@nat2-146.fh-giessen.de] has quit [Quit: mirco]
07:23 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Remote host closed the connection]
07:23 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
07:24 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 260 seconds]
07:24 -!- Champi [Champi@rootshell.fr] has joined #openvpn
07:24 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
07:24 -!- mode/#openvpn [+o raidz] by ChanServ
07:24 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:25 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
07:30 -!- ajc_ [ajc@nat/hp/x-cbysfpsorpxwhhpe] has quit [Ping timeout: 252 seconds]
08:29 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
08:31 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
08:58 < matt_> does anybody know if openvpn in server mode (with tun) can grab dhcp leases from a dhcp server to give to clients?
08:59 < matt_> I am setting up openvpn that will need to give out addresses from a subnet that already has other vpn servers on it and it will avoid address conflicts
09:05 -!- Rahoul [~nicolas@186.22.121.187] has joined #openvpn
09:08 < Rahoul> Hi i generated a key by doing build-key user and when going through the creation process I accidentally skipped the sing step, and instead of hitting Y/N I hit enter which resulted in the creation of an empty user.crt file. As soon as I realised of that I tried removing it by revoking the cert I get the following database error:
09:08 < Rahoul> 3073628360:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('user.crt','r')
09:08 < Rahoul> 3073628360:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
09:08 < Rahoul> unable to load certificate
09:11 < Rahoul> how can I revoke it?
09:13 < rob0> matt_, there is no such feature, although something like that could be written.
09:14 < rob0> I would suggest simply expanding your networks such that conflicts will be impossible.
09:15 < matt_> rob0: ok, is there any way to dynamically supply addresses to an openvpn server for client use? it would also be helpful if there was multiple openvpn servers all sharing the same subnet?
09:15 < matt_> rob0: I could but thats using more public addresses that are already running out
09:16 < matt_> rob0: the vpn subnet is already a /22
09:16 < rob0> Oh, so not RFC 1918 as we would normally assume around here?  Maybe you can get away with smaller slices.
09:17 < Rahoul> hi rob0
09:17 < matt_> rob0: I could, the only problem I would have is if servers fail and everything rocks onto a single server it might run out of addresses but could be possiable
09:19 -!- loganaden [~logan@197.226.7.64] has joined #openvpn
09:19 < loganaden> hoi
09:22 < Rahoul> I just found a fix, sharing if anyone is interested: http://openvpn.net/archive/openvpn-users/2006-07/msg00184.html
09:22 <@vpnHelper> Title: [Openvpn-users] Is it possible to revoke without their crt? (at openvpn.net)
09:33 -!- ShadniX [dagger@p57941BC4.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
09:34 -!- jp- [~jp@unaffiliated/jp-] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
09:34 -!- ShadniX [dagger@p57941BC4.dip0.t-ipconnect.de] has joined #openvpn
09:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:39 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has joined #openvpn
09:40 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
09:44 -!- elfixit [~Icedove@cust.static.46-14-206-196.swisscomdata.ch] has quit [Ping timeout: 264 seconds]
09:48 -!- Rahoul [~nicolas@186.22.121.187] has left #openvpn []
09:48 -!- Rahoul [~nicolas@186.22.121.187] has joined #openvpn
09:58 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:00 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
10:04 < mapps> argh noone answered me on forum..in here or in #openvpn-as
10:25 < rob0> Bummer.  But if you are in fact using Access Server, this is not the place to complain.
10:27 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
10:27 < dvl_> This tun0 for OpenVPN works. tun0:         inet 10.8.1.31 --> 10.8.1.31 netmask 0xffffffff <== Figured both ends had to be unique.
10:30 < dvl_> Two of my clients have both ends of the tunnel with the same IP address.
10:35 -!- AwesomeMarioFan [~Mario@167.88.119.119] has joined #openvpn
10:35 < rob0> How do you say it works?  I'd think each end would handle packets to 10.8.1.31 as local, on its own loopback.
10:35 < AwesomeMarioFan> Hi, I was wondering if someone could help me out with IPv6 on openvpn
10:36 < AwesomeMarioFan> I have it setup, and the client gets a v6 address as well as sends ping requests, but there's no response
10:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
10:38 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
10:40 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
10:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
10:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:43 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:44 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
10:48 -!- AwesomeMarioFan [~Mario@167.88.119.119] has quit [Ping timeout: 264 seconds]
10:56 < dvl_> rob0: traffic between the server and client travels as expected.  This has been set up this way for months.
10:57 < dvl_> rob0:  on the client, pings are 100ms, on the server, 54ms.  so clearly 10.8.1.31 is at the server
10:58 < dvl_> Yet ifconfig | grep 10.8.1.31 on the server gives nothing.
10:58 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Quit: Leaving]
11:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:27 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
11:33 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:44 -!- raidz is now known as raidz_away
11:44 -!- raidz_away is now known as raidz
11:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:46 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 272 seconds]
11:48 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
11:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
11:54 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:56 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
12:05 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Quit: So long and thankful is the fish...]
12:05 -!- Latrina [~Latrina@adsl-ull-52-254.45-151.net24.it] has quit [Ping timeout: 248 seconds]
12:09 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
12:10 -!- Latrina [~Latrina@ppp-163-2.26-151.libero.it] has joined #openvpn
12:33 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 255 seconds]
12:39 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:02 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: ENOIRC]
13:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
13:15 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
13:22 -!- TheScorp [~noyou@37.81-166-92.customer.lyse.net] has joined #openvpn
13:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:53 < haasn> When using --ifconfig-noexec and/or --route-noexec, is there some sort of “default” or “template” script that I can base my edits off that will imitate what OpenVPN is doing without those commands? I want to add “sudo” in front of each, I added openvpn ALL=(root) NOPASSWD: /bin/route, /bin/ifconfig to my sudoers
13:54 < haasn> (My problem is that openvpn doesn't have permissions to update routing tables after the priv drop and hence simply dies if the connection goes down)
14:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:17 -!- Latrina [~Latrina@ppp-163-2.26-151.libero.it] has quit [Max SendQ exceeded]
14:18 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:18 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
14:18 -!- Latrina [~Latrina@ppp-163-2.26-151.libero.it] has joined #openvpn
14:26 < haasn> Hmm, managed to clobber something together by running a bunch of echos on the environmental variables openvpn provides
14:26 < haasn> Not very resistant to upstream change, but I guess it works for me
14:32 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
14:40 -!- dazo is now known as dazo_afk
14:43 < haasn> Managed to do the same for ifconfig-noexec now; I'm left with one sticky situation though. The contents of $remote_1 that openvpn sets are the *hostname* of the remote client, as specified in my “remote” config entry. Is there any way to get the IP address of the server I'm actually connecting to?
14:43 < haasn> (So I can set up a route)
14:54 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
14:55 < br4ndon> hi there
14:56 < br4ndon> could someone suggest a way to sync files through openvpn connections?
14:57 < dvl_> rsync?
14:58 < dvl_> That's what I'd use
15:00 < br4ndon> hm okay
15:00 < br4ndon> I was hesitating with unison
15:01 < br4ndon> (which is a layer over rsync if  I remember right)
15:04 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
15:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
15:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:06 < Eugene> "The same way you'd transfer a file not-over-openvpn"
15:07 < Eugene> rsync-over-SSH being a great option. Select a cheap cipher if you're moving several jiggabytes
15:07 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 255 seconds]
15:12 -!- tiksa_ [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
15:12 < br4ndon> the goal is not to have the files stay on the server
15:12 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Remote host closed the connection]
15:12 -!- tiksa_ is now known as tiksa
15:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 252 seconds]
15:13 < br4ndon> so having two machines connected to the server with openvpn, and use rsync is a proper way?
15:13 < br4ndon> Did not think it would be that easy
15:13 < br4ndon> Can't try now that's why I bother asking
15:13 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:13 < Eugene> openvpn is just a way to set up a secure network tunnel
15:13 < Eugene> Nothing special about the traffic inside it
15:14 < br4ndon> I often experience disconnections through my openvpn daemon
15:14 < br4ndon> would that be a problem for rsync?
15:15 < br4ndon> as not being able to recover a badly stopped previous rsync
15:16 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:18 < haasn> In my very limited experience the most resilient protocol for transferring files through any sort of network is torrent; I do not know a torrent client that does not handle disconnections, shutdowns, timeouts or ip changes gracefully
15:18 < haasn> I don't think you can “resume” with ssh or rsync; rsync won't re-transfer already-done files but it won't resume an “in transfer” file afaik
15:19 < br4ndon> torrents may have a robust resuming capacity, it is not quite suitable to personal file syncing
15:19 < haasn> maybe you could get HTTP to work, that supports resuming files (partial downloads) really well
15:20 < haasn> apart from that, I don't know; I'd like to know this as well. file transferring is one of the few unsolved problems of the 21st century
15:21 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 272 seconds]
15:25 -!- KesyerSoze|sleep [~maskedlua@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
15:26 -!- KesyerSoze|sleep [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
15:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 248 seconds]
15:33 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:34 -!- loganaden [~logan@197.226.7.64] has quit [Quit: Lost terminal]
15:35 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 255 seconds]
15:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:38 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
15:38 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
15:38 -!- outofbounds [~outofboun@198.199.109.226] has joined #openvpn
15:46 <@syzzer> br4ndon: actually, BTSync does pretty well :)
15:51 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
15:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
16:00 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 252 seconds]
16:03 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
16:20 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has quit [Quit: I left the oven on]
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:26 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
16:36 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
16:38 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
16:47 -!- zapotek6 [~zap@host248-82-dynamic.9-87-r.retail.telecomitalia.it] has joined #openvpn
16:47 -!- zapotek6 [~zap@host248-82-dynamic.9-87-r.retail.telecomitalia.it] has quit [Max SendQ exceeded]
16:58 -!- Slippern [slippern@server02.hjemmeserver.info] has joined #openvpn
17:04 < altermann> BTSync is the shiet
17:04 < altermann> sorry for the foul language
17:06 < altermann> if i have a point-to-network type of setup, can i also have road warriors?
17:08 -!- arescorpio [~arescorpi@210-203-17-190.fibertel.com.ar] has joined #openvpn
17:12 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:19 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has joined #openvpn
17:24 < rob0> If you mean static-key p2p type tunnels, it does not scale well past a few peers, but sure, just give each road warrior peer a distinct port.
17:27 < altermann> i'm running this OS called ipfire and everything is displayed in a browser. their naming convention is slightly different than other distros
17:27 < altermann> so my initial setup which works fine is: net-to-net, 2 machines running ipfire and acting as gw as well
17:27 < altermann> open vpn is setup in a server-to-server kind of deal
17:28 < altermann> at least that's how i see it
17:28 < altermann> but only one machine generates certs and config files
17:31 < altermann> but i can also setup static subnets for road warriors which i've done so, and i've generated separate zip packages for each client. even thought the clients connect to the ovpn server, they cannot browse the local subnet behind the ovpn server
17:32 < altermann> the local subnet is pushed to the clients by default
17:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:47 <+pekster> No pushing of subnets happens by default in OpenVPN. If you're not directly using OpenVPN, you'd have to ask the provider/vendor of the frontend you're using
17:48 <+pekster> We have resources to do that _with_ OpenVPN in: !serverlan (for LANs behind the server) or !clientlan (for LANs behind a client)
17:51 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 252 seconds]
17:56 < altermann> pekster: it is openvpn they just throw a web interface on top of it. :)
17:56 < altermann> i will mock around with it and see if i can get to the bottom of it
17:58 < altermann> the reason i said the lan behind openvpn gets pushed by default is be cause i actually tried to push it manually from the "routes push option" section and i got an error message saying it's pushed by default. in fact it is listed on the client pc when i do "route PRINT" in cmd
17:58 <+pekster> It does _NOT_ get pushed by default from OpenVPN
17:58 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
17:59 <+pekster> If you're using something else, please consult its documentation, support channels, forums, or mailing list as we don't try and support every frontend out there
17:59 <+pekster> Now if you have a config, that's a starting point as to learning what it's doing. If you "don't get" that, you're stuck using whater UI/APIs they give you
18:01 -!- larryone [~larryone@176.61.1.155] has quit [Client Quit]
18:03 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
18:03 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
18:08 < Haigha> it is possible to push mssfix/fragment in 2.3.4 ?
18:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
18:13 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 245 seconds]
18:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:14 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
18:14 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
18:14 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
18:22 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
18:28 -!- p3rror [~mezgani@105.158.144.222] has joined #openvpn
18:38 < haasn> altermann: Is there a foss alternative to BTSync?
18:39 < haasn> ah, there's http://prism-break.org/en/all/#file-storage-sync
18:39 <@vpnHelper> Title: All Projects - PRISM Break (at prism-break.org)
18:53 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
18:55 -!- arescorpio [~arescorpi@210-203-17-190.fibertel.com.ar] has quit [Excess Flood]
18:55 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:02 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
19:37 -!- arescorpio [~arescorpi@210-203-17-190.fibertel.com.ar] has joined #openvpn
19:43 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
20:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:13 -!- mapps [Mark@2.217.141.108] has quit [Ping timeout: 244 seconds]
20:21 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
20:25 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
20:25 <@krzee> Haigha, im not sure, but that should be easy as hell to test
20:25 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
20:30 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
20:34 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
20:35 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 264 seconds]
20:35 -!- Rahoul [~nicolas@186.22.121.187] has quit [Quit: Leaving.]
20:43 -!- Rahoul [~nicolas@186.22.121.187] has joined #openvpn
20:46 -!- Rahoul [~nicolas@186.22.121.187] has quit [Client Quit]
20:47 -!- Rahoul [~nicolas@186.22.121.187] has joined #openvpn
20:57 -!- altermann [~chatzilla@174.1.107.101] has quit [Ping timeout: 252 seconds]
21:11 -!- Rahoul [~nicolas@186.22.121.187] has quit [Quit: Leaving.]
21:21 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
21:22 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
21:23 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
22:36 -!- ajc_ [ajc@nat/hp/x-xkuiafdvgsyjbqoe] has joined #openvpn
23:10 -!- arescorpio [~arescorpi@210-203-17-190.fibertel.com.ar] has quit [Excess Flood]
23:24 -!- thomasb9511 [~tbrown13@unaffiliated/thomasb9511] has joined #openvpn
23:24 < thomasb9511> !welcome
23:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
23:24 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:25 < thomasb9511> !goal
23:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:27 < thomasb9511> !goal I would like to connect my router using ipv6 back to my server.
23:27 < thomasb9511> !howto
23:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
23:29 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
23:29 -!- ShadniX [dagger@p57941BC4.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:30 -!- ShadniX [dagger@p5DDFF3D3.dip0.t-ipconnect.de] has joined #openvpn
23:30 < thomasb9511> Is it possible to pull an entire /64 ipv6 subnet through openvpn? Say I have my ov server setup with ipv6 at work and I wanted to have a subnet of my work's /56 space.
23:31 < thomasb9511> !interface
23:31 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For
23:31 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
23:31 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
23:34 < thomasb9511> I know using ipv4 it is trivial but ipv6is an odd character.
23:38 < thomasb9511> I.e. like how my our modem uses prefix delagation to get the /56 from our isp and then our switches chop it up into our networks.
23:40 < thomasb9511> That would be a site to site vpn would it not?
23:43 <+pekster> IPv6 hasn't changed the rules of routing
23:44 <+pekster> "having IPv6" is not the same as having a block of address space routing to your system
23:46 <+pekster> Get a routed /64 (or more) block routed to your system and you can do whatever with it though
23:49 < thomasb9511> So I could use openvpn to route a /64 from our /56 block to my firewall here at home?
23:51 <+pekster> Only _if_ you properly route a /64 from the /56 block to the computer at _THAT_ end
23:51 <+pekster> (the server end, not your home end)
23:51 <+pekster> Routing isn't magic
23:52 < thomasb9511> Ok fair enough
23:53 <+pekster> OpenVPN is basically "just another router" -- if you treat it as such from a networking topology you'll have better results figuring it out
23:53 <+pekster> Same as any router, it does no good unless it's been allocated a usable block to do something with
23:54 < thomasb9511> All right
23:59 < thomasb9511> so OpenVPN is a lot more flexible then what I thought it was.
--- Day changed Fri Jul 04 2014
00:03 -!- thomasb9511 [~tbrown13@unaffiliated/thomasb9511] has quit [Quit: Leaving]
00:12 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
00:12 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
00:14 -!- thomasb9511 [thomasb951@unaffiliated/thomasb9511] has joined #openvpn
00:30 -!- thomasb9511 [thomasb951@unaffiliated/thomasb9511] has quit [Quit: YourBNC - (https://yourbnc.co.uk)]
00:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 252 seconds]
00:49 -!- neverme [neverme@191.185.163.216] has joined #openvpn
00:50 < neverme> Is there a switch command to install openvpn and the tap driver without having to confirm anything? I have UAC disabled but the driver still asks for confirmation and I am trying to automate it with a simple bat fiel
00:50 < neverme> s/fiel/file
00:50 -!- thomasb9511 [thomasb951@unaffiliated/thomasb9511] has joined #openvpn
00:54 -!- thomasb9511 [thomasb951@unaffiliated/thomasb9511] has quit [Client Quit]
01:21 -!- neverme [neverme@191.185.163.216] has quit [Quit: Leaving]
01:43 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:03 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:19 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:31 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:08 < haasn> I have ifconfig-noexec; but OpenVPN still tries to remove the TUN device manually when reconnecting. What's the criteria for when ifconfig-noexec actually stops OpenVPN from automatically running ifconfig/iproute?
03:08 < haasn> Do I need to ensure I have both an “up” script as well as a “down” script?
03:11 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
03:11 <@plaisthos> haasn: ifconfig-noexec is only for ip configuration related stuff
03:12 < haasn> Can I delegate adding/removing the interface to scripts as well?
03:12 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
03:12 <@plaisthos> I don't think so
03:12 < haasn> Hmm, now what?
03:12 <@plaisthos> haasn: normally you don't that
03:13 <@plaisthos> OpenVPN does not remove a tun device that there before starting OpenVPN
03:13 <@plaisthos> also see persist-tun
03:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
03:16 < haasn> “Fri Jul  4 10:16:15 2014 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.”
03:17 < haasn> I have custom scripts in place that should be capable of setting up the new IP and adding/removing routes using properly elevated permissions
03:19 < haasn> “Fri Jul  4 10:16:16 2014 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)”
03:19 < haasn> The cleanest way around this issue I see would be by providing more commands for OpenVPN to use a custom command for ioctl/ifconfig/iproute/whatever instead of the normal ones; namely I want to run them through “sudo”
03:20 < haasn> There's --iproute in the handbook but I've never gotten it to work (just complains about missing parameters or unrecognized options)
03:24 < haasn> Sounds like http://openvpn.net/archive/openvpn-users/2006-03/msg00266.html
03:24 <@vpnHelper> Title: [Openvpn-users] TUN/TAP permission, non-root user (at openvpn.net)
03:24 < haasn> I guess the only solution that thread mentions is “run OpenVPN as root”
03:24 < haasn> ugly, but better than no connectivity
03:28 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
03:28 <@plaisthos> you can probably hack something to together to let another programm open the tun device for you
03:29 <@plaisthos> iirc there have been patches to the mailinglist
03:30 <@plaisthos> google for add pipe to external programm
03:59 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Quit: Leaving]
04:01 -!- dazo_afk is now known as dazo
04:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
04:02 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
04:04 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:43 -!- mode/#openvpn [+o syzzer] by ChanServ
04:46 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
04:50 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
04:50 < debbie10t> hi, is Securepoint related to OpenVPN ?
06:04 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
06:51 -!- Moz [~Moz@62-210-142-219.rev.poneytelecom.eu] has joined #openvpn
06:51 < Moz> Hi All
06:51 < Moz> I have a problem working out how to add a route from my client to an openvpn server I have successfully connected to.
06:52 < Moz> The OpenVPN connection has created a device tuin0
06:52 < Moz> tun0*
06:52 < Moz> but no traffic is being routed to it
06:52 < Moz> how do I work out what "ip route add .." commands to issue to send all the traffic through the vpn?
06:56 < Moz> Without the server sending me the redirect-gateway
07:00 <@syzzer> either let your server push route commands, or add route commands to your client config
07:00 < Moz> yes I need to add the route commands but I dont understand what the commands are I need to add
07:01 <@syzzer> well, for the networks you want to have routed over your VPN
07:01 < Moz> When I connect I get a note to say " unable to redirect default gateway -- Cannot read current default gateway from system" so the server cannot set the route for me
07:01 < Moz> I want to route all traffic over the VPN
07:01 <@syzzer> ah, you're on a windows client
07:01 < Moz> Im using Ubuntu
07:01 < Moz> command line
07:02 <@syzzer> ah, ok, sorry. I was under the impression that error msg was windows specific
07:02 < Moz> Ive had a long look around on google and I see lots of people suggesting adding an up.sh which is run after the vpn is connected, but Im really confused what I need to add in there.
07:02 <@syzzer> try "redirect-gateway def1", instead of just "redirect-gateway"
07:02 < Moz> ok trying
07:03 <@syzzer> disclaimer: I'm more a crypto guy than a networking guy, so I might say stupid stuff ;)
07:04 < Moz> nope, still the same NOTE and also traffic still going via the normal internet connection
07:04 <@syzzer> are you running openvpn as root?
07:05 < Moz> yes
07:07 -!- ajc_ [ajc@nat/hp/x-xkuiafdvgsyjbqoe] has quit [Ping timeout: 252 seconds]
07:09 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:10 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
07:15 <@plaisthos> !redirect-gateway
07:15 <@plaisthos> Moz: are you using redirect-gateway without the def1 option?
07:15 <@plaisthos> oh syzzer already said that
07:15 <@plaisthos> nevermind
07:16 <@syzzer> hmm, perhaps:
07:16 <@syzzer> !redirect
07:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:16 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
07:21 < Moz> It's not my openvpn server, it is a vpn provider so I cant change the openvpn configuration
07:21 < Moz> I mean I cant change the server configuration
07:26 < Moz> ahh, I managed to do it by running  "route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0"
07:34 < Moz> bah no I didn't.
07:38 -!- Shikieiki_ [~user@unaffiliated/shikieiki/x-6321105] has joined #openvpn
07:39 < Shikieiki_> Linux ifconfig inet6 failed: external program exited with error status: 1
07:39 < Shikieiki_> i'm getting this error here, even though i do not use ipv6
07:42 < Shikieiki_> this only happened recently, a day ago. i am on openvpn version 2.3.4
07:46 < Shikieiki_> if someone is aware of a simple fix and knows the problem already please memoserv me if you don't mind, i have to abruptly leave
07:46 -!- Shikieiki_ [~user@unaffiliated/shikieiki/x-6321105] has quit [Quit: leaving]
07:49 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:51 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:59 -!- KesyerSoze|sleep is now known as KeyserSoze
07:59 -!- KeyserSoze is now known as maskedlua
08:25 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
08:29 -!- ||arifaX [~quassel@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
08:52 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
08:58 -!- Moz [~Moz@62-210-142-219.rev.poneytelecom.eu] has quit []
09:01 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Remote host closed the connection]
09:02 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
09:07 -!- eroen [~eroen@unaffiliated/eroen] has quit [Ping timeout: 245 seconds]
10:00 < matt_> does anybody know if its possiable to specify which address openvpn will assign to its tun0 interface when running in client/server mode?
10:01 < matt_> its taken the first address but I would like it to take a different one
10:11 <@dazo> matt_: If you look at --server in the man page (I presume you use --server), you'll see that --server is just a kind of macro.  If you instead do all those steps --server covers, you can set your own IP address for tun/tap devices
10:17 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Max SendQ exceeded]
10:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:17 -!- mode/#openvpn [+v s7r] by ChanServ
10:19 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
10:26 < matt_> dazo: cool, cheers
10:29 -!- zapotek6 [~zap@host198-84-dynamic.9-87-r.retail.telecomitalia.it] has joined #openvpn
10:30 -!- zapotek6 [~zap@host198-84-dynamic.9-87-r.retail.telecomitalia.it] has quit [Max SendQ exceeded]
10:38 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
10:40 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
10:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:00 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:28 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
11:29 -!- Latrina [~Latrina@ppp-163-2.26-151.libero.it] has quit [Ping timeout: 244 seconds]
11:30 -!- Latrina [~Latrina@adsl-ull-21-179.50-151.net24.it] has joined #openvpn
11:30 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
11:33 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
11:47 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
12:05 -!- Whoopie [~Whoopie@unaffiliated/whoopie] has quit [Quit: Proxy shutdown]
12:44 -!- Envil [~meep@85.17.109.16] has joined #openvpn
12:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:05 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
13:06 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
13:07 -!- ocherno [~ocherno@d199-74-72-47.try.wideopenwest.com] has joined #openvpn
13:07 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
13:09 < ocherno> hey, in the bridge mode, how do I push DNS to the remote client?
13:10 <+pekster> Depends what's providing the DHCP; if you have openvpn fake it, use !pushdns (same as not bridging with stand-alone tap or tun.) Otherwise, configure your far-side DHCP server properly if openvpn is _not_ giving the client an IP
13:11 <+pekster> You should also consider if you really want to bridge (or use tap at all) as that tends to complicate topology. More info at: !tunortap
13:11 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
13:15 < ocherno> does local DCHP provide IPs for remote clients in the bridge mode? What do you mean by "fake it" ... ifconfig-pool?
13:16 <+pekster> Yes
13:17 <+pekster> OpenVPN fakes a DHCP reply (on Windows) or causes the remote side to directly set (on non-Windows) the address provided
13:18 <+pekster> Otherwise, if you don't use that, normal OSI L2 broadcasts are responsible for that kind of thing (and it gets extra-complicated to deal with that due to default routes screwing things up for VPN clients)
13:18 < rob0> You could do L2 filtering (such as ebtables) before the bridge, if you want.
13:19 < rob0> However, like pekster, I would bet that the best answer is to switch to tun.
13:19 <+pekster> If you don't need non-IP transport, stick to tun. Your life will be easier
13:19 <+pekster> If you do, be prepared for life to get a bit more complicated (possibly a lot more depending on what you want)
13:19 <+pekster> (do need non-IP transport, that is)
13:22 < ocherno> usually I set up VPN in NAT mode, but this particular client asked for bridge, since he needs access remote client from the office .. is there a way to provide reverse path in NAT mode?
13:24 <+pekster> What does "access remote client from the office" mean? You didn't explain why you need non-IP transit yet
13:24 <+pekster> What _exactly_ are you "accessing"?
13:25 < rob0> NAT?  Why NAT?  NAT and bridge are not exclusive, nor are either always necessary.
13:26 < ocherno> an employee connects via VPN a remote machine... another employee from the office, need to ssh into the remote machine
13:26 < rob0> "reverse path"?
13:26 < rob0> sure, set up proper routes
13:26 < rob0> maybe like:
13:26 < rob0> !serverlan
13:26 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:26 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:29 <+pekster> Provided you control the office network, no NAT is necessary at all
13:29 <+pekster> Have the office LAN route the VPN IP range to the VPN server, use tun in routing mode (what you should be doing here), and magically all office systems can reach the VPN range
13:29 <+pekster> Mind firewalls, of course
13:30 <+pekster> You might need to NAT on the outbound since the far-client won't know how to get back to the company IP range, unless you push routes (and if you do that, careful to scope/select networks unlikely to collide)
13:39 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
13:39 < ocherno> for some reason, I thought that layer3/mode presumes NAT
13:39 <+pekster> NAT is separate from (yet related to) routing
13:40 < ocherno> so I can switch VPN to layer3 mode and maintain a flat network with remote users being part of it?
13:40 <+pekster> tun is routing
13:40 <+pekster> Like _any_ routed topology, each network is unique
13:41 <+pekster> You don't want to bridge anyway; are you personally being given network space on the remote-networks? If not, bridging isn't the right solution
13:41 <+pekster> It also seems foolish to bridge foreign "customer/client" systems to your corp network; then an infected/hacked/mallicious system could do fun things like ARP poison you and hijack all office network traffic
13:41 <+pekster> Probably not what you want
13:41 <+pekster> ssh is an _IP_ protocol -- why are you even considering using tap at all?
13:42 <+pekster> (well, IP-based, as in it sits above IP)
13:43 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
13:45 < ocherno> well ... I was not investing enough time to think of routing option ... and went replicating customer old setup
13:46 < ocherno> now I do see, that wiht proper routing I can have NAT remote client while still give office users access to the remote machine
13:46 <+pekster> Right. "It's just routing" -- think of openvpn as "just a router" (with some cool security features) and it'll be easier to design a topology around it
13:49 < ocherno> thanks
13:49 < ocherno> for you in US, happy for 4th
13:50 < ocherno> s/for/
14:09 -!- outofbounds [~outofboun@198.199.109.226] has quit [Ping timeout: 252 seconds]
14:14 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: br4ndon]
15:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:06 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 245 seconds]
15:12 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
16:00 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:32 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:10 < ocherno> can I assign to remote clients static IP?
17:18 -!- p3rror [~mezgani@105.158.144.222] has quit [Ping timeout: 272 seconds]
17:18 <+pekster> ocherno: Read:
17:18 <+pekster> !static
17:18 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range or (#5) See
17:19 <@vpnHelper> also: !addressing
17:29 < ocherno> !addressing
17:29 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
17:30 <+pekster> !forget static 4
17:30 <@vpnHelper> Joo got it.
17:30 <+pekster> !forget static 4
17:30 <@vpnHelper> Joo got it.
17:30 <+pekster> !learn static as with static IPs, limit your --ifconfig-pool to exclude the static range
17:30 <@vpnHelper> Joo got it.
17:30 <+pekster> !learn statuc as See also: !addressing
17:30 <@vpnHelper> Joo got it.
17:30 <+pekster> !forget statuc
17:30 <@vpnHelper> Joo got it.
17:31 <+pekster> !learn static as See also: !addressing
17:31 <@vpnHelper> Joo got it.
17:44 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
17:45 -!- quinso [~crabman@h86-62-100-131.ln.rinet.ru] has joined #openvpn
17:46 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
17:48 < quinso> Hello. I have a little problem with openvpn: I want to create a script to launch openvpn with some options, and it should tell username and password to openvpn. The problem is openvpn ignores its stdin and tries to read username and password from the terminal. The command I use is "openvpn --config filename.ovpn". If I redirect or pipe something for openvpn to use as stdin, it ignores that.
17:51 <+pekster> quinso: OpenVPN doesn't accept passwords on stdin. Read about the --auth-user-pass option in the manpage (see: !man) and the optional file parameter
17:52 < quinso> Oh, great. I'll have to rebuild openvpn to do that. I wonder who though that this is a good idea.
17:53 <+pekster> Most binary releases include that support by default
17:53 < quinso> pekster: I am on gentoo
17:53 <+pekster> Ah, then 5 minutes and you'll be set
17:53 < quinso> pekster: and somewhy that use flag is not enabled by default
17:57 <+pekster> Suggest a patch to the ebuild and file a bugreport if you'd like; that's a distro issue, but might get traction if you suggest good reasons in the bugreport
17:57 <+pekster> Inquire at #gentoo if you'd like to learn more about getting involved like that ;)
17:57 < quinso> pekster: ok, thanks for help
17:58 -!- quinso [~crabman@h86-62-100-131.ln.rinet.ru] has left #openvpn []
18:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
18:08 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 272 seconds]
18:17 < ocherno> when switching openVPN server from layer2 to layer3 mode, do users have to re-download their client.ovpn files?
18:22 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
18:25 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
18:28 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
19:02 -!- thomasb9511 [~tbrown13@unaffiliated/thomasb9511] has joined #openvpn
19:03 -!- dazo is now known as dazo_afk
19:03 -!- p3rror [~mezgani@105.158.161.203] has joined #openvpn
19:04 < thomasb9511> I am having trouble assigning my clients a static ipv6 address.
19:06 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
19:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:34 -!- Slippern [slippern@server02.hjemmeserver.info] has quit [Ping timeout: 245 seconds]
19:48 <@krzee> i would expect a gentoo user would not care what flags are enabled by default
19:49 <@krzee> ocherno, re-download or modify? they cannot use the same configs
19:50 <@krzee> for sure they must use dev tun instead of dev tap, and possibly other changes depending on your setup
19:50 < ocherno> I meant do they have to get a new client.ovpn file after I re-configure the server?
19:51 <@krzee> and i answered
19:51 <@krzee> they either need to get a new one or modify the old one
19:51 <@krzee> but for sure it must change.
19:52 < ocherno> got it, thanks\
19:52 <@krzee> np
19:54 < thomasb9511> Does ov allow for static assignment of ipv6 addresses to its clients?
19:58 <@krzee> im not sure, to find out you want to see if theres something like:
19:58 <@krzee> !static
19:58 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
19:58 <@krzee> an ifconfig-push for ipv6
19:59 <@krzee> yep, ifconfig-ipv6-push
20:04 < thomasb9511> When I use it my client doesn't get any ipv6 address.
20:05 <@krzee> and when you dont use it, your client gets assigned an ipv6 address?
20:06 < thomasb9511> yep
20:08 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 248 seconds]
20:09 < thomasb9511> ok it now is working, I had an extra colon in my client overide
20:10 <@krzee> nice
20:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
20:12 -!- mapps [Mark@2.217.140.183] has joined #openvpn
20:13 < thomasb9511> It's what happens when you have twenty things to do and you rush through things
20:15 <@krzee> meh it happens
20:22 -!- Envil [~meep@85.17.109.16] has quit [Remote host closed the connection]
20:22 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:28 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:44 -!- arescorpio [~arescorpi@192-27-245-190.fibertel.com.ar] has joined #openvpn
21:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
21:52 -!- ZitZ [~paul@h186.163.101.208.dynamic.ip.windstream.net] has joined #openvpn
21:53 < ZitZ> i'm using openvpn for android, my vpn works when I'm on 3g, but not when i'm on my parents wifi, i'm thinking because the router here is at 192.168.1.1, which is the same as my router back home. And it doesn't know to route that traffic through the vpn?
21:54 < ZitZ> make any sense?
22:18 <@krzee> ZitZ, you have found the reason to not share your common subnet
22:18 <@krzee> you should change your lan subnet to something far less common if you want to share it over the vpn
22:19 <@krzee> !randomsubnet
22:19 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
22:20 < ZitZ> New vpn connection-=]n\
22:20 < ZitZ> ugh, sorry about that
22:20 < ZitZ> yeah, that is probably the simplest solution
22:21 < ZitZ> I never use hardcoded IPs at home anyway, so changing should be a breeze
22:23 -!- thomasb9511 [~tbrown13@unaffiliated/thomasb9511] has quit [Quit: Leaving]
22:28 <@krzee> if that is the case you might be able to get away with it from home
22:28 <@krzee> assuming you bind your services to * and not the ip itself
22:29 <@krzee> if you cant reach your router over the vpn you can NAT to it
22:44 -!- themaskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
22:44 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Read error: Connection reset by peer]
22:51 -!- fejjerai [~quassel@kde/mitchell] has quit [Read error: Connection reset by peer]
22:52 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
22:57 -!- p3rror [~mezgani@105.158.161.203] has quit [Quit: Leaving]
23:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
23:11 -!- tiksa_ [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
23:14 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Ping timeout: 264 seconds]
23:14 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
23:14 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 264 seconds]
23:14 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
23:18 -!- You're now known as ecrist
23:18 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
23:18 <@ecrist> 'Merica
23:22 -!- arescorpio [~arescorpi@192-27-245-190.fibertel.com.ar] has quit [Excess Flood]
23:25 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:26 -!- ShadniX [dagger@p5DDFF3D3.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:27 -!- ShadniX [dagger@p5481C3B2.dip0.t-ipconnect.de] has joined #openvpn
23:43 < ocherno> connecting with command line, does not update DNS... any one used "post-up /etc/network/if-up.d/" successfully?
23:49 < jeev> ecrist, http://i.imgur.com/uRcW3cX.jpg
--- Day changed Sat Jul 05 2014
00:05 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 252 seconds]
00:19 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
00:37 <@krzee> ocherno,
00:37 <@krzee> !pushdns
00:37 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
01:02 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
01:15 -!- on248 [~on@189.161.56.115] has joined #openvpn
01:15 < on248> Hi
01:16 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:18 < on248> i want to connect from my lan 192.168.1.0/24 To my vps that assigns 10.
01:18 < on248> .8.6.0/24 adresses
01:19 < on248> but i get bad source addresd when i want to get to the internet
01:20 < on248> !welcome
01:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:21 < on248> !route
01:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
01:21 < on248> !clientlan
01:21 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
01:22 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
01:23 < on248> !tcpip
01:23 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
01:24 <@krzee> !iroute
01:24 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
01:24 <@krzee> you're missing that ^
01:24 <@krzee> thats why you get the bad src address errors
01:25 <@krzee> why its needed is covered in !route
01:26 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
01:27 < on248> so i do iroute 192.168.1.0/24 ovpn address poo.Ñ
01:27 < on248> pool
01:30 < on248> its needed my connection should be ldrvice>home router > vps > inet
01:31 < on248> !ccd
01:31 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
01:36  * on248 needs help
01:38 <@krzee> what is the subnet behind the client?
01:38 < on248> 192.168.0.1/24
01:39 <@krzee> are you going to be connecting from random places?
01:39 < on248> each device connects to server
01:39 <@krzee> if so, you want to change that
01:39 < on248> yes
01:39 <@krzee> that is a very common subnet and will conflict with many places
01:39 <@krzee> !randomsubnet
01:39 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
01:40 < on248> the server assigns 10.0.8/24
01:40 <@krzee> right, but if you're going to be sharing other lans you also want those to not be common
01:42 < on248> my lan encomprises all my stuff
01:42 < on248> but well
01:42 < on248> i could change it
01:42 < on248> i just want to vpn to my servr(s)
01:43 < on248> and accesd internet
01:44 <@krzee> access internet?
01:45 < on248> Using the vps
01:46 <@krzee> sorry now i see what you want
01:46 <@krzee> for some reason i thought you were trying to share your lan over the vpn
01:46 <@krzee> !redirect
01:46 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
01:46 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
01:46 <@krzee> you dont need iroute, or to change your subnet
01:47 < on248> how i can fix it
01:48 < on248> server has public ip and isnt firewalled
01:49 < on248> Oh  i see
01:51 < on248> and what if i need to acess server B which is accesible with a local ip from vpn serv
01:51 < on248> isnt a must but would be nicr
01:53 < on248> What does def1 mean
01:59 < on248> Nope
02:01 <@krzee> !def1
02:01 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
02:05 < on248> Didnt work
02:05 < on248> tried client and server side
02:10 -!- on248 [~on@189.161.56.115] has quit [Ping timeout: 264 seconds]
02:13 -!- on247 [~on@189.161.56.115] has joined #openvpn
02:13 < on247> Nope
02:14 < on247> it didnt work
02:14 < on247> but i can ping server on vpn
02:24 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
02:31 < Poster> what OS is your OpenVPN server?
02:32 < Poster> make sure you have IP forwarding enabled and you will likely need some type NAT
02:32 < Poster> netfilter, pf, etc
02:32 < on247> Ubuntu 14.04
02:32 < Poster> ok what is the output of:
02:33 < Poster> cat /proc/sys/net/ipv4/ip_forward
02:33 < on247> 1 on my pc
02:33 < Poster> ok is that the OpenVPN server?
02:33 < on247> nope
02:34 < Poster> ok need to run it against the OpenVPN server
02:35 < on247> Now its 1
02:36 < Poster> ok are you running iptables/ufw on the OpenVPN server?
02:40 < on247> Just checked all rule chains empty
02:42 < on247> its a vps and has a direct connection to the int
02:42 < Poster> ok what is the interface name of the OpenVPN server's public adapter (probably eth0)?
02:44 < Poster> might be something else if it's a VPS
02:45 < on247> yeah
02:45 < Poster> what is the adapter name?
02:46 < on247> Eth0
02:47 < Poster> ok so type
02:47 < Poster> sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
02:47 < Poster> then retry Internet access from the OpenVPN client
02:52 -!- on247 [~on@189.161.56.115] has quit [Ping timeout: 255 seconds]
02:59 -!- doebi1 is now known as doebi
03:25 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 240 seconds]
03:25 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
03:26 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
03:26 -!- mode/#openvpn [+o krzee] by ChanServ
04:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
04:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:28 -!- tiksa_ is now known as tiksa
04:28 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has quit [Quit: Peace]
04:37 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has joined #openvpn
05:14 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
05:14 <@plaisthos> ZitZ: hat should work
05:14 <@plaisthos> ZitZ: which android version are you using and have you disabled or enable the access local network feature?
05:15 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
05:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:43 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
05:50 -!- halothe23_ [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
05:54 -!- halothe23_ is now known as halothe23
06:50 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
06:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:09 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
07:13 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:29 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit]
07:31 -!- Denial [~Denial@host86-134-248-230.range86-134.btcentralplus.com] has quit [Ping timeout: 240 seconds]
07:37 -!- Denial [~Denial@host86-148-138-181.range86-148.btcentralplus.com] has joined #openvpn
07:47 -!- Kuba [newc3917@unaffiliated/kuba] has quit [Ping timeout: 245 seconds]
07:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:47 -!- Kuba [newc3917@unaffiliated/kuba] has joined #openvpn
08:00 < lauri> Hi guys, is openvpn3 source changelog somewhere available aswell?
08:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:02 -!- mode/#openvpn [+v s7r] by ChanServ
08:05 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
08:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
08:27 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:41 < ZitZ> i'm on 4.0 something and i have toyed with the local network feature i believe you are referring to
08:41 <@plaisthos> lauri: openvpn3 isn't officially released, the best there is the changelog of the ios/android openvpn connect client
08:42 <@plaisthos> If that feature does not help you may need to add routes half the destination network
08:43 <@plaisthos> e.g. 192.168.6.0/25  and 192.168.6.128/25 as routed over the  vpn
08:43 <@plaisthos> or just routes  to the host you want to reach
08:43 < ZitZ> hmmmm, what would be an example for a host specific route?
08:44 < ZitZ> i've been toying with forcing some routes in the app, and no dice
08:44 < ZitZ> but haven't tried host specific
08:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 264 seconds]
08:45 <@plaisthos> just the ip without a /xx
08:45 <@plaisthos> that should work
08:45 <@plaisthos> at least it did in my last test
08:49 < ZitZ> that works
08:50 < ZitZ> but doesn't solve not being able to access named resources since dns isn't being served by the remote router
08:50 < ZitZ> what if i added 192.168.1.1?
08:52 < ZitZ> that works
08:53 <@plaisthos> :)
08:53 < ZitZ> thanks for the stopgap. :) i'll definitely change my LAN ip to something much more obscure, any recommendations?
08:54 <@plaisthos> if you want really obscare use something from the third range
08:54 <@plaisthos> the 172.something
08:54 <@plaisthos> !rfc1918
08:54 <@vpnHelper> "rfc1918" is "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
08:54 < ZitZ> my VPN subnet is 172.16 i think? that won't conflict?
08:54 <@plaisthos> then use 172.27.213.0/24 :)
08:55 <@plaisthos> or somethng similar obscure
08:56 < ZitZ> that sould work just fine for me. thanks for the information
09:02 -!- Envil [~meep@85.17.109.16] has joined #openvpn
09:05 < lauri> plaisthos: could you state some dates please? when was openvpn3 development started?
09:47 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:49 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
09:55 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
10:16 <@plaisthos> lauri: ask openvpn corp
10:24 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
10:39 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:53 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
11:08 -!- tiksa [~tiksa@gateway/tor-sasl/tiksa] has left #openvpn ["Peace"]
11:09 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
11:09 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
11:22 -!- benxyzzy [~ben_xyzzy@cpc2-cmbg15-2-0-cust359.5-4.cable.virginm.net] has joined #openvpn
11:22 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
11:39 < benxyzzy> How can I debug this issue? I have a program which needs to talk to a server in a VPN-accessible network. However, communication fails unless the VPN connection is established over ethernet. When wirelessly connected to my local network (+ tunnelblick connection to remote network on OSX Mavericks) I can 'see' the remote network including the server. I can even communicate with other services on the server eg. SMB shares
11:39 < benxyzzy> . But this one specific program acts like it can't see the server.
11:41 < benxyzzy> Why should it make a difference to the tunnel whether or not it's going over wired or wireless? Let alone one specific program using the tunnel. This program (MATLAB) runs on Java.
11:42 -!- Synchunk [Synchunk@unaffiliated/synchunk] has joined #openvpn
11:46 < benxyzzy> I really don't know where to look to pinpoint the discrepancy. I've tcpdump-ed the traffic under each circumstance and can see where the MATLAB-server 'conversation' starts to diverge, but don't have the expertise to interpret.
11:46 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
11:46 -!- mode/#openvpn [+v RBecker] by ChanServ
11:48 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
11:52 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:53 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
11:56 < Eugene> benxyzzy - what OS?
11:56 < benxyzzy> OSX Mavericks
11:59 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
12:01 < benxyzzy> I've heard tell of tunnelblick / openvpn issues specifically over wireless connections, but Google implies these are all-or-nothing. These people cannot connect via VPN *at all* except by wired connection. I am seemingly connected fine, but this one specific program has a problem. Maybe it's not VPN's fault per se - could my 'en0' and 'en1' interfaces have some config difference? tunnelblick creates a new 'tap0' interfa
12:01 < benxyzzy> ce for the connection - I'd have expected MATLAB to regard it identically whatever 'actual' interface the tunnel's going over.
12:01 < Eugene> Then I have absolutely idea
12:02 < Eugene> I'd guess some sort of issue with your transport - wireless networks often fall over under heavy packet loads
12:03 < Eugene> Or possibly a RFC1918 collision
12:05 < benxyzzy> Thanks for your thoughts
12:06 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
12:15 -!- Synchunk [Synchunk@unaffiliated/synchunk] has quit [Quit: Synchunk]
12:15 -!- Synchunk [Synchunk@unaffiliated/synchunk] has joined #openvpn
12:19 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
12:34 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
12:48 -!- arescorpio [~arescorpi@91-201-17-190.fibertel.com.ar] has joined #openvpn
12:55 -!- Damjanko [~hmsck@static-dsl-84.87-197-153.telecom.sk] has joined #openvpn
13:05 -!- Damjanko [~hmsck@static-dsl-84.87-197-153.telecom.sk] has quit [Quit: Leaving]
13:33 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro
13:43 -!- Netsplit over, joins: fred``, Ulrar
13:44 -!- justinzane [~justinzan@24.49.207.203] has quit []
13:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
14:04 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
14:08 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
14:09 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:13 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
14:25 -!- arescorpio [~arescorpi@91-201-17-190.fibertel.com.ar] has quit [Excess Flood]
14:32 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:50 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
14:55 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
15:43 < gac> benxyzzy: is your copy of Matlab a company one using FlexLM?
15:46 < benxyzzy> I have no idea, but from reading about it now I don't think so. It is licensed.
15:50 < gac> fair enough. we used to have trouble in my last job with macs and flexlm, where the mac would report a different hostname depending on which connections were active when you booted it up
15:50 < gac> so because we controlled licensing with flexlm to keep costs down, if your mac sent a hostname that didn't match the license file then you weren't allowed to run it
15:53 -!- Latrina [~Latrina@adsl-ull-21-179.50-151.net24.it] has quit [Ping timeout: 260 seconds]
15:56 -!- Latrina [~Latrina@ppp-141-33.26-151.libero.it] has joined #openvpn
16:02 < benxyzzy> It's not actually the license manager I'm trying to get to. I'm using Parallel MATLAB + remote Distributed Computing cluster. Or trying to.
16:20 -!- s1dev [~s1dev@199.241.28.135] has joined #openvpn
16:35 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
17:02 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:05 -!- Cybert1nus is now known as Cybertinus
17:24 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:27 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
17:31 < MACscr> im doing a very basic vpn with only a secret key and it appears the openvpn connect ios app requires certificates to be used instead of just a key. Anyone recommend an alternative ios app that might work for me?
17:42 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
17:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:03 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
18:04 -!- s1dev [~s1dev@199.241.28.135] has quit [Read error: No route to host]
18:07 -!- s1dev [~s1dev@199.241.28.135] has joined #openvpn
18:17 -!- Envil [~meep@85.17.109.16] has quit [Remote host closed the connection]
18:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
18:41 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
18:42 -!- Netsplit *.net <-> *.split quits: Ulrar, fred``, Olipro
18:53 -!- Netsplit over, joins: fred``, Ulrar
18:55 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:57 -!- mapps [Mark@2.217.140.183] has quit [Ping timeout: 255 seconds]
19:20 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
19:22 -!- Latrina [~Latrina@ppp-141-33.26-151.libero.it] has quit [Ping timeout: 244 seconds]
19:24 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has joined #openvpn
19:29 <@plaisthos> gac, benxyzzy: yes matlab uses flexlm
20:05 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:07 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 252 seconds]
20:29 -!- mapps [Mark@2.223.180.105] has joined #openvpn
20:32 -!- Synchunk` [Synchunk@unaffiliated/synchunk] has joined #openvpn
20:35 -!- Synchunk [Synchunk@unaffiliated/synchunk] has quit [Ping timeout: 260 seconds]
20:35 -!- Synchunk` is now known as Synchunk
21:27 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Quit: Quit]
21:32 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
21:32 -!- mode/#openvpn [+v RBecker] by ChanServ
21:41 -!- arescorpio [~arescorpi@121-24-245-190.fibertel.com.ar] has joined #openvpn
22:02 -!- psycho_oreos [~tuxsavvy@unaffiliated/tuxsavvy] has joined #openvpn
22:34 < MACscr> right now i am using "ifconfig 10.8.0.1 10.8.0.2" on my serverconf and reverse on my client. Now i am realizing i want to connect a few extra devices. How can i go about that?
22:35 < MACscr> wont that ifconfig ip assignment setup only allow p2p?
23:01 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 264 seconds]
23:05 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
23:05 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 240 seconds]
23:07 -!- themaskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Quit: WeeChat 0.4.3]
23:08 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:08 -!- mode/#openvpn [+o krzee] by ChanServ
23:09 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
23:20 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Quit: Leaving.]
23:26 -!- ShadniX [dagger@p5481C3B2.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:27 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Remote host closed the connection]
23:33 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
23:33 -!- mode/#openvpn [+v RBecker] by ChanServ
23:36 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
23:40 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
23:42 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:42 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:48 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Excess Flood]
23:48 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
23:56 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Remote host closed the connection]
23:59 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 877 seconds]
23:59 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 877 seconds]
23:59 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 877 seconds]
23:59 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 877 seconds]
23:59 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:59 -!- mode/#openvpn [+v hazardous] by ChanServ
23:59 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
--- Day changed Sun Jul 06 2014
00:01 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 276 seconds]
00:01 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 276 seconds]
00:01 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
00:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
00:02 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
00:09 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
00:11 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
00:11 -!- arescorpio [~arescorpi@121-24-245-190.fibertel.com.ar] has quit [Excess Flood]
00:27 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
00:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 240 seconds]
00:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
00:28 -!- mode/#openvpn [+o vpnHelper] by ChanServ
00:30 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
00:30 -!- mode/#openvpn [+o krzee] by ChanServ
00:37 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
01:10 -!- u0m3_ [~u0m3@109.96.147.3] has joined #openvpn
01:13 -!- u0m3 [~u0m3@109.96.140.174] has quit [Ping timeout: 248 seconds]
01:39 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
01:41 -!- erkules_ is now known as erkules
01:43 -!- elite_ [~elite@loft7596.serverloft.com] has quit [Ping timeout: 252 seconds]
02:47 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
02:48 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 260 seconds]
02:54 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
02:57 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
02:57 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
02:59 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
03:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:20 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
04:45 -!- Denial [~Denial@host86-148-138-181.range86-148.btcentralplus.com] has quit [Ping timeout: 252 seconds]
04:58 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 245 seconds]
04:59 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
05:03 -!- heap [heap@localhost.sk] has joined #openvpn
05:05 < heap> hello, i created tun openvpn on server, and on the server samba is running too. when client join openvpn i can ping server ip where is samba running but i cant mount samba share to client. it says that host is down. any idea?
05:08 < heap> errror msg by mount: mount error(112): Host is down
05:09 < heap> and if i connect client to local network with ethernet it works fine
05:46 -!- kirin` [telex@gateway/shell/anapnea.net/x-cqtminelqxijhayb] has joined #openvpn
06:22 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
06:28 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has joined #openvpn
06:34 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has quit [Quit: Bye.]
06:36 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has joined #openvpn
06:36 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:43 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:48 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
08:13 -!- ShadniX_ [dagger@p5794115C.dip0.t-ipconnect.de] has joined #openvpn
08:13 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
08:13 -!- ShadniX_ is now known as ShadniX
08:22 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
08:40 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
09:32 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
09:33 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
09:33 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
09:34 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 240 seconds]
09:35 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
09:35 -!- mode/#openvpn [+o vpnHelper] by ChanServ
09:36 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
09:36 -!- benxyzzy [~ben_xyzzy@cpc2-cmbg15-2-0-cust359.5-4.cable.virginm.net] has quit [Quit: Leaving]
09:42 -!- Netsplit *.net <-> *.split quits: erkules, Poster, phunyguy, Latrina
09:42 -!- Netsplit over, joins: Latrina
09:45 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
09:49 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
09:51 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
10:06 -!- golionz [golionz@unaffiliated/golionz] has joined #openvpn
10:11 -!- golionz [golionz@unaffiliated/golionz] has left #openvpn ["Leaving"]
10:12 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
10:13 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:13 -!- mode/#openvpn [+o krzee] by ChanServ
10:22 -!- ZitZ [~paul@h186.163.101.208.dynamic.ip.windstream.net] has quit [Quit: leaving]
11:01 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:05 -!- mapps [Mark@2.223.180.105] has quit []
11:23 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
11:27 -!- elfixit1 [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
11:30 -!- Synchunk [Synchunk@unaffiliated/synchunk] has quit [Quit: Synchunk]
11:33 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
11:36 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
11:43 -!- elfixit1 [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Quit: elfixit1]
11:45 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 272 seconds]
11:46 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:04 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
12:05 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:15 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Quit: It's nice to know that my launch to orbit won't have any pesky back-up systems weighing me down.	-- Andy Weir: The Martian]
12:19 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
12:20 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:25 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
12:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:32 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:47 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has quit [Max SendQ exceeded]
12:48 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has joined #openvpn
13:08 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has joined #openvpn
13:09 < JordanJ2> Hi, I've installed OpenVPN on Debian 7 using https://github.com/Nyr/openvpn-install and I can connect with the client certificates. How can I add username/password authentication along with the certificate files?
13:09 <@vpnHelper> Title: Nyr/openvpn-install · GitHub (at github.com)
13:22 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
13:35 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
13:35 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:05 -!- Poster|x is now known as Poster
14:12 -!- arescorpio [~arescorpi@121-24-245-190.fibertel.com.ar] has joined #openvpn
14:51 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
15:13 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:05 -!- u0m3_ is now known as u0m3
16:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
16:35 < heap> any idea about that smb issue?
16:40 < gac> possibly because you're using tun, not tap? if you try and open the host by using \\1.2.3.4\share instead of the name, does it work? windows relies on broadcast packets for resolution on some networks, and these don't go over a tun connection
16:50 < heap> yeah im using tun. Im using ip directly not hostname. and client is linux
16:54 -!- ocherno [~ocherno@d199-74-72-47.try.wideopenwest.com] has quit [Quit: Leaving]
17:11 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
17:16 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
17:21 -!- Synchunk [Synchunk@unaffiliated/synchunk] has joined #openvpn
17:34 < heap> gac: or u mean windows like on the level of  samba implementation?
17:35 < gac> depending on how samba is configured it can do name resolution the same as windows does, or via dns. if you're using IP and it's still not working then it pretty much means it's not a name resolution thing though
17:38 < heap> gac yeah im using ip address. so any idea whats going on?
17:41 < gac> short answer; nope.
17:41 < gac> you can ping the server address though, right?
17:42 < heap> sure
17:43 < heap> thats why im confused..because i can ping the host and it says its down
17:44 < gac> is the firewall on the server configured to allow samba connections from whichever IP addresses you're using for openvpn clients?
17:46 -!- Synchunk [Synchunk@unaffiliated/synchunk] has quit [Quit: Synchunk]
17:47 < heap> there is no fw i think
17:54 -!- Synchunk [Synchunk@unaffiliated/synchunk] has joined #openvpn
18:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:26 -!- Synchunk [Synchunk@unaffiliated/synchunk] has left #openvpn ["Leaving all channels"]
18:36 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 260 seconds]
18:47 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
19:47 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
19:47 -!- mode/#openvpn [+o syzzer] by ChanServ
20:05 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 264 seconds]
20:19 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:27 -!- Ridley5 [~Ridley@unaffiliated/ridley5] has joined #openvpn
20:41 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 252 seconds]
20:50 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:56 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:08 -!- justinzane [~justinzan@24.49.207.203] has quit [Ping timeout: 272 seconds]
21:25 -!- neopipil [~smendoza@ool-182f341b.dyn.optonline.net] has joined #openvpn
21:30 < neopipil> !welcome
21:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:31 < neopipil> !howto
21:31 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:36 < neopipil> Hello.  I configured openvpn on tcp port 443. I am able to connect to openvpn from my laptop with out a problem.  I also configured my ipad to connect to open vpn on port 443. My pad connects to open vpn but no traffic is sent via openvpn. has nyone encountered this issue or has any insight as to what might be going on?
21:37 < Poster> I think there's a restriction from IOS of device type, I can't remember if it's tun or tap, but I'd start there
21:39 < neopipil> Thanks Poster.  It makes sense,  I am using tun right now.  Let me research it.
21:42 < Poster> keep in mind you can run multiple instances of the OpenVPN daemon, one for IOS and one for everything else, the only rub is that you cannot use the same port/protocol
21:42 < Poster> so maybe something like 443/tcp for one and 53/udp for the other, assuming you don't already have services on those
21:44 < JordanJ2> Hi, I've installed OpenVPN on Debian 7 using https://github.com/Nyr/openvpn-install and I can connect with the client certificates. How can I add username/password authentication along with the certificate files?
21:44 <@vpnHelper> Title: Nyr/openvpn-install · GitHub (at github.com)
21:45 < Poster> where do you want the credentials to come from?
21:45 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
21:46 < Ridley5> !ask
21:46 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
21:46 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
21:47 < Ridley5> i cannot use internet while connected to Openvpn some one can help me please ?
21:47 < Ridley5> i installed the package on my VPS
21:47 < Ridley5> added iptables rules
21:47 < Ridley5> activated port forwarding
21:47 < Poster> IP forwarding?
21:48 < Ridley5> but connectivity test always fail on Openvs
21:48 < Ridley5> yes Poster
21:48 < Ridley5> echo 1 > /proc/sys/net/ipv4/ip_forward
21:48 < Poster> ok can you ping the public IP address of your VPS via the OpenVPN link?
21:49 < Ridley5> i cant only acces my server IP with OpenVPN
21:49 < Poster> ok I don't know what you mean with that
21:49 < Poster> what is the interface name of your public ethernet adapter on your VPS?
21:49 < Ridley5> venet0
21:49 < Poster> ok try this:
21:50 < Poster> sudo iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
21:50 < Poster> then retry
21:50 < Ridley5> ok i try that...
21:50 < neopipil> Another great point Poster.  I was trying to avoid running two instances but it seems I may need to run two instances, one on tcp 443 and another one on udp 1194
21:51 < Ridley5> "Could not connect to the test server on the Internet."
21:53 -!- metaf5 [~metaf5@107.181.166.167] has joined #openvpn
21:53 < metaf5> !welcome
21:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:53 < Poster> Ridley5: are you able to ping the IP of the OpenVPN server within the OpenVPN tunnel itself?
21:54 < Ridley5> how can i do that Poster
21:54 < Poster> ping?
21:55 < Ridley5> yes
21:55 < Ridley5> ping what ip
21:55 < Poster> what addressing did you setup on your OpenVPN server?
21:56 < Ridley5> can i give you my shell account and view by yourself Poster ?
21:56 < Poster> no thanks
21:56 < Ridley5> how can i view adressing then
21:56 < Poster> is OpenVPN even running?
21:56 < Ridley5> yes
21:56 < Poster> how did you get it started?
21:56 < Ridley5> yes
21:56 < Ridley5> i'm on the web panel
21:57 < Poster> ok somewhere in there you should see configuration options around IP addressing
21:57 < Poster> that should tell you where you should run your ping tests against
21:57 < Ridley5> Network adress: 5.5.0.0
21:58 < Ridley5> Group Default IP Address Network  5.5.16.0/20
21:58 < Poster> ok and you've successfully connected to this ?
21:58 < metaf5> Is there any way to change which routing table openvpn pulls the routes to?  I'd like to route a certain user through that table, but let other users use the regular interface.
21:59 < Ridley5> yes Poster
21:59 -!- Coburn [~kvirc@C-59-101-10-155.hay.connect.net.au] has joined #openvpn
21:59 < Poster> ok Ridley5, try to print your routing table on the OpenVPN client, I'm assuming you'll have some networks routed to some IP address in the 5.5.0.0 range
22:00 < Ridley5> its on the config file ?
22:00 < Poster> the command is probably "route"
22:00 < Poster> metaf5: I think you might want to look at the "client-config-dir" option
22:01 < Ridley5> i can access the Openvpn server from my PC
22:01 < Coburn> Alright, before I go insane, I installed OpenVPN on a Debian Wheezy machine and did all the essentials, however when clients go to connect to it from remote (3G/4G on Android using OpenVPN for Android), it says " ++ Certificate has key usage  0080, expects 00a0" and "++ Certificate has key usage  0080, expects 0088"
22:01 < Coburn> then saying "VERIFY KU ERROR"
22:01 < Ridley5> but cant use internet (only the server IP including Openvpn panel, and others website i added to my server) Poster
22:02 < Coburn> ultimately failing while crash and burning in "TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"
22:02 < Ridley5> check your certificate Coburn
22:02 < Coburn> I did, it said "OK"
22:02 < Ridley5> remake new one
22:02 < Coburn> "openssl verify -purpose any -CAfile ca.crt client1.crt" client1.crt: OK
22:03 < Coburn> if I do this, however: "openssl verify -purpose any client1.crt" = error 20 at 0 depth lookup:unable to get local issuer certificate
22:03 < metaf5> Poster:  Whoops, I was unclear.  I meant I'm a client getting a pushed route, and I want to control on my machine who uses that route, so it isn't ideal for openvpn to pull routes into the default routing table.
22:03 < Coburn> already remade this cert like 5 times now.
22:04 < Ridley5> dont know Coburn sorry
22:04 < Coburn> it's really starting to tick me off.
22:04 < Coburn> configs are incoming in a moment
22:05 < Coburn> server.conf = http://privatepaste.com/ca8df86cd3
22:06 < Coburn> main goal is to be able to have a secure link to the office while abroad
22:06 < Coburn> because I don't really trust the general public airwaves...
22:06 < Poster> metaf5: gotcha, if your client OS machine is Linux or BSD, there are modules for iptables and pf which can impose rules based on local UID, not sure if that'll get you what you want though
22:07 < metaf5> Poster: I'm just mangling the packets per UID with marks, and then routing with 'fwmark'.  All I'm asking here is how to get openvpn to put the route it's pulling into a non-default routing table.
22:08 < Poster> oh- sorry, I don't know the answer to that one
22:09 < Ridley5> any sollution Poster ?
22:10 < Poster> I'd be tempted to see if you could run maybe a virtual guest as the OpenVPN client then selectively route to it based upon the needs of the primary host
22:10 < Poster> maybe something like Xen or OpenVZ
22:11 < Ridley5> i dont know how to do that...
22:11 < Poster> That was intended to metaf5
22:12 < Ridley5> ah sorry
22:12 < Poster> Ridley5 I am not quite able to follow what all you have going on
22:13 < Ridley5> it's simple Poster, i can connect to Openvpn but i cant use internet, on the admin panel the Connectivity test alwas fail (    Could not connect to the test server on the Internet.)
22:13 < metaf5> Poster: I'm trying to get this to work on an openVZ vps.  I think I want to do something with --route-up...but my experiments are failing so far.
22:13 < metaf5> It looks like I can get environment vars with the config stuff being pushed to me...I just have to figure out what to do with it which is equivalent to the default behavior, except operating on another routint able.
22:14 < Poster> would a second OpenVPN daemon instance help?
22:14 < Coburn> any ideas on my situation?
22:18 < Poster> Coburn: the command that is failing seems to be lacking the root CA definition
22:18 < Poster> make sure when you're setting things up you keep the public/private keys matched up to the signing CA
22:19 < Poster> Ridley5: ok I get that part, what I don't get is what you've got setup between your OpenVPN client and OpenVPN server
22:19 < Coburn> Poster: On the client or server side?
22:19 < Poster> you likely have some small IP subnet between the two that I was suggesting you make sure you can ping across to verify the OpenVPN link itself is working
22:19 < Poster> Coburn: all of the above
22:30 < Ridley5> i have the Openvpn AS version
22:30 < Ridley5> downloaded the config from the web panel
22:31 < Poster> ok try #openvpn-as
22:31 < Ridley5> no one did reply to my question there
22:32 < Poster> ok I am not sure anyone here can help you, which is why it's  in the topic
22:32 < Ridley5> thank you Poster
23:00 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 248 seconds]
23:06 < Coburn> Okay, almost there
23:07 < Coburn> now I'm getting this:
23:07 < Coburn> "Authenticate/Decrypt packet error: cipher final failed"
23:07 < Coburn> I bet it's something to do with the cipher
23:08 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Quit: Leaving.]
23:09 -!- arescorpio [~arescorpi@121-24-245-190.fibertel.com.ar] has quit [Excess Flood]
23:09 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
23:09 < Poster> also make sure your system clocks are accurate
23:10 < Coburn> yep, it's all connected now
23:10 < Coburn> but no internet
23:11 < Poster> ok we can fix that
23:11 < Poster> what is the OpenVPN server OS?
23:11 < Coburn> Debian.
23:11 < Coburn> I know the issue - iptables wrong ip
23:12 < Poster> ok also keep in mind, if you wish to force all Internet traffic across the OpenVPN link, you will need to perform NAT/IP Masquerade on the OpenVPN server to hide the OpenVPN client's IP address
23:12 < Poster> something like:
23:12 < Poster> sudo iptables -t nat -A POSTROUTING -o $EXTERNALINTERFACE -j MASQUERADE
23:13 < Coburn> yep, got that working
23:13 < Coburn> thanks a lot!
23:13 < Poster> np!
23:21 < JordanJ2> Poster: Upon connecting to the client cert
23:22 < Poster> was that a question?
23:26 -!- ShadniX [dagger@p5794115C.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:27 -!- ShadniX [dagger@p5481C1FB.dip0.t-ipconnect.de] has joined #openvpn
23:34 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
23:56 < Ridley5> are you here Poster ?
23:56 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
23:57 < Ridley5> i installed Openvpn (not the as version)
--- Day changed Mon Jul 07 2014
00:23 <@krzee> Ridley5, was there a question too? or did you just want to tell him you installed openvpn?
01:03 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
01:07 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 240 seconds]
01:14 -!- ajc_ [ajc@nat/hp/x-esdgqvyoxyviafvm] has joined #openvpn
01:17 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
01:34 -!- neopipil [~smendoza@ool-182f341b.dyn.optonline.net] has quit [Ping timeout: 255 seconds]
01:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:35 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:53 -!- Coburn [~kvirc@C-59-101-10-155.hay.connect.net.au] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
03:09 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:31 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
04:38 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 264 seconds]
04:40 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has joined #openvpn
04:43 -!- dazo_afk is now known as dazo
04:50 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
05:02 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
05:27 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
06:10 -!- elfixit [~Icedove@dhcp-129-136.office.init7.net] has joined #openvpn
06:46 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
06:47 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
06:48 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Client Quit]
06:50 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
06:58 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:09 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:12 -!- UncleMeat [~uncle@nl6x.mullvad.net] has joined #openvpn
07:15 <@plaisthos> !conflict
07:15 <@plaisthos> hm ...
07:15 < UncleMeat> hello, is there a way in OpenVPN, when running in UDP mode, to send out fewer but larger packets (i.e. as close to MTU as possible)?
07:15 <@plaisthos> UncleMeat: OpenVPN will already do that
07:16 < UncleMeat> plaisthos: hmmmm, based on my observations with tcpdump it isn't doing that, any reason it might not be happening?
07:16 <@plaisthos> but it will not merge multiple packets
07:16 < UncleMeat> ah ok
07:16 < UncleMeat> that's what I meant
07:16 < UncleMeat> so no way to do that either?
07:16 <@plaisthos> not without hacking the source code
07:17 < UncleMeat> ok
07:17 <@plaisthos> and probably getting problem PMTU discover
07:17 < UncleMeat> thanks for the information
07:17 <@plaisthos> and other weird effects
07:17 < UncleMeat> do you know if there's any open source VPN solutions that can do this?
07:17 <@plaisthos> no idea
07:17 < UncleMeat> I'm running into an issue where tunnel traffic is triggering DDoS protection on the underlying network
07:17 <@plaisthos> but as said, merging multiple packets into one will give a lot of problems
07:18 < UncleMeat> *nods*
07:18 <@plaisthos> too aggressive IPS probably
07:18 < UncleMeat> IPS?
07:18 <@plaisthos> intrusion dectition system
07:18 < UncleMeat> intrusion prevention?
07:18 <@plaisthos> eyes
07:19 < UncleMeat> yeah that's what I was thinking, unfortunately I can't turn this one off
07:19 <@plaisthos> or whatever the current marketing buzzword is
07:19 < UncleMeat> guess I'll have to look for other solutions
07:19 < UncleMeat> thanks for your help
07:19 <@plaisthos> you can do openvpn over tcp
07:19 <@plaisthos> (which has its own set of problems)
07:19 < UncleMeat> I did try that but it led to huge latencies
07:19 < UncleMeat> didn't try very hard to make it work, admittedly
07:20 <@plaisthos> yeah :)
07:20 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
07:20 <@plaisthos> that is one of the expected problem with tcp over tcp
07:28 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has quit [Ping timeout: 252 seconds]
07:28 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 252 seconds]
07:29 -!- Ridley5 [~Ridley@unaffiliated/ridley5] has quit [Ping timeout: 252 seconds]
07:29 -!- Jeroen [~quassel@milkyway.jeroendeneef.eu] has quit [Read error: Connection reset by peer]
07:29 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 252 seconds]
07:30 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
07:30 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 252 seconds]
07:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
07:31 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
07:31 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
07:31 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
07:31 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has joined #openvpn
07:31 -!- Jeroen [~Jeroen@milkyway.jeroendeneef.eu] has joined #openvpn
07:33 -!- ajc_ [ajc@nat/hp/x-esdgqvyoxyviafvm] has quit [Ping timeout: 240 seconds]
07:34 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Remote host closed the connection]
07:35 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has joined #openvpn
08:31 -!- heraclitus [~halcyon@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
09:07 -!- elfixit1 [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has joined #openvpn
09:17 -!- Tygra [~Tygra____@209.119.143.90] has joined #openvpn
09:18 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:19 < Tygra> Good Morning - I have a few drive by questions I'm hoping the great people of IRC can point me in the right direction.
09:20 < Tygra> I'm researching several Enterprise VPN solutions.  I'm a huge opensource fan and would like to see if OpenVPN can scale, and if there are tools out there that allow for automation of client configurations.
09:21 < Tygra> Can anyone point to any resources/articles on deploying OpenVPN to 5,000 clients?  Note: The clients are going to be Point of Sale systems
09:23 < rob0> For something like that, I would suggest that you check with the good folks at OpenVPN Technologies.  They would be glad to make it scale for you.
09:28 < Tygra> rob0 thank you very much.
09:29 < Tygra> Do you have experience working with OpenVPN Technologies?  Can you speak to their support?
09:29 < rob0> Not firsthand, but I think at least one of them can be found in IRC.
09:30 < Tygra> Good To Know - Thank you again.
09:34 -!- Oele [~Oele@oelieloelie.nl] has joined #openvpn
09:35 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
09:35 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
09:36 < Oele> !paste
09:36 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
09:37 < Oele> ..
09:39 < Oele> does anyone know how to get my openvpn clients (a few ubuntu servers that connect to a central 'hub' server) to auto-reconnect (and keep trying!) when they loose the connection to the server? preferably without having to run openvpn as root?
09:39 < Oele> i keep ketting "ERROR: Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1) / Exiting due to fatal error"
09:39 < Oele> here's one of my client configs: https://gist.github.com/anonymous/e4d6a209463a9405c94a
09:39 <@vpnHelper> Title: gist:e4d6a209463a9405c94a (at gist.github.com)
09:43 < rob0> a quick guess without reviewing the config: --persist-tun (also see other --persist-* options in the man page.)
09:48 < Oele> rob0: persist-tun is in the config
09:52 -!- eZpl0it [~eZpl0it@193.234.224.171] has joined #openvpn
09:53 < eZpl0it> Hey guys, I'm living in a college dorm. We need to login with a http post request to a site to have a connection to the internet. I'm using openvpn and I want to send that request on every first connection and on every reconnect
09:53 < eZpl0it> is there a way to run scripts like pre-up
09:54 < eZpl0it> if i dont login i cant connect to my openvpn server. The connection gets reseted at a specific time and sometimes randomly. Openvpn would just try to reestablish the connection  but it wouldn't work because there is no internet connection at that moment.
09:55 < eZpl0it> So I need to run my script every time before it tries to make a connection
09:56 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
09:56 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
09:56 -!- elfixit1 [~Icedove@cust.static.46-14-114-50.swisscomdata.ch] has quit [Ping timeout: 264 seconds]
10:03 < Eugene> Not from openvpn proper, but your distro's init scripts probably have a hook for it
10:03 < Eugene> Or put it in your rc.local, or your WiFi initialization, or something like that.
10:04 < eZpl0it> i thought about making a route so that the login requests still go over the normal connection and i would just send a login request every minute or so
10:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:12 < eZpl0it> getting the initial connection would be easy Eugene the problem is what happens if the connection drops or the connection gets reseted at 2am every day and sometimes randomly
10:13 < eZpl0it> then openvpn just runs and time outs
10:13 < eZpl0it> but tun0 is still up then and i cant connect anywhere else
10:13 < Eugene> You'll need a separate daemon of some sort to manage your connection
10:13 < Eugene> A script on a cron job would do the trick
10:13 < eZpl0it> i had one before with vpnc when i used the college vpn for that
10:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
10:21 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:25 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has joined #openvpn
10:49 < MaliusArth> !welcome
10:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:54 -!- Saul775 [~Saul@12.6.176.106] has joined #openvpn
10:58 < MaliusArth> !ask
10:59 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
10:59 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
10:59 < MaliusArth> !logs
10:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:59 < MaliusArth> !logfile
10:59 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:03 < MaliusArth> !configs
11:03 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:10 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
11:14 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
11:27 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:30 < MaliusArth> !interface
11:30 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For
11:30 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
11:35 < MaliusArth> !route
11:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
11:35 <@vpnHelper> client
11:43 < heap> okay the problem was with "hosts allow" in smb conf, so samba works fine with tun iface too.
11:44 -!- heap [heap@localhost.sk] has left #openvpn []
11:48 -!- pekster_ is now known as pekster
12:02 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:05 -!- larryone [~larryone@178.167.254.67.threembb.ie] has joined #openvpn
12:10 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:17 -!- mirco [~mirco@ip-62-143-141-0.unitymediagroup.de] has quit [Quit: mirco]
12:18 < MaliusArth> I would like to access the internet over my vpn, I am not able to ping outside of the Lan, browser doesn't route through VPN | debian wheezy/raspian | client conf: pastebin.com/2be4XzuD | start log: pastebin.com/6jrEDMgb
12:19 < Eugene> !def1
12:19 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:19 < Eugene> !redirect
12:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:19 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:19 < Eugene> Flowchart ^
12:21 < MaliusArth> I'm having the --redirect-gateway in my conf
12:28 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
12:29 < MaliusArth> what preferences do I need for my router/modem? I think it's related to my modem since it's working at a friends place with the same device
12:32 -!- [666] [~everythin@pdpc/supporter/active/busdrivertom] has joined #openvpn
12:32 < _FBi> MaliusArth, do you have forwarding on ... on your router?
12:37 < MaliusArth> i haven't changed the forwarding manually, do I need that?
12:38 < [666]> i can set my router mode to DMZ+ and access the server. however, I can set up a port forward for 1194 and cannot access it. are there other ports that need forwarded?
12:41 < _FBi> MaliusArth, I believe that's a step I do that I always miss.  It's been awhile since I've set it up, though.
12:48 < [666]> ehh. why does UDP protocol not work with some routers?
12:52 -!- larryone [~larryone@178.167.254.67.threembb.ie] has quit [Ping timeout: 240 seconds]
12:54 -!- [666] [~everythin@pdpc/supporter/active/busdrivertom] has left #openvpn []
13:01 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 260 seconds]
13:03 < Eugene> Because some routers suck at NAT
13:10 -!- surrealillusion [~whome@69-165-175-91.dsl.teksavvy.com] has joined #openvpn
13:10 < MaliusArth> _FBi, port forwarding didn't seem to do anything, do I have to reboot the router? the device itself? I just tried it with openvpn restart
13:13 < _FBi> no, rebooting wasn't necessary
13:14 -!- moparisthebest [~quassel@cpe-74-140-244-163.swo.res.rr.com] has joined #openvpn
13:22 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
13:23 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:25 < moparisthebest> I have openvpn set up and running fine over udp on port 1194, i'd also like it accessible via port 53, so I setup forwarding with iptables, and it works with netcat but not openvpn
13:25 < moparisthebest> the tls handshake is never completed when connecting to 53
13:25 < moparisthebest> any ideas?
13:26 <@krzee> run another process on udp 53 if  thats what you want
13:27 < moparisthebest> I'd prefer the same process, it works for the tcp openvpn server I have running, iptables forwarding tcp port 53 to it works perfectly
13:29 <@krzee> k, good luck
13:30 < moparisthebest> I'm just looking for someone in here who has done the same thing, I feel like it should be pretty common
13:30 <@krzee> its not, common is running multiple processes for multiple sockets
13:30 <@krzee> very common actually
13:30 <@krzee> (also common because openvpn doesnt scale well otherwise)
13:31 <@krzee> cause openvpns single threaded and can only run on a single core
13:31 < moparisthebest> I don't need it to scale that well, I'll need at most 10 connections total
13:31 < moparisthebest> but anyway, if I listen on port 53, I can't specify an interface can I?
13:31 <@krzee> cool, just telling you the other way is common and your way isnt
13:31 < moparisthebest> I only see syntax to specify an address, and since the public address is dynamic, I have no way of finding that ahead of time
13:31 <@krzee> what do you mean specify an interface?
13:32 <@krzee> like --dev tun2 ?
13:32 < moparisthebest> like, listen on eth0
13:32 < sauce> moparisthebest 2 processes. listen to krzee
13:32 < moparisthebest> on port 1194 I can listen on 0.0.0.0
13:32 <@krzee> sure, --listen
13:32 <@krzee> not by interface, by ip
13:32 < moparisthebest> but the ip is dynamic, so I don't know it ahead of time
13:33 <@krzee> you have multiple uplinks?
13:33 < moparisthebest> no, a public ip and a private ip, it's a router
13:33 <@krzee> then listen on 0.0.0.0 and use a firewall
13:33 < moparisthebest> and the private ip has dns listening on 53
13:33 < moparisthebest> so I can't have openvpn listen on 0.0.0.0:53
13:34 <@krzee> write a wrapper for starting that vpn
13:34 <@krzee> have it dynamically change --listen
13:34 <@krzee> so like:
13:34 < moparisthebest> and then when the ip changes at 3am and i'm 100 miles away?
13:34 <@krzee> openvpn --listen "$pub_ip" --config server.conf
13:35 <@krzee> dyndns.
13:35 <@krzee> and --float
13:35 <@krzee> these are not openvpn problems btw
13:35 <@krzee> just general networking
13:35 < moparisthebest> yes dynamic dns updates that, but doesn't restart the openvpn server
13:35 < moparisthebest> what is --float?
13:35 <@krzee> !man
13:35 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:35 -!- Tygra [~Tygra____@209.119.143.90] has quit [Read error: Connection reset by peer]
13:37 < moparisthebest> ah, again that won't help without writing a script to restart the openvpn server when the public ip changes
13:37 <@krzee> right, like the app that changes your ip for example
13:37 < moparisthebest> which is a giant hack when I could just have iptables forward packets to the process already running :/
13:37 <@krzee> most dhcp servers can handle that, so can dyndns updating scripts
13:38 <@krzee> none of what you're talking about relates to the port used
13:38 <@krzee> so i fail to see your connection there
13:39 <@ecrist> moparisthebest: this isn't really an openvpn problem, per se
13:39 <@krzee> the ip changing remains the exact same problem regardless of port used
13:39 <@ecrist> it's a networking 101 problem
13:39 <@krzee> krzee> these are not openvpn problems btw
13:39 <@krzee> <krzee> just general networking
13:39 <@krzee> :D
13:39 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
13:40 < moparisthebest> openvpn is what is rejecting the forwarded packets though
13:41 < moparisthebest> because with my current firewall setup, netcat listening on 1194 udp can be connected to and 2-way communication works perfectly when connected to remotely via port 53
13:42 < moparisthebest> so openvpn is dropping them for some reason, I'm assuming it's a configuration issue
13:43 <@krzee> well if it is then --float would help but in at least 7 years of being here helping people you're the first that i have seen do this
13:45 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
13:48 < MaliusArth> !ipforward
13:48 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:49 < MaliusArth> !linipforward
13:49 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
13:52 <@ecrist> moparisthebest: OpenVPN is not going to reject properly-forwarded packets
14:07 < Oele>  does anyone know how to get my openvpn clients (a few ubuntu servers that connect to a central 'hub' server) to auto-reconnect (and keep trying!) when they loose the connection to the server? preferably without having to run openvpn as root? i keep ketting "ERROR: Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1) / Exiting due to fatal error"
14:07 < Oele> here's one of my client configs: https://gist.github.com/anonymous/e4d6a209463a9405c94a
14:07 <@vpnHelper> Title: gist:e4d6a209463a9405c94a (at gist.github.com)
14:13 -!- fin__ [~l30@unaffiliated/le0] has quit [Ping timeout: 248 seconds]
14:16 < Oele> n/m
14:17 < Oele> rob0: (also see other --persist-* options in the man page.)  <-- this was the solution. thanks! should have checked that immediately
14:18 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
14:21 -!- dazo is now known as dazo_afk
14:23 -!- [666] [~everythin@pdpc/supporter/active/busdrivertom] has joined #openvpn
14:29 < [666]> i can connect to the openvpn server from an external client(android phone) on the same IP block as the rest of the network, 192.168.1.0, but DNS connectivity for the machine running the server is disrupted while the server is running...any way around that?
14:32 <@krzee> [666], what do you mean by "dns connectivity is disrupted"
14:34 < [666]> meaning that my client can access a site by resolving the name but the machine running the server can no longer resolve the names.
14:37 <@krzee> on the server, what is in /etc/resolv.conf
14:38 < [666]> it's a windows machine.
14:39 < rob0> translated, the question is, "what is the IP address of the nameserver[s] you are using?"
14:41 < [666]> 192.168.1.254(because the router handles the DNS requests)
14:44 < [666]> i am port fowarding through the DSL modem/router
14:46 -!- spstarr [~spstarr@fedora/spstarr] has joined #openvpn
14:46 < spstarr> Question: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate is there a client config option to reconnect/authenticate again ?
14:46 < spstarr> it drops every 24 hours
14:50 < spstarr> an ugly hack is cronjob to restart systemd openvpn clients
14:54 -!- arescorpio [~arescorpi@218-25-245-190.fibertel.com.ar] has joined #openvpn
14:57 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
14:58 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
15:00 -!- Ridley5 [~Ridley@unaffiliated/ridley5] has joined #openvpn
15:01 < Ridley5> hi all
15:01 < Ridley5> i have problem connecting internet with my Openvpn
15:02 < Ridley5> i can access only my VPS that include Openvpn
15:06 <@ecrist> !forward
15:06 <@ecrist> !def1
15:06 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:10 -!- Esya [~zncuser@mini-02.y0y.fr] has joined #openvpn
15:10 -!- odie5533 [~odie5533@wikipedia/odie5533] has joined #openvpn
15:14 < odie5533> What is the ca.crt file used for?
15:14 -!- [666] [~everythin@pdpc/supporter/active/busdrivertom] has quit [Quit: leaving]
15:15 < Esya> Hi all, weird problem here, here are my two configs : http://pastebin.com/bi2HYKP0 it connects fine, HTTP works fine (curl ifconfig.me shows me the server's ip) but https hangs forever
15:15 < Esya> Any idea?
15:19 < odie5533> Is CA.CRT only used to verify things during the TLS negotiation, and the actual connection is encrypted using whatever best encryption TLS has? Is there a way to tell what encryption OpenVPN is currently using on a connection?
15:23 < Ridley5> i setup correctly IP forwording, added iptables rules too, no way to connect to internet ecrist
15:27 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has left #openvpn []
15:36 <@plaisthos> odie553
!cipher
15:36 <@plaisthos> !cipher
15:36 <@plaisthos> hm see --cipher
15:40 < Esya> Anyone for my problem ? It's a bit weird.. really simple configurations : http://pastebin.com/itpw8T2R and some http works, some https does not
15:40 < Esya> the DHCP line is actually 10.9 not 10.8 , so configured fine
15:42 < Esya> Like, I do a curl -v ifconfig.me
15:43 < Esya> It says * Connected to ifconfig.me (49.212.202.172) port 80 (#0), and I see the request and the response, which is the VPN's ip, so working fine. I do a curl somewhere else, it says connected, sends the request, but no output
15:43 < Esya> From the server if I do the same curl request, it works though and I get the output.
15:44 < Esya> And a tcpdump on the VPN server shows that when I do it from my VPN client, the server actually forwards the request AND gets a response.. :|
15:46 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has quit [Max SendQ exceeded]
15:46 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has joined #openvpn
15:48 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
15:48 < Esya> Fixed, was a MTU problem
15:48 < K1rk> How illegal is it to use OpenVPN in China?
15:48 < K1rk> I've got a friend traveling there in a few months, and I'd like to give her access to my server so she can use the open Internet while she's there.
15:49 < Esya> K1rk I'm setting up an open serv for our office in shangai right now
15:49 < Esya> It's.. I dunno. A lot of people do it
15:49 < K1rk> But isn't it technically illegal?
15:49 < Esya> Meh.
15:49 < K1rk> So it's sort of like torrenting
15:49 < Esya> Just avoid using a very famous vpn provider
15:49 < Esya> Because they know their ips
15:49 < K1rk> lol
15:50 < K1rk> Well this would be on my personal server.
15:50 < K1rk> Not a big name VPN provider.
15:50 < Esya> So it should be just fine.
15:50 < K1rk> Cool, I didn't expect to get such an insightful answer so fast.
15:50 < K1rk> Thank you Esya
15:50 < Esya> No problem :p
15:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:13 < Ridley5> i have this error :  Linux ip addr del failed: could not execute external program
16:14 < Ridley5> deamon fail to load
16:15 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has quit [Max SendQ exceeded]
16:17 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has joined #openvpn
16:26 -!- Latrina [~Latrina@ppp-80-26.26-151.libero.it] has quit [Ping timeout: 245 seconds]
16:28 -!- Latrina [~Latrina@ppp-78-22.26-151.libero.it] has joined #openvpn
16:35 -!- brah [~allsdfjal@181.164.61.9] has joined #openvpn
16:36 < brah> !goal
16:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:38 < K1rk> Ridley5: Might be due to script security settings
16:39 < pekster> Ridley5: My guess is that you're downgrading runtime permission with --user and/or --group and the non-root user can't tear down the routes; you can ignore that as they go away when the interface does
16:39 < brah> I would like to make a client certificate that only uses auth-user-pass. I want to mimic a Mikrotik config that uses certificate=none, user=foo, password=secret123. How would I go about doing this?
16:39 < K1rk> Oh I didn't notice it was the tearodwn
16:39 < K1rk> Yeah probably doesn't matter then
16:39 < Ridley5> yes i commented : user nobody & group nobody K1rk pekster
16:40 < pekster> This said, it might pose an issue if this is a client and it's a reconnect event; your choice there is to not downgrade permission, or set up a static (see: !static) IP for the client and use some of the --persist-* options
16:40 < Ridley5> now daemon start
16:40 < Ridley5> but cant reach internet :(
16:40 < pekster> See !redirect and the flowchart for that
16:40 < Ridley5> !redirect
16:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:40 < pekster> brah: There's no certificate involved if you don't want a certificate :P
16:41 < pekster> Read about --auth-user-pass-verify and --auth-user-pass in the manpage
16:41 < Ridley5> how can i ping my Openpvn server ?
16:41 < Ridley5> ping .... what ?
16:41 < pekster> brah: And also --client-cert-not-required and --username-as-common-name
16:41 < pekster> Ridley5: The VPN IP of your server. You ping it.
16:42 < Ridley5> yes i can access my server including web page on my VPS while connected to Openvpn
16:42 < pekster> The _VPN_ IP?
16:42 < Ridley5> the VPN IP = VPS IP ?
16:42 < pekster> (might be easier if you just post !configs, and please mind the sanitzation grep syntax we have there)
16:42 < pekster> No, the IP on the *VPN* network
16:42 < Ridley5> oh
16:43 < Ridley5> where i can find that please
16:43 < Ridley5> excuse me im newbie
16:43 < pekster> !new
16:43 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
16:43 < brah> pekster: Those go on the server side. If I comment out CA, KEY and CERT the client refuses to start.
16:43 < pekster> Ridley5: So, information about posting configs is at:
16:43 < pekster> !configs
16:43 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:43 < pekster> brah: You need the CA as there is no other way for the client to verify the server (outside of static-key mode, !static)
16:44 < pekster> The client can optionally not be required to present a certificate, just a password (that's how many websites work: the server has a cert issued by a CA, but the client need not)
16:44 -!- surrealillusion [~whome@69-165-175-91.dsl.teksavvy.com] has quit [Ping timeout: 264 seconds]
16:46 -!- odie5533 [~odie5533@wikipedia/odie5533] has quit [Quit: Leaving]
16:53 < Ridley5> this is my server.conf pekster: http://pastebin.com/ic69WfX5
16:54 < pekster> Remove lines 29-30; they're duplicates of lines 17 and 18
16:54 < pekster> Otherwise it looks fine; the VPN IP in that setup is 10.8.0.1, so pinging that from the client is the "first box" in the flowchart diagram
16:54 < pekster> When you can successfully do that, move on to the next box
16:55 < Ridley5> ok i try to ping..
16:58 < Ridley5> i have these on my client: ERROR: Linux route add command failed: external program exited with error status: 2
16:58 < Ridley5>  /sbin/ip route add 0.0.0.0/1 via 10.8.0.5 RTNETLINK answers: File exists
16:59 < pekster> How do you already have a 0/1 route?
16:59 < pekster> Are you running the VPN twice?
16:59 < Ridley5> i check
17:00 < Ridley5> yes i have 2 instance running, killed all, started new client
17:01 < Ridley5> it's ok now, i check the connection
17:02 < Ridley5> ping reply OK from the clien pekster
17:02 < Ridley5> *client
17:02 < Ridley5> but cant cant access internet
17:03 < brah> pekster: http://pastebin.com/Dq7QAPTd
17:07 < pekster> Ridley5: Then use the flowchart. There's a lot more than that 1 box
17:07 < Ridley5> i cant ping google.com too pekster
17:07 < Ridley5> i can *
17:08 < Ridley5> yes with flowchart i must access the site secure computing to show vpn ip
17:08 < Ridley5> but can"t reach internet
17:08 < pekster> You're on the internet here
17:09 < Ridley5> im on a bouncer in the VPS with Openvpn pekster
17:09 < pekster> I'm not really interested in providing help if that means doing your work for you
17:09 < pekster> You should download that flowchart on a computer (or phone, tablet, whatever) and follow it
17:09 < Ridley5> i have the flowchart saved pekster
17:10 < pekster> brah: I've no idea what lines 1-8 are; it appears to be some vendor-centric frontend
17:10 < brah> pekster: Do you think this could be a closed implementation of OpenVPN?
17:11 < pekster> Unlikely; it appears to be "Yet Another OpenVPN Wrapper"
17:11 < pekster> Did you have server configs too?
17:12 < brah> pekster: No. Some vendor gave us a Mikrotik router with this config inside, asking us to plug that router into our network. Not gonna happen.
17:12 < pekster> Then you need to ask them. Line 323 of that log shows that the far side reset the connection
17:12 < pekster> It rejected the connection, but for what reason you need the server logs to find out
17:13 < pekster> Plus you're lacking MITM protection (usually provided by the --remote-cert-tls option)
17:15 < pekster> Could be bad credentials, incorrect security settings, or missing --tls-auth file
17:22 < Ridley5> http://oi57.tinypic.com/2l9nxfn.jpg
17:23 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
17:26 < pekster> firewall or routing problem it sounds like
17:26 < Ridley5> :S
17:27 < pekster> It might be worth a tcpdump on the server, first on the tun device, then on the physical egress to see if the request is properly forwarded to the endpoint
17:28 < pekster> Could be lack of NAT for RFC1918 space too
17:28 < pekster> (falls under a firewall problem, basically)
17:28 < Ridley5> thank you for your help pekster
18:03 -!- ShadniX [dagger@p5481C1FB.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
18:09 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 240 seconds]
18:09 -!- ShadniX [dagger@p5481D867.dip0.t-ipconnect.de] has joined #openvpn
18:09 < Ridley5> i added this firewall script: http://dev.shyd.de/2011/02/dockstar-howto-setup-openvpn-debian/
18:09 <@vpnHelper> Title: Dockstar: HowTo setup OpenVPN on Debian | developer.shyd.de. (at dev.shyd.de)
18:10 < Ridley5> no way, no internet connection :(
18:11 < pekster> "scripts" are almost always the wrong way to configure Netfilter. #Netfilter can help you do it right (because most "blogs" and "guides" do it wrong)
18:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:12 < Ridley5> thank you
18:13 < Ridley5> i wanna ask there
18:16 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:18 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
18:24 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:26 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
18:32 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
18:35 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
18:38 -!- GrantK [eXfkYSleLs@bolt.sonic.net] has joined #openvpn
18:39 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:42 -!- brah [~allsdfjal@181.164.61.9] has quit [Read error: Connection reset by peer]
18:43 < GrantK> I have two boxes connected over an Openvpn IPv4 link.  From BoxA's private IP I can ping, ssh, etc to services listening on BoxB's private IP and to the LAN behind BoxB.  This is working like I'd hoped.
18:43 < GrantK> Now, I need to setup the firewall On BoxB to limit/protect this same access from BoxA.  Given that I'm connected through the VPN tunnel's 2 tun interfaces, but obviously connected across the 2 boxes' real ethX interfaces, exactly WHICH interface do I firewall?  tun0 or eth0 on BoxB?  I guess I'm not understanding the flow of packets right yet.
18:43 -!- brah [~allsdfjal@181.164.61.9] has joined #openvpn
18:44 -!- Ridley5 [~Ridley@unaffiliated/ridley5] has quit [Remote host closed the connection]
18:46 < pekster> OpenVPN secures the traffic over the public Internet (provided you use certificates and MITM protection) so you don't usually need to treat the outside path special. If you want to limit what can flow over the VPN even after an authenticated client sends traffic, filter across the tun devices, or possibly forwarded traffic from a tun device of an openvpn router that is leaving to a downstream LAN
18:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
18:52 < GrantK> pekster: sry, read that.  twice.  i'm being thick.  BoxA is my vpn server.  BoxB is my vpn client.  When client connects to server, the server pushes routes that allow BoxA to "see & touch" BoxB, and other boxes on its LAN, behind it, e.g. BoxB1 & BoxB2.
18:52 < GrantK> Specific example -- if I want to ALLOW BoxA to telnet to BoxB1, but NOT to BoxB2,  I can write a firewall rule -- but on which specific interface:  tun0 on BoxB?
18:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:54 < pekster> Filter on traaffic arriving on the tun device in the path of the forwarded traffic
18:54 < pekster> You can't filter on the inbond of the physical uplink because the traffic hasn't yet been decrypted by OpenVPN (so you don't know what the inside payload, including headers, ar)
18:54 < pekster> are*
18:54 < pekster> inbound*
18:55 < GrantK> pekster: "physical" uplink, here, being the 'real' ethX, right?
18:55 < pekster> Right
18:56 < pekster> You could filter on the egress to the downstream LAN too, but traditionally you are picky about things arriving from untrusted sources, not as traffic leaves for your protected networks
18:56 -!- Olivier| [Olivier@185.13.226.177] has quit [Ping timeout: 260 seconds]
18:56 < pekster> The concepts are similar, it's mostly a matter of how you form the rules
18:56 < GrantK> pekster: Thanks.  I'm still at the "Holy CryptoPackets, Batman -- This works!" stage.
18:57 < GrantK> The 'server' is a VM in the Cloud.  The 'client' is my home/office LAN's router/firewall box -- *IT* is the protected lan.
18:57 < pekster> Think of openvpn like a fancy router; if you ignore the crypto for a moment, what you put into the tun device at one end will arrive on the far side's tun device, kind of like a "really long ethernet cable"
18:57 < pekster> If you do that, just treat the tun device like any other interface in terms of your firewall and it might be easier
18:58 < GrantK> pekster: yep, understood.  working on that now. thanks.
19:10 -!- Olivier| [Olivier@185.13.226.177] has joined #openvpn
19:10 < GrantK> pekster: hm.  rule's in place, no effect atm.  doing something silly, I suspect.  off to find some docs / examples.
19:15 < GrantK> aHA!  the SRC= address for this traffic is BoxA's tun IPaddr -- NOT its PrivateIP
19:16 < pekster> That's typical of multi-homed hosts. You can force it to do something different with advanced techniques like source address selection or policy routing, but you usually don't need to (just firewall on the "near" side in this case)
19:18 -!- justinzane [~justinzan@24.49.207.203] has quit []
19:19 < GrantK> pekster: sure.  I'd initially set : -i tun0 -s <server's IP address> -d <client's LAN segment>
19:19 < GrantK> incorrectly ...
19:19 -!- JordanJ2 [Jordan@unaffiliated/jordanj2] has left #openvpn ["I'm out"]
19:21 < GrantK> pekster: works perfectly. thanks a bunch!
19:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:21 -!- mode/#openvpn [+v s7r] by ChanServ
19:32 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
20:00 -!- GrantK [eXfkYSleLs@bolt.sonic.net] has left #openvpn []
20:02 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:05 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 240 seconds]
20:42 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
20:53 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
21:01 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
21:03 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 240 seconds]
21:39 -!- spstarr [~spstarr@fedora/spstarr] has quit [Read error: No route to host]
21:45 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
21:47 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 248 seconds]
22:40 -!- arescorpio [~arescorpi@218-25-245-190.fibertel.com.ar] has quit [Excess Flood]
23:17 -!- ShadniX [dagger@p5481D867.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:18 -!- ShadniX [dagger@p5481DEA7.dip0.t-ipconnect.de] has joined #openvpn
23:26 -!- ajc_ [ajc@nat/hp/x-rqxddrrrgrqqrfpo] has joined #openvpn
23:30 -!- Olivier| [Olivier@185.13.226.177] has quit [Ping timeout: 256 seconds]
23:39 -!- Olivier| [Olivier@185.13.226.177] has joined #openvpn
--- Day changed Tue Jul 08 2014
00:16 -!- Oele [~Oele@oelieloelie.nl] has quit [Quit: Coyote finally caught me]
00:21 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer]
00:22 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
00:22 -!- mode/#openvpn [+o vpnHelper] by ChanServ
00:53 < MACscr> well crap, my vpn connection is still connecting, but im not able to access the lan anymore that im connected to
00:53 < MACscr> i can ping the lan ip of the vpn server though
00:53 < MACscr> my routes still seem in place though
00:53 < MACscr> so im not sure what the issue might be
01:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:38 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 252 seconds]
01:41 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:10 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:11 <@krzee> !route_outside_ovpn
02:11 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
02:13 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
02:14 < MACscr> krzee: it is the default gateway for the lan
02:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:16 -!- mode/#openvpn [+v s7r] by ChanServ
02:17 < MACscr> wth, it somehow just started working again
02:18 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
02:34 -!- larryone [~larryone@178.167.254.144.threembb.ie] has joined #openvpn
02:41 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:43 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
02:43 -!- mode/#openvpn [+o plaisthos] by ChanServ
02:43 -!- Saul775 [~Saul@12.6.176.106] has quit [Ping timeout: 255 seconds]
02:48 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
03:28 -!- larryone [~larryone@178.167.254.144.threembb.ie] has quit [Quit: This computer has gone to sleep]
03:39 < Kerbe> sshtunnel?
03:42 < Kerbe> BadCodSmell: I've used autossh to create tunnels between servers, when vpn or ipsec has been felt a bit too heavy
03:53 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
04:01 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
04:02 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
04:05 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Client Quit]
04:06 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
04:16 < Kerbe> I've used ipsec too between servers, so not bad alternative either
04:17 < Kerbe> didn't just know what kind of light weight alternative you were after, ssh tunnels with autossh is fast to set up and works for certain things nicely. :)
04:20 -!- ajc_ [ajc@nat/hp/x-rqxddrrrgrqqrfpo] has quit [Read error: Connection reset by peer]
04:42 -!- dazo_afk is now known as dazo
05:04 -!- mbwe [~mbwe@188.226.228.27] has joined #openvpn
05:05 < mbwe> hi everybody, i want to move my openvpn server to another server, how should i backup my openvpn installation
05:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:21 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
05:22 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 252 seconds]
05:22 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
05:27 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
05:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
05:41 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has joined #openvpn
05:41 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has left #openvpn []
06:45 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
06:50 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
07:02 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
07:03 < debbie10t> I notice that the Misc: Ethernet-Bridge HOWTO does not have any information regarding the default gw of the bridge ?
07:06 < debbie10t> and bridge-stop renders the machine with no IP at all ?
07:10 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
07:11 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 264 seconds]
07:14 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:21 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Ping timeout: 255 seconds]
07:28 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
07:39 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:41 -!- UncleMeat [~uncle@nl6x.mullvad.net] has quit [Ping timeout: 240 seconds]
07:48 -!- mbwe [~mbwe@188.226.228.27] has quit [Quit: WeeChat 0.4.2]
08:04 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
08:04 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
08:11 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
08:13 -!- pseudopr1me [~bryan@c-24-34-219-11.hsd1.nh.comcast.net] has joined #openvpn
08:16 < pseudopr1me> i am having issues with my openvpn server pushing a default route to vpn clients. causing them to lose all networking. how can i prevent this from happening? this is my config: http://pastebin.com/9qDQiWij
08:19 < pseudopr1me> output from my client: http://pastebin.com/i4ddeY6M
08:20 < debbie10t> pseudopr1me : you cannot start your bridge with an openvpn up script .. it must be done *before you start openvpn
08:21 < pseudopr1me> routing tables: http://pastebin.com/Cuh3nHmC
08:21 < debbie10t> pseudopr1me http://openvpn.net/index.php/open-source/documentation/miscellaneous/ethernet-bridging.html
08:21 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
08:21 -!- Megaf_ is now known as Megaf
08:21 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
08:25 < pseudopr1me>        --up cmd
08:25 < pseudopr1me>               Run command cmd after  success‐
08:25 < pseudopr1me>               ful  TUN/TAP  device  open
08:26 < pseudopr1me> pretty sure that placing the scripts under that directive is fine.
08:27 < debbie10t> ok .. just keep bashing your head against a brick wall then
08:27 < pseudopr1me> if i am wrong, that is fine. i just don't see why that would cause a route to be pushed.
08:29 < pseudopr1me> fyi, this: https://help.ubuntu.com/community/OpenVPN is where i got that from
08:29 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com)
08:30 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
08:30 < debbie10t> read the official docs
08:31 < pseudopr1me> an explanation would help me much more than screaming rtfm
08:33 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
08:33 < debbie10t> who's screaming ?
08:33 < pseudopr1me> whatever man, ill go figure it out
08:35 < debbie10t> pseudopr1me http://openvpn.net/index.php/open-source/documentation/miscellaneous/ethernet-bridging.html
08:35 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
08:48 < pseudopr1me> for the record, i just figured out that it was my operating system's dhcp client that was overstretching it's reach. nothing to do with my bridge device.
08:48 < pseudopr1me> but thanks for all your wonderful help
08:49 -!- pseudopr1me [~bryan@c-24-34-219-11.hsd1.nh.comcast.net] has quit [Quit: leaving]
09:06 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
09:46 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds]
09:47 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
09:47 -!- mode/#openvpn [+v hazardous] by ChanServ
09:54 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:55 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
11:02 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:05 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 256 seconds]
11:10 -!- Denial [~Denial@host86-163-221-70.range86-163.btcentralplus.com] has joined #openvpn
11:27 -!- jetole [~jetole@unaffiliated/jetole] has joined #openvpn
11:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:31 -!- jetole [~jetole@unaffiliated/jetole] has quit [Client Quit]
11:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:43 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:44 -!- ade_b [~Ade@redhat/adeb] has quit [Client Quit]
11:49 -!- larryone [~larryone@185.32.152.150] has quit [Ping timeout: 240 seconds]
11:50 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
11:52 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
12:14 -!- Olivier| [Olivier@185.13.226.177] has quit [Ping timeout: 264 seconds]
12:17 -!- Olivier| [Olivier@185.13.226.177] has joined #openvpn
12:28 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:31 -!- Olivier| [Olivier@185.13.226.177] has quit [Ping timeout: 255 seconds]
12:37 -!- arescorpio [~arescorpi@71-206-17-190.fibertel.com.ar] has joined #openvpn
12:41 -!- Olivier| [Olivier@185.13.226.177] has joined #openvpn
12:43 -!- Latrina [~Latrina@ppp-78-22.26-151.libero.it] has quit [Ping timeout: 240 seconds]
12:45 -!- Latrina [~Latrina@ppp-78-22.26-151.libero.it] has joined #openvpn
13:10 -!- arescorpio [~arescorpi@71-206-17-190.fibertel.com.ar] has quit [Ping timeout: 240 seconds]
13:38 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
14:05 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
14:10 -!- xdudi [~Marcin@91.226.23.64] has joined #openvpn
14:13 < debbie10t> I just got this in the log file : MULTI: Learn: 10.1.101.222 -> client02/92.20.29.104:4272
14:13 < debbie10t> but I have no machine at all on IP address 10.1.101.222
14:13 < xdudi> i have weird problem, after connected to vpn (from windows 8), i have web inaccessible, i tried add register-dns command to config file, but it doesn't work, can anyone tell me how modify my config file?
14:26 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
14:36 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
14:37 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
14:37 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
14:38 -!- arescorpio [~arescorpi@71-206-17-190.fibertel.com.ar] has joined #openvpn
14:45 <@krzee> xdudi, !redirect
14:45 <@krzee> follow the flowchart
14:45 <@krzee> !redirect
14:45 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:45 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:59 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has joined #openvpn
15:00 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:01 -!- MaliusArth [~MaliusArt@chello062178183011.18.14.vie.surfer.at] has left #openvpn []
15:05 < debbie10t> hmm .. turns out 10.1.101.222 was being resolved by DNS incorrectly .. doh !
15:08 -!- arescorpio [~arescorpi@71-206-17-190.fibertel.com.ar] has quit [Excess Flood]
15:08 -!- dazo is now known as dazo_afk
15:13 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
15:16 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
15:21 -!- defswork [~andy@141.0.50.105] has quit [Ping timeout: 252 seconds]
16:04 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
16:12 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:13 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
16:14 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
16:16 -!- mete [~mete@91.247.253.160] has quit [Client Quit]
16:16 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:18 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:28 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
16:29 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:41 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
16:43 -!- mete [~mete@91.247.253.160] has joined #openvpn
16:48 -!- RedDeath [Xe@92.114.69.151] has joined #openvpn
16:57 -!- p3rror [~mezgani@41.249.90.224] has joined #openvpn
17:10 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 272 seconds]
17:11 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
17:17 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 248 seconds]
17:18 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
17:25 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
17:28 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
17:33 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
17:44 -!- p3rror [~mezgani@41.249.90.224] has quit [Ping timeout: 256 seconds]
17:51 -!- Ridley5 [~Ridley@unaffiliated/ridley5] has joined #openvpn
17:51 < Ridley5> hi all
17:58 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
17:59 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:11 -!- RedDeath [Xe@92.114.69.151] has quit []
18:25 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:35 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
18:37 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
18:42 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
18:44 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Client Quit]
18:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:48 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
18:49 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Client Quit]
18:51 -!- xdudi [~Marcin@91.226.23.64] has quit []
19:01 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
19:05 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Client Quit]
19:20 -!- arescorpio [~arescorpi@71-206-17-190.fibertel.com.ar] has joined #openvpn
19:30 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:36 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:09 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
20:11 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
20:13 <@krzee> greetings
20:21 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
20:21 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
20:53 -!- themadcanudist [~themadcan@24-52-242-139.cable.teksavvy.com] has joined #openvpn
20:54 < themadcanudist> hey guys, anyone here experienced with linux + tap + ethernet bridging? I have it working, but am curious if I can extend the bridge on the client side to forward/rebroadcast it on the local segment the client is on.
20:54 < themadcanudist> i can explain in more detail if someone is willing to help
20:54 < pekster> Best not to bridge as it adds undue complications
20:55 < pekster> See the bot info on why at: !tunortap and !whybridge
20:55 < pekster> If you truely have non-IP protocols you must transport, you're the very rare exception to this advice
20:55 < themadcanudist> pekster: It's a requirement on my end. ie. I have an established network that I need to extend over an openvpn tunnel to another location
20:55 < pekster> THat's not a valid reason. What protocols are you using that cannot do IP transit?
20:56 < pekster> (hint: the "Internet at large" works with routing, not bridging. That's why your ISP isn't a giant switch farm)
20:56 < themadcanudist> pekster: I know that
20:56 < themadcanudist> THey are on a private VLAN
20:56 < themadcanudist> huge chunk of infrastructure
20:56 < themadcanudist> I can not make it public
20:56 < pekster> Why can't you route to it?
20:57 < themadcanudist> let's rephrase this as a dialogue not about what is ideal, but what is possible.
20:57 < pekster> Even if it's private, just push a route to that private space across your secure VPN and route as usual
20:57 < pekster> If it's possible to do this properly, you should
20:57 < themadcanudist> ah
20:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
20:57 < themadcanudist> it has to be on the local segment for bootp protocols.
20:57 < themadcanudist> can't be routed
20:58 < pekster> Your goal is bootp over the VPN from one end to the other?
20:58 < themadcanudist> yes
20:58 < themadcanudist> if possible
20:58 < themadcanudist> if not, then it's a different story
20:58 < themadcanudist> but I believe it is
20:58 < pekster> So bootp is the protocol you're using. It is possible, although how you handle DHCP might add complexity to your solution
20:59 < themadcanudist> I was hoping that I could just extend the network and have it work like magic to do the initial builds
20:59 < themadcanudist> then the vpn can be taken down
20:59 -!- erkules_ [~erkan@pdpc/supporter/professional/erkules] has joined #openvpn
20:59 < pekster> A bridged tap VPN acts like a "really long Ethernet cable", although OpenVPN cannot today do 802.1Q (VLANs) over the link. You're free to bridge to an untagged VLAN though
21:00 < pekster> It can optionally assign the clients an IP out of its own pool, or you can rely on your own DHCP server to integrate in with bootp. The pitfall here is that you must carefully consider how you handle the default route to VPN clients unless you really want their default route to go across your VPN link
21:01 < pekster> (and if you do that, _all_ the clients at the far side will route across your link for any traffic: to google, OS updates, NTP syncing, whatever)
21:01 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has quit [Ping timeout: 255 seconds]
21:02 < pekster> themadcanudist: With me so far? It sounds like you might be fine managing the DHCP yourself and just using OpenVPN as that "long cable", knowing that all Internet access will go across it
21:03  * themadcanudist nods
21:03 < themadcanudist> ok
21:03 < themadcanudist> lemme try to explain what I have so far.
21:03 < pekster> Sure, that'll help. Just making sure you're not setting yourself for disappointment on the routing front
21:04 < themadcanudist> on the server end, I have this set up successfully. There are many hosts on a private VLAN, when the client connects, it gets an ip (due to server-bridge config) on the same subnet…
21:04 < themadcanudist> the client can ping all hosts on the remote end and all hosts can ping it
21:04 <@krzee> are you bridging only to get it onto that subnet?
21:04 < themadcanudist> However, I need one additional step
21:04 < pekster> krzee: bootp exposed over DHCP on the server-end, it sounds like
21:05 < pekster> If I understand that right, this _is_ one of those rare cases of "proper" use of bridging
21:05 <@krzee> oh
21:05 < themadcanudist> I want the client, to essentially BRIDGE the tap0 device to the eth0 device (the same device that the public interface is on). SO that local machines on the client's VLAN can see the subnet that has been extended from the remote/server side.
21:06 < themadcanudist> That's where I'm hitting the issue
21:06 < pekster> Yes, you need to create a bridge in your OS with the real adapter (or your VLAN adapter, if that's what you have) and then also assign the tap device as a bridge member
21:06 < themadcanudist> when I bridge the tap0/eth0 device the box is knocked off the network
21:06 < pekster> Create your bridge as part of your on-boot networking
21:07 < pekster> Until you do that, you cannot meaningfully perform network bridging at all
21:07 < pekster> (with or with openvpn -- same rule applies if you try to bridge to "normal" Ethernet devices)
21:07 < themadcanudist> yeah, i think there's a missing piece here on my part.
21:07 < themadcanudist> step 1, bridging works for client
21:08 < pekster> Not if you don't have a bridg eon the server
21:08 < pekster> Then it's just a normal tap, no bridging involved yet at all
21:08 < pekster> A bridge requires _YOU_ to set up a bridge interface in your OS
21:08 < themadcanudist> yes
21:08 < themadcanudist> i have
21:08 < themadcanudist> on the server
21:08 < themadcanudist> to make it work
21:08 < themadcanudist> and it works 100%
21:08 < pekster> What OS?
21:08 < themadcanudist> linux
21:08 < pekster> Can I see `brctl show` and `ip a` on a pastebin?
21:08 < themadcanudist> yes
21:09 < themadcanudist> http://pastebin.com/e3fhZJES
21:09 < themadcanudist> as i said
21:09 -!- Chex [sss@hotlanta.northnook.ca] has joined #openvpn
21:09 < themadcanudist> i have the standard openvpn bridging working
21:09 < themadcanudist> I need to do an additional step
21:09 < pekster> If shouldn't ever knock yuo off
21:09 < pekster> If it does, you're following some really dated script and you outght to do this properly in your OS
21:10 < themadcanudist> which is to allow the client to "rebroadcast" the bridge over the same interface it's connected to the server with
21:10 < pekster> Almost every Linux distro provides a way to configure a bridge by default on boot, and on Linux the bridge device itself holds the addresing and routes
21:10 < themadcanudist> i need to draw it out for you
21:10 < pekster> I understand how briding works
21:10 < themadcanudist> pekster
21:10 < pekster> I don't understand why you're using "scripts" to do this
21:10 < themadcanudist> scripts?
21:10 < themadcanudist> i have it working
21:11 < themadcanudist> i want to rebroadcast on the client side
21:11 < pekster> Oh, just bridge it there then
21:11 < themadcanudist> yes
21:11 < themadcanudist> that's where i'm hitting the issue
21:11 < themadcanudist> i don't think it's an openvpn specific issue
21:11 < pekster> So the client has its own IP on the bridge in the _same_ network space, but not an overlapping IP, right?
21:11  * themadcanudist nods
21:11 < themadcanudist> yep, i incremented by one
21:12 < themadcanudist> so, by default openvpn server gives it the first IP available out of server-bridge syntax
21:12 < pekster> And `brctl show` on the client shows br0 (or w/e) with the physical iface and your tap? And the VPN is up and started successfully
21:12 < pekster> Oh, if you want bootp to work, you can't use the openvpn ifconfig pool
21:13 < themadcanudist> i don't use the ifconfig-pool syntax
21:13 < themadcanudist> just server-bridge
21:13 < pekster> THat does it anywya
21:13  * themadcanudist nods
21:13 < themadcanudist> ah
21:13 < pekster> Don't use the "helper-options" -- they do more than you realize
21:13 < themadcanudist> so i either have to configure server or server-bridge
21:13 < themadcanudist> or it complains on start
21:13 < pekster> See the manpage, but you explicitly should _not_ use the pool if you need to control things like bootp over the far side
21:13 < themadcanudist> that may be my issue
21:13 < themadcanudist> ah
21:13 < pekster> Then you've missed options you need, or misconfigured them
21:14 < themadcanudist> interesting. I think I found it. sec
21:15 < themadcanudist> there was an ifconfig-pool option. i removed it… had to add tls-server to config
21:15 < themadcanudist> it starts now
21:15 < themadcanudist> lemme test
21:16 < pekster> Yup, gotta "finish expanding" that *-server stuff if you manage it yourself
21:16 < pekster> That was probably what was missing
21:17 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 240 seconds]
21:20 < themadcanudist> pekster: same sitaution. As soon as I add tap0 to the bridge with eth0, the client gets knocked off the network. From the console I can't ping the gateway anymore. gateway is local to the machine, not over the vpn as per route -rn.
21:21 < themadcanudist> both the public IP and the private bridged subnet IP on client are assigned to br0 and br0:1
21:21 < themadcanudist> on the client
21:21 < themadcanudist> as soon as I remove the tap device from the br0
21:21 < themadcanudist> it comes back online
21:21 < themadcanudist> FYI: all interfaces on bridge are in promisc mode, in case you were wondering ;)
21:21 < pekster> br0:1 is bogus
21:21 < themadcanudist> ah
21:22 < pekster> Aliases on Linux networking died about a decade ago
21:22 < themadcanudist> shoud i use ip route instead
21:22 < pekster> If you need a secondary IP, add it to the interface
21:22 < themadcanudist> kk, sec
21:22 < pekster> Not route, just `ip` if you need more addresses. WHy do you need 2 IPs on that host?
21:22 < pekster> Was that intentional?
21:22 < themadcanudist> sorry, i meant iproute2.. ie. 'ip'
21:22 < themadcanudist> sec
21:22 < pekster> (some distro scripts are still stuck in the 90's and use aliases like disco and bell-bottom pants are still in style)
21:23 < pekster> Oh, "private" network, as in another one on the same broadcast domain? Kind of silly, but okay
21:23  * themadcanudist nod
21:23 < themadcanudist> OHHH
21:23 < themadcanudist> looks better, sec
21:24 < pekster> It offers no real security, and since it's broadcast, anyone on either network can easily see the network scope and hop to the other
21:24 < pekster> But that's of little concern here :P
21:24  * themadcanudist nods
21:26 < themadcanudist> damn, same result
21:27 < pekster> What's your server config look like?
21:27 < pekster> Also, I don't really get this "knocked off the 'net" thing. Ideally I'd recommend you just create the tap device on boot with a given name and use it
21:27 < pekster> Call it "tap_vpn" or something not tap#
21:27 < pekster> Then tell openvpn to connect to that, which is already a part of the bridge
21:27 < themadcanudist> right
21:27 < themadcanudist> ok, I can wrangle that now
21:27 < themadcanudist> when i say knoecked off the net
21:28 < themadcanudist> the client no longer can ping its local GW or anything local to it.
21:29 < themadcanudist> I'm just creating a perm one called tap0
21:29 < themadcanudist> and telling the client to use it, rather than spawn one.
21:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:30 < pekster> careful with tap0 if you run another VPN instance, but otherwise that may be fine
21:30  * themadcanudist nods
21:30 < pekster> The advantage here is no silly script that openvpn runs to "take the dynamically created tap and add it as a bridge member" -- it just works
21:31 < themadcanudist> yeah, for sure
21:31 < themadcanudist> hah, interesting
21:31 < pekster> You do `--dev tap0` in your config, on *nix. Windows has some --dev-node nonsense instead
21:31 < themadcanudist> yeah, already done
21:31 < pekster> neat
21:31 < themadcanudist> in this config, as SOON as I connect
21:31 < themadcanudist> the box disappears off net
21:31 < pekster> You pushing addressing to it or anything? overlapping default gateways? Something else out of whack?
21:32 < themadcanudist> does this have anything to do with client using eth1 to initiate the openvpn connection AND also having that interface in the bridge to bridge the tap0 network back over it?
21:32 < pekster> Remember, _both_ networks need completely non-overlapping IP assignments
21:32 < themadcanudist> when you say non-overlapping, you mean no IP conflicts?
21:32 < pekster> Right
21:32 < themadcanudist> in that case, of course!
21:32 < themadcanudist> yeah, client can't ping its local gateway anymore
21:33 < pekster> Is the gateway on unique address space on both ends?
21:33 < themadcanudist> oh yes
21:33 < pekster> And your server is staticlly addressed on eth1? No DHCP for 'net access?
21:33  * themadcanudist nods
21:34 <@krzee> do you haved a default gateway set properly to go over the bridge?
21:34 <@krzee> it disappears when you do the bridging iirc
21:34 < themadcanudist> yep
21:34 < pekster> You need the default gateway on the server to stay local
21:34 < themadcanudist> br0 owns the public and "extended private IP"
21:34 < pekster> (which it will be if statically addressed inc'l the route)
21:36 < pekster> For fun, what happens if you add `--up /usr/local/bin/print-route.sh --up-delay 10` and make that a shell script (chmod +x too!) do: `ip r > /tmp/vpn-up-routes.txt` or similar. Does something hose the route to your _local_ gateway?
21:37 < pekster> Getting knocked off the network such that it can't ping anything including its local gateway suggests either a routing issue, or problem resolving the L2 destination of the gateway
21:37 <@krzee> nice idea
21:38 < pekster> It shouldn't do silly things like put that as an on-link route on tap0, but that might provide clues as to such similar problems
21:38 < pekster> tap0 should remain address-less. Maybe also print `ip a` too
21:38 < themadcanudist> yeah, tap0 has no address, br0 does
21:45 < themadcanudist> dang, i have to leave this for now and attend to other matters. Thank you for all your help, I will be back ;)
21:45 < pekster> Sure, & g/l. Feel free to idle around as this can be a bit of a slow channel at certain times
21:45 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:45 < pekster> (just gotta find the right person at the right time)
21:52 -!- arescorpio [~arescorpi@71-206-17-190.fibertel.com.ar] has quit [Excess Flood]
22:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
23:17 -!- ShadniX [dagger@p5481DEA7.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:18 -!- ShadniX [dagger@p5DDFE214.dip0.t-ipconnect.de] has joined #openvpn
23:33 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
23:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:52 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:55 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
--- Day changed Wed Jul 09 2014
00:00 -!- erkules_ is now known as erkules
01:01 -!- jeev [~jeev@unaffiliated/jeev] has quit [Quit: ZNC - http://znc.sourceforge.net]
01:08 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:10 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
01:11 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 272 seconds]
01:11 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
01:13 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
01:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:41 -!- b00b [~spunk@smurf.mmnetworks.se] has quit [Ping timeout: 252 seconds]
01:41 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 272 seconds]
01:41 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
01:44 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has joined #openvpn
01:59 -!- brah [~allsdfjal@181.164.61.9] has quit [Ping timeout: 248 seconds]
02:17 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
02:20 -!- mete [~mete@91.247.253.160] has joined #openvpn
02:30 -!- mete [~mete@91.247.253.160] has quit [Read error: Connection reset by peer]
02:31 -!- mete [~mete@91.247.253.160] has joined #openvpn
02:37 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
02:40 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
02:44 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
02:44 -!- mode/#openvpn [+v RBecker] by ChanServ
02:45 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:55 -!- xdudi [~Marcin@91.226.23.64] has joined #openvpn
02:56 < xdudi> what is an "Use only for the resources in this connection" equivalent of .ovpn config file?
03:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
03:13 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:13 -!- mode/#openvpn [+o mattock] by ChanServ
03:22 -!- Rymax99 [~Ryan@s2.rymax99.com] has joined #openvpn
03:23 < Rymax99> Hi. I have a stock OpenVPN install on my Debian 7 XEN VPS, it seems that when I'm browsing the web connected to it, it is randomly very slow, and sometimes it just stops loading pages/responding altogether.
03:36 -!- get [219@unaffiliated/get] has quit [Excess Flood]
03:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:05 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
04:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:31 -!- starlays [~starlays@unaffiliated/starlays] has joined #openvpn
04:34 < starlays> hello to all, I need some help, I configured openvpn server on my Archlinux machine, tested, and it is Up and running. Now I want to connect my andoid phone to the server for that i have installed openVPN Connect from the market but I don't know how to make it work. It is asking me a .ovpn profile file, how do I generate such a file? Thank you in advance
04:44 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
04:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:52 < xdudi> starlays: first, try to connect from linux by cmd: openvpn --config file.ovpn
04:54 < xdudi> starlays: https://openvpn.net/index.php/open-source/documentation/howto.html#client
04:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
04:59 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
05:05 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 255 seconds]
05:16 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
05:16 < v0lZy> Hi
05:16 < v0lZy> I'm paralized by an openvpn TLS key authentication failed to occur withing 60 seconds issue
05:17 < v0lZy> I'm trying to connect to a VERY iffy remote site with very poor internet
05:17 < v0lZy> is there a way i can increase the timeout period?
05:18 < v0lZy> i see theres a tls-timeout thing
05:19 < v0lZy> do i have to do that both server and lcient side or onyl client side?
05:22 -!- psycho_oreos [~tuxsavvy@unaffiliated/tuxsavvy] has quit [Read error: Connection reset by peer]
05:23 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
05:24 < starlays> xdudi: it is working from command line, i can connect and ping the guest
05:25 < v0lZy> aslso there seems to be a handshake window thing
05:25 < v0lZy> anyoen know how to put these parameters into effect ... server side? client side? how to speciry them in the config file?
05:25 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
05:25 < xdudi> starlays: send your .ovpn config file to the mobile phone and use it to connect
05:28 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Client Quit]
05:31 <@plaisthos> starlays: you can also use openvpn for android, there you can configure the profile in the app
05:33 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
05:33 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
05:34 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
05:35 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:35 -!- mode/#openvpn [+o syzzer] by ChanServ
05:46 < v0lZy> never mind, found it.
05:52 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
05:54 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
05:59 < starlays> plaisthos: hmm, I'm using openvpn connect
05:59 < starlays> plaisthos: let me see what is available on market
06:03 < starlays> plaisthos: are you reffering to openvpn for android?
06:03 <@plaisthos> starlays: yes
06:03 <@plaisthos> !android
06:03 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
06:05 < starlays> plaisthos: on the openvpn website is sending me to a android app that is called private tunnel, from the openvpn.net
06:05 < starlays> plaisthos: thank you, I'll give it a try
06:05 < starlays> xdudi: thank you
06:10 < v0lZy> hey everyone
06:11 < v0lZy> I'm having some problems
06:11 < v0lZy> Im using a TCP connection, 2048 bit encryption... and the internet line to the remote end is really bad
06:11 < v0lZy> i increased hand-window from 60 seconds to 360 seconds
06:12 < v0lZy> and now TLS handshake no longer fails, but i keep getting bad encapsulated packet length messages
06:12 < v0lZy> am i missing something?
06:28 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
06:32 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
06:32 -!- mode/#openvpn [+v RBecker] by ChanServ
06:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
06:43 <@krzee> v0lZy,
06:43 <@krzee> !tcp
06:43 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
06:44 < v0lZy> ah
06:44 < v0lZy> where do I put tcp-nodelay ? client side?
06:44 < v0lZy> or server side or both?
06:44 < starlays> I'm getting an error: Authenticate/Decrypt packet error: packet HMAC authentication failed I'm trying to connect to the server with Openvpn for android
06:47 < v0lZy> server it seems
06:47 < v0lZy> and then server pushes it to client
06:56 <@plaisthos> starlays: then you have probably misconfigured somthing
06:56 <@plaisthos> look for warnings about mismatched cipher auth
06:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:59 < v0lZy> krzee: I need to use TCP because of outgoing restrictions
07:00 < v0lZy> krzee: not sure why im havin gos much trouble with packet size... wish i understood whats going on.. I suppose packets are becoming bigger becuase of encapsulation or something
07:00 < v0lZy> though this never used to be a problem
07:00 < v0lZy> so i suspect latency and stuff like that, but tcp-nodelay doesnt solve it..
07:00 <@krzee> starlays, check the tls-auth file's MD5/SHA hash matches on both sides
07:01 <@plaisthos> krzee: tls-auth should not trigger hmac errors iirc
07:01 <@plaisthos> oh
07:01 <@krzee> sure it does, the hmac comes from tls-auth
07:01 <@plaisthos> ignore that
07:01 -!- themadcanudist [~themadcan@24-52-242-139.cable.teksavvy.com] has quit [Quit: Leaving.]
07:01 <@krzee> keeping me on my toes? ;]
07:02 <@plaisthos> let me rephase that ;)
07:02 <@plaisthos> hmac errors can happens also without tls-auth if --auth values mismatch
07:02 <@krzee> ahh sure
07:03 <@krzee> also sometimes if compression options dont match i think
07:04 <@krzee> or tls-auth direction
07:04 <@krzee> i always start with hashing the file tho, i feel its the most common problem for that issue
07:05 <@plaisthos> nah, iirc compress happens after hmac and decrypt
07:07 <@krzee> ive seen it happen, but it could possibly be on old issue or something
07:14 < starlays> krzee: problem solved, I can connect now but i do not have internet acces, I added the 2 options for the server: push "dhcp-option DNS 8.8.8.8" and push "redirect-gateway def1"
07:14 < starlays> what sould i dig for?
07:15 <@krzee> so the files were not = and thats what you fixed?
07:15 <@krzee> !redirect
07:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:15 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
07:15 <@krzee> what OS is your server?
07:20 < v0lZy> Hm... I'm lost... I added tcp-nodelay to the server config, i dont provide a DNS server, i use an IP in the config file...
07:20 < v0lZy> i cant understnd why the whole thing gets the bad encapsulation thing
07:21 <@krzee> v0lZy, what "bad encapsulation" thing? i thought you just had very poor performance on your network link to the server...
07:22 < starlays> krzee: no, it needed to enable lz compression and got it working
07:24  * krzee pokes plaisthos =]
07:25 < v0lZy> CAn anyone provid more guidance on this encapsulation ength problem ?
07:26 < v0lZy> sorry, didnt see your repyl come through
07:26 < v0lZy> krzee: yes, I do.. .very very poor
07:26 < v0lZy> but im getting a message
07:26 < v0lZy> i cant connect... my server doenst say anything about the connecting client in the log
07:26 < v0lZy> I dont know what the issue is honestly
07:26 <@krzee> !logs
07:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:27 < v0lZy> the network is so bad i cant really get to the logs easily
07:27 <@krzee> then sorry i cant heko
07:27 <@krzee> help*
07:27 < v0lZy> let me transcribe what i see in the console
07:27 <@krzee> no
07:27 <@krzee> get logs or ignore me lol
07:28 < v0lZy> TCPv4_CLIENT link remote: [AF_INET]<target ip>:80
07:29 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 248 seconds]
07:29 < v0lZy> then WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <- 1559 -- please ensure that --tun-mtu or --link-mtu is qeual on obht peers -- this condition could also indicate a possible active attack on the tcp link -- [attempting restart ...]
07:29 < v0lZy> Connection reset, restarting [0]
07:29 <@krzee> a proper logfile will have tons of output, you'll need to use pastebin or similar
07:29 < v0lZy> SIUSR1[soft, connection-reset] received, process restarting
07:29 < v0lZy> thats what im seeing.
07:29 <@krzee> v0lZy, pls stop
07:29 < v0lZy> ok
07:29 <@krzee> <krzee> get logs or ignore me lol
07:30 < v0lZy> what do i cann openvpn.exe with to get a good log?
07:30 <@krzee> !logfile
07:30 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
07:30 < v0lZy> thing is, my tunnel works.. i have several remote users on it.. this one client is having these difficulties.
07:36 <@krzee> starlays, what OS is your server?
07:49 < v0lZy> krzee: should i be able to see anything on the server if i have verb 4 ?
07:50 <@krzee> you need to put both sides at verb 4 and post the log from start to them being connected with issues
07:50 -!- Eagleman [~Eagleman@546BC8D0.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 264 seconds]
07:51 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
07:52 < v0lZy> krzee: I have verb 4 on the server at the moment. Im connecting the client to the server... should I see anything IP related in the server side log or not? because right now, all im seeng is CMD 'status2' CMD 'quit' Client Disconnected
07:52 < v0lZy> and something about Client Connected form /var/etc/openvpn/server1.sock
07:52 < v0lZy> and im finding that a bit strange... as if the clients not even making it to my server
07:53 <@krzee> is there a web interface involved anywhere in your setup?
07:53 < v0lZy> yes
07:53 < v0lZy> using pfsense
07:53 <@krzee> !as
07:53 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
07:53 <@krzee> oh nevermind
07:53 <@krzee> haha
07:53 < v0lZy> and thats what i suppose is gettings this status 2 quit disconnected stuff
07:53 <@krzee> you're probably just looking at the wrong logs
07:53 <@krzee> !logfile
07:53 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
07:54 < v0lZy> theres an openvpn tab
07:54 < v0lZy> showing only openvpn stuff
07:54 < v0lZy> which usually shows more...
07:54 <@krzee> !pfsense
07:54 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the config and logfiles
07:55 < starlays> krzee: archlinux-arm, it is on a respberry pi
07:55 <@krzee> !linipforward
07:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
07:55 <@krzee> !linnat
07:55 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
07:55 <@krzee> @ starlays ^^
07:55 < starlays> krzee: from the android phone I can't ping the server
07:55 < starlays> ok
07:56 <@krzee> dont test your server using a phone
07:56 <@krzee> get it working fine from a computer
07:56 <@krzee> then worry about phones
07:56 -!- xdudi [~Marcin@91.226.23.64] has left #openvpn []
07:56 < starlays> krzee: with my linux pc it is working
07:56 -!- defswork [~andy@141.0.50.98] has joined #openvpn
07:56 <@krzee> even internet over the server?
07:56 < starlays> that one didn't test
07:56 <@krzee> well...
07:57 <@krzee> then is it really working!?
07:57 < starlays> i tested only the ping after the connection is established
07:57 <@krzee> hah
07:57 < starlays> you are right
07:57 < starlays> I'll debug
07:57 <@krzee> gotta go 1 step at a time
07:57 <@krzee> not 1 step - skip to end - hey why doesnt it work!?
07:58 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
08:00 -!- elfixit [~Icedove@dhcp-129-136.office.init7.net] has quit [Ping timeout: 264 seconds]
08:02 -!- elfixit [~Icedove@dhcp-129-136.office.init7.net] has joined #openvpn
08:09 < v0lZy> hm
08:10 < v0lZy> I'm convinced my remote side doesnt even ever reach openvpn
08:10 < v0lZy> i have portsharing activated
08:10 < v0lZy> should they have some kind of a MTU set
08:10 < v0lZy> woudl that effect openvpn recognizing openvpn packets etc?
08:10 <@krzee> if you have to ask, no.
08:10 <@krzee> (you should only be changing mtu when you know why)
08:11 < v0lZy> thats the thing here
08:11 < v0lZy> im not in control of the remote site to that extent
08:11 < v0lZy> its a river curising ship
08:11 -!- themadcanudist [~themadcan@vmfarms-1.itcanada.com] has joined #openvpn
08:12 <@krzee> is that why an hour has about gone by and no logs?
08:12 < v0lZy> not sure if they have any MTU settings changed anywhere
08:12 < v0lZy> krzee: yeah
08:12 <@krzee> cause you're almost on my ignore list based on that
08:12 < v0lZy> i can transcribe faster than I can move the mouse.
08:12 < v0lZy> the connection over teamveiwer is horrid
08:12 <@krzee> almost an hour. you should have them by now.
08:13 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:13 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:14 < v0lZy> krzee: im trying to grab server logs, and based on what i've seen, nothing is wrong since other clients connecting to the same openvpn server are conencting ok... and for this ship, i literally cant find it in the logs. So something is obviously off here... i'm checking my config files, checking if the ship generally has access to my location etc
08:14 < v0lZy> im doing portsharing, and if i access port 80 from a browser on that ship, i can land on my page
08:14 <@krzee> you're looking at the wrong logs
08:14 <@krzee> ssh in and get me the LOGFILE
08:14 <@krzee> !logfile
08:14 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:14 <@krzee> for the 3rd or 4th time ^
08:15 < v0lZy> krzee: im in /var/log/openvpn.log
08:16 <@krzee> grep openvpn.log /path/to/openvpn/config
08:16 <@krzee> (show me in the config file what makes that file)
08:16 < v0lZy> according to my contact on the other side, im going into the ship via satellite link... 3000ms latency is 'normal'
08:17 < v0lZy> im looking at my firewall
08:17 < v0lZy> and trying to find the log file
08:17 < v0lZy> ill restart the service to get a clean file... sec
08:18 <@krzee> my sat link is more like 650 ms
08:18 <@krzee> (had to connect before i could test)
08:19 < v0lZy> is your satlink moving around? :D
08:19 <@krzee> neg
08:19 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:19 < v0lZy> ships sometimes turn faster than satellite dishes
08:19 < v0lZy> go under bridges
08:19 < v0lZy> dock next to buildings covering line of sight to the satellite
08:19 < v0lZy> things like that
08:19 < v0lZy> horrible internet connection.
08:20 <@krzee> sure, but im sure those things dont factor in to "normal"
08:20 <@krzee> but are rather the outliers
08:21 <@krzee> anyways
08:21 <@krzee> get me the configs and logs too now, the only way i will know what your "/var/log/openvpn.log" means is seeing your config file
08:21 <@krzee> !configs
08:21 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:22 <@krzee> !router
08:22 <@vpnHelper> "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
08:22 <@krzee> :D
08:22 < v0lZy> krzee: my openvpn server config: http://pastebin.com/VBqUdkbx
08:22 -!- dazo_afk is now known as dazo
08:22 <@krzee> wb dazo
08:24 <@krzee> v0lZy, so you're port-sharing but not running on port 443?
08:24 < v0lZy> yeah.
08:24 < v0lZy> portsharing on port 80
08:24 <@krzee> ?why?
08:25 < v0lZy> what difference does it make if its on 443? the idea is to have openVPN on a tcp port most likely accessible form the outside.
08:25 < v0lZy> theres outbound filtering on the ships.
08:25 <@krzee> then why bother port-sharing?
08:26 < v0lZy> because theres only one IP here
08:26 <@krzee> oh hah so you use it just for NAT
08:26 <@krzee> to proxy it
08:26 < v0lZy> yes, to proxy http requests
08:26 < v0lZy> i have a pfsense firewall that runs the openvpn server... behind this firewall, theres a websever
08:26 <@krzee> ok well i still havnt seen your error, but im pretty sure that openvpn over a 3000ms link will explode with TCP
08:27 <@krzee> so like, i expect it to suck
08:27 <@krzee> because of:
08:27 <@krzee> !tcp
08:27 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
08:27 < v0lZy> krzee: I kind of expect it to suck as well.. but port 80 tcp is what the aim is right now
08:27 < v0lZy> well in absence of port 80 udp being closed..
08:27 <@plaisthos> v0lZy: ask yourself if you really need VPN
08:27 <@krzee> 80 udp?
08:27 < v0lZy> the only thing I could think of is udp 53 then or soemthing
08:27 <@krzee> do people even use 80 udp?
08:28 < v0lZy> 80 udp would not be http... most likely closed.
08:28 <@krzee> ya udp 53 makes more sense
08:28 <@krzee> or a voip port
08:28 <@plaisthos> or if you could do ssh+port forwarding or something
08:28 < v0lZy> limitation here is client side
08:28 <@plaisthos> because tcp over tcp in a high latency link with varying latency is a worst case scenario
08:28 <@krzee> ^^^
08:29 < v0lZy> plaisthos: yeah, i know, and ideally, we'll manage to setup a udp 53
08:29 -!- themadcanudist [~themadcan@vmfarms-1.itcanada.com] has left #openvpn []
08:29 < v0lZy> but this severely depends on the environment the client vpn is dialing from
08:29 <@krzee> unfortunately ssh tunnel would be the same tcp in tcp issue
08:29 <@plaisthos> krzee: nah
08:29 < v0lZy> this tcp within tcp performance issue asside...
08:29 < v0lZy> my acutal problem is that i get a message saiyng peer has bad encapsulation length
08:29 <@plaisthos> krzee: ssh -L and ssh -R don't do tcp over tcp
08:30 <@krzee> in fact openvpn was basically orig made to solve that problem according to a slideshow from james
08:30 <@krzee> i dont use that part of ssh much, is that the socks proxying?
08:30 <@plaisthos> krzee: no, simple port forwarding
08:30 < v0lZy> krzee: anyway, server logs dont show ANYTHING from the remote end.. so im wondering what the hell is the matter.
08:30 <@krzee> oh i see =]
08:30 < v0lZy> remote admin asures me there's no messing with MTUs .
08:31 <@krzee> v0lZy, im ignoring you until you post logs
08:31 <@krzee> !logfile
08:31 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:31 <@krzee> ^ last time i post that ^
08:31 <@krzee> you posted your config clearly without log in it
08:32 <@krzee> its been an hour asking for the same logfile.
08:33 < v0lZy> krzee: config is set to daemon, so logs to stdout if i undrestand correctly
08:33 <@krzee> get a log file.
08:33 < v0lZy> i have a /var/log/openvpn.log file, where i suspect the output is piped to
08:33 <@krzee> stop suspecting.
08:34  * rob0 is suspicious
08:34 < v0lZy> krzee: well if i actually do have a log file, since I can see it, then obviously im not pulling your leg here... its getting logged into /var/log/openvpn.log ... now ill clear the log restart the service and paste the log
08:35 <@krzee> use --log .
08:35 < v0lZy> ok
08:35 <@krzee> how can it possibly be this hard to get a log file to help someone?
08:35 < v0lZy> ill add that
08:36 <@krzee> <krzee> <krzee> get logs or ignore me lol    <--- that was copied/pasted an hour ago
08:37 < v0lZy> restarted the service
08:37 < v0lZy> now running remote side client..
08:38 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
08:39 < v0lZy> it takes a while to run through to the part where it reports the encapsulation problem..
08:39 <@krzee> thats fine
08:39 <@krzee> i expect the logs to have a lot
08:40 <@krzee> server 10.111.110.0 255.255.255.0
08:40 <@krzee> port-share 10.111.111.55 80
08:40 <@krzee> umm, hows that working for you?
08:41 < v0lZy> different subnets.
08:41 < v0lZy> 111 and 110
08:41 <@krzee> oh right ok
08:41 <@krzee> haha
08:42 <@krzee> hurts my eyes
08:42 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
08:42 -!- mode/#openvpn [+v RBecker] by ChanServ
08:42 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
08:42 < v0lZy> stopped the service
08:42 -!- soapee01_ [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
08:42 < v0lZy> now gonna fetch the log
08:43 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
08:43 -!- kirin` [telex@gateway/shell/anapnea.net/x-cqtminelqxijhayb] has quit [Disconnected by services]
08:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-ukpbiwpsodagkvhv] has joined #openvpn
08:44 <@krzee> push "route 10.111.111.0 255.255.255.0"
08:44 <@krzee> port-share 10.111.111.55 80
08:44 <@krzee> that works?
08:44 < v0lZy> yes.
08:45 < v0lZy> route is pushed to 10.111.110.0/24 roadwarriors
08:45 <@krzee> hmm, ild expect a routing loop but i guess it works since its not a direct connection to the 10.111.111.55 80 but rather a proxied one
08:45 < v0lZy> port-share occurs on the WAN interface.
08:46 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:46 -!- mode/#openvpn [+o mattock_] by ChanServ
08:46 < v0lZy> not that much info in the log file
08:47 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:47 < v0lZy> total of 325 lines
08:47 -!- metaf5_ [~metaf5@107.181.166.167] has joined #openvpn
08:47 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
08:47 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
08:47 <@krzee> shoot it over
08:47 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
08:47 -!- ratsupremacy [~antihero@37.139.5.204] has joined #openvpn
08:47 <@krzee> and i hope you have the other side too
08:47 <@krzee> both sides of that connection, with the expected error
08:48 -!- Netsplit *.net <-> *.split quits: @mattock, pppingme, kloeri, malc0re, kantlivelong, Mike--, Cyclohexane, thumbs, mingdao, soapee01,  (+24 more, use /NETSPLIT to show all of them)
08:48 -!- lbft_ is now known as lbft
08:48 -!- mattock_ is now known as mattock
08:48 -!- metaf5_ is now known as metaf5
08:48 -!- joako_ is now known as joako
08:48 -!- mgorbach_ is now known as mgorbach
08:48 -!- jgeboski- is now known as jgeboski
08:48 < v0lZy> http://pastebin.com/Rq96fTeV
08:49 <@krzee> also port-share is commonly used to hide openvpn from someone who is inspecting
08:49 < v0lZy> thats the server
08:49 < v0lZy> ill do the log of the client
08:49 -!- Netsplit over, joins: thumbs
08:49 <@krzee> so people run it on port 443 and forward to another server when someone checks manually
08:50 <@krzee> 443 being the ssl web port, so crypto traffic is expected
08:50 -!- Netsplit over, joins: indy
08:50 < v0lZy> yes, makes sense
08:51 < v0lZy> 443 in my specific setup with routes gives me trouble with pfsense interface, hehe
08:51 <@krzee> do you also need to serve port 80 for some reason?
08:51 < v0lZy> yes
08:52 < v0lZy> need to serve port 80 for the webserver behind the firewall
08:52 < v0lZy> i hope to get more ips later
08:52 < v0lZy> but current isp doesnt offer it ont his plan
08:52 < v0lZy> requires a different plan....
08:52 <@krzee> so the cruise ship has a webserver?
08:52 < v0lZy> im not on the ship
08:52 < v0lZy> the ship's the remote vpn roadwarrior.
08:52 <@krzee> cruise ship is a client?
08:53 < v0lZy> yup
08:53 <@krzee> oh ok that is much better than what i thought :D
08:53 <@krzee> you can ignore the constant management stuff
08:53 < v0lZy> yes, thats pfsense stuff
08:53 <@krzee> thats some display interface constantly polling for info
08:53 <@krzee> annoying maybe, but not a problem
08:54 <@krzee> so? was there an error somewhere?
08:54 < v0lZy> not on the server side
08:54 < v0lZy> server side literally sees nothing apparently
08:54 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has joined #openvpn
08:54 -!- kloeri_ is now known as kloeri
08:55 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has joined #openvpn
08:55 <@krzee> it connects, of course it sees it
08:55 <@krzee> did you still not manually make a logfile?
08:55 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
08:55 < v0lZy> im trying to log it
08:55 < v0lZy> but the way im doing this, seem sto be an issue...
08:55 <@krzee> no kidding
08:55 < v0lZy> what you see conencting is another clinet, thats not the ship.
08:56 <@krzee> if you feel its blocking things you can firewall that client off for a minute
08:56 <@krzee> otherwise, its fine
08:57 <@krzee> so that log i just looked at was the ship?
08:57 < v0lZy> no
08:57 < v0lZy> thats the server
08:57 < v0lZy> the ship im uploading fresh configs to so it will log
08:57 <@krzee> and you're trying to get a log from the ship now?
08:57 < v0lZy> yes
08:57 <@krzee> k
08:57 -!- malc0re [mc@unaffiliated/csdsss] has joined #openvpn
08:57 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
08:58 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
08:58 <@krzee> oh the client connecting to the server in this server log is *not* the ship
08:58 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
08:58 <@krzee> is what you said
08:58 < v0lZy> yes
08:58 <@krzee> oh ok, ya thats a problem
08:58 < v0lZy> thats not the ship, thats another clinet with the same setup, who works
08:59 < v0lZy> and is on a more stable network
08:59 < v0lZy> actually a virtual machine here on the lan.
08:59 <@krzee> gotchya
08:59 -!- themadcanudist [~themadcan@vmfarms-1.itcanada.com] has joined #openvpn
08:59 <@krzee> so, useless log is useless
08:59 < v0lZy> takes a few minutes .. and since im logging to a ifle, i cant easily see if i got the error yet..
09:00 <@krzee> sure you can, grep for it
09:00 < v0lZy> can barely move the mouse
09:00 < v0lZy> remotes a windows machine.
09:00 <@krzee> eww
09:00 < rob0> ewww
09:00 <@krzee> :D
09:01 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
09:01 < themadcanudist> Hey guys, anyone here willing to help me answer a quick question about bridging via openvpn. I can get it working so the client can do bootp in this configuration, but I'd like to "rebroadcast/bridge" the network that's come across 172.16… to other machines on the same physical VLAN VIA the same eth0 device that the openvpn connection is on. When I try to add tap0+eth0 to the bridge, the box loses connectivity and can't ping anything on
09:02 <@krzee> themadcanudist, did you try peksters suggestion for checking the routing table?
09:02 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
09:02 < themadcanudist> krzee: I did, the routing table had a default route to the router via br0
09:03 <@krzee> so ya i dont really troubleshoot bridges, just wanted to ask that cause it was a good idea
09:03 <@krzee> =]
09:03  * themadcanudist nods
09:03 < rob0> You're bridging the Internet interface with openvpn?  If so, yikes?
09:04 < themadcanudist> rob0: exactly
09:04 < themadcanudist> i think it own't be possible
09:04 < rob0> I agree.
09:04 < themadcanudist> I believe if it was on a different physical NIC, it would work
09:04 < themadcanudist> however, I was hoping there might be a way.. ie. with vlans/virtual interfaces?
09:04 <@krzee> or at least a better idea
09:04 <@krzee> i vaguely remember security warnings about that
09:04 < themadcanudist> krzee: i can ignore security now
09:05 < themadcanudist> because it's isolated and locked down
09:05 <@krzee> o.O
09:05 < themadcanudist> rather, it's not ignoring
09:05 < rob0> vlan is like a separate interface, but you need support in your switch
09:05 < themadcanudist> rob0: I can utilize vlan tagging
09:05  * krzee deferrs to rob0 
09:05 < rob0> Not sure what you mean otherwise by "virtual interface".
09:05 < rob0> You could say that tun/tap are "virtual".
09:05 < v0lZy> ok
09:06 < v0lZy> successfully generate the log with the error
09:06 < v0lZy> just have to pull it down
09:06 < themadcanudist> rob0, they are..
09:06 < themadcanudist> i just meant vlan interface
09:06 < themadcanudist> i wonder if I'm barking up the wrong tree?
09:06 <@krzee> v0lZy, cool and now is there more in the server log?
09:06 < themadcanudist> rob0: Do you believe it would work if it was on a separate physical interface
09:07 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:08 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
09:08 < rob0> eth0 is Ethernet, not a vlan interface.  If you have a vlan on eth0, there's no reason why you can't bridge that with openvpn.
09:08 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
09:09 < v0lZy> sec
09:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:09 < rob0> That said: bridging is almost always wrong, and I have no interest in working on it for you. :)
09:09 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
09:09 < v0lZy> krzee: this is the roadwarrior side log: http://pastebin.com/nN8Y3p3p
09:10 <@krzee> show me the config from ship
09:11 < themadcanudist> rob0: Haha, aight, thanks ;)
09:12 < v0lZy> krzee: ship conf: http://pastebin.com/DXPUCixP
09:13 < v0lZy> the problem line is this: Wed Jul 09 16:03:12 2014 us=629710 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1559 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
09:14 <@plaisthos> v0lZy: that could be also a transparent proxy or something similar on port http
09:14 <@plaisthos> can you try another port?
09:14 < v0lZy> plaisthos: well im doing port sharing...
09:14 < v0lZy> on port 80
09:14 < rob0> haha a ship, trying another port!  Get it? :)
09:14 < v0lZy> hehe
09:14 < v0lZy> lol
09:15 < rob0> Any port in a packet storm, I suppose.
09:15 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
09:15 <@krzee> haha
09:16 < v0lZy> but i think plaisthos has a point
09:16 < v0lZy> my openvpn server doesnt see the client
09:16 < v0lZy> and the client is obviously talkign to something thats not the server then
09:16 <@krzee> v0lZy, dont set lport to 0
09:16 <@krzee> just use nobind
09:17 <@krzee> assuming thats what you thought setting it to 0 is
09:17 < v0lZy> its set to 0 by the client export utility...
09:18 < v0lZy> i gather its a local port
09:18 < v0lZy> where the openvpn.exe is listening
09:18 <@krzee> v0lZy, i see the problem here:
09:18 <@krzee> auth SHA1
09:18 <@krzee> remove that from the client config file
09:19 <@krzee> your server and client have to match on auth and cipher
09:20 < v0lZy> hm
09:20 < v0lZy> how come it works for the other client though?
09:20 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:21 <@krzee> the other client doesnt have it in their config
09:21 < v0lZy> it does
09:21 <@krzee> then these are not the proper configs.
09:22 < v0lZy> krzee: i have myself a roadwarrior setup for when im out of the office
09:22 <@krzee> ya i see in your server log it does have auth SHA1
09:22 < v0lZy> i can access the vpn just fine
09:22 <@krzee> its just the server config you showed me is wrong.
09:22 < v0lZy> andi  have auth SHA1 in it too
09:23 < v0lZy> its malformed?
09:23 <@krzee> your server config is not what is running on your server
09:23 <@krzee> the config does NOT have auth sha1, your server log shows the active config DOES have it
09:23 <@krzee> should be: /var/etc/openvpn/server1.conf
09:24 < v0lZy> puzzling
09:24 < v0lZy> ill cehck that var etc path..
09:25 <@krzee> Wed Jul  9 15:36:20 2014 us=233809 Current Parameter Settings:
09:25 <@krzee> Wed Jul  9 15:36:20 2014 us=233994   config = '/var/etc/openvpn/server1.conf'
09:26 < v0lZy> indeed
09:26 < v0lZy> looking at /var/etc/openvpn/server1.conf
09:26 < v0lZy> and theres no auth SHA1 there..
09:26 < v0lZy> this still doesnt add up though
09:27 < v0lZy> ... /var/etc/openvpn/server1.conf is what is running
09:27 < v0lZy> and I can connect to that VPN
09:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:27 < v0lZy> yet in my config file
09:27 < v0lZy> i clearly have auth SHA1
09:27 < v0lZy> so... for me it doesnt seem to matter
09:27 < v0lZy> but it kills the ship?
09:28 <@krzee> your server log shows it DOES have auth sha1
09:28 <@krzee> so theres more options being passed than in the config
09:28 <@krzee> show me ps auxwww|grep vpn
09:29 < v0lZy> interesting
09:29 < v0lZy> very very interesting
09:29 < v0lZy> root    3641  0.0  0.0  8296  1848  ??  S     4:28PM   0:00.00 sh -c ps auxwww | grep vpn 2>&1
09:29 < v0lZy> root    4280  0.0  0.0  9068  1496  ??  S     4:28PM   0:00.00 grep vpn
09:29 < v0lZy> root    7365  0.0  0.1 13488  4484  ??  Ss   Tue02PM   0:00.89 /usr/local/sbin/openvpn --config /var/etc/openvpn/server2.conf
09:29 < v0lZy> root   37675  0.0  0.1 13488  4992  ??  Ss    4:16PM   0:00.04 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
09:29 < v0lZy> root   37730  0.0  0.1 13488  4608  ??  S     4:16PM   0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
09:29 < v0lZy> server2.conf is my site-to-site bridge to a remote office
09:29 < v0lZy> but why is server1.conf used twice?!
09:30 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
09:31 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:31 -!- mode/#openvpn [+o mattock] by ChanServ
09:33 <@krzee> kill one of them
09:33 <@krzee> actually kill both and then start 1
09:33 < v0lZy> im starting them through pfsense's webgui
09:33 < v0lZy> if i stop the service
09:33 < v0lZy> both stop
09:33 <@krzee> !pfsense
09:33 <@vpnHelper> "pfsense" is dont use the web gui for configuring openvpn, you need to understand the config and logfiles
09:33 < v0lZy> if i start the service, both start
09:33 <@krzee> stop using the web interface until we finish
09:34 <@krzee> after we finish you can worry about the web interface which i dont care about
09:35 < v0lZy> i just killed both
09:35 < v0lZy> ran one
09:35 < v0lZy> and i still see 2 of them running
09:36 -!- elfixit [~Icedove@dhcp-129-136.office.init7.net] has quit [Ping timeout: 272 seconds]
09:36 <@krzee> started via cmdline?
09:36 <@krzee> ok? then maybe it starts a proxy process or something, show me a new log from it after you started via commandline
09:37 < v0lZy> hm
09:37 < v0lZy> actually not sure if they got killed...
09:37 < v0lZy> gimme a sec
09:37 <@krzee> you're still using the web if arent you
09:37 < v0lZy> web interface has a command line
09:38 <@krzee> so does ssh
09:38 < v0lZy> let me ssh into it wiht putty..
09:38 <@krzee> there ya go
09:38 < v0lZy> hmzz
09:44 < v0lZy> krzee: i shut both down
09:44 < v0lZy> started one up
09:44 < v0lZy> got 2 again
09:44 < v0lZy> working from putty
09:44 < v0lZy> then i grepped the log for 'SHA1'
09:44 <@krzee> ok? then maybe it starts a proxy process or something, show me a new log from it after you started via commandline
09:44 < v0lZy> and it says  its using it.
09:44 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
09:44 < v0lZy> let me first clear the log
09:44 < v0lZy> shut it down
09:44 < v0lZy> clear the log
09:44 < v0lZy> hold on
09:44 <@krzee> then get the ship to try and connect
09:46 -!- soapee01_ is now known as soapee01
09:47 < v0lZy> hm
09:47 < v0lZy> i clear the log
09:47 < v0lZy> restarted the whole thing
09:47 < v0lZy> and now the log is empty...
09:48 < v0lZy> and thats probably because of the way i run it from console
09:48 < v0lZy> need to output to the log i suppose
09:50 <@krzee> --log like in !logfile that you read 4 times
09:50 < v0lZy> hm
09:50 < v0lZy> i dont see anything in the log file
09:50 < v0lZy> which is worrying
09:50 < v0lZy> must have borked it
09:53 < v0lZy> shit, it doesnt create a log file anymore
09:53 < v0lZy> great.. just fucking great :(
09:56 <@krzee> show me that config
09:57 < v0lZy> ok
09:57 < v0lZy> finally recreated the log
09:57 < v0lZy> now i can do that start stop stuff agian
09:58 < v0lZy> ok
09:58 < v0lZy> got the log
10:00 < v0lZy> krzee: new log: http://pastebin.com/Rkk1f0ZG
10:00 < v0lZy> authname = 'SHA1'
10:01 < v0lZy> Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
10:01 < v0lZy> Jul  9 16:57:57 aegis openvpn[63761]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC
10:01 < v0lZy> etc
10:01 < v0lZy> I dont think SHA1 is the culprit here
10:02 <@krzee> nah its not
10:02 <@krzee> thats actually default, sorry for the red herring
10:02 <@krzee> =/
10:02 <@krzee> all mtu options look = too
10:03 <@krzee> lzo is =
10:04 < v0lZy> any ideas what the issue would be
10:04 < v0lZy> I mean, its liek these guys meet, start to negotiate
10:05 < v0lZy> but then cant decide on what the MTU is
10:05 < v0lZy> and give up
10:05 <@krzee> well maybe your client cant handle that mtu
10:05 < v0lZy> and nothing is logged cause they cant successfully exchange anything
10:05 <@krzee> my sat link handles default mtu
10:05 <@krzee> maybe yours not? has this worked before?
10:05 < v0lZy> havent tried it before yet
10:05 <@krzee> ok
10:07 < v0lZy> i mean i tried it from outside the office
10:07 < v0lZy> but not over a satlink
10:07 <@krzee> got ya
10:08 <@krzee> try on that client mssfix 1400
10:08 -!- arescorpio [~arescorpi@115-201-17-190.fibertel.com.ar] has joined #openvpn
10:08 < v0lZy> hm
10:08 < v0lZy> ok
10:08 < v0lZy> can i put it anywhere?
10:09 < v0lZy> beginning of file?
10:09 <@krzee> whereever on its own line
10:10 <@krzee> if that doesnt work try --fragment 1300 --mssfix
10:11 <@krzee> (i have never played with mtu before, never had a reason to)
10:12 < v0lZy> ill try
10:12 < v0lZy> though i doubt its that
10:13 < v0lZy> why dont i see anything on the server side though.. nothing
10:13 <@krzee> why do you doubt its mtu when using a sat link?
10:13 <@krzee> maybe its so messy that its not seen as vpn traffic
10:13 < v0lZy> theres still routers on the ship
10:13 <@krzee> and gets forwarded
10:13 < v0lZy> that are supposed to handle this
10:13 <@ecrist> I've found OpenVPN is very bad on satellite uplinks
10:14 <@ecrist> never spent much time trying to figureout *why* it was bad, though.
10:14 <@krzee> works for me
10:16 -!- elfixit [~Icedove@dhcp-129-136.office.init7.net] has joined #openvpn
10:19 <@krzee> I found out what was causing that weird error. I am sure it was conflicting with the SSH as I had them set to the same port. I turned the SSH off and the TCP version worked. At least it works connected to the office LAN.
10:19 < v0lZy> so
10:19 < v0lZy> port sharing is the issue?
10:19 <@krzee> no
10:19 <@krzee> remove lport from the config
10:19 <@krzee> and put nobind
10:19 <@krzee> then try again.
10:19 < v0lZy> on client side
10:20 <@krzee> (client config)
10:20 <@krzee> then if same error, check if something else is running on the same port on the same machine
10:20 <@krzee> on the server
10:20 < v0lZy> what would the port be though
10:20 <@krzee> actually, just do the test and tell me what happens
10:21 <@krzee> same error or not
10:21 <@krzee> if it gives same error ill give you the command to pastebin me output from server cli
10:21 <@krzee> remove the fragment and mssfix options too
10:24 < v0lZy> running it now with nobind
10:24 < v0lZy> on the client
10:25 < v0lZy> hm... well nothing so far.
10:25 < v0lZy> nothing in the server log
10:25 <@krzee> not same error?
10:26 < v0lZy> takes a while to throw the error
10:26 < v0lZy> i have a 360s timeout for the handshake window
10:26 <@krzee> in client log
10:26 < v0lZy> yeah, takes a while
10:26 < v0lZy> im looking at it, it still at link remote: [AF_INET]....
10:27 < v0lZy> its the point where its supposed to be talking with the server
10:27 < v0lZy> but nothign is going through.. then its gonna throw the error and restart
10:28 <@krzee> im talking about the error in client
10:30 < v0lZy> yeah
10:30 < v0lZy> same error
10:30 < v0lZy> it just threw it out now
10:30 <@krzee> oh ok
10:30 < v0lZy> Bad encapsulated packet length form peer (18516) ...
10:30 < v0lZy> i did like u said, removed lport 0 and set nobind
10:31 <@plaisthos> krzee: auth SHA1 is default
10:33 <@plaisthos> so one side with it and the other without is okay
10:33 <@krzee> my client got messed up
10:33 <@krzee> last thing i saw was:
10:33 <@krzee> krzee> im talking about the error in client
10:33 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
10:33 <@plaisthos> it is like specifying cipher BF-CBC
10:34 <@krzee> ya i appologized for that red herring
10:34 <@krzee> it took me a few to realize sha1 is default auth
10:34 <@plaisthos> krzee: no problem, I was reading backlog and did not realize it
10:35 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
10:35 -!- mode/#openvpn [+v RBecker] by ChanServ
10:35 <@krzee> did he say anything after "krzee> im talking about the error in client"
10:35 < v0lZy> krzee: i got the error from the client
10:35 < v0lZy> its the same error
10:35 <@krzee> v0lZy, show me:  netstat -ln on the server
10:35 < v0lZy> 17:30:34 - v0lZy: Bad encapsulated packet length form peer (18516) ...
10:35 < v0lZy> 17:30:47 - v0lZy: i did like u said, removed lport 0 and set nobind
10:37 < v0lZy> i did netstat -ln
10:37 < v0lZy> i dont see the public ip from the other side
10:37 < v0lZy> unlesss its an ipv6
10:37 <@krzee> o.O
10:37 < v0lZy> but i doubt it
10:37 <@krzee> not what im looking for
10:37 <@plaisthos> lport 0 is actually valid
10:37 <@plaisthos> for the rare cornercase that you need to bind to local ip but not to port
10:38 <@krzee> plaisthos, the error hes getting was solved by someone else by finding that openvpn was running on the same port as something else
10:38 <@krzee> as i hadnt seen lport used like that i figured ild try that side first
10:38 <@plaisthos> krzee: :)
10:38 <@krzee> now if he shows me netstat like i asked ill check the other side
10:38 <@plaisthos> I spent too much time with socket.c ;)
10:39 < v0lZy> what part of netstat do you want to see?
10:39 <@krzee> as compared with my 0minutes
10:39 <@krzee> hahah
10:39 < v0lZy> active internet connections?
10:39 <@krzee> v0lZy, the output from the command i told you to enter.
10:39 <@krzee> how is that confusing?
10:41 < v0lZy> http://pastebin.com/hcW6XFuk
10:42 <@krzee> that is not the output from netstat -ln
10:42 < v0lZy> it is on pfsense
10:43 <@krzee> oh riiight
10:43 <@krzee> freebsd
10:43 <@krzee> sockstat -l4 please =]
10:44 < v0lZy> http://pastebin.com/jz8yZA9w
10:44 <@krzee> root     lighttpd   84218 17 tcp4   *:80
10:44 <@krzee> there it is.
10:45 <@krzee> you already have something listening on the port you are running openvpn on
10:45 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
10:45 <@krzee> im not used to seeing tcp logs, openvpn errors different for tcp than udp in this situation
10:46 < v0lZy> lighttpd binds to *:80 because it doesnt know what hte local ip will be on the LAN
10:46 <@krzee> plaisthos, why doesnt openvpn complain and shit itself when that happens?
10:46 < v0lZy> its the webgui..
10:46 <@krzee> v0lZy, well thats the problem.
10:46 < v0lZy> how come the VPN otherwise works?
10:46 < v0lZy> and its just on satlink that it doesnt?
10:46 <@krzee> dunno, dont run openvpn on the same ip:port as something else
10:46 < v0lZy> krzee: openvpn prevents lighttpd from running
10:47 < v0lZy> it actually kills it
10:47 <@krzee> i see it running.
10:47 < v0lZy> so what happens is u run lighttpd first
10:47 < v0lZy> erm
10:47 < v0lZy> sorry
10:47 < v0lZy> u run openvpn first
10:47 < v0lZy> portshare
10:47 <@krzee> either way, no
10:47 < v0lZy> then lighttpd.
10:47 <@krzee> portshare is for ANOTHER socket
10:47 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
10:47 <@krzee> run lighttpd on another port and port-share to that
10:48 < v0lZy> i dont understand the another socket part
10:48 <@krzee> another ip:port
10:48 < debbie10t> No doubt forked processes are also monitored : https://forums.openvpn.net/post42711.html#p42711
10:48 <@vpnHelper> Title: OpenVPN Support Forum Openvpn server suspends routing during client-connect script : Scripting and Customizations (at forums.openvpn.net)
10:48 <@krzee> can be same ip:different-port
10:48 < v0lZy> krzee: but if this was the issue, why would clients that are not on satlink work?
10:49 <@krzee> dunno dont care
10:49 <@krzee> not gunna chase down why broken shit sometimes works
10:49 < v0lZy> hm
10:49 <@krzee> you cannot run 2 things on the same ip:port
10:49 < v0lZy> acording to this output
10:49 <@krzee> period.
10:49 < v0lZy> openvpn isnt listening on port 80 at all
10:49 < v0lZy> hows it portsharing por t80 then?
10:50 <@plaisthos> v0lZy: openvpn does forward everything to the other port when it is does port sharing
10:50 <@krzee> show me the server log pastebin again, i lost the link
10:51 <@krzee> and yes it does show it listening
10:51 <@krzee> root     openvpn    64643 11 tcp4   88.77.66.109:80      *:*
10:51 < debbie10t> openvpn detects if the protocol is for openvpn - if it is not openvpn sends the connection to the host/port you have specified
10:51 <@krzee> plaisthos, he has lighttpd AND openvpn running on port 80
10:51 < v0lZy> debbie10t, plaisthos, krzee so openvpn binds to IP:80 and lighttpd binds to *:80
10:51 <@krzee> lighttpd on *:80
10:51 < v0lZy> but since openvpn is already bound on IP
10:51 < v0lZy> lighttpd just gets handmedowns
10:52 <@plaisthos> v0lZy: don't do that
10:52 <@krzee> no. dont do that.
10:52 < v0lZy> well it actualyl doesnt happen like that, sorry
10:52 <@krzee> thats hella !101
10:52 <@krzee> !101
10:52 < v0lZy> openvpn does NAT handmedowns to a different ip
10:52 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
10:52 < v0lZy> the lighttpd is just a sucker who get LAN, but doesnt get WAN because openvpn is on WAN first.
10:52 <@krzee> you're doing it wrong.
10:53 < v0lZy> ok, i get the conflict of the same thing being assinged
10:53 < v0lZy> i get that
10:53 < v0lZy> but
10:53 < v0lZy> consider it this way
10:53 <@krzee> no but.
10:53 <@plaisthos> v0lZy: no
10:53 <@krzee> ok im tossing you on ignore
10:53 <@krzee> i spent 3 or 4 hours finding your problem and you dont wanna listen to it
10:53 <@krzee> done.
10:53 < v0lZy> if you have openvpn on WAN IP, and lighttpd listening on ANY IP... it doesnt mean its specifically bound to all IPs
10:54 < v0lZy> it means it gets those it can get
10:54 < v0lZy> and those it can get, depends on how the services were started
10:54 <@plaisthos> v0lZy: like openvpn connection on your WAN
10:54 < v0lZy> krzee: I appreciate the help, im listening, im just not understanding
10:55 <@plaisthos> v0lZy: bind it to your internal ip or remov listing to port 80 alltogether
10:55 < v0lZy> plaisthos: in my case, openVPN starts before lighttpd
10:55 < v0lZy> and it sits on the WAN ip, waiting for outside connectiosn to come in
10:55 <@plaisthos> v0lZy: You are gambling on undefined behaviour
10:55 < v0lZy> lighttpd has * natively by pfsense because it cant predict what you're gonna use to access it form what woudl be LAN sides.
10:56 <@plaisthos> v0lZy: okay I am going to ignore you too, if you don't want to coperate
10:56 < v0lZy> how am i not cooperating?
10:56 <@krzee> plaisthos, it really does make the channel peaceful
10:57 <@krzee> and still after all these years i only have 11 entries on ignore
10:57 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
10:57 < v0lZy> you're saying that its a problem... im asking if its still a problem if you take the order in which they bind into account?
10:57 <@plaisthos> v0lZy: you are asked to stop listing your lighttpd on port 80 and you stubbernly refuse
10:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
10:58 < v0lZy> plaisthos: i dont refuse it
10:58 <@krzee> i refuse to argue to get correct solutions implimented when doing free support
10:58 < v0lZy> i just cant do that at the moment, i need to plan for it, and ill try that solution
10:58 < v0lZy> im just not 'getting it', why its a problem .. whats the conflict?
10:59 < v0lZy> vpn doesnt care about non vpn traffic and lighttpd doesnt care about non http traffic
10:59 <@krzee> hell my real job has never once required it, i just do whats right and everybody is happy. if it requires equipment i submit to receipt and collect the $
10:59 < v0lZy> i'd like to understand, im not arguing or refusing a solution or anything
10:59 < v0lZy> im just not understanding
11:00 < v0lZy> i dont have a problem changing it if that solves my problem
11:00 < v0lZy> but id like to understand why it works for non satlink stuff... and it doesnt work for satlink stuff...
11:00 < v0lZy> i feel like we're all looking at 'thats the problem and this solves it' and thats fine, but furthering the debate beyond just solving it... whats the praxis behind this?
11:01 < v0lZy> what makes it work the way its set up and what makes it not work in a different scenario
11:01 < v0lZy> im ignorant about htat
11:01 < debbie10t> v0lZy : did you try the source code for answers ?
11:01 < pekster> themadcanudist: I only read a small part of the backlog, but if eth0 is doing 802.1Q tagging, you can't bridge a tap to it as tap today does not understand 802.1Q -- you can bridge to a VLAN-specific interface though, as the tap will remain happily unaware of that. I'm not sure what brctl magic might be needed for that though
11:02 < v0lZy> debbie10t: i am not a programmer
11:02 < v0lZy> and which source woudl that be... openvpn or lighttpd
11:02 < v0lZy> would it be any different if it wasn something and something else?
11:02 < debbie10t> openvpn .. of course
11:03 < pekster> bind to the wildcard or do silly things like have openvpn HUP/restart/whatever-you-need-to-do to lighttpd
11:03 < themadcanudist> pekster: thanks for the update
11:03 < pekster> v0lZy: ^
11:05 < v0lZy> debbie10t: please pass on my thanks to krzee
11:05 < v0lZy> and to everyone else whos ignore list im not yet on, i appreciate your help
11:05 < debbie10t> v0lZy : I have earned one of krzees ignore list places aswell ;)
11:06 < v0lZy> well, somone please tell him i appreciate his effor
11:06 < v0lZy> and that im not arguing
11:06 < v0lZy> and I appologize if I made him upset
11:06 < v0lZy> I do appreciate his time, effort and help
11:06 < v0lZy> now i have to go.
11:06 < v0lZy> Bye everyone, ill be back later
11:06 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Quit: v0lZy]
11:07 <@plaisthos> pekster: v0lZy wants to thanks you for your effort and apologizes for making you upset
11:07 < debbie10t> v0lZy - I think the point was - port "sharing" is not actually what openvpn does .. openvpn owns the port and forward non-openvpn protocols to your specified host:port
11:07 <@krzee> why do people ask for help, get help, and refuse to accept it?
11:07 <@plaisthos> err
11:07 <@krzee> ya i got it ;]
11:08 <@plaisthos> that was meant for you
11:08 <@krzee> i sat through it taking over an hour to get logs
11:08 <@krzee> finally finding the problem and having it completely ignored was too much
11:09 < debbie10t> being a pain in the *** will also get you ignored /:)
11:10  * debbie10t knows krzee did not see that
11:10 < debbie10t> OK
11:11 < debbie10t> are forked processes on --client-connect scripts .. also waited upon ?
11:11 < debbie10t> https://forums.openvpn.net/post42711.html#p42711
11:11 <@vpnHelper> Title: OpenVPN Support Forum Openvpn server suspends routing during client-connect script : Scripting and Customizations (at forums.openvpn.net)
11:11 < debbie10t> thanks
11:12 < debbie10t> ( i know .. try it yourself .. jsut wondering if I can get any answers here any more or not )
11:13 <@krzee> the urltitle from vpnHelper is expected.
11:13 <@krzee> the scripts block openvpn
11:13 <@krzee> if thats a problem, make a plugin.
11:14 <@krzee> plugins do not block openvpn.
11:14 < pekster> (neither would forking properly, but you should seek help in a channel for $YourProgrammingLanguage for that
11:15 < debbie10t> sure .. sounds like user misunderstaning in that case .. i think
11:15 <@krzee> pekster, true that you can fork it to background and disown it, but naturally scripts block openvpn and plugins do not.
11:16 < pekster> And bash in the shebang? Really? That's some awful shell code. no reason to require bash, use of outdated backticks, the options pased to "node" (node.js? Ugh..) aren't quote-safe
11:16 < pekster> And that's just in a 10-second review :P
11:17 < pekster> ##bash can explain why
11:17 <@krzee> i couldnt see that far i have debbie on ignore too so all i saw was the bots output
11:17 < pekster> Oh, that's just from the code in the URL as well
11:18 < debbie10t> in advance of any un-ignore = i apologies to krzee for whatever it was - to all , i says thanks again
11:19 < debbie10t> is there a specific time-out for script execution on --clinet-connect ?
11:19 < debbie10t> 60 seconds ?
11:21 <@krzee> scripts i write for myself often use a bash shebang
11:21 <@krzee> but they also often use bash specific code
11:22 < pekster> Which is fine if you use bashisms, otherwise they're just non-portable and a bit slower
11:22 < pekster> Yea
11:22 < pekster> I've got a small collection of zsh scripts (multios is slick) but I aim for portability where possible
11:22 <@krzee> when i write them for public i try to keep it /bin/sh
11:22 <@krzee> which can be a bit more annoying
11:22 <@krzee> haha
11:24 < pekster> krzee: consider this in zsh, which can't be (easily) done in sh short of fifos: `printf "Hello World" > >(md5sum) >(md5sum)`
11:25 < pekster> bash has alternatives too for command subprocess pipelines, but POSIX sh doesn't
11:25 < pekster> Erm, make one of those sha1sum for better effect
11:29 <@krzee> a very very common way for me to read in variables is something like:
11:29 <@krzee> while read var1 var2 ; do whatever ;done < <(some command)
11:29 <@krzee> sh doesnt like that
11:29 < pekster> Set IFS and use a for loop in sh
11:32 <@krzee> IFS to stop the word splitting side effect? got ya
11:32 < pekster> Exactly. while loops operate in an implied subshell, which is fine unless you intend variables to escape scope
11:32 <@krzee> no no, thats if you pipe to them
11:32 <@krzee> if you do it my way no subshell
11:33 <@krzee> well the <(cmd)  is a subshell but not the while
11:33 < pekster> IIRC you can even do things like IFS='<NL-goes-here>' for var in $input; do ...; done
11:34 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Remote host closed the connection]
11:34 -!- starlays [~starlays@unaffiliated/starlays] has quit [Remote host closed the connection]
11:45 -!- cartufer [~cartufer@99-42-17-54.lightspeed.cicril.sbcglobal.net] has joined #openvpn
11:46 -!- cartufer [~cartufer@99-42-17-54.lightspeed.cicril.sbcglobal.net] has left #openvpn []
11:52 -!- larryone [~larryone@178.167.254.179.threembb.ie] has joined #openvpn
11:52 -!- v0lZy [~Thunderbi@84-255-194-41.static.t-2.net] has joined #openvpn
11:52 < v0lZy> Hi
11:52 < v0lZy> I'm back
11:52 < v0lZy> I dont want to antagonize anyone
11:53 < v0lZy> but I googled about ports and binds and wildcards etc
11:53 < v0lZy> Google came up with this: http://books.google.si/books?id=ptSC4LpwGA0C&pg=PA211&lpg=PA211&dq=wildcard+bind+port&source=bl&ots=Ks0BUiekTm&sig=2_XAg5v12PhkpjpniU_ZRCBpmkY&hl=en&sa=X&ei=eHG9U8H7DufnywP-koII&ved=0CF4Q6AEwCQ#v=onepage&q=wildcard%20bind%20port&f=false
11:53 <@vpnHelper> Title: UNIX Network Programming - W. Richard Stevens, Bill Fenner, Andrew M. Rudoff - Google Books (at books.google.si)
11:54 <@krzee>  kill lighttp and see if it works
11:54 < v0lZy> I'll be able to do that tomorrow
11:54 < v0lZy> but yeah, its a simple enough test
11:55 < v0lZy> also
11:55 < v0lZy> i have to specifically start things in order
11:55 <@krzee> instead of trying to prove it wrong via google, try doing whats told and see if it works.
11:55 < v0lZy> i was restarting openvpn
11:55 < v0lZy> while i wasnt restarting lightpd
11:55 < v0lZy> not sure what happens when a port becomes free... does lighttpd eat it up or someting
11:55 <@krzee> dont rely on undefined behavior that may change on an update
11:55 <@krzee> just do it right.
11:55 < v0lZy> krzee: im not trying to prove anyone wrong
11:56 < v0lZy> im not arguing and while I have the chance, thanks for your effort and help, i really appreciate it it
11:56 <@krzee> well you werent trying to listen and take advice.
11:56 <@krzee> yw
11:56 < v0lZy> I am taking your advice, its just that I cant implement it at this very moment
11:56 < v0lZy> im not adovcating that im doing it right
11:56 < v0lZy> im probably doing it wrong
11:57 < v0lZy> its just that id like to know the peculiar detail ... you know, kind of like you know you should nail it and not glue it, but if you know glue will hold under the conditions and dont have a nail...
11:57 < v0lZy> Its in my interest to do things right
11:58 < v0lZy> but if i can extract what exactly is wrong for what reason, I can grow.. not make the mistake with other software
11:58 < v0lZy> because if it turns our that this is a fringe scenario, then people at pfsense need to rethink at least about putting in a notice
11:58 < v0lZy> if not coming up with a different way of binding lighttpd
11:59 <@krzee> i dont think you understood the link you posted either
11:59 <@krzee> cause that book hes basically saying what im saying.
11:59 <@krzee> he even called it a socket like i was :-p
11:59 < v0lZy> what i gather from the link is that it has to be implemented accross the board, which i suppose it probably isnt
12:00 <@krzee> he says dont bind 2 things to the same socket
12:01 <@krzee> he says use a different ip or port
12:01 < v0lZy> there seem to be general rules that a wildcard is in effect until something more specific is encounted... though it depends on implementation.. where there's no such pardigm, its more like first come first serve apparently
12:01 <@krzee> ymmv, expect broken shit when you do it wrong.
12:01 < v0lZy> i was reading page 211
12:01 < v0lZy> yeah
12:01 < v0lZy> it seems very delicate
12:02 < v0lZy> especially in tcp land
12:02 <@krzee> only delicate cause its not supposed to be done
12:02 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 240 seconds]
12:03 < v0lZy> but it gives legitimate examples when you do it
12:03 < v0lZy> like the webserver example
12:03 <@krzee> actually, its example is talking about spawned children processes if i read it right
12:03 <@krzee> oh no
12:03 < v0lZy> it starts off with that
12:04 < v0lZy> but gives more examples.
12:04 <@krzee> sorry wrong example
12:04 <@krzee> on page 211 its talking about the IP changing
12:04 < v0lZy> and the wildcard
12:04 < v0lZy> and how its supposed to work
12:04 < v0lZy> lower still it mentions what I have set up
12:05 <@krzee> the second call fails unless special coding
12:05 -!- mete [~mete@91.247.253.160] has joined #openvpn
12:05 <@krzee> as it says
12:05 < v0lZy> yeah
12:05 < v0lZy> and if you read lower sill
12:05 < v0lZy> you encounter what i unknowingly set up
12:05 < v0lZy> specific bind before wildcard  bind
12:06 < v0lZy> and that is what i have in place
12:06 <@krzee> well guess what,
12:06 <@krzee> your error was found by others when they run another service on the same port
12:06 < v0lZy> question is, with all the vpn server setting i was changing, i gather the vpn server got restared
12:06 <@krzee> and then i find you're doing that.
12:06 < v0lZy> so whenever it restarts, its no longer a wildcard last scenario i thikn
12:06 <@krzee> coincidence?
12:06 <@krzee> or maybe you're digging further than your understanding...?
12:07 <@krzee> and how the hell could it be intelligent to setup such a fragile setup, even if it *did* work
12:07 <@krzee> (if it worked you wouldnt be here)
12:08 < v0lZy> I'm trying to dig deeper because I dont have an 'absolute' scenario - i have 8 roadwarriors on stable connections from around the world... from wifi to fiber optic to dsl, vastly different pings
12:08 < v0lZy> bu this ship example is sort of extreme
12:08 <@krzee> you're reading a programming book to talk about a networking 101 subject.
12:08 < v0lZy> and its only this example with the ship thats not working. (others are not ships)
12:08 <@krzee> well i guess now you have to do it right then
12:09 <@krzee> like i said, im not interested in debugging why wrong shit sometimes works.
12:09 < v0lZy> yeah, I have to fix it because this whole idea is for the ships
12:09 < v0lZy> if it doesnt work with the ships it has to be modified so that it does
12:10 < v0lZy> im not asking you to debug it
12:10 < v0lZy> just asking for interpretations, ideas etc.
12:10 <@krzee> doing it wrong can lead to undefined results
12:10 <@krzee> you're doing it wrong.
12:10 <@krzee> you just dont run 2 services on the same ip:port
12:11 < v0lZy> yes
12:11 <@krzee> if this remains a topic im ignoring you with wildcards
12:11 <@krzee> before you talk about this more you need to test it.
12:11 < v0lZy> but you see, thats the default setting on pfsense, it wasnt me who decided that lighttpd runs on *:80
12:11 < v0lZy> it was me who decided that openvpn does.
12:12 <@krzee> so?
12:12 < v0lZy> which begs a different problem... dnsmasq is also a service
12:12 < v0lZy> and it does NAT
12:12 <@krzee> you cant run 2 things on the same socket.
12:12 < v0lZy> and at home
12:12 < v0lZy> i have a server behind the firewall
12:12 < v0lZy> and am natting port 80
12:12 < v0lZy> ...
12:12 <@krzee> wait what? natting port 80?
12:13 <@krzee> is that why its not even reaching the friggen server?
12:13 < v0lZy> different firewall
12:13 < v0lZy> 19:12:05 - v0lZy: and at home
12:13 <@krzee> are all the working clients remote in other locations?
12:13 < v0lZy> yes
12:13 <@krzee> ok
12:14 <@krzee> anyways
12:14 <@krzee> no more talking til you go do it
12:14 <@krzee> kill lighttp to test before we talk next.
12:14 < v0lZy> Well I cant, im home already.
12:14 <@krzee> if you cant do that now, come back another time
12:14 < v0lZy> I am planning to do it tomorrow
12:14 <@krzee> cause otherwise its just so pointless
12:15 < v0lZy> and i hope that this really is the issue, because then I know how to get thigns working
12:15 < v0lZy> on the other hand, it makes me a bit worried about pfsense
12:16 < v0lZy> i wonder if binding lighttpd to *:80 is jusifiable ...
12:16 < v0lZy> I've noticed tat when i install openvpn pacakge on pfsense, it breaks the webgui
12:16 < v0lZy> specifically on this port 80 thing
12:16 < v0lZy> and at first i thougt, ok, ill add another IP
12:17 < v0lZy> ISP wouldnt give me one on this contract, but even if they did... lighttpd still binds *:80 .. so it would bind that too
12:17 < v0lZy> so there's obviously  huge problem here if you want to have openvpn on port 80 on pfsense.
12:17 <@krzee> all of the above they expect you to know how to manage unix, including knowing to not run multiple services on the same port
12:17 <@krzee> cant blame them for when you do it
12:18 < v0lZy> not blaming them
12:18 <@krzee> "<v0lZy> on the other hand, it makes me a bit worried about pfsense"
12:18 < v0lZy> well yes
12:18 < v0lZy> it means I'll have to find a way o work around that
12:18 <@krzee> well you wanna hear what ild do?
12:18 < v0lZy> disable gui
12:18 < v0lZy> or... change port
12:19 <@krzee> actually yes good point ild never have that gui in the first place? but not what i was gunna say
12:19 <@krzee> i would run openvpn on port 443 tcp and keep everything else the same
12:19 <@krzee> because on port 80 is just weird anyways
12:19 <@krzee> encrypted traffic to 80?  ehh?
12:19 < v0lZy> but in that case, you cant run the webgui on 443 then
12:20 <@krzee> but 443, now that looks right? so i take a manual look and --port-share sends me to a http page
12:20 <@krzee> no crypto, but i guess somethings setup weird and stop looking
12:20 <@krzee> what webgui?
12:20 < v0lZy> pfsense webgui
12:20 <@krzee> oh is it already on *:443?
12:20 <@krzee> well wtf then, kill its port 80 all together!
12:20 < v0lZy> i think either 80 o 443 are default
12:20 <@krzee> only use the web gui on 443
12:21 < v0lZy> you can choose which
12:21 <@krzee> if its on both, limit it to one and use the other for openvpn.
12:21 <@krzee> is what we'll pretend i would do
12:21 <@krzee> in real life i would not have a web gui as you correctly guessed
12:23 < v0lZy> well, the webgui is a home-user convenience.. and this is its limiation... it basically robbs you of flexibility in my particular scenario, giving support to the argument against webguis.
12:23 < v0lZy> which makes me wonder ... perhaps its time to replace the webgui on pfsense with a cli shell script or something
12:25 <@krzee> it actually does no such thing
12:25 <@krzee> all it means is you need to use another port for the web gui
12:26 < v0lZy> hm
12:26 < v0lZy> you are right
12:26 <@krzee> let me take a guess here
12:26 < v0lZy> they could as easily say browse o htp://ip:1000 on the section where they provide u with default username and pass
12:26 <@krzee> is the final setup going to be a pfsense router in each ship connecting to your server?
12:26 < v0lZy> no
12:26 <@krzee> and you want to manage them over their web gui over the vpn?
12:27 < v0lZy> no
12:27 <@krzee> oh ok
12:27 < v0lZy> I dont manage ships
12:27 < v0lZy> well, not exactly anyway
12:27 <@krzee> anyways
12:27 <@krzee> good luck
12:28 < v0lZy> ever heard of teamviewer/logmein ?
12:28 <@krzee> sure
12:28 < v0lZy> well, this is basically how hey work.
12:28 < v0lZy> they dial out and establish a vpn between the user and the inermediary, and the other user and the intermediary
12:29 < v0lZy> hamachi from logmein works like that
12:29 < v0lZy> idea here is that if you can remotely trigger for a ship to call home
12:29 <@krzee> no idea what you're talking about but not sure i need to
12:29 < v0lZy> you can have it initiate a vpn tunnel via which you can access it.
12:30 < v0lZy> so theres no need to keep rack of what IP the ship has, if its on saellite or wifi in a port
12:42 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
12:56 -!- larryone [~larryone@178.167.254.179.threembb.ie] has quit [Ping timeout: 264 seconds]
12:57 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
12:57 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
12:59 -!- starlays [~starlays@unaffiliated/starlays] has joined #openvpn
13:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
13:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:08 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
13:16 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Quit: Textual IRC Client: www.textualapp.com]
13:18 -!- Megaf is now known as HelloEveryone
13:18 -!- HelloEveryone is now known as Megaf
13:21 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
13:49 < starlays> !redirect
13:49 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:49 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:50 < starlays> !def1
13:50 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
14:06 -!- erkules [~erkan@pdpc/supporter/professional/erkules] has left #openvpn ["WeeChat 0.3.2"]
14:41 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
14:45 -!- dazo is now known as dazo_afk
14:54 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
15:14 -!- baus [baus@weirdo.mooo.com] has joined #openvpn
15:14 < baus> i am new to vpns, can someone tell me if there is any downside to using L2TP vs OpenVPN?
15:16 -!- n1md4 [~nimda@anion.cinosure.com] has joined #openvpn
15:17 < n1md4> hi.  i've a 1 box server, running proxmox and shorewall, with an openvpn VM.
15:17 < n1md4> on the other end, my laptop, from various locations.
15:18 < n1md4> I've followed this https://wiki.debian.org/OpenVPN guide, as far as "Static-Key VPN".
15:18 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
15:19 < n1md4> Problem is, traffic reaches the proxmox/fw box, but nothing appears to get through; according to tcpdump
15:20 < n1md4> I'm using macro.OpenVPN from shorewall in rules with "net -> dmz:rfc1918" and "dmz:rfc1918 -> net"
15:20 < n1md4> an advice to get this working .. or maybe this is better asked in the shorewall (or other) channel.
15:41 -!- starlays [~starlays@unaffiliated/starlays] has quit [Ping timeout: 245 seconds]
16:05 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has joined #openvpn
16:06 < Ryu_Fitzgerald> I am trying to force tls 1.2 for a openvpn server (which I think is the highest).   I know i have to use --tls-cipher somehow from reading around but it doesn't say how the arguments should be written
16:18 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:25 -!- Ryu_Fitzgerald [~Ryu_Fitzg@199-193-117-84.static.hvvc.us] has quit [Quit: irc2go]
16:25 -!- themadcanudist [~themadcan@vmfarms-1.itcanada.com] has quit [Quit: Leaving.]
16:31 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:36 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
16:38 < debbie10t> ecrist : as Easy-rsa maintainer perhaps you know about this : https://forums.openvpn.net/post42729.html
16:38 <@vpnHelper> Title: OpenVPN Support Forum WARNING: can't open config file: /etc/ssl/openssl.cnf : Easy-RSA (at forums.openvpn.net)
16:39 < debbie10t> w7 openvpn 64b
16:47 < pekster> v2 is a pile of broken with the required sourcing of the 'vars' nonsense. That forum entry is pure inability to follow directions. "exec" is bogus on Windows
16:47  * pekster needs to spin a new v3 rc (it's got some unresolved issues, but a new rc fixes the 0.9 breakage.) v2 "works" if users can follow directions, which seems to be hard :P
17:01 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
17:03 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:05 < debbie10t> following instructions is hard .... =] .. cheers pekster .. I was just letting ecrist know .. but I expect he does anyway
17:05 -!- mattock is now known as mattock_afk
17:06 < debbie10t> i thought i saw i post about ecrist being the easy-rsa maintainer ?
17:07 < debbie10t> https://forums.openvpn.net/topic11421.html
17:07 <@vpnHelper> Title: OpenVPN Support Forum Easy-RSA 3.0 Development Direction : Easy-RSA (at forums.openvpn.net)
17:07 < pekster> debbie10t: Most of the v3 code is mine
17:08 < pekster> All of v2 is just a bad design based on the "sample" openssl.cnf provided by the openssl release, which was never really intended to be used as a CA as-is
17:08 < pekster> I've ignored v3 for a while since it mostly works, and the bugs left are a bit obscure and require some time to fix; this said, I'll see about spinning new stuff soonish
17:09 < debbie10t> ok - I have used v3 aswell .. it seems to work even with an idiot like me .. took a while to work out what i was doing but it worked in the end
17:09 < debbie10t> all in a shell
17:13 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:13 -!- sympto [~h4dorno_x@unaffiliated/h4dorno-x/x-6450635] has joined #openvpn
17:14 < pekster> There's no good way to do a UI portably without something like java/perl/gtk+/etc as a core. POSIX works everywhere but Windows, and it's "sort of" easy to ship enough POSIX in a .zip file for Windows
17:14 < sympto> may anyone tell me whether this is up-to-date or not? https://wiki.debian.org/openvpn%20for%20server%20and%20client
17:14 <@vpnHelper> Title: openvpn for server and client - Debian Wiki (at wiki.debian.org)
17:14 < pekster> That's probably the trickiest part of easyrsa v3 is making sure it'll play nice with Windows. That and OpenSSL's strange quicks :\
17:18 < debbie10t> In fairness .. easy-rsa 2.x expecting a user to edit vars.bat and read a readme is really not that big a deal .. but you have your own personal goals to achieve.
17:18 -!- themadcanudist [~themadcan@24-52-242-139.cable.teksavvy.com] has joined #openvpn
17:19 < pekster> v2 is broken lots of ways
17:20 < pekster> Shitty windows support (no one wants to maintain a "port" to batch. yuck.) vars is unnecessary, all the "city/org/state/ou/challenge-pass" are stupid, and 100% worthless for openvpn
17:20 < pekster> etc
17:20 < debbie10t> what isn't ? ;)
17:21 < pekster> sympto: We don't try hard to support unofficial howtos or blogs, but that looks mostly sane at a quick skimming. ns-cert-type is deprecated though (see our bot's info for !mitm here for modern replacements)
17:23 < debbie10t> pekster : can you please take a quick look at this : https://forums.openvpn.net/topic16332.html
17:23 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN process dies before rinning the down script on Win : Scripting and Customizations (at forums.openvpn.net)
17:23 < debbie10t> I realise it is a windows issue but I cannot get to the bottom of it and wondered if you might have any thoughts
17:24 < pekster> No configs, no log output, I'm not playing this game
17:24 < pekster> You know better; stop being stupid please
17:24 < debbie10t> ahh .. sure ok
17:25 < debbie10t> i will fill in the blanks on the forum and let you know in time
17:25 < sympto> pekster: i understand and thank you
17:26 < pekster> sympto: Sure. Oh, and no clue what those DNS IPs are, but you ought to consider either googleDNS or DNS you run at the server-end
17:27 < pekster> Too many other "well known" public services do evil things like hijack NXDOMAIN for ad-money
17:28 -!- v0lZy [~Thunderbi@84-255-194-41.static.t-2.net] has quit [Quit: v0lZy]
17:40 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:40 -!- LFNfan [~paul@pesbaker.plus.com] has joined #openvpn
17:41 < LFNfan> !welcome
17:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:41 -!- themadcanudist [~themadcan@24-52-242-139.cable.teksavvy.com] has left #openvpn []
17:41 < LFNfan> !goal
17:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:44 < LFNfan> I am trying to set up my public key infrastructure using easy-rsa on linux mint 17 and fail at source ./vars  Any advice appreciated...
17:46 < LFNfan> Terminal error message: bash: export: `/etc/openvpn/easy-rsa/openssl.cnf': not a valid identifier
17:46 < LFNfan> Terminal error message is "bash: export: `/etc/openvpn/easy-rsa/openssl.cnf': not a valid identifier"
17:47 < pekster> Sounds like vars might be messed up, but easyrsa v2 is a bit quicky that way. It "should" work under bash, but v2 is only maintained to the point that people are willing to report problems and people interested in fixing them
17:48 < pekster> Something as simple as an export shouldn't fail on a POSIX-compliant shell though
17:51 < LFNfan> I have set a few paths in the vars file, but "don't think" I've messsed it up.
17:52 < debbie10t> LFNfan : you could paste your vars file to pastebin ...
17:53 < LFNfan> The potentially iffy line in vars is: "export KEY_CONFIG= "$EASY_RSA/openssl.cnf""
17:54 < LFNfan> Hi.  N00b here.  Let me just have a look into pastebin
17:56 -!- Olivier| is now known as Olivier
17:56 < pekster> LFNfan: Yes, that's wrong. Spaces are not allowed like that in assignment
17:56 < LFNfan> there we go,  I just pasted it here: http://pastebin.com/XzjdqUUX
17:57 < pekster> Fix line 30, then it should at least pass your current roadblock
17:57 < LFNfan> no way - the space?!  Let me have a go at fixing that...
17:59 < LFNfan> whoa, I am in business!  Thanks v much pekster
17:59  * debbie10t * sulks :(
18:00 < LFNfan> and debbie10t of course!!
18:00 < debbie10t> :D
18:00 < LFNfan> you've taught me all about pastebin
18:00 < debbie10t> cool :)
18:01 < debbie10t> i wuz just messin about ;)
18:02 < LFNfan> :D
18:02 < debbie10t> pekster is the Master !
18:05 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
18:06 -!- LFNfan [~paul@pesbaker.plus.com] has quit [Quit: Leaving]
18:08 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 240 seconds]
18:17 < debbie10t> ok .. that's it for today .. bye now .. thanks p.
18:17 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
19:11 -!- u0m3 [~u0m3@109.96.147.3] has quit [Read error: Connection reset by peer]
19:25 -!- u0m3 [~u0m3@109.96.147.3] has joined #openvpn
19:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
19:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
21:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
21:05 -!- sympto [~h4dorno_x@unaffiliated/h4dorno-x/x-6450635] has quit [Ping timeout: 245 seconds]
21:10 -!- baus [baus@weirdo.mooo.com] has left #openvpn []
21:11 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 252 seconds]
21:12 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
21:15 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:15 -!- mode/#openvpn [+v hazardous] by ChanServ
21:15 -!- peper [~peper@gentoo/developer/peper] has quit [Ping timeout: 260 seconds]
21:15 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has quit [Ping timeout: 252 seconds]
21:16 -!- peper [~peper@gentoo/developer/peper] has joined #openvpn
21:21 -!- arescorpio [~arescorpi@115-201-17-190.fibertel.com.ar] has quit [Excess Flood]
21:39 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
23:08 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
23:15 -!- ShadniX [dagger@p5DDFE214.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
23:15 -!- ShadniX [dagger@p5DDFFA0D.dip0.t-ipconnect.de] has joined #openvpn
23:16 -!- Poster|x is now known as Poster
23:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:37 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Quit: Leaving.]
--- Day changed Thu Jul 10 2014
00:22 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 272 seconds]
00:29 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
00:52 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 264 seconds]
01:27 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
01:29 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
01:46 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:59 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:02 -!- blz37 [~minsa@99-73-164-80.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
02:07 -!- MACscr [~Adium@50.158.183.38] has joined #openvpn
02:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 264 seconds]
02:10 -!- mattock_afk is now known as mattock
02:25 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
02:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:31 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
02:32 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:38 -!- jackbrown [~se@93.44.41.0] has joined #openvpn
02:39 -!- jackbrown [~se@93.44.41.0] has quit [Remote host closed the connection]
02:40 < v0lZy> hi
02:40 < v0lZy> krzee: following up on yesterdays conversation, I am just now trying to get the ship to connect
02:41 < v0lZy> i killed lighttpd on pfsense
02:41 < v0lZy> my sockstat -l4 output only shows :80 for my openvpn
02:42 < v0lZy> So far, no progress.
02:43 < v0lZy> connection can not be established
02:43 < v0lZy> and im still getting the bad encapsulation packet length
02:43 <@plaisthos> v0lZy: tried tcpdump port 80 on the server?
02:44 <@plaisthos> if there is anything that even reaches your server?
02:47 < v0lZy> i am seeing some traffic
02:47 < v0lZy> trying to see if its from the ship
02:48 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
02:51 < v0lZy> hm
02:54 < v0lZy> i am trying to grep... and im grepping
02:55 < v0lZy> but i fail to see how this grep is properly working since the string im getting as a match doesnt contain what im grepping for, lol
02:56 < v0lZy> im doing tcpdump -nn -i pppoe0 port 80 ... pppoe being an interface with an ip im expecting vpn connections to come in on
02:57 < v0lZy> im not getting anything from the ip the ship reports on whatsmyip..
02:59 < v0lZy> if i open a website
02:59 < v0lZy> i get traffic
03:00 < v0lZy> i think it has to do with the port sharing thing more than it has to do with lighttpds wildcard
03:00 <@plaisthos> no
03:00 <@plaisthos> if you see no traffic at all the packets are not even reaching your server
03:00 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
03:00 <@plaisthos> try using a different port than port 80
03:00 <@plaisthos> to see if there is some transparent http proxy or something else involved
03:01 < v0lZy> plaisthos: im on the ship, if i open a website sitting behind my firewall... port 80... i see packets
03:01 < v0lZy> but i dotn see packets from the vpn tunnel
03:01 < v0lZy> yeah, ill try port 53 udp...
03:01 < v0lZy> or port 80 udp...
03:03 -!- larryone [~larryone@178.167.254.53.threembb.ie] has joined #openvpn
03:03 -!- milligan [~milligan@voyage.vhost.usr.no] has joined #openvpn
03:04 < v0lZy> plaisthos: i assume i only need to change tcp-client to udp-client and fix tthe port?
03:05 < milligan> Hey - trying to set up an openvpn server. I am able to set up a connection using a static key, but I am unable to pass any traffic (i.e pings won't work). I used the basic example from here, https://wiki.debian.org/OpenVPN . What could be wrong ?
03:05 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
03:08 -!- raidz is now known as raidz_away
03:10 < v0lZy> hm cant use udp 53 as long as im using this router as a dns forwarder either :|
03:10 < v0lZy> gonna try 58 ...
03:16 < v0lZy> seems to work on udp 58
03:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 260 seconds]
03:37 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 252 seconds]
03:39 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
03:43 -!- raidz_away is now known as raidz
03:44 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 252 seconds]
03:48 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
03:48 -!- mode/#openvpn [+o novaflash] by ChanServ
03:49 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
03:49 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
03:54 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
03:58 -!- raidz is now known as raidz_away
03:59 -!- larryone [~larryone@178.167.254.53.threembb.ie] has quit [Quit: This computer has gone to sleep]
04:00 -!- raidz_away is now known as raidz
04:03 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
04:03 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
04:06 -!- dazo_afk is now known as dazo
04:09 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:17 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 260 seconds]
04:22 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
04:22 < Chais> I'm trying to setup a site-to-site vpn server, but don't want to host the CA myself. what kind of certificates do I need?
04:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
04:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:09 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
05:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
05:09 -!- Nikon [Nikon@alpha.yourbnc.co.uk] has quit [Ping timeout: 260 seconds]
05:10 -!- malc0re [mc@unaffiliated/csdsss] has quit [Ping timeout: 245 seconds]
05:11 -!- kirin` [telex@gateway/shell/anapnea.net/x-ukpbiwpsodagkvhv] has quit [Ping timeout: 264 seconds]
05:11 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Ping timeout: 272 seconds]
05:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-sspxkduwbnbkhrks] has joined #openvpn
05:13 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
05:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:18 -!- malc0re [mc@unaffiliated/csdsss] has joined #openvpn
05:22 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Ping timeout: 264 seconds]
05:35 -!- jackbrown [~se@93.44.41.0] has joined #openvpn
05:35 -!- fred`` [fred@earthli.ng] has joined #openvpn
06:10 <@plaisthos> !ca
06:10 <@plaisthos> !easyca
06:10 <@plaisthos> !certificates
06:10 <@plaisthos> I am bad at this :(
06:10 <@plaisthos> !search certificates
06:10 <@vpnHelper> There were no matching configuration variables.
06:37 -!- moparisthebest [~quassel@cpe-74-140-244-163.swo.res.rr.com] has joined #openvpn
06:38 < moparisthebest> if I run multiple openvpn instances, do I need a seperate tap interface for each?
06:45 < Chais> plaisthos: it's not that I don't know how to set a CA up. I just don't want to self sign the certs. I'd like to have them signed by cacert.org or something
06:46 < Chais> but for that I need to know what kind of cert I need to generate. and also what's the deal with the diffie-helman cert
06:57 < moparisthebest> with openvpn what reason is there NOT to sign the certs with your own CA?
06:58 < moparisthebest> I can only think of upsides, easier, more secure
07:16 <@ecrist> !easy-rsa
07:16 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
07:16 <@ecrist> plaisthos: ^
07:16 <@ecrist> :)
07:17 <@ecrist> moparisthebest: yes, you need a tap/tun interface for each
07:17 <@ecrist> if you're using tap, odds are you're doing it wrong
07:17 <@ecrist> Chais: why do you want them signed by cacert.org?
07:17 <@plaisthos> moparisthebest: using a general CA like Cacert requires you to have a lot of understanding of X509 stuff and so on
07:18 <@plaisthos> with you own mini ca, you least know that there only the certificates of your own mini ca that work
07:18 <@plaisthos> otherwise you need to distinguish between authentication and authorization
07:18 < moparisthebest> I think you meant that at Chais plaisthos, but I agree :)
07:19 <@ecrist> !ssl-admin
07:19 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
07:19 < moparisthebest> ecrist: can I route instead of bridge and still have all my clients on the same subnet?
07:19 <@ecrist> moparisthebest: yes
07:19 < Chais> ecrist: doesn't have to be cacert.org I'd just like to have it signed by a third party. ideally something that is in most CA chains but doesn't cost
07:20 <@ecrist> without bridging, broadcast (l2) traffic won't flow, but you RARELY need that
07:20 <@ecrist> moparisthebest: you'll want to use --topology subnet
07:20 <@ecrist> Chais: there is no default CA chain in OpenVPN
07:21 < moparisthebest> eh, didn't explain that right, say my home network has all computers in 192.168.1.X, I'd like all openvpn clients (currently from 3 different instances) all 192.168.1.X as well, is that possible?
07:21 <@ecrist> you're likely referring to the list of automatically trusted root CAs in most web browsers - which has exactly zero bearing on openvpn
07:21 <@ecrist> moparisthebest: sure, it's possible, sans broadcast traffic
07:21 <@ecrist> really, you should separate the networks and set up proper/correct routing, though.
07:21 < Chais> I admit I assumed there to be something similar in ovpn. but if there isn't I need to import the ca cert anyway. so it doesn't really matter
07:22 <@ecrist> Chais: exactly. :)
07:22 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
07:22 <@ecrist> what good is a VPN if we trust other people's certs automatically?
07:23 < Chais> on the other hand, what good is a vpn if the only person verifying my identity is myself?
07:23 < moparisthebest> yes broadcast isn't a requirement, any pointers on how to do that though?  I like to keep them on the same subnet so I can set it up so they have the same address when at home or away
07:23 <@ecrist> Chais: that's what makes it private
07:24 <@ecrist> moparisthebest: likely not a good idea to set it up with the same address at home/away
07:24 <@ecrist> adds complexity that really doesn't matter
07:24 <@ecrist> instead, why not set up a --client-connect script that sets forward and reverse DNS for the connected VPN client in a sensible way?
07:26 < moparisthebest> it's pretty simple, I already have my own dhcp/dns server set up to give them specific IPs at home, then a client-config-dir shared among them to give them that same IP over the VPN
07:26 < moparisthebest> just currently, it's bridged and not routed
07:26 <@ecrist> !bridge
07:26 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge
07:26 <@ecrist> !tunortap
07:26 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
07:26 <@vpnHelper> rooted/jailbroken) support only tun
07:28 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
07:28 < moparisthebest> but I haven't seen any examples on how to set up tun/routing on the same subnet, I didn't think it was possible which is why I went tap/bridged
07:28 <@ecrist> !subnet
07:28 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet
07:28 <@ecrist> !101
07:28 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
07:28 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:31 < moparisthebest> yes, I understand all that, just not how to set it up with openvpn
07:31 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has quit [Quit: Leaving]
07:32 <@ecrist> basically, think of the VPN and local LAN as two separate networks
07:32 <@ecrist> number the VPN 192.168.2.0/24
07:32 <@ecrist> then, you push the 192.168.1.0/24 route to the VPN clients and provide a reverse route from the LAN to the VPN
07:32 -!- fejjerai [~quassel@kde/mitchell] has quit [Remote host closed the connection]
07:32 <@ecrist> if your LAN router is also the VPN server, it makes things much simpler
07:32 <@ecrist> as the reverse route will "just work"
07:33 -!- elfixit [~Icedove@dhcp-129-136.office.init7.net] has left #openvpn []
07:34 < moparisthebest> yes, they are the same and I know I *can* do it that way, I just wanted them on the same subnet so I don't have to change a lot of other things
07:35 <@ecrist> do what you want, you came here for help/advice
07:37 < moparisthebest> so the reason I don't want to do it that way is because openvpn doesn't support listening on more than one port (or tcp/udp on one instance)
07:37 < moparisthebest> so it's not like I'd just have to set that up for 1 other subnet, but 1 for each openvpn instance, and it just gets to be a huge pain
07:37 <@ecrist> that's not one port, that's a port on two different protocols
07:38 < moparisthebest> yes, but I also can't get it to listen on, say, port 53 AND 1194
07:38 <@ecrist> that's what port forwarding is for
07:38 < matt_> !randomsubnet
07:38 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
07:40 < moparisthebest> hehe ecrist, I came in here the other day for help on port forwarding (because openvpn was discarding forwarded udp packets) and multiple people told me NOT to do that and instead run multiple openvpn instances :)
07:40 <@ecrist> they're fucking idiots
07:41 <@ecrist> also, generally, if you're trying to do a bunch of weird stuff, and you're not finding much help on how to do what you're trying to do, you're probably doing it wrong
07:41 < moparisthebest> <krzee> its not, common is running multiple processes for multiple sockets
07:41 < moparisthebest> <sauce> moparisthebest 2 processes. listen to krzee
07:41 <@ecrist> there are exceptions, but I'm pretty certain you don't fall in that group
07:41 <@ecrist> krzee: you're a fucking idiot. :)
07:44 -!- jackbrown [~se@93.44.41.0] has quit [Quit: Sto andando via]
07:46  * ecrist poofs
07:51 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:56 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
07:59 -!- fejjerai [~quassel@kde/mitchell] has quit [Remote host closed the connection]
08:08  * ecrist unpoofs
08:19 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:35 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
08:35 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
08:51 -!- babilen [~babilen@unaffiliated/babilen] has joined #openvpn
08:52 < babilen> Hello. I am working with easy-rsa, and am not entirely sure what the ALPHANUMERICALID.pem files in KEY_DIR are. Could somebody shed some light on that? (e.g. 5B.pem)
08:54 <@ecrist> that's the serial number, iirc
08:57 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
08:58 < babilen> ecrist: Thanks. Background to my question is that I'm trying to automate the creation of a PKI in salt and would also like to be able to migrate the contents of an old KEY_DIR
08:59 < babilen> I am just not sure what exactly generates those.
08:59 < babilen> I mean I want some logic like: "If no ca.* run --initca" ... and so on.
08:59 < matt_> babilen: they are from openssl, if you sign a cert it will save it in a pem file with the name of the serial number
09:00 < matt_> babilen: openssl x509 -in 5B.pem -noout -text
09:00 < babilen> Ah, so they belong to the respective certificates that have been generated for various --server(s) ?
09:00 < matt_> babilen: its handy to keep them if you want to revoke a certificate
09:01 < matt_> babilen: should do, if you use that openssl command and look at the CN for it, you should see what it was generated for
09:03 < babilen> matt_: Yes, that clarifies everything.
09:04 < babilen> Thank you for the fast and kind help.
09:04 < matt_> babilen: np
09:06 < sauce> moparisthebest if i backed up the wrong decision i apologize
09:09 < moparisthebest> sauce: no problem, I don't think either way is really 'wrong', just personal preference one way or the other
09:15 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
09:16 < debbie10t> as it is quiet ...
09:17 < debbie10t> pekster: W7 reboot / explicit-exit-notify issue : https://forums.openvpn.net/post42765.html
09:17 <@vpnHelper> Title: OpenVPN Support Forum Windows Seven & explicit-exit-notify 3 : Server Administration (at forums.openvpn.net)
09:17 < debbie10t> tia
09:23 -!- debbie10t is now known as debbie10t|afk
09:46 -!- groszek [~groszek@46.246.47.138] has joined #openvpn
09:48 -!- groszek [~groszek@46.246.47.138] has left #openvpn ["."]
10:02 -!- debbie10t|afk is now known as debbie10t
10:05 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:05 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
10:41 -!- Latrina [~Latrina@ppp-78-22.26-151.libero.it] has quit [Ping timeout: 240 seconds]
10:42 -!- Latrina [~Latrina@ppp-38-36.26-151.libero.it] has joined #openvpn
10:58  * Eugene sits in a corner and cries
10:58 < Eugene> $JOB uses L2TP/IPsec
11:03 -!- zapotek6 [~zap@213.149.219.85] has quit [Ping timeout: 240 seconds]
11:15 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
11:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:45 -!- Latrina [~Latrina@ppp-38-36.26-151.libero.it] has quit [Ping timeout: 245 seconds]
11:46 -!- Latrina [~Latrina@ppp-122-32.26-151.libero.it] has joined #openvpn
12:27 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 256 seconds]
12:35 -!- mattock is now known as mattock_afk
12:37 -!- crus [~crusader@crus0r.soho.on.net] has joined #openvpn
12:39 -!- dazo is now known as dazo_afk
12:43 -!- crus [~crusader@crus0r.soho.on.net] has quit [Ping timeout: 256 seconds]
13:02 -!- dferris [~dferris@bravo.usrsbin.com] has joined #openvpn
13:02 < dferris> !heartbleed
13:02 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
13:02 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
13:02 -!- dferris [~dferris@bravo.usrsbin.com] has left #openvpn []
13:09 -!- arescorpio [~arescorpi@72-242-16-190.fibertel.com.ar] has joined #openvpn
13:10 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
13:22 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:23 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 240 seconds]
13:29 -!- liriel [~liriel@185.21.217.6] has joined #openvpn
13:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:57 -!- mattock_afk is now known as mattock
14:00 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
14:10 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
14:19 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: rebooting]
14:23 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
14:24 < ayaka> I have a problem with vpn connection. with a long connection, the speed in vpn network would be very slow(like transport file in it)
14:24 < ayaka> I have to restart the connection, then the speed back to normal level
14:24 < ayaka> what is the problem and anyway to avoid it?
14:25 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
14:31 -!- arescorpio [~arescorpi@72-242-16-190.fibertel.com.ar] has quit [Excess Flood]
14:58 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 264 seconds]
15:00 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
15:00 -!- mode/#openvpn [+v hazardous] by ChanServ
15:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:45 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 240 seconds]
15:46 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
15:56 -!- LFNfan [~paul@pesbaker.plus.com] has joined #openvpn
15:57 -!- u0m3 [~u0m3@109.96.147.3] has quit [Ping timeout: 264 seconds]
15:57 -!- u0m3_ [~u0m3@92.80.90.74] has joined #openvpn
16:03 -!- mattock is now known as mattock_afk
16:28 < LFNfan> I am trying to set up my public key infrastructure using easy-rsa on linux mint 17 and fail at "./build-ca"Any advice appreciated...
16:29 < LFNfan> paste of terminal and vars file here: http://pastebin.com/qeKRtfqA
16:29 -!- tamazaki [~tamazaki@95.85.35.109] has quit [Quit: leaving]
17:05 -!- ShadniX [dagger@p5DDFFA0D.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
17:07 -!- ShadniX [dagger@p5DDFFA0D.dip0.t-ipconnect.de] has joined #openvpn
17:08 -!- u0m3_ is now known as u0m3
17:10 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
17:14 -!- Latrina [~Latrina@ppp-122-32.26-151.libero.it] has quit [Ping timeout: 252 seconds]
17:16 -!- Latrina [~Latrina@151.26.20.118] has joined #openvpn
17:33 -!- Netsplit *.net <-> *.split quits: jzaw, SupaYoshi, _abbe`, brezel, Samopotamus, someone, Nothing4You, early, tapout, Neal_,  (+32 more, use /NETSPLIT to show all of them)
17:33 -!- Netsplit over, joins: roentgen, aPollO2k
17:33 -!- Netsplit over, joins: u0m3
17:33 -!- seppuku [~seppuku@82.56.46.4] has joined #openvpn
17:33 -!- Netsplit over, joins: raidz
17:33 -!- mode/#openvpn [+o raidz] by ChanServ
17:34 -!- riddle [riddle@76.72.170.57] has joined #openvpn
17:34 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
17:36 -!- milligan [~milligan@voyage.vhost.usr.no] has joined #openvpn
17:36 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
17:36 -!- Rymax99 [~Ryan@s2.rymax99.com] has joined #openvpn
17:36 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
17:36 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:36 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
17:36 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has joined #openvpn
17:36 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
17:36 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:36 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:36 -!- early [~early@192.241.198.49] has joined #openvpn
17:36 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
17:36 -!- Neal_ [~neal@2600:3c00:e001:1a00::1] has joined #openvpn
17:36 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
17:36 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
17:36 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
17:36 -!- ServerMode/#openvpn [+o krzee] by morgan.freenode.net
17:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:36 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
17:36 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
17:36 -!- brezel [~dahbrezel@2a03:4000:6:206b::] has joined #openvpn
17:36 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
17:36 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-msdmumvcyinlrumt] has joined #openvpn
17:36 -!- _abbe` [having@badti.me] has joined #openvpn
17:36 -!- aji [~alex@atheme/member/aji] has joined #openvpn
17:36 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
17:36 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
17:36 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
17:36 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
17:36 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
17:36 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:36 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Max SendQ exceeded]
17:36 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
17:36 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Max SendQ exceeded]
17:36 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
17:36 -!- tapout [~tapout@unaffiliated/tapout] has quit [Max SendQ exceeded]
17:37 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
17:37 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
17:37 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
17:38 -!- malc0re [mc@unaffiliated/csdsss] has quit [Remote host closed the connection]
17:38 -!- malc0re_ [mc@unaffiliated/csdsss] has joined #openvpn
17:38 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
17:38 -!- mode/#openvpn [+o vpnHelper] by ChanServ
17:39 -!- seppuku [~seppuku@82.56.46.4] has quit [Ping timeout: 240 seconds]
17:39 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:40 -!- seppuku [~seppuku@82.56.46.4] has joined #openvpn
17:45 -!- seppuku [~seppuku@82.56.46.4] has quit [Ping timeout: 240 seconds]
17:46 -!- u0m3 [~u0m3@92.80.90.74] has quit [Quit: Leaving]
17:47 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
17:47 -!- u0m3 [~u0m3@92.80.90.74] has joined #openvpn
17:50 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:52 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 260 seconds]
17:53 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
17:58 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
18:00 -!- seppuku [~seppuku@82.56.46.4] has joined #openvpn
18:04 -!- seppuku [~seppuku@82.56.46.4] has quit [Ping timeout: 240 seconds]
18:06 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:11 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 264 seconds]
18:12 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
18:13 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:18 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 245 seconds]
18:20 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:25 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 245 seconds]
18:27 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:33 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 272 seconds]
18:33 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:35 < LFNfan> quit
18:35 < LFNfan> exit
18:35 -!- LFNfan [~paul@pesbaker.plus.com] has quit [Quit: Leaving]
18:39 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
18:40 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:40 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:46 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 255 seconds]
18:47 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:52 -!- brah [~allsdfjal@181.164.61.9] has joined #openvpn
18:52 < brah> Hello.
18:52 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
18:53 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
18:59 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
19:00 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
19:05 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
19:06 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
19:11 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 260 seconds]
19:13 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has joined #openvpn
19:18 -!- seppuku [~seppuku@host4-46-dynamic.56-82-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
19:20 < brah> My server is pushing inactive 600. I set ping 10 on my client, but it still disconnects. What do?
19:21 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
19:29 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
19:32 < ljvb> evening
19:32 < ljvb> random question, when using mssfix 0, I am having issues with two different hosts picking different window sizes
19:33 < ljvb> on one host it is 64 (the server), on the other is is 32 (client)
19:36 < ljvb> I know they do not have to be the same, but no data transfers
19:38 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: BitchX-1.2-final -- just do it.]
19:40 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
19:40 < ljvb> and I rebooted the wrong box lol
19:42 -!- fred`` [fred@earthli.ng] has joined #openvpn
20:01 <@krzee> ecrist, :-p
20:25 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
20:27 -!- Netsplit *.net <-> *.split quits: adaptr, NucWin, @krzee, hive-mind, Nothing4You, defswork, MatToufoutu, dvl, vinky, Chais,  (+119 more, use /NETSPLIT to show all of them)
20:27 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
20:30 -!- Netsplit over, joins: tapout, milligan, JackWinter_, Rymax99, ribasushi, @krzee, c00w, jzaw, early, Eugene (+4 more)
20:33 -!- peper [~peper@gentoo/developer/peper] has quit [Write error: Connection reset by peer]
20:58 -!- Denial [~Denial@host86-163-221-70.range86-163.btcentralplus.com] has joined #openvpn
20:58 -!- Olivier [Olivier@185.13.226.177] has joined #openvpn
20:58 -!- metaf5 [~metaf5@107.181.166.167] has joined #openvpn
20:58 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
20:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:58 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
20:58 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
20:58 -!- nyx_o [~nyx@cav33-1-78-231-214-8.fbx.proxad.net] has joined #openvpn
20:58 -!- Kerbe [kerberos@gladiolus.fi] has joined #openvpn
20:58 -!- doebi [~doebi@doebi.at] has joined #openvpn
20:58 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
20:58 -!- Champi [Champi@rootshell.fr] has joined #openvpn
20:58 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
20:58 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
20:58 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
20:58 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
20:58 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
20:58 -!- tdreyer1 [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn
20:58 -!- pradeepc [~pradeepc@198.199.90.215] has joined #openvpn
20:58 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
20:58 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
20:58 -!- TheScorp [~noyou@37.81-166-92.customer.lyse.net] has joined #openvpn
20:58 -!- eZpl0it [~eZpl0it@193.234.224.171] has joined #openvpn
20:58 -!- Ridley5 [~Ridley@unaffiliated/ridley5] has joined #openvpn
20:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
20:58 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
20:58 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:58 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
20:58 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
20:58 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
20:58 -!- Kuba [newc3917@unaffiliated/kuba] has joined #openvpn
20:58 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
20:58 -!- s1dev [~s1dev@199.241.28.135] has joined #openvpn
20:58 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
20:58 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
20:58 -!- defswork [~andy@141.0.50.98] has joined #openvpn
20:58 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
20:58 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
20:58 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:58 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has joined #openvpn
20:58 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has joined #openvpn
20:58 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
20:58 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
20:58 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
20:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
20:58 -!- ServerMode/#openvpn [+oo syzzer plaisthos] by morgan.freenode.net
20:58 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
20:58 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
20:58 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
20:58 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
20:58 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
20:58 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
20:58 -!- n1md4 [~nimda@anion.cinosure.com] has joined #openvpn
20:58 -!- blz37 [~minsa@99-73-164-80.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
20:58 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
20:58 -!- kirin` [telex@gateway/shell/anapnea.net/x-sspxkduwbnbkhrks] has joined #openvpn
20:58 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
20:58 -!- malc0re_ [mc@unaffiliated/csdsss] has joined #openvpn
20:58 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
20:58 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
20:58 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
20:58 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
20:58 -!- mingdao [~mingdao@unaffiliated/mingdao] has joined #openvpn
20:58 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
20:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:58 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
20:58 -!- ServerMode/#openvpn [+vo RBecker novaflash] by morgan.freenode.net
20:58 -!- fred`` [fred@earthli.ng] has joined #openvpn
20:58 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
21:03 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:03 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
21:03 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
21:03 -!- brezel [~dahbrezel@2a03:4000:6:206b::] has joined #openvpn
21:03 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-msdmumvcyinlrumt] has joined #openvpn
21:03 -!- _abbe` [having@badti.me] has joined #openvpn
21:03 -!- aji [~alex@atheme/member/aji] has joined #openvpn
21:03 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
21:03 -!- TypoNe [~itsme@195.197.184.87] has joined #openvpn
21:03 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
21:03 -!- Chex [sss@hotlanta.northnook.ca] has joined #openvpn
21:04 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
21:04 -!- riddle [riddle@76.72.170.57] has joined #openvpn
21:04 -!- MACscr [~Adium@50.158.183.38] has joined #openvpn
21:05 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 246 seconds]
21:05 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 246 seconds]
21:06 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
21:06 -!- Latrina [~Latrina@151.26.20.118] has joined #openvpn
21:06 -!- liriel [~liriel@185.21.217.6] has joined #openvpn
21:06 -!- ServerMode/#openvpn [+o raidz] by morgan.freenode.net
21:06 -!- u0m3 [~u0m3@92.80.90.74] has joined #openvpn
21:06 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
21:06 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:06 -!- babilen [~babilen@unaffiliated/babilen] has joined #openvpn
21:06 -!- fejjerai [~quassel@kde/mitchell] has joined #openvpn
21:06 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
21:06 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
21:06 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
21:06 -!- Jeroen [~Jeroen@milkyway.jeroendeneef.eu] has joined #openvpn
21:06 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
21:06 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
21:06 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
21:06 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
21:06 -!- zpatten [~zpatten@unaffiliated/zpatten] has joined #openvpn
21:06 -!- ServerMode/#openvpn [+ov vpnHelper hazardous] by morgan.freenode.net
21:08 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
21:08 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
21:08 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
21:08 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
21:08 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
21:08 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
21:08 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
21:08 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
21:08 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
21:20 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
21:20 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
21:22 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
21:26 -!- u0m3_ [~u0m3@92.80.102.192] has joined #openvpn
21:28 -!- u0m3 [~u0m3@92.80.90.74] has quit [Ping timeout: 272 seconds]
21:43 -!- ShadniX [dagger@p5DDFFA0D.dip0.t-ipconnect.de] has joined #openvpn
21:48 -!- woshty [~irc@84.200.211.57] has joined #openvpn
22:14 < brah>  Basically I'm trying to override the 'inactive 600' sent by the server
22:14 <@krzee> you control the server?
22:15 < brah> krzee: No, only the client.
22:15 <@krzee> short answer, you cant easily
22:16 <@krzee> long answer, if you dont pull ANY options, then you have to set all the options that would normally pull except that one
22:17 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
22:17 < brah> krzee: That is a good idea.
22:32 < ayaka> I have a problem with long time vpn connection. after the vpn has connected a long,  the speed in vpn network would be very slow(like transport file in it)
22:32 < ayaka> is it common?
22:36 < brah> krzee: Any idea of why it's expecting this now? http://pastebin.com/z8qyDV1q
22:36 < brah> ayaka: Common as should that happen? No.
22:37 < ayaka> it could be solved but just restart connection, but it is really boring
22:38 < brah> ayaka: Are you using TCP?
22:38 < ayaka> brah, no udp
22:45 <@krzee> ayaka, tested your mtu? looked at packetdumps to see if anything sticks out?
22:46 < ayaka> krzee, no I haven't, is there any guide, in my memory, if I change the mtu, the vpn won't connect, so I haven't touch it long time
22:47 <@krzee> ayaka, not your server?
22:48 < ayaka> both client and server is under my control
22:48 <@krzee> !mtu
22:48 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
22:51 <@krzee> brah, dunno, that might be worthy of making a ticket
22:51 <@krzee> !trac
22:51 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database.
22:52 < brah> krzee: Docs aren't very helpful, but I found 'client' means both 'pull' and 'tls-client'. Then it definitely shouldn't behave differently.
22:52 <@krzee> well did you look at every pushed option in your normal logs?
22:53 <@krzee> and then copy every single one except --inactive ?
22:53 <@krzee> although really your error is before connection attempt isnt it
22:53 < brah> krzee: Yes. However, OpenVPN shouldn't refuse to start.
22:53 < brah> exit code is 1
22:54 <@krzee> before it even tries to connect, right?
22:54 < ayaka> krzee, brah thank you I would check it
22:54 < brah> krzee: That's correct.
22:54 <@krzee> brah, sounds bug report worthy
22:54 <@krzee> use the trac link above
22:55 < brah> Only issue I have now is this VPN restarting every 10 minutes if nothing happens. With my luck, the CEO is going to try to do something over it while it's restarting.
22:59 <@krzee> well that sounds easy enough to fix...
22:59 <@krzee> send a ping every 5 minutes :-p
22:59 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
23:00 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
23:00 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:01 <@krzee> well i guess that depends on the bytes passed to it
23:01 <@krzee> but you get the idea
23:01 <@krzee> wget a small file (but bigger than --inactive bytes) or whatever
23:01 < brah> krzee: Does ping really count towards reseting inactive though? Aren't they 2 different mechanisms?
23:01 <@krzee> you're thinking of the internal --ping
23:01 < brah> Yeah, I am.
23:02 <@krzee> im talking about send some traffic over the vpn
23:02 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:02 <@krzee> generate just enough to never trigger --inactive
23:02 <@krzee> workaround solved
23:03 <@krzee> maybe icmp ping wouldnt work depending on bytes option to --inactive
23:04 <@krzee> but if that is the case you can just download a file of the right size over the vpn every 7 minutes or whatever
23:14 -!- ShadniX [dagger@p5DDFFA0D.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
23:15 -!- ShadniX [dagger@p5DDFEF26.dip0.t-ipconnect.de] has joined #openvpn
23:38 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
--- Day changed Fri Jul 11 2014
00:01 -!- brah [~allsdfjal@181.164.61.9] has quit [Quit: Leaving]
00:05 -!- Artea [~Lufia@po-217-129-154-19.netvisao.pt] has joined #openvpn
01:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:40 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
01:52 -!- phihag [~phihag@dsdf-4db5c67a.pool.mediaWays.net] has joined #openvpn
01:57 -!- phihag [~phihag@dsdf-4db5c67a.pool.mediaWays.net] has left #openvpn ["Wireless cable cut"]
01:57 -!- phihag [~phihag@dsdf-4db5c67a.pool.mediaWays.net] has joined #openvpn
01:58 < phihag> What can make the default gateway end in .5? My server address is 10.222.0.1, but the client gets pushed a route for 10.222.0.5 https://gist.github.com/phihag/41bc5ad580f065fbc690
01:58 <@vpnHelper> Title: OpenVPN problem - Why is the default gateway 10.222.0.5? (at gist.github.com)
01:58 -!- mattock_afk is now known as mattock
02:13 -!- Latrina [~Latrina@151.26.20.118] has quit [Max SendQ exceeded]
02:14 -!- Latrina [~Latrina@ppp-118-20.26-151.libero.it] has joined #openvpn
02:26 -!- babilen [~babilen@unaffiliated/babilen] has left #openvpn []
02:27 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:39 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
02:46 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:52 -!- Hadi [~Instantbi@151.239.169.88] has joined #openvpn
02:53 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
02:56 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
03:04 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:15 -!- phihag [~phihag@dsdf-4db5c67a.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
03:27 < vinky> Im having two openvpn connections from the same Windows klient to two different vpn services on a remote, I can connect fine to both but only ping the first
03:27 < defswork> are both redirecting gateway ?
03:28 < vinky> how do I see that?
03:28 < defswork> in the logs
03:28 < defswork> will show the routes being assigned
03:30 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
03:30 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:32 < vinky> ah, I missed the permission denied
04:07 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
04:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
05:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:09 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 264 seconds]
05:39 -!- u0m3_ [~u0m3@92.80.102.192] has quit [Ping timeout: 240 seconds]
05:42 -!- Hadi [~Instantbi@151.239.169.88] has quit [Ping timeout: 240 seconds]
05:43 -!- brezel [~dahbrezel@2a03:4000:6:206b::] has quit [Ping timeout: 245 seconds]
05:44 -!- dazo_afk is now known as dazo
05:45 -!- u0m3 [~u0m3@92.80.90.192] has joined #openvpn
05:49 -!- debbie10t [~ma1com10t@openvpn/community/support/debbie10t] has joined #openvpn
05:54 < debbie10t> Windows is soooo  dumb !  -- without changing any thing I have a client that is sending all out going traffic from the TAP address .. this is the simplest TUN setup .. no special options .. and so the client is completely useless .. the only thing it can do is let me on a remote desktop as that is over the VPN !
05:54 < debbie10t> I don't need help .. just saying how dumb windows is
05:55 <@plaisthos> In my experience that sounds like a misconfiguration
05:56 <@plaisthos> windows allows things like default routes on all interfaces
05:56 < debbie10t> of openvpn or windows ?
05:56 <@plaisthos> it often works
06:00 < debbie10t> I am not redirecting anything .. even if i ping the clients remote gateway from a dosbox on the client (under RDP) it fails because the source address is the VPN IP and the remote gateway does not have static route for VPN .. I can't add one becuse I cant login to the gateway either .. lol
06:04 < debbie10t> gah .. this is pathetic .. it has worked for over a year and now sudddenly this ...
06:14 < debbie10t> http://support.microsoft.com/default.aspx?scid=kb;EN-US;175396
06:14 <@vpnHelper> Title: Windows Socket Connection from a Multiple-Homed Computer (at support.microsoft.com)
06:14 < debbie10t> The stack cannot make an intelligent choice until it knows the target IP address
06:14 < debbie10t> cannot make an intelligent choice FULL STOP
06:15 < debbie10t> If a source IP is not given the Primary IP address of the adapter with a route that most closely matches the target IP address is used to source the packet and the adapter that the Primary IP is associated with is used as the source adapter
06:15 < debbie10t> Oh no it does not.
06:19 <@plaisthos> debbie10t: yeah, so what?
06:19 <@plaisthos> Unices work the same way
06:22 < debbie10t> plaisthos: just annoyed that technet talks bollx
06:22 <@plaisthos> debbie10t: !?!
06:23 <@plaisthos> the article perfectly well describes socket behaviour under Windows and other Unics
06:23 < debbie10t> according to technet the source ip is selected as the one which matches closest the dest ip ..
06:23 <@plaisthos> Linux does the same stuff
06:23 < debbie10t> only not in this case !
06:24 < matt_> debbie10t: pastebin the routing table
06:25 < debbie10t> matt_ client or server ~?
06:25 < matt_> debbie10t: client
06:25 < debbie10t> will take a while
06:27 < debbie10t> well .. i have removed the client code for routing the client side subnet and reconnected now it is ok
06:27 < debbie10t> wierd
06:28 < matt_> ... cool
06:28 < debbie10t> i must have made some odd error
06:28 < debbie10t> gonna have to go through this very carefully
06:29 <@plaisthos> debbie10t: also you know, modern windows variants use the strong E/S model
06:29 < debbie10t> sure but I don't have money to buy everybody new windows ;)
06:30 <@plaisthos> debbie10t: you should read articles you post
06:30 <@plaisthos> newer in this context means Vista
06:31 < debbie10t> so what vista isn't free ..
06:32 <@plaisthos> debbie10t: just shut up. I cannot bear your half knowledge and blaming everything on Microsoft without hard facts anymore
06:33 < debbie10t> sorry .. if yyou mean that article was meant for vista .. yes I know .. otherwise I am not sure what you meant .. other than that .. sorry .. going
06:35 <@plaisthos> debbie10t: you know there is a section that article stating to which OSes the articles applies?
06:36 < debbie10t> yes .. -- I have to go for now .. sorry to piss you off plaisthos
06:36 -!- debbie10t is now known as debbie10t|afk
06:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
06:52 -!- debbie10t|afk [~ma1com10t@openvpn/community/support/debbie10t] has left #openvpn []
07:28 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:39 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:48 < ayaka> about fragment, should I set it in the both side or just client side is enough?
07:48 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
07:50 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:52 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
07:53 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
07:57 <@plaisthos> ayaka: both sides need that option iirc
08:34 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
08:48 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
08:52 < ayaka> plaisthos, but if the client is in the different place. it should use a different fragment
09:00 < matt_> ayaka: fragment is a setting for the maximum size of the packets that the openvpn deamons generate. It will normally depend on the underlying network infrastructure
09:02 < matt_> ayaka: its also normally used for work arounds for clients behind dodgy networks or routers and it would probuly be best to try the connection without fragment before playing with it
09:03 < ayaka> matt_, but my problem is that, with a long vpn connection, the speed of scp would be very slow
09:03 < ayaka> but if I restart the vpn connection, the speed would be normal
09:04 < ayaka> matt_, yesterday I was suggested to set mtu
09:04 < matt_> ayaka: do you have the same problem if you scp without using a vpn? if thats possiable
09:05 < matt_> ayaka: also, are you using udp or tcp for the openvpn connection?
09:05 < ayaka> matt_, no without vpn, scp always work normal
09:05 < ayaka> I am using udp
09:08 -!- raikolito [~circuser-@50.Red-88-20-184.staticIP.rima-tde.net] has joined #openvpn
09:08 < raikolito> hello!
09:09 < raikolito> can someone give m some help with my openvpn?
09:13 <@ecrist> !ask
09:13 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
09:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
09:16 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
09:17 < ayaka> Matir, is it correct way to do that?
09:18 -!- moparisthebest [~quassel@cpe-74-140-244-163.swo.res.rr.com] has quit [Remote host closed the connection]
09:20 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
09:21 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:22 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
09:23 <@plaisthos> ayaka: then fragment is probably not the answer for you
09:23 <@plaisthos> ayaka: you can also try mssfix
09:25 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
09:26 < ayaka> plaisthos, but it seems for tcp?
09:26 < raikolito> I´m trying to run the openvpn windows. the problem is when it´s installed, the installation wizard doesnt create the easy-rsa folder, i go to this link: https://github.com/OpenVPN/easy-rsa but i don´t locate the vards,build.dh command, etc.. any ideaS?
09:26 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
09:26 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:27 <@plaisthos> ayaka: like scp?
09:27 < ayaka> plaisthos, I understand now, thank you
09:27 <@plaisthos> "Announce to TCP sessions  running  over  the  tunnel .."
09:28 <@plaisthos> mssfix can be used on client and/or server
09:28 < ayaka> but the default value is 1450, which is low enough, I think the mtu of my vpn is 1460
09:31 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:45 -!- mete [~mete@91.247.253.160] has quit [Quit: .]
09:46 -!- mete [~mete@91.247.253.160] has joined #openvpn
09:50 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 240 seconds]
09:51 -!- raikolito [~circuser-@50.Red-88-20-184.staticIP.rima-tde.net] has quit [Remote host closed the connection]
09:53 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
09:59 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
10:25 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
10:41 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:42 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:44 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
10:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:58 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
11:25 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
11:25 -!- _KaszpiR__ [~kaszpir@unaffiliated/kaszpir/x-3157048] has joined #openvpn
11:46 -!- larryone [~larryone@178.167.254.66.threembb.ie] has joined #openvpn
11:52 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
11:52 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 255 seconds]
11:55 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
11:58 -!- _KaszpiR__ [~kaszpir@unaffiliated/kaszpir/x-3157048] has quit [Quit: Resistance was futile.]
12:00 -!- Envil [~meep@151.236.22.8] has joined #openvpn
12:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:07 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Quit: Lost terminal]
12:08 -!- larryone [~larryone@178.167.254.66.threembb.ie] has quit [Ping timeout: 240 seconds]
12:19 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:37 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Disconnected by services]
12:37 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
12:37 -!- mode/#openvpn [+v RBecker] by ChanServ
12:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-sspxkduwbnbkhrks] has quit [Disconnected by services]
12:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-lcortawmdjmegvzv] has joined #openvpn
12:41 -!- Netsplit *.net <-> *.split quits: blz37, xMopxShell, n1md4, pppingme, _bt, TheEternalAbyss, @novaflash, MatToufoutu
12:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:51 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
12:52 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
13:26 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
13:33 -!- Envil [~meep@151.236.22.8] has quit [Ping timeout: 240 seconds]
13:38 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
13:48 -!- Envil [~meep@95.211.26.40] has joined #openvpn
13:54 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
13:54 -!- mode/#openvpn [+v hazardous] by ChanServ
14:03 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 252 seconds]
14:04 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
14:08 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:19 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 30.0/20140605174243]]
14:31 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
14:33 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 252 seconds]
14:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
14:34 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
14:54 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
14:58 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
15:00 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 252 seconds]
15:02 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 240 seconds]
15:03 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
15:08 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:12 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
15:13 -!- dazo is now known as dazo_afk
15:38 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
15:39 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:54 -!- mattock is now known as mattock_afk
15:57 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:11 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
16:16 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
16:17 < moviuro> Hi all! I'd like to have a quick explanation to this non-sense: http://sprunge.us/QERE
16:17 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:20 < pekster> moviuro: Wrong tap device perhaps, or lacking permissions to adjust them? Works here provided you don't have a tap0 beforehand
16:20 < pekster> Running this as root has the expected behavior for me: openvpn --dev tap --lladdr 00:11:22:aa:bb:cc --ifconfig 10.50.0.1 255.255.255.0
16:21 < moviuro> well, fun partis: if I do have a tap0 before hand and put tap0 as dev, openvpn deletes the existing MAC
16:22 < pekster> Oh, I'm using iproute2 here (on Linux) -- maybe things change with the old net-utils junk? Or is this another Unix-alike?
16:22 < pekster> If you add --verb 4 you will see the command it's using to set the LL
16:23 < moviuro> surely ip since I've got nothing else
16:23 < pekster> That's not the openvpn build default
16:23 < moviuro> it seems to work correctly on my other PC though
16:23 < pekster> Did you compile with --enable-iproute2 ?
16:23 < pekster> If not, you're probably using the old-and-busted Linux networking APIs :P
16:23 < moviuro> dunno, I used archlinux packages
16:23 < pekster> Here's what you see using iproute2 in the logs at --verb 4: /sbin/ip link set addr 00:11:22:aa:bb:cc dev tap0
16:24 < pekster> Specifically, the "/sbin/ip" part
16:25 < pekster> Could be that feature has issues with the net-tools API, or some distro/OS quirkyness using it
16:25 < pekster> I'd see what it's doing and see if you can get it to work by manually supplying the same command
16:25 < pekster> If you still can't, maybe try recompiling openvpn with iproute2 and see if that fixes it?
16:29 < moviuro> Fri Jul 11 23:28:08 2014 us=850823 /usr/bin/ip link set addr 19:03:08:09:26:15 dev tap0
16:29 < pekster> Seems to work here iwth ifconfig too
16:30 < pekster> Looks right. If you issue that command at a root terminal, does it do anything?
16:31 < moviuro> cannot find device :
16:34 < pekster> Did you forget to do that after you had a tap0?
16:34 < pekster> Obviously it won't do much if you have no device :P
16:34 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
16:34 < moviuro> since openvpn takes care of the mac address, I take it it also creates the device
16:34 < moviuro> it works on my other computer
16:34 < pekster> Right, and if you killed the process and ran that command, you get that error
16:34 < pekster> Hence my question
16:35 < moviuro> well, shouldn't 2 computers behave in the same way?
16:35 < pekster> ..
16:35 < pekster> What's this to do with you running the command the right way? Maybe iproute2 is screwed up on one, I have no idea
16:36 < pekster> This is why I'm asking you to do it and verify the details
16:36 < moviuro> both computers have the same network setup
16:36 < pekster> So did you, or did you not verify that tap0 exists before you issued, as root, `/usr/bin/ip link set addr 19:03:08:09:26:15 dev tap0`  ?
16:36 < moviuro> files in /etc/systemd/network are the same, openvpn config is the same (only lladdr is different)
16:36 < pekster> Fuck systemd
16:36 < pekster> This is a shell command
16:37 < moviuro> yes, and on both computers, the tap0 does not exist before I launch openvpn
16:37 < pekster> So _when_ did you manually invoke `ip` ?
16:37 < pekster> And did you verify the tap existsed right before you did that?
16:38 < pekster> Or better yet, pastebin `ip l && /usr/bin/ip link set addr 19:03:08:09:26:15 dev tap0` somewhere if you're still confused
16:41 < moviuro> found what makes it fail : RTNETLINK answers: Cannot assign requested address
16:44 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:51 < moviuro> ok pekster, so it was because I was using an invalid MAC address for one of my two machines
16:52 < pekster> That would indeed cause it to fail
16:54 < moviuro> Also, another thought: I'm not sure it should be openvpn's job to set a MAC address. systemd can now handle it. was it intended so that openvpn always gets its way? Is there a way to force openvpn to use a tap device without changing its MAC?
16:55 -!- triplicate [~triplicat@206.169.175.130] has joined #openvpn
16:56 < pekster> Don't use --lladdr
16:57 < pekster> To use a device, just referencen it
16:57 < pekster> --dev tap_blue_fush
16:57 < pekster> fish*
16:57 < moviuro> pekster: well, I trid that and it replaced the original MAC with an auto generated one
16:58 < pekster> (btw, systemd is not at all required -- you could just as easily set the tap up with `ip tuntap add dev tap_blue_fish mode tun` )
16:59 < pekster> A tap won't have an address until it's initialized IIRC
16:59 < moviuro> pekster: yeah, but it's got its ow network managing services now, and the less tools I use for a task, the better
17:00 < moviuro> systemd.netdev introduced tap/tun in version 215
17:00 < pekster> "network services" should _NOT_ be opening your tap for you
17:00 < pekster> If it it's it's retarted
17:00 < pekster> Opening the API to _use_ the adapter is the job of an application
17:00 < moviuro> not even create the device ?
17:00 < pekster> Okay, stop using systemd for 30 seconds and listen to what I'm saying
17:00 < pekster> Run: `ip tuntap add dev tap_blah mode tun`
17:01 < pekster> Then run: `ip link show dev tap_blah` -- take note of how it has _NO_ LL address
17:01 < pekster> It's not actually doing anything yet, so it'll have no address
17:01 < pekster> Is your tooling doing something different before you even connect to the tap from an application (ie: openvpn) ?
17:01 < moviuro> no, it's just sitting there
17:01 < moviuro> nothing on it, just a name
17:02 < pekster> Exactly
17:02 < pekster> It doesn't get an address until an _application_ connects to it. Last I checked systemd (or any other such service) is not the application, it's just a glorified initscript that tries to do too much with no stable API to speak of :P
17:03 < pekster> Presumably this is why the --lladdr option exists to openvpn. If that's "not good enough" then write your own script to do "whatever you want" to set it: see !scripts for links to scriptable hooks to openvpn
17:03 < pekster> If you want to call some obscene systemd command instead of a simple call to `ip`, go for it
17:04 < pekster> But the point remains: your tooling isn't setting the MAC, so why are you asking how to do that here? ;)
17:04 < moviuro> ok pekster, I'll read more about device initialization and how to do the best/cleanest solution
17:04 < pekster> Does it matter so much where the address is defined?
17:04 < pekster> I'm mildly interested in your usecase for wanting it "managed" by systemd so badly
17:05 < moviuro> pekster: because systemd does allow to set the MAC (it just calls ip), at boot time, and makes sure the integration of the given interface is OK with its starting sequence
17:05 < pekster> But it doesn't -- you just told me that
17:05 < pekster> taps are not like other "real" devices
17:05 < pekster> You said earlier than systemd is not setting the MAC on an unused (merely created) tap device -- so if you want systemd to do something it doesn't, ask the systemd folks, not us
17:06 < moviuro> http://www.freedesktop.org/software/systemd/man/systemd.netdev.html#Kind=
17:06 <@vpnHelper> Title: systemd.netdev (at www.freedesktop.org)
17:06 < moviuro> pekster: if I said that, I didn't mean it, it's quite the opposite now
17:07 < moviuro> so should I better let systemd create the tap device with a fixed MAC to which openvpn connects (ohopefully without removing the present MAC address) or should I let openvpn take care of creating/setting up/removing the interface ?
17:08 < pekster> I'm not sure what happens if you "set" the MAC like that on a device that's not opened for use by any application, and then give it to openvpn
17:08 < pekster> Try It And See?
17:09 < pekster> If it works, that's one option. If not, use another option, or if it really bugs you that much see about adding a patch to openvpn so that it can take a special value to the --lladdr option such that it will leave any existing address there (and probably needs to fall back to the dynamic behavior it has today if there isn't one)
17:11 < pekster> I've NFI why systemd is taking the device out of the DOWN state though -- it's none of systemd's business messing with it like that, IMO
17:11 < pekster> Lenheart said so, that's why!
17:13 < ayaka> matt_,  plaisthos thank you
17:13 < moviuro> ok pekster, thanks for sharing your opinion ;)
17:14 < moviuro> that's it for today folks ;) gotta go (sleep)
17:14 < pekster> Well, the help is free, but when it comes to systemd you'll probably get my opinion on it too :P
17:16 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:27 -!- triplicate [~triplicat@206.169.175.130] has quit [Ping timeout: 240 seconds]
17:40 -!- trending [~trending@adsl196-93-54-206-196.adsl196-2.iam.net.ma] has joined #openvpn
17:43 < trending> Hello, what are the minimum VPS requirements to setup OpenVPN on it (1 user only) ? Thank you
17:44 < pekster> 1 "user" -- no idea what this means. Only root? This is a weasle-word that is pretty meaningless without context, and Unix-alikes are crippled without being able to use POSIX users/groups (but by all means run "everything" as root -- as horrible as it is, it's your system, not mine)
17:45 < pekster> OpenVPN runs happily on minimal resources; I've set up installations on embedded hardware with as little as 300 MHz CPU, & 32 MB RAM
17:45 < pekster> You can't realistically do much with less, but it depends on your goals
17:45 < pekster> !goal
17:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:47 < trending> By 1 user, I mean that I'll be using it only me. I will only access the internet with it, surfing, reading, watching videos but no torrenting
17:47 < pekster> OpenVPN supports an unlimited number of users, bounded only by system resources
17:48 < trending> pekster: I thought the open source version only allows 2 users (on the same time)
17:49 < pekster> No!
17:49 < pekster> That's not OpenVPN. You're referring to:
17:49 < pekster> !as
17:49 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
17:50 < pekster> And Access Server is a commercial frontend which is most certainly not open-source, although it uses an older version of openvpn internally to do the VPN tasks; the "web management frontend" goo is subject to the EULA. OpenVPN is a GPLv2 project and you are free to connect thousands of users if you wish, all at no charge. That's the magic of open-source
17:50 < pekster> OpenVPN != Access Server
17:50 < trending> I just want to setup a VPN on my VPS for free ._.
17:51 < trending> and I'm asking what's the minimum to run it for my own usage, that's it.
17:51 < pekster> OpenVPN can do that. AS probably can too, but it's a completely different product managed/licensed by the company behind it
17:52 < pekster> Depends if you want to use non-open code in exchange for a frontend that tries to do more for you. If you're comfortable following a howto, OpenVPN comes with one (link at: !howto)
17:52 < trending> so 32Mb and 300MHz CPU is enough ?
17:52 < trending> any other requirements ?
17:52 < trending> !howto
17:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
17:52 < pekster> For a "functional VPN"? No. Now what you want to do with it matters a lot
17:52 < trending> and what are the requirements for a functional VPN ?
17:53 < pekster> supported OS, openvpn installed, tun device support, and a supported SSL library (openssl or polarssl today)
17:55 < pekster> So "all" you want is to connect securely to your VPS system? And that's it?
17:55 < pekster> (because so far that's all you've noted)
17:56 < trending> Not connect to the VPS but connect to the internet using the VPS, make it as a tunnel (I don't know if that's the right term)
17:57 < pekster> So first you need a working VPN (that's what the !howto link gives you) and once you have that, redirecting traffic over the link has information and a flowchart to guide you at: !redirect
17:57 < trending> !redirect
17:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:57 < trending> Thanks !
17:57 < pekster> Unless you have public IP space, you'll need routing, NAT, and firewall (at least that's highly recommended) support as well
18:08 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
18:15 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
18:19 -!- trending [~trending@adsl196-93-54-206-196.adsl196-2.iam.net.ma] has quit [Quit: Quitte]
18:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:59 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
19:27 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
20:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:55 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:23 -!- metabsd [~metabsd@cable-29.246.173-249.electronicbox.net] has joined #openvpn
21:23 < metabsd> !paste
21:23 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
21:24 < metabsd> !configs
21:24 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:32 < metabsd> I need help with openvpn. I setup a server to a dedicated server and now i try to connect my home router to this server. I follow guide from Debian wiki. The connection is ok but i think something is wrong with the firewall or something else .. PasteBin : http://pastebin.com/rzec2spZ
21:33 < metabsd> When i tcpdump the decicated server i see a lot of traffic on openvpn port. But nothing to tun0
21:34 < pekster> What's the goal here?
21:34 < pekster> !goal
21:34 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:34 < metabsd> I disable the firewall by Input Accept Output Accept Forward Accept
21:34 < metabsd> I want to acces the internet over my vpn
21:34 < pekster> Don't show firewall rules like that; use `iptables-save` to show rules. -L is quite inefficient
21:35 < metabsd> pekster ok i update the pastebin
21:36 < metabsd> Iptables pastbin : http://pastebin.com/tCGyWdEA
21:36 < pekster> Server config looks sane enough; there's no client config there
21:37 < metabsd> I use a router with
21:37 < metabsd> tomato firmware
21:37 < metabsd> it's graphical
21:38 < pekster> OpenVPN isn't, and you're going to find it nearly impossible to get help here without real configs
21:38 < pekster> Your firewall rules are also in need of attention; everything INPUT after line 10 is worthless because ACCEPT is a terminating target
21:38 < metabsd> Yes i know im in troubleshoot. I accept all to find why it's not working
21:39 < pekster> No clue what's going on there, but you accept anything going to your host. Your client should certainly be able to ping the server, if things are set up there
21:39 < pekster> Everything is so scrwed up about your rules. Even without line 10, line 11 makes lines 12-15 worthless. Same problem with 19/20/and 20-25
21:40 < metabsd> i generate an ovpn file for my android to test and the connection is ok but when i try to see what is my ip to make sure i use the vpn im not able to go to internet by the vpn
21:40 < pekster> !redirect
21:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:40 < metabsd> debian:/etc/openvpn# cat /proc/sys/net/ipv4/ip_forward
21:40 < metabsd> 1
21:41 < pekster> Helpful flowchart is helpful
21:42 < metabsd> if i understand iptables to nat
21:42 < metabsd> right
21:43 < pekster> The NAT is fine (though your rules are quite the mess, but work with lines 16 & 18
21:45 < pekster> The device counters shouldn't remain at 0 if you can successfully ping the VPN IP of the server
21:45 < metabsd> it's my first vpn setup ... :P
21:45 < pekster> Are you sure you didn't forget that step on the flowchart? Or did you get a reply doing that, pinging 10.65.0.1
21:46 < metabsd> no reply
21:46 < pekster> Is this network dedicated to the VPN? You have no 10.65.0.0/24 anywhere else that the client or server is connected to?
21:47 < metabsd> Dedicated server have 10.65.0.1 -- my home router have 10.65.0.5
21:47 < pekster> You can't do that
21:47 < pekster> The VPN network must be 100% independent of _ANY_ other networks you are using
21:47 < Eugene> That sounds like a net30 tun address set actually....
21:48 < metabsd> no i dont have 10.65.0.0/24 network this is the tun have this ip
21:48 < pekster> 10.65.0.5 is _on_ 10.65.0.0/24
21:48 < metabsd> server tun0 10.65.0.1 client tun0 10.65.0.5
21:48  * Eugene slaps pekster a bit with a trout
21:49 < pekster> Oh, the home router on the VPN? So the physical networks are on different ranges, right?
21:49 < metabsd> the client can't ping 10.65.0.1 ... i dont know why and i think this is the problem
21:49 < metabsd> yes
21:49 < pekster> Server firewall looks fine, albiet it barely. You can ask #Netfilter how to clean that up later. Without client configs and logs it'll be hard to tell you much
21:50 < pekster> Eugene: Yea, I suppose the PtP might take priority, but that might get goofy depending on what the router IP is. Overlapping ranges are just bad, but that's not the case here
21:50 < Eugene> And I knew that
21:50 < pekster> Also, the client won't ever have .5 in net30, though it might have .6
21:51 < Eugene> so it won't
21:51 < pekster> (Well, you could push the "opposing" set in a net30, but that's just be weird)
21:52 < metabsd> ok forget my router.
21:52 < metabsd> now i test with my android device
21:52 < pekster> Might be a firewall issue on that device since it is connected (see line 87 in your first paste.) That's the likely cause nearn as I can tell
21:52 < metabsd> i install openvpn app and make a connection succesfully but i can't go to internet by the vpn
21:53 < pekster> First things first, can you ping 10.65.0.1 from the client?
21:54 < metabsd> no
21:54 < metabsd> openvpn is connected but ping 10.65.0.1 not working
21:55 < pekster> A client config and logs (at --verb 4) would be helpful
21:56 < metabsd> i see the log on my screen now i try to find how i can export
21:57 < metabsd> something wrong in my config ... i juste see session invalidated : KeepAlive_Timeout
21:58 < metabsd> client terminated ...
21:59 < metabsd> [route] [0.0.0.0.][0.0.0.0] i think that the problem in my config
21:59 < metabsd> i cannot export the log in Android openvpn app :(
22:01 < pekster> There are 2, and you'll generally have better luck with the 'OpenVPN for Android' here:
22:01 < pekster> !android
22:01 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
22:02 < pekster> It's generally easier to get a working config on a PC, and then just import that to your phone
22:02 < pekster> It's also far easier to get logs that way
22:02 < metabsd> installing
22:05 < metabsd> ok i have the log :)
22:08 < metabsd> http://pastebin.com/ukz5yY22
22:09 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:12 < pekster> You're pushing the --redirect-gateway def1, so I don't understand where that 0/0 route on line 253 comes from
22:12 < pekster> Did you put some extra --route line in your client config?
22:13 < pekster> If you've added --redirect-gateway on your client, you want to remove that as the server is pushing it in your setup
22:13 < metabsd> 2sec i double check the ovpn
22:15 < metabsd> ovpn profile : http://pastebin.com/PMEbD05e
22:16 < pekster> Remove line 10 -- that's bogus
22:20 < metabsd> trying
22:21 -!- u0m3_ [~u0m3@92.80.101.5] has joined #openvpn
22:22 < metabsd> ok i modify the ovpn profile, delete the old one on the android .. reimport the new one. Reconnect and i cannot ping 10.65.0.1
22:22 < metabsd> i try to go to internet too and i have no internet connection when i use openvpn ..
22:23 < pekster> Until you can ping 10.65.0.1 from the client, all bets are off
22:23 < metabsd> when i check the status of the openvpn connection i see packet going but nothing comeback and the connection drop until 2-3min and retry
22:24 -!- u0m3 [~u0m3@92.80.90.192] has quit [Ping timeout: 272 seconds]
22:24 < pekster> Oh, no keepalive in the server -- that messes up stateful firewalls, generally
22:24 < pekster> Add in `keepalive 10 60` to your server config, then restart that end
22:26 < metabsd>  Bad lzo decompression headers
22:26 < metabsd> byte : 42
22:26 < metabsd> google time
22:27 < pekster> adaptive lzo is the default, although you've only included that on 1 side of your connection
22:28 < pekster> No real point in compression if you're using a phone as a client, so you could just set `comp-lzo no` on both ends
22:28 < pekster> The extra CPU spent just isn't worth it
22:29 < metabsd> the vpn drop a lot
22:29 < metabsd> a lot of reconnect ion
22:29 -!- MACscr [~Adium@50.158.183.38] has quit [Quit: Leaving.]
22:32 -!- u0m3 [~u0m3@92.80.86.136] has joined #openvpn
22:33 < metabsd> The tun0 on the server have no traffic
22:34 < metabsd> ok i flush all iptables rules
22:34 < metabsd> i only want ping 10.65.0.1 working
22:34 -!- u0m3_ [~u0m3@92.80.101.5] has quit [Ping timeout: 240 seconds]
22:36 < metabsd> it's possible that my certificate auth ?
22:39 < pekster> Not with the log you pasted earlier
22:39 < pekster> You won't even see the 'PUSH_REPLY' message if the TLS auth fails
22:41 -!- justinzane [~justinzan@24.49.207.203] has quit []
22:42 < metabsd> ping 10.65.0.1
22:42 < metabsd> work ....
22:43 < metabsd> i plan in the futur to add the openvpn to 443 tcp
22:43 < metabsd> and i also disable lzo-compression on client side
22:45 < metabsd> The problem is the compression ...
22:45 < metabsd> because it's not specify on the server side ?
22:46 < pekster> Is that what fixed it? `comp-lzo adaptive` should be teh default, but the general rule is that if you put it on either side, you should match it on the other
22:48 < metabsd> yep i add comp-lzo adaptive and reenable compression on client side and now its working
22:49 < metabsd> ok now do you have some piece of advice
22:49 < metabsd> you see my config
22:50 < pekster> Overall the VPN stuff is fine. Maybe consider using `topology subnet` to avoid the net30 sillyness, but that's mostly semantic
22:50 < pekster> You can read about topology choices at: !topology too
22:50 < metabsd> !topology
22:50 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
22:52 < metabsd> add that in my config file ? topology subnet ?
22:54 < pekster> Yea, that's actually all you need since that'll get pushed to the clients in your setup. What that does is avoids splitting networks into /30 segments and treats them more like a "traditional" LAN
22:54 < metabsd> already done and i prefer that :)
22:54 < metabsd> Server have : 10.65.0.1 and client 10.65.0.2
22:55 < metabsd> next client will have the next ip
22:55 < pekster> net30 is mostly a relic to support ancient versions of OpenVPN with Windows. No point for it these-days besides history
22:55 < metabsd> ok
22:57 < metabsd> but if i want to share my openvpn server but now share same subnet i can create multiple subnet and specify and force my friend to use that subnet ?
22:57 < metabsd> by the way sorry for my english it's not my principal language :P
22:58 -!- u0m3 [~u0m3@92.80.86.136] has quit [Ping timeout: 240 seconds]
22:58 < pekster> No worries
22:59 < pekster> Are you trying to share access to the server-network, or something else?
23:00 < metabsd> me-> internet (My subnet) :: friend -> internet(his subnet)
23:00 < metabsd> and his subnet and my subnet cannot be share
23:01 < pekster> You can route between them
23:01 < pekster> If you want to access the network behind a VPN client at your friend's location, OpenVPN can do that. You need unique address space between your network and the far side though
23:01 < pekster> So don't use 192.168.1.0/24 or other common network on your end, otherwise you will likely run into problems
23:02 < pekster> There's a flowchart for that too, once you get a basic VPN client working at the other network: !clientlan
23:05 < metabsd> !clientlan
23:05 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
23:05 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
23:07 < metabsd> pekster thank you for your help.
23:08 < pekster> Sure. It sounds like you've made some progress so far, so that's godo
23:08 < pekster> good*
23:08 < metabsd> yep
23:08 < metabsd> i understand more than before :)
23:09 < metabsd> now i have to work on my home router to create some segmentation to go by the vpn from some vlan and the other go directly to internet
23:11 < pekster> You can firewall based on the client too
23:11 < pekster> That way you can use just a single VPN and allow some "special" users to access your home network. The easiest thing is to set a static IP and do it in your firewall
23:11 < pekster> See:
23:11 < pekster> !static
23:11 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
23:13 < pekster> You also said you wanted TCP, and you will need a different VPN network for that. But you can get away withi just those 2
23:15 -!- ShadniX [dagger@p5DDFEF26.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
23:16 -!- ShadniX [dagger@p5DDFC6AF.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Jul 12 2014
00:28 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
00:35 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
00:40 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
00:41 < cesurasean> hey guys., trying to setup a windows openvpn, and getting this error; Could not find C:\Program Files (x86)\OpenVPN\easy-rsa\keys\*.old
00:41 < cesurasean> im following the guidelines on openvpn's website, but no cigar.
00:42 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
01:24 -!- mattock_afk is now known as mattock
01:49 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
01:58 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
03:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:07 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 256 seconds]
03:26 -!- Jeroen is now known as Jeroen52
04:20 -!- metabsd [~metabsd@cable-29.246.173-249.electronicbox.net] has quit [Ping timeout: 240 seconds]
04:37 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
04:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
05:46 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
06:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:19 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
06:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
06:23 -!- fred`` [fred@earthli.ng] has joined #openvpn
06:28 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
06:31 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
06:36 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
06:38 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
06:44 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
06:57 -!- spreadsheet [~spreadshe@unaffiliated/spreadsheet] has joined #openvpn
06:58 < spreadsheet> hi
06:58 < spreadsheet> what's a good openvpn port to use to bypass firewalls?
06:58 < spreadsheet> 1194 is default, so I used 1221 or similar, but I can't connect
06:58 < spreadsheet> of course the server's running fine
06:59 < spreadsheet> and this firewall, is the chinese one
07:06 -!- Netsplit *.net <-> *.split quits: _abbe`, Denial, APTX, malc0re_, Zimsky, Matir, TypoNe, NChief, Magiobiwan, Kuba,  (+79 more, use /NETSPLIT to show all of them)
07:07 -!- Netsplit over, joins: jzaw, spreadsheet, RaiNerTsuFal, ribasushi, le0, ade_b, gffa, moviuro, Eagleman, seba (+8 more)
07:07 -!- mete [~mete@91.247.253.160] has joined #openvpn
07:07 -!- Netsplit over, joins: riddle, Haigha, syzzer, troj, Latrina, Artea, Brando753, Nothing4You, haasn, thumbs (+42 more)
07:07 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
07:07 -!- Netsplit over, joins: pekster, @plaisthos, s1dev, defswork, mgorbach, gac, Cyclohexane, Lolths, NChief, kenyon (+7 more)
07:07 -!- ServerMode/#openvpn [+oo syzzer plaisthos] by morgan.freenode.net
07:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Max SendQ exceeded]
07:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
07:08 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
07:09 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
07:10 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:11 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:11 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:14 -!- vpnHelper is now known as 23LAA0UHM
07:14 -!- 23LAA0UHM is now known as vpnHelper
07:14 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
07:15 -!- pa [~pa@unaffiliated/pa] has quit [Excess Flood]
07:15 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Excess Flood]
07:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Excess Flood]
07:15 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
07:16 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:16 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
07:22 -!- Artea [~Lufia@po-217-129-154-19.netvisao.pt] has quit [Ping timeout: 240 seconds]
07:30 -!- Artea [~Lufia@po-217-129-154-19.netvisao.pt] has joined #openvpn
07:30 -!- Artea [~Lufia@po-217-129-154-19.netvisao.pt] has quit [Excess Flood]
07:43 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:44 -!- Artea [~Lufia@po-217-129-154-19.netvisao.pt] has joined #openvpn
07:44 -!- Artea [~Lufia@po-217-129-154-19.netvisao.pt] has quit [Excess Flood]
08:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
09:11 -!- u0m3 [~u0m3@92.80.86.136] has joined #openvpn
09:31 -!- runvnc [~runvnc@68.6.214.173] has joined #openvpn
09:32 < runvnc> !logs
09:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:32 < runvnc> !logfile
09:32 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
09:34 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 240 seconds]
09:39 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
09:45 <@krzee> spreadsheet,
09:45 <@krzee> !obfs
09:45 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
09:45 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
09:55 < runvnc> ls
09:55 < runvnc> lol sorry
09:58 < runvnc>       
09:59 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
09:59 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:00 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:02 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:10 < runvnc> Client conf = http://sprunge.us/Sibg  client log = http://sprunge.us/MUIJ server log=http://sprunge.us/NTCh after starting client, server hangs
10:10 < runvnc> I think my VPS is completely frozen, not 100% sure.  But I know my ssh dies and I can't ping it
10:11 < runvnc> so I tried a bunch of stuff that came up on google related to like MTU and fragment commands
10:12 < runvnc> different variations of those mssfix and fragment (on client and server)
10:12 < runvnc> I mean my ssh session appears frozen
10:12 < runvnc> I just have to do a power cycle through the digital ocean control panel in order to get back into the vps
10:13 < runvnc> If anyone has any ideas at all let me know. thanks
10:14 < runvnc> uh oh, I said 'server hangs' I meant that the VPS that my openvpn CLIENT is running on seems to hang. the server has continued to work great and I can connect to it fine from my home laptop
10:22 <@krzee> ok so without even looking i can tell you
10:22 <@krzee> well not tell, but i can guess
10:22 <@krzee> you're trying to redirect the client's internet over the vpn
10:22 <@krzee> but then you cannot reach the client on its normal IP
10:23 <@krzee> !factoids search route
10:23 <@vpnHelper> 'winroute', 'iroute', 'router', 'dlink_static_route', 'external_routes', 'route_override', 'splitroute', 'route_outside_openvpn', 'route_outside_ovpn', 'routebyapp', 'route', 'ppp_defaultroute', and 'route-nopull'
10:23 <@krzee> !splitroute
10:23 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:23 <@krzee> see #1
10:23 <@krzee> it is policy routing
10:25 < runvnc> ok great thanks I will read all of that
10:25 <@krzee> basically you just need a second routing table :)
10:25 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
10:26 <@krzee> then you set policy routing rule so traffic from your ip goes out the other routing table (the one that doesnt change when hitting the inet)
10:26 < runvnc> ok so just to check, is it possible my client config is not really correct for what I am trying to do? I want things to work normally on my vps, but also be able to connect to it with the vpn from other vpses
10:26 <@krzee> post #1 is his question, post #2 is his solution
10:27 < runvnc> so that scenario, I need another routing table like you are explaining right
10:27 <@krzee> do you want all internet traffic initiated by this vpn client to route over the vpn server?
10:27 < runvnc> krzee no way
10:27 <@krzee> but still allow it to serve things to the internet using its normal ip?
10:28 < runvnc> I just want to be able to connect to a certain port over the vpn, for a specific application to talk privately from a different vps
10:28 <@krzee> well none of your links worked for me
10:28 <@krzee> so show me your configs
10:28 <@krzee> quick cause i gotta go
10:28 <@krzee> !configs
10:28 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:29 < runvnc>  http://pastebin.com/tSTU1Ppx
10:30 < runvnc> that is client conf
10:30 <@krzee> !learn pfsense as http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:30 <@vpnHelper> Joo got it.
10:30 <@krzee> and server config
10:30 <@krzee> and with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`
10:31 <@krzee> im not digging through your hundreds of lines of comments to find 10 lines of config
10:33 < runvnc> http://pastebin.com/3WPsAjzU
10:33 < runvnc> that is client conf
10:34 < runvnc> http://pastebin.com/dJgzBtr6
10:34 < runvnc> server config
10:35 < runvnc> so what you were saying about needing a second routing table only applies if I were trying to send all outgoing traffic from the client machine through the server? (which I am not trying to do)
10:43 -!- tomreyn [~tomreyn@megaglest/team/tomreyn] has joined #openvpn
10:43 < tomreyn> in case anyone can tell OTOH: how, if at all, can you instruct the official openvpn client to ignore the expiry time of a server certificate?
10:43 < runvnc> http://paste.ubuntu.com/7785220/
10:44 < runvnc> that is the client log
10:46 < runvnc> googling doesn't come up with an ignore but it does mention something obvious which is setting a far future expiry
10:46 < runvnc> can you do that
10:53 -!- elfixit [~Icedove@77.58.251.72] has joined #openvpn
10:55 < runvnc> This guy seems to be talking about the same problem as me http://serverfault.com/questions/488893/how-do-i-prevent-tcp-connection-freezes-over-an-openvpn-network
10:55 <@vpnHelper> Title: vpn - How do I prevent TCP connection freezes over an OpenVPN network? - Server Fault (at serverfault.com)
10:56 < runvnc> I have been having a slightly similar issue with ssh seeming to be 'stuck' so I couldnt reconnect, on Ubuntu also
10:56 < runvnc> although that one is probably a bug in ssh related to the ControlPersist option. I guess
11:01 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
11:05 -!- runvnc [~runvnc@68.6.214.173] has quit [Quit: WeeChat 0.4.1]
11:16 -!- metabsd [~metabsd@cable-29.246.173-249.electronicbox.net] has joined #openvpn
11:16 < pekster> tomreyn: You can't do that; the certificate has expired and is no longer valid. It's like when food goes bad, you can't "un-spoil" it, and OpenVPN won't let you
11:17 < pekster> Just re-issue the cert for a longer validity time
11:17 < pekster> If your CA still has the CSR handy, you can keep the same client-side private key if you'd prefer
11:20 -!- elfixit [~Icedove@77.58.251.72] has quit [Quit: elfixit]
11:26 -!- Argat [~Argat@adsl-98-48.du.nwc.is] has joined #openvpn
11:31 -!- runvnc [~runvnc@ip68-6-214-173.sd.sd.cox.net] has joined #openvpn
11:31 < runvnc> Thank you for your help krzee
11:31 < runvnc> I think I just figured out my problem. based on what you were saying
11:31 < runvnc> I do have redirect-gateway in my server config.  I am hoping I can just take that out
11:32 < runvnc> going to try it
11:35 < runvnc> well my internet didnt go away this time :)
11:38 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:45 -!- runvnc [~runvnc@ip68-6-214-173.sd.sd.cox.net] has quit [Quit: WeeChat 0.4.1]
12:05 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
12:29 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 245 seconds]
12:29 < tomreyn> pekster: thanks. i worked around it by changing the client's clock.
12:29 < pekster> :(
12:29 < tomreyn> sometimes cryptographically improper solutions are the better ones overall
12:29 < pekster> Why on earth not just re-issue the cert? That solution is so wrong
12:30 < tomreyn> note how i did not say "solution"
12:30 < tomreyn> well, not the first time
12:31 < pekster> And it's on the client? Just fix your server-cert. Without --persist-key it might not even require a restart (though I'm not sure about that)
12:31 < tomreyn> re-issuing the certificate requires access to the PKI in the first place
12:31  * pekster gives up
12:31 < pekster> Not really interested in helping if you've "lost" your PKI
12:32 < tomreyn> not lost, just lost access to it
12:32 < tomreyn> and reestablished by a temporary workaround
12:33 < pekster> Set expiration dates far into the future if that's the MO you're planning to use in the future
12:33 < tomreyn> yes that's how it should have been done in the first place
12:35 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
13:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:18 -!- mode/#openvpn [+v s7r] by ChanServ
13:24 -!- Envil [~meep@95.211.26.40] has joined #openvpn
13:40 < pekster> !hardening
13:40 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
14:01 < pekster> !mitm
14:01 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
14:22 -!- u0m3 [~u0m3@92.80.86.136] has quit [Ping timeout: 240 seconds]
14:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
14:27 -!- Ecaz [~Ecaz@unaffiliated/ecaz] has joined #openvpn
14:28 < Ecaz> !welcome
14:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
14:28 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:29 < Ecaz> !howto
14:29 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:31 < Ecaz> Hello! I am having trouble locating the TUN driver in the 3.15.4 kernel, so when configuring openvpn I get the following error: ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2) ... Can anyone direct me to the correct module / buildin for the kernel, because clearly I can't find it myself.
14:40 -!- Ecaz [~Ecaz@unaffiliated/ecaz] has quit [Remote host closed the connection]
14:43 -!- Ecaz [~Ecaz@unaffiliated/ecaz] has joined #openvpn
14:46 -!- metabsd [~metabsd@cable-29.246.173-249.electronicbox.net] has quit [Ping timeout: 260 seconds]
14:47 < pekster> Ecaz: Need kernel support for CONFIG_TUN
14:47 < pekster> Without which openvpn (or any other application requriing tun/tap support) won't do much useful
14:47 < pekster> Maybe you didn't build it, or forgot to load the module?
14:51 -!- Ecaz [~Ecaz@unaffiliated/ecaz] has quit [Ping timeout: 240 seconds]
14:52 -!- Ecaz [~Ecaz@unaffiliated/ecaz] has joined #openvpn
14:53 < Ecaz> pekster, correct, i was unable to locate the driver because I was looking in the wrong place
14:55 -!- Ecaz [~Ecaz@unaffiliated/ecaz] has quit [Client Quit]
15:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
15:16 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
15:19 -!- Saturn2888 [~Saturn288@67.48.26.144] has joined #openvpn
15:19 < Saturn2888> !static
15:19 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
15:25 -!- Saturn2888 [~Saturn288@67.48.26.144] has left #openvpn ["PRIVMSG #openwrt :i'll just leave it random"]
15:28 -!- Saturn2888 [~Saturn288@67.48.26.144] has joined #openvpn
15:28 < Saturn2888> !serverlan
15:28 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:28 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:29 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
15:29 -!- Saturn2888 [~Saturn288@67.48.26.144] has left #openvpn ["ISON TeruFSX"]
15:29 < cesurasean> anyone setup openvpn on an asus router before here?
15:30 < cesurasean> its hard for me to debug this thing, as it's not giving any error mesages in the logs, but won't connect.
15:30 < pekster> cesurasean: I've done openvpn+openwrt on asus
15:30 < pekster> No clue about stock firmwares though
15:30 < cesurasean> im talking about using the asus firmware.
15:30 < pekster> If you don't get proper config files or logs, there's likely not much we can do for you here
15:30 < pekster> See: !configs or !logfile for clues where to find those
15:31 < cesurasean> ive looked at the log files on the client, and nothing is showing.
15:34 < cesurasean> this is what happens when i try to connect the server to itself - http://pastebin.com/EmxvzuMb
15:34 < pekster> You never get "nothing" in logs
15:34 < pekster> lines 11-13, the peer reset the connection (it didn't like you for some reason.)
15:35 < pekster> Line 31 is because there are no unused vpn adapaters avialble
15:35 < cesurasean> all it says on the asus is "Jul 12 14:31:29 rc_service: waitting "restart_vpncall" via httpd ..."
15:35 < pekster> Either you're running a 2nd VPN and it "already has consumed" the device, or you don't have any device ready to use
15:35 < cesurasean> when connecting the server to itself?
15:35 < pekster> That line from the asus has nothing to do with openvpn
15:36 < pekster> At least not the openvpn program (presumably "vpn" is related, but its their product)
15:36 < pekster> So nevermind that line 11-13, you did eventually get connected
15:36 < pekster> The issue on the client is that line 31 -- you don't seem to have any unused TAP-Win32 adapters
15:37 < pekster> It's "currently in use"
15:39 < cesurasean> how do i add another tap device for the client to use?
15:39 < cesurasean> i want to connect the server to itself to test this first.
15:39 < cesurasean> not sure if udp port 1194 is open on 199.127.130.156 either.
15:40 < pekster> That's in the start menu under TAP-Win32
15:40 < pekster> You can add as many devices as you need
15:40 < pekster> (that's required if you run >1 VPN at the same time)
15:40 < pekster> You'll need --nobind on the client (which is a good idea anyway)
15:41 < pekster> On top of that, you won't properly be able to test routing
15:41 < pekster> For any proper test you really need an external client (run it in a VM if you'd like)
15:43 < cesurasean> ok im getting connection reset by peer.
15:43 < cesurasean> when i added another tap.
15:43 < cesurasean> and try to connect to the server itself.
15:43 < pekster> You probably can't use your external IP like that
15:43 < pekster> Unless that IP is "really" on that system
15:44 < cesurasean> why is the asus remote router not giving much more in the logs about openvpn?
15:44 < pekster> Because it's a crappy product
15:44 < pekster> !logfile
15:44 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
15:44 < pekster> OpenVPN is quite talkative in its logs. If some vendor hides that helpful output, that's their bad desgin
15:45 < pekster> You might see if you can put OpenWRT on your hardware -- openwrt is much more "hacker-friendly"
15:45 < cesurasean> ok i got the client to connect now.
15:46 < pekster> I like some of the asus hardawre for openvpn, just not on the Asus OS ;)
15:46 < pekster> I've recently had good luck with the Netgear WNDR3800
15:46 < cesurasean> ive already set one of these up, so i know it works.
15:47 < cesurasean> same router and all.
15:47 < pekster> Those are solid units
15:47 < cesurasean> how do i get the asus to verbose its log output about openvpn?
15:47 < pekster> No clue. OpenVPN has the --verb option
15:47 < pekster> We recommend --verb 4 for some talkative logs, or --verb 5 (only if you're debugging firewall/connection problems)
15:48 < pekster> --verb 3 is a less-verbose setting fine for daily use if 4 is too much. Now what the asus "does" with logging is up to it
15:48 < pekster> Read the !logfile output above to learn where logs can go
15:51 < cesurasean> i tried with the openvpn client, and it stops at this; Sat Jul 12 13:50:50 2014 MANAGEMENT: >STATE:1405198250,WAIT,,,
15:52 < pekster> Give it up to 90 seconds -- the default time for TLS negotiation failures is 60s
15:52 < cesurasean> it fails.
15:52 < cesurasean> and retries and over and over.
15:52 < cesurasean> same error message.
15:52 < pekster> Right, after tls-timeout it'll try again
15:52 < cesurasean> http://pastebin.com/E5R5BxBm
15:52 < pekster> So you're not even connecting to your host. Did you use your actual IP on the server, not the external IP?
15:52 -!- indy [~indy@84.242.65.172] has joined #openvpn
15:52 < cesurasean> yes.
15:53 < pekster> So that server actually has that 199.127.130.156 IP, not a private-IP?
15:53 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
15:55 -!- u0m3 [~u0m3@92.80.121.178] has joined #openvpn
15:55 < pekster> If so, you probably have a firewall problem, although without logs on the server it's hard to say
15:55 < pekster> If not, use the correct remote IP for the connection you're making
15:56 < pekster> It might be a firewall config on the asus thing too -- you might try the LAN IP instead
15:56 < pekster> Not much I can do to recommend on that since it's apparently a very limited device
15:57 < cesurasean> the asus is still not connecting, and not much in the logs.
15:57 < cesurasean> i got the client to connect fine.
15:57 < cesurasean> was a firewall issue.
15:57 < pekster> You're using the asus as a client?
15:57 < cesurasean> how do i make this asus connect?
15:57 < cesurasean> yes
15:58 < cesurasean> and i used the software client without the asus.
15:58 < cesurasean> it connected fine.
15:58 < pekster> You figure out why it's broken, but without logs that becomes quite a challenge
15:58 < cesurasean> the asus on the other hand isn't giving much info about an errors.
15:58 < pekster> See if you can dig up a way to get proper logs, maybe a logs, or status, or diagnostics, or whatever section
15:58 < cesurasean> im in the logs section.
15:58 < cesurasean> i shown you the logs already.
15:58 < pekster> Until you have that, there's basically nothing #openvpn can do to even guess at the problem
15:59 < cesurasean> how can i force a client to verbose logs better?
15:59 < pekster> You could check the server logs for hints, but that will only get you so far
15:59 < pekster> !verb
15:59 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage. or (#3) Anything more than 5 is for developer debugging only
15:59 < pekster> Level 5 is probably what you want until you confirm a good connection, then back off to level 4
15:59 < cesurasean> Need IPv6 code in mroute_extract_addr_from_packet
16:00 < cesurasean> is what the server is saying.
16:01 < pekster> I see no such error string in the sources; is this OpenVPN? Not "Access Server" ?
16:02 < cesurasean> this is the access server saying this.
16:02 < pekster> !as
16:02 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
16:02 < pekster> AS is a product sold/supported by the company that maintains it. OpenVPN is a different codebase
16:02 < cesurasean> maybe its not access server then.
16:02 < cesurasean> my bad.
16:03 < pekster> This said, your Asus unit is probably some flavour of openvpn
16:03 < cesurasean> how do you suggest i turn on better logs for the asus? not sure i understand that yet.
16:03 < pekster> No clue
16:03 < cesurasean> perhaps if i can verbose the logs a bit, it will spit something out.
16:39 < cesurasean> pekster, any idea how to get this asus to talk?
16:39 < cesurasean> no matter what i try, it doesnt show any logs, and acts like it cant connect!
16:41 < cesurasean> it just acts like its restarting openvpn, but doesnt print anything at all.
16:42 < cesurasean> says rc_service: skip the event: restart_vpncall.
16:42 < pekster> Pretty sure if you ask me a 4th and 5th time my answer wont' change
16:43 < cesurasean> lol
16:49 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
16:50 < cesurasean> pekster, a hard reboot of the router fixed it!
16:50 < cesurasean> i am connected now via the asus.
16:50 < cesurasean> but, now i can't surf the internet. nothing loads.
16:52 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:58 < cesurasean> nevermind.
16:59 < cesurasean> i found a page i followed last time. since its windows, routing and access and such have to be enabled.
17:07 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
17:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:23 -!- tomreyn [~tomreyn@megaglest/team/tomreyn] has left #openvpn []
17:27 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
17:27 < cesurasean> ok, i can ping 8.8.8.8 from my windows client onto a windows openvpn, but cannot ping google.com.
17:27 < cesurasean> what's my issue?
17:30 < Zimsky> (tempted to say windows is your issue)
17:30 < Zimsky> :p
17:31 < cesurasean> nah
17:32 < cesurasean> ive got one of these working before. there just is poor documentation on it.
17:35 < cesurasean> http://pastebin.com/p6fynVLw
17:35 < cesurasean> what could my issue be?
17:36 < cesurasean> it was working for a minute, then it stopped working!
17:38 -!- u0m3_ [~u0m3@92.80.95.140] has joined #openvpn
17:40 -!- u0m3 [~u0m3@92.80.121.178] has quit [Ping timeout: 240 seconds]
17:40 -!- u0m3_ is now known as u0m3
17:54 -!- u0m3_ [~u0m3@92.80.102.105] has joined #openvpn
17:55 -!- u0m3 [~u0m3@92.80.95.140] has quit [Ping timeout: 240 seconds]
18:10 -!- mattock is now known as mattock_afk
18:14 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
18:19 -!- u0m3_ is now known as u0m3
18:19 -!- TheScorp [~noyou@37.81-166-92.customer.lyse.net] has left #openvpn []
18:33 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
19:35 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
19:39 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:40 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:52 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
19:53 < cesurasean> anyone here know windows openvpn?
20:13 < Poster> some, ask your question
20:13 < cesurasean> ok now i got it working with a software client and the server.
20:14 < cesurasean> now the asus is having dns problems, but the windows machine ( client ) does not have those issues.
20:14 < cesurasean> is that possible?
20:15 < pekster> !pushdns
20:15 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
20:22 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:28 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
20:37 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
20:37 < cesurasean> how do i enable --duplicate-cn on the server?
20:37 < pekster> You put the line `--duplicate-cn` in the config file on the server
20:38 < cesurasean> thank you!
20:38 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
20:40 -!- u0m3_ [~u0m3@92.80.102.105] has joined #openvpn
20:41 < pekster> o.O
20:42 -!- u0m3 [~u0m3@92.80.102.105] has quit [Ping timeout: 240 seconds]
20:44 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:15 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Quit: n]
21:16 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
21:16 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Excess Flood]
21:17 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
21:20 -!- Rymax99 [~Ryan@s2.rymax99.com] has left #openvpn []
22:41 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:59 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:13 -!- ShadniX [dagger@p5DDFC6AF.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
23:14 -!- ShadniX [dagger@p5481C494.dip0.t-ipconnect.de] has joined #openvpn
23:30 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:31 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Write error: Broken pipe]
23:33 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Excess Flood]
23:34 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:34 -!- mode/#openvpn [+v hazardous] by ChanServ
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 256 seconds]
23:46 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Excess Flood]
23:47 -!- soapee01 [~soapee01@65.36.104.170] has joined #openvpn
23:58 -!- milligan [~milligan@voyage.vhost.usr.no] has quit [Read error: No route to host]
23:58 -!- milligan [~milligan@2001:16d8:ee92:9afa:47d0:3070:4883:d95e] has joined #openvpn
--- Day changed Sun Jul 13 2014
00:33 -!- runvnc [~runvnc@ip68-6-214-173.sd.sd.cox.net] has joined #openvpn
00:34 < runvnc> Hello, I am using the server config option which allows me to add clients easily. Problem is when I try to ping from one client to the other, the ping times seem to indicate that the traffic is going through the server
00:35 < runvnc> Is this normal? Is there a way I can get the convenience of this server thing, i.e. not have to list all of the IP addresses in every client config, but have the clients actually talk directly to eachother without going through the server
00:39 < Poster> make sure you're using the client-to-client option
00:40 < runvnc> yes I have client-to-client on
00:41 < Poster> ok and you want the clients to ping eachother directly, not both sending the traffic across the VPN link?
00:41 < runvnc> yes
00:41 < runvnc> I used the IP addresses on the subnet
00:41 < runvnc> 10.8.0.whatever
00:42 < runvnc> and both clients are physically located nearby
00:42 < Poster> you'd have to have the clients to connect eachother directly
00:42 < Poster> by another link
00:43 < runvnc> ok
00:44 < runvnc> is it possible for this direct alternate link to be on the private encrypted subnet
00:44 < Poster> well yeah it would be a second VPN link between the two
00:45 < runvnc> is it possible to use the server to automatically establish these links between clients so they can talk directly without relaying traffic through the server
00:45 < Poster> not that I'm aware of, there'd be a lot of variables to cope with
00:46 < Poster> exchanging public IP addresses, trying to figure out if each side was behind NAT or a firewall of some type, figuring out which port and protocol to use, what IP addressing to use on this new network, etc
00:46 < Poster> how many client systems are you working with?
00:47 < runvnc> I am building a platform, the vpn is one core part of it, the platform configures the vpn automatically
00:47 < runvnc> it is designed to make scaling easy
00:47 < runvnc> server and container deployment is automated through apis
00:48 < runvnc> originally I was just going to say, if you want a vpn, hamachi is pre-installed. tada
00:49 < runvnc> but I have found that hamachi randomly reverts to a relayed configuration
00:49 < Poster> there's a reason for that
00:49 < runvnc> usually stays connected directly, at some time for some unknown reason connections become relayed.. rather inneficiently
00:49 < Poster> how do you expect to cope with two VPN clients, one at an airport the other at a coffee shop and neither side can accept inbound connections?
00:50 < runvnc> the client server configuration where all data goes through the server
00:50 < runvnc> will handle that
00:50 < Poster> yeah, the "relayed" as hamachi describes it
00:50 < runvnc> I was hoping somehow if both clients could talk over the internet directly through port 1194 or whatever
00:50 < runvnc> then it could do that instead in those times
00:51 < Poster> well that whole inbound connection thing is a show stopper
00:51 < runvnc> which you can do right if you speciy the ip addresses manually in the client confs?
00:51 < Poster> generally no, most public wifi is behind a basic NAT device which will block all inbound connections
00:51 < runvnc> I mean say I didnt need a server
00:51 < runvnc> say this was only for the internet VPSs to talk to eachother
00:52 < runvnc> and they all are directly on the internet and have that port open
00:52 < Poster> VPS to VPS would work assuming you're able to accept connections
00:52 < runvnc> I could have them talk directly, but I would need to specify all of the public ip addresses manually inside of each client's conf?
00:52 < Poster> yes or use DNS based resolution
00:53 < runvnc> in that case do I still have an open vpn server, or is it just client to client
00:53 < Poster> the only thing that distinguishes is who listens and who connects, you can do whatever mix you want
00:54 < Poster> Server A can be a client to Server B, but Server B can be a client to Server C
00:55 < Poster> and Server B can be a client to Server A
00:55 < Poster> you just have to work out who initiates the connection
00:56 < Poster> sometimes referred to as a "star" topology
00:56 < Poster> A -> B, B -> C, C -> A
00:56 < Poster> or some combination thereof
00:56 < runvnc> well, regardless of who initiates or receives the connection
00:56 < runvnc> I would like all clients to be able to talk directly rather than being relayed
00:56 < runvnc> is that possible
00:57 < Poster> as long as no more than one of the systems can accept inbound connections, yes
00:57 < Poster> sorry
00:57 < Poster> as long as no more than one of the systems CANNOT accept inbound connections, yes
00:58 < runvnc> they can all accept inbound connections
00:58 < Poster> then you're good to go
00:58 < runvnc> I appreciate your help a lot
00:58 < runvnc> in order for me to go though
00:58 < runvnc> I need another hint as to what to put in my config files
00:58 < runvnc> so will I be using the "server" config, or the "remote" config
00:58 < runvnc> or neither
00:58 < Poster> it's nothing too fancy, you can adapt the standard configurations, just keep the port numbers separated
00:59 < Poster> server for the listener, remote for the one initiating the connection
00:59 < runvnc> well, can I have one server, or do I need all of the VPSs to like alternate for some reason between being client and server
01:00 < Poster> no just pick one
01:00 < runvnc> ok so I have this configuration
01:00 < runvnc> the problem that I saw was it seemed to be relaying my ping traffic
01:00 < Poster> ex; Instance 1: ServerA -> ServerB:1194, Instance 2: ServerB -> ServerC:1194, Instance 3: ServerC -> ServerA:1194
01:00 < runvnc> how can I prevent the clients data from being relayed over the server
01:00 < Poster> you'll need unique addressing if you want to go direct
01:01 < Poster> so ServerA -> ServerB use 192.168.10.x, ServerB -> ServerC use 192.168.11.x, ServerC -> ServerA use 192.168.12.x
01:01 < Poster> or something
01:01 < Poster> when you want to go A -> B, use 192.168.10.x
01:01 < Poster> when you want to go A -> C, use 192.168.12.x
01:04 < runvnc> so I guess that determines what goes in the ifconfig lines
01:05 < Poster> yep
01:05 < Poster> you can use anything, RFC1918 recommended, just keep them unique
01:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:54 -!- mattock_afk is now known as mattock
02:58 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:58 -!- mode/#openvpn [+v s7r] by ChanServ
03:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
03:21 < runvnc> tinc has automatic full mesh routing, I think that is going to be vastly simpler
03:21 < SushiDude> When I enable mlock in my server configuration, none of my clients can connect. Why is this? Here is my configuration (without the mlock): http://pastebin.com/20175Xwy
03:35 < SushiDude> Never mind, I think it is because the nobody user has an mlock limit set.
03:47 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:47 -!- mode/#openvpn [+v s7r] by ChanServ
04:12 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
04:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
04:21 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:12 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
05:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:35 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
05:38 -!- Netsplit *.net <-> *.split quits: Chex
05:40 -!- Netsplit over, joins: Chex
06:04 < Chais> there should be a different client key for each client, right?
06:05 < Chais> so reasonably I'd create it on the client, not on the server
06:59 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has left #openvpn ["Konversation terminated!"]
07:15 -!- sl01 [~sl01@li431-44.members.linode.com] has joined #openvpn
07:18 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
07:19 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:21 -!- Latrina [~Latrina@ppp-118-20.26-151.libero.it] has quit [Ping timeout: 240 seconds]
07:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:05 -!- spreadsheet [~spreadshe@unaffiliated/spreadsheet] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
08:13 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 240 seconds]
08:14 -!- s1dev [~s1dev@199.241.28.135] has quit [Ping timeout: 240 seconds]
08:14 -!- s1dev [~s1dev@199.241.28.135] has joined #openvpn
08:16 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:18 <@syzzer> Chais: yep, each client should have a unique key
08:19 <@syzzer> generating the keys on the client is fine
08:19 <@syzzer> (assuming we're talking about RSA keys)
08:19 < Chais> I am
08:22 < Chais> the pkc12 file should contain all necessary certs and key, right?
08:22 <@syzzer> yes, the privkey, cert and ca-chain
08:23 -!- Latrina [~Latrina@ppp-226-35.26-151.libero.it] has joined #openvpn
08:23 <@syzzer> only tls-auth not, as that is a openvpn-specific symmetric-cipher extra
08:25 <@syzzer> btw, pkcs#12 is just a container, so what's in there depends on what you put in there :)
08:30 < Chais> k.. then the networkmanager openvpn plugin behaves weirdly. when I give it the p12 (created with build-key-pkcs12) it starts to use up quite some cpu and cycles the file through the 3 slots
08:30 < Chais> can I unpack it somehow?
08:33 < Chais> nvm. got it
08:33 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:36 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
08:40 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:41 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
08:44 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
08:45 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:50 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
08:54 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
08:54 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:54 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
08:58 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:11 -!- Latrina [~Latrina@ppp-226-35.26-151.libero.it] has quit [Ping timeout: 260 seconds]
09:13 -!- Latrina [~Latrina@ppp-108-47.26-151.libero.it] has joined #openvpn
09:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
09:17 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
09:17 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
09:22 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
09:22 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
09:27 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
09:27 -!- mode/#openvpn [+v s7r_m] by ChanServ
09:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
09:32 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
09:32 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
09:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
09:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:07 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
10:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:11 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
10:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Client Quit]
10:28 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:47 -!- s7r_m is now known as s7r
11:25 -!- u0m3_ [~u0m3@92.80.102.105] has quit [Read error: Connection reset by peer]
11:29 -!- u0m3 [~u0m3@92.80.89.211] has joined #openvpn
12:43 -!- runvnc [~runvnc@ip68-6-214-173.sd.sd.cox.net] has quit [Quit: WeeChat 0.4.1]
12:56 -!- negativerfahrung [~nubnubnub@lpzg-4d0585c3.pool.mediaways.net] has joined #openvpn
12:56 < negativerfahrung> !welcome
12:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:56 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:59 < negativerfahrung> !sample
12:59 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:03 < sl01> how far away is 2.4
13:03 < sl01> and/or where is it being worked on ?
13:06 < pekster> sl01: code at git master: https://github.com/OpenVPN/openvpn . See also the openvpn-devel mailing lists and #openvpn-devel for active development history or contributions
13:06 <@vpnHelper> Title: OpenVPN/openvpn · GitHub (at github.com)
13:07 < pekster> There's some contributing/style info on the community wiki too if you want some general background on the code comitting & review process
13:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:19 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
13:19 < sl01> pekster: thanks
13:20 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:20 -!- mode/#openvpn [+v s7r] by ChanServ
13:39 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
13:44 <+s7r> can i have 2 logis with the same user certs from different places?
13:44 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
13:45 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
13:51 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
13:53 < pekster> s7r: See:
13:53 < pekster> !dupe
13:53 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
13:57 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:03 < SupaYoshi> Hi!
14:04 < SupaYoshi> I have problems redirecting all my traffic through my openvpn tunnel.
14:05 < SupaYoshi> I need to add a route for my vpn.
14:05 < SupaYoshi> <varunendra> SupaYoshi, "route add net 10.15.1.0 tun0" ... then the "gw" command. Be aware that my knowledge about VPN tunnels is zero, just suggesting on the basis of my fundamental knowledge about routing table.
14:06 < SupaYoshi> can i do that safely?
14:09 < SupaYoshi> 10.15.1.0 = my lan network, 10.15.1.1 = my gateway on my network.
14:09 < SupaYoshi> But I was afraid this would maybe break things?
14:23 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
14:25 < SupaYoshi> http://paste.ubuntu.com/7790525/
14:34 < SupaYoshi> im trying to route my traffic over my vpn,.
14:35 < SupaYoshi> it works for a little, then stops.
14:35 < SupaYoshi> everything else works though.
14:35 < SupaYoshi> My gateway lan = 10.15.1.1, lan subnet = 10.15.1.0 and theres probally something wrong in my server.conf.
14:35 < SupaYoshi> :/
14:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:38 < SupaYoshi> http://paste.ubuntu.com/7790556/ = config.
14:40 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
14:40 < cesurasean> does anyone have a solution to dns, or traffic leaking over a vpn when the openvpn server disconnects?
14:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
15:05 -!- Latrina [~Latrina@ppp-108-47.26-151.libero.it] has quit [Ping timeout: 240 seconds]
15:06 -!- Latrina [~Latrina@151.26.47.74] has joined #openvpn
15:11 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
15:47 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: reboot]
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:59 -!- mattock is now known as mattock_afk
17:02 < SupaYoshi> anyone here that can solve my issue?
17:21 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
17:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:46 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
17:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:02 -!- c00w [c00w@2600:3c03::f03c:91ff:fe6e:e88b] has quit [Quit: I left the oven on]
18:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:06 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
19:08 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:37 <@krzee> cesurasean, easy? firewall.
19:38 <@krzee> SupaYoshi,
19:38 <@krzee> !redirect
19:38 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:38 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:10 -!- negativerfahrung [~nubnubnub@lpzg-4d0585c3.pool.mediaways.net] has quit [Ping timeout: 260 seconds]
20:16 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
20:16 < grendal_prime> hey guys.
20:17 < grendal_prime> i got this issue with a client, they have a pretty flaky internet connection it goes up and down a few times a day, (ATNT) anyway after awile all of clients just sort of bomb out and stop trying to connect.
20:18 < grendal_prime> these are linux desktops, and one server hosting kvm guests.
20:19 < grendal_prime> i usually have them reboot one of the desktops then ssh in via the vpn, then ssh to the other machines in the building and restart the vpn clients
20:19 < grendal_prime> kinda a pain
20:20 <@krzee> got relevant logs?
20:22 <@krzee> also it sounds like you're connecting to the same vpn from multiple clients in the same building, is that right?
20:48 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
20:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
21:09 -!- justinzane [~justinzan@24.49.207.203] has quit [Ping timeout: 240 seconds]
21:24 -!- micah [~micah@debian/developer/micah] has joined #openvpn
21:25 < micah> when I run openvpn with --verb 3, i see that it is issuing the /sbin/ip commands I expect it to, but one of them doesn't get added to my routing table
21:25 < micah> if I do it manually afterwards, it gets added fine
21:34 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
22:05 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:55 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
23:11 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:11 -!- ShadniX [dagger@p5481C494.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
23:13 -!- ShadniX [dagger@p5481C530.dip0.t-ipconnect.de] has joined #openvpn
23:54 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
--- Day changed Mon Jul 14 2014
00:41 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
00:49 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
01:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
01:36 <@krzee> micah, show me
01:36 <@krzee> but verb 4 please
01:42 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:55 -!- mattock_afk is now known as mattock
02:15 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Quit: Doh!]
02:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:30 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
02:36 -!- starlays [~starlays@unaffiliated/starlays] has joined #openvpn
02:47 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:02 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
03:03 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:35 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 260 seconds]
04:04 -!- Kerbe [kerberos@gladiolus.fi] has quit [Ping timeout: 260 seconds]
04:07 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
04:29 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
04:29 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
04:30 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 260 seconds]
04:31 -!- nyx_o [~nyx@cav33-1-78-231-214-8.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
04:32 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
04:33 -!- Champi [Champi@rootshell.fr] has joined #openvpn
04:34 -!- doebi [~doebi@doebi.at] has joined #openvpn
04:41 < vinky> I need some tips on speeding up a vpn-tunnel over udp. client Windows7/WServer2008, server RHEL5. iperf outside the tunnel shows 3Mbit/s with default settings (last week I got 100), 400-700Mbit/s when setting window size to 8M. Inside the tunnel I get  110 vs 180 Mbit/s. I have tried messing with fragment, mssfix and tun-mtu but I can't seem to make it better. any tips?
05:28 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
05:29 -!- dazo_afk is now known as dazo
05:31 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 240 seconds]
05:55 < vinky> hm, looks like I'm maxing one core
06:03 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
06:08 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
06:16 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
06:24 <@dazo> !gigabit
06:24 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
06:25 <@dazo> vinky: ^^^ that's a good resource
06:39 < vinky> dazo: that's the one I got the tips on the parameters I mentioned
06:40 < vinky> :-)
06:40 <@dazo> ahh, right
07:01 < vinky> Openvpn seems to maxing out a core on the client though, so thats probably part of the reason
07:06 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 260 seconds]
07:07 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:07 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
07:08 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
07:09 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:12 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:12 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
07:15 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
07:18 < vinky> quite annoying when I know the server can handle more
07:19 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:24 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:39 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
07:44 <@dazo> vinky: yeah, openvpn is single threaded ... so I understand that annoyance ... but by using f.ex. blowfish, you might be able to squeeze more out of it ... or use --engine aesni (if you use AES and have CPU support for the aes-ni instruction set)
07:45 <@dazo> blowfish is strictly bound to the CPU clock .... while the AES-NI is a hardware accelerator
07:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
07:49 < vinky> the server is only using 40% of a core, with blowfish or none
07:59 < vinky> and the client Im testing with now is virtualized so thats probably not making it better
08:00 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:04 -!- elfixit1 [~Icedove@2a02:168:2000:0:3e97:eff:fe7f:f3ad] has joined #openvpn
08:05 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
08:07 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:08 -!- elfixit1 [~Icedove@2a02:168:2000:0:3e97:eff:fe7f:f3ad] has quit [Client Quit]
08:11 -!- elfixit [~Icedove@2a02:168:2000:0:3e97:eff:fe7f:f3ad] has joined #openvpn
08:12 < micah> krzee: http://paste.debian.net/109664/ - as you can see, the route added on line 66 does not appear in the after routing table (but I can manually add it!)
08:13 -!- elfixit [~Icedove@2a02:168:2000:0:3e97:eff:fe7f:f3ad] has quit [Client Quit]
08:31 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 252 seconds]
08:33 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:38 -!- metaf5 [~metaf5@107.181.166.167] has quit [Ping timeout: 245 seconds]
08:38 -!- elfixit [~Icedove@2a02:168:2000:0:3e97:eff:fe7f:f3ad] has joined #openvpn
08:49 < defswork> does openvpn still just take first IP when dns resolves to mutliple ?
08:49 < defswork> I read somewhere it left it up to NS to randomise the results
08:51 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
08:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
08:55 < defswork> problem with that is some unlucky clients could go many lookups before they get the 2nd IP first
08:57 <@plaisthos> defswork: in 2.3 yes
08:57 <@plaisthos> in 2.4 it will iterate through all returned ips
08:57 < defswork> \o.
08:58 < defswork> ok - cheers
08:59 <@plaisthos> The android clients will do that already :)
08:59 < defswork> we're migrating our vpn server and we added 2nd ip in advance - started causing problems
08:59 < defswork> I'd always assumed the client did the trying multiple
09:03 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Ping timeout: 260 seconds]
09:07 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
09:09 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:11 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
09:14 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
09:22 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Ping timeout: 240 seconds]
09:22 -!- P-NuT [~P-NuT@90.196.104.189] has joined #openvpn
09:22 < P-NuT> Hi all, does anyone know how to automate the CA and client certs for openvpn so we can script them?
09:24 <@ecrist> easy-rsa can
09:24 <@ecrist> ssl-admin has some ability, as well
09:24 <@ecrist> !easy-rsa
09:24 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
09:24 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
09:24 <@ecrist> !ssl-admin
09:24 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
09:25 < P-NuT> easy-rsa prompts you for input, what I need is the ability to provide all the details on one line and have it make the cert
09:25 <+s7r> https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
09:25 <+s7r> openvpn as and community project use polarssl now instead of openssl?
09:25 <+s7r> for encryption?
09:25 <@plaisthos> s7r: see !android
09:25 <@ecrist> P-NuT: you need to read the docs a bit, then
09:25 <@ecrist> you can set environment variables
09:25 <@plaisthos> !android
09:25 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
09:25 <@ecrist> ssl-admin allows you to use command line switches
09:26 <@plaisthos> s7r: and yes also the normal OpenVPN can use PolarSSL
09:26 <+s7r> plaisthos i saw that, but polarssl is only on android?
09:26 <@plaisthos> s7r: no
09:26 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Ping timeout: 245 seconds]
09:26 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
09:26 <@plaisthos> plaisthos: and even on android it is wrong
09:26 <+s7r> so PolarSSL on client side and OpenSSL on server side?
09:26 <@plaisthos> argh
09:27 < P-NuT> ecrist: yes you can set them in the vars file, but you still need to pres enter each time you are prompted.
09:27 <@plaisthos> s7r: and even on android that not quite true
09:27 <@plaisthos> s7r: OpenVPN Connect != OpenVPN for Android
09:27 <@krzee> polar can be used on any OS build, in fact openvpn-nl only uses polar
09:27 < P-NuT> this is not what I need. I need the ability to script this and that requires everything on one line
09:27 <+s7r> plaisthos let me get this straight. i have an openvpn server with OpenSSL. will it work to connect an android client wth polarssl?
09:28 <@krzee> s7r, if everything you use is supported by polar, yes it will work
09:28 <@plaisthos> yes
09:28 <@ecrist> P-NuT: I'm not talking about the vars file
09:28 <@ecrist> also, look at ssl-admin, or script it yourself
09:28 <@plaisthos> s7r: otherwise just use OpenVPN for Android
09:28 <@plaisthos> s7r: that uses OpenSSL
09:28 < P-NuT> ecrist: what are you talking about then?
09:29 <+s7r> that does not exist
09:29 <@krzee> what does not exist s7r?
09:29 <@krzee> Openvpn for android definitely exists...
09:29 <@krzee> !android
09:29 <+s7r> openvpn client for android published by openvpn technologies.
09:29 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
09:29 < P-NuT> ecrist: Don't worry, I can plug the values straight into pkitool instead. (Y)
09:30 -!- P-NuT [~P-NuT@90.196.104.189] has quit [Quit: Leaving]
09:30 <@plaisthos> s7r: OpenVPN Connect is published by openvpn technologies
09:30 <+s7r> i know. but it uses polarssl and i am afraid it won't work with my community openvpn server running openssl latest version
09:30 <@plaisthos> s7r: https://play.google.com/store/apps/details?id=de.blinkt.openvpn
09:30 <+s7r> and i don't see other android cliet using openssl publishhed by openvpn technologies
09:31 <@krzee> s7r, why do you think that it wont work?
09:31 <@krzee> s7r, what crypto you using?
09:31 <@plaisthos> s7r: there are none
09:31 <@krzee> if defaut, it'll work.
09:31 <+s7r> krzee aes-256-cbc?
09:31 <+s7r> i don't know if it will work. i don't know if polarssl is compatible with openssl
09:31 <@plaisthos> s7r: Just use https://play.google.com/store/apps/details?id=de.blinkt.openvpn
09:31 <+s7r> server-client
09:31 <@plaisthos> s7r: that gives you OpenVPN with OpenSSL
09:32 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
09:32 <@krzee> ya ild expect that in polar, but either way s7r, you're looking for the "openvpn for android" by arne (aka plaisthos)
09:32 <+s7r> got it . will it modify the routing table and make updates and everything via vpn?
09:32 <+s7r> absolutely any tcp/udp connection?
09:33 <@krzee> kinda confused by the question
09:34 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
09:34 <+s7r> krzee when using openvpn in windows, the routing table is modified and all apps which require internet, including windows update go via the vpn tun device.
09:34 <+s7r> does this also apply in android?
09:35 <@plaisthos> that is the point of a VPN, right?
09:35 <+s7r> exactly.
09:35 <+s7r> that or to connect to other internal network
09:35 <+s7r> in which case modifying the gateway does not matter
09:35 <+s7r> so that is why i asked.
09:36 <@krzee> plaisthos, not the point of a vpn for any of my connections, but yes it is a common goal
09:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:36 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
09:36 <@plaisthos> s7r: yes that works
09:36 <@plaisthos> s7r: maybe you should just try the apps
09:36 <@krzee> ^ ++
09:37 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
09:41 -!- elfixit [~Icedove@2a02:168:2000:0:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 240 seconds]
09:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:46 -!- metaf5 [~metaf5@107.181.166.167] has joined #openvpn
09:51 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
09:57 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
09:57 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
10:16 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
10:17 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
10:20 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 256 seconds]
10:24 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
10:28 -!- mode/#openvpn [+o Eugene] by ChanServ
10:28 <@Eugene> Sigh. Another Monday morning, another round of crying with L2TP/IPsec.
10:54 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
10:55 < ljvb> random question about mssfix (which I asked last week but killed my tmux session so I did not see any answer if one was provided)
10:55 < ljvb> setting it to 0 on all the boxes is supposed to help with performance (based on the link https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux)
10:55 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
10:56 < ljvb> yet when I set it to 0, all communication drops between the hosts
11:00 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:05 <@plaisthos> ljvb: yeah :)
11:05 <@plaisthos> that is expected
11:05 <@plaisthos> you set the maximum segment size to 0
11:06 <@plaisthos> hm
11:06 <@plaisthos> there is really mssfix 0
11:06 <@plaisthos> strange
11:06 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 272 seconds]
11:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:30 < ljvb> yeah, it disables it
11:33 < ljvb> well, not disable, just sets no vlaue, at least as far as I can tell
11:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:55 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:04 -!- larryone [~larryone@178.167.254.199.threembb.ie] has joined #openvpn
12:07 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:10 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
12:26 -!- PhrozenByte [~Daniel_Ru@p5B1127DD.dip0.t-ipconnect.de] has joined #openvpn
12:26 < PhrozenByte> !welcome
12:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:26 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:28 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
12:35 < PhrozenByte> Hi, I'm expierencing a little curios problem with OpenVPN routing. I want to connect two networks with one another using routing (tun devices). Both networks have an dedicated router and OpenVPN server/client running on distinct devices.
12:35 < PhrozenByte> Setting everything up was pretty easy, but now I'm at a point where I don't know what to do. I have no firewall (iptables -L is empty with ACCEPT policy), net.ipv4.ip_forward is enabled.
12:35 < PhrozenByte> Clients in network A can reach all clients of network B - and vice versa. The OpenVPN server reaches the OpenVPN client - and vice versa. But: OpenVPN server and client can't reach the clients behind OpenVPN. Is this a typical misconfiguration or can someone tell me where I can start debugging?
12:43 <@Eugene> !route
12:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
12:43 <@vpnHelper> client
12:43 <@Eugene> !serverlan
12:43 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:43 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:43 <@Eugene> !clientlan
12:43 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
12:43 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:44 <@Eugene> Flowcharts ^
12:46 < PhrozenByte> Eugene, thanks, I'll check them
12:47 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
12:49 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
12:50 -!- Pyrogerg_ [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
12:51 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Ping timeout: 240 seconds]
12:52 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
13:05 -!- larryone [~larryone@178.167.254.199.threembb.ie] has quit [Read error: Connection reset by peer]
13:16 -!- bern [~Adium@cpc6-nmal18-2-0-cust127.croy.cable.virginm.net] has joined #openvpn
13:16 < bern> !welcome
13:16 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
13:16 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:17 < bern> !route
13:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
13:23 -!- PhrozenByte [~Daniel_Ru@p5B1127DD.dip0.t-ipconnect.de] has quit [Quit: Leaving.]
13:23 < bern> hello, gurus
13:24 < bern> I've done some openvpn configs over the years and generally think it's lovely
13:24 < bern> I have a problem when using the Tunnelblick client on MacOS
13:25 < bern> it doesn't add a /32 route to the VPN server, so pushing a split-tunnel subnet which includes that IP blows up on connect
13:25 < bern> same config appears to work with Linux and Windows clients.. ..is this a Tunnelblick bug or feature?
13:26  * bern couldn't (admittedly idly) find #tunnelblick
13:32 -!- Pyrogerg_ [~Gregory@97-123-29-139.albq.qwest.net] has quit [Ping timeout: 260 seconds]
13:35 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
13:36 -!- PhrozenByte [~Daniel_Ru@p5B1127DD.dip0.t-ipconnect.de] has joined #openvpn
13:38 < PhrozenByte> !route_outside_openvp
13:38 <@krzee> my tunnelblick client has /32 routes pushed to it and works fine? but have you tried the same config with openvpn without tunnelblick?
13:38 <@krzee> bern, ^
13:38 <@krzee> PhrozenByte,
13:38 <@krzee> !route_outside_ovpn
13:38 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
13:39 <@krzee> or even better:
13:39 <@krzee> !factoids
13:39 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:39 < PhrozenByte> krzee: thanks, somebody should update !clientlan and !serverlan ;)
13:39 <@krzee> !clientlan
13:39 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
13:39 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:40 <@krzee> !route_outside_openvpn
13:40 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
13:40 < PhrozenByte> oO
13:40 <@krzee> PhrozenByte, you were missing the n
13:40 <@krzee>  <PhrozenByte> !route_outside_openvp
13:40 < PhrozenByte> aaaaah
13:40 < PhrozenByte> yeah, that's a explanation :D
13:42 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Ping timeout: 240 seconds]
13:42 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
13:44 < bern> thanks for all the responses
13:44 < bern> not sure I made myself clear, though
13:44 < PhrozenByte> !route
13:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:44 <@vpnHelper> client
13:45 < PhrozenByte> ok, that !route_outsinde_ovpn was what I've missed. I've added those routes to both routers and OpenVPN server and client can ping the routers, now. But: they still can't ping other clients (i.e. the OpenVPN client can't ping this laptop, who's behind the OpenVPN server)
13:45 < bern> I'm not expecting /32 routes to be pushed to the client
13:46 -!- Latrina [~Latrina@151.26.47.74] has quit [Ping timeout: 240 seconds]
13:46 < bern> say the server is x.y.1.1 and pushes a route for x.y.0.0/16
13:46 < bern> my tunnelblick client gets that route pushed to 10.8.0.1
13:47 -!- Latrina [~Latrina@ppp-74-47.26-151.libero.it] has joined #openvpn
13:47 < bern> but the UDP 1194 packets now don't have a route to x.y.1.1
13:47 < bern> MacOS tries to send them down utun0
13:48 < bern> I'd expect there to be an x.y.1.1/32 route in my routing table, pointing at my local default gw
13:48 < bern> this ought to be added by the VPN client itself, right? just to avoid the chicken-and-egg
13:48 <@krzee> no
13:49 <@krzee> if it was redirect-gateway yes, because that is a macro that does it
13:49 <@krzee> but if you push the internet ip of your server in a route over the vpn, this happens
13:49 <@krzee> push another route for the /32 with net_gateway
13:49 <@krzee> !net_gateway
13:49 <@krzee> !factoids search --invalues net_gateway
13:49 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
13:50 <@krzee> !factoids search --values net_gateway
13:50 <@vpnHelper> No keys matched that query.
13:50 <@krzee> hmm
13:50 <@krzee> !route_override
13:50 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
13:50 <@krzee> so:
13:50 <@krzee> route x.y.1.1 255.255.255.255 net_gateway
13:51 <@krzee> and leave net_gateway as is, dont change it to a real ip
13:51 < bern> OK, many many thanks
13:51 <@krzee> np
13:51  * bern wonders why it worked with Linux and Windows clients
13:52 <@krzee> dont know, maybe some newer version does something smart in that case which i dont know about
13:52 <@krzee> but i would expect such a config to lead to a routing loop
13:53 < bern> maybe the defaults are different on different platforms, anyway not to worry
13:53 < SupaYoshi> Hi
13:53 < SupaYoshi> Is there anyone here that can help me routing my traffic over my internal LAN, gateway?
13:53 < SupaYoshi> I got it setup, and working. I was here yesterday but without any replies.
13:53 < SupaYoshi> But, it works... but stops working after a minute or 2.
13:54 <@krzee> what happens when it stops working...?
13:54 <@krzee> also "routing my traffic over my internal LAN, gateway" i dont see anything about a vpn
13:55 < bern> would be good to see your client routing tables before and after it stopping working
14:02 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
14:02 < PhrozenByte> Anyone an idea? I want to connect network A and B; clients in network A are already able to reach all clients of network B and vice versa. OpenVPN server and client (on distinct devices) can reach both routers (worked after adding routes for the VPN subnet to both routers) and one another, but they still can't reach other clients.
14:02 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Max SendQ exceeded]
14:03 <@ecrist> --client-to-client in server config
14:03 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
14:04 < PhrozenByte> with "other clients" I mean other "physical" clients behind OpenVPN, not OpenVPN clients. client-to-client is enabled already
14:05 <@krzee> !clientlan
14:05 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
14:05 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
14:05 <@krzee> like that?
14:06 < PhrozenByte> yep, worked that through already
14:06 < PhrozenByte> propably I've missed something ^^
14:08 < PhrozenByte> but can't see what... my first mistake was !route_outside_openvpn, after setting the necessary routes OpenVPN devices can reach both routers, but they can't reach other clients
14:09 <@ecrist> you must have routes to and from the network
14:09 < PhrozenByte> what do you mean?
14:11 < PhrozenByte> the routers now have 2 additional static routes: one for the VPN subnet and one for the subnet of the "other" network
14:11 <@ecrist> and the firewall allows all those IP ranges?
14:13 < PhrozenByte> that's a good keyword... maybe the router software isn't that good... let me see...
14:13 < PhrozenByte> iptables -L of both OpenVPN devices is already empty (with policy ACCEPT)
14:17 <@krzee> iptables-save, never iptables -L
14:18 <@ecrist> !iptables
14:18 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
14:19 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
14:24 < PhrozenByte> AVM Fritz!Box, very common routers in Germany, doesn't use iptables. As far as I can see in their firewall config and what I can find via google, they don't have any restrictions regarding internal communications...
14:25 -!- starlays [~starlays@unaffiliated/starlays] has left #openvpn ["WeeChat 0.4.3"]
14:33 < PhrozenByte> ok, I think I'll give it another try tomorrow. maybe I'm just stuck ^^
14:33 < PhrozenByte> big thank you to all helpers anyway!
14:34 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:35 -!- PhrozenByte [~Daniel_Ru@p5B1127DD.dip0.t-ipconnect.de] has left #openvpn []
14:37 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
14:46 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Read error: Connection reset by peer]
14:54 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
15:13 < SupaYoshi> krzee, sorry i was afk.
15:13 < SupaYoshi> Are you still here?
15:13 < SupaYoshi> Sorry
15:15 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
15:17 < ub1quit33_> is there a way to add multiple private IPs to the VPN gateway?
15:18 < ub1quit33_> I've played a bit with the ifconfig directive, but I can't seem to be able to figure out how to use it for this purpose (or if I even should)
15:23 -!- Esya [~zncuser@mini-02.y0y.fr] has joined #openvpn
15:25 -!- FFes [~quassel@5ED1F2B3.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
15:26 < FFes> !welcome
15:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:26 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:29 < ub1quit33_> !iporder
15:29 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
15:30 < ub1quit33_> !/30
15:30 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
15:30 < ub1quit33_> !topology
15:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
15:35 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
15:35 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
15:36 -!- PhrozenByte [~Daniel_Ru@p5B1127DD.dip0.t-ipconnect.de] has joined #openvpn
15:37 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Excess Flood]
15:37 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
15:39 -!- PhrozenByte [~Daniel_Ru@p5B1127DD.dip0.t-ipconnect.de] has quit [Client Quit]
15:44 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:45 < ub1quit33_> Goal: I would like the VPN server to have two separate IPs from two separate subnets on the VPN
15:45 < ub1quit33_> the default server IP is 10.40.8.1/21
15:46 < ub1quit33_> I would like to assign it 10.40.0.1/24 as well
15:46 < ub1quit33_> any pointers are welcome! ty in advance
15:48 < ub1quit33_> actually, I should rephrase my goal
15:49 < ub1quit33_> what I actually want is for the primary IP address of the VPN server to be 10.40.0.1
15:49 < ub1quit33_> and assign all clients IPs from the 10.40.8.0/21 subnet
15:49 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has joined #openvpn
15:50 < ub1quit33_> I am already pushing the appropriate routes for all netowrks in the 10.40.8.0/20 block
16:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:01 -!- flexo_ [~flexo@85.17.248.147] has left #openvpn []
16:02 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
16:10 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
16:13 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
16:26 -!- FFes [~quassel@5ED1F2B3.cm-7-2d.dynamic.ziggo.nl] has quit [Remote host closed the connection]
16:34 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
16:34 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
16:34 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:45 -!- bern [~Adium@cpc6-nmal18-2-0-cust127.croy.cable.virginm.net] has quit [Quit: Leaving.]
17:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
17:05 -!- Pyrogerg [~Gregory@97-123-29-139.albq.qwest.net] has quit [Ping timeout: 272 seconds]
17:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:37 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
17:38 -!- larryone [~larryone@176.61.1.155] has quit [Remote host closed the connection]
17:51 -!- dazo is now known as dazo_afk
17:55 -!- mattock is now known as mattock_afk
18:19 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
18:22 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
18:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:41 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:09 -!- raspberrypifan [~raspberry@190.131.164.211] has joined #openvpn
19:09 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:09 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
19:09 < raspberrypifan> can anyone help with a setup of openvpn on os x
19:26 -!- brah [~allsdfjal@190.193.70.120] has joined #openvpn
19:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection timed out]
20:02 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has joined #openvpn
20:10 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
20:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:57 < brah> !welcome
20:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
20:57 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:58 < brah> !forum
20:58 <@vpnHelper> "forum" is (#1) The official OpenVPN support forum is available at http://forums.openvpn.net or (#2) you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
20:58 -!- raspberrypifan [~raspberry@190.131.164.211] has quit [Remote host closed the connection]
20:59 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:01 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:42 -!- Netsplit *.net <-> *.split quits: Poster, metaf5, MatToufoutu, woshty, +hazardous, ShadniX
21:42 -!- Netsplit over, joins: hazardous, Poster
21:42 -!- mode/#openvpn [+v hazardous] by ChanServ
21:42 -!- Netsplit over, joins: metaf5
21:44 -!- Netsplit over, joins: MatToufoutu
21:45 -!- Netsplit over, joins: ShadniX
21:47 -!- woshty [~irc@84.200.211.57] has joined #openvpn
21:51 < brah> krzee: Are you around?
22:09 < _FBi> no
22:10 <@Eugene> !krzee
22:10 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
22:12 -!- Netsplit *.net <-> *.split quits: NucWin, Nothing4You, defswork, MatToufoutu, dvl, vinky, clu5ter, pekster, mete, APTX,  (+82 more, use /NETSPLIT to show all of them)
22:18 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
22:20 -!- Netsplit over, joins: roentgen, Haigha, troj, jzaw, soapee01, MatToufoutu, Poster, hazardous, james41382, Kniaz (+31 more)
22:20 -!- mete [~mete@91.247.253.160] has joined #openvpn
22:20 -!- Netsplit over, joins: Nothing4You, haasn, thumbs, micko
22:20 -!- ServerMode/#openvpn [+v hazardous] by morgan.freenode.net
22:20 -!- Netsplit over, joins: riddle, syzzer, hydrajump, Tykling, dvl, TypoNe, aji, _abbe`, SupaYoshi, joako (+17 more)
22:20 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
22:20 -!- Netsplit over, joins: pekster, @plaisthos, defswork, gac, Cyclohexane, Lolths, NChief, kenyon, malc0re_, aPollO2k (+4 more)
22:20 -!- ServerMode/#openvpn [+oo syzzer plaisthos] by morgan.freenode.net
22:22 -!- woshty [~irc@84.200.211.57] has joined #openvpn
22:22 -!- ShadniX [dagger@p5481C530.dip0.t-ipconnect.de] has joined #openvpn
22:23 -!- fred`` [fred@earthli.ng] has joined #openvpn
22:24 <@ecrist> boats and hos
22:24 <@ecrist> brah: what do you need help with?
22:24 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
22:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-lcortawmdjmegvzv] has quit [Ping timeout: 256 seconds]
22:27 -!- kirin` [telex@gateway/shell/anapnea.net/x-zjdgfilnarvvzkab] has joined #openvpn
22:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-zjdgfilnarvvzkab] has quit [Ping timeout: 260 seconds]
22:32 < brah> ecrist: I was troubleshooting my setup last week, where I'm the client of a CA-only tunnel, authenticated using auth-user-pass.
22:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-vkydjqdelsjyeqhb] has joined #openvpn
22:35 < brah> ecrist: And client is supposed to mean tls-client, pull. But changing client to tls-client on the config makes openvpn fail to start.
22:35 < brah> Looking around the code path, it appears as if you can't have auth-user-pass without pull, why is this?
22:37 < brah> Anyway, I was looking for a way to disregard an 'inactive 600' my server is sending to me.
22:38 < brah> Instead I have to do ugly hacks like croning a wget or similar.
22:39 <@krzee> you made a trac ticket?
22:39 < brah> No, because I don't know if it's a bug or proper behavior.
22:43 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:43  * ecrist returns
22:44 <@ecrist> brah: have you looked at ping and ping-restart?
22:44 <@ecrist> !ping
22:44 <@vpnHelper> pong
22:45 <@ecrist> :\
22:45 <@ecrist> !ping-restart
22:45 <@krzee> ecrist, both of which are overridden by the server
22:46 <@ecrist> it is?
22:46 <@krzee> yes
22:46 <@ecrist> ping-restart is, yes, sorry, ping is not
22:47 <@krzee> o?k? and?
22:47 <@ecrist> and will avoid the inactivity timeout
22:47 <@krzee> no it wont
22:47 <@krzee> the --ping packets are control, --inactive specifically states in the manual they are not counted
22:48  * ecrist packs his bag and gives up
22:48 <@krzee> although my suggestion was to setup a script to generate [bytes] (from --inactive <time> [bytes]) amount of traffic every <time>
22:49 <@ecrist> and this isn't even my second beer
22:49 <@ecrist> cron job, every minute, traceroute something
22:49 <@krzee> background and disown it in the openvpn client startup, and kill it on vpn shutdown
22:50 <@krzee> tracert may not be enough depending on <bytes> but he never specified that
22:51 < brah> krzee: You talked about bytes earlier, where can I see the set inactive bytes? Server is only pushing inactive, I can't seem to find inactive bytes on the manual.
22:51 <@ecrist> brah: it's part of the --inactive arg
22:52 <@ecrist> --inactive n [bytes]
22:52 <@krzee> post the client log at verb 4 of it connecting
22:52 <@ecrist> where n is time, in seconds
22:55 < brah> Received control message: 'PUSH_REPLY,dhcp-option DNS 10.x.x.x,inactive 600,route 10.x.x.x 255.255.255.252,ifconfig 10.x.x.x 10.x.x.x'
22:55 <@krzee> so it looks like an icmp ping should be enough
22:55 <@krzee> just needs *something*
22:55 <@krzee> some kind of heart beat more often than 600 seconds
22:55 <@krzee> (10min
22:56 <@krzee> or use the vpn as it was intended...
22:56 <@krzee> connect, do what you need, then get off.
22:56 <@krzee> (because evidentally thats what the admin wants)
22:56 < brah> I'm still wondering why, techinically, I need to have pull to have auth-user-pass.
22:57 < brah> krzee: The admin wanted PPTP or IPSEC, we stuck to our guns and he came up with... this. A rather insecure setup vunerable to MITM.
22:57 <@krzee> i guess you could ask in #openvpn-devel or make a low priority trac ticket
22:58 <@ecrist> brah: why subject to MITM?
22:58 <@krzee> good job on not letting him do PPTP
22:58 <@krzee> ecrist, because they dont even use certs
22:58 <@krzee> could pretend to be the server and accept the L/P
22:58 <@ecrist> he said they use a CA cert
22:58 <@krzee> and thats all
22:58 <@krzee> both sides using the same one
22:59 <@ecrist> CA key and a server key, though, akin to a webserver, iirc
22:59 <@ecrist> brah: from the manual:
22:59 <@ecrist> --pull
22:59 <@ecrist> This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options (note that the --pull option is implied by --client ).
23:00 <@krzee> if you do server cert checking, he hasnt shown his config so i dunno if they do but i suppose they dont if he said mitm (i never brought it up)
23:00 < brah> Nope, no server cert checking.
23:00 <@ecrist> does the client have the CA cert?
23:00 <@ecrist> !configs
23:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
23:00 <@krzee> ecrist, he does not want to pull, but he cant run the client without it because he needs L/P and pull is required.
23:01 <@ecrist> krzee: I know he doesn't WANT to, but it's a required option for a multi-client server instance
23:02 <@krzee> ahh damn that "must"
23:02 < brah> http://pastebin.com/7aafzFKD
23:03 <@ecrist> looking at the client config, my best guess is there IS a server certificate, signed by the mutual CA
23:03 <@ecrist> that means no (or a difficult) MITM
23:03 <@krzee> actually ya thats true because theres no client cert to MITM with
23:03 <@ecrist> basically, the openvpn client is operating in a similar fashion to how most people browse the web
23:03 < brah> The dealbreaker is, this CA is public and downloadable from the internet.
23:04 <@krzee> the ca key?
23:04 < brah> Yeah.
23:04 <@ecrist> brah: the CA is supposed to be public
23:04 <@krzee> the KEY?
23:04 <@ecrist> not the CA key, just the certificate
23:04 <@krzee> right thats what im saying
23:04 < brah> No, the cert.
23:04 <@krzee> all certs are public.
23:04 <@ecrist> that's the whole fucking point
23:04 <@krzee> yep.
23:05 <@krzee> now the ca.key, if someone gets that they can mitm? but that is pretty much always true
23:06 <@ecrist> yes, then they can MITM
23:06 <@ecrist> unless they were using tls-auth
23:06 <@ecrist> but they're not
23:07 <@ecrist> still not an insecure VPN implementation, just not as secure as it could be
23:07 <@ecrist> not having client certificates eliminates that extra authentication layer
23:07 < brah> I'm still trying to figure out why pull is an absolute requirement for multiclient configs, and not a recommendation.
23:07 <@ecrist> things like IP addresses
23:07 <@ecrist> keepalives, etc
23:08 < brah> I can still set those locally, can't I?
23:08 <@ecrist> some of them are overridden
23:08 <@krzee> well if you set the ip differently than the server it wont work...
23:08 <@ecrist> something like an IP is stupid to override locally, because you don't know if it will work
23:08 <@krzee> the servers iroute table will MULTI error you outta here
23:09 < brah> I'm saying, perhaps using pull with multiclient could be a should, not a must
23:10 <@ecrist> no
23:10 <@krzee> maybe its because openvpn is made with the idea that the server admin should be able to control his vpn
23:11 <@ecrist> I've figured you out, brah.  You're one of those people that tries to do stupid shit because you *think* you understand how it works, but you really don't.
23:11 <@krzee> if he says --inactive 600 its because he said so. his vpn, his rules.  i know that if i used L/P auth i would be mad about my users storing them to a file for example? i wouldnt mind an option disabling the clients ability to do that.
23:11  * ecrist agrees
23:11 -!- ShadniX [dagger@p5481C530.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:12 <@ecrist> particularly if we could stick it in the DEFAULT CCD entry
23:12 <@ecrist> and override as needed
23:12 <@ecrist> :)
23:12 <@krzee> hahah
23:13 -!- ShadniX [dagger@p5481C9DE.dip0.t-ipconnect.de] has joined #openvpn
23:15 < brah> Meh. Your VPN, your rules, but they are enforced locally.
23:15 <@ecrist> you could write a patch to fix this "issue" and submit it to the dev list
23:24 < brah> Now, allow me to backpedal for a second. If you want the client to do something you cannot enforce that locally as that is not secure. If there is a behavior that is a recommendation, under no circumstances it should be absolutely required. Unless there is a technical reason for this, which is what I asked and instead I'm told I'm a fucking idiot, this is a bug and not an "issue".
23:30 <@krzee> what is not secure?
23:34 < brah> Relying on the client's software to carry out behaviors.
23:55 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
23:59 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 256 seconds]
--- Day changed Tue Jul 15 2014
00:00 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 250 seconds]
00:34 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
00:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:36 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
00:41 <@krzee> brah, you keep using the word secure but i dont think you know what it means
00:42 < brah> My vocabulary is limited, sorry.
00:44 < brah> My point is, relying on pushes to the client, that the client carries out on its own, is not a very solid idea because it can be ignored.
00:45 <@krzee> cool, ignore it then
00:59 < cyberanger> even if settings are ignored, the server could also be setup to not allow anything but the settings it pushes
01:00 < cyberanger> I don't think it was ever intended as a security feature, merely a convinence in setup
01:06 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:08 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
01:22 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
01:23 <@krzee> right
01:23 <@krzee> not a security issue one way or the other
01:25 -!- brah [~allsdfjal@190.193.70.120] has quit [Quit: Leaving]
01:33 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
01:51 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:06 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:16 -!- mattock_afk is now known as mattock
02:33 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
02:34 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Max SendQ exceeded]
02:52 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
03:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
03:36 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
04:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:01 -!- le0 [~l30@unaffiliated/le0] has quit [Read error: Connection reset by peer]
04:04 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 264 seconds]
04:06 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
04:37 -!- dazo_afk is now known as dazo
04:39 -!- zapotek6 [~zap@217.202.194.241] has joined #openvpn
04:39 -!- zapotek6 [~zap@217.202.194.241] has quit [Max SendQ exceeded]
04:56 -!- Netsplit *.net <-> *.split quits: NucWin, Nothing4You, hive-mind, defswork, mirco, MatToufoutu, dvl, adaptr, @krzee, ratsupremacy,  (+130 more, use /NETSPLIT to show all of them)
05:04 -!- Netsplit over, joins: MatToufoutu, Poster, +hazardous, james41382, roentgen, Esya, mcp, Latrina, DrCode, kantlivelong (+121 more)
05:04 -!- yoavz [yoavz@yoavz.net] has quit [Max SendQ exceeded]
05:04 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Max SendQ exceeded]
05:04 -!- Netsplit over, joins: kossy
05:04 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
05:06 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-vkydjqdelsjyeqhb] has quit [Read error: Connection reset by peer]
05:08 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
05:08 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:08 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
05:08 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has joined #openvpn
05:08 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
05:08 -!- ratsupremacy [~antihero@37.139.5.204] has joined #openvpn
05:08 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
05:10 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
05:14 -!- zapotek6 [~zap@217.202.194.241] has joined #openvpn
05:14 -!- zapotek6 [~zap@217.202.194.241] has quit [Max SendQ exceeded]
05:20 -!- JackWinter_ is now known as JackWinter
05:35 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
05:50 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
05:51 -!- jdunn_ [~jdunn@c-76-19-44-237.hsd1.ma.comcast.net] has joined #openvpn
05:54 < jdunn_> hello.  I followed the instructions on readwrite.com and was unsuccessful.  The error I get from the client is TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:55 < jdunn_> hello?
05:56 < jdunn_> !welcome
05:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:58 < jdunn_> hello. I followed the instructions on readwrite.com and was unsuccessful.  The error I get from the client is TLS key negotiation failed to occur within 60 seconds (check your network connectivity).  I'd like to be able to connect to the openvpn server on my raspberry pi
05:58 < jdunn_> zzzzzzzzzzzzzzz
05:59 < jdunn_> !howto
05:59 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:01 < jdunn_> !goal
06:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:01 < jdunn_> hello?  There are a lot of people here but no one is talking
06:02 < jdunn_> HELLO IS ANYBODY LISTENING OR ARE YOU ALL JUST JERKING OFF ON PR0N?
06:04 < jdunn_> my goal is to talk to someone on this fucking irc channel who can hopefully walk me through some suggestions that will allow me to connect to openvpn on my raspberry pi
06:06 <@dazo> jdunn_: IRC (and IM) is instant messaging, not instant answer ... hang out here and be patient
06:07 < jdunn_> thank you
06:07 <@dazo> jdunn_: furhter ... we *expect* you to read those messages from vpnhelper.  We only support the official howtos (there are a billion wikis and blogs which are just wrong), and we expect a clear answer to !goal
06:07  * dazo don't have time to provide more support right now
06:08 < jdunn_> okay
06:10 < jdunn_> !goal
06:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:13 < jdunn_> !goal I would like to access openvpn on my raspberry pi with a client on Windows 7.  I want to access my home network and the internet through a secure connection from public wifi hotspots
06:45 -!- m4rcu5 [bip@2001:1af8:4400:a010:1::1130] has joined #openvpn
06:50 < jdunn_>  I would like to access openvpn on my raspberry pi with a client on Windows 7.  I want to access my home network and the internet through a secure connection from public wifi hotspots
06:54 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:01 <@dazo> jdunn_: Just a quick reply .... have you ever set up any type of VPN before?
07:02 < jdunn_> no
07:02 -!- autrilla [~autrilla@unaffiliated/autrilla] has joined #openvpn
07:02 -!- zapotek6 [~zap@95.74.128.69] has joined #openvpn
07:03 <@dazo> Okay ... then you need to start really simple, to understand how this works ... Start with this guide, to get a basic grip how openvpn works
07:03 <@dazo> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
07:03 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
07:03 -!- zapotek6 [~zap@95.74.128.69] has quit [Max SendQ exceeded]
07:03 <@dazo> And then this setup can be extended to provide better security and be more flexible
07:03 <@dazo> and then it's time to think about routing all internet traffic via your vpn
07:04 < autrilla> Can anyone help? 10.9.8.10,favega,XX.XX.2.106:20581,Tue Jul 15 13:51:11 2014 10.9.8.6,ruben,XXXX.246.135:60427,Tue Jul 15 13:50:11 201, and I can ping 10.9.8.10 from 10.9.8.6, but remote desktop doesn't work
07:05 < jdunn_> will this apply just as easily to raspberry pi raspbian?  I guess it should
07:06 < jdunn_> I already have openvpn downloaded from the package manager
07:06 <@dazo> yes, openvpn is mostly configured in the same way on all platforms
07:06 <@dazo> start with running openvpn from a command line
07:06 <@dazo> !--
07:06 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
07:07 < jdunn_> thanks
07:21 -!- jdunn_ [~jdunn@c-76-19-44-237.hsd1.ma.comcast.net] has quit [Quit: Leaving]
07:21 < autrilla> ... I can ping my Windows Server (the VPN server is linux) but I can't remote desktop to it. Why could this be?
07:27 <@dazo> autrilla: firewalling?
07:27 < autrilla> dazo, ports open, at least on the client. It's just TCP, right?
07:29 -!- Mimiko [~Mimiko@77.89.245.38] has quit []
07:30 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has joined #openvpn
07:30 <@dazo> autrilla: have you tried to telnet port 3389? ... have you tried tcpdump or wireshare to see where the packets stops?
07:31 < autrilla> dazo, no :/
07:31 < autrilla> That's too advanced
07:31 <@dazo> then you know what to do ;-)
07:31 < autrilla> I don't know if I'll know how to do it
07:31 < autrilla> I'll try!
07:31 <@dazo> autrilla: Seriously ... if you want to do VPN, you have no option than to learn how to "debug" networks
07:31 <@dazo> if you give up, you can give up VPN.
07:32 < autrilla>  I'm not giving up!
07:33 <@dazo> then nothing is too advanced either ;-)
07:41 < autrilla> dazo, what do I need to telnet, the VPN server or my Windows Server?
07:42 < autrilla> telnet 10.9.8.1 or 10.9.8.10
07:45 <@dazo> autrilla: I'll ask you think about that, and come up with a suggestion to an answer.  You need to learn to think what you do
07:55 < autrilla> dazo, the Windows Server, 3389 is RDP :)
07:56 <@dazo> correct!
07:56 < autrilla> I connected (via Remote Desktop) but it disconnects after a while
07:56 < autrilla> The problem was the server's firewall, I think
07:56 < autrilla> A while = ~20 seconds
07:56 <@dazo> now I really can say: I told you so
07:56 <@dazo> ;-)
07:57 < autrilla> And if I ping the Windows Server, it times out
07:57 < autrilla> Weird :/
07:58 < autrilla> dazo, why could that be?
07:58 <@dazo> it can be firewalling, it can be an unstable VPN connection, or it can be routing (depends on which IP address you ping and from where)
08:01 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:02 < autrilla> dazo, how do I diagnose it?
08:05 < autrilla> dazo, when it stops working, it doesn't respond to pings either
08:05 <@dazo> log files, and again tcpdump/wireshark
08:05 <@dazo> use --verb 4 in config files, to get a better overview
08:11 < ljvb> damnit, they overcooked my eggs again
08:29 -!- debbie10t [~guest7657@openvpn/community/support/debbie10t] has joined #openvpn
08:29 -!- debbie10t [~guest7657@openvpn/community/support/debbie10t] has left #openvpn []
08:30 < autrilla> This is going to be a pain in the butt
08:32 < ljvb> I'm too lazy to scroll up.. what is your problem.
08:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:46 < autrilla> ljvb, RDP connection dropping over VPN
08:46 < autrilla> mostly
08:47 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 256 seconds]
--- Log closed Tue Jul 15 08:54:43 2014
--- Log opened Tue Jul 15 09:44:36 2014
09:44 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
09:44 -!- Irssi: #openvpn: Total of 165 nicks [8 ops, 0 halfops, 3 voices, 154 normal]
09:44 -!- mode/#openvpn [+o ecrist] by ChanServ
09:44 -!- Irssi: Join to #openvpn was synced in 1 secs
10:26 -!- metaf5 [~metaf5@107.181.166.167] has quit [Ping timeout: 272 seconds]
10:29 -!- metaf5 [~metaf5@107.181.166.167] has joined #openvpn
10:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
10:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:45 -!- mode/#openvpn [+v s7r] by ChanServ
10:56 -!- dazo is now known as dazo_afk
11:02 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:15 < snappy> anyone know where I can download the APK for openvpn connect android so I can sideload it?
11:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:30 <@krzee> from any device that has downloaded it via the store
11:30 <@krzee> (thats how i get apk for sideload)
11:31 <@krzee> s/device/rooted device/
11:37 < snappy> roger, thanks
11:38 <@krzee> np
11:39 < ljvb> since it is in the store, why bother with sideloading
11:39 -!- yeled [~yeled@spodder.com] has left #openvpn ["meh.."]
11:39 < snappy> kindle fire
11:42 < ljvb> aahh
11:43 < autrilla> Can't you sideload the Google Play apk?
11:44 < ljvb> won't make a difference since your forced through the kindle gateway I believe, so the store the play app pulls down is what amazon wants you to see
11:44 < ljvb> at least that is what I believe happens, I could be wrong
11:45 < ljvb> I remember I had to make a db and file modification to force my stock google play to pull from teh UK app store (I Wanted the bbc iplayer not available in the US
11:51 < autrilla> ljvb, how could I join a Windows Server file share through the VPN, just to test downloading a large file?
11:59 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
12:04 < snappy> ok this is cool: http://apps.evozi.com/apk-downloader/
12:04 <@vpnHelper> Title: APK Downloader [Latest] Download Directly | Chrome Extension v2.1.2 (Evozi Official) (at apps.evozi.com)
12:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
12:11 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
12:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:12 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
12:13 < D-Boy> Hello, Cannot open /etc/openvpn/certs/dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file <== I have : dh /etc/openvpn/certs/dh4096.pem (and i also have the dh1024.pem) but it can't find it ?
12:14 <@krzee> D-Boy,
12:14 <@krzee> !configs
12:14 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:14 <@krzee> !logs
12:14 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:14 <@krzee> just for the server is fine.
12:15 < D-Boy> krzee: okey, let me prepare this for you
12:19 < D-Boy> krzee: http://pastebin.com/4UtXFsQT for server.conf & http://pastebin.com/kQ3dxnYT for logs
12:19 < D-Boy> krzee: also it seems that it logs nothing when i try service openvpn restart (i checked the time)
12:20 < D-Boy> krzee: i followed this : https://openvpn.net/index.php/access-server/docs/admin-guides/186-how-to-run-access-server-on-a-vps-container.html & afted this ==> http://www.tecmint.com/install-openvpn-in-debian/
12:20 <@vpnHelper> Title: How to run Access Server on a VPS container (at openvpn.net)
12:20 <@krzee> !as
12:20 < D-Boy> the container is a debian 7
12:20 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
12:21 <@krzee> your link is about AS but your config isnt...?
12:21 < D-Boy> hum i wasn't aware there was 2 products, but i install the package on debian
12:21 < D-Boy> the first link is about preparing the host node (proxmox) and the container to host openvpn
12:22 <@krzee> AS and opensource openvpn are different
12:22 < D-Boy> but the config i followed was about openvpn (the deb package on debian repos)
12:22 < D-Boy> the opensource then i guess
12:22 <@krzee> k well i have no plans on reading the walkthrough you followed
12:22 <@krzee> but ill look at what you posted me =]
12:22 < D-Boy> ok :)
12:23 <@krzee> are you starting this with OS scripts or by calling the openvpn binary?
12:24 < D-Boy> OS scripts i believe (by calling "service openvpn restart")
12:24 <@krzee> ok so 2 things
12:24 <@krzee> 1)  script security 3 system    <-- typo
12:25 < D-Boy> krzee: typo ? I don't see
12:27 <@krzee> !man
12:27 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:27 <@krzee> see --script-security in the manual
12:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:28 <@krzee> for 1, there is a - in it, also in 2.3+ the system flag was removed
12:28 <@krzee> "The reason the support for the system flag was removed is due to the security implications with shell expansions when executing scripts via the system() call."
12:31 < D-Boy> krzee: thx! now it runs, (let see if i can connect a client)
12:32 < D-Boy> krzee: you was saying 2 things ?
12:32 <@krzee> well the error about dh
12:32 <@krzee> i figured it was something totally different which would work fine if calling openvpn directly but not by OS script
12:32 <@krzee> right now when it worked, was it by calling openvpn directly?
12:33 <@krzee> or was it service openvpn [re]start
12:33 < D-Boy> by the same way i did before
12:33 < D-Boy> service openvpn restart
12:33 <@krzee> ok cool then
12:33 < D-Boy> thx again, next step then
12:34 <@krzee> im dumbfounded how that error could possibly come from that issue
12:34 <@krzee> seems like that log HAD to be from a different config file
12:34 <@krzee> ls /etc/openvpn/*.conf
12:35 <@krzee> anything there besides server.conf   ?
12:35 < D-Boy> nope
12:35 <@krzee> *shrug*
12:35 < D-Boy> that's a fresh vm
12:35 <@krzee> weird but if you're up and running now i guess screw it :D
12:35 < D-Boy> :D
12:36 < D-Boy> the openvpn client have a gui version ? (the opensource one)
12:36 <@krzee> which os?
12:36 < D-Boy> debian & windows
12:36 < m4rcu5> D-Boy: yep a real nice one for windows
12:36 < D-Boy> winxp/win7 ?
12:37 < m4rcu5> both works
12:37 <@krzee> debian has a couple i think, i see network manager more often. DO NOT CONFIGURE the vpn with network manager just import your already tested config
12:37 <@krzee> windows the standard .exe includes a little gui
12:37 <@krzee> !download
12:37 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:37 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:37 < m4rcu5> NM is kinda pickey on the format
12:37 < D-Boy> okey, thx guys
12:37 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:38 <@krzee> personally none of my linux/unix boxes (except my osx) even have GUI
12:38 < m4rcu5> krzee: same here, but i used to have a laptop with NM
12:38 <@krzee> and osx has some guis too, i use tunnelblick there
12:39 <@krzee> you know its probably coming to that for me, im starting to dislike my apple laptop? i would be running linux on it by now but the retina keeps me from doing it
12:40 < m4rcu5> i tent to get a weak spot for apple. but i keep running gentoo on my thinkpad for now :)
12:42 < m4rcu5> ... which also has some quirks dhcpd and openvpn fighting for resolv.conf
12:43 < snappy> sort of openvpn related; on the kindle fire, /proc/config.gz shows CONFIG_TUN=y, and dmesg shows a message that the tun/tap device driver 1.6 is loaded.
12:43 < snappy> # ip tuntap add dev tun0 mode tun
12:43 < snappy> open: No such file or directory
12:43 < snappy> seems like ip isn't able to register it though?
12:45 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
12:48 < m4rcu5> meanwhile a small question of mine, i currently have a LAN (ip x.x.x.y) bridged with TAP (none) < openvpn, i set the NBT type to b-node, and do not run WINS. OpenVPN is in TAP mode. Is this the right way of getting some road warriors into the small office?
12:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:50 < m4rcu5> @krzee, have you checked Plasma 5 for your retina?
12:51 <@krzee> never heard of it
12:51 <@krzee> and it looks like the article im reading about it is from *today*
12:51 <@krzee> haha
12:53 < m4rcu5> hehe, i just stumbled across it as well :)
12:55 < snappy> ugh screw this; vpn on kindle firetv isn't happening; i guess i'll have to do policy based routing on my openwrt box
12:55 < m4rcu5> snappy: on a kindle 0_0
13:00 < snappy> i was skeptical to begin with
13:01 < snappy> feel like all the components are in place, rooted, tun (built into the kernel), but openvpn connect says it wont run on this version of android due to some bug, very vague about it as well
13:04 <@krzee> snappy, try "openvpn for android"
13:04 < ljvb> don't use opevnvpn for android, try "OpenVPN Connect" the official app
13:05 <@krzee> ljvb, openvpn for android is made by plaisthos, it is based on the openvpn source code
13:05 <@krzee> openvpn connect is based on an entirely new source code
13:05 <@krzee> !android
13:05 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
13:06 <@krzee> !factoids search android
13:06 <@vpnHelper> 'android', 'android-old', and 'androidsource'
13:06 < snappy> ah good to know
13:06 <@krzee> !androidsource
13:06 <@vpnHelper> "androidsource" is (#1) The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout or (#2) The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
13:07 < snappy> thanks, been looking for the source!
13:07 <@krzee> not all of connect is open sourced, or can be (due to licensing).
13:09 <@krzee> snappy, connect supports you (snappy compression)
13:12 < snappy> damn kindle firetv omits vpnservice api support, i guess the tinkerers need to tinker more with the android
13:13 < snappy> yeah, i give up, looks like openvpn on the router + some policy based routing gymnastics
13:14 < m4rcu5> any comments on my setup? :)
13:15 -!- rudivd_ [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
13:17 < snappy> yeah sure, NBT/WINS? 1995 is calling and they want their networking stack back
13:19 < m4rcu5> snappy: windws 7 still seems to make vivid use of it with the workgroups and share detection... :'(
13:30 -!- MaliusArth [~MaliusArt@chello062178198129.5.15.univie.teleweb.at] has joined #openvpn
13:30 -!- MaliusArth [~MaliusArt@chello062178198129.5.15.univie.teleweb.at] has left #openvpn []
13:33 -!- cap3lla [~cap3lla@unaffiliated/cap3lla] has joined #openvpn
13:34 < cap3lla> hello everybody. How can I safely delete/remove a client certificate I have created before with "build-key-pkcs12 client" ? do I have to manually edit serial.txt and delete some files, or is there a wrapper for that, something equivalent to to the "build-key-pkcs12 client" command I used before?
13:36 <@krzee> you seem to not understand how PKI works
13:37 <@krzee> you want to stop a user who has a cert from connecting, right?
13:37 -!- rudivd [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has joined #openvpn
13:39 < cap3lla> krzee: unfortunately not. No, I don't want to just "revoke" (=make invalid) a clients certificate, I really want to remove it completely from my /etc/easy-rsa/keys directory there. I could do of course manually edit the files, but is there another way?
13:40 <@krzee> no because theres no point to doing that
13:40 <@krzee> once its been signed its been signed, theres no undoing it
13:41 <@krzee> uncoding the record of it makes it impossible to later revoke with a crl
13:41 <@krzee> s/uncoding/undoing/
13:43 < cap3lla> krzee: that's exactly what I need to know. Please explain to me more detailled: if I would ... (1)remove 03.pem, (2)remove the line 03 in "index.txt", (3)edit "serial" and lower it -1
13:44 < cap3lla> the OpenVPN server wouldn't accept the client I deleted, right? When I would put these information later in again and restart the OpenVPN server, will he accept the cert?
13:44 <@krzee> of course it would accept it
13:44 <@krzee> !pki
13:44 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
13:44 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
13:45 < m4rcu5> cap3lla: you might want to look into certificate revocation lists
13:45 <@krzee> !crl
13:45 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
13:45 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
13:46 <@krzee> m4rcu5, really first he should look into how PKI works
13:46 <@krzee> (before administrating his own)
13:47 < m4rcu5> krzee: agree, however the "function" he tries to use in the crl :P
13:47 < cap3lla> krzee: that information is all I need. Thank you very much. You helped me -although you still think I need to look inside the "revoke" stuff :P -
13:47 < cap3lla> thanks
13:47 <@krzee> cap3lla, once you sign the .csr and get a .crt, the person with the .crt and its .key are authorized by anybody who uses the ca.crt it was made with to check
13:47 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has quit [Ping timeout: 264 seconds]
13:48 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
13:48 -!- d3lphi [~d3lphi@HSI-KBW-46-223-193-194.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
13:48 <@krzee> you will prolly break the PKI by doing what you're talking about cap3lla
13:48 < cap3lla> krzee: got 'ya, yes
13:48 < cap3lla> thanks
13:48 < cap3lla> cya
13:49 -!- cap3lla [~cap3lla@unaffiliated/cap3lla] has quit [Quit: protect yourself! --> www.govspy.com <-- be informed, share that!]
13:52 < m4rcu5> ow well it can be usefull if you signed a cert, but immidiatly erased it (keeping the serial the same)
14:03 <@krzee> why do i feel like that guy owned some site and just signed his own cert to their vpn
14:03 <@krzee> haha
14:06 < m4rcu5> krzee: what you mean?
14:13 -!- dazo_afk is now known as dazo
14:15 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:20 -!- rudivd [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has quit [Quit: Textual IRC Client: www.textualapp.com]
14:37 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 240 seconds]
14:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
14:39 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
14:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:40 -!- mode/#openvpn [+v s7r] by ChanServ
14:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
14:44 -!- BenLue [~BenLue@unaffiliated/benlue] has joined #openvpn
14:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:50 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:52 -!- d3lphi [~d3lphi@HSI-KBW-46-223-193-194.hsi.kabel-badenwuerttemberg.de] has left #openvpn []
14:56 -!- rudivd_ [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has joined #openvpn
15:07 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
15:08 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
15:12 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
15:32 -!- mattock is now known as mattock_afk
15:36 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
15:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:41 -!- larryone [~larryone@89.100.23.131] has quit [Ping timeout: 260 seconds]
15:53 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
16:00 < BenLue> my Network Structur: OpenWRT VPN Client -> Orange Router -> Internet
16:00 < BenLue> fc
16:01 -!- rudivd_ [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
16:07 -!- Netsplit *.net <-> *.split quits: eZpl0it, pradeepc, Ridley5, @syzzer, Thermi, swebb, ketas, tdreyer1, SushiDude
16:07 -!- Netsplit over, joins: pradeepc
16:07 -!- Netsplit over, joins: ketas, Thermi
16:07 -!- Netsplit over, joins: syzzer, SushiDude
16:07 -!- mode/#openvpn [+o syzzer] by ChanServ
16:08 -!- Netsplit over, joins: tdreyer1
16:13 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
16:17 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has joined #openvpn
16:22 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has quit [Ping timeout: 250 seconds]
16:24 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:27 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has joined #openvpn
16:32 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has quit [Ping timeout: 264 seconds]
16:33 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
16:43 -!- brah [~allsdfjal@190.193.70.120] has joined #openvpn
16:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
17:01 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has joined #openvpn
17:08 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
17:11 -!- Champi [Champi@rootshell.fr] has joined #openvpn
17:12 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 240 seconds]
17:13 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
17:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:21 -!- Chex [sss@hotlanta.northnook.ca] has quit [Ping timeout: 252 seconds]
17:27 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
17:30 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:37 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
17:42 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
17:47 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:48 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:51 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has quit [Ping timeout: 240 seconds]
17:56 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
17:57 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has joined #openvpn
18:00 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
18:00 < Valcorb> Hello
18:00 < Valcorb> I have a small question
18:00 < Valcorb> What are the steps to open a port on my VPN?
18:00 < Valcorb> tried opening the port on iptables but didn't work
18:01 < pekster> "on your VPN" ?
18:01 < pekster> !goal
18:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:01 <+s7r> anyone in the mood to help me configure a vpn for my mobile phone? I have the server and everything, just don't know what to put inside the server and client config
18:01 < Valcorb> access internet over my vpn
18:01 < Valcorb> I redirected all traffic through my VPN
18:01 < Valcorb> but can't seem to open ports
18:02 < pekster> THat's not specific enough. Can you not get to google? Is there a firewall on your client? The VPN server? Are you trying to send data _to_ the client? (going the "other" direction?)
18:02 < pekster> Our crystal ball quit due to overuse and bad pay ;)
18:03 < Valcorb> no no
18:03 < Valcorb> everything is working fine
18:03 < Valcorb> like
18:03 < Valcorb> I can access Google
18:03 < Valcorb> and play games
18:03 < Valcorb> and whatnot
18:03 < Valcorb> I just want to open a port on µTorrent
18:03 < Valcorb> through  my VPN
18:03 < Valcorb> so the utorrent port is open on my VPN
18:03 < pekster> So you want to receive inbound connections from the outside?
18:04 < Valcorb> yes
18:04 < pekster> Is the VPN IP space RFC1918, or globally-routable?
18:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:06 < Valcorb> I would guess globally-routable
18:06 < Valcorb> oh
18:06 < Valcorb> wait
18:06 < Valcorb> no
18:06 < Valcorb> RFC1918
18:07 < pekster> Then you need 3 things to happen for this to work. 1) You need to do inbound NAT on the VPN server just as you would across any RFC1918 boundry, 2) you need to either redirect all outbound traffic from the client over the VPN link _or_ optionally set up policy routing based on the inbound interface of arriving traffic, and 3) the firewall on the VPN server and client must be permissive of the traffic
18:08 < Valcorb> hmm
18:08 < Valcorb> okay
18:08 < Valcorb> I see
18:09 < Valcorb> pekster: wit iptables, right?
18:09 < Valcorb> *with
18:10 < pekster> On Linux you can do NAT and firewalling with Netfilter, yes. Policy routing is provided by a utility in the iproute2 package
18:13 < Valcorb> hmm
18:13 < Valcorb> sounds ocmplicating
18:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:14 < Valcorb> *complicating
18:14 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 264 seconds]
18:14 < Valcorb> thank you pekster
18:14 < pekster> You can avoid policy routing if you're already redirecting traffic over the link, but otherwise not
18:14 < pekster> The other 2 requirements are simply how NAT works
18:14 < Valcorb> over the link?
18:15 < pekster> Over the link created by the VPN tunnel
18:15 < pekster> A VPN just connects 2 endpoints
18:15 < Valcorb> oh
18:16 < Valcorb> okay
18:16 < Valcorb> sounds complicating
18:19 -!- Pyrogerg_ [~Gregory@75-173-71-21.albq.qwest.net] has joined #openvpn
18:20 -!- Pyrogerg [~Gregory@75-173-71-21.albq.qwest.net] has quit [Ping timeout: 240 seconds]
18:21 < BenLue> hmmm im with my latain to the end
18:22 < BenLue> Im Using OpenWRT as VPN Client. Client is connected but i can only sometimes the VPN Server IP and other VPN Clients
18:22 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Quit: Ex-Chat]
18:23 < BenLue> My Network OpenWRT -> Netger Router -> Internet
18:24 < BenLue> when i will ping from an Windows Client = Ping Time out
18:25 < BenLue> Server Config: http://paste.debian.net/hidden/5427dab4/
18:25 < BenLue> Client Config: http://paste.debian.net/110020/
18:26 < pekster> That's not a client config
18:26 < pekster> It's a UCI-centric configuration picked up on by a distro-centric initscript that is used to append CLI options that get passed to openvpn
18:27 < pekster> THat's "the thing that configures the thing that launches openvpn"
18:27 < BenLue> aho sry
18:27 < pekster> What we recommend is doing your openwrt config the sane way:
18:27 < pekster> !openwrt
18:27 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
18:27 < pekster> You can both maintain a "standard" openvpn config _and_ still launch it via OpenWRT
18:30 < pekster> It's also vastly helpful if you remove comments/whitespace (we have grep for that in !configs) as it turns 100's of lines into about 10-20
18:30 < BenLue> its better to use own openvpn.conf?
18:30 < pekster> Yes, because #openvpn helps with OpenVPN :)
18:30 -!- Dat [dat@unaffiliated/dat] has joined #openvpn
18:30 < BenLue> uci show openvpn better?
18:31 < pekster> I've no idea what that does. If it just spits back the UCI config, no, not really
18:31 < pekster> If it somehow tries to "generate" a standard config or options list, maybe
18:31 < Dat> I'm on Windows 7 Pro, using 2.3.4 openvpn and for some werid reason I am unable to create any tap devices can someone help me with this?
18:31 < BenLue> http://paste.debian.net/110022/
18:31 < pekster> Ugh no
18:32 < pekster> Just put that into an openvpn config -- you have 90% of it done for you there
18:32 < BenLue> kk
18:33 < pekster> Then replace the entire contents of the config (back it up first if you want) with 4 lines: line1) package openvpn, line2) config openvpn my_config line3) option enabled 1 line4) option config /etc/openvpn/my_config.conf
18:34 < pekster> It's basically the same amount of work, and you're not stuck relying on UCI to translate things into openvpn options and launch openvpn for you, because it's 1) ugly and I hate trying to think about it, and more logically, 2) they get small things wrong
18:34 < pekster> (comp-lzo, for instance, is _not_ a "bool" value, but openwrt pretends it is.)
18:36 < pekster> I guess that uci show output is *marginally* better. Some of the options are harder to read than others. I still have no idea what the purpose is
18:37 < BenLue> ok
18:37 < pekster> (of the UCI stuff, not your config. Ignore myranting ;)
18:37 < pekster> Also, you can either strip out your comments with our grep in !configs, or wait for me to port my old de-commenter script to perl and do it then :P
18:45 < BenLue> wich grep command i must use pekster?
18:45 < pekster> !configs
18:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
18:46 < BenLue> my Client Config: http://paste.debian.net/110023/
18:48 < Valcorb> pekster:
18:48 < Valcorb> can I have a reject rule in my forward chain in my iptables list?
18:48 < Valcorb> or is htat the reason its not working?
18:48 < pekster> Much cleaner :). Simple enough, although you usually don't need/want persist-key or persist-tun on clients. --ns-cert-type is deprecated, but still works (consider replacing that with `--remote-cert-tls server` instead)
18:49 < pekster> Otherwise that's a very generic client config
18:52 < Valcorb> these are my current rules
18:52 < Valcorb> http://i.imgur.com/7rctl40.png
18:52 < pekster> No. Screenshots bad. -L is bad. That's just awful
18:52 < pekster> Pastebin `iptables-save` somewhere if you want me to even look at it
18:53 < pekster> Remember there are generally firewalls at _both_ ends (VPN server and client) and the server is far more important here
18:53 < Valcorb> yea this is the server
18:54 < BenLue> pekster i have change ns-cert-type to remote-cert-tls server but no result ping timeout again :(
18:54 < pekster> Nah, that won't fix that BenLue, just a suggestion to avoid the deprecated stuff
18:54 < BenLue> ahh okay
18:55 -!- dazo is now known as dazo_afk
18:56 < BenLue> i dount know were im beginning to search!
18:56 < Valcorb> pekster:
18:56 < Valcorb> http://paste.debian.net/110025/
18:56 < Valcorb> like this?
18:57 < BenLue> Now i can ping again to my VPN Server
18:57 < pekster> Much better Valcorb
18:57 < BenLue> but how long
18:57 < Valcorb> alright, btw thanks for your help
18:58 < pekster> Valcorb: However, you don't have any inbound NAT configured (read about the DNAT target in iptables-extensions(8) -- or iptables(8) if your userland is way out of date.) You'll also need to accept it on the filter table, and I'd recommend simply accepting anything that matches `--ctstate DNAT`
18:58 < pekster> Also, -m state on line 14 is deprecated -- consider replacing with `-m conntrack --ctstate` instead
18:58 < Valcorb> You seem to be really advanced in this stuff
18:59 < Valcorb> I like that
18:59 < Valcorb> I'll look into it
18:59 < Valcorb> thanks
18:59 < pekster> #Netfilter has more experts (I idle there too) for Netfilter-specific knowledge
18:59 < pekster> OpenVPN is "just a fancy router" in principle
18:59 < Valcorb> haha
18:59 < Valcorb> okay
18:59 < Valcorb> thanks
18:59 < pekster> It's not really that useful unless you know basic networking and routing
19:02 < Valcorb> hehe
19:02 < Valcorb> I'll try to figure it out
19:05 < BenLue> pekster i cant ping from Windows Client to any VPN IPS. I need a special Route?
19:07 < BenLue> but Ping to my Own VPN ip 10.8.0.6 is working
19:07 < pekster> Without a server config it's hard to say
19:08 < BenLue> ohhh sry pekster :) Here my Server Config http://paste.debian.net/110027/
19:10 < pekster> And the client connects successfully (and stays connected for about 90 seconds -- that's about the ping timeout value) ? But you can't ping 10.8.0.1 from the client?
19:11 -!- Latrina [~Latrina@ppp-74-47.26-151.libero.it] has quit [Ping timeout: 260 seconds]
19:12 < BenLue> Only from Location Germany, in Location France (here), works fine
19:12 < pekster> Without logs from the client, it's hard to day
19:12 < pekster> say*
19:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
19:12 -!- Latrina [~Latrina@ppp-5-42.26-151.libero.it] has joined #openvpn
19:12 < pekster> Logs at --verb 4 tend to identify problems
19:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
19:17 < BenLue> http://paste.debian.net/hidden/886ecf6d/
19:18 < BenLue>  Peer Connection Initiated with [AF_INET]
19:18 < BenLue> it looks fine
19:21 < pekster> Are you connecting from both clients using the same cert? If so, you should use separate certs, or read about !dupe
19:23 < BenLue> seperat
19:23 < pekster> Then unless that client gets disconncted a moment later, or proper review of the logs at --verb 4 shows other errors, that client is connected successfully
19:24 < pekster> (moment =~ 70 seconds or so)
19:24 < pekster> Or the firewall allows 1 client to ping but not the other ;)
19:25 < BenLue> hmmm here my tracert: http://paste.debian.net/hidden/bde07aa9/
19:26 < BenLue> from Location in Germany
19:27 < BenLue> and tracert from Location France: http://paste.debian.net/hidden/eb51281b/
19:30 < BenLue> pekster it looks strange
19:32 < pekster> Smells like firewall on that 2nd hop
19:34 < BenLue> http://paste.debian.net/hidden/31505696/
19:36 < pekster> FFS, openwrt writes ugly rules
19:36 < pekster> -L is also braindead-stupid
19:37 < pekster> -L lines, it omits critical info, and shows you 20% of the default tables in Netfilter; avoid it like the AIDS.
19:37 < pekster> lies*
19:37 < pekster> iptables-save on the other hand spits complete output, but that's one meta-ugly ruleset anyway
19:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 272 seconds]
19:38 < pekster> If you're trying to make openwrt's "stock" ruleset be permissive to your packets, you'll likely have better luck asking them
19:38 < pekster> Do tcpdump your traffic first though to confirm the pings never leave out the tun device
19:39 < pekster> If they don't, it's almost certainly your firewall
19:41 < BenLue> ahhh okay i learn more, thank you. Here my iptables-save: http://paste.debian.net/hidden/7ea18a2c/
19:41 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has quit [Ping timeout: 240 seconds]
19:42 < pekster> Yea, sorry, not really interesting in reviewing that mess
19:43 < pekster> Verify if your packets bound for 10.8.0.1 ever leave the tun device on the router though. If they do, the problem is elsewhere. If they don't, you probably need to learn how openwrt configures its firewall, or learn how to manage Netfilter in a less-sloppy way
19:43 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
19:44 < BenLue> Problem is, i use the same firewall settings from my second Location
19:54 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
19:57 -!- u0m3_ [~u0m3@92.80.75.87] has joined #openvpn
19:59 -!- u0m3 [~u0m3@92.80.89.211] has quit [Ping timeout: 256 seconds]
20:23 -!- Latrina [~Latrina@ppp-5-42.26-151.libero.it] has quit [Ping timeout: 240 seconds]
20:26 -!- Latrina [~Latrina@ppp-183-1.26-151.libero.it] has joined #openvpn
20:26 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
20:33 -!- BenLue [~BenLue@unaffiliated/benlue] has quit [Ping timeout: 250 seconds]
20:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:38 -!- u0m3_ is now known as u0m3
20:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
21:01 -!- brah [~allsdfjal@190.193.70.120] has quit [Ping timeout: 264 seconds]
21:11 -!- sdkell2 [~shlomo@199.233.247.170] has joined #openvpn
21:11 < sdkell2> !welcome
21:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:12 < sdkell2> !goal
21:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:15 -!- sdkell2 [~shlomo@199.233.247.170] has quit [Client Quit]
21:15 <@ecrist> that's not a goal
21:34 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 240 seconds]
21:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
22:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
22:59 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:09 -!- ShadniX [dagger@p5481C9DE.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:12 -!- ShadniX [dagger@p5DDFFB4C.dip0.t-ipconnect.de] has joined #openvpn
23:18 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 264 seconds]
23:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
--- Day changed Wed Jul 16 2014
00:06 < Dat> I am having a strange problem with my openvpn it can't create a tap device in windows 7
00:06 < Dat> how can I fix?
00:20 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:40 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
00:41 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
00:55 -!- rudivd_ [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has joined #openvpn
01:21 -!- mattock_afk is now known as mattock
01:21 -!- rudivd_ [~rudivd@2001:980:74d0:1000:9d0c:643:f7e3:eee4] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
01:26 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:44 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:06 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
02:28 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
02:39 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-msdmumvcyinlrumt] has quit [Ping timeout: 245 seconds]
02:46 -!- mattock is now known as mattock_afk
03:14 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
03:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
03:31 <@plaisthos> snappy: hu? It does?
03:43 <@krzee> snappy, just use the binary from openvpn-installer and run it from cli / script
03:44 <@krzee> you dont need the gui, assuming you have root and tun in the kernel
03:44 <@krzee> or can find tun module for the kernel
03:49 -!- Latrina [~Latrina@ppp-183-1.26-151.libero.it] has quit [Ping timeout: 240 seconds]
03:50 -!- rudivd__ [~rudivd@2001:980:74d0:1000:682b:50bf:3662:dbb7] has joined #openvpn
03:51 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has joined #openvpn
04:00 -!- rudivd__ [~rudivd@2001:980:74d0:1000:682b:50bf:3662:dbb7] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
04:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:20 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 245 seconds]
04:20 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 245 seconds]
04:23 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
04:24 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
04:27 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
04:29 < snappy> plaisthos: yeah, according to the openvpn gui it says vpnservice isn't available
04:29 < snappy> firetv
04:29 < snappy> krzee: hvaen't tried the binary yet
04:52 -!- Mimiko [~Mimiko@77.89.245.38] has quit []
05:16 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 240 seconds]
05:16 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 240 seconds]
05:18 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
05:18 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
05:24 < D-Boy> Hello again, I setup openvpn client on a windows xp VM, It connects to the openvpn server, and i can see the local ip (10.8.0.6) but when browsing internet (firefox) to http://adresseip.com, i still get my ISP IP instead of the openvpn server IP (on a dedicated server)
05:34 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 240 seconds]
05:51 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:33 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
06:36 -!- Pyrogerg_ [~Gregory@75-173-71-21.albq.qwest.net] has quit [Ping timeout: 240 seconds]
06:37 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
06:40 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
07:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
07:12 -!- mattock_afk is now known as mattock
07:21 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:49 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has quit [Ping timeout: 256 seconds]
07:51 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
08:02 < ljvb> D-Boy look into the "redirect-gateway" option
08:07 -!- autrilla is now known as autrilla|noms
08:08 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
08:11 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
08:21 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has quit [Ping timeout: 240 seconds]
08:44 -!- u0m3 [~u0m3@92.80.75.87] has quit [Read error: Connection reset by peer]
08:49 -!- u0m3 [~u0m3@92.80.64.168] has joined #openvpn
08:50 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:54 -!- rudivd__ [~rudivd@xlexit.xs4all.nl] has joined #openvpn
08:58 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:00 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
09:04 -!- autrilla|noms is now known as autrilla
09:45 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
09:46 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:47 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:53 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:00 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
10:10 -!- rudivd__ [~rudivd@xlexit.xs4all.nl] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:30 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
10:43 < D-Boy> ljvb: thx, i had several issues, and finally it works :)
10:49 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
10:51 -!- Denial [~Denial@host86-163-221-70.range86-163.btcentralplus.com] has quit [Ping timeout: 245 seconds]
10:54 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:07 -!- rudivd_ [~rudivd@2001:980:74d0:1000:1d4a:8d8d:aa76:3119] has joined #openvpn
11:09 -!- pseudo_ [~pseudo@65.204.49.74] has joined #openvpn
11:11 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:13 -!- Neoteric [~timball@coronal-mass-ejection.sunlightfoundation.com] has joined #openvpn
11:14 -!- rudivd_ [~rudivd@2001:980:74d0:1000:1d4a:8d8d:aa76:3119] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
11:15 < Neoteric> i've setup an ec2 instance w/ openvpn according to the docs . i've logged in and created a group and a user but i can't figure out how to generate an .ovpn from the web thingie ... unless i'm not supposed to do that in which case i'm confused what the web access thingie is for
11:16 < pekster> web thingy probably means you're using AS, not OpenVPN. See here:
11:16 < pekster> !as
11:16 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
11:18 < Neoteric> interseting
11:18 <@krzee> !learn as as AS is a commercial product, different from open source OpenVPN
11:18 <@vpnHelper> Joo got it.
11:18 < Neoteric> gotcha
11:18 <@Eugene> !as
11:18 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
11:18 <@krzee> o.O
11:18 < Neoteric> thanks thank
11:18 <@Eugene> "as" as.
11:19 <@krzee> !AS
11:19 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
11:19 <@Eugene> (we've been through this before, methinks)
11:19 < pekster> AS is more of a commercial-frontend to the 2.2 series, but the "program as a whole" is of course subjct to the EULA stuff
11:19 <@krzee> i guess eric made the entry via sqlite
11:27 < Neoteric> well yeah i didn't get that when i did the install... thanks all
11:27 -!- Neoteric [~timball@coronal-mass-ejection.sunlightfoundation.com] has left #openvpn []
11:30 <@krzee> !as
11:30 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
11:30 <@krzee> :D
11:30 <@Eugene> Huzzah
11:31 -!- rudivd [~rudivd@2001:980:74d0:1000:1d4a:8d8d:aa76:3119] has joined #openvpn
11:33 < _FBi> :)
11:51 < Valcorb> Whenever I restart my computer, I have to re-install the TAP driver on my Win installation for it to redirect traffic through my VPN
11:51 < Valcorb> it connects fine, it just doesn't redirect traffic
11:51 < Valcorb> until I re-install the TAP driver
12:03 -!- pseudo_ [~pseudo@65.204.49.74] has quit [Quit: leaving]
12:03 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:05 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
12:06 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
12:13 -!- schz2 [~jbiskofsk@customer-189-217-131-58.cablevision.net.mx] has joined #openvpn
12:14 < schz2> hey everyone, i set up an openvpn server on a linux machine using easy-rsa v2 to generate the certs, i then copied the client certs over to my mac and tried to connect and it worked perfect
12:14 < schz2> copied them over to a freebsd server and it worked perfect
12:14 < schz2> same client config/certs copied over to a windows7 machine using openvpn gui from openvpn.se
12:14 < schz2> VERIFY ERROR: depth=1, error=certificate signature failure:
12:15 < schz2> TLS_ERROR: BIO read tls_read_plaintext error
12:15 < schz2> ive tried regenerating the certs a bunch of times
12:15 < schz2> and no luck, cant get past that error on windows
12:15 < schz2> ive made sure all the machines have the correct time
12:15 < schz2> i dont know whats going on. any ideas? thanks :]
12:17 -!- Flametail [~Jamie96@dynamic-acs-72-23-73-146.zoominternet.net] has joined #openvpn
12:18 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
12:18 < schz2> i did notice the linux server is 2.3.4, the freebsd machine is 2.3.0, mac is also 2.3.0 and the windows machine says 2.0.9 in the logs
12:18 < schz2> but i just used the most recent downlad available for all machines
12:18 < Flametail> My OpenVPN server is behind a router that does not do static routes, and I have tried to employ the NAT-hack with no success in allowing remote clients to access LAN resources.
12:19 < Flametail> My server is Server 2003, my stupid router is a NETGEAR R6300, which, while it allows me to set routes, apparently ignores them.
12:19 < schz2> flametail, i would try to install a simpler service on the windows machine, like a little web server and then redirect port 80 on the router to the windows machine, and make sure that works
12:20 < schz2> another option, there is an alternative firmware for those routers called ddrwt
12:20 < schz2> if you install that on the router, that thing does openvpn natively
12:21 < Flametail> schz2: Port forwarding works, I can connect to the VPN service remotely just fine, just can't seem to use it to connect to other internet stuff.
12:21 < Flametail> *internal
12:23 < schz2> ok - so its like this : client -> internet -> netgear6300 -> openvpn server
12:23 < schz2> ?
12:23 < Flametail> schz2: Yes
12:23 < schz2> and you want client to access other stuff on the openvpn server lan ?
12:24 < Flametail> And I want to achieve client -> internet -> netgear -> ovpn --> NAS/iMac/Laptop
12:24 < Flametail> And it's all fine except for "-->"
12:24 < schz2> ok - im not an expert, i came in here asking questions too, but i dont think you need to set routes on the netgear to achieve that at all
12:25 < schz2> you need the ovpn server to route traffic between client and lan
12:25 < Flametail> schz2: Yeah, I thought that too...NAT-hack. Sadly, that's not helping either.
12:25 < Flametail> https://community.openvpn.net/openvpn/wiki/NatHack
12:25 <@vpnHelper> Title: NatHack – OpenVPN Community (at community.openvpn.net)
12:25 < schz2> is the ovpn server linux or windows?
12:26 < Flametail> schz2: Windows Server 2003
12:27 < schz2> ok, so i think this should work, figure out how to get the windows server 2003 to route traffic between interfaces, unfortunately i only know how to do that on linux or bsd, not windows, then on the windows client add a route that says route add internal.lan.ip/24 openvpn.server.tunnel.ip tap-if
12:27 < schz2> thats not a real command, but its sxomething like that
12:28 < schz2> you need to let the client know that to reach the lan it need to use the ovpn server as its gateway
12:28 < schz2> ive done this for sure, just not using windows
12:37 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has quit [Max SendQ exceeded]
12:37 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has joined #openvpn
12:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:39 -!- mode/#openvpn [+v s7r] by ChanServ
12:42 -!- dazo_afk is now known as dazo
12:44 -!- Flametail [~Jamie96@dynamic-acs-72-23-73-146.zoominternet.net] has quit [Ping timeout: 240 seconds]
12:51 -!- schz2 [~jbiskofsk@customer-189-217-131-58.cablevision.net.mx] has quit [Quit: .]
12:51 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has joined #openvpn
12:51 < nobody481> I'm running FreeBSD 8.4.  I'm trying to follow the instructions on openvpn.net to "Generate the master Certificate Authority certificate & key".  I get to the step where I'm supposed to run ". ./vars" and it gives a permission denied error.  I ran the same command as root and get "/usr/local/bin/.: Permission denied."   I don't understand how a period is supposed to be a command.  I understand ./some-command but what is one period supp
12:52 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
12:52 < nobody481> !welcome
12:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:05 -!- rudivd [~rudivd@2001:980:74d0:1000:1d4a:8d8d:aa76:3119] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
13:17 -!- rudivd_ [~rudivd@2001:980:74d0:1000:bded:14f4:c95d:5007] has joined #openvpn
13:20 -!- rudivd_ [~rudivd@2001:980:74d0:1000:bded:14f4:c95d:5007] has quit [Client Quit]
13:29 <+s7r> i have a strange problem. a vpn works just fine in my computer, but won't connect on android. it says: unrecognized option dev
13:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
13:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:46 -!- altermann [~none@S010660a44c6619d1.vs.shawcable.net] has joined #openvpn
14:11 -!- buhman [rewt@selene.buhman.org] has joined #openvpn
14:11 < buhman> MULTI: bad source address from client [173.230.137.76], packet dropped
14:13 < buhman> how can I tell openvpn to allow arbitrary source addresses for traffic client->server, and that thus and such source address in replies (server->client) should go back to the same client.
14:15 < buhman> the only documented thing afaict is doing iroute in a client ccd saying thus and such network prefix is being forwarded by this client.
14:16 < buhman> instead I want 0/0 to go (server->client) if source address is 'foo', and to not-drop 0/0 (client->server).
14:20 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
14:24 -!- akp [~akp@50.169.193.161] has joined #openvpn
14:24 < akp> hello
14:24 < akp> is there a way to import .crypt files from Securepoint SSL VPN client to linux/openvpn?
14:25 -!- eddq [~eddq@li645-74.members.linode.com] has joined #openvpn
14:25 < eddq> !welcome
14:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
14:25 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:26 < eddq> !logs
14:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:26 < akp> i have a windows securepoint install.  i have exports its configs (since i can't remember some things) to a .crypt file
14:26 < akp> is there anyway i can import this .crypt file in to openvpn and use it on my linux box.
14:33 < eddq> !config
14:33 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
14:33 < eddq> !redirect
14:33 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:33 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:37 < akp> ?
14:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
14:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:45 < eddq> !howto
14:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:48 < eddq> Hi, I've read the help guides and info but am still having an issue trying to debug my openvpn issue. I had a previously working vpn running on Ubuntu and then did an upgrade and reboot and it stopped working. I can connect to it and ping it but can't reach the internet through it
14:48 < eddq> ip forwarding is enabled so I'm pretty stumped
14:51 < eddq> client config: http://pastie.org/private/6zbbfn3xurwmxwb017dya - Server config: http://pastie.org/private/chzevlmrzualcoydsmrhjg - connection log: http://pastebin.com/AkD0g2Np
14:51 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:51 -!- mode/#openvpn [+v s7r] by ChanServ
14:51 < eddq> Cheers
14:53 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has quit [Ping timeout: 250 seconds]
14:55 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 30.0/20140605174243]]
15:02 -!- eddq [~eddq@li645-74.members.linode.com] has quit [Remote host closed the connection]
15:16 -!- Dat [dat@unaffiliated/dat] has left #openvpn []
15:17 -!- eddq [~eddq@li645-74.members.linode.com] has joined #openvpn
15:25 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:31 -!- eddq [~eddq@li645-74.members.linode.com] has left #openvpn []
15:46 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
15:54 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:05 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
16:07 -!- mattock is now known as mattock_afk
16:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- amartinenco [~chatzilla@206-248-138-154.dsl.teksavvy.com] has joined #openvpn
16:23 < amartinenco> quick question. I wanted to install OpenVPN knowing that it was free and now I see 7.50$ per user license. Is it for Access server only?
16:24 < pekster> amartinenco: Correct, AS is a commercially-licensed product. OpenVPN is GPLv2 and you're free to use it however you like so long as you follow its license
16:25 < pekster> If you got misdirected by the payware-download stuff, see here:
16:25 < pekster> !download
16:25 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
16:25 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
16:26 < akp> what linux client supports OTP for openvpn?
16:26 < akp> ??
16:27 < pekster> akp: Use --auth-user-pass with a script you write that does the OTP auth (eg: TOTP)
16:27 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has quit [Ping timeout: 240 seconds]
16:27 < pekster> You'll need to get just a little clever about not requiring the password after the initial login attempt, but otherwise you treat it just like any other two-factor auth in openvpn
16:27 < akp> pekster: can you point me at something?
16:28 < pekster> !scripts
16:28 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
16:28 < akp> i am using network manager, and it wants me to give the cert pass + otp pass
16:28 < pekster> I've NFI what "OTP pass" is
16:28 < pekster> It's network-manager stupidity, because the client does not know/care _what_ the password is used for
16:28 < akp> ?
16:28 < akp> so i can leave that password blank?
16:29 < pekster> Do you even have an OTP implementation on your server? Are you using OATH-style TOTP, such as with Google Authenticator?
16:29 < pekster> Have you send your authenticator the shared-secret already for an OTP scheme?
16:29 < pekster> etc, etc
16:29 < pekster> You seem not to really know what OTP is, thus I suspect you're not using it
16:30 < pekster> This is the traditional way to do device-agnostic OTP these-days: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
16:30 <@vpnHelper> Title: Time-based One-time Password Algorithm - Wikipedia, the free encyclopedia (at en.wikipedia.org)
16:30 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
16:41 -!- amartinenco [~chatzilla@206-248-138-154.dsl.teksavvy.com] has quit [Ping timeout: 264 seconds]
16:56 -!- altermann [~none@S010660a44c6619d1.vs.shawcable.net] has quit [Ping timeout: 240 seconds]
17:03 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has quit [Ping timeout: 240 seconds]
17:09 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
17:10 < akp> pekster: i was trying to do it on the client side.  my office has a server setup with OTP
17:11 < akp> the server side has my seeds etc
17:11 < akp> and i currently use it with sercurepoint ssl client on windows
17:11 < pekster> !notcompat
17:11 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
17:11 < pekster> OpenVPN works with OpenVPN, not any other VPN protocol
17:11 < akp> and yes, it is TOTP
17:12 < akp> pekster: please stop speaking out of your ass.
17:12 < akp> pekster: http://www.securepoint.cc/products-vpn-clients.html
17:12 <@vpnHelper> Title: Securepoint VPN Clients (at www.securepoint.cc)
17:12 < pekster> So then say you're using openvpn. I don't care what branding some commercial wrapper around it has
17:12 < akp> its the client
17:13  * pekster shrugs
17:13 < akp> that is only the client
17:13 < akp> the server backend is a openvpn server.
17:13 < akp> i have been asking for a client.
17:13 < pekster> An OpenVPN client has nothing at all to do with OTP
17:13 < akp> not some MS L2TP VPN etc etc
17:14 < pekster> You can _supply_ OTP credentials however you require for your server-side infra, which is almost always going to be using the --auth-user-pass mechanism. Optionally read about the C/R mechanism in the management documentation, but that's a fairly advanced concept
17:14 < pekster> Of course, that choice needs to match how the server is configured to require them. AFAIK there's basically nothing out there using C/R except maybe the Connect software, but the API is available should you wish to explore it
17:16 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
17:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:37 -!- ShadniX [dagger@p5DDFFB4C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
17:39 -!- ShadniX [dagger@p5DDFF499.dip0.t-ipconnect.de] has joined #openvpn
17:39 <+s7r> my vpn server has native v6 , can i use that too?
17:40 <@dazo> s7r: with openvpn 2.3, yes
17:41 <@dazo> but if you want to provide IPv6 over the tunnel, you need to allocate a subnet for it
17:41 <+s7r> simultaneous or 2 instances for v4 and v6?
17:41 <@dazo> iirc, if you configure udp6 or tcp6, it will respond to both
17:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:50 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:52 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:52 -!- Pyrogerg_ [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
17:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
17:53 -!- Kniaz1 is now known as kniaz
17:53 -!- kniaz is now known as Kniaz
18:00 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 272 seconds]
18:35 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has joined #openvpn
18:43 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Quit: ttfn]
18:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
18:45 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
18:57 -!- Pyrogerg_ [~Gregory@67-0-225-231.albq.qwest.net] has quit [Ping timeout: 250 seconds]
19:04 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
19:04 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
19:14 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:15 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 272 seconds]
19:22 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
19:37 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has joined #openvpn
19:59 -!- dazo is now known as dazo_afk
20:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
20:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
20:49 < snappy> is there an openvpn dev channel?
20:49 < pekster> #openvpn-devel (best to idle there for a bit due to time-zone differences.) There's also a mailing list
20:57 < snappy> thanks
21:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:35 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
21:36 <@krzee> !mesh
21:36 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
21:36 <@krzee> check out #3
22:19 -!- ShadniX [dagger@p5DDFF499.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
22:20 -!- ShadniX [dagger@p5481DE87.dip0.t-ipconnect.de] has joined #openvpn
23:02 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:25 -!- ShadniX [dagger@p5481DE87.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:26 -!- ShadniX [dagger@p5DDFE367.dip0.t-ipconnect.de] has joined #openvpn
23:29 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 250 seconds]
--- Day changed Thu Jul 17 2014
00:03 -!- autrilla [~autrilla@unaffiliated/autrilla] has left #openvpn ["Leaving"]
00:16 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
00:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
00:29 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:39 -!- mattock_afk is now known as mattock
00:51 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
00:53 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:58 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
01:03 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:24 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
--- Log closed Thu Jul 17 01:30:21 2014
--- Log opened Thu Jul 17 07:37:52 2014
07:37 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
07:37 -!- Irssi: #openvpn: Total of 159 nicks [8 ops, 0 halfops, 3 voices, 148 normal]
07:37 -!- mode/#openvpn [+o ecrist] by ChanServ
07:37 -!- Irssi: Join to #openvpn was synced in 1 secs
07:38 <+s7r> plaisthos dev tun
07:42 -!- zapotek6 [~zap@95.74.109.18] has joined #openvpn
07:42 -!- zapotek6 [~zap@95.74.109.18] has quit [Max SendQ exceeded]
07:55 -!- trispace [~rf@unaffiliated/trispace] has joined #openvpn
08:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
08:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:16 -!- elfixit [~Icedove@245-228.197-178.cust.bluewin.ch] has joined #openvpn
08:20 -!- elfixit [~Icedove@245-228.197-178.cust.bluewin.ch] has quit [Ping timeout: 250 seconds]
08:21 -!- zapotek6 [~zap@95.74.109.18] has joined #openvpn
08:21 -!- zapotek6 [~zap@95.74.109.18] has quit [Max SendQ exceeded]
08:34 -!- trispace [~rf@unaffiliated/trispace] has quit [Quit: trispace]
08:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:49 <@plaisthos> s7r: hm OpenVPN should have no problem with that
08:50 <@plaisthos> s7r: I am really confused what happens there on your phone
08:50 < busch> !welcome
08:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:50 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:51 < busch> !iporder
08:51 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
08:52 < busch> !static
08:52 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
08:53 < busch> !ipp
08:53 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
08:54 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
08:54 < busch> awesome bot oO. Problem solved by talking to a machine :D
08:54 < eike_52n> !welcome
08:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:54 <@krzee> good job!
08:56 < eike_52n> !goal
08:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:56 <@plaisthos> busch: you solve a problem with a machine using a machine you would not have if the first machine did not exist
08:57 < busch> plaisthos: Whoever programmed this bot: Good job!
08:58 <@krzee> !version
08:58 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1.  The newest version available online is 0.83.4.1.
08:58 <@krzee> !factoids
08:58 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:58 <@krzee> !bot
08:58 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
08:58 <@krzee> =]
08:58 < eike_52n> goal := I want to connect external clients via openvpn to our company LAN. E.g. a staff member is in homeoffice, starts openvpn client and becames part of the company LAN and becaus of that he/she is able to use resources from the LAN, e.g. printer...
08:58 <@krzee> !serverlan
08:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
08:58 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
08:59 < busch> krzee and ecrist: Thanks!
08:59 < eike_52n> krzee, the openvpn server is not running on the company LAN router and on a didecated pc available via NAT. Is this !servlan, too?
09:01 <@krzee> eike_52n, sure, just means you need !route_outside_openvpn on the lan router
09:02 < eike_52n> I did this and the route is pushed to the client. It receives an IP from the vpn subnet 10.x.x.x but did not became part of the company LAN...
09:02 < eike_52n> I'll check your serverlan stuff
09:02 < eike_52n> By the way, I cannot reach http://ircpimps.org/serverlan.png
09:03 <@krzee> ya my servers down use the link right after
09:03 < eike_52n> Thank you
09:04 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:05 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:05 -!- Kniaz1 is now known as Kniazek
09:11 < eike_52n> I'll check this from my homeoffice. See you later and thank you for your help so far!
09:11 <@krzee> np
09:16 -!- eike_52n [~eike@80.156.182.234] has quit [Ping timeout: 250 seconds]
09:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
09:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:24 <@ecrist> what did I do?
09:30 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:30 <@krzee> help change vpnHelper's diapers
09:31 <@krzee> haha
09:31 <@ecrist> ah
09:38 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
09:49 -!- eike_52n [~eike@e181227192.adsl.alicedsl.de] has joined #openvpn
09:50 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
09:50 <@krzee> !tcp
09:50 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
09:56 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:02 -!- amartinenco [~chatzilla@206-248-138-154.dsl.teksavvy.com] has joined #openvpn
10:02 -!- Netsplit *.net <-> *.split quits: indy, goldkatze, eike_52n, @raidz, Cpt-Oblivious
10:03 -!- Netsplit over, joins: raidz
10:03 -!- mode/#openvpn [+o raidz] by ChanServ
10:04 < amartinenco> if I install OpenVPN on a dedicated machine and connect that machine to the local switch and then port forward VPN traffic from my router to it, will it work or am I misunderstanding something?
10:05 <@plaisthos> yeah openvpn is just a normal udp/tcp service
10:06 <@plaisthos> you might get bitten by
10:06 <@plaisthos> !route_outside_openvpn
10:06 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
10:06 <@plaisthos> depending on what you are tryingto achieve
10:11 < amartinenco> well basically I have 1 Lan. Modem->Router->Switch. Suppose I have 192.168.1.1 as gateway and 192.168.1.105 my OpenVPN assigned by routers dhcp. Shouldnt route be already added by default in OpenVPN server?
10:22 <@plaisthos> you might also look at
10:22 <@plaisthos> !serverlan
10:22 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:22 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:32 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:40 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
10:41 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:46 -!- bviktor [~bviktor@unaffiliated/bviktor] has joined #openvpn
10:48 < bviktor> hi, i'm trying to run a script after the vpn connection is up, but the problem is that the script is run BEFORE the "Initialization Sequence Completed
10:48 < bviktor> " message, and there's no network connection during that time so the --route-up option seems to be useless
10:50 <@krzee> !script
10:50 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
10:50 <@krzee> if you need it to be after all of those, then i could suggest either of 2 lil workarounds...
10:51 < bviktor> no, i need it after a successful connection
10:51 < bviktor> route-up is supposed to be that, but it doesn't work
10:51 <@krzee> 1) you could call it with the last script hook, make it sleep something like 20sec before dropping its payload.  just remember that you must background it and disown it because otherwise it will sit there blocking openvpn from moving forward
10:52 <@krzee> 2) you could start openvpn with a wrapper script, then once verifying openvpn is done loading run the next script
10:52 < bviktor> "verifying openvpn is done", yeah, exactly, how do i do that
10:52 <@krzee> ping the other side of the vpn link
10:53 <@krzee> the vpn server vpn ip
10:53 < bviktor> uh
10:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:53 < bviktor> i already mentioned
10:53 < bviktor> there's no network connection
10:53 < bviktor> it's in limbo
10:53 <@krzee> oh, why is there no network?
10:53 < bviktor> because openvpn is not finished with the connection!
10:54 <@krzee> openvpn cannot run without network
10:54 < bviktor> but it already calls the script
10:54 < bviktor> ...
10:54 < bviktor> no shit.
10:54 <@krzee> nevermind i dont care anymore, good luck
10:54 < bviktor> you're so ignorant
10:54 <@krzee> oh ok, now i guess its more than ill just ignore ya
10:55 < bviktor> https://groups.google.com/forum/#!msg/openvpn-users/MV4O563P7BE/8zLThpd56dwJ
10:55 <@vpnHelper> Title: Google Groups (at groups.google.com)
10:55 -!- mode/#openvpn [+b *!*bviktor@unaffiliated/bviktor] by krzee
10:55 <@krzee> later
10:55 -!- bviktor was kicked from #openvpn by krzee [bviktor]
10:55 <@krzee> rude lil bitch
10:56 <@krzee> anyone else, feel free to unban him whever you want
10:56 <@krzee> maybe you wont be too ignorant for him and be deserving of helping him
11:00 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:00 -!- mode/#openvpn [-b *!bviktor@unaffiliated/bviktor] by krzee
11:02 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Quit: Leaving.]
11:06 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
11:06 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Max SendQ exceeded]
11:06 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has joined #openvpn
11:09 -!- Nightling [~Lightning@unaffiliated/lightningw] has joined #openvpn
11:15 -!- mode/#openvpn [-b *!*bviktor@unaffiliated/bviktor] by krzee
11:20 -!- soapee01_ is now known as soapee01
11:29 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has joined #openvpn
11:31 < nobody481> Is there a way to have openvpn output to the screen and a log file at the same time?
11:40 -!- Nightling [~Lightning@unaffiliated/lightningw] has left #openvpn ["Leaving"]
11:49 <@krzee> !logfile
11:49 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:49 <@krzee> so use --log and not --daemon
11:58 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has quit [Remote host closed the connection]
12:09 -!- eike|52n [~eike@e181231092.adsl.alicedsl.de] has joined #openvpn
12:10 < eike|52n> Hi. I am in my homeoffice and working through http://pekster.sdf.org/misc/serverlan.png My set-up is failing at the point:"Can you ping the lan ip of the server?"
12:11 < eike|52n> I am note sure what to do with the response which is turn on ipforwarding in the firewall? which one? my locale or the company one?
12:11 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
12:16 <@krzee> eike|52n, same machine
12:16 <@krzee> what needs to happen: packets need to flow from 1 interface to another
12:16 <@krzee> !linipforward
12:16 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:16 < eike|52n> yes, but different place. But I found a "solution" with google: run as admin
12:16 <@krzee> oh its windows?
12:16 < eike|52n> yes, Windows 7
12:17 <@krzee> it MUST run as admin
12:17 <@krzee> but also
12:17 <@krzee> !winipforward
12:17 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
12:17 < eike|52n> the client, and ubuntu as server
12:17 <@krzee> and disable the firewall for the tap interface
12:17 <@krzee> well what side has a lan behind it?
12:17 <@krzee> windows or ubuntu?
12:17 <@krzee> (a lan that needs to be reached over the vpn)
12:17 < eike|52n> ubuntu is the openvpn server and is PART of the lan
12:17 <@krzee> ok
12:18 < eike|52n> the openvpn server is not the router of the lan
12:18 <@krzee> windows always runs as admin.
12:18 <@krzee> on ubuntu:
12:18 <@krzee> !linipforward
12:18 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:18 < eike|52n> !version
12:18 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1.  The newest version available online is 0.83.4.1.
12:18 < eike|52n> nice bot
12:18 <@krzee> once you get ip forwarding correct, you will be able to ping the lan ip of the server and continue on the flowchart
12:20 <@krzee> thanks =]
12:20 <@krzee> you dont need ip forwarding in windows.
12:28 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has joined #openvpn
12:29 < eike|52n> krzee, okay, it seems to work. I can reach all resources in the network but now I want to become really part of the network. The external IP of the client did not change.
12:30 <@krzee> you mean you want to connect to the internet through the vpn?
12:30 < eike|52n> as background: our staff member want to use this vpn connection to be able to use our mail servers which are located in the www and not our lan
12:30 < eike|52n> yes
12:30 <@krzee> !redirect
12:30 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:30 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:31 <@krzee> that is a separate issue from sharing the lan
12:31 < eike|52n> okay, thanks
12:32 <@krzee> np
12:32 <@krzee> !linnat
12:32 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
12:32 <@krzee> !def1
12:32 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
12:33 < eike|52n> okay, the bot is not responding in a query :-(
12:34 <@krzee> !msg
12:34 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
12:34 <@krzee> or easier:
12:34 <@krzee> !factoids
12:34 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:34 < eike|52n> !msg
12:34 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
12:42 < eike|52n> !ipforward
12:42 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:43 < eike|52n> krzee, is the iptables entry required, if already added ip_forward = 1 to sysctl.conf?
12:43 <@krzee> the nat one is
12:44 <@krzee> you cant send rfc1918 ips to the internet, must nat the new subnet
12:44 <@krzee> !1918
12:44 < eike|52n> okay, nat is the next step on my list
12:44 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
12:44 < eike|52n> !5737
12:44 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
12:45 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has quit [Ping timeout: 250 seconds]
13:04 < eike|52n> on the server I just executed: sudo iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
13:04 < eike|52n> but sudo iptables -L POSTROUTING returns "iptables: No chain/target/match by that name."
13:05 < eike|52n> Is this a problem?
13:11 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
13:26 < eike|52n> krzee, thank you very much, it seems to work! Have a nice evening/day/night (choose the right depending on your time zone!)!
13:35 -!- eike|52n [~eike@e181231092.adsl.alicedsl.de] has quit [Ping timeout: 250 seconds]
13:45 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
14:03 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
14:32 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
14:34 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
14:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:54 -!- larryone [~larryone@176.61.1.155] has quit [Ping timeout: 240 seconds]
14:57 -!- Pyrogerg_ [~Gregory@71-33-41-189.albq.qwest.net] has joined #openvpn
15:00 -!- Pyrogerg [~Gregory@67-0-225-231.albq.qwest.net] has quit [Ping timeout: 240 seconds]
15:05 -!- Kniazek [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:32 -!- mattock is now known as mattock_afk
15:45 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
15:46 < amartinenco> where can I download openvpn client from? or there is no such thing?
15:50 <@krzee> !download
15:50 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
15:50 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
15:58 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
16:07 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
16:08 < amartinenco> For openvpn gui I was expecting something like this http://www.vpnbook.com/howto/setup-openvpn-on-windows7-steps/s5.png  but all i get with the package is a small icon with settings.
16:10 <@dazo> amartinenco: That screenshot looks like the OpenVPN Connect client (closed source GUI from OpenVPN Tech) ... in this channel we only support the open source/community version
16:11 < amartinenco> oh ok. Good to know.
16:11 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
16:11 <@dazo> (And there is a guy working on massive improvements to the GUI, but it will take some time ... it's a side-project he has on his normal job)
16:12 <@dazo> If we're lucky, maybe it'll be in 2.4 ... but then we're really lucky
16:12 < amartinenco> it it possible to have user/password authentication with opensource version?
16:13 <@dazo> absolutely ... you need 'auth-user-pass' in the config, and it'll detect that and will ask for it
16:14  * dazo heads out
16:15 -!- dazo is now known as dazo_afk
16:18 <@krzee> !pwauth
16:19 <@krzee> !authpass
16:19 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
16:22 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
16:23 < amartinenco> do I need at least 2 NICS to setup openvpn server or 1 should be enough?
16:25 <@krzee> 1 is fine
16:31 -!- s1dev [~s1dev@199.241.28.135] has left #openvpn ["Leaving"]
16:32 < amartinenco> is it possible to block vpn user access to certain machines on my local network?
16:34 <@plaisthos> !firewall
16:34 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
16:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
16:40 -!- amartinenco [~chatzilla@206-248-138-154.dsl.teksavvy.com] has quit [Ping timeout: 240 seconds]
17:07 -!- propheticsquiddy [~Proph@unaffiliated/propheticsquiddy] has quit [Quit: Leaving]
17:11 <+s7r> the rsa in openvpn (certs, keys) is 1024?
17:11 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
17:15 <@plaisthos> s7r: whatever you chose
17:15 <@plaisthos> you can also do 2048 or 4096 bit
17:15 <+s7r> you mean the dh.pem file?
17:16 <+s7r> the key length is given from that?
17:16 <@plaisthos> s7r: certificates in openvpn are not fixed to 1024
17:16 <@plaisthos> or what do you want to know?
17:17 <+s7r> how to increase the keysize?
17:17 <+s7r> to 2048 for example
17:17 <@plaisthos> build certificates with 2048 bit
17:27 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:31 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
17:48 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
17:48 < ice9> anybody heard about bitmask.net?
17:51 -!- Netsplit *.net <-> *.split quits: Chais, +s7r, Olivier, DrCode, K1rk, Magiobiwan, Brando753, ice9
17:52 -!- Netsplit *.net <-> *.split quits: kantlivelong, SlutaTramsa, Nothing4You, thumbs, Esya, hydrajump, Megaf, haasn, Tykling, Cpt-Oblivious,  (+2 more, use /NETSPLIT to show all of them)
17:53 -!- Netsplit over, joins: Cpt-Oblivious, Megaf, kantlivelong, ketas, Esya, SlutaTramsa, cyberanger, Nothing4You, Tykling, hydrajump (+2 more)
17:53 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
17:53 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Max SendQ exceeded]
17:53 -!- Netsplit over, joins: ice9, Chais, DrCode, Brando753, +s7r, K1rk, Magiobiwan, Olivier
17:53 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:54 -!- Netsplit *.net <-> *.split quits: TypoNe, Haigha, joako, KiNgMaR, Zimsky, aji, _abbe`
17:54 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Max SendQ exceeded]
17:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Max SendQ exceeded]
17:54 -!- Netsplit *.net <-> *.split quits: soapee01
17:54 -!- Netsplit over, joins: Haigha, joako, KiNgMaR, Zimsky, _abbe`, aji, TypoNe
17:54 -!- Netsplit *.net <-> *.split quits: clu5ter, NucWin, bashusr, vinky, Poster, troj, @syzzer, Champi, MacGyver, mgorbach,  (+2 more, use /NETSPLIT to show all of them)
17:56 -!- Netsplit *.net <-> *.split quits: @krzee, Nothing4You, m4rcu5, MatToufoutu, dvl, adaptr, ratsupremacy, phreakocious, Gman32, mete,  (+103 more, use /NETSPLIT to show all of them)
17:56 -!- ketas- [ketas@ketas6-sixxs.si.pri.ee] has quit [Max SendQ exceeded]
17:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:57 -!- Netsplit over, joins: syzzer, MacGyver, pnielsen_, clu5ter, bashusr, vinky, mgorbach, APTX, Poster, Champi (+1 more)
17:57 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
17:57 -!- Netsplit over, joins: Haigha, @raidz, TypoNe, aji, _abbe`, Zimsky, KiNgMaR, joako, Olivier, Magiobiwan (+23 more)
17:57 -!- ServerMode/#openvpn [+ovo syzzer s7r raidz] by hobana.freenode.net
17:57 -!- Netsplit over, joins: riddle, snappy, @dazo_afk, lauri, @mattock_afk, Left_Turn, jgeboski, mcp, yoavz, +hazardous (+40 more)
17:57 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:57 -!- Netsplit over, joins: @vpnHelper, +RBecker
17:57 -!- ServerMode/#openvpn [+oovo Eugene krzee RBecker vpnHelper] by hobana.freenode.net
17:57 -!- Netsplit over, joins: Argat, milligan, Eagleman, justinzane, c0ded, maskedlua, zpatten, iokill
17:57 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
17:57 -!- Netsplit over, joins: XJR-9, Jeroen52, halothe23, fejjerai, sl01, fred``, woshty, funnel, mingdao, Matir (+2 more)
17:57 -!- mete [~mete@91.247.253.160] has joined #openvpn
17:57 -!- Netsplit over, joins: pppingme, catsup, micah, MatToufoutu
17:57 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
17:57 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
17:57 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
17:58 -!- riddle [riddle@us.yunix.net] has quit [Disconnected by services]
17:58 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
17:58 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 260 seconds]
17:58 -!- riddle_ [riddle@us.yunix.net] has joined #openvpn
17:58 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
17:59 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:59 -!- riddle_ is now known as riddle
18:00 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Write error: Connection reset by peer]
18:00 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
18:01 -!- brah [~allsdfjal@181.164.61.75] has joined #openvpn
18:03 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
18:11 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
19:25 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
19:27 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has left #openvpn ["PART ##networking :ISON pheas"]
19:31 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
21:19 -!- Pyrogerg_ [~Gregory@71-33-41-189.albq.qwest.net] has quit [Ping timeout: 250 seconds]
21:20 -!- Pyrogerg [~Gregory@71-33-41-189.albq.qwest.net] has joined #openvpn
21:30 -!- mattock_afk is now known as mattock
21:34 -!- Pyrogerg [~Gregory@71-33-41-189.albq.qwest.net] has quit [Ping timeout: 240 seconds]
21:35 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:35 -!- Pyrogerg [~Gregory@71-33-41-189.albq.qwest.net] has joined #openvpn
21:40 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:46 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 240 seconds]
21:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:15 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 256 seconds]
22:19 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
22:23 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
22:28 -!- amartinenco [~chatzilla@CPE0016b64068bb-CM78cd8e66d31d.cpe.net.cable.rogers.com] has joined #openvpn
22:31 < amartinenco> I am following official ubuntu guide for installing open vpn and I am at the step where I have to run "source vars" on /etc/openvpn/easy-rsa/. The command runs fine but after when I run "sudo ./clean-all"   it says Please source the vars script first  (i.e source ./vars)
22:33 < amartinenco> did you ever have this problem before?
23:12 < amartinenco> btw the solution was stupid. I had to run exactly same commands but under "sudo -s" =/ Go figure.
23:23 -!- brah [~allsdfjal@181.164.61.75] has quit [Quit: Leaving]
23:24 -!- ShadniX [dagger@p5DDFE367.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:25 -!- ShadniX [dagger@p5DDFEFA5.dip0.t-ipconnect.de] has joined #openvpn
23:40 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
23:49 -!- amartinenco [~chatzilla@CPE0016b64068bb-CM78cd8e66d31d.cpe.net.cable.rogers.com] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 30.0/20140605174243]]
--- Day changed Fri Jul 18 2014
00:12 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
00:28 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
00:42 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
00:44 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:49 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
01:01 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:14 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
01:28 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has joined #openvpn
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:40 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
01:48 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
01:48 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
02:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
02:09 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
02:34 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
02:37 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:37 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:37 -!- mattock_afk is now known as mattock
02:55 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
03:09 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
03:22 -!- micah [~micah@debian/developer/micah] has quit [Remote host closed the connection]
03:46 -!- starlays [~starlays@unaffiliated/starlays] has joined #openvpn
03:48 < starlays> Hello to all, I have an openvpn server up and running and i don't know what it would be the best way to share files between linux server and android device, any help on this? thank you in advance
03:49 -!- dob1 [~dob@dynamic-adsl-78-13-165-224.clienti.tiscali.it] has joined #openvpn
03:51 < dob1> hi, i am using openvpn, i generated the keys for client and server, every key has its own passphrase. what i don't understand is, this authentication method is like ssh authentication method via key right?  so why it never asks for the passphrase?  i am missing something?
04:03 -!- qdii [~qdii@ns3296354.ip-5-135-189.eu] has joined #openvpn
04:03 < qdii> hey
04:03 < qdii> is there a specific reason I would like my openvpn server to use UDP?
04:04 < qdii> as far as I see it, many firewalls block it entirely
04:06 -!- dazo_afk is now known as dazo
04:11 <@plaisthos> starlays: put the keys/certificates inline and email it to you
04:11 <@plaisthos> !inline
04:11 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
04:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:16 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
04:16 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
04:35 < gac> qdii: UDP has fewer issues with performance (TCP-over-TCP can bring oddities, particularly if you're using tun rather than tap)
04:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
05:07 -!- dob1 [~dob@dynamic-adsl-78-13-165-224.clienti.tiscali.it] has left #openvpn ["Leaving"]
05:27 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
05:30 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
05:31 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
05:31 -!- Ridley5 [~NA@unaffiliated/ridley5] has joined #openvpn
05:41 < pekster> gac: tun vs tap has no meaningful impact on the udp vs tcp transport issues. As far as the transport protocol is concerned, you're just sending "a bunch of data" in the payload (it just happens to be openvpn traffic.)
05:42 < gac> pekster: I was thinking that tun often has more traffic over it (because of broadcasts etc) which then have to go over the tcp link
05:42 < pekster> qdii: DNS uses UDP, as do many common link-local protocols (although the 2nd category isn't usually routed.) I'd hope outright blocking of UDP isn't "common", but maybe you're on super-restrictive networks or something
05:43 < pekster> That would be if you're using tap rather than tun ;)
05:43 < snappy> http://sites.inka.de/~W1011/devel/tcp-tcp.html
05:43 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
05:43 < gac> erm yeah
05:43 < pekster> tun rather than tap tends to be better (in general, regardless of tcp/udp_)
05:43 < gac> got that the wrong way round, oops
05:44 < snappy> it makes no sense to use a reliable transport for an inherently unreliable protocol
05:45 < pekster> Right, although you have no choice if you're trying to escape a firewall that might only allow a select handful of destination ports/protocols
05:45 < pekster> Best option there is to run 2 VPNs: one on UDP you use all the time, and another for TCP you use only when required
05:46 < pekster> You can use a TCP VPN to provide a "reliability layer" to some unreliable transport (works so long as the VPN doesn't go down) but I'd suggest the inner-protocol is flawed to begin with then :P
05:46 < snappy> does anyone know how to invoke the cli version of openvpn on android? does it come with one of these apks?
05:46 <@plaisthos> snappy: you need root for the cli version
05:47 < snappy> i have root; i have TUN module builtin to kernel (but cannot confirm if it actually works)
05:48 <@plaisthos> OpenVPN seting might include a version that runs on the command line
05:48 <@plaisthos> OpenVPN for ANdroid contains a openvpn programm that runs on the cli but it is useless without the UI
05:49 <@plaisthos> any specific reason not to use the ui?
05:49 < snappy> hm, so the openvpn log for openvpn for android says (and i can't read it fully since it stretches on screen):
05:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:49 < snappy> "something" API permission dialog cancelled:
05:50 < snappy> "your image does not support the VPNService API, sorry :("
05:50 < snappy> this is kindle firetv
05:50 <@plaisthos> snappy: ah
05:50 <@plaisthos> hm
05:50 <@plaisthos> does it have /system/apk/VpnDialogs.apk?
05:50 <@plaisthos> or is that missing?
05:50 < snappy> that seems missing
05:51 <@plaisthos> it /might/ work if you put the VPnDialogs.apk there and reboot
05:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:51 < snappy> roger, let me see if i can find a copy
05:54 <@plaisthos> well the kindle fire emulator images are gone ...
05:55 <@plaisthos> I can give you a generic VPNDialogs.apk from an Android emulator image
05:55 <@plaisthos> which android version is Kinde Fire TV?
05:56 < snappy> not sure, i think 4.4
05:56 < snappy> one sec, there should be a faq on xda to confirm
05:57 <@plaisthos> start oepnvpn for android
05:57 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:57 <@plaisthos>  the first line should say model something, android API xx,
05:57 <@plaisthos> the api xx is android version api
05:58 <@plaisthos> snappy: Amazon Fire TV runs Fire OS 3.0, based on Android Jelly Bean (API level 17).
05:58 < snappy> ah ok, sec
05:59 <@plaisthos> that is 4.2.x
05:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
06:01 < snappy> i think i might be missing api info because the screen is stretched (i can't see the entire canvas of openvpn for android)
06:06 <@plaisthos> snappy: oh okay
06:08 < snappy> ok, i got a copy of vpndialogs.apk, put it in /system/app, crossing finger.
06:08 < snappy> not sure if its the right api version
06:08 <@plaisthos> that file is from 4.2.2 emulator
06:09 < snappy> ah thanks
06:17 < snappy> damn, no dice
06:17 <@plaisthos> :/
06:22 < snappy> ok too much stuffing around with openvpn on the kindle firetv -- i dont think its the clients, its just that amazon has seriously restricted firetv
06:23 < snappy> i guess i will commit some time to plan b: doing openvpn on the router and use policy based routing
06:23 <@plaisthos> is /dev/net/tun on you kindle tv?
06:28 < snappy> /dev/tun exists, but not /dev/net/tun
06:29 < snappy> also:
06:29 < snappy> # ip tuntap add dev tun0 mode tun
06:29 < snappy> open: No such file or directory
06:29 <@plaisthos> make a symlink from net/tun to /dev/tun
06:29 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
06:29 <@plaisthos> ip probably also wants /dev/net/tun
06:30 < snappy> hah!
06:30 < snappy> you're right
06:31 <@plaisthos> what happend after you installed vpndialogs?
06:31 <@plaisthos> different error mesage or the same/
06:31 < snappy> going to try again, one sec
06:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:32 < starlays> plaisthos: actually I want to sync my photos from my android device to the server, I think that I will build a ftpd bind to the tun0 interface so it will be accessible only via vpn
06:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:33 <@plaisthos> starlays: err, no idea about what is a good program for android there
06:34 < snappy> Same error message: VPN API permission dialog cancelled... image does not support hte VPNService API
06:34 <@plaisthos> hm
06:34 <@plaisthos> there might be more missing from the image :/
06:37 < snappy> yeah not sure what provides android.net.VpnService
06:38 <@plaisthos> That is deep in the network framework
06:38 <@plaisthos> but the actual dialogs are from VpnDialogs.apk
06:39 <@plaisthos> some espcially custom rom forget the VPnDialgos.apk but have the rest in place
06:39 <@plaisthos> unforetenately amazon seems not to be your typical stupid ROM Hax0r
06:40 < snappy> im surprised we don't have any kids producing custom roms for firetv yet, maybe in a few months
06:41 < snappy> although yucky, i think policy based routing + openvpn client on my router should do the trick
06:49 <@plaisthos> and won't probably break as easy
06:51 <@plaisthos> snappy: it is not such a trendy target
06:52 <@plaisthos> if you wanted a nice customizable home tv solution you probably would have bought something else
06:55 < snappy> not sure if there's anything close to amazon firetv at the price point and capability; appletv is crippled, and i don't know much about roku but they seem adament to stop any discussion about vpn on their forums
07:08 -!- AsadH is now known as dayanimal
07:11 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
07:12 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:25 -!- Pyrogerg [~Gregory@71-33-41-189.albq.qwest.net] has quit [Ping timeout: 240 seconds]
07:26 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
07:27 -!- jonascj [~jonas@002130139208.mbb.telenor.dk] has joined #openvpn
07:28 < jonascj> Hi all. Is it possible to make an vpn tunnel which is not secure from end-to-end (and do such vpn tools exist currently)?
07:28 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:28 < jonascj> Or will it always be secure end-to-end with ssl/tls?
07:31 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
07:36 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
07:44 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
07:44 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
07:45 -!- lbft is now known as itsover
07:46 -!- dayanimal is now known as AsadH
07:46 -!- itsover is now known as lbft
08:36 -!- defswork [~andy@141.0.50.98] has quit [Ping timeout: 240 seconds]
08:37 -!- jonascj [~jonas@002130139208.mbb.telenor.dk] has quit [Ping timeout: 256 seconds]
08:51 -!- jonascj [~jonas@002130139208.mbb.telenor.dk] has joined #openvpn
08:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:59 -!- mode/#openvpn [+v s7r] by ChanServ
08:59 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:24 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
09:37 -!- amartinenco [~chatzilla@206-248-138-154.dsl.teksavvy.com] has joined #openvpn
09:40 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:48 -!- defswork [~andy@141.0.50.98] has joined #openvpn
09:48 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
09:51 -!- ntz [~jdoe@static-84-42-228-122.net.upcbroadband.cz] has joined #openvpn
09:51 < ntz> hello
09:52 < ntz> can you please point me to some article discussing scaling ? I did many openvpn deployments but now seems like that this one will be rather big, say possibly thousands of concurrent connections
09:56 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:07 < ntz> anyway, forget it, i'll do it somehow
10:07 < ntz> from my experience one thread == 100 users
10:08 <@plaisthos> !gigabit
10:08 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
10:08 <@plaisthos> for highspeed
10:09 <@plaisthos> other than that you are probably right
10:09 <@plaisthos> multiple instances with a limited number of users each
10:10 < ntz> thanks for linkx
10:11 < ntz> plaisthos: I'm usually used to kill performance problems by throwing more hardware on them
10:12 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Read error: Connection reset by peer]
10:13 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
10:14 < ntz> so now generally said that if the cap is 10k of concurrent connections when usual peak should be something like 3-5k I'd suppose that 50 threads should be enough (? 5-6 sockets when one provides 8 threads)
10:14 <@plaisthos> also depends on the amount of traffic of each client
10:15 < ntz> yes, that's what I ask for but I get no clear answers .. the only what I know is that they will transfer rather smaller datas
10:15 < ntz> like they will connect some shared cifs folders with documents
10:16 < ntz> i've been told that there will be implemented some FUP just for this
10:18 < ntz> plaisthos: and moreover, this will be special purpose openvpn inside the internal network, so there are everywhere expected 1Gbit/100Mbit connections
10:19 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 255 seconds]
10:31 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
10:34 < pekster> Consider use of AES-NI too on the server; even if the clients don't support it, you want to avoid making the server the CPU bottleneck
10:35 < pekster> BF-CBC is the default symmetric cipher, so using AES (after you verify hardware support, of course ;) would have to be an explicit setting, and would have to match client configs
10:38 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 255 seconds]
10:38 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
10:44 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
10:45 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
10:46 < ntz> ok .. thanks
10:46 -!- ntz [~jdoe@static-84-42-228-122.net.upcbroadband.cz] has left #openvpn []
10:52 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 240 seconds]
11:02 -!- dazo is now known as dazo_afk
11:13 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
11:29 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
11:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:34 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
12:20 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
12:29 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:36 -!- Netsplit *.net <-> *.split quits: K1rk, KiNgMaR, aji, Haigha, Zimsky, _abbe`, TypoNe
13:36 -!- abbe [having@badti.me] has joined #openvpn
13:36 -!- Netsplit over, joins: aji
13:37 -!- Netsplit over, joins: K1rk
13:43 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
13:52 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
13:54 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
13:54 < tempus_fol> Hello, I apologize if it's not entirely openvpn-related (#networkmanager is almost not-existant) but: the fact that there's no way to input/pass the nsCertType value to nm-openvpn (so that it invariably spouts warnings about a hypothetical mitm risk in the logs) is a NetworkManager "feature"?
13:55 < lfx> hello. I got openvpn to work with ECC on linux with the master branch from git but I was wodering if I have to build it on windows or the latest 2.3.4 precompiled version from openvpn.net supports ECC by default?
13:58 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
14:25 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Read error: Connection reset by peer]
14:29 -!- jonascj [~jonas@002130139208.mbb.telenor.dk] has quit [Ping timeout: 240 seconds]
14:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
14:45 -!- michaelwendel [~michaelwe@h63n2-m-sp-a31.ias.bredband.telia.com] has joined #openvpn
14:52 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
14:52 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
14:55 -!- Netsplit *.net <-> *.split quits: joako, Kniaz, Poster, dvl, jgeboski
14:55 -!- Netsplit over, joins: Poster
14:55 -!- Netsplit *.net <-> *.split quits: roentgen, Left_Turn, lbft
14:55 -!- Netsplit over, joins: roentgen
14:55 -!- Netsplit over, joins: Kniaz
14:55 -!- Netsplit over, joins: jgeboski
14:55 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:55 -!- Netsplit over, joins: Left_Turn
14:57 -!- Netsplit over, joins: lbft
14:57 -!- zapotek6 [~zap@host112-90-dynamic.8-87-r.retail.telecomitalia.it] has joined #openvpn
14:57 -!- zapotek6 [~zap@host112-90-dynamic.8-87-r.retail.telecomitalia.it] has quit [Max SendQ exceeded]
14:57 -!- Netsplit over, joins: joako
15:16 -!- michaelwendel [~michaelwe@h63n2-m-sp-a31.ias.bredband.telia.com] has quit [Quit: michaelwendel]
15:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:32 -!- jonascj [~jonas@145.255.56.124] has joined #openvpn
15:39 -!- jonascj [~jonas@145.255.56.124] has quit [Quit: Lost terminal]
15:52 < lfx> how do I disable snappy when cross compiling openvpn? build-snapshot or build-complete download the source but I want to pass --disble-snappy to ./configure
15:55 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:02 < busch> I am talking iSCSI through openvpn on a not-so-stable-link. Is it a good idea then to use TCP to prevent a currupted filesystem?
16:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
16:11 < busch> (i am asking because a revieve the following errer every 1-3 hours: Authenticate/Decrypt packet error: bad packet ID (may be a replay))
16:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 240 seconds]
16:14 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
16:27 -!- michaelwendel [~michael@h63n2-m-sp-a31.ias.bredband.telia.com] has joined #openvpn
16:42 -!- amartinenco [~chatzilla@206-248-138-154.dsl.teksavvy.com] has quit [Ping timeout: 255 seconds]
16:42 -!- michaelwendel [~michael@h63n2-m-sp-a31.ias.bredband.telia.com] has quit [Read error: Connection reset by peer]
16:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
17:14 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
17:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:17 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:17 -!- Pyrogerg_ [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
17:27 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:44 -!- mattock is now known as mattock_afk
17:50 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:50 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
17:50 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
17:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Client Quit]
17:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
18:02 -!- jdunn_ [~jdunn@c-76-19-44-237.hsd1.ma.comcast.net] has joined #openvpn
18:04 < jdunn_> Hello.  I need some help with openvpn.  I tried the static key tutorial and was unable to connect or ping.  I checked firewall settings for client and server and router settings
18:04 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:06 < jdunn_> !welcome
18:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:08 < jdunn_>  Hello.  I need some help with openvpn.  I tried the static key tutorial and was unable to connect or ping.  I checked firewall settings for client and server and router settings
18:09 < jdunn_>  Hello.  I need some help with openvpn.  I tried the static key tutorial and was unable to connect or ping.  I checked firewall settings for client and server and router settings
18:13 < jdunn_> Hello.  I need some help with openvpn.  I tried the static key tutorial and was unable to connect or ping.  I checked firewall settings for client and server and router settings
18:15 < jdunn_> Hello.  I need some help with openvpn.  I tried the static key tutorial and was unable to connect or ping.  I checked firewall settings for client and server and router settings
18:18 -!- Sandfly [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
18:19 < jdunn_> Hello, I tried the static key tutorial that was recommended and I was unable to connect or ping.  I checked my firewall settings and my router settings.  I'm at a complete loss to explain why I can't complete this simple tutorial
18:19 < busch> jdunn_: Dont do that. And paste your logs
18:28 < Sandfly> jdunn_, sleep and recooperation
18:29 < snappy> is there a way to have the client refuse/ignore push DHCP options?
18:30 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
18:30 -!- Sandfly is now known as crystalballs
18:32 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:34 -!- crystalballs is now known as chrystalballz
18:35 -!- chrystalballz is now known as k-bristol-ballz
18:40 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit []
18:40 -!- k-bristol-ballz is now known as enp0s3
18:40  * enp0s3 are now known as a ass hole 
18:40  * enp0s3 < /Ignore
18:43  * enp0s3 >> why
18:45  * enp0s3 < we can get a million of you .. what you got ?
18:46  * enp0s3 >> jugotit ?
18:47  * enp0s3 < Shut the fk up
18:47  * enp0s3 >> live and LEARN
18:51 -!- mode/#openvpn [+o Eugene] by ChanServ
18:51 -!- enp0s3 was kicked from #openvpn by Eugene [Bye]
18:51 <@Eugene> jdunn_ - we heard you the first time, no need to spam
18:52 -!- enp0s3 [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
18:53 < enp0s3> hmm..
18:53 < enp0s3> ican we at least .. TALK .. ?
18:54 -!- mode/#openvpn [+q *!*@openvpn/community/support/debbie10t] by Eugene
18:54 <@Eugene> I don't even want to sort out whatever you're going on about right now
19:07 < snappy> hm, so apparently pull tells a client to accept pushed options from a server; i don't have pull in my config file but routes are set and DHCP is used
19:08 < pekster> snappy: There's --route-nopull or --route-noexec if you want to either ignore or not apply (and maybe apply them yourself via --route-up) routes
19:09 < pekster> DHCP options for non-windows are not applied at all by openvpn: see !pushdns for the external required script that you need. I'm not sure there's a way to do that on Windows though
19:09 < pekster> You could selectively not push them to a client though via ccd (or client-connect script)
19:11 < snappy> ah perfect, that's basically what i need -- just don't want to install the routes or even DNS
19:11 < snappy> thanks
19:12 < pekster> tempus_fol: So don't use n-m ;). Or patch it. But really, --ns-cert-type is deprecated anyway, and you should be using --remote-cert-tls instead
19:14 < snappy> Hm actually i need route-up since I'm creating a separate routing table, but how does removing routes work?
19:15 < snappy> ah probably client-disconnect and/or down
19:15 < pekster> Yea, although if they're going via the gateway over the VPN link, the routes will be automatically removed when the link is
19:16 < pekster> I suppose if you're doing policy routing (on Linux anyway) you'd want to rip out the `ip rule` statements directing traffic to that secondary table
19:16 < snappy> yep
19:16 < pekster> Note that clients don't have a --client-disconnect call (that's for servers.) use --down and maybe --down-pre
19:20 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
19:24 -!- enp0s3 [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
19:29 -!- jdunn_ [~jdunn@c-76-19-44-237.hsd1.ma.comcast.net] has quit [Quit: Leaving]
19:32 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:43 -!- C0SM0S [~C0SM0S@unaffiliated/c0sm0s] has joined #openvpn
19:43 < C0SM0S> !welcome
19:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:43 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:44 < C0SM0S> !goal
19:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:48 < C0SM0S> I would like to install openvpn on my VPS that is running Debian.  I do not want to use a static key.  I would like about 5 devices to be able to connect.  I do not want everything leaving my home network to be in a vpn.   I will mostly be accessing the internet over my vpn. but would also want to be able to connect outside my network to a computer inside my network with a vpn tunnel.
19:49 < C0SM0S> howdy everyone!
20:12 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
20:12 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
20:21 <@Eugene> !howto
20:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
20:21 <@Eugene> Depending upon how you want traffic to flow you're gonna need
20:21 <@Eugene> !def1
20:21 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
20:21 <@Eugene> !redirect
20:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:21 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:21 <@Eugene> Or possibly
20:22 <@Eugene> !routebyapp
20:22 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
20:22 <@vpnHelper> policies you set. For Linux, read about !lartc
20:22 <@Eugene> And maybe just
20:22 <@Eugene> !route
20:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
20:22 <@vpnHelper> client
20:22 <@Eugene> Call us after you've read all the above ;-)
20:25 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:31 < C0SM0S> thanks
20:32 <@krzee> dont forget:
20:32 <@krzee> !easy-rsa
20:32 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
20:32 < C0SM0S> because of debian right
20:32 < C0SM0S> or on all OS
20:32 <@krzee> no, because thats how you make your certificates.
20:32 < C0SM0S> derp
20:32 < C0SM0S> ok
20:32 < C0SM0S> i've read most of it
20:33 <@krzee> its a new version so use ITS documents and not some random webpages
20:33 < C0SM0S> jsut dont' know what i'm about to get myself into :p
20:33 < C0SM0S> doing it headless over ssh. without easy repair
20:33 <@krzee> and theres definitely advantages to using the newer version if you dont know enough to configure earlier version properly
20:34 < C0SM0S> maybe i should install debian in vm and practice before doing it on vps
20:34 -!- Pyrogerg_ [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 256 seconds]
20:34 < C0SM0S> thanks krzee
20:34 < C0SM0S> just mostly for confidence
20:34 <@krzee> np
20:35 < C0SM0S> need to read up on the /30 compared to /24
20:35 < C0SM0S> !/30
20:35 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
20:35 < C0SM0S> need to sit down and do the topology i think to get a better idea
20:36 <@krzee> well
20:36 <@krzee> server can take a /24 either way
20:36 <@krzee> with default topology, each client gets their own /30 (because once upon a time windows could only do that, so it was a work-around)
20:36 <@krzee> then they figured this out:
20:37 <@krzee> !topology
20:37 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
20:37 < C0SM0S> good to know
20:37 < C0SM0S> the reading gets a little confusing from server to client
20:38 < C0SM0S> but with all the bots help.. i should be able to knock this out
20:38 <@krzee> !factoids
20:38 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
20:39 <@krzee> in case you wanna see everything the bot knows ^^
20:39 < C0SM0S> bookmarked.. thanks
20:39 <@krzee> bbl, in vegas going out
20:39 <@krzee> np
20:39 < C0SM0S> n'joy!!
20:40 < pekster> I saw vegas, from about 30 miles away on the freeway. I think that's a great vantage point ;)
20:40 < pekster> "Close, but not too close"
20:41 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
21:12 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
22:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:09 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
23:05 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
23:20 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Read error: Connection reset by peer]
23:21 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
23:23 -!- ShadniX [dagger@p5DDFEFA5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:24 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 256 seconds]
23:24 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:25 -!- ShadniX [dagger@p5DDFF4ED.dip0.t-ipconnect.de] has joined #openvpn
23:31 < snappy> I think I'm misunderstanding something fundamental about running OpenVPN client on a router to tunnel all traffic from the LAN-side of my router.
23:31 < snappy> Before openvpn, the router simply forwards to default gateway, and performs NAT for the local network (this is all done in openwrt).
23:33 < snappy> I setup openvpn client, I have it tunnel all traffic to the openvpn server tunnel endpoint address; for traffic generated by the router itself, it works correctly. However for devices on the LAN behind the router, traffic is forwarded through the tunnel as-is (without NAT), and openvpn logs from server side says bad source address from client.
23:33 < pekster> If you want to NAT LAN and openwrt Internet-bound traffic, just use a standard !redirect setup. If you want to redirect the LAN but explicitly _not_ the router-to-Internet traffic, that requires some complex policy routing
23:33 < pekster> Oh, gotta NAT the LAN-to-Internet traffic same as always
23:34 < pekster> Maybe you forgot to update your SNAT (or MASQUERADE) rule for the tun device egress?
23:34 < snappy> Ah I'll take a look at !redirect. First I want to get something work, then do explicit policy based routing
23:34 < pekster> Just treat openvpn as "any other router" -- you need to set up routing, NAT, and firewall as if it was a traditional router
23:34 < pekster> All openvpn does is connect 2 endpoints, and add some neat security to it
23:34 < snappy> Roger, I think that's what I'm fundamentally misunderstanding.
23:35 < snappy> I thought I would be NATting the LAN IP addresses /at the openvpn server endpoint/
23:35 < pekster> You probably have an SNAT/MASQUERADE rule for your physical link egress only, not the the tun dev/network
23:35 < snappy> I'm a little confused as well. NAT always does my head in; I hate it so much.
23:35 < pekster> IPv6: coming since nearly 2 decades ago
23:37 < snappy> it'll shift the burden to carriers (carrier grade nat for ipv6-to-ipv4), it probably won't go away in my lifetime
23:39 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
23:42 < snappy> pekster: seem to do the trick, thanks.
23:43 < pekster> Ugh, Fuck CGN
23:43 < pekster> Nat 4 Lyfe!
--- Day changed Sat Jul 19 2014
00:28 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:45 < tempus_fol> pekster: yep, I know about the remote-cert-tls for openvpn >= 2.1; but I can't pass that value to nm-openvpn anyway, afaik it has been disabled upstream because it caused issues (within nm) some years ago... and now it seems a "feature"; I'm not using it right now;  as far as "patching" goes, I'd have more insight about why it has been disabled, how can it be enabled and so on.. but I've some issues contacting someone on the upstream it
00:45 < tempus_fol> seems. I guess that a correct(ed) nm-openvpn implementation wouldn't harm anyone
00:49 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has joined #openvpn
00:59 < lfx> hello. I can't get openvpn snapshot to compile using openvpn-build, getting some compile errors near the end: socket.c:3098:45: error: 'struct link_socket_addr' has no member named 'local'
00:59 < lfx> perhaps I need a specific mingw version?
01:01 < lfx> I think this is it: https://community.openvpn.net/openvpn/ticket/391
01:01 <@vpnHelper> Title: #391 (src/openvpn/socket.c failed to compile for win32) – OpenVPN Community (at community.openvpn.net)
01:17 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Remote host closed the connection]
01:17 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
01:18 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
01:19 -!- mirco [~mirco@ip-88-153-222-56.unitymediagroup.de] has quit [Quit: mirco]
01:23 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
01:36 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:58 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
02:01 -!- lauri [~lauri@ip18864bed.dynamic.kabel-deutschland.de] has quit [Read error: Connection reset by peer]
02:32 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
02:32 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
02:43 -!- mattock_afk is now known as mattock
02:58 -!- Pyrogerg_ [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
02:59 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Read error: Connection reset by peer]
03:08 -!- starlays [~starlays@unaffiliated/starlays] has left #openvpn ["WeeChat 0.4.3"]
03:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:16 < snappy> plaisthos: can't believe i'm going back to this idea -- but what was the difficulty with using a command-line vpn client on android?
03:24 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
03:35 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-bvvdtsjrzcayermp] has joined #openvpn
03:35 < SupaYoshi> Hey! Anyone here that can help me perhaps with a non working VPN gateway, the VPN works, but after a few minutes it stops working.
03:35 < SupaYoshi> I think it has something to do with the config of openvpn.
03:36 < SupaYoshi> Is there anyone here today that perhaps can help :/ I been looking for some help in the past few days.
03:36 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
03:37 < busch> I am talking iSCSI through openvpn on a not-so-stable-link. Is it a good idea then to use TCP to prevent a currupted filesystem? (i am asking because a revieve the following errer every 1-3 hours: Authenticate/Decrypt packet error: bad packet ID (may be a replay))
03:42 < SupaYoshi> http://paste.ubuntu.com/7818650/
03:43 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
04:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
04:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:33 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
04:44 <@plaisthos> snappy: on 4.4 it probably breaks the routing, on 4.2.2 it should be fine. You need to build a command line version though
04:44 < snappy> plaisthos: looks like: https://code.google.com/p/android-openvpn-installer/ sitll works even in 4.4, i'm very surprised to say the least
04:44 <@vpnHelper> Title: android-openvpn-installer - Installs openvpn on your rooted phone - Google Project Hosting (at code.google.com)
04:44 < snappy> looks like whoever was working on that left a github repo, i'm going to see if i can upgrade to the latest version of openvpn (this version was 2.1.1)
04:45 <@plaisthos> :D
04:45 < lfx> is it just me or the git version can't be compiled for windows?
04:45 <@plaisthos> you could download my source and change the -DTARGET_ANDROID -DTARGET_LINUX to
04:45 <@plaisthos> lfx: it is not just you
04:45 < lfx> phew :)
04:46 < lfx> I'm trying this since yesterday to no avail
04:46 <@plaisthos> lfx: it is on my todo list to look into it but I had no time for that so far
04:46 < snappy> hm, definitely look into it
04:46 < lfx> please do
04:46 <@plaisthos> lfx: it is on my todo for 3 months now
04:46 <@plaisthos> if you can fix it yourself we are happy to accept patches
04:46 < lfx> now I was about to install visual studio to try compiling it natively since openvpn-build failed
04:47 < lfx> I am no programmer, I can comment half the code in socket.c and see if it works :P
04:47 <@plaisthos> lfx: that is probably not a good idea
04:47 < lfx> it's the same with the visual studio right?
04:47 < lfx> it's not just a mingw issue
04:47 <@plaisthos> probably yes
04:48 < lfx> hmm too bad
04:48 < lfx> I wanted to test ECDH on Windows
04:48 < snappy> does windows version use schannel or openssl?
04:48 < lfx> it works fine on Linux
04:48 <@plaisthos> openssl
04:48 < lfx> openssl
04:48 < snappy> the lesser of the two evils :)
04:50 < lfx> the socket.c issue was introduced before the ECC support in 2.3.4 right? thiking about trying to compile older commits ...
04:51 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:55 <@plaisthos> probably my socket patches
04:56 < lfx> ok
04:56 < lfx> thanks
04:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
05:02 <@plaisthos> lfx: do you have a diff what I need to change in openvpn-build to build with git
05:02 < lfx> no, sorry
05:24 -!- Envil [~meep@95.211.26.40] has joined #openvpn
05:30 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
05:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:04 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
06:05 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
06:07 < pekster> tempus_fol: Oh, bummer. Yea, we generally don't recommend n-m here specifically because it tends to work poorly :\
06:11 < pekster> lfx: Are you cross-compiling for Windows from a Linux host? The visual-studio support has always been very spotty and the build docs basically recommend you do builds from a Unix-alike anyway
06:12 < pekster> I think the instructions for ubuntu 12.04 include all the steps like patching mingw (because there's a component too old) so it'll basically guide you to a working compiler setup. Now if git has pending issues after you do have a working build env, that's another issue ;)
06:50 < lfx> pekster, yes, i am cross compiling on linux for win32
06:52 < lfx> http://comments.gmane.org/gmane.network.openvpn.devel/8646
06:52 <@vpnHelper> Title: OpenVPN developers list (at comments.gmane.org)
06:52 < lfx> I think it's the same issue
06:55 < lfx> I tried on a fairly new Ubuntu and a debian, I'll try again with Ubuntu 12 and those patches
06:56 < pekster> There might be more subtle dragons lurking for "too new"
06:56 < lfx> I successfully cross compiled 2.3.r though on the same machine, just not the master branch :)
06:56 < pekster> I just kept my 12.04 ubuntu VM around from when I built last (it was recommended then too) and IIRC a 13.whatever version blew up in some not-so-friendly ways
06:56 < lfx> 2.3.4*
06:56 < pekster> Ah
06:57 < pekster> Might not be host-toolchian related then
07:00 < lfx> I will try applying the ECDH patch to 2.3.4,since ecdh is why I am trying to build the master branch
07:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
07:48 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
07:50 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
07:58 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
08:21 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
08:31 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
08:36 -!- Pyrogerg_ [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 256 seconds]
08:37 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
08:41 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:58 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 245 seconds]
09:01 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
09:11 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 245 seconds]
09:12 -!- mattock is now known as mattock_afk
09:17 < C0SM0S> does anyone know if i use debian v7 is very similar to v6 ... as far as installing and configuring openvpn?
09:17 < C0SM0S> err that doesn't totally makes sense,, but maybe someone get my drift
09:17 < C0SM0S> trying to do vm before doing it on vps
09:26 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
09:33 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
09:34 -!- defswork [~andy@141.0.50.98] has quit [Ping timeout: 250 seconds]
09:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
09:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:59 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
10:59 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 240 seconds]
11:03 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
11:14 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
11:29 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Read error: Connection reset by peer]
11:29 -!- Pyrogerg_ [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
11:41 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:41 -!- mode/#openvpn [+v s7r] by ChanServ
11:43 -!- Pyrogerg_ [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 264 seconds]
11:46 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
11:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
12:16 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 260 seconds]
12:18 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
13:00 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
13:12 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
13:18 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
13:18 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
13:34 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
13:47 -!- james41382__ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:05 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:09 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
14:21 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
14:24 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
14:34 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 240 seconds]
14:35 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
14:41 -!- Argat [~Argat@adsl-98-48.du.nwc.is] has quit [Ping timeout: 240 seconds]
14:47 -!- MACscr [~Adium@c-50-158-183-38.hsd1.il.comcast.net] has quit [Quit: Leaving.]
14:52 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 260 seconds]
14:56 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
15:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
15:07 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
15:08 < Verdi> hi. i have an openvpn in subnet topology running. does anyone have a tip on how to implement name resolution inside the subnet, as in server1.ovpn or similar? the official documentation to openvpn dns is rather confusing
15:09 < pekster> Verdi: Read:
15:09 < pekster> !pushdns
15:09 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
15:11 < Verdi> pekster: i understand how to push dns servers, however i run the nets such that only traffic for the subnet is routed through it without affecting the rest. won't an additional dns server just break the global ns resolution?
15:12 < pekster> huh?
15:12 < pekster> Do you deny recursive DNS requests?
15:12 < pekster> If so, yes, you will probably break your client's DNS access. If you intend to replace the client's DNS you should probably allow recursive queries
15:12 < pekster> (at least from the VPN range)
15:13 < pekster> Oh, you mean DNS to _reach_ the clients?
15:13 < pekster> Gotta do some dynamic DNS updating (for pool allocations) or have OpenVPN server static addresses if that's less work (reading on that is at: !static)
15:14 < Verdi> hrm
15:14 < Verdi> i probably can give out static addresses
15:14 < pekster> Just remember to reduce your pool range when you do that, otherwise things tend to break in subtle ways
15:15 < Verdi> how come?
15:16 < pekster> Read the above output
15:16 < pekster> !static
15:16 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
15:16 < pekster> (these aren't just fun things for us to type -- they have good info ;)
15:17 < pekster> If you don't do (#4) above, it's possible for that IP to be given out to a non-static client first
15:17 < pekster> Then you're really in trouble
15:17 < Verdi> ah like that
15:17 < Verdi> ok
15:17 < Verdi> i get it i think
15:18 < Verdi> still trying to wrap my head around the whole thing
15:18 < Verdi> dns itself is a mindbreaker enough without involving vpn
15:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:37 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
15:51 < lfx> !windns
15:51 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
16:23 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has quit [Max SendQ exceeded]
16:24 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has joined #openvpn
16:27 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has quit [Max SendQ exceeded]
16:27 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has joined #openvpn
16:31 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has quit [Max SendQ exceeded]
16:31 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has joined #openvpn
16:35 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has joined #openvpn
16:35 < SupaYoshii> Hi guys, Im setting up a vpn from a vps, i can connect my client (router) to it, and i can communicatie with i.
16:35 < SupaYoshii> However im trying to route veerything over the VPN.
16:35 < SupaYoshii> However when im connected to the VPN, internet doesn't work.
16:36 < SupaYoshii> What do I do to fix this?
16:36 < SupaYoshii> This is my config file.
16:36 < SupaYoshii> http://paste.ubuntu.com/7821690/
16:37 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:37 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
16:41 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has quit [Ping timeout: 240 seconds]
16:45 < SupaYoshi> back
16:52 < Poster> SupaYoshi: keep in mind you will need to NAT the outbound traffic from the VPS prior to being sent out onto the Internet
16:53 < Poster> otherwise your source IP will be in your 10.9.0.x range and be unroutable
16:53 < Poster> assuming the public interface name on your VPS is eth0, something like this should do the trick:
16:53 < Poster> sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.9.0.0/24 -j MASQUERADE
16:53 < fred``> so its only possible to build openvpn with openssl or polarssl - not with libressl ?
16:54 < fred``> ./configure --help |grep ssl just show --disable-ssl
16:54 < Poster> additionaly, make sure you have IP forwarding enabled on your VPS, this is generally present in sysctl.conf, net.ipv4.ip_forward=1 ; you can enable it interactively with (as root) "echo 1 > /proc/sys/net/ipv4/ip_forward"
16:54 < SupaYoshi> okay let me go ahead
16:56 < Poster> you can also enable IP forwarding with: sudo sysctl -w net.ipv4.ip_forward=1
16:56 < Poster> but it's important to changet /etc/sysctl.conf to preserve it across reboots
17:01 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
17:04 < Poster> also don't forget about the POSTROUTING rule, it will need to be preserved as well.  Each distribution may have their own way of applying iptables rules on startup
17:04 < Poster> worst case you could also add it to something like /etc/rc.local
17:06 < SupaYoshi> hey Poster
17:06 < SupaYoshi> going to check now
17:28 < SupaYoshi> okay
17:28 < SupaYoshi> Poster
17:28 < SupaYoshi> Are you still  there?
17:28 < SupaYoshi> http://paste.ubuntu.com/7821894/
17:28 < SupaYoshi> this is from the client
17:28 < SupaYoshi> think its going wrong here.
17:29 < SupaYoshi> (this is my server.conf on the vps) got it off the internet. http://paste.ubuntu.com/7821898/
17:30 < SupaYoshi> ./sbin/route add -net 81.4.110.165 netmask 255.255.255.255 gw 10.15.1.1 this looks ridicilous
17:30 < SupaYoshi> my home lan router is on 10.15.1.1 the gateway.
17:30 < Poster> no that's all right
17:30 < SupaYoshi> the 81.4.110.165 = my server ip.
17:31 < Poster> that is adding a host route to your VPS via your local default gateway
17:31 < SupaYoshi> ah ok.
17:31 < SupaYoshi> ah i see.
17:31 < Poster> if you don't have that the route add will sever the link to the VPN server itself
17:31 < SupaYoshi> so, why is there no internet x_x.
17:31 < Poster> ok from your OpenVPN client, can you ping: 10.9.0.9 ?
17:31 < SupaYoshi> I did what you said.
17:31 < SupaYoshi> let me see
17:33 < SupaYoshi> back
17:33 < SupaYoshi> I cant ping that, but 10.9.0.9 is nothing?
17:33 < SupaYoshi> The server itself is 10.9.0.1 and I can ping that though, and I can ping from server to client. (10.9.0.10)
17:34 < Poster> ok good, now perform a traceroute to 81.4.110.165
17:34 < SupaYoshi> okay
17:34 < SupaYoshi> hold on mate
17:34 < Poster> please past output in paste.ubuntu.com or similar
17:36 < SupaYoshi> back
17:38 < SupaYoshi> okay
17:38 < SupaYoshi> got it
17:39 < SupaYoshi> routes through my local router, not vpn.
17:39 < SupaYoshi> http://paste.ubuntu.com/7821938/
17:39 < Poster> ok which device is the OpenVPN client?
17:39 < SupaYoshi> A OpenWRT router :)
17:39 < Poster> ok I assume that is 10.15.1.1 ?
17:39 < SupaYoshi> no x_x
17:40 < SupaYoshi> that is my gateway, (another router)
17:40 < Poster> ok what is 192.168.2.254?
17:40 < SupaYoshi> another router.
17:40 < Poster> ok which one is the OpenWRT router which is the OpenVPN client?
17:40 < SupaYoshi> 192.168.1.1
17:41 < SupaYoshi> which is not in that route...
17:41 < Poster> is 192.168.1.1 your default gateway?
17:41 -!- NealShire [~NealShire@pool-71-160-95-79.lsanca.fios.verizon.net] has joined #openvpn
17:41 < SupaYoshi> that is for the router yes, (with openvpn client)
17:42 < NealShire> Hello, I'm looking to create a VPN for use abroad so I can use unsecured wifi in relative safety. How complicated is this?
17:42 < NealShire> I have a Galaxy S4, btw. android 4.4
17:43 < Poster> SupaYoshi: ok, please put together a quick diagram of each hop and IP addressing, I am not completely sure I am following your topology which seems to have 3(?) router systems
17:43 < NealShire> I normally run an apache web server on the host machine.
17:43 < NealShire> !welcome
17:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:43 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:44 < NealShire> !howto
17:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
17:46 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
17:47 < NealShire> !heartbleed
17:47 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
17:47 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
17:48 < SupaYoshi> okay
17:48 < SupaYoshi> Poster
17:48 < SupaYoshi> Im back, when I do traceroute google.com it goes through the VPN. and ends there.
17:49 < Poster> ok that's good, on your VPS host, type the following and paste output (should be 1 line)
17:49 < Poster> cat /proc/sys/net/ipv4/ip_forward
17:50 < SupaYoshi> the normal IP goes throught the default gateway though. (10.15.1.1) which is my second router.
17:50 < SupaYoshi> em ok
17:50 < SupaYoshi> output is 1 Poster
17:50 < SupaYoshi> I put my laptop upstairs, easier to test here.
17:51 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:51 < Poster> ok on your VPS, what is the adapter name which owns the IP address 81.4.110.165?
17:51 < SupaYoshi> Poster, the traceroute on the client is stuck though, at the first line.
17:51 < Poster> this can be shown with the ifconfig command
17:51 < SupaYoshi> venet0:0
17:51 < Poster> ok on your VPS type this:
17:51 < SupaYoshi> i did the eth0 thing before.
17:52 < SupaYoshi> can i remove that? or is that okay?
17:52 < Poster> sudo iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
17:52 < Poster> yes, getting the adapter right is what I meant when I said "<Poster> assuming the public interface name on your VPS is eth0" ..
17:53 < SupaYoshi> done.
17:53 < Poster> yes you can remove the rule assigned to eth0
17:53 < SupaYoshi> how do i remove that rule?
17:53 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
17:53 < Poster> ok with that POSTROUTING rule in place with venet0:0, retry your traceroute
17:53 < SupaYoshi> and, do I need to restart openvpn on the client now?
17:53 < Poster> no
17:54 < SupaYoshi> 2, 3 and 4th line are * * * now.
17:54 < Poster> sudo iptables -t nat -D POSTROUTING -o eth0 -s 10.9.0.0/24 -j MASQUERADE
17:54 < Poster> will remove the route
17:54 < Poster> oops, will remove the rule
17:54 < SupaYoshi> okay
17:54 < SupaYoshi> done.
17:54 < Poster> ok please paste traceroute output
17:54 < SupaYoshi> okay reboot openvpn?
17:54 < SupaYoshi> or not?
17:54 < NealShire> why am I banned on this channel from my other comptter?
17:54 < NealShire> same IP and the hostmask is the same afaik
17:54 -!- Thermi [~Thermi@unaffiliated/thermi] has left #openvpn []
17:54 < SupaYoshi> Poster, * * * on google.com
17:55 < SupaYoshi> rebooting openvpn to try
17:55 < Poster> that's not entirely helpful, please paste the full output
17:55 < SupaYoshi> okay sorry mate, :P sec.
17:56 < SupaYoshi> traceroute for google right?
17:58 < SupaYoshi> nothign really interesting about it but here ya go, http://paste.ubuntu.com/7822003/
17:59 < SupaYoshi> to he server ip, it still uses the default route.
17:59 < SupaYoshi> (10.15.1.1 and on)
17:59 < SupaYoshi> need to see my client.conf?
17:59 < SupaYoshi> or has it something to do with my firewall settings/ interfaces?
17:59 < SupaYoshi> on the openwrt router?
18:00 < Poster> possibly, from the VPS, can you trace to google.nl?
18:00 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
18:02 < SupaYoshi> http://paste.ubuntu.com/7822021/
18:02 < SupaYoshi> yes
18:03 < SupaYoshi> http://paste.ubuntu.com/7822025/ does this helP/
18:04 < Poster> somewhat, let's try a broader POSTROUTING rule
18:04 < Poster> sudo iptables -t nat -D POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
18:05 < Poster> sudo iptables -t nat -A POSTROUTING -j MASQUERADE
18:06 < SupaYoshi> just in case i gave u the wrong adapter - http://paste.ubuntu.com/7822032/
18:06 < SupaYoshi> Nope same result,
18:06 < SupaYoshi> Added that, tracerroute shows the exact same.
18:06 < Poster> ok let's try this
18:06 < SupaYoshi> 10.9.0.1 first line, then * * * , 3th  * * *,
18:06 < Poster> on the VPS: tcpdump -i venet0:0 host 8.8.4.4
18:06 < Poster> on the OpenVPN client, ping 8.8.4.4
18:07 < Poster> do you see any frames in the tcpdump?
18:07 < SupaYoshi> http://paste.ubuntu.com/7822038/
18:07 < SupaYoshi> ah wait
18:07 < SupaYoshi> sudo sorry
18:07 < SupaYoshi> done
18:07 < SupaYoshi> now what?
18:07 < SupaYoshi> its listening, nothing showing up yet?
18:08 < SupaYoshi> http://paste.ubuntu.com/7822041/
18:08 < Poster> ok you are probably hitting rules on your OpenWRT device that may not be allowing the traffic
18:08 < SupaYoshi> should i disable firewall on openwrt?
18:09 < SupaYoshi> for a sec?
18:09 < SupaYoshi> :D
18:09 < Poster> I am not sure what that actually equates to, I'm assuming it's performing some type of NAT which you will likely need
18:09 < Poster> you can try it though
18:10 < Poster> or set the default forward policy to ACCEPT then clear out any rules on the forward chain
18:10 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
18:10 < SupaYoshi> same with firewall off
18:10 < NealShire> haha @ winston
18:10 < SupaYoshi> cant be the next firewall right?
18:11 < Poster> the upstream devices will only see the VPN session, not the traffic within it
18:11 < SupaYoshi> yah thought so.
18:11 < SupaYoshi> okay, so.
18:11 < Poster> ok on your VPS, try this:
18:12 < Poster> sudo tcpdump -i tun0 icmp
18:12 < Poster> then from the OpenVPN client side, attempt a ping to 8.8.4.4
18:12 < SupaYoshi> okay
18:12 < SupaYoshi> http://paste.ubuntu.com/7822055/
18:12 < SupaYoshi> that works
18:13 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Remote host closed the connection]
18:13 < SupaYoshi> client says, 21 packets lost, server says, http://paste.ubuntu.com/7822056/
18:13 < Poster> ok that's good, so the traffic is getting to your VPS
18:14 < Poster> on your VPS, please type and paste the output from
18:14 < Poster> sudo iptables -L -n ; sudo iptables -t nat -L -n
18:14 < SupaYoshi> http://paste.ubuntu.com/7822060/
18:15 < Poster> ok we're missing the POSTROUTING rule from there, on your VPS please type
18:15 < Poster> sudo iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j MASQUERADE
18:15 < Poster> then rerun/repaste: sudo iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j MASQUERADE
18:15 < Poster> oops
18:15 < Poster> rerun/repaste: sudo iptables -L -n ; sudo iptables -t nat -L -n
18:16 < SupaYoshi> http://paste.ubuntu.com/7822070/
18:16 < Poster> ok that looks right, retry your pings from OpenVPN client to 8.8.4.4
18:16 < SupaYoshi> i can now ping.
18:16 < SupaYoshi> :)
18:16 < SupaYoshi> just not traceroute yet
18:17 < SupaYoshi> dns?
18:17 < Poster> ok to confirm, ping to 8.8.4.4 is now working from the OpenVPN client?
18:18 < SupaYoshi> confirm 2 times now
18:18 < SupaYoshi> :)
18:18 < Poster> try this from the OpenVPN client: telnet www.google.nl 443
18:18 < Poster> does the connection establish?
18:19 < SupaYoshi> waiting....
18:19 < Poster> ok that's not good
18:19 < SupaYoshi> Connection closed by foreign host
18:19 < Poster> did it connect?  Depending on the client the screen may have just have gone blank
18:20 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
18:20 < SupaYoshi> i did that from the putty console
18:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
18:20 < SupaYoshi> em.. do i need to do it with something else?
18:20 < Poster> ok putty console connected to what?
18:20 < SupaYoshi> connected to the router.
18:20 < SupaYoshi> (client)
18:21 < SupaYoshi> I did the ping from the putty too, that works.
18:21 < Poster> ok what do you have in /etc/resolv.conf from the OpenVPN client?
18:21 < SupaYoshi> i can ping domains too btw.
18:21 < SupaYoshi> lemme check
18:22 < SupaYoshi> search lan
18:22 < SupaYoshi> nameserver 127.0.0.1
18:22 < Poster> ok probably a dnsmasq instance or something, try tracing by IP address, something like 8.8.4.4
18:23 < SupaYoshi> that does the same, * * * *
18:23 < SupaYoshi> Oh wait!
18:23 < SupaYoshi> No sorry.
18:24 < SupaYoshi> that trace works.
18:24 < Poster> ok, we'll probably need to dig into the local DNS server running on OpenWRT, I am guessing it is an instance of dnsmasq
18:24 < SupaYoshi> so dns issue?
18:24 < Poster> yeah
18:24 < SupaYoshi> dnsmasq yes
18:25 < Poster> if you look at your process list, you should see it, I'm only slightly familiar with OpenWRT, but you should have something like dnsmasq -c /some/path/to/config
18:25 < SupaYoshi> also.
18:25 < SupaYoshi> under HDCP and DNS, on the webgui, it goes to /tmp/resolv.conf.auto
18:25 < SupaYoshi> and in that file is the following:
18:26 < SupaYoshi> http://paste.ubuntu.com/7822104/
18:26 < SupaYoshi> Could that be the issue?
18:26 < SupaYoshi> # interface wan nameserver 10.15.1.1
18:27 < Poster> possibly, the OpenWRT device, it's LAN interface is 192.168.x.x and WAN is 10.15.1.x ?
18:27 < SupaYoshi> yep
18:27 < SupaYoshi> cus i was lazy connecting it, to set it up
18:28 < SupaYoshi> otherwise ive to mount it in the closet, and its really warm here, 33 celcius hehe, and i thought it wouldn really matter
18:28 < SupaYoshi> so :P thats why its such a weird horrible setup right now heh
18:28 < SupaYoshi> will be fixed later.
18:28 < SupaYoshi> should i try changing 10.15.1.1 to 10.9.0.1?
18:28 < Poster> actually go public, 8.8.8.8 or 8.8.4.4
18:29 < SupaYoshi>  inside /tmp/resolv.conf.autO?
18:29 < Poster> I think so- that's what dnsmasq is pointing to
18:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 245 seconds]
18:30 < SupaYoshi> yah cus the dns ive setup in my default router is 8.8.8.8 and 8.8.4.4
18:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:31 < Poster> on the OpenWRT host, see if this works
18:31 < SupaYoshi> so wat do i do?
18:31 < Poster> nslookup www.google.com 10.15.1.1
18:31 < SupaYoshi> ok
18:31 < Poster> or you can use www.google.nl, just trying to see if recursion is working
18:31 < SupaYoshi> that works.
18:32 < SupaYoshi> want a pastebin? or believe it?
18:32 < SupaYoshi> lol.
18:32 < Poster> ok you may want to go through your OpenWRT configuration (web or otherwise) and manually specify 8.8.8.8 and 8.8.4.4
18:33 < Poster> if you're goal is to hide Internet traffic from your local IP address, you will also want the DNS traffic to go to the VPS as well
18:34 < SupaYoshi> Yes
18:34 < SupaYoshi> thats my goal indeed.
18:34 < SupaYoshi> em,
18:34 < SupaYoshi> what file should i add the 8.8.8.8 and 8.8.4.4 too?
18:35 < Poster> I think you said it was /tmp/resolv.conf.auto
18:35 < Poster> though I am unsure if that will stay across reboots
18:35 < SupaYoshi> so i remove the nameserver there?
18:35 < Poster> I would guess the preferred method would be to manually enter it into the OpenWRT management interface
18:35 < SupaYoshi> under interface #wan
18:35 < SupaYoshi> ah ok.
18:35 < SupaYoshi> Yah,
18:35 < Poster> thought I cannot speak as to how that is actually done
18:35 < SupaYoshi> But just wondering Poster, on the webinterface of openwrt
18:35 < SupaYoshi> there is no interface for the tun0 device.
18:35 < SupaYoshi> it is there, (in ifconfig) and so.
18:36 < SupaYoshi> But is that okay?
18:36 < Poster> yeah you should be ok
18:36 < SupaYoshi> Or should I make an interface in he webgui? for tun0?
18:36 < SupaYoshi> ok
18:36 < Poster> all we are really trying to do is tell OpenWRT's dnsmasq interface to send queries to 8.8.8.8 and/or 8.8.4.4
18:36 < Poster> when the OpenVPN link is up, it will be sent across teh OpenVPN link to your VPS
18:36 < Poster> effectively hiding the source IP
18:37 < SupaYoshi> okay awesome.
18:37 < SupaYoshi> i see.
18:37 < SupaYoshi> Well it still sending em to 10.9.0.1 :/
18:38 < Poster> nah, the traffic to 10.9.0.1 is inside of the OpenVPN link
18:38 < SupaYoshi> oh wait a sec.
18:38 < SupaYoshi> The traceroute google.nl works
18:38 < SupaYoshi> o.o
18:38 < Poster> once it reaches 10.9.0.1, it will be forwarded, then prior to being sent out onto the Internet, it will inherit the source IP address of your VPS via the MASQUERADE rule we crafted
18:39 < Poster> The full path out will look something like-
18:39 < SupaYoshi> cool :D
18:39 < Poster> Desktop -> OpenWRT -[OpenVPN] -> VPS -> VPS Default Gateway -> Internet
18:39 < SupaYoshi> okay aweosme.
18:39 < SupaYoshi> So.. it works now?
18:39 < SupaYoshi> But my laptop doesnt have internet yet?
18:39 < SupaYoshi> x_x
18:40 < Poster> ok is the laptop behind the OpenWRT device?
18:41 < SupaYoshi> yep
18:41 < Poster> can your laptop ping 10.9.0.1 ?
18:41 < SupaYoshi> let me see.
18:42 < SupaYoshi> no
18:42 < SupaYoshi> windows firewall?
18:42 < SupaYoshi> nope
18:42 < Poster> can it ping the LAN IP address of the OpenWRT interface?
18:42 < SupaYoshi> disabled that, same result.
18:43 < SupaYoshi> yes
18:43 < SupaYoshi> oh we need to add a static route dont we?!
18:43 < SupaYoshi> on the openwrt device?
18:43 < SupaYoshi> or no?
18:43 < Poster> is the default route on the laptop the OpenWRT device?
18:43 < SupaYoshi> yes
18:43 < SupaYoshi> 192.168.1.1
18:44 < SupaYoshi> do i need to add a static route?
18:44 < Poster> but the laptop cannot ping 10.9.0.1 ?
18:44 < SupaYoshi> nope
18:44 < SupaYoshi> Cus it doesnt know where that is most likely.
18:44 < Poster> what OS is your laptop?
18:44 < SupaYoshi> windows 8.1
18:45 < SupaYoshi> tracert 10.9.0.1 gives this:
18:45 < SupaYoshi> 192.168.1.1, *** *** *** ****
18:45 < Poster> ok please open up a shell window and type: route -n and paste it's output
18:45 < SupaYoshi> eh
18:46 < SupaYoshi> that brings up tutorial
18:46 < Poster> sorry, route print
18:46 < SupaYoshi> route PRINT?
18:46 < Poster> yeah, on Windows I believe the command is: route print
18:47 < SupaYoshi> http://paste.ubuntu.com/7822194/
18:47 < SupaYoshi> line #237
18:48 < Poster> ok that all looks good
18:48 < SupaYoshi> on my other device I had to add a route on the router to be able to ping 10.8.0.1
18:48 < SupaYoshi> *static route
18:48 < SupaYoshi> well that was what they told me back then.
18:48 < Poster> on your VPS, let's start another tcpdump session:  sudo tcpdump -i tun0 icmp
18:48 < Poster> on your Windows 8.1 laptop, type: ping 8.8.4.4
18:49 < SupaYoshi> done
18:49 < Poster> do you see any traffic on tcpdump?
18:49 < SupaYoshi> ok
18:50 < SupaYoshi> http://paste.ubuntu.com/7822198/
18:50 < SupaYoshi> yep
18:50 < Poster> ok on your VPS, stop the tcpdump and relaunch with: sudo tcpdump -i venet0:0 icmp
18:50 < Poster> and rerun the ping from your Windows 8.1 laptop
18:51 < SupaYoshi> http://paste.ubuntu.com/7822201/
18:51 < SupaYoshi> 1 packet, 4 send. ?
18:51 < SupaYoshi> getthing that
18:52 < Poster> not real sure what's going on there
18:52 < Poster> it does look like the echo request, at lease one of them is leaving
18:52 < SupaYoshi> i see.
18:52 < Poster> for grins restart tcpdump without name resolution: sudo tcpdump -i venet0:0 -n icmp
18:52 < SupaYoshi> oh they arrived all 4
18:53 < SupaYoshi> jus took a little time.
18:53 < SupaYoshi> :3
18:53 < SupaYoshi> http://paste.ubuntu.com/7822214/
18:53 < SupaYoshi> new one
18:53 < SupaYoshi> firewall?
18:53 < SupaYoshi> Maybe ive to define a zone for tun0 on the router?
18:54 < Poster> I don't think so
18:54 < SupaYoshi> ah ok
18:54 < SupaYoshi> yah jus what i read in tutorials.
18:54 < SupaYoshi> http://paste.ubuntu.com/7822219/
18:54 < Poster> it looks like you've got some UDP traffic coming back do you
18:54 -!- phunyguy is now known as phunyguy-freenod
18:54 < Poster> I was expecting to see ICMP echo requests/replies
18:55 -!- phunyguy-freenod is now known as phunyguy
18:55 < SupaYoshi> https://forum.openwrt.org/viewtopic.php?id=42990
18:55 <@vpnHelper> Title: OpenVPN client setup (Page 1) — General Discussion — OpenWrt (at forum.openwrt.org)
18:55 < SupaYoshi> x_x
18:56 < SupaYoshi> lolz, so whats going on x__x so confused.
18:56 < SupaYoshi> lolz
18:56 < Poster> ok yeah it looks like there is some more work to do
18:56 < Poster> I'm not very familiar with OpenWRT, sorry
18:56 < SupaYoshi> np.
18:57 < SupaYoshi> lolz. no worries man, im doing this myself for the firsttime, as a client setup
18:57 < SupaYoshi> lolz.
18:57 < SupaYoshi> Soooo :P em.
18:57 < SupaYoshi> I need to make the interface right?
18:57 < Poster> it looks like it
18:57 < Poster> and probably rules to allow forwarding
18:58 < SupaYoshi> heh
18:58 < SupaYoshi> i need to pick a protocol
18:58 < Poster> I can talk you through it from command line mostly
18:59 < SupaYoshi> ah wait
18:59 < Poster> though it will likely be lost on reboot
19:00 < SupaYoshi> no it saves command line stuff too
19:00 < SupaYoshi> it doesnt have to be done from the webgui
19:00 < SupaYoshi> yu can put it in the right files and fine.
19:00 < Poster> right, I just don't know how OpenWRT stores/calls the rulesets
19:01 < Poster> I can step you through testing, but not how to correctly add it via the OpenWRT framework
19:01 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
19:01 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:02 < SupaYoshi> lol
19:02 < SupaYoshi> i did what he did.
19:02 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:02 < SupaYoshi> And now Ive internet... and shit.
19:02 < SupaYoshi> But with my own IP xD
19:02 < SupaYoshi> lol lol.
19:02 < SupaYoshi> Not through the VPN tunnel. X-x
19:03 < SupaYoshi> Poster sure lets do that.
19:04 < Poster> ok with your putty session into the OpenWRT system, please type and paste output of: sudo iptables -L -n ; sudo iptables -t nat -L -n
19:04 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has joined #openvpn
19:04 < SupaYoshi> sudo iptables -L -n ; sudo iptables -t nat -L -n
19:07 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
19:08 < SupaYoshi> http://paste.ubuntu.com/7822260/
19:08 < SupaYoshi> there ya go
19:08 < SupaYoshi> woa
19:09 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has quit [Ping timeout: 264 seconds]
19:10 < SupaYoshi> can u join openwrt? im asking them now, what to do
19:10 < Poster> a quick test is to flip the default policy, try: iptables -P FORWARD ACCEPT
19:11 < Poster> they break it down into many sub chains, which I guess is ok but makes this step complicated
19:13 < SupaYoshi> okay, just let me ssee what thy say for a sec
19:16 < Poster> yeah that's good, it's best to follow their standards
19:16 < SupaYoshi> Yo
19:16 < SupaYoshi> I found this, http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap
19:16 < SupaYoshi> theyre slowie :3
19:17 < Poster> that guide looks pretty good
19:17 < SupaYoshi> Routing traffic over NAT + Routing client traffic transparently
19:17 < SupaYoshi> Should I do these?
19:19 < Poster> it looks like the guide is set for VPN connections to OpenWRT
19:19 < Poster> where here we're doing an all encompassing VPN from OpenWRT
19:20 < SupaYoshi> ah yah
19:20 < SupaYoshi> okay.
19:20 < SupaYoshi> So usueless.
19:20 < SupaYoshi> Using Openwrt as OpenVPN client with TAP device  = Just a confusing title
19:20 < Poster> not entirely
19:20 < Poster> you just need to change VPN_Client to any
19:20 < Poster> assuming any is an ok designator for 0.0.0.0/0
19:21 < SupaYoshi> i think VPN_client = jus a name?
19:22 < Poster> probably
19:22 < Poster> the net result should be allowing forwarding from your lan to anywhere via the OpenVPN link
19:22 < SupaYoshi> meh :/
19:22 < SupaYoshi> ya
19:24 < SupaYoshi> WAIT
19:24 < SupaYoshi> I GFUCKING DID IT
19:24 < SupaYoshi> I FUCKIGN DID IT
19:24 < SupaYoshi> X___X OMG.
19:24 < SupaYoshi> FUCK YES
19:24 < SupaYoshi> X___X sorry.
19:24 < SupaYoshi> looooool
19:24 < SupaYoshi> I was so close. x_x
19:24 < SupaYoshi> got it.
19:24 < SupaYoshi> lol lol lol.
19:24 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:24 < SupaYoshi> So remember that topic i just gave you?
19:25 < SupaYoshi> https://forum.openwrt.org/viewtopic.php?id=42990
19:25 <@vpnHelper> Title: OpenVPN client setup (Page 1) — General Discussion — OpenWrt (at forum.openwrt.org)
19:25 < SupaYoshi> Post #24.
19:25 < SupaYoshi> http://prntscr.com/44e7uh
19:25 <@vpnHelper> Title: Screenshot by Lightshot (at prntscr.com)
19:26 < SupaYoshi> I just put this on accept instead of reject. (forward WAN-VPN)
19:26 < SupaYoshi> Now it works :D
19:26 < SupaYoshi> And I got an different IP :)
19:26 < Poster> ok cool
19:26 < SupaYoshi> Jus to be sure, is this safe?
19:27 -!- SupaYoshii [~SupaYoshi@81.4.110.165] has joined #openvpn
19:27 < SupaYoshii> http://prntscr.com/44e84b
19:27 <@vpnHelper> Title: Screenshot by Lightshot (at prntscr.com)
19:27 < Poster> yeah that should be good
19:27 < SupaYoshi> or should one be on reject?
19:27 < SupaYoshi> Okay Poster, all these rules we added to the VPS box, do they get saved?
19:27 < Poster> no you need to pass the OpenVPN bound traffic
19:28 < Poster> the two things we need on the VPS side is the ip forwarding and MASQUERADE rule
19:28 < Poster> what distribution are you working with on the VPS?
19:28 < SupaYoshi> Ubuntu 14.04
19:29 < Poster> ok reading up, I know the native iptables commands but not the ubuntu ufw string, hang on
19:31 < SupaYoshi> okay thanks :)
19:31 < SupaYoshi> <3
19:31 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
19:32 < Poster> ok let's check to see that you have a file /etc/ufw/before.rules
19:32 < Poster> https://help.ubuntu.com/14.04/serverguide/firewall.html is where I am reading
19:32 <@vpnHelper> Title: 防火墙 (at help.ubuntu.com)
19:32 < Poster> we'll need to adjust for your VPS to be:
19:32 < SupaYoshi> Okay :D
19:32 < Poster> -A POSTROUTING -s 10.9.0/24 -o venet0:0 -j MASQUERADE
19:32 < SupaYoshi> wait wait
19:32 < Poster> oops make that
19:32 < Poster> -A POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
19:33 < SupaYoshi> okay mate, buyt hold on.
19:33 < SupaYoshi> Ive never worked with ufw before.
19:33 < Poster> it appears to mostly be geared towards standard inbound and outbound rules, NAT looks to be configuration file edits
19:33 < SupaYoshi> I dont have that file
19:34 < SupaYoshi> ./etc/ufw/before.rules
19:34 < Poster> ok no problem there, let's try another approach
19:34 < Poster> you should have /etc/rc.local
19:34 < SupaYoshi> But wait Poster
19:34 < SupaYoshi> I want to start using ufw anyway
19:34 < SupaYoshi> cus I need to secure this box,
19:35 < SupaYoshi> So maybe its best if I do it with ufw.
19:35 < Poster> sure, just be careful to not lock yourself out of the VPS
19:35 < SupaYoshi> yeah
19:35 < SupaYoshi> I am aware of that.
19:35 < SupaYoshi> So, I want to em..
19:35 < SupaYoshi> Enable it,
19:35 < SupaYoshi> But afraid too
19:35 < SupaYoshi> cus it might block me instantly
19:35 < Poster> does your VPS provider give you some type of console access?
19:36 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
19:36 < SupaYoshi> got the files.
19:36 < SupaYoshi> le mme check
19:37 < SupaYoshi> Yeah
19:37 < SupaYoshi> serial console.
19:37 < SupaYoshi> Port	7777
19:39 < SupaYoshi> why?
19:41 < Poster> ok I would recommend you connect in and make sure you can get to your console
19:41 < Poster> if something goes wrong you will need to access your VPS via it's console
19:41 < SupaYoshi> but that uses a port too/
19:41 < SupaYoshi> it says.
19:42 < SupaYoshi> i am logged in
19:42 < SupaYoshi> :) what now
19:43 < Poster> ok via the port 7777
19:43 < SupaYoshi> yep
19:43 < Poster> and probably a different IP address than your VPS
19:44 < SupaYoshi> indeed
19:44 < Poster> ok good, I think you should be able to install ufw now, guessing it's: sudo apt-get install ufw
19:44 < SupaYoshi> got that already
19:44 < SupaYoshi> just status inactive
19:44 < SupaYoshi> :)
19:44 < SupaYoshi> Should i start adding rules now?
19:44 < SupaYoshi> Allow 22?
19:44 < SupaYoshi> sudo ufw allow 22
19:44 < Poster> yep and whatever port/protocol you have OpenVPN
19:45 < Poster> it defaults to 1194, but you may have something else
19:45 < SupaYoshi> nah 1194
19:45 < SupaYoshi> so em
19:45 < SupaYoshi> done
19:45 < SupaYoshi> that file is now there too btw.
19:46 < SupaYoshi> ./etc/ufw/before.rules
19:46 < Poster> ok that should be enough to get started, go ahead and start ufw
19:46 < Poster> or activate it
19:46 -!- sylon [~sylon@unaffiliated/sylon] has joined #openvpn
19:46 < sylon> is there any guide i can follow to get openvpn connection (client) working on openWrt ?
19:46 < SupaYoshi> done.
19:47 < Poster> ok appears to be active now
19:47 < SupaYoshi> okay :)
19:48 < SupaYoshi> em
19:48 < SupaYoshi> vpn has seem to have stopped working.
19:48 < Poster> at least my bogus telnet attempt is hanging, which is usually an indicator that the SYN frame is being silently dropped
19:48 < Poster> ok, are you using TCP or UDP?
19:48 < SupaYoshi> can still trace though. :)
19:48 < SupaYoshi> UDP.
19:48 < SupaYoshi> (afaik)
19:49 < Poster> ok when you added rules, did you permit 1194 udp inbound?
19:49 -!- sylon [~sylon@unaffiliated/sylon] has left #openvpn []
19:49 < SupaYoshi> em
19:49 < SupaYoshi> I just did, this
19:49 < SupaYoshi> sudo ufw allow 1194
19:50 < SupaYoshi> x-x
19:50 < SupaYoshi> getting * * * agains. x_x -freaks out- lol lol nah.
19:50 < SupaYoshi> 1194                       ALLOW       Anywhere
19:51 < Poster> is that TCP or UDP?
19:51 < SupaYoshi> bet the masq are goe.
19:51 < SupaYoshi> I didnt tell it.
19:51 < Poster> try: sudo ufw allow 1194/udp
19:51 < Poster> ok from your VPS SSH session type: sudo iptables -t nat -L -n
19:51 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
19:52 < Poster> do you have a MASQUERADE rule in there?
19:52 < SupaYoshi> http://paste.ubuntu.com/7822408/
19:53 < Poster> ok that looks good, let's check to see if ip forwarding is enabled
19:53 < Poster> cat /proc/sys/net/ipv4/ip_forward
19:53 < Poster> we want a 1
19:53 < SupaYoshi> 1
19:54 < Poster> ok from your Windows 8.1 laptop or OpenWRT device, try to ping 10.9.0.1
19:54 < SupaYoshi> should i do sudo ufw disable
19:54 < SupaYoshi> to see if it fixes this?
19:54 < SupaYoshi> ok
19:54 < Poster> hang on I think we're close
19:54 < SupaYoshi> openwrt device done.
19:54 < SupaYoshi> wrosk.
19:54 < Poster> ok can openwrt device ping 8.8.4.4 ?
19:54 < SupaYoshi> laptop works.
19:54 < SupaYoshi> yes
19:55 < Poster> ok I think you should be good
19:55 < Poster> go ahead and check for your public IP
19:55 < SupaYoshi> got no internet.
19:55 < SupaYoshi> on the laptop
19:55 < SupaYoshi> restart openvpn client?
19:55 < Poster> actually restart ufw
19:55 < SupaYoshi> traceroute also gives the  *** again on the 2nd rule
19:55 < SupaYoshi> ok
19:55 < Poster> then restart openvpn client
19:56 < SupaYoshi> so
19:56 < SupaYoshi> em reload?
19:56 < SupaYoshi> or stop and start?
19:56 < SupaYoshi> dsiable / enable?
19:57 < Poster> sudo ufw disable && sudo ufw enable
19:57 < SupaYoshi> http://paste.ubuntu.com/7822420/
19:57 < SupaYoshi> okay done
19:57 < SupaYoshi> no working traceroute.
19:57 < SupaYoshi> at restarted.
19:57 < SupaYoshi> let me disable and see.
19:58 < SupaYoshi> disabled = BOOM works!
19:58 < Poster> let's look on your VPS for the file /etc/default/ufw
19:58 < Poster> need to set/verify DEFAULT_FORWARD_POLICY="ACCEPT"
19:58 < SupaYoshi> ok.
19:58 < Poster> here; https://help.ubuntu.com/14.04/serverguide/firewall.html
19:58 <@vpnHelper> Title: 防火墙 (at help.ubuntu.com)
19:58 < SupaYoshi> got that.
19:58 < Poster> edit /etc/ufw/sysctl.conf to have: net/ipv4/ip_forward=1
19:58 < SupaYoshi> DEFAULT_FORWARD_POLICY="DROP"
19:59 < Poster> well that's probably not going to work well :|
19:59 < Poster> flip that to ACCEPT
19:59 < SupaYoshi> okay
19:59 < SupaYoshi> :)
19:59 < SupaYoshi> done
19:59 < SupaYoshi> ufw enable?
20:00 < Poster> sudo ufw disable && sudo ufw enable
20:00 < SupaYoshi> grrrrrrrr
20:00 -!- SupaYoshii [~SupaYoshi@81.4.110.165] has quit [Ping timeout: 245 seconds]
20:00 < SupaYoshi> works
20:00 < Poster> ok so ping, traceroute outbound works?
20:01 < SupaYoshi> even traceroute does from the router.
20:01 < SupaYoshi> :D
20:01 < SupaYoshi> yeo
20:01 < SupaYoshi> Yep
20:01 < SupaYoshi> Imma write a tutorial.
20:01 < Poster> ok so everything is working as intended?
20:01 < SupaYoshi> yes
20:01 < Poster> ok cool
20:01 < SupaYoshi> fucking love yu man x_x.
20:01 < SupaYoshi> nohomo
20:01 < SupaYoshi> :D:D:D
20:02 < SupaYoshi> damn :D love this
20:02 < SupaYoshi> okay gonna reboot server.
20:02 < Poster> ok just to be safe, you may want to consider a complete reboot of your VPS
20:02 < SupaYoshi> and see if it stays working?
20:02 < SupaYoshi> is that okay?
20:02 < Poster> yep
20:02 < SupaYoshi> hah :D
20:02 < Poster> also your OpenWRT device
20:02 < SupaYoshi> same thought
20:03 < SupaYoshi> okay :D
20:03 < SupaYoshi> rebooting em now :D hold on
20:04 < SupaYoshi> aw no
20:04 < SupaYoshi> think it changed the resolv.conf.auto back
20:05 < SupaYoshi> yep
20:07 < Poster> ok I think there is probably somewhere within the OpenWRT GUI to hardcode DNS server addresses
20:08 < Poster> I would recommend you stick with something public such as Google's 8.8.4.4 and 8.8.8.8, there may be something else closer to you that can work too
20:09 < Poster> whichever addresses you choose, please be sure to verify they accept recursive lookups from both your local Internet connection and your VPS
20:13 < SupaYoshi> i pick google dunt worry
20:13 < SupaYoshi> jus hold on and lemme try this x_X
20:27 < SupaYoshi> ;/
20:29 < Poster> unable to change the resolv.conf.auto ?
20:29 < SupaYoshi> Yeah, they say it gets reset.
20:29 < SupaYoshi> Gave me another option
20:29 < SupaYoshi> So I tried something myself.
20:29 < SupaYoshi> And now i cant resolv anything anymore.
20:29 < SupaYoshi> fucked something up in openwrt.
20:29 < SupaYoshi> rebooting wont help lol
20:30 < SupaYoshi> lemme try disabling openvpn for a sec
20:35 < SupaYoshi> they broke my router :/
20:35 < SupaYoshi> mofos.
20:35 < SupaYoshi> :/ ugh.
20:36 < Poster> is it just dnsmasq that is broken?
20:36 < SupaYoshi> yeah i think so?
20:36 < SupaYoshi> It says bad-addres on everything :/
20:37 < SupaYoshi> except for ips
20:37 < Poster> ok are you able to paste the contents of resolv.conf.auto ?
20:37 < SupaYoshi> yaeh
20:40 < SupaYoshi> http://paste.ubuntu.com/7822560/
20:40 < SupaYoshi> this
20:41 < Poster> ok from openwrt does
20:41 < Poster> nslookup www.google.nl 10.15.1.1
20:41 < Poster> resolve?
20:41 < SupaYoshi> yeah
20:41 < Poster> how about: nslookup www.google.nl 127.0.0.1
20:42 < SupaYoshi> no
20:42 < SupaYoshi> ;/
20:44 < Poster> can you verify that dnsmasq is running?
20:45 < SupaYoshi> em.
20:45 < SupaYoshi> think so?
20:45 < SupaYoshi> im pretty sure it is? lol.
20:46 < Poster> ok try: nslookup www.google.nl 192.168.1.1
20:48 < SupaYoshi> nope
20:48 < SupaYoshi> x_x
20:48 < Poster> ok I don't think dnsmasq is running, can you get a process list from your OpenWRT system?
20:49 < SupaYoshi> lemme see
20:51 < SupaYoshi> http://paste.ubuntu.com/7822590/
20:51 < SupaYoshi> there.
20:51 < SupaYoshi> it is runnign :/
20:52 < Poster> ok let's look at what I think is going to be /var/etc/dnsmasq or maybe /var/etc/dnsmasq.conf
20:54 < SupaYoshi> wait dude.
20:54 < SupaYoshi> x_X
20:54 < SupaYoshi> i think i kno.
20:54 < SupaYoshi> i just disabled openvpn, and now the dns is up.
20:54 < SupaYoshi> :/
20:54 < SupaYoshi> x-x
20:54 < SupaYoshi> so now we just have to get back to adding the custom dns servers.
20:55 < SupaYoshi> <Bushmills> ah, right.  in /etc/config/dhcp, add an  option 'server'  directive, specifying the nameserver you want queries to be forwarded to
20:55 < SupaYoshi> This is what he said.
20:55 < Poster> ok and did you go down that path?
20:56 < SupaYoshi> yeah but i think i did it wrong
20:56 < SupaYoshi> he wasnt sure either.
20:56 < SupaYoshi> he said like.
20:56 < Poster> ok can we look at the contents of /var/etc/dnsmasq or something near that?
20:56 < Poster> not sure if there's an extension, the top output seems to be clipped
20:56 < SupaYoshi> ok
20:56 < SupaYoshi> here sec
20:57 < SupaYoshi> http://paste.ubuntu.com/7822609/
20:57 < SupaYoshi> dnsmasq.conf
20:57 < SupaYoshi> and em
20:58 < SupaYoshi> http://paste.ubuntu.com/7822625/
20:59 < SupaYoshi> the other config /etc/config/dhcp
20:59 < SupaYoshi> think he ment there
21:02 < SupaYoshi> http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq#add.a.secondary.dns
21:02 < SupaYoshi> what about this?
21:07 < Poster> yeah you can try that
21:07 < Poster> though I am guessing that the upstream device at 10.15.1.1 is handing out a DHCP address to your OpenWRT device and will overwrite it on each boot
21:08 < SupaYoshi> meh
21:08 < SupaYoshi> that wont do.
21:08 < SupaYoshi> Cant I add a static route or something?
21:08 < SupaYoshi> can u explain whats goignw rong btw?
21:08 < Poster> yeah you should be able to setup your OpenWRT device to have a static IP on it's WAN side
21:08 < SupaYoshi> ah!
21:08 < SupaYoshi> thats all?
21:09 < Poster> just assign it to the 10.15.1.x you have now, probably a subnet mask of 255.255.255.0 default gateway 10.15.1.1
21:09 < Poster> most likely yes
21:09 < SupaYoshi> so it doesnt assign the 10.15.1.1 as a default dns.
21:09 < SupaYoshi> yu mean
21:09 < Poster> ifconfig on the OpenWRT device should tell you the address on 10.15.1.x
21:09 < Poster> yeah when you go static, you have to specify it all
21:09 < Poster> which is kind of what we want here
21:09 < SupaYoshi> mhm.
21:09 < SupaYoshi> I see.
21:09 < SupaYoshi> So look. Poster
21:09 < SupaYoshi> this router is going to germany.
21:10 < SupaYoshi> there is going to be a router there / modem router,
21:10 < SupaYoshi> and that gives an IP to this router.
21:10 < SupaYoshi> I DMZ that thing to this thing.
21:10 < Poster> the OpenWRT device is going to another location?
21:10 < SupaYoshi> I give this device a static IP from that router right?
21:10 < SupaYoshi> yes :)
21:10 < SupaYoshi> 10.15.1.1 = temp.
21:10 < Poster> oh, ok static IP may not be best
21:10 < SupaYoshi> hehe.
21:11 < SupaYoshi> can u explain whats going wrong right now?
21:11 < SupaYoshi> cus I wanna kno whats going wrong.
21:11 < SupaYoshi> as soon as i connect to the openvpn
21:11 < Poster> based on what I can tell, dnsmasq is trying to forward all DNS queries upstream to 10.15.1.1
21:11 < SupaYoshi> no internet.
21:11 < SupaYoshi> k
21:11 < Poster> but when OpenVPN kicks up, the path to 10.15.1.1 is forced across the OpenVPN tunnel, 10.15.1.1 is no longer reachable and DNS queries begin to fail
21:12 < SupaYoshi> k
21:12 < Poster> though the path to 10.15.1.1 should be a local subnet, but something else seems to be going wrong there
21:12 < SupaYoshi> 10.15.1.1 is a local subnet infront of the 192.168.1.1
21:12 < SupaYoshi> which will go away ofcourse
21:15 < SupaYoshi> I see.
21:21 < Poster> unfortunately I think we're at the mercy of the OpenWRT startup system
21:21 < Poster> which I am not even remotely familiar with
21:23 < Poster> this might help though: http://wiki.openwrt.org/doc/uci/network#protocol.dhcp
21:23 < Poster> peerdns 0
21:23 < Poster> dns 8.8.4.4 8.8.8.8
21:23 < Poster> I need to step out for a bit, I should be back in about 45-60 minutes
21:24 < SupaYoshi> mhm
21:24 < SupaYoshi> em
21:24 < SupaYoshi> im going to bed
21:24 < SupaYoshi> :/
21:24 < SupaYoshi> Its like
21:24 < SupaYoshi> 4.23 am here
21:24 < SupaYoshi> Been struggling all day
21:24 < SupaYoshi> Are you here tommorow?
21:24 -!- nutron [~nutron@unaffiliated/nutron] has quit [Read error: Connection reset by peer]
21:25 < Poster> yeah should be, have work starting in about 2 hours, will probably still be up when you return
21:25 < SupaYoshi> okay x_x
21:25 < SupaYoshi> thanks mate
21:25 < SupaYoshi> got skype?
21:26 < Poster> not really no
21:26 < Poster> am on here pretty regularly though
21:27 < SupaYoshi> k cool
21:42 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has joined #openvpn
21:42 < SupaYoshii> back.
21:44 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
21:49 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
21:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:59 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has quit [Ping timeout: 240 seconds]
22:12 < Poster> any luck?
22:18 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Ping timeout: 250 seconds]
22:38 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has joined #openvpn
22:40 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
23:21 -!- ShadniX [dagger@p5DDFF4ED.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:23 -!- ShadniX [dagger@p5481DF20.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- Mike-- [mad@mx.probie.nl] has quit [Write error: Broken pipe]
23:48 -!- pa [~pa@unaffiliated/pa] has quit [Excess Flood]
23:48 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Excess Flood]
23:49 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
23:57 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
--- Day changed Sun Jul 20 2014
00:06 -!- NealShire [~NealShire@pool-71-160-95-79.lsanca.fios.verizon.net] has quit [Quit: The NSA is doubleplusgood!]
01:36 -!- u0m3_ [~u0m3@92.80.88.65] has joined #openvpn
01:38 -!- u0m3 [~u0m3@92.80.64.168] has quit [Ping timeout: 240 seconds]
03:01 -!- mattock_afk is now known as mattock
03:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
03:11 -!- Envil [~meep@95.211.26.40] has joined #openvpn
03:53 -!- C0SM0S [~C0SM0S@unaffiliated/c0sm0s] has quit [Ping timeout: 256 seconds]
03:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:20 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
05:09 -!- Cysioland [Cysioland@Wikimedia/Cysioland] has joined #openvpn
05:10 < Cysioland> Can someone help me to troubleshoot OpenVPN on my OpenWRT router?
05:10 < Cysioland> !welcome
05:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:10 < Cysioland> !goal
05:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:11 < Cysioland> I would like to access the Internet over the VPN, I set OpenVPN up on OpenWRT router, it connects, but nothing apart from that. Can't ping lan & net, can't browse.
05:13 < Cysioland> !interface
05:13 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For
05:13 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
05:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:15 < SupaYoshi> Poster
05:15 < SupaYoshi> im back
05:15 < Poster> Greetings!
05:15 < SupaYoshi> Yay!
05:15 < SupaYoshi> ur still there
05:15 < SupaYoshi> no luck yet.
05:15 < SupaYoshi> :D Got an idea?
05:16 < Poster> I was looking at http://wiki.openwrt.org/doc/uci/network#protocol.dhcp
05:16 < SupaYoshi> Yeah
05:16 < SupaYoshi> What I did
05:16 < SupaYoshi> Was try that.
05:16 < SupaYoshi> I went to interface settings,
05:16 < Poster> if I am interpreting it, "peerdns 0" will disable getting upstream DNS from DHCP
05:16 < SupaYoshi> and put a dns in ther emanually
05:16 < Cysioland> Nobody will help me
05:16 < SupaYoshi> but no luck.
05:16 < Cysioland> :(
05:16 < Poster> then "dns 8.8.4.4 8.8.8.8" will tell dnsmasq to use those instead
05:17 < SupaYoshi> well
05:17 < SupaYoshi> lemme try again then :P
05:18 < Poster> Cysioland: Make sure that 1) IP Forwarding is enabled on your OpenVPN server system "sudo sysctl -w net.ipv4.ip_forward=1" 2) You're set to NAT the outbound traffic "sudo iptables -t nat -A POSTROUTING -o YOUREXTERNALINTERFACE -j MASQUERADE"
05:18 < SupaYoshi> use default gateway is checked,
05:18 < SupaYoshi> use dns servers advertised by peer is checked as well
05:18 < Poster> I don't think you want advertised by peer
05:18 < Poster> in this instance
05:18 < SupaYoshi> added them and removed that checkbox
05:18 < SupaYoshi> so lemme see, what the config says of dnsmasq.conf
05:19 < Poster> ok did you restart the OpenWRT device?
05:19 < SupaYoshi> okay lemme restart
05:19 < SupaYoshi> :)
05:21 < Cysioland> Poster, there is no sysctl on openwrt, there is also no sudo.
05:21 < SupaYoshi> nope, :P
05:21 < SupaYoshi> I get bad-address
05:21 < SupaYoshi> however, my skype will connect on my laptop :P lol lol
05:21 < SupaYoshi> so thats cool
05:21 < SupaYoshi> but yah skype is weird :)
05:22 < Poster> :(
05:22 < SupaYoshi> lol wait ill get yu pastebin of what i did
05:22 < Poster> is the OpenVPN server OpenWRT?
05:23 < SupaYoshi> no!
05:23 < SupaYoshi> it is ubuntu vps
05:23 < SupaYoshi> remember :D
05:23 < Poster> that was geared to Cysioland sorry
05:23 < Poster> I'll try to prefix
05:23 < Cysioland> Poster, yes, the server is OpenWRT, the client is Android 4.1.2 phone with official app
05:23 < Poster> gotcha, are you able to ping the IP address that OpenWRT has on the OpenVPN side of the link?
05:24 < SupaYoshi> http://paste.ubuntu.com/7824139/
05:24 < Cysioland> Poster, I'm not able.
05:25 < Poster> Cysioland: are you sure you are connected?
05:25 < Poster> SupaYoshi: ok looks good, what does resolv.conf.auto look like?
05:26 < SupaYoshi> http://paste.ubuntu.com/7824148/
05:26 < SupaYoshi> :)
05:26 < SupaYoshi> that looks nice, id say.
05:26 < Poster> yeah
05:26 < SupaYoshi> but nah it isnt x_x lol.
05:26 < SupaYoshi> smh
05:26 < Cysioland> Poster, app says that I'm connected. It says, that no packets have been received, and some have been transmited
05:26 < Cysioland> transmitted*
05:27 < Poster> Cysioland: ok double check to make sure you're using the correct adapter type (tap vs. tun) and that they match
05:27 < Poster> SupaYoshi: ok so OpenVPN is up but pinging by name is not working?
05:27 < SupaYoshi> pinging by name?
05:28 < Poster> yeah- ping www.google.nl
05:28 < Cysioland> Poster, I'm using tun, as in tutorial.
05:28 < Poster> Cysioland: can you ping your android from the OpenWRT device?
05:29 < SupaYoshi> i can still ping the server. x_x
05:29 < Poster> SupaYoshi: how about pinging by IP address- ping 8.8.4.4
05:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
05:29 < SupaYoshi> that doesn twork
05:29 < SupaYoshi> that goes to 10.9.0.1 witha  traceroute
05:29 < SupaYoshi> and then * * *
05:29 < SupaYoshi> like before.
05:30 < Cysioland> Poster, no
05:31 < SupaYoshi> thats with ufw enabled, and disabled the same.
05:31 < SupaYoshi> Poster, in my server.conf of the server, shouldn't i be pushing a certain route?
05:32 < Poster> Cysioland: if your OpenWRT device has a syslog daemon of some type, try doing a tail on /var/log/messages (or whatever it is called) and disconnect/reconnect the android device
05:32 < Cysioland> Poster, I have separate log for vpn, will it suffice?
05:32 < Poster> SupaYoshi: you are, you should get two routes, the first to 0.0.0.0/1 and the second to 128.0.0.0/1
05:32 < Poster> Cysioland: yes we just want to see if the OpenVPN connection is successful
05:32 < SupaYoshi> ah ok
05:32 < SupaYoshi> sorry.
05:33 < SupaYoshi> http://paste.ubuntu.com/7824172/
05:33 < SupaYoshi> Just to make sure, this is all right right?
05:34 < Poster> SupaYoshi: yep all looks good
05:34 < SupaYoshi> okay
05:35 < Poster> can you log into the VPS and run: sudo iptables -L -n ; sudo iptables -t nat -L -n ; cat /proc/sys/net/ipv4/ip_forward
05:35 < SupaYoshi> that is 1 line?
05:36 < Poster> sort of, it's 3 commands sequentially
05:36 < Poster> but yeah you can paste it all in 1
05:36 < SupaYoshi> http://paste.ubuntu.com/7824187/
05:36 < Poster> ok we're missing the NAT rule
05:36 < Poster> is ufw disabled?
05:37 < SupaYoshi> no
05:37 < Cysioland> Poster, https://gist.github.com/Cysioland/91531f692c14052bb572
05:37 <@vpnHelper> Title: gist:91531f692c14052bb572 (at gist.github.com)
05:38 < Poster> SupaYoshi: just for grins, type this and retry your traceroute: sudo ufw disable && sudo ufw enable
05:38 < SupaYoshi> same results.
05:38 < SupaYoshi> but im missing 1 nat rule right?
05:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:39 < Poster> yeah, edit: /etc/ufw/before.rules
05:39 < SupaYoshi> okay
05:39 < Poster> I thought we already did this, but it seems to be missing
05:39 < SupaYoshi> thought so.
05:39 < SupaYoshi> what do I edit?
05:40 < SupaYoshi> I put something on ACCEPT THERE
05:40 < Poster> Cysioland: that looks right, can you please paste the output of: ifconfig ; iptables -L -n ; iptables -t nat -L -n
05:40 < SupaYoshi> asomething with 1.
05:40 < Poster> SupaYoshi: add: -A POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
05:40 < SupaYoshi> on what line?
05:41 < Poster> https://help.ubuntu.com/14.04/serverguide/firewall.html#ip-masquerading
05:41 <@vpnHelper> Title: 防火墙 (at help.ubuntu.com)
05:41 < SupaYoshi> http://paste.ubuntu.com/7824210/
05:41 < SupaYoshi> ok
05:42 < Poster> SupaYoshi: ok I'd say at the bottom before the COMMIT line
05:42 < SupaYoshi> http://paste.ubuntu.com/7824213/
05:42 < Poster> Start with the *nat, include :POSTROUTING ACCELT [0:0] then end with the -A POSTROUTING -s 10.9.0.0/24 -o vnet0:0 -j MASQUERADE
05:43 < SupaYoshi> http://paste.ubuntu.com/7824216/
05:43 < Cysioland> Poster, https://gist.github.com/Cysioland/4efa8ec72eb7d7acad2b
05:43 <@vpnHelper> Title: gist:4efa8ec72eb7d7acad2b (at gist.github.com)
05:43 < Poster> yikes, did you envoke "ufw enable" without sudo?
05:44 < SupaYoshi> no
05:45 < SupaYoshi> http://paste.ubuntu.com/7824226/
05:45 < SupaYoshi> so like this?
05:45 < Poster> sorry, I didn't mean verbatim as I typed it
05:46 < Poster> everything in the blue box in step 2 here: https://help.ubuntu.com/14.04/serverguide/firewall.html#ip-masquerading
05:46 <@vpnHelper> Title: 防火墙 (at help.ubuntu.com)
05:46 < Poster> except the bottom 2 lines # don't delete .... and COMMIT
05:46 < SupaYoshi> should i move it up?
05:47 < SupaYoshi> http://paste.ubuntu.com/7824226/
05:47 < SupaYoshi> + what do I keep?
05:47 < SupaYoshi> remove the *nat right?
05:47 < Poster> Cysioland: just to confirm, from OpenWRT you are unable to ping 10.8.0.2 and from your Android you cannot ping 10.8.0.1 ?
05:47 < Poster> SupaYoshi: delete this entire line
05:47 < Poster> *nat, include :POSTROUTING ACCELT [0:0] -A POSTROUTING -s 10.9.0.0/24 -o vnet0:0 -j MASQUERADE
05:47 < Poster> -A POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
05:48 < SupaYoshi> done
05:48 < SupaYoshi> now add what?
05:48 < Poster> https://help.ubuntu.com/14.04/serverguide/firewall.html#ip-masquerading look at step 2, there is a light blue box with several lines in it
05:48 <@vpnHelper> Title: 防火墙 (at help.ubuntu.com)
05:48 < SupaYoshi> mhm
05:49 < Poster> paste everything except the last two lines
05:49 < Poster> The first line should be
05:49 < Poster> # nat Table rules
05:49 < Poster> the last line should be
05:49 < SupaYoshi> yep
05:49 < SupaYoshi> got it.
05:49 < Poster> -A POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
05:49 < Poster> note the different source network and output adapter name
05:50 < SupaYoshi> http://paste.ubuntu.com/7824250/
05:50 < SupaYoshi> now have this
05:50 < SupaYoshi> yeah i was expecting this, im following this,
05:50 < Cysioland> Poster, yes
05:50 < SupaYoshi> eoors again -.-
05:50 < SupaYoshi> http://paste.ubuntu.com/7824252/
05:50 < Poster> Cysioland: do you have tcpdump by chance?  I am not too familiar with the OpenWRT set
05:51 < SupaYoshi> http://paste.ubuntu.com/7824260/
05:51 < Cysioland> Poster, I don't have it
05:51 < Poster> Cysioland: ok I am not sure if I can help you much more, do you have a PC you can run a standard OpenVPN client on?
05:52 < Cysioland> Poster, yes, it's the PC I'm writing from. I'll tether it via phone and see, what happens. I'll use network manager's openvpn plugin. Is that ok?
05:52 < Poster> might be!
05:53 < Poster> what OS is the PC you're using?
05:54 < SupaYoshi> Poster, got an idea whats wrong in the file? im brb for 10 min,.
05:59 < Cysioland> Poster, here are the results: from my box I can ping and even ssh to router, and I have dns working, but I can't ping outside Internet, nor browse web
05:59 < Poster> ok when you say my box, are you referring to a PC connected to the LAN side of the OpenWRT device?
06:01 < Cysioland> Poster, my box is the pc I'm writing from. Basically, form PC I can ping and even ssh to router. I also have dns working, but I can't access web, nor I can ping the internet addresses.
06:01 < Poster> ok can you ping the Internet when you SSH into your OpenWRT router?
06:01 < Cysioland> Poster, yup, my router can indeed access the net.
06:02 < Poster> ok I would spend some time reviewing your firewall rules, it sounds like you may be inadvertently blocking Internet access
06:02 < SupaYoshi> back
06:02 < Poster> is there an option to reset them by chance?
06:03 < SupaYoshi> Yeah I am poster
06:03 < SupaYoshi> Should I just open port 80?
06:03 < Cysioland> Poster, what do you mean „reset”?
06:03 < SupaYoshi> I cant ping from teh server either.
06:03 < SupaYoshi> x_x
06:03 < SupaYoshi> lol!
06:03 < SupaYoshi> Poster, should I do, sudo ufw add 80
06:03 < SupaYoshi> ?
06:03 < Poster> Cysioland: take whatever rules that are currently running and return them to a default
06:04 < Cysioland> Poster, I didn't introduce any blocking rules. I can turn off firewall completely. Resetting rules would mean resetting whole router to defaults, and that means also setting up openvpn anew.
06:04 < Poster> SupaYoshi: for kicks just type this directly into your shell on the VPS: sudo iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
06:04 < SupaYoshi> Poster done
06:05 < Poster> Cysioland: understood, though if you can't get your LAN on the Internet working out getting OpenVPN clients on is going to be even more difficult
06:05 < SupaYoshi> Poster, still cant ping.
06:05 < SupaYoshi> From the server itself.
06:05 < SupaYoshi> Should i allow port 80?
06:05 < SupaYoshi> i don run a webserver anyway
06:07 < Poster> SupaYoshi: probably not- is the VPS itself able to ping out to the Internet ok?
06:07 < SupaYoshi> no
06:08 < SupaYoshi> that is what i was saying x
06:08 < SupaYoshi> the VPS is unable to ping out to the internet itself.
06:08 < Poster> yikes, try: sudo ufw disable
06:08 < SupaYoshi> can now ping.
06:08 < SupaYoshi> from vps to internet.
06:09 < SupaYoshi> open port 80 on vps?
06:09 < Poster> ok now try: sudo iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
06:09 < Poster> then ping from behind OpenWRT
06:09 < SupaYoshi> done
06:09 < SupaYoshi> ill reboot openwrt.
06:09 < SupaYoshi> cus it says bad ddress still, probally because of ufw. or something
06:09 < SupaYoshi> sec.
06:10 < Poster> openwrt is reporting bad address?
06:10 < SupaYoshi> yeah
06:10 < Poster> try to ping 8.8.4.4
06:11 < SupaYoshi> doing that now, doesnt work from openwrt.
06:17 < SupaYoshi> should i tcpdump again?
06:17 < SupaYoshi> :x meh. im getting hopeless. lol
06:19 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:19 -!- mode/#openvpn [+v s7r] by ChanServ
06:20 < Poster> yeah you can use tcpdump again
06:20 < Poster> sudo tcpdump -i venet0:0 icmp
06:20 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
06:23 <+s7r> what could be the cause of a vpn deconnecting when non-activity for long time (e.g. over 1 hour) ?
06:23 <+s7r> i have keep alive and persist key and persist tun in both server and client config
06:23 < SupaYoshi> back
06:23 <+s7r> and when I get back to the laptop running windows 8.1 the vpn is conneted, it shows green state in tray bar, the tap adapter is up .. but can't access any web page or do anything
06:23 < SupaYoshi> okay
06:24 < SupaYoshi> listening now.
06:24 -!- Denial [~Denial@host86-162-217-216.range86-162.btcentralplus.com] has joined #openvpn
06:24 < SupaYoshi> Poster, when i ping from the openwrt device, the listening thing on the vps does this: http://paste.ubuntu.com/7824409/
06:25 < SupaYoshi> does port 1194 have to be open on the client side?
06:26 < Poster> SupaYoshi: no, the client needs no inbound ports opened, the traffic is not hitting MASQUERADE, on your VPS, type:
06:26 < Poster> sudo iptables -t nat -A POSTROUTING -s 10.9.0.0 -o venet0:0 -j MASQUERADE
06:26 < Poster> rerun your ping test
06:31 < SupaYoshi> back
06:32 < SupaYoshi> added that
06:32 < SupaYoshi> http://paste.ubuntu.com/7824454/
06:32 < SupaYoshi> still the same :/
06:32 < SupaYoshi> lolz.
06:32 < SupaYoshi> stupid ubuntu server firewall
06:33 < SupaYoshi> how to print iptables again? ill give yu what it has right now with ufw disabled.
06:33 <+s7r> iptables -L
06:33 < Poster> ok it might not be taking the adapter:0, try
06:33 < SupaYoshi> http://paste.ubuntu.com/7824456/
06:33 < Poster> sudo iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
06:33 < SupaYoshi> yes
06:34 < SupaYoshi> ping now works
06:34 < SupaYoshi> from the openwrt router.
06:34 < Poster> ok let's go back into /etc/ufw/before.rules on the VPS and change
06:35 < SupaYoshi> http://paste.ubuntu.com/7824462/
06:35 < Poster> -A POSTROUTING -s 10.9.0.0/24 -o venet0:0 -j MASQUERADE
06:35 < Poster> to be
06:35 < Poster> -A POSTROUTING -s 10.9.0.0/24 -o venet0 -j MASQUERADE
06:35 < Poster> sudo ufw disable && sudo ufw enable
06:35 < SupaYoshi> http://paste.ubuntu.com/7824474/
06:35 < SupaYoshi> it doesnt like that adding to it.
06:36 < SupaYoshi> http://paste.ubuntu.com/7824480/
06:36 < Poster> try putting a COMMIT before the line # nat Table rules
06:36 -!- abrkn [~abrkn@176-9-206-176.cinfuserver.com] has joined #openvpn
06:37 < SupaYoshi> done
06:37 < SupaYoshi> now no errors.
06:37 < Poster> ok ping from openwrt
06:37 < SupaYoshi> ping still works.
06:37 < SupaYoshi> but it did as well when that file errored.
06:37 < SupaYoshi> reboot vps and try?
06:38 < Poster> so what happened after you edited /etc/ufw/before.rules then executed; sudo ufw disable && sudo ufw enable ?
06:38 < Poster> is everything working?
06:38 < SupaYoshi> yeah.
06:38 < SupaYoshi> It said enabled and enabled at boot.
06:38 < SupaYoshi> em no
06:38 < SupaYoshi> internet still doesnt work.
06:39 < SupaYoshi> dns issue is still there,
06:39 < abrkn> i'm suddenly unable to connect to my openvpn connect server. i receive the error SSL23_READ (handshake error) when connecting. the admin over https gives ERR_SSL_PROTOCOL_ERROR. i've also tried from my android phone, same issue. ideas? the host is vpn.justcoin.com
06:39 < SupaYoshi> I was thinking to make hte nameserver 10.9.0.1
06:39 < SupaYoshi> lol.
06:39 < Poster> can OpenWRT ping 8.8.8.8 and 8.8.4.4 ?
06:39 < SupaYoshi> yes
06:39 < Poster> on OpenWRT try: nslookup www.google.nl 8.8.4.4
06:40 < SupaYoshi> that resolves perfectly
06:40 < Poster> ok something may be wrong with the dnsmasq instance, on OpenWRT try: nslookup www.google.nl 127.0.0.1
06:40 < SupaYoshi> can't resolve name or service not known.
06:41 < SupaYoshi> should i try rebooting openwrt?
06:41 < SupaYoshi> just to see, cus of the masq. now being effective
06:41 < Poster> can you get a process list and see if dnsmasq is running?
06:41 < SupaYoshi> yeah
06:41 < SupaYoshi> i can see its running with top
06:41 < Poster> try some other hostname from OpenWRT: nslookup www.yahoo.com 127.0.0.1
06:42 < SupaYoshi> - /usr/sbin/dnsmasq -c /var/etc/dnsmasq
06:43 < SupaYoshi> same cant reolve that.
06:43 < Poster> can you check the contents of resolv.conf.auto ?
06:43 < SupaYoshi> i think bout rebooting, or changing the dns back to default gateway 10.15.1.1
06:43 < SupaYoshi> sure
06:44 < SupaYoshi> its the same as before, #interface wan, nameserver 8.8.8.8, nameserver 8.8.4.4
06:44 < SupaYoshi> interface wan 6 then, but thats nada.
06:44 < Poster> can you do a netstat -an on OpenWRT and paste the output?
06:45 < SupaYoshi> sure
06:45 < SupaYoshi> the protocol of the vpn interface on openwrt is unmanaged
06:45 < SupaYoshi> maybe we could change that to dhcp.
06:45 < SupaYoshi> and that would be better?
06:45 < SupaYoshi> or na?
06:45 < SupaYoshi> jus thinking
06:45 < Poster> I don't think applicable
06:45 < SupaYoshi> okay sure heres netstat for you
06:46 < Poster> IP is ok, something is wrong with dnsmasq it seems
06:46 < SupaYoshi> http://paste.ubuntu.com/7824524/
06:47 < SupaYoshi> mhm pretty sure it is dnsmasq.
06:47 < Poster> ok dnsmasq isn't listening, I don't know how to restart the service, is there an /etc/init.d folder?
06:47 < SupaYoshi> We could ask openwrt, but they give wizard answers.
06:47 < SupaYoshi> yes
06:47 < SupaYoshi> i can restart dnsmasq hold on
06:47 < Poster> you should see a UDP listener on :domain or :53
06:48 < SupaYoshi> ok
06:48 < SupaYoshi> restarted
06:48 < Poster> ok rerun netstat -an
06:48 < SupaYoshi> no dnsmasq on 53 yet
06:48 < SupaYoshi> want a netstat -an
06:48 < SupaYoshi> ok
06:48 < SupaYoshi> there we go
06:49 < SupaYoshi> http://paste.ubuntu.com/7824533/
06:49 < SupaYoshi> oh wait think it is listening now.
06:49 < Poster> ok much better
06:49 < Poster> yep it's where it needs to be
06:50 < Poster> try: ping www.google.nl
06:50 < SupaYoshi> bad addresss
06:50 < SupaYoshi> nslookup www.google.nl 127.0.0.1
06:50 < SupaYoshi> ?
06:50 < Poster> yep
06:50 < SupaYoshi> same as before.
06:50 < SupaYoshi> NAme or service not known.
06:50 < Poster> can you paste the contents of /var/etc/dnsmasq ?
06:50 < SupaYoshi> these dns settings i added are in /etc/config/network.
06:51 < SupaYoshi> okay, let me get yu that :)
06:51 < SupaYoshi> http://paste.ubuntu.com/7824545/
06:51 < SupaYoshi> this
06:52 < Poster> hang on something is missing from that configuration file
06:52 < SupaYoshi> ok
06:53 < Poster> ok in /var/etc/dnsmasq add the line:
06:53 < Poster> resolv-file=/var/etc/resolv.conf.auto
06:53 < Poster> I'm guessing on the path, point it to wherever resolv.conf.auto lives
06:56 < SupaYoshi> ok
06:56 < Poster> once added, restart dnsmasq, wait a couple seconds then retry: ping www.google.nl
06:57 < SupaYoshi> i can now ping google.nl
06:57 < SupaYoshi> :D
06:57 < SupaYoshi> from the router
06:57 < Poster> ok, try to ping www.google.nl from behind the OpenWRT router
06:57 < SupaYoshi> laptop tooo!
06:57 < SupaYoshi> :D
06:57 < SupaYoshi> OMG
06:57 < SupaYoshi> ya did it!
06:57 < SupaYoshi> Yu are amaaaazzingggg
06:57 < SupaYoshi> :3
06:57 < Poster> ok reboot OpenWRT to make sure it sticks
06:58 < SupaYoshi> rebooting
06:58 < SupaYoshi> :D
06:59 < SupaYoshi> yep still works
06:59 < SupaYoshi> reboot vps now? :D
06:59 < Poster> ok on your VPS let's backup /etc/ufw/before.rules
06:59 < Poster> so sudo cp -p /etc/ufw/before.rules /etc/ufw/before.rules.bak
06:59 < Poster> then reboot your VPS
07:00 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
07:00 < SupaYoshi> rebooting
07:00 < SupaYoshi> :D
07:01 < SupaYoshi> yep still works!
07:01 < Poster> ok great
07:01 < SupaYoshi> I just had to reconnect openvpn
07:01 < SupaYoshi> :)
07:01 < SupaYoshi> on the client.
07:01 < Poster> yeah that'll happen
07:01 < SupaYoshi> cus it timed out
07:01 < SupaYoshi> :D
07:02 -!- MaliusArth [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
07:02 < SupaYoshi> Okay wowww
07:02 < SupaYoshi> Sooo
07:02 < SupaYoshi> im done? :D
07:02 < SupaYoshi> omg.
07:03 < Poster> I think so yeah
07:03 < SupaYoshi> lemme reboot server one more time
07:03 < SupaYoshi> :D
07:03 < SupaYoshi> so
07:04 < SupaYoshi> what if the server is rebooted?
07:04 < SupaYoshi> does the router always have to be rebooted?
07:04 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
07:04 -!- mode/#openvpn [+o novaflash] by ChanServ
07:04 < Poster> if you flip the transport to TCP it will recover a bit faster from reboots, but it will have more overhead for normal usage
07:05 < SupaYoshi> How long does autoreconnect take yu think?
07:05 < SupaYoshi> with UDP
07:06 < Poster> I am not compelely sure, the challenge with UDP is that it's stateless, so we're dependent on the OpenVPN daemon to recognize that something is wrong with things being out of sequence, presumably after a handful of packets
07:06 < Poster> with TCP, being stateful, the client would be mid session and the server wouldn't have any of it in the connection table, so the 1st frame from the client to the server, the server would send a TCP reset and cause OpenVPN to restart the link
07:07 < Poster> it's really a personal preference, your VPS is probably fairly stable and you may favor slightly improved performance with UDP over faster recovery with TCP
07:07 < SupaYoshi> ah
07:07 < SupaYoshi> I just rebooted the vps
07:08 < SupaYoshi> and the openwrt router auto recovered.
07:08 < SupaYoshi> after a minute
07:08 < Poster> yeah it will
07:08 < Poster> just takes a little longer with UDP from what I understand
07:08 < SupaYoshi> :P ah np
07:08 < SupaYoshi> the connection speed is 2mbits anyway
07:08 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:12 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Ping timeout: 240 seconds]
07:23 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 250 seconds]
07:25 -!- Pyrogerg [~Gregory@71-222-145-148.albq.qwest.net] has quit [Read error: Connection reset by peer]
07:26 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
07:39 < SupaYoshi> Hey Poster
07:39 < SupaYoshi> pm
07:44 < Cysioland> Poster, what is the progress of you reviewing my firewall configs?
07:46 < Poster> Cysioland: admittedly, I am a bit lost, I know OpenWRT has their methods, it's just difficult for me to follow
07:47 < Poster> only quick hit I can think to check, which I am pretty sure is already enabled is ip forwarding
07:47 < Poster> cat /proc/sys/net/ipv4/ip_forward
07:47 < Poster> should return "1"
07:47 < Cysioland> Poster, yup, returns 1
07:48 -!- u0m3_ is now known as u0m3
07:48 < Poster> can you backup your OpenWRT configuration then delete all the firewall rules?
07:49 < Cysioland> Poster, I'll turn firewall off for a moment, as they say.
07:52 < Poster> ok I can talk you though the command line method, though it will not be preserved across a device restart
07:52 < Cysioland> Poster, disabling firewall didn't solve problem.
07:53 < Cysioland> Poster, what that method will do?
07:53 < Poster> ok on openwrt, can you please type and paste output of:
07:53 < Poster> ifconfig ; route -n
07:54 < Cysioland> Poster, when being vpn'd, or not?
07:54 < Poster> either way, the VPN portion isn't really applicable yet
07:57 < Cysioland> Poster, https://gist.github.com/Cysioland/c447b91200bbcfd3b5dc
07:57 <@vpnHelper> Title: gist:c447b91200bbcfd3b5dc (at gist.github.com)
07:57 < Poster> Cysioland: ok on OpenWRT type this:
07:59 < Poster> iptables -P INPUT ACCEPT ; iptables -P OUTPUT ACCEPT ; iptables -P FORWARD ACCEPT ; iptables -t nat -P POSTROUTING ACCEPT ; iptables -t nat -P PREROUTING ACCEPT ; iptables -t nat -P OUTPUT ACCEPT
07:59 < Poster> then type
07:59 < Poster> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
07:59 < Cysioland> Poster, will it be preserved after reboot?
08:00 < Poster> not likely
08:00 < Cysioland> Poster, good
08:00 < Cysioland> I don't want to factory reset
08:00 < Poster> nah we're just manipulating iptables rules directly
08:01 < Poster> actually there's more :|
08:01 < Poster> iptables -X ; iptables -t nat -X
08:01 < Cysioland> Poster, after last one: iptables: Too many links.
08:01 < Cysioland> iptables: Too many links
08:01 < Poster> ok I might have that one wrong
08:02 -!- SupaYoshii [~SupaYoshi@81.4.110.165] has joined #openvpn
08:02 < Poster> iptables -X may be all we need
08:02 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
08:02 < Poster> anyway, with all of those, now try to ping 8.8.8.8 from your PC behind OpenWRT
08:02 < Cysioland> Poster, with openwrt?
08:02 < Cysioland> And iptables -X returns Too many links
08:02 < Cysioland> Poster, with VPN?
08:02 < Poster> just LAN for now
08:03 < Cysioland> Poster, works smoothly, as before
08:03 < Poster> your PC behidn OpenWRT could access the Internet prior to everything we just did?
08:03 < Cysioland> Poster, yup
08:03 < Poster> :|
08:03 < Cysioland> I'm writing from it, so, yes
08:03 < Poster> ok kick up your android and connect OpenVPN
08:03 < Cysioland> Without VPN
08:05 < Cysioland> Poster, still can't ping lan. Maybe I should try vpning pc?
08:06 < Poster> hang on
08:06 < Poster> can you ping 10.8.0.2 from OpenWRT?
08:07 < Cysioland> Poster, when VPN client is attached>
08:07 < Cysioland> ?
08:07 < Poster> yes
08:08 < Cysioland> Poster, from wrt I can't ping 10.8.0.2 and 10.8.0.6 (IP that my Android received)
08:08 < Poster> :(
08:08 < Poster> can the Android ping 8.8.8.8 ?
08:08 < Cysioland> Poster, while vpn'd?
08:09 < Poster> yes
08:09 < Cysioland> Poster, nope.
08:10 < Cysioland> Poster, it triggers reconnect in vpn app, while reconection it can. When reconnect gets successful, ping goes mute
08:10 < Poster> :(
08:10 < Poster> ok I am not really sure what you have going on there, the ruleset is at a bare minimum
08:11 < Cysioland> Poster, lan ping is android's problem ,since pc can do it while vpn'd
08:11 < Cysioland> I'll try accessing the net from pc while vpn'd
08:14 < Cysioland> Poster, with pc the same. So it's nor firewall problem, am i right?
08:16 < Poster> so you have your PC using OpenVPN, connected to OpenWRT device and you cannot ping 10.8.0.1 from PC ?
08:17 < Cysioland> Poster, nope. When I connect my PC directly, everything is fine. When I connect my Android via OpenWRT, I can't ping anything. When I connect my PC tethered to 3g and with OpenVPN, I can ping 10.8.0.1, I can even SSH to it, but I can't access internet.
08:17 < Poster> ok and this is true even after our manual modifications?
08:18 < Cysioland> Poster, yup, freshly check'd
08:19 < Poster> What OS is your PC?
08:19 < Cysioland> Poster, Linux Mint 16, based on Ubuntu 13.10
08:19 < Poster> ok great, on your PC, please type and paste the output of:
08:19 < Poster> route -n
08:19 < Cysioland> Poster, after being vpn'd?
08:20 < Poster> yes
08:20 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds]
08:21 -!- mattock is now known as mattock_afk
08:24 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
08:24 -!- mode/#openvpn [+v hazardous] by ChanServ
08:25 < Cysioland> Poster, https://gist.github.com/Cysioland/788a8beb85e78100602c
08:25 <@vpnHelper> Title: gist:788a8beb85e78100602c (at gist.github.com)
08:25 < Poster> ok that all looks right, you can ping 10.8.0.9 from your PC correct?
08:26 < Cysioland> Poster, 10.8.0.9 IS my pc
08:26 < Cysioland> Router is 10.8.0.1
08:26 < Cysioland> And I can ping and ssh it
08:26 < Poster> oh, something is wrong then
08:26 < Poster> your default gateway is your local interface
08:26 < Poster> with the VPN up, type this
08:26 < Poster> sudo route delete default ; sudo route add default gw 10.8.0.1
08:27 < Cysioland> Poster, will it be reset after reconnecting to wire?
08:27 < Poster> I think so yeah
08:27 < Poster> tun0 will go away
08:29 -!- Kuba [newc3917@unaffiliated/kuba] has quit [Ping timeout: 240 seconds]
08:30 < Cysioland> Poster, it doesn,t work, I get SIOCADDRT: Sieć jest niedostępna
08:30 -!- Kuba [newc3917@unaffiliated/kuba] has joined #openvpn
08:30 < Cysioland> „Sieć jest niedostępna” means „Network is unavailable”
08:30 < Poster> yikes ok, go ahead and drop the VPN link, can you past the output of your openvpn configuration on the OpenWRT device?
08:32 < Cysioland> Poster, https://gist.github.com/Cysioland/900e41d2ae1a80d22155
08:32 <@vpnHelper> Title: gist:900e41d2ae1a80d22155 (at gist.github.com)
08:32 < Cysioland> Oh
08:32 < Cysioland> I have a blink
08:32 < Cysioland> What, if instead of def1 there should be eth1 or sth?
08:33 < Cysioland> Or maybe not
08:37 < Poster> I think the def1 is correct
08:37 < Poster> something is wrong I just don't know what
08:40 < Poster> in your openvpn configuration file, can you add: option topology 'net30'
08:40 < Poster> restart the OpenVPN daemon, reconnect your PC and try to ping the Internet again
08:43 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
08:45 < Cysioland> Poster, still not
08:46 < Poster> ok can you ping 8.8.4.4 from PC?
08:46 < Cysioland> Poster, when VPN'd? If so, I tested with 8.8.8.8
08:46 < Poster> yes with VPN on
08:46 < Poster> also try 192.168.0.1
08:50 < Cysioland> Poster, results: 8.8.8.8 — nope, 8.8.4.4 — nope, 192.168.0.1 — hell yea, 192.168.0.1:80 — going into my openwrt web interface.
08:51 < Poster> ok on OpenWRT, please type and paste output of
08:51 < Poster> iptables -L -n ; iptables -t nat -L -n
08:51 < Cysioland> Poster, while vpn
08:51 < Cysioland> ?
08:51 < Poster> doesn't matter
08:51 -!- SupaYoshii [~SupaYoshi@81.4.110.165] has quit [Ping timeout: 256 seconds]
08:52 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
08:53 < Cysioland> Poster, https://gist.github.com/f6e73f8c8b7faf0ab957
08:53 <@vpnHelper> Title: output.txt (at gist.github.com)
08:53 < Poster> wow, I missed something quite important :|
08:53 < Poster> on the OpenWRT system, please type:
08:54 < Poster> iptables -F
08:54 < Poster> then retry pinging to 8.8.8.8 while VPN is up
08:57 < Cysioland> Poster, still nothing
08:57 < Poster> ok on OpenWRT; also type:
08:57 < Poster> iptables -X
08:57 < Poster> with VPN up on PC try pinging 8.8.8.8
09:00 < Cysioland> Poster, still nothing
09:00 < Poster> but pinging to 192.168.0.1 is ok?
09:01 < Cysioland> Poster, I need to check
09:02 -!- abrkn [~abrkn@176-9-206-176.cinfuserver.com] has left #openvpn []
09:03 < Cysioland> Poster, yes, it works
09:05 < Poster> ok on OpenWRT, please execute and paste output of:
09:05 < Poster> iptables -L -n ; iptables -t nat -L -n
09:05 < Poster> with or without VPN
09:06 < Cysioland> Poster, https://gist.github.com/4fb424066cb6c9e58a81
09:06 <@vpnHelper> Title: output.txt (at gist.github.com)
09:06 < Poster> ok I apparently can't get those tables cleared
09:06 < Poster> are you sure you're typing this into OpenWRT?
09:06 < Poster> iptables -F ; iptables -X
09:06 < Cysioland> Poster, yes, iptables commands don't work on my pc
09:07 < Poster> does the above return any errors?
09:07 < Cysioland> Poster, no
09:08 < Poster> so after iptables -F ; iptables -X; when you run iptables -L -n you still get many lines of output?
09:09 < Cysioland> Poster, apparently not, Empty
09:09 < Cysioland> Just few lines
09:09 < Poster> ok, please connect VPN and try to ping 8.8.8.8 again
09:11 < Cysioland> Poster, still doesn't work
09:12 < Poster> ok, on OpenWRT, type:
09:12 < Poster> iptables -t nat -F ; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
09:12 < Poster> then retry via VPN to ping 8.8.8.8
09:13 < Cysioland> Poster, still doesn't work
09:14 < Poster> from the VPN client, can you ping the public IP address of your OpenWRT system?
09:14 < Cysioland> Poster, yup
09:15 < Poster> ok and when you type: ifconfig on your OpenWRT system, eth1 is the interface that has your public IP, correct?
09:15 < Cysioland> Poster, yup
09:16 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:16 < Poster> ok let's try this, on OpenWRT type: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
09:16 -!- Pyrogerg [~Gregory@67-0-255-101.albq.qwest.net] has joined #openvpn
09:16 < Poster> and retry pinging 8.8.8.8
09:19 < Cysioland> Poster, still fails
09:20 < Poster> ok I am not sure what else to suggest, without tcpdump I can only guess as to what's happening or not happening
09:20 < Poster> we should be applying MASQUERADE on eth1 prior to being send out on the Internet but it apparently is not
09:20 < Poster> you can ping 8.8.8.8 from OpenWRT itself, correct?
09:21 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:21 < Cysioland> Poster, yup
09:21 < Poster> ok, I can't think of anything else to try, sorry
09:27 < Cysioland> Poster, then I rebooted my router, because it started misbehaving
09:27 < Poster> yeah that should set it back to what you had
09:28 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
09:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
09:34 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:34 -!- mode/#openvpn [+v s7r] by ChanServ
09:34 < Cysioland> Greeeeeeat, openwrt package server is down :(
10:03 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
10:54 -!- dypsilon [~dypsilon@e180067059.adsl.alicedsl.de] has joined #openvpn
10:54 < dypsilon> Hi everyone, do I have to pay for each client if I host OpenVPN myself?
10:56 < pekster> No. But you do with "Access Server" which is a non-GPL frontend based on OpenVPN; AS is subject to an EULA and licensing scheme. See: !as for details on that commercial product
10:56 < pekster> OpenVPN 2.x is a GPLv2 project and you're free to use it as such without any direct costs
10:57 < dypsilon> pekster, where do I get information only about the GPL version?
10:57 < dypsilon> !welcome
10:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:58 < pekster> See: !howto for getting started, and !download for binary (and source) downloads
10:58 < dypsilon> pekster, thank you
10:58 < dypsilon> !howto
10:58 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
11:00 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
11:03 < dypsilon> One more quick question: I want to use OpenVPN to protect a development server. It's a server which has several applications installed and exposes them through ports. Also it's not possible to configure authentication for each of those apps. Is it a good way to protect this server using a vpn so that each developer has to log in to the private network and use the applications that way?
11:05 < pekster> That's a common use-case, yes. When you can't secure the traffic itself (such as with TLS security) you can use a VPN to provide the security layer. You can even have it log who connected, using what IPs, at what times if you need fancy auditing
11:06 < dypsilon> That's sounds fantastic.
11:07 < dypsilon> When I'm connected to such a server, do I have to go through the VPN tunnel to visit other websites or is it configurable either?
11:08 < dypsilon> So that I only go through VPN wenn talking to this one server and otherwise through my normal internet connection.
11:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:09 < pekster> By default openvpn will not route any traffic over the VPN other than your VPN network range
11:09 < dypsilon> Great, exactly what I'm looking for.
11:10 < pekster> If the VPN server will run on this host you're trying to secure, you can have the VPN clients use the VPN IP of the server
11:10 < pekster> You'll run into problems if you run the VPN there and also want VPN client traffic to the same IP the VPN is listening on (that gets a bit complex and requires some policy routing)
11:10 < pekster> Is that what you plan to do, or will another system run the VPN server?
11:11 < dypsilon> I'm planning to run the VPN server on the same machine, yes.
11:12 < pekster> So, let's say this box runs on 10.20.30.101. If a VPN client connects to it using the example VPN network of 10.8.0.0/24, traffic the VPN client sends to 10.8.0.1 (VPN IP of your server) would be protected. Traffic to 10.20.30.101 would _not_ (without OS-dependent setup)
11:13 < pekster> You can work around that several ways: 1) run the VPN server on a secondary IP, and push a route to the "primary" IP your users expect to reach it on. By pushing a route over a connection the VPN traffic isn't using, it'll work
11:13 < pekster> 2) policy routing on your server. This is OS-specific and a somewhat-advanced setup
11:14 < pekster> 3) run the VPN server on a different system (presumably on the same network as your dev server), secure traffic to the VPN server, and then (insecurely) deliver it to the target system
11:14 < pekster> #1 is probably the least work, and gives you end-to-end security
11:15 < pekster> Oh, #2 is actually worse than I described; it's the client that would need policy routing (so best to avoid that one ;)
11:16 < dypsilon> Hm, do you mean that 10.20.30.101 and 10.8.0.1 is the same machine?
11:16 < pekster> Yup
11:17 < pekster> OpenVPN provides "another" virtual network
11:17 < dypsilon> Why is it a problem that the traffic between 10.20.30.101 and 10.8.0.1 is not protected?
11:17 < dypsilon> Since it's the same machine...
11:17 < pekster> It is, but you cann't just tell openvpn to route all traffic to 10.20.30.101 over the VPN, because that would incorrectly include the VPN traffic tiself
11:18 < pekster> You can't send the secured VPN transport packets over the VPN (becuae they would need to go over the VPN -- see the chicken/egg problem?)
11:19 < pekster> You _can_ set up complex policy routing on _all_ of your clients (for _each_ VPN connection) where they route the VPN traffic to the host directly, and all other traffic over the VPN, but that's really messy, and doesn't work at all on eg: Windows clients
11:19 < pekster> This is why I'm basically telling you it's a horrible choice ;)
11:19 < pekster> #1 is easy; add a 2nd IP to your server you use just for the VPN, and then have the openvpn server push a route to the dev box's primary IP (10.20.30.101 in this example.) Then it all works
11:21 < pekster> dypsilon: Hmm, one more question for you as I'm thinking this through; your VPN clients won't connect from the same actual network as this dev box, correct?
11:21 < dypsilon> Thats a very good advice, thank you again.
11:21 < dypsilon> pekster, now, they are connecting from all over the country.
11:21 < dypsilon> *no
11:22 < pekster> Perfect. The setup I proposed w/ the 2nd IP and pushing a route (see !route and --route in the manapge) works so long as a VPN client is never on the local network as the dev host
11:22 < pekster> Hopefully you don't need encryption there :P
11:23 < dypsilon> Inside the machine I don't, no :) but outside I have to encrypt the connection.
11:24 < pekster> Yup, should be easy enough to take care of then
11:24 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 255 seconds]
11:24 -!- nullsign [~nullsign@daedalus.nullsign.com] has joined #openvpn
11:25 < dypsilon> I have to see how the vpn connection is established exactly but I would naively suppose that I would have to open one port on 10.20.30.101 which should be used only for vpn connections and close everything else from the outside but open to the vpn network. Wouldn't work? ... say with iptables rules.
11:25 < nullsign> how do you get the fastest speed possible with openvpn? my 50 Mbps connection slows to about 15 Mbps when going thru my openvpn, using the AES cipher, comp-lzo..
11:26 < pekster> dypsilon: Right, but remember you need a secondary IP if any clients can "normally" reach 10.20.30.101 without a VPN
11:26 < nullsign> also, net.inet.ip.fastforwarding = 1 didn't seem to do much
11:26 < pekster> So, run the VPN on 10.20.30.102 (2nd IP on same machine) and open the VPN port for that, traditionally udp/1194 unless you change it
11:26 < dypsilon> pekster, 10.20.30.101 should be reachable only inside the VPN network.
11:27 < pekster> dypsilon: Then how do you make the VPN connection :P
11:27 < dypsilon> pekster, through this one port.
11:27 < pekster> Can't do that
11:27 < dypsilon> Which is open, and others are closed.
11:27 < pekster> Then the client "can" reach that IP not over the VPN
11:27 < pekster> No, that's where policy routing hell comes in; avoid that
11:27 < pekster> Put a 2nd IP to avoid this nastyness
11:27 < dypsilon> hm
11:28 < dypsilon> ok, I see
11:28 < dypsilon> pekster, thanks for your wisdom
11:28 < pekster> Your clients _can_ reach 10.20.30.101, apparently, or you wouldn't be running a service there
11:28 < pekster> If you add a route to it, "nothing" happens -- your VPN clients just get an "extra" interface/IP using 10.8.0.0/24 (the doc's example network -- you're free to change it.)
11:28 < pekster> As much as you'd like to, you cannot just say "hey VPN client, send everything to 10.20.30.101 down the VPN pipe" as that breaks your VPN
11:29 < pekster> The fix: run your VPN server on 10.20.30.102, have clients connect to _that_, and in your VPN server config push a route for 10.20.30.101/32
11:29 < pekster> Now all traffic to 10.20.30.101 is secure so long as the VPN is up
11:29 < pekster> (Use firewall rules to prevent traffic getting accepted if the VPN is down, if that's importnat)
11:30 < pekster> nullsign: Need to figure out where the speed bottleneck is. See:
11:30 < pekster> !speed
11:30 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
11:30 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
11:30 < nullsign> only thing i havent tried is larger mtu..
11:30 < nullsign> ill do that next.
11:30 < dypsilon> pekster, in this case I would need to buy another public IP right? Do I understand you correctly?
11:31 < pekster> nullsign: There's also !gigabit which discusses some > 100 Mbps links, but at your reported speeds something else is likely the bottleneck before MTU. At least I'd guess so.
11:31 < pekster> dypsilon: Ah, the server is on a public IP? Yes, you'd need 2 of them. Alternatively you'd need your VPN clients to stop reaching the "real" IP of this box and you could have them use 10.8.0.1 (the VPN-provided RFC1918 IP) and that would be secure
11:32 < pekster> But if they "accidently" connected to the actual IP, it wouldn't be secured
11:32 < pekster> (again, you could firewall it on the server. That doesn't stop connection attempts, just stops the server from ever replying to them)
11:32 < pekster> You could put 10.8.0.1 into public DNS as dev.yourhost.yourcompany.com
11:33 < nullsign> actually. it was mtu size.
11:33 < nullsign> mtu size = 6000 and i get 76 Mbps
11:33 < nullsign> faster then fios w/o the vpn..
11:33 < nullsign> neat.
11:33 < nullsign> than/
11:36 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
11:43 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
11:56 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:20 -!- Tim-RoninDesign [~Myrddin@68.171.218.176] has joined #openvpn
12:20 < Tim-RoninDesign> !welcome
12:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:20 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:20 < Tim-RoninDesign> !goal
12:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:23 < Tim-RoninDesign> Hello, my goal is: "creation of vpn where clients can connect to the internet through the vpn gateway server: clients -> vpn-gateway (a remote computer/network) -> internet"
12:24 < pekster> Tim-RoninDesign: First you need a working VPN setup (ie: you can ping your internal VPN IP of the server.) See: !howto. Then you need to follow the info/flowchart at: !redirect
12:24 < Tim-RoninDesign> For two different computers (clients) on same network, I have working vpn connection to internet (i.e. different IP shows correctly when using vpn)
12:24 -!- Latrina [~Latrina@ppp-53-38.26-151.libero.it] has quit [Ping timeout: 245 seconds]
12:24 < Tim-RoninDesign> I can ping the gateway (10.8.0.1) from both clients
12:25 < Tim-RoninDesign> but I can only ping ONE of the clients from the sever
12:25 < Tim-RoninDesign> *server
12:25 < Tim-RoninDesign> this client is running windows 8.1 which I'm guessing there is some issue with a firewall or other configuration, but I'm not really sure how to troubleshoot
12:26 < Tim-RoninDesign> I can ping this computer from other computers on the local network using the local IP
12:26 < Tim-RoninDesign> 192.168.2.X
12:27 < Tim-RoninDesign> I can even ping from Win8.1 -> VPN -> Win7
12:27 < Tim-RoninDesign> I've tried using identical configurations (ovpn), so I'm fairly certain it's the computer configuration itself
12:28 < pekster> Yup, see the "it's usually your firewall" part of our /TOPIC ;)
12:28 < Tim-RoninDesign> hehe yep, I figured, but I'm not really sure what else to check
12:28 < pekster> You don't really need to ping the client if you just want to route Internet access over the VPN
12:28 < Tim-RoninDesign> I have the firewall entirely disabled
12:28 < Tim-RoninDesign> Yes, but I would like bi-directional access
12:28 < Tim-RoninDesign> out and in to the client
12:28 < pekster> A/V sometimes comes with a firewall, and beware Windows defines multiple "zones" these-days for your firewall setup
12:29 < Tim-RoninDesign> Yeah, I have windows firewall off everywhere I could find it
12:29 < pekster> If you can ping from the client to thte 10.8.0.1 IP, you know the client is receiving traffic it "chooses to" because the reply comes back ;)
12:29 < Tim-RoninDesign> I also do not have any A/V installed...
12:29 < Tim-RoninDesign> Yep, I can ping the gateway successfully
12:29 < pekster> Just double-check you're using the right client-assigned IP
12:29 < Tim-RoninDesign> definitely feels like a FW issues (or maybe routing?) but having trouble locating it...
12:30 < pekster> Won't be routing unless 10.8.0.0/24 is in use elsewhere on your network (witih a tighter netmask)
12:30 < Tim-RoninDesign> hmm, how do you mean?
12:30 < Tim-RoninDesign> is this an openvpn sever config?
12:30 < Tim-RoninDesign> or client / routing?
12:30 < pekster> Routing on either end
12:30 < pekster> You should not overlap networks; if you had a link-local 10.8.0.0/25 for instance, that would cause all sorts of issues
12:31 < Tim-RoninDesign> yeah, I have vpn server set for 10.8.0.0/24
12:31 < pekster> I'd try tcpdumping the client-side tun device
12:31 < Tim-RoninDesign> and on local I have pushed route 10.8.0.0 255.255.255.0 etc
12:31 < Tim-RoninDesign> ah kk
12:31 < Tim-RoninDesign> I'll try this
12:31 < pekster> (or wireshark I suppose since Windows has no "standard" package for that last I checked)
12:32 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
12:32 < Tim-RoninDesign> bah, always end up at wireshark! Haha, would this still register the ping attempt?
12:32 < pekster> I _think_ you still see packets that come in even if it blocks them, but I'm not actually 100% sure. You should be able to dump the VPN transit traffic on 1194 though
12:32 < Tim-RoninDesign> even if it's getting blocked / response-denied
12:32 < Tim-RoninDesign> ^^
12:32 < Tim-RoninDesign> hahaha
12:32 < pekster> Just be careful not to count the keepalive traffic
12:32 < Tim-RoninDesign> got it, kk
12:33 < Tim-RoninDesign> I shall try, thanks for the suggestion, was really stuck reviewing forums, but "oh no can't ping" was a common symptom for lots of issues
12:33 -!- Cysioland [Cysioland@Wikimedia/Cysioland] has left #openvpn ["Leaving"]
12:35 < pekster> In this case, it's a 99.5% chance is a firewall somewhere (and I'm happy to blame Windows ;)
12:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:52 -!- mode/#openvpn [+v s7r] by ChanServ
12:53 <+s7r> if anyone can help -> https://forums.openvpn.net/post43037.html
12:53 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN gets disconnected if no or small activity : Configuration (at forums.openvpn.net)
12:53 <@plaisthos> !git
12:53 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
12:54 <@plaisthos> pekster: !git here and in #o-dev are diffrent ...
12:55 < pekster> Yea, I think that the bot there will show the #openvpn version unless it's been applied as something else there
12:55 < pekster> I don't know; I just (ab)use the bot, not run it ;)
12:57 <@plaisthos> :)
12:57 <@plaisthos> krzee: you are running the bot, right?
12:57 < pekster> That's ecrist I think
13:01  * Eugene abuses pekster
13:09 < Tim-RoninDesign> ok, so I'm seeing the ICMP echo (pign) request coming from my server IP (not vpn ip)
13:10 < Tim-RoninDesign> so maybe it's trying to respond, but packets are getting routed incorrectly?
13:15 < Tim-RoninDesign> Or not... when I compare ping communication to internal network (over the local router/network, 192.168.2.0/24) I see my Win8.1 replying instantly. So something is definitely just disallowing ping reply...
13:15 < pekster> You're trying to ping 10.8.0.<something> right?
13:15 < pekster> That should alwayas go over the VPN
13:15 < pekster> If not you have something very fundamental messed up about your routing setup
13:15 < Tim-RoninDesign> yep
13:15 < Tim-RoninDesign> tested both over VPN and not VPN
13:16 < Tim-RoninDesign> 10.8.0.0/24 traffic always goes over vpn
13:16 < Tim-RoninDesign> (as per routing table)
13:16 < Tim-RoninDesign> but in wireshark
13:16 < Tim-RoninDesign> my computer doesn't even attempt to reply to the ping
13:16 < Tim-RoninDesign> I just see requests come in and nothing
13:17 < Tim-RoninDesign> does the TAP interface need to be configured to respond to ping? :X
13:17 < Tim-RoninDesign> lol
13:18 < pekster> Don't use tap
13:18 < pekster> !tunortap
13:18 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
13:18 <@vpnHelper> rooted/jailbroken) support only tun
13:18 < Tim-RoninDesign> well everything is configured as "tun", but it's called a TAP interface in windows...
13:18 < pekster> Oh, okay
13:18 < pekster> It's still tun, but windows "pretends" it's an Ethernet device since it's got limited brain-power ;)
13:18 < Tim-RoninDesign> "Tap-Windows Adapter V9"
13:18 < Tim-RoninDesign> XD
13:18 < Tim-RoninDesign> yeah figured
13:19 < pekster> No special config needed. If wireshark shows the ICMP echo-request on the device on the client-side, the request is making it to your OS
13:19 < pekster> What it does with it is entierly up to it
13:21 < Tim-RoninDesign> Hmm, is it bad that wireshark is showing my VPN gateway as the "source" interface?
13:22 < Tim-RoninDesign> shouldn't it be the VPN IP of the pinging device....
13:22 < pekster> Did you incorrectly NAT things you shouldn't have?
13:22 < pekster> You should be doing NAT on internal networks you control
13:22 < pekster> shouldn't*
13:23 -!- Pyrogerg [~Gregory@67-0-255-101.albq.qwest.net] has quit [Ping timeout: 240 seconds]
13:23 < Tim-RoninDesign> instead of showing 10.8.0.<Win7> -> 10.8.0.<Win8> it shows: X.X.X.<remote-server-public-IP> -> 10.8.0.<Win8>
13:24 < Tim-RoninDesign> where "remote-server-public-IP" is NOT the vpn gateway address, but the actual IP (same as used for the client when contecting, etc)
13:24 < pekster> The remote server is the one runnign openvpn?
13:24 < Tim-RoninDesign> Yes
13:25 -!- Pyrogerg [~Gregory@97-123-19-205.albq.qwest.net] has joined #openvpn
13:25 < pekster> And it's pinging 10.8.0.<clientIP> ? That should go over the VPN. Did you confirm the routing table there?
13:25 < Tim-RoninDesign> I don't believe I'm doing any local NAT, there is a local router @ 192.168.2.1, but as far as I know I'm not running any routing / nat through it
13:25 < pekster> Maybe you forgot to add --client-to-client (which is a "helper-directive" that further-expands the --server "helper-directive" by pushing the VPN netwnork as a supernet)
13:25 < pekster> You can avoid all of this hassle by using the subnet topology too, which is recommended anyway: see: !topology
13:25 < Tim-RoninDesign> I definitely don't have client-to-client
13:26 < pekster> Oh, the server should still have the /24 though
13:26 < Tim-RoninDesign> ah yeah, I kept seeing that popping up, but wanted to confirm interconnectivity before branching out....
13:26 < pekster> That's only needed for clientA to reach clientB over the VPN. Still, check your server-side routing tables
13:26 < pekster> The VPN server should never be sending traffic to the VPN range over its physical link
13:26 < Tim-RoninDesign> well, I can ping from 10.8.0.<Win8> -> 10.8.0.<Win7>
13:26 < Tim-RoninDesign> just not the other way
13:27 < Tim-RoninDesign> hmm, ok where on the server would I be looking for this routing? just iptables?
13:27 < Tim-RoninDesign> only think I have there is the SNAT
13:27 < pekster> Do not NAT RFC1918 you control
13:28 < pekster> Incorrectly applied (or overly broad) SNAT would indeed screw this up
13:28 < Tim-RoninDesign> bah, I tried to very particularly set it up :(
13:28 < Tim-RoninDesign> I think I used: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to x.x.x.x
13:28 < pekster> Don't do that
13:28 < Tim-RoninDesign> where x's was physical / public-IP
13:28 < pekster> Remove that completely unless you're trying to provide Internet-access over the VPN
13:28 < Tim-RoninDesign> Yes I am
13:28 < pekster> Then fix your lack of specificity on the egress
13:29 < Tim-RoninDesign> ah, do I need individual records per client?
13:29 < pekster> Use of SNAT should almost always use -o
13:29 < Tim-RoninDesign> this would make sense, I wasn't sure how this was being handled
13:29 < pekster> Same as use of DNAT should always use either -d or -i (and frequently both)
13:29 < pekster> This is why the IP is bogus ;)
13:30 < Tim-RoninDesign> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <VPN-public-IP>
13:30 < Tim-RoninDesign> that was the excat cmd I used
13:30 < Tim-RoninDesign> *exact
13:30 < pekster> You did not follow my advice
13:31 < pekster> 13:29:22 < pekster> Use of SNAT should almost always use -o
13:31 < Tim-RoninDesign> along with: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0:3 -j MASQUERADE
13:31 < Tim-RoninDesign> yes, I mean previously
13:31 < Tim-RoninDesign> I haven't tried again
13:31 < pekster> Also, "iptables commands" are best avoided: apply _rulesets_, not muck with interactive commands. Ask #Netfilter if you want to know more about doing it right
13:31 < Tim-RoninDesign> just wanted to post exactly what I used before, so there was no confusion
13:31 < pekster> iptables-restore(8) is how you apply rulesets. `iptables` on the CLI is for interactive-testing-only
13:32 < pekster> And yes, what you did before is the cause of your IP getting mangled
13:33 < Tim-RoninDesign> bah, strange that it worked for Win7 but not Win8 :/
13:33 < Tim-RoninDesign> I did not realize this! I will figure out how to do correctly
13:34 < Tim-RoninDesign> almost all the tutorials I found had iptables, but I guess they were from last year... so maybe old
13:39 < pekster> No, they're just wrong/stupid
13:40 < pekster> Lots of crappy examples on line, becuase the masses are like lemmings that just copy what the stupid blog before them did
13:40 < pekster> I have some well-commented templates on doing Netfilter properly: https://github.com/QueuingKoala/netfilter-samples
13:40 <@vpnHelper> Title: QueuingKoala/netfilter-samples · GitHub (at github.com)
13:40 < Tim-RoninDesign> Agreed, the other methods seemed to make more sense, but it was hard finding any tutorials / user experience with them and so was a bit worred about support since I'm new to most of this
13:40 < Tim-RoninDesign> ^^ Hahaha exactly
13:41 < Tim-RoninDesign> Fantastic, thank you very much
13:41 < pekster> Yup. And as I noted earlier, #Netfilter is a great place to laern if you're committed to learning to do it the right way. Plenty of smart folks there
13:42 < Tim-RoninDesign> Awesome, I'll definitely check it out. I've not much experience with networking layers, usually I'm working on a bit higher of a level. Definitely been an awesome learning experience.
13:47 < snappy> worse than just copying iptables rules is running everyones "special script that magically does everything"
13:49 -!- Tim-RoninDesign [~Myrddin@68.171.218.176] has quit [Read error: Connection reset by peer]
13:51 -!- Tim-RoninDesign [~Myrddin@c-98-203-152-123.hsd1.wa.comcast.net] has joined #openvpn
13:51 < Tim-RoninDesign> Oh joy, I removed iptables trash, and now ping over vpn works fine lol
13:52 < Tim-RoninDesign> iptables: always the bane of my existance
13:53 -!- Pyrogerg [~Gregory@97-123-19-205.albq.qwest.net] has quit [Ping timeout: 240 seconds]
13:55 -!- Pyrogerg [~Gregory@97-123-19-205.albq.qwest.net] has joined #openvpn
13:59 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 240 seconds]
14:06 -!- Pyrogerg [~Gregory@97-123-19-205.albq.qwest.net] has quit [Ping timeout: 245 seconds]
14:11 -!- Pyrogerg [~Gregory@97-123-19-205.albq.qwest.net] has joined #openvpn
14:20 -!- Pyrogerg [~Gregory@97-123-19-205.albq.qwest.net] has quit [Ping timeout: 240 seconds]
14:43 < lfx> what's an easy fix to the windows DHCP issue, when the OS will continue to use the LAN gateway DNS?
14:44 < lfx> aka dns leak
14:45 < _FBi> switch to Linux :)
14:46 < lfx> sure, it's even better on Linux when OpenVPN doesn't assign the DNS server unless you use the up/down script
14:46 < lfx> except when using network manager which is a buggy thing I wouldn't use
14:47 < _FBi> I didn't assign up/down :)
14:47 < lfx> running it from console it won't change the DNS unless you know some magic which I'd be glad to know too
14:47 < lfx> :)
14:48 < lfx> I'm referring to the resolvconf script that needs to run when connection is up
14:49 < _FBi> you're having problems giving clients IPs?
14:49 < lfx> no
14:49 < lfx> the DNS server is not assigned properly
14:51 < lfx> so far I am aware of two solutions on Windows: 1. manually assign 8.8.8.8 or whatever public DNS, 2. run a script on connection up to remove the DNS (be it DHCP or static), such as the batch provided here https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html
14:51 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com)
14:51 < lfx> but that batch is too messy
14:51 < lfx> bat runs a VBS
14:51 < lfx> I was wondering if there's an easier way, even a bat...
14:52 < lfx> the "register-dns" parameter doesn't work
14:54 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 240 seconds]
15:00 -!- s7r_d [~s7r@openvpn/user/s7r] has joined #openvpn
15:00 -!- mode/#openvpn [+v s7r_d] by ChanServ
15:02 < hays> I am a bit over my head here using OpenVPN and I was hoping to get some help. I have set up OpenVPN on a VPS per a guide in such a way that when i am connected all IP traffic is routed through the VPN.  These were all server-side config settings. Is there a way to have another client connect whereby this rerouting of traffic does not occur?
15:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
15:03 < hays> i have a server machine in a third location that i just want to bring onto the network
15:06 < pekster> lfx: Windows is brain-dead and keeps track of DNS on each interface, then someone assigns an order to try them in. You don't actually get to control the super-set of DNS servers used, only apply suggestions as to which gets used based on the DHCP-provided search-suffix
15:06 < pekster> (and the search-suffix list in windows is unhelpfully also an amalamation of each interface)
15:07 < pekster> Oh, and all register-DNS does is "trick" Windows into updating all of this "now" -- I did testing a few years ago for a Windows-based client environment, and it tends to fix itself if you leave it alone for between 0 and 15 minutes. Eventually.
15:07 < lfx> thank you. So the only fix is to remove the DHCP DNS record
15:07 < lfx> either use blank/bogus or 8.8.8.8
15:08 < pekster> Basically, yea. Or maybe another alternative would be to drop DNS across your VPN link that isn't to the one you're pushing
15:08 < pekster> But that won't work if the pre-existing DNS is link-local
15:08 < lfx> yeah, it works fine if it is 8.8.8.8 because it will go through the VPN due to new gw
15:08 < pekster> Oh, it might actually if you use the new --block-local, but only if the DNS isn't also the default-gateway
15:08 < lfx> it doesn't work if it is the LAN gw :)
15:08 < pekster> yup
15:09 < pekster> Life get more complex if you consider that client-side LAN DHCP will probably attempt to re-apply the DNS server on renewal
15:09 < lfx> I reckon DNS is the default gw in 99.9999% cases
15:09 < lfx> default DHCP settings on virtually all routers
15:09 < pekster> It's common on SOHO, unless the DHCP passes along the upstream (ISP-provided) servers to clients
15:09 < lfx> yeap
15:10 < pekster> Alternatively, just use a SOCKS-proxy on the VPN-server side
15:10 < pekster> Solves this quite nicely by encapsulating the http/https protocols completely to the far end
15:11 < pekster> That's what I do when I want to secure my browsing on the go (I'm not using any silly "VPN service" though. This is just running off a server at home to provide security when in coffee shops and hotels)
15:12 < pekster> OpenVPN + TinyProxy (on the server) and Firefox with foxyproxy plugin on the client
15:13 < pekster> If you control the LAN router, another even easier option is just feed googleDNS to your LAN
15:13 < pekster> Anything that avoids relying on Windows bi-polar behavior is good
15:22 < _FBi> heh
15:32 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Quit: ZNC - http://znc.in]
15:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
15:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Excess Flood]
15:33 -!- rudivd [~rudivd@xlexit.xs4all.nl] has joined #openvpn
15:34 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
15:34 -!- dypsilon [~dypsilon@e180067059.adsl.alicedsl.de] has quit [Quit: q]
15:38 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:54 -!- rudivd__ [~rudivd@2001:980:74d0:f000::1000] has joined #openvpn
15:54 -!- rudivd [~rudivd@xlexit.xs4all.nl] has quit [Ping timeout: 256 seconds]
16:02 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
16:10 -!- rudivd__ [~rudivd@2001:980:74d0:f000::1000] has quit [Ping timeout: 260 seconds]
16:16 -!- Envil [~meep@95.211.26.40] has quit [Ping timeout: 240 seconds]
16:19 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:10 <@ecrist> what did I do?
17:12 <@ecrist> !git
17:12 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
17:12 -!- s7r_d [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
17:13 <@ecrist> plaisthos / pekster: generally, I run the bot, but krzee has the same access (less willing to mangle the DB directly, though)
17:39 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
17:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
17:45 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:24 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:30 -!- p3rror [~mezgani@41.249.113.172] has joined #openvpn
18:37 -!- monatona123 [~dave@bas4-oshawa95-2925273147.dsl.bell.ca] has joined #openvpn
18:37 < monatona123> hi
18:38 < monatona123> can anyone help me with openvpn setup
18:40 < monatona123> i installed openvpn in ubuntu but i can't find easy-rsa folder or any certificate
18:41 < monatona123> I also installed openvpn server in windows 64bit but the problem is VPN connects successfully but no internet
18:42 < monatona123> I followed this http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
18:42 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:42 < monatona123> but still no internet but I can ping vpn server
18:44 < monatona123> yes I followed that but still no luck
18:44 < monatona123> do you think maybe I should try in windows 32bit?
18:57 -!- emperorsasu [~emperorsa@24.13.176.166] has joined #openvpn
19:03 < emperorsasu> Would really appreciate some input. looked around on google but couldn't find answers. I have <push "redirect-gateway def1"> in my server settings and internet works initially over my vpn connection but stops after a few minutes. pinging local machines gives me no problem.
19:03 < nullsign> do your routing rules change on your client?
19:04 < nullsign> do a netstat -rn on the client while it works, vs when it stops
19:04 < nullsign> are you sure it's not routing anymore, or did your resolv.conf change a few moments later, and it's just DNS thats breaking later on?
19:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
19:05 < monatona123> i have the similar issue
19:05 < monatona123> my windows openvpn connects but no internet
19:06 < emperorsasu> hmm, that got me thinking. I should probably set a specific DNS on my client. I will try that in a sec. Thanks
19:06 < monatona123> I have windows 64bit vpnserver
19:06 < nullsign> use 8.8.8.8
19:06 < monatona123> i tried that still no internet
19:06 < nullsign> do a traceroute
19:06 < monatona123> push "redirect-gateway def1"
19:06 < monatona123> push "redirect-gateway local def1"
19:07 < nullsign> look at your routing rules prior to the connection, and after
19:07 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:07 < monatona123> push "dhcp-option DNS 8.8.8.8"
19:08 < monatona123> can I paste my server conf here?
19:08 < nullsign> no
19:08 < nullsign> use pastie.org or the like
19:12 < monatona123> http://pastie.org/private/vejlwdz5rblwq3ctirxxuq
19:12 < monatona123> check my server conf
19:13 < monatona123> if you want then I can give you teamviwer so you can access my comp
19:13 < monatona123> :)
19:16 < hays> I am a bit over my head here using OpenVPN and I was hoping to get some help. I have set up OpenVPN on a VPS per a guide in such a way that when i am connected all IP traffic is routed through the VPN. These were all server-side config settings. Is there a way to have another client connect whereby this rerouting of traffic does not occur?
19:20 < hays> this is my server config http://bpaste.net/show/3yJRmcM9HgRQXh25sLse/
19:23 < hays> client: http://bpaste.net/show/HaaHPRd9mia4WyJNOvTa/
19:25 < hays> so is there a way for the client to get the IP address and then use its own gateway
19:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
19:27 < hays> this looks promising... https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
19:27 <@vpnHelper> Title: IgnoreRedirectGateway – OpenVPN Community (at community.openvpn.net)
19:28 < monatona123> is it for me?
19:28 < monatona123> can anyone help  me please
19:29 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
19:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:32 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
19:32 < hays> can i just add route-nopull?
19:36 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
19:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:40 -!- monatona123 [~dave@bas4-oshawa95-2925273147.dsl.bell.ca] has quit [Quit: -=SysReset 2.55=-]
20:00 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
20:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Connection reset by peer]
20:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:28 -!- p3rror [~mezgani@41.249.113.172] has quit [Quit: Leaving]
20:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:07 -!- Eugene [~eugene@kashpureff.org] has joined #openvpn
21:07 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
21:23 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:23 -!- Eugene [~eugene@kashpureff.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
21:24 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
21:40 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:10 -!- Latrina [~Latrina@adsl-ull-195-193.50-151.net24.it] has joined #openvpn
22:12 -!- rudivd_ [~rudivd@205.158.164.101.ptr.us.xo.net] has joined #openvpn
22:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:56 -!- rudivd_ [~rudivd@205.158.164.101.ptr.us.xo.net] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
23:22 -!- ShadniX [dagger@p5481DF20.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:23 -!- ShadniX [dagger@p5DDFF391.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
23:34 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:38 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:46 -!- emperorsasu [~emperorsa@24.13.176.166] has quit [Ping timeout: 255 seconds]
23:50 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
--- Day changed Mon Jul 21 2014
00:14 -!- zapotek6 [~zap@95.74.109.18] has joined #openvpn
00:15 -!- zapotek6 [~zap@95.74.109.18] has quit [Max SendQ exceeded]
00:22 -!- zapotek6 [~zap@95.74.109.18] has joined #openvpn
00:22 -!- zapotek6 [~zap@95.74.109.18] has quit [Max SendQ exceeded]
00:40 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
00:40 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
00:51 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:54 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
00:54 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
01:26 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 255 seconds]
01:28 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
01:32 -!- mattock_afk is now known as mattock
01:48 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:55 -!- Ridley5 [~NA@unaffiliated/ridley5] has left #openvpn ["Script made in Turkey / Script fabriqué en Dinde"]
02:00 < mnathani> I can ping 8.8.8.8, but cant browse websites
02:00 < mnathani> windows openvpn client
02:00 < mnathani> ubuntu linux openvpn server
02:00 < mnathani> nslookup google.com returns valid ip addresses
02:02 -!- Latrina [~Latrina@adsl-ull-195-193.50-151.net24.it] has quit [Max SendQ exceeded]
02:02 -!- Latrina [~Latrina@adsl-ull-195-193.50-151.net24.it] has joined #openvpn
03:09 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
03:17 -!- defswork [~andy@141.0.50.98] has joined #openvpn
04:33 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
04:33 < eike_52n> !dns
04:33 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
04:33 < eike_52n> !pushdns
04:33 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
04:47 < eike_52n> !windns
04:47 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
05:29 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has joined #openvpn
05:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
06:03 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:03 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:10 -!- mingdao [~mingdao@unaffiliated/mingdao] has quit [Ping timeout: 240 seconds]
06:26 -!- tekk [~me@93.93.135.50] has joined #openvpn
06:27 < tekk> hi guys, i’ve just setup a second openvpn conf thats for a single client and I want that single client to receive a public IP address rather than NAT’d local IP address, i attempted to change the server line and netmask, yet it complains. can anyone advise?
06:28 < tekk> here’s my config: http://pasti.ng/p/fassDfud
06:29 < tekk> as you can see my old local network config, that worked and clients got ip’s in that masks range… however now i want my single client to get the 1.2.3.4 IP (its not the real IP obviously)…
06:32 < tekk> i basically have a NAT’d host, that I want to use OpenVPN for to “Deliver” it a public IP address thats not NAT’d… rather than having OpenVPN “deliver” a 10.x IP and then having an iptables rule on the OpenVPN server
06:32 < tekk> so basically the client will actually be aware of its real public IP that came from OpenVPN.
06:33 < tekk> would this config suffice: https://forums.openvpn.net/topic8559.html
06:33 <@vpnHelper> Title: OpenVPN Support Forum How-to: Tunnel WAN IP assigned to specific users : Examples (at forums.openvpn.net)
06:33 < tekk> ah no it doesn’t… client is aware of a 10.x not a public IP
06:40 <@ecrist> tekk: unless you have a routable block of IPs you can give to your openvpn instance, the best way to handle that is to do NAT (real NAT, not PAT, which everyone calls NAT)
06:41 <@ecrist> pf of *BSD calls this bi-nat
06:42 < tekk> ecrist, whats the minimum block?
06:42 < tekk> i thought a /31 would work no?
06:42 < tekk> 1 address for server, 1 for client
06:42 < tekk> which would be iirc 255.255.255.254
06:43 <@ecrist> in theory, that should work.
06:43 <@ecrist> really, a /30, though
06:43 < tekk> ok thats also fine :)
06:43 <@ecrist> if you're going to request a routed block from your ISP, I'd ask for a /29, myself
06:44 < tekk> i have a /24 left… but i don’t wanna use too much of it, so wanna subnet it for this purpose as small as i can… i’m not realistically gonna be able to get more addresses easily.
06:44 < tekk> so
06:44 < tekk> lets say i get a /29
06:45 <@ecrist> carve off a /30 then
06:45 <@ecrist> if you have a /24, you can always renumber later
06:45 < tekk> can you point me in the direction of a good guide? or do I simply substitute my local config with the public one ?
06:45 <@ecrist> substitute your real IPs in the openvpn config
06:45 < tekk> ok will give it a whirl and get back to u
06:45 < tekk> cheers
06:46 <@ecrist> and make sure that your border router knows to route that subnet to your openvpn server
06:46 < tekk> thats already done :)
07:02 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
07:02 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Max SendQ exceeded]
07:14 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
07:21 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
07:28 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
07:31 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
07:38 < busch> For not-so-stable connections, is it better to use TCP instead of UDP?
07:44 <@ecrist> !tcp
07:45 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
07:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-hbcuzzwtvpwfibhv] has joined #openvpn
08:01 < busch> ecrist: The only reason for that openvpn-tunnel ist to talk iSCSI over the Internet. Is tcp needed to prevent filesystem corruption?
08:02 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Ping timeout: 264 seconds]
08:03 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
08:20 -!- dazo_afk is now known as dazo
08:24 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:58 <@ecrist> I would strongly recommend AGAINST iSCSI of the internet
09:00  * plaisthos agrees with ecrist 
09:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:27 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:34 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:34 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
09:36 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
09:55 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
10:05 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
10:17 -!- matt_ [~matt@ccpc-mwr.bath.ac.uk] has quit [Read error: Connection reset by peer]
10:21 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
10:24 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
10:31 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
10:33 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Remote host closed the connection]
10:33 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
10:41 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
10:43 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
10:45 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Ping timeout: 240 seconds]
10:53 -!- u0m3_ [~u0m3@92.80.113.123] has joined #openvpn
10:54 -!- u0m3 [~u0m3@92.80.88.65] has quit [Ping timeout: 240 seconds]
11:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:33 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
11:40 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
11:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
11:47 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
11:48 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
12:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:29 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
12:30 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
12:34 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:35 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
12:36 -!- Zoddo [Zoddo@unaffiliated/zoddo] has joined #openvpn
12:37 -!- Zoddo [Zoddo@unaffiliated/zoddo] has left #openvpn []
12:45 -!- eike_52n [~eike@80.156.182.234] has quit [Quit: Verlassend]
12:53 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
12:55 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:00 -!- t0rbo [~kvirc@95.233.69.195] has joined #openvpn
13:00 < t0rbo> hi...
13:00 < t0rbo> someone online?
13:04  * t0rbo yuhuuuu (!?!?)
13:08 <@plaisthos> !ask
13:08 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
13:10 < t0rbo> i have some difficult to install open vpn
13:10 < t0rbo> for my fedora
13:10 < t0rbo> there's any repo?
13:10 < t0rbo> or rpm package?
13:10 <@dazo> t0rbo: please read the channel topic carefully
13:11 < t0rbo> !welcome
13:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:11 < t0rbo> uhm
13:11 < t0rbo> eh..
13:11 < t0rbo> ergo?
13:12 <@dazo> for fedora ... ehhh .... yum install openvpn?
13:13 < t0rbo> uhm i read that there's not a repo for fedo
13:13 < t0rbo> uhm...
13:13 <@dazo> then your fedora is broken ....
13:13 <@dazo> http://koji.fedoraproject.org/koji/packageinfo?packageID=2700
13:13 <@vpnHelper> Title: openvpn | Package Info | koji (at koji.fedoraproject.org)
13:14 <@dazo> that's available in standard repos for most Fedora versions, even reasonably up-to-date
13:14 < t0rbo> tnx
13:15 <@dazo> https://admin.fedoraproject.org/updates/search/openvpn ... even shows when these packages was released
13:15 <@vpnHelper> Title: Fedora Updates (at admin.fedoraproject.org)
13:18 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:19 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
13:24 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
13:28 <@krzee> !repo
13:28 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
13:28 <@krzee> also got that, not sure if fedora or not
13:32 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
13:38 -!- Tim-RoninDesign [~Myrddin@c-98-203-152-123.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
13:44 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Excess Flood]
13:45 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
13:58 <@dazo> krzee: Fedora ships 2.3.2 for F19/F20 ... The future coming F21 is on 2.3.4 (iirc) .... so unless anyone wants to really poke with the really latest builds, the stock Fedora repos is quite up-to-date these days
13:59  * dazo is not sure how big the gap from 2.3.2 and 2.3.4 is, in Fedora context
14:03 <@krzee> gotchya
14:04 <@dazo> (seems to be a few bugfixes, some which basically covers corner cases ... and a few nice security enhancements, but nothing strictly critical)
14:05 < Eugene> Generally they abandon a given version about a month before release, and then bring new security vulnerabilities in the nest release 6 mo later(really 8 with the delays)
14:06 <@dazo> Eugene: it's basically up to the package maintainers ... the guy who have stepped up lately have been more "on the edge", but I'll grant you that 2.3.2 is aging
14:07 <@dazo> (but rest assure, a newer version would have had critical CVE's, they would turn around quickly)
14:07 <@dazo> *which* would have had
14:07 < Eugene> CentOS/EPEL7(forked from F19ish) has 2.3.2
14:08 <@dazo> EPEL is a slightly different regime ... and doesn't get rebuilds the same way as Fedora
14:08 < Eugene> So does EPEL6, it seems. Heh.
14:08  * dazo is not sure if EPEL have the same maintainer as Fedora
14:08 < Eugene> "Yes"
14:08 <@krzee> are those not released by redhat?
14:09 <@krzee> how have they not pushed that repo on you? :D
14:09 <@dazo> EPEL is community
14:09 < Eugene> IIRC the process is to take the Fedora srpm and build in a RHEL box
14:09 <@krzee> oh i see
14:09 < Eugene> All of Fedora is "community", but certain of the volunteers are RH employees
14:09 <@dazo> but RH provides the build VMs for EPEL
14:09 <@dazo> Eugene++
14:09 < Eugene> IOW, RH is paying them to do Fedora, and Fedora is accepting the free labor
14:10 <@dazo> hehehe
14:10 < Eugene> I think the Steering Committee(or whatever it's called) is mostly RH employees, but I haven't looked at the details in years
14:10 < Eugene> I know it was back when it was called Fedora Core
14:10 <@dazo> I believe that has changed somewhat ... the chair man must be a RH person, but I think that's all
14:11 <@dazo> (but the community may *vote* for RH people)
14:11 < Eugene> CentOS follows a similar process nowadays too. RH justifies their salaries under the Marketing dept(change a few yum repo entries and pay for the support contract!)
14:12 <@dazo> :)
14:12 <@dazo> maybe not exactly like that ... but I understand the conspiracy ;-)
14:13  * dazo is a red hatter, in case anyone wondered
14:13 < Eugene> It's not a conspiracy if they've said that's the plan
14:13 <@dazo> really?
14:13 < Eugene> It was in the announcement when they joined RH
14:13 < Eugene> Not in as many words, but not really a secret
14:14 <@dazo> because the whole build process between CentOS and RHEL are on completely different systems ... and in-house CentOS people don't have direct access to the RHEL SRPMs
14:15 <@dazo> so there is a clear distinction between CentOS and RHEL .... but they share the same upstream code, and the fixes which goes into RHEL
14:15 <@dazo> (the whole build process is quite confusing for me on this point)
14:17 < Eugene> My understanding was that CentOS was directly formed from debranded RHEL srpms
14:19 < Eugene> I know that Scientific Linux(and several other related projects) aren't going to be doing a 7 release, instead moving over to being a CentOS SIG
14:21 <@dazo> I'm not working on neither RHEL nor CentOS, so my information may be flawed ... but I know they try really to ensure that there's a difference between CentOS and RHEL ... and that CentOS is governed similar to Fedora .... remember that CentOS traditionally have been downstream of RHEL, which is downstream of Fedora ... so I think the attempts is to make it more influenced directly by Fedora, and as many wants a /slightly/ faster moving enter
14:21 <@dazo> prise distro (especially on the desktops)
14:22 < Eugene> That's really getting into the SIGs thing. Everything I've read says that "Core" will continue to directly track RHEL
14:22 <@dazo> If CentOS becomes too close to RHEL, it would for many users not make sense to use RHEL ... which would cut the funding to RH, and they couldn't do all this grand scale community work with Fedora and the upstream projects Fedora depends on
14:22 < Eugene> But yeah, there's gonna be Fedora-like Spins for different feature sets
14:23 <@dazo> it's a tricky thing to juggle correctly :)
14:23 < Eugene> CentOS has always had a goal of 100% binary compatibility with RHEL. The EL value-add is in the Support and RHN access
14:24 < Eugene> Pushy salesmen do a good job convincing executives that they need Support
14:24 < Eugene> A lot of enterprise deployments I've seen do CentOS for their build/test/whatever env, and then EL in Production
14:25 <@dazo> 100% binary compatibility isn't really possible ... as the compilers versions and system libraries may be slightly different ... it can be really close, and it can provide a functional ABI between kernel, libs and apps ... but getting it identical, would mean it would basically be RHEL
14:25 < Eugene> I said Goal
14:25 <@dazo> :)
14:25 < Eugene> And that's just it: they're the same compiler versions
14:25 <@dazo> That's right ... many use CentOS for testing .... but there's many who have ditched EL completely too, due to CentOS working "too well"
14:26 < Eugene> Yup, sure have.
14:27 -!- t0rbo [~kvirc@95.233.69.195] has quit [Ping timeout: 256 seconds]
14:29 <@dazo> Eugene: even the same compiler version isn't necessarily enough.  You need the whole chain of compiling the compilers to be 100% identical ... http://cm.bell-labs.com/who/ken/trust.html
14:29 <@vpnHelper> Title: ACM Classic: Reflections on Trusting Trust (at cm.bell-labs.com)
14:29 < Eugene> Is that the one about the naughty compiler? Yeah, I know what you mean
14:29 <@dazo> yeah, it is
14:30 < Eugene> I know from experience, however, that the behaviour(ABI-level) of a CentOS system is close enough to RHEL that you can, quite literally, replace /etc/yum/repos.d/CentOS.repo with RHEL.repo, `yum update`, and Bob's your uncle.
14:30 <@dazo> there are similar issues when bootstrapping a build environment as well ... with the interaction between glibc and gcc
14:31 <@dazo> agreed ... the ABI level is very close, but nobody dares guaranteeing it 100% :)
14:31 < Eugene> $CLIENT decided they needed the new upstream kernel patch NOW, so out came the credit card
14:31 <@dazo> I'm actually less worried about upgrading the kernel, compared to upgrading system libraries
14:32 < Eugene> It all Just Worked.
14:32 <@dazo> the kernels' ABI is quite consistent, and the glibc has amazing ways to identify which syscall variants to use against the kernel
14:33 <@dazo> (I've run RHEL kernels on Fedora, without issues ... and I'm in the team building kernel-rt (realtime kernel) for RHEL6 ... latest kernel-rt was a 3.10 kernel, RHEL6 ships with a 2.6.32 baseline)
14:33 -!- kirin` [telex@gateway/shell/anapnea.net/x-hbcuzzwtvpwfibhv] has quit [Ping timeout: 245 seconds]
14:33 <@dazo> But I wouldn't dare do that with system libs
14:33  * Eugene shrugs
14:34 < Eugene> I used to have a few CentOS6 x32 userlands running on Linode, with the newest "stable" x64 kernel.
14:34 <@dazo> that works very well
14:34 < Eugene> And a few x64 binaries+libs tossed in from Fedora, for reasons I don't want to discuss
14:34 <@dazo> Kernel developers even encourages that :)
14:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-bqxvqthziifujnav] has joined #openvpn
14:35 < Eugene> The offending machines have been put down mercifully
14:35 <@dazo> heh ... well, there you separate 32bit and 64bits ... so that's a bit different ... as long as you can separate 32/64 bits libs, that will work very fine
14:36 <@dazo> 32bit apps will only use 32bits libs, and same with 64 bits apps/libs
14:37 <@dazo> we had some 32bit customers who got upset when we ditched 32bit for kernel-rt ... we considered to officially support running 64bit kernel-rt on 32bit user-land ... but the whole packaging process got quite messy to really be worth the efforts ... and we didn't want to teach customers to use --force :)
14:41 < Eugene> It's so hard to find a machine with <4GB of RAM anyway
14:41 <@dazo> yupp ... and those customers who wants kernel-rt usually have minimum 16GB, if not 32GB
14:41 <@dazo> (usually minimum 1GB per core)
14:42 <@dazo> and the PAE is just a big mess
14:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:31 <@dazo> krzee: seen this one?  http://www.zdnet.com/forensic-scientist-identifies-suspicious-back-doors-running-on-every-ios-device-7000031795/#ftag=RSS8c9f30c
15:31 <@vpnHelper> Title: Forensic scientist identifies suspicious back doors running on every iOS device | ZDNet (at www.zdnet.com)
15:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:34 -!- mattock is now known as mattock_afk
15:35 -!- dazo is now known as dazo_afk
15:36 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:40 <@krzee> i had not, loading the link now
15:51 -!- rudivd_ [~rudivd@205.158.164.101.ptr.us.xo.net] has joined #openvpn
16:02 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:14 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 240 seconds]
16:24 -!- rudivd_ [~rudivd@205.158.164.101.ptr.us.xo.net] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
17:03 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
17:08 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 272 seconds]
17:08 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 240 seconds]
17:14 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
17:18 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:20 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Ping timeout: 250 seconds]
17:33 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
18:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:30 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
18:32 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
18:46 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
19:01 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
19:04 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
19:05 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 240 seconds]
19:05 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
19:06 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
19:06 -!- mode/#openvpn [+v RBecker] by ChanServ
19:26 -!- C0SM0S [~C0SM0S@unaffiliated/c0sm0s] has joined #openvpn
19:27 < C0SM0S> !paste
19:27 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
19:28 < C0SM0S> hmm - my log says success but yet it's not working like i expect
19:29 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:33 -!- C0SM0S [~C0SM0S@unaffiliated/c0sm0s] has left #openvpn []
19:34 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
19:43 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
19:45 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
19:46 -!- maskedlua [~maskedlua@unaffiliated/themaskedlua] has quit [Ping timeout: 240 seconds]
19:49 < Poster> please explain what you are trying to accomplish
19:52 -!- Macer [macer@lasziv.reprehensible.net] has joined #openvpn
19:53 < Macer> hello. i have a bit of a problem. i'm running openvpn on a wifi router using tomato but it isn't controlling my internet connection. i am trying to connect an iphone using tun. i can connect, authenticate with the keys/certs, and i can get to the router itself.. but i can't seem to redirect internet traffic through it
19:54 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
19:54 < Macer> i'm using the comcast router to forward the port to the wifi router running openvpn... is there some sort of workaround for this? i've been looking around for a while
19:54 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 250 seconds]
19:55 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
19:57 -!- m0rd3cai [~m0rd3cai@unaffiliated/m0rd3cai] has joined #openvpn
19:57 -!- m0rd3cai [~m0rd3cai@unaffiliated/m0rd3cai] has left #openvpn []
19:58 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
20:11 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
20:16 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
20:23 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
20:24 -!- ShadniX [dagger@p5DDFF391.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
20:26 -!- ShadniX [dagger@p5DDFF391.dip0.t-ipconnect.de] has joined #openvpn
20:28 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
20:30 -!- akp [~akp@c-50-169-193-161.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
20:32 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
20:38 -!- akp [~akp@c-50-169-193-161.hsd1.ma.comcast.net] has joined #openvpn
20:40 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
20:45 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
21:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:33 < hays> is there an analog to easy_rsa for ec keys?
21:34 < hays> 1024 dh seems broken these days and i figure ec will be more efficient
21:34 < hays> than going to 2048 or more
21:34 < hays> and will this even work on 2.2.1
21:36 <@ecrist> not heard of using EC keys in place of DH
21:40 <@ecrist> I don't think OpenVPN support this
21:43 <@ecrist> hays: see here, this thread may get you where you're going.  If EC support *has* been added, it certainly won't be in 2.2.x
21:43 <@ecrist> https://forums.openvpn.net/topic8404-30.html
21:43 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian) : Configuration - Page 3 (at forums.openvpn.net)
22:11 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
22:12 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:12 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
22:24 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
22:27 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
22:31 -!- Latrina [~Latrina@adsl-ull-195-193.50-151.net24.it] has quit [Ping timeout: 256 seconds]
22:32 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 250 seconds]
22:32 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
22:32 -!- Latrina [~Latrina@adsl-ull-191-218.50-151.net24.it] has joined #openvpn
22:33 -!- troj [~xxx@2001:470:1f15:107a::50f7] has joined #openvpn
23:20 -!- ShadniX [dagger@p5DDFF391.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:21 -!- ShadniX [dagger@p5DDFF3B4.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:41 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
--- Day changed Tue Jul 22 2014
00:01 -!- Pyrogerg [~Gregory@mobile-166-137-183-024.mycingular.net] has joined #openvpn
00:06 -!- zapotek6 [~zap@95.74.109.18] has joined #openvpn
00:06 -!- zapotek6 [~zap@95.74.109.18] has quit [Max SendQ exceeded]
00:08 -!- Pyrogerg [~Gregory@mobile-166-137-183-024.mycingular.net] has quit [Read error: Connection reset by peer]
00:09 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
00:24 -!- mattock_afk is now known as mattock
00:25 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:17 -!- msn [~kvirc@125.234.96.10] has joined #openvpn
01:18 < msn> is it possible to use both auth-user-pass and static key in the same config and only one being required?
01:33 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:50 -!- msn [~kvirc@125.234.96.10] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
02:19 -!- hyper_ch [~hyperch@2a01:4f8:160:13a2::2] has joined #openvpn
02:19 < hyper_ch> good morning
02:20 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:23 -!- buhman is now known as buhman--
02:33 -!- buhman-- is now known as buhman
02:40 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
02:46 -!- pcfreak30 [~pcfreak30@216.245.223.16] has joined #openvpn
02:47 < pcfreak30> How exactly can you have a openvpn user get a dedicated ip via iptables if they have a static internal ip?
02:59 -!- Latrina [~Latrina@adsl-ull-191-218.50-151.net24.it] has quit [Ping timeout: 250 seconds]
03:00 < hyper_ch> pcfreak30: via iptables? why not use ccd (custom-config-dir)?
03:01 < hyper_ch> hmmm, why does ipconfig /all on windows not show the openvpn tun adapter?
03:02 -!- Latrina [~Latrina@adsl-ull-218-255.45-151.net24.it] has joined #openvpn
03:02 < pcfreak30> hyper_ch: no, i mean multiple nics
03:02 < hyper_ch> pcfreak30: no idea
03:04 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
03:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:09 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:13 -!- fin__ [~l30@unaffiliated/le0] has joined #openvpn
03:15 -!- le0 [~l30@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
03:19 -!- hyper_ch [~hyperch@2a01:4f8:160:13a2::2] has left #openvpn ["Konversation terminated!"]
03:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
04:09 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:13 -!- larryone [~larryone@185.32.152.150] has quit [Client Quit]
04:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:48 -!- pcfreak30 [~pcfreak30@216.245.223.16] has quit [Ping timeout: 256 seconds]
04:52 -!- wiking [~wiking@huwico/staff/wiking] has joined #openvpn
04:54 < wiking> hi! i'm just wondering if anybody had faced a similar problem. currently i'm trying to use openvpn and route all the traffic via it, but for some reason it seems that if i use ssh tunnel instead of openvpn the bandwidth is 10 times faster.
04:54 -!- Netsplit *.net <-> *.split quits: mcp, malc0re_, MatToufoutu, RaiNerTsuFal, mete, swebb, aPollO2k, Matir, pppingme
04:54 -!- Netsplit over, joins: Matir
04:54 -!- malc0re [mc@unaffiliated/csdsss] has joined #openvpn
04:55 -!- Netsplit over, joins: aPollO2k
04:55 -!- Netsplit over, joins: mete
04:55 -!- Netsplit over, joins: pppingme
04:57 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
05:00 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
05:05 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
05:12 -!- julius_ [~julius_@141.41.92.61] has joined #openvpn
05:12 < julius_> hi
05:13 -!- fin__ [~l30@unaffiliated/le0] has quit [Quit: Leaving]
05:14 < julius_> ive got    push "dhcp-option DNS 10.8.33.1"   in a ccd/myclientname    but on my host /etc/resolv.conf still says    nameserver someip.  if i add reidrect-gateway...  in the ccd file i can see that my local route table changes, so the ccd file is found
05:15 < julius_> might this be because of "NetworkManager" manages the ethernet connection in generell and just overwrites the openvpn changes?
05:15 < julius_> im on debian wheezy
05:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
05:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:47 -!- dazo_afk is now known as dazo
05:56 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
06:32 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
06:44 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:03 < hays> ecrist: thanks... i will upgrade my rsa encryption a bit and give it some time
07:33 < nobody481> Using Windows, if there are multiple .ovpn files in the \config\ directory and you start the OpenVPN serivce, how does it choose which one to use?  I can't find a pattern to it.
07:35 -!- wiking [~wiking@huwico/staff/wiking] has left #openvpn []
07:38 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:53 < tekk> hi guys
07:53 < tekk> my vpn server sits on 192.168.111.0/24
07:53 < tekk> i’ve carved out a subnet that i’d like the vpn server to serve out addresses for
07:53 < tekk> in my server line i put
07:53 < tekk> server 192.168.111.230 255.255.255.240
07:53 < tekk> which should give me 192.168.111.225 - 192.168.111.238
07:53 < tekk> however when trying to run openvpn i get the following error
07:53 < tekk> Options error: --server directive network/netmask combination is invalid
07:53 < tekk> any ideas?
07:56 < tekk> maybe i should be using server-bridge?
08:01 <@dazo> tekk: that is the wrong answer
08:01 < nobody481> tekk: I'm no expert in subnetting, but try 192.168.111.224 255.255.255.240 instead and see what that does for you.
08:01 <@dazo> $ ipcalc -bn 192.168.111.230 255.255.255.240
08:01 <@dazo> BROADCAST=192.168.111.239
08:01 <@dazo> NETWORK=192.168.111.224
08:01 < tekk> so basically its my shitty math?
08:01 < tekk> :)
08:01 <@dazo> nobody481: seems to be correct
08:02 < tekk> thanks guys
08:02  * tekk must stop doing subnet calcs on pen and paper
08:02 < tekk> i actually had no idea ipcalc existed :)
08:11 < nobody481> Doing it on pen and paper is a noble effort.  I just found a subnetting cheat sheet online.
08:16 <@ecrist> nobody481: the GUI will show a list of connections to choose from.
08:21 -!- GrantK [WSaVZXvTS5@bolt.sonic.net] has joined #openvpn
08:22 < tekk> Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
08:22  * tekk facepalm
08:22 < tekk> why?
08:22 < tekk> a /30 is perfectly workable
08:24 < GrantK> Hi.  I've openvpn set up in subnet topology between a server & client.  Once the tunnel's up & settled, all's well.  My issue, though is that I've got a (currentlY) "random" variation in the time it takes for the tunnel to be (re)establish.  Bringing down/up either end of the tunnel, by daemon restart or system reboot, results -- sometimes (Maddeningly!) in a pause of up to ~3 minutes before site-to-site pings get responses.
08:25 < GrantK> Sometimes, connection+ping is immediate ... No errors afaict in verbose log.  But,
08:25 < GrantK> when the pingability is reestablished, I see in my SERVER-side log:
08:25 < GrantK> Tue Jul 22 06:08:59 2014 client.mydomain.com/X.X.X.X:1194 SENT CONTROL [client.mydomain.com]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route-gateway 10.0.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0' (status=1)
08:26 < GrantK> I do NOT (yet) know if that's a cause, or result, of the ping being reestablished.
08:26 < GrantK> ANy hints as to where to begin to look to troubleshoot?
08:30 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
08:31 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
08:34 < nobody481> tekk: I think it's arbitrary, you can pick any class C subnet.  Go with 192.168.211.x and use /29 or lower.
08:36 < tekk> i onl yhave a /30 left… guess i’ll have to patch openvpn
08:37 < nobody481> tekk: Really?  You have an entire class B 192.168.x.x subnet filled up?
08:37 < tekk> its not my network and i’ve been given a /30
08:38 < nobody481> I see
08:38 < nobody481> Carry on
08:51 < GrantK> does Marius Tomaschewski hang in IRC?  got a handle?
08:52 <@plaisthos> GrantK: who would that be?
08:53 < GrantK> plaisthos: Marius Tomaschewski <mt@suse.com>, maintainer for strongswan
08:53 < GrantK> argh!  wrong room. sry!
08:53 <@plaisthos> GrantK: :)
08:53 < GrantK> c.o.f.f.e.e. ...
08:54 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
08:56 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
08:56 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
08:56 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
09:11 <@ecrist> tekk: if you MUST work within that /30, use a bridged VPN
09:11 <@ecrist> though I don't recommend it
09:14 <@plaisthos> or use a p2p or net30 toplogy
09:18 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
09:18 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
09:20 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:28 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
09:38 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:43  * GrantK grumbles -- beating openvpn with a stick is NOT helping 
09:48 <@plaisthos> !android
09:48 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old
09:49 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
09:49 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
09:49 <@plaisthos> learn android If you have no playstore on your device you can get the apk from http://plai.de/android/
09:49 <@vpnHelper> Title: Index of /android (at plai.de)
09:49 <@plaisthos> !learn android If you have no playstore on your device you can get the apk from http://plai.de/android/
09:49 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
09:50 <@plaisthos> !learn android as If you have no playstore on your device you can get the apk from http://plai.de/android/
09:50 <@vpnHelper> Joo got it.
09:50 <@plaisthos> !android
09:50 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) If you have no playstore on your device you can get the apk from
09:50 <@vpnHelper> http://plai.de/android/
10:09 <@plaisthos> !forget android 4
10:09 <@vpnHelper> Joo got it.
10:10 <@plaisthos> !learn android as You can get the apk directly from http://plai.de/android/
10:10 <@vpnHelper> Joo got it.
10:10 <@plaisthos> !android
10:10 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/
10:12 < GrantK> sequence seems to matter here.  If server & client are both up, tunnel's established, and bi-drectional PINGs are working, then (1) drop & restart CLIENT, PINGs re-start ~immediately.  But (2) drop & restart SERVER, about a 2-3 minute delay for reconnect.
10:12 < GrantK> Gotta be config ...
10:14 < GrantK> s/delay for reconnect/delay for PING reestablish/
10:37 < GrantK> found it.  ping-restart ... Is there any harm/concern in reducing a server's "keepalive 10 120" (default) to "keepalive 2 5" ?
11:20 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
11:27 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
11:31 < julius_> one of my lan clients cant reacht the openvpn server, the lan router knows about the openvpn server.....details here:  http://www.linuxforums.org/forum/networking/202183-openvpn-server-not-reachable-lan-client.html          could somebody please take a look?
11:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:32 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:33 < jefferai> Do I need to have different openvpn configuration files (for instance, tcp and udp) have different addresses configured in server-bridge, or is it smart enough to check whether an address is in use?
11:45 -!- GrantK [WSaVZXvTS5@bolt.sonic.net] has quit [Quit: GrantK]
11:49 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 240 seconds]
11:54 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:12 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 256 seconds]
12:27 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:22 -!- dazo is now known as dazo_afk
14:08 -!- Latrina [~Latrina@adsl-ull-218-255.45-151.net24.it] has quit [Ping timeout: 264 seconds]
14:08 -!- Latrina [~Latrina@ppp-243-9.26-151.libero.it] has joined #openvpn
14:16 < jefferai> Same question for a routed setup, actually
14:16 < Eugene> yes, you need different addresses
14:19 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
14:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
14:36 -!- mattock is now known as mattock_afk
14:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:44 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
14:51 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
15:05 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 250 seconds]
15:06 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
15:12 -!- Latrina [~Latrina@ppp-243-9.26-151.libero.it] has quit [Ping timeout: 255 seconds]
15:14 -!- Latrina [~Latrina@ppp-134-10.26-151.libero.it] has joined #openvpn
15:19 -!- LFNfan [~paul@pesbaker.plus.com] has joined #openvpn
15:20 -!- pcfreak30 [~pcfreak30@216.245.223.16] has joined #openvpn
15:20 < pcfreak30> Is there any plugin that would allow to configure a CCD via mysql?
15:24 < LFNfan> Hi trying to get openvpn up and running for first time.  syslog seems to show error to do with ifupdown.  any assistance appreciated.  log and config here: http://pastebin.com/26N4GSRe
15:31 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:37 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:38 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
15:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:45 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
16:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:31 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
16:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
16:58 < julius_> i cant reach my openvpn server from  a client inside my lan. the router got a connection to the openvpn server....details here: http://www.linuxforums.org/forum/networking/202183-openvpn-server-not-reachable-lan-client.html
16:59 < julius_> could somebody please take a look and answer here?
17:21 -!- u0m3_ [~u0m3@92.80.113.123] has quit [Ping timeout: 255 seconds]
17:23 -!- LFNfan [~paul@pesbaker.plus.com] has quit [Quit: Leaving]
17:24 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:26 -!- pcfreak30 [~pcfreak30@216.245.223.16] has quit [Quit: Leaving]
17:52 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:54 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:54 -!- u0m3 [~u0m3@92.80.113.123] has joined #openvpn
18:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:03 -!- justinzane [~justinzan@24.49.207.203] has quit []
18:09 -!- hays [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
18:17 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
18:19 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
18:21 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
18:26 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
18:26 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:45 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 255 seconds]
19:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:02 -!- mode/#openvpn [+v s7r] by ChanServ
20:05 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 272 seconds]
20:22 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:31 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has quit [Ping timeout: 240 seconds]
20:32 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
20:32 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 240 seconds]
20:33 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has joined #openvpn
20:33 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
20:34 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
20:35 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 240 seconds]
20:35 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
20:36 -!- Argat [~Argat@adsl-98-48.du.nwc.is] has joined #openvpn
20:43 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
21:03 -!- acu [~acu@24-159-215-146.static.roch.mn.charter.com] has joined #openvpn
21:08 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Ping timeout: 255 seconds]
21:12 -!- acu [~acu@24-159-215-146.static.roch.mn.charter.com] has quit [Quit: Leaving]
21:18 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
21:35 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
21:37 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
21:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
21:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:44 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
21:49 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
21:55 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
21:56 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
22:26 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
22:27 -!- larryone [~larryone@176.61.1.155] has quit [Remote host closed the connection]
22:37 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:40 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:40 < svm_invictvs> Hello
22:40 < svm_invictvs> How goes it in here?
22:42 < svm_invictvs> If I wan to enable username/password authentication only, do I simply put "client-cert-not-required" in the client config?
22:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:00 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
23:08 -!- ZeDestructor [~ZD@unaffiliated/zedestructor] has joined #openvpn
23:18 -!- Pyrogerg [~Gregory@mobile-166-137-183-024.mycingular.net] has joined #openvpn
23:20 <@krzee> !nocert
23:20 <@vpnHelper> "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required or (#2) to know more, read about those config options in the manual (!man)
23:20 < svm_invictvs> yeah
23:20 -!- ShadniX [dagger@p5DDFF3B4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:21 -!- ShadniX [dagger@p5DDFE3AB.dip0.t-ipconnect.de] has joined #openvpn
23:22 < svm_invictvs> The password will be tied to an OTP
23:22 < svm_invictvs> So from what I undestand, I can get a self-signed cert
23:22 < svm_invictvs> and distribute the CA to the client
23:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:25 < svm_invictvs> That or I was going to route them to a captive portal and send an SMS with an OTP
23:34 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
23:41 < svm_invictvs> uggh
23:41 < svm_invictvs> I'm using a gui to set it up
23:41 < svm_invictvs> So I'm not sure what' it's doing
23:46 -!- Pyrogerg [~Gregory@mobile-166-137-183-024.mycingular.net] has quit [Read error: Connection reset by peer]
23:55 < svm_invictvs> Why would I use tcp vs udp?
23:58 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
--- Day changed Wed Jul 23 2014
00:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 255 seconds]
00:04 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
00:26 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
00:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:59 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
01:02 -!- metaf5 [~metaf5@107.181.166.167] has quit [Ping timeout: 240 seconds]
01:02 -!- mattock_afk is now known as mattock
01:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 256 seconds]
01:07 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
01:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:07 -!- metaf5 [~metaf5@107.181.166.167] has joined #openvpn
01:12 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
01:16 -!- larryone [~larryone@176.61.1.155] has quit [Client Quit]
01:23 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:28 -!- Pandemic_Force is now known as Wombat_
01:29 -!- Wombat_ is now known as Pandemic_Force
01:29 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:30 -!- Pandemic_Force is now known as Doger_
01:30 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:30 -!- mode/#openvpn [+o mattock] by ChanServ
01:30 -!- Doger_ is now known as Pandemic_force
01:31 -!- Pandemic_force is now known as Pandemic_Force
01:41 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:47 < ZeDestructor> Hi, I'm having a problem with my OpenVPN setup. I can connect to the server fine, and even SSH into other machines on the LAN with the remote server, but unfortunately, I cannot access the internet through the vpn CONNECTION, SOMETHING THAT i WOULD LIKE TO BE ABLE TO DO
01:47 < ZeDestructor> sorry, for accidental caps
01:47 < ZeDestructor> here are my configs: server: http://pastebin.kde.org/prrlxmcrr ; Client: http://pastebin.kde.org/py0qkl6et
01:51 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Ping timeout: 256 seconds]
01:54 -!- indy [~indy@shadow.kastnerove.cz] has quit [Ping timeout: 256 seconds]
02:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:06 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
02:06 < ZeDestructor> guys?
02:06 < ZeDestructor> help?
02:11 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
02:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
02:26 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
02:28 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
02:33 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
02:37 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:42 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
02:47 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Quit: So long and thankful is the fish...]
02:48 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:49 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
03:04 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-bvvdtsjrzcayermp] has quit [Remote host closed the connection]
03:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:38 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:42 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
03:48 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds]
03:51 -!- indy [~indy@shadow.kastnerove.cz] has joined #openvpn
03:53 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
04:01 -!- s7r_l [~s7r@openvpn/user/s7r] has joined #openvpn
04:01 -!- mode/#openvpn [+v s7r_l] by ChanServ
04:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
04:10 < ACKNAK> Hello! Does OpenVPN honors PMTU? I using default MTU values so far, but seems like one of my clients is behind router which says "Frag needed and DF set (mtu = 1440)". I do not want to lower MTU for everybody yet.
04:12 < ACKNAK> may be I should try iptables "-j TCPMSS --clamp-mss-to-pmtu"
04:13 < tekk> hi guys, http://pasti.ng/p/UtDbagrf this is my conf
04:13 < tekk> the VPN runs on the 192.168.111.0/24 network
04:13 < tekk> hands out 192.168.222.0/24 addresses
04:13 < tekk> but i want it to be able to route to 192.168.111.0/24
04:13 < tekk> thats my config
04:13 < tekk> and i have the following iptables
04:14 < tekk> iptables -t nat -A POSTROUTING -s 192.168.111.0/24 -o eth0 -j MASQUERADE
04:14 < tekk> sysctl -w net.ipv4.ip_forward=1
04:14 < tekk> yet it doens’t work
04:16 < tekk> i guess the client either needs the route too or i need push "route 192.168.4.0 255.255.255.0" in the server right?
04:17 < tekk> now it works :)
04:21 < Macer> how did you fix it?
04:25 -!- unixoid [vashirov@nat/redhat/x-zyikudjaqyzyqaqs] has joined #openvpn
04:31 < tekk> i added the push for the route
04:31 < tekk> otherwise i had to put the route line in both client and server i guess
04:35 < Macer> is this tap or tun?
04:35 < Macer> i can't seem to get tun working on ios and it seems a routing issue :/
04:35 < Macer> tap works fine tho on a laptop
04:38 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:42 < tekk> tun
04:42 < tekk> works on my iOS device also
04:43 < tekk> my other clienti s Mac OS
04:43 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
04:45 -!- s7r_l [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
04:45 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:46 < Macer> you are running openvpn on your actual internet router?
04:46 < Macer> the guys here suggested it may have been from me not running the internet connection on my router
04:46 < Macer> i was using tomato. i can connect and authenticate using the keys but no internet traffic once it's connected :/
04:48 < tekk> i run it on a linux machine on my LAN
04:48 < tekk> behind the router
04:48 < Macer> hm
04:49 < Macer> no idea what the problem is then... can i see your client and server configs?
04:49 < Macer> that's pretty much what i'm trying to do :/
04:49 < Macer> the wifi router is behind a comcast router
04:49 < Macer> i can hit it and connect but it sure isn't redirecting traffic for tun
04:51 < Macer> like the router that it's on uses 192.168.1.x and the tun is trying to use 192.168.2.x
04:51 < Macer> and i get no internet traffic
04:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:57 < tekk> paste your configs on http://pasti.ng
04:57 < tekk> for client and server
05:00 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
05:00 < Macer> one sec...
05:01 -!- unixoid [vashirov@nat/redhat/x-zyikudjaqyzyqaqs] has quit [Quit: Leaving]
05:02 < Macer> http://pasti.ng/p/mGzzGiBh
05:02 < Macer> i changed the server name ;) but the server is correct
05:06 < Macer> http://pasti.ng/p/wESYsjLl
05:06 < Macer> and thats my server
05:06 < Macer> again.. server.org isn't the actual domain
05:06 < Macer> that is what tomato automatically generates when enabling the tun
05:08 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
05:17 -!- larryone [~larryone@176.61.1.155] has quit [Ping timeout: 255 seconds]
05:21 -!- unixoid [unixoid@nat/redhat/x-baacxenfxjvoupdn] has joined #openvpn
05:29 -!- unixoid [unixoid@nat/redhat/x-baacxenfxjvoupdn] has quit [Ping timeout: 245 seconds]
05:35 < Macer> yeah just can't figure this out
05:35 < Macer> i guess i'll try openvpn on something else. maybe there is just something wrong with the tomato implementation
05:37 -!- unixoid [unixoid@nat/redhat/x-prfhjmdhdooippbx] has joined #openvpn
05:49 < tekk> from clients
05:49 < tekk> can they ping 192.168.2.x addresses and 192.168.1.x ?
05:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
05:56 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:58 < Macer> hm
05:58 < Macer> i only have the iphone to work with on the tun
05:58 < Macer> let me install ping on it :)
05:59 -!- Latrina [~Latrina@ppp-134-10.26-151.libero.it] has quit [Ping timeout: 272 seconds]
05:59 < Macer> wow
05:59 < Macer> no ping for ios? wtf?
06:01 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
06:02 < Macer> ah. no
06:02 < Macer> i can access the router web ui
06:02 < renihs> iphone/pads can work with openvpn?
06:02 < Macer> but i can't seem to hit anything else on the 192.168.1.x network :/
06:02 < renihs> thats new...
06:03 < tekk> its not new
06:03 < tekk> they’ve been able to work with openvpn since like… 2010
06:03 < Macer> renihs: lol. it is trying to work :)
06:03 < tekk> without jailbreaking
06:03 < renihs> really?
06:03 < tekk> yes
06:03 < Macer> i just have some sort of awkward routing issue
06:03 < renihs> there isnt a app for openvpn
06:03 < Macer> yes there is
06:03 < tekk> there is an official OpenVPN app even
06:03 < renihs> i had to mangle with ipsec/l2tp and stuff
06:03 < tekk> and tons of third party ones
06:03 < renihs> interesting
06:04 < tekk> iOS gives third-party providers access to create their own VPN support
06:04 < renihs> well that was before 2010 i last did that
06:04 < Macer> what sucks about it.. is it can't use tap :/
06:04 < Macer> i'm sure i'd be said and done with this if it supported tap
06:04 < Macer> instead of trying to figure out where the routing issue is with tun
06:04 < tekk> you cna write your own tap support
06:04 < tekk> there is a public API in iOS for VPN providers
06:05 < julius_> lan client(A 192.168.11.140) -> router (B 192.168.11.115) -> internet -> openvpn server(C 10.8.33.1).          router B got a vpn connetion to the openvpn server. now when i run "ping 10.8.33.1" from my lan client the router B forwards the packets...but they never reach the openvpn server...why?  tcpdump -i tun0 icmp   or the same with -i eth0 never show incomming icmp requests. iptables on all boxes is disabled
06:05 <@plaisthos> tekk: only if you are invited and sign an NDA
06:06 < tekk> plaisthos thats incorrect
06:06  * Macer sleeps with a dev book under his pillow
06:06 < tekk> you just have to ask
06:06 < Macer> maybe there is just something fundamentally broken with the openvpn in tomato heh
06:06 < tekk> (and then sign an NDA… which all iOS app developers in the world have to do)
06:07 <@plaisthos> tekk: ask/get invited is probably about the same thing :)
06:07  * tekk is an iOS sofware engineer ex-apple
06:07 < tekk> :o
06:07 < Macer> i just don't get it. i can hit the web ui on the router running ovpn.. can't hit anything else on that network
06:07 < Macer> :/
06:08 < Macer> and the route seems to be there
06:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:08 <@plaisthos> tekk: it is was not that easy for OpenVPN Inc to get acceppted in the VPN program as you make it seem
06:08 < tekk> Macer, did you setup iptables to forward and masqerade
06:08 <@plaisthos> but I am not involved int that
06:08 < tekk> plaisthos, thats unfortunate
06:08 < Macer> http://pastebin.com/1QATGyS8
06:08 < tekk> whoever was responsible must have gone down a bad channel
06:09 <@plaisthos> tekk: but if you are an even smaller company your canches are probably worse
06:10 < Macer> tekk: hm. would i masq the two interfaces?
06:10 < Macer> tun22 and br0?
06:10 < tekk> its not the interface
06:10 < tekk> you masq the ip subnet to an interface
06:12 < Macer> yeah but in the case of the tun
06:12 < Macer> would i masq it onto the other subnet's interface or something?
06:13 < tekk> whats your main interface name on your openvpn host, where it listens
06:13 < Macer> it would be br0 on the router
06:14 < tekk> ah
06:14 < Macer> it is forwarded from the comcast router to the ip on br0
06:14 < tekk> its an OpenWRT router?
06:14 < Macer> tomato
06:14 < Macer> but the router isn't controlling the internet connection
06:14 < Macer> it is simply to have wifi access
06:14 < tekk> isn’t Tomato based on OpenWRT ?
06:14 < Macer> yeah pretty sure it is
06:14 < Macer> or at least incredibly similar
06:15 < tekk> so
06:15 < tekk> i can’t remember the rule to forward trafifc on OpenWRT… on linux you need to enable ipv4 forwarding
06:15 < Macer> iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o br0 -j MASQUERADE
06:16 < tekk> whats your VPN network subnet
06:16 < Macer> but i'm wondering if that's the interface i'm supposed to forward to
06:16 < Macer> the vpn network subnet is 192.168.100.0
06:16 < tekk> 192.168.100.0/24 are your VPN clients?
06:16 < tekk> then thats correct
06:16 < Macer> yes
06:16 < tekk> that iptable should work
06:16 < Macer> ah.. let me try it out
06:16 < tekk> its basically exactly what i use (except the subnet)
06:16 < tekk> i duno if tomato ships with iptables… but its easy to install on OpenWRT based routers if not
06:17 < Macer> oh nice
06:18 < Macer> so now i can see the other stuff on the .1.x subnet
06:18 < Macer> i just hit my freenas box over the vpn
06:18 < Macer> NICE!
06:18 < Macer> it's working :) thanks tekk
06:18 < tekk> :D
06:18 < Macer> feeling kind of retarded considering it was just a masqing issue heh
06:18 < tekk> np
06:19 < Macer> but yeah. i just connected and checked my ip
06:19 < Macer> and it's the wan ip of my home comcast router
06:20 < Macer> let me see where i put this in tomato to make it persist
06:20 <@plaisthos> btw. in the past Tomato managed to somehow patch their OpenSSL/OpenVPN combination in a way that it broke if the client spoke TLS 1.2
06:22 < Macer> hm
06:23 < Macer> can't seem to find anywher ein the ui where it saves iptables rules
06:23 < Macer> ddwrt had a section in the web ui to just add it in
06:23 < tekk> out of interest Macer, if you setup an OpenVPN on an OpenWRT based router (like tomato/dd-wrt) (which i didn’t do in years)… does your entire network sitting behind the router have transparent access to the routes pushed by your VPN ?
06:25 < Macer> i don't understand the question
06:27 < Macer> oh i think i found it.... why would that be under administration? :)
06:28 < Macer> although... now another problem is there is no option to auto start vpn since the only ui option is to start when wan activated
06:28 < Macer> :/
06:33 < Macer> nice.. it all seems to be working :) this is great
06:33 < Macer> glad to find out it is simply an iptables issue with the masqing
06:40 < ACKNAK> guyz guyz, so could anybody help me with MTU? I've lowered MTU globally with "mssfix 1300", but thats not nice =(
06:41 < ACKNAK> does OpenVPN use PMTU discovery?
06:41 < ACKNAK> I see in logs "write UDPv4 [EMSGSIZE Path-MTU=1440]: Message too long (code=97)"
06:45 < Macer> tekk: thanks so much. this is awesome
06:45 < Macer> the real question tho is if i set up a wifi hotspot with the iphone will it route those clients through the vpn as well? :)
06:48 < Macer> tekk: i think i just understood your question
06:48 < Macer> no.. seems like the vpn is one way on the tun subnet
06:48 < Macer> i can't ping the other way to the clients.. but that's not that big of a deal
06:48 < Macer> so long as i can access my home network while i'm away... i don't really see a need to go the other way
06:50 < Macer> ah. and i just noticed that when it's put to sleep the vpn dies on the iphone
06:50 < Macer> i wonder how that works with accessing a mail server while in sleep mode
06:57 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
07:06 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
07:16 -!- Chrisje [Chris@2a02:418:6050:ed15:ed15:ed15:1a27:a32b] has left #openvpn []
07:32 -!- nobody481 [~demigod12@ool-18bc9d5b.dyn.optonline.net] has quit [Ping timeout: 240 seconds]
07:38 -!- rickbol [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has joined #openvpn
07:40 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:42 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:44 -!- tjz [~tjz@unaffiliated/tjz] has joined #openvpn
07:46 -!- lipizzan [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has joined #openvpn
07:54 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
08:03 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
08:08 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
08:08 -!- lipizzan [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has quit [Quit: Leaving]
08:10 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
08:12 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
08:58 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
08:59 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
09:00 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
09:03 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
09:14 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:16 -!- rickbol [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has quit [Quit: Leaving]
09:23 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
09:26 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:26 -!- mode/#openvpn [+v s7r] by ChanServ
09:27 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:32 -!- s7r_x [~s7r@openvpn/user/s7r] has joined #openvpn
09:32 -!- mode/#openvpn [+v s7r_x] by ChanServ
09:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
09:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
09:38 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
09:42 -!- s7r_x is now known as s7r
09:49 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
09:57 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:58 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:07 -!- ACKNAK [~regolith@79.133.97.154] has quit [Ping timeout: 250 seconds]
10:15 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
10:16 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:20 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:21 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
10:22 -!- ShadniX [dagger@p5DDFE3AB.dip0.t-ipconnect.de] has quit [Quit: Bye.]
10:23 < svm_invictvs> Heya
10:24 -!- ShadniX [~ShadniX@p5DDFE3AB.dip0.t-ipconnect.de] has joined #openvpn
10:41 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Quit: Lost terminal]
10:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:58 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Quit: Leaving]
11:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:11 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
11:33 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:35 -!- C0SM0S [~C0SM0S@unaffiliated/c0sm0s] has joined #openvpn
11:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Client Quit]
11:37 < C0SM0S> !goal
11:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:38 < julius_> hi
11:39 < C0SM0S> I would like to access the internet over my vpn.  all connections are successful, i just can't seem to ping anything outside of 11.8.0.0/24
11:39 < julius_> is there a way to route all traffic from the local lan over the vpn server? the lan router is connected to the vpn. just using "redirect gateway def1" works for the router. but lan clients cant connect anymore
11:42 < C0SM0S> i too have the similar problem
11:43 < C0SM0S> but i left in the .. bypass-dhcp"
11:43 < julius_> yeah i was just reading yours after posting, sounds similar
11:43 < C0SM0S> push "redirect-gateway def1 bypass-dhcp"
11:43 < julius_> dont know about the bypass-dhcp, but the rest will put your client in contact over the vpn with the outside
11:44 < C0SM0S> oh realy..
11:44 < C0SM0S> i was under the impression you had to do:
11:44 < julius_> theres just one client in your example?
11:44 < C0SM0S> push "dhcp=option DNS 11.8.0.1"
11:45 < C0SM0S> (i changed mine from 10.8.0.0 to 11.8.0.1
11:45 < julius_> a reachable dns doesnt hurt
11:48 < C0SM0S> i also did
11:49 < C0SM0S> ipatables -t nat -A POSTROUTING -o eth0 -s 11.8.0.0/24 -j MASQUERADE
11:50 < C0SM0S> iptables*
11:52 < C0SM0S> guess i could try taking out that part about bypass-dhcp
11:52 < C0SM0S> since i haven't seen any documentation on that
11:53  * C0SM0S resets openvpn
11:54 < C0SM0S> lol not resets, but restarts
11:54 < C0SM0S> started fine.. time to test
11:55 -!- Megaf_ is now known as Megaf
11:55 < C0SM0S> hmm taking away the bypass-dhcp seems to have made it worse
11:56 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 256 seconds]
12:00 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
12:00 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 250 seconds]
12:05 -!- lipizzan [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has joined #openvpn
12:09 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
12:12 < lipizzan> I've generated ca.crt\key, openvpn-server & client crs\crt\key using easy-rsa PKI tools. Can I re-use the server key for apache2 ssl, or should I generate a separate build-server <srvr-https> set?
12:16 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:16 < julius_> C0SM0S, show how your network is build up, with what ip adresses where and so on...otherwise the guys here can just guess if that iptables command makes sense or not
12:18 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
12:19 < C0SM0S> seems like a very general basic wildcard style iptable
12:19 < C0SM0S> but i will when i get back home from work
12:19 < C0SM0S> need to head back/ lunch break is over
12:19 < C0SM0S> iptable rule
12:20 < C0SM0S> but thanks julius_ . i'll get someting up on paste.ee or similar soon
12:27 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:38 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
12:39 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
12:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:51 -!- Caplain [~shayne@d192-24-5-39.try.wideopenwest.com] has joined #openvpn
12:52 < Caplain> im trying to use 225.2 for my default gw but tracepath keeps showing 225.1 instead
12:52 < Caplain> what do?
12:55 -!- Latrina [~Latrina@adsl-ull-206-185.50-151.net24.it] has joined #openvpn
13:21 <@ecrist> sounds like .2 is passing it to .1
13:30 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
13:30 < Caplain> hmmm....that makes little to no sense
13:30 < Caplain> cause wouldnt i see .2 in the trace?
13:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
13:36 -!- supersafh [~henrik@c-fa86e555.03-99-6c6b7013.cust.bredbandsbolaget.se] has joined #openvpn
13:37 < supersafh> Greetings folks!
13:37 < supersafh> I have a doubious question of sorts.
13:38 < supersafh> I'm not new to openvpn, but I don't do enough work with it on a daily basis to be called anything but a novice.
13:40 < Caplain> supersafh, ...go on?
13:40  * Caplain gets popcorn
13:43 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 240 seconds]
13:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
13:47 < supersafh> Caplain, i'm not even sure this is possible, but my problem is this: I need to create an ethernet bridge running through a VPN p2p setup.
13:47 < Caplain> i just threw up a little
13:48 < supersafh> THat's bad, right? ;-)
13:48 < Caplain> and at total loss
13:48 < Caplain> ask in #networking
13:48 < Caplain> :)
13:48 < Caplain> that's terrible
13:48 < Caplain> why, pray tell?
13:50 < supersafh> I am short of one 802.11 accesspoint, but I have a system in my primary location connected to one of my accesspoints in my secondary location.
13:50 < Caplain> yeah you lost me
13:50 < Caplain> ive been trying to use a client as a nat router for smtp all day to no avail
13:51 < supersafh> Problem: The accesspoint will not relay any traffic to any other host connected to the system mentioned above (two nics are bridged on the system). THis is by design of the 802.11 specs.
13:51 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: plop]
13:52 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
13:52 < supersafh> The only way would be to bridge the system with the accesspoint, but alas, it doesn't work because of the driver on the system.
13:52 < supersafh> Caplain, With me so far?
13:53 < supersafh> That is an 802.11 bridge between the system abd the accesspoint.
13:53 -!- Scramblejams [~Scramblej@ip72-197-214-43.sd.sd.cox.net] has joined #openvpn
13:53 < Caplain> accesspoint?
13:53 < supersafh> Not thernet bridge. :-)
13:53 < Caplain> like wifi?
13:53 < supersafh> Yep.
13:53 < Caplain> diagram?
13:54 < Scramblejams> Hi all. I've got an openvpn server that's working great, with one exception. I'm trying to push a DNS server change to the client with push "dhcp-option DNS 8.8.8.8". The DNS address on the client _does_ change, but not to 8.8.8.8. It changes to 127.0.0.1. Any idea why?
13:54 < Caplain> can you do dhcp option pushing like that?
13:55 < Scramblejams> I thought so? :-)
13:55 < supersafh> network-segement<->nic1-ethernet-bridge-wlan1<->accesspoint.
13:56 < supersafh> capalin, network-segement1<->nic1-ethernet-bridge-wlan1<->accesspoint-network-segement2
13:58 < Scramblejams> Oh I might be missing up and down commands to do the update, I'll try adding those.
13:58 < Scramblejams> Nope, I've already got them in place.
13:58 < supersafh> Caplain, I want: network-segment1<->nic1-ethernet-bridge-tap1-vpn-tap2-ethernet-bridge-nic2<->network-segement2
13:59 < supersafh> That wasy I'd hope to sneak by the ethernet packets under the radar of the accesspoint.
13:59 < Caplain> i am so confused righ tnow
14:00 < Caplain> supersafh, sorry, i just got 3 computers thrown at me to fix
14:00 < supersafh> Caplain, No worries. I'll figure it out. Thx anyways! :-D
14:02 < Caplain> sorry
14:02 -!- u0m3 [~u0m3@92.80.113.123] has quit [Ping timeout: 240 seconds]
14:02 < supersafh> Don't be. you can help me some other time. ;-)
14:02 < supersafh> You can't imagine how much trouble I keep running into!
14:04 <@ecrist> supersafh: wtf are you trying to do?
14:11 < supersafh> ecrist, I'm trying to tie two network segements together at the ethernet level over a vpn. :-)
14:13 < supersafh> I have done it before, but not like this. The vpn endpoints are connected to the same network segments, but I have other systems on either side that can't talk to each other due to 802.11 (wifi) related issues.
14:17 <@ecrist> !diagram
14:17 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
14:17 < supersafh> More specifically, one of the endpoints is connected to a wifi accesspoint, the ethernet bridge between of of the ethernet adapters and the wifi-adapter don't do me any good. I need to bridge the ethernet-adapter with a tap-device which is used as a vpn to one of the systems connected to the ethernet adapter of the accesspoint.
14:18 < supersafh> vpnHelper, I was just installing dia to prepare a diagram. :-D
14:22 -!- u0m3 [~u0m3@92.80.113.123] has joined #openvpn
14:33 -!- mattock is now known as mattock_afk
14:48 -!- Scramblejams [~Scramblej@ip72-197-214-43.sd.sd.cox.net] has quit [Quit: leaving]
15:01 < Caplain> http://pastebin.com/SFaSstJX pripyat has an external ip i want to use for smtp to lexic but afaik i need pripyat to be set as lexic's default gateway. what do?
15:13 -!- Chiftin [~Chiftin@host86-177-226-211.range86-177.btcentralplus.com] has joined #openvpn
15:17 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
15:18 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:22 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
15:23 -!- Eagleman7 [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
15:28 -!- Eagleman7 is now known as Eagleman
15:32 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
15:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:03 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:25 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
16:30 -!- u0m3 [~u0m3@92.80.113.123] has quit [Ping timeout: 240 seconds]
16:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:42 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 255 seconds]
16:43 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
16:46 -!- Images [~Images@209.120.172.142] has joined #openvpn
16:47 < Images> Hello, on OSX, I am trying to connect with openvpn 2.3.4 as a client to my server. I get a device named "utun0", and for some reason, my DNS server information pushed from the server is not used. However, when I use tunnelblick with the very same config, I get "tun0" and everything works as expected. Is there some bug I don't know about with the openvpn command line?
16:48 < Images> for the record, "utun0" looks the same as "tun0", however I've never seen "utun0" anywhere else
16:48 < Images> !welcome
16:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:50 -!- lipizzan [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has quit [Ping timeout: 255 seconds]
16:55 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
17:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
17:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:08 -!- justinzane [~justinzan@24.49.207.203] has quit []
17:17 -!- C0SM0S [~C0SM0S@unaffiliated/c0sm0s] has quit [Ping timeout: 240 seconds]
17:18 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
17:21 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:35 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
17:37 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
17:41 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
17:48 -!- u0m3 [~u0m3@92.80.113.123] has joined #openvpn
18:02 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
18:14 -!- Chiftin [~Chiftin@host86-177-226-211.range86-177.btcentralplus.com] has quit [Read error: Connection reset by peer]
18:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
18:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:46 -!- Macer [macer@lasziv.reprehensible.net] has left #openvpn []
19:12 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:13 -!- mode/#openvpn [+v s7r] by ChanServ
19:22 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 264 seconds]
19:36 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Ping timeout: 256 seconds]
19:43 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
19:44 -!- u0m3 [~u0m3@92.80.113.123] has quit [Read error: Connection reset by peer]
19:45 -!- u0m3 [~u0m3@92.80.113.123] has joined #openvpn
19:54 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:06 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:23 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
20:29 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
20:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
20:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:46 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
22:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
22:17 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Ping timeout: 250 seconds]
22:25 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
22:29 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
22:34 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Ping timeout: 240 seconds]
22:44 -!- Pyrogerg [~Gregory@mobile-166-147-078-231.mycingular.net] has joined #openvpn
22:47 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
23:15 -!- Pyrogerg [~Gregory@mobile-166-147-078-231.mycingular.net] has quit [Read error: Connection reset by peer]
23:20 -!- ShadniX [~ShadniX@p5DDFE3AB.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:21 -!- ShadniX [dagger@p5DDFEA61.dip0.t-ipconnect.de] has joined #openvpn
23:23 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 256 seconds]
23:33 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:43 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:53 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
--- Day changed Thu Jul 24 2014
00:28 -!- milligan [~milligan@2001:16d8:ee92:9afa:47d0:3070:4883:d95e] has quit [Ping timeout: 240 seconds]
00:40 -!- akp [~akp@c-50-169-193-161.hsd1.ma.comcast.net] has quit [Ping timeout: 264 seconds]
00:56 -!- mattock_afk is now known as mattock
01:03 -!- akp [~akp@c-50-169-193-161.hsd1.ma.comcast.net] has joined #openvpn
01:22 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:33 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
01:57 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
02:07 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:27 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
02:27 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:34 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
02:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
02:58 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
03:03 -!- defswork [~andy@141.0.50.98] has quit [Read error: Connection reset by peer]
03:10 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:18 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 260 seconds]
03:20 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
03:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:22 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 245 seconds]
03:23 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:25 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
03:28 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
03:46 -!- mirco [~mirco@88.153.222.56] has joined #openvpn
03:49 -!- defswork [~andy@141.0.50.98] has joined #openvpn
04:04 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
04:05 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
04:25 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:29 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
04:56 -!- dazo_afk is now known as dazo
05:23 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:28 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
05:30 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
06:05 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:29 -!- mirco [~mirco@88.153.222.56] has quit [Quit: mirco]
06:29 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
06:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:46 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:00 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
07:06 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
07:21 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
07:23 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
07:29 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
08:05 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Read error: Connection reset by peer]
08:06 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
08:17 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:30 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:15 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
09:22 -!- unixoid [unixoid@nat/redhat/x-prfhjmdhdooippbx] has left #openvpn []
09:28 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:38 -!- mirco_ [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
09:40 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
09:40 -!- mirco_ is now known as mirco
09:55 -!- Pyrogerg_ [~Gregory@192.67.133.200] has joined #openvpn
09:55 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Read error: Connection reset by peer]
09:59 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:05 -!- u0m3 [~u0m3@92.80.113.123] has quit [Read error: Connection reset by peer]
10:05 -!- u0m3 [~u0m3@92.80.113.123] has joined #openvpn
10:19 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
10:20 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
10:21 -!- jonascj_ [~jonas@0x3e2c877f.mobile.telia.dk] has joined #openvpn
10:21 < jonascj_> Hi all. Will I be able to run an openvpn server behind nat using a portforward of port 1194?
10:26 -!- jonascj_ [~jonas@0x3e2c877f.mobile.telia.dk] has quit [Read error: Connection reset by peer]
10:29 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 260 seconds]
10:31 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
10:50 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
10:51 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
10:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:00 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:01 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
11:09 -!- Flash_G0rd0n [~Flash_G0r@92.55.117.197] has joined #openvpn
11:17 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 245 seconds]
11:19 -!- jonascj [~jonas@0x3e2c877f.mobile.telia.dk] has joined #openvpn
11:20 -!- jonascj [~jonas@0x3e2c877f.mobile.telia.dk] has quit [Read error: Connection reset by peer]
11:22 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has joined #openvpn
11:25 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
11:29 <+s7r> jonascj yes
11:43 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:51 -!- ericluwolf [~elujan@24.234.117.54] has joined #openvpn
11:53 < ericluwolf> Just setup an OpenVPN server on WS2K3, starts, creates a TAP NIC, and clients, even from outside of the network can join. But they can't ping even the server VPN gateway (10.8.0.1) [destination host unreachable].
11:55 < ericluwolf> A static route has been set up on the LAN gateway to which the server is connected (192.168.10.1), which routes everything on 10.8.0.0/24 to the server on the lan 192.168.10.14.
11:56 < ericluwolf> !Welcome
11:56 <@vpnHelper> "Welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:57 < ericluwolf> !redirect
11:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:58 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
12:03 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:04 < eristisk> I am on a new ISP now, and when I connect to my usual VPN using openvpn, they seem to be able to block non-Torified DNS requests
12:06 < eristisk> Ah nevermind, I had to edit my resolv.conf to use Google's DNS servers
12:06 < eristisk> Not specifically an OpenVPN issue it seems
12:07 -!- ericluwolf [~elujan@24.234.117.54] has left #openvpn ["WeeChat 0.4.3"]
12:08 -!- Chiftin [~Chiftin@host86-180-110-27.range86-180.btcentralplus.com] has joined #openvpn
12:16 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 255 seconds]
12:20 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has quit [Quit: This computer has gone to sleep]
12:26 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Ping timeout: 256 seconds]
12:27 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
12:30 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
12:31 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
12:36 -!- abbe is now known as anyone
12:36 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
12:36 -!- anyone is now known as abbe
12:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:38 -!- mode/#openvpn [+v s7r] by ChanServ
12:44 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
12:49 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
12:50 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
12:56 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:03 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
13:03 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
13:07 -!- eagles0513875 [eagles0513@gateway/shell/trekweb.org/x-vhzwycwjatohlszr] has joined #openvpn
13:07 < eagles0513875> hey guys has anyone setup openvpn as a vpn tunnel on gentoo?
13:09 -!- Chiftin [~Chiftin@host86-180-110-27.range86-180.btcentralplus.com] has quit [Read error: Connection reset by peer]
13:17 -!- Chiftin [~Chiftin@host86-180-110-27.range86-180.btcentralplus.com] has joined #openvpn
13:24 -!- Flash_G0rd0n [~Flash_G0r@92.55.117.197] has quit [Quit: Leaving]
13:24 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
13:25 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has joined #openvpn
13:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
13:32 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has quit [Quit: This computer has gone to sleep]
13:34 -!- mirco_ [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
13:36 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Ping timeout: 245 seconds]
13:36 -!- mirco_ is now known as mirco
13:40 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
13:45 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
14:01 -!- jonascj [~jonas@194-239-236-18-hotspot.dk.customer.tdc.net] has joined #openvpn
14:02 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
14:06 -!- mirco_ [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
14:08 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Ping timeout: 245 seconds]
14:10 -!- mirco_ is now known as mirco
14:17 <@dazo> eagles0513875: many years ago ...  afair, it was basically just to put the config file into /etc/openvpn ... and then start the openvpn service via the init.d script
14:23 -!- Chiftin [~Chiftin@host86-180-110-27.range86-180.btcentralplus.com] has quit [Ping timeout: 240 seconds]
14:33 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
14:33 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has joined #openvpn
14:35 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
14:37 -!- mirco [~mirco@ip-88-153-222-56.hsi04.unitymediagroup.de] has quit [Client Quit]
14:47 -!- corretico [~luis@200.46.160.66] has joined #openvpn
14:57 -!- corretico [~luis@200.46.160.66] has quit [Quit: Leaving]
15:04 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
15:10 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has joined #openvpn
15:11 -!- mattock is now known as mattock_afk
15:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:19 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has quit [Quit: This computer has gone to sleep]
15:24 -!- Talena [~Talena@188.226.226.225] has joined #openvpn
15:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:26 -!- deeville [~deeville@38.117.108.108] has quit [Quit: Leaving]
15:28 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
15:34 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:40 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:43 -!- Pyrogerg_ [~Gregory@192.67.133.200] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:06 -!- jonascj [~jonas@194-239-236-18-hotspot.dk.customer.tdc.net] has quit [Ping timeout: 245 seconds]
16:22 -!- pkr [~Adium@79.97.126.58] has joined #openvpn
16:53 -!- dazo is now known as dazo_afk
16:58 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
17:01 -!- fred`` [fred@earthli.ng] has quit [Quit: +++ATH0]
17:03 -!- pkr [~Adium@79.97.126.58] has quit [Quit: Leaving.]
17:07 -!- julius_ [~julius_@141.41.92.61] has left #openvpn ["Verlassend"]
17:11 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
17:11 < cesurasean> is it possible to connect one openvpn server to another, so its PC >> openvpn server >> openvpn server?
17:12 < cesurasean> and show's the final openvpn server's ip address?
17:15 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:19 -!- fred`` [fred@earthli.ng] has joined #openvpn
17:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
17:25 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
17:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:26 <+s7r> cesurasean that implies a lot of iptables rules and configurations
18:02 -!- p3rror [~mezgani@41.248.120.79] has joined #openvpn
18:06 -!- Talena [~Talena@188.226.226.225] has quit [Ping timeout: 256 seconds]
18:14 -!- Denial [~Denial@host86-162-217-216.range86-162.btcentralplus.com] has quit [Ping timeout: 240 seconds]
18:17 -!- Denial [~Denial@host86-134-252-18.range86-134.btcentralplus.com] has joined #openvpn
18:22 -!- p3rror [~mezgani@41.248.120.79] has quit [Quit: Leaving]
18:27 -!- Kyron__ [~Kyron@cpc65428-new25-2-0-cust54.5-1.cable.virginm.net] has joined #openvpn
18:40 < Kyron__> Hey guys, I'm trying to bind to a local port, but I can't seem to connect. I've tried both Windows and Debain, but no luck. Here's my config.ovpn - http://pastebin.com/UqRePjfy And the Windows Output - http://pastebin.com/mJGWj3EJ
18:48 < Kyron__> Any ideas?
18:51 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:09 -!- u0m3 [~u0m3@92.80.113.123] has quit [Read error: Connection reset by peer]
19:11 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
19:17 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
19:23 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
19:23 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
19:30 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
19:34 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
19:40 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
19:43 < Kyron__> Is there anyone active here?... o:
19:44 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
19:46 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 240 seconds]
19:50 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
19:52 -!- u0m3 [~u0m3@92.80.113.123] has joined #openvpn
19:54 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
19:54 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
20:00 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
20:07 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
20:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
20:14 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
20:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:09 -!- Brandan [~Brandan@static-50-53-23-176.bvtn.or.frontiernet.net] has joined #openvpn
21:10 < Brandan> Whenever I try easy-rsa (on windows) and I use build-ca I get this error WARNING: can't open config file: z:/strawberry_libs/build/_2013Q3__/ssl/openssl.cnf.
21:10 < Brandan> I dont have a Z:\ drive.
21:35 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
21:36 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
21:45 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 250 seconds]
21:51 < sl01> how close to being available for testing is the option negotiation stuff?  like negotiating ciphers and digests
22:04 -!- Brandan [~Brandan@static-50-53-23-176.bvtn.or.frontiernet.net] has quit [Ping timeout: 250 seconds]
22:17 -!- Pyrogerg [~Gregory@mobile-166-147-078-231.mycingular.net] has joined #openvpn
22:35 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:52 -!- Kyron__ [~Kyron@cpc65428-new25-2-0-cust54.5-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
23:18 -!- ShadniX [dagger@p5DDFEA61.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:18 -!- ShadniX [dagger@p5DDFEABA.dip0.t-ipconnect.de] has joined #openvpn
23:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
--- Day changed Fri Jul 25 2014
00:05 -!- Latrina [~Latrina@adsl-ull-206-185.50-151.net24.it] has quit [Ping timeout: 240 seconds]
00:09 -!- Latrina [~Latrina@adsl-ull-171-217.50-151.net24.it] has joined #openvpn
00:10 -!- Pyrogerg [~Gregory@mobile-166-147-078-231.mycingular.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:15 -!- mattock_afk is now known as mattock
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:30 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:32 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has joined #openvpn
02:16 -!- Latrina [~Latrina@adsl-ull-171-217.50-151.net24.it] has quit [Ping timeout: 240 seconds]
02:18 -!- Latrina [~Latrina@adsl-ull-216-244.45-151.net24.it] has joined #openvpn
02:35 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]
02:41 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
02:47 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
04:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:23 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 264 seconds]
04:24 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
04:48 -!- mirco [~mirco@95.223.17.51] has joined #openvpn
04:50 -!- matt_ [~matt@ccpc-mwr.bath.ac.uk] has joined #openvpn
05:05 -!- larryone [~larryone@119.30.39.120] has joined #openvpn
05:17 -!- dazo_afk is now known as dazo
05:19 -!- larryone [~larryone@119.30.39.120] has quit [Ping timeout: 260 seconds]
05:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:26 -!- larryone [~larryone@119.30.38.7] has joined #openvpn
05:29 -!- mirco_ [~mirco@95.223.17.51] has joined #openvpn
05:29 -!- mirco [~mirco@95.223.17.51] has quit [Ping timeout: 260 seconds]
05:29 -!- mirco_ is now known as mirco
05:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
05:40 -!- s7r_i [~s7r@openvpn/user/s7r] has joined #openvpn
05:40 -!- mode/#openvpn [+v s7r_i] by ChanServ
05:40 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
05:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:43 -!- s7r_i_p [~s7r@openvpn/user/s7r] has joined #openvpn
05:44 -!- mode/#openvpn [+v s7r_i_p] by ChanServ
05:45 -!- s7r_i [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
05:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
05:51 -!- eike|52n [~eike@80.156.182.234] has joined #openvpn
06:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:28 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:29 -!- larryone [~larryone@119.30.38.7] has quit [Ping timeout: 256 seconds]
06:29 -!- mirco_ [~mirco@95.223.17.51] has joined #openvpn
06:31 -!- mirco [~mirco@95.223.17.51] has quit [Ping timeout: 240 seconds]
06:31 -!- mirco_ is now known as mirco
07:04 -!- BenLue [~BenLue@unaffiliated/benlue] has joined #openvpn
07:06 < BenLue> Hi ppls! Any Question, OpenVPN is working fine i can ping all my openvpn devices now Windows Network Sharing isnt working! I need Samba?
07:41 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:43 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:03 -!- lipizzan [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has joined #openvpn
08:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
09:00 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:02 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
09:03 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:06 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
09:13 < BenLue> no one there?
09:13 < BenLue> \\10.8.0.6\share isnt working :(
09:19 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Remote host closed the connection]
09:19 <@ecrist> BenLue: your problem isn't really openvpn
09:19 <@ecrist> it's windows hsharing
09:19 <@ecrist> if the vpn is up
09:20 < BenLue> vpn is up. hsharing? I need Samba on both vpn clients?
09:24 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
09:24 -!- mode/#openvpn [+v RBecker] by ChanServ
09:30 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:31 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Read error: Connection reset by peer]
09:32 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
09:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:35 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
09:38 < svg> Hi, anyone aware of some script that integrates on ubuntu 'desktop' (as a client) with regards to updating dns info? the standard script (at least what debian/ubuntu installs as /etc/openvpn/update-resolv-conf) doesn't play well on ubuntu that has network manager integrate with dnsmasq
09:39 < svg> (that is, I don't use network manager, and was trhinking of writing/using a script that pushes dns info to dnsmasq through dbus)
09:42 <@ecrist> BenLue: typo on my part, sharing.  your file sharing problems should be addressed in another channel.
09:43 < BenLue> ok
09:43 < BenLue> thx for info
09:49 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
09:51 <@ecrist> svg: I'm not aware of anything
09:53 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Read error: Connection reset by peer]
09:53 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
09:56 -!- eike|52n [~eike@80.156.182.234] has quit [Quit: Verlassend]
09:56 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Read error: Connection reset by peer]
09:58 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
10:04 -!- s7r_i_p is now known as s7r
10:09 -!- mirco [~mirco@95.223.17.51] has quit [Ping timeout: 260 seconds]
10:09 -!- mirco [~mirco@ip-95-223-17-51.hsi16.unitymediagroup.de] has joined #openvpn
10:10 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:23 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
10:34 -!- tobybl [~toby@cpat001.wlan.net.ed.ac.uk] has joined #openvpn
10:34 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:36 < tobybl> Hello, I'm having trouble with the syntax for providing tls-auth for an openvpn connect unified profile for ios...
10:36 < tobybl> Reading the docs, suggests it should be:
10:36 < tobybl> <tls-auth>
10:36 < tobybl> -----BEGIN OpenVPN Static key V1-----
10:36 < tobybl> keyhere.....
10:36 < tobybl> -----END OpenVPN Static key V1-----
10:36 < tobybl> </tls-auth>
10:36 < tobybl> .... but this gives me parse_hex_error on importing profile on ios
10:36 < BenLue> ouch
10:37 < BenLue> Pastebin tobybl?
10:38 < tobybl> thanks for replying - what details do you need in pastebin?
10:45 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
10:46 < dtrainor_> 'morning.  I'm trying to use 'redirect-gateway dev1' on my client (as I understand it's a client-side option) but I don't see it taking effect.  I see nothing in the debug logs nor do I see it in my routing table.
10:46 < dtrainor_> I'm on a vendor wireless which is my gateway to the outside, so I figured using the 'def1' specification would work
10:48 < Eugene> 1) it's def1, not dev1
10:48 < Eugene> 2) did you restart your client?
10:49 < dtrainor_> right, typo, sorry.  been using 'def1'.  and.  yes.  several times.
10:54 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 272 seconds]
10:55 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
10:55 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Ping timeout: 260 seconds]
10:55 < BenLue> ecrist is this not an OpenVPN Problem? I have not an bridged vpn
10:55 < dtrainor_> bah.  wireless ate me.  sorry about that
10:58 -!- pseudo [~pseudo@65.204.49.74] has joined #openvpn
10:58 < dtrainor_> Anyway, I don't see 'def1' working.  I have an interesting setup where I need to connect to wireless, use that as the *default* route, connect to wired, make three routes for that (I've got these two pieces covered) and route everything else through my vpn.
10:58 < tobybl> what format does contents of -----BEGIN OpenVPN Static key V1----- block need to be?
10:58 < dtrainor_> x509?
10:59 -!- mirco [~mirco@ip-95-223-17-51.hsi16.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
10:59 < tobybl> non-unified file is just 40 or so chars of text
10:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:59 < tobybl> i tried base64-ing it but still parse_hex_error
10:59 -!- mirco [~mirco@ip-95-223-17-51.hsi16.unitymediagroup.de] has joined #openvpn
11:00 < pseudo> i am trying to setup openvpn to allow roadwarrior access. i have 2 NICS on my server, a public ip and a private ip. i want to give users access to the private subnet. in server.conf i have my public ip set in "local" and my private subnet/ip set in "server-bridge". this same setup works for a server behind a nat witht he same ip in local and server-bridge. what do i need to do differently to allow this setup?
11:01 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
11:02 < pseudo> connection succeeds, but i cannot ping the private ip of my server or anything else on the private subnet
11:07 -!- Anodl [~Anodl@p5DC5AA04.dip0.t-ipconnect.de] has joined #openvpn
11:09 < dtrainor_> I'm not crazy, am I?  The manual says that redirect-gateway is a client-side config?
11:09 <@dazo> dtrainor_: that's correct
11:09 <@dazo> pseudo: sounds like firewalling on your server side
11:09 < dtrainor_> thanks.   saw some posts where people were saying, add it to the server side
11:10 <@dazo> dtrainor_: most likely they meant to "push" it to clients from server side
11:10 <@dazo> otherwise, it's plain wrong
11:10 < dtrainor_> oooh.  got it.  didn't know you could do that.
11:11 < pseudo> dazo: the connection succeeds, it's just routing that is messed up
11:11 <@dazo> pseudo: can you ping the server side VPN IP?
11:11 <@dazo> pseudo: but you use bridging?
11:11 < dtrainor_> so 0.0.0.0/1 takes care of the first half of the internet, and 128.0.0.0/1 takes care of the second half, right?
11:12 <@dazo> dtrainor_: that's right
11:12 < pseudo> dazo: i can connect, but cannot ping the server side vpn ip.
11:12 <@dazo> $ ipcalc -bnm 0.0.0.0/1
11:12 <@dazo> NETMASK=128.0.0.0
11:12 <@dazo> BROADCAST=127.255.255.255
11:12 <@dazo> NETWORK=0.0.0.0
11:13 <@dazo> pseudo: then it *IS* your firewall, can be on both client and server side
11:13 <@dazo> pseudo: but do you use bridging?
11:13 < pseudo> dazo: yes, i am using bridging
11:13 <@dazo> pseudo: before I continue to help you ... I must know *why* you want to use bridging ... so why?
11:14 < pseudo> nevermind, i dont need YOUR help
11:14 -!- pseudo was kicked from #openvpn by dazo [and then we don't need you]
11:16 < dtrainor_> d'oh
11:17 < dtrainor_> have you ever heard of def1 not working?  nothing in the logs, even on 'verb 10'
11:17 <@dazo> no, not really
11:17 < dtrainor_> weird.
11:17 <@dazo> have you tried tcpdump?
11:17 <@dazo> to see where the traffic goes?
11:18 < dtrainor_> i have not, no.  haven't needed to go there yet since i saw no updates in my routing table.
11:18 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:18 <@dazo> ahh, right ... --redirect-gateway does two things ... first it adds a direct route to the remote, via your LAN gateway
11:19 < dtrainor_> right
11:19 <@dazo> and then it adds either a single route (if def1 was not provided) which, removes the old default gateway
11:19 <@dazo> the new one goes via the tunnel
11:19 <@dazo> *or* if def1 was given, it adds two routes, which preserves the old default gateway
11:20 <@dazo> so if you don't see these changes in the routing table ... is openvpn running with the right privileges?
11:20 < dtrainor_> understood - i was clarifying those two routes earlier
11:20 < dtrainor_> I'm running it as root
11:20 <@dazo> which distro?
11:20 < dtrainor_> even if I wasn't, openvpn complains about writing a pid first
11:21 < dtrainor_> f20 client, rhel6 server
11:21 <@dazo> ahh, okay
11:21 <@dazo> just a sanity check first ... grep denied /var/log/audit/audit.log
11:21 <@dazo> see if SELinux is blocking something for you
11:22 <@dazo> (it's a while since I ran F20, I went back to F19)
11:23 < dtrainor_> can't blame ya
11:23 < dtrainor_> no denials related to that
11:23 <@dazo> goodie
11:24 <@dazo> if you can pastebin a log file with --verb 4 (anything higher is a bit too verbose) ... and I'll have a look
11:24 < dtrainor_> wait.
11:24 <@dazo> sure :)
11:24 < dtrainor_> so i'm using a tap0, can i set routes using that?
11:25 <@dazo> oh yeah, that's no prob
11:25 < dtrainor_> cool
11:25 < dtrainor_> give me a few
11:25 <@dazo> in fact tap devices are the closest you'll get to a pure NIC device ... the only missing part is the physical hardware
11:25 < dtrainor_> right, i wanted that for a bridged network
11:26 <@dazo> (tap is on osi layer 2 - ethernet frames, while tun is on osi layer 3, only transporting IP packets)
11:26 < dtrainor_> back in the day i was experimenting with pxe and dhcp over the vpn
11:26 < dtrainor_> i know :)
11:26 < dtrainor_> thanks though
11:26 <@dazo> :)
11:26 -!- mirco [~mirco@ip-95-223-17-51.hsi16.unitymediagroup.de] has quit [Ping timeout: 260 seconds]
11:26 < dtrainor_> ok, let me get that log.  i'm going to need to drop first.
11:26 <@dazo> oh dear ... pxe + dhcp over vpn ... that must have been painful :)
11:26 <@dazo> sure
11:26 < dtrainor_> haha.  i do a lot lot LOT of "remote" things in my lab, off my laptop, and I have a satellite server at home
11:27 < dtrainor_> give me a min to pull a verbose log, i'm going to have to drop
11:27 <@dazo> I'll wait :)
11:27 < dtrainor_> cool thank you
11:27 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Quit: Leaving]
11:28 -!- Anodl [~Anodl@p5DC5AA04.dip0.t-ipconnect.de] has left #openvpn []
11:36 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
11:36 < dtrainor_> ok.
11:38 < dtrainor_> may I /notice you the url?
11:38 <@dazo> sure
11:41 <@dazo> dtrainor_: you go via an http proxy?
11:42 < dtrainor_> i do
11:42 <@dazo> maybe you need an explicit route, so that the proxy IP doesn't try to go via the tunnel
11:43 < dtrainor_> i think i still need to go through the tunnel regardless
11:43 < dtrainor_> explicit route, in my openvpn config?
11:44 < dtrainor_> Once the connection is there from me to the vpn endpoint, I can use that for a gateway any time any where and not worry about the proxy any more right
11:44 <@dazo> because if openvpn are requested to connect to the server via an http proxy ... it can't push that traffic via the tunnel
11:44 < dtrainor_> sure it can, i'm using it right now.  I added a route for this freenode server when i just connected
11:44 <@dazo> (I might overlook some details, that openvpn already accounts for this and does the right thing)
11:44 <@dazo> ahh, okay
11:45 <@dazo> the log is very verbose .... so it takes time to "filter out" what I don't need to care for
11:46 < tobybl> does anyone know if it's possible to use a freeform passphrase for tls-auth when including it inline for openvpn connect.  it doesn't seem to work.
11:46 < dtrainor_> it is haha
11:47 <@dazo> tobybl: in the config file, you can use tls-auth [inline] {1|0} ... and then have <tls-auth>{content of tls-auth file}</tls-auth>
11:48 < tobybl> ah, but i need the tls-auth [inline] bit?
11:48 <@dazo> yeah, otherwise it won't know which bit to use
11:48 < tobybl> ok, i'll try that, thanks
11:48 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
11:48 <@dazo> yw!
11:49 <@dazo> doh!
11:49 <@dazo> dtrainor_: Fri Jul 25 09:28:41 2014 us=540000   route_noexec = ENABLED
11:49 <@dazo> dtrainor_: you tell openvpn to not setup any routes at all!
11:49 <@dazo> (remote --route-noexec ... and it'll probably work)
11:50 < BenLue> I have 3 different locations in my VPN Network (Network A - Internet - VPN Server - Internet - Network B) Wich Config mode i must use?
11:50 < BenLue> br tap?
11:50 <@dazo> !bridging
11:50 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
11:51 < dtrainor_> what??
11:51 < dtrainor_> let me look...
11:51 <@dazo> BenLue: avoid bridging as long as you can ... bridging is for the hard core network gurus
11:51 < dtrainor_> are you effing kidding me
11:52 <@dazo> and bridging is really not needed in most of the setups
11:52 < dtrainor_> by "remote" you mean "remove", right? :)
11:52 < BenLue> atm i have an Active conection with my both site but i cant connect the other Network
11:52 <@dazo> dtrainor_: of course, remove!
11:52 < BenLue> Ping is working
11:52 < dtrainor_> bah!
11:52 < dtrainor_> ok working on something right now, i'll try it in a minute
11:52 <@dazo> :)
11:52 < tobybl> dazo: openvpn connect doesn't like tls-auth [inline] syntax
11:53 <@dazo> BenLue: okay, just so I understand your !goal ... so what you want is to have a VPN server somewhere on the net.  And then two VPN clients, and let the network behind each of the client access the network on the other client
11:53 <@dazo> BenLue: is that right?
11:54 < tobybl> complains about "Missing/bad file: [inline] :  cannot open /var/mobile/Applications/2B2....."
11:54 <@dazo> tobybl: uhh ... I dunno much about the openvpn connect client .... try asking in #openvpn-as ... as that's a closed source product which we don't know too much about here
11:54 < tobybl> ok, thanks
11:54 <@dazo> tobybl: or tru "OpenVPN for Android" ... that's supported here :)
11:54 < BenLue> Network 192.168.1.0/24 and 192.168.2.0/24 have different locations jeah
11:55 <@dazo> so that's the networks behind each VPN client, right?
11:55 < BenLue> yes
11:55 <@dazo> good
11:55 < tobybl> ha, would love too do that, but don't get to choose what clients we support unfortunately
11:55 < tobybl> thanks for your time
11:55 <@dazo> tobybl: :(
11:55 <@dazo> tobybl: sorry I couldn't help you further!
11:55 < tobybl> no probs
11:56 < tobybl> i think it would work if we switch to a proper key generated with --genkey --secret as client doesn't complain about that.
11:56 <@dazo> BenLue: okay ... so then you need basically to declare a VPN subnet .... most examples in howtos and so on, we use 10.8.0.0/24
11:56 < tobybl> (but obviously doesn't work)
11:56 < BenLue> correct
11:56 <@dazo> The rest is plain routing then :)
11:56  * dazo finds a pointer
11:57 < BenLue> i have add static routes on both sites
11:57 < BenLue> i  can ping from both sites all clients!
11:57 <@dazo> BenLue: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting ... so basically, it is pretty much close to this, but you have a twist in your case ... however, have a careful look at the ip_forward stuff and iptables first
11:57 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:58 <@dazo> BenLue: perfect!  That is a very good starting point
11:58 <@dazo> then you most likely needs a few extra routes on the VPN server and on the client sides
12:00 <@dazo> So if your servers VPN IP address is 10.8.0.1 .... on the VPN client on 192.168.1.0/24, you need to add 'route 192.168.2.0 255.255.255.0 10.8.0.1'
12:00 <@dazo> And on the VPN client on 192.168.2.0/24 ... you need to add 'route 192.168.1.0 255.255.255.0 10.8.0.1'
12:01 -!- tobybl [~toby@cpat001.wlan.net.ed.ac.uk] has quit [Quit: tobybl]
12:01 <@dazo> In addition, on the VPN server ... you need to add 'iroute 192.168.1.0 255.255.255.0' and 'iroute 192.168.2.0 255.255.255.0'
12:01 <@dazo> you may also want --client-to-client in the server config too
12:02 < BenLue> --client-to-client is active atm
12:02 <@dazo> (this is basically the theory ... but we all know that theory and reality always have some quirks ;-))
12:02 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 250 seconds]
12:04 < dtrainor_> dazo, gonna try removing route-noexec
12:04 < dtrainor_> back in a few
12:05 <@dazo> cooL!
12:06 < BenLue> dazo i must add 'route 192.168.2.0 255.255.255.0 10.8.0.1' in my Client conf or set it in my Router as Static route?
12:06 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Quit: Leaving]
12:07 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
12:07 < dtrainor_> 128.0.0.0       10.16.0.200     128.0.0.0       UG    0      0        0 tap0
12:07 < dtrainor_> 0.0.0.0         10.16.0.200     128.0.0.0       UG    0      0        0 tap0
12:07 < dtrainor_> traceroute confirms
12:09 <@dazo> BenLue: you can add that line in your client configs ... then these routes will only be added when you have the openvpn connection running
12:09 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds]
12:09 <@dazo> (which is useful, as the 10.8.0.0/24 subnet will only be available when the VPN is running)
12:13 -!- pkr [~Adium@79.97.126.58] has joined #openvpn
12:14 < BenLue> dazo when i add iroute 192.168.1.0 255.255.255.0 and iroute 192.168.2.0 255.255.255.0 will not restart :(
12:14 <@dazo> BenLue: What does the log file say?  (verb 4, please)
12:15 <@dazo> dtrainor_: that really looks good! :)
12:16 < BenLue> http://paste.debian.net/111653/
12:17 < BenLue> ahh sory
12:17 < BenLue> verb 4: http://paste.debian.net/111655/
12:18 <@dazo> BenLue: the complete log file, from openvpn starts, please
12:18 <@dazo> ahh
12:18 <@dazo> iroute must be used inside --client-config-dir configs
12:19 < BenLue> ahhh okay thats new for me, i have never working with  --client-config-dir
12:19 < dtrainor_> dazo, thank you very much for the help
12:20 <@dazo> dtrainor_: you're welcome!
12:20 <@dazo> BenLue: --client-config-dir must point to a directory ... and there you add files with file names that corresponds to the CN of the client's certificate
12:21 <@dazo> so ... ap01-s3system-net  would be the proper filename for one of your clients
12:21 < dtrainor_> i'm so happy.
12:22 < BenLue> ok i need to create an ccd folder in /etc/openvpn
12:22 <@dazo> BenLue: You create it where ever you point --client-config-dir at
12:25 < BenLue> okay the context from /etc/openvpn/ccd/ap01-s3system-net is iroute 192.168.2.0 255.255.255.0 correct?
12:26 < BenLue> ahh wrong i mean iroute 192.168.1.0 255.255.255.0
12:29 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
12:32 < BenLue> dazo
12:33 <@dazo> BenLue: yeah, that should be good
12:33 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
12:34 -!- mirco_ [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
12:34 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
12:34 -!- mirco_ is now known as mirco
12:37 <@dazo> BenLue: the next trap you need to check, is firewalling ... esp. on the VPN clients
12:42 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
12:43 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
12:44 < BenLue> dazo amazing its working now! Thank you so much :)
12:44 < BenLue> Now i need to configure Samba correct :)
12:44 < BenLue> Have a nice day
12:45 <@dazo> BenLue: Cool!
12:54 -!- pkr [~Adium@79.97.126.58] has quit [Quit: Leaving.]
12:56 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 245 seconds]
14:06 -!- pnielsen is now known as pmylund
14:17 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
14:17 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Remote host closed the connection]
14:18 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
14:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
14:27 -!- Latrina [~Latrina@adsl-ull-216-244.45-151.net24.it] has quit [Ping timeout: 245 seconds]
14:28 -!- Latrina [~Latrina@adsl-ull-44-208.50-151.net24.it] has joined #openvpn
14:29 -!- BenLue [~BenLue@unaffiliated/benlue] has quit [Ping timeout: 250 seconds]
14:31 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:42 -!- Latrina [~Latrina@adsl-ull-44-208.50-151.net24.it] has quit [Ping timeout: 250 seconds]
14:42 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
14:44 -!- Latrina [~Latrina@ppp-249-48.26-151.libero.it] has joined #openvpn
14:47 -!- xace [~noname@unaffiliated/xace] has joined #openvpn
14:47 < xace> !welcome
14:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
14:47 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:53 < xace> my goal is to use openvpn for the VLAN feature only. I've pretty much exactly copied the sample/example configurations provided by openvpn. the only change I did was authentication stuff and on the server I enabled client-to-client option. It all seems to run, however when my client first establishes a connection to the server internet (webbrowsers) stop working along with other network related programs. is the default client configuration tunnelling my ot
14:53 -!- Latrina [~Latrina@ppp-249-48.26-151.libero.it] has quit [Ping timeout: 255 seconds]
14:54 < xace> my only goal is to use the vlan feature, so I don't need the other tunneling options, if there is a example config for this i'd appreciate a link
14:55 -!- dazo is now known as dazo_afk
14:57 -!- Latrina [~Latrina@ppp-145-61.26-151.libero.it] has joined #openvpn
14:58 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has quit [Ping timeout: 272 seconds]
15:01 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has joined #openvpn
15:01 -!- mattock is now known as mattock_afk
15:02 -!- mirco_ [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
15:02 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 272 seconds]
15:02 -!- mirco_ is now known as mirco
15:06 -!- Latrina [~Latrina@ppp-145-61.26-151.libero.it] has quit [Ping timeout: 240 seconds]
15:08 -!- mirco_ [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
15:08 -!- Latrina [~Latrina@adsl-ull-246-212.50-151.net24.it] has joined #openvpn
15:09 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
15:09 -!- mirco_ is now known as mirco
15:13 -!- Latrina [~Latrina@adsl-ull-246-212.50-151.net24.it] has quit [Ping timeout: 250 seconds]
15:13 -!- Latrina [~Latrina@adsl-ull-169-208.50-151.net24.it] has joined #openvpn
15:18 -!- Latrina [~Latrina@adsl-ull-169-208.50-151.net24.it] has quit [Ping timeout: 245 seconds]
15:30 -!- gac [~gavin@196.108.255.149.in-addr.arpa] has quit [Quit: leaving]
15:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
15:38 -!- vervic [~vervic@88.151.79.78] has joined #openvpn
15:42 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Quit: mirco]
15:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:53 -!- earthian [~ea@gw.uk.fostral.net] has joined #openvpn
15:54 < earthian> Hello, I am trying to tell my local debian router that network 192.168.0.0/24 is behind 10.0.0.20 with a command ip route add 192.168.0.0/24 via 10.0.0.20 dev tun0, but I get an error RTNETLINK answers: No such process which I believe is not openvpn related.. but maybe you know how to achieve what I need there?
15:55 < earthian> if I make the said command without dev tun0 the route setting succeeds, but the device used is ppp0 which i think is wrong.
16:17 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
16:22 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
16:49 -!- fiasco_averted [glen-a@64.125.189.90] has joined #openvpn
16:54 < fiasco_averted> hey all, assuming I'm just pushing routes for syslogs and email down a split tunnel, what kind of resources would you think necessary to support up to 10k simultaneous users? UDP/aes-cbc. I'm thinking that to reduce CPU serverside I should up the reneg-sec, I was thinking 10hrs, so users wouldn't renegotiate during a normal work day. The servers will have 10G pipes, so that shouldn't be an issue, I'm more wondering how much ram/cpu cores I should allo
16:56 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
16:57 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:59 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
16:59 -!- mode/#openvpn [+o plaisthos] by ChanServ
17:00 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Client Quit]
17:02 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:02 -!- mode/#openvpn [+o plaisthos] by ChanServ
17:04 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
17:10 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:10 -!- mode/#openvpn [+o plaisthos] by ChanServ
17:11 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Client Quit]
17:11 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:11 -!- mode/#openvpn [+o plaisthos] by ChanServ
17:15 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:22 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
17:34 < dtrainor_> fiasco_averted, doesn't rsyslog do tls?
17:35 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:50 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:09 < Eugene> !scale
18:10 <@vpnHelper> "scale" is (#1) OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process. or (#2) Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto. or (#3) Both of these issues can be handled by running multiple server instances(on several IPs or ports) and having clients round-robin between them
18:10 < Eugene> !gigabit
18:10 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
18:10 < Eugene> !cpu
18:10 <@vpnHelper> "cpu" is "bottleneck" is (#1) OpenVPN uses userland crypto unless you have HW accel available (as shown with `openvpn --show-engines`.) This means the CPU is frequently the performance bottleneck; remember that OVPN is single-threaded or (#2) See also: !gigabit for ideas on advanced performance tuning options
18:10 < Eugene> Benchmark & test. We'd love if you would do a writeup on your deployment for the wiki.
18:11 < Eugene> I wouldn't tweak the reneg stuff too much; but you probably do want to use a high number for your ping-restart(5min?)
18:20 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
18:21 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Client Quit]
18:21 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
18:24 -!- riddle [riddle@us.yunix.net] has quit [Disconnected by services]
18:24 -!- riddle [riddle@us.yunix.net] has joined #openvpn
18:28 -!- Olivier| [Olivier@185.13.226.177] has joined #openvpn
18:29 -!- Netsplit *.net <-> *.split quits: mcp, svg, +s7r, xMopxShell, renihs, ribasushi, nullsign, eristisk, K1rk, Olivier,  (+7 more, use /NETSPLIT to show all of them)
18:29 -!- Eagleman- [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
18:31 -!- Netsplit over, joins: Magiobiwan, ribasushi
18:33 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:43 -!- xace [~noname@unaffiliated/xace] has quit [Quit: Lost terminal]
18:53 -!- pmylund [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
18:57 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
19:06 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:07 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
19:07 -!- abbe [having@badti.me] has quit [Read error: Connection reset by peer]
19:07 -!- abbe [having@badti.me] has joined #openvpn
19:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 256 seconds]
19:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:22 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
19:22 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
19:28 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
19:28 -!- vervic [~vervic@88.151.79.78] has quit [Remote host closed the connection]
19:28 -!- pnielsen [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Client Quit]
19:30 -!- pmylund [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
19:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:37 -!- mirco_ [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
19:38 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
19:38 -!- mirco_ is now known as mirco
19:50 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
19:51 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Quit: mirco]
20:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:15 -!- abbe_ [having@badti.me] has joined #openvpn
20:15 -!- abbe [having@badti.me] has quit [Read error: Connection reset by peer]
20:15 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 256 seconds]
20:18 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
20:25 -!- dtrainor_ [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 245 seconds]
20:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:31 -!- fiasco_averted [glen-a@64.125.189.90] has quit [Quit: Leaving.]
20:49 -!- buhman is now known as buhman_
20:52 -!- buhman_ is now known as buhman
21:15 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
21:17 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
21:37 -!- earthian [~ea@gw.uk.fostral.net] has quit [Quit: Leaving]
21:52 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:59 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
22:13 -!- _destroyah_ [~dstryah@ip98-165-177-98.ph.ph.cox.net] has joined #openvpn
22:15 < _destroyah_> anyone familiar with amazon aws / vpc
22:25 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 272 seconds]
22:27 -!- _destroyah_ [~dstryah@ip98-165-177-98.ph.ph.cox.net] has quit [Ping timeout: 240 seconds]
22:28 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
22:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
22:32 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
22:34 -!- LarsN [~lrn@freebsd/contributor/LarsN] has joined #openvpn
22:34 < LarsN> is it possible for CCD to do some level of auto-discovery/auto-configuration?
22:37 < LarsN> with a laptop connecting to the server from $GodKnowsWhere it seems rather inflexible to have to pre-define the address space.
22:38 < LarsN> but when I don't I see lots of: "Fri Jul 25 22:28:32 2014 us=642129 evo-laptop/66.68.121.30:1180 MULTI: bad source address from client [172.16.28.110], packet dropped"
22:38 < LarsN> messages in my openvpn.log
22:40 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
23:17 -!- ShadniX [dagger@p5DDFEABA.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:18 -!- ShadniX [dagger@p5DDFF847.dip0.t-ipconnect.de] has joined #openvpn
23:27 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:49 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Ping timeout: 272 seconds]
--- Day changed Sat Jul 26 2014
00:04 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 250 seconds]
00:05 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:28 -!- Pyrogerg [~Gregory@mobile-166-147-078-231.mycingular.net] has joined #openvpn
00:44 -!- mattock_afk is now known as mattock
00:56 -!- Pyrogerg [~Gregory@mobile-166-147-078-231.mycingular.net] has quit [Read error: Connection reset by peer]
01:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:15 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:36 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
01:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:05 -!- gallatin [~gallatin@dslb-092-073-073-146.092.073.pools.vodafone-ip.de] has joined #openvpn
02:11 -!- larryone [~larryone@119.30.38.106] has joined #openvpn
02:12 -!- larryone [~larryone@119.30.38.106] has quit [Max SendQ exceeded]
02:13 -!- larryone [~larryone@119.30.38.106] has joined #openvpn
02:14 -!- abbe_ is now known as abbe
02:22 -!- nullsign [~nullsign@daedalus.nullsign.com] has joined #openvpn
02:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:23 -!- tempus_fol [~tempus@unaffiliated/fol-tempus/x-4804267] has joined #openvpn
02:29 -!- tempus_fol [~tempus@unaffiliated/fol-tempus/x-4804267] has quit [Changing host]
02:29 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
02:29 -!- larryone [~larryone@119.30.38.106] has quit [Ping timeout: 240 seconds]
02:30 -!- mattock is now known as mattock_afk
02:42 -!- vu [~vu@dsl-hkibrasgw1-58c39c-234.dhcp.inet.fi] has joined #openvpn
02:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
03:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:25 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
03:49 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
03:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:10 -!- gallatin [~gallatin@dslb-092-073-073-146.092.073.pools.vodafone-ip.de] has quit [Ping timeout: 260 seconds]
04:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:58 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
05:00 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
05:02 -!- nea1 [~irc@ns.oakey-net.de] has joined #openvpn
05:02 < nea1> hi, is there a way to bind an key with openvpn to one ip address (so that he can't use an other IP)
05:08 < eagles0513875> hey guys
05:09 < eagles0513875> has anyone setup openvpn before on gentoo
05:14 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Quit: mirco]
05:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
05:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:29 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
05:29 -!- fol_tempus [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
06:45 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
06:50 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has quit [Ping timeout: 245 seconds]
07:02 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
07:03 -!- larryone [~larryone@119.30.38.22] has joined #openvpn
07:12 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 240 seconds]
07:18 -!- larryone [~larryone@119.30.38.22] has quit [Ping timeout: 256 seconds]
07:58 -!- Eagleman- is now known as Eagleman
08:19 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
09:24 -!- mwargh [~sistemshi@unaffiliated/mwargh] has joined #openvpn
09:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
09:32 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:41 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
09:45 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 250 seconds]
10:00 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
10:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
10:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
10:02 -!- Caplain [~shayne@d192-24-5-39.try.wideopenwest.com] has quit [Read error: No route to host]
10:10 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
10:11 -!- fol_tempus is now known as fol_tempu
10:16 -!- fol_tempu is now known as tempus_fol
10:17 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
10:19 -!- mattock_afk is now known as mattock
10:21 < Eugene> !static
10:21 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
10:21 < Eugene> nea1 - ^
10:27 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:27 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
10:29 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
10:34 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 250 seconds]
10:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
10:52 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
11:07 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
11:09 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
11:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:23 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:24 -!- Eagleman7 [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:26 -!- Eagleman7 is now known as Eagleman
11:27 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:31 -!- mattock is now known as mattock_afk
11:35 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:37 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:38 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
11:39 -!- Eagleman7 [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
11:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:43 -!- mode/#openvpn [+v s7r] by ChanServ
11:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:45 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
11:45 -!- Eagleman7 [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
11:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:46 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:48 -!- mode/#openvpn [+v s7r] by ChanServ
12:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
12:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:34 -!- mode/#openvpn [+v s7r] by ChanServ
12:52 < nea1> !addressing
12:52 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
12:53 < nea1> !ccd
12:53 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:53 < nea1> !iporder
12:53 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
12:54 < nea1> Eugene: yea, but can't a user then still assign an other ip-address
12:55 < Eugene> Sure, but the server won't respect it or pass them any traffic
12:55 < nea1> with for e.g. ip a add 10.0.0.8/24 dev tun0
12:55 < nea1> ah ok
12:55 < nea1> thats cool then
12:55 < nea1> thanks :)
12:55 < Eugene> Unless you're a fool and using bridging, which you shouldn't be.
12:56 < nea1> yea - i'll stick with tun, eaven if that means that i'll have to add routes on the other side >.<
13:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
13:51 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Read error: Connection reset by peer]
13:51 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
14:00 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
14:25 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 255 seconds]
14:29 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
14:29 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
14:44 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
15:00 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
15:03 -!- Kyron_ [~Kyron@cpc65428-new25-2-0-cust54.5-1.cable.virginm.net] has joined #openvpn
15:05 < Kyron_> Hey, does anybody know if I can configure OpenVPN to be assigned to a specific port, instead of taking over all of my applications. So, I could use it, like a proxy?
15:07 < Kyron_> I have a paid service, and my needs differ from tunnelling my whole computer through their network.
15:11 < Kyron_> I've tried setting --lport(and just --port) PORT and --bind, but it doesn't seem to work.
15:12 < Kyron_> I'd like to say, change my browser settings to filter traffic through 127.0.0.1:PORT
15:18 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Quit: mirco]
15:23 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [K-Lined]
15:23 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [K-Lined]
15:23 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has joined #openvpn
15:23 < Kyron_> (Is this a dead IRC, btw.. I've visited a few times and either nobody's responded or I've just been on at the worse times..)
15:24 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
15:26 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
15:38 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 240 seconds]
15:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:46 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
15:46 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
15:50 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:57 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
16:03 -!- p3rror [~mezgani@adsl196-114-108-206-196.adsl196-4.iam.net.ma] has joined #openvpn
16:14 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
16:15 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
16:15 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
16:23 -!- Megaf_ is now known as Megaf
16:44 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
16:46 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
16:55 < dvl> ecrist: was talking to RJMetrics yesterday.  They use OpenVPN.  FYI. http://rjmetrics.com/
16:55 <@vpnHelper> Title: RJMetrics | Business Intelligence for Ecommerce, SaaS & Mobile (at rjmetrics.com)
17:08 -!- lipizzan [~rickbol@cpe-174-096-184-106.carolina.res.rr.com] has quit [Ping timeout: 240 seconds]
17:12 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:26 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 240 seconds]
17:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:31 < nea1> Kyron_: yea it's dead here ^^ - and i'd recomend ssh ;) and port forwarding
17:31 < nea1> or you will have to have a look at policy based routing
17:34 < Poster> or possibly a remote proxy on the far end, then configure each local application to use it, if applicable
17:35 < Poster> most things can go through HTTP proxies such as squid or oops, dante supports SOCKS5
17:41 < Kyron_> nea1: Heh. Thanks for telling me. xD - Alright, can you link me some examples? c:
17:42 -!- justinzane [~justinzan@24.49.207.203] has quit [Remote host closed the connection]
17:43 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
17:43 < Poster> SSH tunneling info here: http://www.revsys.com/writings/quicktips/ssh-tunnel.html
17:43 <@vpnHelper> Title: HOWTO: SSH Tunneling Made Easy (at www.revsys.com)
17:43 < Kyron_> Poster: I actually have a VPS that I have previously set up a Squid proxy on. So the idea is, install OpenVPN there, all the traffic is forwarded through that, so, if I connect via Squid proxy, that will be to?.. What if I'd like to connect to multiple servers? o:
17:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
17:44 < Poster> the main drawback with SSH tunneling is that you have to create a session each time, a VPN based solution with remote proxy can stay up indefinately
17:44 < Poster> well presumably your VPN link would only need to link the two together and not manipulate any routing
17:44 < Poster> you would set your HTTP proxy to be the VPN side of the OpenVPN link on whichever port
17:45 < Poster> the client to proxy traffic would traverse the OpenVPN link, then leave the VPS as a standard HTTP/HTTPS/etc client
17:48 < Kyron_> Yes, but, my VPN Provider offers multiple connections/devices and a whole list of servers. What if I'd like to connect to multiple servers at the same time?
17:50 < Poster> you just keep unique addressing to each one
17:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:50 < Poster> or you can use the connection profiles to try each sequentially, in that case you'd need to ensure that they all assign the same IP addressing within the VPN link
17:50 < Poster> eg; client is always 172.25.5.2 and server is always 172.25.5.1
17:51 < Poster> at which point you'd setup your proxy clients to use 172.25.5.1:3128 regardless of which VPN server you had connected to
17:51 < Poster> it would mean you couldn't connect to more than one at once though
17:53 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
17:54 < Kyron_> Would SSH Tunneling be a solution to that however? - As I could have multiple TUN/TAP adapters.. Correct?
17:55 < Poster> sure
17:55 < Poster> you can run a bunch of connections as long as you keep the addressing and adapter assignments straight
17:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:59 < Kyron_> I should be able to set-up a Python script to do that for me.
18:11 < Kyron_> Poster: Alright, so, I'm not quite sure I understand that article. How would I set up an ssh tunnel for my OpenVPN tun0/tap0 network locally?
18:12 < Kyron_> Poster: Also, how do I disable OpenVPN being used as the default gateway and instead use my plain-l wlan0 connection for general traffic.
18:12 < Kyron_> plain-ol'*
18:13 < Poster> not sure what your configurations look like, generally taking all traffic via remote gateway is pushed from the server to the client with something similar to:
18:13 < Poster> push "redirect-gateway def1 bypass-dhcp"
18:14 < Poster> keep in mind that SSH tunnels are TCP proxies only where OpenVPN is generally an IP route or possibly an ethernet bridge
18:18 < Kyron_> Here's a pastebin of my basic config. http://pastebin.com/QN1ejmCb
18:19 < Poster> :(
18:19 < Poster> go change all your keys, they're now public
18:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
18:19 < Kyron_> They're public on my VPN's site anyway... o:
18:19 < Kyron_> They're useless without the authentication username/password.
18:20 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
18:20 < Kyron_> Literally, they came from a sample file that's public on my VPN's website..
18:21 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
18:21 -!- LarsN [~lrn@freebsd/contributor/LarsN] has quit [Ping timeout: 240 seconds]
18:21 < Kyron_> ... Do I need to still be worried?
18:22 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
18:22 -!- mode/#openvpn [+o dazo_afk] by ChanServ
18:22 -!- dazo_afk is now known as dazo
18:25 < Poster> possibly, it's now down to getting credentials right instead of having a secret key
18:26 < Poster> so do you not control each OpenVPN server?
18:27 < Kyron_> I'll see what I can do. For now, I've just edited the certificates out of the pastebin. (which is unlisted.)
18:27 < Kyron_> No, I pay for a VPN, I only have access to an OpenVPN Client.
18:28 < Poster> ok so that probably means you cannot install an HTTP/SOCKS proxy server on the far end I take it?
18:28 < Poster> or does this same provider offer proxy services as well?
18:28 < Kyron_> No, I can't. /:
18:30 < Poster> ok so we're back to nea1's suggestion of policy based routing OR setting up a small virtual system to be a VPN client AND an HTTP/SOCKS proxy
18:30 < Kyron_> For HTTP/SOCKS proxy, it would be, install the client on my VPS, install Squid3, and on my current machine, run a proxy through my VPS, which forwards the traffic.
18:30 < Kyron_> I see.
18:31 < Poster> sort of, you'd need the traffic leaving squid3 to go through the VPN, which if running locally you would have to do policy based routing to achieve
18:32 < Poster> you could try something like a virtualbox/vmware player guest on your system that would run squid and OpenVPN client, at which point the flow would be main system -> virtual system (squid) -> VPN provider -> Internet
18:32 < Poster> colinux might also work, I haven't used that in a long time though
18:32 < Poster> based on your configurations it looks like your primary system is Windows based
18:33 < Kyron_> Yes, however, this is my general use system. I plan to move it to my Linux system.
18:33 < Kyron_> Debian*
18:33 < Kyron_> So, which method do you recommend taking?
18:34 < Poster> if you have an available Linux or BSD host, I would probably go there, set it up to be a squid server and OpenVPN client
18:34 < Poster> anything you want to push through the VPN service, set to the local squid server and go
18:34 < Poster> it would mean that the Linux or BSD host would route all traffic via the VPN service though
18:35 < Poster> which is why I had suggested some small virtual system to perform the function, if available
18:38 < Kyron_> Using a squid server would limit me to one connection only. So that's a little unwanted. A Virtual System seems resource-heavy.. Are there any headless/light virtual-systems?
18:39 < Poster> most virtualization systems can be run headless
18:39 < Poster> a "minimal" install, console only, etc
18:39 < Kyron_> Ah.
18:39 < Poster> in terms of one connection, I am not sure what it is you're expecting to achieve, at any given point you can only route internet traffic through one unless you do something odd with round robin outbound
18:40 < Poster> an absolutely bare minimum system could probably be run on about 256mb of memory and 6-8GB disk
18:41 < Poster> less if you're ok with running something small like OpenBSD
18:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Read error: Connection reset by peer]
18:43 < Poster> Debian might be able to go even lighter: https://www.debian.org/releases/stable/i386/ch03s04.html.en
18:43 <@vpnHelper> Title: 3.4. Meeting Minimum Hardware Requirements (at www.debian.org)
18:44 < Kyron_> Well, as I have access to multiple connections and different servers, my goal is to be able to choose what server I use for each application, perhaps via ports. e.g. 127.0.0.1:9000 = OpenVPN Client0/TUN0/TAP0, 127.0.0.1:9001 = Client1/TUN1/TAP1 ... Depending on however many clients/adapters I am running.
18:44 < Poster> yeah you'd be back at policy based routing, OR a squid server/openvpn client per connection
18:44 < Kyron_> I run debian without a desktop anyway, heh.
18:46 < Kyron_> So, how would I go about policy based routing? An extra server per client sounds expensive. xP
18:47 < Poster> you're going to trade system resources for complexity, but this should get you started: https://www.google.com/search?q=iptables+policy+based+routing
18:47 <@vpnHelper> Title: iptables policy based routing - Google Search (at www.google.com)
18:51 < Kyron_> Okay, thanks. (:
18:59 < Kyron_> Oh, by the way, do I need to add "redirect-gateway def1 bypass-dhcp" or something to my OpenVPN config in order to stop it from being assigned as the default gateway?
19:03 < Kyron_> Poster: Or is it suppossed to be removed somewhere..?
19:09 < Poster> that option is on the server side, which gets push to the client
19:09 < Poster> you will probably need to figure out how to adjust the client to not accept the default route when the connection is established
19:10 < Kyron_> Ah. Hmm.
19:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:28 -!- buhman is now known as a123456789012345
19:29 -!- a123456789012345 is now known as buhman
19:31 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:37 -!- buhman is now known as actually
19:39 -!- actually is now known as buhman
19:57 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
20:38 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
20:38 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
20:46 -!- Latrina [~Latrina@adsl-ull-165-218.50-151.net24.it] has joined #openvpn
20:57 -!- Latrina [~Latrina@adsl-ull-165-218.50-151.net24.it] has quit [Ping timeout: 250 seconds]
20:58 -!- Latrina [~Latrina@ppp-52-18.26-151.libero.it] has joined #openvpn
21:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:30 -!- p3rror [~mezgani@adsl196-114-108-206-196.adsl196-4.iam.net.ma] has quit [Ping timeout: 250 seconds]
21:53 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 260 seconds]
22:04 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 250 seconds]
22:05 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
23:00 -!- u0m3 [~u0m3@92.80.113.123] has quit [Read error: Connection reset by peer]
23:03 -!- u0m3 [~u0m3@92.80.107.129] has joined #openvpn
23:11 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:16 -!- ShadniX [dagger@p5DDFF847.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:17 -!- ShadniX [dagger@p5DDFEA31.dip0.t-ipconnect.de] has joined #openvpn
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
23:48 -!- justinzane [~justinzan@24.49.207.203] has quit [Write error: Broken pipe]
--- Day changed Sun Jul 27 2014
00:25 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 264 seconds]
01:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
01:26 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
01:26 < keatont> The moment when you realize all your VPN woes were caused by your DNS server not listening on the OpenVPN interface.
01:26  * keatont face-palms 
02:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:03 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
02:03 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:17 -!- Kyron_ [~Kyron@cpc65428-new25-2-0-cust54.5-1.cable.virginm.net] has quit [Ping timeout: 264 seconds]
02:44 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
03:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:02 -!- clyons [~kvirc@host86-157-14-27.range86-157.btcentralplus.com] has joined #openvpn
04:25 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
06:10 -!- u0m3 [~u0m3@92.80.107.129] has quit [Ping timeout: 245 seconds]
06:33 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 240 seconds]
07:06 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
07:30 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Quit: mirco]
07:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
09:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
09:16 -!- u0m3 [~u0m3@92.80.107.129] has joined #openvpn
09:21 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:51 -!- BenLue [~BenLue@unaffiliated/benlue] has joined #openvpn
09:51 < BenLue> !welcome
09:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:52 < BenLue> !howto
09:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:15 < BenLue> !route
10:15 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
10:15 <@vpnHelper> client
10:16 < BenLue> !clientlan
10:16 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
10:16 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
10:18 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:19 < BenLue> !ipforward
10:19 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
11:09 -!- mattock_afk is now known as mattock
11:14 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has joined #openvpn
11:46 -!- Latrina [~Latrina@ppp-52-18.26-151.libero.it] has quit [Ping timeout: 272 seconds]
11:48 -!- Latrina [~Latrina@ppp-92-59.26-151.libero.it] has joined #openvpn
11:52 -!- Latrina [~Latrina@ppp-92-59.26-151.libero.it] has quit [Ping timeout: 240 seconds]
11:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:07 -!- asdfasdafas [~asdfasdaf@173.239.255.18] has joined #openvpn
12:07 < asdfasdafas> is there any way to handle a non-continguious IP pool other than having a bunch of separate openvpn configs/processes?
12:17 < BenLue> I have some troubles with my OpenVPN Network, here my Information to the Network. Server Config: http://paste.debian.net/112034/ ccd folder with File1 likes iroute 192.168.1.0 255.255.255.0 and File2 iroute 192.168.2.0 255.255.255.0 Server Routing Table: http://paste.debian.net/112035/ Client1.conf http://paste.debian.net/112031/ Client2.conf: http://paste.debian.net/112033/
12:18 < BenLue> when i start the Server and Clients, i get an Network Time out on both Router location
12:18 < BenLue> anyone ideas?
13:22 < lfx> where does openvpn look for ssl when compiling? I'm trying to compile it with openssl built from source (latest beta) instead of debian repo, and it says that it can't find ssl
13:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-bqxvqthziifujnav] has quit [Ping timeout: 255 seconds]
13:27 -!- kirin` [telex@gateway/shell/anapnea.net/x-hmknkadhxrbfjysb] has joined #openvpn
13:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
13:47 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:43 -!- asdfasdafas [~asdfasdaf@173.239.255.18] has quit [Quit: leaving]
14:48 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:53 -!- almac [~almac@unaffiliated/almac] has joined #openvpn
14:53 < almac> !welcome
14:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:53 -!- malc0re [mc@unaffiliated/csdsss] has left #openvpn []
14:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:57 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
--- Log closed Sun Jul 27 15:01:28 2014
--- Log opened Mon Jul 28 08:02:56 2014
08:02 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
08:02 -!- Irssi: #openvpn: Total of 164 nicks [8 ops, 0 halfops, 3 voices, 153 normal]
08:02 -!- mode/#openvpn [+o ecrist_] by ChanServ
08:02 -!- Irssi: Join to #openvpn was synced in 1 secs
08:05 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
08:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:24 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:28 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
08:32 -!- pmylund [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
08:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:37 -!- pmylund [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has joined #openvpn
08:43 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has left #openvpn []
08:51 -!- Olivier| is now known as Olivier
08:52 -!- GrecKo [~GrecKo@2001:41d0:1:cb16::1] has left #openvpn []
08:58 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:09 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:21 -!- LarsN [~lrn@freebsd/contributor/LarsN] has joined #openvpn
09:23 < LarsN> I'm trying to setup an OpenVPN hub & spoke network between four sites and am running into a problem I "think" is related to CCD.
09:25 < LarsN> when I connect one site's router to the OpenVPN server the connection opens fine.  But then whenever anything inside the network tries to hit the internet I see errors like....  "bad source address from client [172.16.28.*], packet dropped"
09:25 < LarsN> now I've looked at the CCD bits, and I suspect I can fix this site.  But how do I go about fixing the same kind of problem for a "road warrior" configured laptop where I'm unlikely to have any idea what address it's using?
09:26 < LarsN> Also, if I want to setup split tunnel routing for everything but the road warriors, do I then have to manipulate the routing tables on the clients after they connect?  or is there a server side directive I can pass?
09:26 -!- zapotek6 [~zap@176.200.138.66] has joined #openvpn
09:26 -!- zapotek6 [~zap@176.200.138.66] has quit [Max SendQ exceeded]
09:28 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:28 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:32 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:32 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
09:34 <@ecrist_> hey there, LarsN 
09:34 -!- You're now known as ecrist
09:35 <@ecrist> regarding your bad source address issue: https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
09:35 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
09:36 <@ecrist> regarding routing and your VPN clients, take a look at !route and also note that you can use push "route ..." in your CCD entries for clients
09:37 <@ecrist> I'd strongly recommend a separate openvpn instance for your site-to-site traffic and your road warriors
09:37 <@ecrist> though, it *is* possible to do everything from a single instance
09:41 -!- fitnerd [~dan@75-171-206-2.hlrn.qwest.net] has joined #openvpn
09:44 < fitnerd> I am running 2 instances of openvpn on different ports and have been successfully for a few years.  Within the last few months, when logrotate runs -one- of the instances failes to restart and the log says 'address already in use'.  Yet, when I /etc/init.d/openvpn restart via command line it works fine every single time.  I tried adding 'sleep' to the init script to maybe try some delay between the processes startup but it is not fixing it.  Anyo
09:44 < fitnerd> have ideas why this would only happen when logrotate does it?
09:52 < LarsN> ecrist: howdy man, Long time!
09:54 < LarsN> And thanks!  I'll do some more reading tonight, and hit you up if I get stuck on anything.
09:57 -!- pkr [~Adium@79.97.126.58] has joined #openvpn
09:57 < LarsN> ecrist: I assume it would be safe to have "one of the Clients" also be an OpenVPN server then for the road warriors?
10:01 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
10:02 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:16 -!- pkr [~Adium@79.97.126.58] has quit [Quit: Leaving.]
10:17 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
10:17 -!- zapotek6 [~zap@mail.comelit.it] has quit [Client Quit]
10:18 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
10:20 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
10:23 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
10:26 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
10:28 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
10:29 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:45 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has quit [Quit: Lost terminal]
10:45 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
10:48 -!- zapotek6 [~zap@mail.comelit.it] has quit [Read error: Connection reset by peer]
10:49 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 250 seconds]
10:50 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
10:50 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
10:54 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:55 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
10:55 < LuisM> hi folks
10:56 < LuisM> OpenVPN needs a gateway parameter for a --route option and no default was specified by either.
10:56 < LuisM> wtf?
10:56 < LuisM> openvpn server didn't start
10:56 <@krzee> lets see logs and configs like this:
10:56 <@krzee> !configs
10:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:56 <@krzee> !logs
10:56 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:56 <@krzee> verb 4 is fine =]
10:56 < LuisM> krzee: ok, i'll past
10:57 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
10:58 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
10:58 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:03 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:04 < LuisM> http://ix.io/dCw
11:05 < LuisM> krzee: and my openvpn-status.log is empty..wtf? haha
11:06 < LuisM> i start openvpn with systemctl
11:06 <@krzee> !logfile
11:06 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:07 <@krzee> ok so 192.168.1.0 255.255.255.0 is a lan subnet behind a client, and only the server needs access to it?
11:08 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
11:09 < BenLue> I have connected to networks (192.168.2.0 - 192.168.1.0) with OpenVPN now i cant find other Workstations in Network List! Anyone Ideas? Im on Windows8.1 Pro atm
11:09 < BenLue> Ping from local lan to local lan working fine
11:09 <@krzee> BenLue, setup WINS
11:09 < BenLue> !wins
11:09 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:11 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:13 < BenLue> krzee thx, its possible to run Samba WINS without PDC?
11:13 <@krzee> samba is linux, very much yes
11:22 < LuisM> krzee: yeah..only server needs access to it
11:22 < LuisM> 192.168.1.0/24 is lan subnet behing client
11:23 < BenLue> yes
11:23 < LuisM> so, whats i need to add in my conf file?
11:24 < LuisM> is weird..in 2 months ago i just start openvpn server with this server conf
11:24 < LuisM> so, now i try to start and got with errors
11:24 < LuisM> lol
11:24 < LuisM> i didn't touch on server.conf
11:25 < BenLue> check "iroute" push "route" settings
11:25 < LuisM> perhaps update of bin changes default settings..dunno
11:26 < LuisM> BenLue: look
11:26 < LuisM> http://ix.io/dCw
11:26 < BenLue> ccd?
11:27 < BenLue> paste please ccd files
11:27 <@ecrist> LarsN: yes, the server can be any system
11:27 < LuisM> ok
11:28 < LuisM> BenLue: only two files with "iroute 192.168.1.0 255.255.255.0"
11:28 < LuisM> two machines
11:29 < LuisM> two machines on lan client subnet
11:29 < BenLue> in same subnet?
11:30 < LuisM> yeah
11:30 < LuisM> so, i don't need two files?
11:30 <@krzee> you cant have the same lan behind 2 different clients
11:31 < LuisM> so, if i remove a file, will run?
11:32 <@krzee> BenLue, if wins doesnt work your alternate method is to use layer2 (tap)
11:32 <@krzee> because netbios resolution is layer2, but wins makes it work over layer3
11:32 < LuisM> wins...omfg =/
11:32 <@krzee> LuisM, you never posted everything i asked for so i cannot attempt to help you.
11:33 <@krzee> i asked for 2 configs and 2 logfiles, i got 1 config.
11:33 < LuisM> yeah..my log is always empty
11:33 <@krzee> no its not
11:33 < BenLue> can i use the same setting only change tun in tap in all config files?
11:33 <@krzee> !logfile
11:33 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:33 < LuisM> stdout
11:33 <@krzee> make a logfile.
11:33 < BenLue> LuisM Verb4!
11:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:34 <@krzee> BenLue, that will make it so the client and server have layer2, maybe it will be enough
11:34 <@krzee> not sure
11:34 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
11:35 <@krzee> i think you may need bridging, but you know you dont even need network browsing to use sharing, right?
11:35 <@krzee> you can simply access the share by its IP
11:35 <@krzee> only the resolution is layer2 or needs wins
11:37 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:37 < LuisM> krzee: http://ix.io/dCC
11:38 <@krzee> oh i see, so i do only need that side
11:38 < LuisM> both files
11:38 < LuisM> http://ix.io/dCw
11:38 < BenLue> ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)?
11:39 < LuisM> i'm on archlinux
11:39 < BenLue> TUN/TAP dev aviable?
11:39 < LuisM> kernel module?
11:39 < LuisM> yes
11:39 < BenLue> vmaschine?
11:39 < LuisM> yes
11:39 < LuisM> perhaps a reboot due kernel updates..
11:40 <@krzee> LuisM, comment out the route
11:40 <@krzee> see if it starts or not
11:40 <@krzee> might be chasing a red herring cause the first error might cause the second one
11:41 < LuisM> hmm ok
11:42 < fitnerd> regarding my earlier question: here is the log file http://www.coronasolutions.com/downloads/openvpn/openvpn-aes.log
11:42 <@krzee> or maybe visa-versa, but commenting the route will tell us either way
11:43 <@krzee> fitnerd, easy:
11:43 <@krzee> TCP/UDP: Socket bind failed on local address [undef]: Address already in use
11:43 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:43 < LuisM> brb, reboot vps
11:43 <@krzee> you're either already running openvpn or you are running something else on the same port you are attempting to run openvpn on'
11:43 -!- LuisM [~luism@unaffiliated/luism] has quit [Quit: leaving]
11:43 < fitnerd> krzee: but I'm not ;) see my question
11:44 < fitnerd> I can repost it, just didn't want to spam
11:44 <@krzee> pls do
11:44 < fitnerd> I am running 2 instances of openvpn on different ports and have been successfully for a few years.  Within the last few months, when logrotate runs -one- of the instances failes to restart and the log says 'address already in use'.  Yet, when I /etc/init.d/openvpn restart via command line it works fine every single time.  I tried adding 'sleep' to the init script to maybe try some delay between the processes startup but it is not fixing it.  Anyo
11:44 < fitnerd> have ideas why this would only happen when logrotate does it?
11:45 <@krzee> i would run logrotate manually with the most debug i could get it to give
11:45 <@krzee> like if its a bash script ild run it with -x
11:45 <@krzee> see wtf its doing
11:45 <@krzee> not really an openvpn question tho
11:46 <@krzee> i mean ya you happen to be running openvpn, but thats a sysadmin question =]
11:47 < fitnerd> yeah but openvpn is the thing failing.. hence my presence here
11:48 < fitnerd> and.. of course it works fine this time
11:48 <@krzee> well i mean
11:48 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
11:48 <@krzee> if your vpn runs fine when you run it manually, then your problem isnt openvpn.
11:48 <@krzee> sounds like you have a logrotate issue
11:49 < fitnerd> something in openvpn is locking the net binding and openvpn is the code that is doing it
11:49 < LuisM> krzee: i just reboot and opevpn just start fine ;)
11:49 < LuisM> problem was /dev/net/run device
11:49 < LuisM> due kernel updates
11:49 < LuisM> and long uptime
11:49 < LuisM> i guess
11:49 < LuisM> so, still have a problem (or warning)
11:50 < LuisM> OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
11:50 < LuisM> what i need to do?
11:50 < fitnerd> I don't understand why 2 different openvpn processes would be binding to the same port when specifically configured to run on different ones.  Maybe there is something that I am exposing that is not common because most people don't run mulitple openvpn on the same server
11:50 <@krzee> fitnerd, i run many instances on many servers
11:51 <@krzee> its actually kinda common for scaling because openvpn only runs on a single cpu core (single threaded)
11:51 <@krzee> !notovpn
11:51 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
11:52 < LuisM> lol
11:52 <@krzee> fitnerd, you can start both at the same time when its not logrotate
11:52 < fitnerd> well good to know I'm not in uncharted territory.  But, the only evidence I have here goes through the openvpn code.  Logrotate may be just coincidental because I have no other need to restart those servers regularly.
11:52 <@krzee> chasing anything except how to get debug info from logrotate is a waste of time imo
11:52 <@krzee> of course you have a need
11:53 <@krzee> the need is to get it to mess up when you start them manually
11:53 <@krzee> because your problem only happens when using logrotate, it's a problem with that.
11:53 < fitnerd> well I am running logrotate with -vvvvv and it works fine right now
11:53 < LuisM> my default gw should be my own server?
11:53 <@krzee> fitnerd, then it sounds like theres no problem to debug.
11:54 < LuisM> so, --route-gateway "ip-server"?
11:55 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
11:55 < fitnerd> krzee: I am struggling to find an appropriate response to your sarcasm.
11:55 <@krzee> well i mean, if you cant reproduce it, how shall we debug it?
11:56 <@krzee> especially if you can only make it happen while using logrotate, but not when you actually call logrotate
11:56 <@krzee> maybe if i supported what you're using, and not just openvpn, i would be more useful for your problem
11:58 <@krzee> hmm LuisM can you try moving the route entry to the ccd for that client and see if openvpn has any magic for that?
11:58 <@krzee> route-gateway 10.8.0.1 may do it
11:59 -!- periheli0n [~Foo@69-196-147-23.dsl.teksavvy.com] has joined #openvpn
11:59 < fitnerd> I certainly am sypathetic to unreproducible errors.  I have been coding for 30 years.  There are types of problems that require "guesses" about what might be happening.  Based on logical deduction, it is an openvpn process that is either a) not releasing it's bound connection upon stop or b) starting with a default binding that is reassigned after startup.   I believe there must be some options that can be suggested by someone who understands the
11:59 < fitnerd> underlying logic better than I do.  But I can't agree this is dismissable as a logrotate issue since logrotate only calls the openpn startup script.
11:59 <@krzee> LuisM, also i think this behavior might have been fixed, you could also just try updating openvpn
11:59 <@krzee> we're on 2.3.4
12:00 < LuisM> me too
12:00 < LuisM> i'll try route-gateway 10.8.0.1
12:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:00 <@krzee> fitnerd, since you're a coder you could try hacking in some debug info into when logrotate actually does its job
12:01 <@krzee> who knows, maybe it just needs to sleep for a second or something
12:01 < fitnerd> as I said earlier, I did add sleep
12:01 <@krzee> sorry dude all i can do is take random stabs at it, as its still not an openvpn problem ;]
12:02 <@krzee> im not against taking those stabs, but its sounds like you've taken the same ones
12:02 < fitnerd> well I can't discount openvpn as the problem.  A logrotate developer would blame openvpn
12:03 < fitnerd> and thus I am in the middle
12:04 <@krzee> the way i see it, if you can only cause your problem with a special wrapper, then the wrapper is to blame.
12:04 < fitnerd> but that is not conculsive
12:05 -!- jgalt [~chatzilla@pool-71-105-122-235.lsanca.dsl-w.verizon.net] has quit [Ping timeout: 255 seconds]
12:05 <@krzee> if the wrapper expects openvpn or the OS scripts to do some of its magic on behalf of it, their bad.
12:05 < fitnerd> but logrotate is not doing it reproducibly
12:05 < fitnerd> if it did it every time, I'd agree 100%
12:06 <@krzee> if NOT using it ever does it, you can look beyond it.
12:06 < fitnerd> it just calls /etc/init.d/openvpn restart
12:06 <@krzee> hell maybe you're somehow running 3 instances of openvpn?
12:07 <@krzee> 1 good and 2 on the same port?
12:07 <@krzee> a backup config that the os script calls?
12:07 < fitnerd> but that would happen every time
12:07 < fitnerd> running it manually I would see it tyring to launch
12:07 <@krzee> since it calls /etc/init.d/openvpn restart, ild say you can easily rule out logrotate, get the problem to happen 1 time while calling /etc/init.d/openvpn restart
12:08 <@krzee> do that once and its not logrotate, do not and it is.
12:09 <@krzee> and still, that can be the os startup script, and by the way sometimes they run with different options passed, not only whats in the config
12:10 <@krzee> so thats another place to add debugging to try and gather info when you actually reproduce it
12:10 < Eugene> krzee, it may amuse you that my girlfriend's fish tank's bubbler sounds like a tiny man smoking a bong 24/7 in my office.
12:11 <@krzee> lol that would be a good figurine for a tank
12:11 <@krzee> lil guy hitting a big bong
12:11 <@krzee> that is really the filter
12:12 -!- u0m3 [~u0m3@92.80.107.129] has quit [Ping timeout: 260 seconds]
12:13 < Eugene> http://i.imgur.com/Q7Zjwlp.jpg
12:13 -!- u0m3 [~u0m3@92.80.87.239] has joined #openvpn
12:13 < Eugene> It's the black sponge in the back-left corner.
12:13 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:14 <@krzee> nice tank
12:14 < Eugene> Terrible photo
12:14 <@krzee> looks like its a plant tank tho
12:14 < Eugene> There's many fish in there, I assure you
12:14 <@krzee> haha
12:15 < Eugene> Sec, lemme find the better phone
12:15 < LuisM> krzee: everything works fine ;)
12:15 < LuisM> not more warning
12:16 < Eugene> http://i.imgur.com/kdDMH34.jpg
12:16 < Eugene> Not much better, bah
12:16 < LuisM> krzee: only a doubt...i need a ccd file for each one client?
12:16 < LuisM> even are in same lan subnet?
12:16 <@krzee> why do you have multiple clients in the same lan subnet?
12:17 < LuisM> office branch
12:17 <@krzee> but you're already sharing the lan over the vpn
12:18 < LuisM> using route 192.168.1.0/24 ?
12:18 < LuisM> you mean?*
12:18 <@krzee> the entire point of that is to only need 1 vpn node for the entire lan
12:18 <@krzee> yes, that and its matching iroute in the ccd entry
12:18 <@krzee> !clientlan
12:18 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
12:18 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:19 <@krzee> try the flowchart http://pekster.sdf.org/misc/clientlan.png  if it works then tell me why you have a second client connecting from that lan
12:19 < LuisM> hmm nice
12:19 < LuisM> i'll tell
12:20 < LuisM> i don't have a centralized machine for doing vpn..like firewall
12:20 <@krzee> oh ok
12:20 < LuisM> so, each client on lan needs to connect on vpn server
12:20 <@krzee> !route_outside_ovpn
12:20 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
12:20 <@krzee> no, you just need to properly configure routing
12:20 <@krzee> =]
12:21 <@krzee> you're most of the way there, a little more and the entire lan will have access to the vpn subnet
12:21 < LuisM> so, no need ccd files for each client?
12:22 <@krzee> only ones that have a reason for it (unless using --ccd-exclusive)
12:22 <@krzee> !ccd
12:22 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
12:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
12:30 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
12:48 -!- fitnerd [~dan@75-171-206-2.hlrn.qwest.net] has quit [Remote host closed the connection]
13:01 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has joined #openvpn
13:07 -!- buhman [rewt@selene.buhman.org] has left #openvpn ["Never is too long a word even for me…"]
14:00 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
14:00 < svm_invictvs> Hey
14:00 < svm_invictvs> I'm looking over the OpenVPN setup guide and I have a few questions.
14:00 < svm_invictvs> I see there's an option which forces a client's traffic throught he VPN, redirect-gateway
14:01 < svm_invictvs> I want to do something like that, but not with all traffic.
14:01 <@krzee> you can route whatever subnets you want
14:01 < svm_invictvs> Rather, i want to just route some specific traffic through the VPN, but the IP addresses are not on the VPN, they're outside.
14:01 <@krzee> you need everything the same as if you used redirect-gateway, but then instead of that option you just add routes for the subnets you want
14:01 <@krzee> !redirect
14:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:01 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:02 < svm_invictvs> Basically, the VPN is in my office, and a few client websites are locked to static IP addresses
14:02 < svm_invictvs> I see
14:02 <@krzee> so you still need ip forwarding and NAT, but you just route whatever IP/subnets you want over the vpn
14:02 < svm_invictvs> I see
14:03 < svm_invictvs> So it's not just push <extreanal-ip>  is it?
14:03 <@krzee> also if your vpn server subnet is on a subnet you plan on routing over the vpn, remember to give it a direct route so you dont make a routing loop
14:03 <@krzee> well you dont even have to push
14:03 <@krzee> --route "network" "netmask"
14:03 < svm_invictvs> Where in the manual is that covered?
14:03 <@krzee> or --push "route network netmask"
14:03 < svm_invictvs> I see
14:03 <@krzee> see --route
14:04 <@krzee> and sorry, the route command doesnt take " " but push does, so my above examples are confusing
14:04 < svm_invictvs> Well, I gotta read the man page a bit, but I think you pointed me in the right direction
14:05 <@krzee> !man
14:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:05 < svm_invictvs> Why is there no woman page
14:05 < svm_invictvs> That's sexist
14:05 <@krzee> !woman
14:05 <@vpnHelper> "woman" is see !man but with a monthly attitude :D
14:06 < svm_invictvs> lol
14:06 < svm_invictvs> Reminds me of this: https://www.youtube.com/watch?v=pBz0BTb83H8
14:06 <@vpnHelper> Title: How do you write women so well? - YouTube (at www.youtube.com)
14:14 < svm_invictvs> krzee: huzzahhh
14:14 < svm_invictvs> krzee: I think I got it...
14:14 <@krzee> that was quick, goodjob =]
14:15 < svm_invictvs> krzee: I've been futzing with this setup for like a week.  Getting OpenVPN going was pertty easy, getting OpenLDAP working has been nothing but a nightmare.
14:15 < svm_invictvs> I literally had bad dreams about slapd
14:15 <@krzee> time for me to go out
14:15 <@krzee> later
14:22 -!- periheli0n [~Foo@69-196-147-23.dsl.teksavvy.com] has quit [Quit: WeeChat 0.4.3]
14:25 < asturel> what could the reason if the ping fluctioating between the vpn server-client?
14:26 < asturel> if i ping the ip w/o vpn its stable and fine
14:26 < asturel> i tried openvpn over udp and tcp too
14:27 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:29 -!- clyons [~kvirc@host81-152-143-128.range81-152.btcentralplus.com] has joined #openvpn
14:46 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
14:51 -!- BenLue [NoMail@unaffiliated/benlue] has quit [Ping timeout: 250 seconds]
14:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:03 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:07 -!- lorenzo [lorenzo@stellarossa.enlab.net] has quit [Ping timeout: 250 seconds]
15:42 -!- dazo is now known as dazo_afk
15:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:12 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
16:12 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has joined #openvpn
16:13 < jfroot> Has anyone else noticed that the ovpn client on osx does not logout when you logout the user?
16:15 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
16:17 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
16:21 -!- BenLue [NoMail@unaffiliated/benlue] has joined #openvpn
16:39 < BenLue> when im using openvpn via tun i need the ccd config and "add route" "Push route" ?
16:44 -!- mirco [~mirco@ip-62-143-140-41.hsi01.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
16:45 -!- micah [~micah@debian/developer/micah] has joined #openvpn
16:46 < micah> hi, my remote is pushing a route that seems to be accepted by the client, but it doesn't appear in the routing table
16:46 < micah> i see the '/sbin/ip route add...' commands, but when it finishes, the route is not there
16:47 < micah> i can manually add it after and that works fine
16:50 < micah> its a default route... the server has 'redirect-gateway def1' set
17:02 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
17:03 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
17:10 -!- periheli0n [~Foo@69-196-147-23.dsl.teksavvy.com] has joined #openvpn
17:11 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
17:12 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 255 seconds]
17:18 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:21 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:27 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 245 seconds]
17:31 < micah> if I disable network-manager, I no longer have the problem
17:31 < pekster> !netman
17:31 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
17:31 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Quit: mirco]
17:37 -!- BenLue [NoMail@unaffiliated/benlue] has quit [Read error: Connection reset by peer]
17:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:54 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
17:56 < micah> pekster: i'm not using network manager to configure the vpn - but network manager is running and managing my wifi/wired and it seems to be interfering with my vpn
18:04 < pekster> micah: You're using def1, and you see the two /1 routes after the VPN comes up?
18:05 < pekster> That won't adjust your default gateway at all, and it's designed specifically to avoid complication when a local dhcp client (regardless of what start it, n-m or something else)
18:05 < micah> pekster: i see openvpn pushing them, but when network-manager is running, they do not show up in the routing table; if I kill NM and connect to the network manually and then run openvpn, they get added to the routing table fine
18:06 < micah> pekster: when a local dhcp client... (seems like you were going to say more here)
18:06 < pekster> That's really weird. I'm mostly against what n-m does, but I do run it on my laptop for the "convenience" factor. OpenVPN works fine here
18:06 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 245 seconds]
18:06 < micah> pekster: what version of network-manager?
18:06 < pekster> Oh, yea (IRC input is a horrible plaace to do text editing, apparently)
18:06 < pekster> When a dhcp client is managing your gateway ;)
18:07 < pekster> 0.9.8.8
18:07 < micah> yeah, i'm running 0.9.10.0
18:07 < micah> pekster: how can i determine if my dhclient that is run by NM is managing my gateway?
18:08 < pekster> At verb 4 in openvpn, you should see either the `ip` or `route` (depending on how your openvpn was build) commands
18:08 < pekster> It probably is, but you'd have to "ask network manager to show you what it's doing" which IME is usually akin to gouging your eyes out
18:09 < micah> pekster: yep, i see the /sbin/ip route commands
18:09 < pekster> They complete? Without errors? If so, iproute2 thinks the routes were successfully added
18:09 < pekster> And you don't have anything complex like secondary routing tables or the like?
18:09 < micah> yes, but then if I immediately look at the routing table, they aren't there
18:09 < micah> no
18:09 < micah> after openvpn comes up and I see the routes aren't there, I can add them manually
18:10 < micah> and they show up in the routing table
18:11 < pekster> That's very odd. You could try a test that "should also work" by writing a simple --route-up script that simply adds a 0/1 and 128/1 route via your VPN gateway (remember this won't necessarily be 10.8.0.1 unless you're using subnet topology)
18:11 < pekster> I wouldn't really expect that to succeed where the system call from openvpn failed, but it might give you a few more debugging options
18:12 < pekster> eg: `ip route add 0/1 dev tun0 && ip route >> /tmp/vpn-route1.txt || echo "route command failed 0/1" >> /tmp/vpn-route1.txt`
18:12 < pekster> Or something
18:14 < micah> yeah, the problem is not everyone is using linux, so i'll have to find a time when I can do that
18:15 < pekster> The n-m part of your issue is especially odd. I'm no fan of n-m by any means, but I haven't heard this one before
18:15 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
18:16 < micah> well, I run unstable debian, so I tend to be one of the early people to encounter issues
18:16 < pekster> Great, so we can still blame n-m! :P
18:17 < pekster> In any event, a route should never fail to be added after iproute2 tells you it was
18:18 < pekster> Either something is very broken there, or n-m decided you didn't really want it anyway
18:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:45 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 272 seconds]
18:53 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
18:57 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
18:59 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
19:02 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:09 -!- Zimsky-- [~alice@unaffiliated/zimsky] has joined #openvpn
19:14 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
19:19 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Quit: n]
19:19 -!- Zimsky-- is now known as Zimsky
19:57 < micah> pekster: yeah, there is no error in the openvpn logs about the route being added (--verb 4)
20:02 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
20:06 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Quit: Textual IRC Client: www.textualapp.com]
20:17 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
20:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:29 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 264 seconds]
20:45 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Excess Flood]
20:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
20:47 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
20:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:57 -!- drocsid [~bob@unaffiliated/drocsid] has joined #openvpn
20:57 < drocsid> not sure how I want to route my traffic through openvpn
20:59 < drocsid> my setup ( desktop ) -- ( tetherd mobile ) <-------> ( open vpn server )
21:01 < drocsid> I don't even know if it's preferred to use tcp or udp as the transport
21:06 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:07 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:09 < drocsid> don't know if I want to use a bridge or routes
21:09 < drocsid> advice?
21:15 < drocsid> guess it's time to rtfm
21:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:18 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:04 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
22:30 -!- drocsid [~bob@unaffiliated/drocsid] has quit [Ping timeout: 245 seconds]
22:31 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
22:34 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
22:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:43 -!- Chummy [~Chummy@ip205.208-100-19.static.steadfastdns.net] has joined #openvpn
22:44 < Chummy> What should be entered into 'gateway' for openvpn configurations in xfce?
22:49 < Chummy> ^ answer still needed, much appreciated
22:52 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 245 seconds]
23:14 -!- ShadniX [dagger@p5481C669.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:17 -!- ShadniX [dagger@p5DDFF34A.dip0.t-ipconnect.de] has joined #openvpn
23:18 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Read error: Connection reset by peer]
23:40 < Chummy> What should be entered into 'gateway' for openvpn configurations in xfce?
--- Day changed Tue Jul 29 2014
00:03 -!- Chummy [~Chummy@ip205.208-100-19.static.steadfastdns.net] has quit [Quit: /me ran away]
01:23 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:25 -!- Kuba [newc3917@unaffiliated/kuba] has quit [Remote host closed the connection]
01:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:46 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
01:50 -!- clyons|2 [~kvirc@host81-152-143-128.range81-152.btcentralplus.com] has joined #openvpn
01:53 -!- clyons [~kvirc@host81-152-143-128.range81-152.btcentralplus.com] has quit [Ping timeout: 244 seconds]
01:56 -!- clyons|2 [~kvirc@host81-152-143-128.range81-152.btcentralplus.com] has quit [Ping timeout: 244 seconds]
02:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:52 -!- mirco_ [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
02:53 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
02:53 -!- mirco_ is now known as mirco
03:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
03:22 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:40 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
03:44 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
03:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:51 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
04:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
04:00 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:26 -!- mattock is now known as mattock_afk
04:29 -!- mattock_afk is now known as mattock
05:01 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
05:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
05:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-hmknkadhxrbfjysb] has quit [Ping timeout: 240 seconds]
05:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:34 -!- MaX-BR [~MaXBrasil@201-3-207-173.jvece702.dsl.brasiltelecom.net.br] has joined #openvpn
05:37 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
05:46 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:48 -!- kirin` [telex@gateway/shell/anapnea.net/x-hqgipgwkladpqvfm] has joined #openvpn
06:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
06:06 -!- MaX-BR [~MaXBrasil@201-3-207-173.jvece702.dsl.brasiltelecom.net.br] has quit [Ping timeout: 245 seconds]
06:08 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
06:08 -!- Champi [Champi@rootshell.fr] has quit [Ping timeout: 260 seconds]
06:30 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
06:36 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
06:39 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
07:14 -!- dazo_afk is now known as dazo
07:20 -!- chocolate [~AndChat19@177.191.203.162] has joined #openvpn
07:30 -!- chocolate [~AndChat19@177.191.203.162] has quit [Ping timeout: 264 seconds]
07:32 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds]
07:36 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
07:45 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:46 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
07:48 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:48 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
07:49 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
07:52 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
07:53 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
07:54 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:57 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 264 seconds]
08:06 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
08:10 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:13 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: leaving]
08:29 -!- etheraap [~scout@auryn.kernelbug.org] has joined #openvpn
08:29 < etheraap> hola folks
08:31 < etheraap> i'm thinking about building a redundant openvpn setup, simular to the following example; http://www.linuxjournal.com/files/linuxjournal.com/linuxjournal/articles/099/9915/9915f1.jpg
08:31 -!- C-S-B [~C-S-B@host217-42-190-86.range217-42.btcentralplus.com] has joined #openvpn
08:32 <@ecrist> congrats
08:32 < etheraap> can anyone give advise, or best practices etc..
08:33 < etheraap> the article related to the picture makes things over-complicated it think
08:33 < etheraap> (http://www.linuxjournal.com/article/9915)
08:33 <@vpnHelper> Title: Building a Multisourced Infrastructure Using OpenVPN | Linux Journal (at www.linuxjournal.com)
08:38 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has joined #openvpn
08:47 < etheraap> UDP is the protocol ;)
08:48 < etheraap> openvpn
08:48 < etheraap> just regular connections
08:49 < etheraap> have you ever worked with VPN before?
08:51 < etheraap> depends on the mode
08:51 < etheraap> tun or tap
08:52 < etheraap> and routed or p2p?
08:56 -!- jl- [~lao@c-174-60-71-232.hsd1.pa.comcast.net] has joined #openvpn
08:57 < jl-> why does my ssh connection not break when I disconnect my openvpn gui?
08:58 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
08:58 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
08:59 < jl-> now it disconnected
08:59 < jl-> BadCodSmell: can you paste what you/whoever said prior to "the gui is jsut a management interface"
09:00 < jl-> it seems like I got disconnected about 10 mins after disconnecting via gui
09:00 < jl-> :)
09:01 < jl-> possible
09:01 < jl-> the vpn is def. working, confirmed via what's my ip etc.
09:01 < jl-> I was able to access my router too, which is local-only
09:02 < jl-> that pi is working hard :)
09:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:03 < jl-> another question
09:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:03 < jl-> my firewall rule is iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source IP
09:03 < jl-> I've seen other rules using MASQUERADE
09:03 < jl-> anyone care to explain the difference
09:04 < jl-> I seem to remember masq being the better option but not why
09:04 -!- pmylund [pnielsen@2600:3c03::f03c:91ff:fe6e:5d41] has quit [Ping timeout: 240 seconds]
09:06 < etheraap> google it, i'm sure there is more info about the lowlevel stuff
09:06 < etheraap> or try duckduckgo
09:06 < etheraap> works for me ;)
09:07 -!- JoeyJoeJo [~brian@pool-72-86-34-19.clppva.fios.verizon.net] has joined #openvpn
09:07 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:08 < etheraap> search further
09:08 < etheraap> or tcpdump
09:08 < etheraap> i don't believe you
09:09 < etheraap> try to concentrate on your chi while searching, it helps ;)
09:10 < etheraap> or offer small animals to the gods...
09:10 < jl-> why small
09:10 < jl-> why not a WHALE
09:15 -!- eike_52n [~eike@80.156.182.234] has quit [Quit: Verlassend]
09:17 -!- u0m3_ [~u0m3@92.80.87.239] has joined #openvpn
09:18 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 240 seconds]
09:18 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
09:21 -!- u0m3 [~u0m3@92.80.87.239] has quit [Ping timeout: 240 seconds]
09:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:30 -!- larryone [~larryone@180.234.95.133] has joined #openvpn
09:35 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:43 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:56 -!- GrantK [eG5B9OIwRG@bolt.sonic.net] has joined #openvpn
10:00 < GrantK> I have a Server--(VPN)--Client--LAN running.  I can ping Server->Client, Client->Server & Server->LAN.  But NOT LAN->Server.  IIUC, that's generally a routing issue.  Can someone hint at a missing route that needs to be in OpenVPN Server's config ? or point to a good doc that addresses this case?  Been driving me nuts :-/
10:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:15 <@krzee>  Server->LAN.  But NOT LAN->Server.  IIUC, that's generally a routing issue
10:15 <@krzee> no, generally a firewall issue.
10:15 <@krzee> !1way
10:15 <@vpnHelper> "1way" is a 1-way ping between client and server indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
10:16 < GrantK> krzee: hm.  thought I'd got the FW right.  apparently not!  thx -- looking "there" some more.
10:17 <@krzee> np
10:17 -!- larryone [~larryone@180.234.95.133] has quit [Ping timeout: 260 seconds]
10:18 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
10:19 < GrantK> It's all been generally easy if ALL traffic originating from my LAN is to go out over the VPN.  This mini-nightmare of mine comes from trying to figure out getting only specific lanIP:port traffic out over the VPN.  tricky.  for me at least.
10:21 <@krzee> instead of by port (iptables magic) if you can just do by IP its very easy
10:21 <@krzee> otherwise, heres how i do it...
10:21 <@krzee> !routebyapp
10:21 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
10:21 <@vpnHelper> policies you set. For Linux, read about !lartc
10:24 < GrantK> krzee: hadn't considered a proxy.  i've been trying to setup RFC1819 multihoming on LAN boxes, set specific listeners/daemons to use those IPs, and the monkey with routes.
10:26 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:27 -!- u0m3_ is now known as u0m3
10:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:42 < GrantK> !sockd
10:42 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
10:45 < GrantK> krzee: that 'dante conf' link is N/A.  got another config link up your sleeve?
10:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:00 -!- f-zombie [KiloJuliet@pdpc/supporter/student/GPLGeek] has joined #openvpn
11:00 < f-zombie> I know this is more of a networking question than  openvpn connection but does anyone offhand know the rules I should use to forward my openvpn traffic to the internet in ip6tables?
11:01 < f-zombie> I'm on a openvz with a device name of venet0 if that makes a difference
11:05 < pekster> See: !redirect and !openvz
11:06 < f-zombie> !redirect
11:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:06 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:07 < f-zombie> !openvz
11:07 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
11:20 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:47 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
11:51 < jl-> my firewall rule is iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source IP
11:51 < jl-> I've seen other rules using MASQUERADE
11:51 < jl-> anyone care to explain the difference
11:53 < GrantK> jl-: Lots of great explanations online: https://www.google.com/search?q=Difference+SNAT+Masquerade
11:53 <@vpnHelper> Title: Difference SNAT Masquerade - Google Search (at www.google.com)
11:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:04 -!- GrantK [eG5B9OIwRG@bolt.sonic.net] has quit [Quit: GrantK]
12:11 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Ping timeout: 255 seconds]
12:12 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
12:19 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
12:24 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has quit [Ping timeout: 272 seconds]
12:28 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
12:36 -!- blind [~msweeney@unaffiliated/blind] has joined #openvpn
12:36 -!- Sigma00 [~Sigma@198.52.199.8] has joined #openvpn
12:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
12:36 -!- Sigma00 [~Sigma@198.52.199.8] has left #openvpn []
12:37 < blind> Is the freenode webchat purposely banned here?
12:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
13:15 <@dazo> blind: yes
13:33 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
13:33 -!- metaf5 [~metaf5@107.181.166.167] has quit [Remote host closed the connection]
13:37 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 240 seconds]
13:37 -!- bitfury [~bitfury@unaffiliated/bitfury] has joined #openvpn
13:39 < bitfury> hey guys so I have this weird issue with one of my clients where his remote route I'm pushing through the server gets deleted
13:39 < bitfury> right after connecting
13:40 < bitfury> Tue Jul 15 14:13:03 2014 C:\windows\system32\route.exe DELETE 10.211.0.0 MASK 255.255.0.0 172.16.208.41
13:40 < bitfury> ^ from the log file, anyone know why this is?
13:41 < bitfury> He's on a windows 8 box
13:41 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
13:42 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
13:51 -!- MrDoctor [~anirban.m@unaffiliated/apostasy] has joined #openvpn
13:53 < MrDoctor> I have internet connectivity accessible from proxy servers in my college. We have ports 80, 8080 and 443 open. I am using openvpn to connect to the internet. I have a question. Is my internet traffic routed first to the proxy server and then to the VPN, or is it directly routed to the VPN, completely bypassing the proxies. In a scenario when none of the proxy servers are working, would the
13:53 < MrDoctor> VPN still continue to work?
13:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
14:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:05 -!- mode/#openvpn [+v s7r] by ChanServ
14:36 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Read error: Connection reset by peer]
14:37 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
14:43 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
14:45 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
14:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
14:54 -!- mattock is now known as mattock_afk
15:11 < etheraap> VPN will bypass the proxy
15:11 < etheraap> but only if other ports are not blocked
15:12 < etheraap> anyway you could run your VPN server un port 443
15:12 < MrDoctor> I am doing that itself
15:12 < MrDoctor> Many thanks for the information etheraap
15:15 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
15:15 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
15:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
15:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:24 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Ping timeout: 240 seconds]
15:24 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
15:36 -!- mode/#openvpn [+v debbie10t] by ChanServ
15:36 <+debbie10t> test
15:37 < cyberanger> Error: Invalid test parameters
15:37 -!- mode/#openvpn [-v debbie10t] by ChanServ
15:39 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
15:42 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
15:50 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Read error: Connection reset by peer]
15:51 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
15:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:59 -!- dazo is now known as dazo_afk
16:02 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Ping timeout: 264 seconds]
16:03 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
16:07 -!- MrDoctor [~anirban.m@unaffiliated/apostasy] has quit [Read error: Connection reset by peer]
16:07 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
16:11 -!- earthian [~ea@gw.uk.fostral.net] has joined #openvpn
16:12 < earthian> Hello, I have set up an openvpn server with address 10.128.0.1. The network interface configuration says 10.128.0.1, P-t-P 10.128.0.2, mask: 255.255.255.255. What is the 10.128.0.2???
16:14 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Remote host closed the connection]
16:15 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
16:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:24 -!- bitfury [~bitfury@unaffiliated/bitfury] has quit [Quit: Leaving]
16:34 < Eugene> !/30
16:34 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
16:37 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:42 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Quit: mirco]
16:43 < earthian> Thanks! :)
16:44 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
16:47 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:52 -!- croepha [~croepha@199.9.63.130] has joined #openvpn
16:52 < croepha> !welcome
16:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:53 < croepha> !goal
16:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:56 < croepha> I am trying to setup a openvpn config with failover, I am using udp and keepalive, I have multiple connection profiles, on a connection failure, it is restarting (via ping-restart via keepalive) The connection restarts, but it keeps using the first connection profile, is there a way that I can make it cycle through the connection profiles on a failure?
16:58 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Read error: Connection reset by peer]
16:59 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
17:09 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:12 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Read error: Connection reset by peer]
17:12 -!- camden [~camden@camdenbuzard.com] has joined #openvpn
17:12 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
17:13 <@krzee> croepha, multiple remote entries, optional --remote-random
17:14 < croepha> krzee: kk, thanks
17:14 <@krzee> hmm looks like connection blocks should do that too tho
17:15 < croepha> i guess i was hoping it would do it in squence, but ping-restart seems to start from the beginning
17:15 <@plaisthos> croepha: it shouldn't
17:15 <@plaisthos> it will retry the last one and then move to the next
17:15 <@plaisthos> iirc
17:16 < camden> hi folks. I'm trying to get a basic openvpn tunnel working between a client machine and a vps. the tunnel is working, in that I can talk between server and client over the 10.8 addresses, but I cannot access the internet with the client. server conf: http://pastebin.com/UFE6Nvmy client conf: pastebin.com/y4XSRM8v
17:16 <@plaisthos> (unless you used remap-usr1)
17:16 <@krzee> camden,
17:16 < croepha> plaisthos: i have not
17:16 <@krzee> !redirect
17:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:16 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:16 <@krzee> use flowchart at last link
17:17 <@krzee> im guessing your problem is either ip forwarding or firewall
17:18 < camden> krzee: thank you. I enabled ipv4 forwarding, and my firewall rules are (currently) default allow. I will examine the documentation you've provided and get back.
17:18 <@krzee> camden, if its just default allow thats the problem
17:18 <@krzee> you must NAT the vpn subnet
17:18 <@krzee> !linnat
17:18 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
17:20 < camden> !openvzlinnat
17:23 < camden> !openvzlinnat
17:23 < croepha> this is the config I am expirementing with www.privatepaste.com/9446a03b01
17:23 < croepha> btw
17:23 < croepha> just added the remote-random option
17:25 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Ping timeout: 264 seconds]
17:25 < camden> I have enabled forwarding, and I have enabled nat as instructed in the openvpn documentation. I am pushing "redirect-gateway def1"
17:26 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has joined #openvpn
17:26 < camden> I added the nat rule via: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o vmnet0:0 -j MASQUERADE
17:27 < camden> ohh possibly I need to use SNAT
17:29 < croepha> anyway remote-random works for me, but if anyone figures out why the connections aren’t sequential then I would be interested to know why
17:29 <@krzee> !openvznat
17:29 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP> or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
17:30 < camden> krzee: thanks, I'll try that
17:30 <@krzee> remember to remove the others too
17:30 < camden> krzee: willdo
17:33 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:35 < camden> aha. my server is forwarding traffic without natting it.
17:37 <@krzee> see, firewall =]
17:37 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
17:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:47 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
17:54 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:05 < camden> krzee: thanks a million, you've been a huge help
18:05 < camden> it is now working
18:14 -!- f-zombie [KiloJuliet@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 240 seconds]
18:20 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
18:30 -!- croepha [~croepha@199.9.63.130] has quit [Quit: croepha]
18:31 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:42 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:42 -!- periheli0n [~Foo@69-196-147-23.dsl.teksavvy.com] has quit [Quit: WeeChat 0.4.3]
18:52 -!- croepha [~croepha@199.9.63.130] has joined #openvpn
19:00 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 250 seconds]
19:03 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
19:07 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
19:08 < pekster> camden: No clue if you figured this out yet, but aliases are _NOT_ interface in Linux
19:08 < pekster> That's ancient and broken network on Linux that's been dead for a decade
19:08 < pekster> !ifconfig_sucks
19:08 < pekster> !ifconfig_linux
19:08 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
19:11 -!- earthian [~ea@gw.uk.fostral.net] has quit [Ping timeout: 255 seconds]
19:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
19:56 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
20:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:19 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
20:32 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
20:51 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
20:52 -!- Chiftin [~Chiftin@host86-177-225-27.range86-177.btcentralplus.com] has quit [Read error: Connection reset by peer]
21:14 -!- LuisM [~luism@unaffiliated/luism] has left #openvpn []
21:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:30 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:45 -!- GrantK [SzzFiZtd8o@bolt.sonic.net] has joined #openvpn
21:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
21:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:28 -!- GrantK [SzzFiZtd8o@bolt.sonic.net] has quit [Quit: GrantK]
22:40 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:14 -!- ShadniX [dagger@p5DDFF34A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:16 -!- ShadniX [dagger@p5DDFE771.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
23:52 -!- croepha [~croepha@199.9.63.130] has quit [Quit: croepha]
--- Day changed Wed Jul 30 2014
00:34 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
00:37 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
00:57 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
00:58 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
00:58 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
01:03 -!- mattock_afk is now known as mattock
01:27 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has joined #openvpn
01:34 < jonascj> Hi all. I have a network a.b.c.d/24 and I want clients connecting to my open vpn server to be able to access this network. Does that mean I should have "server a.b.c.d 255.255.255.0" in my server configuration? I think not (i.e. I think that is wrong, based on some vague memory of a previous openvpn conf), but I cannot see how trafic is routed (tun) between the client's network and a.b.c.d/24 without mentioning at least the a.b.c
01:39 < jonascj> Is traffic as default simply routed between the client's network and whatever network the openvpn server host is attached to? E.g. the tun-device created will be created against whatever NIC exist in the open vpn machine (host)?
01:48 < snappy> ok, suppose your clients are on 1/24 and your servers are on 2/24. I think it is simple as pushing a route to clients for 2/24. And on the network connected to the server, routing 1/24 to the openvpn gateway.
01:48 < snappy> (or manually injecting routes on all servers)
01:49 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:49 < snappy> https://openvpn.net/index.php/open-source/documentation/howto.html <-- see the section in the config for pushing routes - pretty much what you're asking.
01:49 <@vpnHelper> Title: HOWTO (at openvpn.net)
01:50 < jonascj> snappy: I must have overlooked it - I'll ahve a look, thanks!
01:50 < snappy> if you already push redirect-gateway, then you don't have to do anything on the clients end (assuming the server subnet is unambigious)
01:50 < snappy> er unambiguous is not the right term, more like non-overlapping with any of the clients routing tables (e.g. 192.168.0.0 is probably not a good choice for a server subnet)
01:51 < jonascj> snappy: right now I do not have any push route or push redirect-gateway. So I could either push a route to my a.b.c.d/24 net or I could push redirect-gateway
01:52 < jonascj> snappy: and dont worry, 192.168.0.0 is not my server subnet :)
01:53 < jonascj> eg. 'push "route a.b.c.d 255.255.255.0"' would do the trick
02:17 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has quit [Quit: Reconnecting]
02:17 <@krzee> sup
02:19 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
02:23 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has joined #openvpn
02:30 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has quit [Ping timeout: 245 seconds]
02:30 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has joined #openvpn
02:36 < jonascj> snappy: it seemed to work with just a single push a.b.c.d 255.255.255.0 , thanks!
02:47 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has quit [Ping timeout: 260 seconds]
02:48 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has joined #openvpn
02:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:56 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:57 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
03:00 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
03:00 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
03:03 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
03:09 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
03:13 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
03:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
03:16 -!- zapotek6 [~zap@mail.comelit.it] has quit [Ping timeout: 250 seconds]
03:16 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
03:17 -!- zapotek6 [~zap@213.149.219.85] has quit [Max SendQ exceeded]
03:19 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
03:19 -!- zapotek6 [~zap@mail.comelit.it] has quit [Max SendQ exceeded]
03:20 -!- jonascj [~jonas@194-239-236-19-hotspot.dk.customer.tdc.net] has quit [Ping timeout: 255 seconds]
03:24 -!- zapotek6 [~zap@mail.comelit.it] has joined #openvpn
03:24 -!- zapotek6 [~zap@mail.comelit.it] has quit [Read error: Connection reset by peer]
03:29 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
04:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
04:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:12 -!- mode/#openvpn [+o syzzer] by ChanServ
04:12 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
04:18 -!- notorious_ [~notorious@81.82.195.68] has joined #openvpn
04:19 < notorious_> hi all, ive setup an openvpn tap tunnel
04:19 < notorious_> the client log gets spoofed with openvpn[445]: Extracted DHCP router address:
04:20 < notorious_> (including ip)
04:20 < notorious_> how can i force the client to stop searching for the dhcp router address and set one statically?
04:21 < notorious_> any help much appreciated
04:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:26 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
04:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
04:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:44 -!- agentbob_ [anonymoose@unaffiliated/agentbob] has joined #openvpn
04:44 -!- Netsplit *.net <-> *.split quits: gardar, Six6siX, _FBi, AsadH, yoavz, jgeboski, @dazo_afk, agentbob, @mattock, Cultist,  (+3 more, use /NETSPLIT to show all of them)
04:44 -!- Netsplit over, joins: dazo_afk
04:44 -!- mode/#openvpn [+o dazo_afk] by ChanServ
04:44 -!- mode/#openvpn [+o mattock] by ChanServ
04:44 -!- Netsplit over, joins: mattock
04:45 -!- Netsplit over, joins: Six6siX, yoavz
04:45 -!- dazo_afk is now known as dazo
04:45 -!- gardar [~gardar@82.221.78.13] has joined #openvpn
04:46 -!- Netsplit over, joins: azizLIGHT
04:46 -!- Netsplit over, joins: jgeboski
04:47 -!- Netsplit over, joins: AsadH
04:47 -!- Netsplit over, joins: lbft, Cultist
04:53 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
05:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
05:16 < shiin> Ive setup openvpn on my root server, which is a cluster of virtual machines with only one gateway. I want to use openvpn to access some services that I prefer not to expose to the wide open internet. I have my own bind9 and dhcpcd already, which handles all internal vms addresses and names. is there a common way to make openvpn use my already existing dhcp, or is it preferred to rely on the openvpn internal dhcp instead?
05:25 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:34 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
05:36 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
05:37 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
05:41 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 240 seconds]
05:42 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
05:49 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 264 seconds]
05:51 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
05:54 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
06:04 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
06:04 -!- jonascj [~jonas@94.144.50.91] has quit [Quit: Lost terminal]
06:35 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
06:37 < jonascj> Hi all. I have setup an openvpn server and I am able to connect succesfully using openvpn as client. I can however not access clients on the lan a.b.c.d/24 on which the VPN server is located. I have a push route command. My server config, routes and adapter ip of the windows client can be seen here: http://paste.linuxassist.net/view/e36c5dbf
06:39 < jonascj> I have added the openvpn server host ip configuration to this paste: http://paste.linuxassist.net/view/8a21edf5
06:39 -!- theahindle [~ahindle@cloud.smellynose.com] has joined #openvpn
06:39 < jonascj> Do I need to add a route on the vpn server host to route trafic between the vpn server range and the a.b.c.d/24 network?
06:42 < jonascj> And again adding the routing table from the openvpn host: http://paste.linuxassist.net/view/d69396ab
06:45 < jonascj> Yeah, now I think I need to add such a route. https://openvpn.net/index.php/open-source/documentation/howto.html says it is only necessary if the lan gateway and the vpn server is not the same machine and it my case it is not.
06:45 <@vpnHelper> Title: HOWTO (at openvpn.net)
06:51 < ZeDestructor> Hi. I have the same problem as jonascj. My server.conf: http://sprunge.us/OiOO ; my client.conf: http://sprunge.us/bENE
06:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
06:54 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:54 -!- mode/#openvpn [+o mattock] by ChanServ
06:54 < renihs> jonascj, i would assume, that the hosts you are contacting (through the tunnel) answer to their default gateway
06:54 < renihs> not to the "vpn gateway"
06:54 < ZeDestructor> for general traffic, yes
06:54  * renihs hasnt looked at any paste though
06:55 < ZeDestructor> tl;dr:if I ssh into the VPN host, I can ping stuff on the VPN's LAN, but if I try to do the same through the VPN connection from my laptop, I can't
06:56 < ZeDestructor> I can ping both the VPN provided gateway in the VPN address space and the VPN box itself using the VPN's LAN address
06:56 < jonascj> renihs no worries about the pastes. I would say yes, if the vpn default gateway is whatever you sepcify in the "server network subnet" directive (maybe .1 on that network) then no, the hosts on my LAN do not know about that gateway
06:57 < jonascj> ZeDestructor: I too can ping the vpn host it self using its LAN ip (not the vpn gateway ip), but that is to be expected I think since you are connected directly to that machine. That ping does not have to go through a gateway to reach its target
06:57 < ZeDestructor> indeed
06:57 < ZeDestructor> I've also enabled IP forwarding, as advised by the HOWTO
06:57 < renihs> jonascj, i do not catch your drift, however your "vpn client" sends request to host a.b.c.d inside the LAN -> host a.b.c.d will attempt to answer to the default gateway unless you specified otherwise
06:58 < renihs> are you routing the host (lan) responses through the vpn gw?
06:58 < ZeDestructor> perhaps a missing line in the routing table?
06:58 < renihs> sniffing will tell
06:59 < jonascj> ZeDestructor: I think we both need another route added - I am just trying to figoure out which when my VPN network (as specified in the openvpn config) is 10.116.230.0/24 and the LAN I wish to talk to is 10.191.244.0/24
06:59 < ZeDestructor> have some traceroute: http://pastebin.kde.org/pmcivr0ds/ur17on
07:00 < ZeDestructor> 10.x is the VPN's LAN
07:00 < ZeDestructor> 10.0.0.4 is the VPN box
07:00 < ZeDestructor> 172.31.255.x is the VPN AS
07:00 < ZeDestructor> looks like it is correctly going through the VPN gateway
07:02 < jonascj> VPN AS?
07:02 < ZeDestructor> AS = Address Space
07:02 < jonascj> okay so the VPN's LAN is the lan on which the VPN host machine is located?
07:03 < ZeDestructor> yes
07:03 < jonascj> Regarding routes I do not think (hope, really) that all the machines on the VPN LAN (the machines I want to talk to through the vpn) needs to have routes added to them.... I hope I can make due with a route on the vpn hsot machine
07:04 < ZeDestructor> VPN LAN, the AS the VPN natively lives on is 10.0.0.0/8, the AS my local client lives on is 172.16.0.0/23 and the VPN AS is 172.31.255.0/24
07:05 < jonascj> ZeDestructor: yup, I get you. Your setup seems like mine exactly and our problems exactly alike
07:07 < jonascj> ZeDestructor: your vpn host is that a linux machine?
07:07 < ZeDestructor> all linux here
07:07 < jonascj> ZeDestructor: we could also be missing a forward rule (like in iptables)
07:10 < ZeDestructor> possible
07:11 < jonascj> ZeDestructor: the more I think back on previous setup's I've had with this functionality and the more google searches I do I seem to think we need two forwarding rules like here: http://unix.stackexchange.com/questions/55791/port-forward-to-vpn-client (first answer)
07:11 <@vpnHelper> Title: iptables - Port forward to VPN Client? - Unix & Linux Stack Exchange (at unix.stackexchange.com)
07:12 < jonascj> I seem to recall I had that (just not for a given port, but for all trafic) on a previous setup with a ddwrt router running openvpn
07:15 < renihs> ZeDestructor, so e.g if you attempt to reach 10.0.0.5 from the vpn clients -> it does not work?
07:16 < renihs> ZeDestructor, assuming you use routing (and not SNAT) for the vpn clients, please show the routing table for 10.0.0.5 (or the host you attempt to contact)
07:16 < jonascj> renihs: except I do not knwo the answer on ZeDestructor's behalf, that is my situation.
07:16 < renihs> unless the gw is 10.0.0.4 it proably wont work
07:16 < renihs> you could snat the the vpn clients, in which case answers will automatically go back to the vpn gw
07:16 < ZeDestructor> renihs: yup. I can't ping 10.0.0.5
07:17 < renihs> but that is not as neat, since you wont be able to differe vpn clients (all appear to have the same address, 10.0.0.4)
07:17 < jonascj> renihs: what is not neat?
07:17 < renihs> not as cool :)
07:17 < renihs> nice
07:18 < ZeDestructor> here's the output of ip r on 10.0.0.5
07:18 < jonascj> renihs: I meant what was not neat/cool, but you mean that your snat suggestion is not cool?
07:18 < ZeDestructor> default via 10.0.0.1 dev eth0
07:18 < ZeDestructor> 10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.5
07:18 < renihs> if you do source nating on the vpn gateway, for the hosts on the lan requests will appear to come from the vpn gateway (instead the internal vpn client ip)
07:18 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Ping timeout: 260 seconds]
07:18 < renihs> ZeDestructor, then it cant work
07:18 < renihs> unless you SNAT
07:18 < renihs> the vpn client requests
07:18 < ZeDestructor> ok
07:19 < ZeDestructor> now, how do I do that
07:19 < jonascj> ZeDestructor: head to #netfilter :)
07:19 < renihs> iptables -t nat -A POSTROUTING -o eth0 -s <your vpn client network range/mask> -d 10.0.0.0/24 -j MASQUERADE
07:19 < renihs> would be a very ugly/simple approach
07:19 < renihs> on the vpn gw
07:19 < jonascj> renihs: why ugly
07:20 < renihs> because its not very specific, taste i suppose
07:20 < renihs> that is, assuming you have ip_forwarding enabled and the firewall allows requests :)
07:20 < renihs> the vpn gateway firewall
07:21 < renihs> that line will make all vpn client requests appear to be coming from the vpn gateway at 10.0.0.4
07:21 < renihs> for the hosts on the LAN
07:22 < jonascj> renihs: ah yes, and that could cause trouble if they rely on seeing the correct IPs
07:22 < renihs> probably, i dont know the purpose nor the setup
07:23 < renihs> it still can be matched with the openvpn logs, but not as comfy as seeing 172.x.x.x.x on the target host directly
07:23 < renihs> or whatever the vpn network range is
07:23 < jonascj> renihs: of course not - I just proposed that setups where thta might be a problem could exist (I think they do)
07:23 < renihs> well, problems shouldnt be expected, unless you mean security aspects and management
07:23 < renihs> technically that works :)
07:24 < jonascj> renihs: applications on the host could expect a certain IP etc. Seeing all trafic comming from the masqurading vpn server might screw things up (I will not in my case)
07:24 < renihs> that the network administrator should be able to answer :)
07:26 < jonascj> renihs: you perfectly well that most people asking in here are the "network adminstrator" on the network on which they fool around :P
07:27 < jonascj> *perfectly well know (I suppose)
07:28 < ZeDestructor> yay working
07:28 < ZeDestructor> thanks a bunch
07:28 < ZeDestructor> and tomorrow I try to pipe all the traffic through...
07:29 < jonascj> renihs: So if my VPN hands 10.116.230.x out to connecting clients and the VPN server it selv sits on network 10.191.244.0/24 (on which there are hosts I would like to talk to through the VPN tunnel) should I do:
07:29 < jonascj> iptables -t nat -A POSTROUTING -o eth0 -s 10.116.230.0/24 -d 10.191.244.0/24 -j MASQUERADE
07:29 < jonascj> ?
07:30 < renihs> yeah that should do it assuming the -s is the vpn network, -d is the LAN and eth0 is the device facing the lan
07:31 < renihs> assuming ip_forwarding is enabled and also assuming there are no filter rules preventing it
07:31 < renihs> cat /proc/sys/net/ipv4/ip_forward should be "1"
07:32 < jonascj> renihs: forwarding is enabled. -d (10.191.244.0/24) is the network on which eth0 of the openvpn server machine is connected. -s (10.116.230.x) is the network on which the VPN clients gets IPs
07:33 < ZeDestructor> now, to make that permanent on an opensuse host
07:33 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
07:34 < jonascj> ZeDestructor: iptables-save/reload maybe?
07:35 < ZeDestructor> that gets me what should go in the file
07:35 < ZeDestructor> suse uses it's own firewall tool that regens the rules from scratch every time
07:35 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
07:36 < renihs> iptables-save will only print the active rules
07:36 < renihs> usually, the init script takes care of that
07:36 < renihs> likew /etc/init.d/iptables save
07:38 < jonascj> renihs: ah yes, maybe suse has a package like debian's "iptables-persistent"
07:38 < renihs> i dont think a "package" is required for that
07:38 < renihs> it simply dumps the output of iptables-save and it should restore it the same way from that file with iptables-restore
07:38 < renihs> its like 1 line, no magic needed :)
07:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:41 < jonascj> renihs: I think the debian package "iptables-persistent" simply is a collection of scripts which do iptables-save and iptables-reload on shutdown and startup respectively :)
07:43 < renihs> maybe :)
07:44 < renihs> i wouldnt know, sometimes it feels debian employs the motto "why easy when complicated can work as well" :)
07:44 < renihs> i see the point just dont fully understand the reasons :)
07:46 < jonascj> renihs: I think it is because not everyone is comfortable or skilled enough to make those setup them selves. Then debian (being old as hell) have a pretty broad selection of packages which do all the most common things :)
07:46 < jonascj> My masquarde worked as well, btw, thanks a lot!
07:47 < jonascj> What would the alternative be? To add a route on all the LAN hosts (those I want to talk to through the vpn tunnel) such that they know where to access the VPN network (the addresses handed out to the vpn clients)?
07:49 < renihs> you would need to add a route (to the vpn gateway) for the vpn network  on the target hosts
07:49 < renihs> OR adjust your default gatway so that it routes packets to the vpn gateway
07:49 < renihs> because lan host will answer to default gw -> default gateway doesnt know the network and will pass it on to its default gw or drop it
07:58 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
07:58 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
08:01 < jonascj> renihs: okay - I'll have to try that out somewhere safe, someday, because it sounds like a better solution :)
08:01 < renihs> usually router is "better" then nating :)
08:01 < renihs> s/router/routing/
08:03 -!- Esya is now known as Blahblahblah
08:03 -!- Blahblahblah is now known as Esya
08:04 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
08:04 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
08:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
08:11 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 245 seconds]
08:13 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:15 < etheraap> Hi guys, a question; on my server i conigured this subnet; 10.50.0.0 255.255.248.0, the vpn gateway is automatically at 10.50.0.1, is there any way to change this gateway address?
08:15 < etheraap> i could not find it in the docs or google..
08:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:22 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
08:35 <@dazo> etheraap: I guess you used --server ... read the man page carefully about --server option, and you'll see it's basically a kind of "macro" which does more stuff.  You can do all that stuff manually in your config as well
08:39 < etheraap> @dazo: i used --server indeed, and i did take a look at the manpage but did not find an answer yet, but i'll dive deeper
08:39 <@dazo> etheraap: The "macro" is explained after the sentence "For example, --server 10.8.0.0 255.255.255.0 expands as follows
08:41 < etheraap> @dazo: i read that part, and it says something about pushing a gateway to the clients, but not how to change the server gw address
08:41 <@dazo>                      ifconfig 10.8.0.1 10.8.0.2
08:41 <@dazo>                        ifconfig-pool 10.8.0.4 10.8.0.251
08:41 <@dazo>                    if dev tap OR (dev tun AND topology == subnet):
08:41 <@dazo>                      ifconfig 10.8.0.1 255.255.255.0
08:41 <@dazo>                        ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
08:42 < etheraap> does that represent the vpn gw?
08:43 <@dazo> The ifconfig option is used to configure the server side VPN IP address
08:43 < etheraap> aah
08:43 <@dazo> which you would have seen, if you then had looked up --ifconfig in the man page
08:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
08:46 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
08:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:48 < etheraap> so ifconfig 10.50.2.1 255.255.248.0 should set the gateway to 10.50.2.1?
08:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
08:53 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
08:55 <@dazo> etheraap: yes ... but iirc, you cannot use --ifconfig and --server.  You need to do all the "magic" --server does for you as well
08:55 <@dazo> if you switch to --ifconfig
08:57 < etheraap> aha
08:57 < etheraap> thanks :)
09:02 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
09:07 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
09:16 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 256 seconds]
09:28 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
09:30 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
09:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
09:40 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
09:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
09:45 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
09:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
09:53 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
09:58 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 255 seconds]
09:58 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
10:00 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
10:04 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
10:04 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:04 -!- jonascj [~jonas@94.144.50.91] has joined #openvpn
10:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
10:12 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
10:14 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
10:29 -!- croepha [~croepha@199.9.63.130] has joined #openvpn
10:42 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 256 seconds]
10:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:57 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
11:00 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:08 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
11:11 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has quit [Ping timeout: 245 seconds]
11:15 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has joined #openvpn
11:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:29 -!- jonascj [~jonas@94.144.50.91] has quit [Ping timeout: 255 seconds]
11:31 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
11:31 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:33 -!- camden [~camden@camdenbuzard.com] has quit [Quit: quit]
11:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
11:40 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:44 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 272 seconds]
11:55 -!- jonascj [~jonas@94.144.63.136] has joined #openvpn
11:55 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:58 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
12:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
12:40 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:44 < jl-> hi I can connect to my openvpn fine, I get the IP, I can access local lan, everything seems to be working just fine but I'm noticing the following error in the status on my win openvpn gui
12:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:44 < jl-> ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=17]
12:44 < jl-> env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
12:44 < jl-> Initialization Sequence Completed
12:44 -!- Netsplit *.net <-> *.split quits: AsadH, _FBi
12:49 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
12:52 < jl-> any suggestions on resolving this issue?
13:15 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:23 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
13:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
13:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:24 -!- mode/#openvpn [+v s7r] by ChanServ
13:24 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
13:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:29 -!- eike_52n [~eike@80.156.182.234] has quit [Quit: Verlassend]
13:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
13:45 <@krzee> jl-, show whole log
13:45 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
13:46 <@krzee> verb 4 please
13:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
13:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:00 -!- mattock is now known as mattock_afk
14:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:19 -!- e87hd [~e87hd@184.75.221.26] has joined #openvpn
14:20 < e87hd> I need help with an OpenVPN connection. I am using Lubuntu and connecting to a paid VPN service. That is working great! However, I need to be able to access some HTTP services on a local port on this machine. While I am connected to the VPN, I am unable to make a connection on that local port. If I turn it off, it works. Is there something I need to configure to make this possible?
14:33 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
14:53 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Quit: mirco]
14:56 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
14:58 < andi> Hi, is that possible to have a bridged openvpn client? What I'd like to do is: I have a lan and I'd like to connect to a vpn to get an ip of exactly this lan, but having the vpn server not where the lan is.
15:07 < jl-> krzee: whole log: http://paste.debian.net/hidden/17750a1b/
15:10 -!- dazo is now known as dazo_afk
15:14 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has joined #openvpn
15:15 < soffio> does "--secret file [direction]" help with security? :)
15:16 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has quit [Remote host closed the connection]
15:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
15:16 -!- jonascj [~jonas@94.144.63.136] has quit [Ping timeout: 245 seconds]
15:17 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has joined #openvpn
15:17 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
15:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
15:22 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
15:23 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has left #openvpn []
15:26 < e87hd> !heartbleed
15:26 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
15:26 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
15:31 -!- Butterduck [~Butterduc@unaffiliated/butterduck] has joined #openvpn
15:33 < Butterduck> Hello I have a strange issues with Virtual Machines and OpenVPN. When I connect and use BitTorrent it really bogs down the whole network but it is throttled down to 200 kbps. I am on a 40 MB connection. Any clue why?
15:33 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 30.0/20140605174243]]
15:33 < Butterduck> Works just fine raw without OpenVPN connection established.
15:34 < Butterduck> My only guess is router but it seems fine on non-virtual machine. Very annoying issue.
15:35 < Butterduck> Is there anything I can do to optimize the VPN or something?
15:40 <@krzee> jl-, show us your routing table before and after running the vpn
15:41 <@krzee> i have to go but that will help someone else im sure, it looks like the route that is being attempted to be added exists
15:49 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 260 seconds]
15:53 -!- Butterduck [~Butterduc@unaffiliated/butterduck] has left #openvpn []
16:15 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
16:16 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
16:17 -!- earthian [~ea@gw.uk.fostral.net] has joined #openvpn
16:22 < earthian> Hello, I am trying to set network so that two remote LANs A and B are reachable for each other via router's tun0 interface. A network router is the openvpn server, B network router is the openvpn client. What route options should I set up on the network A to be able to ping LAN of network B and vice versa?
16:23 < earthian> p.s. client-to-client is enabled as well as the ifconfig-pool-linear
16:24 < earthian> so clients have P-t-P IPs of the server - 10.128.0.1. The network B router vpn is 10.128.0.16
16:24 < earthian> Server's P-t-P is 10.128.0.2,however!
16:25 < Eugene> !route
16:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
16:25 <@vpnHelper> client
16:25 < Eugene> !clientlan
16:25 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
16:25 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
16:25 < Eugene> !serverlan
16:25 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:25 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:25 < Eugene> Read ^
16:28 < earthian> thanks!
16:39 < e87hd> Posting this again, because I did not get a response:
16:39 < e87hd> I need help with an OpenVPN connection. I am using Lubuntu and connecting to a paid VPN service. That is working great! However, I need to be able to access some HTTP services on a local port on this machine. While I am connected to the VPN, I am unable to make a connection on that local port. If I turn it off, it works. Is there something I need to configure to make this possible?
16:40 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:40 < etheraap> e87hd: that sounds strange...
16:41 < etheraap> did you check netstat to see on if the local http service is still listening while your vpn is on?
16:44 < e87hd> no
16:44 < e87hd> let me check that
16:44 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:46 < e87hd> what is the netstat command for listing open ports?
16:47 < etheraap> netstat -tunlp
16:47 < etheraap> will give you also the process that's listening on each port
16:51 < e87hd> its there
16:51 < e87hd> tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -
16:52 < etheraap> try telnet
16:52 < etheraap> see what happens
16:52 < etheraap> but this is really basic stuff
16:53 < e87hd> ok, hold on
16:53 < etheraap> i'm sure you can investigate a little further from here
16:55 < e87hd> failing
16:55 < e87hd> telnet to my public ip on port 8081 nothing happens
16:56 < etheraap> public ip? you said it runs on you local machine
16:57 < e87hd> it does
16:57 < e87hd> I am trying to get at it remotely
16:57 < e87hd> locally it works fine
16:57 < e87hd> from another machine on my local network
16:58 -!- raidz is now known as raidz_away
16:58 < e87hd> but from a disparate network it will not
16:59 < etheraap> did you try telnet from the other machine on your network?
17:11 < e87hd> no
17:11 < e87hd> I could do that
17:11 < e87hd> but HTTP is working, so the telnet test would not prove anything
17:11 < e87hd> its just strange
17:11 < e87hd> I am not sure why locally another machine could HTTP to it
17:12 < e87hd> but NAT'd through the router, it does not
17:12 < e87hd> o_0
17:13 < etheraap> you should meditate for a while and try again, if you gonna ask for help again it would be helpful to describe the complete scenario for your irc amigos
17:15 < e87hd> ok
17:15 < e87hd> let me do that
17:18 < etheraap> this could be a great help; http://www.youtube.com/watch?v=Jyy0ra2WcQQ
17:18 <@vpnHelper> Title: Guided Meditation - Blissful Deep Relaxation - YouTube (at www.youtube.com)
17:35 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
17:35 -!- raidz_away is now known as raidz
17:47 < earthian> !route_outside_vpn
17:48 < earthian> :(
18:10 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
18:50 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
19:02 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
19:12 -!- earthian [~ea@gw.uk.fostral.net] has quit [Ping timeout: 245 seconds]
19:16 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
19:22 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
19:25 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:25 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
19:29 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
19:37 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
19:42 -!- poopdiesel [~a27caf18@31.6.30.166] has joined #openvpn
19:45 < poopdiesel> hello room. I recently upgraded my home broadband connexion to some 100Mbps GPON fiber. Since then, when i saturate the upsream  way of said pipe i get hundreds of such error messages:
19:45 < poopdiesel> Thu Jul 31 02:23:02 2014 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #193434 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
19:46 < poopdiesel> I assume no one is trying to MITM the tunnel or anything like that. I don't use QoS either for that connexion at the OS level. What could be the cause ? isp ? modem/router ? os ?
19:46 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
19:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
19:47 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
19:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:50 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
19:59 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:59 < pekster> poopdiesel: Increase your --replay-window as indicated by the message
19:59 < pekster> !man
19:59 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:59 < pekster> Use --verb 4 which will indicate the amount you have exceeded your existing window by for tuning suggestions
19:59 < pekster> See: !verb for details if you've never heard of the --verb directive
20:00 < poopdiesel> i'll increase the verbosity and try again, thank you very much
20:01 < pekster> TBH I'd recommend about 200%, give or take, of whatever your max exceeded value is during normal circumstances
20:02 < poopdiesel> understood, i will try this fix right now. Thank you Pekser. I've been using openvpn everyday for many years without ever encountering that problem.
20:02 -!- poopdiesel [~a27caf18@31.6.30.166] has quit [Quit: "trying the fix, thanks everyone"]
20:04 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
20:11 -!- fred`` [fred@earthli.ng] has joined #openvpn
20:57 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:02 -!- poopdiesel [~a27caf18@31.6.30.6] has joined #openvpn
21:04 < poopdiesel> Hello again, after narrowing down the window to the maximum while at the same time eliminating replays and allowing for a small margin i settled down with "replay-window 2048 5". Is that a value i should be concerned about ? It would allow for roughly 35 million replays every hour. Would that allow some hypothetical oracle to be exploited when it's not possible with default settings ?
21:34 < pekster> Not really. It's just a factor of your link speed combined with latency
21:34 < pekster> You have a fast link, so regardless of how much latency you get, you can expect some natural packet re-ordering since UDP does not provide ordered delivery
21:35 < pekster> If you have even small amounts of latency/jitter, it will multiply the effect of how many packets "backwards" you need to accept. Think of it basically like the TCP sliding window in terms of operation
21:35 < pekster> On a fast link, TCP automatically adjust the window up to allow for more throughput; you just need to tune openvpn to do that same thing here
21:36 -!- poopdiesel [~a27caf18@31.6.30.6] has quit [Ping timeout: 256 seconds]
21:37  * pekster love talking to himself
21:39 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
22:23 -!- PreludeZzzz [PreludeZzz@2.82.126.119] has joined #openvpn
22:23 < PreludeZzzz> hello
22:24 < PreludeZzzz> anyone know why when i make an openvpn connection from Device > server i always get the ip.ip.0.0 > 0.0.0.0 ? i set it so it uses tap0 and i want by default to put ip.ip.0.0. > gw.gw.gw.gw ( ip obtained by the openvpn connection )
22:24 < _FBi> harro
22:24 < PreludeZzzz> anyone know how to do that?
22:25 < _FBi> your Device gets IP 0.0.0.0
22:25 < PreludeZzzz> well i don't want to route all traffic through 0.0.0.0 > internal network
22:25 < PreludeZzzz> when i make a vpn connection , i only want to route specific ranges through that tunel
22:26 < PreludeZzzz> everything else should go via default > to the internet
22:26 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
22:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:27 -!- mode/#openvpn [+v s7r] by ChanServ
22:27 < PreludeZzzz> right now i have it so it connects through the tunnel and automatically creates a route line called " ip.ip.0.0 gw 0.0.0.0 dev tap0
22:27 < PreludeZzzz> i don't want to do that.. i want to go ip,ip.0.0 gw ip.ip.ip.1 dev tap0 or whatever
22:28 < PreludeZzzz> am i making sense?
22:28 < PreludeZzzz> next question is.. server-bridge <ip> < range start > - <range - end > .. What happens if i have fragmented ranges?
22:29 < PreludeZzzz> like what do i do to add say 5 different ranges
22:29 < PreludeZzzz> or single /32's and stuff
22:29 < PreludeZzzz> can it be done?
22:30 < pekster> No, use --client-connect and push things
22:31 < pekster> Don't use tap: see !tunortap and don't use tap at all unless you're sending *non* IP traffic
22:31 < PreludeZzzz> well i want to use real public ips and keep them so the destination sees the original source ip
22:31 < PreludeZzzz> not the vpn server
22:31 < pekster> So do that
22:32 < pekster> Your application still needs to use it correctly, or you need to do server-side NAT in a 1:1 type fashion
22:32 < pekster> If your client is multihomed, it's the _client_ job to correctly pick an IP to source connections with
22:32 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
22:33 < pekster> Normally this is selected from the client's routing table, which you get some control over by way of pushing routes (see: !redirect to redirect _all_ internet-bound traffic over openvpn.) If that's too coarse a control for you, you'll need to set up complex policy routing
22:33 < PreludeZzzz> this is all running linu based
22:33 < PreludeZzzz> my clients are simple --config client.ovnp
22:33 < pekster> NAT works on almost any modern OS designed for a router
22:33  * pekster sighs
22:34 < pekster> It's as "complex" or "simple" as you make it. Plenty of reading for you, but your problem isn't really openvpn, but basic routing
22:34 < PreludeZzzz> sorry i am new at this so.
22:34 < PreludeZzzz> ok so you suggest using tun instead of tap?
22:34 < pekster> I did, yes. With references ;)
22:34 < pekster> !new
22:35 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
22:35 < PreludeZzzz> the question about adding route rules.... why does it automatically add a route to 0.0.0.0 ? why doesn't it automatically use the route-gateway ip pushed by the server
22:38 < PreludeZzzz> you referenced a client-connect... can within a client connect i write some scripts that produce an IP for that custome rand then simply push that ip with "ifconfig-push newip netmask gw " ? or something like that
22:38 < PreludeZzzz> will i be able to push it that way at all?
22:38 < PreludeZzzz> i want to assign an ip from a DB for example
22:39 < PreludeZzzz> or at least have a way to assign an ip pool that has multiple ranges
22:39 < PreludeZzzz> not one large one
22:44 < _FBi> evening pekster
22:46 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:15 -!- ShadniX [dagger@p5DDFE771.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:16 -!- ShadniX [dagger@p5481DFAC.dip0.t-ipconnect.de] has joined #openvpn
23:17 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
23:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:21 -!- mode/#openvpn [+v s7r] by ChanServ
23:50 -!- mattock_afk is now known as mattock
--- Day changed Thu Jul 31 2014
00:00 -!- PreludeZzzz [PreludeZzz@2.82.126.119] has quit [Ping timeout: 250 seconds]
00:07 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has joined #openvpn
00:42 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
00:46 -!- croepha [~croepha@199.9.63.130] has quit [Quit: croepha]
00:51 <@krzee> !commands
00:51 <@krzee> i like !new
00:52 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 255 seconds]
00:53 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
01:05 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
01:06 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 264 seconds]
01:09 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
01:11 -!- woshty [~irc@84.200.211.57] has quit [Ping timeout: 250 seconds]
01:11 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 255 seconds]
01:11 -!- woshty [~irc@84.200.211.57] has joined #openvpn
01:13 -!- mete [~mete@91.247.253.160] has joined #openvpn
01:24 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:33 -!- jonascj [~jonas@ip-52-91.bnaa.dk] has quit [Ping timeout: 240 seconds]
01:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:44 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
01:44 < Pinchiukas> !welcome
01:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:45 < Pinchiukas> !mitm
01:45 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
01:46 < Pinchiukas> !goal
01:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:46 < Pinchiukas> So what is a Diffie-Hellman key?
01:50 <@krzee> !dh
01:50 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
01:56 < Pinchiukas> Aren't the private/public keypairs used for that?
02:01 <@krzee> my understanding is that those are for auth and then dh is part of the key negotiation process to help with forward security
02:05 <@krzee> !security
02:05 <@vpnHelper> "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
02:05 <@krzee> you may like #2
02:07 < Pinchiukas> Thanks
02:07 <@krzee> np
02:07 <@krzee> it doesnt mention dh though =/
02:17 < Pinchiukas> "each peer has a distinct send HMAC, receive HMAC, packet encrypt, and packet decrypt key" - if HMAC is used for traffic encryption and decryption, what are those other keys used for?
02:19 <@syzzer> Pinchiukas: HMAC is used to provide integrity, encryption to provide confidentiality
02:19 <@syzzer> you need both for a secure connection
02:21 < etheraap> hola folks
02:25 < Pinchiukas> So HMAC is kind of a checksum?
02:33 -!- Intensity [u8PYVwVSXO@unaffiliated/intensity] has joined #openvpn
02:35 <@krzee> yes exactly
02:35 <@krzee> !hmac
02:35 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
02:35 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
02:47 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
02:48 < Pinchiukas> So why do you need a key for a checksum?
02:48 < shiin> Ive setup openvpn on my root server, which is a cluster of virtual machines with only one gateway. I want to use openvpn to access some services that I prefer not to expose to the wide open internet. I have my own bind9 and dhcpcd already, which handles all internal vms addresses and names. is there a common way to make openvpn use my already existing dhcp, or is it preferred to rely on the openvpn internal dhcp instead? heres my config: http://nopaste.i
02:48 < shiin> nfo/c85c6aa736.html
02:49 < shiin> duh. http://nopaste.info/c85c6aa736.html
02:51 <@syzzer> Pinchiukas: because otherwise a mitm atacker can change your packets. Think of changing "pay $100" to "pay $900"
02:59 <@krzee> shiin, preferred is to use tun and therefor using a totally different subnet for the vpn
03:00 <@krzee> then you can simply configure routing for accessing the lan
03:07 < shiin> so I can put that route into the server config, so that the clients will receive that and configure my kernel to handle those routes?
03:08 < Pinchiukas> syzzer: it's the checksum, not the packet itself.
03:08 <@krzee> shiin, sure, the server can push the client the route
03:08 < Pinchiukas> s/packet/payload/
03:08 < shiin> and the server can also push the dns then, since it would be available with the route?
03:09 <@krzee> Pinchiukas, the checksum is used to verify the packet is valid before crypto even comes in to play
03:09 < Pinchiukas> Is the checksum generated before of after the packet is encrypted?
03:09 <@krzee> Pinchiukas, all the recent ssl issues were mitigated even if you were vulnerable if you used HMAC checksums
03:10 <@krzee> like heartbleed for example
03:10 < Pinchiukas> I'm not worried about those if that's what you thought. :) Just want to get a good idea of how OpenVPN works exactly.
03:11 < Pinchiukas> So there are two pairs of keys in the static key: HMAC pair and the payload pair?
03:17 < shiin> krzee: what config parameters would I google for to achieve that route and dns push?
03:17 <@krzee> !man
03:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
03:17 <@krzee> !push
03:17 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
03:17 <@krzee> !pushdns
03:17 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
03:18 < shiin> !wellduh.
03:20 < Pinchiukas> krzee: correct?
03:21 <@krzee> Pinchiukas, the payload pair are dynamic when using ssl, hence the forward security
03:21 <@krzee> remember, static key mode operation is 100% different from ssl mode
03:36 <@syzzer> Pinchiukas: if an attacker can change your 'checksum' (HMAC is a bit different actually), he can change your packet without you detecting he has changed it. Hence, the 'checksum' needs to be keyed.
03:38 <@syzzer> this however is standard crypto stuff - not OpenVPN specific. Either assume you need both for a secure connection and note that OpenVPN does that correctly, or dive into some crypto introduction course ;)
03:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:08 < Pinchiukas> But if the attacker changes the payload, he needs to encrypt it with which key? My public key?
04:11 -!- supermat [supermat@unaffiliated/supermat] has joined #openvpn
04:12 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 250 seconds]
04:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
04:18 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:19 <@syzzer> Pinchiukas: no, this is where the tricky crypto comes into play. For certain streaming crypto modes, flipping bits in the ciphertext results in flipping bits in the plaintext. So, if an attacker would recognize a specific packet, e.g. by it's size or timing, and can guess (part of) the plaintext, he can change the plaintext
04:20 <@krzee> well how about this too, very important? attacker doesnt have your key (yet) but hes able to attack your vuln openssl unless you use HMAC sigs
04:20 <@krzee> !heartbleed
04:20 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
04:20 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
04:20 <@syzzer> Pinchiukas: if you'd like to learn about this stuff, I can recommend this free course: https://www.coursera.org/course/crypto
04:20 <@vpnHelper> Title: Coursera.org (at www.coursera.org)
04:21 <@syzzer> otherwise, just assume you always needs three things for a secure connection: (1) confidentiality/encryption, (2) integrity/authentication and (3) replay protection.
04:22 <@syzzer> and openvpn offers all of them ;)
04:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:26 -!- e87hd [~e87hd@184.75.221.26] has quit [Ping timeout: 264 seconds]
04:27 -!- mattock is now known as mattock_afk
04:45 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
04:50 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 244 seconds]
04:53 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
04:55 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
04:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
04:58 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
05:18 -!- mattock_afk is now known as mattock
05:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
05:21 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
05:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
05:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:29 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
05:29 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
05:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:35 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
05:42 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
05:42 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
05:43 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:43 -!- dazo_afk is now known as dazo
05:45 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
05:45 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
05:55 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
05:59 < Pinchiukas> syzzer: I know a bit about crypto and about PKI but I'm confused about how all of this is implemented in OpenVPN.
06:04 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:06 -!- dazo is now known as dazo_afk
06:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
06:13 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 244 seconds]
06:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:15 -!- dazo_afk is now known as dazo
06:17 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
06:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
06:31 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
06:31 < ahuemer> !welcome
06:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:35 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 252 seconds]
06:36 < ahuemer> hi all. i have a very simple setup. server http://ahuemer.xx.vu/volatile/2014-07-31-XGDBndQ8wdQ/tun0.conf client http://ahuemer.xx.vu/volatile/2014-07-31-E5gL7GZ9jCI/tun0.conf i would like to communicate (e.g. ping) with the client from the server, but can't. is this an obvious misconfiguration of openvpn or more likely an iptables problem on the server?
06:38 < ahuemer> on the server i run shorewall with the straight forward example config from http://shorewall.net/OPENVPN.html#RoadWarrior
06:38 <@vpnHelper> Title: OpenVPN Tunnels and Bridges (at shorewall.net)
06:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
06:38 <@dazo> ahuemer: This is confusing ... are you using the config examples from shorewall, or the pastebins?
06:39 <@dazo> ahuemer: because shorewall config examples won't be compatible with what you pastebinned
06:41 < ahuemer> what i pastebined in the openvpn config i use. i use the shorewall config from the shorewall.net link
06:42 <@dazo> I don't understand what the shorewall config means in this context
06:42 < ahuemer> you are right, the shorewall.net link contains openvpn configs too, sorry for not beeing precise
06:42 < ahuemer> well, all files under /etc/shorewall
06:43  * dazo gets sceptical
06:43 <@dazo> okay ... in your client and server configs, add 'verb 4' and pastebin the output
06:43 <@dazo> *without* modifying the log data
06:43 < ahuemer> k
06:45 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
06:47 < ahuemer> http://ahuemer.xx.vu/volatile/2014-07-31-pObA9HQELxQ/
06:47 <@vpnHelper> Title: Index of /volatile/2014-07-31-pObA9HQELxQ/ (at ahuemer.xx.vu)
06:47 -!- Plastefuchs [~fweee@198.98.120.235] has joined #openvpn
06:47 < Plastefuchs> hi o/
06:48 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
06:48 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
06:48 < Plastefuchs> Just to understand it right: --tls-auth adds HMAC to the handshake, but without it all other packages are still verified via HMAC? (this is what i gathered from reading both the howto and the security overview)
06:49 <@dazo> ahuemer: and you can't ping 10.9.8.1 from the client side (presuming client is 10.9.8.2)
06:49 <@dazo> ?
06:50 < ahuemer> the client is 10.9.8.2, from there i can ping 10.9.8.1 just fine. the other way around does not work. from the server (10.9.8.1) i can't ping 10.9.8.2
06:50 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
06:51 < ahuemer> From 10.9.8.1 icmp_seq=1 Destination Host Unreachable
06:52 < ahuemer> those messages flood the console, the seq number does not increase
06:53 <@dazo> ahuemer: you probably have a firewall issue
06:53 <@dazo> the tun device is blocked on your shorewall
06:53 < ahuemer> ok
06:54 <@dazo> Plastefuchs: --tls-auth adds another HMAC packet outside the encrypted packet.  Both is sent over the wire, and if openvpn don't get a valid verification using the HMAC packet, the entire packet is dropped
06:58 < ahuemer> dazo: it works now. i did not allow traffic from the server to the road zone in shorewall
06:59 < ahuemer> many thanks for the competent help
06:59 < Plastefuchs> dazo: I am not 100% firm in my TLS understanding, so I thought that the handshake happens (ideally) once, so the extra package is only wrapped around those pakcages needed for the handshake, but for the following 'regular' packages there is only one layer of HMAC present?
07:01 <@dazo> Plastefuchs: --tls-auth adds HMAC on top of all packets, no matter what is being transferred .... but you're right, the SSL/TLS protocol can also have an HMAC signature too
07:01 <@dazo> those two must not be confused, though
07:02 <@dazo> as --tls-auth uses a shared static key ... while the SSL/TLS protocol's HMAC is based on the key negotiation during the SSL/TLS handshake
07:02 < Plastefuchs> dazo: The security speaks about --tls-auth adding HMAC to the handshake, so i thought that only meant the TLS handshake, nothing more.
07:02 < Plastefuchs> *security overview
07:03 < ahuemer> thanks again. bye
07:03 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has left #openvpn []
07:04 <@dazo> Plastefuchs: you mean this one?  http://openvpn.net/index.php/open-source/documentation/security-overview.html
07:04 <@vpnHelper> Title: Security Overview (at openvpn.net)
07:04 <@syzzer> Plastefuchs: that is correct. tls-auth only puts an extra HMAC on TLS ('control channel') packets
07:05 <@dazo> ahh, syzzer to the rescue :)
07:05 <@dazo> thx!
07:05 < Plastefuchs> dazo: yes, though this sentence came from the howto: "The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification."
07:05 < Plastefuchs> ah
07:05 <@syzzer> yeah, that ^^
07:05 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 240 seconds]
07:06 <@syzzer> the data packets also have an HMAC, but that is using a dynamically negotiated key over the TLS control channel
07:06 < Plastefuchs> And that handshake should happen only once for one connection (unless renegotiation happens, etc.)?
07:06 <@dazo> Plastefuchs: trust syzzer ... he's our crypto geek :)
07:06 < Plastefuchs> Yeah, that is part of TLS
07:06 <@syzzer> Plastefuchs: exactly
07:06 < Plastefuchs> All hail syzzer? ^^
07:06 < Plastefuchs> syzzer: Ah, thank you :3
07:06 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
07:07 < Plastefuchs> I know bits and pieces about PKI, crypto and whatnot, but having to write about OpenVPN and its workings is a daunting task. This has helped me quite a bit :)
07:07 <@syzzer> there might be other stuff going on over the control channel - I'm not perfercly sure on the networking bits, just the crypto geek ;) - but it's very low bandwidth
07:08 < Plastefuchs> I'll just state it like a fact and they have to disprove me :p
07:08 <@syzzer> you'll probably be right ;)
07:08 < Plastefuchs> syzzer: something else came to mind. I have read about adding 2factor auth to openvpn. Is it possible to run an Openvpn server and have one group of clients use 2factor and another without?
07:09 < renihs> Plastefuchs, read the source luke :)
07:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
07:09 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:09 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
07:09 < Plastefuchs> A colleague mention that fact, but since i have two 'groups' of clients i didn't want to sink more time into it ...
07:09 < Plastefuchs> renihs: My C is quite rusty <.<
07:09 <@syzzer> Plastefuchs: yes, you could, but you'd have to handle that yourself in your plugin / client-connect script
07:10 <@syzzer> but this is the part where dazo is the expert ;)
07:10 < Plastefuchs> :D
07:10 <@syzzer> he's the plugin-meister
07:10 < Plastefuchs> oh right, i only read today that there are openvpn plugins? ._.
07:10 <@dazo> Plastefuchs: I've been working on a more advanced auth-plugin for openvpn ... eurephia ... and I have code in the pipe which enables different auth-mechanisms based on username and client certificate
07:10 <@dazo> !eurephia
07:10 <@vpnHelper> "eurephia" is http://www.eurephia.net/
07:11 < Plastefuchs> dazo: excelent!
07:11 < Plastefuchs> or however that is spelled ...
07:11 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
07:11 <@syzzer> Plastefuchs: if I may ask, for who are you describing OpenVPN?
07:11 <@dazo> Right now, I'm trying to get some work done on implementing GSSAPI (and with time GSSAPI with IAKERB), to allow for kerberos auth
07:12 -!- mirco_ [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
07:13 < Plastefuchs> syzzer: *cough* it is part of my bachelor thesis. Creating a way to connect technicians with servers in corporate environments, all over a shiny interface. Not 100% my forte to be honest. <.<
07:13 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
07:13 -!- mirco_ is now known as mirco
07:14 < Plastefuchs> dazo: there is a tiny typo in the page: 'Drivers for PostgreSQL and MySQL is being planned.' <- shouldn't that be 'are being planned'
07:14 < Plastefuchs> syzzer: I don't have to go too deep into the nitty gritty details of openvpn, but i should understand the comings and goings all through to argue why the heck i am using this weird --tls-auth option for example.
07:15 <@dazo> Plastefuchs: you're right
07:15 <@syzzer> ah, nice. I thought, if you end up having a nice explanation of openvpn, it might also be worthwhile for other to put in on the wiki :)
07:15 <@dazo> +1
07:16 < Plastefuchs> syzzer: 1) it be in German 2) i am not a good writer v.v
07:16 < Plastefuchs> dazo: all for the nice and helpful people of ##openvpn :3
07:16 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
07:17 <@syzzer> heh, okay, German is a bit hard to read for a big part of the world
07:18 < Plastefuchs> depends. Not in Germany ;D
07:18 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
07:20 < Plastefuchs> dazo: I am curious, is there a a reason you are still using sourceforge? Conscious decision or just born out of time constraints?
07:20 < Plastefuchs> -still
07:20 <@syzzer> yeah, or most of the surrounding countries (I'm from the Netherlands, I can read German just fine), but English is probably better on the wiki ;) anyway, good luck with the thesis! I'm getting back to my payed-for work :)
07:20 < Plastefuchs> syzzer: Thank you again, have fun at work! :3
07:21 <@dazo> Plastefuchs: I had an account there, and have some other old projects there ... so it was just easier back then ... but these days, I might have chosen something else (except github, but for sure something gittish)
07:21 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:22 < Plastefuchs> dazo: gogo bitbucket? ^^
07:23 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has joined #openvpn
07:24 <@dazo> Plastefuchs: nah ... I'd prefer something fully community FLOSS focused, who fully understands and embraces FLOSS
07:26 <@dazo> (gitlab and gitorious are the ones I'd most likely consider)
07:29 < Plastefuchs> dazo: ah, right on. I haven't looked at other sites so far since I haven't delved deep into dev yet. BB appeals to me since they allow for git and mercurial projects <.<
07:30 <@dazo> There's a nice over view here: https://en.wikipedia.org/wiki/Comparison_of_open-source_software_hosting_facilities
07:30 <@vpnHelper> Title: Comparison of open-source software hosting facilities - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:30  * dazo just discovered it
07:40 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
07:44 < Plastefuchs> Oh, nice :3
07:47 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 250 seconds]
08:05 < jl-> krzee: how do I check my routing table, before and after I run vpn (you said it looks like the route that is being attempted to be added exists)
08:06 < jl-> that being said, the VPN seems to work fine (I can access local lan, get different IP) but I get this error:
08:06 < jl-> Wed Jul 30 15:07:44 2014 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=17]
08:06 < jl-> Wed Jul 30 15:07:44 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
08:08 -!- larryone [~larryone@180.234.34.49] has joined #openvpn
08:09 < jl-> anyone?
08:10 < jl-> http://paste.debian.net/hidden/17750a1b/ here's the entire log
--- Log closed Thu Jul 31 08:13:58 2014
--- Log opened Thu Jul 31 10:41:31 2014
10:41 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
10:41 -!- Irssi: #openvpn: Total of 172 nicks [7 ops, 0 halfops, 3 voices, 162 normal]
10:41 -!- Irssi: Join to #openvpn was synced in 0 secs
10:41 -!- mode/#openvpn [+o ecrist_] by ChanServ
10:41 -!- You're now known as ecrist
10:48 < lfx> Hello. When I try to compile openvpn 2.3.4 with OpenSSL build from source, it won't find it. Where does it look for it or what do I have to change to find the libs?
10:54 <@plaisthos> lfx: find what?
10:55 <@krzee> xeqt, 192.168.1.0 is the network address
10:55 < lfx> ssl libraries
10:55 < lfx> or headers
10:55 < lfx> can't remember (have to try in a minute)
10:57 < lfx> configure: error:  ssl is required but missing
11:01 <@plaisthos> lfx: you are probably missing the ssl devel packets
11:01 <@plaisthos> libssl-dev
11:01 <@plaisthos> or openssl-devel or something like that
11:02 < lfx> I thought they are included in the openssl archive from openssl.org
11:02 < lfx> if I get them with apt-get it will work
11:02 < lfx> but the debian packages are old
11:03 < lfx> and I wanted to build it with the latest openssl
11:03 <@plaisthos> lfx: unless you have really valid reason to use the latest openssl version I would recommend to stick with the distribution's ssl libraries
11:04 <@krzee> and more importantly, you just made it clear that its a matter of properly installing the openssl libraries to your system like the package manager scripts would.
11:05 < lfx> ok
11:05 < lfx> then I will stick to the .deb
11:17 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Read error: Connection reset by peer]
11:20 < jl-> dazo: I added the following to my config route-method exe route-delay 2 -- this resolved this error: ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=17]
11:20 < jl-> however, I'm still getting this error: env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
11:21 < jl-> here are my logs (minus the route addition failed http://paste.debian.net/hidden/17750a1b/
11:21 < jl-> I can successfully connect, but I'm not sure how 'pure' the connection is
11:25 < jl-> krzee: you mentioned yesterday you would like to see the routing table before and after connection?
11:26 <@krzee> ya but i also said the log needs to be verb 4
11:26 <@krzee> you seem to have verb 1
11:26 <@krzee> also im on vacation and about to leave, gotta make it to my massage
11:27 < jl-> enjoy
11:30 < jl-> Thu Jul 31 12:28:51 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
11:30 < jl-> Thu Jul 31 12:28:51 2014 C:\windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.9
11:30 < jl-> with verb 4
11:31 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Quit: WeeChat 0.4.3]
11:32 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
11:49 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 256 seconds]
11:53 -!- croepha [~croepha@199.9.63.130] has quit [Quit: croepha]
12:07 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
12:11 < ahuemer> hi. i noticed some additional, interesting detail. the tunnel is interrupted and later restored. i ping the client from the server, no answers. as soon as i send a single packet from the client to the server, the pings from the server to the client go through
12:11 < ahuemer> any idea why that could be the case?
12:13 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
12:17 -!- notorious_ [~notorious@81.82.195.68] has quit [Quit: Konversation terminated!]
12:37 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 240 seconds]
12:55 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
13:01 -!- croepha [~croepha@199.9.63.130] has joined #openvpn
13:02 < xeqt> is there some way to get more then 10 mbits from the tap tunnel ?
13:02 < xeqt> i have 100 mbits + a 500 mbits line to me
13:05 <@ecrist> yes
13:05 <@ecrist> !gigabit
13:05 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
13:05 <@ecrist> xeqt: the windows indication that the link is only 10Mb is a misnomer
13:05 <@ecrist> ignore that
13:14 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Ping timeout: 250 seconds]
13:19 -!- _KaszpiR__ is now known as _KaszpiR_
13:22 < Eugene> Pretty sure we have a factoid for that
13:22 < Eugene> !factoids search 10
13:22 <@vpnHelper> 'net101' and '101'
13:22 < Eugene> !factoids search values 10
13:22 <@vpnHelper> No keys matched that query.
13:23 < Eugene> Guess not
13:25 < Eugene> !learn win10m as The Windows tun/tap device driver reports 10Mb as the line speed, but in reality it is only limited by your CPU and network performance.
13:25 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:25 < Eugene> Hey fuck you
13:25 < xeqt> ecrist : what mtu shoul di use ?
13:26 < xeqt> *should i
13:26 < Eugene> You shouldn't muck with the mtu settings. The default auto-sensing works fine 99% of the time
13:26 < xeqt> what can i do to get higher speed ?
13:26 < xeqt> its for playing games
13:27 < Eugene> The first thing is how are you measuring speed
13:27 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
13:27 < Eugene> Why do you think it isn't performing
13:27 < xeqt> it feels like its hardware problem ..
13:28 < xeqt> should i go lower on the encryption ?
13:28 < Eugene> I feel like I need a sandwich. Feelings are not science.
13:28 < Eugene> !xy
13:28 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
13:30 < xeqt> Well .. what i was about to say is that i dont have that fast computer to decrypt with. If thats the problem ?
13:32 < xeqt> its a duo core intel 2.66 GHz ..
13:32 < xeqt> its installed with pfsense
13:32 < xeqt> and then openvpn
13:32 <@ecrist> buy faster internet
13:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:35 < xeqt> i have 100 + 500 mbits
13:36 < Eugene> Yes yes yes, we get that you think it should be fast. Why are you saying its slow
13:36 < Eugene> What's slow
13:41 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 272 seconds]
13:41 < xeqt> Civilization 5
13:42 <@ecrist> in what way is it slow?
13:42 <@ecrist> can you demonstrate?
13:42 < xeqt> The time it takes to sync and play ..
13:43 <@ecrist> with who?
13:43 <@ecrist> how fast is their internet?
13:43 <@ecrist> what makes you think openvpn is slow?
13:43 < Eugene> What you're describing is high ping time, not low bandwidth
13:45 <@krzee> well thats to be expected when adding a bunch of hops
13:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:01 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 256 seconds]
14:13 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:32 -!- jadedsecurity [~bob@pentoo/user/Jadedsecurity] has joined #openvpn
14:32 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has quit [Ping timeout: 256 seconds]
14:33 < jadedsecurity> hey, anybody around that can help me out with something real quick
14:37 < jadedsecurity> ImportError: No module named pyovpn.plugin
14:37 < jadedsecurity> where the hell does this thing live
14:39 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has joined #openvpn
14:43 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:02 -!- dazo is now known as dazo_afk
15:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Broken pipe]
15:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:24 -!- mode/#openvpn [+v s7r] by ChanServ
15:32 < jl-> krzee: the IPforward error is resolved, here is the status I am getting now (again, everything seems functional and I can access local LAN), I just need to make sure it's 100% VPN'd (anonymous) http://paste.debian.net/hidden/f7312889/
15:32 < jl-> see the bottom
15:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
15:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:04 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 250 seconds]
16:06 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
16:29 -!- s7r_e [~s7r@openvpn/user/s7r] has joined #openvpn
16:29 -!- mode/#openvpn [+v s7r_e] by ChanServ
16:31 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
16:36 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
16:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:41 -!- s7r_e [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
16:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:43 -!- mode/#openvpn [+v s7r] by ChanServ
17:09 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
17:09 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
17:17 -!- mattock is now known as mattock_afk
17:19 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
17:20 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
17:22 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:43 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
17:48 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
18:05 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
18:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:07 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
18:09 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:12 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
18:12 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
18:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
18:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
18:53 -!- mirco_ [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has joined #openvpn
18:54 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
18:54 -!- mirco_ is now known as mirco
19:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:03 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:04 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
19:37 -!- GrantK [ld0zVNf1YS@bolt.sonic.net] has joined #openvpn
19:37 < GrantK> !routebyapp
19:37 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
19:37 <@vpnHelper> policies you set. For Linux, read about !lartc
19:38 < GrantK> !sockd
19:38 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
19:47 -!- mirco [~mirco@ip-109-90-242-169.hsi11.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
20:12 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has joined #openvpn
20:40 -!- GrantK [ld0zVNf1YS@bolt.sonic.net] has quit [Quit: GrantK]
20:55 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
20:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:59 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:59 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
20:59 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 245 seconds]
20:59 -!- batrick [~batrick@nmap/developer/batrick] has quit [Ping timeout: 245 seconds]
20:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 245 seconds]
20:59 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 245 seconds]
20:59 -!- mgorbach_ is now known as mgorbach
20:59 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
21:01 -!- mirco_ [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has joined #openvpn
21:02 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 240 seconds]
21:02 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
21:02 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has quit [Read error: Connection reset by peer]
21:02 -!- mirco_ is now known as mirco
21:02 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Quit: ZNC - http://znc.in]
21:03 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
21:04 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
21:05 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
21:09 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has quit [Quit: mirco]
21:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
21:30 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
21:32 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Quit: ZNC - http://znc.in]
21:32 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
21:38 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Quit: ZNC - http://znc.in]
21:39 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
21:42 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Client Quit]
21:44 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
21:46 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
21:46 -!- mode/#openvpn [+v RBecker] by ChanServ
21:58 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
21:58 -!- Poster|x is now known as Poster
22:00 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
22:00 -!- mode/#openvpn [+v RBecker] by ChanServ
22:00 -!- otubo [~otubo@62.217.45.26] has quit [Ping timeout: 245 seconds]
22:00 -!- otubo [~otubo@62.217.45.26] has joined #openvpn
22:00 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Excess Flood]
22:28 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 256 seconds]
22:44 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:05 -!- temje [~temje@162.219.179.130] has joined #openvpn
23:11 -!- croepha [~croepha@199.9.63.130] has quit [Quit: croepha]
23:12 -!- ShadniX [dagger@p5481DFAC.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:13 -!- ShadniX [dagger@p5DDFF53C.dip0.t-ipconnect.de] has joined #openvpn
23:57 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
--- Day changed Fri Aug 01 2014
00:01 -!- aji is now known as aji_
00:01 -!- aji [~alex@atheme/member/aji] has joined #openvpn
00:01 -!- aji_ [~alex@atheme/member/aji] has quit [Quit: Segmentation fault (aji dumped)]
00:29 -!- loeken [~lknfnd@static.123.253.76.144.clients.your-server.de] has joined #openvpn
00:59 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 245 seconds]
01:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
01:11 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
01:11 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
01:11 -!- mode/#openvpn [+v RBecker] by ChanServ
02:01 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:02 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has joined #openvpn
02:12 -!- mattock_afk is now known as mattock
02:24 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
02:35 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
02:35 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:35 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
02:37 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
02:38 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
02:38 -!- mode/#openvpn [+v s7r] by ChanServ
02:39 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
02:40 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
02:43 -!- temje [~temje@162.219.179.130] has quit [Quit: Leaving]
02:46 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Read error: Connection reset by peer]
02:55 -!- otubo [~otubo@62.217.45.26] has quit [Quit: Leaving]
03:15 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has quit [Ping timeout: 245 seconds]
03:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:36 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
03:39 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:39 -!- mode/#openvpn [+o dazo] by ChanServ
03:46 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
04:21 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Ping timeout: 272 seconds]
04:43 -!- s7r_g [~s7r@openvpn/user/s7r] has joined #openvpn
04:43 -!- mode/#openvpn [+v s7r_g] by ChanServ
04:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
04:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
04:58 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
05:05 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
05:06 < Chris-S> !welcome
05:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:08 < Chris-S> !goal Forward VPN traffic through a transparent proxy.
05:08 < Chris-S> !goal
05:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:08 < Chris-S> Forward VPN traffic through a transparent proxy, per user settings.
05:09 < Chris-S> !ask
05:09 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
05:13 < Chris-S> !howto
05:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:15 < Chris-S> !welcome
05:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:16 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:16 < Chris-S> Forward VPN traffic through a transparent proxy.
05:17 < Chris-S> !goal Forward VPN traffic through a transparent proxy.
05:17 < Chris-S> !goal
05:17 < Chris-S> Forward VPN traffic through a transparent proxy.
05:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:18 < Chris-S> Forward VPN traffic through a transparent proxy.
05:18 < Chris-S> I would like to forward VPN traffic through a transparent proxy.
05:18 < Chris-S> !goal I would like to forward VPN traffic through a transparent proxy.
05:18 < Chris-S> !goal "I would like to forward VPN traffic through a transparent proxy."
05:19 < Chris-S> !welcome
05:19 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:19 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:19 < Chris-S> I would like to forward VPN traffic through a transparent proxy.
05:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:11 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has left #openvpn []
06:14 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
06:17 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
06:21 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 256 seconds]
06:59 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has quit [Ping timeout: 256 seconds]
07:05 < jl-> morning
07:05 -!- blind [~msweeney@unaffiliated/blind] has left #openvpn []
07:19 -!- ZeDestructor [~ZD@unaffiliated/zedestructor] has left #openvpn ["o.O"]
07:30 -!- s7r_g [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
07:52 -!- Cybert1nus is now known as Cybertinus
08:05 < Plastefuchs> The default KEY_SIZE in easy-rsa is 1024? I don't have a way to touch a system with a default install right now and I only have my modified files at hand...
08:34 -!- dazo is now known as dazo_afk
09:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:10 -!- supermat [supermat@unaffiliated/supermat] has quit [Read error: Connection reset by peer]
09:11 -!- mytbk [~irudog@2001:da8:201:1234:a6db:30ff:fe4e:d7d4] has joined #openvpn
09:12 -!- mytbk [~irudog@2001:da8:201:1234:a6db:30ff:fe4e:d7d4] has left #openvpn ["WeeChat 0.4.3"]
09:17 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
09:18 -!- supermat_ [supermat@unaffiliated/supermat] has joined #openvpn
09:20 -!- supermat_ is now known as supermat
09:21 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
09:22 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
09:50 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:51 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:16 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
10:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:35 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-baecdbskzgfwjqtt] has joined #openvpn
10:35 < SupaYoshi> Poster
10:35 < SupaYoshi> :D Heyy
10:39 -!- u0m3 [~u0m3@92.80.87.239] has quit [Ping timeout: 250 seconds]
10:44 -!- croepha [~croepha@host-72-51-153-251.newwavecomm.net] has joined #openvpn
10:45 -!- u0m3 [~u0m3@92.80.107.242] has joined #openvpn
10:46 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 256 seconds]
10:46 -!- phreakocious [~phreakoci@aesoterica.phreakocious.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:49 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
10:52 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
11:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:13 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
11:19 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
11:19 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
11:20 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
11:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:11 < SupaYoshi> back soon
12:12  * krzee waits patiently
12:12 <@krzee> :D
12:12  * Eugene farts. Loudly.
12:12 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
12:13 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:23 -!- Guest39483 [~wallbroke@unaffiliated/wallbroken] has joined #openvpn
12:23 -!- lsone [~lsone@69.15.58.162] has quit [Quit: Textual IRC Client: www.textualapp.com]
12:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:33 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
12:33 -!- tanja84dk_ [~tanja84dk@unaffiliated/tanja84dk] has joined #openvpn
12:35 < pekster> Plastefuchs: latest 2.2 series fixes some dated standards. The v3 branch (currently with an rc2 available) makes a lot more sensible changes for OpenVPN keys/certs, including keysize, plus a less complex X.509 DN
12:36 < Plastefuchs> pekster: hmkay :o
12:39 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:47 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Quit: gotta go]
12:53 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
13:35 -!- Guest39483 [~wallbroke@unaffiliated/wallbroken] has left #openvpn []
13:44 -!- mattock is now known as mattock_afk
13:48 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 250 seconds]
13:49 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
13:57 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
14:10 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
15:01 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has joined #openvpn
15:05 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Ping timeout: 255 seconds]
15:08 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Quit: gotta go]
15:20 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
15:40 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
15:54 -!- tanja84dk_ [~tanja84dk@unaffiliated/tanja84dk] has quit [Read error: Connection reset by peer]
16:29 -!- t0rben [~Talena@5.254.112.6] has joined #openvpn
16:30 -!- t0rben [~Talena@5.254.112.6] has quit [Client Quit]
16:31 -!- t0rben [~t0rben@5.254.112.6] has joined #openvpn
16:49 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
16:50 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has quit [Client Quit]
16:54 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Quit: gotta go]
16:55 -!- lsone [~lsone@69.15.58.162] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:55 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
16:57 -!- croepha [~croepha@host-72-51-153-251.newwavecomm.net] has quit [Quit: croepha]
17:02 -!- t0rben [~t0rben@5.254.112.6] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
19:07 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
19:27 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
19:30 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:32 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
19:35 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:38 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
19:39 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:42 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
19:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:44 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:45 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:47 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
19:49 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:49 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
19:50 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:51 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Client Quit]
19:51 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:58 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
20:01 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:01 -!- croepha [~croepha@host-72-51-153-251.newwavecomm.net] has joined #openvpn
20:01 -!- croepha [~croepha@host-72-51-153-251.newwavecomm.net] has quit [Client Quit]
20:28 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
20:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
20:41 -!- croepha [~croepha@63.149.18.16] has joined #openvpn
20:46 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has quit [Quit: mirco]
20:59 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
21:01 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:04 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Read error: Connection reset by peer]
21:05 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:15 -!- croepha [~croepha@63.149.18.16] has quit [Remote host closed the connection]
21:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
23:12 -!- ShadniX [dagger@p5DDFF53C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:14 -!- ShadniX [dagger@p5DDFFE2C.dip0.t-ipconnect.de] has joined #openvpn
23:25 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 244 seconds]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
--- Day changed Sat Aug 02 2014
00:18 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Read error: Connection reset by peer]
00:35 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has joined #openvpn
00:36 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: Goodbye cruel world!]
00:37 -!- mirco [~mirco@ip-109-90-230-9.hsi11.unitymediagroup.de] has quit [Client Quit]
00:40 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:40 < svm_invictvs> ugh, so I screwed up my opvn setup
00:40 < svm_invictvs> I need to run certain exteranl sites throught he VPN
00:57 -!- mattock_afk is now known as mattock
01:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
01:35 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
01:51 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 250 seconds]
01:57 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:59 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:04 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
02:12 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
02:19 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
02:42 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 255 seconds]
02:46 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 245 seconds]
02:48 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
02:48 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
03:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:38 -!- supermat [supermat@unaffiliated/supermat] has quit [Remote host closed the connection]
04:43 -!- supermat [supermat@unaffiliated/supermat] has joined #openvpn
05:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
05:30 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 244 seconds]
05:47 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
06:13 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Quit: Leaving]
06:15 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
06:53 -!- Maksa [Maksa@b702.ip14.netikka.fi] has joined #openvpn
07:29 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:21 < eagles0513875> hey guys
09:21 < eagles0513875> has anyone in here setup openvpn on gentoo?
09:56 -!- larryone [~larryone@180.234.22.20] has joined #openvpn
10:57 -!- phlux [phlux@unaffiliated/phlux] has joined #openvpn
10:59 < phlux> Hello, I followed this guide to get my OpenVPN started: https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7 and so far, things are working OK. If I visit 'ipchicken.com' or any other website telling me my IP, it will respond with the IP of my VPN server. However, IRC traffic is *not* forwarded. If I try to IRC from my local computer, my local IP
10:59 < phlux> address is shown as the hostname, rather than the host of my VPN. Am I doing something wrong?
10:59 <@vpnHelper> Title: Secure Communications with OpenVPN on Ubuntu 12.04 (Precise) and Debian 7 - Linode Guides & Tutorials (at www.linode.com)
11:06 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
11:11 -!- larryone [~larryone@180.234.22.20] has quit [Quit: This computer has gone to sleep]
11:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:21 -!- mode/#openvpn [+v s7r] by ChanServ
11:48 -!- lorenzo [lorenzo@nl.shell.enlab.net] has joined #openvpn
11:49 < lorenzo> hi! is it possible to run two openvpn clients against two different openvpn-as instances?
11:49 < lorenzo> on the same client of course
12:08 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 256 seconds]
12:20 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
12:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
12:28 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
12:30 -!- mode/#openvpn [+v debbie10t] by ChanServ
12:31 <+debbie10t> so i am trying to change my password on the community portal and so far I have been waiting 25 mins .. is it all working ?
12:50 < loeken> checked spam?
12:57 -!- phlux [phlux@unaffiliated/phlux] has left #openvpn ["WeeChat 1.0-rc1"]
13:05 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
13:07 <+debbie10t> password failed to change
13:12 -!- Argat [~Argat@adsl-98-48.du.nwc.is] has quit [Ping timeout: 255 seconds]
13:32 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
13:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
14:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:39 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:40 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:49 -!- mode/#openvpn [-v debbie10t] by ChanServ
15:49 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
16:06 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
16:31 -!- xup [~xup@unaffiliated/othermth] has joined #openvpn
16:33 < xup> when openvpn lost connection and try to reconnect it asks me about the password that I've provided in it's config file, when I restart it everything goes normal
16:33 < xup> how can I fix this?
16:33 < xup> *lose
16:33 < xup> **loses
16:34 < xup> I wan't it to reconnect without asking me for a password
16:56 -!- xup [~xup@unaffiliated/othermth] has quit [Quit: xup]
16:58 < loeken> auth-user-file userfile.txt
16:59 < loeken> add that to client.conf and then create a userfile.txt with username in the first line and password in the 2nd line
17:20 -!- Maksa [Maksa@b702.ip14.netikka.fi] has left #openvpn []
17:41 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
18:22 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Ping timeout: 255 seconds]
18:53 -!- mattock is now known as mattock_afk
18:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
19:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
19:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:05 -!- james41382_ is now known as james41382
20:09 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
20:11 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
20:11 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
20:17 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
20:19 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
20:20 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
20:21 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Read error: Connection reset by peer]
20:22 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
20:25 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
20:35 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
21:04 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
21:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:06 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
21:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:28 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:30 -!- p3rror [~mezgani@adsl196-168-25-217-196.adsl196-9.iam.net.ma] has joined #openvpn
21:53 -!- p3rror [~mezgani@adsl196-168-25-217-196.adsl196-9.iam.net.ma] has quit [Quit: Leaving]
21:54 -!- supermat [supermat@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
22:00 -!- supermat [supermat@unaffiliated/supermat] has joined #openvpn
22:06 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
22:34 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:52 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
23:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
23:07 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
23:11 -!- ShadniX [dagger@p5DDFFE2C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:12 -!- ShadniX [dagger@p5DDFE701.dip0.t-ipconnect.de] has joined #openvpn
23:17 -!- p3rror [~mezgani@adsl196-168-25-217-196.adsl196-9.iam.net.ma] has joined #openvpn
23:28 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has quit [Remote host closed the connection]
23:34 -!- mete [~mete@91.247.253.160] has joined #openvpn
23:42 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
23:44 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Excess Flood]
23:45 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
23:49 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
23:56 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
--- Day changed Sun Aug 03 2014
00:16 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
00:17 -!- lorenzo [lorenzo@nl.shell.enlab.net] has left #openvpn []
00:17 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
00:18 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
00:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:56 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 272 seconds]
01:02 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
01:02 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:03 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
01:04 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
01:05 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:09 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has quit [Ping timeout: 260 seconds]
01:14 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
01:15 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:32 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
01:34 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
01:35 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
01:40 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
01:58 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 256 seconds]
02:01 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
02:07 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
02:25 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Read error: Connection reset by peer]
02:25 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
02:25 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Read error: Connection reset by peer]
02:26 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
03:04 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
03:09 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 244 seconds]
03:13 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
03:21 -!- mattock_afk is now known as mattock
04:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Read error: Connection reset by peer]
04:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
04:41 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 250 seconds]
05:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
05:27 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 260 seconds]
05:30 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
05:34 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
05:34 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 260 seconds]
05:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
05:42 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 244 seconds]
05:53 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
05:53 -!- mode/#openvpn [+v debbie10t] by ChanServ
05:54 <+debbie10t> So for two days I have been trying to change my password on the community portal and it is still timing out .. is the portal working correctly ?
06:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:32 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 256 seconds]
06:34 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
06:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
06:38 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 256 seconds]
06:40 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
06:43 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 250 seconds]
06:46 -!- larryone [~larryone@180.234.227.79] has joined #openvpn
06:50 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 244 seconds]
06:56 -!- larryone [~larryone@180.234.227.79] has quit [Quit: This computer has gone to sleep]
07:03 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
07:07 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 244 seconds]
07:09 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
07:18 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:20 -!- larryone [~larryone@180.234.16.173] has joined #openvpn
07:21 -!- mode/#openvpn [-v debbie10t] by ChanServ
07:29 -!- larryone [~larryone@180.234.16.173] has quit [Ping timeout: 255 seconds]
07:32 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:33 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
07:35 -!- fejjerai [~quassel@kde/mitchell] has quit [Ping timeout: 272 seconds]
07:35 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 250 seconds]
07:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:42 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 255 seconds]
07:46 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
07:58 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
08:24 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
09:00 -!- LuisM [~luism@unaffiliated/luism] has joined #openvpn
09:00 < LuisM> hi folks
09:00 < LuisM> i have a doubt..
09:01 < LuisM> my openvpn server is working fine. but i haven't centralized firewall/appliance/whatever for working like GW
09:01 < LuisM> so, all clients in my LAN needs to connecting in server
09:02 < LuisM> and i need to add ccd files for each one. so, what's solution? i have very much PC's
09:04 < LuisM> a machine working like "proxy" to access server?
09:05 < LuisM> in GW i'll add a route for vpn address pointing to local machine?
09:07 < LuisM> krzee: are u here? ;)
09:22 -!- ub1quit33_ [~quassel@64.191.249.101] has joined #openvpn
09:26 < LuisM> my confs http://ix.io/dJL
09:45 -!- larryone [~larryone@180.234.240.185] has joined #openvpn
09:45 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has joined #openvpn
09:50 -!- abbe [having@badti.me] has joined #openvpn
09:51 -!- larryone [~larryone@180.234.240.185] has quit [Ping timeout: 244 seconds]
10:54 -!- ub1quit33_ [~quassel@64.191.249.101] has quit [Ping timeout: 240 seconds]
11:09 -!- ub1quit33 [~quassel@64.191.249.101] has joined #openvpn
11:12 -!- larryone [~larryone@180.234.247.231] has joined #openvpn
11:19 -!- ub1quit33 [~quassel@64.191.249.101] has quit [Ping timeout: 264 seconds]
11:22 -!- larryone [~larryone@180.234.247.231] has quit [Ping timeout: 244 seconds]
11:34 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
11:44 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 244 seconds]
11:46 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
12:05 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
12:30 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
12:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Remote host closed the connection]
12:34 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:40 -!- p3rror [~mezgani@adsl196-168-25-217-196.adsl196-9.iam.net.ma] has quit [Ping timeout: 244 seconds]
13:06 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
13:19 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
13:19 < ice9> how to protect my pc while connected to vpn?
13:28 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
13:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
13:45 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 264 seconds]
13:50 -!- DrCode_ [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:52 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
13:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
13:53 -!- DrCode_ is now known as DrCode
14:08 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
14:09 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
14:12 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
14:15 -!- xeqt [xeqt@h-72-121.a146.priv.bahnhof.se] has joined #openvpn
14:18 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has quit []
14:20 -!- dob1 [~dob@dynamic-adsl-84-220-115-50.clienti.tiscali.it] has joined #openvpn
14:20 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:21 < dob1> hi, I added mtu-test to my client configuration, on the documentation is written that it takes about 3 min to connect using this options but I don't see any difference, so it is ignoring this setting ?
14:41 -!- maps|wrk [mark@97e0b9d3.skybroadband.com] has joined #openvpn
14:41 < maps|wrk> !goal
14:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:42 < maps|wrk> !help
14:42 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
14:42 < maps|wrk> !linat
14:42 < maps|wrk> hm
14:43 < maps|wrk> !ipforward
14:43 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:43 < maps|wrk> !linipforward
14:43 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
14:44 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
14:52 -!- dob1 [~dob@dynamic-adsl-84-220-115-50.clienti.tiscali.it] has quit [Quit: Leaving]
15:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
15:09 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:10 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has joined #openvpn
15:12 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
15:12 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
15:28 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Remote host closed the connection]
15:31 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
15:48 -!- maps|wrk [mark@97e0b9d3.skybroadband.com] has quit [Quit: Page closed]
16:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:10 -!- daeda|us [~daed@173.192.81.161] has joined #openvpn
16:11 < daeda|us> !welcome
16:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:11 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
16:11 < daeda|us> im just wondering how important this message is: "NOTE: unable to redirect default gateway -- Cannot read current default gateway from system"  i'm not leaking dns or ip
16:13 < daeda|us> and i'm also getting warnings that link-mtu, cipher, and keysize are inconsistent with remote, but then i see where data channels for encrypt and decrypt were initialized with the correct params
16:19 -!- LuisM [~luism@unaffiliated/luism] has left #openvpn []
16:23 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
16:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:25 -!- gardar [~gardar@82.221.78.13] has quit [Quit: ZNC - http://znc.in]
17:26 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 255 seconds]
17:27 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 245 seconds]
17:27 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Ping timeout: 256 seconds]
17:28 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
17:30 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 256 seconds]
17:31 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-baecdbskzgfwjqtt] has quit [Quit: EliteBNC free bnc service - http://elitebnc.org - be a part of the Elite!]
17:32 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
17:32 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has joined #openvpn
17:32 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
17:33 -!- gardar [~gardar@82.221.78.13] has joined #openvpn
17:34 -!- cyberspace- [~cyberspac@ninthfloor.org] has joined #openvpn
17:36 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has quit [Client Quit]
17:37 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
17:38 -!- cyberspace- [~cyberspac@ninthfloor.org] has quit [Ping timeout: 240 seconds]
17:38 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has joined #openvpn
17:39 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:40 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
17:41 -!- hays [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
17:41 < daeda|us> Can anyone possibly help me decode a few lines in my openvpn log file?  just a bit concerned that something's not set up properly
17:42 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
17:43 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
17:46 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
17:51 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:16 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
18:16 -!- Tyklol [tykling@gibfest.dk] has joined #openvpn
18:33 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:28 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
19:33 -!- ub1quit33_ [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
19:57 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
19:57 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has joined #openvpn
19:58 < staticsafe> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos - whoever runs the debian/ubuntu repo, the GPG key has expired
19:58 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
19:58 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:00 < daeda|us> i think everyone is competing to have the longest idle time
20:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:27 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has joined #openvpn
20:33 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
20:45 -!- staticsafe [~staticsaf@unaffiliated/staticsafe] has left #openvpn ["WeeChat 0.4.3"]
20:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
21:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
21:23 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 240 seconds]
21:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:14 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
22:16 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
22:31 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:12 -!- ShadniX [dagger@p5DDFE701.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:13 < TommyC> !welcome
23:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:13 -!- ShadniX [dagger@p5DDFD952.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Aug 04 2014
01:14 < mnathani> my openvpn tunnel establishes, but I am unable to route Internet traffic through the tunnel
01:20 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has joined #openvpn
01:44 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has quit [Quit: TTFN, Ta Ta For Now!]
01:46 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:20 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
03:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:09 -!- Tyklol is now known as Tykling
03:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
03:52 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
03:55 -!- seba [~seba@kratzbaum.someserver.de] has quit [Quit: Lectus non solum ad dormiendum factus est]
04:15 -!- sieve [~Adium@g226039162.adsl.alicedsl.de] has joined #openvpn
04:15 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:16 < sieve> Hi, I have set up openvpn and its working fine on my OSX machine here but for a windows machine they are unable to ping hosts although the client connects
04:26 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has left #openvpn []
04:59 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 255 seconds]
05:00 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
05:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
05:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:27 -!- dazo_afk is now known as dazo
05:27 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
05:29 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Remote host closed the connection]
05:55 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
05:55 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
06:02 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
06:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
06:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
06:44 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
06:46 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:04 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:07 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
07:10 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:15 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
07:16 -!- LiquidSnake [219@alpha.undeadlinux.org] has joined #openvpn
07:16 -!- LiquidSnake [219@alpha.undeadlinux.org] has left #openvpn []
07:18 -!- Champi_ [Champi@damn.e-leet.be] has joined #openvpn
07:19 -!- Netsplit *.net <-> *.split quits: sieve
07:19 -!- Netsplit *.net <-> *.split quits: ribasushi
07:20 -!- Netsplit *.net <-> *.split quits: C-S-B, Images, Six6siX, renihs, vinky, ahuemer, get, deeville, Champi, RaiNerTsuFal,  (+4 more, use /NETSPLIT to show all of them)
07:20 -!- Champi_ is now known as Champi
07:20 -!- Netsplit over, joins: bakhtiya, C-S-B, Six6siX
07:20 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Excess Flood]
07:21 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:21 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
07:23 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
07:23 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
07:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:27 -!- Plastefuchs [~fweee@198.98.120.235] has joined #openvpn
07:32 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
07:44 -!- ub1quit33 [~quassel@cpe-198-72-138-144.socal.res.rr.com] has quit [Remote host closed the connection]
07:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:31 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Ping timeout: 240 seconds]
08:31 -!- vinky_ [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Ping timeout: 240 seconds]
08:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 240 seconds]
08:32 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
08:32 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
08:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
08:38 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
08:46 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
08:52 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:05 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
09:06 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
09:20 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
09:27 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
09:28 -!- AlexMax [alexmax@2600:3c03::f03c:91ff:fe93:116b] has joined #openvpn
09:29 < AlexMax> Question - do you guys provide help with tunnelblick?  I've tried to uninstall tunnelblick with the uninstaller app and the thing froze.
10:05 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
10:24 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
10:49 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
10:49 < Hello71> if I have proto udp and remote server tcp, openvpn will use tcp (for that remote), right?
10:51 < Eugene> Do you mean <connection> blocks?
10:51 < Hello71> no, if I just have a bunch of remote lines
10:51 < Hello71> do I need to put them in blocks?
10:51 < Hello71> assuming no proxy settings
10:52 < Eugene> Use of multiple --remote without <connection> is a special case for the parser
10:52 < Eugene> I /think/ it will work as you've descrived(inheriting --proto for those --remotes which don't define a proto), but I would just eliminate the line and do it right in the --remote
10:53 < Eugene> It's like, three letters.
10:56 < Hello71> right, I mean that the remote one will overwrite the proto
10:56 < Hello71> when it is set
10:56 < Hello71> the manpage is not entirely clear on this matter
10:56 < Hello71> (could probably have tested it in the time to ask)
11:03 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
11:04 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
11:13 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:17 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
11:24 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:27 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:27 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
11:41 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:41 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 260 seconds]
11:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:44 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
11:46 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 240 seconds]
11:58 -!- redpill [~redpill@unaffiliated/redpill] has quit [Quit: redpill]
11:58 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
11:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:00 -!- mode/#openvpn [+v s7r] by ChanServ
12:03 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
12:14 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
13:03 -!- jadedsecurity [~bob@pentoo/user/Jadedsecurity] has left #openvpn []
13:06 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 255 seconds]
13:14 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
13:38 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
13:58 < daeda|us> Eugene you're in here too?
13:58 < Eugene> I am everywhere, and I am nowhere.
13:58 < daeda|us> nice
13:58 < Eugene> I am the darkness in the night and the sun shining above
13:58 < daeda|us> you mind attempting to help me out with deciphering my openvpn log file?
13:58 < Eugene> Confide in me your worst fears, and your mind's dreams
13:59 < Eugene> !logs
13:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:59 < Eugene> !configs
13:59 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:00 < daeda|us> http://pastebin.com/kvXrsSQT
14:00 < daeda|us> so i get these warnings about stuff not matching up, but then i see where the encryption and decryption channels were properly set up
14:02 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
14:10 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
14:13 < daeda|us> and i was just wondering if i should worry about it
14:13 < daeda|us> or not since my encryption/decryption channels are starting properly
14:17 <@syzzer> daeda|us: you won't be able to get data across that link. one of your peers is using a different encryption algorithm than the other
14:17 <@syzzer> BF-CBC vs AES-256-CBC
14:18 <@syzzer> you should set "cipher AES-256-CBC" on both if you want to use that, or leave it out on both if you're fine with BF-CBC
14:19 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
14:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:36 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Connection reset by peer]
14:39 < daeda|us> but i seem to be getting data across the link currently..does that mean im not encrypted?
14:40 < daeda|us> and a program like wireshark is just gonna tell me if there are encrypted packets being sent over a connection, but not which protocol right?
14:43 -!- p3rror [~mezgani@105.158.165.198] has joined #openvpn
14:44 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 31.0/20140716183446]]
14:45 < daeda|us> im using PIA which uses OpenVPN so i figured since they let you set your own encryption settings that they just look for what the client sends and then match it once they get that particular data, but until then it throws out those warnings
14:47 < daeda|us> brb
14:47 -!- daeda|us [~daed@173.192.81.161] has quit []
14:49 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
14:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:57 -!- daeda|us [~daed@50.97.94.40-static.reverse.softlayer.com] has joined #openvpn
14:57 < daeda|us> well it's definitely encrypted lol
14:57 < daeda|us> just cant tell by what algorithm
14:57 <@dazo> daeda|us: line 2 and 3 will not make it possible to use the tunnel.  You must fix that
14:58 <@dazo> then there is line 1, which will bite you later on.  So you must ensure you have the same MTU value too
14:58 < daeda|us> but seriously im on it right now
14:59 < daeda|us> and it's encrypted
14:59 <@dazo> otherwise, you must use --fragment with a value lower than 1500 together with --mss-fix
14:59 -!- suzylee [~suzylee@unaffiliated/suzylee] has joined #openvpn
14:59 < daeda|us> just checked the packets with wireshark
14:59 <@dazo> daeda|us: If you have the cipher + keysize warning ... there is no way you can even send as much as a ping over the tunnel
14:59 < daeda|us> so is it possible that PIA is just catching the values that the client sends and then matching it to make the encryption links?
14:59 <@dazo> nope
14:59 < daeda|us> im serious im on it at the moment
14:59 <@dazo> OpenVPN does not adapt to client cipher
15:00 < daeda|us> so how am i able to currently send and receive data
15:00 <@dazo> OpenVPN is missing the code pieces to negotiate the cipher/key length over the wire.  It must be preconfigured
15:00 <@dazo> I dunno what PIA is ... so I have no idea what that means
15:00 < daeda|us> Private Internet Access
15:01 < daeda|us> it's a vpn that was built off of openvpn
15:01 <@dazo> ask PIA support then
15:01 < daeda|us> i did and they said it was normal but i wanted to get an opinion from folks devoted to OpenVPN
15:01 < daeda|us> it's only been about a year since they started allowing clients to select encryption settings from their app
15:03 < daeda|us> http://pastebin.com/MaxpELT3
15:03 < daeda|us> there's a better log
15:08 <@dazo> then it's just to ask for their source code, because they must have implemented something ... as the server have switched from BF to AES
15:08 <@dazo> (and they are obliged to deliver the source code, due to the GPL license)
15:09 < daeda|us> but in your opinion, is that what it looks like to you?
15:09 < daeda|us> that the link was successfully made using my client settings?
15:09 <@dazo> Mon Aug 04 14:49:34 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
15:09 < daeda|us> yah
15:10 <@dazo> that means both sides use AES-256-CBC
15:10 < daeda|us> i just wasnt sure if that was something that got spit out on my end
15:10 < daeda|us> nice
15:10 < daeda|us> thanks for bearing with me :)
15:11 -!- suzylee [~suzylee@unaffiliated/suzylee] has quit [Quit: Leaving]
15:11 <@dazo> syzzer: is this something you have a chance/time to follow up?  Trying to get some patches from PIA?
15:11 < daeda|us> it's an old client
15:11 < daeda|us> 2.2.2
15:11 <@dazo> doesn'
15:12 <@dazo> doesn't matter, it's the server side patches we're interested in :)
15:12 < daeda|us> cool deal
15:12 < daeda|us> ive been waiting for almost 2 days to hear back from their tech support about how to update the openvpn client
15:12 < daeda|us> all tier1 could tell me was that it was possible
15:12 <@dazo> 2.1.x, 2.2.x and 2.3.x are quite compatible, at least to IPv4 .... 2.3 is the one supporting IPv6
15:14 < daeda|us> so other than ipv6 support, is their any major reason why i should upgrade to 2.3.4 from 2.2.2?
15:14 <@dazo> bug fixes?
15:14 < daeda|us> but no major security flaws
15:15 <@dazo> Actually, there's at least a theoretical timing attack ... but nothing critical
15:16 <@dazo> https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
15:16 <@vpnHelper> Title: ChangesInOpenvpn23 – OpenVPN Community (at community.openvpn.net)
15:17 < daeda|us> i guess it would still be beneficial to know how to update the client for future reference
15:17 < daeda|us> i just didnt wanna install openvpn to a secondary location and then copy it over, since PIA obviously has some custom scripts i dont wanna mess up
15:22 <@dazo> openvpn itself, is just a single binary executable on *nix ... while it's the openvpn binary plus libraries on the Windows version
15:22 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
15:22 <@dazo> but if they've added something more depending on the same libaries on Windows, then you can mess things up (their additions might not run)
15:23 < daeda|us> yeah that's what i was worried about
15:24 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
15:24 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
15:33 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
15:37 -!- mattock is now known as mattock_afk
15:44 <@syzzer> dazo: interesting indeed. However, if they're using server-side patches only, do they even have to provide them? Since their not distributing the code.
15:44 <@syzzer> s/code/binary/
15:44 <@dazo> syzzer: it's worth a shot ;-)  As they probably provide client downloads as well
15:45 <@dazo> (it will at least reveal them as good or bad guys)
15:45 -!- redpill [~redpill@unaffiliated/redpill] has quit [Quit: redpill]
15:45 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
15:45 <@syzzer> true. For now AES-GCM is on the top of my list, but I'll put it in the queue ;)
15:45 <@dazo> makes sense!
15:46 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:46 <@plaisthos> syzzer: no they don't have to
15:46 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
15:46 <@plaisthos> the AGPL variants were create to address the "problem"
15:48 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:49 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
15:51 < daeda|us> would it really be that difficult to impliment without their support though?  you would just need to add a line to  listen for the client settings, then tell the server to match to complete the link
15:51 < daeda|us> im sure there's more to it than that
15:52 <@plaisthos> daeda|us: the client side patches are really simple
15:53 <@plaisthos> the client just tells the server in the initial handshake its cipher, crypto and ca settings
15:53 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
15:53 < daeda|us> and then you can get the server to listen for those variables and match them
15:53 < daeda|us> instead of rejecting if they dont match
15:54 <@plaisthos> daeda|us: don't know what they do on the server side
15:54 <@plaisthos> could be some kind of proxy or could be some openvpn patches
15:54 <@plaisthos> dunno
15:56 <@plaisthos> ah and their patches enables TLS 1.2
15:56 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:56 <@plaisthos> which openvpn 2.3.3 (and 2.3.4 with the right settings?) and -master have too
16:00 < daeda|us> well my irc packets dont seem to be encrypted
16:00 < daeda|us> i can read them plain as day through wireshark
16:03 <@dazo> daeda|us: on which interface?
16:03 <@dazo> the tun/tap device ... or your local NIC?
16:04 < daeda|us> good point lol
16:04 < daeda|us> i dunno
16:04 < daeda|us> im still learning to read all this tbh
16:04 <@dazo> (btw, freenode servers can do SSL/TLS too)
16:05 < daeda|us> yeah i need to enable that by default i guess
16:05 <@dazo> well, not critical, unless you pass username/password to FreeNode nickserv
16:06 < daeda|us> it's a random pw that's only used for irc so im not even worried about that
16:07 < daeda|us> it says it was on interface 4 but i have no idea what that corresponds to
16:08 < daeda|us> so if i had wireshark set up to catch every interface, would one interface be encrypted and another be decrypted?
16:08 <@dazo> probably
16:08 < daeda|us> i'll have to play around with it and just monitor the irc protocol
16:08 <@dazo> the tun/tap device would be unencrypted ... as that traffic is sent to openvpn, which encrypts it and sends it to the remote server via your local NIC
16:09 <@dazo> (data from the remote server is decrypted by openvpn and sent to the tun/tap device)
16:12 < daeda|us> k it's encrypted on the wireless protocol and decrypted on local
16:12 < daeda|us> good deal lol
16:17 <@syzzer> the thing with these features is that it is quite doable to just 'hack em in'. However, the proper way usually involves quite a bit more work. OpenVPN was not designed with this kind of use in mind, and that is noticeable when you're trying to implement these kind of features properly...
16:17 <@dazo> which is why I would like to see their patches :)
16:24 < daeda|us> and i'd definitely like to hear what you guys think of how they worked things in
16:29 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
16:30 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 250 seconds]
16:32 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
16:47 -!- vincx [~vincent@133.88.187.81.in-addr.arpa] has joined #openvpn
16:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:56 < vincx> Is there anybody out there, willing to help out with configuring openvpn?
16:58 < vincx> We got a tunnel, but cannot ping servers on the LAN
16:58 < vincx> working: PC -> tunnel-via-internet ->  openvpn -> internet
16:59 < vincx> not working: PC -> tunnel-via-internet -> (10.1.0.0/24) openvpn -> LAN (10.0.0.0/24)
17:06 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 250 seconds]
17:07 < vincx> It is the second situation of https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
17:07 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
17:07 < vincx> We need to be sure we need to change these ip-tables like described here.
17:08 -!- ub1quit33_ [~quassel@64.191.249.101] has joined #openvpn
17:17 -!- lsone [~lsone@69.15.58.162] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:21 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:28 < vincx> So how to setup the iptable of the router such that it allows the tunnel from the openvpn-server to access both the internet and the LAN?
17:37 -!- vincx [~vincent@133.88.187.81.in-addr.arpa] has quit [Ping timeout: 245 seconds]
17:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:56 -!- vincx [~vincent@sd44054c9.adsl.online.nl] has joined #openvpn
18:01 -!- nsrafk [stfu@209.141.53.113] has joined #openvpn
18:02 -!- nsrafk [stfu@209.141.53.113] has quit [Quit: stfu - mkdir not war]
18:02 -!- nsrafk [stfu@helix.deluxe-host.net] has joined #openvpn
18:06 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:08 -!- ub1quit33_ [~quassel@64.191.249.101] has quit [Ping timeout: 260 seconds]
18:10 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
18:12 < nsrafk> is it possible to install openvpn without root?
18:13 < nsrafk> never tried setting up one by myself
18:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:17 -!- sieve [~Adium@g226039070.adsl.alicedsl.de] has joined #openvpn
18:18 < Eugene> Yes, you can compile it into ~/bin/ just fine. You'll need root to give you a tun device and the ability to add/remove IPs
18:18 < Eugene> !unpriv
18:18 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
18:18 < Eugene> !xy
18:18 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
18:19 < nsrafk> thanks bro
18:21 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
18:24 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:25 -!- KNERD [~KNERD@23.227.189.101] has joined #openvpn
18:26 -!- dazo is now known as dazo_afk
18:32 < KNERD> On CentOS 6.x I dont have suslog installed, and have "log-append  openvpn.log" uncommented. But yet I see no openvpn.log in ./var/log/ Where should this log be contained?
18:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:38 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
18:39 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:43 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 244 seconds]
19:25 -!- mwargh [~sistemshi@unaffiliated/mwargh] has quit [Ping timeout: 255 seconds]
19:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:41 < Hello71> hm, tap needs root too, right?
19:55 -!- nsrafk [stfu@helix.deluxe-host.net] has quit [Ping timeout: 245 seconds]
19:56 -!- nsrafk [stfu@helix.deluxe-host.net] has joined #openvpn
20:03 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:05 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
20:05 -!- ShadniX [dagger@p5DDFD952.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
20:06 -!- ShadniX [dagger@93.223.217.82] has joined #openvpn
20:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 256 seconds]
20:21 -!- ShadniX [dagger@93.223.217.82] has quit [Ping timeout: 250 seconds]
20:23 -!- ShadniX [dagger@93.223.217.82] has joined #openvpn
20:40 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
20:51 -!- mdoge [~dsc@pwned.systems] has joined #openvpn
20:55 < mdoge> http://pastebin.com/RyrMeDWJ
20:55 < mdoge> no idea what i'm doing wrong...
20:56 < mdoge> my client doesnt go past login
20:58 < _FBi> TLS error would be my guess haha
20:58 -!- vincx [~vincent@sd44054c9.adsl.online.nl] has quit [Ping timeout: 250 seconds]
20:59 < mdoge> _FBi: any idea how to fix it?
20:59 < mdoge> is this a client side or server side error?
20:59 < _FBi> how did you make your TLS ?
20:59 < _FBi> either or both
20:59 < mdoge> i followed this tutorial a 100% : http://d.stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
20:59 <@vpnHelper> Title: Weblog | Stavrovski.Net (at d.stavrovski.net)
21:00 < _FBi> openvpn --version
21:00 < mdoge> 2.2.1
21:00 < _FBi> old
21:00 < _FBi> and most don't use CN anymore
21:00 < mdoge> well yeah its debian
21:00 < mdoge> everything is old :P
21:00 < _FBi> I use debian, too :P
21:01 < _FBi> http://openvpn.net/index.php/open-source/documentation/howto.html
21:01 <@vpnHelper> Title: HOWTO (at openvpn.net)
21:01 < mdoge> im not sure what a CN is
21:01 < _FBi> if you have the time, read through that.
21:01 < mdoge> nah
21:01 < _FBi> if not, you'll need to find someone to spoon feed you haha
21:01 < mdoge> i dont have time
21:01 < mdoge> okay
21:02 < _FBi> openvpn --genkey --secret /root/easy-rsa/keys/ta.key  <-- how many times did you do that?
21:02 < mdoge> 6 times
21:03 < mdoge> just making sure i did all the steps correctly
21:03 < _FBi> well
21:03 < _FBi> shitty
21:03 < _FBi> That ta.key needs to be copied onto the client and server side -- share the same file.  IE: don't create two
21:04 < mdoge> oh no, they're both the same
21:04 < mdoge> i just started from scratch 6 times
21:04 < mdoge> deleting everything etc
21:04 < _FBi> well, read and follow the link I gave you and do it once :P
21:04 < mdoge> that would require me to dive into how certificates work
21:04 < _FBi> shouldn't take you more than 10 minutes to setup a server
21:05 < mdoge> a task which could take up a whole day
21:05 < _FBi> 10 minutes
21:05 < mdoge> okay
21:06 < _FBi> if you have questions about that tutorial -- ask them here
21:06 < _FBi> or just buy a service ;)
21:07 < _FBi> I'd advertise, but I don't know if that's allowed
21:07 < mdoge> thats true
21:07 < mdoge> i should just buy one
21:07 < mdoge> im way too lazy for this
21:07 < _FBi> haha
21:07 < _FBi> what are you using it for?
21:07 < mdoge> to circumvent the chinese firewall at work
21:08 < mdoge> actually my router might have a vpn server builtin
21:08 < _FBi> do you want american or Netherlands?
21:09 < mdoge> im' going to check if my router supports one first
21:12 < _FBi> I use OpenWRT -- I like it!  OpenWRT > DD WRT
21:14 < mdoge> yeah openwrt is nice
21:27 < mgorbach> Does anyone know where I can find an OpenVPN release RSS feed?
21:31 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
21:33 < _FBi> not sure, has google turned up any results?
21:33 < daeda|us> tomato bruh
21:39 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
21:39 < daeda|us> also, you gotta have a beefy router to do any sort of encryption on the router though
21:39 < daeda|us> -though
21:39 < Hello71> (or hardware support)
21:40 < daeda|us> it's still gotta be beefy
21:42 -!- troj [~xxx@2001:470:1f15:107a::50f7] has quit [Ping timeout: 260 seconds]
21:42 < daeda|us> http://www.cse.wustl.edu/~jain/cse567-08/ftp/ovpn/index.html#sec3
21:42 <@vpnHelper> Title: Performance Analysis of OpenVPN on a Consumer Grade Router (at www.cse.wustl.edu)
21:42 < daeda|us> throughput was cut in half for aes256
21:43 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
21:57 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 255 seconds]
22:00 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:02 < daeda|us> i found the thread i was looking for... you'd need something like a Netgear Nighthawk to get above 50mbps
22:02 < daeda|us> which retails for $250
22:05 -!- mdoge [~dsc@pwned.systems] has left #openvpn []
22:05 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
22:10 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
22:31 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:31 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:44 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:53 -!- larryone [~larryone@180.234.123.68] has joined #openvpn
23:10 -!- ShadniX [dagger@93.223.217.82] has quit [Ping timeout: 250 seconds]
23:12 -!- ShadniX [dagger@p5DDFF62A.dip0.t-ipconnect.de] has joined #openvpn
23:14 -!- larryone [~larryone@180.234.123.68] has quit [Read error: Connection reset by peer]
23:33 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
23:40 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
23:51 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has joined #openvpn
--- Day changed Tue Aug 05 2014
01:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 256 seconds]
01:09 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:14 < TommyC> Hi, for a learning experiment I'm going to be using an OpenVPN server and client (same box, 2 instances of ovpn) to encrypt outgoing traffic, but I was wondering is it alright to use "local" for the client as well, or should that only be for the server and "remote" should be used for the client (pointing to the IP address of the box)?
01:19 -!- mattock_afk is now known as mattock
01:40 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 250 seconds]
01:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
01:46 -!- mode/#openvpn [+o syzzer] by ChanServ
01:53 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:01 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
02:01 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
02:06 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
02:07 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
02:12 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
02:36 -!- sieve [~Adium@g226039070.adsl.alicedsl.de] has quit [Quit: Leaving.]
02:51 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has quit [Quit: TTFN, Ta Ta For Now!]
02:51 -!- sieve [~Adium@g226039070.adsl.alicedsl.de] has joined #openvpn
02:58 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
03:02 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
03:03 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
03:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:34 -!- sieve [~Adium@g226039070.adsl.alicedsl.de] has quit [Quit: Leaving.]
03:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:45 -!- `Ile` [~ile@109-93-18-197.dynamic.isp.telekom.rs] has joined #openvpn
03:45 -!- `Ile` [~ile@109-93-18-197.dynamic.isp.telekom.rs] has quit [Client Quit]
04:07 -!- sieve [~Adium@46.115.22.102] has joined #openvpn
04:08 -!- sieve [~Adium@46.115.22.102] has quit [Client Quit]
04:11 -!- sieve [~Adium@46.115.22.102] has joined #openvpn
04:15 -!- sieve [~Adium@46.115.22.102] has quit [Client Quit]
04:55 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
05:01 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
05:01 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
05:16 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:32 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
05:58 -!- p3rror [~mezgani@105.158.165.198] has quit [Read error: Connection reset by peer]
06:01 -!- sieve [~Adium@141.89.226.145] has quit [Quit: Leaving.]
06:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:32 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
06:36 -!- sieve [~Adium@141.89.226.145] has quit [Client Quit]
06:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
06:37 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
06:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:38 -!- sieve [~Adium@141.89.226.145] has quit [Client Quit]
06:39 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
06:42 -!- danthedeckie [~danthedec@host-92-18-185-34.as13285.net] has joined #openvpn
06:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
06:53 -!- danthedeckie [~danthedec@host-92-18-185-34.as13285.net] has quit [Quit: Leaving]
07:01 -!- sieve [~Adium@141.89.226.145] has quit [Quit: Leaving.]
07:03 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
07:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:06 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:20 -!- dazo_afk is now known as dazo
07:30 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:30 -!- DrakeFajro [~pi@92.63.172.220] has joined #openvpn
07:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:40 -!- sieve [~Adium@141.89.226.145] has quit [Quit: Leaving.]
07:46 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
07:47 -!- sieve [~Adium@141.89.226.145] has quit [Max SendQ exceeded]
07:47 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
07:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
07:49 -!- larryone [~larryone@180.234.106.131] has joined #openvpn
08:00 -!- larryone [~larryone@180.234.106.131] has quit [Ping timeout: 250 seconds]
08:04 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 256 seconds]
08:14 -!- Netsplit *.net <-> *.split quits: lbft
08:15 -!- Netsplit *.net <-> *.split quits: Chais
08:16 -!- Netsplit *.net <-> *.split quits: prettyrobots, clu5ter, xMopxShell, bashusr, Latrina, eagles0513875, TheEternalAbyss, hid3, _KaszpiR_, +RBecker,  (+5 more, use /NETSPLIT to show all of them)
08:16 -!- Netsplit over, joins: Chais, clu5ter, Cultist, hydrajump, prettyrobots, +RBecker, lbft, hid3, bashusr, _KaszpiR_ (+7 more)
08:21 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-hqgipgwkladpqvfm] has quit [Quit: leaving]
08:30 -!- kirin` [telex@gateway/shell/anapnea.net/x-umwinaspqrluxnuh] has joined #openvpn
08:47 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
08:48 -!- Latrina [~Latrina@ppp-73-26.26-151.libero.it] has quit [Ping timeout: 255 seconds]
08:48 -!- Latrina [~Latrina@151.56.175.87] has joined #openvpn
08:55 -!- nsrafk [stfu@helix.deluxe-host.net] has quit [Changing host]
08:55 -!- nsrafk [stfu@unaffiliated/nsrafk] has joined #openvpn
08:58 <@krzee> !krzee
08:58 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
09:03 -!- sieve [~Adium@141.89.226.145] has quit [Quit: Leaving.]
09:05 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
09:05 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
09:08 -!- sieve [~Adium@141.89.226.145] has quit [Client Quit]
09:08 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
09:08 -!- sieve [~Adium@141.89.226.145] has quit [Client Quit]
09:09 -!- sieve [~Adium@141.89.226.145] has joined #openvpn
09:11 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Quit: Bye.]
09:13 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
09:22 -!- sieve [~Adium@141.89.226.145] has quit [Quit: Leaving.]
09:24 -!- ZenKen [~mbs@178-26-180-152-dynip.superkabel.de] has joined #openvpn
09:25 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 245 seconds]
09:26 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
09:26 -!- ZenKen [~mbs@178-26-180-152-dynip.superkabel.de] has quit [Client Quit]
09:26 -!- ub1quit33_ [~quassel@64.191.249.101] has joined #openvpn
09:28 -!- ZenKen [~ZKenJ@178-26-180-152-dynip.superkabel.de] has joined #openvpn
09:28 < ZenKen> !welcom
09:29 < ZenKen> !welcome
09:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:29 < ZenKen> !goal
09:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:30 < ZenKen> !configs
09:30 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:30 < ZenKen> !logs
09:30 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:47 < ZenKen> hello everyone
09:48 < ZenKen> I have a simple OpenVPN setup that allows the client to access a resource only available internally on the server, and this works mostly well
09:49 < ZenKen> My problem is that on Windows 7, certain IPv6 routes appear that weren't configured, and thus deliver traffic over the VPN that is not intended to travel that way, and this slows down our connection
09:50 < ZenKen> here is my server configuration: http://pastebin.com/rH3bUSwn
09:50 < ZenKen> server logs indicating the offending IPv6 traffic: http://pastebin.com/w9Emf5bE
09:50 < ZenKen> client configuration on W7: http://pastebin.com/FtVTCkwZ
09:51 < ZenKen> Interestingly, this only occurs with Windows clients (so far could only test Win7)
09:52 < ZenKen> Two different W7 machines both route traffic for different IPv6 addresses through the VPN
09:53 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has left #openvpn []
09:53 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
09:54 < ZenKen> I understand what "MULTI: bad source address from client [fe80::xxxx:xxxx:xxxx:xxxx], packet dropped" means, but I don't understand how that traffic reaches the server in the first place, as I've defined no IPv6 routes in either server or client config
09:54 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
09:55 < ZenKen> I can post client logs too, if that helps, but there is nothing regarding IPv6 routes,just the standard IPv4 routes that OpenVPN sets up for it's tun adapter
09:57 -!- ub1quit33_ [~quassel@64.191.249.101] has quit [Ping timeout: 255 seconds]
09:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
09:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Client Quit]
09:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
09:59 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
10:06 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 272 seconds]
10:12 < ZenKen> Win7 client log: http://pastebin.com/62FffhW8
10:12 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
10:17 < ZenKen> does anyone know how that IPv6 traffic is getting routed through the tunnel?
10:19 < ZenKen> !sample
10:19 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
10:19 < ZenKen> !man
10:19 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:19 < ZenKen> !topology
10:19 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:20 -!- sieve [~Adium@46.114.136.223] has joined #openvpn
10:23 -!- sieve [~Adium@46.114.136.223] has quit [Client Quit]
10:27 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:02 -!- DarylXian [HM6L0J7Ly6@bolt.sonic.net] has joined #openvpn
11:02 < DarylXian> I have a simple Server/Client/LAN setup, with IP aliases involved:
11:02 < DarylXian> vpnServer (10.0.0.100) - vpnClient (10.0.1.100,192.168.1.100) - lanDesktop (10.0.1.201,192.168.1.201)
11:03 < DarylXian> I can ping vpnServer from one alias @ lanDesktop, but not the other.   I.e., @ lanDesktop, "ping -I 192.168.1.201 10.0.0.100" fails, but "ping -I 10.0.1.201 10.0.0.100" works.
11:03 < DarylXian> So kindof "1/2 one-way ping"; what am I missing.  A route I guess ... but what/where?
11:11 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:20 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:30 -!- ZenKen [~ZKenJ@178-26-180-152-dynip.superkabel.de] has quit [Quit: leaving]
11:37 -!- Vuokko [vuolasah@mustatilhi.cs.tut.fi] has joined #openvpn
11:40 < Vuokko> Hi! This is propably FAQ: How do I convert openvpn-install-version-arch.exe to .msi file so I can install it with GPO
11:46 -!- daeda|us [~daed@50.97.94.40-static.reverse.softlayer.com] has quit []
11:52 -!- daeda|us [~daed@50.97.94.22-static.reverse.softlayer.com] has joined #openvpn
11:53 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
11:56 < Eugene> !win_rollup
11:56 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
11:56 < Eugene> Vuokko ^
11:59 < Vuokko> Eugene: thanks.
12:19 -!- Vndtta [~Vndtta@unaffiliated/vndtta] has joined #openvpn
12:27 <@dazo> krzee: Eugene: Seen this one?  http://www.foaas.com/  ;-)
12:27 <@vpnHelper> Title: Fuck Off As A Service (FOAAS) (at www.foaas.com)
12:27 < Eugene> Yup.
12:29  * dazo does get some ideas for improving vpnHelper .... 
12:29 <@dazo> Like /fu <nick> ... which adds on a kick in addition :)
12:39 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Quit: AF_INET -> AF_INET6]
12:40 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
12:40 -!- pschmitt [~pschmitt@85-171-213-220.rev.numericable.fr] has joined #openvpn
12:41 -!- Vndtta [~Vndtta@unaffiliated/vndtta] has quit [Quit: Vndtta]
12:41 < pschmitt> Hi, I have a sorta stupid question: do I have to configure something in openvpn to make it possible to join a host connected to a VPN service via SSH on the "normal" interface (ie not tun0)?
12:43 < pschmitt> or is it a pure sshd thing?
12:43 < pekster> pschmitt: No, not unless you forgot to tell us that you're messing with default outbound routing
12:44 < pschmitt> pekster: not that I am aware of..
12:44 -!- Vndtta [~Vndtta@unaffiliated/vndtta] has joined #openvpn
12:44 < pekster> To be clear, you're using openvpn as a "plain secure network" and not using --redirect-gateway or the like?
12:44 < pschmitt> the thing is that I cannot connect to the said host from the outside when it connected to the vpm
12:45 < pekster> Sounds to me like you are doing exactly what you claim not to :P
12:45 < pekster> What client OS?
12:45 < pschmitt> I must admit that I do not really know, I have an account at a vpn provider
12:45 < pschmitt> linux
12:45 < Vndtta> Hi, I use openvpn with --user-auth-pass file, but I'm concerned with the security issues of having the credentials in plaintext, so I was thinking of encrypting it with gpg, but as --user-auth-pass inputs is only a file, do you know any way of doing this?
12:45 < pekster> Pastebin `ip r` somewhere
12:46 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Quit: Bye.]
12:46 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
12:47 < Hello71> Vndtta: and how would you input the passphrase for your gpg key
12:47 < pschmitt> http://pastebin.com/teB0AgTt
12:47 < Vndtta> command line
12:48 < Vndtta> This will be part of a bash script
12:48 < pekster> pschmitt: You are indeed redirecting your traffic like you said you weren't (lines 1 & 5 in that paste.) You have asymmetric routing as a result
12:48 < pekster> https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
12:48 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
12:49 < Hello71> Vndtta: so input the password from the command line
12:49 < Hello71> don't put in 10000 more layers
12:49 < pekster> You can't have your cake and eat it too, not without some semi-advanced routing to go with it. You're blindly sending _all_ Internet traffic to the far side of your VPN, and the original source says "WTF, I didn't talk to _you_, I asked some other host to talk to me" and dumps it
12:49 < pschmitt> my bad, I should have rtfmd, but I had no idea where to start. Thanks
12:50 < pekster> This one isn't in the openvpn docs per se (just that wiki page I wrote, AFAIK.) This isn't really an openvpn problem, but a routing one
12:50 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
12:50 < pekster> You either need to not redirect traffic like that, or set up policy routing
12:50 < pekster> (or don't do the VPN on the same host running your ssh)
12:50 < Vndtta> Hello71: The problem is that the user and the password are long strings, I prefer to remember my crypt password and have completely random openvpn password
12:51 < pekster> Vndtta: You can pass the un/pw to the openvpn process via the management interface over a tcp socket
12:52 < pekster> Vndtta: See --management, --management-hold, and --management-query-passwords
12:52 < pschmitt> pekster: since my router is doing the routing, I guess there's no way of doing this (its an appliance from my provider)
12:52 < pekster> pschmitt: Then you're screwed unless you can write your own scripts for it and pass it to a --route-up script or the like
12:52 < Vndtta> pekster: thanks will do
12:52 < pekster> You explicitly need policy routing in your case
12:53 < pschmitt> pekster: okay thanks!
12:54 -!- pschmitt [~pschmitt@85-171-213-220.rev.numericable.fr] has quit [Remote host closed the connection]
12:58 < Vndtta> pekster: It seems I've got the same problem, to start the management interface in a secure way you have to set a pw-file, elsewise anyone can access the management functions
12:58 -!- ploynog [~ploynog@wb0942.dip.tu-dresden.de] has joined #openvpn
12:59 < pekster> You should run management on 127.0.0.1; firewall that further (many OSes let you filter by user account -- Netfilter does.)
12:59 < pekster> Tune to your level of paranoia, and how much you don't trust users on your own system
13:02 < ploynog> I'm setting up a new small CA and wondering whether I can safely use easy-rsa 3.0 for that - mainly for the easy to use extension system. My own tests seem good and the bug list also does not show anything serious. Is there anything I might have missed?
13:02 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
13:23 -!- Latrina [~Latrina@151.56.175.87] has quit [Remote host closed the connection]
13:24 < Eugene> Go for it.
13:25 -!- Latrina [~Latrina@151.56.175.87] has joined #openvpn
13:25 -!- Latrina [~Latrina@151.56.175.87] has quit [Client Quit]
13:26 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has joined #openvpn
13:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:27 -!- DarylXian [HM6L0J7Ly6@bolt.sonic.net] has left #openvpn []
13:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
13:30 -!- Latrina [~Latrina@151.56.175.87] has joined #openvpn
13:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
13:42 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:48 -!- ploynog [~ploynog@wb0942.dip.tu-dresden.de] has quit [Remote host closed the connection]
13:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 264 seconds]
13:51 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:04 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Ping timeout: 250 seconds]
14:06 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 255 seconds]
14:08 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
14:08 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
14:10 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
14:11 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:12 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
14:12 < lfx> hello, not clear what "Expected Remote Options hash" and "Local options hash" are. Do they have to match?
14:19 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
14:20 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:24 -!- aji [~alex@atheme/member/aji] has quit [Changing host]
14:24 -!- aji [~alex@unaffiliated/aji] has joined #openvpn
14:28 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
14:39 -!- Vuokko [vuolasah@mustatilhi.cs.tut.fi] has left #openvpn []
14:39 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:45 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
14:47 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:53 -!- DrakeFajro [~pi@92.63.172.220] has quit [Remote host closed the connection]
14:58 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
15:02 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
15:10 -!- sieve [~Adium@46.114.24.126] has joined #openvpn
15:12 -!- sieve [~Adium@46.114.24.126] has quit [Client Quit]
15:28 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
15:29 < Ulrar> Are the IP in ipp.txt supposed to be following each others ? If I put the first user as some:v6:ip::1000 and the second as some:v6:ip::1002 on start openvpn rewrites the second user to 1001
15:30 < Eugene> !ipp
15:30 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
15:30 < Eugene> !static
15:30 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
15:31 < Eugene> Don't "put" anything in ipp
15:33 -!- p3rror [~mezgani@41.249.133.93] has joined #openvpn
15:34 < Ulrar> yeah but using that, if I don't want to specify the adress for all the clients, will that be a problem ? Can I just not create the script for one user ?
15:37 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has quit [Quit: TTFN, Ta Ta For Now!]
15:38 -!- dazo is now known as dazo_afk
15:41 -!- Vndtta [~Vndtta@unaffiliated/vndtta] has quit [Quit: Vndtta]
15:48 -!- C-S-B [~C-S-B@host217-42-190-86.range217-42.btcentralplus.com] has quit [Quit: ZNC - http://znc.in]
15:49 < Eugene> !ccd
15:49 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
15:50 < Eugene> Sure, just make a ccd entry for just the one client you want to be statically addressed
15:50 < Eugene> If you're using the --server helper you may want to read the man page on how it is expanded, and specify ifconfig-pool manually to a restricted set of addresses
15:51 < Eugene> Eg, in your /24, assign .100-.255 to be assigned dynamically, and then manually specify that client X, Y, and Z get the addresses .2 .3 and .4 via ccd ;-)
15:52 <@krzee> !addressing
15:52 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
15:52 < Eugene> Also make sure you're using
15:52 < Eugene> !subnet
15:52 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet
15:52 < Eugene> No, not that one, stupid bot
15:52 < Eugene> !topology
15:52 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
15:53 < Eugene> !learn subnet as You may be looking for !toplogy subnet
15:53 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
15:53 < Eugene> Fucking, somebody fix that.
15:56 <@krzee> !learn subnet as You may be looking for !toplogy subnet
15:56 <@vpnHelper> Joo got it.
15:56 < Ulrar> Yeah, I figured it out
15:56 < Ulrar> Works fine, thanks :)
15:56 <@krzee> !forget subnet 4
15:56 <@vpnHelper> Error: Invalid factoid number.
15:56 <@krzee> !forget subnet 3
15:56 <@vpnHelper> Joo got it.
15:56 <@krzee> !learn subnet as You may be looking for !toplogy
15:56 <@vpnHelper> Joo got it.
15:56 < Ulrar> Just had trouble finding the v6 equivalent of ifconfig-push but it wasn't that hard
15:56 <@krzee> !subnet
15:56 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet or (#3) You may be looking for !toplogy
15:57 <@krzee> !ipv6
15:57 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
15:57 < Ulrar> I was just trying to assign funny IPv6 adresses to some people
15:57 < Ulrar> yeah I'm bored
15:58 -!- C-S-B [~C-S-B@host217-42-190-86.range217-42.btcentralplus.com] has joined #openvpn
16:05 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
16:10 -!- daeda|us [~daed@50.97.94.22-static.reverse.softlayer.com] has quit [Ping timeout: 264 seconds]
16:14 -!- daeda|us [~daed@173.192.81.187-static.reverse.softlayer.com] has joined #openvpn
16:17 -!- sieve [~Adium@g226039070.adsl.alicedsl.de] has joined #openvpn
16:22 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
16:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:43 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
16:43 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:47 -!- mattock is now known as mattock_afk
16:56 -!- sieve [~Adium@g226039070.adsl.alicedsl.de] has quit [Quit: Leaving.]
17:09 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
17:10 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
17:12 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 245 seconds]
17:13 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 255 seconds]
17:13 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Read error: Connection reset by peer]
17:13 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 250 seconds]
17:13 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:15 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
17:27 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 260 seconds]
17:28 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
17:47 -!- Gahhruuba [~system32@65-23-185-194-host.drtel.net] has joined #openvpn
17:47 < Gahhruuba> Hello everyone, I've been trying to follow the OpenVPN guide to setting it up on Ubuntu and I seem to have came to a dead end ... Would anyone be able to help me out at all?
17:50 < pekster> Our documentation is quite platform-agnostic
17:50 < pekster> !howto
17:50 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
17:51 -!- C-S-B [~C-S-B@host217-42-190-86.range217-42.btcentralplus.com] has quit [Remote host closed the connection]
18:01 -!- lsone [~lsone@69.15.58.162] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:23 -!- Gahhruuba [~system32@65-23-185-194-host.drtel.net] has quit [Ping timeout: 240 seconds]
18:24 < hays> can someone help me with my firewall? I think it is wrong. I am trying to do the redirect-gateway thing. http://bpaste.net/show/BAk43FhxyPFcKZ0wB6Bo/ these are my rules
18:24 < hays> (on the server)
18:25 < hays> what is happening is that i am connecting to the vpn but internet goes away
18:26 < hays> is the problem that my tun and tap rules are after the reject rule?
18:26 < pekster> Exactly
18:27 < pekster> Don't blindly copy guides that have you call '-A' commands in your CLI. Ideally you edit your iptables-save(8) output and re-run it through iptables-restore(8)
18:27 < pekster> As an added bonus, most sane distros (except notably debian, becuase they're too busy arguing to do anything useful) provide an initscript to do just that on system startup
18:28 < hays> yeah im no expert at this at all
18:28 < hays> plus my firewall capabilities are limited as it does not do stateful filtering
18:28 < pekster> Why not? Haven't you built support for conntrack?
18:28 < hays> its a $2/month openvz instance
18:29 < hays> kind of a miracle i can tunnel
18:29 < pekster> Ah, we have a factoid for such limited systems
18:29 < pekster> !openvz
18:29 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
18:29 < pekster> openvz is just a glorified chroot
18:29 < hays> $2/month :)
18:29 < hays> i have a real vps for when i want to be serious
18:29 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
18:30 -!- suzylee [~suzylee@unaffiliated/suzylee] has joined #openvpn
18:30 < pekster> If you can't use the 'conntrack' Netfilter module, that makes most modern firwalling worthless
18:30 < hays> damn still a no go.
18:31 -!- suzylee [~suzylee@unaffiliated/suzylee] has left #openvpn ["Leaving"]
18:31 < pekster> Need both directions if you refuse to do stateful firewalling properly
18:31 < pekster> -i != -o
18:31 < hays> http://bpaste.net/show/my3SkpQzkJk9L8d9N1Mp/
18:31 < hays> ahh
18:32 < pekster> Are you sure you don't have conntrack? Does `iptables -A INPUT -m conntrack --ctstate NEW` fail?
18:32 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
18:33 < hays> hmm.. interesting. it works on this one
18:33  * pekster sighs
18:33 < hays> that is fascinating.
18:33 < pekster> https://github.com/QueuingKoala/netfilter-samples
18:33 <@vpnHelper> Title: QueuingKoala/netfilter-samples · GitHub (at github.com)
18:33 < pekster> Ask #Netfilter if you want to do firewalling properly
18:33 < hays> no--this changes everything. I can do this now. heh
18:33 < pekster> I have some basic examples there you can extend upon
18:33 < hays> thank you.
18:34 < hays> i assumed this 'vps' didn't have it because the one in their other datacenter didn't... but apparently this one does.
18:34 < pekster> And as my comments suggest, ideally you edit a ruleset (mine or your own) and load them back via STDIN into iptables-restore(8) for atomic loads that order things right
18:40 -!- C-S-B [~C-S-B@host217-42-190-86.range217-42.btcentralplus.com] has joined #openvpn
18:40 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
18:40 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
19:01 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
19:02 < grendal_prime> hey guys...
19:03 < grendal_prime> so got this vpn working for someone. and..its been up and running for over a year now..but they got one guy who is connecting from really far away..from a mac. He is experiencing slow speeds.
19:03 < grendal_prime> so they doubled there upload speed at the server (thinking that would help)  It didnt.. and now im running tests from the server to my client and ya its not transmitting at expected speeds.
19:04 < grendal_prime> they have an upload of 10mbs I have a download of 18 mbs.  Im getting a 10 meg file at like 2.5 mbs.
19:05 < grendal_prime> there isnt anything in openvpn that limits this by default is there?
19:11 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
19:12 < Gravitron> !configs
19:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:12 < Gravitron> !logs
19:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:12 < grendal_prime> think i figured it out
19:14 < Gravitron> I'm having some issues connecting certain applications/ports. This makes me think it's an iptables issue. For instance, ssl IRC doesn't work when I'm connected to my VPN. here is my iptables config: http://pastebin.com/KDnGX2Gj
19:14 < Gravitron> anyone seen similar behavior? The other app having problems when I'm connected is radiant player (a OS X google music player)
19:17 < pekster> Netfiler config looks fine for the VPN. You really ought to fix your broken handling of port 443 on your host though (by not accepting RELATED traffic on that port you are dropping ICMP errors in violation of IP RFC)
19:18 < pekster> Oh, I take that back; you're accepting by policy anyway. Should you change that you would then become a broken host
19:18 < pekster> Try a traceroute utility across the adjusted routing path, using a tool that can send incremental TTL packets to the destination port you're trying to use
19:19 < pekster> (mtr can do this)
19:22 < hays> damn.  still not getting this right.
19:23 < hays> http://bpaste.net/show/IutTuPF9yE0WDTxe6udg/  anyone see anything problematic? the vpn is on 10.8.1.0/24
19:25 < pekster> If eth0 is the egress, seems fine. You should verify everything else is correct
19:25 < pekster> !redirect
19:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:25 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:26 < pekster> fwiw, `-m state --state` is deprecated, and replaced with `-m conntrack --ctstate`, but that's not relevant here
19:27 < pekster> No clue why line 12 is above 13/14 though
19:27 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:28 < hays> one question...  and you guys may slap me. but.. my router already connects the whole network to a vpn and traffic is redirected to 10.8.0.1. Is it a problem that I am behind that redirection and am trying to cause another redirect?
19:28 < hays> pekster: yeah, I deleted that line with no effect
19:29 < pekster> Line 12 does nothing but spray data to syslog(3)
19:29 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
19:29 -!- Gahhruuba [~system32@198.50.246.228] has joined #openvpn
19:30 < Gahhruuba> Got it :) Now I just have to figure out how to get rid of this DNS leak
19:30 < Gahhruuba> errr.. Configure DNS server to opendns
19:30 < pekster> Fuck opendns
19:30 < pekster> !opendns
19:30 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
19:30 < Gahhruuba> lul
19:30 < grendal_prime> grrrr
19:31 < Gahhruuba> fair enough
19:31 < hays> ok going to do this flowchart
19:31 < grendal_prime> this seems to be just a samba issue
19:31 < pekster> SMB is highly inefficient, yes
19:31 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:31 < Gahhruuba> pekster, I can just edit my connection via the wireless connection selector for that right?
19:32 < pekster> No clue; consult th docs for your "connection selector" thingy
19:32 < grendal_prime> well..ya but its how all the damn windows and mac users connect to the server
19:33 < hays> hmm.. that troubleshooting flowchart puts me at "it is likely a firewall issue"
19:35 < hays> tried it with an empty firewall and still does not connect to the internet
19:36 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
19:36 < pekster> "Empty" would be incorrect as you need NAT using RFC1918
19:37 < pekster> tcpdump traffic if you're sure all your other steps are correct
19:37 < pekster> Either traffic isn't getting correctly sent to your VPN server, getting blocked before it's sent, or it's sent and you get no reply fom wherever you sent it
19:38 < pekster> Hitcounters on your ruleset can provide clues too (run with: `iptables-save -c` for counters)
19:38 < hays> hmm it seems like its saying the gateway is 10.8.1.5 but i thought it was 10.8.1.1
19:39 < pekster> net30 is a pile of old to support ancient windows
19:39 < pekster> !net30
19:39 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:39 -!- Gahhruuba [~system32@198.50.246.228] has quit [Ping timeout: 255 seconds]
19:39 < pekster> See !topology to use the more sane and recommended `subnet` topology (or live with the old-school /30 layout)
19:40 < grendal_prime> ya..you can use that for really restrictive connections but you probably want topology
19:40 < pekster> No
19:40 < hays> does this look like a reasonable routing table? http://bpaste.net/show/8edckwJOfVA97ElM3RWF/
19:40 < pekster> It has zero to do with "restrictive" at all. The *ONLY* reason you would ever want net30 is if you run Windows clients using 2.0.9 or earlier. That is 7 years out of date
19:40 < pekster> It's just stupid otherwise, left in for fear of breaking people's connections who can't read release notes
19:41 < pekster> Yup, routing looks fine
19:42 < hays> this is perplexing. I can reach the server
19:42 < hays> can't ping 8.8.8.8
19:43 < grendal_prime> pekster, ya you would have to have a brideg config for net 30 to work if i remember right
19:43 < pekster> Also no
19:43 < hays> traceroute shows it going to 10.0.1.1 and then no further
19:43 < pekster> net30 is a tun topology (tap is inherently L2, and has nothing to do with IP at all, though you usually run IP on top of L2)
19:43 < hays> erm 10.8.1.1
19:44 < pekster> hays: Soundsn like you neglected to enable IP forwarding, or the next-hop is rejecting it
19:44 < pekster> Possibly you messed up the SNAT source address
19:46 < hays> pekster: /proc/sys/net/ipv4/ip_forward is 1 on the server
19:46 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
19:46 < hays> what do you mean by the SNAT source address? is this in the server.conf?
19:46 < Gravitron> pekster: got it resolved. you sent me down the right track. thanks.
19:47 < Gravitron> hays: i'm guessing you want iptables -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
19:47 < pekster> hays: Oh, you're using MASQUERADE, so that'll do the right thing
19:47 < Gravitron> where the xxx's are your public IP
19:48 < Gravitron> nvm don't listen to me
19:48 -!- fred`` [fred@earthli.ng] has joined #openvpn
19:48 < hays> could it be a problem that i am connecting to an openvpn client via another vpn
19:49 < pekster> Won't matter if you can reach the endpoint you're expecting
19:49 < pekster> I'd still suggestion you tcpdump as I suggested earlier
19:49 < pekster> suggest*
19:49 < hays> let me scroll up
19:50 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Quit: Ex-Chat]
19:51 < hays> heh yeah reading tcpdump may be beyond my current abilities
19:51 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Client Quit]
19:51 < hays> it comes out as essentially binary data
19:58 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
20:02 < hays> pekster: are you saying tcpdump at the server or client
20:05 < pekster> Start at the vpn server, and follow the path of the packets
20:05 < pekster> ie: you should get the inbound on the tun device, then it should egress the uplink, and you'd normally expect a reply back on that interface
20:06 -!- lsone [~lsone@64.197.53.126] has joined #openvpn
20:08 < hays> pinging 8.8.8.8 i see the pings coming in on the tun0 device
20:08 < hays> so i guess that means they get lost coming back
20:09 < pekster> If you ignore the 2nd half of what I said, it might
20:10 < hays> they are leaving venet0 and i think i see the return path
20:10 < hays> 05:10:36.595430 IP google-public-dns-a.google.com.domain > st5ve.1vm.in.15816: 16813 1/0/0 PTR vol21-4-88-166-139-185.fbx.proxad.net. (96)
20:11 < hays> i think that's the echo for the ping
20:11 < pekster> That's a DNS reply
20:11 < pekster> !tcpdump
20:11 <@vpnHelper> "tcpdump" is (#1) tcpdump is a great troubleshooting tool (Wireshark or the tshark.exe CLI tools for Windows.) To start, try a syntax like `tcpdump -pni ifWhatever` or (#2) You can also add filters to the command, like 'icmp' or 'udp port 1194' and the like. Consult the tcpdump docs for details.
20:11 < pekster> Don't dump with DNS resolution
20:12 < hays> right now im pinging 8.8.8.8
20:12 < pekster> and ".domain" is a DNS reply, giving you the PTR reverse name entry
20:12 < pekster> It's got nothing to do with a ping
20:13 < pekster> `tcpdump -pni venet0 icmp and host 8.8.8.8`
20:13 < pekster> or whatever
20:14 < hays> hmm.. ok in that case venet0 seems to just have the echo request outbound
20:15 < pekster> Sounds like stupdity with your upstream routing or the host you're using
20:15 < pekster> It has the correct public IP there, right?
20:16 < pekster> Oh, eth0 != venet0
20:16 < pekster> You can't just blindly copy other people's rules
20:16 < pekster> looking at your Netfilter rules with hitcounters should have made that apparent too
20:17 < pekster> No NAT means you're trying to route RFC1918 upstream. You can't do that
20:19 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
20:20 -!- lsone [~lsone@64.197.53.126] has quit [Ping timeout: 244 seconds]
20:21 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:21 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 250 seconds]
20:21 -!- st5ve is now known as hays
20:22 -!- hays is now known as hays_
20:22 < hays_> ergh
20:22 -!- hays_ is now known as hays
20:23 < hays> pekster: damnit i think you are right
20:23 < hays> big oversight on my part
20:24  * pekster should just ask for `iptables-save -c` more often
20:24 < pekster> It tends to make these kinds of things really obvious :P
20:28 < hays> going to bump offline (sorry)
20:31 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
20:32 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 250 seconds]
20:34 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
20:37 < hays> pekster: thank you very much for your patience and help
20:37 < pekster> glad you got it worked out
20:37 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 250 seconds]
20:38 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:44 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has joined #openvpn
20:59 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
21:10 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
21:14 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
21:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
22:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:00 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
23:02 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:03 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 250 seconds]
23:04 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
23:04 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:08 -!- ShadniX [dagger@p5DDFF62A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:11 -!- ShadniX [dagger@p5481C2E8.dip0.t-ipconnect.de] has joined #openvpn
23:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:50 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
23:53 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
23:56 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Ping timeout: 260 seconds]
23:57 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
23:58 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.eu] has quit [Read error: Connection reset by peer]
23:58 -!- theahindle [~ahindle@cloud.smellynose.com] has quit [Ping timeout: 272 seconds]
23:58 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 256 seconds]
23:58 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
23:59 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
--- Day changed Wed Aug 06 2014
00:00 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.eu] has joined #openvpn
00:01 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
00:18 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 260 seconds]
00:39 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
00:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
01:32 -!- mattock_afk is now known as mattock
01:33 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
01:37 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 255 seconds]
01:37 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
01:41 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:59 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:19 -!- vincx [~vincent@fw01.streamcomputing.access.infracom.nl] has joined #openvpn
02:31 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 260 seconds]
02:32 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
--- Log closed Wed Aug 06 02:57:33 2014
--- Log opened Wed Aug 06 02:57:42 2014
02:57 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
02:57 -!- Irssi: #openvpn: Total of 170 nicks [8 ops, 0 halfops, 3 voices, 159 normal]
02:57 -!- mode/#openvpn [+o ecrist_] by ChanServ
02:58 -!- Irssi: Join to #openvpn was synced in 48 secs
02:58 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Read error: Connection reset by peer]
02:58 -!- jl- [~lao@c-174-60-71-232.hsd1.pa.comcast.net] has quit [Ping timeout: 264 seconds]
03:10 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
03:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:51 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
03:53 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 264 seconds]
03:53 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 264 seconds]
03:53 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 264 seconds]
03:53 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 264 seconds]
03:53 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 250 seconds]
03:53 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 264 seconds]
03:53 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 264 seconds]
03:53 -!- Olivier [Olivier@185.13.226.177] has quit [Ping timeout: 264 seconds]
03:53 -!- matt_ [~matt@ccpc-mwr.bath.ac.uk] has quit [Ping timeout: 264 seconds]
03:53 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 264 seconds]
03:53 -!- ratsupremacy [~antihero@37.139.5.204] has quit [Ping timeout: 264 seconds]
03:53 -!- Intensity [u8PYVwVSXO@unaffiliated/intensity] has quit [Ping timeout: 266 seconds]
03:53 -!- agentbob_ [anonymoose@unaffiliated/agentbob] has quit [Ping timeout: 266 seconds]
03:53 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
03:53 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:53 -!- Intensity [WZ0EjnmsBP@unaffiliated/intensity] has joined #openvpn
03:53 -!- agentbob [anonymoose@unaffiliated/agentbob] has joined #openvpn
03:54 -!- justinzane [~justinzan@24.49.207.203] has quit [Ping timeout: 264 seconds]
03:54 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
03:54 -!- Olivier [Olivier@185.13.226.177] has joined #openvpn
03:54 -!- ratsupremacy [~antihero@37.139.5.204] has joined #openvpn
03:54 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
03:54 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
03:55 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
03:56 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
03:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
04:04 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
04:05 -!- Esya [~zncuser@mini-02.y0y.fr] has quit [Max SendQ exceeded]
04:08 -!- dazo_afk is now known as dazo
04:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
04:22 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
04:37 -!- C-S-B [~C-S-B@host217-42-190-86.range217-42.btcentralplus.com] has quit [Ping timeout: 240 seconds]
04:51 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
04:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:04 -!- TommyC [~TommyC@unaffiliated/sepulchralbloom] has quit [Quit: TTFN, Ta Ta For Now!]
05:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
05:18 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
05:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:40 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 264 seconds]
05:46 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
05:49 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:54 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
05:55 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:31 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn
06:33 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
06:37 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
06:39 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
06:40 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:53 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
07:12 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:14 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
07:18 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 272 seconds]
07:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:24 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
07:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:37 -!- renihs [~arf@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Quit: narf]
07:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
07:53 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:55 -!- lorenzo [lorenzo@nl.shell.enlab.net] has joined #openvpn
07:55 < lorenzo> hi!
07:55 < lorenzo> is there a way to set up a openvpn server as concentrator?
07:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:56 < lorenzo> I have four OpenVPN Access Servers I'd like to "merge" into one that I can access
07:56 < lorenzo> any ideas? a fifth access server + openvpn clients pointed to the other four ones?
07:57 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has left #openvpn []
08:01 -!- jl- [~lao@c-174-60-71-232.hsd1.pa.comcast.net] has joined #openvpn
08:01 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
08:06 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
08:09 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
08:11 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 260 seconds]
08:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:30 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
08:32 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
08:33 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
08:36 -!- m4rcu5 is now known as m4rcu5__
08:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:39 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
08:48 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:53 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
08:53 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:54 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
09:03 -!- nsrafk [stfu@unaffiliated/nsrafk] has quit [Quit: stfu - mkdir not war]
09:05 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
09:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:13 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
09:14 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:20 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
09:21 -!- mode/#openvpn [+o mattock_] by ChanServ
09:21 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has quit [Client Quit]
09:24 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
09:26 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
09:34 < Eugene> !as
09:34 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
09:34 < Eugene> lorenzo ^
09:43 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
09:43 -!- mode/#openvpn [+o novaflash] by ChanServ
09:45 < lorenzo> okay
09:52 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit []
09:54 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
10:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
10:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:24 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
10:34 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
10:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
11:17 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
11:17 < dtrainor> hi
11:18 < dtrainor> does the 'route' command work from the client as well?  I wasn't able to conclude this from the manual page.  It looks like 'route' might only be a server option, that the client then receives.  'route push' looks like it's used on a client to set a route on the server.
11:18 < dtrainor> I basically run two 'ip r add ... ...' commands by hand after I connect
11:18 < dtrainor> uh, i guess I can use route-up....
11:18 < pekster> dtrainor: --route always takes effect on the local side
11:18 < dtrainor> oh ok
11:19 < pekster> A server can use --push (for pushable directives) that will be sent to the client if the client uses --pull (implied by --client)
11:19 -!- Changer90 [~quassel@swechsler.de] has joined #openvpn
11:19 -!- Changer90 [~quassel@swechsler.de] has quit [Client Quit]
11:22 < dtrainor> got it.
11:22 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:22 < dtrainor> would it be more appropriate to use 'route' or 'route-up'?
11:23 < pekster> If openvpn's --route does what you need, use that
11:23 < pekster> --route-up is for when you need more advanced or hands-on control over what happens as you edit your routing table (such as if you need routes to be placed on a secondary routing table or something)
11:23 < dtrainor> got it.
11:23 < dtrainor> thank youi
11:24 < dtrainor> I need to decide which config gets that.  I have two VPN connections, one to my corporate VPN and one to my house.  The one to my house is the default gateway for all traffic.  I'm using 'redirect-gateway def1' for that config.  I'd imagine that I would push these routes for *that* connection
11:25 < pekster> --redirect-gateway already sends traffic (not match by a more specific route) across the VPN
11:26 < pekster> You don't need to add additional routes unless you're specifically trying to override other routes (and I'd ask then why you have them in the first place)
11:26 < dtrainor> I understand how 'def1' works but that's not the behavior I'm seeing
11:27 < dtrainor> likely because I have other routes that cover a broader range of overlapping IP space over a different interface
11:27 < dtrainor> So by adding the routes that I add, I provide a more specific route through a different gateway
11:28 -!- Eugene [eugene@kashpureff.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:28 < pekster> def1 adds a 0/1 and 128/1 route
11:29 < pekster> If you supply (or push it to a client that pulls) and the route did not fail to add, you should see it in your routing table
11:29 < dtrainor> works
11:29 < dtrainor> I'm using the 'route' directive to add those routes
11:29 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Quit: Leaving]
11:30 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
11:30 < dtrainor> works
11:31 -!- Eugene [znc@kashpureff.org] has joined #openvpn
11:32 < pekster> Careful with using --route to replace what --redirect-gatweay does; it also adds a /32 route to the VPN transport endpoint over the pre-existing gateway so adding the /1 routes doesn't break things
11:32 < dtrainor> understood
11:32 < dtrainor> i don't expect anything to change any time soon, but thanks for the warning
11:37 -!- Eugene [znc@kashpureff.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:37 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
11:40 < dtrainor> every time i do something with openvpn i'm shocked by something new, something cool
11:41 -!- lsone [~lsone@69.15.58.162] has quit [Ping timeout: 240 seconds]
11:42 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
11:50 -!- vincx [~vincent@fw01.streamcomputing.access.infracom.nl] has quit [Ping timeout: 245 seconds]
11:58 -!- vincx [~vincent@fw01.streamcomputing.access.infracom.nl] has joined #openvpn
12:11 -!- Changer90 [~quassel@swechsler.de] has joined #openvpn
12:12 < Changer90> Hi i'm totally new to openvpn and have got a problem using my clients internet connection is here somebody that could probably help me? I can successfully connect to my network using vpn but my client lose internet connection at that moment
12:12 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
12:12 < Changer90> i want to use the internet connection of the client and dont want to tunnle the internet from my vpn server
12:13 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
12:13 < dtrainor> you can add specific routes
12:14 < Changer90> okay how do i do that? can i use any network to connect to my vpn then?
12:14 < Changer90> can you probably help me to configure it i tried it for more than a week but wasnt able to solve my problem
12:15 < dtrainor> you *only* want traffic goung through the VPN that is on the same subnet as the other side?
12:16 -!- lsone [~lsone@66-169-215-211.dhcp.dntn.tx.charter.com] has joined #openvpn
12:16 < Changer90> yes i want use the normal connection the pc got and use vpn to connect to my samba share for example
12:21 -!- vincx [~vincent@fw01.streamcomputing.access.infracom.nl] has quit [Ping timeout: 240 seconds]
12:33 < dtrainor> do you specify a 'redirect-gateway' right now?
12:33 < Changer90> i use push "redirect-gateway def1 bypass-dhcp"
12:33 < dtrainor> yeah get rid of that
12:34 < Changer90> ok i comment this line and try it
12:34 < dtrainor> on the client, add 'route <destination> <netmask> <gateway>'
12:36 < Changer90> which values do i use for the destination and gateway? for destination my dyndns?
12:36 < Changer90> sorry for my stupid questions i used openvpn as a plugin in openmediavault
12:37 < dtrainor> no, internal networks
12:37 < dtrainor> wait.  actually i don't believe you need to do that even.
12:37 < dtrainor> just remove the redirect-gateway line, ignore what I said, and see if that works
12:38 < Changer90> okay thank you
12:38 < Changer90> it looks like it works
12:38 < Changer90> :)
12:38 < dtrainor> awesome
12:39 < Changer90> cool what a single line could change
12:39 < dtrainor> right?
12:39 < Changer90> yeah
12:43 -!- p3rror [~mezgani@41.249.133.93] has quit [Ping timeout: 256 seconds]
12:44 -!- bbteufel [~bug@188.25.108.239] has joined #openvpn
12:45 < bbteufel> ave
12:46 < bbteufel> does anyone have the time and mood to help me set up a vpn ?
12:47 < dtrainor> did you read the quickstart guide?
12:47 < bbteufel> yes
12:47 < dtrainor> it's pretty bulletproof
12:47 < dtrainor> got specific questions?
12:48 < bbteufel> I kind of screwed up the iptables so that's where I got stuck now
12:49 < bbteufel> I don't have a specific question. I sort of need someone to look at my iptables and tell me what's wrong, why and what should I do
12:49 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
12:50 < grendal_prime> ok what would you guys recommend for macs needing file access to a server via vpn.  Samba sucks.
12:50 < grendal_prime> im getting like 3 mbps through a 10mbps connection
12:51 < Eugene> A stiff drink.
12:51 < grendal_prime> ya...no kidding
12:51 < bbteufel> ftp ?
12:51 < grendal_prime> well..i would be ok with that but ...allot of perms..allot of file shares.
12:51 < grendal_prime> this is just for a few mac users.
12:52 < bbteufel> why do you need allot of perms ? one group, n users, same permissions
12:53 < bbteufel> you could try with a svn repo ...
12:54 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
12:58 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
12:58 < grendal_prime> its on a linux filer.  ubuntu and it is running samba. all the permisions are handled by groups.
12:59 < bbteufel> you could try a svn repository
12:59 < bbteufel> or another kind of repository
12:59 <@dazo> grendal_prime: tried webdav?
12:59 < grendal_prime> thats what im wondering about
12:59 < bbteufel> never heard of it
12:59 < grendal_prime> does the auth work along with say...pam?
13:00 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds]
13:00 <@dazo> grendal_prime: basically depends on the web server .... in apache, you just add the appropriate mod_authz_* module
13:00 <@dazo> nginx have it's own weird ways of doing auth, but that'll probably work too
13:01 < grendal_prime> ya looks like it would work. i just wonder if the macs will be able to mount it up.
13:01 < grendal_prime> so that their local apps will be able to use it as a mounted resource
13:01 <@dazo> grendal_prime: I think it got built-in webdav support
13:01 < grendal_prime> these are graphic arts folks. needs to act like a hd for them.
13:02 <@dazo> (I mean, the calendar app supports caldav and the mail.app supports carddav, all "forks" of webdav)
13:03 <@dazo> oh, nginx got a more sane auth method too ... http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
13:03 <@vpnHelper> Title: Module ngx_http_auth_basic_module (at nginx.org)
13:03 < grendal_prime> looks like it may work. Problem is i have to set up apache on there. it will have access to all the data then it looks like.
13:04 -!- lsone [~lsone@66-169-215-211.dhcp.dntn.tx.charter.com] has quit [Ping timeout: 272 seconds]
13:04 < grendal_prime> thats not going to sound good to these guys on a ...security landscape.
13:04 <@dazo> which is why I suggest nginx :)
13:04 < grendal_prime> ill look into that.
13:05 <@dazo> far simpler to configure, faster and not so bloated as apache can be
13:05 < grendal_prime> thanks guys...have to go cut some wood.
13:05 <@dazo> nginx webdav config ... http://nginx.org/en/docs/http/ngx_http_dav_module.html
13:05 <@vpnHelper> Title: Module ngx_http_dav_module (at nginx.org)
13:12 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
13:22 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
13:24 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
13:25 -!- Esya [~zncuser@mini-02.y0y.fr] has joined #openvpn
13:29 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
13:34 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
13:34 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 260 seconds]
13:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:35 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
13:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 255 seconds]
13:49 < bbteufel> should tun0 ( server side ) have the mask 255.255.255.255 ?
13:55 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
13:58 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Remote host closed the connection]
13:58 -!- bbteufel [~bug@188.25.108.239] has quit [Ping timeout: 240 seconds]
13:58 -!- MrDoctor [~MrDoctor@unaffiliated/apostasy] has joined #openvpn
14:00 < MrDoctor> Can anyone help me with setting up openvpn with NetworkManager?
14:03 < Eugene> !NetworkManager
14:03 < Eugene> !factoids search values NetworkManager
14:03 <@vpnHelper> No keys matched that query.
14:03 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:04 < Eugene> !factoids
14:04 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:04 < Eugene> Which would be great if it worked
14:04 < Eugene> !factoids search --values NetworkManager
14:04 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
14:04 < Eugene> There we go.
14:08 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Ping timeout: 244 seconds]
14:10 < MrDoctor> Ok Eugene
14:10 < MrDoctor> But in case if I use openvpn from the terminal, it is not working
14:10 < MrDoctor> I can connect to the VPN
14:11 < MrDoctor> But webpages do not open after that
14:11 < MrDoctor> What I might be doing wrong?
14:14 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 252 seconds]
14:14 -!- wm_domino [~william@unaffiliated/wm-domino/x-7701134] has joined #openvpn
14:15 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
14:20 -!- bbteufel [~bug@188.25.108.239] has joined #openvpn
14:20 < bbteufel> so, I followed the basic tutorial but I still can't connect to the Internet
14:20 -!- vincx [~vincent@sd44054c9.adsl.online.nl] has joined #openvpn
14:20 < bbteufel> I can connect to my vpn machine and I can ping itt
14:21 < bbteufel> but I can't get to any machine beyond the server
14:21 < bbteufel> can you please help me identify the problem and fix it ?
14:33 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
14:36 < bbteufel> no one ?
14:44 < reiffert> question?
14:54 -!- Latrina [~Latrina@151.56.175.87] has quit [Read error: Connection reset by peer]
14:54 -!- Latrina [~Latrina@151.56.175.87] has joined #openvpn
15:06 -!- Latrina [~Latrina@151.56.175.87] has quit [Read error: Connection reset by peer]
15:07 -!- Latrina [~Latrina@151.56.175.87] has joined #openvpn
15:09 -!- Esya [~zncuser@mini-02.y0y.fr] has quit [Max SendQ exceeded]
15:09 -!- byte-smasher [~quassel@S0106c43dc7aec1a7.tb.shawcable.net] has joined #openvpn
15:09 < byte-smasher> !heartbleed
15:09 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
15:09 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
15:10 < byte-smasher> yay! I didn't understand a single word of that! :D
15:10  * byte-smasher is le dumb
15:11 -!- Esya [~zncuser@mini-02.y0y.fr] has joined #openvpn
15:16 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
15:19 -!- Latrina [~Latrina@151.56.175.87] has quit [Read error: Connection reset by peer]
15:19 -!- Latrina [~Latrina@151.56.175.87] has joined #openvpn
15:33 <@dazo> !gigabit
15:33 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
15:33 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 31.0/20140716183446]]
15:42 -!- dazo is now known as dazo_afk
15:43 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
15:44 -!- lsone [~lsone@69.15.58.162] has quit [Ping timeout: 260 seconds]
15:46 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
15:55 -!- byte-smasher [~quassel@S0106c43dc7aec1a7.tb.shawcable.net] has quit [Ping timeout: 245 seconds]
15:59 < bbteufel> exit
16:00 -!- bbteufel [~bug@188.25.108.239] has quit [Quit: leaving]
16:04 -!- MrDoctor [~MrDoctor@unaffiliated/apostasy] has quit [Quit: Leaving]
16:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:29 < KNERD> I am getting this very error: http://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
16:29 <@vpnHelper> Title: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) (at openvpn.net)
16:29 < KNERD> but none of the solutions are applicible
16:30 < KNERD> and other solution offerings?
16:30 < KNERD> the server is on CentOS
16:30 < KNERD> iptables is shit down
16:30 < KNERD> and I am doing this on a LAN
16:32 < pekster> "shit down" tends to mean different things to different people. Check `iptables-save -c` to verify your "shit down" matches what your Netfilter state actually has. Failing that, verify packets actually make it to your server with tcpdump or similar tools
16:32 < pekster> Logs on both sides should be reviewed too, of course. If the server doesn't get any initial packet, all bets are off until you can successfully deliver packets between your endpoints
16:34 < KNERD> iptables-save -c returns nothing
16:35 < KNERD> but I see antother in the openvpn.log : read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
16:35 < KNERD> guess I need to research that
16:35 < pekster> Ensure you are running iptables-save as root; if you're sure you are, it's possible you have no Netfilter tables loaded
16:36 < KNERD> it's just a test machine..I always run as root on it
16:36 < pekster> But yes, if you get ICMP errors (or Netfilter, or something like SELinux blocks your outbound packets) you can get failure to deliver UDP
16:36 < pekster> If it's not a locally-generated refusal, tcpdump on the client should show what is actively denying your transit traffic
16:36 < KNERD> SELInux..not possible..it is ALWASY shut down
16:37 < KNERD> i can;t see what the client is doing, unfortuantly
16:37 < KNERD> it's a VoIP phone and it generates no logs
16:38 < pekster> That's going to greatly hinder your ability to have any idea what goes wrong
16:38 < pekster> You should complain to the vendor about that
16:39 < KNERD> Yes, I sent a message to their support about it. Thanks
16:43 < KNERD> How can I determine if this is localled generated refusal, or not?
16:43 < pekster> 3 options. 1) the device is not even sending the packet, and you'd need info from it to find out why (its own local firewall, routing table, logs, etc.) 2) Your server gets the packet and actively rejects it. 3) something else upstream of this client rejects it
16:44 < pekster> 2 & 3 you can likely figure out by dumping the path of traffic in front of the device. #1 you're hosed until you can get proper access to the device
16:44 < KNERD> Oh, I think it is conection
16:44 < KNERD> I am seeing this in the log:  Wed Aug  6 16:39:41 2014 us=637860 192.168.5.133:1031 UDPv4 WRITE [126] to 192.168.5.133:1031: P_CONTROL_V1 kid=0 [ 0 ] pid=28 DATA len=100
16:45 < KNERD> 133 is the VoIP phone
16:46 < KNERD> Wed Aug  6 16:39:39 2014 us=312538 192.168.5.133:1031 UDPv4 READ [22] from 192.168.5.133:1031: P_ACK_V1 kid=0 [ 19 ]
16:46 -!- vincx [~vincent@sd44054c9.adsl.online.nl] has quit [Ping timeout: 255 seconds]
16:46 < pekster> verb levels above 5 are silly
16:47 < KNERD> not to me who is new to OpenVPN and trying to figure out why I am having trouble
16:48 < KNERD> here is the whole 3 lines of connection problem
16:48 < KNERD> Wed Aug  6 16:39:40 2014 us=608177 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
16:48 < KNERD> Wed Aug  6 16:39:40 2014 us=608261 read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)
16:48 < KNERD> Wed Aug  6 16:39:40 2014 us=609382 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
16:48 < KNERD> Wed Aug  6 16:39:41 2014 us=637639 192.168.5.133:1031 UDPv4 READ [14] from 192.168.5.133:1031: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
16:48 < KNERD> or 4
16:49 < pekster> Not really. > 5 is for developers who have enabled debug support in the build
16:49 < pekster> If you didn't compile openvpn from source with debugging, you probably shouldn't be using >= 6
16:49 < pekster> 4 talks a lot, and verb 5 prints RWrw for each tunneled/transit packet
16:49 < pekster> 5 is useful for firewall issues, and something between 2-4 is good for daily use
16:50 < KNERD> okay, thanks for that info
16:52 < KNERD> let me redo it
16:53 < pekster> The read refused looks a bit like it's getting an error sending to the network device
16:55 < KNERD> rebooting the phone with verbosity of 5
16:57 < KNERD> Well here is a cleaner looking log:  http://pastebin.com/J4ffFAqS
17:00 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
17:00 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
17:01 < pekster> Some packets are exchanged during TLS negotiation and then the far side rejects it and connects again 6 seconds later
17:01 < pekster> Reivew the logs on the client device to find out why it's failing
17:05 < KNERD> Ehh...no logs
17:09 < pekster> Then "the client is refusing to connect for some unspecified reason you cannot know"
17:12 < KNERD> apparantly not
17:12 < KNERD> I went over the entire interface and cannot find any sort of loggig mechanism
17:13 < pekster> If you were sold this device you should have legally been provided with the sources to at least the GPL components they use
17:13 < pekster> If not, you should ask for all the relevant sources as legally required by the seller who distributed this to you
17:14 < pekster> They don't necessarily have to provide sources to their non-GPL parts, but it may at least provide clues as to how the system works. Or see if the device can simply expose what it's doing. Black box == no way to know what's broken
17:15 < KNERD> the specifications states is produces system logs, but I cannot find them
17:15 < pekster> The drawback is that if "only" OpenVPN is under the GPL, you still don't really get to have any idea how it works without vendor help
17:15 < KNERD> let me look again
17:17 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
17:17 < MogDog> !welcome
17:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:18 < KNERD> i found it
17:20 < MogDog> !goal
17:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:25 < KNERD> I see the logs, but the time stamp on them is wrong. I will clear them and restart the phone. Even though the time liste dont he phone is correct, time stamps are 5-6 hours ahead
17:26 < KNERD> oh, and I see it has a pcap feature
17:29 < pekster> pcap can help, but from your server logs you know the TLS negotiation takes place, but doesn't complete. OpenVPN logs will explain why
17:29 < pekster> Timestamp may be in UTC, not localtime (or vise-versa)
17:30 < KNERD> yes true
17:31 < KNERD> I have found the problem, I thin
17:31 < KNERD> k
17:31 < KNERD> Aug  6 22:27:49 openvpn[426]: VERIFY ERROR: depth=1, error=certificate signature failure:
17:31 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
17:31 < KNERD> it is a selfsigned certificate
17:33 < KNERD> ug  6 22:27:49 openvpn[426]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
17:33 < pekster> The cert the server presents must correctly validate against the CA the client is using
17:36 < KNERD> i do believe it is. I used that easy-rsa and it put all the files in one location
17:36 < KNERD> i will retry it
17:37 < pekster> The CA used to _sign_ the server's cert needs to be what the client is using to _verify_ it
17:37 < Hello71> WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1559 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link
17:37 < Hello71> script kiddies?
17:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:38 < pekster> !intro_to_pki
17:38 <@vpnHelper> "intro_to_pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
17:41 < Hello71> anything I should do? maybe "hide my IP"?
17:41 < Hello71> old vuln?
17:42 < KNERD> yes, and I am using them..
17:43 < pekster> Is the clock correct (to within a day or so)? If not, the cert verify might fail due to validity constraints
17:44 < pekster> Otherwise, do the usual verification process: take the exact copy of the CA your client config is using, and validate the exact copy that the sever is presenting on its end
17:45 < KNERD> the clock on server and what the phone is displaying match
17:46 < Hello71> hm, now I wonder how specific x509 expiration dates are
17:46 < pekster> Down to the second
17:47 < pekster> `openssl x509 -in your_cert.crt -noout -text` for details
17:47 < pekster> !verify
17:47 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
17:47 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
17:47 < KNERD> i am creating a new one..then will try again
17:47 < KNERD> then I will do the output if ti fails again
17:49 < KNERD> i think it will work this time..it is working differently this time for generartiob
17:49 < KNERD> I must have left out a step before
17:49 < Hello71> UTC, of course.
17:58 < KNERD> okay..restarting phone
17:59 -!- lsone [~lsone@69.15.58.162] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:59 < KNERD> same error
18:12 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:20 < KNERD> Validity
18:20 < KNERD>             Not Before: Aug  6 22:46:42 2014 GMT
18:20 < KNERD>             Not After : Aug  3 22:46:42 2024 GMT
18:22 < pekster> Sounds like the phone isn't using the CA you used to generate that
18:22 < pekster> s/generate/sign/
18:25 < KNERD> i have 2 sets of keys I have labeled client and server, and using the same ca.crt in the folder /easy-rsa/keys
18:25 < pekster> You should verify it as I stated above
18:26 < pekster> This means taking the _EXACT_ _SAME_ copy (not one you think is the same, the EXACT same one your client is using) and verify the certificate (the one that is actually referenced on your server by your server config) using the above !verify info
18:26 < pekster> Don't just take the ca.crt file from your PKI you generated from: that's not good enough and not what your client does
18:26 < KNERD> Well, the thing is I am taking the files directly from the /keys folder and putting then into a tar container
18:27 < KNERD> then upload the package to the phone
18:27 < KNERD> tar cvf openvpn.tar vpn.cnf keys/client.key keys/client.crt keys/ca.crt
18:28 < pekster> Relative pathing issues?
18:28 < KNERD> no. If that was the issue then the phone would report an error , thus the upload would fail
18:29 < KNERD> but let me check something
18:29 < KNERD> path issue could be it on the server
18:31 < pekster> Nope, not if it's referencing a _different_ CA
18:31 < pekster> Then this is exactly what would happen
18:32 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Read error: Connection reset by peer]
18:33 < KNERD> Am I to assume correctly the ca.crt uses is located in /etc/openvpn ? this is what I have in the server.conf "ca ca.crt"
18:35 < pekster> It uses whatever the working-directory is. If you're not sure what it is, set it yoursrelf. Better yet is to always use explicit paths as the config path can be overridden by a CLI directive that appears after the --config directive
18:35 < pekster> Reference --cd in the manpage, and compare to whatever the exact full command you are lunching the openvpn program with
18:41 < KNERD> I gave server.conf the explicit path of /etc/openvpn/ca.crt and the others (server.ct & server.key) and still getting same result
18:42 < KNERD> so in the /easy-rsa/keys colder I copy the files over to /etc/openvpn and it even asks me if I want to overwrite the old ones.
18:42 < KNERD> maybe I need to delete them first
18:43 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
18:44 < pekster> Your problem is not the server.conf CA
18:44 < KNERD> aoh, and dh2048.pem
18:44 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:44 < pekster> The client uses its _own_ copy of the CA to validate the server
18:45 < pekster> The server uses its _own_ copy of the CA to validate the client
18:45 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
18:45 < pekster> Since your client is failing to validate the cert, you need to figure out why it's failing. Ideally copy the certificate the server is presenting to the client, and !verify it
18:46 < pekster> If it doesn't have an openssl binary, that'll likely preclude that, and the next-best thing is to take the ca (the exact one the config is referencing -- again, mind paths, working-dir, etc) and validate it on a host that does have openssl
18:48 < KNERD> this is what I am giving the client: ca.crt, client.key and client.crt
18:49 < pekster> All bets are off if the ca.crt you are "giving" the client cannot correctly validate the certificate presented by the server over the wire
18:49 < KNERD> directly from the /easy-rsa/keys folder
18:49 < pekster> Have a pastebin of the client conf somewhere?
18:50 < pekster> If you haven't yet used explicit paths, you'd best do so. I've seen --cd passed after --config before on client initsciprts, which screws up relative pathing
18:50 < KNERD> http://pastebin.com/0qQrshjt
18:52 < pekster> Straight-forward enough
18:53 < pekster> What did an openssl verify result in, validating the server cert (the one its using) against the ca the client is using?
18:53 < pekster> However you get those files to a system with openssl on it is mostly unimportant
18:58 < KNERD> openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` is reporting OKAY
18:59 < KNERD> with server.crt and client.crt
18:59 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
19:02 < pekster> "should" all work then. Was there nothing else in the surrounding log when the client reported problems verifying the cert?
19:04 < KNERD> you saw all the logs
19:04 < KNERD> there are only 2 of them and I pasted all of it
19:04 < pekster> Nope, you only pasted a single line from the client
19:04 < KNERD> no i did not
19:05 < pekster> You pasted http://pastebin.com/J4ffFAqS . There is no client log there
19:05 < pekster> That is a server log; did you paste the client log output? (If so, I missed it.) You pasted the VERIFY_ERROR in chat, but there's sometimes surrounding info as to why it failed
19:05 < KNERD> oh, sorry..i made  a paste..I guess I forgot to put the link here
19:07 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
19:13 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
19:14 < KNERD> pekster: http://pastebin.com/cz9K7gSc
19:14 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
19:14 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:18 < pekster> "certificate signature failure" sounds like it's having trouble parsing the signature section of the certificate
19:18 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
19:18 < pekster> Maybe it's a broken SSL implementation on your client that can't handle the signing hash? On current easy-rsa releases (both the former 2.x series, and the new 3.0 series) sha256 is the default. You could try the older sha1 hash on all your certs and see if that changes anything
19:18 < pekster> That's the only wild guess I have at the moment
19:26 < KNERD> I have to do md5 hash
19:26 < KNERD> the client cannot do sha56
19:27 < KNERD> sha256
19:27 < KNERD> however it can do sha1
19:27 < pekster> sha1 is not sha216
19:27 < pekster> Right
19:27 < pekster> That's a rather broken SSL library, but at least sha1 has no fatal security flaws that are publicly known
19:27 < KNERD> so those are the 2 options md5 and sha1
19:27 < KNERD> okay then I will try sha1
19:28 < pekster> You'll likely need to re-do the CA (ie: all of it) too, if the library can't cope with modern crypto standards
19:31 < KNERD> yes..i will rereun easy-rasy
19:31 < KNERD> with the changes
19:31 < pekster> It might be worth nudging the vendor to see if they're willing to update to something not old-as-dirt. If they care :P
19:32 < KNERD> strangely the fireware is from this past april
19:32 < KNERD> but yes I can bug them
19:33 < KNERD> oh..they say in the future it wil be available
19:33 < KNERD> I am guessing this year
19:38 -!- ShadniX [dagger@p5481C2E8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
19:40 -!- ShadniX [dagger@p5481C2E8.dip0.t-ipconnect.de] has joined #openvpn
19:43 < KNERD> rebooting phone
19:44 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:48 < KNERD> same error
20:18 < KNERD> i think I know why
20:18 < KNERD> there are TWO default_md lines
20:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:42 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 250 seconds]
20:42 < KNERD> pekster: I got it connectecd...the VPN icon is showing up on the phone's displa
20:42 < KNERD> Thanks a bunch for your help!
20:43 < daeda|us> i'm amazed at how many websites force javascript
20:47 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
20:48 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
20:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:16 < KNERD> because it can produce dynamic content
21:17 < KNERD> Java and  Flahs have a lot fo overhard
21:17 < KNERD> overhead
21:51 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
22:15 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
22:30 < daeda|us> they're always finding vulnerabilities for it though
23:06 < KNERD> there is in everything
23:08 -!- ShadniX [dagger@p5481C2E8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:09 -!- ShadniX [dagger@p5481C0F0.dip0.t-ipconnect.de] has joined #openvpn
23:15 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:16 < KNERD> in my conf file I have "server 10.8.0.0 255.255.255.0 ", but...in ficonfig I am seeing 10.8.0.1
23:21 < KNERD> and.. 255.255.255.255
23:29 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
23:30 -!- Matir_ [~matir@ubuntu/member/matir] has joined #openvpn
23:30 -!- Pyrogerg_ [~Gregory@72.170.196.218] has joined #openvpn
23:31 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
23:31 -!- badaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
23:32 -!- Pyrogerg_ [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
23:32 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
23:35 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Killed (sendak.freenode.net (Nickname regained by services))]
23:35 -!- Pyrogerg_ [~Gregory@72.170.196.218] has joined #openvpn
23:35 -!- Netsplit *.net <-> *.split quits: gardar, keatont, thumbs, pnielsen, LarsN, seba, adaptr, Poster, Verdi, Matir,  (+11 more, use /NETSPLIT to show all of them)
23:35 -!- `Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
23:36 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
23:36 -!- Netsplit over, joins: Poster
23:36 -!- Netsplit over, joins: phreakocious
23:37 -!- Netsplit over, joins: seba
23:37 -!- `Nothing4You is now known as Nothing4You
--- Day changed Thu Aug 07 2014
00:08 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
00:10 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:21 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
00:23 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
00:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:43 -!- Pyrogerg_ [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
00:54 -!- jetole [~jetole@unaffiliated/jetole] has joined #openvpn
00:55 < jetole> Hey guys. update-resolv-conf seems to always update my search domain but only sometimes adds the name servers. Has anyone had this issue? Is there a resolution?
01:06 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:11 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:14 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds]
01:18 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
01:46 -!- Cybert1nus is now known as Cybertinus
01:54 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:04 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
02:04 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
02:24 -!- jetole [~jetole@unaffiliated/jetole] has quit [Read error: Connection reset by peer]
02:35 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
02:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:13 -!- vincx [~vincent@fw01.streamcomputing.access.infracom.nl] has joined #openvpn
03:21 -!- dazo_afk is now known as dazo
03:41 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has joined #openvpn
03:42 -!- Chris-S [~Chris-S@gateway/tor-sasl/chris-s] has left #openvpn []
03:46 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Ping timeout: 250 seconds]
03:59 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
04:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:46 -!- Toumasu [~thomas@81.82.255.117] has joined #openvpn
04:49 < Toumasu> can anyone help me setting up openvpn on an iphone? my server uses RSA keys, sha256 and PEM authorization. also, do i need to paste the entire content of my crt file? with the rsa stuff, or just the part with the --- BEGIN CERTIFICATE ---
04:50 < Toumasu> i meant; do i need to paste it entirely in my ovpn file between the <cert></cert> block
05:05 < alexxtasi> hi! if I have a directive twice in my .conf file, which one would be the "active" ? eg "keepalive 10 60" and at the end of the file "keepalive 10 120" (I suspect the second but I would like a more sure answer...)
05:14 -!- grrrrr [gr@rikos.org] has joined #openvpn
05:17 < grrrrr> Hi, is it normal to have .bash_history clear for root on network-interfaces postup hook? (using vmware appliance)
05:24 -!- ValdikSS [~valdikss@92.42.31.58] has joined #openvpn
05:24 < ValdikSS> Hello everyone
05:25 < ValdikSS> I have some speed issues with openvpn and I don't know what to do
05:25 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
05:26 < ValdikSS> I have openvpn on the server with 30/30 bw from my location. Without vpn, speed is 30/30, but with vpn download speed doesn't go higher than 17/30
05:26 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
05:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Broken pipe]
05:26 < ValdikSS> even without encryption (cipher none) and authentication (auth none)
05:27 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
05:27 < ValdikSS> I've tried increasing tun-mtu up to 32000 and use mssfix 1400, tried to disable fragment and mssfix (fragment 0 mssfix 0), but no luck
05:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:27 < ValdikSS> Speed is even lower (down to 10/10) via TCP
05:31 -!- ijb [~ijb@host-92-19-252-226.static.as13285.net] has joined #openvpn
05:34 < ijb> hi, im trying to resolve a problem setting up routing on 2 vm server using openvpn, from the vm servers themselves, I can contact all the vms on the different bridge networks on the other servers, but im unable to connect from vm to vm. I can see the traffic hitting tun0 on the far side, but its not then routed to the correct internal bridge for some reason
05:37 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:42 -!- UnsignedLong [~Unsigned@p5098dfa7.dip0.t-ipconnect.de] has joined #openvpn
05:46 < UnsignedLong> hi all - i've installed an openvpn site2site setup with tun interfaces. topology is as simple ass possible: <network A 10.0.144.0/24>--< 10.0.144.1 : openvpnserver 1 : public IP> -- internet -- <openvpnserver2 : 192.168.178.1>--<network B 192.168.178.0/24>>
05:46 < UnsignedLong> i can: ping openvpnserver 2 from openvpn server 1
05:46 < UnsignedLong> ping network b from openvpnserver 1
05:46 < UnsignedLong> ping openvpnserver2 from network a
05:47 < UnsignedLong> but can not bing network b from network a
05:47 < UnsignedLong> tcpdump shows that traffic is NOT forwarded to the tun0 interface. it just arrives on eth1 and thats it
05:48 < UnsignedLong> if i ping openvpnserver2 from network A traffic is correctly forwarded via tun0
05:48 < UnsignedLong> ip_forwarding is active and my iptables are empty with default policy = accept
05:49 < UnsignedLong> host in network A has openvpnserver1 as default gw, openvpnserver1 has a route to 192.168.178.0/24 via tun0
05:49 < UnsignedLong> any ideas?
05:51 < ijb> Hi UnsignedLong, i have a similar problem. have you tried defining the iroutes in the ccd file?
05:52 < UnsignedLong> cc file is:
05:52 < UnsignedLong> iroute 192.168.178.0 255.255.255.0
05:52 < UnsignedLong> push "route 10.0.144.0 255.255.255.0 vpn_gateway"
05:53 < UnsignedLong> the thing that drives me crazy is that i can't the the traffic on the tun0 device on the first gateway
05:53 < UnsignedLong> *see the
05:56 -!- ValdikSS [~valdikss@92.42.31.58] has quit [Ping timeout: 260 seconds]
05:56 < ijb> which server runs the openvpn server?
05:57 < UnsignedLong> openvpnserver1
05:57 < UnsignedLong> openvpnserver2 is actual "openvpnclient"
05:58 < ijb> do you have iptables running on either host?
05:59 -!- badaptr is now known as adaptr
05:59 < UnsignedLong> openvpnserver2 is a pfsense box with several rules, but the traffic does not enter the tun0 on openvpnserver1, so that shouldn't be a problem. iptables on openvpnserver1 are empty with accept policy
06:00 < ijb> does the openvpn log file show any errors at verb 6?
06:00 < UnsignedLong> I'll try
06:02 < UnsignedLong> looks all great
06:02 < UnsignedLong> no errors at all
06:05 < UnsignedLong> hostonnetwork A: ping 10.0.8.6 (vpn peer ip from openvpnserver2) works fine
06:05 < UnsignedLong> hostonnetworkA: ping 192.168.178.2 - does not...
06:06 < UnsignedLong> traffic comes in on openvpnserver1 (eth1) and thats it.
06:06 < UnsignedLong> route on openvpnserver1:
06:06 < UnsignedLong> 192.168.178.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
06:11 < ijb> does server2 have a route back defined?
06:12 -!- deadrabbit [~deadrabbi@cpe-72-225-171-139.nyc.res.rr.com] has joined #openvpn
06:12 < deadrabbit> I am trying to set up a VPN via OpenVPN in Debian 7, it "successfully" connects through Network Manager but I think it isn't routing the traffic correctly...web pages aren't being resolved and applications not connecting either...how do I correctly set this up?
06:18 < UnsignedLong> yep
06:18 < UnsignedLong> routes on server2 looks fine
06:18 -!- daeda|us [~daed@173.192.81.187-static.reverse.softlayer.com] has quit [Ping timeout: 255 seconds]
06:19 < UnsignedLong> got a rout eto the openvpn transfer network (10.0.8.0/24) and one to the remote network: 10.0.144.0/24
06:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
06:36 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
06:42 -!- deadrabbit [~deadrabbi@cpe-72-225-171-139.nyc.res.rr.com] has quit [Remote host closed the connection]
06:45 -!- angs [~ubuntu@85.235.3.114] has joined #openvpn
06:46 < angs> is it possible to start openvpn directly from a C code without need of system() or similar ones?
06:46 < angs> on Linux
07:03 -!- frank-- is now known as thumbs
07:20 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 255 seconds]
07:21 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has joined #openvpn
07:21 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:23 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
07:31 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:36 < Hello71> what?
07:38 -!- JPeterson [~JPeterson@81-233-152-121-no83.tbcn.telia.com] has quit [Ping timeout: 260 seconds]
08:06 -!- lbft is now known as jigglypuff
08:09 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
08:10 -!- jigglypuff is now known as lbft
08:16 < angs> one of clients fails with this error code http://pastebin.com/EpG76JCr when I run openvpn ./client.conf
08:16 < angs> I disconnected other clients, but it still fails with the same error message
08:17 < angs> any suggestion what can I do about it?
08:26 -!- micw [~micw@ip9234cc9d.dynamic.kabel-deutschland.de] has joined #openvpn
08:26 < micw> hi
08:27 < micw> i'm running an (online) development server with several virtual machines in the network 10.11.12.0/255.255.255.128. On the same machine i run openvpn on 10.11.12.128/255.255.255.128
08:27 < micw> i have setup routing so that clients connected to the vpn sees the internal virtual netowrk
08:27 < micw> now i start with a second server
08:28 < micw> and i wonder how i can improve these settings. goal: virtual network on each of the both servers sees network of the other. a client connected to the vpn sees both
08:29 < micw> i could add a openvpn server on the new server and connect the old to the new. but what happens when i want to connect 3..4... servers?
08:29 < micw> how could i create a multi-server private network?
08:30 < micw> is openvpn still the right thing for me?
08:32 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:34 < Hello71> 1. cidr.
08:35 < Hello71> > virtual network on each of the both servers sees network of the other.
08:35 < Hello71> what.
08:37 < micw> means: virtual machines on each servers see virtual machines on the other servers, using a private network
08:38 < micw> what i basically want is a kind of virtual bridge between multiple servers (using a secure channel)
08:38 < micw> or probably a routing
08:38 < micw> not sure
08:39 < ijb> micw i'm currently implementing the same thing using openvpn
08:39 < micw> bridge or routing?
08:40 < ijb> each vmserver runs openvpn server plus clients to all the other vmservers, im then using routing to connect to vms on the other hosts
08:40 < ijb> only thing you cant do with it is a single subment across several vmservers
08:40 < ijb> subnet even
08:41 < ijb> openvswitch should also do what you want with ipsec_gre, but that only seems to be supported on debian
08:41 < micw> so if you have 2 servers, you would have 2 vpn connections?
08:41 < ijb> server1 -> vpn to server2,    server2 -> vpn to server1
08:41 < micw> on the first you rout server1->server2 network, on the second the other way?
08:41 < ijb> problem comes with reverse routing
08:42 < ijb> which im currently trying to make behave at the moment
08:42 < ijb> there may be better ways
08:43 < micw> i'm not sure if bridging would be better
08:44 < micw> that would allow to use the same subnet
08:46 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
08:49 < ijb> that might work if you just had the one subnet and bridged the various tun devices to create it. don't know if you could do it with multiple subnets over the servers
08:51 < micw> oh i'm flexible with the subnets/topology. my requirement is simply: all vms reach all others regardless on what servers they are
08:51 < micw> + a vpnclient connected to one of the servers reaches all vms
08:55 < angs> in order to use openvpn, do I need to have tun0 interface? I have tunl0 interface, is that one okay?
09:11 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
09:19 < Eugene> The name of the interface doesnt' matter; the fact that it's using the tun driver does.
09:25 < angs> Eugene, I have one server and two clients. I check the IP addresses on ipp.txt both IP addresses of the clients are wrong. Is it possible to get the correct list by another means?
09:25 < Eugene> !status
09:25 <@vpnHelper> "status" is (#1) You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well. or (#2) See also !management
09:29 < angs> do you mean to add "status openvpn-status.log" on the server.conf
09:32 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
09:39 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:43 -!- wm_domino [~william@unaffiliated/wm-domino/x-7701134] has quit [Remote host closed the connection]
10:00 < angs> Eugene, is there any C library that I can directly use openvpn from a C code instead of using some system calls?
10:01 < Eugene> http://staging.openvpn.net/openvpn3/
10:01 <@vpnHelper> Title: OpenVPN 3 (at staging.openvpn.net)
10:02 < Eugene> !learn openvpn3 as OpenVPN3 is a C++ library implementing the functionality of an OpenVPN client. It is used by the Connect clients for iOS and Android, and is released as AGPL3 http://staging.openvpn.net/openvpn3/
10:02 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
10:02 < angs> Eugene, thank you. Do you know if it will be usable on Linux sometime soon?
10:03 < Eugene> "soon" no.
10:03 <@plaisthos> angs: it is already usable on Linux
10:03 < angs> do you know any planned data for it?
10:03 < angs> plaisthos, can I use it on debian?
10:03 <@plaisthos> but only as a library
10:03 < Eugene> !devel
10:03 <@plaisthos> you will have to code the tun stuff yourself
10:03 < Eugene> !dev
10:03 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
10:03 < Eugene> Ugh you stupid bot
10:04 < Eugene> #openvpn-devel will probably have more for you than I can come up with ;-)
10:04 <@plaisthos> and you have to compile it with PolarSSL
10:04 -!- Toumasu [~thomas@81.82.255.117] has quit [Quit: Ik ga weg]
10:05 < angs> plaisthos, do you suggest any document/link where I should start?
10:06 <@plaisthos> and on top of that, it is probably completed untested for Linux+glibc instead of Linux+Bionic
10:06 <@plaisthos> angs: there is only http://staging.openvpn.net/openvpn3/
10:06 <@vpnHelper> Title: OpenVPN 3 (at staging.openvpn.net)
10:06 <@plaisthos> and understand the AGPL3 before you anything
10:07 < angs> thank you Eugene and plaisthos
10:07 <@plaisthos> angs: you are probably better off using OpenVPN 2.3 and the management interface
10:08 < Eugene> !management
10:08 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
10:08 < angs> thanks again
10:20 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
10:27 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:41 -!- micw [~micw@ip9234cc9d.dynamic.kabel-deutschland.de] has quit [Quit: Verlassend]
10:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:52 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
10:53 -!- Haze` [~Gentoo@unaffiliated/haze/x-7701974] has joined #openvpn
10:54 < Haze`> !welcome
10:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:00 < Haze`> !wiki
11:00 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
11:01 < Haze`> !interface
11:01 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
11:01 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
11:03 -!- eike_52n [~eike@80.156.182.234] has quit [Quit: Verlassend]
11:04 < Haze`> !route
11:04 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
11:07 -!- UnsignedLong [~Unsigned@p5098dfa7.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
11:11 -!- daeda|us [~daed@198.144.153.101] has joined #openvpn
11:29 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
11:33 -!- ijb [~ijb@host-92-19-252-226.static.as13285.net] has quit [Quit: Leaving]
11:38 -!- lorenzo [lorenzo@nl.shell.enlab.net] has left #openvpn []
11:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:04 -!- lsone [~lsone@69.15.58.162] has quit [Read error: No route to host]
12:08 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
12:20 -!- Haze` [~Gentoo@unaffiliated/haze/x-7701974] has quit [Disconnected by services]
12:27 -!- angs [~ubuntu@85.235.3.114] has quit [Quit: Leaving]
13:03 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
13:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:16 -!- elfixit [~Icedove@89-93-101-142.hfc.dyn.abo.bbox.fr] has joined #openvpn
13:20 -!- elfixit [~Icedove@89-93-101-142.hfc.dyn.abo.bbox.fr] has quit [Ping timeout: 260 seconds]
13:36 -!- pseudo [~pseudo@65.204.49.74] has joined #openvpn
13:38 < pseudo> I have the following option in server.conf `push "dhcp-option DNS 172.17.0.2"` and in my vpn client, i see the following message `PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 172.17.0.2..` but /etc/resolv.conf does not get updated with the new dns server. any ideas why?
13:38 < pseudo> my client is running gentoo linux with openvpn 2.3.2
13:45 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
13:49 -!- xeqt [xeqt@h-72-121.a146.priv.bahnhof.se] has quit [Read error: Connection reset by peer]
13:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 260 seconds]
13:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:53 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Client Quit]
14:06 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has joined #openvpn
14:16 -!- xrosnight [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:24 -!- [DrSect0r] [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
14:24 -!- [DrSect0r] [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Remote host closed the connection]
14:24 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Ping timeout: 246 seconds]
14:34 < Eugene> !eurephia
14:34 <@vpnHelper> "eurephia" is http://www.eurephia.net/
14:34 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has left #openvpn []
14:37 -!- pseudo [~pseudo@65.204.49.74] has quit [Quit: leaving]
14:43 -!- Champi [Champi@damn.e-leet.be] has quit [Quit: Quit]
14:54 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
15:00 -!- x0077BE [~x731940@c-98-198-255-46.hsd1.tx.comcast.net] has joined #openvpn
15:00 < x0077BE> Is there a reason why OpenVPN would fail silently without logging? My config isn't generating a log when I try to connect.
15:01 < x0077BE> I'm on Windows 8. It just hangs for a bit and then says "Failed to connect:
15:01 < x0077BE> No log.
15:04 < x0077BE> It was sorta working a bit ago.
15:04 < x0077BE> I wasn't getting connected all the way, but I was at least generating logs.
15:10 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
15:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
15:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
15:23 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
15:38 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Read error: Connection reset by peer]
15:39 -!- dazo is now known as dazo_afk
15:45 -!- vincx [~vincent@fw01.streamcomputing.access.infracom.nl] has quit [Ping timeout: 260 seconds]
15:46 -!- jetole [~jetole@unaffiliated/jetole] has joined #openvpn
15:47 < jetole> Hey guys. update-resolv-conf sometimes updates my DNS servers and sometimes doesn't update them in /etc/resolv.conf. Does anyone know about any issue which would cause this to sometimes succeed / fail ?
15:50 -!- x0077BE [~x731940@c-98-198-255-46.hsd1.tx.comcast.net] has quit [Quit: Leaving]
16:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:25 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:29 -!- jetole [~jetole@unaffiliated/jetole] has quit [Quit: Leaving]
16:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:32 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:33 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:33 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:51 -!- mattock is now known as mattock_afk
16:55 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Quit: Lost terminal]
16:58 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
16:59 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Client Quit]
17:04 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
17:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
17:10 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
17:13 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
17:19 -!- STF [~stf@i53874edc.versanet.de] has joined #openvpn
17:21 < STF> can anyone of you give me an advice how to create a debian package with the latest stable version of openvpn?
17:38 <@syzzer> STF: you don't have, up-to-date debian packages are already available, see https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
17:38 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
19:01 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:05 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
19:11 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:25 -!- OkiieDoe [~adminmx@ool-44c1551f.dyn.optonline.net] has joined #openvpn
19:40 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:43 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:53 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.eu] has quit [Quit: Quit]
19:55 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
20:59 -!- STF [~stf@i53874edc.versanet.de] has quit [Killed (kornbluth.freenode.net (Nickname regained by services))]
20:59 -!- STF [~stf@i53877463.versanet.de] has joined #openvpn
21:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:07 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 244 seconds]
22:17 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
22:36 -!- OkiieDoe [~adminmx@ool-44c1551f.dyn.optonline.net] has quit [Ping timeout: 245 seconds]
22:36 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:47 -!- korrosivek9 [~unknownso@24.1.242.179] has joined #openvpn
22:52 < korrosivek9> I have OpenVPN running on a router with DD-WRT. When I try to connect to it with OpenVPN for android, I get the error "TLS key negotiation failed to occur within 60 seconds"
22:53 < korrosivek9> To set it up, I followed both the DD-WRT OpenVPN tutorial and the tutorial on the OpenVPN site.
22:54 < pekster> Either traffic doesn't make it to the server, or it's rejecting it
22:54 < pekster> View your logs on the server and discover which
22:55 < korrosivek9> I know traffic reaches the router. I can connect to it for RDP and other things.
22:55 < pekster> !logs
22:55 < pekster> !configs
22:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
22:55 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
22:55 < pekster> By "logs" I mean your logs. Not guesses as to what goes where
22:55 < pekster> If packets come to the server, the logs say so
22:55 < pekster> We also have:
22:55 < pekster> !new
22:55 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info or (#3) you can see the full factoids list at !factoids
22:57 < korrosivek9> OK. I have the logs from the android app, but I'm having a hard time figuring out how to get to the logs on the router. I'll see what I can do.
22:57 < pekster> It'll be in:
22:57 < pekster> !logfile
22:57 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
23:00 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
23:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
23:08 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 255 seconds]
23:08 -!- ShadniX [dagger@p5481C0F0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:09 -!- ShadniX [dagger@p5481CB1F.dip0.t-ipconnect.de] has joined #openvpn
23:14 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:14 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Ping timeout: 240 seconds]
23:31 -!- korrosivek9 [~unknownso@24.1.242.179] has quit []
23:35 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
23:35 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
23:41 -!- korrosivek9 [~unknownso@24.1.242.179] has joined #openvpn
23:43 < korrosivek9> pekster, from the router I need actual OpenVPN logs, not just the regular syslog?
23:44 < korrosivek9> so far, I have a log of accept and drop connections
23:44 < korrosivek9> !logs
23:44 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
23:45 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
23:46 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
23:47 < korrosivek9> !logfile
23:47 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
23:53 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
--- Day changed Fri Aug 08 2014
00:15 -!- korrosivek9 [~unknownso@24.1.242.179] has quit []
00:21 -!- mattock_afk is now known as mattock
00:22 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:27 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds]
00:32 -!- corretico [~luis@200.46.160.66] has joined #openvpn
00:34 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
00:36 -!- corretico [~luis@200.46.160.66] has quit [Excess Flood]
00:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
00:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:11 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Remote host closed the connection]
01:11 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:44 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
01:50 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
02:01 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
02:01 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:17 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:29 -!- Anodl [~Anodl@p5DC5A51A.dip0.t-ipconnect.de] has joined #openvpn
02:33 -!- Anodl [~Anodl@p5DC5A51A.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
02:34 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
02:41 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:48 -!- larryone [~larryone@180.234.39.37] has joined #openvpn
03:02 -!- eike|52n [~eike@80.156.182.234] has joined #openvpn
03:09 -!- petapetapeta [~Peter@6164198-cl69.boa.fiberby.dk] has joined #openvpn
03:09 < petapetapeta> !welcome
03:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
03:09 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:12 < petapetapeta> I am attempting to connect to a server through OpenVPN. I am getting the error "TLS Error: TLS handshake failed" when I attempt to connect. I have attempted to inspect the traffic using Wireshark, but there is no packages being sent. I have also attempted to disable the firewall, but that didn't solve the problem either
03:13 < petapetapeta> There is another computer on the same network as I am that can connect to the VPN server just fine
03:13 < petapetapeta> Anyone know what the issue could be?
03:17 < loeken> petapetapeta, you mean you disabled the firewall on the client which you cannot connect with?
03:17 < loeken> maybe server sided firewall with exception for the client that can connect?
03:18 < MogDog> Hi guys. So I recently set up a vpn service through networkmanager. However, my vpn service offers multiple exit addresses, and I'd like to somehow randomize the config chosen by networkmanager/openvpn so that I get a different exit address every time. This is easy enough with a bash script but I'm not sure how that'd work with network manager. Can you guys be of any help or should I try somewhere more specifically networkmanager oriented?
03:20 < loeken> MogDog, maybe just change /etc/hosts and thus controlling the routes?
03:20 < shiin> sounds like a round robin routing thing to me
03:21 < petapetapeta> loeken: Yeah I disabled the firewall on the client. I am unsure if the server side firewall has any issues, but since I can't see any outgoing packages through Wireshark I would think that the problem is solely clientside
03:22 < loeken> petapetapeta, add verbose 5 or similar to config and try again i think it might tell you a bit more
03:22 < petapetapeta> !paste
03:22 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
03:22 < MogDog> I suppose maybe I could have a bash script that swaps the config file used's contents on a cron job?
03:23 < loeken> yes
03:23 < loeken> sed -i 's/STRING1/STRING2/g' /path/to/filename.ext
03:24 < MogDog> That might work actually, openvpn/networkmanager would never know the difference. However that would only work on a time-based interval. Theoretically my next exit address could be determined since its cycling the same every x hours
03:24 < loeken> replaces strings inside a file, could use that MogDog to adjust the values of your network manager
03:24 < petapetapeta> loeken: I have done that earlier. THis http://pastebin.com/7vEX2ChV is the result. It doesn't look like there is anything suspicious in there though
03:25 < loeken> petapetapeta, do you have access to the server to do the same there?
03:26 < petapetapeta> loeken: Yeah, but I don't think the traffic from the client is ever reaching the server from what I can see :/
03:28 < loeken> does any talk show up in the server output/log when that client is connecting?
03:29 < loeken> yes
03:30 < loeken> petapetapeta, i ran a quick portscan (nmap ) with the --reason switch
03:30 < loeken> PORT     STATE    SERVICE REASON
03:30 < loeken> 1194/tcp filtered openvpn no-response
03:30 < loeken> so it looks like server is blocking
03:30 < petapetapeta> Unfortunately nothing at all
03:30 < petapetapeta> Okay that is very weird, because it is working from one of the other clients
03:31 < loeken> and when i scan a normal vpn server like one of mine i get a reset as response
03:31 < loeken> maybe you have a firewall setup with an exception rule for that other ip?
03:31 < loeken> or that other ip is on some kind of vlan that has permission to access or something
03:31 < petapetapeta> We are sitting on a network with the same outgoing IP
03:32 < loeken> thats odd :)
03:32 < loeken> traceroute from both to verify?
03:32 < petapetapeta> Yeah that might be it! I will attempt to do that :) Give me a minute or two
03:33 < loeken> maybe system is setup to use a proxy or soemthing?
03:34 < petapetapeta> By system do you mean the other client?
03:37 < petapetapeta> which nmap command did you run btw?
03:39 < petapetapeta> Nevermind I think I have the nmap command now :)
03:47 < petapetapeta> Think I might be on to something here!
03:47 < petapetapeta> Give me a second to figure out if it's actually the problem :)
03:50 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
03:51 < ayaka> I have a problem with vpn connection, what may cause that http://fpaste.org/124081/48783414/
03:52 < ayaka> I could get it connected finally but why it would re-connect many times
03:56 < ayaka> I have no problem to ssh to remote host
03:56 < loeken> petapetapeta, sudo nmap -sS -v -PN 123.123.123.123 -p 1194 --reason
04:11 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Quit: No Ping reply in 180 seconds.]
04:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:12 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
04:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:18 < petapetapeta> loeken: The administrator had given me a wrong config file -.-
04:22 -!- larryone [~larryone@180.234.39.37] has quit [Ping timeout: 245 seconds]
04:23 -!- zapotek6 [~zap@176.200.218.171] has joined #openvpn
04:24 -!- zapotek6 [~zap@176.200.218.171] has quit [Max SendQ exceeded]
04:43 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
04:45 -!- eike|52n [~eike@80.156.182.234] has quit [Ping timeout: 260 seconds]
04:49 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:05 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:11 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:11 -!- mode/#openvpn [+v s7r] by ChanServ
05:18 -!- zapotek6 [~zap@213.149.219.85] has joined #openvpn
05:22 -!- zapotek6 [~zap@213.149.219.85] has quit [Ping timeout: 240 seconds]
05:23 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has quit [Read error: Connection reset by peer]
05:23 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
05:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
05:23 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 240 seconds]
05:23 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
05:23 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has joined #openvpn
05:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
05:26 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
05:28 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
05:35 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:52 < loeken> petapetapeta, face + desk ;)
05:54 < ayaka> about topology, if both the server and client support subnet mode, it is better than use net32?
05:59 < petapetapeta> loeken: Indeed. I was just about to repeatedly ram my head against the wall when I figured it out
06:00 < petapetapeta> loeken: I sent him the information from my traceroute and he was like - what IP is that?  o.O That's an old config
06:32 -!- Kallb123 [~Kallb1232@host-92-6-251-21.as43234.net] has joined #openvpn
06:37 < pekster> ayaka: Yes, net30 is only there to support ancient Windows versions. See:
06:37 < pekster> !topology
06:37 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
06:38 < ayaka> pekster, thank you
06:43 -!- dazo_afk is now known as dazo
06:52 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
06:55 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
06:56 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Client Quit]
06:57 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
06:58 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has joined #openvpn
06:58 -!- zapotek6 [~zap@host138-62-static.18-80-b.business.telecomitalia.it] has quit [Max SendQ exceeded]
07:06 -!- petapetapeta [~Peter@6164198-cl69.boa.fiberby.dk] has quit [Ping timeout: 255 seconds]
07:14 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
07:18 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
07:23 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
07:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:42 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Quit: Bouncing away]
07:43 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
08:17 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:20 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
08:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
08:36 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
08:55 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
09:03 -!- angs [~ubuntu@85.235.3.178] has joined #openvpn
09:04 -!- fser [~fser@ks3367196.kimsufi.com] has joined #openvpn
09:04 < fser> hi guys
09:05 < angs> I want to add a static IP for a client. I created ccd directory, then add "client-config-dir ccd" into server.conf then created a file client1(common name), the instruction says add this line "ifconfig-push 10.9.0.1 10.9.0.2" what is the first and second parameter mean?
09:05 < angs> which address is assigned 10.9.0.1 or 10.9.0.2?
09:06 < angs> on some blogs they use ifconfig IPaddr netmask, which one is correct
09:06 < angs> *ifconfig-push
09:09 < fser> do you know guys if it's possible to configure openvpn with capabilities only, to use it as single user, rather than using tricks such as creating a static tun and so?
09:23 -!- larryone [~larryone@180.234.83.179] has joined #openvpn
09:23 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 245 seconds]
09:29 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:36 -!- lsone [~lsone@69.15.58.162] has quit [Ping timeout: 250 seconds]
09:39 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
09:42 < angs> I can run client only when it is run as root on linux, client.conf has -rw-r--r-- attributes. what do I need to do to run it as a normal user
09:43 < fser> angs: https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
09:43 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
09:44 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Quit: haasn]
09:44 < angs> thank you
09:47 < fser> :)
09:50 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
09:56 -!- mode/#openvpn [+v debbie10t] by ChanServ
09:56 <+debbie10t> fser: you can use openvpn in P2P and static key only
09:57 <+debbie10t> fser: http://openvpn.net/index.php/open-source/documentation/howto.html#quick
09:57 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:58 < fser> debbie10t: still, it will have to use a pre created tap
09:59 <+debbie10t> fser .. no it can use dynamic tap/tun
09:59 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:00 <+debbie10t> fser : you _cannot_ use Openvpn without tun/tap ...
10:02 < fser> debbie10t: thanks for hints. I'll carry on my searches before saying bullshit and comeback if I have some info.
10:02 < fser> I actually wanted to use capabilities but only for some users / groups which seems to be impossible
10:03 < fser> (for instance, granting openvpn the right to create tun / tap with cap_net_admin)
10:03 <+debbie10t> what is "capabilities" ?
10:04 < fser> kernel capabilities
10:04 < fser> setcap / getcap
10:04 < fser> for instance, using ping without setuid requires a capability to use raw socket
10:04 < fser> https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt
10:05 <+debbie10t> gotcha .. linux capabilities .. not part of openvpn per se
10:05 < fser> nope indeed :)
10:05 <+debbie10t> did you read the welcome msg ?
10:06 < fser> no !$
10:06 < fser> !welcom
10:06 < fser> !welcome
10:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
10:06 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:06 -!- mode/#openvpn [-v debbie10t] by ChanServ
10:07 < fser> debbie10t: I actually made a typo, s/single/simple/
10:09 -!- u0m3_ [~u0m3@92.80.79.191] has joined #openvpn
10:11 -!- u0m3 [~u0m3@92.80.107.242] has quit [Ping timeout: 244 seconds]
10:12 -!- angs [~ubuntu@85.235.3.178] has quit [Remote host closed the connection]
10:16 < reiffert> anyone trying to calculate hmac-sha1 encryption keys when using ipsec?
10:26 -!- eike_52n [~eike@80.156.182.234] has quit [Quit: Verlassend]
10:33 -!- u0m3_ [~u0m3@92.80.79.191] has quit [Ping timeout: 244 seconds]
10:35 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has joined #openvpn
10:37 -!- diecast [~diecast@unaffiliated/diecast/x-4821952] has quit [Client Quit]
10:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
10:58 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 272 seconds]
10:59 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
11:00 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
11:01 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
11:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:10 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:12 -!- ascheel [~ascheel@ampache/staff/ascheel] has joined #openvpn
11:13 < ascheel> !welcome
11:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:43 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 260 seconds]
11:47 -!- lsone [~lsone@69.15.58.162] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:47 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
11:49 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
11:53 -!- u0m3 [~u0m3@92.80.98.116] has joined #openvpn
11:54 -!- larryone [~larryone@180.234.83.179] has quit [Ping timeout: 255 seconds]
11:59 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 244 seconds]
11:59 -!- u0m3 [~u0m3@92.80.98.116] has quit [Ping timeout: 245 seconds]
12:01 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
12:02 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
12:11 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
12:37 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
12:38 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
12:42 -!- Esya [~zncuser@mini-02.y0y.fr] has quit [Ping timeout: 260 seconds]
13:08 -!- Kallb123 [~Kallb1232@host-92-6-251-21.as43234.net] has quit [Quit: Leaving]
13:36 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
13:45 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
13:46 -!- daeda|us [~daed@198.144.153.101] has quit [Ping timeout: 244 seconds]
13:51 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
13:52 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
13:54 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
13:55 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
13:56 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:57 -!- mattock is now known as mattock_afk
13:58 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 240 seconds]
13:59 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
14:01 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
14:07 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
14:11 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:18 -!- daeda|us [~daed@173.192.81.133-static.reverse.softlayer.com] has joined #openvpn
14:29 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
14:31 -!- Latrina [~Latrina@151.56.175.87] has quit [Ping timeout: 246 seconds]
14:34 -!- Latrina [~Latrina@ppp-9-10.26-151.libero.it] has joined #openvpn
14:54 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
14:55 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
14:56 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Client Quit]
14:59 -!- dazo is now known as dazo_afk
15:00 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
15:00 -!- shio [marmot@66.65.73.86.rev.sfr.net] has joined #openvpn
15:01 < shio> !welcome
15:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:01 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:01 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
15:02 < shio> that's a lot of ! lol
15:02 < shio> i've upgraded from I002 to I603 (2.3.4) aka non-ndis to ndis
15:03 < shio> with the ndis version, the exe hangs and can't be taskkill half the time upon using the "reconnect" button
15:04 < shio> i've reverted back to a non-ndis version as i have users connected right now
15:05 < shio> i can do a verbose 5+ later if needed
15:05 < shio> on verbose 3 it crashes right after this "Closing TUN/TAP interface" (on win7 x64)
15:06 < shio> rather hanging than crashing
15:06 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:09 < shio> !configs
15:09 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:10 < shio> !logs
15:10 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:12 < shio> config: http://pastebin.com/bgTytt0R
15:13 -!- C-S-B [~C-S-B@host86-150-238-33.range86-150.btcentralplus.com] has joined #openvpn
15:23 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
15:40 -!- mode/#openvpn [+v debbie10t] by ChanServ
15:41 <+debbie10t> shio: whiich end crashes the server or client ?
15:41 <+debbie10t> testestest
15:41 <+debbie10t> brb
15:42 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn ["Leaving"]
15:42 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
15:42 -!- mode/#openvpn [+v debbie10t] by ChanServ
15:42 <+debbie10t> test
15:42 <+debbie10t> shio .. ?
15:43 < shio> sorry, it crashes on the server
15:43 <+debbie10t> can you please paste the server log
15:44 < shio> it hangs and all i can do is restart the comp
15:44 <+debbie10t> ok .. it is bad ..
15:44 <+debbie10t> perhaps reinstall ?
15:44 <+debbie10t> what OS and firewall is your server
15:46 <+debbie10t> ok linux server .. iptables
15:46 < shio> win7 x64
15:46 < shio> firewall works fine
15:46 <+debbie10t> ahh ok
15:46 < shio> i switched back to non ndis and it works
15:47 < shio> seems to be an issue with the ndis driver
15:47 <+debbie10t> hmm .. where is the bad ndis driver from
15:47 <+debbie10t> please share lURL
15:48 <+debbie10t> *URL
15:49 <+debbie10t> ok .. i see
15:49 <+debbie10t> I have not had time to test those drivers yet ..
15:50 < shio> i just upgraded from I002 to I603
15:50 < shio> official builds
15:50 < shio> and went back to I003 as it works fine
15:51 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
15:51 <+debbie10t> sure .. I don't think there is going to be a "fix" for your pronblem yet (other than roll back) .. we will need to identify why your machine crashed
15:51 <+debbie10t> and that will take some serious time and effort
15:52 < shio> i wasn't on verbose 4+
15:53 <+debbie10t> i notice that your server config defines CCD as /openvpn/config/clients .. it that correct directory .. ie: not /programfiles/openvpn/etc
15:53 < shio> and can't do that right now 'cause i have users connected and don't really want to restart computers several times right now
15:54 <+debbie10t> ^^
15:57 < shio> yes it is correct (windows dirs ;))
15:58 <+debbie10t> ok
15:58 < shio> i usually don't install my apps on the system drive
15:59 <+debbie10t> as you do not want to mess with your operational server
15:59 <+debbie10t> i suggest you post a thread to either the forum or a bug rep to the wiki
15:59 <+debbie10t> once we get some meat on the bones no doubt the devs will take some interest
16:00 <+debbie10t> but right now it looks like your server has some other problem
16:01 <+debbie10t> perhaps your NIC drivers do not support NDIS6 ...
16:01 < shio> well it works great on non-ndis that's for sure
16:02 <+debbie10t> it's all NDIS .. just version (6 is way different to 5)
16:05 < shio> oh right then
16:05 < shio> on 5 it's all good :)
16:06 <+debbie10t> NDIS5 has been around since XP
16:06 < shio> i'll do a v4 later
16:06 < shio> verbose4
16:06 <+debbie10t> do u get BSOD ?
16:07 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 31.0/20140716183446]]
16:11 < shio> nope
16:11 < shio> i hit reconnect on the gui
16:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:12 < shio> and openvpn.exe hangs there "Closing TUN/TAP interface"
16:12 < shio> can't kill the app
16:13 < shio> have to restart if i want to use openvpn
16:13 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
16:13 < shio> it just runs but cannot do anything with it
16:13 < akurilin> Hey guys: how exactly does the client key password challenge work if I use the openvpn client daemon on something lik eubuntu?
16:14 < akurilin> will it prompt the user somehow for the password when first connecting or?
16:25 <+debbie10t> akurilin: if you setup your configs correctly .. yes your users will be prompted for username/password
16:26 <+debbie10t> shio: you need to get a fll log at at least verb 4 .. if your server crashes save the log before you restart
16:27 <+debbie10t> shio: have you tried using the windows service to start your server ?
16:28 <+debbie10t> shio: perhaps there is a problem with the GUI
16:29 < shio> nope it's a manual start
16:29 < shio> would be weird if it was gui related
16:31 <+debbie10t> it is a long shot but worth looking into
16:32 -!- daeda|us [~daed@173.192.81.133-static.reverse.softlayer.com] has quit [Ping timeout: 240 seconds]
16:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:43 < akurilin> debbie10t: what is the username here?
16:44 < akurilin> I'm only aware of the password I set during easyrsa
17:07 <+debbie10t> akurilin: are you using real OpenVPN Community Edition ?
17:13 <+debbie10t> akurilin, did you read the openvpn howto ?
17:13 <+debbie10t> http://openvpn.net/index.php/open-source/documentation/howto.html#auth
17:13 <@vpnHelper> Title: HOWTO (at openvpn.net)
17:15 -!- mode/#openvpn [-v debbie10t] by ChanServ
17:35 -!- ascheel [~ascheel@ampache/staff/ascheel] has quit [Read error: Connection reset by peer]
17:36 -!- ascheel [~ascheel@ampache/staff/ascheel] has joined #openvpn
17:44 < akurilin> debbie10t: I have, I'd rather use certificates though
17:44 < akurilin> than usernames/passwrods
17:48 -!- ascheel [~ascheel@ampache/staff/ascheel] has quit [Ping timeout: 260 seconds]
17:49 -!- ascheel [~ascheel@ampache/staff/ascheel] has joined #openvpn
17:52 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:54 -!- mode/#openvpn [+v debbie10t] by ChanServ
17:54 <+debbie10t> akurilin, then use the cert method
17:55 <+debbie10t> i always use unique certs
17:58 <+debbie10t> use easy-rsa but do not add a password at the easy0rsa level ..
17:58 -!- ascheel [~ascheel@ampache/staff/ascheel] has quit [Ping timeout: 245 seconds]
18:00 -!- ascheel [~ascheel@ampache/staff/ascheel] has joined #openvpn
18:10 < shio> damn, now that no one's connected on the server it works
18:16 < pekster> akurilin: If you want some intro to PKI concepts, you might get benefit from:
18:16 < pekster> !intro_to_pki
18:16 <@vpnHelper> "intro_to_pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
18:31 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:37 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
18:50 < akurilin> debbie10t: oh cool, so basically you don't use passwords to secure certs then, right? That's what I've been doing so far but I've been trying to see if I could make it a bit safer.
19:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
19:22 <+debbie10t> akurilin, see pekster's comment above
19:22 -!- mode/#openvpn [-v debbie10t] by ChanServ
19:23 -!- u0m3 [~u0m3@92.80.65.7] has joined #openvpn
19:25 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
19:28 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 245 seconds]
20:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
20:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
20:05 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:05 -!- mode/#openvpn [+v s7r] by ChanServ
20:20 < pekster> akurilin: certificates are by definition public (and anyone on the wire can see them, including the info you put into the request.) The private _key_ is what's private, and is ideally encrypted because if anyone gets a copy of the unencrypted key, the security for that entity is compromised
20:47 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:50 -!- u0m3_ [~u0m3@92.80.93.41] has joined #openvpn
20:52 -!- u0m3 [~u0m3@92.80.65.7] has quit [Ping timeout: 240 seconds]
20:57 -!- STF is now known as Guest62195
20:57 -!- Guest62195 [~stf@i53877463.versanet.de] has quit [Killed (tepper.freenode.net (Nickname regained by services))]
20:57 -!- STF [~stf@i53875D0D.versanet.de] has joined #openvpn
21:02 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:03 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:38 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 240 seconds]
21:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:45 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
21:47 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:47 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
21:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:56 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
22:02 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
22:17 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
23:08 -!- ShadniX [dagger@p5481CB1F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:09 -!- ShadniX [dagger@p5481CC88.dip0.t-ipconnect.de] has joined #openvpn
23:13 -!- tanja84dk [~tanja84dk@unaffiliated/tanja84dk] has joined #openvpn
23:34 -!- mapps [Mark@97e0b9d3.skybroadband.com] has joined #openvpn
--- Day changed Sat Aug 09 2014
00:48 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:58 -!- mattock_afk is now known as mattock
01:17 <@mattock> shio: are you using the I603 installer on WIndows Vista or later?
01:17 <@mattock> it will not work on Windows XP
01:21 <@mattock> if you're not on XP, then this problem is definitely worth looking into in detail
01:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
02:09 < ayaka> I have a problem with topology set to subnet, the route 192.168.0.0 255.255.255.0 won't take effect on config
02:09 < ayaka> but iroute at ccd will have effect, and if I add route manually, it will works
02:10 -!- redpill [~redpill@unaffiliated/redpill] has quit [Read error: Connection reset by peer]
02:14 < pekster> First off, don't use such a common network as it will break if any of your other clients you push that route to also use that network. Since it's the #2 most common RFC1918 network, you're setting yourself up for failure
02:14 < pekster> Second of all, for client LANs you should verify against the flowchart:
02:14 < pekster> !clientlan
02:14 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
02:14 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
02:20 < ayaka> pekster, well all the client is controller by me and their subnets are separated
02:20 < ayaka> it is ok to use this subnet
02:21 < ayaka> p.s http://ircpimps.org/clientlan.png is link is break, I have used a proxy to watch, it is break
02:22 < ayaka> vpnHelper,  tell me about route_outside_openvpn
02:22 < ayaka> vpnHelper,  tell me route_outside_openvpn
02:22 < ayaka> !route_outside_openvpn
02:22 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
02:24 < ayaka> pekster, from the information you give me, I have do all the thing, here is the config of server http://fpaste.org/124322/40756907/
02:26 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 250 seconds]
02:26 < ayaka> do I do anything wrong?
02:29 < ayaka> it works on net30 mode
02:40 -!- larryone [~larryone@180.234.66.149] has joined #openvpn
02:44 -!- larryone [~larryone@180.234.66.149] has quit [Ping timeout: 255 seconds]
03:04 -!- mattock is now known as mattock_afk
03:18 -!- maps|wrk [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
03:23 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
03:24 -!- mapps [Mark@97e0b9d3.skybroadband.com] has quit [Ping timeout: 264 seconds]
03:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:38 < shio> mattock_afk: yes, installed on win7 x64, upgraded from I002 to I603, so far it seems to happen only when someone is already connected and I hit "reconnect"
03:38 < shio> i've installed the I603 again, waiting on someone to connect and try again
03:38 < shio> it's on verb4 now
03:47 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
03:47 -!- Latrina [~Latrina@ppp-9-10.26-151.libero.it] has quit [Ping timeout: 250 seconds]
03:50 -!- Latrina [~Latrina@adsl-ull-76-217.50-151.net24.it] has joined #openvpn
04:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:29 < shio> confirmed, it hangs only if someone's connected to the server
04:33 < shio> saved the log, restarting the computer... :(
04:33 -!- shio [marmot@66.65.73.86.rev.sfr.net] has quit [Remote host closed the connection]
04:46 -!- shio [marmot@66.65.73.86.rev.sfr.net] has joined #openvpn
04:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
04:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:02 < shio> here's the verb4 log: http://pastebin.com/6aEVPvN2
05:37 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 250 seconds]
06:20 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has joined #openvpn
06:21 < lkthomas> hey guys, I have some routing issue between two tun interface
06:21 < lkthomas> two tun interface is running OSPF
06:21 < lkthomas> they could see each other well, but I couldn't get packet beyond these individual interface
06:52 -!- smartguy [smartguy@79.117.63.75] has joined #openvpn
06:52 < smartguy> I really need help with my CENTOS 7.0 and VPN. VPN is not starting on it, after i install it !
07:09 < ayaka> smartguy, systemctl start openvpn@confname
07:10 < ayaka> the systemd still server per-config as a service
07:11 < smartguy> where i can see the confname?
07:11 < smartguy> lol
07:13 -!- smartguy [smartguy@79.117.63.75] has quit []
07:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:30 < ayaka> pekster, thank you all the same
07:31 < ayaka> I have a problem with route in configure, it won't add route to system, if the topology set to subnet but if the topology set to net30
07:32 < ayaka> it works fine
07:32 < ayaka> or I add route manually, it works
07:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:55 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
08:03 -!- Pyrogerg [~Gregory@72.170.196.218] has joined #openvpn
08:04 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 264 seconds]
08:09 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
08:27 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
08:38 -!- Pyrogerg [~Gregory@72.170.196.218] has quit [Read error: Connection reset by peer]
08:38 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
09:15 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:07 -!- STF [~stf@i53875D0D.versanet.de] has quit [Killed (sinisalo.freenode.net (Nickname regained by services))]
10:07 -!- STF [~stf@i53876B32.versanet.de] has joined #openvpn
10:39 < pekster> ayaka: Sounds like you might have used the wrong syntax for any ifconfig-push in your ccd
10:40 < ayaka> pekster, iroute 192.168.0.0 255.255.255.0
10:40 < pekster> Is that all you have there? No --ifconfig-push ?
10:40 < ayaka> yep
10:41 < pekster> subnet topology does require that you have openvpn >=2.1.0 (2.0.9 is 7 years old now) and that your tun driver support setting an ip/netmask on the interface. After your client connects in subnet, do you see the IP on the tun device? Can you ping the tun IP of the server?
10:42 < ayaka> yes, I could
10:42 < ayaka> I have said that once I add route in server, the subnet of client could ping the server
10:42 < ayaka> the server is 2.3 and the client is 2.2
10:42 < pekster> You don't have another 192.168.0.0/24 network on the server side do you?
10:43 < ayaka> of course
10:43 < pekster> Does that mean you do?
10:43 < ayaka> the server doesn't have 192.168.0.0/24 network directly
10:44 < ayaka> after the vpn connecting is done, I do ip route add 192.168.0.0/24 dev tun0
10:44 < ayaka> in server, then subnet of client could ping the server
10:44 < pekster> Right, I'm just making sure you don't have the server on that network, or a pre-existing route for it before the VPN is involved
10:45 < ayaka> I think it doesn't
10:45 < pekster> Line 24 of the config you pasted earlier should add that route into your system routing table, bound for the server's own VPN address
10:46 < pekster> This lets openvpn "take" the packet, and the iroute is what delivers it from openvpn to the right client. If you don't see a 192.168.0.0/24 route in your system after the VPN comes up (in topology anyway) I'd check the logs to see if you get an error adding it. You probably want `--verb 4` for that
10:46 < ayaka> I will do that
10:47 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
10:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
10:51 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:51 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
10:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
10:53 -!- hays [~hays@unaffiliated/hays] has quit [Remote host closed the connection]
10:58 < ayaka> pekster, http://fpaste.org/124360/99911140/
11:00 < pekster> The route I'm interested in will be shown when you start the server instance
11:00 < pekster> That just shows the connection from the client, missing the part about adding the server's own route to its table for that client LAN
11:01 < pekster> line 64 shows the iroute getting parsed correctly though
11:02 < ayaka> pekster, but ip r doesn't show it
11:02 < ayaka> it can't be blocked by selinux, selinux doesn't show any error log
11:02 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
11:05 < pekster> You didn't give me what I aske d
11:05 < pekster> iroute is _NOT_ for your system OS; it's for openvpn only
11:05 < pekster> The route I'm interested in has not been shown in the logs, and will only appear on _server_ startup
11:06 < pekster> So, keep the logging as it is, stop the server, verify you do not have a 192.168.0.0/24 route in your system routing tables. Then start the server again and pastebin that log, which will contain the system route command for that network, routed via the VPN instance's own IP
11:08 < ayaka> so I should add verb to higher?
11:08 < pekster> No, you should give me logs of actual server startup
11:08 < pekster> line 1 is not what openvpn provides as the first log line at --verb 4 on startup. Your logs are skipping all the parts I need to determine if the route was added
11:09 < pekster> You should do exactly what I just indicated above, starting with "So, keep the logging as it is.." above
11:09 < ayaka> sorry, I will do that
11:14 -!- hays [~hays@unaffiliated/hays] has quit [Remote host closed the connection]
11:14 < ayaka> I am not familiar with journalctl , pekster  this time the full log http://ur1.ca/hxwa6 ?
11:14 <@vpnHelper> Title: #124365 Fedora Project Pastebin (at ur1.ca)
11:17 < pekster> FYI, there's also:
11:17 < pekster> !logfile
11:17 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:17 < pekster> OpenVPN gives you lots of flexibility in how you log. This is fine for now, but if you want openvpn to go to a file (until you learn how your userspace logging works) you can do that in the future
11:17 < ayaka> yes I should use it instead
11:19 < pekster> See line 294. You probably need to add `--route-gateway 10.0.12.129` to your server config
11:20 < pekster> I should test that on 2.3.4; if it's still doing that, it's probably a bug because that value should be the implied default for --server configurations
11:20 < pekster> Or at least a "way to improve what --server is supposed to do". It's not really a bug if the documentation doesn't say it's supposed to be doing that ;)
11:23 < ayaka> pekster, I have had server 10.0.12.128 255.255.255.128
11:23 < ayaka> and also server-ipv6 2001:19f0:7000:8404:64::/80
11:23 < ayaka> the new config use --log http://ur1.ca/hxwbr
11:23 <@vpnHelper> Title: #124366 Fedora Project Pastebin (at ur1.ca)
11:23 < pekster> Yes, but line 294 in that last log output show it can't add the route due to no gateway
11:24 < pekster> The directive I gave you above should fix that. Please let me know if it does so I can look at writing a patch to openvpn that makes it the default
11:24 < ayaka> it can't be http://fpaste.org/124368/76014631/
11:24 < ayaka> I think I will try to add route-gateway 10.0.12.129
11:25 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
11:25 < pekster> (no need to push it -- that's already getting pushed. The problem in your case is that the server itself is not aware of its own route to the VPN process, but only in the subnet topology)
11:28 < ayaka> pekster, yes you need route-gateway 10.0.12.129
11:29 < ayaka> or it won't work. once I add it to conf and restart the server, then the route appear
11:30 < pekster> Thanks for letting me know. I'll see about cooking up a fix so hopefully a future release doesn't require this extra step
11:30 < ayaka> pekster, thank you very much
11:37 < ayaka> pekster, but what do see at line 294  ifconfig_ipv6_pool_base = 2001:19f0:7000:8404:64::1000 ?
11:38 < pekster> that's normal
11:38 < ayaka> pekster, "Yes, but line 294 in that last log output show it can't add the route due to no gateway"
11:39 < ayaka> I want to know what do you find, in the next time, I could find out bug myself
11:40 < pekster> Your earlier log
11:40 < pekster> http://paste.fedoraproject.org/124365/60084814/
11:40 < pekster> lines 293/294 talk about IPv4, not v6
11:41 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:41 < ayaka> pekster, I see
11:41 < ayaka> pekster, thank you, I could debug myself in the next time
11:42 < pekster> Right, although in this case --server should probably do that itself, since it is a "helper-directive" that could do more to help :P
11:42 < pekster> You can unroll --server, but then you're expected to expand each of the directives as you need them (gives you flexability if the defaults aren't good enough)
11:43 < ayaka> as I have many server I need them
11:43 < ayaka> I need the --server
11:43 < pekster> You don't actually -- it expands as described in the manpage
11:44 < pekster> It's just a way to reduce the number of lines you need if you're happy with the default settings
11:44 < pekster> Use of !static IPs requires you not use it (or potentially have address conflicts) for example
11:45 < ayaka> but the real line is http://fpaste.org/124370/76027131/
11:45 < pekster> Yup
11:46 < pekster> So in topology, your --server line is exactly the same as: --mode-server --tls-server --push "topology subnet" --ifconfig-pool 10.0.12.2 10.0.12.254 255.255.255.0 --push "route-gateway 10.0.12.1"
11:46 < pekster> (topology subnet, that is)
11:47 < ayaka> much longer than before
11:47 < pekster> That "should" also include the --route-gateway directive, but doesn't. It works in net30 becuase on Linux net30 is treated the same as p2p for addressing purposes
11:47 < pekster> That's what I said earlier, yes.
11:47 < pekster> If the defaults do not work, it's your job to understand what --server does and apply the defaults, with your own changes
11:47 < pekster> Some addressing concepts that explain this further on the wiki at:
11:47 < pekster> !addressing
11:47 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
11:50 < ayaka> also, you know some project offer a script to do that :
11:50 < pekster> Do what? Think? Probably not.
11:50 < ayaka> as I am behind the GFW, so website like openvpn site is blocked
11:51 < pekster> The interaction of the directives changes for bugfixes and things, so it's not really something you can program
11:51 < pekster> Oh, bummer. Maybe find a tor bridge or something that isn't yet blocked?
11:51 < ayaka> I know the openvpn could push the default route, but I don't want it, as the remote vpn is slow
11:52 < pekster> Right. You could run a VM on your system and redirect the default route there, and do browsing in the VM
11:52 < ayaka> there is a script could test the connection of remote host, if it can't work, then define the default gateway to remote vpn
11:52 < pekster> Or maybe run a socks proxy in the VM instead, and then add a plugin like FoxyProxy (for Firefox) so you can "switch" your connection to use the non-GFW version on-demand
11:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:52 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
11:52 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
11:53 < pekster> OpenVPN is entierly unconcerned with things like what host you're accessing, or if the request works or doesn't
11:53 < pekster> A proxy might be your best bet, and the VM and proxy server in a VM means it won't touch your own host's routing table
11:53 < ayaka> but the socket proxy is slow, I use the ssh to do that
11:53 < pekster> FoxyProxy is able to keep a list of domains to use the proxy for, so you can just have a growing list of sites GFW blocks
11:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:53 -!- mode/#openvpn [+v s7r] by ChanServ
11:54 < pekster> Then you're doing it wrong. SOCKS to a VM will be fast
11:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:54 < ayaka> but I don't need double encrypt
11:54 < pekster> SOCKS doesn't imply encryption
11:54 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
11:54 < pekster> tinyproxy won't use it
11:54 < ayaka> I see
11:54 < ayaka> but I prefer some kind of directly proxy, just modify  route table
11:55 < pekster> You can't do that
11:55 < pekster> You cannot translate a "domain" to a route
11:55 < pekster> DNS and CDNs make that a zero-sum game
11:55 < pekster> You _cannot_ get what you want with routes
11:55 < pekster> Try a proxy setup instead
11:55 < ayaka> ok
11:55 < ayaka> thank you very much
11:55 < Eugene> I mean, you could do it with multiple routing tables and binding a browser to a specific one
11:56 < Eugene> But that's a lot of pain in the ass
11:56 < pekster> Need >1 browser then, and a browser that can bind (or policy routing, which is complex)
11:56 < Eugene> Ya
11:56 < pekster> VM + tinyproxy + openvpn, then FoxyProxy on the host works much nicer
11:56 < pekster> It'll even let you do things like say "openvpn.net/.com goes over the proxy" and then it just works
11:57  * pekster flips switch to "More Magic"
11:57 < ayaka> also I am worried about another problem with GFW
11:57 < pekster> I use tinyproxy to a VPN running at home to secure browsing when I'm at wifi hotspots. It's not the government that bugs me nearly as much as the guy with the drive and laptop. Maybe he's working, or maybe he's sniffing packets
11:58 < ayaka> you may have noticed that I don't use the normal openvpn port, as GFW will work on it. But I recently find the GFW will disconnect the ssh key exchange whichever port you used
11:58 < ayaka> does openvpn has a ability to hide the protocol it used
11:59 < pekster> No, but you can add a layer to do that. See:
11:59 < pekster> !obfsproxy
11:59 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
11:59 < pekster> See also, statickey, but you're trading no handshake in the protocol for lack of perfect-forward-secrecy when you do this:
11:59 < pekster> !statickey
11:59 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
11:59 < ayaka> the link is broken https://syria.hacktivist.me/?p=148
11:59 < pekster> !obfs
11:59 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used.
11:59 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
12:00 < pekster> I suppose torproject is also blocked :P
12:00 < ayaka> not just key exchange, the GFW will understand the protocol
12:00 < pekster> Not with statickey
12:00 < pekster> There _is_ no disscernable protocol, just "random packets"
12:00 < pekster> No handshake, no keys/certs. You give up forward-secrecy for that, but it's completely fingerprintless
12:01 < ayaka> I see thank you
12:01 < ayaka> in that time, I would use that
12:01 < pekster> (what you do _over_ your VPN might still be subject to traffic analysis. It always will be)
12:01 < ayaka> I have meet it once this year
12:03 < pekster> You can also try using ports assigned to other purposes. UDP/162 might be a fun one (normally used by SNMP systems, and encrypted traffic over that port wouldn't be entierly unusual as SNMPv3 offers crypto support)
12:03 < pekster> ports 53, 67, and others have common UDP associations too
12:03 < ayaka> thank you very much, in the next, I think I could overcome the GFW
12:04 < ayaka> yes, port 53 is a interesting port, in here, there are some  wifi for fee
12:04 < ayaka> but it never blocks the 53/udp
12:04 < ayaka> then you know what we could do with openvpn
12:05 < pekster> statickey + udp/53 might kind of work, although it wouldn't be hard for DPS to see that it isn't actual DNS traffic, or detect the unusual rate of the traffic
12:05 < pekster> It's a big cat/mouse game
12:05 < pekster> Erm, DPI
12:06 -!- angs [~ubuntu@85.235.3.178] has joined #openvpn
12:06 -!- hays [~hays@unaffiliated/hays] has quit [Remote host closed the connection]
12:06 < ayaka> well, I will take your suggestion, the GFW has a final way, block the ip
12:07 < ayaka> then the game is end
12:08 < angs> my client's connection is terminated by  Linux ifconfig failed: external program exited with error status: 1 here is the full output http://pastebin.com/ZwQp8jMv and config file.
12:08 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
12:08 < angs> which argument is invalid?
12:09 < pekster> 255.255.255.0 looks bogus in p2p
12:10 < pekster> Surely you don't want a PtP link of 10.8.0.2 -> 255.255.255.0
12:12 < angs> pekster, here is my server.conf and ccd/node1 http://pastebin.com/NueqExvc   is "ifconfig-push 10.8.0.2 255.255.255.0" a wrong definition?
12:12 < pekster> Works for me in `ip` though, but it's still rather wrong to do what you're attempting
12:12 < pekster> You might consider compiling openvpn with iproute2 support if your OS has it (ifconfig is 10-year old broken network on Linux these-days)
12:13 < pekster> Your toplolgy is net30. You do _not_ push a netmask in net30 (or p2p) topology
12:13 < pekster> See:
12:13 < pekster> !addressing
12:13 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
12:13 < pekster> You might also consider switching to the `subnet` toplogoy instead, which does away with the net30 nonsense. For that, see:
12:13 < pekster> !topology
12:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:14 < pekster> In subnet topology, you push a more "traditional" IP+mask, even for tun devices.
12:14 < angs> I wanted to assign a static IP to my client (10.8.0.2) on howto I saw that example
12:15 < angs> I will read the links you suggested
12:15 < angs> thank you
12:16 < pekster> Set topology to subnet and it should "fix" your problem. The links above will explain why
12:25 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
12:36 -!- angs [~ubuntu@85.235.3.178] has quit [Quit: Leaving]
12:51 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
13:01 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:02 -!- zapotek6 [~zap@host56-81-dynamic.9-87-r.retail.telecomitalia.it] has joined #openvpn
13:10 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
13:19 -!- zapotek6 [~zap@host56-81-dynamic.9-87-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
13:33 -!- supermat is now known as mt
13:45 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
13:48 -!- [DrSect0r] [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
13:51 -!- DrSect0r- [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
13:51 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Ping timeout: 255 seconds]
13:54 -!- [DrSect0r] [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Ping timeout: 255 seconds]
14:18 -!- DrSect0r- [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
14:18 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
14:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:34 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
15:48 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:00 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
16:00 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
17:16 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
17:30 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
18:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
19:01 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:13 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
19:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:20 -!- STF is now known as Guest67306
20:20 -!- Guest67306 [~stf@i53876B32.versanet.de] has quit [Killed (rajaniemi.freenode.net (Nickname regained by services))]
20:21 -!- STF [~stf@i53875ea5.versanet.de] has joined #openvpn
21:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:02 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Ping timeout: 272 seconds]
22:31 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:37 -!- a|3x [~a|3x@c-73-37-66-131.hsd1.or.comcast.net] has joined #openvpn
22:37 < a|3x> hi
23:05 -!- ShadniX [dagger@p5481CC88.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:08 -!- ShadniX [dagger@p579418EF.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Aug 10 2014
00:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:47 -!- s7r_d [~s7r@openvpn/user/s7r] has joined #openvpn
00:47 -!- mode/#openvpn [+v s7r_d] by ChanServ
00:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
00:53 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Quit: gotta go]
00:54 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
01:00 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
01:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
01:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:54 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 260 seconds]
02:21 -!- lambda79 [~lambda79@unaffiliated/lambda79] has joined #openvpn
02:49 -!- lambda79 [~lambda79@unaffiliated/lambda79] has quit [Read error: Connection reset by peer]
02:56 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:04 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 246 seconds]
04:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:08 -!- doebi [~doebi@doebi.at] has joined #openvpn
04:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:58 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
05:10 -!- s7r_d is now known as s7r
05:34 < tanja84dk> I'm sorry to ask but I have not been able to find the answer on the wiki. I have setup a tap network because it has to work as a lan network. but I would like that the clients have static ip's because it's a administration network for multiple servers
05:38 < Mike--> tanja84dk: look at ccd
05:38 < Mike--> !ccd
05:38 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
05:39 < tanja84dk> Mike--, thank you very much I will look into that right away
05:40 < Mike--> np
05:40 < Mike--> you can also require every connecting client to have ccd file
05:40 < Mike--> in which case you can make sure only static ip's are handed out
05:41 < Mike--> This also lets you configure per-user routing
05:43 < tanja84dk> sounds like the way for me to go, because then I'm sure that servers are able to talk to each others even if the vpn connection is reset because of lets say isp failout
05:45 < Mike--> make that 'per-connection routing'
05:52 < tanja84dk> thanks alot looking into that right now as we speak
06:18 < tanja84dk> Mike--, btw a update, thank you very much I have got it to work now with static ip's there is giving from the server based on ccd
06:22 < Mike--> nice
06:25 -!- ShadniX [dagger@p579418EF.dip0.t-ipconnect.de] has quit [Quit: Bye.]
06:27 -!- ShadniX [~ShadniX@p579418EF.dip0.t-ipconnect.de] has joined #openvpn
06:28 -!- zapotek6 [~zap@176.200.188.255] has joined #openvpn
06:29 -!- zapotek6 [~zap@176.200.188.255] has quit [Max SendQ exceeded]
06:31 -!- zapotek6 [~zap@176.200.188.255] has joined #openvpn
06:31 -!- zapotek6 [~zap@176.200.188.255] has quit [Max SendQ exceeded]
06:37 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
06:55 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
06:59 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
07:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:22 -!- tacobutt [~tacobutt@46.19.141.158] has joined #openvpn
07:27 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:34 < tacobutt> !welcome
07:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:35 < tacobutt> !configs
07:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:37 < tacobutt> !sample
07:37 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
07:40 < tacobutt> it looks like the link to the sample configs is down
07:44 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
07:46 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
07:53 < tacobutt> is it possible to use this cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ?
07:54 < tacobutt> is there any extra setup required for GCM?
08:09 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
08:09 <@plaisthos> tacobutt: for control channel yes
08:09 <@plaisthos> for data channel (!cipher) there is no gcm support yet
08:10 < tacobutt> !cipher
08:10 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
08:12 < tacobutt> no !cipher trigger, but thank you plaisthos, so how would that look in a config?
08:14 < tacobutt> cipher AES-256-CBC
08:14 < tacobutt> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ?
08:16 <@plaisthos> yeah
08:16 <@plaisthos> for example
08:17 < tacobutt> maybe that was causing the handshake errors I was having a while back when I gave up
08:17 < tacobutt> I thought it was some signing issue that I was having with easyrsa3
08:20 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
08:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
08:23 <@plaisthos> tacobutt: and you need tls-min-version or -master
08:23 <@plaisthos> since you need tls 1.2 for that
08:24 < tacobutt> tls-version-min 1.2  :D
08:26 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
08:28 < tacobutt> what about tls-exit?
08:32 <@syzzer> tacobutt: you don't need that. It will prevent openvpn from retrying it the tls connection fails
08:36 < tacobutt> ok
08:47 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
08:47 < tacobutt> plaisthos: i forgot to ask, what is the result of the -master option?
08:48 <@syzzer> tacobutt: with -master, he means you could use the git-master ('unstable') version of openvpn
08:49 <@syzzer> that will once become openvpn 2.4
08:49 < tacobutt> i see
08:54 < tacobutt> sorry, thanks syzzer
09:00 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
09:00 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
09:02 -!- Netsplit *.net <-> *.split quits: clu5ter
09:03 -!- Netsplit over, joins: clu5ter
09:04 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has joined #openvpn
09:09 < tacobutt> syzzer: speaking of compiling openvpn, do you know anything about the efficacy of the scrambler patch?
09:17 -!- maps|wrk is now known as mapps
09:31 <@syzzer> tacobutt: can you be a bit more specific? what patch?
09:31 < tacobutt> https://github.com/clayface/openvpn_xorpatch
09:31 <@vpnHelper> Title: clayface/openvpn_xorpatch · GitHub (at github.com)
09:33 <@syzzer> looks like it will get  you through DPI-firewalls that try to block openvpn
09:33 <@syzzer> never tried it though
09:33 <@syzzer> I hear obfsproxy does the trick too
09:33 < tacobutt> me either
09:33 < tacobutt> never heard of it
09:34 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:34 <@syzzer> see https://community.openvpn.net/openvpn/wiki/TrafficObfuscation
09:34 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
09:35 < tacobutt> thanks
10:01 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
10:03 -!- tacobutt [~tacobutt@46.19.141.158] has quit [Quit: https://i.imgur.com/ngMAP0s.jpg]
10:26 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:40 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
10:40 < Wulf> Hello
10:40 < Wulf> I believe I've seen openvpn config files that had embedded files e.g. in <ca>...</ca> tags. Where can I find documentation on this?
10:48 < Wulf> never mind, found it. Called "INLINE" in the manpage
10:48 -!- Wulf [~Wulf@unaffiliated/wulf] has left #openvpn []
10:57 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:03 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:29 -!- tunnels [~tunnels@unaffiliated/tunnels] has joined #openvpn
11:39 < tunnels> !welcome
11:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:50 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
12:11 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
12:11 < Orbixx> Is openvpn missing its systemd script in the epel7 repo?
12:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
12:20 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 272 seconds]
12:28 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
12:29 -!- Denial [~Denial@host86-174-170-118.range86-174.btcentralplus.com] has joined #openvpn
12:39 < Eugene> Works fine for me
12:40 < Eugene> I'm no systemctl expert, but I believe you need to create /etc/openvpn/foo.conf, which then gets exposed via `systemctl` as openvpn@foo.service
12:41 < Eugene> Thus giving you a bit of fine-grained control in which links you want to come up at boot, unlike Ye Olde Init Script, which just started *.conf
12:42 < Eugene> I've only got one box running CentOS7, and I just did a simple import of /etc/openvpn/ and everything Just Fucking Worked. So, happy with it.
12:49 < pekster> Eugene: Like what Gentoo has done for years? :P
12:49 < Eugene> "act as a space heater" ?
13:56 -!- DrSect0r [~DrSect0r@77-175-115-95.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
14:21 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
14:32 < Orbixx> Aha
14:34 < Orbixx> Connection keeps resetting: http://pastie.org/private/ch54haalya3gaqtdxtkg
14:35 < Orbixx> Whoops, not the cleanest of pastes
14:38 < pekster> Don't use verb >5 as it's intended for developers doing programatic debugging (and just clutters things otherwise)
14:38 < pekster> If the TLS connection times out either the packets don't make it to the destination, or the remote end has terminated the connection (and you'd need to check the logs fromo that side)
14:39 < pekster> If you need further help determining which, !configs and !logs from both sides would help. Full logs please, at !verb 5. Each of the !things contain more info for you
14:46 -!- tunnels [~tunnels@unaffiliated/tunnels] has left #openvpn ["Leaving"]
14:53 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Remote host closed the connection]
15:30 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
15:32 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:46 -!- vinky [~vinky@81-230-177-246-no98.tbcn.telia.com] has left #openvpn []
16:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:25 -!- AlexMax [alexmax@2600:3c03::f03c:91ff:fe93:116b] has quit [Quit: WeeChat 0.4.3]
16:29 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
16:31 < Exagone313> hi, i installed openvpn-as (it works fine) and i want to use the tunnel to connect to ipv6 websites. how to configure this please?
16:32 < Exagone313> h sorry
16:34 < Exagone313> anyone can help me? no responses on #openvpn-as
16:34 -!- yerodin [~yerodin@unaffiliated/yerodin] has joined #openvpn
16:35 < yerodin> Hey guys, how can I exclude the ssh port from being used in established connection (which works fine) ?
16:35 < yerodin> I need that access locally...
16:39 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
16:42 < Exagone313> http://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html
16:42 <@vpnHelper> Title: Force OpenSSH (sshd) to listen on selected multiple IP address only - nixCraft (at www.cyberciti.biz)
16:42 < Exagone313> this will help you
16:42 < Exagone313> yerodin
16:42 < yerodin> Exagone313: Thanks dude.
16:52 < yerodin> Exagone313: This is the way to make ssh listen to specified IP addresses only. My issue is that I cannot access the machine anymore after I established a vpn connection.
16:53 < Exagone313> you didn't say to exclude ssh?
16:53 < Exagone313> ok
16:53 < yerodin> Well, I tried to say that I want the port to be usable in local network.
16:53 < yerodin> sorry about the misunderstanding.
16:53 < Exagone313> then  don(t know, but this is possible in openvpn-as
16:54 < Exagone313> I don't know*
16:54 < Exagone313> then it is possible :)
16:55 -!- newbie55 [~user___@gateway/tor-sasl/cgeek] has joined #openvpn
16:56 < newbie55> Hello guys, I think my computer may be infected. And/or some weird update broke all the routes for all VPN services. Running Linux... whenever I connect to the VPN it connects but my IP doesn't change :(
16:57 < Exagone313> yerodin: http://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/
16:57 <@vpnHelper> Title: Controlling client-to-client connections in OpenVPN « \1 (at backreference.org)
16:57 < Exagone313> using iptables command
16:58 < Exagone313> iptables -A FORWARD -s 10.180.0.11 -d 10.180.0.4 -j DROP
16:58 < Exagone313> -s source -d destination
16:59 < newbie55> If anyone could help me out I would appreciate it. Here's what I got - free mullvad trial login: http://paste.ubuntu.com/8011499/  ip route: http://paste.ubuntu.com/8011501/
16:59 < Exagone313> source : your local ip, destination : local ip of openvps computer
16:59 < newbie55> Up until a day ago it worked fine. No idea what changed. Nothing on my end :p
16:59 < yerodin> Exagone313: Will try that.
17:00 < yerodin> Exagone313: source is 127.0.0.1 or the local lan ip of that machine?
17:01 < Exagone313> local ip in the openvpn network
17:02 < yerodin> ok
17:02 < Exagone313> it may not work
17:02 < newbie55> I tried another VPN service as well and same issue... this is really strange :s
17:02 < Exagone313> just try
17:02 < yerodin> We'll see.
17:03 < Exagone313> newbie55: try to renstall your lient
17:03 < newbie55> ok
17:03 < Exagone313> and post to a security forum to help you maybe
17:04 < Exagone313> but on linux idk if you will be helped
17:04 < Exagone313> anyone know how to acces to ipv6 using openvpn?
17:07 < Exagone313> if you know how to tell me in pm, i disconnect
17:31 -!- yerodin [~yerodin@unaffiliated/yerodin] has quit [Quit: Caught sigterm, terminating...]
17:50 -!- cmanns [~cmanns@68-189-105-110.dhcp.wtvl.ca.charter.com] has joined #openvpn
17:54 -!- liberal [~rocketeer@gateway/tor-sasl/rocketeer] has joined #openvpn
18:09 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 255 seconds]
18:12 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Quit: Server shutdown]
18:13 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
18:19 -!- newbie55 [~user___@gateway/tor-sasl/cgeek] has quit [Ping timeout: 264 seconds]
18:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:41 < jzaw> !hartbleed
18:42 < jzaw> oops sp
18:42 < jzaw> !heartbleed
18:42 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
18:42 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
18:48 < cmanns> So if my android is 4.4.x I’m fine?
18:50 < Hello71> I guess tls-auth was a good idea?
19:10 < pekster> tls-auth adds another layer of protection in the event a weakness in TLS is discovered (as was the case in heartbleed)
19:11 < pekster> It's one of several ways to harden openvpn: some more recommendations on the wiki at: !hardening
19:20 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
19:29 <@krzee> cmanns, yep should be fine
19:31 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Ping timeout: 250 seconds]
19:36 -!- a|3x [~a|3x@c-73-37-66-131.hsd1.or.comcast.net] has quit [Quit: Leaving]
19:38 -!- liberal is now known as rocketeer
19:45 -!- rocketeer [~rocketeer@gateway/tor-sasl/rocketeer] has quit [Remote host closed the connection]
20:19 -!- STF is now known as Guest69505
20:19 -!- Guest69505 [~stf@i53875ea5.versanet.de] has quit [Killed (dickson.freenode.net (Nickname regained by services))]
20:19 -!- STF [~stf@i538778FE.versanet.de] has joined #openvpn
20:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:34 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
21:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:23 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:33 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:06 -!- ShadniX [~ShadniX@p579418EF.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:07 -!- ShadniX [dagger@p5DDFDEBD.dip0.t-ipconnect.de] has joined #openvpn
23:52 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
--- Day changed Mon Aug 11 2014
00:23 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has joined #openvpn
00:24 < soffio> hi, that looks really bad: http://pastebin.com/raw.php?i=4mVim1te
00:27 -!- kieppie [~jaco@118.148.154.215] has joined #openvpn
00:27 < kieppie> hi
00:29 < kieppie> I'm netting up a site, but I need to know what ports to NAT through from the outside to allow incoming OpenVPN connections. atm I only have UDP:1194 forwarding. what else is needed?
00:29 <@krzee> soffio, looks like whatever it is, its getting stopped at the HMAC signatures (tls-auth)
00:29 < soffio> like a mitm?
00:30 <@krzee> or a misconfigured client or something
00:30 < soffio> that's a client log
00:31 <@krzee> so the client and server probably dont have the same exact tls-auth file
00:31 <@krzee> or maybe key-direction is set wrong
00:31 <@krzee> post both configs without comments, and md5sum both tls-auth files
00:32 < soffio> server is not mine, and those messages are finished, it was just a moment
00:33 <@krzee> Authenticate/Decrypt packet error: packet HMAC authentication failed
00:33 <@krzee> no more of that?
00:33 <@krzee> and the vpn is working?
00:34 < kieppie> ?ports
00:38 <@krzee> kieppie, what makes you think openv
00:38 <@krzee> openvpn needs to listen on more than one port?
00:39 -!- kieppie [~jaco@118.148.154.215] has quit [Ping timeout: 246 seconds]
00:41 <@krzee> soffio, it does look like something that wasnt your server was sending traffic at the client if so
01:05 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has left #openvpn []
01:24 -!- StrayPyramid [~AnthonyB@222-154-12-144.jetstream.xtra.co.nz] has joined #openvpn
01:24 -!- StrayPyramid [~AnthonyB@222-154-12-144.jetstream.xtra.co.nz] has left #openvpn []
01:25 -!- StrayPyramid [~AnthonyB@222-154-12-144.jetstream.xtra.co.nz] has joined #openvpn
01:29 < StrayPyramid> Hello everyone
01:29 < StrayPyramid> I am having trouble setting up openVPN
01:30 <@krzee> !goal
01:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:32 < StrayPyramid> [6:31:56 PM] SpannerHammer: I would like to set up a secure connection between a laptop and a lan over the internet
01:33 <@krzee> have you got the vpn up at all yet?
01:33 < StrayPyramid> not yet.
01:33 <@krzee> wheres the problem?
01:33 < StrayPyramid> I am receiving an error while trying to start openVPN on an ubuntu server in the lan.
01:34 <@krzee> show me its config file and the log file in pastebins
01:34 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:34 <@krzee> no comments on the config, like this:
01:34 <@krzee> !configs
01:34 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:34 < StrayPyramid> The error is: Failed running command (--up/--down): could not execute external program
01:34 <@krzee> oh ok
01:34 <@krzee> grep up server.conf
01:35 <@krzee> (show me the line with up)
01:35 < StrayPyramid> up "/etc/openvpn/up.sh br0 trap0 1500"     ?
01:36 <@krzee> why are you bridging?
01:36 < StrayPyramid> tap0*
01:36 < StrayPyramid> I tried to follow a quickstart guide
01:36 <@krzee> !tunortap
01:36 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
01:36 <@vpnHelper> rooted/jailbroken) support only tun
01:37 <@krzee> so ya, stop bridging unless you have a reason to
01:37 <@krzee> !walkthrough
01:37 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
01:37 < StrayPyramid> huzzah.
01:38 <@krzee> show me your config without comments and i'll help you with it
01:38 <@krzee> !whybridge
01:38 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
01:40 < StrayPyramid> !configs
01:40 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:42 < StrayPyramid> www.pastebin.com/rFtCsKc4
01:44 <@krzee> http://pastebin.com/g3MeSWxB
01:44 <@krzee> then make client dev tun as well
01:45 <@krzee> once you can connect the client and ping across the vpn we will worry about routing to the lan
01:45 <@krzee> baby steps ;]
01:53 < StrayPyramid> ok the server works :>
01:53 < StrayPyramid> the second bit might be a problem though
01:53 < StrayPyramid> As i do not currently have access to a client./
01:53 < StrayPyramid> ill be back in about 2 hours if I am still having problems
01:54 < StrayPyramid> Thanks alot for your help krzee :D
01:54 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
01:55 <@krzee> good luck
01:55 -!- StrayPyramid [~AnthonyB@222-154-12-144.jetstream.xtra.co.nz] has left #openvpn []
01:56 <@krzee> !route
01:56 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
01:56 <@krzee> !serverlan
01:56 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
01:56 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
02:04 -!- ||arifaX_ [~quassel@unaffiliated/arifax/x-427475] has joined #openvpn
02:07 -!- ||arifaX_ [~quassel@unaffiliated/arifax/x-427475] has quit [Client Quit]
02:18 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has quit [Ping timeout: 250 seconds]
02:31 < lkthomas> hey guys, for tap interface, can I treat it as point to point device and using OSPF to route on top it it ?
02:31 < lkthomas> of it *
02:32 <@krzee> most likely, i have actually had issues with setting up ospf until i made a ptp tun for it
02:34 <@krzee> but yes, unless you have some sort of issue with your ospf stuff… in which case maybe changing addressing can help (did for me)
02:34 <@krzee> also, why do you need tap?
02:34 < lkthomas> we try to avoid iroutes
02:35 < lkthomas> it screwed up a lot as we have 25 sites and the iroutes is a mess
02:35 <@krzee> oh ok
02:36 < lkthomas> actually
02:36 < lkthomas> does it matter at all ?
02:36 < lkthomas> I mean, we are doing routing on top of tap/tun
02:36 < lkthomas> we only need two points be able to communicate
02:37 < lkthomas> we don't have to bridge existing network to tap
02:37 < lkthomas> in theory if no layer2 bridge is connected to tap0, there should be no problem
02:37 < lkthomas> usually people add tap0 to br0
02:37 < lkthomas> which is not what we need
02:38 < lkthomas> is this assumption correct ?
02:39 <@krzee> whoa whoa
02:39 <@krzee> you're bridging??
02:39 <@krzee> i mean i get why you did tap, but why are you bridging?
02:42 <@krzee> bridging 25 sites together… i think you need tun and manage the iroutes :D
02:44 <@krzee> i get around iroute issues when doing ospf by not using client/server but rather a tun ptp setup 1 to 1, not client/server
02:45 -!- yerodin [~yerodin@unaffiliated/yerodin] has joined #openvpn
02:51 -!- abbe [having@badti.me] has quit [Read error: Connection reset by peer]
02:51 -!- abbe_ [having@badti.me] has joined #openvpn
03:20 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
03:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:26 -!- RBecker is now known as RyanB
03:29 < lkthomas> krzee: how does it work ?
03:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:43 -!- RyanB is now known as RBecker
03:44 < lkthomas> krzee: how do you setup point to point interface ?
04:01 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
04:02 < AL13N_work> how do i handle multiwan failover with openvpn client? because, right now, if it switches WAN link, it keeps trying but failing to connect, i need to restart openvpn to actually make it work
04:02 < AL13N_work> is there an option that doesn't cache it's route or something?
04:28 < snappy> I'm not sure about the latest stable versions, but there's a patch in devel for --float, which I presume should help in this regard
04:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
04:49 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
05:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:50 < Exagone313> How to access to ipv6 using openvpn?
05:51 < Exagone313> or what is the best forum to ask for it?
05:55 < Exagone313> is there a way to use openvpn as a proxy and then don't use openvpn for some applications?
05:55 < Exagone313> (on client)
06:45 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
06:46 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
06:53 <@plaisthos> Exagone313: that would be policy pased routing
06:53 <@plaisthos> that is doable but non trivial
06:53 <@plaisthos> Ipv6 is supported
06:53 <@plaisthos> !ipv6
06:53 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
06:53 <@plaisthos> !policy
06:53 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
06:53 < Exagone313> yes i know it is supported
06:54 < Exagone313> but my tries to activate ipv6 did not work
06:54 < Exagone313> i am using openvps-as but no responses on appopriate channel
06:55 -!- zapotek6 [~zap@176.200.221.192] has joined #openvpn
06:55 < Exagone313> i tried on standart openvpn too
06:56 < Exagone313> what lines should i add to server and client configurations?
06:58 < Exagone313> and on my vps i have only one ipv6 address on internet, not a block
07:01 < snappy> I think you can isolate applications to strictly tunnel via openvpn using linux network namespaces
07:02 < Exagone313> i use a client on windows
07:02 <@plaisthos> Exagone313: then you probably have to do some obscure IPv6 NAT
07:02 <@plaisthos> !vserver
07:02 <@plaisthos> !vps
07:02 <@plaisthos> hm ...
07:03 < Exagone313> i don't want to buy more ipv6 address
07:03 < Exagone313> i just want to use one like ipv4
07:03 -!- zapotek6 [~zap@176.200.221.192] has quit [Read error: Connection reset by peer]
07:03 < snappy> (people pay for ipv6 addresses?)
07:04 -!- shio [marmot@66.65.73.86.rev.sfr.net] has quit [Disconnected by services]
07:04 < Exagone313> i can't have more that one ipv6 address in fact
07:04 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
07:04 <@plaisthos> snappy: there is a proverb here: if you are a good salesman you can sell an Eskimo a refridgerator
07:06 <@plaisthos> apparently the English translation is to sell ice to Eskimos ;)
07:09 < Exagone313> i found it : https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#ipv6-support
07:09 <@vpnHelper> Title: OpenVPN Access Server Command-line Tools (at docs.openvpn.net)
07:09 < Exagone313> i'll try after eating
07:13 -!- zapotek6 [~zap@176.200.221.192] has joined #openvpn
07:14 -!- zapotek6 [~zap@176.200.221.192] has quit [Max SendQ exceeded]
07:14 < Hello71> solus (zero-quality panel) only supports assigning ipv6 one by one
07:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
07:24 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:27 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:29 -!- ShadniX [dagger@p5DDFDEBD.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
07:31 -!- ShadniX [dagger@p5DDFDEBD.dip0.t-ipconnect.de] has joined #openvpn
07:32 -!- dazo_afk is now known as dazo
07:47 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
08:10 < ascheel> When I connect to OpenVPN, it always tries to connect me to my LAN IP in the client instead of my public hostname.  How can I change this?
08:11 < ascheel> Actually, I think I've found it.
08:12 < ascheel> Yep.  Found it.
08:15 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 245 seconds]
08:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:22 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:40 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:05 -!- KeyboardNotFound [~KeyboardN@unaffiliated/keyboardnotfound] has joined #openvpn
09:05 < KeyboardNotFound> Hi
09:06 < KeyboardNotFound> I have openvpn 2.2.1 installed, how to generate keys and start the openvpn server ?
09:06 < KeyboardNotFound> I'm following https://openvpn.net/index.php/open-source/documentation/howto.html
09:06 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:06 < KeyboardNotFound> and when I enter in /usr/share/doc/openvpn
09:07 < KeyboardNotFound> I can't execute ./vars...
09:07 < KeyboardNotFound> because they aren't in that directory
09:09 < KeyboardNotFound> !paste
09:10 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
09:10 < KeyboardNotFound> !heartbleed
09:10 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
09:10 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
09:17 -!- Latrina [~Latrina@adsl-ull-76-217.50-151.net24.it] has quit [Read error: Connection reset by peer]
09:22 < KeyboardNotFound> help
09:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:25 -!- Latrina [~Latrina@adsl-ull-254-177.50-151.net24.it] has joined #openvpn
09:28 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:41 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 260 seconds]
10:06 -!- u0m3_ [~u0m3@92.80.93.41] has quit [Quit: Leaving]
10:08 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
10:15 -!- u0m3 [~u0m3@92.80.93.41] has joined #openvpn
10:22 -!- u0m3 [~u0m3@92.80.93.41] has quit [Read error: Connection reset by peer]
10:28 -!- KeyboardNotFound [~KeyboardN@unaffiliated/keyboardnotfound] has quit [Ping timeout: 255 seconds]
10:28 -!- KeyboardNotFound [~KeyboardN@unaffiliated/keyboardnotfound] has joined #openvpn
10:31 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:36 -!- KeyboardNotFound [~KeyboardN@unaffiliated/keyboardnotfound] has quit [Ping timeout: 246 seconds]
10:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:07 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 250 seconds]
11:14 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:23 <@krzee> lkthomas, by just using ifconfig instead of --server
11:49 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
11:52 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
12:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
12:13 < lkthomas> krzee: thanks, I will have a look.
12:14 <@krzee> np
12:24 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
12:35 -!- RBecker is now known as RyanB
12:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
12:50 -!- RyanB is now known as RBecker
13:06 < cmanns> can anybody help me get a VPN going on a CentOS linux?
13:06 < cmanns> I just want a few clients (Android, OS X, and maybe a server for server-server private networking) The clients I want tot alk to public internet from the primary static IP
13:07 <@plaisthos> !howto
13:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:09 < cmanns> Sure my only concerns is I’ve tried multiple guides for centos/ipsec l2tp openvpn pretty sure, and openswan
13:09 < cmanns> I’ll give this a shot in a momento
13:09 <@krzee> !notcompat
13:09 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
13:10 < cmanns> Ah okay cool so thats why Ineed separate application for OpenVPN?
13:11 < cmanns> I wonder if OpenVPN works on my router I’ll have to see, thats a drawback for me :(
13:11 <@krzee> yep
13:11 <@krzee> whats your router?
13:11 <@krzee> openwrt?
13:13 < cmanns> DD-WRT
13:13 < cmanns> Also what the !howto linked does that require the licenses?
13:13 <@krzee> should have it, unless its a small build to fit on an especially small router
13:13 <@krzee> !ddwrt
13:13 < cmanns> https://www.digitalocean.com/community/tutorials/openvpn-access-server-centos
13:13 <@vpnHelper> Title: How To Install and Configure an OpenVPN Access Server on CentOS 6.5 | DigitalOcean (at www.digitalocean.com)
13:13 <@krzee> !dd-wrt
13:13 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
13:13 < cmanns> I can install the “big/mega” dd-wrt builds :)
13:14 < cmanns> if the security of the router isnt safe, but my clients are (osx/android not connected via the router) that’s fine by me
13:14 < cmanns> as in heartbleed on the router, etc
13:15 <@krzee> !as
13:15 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
13:16 < cmanns> I’d prefer the open source VPN :)
13:16 < cmanns> This is not for commercial purposes
13:16 <@krzee> !howto
13:16 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:39 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
13:41 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 250 seconds]
13:42 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
13:43 < cmanns> So is it fine to use the centos system rpm for openvpn?
13:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:52 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:15 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
14:20 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
14:25 -!- dazo is now known as dazo_afk
14:26 <@krzee> sure, depending on version i guess
14:26 <@krzee> theres also:
14:26 <@krzee> !repo
14:26 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
14:27 < cmanns> thanks!
14:27 <@krzee> np
14:36 -!- pschmitt [~pschmitt@46.19.141.158] has joined #openvpn
14:36 -!- pschmitt [~pschmitt@46.19.141.158] has quit [Client Quit]
14:41 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Read error: Connection reset by peer]
14:41 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
15:06 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
15:10 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
15:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:12 -!- mistermajestic [~mistermaj@109.201.154.211] has quit []
16:06 -!- Ring0` [~mike@unaffiliated/ring0/x-8667941] has joined #openvpn
16:08 < Ring0`> When I connect to vpn server from my host. And after this I see that assigned ip is ext ip of the server and all my traffic from client is forwarded through server, so basically I'm visible outside as this server, what is the name of this type of routing. Bridge?
16:08 < Ring0`> Also I am able to listen on certain port on client and if I want to connect from outside, I need to provide server's ip address.
16:09 < Ring0`> + am I able to do that if server has only 1 network card? (DO hosting for that matter)?
16:23 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
16:24 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
16:32 -!- Ring0` [~mike@unaffiliated/ring0/x-8667941] has quit [Ping timeout: 260 seconds]
16:54 -!- occupant [~null@204.14.158.226] has joined #openvpn
16:59 -!- Ring0` [~mike@unaffiliated/ring0/x-8667941] has joined #openvpn
17:10 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has quit [Ping timeout: 272 seconds]
17:24 -!- kieppie [~jaco@ip202-27-209-236.kc.net.nz] has joined #openvpn
17:35 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
17:40 < cmanns> I’m looking to do where I login to OpenVPN, I have private IP can talk to server and other computers connected to same VPN via private lan- and then talkt o public internet via the openvpn servers static primary interface IP
17:40 < cmanns> Is this normal setup/do able?
17:40 -!- snappy [nipnop@unaffiliated/snappy] has quit [Read error: Connection reset by peer]
17:51 -!- Latrina [~Latrina@adsl-ull-254-177.50-151.net24.it] has quit [Ping timeout: 250 seconds]
17:52 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has joined #openvpn
18:07 < pekster> cmanns: See: !redirect. Before you can do that, you need a functional VPN such that you can ping the VPN IP (the inside IP on the VPN network) of your server from the client after a successful connection. If you don't have that, you should follow !howto to get that first
18:07 < cmanns> Okay thanks pekster
18:08 < cmanns> Currently deciding between OpenSource openvpn and the subscription based one since I can use the 2 client “trial” fine
18:10 < cmanns> !howto
18:10 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
18:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:13 < cmanns> Anyway to skip the easy-rsa steps? CentOS packages dont contain it
18:20 <@krzee> !easy-rsa
18:20 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
18:22 < cmanns> :(
18:22 < cmanns> wget never works with github anymore
18:30 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:37 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 250 seconds]
18:38 < pekster> cmanns: "never"? Works fine here
18:38 < pekster> GNU Wget 1.15 built on linux-gnu.
18:40 < pekster> If you don't have a set of root CAs, you might need to add --no-check-certificate, but IIRC CentOS comes with the standard set pre-installed. And that's a platform issue at that point anyway
18:47 < cmanns> I have 1.12 wget
18:48 < cmanns> Need 1.13 or 1.14 to avoid the github ssl error
18:48 < cmanns> I got openvpn / easyrsa stuff configured, now just to start the server with basic config, and test a connection
18:52 < cmanns> So can I connect to openvpn open source server via OS X networking utility?
18:53 < pekster> Nope, you need an openvpn client. Tunnelblick seems to be the popular choice for Macs (viscocity is alternative, although I don't know much about it, and when I last evaluated it I wasn't very impressed.)
18:56 < cmanns> Ah I see, I thought maybe for the uhm nonopen source needed client- okay and any idea where logs would be? I put configs in /etc/openvpn/* from sample-config dir I think I need to organize the directory hehe
18:56 < pekster> !logfile
18:56 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
18:56 < pekster> OpenVPN can log in a number of ways, so where logs go depend on the options you passed the program (and your config)
18:56 < cmanns> Ah so instead start it via openvpn <server.conf> for now?
18:57 < pekster> That's easiest if you haven't reviewed the documentation for your init system
18:57 < cmanns> Ah okay, well lastly (I think I found reason why it wont start via init)
18:57 < cmanns> should it be /etc/openvpn/easy-rsa or /etc/easy-rsa ?
18:58 < pekster> Whever you put it. I run my PKI out of a homedir dedicated for that purpose under a restrictive user account that nothing else has access to, then copy the components as indicated on the howto (see the !howto for easyrsa v2 or the !easyrsa wiki links for easyrsa v3)
18:58 < cmanns> ah I see
18:59 < pekster> Ideally easyrsa isn't even on your system openvpn is in hardened setups (easyrsa v3 supports this more secure model better. v2 wasn't really designed for it)
18:59 < pekster> If you don't need 'hardened' security, just ignore all that for now
18:59 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
19:01 < cmanns> Yeah I don’t this is just for accessing private network/forwarding traffic
19:01 < cmanns> Mon Aug 11 17:01:02 2014 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
19:01 < pekster> Can't bind if something is already listening on that IP/port
19:02 < cmanns> After killing openvpn (not sure why it was running still after failing) i can via openvpn server.conf but not via init still, so looks good so far :D
19:06 <@krzee> look at the logfile when init starts it
19:07 < cmanns> I will after
19:07 < cmanns> I dont even get how to use tunnelbrik
19:07 < cmanns> it wants openvpn configuration file for client but I dont haev one Lol
19:08 <@krzee> what os are you on...?
19:08 < cmanns> Tells me to edit this config.ovpn and it wont open it :S
19:08 < cmanns> mac OS X
19:08 <@krzee> you dont have openvpn configs for the client?
19:08 < cmanns> not yet?
19:08 <@krzee> make them first.
19:10 < cmanns> Yay my VPN works
19:10 < cmanns> Then I got This computers apparent public IP was not different after connecting, is that what you meant by changing settings for data to go over the servers public IP
19:10 < cmanns> I just made the .ovpn config based on what was in the server config as the how to said I suppose
19:11 <@krzee> yep
19:11 < cmanns> What was that setting to look into?
19:11 <@krzee> !redirect
19:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:11 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:12 < cmanns> Basically I’d liek to do DLNA from the VPN, basic internet browsing, would the stock “tun” setup work for that?
19:12 < cmanns> both those websites are down :S
19:12 <@krzee> no such thing as a stock setup, but yes tun is good for anything layer3
19:12 < cmanns> ah sweet I’m fine with tun then
19:14 < cmanns> are those sites down for you krzee  ?
19:14 <@krzee> yes, but you dont need a troubleshooting flowchart when you are configuring it
19:15 < cmanns> Odd, completely offline here ;[
19:15 <@krzee> nothing to troubleshoot, just do what needs to be done
19:15 <@krzee> odd?  i said yes.
19:16 < cmanns> Ah sorry I thought you meant online hehe
19:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
19:19 < cmanns> So far no internet via the VPN
19:19 < cmanns> “[client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)”
19:22 <@krzee> you configured ip forwarding and NAT on the server?
19:23 < cmanns> I did iptables for NAT, what about ip forwarding?
19:27 < cmanns> Ah okay I was missing the sysctl.conf setting, I perma set the iptables in rc.script- and appears the init should work fien so hoping it reboots with openvpn started ^_^
19:27 < cmanns> thanks so much krzee
19:27 <@krzee> np
19:28 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 255 seconds]
19:29 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
19:32 < cmanns> Oh init fails because of Options error: --up script fails with './office.up': No such file or directory
19:32 <@krzee> !fullpath
19:32 <@krzee> !path
19:32 <@vpnHelper> "path" is (#1) use full paths in your config! or (#2) if you use windows, see !winpath
19:32 < cmanns> Do I need those files?
19:32 < cmanns> I was deleting all of them besides server and client
19:32 <@krzee> well you should know why you have an up script
19:32 <@krzee> if you dont have a reason to, then no
19:33 < cmanns> are they selected in server.conf :S
19:33 <@krzee> its YOUR server.conf
19:33 < cmanns> ah yep it is
19:33 <@krzee> so i cant tell you why its there
19:33 < cmanns> thanks I was wondering where it was asking for those
19:35 < cmanns> Now it starts but is “failed” due to the key files but im using full path lolol
19:36 <@krzee> show error
19:36 -!- kieppie [~jaco@ip202-27-209-236.kc.net.nz] has quit [Ping timeout: 240 seconds]
19:36 < cmanns> http://pastebin.com/7AtmWx2r
19:37 < cmanns> and the init script is making it search /etc/openvpn for config, only configs are client.conf and server.conf (remove client.conf?)
19:37 < cmanns> if I start it in directory /etc/openvpn via openvpn server.conf I can connect and all (cept internet yet)
19:37 <@krzee> show comments without configs, yes either remove client.conf or name it client.conf.bak or something
19:37 <@krzee> except internet? i thought you said that worked
19:38 <@krzee> show configs without comments
19:41 -!- cmanns [~cmanns@68-189-105-110.dhcp.wtvl.ca.charter.com] has quit [Ping timeout: 245 seconds]
19:45 -!- cmanns [~cmanns@198.15.84.226] has joined #openvpn
19:45 < cmanns> thanks man :)
19:46 < cmanns> get my prior mesgs?
19:55 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
20:06 <@krzee> no
20:07 <@ecrist_> sup kids?
20:08 -!- You're now known as ecrist
20:08 <@krzee> sup eric
20:09 <@ecrist> nm
20:09 <@ecrist> procrastinating writing this "thing"
20:09 <@ecrist> :/
20:09 <@krzee> werd
20:10 <@krzee> im laying on a couch smoking a blunt and upgrading a friends cellphone
20:14 -!- bramgg [~calvin@12.107.117.3] has joined #openvpn
20:14 < bramgg> Pretty sure the hotel I'm at is blocking port 1194 (and that other one VPN's commonly use...). How can I set openvpn/privateinternetaccess to use port 443?
20:15 < bramgg> I've tried changing the number 1194 to 443 in the server/location files in /etc/openvpn that PIA provides, but then I just get connection errors
20:18 -!- STF [~stf@i538778FE.versanet.de] has quit [Killed (wilhelm.freenode.net (Nickname regained by services))]
20:18 -!- STF [~stf@i53876C62.versanet.de] has joined #openvpn
20:19 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has left #openvpn []
20:27 < cmanns> krzee: Iposted a pic saying give this man a cookie, and my internet is now fully forwarded :)
20:27 < cmanns> Have a good one yall !
20:27 <@krzee> nice
20:27 -!- cmanns [~cmanns@198.15.84.226] has quit [Quit: cmanns]
20:28 -!- bramgg [~calvin@12.107.117.3] has quit [Read error: Connection reset by peer]
20:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:01 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
21:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:43 -!- ascheel [~ascheel@ampache/staff/ascheel] has quit [Ping timeout: 260 seconds]
21:51 -!- ascheel [~ascheel@ampache/staff/ascheel] has joined #openvpn
22:01 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:31 -!- aji [~alex@unaffiliated/aji] has left #openvpn ["Segmentation fault (aji dumped)"]
23:04 -!- ShadniX [dagger@p5DDFDEBD.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:05 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:06 -!- ShadniX [dagger@p5481CC30.dip0.t-ipconnect.de] has joined #openvpn
23:10 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
23:19 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
23:44 < mnathani> my openvpn tunnel was running fine between 2 Ubuntu machines, but I  restarted one, and now traffic will not go through the VPN
23:44 < mnathani> the VPN establishes fine though. Nothing strange in the logs either.
23:46 <@krzee> i know theres more questions i should ask before taking guesses, but i am hungry and feel like leaving for food… so i bet its firewall.
23:46 <@krzee> i mean, we know its something you did before that you didnt make permanent
23:46 <@krzee> so probably nothing to do with openvpn
23:46 <@krzee> maybe a sysctl, probably firewall.
23:46 < mnathani> would packet captures help?
23:47 < mnathani> I could do one at the 'server' another at the 'client'
23:47 < mnathani> I will check firewalls first
23:47 < mnathani> krzee: thanks
--- Day changed Tue Aug 12 2014
00:02 -!- ShadniX [dagger@p5481CC30.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:03 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has joined #openvpn
00:07 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:54 < mnathani> krzee: been working on this issue for a bit now, have ruled out the client side as 3 different machines on my end produce the same result. No traffic going through the VPN and cannot ping 10.8.1.5
00:55 < mnathani> has to be a firewall issue on the server side
00:55 <@krzee> show me logs with verb 5
00:55 <@krzee> also, what is not working?
00:57 < mnathani> rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr
00:57 < mnathani> WrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrW
00:57 < mnathani> rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr
00:57 < mnathani> WrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrW
00:57 < mnathani> rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr
00:57 -!- mnathani was kicked from #openvpn by krzee [mnathani]
00:57 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
00:57 < mnathani> sorry about that
00:57 <@krzee> np, pastebin
00:57 < mnathani> thats what was in the lgo
00:57 < mnathani> *log
00:57 <@krzee> both logs or 1?
00:58 < mnathani> client log
00:58 < mnathani> just checking server log now
01:03 < mnathani> one thing I just notices, some kind of routing loop perhaps
01:04 < mnathani> RX bytes:0 (0.0 b)  TX bytes:685051921 (653.3 MiB
01:04 < mnathani> a lot of TX bytes on the tun0 interface in a short period
01:04 < mnathani> upto (2.6 GiB) now
01:05 <@krzee> pastebin the routing table
01:05 <@krzee> and configs
01:07 < mnathani> http://pastebin.com/rFc1N7xM
01:07 < mnathani> configs
01:07 < mnathani>  route -nv sufficient?
01:08 <@krzee> ip r
01:09 <@krzee> is $SERVERIP a public routable ip address?
01:09 < mnathani> yes
01:09 < mnathani> like I mentioned earlier, this configuration was workiing fine right until I rebooted the client machine
01:09 < mnathani> http://pastebin.com/Jyxy0s6A
01:11 < mnathani> http://pastebin.com/index/Jyxy0s6A
01:11 <@krzee> can the client ping 10.8.1.1?
01:11 < mnathani> can not
01:11 < mnathani> 7 packets transmitted, 0 received, 100% packet loss, time 6422ms
01:12 < mnathani> >> this seems really strange: >> RX bytes:0 (0.0 b)  TX bytes:5364684717 (4.9 GiB)
01:12 <@krzee> iptables-save on server
01:13 < mnathani> http://pastebin.com/YbaYwiEv
01:14 < mnathani> A.B.C.* is publicly routable
01:20 <@krzee> 10.10.0.0/16 and 172.16.100.0/24 are lans behind the server?
01:21 < mnathani> server can not ping ping 10.8.1.2
01:21 < mnathani> both are behind client
01:21 <@krzee> does the client have the proper iroutes?
01:21 < mnathani> you mean like in the ccd folder?
01:21 <@krzee> right
01:22 < mnathani> root@constance:/etc/openvpn/ccd# cat client1 >> iroute 172.16.100.0 255.255.255.0  && iroute 10.10.0.0 255.255.0.0
01:22 < mnathani> yes
01:22 <@krzee> without &&, right?
01:22 < mnathani> 2 lines in a file called client1
01:22 <@krzee> ok
01:22 < mnathani> this setup was working like 2 days ago
01:23 <@krzee> right, and its not now
01:23 < mnathani> my chromecast was happily using the vpn from behind the client
01:23 < mnathani> that is correct.
01:23 <@krzee> show me iptables-save from client
01:23 < mnathani> I appreciate your assistance.
01:24 <@krzee> what is the clients lan ip?
01:24 < mnathani> 10.10.0.6
01:24 < mnathani> thats one client (centos 6)
01:25 < mnathani> I was using an ubuntu one as well earlier
01:25 < mnathani> Ubuntu one was >> 10.10.10.62
01:25 < mnathani> .    /16 subnet
01:26 <@krzee> cat /proc/sys/net/ipv4/ip_forward
01:26 <@krzee> on both
01:26 < mnathani> root@x61:~# cat /proc/sys/net/ipv4/ip_forward >> 1
01:26 < mnathani> x61 is ubuntu
01:26 <@krzee> please lets only use 1 client
01:27 <@krzee> you only have 1 client setup for the lan, right?
01:27 < mnathani> correct
01:27 <@krzee> ok, lets only use that one.
01:27 <@krzee> are both the client AND server 1 ?
01:28 < mnathani> root@constance:~# cat /proc/sys/net/ipv4/ip_forward >> 1
01:28 <@krzee> show me both logfiles
01:28 < mnathani> yes, both client and server are 1
01:28 <@krzee> !logfiles
01:28 <@krzee> !logs
01:28 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
01:30 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has joined #openvpn
01:34 < mnathani> too much work sanitizing the logs, so I present them RAW: server: http://paste.ubuntu.com/8024143/  and Client: http://paste.ubuntu.com/8024146/
01:34 < mnathani> both taken with ver set to 5
01:34 < mnathani> *verb
01:35 < mnathani> client public IP starts with: 192.0  and LAN IP is 10.10.2.60
01:36 <@krzee> can the server ping 10.8.1.6?
01:37 < mnathani> it can not
01:38 < mnathani> server IP starts with : 206.162
01:38 <@krzee> routes look fine and firewall looks fine
01:39 < mnathani> I find it quite strange that the VPN establishes, yet does not pass traffic
01:40 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
01:40 <@krzee> remove the nat rules on the server
01:41 <@krzee> (they will be needed, but i want to see if we can get a simple ping to 10.8.1.1 working)
01:41 <@krzee> tell me, does that fix?
01:42 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
01:43 < mnathani> nada - removed the NAT rules, but no ping from either client > server or server  > client
01:43 < mnathani> tried pinging 10.8.1.1 from client and 10.8.1.6 from server
01:43 <@krzee> show me the new iptables-save
01:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
01:44 < mnathani> http://pastebin.ubuntu.com/8024215/
01:44 <@krzee> hmm
01:44 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
01:44 <@krzee> ok sniff tun0 on both sides and ping
01:44 <@krzee> tcpdump
01:45 -!- mattock_afk is now known as mattock
01:47 < mnathani> a lot of activity on the client, none on the server
01:47 < mnathani> http://pastebin.ubuntu.com/8024232/
01:47 <@krzee> umm
01:47 <@krzee> what command did you use?
01:48 < mnathani> tcpdump -i tun0 -vv
01:48 <@krzee> orlly
01:48 <@krzee> that was client, right?
01:48 < mnathani> yes
01:48 <@krzee> show me his routing table before and after running openvpn, do not scrub it
01:49 <@krzee> ohh
01:49 <@krzee> why do you have local flag for redirect-gateway
01:49 <@krzee> !local
01:49 <@vpnHelper> "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
01:49 < mnathani> actually, server has similar output
01:49 <@krzee> that's the problem
01:49 < mnathani> just checked again
01:49 < mnathani> http://pastebin.ubuntu.com/8024240/
01:50 < mnathani> show you client routing table or server?
01:50 <@krzee> neither
01:50 <@krzee> remove the local flag to redirect-gateway
01:50 <@krzee> then try again
01:51 < mnathani> 64 bytes from 10.8.1.1: icmp_seq=530 ttl=64 time=89.7 ms
01:51 < mnathani> that was client pinging
01:51 <@krzee> and the other direction?
01:51 < mnathani> checking now
01:52 < mnathani> yup, both directions >> 64 bytes from 10.8.1.6: icmp_seq=328 ttl=64 time=85.0 ms
01:52 <@krzee> k now re-add your nat rules and test those same things again
01:52 <@krzee> then if those still work, test the rest
01:55 < mnathani> just had a device behind the client access the internet through the VPN so looks like everything is working Great!
01:55 < mnathani> Thank you so much!!
01:55 < mnathani> I really appreciate you walking me through the troubleshooting
01:56 <@krzee> you're welcome
01:57 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
01:57 < eagles0513875> hey guys
01:58 < eagles0513875> i have a router which supports vpn would that function as my server or would i need still some point to point connectivity
01:58 < eagles0513875> also i have a question are there any catches with privatetunnel offered by open vpn
01:58 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:59 <@krzee> if the router supports openvpn then you can use it
01:59 <@krzee> !notcompat
01:59 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
01:59 <@krzee> as far as privatetunnel, that question belongs in #openvpn-as
01:59 <@krzee> !as
01:59 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
01:59 < eagles0513875> ahh ok had a hunch that was commercial as nothing price wise was mentioned there
01:59 <@krzee> !download
01:59 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
01:59 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
02:00 <@krzee> thats the opensource stuff ^
02:02 < eagles0513875> krzee: have you or anyone else in here tried to setup openvpn on gentoo?
02:03 <@krzee> plenty of people have
02:03 <@krzee> do you have a more specific question?
02:03 < eagles0513875> i cant find any good documentation on how to do it :(
02:03 < eagles0513875> basically how to go about installing and configuring it on gentoo
02:03 <@krzee> basically the same as doing it in windows, plus knowing your OS
02:03 <@krzee> you can build it manually or use your package manager
02:04 < eagles0513875> thats the thing though gentoo doesnt work on packages but source though
02:05 <@krzee> !bestos
02:05 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
02:06 <@krzee> !google gentoo install openvpn
02:06 <@vpnHelper> OpenVPN - Gentoo Wiki: <http://wiki.gentoo.org/wiki/OpenVPN>; Gentoo Forums :: View topic - Gentoo Bugzilla recieves some CSS love: <http://forums.gentoo.org/viewtopic-t-117709-view-next.html>; Gentoo Linux Howtos: openvpn -> openvpn install: <http://gentoo.linuxhowtos.org/openvpn/openvpn.htm>
02:08 < eagles0513875> krzee: remove the gentoo wiki that page is totally incomplete
02:09 < mnathani> not sure he can, those are results from google
02:09 <@krzee> incomplete!?
02:10 <@krzee> all you should need is emerge openvpn
02:10 <@krzee> and maybe rebuild the kernel with tun
02:10 <@krzee> (depending if already there or not)
02:11 < eagles0513875> i dont need to do anything special in terms of configuring openvpn
02:11 <@krzee> !notovpn
02:11 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
02:11 <@krzee> i think you really just need help using emerge
02:11 <@krzee> maybe #gentoo
02:12 < eagles0513875> ok
02:14 < AL13N_work> hmm, i wonder if they can be specified
02:14 < AL13N_work> !notovpn#2
02:14 < AL13N_work> !notovpn #2
02:14 < AL13N_work> :-(
02:15 -!- AL13N_work [~alien@91.183.52.232] has left #openvpn []
02:15 <@krzee> !factoids whatis #openvpn notovpn 2
02:15 <@vpnHelper> sorry, but we dont care. this channel is only for help with openvpn.
02:15 <@krzee> guess thats why you dont ask questions as you leave :D
02:16 <@krzee> !tell krzee [factoids whatis #openvpn notovpn 2]
02:16 <@krzee> !tell AL13N_work [factoids whatis #openvpn notovpn 2] (it does work ;))
02:17 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
02:17 <@krzee> <krzee> !tell AL13N_work [factoids whatis #openvpn notovpn 2] (it does work ;))
02:17 < AL13N_work> krzee: how did you do it?
02:17 < AL13N_work> oh
02:17 <@krzee> !factoids whatis #openvpn notovpn 2
02:17 <@vpnHelper> sorry, but we dont care. this channel is only for help with openvpn.
02:17 < AL13N_work> a bit longer
02:17 <@krzee> !factoids
02:17 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
02:24 < AL13N_work> !notovpn 2
02:24 < AL13N_work> that doesn't work, right, i didn't think so
02:24 <@krzee> heh
02:25 < AL13N_work> krzee: thanks for the info, though
02:25 <@krzee> np
02:25 < AL13N_work> btw: do you have a link to that recent float patch, by any chance?
02:27 <@krzee> !git
02:27 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
02:27 <@krzee> (if its in git)
02:35 -!- bbteufel [~na@85.9.7.222] has joined #openvpn
02:48 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
02:48 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Client Quit]
02:54 -!- mattock is now known as mattock_afk
02:59 -!- tanja84dk [~tanja84dk@unaffiliated/tanja84dk] has quit [Ping timeout: 255 seconds]
03:09 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
03:12 -!- dazo_afk is now known as dazo
03:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
03:19 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 240 seconds]
03:21 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
03:21 -!- larryone [~larryone@180.234.28.46] has joined #openvpn
04:03 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
04:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
04:11 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has quit [Read error: Connection reset by peer]
04:15 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has joined #openvpn
04:15 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has quit [Read error: Connection reset by peer]
04:16 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has joined #openvpn
04:20 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has quit [Read error: Connection reset by peer]
04:23 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
04:25 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has joined #openvpn
04:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
04:50 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 240 seconds]
04:51 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 272 seconds]
04:58 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
04:58 -!- jefferai [jefferai@kde/mitchell] has joined #openvpn
05:07 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
05:17 -!- larryone [~larryone@180.234.28.46] has quit [Quit: This computer has gone to sleep]
05:20 -!- mattock_afk is now known as mattock
05:35 -!- mattock is now known as mattock_afk
05:41 -!- mattock_afk is now known as mattock
05:42 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 272 seconds]
05:45 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
06:30 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 255 seconds]
06:31 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: br4ndon]
06:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:49 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
06:58 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
06:59 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
06:59 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
07:02 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:10 < ACKNAK> Hello! Does OpenVPN sends PMTUD warning if I send "do not fragment" packet bigger than mssfix size
07:11 < ACKNAK> ( https://forums.openvpn.net/topic16646.html )
07:11 <@vpnHelper> Title: OpenVPN Support Forum Help me to understand MTU problem. : Configuration (at forums.openvpn.net)
07:11 <@ecrist> I don't think OpenVPN does, but the system kernel should
07:12 < ACKNAK> Agreed, but mssfix doesn't change MTU value of interface
07:12 <@ecrist> mssfix isn't supposed to change the MTU value
07:13 < ACKNAK> But "limit their send packet sizes such that after OpenVPN has encapsulated them"...
07:14 <@ecrist> right
07:14 <@ecrist> !mtu
07:14 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
07:14 <@ecrist> read that link, ACKNAK
07:15 < ACKNAK> okay
07:23 < ACKNAK> ecrist, article just explains what MTU problems could be. But I'd like to know about difference of fixing methods or how openvpn works with PMTUD.
07:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:25 < Hello71> openvpn doesn't do anything about pmtud
07:25 < Hello71> er, scratch that.
07:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:27 -!- mattock is now known as mattock_afk
07:30 < ACKNAK> I like "mssfix" that I do not have to change client's config, I wish there were on what "tun-mtu", "fragment", "mssfix", etc. exactly do, and difference. Do I have to change MTU of tunnel interface to make PMTUD work inside of tunnel?
07:30 < Hello71> man openvpn
07:32 < ACKNAK> ._.
07:32 < ACKNAK> of course i tried that first
07:32 < ACKNAK> have you red it yourself?
07:48 -!- mwargh [~sistemshi@unaffiliated/mwargh] has joined #openvpn
07:49 < mwargh> how to manually set tap device i created with ip tuntap in openvpn client config?
07:49 < mwargh> doesn't matter i think i found how
07:50 < mwargh> indeed i did
08:02 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
08:04 -!- mattock_afk is now known as mattock
08:06 < bbteufel> ecrist your website needs refactoring :D
08:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:40 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
08:54 -!- agentbob [anonymoose@unaffiliated/agentbob] has quit [Ping timeout: 240 seconds]
08:54 -!- agentbob [anonymoose@unaffiliated/agentbob] has joined #openvpn
09:01 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
09:03 -!- lsone [~lsone@69.15.58.162] has joined #openvpn
09:18 <@ecrist> bbteufel: in what way?
09:25 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:37 -!- mattock is now known as mattock_afk
09:41 -!- lsone [~lsone@69.15.58.162] has quit [Ping timeout: 272 seconds]
10:02 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
10:11 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
10:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:16 < bbteufel> well you could make those tables integrate better with the theme ...
10:17 < bbteufel> ecrist: also the top header is awful ...
10:22 <@krzee> i actually agree with acknak i would enjoy a better doc on the differences between those options and exactly what they do also
10:23 <@krzee> i would, except that i'm one who would enjoy reading it, i've never had a good excuse to play with the options
10:23 < loeken> what page are you talking about?
10:23  * loeken is curious :)
10:24 <@krzee> <ACKNAK>  I like "mssfix" that I do not have to change client's config, I wish there were on what "tun-mtu", "fragment", "mssfix", etc. exactly do, and difference. Do I have to change MTU of tunnel interface to make PMTUD work inside of tunnel?
10:25 <@krzee> he was basically saying he wishes for a doc that goes over all those options and explains what they do / how they differ / how they might work together or against eachother
10:25 <@krzee> we do have a good mtu doc, but i think it aims at simplicity, which is cool, but it can be more complex (or at least feels that way)
10:27 <@ecrist> bbteufel: if you're volunteering to fix it, you're more than welcome. :)
10:27 < bbteufel> ok :)) I'll try:)
10:40 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 250 seconds]
10:43 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:48 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
10:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:12 -!- yerodin [~yerodin@unaffiliated/yerodin] has quit [Quit: Disconnecting from stoned server.]
11:16 -!- yerodin [~yerodin@unaffiliated/yerodin] has joined #openvpn
11:19 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
11:44 -!- mattock_afk is now known as mattock
11:56 -!- bbteufel [~na@85.9.7.222] has quit [Quit: leaving]
12:15 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
12:23 -!- spstarr [~spstarr@fedora/spstarr] has joined #openvpn
12:23 < spstarr> hmm, how do I let SNMP pass though VPN?
12:23 < spstarr> Cacti ---> SNMP Request ----> to VPN ---> to Router and back
12:25 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
12:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:50 -!- mattock is now known as mattock_afk
12:52 -!- nath_schwarz [~nath_schw@198.98.49.138] has joined #openvpn
12:52 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Quit: ZNC - http://znc.in]
12:54 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
12:54 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
13:13 -!- pschmitt [~pschmitt@dyn.98-139-19-46.swissinet.com] has joined #openvpn
13:15 < pschmitt> Hi, I already asked this question but I cannot remember the anwser. So: I am unable to reach my host via SSH when it is connected to my VPN provider. The thing is that openvpn is configured to redirect ALL traffic via the VPN, so as soon as I connect to the VPN I can only reach the said when I am on the same LAN (ie at home).
13:17 < pschmitt> when I try to connect via my router (ie outside my home LAN), no connection  can be established
13:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:42 < pschmitt> someone here?
13:44 < loeken> pschmitt, you are trying to connect via ssh to a server in your lan?
13:44 < loeken> while being connected to a vpn that forwards all traffic?
13:45 < pschmitt> no the other way around: I'm trying to connect from the outside to a host (on my LAN) that is connected to a vpn
13:45 < pschmitt> and yes all the traffic is tunneled via vpn
13:45 < loeken> yepp
13:45 < pschmitt> the machine I'm using to connect is not connected to the vpn
13:46 < loeken> you d have to connect without pulling routes, and then create manual routes i guess
13:46 < loeken> like when the server is trying to reply to you that reply is forwarded via vpn and will not reach the destination
13:46 < pschmitt> someone (cant remember the nick) gave me a link to a wiki page that showed how to achieve this
13:47 < loeken> i guess it ll be something like start openvpn route-nopull
13:48 < loeken> and then only setup forwarding for ips that are not 10.* 172.16* 192.168*
13:48 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
13:48 < loeken> (by adding routes)
13:49 < pschmitt> wouldn't it be easier to make my router somehow alter the packets on port 22 to simulate a LAN-intern communication?
13:50 < pschmitt> cause that actually works, i can ssh into the host while on the same LAN
13:57 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
13:59 -!- dazo is now known as dazo_afk
14:04 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
14:17 -!- pschmitt [~pschmitt@dyn.98-139-19-46.swissinet.com] has quit [Quit: Lost terminal]
14:43 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:01 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:30 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
15:30 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
15:32 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has joined #openvpn
15:33 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
15:47 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:01 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 260 seconds]
16:04 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
16:04 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
16:07 < nath_schwarz> !welcome
16:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
16:07 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
16:11 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 250 seconds]
16:15 < nath_schwarz> Oy mates, I just got openvpn to run and can connect just fine. Problem now is that I can't ping anything, nor access any other computer/domain when connected (not even the vpn-server). All issues I found regarding this were solved by either commenting out redirects (which I didn't have in the first place) or by pushing googles 8.8.8.8, which I do have. Here is my config: http://paste2.org/Nbtxz5bX ; I also tried setting the local address to the co
16:15 < nath_schwarz> rrect lan-ip, commenting it out (like it is now)
16:15 < nath_schwarz> I guess I made a mistake somewhere but can't see it^^
16:17 < pekster> If you're not globenet.com, you shouldn't be using that IP range
16:18 < pekster> Try RFC1918 for your VPN network unless you _actually_ plan to burn a public /24 for the VPN (rather wasteful these-days.) And if you insist on doing that, at least use the `subnet` topology so you only waste 1 IP per client, not 4
16:19 < pekster> Why is your (yes, even commented out) `local` directive in the same range as the VPN server? You can't have the tun device overlapping with any other network either
16:20 < nath_schwarz> I just tried if that could cause the problem because I didn't know if 'listening on this ip' was related to the actual lan or the vpn
16:20 -!- Latrina [~Latrina@ppp-118-62.26-151.libero.it] has quit [Ping timeout: 260 seconds]
16:21 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
16:22 < nath_schwarz> Ok, I set 'server 192.168.200.0 255.255.255.0' and 'local 192.168.178.66' - could these have caused the problem?
16:23 -!- Latrina [~Latrina@ppp-252-47.26-151.libero.it] has joined #openvpn
16:24 < nath_schwarz> Mhm, just tried it - no change
16:28 < pekster> Why the hell would you "hide" priavte IP space in the first place? :(
16:29 < pekster> If you can't ping the VPN IP of your server, either your VPN is not correctly connected (check logs on both sides) or your firewall (probably on the server) is blocking the request
16:29 < pekster> Or possibly you have a route conflict if 192.168.200.0/24 is in use on your client already
16:38 < nath_schwarz> <.< Ok, I know one mistake I made
16:38 < nath_schwarz> I activated compression server-side, but not client-side
16:39 < nath_schwarz> Activated client-side and now I can ping the server, but I still can't ping other IP's
16:41 < pekster> What "other IPs" ?
16:41 < pekster> !goal
16:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:46 < nath_schwarz> Sorry, I wasn't clear: I can ping the Server and IP's on my lan, but not e.g. 8.8.8.8 or generally websites (or their IP's). My goal is that I have a vpn for my computers to be able to exchange data and work on without having to rely on dns.
16:47 < nath_schwarz> Uh, to be more specific: I can ping computers on the physical lan and the servers vpn-ip, but not websites or generally IP's outside of the physical lan
16:53 < nath_schwarz> Ok, I got it to work now - I mentioned an option in NetworkManager "Use this connection only for resources on it's network" and it looks like that it is working
16:54 < nath_schwarz> Thanks for the help, pekster :)
17:12 < pekster> We don't recommend frontends becuase they're nearly impossible to debug when they break. If they work for you, great. Otherwise, what you want is clarified in:
17:12 < pekster> !redirect
17:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:12 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:16 < nath_schwarz> Ah, okay. I just used the frontend on my laptop because I also need to connect to other vpn's which indeed redirect all data, thus it's more comfortable to just connect to another one through the gui
17:25 < nath_schwarz> Is there an equivalent option for the config-file under /etc/openvpn?
17:40 -!- Latrina [~Latrina@ppp-252-47.26-151.libero.it] has quit [Ping timeout: 244 seconds]
17:41 -!- Latrina [~Latrina@ppp-223-12.26-151.libero.it] has joined #openvpn
18:06 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 260 seconds]
18:09 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
18:19 -!- abbe [having@badti.me] has joined #openvpn
18:20 -!- abbe_ [having@badti.me] has quit [Ping timeout: 260 seconds]
18:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
18:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit]
18:25 -!- puffie [~anon@ns4008553.ip-198-27-69.net] has joined #openvpn
18:26 < puffie> I'm using Tunnelblick on OS X. Is there an easy way to block internet traffic with OpenVPN while it's connecting to the server?
18:26 < pekster> nath_schwarz: ? As in --config ?
18:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:48 -!- justinzane [~justinzan@24.49.207.203] has joined #openvpn
18:56 -!- puffie [~anon@ns4008553.ip-198-27-69.net] has quit [Remote host closed the connection]
19:00 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
19:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:03 -!- mode/#openvpn [+v s7r] by ChanServ
19:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:43 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:44 -!- cmanns [~cmanns@71-95-132-218.dhcp.snlo.ca.charter.com] has joined #openvpn
20:14 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Ping timeout: 240 seconds]
20:16 -!- STF [~stf@i53876C62.versanet.de] has quit [Killed (cameron.freenode.net (Nickname regained by services))]
20:16 -!- STF [~stf@i53877580.versanet.de] has joined #openvpn
20:23 -!- cmanns [~cmanns@71-95-132-218.dhcp.snlo.ca.charter.com] has quit [Quit: cmanns]
20:41 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
20:42 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has quit [Remote host closed the connection]
20:42 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
20:43 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has joined #openvpn
21:14 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
21:14 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has joined #openvpn
21:20 -!- spstarr [~spstarr@fedora/spstarr] has left #openvpn ["Leaving"]
21:21 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 255 seconds]
21:28 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:40 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
22:12 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:25 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has left #openvpn []
23:30 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:51 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:53 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 272 seconds]
23:57 -!- Poster [~poster@oh-67-77-115-176.sta.embarqhsd.net] has joined #openvpn
--- Day changed Wed Aug 13 2014
00:03 -!- ShadniX [dagger@p5DDFE968.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:04 -!- ShadniX [dagger@p5481CE6D.dip0.t-ipconnect.de] has joined #openvpn
00:55 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
01:00 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Client Quit]
01:40 -!- bbteufel [~na@85.9.7.222] has joined #openvpn
01:40 -!- ravaa [~rava@63.224.44.173] has joined #openvpn
01:40 < ravaa> hey all
01:41 < bbteufel> hey
01:41 < ravaa> i'm having trouble figuring out what i'm doing wrong here. i've launched ovpn access server in aws and can auth to it just fine, but it's not routing to the subnets i've said users should have access to through NAT
01:42 < ravaa> the other subnets are in peered vpcs that i can ssh to if i ssh to the ovpn server
01:42 < ravaa> but i can't seem to reach them when i'm connected via the client. i've configured ovpn to route client requests as NAT instead of routed or bridged
01:44 < ravaa> i was checking the iptables rules on the instance, and it looks like masquerade isn't set anywhere
01:44 < bbteufel> so this might be one problem :)
01:45 < bbteufel> how well do you understand networking ? ( routes, subnets and forwarding/masquerading )
01:45 < ravaa> happen to know which rule to set this in? all the docs i see use POSTROUTE rule, but it looks like the ami has the rule labeled as AS0_OUT_POST
01:46 < ravaa> i haven't renewed my ccna in over 10 years
01:46 < bbteufel> but you do have one
01:46 < bbteufel> so you know more than me
01:46 < ravaa> lol
01:46 < bbteufel> I've never worked with subnets and openvpn but this might help
01:46 < bbteufel> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
01:46 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
01:52 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
02:13 -!- mattock_afk is now known as mattock
02:29 -!- le0 [~l30@unaffiliated/le0] has joined #openvpn
02:31 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
02:32 -!- RBecker is now known as RBeecker
02:32 -!- RBeecker is now known as RBecker
02:34 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
02:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:43 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:43 <@krzee> ravaa,
02:43 <@krzee> !as
02:43 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
02:43 < ravaa> krzee: thanks
02:45 <@krzee> np
02:55 -!- ravaa [~rava@63.224.44.173] has quit [Ping timeout: 260 seconds]
02:57 < AL13N_work> krzee: i don't think that float patch is in git, latest commit is still juli... someone in this channel refered me to a recent pach on float, which might help my problem
03:08 -!- Poster [~poster@oh-67-77-115-176.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:21 -!- larryone [~larryone@180.234.96.26] has joined #openvpn
03:27 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
03:34 -!- yerodin [~yerodin@unaffiliated/yerodin] has quit [Ping timeout: 245 seconds]
03:52 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
04:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
04:09 -!- s7r_t [~s7r@openvpn/user/s7r] has joined #openvpn
04:09 -!- mode/#openvpn [+v s7r_t] by ChanServ
04:09 -!- s7r_t is now known as s7r
04:31 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
04:53 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 244 seconds]
04:57 -!- mdoge [~dsc@pwned.systems] has joined #openvpn
04:58 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
05:14 -!- mattock is now known as mattock_afk
06:39 -!- dazo_afk is now known as dazo
07:15 -!- yerodin [~yerodin@unaffiliated/yerodin] has joined #openvpn
07:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:33 -!- occupant [~null@204.14.158.226] has quit [Ping timeout: 272 seconds]
07:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:44 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
07:53 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:57 -!- le0 [~l30@unaffiliated/le0] has quit [Quit: Leaving]
07:59 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 240 seconds]
08:05 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
08:28 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
08:46 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:58 -!- prelude2004c [~Admin@dsl-67-55-28-3.acanac.net] has joined #openvpn
08:58 < prelude2004c> hello everyone
08:59 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:59 < prelude2004c> I have a quick question. I am running openvpn client config  ( eg. openvpn --config client.ovpn ). On connect it adds the tap0 rules and everything works. The issue i am having at the moment is that when the server side goes down, the rules remain. Is there something i can add to automatically clear the tap0 rules upon disconnect on the server side?
09:02 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
09:02 <@plaisthos> prelude2004c: the client does not notice a server restart
09:02 <@plaisthos> oh disconnect
09:03 <@plaisthos> openvpn should automatically clear the rules
09:03 -!- mode/#openvpn [-o plaisthos] by plaisthos
09:03 < prelude2004c> does not do it. I rand route -n and they are still there.
09:03 < prelude2004c> if i control C  then yes
09:03 < prelude2004c> but as long as it keeps retrying the rules remain
09:04 < prelude2004c> any idea?
09:13 < prelude2004c> nevermind persist-tun
09:13 < prelude2004c> that had to be removed
09:13 < prelude2004c> all solved now thank you
09:15 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
09:15 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:16 < prelude2004c> another question...
09:16 < prelude2004c> i am using --auth-user-pass authfile.txt
09:16 < prelude2004c> it works when i set to connect.. but on disconnect when the server side resumes it tries to connect again but it then asks me for " Enter Auth Username: "
09:17 < prelude2004c> why does it not use the authfile.txt again?
09:20 < prelude2004c> nevemrind.. removed auth-nocache
09:20 < prelude2004c> seems to have resolved it
09:53 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
10:02 -!- bbteufel [~na@85.9.7.222] has quit [Quit: leaving]
10:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:44 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
10:54 -!- Latrina [~Latrina@ppp-223-12.26-151.libero.it] has quit [Ping timeout: 272 seconds]
10:57 -!- Latrina [~Latrina@adsl-ull-73-187.50-151.net24.it] has joined #openvpn
10:58 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:03 -!- zapotek6 [~zap@176.201.42.145] has joined #openvpn
11:05 -!- zapotek6 [~zap@176.201.42.145] has quit [Max SendQ exceeded]
11:11 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
11:14 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
11:17 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:20 <@krzee> !c2c
11:20 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
11:20 <@vpnHelper> other clients
11:22 -!- larryone [~larryone@180.234.96.26] has quit [Ping timeout: 260 seconds]
11:32 <@krzee> if i understood the question right, yes
11:32 <@krzee> bbl gotta go to the datacenter
11:32 < pekster> Almost; --client-to-client implies pushing the VPN subnet, and you don't even need to do that in subnet topology anyway
11:32 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
11:33 < pekster> (if you mean reaching the VPN subnet itself.) In the case of `subnet` topology, the only thing --client-to-client does is "skip" your OS firewall for traffic both arriving from and bound for a VPN client. If you want to be able to firewall that traffic in your OS, don't use that option
11:49 -!- Latrina [~Latrina@adsl-ull-73-187.50-151.net24.it] has quit [Ping timeout: 272 seconds]
11:50 -!- Latrina [~Latrina@ppp-108-55.26-151.libero.it] has joined #openvpn
12:18 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
12:18 < arkie> hey
12:18 < arkie> im trying to set up an openvpn server on my router but im having some trouble understanding what settings i should select
12:18 < arkie> for interface type i went TUN over TAP
12:18 < arkie> protocol UDP..
12:22 < reiffert> !howto
12:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
12:23 < arkie> thanks reiffert
12:24 < arkie> but for example, firewall i currently have set to auto, im not 100% sure if thats okay and if it should be set to 'external only' or 'custom'
12:25 < arkie> Same aith authorization mode, currently on TLS, not sure about 'static key' or 'custom'
12:25 < reiffert> I have no idea about your firewall.
12:25 < reiffert> are you on openwrt?
12:25 < reiffert> or is this access server?
12:26 < arkie> its an asus rt-ac66u router
12:26 < arkie> running the stock firmware
12:26 < reiffert> please get help with asus then.
12:26 < arkie> ive tried, their manual isnt helpful etc
12:27 < reiffert> please pay attention to the topic of this channel
12:27 < arkie> so i should be in access server channel?
12:27 < arkie> basically im trying to set up an openvpn server so i can access my LAN remotely
12:29 < arkie> !goal
12:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:29 < arkie> !goal i want to set up an openvpn server on my router for remote access to my LAN
12:30 < arkie> !welcome
12:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:31 < reiffert> very good. I think you should consider yourself a beginner which is leading you back to !howto
12:31 < arkie> !howto
12:31 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
12:32 < reiffert> !factoids search openwrt
12:32 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
12:32 < reiffert> !factoids search --values openwrt
12:32 <@vpnHelper> 'openwrt' and 'uci'
12:32 < reiffert> !uci
12:32 <@vpnHelper> "uci" is "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
12:33 < arkie> just reading about extra HMAC authorisation reiffert , it's disabled by default, is it a good idea to turn on?
12:33 < reiffert> !factoids search hmac
12:33 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
12:33 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
12:34 < reiffert> if enabling this is a good idea lies in the hands of the administrator setting this up. It's not my call to make.
12:34 < arkie> do you find most people do?
12:35 < reiffert> I'm sorry but I dont know most people.
12:35 < arkie> okay, does the extra security make the VPN connection slower?
12:35 < reiffert> We can keep playing this forever. Now get it done following that damn fucking howto
12:36 < reiffert> we would need to clarify your definition of "security" first before focusing on a possible answer to your question.
12:36 < reiffert> So what exactly is security for you?
12:37 -!- Latrina [~Latrina@ppp-108-55.26-151.libero.it] has quit [Read error: Connection reset by peer]
12:37 < arkie> Well I don't want it to be easy for other people to connect to my LAN
12:37 < arkie> That's for sure.
12:38 < reiffert> good, disconnect your LAN from the internet then. = secure.
12:38 < arkie> IF I were going to do that I wouldn't be trying to set up openvpn..
12:38 < reiffert> and why do they let the project manager do the administrators job then?
12:38 < arkie> Everyone makes compromises I guess.
12:39 < arkie> Huh?
12:39 < reiffert> Let's make an example, please tell me the benefits of https
12:40 < arkie> I'm not sure why you're quizzing me.
12:40 < arkie> I use https so there is encryption between me and the server.
12:40 < arkie> Otherwise someone listening can easily get user credentials and so forth.
12:40 < reiffert> the biggest benefitof https is not the encryption
12:40 < reiffert> it is: who am I talking to
12:41 < reiffert> which is why self signed certificates is an entire crap.
12:41 < arkie> I'm no expert and never claimed to be
12:41 < arkie> I've used Start SSL in the past and found them to be good.
12:41 < arkie> But I don't run some massive online store.
12:42 -!- Latrina [~Latrina@adsl-ull-32-212.50-151.net24.it] has joined #openvpn
12:42 < reiffert> allright, back to your problem: If using the GUI on your consumer router is too complicated because terms dont match the howto ... I can fully understand that this is confusing you.
12:42 < reiffert> you might want to consider getting two virtual machines up and play and stick with the howto using windows or linux .. until you have it running
12:43 < reiffert> and then go ahead and find out what Asus was adding to your router. It might still be offering the entire skillset - it might not.
12:44 < arkie> Well one thing that I would like to know, when using hardened security like the Extra HMAC auth, does this compromise speed as a result?
12:44 < reiffert> !hmac
12:44 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
12:44 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
12:44 < reiffert> from reading the above it says:
12:45 < reiffert> adds an additional ... whatever ... to all handshake ...
12:45 < arkie> So it's every UDP packet
12:45 < reiffert> when you enter the room for a meeting would you say extened handshaking slows down the meeting?
12:45 < arkie> so I'm assuming there would be a slow down
12:46 < reiffert> say yes or no.
12:47 < arkie> Yes.
12:47 < reiffert> sigh.
12:48 < arkie> sigh
12:49 < reiffert> :-)
12:49 < arkie> If I spend 5 minutes shaking everyones hand, the meeting is going to take longer to complete.
12:49 < reiffert> heads up arkie.
12:49 < arkie> anyway, i think i have all the right settings i want
12:50 < arkie> Weird one was username/password auth only and it was set to no
12:50 < arkie> i'm leaving it there as i assume if you change that to yes, TLS auth won't take place..
12:50 < reiffert> I've never used username/password auth with openvpn. hm.
12:51 < arkie> well this would be user/pass in addition
12:51 < arkie> im not going to be the only client anyway
12:51 < reiffert> how does the openvpnserver identify you as being you?
12:53 < arkie> well the opvn file would have a key that has to match
12:53 < arkie> so there's that
12:53 < arkie> plus the right user/pw combo
12:53 -!- ohrensessel [~leo@ip1f1310c8.dynamic.kabel-deutschland.de] has joined #openvpn
12:53 < ohrensessel> !welcome
12:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:53 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:53 < reiffert> arkie, why not go for certificate based authentication
12:53 -!- Latrina [~Latrina@adsl-ull-32-212.50-151.net24.it] has quit [Read error: Connection reset by peer]
12:53 < arkie> it's not available on my router
12:54 < reiffert> arkie: what if any of your road warriors losses your shared key?
12:54 < arkie> they can tell me and ill generate a new one?
12:54 < arkie> an attacker would also need their user/pass too
12:54 < reiffert> arkie: how unfortunate. Do you have another windows or linux machine in your LAN that could act as an openvpn server?
12:54 < arkie> nope i don't
12:55 < reiffert> what's the purpose of your LAN then if there is no Linux or Windows machine?
12:55 < reiffert> just printers only?
12:55 < arkie> there is a printer
12:55 < arkie> a tablet
12:55 < arkie> a synology nas
12:55 < arkie> etc
12:55 < reiffert> I'd go for the Synology then.
12:56 < arkie> too many security holes
12:56 < arkie> half the reason im doing this is because of the synolocker thing recently
12:56 < arkie> :(
12:56 < arkie> im taking my nas down from the open internet and will only be accessing via the vpn from now on
12:56 < ohrensessel> !goal I want to fix my openvpn setup. I have an openvpn client which runs NAT to allow several other users in an attached private net to use the vpn connection. Traffic that is coming to this client from time to time leads to ICPM unreachable messages, probably because the connection tracking does not have an entry (any more) for the connection the traffic is belonging to. Now I have the problem that these ICMP unreachable message
12:56 < reiffert> arkie: did you understand how synolocker works?
12:56 < arkie> my girlfriend is living in another country so i want to get her access too
12:57 < arkie> reiffert, synology havent really made an official statement regarding how they got in
12:57 < arkie> seems like it was through older firmware though
12:57 < arkie> perhaps port 5000/5001
12:57 < reiffert> arkie: they did. their ssh daemon was getting linked against openssl with the heartbleed bug
12:58 < arkie> i got a new ssl cert after heartbleed
12:58 < arkie> and my fw was up to date
12:58 < arkie> so are you saying they were getting user/passes?
12:58 < arkie> where did you read this reiffert ?
12:58 < arkie> anyway, its not safe to have the web ui of the nas on the open internet
12:58 < arkie> i'm thinking an openvpn server is a safer option
12:59 < reiffert> then why not run the openvpn server on your NAS?
13:00 < arkie> why not run it on my router?
13:00 < reiffert> limited functionality
13:02 < arkie> as long as it works im happy reiffert
13:02 < arkie> i feel like i have enough functions right now
13:03 < reiffert> when you came in your concerns where security, then speed and then many security wholes and now you are down to as long as it works.
13:03 < reiffert> get lost.
13:03 < arkie> you get lost
13:03 < reiffert> sure thing
13:03 -!- reiffert [~thomas@mail.reifferscheid.org] has left #openvpn ["ipsec ftw"]
13:05 -!- Latrina [~Latrina@ppp-14-28.26-151.libero.it] has joined #openvpn
13:10 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:19 -!- mode/#openvpn [+o Eugene] by ChanServ
13:31 -!- dazo is now known as dazo_afk
13:40 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
13:41 -!- nsrbnc [whois@unaffiliated/nsrafk] has joined #openvpn
13:41 -!- Netsplit *.net <-> *.split quits: yoavz, Verdi, MogDog, _bt, ascheel, nsrafk, D-Boy
13:41 -!- nsrbnc is now known as nsrafk
13:42 -!- MogDog66 is now known as MogDog
13:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:08 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 252 seconds]
14:08 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
14:57 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
14:57 < linuxthefish> what should files be called in C:\Program Files\OpenVPN\config ?
14:57 < linuxthefish> like what config file does the gui look for?
14:58 < linuxthefish> nvm it had to be .ovpn...
15:35 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
15:44 <@Eugene> !ovpn
15:44 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked. or (#2) this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows
15:44 <@Eugene> !win_service
15:44 <@Eugene> !factoids search win
15:44 <@vpnHelper> 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'winpath', 'winsudo', 'windows_mobile', 'win_build', 'new_win_gui', 'win7', 'win-dns-vista-7', 'win-dns-xp', 'win-dns', 'winshortcut', 'windows_problems', 'windows', and 'windns'
15:44 <@Eugene> !factoids search --values service
15:44 <@vpnHelper> 'win_ipfail', 'bcast', 'pwfile', 'crystal', and 'license'
15:44 <@Eugene> Meh, whatever.
16:08 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
16:11 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:11 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (rajaniemi.freenode.net (Nickname regained by services))]
16:11 -!- XJR-9_ is now known as XJR-9
16:11 -!- nath_schwarz [~nath_schw@198.98.49.138] has quit [Quit: Not available.]
16:12 -!- Latrina [~Latrina@ppp-14-28.26-151.libero.it] has quit [Ping timeout: 260 seconds]
16:12 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 260 seconds]
16:12 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 260 seconds]
16:12 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
16:14 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:14 -!- Latrina [~Latrina@ppp-14-28.26-151.libero.it] has joined #openvpn
16:14 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
16:22 -!- nath_schwarz [~nath_schw@198.98.49.138] has joined #openvpn
16:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:34 -!- nath_schwarz [~nath_schw@198.98.49.138] has quit [Read error: Connection reset by peer]
16:39 -!- mrkiko [~mrkiko@host114-12-dynamic.60-82-r.retail.telecomitalia.it] has joined #openvpn
16:40 < mrkiko> !heartbleed
16:40 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
16:40 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
16:49 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
16:53 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
16:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:05 -!- nath_schwarz [~nath_schw@198.98.49.138] has joined #openvpn
17:12 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
17:13 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
17:20 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
17:26 -!- Latrina [~Latrina@ppp-14-28.26-151.libero.it] has quit [Ping timeout: 264 seconds]
17:28 -!- Latrina [~Latrina@ppp-33-63.26-151.libero.it] has joined #openvpn
17:56 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 244 seconds]
18:03 -!- ShadniX [dagger@p5481CE6D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
18:05 -!- ShadniX [dagger@p5481CE6D.dip0.t-ipconnect.de] has joined #openvpn
18:20 -!- mrkiko [~mrkiko@host114-12-dynamic.60-82-r.retail.telecomitalia.it] has left #openvpn []
18:20 -!- mrkiko [~mrkiko@host114-12-dynamic.60-82-r.retail.telecomitalia.it] has joined #openvpn
18:20 < mrkiko> sorry for the rude exiting
18:20 < mrkiko> I am going to bed
18:20 < mrkiko> good night
18:20 < mrkiko> and thank you
18:20 -!- mrkiko [~mrkiko@host114-12-dynamic.60-82-r.retail.telecomitalia.it] has left #openvpn []
18:25 -!- C-S-B [~C-S-B@host86-150-238-33.range86-150.btcentralplus.com] has quit [Ping timeout: 255 seconds]
18:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Excess Flood]
18:42 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:42 -!- mode/#openvpn [+v s7r] by ChanServ
18:54 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
19:01 -!- EvanDotPro [~ecoury@pdpc/supporter/professional/evandotpro] has joined #openvpn
19:01 -!- EvanDotPro [~ecoury@pdpc/supporter/professional/evandotpro] has left #openvpn []
19:01 -!- EvanDotPro [~ecoury@pdpc/supporter/professional/evandotpro] has joined #openvpn
19:29 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
19:29 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
20:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
20:16 -!- STF is now known as Guest22693
20:16 -!- Guest22693 [~stf@i53877580.versanet.de] has quit [Killed (sendak.freenode.net (Nickname regained by services))]
20:16 -!- STF [~stf@i53874E6B.versanet.de] has joined #openvpn
20:22 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
20:22 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
20:27 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
20:54 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Ping timeout: 264 seconds]
20:55 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
21:03 -!- fxhnd [~fxhnd@cpe-72-227-97-50.maine.res.rr.com] has joined #openvpn
21:05 < fxhnd> !welcome
21:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:05 < fxhnd> !goal
21:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:07 < fxhnd> I would like to be able to SSH into a computer that is currently an openVPN client. I can't connect via SSH because the computer is not listening on port 22 of its 'local' address. (Hello everyone!)
21:08 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
21:08 < fxhnd> !route
21:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
21:11 < fxhnd> 173 people on this channel and I get more words from the automated system?
21:11 < fxhnd> !tcpip
21:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
21:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
21:13 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
21:13 -!- mode/#openvpn [+v s7r] by ChanServ
21:18 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:19 -!- Latrina [~Latrina@ppp-33-63.26-151.libero.it] has quit [Ping timeout: 260 seconds]
21:21 -!- Latrina [~Latrina@ppp-165-56.26-151.libero.it] has joined #openvpn
21:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:29 -!- tpw_rules [tpw_rules@2600:3c03::f03c:91ff:fe93:20aa] has joined #openvpn
21:30 < tpw_rules> hey. i'm having issues with the openvpn gui for windows 8.1 x64. all i get when i rightclick on the icon is settings and exit
21:30 < tpw_rules> am i using it wrong? left-clicking does nothing
21:37 -!- tpw_rules [tpw_rules@2600:3c03::f03c:91ff:fe93:20aa] has left #openvpn ["Evil will always triumph, because good is dumb."]
21:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:18 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:19 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
22:32 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Disconnected by services]
22:32 -!- Kniaz1 is now known as Kniaz
22:32 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
22:51 -!- NChief_ [~nchief@unaffiliated/nchief] has joined #openvpn
22:52 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Disconnected by services]
22:52 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
22:52 -!- larryone [~larryone@180.234.234.159] has joined #openvpn
22:52 -!- STF [~stf@i53874E6B.versanet.de] has quit [Killed (asimov.freenode.net (Nickname regained by services))]
22:52 -!- STF [~stf@i53874E6B.versanet.de] has joined #openvpn
22:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 250 seconds]
22:52 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
22:52 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
22:52 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 250 seconds]
22:52 -!- Plastefuchs [~fweee@198.98.120.235] has quit [Ping timeout: 250 seconds]
22:52 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
22:52 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has quit [Ping timeout: 250 seconds]
22:52 -!- nlb [~nlb@unaffiliated/nlb] has quit [Ping timeout: 250 seconds]
22:52 -!- NChief [~nchief@unaffiliated/nchief] has quit [Ping timeout: 250 seconds]
22:52 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 250 seconds]
22:52 -!- justinzane [~justinzan@24.49.207.203] has quit [Ping timeout: 250 seconds]
22:52 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 250 seconds]
22:52 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 250 seconds]
22:52 -!- fser [~fser@ks3367196.kimsufi.com] has quit [Ping timeout: 250 seconds]
22:52 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 250 seconds]
22:52 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 250 seconds]
22:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
22:52 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 250 seconds]
22:52 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 250 seconds]
22:53 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
22:53 -!- mode/#openvpn [+o raidz] by ChanServ
22:53 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
22:53 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
22:53 -!- mode/#openvpn [+o mattock] by ChanServ
22:53 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
22:53 -!- mode/#openvpn [+o plaisthos] by ChanServ
22:53 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:53 -!- mode/#openvpn [+o syzzer] by ChanServ
22:53 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
22:53 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
22:53 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
22:54 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
22:54 -!- Plastefuchs [~fweee@198.98.120.235] has joined #openvpn
22:54 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
22:56 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
22:57 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
22:57 -!- mode/#openvpn [+o dazo_afk] by ChanServ
22:57 -!- dazo_afk is now known as dazo
23:00 -!- kryptkeeper [~root@c-67-160-203-245.hsd1.ca.comcast.net] has joined #openvpn
23:02 < kryptkeeper> Hello, I am struggling to connect my Ipad Air to my VPN server. Could someone direct me to a well written guide dealing with IOS keychain setup?
23:05 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:07 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 250 seconds]
23:07 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 250 seconds]
23:07 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
23:09 < kryptkeeper> anyone?
23:10 -!- larryone [~larryone@180.234.234.159] has quit [Quit: This computer has gone to sleep]
23:20 -!- larryone [~larryone@180.234.83.156] has joined #openvpn
23:23 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 245 seconds]
23:27 -!- kieppie [~jaco@101.98.221.9] has joined #openvpn
23:27 < kieppie> hi folks
23:28 < kieppie> I just want to confirm something - do I only need to NAT UDP:1194 through my router to my oVPN server?
23:33 -!- kieppie [~jaco@101.98.221.9] has quit [Read error: Connection reset by peer]
23:33 -!- kieppie [~jaco@101.98.221.9] has joined #openvpn
23:33 < kryptkeeper> Yes
23:33 < kryptkeeper> or 1194 TCP if specified in profile
23:38 -!- kieppie [~jaco@101.98.221.9] has quit [Read error: Connection reset by peer]
23:38 -!- kieppie [~jaco@101.98.221.9] has joined #openvpn
23:39 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
23:46 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:46 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:52 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
--- Day changed Thu Aug 14 2014
00:00 -!- ShadniX [dagger@p5481CE6D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:03 -!- ShadniX [dagger@p5DDFF07B.dip0.t-ipconnect.de] has joined #openvpn
00:05 -!- kieppie [~jaco@101.98.221.9] has quit [Ping timeout: 260 seconds]
00:07 -!- yerodin_ [~yerodin@unaffiliated/yerodin] has joined #openvpn
00:09 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
00:09 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
00:09 -!- kieppie [~jaco@101.98.221.9] has joined #openvpn
00:10 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
00:10 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Excess Flood]
00:10 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
00:10 -!- mwargh [~sistemshi@unaffiliated/mwargh] has quit [Write error: Broken pipe]
00:11 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:11 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Quit: No Ping reply in 180 seconds.]
00:11 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
00:11 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Remote host closed the connection]
00:11 -!- yerodin [~yerodin@unaffiliated/yerodin] has quit [Quit: Disconnecting from stoned server.]
00:11 -!- jl- [~lao@c-174-60-71-232.hsd1.pa.comcast.net] has quit [Quit: Disconnecting from stoned server.]
00:11 -!- yerodin_ is now known as yerodin
00:17 -!- kieppie [~jaco@101.98.221.9] has quit [Ping timeout: 260 seconds]
00:52 -!- kryptkeeper [~root@c-67-160-203-245.hsd1.ca.comcast.net] has quit [Quit: WeeChat 0.4.3]
01:40 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
02:01 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
02:04 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
02:04 -!- mode/#openvpn [+o plaisthos] by ChanServ
02:13 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
02:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:29 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:34 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has joined #openvpn
02:45 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
03:07 -!- StathisA [~StathisA@athedsl-388977.home.otenet.gr] has joined #openvpn
03:08 < StathisA> hello, i have a working OpenVPN server and my clients can connect and redirect all traffic through the remote gateway as intended. Is there a way to configure the windows openvpn to display a notification when the tunnel is down, or stop all traffic to avoid spillage?
03:09 -!- ohrensessel [~leo@ip1f1310c8.dynamic.kabel-deutschland.de] has quit [Quit: Leaving.]
03:09 < StathisA> for now most of the clients will disconnect and not know it, the change in colour of the taskbar icon is just too subtle and easy to overlook
03:09 < StathisA> so they end up using the unsecured network instead for their needs
03:44 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Ping timeout: 260 seconds]
04:02 -!- Cybert1nus is now known as Cybertinus
04:32 -!- Latrina [~Latrina@ppp-165-56.26-151.libero.it] has quit [Ping timeout: 240 seconds]
04:33 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
04:35 -!- Latrina [~Latrina@adsl-ull-122-208.50-151.net24.it] has joined #openvpn
04:42 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
04:43 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
05:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
05:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:38 -!- pekster_ is now known as pekster
06:58 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
06:59 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:18 -!- fxhnd [~fxhnd@cpe-72-227-97-50.maine.res.rr.com] has quit [Quit: WeeChat 0.3.8]
07:21 -!- larryone [~larryone@180.234.83.156] has quit [Ping timeout: 244 seconds]
07:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
07:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:54 -!- zapotek6 [~zap@176.201.37.244] has joined #openvpn
07:54 -!- gigo1980 [~Adium@178-25-19-170-dynip.superkabel.de] has joined #openvpn
07:55 -!- zapotek6 [~zap@176.201.37.244] has quit [Max SendQ exceeded]
07:55 < gigo1980> hi all. i have auth-user-pass in my config file.. is it posible that i can write user and password into the config file ?
08:03 -!- fxhnd [~fxhnd@cpe-72-227-97-50.maine.res.rr.com] has joined #openvpn
08:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:10 -!- scanman [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
08:10 -!- scanman [~scanman84@gateway/tor-sasl/scanman84] has left #openvpn []
08:17 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
08:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:56 -!- bbteufel [~an@86.126.4.118] has joined #openvpn
09:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:11 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
09:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:15 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:16 -!- Kniaz1 is now known as Kniaz
09:20 -!- StathisA [~StathisA@athedsl-388977.home.otenet.gr] has quit []
09:28 -!- TheHandyTek [~TheHandyT@174.47.150.125] has joined #openvpn
09:30 -!- TheHandyTek [~TheHandyT@174.47.150.125] has left #openvpn []
09:30 -!- TheHandyTek [~TheHandyT@174.47.150.125] has joined #openvpn
09:31 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
09:32 < TheHandyTek> Morning. Anyone here able to help with an AS upgrade question?
09:34 <@krzee> TheHandyTek,
09:34 <@krzee> !as
09:34 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
09:34 <@krzee> gigo1980,
09:34 <@krzee> !pwfile
09:34 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h or (#2) see --auth-user-pass in the manual (!man) for more info or (#3) if you're using this with the windows service, you will need --askpass
09:35 < TheHandyTek> Ok thanks. I am usinf AS for my self w/the two free connections, one more than I will ever need.... :)
09:38 <@krzee> np
09:38 -!- mattock is now known as mattock_afk
09:39 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:43 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
09:51 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:52 -!- mattock_afk is now known as mattock
10:02 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
10:03 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has joined #openvpn
10:21 -!- bbteufel [~an@86.126.4.118] has quit [Ping timeout: 245 seconds]
10:38 -!- mattock is now known as mattock_afk
10:40 -!- TheHandyTek [~TheHandyT@174.47.150.125] has quit [Ping timeout: 245 seconds]
10:42 -!- TheHandyTek [~TheHandyT@174.47.150.125] has joined #openvpn
10:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:12 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
11:13 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:16 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
11:19 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:24 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
11:26 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:27 -!- gigo1980 [~Adium@178-25-19-170-dynip.superkabel.de] has quit [Quit: Leaving.]
11:28 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
11:28 -!- mattock_afk is now known as mattock
11:48 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
11:55 -!- nath_schwarz [~nath_schw@198.98.49.138] has quit [Ping timeout: 240 seconds]
12:09 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:16 -!- fxhnd [~fxhnd@cpe-72-227-97-50.maine.res.rr.com] has left #openvpn ["WeeChat 0.3.8"]
12:20 -!- TheHandyTek [~TheHandyT@174.47.150.125] has left #openvpn ["Leaving"]
12:25 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:29 -!- nath_schwarz [~nath_schw@198.98.49.138] has joined #openvpn
12:39 -!- Chocobo [~swinchen@pdpc/supporter/student/chocobo] has joined #openvpn
12:39 -!- Chocobo [~swinchen@pdpc/supporter/student/chocobo] has quit [Quit: leaving]
12:39 -!- Chocobo [~swinchen@pdpc/supporter/student/chocobo] has joined #openvpn
12:40 < Chocobo> Hi all.  I am a bit confused by OpenVPNs licensing.  Is it free to use or do you have to pay?  It is released under GPL... so I am guessing free to use, but the website shows pay/license.
12:41 < pekster> The website is somewhat confusing on purpose to lead you to the non-free "Access Server" stuff. OpenVPN is fully GPL with no fees required for use under that license
12:42 < pekster> You want downloads from the GPL (aka "Community") side here:
12:42 < pekster> !download
12:42 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:42 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:42 < Chocobo> Ahh, thanks pekster!
12:44 -!- Latrina [~Latrina@adsl-ull-122-208.50-151.net24.it] has quit [Ping timeout: 260 seconds]
12:45 -!- clyons|2 [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:48 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
12:48 <@krzee> !learn license as The website is somewhat confusing on purpose to lead you to the non-free "Access Server" stuff. OpenVPN is fully GPL with no fees required for use under that license. If you want to download the GPL openvpn see !download
12:48 <@vpnHelper> Joo got it.
12:50 -!- Latrina [~Latrina@adsl-ull-234-216.50-151.net24.it] has joined #openvpn
13:03 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
13:14 -!- mattock is now known as mattock_afk
13:24 -!- Chocobo [~swinchen@pdpc/supporter/student/chocobo] has quit [Quit: leaving]
13:27 -!- clyons|2 [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Read error: Connection reset by peer]
13:29 -!- gigo1980 [~Adium@pD954DB3F.dip0.t-ipconnect.de] has joined #openvpn
13:35 -!- gigo1980 [~Adium@pD954DB3F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
13:42 -!- dazo is now known as dazo_afk
13:51 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
13:57 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
14:00 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
14:30 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 260 seconds]
14:39 -!- Latrina [~Latrina@adsl-ull-234-216.50-151.net24.it] has quit [Ping timeout: 260 seconds]
14:40 -!- Latrina [~Latrina@ppp-3-16.26-151.libero.it] has joined #openvpn
14:40 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:41 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
14:47 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:55 -!- nath_schwarz [~nath_schw@198.98.49.138] has quit [Remote host closed the connection]
14:59 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has quit [Ping timeout: 264 seconds]
15:02 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 31.0/20140716183446]]
15:13 -!- kieppie [~jaco@101.98.221.9] has joined #openvpn
15:13 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
15:18 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Quit: France sucks but Paris swallows]
15:20 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
15:21 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
15:24 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:33 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
15:33 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has left #openvpn ["Segmentation fault..."]
15:55 -!- kieppie [~jaco@101.98.221.9] has quit [Ping timeout: 260 seconds]
15:59 -!- bbteufel [~an@188.26.149.219] has joined #openvpn
16:04 -!- troyt_ [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
16:07 -!- nath_schwarz [~nath_schw@p54A31C05.dip0.t-ipconnect.de] has joined #openvpn
16:09 -!- bbteufel [~an@188.26.149.219] has quit [Ping timeout: 250 seconds]
16:15 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
16:23 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
16:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
16:26 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
16:27 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:32 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:40 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has quit [Ping timeout: 255 seconds]
16:53 -!- kieppie [~jaco@237.161.173.203.static.cust.vf.net.nz] has joined #openvpn
16:55 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
16:55 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:21 -!- kieppie [~jaco@237.161.173.203.static.cust.vf.net.nz] has quit [Ping timeout: 272 seconds]
17:29 -!- u0m3 [~u0m3@92.80.93.41] has joined #openvpn
17:56 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has joined #openvpn
18:01 -!- EvanDotPro [~ecoury@pdpc/supporter/professional/evandotpro] has left #openvpn []
18:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:32 -!- Popsikle [~popsikle@2600:1001:b126:6d42:9c8c:d626:ad78:55b2] has joined #openvpn
18:36 -!- Popsikle [~popsikle@2600:1001:b126:6d42:9c8c:d626:ad78:55b2] has quit [Remote host closed the connection]
19:05 -!- kieppie [~jaco@ip-58-28-154-35.static-xdsl.xnet.co.nz] has quit [Ping timeout: 264 seconds]
19:20 -!- kieppie [~jaco@ip202-27-209-222.kc.net.nz] has joined #openvpn
19:20 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 264 seconds]
19:21 -!- kieppie [~jaco@ip202-27-209-222.kc.net.nz] has left #openvpn []
19:27 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:47 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has joined #openvpn
20:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:04 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:15 -!- STF [~stf@i53874E6B.versanet.de] has quit [Killed (sendak.freenode.net (Nickname regained by services))]
20:15 -!- STF [~stf@i538779F8.versanet.de] has joined #openvpn
20:20 -!- u0m3 [~u0m3@92.80.93.41] has quit [Read error: Connection reset by peer]
20:23 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
20:31 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has joined #openvpn
20:34 -!- u0m3 [~u0m3@92.80.93.41] has joined #openvpn
20:37 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 272 seconds]
20:40 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has quit [Read error: Connection reset by peer]
20:43 -!- zeroNones [~textual@187.204.140.4] has joined #openvpn
20:43 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:52 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has joined #openvpn
20:59 -!- nath_schwarz [~nath_schw@p54A31C05.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
21:03 -!- scanman84 [~scanman84@gateway/tor-sasl/scanman84] has quit [Ping timeout: 264 seconds]
21:14 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has quit [Read error: Connection reset by peer]
21:20 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Ping timeout: 272 seconds]
21:20 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has joined #openvpn
21:22 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has quit [Read error: Connection reset by peer]
21:29 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:29 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has joined #openvpn
21:29 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has quit [Max SendQ exceeded]
21:30 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has joined #openvpn
21:34 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has quit [Read error: Connection reset by peer]
21:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:03 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
22:10 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
22:13 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:41 -!- gorelative [~gorelativ@ip72-223-109-128.ph.ph.cox.net] has joined #openvpn
22:41 < gorelative> can anyone help me with this problem? http://www.reddit.com/r/PFSENSE/comments/2dlryp/q_pfsense_openvpn_server_openvpn_as_client/
22:41 <@vpnHelper> Title: [Q] pfsense openvpn server + openvpn_as client routing issues : PFSENSE (at www.reddit.com)
22:45 < _FBi> they are different subnets no?
22:47 < gorelative> they are
22:48 < gorelative> different subnets betwween on-premise lan, and remote lan
22:48 < gorelative> all remote lan machines are on the same subnet, and all on-premise machines are on the same subnet though
22:49 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
22:56 -!- korrosivek9 [~unknownso@24.1.242.179] has joined #openvpn
22:57 < korrosivek9> Anyone familiar with OpenVPN on DD-WRT? I can't figure out how to get OpenVPN daemon logs.
22:57 <@krzee> !logfile
22:57 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
22:57 <@krzee> remember to not leave it running with logging on after you finish debugging
22:58 <@krzee> also,
22:58 <@krzee> !dd-wrt
22:58 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
23:09 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 260 seconds]
23:10 < korrosivek9> hmm. Seems ddwrt no longer has /dev/stdout
23:13 < korrosivek9> Interesting links. It's that the issues were quickly resolved. Haven't heard of any issues more recently.
23:13 <@krzee> just output to a file like i said in !logfile
23:13 <@krzee> in #1
23:14 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:16 < korrosivek9> through telnet, or what?
23:19 < korrosivek9> tried it in the gui command shell, I get "/bin/sh: eval: line 1: log: not found"
23:20 < korrosivek9> in telnet, "-sh: log: not found"
23:29 <@krzee> in the openvpn config file...
23:38 < korrosivek9> not sure what you mean
23:40 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:41 < _FBi> openwrt > DD-WRT
23:45 < korrosivek9> _FBi, how so?
23:47 < korrosivek9> _FBi, my router is not yet supported by openwrt
23:52 -!- korrosivek9 [~unknownso@24.1.242.179] has left #openvpn []
23:59 -!- ShadniX [dagger@p5DDFF07B.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Fri Aug 15 2014
00:02 -!- ShadniX [dagger@p5DDFDE30.dip0.t-ipconnect.de] has joined #openvpn
00:03 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
00:10 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
00:26 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
00:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:29 -!- mode/#openvpn [+v s7r] by ChanServ
00:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 272 seconds]
01:05 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Ping timeout: 260 seconds]
01:15 -!- zeroNones [~textual@187.204.140.4] has quit [Quit: Textual IRC Client: www.textualapp.com]
01:19 -!- gorelative [~gorelativ@ip72-223-109-128.ph.ph.cox.net] has quit [Ping timeout: 272 seconds]
01:25 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Remote host closed the connection]
01:39 -!- mattock_afk is now known as mattock
01:42 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
01:46 -!- gigo1980 [~Adium@pD954CBDE.dip0.t-ipconnect.de] has joined #openvpn
01:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 244 seconds]
02:06 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
02:08 -!- dazo_afk is now known as dazo
02:09 -!- zapotek6 [~zap@176.200.218.15] has joined #openvpn
02:09 -!- zapotek6 [~zap@176.200.218.15] has quit [Max SendQ exceeded]
02:12 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:12 -!- zapotek6 [~zap@176.200.218.15] has joined #openvpn
02:13 -!- zapotek6 [~zap@176.200.218.15] has quit [Max SendQ exceeded]
02:18 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
02:20 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
02:22 -!- zapotek6 [~zap@176.200.218.15] has joined #openvpn
02:22 -!- zapotek6 [~zap@176.200.218.15] has quit [Max SendQ exceeded]
02:23 -!- gigo1980 [~Adium@pD954CBDE.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
02:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
02:27 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:28 -!- zapotek6 [~zap@176.200.218.15] has joined #openvpn
02:28 -!- zapotek6 [~zap@176.200.218.15] has quit [Max SendQ exceeded]
02:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:42 -!- zapotek6 [~zap@176.200.218.15] has joined #openvpn
02:43 -!- Aoyagi_mehtop [~Aoyagi@88.208.95.82] has joined #openvpn
02:44 -!- zapotek6 [~zap@176.200.218.15] has quit [Max SendQ exceeded]
02:46 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
02:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
03:35 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 255 seconds]
03:39 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
03:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:51 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
03:52 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
03:52 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
04:12 -!- zapotek6 [~zap@176.200.218.15] has joined #openvpn
04:12 -!- zapotek6 [~zap@176.200.218.15] has quit [Max SendQ exceeded]
04:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
04:29 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:57 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:01 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
05:03 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
--- Log closed Fri Aug 15 05:09:13 2014
--- Log opened Fri Aug 15 06:53:18 2014
06:53 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
06:53 -!- Irssi: #openvpn: Total of 166 nicks [8 ops, 0 halfops, 3 voices, 155 normal]
06:53 -!- mode/#openvpn [+o ecrist] by ChanServ
06:53 -!- Irssi: Join to #openvpn was synced in 1 secs
07:04 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
07:22 -!- shiin [~shiin@funtoo/core/shiin] has quit [Ping timeout: 244 seconds]
07:28 -!- prelude2004c [~Admin@dsl-67-55-28-3.acanac.net] has quit [Quit: Leaving]
07:42 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has joined #openvpn
07:48 -!- KermitTheFragger [~KermitThe@62-177-178-202.dsl.bbeyond.nl] has joined #openvpn
07:48 < KermitTheFragger> hi all
07:49 < KermitTheFragger> is it possible to have the openvpn server reload its config without restarting it?
07:49 < KermitTheFragger> i googled around a bit but can't find anything on it
07:49 < KermitTheFragger> any signal you can send it?
07:50 < _FBi> not to my knowledge
07:51 < KermitTheFragger> ok, beter use the DEFAULT file in the client-config-dir then i guess?
07:52 < _FBi> ?
07:53 < KermitTheFragger> that file get reread for every connection that is made right?
07:59 < _FBi> I'm not sure, tbh
08:00 < KermitTheFragger> ok well ill dig around some more and experiment a bit. thanks for the insights!
08:01 < _FBi> idle if you can
08:01 < _FBi> they are much smarter people here than me
08:06 -!- mattock_afk is now known as mattock
08:08 -!- Pyrogerg [~Gregory@mobile-166-137-181-227.mycingular.net] has quit [Read error: Connection reset by peer]
08:08 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
08:09 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
08:11 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
08:13 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
08:20 -!- Netsplit *.net <-> *.split quits: ender|, pekster, pnielsen, heraclitus, Tykling, Cybertinus
08:21 -!- STF [~stf@i538779F8.versanet.de] has quit [Ping timeout: 250 seconds]
08:27 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
08:28 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
08:29 -!- mattock is now known as mattock_afk
08:40 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
08:41 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
08:43 < shiin> Im trying to push a route and a dns server through my vpn, but as soon as I connect the vpn, only dig works to look up hostnames, no ping, host, nslookup, browser, nothing else. http://pastebin.com/bvsCkHuF this is my openvpn config.
08:49 < _FBi> I'm not sure how to do dns stuff, sorry
08:49 < _FBi> for me it's the basic iptables, netforwarding, server has dns resolv, google dns, etc.
08:55 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
08:58 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
08:58 < shiin> thing is that I have an internal network on my vpn server which should be published to the clients, so I can run websites there for example and access them when vpn connected from any client.
08:58 < shiin> so it could have to do with iptables and forwarding
08:59 < shiin> the server has 3 interfaces. eth0 is from the hosting provider the way out to the internet, vboxnet0 is a hostonly network across all virtual machines and tun0 is of course the vpn adapter
09:01 -!- stf [~stf@i538779F8.versanet.de] has joined #openvpn
09:01 < shiin> so far the vboxnet0 gets nat routing to eth0, but bind is listening on all 3 interfaces addresses
09:02 < shiin> so Ive configured bind to forward anything that isnt my host only network to the dns servers listed in resolv.conf, provided by the hoster.
09:03 < shiin> could the problem be caused by bind receiving a lookup request on the tun0 interface/address and attempt to forward it that way?
09:05 -!- stf [~stf@i538779F8.versanet.de] has quit [Ping timeout: 240 seconds]
09:05 < Plastefuchs> KermitTheFragger: look into using SIGUSR1. If i read the manpage right it should restart without reloading the config and even keeps the tun/tap and the key files read if you configure it right
09:08 < Plastefuchs> KermitTheFragger: also, the howto has some points regarding that, udner modifying a live server configuration
09:09 < KermitTheFragger> Plastefuchs: thx, ill look in to that
09:12 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:25 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:27 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
09:35 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
09:44 <@krzee> shiin, you sure you have access to the dns server when over the vpn?
10:01 < shiin> krzee: using dig @ip, I can query the dns server and validate it responds properly
10:02 <@krzee> what os are you pushing it to?
10:02 < shiin> osx
10:02 <@krzee> tunnelblick?
10:03 < shiin> viscosity
10:03 <@krzee> k i never used that but it will need to know you're pushing dns to that connection, because it needs to run an --up script to pull out the dns server and use it
10:04 < shiin> after being pushed to, I can find the new dns server in my /etc/resolv.conf
10:04 < shiin> and if I comment out the push command on the server respectively, it does not show up in /etc/resolv.conf
10:06 < shiin> krzee: is tunnelblick known to work with this kind of setup? cause Ive used it before on another vpn network, but couldnt get dns to work, so I switched to my own local resolver config that points a certain top level domain to the dns server available in the vpn.
10:07 <@krzee> not sure but i can see the settings in tunnelblick since i use it, i use something else to manage where my dns goes
10:08 < shiin> in this case however Im also pondering if/how I can connect to the vpn using iOS to point apps at the websites/webservices
10:08 <@krzee> "to point apps at the websites/webservices" huh?
10:09 < shiin> for instance, I have a jenkins and a gitlab on the network I connect to using vpn. I want iOS apps to be able to access these.
10:09 < shiin> but -not- through the bare internet.
10:10 <@krzee> the services run on the lan of vpn server or on the vpn server itself?
10:10 < shiin> on the lan of the vpn server
10:10 <@krzee> ok
10:10 <@krzee> that lan must not be a common subnet.
10:10 <@krzee> then you:
10:10 <@krzee> !serverlan
10:10 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:10 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:11 < shiin> the lan is 192.168.56.0 and the vpn is 10.8.0.0
10:11 <@krzee> then you connect to those apps via LAN ip
10:12 <@krzee> and your firewalls should allow connections from vpn subnet but not the internet
10:13 < shiin> the server has ip forwarding enabled, because it acts as a router with a third, external address. the external address is on eth0, the 192.168.56.1 address is on vboxnet0 and the 10.8.0.1 address is on tun0
10:14 < shiin> the server also has that nat configured using iptables like http://pastebin.com/PfrHeUUJ
10:15 < shiin> Im still working to understand your proposal, please bear with me.
10:16 < shiin> the server does push a route for its lan to clients, thats what I do by setting push "route 192.168.56.0 255.255.255.0"
10:16 < shiin> and the router of the lan the server is on needs a route added to it - this is what might be missing
10:16 < shiin> !route_outside_openvpn
10:16 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
10:16 <@krzee> ok, when you connect can you ping 192.168.56.1 from the client?
10:18 -!- KermitTheFragger [~KermitThe@62-177-178-202.dsl.bbeyond.nl] has quit [Quit: Leaving]
10:18 < shiin> I think so. let me verify it. hopefully IRC wont disconnect.
10:18 <@krzee> even better, follow my flowchart for this
10:18 <@krzee> http://ircpimps.org/serverlan.png
10:19 <@krzee> when you get to an answer on that feel free to let me know =]
10:19 -!- shiin [~shiin@funtoo/core/shiin] has quit [Read error: Connection reset by peer]
10:19 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
10:20 <@krzee> you're connecting from outside the network, right?
10:20 < shiin> well duh. yes, the ping worked, but I couldnt ping google.com anymore, which is part of my problem.
10:20 < shiin> now Im on another computer so I can still experiment.
10:20 <@krzee> from within the same lan as the server?
10:21 < shiin> no, the lan is on a hosted server somewhere far away.
10:21 <@krzee> ok cool
10:21 <@krzee> why are you changing dns? are you also routing all internet traffic through the vpn?
10:22 < shiin> Im changing dns because I want to use names for the services provide on the lan I connect to. such as gitlab.lan or jenkins.lan, I do not intend to route all traffic through the vpn, but Id do it if its the only way to get it to work.
10:23 <@krzee> ok so heres what i think is happening
10:23 <@krzee> you are getting a new nameserver, but trying to contact it over your existing internet connection, and since it is not an open relay it does not allow
10:24 <@krzee> if you want to route dns over the vpn you will need to also push a route for the dns server's ip or subnet, and setup NAT on the server as if you were doing a redirect setup, just dont push redirect-gateway
10:24 <@krzee> !redirect
10:24 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:24 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:25 <@krzee> !linnat
10:25 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:25 <@krzee> that, or just contact your services by LAN ip
10:26 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
10:26 <@krzee> shiin, you follow what im saying?
10:26 < shiin> krzee: processing.
10:27 < shiin> so in my config Ive pushed the route 192.168.56.0 but the pushed dns is 10.8.0.1
10:27 <@krzee> the nameserver IP, is it a lan ip or an internet ip?
10:28 < shiin> lan ip. I let the nameserver listen on 127.0.0.1 and 192.168.56.1 and 10.8.0.1
10:28 <@krzee> oh nevermind then
10:28 <@krzee> well kill the nameserver thing for now
10:28 <@krzee> lets get the lan working
10:28 <@krzee> 1 thing at a time ;]
10:29 < shiin> right. that involves another nat rule?
10:29 <@krzee> no, ignore all that i was thinking the DNS server was a public ip
10:29 <@krzee> sorry for confusing
10:29 < shiin> uhm okay.
10:29 <@krzee> follow this after you get rid of the DNS push, http://ircpimps.org/serverlan.png
10:30 < shiin> will do.
10:30 < shiin> should I also turn of redirect-gateway, or does that not matter?
10:30 <@krzee> you have that on??
10:31 < shiin> well like I posted in my config, yes
10:31 <@krzee> you posted configs??
10:31 <@krzee> haha i missed that
10:32 < shiin> did you find it or should I post it again?
10:32 <@krzee> well of course comment that out, you told me you did NOT want to route all internet over the vpn
10:32 <@krzee> that is WHAT redirect-gateway does… how did you get these configs?
10:33 < shiin> I followed a tutorial on the debian wiki that explained this is how to make it work for android and iOS devices.
10:33 <@krzee> =[
10:33 <@krzee> !walkthrough
10:33 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
10:33 < shiin> my bad.
10:34 <@krzee> its important to read every config option you use in the manual
10:34 <@krzee> !man
10:34 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:34 <@krzee> see what they do… then you will know if you want them
10:34 <@krzee> every config option is there as a --long option
10:34 <@krzee> !--
10:34 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
10:35 <@krzee> !tcp
10:35 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
10:35 <@krzee> !ipp
10:35 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
10:35 < shiin> http://ircpimps.org/serverlan.png <- this evaluates to 'it works'
10:36 <@krzee> ok now re-enable dns and it should still work, but now also by dns
10:37 <@krzee> then, i have a couple questions...
10:38 < shiin> still works. nameserver 10.8.0.1 is in my resolv.conf
10:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
10:38 <@krzee> so ya, now it does what you want.
10:38 <@krzee> time for some questions:
10:38 <@krzee> why tcp?
10:39 < shiin> dig google.com says 'warning: recursion requested but not available'
10:39 < shiin> https://wiki.debian.org/OpenVPN#Debian_Server_with_Android_.2F_iOS_devices <- this is where they pointed out using tcp, the default configuration went with udp
10:39 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
10:39 <@krzee> thats your nameserver, configure it.
10:39 -!- gigo1980 [~Adium@178-25-19-170-dynip.superkabel.de] has quit [Quit: Leaving.]
10:39 < shiin> so I assumed android/iOS devices require tcp
10:39 <@krzee> i have no intention on reading their walkthrough
10:39 <@krzee> no, they do not.
10:39 <@krzee> !tcp
10:40 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
10:40 < shiin> I saw that its bad, I feel bad now.
10:40 <@krzee> debian wiki is for learning debian ;]
10:40 <@krzee> same reason you arent asking these in #debian
10:41 <@krzee> also, on android i personally prefer openvpn for android
10:41 < shiin> Ive switched it back to udp, still works up to the same point.
10:41 <@krzee> !android
10:41 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/
10:42 <@krzee> !connect
10:42 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
10:42 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
10:42 < shiin> I saw theres an iOS app for openvpn too
10:42 <@krzee> yes, the naming is hella confusing
10:42 < shiin> but still. first things first? Ill look at the dns issue now.
10:46 -!- mattock_afk is now known as mattock
10:48 <@krzee> connect for ios/android are free and mostly opensource, and theres a connect for pc that connects to access-server which is a paid product
10:48 <@krzee> somewhere along the line the naming and website got all fubar :D
10:48 <@krzee> !license
10:48 <@vpnHelper> "license" is (#1) OpenVPN 2 is a GPLv2 project and can be distributed, modified, and used under the GPLv2 license. or (#2) Note that any commercial products are under their own EULA; these include AS, Connect, and any services provided by 'OpenVPN Technologies, Inc.' These are not maintained by the open-source community. or (#3) The website is somewhat confusing on purpose to lead you to the non-free
10:48 <@vpnHelper> Access Server stuff. OpenVPN is fully GPL with no fees required for use under that license. If you want to download the GPL openvpn see !download
10:48 -!- mattock is now known as mattock_afk
11:01 <@krzee> shiin, next question is do you really want client-to-client?
11:02 < shiin> krzee: it works! I fixed the dns
11:03 < shiin> and no, maybe not. I just left it in there to ponder it later.
11:03 <@krzee> !c2c
11:03 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
11:03 <@vpnHelper> other clients
11:03 < shiin> never mind then. Ill scrap that.
11:04 < shiin> gonna drive home now, will be back in ~1 hour
11:04 < shiin> thank you very much
11:04 <@krzee> sounds like you're done anyways
11:04 <@krzee> no problem =]
11:05 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
11:37 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:49 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:00 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:03 -!- dazo is now known as dazo_afk
12:08 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:09 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Client Quit]
12:10 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:11 -!- zeroNones [~textual@187.204.140.4] has joined #openvpn
12:21 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
12:22 -!- Airwave [~Airwave@94.246.37.45] has joined #openvpn
12:23 < Airwave> !heartbleed
12:23 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
12:23 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
12:26 < Airwave> I'm running a site-to-site VPN between two routers (UDP, TUN, port 1194). If I leave a ping running from one network to the other, the connection works fine. If I don't, the VPN drops out often for several minutes at a time.
12:26 < Airwave> I have "keepalive 10 60" in my config.
12:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
12:32 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
12:32 -!- pekster_ is now known as pekster
12:34 < pekster> Airwave: What do your logs at both ends say? Do you get a connection restarted due to ping-timeout on the client?
12:34 < Airwave> pekster: The connection is down at the moment. Once it comes back up, I can check the logs.
12:35 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 260 seconds]
12:35 < pekster> That `keepalive` directive is on your server config, right?
12:38 < Airwave> pekster: Yeah.
12:38 < Airwave> Ugh. I was messing around with restarting it, so I have to make sure I'm not copying those logs.
12:39 < pekster> Provided the client has --pull (implied by --client) and doesn't override the --ping value with something silly, that setup sounds fine
12:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
12:42 < Airwave> pekster: Client config: http://ur1.ca/hzak5
12:42 <@vpnHelper> Title: #125917 Fedora Project Pastebin (at ur1.ca)
12:43 < Airwave> Server: http://ur1.ca/hzakc
12:43 <@vpnHelper> Title: #125918 Fedora Project Pastebin (at ur1.ca)
12:46 < pekster> The client is not doing any in-band pings, so no traffic means the server drops the connection after 2*60 seconds, or 2 minutes
12:46 < pekster> You'll need to add the keepalive directive on the client too since the expansion on the server-side won't be pushing directives as the client does not pull them
12:47 < Airwave> I see. Would adding the "client" directive accomplish this?
12:47 < pekster> No, becuase you're not running a "multi-client" server
12:47 < Airwave> Ah.
12:47 < pekster> You could, but you'd need to use the TLS setup. That is still compatible with the p2p topology you want (where devices are configured as true Point-to-Point devices)
12:49 < Airwave> I use TLS for my "one server many clients" setup, but I figured that for this setup with one server and one client, static key would be simpler.
12:49 < Airwave> Okay, I threw in a "keepalive 15 60" on the client now.
12:49 < pekster> It's less complex to set up, although you do give up forward-secrecy, so it's a trade-off
12:50 < Airwave> Oh, I lose forward secrecy with a static key. That's interesting. I didn't know that.
12:50 < Airwave> I might change it then.
12:51 < shiin> krzee: when I dig for iOS and openvpn I always stumble across the openvpn connect app. does that mean theres no other way, or theyre just ahead with indoctrinating people that they need to install an app what the system might be able to do natively?
12:52 < pekster> In static key the key is used quite literally as a "static encryption key" -- it won't ever change unless you roll it manually. TLS generates ephemeral data encryption keys every hour
12:53 < Airwave> Ah, I see.
12:53 < Airwave> I didn't know that that's how it worked with a static key. Thanks for the heads up.
12:56 < Airwave> pekster: Adding keepalive to the client config seems to have done the trick. Thanks so much!
12:57 < pekster> sure
13:01 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
13:02 -!- gigo1980 [~Adium@pD954CBDE.dip0.t-ipconnect.de] has joined #openvpn
13:07 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:10 -!- gigo1980 [~Adium@pD954CBDE.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
13:15 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
13:16 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Quit: Bye.]
13:16 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Client Quit]
13:22 -!- Airwave [~Airwave@94.246.37.45] has left #openvpn ["Bye"]
13:28 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 250 seconds]
13:35 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
13:36 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
13:36 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Remote host closed the connection]
13:47 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
13:50 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Client Quit]
13:55 -!- micah [~micah@debian/developer/micah] has joined #openvpn
13:55 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
13:56 < micah> at what point is the threshold beyond which VPN over TCP is of equal performance with VPN over UDP but with lower MTU?
13:57 <@krzee> o.O ?
13:57 <@krzee> the issue with openvpn over tcp is the meltdown effect
13:58 <@krzee> network performance hiccups can build and build til the vpn goes unusable
13:58 <@krzee> !tcp
13:58 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:58 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has quit [Ping timeout: 250 seconds]
14:00 <@krzee> if you're looking for some sort of graph about performance with different protocols and mtu, ild answer i know of no such info, and that it would totally change depending on the networks being used… some people can get away with using tcp and dont notice meltdowns… others will not be so lucky
14:00 < micah> krzee: the problem is I have different users with different MTU sizes, I can lower the fragment/mss to 1200 and probably catch 90% of them, but I wonder if that is going to reduce the overall performance
14:00 < micah> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux <--- that shows some different performance results with larger MTUs and different ciphers, pretty interesting, but I can't go larger :)
14:00 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
14:02 <@krzee> unfortunately i've never gotten to play with those settings cause ive never had mtu issues
14:02 <@krzee> but maybe you could get away with leaving the server and using mssfix on the client?
14:02 <@krzee> worth a try =]
14:02 < micah> i understood that you had to set those options on both sides
14:03 <@krzee> i overheard others talking the other day and i think someone said something about being able to selectively use mssfix, but im not totally sure
14:03 <@krzee> i would love more docs about mtu configuring and spficically the exact differences between all the different options and when each might be used
14:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
14:23 -!- hlarsen [~hlarsen@98.207.17.198] has joined #openvpn
14:25 -!- zeroNones [~textual@187.204.140.4] has quit [Quit: Textual IRC Client: www.textualapp.com]
14:26 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has joined #openvpn
14:30 < hlarsen> hey guys, i'm trying to get the public ip of an openvpn tunnel using a script run on '-up', but from what i understand i can't pass packets through the tunnel at that point. are there any workarounds? i read a few things about immediately passing control back to openvpn from a script, but i'm not clear on how to do that or if it will work.
14:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:36 < loeken> hlarsen, did you make the script executable?
14:37 < loeken> enable logging in the server and tail the log it should show if there are errors
14:44 < hlarsen> loeken: the script runs fine, the problem is i can't pass traffic through the tunnel from a script that is called by the openvpn 'up' config file directive.
14:45 < hlarsen> at least that's what i'm gathering from forum posts (from 2005), i'd love to find a way to do it. i'm trying to get the public ip on the other side of the tunnel
14:46 -!- zeroNones [~textual@187.204.140.4] has joined #openvpn
15:01 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:07 <@krzee> the public ip is not the same as the server's ip?
15:08 <@krzee> maybe you can use the script to fork another script to background, disown it, exit with success, then have the disown'ed script sleep for a minute before it checks for the ip?
15:08 <@krzee> kinda a hack, but its what i got unless theres another script hook that can do what you need
15:08 <@krzee> if there is, it's listed here:
15:08 <@krzee> !script
15:08 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
15:16 < hlarsen> krzee: yeah i think that'll have to be the way, i just wanted to make sure i wasn't missing anything. thanks for the tip
15:20 <@krzee> not sure honestly, not even sure why you need the external ip upon connection
15:25 < hlarsen> to set it in some config files
15:29 -!- mattock_afk is now known as mattock
15:38 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
15:45 -!- s0m3b0dy [~textual@209.222.7.237] has joined #openvpn
15:45 -!- s0m3b0dy [~textual@209.222.7.237] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
15:47 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:49 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:49 <@Eugene> Today I get to set up bridging. Oh joy.
15:50 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 255 seconds]
15:57 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
15:58 -!- mattock is now known as mattock_afk
16:02 -!- hlarsen [~hlarsen@98.207.17.198] has quit [Quit: leaving]
16:05 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
16:07 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Client Quit]
16:25 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
16:39 -!- zeroNones [~textual@187.204.140.4] has quit [Ping timeout: 246 seconds]
16:55 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Read error: Connection reset by peer]
16:56 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
17:09 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:10 <@krzee> =[
17:10 <@krzee> briding makes krzee sad
17:10 <@krzee> bridging
17:10 <@krzee> every time you bridge a vpn, god kills a kitten
17:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:47 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Remote host closed the connection]
17:48 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
17:53 -!- synged [~synged@71-223-1-10.phnx.qwest.net] has joined #openvpn
17:53 < synged> hi i have a question about openvpn
17:53 -!- Denial [~Denial@host86-174-170-118.range86-174.btcentralplus.com] has quit []
17:54 < synged> there is a version that has a nice gui for windows but i am unable to find it the versions i see on the openvpn downloads section just use the simple grey box icon
17:54 < pekster> The tray icon changed somewhat recently
17:54 < synged> anyone know where i can get the windows desktop client version of openvpn?
17:54 < pekster> The menu and functionality is identical
17:55 < pekster> !download
17:55 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:55 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:55 < pekster> There are some other unofficial GUIs, but you're generally best off with the official one as it's tested for functionality
17:55 < synged> do u know which version im talking about pekster?
17:55 < synged> do u know what happened to it?
17:56 < pekster> You mean just the icon itself?
17:56 < pekster> The menu is 100% identical
17:56 < pekster> Only the icon changed
17:56 < synged> well something is wrong then when i install it
17:56 < pekster> Anything else is not OpenVPN. Maybe you mean the commercial "Connect" software, but that's different
17:56 < synged> where do i get the connect software?
17:56 < pekster> !as
17:56 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
17:57 < pekster> Connect is designed for the client end when you're paying for an AS license, and that's not something the open-source community can help with
17:57 < pekster> You might be able to convince connect to speak vanilla openvpn, but must of us here haven't the slightest clue about it
17:58 < synged> the version i want has a menu like this http://blog.erben.sk/wp-content/uploads/2013/02/openvpn-client1.png
17:58 < pekster> !connect
17:58 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
17:58 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
17:59 < pekster> You need to write your own configs for the GPL stuff anyway. If you're not paying for the AS product, why would you want to use that client anyway?
17:59 < synged> ok i understand now
18:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:02 < synged> !download
18:02 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
18:02 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
18:04 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
18:15 -!- raidz is now known as raidz_away
18:20 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:25 -!- synged [~synged@71-223-1-10.phnx.qwest.net] has quit []
18:29 <@Eugene> brctl, die in a fire.
18:49 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 260 seconds]
18:52 <@Eugene> Also, fuck the openvpn tap document for mentioning ifconfig
18:54 <@Eugene> !static
18:54 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
18:54 <@Eugene> !factoids
18:54 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
18:55 <@Eugene> !man
18:55 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
18:56 -!- u0m3 [~u0m3@92.80.93.41] has quit [Read error: Connection reset by peer]
18:59 <@Eugene> If I'm doing a br0 of tap0<-->ethN on both sides, the invocation I'm looking for is `openvpn --dev tap0 --secret openvpn.key --port 1194 --local 1.2.3.4`, with no --server-bridge, correct?
18:59 <@Eugene> (and `openvpn --dev tap0 --secret openvpn.key --remote 1.2.3.4 --port 1194`)
19:00 <@Eugene> No addressing or other garbage, just a long ethernet cable(yes, there's good reason, I hate it)
19:00 < pekster> It's usually wise to have keepalive on each end too to keep UDP firewalls happy
19:00 <@krzee> ild answer if i could, iirc the cookbook does go over it but im out on vacation so i dont have it handy
19:00 <@Eugene> Both hosts are luckily on public IPs
19:01 < pekster> And not using stateful firewalls? o.O
19:01 <@Eugene> I just did a flat whitelist of UDP:1194 for this.
19:01 <@Eugene> Backstory involves shitty, shitty voip desk phones
19:02 <@Eugene> And me not wanting to drive 6 hours to fucklahoma to plug in to a PBX
19:02 < pekster> I did remote VoIP that needed TFTP boot via routers we sent out
19:02 <@Eugene> That's the one
19:02 < pekster> But I routed it ;)
19:03 < pekster> DHCP at the far end handed out the right TFTP boot server and tftp file path (option 66 and whatever-the-hell-the-other-one-is) and the phones just asked for it, and the IP was routed over the VPN
19:03 < pekster> Magic.
19:03 <@Eugene> I just stuck a cable between the spare rj-45 on my home router and the phone
19:03 <@Eugene> Then gonna let it speak DHCP out to the pbx thing
19:04 <@Eugene> But that is a nifty idea
19:04 < pekster> Worked well enough for the CEO there
19:06 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
19:06 <@Eugene> 5PM. That's the end of my arguing for today.
19:06 <@Eugene> !beer
19:06 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
19:07 -!- u0m3 [~u0m3@92.80.93.41] has joined #openvpn
19:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:15 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
19:21 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has joined #openvpn
19:29 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 250 seconds]
19:32 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Disconnected by services]
19:32 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
19:33 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
19:36 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 246 seconds]
19:55 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: My computer has gone to sleep.]
20:22 -!- raidz_away is now known as raidz
20:34 -!- Teduardo [~Teduardo@57.0.be.static.xlhost.com] has quit [Ping timeout: 255 seconds]
20:50 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
21:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Read error: Connection reset by peer]
21:35 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
21:44 -!- Netsplit *.net <-> *.split quits: eagles0513875, hays, TheEternalAbyss, AsadH, xeqt, yerodin, @dazo_afk, defswork, Matir_, sauce,  (+11 more, use /NETSPLIT to show all of them)
21:45 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Write error: Connection reset by peer]
21:45 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
21:48 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 244 seconds]
21:50 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
21:53 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
21:53 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:55 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:13 -!- Netsplit over, joins: @dazo_afk, @mattock_afk, @raidz, Zimsky, hays, lbft, jgeboski, xeqt, AsadH
22:13 -!- raidz is now known as raidz_away
22:13 -!- Netsplit over, joins: Kephael, yerodin, Matir_, Cultist, hydrajump, prettyrobots, +RBecker, _KaszpiR_, TheEternalAbyss, defswork (+1 more)
22:14 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Remote host closed the connection]
22:15 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
22:16 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:36 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Read error: Connection reset by peer]
22:36 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
22:37 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:44 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
22:44 -!- michaelhart [~michaelha@192-0-240-20.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:47 -!- tempus_fol [~tempus@gateway/tor-sasl/foltempus] has quit [Remote host closed the connection]
22:56 < lachesis> hey guys, i'm having a weird problem with openvpn default routing - redirect-gateway def1 doesn't appear to do anything for me, either when put on the client side or as push "xxx" on the server side
22:56 < lachesis> the odd bit is that if i configure it in network manager, it seems to wokr
22:56 < lachesis> work*
22:58 < lachesis> i can ping the other box across the tunnel fine
22:58 < lachesis> server config: https://gist.github.com/lachesis/8b13fefec80c83ebe491
22:58 <@vpnHelper> Title: openvpn server config (at gist.github.com)
23:00 < lachesis> client config: https://gist.github.com/lachesis/9864f9e7a8c93a26366c
23:00 <@vpnHelper> Title: openvpn client config (at gist.github.com)
23:00 < Poster> lachesis: everything works when you manually route the traffic?
23:01 < lachesis> Poster: hmm 1 sec, let me see
23:01 -!- raidz_away is now known as raidz
23:01 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
23:03 < lachesis> routing table (22.11.33.44 is VPN public IP): https://gist.github.com/lachesis/86760fed84ca5fc3d82b
23:03 <@vpnHelper> Title: routing table (at gist.github.com)
23:04 < lachesis> let me try manual routing, 1 sec
23:06 < Poster> you should have a route to 0.0.0.0/1
23:07 < lachesis> yeah, i don't :)
23:07 < lachesis> manual routing works fine
23:11 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
23:18 < lachesis> manual routing works fine
23:19 < lachesis> but that route isn't getting added
23:29 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
23:36 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
23:46 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:49 < lachesis> alright Poster, still around? for some reason openvpn isn't creating the 0.0.0.0/1 route
23:50 < lachesis> if i do, it works
23:53 < lachesis> they're adding the 128.0.0.0/1 route though
23:54 < lachesis> which is strange, b/c i see it trying to add the route in my openvpn config
23:54 < lachesis> https://gist.github.com/lachesis/eb2a917249db014366dd
23:54 <@vpnHelper> Title: partial client log (at gist.github.com)
23:54 < lachesis> s/config/log/
23:59 -!- ShadniX [dagger@p5DDFDE30.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Sat Aug 16 2014
00:00 -!- ShadniX [dagger@p5DDFE745.dip0.t-ipconnect.de] has joined #openvpn
00:00 < lachesis> anyone know what's up there?
00:04 < lachesis> aha! something removed the 0/1 route
00:04 < lachesis> i saw it in the routing table for a sec while doing watch -n0.1 ip route
00:05 < lachesis> hmm how can i figure out what might be removing the default route?
00:14 < lachesis> ok, more details
00:14 < lachesis> 0.0.0.0/1 route is being removed by networkmanager :(
00:18 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
00:25 -!- mattock_afk is now known as mattock
00:37 -!- troyt_ [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 240 seconds]
00:43 -!- troyt_ [~troyt@c-67-161-211-139.hsd1.ut.comcast.net] has joined #openvpn
01:11 -!- mattock is now known as mattock_afk
01:22 < Poster> :(
01:23 < Poster> I guess we could break it into 4 pieces
01:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:24 < Poster> 0.0.0.0/2 64.0.0.0/2 128.0.0.0/2 192.0.0.0/2
01:24 < Poster> what is the distro on the client host?
01:31 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
01:37 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
01:50 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:51 -!- zapotek6 [~zap@mi-18-29-162.service.infuturo.it] has joined #openvpn
01:52 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:56 < lachesis> Poster: it's arch linux
01:56 < lachesis> not happening on my buddy's ubuntu
01:56 -!- zapotek6 [~zap@mi-18-29-162.service.infuturo.it] has quit [Ping timeout: 272 seconds]
01:58 < Poster> lachesis: gotcha, you could try adding smaller slices mentioned above to see if networkmanager removes them
01:58 < lachesis> Poster: not a bad idea
01:59 < lachesis> i'm gonna try my normal approach to arch bugs, though - wait a week or two and see if it's fixed :)
01:59 < lachesis> i can work around by loading all my OpenVPN configs into NM
01:59 < Poster> that works too!
01:59 < lachesis> which isn't a terrible idea anyway
01:59 < lachesis> thanks for the patience :)
02:01 < lachesis> Poster: hmm, any idea how I can push a null ipv6 route?
02:01 < lachesis> i tried 'push "route-ipv6 2000:/3 ::0"'
02:02 < lachesis> ah derp again
02:02 < lachesis> ::/3
02:02 < lachesis> sorry, i'm not doing great tonight :)
02:03 < lachesis> ah now it's not working for a reason i'm not sure I can fix...  not adding 2000::/3, no IPv6 on if tun0
02:03 < lachesis> i guess i could give the tunnel a private IPv6 address
02:06 < lachesis> or i could figure out my provider's ipv6 and route it over the tunnel.. .null route was gonna just be a quick fix
02:46 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
03:00 -!- raidz is now known as raidz_away
03:10 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
03:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
03:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:36 -!- DachesBella [~dachesbel@fsf/member/dachesbella] has joined #openvpn
03:40 -!- mattock_afk is now known as mattock
04:09 -!- mattock is now known as mattock_afk
04:23 -!- DachesBella [~dachesbel@fsf/member/dachesbella] has quit [Remote host closed the connection]
04:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:01 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:05 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:10 < asturel> what could be the problem if i have very bad latency via openvpn? 1500 mtu could be the problem?
05:11 < asturel> i mean even ping throught openvpn is 3-5x higher than w/o
05:20 -!- mattock_afk is now known as mattock
05:32 -!- Denial [~Denial@host86-174-170-118.range86-174.btcentralplus.com] has joined #openvpn
05:40 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
05:52 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
05:57 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has joined #openvpn
06:01 -!- rfc5340 [~rfc5340@e0109-106-188-100-230.uqwimax.jp] has joined #openvpn
06:06 -!- mt [supermat@unaffiliated/supermat] has left #openvpn ["WeeChat 1.0-rc1"]
06:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:22 -!- mattock is now known as mattock_afk
07:15 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 255 seconds]
07:21 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
07:33 -!- st34lth [~st34lth@pool-71-179-132-91.bltmmd.fios.verizon.net] has joined #openvpn
07:37 -!- redpill [~redpill@unaffiliated/redpill] has quit [Read error: Connection reset by peer]
07:52 < st34lth> hello
07:52 < st34lth> i'm setting openvpn 2.3.4 via rhel6 on cent0s6. My android client can connect but gives me a known error https://community.openvpn.net/openvpn/wiki/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq
07:52 <@vpnHelper> Title: 317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq – OpenVPN Community (at community.openvpn.net)
07:53 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
07:54 < st34lth> the solution is odd, my android client won't always have an ip in the  range it has now, I can't be setting clients that way?
08:06 <@krzee> st34lth, are you trying to share the client lan?
08:06 < st34lth> yes
08:06 <@krzee> !iroute
08:06 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:06 <@krzee> !clientlan
08:06 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
08:06 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
08:09 < st34lth> I just tried to connect using my own wifi. still drops packets
08:11 <@krzee> lol
08:11 < st34lth> and disabled client-to-client
08:11 <@krzee> dont connect to your lan from your lan, while sharing your lan
08:12 <@krzee> im gunna get ready for my flight, bbl
08:12 <@krzee> post your configs without comments like here:
08:12 <@krzee> !configs
08:12 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:12 <@krzee> and ill take a quick look when im free
08:13 <@krzee> but fort sure you need to test from a different place, not from your lan to your lan
08:13 < st34lth> http://pastie.org/9478339
08:13 < st34lth> thanks
08:14 <@krzee> you are sharing the most common subnet there is
08:14 <@krzee> that will have problems when you happen to find yourself connecting from another location with that subnet
08:14 <@krzee> !samesubnet
08:14 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the
08:14 <@vpnHelper> subnet
08:14 <@krzee> !randomsubnet
08:14 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
08:15 <@krzee> now use this:  http://pekster.sdf.org/misc/clientlan.png
08:15 <@krzee> while NOT connecting from your house to your house
08:15 <@krzee> it needs to be from somewhere else
08:30 -!- st34lth [~st34lth@pool-71-179-132-91.bltmmd.fios.verizon.net] has quit [Ping timeout: 250 seconds]
08:33 -!- RBecker is now known as RBecker-
08:33 -!- RBecker- is now known as RBecker
08:43 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
09:06 -!- rfc5340 [~rfc5340@e0109-106-188-100-230.uqwimax.jp] has quit []
09:18 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
09:18 < ice9> I'm connected to openvpn service but internet traffic is not routed through it!
09:18 < ice9> archlinux NetworkManager, gnome-shell
09:21 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
09:22 <@krzee> !redirect
09:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:22 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
09:22 <@krzee> !netman
09:22 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
09:23 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
09:28 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
09:38 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:46 -!- akurilin [~alex@208.185.21.146] has quit [Ping timeout: 245 seconds]
09:50 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 264 seconds]
09:50 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
09:53 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
09:58 < ice9> when I connect through socks5 I get this "recv_socks_reply: Socks proxy returned bad reply"
10:13 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
10:17 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
10:22 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
10:32 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
10:48 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:52 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
11:00 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
11:36 -!- Olivier [Olivier@185.13.226.177] has quit [Ping timeout: 244 seconds]
11:40 -!- Olivier [Olivier@185.13.226.177] has joined #openvpn
11:51 -!- raidz_away is now known as raidz
12:06 -!- Morph4me [~morph4me@74-50-124-83.static.hvvc.us] has joined #openvpn
12:17 -!- Morph4me [~morph4me@74-50-124-83.static.hvvc.us] has quit [Quit: Leaving]
12:19 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
12:20 < ice9> how to connect to openvpn server through socks5 proxy "tor"
12:21 < pekster> This is a very silly thing to want, generally. You'll leak any details visible in the certs on either side of your VPN to the tor exit node
12:22 < ice9> pekster: it's the same to your ISP if not using tor!
12:22 < pekster> Right, but you should assume an exit node is "most hostile than usual" to your traffic
12:23 < pekster> Most people seem to put all sorts of stupid details in their certs like the name, city, location, company, etc
12:23 < pekster> Treat this as plaintext, because certs are exchanged in the clear
12:23 < ice9> well, is it that easy to break openvpn connection either by the isp or tor exit node??
12:23 < ice9> ah
12:23 < ice9> but I will connecto to public vpn service not my own server
12:23 < pekster> Yes, it's just a matter of dropping the traffic. The larger threat over tor is that you can assume some exit nodes are sniffing traffic, just becuase they can
12:24 < ice9> pekster: you mean sniffing encrypted vpn traffic is easy?
12:24 < pekster> Yes. Decrypting it is not, however.
12:24 < pekster> Why would you think sniffing a TLS exchagne is any harder than sniffing other kinds of traffic?
12:25 < pekster> You can't see inside the encrypted stream, but you can see anything else, including the TLS exchanges where certs are exchanged in *PLAINTEXT*
12:25 < pekster> (that's why it's called a public certificate)
12:25 < ice9> yes it can be sniffed
12:25 < pekster> If you have been issued a cert, this at the very least opens you up to traffic analysis
12:25 < pekster> (ie: they won't know where you're connecting from, but they'll be able to tell it's the same VPN user as yesterday)
12:26 < pekster> And again, only if you use client-side certs
12:26 < ice9> again, using tor isn't that bad if you know that the isp is already doing so
12:26 < pekster> Maybe. Depends on your threat model
12:26 < ice9> right
12:26 < ice9> so how can I use tor?
12:27 < pekster> You'll need the --socks-proxy option in your local config
12:27 < pekster> That specifically requires SOCKS5
12:27 < ice9> I have don't that but I get  "bad reply from socks server"
12:28 < pekster> Using TCP as the VPN transit? tor won't do UDP
12:29 < ice9> so I should connect to the vpn using tcp?
12:29 < pekster> You have no choice as tor does _NOT_ do UDP
12:29 < pekster> And the far end needs to support it. If not, you cannot use tor at all
12:30 < _FBi> afternoon pekster
12:36 -!- clyons|2 [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:37 < ice9> during connection after Initialization I get:
12:37 < ice9> which: no resolvconf in ((null))
12:37 < ice9> Could not find the resolvconf binary, guessing it
12:37 < ice9> but I have /usr/bin/resolvconf
12:37 -!- clyons|3 [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:38 -!- clyons|3 [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Max SendQ exceeded]
12:38 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
12:39 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Remote host closed the connection]
12:40 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
12:41 -!- clyons|2 [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
12:44 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
12:48 -!- chieftex [~IceChat9@90.205.2.93] has joined #openvpn
12:48 < chieftex> !welcome
12:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:50 < chieftex> !goal
12:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:51 < chieftex> !howto
12:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:11 < chieftex> goals = I would like to access my linux NAS remotely (inc various web guis) securely, as well as anonymise traffic on my various windows pc's and android phone, in addition to safe use of public wifi hotspots. I'm willing to learn and to pay for a service (which allows openvpn use), but I just need to be pointed in the right direction as I'm a little confused.
13:12 < pekster> Use tor if you want to be anonymous. VPNs are the exact opposite of anonymous as they require 100% unique identification of the authentication details
13:12 < pekster> Now some "providers" try to sell services claiming that they don't do anything with that known authentication, and you're free to trust such marketing as you see fit, but that's less a technical burdon than a social/policy one
13:13 < pekster> You can redirect traffic over a VPN (once you have it working: need to follow !howto for that) by setting up a server that does: !redirect
13:13 < pekster> That means you're redirecting traffic through a server _you_ control
13:13  * chieftex takes notes
13:13 < pekster> For access your own LAN behind a server, first follow the basic !howto, then see: !serverlan
13:14 < pekster> And your server LAN should have a unique numbering scheme. Don't use common networks (like 192.168.0/24 or 192.168.1/24, as they're very likely to conflict with real-world networks)
13:17 < chieftex> ok, so those vpn providers out there who offer anonymous traffic are not the same
13:18 < pekster> They won't connect you to your own home network, no
13:18 < pekster> How much you trust them to do what they claim as far as keeping you "anonymous" is between you and them. But ask yourself if they'd be willing to go to jail to protect you if their local government put pressure on them. Or people with guns broke in and threatoned to kill them
13:19 < chieftex> ok. so it appears my goals 1 and 3 require the same thing, whereas goal 2 requires something else
13:19 < pekster> Your $5/mo or whatever you're paying them just isn't worth death.
13:19 < pekster> Yea
13:19 < pekster> #3 you can handle by doing !redirect yourself, so your Internet-bound connections are securely routed though your home ISP, not out the wifi
13:20 < pekster> Your ISP (and anything upstream of it) can still spy on cleartext traffic from that point, but not the shadey guy in the corner logging everyone's wifi traffic
13:20 < chieftex> understood - thank you for clarifying
13:21 < chieftex> its basically like using my home wifi
13:21 < pekster> With the VPN to get you "into" it. Sort of.
13:21 < chieftex> ok at least to my isp and anything upstream of it, it's as if i am at home on my wifi
13:22 < pekster> Right, depends what you're trying to protect against
13:22 < chieftex> they guy in the corner of the cafe like you said :)
13:23 < pekster> Yup. And some forums don't use encryption at all (or use it poorly in a way that's easy to circumvent if you're skilled.) Your ISP is less likely to actively attack you than shady-cafe-guy
13:25 < chieftex> ok, so goal 2 requires something else. You mentioned Tor, which is similar to all those companies you were talking about no?
13:25 < pekster> Nope. Read their docs, but tor goes out of the way to gaurentee anonymous transactions that cannot (without lots of complicated side-channel attacks) be identified to any user
13:26 < pekster> VPNs are the exact opposite, because the technology is designed to do the exact opposite: identify the account connecting to the system
13:26 < pekster> Both use encryption, but the goals are very different
13:26 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
13:27 < ice9> after connection is initialized I get "[server] Inactivity timeout (--ping-restart), restarting" and it disconnects
13:27 < ice9> this happen everytime
13:27 < pekster> Proper use of tor is a bit complex too; for web browsing, for instance, you should always use their Tor Browser Bundle, not your own browser
13:27 < pekster> Just visit https://panopticlick.eff.org to see how "trackable" your browser is (and that doesn't involve cookies at all)
13:27 <@vpnHelper> Title: Panopticlick (at panopticlick.eff.org)
13:27 < chieftex> I've been reading that people recommend using a vpn for anonymising say torrent traffic, so that it is not possible (in theory) for anyone to trace you directly, apart from your vpn reseller of course
13:28 < pekster> ice9: So the connection was made fine, but the local end did not get any keepalive traffic from the far end and disconnected the connection
13:29 < ice9> pekster: seems so, also between intialization and disconnection I wasn't able to have internet connectivity like bing or http
13:29 < pekster> Are you even able to ping the VPN endpoint?
13:29 < pekster> ie: follow the flowchart for !redirect
13:30 < pekster> Either the connection is crap over the link you're using, or there's a configuration problem somewhere between the client & server
13:30 < pekster> (including either end)
13:30 < ice9> I can connect fine without tor
13:31 < pekster> Doesn't change the troubleshooting procedure
13:31 < ice9> !redirect
13:31 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:31 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:32 < ice9> pekster: but redirect is on server side only?
13:32 < pekster> It's often pushed, but you can supply --redirect-gateway locally. It won't do any good if the far side isn't configured in the OS to support it though
13:33 < pekster> --verb 4 will show you what options are pushed
13:37 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Remote host closed the connection]
13:49 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
13:49 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Remote host closed the connection]
13:57 < chieftex> does it make a practical difference whether you run a vpn on your router, or on a always-on server on your lan?
13:58 < pekster> Not really. Embedded routers tend to have less CPU power, although if your upload speed via your ISP is low (as it often is for residential connections) it won't really matter anyway
13:58 < chieftex> good point - mine is a paltry 1mbit
14:00 < pekster> Shouldn't be a problem as long as your router is able to otherwise run openvpn then
14:00 < chieftex> oh believe me, it isn't. It's the router the isp provides, which is a disaster.
14:03 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
14:03 < ice9> pekster: https://gist.github.com/anonymous/92cbf874e993785b7cf5
14:03 <@vpnHelper> Title: gist:92cbf874e993785b7cf5 (at gist.github.com)
14:04 < pekster> Rather goofy DNS to get pushed before googleDNS
14:06 < pekster> 25/8 shouldn't be used like that either, but AFAIK 25/8 isn't actually used by the UK MoD
14:06 < pekster> keepalive settings appear fine though. So you're probably not getting any keepalive traffic from the far end
14:07 < ice9> yeah
14:07 < pekster> --verb 5 will print characters for each packet received, which might give hints. Or see if a constant ping to the VPN endpoint keeps it open
14:07 < pekster> No traffic in 60 seconds means the client aborts and assumes the link is dead
14:10 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Remote host closed the connection]
14:12 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
14:12 < ice9> pekster: https://gist.github.com/anonymous/1410bffddaf06f7553ff
14:12 <@vpnHelper> Title: gist:1410bffddaf06f7553ff (at gist.github.com)
14:14 < pekster> only W out the interface, nothing received
14:14 < pekster> Looks to me like it's not getting any packets back from the far side
14:14 < pekster> If you can't ping the VPN endpoint your packets aren't making it to the peer for whatever reason
14:15 < pekster> ie: 25.25.4.1 in that last log
14:16 < pekster> Probably can't do a who lot more to figure out why without cooperation from the far end
14:16 < ice9> may be tor is blocking the traffic
14:17 < pekster> Seems a little odd to allow the connection and then drop it
14:17 < pekster> But possible
14:17 < pekster> It'd be even more odd if that happens across different exit nodes
14:18 < ice9> I noticed that when the vpn is connected , tor loses internet connectivity
14:18 < pekster> Oh, there's your problem then
14:18 < pekster> Need to exempt the tor process (maybe based on user ID or something else your OS can key off of) to _not_ get redirected like that
14:18 < pekster> Or possibly run tor on a differnet system (or even a VM) to keep the routing tables separate
14:19 < ice9> well, have you heard about leap bitmask?
14:19 < pekster> NFI
14:19 < ice9> leap.se
14:20 < ice9> bitmask client connects to opevnpn servers but ensures that no traffic leak happens when it's not reaching the server or for any other reason
14:20 < ice9> it uses iptabels rules
14:20 < ice9> client and server should be using leap platform
14:22 < pekster> You either need complex policy rourting or not run tor on a host your're also doing --redirect-gatway on
14:22 < pekster> What do you think happens when you try to send tor-to-Internet traffic over a VPN that is configured to use tor's SOCKS proxy (that in turns tries to send Internet-bound traffic over the VPN, which is sending its egress of tor? See the problem?)
14:23 < pekster> OpenVPN won't handle this case properly without you setting up semi-advanced routing on your host to allow for this setup
14:24 < ice9> right
14:25 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 272 seconds]
14:25 < pekster> Netfilter can use the `owner` module, so as long as you run tor as a unique user, you can key on that, `-j MARK` all traffic on mangle/OUTPUT, and use that as the fwmark to key off in an `ip rule` routing decision
14:25 < pekster> Then direct that to a secondary routing table that does not use the VPN, and uses your pre-existing network gateway as the default
14:27 < pekster> Some intro to policy routing on linux at:
14:27 < pekster> !lartc
14:27 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
14:28 < ice9> btw you seems very expereienced in openvpn and routing :)
14:29 < ice9> may I know how you earned this knowledge?
14:29 < pekster> Years of dealing with it
14:30 < pekster> There's lots of reading material on the subject too (such as LARTC.) The info is out there to be consumed, and failing there there's always the source code
14:38 < ice9> wow, learning routing from source code is hell
14:45 < pekster> Routing is fairly standardized (the rest is just local implementation of those standards)
14:47 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has joined #openvpn
14:48 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 260 seconds]
14:49 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
14:49 -!- mode/#openvpn [+o dazo_afk] by ChanServ
14:49 -!- dazo_afk is now known as dazo
14:49 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
14:50 -!- Netsplit over, joins: Denial, joako, yerodin, Matir_, Cultist, hydrajump, prettyrobots, +RBecker, _KaszpiR_, TheEternalAbyss (+2 more)
14:50 -!- Netsplit *.net <-> *.split quits: jgeboski, hays, @mattock_afk, xeqt, lbft, AsadH, Zimsky, @raidz, mapps
14:52 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Write error: Broken pipe]
14:52 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:52 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
14:52 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
14:52 -!- ServerMode/#openvpn [+oo mattock_afk raidz] by dickson.freenode.net
14:53 -!- hays [~hays@unaffiliated/hays] has quit [Max SendQ exceeded]
14:53 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
14:53 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
14:53 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
14:53 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:53 -!- xeqt [~xeqt@h-72-121.a146.priv.bahnhof.se] has joined #openvpn
14:53 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:55 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 264 seconds]
14:56 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
14:56 -!- st34lth [~st34lth@pool-71-179-132-91.bltmmd.fios.verizon.net] has joined #openvpn
14:58 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
14:59 < st34lth> Hello, I still need some guidance, I'm not able to be successful with my setup. I am setting up openvpn for home, I want clients to talk to each other and I want clients to talk to other servers behind the vpn server.
15:00 < st34lth> I'm using i'm on 2.3.4 on centos6. my setup is at http://pastie.org/9478339
15:01 < st34lth> my vpn server interfaces are bridged, I build vms on it. br0, br1
15:01 < st34lth> my clients are able to connect to the vpn, but not access the internet
15:01 < pekster> Don't bridge tun. Don't use bridging at all in fact unless you are transmitting non-IP raw Ethernet frames
15:02 < pekster> Unless you mean br0 and br1 are just for your downstream LAN
15:02 < pekster> (then that's fine)
15:02 < pekster> For redirecting to the Internet, first verify your VPN works and your clients can ping 10.8.0.1. Then follow:
15:02 < pekster> !redirect
15:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:02 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:04 < st34lth> br0 and br1 are just for my downstream LAN. I use the interface for VMs, I didn't create it for bridging
15:04 < pekster> server-lan setup looks fine, although remember it will probably break if your VPN client is also connecting from its "own" 192.168.1/24 network. Best to re-number your server LAN to avoid this. If that's not working, it's probably a return-routing or firewall problem. Another flowchart for that at: !serverlan
15:06 < st34lth> on a client my default route is the following 0.0.0.0         10.8.0.9        0.0.0.0         UG    0      0        0 tun0
15:06 < st34lth> but the ip to the server is 10.8.0.1, where is it getting 10.8.0.9?
15:06 < pekster> Still won't do any good if you lack a return route of misconfigured the firewall
15:07 < pekster> It's the 2nd IP in the /30. It's stupid backwards-compat behavior for fear of breaking "really old" setups. Best to switch to the subnet topology:
15:07 < pekster> !topology
15:07 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
15:07 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:07 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:07 < pekster> In your case, just add `topology subnet` to your server and you'll use more sane subnet networking (even over the tun device)
15:07 -!- dazo_afk is now known as dazo
15:11 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
15:11 < st34lth> what does it mean by ip forwarding? masquerade rule?
15:12 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 272 seconds]
15:12 < pekster> enable IP forwarding. You need NAT since RFC1918 cannot be routed on the public Internet (it's invalid)
15:13 < pekster> Follow the !things if you need help on each
15:13 < st34lth> !ipforward
15:13 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
15:14 < st34lth> oh yeah net.ipv4.ip_forward = 1
15:15 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:15 < st34lth> !nat
15:15 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
15:15 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:16 -!- dazo_afk is now known as dazo
15:44 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
15:50 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:50 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:51 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
15:51 -!- dazo_afk is now known as dazo
15:59 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
16:02 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:03 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 260 seconds]
16:04 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
16:25 -!- st34lth [~st34lth@pool-71-179-132-91.bltmmd.fios.verizon.net] has quit [Quit: Leaving]
16:53 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Quit: performing percussive maintenance]
16:55 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Ping timeout: 250 seconds]
16:57 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
16:59 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
17:34 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
17:38 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:38 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:38 -!- dazo_afk is now known as dazo
17:42 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has left #openvpn []
17:51 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
17:51 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
17:54 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 260 seconds]
17:59 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
18:03 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
18:04 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 260 seconds]
18:05 -!- ender^ [~ender1@2a01:260:4094:1:42:42:42:42] has joined #openvpn
18:07 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
18:15 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 250 seconds]
18:16 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 264 seconds]
18:16 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
18:21 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 260 seconds]
18:25 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
18:25 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
18:46 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 272 seconds]
18:47 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
19:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:08 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:18 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
19:25 -!- Azrael_- [~idjfiawej@adsl-84-226-35-191.adslplus.ch] has joined #openvpn
19:25 -!- Azrael_- [~idjfiawej@adsl-84-226-35-191.adslplus.ch] has left #openvpn []
19:54 -!- Jesse_V [~Jesse_V@unaffiliated/jesse-v/x-9747916] has joined #openvpn
19:54 < Jesse_V> !welcome
19:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:55 < Jesse_V> !howto
19:55 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:56 < Jesse_V> hello guys, I'm trying to set up a PPTP VPN tunnel for my phone to my server
19:56 < Jesse_V> I've installed OpenVPN and followed https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-debian-6 as best as I can, but I can't connect
19:56 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on Debian 6 | DigitalOcean (at www.digitalocean.com)
19:57 < Jesse_V> I'm really new to OpenVPN, so I'm not entirely sure what I'm doing
19:58 < Jesse_V> how, for example, do I specify the client's username and password?
19:58 < Jesse_V> when I'm generating keys I mean
20:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:00 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
20:01 < Jesse_V> could anyone help me out?
20:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:05 < pekster> !notcompat
20:05 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
20:06 < pekster> OpenVPN requires use of OpenVPN. PPTP is a wickedly insecure protocol that is as good as transmitting your password and all VPN data in plaintext, so don't use it unless security is not your goal
20:07 < pekster> Good news is that OpenVPN is secure, and more mobile devices support IPSec with IKEv2 if you need a "native" solution that's not insecure
20:07 < pekster> Also, see: !android or !iphone for mobile openvpn download info
20:08 < Jesse_V> thank you very much
20:08 < Jesse_V> doesn't IPSec require special IPSec-supporting routers?
20:09 < pekster> Not unless you require stateful firewalling or NAT traversal
20:09 < pekster> There's NAT-T for IPSec, but that's another ball of wax
20:09 < Jesse_V> sure
20:10 < pekster> That's one item OpenVPN offers: multiplexing over a single UDP port (or TCP, but best to avoid that unless you require it.) It's very NAT-friendly
20:10 < Jesse_V> I have the following VPN options: "PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA, and IPSec Hybrid RSA"
20:10 < Jesse_V> on my phone
20:10 < Jesse_V> which one would you recommend?
20:10 < Jesse_V> sorry for the newbish questions
20:12 < pekster> You're asking in #openvpn :P
20:12 < pekster> See the references above if you want openvpn to work on your mobile device
20:13 < pekster> No clue if your devices IPSec implemetnation supports IKEv2 as the key exchange, but if you insist on not running OpenVPN, take a look at that. IPSec is going to be more complex to set up, but might work without a separately installed client, if you also insist on not installing software on your phone
20:15 < ice9> pekster: which programming languages do you write in?
20:15 < pekster> Several, plus being dangerious in a half-dozen more
20:19 < ice9> :D
20:19 < ice9> pekster: are you interested in working in open source projects?
20:19 < ice9> from scratch?
20:24 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
20:27 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
20:31 < Jesse_V> my apologizes pekster, I assumed OpenVPN could support one of those, clearly I have much to learn
20:32 < Jesse_V> thanks very much for your time
20:34 -!- Jesse_V [~Jesse_V@unaffiliated/jesse-v/x-9747916] has left #openvpn ["Tom bom, jolly Tom, Tom Bombadillo!"]
20:58 -!- clyons|2 [~kvirc@host86-157-15-79.range86-157.btcentralplus.com] has joined #openvpn
21:00 -!- clyons [~kvirc@host86-157-15-49.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
21:08 < Hello71> why is it that "--inetd nowait only makes sense in --dev tap mode"?
21:24 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:32 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has left #openvpn []
21:37 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:39 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
22:35 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
22:38 -!- Matir_ is now known as Matir
22:42 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:43 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 272 seconds]
22:43 -!- james41382_ is now known as james41382
22:46 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 255 seconds]
23:29 -!- zeroNones [~textual@187.204.188.19] has joined #openvpn
23:39 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
23:57 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:59 -!- ShadniX [dagger@p5DDFE745.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Sun Aug 17 2014
00:01 -!- ShadniX [dagger@p5481CB72.dip0.t-ipconnect.de] has joined #openvpn
00:14 -!- zpatten [~zpatten@unaffiliated/zpatten] has quit [Quit: l8r]
00:19 -!- C-S-B [~C-S-B@host86-129-162-218.range86-129.btcentralplus.com] has joined #openvpn
00:23 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
00:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
00:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
00:46 < heraclitus> !iphone
00:46 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
00:46 < heraclitus> !android
00:46 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/
01:52 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
02:20 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
02:21 -!- MyMind [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 244 seconds]
02:29 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 250 seconds]
02:39 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
02:42 -!- tapout [~tapout@unaffiliated/tapout] has quit [Quit: ZNC - http://znc.sourceforge.net]
02:59 -!- zeroNones [~textual@187.204.188.19] has quit [Ping timeout: 240 seconds]
03:03 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
03:07 -!- RyNet [~RyNet@c-67-160-203-245.hsd1.ca.comcast.net] has joined #openvpn
03:07 < RyNet> how important is it to use nls server verification. i mean what are the odds of a man in the middle attack?
03:10 -!- Poster|x [~poster@oh-67-77-115-176.sta.embarqhsd.net] has joined #openvpn
03:10 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
03:13 -!- raidz is now known as raidz_away
03:13 < cyberanger> RyNet: the odds depend on your enviroment, my envrioment I've had active attacks against me
03:13 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 245 seconds]
03:13 < RyNet> what's your enviroment entail?
03:16 < cyberanger> a pervasive censorship and counterintelligence regime, a religious minority that gets persecuted under said regime
03:26 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
03:28 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
03:45 < RyNet> so anon i take
03:52 < RyNet> exit
03:52 -!- RyNet [~RyNet@c-67-160-203-245.hsd1.ca.comcast.net] has quit [Quit: WeeChat 1.0]
03:58 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
03:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:11 -!- Poster|x is now known as Poster
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
04:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:28 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
04:41 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
04:42 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
04:51 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 246 seconds]
05:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Broken pipe]
05:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:32 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
07:00 -!- chieftex [~IceChat9@90.205.2.93] has quit [Quit: If your not living on the edge, you're taking up too much space]
07:06 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
07:09 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
07:35 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 255 seconds]
07:44 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
08:07 -!- shiin [~shiin@funtoo/core/shiin] has quit [Read error: Connection reset by peer]
08:15 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
08:25 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 272 seconds]
08:40 -!- larryone [~larryone@180.234.71.8] has joined #openvpn
08:59 -!- erratic [erratic@shells-v6.yourstruly.sx] has joined #openvpn
09:14 -!- larryone [~larryone@180.234.71.8] has quit [Quit: This computer has gone to sleep]
09:28 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
09:54 < shiin> Id like to use my openvpn tunnel to my root server to offer an ipv6 tunnel since my ISP does not support ipv6, but my server does. is such possible? Ive found hints on https://community.openvpn.net/openvpn/wiki/IPv6 but Im not sure if thats really what Im looking for.
09:54 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
09:58 < pekster> It should, so long as you have a properly routed block at your server
09:59 < pekster> If you don't have a _routed_ block, you should nicely ask for one. OpenVPN will work with a /112, but if you wish for compatability for the "IPv6 preview patches" (some Debian systems running openvpn 2.2.x have these) you'll need to use a /64 for the VPN
10:00 < shiin> Im not sure what a routed block is.
10:01 < pekster> Have you been allocated a block to route as you see fit from your network provider at the server?
10:01 < pekster> Not assign to your host, but a proper IPv6 routed block. If you haven't, you should ask for one, because otherwise you need to do ugly hacks like NDP proxy or other evil things
10:02 < shiin> 2a01:4f8:201:53e9:: / 64 <- thats from my hosters webinterface, assigned to my server, I believe thats a yes then.
10:03 < pekster> Show me `ip a` from the server, please
10:03 < pekster> If your server is _using_ an IP from that range on-link, then that entire /64 is already consumed. You cannot assign it to a routed OpenVPN setup becuase it's already in use
10:04 < shiin> http://pastebin.com/UGnJ9ZLb
10:05 < pekster> Right, that's your on-link network (you may or may not be allowed to use more IPs from that network, but _only_ on that host, not for a VPN sytem without ugly hacks)
10:05 < pekster> You should ask for a routed /64 that is routed (not put on-link) and routed to the IPv6 IP assigned to your host (ie, that 2a01:4f8:201:53e9::2 address)
10:06 < pekster> You then use that routed block in OpenVPN, which allows your VPN users to be allocated IPs out of that network
10:07 < shiin> I see. Im going to see if I can get a routed /64 then. thank you.
10:34 -!- shiin [~shiin@funtoo/core/shiin] has quit [Ping timeout: 240 seconds]
10:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:38 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Ping timeout: 272 seconds]
10:39 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
10:42 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 244 seconds]
11:51 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
12:02 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
12:09 -!- raidz_away is now known as raidz
12:11 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has joined #openvpn
12:13 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has quit [Remote host closed the connection]
12:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
12:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 245 seconds]
12:23 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Read error: Connection reset by peer]
12:24 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 256 seconds]
12:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:24 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
12:25 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
12:27 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:39 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
12:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:43 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:44 -!- Popsikle [~popsikle@2600:1001:b12a:55d1:d1e0:21ac:c0d6:a302] has joined #openvpn
12:55 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:02 -!- Popsikle [~popsikle@2600:1001:b12a:55d1:d1e0:21ac:c0d6:a302] has quit [Remote host closed the connection]
13:31 -!- marlinc_ [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:33 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
13:33 -!- marlinc_ is now known as marlinc
13:58 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
14:27 -!- tekk [~me@93.93.135.50] has joined #openvpn
14:28 < tekk> hi guys, i’ve just migrated my openvpn server from linux to freebsd
14:28 < tekk> i’ve set gateway_enable=YES in rc.conf
14:28 < tekk> but it seems i’m missing something still
14:28 < tekk> as traffic from the local LAN isn’t reachable from VPN clients
14:28 < tekk> i am pushing routes to clients too
14:28 < tekk> do i need to add a iptables style rule (but for bsd)
14:41 -!- Verdi [~dagda@ip1.thgersdorf.net] has joined #openvpn
14:51 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:51 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Read error: Connection reset by peer]
14:51 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
14:52 -!- Pyrogerg_ [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
14:53 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 246 seconds]
15:19 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
15:26 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
15:38 -!- james41382_ is now known as james41382
15:46 -!- Lyn [~Alc@dyn71-368.yok.fi] has joined #openvpn
15:47 < Lyn> !welcome
15:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:47 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:47 < Lyn> !howto
15:47 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:49 < Lyn> I'm using AirVPN and I'm trying to host an irc server. I've set a port in ircd.conf, I forwarded that port in my AirVPN settings to my local port with the same number, and when a friend tries to connect to my exit-node-IP:port, it doesn't work. I'm a beginner when it comes to VPNs. Why doesn't it work?
15:57 < pekster> If you don't control the VPN server system you'll be unable to properly troubleshoot that
15:58 < pekster> NAT and firewalling need to be set up correctly on that system when you're using RFC1918 space on the VPN (and still the firewall even if the VPN uses globally-routable IP space.) Plus your firewall, but a tcpdump would show you traffic before the firewall gets to drop it
15:59 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Remote host closed the connection]
16:01 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
16:19 -!- Denial [~Denial@host86-174-170-118.range86-174.btcentralplus.com] has quit []
16:19 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 260 seconds]
16:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:33 -!- Pyrogerg_ [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 264 seconds]
16:36 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
16:39 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
16:49 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
16:50 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 260 seconds]
16:51 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
16:52 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
16:52 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
16:57 -!- raidz is now known as raidz_away
17:08 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:08 -!- mode/#openvpn [+v s7r] by ChanServ
17:16 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 272 seconds]
17:19 -!- s7r_p [~s7r@openvpn/user/s7r] has joined #openvpn
17:19 -!- mode/#openvpn [+v s7r_p] by ChanServ
17:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
17:20 -!- s7r_p is now known as s7r
17:35 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 255 seconds]
17:38 -!- Cyclohexane [idunevn@unaffiliated/cyclohexane] has quit [Quit: Cyclohexane]
17:43 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
17:58 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:58 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:58 -!- dazo_afk is now known as dazo
18:29 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
19:13 -!- raidz_away is now known as raidz
19:24 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has joined #openvpn
19:40 -!- soffio [~mancante@gateway/tor-sasl/riflesso] has quit [Quit: soffio]
19:42 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 272 seconds]
19:46 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
19:52 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:57 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 246 seconds]
19:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
20:00 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:03 -!- suprsonic [~suprsonic@66.170.2.190] has joined #openvpn
20:03 < suprsonic> posssible to route multicast with openvpn tun and avahi?
20:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 250 seconds]
20:13 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
20:25 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
20:25 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
20:32 -!- raidz is now known as raidz_away
20:42 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 240 seconds]
21:26 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
21:33 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 244 seconds]
21:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 260 seconds]
21:57 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
22:11 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 240 seconds]
22:28 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
22:37 -!- raidz_away is now known as raidz
22:39 -!- raidz is now known as raidz_away
22:40 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 240 seconds]
22:51 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
23:01 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:13 -!- raidz_away is now known as raidz
23:22 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
23:46 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
23:49 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
23:58 -!- ShadniX [dagger@p5481CB72.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Mon Aug 18 2014
00:00 -!- ShadniX [dagger@p5481C1FD.dip0.t-ipconnect.de] has joined #openvpn
00:07 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
00:34 -!- hadifarnoud [~hadifarno@162.13.2.215] has joined #openvpn
00:34 < hadifarnoud> is there a free version for openvpn access server?
00:35 < hadifarnoud>  /join #openvpn-as
00:48 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:55 -!- indy [~indy@shadow.kastnerove.cz] has left #openvpn ["Leaving"]
00:56 -!- hadifarnoud [~hadifarno@162.13.2.215] has quit [Ping timeout: 250 seconds]
01:07 -!- aji [~alex@unaffiliated/aji] has joined #openvpn
01:08 -!- aji [~alex@unaffiliated/aji] has left #openvpn []
01:12 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
01:39 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 240 seconds]
01:53 -!- CaTtleyA_ [~CaTtleyA@185.24.142.82] has joined #openvpn
02:20 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 256 seconds]
02:21 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
02:25 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
02:25 -!- Ulrar [~Ulrar@luwin.ulrar.net] has quit [Ping timeout: 256 seconds]
02:29 -!- Ulrar [~Ulrar@luwin.ulrar.net] has joined #openvpn
02:32 -!- larryone [~larryone@180.234.237.190] has joined #openvpn
02:33 -!- fred`` [fred@earthli.ng] has joined #openvpn
02:38 -!- raidz is now known as raidz_away
02:43 -!- mattock_afk is now known as mattock
02:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:52 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
02:54 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
03:10 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:10 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
03:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:18 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Remote host closed the connection]
04:02 -!- yerodin [~yerodin@unaffiliated/yerodin] has quit [Ping timeout: 255 seconds]
04:03 -!- raidz_away is now known as raidz
04:21 -!- raidz is now known as raidz_away
04:28 -!- mattock is now known as mattock_afk
04:32 -!- JuriadoBalzac [~cpe@www.badcode.net] has joined #openvpn
04:33 < JuriadoBalzac> Hey all! Got a question - I'm trying to basically set up a vpn to a vpn, but for some reason it drops traffic from the first VPN. Is IP forwarding required?
04:38 -!- mattock_afk is now known as mattock
04:56 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:07 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:08 -!- CaTtleyA_ [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
05:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:37 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
05:38 < shiin> pekster: I couldnt get a /64
05:39 < shiin> http://unix.stackexchange.com/questions/136211/routing-public-ipv6-traffic-through-openvpn-tunnel this one says its also possible with a /112
05:39 <@vpnHelper> Title: Routing public ipv6 traffic through openvpn tunnel - Unix & Linux Stack Exchange (at unix.stackexchange.com)
05:39 < shiin> is that a bad idea?
06:33 -!- Chiftin [~Chiftin@178.250.179.140] has joined #openvpn
06:45 < JuriadoBalzac> So, connecting two VPNs, that'd be a bridge?
06:55 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:58 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:18 < AL13N_work> say, wouldn't it be a bad idea to tunnel IPv6, what if remote has native ipv6?
07:19 < AL13N_work> wouldn't it be possible to route the wrong ipv6 out the wrong uplink?
07:53 -!- shiin [~shiin@funtoo/core/shiin] has quit [Ping timeout: 246 seconds]
07:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:59 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:59 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
08:06 -!- Axeman [~axeman3@openvpn/user/axeman] has joined #openvpn
08:06 -!- mode/#openvpn [+v Axeman] by ChanServ
08:09 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 250 seconds]
08:22 -!- sauce [sauce@unaffiliated/sauce] has quit [Max SendQ exceeded]
08:24 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
08:27 -!- Aoyagi_mehtop [~Aoyagi@88.208.95.82] has quit [Quit: qat]
08:27 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
08:27 < v0lZy> hi
08:27 < v0lZy> question: is there a way to push dns suffixes via openvpn ?
08:27 < v0lZy> I have multiple subdomains... client is upt into vpn.domain.com, but servers are in serv.domain.com
08:28 < v0lZy> i'd like to push serv.domain.com as a search list/domain suffix to the client, so that they can just type hostname
08:37 -!- nath_schwarz [~nath_schw@p54A31B6B.dip0.t-ipconnect.de] has joined #openvpn
08:39 < shiin> Im trying to set up an /112 ipv6 tunnel, but I dont have much experience with subnetting. http://pastebin.com/bRtGZdKu this is my current proposal, but I suspect its not entirely correct.
09:05 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
09:06 -!- Pyrogerg [~Gregory@mobile-166-137-182-005.mycingular.net] has joined #openvpn
09:11 -!- Netsplit *.net <-> *.split quits: xMopxShell, doebi, mnathani, kantlivelong, aPollO2k, RaiNerTsuFal, Left_Turn, suprsonic
09:12 -!- Netsplit over, joins: kantlivelong
09:12 -!- Netsplit over, joins: aPollO2k
09:13 -!- Netsplit over, joins: Left_Turn
09:13 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:15 -!- Netsplit over, joins: doebi
09:15 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Excess Flood]
09:17 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
09:18 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
09:19 -!- Pyrogerg [~Gregory@mobile-166-137-182-005.mycingular.net] has quit [Read error: Connection reset by peer]
09:19 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
09:20 -!- zeroNones [~textual@187.204.187.148] has joined #openvpn
09:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:31 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
09:33 -!- ender^ [~ender1@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
09:34 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
09:35 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
09:38 -!- Pyrogerg [~Gregory@mobile-166-137-182-005.mycingular.net] has joined #openvpn
09:38 -!- Pyrogerg [~Gregory@mobile-166-137-182-005.mycingular.net] has quit [Max SendQ exceeded]
09:40 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
09:42 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
09:43 -!- shiin [~shiin@funtoo/core/shiin] has quit [Read error: Connection reset by peer]
09:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:47 < nath_schwarz> Oy mates - my CentOS Server won't stay connected to my vpn when started via cronjob (@reboot service openvpn start; root cronjob; also tried delaying with sleep 30, 60 and 120) but works fine if run by hand. CentOS is 6.5 final running openvpn 2.3.2; vpn_server is Ubuntu 14.04 with openvpn 2.3.2; client.conf: http://paste.fedoraproject.org/126379/37247614 ; server.conf: http://paste.fedoraproject.org/126380/37254214 ; messages-log
09:47 < nath_schwarz> grepped for vpn on client: http://paste.fedoraproject.org/126378/14083723 ; syslog grepped for vpn on server: http://paste.fedoraproject.org/126382/40837311 ; any ideas?
09:48 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
09:48 < nath_schwarz> Also - it works fine if I start it by hand no matter how: (sudo) openvpn --config /etc/openvpn/client.conf; (sudo) service openvpn start; (sudo) openvpn --daemon --config /etc/openvpn/client.conf - they all work by hand but not as cronjob
09:49 < nath_schwarz> selinux is disabled, btw
09:52 -!- Chiftin [~Chiftin@178.250.179.140] has quit [Quit: Leaving]
09:52 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
09:53 < nath_schwarz> Firewalls on both server and client are flushed and set to accept all packets
09:54 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
09:56 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
09:56 < nath_schwarz> The line 'event_wait : Interrupted system call (code=4)' seems to be interesting, but when I search for that I only find posts of people who just configured it wrong and where the client couldn't connect at all
09:56 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
10:05 -!- zeroNones [~textual@187.204.187.148] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
10:08 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Ping timeout: 240 seconds]
10:11 < nath_schwarz> I tried using tcp instead of udp - same issue
10:12 < Hello71> systemd?
10:12 < nath_schwarz> afaik centos uses systemd, yeah
10:14 < nath_schwarz> But shouldn't cronjobs run after the whole systemd-stuff?
10:21 <+Axeman> anyone use openvpn on WRT?
10:29 -!- mattock is now known as mattock_afk
10:30 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
10:34 -!- larryone [~larryone@180.234.237.190] has quit [Ping timeout: 272 seconds]
10:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:36 -!- zeroNones [~textual@187.204.187.148] has joined #openvpn
10:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:42 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Read error: Connection reset by peer]
10:42 -!- mattock_afk is now known as mattock
10:46 -!- larryone [~larryone@180.234.33.162] has joined #openvpn
11:07 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
11:09 -!- Lyn [~Alc@dyn71-368.yok.fi] has quit [Quit: Leaving]
11:10 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
11:14 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:15 -!- raidz_away is now known as raidz
11:17 -!- Lyn [~Alc@37.48.81.54] has joined #openvpn
11:26 -!- Lyn [~Alc@37.48.81.54] has quit [Quit: Leaving]
11:29 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 250 seconds]
11:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
11:36 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
11:43 -!- larryone [~larryone@180.234.33.162] has quit [Quit: Leaving]
12:22 -!- nath_schwarz [~nath_schw@p54A31B6B.dip0.t-ipconnect.de] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
12:31 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:f941:69e3:dd5d] has joined #openvpn
12:32 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
12:41 <@Eugene> Figured out that stupid bridging problem from Friday. Intermediate firewall was shitting on UDP:1194.
12:44 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:49 -!- zeroNones [~textual@187.204.187.148] has quit [Ping timeout: 240 seconds]
13:02 -!- danielbw [~danielbw@70.167.122.27] has joined #openvpn
13:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:13 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: No route to host]
13:14 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
13:18 -!- 6JTAA66S0 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
13:55 -!- kcaj [~kcaj@li144-83.members.linode.com] has joined #openvpn
13:56 < kcaj> Office 365 is unable to load documents from OneDrive whilst I am connected to my OpenVPN server.
13:59 -!- kcaj [~kcaj@li144-83.members.linode.com] has left #openvpn ["Leaving"]
14:22 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 260 seconds]
14:32 -!- dazo is now known as dazo_afk
14:45 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
14:48 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has quit [Read error: Connection reset by peer]
14:55 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
14:58 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Disconnected by services]
14:58 -!- Netsplit *.net <-> *.split quits: @dazo_afk, JuriadoBalzac, Zimsky, jgeboski, lbft, xeqt, Pisuke
14:59 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
14:59 -!- Netsplit over, joins: jgeboski
14:59 -!- Netsplit over, joins: Zimsky
15:00 -!- Netsplit over, joins: dazo_afk
15:00 -!- dazo_afk is now known as dazo
15:00 -!- mode/#openvpn [+o dazo] by ChanServ
15:02 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
15:06 <+Axeman> anyone try SoftEther?
15:11 -!- mattock is now known as mattock_afk
15:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:28 -!- mlpokn [~User@static.87.82.251.148.clients.your-server.de] has joined #openvpn
15:29 < mlpokn> hey guys, I'm trying to build open vpn gui using mingw on windows but I get some errors
15:31 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
15:40 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:43 -!- mlpokn [~User@static.87.82.251.148.clients.your-server.de] has quit [Quit: Leaving]
16:00 -!- Axeman [~axeman3@openvpn/user/axeman] has quit [Ping timeout: 240 seconds]
16:24 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
16:26 -!- zeroNones [~textual@li116-151.members.linode.com] has joined #openvpn
16:37 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:45 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:05 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 245 seconds]
17:05 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
17:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
17:06 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:08 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:08 -!- mode/#openvpn [+o mattock] by ChanServ
17:10 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has joined #openvpn
17:10 -!- zeroNones [~textual@li116-151.members.linode.com] has quit [Ping timeout: 245 seconds]
17:11 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 246 seconds]
17:11 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 246 seconds]
17:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 246 seconds]
17:11 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
17:11 -!- lachesis_ is now known as lachesis
17:11 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
17:11 -!- mode/#openvpn [+o raidz] by ChanServ
17:14 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
18:04 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 245 seconds]
18:06 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
18:11 -!- zeroNones [~textual@187.204.179.67] has joined #openvpn
18:15 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 255 seconds]
18:18 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
18:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
18:32 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:39 -!- 6JTAA66S0 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
19:04 -!- brianr134 [~brian@72-160-55-142.dyn.centurytel.net] has joined #openvpn
19:08 < brianr134> !welcome
19:08 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:08 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:09 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 240 seconds]
19:14 -!- brianr134 [~brian@72-160-55-142.dyn.centurytel.net] has left #openvpn ["Leaving"]
19:15 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
19:20 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Ping timeout: 250 seconds]
19:22 -!- zeroNones [~textual@187.204.179.67] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:22 -!- mnathani [~mnathani@butterfly.winvive.com] has joined #openvpn
19:28 -!- ses1984 [~stachursk@c-68-46-148-31.hsd1.pa.comcast.net] has joined #openvpn
19:28 < ses1984> !welcome
19:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:29 < ses1984> !goal
19:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:29 < ses1984> !route
19:29 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:29 <@vpnHelper> client
20:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
20:22 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:41 < _FBi> !mitm
20:41 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
20:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:48 -!- Netsplit *.net <-> *.split quits: RaiNerTsuFal
20:52 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
20:55 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:57 -!- Netsplit over, joins: RaiNerTsuFal
21:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
21:04 < lkthomas> hmm
21:04 < lkthomas> if I use RAW p2p ifconfig setup, does iroute problem still appear ?
21:08 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
21:10 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Client Quit]
21:11 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
21:13 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Client Quit]
21:14 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
22:03 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has joined #openvpn
22:08 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Read error: Connection reset by peer]
22:28 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:29 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:37 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
22:59 -!- PreludeZzzzz [~PreludeZz@dsl-67-55-28-3.acanac.net] has joined #openvpn
22:59 < PreludeZzzzz> hello everyone
23:00 < PreludeZzzzz> i am having some problems with openvpn ( slow connection )
23:00 < PreludeZzzzz> when i try to push over 10Mbit/s it starts to stall .. anyone know why? i have tried settings with cipher none and other
23:00 < PreludeZzzzz> still same result
23:00 < PreludeZzzzz> :(
23:00 < PreludeZzzzz> can anyone help?
23:06 < Poster> what OSes?
23:20 -!- m4rcu5__ [bip@2001:1af8:4400:a010:1::1130] has quit [Ping timeout: 272 seconds]
23:27 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
23:34 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:57 -!- ShadniX [dagger@p5481C1FD.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:58 -!- ShadniX [dagger@p5DDFD88D.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Aug 19 2014
00:17 -!- u0m3_ [~u0m3@92.80.109.44] has joined #openvpn
00:20 -!- u0m3 [~u0m3@92.80.93.41] has quit [Ping timeout: 250 seconds]
00:28 -!- jefferai [jefferai@kde/mitchell] has quit [Ping timeout: 272 seconds]
00:30 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
00:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
00:54 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
01:12 <@krzee> tried checking mtu stuff?
01:12 <@krzee> !mtu
01:12 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
01:20 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:26 -!- Pyrogerg [~Gregory@67-0-227-75.albq.qwest.net] has quit [Ping timeout: 245 seconds]
01:35 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 255 seconds]
01:38 -!- clyons|2 [~kvirc@host86-157-15-79.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
01:40 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
01:40 -!- mode/#openvpn [+v RBecker] by ChanServ
01:47 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
01:47 < v0lZy> hi
01:48 < v0lZy> can anyone help me with pushing domain search lists (suffixes) to windows clients?
01:48 < v0lZy> I can't seam to be able to do it.
01:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
01:49 < v0lZy> No matter what I do, it doesnt seem to work for me
01:49 < v0lZy> I've read that there are some known issues... does anyone know any workarounds?
02:09 -!- RyNet [~RyNet@c-67-160-203-245.hsd1.ca.comcast.net] has joined #openvpn
02:10 < RyNet> !heartbleed
02:10 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
02:10 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
02:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:12 < RyNet> sup nerds
02:14 -!- PreludeZzzzz [~PreludeZz@dsl-67-55-28-3.acanac.net] has quit [Ping timeout: 250 seconds]
02:24 -!- RyNet [~RyNet@c-67-160-203-245.hsd1.ca.comcast.net] has left #openvpn ["WeeChat 1.0"]
02:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
02:37 < v0lZy> hello
03:06 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Read error: Connection reset by peer]
03:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
03:21 -!- Iain_ [~Iain@host86-147-162-219.range86-147.btcentralplus.com] has joined #openvpn
03:24 < Iain_> I have a question regarding the openvpn pam plugin openvpn-auth-pam.so. Does it support session accounting i.e does it send accounting start/stop requests ?
03:26 -!- AL13N_work [~alien@91.183.52.232] has left #openvpn []
03:32 <@krzee> Iain_, does it send accounting start/stop requests to what?
03:37 < Iain_> krzee, in my particular case radius via pam_radius_auth, I can auth ok but I never see any accounting start/stop at radius. If I use the same pam service file for su then I see auth and accounting start/stop in radius
03:37 <@krzee> and do you feel su is sending the accounting info?
03:38 < Iain_> the honest answer is I have no idea
03:38 <@krzee> would seem silly to have an app handle the accounting for the auth system that it uses
03:39 <@krzee> dont you agree?
03:40 < Iain_> I'm just generally confused
03:40 <@krzee> seems to be a pam issue
03:41 <@krzee> but ive never used pam auth for openvpn
03:41 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
03:43 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
03:46 < Iain_> krzee, su isn't sending the accouting info that is sent by pam_radius_auth, su thugh must be requesting session stanza of the pam service file is checked for this to happen ?
03:55 -!- Iain_ [~Iain@host86-147-162-219.range86-147.btcentralplus.com] has quit [Ping timeout: 260 seconds]
03:56 -!- Iain_ [~Iain@host86-147-162-219.range86-147.btcentralplus.com] has joined #openvpn
04:11 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 272 seconds]
04:12 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
04:16 -!- Latrina [~Latrina@adsl-ull-56-192.50-151.net24.it] has quit [Ping timeout: 240 seconds]
04:17 -!- Latrina [~Latrina@adsl-ull-165-176.50-151.net24.it] has joined #openvpn
04:24 -!- Latrina [~Latrina@adsl-ull-165-176.50-151.net24.it] has quit [Ping timeout: 240 seconds]
04:35 -!- Latrina [~Latrina@adsl-ull-239-205.50-151.net24.it] has joined #openvpn
04:57 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:44 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Ping timeout: 250 seconds]
05:45 -!- Iain_ [~Iain@host86-147-162-219.range86-147.btcentralplus.com] has quit [Ping timeout: 255 seconds]
05:46 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
05:47 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
05:47 -!- Iain_ [~Iain@host86-147-162-219.range86-147.btcentralplus.com] has joined #openvpn
05:53 -!- Iain_ [~Iain@host86-147-162-219.range86-147.btcentralplus.com] has quit [Ping timeout: 255 seconds]
05:54 -!- Iain_ [~Iain@37.221.163.206] has joined #openvpn
06:01 -!- Iain_ [~Iain@37.221.163.206] has quit [Ping timeout: 255 seconds]
06:34 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:38 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has joined #openvpn
06:58 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
07:14 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 250 seconds]
07:14 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
07:24 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
08:00 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]
08:04 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
08:12 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 260 seconds]
08:40 -!- u0m3_ is now known as u0m3
08:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:49 -!- mode/#openvpn [+v s7r] by ChanServ
08:51 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
08:57 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
08:58 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
09:06 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
09:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
09:12 < _FBi> BadCodSmell, what do you mean provides a route?
09:15 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
09:39 -!- Gravitron [~admin@unaffiliated/gravitron] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
09:42 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
09:48 <@dazo> BadCodSmell: --client-config-dir is one thing to check out ... if it's a route to a LAN behind a client, you also need to look at --iroute
10:02 -!- zeroNones [~textual@187.204.189.72] has joined #openvpn
10:04 -!- zeroNones [~textual@187.204.189.72] has quit [Read error: Connection reset by peer]
10:36 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 245 seconds]
10:37 -!- dropje [~yge@546A88C4.cm-12-3c.dynamic.ziggo.nl] has joined #openvpn
10:39 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
10:46 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
10:47 -!- dazo_ [~dazo@openvpn/community/developer/dazo] has joined #openvpn
10:47 -!- mode/#openvpn [+o dazo_] by ChanServ
10:47 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Disconnected by services]
10:47 -!- dazo_ is now known as dazo
10:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:04 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:17 -!- Neal_ [~neal@2600:3c00:e001:1a00::1] has quit [Ping timeout: 240 seconds]
11:19 <@krzee> !clientlan
11:19 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
11:19 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
11:20 <@krzee> as for who can access it, dont push a route to clients for that lan, and ALSO firewall it in the forward chain on the server and do not use --client-to-client
11:20 <@krzee> !c2c
11:20 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
11:20 <@vpnHelper> other clients
11:21 <@krzee> actually sorry... that will not be the forward chain, but you can still block it in iptables
11:21 <@dazo> BadCodSmell: and be 100% sure the client config is really loaded ... check with a high --verb setting ... I don't recall if --verb 4 is high enough
11:21 <@krzee> 4 is good enough
11:22 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
11:22 <@krzee> 5 is needed when you suspect firewall issues
11:22 <@dazo> BadCodSmell: And I've done several "lan behind client" setups without any issues ... so you're doing it wrong! ;-)
11:22 -!- DrSect0r [~DrSect0r@188-142-12-159.FTTH.ispfabriek.nl] has quit [Ping timeout: 272 seconds]
11:22 <@dazo> krzee: ahh, right
11:22 <@dazo> BadCodSmell: I believe it when I see a log file
11:22 <@krzee> BadCodSmell, why dont you use the flowchart
11:22 <@dazo> +1
11:22 <@krzee> http://pekster.sdf.org/misc/clientlan.png
11:23 <@krzee> i love my laziness!  setup a bot and build a flowchart, then just let that stuff help everyone :D
11:24 <@krzee> oh dazo thanks for mentioning that greenwald book im only 50 pages in but its very good
11:24 <@krzee> gunna do some flying tomorrow so ill get some more reading done on it
11:25 <@krzee> BadCodSmell, use the flowchart.
11:26 <@krzee> hmm maybe im on BadCodSmell's /ignore list
11:26 <@krzee> weird cause the flowchart says nothing about verb 4 or tcpdump or c2c
11:29 <@krzee> you dont have to, keep going on the flowchart
11:29 -!- terr1 [~terr1@unaffiliated/terr1] has joined #openvpn
11:29 <@krzee> just get the lan working then worry about who can access, we'll get there :-p
11:29 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
11:33 -!- micah [~micah@debian/developer/micah] has left #openvpn []
11:34 -!- DarkKnightCZ [~lukas@ip-4-11.hlucinnet.cz] has joined #openvpn
11:37 <@krzee> yw
11:37 <@dazo> krzee: happy you like the book!  The first half is really cool, the second half is quite an analysis of the information and can be a harder read ... but I still find it interesting
11:38 <@krzee> and i assume you found that its just route 1.1.2.0 255.255.255.0
11:38  * dazo need to run to catch a train
11:38 <@krzee> cool i believe i'll enjoy the second half too =]
11:39 <@krzee> later
11:40 < pekster> Have to push a route-gateway then
11:41 < pekster> (erm, set one. It gets pushed if you use --server, but the server doesn't get one itself)
11:41 < DarkKnightCZ> hi, does anybody has experience with openvpn connect for android when openvpn uses certificate for authentication? I've looked at https://forums.openvpn.net/topic14432.html and tried that xml-like syntax, but when i import the ovpn file, it says it's missing keys, any ideas?
11:41 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect (Android) FAQ : OpenVPN Connect (Android) (at forums.openvpn.net)
11:42 < pekster> Also, CHINANET-FJ likely doesn't appricate you using their IP space
11:42 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
11:43 <@Eugene> It's a good thing nobody cares :v
11:44 < pekster> You have all of RFC1918; there's rarely a good raeson to use someone else's publicly-routable IP space
11:44 <@krzee> oh right i ran into that problem before
11:45 <@krzee> what i do is i just add the route to the system via script and i add it to the tun device instead of a gateway ip
11:45 <@krzee> that way i dont need to bother giving the client a static ip
11:45 < pekster> krzee: For now you can also add --route-gateway (peer IP in net30 or p2p topo, or the server's IP in subnet/tap)
11:45 < pekster> I should dig in the helper code to see about fixing that
11:46 <@krzee> pekster, but i dunno what ip the client will be for the gateway for the route
11:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:46 < pekster> krzee: huh? Why would you ever need that? Clients route to the generic server address, and _it_ routes it on
11:46 <@krzee> we're talking about --route on the server
11:47 <@krzee> not on the client
11:47 < pekster> Right. --route-gateway
11:47 <@krzee> so the gateway is the clients vpn ip
11:47 < pekster> If it's an iroute, ccd. Otherwise, routes will use the configured --route-gateway
11:47 < pekster> client VPN IP means you want an iroute ;)
11:47 < pekster> route just "gets it into the openvpn process"
11:47 <@krzee> of course, iroute is there
11:47 -!- dazo is now known as dazo_afk
11:48 < pekster> You don't really want to send it to the client. You want to send it to the local openvpn instance on the server. It then deals with what client owns that net
11:48 <@krzee> but you need a system route, either pointing to the client vpn ip as gateway or what i do, adding it with the device instead of a gateway ip
11:48 < pekster> You _get_ that with --route
11:48 < pekster> (if you set --route-gateway, as you'r supposed to. Or rather, as the helper should be doing)
11:48 < pekster> It's basically a bug in the --server helper
11:49 < pekster> It should, yes (at least when using the --server helper. You're expected to "do it all yourself" if you don't use that)
11:50 <@krzee> so what should the gateway be in --route-gateway pekster
11:50 <@krzee> when using it on the server, and adding a route for the server to use to reach the clients lan
11:51 <@krzee> because the correct gateway is the client ip, which is unknown when writing the config unless using static ips
11:52 < pekster> Not for an openvpn route, no. You're not routing it to the client (that's the whole point of --iroute)
11:52 <@krzee> iroute is all internal to openvpn, im talking about system routes man
11:53 <@krzee> im talking about the servers system route to be able to reach the lan behind the client, aka --route
11:53 <@krzee> BadCodSmell, no, your iroute is needed.
11:53 < pekster> krzee: Yes. Why on earth would you set that to the CLIENT IP? That's silly
11:53 < pekster> And utterly unnecessary
11:53 <@krzee> so what would YOU set it to?
11:53 <@krzee> the gateway for the system route.
11:54 <@krzee> because that is the next hop, aka the gateway… what would YOU set it to? (which is the question i keep asking you)
11:55 < pekster> Same thing net30 does (which isn't the client IP. It's the server's own address)
11:56 < pekster> But whatever, code talks, and I'll fix the C code in openvpn and it'll be a non-issue. No more silly gateway IP needed in subnet topology with client-LANs
11:56 < pekster> It'll magically work
11:56 <@krzee> hah ill have to try that when i get back to local on the server, i wonder why when we talked about it in dev channel a couple yrs ago nobody said that
11:56 <@krzee> thanks
11:57 <@krzee> i dont want to make changes to it while im out of the country ;]
11:57 < pekster> Yea, best not to, but I've never used client IP in a server config's --route. Just set --route-gateway properly and stuff works
11:57 <@krzee> nice
11:58 <@krzee> for now i have them being added by --up to add a route, then i just specify the device instead of a gateway ip
11:58 <@krzee> but i may as well do it right instead when i get back ;]
11:59 < pekster> Yea. I'd be fun if --enable-iproute2 did that itself, but it's best not to have too many code changes there
11:59 < pekster> I'd have to do different things in tap verses tun, and it's something easily done with scripts
11:59 < pekster> Patch that if it bugs you ;)
12:00 <@krzee> hehe actually a couple years ago it was said in the dev channel that they wouldnt want patches for that even
12:00  * pekster wishes net-utils would just deprecate Linux's ifconfig and be done with it. netstat already is deprecated, and the hint that ifconfig's replacement is ip
12:01 <@krzee> what is the new netstat?
12:01 < pekster> ss(8)
12:01 -!- clyons [~kvirc@host86-157-15-79.range86-157.btcentralplus.com] has joined #openvpn
12:01 <@krzee> No manual entry for ss
12:01 <@krzee> heh
12:02 <@krzee> got it, http://linux.die.net/man/8/ss
12:02 <@vpnHelper> Title: ss(8): another utility to investigate sockets - Linux man page (at linux.die.net)
12:02 < pekster> It's similar to sockstat on BSDs with less documentation :
12:02 < pekster> :P
12:02 <@krzee> i like sockstat =]
12:02 < pekster> I like it's reasonably-documented status too
12:03 <@krzee> as long as it gets the info right, i dont care much about alignment :D
12:04 < pekster> netstat can't handle IPv6 at all and hides the IPs. Even worse, and no one wants to fix the 2.4 (yes. Linux 2.4) kernel crap
12:04 <@krzee> ahh i dont use ipv6
12:04 < pekster> s/and/becuase it/
12:06 <@krzee> BadCodSmell, im sure they accept patches, you should help them fix the alignment =]
12:06 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:10 < pekster> krzee: Ah, fixed in -master. Must not be in 2.3.4 then :\
12:12 < pekster> Ah, Jul 13 date on commit 4cc6. Probably going into the next release
12:14 < pekster> This history lesson brought to you by gitk(1) ;)
12:20 <@krzee> hah
12:24 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 255 seconds]
12:27 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:29 -!- st5ve [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
12:31 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
12:32 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
12:40 -!- drawesome [~awesome@unaffiliated/drawesome] has joined #openvpn
12:40 < drawesome> Is this channel appropriate for OpenVPN-related iptables configuration?
12:46 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 240 seconds]
12:47 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
12:52 <@krzee> thank you for asking
12:53 <@krzee> depends how deep you need to go, we're usually pretty willing to help but for advanced stuff we may refer you to ##netfilter
12:53 <@krzee> i mean #netfilter
12:53 <@krzee> but, just for asking
12:53 <@krzee> drawesome++
12:53 < drawesome> Ok
12:53 <@krzee> !karma
12:53 <@vpnHelper> "karma" is nick++ adds karma nick-- adds bad karma, as seen in !ircstats
12:54 < drawesome> Thanks :)
12:55 < drawesome> I don't think my question is too advanced - I just need to configure my VPN server so that the source of IPv6 packets coming from the internal IPv6 network is set to a certain IP
12:55 < drawesome> but I can't use SNAT - it's an openvpn VPS and the nat ip6tables module isn't loaded
12:55 <@krzee> ipv6 NAT, eww
12:55 <@krzee> ya thats not something ill be able to help with
12:56 < drawesome> Okay, thanks :)
12:56 <@krzee> maybe ##networking  #netfilter  or #thingsyoushouldNOTdo
12:56 < drawesome> Is there a way to make OpenVPN only use one specific outbound IPv6 address so I could avoid ip6tables altogether?
12:57 <@krzee> how about configuring openvpn with its own routed ipv6 subnet and not needing NAT at all
12:58 < drawesome> How do I do that? I'm a bit of a noob with IPv6 :p
12:58 <@krzee> i dont use ipv6 at all, but it would be the same as in ipv4 im sure
12:58 < drawesome> ok
12:58 <@krzee> you get a subnet routed to you, then you use it in --server
12:58 < drawesome> Thanks
12:58 -!- Envil [~meep@95.211.26.40] has joined #openvpn
12:59 <@krzee> (not just a part of a subnet already in use, but an entire routed subnet)
12:59 <@krzee> then your openvpn server becomes the router for that subnet and it assigns ips to clients who route through it, and boom it should just work
13:00 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Read error: Connection reset by peer]
13:00 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
13:00 < drawesome> Ok, I'll try that. Thanks!
13:04 <@krzee> np
13:12 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 272 seconds]
13:44 -!- fchmmr [~ask@fsf/member/fchmmr] has joined #openvpn
13:44 < fchmmr> Are there any guides for compiling openvpn from source and then debianizing it (making .deb packages equivalent to the ones in apt-get distros)?
13:45 < fchmmr> Specifically, I am looking to optimize it in every way I can (for speed) for the particular CPU in the system where I plan to run it.
13:45 < fchmmr> so.... gcc/clang parameters specific to this cpu, pgo, etc.
13:45 < fchmmr> (also, are there guides to do that in openvpn?)
13:46 < fchmmr> (pgo / profile guided optimizations)
13:46 < fchmmr> the CPU is a Intel Core 2 Duo T7600
13:46 < fchmmr> (laptop cpu)
13:51 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
13:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
13:52 -!- mode/#openvpn [+o plaisthos] by ChanServ
13:57 < Envil> I don't know any specific guides but if you just want to add some cflags that shouldn't be much of an issue. You can use 'CFLAGS="-O2 -march=core2" ./configure' to add any cflags of your liking.
13:57 < Envil> Although going from a plain x86_64 march to core2 probably won't make much of an difference ^^
13:57 -!- mattock is now known as mattock_afk
14:16 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
14:34 -!- C-S-B [~C-S-B@host86-129-162-218.range86-129.btcentralplus.com] has quit [Ping timeout: 240 seconds]
14:38 -!- abeehc [~mmeija@198-48-129-227.cpe.pppoe.ca] has joined #openvpn
14:38 < abeehc> !welcome
14:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:38 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:38 < abeehc> !howto
14:38 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:52 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
14:55 -!- Poster [~poster@oh-67-77-115-176.sta.embarqhsd.net] has quit [Remote host closed the connection]
14:56 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
15:05 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
15:08 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
15:13 -!- hadi [~Instantbi@151.239.166.102] has joined #openvpn
15:13 < hadi> Hello
15:14 < hadi> I got a VPS recently, is there anyone that could help me configure OpenVPN on it for bypassing  censorship for the client? Or point me to a step by step good guide
15:16 <@Eugene> !howto
15:16 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:17 < hadi> Eugene:  thank you
15:19 < hadi> Well i can't access the first one, but the second one looks complex for sure...
15:38 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:57 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
16:13 -!- DarkKnightCZ [~lukas@ip-4-11.hlucinnet.cz] has quit [Ping timeout: 240 seconds]
16:32 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
16:40 -!- zoidberg- [~zoidberg@188.165.30.10] has joined #openvpn
16:41 < zoidberg-> Hi all, I am planning on setting up an openvpn server on a debian box so that i can connect into my network, i also want to run an openvpn instance to connect and tunnel my traffic over.. will this cause any problems?
16:41 < zoidberg-> Running a server and client ont he same box
16:42 < adaptr> as long as they have their own configuration, sure
16:42 < adaptr> routing might get...interesting, especially if the client receives routes from its server
16:43 < Hello71> what?
16:43 < zoidberg-> hehe yes i think it may get interesting but we shall see :D
16:44 < zoidberg-> basically its on my home network, i have this:
16:44 < zoidberg-> [internet] <- [bt home hub] <- [raspberry pi] <- [linksys router]
16:45 < zoidberg-> the raspberry pi, is debian wheezy, im wanting to have it act as a openvpn server and client all clients on the network get routed through that box
16:45 < zoidberg-> so hoping to tunnel traffic out over my dedicated server (so isp can't snoop)
16:45 < zoidberg-> and vpn in
16:46 < _FBi> hadi, maybe you should have bought a vpn instead :P
16:47 < hadi> _FBi:  I don't trust local vpn sellers and no paypal for Iranians~, this VPS/ is hosted by my friend.
16:48 < _FBi> hmm, I need another way to accept payment haha
16:59 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:00 < hadi> heh
17:05 -!- Storm3y [Storm3y@unaffiliated/storm3y] has joined #openvpn
17:05 < Storm3y> Hey, I have 2 VPN servers and put both of the config files in. How do I select which one I want to connect too?
17:07 <@Eugene> Storm3y - in where? what OS? How are you invoking OpenVPN?
17:10 -!- Storm3yy [~MrJoshGed@unaffiliated/storm3y] has joined #openvpn
17:10 -!- Storm3y [Storm3y@unaffiliated/storm3y] has quit [Ping timeout: 255 seconds]
17:10 < Storm3yy> Eugene - Sorry connection dropped. I'm using the OpenVPN GUI. Windows
17:10 <@Eugene> !win_shortcut
17:10 <@Eugene> !shortcut
17:10 <@Eugene> !factoids search shortcut
17:10 <@vpnHelper> "winshortcut" is To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
17:11 <@Eugene> Except with the proper \\-escaping, because the bot sucks,.
17:11 < loeken> oh that is a handy trigger ;)
17:11 < pekster> Eugene: You launch configs by selecting in from the menu
17:11 < pekster> Erm, Storm3yy
17:11 < pekster> See also:
17:11 <@Eugene> And you launch OpenVPN-GUI by running that shortcut. :v
17:11 < pekster> !gui
17:11 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
17:11 < pekster> Yea
17:11 <@Eugene> --config-dir being the most important one there
17:12 < pekster> Feel free to toss that trip up on the wiki :)
17:12 < pekster> tip* (unless drugs are also involved)
17:13 <@Eugene> I could ask the GF to load some
17:13 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
17:17 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:17 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:17 -!- dazo_afk is now known as dazo
17:21 -!- Storm3yy [~MrJoshGed@unaffiliated/storm3y] has quit [Ping timeout: 255 seconds]
17:21 -!- Storm3y [Storm3y@unaffiliated/storm3y] has joined #openvpn
17:21 < Storm3y> Hmm
17:21 < Storm3y> Adding 2 configs, connected the VPN server but for some reason it hasnt changed my IP
17:22 < pekster> !redirect
17:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:22 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:25 < Storm3y> !def1
17:25 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
17:26 < Storm3y> hmm
17:27 < Storm3y> The configs work on android just not windows
17:28 < Storm3y> Ahh it wasnt running as an admin
17:34 -!- Storm3y [Storm3y@unaffiliated/storm3y] has quit []
17:39 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
17:45 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has joined #openvpn
17:49 < shodan45> anyone know of a super trimmed-down distro or "vm appliance" for running an openvpn client & proxy?
17:51 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
17:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:55 -!- abeehc [~mmeija@198-48-129-227.cpe.pppoe.ca] has quit [Quit: leaving]
18:04 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
18:04 < DomeMaster> !welcome
18:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:05 < DomeMaster> !goal
18:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:05 < pekster> shodan45: I've used Alpine Linux before; it works nicely in VMs and lab setups due to its low footprint
18:06 < shodan45> pekster: oh cool, thanks... I was about to give up my search
18:06 < pekster> Depends on what you're looking for. You can find things with a smaller footprint, but that distro IMO has a nice balance between ease of setup and flexibility
18:17 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
18:17 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
18:20 -!- ahklerner [~nkruzan@unaffiliated/ahklerner] has joined #openvpn
18:21 < ahklerner> hi i have installed openvpn inside a ubuntu 12.04 server virtual machine
18:21 < ahklerner> i have configured the server and the client (iphone)
18:21 < ahklerner> i can successfully make the connection on the iphone
18:22 < ahklerner> but no internet is working
18:22 < ahklerner> i can ping my iphone from the vm when it is connected, it gets ip address 10.0.0.6
18:27 <@Eugene> !welcome
18:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:27 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:27 < ahklerner> hi Eugene, i would like to access the internet over my vpn
18:28 <@Eugene> !redirect
18:28 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:28 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:28 <@Eugene> Flowchart is probably a good place for ya ^
18:28 < ahklerner> ok thank you
18:29 <@Eugene> You can connect so you're 90% there ;-)
18:31 < ahklerner> the client is an iphone which does not have ping so i cannot tell if the client can see 8.8.8.8
18:31 < ahklerner> but google.com does not load
18:36 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
19:01 -!- hadi [~Instantbi@151.239.166.102] has quit [Quit: Instantbird 1.6a1pre -- http://www.instantbird.com]
19:03 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
19:06 < ahklerner> ok i think i am at 'you likely have a firewall issue'
19:07 < ahklerner> but i am not sure i have forwarding enabled correctly
19:07 < ahklerner> nor am i sure i have nat enabled correctly
19:08 < ahklerner> for nat i ran iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
19:08 -!- st5ve [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
19:08 < ahklerner> and checking  cat /proc/sys/net/ipv4/ip_forward
19:09 < ahklerner> results in 1
19:09 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
19:09 < ahklerner> so i think they are correct?
19:16 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Read error: Connection reset by peer]
19:40 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 240 seconds]
19:47 -!- h00 [~h00@c-98-209-10-219.hsd1.mi.comcast.net] has joined #openvpn
19:48 < h00> I am using the openvpn example server config file. my client is getting a default route of 10.8.0.5, which I am guessing is the root of my problem. The server is 10.8.0.1.
19:49 < h00> 1) what is the best method to dictate which default route clients get?
19:50 < h00> 2) I would expect it to pass the proper gateway be default. 10.8.0.5 isn't defined anywhere in the server/client config, so it's interesting that it comes up with that
19:50 < pekster> That's normal for net30. Net30 is old and deprecated, and subnet is recommended instead
19:50 < pekster> See:
19:50 < pekster> !topology
19:50 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
19:50 < pekster> wiki link is helpful. Also possibly useful to you:
19:50 < pekster> !/30
19:50 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
19:51 < h00> pekster, , thanks much
19:53 < pekster> And yes, the howto probably needs a revamp for some modernization ;)
19:53 < h00> this may not even be the root of my problem
19:54 < pekster> 10.8.0.5 is the "other" side of the /30 subnet allocated to clients
19:54 < pekster> In net30, you ruote to that IP to route "across" the VPN. In subnet topology, you more logically use the IP of the server, which is the default when you use --route (or push it from the server)
19:54 < pekster> If you want to redirect _all_ Internet-bound traffic over the VPN, read: !redirect
19:55 < h00> symptoms are I can hit 10.8.0.1 but not .5 from my client
19:56 < h00> and to no surprise network fails since my def gw is .5
19:59 < pekster> Right
19:59 < pekster> .5 is just a "fake endpoint" for 7-year old Windows versions that can't do sane networking
20:00 < pekster> You'll never be able to ping it (just 10.8.0.1, routed "through" the /30 endpoint due to how /30 networing works)
20:00 < h00> thats starting to make more sense
20:00 < pekster> tl;dr: use subnet topology and it's less painful
20:02 < h00> the -- syntax, can that be used in the server.conf?
20:02 < ahklerner> pekster maybe this will be easy for you
20:02 < h00> those look like command line options
20:02 < ahklerner> i can connect and ping the server from my iphone
20:02 < pekster> h00: Yup, see:
20:02 < pekster> !--
20:02 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
20:03 < ahklerner> and ping the iphone from my server
20:03 < pekster> It's optional in your configs
20:03 < h00> interesting. thanks, this should probably do it
20:03 < ahklerner> but i am not able to access the internet through my vpn on the iphone
20:03 < pekster> You want to read/follow the info (esp. flowchart) here:
20:03 < pekster> !redirect
20:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:03 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:04 < ahklerner> i have seen that and followed it i get to the 'you likely have a firewall issue'
20:04 < ahklerner> but i have no idea what to do
20:05 < pekster> What server OS?
20:06 < pekster> And a sanitized server config would help to review it's set up right (no comments/blank lines, see !configs if you need grep syntax to remove them. And obviously no private keys if you !inline them)
20:07 -!- zeroNones [~textual@187.204.191.171] has joined #openvpn
20:07 < ahklerner> server os is ubuntu 12.04
20:08 < ahklerner> http://pastebin.com/jYRp9Lym
20:08 < ahklerner> the config is from a tutorial
20:09 < h00> !route
20:09 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
20:10 < pekster> And you're not using 10.0.0.0/24 on either the server or any client you plan to use as the existing physical network, right?
20:10 < ahklerner> http://pastebin.com/THMz56SF
20:10 < pekster> (that's a very common network, and you're usually better off picking a more obscure one. You'll have issues if clients ever use that net)
20:10 < ahklerner> client
20:10 < h00> pekster, not getting a default route out of the box with the --topology subnet. I assume this is by design. should i be specifying a def gw with something like --route <some flags> ?
20:11 < ahklerner> my internal network is 192.168.200.0
20:11 < h00> or is there a better practice
20:11 < pekster> Oh, you're not pulling in that client config
20:12 < ahklerner> the client (iphone) is on the cellular data
20:12 < pekster> Replace line 1 with `client` which not only implies --tls-client, but adds --pull which you need to request options from the server
20:12 < ahklerner> ok
20:12 < pekster> Sure. Cell networks can (and sometimes do) use RFC1918. Or if you wifi on a LAN that uses 10.0.0/24
20:12 < pekster> Just be aware it'll cause issues (probably not work at all in this case)
20:13 < ahklerner> i will evenually change it i am just trying to get it to work one time for now
20:19 < h00> pekster, so I added push "route 0.0.0.0 10.8.0.1" to the server config, but still seeing some strangeness. is there a directory of server directives somewhere I am missing?
20:20 < pekster> No, don't do that
20:20 < h00> I am guessing there is a more direct approach to strictly the gateway
20:20 < pekster> --redirect-gateway is how you change gateways, and you already have it
20:20 < h00> really?
20:20 < h00> I didn't add that in myself..which may be the problem
20:20 < pekster> line 15 of your server paste
20:20 < h00> must have me confused =)
20:20 < h00> was that the other guy?
20:21 < pekster> Oh, yes indeed
20:21 < h00> thanks though, that is likely what I need
20:21 < pekster> Either way, don't do 0/0. Use `def1` to --redirect-gateway
20:21 < h00> !def1
20:21 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
20:21 < pekster> It's a bad idea to mess with a client's defualt gateway that does other important things, and will usually get overridden on DHCP renewals
20:21 < h00> ya, that makes sense
20:23 < h00> meh, must have something else failing at this point. that got me what I wanted. Ill take a look at that flowchart
20:26 < ahklerner> ok so client profile -> http://pastebin.com/E4URvW41
20:26 < pekster> Yup
20:27 < ahklerner> server -> http://pastebin.com/hMV8M0p1
20:27 < pekster> That actually accepts the pushed --redirect-gateway value your server has
20:27 < pekster> (before your client was not asking for pushed values, and never got them)
20:28 < pekster> Might need proto tcp-client (not sure if --client implies that offhand)
20:28 < ahklerner> iptables rules -> http://pastebin.com/u45Y2wrk
20:28 < ahklerner> so the client does indeed connect
20:28 < ahklerner> and i can ping server from client
20:29 < ahklerner> and i can ping client from server
20:29 < pekster> Those aren't rules, but appaer to be part of some "script." Only ever show Netfilter rules the canonical way, via `iptables-save -c` (-c adds counters, useful for troubleshooting)
20:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:29 < pekster> And ideally don't use scripts to load your rules either (load them atomically via iptables-restore(8). ask #Netfilter why)
20:30 < h00> pekster, I was able to solve my issue. thanks for the help.
20:30 < ahklerner> i am attempting to get it set up to work and i can just reboot if they are wrong now
20:30 < pekster> I've no clue if your rules work without seeing a complete ruleset
20:30 -!- h00 [~h00@c-98-209-10-219.hsd1.mi.comcast.net] has quit [Quit: Leaving]
20:30 < pekster> Anything else is inconclusive
20:32 < ahklerner> http://pastebin.com/krHiDMLz
20:34 < ahklerner> does that tell you anything more than i have no idea wtf im doing
20:34 < pekster> No clue why you're only accepting tcp on FORWARD from the VPN, except for traffic bound to the LAN (but only for ctstate NEW?) It's all moot anyway since you never drop packets anyway
20:34 < pekster> NAT looks fine though
20:34 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:35 < pekster> Oh, your VPN is 10.66.29/24
20:35 < pekster> Still, filtering is goofy, but a non-issue now. NAT is also fine
20:36 -!- zeroNones [~textual@187.204.191.171] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:36 < pekster> Setup looks fine, configs & firewall. Verify you have IP forwarding on, and all should be okay
20:38 -!- zeroNones [~textual@187.204.191.171] has joined #openvpn
20:38 < ahklerner> /etc/sysctl.conf       net.ipv4.ip_forward=1 is uncommented
20:38 < ahklerner> do i need to do more than that
20:39 < pekster> What's `sysctl net.ipv4.ip_forward` say?
20:39 < Hello71> are there any issues with windows not picking up dhcp-option DNS after register-dns? windows 8
20:40 < ahklerner> http://pastebin.com/Ch1rk6u5
20:41 < pekster> looks fine
20:41 < pekster> Might be DNS problems if your client DNS is off-link and you redirect it over the VPN
20:42 < ahklerner> me? or Hello71
20:42 < pekster> You
20:43 < pekster> Hello71: Windows is finickey. Check `ipconfig /all` for clues after startup
20:43 < pekster> Windows has silly ways of combining the "per interface" settings to its "global" settings
20:43 < ahklerner> pekster: but client cannot ping 8.8.8.8
20:43 < pekster> Send complaints straight to 1 Microsoft Way, Redmond, VA
20:43 < ahklerner> or 192.168.200.1
20:43 < pekster> break out the TCP dump then
20:44 < pekster> `tcpdump -pni tun2 icmp` or similar
20:44 < pekster> If you see requests but no replies, do the same for your egress interface
20:46 < ahklerner> http://pastebin.com/gf441jFp
20:47 < pekster> Is `vs1` also assigned 192.168.200.1?
20:48 < ahklerner> http://pastebin.com/WpMriUwc
20:48 < ahklerner> no sir
20:48 < ahklerner> or ma'am whichever it is
20:48 < ahklerner> :)
20:49 < pekster> Missing return route on your LAN I'm guessing
20:49 < pekster> Is the OpenVPN server the default gateway for 192.168.200.1?
20:49 < pekster> If not, that host has no idea how to reach your VPN LAN
20:50 < pekster> You need to fix that with a return-route to the the VPN LAN routed via your VPN server (and firewall rules to support that) or SNAT it as a bit of a hack if you "can't" route it properly
20:51 < ahklerner> omg
20:51 < ahklerner> it was the router
20:51 < ahklerner> thank you so much i have been trying config changes on openvpn
20:51 < ahklerner> like all afternoon
20:51 < pekster> It helps a bit to think of openvpn as "just a fancy router" -- the basics still apply ;)
20:52 < ahklerner> yeah i mean it was my hardware router
20:52 < ahklerner> thank alot for your help
20:53 < pekster> glad you got it working
20:54 < ahklerner> me too
20:54 < ahklerner> now i can be secure browsing on my phone wherever i am
20:55 < pekster> More or less. Subtle attacks on that can happen by disrupting the VPN link, or if DNS doesn't use your pushed settings, or iOS "overrides" it with DHCP renewals
20:56 < pekster> "More secure" anyway :P
20:56 < ahklerner> ic
20:56 < ahklerner> its slower it must be more secure haha
20:56 < pekster> 100% security: http://bin.smwcentral.net/15753/dsl-modem-condom,6-M-193342-13.jpg
20:57 < pekster> Also 100% unusable, but now we're just splitting hairs
20:57 < ahklerner> LOL
20:57 < Hello71> 2.3.4 doesn't listen on ::?
20:57 < pekster> Hello71: Need `--proto udp6` (or tcp6-client / tcp6-server)
20:58 < pekster> OpenVPN does not dual-stack on the transit traffic today (but is happy to do so over the tunnel)
20:58 < Hello71> can I put multiple protos?
20:58 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has quit [Quit: Konversation terminated!]
20:58 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Quit: Read Error 1664 (Connection reset by beer)]
20:58 < pekster> No; you'd need to run concurrent instances (with their own network range, unless you bridge them (but please don't bridge them))
20:58 < Hello71> or do I have to run *four* openvpns?
20:59 < Hello71> bit of a combinatorial explosion there
20:59 < pekster> 4? tcp+udp over v4/v6?
20:59 < Hello71> mmhmm.
20:59 < pekster> Yup, 4 instances.
20:59 < pekster> Aggrigate 4 x /24's into a /22
20:59 < Hello71> I have a /32.
20:59 < Hello71> NAT all the things
20:59 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
20:59 < pekster> Or however big your VPN LANs need to be
21:00 < pekster> Even if you have public v4 to waste, no point in doing so needlessly
21:00 < pekster> Oh, /32 ~= v6 though :P
21:00 < Hello71> cheap-ass VPS with its 3-second read I/O latency
21:00 < pekster> Or 1 v4 IP. Whatever
21:02 < pekster> chroot hosting (ie: openvz, lxc, or fbsd jails) tend to be more oversold than true VPS virt, but plenty of places overselling and under-delivering to undercut on cost
21:02 < pekster> Could always colo real hardware ;)
21:02 < pekster> Or just find a non-broken VPS with non-insane solutions
21:02 < pekster> But yea, 4 instances, aggrigate them in some sane way
21:03 < Hello71> TCP/UDP: Socket bind failed on local address [undef]: Address already in use
21:03 < Hello71> no, it's KVM.
21:04 < pekster> Ah, sane tech, possibly just run poorly
21:04 < Hello71> the provider puts ns1 and ns2 on the same server.
21:04 < Hello71> that the clients also use.
21:04 < pekster> Cute
21:04 < Hello71> that is also at OVH.
21:04 < pekster> Heh, the place that can't do IPv6 right? We make fun of them elsewhere on this IRC network too!
21:05 < pekster> on-link everything!
21:05 < Hello71> you mean DO?
21:05 < Hello71> oh, OVH.
21:05 < pekster> Yup. /48. On-link. Because.
21:06 < pekster> address in use means something else has already bound to the IP/port
21:06 < Hello71> well, my "reseller" of sorts, when asked, said:
21:06 < Hello71> IPv6 GW: 2607:5300:60:2517::1
21:06 < Hello71> IPv6 NET: /48
21:06 < pekster> Ugh. Becuase 2^64 on-link IPs is too few? Idiots.
21:07 < pekster> IPv6 isn't hard because it's new: it's hard because many people never learned real routing
21:07 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Read error: Connection reset by peer]
21:08 < Hello71> openvpn seems to listen on :: fine without bind ipv6only
21:08 < Hello71> I dunno if it works though
21:09 < Hello71> seems to work fine
21:12 < pekster> Oh interesting, options include udp / udp4 / udp6. Maybe it got dual-stack transit without my noticing :)
21:13 < Hello71> it needs udp6
21:13 < Hello71> but I have a dual stack
21:13 < pekster> Ah
21:13 < Hello71> *system
21:13 < Hello71> so :: listens on v4 too
21:14 < pekster> And it accepts v4 connections? If so, saves 2 instances for you
21:14 < Hello71> and two of those desperately-needed 10/8 subnets
21:14 < pekster> /8? :\
21:14 < Hello71> well, /16s in 10/
21:14 < Hello71> 8.
21:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
21:15 < pekster> 65k clients?
21:15 < pekster> s/5/4/
21:16 < Hello71> 2 clients
21:19 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
21:25 -!- zeroNones [~textual@187.204.191.171] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
21:45 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
22:11 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
22:11 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
22:39 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:00 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:02 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
23:06 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
23:57 -!- ShadniX [dagger@p5DDFD88D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:58 -!- ShadniX [dagger@p5DDFFFDF.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Aug 20 2014
00:10 -!- DarkKnightCZ [~lukas@ip-4-11.hlucinnet.cz] has joined #openvpn
00:41 -!- DarkKnightCZ [~lukas@ip-4-11.hlucinnet.cz] has quit [Ping timeout: 240 seconds]
00:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
01:02 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 260 seconds]
01:05 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:34 -!- clyons [~kvirc@host86-157-15-79.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
01:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
01:43 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
01:58 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
02:04 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 246 seconds]
02:17 -!- DarkKnightCZ [~lukas@193.179.215.102] has joined #openvpn
02:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:01 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
03:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
03:13 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 264 seconds]
03:14 -!- mattock_afk is now known as mattock
03:15 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:30 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
03:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 260 seconds]
03:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
03:51 -!- larryone [~larryone@180.234.66.193] has joined #openvpn
04:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:31 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
04:53 -!- derRichard [~derRichar@pippin.sigma-star.at] has joined #openvpn
04:58 < derRichard> dazo: looks like i hit a sore point with my windows8 mail ;-)
05:29 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:32 <@ecrist> derRichard: your approach on the ml could use some redress
05:51 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
05:52 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:55 -!- p3rror [~mezgani@41.249.34.190] has joined #openvpn
06:21 -!- terr1 [~terr1@unaffiliated/terr1] has left #openvpn []
06:34 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
06:36 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
07:11 -!- p3rror [~mezgani@41.249.34.190] has quit [Ping timeout: 240 seconds]
07:29 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Remote host closed the connection]
07:29 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
08:07 < fchmmr> <Envil> Although going from a plain x86_64 march to core2 probably won't make much of an difference ^^
08:08 < fchmmr> a 2% difference yields an extra 5Mbps
08:08 < fchmmr> it makes a difference! thank you for your suggestion! I will try it later
08:08 -!- DarkKnightCZ [~lukas@193.179.215.102] has quit [Ping timeout: 240 seconds]
08:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
08:26 -!- DarkKnightCZ [~lukas@193.179.215.102] has joined #openvpn
08:40 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
08:42 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Ping timeout: 240 seconds]
08:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
08:43 -!- mode/#openvpn [+v s7r] by ChanServ
08:43 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
08:45 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
08:46 -!- DarkKnightCZ [~lukas@193.179.215.102] has quit [Ping timeout: 264 seconds]
08:47 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
08:49 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 244 seconds]
08:54 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Ping timeout: 250 seconds]
08:59 < fchmmr> <Envil> I don't know any specific guides but if you just want to add some cflags that shouldn't be much of an issue. You can use 'CFLAGS="-O2 -march=core2" ./configure' to add any cflags of your liking.
08:59 < fchmmr> <Envil> Although going from a plain x86_64 march to core2 probably won't make much of an difference ^^
08:59 < fchmmr> what about -03 ?
08:59 < fchmmr> or will this be a problem? (I know that it can cause some errors on some platforms)
09:00 < fchmmr> also may -funrollloops (not sure if i spelled it correctly)
09:02 -!- DarkKnightCZ [~lukas@193.179.215.102] has joined #openvpn
09:09 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
09:16 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Ping timeout: 260 seconds]
09:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:20 -!- DarkKnightCZ [~lukas@193.179.215.102] has quit [Read error: Connection reset by peer]
09:20 -!- DarkKnightCZ [~lukas@193.179.215.102] has joined #openvpn
09:25 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
09:25 -!- DarkKnightCZ [~lukas@193.179.215.102] has quit [Ping timeout: 260 seconds]
09:30 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:34 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Quit: ZNC - http://znc.in]
09:35 -!- DomeMaster [~iain@91.238.214.61] has joined #openvpn
09:35 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
09:35 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
09:35 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Remote host closed the connection]
09:40 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
10:07 -!- DomeMaster [~iain@91.238.214.61] has quit [Ping timeout: 272 seconds]
10:18 -!- larryone [~larryone@180.234.66.193] has quit [Quit: Leaving]
10:20 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
10:25 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
10:33 -!- dazo is now known as dazo_afk
10:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:45 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
10:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:50 -!- zeroNones [~textual@187.204.173.238] has joined #openvpn
11:00 -!- zeroNones [~textual@187.204.173.238] has quit [Ping timeout: 240 seconds]
11:03 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
11:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:29 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
11:30 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
11:30 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
11:32 < hyper_ch> does openvpn only cause slow poweroffs on *buntu? Problem occurs when you mount shares e.g. cifs through the vpn connection because on *buntu first openvpn gets closed, and only later mounts get umounted. So when it tries to umount a cifs shares it's non-responsive becuase openvpn is already closed and that causes - at least on ubuntu - a 120 second timeout delay
11:35 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Read error: Connection reset by peer]
11:36 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
11:38 < pekster> hyper_ch: Consider looking at --down and possibly --up-pre in combination to do such "early unmounting" -- or fix your distros insane policy of waiting such a long time to unmount on shutdown
11:38 < hyper_ch> pekster: I just wonder if it's only *buntu or general
11:38 < pekster> If you mount things async and they "take some unspecified time" to flush (and your unmounter blocks on such things) I can see where life would get hard, but it's nothing openvpn has much control over
11:39 < pekster> I shutdown/reboot fine with NFS mounted over openvpn, fwiw. Smells like CIFS or distro problems in ordering/timeouts/async-mounting
11:40 < pekster> Possibly you want to tweak initscript ordering such that openvpn is encouraged to start before (and stop after) your network mounts
11:40 < pekster> Depends on your setup though
11:41 < hyper_ch> to boot up is no problem
11:41 < hyper_ch> just the shut down
11:41 < hyper_ch> but my question remains, is this ubuntu specific or not
11:47 < pekster> Not as such, no. It's a combination of your distro, the software (mount-helpers) and configuration you're using
11:48 < pekster> You'll need to dig into what exactly happens on shutdown to cause the hang. You'll then need to figure out a way to avoid it, either by nicely doing the "right" thing on shutdown wrt. your mounts, or else have some timeout/abort logic in whatever gets stuck
11:49 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Ping timeout: 245 seconds]
11:49 < hyper_ch> pekster: I know what happens
11:49 < pekster> OpenVPN won't help you at all until you can define what you want to DO about This. It can run commands just before bringing the interface down, but you need to figure out if that's the best path here, and then what exactly to do
11:49 < hyper_ch> openvpn gets sĥut down
11:49 < pekster> If you can run `umount blah blah blah` on shutdown, do exactly what I suggested when you first asked
11:49 < hyper_ch> afterwards the system tries to umount a network share that's mounted through the vpn
11:49 < hyper_ch> since openvpn is already down
11:49 < pekster> Yes. I've given you about 3 solutions to that
11:50 < pekster> Pick one and go do it
11:50 -!- DomeMaster [~iain@91.238.214.79] has joined #openvpn
11:50 < hyper_ch> so do I report it to Kubuntu
11:50 < hyper_ch> or is that a general problem accross all distros?
11:51 < pekster> I don't use "all" distros, nor do I do CIFS over VPN that often, certainly not automatically on biit
11:51 < pekster> boot*
11:51 < pekster> Since I've given you a variety of solutions, the venue to follow up on each naturally varies
11:52 < pekster> Until you can define how you wish to solve this, you can't really do anything
11:52 < hyper_ch> it's not about me solving it
11:52 < hyper_ch> it sounds like an obvious bug
11:53 < pekster> Then file it with $yourDistro
11:53 < hyper_ch> to have a networked share trying to umount after the connection is capped
11:53 < pekster> It's an ordering and/or bad unmounter
11:53 < hyper_ch> which causes to fail and timeout
11:53 < pekster> (or bad init that refuses to kill things)
11:53 < pekster> OpenVPN has zero to do with this unless you want to script a solution. For that, see: !hooks
11:53 < pekster> Erm, not that, but: !scripts
11:53 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 240 seconds]
11:53 < hyper_ch> I never said it's openvpn's fault
11:54 < pekster> You'd have the exact same problem if you had a 2nd wired nick, unplugged the cable, then shutdown from the sounds of it
11:54 < hyper_ch> I just came here to ask because I assumed someone else would be able to tell me if they experience the same on another distro
11:54 < pekster> Right, I'm just pointing out openvpn could offer a scripted solution
11:55 < pekster> I doubt it; this is a somewhat low-traffic channel, by comparison to popular distros. It's rather unlikely someone automounting CIFS on boot on debian-based OSes is waiting to help you here; feel free to idle as someone could be ;)
11:55 < hyper_ch> I could just change the shutdown order.... or add specific shutdown stuff for those cifs shares
11:55 < hyper_ch> but that's not what I'm askin about
11:55 < pekster> The bug of "hang forever" is in your distro, yes
12:07 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:10 < hyper_ch> thx anyway, pekster
12:11 -!- mwargh [~sistemshi@unaffiliated/mwargh] has joined #openvpn
12:12 < mwargh> how do i tell openvpn server under windows to NOT reconfigure tun adapter so i can manually set its settings in control panel?
12:12 < mwargh> way to do it in linux is ok too
12:12 < mwargh> i think i'll figure it out
12:16 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:28 <@Eugene> mwargh - don't use any of the --ifconfig options, including --server or --pull
12:35 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
12:37 -!- clyons [~kvirc@host86-157-15-79.range86-157.btcentralplus.com] has joined #openvpn
12:46 < mwargh> Eugene: thanks
13:00 -!- DomeMaster [~iain@91.238.214.79] has quit [Ping timeout: 240 seconds]
13:03 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
13:06 -!- spstarr [~spstarr@fedora/spstarr] has joined #openvpn
13:07 < spstarr> im getting this error: 'AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate' every 24 hours.. i have a user that i need to reconnect automatically can I do this?
13:07 < spstarr> or do i need to scripts to workaround
13:24 -!- Reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
13:26 < Reventlov> In the logs of my openvpn client, I get that: http://sprunge.us/WZHR . The connection to the vpn worked 20 minutes ago. Now, I cannot ping anything but my local gateway (not the vpn) and the routes didn't change. What could cause that ?
13:30 -!- spstarr [~spstarr@fedora/spstarr] has left #openvpn ["Leaving"]
13:43 < Reventlov> (not a firewall problem, more like a "the routes are not flushed" problem)
13:49 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Read error: No route to host]
13:50 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
14:23 -!- Geriatrix [~kvirc@mail.vancouveronthenet.com] has joined #openvpn
14:23 < Geriatrix> hey guys - just setting up openvpn on centos from scratsh - i am missing the tun interface  - how do i go about coneigurign that ?
14:24 < Geriatrix> err: configuring
14:30 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 240 seconds]
14:35 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
14:37 < Six6siX> im pretty sure openvpn does it for you
14:37 < Six6siX> Reventlov, what firewall are you using?
14:37 < Six6siX> ConfigServer?
14:37 < Reventlov> iptables
14:38 < Reventlov> it may be because of the client-to-client option in the server.conf, nope ?
14:40 < Six6siX> definitely not using csf?
14:42 < Reventlov> what is csf ?
14:43 < Reventlov> I think it's safe to say: no.
14:44 < Six6siX> what does your iptables forwarding rules look like
14:45 < Reventlov> everything at ACCEPT plus -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
14:45 < Reventlov> (enp1s0 is my ethernet interface)
14:46 < Reventlov> note: it works most of the time.
14:46 -!- mattock is now known as mattock_afk
14:46 < Reventlov> but sometimes, i lose the connection and I have to restart openvpn (flush the routes, I guess)
14:46 < Geriatrix> does openvpn have a web interface ?
14:47 < Geriatrix> what does this article refer to ? https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
14:47 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
14:47 < Reventlov> to a centos cloud server.
14:48 < Geriatrix> oh ... i see
14:49 < Geriatrix> is there a web interface for openvpn - out of the "box"
14:49 <@Eugene> No, openvpn does not have a web intereface of any sort by itself.
14:49 < Geriatrix> i tought so ... ok - thank you
14:49 < Geriatrix> beofre i waste more time reading it :)
14:49 < Six6siX> there are 3rd party management scripts with a web gui
14:49 < Six6siX> never tried any myself
14:49 <@Eugene> !as
14:49 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
14:50 <@Eugene> Pretty sure they've got a gui, tho ^
14:50 < Geriatrix> another question - do i need to have iptables running for openvpn to work ?
14:50 < Six6siX> you need something to route the packets
14:50 <@Eugene> No, openvpn has no dependency upon iptables
14:51 <@Eugene> It's a good idea to have a firewall ruleset in any case
14:51 < Reventlov> only if you want to get a web access or redistribute routes
14:51 < Reventlov> for a "simple" vpn (to share a private network), no need
14:51 < Geriatrix> that's what i thought - thank you
14:52 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
15:17 < Reventlov> Six6siX: so it happens again now.
15:18 < Reventlov> the logs on the client: http://sprunge.us/LCVd
15:18 < Reventlov> my ssh connection to the gateway is still up, but I can ping the gateway (10.0.0.1)
15:19 < Reventlov> I can't*
15:19 < Reventlov> ( From 10.8.0.2 icmp_seq=1 Destination Host Unreachable)
15:21 < mdoge> Eugene is my middle name
15:21 < Reventlov> I can give you the output of any command, on the server or on the client.
15:22 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
15:25 < Reventlov> so, idea anyone ?
15:29 < Geriatrix> hey guys - what is the p-t-p ip address
15:29 < Geriatrix> as in peer to peer
15:29 < Geriatrix> ?
15:29 < Geriatrix> i am pushing a static ip and i see i have to specify two ips
15:41 <@Eugene> !ptp
15:41 <@Eugene> !/30
15:41 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
15:42 <@Eugene> By default openvpn uses Point-to-Point links
15:52 < Reventlov> Eugene: do you know how I can make openvpn flush the routes if I get an inactivity timeout on openvpn ?
16:05 < Geriatrix> !/ptp
16:05 < Geriatrix> !ptp
16:06 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
16:06 < DomeMaster> Hello
16:06 < DomeMaster> is there a way to run a script when openvpn client fails to connect for whatever reason?
16:06 < DomeMaster> Or if the configuration is incorrect?
16:16 < Exagone313> if you are using openvpn command on linux, the openvpn command just end and then you can run another command after it
16:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:17 < DomeMaster> oh really?
16:17 < DomeMaster> when I ran it on Linux it keeps running, it doesn't stop running.
16:18 < DomeMaster> Are you saying there is a way for it to go into the background automatically once its connected Exagone313?
16:18 < Exagone313> no it does not
16:18 < Exagone313> the command still running
16:18 < Exagone313> if it fails, for me, it stops
16:19 < Exagone313> i run openvpn in console with an alias
16:19 < DomeMaster> thats the issue Exagone313
16:19 < DomeMaster> I want it to be in background if its succesful
16:19 < DomeMaster> but not if it fails
16:20 < Exagone313> maybe :
16:20 < DomeMaster> I guess I need to rethink how I execute it
16:20 < Exagone313> #!/bin/bash
16:20 < Exagone313> sudo openvpn ..... &
16:20 < Exagone313> wait a time
16:20 < Exagone313> if [ check if openvpn is running] do a dommand
16:20 < DomeMaster> ya thats was the solution I'd come up with
16:21 < DomeMaster> I reckon what I'll do is background another script that runs openvpn
16:21 < DomeMaster> if it ever fails then the script will catch it
16:21 < Exagone313> you may replace sudo by gksudo/kdesudo/other
16:21 < DomeMaster> sure, well thanks a lot for the help man
16:21 < DomeMaster> very useful :)
16:21 < Exagone313> else you can check the log
16:22 < Exagone313> sudo openvpn ...
16:22 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Excess Flood]
16:22 < Exagone313> check log
16:22 < Exagone313> if [ openvpn didn't running correctly ] do a command;
16:24 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has joined #openvpn
16:25 < Exagone313> DomeMaster: ?
16:25 < DomeMaster> Oh I see Exagone313
16:25 < DomeMaster> ya thats a good idea, but I can just wait for it to fail
16:26 < DomeMaster> thats easier for me
16:26 < DomeMaster> thanks for the suggestions tho
16:26 < Exagone313> it's maybe better if your connection is bad etc ...
16:28 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:30 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 250 seconds]
16:57 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:02 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 260 seconds]
17:02 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Remote host closed the connection]
17:05 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
17:07 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
17:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:27 -!- keruton [~keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
17:28 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
17:34 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
17:42 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Read error: Connection reset by peer]
17:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
17:50 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
18:08 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
18:24 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
18:39 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:40 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
18:40 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 244 seconds]
18:44 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 244 seconds]
18:44 -!- clyons [~kvirc@host86-157-15-79.range86-157.btcentralplus.com] has quit [Ping timeout: 244 seconds]
18:44 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 244 seconds]
18:45 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
18:45 -!- MogDog66 is now known as MogDog
18:46 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:49 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 244 seconds]
18:49 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
18:51 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
18:52 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
18:52 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has quit [Ping timeout: 244 seconds]
18:52 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
18:55 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
18:56 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:03 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
19:23 -!- Geriatrix [~kvirc@mail.vancouveronthenet.com] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
19:45 -!- ahklerner [~nkruzan@unaffiliated/ahklerner] has left #openvpn []
20:07 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
20:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:50 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:58 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:24 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 240 seconds]
21:30 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
21:40 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Remote host closed the connection]
21:41 -!- Lya [~Lya@gateway/tor-sasl/lya] has joined #openvpn
21:42 <@ecrist> !ircstats
21:42 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
21:43 <@krzee> werd eric
21:43 <@krzee> hello from cabo
21:43 <@ecrist> hello sir
21:43 <@krzee> how the intro going?
21:44 <@ecrist> :\
21:44 <@ecrist> though, I talked with jjk a bit and have some direction
21:45 <@krzee> nice
21:46 <@ecrist> yup
21:46 <@ecrist> it's due wednesday
21:46 <@krzee> oh boy
21:46 <@ecrist> one of these days, you and I should chat
21:47 <@ecrist> heard some info today about some things I got involved with that, in hindsight, are kinda spooky
21:47 <@ecrist> NSFIRC
21:47 <@krzee> otr ftw
21:48 <@krzee> or xxx `talk`
21:48 <@ecrist> oooh
21:48 <@ecrist> that's easy
21:48 <@krzee> im in there
21:49 <@krzee> oh god 566 day uptime im prolly so overdue for some updates lol
21:49 <@ecrist> yeah, a few
21:49 <@ecrist> mesg y
21:51 <@krzee> talk krzee
21:51 <@ecrist> :\
21:51 <@krzee> i did mesg y
21:51 <@krzee> if talk no worky then we can write
21:51 < Hello71> command not found: talk
21:52 <@krzee> NAME
21:52 <@krzee>      talk -- talk to another user
21:52 <@krzee> TALK(1)                 FreeBSD General Commands Manual                TALK(1)
21:52 <@ecrist> I'll chat with you later about it
21:52 <@ecrist> it's an interesting story
21:52  * ecrist poofs for now
21:52 <@krzee> ok, otr me sometime then, im always on there when im online… in cabo til after weekend so ill be spotty
21:54 <@krzee> oh and my LPN email has pgp
21:54 <@krzee> with published pubkey
22:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
22:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:24 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
22:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Client Quit]
22:50 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
23:00 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
23:01 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
23:05 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
23:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
23:13 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
23:28 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:55 -!- ShadniX [dagger@p5DDFFFDF.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:57 -!- ShadniX [dagger@p5DDFE534.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Aug 21 2014
00:26 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
00:27 -!- dazo_afk is now known as dazo
00:28 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
00:34 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
00:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:56 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
01:03 -!- mattock_afk is now known as mattock
01:17 -!- Lya [~Lya@gateway/tor-sasl/lya] has quit [Quit: Leaving.]
01:44 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
01:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
01:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:09 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
02:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:45 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
02:52 -!- keruton [~keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Remote host closed the connection]
03:09 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
03:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:18 -!- troyt_ [~troyt@c-67-161-211-139.hsd1.ut.comcast.net] has quit [Ping timeout: 240 seconds]
04:21 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
04:21 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
04:27 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
04:28 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
04:28 < v0lZy> hi
04:28 < v0lZy> Anyone have a way to push domain search lists to windows clients?
04:28 < v0lZy> I have several domains ... actually they are kind of like <sub>.<sub.>.<domain.tld>
04:29 < v0lZy> and I'd need to send all of those to the remote ends
04:32 -!- dazo is now known as dazo_afk
04:50 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
04:52 < bluenemo> hi guys. I have a routed (tun) openvpn server and I want clients to be able to talk to each other; however restricted by iptables, so I did not enable client-to-client. this works out fine so far, however the server pushes only the route to himself to the client and not the whole subnet. I cant seem to find my error in configuration. i've pasted relevant config files and `ip r` here: http://paste.debian.net/hidden/3c2e11d0/
04:54 < bluenemo> if I manually delete the 10.11.12.1 via 255.255.255.0 route and then set `ip r add 10.11.12.0/24 via 10.11.12.1 dev tun0` on the client, it works out fine. however I want the server to automatically push that route. if i enable client-to-client on the server, it does that, but i want to set permissions by iptables.
04:57 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
04:58 < wirehack7> !heartbleed
04:58 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
04:58 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
05:08 < bluenemo> I forgot the pull option in the client config file; however that wasnt it :/
05:18 < bluenemo> ah got it. seems i dont have to give the servers ip with push, when i omit it, it works. I however still get the route 10.11.12.1 via 255.255.255.0 dev tun0 pushed, which I dont really need (as I now have 10.11.12.0/24 via 255.255.255.0 dev tun0). can I disable that somehow?
05:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
06:05 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:47 -!- zamba [marius@flage.org] has joined #openvpn
06:47 < zamba> can openvpn perform load balancing / redundancy across different networks?
06:47 < zamba> if one peer goes down, then it should try the next?
07:04 <@ecrist> yes
07:05 <@ecrist> you can specify multiple --remote options in the client configs
07:26 < zamba> ecrist: what about fallback?
07:32 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 255 seconds]
07:37 <@ecrist> there isn't really any fallback
07:38 <@ecrist> once a client is connected to a server, it will stay connected until it's not
07:40 < zamba> ok
07:48 -!- vali [valentin@monitoring.hostbull.net] has joined #openvpn
07:49 < vali> hi guys, I have an issue with my openvpn server. I just installed it (debian) and it's running but it seems I cannot connect to it. My config is -> http://nopaste.linux-dev.org/?217878
07:50 < vali> I see the client trying to connect in the log, but I cannot see anything error/warning related
07:52 < vali> hmm
07:52 < vali> I think I know whats the issue
07:52 < vali> some firewall between us..
08:00 -!- doebi [~doebi@doebi.at] has joined #openvpn
08:05 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Ping timeout: 255 seconds]
08:12 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Quit: WeeChat 0.4.3]
08:20 -!- Latrina [~Latrina@adsl-ull-239-205.50-151.net24.it] has quit [Ping timeout: 264 seconds]
08:25 -!- Latrina [~Latrina@adsl-ull-43-187.50-151.net24.it] has joined #openvpn
08:31 -!- vali [valentin@monitoring.hostbull.net] has left #openvpn []
08:37 -!- DomeMaster [~iain@91.238.214.44] has joined #openvpn
08:37 < DomeMaster> Hello, is there anyway to pass my own parameters to the up script? I tried to export env variable before calling openvpn client but it didn't appear in the up script
08:48 -!- DomeMaster [~iain@91.238.214.44] has quit [Ping timeout: 250 seconds]
09:06 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:10 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Quit: Verlassend]
09:54 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
09:58 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:09 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:09 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Max SendQ exceeded]
10:10 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:16 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:22 -!- zeroNones [~textual@187.204.171.227] has joined #openvpn
10:22 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 240 seconds]
10:23 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:27 -!- zeroNones [~textual@187.204.171.227] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:27 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 250 seconds]
10:28 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 246 seconds]
10:29 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
10:31 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
10:40 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
10:52 -!- dev3lc0d3 [~devilcode@133.88.187.81.in-addr.arpa] has joined #openvpn
10:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:54 < dev3lc0d3> I have a CentOS on OfficeLAN_A and a webserver on External Network. The Websever can VPN onto OfficeLAN. However I can no access the Webserve's pages
10:56 < dev3lc0d3> the Webserver can ping computers on the Office lan
10:56 < dev3lc0d3> and ssh to them etc..
10:57 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
11:08 < dev3lc0d3> !welcome
11:08 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:08 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:09 < dev3lc0d3> anyone about ?
11:10 <@Eugene> !anyone
11:10 <@Eugene> Only someone, it appears
11:17 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:18 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
11:23 < dev3lc0d3> lol
11:29 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
11:29 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
11:45 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
11:47 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit []
12:07 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:13 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
12:36 -!- dev3lc0d3 [~devilcode@133.88.187.81.in-addr.arpa] has quit [Quit: Leaving]
12:39 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
12:43 < erikcw> !welcome
12:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:43 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:46 < erikcw> !goal
12:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:46 < erikcw> !logs
12:47 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:51 -!- Pyrogerg [~Gregory@mobile-166-137-183-178.mycingular.net] has joined #openvpn
12:56 -!- Chex [Chex@hotlanta.northnook.ca] has joined #openvpn
13:00 < erikcw> I’m trying to get OpenVPN setup on a CentoOS 6 server (cPanel server with csf firewall) with the goal of being able to tunnel my traffic from insecure networks (ie coffeeshops) to the internet at large.  I’m having problems connecting from my client (OSX tunnelblick).  Here are my server logs: http://pastebin.com/i3rPGtpR
13:01 < erikcw> My server config: http://pastebin.com/QgDdQtrw
13:05 < erikcw> ifconfig http://pastebin.com/SzrPnKPj
13:07 < erikcw> Any thoughts on what the problem may be?
13:14 <@krzee> erikcw, from the log the problem is your client didnt connect
13:14 <@krzee> it tried, but timed out.
13:14 <@krzee> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
13:14 <@krzee> seems like a bad connection
13:16 -!- Pyrogerg [~Gregory@mobile-166-137-183-178.mycingular.net] has quit [Read error: Connection reset by peer]
13:23 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:25 < erikcw> krzee: I tested with nc — and the port seems to be open
13:25 <@krzee> of course the port is open, it STARTS a connection
13:25 <@krzee> it just doesnt complete one, so theres something not allowing that
13:25 <@krzee> my first thought is bad network(s) but it could be a DPI firewall too i guess
13:27 < erikcw> What would be the first step in finding the problem?
13:28 <@krzee> first, what country are both in?  china or iran maybe?
13:29 <@krzee> from your IP it looks like just USA… but i feel the need to be sure
13:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:31 < erikcw> USA
13:31 < erikcw> Client is in CA — server is a VPS in Virgina
13:36 <@krzee> client happen to be at a corporation, or a normal house network?
13:38 < erikcw> client is at a normal home network (router is OpenWRT if that makes a difference).
13:40 <@krzee> ok so i feel like we can safely assume that DPI isnt happening
13:40 <@krzee> show me the client log too
13:42 < erikcw> http://pastebin.com/Fv34MkAS
13:43 -!- Pyrogerg [~Gregory@mobile-166-137-183-178.mycingular.net] has joined #openvpn
13:43 <@krzee> hmm
13:44 <@krzee> ok while trying to connect run a ping from client to server for awhile
13:44 <@krzee> any packet loss?  huuuge ping?  anything seem weird?
13:45 < erikcw> When i first hit connect, some of the ping requests start timing out, then they come back.  ping reports 0% packet loss
13:46 -!- Pyrogerg [~Gregory@mobile-166-137-183-178.mycingular.net] has quit [Read error: Connection reset by peer]
13:48 <@krzee> how you have 0% packet loss when some timed out?
13:49 < erikcw> that’s what it reported after I stopped the process
13:49 < erikcw> I just ran it again and it reported 0.5% packet loss
13:49 -!- Geriatrix [~kvirc@mail.vancouveronthenet.com] has joined #openvpn
13:49 <@krzee> how long did you run the ping?
13:50 < Geriatrix> hey guys - can i pass command line params when executing kuild-key client
13:50 < erikcw> I just let it run for about a minute.  I can try again with the -c parameter if that would be helpful
13:50 < Geriatrix> i woudl like to remotelly execure that over ssh and pass all the CN etc...
13:50 < Geriatrix> and then pull the client cert down via scp
13:51 < Geriatrix> :%s/kuild-key/build-key
13:51 < erikcw> ping -c 50 reports 0 packet loss
13:52 <@krzee> erikcw, actually i want you to run the ping the entire time it tries to connect, let it timeout 2 or 3 times and then show me the statistics it prints at the end
13:52 <@krzee> max min stdev, etc
13:54 < erikcw> krzee: 91 packets transmitted, 91 packets received, 0.0% packet loss
13:54 < erikcw> round-trip min/avg/max/stddev = 84.973/87.727/102.696/3.264 ms
13:55 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
13:55 < erikcw> Tunnelblick just keeps saying “Waiting for server response [time elapsed]”.  Shows that it has sent data, but hasn’t recieved anything
13:55 <@krzee> hmm weird the connection is fine
13:55 < erikcw> Could it be the firewall on the server?
13:55 <@krzee> change both sides to verb 5
13:55 <@krzee> then show me both logs
13:56 <@krzee> that'll tell me if i ts firewall issue, i think it is
13:57 <@krzee> r is read, w is write, i bet one side is all wwwwwwww
14:00 < erikcw> client: http://pastebin.com/WKnDyrSL
14:01 < erikcw> server http://pastebin.com/h6Jw2MTD
14:08 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
14:09 <@krzee> weird his client log has no WRWR
14:09 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
14:09 <@krzee> if he comes back someone tell him to check server firewall
14:10 <@krzee> oh there you are
14:10 < drawesome> erikcw, Check server firewall
14:10 < drawesome> xD
14:10 < erikcw> haha
14:10 <@krzee> check server firewall, not sure why client has no WRWRWR at all, thats weird
14:11 <@krzee> if you arent sure what to look for pastebin us iptables-save
14:14 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
14:14 < drawesome> krzee, I think you scared him away
14:15 < drawesome> lol
14:16 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
14:18 < erikcw> krzee: http://pastebin.com/U5LPPbKd
14:18 < erikcw> server iptables-save
14:19 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:19 -!- mode/#openvpn [+o plaisthos] by ChanServ
14:21 < erikcw> more info in case it is relevant.  The router the client is connecting through is running OpenWRT.  It has iptables and (a working install) of OpenVPN.  The client is not currently connected to that OpenVPN server though.
14:22 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
14:26 <@krzee> ok so ya im not digging through that firewall, especially with it all ***.*** and whatnot… so try clearing the firewall and see if it works
14:26 <@krzee> if it does, then fix it
14:27 < erikcw> the ***.*** was me sanitzing the server IP before putting the config on pastebin
14:28 <@krzee> i know what it was
14:28 <@krzee> so try clearing the firewall and see if it works
14:28 <@krzee> if it does, then fix it
14:33 < erikcw> With the firewall off, I still get the same result
14:44 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has quit [Ping timeout: 250 seconds]
14:50 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
14:57 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:26 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Ping timeout: 245 seconds]
15:26 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds]
15:27 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
15:33 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit [Read error: Connection reset by peer]
15:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:35 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
15:38 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
15:46 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit []
15:53 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 272 seconds]
15:54 <@krzee> erikcw, then do the same sort of testing on your openwrt router
15:55 <@krzee> with the firewall
15:55 <@krzee> the only thing i can think of that would be stopping you is a firewall
15:55 <@krzee> doesnt mean im right, but thats how it looks to me
16:00 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Ping timeout: 250 seconds]
16:00 -!- erikcw [~erikcw@166.78.1.203] has joined #openvpn
16:01 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:04 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
16:04 -!- erikcw1 [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
16:05 -!- erikcw [~erikcw@166.78.1.203] has quit [Ping timeout: 240 seconds]
16:05 -!- erikcw1 is now known as erikcw
16:14 -!- AndrzejL [~AndrzejL@unaffiliated/andrzejl] has joined #openvpn
16:15 -!- mattock is now known as mattock_afk
16:20 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.4.3]
16:21 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
16:25 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
16:38 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
16:42 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Remote host closed the connection]
16:48 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
16:52 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Read error: Connection reset by peer]
17:01 < AndrzejL> guys I have few questions
17:01 < AndrzejL> Installation was pretty easy
17:01 < AndrzejL> but I am confused about the authentication mechanisms that are in place by default
17:02 < AndrzejL> the instructions on Arch wiki say to generate the keys but it looks to me like 2 sets of keys are being generated
17:03 < pekster> !intro-to-pki
17:03 < AndrzejL> also there is nothing in there about password authentication - so does openvpn provides 1 server 1 client authentication / mode by default?
17:03 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
17:04 < AndrzejL> thanks for the link I will study it in a sec
17:04 < pekster> AndrzejL: You have the option of using X.509 (public/private keypairs) with a CA, which requires you have a PKI (that link above has an intro to PKI concepts.) OpenVPN has a static-key mode available (see: !statickey) but that only allows for 2 peers, and does not offer forward-secrecy
17:05 < AndrzejL> I need a rather simple setup where multiple clients can connect using login / password...
17:05 < pekster> You can also use password auth, which still requires as PKI (you still need the CA and server keypairs with a valid and properly signed/issued cert.) You can optionally have clients authenticate entierly by password; they will still need the CA pulblic cert though to authenticate the server
17:06 < pekster> There's an auth-pam plugin if you want to integrate with PAM, otherwise you can see the --auth-user-pass-verify option to script something. Obviously the authentication is only as secure as the credentials are actually private and the auth decision rests fully on the script in that case
17:06 < AndrzejL> I know its not great from a security standpoint but all I need is to connect somebody from outside to my internal network for a gaming in lan purposes
17:06 < pekster> heh, go with plaintext user/pass in a text file if you want; what a plugin does is up to you
17:07 < pekster> $your_favourite_language likely offers a more secure password storage (Perl has Authen::SHA for instance)
17:07 < AndrzejL> I will google the info provided and see what I can come up with
17:07 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
17:08 < AndrzejL> is there a limit to the bits of the keys that I use? Can I use 8192 or will this break stuff?
17:08 < AndrzejL> just curious about it is all
17:08 < pekster> Stick with <=4k
17:09 < pekster> some things handle larger keys badly,a nd it'll take one metric forever to generate keys of that size (nevermind the DH params the server uses)
17:09 < AndrzejL> I would want to investigate the mechanisms before I will set it up - I dont want to configure it badly and leave my internal network open to just about everyone from outside ;)
17:10 < AndrzejL> I will probably read up some more stuff maybe watch a video on youtube
17:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:01 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 255 seconds]
18:02 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
18:03 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
18:09 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
18:42 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
19:21 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Quit: Leaving]
19:30 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
19:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
19:35 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:08 -!- Starcraftmazter [~scm@xmatio.lnk.telstra.net] has joined #openvpn
20:08 < Starcraftmazter> hi
20:08 < Starcraftmazter> im having an error using openvp; http://pastie.org/private/awcan1mj40sdsukaayigja
20:08 < Starcraftmazter> does anyone know what might be causing it?
20:11 < Poster> looks like syntax error, please post your server configuration
20:14 -!- Starcraftmazter [~scm@xmatio.lnk.telstra.net] has quit [Ping timeout: 245 seconds]
20:20 <@krzee> ..or not
20:20 <@krzee> haha
20:25 < Poster> heh :(
20:41 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
21:21 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 255 seconds]
21:24 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
21:27 -!- Plastefuchs [~fweee@198.98.120.235] has quit [Quit: WeeChat 0.3.2]
21:34 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
21:35 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:48 -!- Latrina [~Latrina@adsl-ull-43-187.50-151.net24.it] has quit [Ping timeout: 245 seconds]
21:49 -!- pringlescan1 [~Adium@c-76-98-177-92.hsd1.pa.comcast.net] has joined #openvpn
21:49 < pringlescan1> hello all, I'm trying to set up my router as an openvpn client to my work vpn… it works fine on the router, however, I don't have a route to my work from any computer on the LAN. I tried site-to-site and client mode on the router.
21:50 -!- Latrina [~Latrina@ppp-62-16.26-151.libero.it] has joined #openvpn
22:05 -!- zeroNones [~textual@187.192.224.246] has joined #openvpn
22:14 -!- pringlescan1 [~Adium@c-76-98-177-92.hsd1.pa.comcast.net] has quit [Ping timeout: 240 seconds]
22:16 -!- pringlescan1 [~Adium@172.56.29.160] has joined #openvpn
22:21 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:26 -!- pringlescan [~Adium@c-76-98-177-92.hsd1.pa.comcast.net] has joined #openvpn
22:29 -!- pringlescan1 [~Adium@172.56.29.160] has quit [Ping timeout: 240 seconds]
22:33 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Read error: Connection reset by peer]
22:33 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
22:37 -!- zeroNones [~textual@187.192.224.246] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:37 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 245 seconds]
22:38 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
22:48 -!- Latrina [~Latrina@ppp-62-16.26-151.libero.it] has quit [Ping timeout: 245 seconds]
22:49 -!- Latrina [~Latrina@ppp-50-41.26-151.libero.it] has joined #openvpn
22:54 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 260 seconds]
22:56 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
22:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:04 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
23:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:09 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 250 seconds]
23:09 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:20 -!- pringlescan [~Adium@c-76-98-177-92.hsd1.pa.comcast.net] has quit [Quit: Leaving.]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:35 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:53 -!- nullsign [~nullsign@daedalus.nullsign.com] has quit [Ping timeout: 245 seconds]
23:55 -!- ShadniX [dagger@p5DDFE534.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:56 -!- ShadniX [dagger@p5DDFDC6A.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Aug 22 2014
00:13 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:19 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
00:20 < jangerho> Hate to be that guy, but does anyone know of a guide for installing oVPN on Mac via Homebrew?
00:25 -!- MogDog is now known as Laika
00:25 -!- Laika is now known as MogDog
00:26 <@krzee> why not just grab tunnelblick?
00:26 <@krzee> !osx
00:26 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
00:28 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
00:37 -!- jangerho [~jangerho@24.218.76.202] has quit [Read error: Connection reset by peer]
00:46 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:50 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 250 seconds]
00:54 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
01:15 -!- rudivd_ [~rudivd@2001:980:74d0:f000::1000] has joined #openvpn
01:23 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 255 seconds]
01:26 -!- mattock_afk is now known as mattock
01:43 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
01:52 < moonkid> hello, is any one available to help troubleshoot?
01:59 <@krzee> !ask
01:59 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
02:00 <@krzee> !learn ask as if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC =]
02:00 <@vpnHelper> Error: Spurious "]".  You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
02:00 <@krzee> !learn ask as if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
02:00 <@vpnHelper> Joo got it.
02:08 < moonkid> ok, I am recieving “TLS Error: TLS handshake failed” when i try to connect my client to my server.  the client log can be seen at http://pastebin.com/f1KhnkCv
02:09 <@krzee> and the server log?
02:09 < moonkid> i don’t think the server is receiving anything in the first place
02:10 <@krzee> !timeout
02:10 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
02:10 < moonkid> http://pastebin.com/G6cTaXqN
02:10 < moonkid> that’s the client config file
02:10 <@krzee> i dont need that, i said server log.
02:11 < moonkid> hang on
02:12 < moonkid> http://pastebin.com/K8kj5WY8
02:12 < moonkid> server log
02:13 <@krzee> uhh no
02:13 <@krzee> thats not an openvpn log
02:13 <@krzee> !logfile
02:13 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
02:14 < moonkid> syslog is only for debian based systems
02:14 < moonkid> this is messages for centOS
02:14 <@krzee> make a logfile manually and pastebin it
02:14 <@krzee> --log
02:14 < moonkid> got it
02:15 <@krzee> also, centos also uses syslogd ;]
02:15 < moonkid> haha, thanks for the heads up
02:15 <@krzee> and no matter what it does or doesnt use, that thing you posted has 0 lines relating to openvpn in it
02:17 <@krzee> now that i think about it, all linux distros i can think of use syslog, as does freebsd, hell even osx does.
02:18 <@krzee> $ ps auxw|grep [s]yslog ; uname
02:18 <@krzee> root              19   0.0  0.0  2519732   1636   ??  Ss   Mon11PM   0:11.06 /usr/sbin/syslogd
02:18 <@krzee> Darwin
02:19 < moonkid> see, i’m pulling from /vat/log/messages
02:19 <@krzee> ya, dont
02:19 < moonkid> ok
02:20 < moonkid> anyways, i should run openvpn —log /etc/openvpn/server.conf
02:20 < moonkid> ?
02:20 <@krzee> you can go back to doing that after if you want, although if i were you i would properly configure my syslogd to write that to its own file (and then properly configure newsyslog to rotate it)
02:20 <@krzee> !--
02:20 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
02:21 <@krzee> no for a couple reasons...
02:21 <@krzee> 1) you need --, not -
02:21 <@krzee> 2) --log needs a log file as a parameter
02:21 <@krzee> 3) when using other options, you cant just stick the config file at the end but rather need --conf
02:22 -!- mattock is now known as mattock_afk
02:22 <@krzee> --config i mean
02:23 < moonkid> therefore openvpn --log ~/log.txt --config /etc/openvpn/server.conf
02:23 < moonkid> ?
02:23 <@krzee> so maybe something closer to:  openvpn --log /etc/openvpn/server.log --config /etc/openvpn/server.conf
02:28 < moonkid> ok, now openvpn won’t start
02:28 < moonkid> when i try ‘service openvpn start’
02:28 < moonkid> it returns [FAILED]
02:28 <@krzee> start it manually
02:28 <@krzee> worry about automating the startup after you get it working.
02:30 < moonkid> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server.conf:1: Options (2.3.2)
02:30 < moonkid> that’s all i get in the log file
02:30 <@krzee> show me the server config
02:32 < moonkid> ok
02:32 < moonkid> i know what happened
02:32 < moonkid> i overwrote the conf file
02:32 < moonkid> hang on
02:32 <@krzee> uhh
02:33 < moonkid> when i tried openvpn --og server.conf
02:35 <@krzee> i gave you 3 reasons not to run that ;]
02:39 < moonkid> http://pastebin.com/ED0Wb0xH
02:39 < moonkid> server.conf
02:39 < moonkid> and now that i have a running server.conf
02:40 < moonkid> http://pastebin.com/mzPSmfac
02:40 < moonkid> server.log
02:41 <@krzee> oh boy, didnt know you had a config with all the comments
02:41 <@krzee> !configs
02:41 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
02:41 <@krzee> paste it like that pls
02:41 <@krzee> grep -vE '^#|^;|^$' server.conf
02:41 < moonkid> kk hang on
02:42 < moonkid> http://pastebin.com/Z7eq5x0g
02:43 <@krzee> cd /etc/openvpn before you run openvpn
02:44 <@krzee> (i would tell you to use full paths, but when you run the centos service scripts it'll chroot to /etc/openvpn so its actually ok how it is
02:46 < moonkid> http://pastebin.com/t0YB3uS2
02:46 < moonkid> alright
02:46 < moonkid> new server.log
02:48 <@krzee> cool, now give me a server.log that includes the client trying to connect
02:49 < moonkid> nothing changes when i try to connect
02:49 <@krzee> iptables-save on the server
02:50 < moonkid> http://pastebin.com/DpS1TysW
02:51 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
02:53 <@krzee> -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
02:53 <@krzee> err
02:53 <@krzee> iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
02:53 <@krzee> does the server log show the clients connection attempt now?
02:55 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
02:56 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
02:56 < moonkid> ok
02:56 <@krzee> you got my iptables rule?
02:56 < moonkid> so it connects now
02:56 <@krzee> good
02:56 <@krzee> ok so now… whats your goal?
02:56 <@krzee> !goal
02:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:56 < moonkid> but it doesn’t connect to the internet
02:56 <@krzee> ok, show me ifconfig -a
02:58 < moonkid> http://pastebin.com/nz51Sanq
02:58 <@krzee> hmm ok
02:58 <@krzee> well at least your first nat rule hits it
02:59 <@krzee> because you have 4 after that which you should get rid of
02:59 <@krzee> but iptables is first hit goes… so thats fine i guess
02:59 <@krzee> use the flowchart here so i dont have to walk you through everything:
02:59 < moonkid> so leave as is
03:00 <@krzee> !redirect
03:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
03:00 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
03:00 <@krzee> last link ^
03:00 <@krzee> and you probably dont need bypass-dhcp on your redirect-gateway
03:01 <@krzee> you need it if you keep getting your IP overwritten by dhcp… most dont need it
03:03 <@krzee> if you get stuck on the flowchart tell me where
03:03 < moonkid> ok, i’ll try the VPN again
03:03 <@krzee> http://pekster.sdf.org/misc/redirect.png
03:03 < moonkid> brb
03:03 <@krzee> i made that because the troubleshooting steps are always the same for a redirect setup, so it lets me be lazy
03:04 <@krzee> im in the habit of automating anything i do often (unless it involves females)
03:04 <@krzee> s/females/females or weed/
03:06 < moonkid> is ip forwarding enabled is where i get stuck
03:06 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has left #openvpn []
03:07 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
03:07 <@krzee> !linipforward
03:07 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
03:07 < moonkid> this is on the client system?
03:07 <@krzee> no
03:08 <@krzee> ip forwarding is needed any time that packets pass from one interface to another
03:08 <@krzee> like in tun0 and out eth0, for example.
03:09 <@krzee> youd need it on the client if you were sharing the client LAN to the vpn
03:09 <@krzee> since you are not, you do not.
03:12 < moonkid> ok, i tried iptables -I FORWARD -i tun+ -j ACCEPT
03:12 < moonkid> still no difference
03:12 < moonkid> do i need to restart the service
03:12 <@krzee> echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
03:12 <@krzee> (i assume you did that, since the bot said to...)
03:13 < moonkid> my sysctl.conf already had the setting net.ipv4.ip_forward = 1
03:13 <@krzee> cat /proc/sys/net/ipv4/ip_forward
03:13 <@krzee> whats the output?
03:13 < moonkid> at: /proc/sys/net/ipv4/ip_forward: No such file or directory
03:14 <@krzee> umm
03:14 <@krzee> in centos?
03:15 < moonkid> oh woops
03:15 <@krzee> whats the output?
03:16 < moonkid> 1
03:16 < moonkid> pinging 8.8.8.8 occurs from the client, correct?
03:16 <@krzee> yes
03:17 <@krzee> does it work?
03:18 -!- mattock_afk is now known as mattock
03:19 < moonkid> no such luck
03:19 <@krzee> show me iptables-save again
03:20 < moonkid> http://pastebin.com/hvip1qsZ
03:21 <@krzee> get rid of the forward REJECT rule
03:21 <@krzee> then try again
03:23 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Remote host closed the connection]
03:26 < moonkid> just so i don’t destroy anything ‘iptables -D -A FORWARD -j REJECT --reject-with icmp-host-prohibited’
03:27 <@krzee> or iptables-save > firewall
03:27 < mdoge> save the wall of fire
03:27 <@krzee> edit the file firewall, then iptables-restore < firewall
03:27 <@krzee> and while you're at it, remove all NAT rules except the first
03:27 <@krzee> then show me the file
03:28 -!- mattock is now known as mattock_afk
03:28 < moonkid> -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
03:28 < moonkid> keep that one?
03:28 <@krzee> !linnat
03:28 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
03:28 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
03:28 <@krzee> yep
03:28 <@krzee> keep that one
03:29 <@krzee> remove the other POSTROUTING rules
03:30 < moonkid> http://pastebin.com/b6KkVHDJ
03:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:31 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
03:32 <@krzee> you can also remove the repeating rules
03:32 <@krzee> -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
03:32 <@krzee> you only need that one time
03:32 <@krzee> then load it up
03:33 < moonkid> to pastebin?
03:33 <@krzee> then try pinging 8.8.8.8
03:33 <@krzee> iptables-restore < firewall
03:33 < moonkid> alright, brb
03:35 -!- moonkid_ [~josegarza@89.248.166.138] has joined #openvpn
03:35 < moonkid_> look at that
03:35 < moonkid_> it worked
03:35 < moonkid_> thanks dude
03:36 <@krzee> you're welcome
03:36 < moonkid_> can i tip you?
03:36 <@krzee> sure, if you like =]
03:36 <@krzee> !donate
03:36 <@vpnHelper> "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel. or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc. or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
03:36 -!- dazo_afk is now known as dazo
03:36 <@krzee> !karma
03:36 <@vpnHelper> "karma" is nick++ adds karma nick-- adds bad karma, as seen in !ircstats
03:37 < moonkid_> krzee++
03:38 < moonkid_> aw, openvpn doesn’t take bitcoin?
03:38 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 240 seconds]
03:38 -!- moonkid_ is now known as moonkid
03:38 <@krzee> damn, i do have some bitcoin but i dont manage my own wallet so i dont know how to send them to me :D
03:38 <@krzee> i have a guy in usa that manages my coins for me
03:39 < moonkid> do you have your public address?
03:39 <@krzee> nope
03:39 <@krzee> ive never been sent bitcoin i just had $ dropped to him and he picked them up for me
03:39 < moonkid> i see
03:39 <@krzee> i took them as an investment, like i do with precious metals
03:40 < moonkid> oh well, i’ll donate to openvpn soon then
03:40 <@krzee> just to be clear though, !donate doesnt go to openvpn
03:40 < moonkid> definitely an awesome investment if you got in at the right time
03:40 -!- mattock_afk is now known as mattock
03:41 < moonkid> got it
03:41 < moonkid> ok
03:41 <@krzee> hey ecrist do you have a bitcoin wallet bro?
03:41 < moonkid> i’ll paypal some cash to openvpn@secure-computing.net later
03:41 <@krzee> (hes prolly asleep but worth asking)
03:44 -!- moonkid_ [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
03:44 < moonkid_> what is it that motivates you to troubleshoot?
03:45 <@krzee> i care very much about peoples right to communicate without being snooped
03:45 < moonkid_> that’s awesome
03:45 <@krzee> thanks =]
03:45 < moonkid_> how’d you learn so much?
03:46 <@krzee> i actually run an encrypted darknet voip service too =]
03:46 -!- moonkid [~josegarza@89.248.166.138] has quit [Ping timeout: 272 seconds]
03:46 -!- moonkid_ is now known as moonkid
03:46 <@krzee> umm, i guess by reading manuals and playing around, and by doing.
03:46 < moonkid> how long did it take to you become the wizard that you are
03:46 < moonkid> ?
03:46 <@krzee> i been around IRC since the early 90s
03:47 < moonkid> wow
03:47 <@krzee> but i started with openvpn about 7 or 8 years ago
03:47 <@krzee> and helping people in here has been a fantastic source of learning
03:47 < moonkid> i’ve been toying with VPNs since january, but every single time i try to set one up, i run into some new roadblock
03:47 <@krzee> yep, thats how it works… then you knock down the road blocks and gain knowledge =]
03:48 <@krzee> then you find new road blocks… rinse and repeat
03:48 < moonkid> haha
03:48 <@krzee> then you get support on IRC… and then you give it
03:48 <@krzee> which also leads to gaining knowledge
03:49 < moonkid> so VPNs aren’t normally easy if you’re new to the whole scene?
03:49 <@krzee> not at all, its advanced networking so it requires strong knowledge of basic networking
03:49 < moonkid> oh lol
03:50 <@krzee> things like when to ip forward, how to route, firewalls, when to NAT, etc
03:50 < moonkid> can you point me to a good source for basic networking?
03:50 <@krzee> hmm its in here somewhere...
03:50 <@krzee> !101
03:50 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
03:50 <@krzee> thats not it...
03:50 <@krzee> 1sec
03:50 <@krzee> !factoids
03:50 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
03:52 < moonkid> alright, i’ll read through this
03:53 < moonkid> once again, thanks for the help
03:53 < moonkid> gonna go to bed
03:54 <@krzee> i didnt find it yet
03:54 < moonkid> oh
03:55 < moonkid> i thought it was the factoids thing
03:55 < moonkid> i can wait
03:55 < moonkid> for networking resources
03:55 < moonkid> because that stuff is basically black magic to me
03:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:55 <@krzee> somewhere in there we have a link for learning about networking
03:55 <@krzee> im not sure how good it is or isnt, but its been recommended
03:56 <@krzee> ohhh actually heres something else that is really good
03:56 <@krzee> !book
03:56 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
03:56 <@krzee> i helped proof-read that, so i read every page… a damn good book!
03:56 <@krzee> if you read it and do the excersizes, you will know a shit ton about openvpn
03:57 < moonkid> outstanding!
03:57 <@krzee> but i know theres a link for networking in there too
03:57 <@krzee> somewhere!
03:57 < moonkid> i’ll grab a copy of this
03:59 < moonkid> alright, gonaa head to bed.  thanks!
03:59 <@krzee> np, good night
03:59 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
03:59 <@krzee> !net101
03:59 <@vpnHelper> "net101" is http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example
04:14 <@krzee> HAH finally found it
04:14 <@krzee> !tcpip
04:14 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
04:14 <@krzee> lil late, but ya...
04:14 <@krzee> also i see other bot admins have been adding some good factoids in there! =]
04:26 < Reventlov> so i'm using openvpn (tap) to access the internet via my server. What could make curl -6 fail ? (using a classical routed configuration via ipconfig)
04:27 < Reventlov> (curl -6 google.com, for example, on one of the clients)
04:43 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
04:44 < TyrfingMjolnir> I installed OpenVPN Connect on Note3 w/android
04:44 < TyrfingMjolnir> My ovpn files are not read
04:44 < TyrfingMjolnir> Yet the same ovpn file works in openvpn command line client on linux and tunnelblick on mac
04:49 -!- mattock is now known as mattock_afk
04:50 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Ping timeout: 250 seconds]
05:03 < Reventlov> My server configuration: http://sprunge.us/hRBZ, my client configuration: http://sprunge.us/cIgU
05:05 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
05:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
05:20 -!- mattock_afk is now known as mattock
05:20 < TyrfingMjolnir> Step 3 never occurs for me: http://accc.uic.edu/answer/how-do-i-configure-and-use-openvpn-android
05:20 <@vpnHelper> Title: How do I configure and use OpenVPN with Android? | Academic Computing and Communications Center (at accc.uic.edu)
05:31 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:34 -!- Aralucc10 [~Aralucc10@151.77.184.126] has joined #openvpn
05:34 < Aralucc10> hi,
05:34 < Aralucc10> sorry... can anyone show me a tyutorial about redirect all my traffict through a VPS server?
05:35 < Aralucc10> I tried the official one b (redirect def1 command) but didnt work
05:37 < Aralucc10> there are many aroung and each one says different things (puth a push command into ccd file or put the redirect onto client config ) so im not sure what to do
05:40 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
05:44 < TyrfingMjolnir> Aralucc10: What would you like to achieve?
05:44 < TyrfingMjolnir> Do you want all your traffic to go through the VPN connection you are connected to?
05:45 < Aralucc10> I wish all my traffic to pass through the VON...so I can show a different IP and services like netflix can work even if Im georestricted.
05:45 < Aralucc10> btw it seems it worked... it was a iptables problem
05:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:45 < Aralucc10> AND ipfforwarding krnel problem
05:46 < Aralucc10> (basically I missed much config :) )
05:46 < Aralucc10> now it works and my home pc shows vps ip
05:46 < Aralucc10> so I guess it worked
05:46 < TyrfingMjolnir> I only use OpenVPN as a replacement for ssh LocalForward
05:47 < Aralucc10> im complete noob ...so basically use the same exact config since 2009
05:47 < TyrfingMjolnir> I believe you would like to direct certain services through VPN and others outside
05:47 -!- AndrzejL [~AndrzejL@unaffiliated/andrzejl] has left #openvpn []
05:47 < Aralucc10> oh
05:47 < Aralucc10> probably youre right
05:47 < Aralucc10> but not sure how
05:48 < Aralucc10> I tried to use dnsmasq
05:48 < Aralucc10> but it just change dns
05:48 < TyrfingMjolnir> routing of some sort
05:49 < Aralucc10> im not expert enoigh... btw I can use this working configuration as a starting point and tune it
05:50 < Aralucc10> you think I can save this rule on the server so that it resists reboot?iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
05:51 < Aralucc10> does it break anything (sorry for stupid question)
06:36 < TyrfingMjolnir> ask on #netfilter
07:09 < Aralucc10> thanks
07:18 -!- pringlescan [~Adium@8.39.115.8] has joined #openvpn
07:22 -!- pringlescan [~Adium@8.39.115.8] has left #openvpn []
07:22 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 260 seconds]
07:25 -!- Aralucc10 [~Aralucc10@151.77.184.126] has quit []
07:27 <@ecrist> krzee: no bitcoin
08:10 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 255 seconds]
08:16 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 255 seconds]
08:22 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
08:29 -!- rudivd_ [~rudivd@2001:980:74d0:f000::1000] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:29 -!- drawesome [~awesome@unaffiliated/drawesome] has quit [Quit: Leaving]
08:30 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:04 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
09:08 -!- darkdrgn2k [~darkdrgn2@209.90.253.66] has joined #openvpn
09:09 < darkdrgn2k> would here be a problem using POLARISSL on a client but openssl on theserver?
09:16 <@dazo> darkdrgn2k: that should normally work fine
09:16 < darkdrgn2k> i get it to connect
09:16 < darkdrgn2k> i see client sending packets
09:16 < darkdrgn2k> and i see server sending packets
09:16 <@dazo> !logs
09:16 < darkdrgn2k> but nothing is recieved on either end!
09:16 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:17 < darkdrgn2k> no errors in the logs!
09:17 -!- zeroNones [~textual@187.204.162.95] has joined #openvpn
09:17 <@dazo> darkdrgn2k: it doesn't need to be errors in the logs to not work ... but that said, sounds like firewalling or routing issue
09:17 <@dazo> !flowchart
09:18 < darkdrgn2k> ip did iptables -F
09:18 < darkdrgn2k> and checked routing..
09:18 < darkdrgn2k> all seem good
09:18 <@dazo> http://pekster.sdf.org/misc/serverlan.png
09:18 < darkdrgn2k> and i cant ping the openvpn internet ip from either end
09:18 < darkdrgn2k> sorry internal
09:18 < darkdrgn2k> not internet..
09:19 <@dazo> again, then I need to see logfiles with verb 4
09:19 < darkdrgn2k> and again interace shows NO RX on the tun internface
09:25 < darkdrgn2k> ok client -> http://pastebin.com/BGXkvZRq
09:25 <@dazo> darkdrgn2k: that doesn't look like verb 4
09:26 < darkdrgn2k> "verb 4
09:26 < darkdrgn2k> " is in the config..
09:26 <@dazo> its not the complete config from openvpn started then
09:26 < darkdrgn2k> thatsa my config file http://pastebin.com/vaRJN77N
09:26 < darkdrgn2k> ps show s/usr/sbin/openvpn --syslog openvpn(FreePBX) --cd /var/etc --config openvpn-FreePBX.conf
09:27 < darkdrgn2k> file i posted was openvpn-FreePBX.conf
09:27 < darkdrgn2k> located in /var/etc/
09:27 <@dazo> okay, lets see server side then
09:28 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 250 seconds]
09:29 <@dazo> (btw, completely side track, --float in client config is probably something you don't want.  You most likely just want it on the server, to allow clients to change IP)
09:29 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
09:29 < darkdrgn2k> http://pastebin.com/0vuYA5tz
09:31 <@dazo> your server side seems to be running an older openvpn version
09:31 < darkdrgn2k> centos stock....
09:31 < darkdrgn2k> wow.. OpenVPN 2.0.9 i686-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 12 2010
09:32 <@dazo> that might be your first problem ... OpenVPN in EPEL is newer, I'd recommend to use that one instead
09:33 < darkdrgn2k> bahh i never remember how to install epel
09:33 <@dazo> darkdrgn2k: https://fedoraproject.org/wiki/EPEL
09:33 <@vpnHelper> Title: EPEL - FedoraProject (at fedoraproject.org)
09:34 < darkdrgn2k> i know
09:34 < darkdrgn2k>  i always have to pull tha tup
09:34 < darkdrgn2k> ...updating
09:35 <@dazo> (one of the reasons I like ScientificLinux ... yum install yum-conf-epel  )
09:35 < darkdrgn2k> i shoudl look into that
09:35 < darkdrgn2k> centos is alwyas to old
09:35 < darkdrgn2k> i HATE the path fedora took asp with there SYTEM V
09:35 < darkdrgn2k> and i just dont like ubuntu
09:36 < darkdrgn2k> ..even though tmy first ditro was DEBIAN off 1.44 floppies on my 486!
09:37 < darkdrgn2k> dam no joy
09:37 < darkdrgn2k> hmm
09:37 < darkdrgn2k> barrons/209.90.253.66:12781 IP packet with unknown IP version=15 seen
09:38 <@dazo> darkdrgn2k: if you're still running centos 5, you're on an old centos
09:38 < darkdrgn2k> 6
09:38 <@dazo> but that's the nature of enterprise linux distros
09:38 <@dazo> woot!? 2.0.9 in el6 ...
09:39 < darkdrgn2k> with epl  its OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
09:39 <@dazo> that's good
09:39 < darkdrgn2k> so why am i flooded with barrons/209.90.253.66:12781 IP packet with unknown IP version=15 seen now?
09:40 <@dazo> which version is on the client side?
09:40 < darkdrgn2k> OpenVPN 2.3.4 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 19 2014
09:40 < darkdrgn2k> library versions: PolarSSL 1.3.8, LZO 2.08
09:41 < darkdrgn2k> and pings still dont work
09:41 <@dazo> then there are some config issues ... which is why you have see those unknown IP version messages
09:41 <@dazo> (openvpn 2.0 could easily hide such errors)
09:41 < darkdrgn2k> ....dam thing worked before..
09:42 < darkdrgn2k> just upgraded os on the router
09:42 < darkdrgn2k> ACtualL SWICHED routeres.. and had to use polarissl to fit it in the firmware
09:42 < darkdrgn2k> so no lfloat...
09:42 <@dazo> and using 2.0.9 on the server side would be a security issue ... not maintained since 2006
09:44 -!- Popsikle [~popsikle@209.133.84.147] has joined #openvpn
09:44 < darkdrgn2k> conig is not complicated..
09:45 < darkdrgn2k> here is server config: http://pastebin.com/aCwUnkhH
09:46 <@dazo> try running the client with --mtu-test
09:47 < darkdrgn2k> %^#$^
09:47 < darkdrgn2k> comp-lzo no
09:47  * darkdrgn2k bangs head against the wall!!!
09:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
09:47 <@dazo> that is an issue
09:47 < darkdrgn2k> its for voip traffic so i dont compress..
09:47 < darkdrgn2k> should compress
09:48 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:48 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:54 -!- zeroNones [~textual@187.204.162.95] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
09:55 -!- darkdrgn2k [~darkdrgn2@209.90.253.66] has quit [Ping timeout: 264 seconds]
10:14 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
10:16 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 255 seconds]
10:17 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
10:25 -!- Popsikle [~popsikle@209.133.84.147] has quit []
10:27 -!- Popsikle [~popsikle@209.133.84.147] has joined #openvpn
10:32 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 272 seconds]
10:37 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:40 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
10:41 -!- Popsikle [~popsikle@209.133.84.147] has quit []
10:52 -!- nullsign [~nullsign@tyrion.nullsign.com] has joined #openvpn
10:53 -!- nullsign [~nullsign@tyrion.nullsign.com] has left #openvpn []
11:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:33 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit []
11:34 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
11:41 -!- Envil [~meep@95.211.26.40] has joined #openvpn
11:47 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit [Ping timeout: 250 seconds]
12:04 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
13:03 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
13:05 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
13:08 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
13:10 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
13:11 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
13:11 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Ping timeout: 240 seconds]
13:11 -!- moonkid [~josegarza@89.248.166.138] has quit [Client Quit]
13:13 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
13:21 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
13:22 < moonkid> !goal
13:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:22 < moonkid> !vpnHelper
13:26 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
13:28 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
13:29 <@krzee> !learn vpnHelper as [bot]
13:29 <@vpnHelper> Joo got it.
13:30 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:57 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:04 -!- dazo is now known as dazo_afk
14:10 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
14:12 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:15 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has joined #openvpn
14:18 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:24 < funky1> hi there, was hoping someone can help me i got a raspbian working and installed/configured openvpn, following this guide:                  http://www.sans.org/reading-room/whitepapers/hsoffice/soho-remote-access-vpn-easy-pie-raspberry-pi-34427 I can connect to the openvpn server but i don't have                  any internet connection or lan on the client, i think maybe something wrong with my iptables, could someone have a look? http://pastebin.
14:26 <@krzee> a) i will not be reading the walkthrough
14:26 <@krzee> b) your pastebin got cut off
14:26 <@krzee> c)
14:26 <@krzee> !goal
14:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:27 <@krzee> funky1, ^^
14:33 < funky1> ok, thanks krzee, my goal is a secure connection that i can access from a client that connects e.g. wifi pulic lan to my vpn server and will let me browse the internet, also I would like to access the lan behind the server
14:33 -!- Geriatrix [~kvirc@mail.vancouveronthenet.com] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
14:33 < funky1> my pastebin ends with my iptables rules
14:33 <@krzee> ok, so we will do the internet redirection first
14:33 <@krzee> yes, but if you read what got sent to IRC you'll see it got cut off
14:33 <@krzee>  http://pastebin.   is what made it
14:34 < funky1> ah ok sorry I misunderstood
14:34 < funky1> http://pastebin.com/txvEQw8S
14:34 <@krzee> pastebin: iptables-save
14:34 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
14:35 <@krzee> also, read --server in the manual to see why you dont use --ifconfig with it
14:35 <@krzee> once you know what --server expands to it will be obvious to ya
14:35 <@krzee> push "route 10.8.0.1 255.255.255.255"
14:35 <@krzee> push "route 10.8.0.0 255.255.255.0"
14:36 <@krzee> ummm, does that make sense to you? ^
14:36 < funky1> iptables-save returns nothing
14:36 <@krzee> this is why i hate walkthroughs from google
14:36 <@krzee> !walkthrough
14:36 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
14:36 < funky1> lol
14:36 < funky1> ok
14:36 < funky1> thanks
14:36 <@krzee> is your server and client on the same lan?
14:36 < funky1> no
14:36 <@krzee> "redirect-gateway local def1"
14:36 <@krzee> !local
14:36 <@vpnHelper> "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
14:36 <@krzee> you really need the manual man
14:37 <@krzee> please read the manual for EVERY option in your config
14:37 <@krzee> once you understand it, and fix it, send it again
14:37 < funky1> ok, will do, thank you krzee
14:37 <@krzee> no problem
14:37 < funky1> !man
14:37 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:45 < moonkid> !howto
14:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:59 -!- Aralucc10 [~Aralucc10@151.77.184.126] has joined #openvpn
15:05 < Aralucc10> hi, can anyone help? i've been able to redirect all my traffic to my vps ip... I just cant filter selective ips/dns to bypass vps this is my server conf http://pastebin.com/FsmwR5yh
15:05 < Aralucc10> basically I followed a tutorial saying I have to use allow-pull-fqdn / route www.whatismyip.it 255.255.255.255 net_gateway
15:06 < Aralucc10> but doesnt work
15:06 <@krzee> no
15:06 < Poster> try by IP address, not sure the daemon supports DNS based lookups
15:06 <@krzee> your tutorial was wrong
15:06 <@krzee> net_gateway was right though
15:06 < Aralucc10> yest I tried with ip too
15:06 < Aralucc10> its just ignored
15:07 <@krzee> your technique is right, just no hostnames to the route command
15:07 <@krzee> show me your configs like this:
15:07 <@krzee> !configs
15:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:07 < Aralucc10> ok
15:08 < Aralucc10> http://pastebin.com/c5F4SyW2 this is my client (windows 7)
15:09 < Aralucc10> http://pastebin.com/NA8btRMZ this is my ccd file
15:09 <@krzee> i dont see any net_gateway routes in there
15:09 <@krzee> they are being pushed from server?
15:10 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Quit: Who is this General Failure and why is he reading my hard drive?]
15:10 < Aralucc10> route whatismyip.it 255.255.255.255 net_gateway isnt this enough?
15:11 < Aralucc10> maybe its commented but its because it didnt work it was acrive
15:11 <@krzee> first of all, you cannot use hostnames to the route command (like i said), second of all that does not exist in the config you sent… still waiting on server config tho
15:12 < Aralucc10> allow-pull-fqdn
15:12 < Aralucc10> route www.whatismyip.it 255.255.255.255 net_gateway
15:12 < Aralucc10> its in the server file
15:13 <@krzee> well there you go, that adds the route to the SERVER then
15:13 < Aralucc10> I tried with ip too
15:13 <@krzee> either push it to the client or put it in the client config
15:13 < Aralucc10> I wan it to be valid for all clients
15:13 <@krzee> !push
15:13 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
15:14 < Aralucc10> im pretty sure i tried that too... btw I retry
15:14 <@krzee> and ya i see allow-pull-fqdn now
15:14 <@krzee> you plan on ever posting the server config...?
15:14 < Aralucc10> i posted them all wait
15:14 <@krzee> maybe to the web, not to irc.
15:14 < Aralucc10> http://pastebin.com/FsmwR5yh server file
15:15 < Aralucc10> <Aralucc10> http://pastebin.com/c5F4SyW2 this is my client (windows 7)
15:15 < Aralucc10> <Aralucc10> http://pastebin.com/NA8btRMZ this is my ccd file
15:15 <@krzee> right, that was all.
15:15 <@krzee> push "route www.whatismyip.it 255.255.255.255 net_gateway"
15:15 < Aralucc10> allow-pull-fqdn must be pushed too?
15:16 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 250 seconds]
15:17 <@krzee> lets check
15:17 <@krzee> !man
15:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
15:18 <@krzee> it probably goes in the client config, im not sure
15:18 <@krzee> i wonder what happens when the hostname resolves to multiple IPs
15:19 -!- moonkid [~josegarza@172.56.14.90] has joined #openvpn
15:19 < Aralucc10> I read it gets the forst one
15:19 < Aralucc10> first
15:19 <@ecrist> they are returned in random order
15:20 <@ecrist> it's called DNS round-robin
15:20 < Aralucc10> oh
15:20 < Aralucc10> so I guess it will almost neve work?
15:21 <@krzee> no idea, i route with IPs
15:21 <@krzee> i dont require dns for my routing, lol
15:21 <@ecrist> you shouldn't use DNS for routing
15:21 <@krzee> right, i only told him that like 5 times now
15:21 < Aralucc10> ahhh putting the allow-pull-fqdn on client worked... basically the diretive is a client
15:21 <@krzee> well at first i thought you couldnt, but i guess openvpn does have an option
15:21 < Aralucc10> I tried to use it on server
15:22 < Aralucc10> yes but... for example if I want to redirect www.netflix.com
15:22 < Aralucc10> how do I do?
15:23 <@krzee> check what the IPs are, add routes for the ips (or subnet if they fall into 1 subnet)
15:23 < Aralucc10> unfortunately netflix is much aggressiv in renew ips
15:23 < Aralucc10> they do worldwide load balancing
15:23 < Aralucc10> using external server
15:23 < Aralucc10> servers
15:23 -!- moonkid [~josegarza@172.56.14.90] has quit [Ping timeout: 260 seconds]
15:24 <@krzee> well, did openvpn add a route for every IP it resolves to?
15:24 < Aralucc10> no idea, today its the first time I tried
15:24 <@krzee> well, check.
15:24 <@krzee> o.O
15:25 < Aralucc10> (im sorry but im noob... you mean chect the routing tables?)
15:26 <@ecrist> Aralucc10: you're best off redirecting gateway
15:26 <@ecrist> !def1
15:26 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:26  * ecrist poofs
15:26 <@krzee> ecrist, he is, this is for overriding it
15:26 <@krzee> with net_gateway
15:26 < Aralucc10> https://forums.openvpn.net/topic8853.html
15:26 <@vpnHelper> Title: OpenVPN Support Forum Configuration: route specific traffic over Openvpn : Configuration (at forums.openvpn.net)
15:26 < Aralucc10> this ois the totorial
15:26 < Aralucc10> yes I redirect...I just need to provide exceptions
15:26 <@krzee> well jjk knows his shit
15:27 <@krzee> hell, he wrote the book on it!
15:27 <@krzee> he says it only adds the first returned IP
15:27 < Aralucc10> yes
15:27 <@krzee> so for your netflix thing, you're screwed… you need to add the IPs
15:27 < Aralucc10> so its not much use maybe?
15:27 <@krzee> you could write a script to do it for ALL if you want to...
15:27 < Aralucc10> ahah
15:27 < Aralucc10> yeah..I guess so
15:27 < Aralucc10> hmm
15:28 <@krzee> then toss the script in the client's --up, or MAYBE it can be pushed in --client-connect on the server, i dunno
15:28 < Aralucc10> can you advice a starting point...a tutorial maube?
15:28 <@krzee> actually yes, it could
15:28 <@krzee> !client-connect
15:28 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
15:28 < Aralucc10> :) thanks
15:28 <@krzee> resolve the hostname, for every ip it returns push a route
15:29 < Aralucc10> I see
15:29 < Aralucc10> never done enything like that but I can try
15:29 <@krzee> thats how ild hack it up
15:29 <@krzee> ya if you arent a scripter i dunno what to tell you
15:29 < Aralucc10> ok ill try... thanks a lot for your help
15:29 < Aralucc10> im not :D
15:29 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:30 < Aralucc10> btw the push dns worked so I can start from there
15:30 <@krzee> you want stuff that is non-standard so you gotta code it up, luckily openvpn comes with hooks for it… but you do have to make the scripts yourself
15:30 <@krzee> sure, but it will only work well for hostnames with 1 ip
15:30 < Aralucc10> yes I see
15:30 <@krzee> not for your netflix example.
15:30 < Aralucc10> btw its already a good pont I can workaroudn the dns
15:30 < Aralucc10> yes
15:31 < Aralucc10> Ill try
15:34 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 246 seconds]
15:34 <@krzee> while read ip; do echo "push \"route $ip 255.255.255.255 net_gateway\"" >>$1 ;done < <(host google.com|awk '/has address/{print $4}')
15:34 <@krzee> change google.com to your hostname
15:34 <@krzee> you're welcome :-p
15:34 <@krzee> start the file with a proper shbang, and give the script +x permissions
15:34 < Aralucc10> ahhh thanks a lot
15:35 <@krzee> it assumes your host command gives output like:  google.com has address 74.125.130.139
15:35 <@krzee> also assumes you dont need ipv6 ips
15:35 < Aralucc10> well I dont... actually
15:35 <@krzee> and you may need full paths to executables in it
15:36 <@krzee> (like the host command)
15:36 < Aralucc10> well.. its basically for straming video
15:36 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
15:36 <@krzee> that doesnt matter
15:36 < Aralucc10> In nitaly hulu and netflix are georestricted
15:36 <@krzee> its routing, what goes over it doesnt matter
15:36 < Aralucc10> even if you pay a subscription
15:36 < Aralucc10> ok
15:36 < moonkid> ok, so i’m trying to include multiple machines on the client side.  what name will the clients take on?  the name of the certificate or their hostname?
15:37 <@krzee> certificate common-name
15:37 < Aralucc10> I try now
15:37 <@krzee> hostname is irrelevant
15:37 <@krzee> moonkid, 1 sec… you trying to include the clients lan, or multiple clients in different places?
15:38 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
15:40 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
15:41 < Aralucc10> sorry for the noob question... I need a script also to remove the pushes when I stop the openvpn?
15:42 < Aralucc10> probably I can ignore that or I need to clean?
15:42 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
15:43 <@krzee> ignore
15:43 < Aralucc10> ok, thanks
15:43 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
15:44 <@krzee> moonkid, you trying to include the clients lan, or multiple clients in different places?
15:45 <@krzee> clients will be known by their CN in their cert, which is why each must be unique
15:45 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
15:46  * krzee kicks moonkid's connection
15:47 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
15:47 <@krzee> moonkid, clients will be known by their CN in their cert, which is why each must be unique
15:48 <@krzee> hostname is irrelevant
15:48 <@krzee> talk in here instead of msg, others might benefit from your questions
15:48 -!- moonkid [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
15:48 <@krzee> omfg
15:51 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
15:52 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:52 < moonkid> !man
15:52 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
15:52 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
15:53 <@krzee> [13:47]  <krzee> moonkid, clients will be known by their CN in their cert, which is why each must be unique
15:53 <@krzee> [13:48]  <krzee> hostname is irrelevant
15:53 <@krzee> [13:48]  <krzee> talk in here instead of msg, others might benefit from your questions
15:54 <@krzee> moonkid, fix your connection lol
15:54 <@krzee> every time i respond you are gone
15:55 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
15:55 < moonkid> the CN is the cert file name?
15:56 < moonkid> or is it a parameter in the file?
15:56 < ender`> no, it's Common Name
15:56 <@krzee> when you made the cert it asked for a commonname
15:56 <@krzee> whatever you put there.
15:56 <@krzee> !certinfo
15:56 <@vpnHelper> "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
15:56 <@plaisthos> Olivier: openssl x509 -in cert.pem -noout -text
15:56 <@krzee> if you dunno, check with that ^
15:56 < moonkid> oh, that thing i pressed i ignored and just pressed enter through?
15:57 <@krzee> o.O easy-rsa lets a null CN pass through!?
15:57 < moonkid> lemme check
15:57 <@plaisthos> krzee: seems like it :)
15:57 <@krzee> haha
15:57 <@krzee> hopefully thats just easy-rsa2
15:57 <@krzee> !easy-rsa
15:57 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
15:57 <@krzee> i would make with that if i were to use easy-rsa ^^
15:58 <@krzee> easy-rsa3 =]
15:58 <@krzee> of course i dont use easy-rsa… so ya
16:03 <@krzee> !krzee
16:03 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
16:05 <@Eugene> To be fair, if I was on a teleconference with/about freeswitch I'd need a bonghit too
16:06 <@krzee> hahah
16:06 <@krzee> well i was invited to talk about my darknet voip company
16:06 <@krzee> they like hearing different ways their software is used, and mines a bit different...
16:06 <@Eugene> Meanwhile, I'm dealing with Asterisk bullshit for $DAYJOB
16:06 <@krzee> i think ecrist was in a conference soon after me… i recommended him for it
16:07 <@krzee> oh god, sorry about your luck
16:07 <@krzee> couldnt get them on freeswitch?
16:07 <@Eugene> We're trying to get them to move to a hosted PBX, so we dont' have to deal with it at all
16:07 <@Eugene> This shit was put in by my predecessor
16:08 <@Eugene> Along with PPTP. And so many conflicting RFC1918s. And ugh.
16:08 <@Eugene> They don't pay me enough money for this job, but I work 100% from home and there's health insurance.
16:08 <@krzee> lol
16:08 <@krzee> well 100% from home is real strong
16:08 <@krzee> now you just gotta move to the 3rd world and you'll be a fucking baller
16:09 <@Eugene> Vashon, WA ain't far off
16:09 <@krzee> lol
16:09 <@krzee> well and weed is legal there...
16:09 <@krzee> so ya… why not stay there i guess
16:09 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:10 <@Eugene> THe recereational stores have only started to open
16:10 <@krzee> screw a store, its just nice that the cops wont be harassing
16:10 <@krzee> only way id need a store is if it were me opening one
16:10 <@Eugene> Yeah, basically
16:26 < pekster> krzee: I think the only X.509 requirement is that the DN be unique, not enforce the length of your strings :P
16:27 <@krzee> i wonder how openvpn likes null certs
16:27 <@krzee> also wonder what the ccd file would look like
16:27 <@krzee> haha
16:28 < pekster> Someone might be using the --x509-username-field option too
16:28 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:28 < pekster> No requirement you even need to have a CN in your DN
16:28 < pekster> But yea, that'd be a _very_ silly use-case
16:32 < pekster> fwiw, the DN isn't null. Just the CN field, making the full DN: 'CN='
16:33 < pekster> Take that, Anonymous!
16:36 <@krzee> lol
16:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
16:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:02 -!- nestea [~quassel@chello084115136002.3.graz.surfer.at] has joined #openvpn
17:15 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
17:17 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
17:36 < nestea> Hello, I have an issue with openvpn. I can connect to server but internet (ping) doesnt work. I have no firewall.
17:36 < nestea> Can somebody have a quick look at my logfiles and configs if there is something wrong, please?
17:36 < nestea> Especially the routing.
17:36 < nestea> http://pastebin.com/WfLbGini
17:36 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
17:37 < nestea> I have tried forever and cant get it to work. hope somebody finds time
17:37 < pekster> !goal
17:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:39 < nestea> !goal
17:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:39 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit [Client Quit]
17:40 < nestea> sry,  I would like to access the internet over my vpn, i have a bought vpn server service, to which i have no access. they use openvpn
17:40 < nestea> i mean i have no access to server via ssh or something
17:41 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has joined #openvpn
17:42 < pekster> Then you'll be largely unable to troubleshoot issues without access to their configs. The routes look fine for a net30 topology setup, but you'd need access to the server to do more than verify packets egress the tun device
17:42 < pekster> The procedure for redirection is here, but again, it's pretty worthelss if you don't own both ends:
17:43 < pekster> !redirect
17:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:43 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:44 < pekster> maybe tcpdump the tun0 device as you ping something on the web to get clues. Ping by IP in the event your DNS server isn't accessible (or just use googleDNS that should work anywhere)
17:45 < nestea> ok thank you i will try!
17:46 < nestea> maybe the dns is the problem, because it's the one of my isp
17:46 < pekster> That's why you typically start by pinging a known IP rather than DNS when doing network troubleshooting to rule that out (or identify it as the cause, as the case may be)
17:47 < nestea> yeah, i pinged google, it doesnt work with vpn
17:48 < pekster> Better would be pinging 8.8.8.8, not google's CDN IPs
17:49 < pekster> If that doesn't work and you see egress on the tun device but no return, you can't solve this without server access
17:50 < nestea> ok
17:50 < nestea> i will try that
17:57 < nestea> pekster: i have some news!! this was a very good tip, with my old dns (from isp) i COULD ping 8.8.8.8 but still not www.google.com. Then I changed my nameservice to 8.8.8.8 and now i can ping www.google.com!!
18:05 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
18:13 -!- Denial [~Denial@host86-139-89-191.range86-139.btcentralplus.com] has quit [Ping timeout: 260 seconds]
18:14 -!- nestea [~quassel@chello084115136002.3.graz.surfer.at] has quit [Ping timeout: 245 seconds]
18:15 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
18:16 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:18 -!- mwargh [~sistemshi@unaffiliated/mwargh] has quit [Ping timeout: 255 seconds]
18:19 -!- nestea [~quassel@chello084115136002.3.graz.surfer.at] has joined #openvpn
18:24 -!- nestea [~quassel@chello084115136002.3.graz.surfer.at] has quit [Ping timeout: 246 seconds]
18:28 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
18:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
18:43 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
19:04 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
19:09 < zoidberg-> Hi all, i am having a problem with my openvpn client/server, here is the log from the client and server: http://codepad.org/wnNWPRRT - initially i thought it might be a fireall issue, but i have checked everything on the client and the server and it doesn't appear to be that, logging is turned up but it doesn't really help me know what the problem is, can anyone spot the problem here?
19:09 <@vpnHelper> Title: Plain Text code - 47 lines - codepad (at codepad.org)
19:20 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
19:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:44 <@krzee> zoidberg-,
19:44 <@krzee> !goal
19:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:45 <@krzee> oh i see, its not connecting
19:45 <@krzee> are you the same guy i was helping the other day?
19:46 <@krzee> turn logging up to verb 5 on the client
19:51 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:27 <@ecrist> what did I do?
20:27 <@ecrist> yes, I did a short talk on faxing for freeswitch with lib_pri and dahdi
20:29 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
20:33 <@krzee> nice
20:33 <@krzee> i might have to give it a listen sometime
21:05 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Max SendQ exceeded]
21:06 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
21:36 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
21:55 -!- Irssi: #openvpn: Total of 168 nicks [9 ops, 0 halfops, 2 voices, 157 normal]
21:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
22:06 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:25 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:39 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Remote host closed the connection]
22:41 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
22:42 -!- moonkid_ [~josegarza@89.248.166.138] has joined #openvpn
22:43 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
22:43 -!- moonkid_ [~josegarza@89.248.166.138] has quit [Read error: Connection reset by peer]
22:45 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
23:12 -!- Latrina [~Latrina@ppp-50-41.26-151.libero.it] has quit [Ping timeout: 260 seconds]
23:15 -!- Latrina [~Latrina@ppp-202-37.26-151.libero.it] has joined #openvpn
23:17 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:19 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
23:23 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:27 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:33 -!- moonkid [~josegarza@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 250 seconds]
23:53 -!- ShadniX [dagger@p5DDFDC6A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:54 -!- ShadniX [dagger@p5DDFC13D.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Aug 23 2014
00:09 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
00:16 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:29 -!- zeroNones [~textual@187.204.162.95] has joined #openvpn
00:39 -!- zeroNones [~textual@187.204.162.95] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
01:34 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
01:41 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:05 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
02:10 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:58 -!- Aralucc10 [~Aralucc10@151.77.184.126] has quit [Ping timeout: 250 seconds]
03:15 -!- gallatin [~gallatin@dslb-178-009-103-052.178.009.pools.vodafone-ip.de] has joined #openvpn
03:26 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Remote host closed the connection]
03:48 < zoidberg-> Hello all, I have a strange problem with my VPN server, the clients can't connect for some reason i get a very generic TLS error: http://codepad.org/5DdIh35E <-- has the logs/config files can anyone see what the problem is ?
03:49 <@vpnHelper> Title: Plain Text code - 415 lines - codepad (at codepad.org)
03:56 < zoidberg-> I have regenerated all certs/keys, checked firewall, i've no idea why its giving me this error :(
03:57 <@syzzer> this usually is a connection issue
03:57 <@syzzer> just to rule things out, start with disabling tls-auth
03:57 < zoidberg-> ok cool
03:58 < zoidberg-> let me give that a whirl two seconds
03:58 <@syzzer> (also, unrelated, but why DES-ESE3-CBC? that's a bit outdated)
04:00 < zoidberg-> disabled tls-auth (comment out that line) same thing happens
04:00 < zoidberg-> syzzer: i need to change it to something more secure but not gotten around to it
04:00 < zoidberg-> just trying to get the connection working first before i secure it
04:01 <@syzzer> ok, just making sure you're not assuming it's a good choice ;)
04:01 < zoidberg-> :)
04:02 < zoidberg-> ok so i get the exact same error when tls-auth is commented out
04:02 <@syzzer> is your client connecting from a network outside of the server lan?
04:02 < zoidberg-> well the client is connecting from the internet into my home lan
04:03 < zoidberg-> im dowing fort forwarding on my lan router, to the server in question running openvpn
04:03 <@syzzer> it looks like a routing/firewalling issue where the replies from the server don't reach your client
04:04 < zoidberg-> hmm, thats bizarre because the only iptables rules i have on the server shouldn't affect this - and i'm allowing 1194
04:04 <@syzzer> disclaimer: I'm not really a networking expert - so let's see of how much help I can be
04:05 < zoidberg-> hehe no worries, nor me - far from it.
04:05 <@syzzer> using a router as NAT box?
04:05 < zoidberg-> http://codepad.org/R9bMZLQW
04:05 <@vpnHelper> Title: Ruby code - 31 lines - codepad (at codepad.org)
04:05 < zoidberg-> thats my iptables, syzzer unfortunatley a little more complicated than that. let me explain
04:05 < zoidberg-> internet -> bt home hub router -> raspberry pi -> links sys router -> clients <-- thats my homenetwork
04:05 < zoidberg-> the raspberry pi is the gateway/router/vpnserver
04:06 < zoidberg-> on the bt home hub i have port forwarding to the rpi for the vpn
04:06 < zoidberg-> and then on the raspberry pi i have the iptabels rules i showed you earleir
04:06 < zoidberg-> *earlier
04:06 < zoidberg-> internet/bthomehub/external interface of pi is 172.16.0.0 network, the lan side of the pi is 192.168.1.x netowrk
04:07 < zoidberg-> does that make it any clearer?
04:07 <@syzzer> yeah, got it
04:07 < zoidberg-> cool :)
04:09 <@syzzer> don't see anything weird there; try switching to tcp for a moment - some routers don't handle udp nat very well
04:09 < zoidberg-> can i say what i find really odd about this is the traffic (or client traffic) hist my vpnserver (so its doesn't seem to be an firewall issue) maybe like you say on the outgoing im not allowing it out, but i dont have any default rules (like default block) so that shouldn't happen
04:09 < zoidberg-> sure let em try that
04:11 < zoidberg-> gott achange the portforward
04:11 <@syzzer> just add one extra for tcp :O)
04:13 < zoidberg-> yep, just added that, changing server/client now
04:15 < zoidberg-> hrm dude i've just noticed something i dont have a port set int he client
04:15 <@syzzer> should not be a problem
04:16 < zoidberg-> whoops forgot the iptables rules
04:16 < zoidberg-> let me change that quick too
04:17 <@syzzer> you have 'nobind' in your client conf, which means it lets the OS choose an available UDP port
04:18 < zoidberg-> Sat Aug 23 10:17:47 2014 us=453498 TCP: connect to [AF_INET]81.153.41.36:65535 failed, will try again in 5 seconds: Connection timed out
04:18 < zoidberg-> im getting that on the client this is bizarre
04:18 < zoidberg-> i have portforwarding on the bt home hub
04:18 < zoidberg-> i added these two rules on the pi
04:18 < zoidberg-> /sbin/iptables -A INPUT -p tcp --dport 65535 -j ACCEPT
04:18 < zoidberg-> /sbin/iptables -A INPUT -i eth1 -p tcp --dport 65535 -j ACCEPT
04:18 < zoidberg-> eth1 is the interface connecting raspberry pi to bt home hub
04:19 <@syzzer> so now it's the tcp connection that fails, before openvpn connects - another hint the problem is in the networking
04:19 < zoidberg-> yep
04:19 < zoidberg-> ok but where abouts in the networking i can't see to see where it is failing
04:19 < zoidberg-> it has to be the raspberry pi firewall
04:20 < zoidberg-> but if i dont have default rules it shoudl just allow and if i have a rule allowing incomming on the port and interface
04:20 < zoidberg-> hmm
04:20 < zoidberg-> http://codepad.org/PlphUP8v
04:20 <@vpnHelper> Title: Plain Text code - 32 lines - codepad (at codepad.org)
04:21 < zoidberg-> check that out, its netstat -tuna output on the vpn
04:21 < zoidberg-> you can see the client connecting into the raspberry pi and it forwaring connections to the vpnserver
04:21 < zoidberg-> so i assume its not allowing the vpnserver to communicate back out to the client
04:21 < zoidberg-> what rule would i need to specifically allow that communications to rule out that being the prblem
04:21 < zoidberg-> i assume something likt his:
04:22 < zoidberg-> hrm im not sure actually
04:22 < zoidberg-> as outgoing should work
04:22 < zoidberg-> im really confused now :(
04:22 -!- Envil [~meep@95.211.26.40] has joined #openvpn
04:22 <@syzzer> you, seems that way. maybe disable iptables completely?
04:22 <@syzzer> *yes
04:22 < zoidberg-> i need some rules to allow me to masquerade and actually hit internet
04:22 < zoidberg-> if i pull iptables down then nothing will work
04:23 <@syzzer> ah, right.
04:23 < zoidberg-> but i mean
04:23 < zoidberg-> lets think about this logically
04:23 < zoidberg-> the vpnserver listens on 172.16.0.2
04:23 < zoidberg-> bthome hub is 172.16.0.1
04:23 < zoidberg-> the client can connect to my external ip, and the bthome hub forwards to raspberry pi, and we see syn packets from the client to 172.16.0.2
04:23 < zoidberg-> i just dont see anything comming back and that ties in with the openvpn log
04:23 < zoidberg-> so
04:24 < zoidberg-> its gotta be something to do with iptables and allowing the traffic back out
04:24 < zoidberg-> as its comming in
04:24 < zoidberg-> hmm
04:24 <@syzzer> try tcpdumping your interfaces
04:25 <@syzzer> see what goes in and out. could also be the bt home hub is dropping the return packets (although that would be weird...)
04:25 < zoidberg-> i've tried they dont leave the pi
04:25 < zoidberg-> thats why i know its the pi
04:25 < zoidberg-> to some extent definitley not the bt home hub
04:26 < zoidberg-> as if i do another portforward to the same ip on say port 31337 and run nc -l 31337 on the 172.16.0.2
04:26 < zoidberg-> i can connect to it externally
04:26 <@syzzer> also checked the other interface? if routing is broken it might send them out on the wrong iface
04:26 < zoidberg-> so i know the bt home hub is working as it should
04:26 < zoidberg-> good thinking!
04:26 < zoidberg-> let me check the others
04:26 < zoidberg-> hang on
04:28 < zoidberg-> ok tcpdump from eth1 (172.16.0.2) which is the vpnserver interface that is connected to the bt home hub, yo see traffic from the client: http://codepad.org/WNZThBDQ the client ip is 94.23.170.2
04:28 <@vpnHelper> Title: Plain Text code - 131 lines - codepad (at codepad.org)
04:28 < zoidberg-> you see in that dump the client connecting but nothing comming back
04:29 < zoidberg-> checking other int's now
04:31 <@syzzer> add an 'and tcp' to your filter - that reduces the unrelated stuff in the log
04:31 < zoidberg-> http://codepad.org/EkJ7Qo91 <-- that just vpn traffic on eth1
04:31 <@vpnHelper> Title: Plain Text code - 23 lines - codepad (at codepad.org)
04:32 < zoidberg-> hey
04:32 <@syzzer> yeah, just SYN packets
04:32 < zoidberg-> when i tcpdump tun1 which is the server vpn interface i see traffic
04:33 < zoidberg-> here you go this is for tun1: http://codepad.org/84X1tEAQ
04:33 <@vpnHelper> Title: Plain Text code - 51 lines - codepad (at codepad.org)
04:34 < zoidberg-> ok
04:34 < zoidberg-> dude
04:34 <@syzzer> oh, wow, your return packets are sent out over the tun iface :/
04:34 < zoidberg-> i think i know what the problem is
04:34 < zoidberg-> i have not told u one vital bit of information
04:34 < zoidberg-> also on the raspberry pi is an external vpn tunneling all my lan traffic over it to the internet (so my isp can't mess with me)
04:34 < zoidberg-> that works
04:34 < zoidberg-> and that is tun1
04:34 < zoidberg-> so i have server and client on that raspberry pi
04:34 <@syzzer> ah, right! yes, that's your problem
04:34 < zoidberg-> it seems that because the client is using 182.16.1.x netowrk
04:35 < zoidberg-> ok
04:35 < zoidberg-> how do i fix this though ll
04:35 < zoidberg-> lol
04:35 < zoidberg-> god the last two weeks setting this network up has given me a load of grey hairs :(
04:35 < zoidberg-> should i change the client vpn ips to 10.x network instead of the 172
04:35 < zoidberg-> so they dont clash?
04:35 < zoidberg-> is that the issue..
04:35 < zoidberg-> or is there an easier way to fix this
04:36 < zoidberg-> tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:172.16.1.6  P-t-P:172.16.1.5  Mask:255.255.255.255
04:36 <@syzzer> no, if I understand you right yout Pi routes outgoing internet traffic over tun1
04:36 < zoidberg-> that there is my client on the raspberry pi connecting out
04:36 < zoidberg-> yes
04:36 < zoidberg-> correct
04:36 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
04:36 < zoidberg-> oh shit
04:36 < zoidberg-> ok
04:36 < zoidberg-> so i do need an explicit rule saying all vpn traffic comming into the server, needs to go out the other interface
04:36 < zoidberg-> hrm how do i do that
04:37 < ValdikSS> Hello. I have a question. What should I do on the server side, if some of the vpn clients are not with MTU 1500?
04:37 <@syzzer> now that is kind of where my networking knowledge ends :p
04:37 < zoidberg-> haha
04:37 < zoidberg-> well dude, i owe you a massive thank you for getting me to this point
04:37 < zoidberg-> at least i now know what i need to fix
04:37 < zoidberg-> so thank you :)
04:37 <@syzzer> at least you've found the issue :)
04:37 < ValdikSS> Right now, I have default settings on server side and set link-mtu 1492 on client side for PPPoE connection, for example
04:38 < ValdikSS> But server always assumes client has MTU 1500 and sometimes sends packets, which cannot be accepted by client
04:38 < ValdikSS> But overall, it works
04:38 < ValdikSS> Is there any better solution?
04:39 <@syzzer> server and client link-mtu values should match I think
04:40 <@syzzer> but openvpn should fragment packets for you anyway afaik
04:40 < ValdikSS> syzzer: that is some kind of problem. OpenVPN by default configured for MTU 1500, even packet fragmentation assumes the client has MTU 1500
04:41 <@syzzer> iirc openvpn assumes tun-mtu 1500, not link-mtu 1500?
04:42 < ValdikSS> well, yes
04:42 < ValdikSS> tun-mtu is indeed 1500
04:42 < ValdikSS> link-mtu could be calculated from link-mtu
04:42 < ValdikSS> by default, openvpn calculates link-mtu from tnn-mtu 1500
04:43 <@syzzer> yeah, exactly
04:43 < ValdikSS> BUT
04:43 < ValdikSS> Like
04:43 < ValdikSS> 1) You can change only fragment and/or mssfix
04:43 < ValdikSS> Set it, like, 20 bytes less
04:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:44 < ValdikSS> Set it on both server and client
04:45 < ValdikSS> Then UDP should work fine for low-mtu client, but if client connects to OpenVPN server via TCP, and tries to send UDP packet in tunnel more, then his link can handle, it would fail
04:45 <@syzzer> still, I *think* the networking stack of your OS should take care of fragmenting on either interface before sending out packets on other interfaces?
04:46 < ValdikSS> syzzer: OS doesn't know anything about real MTU in openvpn, because openvpn fragments packets itself and sets non-real mtu on it's interface
04:46 < ValdikSS> You can set tun-mtu 65000 link-mtu 1400 and OS would think you can send 65000 bytes long packets, and you really can
04:46 < ValdikSS> Because openvpn would fragment it internally
04:47 < ValdikSS> But that's not my point
04:47 <@syzzer> yah, and if openvpn sends out 65000 bytes packets, your host will fragment those before forwarding, right?
04:47 < ValdikSS> syzzer: not my host (OS), but openvpn itself
04:48 < ValdikSS> syzzer: openvpn doesn't send 65000 bytes packet, it fragments it into pieces before sending via real link
04:48 < ValdikSS> and OS doesn't know anything about that
04:48 < ValdikSS> OS thinks it's one packet of 65000 bytes length
04:48 < ValdikSS> But that's not the problem anyway
04:49 <@syzzer> ok, nvm, then I just misunderstood your problem
04:49 < ValdikSS> The problem is "what should I do" with the low-mtu clients, as a server and client administrator
04:50 < ValdikSS> Should I configure less fragment/mssfix and/or link-mtu on server, making less speed for high-mtu (1500) clients, or should I ignore openvpn warnings and errors on client and set just link-mtu on client
04:52 <@syzzer> hmm, I can see why openvpn would send out too-big (ciphertext) packets, but I don't see why those are dropped. As long as their IPv4, I thought routers would just fragment them as needed.
04:53 <@syzzer> so that would cause a performance issue for low-mtu links, but no packet loss issue
04:56 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit []
04:56 <@syzzer> but anyway, you might be better off asking this again in a few hours, when the networking guys hanging around here wake up ;)
04:57 < ValdikSS> syzzer: routers don't fragment packets for years
04:58 < ValdikSS> syzzer: it's a pretty expensive operation
04:59 < ValdikSS> syzzer: well, i'm not fully right. Some of them still fragment packets.
04:59 <@syzzer> okay, didn't know. so what do they do, just silently drop packets? send back icmp packet-too-big?
05:00 < ValdikSS> syzzer: ping -s 2000 google.com silently drops packets on my link
05:00 < ValdikSS> >send back icmp packet-too-big?
05:00 < ValdikSS> that's only with DF-flag
05:00 < ValdikSS> (don't fragment)
05:01 < ValdikSS> I'm the owner of VPN service built on openvpn
05:02 < ValdikSS> And right now one of my clients can't use VPN because of MTU issues
05:02 <@syzzer> yeah, I guessed that by now. I'm one of the developers, but I'm really more a crypto guy than a networking guy
05:02 < ValdikSS> He it using ADSL with real MTU 1492
05:02 < ValdikSS> Some time ago, I recommended clients to set tun-mtu 1400, for example
05:03 < ValdikSS> It works, but there are a lot of errors in the log because of that
05:03 < ValdikSS> So I'm looking for a proper solution for low-mtu clients, which won't harm (hard) normal-mtu clients
05:04 < ValdikSS> I suppose I should write on forum or on maillist then
05:04 <@syzzer> yeah, I think the openvpn-users mailinglist is a good place to start
05:29 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Quit: ChatZilla 0.9.90.1-rdmsoft [XULRunner 22.0/20130619132145]]
05:47 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
06:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 246 seconds]
06:04 < zoidberg-> is anyone familiar with source based routing, im trying to get some of my lan traffic to go over the vpn and some of it not
06:06 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
06:12 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 240 seconds]
06:21 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
06:38 -!- Netsplit *.net <-> *.split quits: Chex, arkie
06:50 -!- gallatin [~gallatin@dslb-178-009-103-052.178.009.pools.vodafone-ip.de] has quit [Quit: Client exiting]
07:08 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
07:41 < jzaw> zoidberg-, http://backreference.org/2012/10/07/policy-routing-multihoming-and-all-that-jazz/
07:41 <@vpnHelper> Title: Policy routing, multihoming and all that jazz « \1 (at backreference.org)
07:45 < jzaw> zoidberg-, i found these two pages to be most helpful infact i did a variation of that for my selectivity of traffic over vpn
07:46 < jzaw> http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2/
07:46 <@vpnHelper> Title: Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 | Nerd Boys (at nerdboys.com)
07:46 < jzaw> http://nerdboys.com/2006/05/08/multiwan-connections-addendum/
07:46 <@vpnHelper> Title: Multiwan connections addendum | Nerd Boys (at nerdboys.com)
07:58 -!- zeroNones [~textual@187.204.139.206] has joined #openvpn
08:46 -!- Netsplit *.net <-> *.split quits: arkie
08:55 -!- zeroNones [~textual@187.204.139.206] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
09:08 -!- Netsplit over, joins: arkie
09:22 -!- tyil [~tyil@znc.scriptkitties.moe] has joined #openvpn
09:22 < tyil> hi
09:23 < tyil> I got an OpenVPN server on Ubuntu 14.04, and a OpenVPN client on Windows 7 x64, which tells me I connected succesfully to the server, yet when I go to "whatsmyip.org" it still shows me my "normal" IP, not the VPNs IP
09:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:24 < tyil> my client config: http://pastebin.com/knw829yf
09:24 < tyil> I can also paste the server config if it's needed
09:31 -!- Terminus [~null@unaffiliated/terminus] has joined #openvpn
09:32 < Terminus> hello. anybody here using tunnelblick? i'm trying to use password auth instead of certs and i get "Options error: No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass". where exactly do i specify the username and password?
09:33 < pekster> You cannot put the user/pass in the config. Read the --auth-user-pass option in the manpage if you'd like to provide credentials via a file, and be aware if that file is ever compromised so is your login
09:34 < pekster> If you leave the optional 'file' argument off, it'll prompt you for credentials
09:35 < Terminus> pekster: yeah, i'm aware of that. the problem is i'm using tunnelblick 3.4beta34 on osx 10.9 and i can't find a way to get it to prompt for credentials.
09:36 < pekster> You add that option to your config
09:36 < pekster> And that's it. Your error shows you do not currently have that option
09:37 < Terminus> pekster: and where is that? i don't see any such option in the .ovpn file.
09:38 < pekster> Exactly. You must add it
09:38 < pekster> !--
09:38 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
09:38 < pekster> Add it the same way you added all your other config lines (use your preferred text editor)
09:41 < Terminus> pekster: ah... didn't know all parameters can be used as options in the config file. thanks!
09:43 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:57 < Terminus> pekster: yep. that did it. thanks again!
09:57 < pekster> sure
10:02 < Terminus> now it's forever stuck in "MANAGEMENT: >STATE:1408806081,WAIT,,," any ideas? the laptop and openvpn server are both on the same subnet.
10:02 < Terminus> oh damn. wait. i should have checked the firewall on the openvpn server.
10:37 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:43 -!- baus [baus@shield.marvel.se] has joined #openvpn
10:43 < baus> is it true that if i use a vps for my openvpn, like ramnode, that they can still see everything i do?
10:45 < pekster> If you use a hosted VM solution, the owner of the VM host will have technical access to the raw data of your VM disk, yes. They normally can't even log into your system without a password, but in a mallicious situation simply altering the files on-disk could grant them that access
10:46 < pekster> Most hosted VM solutions include a method to access the console, and that would be available to the VM host owner as well; it's typically trivial to root a Unix-alike system from the console, for instance
10:47 < baus> i see. well i like the vps because it's cheaper than buying a vpn solution like private internet access. i guess that's a price to pay
10:47 < baus> thanks for your information and help pekster
10:47 < pekster> Oh, you mean as far as redirecting Internet traffic?
10:47 < pekster> OpenVPN only encrypts between VPN endpoints; if you redirect traffic over it and the inside data is unencrypted, it will be visible as plaintext traffic after that, yes
10:47 < baus> do you know how to encrypt the inside data?
10:48 < pekster> Use a protocol that encrypts. https instead of http, etc. Same way you'd secure any protocol
10:48 < baus> alright
11:05 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 250 seconds]
11:51 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
11:54 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
12:07 -!- Terminus [~null@unaffiliated/terminus] has quit [Quit: leaving]
12:20 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
12:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
12:23 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
12:48 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
13:05 -!- baus [baus@shield.marvel.se] has left #openvpn ["Like A Baus"]
13:22 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has quit [Read error: Connection reset by peer]
13:23 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has joined #openvpn
13:57 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
14:12 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:12 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
14:14 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:20 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 272 seconds]
14:20 -!- moonkid [~josegarza@89.248.166.138] has quit [Remote host closed the connection]
14:21 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
14:21 -!- moonkid [~josegarza@89.248.166.138] has left #openvpn []
14:21 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
14:38 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
14:41 -!- Vikinger [~Bumber@unaffiliated/vikinger] has joined #openvpn
14:41 < Vikinger> anyone available to help
14:42 < Vikinger> i lauch openvpn and it connects to the vpn, then i have no internet anyway
14:43 < Vikinger> Eugene
14:43 < Vikinger> ecrist
14:43 < Vikinger> hazardous
14:48 <@Eugene> Don't randomly ping people.
14:49 <@Eugene> !welcome
14:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:49 <@Eugene> Read ^
14:49 < Vikinger> done reading
14:50 -!- Vikinger was kicked from #openvpn by Eugene [Done helping, then]
14:50 -!- Vikinger [~Bumber@unaffiliated/vikinger] has joined #openvpn
14:52 -!- moonkid [~josegarza@89.248.166.138] has quit [Quit: moonkid]
14:52 < Vikinger> I get connection to my vpn but when i try to browse or even ping something i get no connection, i have changed the file resolv.conf back and forth and i still cant get internet after the vpn is connected, what am i doing wrong ?
14:53 < Vikinger> Is this good Engene, is there more information you think is needed ?
14:53 < Vikinger> Eugene
14:54 < loeken> Vikinger, "we may need !logs and !configs and maybe !interface to help you."
14:54 <@Eugene> !redirect
14:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:54 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:54 <@Eugene> Flowchart ^
14:54 < loeken> "!redirect for sending inet traffic through the server."
14:54 < Vikinger> ok
14:55 < Vikinger> i just wait now then
14:55 < loeken> works for me ...
15:00 < Vikinger> has anyone had this problem
15:00 < Vikinger> im working with debian
15:00 <@Eugene> Many people. THat's why we have a flowchart to help find what's wrong
15:05 -!- tyil [~tyil@znc.scriptkitties.moe] has left #openvpn ["WeeChat 0.4.3"]
15:07 < Vikinger> o
15:07 < Vikinger> ok
15:14 -!- shiin [~shiin@funtoo/core/shiin] has quit [Ping timeout: 245 seconds]
15:24 -!- Vikinger [~Bumber@unaffiliated/vikinger] has quit [Quit: Tired of this world, gona check the other one.]
15:25 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
15:26 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 245 seconds]
15:30 -!- mattock is now known as mattock_afk
15:34 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 272 seconds]
15:42 -!- moonkid [~josegarza@89.248.166.138] has joined #openvpn
15:50 < moonkid> !redirect
15:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:50 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:51 < moonkid> !wiki
15:51 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
15:52 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
15:57 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
16:00 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
16:08 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
16:23 -!- moonkid [~josegarza@89.248.166.138] has quit [Quit: moonkid]
16:27 -!- moonkid [~anonymous@89.248.166.138] has joined #openvpn
16:28 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has quit [Remote host closed the connection]
16:39 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
16:58 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
17:00 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
17:02 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
17:06 -!- moonkid [~anonymous@89.248.166.138] has quit [Quit: moonkid]
17:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:26 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:28 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
17:30 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
17:32 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
17:32 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
17:37 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 240 seconds]
17:39 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
18:06 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
18:27 < jeev> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) <- completely random, no firewall issues or anything, certs haven't changed..
18:29 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 250 seconds]
18:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:32 < zoidberg-> Hello all, i am getting alot of MULTI bad source address errors on my vpn server - i cannot figure out what is causing this, here is all the info: http://codepad.org/a5XDYH6b - if anyone can provide any insight i would really appriciate it
18:32 <@vpnHelper> Title: Plain Text code - 183 lines - codepad (at codepad.org)
18:35 < zoidberg-> All the googling i'm doing seems to suggest its usually the client ip address in that error yet, its the external client ip in the error i can't find any information rgearding that type of error
18:35 < zoidberg-> or why its happening and what it means (the vpn appears to be functioning correctly)
18:35 < zoidberg-> just lots of those errors
18:42 < jeev> static key works for me, i'll try to recreate
18:42 < jeev> zoidberg-, ccd?
18:43 < loeken> https://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/ maybe this helps zoidberg- ?
18:43 <@vpnHelper> Title: Openvpn MULTI: bad source address from client solution | Into.the.Void. (at www.void.gr)
18:45 < zoidberg-> jeev: MULTI: bad source address from client [94.23.170.2], packet dropped - the problem is 94.23.170.2 is the clients external ip not its ip given to it by the vpn
18:45 < jeev> yes..
18:45 < zoidberg-> so ccd wouldn't work as why would i try routing their external interface
18:45 < jeev> hm
18:45 < zoidberg-> im confused as to why thats showing
18:46 < zoidberg-> i was half expecting it to be a local ip assigned by the vpn
18:46 < zoidberg-> then i route that out and masquerade
18:46 < zoidberg-> but that is not the case, why am i seeing a clients external ip there, it should be (as far as i can tell from my googling) the clients vpn ip
18:46 < pekster> You did your SNAT wrong. Show your Netfilter rules the non-insane way: `iptables-save -c`
18:46 < zoidberg-> pekster: ok
18:46 < pekster> Sounds like your SNAT/MASQ rule is not correctly using your uplink interface
18:46 < zoidberg-> pekster: my routing is a bit trippy i'm doing policy based routing..
18:47 < zoidberg-> http://codepad.org/jBUQz31B <-- pekster  :)
18:47 <@vpnHelper> Title: Plain Text code - 31 lines - codepad (at codepad.org)
18:49 < pekster> don't policy route with fwmark like that; use ctmark so you associate policy routing decisions with the entire CONNECTION
18:50 < pekster> That's almost certainly why you get bogus packets going out your wrong link, since it sounds like your --redirect-gateway applies only to the `main` routing table, not the secondary you're using
18:50 < zoidberg-> ok pekster i only learnt about policy route with fwmark today - i have no idea what that is you mention hah, can you talk in layman terms :)
18:51 < pekster> Use CONNMARK instead of MARK on mangle/PREROUTING to identify the source interface, then restore it in mangle/POSTROUTING with `-j CNNMARK --restore-mark` (which takes a mask, if you need it)
18:52 < zoidberg-> and thats it just replace MARK with CNNMARK?
18:52 < zoidberg-> better do some reading up on this
18:52 < pekster> Exactly
18:52 < zoidberg-> thank you for your help.
18:52 < pekster> You need to make the routing decision based on the connmark (ctmark) but since `ip rule` can only see the fwmark, you need to both mark the connection, and then restore it to the fwmark
18:53 < pekster> The reason your public IP shows up on the VPN link is that the nat table is only consulted for NEW packets (not RELATED as it's assumed they follow the same NAT as the original traffic)
18:53 < zoidberg-> ok hmm
18:53 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
18:53 < zoidberg-> some reading required, thanks pekster
18:59 -!- shiin [~shiin@funtoo/core/shiin] has quit [Quit: Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding]
18:59 < pekster> zoidberg-: Erm, one correction: you need to restore the mark in mangle/PREROUTING for forwarded traffic, ie: before the routing decision is made. See the 'Netfilter packet flow' diagram for details, or ask #Netfilter for more detail
18:59 < pekster> https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg
18:59 <@vpnHelper> Title: File:Netfilter-packet-flow.svg - Wikipedia, the free encyclopedia (at en.wikipedia.org)
19:44 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:07 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
20:29 -!- jangerhofer [~jangerho@2601:6:5280:c9:1d56:1dd1:9df8:41e0] has joined #openvpn
20:46 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
21:23 < lachesis> hey guys, i'm using openvpn over stunnel, and redirect-gateway def1 breaks my stunnel connection :)
21:25 -!- ryonaloli [~mengele@unaffiliated/ryonaloli] has joined #openvpn
21:25 < lachesis> is there some way i can tell openvpn to add another route override so that my connection to my "real" remote isn't nuked
21:26 < ryonaloli> so suddenly my computer is unable to resolve urls. i have 'nameserver 10.8.0.1' in /etc/resolv.conf which was created by openvpn for 'redirect-gateway def1'. it was working earlier today, but now it's not resolving anything
21:26 < ryonaloli> if i use the 8.8.8.8 nameserver it works, but ofc i don't want that
21:27 < pekster> lachesis: Yup, read --route in the manpage; you can add that as a client
21:28 < lachesis> cool pekster
21:28 < lachesis> net_gateway is what i was missing
21:29 < pekster> ryonaloli: what does `dig @10.8.0.1 google.com` report?
21:30 < pekster> If that fails, there is no DNS that is answering your queries at that IP and you cannot use it as DNS
21:30 < pekster> Just use google DNS anyway
21:30 < ryonaloli> i don't have dig installed
21:31 < ryonaloli> yeah there's no dns because it's suppose to be sent over my vpn with the redirect-gateway thing. is it possible that my vpn suddenly removed support for that today?
21:31 < pekster> No, --redirect-gateway has never done anything with your _local_ DNS servers
21:31 < ryonaloli> what do you mean?
21:31 < pekster> Read --dhcp-option in the manpage, and on non-Windows this requires client-side script hooks to do the right thing
21:31 < pekster> tl;dr: just use Google DNS
21:31 < ryonaloli> i do have those script hooks
21:32 < ryonaloli> if i used google dns, that wouldn't be sent through the vpn
21:32 < pekster> Yes it will, with --redirect-gateway
21:32 < pekster> What OS?
21:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:32 < ryonaloli> gentoo linux
21:33 < pekster> And you're supplying --redirect-gateway on the client (or pushing from your server) right?
21:33 < ryonaloli> supplying on the client
21:33 < pekster> Then your routes are getting changed; 8.8.8.8 _will_ go over the DNS assuming you haven't something super silly like add an exception for google to route it out your ISP (that'd be stupid since you don't want it)
21:34 < pekster> `ip route get 8.8.8.8` will show you
21:34 < pekster> So once again, just use that as your DNS. Problem solved.
21:34 < pekster> Or fix your broken DNS server on 10.8.0.1 (your VPN server)
21:34 < ryonaloli> should i disable the routs being changed?
21:34 < pekster> Not if you intend to redirect your Internet traffic
21:35 < pekster> Full details on redirection here:
21:35 < pekster> !redirect
21:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:35 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:35 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
21:35 < pekster> Specific hardware for openwrt has to be supported. Generic x86 targets should work as well, although specific device drivers may need some special handling
21:36 < ryonaloli> so all i have to do is disable the scripts which set 10.8.0.1 in resolv.conf?
21:37 < ryonaloli> why would it be that it worked earlier today, but only now fails?
21:39 < pekster> Until you debug your DNS on that host, you'll never know
21:39 < pekster> That's why I suggested you do that
21:40 < pekster> Go install real DNS tools if you want to know, or read up on nslookup to query hosts (though it's far less useful to dig into DNS problems. Pun somewhat intended)
21:41 < ryonaloli> i'm a bit confused. if 10.8.0.1 is a local ip that forces the dns to go over my vpn, then why would it still be forced to go over my vpn even if that ip isn't present? what would that local ip's purpose be if everything goes over the vpn anyway?
21:41 < ryonaloli> is it that 10.8.0.1 uses my vpn's own dns, rather than using a different dns and sending it through the vpn
21:41 < ryonaloli> ?
21:41 < pekster> It's the IP of the VPN server (in the example RFC1918 in the !howto)
21:42 < pekster> Thus that IP _is_ your server. You say DNS doesn't work, so either your VPN is broken, you have a firewall blocking the DNS traffic, or your DNS on that host is broken
21:42 < pekster> Fix whatever of those is broken, or use a non-broken DNS
21:43 < pekster> And no, "uses your VPNs DNS" is not at all what it's doing. It's *ONLY* sending the DNS request to that IP. You have no clue at all if that host is acting as a forwarder, recursive resolver, or spewing hiacked records back at you
21:43 < pekster> It depends entierly on how _that_ host is set up. If you don't run the server, ask the owner what it's doing
21:44 < ryonaloli> i'm not quite sure what you mean by it is my server. that ip is local
21:44 < ryonaloli> or, it sees it as the server?
21:44 < pekster> Or, like I said earlier: < pekster> tl;dr: just use Google DNS
21:44 < pekster> Unless YOU are the server, that IP is NOT local
21:44 < pekster> (or unless you have one fucked up server config)
21:45 < pekster> If you're still confused, showing me your server and client configs will make this lots easier (sans comments, syntax in !configs to remove the cruft)
21:45 < ryonaloli> !configs
21:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:47 < ryonaloli> this is for a commercial vpn, i only have the client config. as for it being the server, it pings with 0.000ms, and it was created with route add by the up.sh script. i'll get my client config now
21:48 < pekster> Then you have zero clue how it's set up
21:48 < pekster> 10.8.0.1 is almost certainly the server, but if DNS on _THAT_ host is not working, go whine to them
21:48 < pekster> !provider
21:48 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
21:48 < pekster> Just stop making your life so bloody complicated. Use googleDNS. Problem solved. you win.
21:49 < pekster> It _DOES_ go over the VPN -- I gave you a route command to check that
21:49 < pekster> Anything else is your own doing
21:51 < ryonaloli> alright, i'll use google dns. is there somewhere i can go to read up on what the 10.8.0.1 is for? considering it can only be pinged from a machine with up.sh run and it has no latency (and it's a 10. address) it's hard to believe it's a remote ip. but since using 8.8.8.8 will solve my problem i'm just curious now, so i'm wondering where a good resource to read is
21:51 < pekster> !howto
21:51 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:51 < ryonaloli> thanks
21:51 < pekster> Unless you try very hard to do strange and non-standard things, the first usable IP of a VPN range in openvpn is the server. Always.
21:52 < pekster> And yes, RFC1918 is typically used; IPv4 space is sparse, and using it for non-routable purposes is wasteful
22:28 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
22:38 < jangerhofer> Does anyone have a dead-simple guide to setting up a server (on a mac or platform-agnostic)?  Best I've found is this:  http://openvpn.net/index.php/open-source/documentation/howto.html#config
22:38 <@vpnHelper> Title: HOWTO (at openvpn.net)
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:53 -!- ShadniX [dagger@p5DDFC13D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:54 -!- ShadniX [dagger@p5DDFE471.dip0.t-ipconnect.de] has joined #openvpn
23:56 -!- zeroNones [~textual@187.146.189.99] has joined #openvpn
--- Day changed Sun Aug 24 2014
00:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
00:46 -!- zeroNones [~textual@187.146.189.99] has quit [Ping timeout: 240 seconds]
01:06 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:17 -!- mattock_afk is now known as mattock
01:22 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Remote host closed the connection]
02:56 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit []
02:57 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
03:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:08 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit []
03:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:12 -!- DachesBella [~dachesbel@fsf/member/dachesbella] has joined #openvpn
03:13 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
03:13 -!- Envil [~meep@95.211.26.40] has joined #openvpn
03:30 -!- DachesBella [~dachesbel@fsf/member/dachesbella] has quit []
05:12 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
05:15 -!- jangerhofer [~jangerho@2601:6:5280:c9:1d56:1dd1:9df8:41e0] has quit [Ping timeout: 250 seconds]
05:24 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds]
05:26 -!- jangerho [~jangerho@24.218.76.202] has quit [Read error: Connection reset by peer]
05:26 -!- jangerhofer [~jangerho@24.218.76.202] has joined #openvpn
05:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:33 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
05:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:52 -!- jangerhofer [~jangerho@24.218.76.202] has quit [Read error: Connection reset by peer]
05:55 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit [Ping timeout: 255 seconds]
05:55 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
06:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
06:13 < zoidberg-> pekster: are you around im having serious problems trying to understand the issue you brought to my attention last night :(
08:09 -!- AndrzejL [~AndrzejL@unaffiliated/andrzejl] has joined #openvpn
08:11 < AndrzejL> guys I have a openvpn server running with IP 10.8.0.1 and on the same machine I have a game server running at 192.168.1.50 - I want the 10.x machines to be able to connect to the 192.168.1.50 do I do that in the openvnc config somehow OR do I do that with iptables / shorewall config?
08:14 < Envil> Can't you just configure the game server to listen on both/all interfaces?
08:14 < AndrzejL> or even better I would like to see the game running at 192.168.1.50 but when users type in 10.8.0.1 in the games config they will be actually connecting to 192.168.1.50
08:15 < AndrzejL> Envil: the game wants... wait I am not sure...
08:15 < AndrzejL> let me se
08:15 < AndrzejL> e
08:19 < AndrzejL> No unfortunatelly the game server is very silly and it will work if I will point it to 192.168.0.1 or 192.168.1.50 but if no ip is specified or 0.0.0.0 or 127.0.0.1 is used then the server is not allowing connections
08:22 < AndrzejL> I would google it but I am not entirely sure what I am looking for. Server is working, clients can connect and ping server, server can ping clients but what I would need is and I am not sure if I am using correct terminology its either routing between 192.168.1.50 and 10.8.0.1 OR the address needs to be translated... So if someone could give me a push in the right direction I could be on my ...
08:22 < Envil> Well multiple options then i guess. You could use a proxy to listen on 10.8.0.1 and forward the packets to the game server or you could mess with routing so 192.168.1.50 is reachable through the vpn, but then you'd have to make sure that your ip ranges don't conflicht with the clients network.
08:22 < AndrzejL> ... way trying to figure out the method...
08:23 < AndrzejL> interesting...
08:23 < AndrzejL> 2nd method is what I would be interested in.
08:23 < Envil> The correct method would be making the gameserver listen on both interfaces (if it was possible), next easiest would be the proxy i guess ^^
08:31 < Envil> For the routing way you'd have to push additional routes to the clients telling them that they can reach 192.168.* through the vpn. And maybe some iptables stuff to make it work on the server.
08:51 -!- AndrzejL [~AndrzejL@unaffiliated/andrzejl] has quit [Read error: Connection reset by peer]
09:09 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
09:13 -!- Butch1288 [~butch@69-165-252-203.cable.teksavvy.com] has joined #openvpn
09:14 < Butch1288> Having issues with redirect-gateway to push all traffic through my VPN...  I have 3 clients (dd-wrt routers) connected to a Linode machine.  The clients work and can see eachother fine.  I can push individual routes and those route fine... but when i put redirect-gateway, i always get "bad source address from client...packet dropped"?
09:15 < Butch1288> Now... if I add individual routes they work... so I cannot understand why redirect-gateway does not... does anyone have any ideas?
09:28 <@krzee> Butch1288, show me both logs
09:31 -!- Butch1288 [~butch@69-165-252-203.cable.teksavvy.com] has quit [Ping timeout: 260 seconds]
09:52 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:53 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
10:06 -!- oc [~oc@voyager.nith.no] has joined #openvpn
10:07 < oc> I have a problem setting up iptables to properly route traffic through my tunnel. What am I missing? => https://gist.github.com/oc/6db46ea473141b12f689
10:07 <@vpnHelper> Title: 00 (at gist.github.com)
10:33 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:34 -!- wallbroken [~wbk@unaffiliated/wallbroken] has joined #openvpn
10:34 < wallbroken> hi
10:34 < wallbroken> does openvpn support http proxy ?
10:43 <@krzee> sure
10:43 <@krzee> !man
10:43 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:44 <@krzee> search around for the word proxy, theres a few related options
10:44 < oc> evilman_home: routes are fine (both prefixes are on eth1) don't get much wiser, i see the packets dropping. have to read up on TRACE, ty.
10:45 < wallbroken> krzee, is there some difference between "http proxy" and "https proxy" ?
10:45 < oc> ups wrong chan
10:59 <@krzee> wallbroken, you talking about openvpn or a general question?
11:00 <@krzee> because in the openvpn manual "https" does not appear anywhere near "proxy"
11:00 < wallbroken> i should to implement openvpn with an http proxy, but i'm now stating that there are 2 variants of proxy, http proxy and https proxy
11:00 <@krzee> well except in port-share but thats unrelated
11:00 <@krzee> openvpn supports http-proxy or socks
11:04 -!- julian [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
11:04 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
11:04 -!- julian is now known as Guest15333
11:07 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
11:08 -!- Guest15333 [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Read error: Connection reset by peer]
11:12 -!- julianoliver [~julian@91.64.78.61] has joined #openvpn
11:12 < julianoliver> i'm having trouble getting static IPs for clients set up with the 'client-config-dir' directive. it's as though my ccd directory isn't being read at all. rather the pool is always read.
11:12 < julianoliver> I see the client-config-dir being set in the output, but also 'Sun Aug 24 18:18:50 2014 us=981004 ifconfig_pool_read(), in='client1,10.9.8.4', TODO: IPv6'
11:13 < julianoliver> why is this? the ccd directory is group readable, as are its contents.
11:18 <@krzee> pastebin me the server log incluyding the client connecting
11:18 <@krzee> also:
11:18 <@krzee> !configs
11:18 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:18 <@krzee> server side only, with ccd
11:19 < julianoliver> coming soon...
11:20 -!- suprsonic [~suprsonic@66.170.2.190] has joined #openvpn
11:20 < suprsonic> anyone get mutlicast working over tun?
11:21 <@krzee> you'll need tap
11:21 <@krzee> dont need bridge tho if its just between vpn endpoints, just a normal routed tap
11:22 < suprsonic> I thought tap was layer2
11:24 <@krzee> yep, thats why multicast will just work
11:24 <@krzee> it used to be the easiest way for ipv6 as well
11:25 < suprsonic> when you say routed tap… am I specifying an IP range in the server config?
11:26 <@krzee> ya just a normal server config with dev tap
11:26 <@krzee> !tunortap
11:26 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
11:26 <@vpnHelper> rooted/jailbroken) support only tun
11:26 < suprsonic> cheers krzee
11:26 < suprsonic> I appreciate it
11:26 <@krzee> oops wrong one
11:26 <@krzee> hmm maybe it was
11:26 <@krzee> !whybridge
11:26 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
11:31 < jeev> krzee, hey dude
11:32 < jeev> yesterday i noticed one of my rarely used vpn's for a client is down..
11:32 < jeev> Sat Aug 23 18:06:22 2014 us=614359 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:32 <@krzee> werd jeevs
11:32 <@krzee> !timeout
11:32 < jeev> they keep getting that, i can get it to connect with static config, just nothing. when i create a cert, again.. it does this.
11:32 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
11:32 < jeev> yea i know but would that explain it connecting without certs?
11:33 < jeev> at this point, the client is a managed fiber, they call it managed fiber, there are no blocks or anything, i control the firewall, nothing has changed.
11:33 < jeev> server is me at the DC.
11:33 < julianoliver> krzee: here's the paste http://pastebin.com/cdrpeyAa
11:34 < julianoliver> krzee: i disabled the ifconfig persistence directive, but still no joy.
11:34 -!- keruton [~keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
11:36 <@krzee> you forgot to show me the ccd entries
11:37 <@krzee> also, put a full path to ccd
11:37 < julianoliver> oh, here's one, for 'client1': ifconfig-push 10.9.8.102 10.9.8.1
11:38 < julianoliver> i'll try the full path (though the docs say it's /etc/openvpn on GNU/Linux)
11:38 -!- keruton [~keruton@cpe-104-34-71-124.socal.res.rr.com] has quit [Remote host closed the connection]
11:38 <@krzee> oh ok i see your confusion now
11:38 <@krzee> oh well if your os script is starting it with chroot or something then /ccd is fine
11:38 -!- `neb [~neb@c-98-202-29-62.hsd1.ut.comcast.net] has joined #openvpn
11:38 <@krzee> also: in your server config put this:
11:38 <@krzee> topology subnet
11:39 <@krzee> and then make your ifconfig-push 10.9.8.102 255.255.255.0
11:39  * julianoliver tries this
11:39 < julianoliver> with full path and the IP mask it works. many TYs!
11:40 <@krzee> np
11:40 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has quit [Ping timeout: 260 seconds]
11:40 <@krzee> you were in net30, so your ccd had to be way different
11:40  * julianoliver is glad
11:40 <@krzee> !static
11:40 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
11:40 < julianoliver> krzee: tight
11:40 < `neb> hi all, I'm looking for a way to randomly assign an ip address from a pool of defined ips depending on the common name of the certificate connecting.  Something similar to ifconfig-push 10.8.0.5 10.8.0.6 inside of a CCD file but rather than a single IP of 10.8.0.5 it could be a pool of ips to choose from.  Is this possible?
11:40 <@krzee> so we moved you to subnet cause it makes more sense and would be easier to understand
11:40 <@krzee> !net30
11:40 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
11:40 < julianoliver> krzee: much easier, cheers
11:41 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
11:41 <@krzee> `neb,
11:41 <@krzee> !client-connect
11:41 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
11:42 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has joined #openvpn
11:44 <@krzee> oc, still having problems?
11:45 < `neb> Interesting, @krzee.  Thanks.  I will give that a shot.
11:46 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
11:47 <@krzee> `neb, no problem =]
11:49 -!- julianoliver [~julian@91.64.78.61] has quit [Ping timeout: 260 seconds]
11:50 -!- wallbroken [~wbk@unaffiliated/wallbroken] has left #openvpn []
11:50 < suprsonic> tap over tcp?
11:50 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
11:53 < jeev> krzee, is having a static key authentication enough? i don't care for encryption on this one.
12:00 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
12:05 < jeev> yea it is
12:06 <@krzee> jeev, enough for what?
12:07 <@krzee> statickey is actually not bad at all, so long as you dont need multiple clients, and rotate your key regularly
12:07 <@krzee> i mean it doesnt even need a handshake!
12:07 <@Eugene> If you don't care about encryption you can just turn it off completely
12:08 <@Eugene> openvpn doesn't mind being run as a dumb tunnel
12:08 <@krzee> or use a gre tun
12:08 <@krzee> !noenc
12:08 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
12:08 < jeev> i just want authentication.
12:08 < jeev> i mean like
12:08 < jeev> i dont want someone to point openvpn client to the port and get access.
12:08 < jeev> it's for one endpoint
12:08 <@Eugene> Then you want a static key
12:09 <@Eugene> Or a good set of firewall rules(if both ends are static IP)
12:09 <@krzee> s/Or/And/
12:10  * Eugene shrugs
12:10 <@Eugene> I have different definition of "don't care about" :-p
12:10 <@Eugene> I'll gladly send some shit over the wire in plain text
12:10 <@Eugene> I'm one of those nuts who sets arcfour for my *cough* linux iso *cough* ssh downloads
12:11 < jeev> no this is cause they have issues reaching a site they use all the time.
12:12 <@krzee> i say encrypt the shit out of everything
12:12 <@Eugene> I like giving the NSA something to chew on
12:12 <@krzee> give those trying to snoop a headache trying to figure out the key to your cat photos
12:13 < jeev> ick.
12:13 < jeev> i'm having packet loss, that's why tls crt was bad
12:13 < jeev> probably
12:13 <@Eugene> Your auth method doesn't care about packet loss; tcp vs udp does.
12:13 < jeev> wait no
12:13 <@Eugene> You should be using udp and let the interior tcp handle it
12:13 < jeev> why wsould i be having loss with the tunnel but not
12:13 <@Eugene> Possibly turn --keepalive up a bit
12:14 <@krzee> !speed
12:14 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
12:14 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
12:15 < jeev> i did not have this issue before here. what the
12:15 < jeev> i have keepalive 10 120
12:17 < jeev> 18 packets transmitted, 2 received, 88% packet loss, time 17001ms
12:17 < jeev> heh
12:17 <@krzee> tcp?
12:18 < jeev> udp
12:19 <@krzee> tested mtu?
12:20 <@krzee> pinging external ip is good?
12:20 < jeev> no, i was about to set it, i remember a method to have it determine best mtu
12:20 < jeev> yes external IP is fine
12:21 < jeev> let me do mtu-test
12:21 < jeev> i hate this so bad, my isp has cogent when talking to this carrier. it's so much packet loss just for me to be on command line, i have to use an ssh proxy.
12:22 < jeev> krzee, when doing mtu-test, should i be doing anything? any traffic?
12:22 < jeev> i actually can't but.. i can ping at least
12:22 < suprsonic> krzee: is it possible to setup routed tap across two dd-wrt routers?  where one router is a client connecting to the openvpn server on the other router?
12:23 < suprsonic> its a mac environment
12:23 < suprsonic> so a lot of multicast
12:23 < suprsonic> one network is 192.158.0.0/24, other end is 192.168.1.0/24
12:24 < suprsonic> would like the two networks to see eachother via randavous
12:24 < suprsonic> rendezvous rather
12:25 < jeev> Sun Aug 24 10:24:52 2014 us=626869 NOTE: This connection is unable to accomodate a UDP packet size of 1540. Consider using --fragment or --mssfix options as a workaround.
12:28 <@krzee> sup, sure why not, but for that you need bridging (on both sides i think, since both lans need sharing) i cant help with that
12:28 <@krzee> suprsonic, ^
12:29 < oc> krzee: yep, still problems. I'm stuck
12:29 <@krzee> jeev, yay there you go! i have never seen that before :D
12:29 <@krzee> oc, ok whats the situation?
12:29 < jeev> workaround doesn't work though ;)
12:29 < oc> I have a problem setting up iptables to properly route traffic through my openvpn tunnel. What am I missing? => https://gist.github.com/oc/6db46ea473141b12f689
12:29 <@vpnHelper> Title: 00 (at gist.github.com)
12:29 <@krzee> !mtu
12:29 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
12:30 <@krzee> oc,
12:30 <@krzee> !goal
12:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:31 < oc> Goal: log in to servers on the lan/mgmt net behind the server (eth1)
12:32 <@krzee> cool, we have a flowchart for that
12:32 <@krzee> !serverlan
12:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:32 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:32 <@krzee> see the very last link
12:33 < jeev> ugh i wanna hit myself in the head
12:34 <@krzee> oc, let me know where you hit the wall on the flowchart
12:35 < jeev> krzee, i moved it to another machine in another building and it's fine.
12:36 <@krzee> nice, check things like the router port / switch / cable etc its on
12:36 <@krzee> assuming it has the same ISP uplink
12:37 < jeev> different path though
12:37 <@krzee> ahh
12:37 <@krzee> well it seems that works =]
12:38 < jeev> that route is much higher in latency. 50 ms
12:38 < jeev> no matter how much i tell my friend, the owner of the dc.. they don't do anything to figure out why the layer 2 route to the other building adds 30ms
12:38 <@krzee> 50ms is not high enough to require debugging
12:38 < jeev> 50ms between one building when coming over the net is not normal.
12:38 <@krzee> if it has no jitter have a coke and a smile and stfu :-p
12:39 < jeev> between two buildings
12:39 < jeev> a block apart.
12:39 <@krzee> how many hops?
12:39 <@krzee> its not a direct cable i assume...
12:39 < jeev> they have a 288 count.
12:39 < jeev> yes.
12:39 <@krzee> traceroute it
12:40 < jeev> i can ping fropm building to building fast
12:40 < jeev> i've gone over this so many times, i'm not going to debug their issues
12:40 < jeev> building to building is <1ms
12:40 < jeev> but if it comes into a carrier in building C, it'll add 30-40ms
12:40 <@krzee> oh then maybe i misunderstood whats 50ms
12:40 <@krzee> a to b is fast, a and b to c is slower?
12:41 < jeev> everything to everything is fast
12:41 < jeev> but if i come from an external network and it goes over level3 which is in building C, then welcome to 35ms+
12:41 < jeev> so there are buildilng core routers
12:42 < jeev> i used to be connected to core router, then this 512k shit hit the fan again
12:42 < jeev> although it seems they were unaffected due to only taking 300k routes
12:42 < oc> krzee: the server is the router, (and I have root access). the server has direct access to the network(s) - eth1. Public IP on eth0. I'm confused about what routes to add?
12:42 < jeev> it looked like i had a ton of jitter, so i was moved to a 2970 which has layer 2 to the other building
12:42 < jeev> immediately, my latency went up 30-35ms
12:43 <@krzee> oh i see
12:43 < jeev> krzee, i have other vpn's on this machine and they're all fine.
12:43 <@krzee> ya internal issues for them
12:43 <@krzee> sucks
12:43 <@krzee> oc, where on the flowchart did you hit a wall?
12:43 < oc> on the client side I have to manually add routes as `push "route 10..."` isn't added to the routing table by the openvpn client (mac os x)
12:44 < oc> krzee: as my github gist states: I cannot ping another machine in the lan
12:44 <@krzee> so you CAN ping the lan ip of the server?
12:44 < oc> yup
12:45 <@krzee> can the lan machine ping the vpn server ip?
12:45 <@krzee> vpn server's vpn ip ^
12:46 <@krzee> aka, can 10.2.2.136 ping 10.9.8.1?
12:47 < oc> krzee: um yea, it can ping both sides of the tunnel (64 bytes from 10.9.8.1: icmp_req=1 ttl=64 time=0.132 ms, 64 bytes from 10.9.8.2: icmp_req=1 ttl=64 time=1.66 ms)
12:47 <@krzee> check firewall on 10.2.2.136
12:47 <@krzee> =]
12:48 <@krzee> is 10.2.2.136 windows by chance?  if so disable firewall on tap interface
12:49 <@krzee> also, when showing firewall rules, use iptables-save
12:50 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Remote host closed the connection]
12:51 -!- `neb [~neb@c-98-202-29-62.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
12:52 < oc> krzee: I figured the problem. it's embarassing: I had set the gateway to the SonicWall piece of shit I'm replacing :~)
12:53 <@krzee> =]
12:54 <@krzee> it happens man, we've all spent time troubleshooting an oops
12:54 < oc> thanks :)
12:54 <@krzee> i hope the flowchart helped
12:55 < oc> !nathack
12:55 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
12:56 <@krzee> noooo
12:56 <@krzee> ;]
12:56 < oc> was just curious ;)
12:56 <@krzee> dont beat your network with an ugly stick unless you have to
13:03 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
13:09 < jeev> dude if i'm having UDP problems along this route, it must have to do with 512
13:09 < jeev> 512k
13:09 < jeev> udp seemed very affected
13:10 < jeev> man this fiber is fast
13:10 < jeev> [ 4] 0.0-10.2 sec 113 MBytes 93.5 Mbits/sec
13:10 < jeev> with tcp
13:11 < jeev> [ 3] 0.0-10.0 sec 1.25 MBytes 1.05 Mbits/sec
13:11 < jeev> [ 3] Sent 893 datagrams
13:11 < jeev> [ 3] WARNING: did not receive ack of last datagram after 10 tries.
13:11 < jeev> that's UDP to the broken network, about same speed with no warning to the working network
13:11 < jeev> !tcp
13:11 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:11 < jeev> krzee, i don't want to use the other building, we're talking 4ms vs 55ms.
13:12 < jeev> to tcp or not to tcp ?
13:13 < jeev> ugh, no packet loss
13:16 < Hello71> hm... hypothetically, would it be possible to use valid tcp headers, but disable the congestion algorithm?
13:17 < Hello71> basically paste tcp headers on udp packets
13:17 -!- oc [~oc@voyager.nith.no] has quit [Quit: Lost terminal]
13:23 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
13:26 <@krzee> Hello71, yes
13:26 <@krzee> !tcp
13:26 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
13:26 <@krzee> see #3 in the manual
13:27 < Hello71> i said "disable the congestion algorithm", not "turn off buffering"
13:28 < Hello71> nodelay fixes a different issue.
13:28 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
13:28 <@krzee> i thgouht it says it disabled nagles algorythm
13:28 <@krzee> !man
13:28 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:29 < jeev> heh https://community.openvpn.net/openvpn/ticket/429
13:29 <@vpnHelper> Title: #429 (tcp-nodelay in client causes assertion failure) – OpenVPN Community (at community.openvpn.net)
13:30 <@krzee> Hello71, "followed by a read that will not be fulfilled until after the data from the second write has reached the destination, experience a constant delay of up to 500 milliseconds, the "ACK delay". "
13:30 <@krzee> https://en.wikipedia.org/wiki/Nagle's_algorithm
13:30 <@vpnHelper> Title: Nagle's algorithm - Wikipedia, the free encyclopedia (at en.wikipedia.org)
13:30 <@krzee> i think tcp-nodelay does both things you are thinking of
13:31 <@krzee> Applications that expect real time responses can react poorly with Nagle's algorithm. Applications such as networked multiplayer video games expect that actions in the game are sent immediately, while the algorithm purposefully delays transmission, increasing bandwidth efficiency at the expense of latency. For this reason applications with low-bandwidth time-sensitive transmissions typically use TCP_NODELAY to bypass the Nagle delay.[3]
13:31 <@krzee> Another option is to use UDP instead.
13:31 < Hello71> man tcp
13:31 <@krzee> ok well to answer your question, tcp-nodelay is the best you're getting
13:31 -!- Mimiko [~Mimiko@89.28.88.177] has quit [Client Quit]
13:39 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
13:42 < jeev> man i can't press enter more than once or twice without dropping from a nc udp test.
13:42 < jeev> but no issues to the other building
13:51 < jeev> hm,. no issues to another server in the same rack
13:51 < jeev> lol
13:51 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
13:54 < jeev> udp looks like when i netcat, it dies after one packet
13:54 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
13:57 < jeev> hm, my primary ip on the machine does not have this issue.
13:57 < jeev> secondary ip does
14:09 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
14:10 <@krzee> well thats real interesting
14:10 < jeev> either way, primary ip does the same thing
14:11 <@krzee> thought you said it ddoes not have the issue
14:11 <@krzee> now you say it does?
14:14 < jeev> secondary ip for some reason dies listening udp
14:16 < jeev> so i moved the vpn to the primary ip and i'm still having loss.
14:16 < jeev> with openvpn
14:16 <@krzee> try iperf with and without openvpn
14:16 <@krzee> then try playing with mtu and do the same
14:19 < jeev> ah i'll try soon
14:19 < jeev> i've got so much work to do, today is catch up day and i'm way too tired
14:20 -!- mirco [~mirco@5.146.125.177] has quit [Quit: mirco]
14:20 <@krzee> and be sure to use iperf over udp
14:22 < pekster> FYI, `ip a` is preferred on Linux instead of ifconfig. This is fine for now, but ifconfig sucks: http://inai.de/2008/0219-ifconfig-sucks.php
14:23 <@vpnHelper> Title: j.eng's site: News, Notes, Quips, Tweets, Things to share. (at inai.de)
14:23 < pekster> Bah, wrong channel :)
14:23 -!- dropje [~yge@546A88C4.cm-12-3c.dynamic.ziggo.nl] has quit [Read error: Connection reset by peer]
14:51 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
14:58 -!- Cubox [cubox@unaffiliated/cubox] has joined #openvpn
15:01 < Cubox> Hi! I have a problem with an user having a slow connection through openvpn, and the logs shows some kind of errors (full log http://cubox.me/files/log-ovpn.log) like this "Authenticate/Decrypt packet error". Is that the user's connection dropping packets?
15:31 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
16:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:23 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
16:24 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
16:30 -!- mirco [~mirco@5.146.125.177] has quit [Quit: mirco]
16:32 -!- zalzane [~zalzane@unaffiliated/zalzane] has joined #openvpn
16:33 < zalzane> by default, openvpn logs to a file that is readable/writable only by root, but the process runs as nobody. What mechanism does the openvpn process use to write to that log file?
16:35 -!- mattock is now known as mattock_afk
16:37 <@krzee> it opens the file before it drops permissions
16:37 < zalzane> okay, thanks for the A
16:37 <@krzee> and really theres no default =]
16:38 < zalzane> i noticed, haha
16:38 < zalzane> "usually default"
16:38 <@krzee> people usually use daemon i think, which means they log to syslog
16:38 <@krzee> which runs as root =]
16:39 <@krzee> openvpn doesnt make its own file unless you use --log or similar to tell it to
16:39 < zalzane> someone had  recommended i set up a vpn to better learn linux, so far that was good advice lol
16:40 <@krzee> interesting, i would usually say to learn the OS before trying advanced networking in it… but if it works for you then cool
16:40 <@krzee> !bestos
16:40 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
16:40 < zalzane> vmx!
16:40 <@krzee> eww
16:41 <@krzee> i damn near have PTSD from vmx
16:41 < zalzane> or or or
16:41 < zalzane> a sun workstation
16:41 <@krzee> oh wait i meant openVMS
16:41 <@krzee> dont even know vmx haha
16:41 < zalzane> yeayh my bad thats what i meant
16:41 < zalzane> it's been so long since i ragged about it
16:41 <@krzee> sun is fine, openvpn runs fine there
16:42 <@krzee> openvms i dunno… first you gotta get it off decnet onto tcpip, then maybe ;]
16:42 <@krzee> haha
16:42 <@krzee> (which i had to do before, minus the vpn)
16:43 <@krzee> no manuals, and the web had damn near no help for me other than the HP "ask the wizard" which kinda sucked but through seeing enough unhelpful things i was able to learn the syntax and whatnot which led to me figuring * out
16:44 <@krzee> i still remember the app to config network stuff was ucx
16:52 < Hello71> krzee: but then you'd be tunneling tcp over tcp
16:53 <@krzee> yes, but with nagles algorythm disabled you mitigate the tcp in tcp effects
16:53 <@krzee> i still say use udp if you can
16:53 <@krzee> but if you must use tcp, you want that option
16:55 < Hello71> only with regards to latency
16:55 < Hello71> the congestion algorithm is the primary issue
16:56 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:58 <@krzee> yes, that is why you dont use tcp for your vpn unless you have to
17:01 < jeev> krzee, so you suggest i just move the vpn rather than use tcp eh
17:01 <@krzee> if you can somehow get the vpn moved to avoid that, then of course thats the first choice
17:02 < jeev> ok np
17:03 < jeev> i could move it, just wish i had an idea why it's happening
17:10 -!- `neb [~neb@c-98-202-29-62.hsd1.ut.comcast.net] has joined #openvpn
17:10 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
17:16 -!- Netsplit *.net <-> *.split quits: suprsonic, _FBi
17:16 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:16 -!- mode/#openvpn [+o krzee] by ChanServ
17:17 < `neb> @krzee, earlier you told me about the client-connect script.  I've gotten this to work however I'm wondering if there's a way from within that script to get a list of currently used IP addresses so I don't assign the same IP to multiple clients.  Do you know of any way to to this?  Otherwise I'll have to maintain a list using the client-disconnect script which could be error prone.
17:18 < `neb> `neb@krzee, earlier you told me about the client-connect script.  I've gotten this to work however I'm wondering if there's a way from within that script to get a list of currently used IP addresses so I don't assign the same IP to multiple clients.  Do you know of any way to to this?  Otherwise I'll have to maintain a list using the client-disconnect script which could be error prone.
17:18 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
17:18 < `neb> sorry for dups
17:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:19 -!- mode/#openvpn [+o krzee] by ChanServ
17:27 < `neb> Does anyone have a solution for assigning an IP from a different subnet based on the certificate used to connect?  I've been trying to figure something out for hours.  The client-connect script can assign the IP but I can't figure out how to determine if an IP is unused.
17:28 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
17:30 <@Eugene> !static
17:30 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
17:30 <@Eugene> Normally this is done via config files,and enumerating the addresses in-play. Doing it from a script on a dynamic basis will require you to handle the addressing and tracking live in the script
17:31 < jeev> Eugene, do you think a cheap vps is enough to support 10-15 people with one connection? one core, 512 mb ram, no encryption
17:32 <@Eugene> "Yes."
17:32 < jeev> "Thanks..."
17:32 <@Eugene> For general low-speed web browsing via redirect-gateway, should be no problem.
17:32 < jeev> well they work off sales and stuff, not sure how low-speed it is
17:33 < `neb> Thanks @Eugene, I have client-connect working great for dynamically assigning an IP but I'm having trouble when 2 clients connect and are given the same IP.
17:33 < jeev> they have this one software that shows them listings constantly
17:33 <@Eugene> VPSes typically can push 25mbps+ no problemo. If you're exceeding that on a regular basis you're gonna run out of bandwidth allocation first. ;-)
17:34 <@Eugene> `neb - that's the part where the script needs to be aware. ;-) You're gonna need some persistence, whether it be a flat-file list of assigned IPs, looking it up via the management interface, or some unholy abomination involving SQLite
17:34 < jeev> oh ok cause they have 100M fiber to the office, i've tested both with iperf and it maxes them out
17:35 <@Eugene> But you won't be /filling/ that fiber.
17:35 < jeev> yea i know.
17:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:36 < `neb> Ok, thanks @Eugene
17:47 -!- zalzane [~zalzane@unaffiliated/zalzane] has quit [Quit: [21:26] <frankbro> I've tried stimulating my prostate with a pen covered in saran wrap. All I got out of it was unbearable shame and the fear that I may have hurt myself and would have to explain to my doctor what happened.]
17:48 < ender`> i manage to push a solid 1MB/s through Asus RT-N12 with BF-CBC (copying files over windows filesharing)
17:54 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 240 seconds]
17:55 < jeev> that's the most solid AND solidest thing ever
17:56 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
17:59 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
18:00 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Ping timeout: 260 seconds]
18:01 -!- `neb [~neb@c-98-202-29-62.hsd1.ut.comcast.net] has quit []
18:02 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
18:13 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 255 seconds]
18:18 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
18:44 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:09 -!- ryonaloli [~mengele@unaffiliated/ryonaloli] has quit [Quit: http://zqktlwi4fecvo6ri.onion/wiki/index.php/The_Matrix]
19:28 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
19:46 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
19:52 -!- centrx [~centrx@pool-72-74-93-20.bstnma.fios.verizon.net] has joined #openvpn
19:58 -!- pfsense_rookie [~socram@2.80.247.139] has joined #openvpn
19:59 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:06 < zoidberg-> [Cwin 15
20:10 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:14 -!- pfsense_rookie [~socram@2.80.247.139] has quit [Ping timeout: 272 seconds]
20:14 -!- centrx [~centrx@pool-72-74-93-20.bstnma.fios.verizon.net] has left #openvpn ["End transmission"]
20:29 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
20:31 -!- G-Known [~smuxi@pool-71-182-188-136.pitbpa.east.verizon.net] has joined #openvpn
20:31 < G-Known> Does anyone know how to change the default port of Openvpn?
20:35 < loeken> did you take a look inside the server config?
20:35 <@Eugene> !man
20:35 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
20:35 <@Eugene> The --port directive does what you want. Please try to exercise at least a bit of reading.
20:36 < G-Known> Yeah, I changed the port number on both the server and client file.
20:38 < loeken> G-Known, restarted the services aswell?
20:38 < G-Known> Yes. I did. Openvpn uses the default port of 1194, I have to kill it in order to run it.
20:39 < G-Known> So I'm trying to change the port to a different number so the conflict won't arise
20:39 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
20:41 < pekster> G-Known: Maybe you want --nobind on your client?
20:41 < pekster> You'll never be able to run >1 server on the same port
20:43 < G-Known> nobind is enabled in the config file. I'm testing this setup on a lxc container that I created.
20:59 -!- G-Known [~smuxi@pool-71-182-188-136.pitbpa.east.verizon.net] has quit [Remote host closed the connection]
21:03 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:08 -!- Cubox [cubox@unaffiliated/cubox] has left #openvpn ["WeeChat 0.4.4-dev"]
21:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
21:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:38 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 260 seconds]
22:38 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
23:11 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
23:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
23:37 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
23:38 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
23:40 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 246 seconds]
23:44 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
23:53 -!- ShadniX [dagger@p5DDFE471.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:53 -!- ShadniX [dagger@p5481CA36.dip0.t-ipconnect.de] has joined #openvpn
23:57 -!- jangerho [~jangerho@2601:6:5280:c9:e120:a23c:35da:7d97] has joined #openvpn
--- Day changed Mon Aug 25 2014
00:11 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Excess Flood]
00:52 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
01:24 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
01:34 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 250 seconds]
01:46 -!- keruton [keruton@cpe-104-34-71-124.socal.res.rr.com] has left #openvpn []
01:46 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
01:51 -!- mattock_afk is now known as mattock
02:21 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 260 seconds]
02:29 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
02:39 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
02:48 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 246 seconds]
03:04 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:11 -!- dazo_afk is now known as dazo
03:13 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 246 seconds]
03:29 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
03:55 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:01 -!- Latrina [~Latrina@ppp-202-37.26-151.libero.it] has quit [Ping timeout: 260 seconds]
04:04 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
04:05 -!- Latrina [~Latrina@151.56.164.100] has joined #openvpn
04:20 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
04:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:28 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:29 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
04:42 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
04:45 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has joined #openvpn
04:45 < lkthomas> hey guys
04:49 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has joined #openvpn
04:49 < cheesenbiscuits> Hi Everybody
04:50 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
04:50 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has quit [Read error: Connection reset by peer]
04:52 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has joined #openvpn
04:52 < cheesenbiscuits> not sure what happened there...
04:57 < lkthomas> it used to have a guide to show how to build my own Windows OpenVPN client
04:57 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has quit [Read error: Connection reset by peer]
04:58 < derRichard> https://lkml.org/lkml/2014/8/25/116 <- in kernel tls/ssl. maybe openvpn can benefit from that.
04:58 <@vpnHelper> Title: LKML: Herbert Xu: Re: [PATCH 0/2] Add TLS record layer encryption module (at lkml.org)
04:58 < zamba> hi there.. i have set up ifconfig-pool-persist, but i have some duplicates in that file.. how do i clean that up?
04:59 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has joined #openvpn
04:59 < cheesenbiscuits> ...
05:02 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
05:10 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has quit [Read error: Connection reset by peer]
05:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
05:16 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has joined #openvpn
05:19 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
05:36 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
05:45 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
05:54 -!- Reventlov [~reventlov@unaffiliated/reventlov] has quit [Excess Flood]
05:54 -!- Reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
06:01 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
06:10 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
06:14 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has quit [Ping timeout: 272 seconds]
06:15 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:27 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
06:35 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
06:52 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
07:01 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 246 seconds]
07:17 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
07:21 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
07:26 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
07:27 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
07:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:45 -!- xrosnight [~quassel@unaffiliated/xrosnight] has joined #openvpn
07:46 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
07:49 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
07:55 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
08:05 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 245 seconds]
08:21 < zoidberg-> hey guys, does anyone know why my server log gets filled up with funny characters specifically strings of: WRwrWRwrWR.. example: http://codepad.org/xtdFmL2g <-- what does this mean - it's filling up my logs quite quickly?
08:21 <@vpnHelper> Title: Plain Text code - 12 lines - codepad (at codepad.org)
08:23 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has quit [Quit: leaving]
08:25 -!- Hypernova [~ircap@unaffiliated/degreesawesome] has joined #openvpn
08:27 < Hypernova> I am having problems to connect with openvpn
08:28 < Hypernova> can please some one help
08:28 < Hypernova> http://pastebin.com/Si0TvwZn << configuration
08:29 < Hypernova> http://pastebin.com/w14itHB5 << logs
08:29 < Hypernova> I am on windows 7 64 bit
08:32 < Hypernova> it says connecting to client has failed
08:37 < Hypernova> anyone?
08:39 < derRichard> did you read the log?
08:40 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has joined #openvpn
08:40 < funky1> hi where can i download a openvpn client for windows 7?
08:40 < lkthomas> guys, my vpn client and server could connect without problem, but my client can't reach internal LAN, any idea why ?
08:42 < Hypernova> [derRichard] but see line 107 i wrote the right path already
08:43 < Hypernova> sorry paste expired
08:43 < Hypernova> http://pastebin.com/yz47ndK5 << here you go
08:44 < Hypernova> tls-auth "C:\Program Files\OpenVPN\config\ta.key" 1
08:44 < derRichard> don't you need double backslashes?
08:44 < Hypernova> i tried with double ones too
08:46 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has quit [Ping timeout: 250 seconds]
08:47 <@ecrist> !download
08:47 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
08:47 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
08:48 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has joined #openvpn
08:48 <@ecrist> funky1
08:48 < funky1> yes
08:48 <@ecrist> !download
08:48 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
08:48 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
08:49 < funky1> ah ok thanks ecrist
08:49 < derRichard> Hypernova: you can also try a relative path
08:50 < derRichard> maybe openvpn hates the blank
08:50 < Hypernova> what's a relative path?
08:51 < derRichard> see http://en.wikipedia.org/wiki/Path_%28computing%29
08:51 <@vpnHelper> Title: Path (computing) - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:52 -!- Valcorb [Valcorb@unaffiliated/valcorb] has joined #openvpn
08:52 < funky1> ecrist: if i want only a client what i can un-select during install besides openvpn service?
08:53 < Hypernova> thanks a lot for not helping
08:53 -!- Hypernova [~ircap@unaffiliated/degreesawesome] has left #openvpn []
08:53 <@ecrist> funky1: nothing, really
08:54 < funky1> ok so i need to leave openvpn service on as well?
08:54 <@ecrist> nothing you need to do, really
08:55 < funky1> ok
08:55 < funky1> thx
08:55 < lkthomas> guys, I have a question about OpenVPN access server
08:55 <@ecrist> !as
08:55 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
08:55 < lkthomas> ok
08:56 -!- dob1 [~dob@dynamic-adsl-78-13-164-1.clienti.tiscali.it] has joined #openvpn
08:57 < dob1> hi, I used the wrong command to create a client key, i used build-ca instead of build-key,  now how can i fix this?
08:57 < dob1> I just have to update the ca.crt file on the clients?
08:57 < dob1> or i have to generate all the keys?
08:59 < lkthomas> also, my windows VPN client can't reach internal network
08:59 < lkthomas> ERROR: Windows route add command failed [adaptive]: returned error code 1
08:59 < lkthomas> ...
08:59 <@ecrist> you need to run openvpn as an administrator
09:00 < lkthomas> haha :(
09:03 <@ecrist> no, seriously
09:04 < dob1> it has generate a new ca.crt now, i am unable to connect :(
09:06 -!- phreakocious_ is now known as phreakocious
09:06 < lkthomas> ecrist: I know I shouldn't ask here, does access server need all these ?
09:06 -!- zeroNones [~textual@187.204.144.131] has joined #openvpn
09:07 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
09:10 < dob1> or maybe can i reset all the keys and create new ones?
09:10 < dob1> can i use clean-all for this?
09:11 <@ecrist> yes, clean-all removed everything
09:11 < dob1> ecrist, so i can start as the vpn was just installed?
09:23 <@ecrist> yes
09:28 < dob1> ecrist, do you think is better to do in this way to resolve what i did wrong or can i resolve it in another way?
09:28 <@krzee> start over.
09:28 -!- Esya [~zncuser@mini-02.y0y.fr] has joined #openvpn
09:29 -!- abbe_ [having@badti.me] has joined #openvpn
09:30 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:30 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (sendak.freenode.net (Nickname regained by services))]
09:30 -!- XJR-9_ is now known as XJR-9
09:30 -!- soapee01_ [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
09:31 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:31 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
09:32 -!- micko1 [~micko@203-219-65-120.static.tpgi.com.au] has joined #openvpn
09:32 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
09:32 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Ping timeout: 260 seconds]
09:32 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 260 seconds]
09:32 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 260 seconds]
09:32 -!- akurilin [~alex@208.185.21.146] has quit [Ping timeout: 260 seconds]
09:32 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 260 seconds]
09:32 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 260 seconds]
09:32 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
09:32 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 260 seconds]
09:32 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
09:32 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
09:32 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 260 seconds]
09:32 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
09:32 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 260 seconds]
09:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
09:32 -!- KiNgMaR [~ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
09:32 -!- grrrrr [gr@rikos.org] has quit [Ping timeout: 260 seconds]
09:32 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 260 seconds]
09:32 -!- Jeroen [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
09:32 -!- micko1 is now known as micko
09:32 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
09:32 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
09:33 -!- Brando753-o_O_o is now known as Brando753
09:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
09:33 -!- mode/#openvpn [+o syzzer] by ChanServ
09:33 < dob1> krzee, ok
09:33 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
09:33 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
09:33 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
09:34 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
09:34 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
09:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:35 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:35 -!- mode/#openvpn [+o dazo] by ChanServ
09:43 -!- abbe_ is now known as abbe
09:45 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:47 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
09:49 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has joined #openvpn
09:50 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
09:50 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 260 seconds]
09:50 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
09:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
09:50 -!- Jeroen [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 260 seconds]
09:50 -!- lachesis_ is now known as lachesis
09:50 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
09:51 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
09:51 -!- mode/#openvpn [+o syzzer] by ChanServ
10:01 -!- shiin [~shiin@funtoo/core/shiin] has joined #openvpn
10:13 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has joined #openvpn
10:23 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
10:35 -!- dob1 [~dob@dynamic-adsl-78-13-164-1.clienti.tiscali.it] has quit [Quit: Leaving]
10:48 -!- orbi [~orbi@pdpc/supporter/student/orbi] has joined #openvpn
10:53 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has quit [Remote host closed the connection]
10:55 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
11:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:06 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
11:10 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
11:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:19 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
11:19 -!- mode/#openvpn [+v RBecker] by ChanServ
11:20 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
11:33 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
11:33 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 260 seconds]
11:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:01 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
12:15 -!- wallbroken [~wbk@unaffiliated/wallbroken] has joined #openvpn
12:15 < wallbroken> hi
12:15 < wallbroken> is there a way to configure openvpn like a p2p network?
12:15 < wallbroken> not client-server
12:18 <@ecrist> yes
12:18 <@ecrist> !howto
12:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
12:19 < wallbroken> how much nodes?
12:21 < wallbroken> but no, there must be a single server to start the connection
12:21 < wallbroken> then you need to switch to p2p
12:22 <@Eugene> !tunnelblick
12:22 <@vpnHelper> "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
12:22 <@Eugene> !osx
12:22 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
12:25 < zoidberg-> hrm why do i get repeated: MULTI: Learn: 192.168.1.x lines in my log?
12:27 <@krzee> its a notification that an internal route was adding to openvpn's internal routing table that lives in the server process
12:28 <@krzee> thats how openvpn knows what client to send packets to, since packets are simply routed to tun0 but tun0 could have many different destinations
12:32 < wallbroken> krzee, do ou know tinc?
12:32 < wallbroken> i want to know if openvpn could work like that
12:32 < wallbroken> completely p2p mode
12:32 < wallbroken> without a central server
12:33 <@ecrist> wallbroken: p2p, openvpn does this
12:33 <@ecrist> but only between two systems
12:33 <@ecrist> not a mesh
12:39 <@krzee> !mesh
12:39 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
12:41 < wallbroken> tinc is very easy to configure
12:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
12:50 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
12:51 <@krzee> looks cool, never played with it but have heard of it
12:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:56 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 246 seconds]
12:57 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
13:01 -!- shiin [~shiin@funtoo/core/shiin] has left #openvpn ["Wanna pair with me? Twitter/Skype/Gmail: FunTimeCoding"]
13:08 -!- dazo is now known as dazo_afk
13:16 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
13:23 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
13:23 -!- mode/#openvpn [+v RBecker] by ChanServ
13:32 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 260 seconds]
13:37 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
13:43 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 245 seconds]
13:50 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
14:14 -!- justinzane [~justinzan@24.49.207.69] has joined #openvpn
14:20 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 272 seconds]
14:38 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
14:45 -!- Valcorb [Valcorb@unaffiliated/valcorb] has quit [Ping timeout: 246 seconds]
14:46 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
14:48 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
14:53 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
14:54 -!- zeroNones [~textual@187.204.144.131] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
15:10 <+RBecker> !paste
15:10 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:11 <+RBecker> !configs
15:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:15 <+RBecker> hi guys, having a bit of an issue with openvpn, seems to be only certain locations have an issue. i've got a couple people using my server that can access it from one location but not the other. any ideas? logs and config here: https://gist.github.com/anonymous/caf717f4811374c16ef1
15:15 <@vpnHelper> Title: Config (at gist.github.com)
15:44 -!- mattock is now known as mattock_afk
15:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:03 -!- devbug [~quassel@S0106b8c75dc6cdf5.vc.shawcable.net] has joined #openvpn
16:04 -!- krav [~krav@unaffiliated/kravlin] has joined #openvpn
16:05 < krav> i've been looking around the openvpn site and haven't been able to find information on an API besides someone mentioning there was a rest based one. can someone point me in the right direction?
16:10 < devbug> https://gist.github.com/mtwilliams/6d82d49c5e98d9a724f3
16:10 <@vpnHelper> Title: gist:6d82d49c5e98d9a724f3 (at gist.github.com)
16:10  * devbug knows nothing about openvpn
16:11 < krav> :/
16:12 < krav> thanks anyways
16:14 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 245 seconds]
16:18 -!- orbi [~orbi@pdpc/supporter/student/orbi] has left #openvpn []
16:22 < devbug> maybe I need to lvl2 this
16:27 -!- mirco [~mirco@5.146.125.177] has quit [Quit: mirco]
16:35 -!- devbug [~quassel@S0106b8c75dc6cdf5.vc.shawcable.net] has quit [Ping timeout: 245 seconds]
16:38 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
17:01 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
17:01 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Disconnected by services]
17:01 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
17:01 -!- jeev_ [~j@unaffiliated/jeev] has joined #openvpn
17:02 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Ping timeout: 255 seconds]
17:02 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
17:04 -!- jeev_ is now known as jeev
17:08 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
17:10 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 260 seconds]
17:12 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
17:12 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
17:12 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
17:13 -!- wallbroken [~wbk@unaffiliated/wallbroken] has quit [Ping timeout: 246 seconds]
17:15 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 246 seconds]
17:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 246 seconds]
17:18 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:18 -!- mode/#openvpn [+v RBecker] by ChanServ
17:22 -!- jangerho [~jangerho@2601:6:5280:c9:e120:a23c:35da:7d97] has quit [Ping timeout: 240 seconds]
17:23 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
17:25 <@krzee> krav, what exactly are you looking for when you say API?
17:26 < krav> krzee: so i'm trying to get a listing of the connected devices to the vpn.
17:26 < krav> I was reading that there was an api, but i wasn't really able to find anything.
17:26 < krav> only thing i found was a couple of vague stack overflow documents.
17:27 < krav> eventually found https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#controlling-the-access-server-api-remotely-via-web-services-api
17:27 <@vpnHelper> Title: OpenVPN Access Server Command-line Tools (at docs.openvpn.net)
17:27 < krav> so I'm not sure it's possible.
17:27 < krav> which is cool, just was trying to figure out what my options were.
17:27 < krav> and if it was even possible.
17:27 <@krzee> oh the management interface
17:27 < krav> yeah
17:27 <@krzee> first of all, the link you found is for AS
17:28 <@krzee> !as
17:28 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
17:28 < adaptr> the huge management interface?
17:28 < krav> got it.
17:28 <@krzee> so if you want AS and its web admin stuff, thats something else
17:28 <@krzee> but there is a management interface that works over telnet
17:28 <@krzee> (you can write your own frontends)
17:28 <@krzee> !management
17:28 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
17:29 < krav> awesome, this gives me a ton of space to at least explore my options.
17:29 < krav> as well as some information on who to talk to, as i believe the system i'm working with is AS.
17:32 < krav> thank you krzee
17:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-umwinaspqrluxnuh] has quit [Ping timeout: 255 seconds]
17:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-oofyqzuyxeabctbc] has joined #openvpn
17:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-oofyqzuyxeabctbc] has quit [Ping timeout: 250 seconds]
17:45 <@krzee> no problem
17:46 <@krzee> !factoids search as
17:46 <@vpnHelper> 'winpass', '2.1-winpass-script', 'easy-rsa-unix', 'broadcast-relay', 'authpass', 'nopaste', 'password-only', 'bcast', 'basic', 'strip-passphrase', 'change-passphrase', 'enable-passwd-save', 'release-notes', 'no_as', 'easy-rsa', 'ask', 'password', 'asbestos', 'pastebin', 'easyrsa-ng', 'easyrsa', 'dnsmasq', 'paste', and 'AS'
17:46 <@krzee> !no_as
17:46 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
17:46 <@krzee> thats the one i wanted =]
17:47 < krav> lol
17:52 -!- mirco [~mirco@5.146.125.177] has quit [Quit: mirco]
17:52 -!- akurilin [~alex@208.185.21.146] has quit [Read error: Connection reset by peer]
17:52 -!- kirin` [telex@gateway/shell/anapnea.net/x-pzhrpmvyfnfidiwt] has joined #openvpn
17:57 <@Eugene> Today I billed a half-hour to $CLIENT for the line  "redirect-gateway def1"
17:59 -!- kirin` [telex@gateway/shell/anapnea.net/x-pzhrpmvyfnfidiwt] has quit [Ping timeout: 240 seconds]
18:00 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:00 -!- kirin` [telex@gateway/shell/anapnea.net/x-vtkkqzoqfxdwgdtb] has joined #openvpn
18:08 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 250 seconds]
18:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-vtkkqzoqfxdwgdtb] has quit [Read error: Connection reset by peer]
18:09 -!- kirin` [telex@gateway/shell/anapnea.net/x-cnacfoxznhtpjiqb] has joined #openvpn
18:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-cnacfoxznhtpjiqb] has quit [Ping timeout: 260 seconds]
18:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-gwcscsnmldknletv] has joined #openvpn
18:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-gwcscsnmldknletv] has quit [Ping timeout: 255 seconds]
18:24 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 250 seconds]
18:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-pocwwgwkrjxeyvjx] has joined #openvpn
18:32 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
18:32 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 240 seconds]
18:33 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
18:35 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
18:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-pocwwgwkrjxeyvjx] has quit [Read error: Connection reset by peer]
18:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-hkudyuydyzyoqxsx] has joined #openvpn
18:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-hkudyuydyzyoqxsx] has quit [Read error: Connection reset by peer]
18:45 -!- kirin` [telex@gateway/shell/anapnea.net/x-ufqjxobnbipndxcr] has joined #openvpn
18:49 -!- fred`` [fred@earthli.ng] has joined #openvpn
18:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-ufqjxobnbipndxcr] has quit [Read error: Connection reset by peer]
18:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-plilvvepbrzxmhgr] has joined #openvpn
18:56 -!- kirin` [telex@gateway/shell/anapnea.net/x-plilvvepbrzxmhgr] has quit [Read error: Connection reset by peer]
18:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-kpcghfnmjklaqiam] has joined #openvpn
19:00 -!- jangerhofer [~jangerho@2601:6:5280:c9:a4cc:da0:ad24:828c] has joined #openvpn
19:14 -!- Wheelz [~Wheelz@209-253-157-229.ip.mcleodusa.net] has joined #openvpn
19:16 < Wheelz> Hello! I have a question. When I run mtu-test on a client, the results shows: Local -> Remote [1585,1585] and same for Remote -> Local
19:16 < Wheelz> Does that mean my MTU is 1585 or 1500?
19:33 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
19:50 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has joined #openvpn
19:51 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
19:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:11 -!- crus [crusader@121.211.80.56] has joined #openvpn
20:17 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 260 seconds]
20:19 -!- Wheelz [~Wheelz@209-253-157-229.ip.mcleodusa.net] has quit [Ping timeout: 272 seconds]
20:30 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
20:41 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 245 seconds]
20:43 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
20:45 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has joined #openvpn
20:46 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 260 seconds]
21:03 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
21:27 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
21:39 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
22:14 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has joined #openvpn
22:14 < cheesenbiscuits> Hi Everybody
22:15 < cheesenbiscuits> I'm into my secound day and I can't get openvpn working with my dd-wrt router behind another router.\
22:15 < cheesenbiscuits> it connects fine but it wont pass data beyond the wan router
22:21 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
22:21 -!- cheesenbiscuits [~cheesenbi@zaq31fa4aac.zaq.ne.jp] has quit [Read error: Connection reset by peer]
22:53 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:04 -!- arescorpio [~arescorpi@201-26-245-190.fibertel.com.ar] has quit [Read error: Connection reset by peer]
23:10 <@ecrist> ping krav 
23:10 <@ecrist> krzee: 
23:10 <@ecrist> ping
23:26 <@krzee> pong
23:31 < krav> ecrist: what's up?
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
23:53 -!- ShadniX [dagger@p5481CA36.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:53 <@krzee> krav, i think he meant to ping me
23:53 <@krzee> but your question is still valid
23:53 <@krzee> haha
23:53 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has joined #openvpn
23:54 < krav> krzee: lol.
--- Day changed Tue Aug 26 2014
00:24 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
00:42 <@Eugene> !krzee
00:42 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
00:42 <@Eugene> That ^
00:44 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
00:53 <@krzee> =]
01:16 -!- JZA [~jza@187.253.150.239] has joined #openvpn
01:16 < JZA> hi I want to configure my openvpn on my server, I already generate my certificates and keys however I need help setting up the client.conf
01:17 < JZA> I am also a bit lost, where does this client.conf needs to reside? (I assume its on my laptop, but not sure)
01:18 < JZA> I am reading this tutorial right at 'Configure VPN' https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-debian-6
01:18 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on Debian 6 | DigitalOcean (at www.digitalocean.com)
01:18 -!- mattock_afk is now known as mattock
01:20 < JZA> anyone around?
01:21 < JZA> to start it doesnt really say much about how to configure client.conf
01:21 <@krzee> whats your question?
01:21 <@krzee> !walkthrough
01:21 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
01:24 < JZA> where should client.conf reside?
01:25 <@krzee> what os?
01:25 < JZA> on /etc/openvpn/ on /home/<user>/.openvpn/ or client machine's home.
01:25 < JZA> Debian
01:25 < JZA> Debian server.
01:25 <@krzee> if its in /etc/openvpn and ends in .conf the startup scripts will start it
01:25 <@krzee> openvpn itself doesnt care if you start it via commandline
01:26 < JZA> right, but I have a server.conf and a client.conf should both be on /etc/openvpn/?
01:26 <@krzee> is that machine supposed to run them both?
01:26 < JZA> for example, /etc/ssh/ has ssh_config (client) and sshd_config (server)
01:28 < JZA> this is a vps, I want to run a vpn service on it, I want to connect from my laptop/phone client software.
01:30 < JZA> ?
01:33 <@krzee> then why would you give it a client conf?
01:47 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
01:52 -!- farfromhere [ffh@helios.some-other-doma.in] has joined #openvpn
01:54 -!- farfromhere [ffh@helios.some-other-doma.in] has left #openvpn ["Leaving"]
02:15 < JZA> krzee: when configuring the client, what value should I put on gateway? Does this depends if my server setup used a bridged interface?
02:15 <@krzee> !whybridge
02:15 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
02:15 <@krzee> !tunortap
02:15 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
02:15 <@vpnHelper> rooted/jailbroken) support only tun
02:17 <@krzee> you probably shouldnt be bridging
02:18 <@krzee> you need to read the howto
02:18 <@krzee> !howto
02:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
02:29 < JZA> wow they make it look so easy here https://www.youtube.com/watch?v=uWSIJCXrfY8
02:29 <@vpnHelper> Title: OpenVPN on Debian 7 "Wheezy" - YouTube (at www.youtube.com)
02:29 < JZA> it installs a web interface and the user only copy the some remote data into his client.
02:30 < JZA> yeah bridging and routing seems scary plus is not like I am raising nodes or anything.
02:30 < JZA> I only need to fill out the Gateway I should have.
02:31 < JZA> already load my crt, key and csr
02:32 < JZA> althought I remember doing bridging for virtual machines
02:32 < JZA> for a vLAN
02:33 < JZA> and got far enough to understand that the bridged interfaces uses the same ip as the host just on a different range of ports.
02:42 <@krzee> you dont need bridging.
02:42 <@krzee> that video is about access-server
02:43 <@krzee> !not_as
02:43 <@krzee> no_as
02:43 <@krzee> !no_as
02:43 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
02:43 <@krzee> !as
02:43 < JZA> krzee: yes I am on that step at the moment. Afaik my server setup is done.
02:43 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
02:44 < JZA> oh I see, so that video is abotu a commercial version of Openvpn, didn't know. I guess thats why is so simple.
02:44 < JZA> :)
02:45 < JZA> sorry for being such a n00b I just want to test my server, if its working.
02:56 < JZA> how do I know the ip address of my gateway? is it the 10.8.0.0 from server 10.8.0.0 255.255.255.0?
03:15 -!- dazo_afk is now known as dazo
03:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:27 -!- JZA [~jza@187.253.150.239] has quit [Ping timeout: 264 seconds]
03:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
03:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:11 -!- JZA [~jza@187.253.150.239] has joined #openvpn
04:24 -!- JZA [~jza@187.253.150.239] has quit [Quit: Konversation terminated!]
04:30 < andi> Hi
04:30 < andi> How can I let my openvpn server listen on ipv6?
04:39 -!- jangerhofer [~jangerho@2601:6:5280:c9:a4cc:da0:ad24:828c] has quit [Quit: Leaving...]
04:43 < shio> https://community.openvpn.net/openvpn/wiki/IPv6
04:43 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
05:17 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 240 seconds]
05:30 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
05:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:39 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 255 seconds]
05:40 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
05:57 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 250 seconds]
06:20 -!- Six6siX [~Devil@104.131.42.123] has joined #openvpn
06:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
06:27 -!- Six6siX [~Devil@104.131.42.123] has quit [Quit: Online all the time]
06:29 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
06:30 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
06:31 -!- larryone [~larryone@185.32.152.150] has quit [Client Quit]
06:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:47 -!- mirco [~mirco@5.146.125.177] has quit [Quit: mirco]
07:55 -!- dazo is now known as dazo_afk
07:57 -!- dazo_afk is now known as dazo
08:15 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
08:18 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
08:23 -!- lucidz [~kali@unaffiliated/lucdz/x-1796168] has joined #openvpn
08:25 < lucidz> openvpn with ppp0  ?!
08:25 < lucidz> i have the connection, but no internet
08:25 < lucidz> i need to create the route?
08:25 < lucidz> its on virtualbox
08:42 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
08:42 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 272 seconds]
08:44 -!- lucidz [~kali@unaffiliated/lucdz/x-1796168] has left #openvpn []
08:55 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
09:03 -!- soapee01_ is now known as soapee01
09:16 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:24 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
09:24 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
09:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
09:28 <@ecrist> openvpn doesn't use ppp0
09:32 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
09:48 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
09:59 -!- sroy_ [~sroy@secure.innobec.com] has joined #openvpn
10:01 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:15 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:20 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:21 -!- u0m3_ [~u0m3@92.80.109.44] has joined #openvpn
10:23 -!- u0m3__ [~u0m3@92.80.109.44] has joined #openvpn
10:24 -!- u0m3 [~u0m3@92.80.109.44] has quit [Ping timeout: 250 seconds]
10:26 -!- u0m3 [~u0m3@92.80.109.44] has joined #openvpn
10:27 -!- u0m3_ [~u0m3@92.80.109.44] has quit [Ping timeout: 255 seconds]
10:29 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
10:29 -!- u0m3__ [~u0m3@92.80.109.44] has quit [Ping timeout: 255 seconds]
10:38 -!- lucidz [~kali@unaffiliated/lucdz/x-1796168] has joined #openvpn
10:40 -!- lucidz [~kali@unaffiliated/lucdz/x-1796168] has quit [Quit: lucidz]
10:42 < mistermajestic> is there another channel that talks about VPNs in general? (didn't find anything on freenode)
10:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:49 -!- mattock is now known as mattock_afk
10:51 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
10:53 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
10:56 <@ecrist> not that I know of
10:56 <@ecrist> mistermajestic: what's your question?
10:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:59 -!- mattock_afk is now known as mattock
10:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:00 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
11:00 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has joined #openvpn
11:23 -!- moonkid [~anonymous@89.248.166.138] has joined #openvpn
11:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:30 < Six6siX> can I enable both ipv4 and ipv6 in a single openvpn daemon?
11:30 < Six6siX> if so how would I set the config?
11:30 < Six6siX> ipv4 is working perfectly at the moment.
11:33 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Read error: Connection reset by peer]
11:35 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
11:35 < Six6siX> mmm
11:36 < Six6siX> lost the connection there
11:37 < Six6siX> would a ipv4 and ipv6 config be able to co-exist ?
11:42 <@krzee> sure
11:42 <@krzee> !ipv6
11:42 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
11:42 <@krzee> Six6siX, well i guess it depends what you mean when you say ipv6
11:42 <@krzee> you can hand out ipv6 ips from a pool AND ipv4 ips from a pool from the same daemon
11:43 <@krzee> im not sure if it can listen on both at the same time or not… i guess maybe when you have it listen on * it does but im not sure really
11:43 < Six6siX> well client (me) is on ipv4... connect to the server (openvpn) and be routed to both ipv4 and ipv6 websites
11:43 <@krzee> ok
11:44 <@krzee> definitely.
11:44 <@krzee> use server and server-ipv6
11:44 < Six6siX> ok thanks
11:45 <@krzee> im not sure if it is still the case or not, but it used to be that you HAD to give a ipv4 pool to use ipv6
11:49 -!- moonkid [~anonymous@89.248.166.138] has quit [Quit: moonkid]
11:49 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has quit [Quit: Bye.]
11:49 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Ping timeout: 255 seconds]
11:51 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
11:52 < Exagone313> krzee: do you know how to add ipv6 route to #openvpn-as ?
11:52 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has joined #openvpn
11:53 <@krzee> !as
11:53 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
11:53 <@krzee> !no_as
11:53 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
11:55 <@krzee> !factoids search transport
11:55 <@vpnHelper> "ipv6_transport" is use --proto udp6
11:55 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has quit [Client Quit]
11:55 -!- moonkid [~anonymous@89.248.166.138] has joined #openvpn
12:03 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
12:10 -!- jangerhofer [~jangerho@2601:6:5280:c9:51ae:2121:3116:b15c] has joined #openvpn
12:13 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:18 < mistermajestic> @ecrist i was wondering if there was any thing else to consider regarding purchasing VPN services (other than the ones listed in the torrentfreak VPN article)
12:21 <@krzee> depends what you want to use it for… for example if you want to do voip over it then you need to test your jitter over their servers
12:22 <@krzee> if for downloading then youd wanna test your throughput
12:23 <@krzee> if for redirecting your internet connection youd wanna decide who you trust the most i guess, since they would become the point where all your traffic leaves to the internet from
12:23 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has joined #openvpn
12:23 < mistermajestic> krzee good to know. what about VPN's upstream providers, is that an issue?
12:23 <@krzee> around here we run our own servers, and we generally trust the man in the mirror
12:24 <@krzee> of course it is, their upstream provider becomes your upstream provider
12:25 < mistermajestic> krzee or do people prefer to go with a VPS and install OpenVPN.
12:25 <@krzee> the vpn encrypts client to server. if the traffic is for the internet then its the same as without a vpn after the point of the vpn server
12:25 <@krzee> mistermajestic, some do.
12:25 -!- dazo is now known as dazo_afk
12:26 <@krzee> and many people also use services like you're talking about. but we dont generally get those people here
12:26 <@krzee> btw i believe openvpn technologies provides a service too
12:27 <@krzee> https://openvpn.net
12:27 <@vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net)
12:27 <@krzee> then click 'VPN service'
12:28 <@krzee> (i know nothing about it)
12:28 <@krzee> but you can bank on them using openvpn properly lol
12:37 < mistermajestic> krzee thanks. do you know anything about GoldenFrog VPN aka Giganews VPN service ?
12:39 <@krzee> nope
12:40 <@krzee> only one i know of is incloak and the one that openvpn.net links to
12:40 <@krzee> incloak's admin came here for help and ended up giving me an account which i use every now and then… pretty nice they have a lot of countries and whatnot
12:41 <@krzee> but in general i just use my own servers
12:41 <@krzee> im connected to 8 vpn servers right now and none are from a service
12:45 < mistermajestic> krzee ahh so you chose to go on your own, through a VPS ?
12:45 <@krzee> no i have my own servers
12:45 < mistermajestic> krzee or is co-location still popular ?
12:45 <@krzee> i colo, not sure what is popular
12:45 < loeken> co-location is in most cases just too expensive :D
12:45 < loeken> but you cannot really trust the privacy of a vps
12:46 < mistermajestic> loeken agreed.
12:46 < krav> unfortunatley, i'm starting to agree with you :(
12:47 <@ecrist> plenty of places still offer colo
12:47 <@ecrist> I use VPSes for personal stuff
12:47 <@ecrist> I keep all my terrorist activity on google drive though
12:48 <@krzee> haha
12:49 <@krzee> i do have 1 vps, but its on a friends colo that he has a couple vps on
12:49 < mistermajestic> ecrist you mean freedom fighting :D
12:52 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
12:55 -!- jangerhofer [~jangerho@2601:6:5280:c9:51ae:2121:3116:b15c] has quit [Ping timeout: 240 seconds]
12:56 -!- zeroNones [~textual@187.204.144.131] has joined #openvpn
12:58 -!- jangerho [~jangerho@24.218.76.202] has quit [Ping timeout: 240 seconds]
13:03 -!- moonkid [~anonymous@89.248.166.138] has quit [Quit: moonkid]
13:10 -!- jangerhofer [~jangerho@75.67.99.91] has joined #openvpn
13:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:46 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
13:48 -!- stillaftermath [~stillafte@cpe-075-191-185-177.nc.res.rr.com] has joined #openvpn
13:50 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
13:51 < stillaftermath> Anyone have any ideas why my client still uses DHCP despite having an "ifconfig 10.20.30.20 255.255.255.0" line in the client.conf? If I drop the mask on it it throws an error on the line, so I know it's reading the file, but it seems to not care and still pulls a DHCP address
14:01 -!- jangerho [~jangerho@75.67.99.91] has joined #openvpn
14:04 -!- jangerhofer [~jangerho@75.67.99.91] has quit [Ping timeout: 245 seconds]
14:26 -!- stillaftermath [~stillafte@cpe-075-191-185-177.nc.res.rr.com] has quit [Quit: Leaving]
14:29 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
14:32 -!- jangerho [~jangerho@75.67.99.91] has quit [Ping timeout: 250 seconds]
14:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:42 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
14:49 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds]
14:50 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
14:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:53 -!- Synced [Valcorb@81.4.106.67] has joined #openvpn
15:18 -!- Synced [Valcorb@81.4.106.67] has quit [Quit: ZNC - http://znc.in]
15:18 -!- Synced [Valcorb@81.4.106.67] has joined #openvpn
15:18 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
15:21 -!- Synced [Valcorb@81.4.106.67] has quit [Changing host]
15:21 -!- Synced [Valcorb@unaffiliated/synced] has joined #openvpn
15:22 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
15:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:27 -!- mattock is now known as mattock_afk
15:31 -!- MyMind [~Sembei@unaffiliated/sembei] has joined #openvpn
15:33 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Ping timeout: 250 seconds]
16:14 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
16:16 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
16:38 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
16:38 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
16:48 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:59 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
17:22 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 255 seconds]
17:23 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit [Ping timeout: 255 seconds]
17:23 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
17:23 -!- defswork [~andy@141.0.50.98] has quit [Ping timeout: 255 seconds]
17:26 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
17:26 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
17:26 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
17:27 -!- soapee01_ [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
17:29 -!- Matir_ [~matir@ubuntu/member/matir] has joined #openvpn
17:30 < Six6siX> frustration
17:30  * Six6siX scratches head
17:33 -!- u0m3_ [~u0m3@92.80.109.44] has joined #openvpn
17:36 -!- Tyklol [tykling@gibfest.dk] has joined #openvpn
17:36 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
17:37 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
17:37 -!- Netsplit *.net <-> *.split quits: jeev, prettyrobots, Matir, yoavz, TheEternalAbyss, soapee01, bakhtiya, hydrajump
17:39 -!- Netsplit over, joins: hydrajump
17:39 -!- Netsplit over, joins: bakhtiya
17:41 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
17:42 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 240 seconds]
17:42 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 240 seconds]
17:42 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 240 seconds]
17:43 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Ping timeout: 240 seconds]
17:43 -!- Netsplit *.net <-> *.split quits: u0m3, Six6siX, Tykling, derRichard, nlb, K1rk, DrCode, Brando753
17:43 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 240 seconds]
17:43 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
17:43 -!- nlb_ [~nlb@unaffiliated/nlb] has joined #openvpn
17:43 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
17:43 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Read error: Connection reset by peer]
17:43 -!- nlb_ is now known as nlb
17:44 -!- Matir_ is now known as Matir
17:44 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
17:45 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
17:45 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
17:45 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
17:46 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
17:47 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
17:47 -!- krav [~krav@unaffiliated/kravlin] has quit [Ping timeout: 347 seconds]
17:47 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Max SendQ exceeded]
17:48 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
17:49 -!- krav [krav@unaffiliated/kravlin] has joined #openvpn
17:53 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
18:09 -!- Irssi: #openvpn: Total of 164 nicks [9 ops, 0 halfops, 2 voices, 153 normal]
18:19 -!- erikcw [~erikcw@c-73-170-10-192.hsd1.ca.comcast.net] has quit [Quit: erikcw]
18:26 -!- Synced [Valcorb@unaffiliated/synced] has quit [Quit: ZNC - http://znc.in]
18:27 -!- Synced [Valcorb@unaffiliated/synced] has joined #openvpn
18:33 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
18:47 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
19:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:10 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
19:42 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
19:55 -!- zeroNones [~textual@187.204.144.131] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:59 -!- mistermajestic [~mistermaj@109.201.154.211] has quit [Ping timeout: 250 seconds]
20:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
20:59 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
20:59 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
21:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:14 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
21:24 -!- Ahrotahntee [~ahrotahnt@unaffiliated/ahrotahntee] has joined #openvpn
21:24 < Ahrotahntee> !welcome
21:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
21:24 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:24 < Ahrotahntee> !goal
21:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:27 < Ahrotahntee> Good evening; My intent is to create a highly available vpn - A VPN which has multiple server nodes (in my case 3) accepting connection from all of my servers (total of 5) and allowing them to communicate with each-other regardless of which server-node they're connected to. I am having some difficulty with the routing
21:29 < Ahrotahntee> as I can get Servers to talk to one another, but only when they're connected to the same server-node. I have tried both bridging tap adapters together similar to how the tutorials show bridging the vpn to an eth0 device, as well as creating (in my case probably poorly configured) routes for the tun adapters
21:30 < Ahrotahntee> I was wondering if anybody could help me
21:33 -!- arescorpio [~arescorpi@184-205-17-190.fibertel.com.ar] has joined #openvpn
21:57 -!- justinzane [~justinzan@24.49.207.69] has quit [Ping timeout: 272 seconds]
21:59 < Ahrotahntee> I think what I'm getting at here is I need tun0 to recognize that tun1 is a gateway to 10.0.0.0
22:04 -!- justinzane [~justinzan@64.234.62.67] has joined #openvpn
22:07 <@krzee> you dont need bridging
22:07 <@krzee> !route
22:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
22:08 <@krzee> is that basically what you want?
22:08 <@krzee> Ahrotahntee, ^^
22:08 < Ahrotahntee> krzee: just a moment, reading
22:12 < jeev> jesus
22:12 < jeev> the guy took down my port at the datacenter and got stuck in the elevator
22:26 < Ahrotahntee> krzee: I do believe this is what I am looking for (or at least can be adapted to the specific case)
22:26 < Ahrotahntee> however I've been staring at this for going on 6 hours now and am going to have to go to bed
22:26 < Ahrotahntee> thanks a bunch
22:27 <@krzee> np
22:27 <@krzee> theres also flowcharts for troubleshooting it
22:27 <@krzee> !serverlan
22:27 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
22:27 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
22:27 <@krzee> !clientlan
22:27 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
22:27 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
22:30 < Ahrotahntee> actually scratch that
22:30 < Ahrotahntee> bed is for suckers
22:30 < Ahrotahntee> I'm trying to get three openvpn servers to act as one big vpn
22:30 <@krzee> ahh making a darknet
22:30 < Ahrotahntee> with static IPs for the clients
22:30 <@krzee> good luck ;]
22:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-kpcghfnmjklaqiam] has quit [Ping timeout: 255 seconds]
22:31 <@krzee> you just gotta learn routing and whatnot
22:31 < Ahrotahntee> the goal is high availability
22:31 <@krzee> right i get it
22:31 < Ahrotahntee> I took a networking thing in college; we mostly made cables
22:31 <@krzee> what ya making?
22:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-sjtnxzrcnqmixbnb] has joined #openvpn
22:32 < Ahrotahntee> I have 5 virtual servers in geographically distinct locations; I have the MariaDB clustering, I have nginx load balancers, I've got redundant mailservers, the last single point of failure in the whole setup was the vpn
22:32 < Ahrotahntee> I had them all running through a single openvpn instance in new york
22:33 < Ahrotahntee> literally the last piece of the puzzle
22:33 <@krzee> it'll require a good strong knowledge of routing… openvpn isnt made to be a mesh
22:33 <@krzee> well i guess you could play with
22:33 <@krzee> !mesh
22:33 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
22:34 < Ahrotahntee> would you recommend an alternative?
22:34 <@krzee> gotta build a mesh of some sort
22:34 < Ahrotahntee> it's one thing to say that you can do it; but if it's not a hammer don't use it to drive a nail, you know what I mean?
22:34 <@krzee> requires mapping out the network on paper and how you want it all connected, and then building the connections and then building the routing on top of that
22:35 <@krzee> its not a beginner thing you're talking about, it's quite advanced
22:35 < Ahrotahntee> I might very well go to bed and get some books then
22:35 <@krzee> my crystal ball says you end up paying someone
22:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
22:36 < Ahrotahntee> your crystal ball doesn't know my budget constraints ;)
22:36 <@krzee> werd, gl
22:36 < Ahrotahntee> thanks
22:36 <@krzee> !rip
22:36 < Ahrotahntee> however in the interim, bed.
22:36 <@vpnHelper> "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
22:37 < Ahrotahntee> have a good night
22:37 <@krzee> you too
22:39 -!- jeraldv [~jerald@fsf/member/jeraldv] has joined #openvpn
22:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-sjtnxzrcnqmixbnb] has quit [Read error: Connection reset by peer]
22:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-boxeauelfbnzorhw] has joined #openvpn
22:59 -!- james41382_ is now known as james41382
23:02 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
23:03 -!- abbe [having@badti.me] has joined #openvpn
23:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:20 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
23:29 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:30 -!- jakhead [~hexx@108-254-136-68.lightspeed.tulsok.sbcglobal.net] has joined #openvpn
23:32 < jakhead> is EASY-RSA just a wrapper for openssl? would it be possible to generate client keys without using EASY-RSA every time?
23:34 < pekster> Sure:
23:34 < pekster> !certman
23:34 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
23:35 < jakhead> haha, thanks very much!
23:35 < pekster> OpenSSL is rather complex, so you'll generally want to use a suitable frontend unless you are an openssl and X.509 expert. But by all means use the tool that works best
23:36 < jakhead> yea I imagine the frontends exist for a reason, I'm trying to automate generating a specific type of key with only one or two parameters changing so I'm thinking it might be better than wrapping and wrapper
23:41 < jeev> easy-rsa is sex.
23:41 < jeev> man one of my clients has a leaf office that's so slow, it times out after 60 seconds, i can't get openssl to connect
23:41 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
23:49 -!- arescorpio [~arescorpi@184-205-17-190.fibertel.com.ar] has quit [Excess Flood]
23:50 -!- ShadniX [dagger@p5DDFEDD5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:51 -!- ShadniX [dagger@p5DDFE4F1.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Aug 27 2014
00:26 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
00:35 -!- mattock_afk is now known as mattock
00:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
00:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:53 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
00:54 < jrg> is there a client for winrt? doesn't seem so :/
00:54 < jrg> anybody know of a way to get openvpn to work with rt?
01:02 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
01:05 -!- jrg [jrg@unaffiliated/jrg] has quit [Ping timeout: 264 seconds]
01:15 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
01:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:26 < svm_invictvs> Hello
01:30 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
01:32 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
01:34 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:36 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Quit: Lost terminal]
01:37 -!- fred`` [fred@earthli.ng] has joined #openvpn
01:39 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
01:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:10 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:11 < svm_invictvs> So i have a configuration file that works perfectly fine on OSX
02:26 < svm_invictvs> But then when I use it on Windows, it doesn't seem to work
02:27 < svm_invictvs> It just shows that hte virtual adapter is in a disconnected state
02:27 < svm_invictvs> COrrect me if I'm wrong but Windows supports both TUn and Tap just like everything else
02:38 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
02:39 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
02:50 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
02:50 -!- dazo_afk is now known as dazo
02:51 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:58 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
02:59 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:00 -!- Pisuke [~Sembei@unaffiliated/sembei] has joined #openvpn
03:00 -!- u0m3__ [~u0m3@92.80.109.44] has joined #openvpn
03:00 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Disconnected by services]
03:01 -!- svm_invi1tvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:01 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
03:02 -!- asturel_ [~asturel@unaffiliated/asturel] has joined #openvpn
03:03 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
03:05 -!- Reventlo1 [~reventlov@unaffiliated/reventlov] has joined #openvpn
03:05 -!- roentgen_ [~none@openvpn/community/support/roentgen] has joined #openvpn
03:08 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
03:10 -!- Netsplit *.net <-> *.split quits: asturel, svm_invictvs, Six6siX, u0m3_, Reventlov, roentgen, MyMind, Verdi, lbft, jgeboski,  (+1 more, use /NETSPLIT to show all of them)
03:10 -!- jgeboski- is now known as jgeboski
03:10 -!- asturel_ is now known as asturel
03:12 -!- Netsplit over, joins: lbft
03:21 -!- Esya [~zncuser@mini-02.y0y.fr] has quit [Max SendQ exceeded]
03:29 -!- crus [crusader@121.211.80.56] has quit [Read error: Connection reset by peer]
03:30 -!- crus [crusader@121.211.80.56] has joined #openvpn
03:38 -!- svm_invi1tvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
03:45 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
03:46 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 250 seconds]
03:56 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Remote host closed the connection]
04:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 255 seconds]
04:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:17 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:19 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection reset by peer]
04:19 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
04:24 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 246 seconds]
04:25 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
04:28 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
04:29 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 246 seconds]
04:32 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 240 seconds]
04:33 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 272 seconds]
04:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:53 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
04:56 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:01 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 246 seconds]
05:06 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
05:08 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has joined #openvpn
05:15 -!- JSharpe [~JSharpe@90.216.167.137] has joined #openvpn
05:57 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
05:57 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
05:58 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
06:12 -!- Reventlo1 [~reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
06:12 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
06:27 -!- Tyklol is now known as Tykling
06:45 -!- Plastefuchs [~fweee@198.98.120.235] has joined #openvpn
06:46 < Plastefuchs> hi o/
06:49 -!- Sembei [~Sembei@unaffiliated/sembei] has joined #openvpn
06:50 < Plastefuchs> some (long) time ago i asked how one could setup an openvpn server and allow multiple clients to connect and somehow programmaticly only allow certain connections to communicate with each other. So 4 clients connect, only A and C get to talk to each other and B and D, etc. Someone here mentioned that one could use a firewall in the kernel space (iptables iirc?), but I more or less lost track at that
06:50 < Plastefuchs>  point and couldn't follow up on that suggestion. Has anyone ever seen or heard of such a setup? Atm i don't have really the time to dig deep into iptables to try my luck. <.<
06:51 -!- Pisuke [~Sembei@unaffiliated/sembei] has quit [Read error: Connection reset by peer]
06:58 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
07:03 -!- u0m3__ is now known as u0m3
07:18 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:25 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:36 < Plastefuchs> oh, even found the right passus in the man, though no working example yet :D
07:48 < zoidberg-> Hello,  I am wondering about configuring my network for OpenVPN.  What I want to do is have all my lan's internet traffic tunneled over a VPN and I also want to allow external users to VPN into my home lan (e.g. if i am working away from home i want to be able to vpn in and access my files, etc).  Question is, this means i a client and server on the same box and im worried about underlying routing issues with this.  What is the best way to go about this
07:49 < zoidberg-> Plastefuchs: set the clients satic ips, and then use iptables firewall to filter who can talk to who.  Openvpn afaik doesn't do that
07:51 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
07:51 < Plastefuchs> zoidberg-: yup, i figured as much, i just had not enough knowledge of the related topics that i just wasn't that sure about it
07:52 < zoidberg-> well its pretty simple
07:52 < zoidberg-> set staic ips per client
07:52 < zoidberg-> then 4 ips tabels rules i think
07:53 < zoidberg-> blocking comms from each host and allowing to eac host
07:53 < zoidberg-> make sure you use the openvpn client-to-client option iirc to allow clients to communicate
07:53 < zoidberg-> then block the ones that sholdn't
07:58 < Plastefuchs> zoidberg-: well, i have heard it two ways. using c2c and blocking communication that i do not want. Or not using it, using iptables to rewrite the packages :v
07:58 < Plastefuchs> i roughly remember the person in here saying not to use c2c, but i don't have that conversation at hand :(
08:00 < zoidberg-> not heard of those, im a newb to this :)
08:01 < Plastefuchs> ^^
08:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
08:32 < ifdm_> Hi, is there any benchmark with large openvpn deployments (~1000 sessions) ?
08:34 -!- reventlov [~reventlov@unaffiliated/reventlov] has left #openvpn []
08:37 < Plastefuchs> ^ that would be interesting for me too
08:37 < Plastefuchs> ifdm_: the only thing i have seen so far are third hand accounts of the like of 'even the devs said that 200 sessions are the limits', etc.
08:46 <@krzee> Plastefuchs, ^ and i have delivered such accounts
08:47 <@krzee> but i have also seen people get over 1000
08:48 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
08:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:52 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:59 < Plastefuchs> krzee: have there been made any efforts to produce benchmarks?
09:00 <@krzee> not in a long time, please do feel free
09:00 < Plastefuchs> https://community.openvpn.net/openvpn/wiki/PerformanceTesting does seem to be one of such, but limited to smaller client numbers
09:00 <@vpnHelper> Title: PerformanceTesting – OpenVPN Community (at community.openvpn.net)
09:10 -!- Ahrotahntee [~ahrotahnt@unaffiliated/ahrotahntee] has quit [Remote host closed the connection]
09:19 -!- rubtdub [~khalil@LPointe-a-Pitre-153-23-222.w81-248.abo.wanadoo.fr] has joined #openvpn
09:19 -!- rubtdub [~khalil@LPointe-a-Pitre-153-23-222.w81-248.abo.wanadoo.fr] has quit [Quit: Ex-Chat]
09:40 -!- `Ile` [~ile@93-86-175-164.dynamic.isp.telekom.rs] has joined #openvpn
09:58 -!- ses1984 [~stachursk@c-68-46-148-31.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
10:17 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 240 seconds]
10:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:20 -!- Netsplit *.net <-> *.split quits: funnel, redpill, Champi, thumbs, gardar, swebb, dvl, ade_b, andi, shio
10:22 -!- Netsplit over, joins: ade_b, shio, redpill, funnel, dvl, gardar, swebb, Champi, thumbs, andi
10:23 -!- Neal_ [neal@felix.ineal.me] has left #openvpn []
10:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:31 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
10:46 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 240 seconds]
10:49 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 240 seconds]
10:50 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
11:01 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
11:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:03 -!- mode/#openvpn [+o syzzer] by ChanServ
11:09 -!- jangerho [~jangerho@75.67.99.91] has joined #openvpn
11:09 -!- dazo is now known as dazo_afk
11:13 -!- `Ile` [~ile@93-86-175-164.dynamic.isp.telekom.rs] has quit [Quit: leaving]
11:13 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
11:16 -!- doebi [~doebi@doebi.at] has joined #openvpn
11:29 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:36 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:41 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
11:41 < AlexRussia> Hello, folks!
11:42 < AlexRussia> I have problem with connect, i am user Manjaro Linux(Arch-based distro) and something wrong with connect to openvpn my friend,which use debian everywhere.Somebody can help me get it workable?
11:42 < AlexRussia> I can send logs, configs....
11:43 < AlexRussia> log: https://gist.github.com/cc3e8f8e58da8a0709b7
11:43 <@vpnHelper> Title: openvpn.log (at gist.github.com)
11:43 < AlexRussia> client(my) config: https://gist.github.com/a1a3b7d8466f3aace3b1
11:43 <@vpnHelper> Title: client.conf (at gist.github.com)
11:43 < AlexRussia> anybody? @_@
11:44 -!- jangerho [~jangerho@75.67.99.91] has quit [Quit: Leaving...]
11:46 < AlexRussia> somebody? :(
11:47 < krav> AlexRussia: you might have to wait a bit for someone who knows to respond
11:47 < krav> idle a bit and see what happens.
11:47 < AlexRussia> krav: ....nothing? :)
11:47 < krav> I've had to wait days in channels to get a response sometimes.
11:48 < AlexRussia> krav: @_@ so complicated question?
11:49 < krav> AlexRussia: i'm not all that knowledgeable about openVPN, or i'd help you. It's something i intend to implement personally in a couple weeks, but my company uses so i had questions and i stayed because someone was friendly.
11:51 < AlexRussia> krav: that sad sad story,bro
11:51 < krav> why?
11:52 < AlexRussia> krav: its seems like.
11:52 < AlexRussia> krav: i mean to say, it seems like sad
11:53 < krav> I guess. :P
11:54 < AlexRussia> krav: :(
11:55 < krav> just hang around and someone who knows more than me will answer your question
11:55 < krav> or at least try.
11:56 < AlexRussia> krav: i am hang before get answer :(
11:56 < AlexRussia> krav: btw, server admin have success connect
11:59 < AlexRussia> krav: btw, you dont know how good compared versions between themselves?
12:00 < krav> i dont exactly get what you're saying.
12:00 < krav> sorry.
12:00 < AlexRussia> krav: okay, f.e., if server use 2.0.0 and i use sth like 2.3.4, so, its will work nice?
12:00 < krav> ah, cross compatability?
12:00 < AlexRussia> yes
12:00 < krav> between versions?
12:00 < AlexRussia> beteen versions
12:00 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Read error: Connection reset by peer]
12:01 < AlexRussia> between*
12:01 < AlexRussia> yes
12:02 < AlexRussia> krav: so?
12:02 < krav> I don't personally think so as long as they're close, but as i said, you'll have to wait for someone who knows more, i'm a complete noob.
12:03 < AlexRussia> krav: i see u like me :S
12:03 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
12:03 < krav> exactly
12:05 < AlexRussia> krav: :(
12:05 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:08 < AlexRussia> idk, probabily i need sometime reply my question...
12:10 < AlexRussia> I have problem with connect, i am user Manjaro Linux(Arch-based distro) and something wrong with connect to openvpn my friend,which use debian everywhere.Somebody can help me get it workable?
12:10 < AlexRussia> log: https://gist.github.com/cc3e8f8e58da8a0709b7
12:10 <@vpnHelper> Title: openvpn.log (at gist.github.com)
12:10 < AlexRussia> client(my) config: https://gist.github.com/a1a3b7d8466f3aace3b1
12:10 <@vpnHelper> Title: client.conf (at gist.github.com)
12:17 < AlexRussia> ...
12:17 < AlexRussia> krav: i 3< open source :D
12:25 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:32 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Remote host closed the connection]
13:02 < AlexRussia> hhahhahahhahahhahahahahah
13:02 < AlexRussia> krav: you want to know where was bug?
13:02 < krav> AlexRussia: sure
13:02 < AlexRussia> krav: i'm didn't append 'client' word in start of config file
13:02 < krav> :/
13:02 < krav> seriously?
13:03 < krav> well. at least you found it.
13:03 < krav> !
13:03 < krav> congrats!
13:03 < AlexRussia> krav: yep
13:03 < krav> i hate it when it's silly bugs like that.
13:03 < krav> or just silly syntax stuff.
13:03 < AlexRussia> krav: i...i am still dont know what it was, it was like server connected to other sever before
13:03 < AlexRussia> krav: lol
13:08 < AlexRussia> oh shit
13:08 < AlexRussia> now i have next problem
13:08 < AlexRussia> how to i could move packages by some ports into openvpn tunnel?
13:10 < AlexRussia> krav: ^
13:11 < krav> you keep asking me questions :P I have no idea. I am a complete noob.
13:11 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
13:13 < AlexRussia> krav: :(
13:13 < krav> sorry :(
13:18 -!- Aralucc10 [~Aralucc10@151.77.151.220] has joined #openvpn
13:27 -!- Aralucc10 [~Aralucc10@151.77.151.220] has quit [Read error: Connection reset by peer]
13:28 -!- Aralucc10 [~Aralucc10@151.77.151.220] has joined #openvpn
13:42 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
13:43 -!- EnergyMatter [u931732@c-98-253-233-157.hsd1.il.comcast.net] has joined #openvpn
13:44 -!- jangerho [~jangerho@24.218.76.202] has quit [Read error: Connection reset by peer]
13:44 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
14:02 -!- jangerho is now known as jangerho-ARS
14:03 -!- EnergyMatter [u931732@c-98-253-233-157.hsd1.il.comcast.net] has left #openvpn []
14:10 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
14:12 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
14:20 -!- Aralucc10 [~Aralucc10@151.77.151.220] has quit [Ping timeout: 260 seconds]
14:31 -!- justinzane [~justinzan@64.234.62.67] has quit [Ping timeout: 264 seconds]
14:37 -!- justinzane [~justinzan@24.49.184.81] has joined #openvpn
14:40 -!- FFes [~quassel@5ED1F2B3.cm-7-2d.dynamic.ziggo.nl] has joined #openvpn
14:47 -!- sroy_ [~sroy@secure.innobec.com] has quit [Quit: Leaving]
14:56 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
14:59 -!- mattock is now known as mattock_afk
15:03 -!- arescorpio [~arescorpi@93-238-16-190.fibertel.com.ar] has joined #openvpn
15:12 -!- justaguy [~justaguy@unaffiliated/justaguy] has joined #openvpn
15:21 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
15:29 -!- jangerho-ARS is now known as Wengers_Forehead
15:29 -!- Wengers_Forehead is now known as jangerho
15:30 -!- mnathani [~mnathani@butterfly.winvive.com] has quit [Quit: WeeChat 0.4.3]
15:33 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:33 -!- justaguy [~justaguy@unaffiliated/justaguy] has left #openvpn []
16:03 -!- FFes [~quassel@5ED1F2B3.cm-7-2d.dynamic.ziggo.nl] has quit [Remote host closed the connection]
16:06 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 246 seconds]
16:15 -!- jangerho [~jangerho@24.218.76.202] has quit [Read error: Connection reset by peer]
16:16 -!- jangerho-ARS [~jangerho@24.218.76.202] has joined #openvpn
16:24 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:26 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
16:37 -!- Aralucc10 [~Aralucc10@151.77.71.178] has joined #openvpn
16:44 < Aralucc10> hi, can anyone help? (complete noob sorry). I want to limit the use of the vpn just to one lan ip while all the other lan ips use the wan. I used a tutorial to crete a custom routing table and put the vpn ip inside. this is the script I used http://pastebin.com/bF0q4jtt . It basically worked but I also want to tell openvp that on that ip in the VPN routing table not ALL the traffic has to pass
16:44 < Aralucc10> through the vpn but a few wan ips still have to use the wan GW. I tried this https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway  to do that but it's ignored (it worked fine using the normal redirect-gatway method). Can it be done? (basically I need to mix source based touting with wan ip based routing)
16:44 <@vpnHelper> Title: IgnoreRedirectGateway – OpenVPN Community (at community.openvpn.net)
16:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:47 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:47 -!- woshty [~irc@84.200.211.57] has quit [Ping timeout: 250 seconds]
17:08 -!- jeraldv [~jerald@fsf/member/jeraldv] has quit [Quit: leaving]
17:12 -!- Aralucc10 [~Aralucc10@151.77.71.178] has quit [Read error: Connection reset by peer]
17:12 -!- Aralucc10 [~Aralucc10@151.77.71.178] has joined #openvpn
17:13 -!- jeraldv [~jerald@fsf/member/jeraldv] has joined #openvpn
17:21 -!- zeroNones [~textual@187.192.203.73] has joined #openvpn
18:05 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
18:06 -!- Aralucc10 [~Aralucc10@151.77.71.178] has quit [Read error: Connection reset by peer]
18:09 -!- justinzane [~justinzan@24.49.184.81] has quit [Read error: Connection reset by peer]
18:10 -!- cmanns [~cmanns@68-185-89-221.dhcp.snlo.ca.charter.com] has joined #openvpn
18:11 < cmanns> Is this channel to get OpenVPN server support?
18:11 -!- JSharpe [~JSharpe@90.216.167.137] has quit [Ping timeout: 240 seconds]
18:13 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
18:13 <@Eugene> We support the GPL OpenVPN(aka "Community Edition") here, not any of the commercial products
18:13 <@Eugene> !as
18:13 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
18:14 < cmanns> I am using the open source commuity edition
18:14 <@Eugene> Then ask away. No guarantees on an answer, but you're at least in the right place
18:14 < cmanns> I’d like to make one OS X OpenVPN client (TunnelBrick app probably will be used on both clients) to see DNLA server on other so I can proxy it I guess
18:15 <@Eugene> I think DLNA is one of those (annoying) protocols that requires L2 broadcasts? I don't actually know or use it.
18:15 < cmanns> I see
18:16 < cmanns> I will try to find an application
18:17 -!- jangerho-ARS is now known as jangerho
18:29 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:30 -!- Aralucc10 [~Aralucc10@151.77.71.178] has joined #openvpn
18:44 -!- jangerho [~jangerho@24.218.76.202] has quit [Read error: Connection reset by peer]
18:44 -!- jangerho-ARS [~jangerho@24.218.76.202] has joined #openvpn
18:46 -!- jangerho-ARS [~jangerho@24.218.76.202] has quit [Client Quit]
18:54 < cmanns> Anybody have link to good guide for openvpn on centos / el6
18:59 < Six6siX> sort of... whats your config.. vps? kvm ? pc?
18:59 < Six6siX> https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
18:59 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
19:10 < cmanns> It’s a VPS sorry for delay Six6siX
19:11 < cmanns> xen based so is like a dedi ^_^, I have one already setup but the guide was kinda flakey
19:11 < cmanns> fine if I use the openvpn tools to make the pub key files on one system of identical setup of openvpn?
19:12 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
19:15 -!- jangerho [~jangerho@24.218.76.202] has quit [Client Quit]
19:18 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
19:18 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Read error: Connection reset by peer]
19:23 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
19:29 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:35 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
19:36 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
19:39 <@Eugene> !howto
19:39 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:39 <@Eugene> That is the recommended howto(and the only one that should be linked here, Six6siX)
19:39 <@Eugene> As for the crt/key files; it doesn't matter what is generated where, only that the right machines have the right type of certs. There's a table in there outlining who needs what.
19:40 <@Eugene> If you have multiple instances of openvpn on a single server they can share a crt/key pair no problemo.
19:46 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:51 < cmanns> man TunnelBrick is annoying software on OS X
20:01 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
20:01 < cmanns> Almost got openvpn going
20:01 < cmanns> now stuck on authorization now that i got the key files loaded
20:03 < cmanns> was I supposed to specify passphrase? Seems to of connected now too :D
20:05 < loeken> !heartbleed
20:05 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
20:05 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
20:05 < cmanns> So yeah the vpn works but no internet
20:06 < cmanns> I had it working before
20:06 < loeken> !def
20:06 < cmanns> am on 1.2
20:13 -!- cmanns [~cmanns@68-185-89-221.dhcp.snlo.ca.charter.com] has quit [Ping timeout: 245 seconds]
20:16 -!- cmanns [~cmanns@68-185-89-221.dhcp.snlo.ca.charter.com] has joined #openvpn
20:16 < cmanns> Yeah the vpn works but no public internet
20:18 < cmanns> setup as needed here https://openvpn.net/index.php/open-source/documentation/howto.html
20:18 <@vpnHelper> Title: HOWTO (at openvpn.net)
20:25 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:30 -!- cmanns [~cmanns@68-185-89-221.dhcp.snlo.ca.charter.com] has quit [Quit: cmanns]
20:30 < loeken> !def1
20:30 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
20:30 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 240 seconds]
20:38 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
20:43 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 255 seconds]
20:56 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
21:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
21:11 -!- Aralucc10 [~Aralucc10@151.77.71.178] has quit [Remote host closed the connection]
21:15 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
21:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:31 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 240 seconds]
21:40 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:44 -!- arescorpio [~arescorpi@93-238-16-190.fibertel.com.ar] has quit [Excess Flood]
21:59 -!- jangerho [~jangerho@24.218.76.202] has quit [Quit: Linkinus - http://linkinus.com]
22:01 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
22:02 -!- zeroNones [~textual@187.192.203.73] has quit [Ping timeout: 250 seconds]
22:03 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
22:13 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
22:28 -!- zeroNones [~textual@187.204.138.140] has joined #openvpn
22:29 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Read error: No route to host]
22:29 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
22:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:55 < svm_invictvs> Hello
22:55 < svm_invictvs> So, I have a windows client runing openvpn
23:01 < svm_invictvs> No errors repored in the log.
23:01 < svm_invictvs> But the tun/tap adapter is still showing as disconnected.
23:12 < svm_invictvs> Let me get a log...
23:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:50 -!- ShadniX [dagger@p5DDFE4F1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:52 -!- ShadniX [dagger@p5DDFE4A0.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Aug 28 2014
00:05 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 250 seconds]
00:06 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Remote host closed the connection]
00:07 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:07 -!- mode/#openvpn [+o mattock] by ChanServ
00:09 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
00:09 -!- mode/#openvpn [+o raidz] by ChanServ
00:10 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:25 < svm_invictvs> Finally got a log from the windows machine.
00:25 < svm_invictvs> http://mysticpaste.com/private/eVx5yeeD6v?2
00:43 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Read error: Connection reset by peer]
00:43 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
00:48 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
00:48 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 260 seconds]
00:52 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
00:56 -!- zeroNones [~textual@187.204.138.140] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
00:58 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:14 -!- u0m3_ [~u0m3@92.80.109.44] has joined #openvpn
01:17 -!- u0m3 [~u0m3@92.80.109.44] has quit [Ping timeout: 246 seconds]
01:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
02:00 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 250 seconds]
02:03 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:15 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
02:15 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
02:17 -!- Con [vict@prison.uk.to] has joined #openvpn
02:17 < Con> hello
02:18 < Con> !heartbleed
02:18 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
02:18 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
02:22 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
02:26 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:27 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:28 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:31 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 260 seconds]
02:33 -!- Cybert1nus is now known as Cybertinus
02:39 -!- dazo_afk is now known as dazo
02:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Ping timeout: 221 seconds]
02:52 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
02:58 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 260 seconds]
03:19 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 240 seconds]
03:37 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
03:51 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
04:05 -!- hyponic [~DJ@cm-84.210.218.117.getinternet.no] has joined #openvpn
04:06 < hyponic> hi.. i am trying to use openvpn on my vps. i can connect but i can't: nable to redirect default gateway -- Cannot read current default gateway from system
04:06 < hyponic> can't redirect the default gateway..
04:06 < hyponic> it's my first time using openvpn and i need help fixing this issue on my vps please
04:10 < hyponic> anyone?
04:16 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
04:21 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
04:25 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
04:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:33 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:04 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
05:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
05:47 -!- hyponic [~DJ@cm-84.210.218.117.getinternet.no] has quit [Ping timeout: 255 seconds]
05:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
07:38 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
07:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
07:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:56 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
08:14 -!- kami`` [~user@unaffiliated/kami-] has joined #openvpn
08:14 < kami``> Hello
08:14 -!- kami`` is now known as kami
08:15 < kami> I have a problem with a tunnel between an openwrt box running 2.3.4 and an ubuntu server running openvpn 2.0.
08:16 < kami> I guess I shouldn't continue but install a newer version of openvpn on the server, right?
08:27 -!- kareem-ali [~kareem@217.138.20.162] has joined #openvpn
08:32 <@syzzer> kami: yes, definitely update your ubuntu server openvpn version first. The problem might persist, but you'll probably get better logging at least - which will make it easier to spot the issue
08:33 < kami> syzzer: I'm installing on another server with ovpn 2.2. I hope 2.3 on the client and 2.2 on the server is OK.
08:42 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 250 seconds]
08:57 <@syzzer> 2.0 and 2.3 *should* work too, I think. 2.2 and 2.3 should work for sure
09:06 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:28 < kami> syzzer: I have configured 2.2 on the server and the firewall, increased verbosity and see this in the logs: after each UDPv4 read log line, there is a 'IP packet with unknown IP version=15 seen' line
09:30 -!- zeroNones [~textual@187.204.184.26] has joined #openvpn
09:36 < kami> s/and the firewall/and configured the firewall/
09:40 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
09:40 < kami> syzzer: for the records, this post solves the problems for me.
09:41 -!- prettyrobots is now known as Guest60036
09:41 < kami> I had comp-lzo no in the client configuration (openwrt) and no comp-lzo line at all in the server config.
09:41 <@dazo> 2.0 against anything newer than 2.1 may work, unless you start with pushing options or tweak some of the networking parameters ... then it gets really fragile
09:41 <@dazo> (and the 2.0 instance will complain about a lot of non-sense)
09:42 <@dazo> kami: ensure you use the same --comp-lzo parameters on both sides
09:42 < kami> dazo: the problem has nothing to do with the versions. It's jj
09:42 <@dazo> not doing that will give odd IP version issues
09:43 < kami> It's just the comp-lzo parameter which leads to problems
09:43 < kami> I'm sure 2.3 client with 2.0 server will also work.
09:43 <@dazo> kami: running an outdated and unmaintained openvpn release from 2006 probably will get you in trouble anyway
09:43 < kami> dazo: that's true
09:44 <@dazo> in this channel we generally only support 2.3 and to some degree 2.2
09:44 < kami> dazo: I promise to switch. :) I have configured the 2.2 server anyway.
09:44 < kami> dazo, syzzer: thank you for your help.
09:47 -!- kami [~user@unaffiliated/kami-] has left #openvpn ["ERC Version 5.3 (IRC client for Emacs)"]
10:21 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
10:21 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
10:23 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
10:24 -!- zeroNones [~textual@187.204.184.26] has quit [Read error: Connection reset by peer]
10:28 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
10:30 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
10:33 -!- Maksa [Maksa@b702.ip14.netikka.fi] has joined #openvpn
10:36 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
10:42 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
10:47 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
10:57 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 246 seconds]
11:01 -!- hnsz2002_ [~hnsz2002@hercules.unreachable.hu] has joined #openvpn
11:01 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
11:01 < hnsz2002_> hi all! there is anybody use the latest openvpn gui on windows?
11:01 < hnsz2002_> i have problem with tap interface
11:02 < hnsz2002_> everything semms to be OK, but the package is going to the default gw
11:02 < hnsz2002_> additionally, unable to disconnect
11:10 < shio> something like this: https://community.openvpn.net/openvpn/ticket/432 ?
11:10 <@vpnHelper> Title: #432 (OpenVPN.exe hangs upon reconnecting) – OpenVPN Community (at community.openvpn.net)
11:12 -!- dazo is now known as dazo_afk
11:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:21 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
11:24 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
11:24 < hnsz2002_> shio: yes, but also stop doesnt works
11:25 < hnsz2002_> and neither the connection
11:25 < hnsz2002_> now i installed the 2.3.2, and works fine
11:25 < shio> probably related
11:25 < shio> you can use 2.3.4 with the old ndis driver
11:25 < shio> they're both linked on the download page
11:26 < shio> it works fine (running it atm)
11:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:36 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: No route to host]
11:43 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
11:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:54 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
12:00 -!- jfroot [~jfroot@pdpc/supporter/active/jfroot] has quit [Read error: Connection reset by peer]
12:00 < DArqueBishop> At the risk of sounding like an idiot, I was wondering if anyone knew of any recent updates to Windows 7 that might cause incompatibility with OpenVPN 2.3.4 (I603). I just reloaded one of my laptops, and used the same config and certs as before. It connects fine, but when I try to connect to services over the VPN like IRC or RDP, NETIO.SYS throws a STOP error.
12:04 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:04 < DArqueBishop> I have another Windows 7 box connected to the VPN that's having no issues, but it's using the I003 drivers instead.
12:07 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:08 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:09 -!- larryone [~larryone@178.167.254.154.threembb.ie] has joined #openvpn
12:23 -!- larryone [~larryone@178.167.254.154.threembb.ie] has quit [Ping timeout: 260 seconds]
12:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:48 -!- mode/#openvpn [+v s7r] by ChanServ
12:59 < shio> DArqueBishop: maybe this https://community.openvpn.net/openvpn/ticket/432 ?
12:59 <@vpnHelper> Title: #432 (OpenVPN.exe hangs upon reconnecting) – OpenVPN Community (at community.openvpn.net)
13:00 < shio> use I003 instead of I603 :)
13:00 < shio> the new ndis driver doesn't seem stable enough, you can use the version built with old one linked on the download page
13:01 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has joined #openvpn
13:02 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:13 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
13:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
13:24 < DArqueBishop> shio: yeah, I switched back to I003, and now I have a new problem. :-/ It seems like there's some packet loss, as traffic is coming through garbled.
13:25 < DArqueBishop> I even used pnputil on the box to remove all TAP drivers for a clean reload, and it's still doing it. IRC doesn't connect properly to the bouncer, and RDP throws encryption errors.
13:27 < shio> you've downgraded all ur openvpn installations?
13:29 < DArqueBishop> It's just the one box.
13:30 < DArqueBishop> The PC I'm connected to IRC through now is also on the VPN and has no problems.
13:30 < DArqueBishop> It's using the I003 drivers.
13:30 < DArqueBishop> It's just my laptop that's having a problem.
13:32 < shio> ur laptop was the only one upgraded to 2.3.4 i003?
13:32 < DArqueBishop> Yes. What happened was that I had to wipe/reload the laptop yesterday. I loaded 2.3.4 I603, and it worked fine... until I had the laptop go through all its updates.
13:33 < DArqueBishop> After that, it would BSOD when connecting to services over the VPN.
13:33 < DArqueBishop> The desktop PC I'm on now is running 2.3.3 I003 with no problems.
13:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:34 < DArqueBishop> I've since completely removed 2.3.4 I603, and used pnputil to remove the TAP driver from the driver store. I've reloaded 2.3.4 I003, and I'm connecting to services without crashing, but the data being sent is corrupted.
13:34 < shio> have u tried restarting the server?
13:34 < DArqueBishop> That last line was in reference to the laptop.
13:35 < DArqueBishop> Nope, but I can give it a go. One minute.
13:37 < shio> i installed the win7 updates 2 days ago without any sort of issues
13:38 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
13:38 < shio> everyone (including the server) is running 2.3.4 I002/I003 though
13:38 < DArqueBishop> No go. Desktop PC works fine, laptop is still suffering data corruption.
13:42 < shio> haven't kept the error message in that bsod by any chance?
13:42 < DArqueBishop> I really don't want to have to wipe and reload this laptop. :-/
13:43 < DArqueBishop> It was a paging error in NETIO.SYS, if I remember correctly.
13:45 < shio> i don't think openvpn would lead to bsod on it own
13:45 < shio> if it's up to date, i'd say that netio.sys isn't really the cause either
13:46 < DArqueBishop> Believe me, the only common thread was OpenVPN.
13:46 < shio> what kind of laptop is it?
13:47 < shio> by reload you mean reinstalling from the manufacturer dvd of from scratch with a clean os?
13:48 < shio> could be some faulty driver that causing the issue
13:48 < DArqueBishop> It only ever happened when I connected to a service like RDP and IRC over the VPN.
13:48 < DArqueBishop> It's a Dell Latitude E5410. I installed from a clean OS using a provided OEM Windows 7 Professional disc.
13:49 < DArqueBishop> The weird thing was, the only thing I didn't do yesterday was apply all of the Windows updates. OpenVPN ran completely fine and I was connected to IRC with no issues.
13:50 < DArqueBishop> Then overnight I applied the updates. When I got back to it this morning, that's when OpenVPN started going nuts.
13:50 < shio> wifi/lan drivers were updated too?
13:51 < DArqueBishop> No. Those were installed before I installed OpenVPN.
13:52 < shio> well, i'm far from being "fluent" in openvpn, but by the look of it, i'd say it's drivers related
13:53 < shio> i'd start with updating your drivers to see if that helps
13:53 < DArqueBishop> They're the most recent versions from Dell's website.
13:55 < shio> what's the version of the openvpn server btw?
13:55 < DArqueBishop> 2.1.4. It's the version that came with this version of Slackware I'm using.
13:57 < shio> have u tried running the 2.3.3 on that laptop?
13:59 < DArqueBishop> Nope, but it's worth a try.
13:59 < shio> oh and, are u using a different antivirus?
14:00 < DArqueBishop> Not really. Same antivirus as when it worked before.
14:00 < shio> can u also try unloading it and check if the issue's still there
14:02 < shio> one thing i noticed after updating earlier this week is that windows had trouble ackowledging that my av was in fact running
14:08 < DArqueBishop> Downgrade to 2.3.3 didn't help.
14:08 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
14:08 < shio> so that kinda confirms it's not that
14:09 < shio> can u try unloading the av?
14:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
14:14 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
14:16 < DArqueBishop> That didn't help either.
14:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:19 < shio> does windows update have some drivers update still waiting (you've only updated with the recommended patch right?)
14:20 < DArqueBishop> This is via a WSUS server - no driver patches.
14:23 < shio> then i have no clue... the usual suspects for a netio bsod are the av and then some faulty drivers
14:23 < shio> maybe get an openvpn log on verbose 4
14:25 < shio> (edit it to remove the public IPs)
14:30 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
14:31 -!- mattock is now known as mattock_afk
14:32 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
14:32 -!- mode/#openvpn [+v RBecker] by ChanServ
14:47 -!- ylluminate [~ylluminat@198.144.156.140] has joined #openvpn
14:49 < ylluminate> curious, i have a scenario where i need to make a virtual machine that will be used to connect to several openvpn connections at the same time in order to provide randomized ip addresses for inbound connections; essentially a vpn multiplexer to facilitate use of randomized ip addresses for a client application
14:49 < ylluminate> so i have an inbound connection request, it passes into this vm and the vm runs the request with the randomized ip and then feeds the data back out to the client requesting the connection(s)
14:50 < ylluminate> has anyone seen such a scenario before?  i'm curious about what components i need to research or dig into in order to make this feasible
14:51 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:03 -!- dob1 [~dob@dynamic-adsl-78-13-165-156.clienti.tiscali.it] has joined #openvpn
15:04 < dob1> hi, i have an android client, the client can access to the various services on the vpn, it can ping the other pcs, but i cannot ping it from the vpn.  It is instead possible to ping it in the real lan, so there are nothing blocking icmp packets
15:05 < dob1> someone has a similar poblem?
15:16 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
15:30 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:40 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
15:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 250 seconds]
15:41 -!- Maksa [Maksa@b702.ip14.netikka.fi] has left #openvpn []
15:42 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
16:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:45 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
17:00 -!- dob1 [~dob@dynamic-adsl-78-13-165-156.clienti.tiscali.it] has left #openvpn ["Leaving"]
17:19 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:20 -!- ylluminate [~ylluminat@198.144.156.140] has quit [Quit: Bye!]
17:24 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
18:02 -!- maniacal [~maniacal@ec2-54-164-223-104.compute-1.amazonaws.com] has joined #openvpn
18:04 < maniacal> I have an issue where local lan traffic is getting routed over the vpn but I don't want it to.  I want it to go to my default gateway.  I can add     push "route <subnet> <mask> <gateway>"   but I'd like to not specify the gateway IP and instead just tell it to use the "default" gateway of the client
18:05 < maniacal> is that possible?  and still ahve internet traffic route over the vpn?
18:15 -!- maniacal [~maniacal@ec2-54-164-223-104.compute-1.amazonaws.com] has quit [Ping timeout: 260 seconds]
18:25 <@krzee> too bad he didnt stick around for an answer, it was an easy one
18:25 <@krzee> !route_bypass
18:26 <@krzee> !factoids search net_
18:26 <@vpnHelper> 'netman', 'net30', 'net101', and 'netfilter'
18:26 <@krzee> !factoids search --invalues net_
18:26 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
18:26 <@krzee> !factoids search --values net_
18:26 <@vpnHelper> More than 100 keys matched that query; please narrow your query.
18:26 <@krzee> !factoids search --values net_g
18:26 <@vpnHelper> 'git', 'git', 'git', and 'subnet'
18:26 <@krzee> !factoids search route
18:26 <@vpnHelper> 'winroute', 'iroute', 'router', 'dlink_static_route', 'external_routes', 'route_override', 'splitroute', 'route_outside_openvpn', 'route_outside_ovpn', 'routebyapp', 'route', 'ppp_defaultroute', and 'route-nopull'
18:26 <@krzee> !route_override
18:26 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
18:27 -!- maniacal [~maniacal@ec2-54-164-223-104.compute-1.amazonaws.com] has joined #openvpn
18:27 <@krzee> maniacal,
18:27 <@krzee> !route_override
18:27 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
18:27 < maniacal> hey.  don't know if anyone answered
18:27 < maniacal> ok.  cool
18:27 <@krzee> basically you just want the net_gateway variable
18:28 < maniacal> nice
18:29 < maniacal> I'll try it out.   thx.  I was disconnected right after asking due to screwing around with it.  that's the dangers of screwing with vpn :)
18:29 <@krzee> haha got ya, i thought you were a fly-by for a minute there ;]
18:29 <@krzee> but it seems we got rid of those with the webchat ban
18:30 < maniacal> do you know about openvpnas server?  we're using that.  it's pretty awesome.  but most of the config is through a gui.  not my preferred option but that as well is pretty awesome
18:30 <@krzee> !as
18:30 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
18:31 < maniacal> oh, cool.  thanks again
18:31 <@krzee> np
18:31 <@krzee> !no_as
18:31 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
18:39 -!- cmanns [~cmanns@68-185-89-221.dhcp.snlo.ca.charter.com] has joined #openvpn
18:40 < cmanns> How can I get support with OpenVPN community, I can login fine but there is no internet (There used to be) I’m duplicating setup on another server to identify if it’s any weird stuff
18:40 <@krzee> !redirect
18:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:40 <@krzee> probably firewall issues
18:41 < cmanns> I have done all of those, removed firewalls
18:41 < cmanns> The setup used to work week or two ago, no configs changed all I did recently was made new pub/priv keys
18:41 <@krzee> removing firewall could cause the problem
18:41 <@krzee> note that you need to NAT the vpn subnet
18:42 <@krzee> look over the flowchart
18:43 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
18:47 < cmanns> I will try on other system
18:51 -!- maniacal [~maniacal@ec2-54-164-223-104.compute-1.amazonaws.com] has quit [Ping timeout: 240 seconds]
18:59 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 264 seconds]
19:03 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
19:17 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 240 seconds]
19:18 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
19:27 -!- Gsa700_ [~Gsa700@unaffiliated/gsa700] has joined #openvpn
19:27 -!- Gsa700_ [~Gsa700@unaffiliated/gsa700] has quit [Client Quit]
19:30 -!- Gsa700_ [~Gsa700@unaffiliated/gsa700] has joined #openvpn
19:30 -!- Gsa700_ [~Gsa700@unaffiliated/gsa700] has quit [Client Quit]
19:30 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Ping timeout: 260 seconds]
19:38 -!- cmanns [~cmanns@68-185-89-221.dhcp.snlo.ca.charter.com] has quit [Ping timeout: 255 seconds]
20:00 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Quit: Quit]
20:01 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
20:01 -!- mode/#openvpn [+v RBecker] by ChanServ
20:02 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
20:14 -!- smrtz|nix [~smrtz@unaffiliated/smrtznix/x-9775867] has joined #openvpn
20:16 -!- u0m3_ [~u0m3@92.80.109.44] has quit [Read error: Connection reset by peer]
20:18 < smrtz|nix> !welcome
20:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:20 -!- Suhler [~Suhler@ip68-0-37-60.hr.hr.cox.net] has joined #openvpn
20:20 < smrtz|nix> Hey, I'm trying to host a minecraft server for my friends and I.  I'd idealy like to just give everyone a config and have them connect, and then have it show up in their local games.  Like a layer 3 vlan.
20:22 < Suhler> config file pastebin: http://pastebin.com/w2Vna1hs
20:23 < smrtz|nix> Suhler: is working with me...
20:23 < smrtz|nix> That's our server.conf
20:31 -!- Suhler [~Suhler@ip68-0-37-60.hr.hr.cox.net] has quit []
20:41 -!- u0m3 [~u0m3@92.80.109.44] has joined #openvpn
20:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
20:49 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Remote host closed the connection]
21:01 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 240 seconds]
21:03 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
21:44 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
21:45 < jangerhofer> Hello, I have what I think should be a trivial question.  I have a Tunnelblick server+client configured and I can connect via the client config to the running server without issue.
21:45 < jangerhofer> When I try to access anything other than the subnet I suppose OpenVPN is running on (10.8.0.1), I cannot connect -- can't access my other devices on server's network nor the outside internet.
21:46 < jangerhofer> Is there a modification I need to make in the server config file?
21:50 < Poster> ok so 2 things to check
21:50 < Poster> 1) do you have a route being pushed to your client that includes the IP network behind the OpenVPN host?
21:50 < Poster> 2) Do you have IP forwarding enabled on your OpenVPN host?
21:50 -!- krav [krav@unaffiliated/kravlin] has left #openvpn ["Leaving"]
21:58 < jangerhofer> Sorry, you're beyond me already Poster.  I doubt that the answer is "yes" to either, but I can't be sure.
21:58 < jangerhofer> When I'm connected and run a traceroute to any domain, my request goes through 10.8.0.1 and then times out, if that's helpful...
21:58 -!- G_Known [~Instantbi@pool-72-95-239-76.pitbpa.east.verizon.net] has joined #openvpn
21:58 < Poster> ok what OS is your OpenVPN server?
21:58 < G_Known> I'm getting this error whenever I'm putting redirect gateway def1 command: NOTE: unable to redirect default gateway -- Cannot obtain current remote host address
22:00 < jangerhofer> Running Tunnelblick server on OS X 10.9.  Client on 10.10 beta.
22:00 < Poster> I would think that error would be present when the openvpn server isn't presenting it's own address
22:01 < jangerhofer> Let me comb my config file.
22:01 < jangerhofer> The local IP it listens on shouldn't matter.
22:02 < jangerhofer> Oh!  I'm blind.  "Configure server mode and supply a VPN subnet
22:02 < jangerhofer> # for OpenVPN to draw client addresses from.
22:02 < jangerhofer> # The server will take 10.8.0.1 for itself,
22:02 < jangerhofer> # the rest will be made available to clients."
22:03 < Poster> jangerhofer: ok I am going to be at a bit of a disadvantage on OSX, going under the guise that it is FreeBSDlike, try this:
22:03 < Poster> sysctl net.inet.ip.forwarding
22:03 < jangerhofer> "net.inet.ip.forwarding: 1"
22:03 -!- arescorpio [~arescorpi@37-58-245-190.fibertel.com.ar] has joined #openvpn
22:03 < Poster> ok so that's good, what is the remote network on the other side of the OSX server?
22:03 < jangerhofer> That's without the server running.
22:07 < jangerhofer> I have a home network set up.  Server connected via WiFi to this network.
22:07 < Poster> ok need to talk in terms of IP addresses
22:07 < jangerhofer> Ah, ok.  Server is at 10.0.1.2.  Router at 10.0.1.1.  Subnet Mask:  255.255.255.0.
22:07 < Poster> ok and your network is 10.0.1.0/24 ?
22:08 < jangerhofer> Again, sorry to ask the stupid question.  What is the "/" notation?
22:08 < Poster> ok that is CIDR, short hand for subnet masks, /24 equates to 255.255.255.0
22:08 < jangerhofer> Ah, ok.  Yes.  That is correct then.
22:08 < Poster> ok, on your OpenVPN server, are you pushing routes to your clients for 10.0.1.0 255.255.255.0 ?
22:09 < jangerhofer> I see mention in the sample config of "ethernet bridging."  Is that the functionality I need to pass thorugh requests?
22:09 < Poster> you can but you probably don't want to
22:09 < jangerhofer> No, currently the "push" lines are commented out (from the sample config).
22:09 < jangerhofer> ;push "route 192.168.10.0 255.255.255.0"
22:09 < Poster> ok, set one
22:11 < Poster> push "route 10.0.1.0 255.255.255.0"
22:11  * jangerhofer is testing it.
22:11 < Poster> well you're not done there
22:11 < jangerhofer> Ooh :O
22:11 < Poster> though you should be able to ping 10.0.1.2 when done
22:13 -!- tapout [~tapout@unaffiliated/tapout] has quit [Quit: ZNC - http://znc.sourceforge.net]
22:20 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
22:20 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
22:20 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
22:20 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has left #openvpn []
22:20 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
22:20 < jangerhofer> Confirming I can ping 10.0.1.2 now.
22:20 < Poster> so yes?
22:20 < G_Known> Has anyone tried OpenVPN on a LXC container? I'm trying to get redirect gateway to work.
22:20 < jangerhofer> Oddly I cannot load the page that 10.0.1.2 hosts in a browser, but traceroute did respond.
22:20 < Poster> jangerhofer: ok the issue you have now is the return route from all other devices on your local network.  You have two options:
22:20 < Poster> 1) Setup some flavor of NAT, I am guessing OSX uses either pf or ipfw, this will "hide" all OpenVPN client traffic behind 10.0.1.2
22:20 < Poster> 2) On your router (10.0.1.1) you can add a static route to 10.8.0.0 255.255.255.0 via 10.0.1.2
22:20 < jangerhofer> Yep, it's definitely pf and it's definitely ugly :)
22:20 < jangerhofer> Ok, both are equally challenging given that the router is also an Apple product (lacking such powerful features).
22:20 < jangerhofer> In an attempt to be of some help to myself I found people have used this line: push "redirect-gateway def1"
22:21 < jangerhofer> Is that relevant?
22:21 < Poster> well that doesn't really help here
22:21 < jangerhofer> Got it.
22:21 < Poster> the return route problem still exists
22:21 < jangerhofer> Ah, I see.
22:21 < Poster> so I guess you're going to be forced to use pf
22:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:21 < jangerhofer> Alright -- guess it's time for a learning experience.
22:21 < Poster> do you know the interface name of your ethernet adapter on the OpenVPN server?
22:22 < jangerhofer> No.  Let me figure out the command I need.  Could be ifconfig
22:22 < Poster> yeah it is
22:23 < jangerhofer> Which line would it be?  I see the usual en0, en1, etc.
22:23 < jangerhofer> P2p0 and utun0 stand out.
22:23 < Poster> ok I am guessing one of the en, which one has 10.0.1.2 assigned to it?
22:24 < jangerhofer> en1.
22:24 < jangerhofer> Good call.
22:24 < Poster> ok, do you have an /etc/pf.conf ?
22:25 < jangerhofer> I do.
22:25 < Poster> ok I am not sure what version of pf you have there, are there any example lines that are something to the effect of
22:25 < jangerhofer> It contains about 6 lines that are not commented at the moment.
22:25 < jangerhofer> "Instead,
22:25 < jangerhofer> # each component which utilizes PF is responsible for enabling and disabling
22:25 < jangerhofer> # PF via -E and -X as documented in pfctl(8)"
22:26 < Poster> pass out on em0 from 192.168.0.0/24 nat-to (em0)
22:26 < Poster> or maybe
22:26 < jangerhofer> Nope.  The closest I have is a "load anchor".
22:31 < Poster> ok I'll assume older, try adding this line
22:31 < Poster> hang on double checking syntax, little rusty
22:31 < jangerhofer> No hurry!
22:31 < Poster> ok try this
22:31 < Poster> nat on en1 from 10.8.0.0/24 to any -> (en1)
22:31 < Poster> save that then run
22:31 < jangerhofer> Do I need to reload the .conf somehow?
22:31 < Poster> pfctl -ef /etc/pf.conf
22:31 < jangerhofer> Ah, there it is.  I couldn't figure out what the associated command was :)
22:31 < Poster> hopefully it doesn't throw an error, but it might
22:32 < jangerhofer> It did.  And it's ugly :/
22:32 < jangerhofer> No ALTQ support in kernel
22:32 < jangerhofer> ALTQ related functions disabled
22:32 < jangerhofer> pfctl: Syntax error in config file: pf rules not loaded
22:32 < Poster> ok review pf.conf and put a # in front of any lines that contain the word altq and try again
22:34 < jangerhofer> No lines with altq...
22:34 < jangerhofer> etc/pf.conf:28: Rules must be in order: options, normalization, queueing, translation, filtering
22:34 < jangerhofer> pfctl: Syntax error in config file: pf rules not loaded
22:34 < Poster> ok this would fall in the translation category
22:34 < jangerhofer> Sorry, I just realized I copy+pasted multiple lines and the leading slash triggered an IRC command.
22:34 < jangerhofer> Got it.
22:35 < Poster> ok with that line commented out, rerun: pfctl -ef /etc/pf.conf
22:35 < jangerhofer> No ALTQ support in kernel
22:35 < jangerhofer> ALTQ related functions disabled
22:35 < jangerhofer> pf enabled
22:36 < Poster> ok can you paste the contents of /etc/pf.conf on something like pastebin?
22:36 < jangerhofer> Right away.
22:37 < jangerhofer> http://pastie.org/9511971
22:39 < Poster> ok above the #nat on line
22:40 < Poster> add: set optimization normal
22:40 < jangerhofer> Leaving the final line commented out?
22:40 < Poster> for now yeah
22:40 < Poster> reapply pf rules and see if it errors
22:41 < jangerhofer> Back to a syntax error.
22:41 < Poster> ok comment out the set optimization
22:41 < jangerhofer> Is the order out of line there?
22:41 -!- Aelius [~Aelius@unaffiliated/aelius] has joined #openvpn
22:41 < Poster> let's try basic, add a line:
22:41 < Poster> pass out quick on en1
22:41 < Poster> then rerun
22:42 < jangerhofer> ALTQ related functions disabled
22:42 < jangerhofer> pfctl: pf already enabled
22:42 < Poster> ok that's good
22:42 < Poster> ok let's try this, not sure if it will work, before your "pass out quick" line add
22:43 < Poster> pass out quick on en1 from 10.8.0.0/24 nat-to (en1)
22:43 < Poster> then reapply
22:43 < jangerhofer> Syntax error.
22:46 < Poster> ok let's remove that line and try
22:46 < Poster> nat on en1 from 10.8.0.0/24 -> 10.0.1.2
22:47 < jangerhofer> Syntax w/ order error.
22:47 < Poster> :|
22:47 < jangerhofer> Quite a pain.
22:47 < jangerhofer> Just to check we are on the same page:  http://pastie.org/9511986
22:48 < jangerhofer> Assuming so, I have no problem abandoning ship.  Don't mean to shackle you to this in any way at all.
22:51 < Poster> I am just not really sure what Apple has done to pf here
22:51 < Poster> I've used it on OpenBSD for many years without much issue
22:52 < Poster> it looks like there may be a Security & Privacy management interface within the GUI
22:52 < Poster> though I have no idea if it will allow you to enable NAT
22:53 < Poster> I am wondering if Apple removed nat
22:53 < Poster> :(
22:53 < Poster> it's in the man pages, though I'm at a loss on the syntax
22:54 < Poster> https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man5/pf.conf.5.html
22:54 <@vpnHelper> Title: pf.conf(5) Mac OS X Manual Page (at developer.apple.com)
22:54 < jangerhofer> Yeah, I landed there too but couldn't make heads or tails of it.
22:54 < Poster>    nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
22:54 < Poster> is more or less what we want
22:55 < Poster> replacing $ext_if with en1 144.19.74.0/24 with 10.8.0.0/24 and 204.92.77.100 with 10.0.1.2
22:55 < Poster> I guess try that verbatim
22:55 < Poster> nat on en1 from 10.8.0.0/24 to any -> 10.0.1.2
22:55 < jangerhofer> Can't hurt, right? :D
22:56 -!- arescorpio [~arescorpi@37-58-245-190.fibertel.com.ar] has quit [Excess Flood]
22:56 < jangerhofer> "Rules must be in order: options, normalization, queueing, translation, filtering."
22:57 < jangerhofer> Which parts are which?
22:57 < Poster> ok can you paste pf.conf on pastie again?
22:57 < jangerhofer> Yeah yeah.
22:57 < Poster> we're only working on translation
22:58 < jangerhofer> http://pastebin.com/rHkB9aNU
22:58 < jangerhofer> Do I need some sort of null value then, perhaps?
22:59 < Poster> I am not actually sure what is wrong
22:59 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has quit [Read error: Connection reset by peer]
22:59 < jangerhofer> Lots of posts found via a Google search, but they are all far too dense.
22:59 < Poster> we don't have queueing after or filtering before
23:00 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has joined #openvpn
23:00 < Poster> you may need to track down an OSX power user, I am not sure what more to try
23:00 < jangerhofer> Is this something worthy of an issues ticket?
23:01 < jangerhofer> Slash discussion group post...
23:01 < Poster> I honestly don't know, I can't imagine you're the first person attempting to do NAT on OSX
23:01 < Poster> only other thing I can think is maybe put a line at the end of pf.conf
23:01 < Poster> pass quick on en1
23:01 < jangerhofer> Keep everything else?
23:02 < Poster> yeah
23:02 < jangerhofer> Same result hah.
23:02 < Poster> ok yeah I don't think I can be of much more help on this one
23:03 < jangerhofer> Alrighty.  It isn't listed in the "Known Issues" page of Tunnelblick.
23:03 < Poster> the last option would be to add static routes on all of your LAN devices pointing 10.8.0.0/24 via 10.0.1.2
23:03 < Poster> which will vary slightly between OSes
23:03 < jangerhofer> Not worth that pain.  Is there anyway I can quickly pass through everything _outside_ my own network?
23:03 < jangerhofer> I'll give up on trying to get intra-network access for the moment.
23:04 < jangerhofer> Is that a one-line fix?
23:04 < Poster> well the return route problem still exists
23:04 < Poster> do you have access to a Linux or BSD based system?
23:04 < jangerhofer> Oh, I suppose I don't follow.
23:04 < jangerhofer> Negative.
23:04 < jangerhofer> Suppose I could partition the server, but I hardly want to go through that.
23:05 < Poster> so if you route all your traffic through OpenVPN, it will hit your OSX system, be routed through, the source address will be 10.8.0.x, it may make it through your 10.0.1.1 router, but when the return packet comes back, 10.0.1.1 will not know where to send it
23:05 < Poster> and then nothing will work :|
23:05 < Poster> getting pf to NAT in OSX is probably the "best"
23:06 < Poster> past that we can make it work on something small like a raspberrypi
23:06 < jangerhofer> Oooh, I see.  I can't point OpenVPN to the current IP.
23:06 < jangerhofer> https://groups.google.com/forum/#!topic/tunnelblick-discuss/xq-2XQFCZyQ
23:06 < jangerhofer> Hmmm
23:06 <@vpnHelper> Title: Google Groups (at groups.google.com)
23:06 < jangerhofer> Sounds similar, though perhaps not related.
23:07 < Poster> similar symtpoms, but could be a few causes
23:07 < Poster> I am unaware of virtualization options on OSX
23:07 < Poster> you have a few for Windows
23:08 < jangerhofer> Yeah, I know I could do it with little fuss on OS X.  It just seems pointless to do it exclusively for OpenVPN.
23:08 < Poster> yeah, if you can find how to do nat on OSX pf, you'd be in good shape
23:08 < jangerhofer> I trust you if you say the routing problem exists, but I'm going to follow this thread's solution just to try it.
23:08 < jangerhofer> Got it.
23:09 < Poster> yeah give it a go
23:09 < Poster> there may be something else needed I am unaware of
23:10 < Poster> there might be an osx channel on here somewhere that you can ask
23:10 < jangerhofer> ##mac probably isn't that advanced.
23:10 < jangerhofer> I'll try #pf just on a whim.
23:10 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 264 seconds]
23:10 < Poster> pretty quiet in there, but good luck
23:10 < jangerhofer> ^
23:11 < jangerhofer> Thank you very much for the assistance.
23:11 < Poster> np, good luck
23:11 < jangerhofer> Sorry to be a stubborn problem.
23:11 < jangerhofer> Take care.
23:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:23 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:25 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
23:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:51 -!- ShadniX [dagger@p5DDFE4A0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:52 -!- ShadniX [dagger@p5DDFE9C7.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Aug 29 2014
00:41 < G_Known> has anyone tried OpenVPN on a lxc container?
00:48 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
00:48 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
00:54 -!- mattock_afk is now known as mattock
01:01 -!- G_Known [~Instantbi@pool-72-95-239-76.pitbpa.east.verizon.net] has quit [Quit: Instantbird 1.5 -- http://www.instantbird.com]
01:11 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
01:11 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
01:11 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 260 seconds]
01:11 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Quit: No Ping reply in 180 seconds.]
01:12 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
01:12 -!- ender` [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
01:12 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
01:12 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
01:13 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
01:14 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
01:14 -!- abbe [having@badti.me] has joined #openvpn
01:16 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
01:34 -!- kareem-ali [~kareem@217.138.20.162] has quit [Read error: Connection reset by peer]
01:34 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:36 -!- kareem-ali [~kareem@217.138.20.162] has joined #openvpn
01:40 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has quit [Ping timeout: 244 seconds]
01:51 -!- kareem-ali [~kareem@217.138.20.162] has quit [Ping timeout: 240 seconds]
02:01 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Ping timeout: 260 seconds]
02:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:08 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Read error: Connection reset by peer]
02:09 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
02:09 < svm_invictvs> Hello
02:09 < svm_invictvs> How goes it?
02:09 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 240 seconds]
02:11 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
02:14 <@krzee> werd
02:14 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Ping timeout: 260 seconds]
02:16 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
02:16 < n13l> hey all
02:16 -!- mattock is now known as mattock_afk
02:17  * krzee turns on the light and waits for the first question
02:17 <@krzee> :D
02:17 < n13l> anyone cross building git/master openvpn using mingw ?
02:18 < n13l> got some issue related to sockets: socket.c:3098:45: error: ‘struct link_socket_addr’ has no member named ‘local’
02:18 <@krzee> https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem
02:19 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
02:19 <@krzee> nothing on mingw tho
02:19 < n13l> krzee: i did read many docs allready
02:19 < n13l> krzee: actually i found the problem here: http://permalink.gmane.org/gmane.network.openvpn.devel/8646
02:19 <@vpnHelper> Title: socket.c issues when building snapshots on windows... (at permalink.gmane.org)
02:20 <@krzee> oh ya they actually do talk about mingw on there
02:20 < n13l> krzee: just asking if anyone workin on fix and/or searchin some advices
02:20 < n13l> krzee: i forced openvpn for ip4 only but then tls reports error related to no synch keys
02:23 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Remote host closed the connection]
02:24 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:24 <@krzee> hmm im not sure, might wanna ask that in the devel channel
02:26 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 240 seconds]
02:29 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
02:29 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Remote host closed the connection]
02:29 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
02:31 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:33 <@syzzer> n13l: ask plaisthos (in the devel channel), the windows build problems are fallout from the dual stack patches iirc
02:36 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
02:37 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:40 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Remote host closed the connection]
02:48 < n13l> syzzer: hey btw i did build win32 with few code fixes and i see TLS Error: local/remote TLS keys are out of sync: [AF_INET]85.239.80.148:1195 [0]
02:49 < n13l> syzzer: is it possible that actual master is not compatible with stable client ?
02:49 < n13l> syzzer: and btw got same error for udp and tcp so it looks like error on app layer
02:54 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
02:58 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
03:00 -!- kareem-ali [~kareem@217.138.20.162] has joined #openvpn
03:02 <@syzzer> n13l: 2.3 and master *should* be compatible
03:03 <@syzzer> I'd have to explicitly test to be entirely sure - but at least master client vs stable server works perfectly for me
03:16 -!- mattock_afk is now known as mattock
03:36 -!- mattock is now known as mattock_afk
04:09 -!- dazo_afk is now known as dazo
04:16 -!- Netsplit *.net <-> *.split quits: @mattock_afk, DArqueBishop, kirin`, @raidz, Cybertinus
04:17 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:17 -!- Netsplit *.net <-> *.split quits: jeev, AsadH, Mike--, sauce, Olivier, Intensity, lbft, Pandemic_Force, jefferai
04:17 -!- Netsplit over, joins: DArqueBishop, @raidz, @mattock_afk, kirin`
04:17 -!- kirin` [telex@gateway/shell/anapnea.net/x-boxeauelfbnzorhw] has quit [Max SendQ exceeded]
04:19 -!- kirin` [telex@gateway/shell/anapnea.net/x-stqgphzuzphmplft] has joined #openvpn
04:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-stqgphzuzphmplft] has quit [Read error: Connection reset by peer]
04:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-eujlnsxwaqcnqicx] has joined #openvpn
04:30 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
04:30 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
04:30 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
04:30 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
04:30 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
04:30 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
04:30 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
04:30 -!- Olivier [Olivier@185.13.226.177] has joined #openvpn
04:30 -!- jefferai [sid1300@kde/mitchell] has quit [Max SendQ exceeded]
04:30 -!- jefferai_ [sid1300@kde/mitchell] has joined #openvpn
04:35 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-eujlnsxwaqcnqicx] has quit [Ping timeout: 240 seconds]
04:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-idyxvaodzremvaiy] has joined #openvpn
04:40 -!- Guest60036 [~prettyrob@do.inputrc.com] has quit [Ping timeout: 255 seconds]
04:43 -!- kirin` [telex@gateway/shell/anapnea.net/x-idyxvaodzremvaiy] has quit [Read error: Connection reset by peer]
04:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-szfedpqtdidcmxgo] has joined #openvpn
04:46 -!- NucWin [~nucwin@unaffiliated/nucwin] has quit [Ping timeout: 272 seconds]
04:48 -!- Fusl_ [Fusl@unaffiliated/fusl] has joined #openvpn
04:48 -!- halothe23_ [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
04:48 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
04:50 -!- kirin` [telex@gateway/shell/anapnea.net/x-szfedpqtdidcmxgo] has quit [Ping timeout: 244 seconds]
04:50 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 272 seconds]
04:50 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
04:50 -!- fchmmr [~ask@fsf/member/fchmmr] has quit [Ping timeout: 272 seconds]
04:50 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 272 seconds]
04:50 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Max SendQ exceeded]
04:50 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 272 seconds]
04:50 -!- loeken [~lknfnd@static.123.253.76.144.clients.your-server.de] has quit [Ping timeout: 272 seconds]
04:50 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 272 seconds]
04:50 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Read error: Connection reset by peer]
04:51 -!- fchmmr [~ask@fsf/member/fchmmr] has joined #openvpn
04:51 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
04:54 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 240 seconds]
04:54 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 240 seconds]
04:54 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
--- Log closed Fri Aug 29 04:59:34 2014
--- Log opened Fri Aug 29 07:59:56 2014
07:59 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
07:59 -!- Irssi: #openvpn: Total of 144 nicks [7 ops, 0 halfops, 1 voices, 136 normal]
07:59 -!- Irssi: Join to #openvpn was synced in 0 secs
07:59 -!- mode/#openvpn [+o ecrist_] by ChanServ
08:00 -!- You're now known as ecrist
08:05 -!- smrtz|nix [~smrtz@unaffiliated/smrtznix/x-9775867] has quit [Ping timeout: 250 seconds]
08:25 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
08:28 -!- adac [~adac@chello080109174123.tirol.surfer.at] has quit [Ping timeout: 245 seconds]
08:32 -!- lbft [~lbft@unaffiliated/lbft] has quit [Excess Flood]
08:34 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
08:41 < zoidberg-> Hello, I am planning an openvpn configuration and would like a bit of advice, I have a network that has one external point and the rest NAT.  I have a dedicated server that i would like to run an OpenVPN server on.  My plan is this: Run the vpn server on the dedicated server, install a client on the network with one physical host, get the client to connect to the server and create a tunnel.  I then want to be able to push all network traffic out via thi
08:42 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
08:46 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
08:47 -!- lucidz [~kali@unaffiliated/lucdz/x-1796168] has joined #openvpn
08:48 < lucidz> Hello! is openvpn going to be capable of being used with ppp0 in a near future?
08:51 < zoidberg-> lucidz: what do you mean? you can use it with ppp0 afaik?
08:52 < lucidz> OpenVPN creates not the path, the connection is, but not Internet
08:53 < zoidberg-> what?
08:54 -!- y4h0 [~yavor@94.155.134.12] has joined #openvpn
08:54 < y4h0> hi all
08:54 <@ecrist> lucidz: no
08:54 < y4h0> i need some help
08:54 <@ecrist> openvpn uses the tun or tap interface
08:54 < lucidz> hum
08:54 < lucidz> ok
08:54 < y4h0> after deleting the tun interface, openvpn doesn't create it automatically
08:55 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
08:55 < y4h0> i've tried openvpn --mktun --dev tun0 , assigned an ip address
08:55 < y4h0> ifconfig tun0 up, tun0 stays down
08:55 < lucidz> ;/
08:56 < y4h0> when i start openvpn it constantly restart
08:56 <@ecrist> !logs
08:56 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:56 <@ecrist> !configs
08:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:08 < y4h0> ok for start i am using ubuntu 12.04
09:09 < y4h0> i will paste the log files and messages , stand by...
09:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:23 < y4h0> here is the output from openvpn --config client.conf and the file client.conf
09:23 < y4h0> http://pastebin.com/MamxQDDk
09:26 < y4h0> here is updated version with server.conf , why is openvpn not creating the tun device ?
09:26 < y4h0> http://pastebin.com/5kqrtTRr
09:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
09:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:38 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:40 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
09:43 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 240 seconds]
09:55 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
09:56 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
10:10 -!- krav [~krav@unaffiliated/kravlin] has joined #openvpn
10:12 < DArqueBishop> I admit, I'm just about at my wits' end. I've got a really odd problem, and I'm hoping someone might have some ideas.
10:13 < DArqueBishop> I'm running a brand new install of Windows 7 Professional on a Dell Latitude E5410. It has all the latest updates from Microsoft and the most recent drivers from Dell. I've installed OpenVPN 2.3.4 x86_64 I003 on it, and when I connect to my VPN I'm getting data corruption. RDP fails with data encryption problems, IRC doesn't work properly, etc.
10:15 < DArqueBishop> I've confirmed it's only the laptop that has the problem. I've got a desktop PC at home with a fully up-to-date Win 7 with no problems. Likewise, an iPhone connecting to the VPN at the same location as the laptop has no problem.
10:17 < DArqueBishop> I experience the issue whether I'm on via wired or wireless. I've reloaded Windows and it has had no effect. The only other thing I had noticed is that I had no problems in Windows 8.1 on this laptop, and when I reloaded Windows 7 a couple of days ago, it worked fine until I loaded the patches.
10:17 < DArqueBishop> Rather, loaded the Windows updates.
10:19 -!- mifritscher [~michaelfr@zft-server-1.telematik-zentrum.de] has joined #openvpn
10:20 < mifritscher> hi
10:21 < mifritscher> following problem: ping comes through the vpn, udp-pakets not (videostreaming) - openvpn client sees them, can also write them to the tap-interface, but e.g. the taskmanager doesn't see this traffic on the tap-interface
10:21 < mifritscher> the firewall is completly off (public and private zone)
10:21 < mifritscher> how can I debug this?
10:22 < mifritscher> server is a WIn2008R8, client is a Win7
10:23 < mifritscher> streaming is plain udp-streaming from server to client
10:24 < DArqueBishop> Oh, I just started the server with verbose level 4; no unusual messages.
10:34 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
10:35 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:35 -!- mode/#openvpn [+o krzee] by ChanServ
10:40 -!- mifritscher [~michaelfr@zft-server-1.telematik-zentrum.de] has quit [Disconnected by services]
10:53 -!- krav [~krav@unaffiliated/kravlin] has left #openvpn ["WeeChat 0.3.8"]
10:56 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:58 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
11:00 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:04 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 246 seconds]
11:13 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 250 seconds]
11:18 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:20 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
11:24 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 244 seconds]
11:28 -!- mifritscher [~michaelfr@zft-server-1.telematik-zentrum.de] has joined #openvpn
11:29 < mifritscher> ok, the problem was the mtu - the udp-packets were 1500 byte big. I used the fragment-workaround, now it works. Thanks for the documentation :-)
11:30 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:33 -!- Asrael [~azrael@lya14-4-78-226-76-164.fbx.proxad.net] has joined #openvpn
11:35 < Asrael> Hi everyone. I have a noob question although I am pretty sure of the answer, but I'd like to be sure : is it possible to force the routing of the loopback (127.0.0.1) address of a client through the server ? In other words, is it possible to push a route that'd act in such a way that if the client pings 127.0.0.1, he's not pinging his own machine but the OpenVPN server machine ?
11:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:45 < DArqueBishop> I don't know of a way offhand, but my question would be, "Why would you want to do that?"
11:47 < Asrael> I don't want to, I'd just want to be sure it's impossible, as I think it is.
11:48 < Asrael> I'd tend to think it's hard-coded in any OS's IP stack that 127.0.0.1 IS really the local machine and nothing else and there's no easy/standard way around this, but I'm curious whether I'm wrong about this or not
11:48 < DArqueBishop> I've never heard of a way to change it.
11:49 -!- lucidz [~kali@unaffiliated/lucdz/x-1796168] has quit [Quit: lucidz]
11:50 < DArqueBishop> Oh, and I finally found an answer to the problem I was having. Apparently it was the Citrix DNE Lightweight Filter that got installed when I installed the Dell tools.
11:52 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:52 -!- mode/#openvpn [+o Eugene] by ChanServ
11:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:59 -!- mifritscher [~michaelfr@zft-server-1.telematik-zentrum.de] has quit [Quit: Leaving.]
11:59 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
11:59 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:07 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:09 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has joined #openvpn
12:17 < shio> DArqueBishop: ur install wasn't that clean after all :p
12:21 < DArqueBishop> Hey, it was an official Dell update. *shrug* I only figured it out after doing a Google search and thinking to add "dell" to the search terms. :-)
12:25 < shio> at least u figured it out :)
12:26 <@Eugene> Asrael - there is no way around that in any (sane) IP stack, no.
12:35 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Remote host closed the connection]
12:38 < Asrael> Thanks Eugene
12:38 < Asrael> That's what I thought indeed
12:38 -!- jefferai_ is now known as jefferai
12:41 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
12:51 <@krzee> Asrael, whats your real goal?
13:05 <@ecrist> heh
13:05 <@ecrist> http://imgur.com/gallery/vAFCK
13:05 <@vpnHelper> Title: Concentrate, Brookfield! - Imgur (at imgur.com)
13:09 < Asrael> none really krzee : The idea was to be able to call a service from remote even though it was set-up to only listen to connections made from/to 127.0.0.1, by setting-up a VPN on the machine that has the service setup. But the way I see it, it can't work because if I call 127.0.0.1 from my remote machine, it'll try to connect to itself, and not to the machine that has the service+VPN.
13:10 < Asrael> But I'm not actually trying to do that : I wanted to make sure someone hadn't been able to do that, to prove a point. :)
13:11 <@krzee> oh
13:11 <@krzee> well i mean you could proxy in or something, but not directly communicate with 127.0.0.1 over internet or vpn or whatev
13:12 < Asrael> so would you say I'm right in my assumption that it just wouldn't work and the only sane way to do it is to have the service to listen to another IP than just 127.0.0.1 ?
13:12 <@krzee> yes
13:12 < Asrael> thought so, thanks
13:38 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
13:45 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
13:46 -!- Asrael [~azrael@lya14-4-78-226-76-164.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
13:50 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 264 seconds]
13:56 < svm_invictvs> So I'm having trouble with a Windows client
13:56 < svm_invictvs> The key and the .ovpn file works perfectly fine on OSX but fails on Windows
13:57 < svm_invictvs> On Windows, the connection succeeds, and it shows as good...but I can't access anything through the VPN
13:57 < svm_invictvs> I've tried fiddling with firewalls and what not as well
13:57 < svm_invictvs> Nothing seems to work
13:59 <@krzee> did you get the windows client from here:
13:59 <@krzee> !download
13:59 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
13:59 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
13:59 <@krzee> #1 ^
14:02 < svm_invictvs> krzee: I doownloaded the official client from openvpn.org
14:03 <@krzee> from what page
14:03 <@krzee> because you probably have the wrong one if not from the link in #1 above
14:03 < svm_invictvs> Heh
14:03 < svm_invictvs> Why is that?
14:03 <@krzee> !website
14:03 <@krzee> !factoids search --values web
14:03 <@vpnHelper> 'pfsense', 'webgui', 'nopaste', 'static_key_details', 'git', and 'license'
14:03 < svm_invictvs> Let's see
14:04 <@krzee> !license
14:04 <@vpnHelper> "license" is (#1) OpenVPN 2 is a GPLv2 project and can be distributed, modified, and used under the GPLv2 license. or (#2) Note that any commercial products are under their own EULA; these include AS, Connect, and any services provided by 'OpenVPN Technologies, Inc.' These are not maintained by the open-source community. or (#3) The website is somewhat confusing on purpose to lead you to the non-free
14:04 <@vpnHelper> Access Server stuff. OpenVPN is fully GPL with no fees required for use under that license. If you want to download the GPL openvpn see !download
14:04 < svm_invictvs> openvpn.net/https://openvpn.net/index.php/open-source/downloads.html
14:04 <@vpnHelper> Title: Downloads (at openvpn.net)
14:04 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:04 <@krzee> the website is confusing and tries to get you to the non opensource stuff
14:05 < svm_invictvs> Yeah
14:05 < svm_invictvs> 'cause they want ot make money
14:05 < svm_invictvs> For shits and giggles let me try...
14:05 < svm_invictvs> *try to reinstall
14:05 <@krzee> i do like their revenue system though, a nice easy configurable openvpn interface with autoinstalling clients and corp support
14:06 < svm_invictvs> Yeah
14:06 < svm_invictvs> I'm using pfsense
14:06 < svm_invictvs> Which I like a lot
14:06 < svm_invictvs> krzee: I go to openvpn.net -> community -> downloads
14:07 <@krzee> thats where you got it from before?
14:07 < svm_invictvs> krzee: But the link doesn't match the URL you pasted
14:08 < svm_invictvs> Seems to be the same
14:08 < svm_invictvs> But let me try
14:08 <@krzee> whatev, same thing
14:08 < svm_invictvs> Yeah
14:08 <@krzee> they have the same page in 2 places
14:08 < svm_invictvs> Same file, same size sam hash
14:08 <@krzee> community - downloads, and downloads - community
14:09 <@ecrist> verify!
14:09 <@ecrist> !verify
14:09 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
14:09 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
14:14 < svm_invictvs> krzee: After a reinstall, no dice
14:14 <@krzee> make the config verb 5 and show me logs
14:14 < svm_invictvs> It's verb 10
14:14 < svm_invictvs> log is here
14:14 < svm_invictvs> http://mysticpaste.com/private/S0MzihUsPm?4
14:15 <@krzee> i dont want verb 10
14:15 <@krzee> verb 5 please
14:15 < Hello71> I get the impression that the log should start with the log level of the msg
14:15 < Hello71> *each line
14:30 -!- dsockwell [~twgs@199.167.199.97] has joined #openvpn
14:34 -!- dazo is now known as dazo_afk
14:35 < svm_invictvs> krzee: heh< i jsut realized i'm in the office so the logs won't tell me much
14:36 < svm_invictvs> Becuase the conneciton will work
14:37 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 263 seconds]
14:37 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has quit [Read error: Connection reset by peer]
14:38 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has joined #openvpn
14:39 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
14:46 < svm_invictvs> krzee: http://mysticpaste.com/private/S0MzihUsPm?4
14:46 < svm_invictvs> krzee: er...wrong log
14:47 <@krzee> firewall
14:47 <@krzee> turn off the windows firewall on the tap device
14:47 <@krzee> then post log at verb 5
14:49 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:52 < svm_invictvs> krzee: I turne dit off on all devices
14:54 <@krzee> and verb 5 log?
14:57 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
15:10 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
15:11 < moviuro> Hi all! On ArchLinux, I get some error messages when the server pushes its routes: openvpn@profile[6649]: /usr/bin/ip route add 10.3.14.0/24 via 10.3.16.1 ; openvpn@profile[6649]: ERROR: Linux route add command failed: external program exited with error status: 2
15:11 < moviuro> any idea where that comes from?
15:13 <@krzee> comes from the route command, are you starting it as root?
15:14 <@krzee> from the ip command rather*
15:14 <@krzee> openvpn calls your systems ip command,   /usr/bin/ip route add 10.3.14.0/24 via 10.3.16.1
15:15 <@krzee> which exited error status 2
15:15 < moviuro> openvpn is spawned as root
15:15 < moviuro> (systemd unit)
15:15 <@krzee> paste the whole log at verb 4
15:15 <@krzee> (or 5 if already on it)
15:19 < moviuro> silly me, I just shot myself in the foot
15:19 < moviuro> http://ix.io/e5K
15:19 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
15:19 < TonyL> rv help
15:19 < TonyL> oops
15:19 < moviuro> (bouncer is only available through the VPN)
15:20 -!- ShadniX [dagger@p5DDFE9C7.dip0.t-ipconnect.de] has quit [Quit: Bye.]
15:22 -!- ShadniX [dagger@p5DDFE9C7.dip0.t-ipconnect.de] has joined #openvpn
15:26 -!- mattock is now known as mattock_afk
15:28 < moviuro> hehehe, trying route-delay
15:28 < moviuro> (because my tap0 is DHCP addressed)
15:30 < moviuro> yeah :D that works :D
15:35 < dsockwell> I have a vpn that routes to a LAN subnet, 10.0.0.0/24, but sometimes the clients connect to that LAN directly and have their default route through it. When that happens, they stop responding to their LAN addresses and only seem to work with their VPN addresses, 10.8.0.0/24.
15:35 < dsockwell> The VPN pushes a route to 10.0.0.0/24
15:35 < dsockwell> this is, of course, openvpn
15:36 < dsockwell> workstations seem to be OK even though they're configured the same way as some headless boxes that are not OK.
15:37 < dsockwell> my question is, can this possibly work, or are my users disabling openvpn without telling me?
15:37 < dsockwell> and if it can, how can I get these headless machines to behave?
15:39 < dsockwell> I understand 10.0.0.0/24 is the worst subnet, but I don't imagine it would make a difference since these machines will have 2 routes to wherever they connect unless the topology changes a lot.
15:42 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
16:14 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:18 -!- u0m3_ [~u0m3@92.80.78.98] has joined #openvpn
16:20 -!- u0m3 [~u0m3@92.80.109.44] has quit [Ping timeout: 250 seconds]
16:30 -!- krthnz [~aehm@unaffiliated/krthnz] has joined #openvpn
16:39 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 244 seconds]
16:51 -!- jeev_ [~j@unaffiliated/jeev] has joined #openvpn
16:52 -!- Netsplit *.net <-> *.split quits: jeev, AsadH, Mike--, zamba, sauce, Olivier, hydrajump, andi, Cpt-Oblivious, Pandemic_Force
16:52 -!- Netsplit over, joins: sauce
16:54 -!- Netsplit over, joins: andi
16:59 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:00 -!- u0m3__ [~u0m3@92.80.78.98] has joined #openvpn
17:03 -!- u0m3_ [~u0m3@92.80.78.98] has quit [Ping timeout: 244 seconds]
17:05 -!- Synced [Valcorb@unaffiliated/synced] has quit [Remote host closed the connection]
17:11 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
17:11 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
17:11 -!- zamba [marius@flage.org] has joined #openvpn
17:11 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
17:12 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Max SendQ exceeded]
17:12 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has quit [Max SendQ exceeded]
17:13 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
17:14 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 250 seconds]
17:16 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
17:21 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 260 seconds]
17:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:24 < svm_invictvs> Hm
17:41 < svm_invictvs> krzee: So...
17:42 < svm_invictvs> krzee: You think it's a firewall issue?
17:49 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 260 seconds]
18:00 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
18:18 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
18:23 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
18:29 < krthnz> is it possible to have openvpn automatically create a sub tun interface for every openvpn connection? so programs on the server can use the correct peer ips to send packets ?
18:30 < Hello71> "the correct peer ips"???
18:31 < krthnz> only the "main" peer ip is on the tun interface, I am trying to get unicast ospf running over openvpn between multiple neighbors
18:32 < krthnz> and when the IP it is supposed to source the packets from isnt on the interface, it just wont work
18:32 < krthnz> just the first /30 peer pair is on the tun0 interface here, the others dont show up at all, or I'm doing something completely wrong
18:33 < Hello71> get static routing working first
18:34 < krthnz> openvpn works without problems
18:35 < krthnz> just ospf doesnt, it cannot send packets sourced from IPs that arent bound to any interface
18:37 < krthnz> thats why I thought there may be an option that ospf adds the peer ip pairs from current connections to the tun interrface or maybe create a subinterface for every openvpn connection
18:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
19:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:18 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has quit [Ping timeout: 244 seconds]
19:22 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 244 seconds]
19:25 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.0]
19:32 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 250 seconds]
19:37 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
19:47 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
19:47 -!- mode/#openvpn [+v hazardous] by ChanServ
19:47 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
19:49 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
19:51 -!- raidz is now known as raidz_away
20:04 < Aelius> Is there a solution for Window firewall 'unidentified network' and openvpn tun adapter?
20:10 -!- u0m3__ is now known as u0m3
20:13 -!- _KaszpiR__ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 255 seconds]
20:13 -!- zalami [~realnameo@cpe-74-73-165-167.nyc.res.rr.com] has joined #openvpn
20:15 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Ping timeout: 255 seconds]
20:15 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
20:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:15 -!- mode/#openvpn [+v s7r] by ChanServ
20:17 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has quit [Ping timeout: 255 seconds]
--- Log closed Fri Aug 29 20:19:49 2014
--- Log opened Fri Aug 29 20:19:56 2014
20:19 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
20:19 -!- Irssi: #openvpn: Total of 144 nicks [9 ops, 0 halfops, 2 voices, 133 normal]
20:19 -!- mode/#openvpn [+o ecrist_] by ChanServ
20:20 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 246 seconds]
20:20 -!- Irssi: Join to #openvpn was synced in 55 secs
20:20 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
20:22 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
20:22 -!- mode/#openvpn [+o vpnHelper] by ChanServ
20:24 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
20:24 -!- mode/#openvpn [+v hazardous] by ChanServ
20:27 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
20:27 -!- mete [~mete@91.247.253.160] has joined #openvpn
20:28 -!- Netsplit *.net <-> *.split quits: u0m3, dvl, joako, @ecrist
20:31 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 246 seconds]
20:32 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 246 seconds]
20:38 -!- Netsplit *.net <-> *.split quits: arkie, hydrajump, yoavz, sauce, Hello71, @dazo_afk, mete, jeev_, clu5ter, Cultist,  (+5 more, use /NETSPLIT to show all of them)
20:39 -!- Netsplit *.net <-> *.split quits: haasn, @Eugene, Tykling, Ring0`, mgorbach, swebb, catsup, jefferai, KiNgMaR, troyt,  (+109 more, use /NETSPLIT to show all of them)
20:39 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 246 seconds]
20:50 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
20:50 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
20:50 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
20:50 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
20:50 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
20:50 -!- Netsplit over, joins: mete, joako, @vpnHelper, u0m3_, +s7r, _KaszpiR_, zalami, swebb, batrick, svm_invictvs (+16 more)
20:50 -!- ServerMode/#openvpn [+vovo hazardous vpnHelper s7r krzee] by tepper.freenode.net
20:50 -!- Netsplit over, joins: bakhtiya, DrCode, y4h0, lbft, liriel, someone, Fusl, fchmmr, hid3, Gsa700 (+98 more)
20:56 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
21:02 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has joined #openvpn
21:02 < skibur> hello
21:04 < skibur> I have an issue trying to connect to my OpenVPN.  I can connect to it using my External IP while I'm connected to my wifi network.  I can't connect to when I'm using the phone's network.  I know that my modem and router are configured correctly because I can see my openvpn log.   What am I missing?
21:37 < jakhead> skibur: I can't remember if it's sprint or verizon, but a friend of mine had the same problem. I believe your service provider is blocking ports, its a known issue.
21:39 -!- jakhead [~hexx@108-254-136-68.lightspeed.tulsok.sbcglobal.net] has quit [Quit: WeeChat 1.0-dev]
21:39 -!- jakhead [~hexx@2602:306:cfe8:8440::40] has joined #openvpn
21:41 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
21:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:48 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has quit [Quit: leaving]
21:52 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has joined #openvpn
22:31 -!- jakhead [~hexx@2602:306:cfe8:8440::40] has quit [Ping timeout: 260 seconds]
23:10 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
23:16 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
23:16 -!- mode/#openvpn [+v hazardous] by ChanServ
23:17 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 250 seconds]
23:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:23 -!- mode/#openvpn [+o syzzer] by ChanServ
23:35 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:49 -!- ShadniX [dagger@p5DDFE9C7.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:51 -!- ShadniX [dagger@p5481D999.dip0.t-ipconnect.de] has joined #openvpn
23:55 -!- crus [crusader@121.211.80.56] has quit [Read error: Connection reset by peer]
--- Day changed Sat Aug 30 2014
00:15 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has quit [Excess Flood]
00:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
00:29 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:31 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
00:38 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:16 -!- mattock_afk is now known as mattock
01:22 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 246 seconds]
01:36 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has joined #openvpn
01:36 < skibur> Morning
01:40 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
01:50 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has quit [Quit: leaving]
01:55 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
01:55 < cesurasean> is there a guide to hook two openvpn servers together?
02:35 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
02:56 -!- Sembei [~Sembei@unaffiliated/sembei] has quit [Quit: WeeChat 1.1-dev]
03:00 <@krzee> !ircstats
03:00 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
03:04 < moviuro> Hi all! I'm unsure what this option does: push "dhcp-option DOMAIN ginfo"
03:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:27 -!- Latrina [~Latrina@151.56.164.100] has quit [Ping timeout: 250 seconds]
03:40 -!- Latrina [~Latrina@ppp-167-58.26-151.libero.it] has joined #openvpn
04:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:27 < moviuro> I'm experiencing major slowdowns with openvpn: pinging server: rtt min/avg/max/mdev = 1379.164/1644.433/1849.441/209.822 ms, pipe 2; pinging remote machine: rtt min/avg/max/mdev = 1699.886/2403.233/3352.104/600.854 ms, pipe 4; pinging an other client that is physically next to me: rtt min/avg/max/mdev = 7325.102/14367.114/19819.857/3872.812 ms, pipe 20
04:34 -!- mattock is now known as mattock_afk
04:36 < moviuro> so in the end, IDK what caused the major slowdown. Rebooting the clients however fixed the issue.... weird
04:45 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:09 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 245 seconds]
05:13 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
05:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:18 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:22 -!- mete [~mete@91.247.253.160] has joined #openvpn
05:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
05:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
05:38 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
05:40 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:48 -!- clyons [~kvirc@host86-184-240-65.range86-184.btcentralplus.com] has joined #openvpn
06:15 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
06:24 -!- havoc [~havoc@neptune.chaillet.net] has quit [Disconnected by services]
06:25 -!- Chais_ [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:26 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
06:29 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Ping timeout: 260 seconds]
06:29 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 260 seconds]
06:29 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
06:29 -!- kantlivelong [~kantlivel@home.kantlivelong.com] has quit [Ping timeout: 260 seconds]
06:29 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Ping timeout: 260 seconds]
06:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 260 seconds]
06:29 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 260 seconds]
06:29 -!- Chais_ is now known as Chais
06:29 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
06:33 -!- Cpt-Oblivious [~chatzilla@31-151-71-109.dynamic.upc.nl] has joined #openvpn
06:34 -!- asturel_ [~asturel@unaffiliated/asturel] has joined #openvpn
06:36 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 250 seconds]
06:36 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
06:36 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 250 seconds]
06:36 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 250 seconds]
06:36 -!- asturel_ is now known as asturel
06:36 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
06:37 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
06:38 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
06:40 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 250 seconds]
06:40 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 250 seconds]
06:41 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 250 seconds]
06:41 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
06:43 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
--- Log closed Sat Aug 30 06:53:20 2014
--- Log opened Sat Aug 30 12:11:10 2014
12:11 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
12:11 -!- Irssi: #openvpn: Total of 132 nicks [6 ops, 0 halfops, 1 voices, 125 normal]
12:11 -!- mode/#openvpn [+o ecrist] by ChanServ
12:11 -!- Irssi: Join to #openvpn was synced in 1 secs
12:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-pxvknhbghkjmzvsp] has joined #openvpn
12:15 <@krzee> VoidPsi,
12:15 <@krzee> !configs
12:15 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:15 <@krzee> !logs
12:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:15 <@krzee> just the side with the error for now
12:17 <@krzee> thenyck, basically you're asking about building a darknet
12:17 <@krzee> you need to read:
12:17 <@krzee> !route
12:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:17 <@krzee> a vpn is basically just an ethernet cable, you gotta setup the routing as desired =]
12:20 -!- kirin` [telex@gateway/shell/anapnea.net/x-pxvknhbghkjmzvsp] has quit [Ping timeout: 240 seconds]
12:20 < VoidPsi> http://pastebin.com/4ZmZBcm3 is my ovpn file, and http://pastebin.com/9DMesiXK is my logfile.
12:21 <@krzee> !fullpath
12:21 <@krzee> !path
12:21 <@vpnHelper> "path" is (#1) use full paths in your config! or (#2) if you use windows, see !winpath
12:22 < VoidPsi> !winpath
12:22 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key" or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
12:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-fqgfofsbdogajxbe] has joined #openvpn
12:24 < VoidPsi> well I don't see any paths in this ovpn file, and it seems like it expects ca.crt to be in the current directory.  I don't have any file called ca.crt anywhere on my pc.  This ovpn file was provided by my employer, I didn't make any of it myself.  They also provided a csr, crt, and key file
12:25 < VoidPsi> Which are all in my config directory
12:25 < thenyck> ok. however. routing between different client subnets is possible?
12:25 < thenyck> even though these are /30 subnets using CCD
12:25 < thenyck> ?
12:25 <@krzee> VoidPsi, they gave you a csr crt and key but no ca.crt?
12:26 <@krzee> VoidPsi, you need the ca.crt file. go back to whoever gave you the files and ask them to stop sucking
12:26 <@krzee> thenyck, maybe if you make a network diagram it'll help me understand your question
12:26 <@krzee> !diagram
12:26 < VoidPsi> Lol, thank your krz
12:26 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
12:27 <@krzee> i used gliffy while making the flowcharts and the image in !route
12:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-fqgfofsbdogajxbe] has quit [Ping timeout: 245 seconds]
12:31 -!- kirin` [telex@gateway/shell/anapnea.net/x-zjnbkmwwzceqtnvv] has joined #openvpn
12:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-zjnbkmwwzceqtnvv] has quit [Ping timeout: 245 seconds]
12:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-vwdjoxbqkpdmffqo] has joined #openvpn
12:45 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:48 -!- kirin` [telex@gateway/shell/anapnea.net/x-vwdjoxbqkpdmffqo] has quit [Read error: Connection reset by peer]
12:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:49 -!- mode/#openvpn [+v s7r] by ChanServ
12:49 -!- kirin` [telex@gateway/shell/anapnea.net/x-rhscxkfptjeemfgs] has joined #openvpn
12:54 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has joined #openvpn
12:54 < skibur> Morning
12:55 -!- kirin` [telex@gateway/shell/anapnea.net/x-rhscxkfptjeemfgs] has quit [Ping timeout: 245 seconds]
12:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-gkzqrvqbswojjacv] has joined #openvpn
12:59 < skibur> When I use the openvpn --config name.ovpn, I get an error that the route is wrong.  What can I do to fix it?
13:00 <@krzee> show us
13:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-gkzqrvqbswojjacv] has quit [Read error: Connection reset by peer]
13:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-uhhnfxsauzyyaruw] has joined #openvpn
13:08 < skibur> http://pastebin.com/JNXaw8Kz
13:08 -!- Chex [Chex@hotlanta.northnook.ca] has joined #openvpn
13:10 -!- Aelius [~Aelius@unaffiliated/aelius] has left #openvpn []
13:12 -!- kirin` [telex@gateway/shell/anapnea.net/x-uhhnfxsauzyyaruw] has quit [Read error: Connection reset by peer]
13:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-jcisvntxaxwontfr] has joined #openvpn
13:13 < skibur> I'm still able to connect and everything is cool, but not sure why the error.
13:14 <@krzee> dont use the same subnet for your lan and vpn subnet
13:14 <@Eugene> It's right there in the error message: you've got a subnet conflict.
13:14 <@krzee> Sat Aug 30 13:04:57 2014 WARNING: potential route subnet conflict between local LAN [10.12.80.0/255.255.255.0] and remote VPN [10.12.80.0/255.255.255.0]
13:15 < skibur> hum... let me connect via phone
13:16 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has quit [Quit: leaving]
13:19 -!- kirin` [telex@gateway/shell/anapnea.net/x-jcisvntxaxwontfr] has quit [Ping timeout: 260 seconds]
13:21 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbvjlhzpsejxpwvv] has joined #openvpn
13:21 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has joined #openvpn
13:21 < skibur> http://pastebin.com/n78DJsSN
13:22 < skibur> Same issue
13:22 <@krzee> !configs
13:22 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:26 < skibur> ?
13:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-wbvjlhzpsejxpwvv] has quit [Read error: Connection reset by peer]
13:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-tnngqcdacdpsonwo] has joined #openvpn
13:30 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Quit: Seeya!]
13:34 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has joined #openvpn
13:34 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
13:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-tnngqcdacdpsonwo] has quit [Read error: Connection reset by peer]
13:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-llpyszkiqhszihvv] has joined #openvpn
13:45 -!- kirin` [telex@gateway/shell/anapnea.net/x-llpyszkiqhszihvv] has quit [Ping timeout: 255 seconds]
13:46 -!- kirin` [telex@gateway/shell/anapnea.net/x-ccxvactsopvdlwvz] has joined #openvpn
13:47 <@krzee> ?
13:49 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
13:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-ccxvactsopvdlwvz] has quit [Read error: Connection reset by peer]
13:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-hpxmdqwlgvgjrwpa] has joined #openvpn
14:01 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
14:01 -!- skibur [~skibur@cpe-72-177-185-230.satx.res.rr.com] has quit [Quit: leaving]
14:02 -!- kirin` [telex@gateway/shell/anapnea.net/x-hpxmdqwlgvgjrwpa] has quit [Read error: Connection reset by peer]
14:02 -!- kirin` [telex@gateway/shell/anapnea.net/x-mlxdambkalvyghvo] has joined #openvpn
14:08 <@Eugene> ?
14:09 -!- kirin` [telex@gateway/shell/anapnea.net/x-mlxdambkalvyghvo] has quit [Ping timeout: 250 seconds]
14:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-ysyxquzynoqtnfxr] has joined #openvpn
14:17 -!- kirin` [telex@gateway/shell/anapnea.net/x-ysyxquzynoqtnfxr] has quit [Read error: Connection reset by peer]
14:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-zcthjiqyhzsuewhw] has joined #openvpn
14:21 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
14:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-zcthjiqyhzsuewhw] has quit [Ping timeout: 245 seconds]
14:26 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
14:26 -!- kirin` [telex@gateway/shell/anapnea.net/x-yjmeqeycylvafcka] has joined #openvpn
14:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-yjmeqeycylvafcka] has quit [Read error: Connection reset by peer]
14:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-gdsulawiabnmhvol] has joined #openvpn
14:39 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
14:41 -!- thenyck [~micele@194.95.62.114] has quit [Quit: Leaving.]
14:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
14:42 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
14:43 -!- kirin` [telex@gateway/shell/anapnea.net/x-gdsulawiabnmhvol] has quit [Read error: Connection reset by peer]
14:43 -!- kirin` [telex@gateway/shell/anapnea.net/x-xyrscvevrjyejrnu] has joined #openvpn
14:48 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
14:52 -!- kirin` [telex@gateway/shell/anapnea.net/x-xyrscvevrjyejrnu] has quit [Read error: Connection reset by peer]
14:52 -!- kirin` [telex@gateway/shell/anapnea.net/x-zijtacgisbmnnoqj] has joined #openvpn
14:58 -!- kirin` [telex@gateway/shell/anapnea.net/x-zijtacgisbmnnoqj] has quit [Ping timeout: 240 seconds]
15:00 -!- kirin` [telex@gateway/shell/anapnea.net/x-ckqtkaelzfbpwbiu] has joined #openvpn
15:06 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
15:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-ckqtkaelzfbpwbiu] has quit [Read error: Connection reset by peer]
15:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-iafcdmarbneoatmf] has joined #openvpn
15:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-iafcdmarbneoatmf] has quit [Ping timeout: 250 seconds]
15:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-eanzkkvgngfjfkgj] has joined #openvpn
15:21 -!- moviuro_ is now known as moviuro
15:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-eanzkkvgngfjfkgj] has quit [Ping timeout: 245 seconds]
15:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-rhjocrselfcxhsgj] has joined #openvpn
15:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-rhjocrselfcxhsgj] has quit [Read error: Connection reset by peer]
15:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-cknmezcqikuvfgkb] has joined #openvpn
15:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-cknmezcqikuvfgkb] has quit [Ping timeout: 250 seconds]
15:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-wezncghxonormgws] has joined #openvpn
15:44 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
15:48 -!- kirin` [telex@gateway/shell/anapnea.net/x-wezncghxonormgws] has quit [Read error: Connection reset by peer]
15:48 -!- kirin` [telex@gateway/shell/anapnea.net/x-qoambczbvbqxdxkp] has joined #openvpn
15:53 -!- Chex [Chex@hotlanta.northnook.ca] has quit [Ping timeout: 252 seconds]
15:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-qoambczbvbqxdxkp] has quit [Read error: Connection reset by peer]
15:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-vbapwbiqofrvexjp] has joined #openvpn
16:01 -!- fred`` [fred@earthli.ng] has quit [Quit: +++ATH0]
16:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-vbapwbiqofrvexjp] has quit [Ping timeout: 245 seconds]
16:05 -!- kirin` [telex@gateway/shell/anapnea.net/x-mudzyaxsehsjsjkj] has joined #openvpn
16:12 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-mudzyaxsehsjsjkj] has quit [Read error: Connection reset by peer]
16:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-zmjhnpgsfrmvfdsv] has joined #openvpn
16:19 -!- kirin` [telex@gateway/shell/anapnea.net/x-zmjhnpgsfrmvfdsv] has quit [Ping timeout: 250 seconds]
16:21 -!- kirin` [telex@gateway/shell/anapnea.net/x-bavhtfdmktcvfopb] has joined #openvpn
16:24 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
16:24 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
16:24 < Nyoom> beep, anyone there?
16:27 -!- kirin` [telex@gateway/shell/anapnea.net/x-bavhtfdmktcvfopb] has quit [Ping timeout: 240 seconds]
16:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-atvkoewkgxdxwper] has joined #openvpn
16:33 -!- fred`` [fred@earthli.ng] has joined #openvpn
16:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-atvkoewkgxdxwper] has quit [Read error: Connection reset by peer]
16:47 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
16:53 -!- VoidPsi [~ilioth@pc50.oaks6.selu.edu] has quit []
17:12 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
17:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
17:16 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
17:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:17 -!- mode/#openvpn [+v s7r] by ChanServ
17:27 < moviuro> would it be better to create a ssh socks proxy (ssh -D) or a tunnel (ssh -L localport:far_remote_server:1194 some_server_in_the_middle) to use with openvpn?...
17:30 -!- fred`` [fred@earthli.ng] has joined #openvpn
17:33 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:46 <@Eugene> Neither; openvpn is perfectly capable of existing outside of a SSH session
17:49 < moviuro> Eugene: not when the server is _not_ reachable from the outside world
17:50 < moviuro> the server is inside my college and a firewall I don't control blocks everything to this machine
17:50 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
17:50 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
17:51 < moviuro> so I do need to put openvpn inside a SSH link between myself and this 'machine in the middle'
18:00 < Hello71> sshuttle
18:00 < Hello71> actually, never mind
18:01 < moviuro> no, I really need a VPN with this far remote server (there are machines next to it that I need to access) and the VPN config is fine
18:01 < moviuro> so: are there performance issues with either SOCKS5 or simple tunneling?
18:02 < moviuro> ssh -D port and then socks-proxy 127.0.0.1 port OR ssh -L port:farremote:1194 and remote 127.0.0.1 port ?
18:08 < Hello71> not really.
18:09 < Hello71> you may want to use --cipher none if the LAN is secure
18:09 < Hello71> !tcpintcp
18:09 < Hello71> !tcp
18:09 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
18:12 < moviuro> UDP server simply won't work in my case (I tried many things but I suppose the firewall in front of machine_in_the_middle blocks UDP on port 22
18:13 < moviuro> and the remote LAN is not secure
18:13 < moviuro> at least, not between machine_in_the_middle and far_remote_server
18:22 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:44 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:12 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
19:18 -!- Latrina [~Latrina@adsl-ull-200-177.50-151.net24.it] has quit [Ping timeout: 245 seconds]
19:19 -!- Latrina [~Latrina@ppp-112-7.26-151.libero.it] has joined #openvpn
19:35 < K1rk> moviuro: So add a firewall exception?
19:36 < K1rk> oh
19:36 < K1rk> nvm
19:36 < K1rk> moviuro: So the problem is with outbound udp 22 not inbound?
19:36 < K1rk> Try running on port 53
19:37 < K1rk> College firewall probably allows outbound udp 53 because that's DNS usually
19:37 < K1rk> :)
20:13 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
20:37 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:54 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:02 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has joined #openvpn
22:16 < cesurasean> is it possible to use a client connecting to a client/server that connects to a server?
22:17 < cesurasean> moviuro, drop out of school, please.
22:17 < cesurasean> wasting everyone's time.
22:17 < cesurasean> lol
22:18 -!- jeraldv [~jerald@fsf/member/jeraldv] has joined #openvpn
22:40 -!- Gsa700 [~Gsa700@unaffiliated/gsa700] has quit [Quit: Seeya!]
22:45 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Remote host closed the connection]
22:55 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:16 -!- lxb [~lxb@li378-41.members.linode.com] has joined #openvpn
23:41 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
23:48 -!- ShadniX [dagger@p5481D999.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:49 -!- ShadniX [dagger@p5DDFFECC.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Aug 31 2014
00:10 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
00:19 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
00:50 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:50 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has quit [Excess Flood]
01:10 -!- zalami is now known as ajoox
02:58 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Ping timeout: 260 seconds]
02:59 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
03:04 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Ping timeout: 260 seconds]
03:16 -!- early [~early@192.241.198.49] has joined #openvpn
03:30 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
03:34 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
03:42 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
03:51 < moviuro> LOL@ cesurasean (even though he's not here)
03:52 < moviuro> K1rk: indeed, it seems after many tries that my UDP setup does not work (UDP over SSH tunneling, be it SOCKS [-D] or tunnel [-L]) just keeps searching for the remote
04:15 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Remote host closed the connection]
04:19 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
05:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:09 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
05:10 -!- jeraldv [~jerald@fsf/member/jeraldv] has quit [Ping timeout: 250 seconds]
05:16 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
05:38 -!- stf [~stf@p4FC3A2F6.dip0.t-ipconnect.de] has joined #openvpn
05:39 < stf> hello guyz, has anyone of you a guide for me to build openvpn2 or my macosx?
06:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:10 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
07:35 -!- opti2k4 [~opti2k4@cpe-109-60-42-117.st4.cable.xnet.hr] has joined #openvpn
07:36 < opti2k4> Hi, since repos.openvpn.net turned off, where can i find latest repos for centos 6?
07:38 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
07:40 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
07:40 -!- mode/#openvpn [+o vpnHelper] by ChanServ
07:41 -!- Netsplit *.net <-> *.split quits: arkie
07:43 -!- Netsplit over, joins: arkie
07:46 -!- vpnHelper is now known as 23LABFSSI
07:46 -!- 23LABFSSI is now known as vpnHelper
07:57 -!- Netsplit *.net <-> *.split quits: K1rk, Brando753, DrCode
07:58 -!- Netsplit over, joins: K1rk
07:58 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Max SendQ exceeded]
07:59 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
07:59 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
08:00 -!- Netsplit over, joins: Brando753
08:00 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
08:13 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 474 seconds]
08:13 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 474 seconds]
08:14 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
08:15 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
08:17 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 250 seconds]
08:31 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:33 -!- Netsplit *.net <-> *.split quits: clu5ter, Olipro, Nothing4You, Ulrar, fred``, tekk
08:44 -!- Netsplit over, joins: fred``, Nothing4You, clu5ter, Ulrar
08:47 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
08:55 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 240 seconds]
09:34 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:38 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
09:50 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
10:07 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
10:14 < opti2k4> Hi, since repos.openvpn.net turned off, where can i find latest repos for centos 6?
10:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:20 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
10:27 -!- Tux_Fighter [~Tux_Fight@p54874A87.dip0.t-ipconnect.de] has joined #openvpn
10:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
10:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:32 -!- mode/#openvpn [+v s7r] by ChanServ
10:34 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has quit [Quit: Leaving...]
10:35 < Tux_Fighter> Hi Guys, I got problems with a openvpn setup via tap. It works fine between the linux server and linux clients, but windows clients aren´t pingable from the server and no gateway is set on the windows clients.
10:36 < Tux_Fighter> This are the configs: http://pastebin.com/HLx1hMe2
10:38 -!- Fruckiwacki [daniel@ns3265753.ip-37-59-53.eu] has joined #openvpn
10:41 < Fruckiwacki> Hello, I want to specify a iproute2 rule after my vpn connection is up. My problem is that the ip adress the tun device gets is dynamic. How can I pass the ip to a --route-up script?
10:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
10:49 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
10:56 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
10:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:00 -!- Fruckiwacki [daniel@ns3265753.ip-37-59-53.eu] has quit [Read error: Connection reset by peer]
11:06 -!- fchmmr [~ask@fsf/member/fchmmr] has quit [Quit: http://minifree.org/isp]
11:06 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
11:08 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
11:15 -!- Tux_Fighter [~Tux_Fight@p54874A87.dip0.t-ipconnect.de] has quit []
11:15 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
11:20 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Read error: Connection reset by peer]
11:21 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
11:21 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
11:24 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
11:28 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
11:28 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
11:31 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
11:31 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
11:36 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
11:42 -!- stf [~stf@p4FC3A2F6.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
11:47 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:10 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:17 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has joined #openvpn
12:22 < G_Known> I'm having trouble getting to direct my traffic to the browser: NOTE: unable to redirect default gateway — Cannot obtain current remote host address.
12:23 < G_Known> The logs are in here: http://pastie.org/9517245
12:23 < Hello71> browser? what browser
12:23 < G_Known> I'm trying to pass my internet traffic over the VPN
12:24 < G_Known> so when I browse on the internet, it'll be encrypted.
12:24 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
12:25 < linuxthefish> hi, in /etc/openvpn/ipp.txt i have "linuxthefish,10.8.0.4", but when client linuxthefish joins he has IP 10.8.0.6 :(
12:25 < Hello71> you have to put ipp in the config file.
12:26 < linuxthefish> i have "ifconfig-pool-persist ipp.txt"
12:26 < Hello71> !logs
12:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
12:28 <@krzee> well
12:28 <@krzee> !ipp
12:28 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
12:28 <@krzee> as you see, ipp does not do what you think… it is merely a suggestion
12:28 <@krzee> if you want static ips, give static ips
12:28 <@krzee> !static
12:28 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
12:28 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
12:30 -!- seba [~seba@2001:4d88:3503:c001:216:3eff:fe73:fab7] has joined #openvpn
12:30 < linuxthefish> There is a problem in your selection of --ifconfig endpoints [local=10.8.0.1, remote=10.8.0.254]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
12:30 < linuxthefish> oh
12:30 < linuxthefish> why is there such a small subnet limit?
12:30 <@krzee> !topology
12:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:30 <@krzee> !net30
12:31 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:33 < linuxthefish> oh thanks, confusing! :((
12:33 <@krzee> why confusing?
12:33 < linuxthefish> all different topology things
12:33 <@krzee> change to topology subnet and you can use all ips in the subnet
12:34 < linuxthefish> will i need to change client config also?
12:34 <@krzee> then use static ips in ccd entries like this:  ifconfig-push 10.8.0.250 255.255.255.0
12:34 <@krzee> no.
12:34 <@krzee> !ccd
12:34 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-upsdqlbvpfdmgzzb] has joined #openvpn
12:37 < linuxthefish> it seems to work for assigning that ip with subnet toplogy thing (Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.254/10.8.0.1 [SUCCEEDED]), but i get the error message "ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet" in the client!
12:38 <@krzee> show me your --server config line in the server config
12:38 < G_Known> !redirect-gateway
12:39 <@krzee> !redirect
12:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:39 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:40 < linuxthefish> krzee i use "http://pastebin.com/raw.php?i=SL7XktWN"
12:40 < G_Known> !nat
12:40 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
12:40 < linuxthefish> "dev tun" and "topology subnet" are the only changed bits
12:41 -!- kirin` [telex@gateway/shell/anapnea.net/x-upsdqlbvpfdmgzzb] has quit [Ping timeout: 245 seconds]
12:42 < linuxthefish> oh wait it's an issue with my ccd file :(
12:43 < linuxthefish> the ccd file for my user only has "ifconfig-push 10.8.0.254 10.8.0.1" in, yet removing that line makes openvpn work fine
12:44 < linuxthefish> oh wait wrong way around!
12:46 < linuxthefish> argh it's assigning the client the server ip now! wtf
12:46 <@krzee> then use static ips in ccd entries like this:  ifconfig-push 10.8.0.250 255.255.255.0
12:46 <@krzee> like i said
12:48 < linuxthefish> oh 250 works, thanks
12:48 < linuxthefish> solved now, thanks all! :)
12:48 <@krzee> its not the 250, its the fact that you put the subnet in
12:48 <@krzee> yw
12:48 < linuxthefish> oh
13:16 -!- opti2k4 [~opti2k4@cpe-109-60-42-117.st4.cable.xnet.hr] has quit [Ping timeout: 250 seconds]
13:24 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has quit [Remote host closed the connection]
13:25 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has joined #openvpn
13:25 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has quit [Client Quit]
13:33 -!- p3rror [~mezgani@41.249.22.201] has joined #openvpn
13:37 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has joined #openvpn
13:41 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has joined #openvpn
13:41 < G_Known> !redirect
13:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:41 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:43 < G_Known> !nat
13:43 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:44 < G_Known> !linnat
13:44 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
13:45 < G_Known> Does redirect gateway only requires IP forward and NAt to be enabled on the server side?
13:46 < G_Known> Right now my server doesn't have any firewall installed and the client does.
13:48 <@krzee> yes, you need to nat on the servers network
13:48 <@krzee> either the server itself, or the router that the server connects to (if it doesnt connect directly), they will both work
13:50 < G_Known> Well, the server is in a lxc container and is connected by libvirt.
13:50 < G_Known> So that means that setting up NAT on the client side is pointless?
13:52 < G_Known> Last time I've heard was that IP forwarding is to be enabled on both machines.
13:53 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit []
13:55 <@krzee> no, only on the machine that needs to forward traffic between interfaces
13:55 <@krzee> so definitely the server
13:55 <@krzee> also the client if you happen to be sharing its lan
14:03 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
14:08 < G_Known> Is there a way to test if NAT works?
14:09 <@krzee> tcpdump i guess would be how i would check
14:09 <@krzee> !redirect
14:09 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:09 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:12 < G_Known> !dns
14:12 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
14:14 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has joined #openvpn
14:15 -!- mode/#openvpn [+v debbie10t] by ChanServ
14:17 <+debbie10t> https://forums.openvpn.net/topic98.html#p44509
14:17 <@vpnHelper> Title: OpenVPN Support Forum Lans behind OpenVPN : Tutorials (at forums.openvpn.net)
14:17 <+debbie10t> something for krzee
14:18 -!- mode/#openvpn [-v debbie10t] by ChanServ
14:18 <@krzee> i meant for that topic to be about the doc itself, not a place for everybody with lans behind openvpn to ask for support. i will make that its own thread
14:19 <@krzee> wow 19 new messages
14:19 -!- mode/#openvpn [+v debbie10t] by ChanServ
14:19 <+debbie10t> well that is exactly why i bring your attention to it
14:19 <+debbie10t> if you want i will split it etc
14:19 <@krzee> cool thanks
14:20 <+debbie10t> sure :)
14:20 <@krzee> pls do split, while i check these 19 msgs
14:20 <@krzee> haha
14:20 <+debbie10t> all the requests for help have been suitably dealt with
14:21 <+debbie10t> re: pms
14:21 <@krzee> oh i see, its all those, i like that we can see the mod reactions now
14:21 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
14:21 <+debbie10t> lol
14:21 <+debbie10t> fk 'em
14:22 <+debbie10t> ;)
14:32 <+debbie10t> krzee: out of shear curiosity .. does this mean you are not ignoring me no more ?
14:32 <+debbie10t> or is this a one off ?
14:33 <@krzee> your hostname changed and you havnt made me feel the need to since
14:33 <+debbie10t> ok .. i will endevour not to not make you feel that in future
14:34 <@krzee> ;]
14:34 <+debbie10t> thanks :)
14:34 <@krzee> np
14:34  * debbie10t breaths major sigh of relief !
14:39 -!- mode/#openvpn [-v debbie10t] by ChanServ
14:41 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
15:13 -!- ahklerner1 [~nkruzan@unaffiliated/ahklerner] has joined #openvpn
15:14 -!- ahklerner1 [~nkruzan@unaffiliated/ahklerner] has left #openvpn []
15:14 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
15:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:15 -!- mode/#openvpn [+v s7r] by ChanServ
15:17 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
15:24 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
15:26 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
15:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:43 < G_Known> !nat
15:43 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
15:43 < G_Known> !linnat
15:43 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
15:44 -!- mode/#openvpn [+v debbie10t] by ChanServ
15:44 <+debbie10t> !openvzlinnat
15:45 < G_Known> Does anyone have a clue what does the error: redirect default gateway: cannot current remote host address, is?
15:45 <+debbie10t> yes ..
15:46 < G_Known> I don't know how to get confirmation on making sure that NAT works except to input iptable commands.
15:47 <+debbie10t> NAT is a part of iptables .. therefore you must ask iptables what NAT it is doing ...
15:47 <+debbie10t> try:
15:47 <+debbie10t> iptables -t nat -L
15:49 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Read error: Connection reset by peer]
15:50 < G_Known> SNAT       all  --  anywhere             anywhere             to:192.168.X.XX
15:50 < G_Known> MASQUERADE  all  --  10.8.0.0/24          anywhere
15:50 <+debbie10t> did you post your configs ?
15:51 < G_Known> you mean my client/server configs?
15:52 <+debbie10t> of course
15:54 < G_Known> http://pastie.org/9517580
15:54 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
15:55 < G_Known> I've tried to connect via 443 port but it doesn't seem to be reading my config files as it'll bind to 1194. I had to specify the port option.
15:56 <+debbie10t> you do _not_ want it to bind
15:56 <+debbie10t> the client that is
15:57 <+debbie10t> did you run your sever as R00T
16:00 < G_Known> Yeah, I did enable nobind option in the conf files but it doesn't appear to take in effect when I try to connect to it. Specifying it will require a remote option on both machines. Yes the server is root.
16:02 < G_Known> While the client is able to connect, the server doesn't.
16:03 <+debbie10t> eh?
16:04 <+debbie10t> https://forums.openvpn.net/topic16127.html
16:04 <@vpnHelper> Title: OpenVPN Support Forum Save password in OpenVPN Connect : Access Server (at forums.openvpn.net)
16:04 <+debbie10t> ^^
16:07 < G_Known> So I guess that really isn't a problem since I could just use the port option to do it.
16:09 <+debbie10t> did you read this : https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAG
16:09 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:12 <+debbie10t> use --port n on the server
16:12 <+debbie10t> use --nobind on the client
16:22 < G_Known> the server doesn't seem to reacting, while the client is looking for [AF_INET]192.168.122.2:1194
16:24 <+debbie10t> are your server & client on the same LAN ?
16:26 < G_Known> No, they each have different IP addresses
16:29 <+debbie10t> Are you server & cliewnt in different locations ?
16:31 < G_Known> Not exactly, server is my lxc container.
16:32 <+debbie10t> yeah got it
16:32 <+debbie10t> no need for server side lan ?
16:35 -!- mode/#openvpn [-v debbie10t] by ChanServ
16:36 < G_Known> Well, this server is all I have. Not sure why creating another one would help
16:36 -!- mode/#openvpn [+v debbie10t] by ChanServ
16:36 <+debbie10t> all you have ..
16:37 < G_Known> Mainly is that this server is to SSH during my initial progress of copying static key.
16:38 < G_Known> By default, LXC shares with my network stack so it has the same IP address.
16:39 -!- mode/#openvpn [-v debbie10t] by ChanServ
16:40 < G_Known> It's getting late, I'll come back later to talk more.
16:56 -!- cap3lla [~cap3lla@unaffiliated/cap3lla] has joined #openvpn
16:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-jajfrhgkrpztkhnm] has joined #openvpn
16:57 < cap3lla> hi all. I am facing following problem after tunnel has been successfully initiated --> I am pinging and I am seeing the error "Authenticate/Decrypt packet error: cipher final failed". So I checked ...
16:58 < cap3lla> my configs. I am NOT using any "cipher ..." line in both configs (server+client). But I also tried to use "cipher BF-CBC" on both sides and restarted. It didn't help. I am clueless. Any help appreciated
16:58 -!- mode/#openvpn [+v debbie10t] by ChanServ
16:59 < cap3lla> server is running "OpenVPN 2.1.4 mipsel-openwrt-linux" and client is running "OpenVPN 2.3.1 mips-unknown-linux-gnu"
16:59 <+debbie10t> !paste cap3lla
17:00 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has quit [Quit: Leaving]
17:00 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has quit [Ping timeout: 240 seconds]
17:03 -!- kirin` [telex@gateway/shell/anapnea.net/x-jajfrhgkrpztkhnm] has quit [Read error: Connection reset by peer]
17:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-hbrgpxufoxbuomyf] has joined #openvpn
17:05 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
17:06 -!- cap3lla [~cap3lla@unaffiliated/cap3lla] has quit [Quit: protect yourself! --> www.govspy.com <-- be informed, share that!]
17:10 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
17:25 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
17:29 < zoidberg-> Hi, i have a linux router/gateway for a home ADSL - which tunnels all traffic over a openvpn tunnel.  This works great, i've come to want to lock the firewall down some with the default policies of FORWARD allow, INPUT drop, OUTPUT allow.  What rules do I need to add to allow the openvpn clien tto communicate with the server ? When i set those default policies i can't seem to get out to the internet or tunnel ?
17:30 -!- fred`` [fred@earthli.ng] has joined #openvpn
17:30 < zoidberg-> i had the nat/forward rules in there before the default policies and that made it work, now i added the default policies i obviously need other rules to allow the openvpn traffic
17:30 < zoidberg-> can't seem to figure out what those are
17:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
17:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:48 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:59 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has joined #openvpn
18:06 -!- notregistered [~unknown@134.255.161.114] has joined #openvpn
18:06 < notregistered> hi
18:06 < notregistered> after updating my system, it seems openvpn is bugged
18:06 < dvl> yo
18:06 < dvl> oops.
18:07 < notregistered> it connects fine but ip stays always the same
18:07 < notregistered> I noticed metric changed to 1024 and 20 on the route table
18:07 < notregistered> I'm using manjaro, it's based on arch
18:09 < notregistered> but it's wierd
18:09 < notregistered> because my ping changed
18:09 < notregistered> like if I ping google.com it's different when it's connected
18:09 < notregistered> but all tcp connections are still going through the enp4s0 interface
18:09 < notregistered> instead of tun0
18:11 < notregistered> I think I updated network-manger
18:11 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
18:11 < notregistered> manager*
18:11 < notregistered> what is the DCB tab ?
18:12 < notregistered> do I need to changed something on there?
18:13 < dvl> Sorry, I do not know.
18:13 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
18:13 -!- lachesis [~lachesis@unaffiliated/lachesis] has left #openvpn []
18:18 < notregistered> I really would appreciate someone to help, I'm kinda frustrated surfing at 5kb/s
18:18 < notregistered> and openvpn helps me bypass traffic shaping
18:22 < _FBi> ?
18:26 < _FBi> I thought IPtables designated your route out
18:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:28 < notregistered> no aditional rules into iptables
18:34 -!- Raelith [~Raelith@host81-158-60-239.range81-158.btcentralplus.com] has joined #openvpn
18:36 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn
18:38 < G_Known> !linnat
18:38 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
18:40 -!- notregistered [~unknown@134.255.161.114] has quit [Ping timeout: 250 seconds]
18:55 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
19:01 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has quit [Excess Flood]
19:02 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
19:02 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
19:02 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
19:04 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
19:04 -!- mode/#openvpn [+o plai] by ChanServ
19:06 -!- EugeneKay [eugene@kashpureff.org] has joined #openvpn
19:06 -!- Exagone313_ [~exa@vps.ewd.xyz] has joined #openvpn
19:06 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
19:07 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Remote host closed the connection]
19:07 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Write error: Broken pipe]
19:07 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Write error: Connection reset by peer]
19:07 -!- Latrina [~Latrina@ppp-112-7.26-151.libero.it] has quit [Write error: Broken pipe]
19:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
19:07 -!- Eugene [eugene@kashpureff.org] has quit [Remote host closed the connection]
19:07 -!- EugeneKay is now known as Eugene
19:07 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
19:11 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 250 seconds]
19:11 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 250 seconds]
19:12 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
19:17 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has joined #openvpn
19:33 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
19:33 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:37 -!- notregistered [~unknown@134.255.161.114] has joined #openvpn
19:37 < notregistered> http://pastebin.com/RjBJYG9M
19:37 < notregistered> turns out it's not adding the default route
19:38 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
19:38 < notregistered> I think this has to do with lzo 2.08
19:41 < notregistered> write to TUN/TAP : Invalid argument (code=22)
19:49 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 260 seconds]
19:50 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:53 < notregistered> so lzo broke my openvpn :|
19:55 -!- p3rror [~mezgani@41.249.22.201] has quit [Ping timeout: 245 seconds]
19:56 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
19:57 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:57 -!- early [~early@192.241.198.49] has quit [Remote host closed the connection]
20:00 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
20:02 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
20:02 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
20:02 -!- early [~early@192.241.198.49] has joined #openvpn
20:05 -!- early [~early@192.241.198.49] has quit [Remote host closed the connection]
20:07 -!- early [~early@192.241.198.49] has joined #openvpn
20:17 -!- early [~early@192.241.198.49] has quit [Remote host closed the connection]
20:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:21 -!- early [~early@192.241.198.49] has joined #openvpn
20:21 < notregistered> anyone here usign arch
20:27 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
20:28 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
20:34 -!- pekster_ is now known as pekster
20:35 -!- notregistered [~unknown@134.255.161.114] has quit [Ping timeout: 240 seconds]
20:36 < G_Known> does anyone knows the list of known error with redirect gateway?
20:37 < G_Known> I was hoping to see that the the error I'm seeing is what it says it is
20:39 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Ping timeout: 245 seconds]
20:57 < G_Known> !ssl
21:02 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn
21:05 < G_Known> does anyone know where to find vpn subnet?
21:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:39 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
22:19 < G_Known> https://forums.openvpn.net/topic10923.html
22:19 <@vpnHelper> Title: OpenVPN Support Forum troubleshooting flowchart for using the internet over VPN : Configuration (at forums.openvpn.net)
22:19 < G_Known> Shouldn't redirect gateway be enabled on the SERVER?
22:20 < Hello71> !redirect
22:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:20 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
22:21 < Hello71> !gateway
22:21 < G_Known> The flowchart either have a misprint or a typo
22:22 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
22:23 < Hello71> no.
22:23 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
22:24 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
22:25 < G_Known> So it needs to be enabled on both machines?
22:25 < G_Known> Or just on the client?
22:25 < Hello71> man openvpn
22:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:28 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
22:28 < G_Known> ok
22:28 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
22:33 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
22:34 < G_Known> Seems like if I enable redirect gateway on the client, it will hang.
22:35 < G_Known> !linnat
22:35 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
22:37 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
22:38 -!- G_Known [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has quit [Read error: Connection reset by peer]
22:38 -!- G_Known1 [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has joined #openvpn
22:41 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
22:43 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
22:46 -!- zeroNones [~textual@187.204.186.123] has joined #openvpn
22:49 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
22:53 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
22:54 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
23:09 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
23:12 -!- arescorpio [~arescorpi@92-202-17-190.fibertel.com.ar] has quit [Excess Flood]
23:14 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Quit: On the other hand, you have different fingers.]
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
23:46 -!- G_Known1 [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has left #openvpn []
23:48 -!- ShadniX [dagger@p5DDFFECC.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:49 -!- ShadniX [dagger@p57941ABF.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Sep 01 2014
00:18 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
00:21 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has quit [Quit: Leaving...]
00:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:35 -!- G_Known1 [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has joined #openvpn
00:35 < G_Known1> Just wondering, does this channel block users who use webchat?
00:42 -!- G_Known1 [~Instantbi@pool-72-95-235-34.pitbpa.east.verizon.net] has quit [Quit: Instantbird 1.5 -- http://www.instantbird.com]
00:51 -!- zeroNones [~textual@187.204.186.123] has quit [Read error: Connection reset by peer]
01:14 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
01:32 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Ping timeout: 260 seconds]
01:34 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
01:39 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
01:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:39 -!- mode/#openvpn [+v s7r] by ChanServ
01:49 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:56 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
01:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
02:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:14 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
02:17 -!- cap3lla [~cap3lla@unaffiliated/cap3lla] has joined #openvpn
02:23 < cap3lla> hi all. I have two sites connected through OpenVPN. The endpoints both are behind a NAT internet router (classic scenario). LAN2 is running the server, LAN1 the client. LAN1=192.168.111.0/24 LAN2=172.16.0.0/24. The tunneling interface on LAN1 is 10.15.34.6 P-t-P:10.15.34.5 and on LAN2 10.15.34.1 P-t-P:10.15.34.2.
02:23 < cap3lla> On server side I am using the config "iroute" in combination with custom-client-dir, so all clients on LAN1 can access the hosts on LAN2. So far so good. My question is:
02:25 < cap3lla> which static routes do I need to setup on both internet routers LAN1 and LAN2 ? On LAN1 do I have to add a static route "172.16.0.0/24" with gateway of the LAN1 internet router? And on LAN2 I add the static route "192.168.111.0/24" with IP of internet router LAN2 ? Is that enough? Or do I also have to add the 10.15.34.0/24 subnet on BOTH sides?
02:25 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 260 seconds]
02:26 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:31 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
02:31 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Read error: Connection reset by peer]
02:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:47 < cap3lla> anyone?
02:51 -!- cap3lla [~cap3lla@unaffiliated/cap3lla] has left #openvpn ["protect yourself! --> govspy.com <-- it's your privacy"]
04:06 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
04:06 -!- mode/#openvpn [+v s7r_m] by ChanServ
04:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
04:06 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 250 seconds]
04:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:46 -!- s7r_m is now known as s7r
05:01 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
05:09 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
05:09 -!- mode/#openvpn [+o mattock_] by ChanServ
05:09 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has quit [Client Quit]
05:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
05:15 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
05:25 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
05:27 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Ping timeout: 240 seconds]
05:33 < nath_schwarz> Oy mates; I have a small problem. Openvpn runs as a service on my fedora-machine and creates the pid-file '/run/openvpn/$serverName.pid' correctly. Thing is - it resets the permissions of the folder '/run/openvpn/' to be only readable by openvpn (u+rwx, g+x), while the pid-file has the correct permissions (u+rw, g+r, o+r). Due to the folder not being executable scripts can't check for the pid-file - is this
05:33 < nath_schwarz> a problem of openvpn or systemd and if openvpn is there a workaround?
05:44 <@krzee> nath_schwarz, what user needs to manage openvpn?
05:44 <@krzee> i would expect openvpn user or root...
05:48 < nath_schwarz> openvpn
05:48 < nath_schwarz> the owner of the folder is set to root, the group to openvpn; the pid-file however is set to root user and root group. Seems like systemd doesn't like openvpn to switch to its own user
05:48 < nath_schwarz> In theory it would be sufficient to set a cronjob under root that waits until the pid-file is created and sets o+x on the folder; But thats neither nice nor clean.
05:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
06:03 < nath_schwarz> Ok, systemd has a setting ExecStartPost that allows to execute commands after the service has been started. Still not really neat since it doesn't wait for the connection to be established.
06:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:28 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 252 seconds]
06:29 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:46 <@krzee> i dont think the pid waits for that either
06:48 < nath_schwarz> It doesn't, but this way the script can't access it (and see it as nonexistent)
06:48 < nath_schwarz> s/see/sees
06:48 -!- livelace [~livelace@195.239.112.118] has joined #openvpn
06:50 <@krzee> you saying openvpn changes the permissions on that dir?  i think its probably made according to the umask
06:51 <@krzee> so if the dir comes up as 710 the umask is prolly 067
06:51 < nath_schwarz> Actually I'm working on a more complex post-command. A pre-command unsets the executable flag on the directory purposefully (in case the defaults are changed), the post-command then runs a while-loop until a ping to the server responds and the sets the executable flag again
06:52 <@krzee> what if the server changes subnets? does it figure out the new server ip?
06:52 < nath_schwarz> Well, the dirs of other sevices have the executable flag set so I don't think that it is a default of systemd
06:55 < nath_schwarz> Won't happen, it's just a small private vpn
06:57 <@krzee> cool
06:58 < livelace> hello. raw throughput speed is ~500Mb/s but over tap device speed ~140Mb/s. I disable cipher for payload and nothing.
06:59 <@krzee> !speed
06:59 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
06:59 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
06:59 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
06:59 < livelace> 50-60% of cpu usage
06:59 <@krzee> livelace, dual core box?
07:00 < livelace> CPU support aes-ni
07:00 < livelace> E5-2620
07:00 <@krzee> im supposed to look that up to answer my question?
07:00 < livelace> openssl component, BZ#1022002
07:00 < livelace>     The external Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is no longer available in openssl; the engine is now built-in and therefore no longer needs to be manually enabled.
07:00 < livelace> openssl also support aes-ni
07:01 <@krzee> !google E5-2620 dual core
07:01 <@vpnHelper> PassMark - [Dual CPU] Intel Xeon E5-2620 @ 2.00GHz - Price ...: <http://cpubenchmark.net/cpu.php?cpu=Intel+Xeon+E5-2620+%40+2.00GHz&id=1214&cpuCount=2>; ARK | Intel® Xeon® Processor E5-2620 (15M Cache, 2.00 GHz ...: <http://ark.intel.com/products/64594/Intel-Xeon-Processor-E5-2620-15M-Cache-2_00-GHz-7_20-GTs-Intel-QPI>; Intel Xeon E5-2620 Sandy Bridge-EP 2.0GHz (2.5GHz Turbo Boost ...:
07:01 <@vpnHelper> <http://www.newegg.com/Product/Product.aspx?Item=N82E16819117269>
07:01 < livelace> But nothing
07:01 <@krzee> 50% on a dual core box is probably 100% on a single core
07:01 <@krzee> and openvpn only runs on a single core
07:01 < livelace> I know
07:02 <@krzee> also, are you sure openvpn was built with your openssl which supports aes-ni?
07:02 <@krzee> !mtu
07:02 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
07:02 <@krzee> oh no, wrong one
07:02 <@krzee> !gigabit
07:02 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
07:02 < livelace> But my system have two E5-2620, with 24 core
07:02 < nath_schwarz> Damn, it works, and it works great.
07:02 <@krzee> he talks about aes-ni a lil there
07:02 <@krzee> livelace, does not matter. openvpn runs on 1 core.
07:02 < livelace> I know
07:02 < livelace> One core use 50%
07:03 < livelace> With cipher payload off
07:03 < livelace> I can turn off cipher for signal protocol ?
07:03 < livelace> For testing purpose
07:04 -!- Mimiko [~Mimiko@89.28.88.177] has quit [Client Quit]
07:04 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
07:04 <@krzee> what you mean
07:04 <@krzee> "signal protocol" = ?
07:04 < livelace> I test speed with --cipher none - speed was 140Mb/s == encryption disabled
07:05 <@krzee> are you getting a reading from every cpu core separately?
07:05 < livelace> But control message always tls enabled
07:05 <@krzee> 50% still sounds like a maxxed out core to me
07:05 < livelace> Main question: why speed is low with disabled encryption ?
07:06 <@krzee> hell even if it is a single core that could be the display if it expects to be allowed to do hyperthreading and cannot because its a single threaded app
07:06 <@krzee> main answer: because encryption isnt your bottleneck right now.
07:07 < livelace> Then what ?
07:07 <@krzee> i still think you're maxxing the cpu
07:07 < livelace> I disable compression too
07:07 <@krzee> is it using 50% with no real traffic?
07:08 <@krzee> or only when you push it?
07:08 < livelace> With iperf over tunnel
07:08 <@krzee> tried playing with mtu?
07:09 < livelace> Yes, i set tun-mtu, but i use tap device
07:09 < livelace> tap for bridge
07:09 <@krzee> oh god
07:09 <@krzee> first off, why are you bridging?
07:09 < livelace> ?
07:09 < livelace> I connect two networks in one subnet
07:10 <@krzee> just to access lans over openvpn?
07:10 <@krzee> do you specifically need layer2?
07:10 < livelace> Yes
07:10 <@krzee> for...?
07:10 < livelace> l2 need
07:10 < livelace> For rip and other things
07:10 <@krzee> you dont need l2 for rip dude
07:10 <@krzee> so in other words you dont know why you need l2?
07:11 < livelace> Ok, l2 not need for rip
07:11 <@krzee> (unless rip is a user of yours who needs l2)
07:12 < livelace> I want that addressing was the same between data center sites
07:12 <@krzee> aka layer3 routing?
07:12 < livelace> No
07:12 <@krzee> why do you feel you need layer2 to accomplish that?
07:13 < livelace> Routing for clients, also as tun device
07:13 < livelace> Yes
07:13 < livelace> No routing
07:13 < livelace> L2 bridging
07:13 <@krzee> i assume you're saying you want to use addresses from 1 DC in another DC
07:13 < livelace> Between sites - l2
07:13 <@krzee> (without having to learn bgp)
07:13 < livelace> :)
07:13 <@krzee> in which case, you dont need layer2
07:13 <@krzee> ESPECIALLY a bridge
07:14 < livelace> I ask about speed
07:14 <@krzee> shit i would never bridge between datacenters, just asking for breaches to go way bigger than necessary
07:14 <@krzee> !whybridge
07:14 < livelace> No about l2
07:14 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
07:14 <@krzee> your speed is effected by transmitting that extra layer on EVERY single packet
07:14 <@krzee> !tunortap
07:14 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
07:14 <@vpnHelper> rooted/jailbroken) support only tun
07:15 < livelace> I don't want routing between sites
07:15 < livelace> Routes enough with clients and their subnets
07:15 <@krzee> you keep focusing on what you think the right solution is instead of what problem you are looking to solve
07:16 <@krzee> "<livelace> Routes enough with clients and their subnets"   <-- what does that mean?
07:16 < livelace> My question: why my tap device is so slow, even if i disable encryption and compression ?
07:17 <@krzee> once again, because compression and encryption are not related to your problem
07:17 <@krzee> same answer as last time you asked it
07:17 <@krzee> but since you're not interested in improving your setup, ill go back to rolling a blunt
07:17 < livelace> krzee, Route enough for customers and their subnets to be a routing table servers.
07:20 < livelace> krzee, I thought of you, the last time you advised me not to use the opportunity to refuse a client to connect to the server through the control message (TEMPORARY_AUTH_FAILURE).
07:21 < livelace> krzee, or i confuse ?
07:21 <@krzee> not that i remember
07:22 <@krzee> i would write a ccd entry with disable, unless of course i was using a database driven backend
07:22 <@krzee> but theres more than 1 way to deny access
07:22 <@krzee> if it was permanent i would suggest a CRL
07:22 < livelace> Ok
07:23 <@krzee> not sure i would suggest against any method, so long as it works
07:23 < livelace> now i show
07:23 <@krzee> crl is a little better since it blocks access early in the connection, and does so cryptographically
07:23 <@krzee> earlier*
07:23 <@krzee> anyways, make a tun and test iperf on it
07:24 <@krzee> test your mtu
07:24 <@krzee> etc
07:24 <@krzee> (systematically, not just by testing random settings with iperf)
07:25 <@krzee> did you say you are trying to give customers l2 access to eachother over the vpn?
07:26 <@krzee> or you to each of theirs?
07:32 < livelace> http://i68.fastpic.ru/big/2014/0901/36/502b232991e50725773fa7f7fa430036.png
07:36 < livelace> l2 between data center sites
07:36 < livelace> customers over tun
07:37 < livelace> With different settings and access servers
07:38 < livelace> krzee, What openvpn do with CPU (50% of one core) if encryption and compression disabled ?
07:38 <@krzee> dont know… maybe its trying to process a ton of mtu mischopped l2 packets
07:39 <@krzee> if you refuse to troubleshoot you'll never find out either
07:39 < livelace> nonsense
07:39 <@krzee> ok you're right, you'll argue yourself to knowing whats wrong
07:40 <@krzee> let me know how that goes
07:44 < livelace> l2 speed the same , even enabled encryption and/or compression -> no increase in the rate of
07:45 < livelace> Nothing
07:45 <@krzee> no shit
07:45 <@krzee> <krzee> once again, because compression and encryption are not related to your problem
07:45 < livelace> As it was - and remains
07:45 < livelace> Ha
07:45 < livelace> But what about the overhead ?
07:46 <@krzee> test iperf over a tun vpn
07:46 <@krzee> just for fun
07:46 < livelace> I need tap
07:46 <@krzee> test it anyways
07:46 < livelace> I need tap
07:46 <@krzee> or sit there complaining that you disabled encryption and it doesnt help
07:46 <@krzee> whatev, im ignoring you now, later
07:47 < livelace> :)
07:48 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
08:48 -!- Netsplit *.net <-> *.split quits: MacGyver
08:49 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has joined #openvpn
08:49 -!- Netsplit over, joins: MacGyver
08:50 < deranged_user> what did I get wrong if I have set an openvpn to have ipv6 and the client can only access "local" ips?
08:50 < deranged_user> (I'm assigning the clients and the servers real ips within a subnet
08:50 < deranged_user> )
08:50 < deranged_user> a real addressable subnet
08:52 < deranged_user> talking to other addresses on the server in the full /64 I own works from the client
08:52 < deranged_user> although clients are being assigned within a /112
08:52 < deranged_user> but any other ipv6 addresses don't work
08:52 < deranged_user> ipv6.google.com for exacmple
08:52 < deranged_user> example*
08:53 < deranged_user> tried flushing ip6tables
08:53 < deranged_user> enabled ipv6 packet forwarding in /etc/sysctl.conf
08:54 < deranged_user> echo'd "1" to /proc/sys/net/ipv6/conf/all/forwarding
08:56 < kareem-ali> deranged_user: to understand your problem better. An OpenVPN client can connect to other OpenVPN clients on your OpenVPN IPv6 addresses but any OpenVPN client can't connect to Google over IPv6 ?
08:56 < kareem-ali> is that your problem ?
08:56 < deranged_user> indeed
08:56 < kareem-ali> does your routers, announcing your IPv6 range, know about the route to your IPv6 assigned subnet for OpenVPN ?
08:57 < deranged_user> it should, let me check
08:57 < kareem-ali> there must be a static route from your routers pointing to your OpenVPN server for OpenVPN's IPv6 subnet
08:58 < kareem-ali> try pinging your ovpn V6 subnet from your routers
08:58 < deranged_user> "my routers"?
08:58 < kareem-ali> or router
08:58 < deranged_user> it's a vpn
08:58 < deranged_user> I don't have router access but I have a /64 forwarded to my machin
08:58 < deranged_user> e
08:58 < kareem-ali> sorry I assumed you have your own Ipv6 assigned subnet which you are using for v6 connectivity
08:58 < deranged_user> I am
08:58 < deranged_user> a /64
08:59 < kareem-ali> is it from a tunnel broker ?
08:59 < kareem-ali> or your own assigned from local reginal registrar
08:59 < kareem-ali> like RIPE or ARIN
09:00 < deranged_user> I don't know how ramnode do it, I'll see if I can find out
09:00 < kareem-ali> basically you need to make sure that Google knows how to route to your /64
09:00 < kareem-ali> there should be a router that is doing that
09:00 < kareem-ali> or a server connected to a tunnel broker if you are using one of those services
09:01 < deranged_user> ping6 -I tun0 ipv6.google.com
09:01 < deranged_user> that works
09:01 < deranged_user> hmm, that doesn't seem to actually be sending by tun0
09:01 < deranged_user> uno momento
09:01 < kareem-ali> so it's RIPE :)
09:02 < deranged_user> http://pastebin.com/raw.php?i=5c6rQYuw
09:02 < kareem-ali> is that from your OVPN server ?
09:03 < deranged_user> ignore the fairly sketchy looking current dir, it's not anything sketchy
09:03 < deranged_user> yep
09:03 < deranged_user> tun0 should be using 2a00:d880:5:3a:4::
09:03 < deranged_user>           inet6 addr: 2a00:d880:5:3a:4::1/112 Scope:Global
09:05 < deranged_user> (I'm using debian linux, by the way.)
09:06 < kareem-ali> what is your OVPN subnet ?
09:06 < kareem-ali> the one you push for clients ?
09:06 < deranged_user> 2a00:d880:5:3a:4::/112
09:06 < deranged_user> should be
09:07 < deranged_user> my client gets assigned:
09:07 < deranged_user> 2a00:d880:5:3a:4::1000
09:07 < deranged_user>           inet6 addr: 2a00:d880:5:3a:4::1000/112 Scope:Global
09:07 < kareem-ali> your /64 is from a tunnel broker, right ?
09:07 < deranged_user> I haven't a clue
09:10 < kareem-ali> how many tun interfaces do you have?, including the one for OVPN
09:10 < deranged_user> 1
09:10 < kareem-ali> on your OVPN server
09:10 < deranged_user> 1
09:10 < kareem-ali> ok so I think you have your own routed /64 subnet, either from your own routers or from your ISP
09:11 < kareem-ali> disable rp_filter
09:12 < deranged_user> I don't see an ipv6 one of those
09:12 < deranged_user> only an ipv4, in /etc/sysctl.conf that is
09:15 < kareem-ali> to make sure that packets are being routed back to your server
09:15 < kareem-ali> open a ping6 from an OVPN client
09:15 < kareem-ali> like 'ping6 google.com'
09:15 < kareem-ali> and do a tcpdump for icmp6
09:15 < kareem-ali> tcpdump -nn -i any icmp6
09:15 < deranged_user> tcpdump on the server?
09:15 < kareem-ali> see if you're getting replies from google
09:15 < kareem-ali> yes
09:17 < deranged_user> I don't have a clue what tcpdump's output means
09:17 < deranged_user> shall I pastebin?
09:18 < deranged_user> http://pastebin.com/raw.php?i=dHVAgkQn
09:19 < kareem-ali> no replies received
09:19 < kareem-ali> so Google doesn't know about your subnet
09:19 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
09:19 < deranged_user> strange
09:20 < deranged_user> ... I think I have an idea
09:21 < deranged_user> oh, nope
09:21 < deranged_user> tried adding;
09:21 < deranged_user>         up /sbin/ifconfig eth0 inet6 add 2a00:d880:5:3a:4::/64
09:21 < deranged_user> to /etc/networking/interfaces, just in case
09:21 < kareem-ali> your /64 is 2a00:d880:5:3a::/64
09:21 < deranged_user> ... right
09:22 < kareem-ali> 2a00:d880:5:3a:3:: is visible to the internet
09:22 < kareem-ali> 2a00:d880:5:3a:4:: is not
09:22 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
09:22 < kareem-ali> I can ping 2a00:d880:5:3a:3::4
09:24 < deranged_user> that's weird
09:24 < kareem-ali> that is the address shown in your first pastebin
09:24 < kareem-ali> http://pastebin.com/raw.php?i=5c6rQYuw
09:24 < deranged_user> ya
09:24 < deranged_user> I know
09:25 < deranged_user> strange that 4:: is not visible
09:25 < kareem-ali> what is your tun0 address, and what subnet do you push on your OVPN server file ?
09:26 < deranged_user>           inet6 addr: 2a00:d880:5:3a:4::1/112 Scope:Global
09:26 < deranged_user> tun0 addr
09:26 < deranged_user> server-ipv6 2a00:d880:5:3a:4::/112
09:26 < deranged_user> is what I have in server.confg
09:26 < deranged_user> conf*
09:26 < kareem-ali> Does tun0 have two addresses ?
09:27 < deranged_user> two ipv6?
09:27 < kareem-ali> or another interface configured with 2a00:d880:5:3a:3::4?
09:27 < deranged_user> it has 1 ipv4 and 1 ipv6
09:27 < deranged_user> yeah another interface has that address
09:27 < deranged_user> eth0, to be precise
09:27 < kareem-ali> is it on /64 ?
09:27 < deranged_user> ... it is
09:27 < kareem-ali> your tun0 is in same broadcast domain as your eth0
09:28 < deranged_user> up /sbin/ifconfig eth0 inet6 add 2a00:d880:5:3a:3::4/64
09:28 < deranged_user> is what it was, in /etc/network/interfaces
09:28 < deranged_user> should that be /112?
09:28 < kareem-ali> if you can change it, yes
09:28 < deranged_user> can
09:28 < deranged_user> done
09:29 < kareem-ali> ping6 -I tun0 ipv6.google.com
09:29 < deranged_user> PING ipv6.google.com(par10s09-in-x09.1e100.net) from 2a00:d880:5:3a:3::4 tun0: 56 data bytes
09:29 < deranged_user> (did /etc/init.d/networking restart)
09:31 < kareem-ali> and ?
09:31 < deranged_user> http://pastebin.com/raw.php?i=9szHdpjQ
09:31 < deranged_user> >http://pastebin.com/raw.php?i=9szHdpjQ
09:31 < deranged_user> uh
09:31 < deranged_user> >from 2a00:d880:5:3a:3::4
09:32 < kareem-ali> also going out from eth0
09:32 < kareem-ali> did eth0 pick the new address ?
09:32 < deranged_user> yep
09:32 < deranged_user> yep
09:32 < deranged_user> ifconfig says so
09:32 < deranged_user>           inet6 addr: 2a00:d880:5:3a:3::1/112 Scope:Global
09:32 < deranged_user> uh
09:32 < deranged_user>           inet6 addr: 2a00:d880:5:3a:3::4/112 Scope:Global
09:33 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
09:34 -!- zeroNones [~textual@187.192.211.187] has joined #openvpn
09:36 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has quit [Remote host closed the connection]
09:38 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has joined #openvpn
09:38 < deranged_user> (ooops)
09:38 < kareem-ali> what ?
09:38 < deranged_user> I reconnected :P
09:39 < kareem-ali> :)
09:39 < deranged_user> but yeah, still no dice
09:39 < kareem-ali> your upstream, whether your own routers or your ISP, knows about 2a00:d880:5:3a:3::
09:39 < kareem-ali> but they don't know about 2a00:d880:5:3a:4::
09:41 < deranged_user> in the vm control panel there is a section on subnets, didn't seem to actually be a necessary thing but about 20 minutes ago I added 2a00:d880:5:3a:4::/64
09:41 < deranged_user> because it had 4 3:: in there for rdns purposes
09:41 < deranged_user> doesn't seem to have helped
09:43 < kareem-ali> should be /112
09:43 < kareem-ali> and is there anything for 3:: ?
09:44 < deranged_user> yes
09:44 < deranged_user> 3 things
09:44 < deranged_user> and I can't seem to be able to change the /64 part
09:44 < deranged_user> that's added for me
09:44 < deranged_user> and specifying it causes an error
09:46 < kareem-ali> so you have one VM hosted with some supplier, right ?
09:46 < deranged_user> that section though is just for setting rdns though, I think
09:46 < deranged_user> indeed
09:46 < deranged_user> one vm hosted with ramndoe
09:46 < deranged_user> ramnode*
09:46 < kareem-ali> then your setup won't work I'm afraid
09:47 < deranged_user> why?
09:47 < kareem-ali> because you can only have one broadcast domain, which is on your eth0
09:47 < kareem-ali> what you can do
09:47 < kareem-ali> is setup an RA
09:47 < kareem-ali> to your VPN clients
09:47 < kareem-ali> I mean make an IPv6 router and enable router advertisements over the tunnel
09:47 < kareem-ali> they will get a private IPv6 address
09:48 < kareem-ali> but it will be NATted over eth0's public IPv6 address
09:48 < deranged_user> fair enough, I can deal with that
09:49 < deranged_user> any pointers to a guide?
09:49 < kareem-ali> make sure you have IPv6 forwarding enabled, which I think you already done, and ip6tables  allowing that
09:49 < deranged_user> yep
09:49 < kareem-ali> not that I know of to be honest
09:49 < kareem-ali> but logically, it's doable
09:50 < deranged_user> was just asking to prevent me bothering others
09:50 < deranged_user> :P
10:02 -!- zeroNones [~textual@187.192.211.187] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:05 <@krzee> !ipv6
10:05 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
10:06 <@krzee> maybe "Split netblock configuration"  would help
10:07 <@krzee> "Splitting a single routable IPv6 netblock"  rather
10:07 < kareem-ali> that's his current setup
10:08 <@krzee> oh, i admit i skimmed since i dont know ipv6 i figured id give it a shot
10:12 < deranged_user> ipv6 hurts my head
10:13 < kareem-ali> can you pastebin ifconfigs on eth0 and tun0 please ?
10:13 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:14 < kareem-ali> splitting the network should've worked too, don't know why it's not working for you
10:16 < kareem-ali> I'm going to try and do it on my own VM tonight actually
10:16 < kareem-ali> I have a /64 which I never used
10:18 < kareem-ali> deranged_user: what is your IPv6 gateway ?
10:18 < deranged_user> 2a00:d880:5::1
10:18 < deranged_user> sorry stopped paying attention here
10:18 < deranged_user> still want ifconfigs?
10:19 < kareem-ali> yes
10:19 < deranged_user> http://pastebin.com/raw.php?i=nZKdAxe7
10:21 < kareem-ali> can you do the tcpdump on the server for icmp6, whilst pinging google from a client please ?
10:21 < kareem-ali> the pastebin you sent earlier is removed for some reason
10:22 < deranged_user> yeah I set them to expire within an hour, sorry, force of habbit
10:22 < kareem-ali> it's a good practice actually
10:23 < deranged_user> http://pastebin.com/raw.php?i=6ntH1RGP
10:23 < deranged_user> there might be some extra noise in there and stuff
10:24 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
10:26 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:27 < kareem-ali> do it again with "tcpdump -nn -i eth0 icmp6"
10:27 < deranged_user> http://pastebin.com/qG7gvktW
10:27 < deranged_user> http://pastebin.com/raw.php?i=qG7gvktW
10:28 < kareem-ali> so your server is definitely sending the packets
10:29 < kareem-ali> it's just not receiving any replies
10:29 < deranged_user> seems that way
10:32 < kareem-ali> I'm going to ping 2a00:d880:5:3a:4::1000 from an external device
10:32 < kareem-ali> can you please do tcpdump like so
10:32 < kareem-ali> tcpdump -nn -i any host 2a00:d880:5:3a:4::1000
10:32 < kareem-ali> leave it
10:32 < kareem-ali> if you see anything
10:32 < kareem-ali> let me know
10:32 < kareem-ali> on the server
10:33 < kareem-ali> is your tcpdump ready ?
10:33 < deranged_user> tcpdump -nn -i eth0 icmp6?
10:33 < kareem-ali> tcpdump -nn -i any host 2a00:d880:5:3a:4::1000
10:33 < deranged_user> oh
10:33 < deranged_user> sorry
10:33 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Read error: Connection reset by peer]
10:33 < deranged_user> ya
10:33 < deranged_user> it's going
10:33 < deranged_user> :o
10:33 < deranged_user> I see those
10:33 < deranged_user> want paste?
10:33 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
10:34 < kareem-ali> yes
10:34 < kareem-ali> it stopped, right ?
10:34 < deranged_user> http://pastebin.com/raw.php?i=MCYeCBjv
10:34 < deranged_user> what stopped? the pinging?
10:34 < kareem-ali> are you still pinging google from the client ?
10:34 < kareem-ali> if so, please stop that
10:34 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
10:35 < deranged_user> o
10:35 < deranged_user> crap I am
10:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:35 -!- mode/#openvpn [+v kareem-ali] by krzee
10:35 <+kareem-ali> ok, restarting tcpdump now then
10:35 < deranged_user> k
10:36 < deranged_user> I see nothing
10:36 <+kareem-ali> nothing ?
10:36 < deranged_user> nada
10:36 < deranged_user> nothing
10:36 <+kareem-ali> ok stop that
10:36 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has quit [Quit: Leaving...]
10:36 <+kareem-ali> and try this
10:37 <+kareem-ali> sysctl net.ipv6.conf.eth0.proxy_ndp=1
10:37 < deranged_user> done
10:37 <+kareem-ali> ip -6 neigh add proxy 2a00:d880:5:3a:4::/112 dev eth0
10:37 < deranged_user> Error: an inet address is expected rather than "2a00:d880:5:3a:4::/112".
10:37 <+kareem-ali> ip -6 neigh add proxy 2a00:d880:5:3a:4::1000 dev eth0
10:38 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
10:38 < deranged_user> done
10:38 < deranged_user> I see pings
10:38 < deranged_user> inbound pings
10:38 <+kareem-ali> ok good
10:38 < deranged_user> 2a02:348:82:cb69::6 ?
10:39 < deranged_user> :p
10:39 <+kareem-ali> we have one thing solved then
10:39 <+kareem-ali> basically your device needs to do neighbour advertisements to your ISP
10:39 <+kareem-ali> now the ISP knows about the network
10:39 <+kareem-ali> sending packets to your server
10:39 < deranged_user> wonderful
10:39 <+kareem-ali> but we need to find why your client didn't reply
10:40 <+kareem-ali> so, was it a single line of each packet or two lines ?
10:40 < deranged_user> uh, I had openvpn stopped on my client
10:40 < deranged_user> just started it
10:40 <+kareem-ali> I can ping 2a00:d880:5:3a:4::1000
10:40 <+kareem-ali> :)
10:40 <+kareem-ali> try pinging google now from your client
10:40 <+kareem-ali> ping6 google
10:40 < deranged_user> yep, can
10:40 <+kareem-ali> it should work
10:41 < deranged_user> AHHH hello masspings
10:41 < deranged_user> oh, not pings
10:41 < deranged_user> mass packets :O
10:42 <+kareem-ali> is it working ?
10:42 < deranged_user> yep
10:42 <+kareem-ali> great
10:42 <+kareem-ali> so that's it then
10:42 <+kareem-ali> you need to proxy NDP on your eth0 for your tun0 address
10:43 <+kareem-ali> the problem is with that command you're only proxying a single IPv6 address, which is 1000
10:43 < deranged_user> wouldn't learn-address be useful here?
10:44 <+kareem-ali> no idea
10:45 < deranged_user> -learn-address cmd
10:45 < deranged_user> Run script or shell command cmd to validate client virtual addresses or routes.
10:46 <+kareem-ali> at least we know what was missing now :)
10:46 < deranged_user> indeed
10:46 <+kareem-ali> so the command "sysctl net.ipv6.conf.eth0.proxy_ndp=1" is what enables proxy NDP on eth0
10:47 <+kareem-ali> it won't survive reboot or network restart
10:47 <+kareem-ali> you need to edit your /etc/sysctl.conf and add that line
10:49 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
10:49 < deranged_user> done
10:49 <+kareem-ali> ip -6 neigh add proxy 2a00:d880:5:3a:4::1000 dev eth0, will also be lost with reboot or restart networking
10:50 <+kareem-ali> you also need to put it somewhere
10:50 < deranged_user> http://pastebin.com/raw.php?i=KK1ALeRw
10:50 < deranged_user> put that in a script and set it to the learn-address in server.conf
10:51 < deranged_user> seems to have worked
10:51 <+kareem-ali> I don't have much knowledge with scripting :)
10:51 <+kareem-ali> good
10:51 < deranged_user> cheers for all the help
10:51 <+kareem-ali> np
10:58 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
11:00 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
11:00 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
11:01 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
11:02 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:06 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
11:14 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
11:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:25 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:41 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
11:51 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
11:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:28 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
12:30 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has joined #openvpn
12:33 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 260 seconds]
13:29 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
13:36 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
13:40 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has joined #openvpn
13:41 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 245 seconds]
13:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:56 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
13:56 < cesurasean> how do i test an openvpn client ( linux ) to linux server connection?
13:57 <@krzee> ping the other side?
13:58 -!- arescorpio [~arescorpi@63-203-17-190.fibertel.com.ar] has joined #openvpn
13:58 < cesurasean> what do you mean ping the otherside?
13:58 < cesurasean> is there not a command to run that says openvpn connection established?
14:01 <@krzee> i guess you could check the management interface, but i say ping the other side because in networking thats how you check a connection is up
14:01 <@krzee> !management
14:01 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
14:02 < cesurasean> how can i test a linux client's outside ip it's giving when surfing the internet?
14:02 <@krzee> well see now your entire question changes
14:02 <@krzee> you see, a vpn doesnt automatically mean you direct internet over it
14:03 <@krzee> so if your question was not "<cesurasean> how do i test an openvpn client ( linux ) to linux server connection?"  but rather "how do i test that my internet is being redirected over my vpn?"
14:03 <@krzee> then let me know
14:04 < cesurasean> ive configured the server to direct internet over it.
14:04 < cesurasean> and it doesn't seem to be.
14:04 < cesurasean> curl -s checkip.dyndns.org | sed 's/.*IP Address: \([0-9\.]*\).*/\1/g'
14:04 < cesurasean> shows my current ip address on the client, and not the server's ip address.
14:04 < cesurasean> i followed this guide, too! - cp -pv /root/easy-rsa/keys/{ca.{crt,key},server.{crt,key},ta.key,dh2048.pem} /etc/openvpn/certs/
14:04 < cesurasean> whoops
14:04 < cesurasean> https://d.stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
14:05 <@vpnHelper> Title: How to install and set-up OpenVPN in Debian 7 (Wheezy) | Stavrovski.Net (at d.stavrovski.net)
14:05 < cesurasean> this line obviously needs to be fixed. - iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
14:05 < cesurasean> eth0 is not my interface, i don't think.
14:06 < cesurasean> i tried iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source <PUBLIC_VPN_IP>
14:06 < cesurasean> but its not working.
14:06 < cesurasean> krzee, any idea?
14:12 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Remote host closed the connection]
14:21 -!- roy78 [~tiger@ip68-11-211-43.br.br.cox.net] has joined #openvpn
14:21 < roy78> yum install openvpn No package openvpn available.
14:21 < roy78> fedora 20
14:21 -!- roy78 [~tiger@ip68-11-211-43.br.br.cox.net] has left #openvpn []
14:22 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
14:51 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
14:55 -!- jangerhofer [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
14:55 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
14:57 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
14:59 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
15:03 < cesurasean> krzee, you still around?
15:07 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
15:27 -!- capo [~user@lorea/faerie] has joined #openvpn
15:37 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:45 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
15:51 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:56 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
16:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
16:18 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:22 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
16:24 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Read error: Connection reset by peer]
16:31 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Remote host closed the connection]
16:36 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
16:41 -!- Intensity [MtoM6bWb0_@unaffiliated/intensity] has joined #openvpn
17:30 -!- Latrina [~Latrina@ppp-7-17.26-151.libero.it] has joined #openvpn
18:17 -!- zeroNones [~textual@187.192.234.228] has joined #openvpn
18:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:38 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:38 -!- mode/#openvpn [+v s7r] by ChanServ
18:49 -!- Shinobi [~Wynn@2601:6:5c80:b4a:4c50:6fdb:fa50:7488] has joined #openvpn
18:50 < Shinobi> Can I run openvpn on a windows 7 machine over the wifi adapter?
18:52 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
19:00 -!- Airwave [~Airwave@94.246.37.45] has joined #openvpn
19:00 < Airwave> Any way to make a client first try to connect using UDP, and if that fails, try TCP?
19:00 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:00 -!- mode/#openvpn [+v s7r] by ChanServ
19:37 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
19:55 -!- cryptone [~jerald@fsf/member/jeraldv] has joined #openvpn
21:19 < Shinobi> openvpngui doesn't show anything when trying to connect and eventually fails.
21:19 < Shinobi> verbosity is at 9
21:24 -!- Shinobi [~Wynn@2601:6:5c80:b4a:4c50:6fdb:fa50:7488] has quit [Quit: Leaving]
21:39 -!- net125mp [~Home@unaffiliated/net125mp] has joined #openvpn
21:40 < net125mp> i have an openvpn config file that im trying to use via command line on linux to connect to my vpn connection
21:40 < net125mp> im using #openvpn --config configfile and its reading the config but i get this error
21:40 < net125mp> options error: unrecognized option or missing parameter verify-x509-name
21:41 < net125mp> my config after that line has the name it should have listed there
21:48 <@krzee> Airwave, see <connection> blocks
21:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:52 <@krzee> net125mp, you need to show that line from your config
21:53 <@krzee> it obviously has a problem.
21:53 <@krzee> --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and --verify-x509-name Server-1 name or you could use --verify-x509-name Server- name-prefix if you want a client to only accept connections to "Server-1", "Server-2", etc.
21:54 < net125mp> verify-x509-name "SEC-ca" name
21:54 < net125mp> is what my config file has for the user
21:55 <@krzee> what version openvpn do they have?
21:55 <@plai> net125mp: you openvpn version is probably too old
21:55 <@krzee> right, that option is only 2.3
21:56 < net125mp> my openvpn version on my computer that im trying to connect from, or on the openvpn server?
21:56 <@krzee> the one spitting out the error
21:57 < net125mp> updating and then rechecking the version
22:09 < net125mp> on linux, running after the update openvpn --version shows im using 2.2.1
22:09 < net125mp> im assuming this is my problem?
22:27 <@krzee> yes
22:27 <@krzee> which linux distro?
22:28 < net125mp> kali
22:28 < net125mp> so, i remove that line from the config and i get
22:29 < net125mp> Tue Sep  2 03:35:41 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
22:29 < net125mp> Tue Sep  2 03:35:41 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
22:29 < net125mp> Tue Sep  2 03:35:41 2014 Error opening file snowbird-udp-1194-squid.p12 (OpenSSL)
22:29 < net125mp> Tue Sep  2 03:35:41 2014 Exiting
22:31 <@krzee> and you dont understand the problem?
22:31 -!- arescorpio [~arescorpi@63-203-17-190.fibertel.com.ar] has quit [Excess Flood]
22:31 <@krzee> !repo
22:31 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
22:32 <@krzee> that'll help you update
22:33 < net125mp> i didnt follow that last error
22:34 < net125mp> 2.1 requires, im on 2.2
22:38 < net125mp> krzee: uname -a shows im using debian 3, which isnt an option for istalling the repo
22:39 <@krzee> the last error was it not finding the cert file
22:39 <@krzee> because you didnt give the path to it
22:40 -!- capo [~user@lorea/faerie] has quit [Excess Flood]
22:41 <@krzee> 3 is the kernel, not the distro version
22:44 < net125mp>  cat /proc/version
22:44 < net125mp> Linux version 3.7-trunk-686-pae (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP Debian 3.7.2-0+kali8
22:45 < net125mp> guess i could try squeeze
22:46 <@krzee> join their chan and ask which to use
22:47 < net125mp> just to make sure i undersatnd, the problem is that i need to use openvpn v2.3 or higher right
22:52 <@krzee> the verify-x509-name problem
22:54 <@krzee> the other problem is you are not pointing openvpn to the file
22:54 <@krzee> if you just use filename it must be in the directory you are in
22:54 <@krzee> !fullpath
22:54 <@krzee> !path
22:54 <@vpnHelper> "path" is (#1) use full paths in your config! or (#2) if you use windows, see !winpath
22:56 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
22:59 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 250 seconds]
22:59 -!- MogDog66 is now known as MogDog
23:11 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:46 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 260 seconds]
23:48 -!- ShadniX [dagger@p57941ABF.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:49 -!- ShadniX [dagger@p5DDFCB34.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Sep 02 2014
00:00 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
00:12 -!- zeroNones [~textual@187.192.234.228] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:19 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
00:33 -!- micko [~micko@203-219-65-120.static.tpgi.com.au] has quit [Remote host closed the connection]
00:33 < Airwave> krzee: Awesome, thanks.
01:48 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:01 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Remote host closed the connection]
02:11 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
02:27 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:47 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 260 seconds]
02:49 -!- nvdpl [~textual@195.8.220.207] has joined #openvpn
02:53 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
02:56 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
03:16 -!- cryptone [~jerald@fsf/member/jeraldv] has quit [Remote host closed the connection]
03:18 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
03:36 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
03:36 -!- cemotyz09 [~cesqueret@cpe-70-121-153-36.satx.res.rr.com] has joined #openvpn
03:37 -!- cemotyz09 [~cesqueret@cpe-70-121-153-36.satx.res.rr.com] has left #openvpn []
03:49 -!- akv [~akv@195.88.36.18] has joined #openvpn
03:52 < akv> Hey - I'm trying to setup OpenVPN on shared windows 7 workstations - but as none of the users have administration rights, the routes cannot be set and the connection is useless :/ I've found an old guide that gives two options - run OpenVPN as a service (not possible for us) or let the users use the "Run as Administrator" option - which only works for users who are a member of the administrators group... i've been looking for sudo like tools, but it doesn't look li
04:01 <+kareem-ali> akv: I think you can see permissions for users who can run the .exe file for ovpn
04:02 <+kareem-ali> set*
04:35 < akv> kareem-ali: yes, but it will still run as the user and if the user doesn't have administration rights, the routes will fail :/
04:39 -!- Airwave [~Airwave@94.246.37.45] has left #openvpn ["Bye"]
04:49 -!- net125mp [~Home@unaffiliated/net125mp] has quit [Quit: Leaving.]
04:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:55 -!- Mike-- [mad@mx.probie.nl] has quit [Ping timeout: 240 seconds]
05:06 -!- davegb3 [~davegb3@p54BE46E9.dip0.t-ipconnect.de] has joined #openvpn
05:29 -!- radiator [~radiator@host86-177-27-97.range86-177.btcentralplus.com] has joined #openvpn
05:52 -!- radiator [~radiator@host86-177-27-97.range86-177.btcentralplus.com] has quit [Ping timeout: 260 seconds]
05:52 -!- radiator_ [~radiator@104.131.17.63] has joined #openvpn
05:55 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
06:07 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
06:11 -!- radiator [~radiator@host86-177-27-97.range86-177.btcentralplus.com] has joined #openvpn
06:11 -!- radiator_ [~radiator@104.131.17.63] has quit [Ping timeout: 240 seconds]
06:12 -!- radiator [~radiator@host86-177-27-97.range86-177.btcentralplus.com] has quit [Client Quit]
06:19 -!- Shinobi [~Wynn@2601:6:5c80:b4a:642d:104:3922:3f24] has joined #openvpn
06:23 < Shinobi> I cannot seem to get openvpn server running on windows 7. I see no meesages in the the gui. Nothing in the logs. Any ideas
06:23 < Shinobi> ?
06:28 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:04 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 240 seconds]
07:26 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
07:29 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:50 -!- akv [~akv@195.88.36.18] has left #openvpn []
08:04 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
08:11 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
08:28 -!- jangerho-ARS [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
08:30 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
08:30 -!- jangerho-ARS [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
08:30 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has joined #openvpn
08:30 -!- jangerho [~jangerho@0587370344.wireless.umich.net] has quit [Read error: Connection reset by peer]
08:50 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
08:54 -!- AlexRussia [~alx@unaffiliated/alexrussia] has joined #openvpn
09:13 <@krzee> Shinobi, make sure you have the .ovpn file in the config dir, and make sure you start the config
09:15 < Shinobi> what do you mean start the config? I thougt a separate ovpn process would start for each ovpn file in the config dir.
09:15 < Shinobi> krzee ^
09:16 <@krzee> right click the gui icon my the clock
09:16 <@krzee> and run the config
09:16 <@krzee> windows isnt like linux, it doesnt just run every config on its own
09:16 <@krzee> in fact it cant, you would need a tap device setup for each one
09:16 -!- seba [~seba@2001:4d88:3503:c001:216:3eff:fe73:fab7] has quit [Excess Flood]
09:17 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:17 <@krzee> of course if you WANT it to start on its own, then you arent looking for the gui at all, you want a windows service
09:17 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
09:21 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
09:22 < Shinobi> krzee: Yes, the windows 7 machine will run the server. I set it up to autorun as a service, but thought I would see some info in the gui such as errors
09:22 < Shinobi> tap is installed
09:23 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:24 <@krzee> cool
09:24 < Shinobi> should the server log appear in the gui log window or is that a separate log for the client?
09:24 < Shinobi> krzee ^
09:28 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
09:32 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
09:43 < Shinobi> Do I need to specify the config file in the service? It only lists the path to openvpnser.exe   Should I add server.ovpn after it?
09:51 <@krzee> well
09:51 <@krzee> if its running as a service you will see nothing in the log window
09:51 <@krzee> if you think its up as a service, check your ipconfig, or just try to ping the vpn server ip
09:52 <@krzee> if you ARENT running it as a service, then the log shows in the vpn gui log window, but only after you start the config from the gui
09:52 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:52 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has quit [Ping timeout: 240 seconds]
09:52 <@krzee> when you start the gui it does not start the config, thats another step (as you may have multiple configs)
10:01 -!- nvdpl [~textual@195.8.220.207] has quit [Quit: ZZZzzz…]
10:04 -!- mattock_afk is now known as mattock
10:13 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
10:16 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:20 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
10:24 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:29 -!- davegb3 [~davegb3@p54BE46E9.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
10:33 -!- Gravitron [~admin@unaffiliated/gravitron] has joined #openvpn
10:37 -!- Gravitron [~admin@unaffiliated/gravitron] has left #openvpn []
10:37 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit [Remote host closed the connection]
10:38 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has joined #openvpn
10:42 -!- nvdpl [~textual@178.180.231.92.nat.umts.dynamic.t-mobile.pl] has joined #openvpn
11:00 -!- Shinobi [~Wynn@2601:6:5c80:b4a:642d:104:3922:3f24] has quit [Quit: Leaving]
11:03 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has joined #openvpn
11:05 < tiblock> Hi. I use openvpn client on win7 and i launch it with "openvpn my.ovpn". It initializes okay, bot no ping, i try to fix it but my problem is that its not closing. F4 not closing it, close button not closing, task manager not tclosing, taskill /f /im says succes killed, error - not running, "process killer" too not killing it
11:05 < tiblock> how to kill openvpn?
11:06 < tiblock> only solution is rebooting PC
11:06 -!- Geriatrix [~kvirc@mail.vancouveronthenet.com] has joined #openvpn
11:08 < Geriatrix> hey guys - can anyone recomment an open solution to two factor autentication
11:09 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
11:15 <@syzzer> Geriatrix: "open' is hard in that world
11:15 <@syzzer> you could take a look and the smartcardhsm, at least that uses open middleware
11:16 < Geriatrix> just looking at linotp
11:16 <@syzzer> ah, otp, sorry I don't know much about those - I was thinking smartcards
11:17 < Geriatrix> oh - sorry shoudl have been more specific
11:17 <@syzzer> tiblock: uninstall your openvpn and install the 'Windows XP' version - that uses the old (NDIS5) tap driver. What you're seeing seems to be a bug in the new driver/openvpn
11:18 < tiblock> syzzer, thank you
11:18 <@syzzer> tiblock: you're welcome. Could you maybe add your experience to this ticket: http://community.openvpn.net/openvpn/ticket/432
11:18 <@vpnHelper> Title: #432 (OpenVPN.exe hangs upon reconnecting) – OpenVPN Community (at community.openvpn.net)
11:19 < _FBi> tiblock, are you running as admin?
11:19 < tiblock> _FBi, uhm, no
11:20 < _FBi> disregard, try syzzer's fix
11:20 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:26 -!- takeyourhatoff [~tyho@home.ub.vc] has joined #openvpn
11:28 < takeyourhatoff> This is killing me. I am trying to connect to my openvpn server using tls auth (config: http://paste.debian.net/118970/) using network-manager-openvpn-gnome and it is connecting fine but I cannot route to the internet. I can ping the vpn server. I was previously able to route to the internet when I was using static keys and hardcoded client settings of ifconfig.
11:31 < tiblock> syzzer, _FBi, XP version closing great. Even ping works now, awesome! Thank you very much!
11:49 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:51 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
11:51 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
11:54 -!- takeyourhatoff [~tyho@home.ub.vc] has quit [Remote host closed the connection]
11:56 -!- nvdpl [~textual@178.180.231.92.nat.umts.dynamic.t-mobile.pl] has quit [Quit: ZZZzzz…]
11:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:26 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
12:29 -!- Exagone313_ is now known as Exagone313
12:32 -!- takeyourhatoff [~tyho@home.ub.vc] has joined #openvpn
12:54 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:01 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 240 seconds]
13:13 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
13:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
13:27 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
13:37 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
13:37 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Client Quit]
13:38 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
13:49 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Quit: Leaving...]
13:49 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
14:03 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 240 seconds]
14:04 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
14:27 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
14:27 -!- jangerho-ARS [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
14:28 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Read error: Connection reset by peer]
14:28 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
14:31 -!- jangerho-ARS [~jangerho@0587370639.wireless.umich.net] has quit [Read error: Connection reset by peer]
14:32 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
14:32 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
14:33 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Read error: Connection reset by peer]
14:34 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 240 seconds]
14:34 -!- davegb3 [~davegb3@p50817C78.dip0.t-ipconnect.de] has joined #openvpn
14:35 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
14:36 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
14:45 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
14:52 -!- mattock is now known as mattock_afk
14:56 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
15:03 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
15:32 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
15:33 -!- _genuser_ [~bobby@pool-173-57-187-209.dllstx.fios.verizon.net] has joined #openvpn
15:35 < _genuser_> hello folks. If I understand it correctly, using openvpn I can setup my own server at home and then VPN to it. But there is not public server list. Is that correct?
15:39 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
15:42 -!- BiSiKLeT [~cycle@178.245.130.212] has joined #openvpn
15:42 < BiSiKLeT> hi
15:43 < BiSiKLeT> i have installed openvpn. my client connecting to server without any problem. And pinging each.
15:43 < BiSiKLeT> but cannot ping any other machine on same network
15:43 < BiSiKLeT> what am i overlookin
15:45 <@syzzer> _genuser_: that is correct
15:46 <@syzzer> BiSiKLeT: probably your routing, either on your vpn machine, or the vpn config
15:47 < BiSiKLeT> let me check
15:48 < moviuro> BiSiKLeT: one option in the server configuration : client-to-client
15:48 < BiSiKLeT> do i need to remove it ?
15:48 <@syzzer> there is this bot here that has useful links, but I don't know the correct commands by heart. Let's see...
15:48 <@syzzer> !routing
15:48 <@syzzer> !route
15:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:48 <@vpnHelper> client
15:50 < _genuser_> syzzer: thanks. Sorry was looking away at google reading more. :) Now to decide which of my laptops will be my openvpn servers!!
15:52 < BiSiKLeT> moviuro : i have only 1 vpn client. all other PC's are on same network
15:52 < BiSiKLeT> moviuro : so i dont need client-to-client
15:52 < BiSiKLeT> am i wrong?
15:53 < moviuro> BiSiKLeT: are your vpn client and your other machines on the same network (e.g. 10.1.2.0/24)?
15:53 < moviuro> if yes, then you need it. If not, then not
15:54 < BiSiKLeT> my all machines are on same network 192.168.1.0/24
15:54 < BiSiKLeT> vpn client is running over internet
15:55 < moviuro> then you do need the option
15:57 < BiSiKLeT> tried
15:57 < BiSiKLeT> same
15:59 < linuxthefish> is it possible so i can still SSH into my PC's when they are connected to VPN?
15:59 < linuxthefish> like make sshd listen on all IP's when VPN connected
16:01 -!- davegb3 [~davegb3@p50817C78.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
16:01 < moviuro> linuxthefish: that's the default behavior of ssh. man sshd_config
16:01 < linuxthefish> but when i do "openvpn --config file.ovpn" i can only SSH into the box from inside the vpn network
16:06 -!- BiSiKLeT [~cycle@178.245.130.212] has quit []
16:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
16:09 -!- AlexRussia [~alx@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.0-dev]
16:10 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has joined #openvpn
16:10 < KWhat4> What is the diff between starting as a server and a daemon
16:12 < moviuro> KWhat4: daemon will go in the bg ; they are not antonyms
16:16 -!- Geriatrix [~kvirc@mail.vancouveronthenet.com] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
16:37 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
16:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:44 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has quit [Read error: Connection reset by peer]
17:47 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has joined #openvpn
17:55 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 255 seconds]
18:03 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:27 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has quit [Ping timeout: 240 seconds]
18:40 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 272 seconds]
18:45 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has joined #openvpn
19:19 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has quit [Ping timeout: 252 seconds]
19:32 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
19:33 < dtrainor> Howdy.  I have a few obscure networks through my VPN that I need access to.  Right now I have a bridged network that my server is connected to, and that works fine.  But I need to be able to hit two additional networks behind my server over the VPN from my client.
19:33 < dtrainor> Never done anything like this before so even a starting point would be great, I can figure it out from there.  What's this called?
19:34 < Hello71> "hit two additional networks behind my server over the VPN from my client"
19:34 < Hello71> wut
19:35 < dtrainor> So, I have a VPN server and it does openvpn stuff.  I have a client - a laptop - that connects to it, and that's how my VPN works.  In addition to the network that I'm able to access through the VPN, I need access to two additional networks behind the server.
19:35 < dtrainor> is this a bunch of ifconfig-push?
19:40 < dtrainor> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
19:40 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:40 < dtrainor> i think that's my ticket, just wanted to make sure.
19:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:49 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
19:49 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 246 seconds]
19:54 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has quit [Ping timeout: 245 seconds]
19:57 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:02 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has joined #openvpn
20:04 -!- hiyo [~Puppy@unaffiliated/hiyo] has joined #openvpn
20:06 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
20:13 < hiyo> How do I speed up the generation of the Diffie Hellman key?
20:14 < KWhat4> is it waiting for entropy
20:14 < hiyo> KWhat4: I think so, it has a bunch of periods with a couple + showing up every once in a while
20:16 < KWhat4> hiyo: besides some type of faster secure random number generator ... nothing
20:17 < hiyo> I waited over and hour already... is it supposed to take this long?
20:17 < KWhat4> depends on how big you made it
20:18 < hiyo> 2048
20:20 < pekster> Either your PC is really slow, or it's out of entropy. Try `find / >/dev/null 2>&1` on a Unix-alike
20:22 < hiyo> Well it's an ancient machine so I think the first is probably the explanation
20:23 < hiyo> pekster: that command ran fine
20:26 < hiyo> OH TEHRE WE GO
20:26 < hiyo> It's done
20:26 < hiyo> first time took an hour
20:26 < hiyo> second time less than 20 min
20:26 < hiyo> that's weird but ok
20:26 < KWhat4> you needed to do more work to generate some entropy
20:27 -!- hiyo [~Puppy@unaffiliated/hiyo] has left #openvpn []
20:48 < MogDog> Hi. This might be more of an iptables/firewall question but it involves a vpn so I'll throw it in here and see what happens :p. I'm trying to configure a machine in such a way that it's impossible for it to reach the internet by any means unless it goes through a vpn. This means that regardless of the vpn server being down, networkmanager or something crashing, or the vpn being manually shut down, no error would ever allow the machine to default back
20:48 < MogDog> to a set of rules that could allow it to reach the internet without going through the vpn. Does anyone have any help for this? Google is being pretty hit or miss and I can't quite get the hang of linux's iptables
21:00 < jzaw> MogDog, you mention iptables so i assume linux[like] system
21:01 < jzaw> how about looking at /etc/network/interfaces
21:01 < jzaw> and manually set your ip and gateway to the (predicable) ip of the vpn endpoint
21:01 < jzaw> default gateway
21:01 < jzaw> you can do this with dhcp and MAC reservation too
21:02 < MogDog> Yes, it's a linux machine
21:03 < jzaw> this is assuming your vpn endpoint is some other machine ?
21:03 < jzaw> a router perhaps ?
21:03 < MogDog> Well its a standard vpn service so the endpoint is a domain address that gets resolved to one of their exit machines
21:03 < jzaw> else the machine in question must at least be able to get to the vpn server to set up the tunnel in the first place
21:08 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has quit [Ping timeout: 260 seconds]
21:12 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has joined #openvpn
21:12 -!- fxhnd [~fxhnd@li394-8.members.linode.com] has joined #openvpn
21:23 -!- KWhat4 [~kwhat@pool-173-55-234-215.lsanca.fios.verizon.net] has left #openvpn []
21:25 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
21:49 -!- arescorpio [~arescorpi@58-241-16-190.fibertel.com.ar] has joined #openvpn
21:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:07 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:22 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 268 seconds]
22:33 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Quit: Leaving...]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:34 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:45 -!- ShadniX [dagger@p5DDFCB34.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:47 -!- ShadniX [dagger@p5481CA05.dip0.t-ipconnect.de] has joined #openvpn
23:57 -!- G_Known [~Instantbi@pool-72-95-237-125.pitbpa.east.verizon.net] has joined #openvpn
23:58 -!- G_Known [~Instantbi@pool-72-95-237-125.pitbpa.east.verizon.net] has quit [Client Quit]
--- Day changed Wed Sep 03 2014
00:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
00:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:42 -!- mattock_afk is now known as mattock
00:56 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
01:00 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
01:04 -!- arescorpio [~arescorpi@58-241-16-190.fibertel.com.ar] has quit [Excess Flood]
01:16 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
01:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:47 -!- mattock is now known as mattock_afk
01:53 -!- davegb3 [~davegb3@p54BE4BB5.dip0.t-ipconnect.de] has joined #openvpn
01:56 -!- moviuro_ [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
01:56 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has quit [Ping timeout: 245 seconds]
01:57 -!- moviuro_ is now known as moviuro
02:05 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:23 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
02:23 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:24 -!- Mimiko [~Mimiko@89.28.88.177] has quit [Client Quit]
02:34 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 268 seconds]
03:06 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 255 seconds]
03:06 -!- livelace [~livelace@195.239.112.118] has quit [Quit: Leaving]
03:09 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:50 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 245 seconds]
03:55 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
04:04 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:40 < davegb3> what's the best way of adding a secondary ip address to a tun openvpn server device (linux)?   I want to basically "ip addr add 10.8.0.100 dev tun0" (in addition to the 10.8.0.1) when the vpn is started.
04:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:04 <+kareem-ali> hey guys
05:04 <+kareem-ali> anyone has connection between different ovpn tunnels ?
05:04 <+kareem-ali> I mean is that doable ?
05:05 <+kareem-ali> on Linux
05:41 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:43 < ender^> sure, you just treat them like regular network connections
05:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
06:01 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 272 seconds]
06:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:03 -!- mode/#openvpn [+v s7r] by ChanServ
06:06 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
06:18 <+kareem-ali> ender^: thanks, that wasn't enough
06:18 <+kareem-ali> the solution was to disable rp_filter, enable forwarding, use route in server config, and iroute in ccd
06:22 <+kareem-ali> my scenario is a server is also a client on another server
06:23 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 255 seconds]
06:43 -!- br4ndon [~br4ndon@195.33.51.31] has joined #openvpn
06:52 -!- br4ndon [~br4ndon@195.33.51.31] has quit [Quit: br4ndon]
06:56 < shio> something like this kareem-ali: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing ?
06:56 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
06:57 -!- cellardoor [~quassel@unaffiliated/cellardoor] has joined #openvpn
06:58 <+kareem-ali> yes
06:58 <+kareem-ali> but in my case all nodes are servers :)
06:58 < cellardoor> Would anyone here be willing to look at my config file? I can connect and authenticate with certs to my server, but then no traffic ever gets out the other side from what I can tell..... My SSH Sessions stay up and I can ping the server on it's IP, but no DNS, Web Traffic, or anything similar are getting through
06:59 <+kareem-ali> cellardoor: are you trying to route all your client traffic through the VPN ?
06:59 <+kareem-ali> can you pastebin your file ?
07:01 < cellardoor> kareem-ali: Most of the day (when I'm on the move) - yes. However when I get home I also want to be able to access my local machines, so will later get around to having openvpn push a route for 192.168.0.0/24 to my devices. Here is the pastebin, thank you - http://pastebin.com/nPg79rJe
07:02 <+kareem-ali> is your client a windows machine ?
07:03 < cellardoor> kareem-ali: linux.
07:04 <+kareem-ali> have you enabled forwarding your OVPN server ?
07:05 <+kareem-ali> also, you need to disable rp_filter I think, depending on your iptables
07:06 < cellardoor> kareem-ali: the forwarding has often confused me. I've got it set in UFW to allow it.....
07:06 <+kareem-ali> your OVPN server is Linux, right ?
07:06 < cellardoor> kareem-ali: yup
07:06 <+kareem-ali> can you check output of command
07:06 <+kareem-ali> sysctl -a | grep ipv4 | grep forwarding
07:07 < cellardoor> kareem-ali: sure, got root right here
07:07 < cellardoor> ok
07:07 <+kareem-ali> do you see any 1s ?
07:07 < cellardoor> Sure, plenty, will psatebin
07:07 < cellardoor> kareem-ali: http://pastebin.com/KREajWc0
07:08 <+kareem-ali> also pastebin
07:08 <+kareem-ali> sysctl -a | grep ipv4 | grep rp_filter
07:08 < cellardoor> kareem-ali: http://pastebin.com/rQUD8Xzu
07:09 <+kareem-ali> ok try this
07:09 <+kareem-ali> sysctl et.ipv4.conf.all.rp_filter=0
07:09 <+kareem-ali> sorry
07:09 <+kareem-ali> sysctl net.ipv4.conf.all.rp_filter=0
07:09 < cellardoor> kareem-ali: restart openvpn and reconnect?
07:09 <+kareem-ali> and turn off iptables on the server (if you can)
07:10 <+kareem-ali> no, no need
07:10 <+kareem-ali> test connection
07:11 < cellardoor> kareem-ali: diddly squat :(
07:12 <+kareem-ali> have you turned off iptables on the server ?
07:12 <+kareem-ali> just temporarily at least
07:13 <+kareem-ali> also try those commands
07:13 <+kareem-ali> sysctl net.ipv4.conf.eth0.rp_filter=0
07:13 <+kareem-ali> sysctl net.ipv4.conf.tun0.rp_filter=0
07:13 <+kareem-ali> all on server
07:13 < cellardoor> kareem-ali: stopped iptables service - Still happening
07:14 < cellardoor> Still nothing
07:14 <+kareem-ali> ok
07:14 <+kareem-ali> on the client do "ping 8.8.8.8
07:15 <+kareem-ali> and on server open a tcpdump to see if that's getting through to the server
07:15 <+kareem-ali> tcpdump -nn -i any 8.8.8.8
07:15 <+kareem-ali> sorry
07:15 <+kareem-ali> tcpdump -nn -i  any host 8.8.8.8
07:16 < cellardoor> kareem-ali: I can see all the domains my device is trying to get to through here.
07:16 < cellardoor> good command!
07:17 < cellardoor> kareem-ali: because 8.8.8.8 is set as my dns, stuff on my device is trying to call home and it's appearing here
07:17 <+kareem-ali> :)
07:17 <+kareem-ali> ok you need to limit it then
07:17 <+kareem-ali> do
07:17 <+kareem-ali> tcpdump -nn -i any "host YOUR_CLIENT_VPN_IP and host 8.8.8.8"
07:17 <+kareem-ali> replace your_client_vpn_ip with your client VPN IP
07:19 < cellardoor> kareem-ali: ICMP echo requests are going through.
07:19 < cellardoor> but nothing coming back on the device.
07:19 <+kareem-ali> ok
07:20 <+kareem-ali> it's because the echo request is generated from a private range
07:20 <+kareem-ali> which the public doesn't know about
07:20 <+kareem-ali> you need to do NAT
07:20 <+kareem-ali> # (The OpenVPN server machine may need to NAT # or bridge the TUN/TAP interface to the internet # in order for this to work properly)
07:20 <+kareem-ali> quoted from OVPN conf file
07:21 < cellardoor> kareem-ali: I see it... I know what NAT is and how it works, but how do I quickly enable it here?
07:22 <+kareem-ali> is your server behind a router in your network ?
07:23 <+kareem-ali> might be easier to do it on the router
07:23 <+kareem-ali> I'm not the expert on NAT on Linux boxes I'm afraid
07:23 <+kareem-ali> but I know that you need iptables for it to work
07:23 < cellardoor> kareem-ali: I'm afraid this a VPS. I only have control of te server.
07:24 <+kareem-ali> ok then you need to do it with iptables
07:24 <+kareem-ali> this is a quick quide that I found
07:24 <+kareem-ali> http://www.revsys.com/writings/quicktips/nat.html
07:24 <@vpnHelper> Title: HOWTO: Linux NAT in Four Steps using iptables (at www.revsys.com)
07:30 < cellardoor> kareem-ali: you might be a hero.....
07:30 < cellardoor> kareem-ali: my device ID changed from enp1s0 to eth0 some time ago.... I think the old iptable rule for NAT forwarding (because this all did use to work) may still be in there... effectively blackholing all my traffic..
07:31 <+kareem-ali> Glad to be of help
07:31 -!- mattock_afk is now known as mattock
07:33 < cellardoor> kareem-ali: you may have found it! Thanks very much
07:33 < cellardoor> look at this mess Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
07:33 < cellardoor>  pkts bytes target     prot opt in     out     source               destination
07:33 < cellardoor>     0     0 MASQUERADE  all  --  *      enp0s3  10.0.0.0/8           0.0.0.0/0
07:33 < cellardoor>     0     0 MASQUERADE  all  --  *      enp0s3  10.0.0.0/8           0.0.0.0/0
07:33 < cellardoor>    77  4719 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
07:33 < cellardoor>     0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
07:43 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 246 seconds]
07:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:47 <@ecrist> cellardoor: no more pasting
07:54 < cellardoor> kareem-ali: for some reason, ping now works fine.... but nothing else is..... email and web for example... nothing.
08:03 <+kareem-ali> are you sure ping is going through your VPN server ?
08:04 < cellardoor> kareem-ali: Yes I can see it going psat
08:04 <+kareem-ali> so ICMP works, but TCP doesn't
08:04 <+kareem-ali> can you try a UDP
08:04 < cellardoor> kareem-ali: DNS also work
08:04 < cellardoor> so UDP must work
08:04 <+kareem-ali> ok
08:04 <+kareem-ali> so it's a firewall issue maybe
08:05 < cellardoor> kareem-ali: disabled the firewall. nothing.
08:05 <+kareem-ali> on either the client or the server
08:05 -!- Hello71_ [~Hello71@wikipedia/Hello71] has joined #openvpn
08:06 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 252 seconds]
08:10 < cellardoor> kareem-ali: fixed it!
08:10 < cellardoor> I've switched over to tcp from udp
08:11 <+kareem-ali> good
08:11 < cellardoor> thanks for all of your help
08:11 <+kareem-ali> you're welcome
08:15 <+kareem-ali> remember to save your sysctl settings in /etc/sysctl.conf file
08:15 <+kareem-ali> they won't survive network restart or reboot
08:28 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
08:29 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
08:39 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 252 seconds]
08:40 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
08:42 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
08:42 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 268 seconds]
08:47 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Quit: Leaving...]
08:48 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
08:53 -!- Hello71_ is now known as Hello71
08:53 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Ping timeout: 268 seconds]
08:58 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
09:02 -!- Pyrogerg [~Gregory@205.167.120.203] has joined #openvpn
09:02 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:12 -!- Pyrogerg [~Gregory@205.167.120.203] has quit [Ping timeout: 268 seconds]
09:13 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
09:14 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Quit: Leaving...]
09:16 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
09:17 -!- jangerho-ARS [~jangerho@0587370639.wireless.umich.net] has joined #openvpn
09:17 -!- jangerho [~jangerho@0587370639.wireless.umich.net] has quit [Read error: Connection reset by peer]
09:17 -!- jangerho-ARS [~jangerho@0587370639.wireless.umich.net] has quit [Client Quit]
09:18 -!- Pyrogerg [~Gregory@205.167.120.203] has joined #openvpn
09:19 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
09:20 -!- zeroNones [~textual@187.204.142.126] has joined #openvpn
09:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
09:35 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
09:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
09:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:10 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:14 -!- _ikke_ [~kevin@ikke.info] has joined #openvpn
10:16 -!- zeroNones [~textual@187.204.142.126] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:17 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
10:22 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
10:22 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Remote host closed the connection]
10:27 -!- Pyrogerg [~Gregory@205.167.120.203] has quit [Ping timeout: 240 seconds]
10:31 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
10:34 -!- ub1quit33_ [~quassel@rrcs-173-197-67-106.west.biz.rr.com] has joined #openvpn
10:35 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 252 seconds]
10:39 -!- zeroNones [~textual@187.204.142.126] has joined #openvpn
10:47 -!- Raelith [~Raelith@host81-158-60-239.range81-158.btcentralplus.com] has quit [Quit: Raelith]
10:48 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:50 -!- H__ [~H__@unaffiliated/h/x-9670680] has joined #openvpn
10:52 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
10:53 < H__> !welcome
10:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
10:53 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:04 -!- stephan48 [stephan@opennic/stephan] has joined #openvpn
11:04 -!- abbe_ [having@badti.me] has joined #openvpn
11:05 -!- Cybert1nus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has joined #openvpn
11:05 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:06 -!- takeyourhatoff [~tyho@home.ub.vc] has quit [Ping timeout: 255 seconds]
11:06 -!- davegb3 [~davegb3@p54BE4BB5.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
11:08 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
11:08 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
11:08 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (hobana.freenode.net (Nickname regained by services))]
11:08 -!- XJR-9_ is now known as XJR-9
11:08 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
11:08 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
11:08 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
11:08 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 260 seconds]
11:08 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 260 seconds]
11:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
11:08 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 260 seconds]
11:08 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
11:08 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Ping timeout: 260 seconds]
11:08 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds]
11:08 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Ping timeout: 260 seconds]
11:08 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
11:08 -!- ender^ [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
11:08 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 260 seconds]
11:08 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
11:08 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 260 seconds]
11:08 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
11:08 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 260 seconds]
11:08 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds]
11:08 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
11:08 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 260 seconds]
11:08 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
11:09 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
11:09 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
11:09 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
11:09 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
11:09 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
11:09 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has joined #openvpn
11:09 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has joined #openvpn
11:09 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
11:10 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:10 -!- mode/#openvpn [+o krzee] by ChanServ
11:10 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
11:11 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:12 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:13 < H__> question : i have a half-working openvpn on linux; i can ping from the vpn startpoint through the tunnel to a machine behind the vpn endpoint, but i cannot ping through the vpn startpoint. Now net.ipv4.ip_forward=1 for both vpn points and i've flushed iptables. I see a ping packet with tcpdump entering the tunnel, but not coming out on the other side. Any hints where I should look next ?
11:14 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
11:14 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
11:14 -!- kirin` [telex@gateway/shell/anapnea.net/x-hbrgpxufoxbuomyf] has quit [Ping timeout: 250 seconds]
11:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-calhwnloqdcykndf] has joined #openvpn
11:15 < dtrainor> Hello71, I know you didn't understand what I was trying to do yesterday for some reason.  It came down to push "route 10.17.0.0 255.255.255.0"
11:16 <@krzee> sounds like a lan behind openvpn
11:17 <@krzee> i hope you read this, it would help i think
11:17 <@krzee> !route
11:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
11:18 < dtrainor> I did, and it did.  I'm operating in bridged mode so I had to think about it for a minute.
11:18 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
11:18 <@krzee> why are you bridging?
11:18 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
11:18 < H__> that also applies to me i guess, i do have static host routes on all 4 machines involved
11:18 <@krzee> what specific layer2 protocol do you need over the vpn?
11:19 <@krzee> H__, all lan machines?
11:19 <@krzee> !route_outside_ovpn
11:19 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
11:19 <@krzee> if so ^^
11:19 < H__> krzee: just these 4 involved machines. I'm testing a migration-to-come
11:20 < dtrainor> Because that's how it was set up.  I think I was trying to push dhcp and pxe over the VPN so that's what I went with and haven't changed it since.
11:20 <@krzee> if those machines are lan machines routing to the local vpn node, then just know you can add the route to the router for that lan
11:20 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
11:20 < dtrainor> But then I get responses like that from people like you and it makes me want to reconsider that decision.
11:20 < H__> bbl
11:20 -!- ikkuplio [~IceChat77@ipservice-092-210-027-060.092.210.pools.vodafone-ip.de] has joined #openvpn
11:22 <@krzee> theres usually no good reason to need dhcp over openvpn
11:22 < dtrainor> I won't completely disagree.
11:22 <@krzee> i say usually cause there is the rare dhcp option… maybe something for voip phones or whatnot
11:22 <@krzee> but in general it is better to use tun
11:23 <@krzee> for a couple different reasons…
11:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-calhwnloqdcykndf] has quit [Read error: Connection reset by peer]
11:23 < dtrainor> again, don't completely disagree.  i was trying to extend a lab environment from home to my laptop
11:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-pamogeucshufxyni] has joined #openvpn
11:23 <@krzee> if you dont have a reason for that lab to be l2, make it l3
11:24 < dtrainor> yep, just haven't gotten to it.
11:24 < dtrainor> and i'm not going to do that remotely :)
11:24 <@krzee> its really easy, much easier than a bridge setup
11:24 <@krzee> btu ya if you plan on being there may as well wait
11:24 < dtrainor> i get it, honestly :)
11:24 < dtrainor> yep
11:24 <@krzee> although really you could have both at once for the switch
11:24 < dtrainor> i'll tackle it tonight
11:25 < dtrainor> eh.
11:25 < dtrainor> rather not risk it
11:25 <@krzee> theres no risk if you dont remove the bridge setup until after, but either way you said you're gunna be there later anyways
11:29 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:29 -!- mode/#openvpn [+o dazo] by ChanServ
11:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-pamogeucshufxyni] has quit [Read error: Connection reset by peer]
11:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-nwjnyhgfmclfxvrn] has joined #openvpn
11:38 -!- kirin` [telex@gateway/shell/anapnea.net/x-nwjnyhgfmclfxvrn] has quit [Ping timeout: 255 seconds]
11:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-tblggcutwrcowvry] has joined #openvpn
11:40 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
11:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:45 -!- kirin` [telex@gateway/shell/anapnea.net/x-tblggcutwrcowvry] has quit [Ping timeout: 246 seconds]
11:46 -!- kirin` [telex@gateway/shell/anapnea.net/x-quvgskfhvmljrxll] has joined #openvpn
11:48 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
11:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-quvgskfhvmljrxll] has quit [Ping timeout: 268 seconds]
11:56 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
11:58 -!- zeroNones [~textual@187.204.142.126] has quit [Ping timeout: 255 seconds]
11:59 -!- Ahrotahntee [~ahrotahnt@unaffiliated/ahrotahntee] has joined #openvpn
11:59 < Ahrotahntee> !route
12:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
12:00 <@vpnHelper> client
12:00 < Ahrotahntee> that's the one
12:02 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 240 seconds]
12:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:05 -!- u0m3_ [~u0m3@92.80.78.98] has quit [Ping timeout: 240 seconds]
12:07 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Client Quit]
12:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-jjpmrzipvogaqiat] has joined #openvpn
12:17 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
12:22 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 246 seconds]
12:42 < Ahrotahntee> !serverlan
12:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:42 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:42 < Ahrotahntee> !route_outside_openvpn
12:42 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
12:46 -!- abbe_ is now known as abbe
12:47 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
13:01 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
13:02 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
13:04 -!- u0m3 [~u0m3@92.80.111.55] has joined #openvpn
13:05 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
13:10 -!- Matir_ is now known as Matir
13:17 -!- ajoox is now known as zalami
13:20 < H__> question : can we expect to see the same packets with tcpdump on both sides of a tunnel ?
13:22 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
13:42 -!- mattock is now known as mattock_afk
13:46 <@dazo> H__: yes.  Otherwise the tunnel is broken ... the tun/tap devices can be considered similar to normal ethernet devices, and in particular tap devices as tun devices only do IP traffic.
13:46 <@dazo> so the vpn tunnel should not mangle the packets
13:48 -!- dazo is now known as dazo_afk
13:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
14:01 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:03 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
14:12 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
14:14 < H__> dazo_afk: that's what i hoped. Yet i see different; in a-b_vpn_c-d c can ping a and b, but d cannot. i see its packets enter the tunnel at c but not emerge at b. Routing is enabled. firewalls are off. routing here is the oddball ; fully static with host routes. any ideas where to look next ?
14:21 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:23 -!- ub1quit33_ [~quassel@rrcs-173-197-67-106.west.biz.rr.com] has quit [Quit: No Ping reply in 180 seconds.]
14:27 -!- ub1quit33_ [~quassel@rrcs-173-197-67-106.west.biz.rr.com] has joined #openvpn
14:35 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Quit: France sucks but Paris swallows]
14:42 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 240 seconds]
14:45 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 246 seconds]
14:49 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
14:49 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
14:49 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
14:59 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
15:04 -!- Glitches [~glitch@213-213-143-128.xdsl.is] has joined #openvpn
15:10 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
15:15 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:35 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
15:54 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 260 seconds]
16:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:12 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
16:22 -!- ub1quit33_ [~quassel@rrcs-173-197-67-106.west.biz.rr.com] has quit [Quit: No Ping reply in 210 seconds.]
16:27 -!- ub1quit33_ [~quassel@rrcs-173-197-67-106.west.biz.rr.com] has joined #openvpn
16:33 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has quit [Read error: Connection reset by peer]
16:36 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
17:37 -!- Raelith [~Raelith@host81-130-98-156.in-addr.btopenworld.com] has joined #openvpn
17:41 -!- ahklerner [~nkruzan@unaffiliated/ahklerner] has joined #openvpn
17:44 < ahklerner> i have been reading, and i think it is not possible, but can i have a profile setup on an iOS device that uses google authenticator 2 factor auth
17:45 < ahklerner> i understand it is not possible with an 'autologin' type profile, but is it possible without autologin?
17:59 -!- arescorpio [~arescorpi@120-239-16-190.fibertel.com.ar] has joined #openvpn
18:10 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
18:10 -!- ahklerner [~nkruzan@unaffiliated/ahklerner] has left #openvpn []
18:13 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
18:13 -!- mode/#openvpn [+v hazardous] by ChanServ
18:26 -!- ub1quit33_ [~quassel@rrcs-173-197-67-106.west.biz.rr.com] has quit [Ping timeout: 255 seconds]
18:46 -!- Raelith [~Raelith@host81-130-98-156.in-addr.btopenworld.com] has quit [Ping timeout: 240 seconds]
18:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:08 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
19:09 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
19:11 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
19:12 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 255 seconds]
19:12 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 270 seconds]
19:12 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 270 seconds]
19:12 -!- Intensity [MtoM6bWb0_@unaffiliated/intensity] has quit [Ping timeout: 255 seconds]
19:12 -!- cellardoor [~quassel@unaffiliated/cellardoor] has quit [Ping timeout: 255 seconds]
19:12 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
19:12 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 255 seconds]
19:12 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
19:13 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
19:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
19:37 -!- Glitches [~glitch@213-213-143-128.xdsl.is] has quit [Ping timeout: 245 seconds]
19:50 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 255 seconds]
19:51 -!- jeraldv [~jerald@fsf/member/jeraldv] has joined #openvpn
19:54 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
19:57 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
19:58 < _FBi> is it true openvpn works on computers?
20:05 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:41 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
20:41 -!- mode/#openvpn [+v RBecker] by ChanServ
21:11 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
21:15 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 240 seconds]
21:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:47 <@krzee> no.
21:48 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
22:00 -!- Poster|x is now known as Poster
22:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:24 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
22:25 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
22:26 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
22:27 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:28 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
23:18 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:40 -!- arescorpio [~arescorpi@120-239-16-190.fibertel.com.ar] has quit [Excess Flood]
23:46 -!- ShadniX [dagger@p5481CA05.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:47 -!- ShadniX [dagger@p5DDFD635.dip0.t-ipconnect.de] has joined #openvpn
23:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
--- Day changed Thu Sep 04 2014
00:13 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
00:13 < cesurasean> what does this mean? - Thu Sep  4 01:12:36 2014 ERROR: Linux route add command failed: external program exited with error status: 7
00:14 < cesurasean> Thu Sep  4 01:13:57 2014 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
00:14 < cesurasean> SIOCADDRT: File exists
00:16 < cesurasean> what file is it speaking of?
00:18 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:20 <@krzee> its an error from the route command
00:21 < cesurasean> krzee, how do i fix it?
00:21 <@krzee> the error from openvpn is "unable to redirect default gateway -- Cannot read current default gateway from system"
00:21 <@krzee> whats weird about your system?
00:21 <@krzee> ppp?
00:22 < cesurasean> its a server and client.
00:23 <@krzee> to itself?
00:23 < cesurasean> no
00:23 < cesurasean> i have 1 openvpn server it's going to connect to, and it's going to have it's own vpn server within itself as well to connect to.
00:23 < cesurasean> i want to tunnel over multiple machines to an endpoint.
00:23 <@krzee> ahh like this:
00:23 <@krzee> !vpnchains
00:23 <@krzee> hmm
00:24 <@krzee> !google vpnchains
00:24 <@vpnHelper> VPNCHAINS | SourceForge.net: <http://sourceforge.net/projects/vpnchains/>; OpenVPN/VpnChains - Secure Computing Wiki: <https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains>; How to Chain VPNs for Complete Anonymity « Null Byte: <http://null-byte.wonderhowto.com/how-to/chain-vpns-for-complete-anonymity-0131368/>
00:24 <@krzee> link #2
00:26 < cesurasean> well
00:26 < cesurasean> i already followed a tutorial.
00:27 < cesurasean> now im trying to connect both servers together as 1 being a client.
00:27 <@krzee> well
00:28 <@krzee> !walkthrough
00:28 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
00:28 <@krzee> and
00:28 <@krzee> !route
00:28 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
00:28 <@krzee> you wanna build vpnchains, you better become a master of the material in !route
00:29 <@krzee> as for your redirect-gateway issue, for some reason openvpn cant read your default gateway
00:29 < cesurasean> what is my "default gateway" exactly though?
00:29 <@krzee> sounds to me like your walkthrough is doing it very wrong
00:29 <@krzee> your default route
00:30 <@krzee> was that a language question or are you totally new to networking?
00:30 < cesurasean> im not pushing a route though
00:30 <@krzee> you're attempting to redirect-gateway obviously from the error
00:31 < cesurasean> http://pastebin.com/WvWC78tt
00:31 <@krzee> client config too
00:32 < cesurasean> http://pastebin.com/iKEEnsxr
00:32 <@krzee> and logs
00:32 <@krzee> oh wait no
00:33 <@krzee> look at your server config line 13 oj your pastebin
00:33 <@krzee> and then tell me you arent pushing redirect-gateway
00:33 <@krzee> !walkthrough
00:33 < cesurasean> of course i am.
00:33 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
00:33 < cesurasean> so thats a route command?
00:33 <@krzee> !man
00:33 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
00:33 <@krzee> you should not be asking what options in your config do
00:34 < _FBi> ^
00:35 <@krzee> those people writing crappy walkthroughs on google think they're helping people
00:35 < cesurasean> yeah but why is that command not working correctly?
00:36 <@krzee> !spoonfeeding
00:36 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
00:36 < _FBi> I don't get it -- you want a VPS that has two VPNs?
00:37 <@krzee> he wants to build vpnchains
00:37 <@krzee> which is crazy advanced
00:37 < _FBi> but with one server?
00:37 <@krzee> and he wants to do it without learning
00:37 <@krzee> no, but 1 server must have 2 links
00:37 < cesurasean> connect a client to a server, which is a client to another server.
00:37 <@krzee> to build the links in the chain
00:37 <@krzee> that was a poorly built topology
00:37 <@krzee> which will expand in a poor manner
00:38 <@krzee> i wrote up a better way to do it, and gave you the link
00:38 < cesurasean> i read the article.
00:38 <@krzee> but it requires understanding what you're doing
00:38 < _FBi> I second chains
00:38 < cesurasean> doesn't explain well enough.
00:38 <@krzee> i refuse to hold hands on that topic
00:38 <@krzee> because its advanced networking and you want spoonfeeding
00:38 < _FBi> will... will you hold me hand?
00:38 < _FBi> my
00:38 <@krzee> i held your hand :-p
00:39 <@krzee> but you were willing to learn *
00:39 <@krzee> just wanted tips on what to learn
00:39 < cesurasean> so, can a server not be pushing that route while its receiving it?
00:39 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
00:39 < cesurasean> thats what the problem seems to be.
00:40 <@krzee> cesurasean, your error isnt coming from openvpn its coming from the os, and you're working on a very complex way of doing an already complex task
00:40 <@krzee> and have shown non-interest in learning about it
00:40 <@krzee> so im going back to my coding
00:41 < _FBi> I'm going back to being awesome -- done
00:43 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Client Quit]
00:55 < cesurasean> how do i route add default gateway instead of push it?
00:55 < cesurasean> with that default gateway thing
00:55 < cesurasean> http://pastebin.com/geGMkmzk
00:55 < cesurasean> here is my routing table.
01:05 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 245 seconds]
01:10 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
01:12 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
01:15 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Remote host closed the connection]
01:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:06 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
02:06 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
02:09 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
02:10 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
02:33 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
02:42 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
02:51 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 260 seconds]
02:52 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
02:58 -!- dazo_afk is now known as dazo
03:14 -!- Cybert1nus is now known as Cybertinus
03:27 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
03:32 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Read error: No route to host]
03:37 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:50 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
04:07 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
04:12 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
04:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:12 -!- mode/#openvpn [+o syzzer] by ChanServ
04:32 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 255 seconds]
04:34 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
05:00 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 264 seconds]
05:04 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 268 seconds]
05:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:13 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
05:16 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
05:21 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 246 seconds]
05:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 276 seconds]
05:24 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:36 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
05:51 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
06:14 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
06:14 < wallbroken> hi
06:14 < wallbroken> is there some version of openvpn for osx mavericks?
06:17 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
06:17 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has joined #openvpn
06:17 <@syzzer> wallbroken: take a look at tunnelblick
06:18 < wallbroken> why openvpn official software is not developed for osx?
06:21 <@syzzer> it is, there is just no binary package available
06:22 <@syzzer> you can just download the source and compile it yourself
06:23 <@syzzer> tunnelblick actually uses the same openvpn (probably with a few extra patches for their GUI), and bundles it with a GUI
06:25 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:36 -!- Khanivore [~Khanivore@cpc41-craw6-2-0-cust170.16-3.cable.virginm.net] has joined #openvpn
06:36 < Khanivore> !welcome
06:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:40 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
06:47 < Khanivore> I'm not sure what the terminology is for what i'm trying to do. I hope you can help me so i can google for guidance on how to achieve it. I want to set up my ubuntu server as a default gateay for specifc devices. I want the ubuntu server to push that internet destined traffic via VPN to a VPN server on the internet. Can anyone tell me what this function is called so i can look it up?
06:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:48 < Khanivore> i.e. i want my television's internet traffic to go via the ubuntu server in to a vpn tunnel rather than via my router straight out on to the internet.
06:48 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
06:49 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:50 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:50 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
06:50 -!- Exagone313_ [~exa@2001:41d0:51:1::cf1] has joined #openvpn
06:50 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
06:50 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
06:50 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
06:50 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 260 seconds]
06:50 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
06:50 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has quit [Ping timeout: 260 seconds]
06:50 -!- _ikke_ [~kevin@ikke.info] has quit [Ping timeout: 260 seconds]
06:50 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 260 seconds]
06:51 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
06:51 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 260 seconds]
06:51 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
06:51 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 260 seconds]
06:51 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
06:51 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 260 seconds]
06:51 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
06:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
06:51 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
06:51 -!- st5ve [~hays@unaffiliated/hays] has quit [Ping timeout: 260 seconds]
06:51 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 260 seconds]
06:51 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 260 seconds]
06:51 -!- MogDog66 is now known as MogDog
06:51 -!- Exagone313_ is now known as Exagone313
06:51 -!- abbe [having@badti.me] has joined #openvpn
06:51 -!- soapee01 [~soapee01@65.36.104.170] has joined #openvpn
06:51 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
06:51 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
06:51 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
06:52 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
06:52 -!- Brando753-o_O_o is now known as Brando753
06:52 -!- _ikke_ [~kevin@2a02:2308::4a1:300:300] has joined #openvpn
06:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:54 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
06:54 -!- mode/#openvpn [+o dazo] by ChanServ
06:57 < H__> I like to control the 'client side iroute' ... does such a beast exists ? (client side, not in ccd/ on server side)
07:00 -!- mattock_afk is now known as mattock
07:03 <@ecrist> what do you mean?
07:03 <@ecrist> iroute is a server-side argument
07:05 -!- Khanivore [~Khanivore@cpc41-craw6-2-0-cust170.16-3.cable.virginm.net] has left #openvpn ["Leaving"]
07:11 -!- Ahrotahntee [~ahrotahnt@unaffiliated/ahrotahntee] has left #openvpn ["."]
07:22 < H__> ecrist: I know, but i want better control over the inside-openvpn routing and the regular kernel routing
07:24 < H__> soemthing like : if this packet arrives at tun0 for a subnet that is locally available on some ethernet interface, I still want you to follow this iroute which says you stuff it into the tunnel instead
07:26 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 260 seconds]
07:36 <+kareem-ali> H__: if the subnet is configured on the physical, it won't be reachable on the tunnel unless the kernel gets involved
07:38 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
07:38 < H__> kareem-ali: it is via host routes, yes im doing ugly things :)
07:39 <+kareem-ali> Khanivore: you need to set your TV to use your Ubuntu server as a default gateway, then on Ubuntu server use policy based routing to route traffic from the TV to the openvpn remote server, then you need to NAT you internal TVs address to a public address for return traffic, or NAT it to tun address on Ubuntu server
07:39 <@ecrist> H__: you need to do things with routing metrics
07:39 <@ecrist> you could use an up script on the client that modified the routing metric to favor the tunnel
07:40 < H__> interesting, i'll look into that
07:40 <+kareem-ali> I don't think I understand what you are trying to do here
07:40 <+kareem-ali> you need to reach the subnet configured on the physical interface, using your tunnel interface, without touching the physical interface, is that right ?
07:41 < H__> kareem-ali: ugly stuff; same subnet on both sides of routed tunnel, trying to get some hosts reachable via static routes
07:41 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 246 seconds]
07:41 < H__> only for 4 weeks, its a migration
07:41 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has joined #openvpn
07:42 < H__> i think i'm going to continue with static host routes and natting on tun0 on 1 side for now, that at least gives me the most important half of what i need :)
07:42 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
07:48 -!- Khanivore [~Khanivore@cpc41-craw6-2-0-cust170.16-3.cable.virginm.net] has joined #openvpn
07:50 < Khanivore> I have set up openvpn on my ubuntu server at home so it sends all internet destined traffic via VPN to an anonymizer. Can someone tell me how I can get other machiens on the LAN to use this VPN connection via my ubuntu server? The other machiens can not run openvpn or any vpn client (they are televisions).
08:00 -!- fin__ [~fin@unaffiliated/le0] has joined #openvpn
08:02 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
08:05 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
08:35 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 276 seconds]
08:36 -!- Khanivore [~Khanivore@cpc41-craw6-2-0-cust170.16-3.cable.virginm.net] has left #openvpn ["Leaving"]
08:42 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 268 seconds]
08:45 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
08:59 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
09:01 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:02 -!- copper [~copper@unaffiliated/copper] has joined #openvpn
09:02 < copper> !welcome
09:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:02 < copper> !goal
09:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:02 < copper> hi
09:03 < copper> I'm wondering if tunneling all trafic from a smartphone over 3G/4G could accelerate web browsing somehow
09:04 < copper> I don't know what exactly makes web browsing over 3G so slow
09:04 <+kareem-ali> it won't
09:05 < copper> I've been doing it in the past, but I can't tell if it really made anything faster
09:06 < copper> Does anyone have any insights on mobile networking?
09:07 < copper> I could redirect traffic to a caching proxy, but the cached data still has to go from the server to the smartphone
09:07 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:07 < copper> so I was wondering if having a single network route (the client to the caching server / vpn) might improve things
09:07 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
09:07 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
09:08 < copper> it doesn't seem to improve latency much, since the ping time to the server is pretty much the same as the ping time to other web servers
09:09 < copper> I was also wondering if having a well located server would improve anything
09:09 < copper> (the question would be, where)
09:11 < copper> my observation on normal networking without tunneling through a VPN, is infinitely faster on a computer with an ADSL line, than on a top of the line smartphone over 3G (over here, anyway)
09:11 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
09:11 < copper> I don't really understand why, and how to fix it
09:13 < copper> latency and the number of objects to load, seem to be the worst offenders
09:14 -!- jeev_ [~j@unaffiliated/jeev] has joined #openvpn
09:15 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:15 < copper> maybe the problem lies within my carrier's "point of entry"?
09:16 < copper> in which case, I don't suppose anything would help
09:17 -!- Netsplit *.net <-> *.split quits: jeev, zamba, cesurasean, Pandemic_Force
09:18 -!- Netsplit over, joins: Pandemic_Force
09:24 -!- zamba [marius@flage.org] has joined #openvpn
09:33 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
09:33 -!- 17SAA3AKQ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
09:33 -!- 17SAA2B6B [marius@flage.org] has joined #openvpn
09:33 -!- 17SAA3AKQ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Max SendQ exceeded]
09:33 -!- 17SAA2B6B [marius@flage.org] has quit [Max SendQ exceeded]
09:34 -!- abbe [having@badti.me] has joined #openvpn
09:35 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
09:36 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
09:42 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
09:59 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 245 seconds]
10:01 -!- jeev_ is now known as jeev
10:04 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 255 seconds]
10:18 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
10:19 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:20 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Client Quit]
10:21 -!- dazo is now known as dazo_afk
10:29 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 264 seconds]
10:42 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:45 -!- fin__ [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:48 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
10:57 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:17 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
11:26 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:30 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
11:32 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
11:36 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Client Quit]
11:36 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:45 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
11:49 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:20 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 272 seconds]
12:34 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
12:38 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
12:49 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
12:52 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
13:00 -!- SPESSMEHREN [~SpaceMehr@192.121.167.5] has joined #openvpn
13:04 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 240 seconds]
13:08 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
13:08 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:17 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
13:19 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
13:22 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Read error: Connection reset by peer]
13:22 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:43 -!- mattock is now known as mattock_afk
14:07 -!- mutl1975 [~Helmut@host192-34-dynamic.31-79-r.retail.telecomitalia.it] has joined #openvpn
14:07 < mutl1975> hi@all
14:07 < mutl1975> anybody speak germany?
14:07 < mutl1975> or italian ?
14:08 < mutl1975> i search a little hardware that make open vpn client to a open vpn server
14:09 < mutl1975> this hardware i will put intro different networks is possible that 2 networks have the same local network
14:09 < ender|> mutl1975: what's your price range, and how fast transfers do you expect?
14:09 < mutl1975> no ideea 300-500 €
14:10 < mutl1975> the openvpn client receive a virtual ip
14:10 -!- SPESSMEHREN [~SpaceMehr@192.121.167.5] has quit [Remote host closed the connection]
14:10 < mutl1975> this virtual ip i configure a dst nat to the end point
14:11 < ender|> http://store.pfsense.org/VK-T40E/
14:11 <@vpnHelper> Title: VK-T40E Desktop pfSense Network Firewall Router Hardware Appliance (at store.pfsense.org)
14:12 < mutl1975> ok nice product
14:13 < mutl1975> on the server is possible create different user that receive static ips
14:13 < mutl1975> the user are the openvpn client pfsense
14:13 < ender|> otherwise i use Asus RT-N12s at one client (that's really low on cash), which can push through around 10Mbps with BF-CBC (running Tomato firmware)
14:14 < mutl1975> ok but on the server is posiible create user with static ips
14:15 < mutl1975> i need 1 windows user that connect to the server and has the right to connect to all client vpn sites
14:15 < ender|> i never used user authentication with openvpn, but it should be possible
14:15 < mutl1975> and 1 user that can connect only to some sites
14:15 < mutl1975> is possible?
14:15 < ender|> (i always use PKI/certificate authentication, and it's definitely possible there)
14:16 < mutl1975> the problem are that some site has the same local network
14:16 < ender|> use ifconfig-push  for each client, then limit what the pushed IP can access
14:16 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
14:17 < ender|> are you doing site-to-site VPN or road warriors (single computer clients)?
14:17 < mutl1975> ok with ifconfig-push i push the routes to the clients
14:18 < mutl1975> i will configure a device that i cand connect in a network without configure the internal router
14:18 < ender|> for site-to-site i'm not sure what to do with openvpn if subnets on both sides are the same (never had that happen); for single clients it just means that they won't be able to access their LAN while connected to VPN
14:18 < mutl1975> this device (pfsense) create a tunnel to my pfsense
14:18 -!- kareem-ali [~kareem@217.138.20.162] has quit [Ping timeout: 240 seconds]
14:18 < mutl1975> 1 admin connect to my pfsense and has the security rights to connect to all remote sites
14:19 < mutl1975> a other admin has the right only to 2 sites.
14:20 < mutl1975> on the pfsense server site i cand define fw rules that admin 1 with the ip 172.10.10.1 can access to all 172.10.10.0/24 remote sites
14:20 < mutl1975> and admin 2 with the ip 172.10.10.2 can only access to 172.10.10.3,4,5 etc. ?
14:21 < mutl1975> on the remote site i configure a dst nat from 172.10.10.3 to push all trafic to the windows PC
14:21 < ender|> yes. note that the 172 RFC subnet is 172.16.x.x to 172.31.x.x - 172.10.x.x is not private network
14:22 < ender|> RFC1918*
14:22 < mutl1975> so the admin 1 can connect to rdp to 172.10.10.3  to the pc
14:22 < mutl1975> ok is not private :)
14:23 < mutl1975> but is possible to make fw rules on the pfsense for vpn traffic ?
14:23 < mutl1975> or need iptables ?
14:23 < mutl1975> is more complicated :)
14:23 < ender|> you can do it on pfsense - look at the OpenVPN firewall tab
14:24 < mutl1975> perfekt and is possible create 10 user site1 site2 site3 etc
14:24 < mutl1975> assign fixed ips
14:24 < ender|> yes, with client-specific overrides
14:24 < mutl1975> the configuration on the client site must used certificates or?
14:25 < ender|> should work with user authentication, but i only ever used certificates
14:26 < mutl1975> ok certificates and the client overright for the dn of the certificate right?
14:26 -!- kareem-ali [~kareem@217.138.20.162] has joined #openvpn
14:26 < ender|> the overrides are set on the common name of the certificate
14:26 < mutl1975> ok and on the client site is possible to create a dst nat to my windows machine using the vpn IP Adress?
14:27 < mutl1975> ok the CN Thx
14:27 < mutl1975> so wen i have the same local network i not have any problem
14:28 < ender|> i've never done NAT on openvpn, and i'm not sure if pfsense supports that
14:28 < mutl1975> the admin 1 connect to the server  and then connect ot the virtual ips this will be forwarded to the windows machine.
14:29 < mutl1975> this are the idee
14:29 < mutl1975> otherwise i have the problem with same remote networks
14:30 < mutl1975> i need a hardware that is preconfigured put in the network from the remote site will established a vpn and that its
14:30 < mutl1975> ok i try with a testlab
14:31 < mutl1975> thx @ all and  sorry for my bad english ;)
14:33 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
14:39 -!- heraclitus [~phobos@unaffiliated/heraclitis] has joined #openvpn
14:59 < cesurasean1> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
14:59 < cesurasean1> how do i fix such an error?
15:13 -!- mutl1975 [~Helmut@host192-34-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: Connection reset by peer]
15:30 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
15:32 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:34 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
15:53 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
15:53 < cesurasean1> my default route is 0.0.0.0
15:53 < cesurasean1> is that why default gateway cannot be added by openvpn?
16:02 < cesurasean1> anyone know how to fix this error? - unable to redirect default gateway -- Cannot read current default gateway from system
16:03 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
16:04 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
16:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 245 seconds]
16:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:16 <@krzee> cesurasean1, you still need to learn networking, if your default route is really 0.0.0.0 then thats why openvpn cant read it.
16:17 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:18 <@krzee> ender|, you can nat over openvpn no problem so long as openvpn knows what to do with the packets when it goes over the tunnel… so you send over the tun with openvpn ip (or lan ip that is setup for it) and then you nat it after… or traffic comes to lan ip and you nat it to openvpn then send over the tun
16:18 <@krzee> depending on direction of the nat of course
16:19 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 268 seconds]
16:20 < cesurasean1> krzee, my webhost has set the default gateway to 0.0.0.0.
16:20 < cesurasean1> please don't assume.
16:21 -!- fred`` [fred@earthli.ng] has left #openvpn ["bye"]
16:21 < cesurasean1> i also tried to set the default gateway and got kicked off the server.
16:21 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:21 < cesurasean1> so im bringing the webhost into the conversation now to see what they can come up with.
16:21 <@krzee> right, but thats why it cant find the gateway
16:21 <@krzee> try reading the manual and see about telling openvpn where to send the traffic
16:22 <@krzee> you must have an ip to the next hop...
16:22 < cesurasean1> what should the gateway be set to?
16:22 < cesurasean1> the default gateway for tun1?
16:22 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:22 <@krzee> whereever your traffic goes to the isp
16:22 <@krzee> there must be a next hop
16:22 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:23 <@krzee> if not you may need to make the routes manually using a script and use a device instead of a gateway
16:24 <@krzee> but i have 0 plans on walking you through that, you'll have to learn about whats going on to do it or find someone else who wants to use their spoon
16:24 < cesurasean1> hmm...
16:25 <@krzee> either way, troubleshooting routing issues without caring to learn anything about routing… good luck
16:25 < cesurasean1> obviously there has not been much testing done for opevpn in chaining vpns together.
16:25 < cesurasean1> seems like a bug to me.
16:25 <@krzee> sure there has, it requires LEARNING
16:25 <@krzee> lol @ bug
16:25 < cesurasean1> why can't openvpn learn to deal with VPS systems in this setup?
16:26 <@krzee> anyways, ignore list
16:26 < cesurasean1> and yes, there has already been bug reports filed for this.
16:27 <@krzee> before i click enter on the ignore:
16:27 < cesurasean1> then i found this; http://petesblog.net/blog/openvpn-on-proxmox-openvz-container
16:27 < cesurasean1> route add default dev tun0
16:27 < cesurasean1> seems it may be an openvz issue.
16:27 <@krzee> you are doing it wrong, shouldnt be redirecting gateway on that server in the first place but you have to because you're using a terrible walkthrough, because you dont have any desire to learn the required information to build what you want.
16:27 <@krzee> and with that, /ignore
16:29 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 272 seconds]
16:38 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
16:38 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:39 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:39 -!- copper [~copper@unaffiliated/copper] has left #openvpn []
16:40 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:40 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:40 -!- mode/#openvpn [+o Eugene] by ChanServ
16:41 -!- w00ds [w00ds@c-24-6-177-107.hsd1.ca.comcast.net] has joined #openvpn
16:43 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
16:50 -!- w00ds [w00ds@c-24-6-177-107.hsd1.ca.comcast.net] has quit []
16:51 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
17:05 -!- larryone [~larryone@176.61.1.155] has joined #openvpn
17:13 -!- Pyrogerg [~Gregory@mobile-166-137-182-240.mycingular.net] has joined #openvpn
17:14 -!- Pyrogerg [~Gregory@mobile-166-137-182-240.mycingular.net] has quit [Max SendQ exceeded]
17:15 -!- Pyrogerg [~Gregory@mobile-166-137-182-240.mycingular.net] has joined #openvpn
17:15 -!- Pyrogerg [~Gregory@mobile-166-137-182-240.mycingular.net] has quit [Max SendQ exceeded]
17:16 -!- Pyrogerg [~Gregory@mobile-166-137-182-240.mycingular.net] has joined #openvpn
17:20 -!- Pyrogerg [~Gregory@mobile-166-137-182-240.mycingular.net] has quit [Read error: Connection reset by peer]
17:21 -!- Pyrogerg [~Gregory@75-173-153-142.albq.qwest.net] has joined #openvpn
17:30 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:33 -!- larryone [~larryone@176.61.1.155] has quit [Quit: This computer has gone to sleep]
17:37 -!- Cybertinus [~Cybertinu@2a00:6960:1:1:0:24:107:1] has quit [Remote host closed the connection]
17:38 < ender|> krzee: i'm aware that it's possible to NAT over openvpn (it's an option in dd-wrt and tomato firmwares), but i never used it personally, and since the talk was (also) about pfSense, i said that i don't know how to do NAT over openvpn on pfSense
17:38 <@krzee> gotchya
17:39 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:44 -!- Pyrogerg [~Gregory@75-173-153-142.albq.qwest.net] has quit [Ping timeout: 246 seconds]
17:44 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 245 seconds]
17:45 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:50 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 255 seconds]
17:50 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:51 -!- Pyrogerg [~Gregory@75-173-153-142.albq.qwest.net] has joined #openvpn
17:55 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 245 seconds]
18:03 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
18:05 -!- Pyrogerg [~Gregory@75-173-153-142.albq.qwest.net] has quit [Ping timeout: 260 seconds]
18:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
18:13 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Quit: Bye.]
18:17 -!- maniacal [~maniacal@208.99.166.84] has joined #openvpn
18:29 -!- jb [corrupt@shell.vaerchi.com] has joined #openvpn
18:33 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Read error: Connection reset by peer]
18:34 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
18:36 -!- maniacal [~maniacal@208.99.166.84] has quit [Quit: Leaving...]
18:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
18:39 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 276 seconds]
18:44 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
18:46 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
18:53 -!- lukethedrifter [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
18:57 -!- lukethedrifter is now known as L0uk3
19:23 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has joined #openvpn
19:25 < AngryNapkin> Hi, I was trying to create some new client keys after updating to the latest version of openvpn using the existing easy-rsa files from the previous versions. This no longer works, and I am not sure how to update the scripts. I dont know where they are on github. Can anyone assist?
19:26 <@krzee> how does it no longer work?
19:26 <@krzee> if you're ready to make a completely new pki then i agree you should upgrade
19:27 < AngryNapkin> Not really sure, whet ever is executed when running the build script, it crashes and stops responding
19:27 <@krzee> is it a small vpn that you can change client keys on easily?
19:27 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
19:27 <@krzee> (this 1 time)
19:28 < AngryNapkin> yeah, very small. 2 people, wanted to add one more and un able. I upgraded to the lastest openvpn thinking it might work, but same problem. I checked github for new easr-rsa scrips, but not sure where they are.
19:28 <@krzee> !easy-rsa
19:28 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
19:30 < AngryNapkin> krzee: Thanks.
19:30 <@krzee> np
19:30 < AngryNapkin> are the steps the same as listed on the openvpn community HowTo?
19:31 < pekster> That's the offical howto for v2, yes. v3 uses a completely different model and the wiki link above has the info there (as do the docs in the project tree or downloads)
19:31 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
19:32 < pekster> There's no reason either should "crash" since they're just shell scripts
19:33 < AngryNapkin> yeah I am not sure why its crashing. didnt look much into it. I figure maybe I shouold just update everything.
19:34 < AngryNapkin> never updated antyhung since heartbleed either, so now is a good time i guess.
19:35 < pekster> key generation wouldn't have been impacted by heartbleed, only TLS negotiations where one end was vulnerable
19:35 <@krzee> im sure the word crash is being misused but its ok, changing to easy-rsa3 will be good anyways and its not a huge vpn where migration is an issue
19:36 <@krzee> so download with link in #2 and learn with link in #3
19:36 < pekster> yea, v3 tries to apply sanity to the mess that was v2. I've a few issues to fix, but much isn't show-stopping. I'm coming off a hardware failure so my last week has been just full of fun :(
19:37 <@krzee> sucks
19:37 < pekster> No data losss, just loss of a primary workstation laptop. Turns on one day, good as a paper-weight the next
19:40 < AngryNapkin> no, something is definitely crashing, or I should say "This program has stopped responding and will not close" something on the line of that. Cant remember what program was the offender off the top of my head, not in front of the computer I was running it on.
19:41 < pekster> easyrsa v2 is "just batch scripts" (v3 uses POSIX shell, and ships a minimal shell on windows which is notably not POSIX.) It's possibly openssl is the thing crashing though
19:42 < pekster> latest openvpn should ship recent-ish openssl, or you can always grab the 'Shining Light Productions' openssl for windows installer
19:42 < AngryNapkin> possible. I can get back to you tomorrow if you really want to know what is crashing. I figure it might just be incompatibility between the new openvpn and the old scrips, maybe Im wrong.
19:43 <@krzee> v2 comes with md5 in the .cnf too, whereas v3 uses what? im guessing sha256
19:43 < pekster> That's possible too, depending on the version of openssl and the config you're using. OpenSSL is very picky about how that config file is formatted
19:43 < pekster> sha256 by default; latest v2 release updates the default hash, mostly as a stop-gap
19:44 <@krzee> oh i didnt know v2 was updated
19:44 < pekster> Not to worry, it still does everything else wrong ;)
19:44 < AngryNapkin> Can I issue the commands on a seperate machine of the main openvpn and just copy the files over for use? I dont have to run the commands on the actual computer running openvpn right/
19:45 < AngryNapkin> to generate the new keys that is
19:45 < pekster> Yes, in fact that's how you're supposed to do private key generation
19:46 < pekster> You still need to send the request to your CA for signing, but each end should generate their own keypairs and ideally they never leave that host
19:46 < pekster> (it's a reduction of security to do so, commonly called "key escrow" where another system and/or person has your private key)
19:46 < AngryNapkin> I dont have a CA
19:46 < AngryNapkin> I was doing the self signing way
19:47 < pekster> OpenVPN in TLS mode requires you set up a PKI with a CA
19:47 < pekster> That's the whole point of the documentation ;)
19:47 < AngryNapkin> sorry if I dont use terms properly, the whole certs and keys thing is a bit over my head. trying to learn, but as it is now, i am just a follow instructions monkey
19:47 < pekster> Maybe this will help you understand the basics:
19:48 < pekster> !intro-to-pki
19:48 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
19:50 < AngryNapkin> Thanks
19:52 < AngryNapkin> I was creating all keys and certs on the same machine people were tunneling into, lol. Ill start to not do that.
19:53 < pekster> That's the model some people use, and then deploy those. It's done out of convenience sometimes (so end-users don't have to generate keypairs and send a CSR.) If you're happy with it, *and* have a pre-existing secure way to exchange the keys, you can still do that
19:54 < pekster> openvpn doesn't care one bit, of course ;). Use what works best for your needs
19:57 < AngryNapkin> k ,one question. extracted the files, started the shell, Went to the "The basics" section and ran "easyrsa init-pki" and received an error not able to find openssl.
19:57 < pekster> Did you install openssl with openvpn? It's not installed by default, so easiest is to check the box for openssl utilities and add to the system %PATH%
19:58 < AngryNapkin> if its not installed by default, then i would say i probablt have not installed it
19:58 < pekster> The README has an entire section on alternatives if you'd rather use your "own" openssl, but you shouldn't need that (it's more complex)
20:00 < AngryNapkin> No, I am fine with installing the one it comes with.
20:01 < AngryNapkin> Should I need the managments scripts?
20:01 < pekster> v2? Not if you're planning to use the v3 ones instead. You will still need the openssl and add to %PATH% though
20:02 < pekster> You could install them anyway (it won't hurt)
20:09 < jb> can someone help me understand if I actually need access server to allow users on the internet to connect and access internal LAN resources?
20:09 < jb> vs something like a point-to-point VPN.
20:10 < pekster> OpenVPN can do that, sure. AS is a commercial wrapper for people averse to the open-source solution that requires things like config files. It's a GUI and web-centric solution that requires licensing, but some people want that
20:11 < pekster> OpenVPN (the GPL project, what we discuss in this channel) can operate in either point-to-point or multi-client modes
20:11 < jb> oh, so it's actually the same core functionality then?
20:11 < pekster> Yup. Think of AS as a web-driven frontend (it's actually using a somewhat-older openvpn as its core anyway. You're just paying licensing for the "pretty" frontend)
20:12 < jb> ah!  thanks for the explanation.. I wasn't sure.
20:12 < jb> doesn't look like there are EL7 packages for AS yet, either.
20:12 < pekster> For LAN behind server, you first need a basic VPN able to ping between endpoints, then you want: !serverlan
20:14 < jb> i'm assuming the openvpn box would need two interfaces, one on a 'public' network, and one on the 'private LAN' network.
20:14 < jb> does it handle things like DHCP for client connections, or do I need to handle that elsewhere?
20:15 < jb> sorry for the stupid questions.  I'll start reading the docs.
20:15 < pekster> openvpn can run on a single physical interface (the "2nd" interface is the virtual adapter)
20:16 < jb> ie, VLANs?
20:16 < pekster> No. tun.
20:17 < jb> ok - but, it COULD use two separate interfaces?
20:17 < pekster> (or tap, but you don't need Ethernet frame support for routing between networks)
20:17 < pekster> Sure. OpenVPN is "just a software router" (with some cool crypto on top)
20:19 < jb> gotcha.  just need to figure out where to run it now.. :)
20:19 < jb> I guess it would be stupid to run it on a VM on the same cluster that I would be needing to manage through the VPN.
20:20 < pekster> Depends. If it goes down it's not like you'd need a VPN to manage it anyway ;). Same decision you'd make for classic routing really
20:21 < pekster> Unless you mean the host managing the cluster could still be accessible. But yea, openvpn is happy to run wherever, and you end up thinking about it in your topology like any other router
20:26 < jb> yeah, makes sense.
20:32 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
20:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-jjpmrzipvogaqiat] has quit [Ping timeout: 246 seconds]
20:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-lpblmrwdvrmiqzaa] has joined #openvpn
20:42 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has quit [Read error: Connection reset by peer]
21:04 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has joined #openvpn
21:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:55 -!- zeroNones [~textual@189.182.21.106] has joined #openvpn
22:02 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has quit [Read error: Connection reset by peer]
22:15 -!- u0m3_ [~u0m3@92.80.102.69] has joined #openvpn
22:17 -!- u0m3 [~u0m3@92.80.111.55] has quit [Ping timeout: 245 seconds]
22:58 -!- zeroNones [~textual@189.182.21.106] has quit [Quit: Textual IRC Client: www.textualapp.com]
23:06 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
23:09 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:16 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:41 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
23:44 -!- ShadniX [dagger@p5DDFD635.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:46 -!- ShadniX [dagger@p5DDFD607.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Sep 05 2014
01:24 -!- heraclitus [~phobos@unaffiliated/heraclitis] has quit [Remote host closed the connection]
02:27 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
02:30 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 272 seconds]
02:32 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
02:45 -!- fxhnd [~fxhnd@li394-8.members.linode.com] has quit [Ping timeout: 245 seconds]
02:48 -!- fxhnd [~fxhnd@nothingtoseehere.today] has joined #openvpn
02:55 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:00 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has joined #openvpn
03:00 < v0lZy> Hi everyone
03:01 < v0lZy> I need some help... second time I came accross this issue in two days, on windows 8 and windows 2008 ...
03:01 < v0lZy> I store the username and password in a file called auth.txt
03:01 < v0lZy> I put auth-user-pass "C:\\Program Files\\OpenVPN\\config\\auth.txt" into the config file
03:02 < v0lZy> and openvpn just doesnt do anything
03:03 < v0lZy> if i right click on the .ovpn file and select 'start openvpn on this config file', the command line informs me that auth-user-pass failed with "C:\Program Files\OpenVPN\config\auth.txt" -- no such file or directory
03:03 < v0lZy> but the file exists
03:03 < v0lZy> i dont understand, what gives?
03:04 < v0lZy> ah
03:05 < v0lZy> never mind
03:05 < v0lZy> fucking windows hidding endings
03:16 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 252 seconds]
03:16 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 276 seconds]
03:18 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 252 seconds]
03:25 -!- dazo_afk is now known as dazo
03:26 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
03:28 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Max SendQ exceeded]
03:29 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:42 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has joined #openvpn
03:46 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
03:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:13 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 276 seconds]
04:14 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 272 seconds]
04:15 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
04:23 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
05:03 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
05:10 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:15 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
05:20 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:33 -!- VSpike [~johncc@62.6.177.34] has joined #openvpn
05:33 < VSpike> When setting up site to site tunnels with OpenVPN, my firewall GUI presents the idea of client and server. Is this distinction real in this scenario, or artifical?
05:33 < VSpike> I'd imagine real, since I'd have though one end still has to initiate the connection, and the other listen for it
05:36 < ender|> one side is the server, and it can have multiple client sites
05:37 < ender|> server side listens for incoming connections, clients connect outwards to the server
05:37 < VSpike> ender|: right, that makes sense to me. I just wanted to check whether there was some special mode for 2 peer site-to-site tunnels where both ends were equal in some way
05:37 < VSpike> Didn't think so
05:38 < ender|> nope, not with openvpn at least
05:38 < ender|> (ipsec works this way, but ipsec's an order of magnitude more complicated)
05:40 < VSpike> We're trying to connect our pfSense box with a supplier that runs vyatta. Looking at their config file, there's no mention of client or server, and their tech said it had to be "site-to-site" mode. Looking at http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5400_manual/VPN_OpenVPN/wwhelp/wwhimpl/common/html/wwhelp.htm#context=VPN_OpenVPN&file=OpenVPN%20Configuration.3.03.html it
05:40 < VSpike> almost seems like that OS allows connections either way
05:40 < VSpike> Or am i reading it wrong?
05:43 < ender|> openvpn has a peer-to-peer mode, but it has some limitations
05:45 < ender|> i'm not sure if that's what vyatta is using (and they don't mention how to configure non-vyatta routers there either)
05:46 < VSpike> No.. not very helpful
05:47 < VSpike> http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5400_manual/VPN_OpenVPN/wwhelp/wwhimpl/common/html/wwhelp.htm#context=VPN_OpenVPN&file=OpenVPN%20Commands.4.01.html gives some clues
05:52 < VSpike> Their engineer says it has to be in site-to-site mode, but I think they need to put their side into client mdoe, as ours is configured as a server.
05:53 < VSpike> On pfsense, you can only push routes to clients if you're using certificates, not if you're using pre-shared keys. Is that an inherent OpenVPN limitation, or is it a pfSense thing?
05:54 < ender|> AFAIK, you can only push routes in client-server mode, but not in peer-to-peer mode
05:55 < ender|> (and that's an openvpn limitation)
05:58 < VSpike> Is there a special config key for peer-to-peer mode in openvpn?
05:59 < ender|> yes, remote
06:00 -!- v0lZy [~Thunderbi@BSN-77-81-109.static.dsl.siol.net] has quit [Ping timeout: 268 seconds]
06:11 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 252 seconds]
06:18 < VSpike> ender|: thanks for the helP!
06:26 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
06:47 -!- elfixit [~Icedove@211-236.197-178.cust.bluewin.ch] has joined #openvpn
06:53 -!- elfixit [~Icedove@211-236.197-178.cust.bluewin.ch] has quit [Ping timeout: 260 seconds]
07:07 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:29 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
07:36 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
07:37 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has joined #openvpn
07:38 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 268 seconds]
07:40 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
07:45 -!- GrantK [~GrantK@bolt.sonic.net] has joined #openvpn
07:46 < GrantK> Hi.  I want to test/troubleshoot openvpn's ping/restart mechanism (my connection drops, and the keepalive doesn't reestablish ...).  With openvpn up & connected, I want to force-drop the connection -- *without* otherwise disturbing openvpn's operation, so that it'll execute its ping/reconnect sequence.  What's the best, least-intrusive method to drop that connection for such a test?  A simple 'ifdown' seems too intrusive ...
07:52 <@ecrist> send a reset from the server?
07:52 <@ecrist> TCP reset I mean
07:54 -!- Netsplit *.net <-> *.split quits: arkie
07:57 < GrantK> @ecrist hi.  It's a UDP -- not TCP -- connection 'tween the two.  Do you mean a reset from 'within' Openvpn, or just at the server's os/network level?
07:58 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
08:01 <@ecrist> network level - make the client think the connection needs to be restarted.
08:07 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Ping timeout: 272 seconds]
08:10 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has joined #openvpn
08:12 < GrantK> ecrist: Fair enough, thx.  I'm wondering if 'this' issue might be an example of the "lesser reliability" of UDP, vs TCP, connection.  Read a lot about the diff -- never got a compelling understanding of when one must ( or really-should ) use TCP, or what the actual "lower performance" of TCP measure out to be.  Yet ...
08:12 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:14 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
08:14 -!- lachesis_ [~lachesis@unaffiliated/lachesis] has joined #openvpn
08:15 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
08:20 < GrantK> Refreshing my openvpn git sources from sourceforge, it looks like no updates/activity since July.  Seems odd/wrong ... has current development moved? Or slowed?
08:23 -!- VSpike [~johncc@62.6.177.34] has left #openvpn ["WeeChat 1.0"]
08:25 -!- Netsplit *.net <-> *.split quits: arkie
08:27 -!- Netsplit over, joins: arkie
08:30 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
08:35 <@ecrist> GrantK: that is the latest commit
08:35 < GrantK> ecrist: k. so it IS, finally perfect? ;-p
08:36 <@ecrist> of course.
08:36 <@ecrist> ;)
08:41 -!- jb [corrupt@shell.vaerchi.com] has left #openvpn []
08:48 -!- arlion_ [~arlion@107.161.181.110] has joined #openvpn
08:53 < arlion_> helloH
08:53 < arlion_> anyone have tiem to assist me configuring SPEEDY compression on Openvpn
08:56 -!- vixus [~as2122@cpc66946-cmbg14-2-0-cust120.5-4.cable.virginm.net] has joined #openvpn
08:58 < arlion_> **snappy compression
09:02 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:02 < vixus> Hi there, I'm having some issues with my bridging setup -- the server seems to be running correctly: both the eth0 and br0 devices have IPs assigned via DHCP and can connect outside.
09:02 < vixus> I'm using the setup-bridge parameter with my router's netmask, gateway and assign IPs from 192.168.0.200-255
09:02 < vixus> when i run openvpn on my client for testing (which happens to be on the same LAN connected via wifi), the tap0 device created by openvpn is correctly assigned an IP of 192.168.0.200
09:02 < vixus> however, i can no longer connect to anything, within or outside the VPN/LAN
09:02 < vixus> is there any way of testing what is going wrong?
09:02 < vixus> i can see from the output of `ip addr show` that wlan0 is down and tap0 is up and assigned
09:02 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 246 seconds]
09:02 <@krzee> perfect is a loaded word ;]
09:03 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:04 -!- zeroNones [~textual@187.204.134.104] has joined #openvpn
09:06 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:11 <@dazo> arlion_: I'm no expert on compression ... but you need support for it on both sides, and an openvpn build with snappy enabled.  From there, the man page describes it quite well ... look at --compress
09:12 <@krzee> dont listen to his modesty, hes an expert on everything :D
09:12 <@dazo> GrantK: yeah, we've been too busy to have some new goodies for you .... but I just pushed out a tiny systemd patch I just ack'd
09:13 <@dazo> krzee: trying to throw me under a bus? ;-)
09:13 < GrantK> dazo: mush! mush! ;-)
09:13 <@krzee> http://englishfromfriends.com/blog/wp-content/uploads/2013/03/underthebus.jpg
09:14 <@dazo> lol
09:14 <@krzee> 08/32/d10832a7dacb47517130515718fcdac2.jpg
09:14 <@krzee> err
09:14 <@krzee> http://media-cache-ak0.pinimg.com/736x/d1/08/32/d10832a7dacb47517130515718fcdac2.jpg
09:15 < arlion_> dazo: Do you have any documentation on this process?
09:15 <@dazo> arlion_: man openvpn
09:16 < vixus> sorry, i forgot to post my server config: http://sprunge.us/EfOJ?conf
09:16 <@dazo> arlion_: or did you mean building openvpn?
09:16 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 276 seconds]
09:16 <@krzee> vixus, why bridging?
09:16 <@dazo> GrantK: please feel free to join reviewing patches on the ML too ... in the beginning we will be suspicious to new-comers, but if your arguments are right, ACKs from you will be processed quicker :)
09:17 < arlion_> The man page was written in 2008, before snappy was intoduced.
09:17 < vixus> krzee: so i can use services on any machine within my LAN. when i first started setting up i thought that bridging was necessary for this
09:17 < GrantK> Dunno abt 'right arguments' ... been married 26 years, apparently haven't made one yet ;-)
09:17 < arlion_> Building openvpn with snappy would also be welcomed
09:17 <@krzee> !route
09:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:17 <@dazo> arlion_: then you are using the wrong version
09:17 <@krzee> !whybridge
09:17 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
09:17 <@krzee> vixus, nope, you dont need or want bridging for that
09:17 <@krzee> !tunortap
09:18 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
09:18 <@vpnHelper> rooted/jailbroken) support only tun
09:18 < arlion_> dazo: OpenVPN 2.3.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  5 2014
09:18 -!- Netsplit *.net <-> *.split quits: arkie
09:18 < vixus> krzee: ok, time for some reading. thanks
09:18 <@krzee> np
09:19 <@dazo> GrantK: oh well, we're good at arguing arguments too ;-)
09:19 < vixus> krzee: on the RoutedLans page, when an IP is quoted next to the word lan, does that mean the gateway IP?
09:19 <@dazo> arlion_: oh, sorry, my fault ... snappy will come in the 2.4 release
09:20 < arlion_> Is there a place where I can opt in the beta for that version?
09:20 <@krzee> vixus, huh?
09:21 <@dazo> arlion_: http://community.openvpn.net/openvpn/#GettingOpenVPN .... we announce beta's to the mailing lists when they're ready ... but we have no dates yet for next releases
09:21 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
09:21 < vixus> krzee: "Our user had a openvpn server with a lan (10.10.2.0) behind it"
09:21 < vixus> krzee: "client1 with lan 10.10.1.0 client2 with lan 10.10.3.0 "
09:21 <@krzee> subnet
09:22 <@krzee> thats a network address
09:22 <@krzee> doesnt mean much without the /24 though, i guess ill go add it
09:22 <@krzee> although if you read the whole thing you'll see netmasks later
09:22 < arlion_> dazo: Thank you very much, as you could probally tell I really need to get off of LZO compression.
09:23 <@dazo> arlion_: how come?
09:24 < arlion_> LZO compression poorly compresses the files and when uncompressed does not align the bits int he packet header back up.
09:24 < arlion_> It poorly compresses images/movies
09:24 < vixus> krzee: ah, thanks
09:25 < arlion_> I support a couple thousand of these configs and we have disabled it company wide in favor of UDP (for quick delivery, no TCP handshake)
09:25 < arlion_> and the error packets recieved
09:26 < arlion_> We just now begun researching alternatives and thats how I stumpled on your work with snappy.
09:27 -!- Netsplit over, joins: arkie
09:27 <@dazo> arlion_: ahh, right ... the version in git supports both lz4 (poorer but faster compression) and snappy, in addition to lzo ... so you'll have something to play with there then :)
09:30 < arlion_> Sweet, thank you.
09:30 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
09:33 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
09:35 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 268 seconds]
09:37 <@krzee> wow
09:37 <@krzee> You will need it any time a source ip address different than what the client connected from tries to send (or respond to) traffic over the VPN.
09:37 <@krzee> english, do i speak it?
09:37 <@krzee> new version:
09:37 <@krzee> You will need it any time a source ip address is different from the IP given to the vpn client by the vpn server.
09:38 <@krzee> You will need it any time a clients source IP address is different from the IP given to it by the vpn server.
09:39 <@krzee> there we go, now people besides me can know what i meant there o.O
09:40 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:44 < vixus> krzee: brilliant! it works, thank you :)
09:44 <@krzee> np man
09:44 < vixus> krzee: i am now going to test LAN routing
09:44 <@krzee> oh i thought thats what you meant works :D
09:45 < vixus> well, connecting to the openvpn server works
09:45 <@krzee> changed to tun?
09:45 < vixus> yes
09:45 <@krzee> nice
09:46 < vixus> does this now mean all requests are being routed through the tun0 device?
09:46 < vixus> that part i wasn't clear about
09:46 < GrantK> With a UDP connection between server/client, when I restart client, the connection is remade almost instantly.  When switching to TCP, on client restart I get a bunch ( ~9-10 ) of these, "Fri Sep  5 07:44:09 2014 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:1194 [nonblock]", and then it just reestablished the connection.
09:46 < vixus> because my wlan0 device is still assigned an IP from the router
09:46 < GrantK> Not sure which setting/config is causing that tcp-only can't-connect-then-suddently-connect ...
09:55 < GrantK> `man openvpn` states "A  peer  started
09:55 < GrantK>               with tcp-client will attempt to connect, and if that fails, will sleep for 5 seconds", which is apparently what's happening. But, why's it failing -- then not -- to begin with?
09:57 < vixus> i believe i need to push the redirect-gateway and dhcp-option directives to route all traffic through my VPN server
10:03 < vixus> ok, traceroute shows requests are going through my VPN server
10:04 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:04 < vixus> however i get: "ERROR: Linux route add command failed: external program exited with error status: 2" when starting openvpn on the client
10:07 < GrantK> ecrist: at my server, I'm trying to force-drop the VPN connection, `ifdown tun1 -o force`.  syslog @ server says "Stopped ifup managed network interface tun1."  BUT, the openvpn connection is completely unaffected -- neither server nor client vpn log shows a blip, and pings continue between the two uninterrupted.
10:08 < GrantK> Why, or more important HOW, is Openvpn still "up" when the tun connection is supposedly down?
10:14 -!- stephan48 [stephan@opennic/stephan] has quit [Ping timeout: 240 seconds]
10:14 < vixus> here is the entire log: http://sprunge.us/JUWd?log
10:15 < vixus> so my server can connect out fine
10:15 < vixus> and i can connect to my vpn server fine
10:16 < vixus> but i can't connect out on the client (presumably via the server)
10:16 -!- stephan48 [stephan@opennic/stephan] has joined #openvpn
10:22 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
10:22 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:24 < vixus> hmm, i guess it's because i'm trying to duplicate a route since i'm already on my LAN
10:27 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 252 seconds]
10:29 -!- GrantK [~GrantK@bolt.sonic.net] has quit [Quit: GrantK]
10:35 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:41 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
10:41 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
11:00 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
11:01 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
11:01 < CygniX> so when you push "dhcp-option DNS #.#.#.#"  and if the first on the list is dead, does it not try the next?
11:05 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:07 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 276 seconds]
11:12 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
11:22 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:26 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
11:28 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
11:29 < dtrainor> Hi.  Is there a way to test config validity before restarting openvpn?
11:29 < CygniX> doubtful
11:32 < dtrainor> I don't want to break my vpn remotely heh
11:33 < CygniX> uh, just back up your current config, and if the new one does not work, replace it
11:34 < dtrainor> I'm connected to it and wanted to make a change remotely, soo....
11:34 < dtrainor> yeah.
11:34 < dtrainor> Like I said, I don't want to break it remotely.
11:34 < CygniX> how are you connected to it?
11:34 < CygniX> via ssh?
11:34 < dtrainor> How am I connected to my VPN?  Using OpenVPN.  Because VPN.
11:35 < CygniX> we are talking about two different things
11:36 < CygniX> even if you break the server config file which I assume you are attempting to modify, it does not lock you out of the server itself
11:36 < dtrainor> I don't think so but... I'musing OpenVPN right now to connect to my OpenVPN server and that's how I connect to the remote network.  I want to make openvpn server-side changes and I'd rather not bounce openvpn on the remote side, have an erroneous config or simple parse error, and have it not come back up to the effect that I cannot connect to it.
11:36 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:36 < dtrainor> Pretty sure I couldn't connect to the VPN server if OpenVPN failed to restart
11:36 < dtrainor> using openvpn
11:37 < CygniX> again, we are on different pages
11:37 < dtrainor> are you suggesting i stop using openvpn and fall back to ssh?
11:38 < H__> i smell troll
11:38 < CygniX> what am saying is, backup the server.conf, do your modification, restart openvpn, and if you can't connect, ssh into the server and restore the old config file
11:38 < dtrainor> Not trolling one bit, I'm genuinely confused.  I asked about testing a server config before I restart openvpn on the server so I don't lock myself out in the event that openvpn doesn't come up due to erroneous configuraitons or parse errors.
11:39 < CygniX> H__: probably not, he may not understand what he is trying to do
11:39 < dtrainor> I completely understand what I'm trying to do. I promise.  I just don't have SSH access.
11:39 < H__> ok
11:39 < CygniX> how are you accessing the openvpn config files?
11:40 < dtrainor> like i said, through a currently configured, working, operating openvpn connection from my client to my openvpn server
11:41 < dtrainor> eh, even if there was a way to test, i prob wouldn't be comfortable testing it remotely.  i was just curious about the config test.
11:41 < CygniX> I am lost
11:41 < dtrainor> I can't ssh because I'm having to go through a really sad proxy server connecting to my openvpn server which is listening on port 443
11:42 < dtrainor> Sorry - I can't ssh to my openvpn server out-of-bounds of the openvpn connection
11:42 < CygniX> let's start over
11:42 < dtrainor> no need
11:42 < dtrainor> thanks for your time
11:42 < CygniX> where is the openvpn server located, with you or remote location
11:43 < dtrainor> rmeote
11:43 < CygniX> OK, good luck
11:43 < dtrainor> remote
11:43 < dtrainor> it's working fine, just wanted to learn more about openvpn, that's all.
11:44 < CygniX> what you are saying is, without another vpn that you have configured, you can't access that server
11:45 < dtrainor> without the *current* VPN I have configured, I have no access to that server
11:45 < dtrainor> Nothing stops me from running two instances of openvpn to test this, except for the fact that I only have one port that I can use and punch out of this proxy with, which is 443
11:46 < dtrainor> it's a hot mess.
11:46 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Quit: Leaving]
11:46 < CygniX> how does the current working vpn access files on the other remote server that you want to test new openvpn configurations on?
11:47 < CygniX> never mind
11:47 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:47 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
11:47 < dtrainor> oops.
11:47 < CygniX> dtrainor: how does the current working vpn access files on the other remote server that you want to test new openvpn configurations on?
11:48 < CygniX> ssh, ftp, remote desktop?
11:48 < dtrainor> I ssh to that remote openvpn server through the openvpn tunnel
11:49 < CygniX> so right now we are dealing with 3 computers, A, is you, B is the working vpn, C is the test or the one you want to test
11:50 < CygniX> right?
11:50 < CygniX> I am just trying to understand the setup
11:51 < dtrainor> no, two.  A, me, my client, my laptop.  B, my working openvpn server.  I want to test C on B.  I want to modify B's configuration and reconnect A to B and want to know ahead of itme if B's configuration is going to break or not
11:51 < dtrainor> if B's configuration breaks them I'm SOL and can't connect back to the vpn server
11:51 < CygniX> if we are dealing with only 2, there wouldn't be a C :P
11:52 < dtrainor> correct
11:52 < dtrainor> i mean if you want to continue to talk hypotheticals that's cool and i might learn something but i'm not making this config change over the wire, i'll do it when i'm back on-site
11:54 < CygniX> OK i think I am following now
11:55 < CygniX> you are at a location where you wont be able to access the vpn files due to port issues?
11:55 < dtrainor> correct :) lots of policies and firewalls and proxies prevent me from doing anything fun.
11:58 < CygniX> if you are only restricted to only a few ports on the server side, then it makes thing complicated
11:58 < dtrainor> right
11:58 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:58 < dtrainor> restriicted to one port actually, 443, since the proxy only allows 80/443 but my ISP blocks 80
11:59 < CygniX> are any other higher ports opened?
11:59 < CygniX>  say 16634 for example
11:59 < dtrainor> nope, proxy blocks
12:00 < dtrainor> when i say proxy,i mean http proxy
12:00 < dtrainor> i'm using the 'http-proxy' directive which is actually pretty cool
12:01 < CygniX> so you can't send emails at all?
12:01 < dtrainor> well i can, since i have def1 set through my vpn
12:02 < dtrainor> isp blocks inbound 25 as well
12:03 < CygniX> 25 is more outbound, not inbound
12:03 < CygniX> OK, well, that is what happens when you live in Iran :)
12:04 < dtrainor> i understand what you're suggesting, and no it won't work.
12:04 < dtrainor> If by Iran you mean a bank, then yes.  I live in a bank.
12:04 < CygniX> West Bank?
12:04 -!- MaddinXx [~racksteri@91.108.183.34] has joined #openvpn
12:05 < CygniX> running openvpn out of the bank's server. smh
12:05 < CygniX> don't get in trouble
12:05 < dtrainor> haha
12:06 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
12:06 < CygniX> bank network, not server, i meant
12:06 < MaddinXx> Hi there. How can I tell my existing OpenVPN profile (from a VPN supplier) tell to not route a network? E.g. I have private network 192.168.1.0/26 (that works) and enabled static routing on the router for 10.1.0.0/24 -- how can I make 10.1.0.0/24 behave like my 192 net?
12:32 -!- heraclitus [~phobos@unaffiliated/heraclitis] has joined #openvpn
12:33 -!- MaddinXx [~racksteri@91.108.183.34] has quit [Quit: Computer has gone to sleep.]
12:58 -!- Axeman [~axeman3@openvpn/user/axeman] has joined #openvpn
12:58 -!- mode/#openvpn [+v Axeman] by ChanServ
12:58 <+Axeman> !welcome
12:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:59 <+Axeman> !goal
12:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:06 <@krzee> if maddinkx shows back up, someone show him:
13:06 <@krzee> !route_override
13:06 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
13:10 < CygniX> sorry for having to ask again, what's the purpose of pushing mulitple dhcp-option dns where if the 1st on the list fails, it does not choose the next?
13:10 -!- JackWinter_ [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
13:10 <@krzee> thats your os resolver, not openvpn
13:11 <@krzee> or if both are given but only 1 is added then its your up script
13:11 < CygniX> you know what, after a ping test, I notice though the dns is not working, the ip is
13:11 < CygniX> that probably explains why it is not picking the next one on the list
13:14 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
13:22 -!- zeroNones [~textual@187.204.134.104] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
13:29 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
13:30 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
13:35 <+Axeman> is it relatively easy to "downgrade" from access server to community edition?
13:51 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:18 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has joined #openvpn
14:34 -!- dougy [~dbh2@65.200.176.106] has joined #openvpn
14:34 < dougy> Afternoon all
14:34 < dougy> krzee: you around partna
14:48 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 240 seconds]
14:48 -!- dougy [~dbh2@65.200.176.106] has quit [Quit: leaving]
14:56 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 260 seconds]
14:58 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
14:59 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
15:10 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:16 -!- x69x [w00t@try.catch.fail] has joined #openvpn
15:18 -!- x69x [w00t@try.catch.fail] has quit [Client Quit]
15:21 < CygniX> Axeman: community version requires a little work, but it's really easy
15:21 < CygniX> which OS?
15:31 < CygniX> how does the fallback to ipv4 work with ipv6 capable server?
15:46 < CygniX> say client using ipv6 connects to openvpn server with and needs to access a site that is only ipv4
15:48 <+Axeman> yeah CygniX that's what i am trying to figure out - if a noooby like me can do it
15:49 < CygniX> Axeman: easy as the multiplication table of up to 12 :)
15:49  * Axeman takes out calculator ... okay shoot
15:49 < CygniX> lol
15:50 < CygniX> I have done it in 3 different linux distros
15:50 <+Axeman> i got -AS working ... but can't aford to buy 10 licenses for just me and the wife lol
15:51 < CygniX> opensuse, centos, debian
15:51 < CygniX> what is your operating system?
15:51 <+Axeman> what about ldap support?
15:51 <+Axeman> right now, NOTHIGN lol
15:52 <+Axeman> my other option is to fire up a pfSense install and use the package there
15:52 <+Axeman> but iknow nothing of that
15:52 < CygniX> well, AS must have ran on something  :)
15:52 <+Axeman> esxi, using the appliance
15:52 <+Axeman> debian, i me thinks
15:53 -!- kcaj [~kcaj@2a01:7e00:e001:2a1e::1] has joined #openvpn
15:53 < CygniX> OK, if it's debian it's really easy
15:53 < kcaj> Can I set specific DNS resolvers for a client either in the client config file or server side for a specific client?
15:55 <+Axeman> hmm - can i keep that same OS and isntall community on top of it?
15:55 <+Axeman> or is that a surefired way to flux ish up?
15:55 < CygniX> I don't think it can be done for specific user on the server side
15:55 < CygniX> but then again, anything is possible if you can visualize it ;)
15:56 < CygniX> Axeman: is this a VPS?
15:56 < kcaj> CygniX is there an option I can include in the client config?
15:57 <+Axeman> it's a VM on my esxi host
15:57 <+Axeman> CygniX, more on it later. i gotta run. food for thought though
15:57 <+Axeman> i'll be here a bit
15:57 < CygniX> kcaj: see the client example https://openvpn.net/index.php/open-source/documentation/howto.html#examples
15:57 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:58 -!- kcaj [~kcaj@2a01:7e00:e001:2a1e::1] has left #openvpn ["Leaving"]
16:00 -!- arlion_ [~arlion@107.161.181.110] has quit [Quit: Lost terminal]
16:00 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 272 seconds]
16:02 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
16:05 -!- Axeman [~axeman3@openvpn/user/axeman] has quit [Ping timeout: 264 seconds]
16:17 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
16:19 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:21 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
16:48 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 264 seconds]
17:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:41 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has joined #openvpn
17:43 -!- dazo is now known as dazo_afk
17:45 < AngryNapkin> Hello, aside from my not being able to get my vpn working atm, I have a bridged setup that was working. the network I was tunneling into was a 192.168.1.x subnet as well as my home network. I was using the openvpn ip address leasing option to issue an ip in the same subnet. I was able to do things ok through the vpn, but there were some issues when I needed to connect to something that I belive had the same IP on both networks.
17:46 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has joined #openvpn
17:47 < AngryNapkin> Will the tap-bridge interface take care if that for me?
17:55 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Quit: Konversation terminated!]
17:57 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
18:03 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
18:27 <@krzee> why are you bridging?
18:29 < AngryNapkin> yeah
18:29 < AngryNapkin> well. I was until it no longer works. currently trying to work out what is wrong
18:30 < AngryNapkin> I am starting from scratch so i can begin to wrap my head around what I am actually doing, so I thought I would start with my IP issue
18:31 <@krzee> good, since we're starting from scratch, why are you considering bridging?
18:31 <@krzee> !whybridge
18:31 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
18:31 <@krzee> !tunortap
18:31 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:31 <@vpnHelper> rooted/jailbroken) support only tun
18:34 < AngryNapkin> bridging because I have shares I need access too as well as programs that run that require data on them shares
18:34 < AngryNapkin> I do not have a wins server nor do I want to deal with setting one up right now.
18:36 < AngryNapkin> Im not sure what is going on. eveytyhing was working well untill yesturday when I tried to create a new crt for someone else, which failed and something kept crashing, so I updated to the latest version hoping that might fix the issue. long story short....I uninstalled "everything vpn" rebooted, and am now starting from scratch, because....well I just have no clue how I was able to get this working in the past, lol
18:37 <@krzee> sounds like your shares are mounted
18:38 <@krzee> if so, couldnt you mount by ip?
18:38 < AngryNapkin> some yes
18:39 < AngryNapkin> So instead of accessing everything from //server_shares, I could access them by //Server_IP? and do away with bridge?
18:39 <@krzee> yep
18:39 <@krzee> the only part of windows sharing that is l2 is the netbios resolution, which is easily replaced by dns or wins, or ignored all together by using IP
18:40 < AngryNapkin> what of a few apps that use the computer name for data base usage?
18:40 <@krzee> which is why windows smb sharing isnt such a good reason to use a bridge
18:40 <@krzee> depends on the app, does it communicate by IP or mac address?
18:40 < AngryNapkin> that Im not sure. Guess I could setup "tun" and see if the apps stop
18:41 < AngryNapkin> Well where I am at now is i am able to connect and get an IP, just cant seem to ping any IP on the network.
18:47 <@krzee> or you could replace the name with an IP and see if they work
18:47 <@krzee> also, name to IP can be done in hosts file (lmhosts or something like that in windows), or dns
18:49 < AngryNapkin> Well I use this mainly to access files on the work network. As it is, both my Home network and my work network share the common 192.168.1.x ip range
18:49 < AngryNapkin> I have had issues accessing stuff at home when connected to vpn.
18:50 < AngryNapkin> for obvious reasons :) just never bothered me that much
18:50 < AngryNapkin> Will switching to "tun" allow me to access resources on both home and work networks?
18:51 < AngryNapkin> worst case I was going to change the ip range of my home to maybe a 10.x.x.x . just was never a priority. now that I am starting over, I might as well learn all i can
19:09 <@krzee> you should really change your home network
19:09 <@krzee> i would suggest changing both really, but i understand if you're not in that position at $work
19:10 <@krzee> !randomsubnet
19:10 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
19:11 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 264 seconds]
19:11 -!- hays [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
19:12 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
19:20 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
19:21 < AngryNapkin> it would be easiest to change my home network
19:21 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
19:24 -!- zeroNones [~textual@187.204.154.143] has joined #openvpn
20:20 -!- zeroNones [~textual@187.204.154.143] has quit [Ping timeout: 268 seconds]
20:22 -!- Stargazers [stargazers@hilla.kapsi.fi] has joined #openvpn
20:22 < Stargazers> !welcome
20:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:22 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:23 -!- zeroNones [~textual@187.204.190.48] has joined #openvpn
20:24 < Stargazers> Well. I just came to ask one question. I made a script which echo enviroment variable $REMOTE_ADDR. If I put that script on same server than my VPN server is and run it (when OpenVPN is running), I see my actual IP. When I put that script on another server -> I see my VPN IP.
20:24 < Stargazers> Just curious, why I see my actual IP if that script is running on same server than my VPN?
20:32 -!- zeroNones [~textual@187.204.190.48] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:41 < AngryNapkin> So In trying to learn about this, i installed openVPN in virtualbox. Im having TLS issues connecting to it. Is there a known issue trying to do this using virtualbox?
20:46 <@krzee> "tls issues" ?
20:46 <@krzee> as in, timeout?
20:48 < AngryNapkin> got a bunch of: "tls inital packet from [af_inet]my_host_ip, sid=random_numbers
20:48 <@krzee> always initial packets?
20:48 <@krzee> post the logs at verb 5
20:49 < AngryNapkin> tried to paste them in here, but its not alowing me to paste
20:49 <@krzee> !paste
20:49 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
20:50 < AngryNapkin> this is on the server Side: https://gist.github.com/anonymous/1283e455a994e932043f
20:50 <@vpnHelper> Title: gist:1283e455a994e932043f (at gist.github.com)
20:52 < AngryNapkin> this is on my side trying to connect: https://gist.github.com/anonymous/717fc07268adf4f43565
20:52 <@vpnHelper> Title: gist:717fc07268adf4f43565 (at gist.github.com)
20:52 -!- zeroNones [~textual@187.204.190.48] has joined #openvpn
20:58 < AngryNapkin> I did create the server and clients certs on the same machine and did not do a request. could this be the issue its rejecting it?
21:05 <@krzee> ya you made certs wrong
21:05 <@krzee> start over
21:05 <@krzee> !easy-rsa
21:05 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
21:05 <@krzee> #2 for newest easy-rsa and #3 for how to use it
21:06 < AngryNapkin> k, Ill redo it.
21:15 < AngryNapkin> I am getting the same errors. Used QuickStart on #3
21:16 < AngryNapkin> Dropped both firwalls as well
21:18 <@krzee> its certs
21:18 <@krzee> !certverify
21:18 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
21:20 < AngryNapkin> this has nothing to so with being self signed correct?
21:21 <@krzee> no, self-signed is good
21:21 <@krzee> means you are only trusting you
21:21 <@krzee> as opposed to having some 3rd party control your access
21:22 < AngryNapkin> Well i copied them over through vb shared network, I didnt check if the check sum was good through. Ill look at that now.
21:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:29 -!- moonkid [~anonymous@89.248.166.138] has joined #openvpn
21:40 < AngryNapkin> Im sorry, but running openssl in windows 8 is proving to be something that is not likley going to happen. argggg
21:40 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
21:41 <@krzee> cant say id really want to trust the MS RNG anyways
21:42 < AngryNapkin> lol
21:43 <@krzee> well we know MS works with nsa, and we know the NSA has weakened RNG in some places
21:43 <@krzee> so ya, im being serious, i really wouldnt use ms stuff to make my keys
21:43 <@krzee> of course thats me
21:48 < AngryNapkin> well security reduced by nsa aside, this should still be working I would think
21:51 -!- moonkid [~anonymous@89.248.166.138] has quit [Quit: moonkid]
21:51 <@krzee> yep, if you did it right
21:51 <@krzee> !certverify
21:51 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
21:52 < AngryNapkin> This might sound stupid, but which files do I need to copy to the server? The ca.crt, the server.crt, the server.key and the dh.pem right?
21:52 <@krzee> the howto goes over it
21:52 <@krzee> !howto
21:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
21:53 <@krzee> it has a table of what files go where
21:54 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 255 seconds]
21:56 < AngryNapkin> yeah because the checksums all look good, so i have to have missed something
21:57 <@krzee> you ran the openssl command… right?
21:57 <@krzee> aka #1 in certverify
21:57 < AngryNapkin> The openssl command would not execute, I was given errors
21:58 <@krzee> right
21:58 <@krzee> those errors are your system rejecting it, i bet
21:58 < AngryNapkin> 2480:error:0200107B:system library:fopen:Unknown error:bss_file.c:169:fopen('"c:\Program Files\OpenVPN\easy-rsa\openssl-
21:58 < AngryNapkin> 1.0.0.cnf"','rb')
21:58 < AngryNapkin> 2480:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
21:58 < AngryNapkin> 2480:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
21:58 < AngryNapkin> well there wasnt a happy face on the command line, lol
21:59 <@krzee> thats just your irc client, i dont see happy faces
21:59 < AngryNapkin> oh ok
21:59 <@krzee> ya i dunno what the problem is, i dont use windows
21:59 <@krzee> !windows
21:59 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
22:00 < AngryNapkin> yeah those explain it
22:01 < AngryNapkin> so this should be working, even with virtual box (set in bridged mode) if ihave done everything correct/
22:02 < AngryNapkin> Maybe I should try running it nativly on my comp and try connecting to it from another comp on my network and see if it connects
22:02 <@krzee> i know others have used virtualbox, and i dunno about them being on the same computer, but i do know your error is bad certs
22:03 < AngryNapkin> well tomorrow I launch a live cd and do it from in linux and see if that fixes it. Maybe your onto somehting and windows / nsa breaking something
22:04 < AngryNapkin> I mean I am am running the poster child of security operating systems. Its so secure it doesnt wok.
22:05 < AngryNapkin> But I have a fully functioning mouse pad.
22:06 <@krzee> nsa has nothing to do with your problem
22:06 <@krzee> all i said is that i wouldnt be trusting a closed source RNG from ms
22:07 <@krzee> and that ms has a history of working with nsa
22:08 < AngryNapkin> well if its alright, I would still like to place blame on them :0
22:09 < AngryNapkin> Well thank you for all the help. I have much reading to do on this. I hope  get this back up over the weekend. Have a good night.
22:09 < pekster> krzee: That's why openssl uses RAND_screen from RAND_add(3) for PRNG seeding
22:10 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has left #openvpn []
22:15 < pekster> Sort of an improvement anyway, for those without open OSes
22:18 <@krzee> the licensed impaired ;)
23:04 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has quit [Excess Flood]
23:43 -!- ShadniX [dagger@p5DDFD607.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:44 -!- ShadniX [dagger@p5481C721.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Sep 06 2014
00:03 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
00:09 -!- zeroNones [~textual@187.204.190.48] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:30 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
00:32 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has joined #openvpn
00:36 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 276 seconds]
00:55 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
00:59 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 245 seconds]
01:38 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
01:40 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:47 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
01:57 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
01:59 -!- Denial [~Denial@host86-148-139-67.range86-148.btcentralplus.com] has quit [Ping timeout: 260 seconds]
02:42 < cesurasean1> how would i go about adding ip route add 192.168.88.5/32 dev ppp0 (tun1) ?
02:43 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 272 seconds]
02:43 -!- ryn`_ [~ryn@1-163-181-46.dynamic.hinet.net] has joined #openvpn
02:57 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
03:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:09 -!- heraclitus [~phobos@unaffiliated/heraclitis] has quit [Quit: Leaving]
03:18 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
04:08 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
04:11 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
04:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:50 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
05:05 -!- Guest73367 [~ltf@unaffiliated/edmundf] has joined #openvpn
05:22 -!- Guest73367 [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
05:23 -!- blacklight [~blackligh@dhcp-077-248-103-251.chello.nl] has joined #openvpn
05:24 < blacklight> hi all, i've got an issue with the new easy-rsa system...i am going to set up a new client on an existing openvpn system, and i've just realized that easy-rsa is no longer part of the distribution
05:25 < blacklight> i've cloned the new easy-rsa project, but i can't find any documentation on how to generate client crt/key for an existing openvpn installation
05:25 < blacklight> all the examples report how to do a ca+server+client installation from scratch
05:49 -!- blacklight [~blackligh@dhcp-077-248-103-251.chello.nl] has left #openvpn [":wq!"]
05:52 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
05:52 -!- PersonX [~Px12@117.199.169.203] has quit [Max SendQ exceeded]
06:00 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
06:00 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:00 -!- PersonX [~Px12@117.199.169.203] has quit [Max SendQ exceeded]
06:21 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
06:23 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 260 seconds]
06:23 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 260 seconds]
06:23 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
06:24 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
06:25 -!- PersonX [~Px12@117.199.169.203] has quit [Max SendQ exceeded]
06:25 -!- abbe [having@badti.me] has joined #openvpn
06:26 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
06:27 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
06:28 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
06:51 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
07:01 -!- PersonX [~Px12@117.199.169.203] has quit [Remote host closed the connection]
07:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 264 seconds]
07:15 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
07:19 -!- PersonX [~Px12@117.199.169.203] has quit [Read error: Connection reset by peer]
07:23 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
07:26 < aub> i’m trying to connect to a client’s VPN hosted on Softlayer, which gives instructions for connecting with PPTP (http://knowledgelayer.softlayer.com/procedure/set-pptp-vpn-ubuntu). i’m having a million problems: hangs, modem drops, packet loss. would it be possible to connect with OpenVPN, or anything else?
07:26 <@vpnHelper> Title: Set Up PPTP VPN for Ubuntu | KnowledgeLayer (at knowledgelayer.softlayer.com)
07:30 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:30 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
07:34 -!- Sicelo [Sicelo@unaffiliated/sicelo] has joined #openvpn
07:54 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
07:56 < zoidberg-> Hello all, I have a dual homed linux router 1 gateway is my ISP another is the VPN (openvpn tunnel).  I have a dns server (dnsmasq) running on the linux router.  all lan traffic goes out the vpn, but when i do dns queries or ping or resolve anything, the dns goes out over ppp0 and not tun0 and i have no idea why? iproutes set to route 192.168.1.x through the vpn, which it does, but when i tcpdump ppp0 i see just dn requests from 192.168.1.0 going out ov
07:56 < zoidberg-> dns sever is 192.168.1.1
07:57 < zoidberg-> but the router itself routes out by default via ppp0 so i think thats the issue although im not sure why
08:00 -!- PersonX [~Px12@117.199.169.203] has quit [Remote host closed the connection]
08:00 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Quit: aub]
08:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 268 seconds]
08:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:11 -!- zeroNones [~textual@187.204.190.48] has joined #openvpn
08:18 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
08:23 -!- PersonX [~Px12@117.199.169.203] has quit [Read error: Connection reset by peer]
08:26 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
08:30 -!- PersonX [~Px12@117.199.169.203] has quit [Read error: Connection reset by peer]
08:36 -!- Latrina [~Latrina@ppp-7-17.26-151.libero.it] has quit [Ping timeout: 245 seconds]
08:40 -!- Latrina [~Latrina@adsl-ull-101-252.45-151.net24.it] has joined #openvpn
08:43 -!- zeroNones [~textual@187.204.190.48] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
08:43 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:46 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
08:49 -!- PersonX [~Px12@117.199.169.203] has quit [Read error: Connection reset by peer]
08:54 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
08:55 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
08:55 -!- PersonX [~Px12@117.199.169.203] has quit [Max SendQ exceeded]
09:01 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
09:11 -!- PersonX [~Px12@117.199.169.203] has quit [Remote host closed the connection]
09:16 -!- PersonX [~Px12@117.199.169.203] has joined #openvpn
09:23 -!- linuxthefish_ [~linuxthef@unaffiliated/edmundf] has joined #openvpn
09:27 -!- serzuz [~serzuz@2a03:ca81:1200:4:1234:1234:3fb2:b79] has joined #openvpn
09:27 < serzuz> Hay there someone who can help me?
09:27 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
09:28 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Client Quit]
09:29 <@plaisthos> !ask
09:29 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
09:29 < serzuz> !ask
09:29 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
09:30 < linuxthefish_> ok
09:31 < serzuz> I have a OpenVPN Server running on Wheezy, i connected with a Client running on Ubuntu to the Server, i added route-nopull to my config to ensure i dont use the openvn connection as default gateway but i cant ping the openvpn server after i did that any ideas?
09:31 < serzuz> route missing?
09:32 < serzuz> my config from the client: http://pastebin.com/zKWTCqej
09:33 <@plaisthos> serzuz: do you try to ping the internal or external IP?
09:34 < serzuz> internal, the server uses 10.8.0.1 and the client as i rember 10.8.0.6 and i tried to ping the Server from the Client it didnt worked
09:35 < serzuz> when i am not using route-nopull it works but then its using the default gateway what i dont want
09:35 < serzuz> the vpn connection as default gateway
09:36 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has joined #openvpn
09:42 -!- PersonX [~Px12@117.199.169.203] has quit [Remote host closed the connection]
09:47 < serzuz> no idea?
09:48 -!- PersonX [~Px12@117.199.170.188] has joined #openvpn
09:50 -!- PersonX [~Px12@117.199.170.188] has quit [Read error: Connection reset by peer]
09:54 -!- PersonX [~Px12@117.199.170.188] has joined #openvpn
10:05 < AngryNapkin> I was having issues with TLS errors when trying to connect. Did some reading and found it was because the line in the openvpn config file "ns-cert-type server". Commenting this out allowed me to connect. I read this is depreciated? Is that true and its not needed anymore?
10:26 <@krzee> !mitm
10:26 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
10:26 <@krzee> see #3
10:34 < AngryNapkin> this stuff is really confusing. Most these links refer to the old version of easy-rsa. Is there still a "build-key-server" in 3?
10:40 < AngryNapkin> It seems just adding "remote-cert-tls server" to the client config works too.
10:40 <@krzee> right
10:40 <@krzee> which was said above in #3
10:40 < AngryNapkin> no "build-key-server" needed then anymore?
10:40 <@krzee> dunno i dont use easy-rsa
10:40 <@krzee> just follow the instructions ;]
10:40 <@krzee> (for the version you're using)
10:41 < AngryNapkin> I wasnt clear what you were saying. I looked at all, didnt know you were pointing m to #3 alone :)
10:41 <@krzee> well i said <krzee> see #3
10:41 <@krzee> then i gave you time to figure it out, which you did
10:41 < AngryNapkin> yeah I understand now. Hind signt
10:42 < AngryNapkin> So is this the line that says I am indeed using "remote-cert-tls"?
10:42 < AngryNapkin> Validating certificate extended key usage
10:42 < AngryNapkin> Sat Sep 06 08:38:51 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
10:42 < AngryNapkin> Sat Sep 06 08:38:51 2014 VERIFY EKU OK
10:48 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
10:51 <@krzee> so it was built in such a way that remote-cert-tls works.
10:51 <@krzee> if it was built the old way then ns-cert-type would work
10:51 <@krzee> different ways of doing the same thing
10:52 <@krzee> openvpn supported it before the remote-cert-tls way became standard
10:54 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
10:56 < AngryNapkin> cant believe how many times i rebuilt the certs thinking i did something wrong and here all it was is a config setting. Which is not listed in the sample config for the new version of openvpn.
10:56 < CygniX> when one set up ipv6 connection and connect through it, is it possible for the server to also assign ipv4 to the client, this way accessing none ipv6 sites wont be an issue?
10:57 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
11:00 <@krzee> CygniX, yes, also use --server
11:00 <@krzee> they arent exclusive to eachother
11:00 <@krzee> in fact you used to HAVE TO use --server to use --server-ipv6
11:03 < CygniX> krzee: i am not familiar with "--server" usage, while, ipv4 is working file, and I have both a /64 /112, the wiki is not clear on how to enable ipv6 support
11:03 <@krzee> !ipv6
11:03 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
11:04 <@krzee> if you're not familiar with --server you may want to read about it in the manual, i suggest that for ANY config option you may need or already be using
11:06 < CygniX> let me read up on it again, though like I said, I have read the ipv6 wiki and it's not clear
11:07 <@krzee> i bet the section of the manual linked in !ipv6 helps :-p
11:07 <@krzee> "IPv6 Related Options" and theres only 6 of them
11:08 <@krzee> if you have ideas for how to make the wiki more clear, please do feel free to contribute, the wiki and forum use the same login/password
11:08 <@krzee> it seems pretty clear to me, but i also dont use ipv6
11:09 < CygniX> if i can get it working, sure, i'll be able to see why i was not understanding it
11:09 <@krzee> i thought you said you had ipv6 working
11:09 <@krzee> do you not?
11:10 < CygniX> no, no, I have ipv4 working, and the server has ipv6
11:10 < CygniX> i meet the ipv6 requirement just don't have it setup yet
11:11 <@krzee> assuming the entire ipv6 netblock is routed to you and you are not already using ANY of it
11:11 <@krzee> then its pretty easy...
11:11 <@krzee> Config stanza using the helper ¶
11:11 <@krzee>  Add the following to a functioning OpenVPN config:
11:11 <@krzee> server-ipv6 2001:db8:123::/64
11:16 < CygniX> for example, here is my my block abcd:ef12:3456:7890/64
11:17 < CygniX> f it, here is the ip6 block 2605:6400:0020:4f80:0000:0000:0000:0000/64
11:17 <@krzee> are you already using ANY of it?
11:18 < CygniX> no
11:18 <@krzee> nice
11:18 <@krzee> but its already routed to you, right?
11:18 < CygniX> all of it is routed to my vps
11:18 <@krzee> --server-ipv6 2605:6400:0020:4f80::/64
11:19 < CygniX> let me verify, am not already using one or 2 on the bock for ssh
11:19 <@krzee> im not just talking if you're "using", i mean none can be assigned
11:19 <@krzee> for the easy way its all or none of the routed block goes to openvpn
11:20 <@krzee> so im not asking if there is active traffic to them, im asking if they exist on any ifconfig's anywhere
11:22 < CygniX> krzee: here is the interface setup http://paste.debian.net/plain/119611
11:23 <@krzee> it cant be there
11:23 <@krzee> openvpn will handle that
11:23 <@krzee> oh wait you have the whole bigger subnet?
11:23 <@krzee> and routed that to the vps?
11:24 < CygniX> I have an /64 subnet
11:24 <@krzee> ok and thats you taking control of it?
11:24 < CygniX> right
11:24 <@krzee> ya i think you need to comment that stuff out
11:25 -!- Tykling [tykling@gibfest.dk] has quit [Excess Flood]
11:25 < CygniX> see, this is why the wiki is confusing
11:25 <@krzee> well thats kinda general networking
11:26 <@krzee> you dont put 10.8.0.1 on your eth0 before you claim the subnet for openvpn
11:27 <@krzee> you can also have --server give out an ipv4 subnet directly if you happen to have an entire free subnet routed to the box, but you cannot split a bigger allocation, gotta be using the network ip for openvpn
11:27 <@krzee> instead of using a rfc1918 non-routable subnet for --server
11:30 < CygniX> so instead of using the entire /64 for openvpn, i could just take a /112 out of that
11:31 <@krzee> thats what i was just saying you cannot do while doing stuff the easy way
11:31 <@krzee> but in the wiki they talk about how you may do that
11:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
11:32 <@krzee> https://community.openvpn.net/openvpn/wiki/IPv6#SplittingasingleroutableIPv6netblock
11:32 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
11:33 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has left #openvpn []
11:34 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
11:35 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:37 < CygniX> krzee: ok I added '--server-ipv6 2605:6400:0020:4f80::/64' to the bottom of the server.conf
11:37 <@krzee> did you already stop using the subnet everywhere else first?
11:38 -!- Tykling [tykling@gibfest.dk] has quit [Excess Flood]
11:38 < CygniX> i commented out the settings I linked earlier from the interface
11:38 <@krzee> and rebooted or manually got rid of them too?
11:38 < CygniX> not yet
11:38 <@krzee> well
11:39 <@krzee> heh
11:39 < CygniX> but you mean, all i needed was that single line?
11:39 < CygniX> how about the gateway, netmask
11:40 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
11:43 < CygniX> krzee: 'ip a' does not show the ip 6
11:43 < CygniX> i restarted the interface
11:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
12:06 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:16 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
12:38 < CygniX> so after adding the configurations, running 'netstat -tapnu' does not show openvpn on udp6 listening
12:48 -!- roentgen_ [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
12:50 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
12:52 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
12:54 <@krzee> you didnt say anything about it LISTENING on ipv6
12:54 <@krzee> you said you wanted it to hand out ipv6 ips
12:54 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
13:09 < CygniX> krzee: the reason i wanted to get ipv6 working is because phone isp only offer ip6 now
13:09 < CygniX> so in order to use vpn, i need it to be able to connect via ipv6
13:09 <@krzee> you were pretty clear that you were talking about handing out ipv6 ips
13:10 <@krzee> di you see the top of the wiki?
13:10 <@krzee> did*
13:10 <@krzee> its pretty clear about how easy it is to listen on ipv6, of course your server needs to have an ipv6 IP to do that
13:10 < CygniX> add proto udp6
13:10 <@krzee> listening on ipv6 and handing out ipv6 ips are TOTALLY separate and not really even related
13:10 <@krzee> yes
13:11 < CygniX> somehow i over looked that
13:12 < CygniX> ok that did it
13:13 < CygniX> and just my luck, am on android 4.4.2 which has a bug
13:14 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
13:14 <@krzee> no wonder the wiki was confusing, you skimmed it
13:15 < CygniX> honestly, that wasn't it
13:16 < CygniX> I read the entire wiki months ago when I first tried getting it to work
13:17 < CygniX> I was having a hard time with the helper vs the directive
13:17 <@krzee> ya i added that part 11 days ago
13:17 < CygniX> it makes a little more sense now that I spent more time with ipv6
13:17 <@krzee> 7 	11 days	krzee	added udp6 for ipv6 transport
13:18 < CygniX> I see
13:20 < CygniX> and to my luck, i also bricked my router that allowed me ipv6 connection from home
13:20 < CygniX> lol
13:20 < CygniX> so now, I have no way to test it
13:20 <@krzee> the helper is just to try and make things easier for you. when you require more control than given by the helper you must do the individual commands, --server and --server-ipv6 are merely macros that expand to multiple config options
13:21 < CygniX> krzee: it makes sense now
13:21 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
13:23 < CygniX> this is my server.conf ipv6  settings http://paste.debian.net/plain/119624
13:25 <@krzee> i thought you didnt need ipv6 inside
13:25 <@krzee> thought you just said you were just looking for ipv6 transport
13:25 <@krzee> o.O
13:25 < CygniX> you mean the udp
13:25 < CygniX> oh, that is added at the top
13:26 < CygniX> i didn't add it to the paste
13:26 <@krzee> <CygniX> krzee: the reason i wanted to get ipv6 working is because phone isp only offer ip6 now
13:26 <@krzee> you can still just use ipv4 inside the tunnel if thats all you want
13:26 <@krzee> you dont need server-ipv6 to use proto udp6
13:26 <@krzee> they are totally different and unrelated
13:28 < CygniX> hmmm
13:41 < CygniX> success, I can now connect via ip6
13:41 < CygniX> thanks for the guidance krzee
13:41 <@krzee> np
13:43 < CygniX> i am now only using proto udp6, --server-ipv6 2605:6400:0020:4f80::/64, and push "route-ipv6 2000::/3" in server.conf
13:43 <@krzee> you only need proto udp6 to listen on ipv6
13:44 <@krzee> we only talked about --server-ipv6 and stuff because:
13:44 <@krzee> !xy
13:44 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
13:44 < CygniX> I guess you could say, i didn't really know what I wanted
13:45 < CygniX> or well, I know what the problem was, but didn't really know the right solution
13:45 < CygniX> more importantly, i learned :)
13:46 < CygniX> the server option assigns ipv6 to the client, while if i used just proto udp6, i can connect via ip6 and get ipv4
13:47 <@krzee> ++
13:49 < Sicelo> krzee: how would one know if the whole ipv6 subnet is routed to them?
13:49 < CygniX> thanks again for the help and patience krzeei really appreciate it
13:50 <@krzee> right
13:50 <@krzee> Sicelo, not sure how to answer that
13:50 < Sicelo> ok :)
13:51 < CygniX> Sicelo: your provider will usually tell you
13:53 < Sicelo> the vps is my friend's, and he seems to believe so. but we're having problems with the vpn which make me wonder if the subnet is really routed to his vps. problem is also that his english is awful (chinese, no offence)
13:53 < CygniX> the provider 99.99% of vps provider will tell you if you get a subnet or just a few ipv6
13:54 < CygniX> if you know the provider, you can check their network configuration page
13:55 < Sicelo> thanks. that should help
14:12 -!- sauce [sauce@unaffiliated/sauce] has quit [Ping timeout: 252 seconds]
14:12 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 252 seconds]
14:12 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
14:13 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has quit [Ping timeout: 252 seconds]
14:14 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 245 seconds]
14:15 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
14:16 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 252 seconds]
14:16 -!- Netsplit *.net <-> *.split quits: Chais, nsrafk, Cultist, _FBi, jgeboski
14:18 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
14:18 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!]
14:18 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
14:18 -!- mode/#openvpn [+o dazo] by ChanServ
14:18 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
14:20 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
14:25 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has joined #openvpn
14:26 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
14:26 < tiblock> Hi. I have linux server running openvpn and i had client on windows and all was good. But now i have linux client and after connect internet stops working, here is my configs http://pastebin.com/5gDCAxY6 if i remove "push "redirect-gateway def1"" then internet works and ping to server too. ip_forwarding=1 and iptable rule to change source IP. What problem can me?
14:27 < tiblock> also i do this for my friend true teamviewer and i lost control after internet stop working, so its hard.
14:29 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
14:29 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
14:29 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
14:29 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:31 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
14:34 -!- Tykling [~tykling@gibfest.dk] has joined #openvpn
14:35 < tiblock> is there some option in linux client to make "push "redirect-gateway def1"" work?
14:36 -!- H__ [~H__@unaffiliated/h/x-9670680] has left #openvpn ["bye"]
14:37 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
14:40 < tiblock> not actual anymore, user will install windows back
14:40 -!- Tykling [~tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
14:40 -!- PersonX [~Px12@117.199.170.188] has quit [Ping timeout: 260 seconds]
14:40 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Quit: aub]
14:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:43 -!- mode/#openvpn [+o krzee] by ChanServ
14:47 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
14:48 < CygniX> so opnvpn wont use ip6 nat?
14:48 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
14:52 < Hello71> "opnvpn" doesn't care how to access the internet
14:55 < CygniX> maybe the question was framed wrongly
14:56 < CygniX> could openvpn be setup with ipv6 nat to assign ip6 from that address from that block.
14:56 < CygniX> i was under the impression ipv6 does not do nat, but someone says, it does
14:56 < Hello71> you shouldn't be using ipv6 nat in the first place.
14:57 < Hello71> !next
15:05 < pekster> There are advanced reasons for wanting NAT on IPv6, but using it for the purpose of "NAT Overload" is Almost Always Wrong™
15:06  * CygniX is saying no to IPV6 NAT
15:06 < CygniX> it require at least kernel 3.7
15:07 < Hello71> lol
15:09 < CygniX> the reason i might be forced to use it is, vps provider may require each ip be define in the system before it can be used on the vps even though you have a /64 block
15:10 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has joined #openvpn
15:11 < joe9> Does openvpn client need to bind to a local port? Without nobind, it binds to *::1194 and with nobind, it binds to a random port, *:32138. I am trying to figure out if openvpn client actually needs to bind to a port? and, does that port have to be opened in the firewall?
15:12 < Hello71> *:: makes no sense
15:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:15 < pekster> joe9: Typically there's no use doing that on a client (web browsers just let the OS pick an ephemeral source port.) Strict outbound firewalls might require more care, though
15:15 < pekster> General rule: use --nobind on clients unless you have a good reason not to
15:15 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
15:17 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
15:17 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has joined #openvpn
15:18 < joe9> pekster: Hello71: Thanks for the response. I do not like services listening on *: interface. Hence, I wanted to check if it would work with localhost:32138  or localhost:1194 (as nobind does not go along with lport).
15:18 < joe9> Hello71: sorry about the *::, it should be *:
15:18 < pekster> Nnetwork services do not listen on an interface; they bind to IPs (bind(2) says so)
15:18 < joe9> as nobind does not go along with local
15:19 < pekster> Binding to anything on 127/8 is silly for a VPN unless you are testing and strictly want to allow connections from your _own_ system only
15:19 < pekster> Adjust your bind IP with --local
15:19 < Hello71> "do not like services listening on *: interface"
15:19 < Hello71> 1. *: isn't an interface
15:20 < Hello71> 2. that is still dumb
15:20 < Hello71> 3. :::1194, better?
15:20 < joe9> Hello71: sorry to upset you.
15:21 < joe9> pekster: I understand the need for the openvpn server to bind to *:1194 (as the clients connect to it) and to open the port in the firewall.
15:21 < pekster> It's largely useless to use --local on a client for 2 reasons: 1) clients are not typically multi-homed, and 2) openvpn already verifies the traffic from the peer is cryptographically signed
15:22 < pekster> use it if you want, but clients on dynamic connections will require extra care doing so
15:24 < pekster> You might also wish to review more useful ways to be security-concious here:
15:24 < pekster> !hardening
15:24 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
15:25 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has joined #openvpn
15:25 < skd5aner> Hello everyone!
15:26 < joe9> pekster: thanks.
15:26 < skd5aner> I'm a newb when it comes to OpenVPN, but I've made great progress over the last few days getting a site-to-site VPN working between two routers that run openvpn...
15:27 < skd5aner> I'm using Tun, and I'm able to ping everything on the server side, from the client side...
15:27 < skd5aner> but, I can no do the opposite
15:27 < skd5aner> I have a feeling I'm misisng something simple like a route on the server router
15:28 < skd5aner> thoughts?
15:28 < Hello71> skd5aner: ping = ping request + reply?
15:30 < skd5aner> correct... on the client side, I can ping (and get a reply) from any machine that is in the client subnet, vpn subnet, or server subnet
15:30 < skd5aner> however, on the server side, I can't ping anything on the client subnet
15:30 < Hello71> nat?
15:31 < skd5aner> It's possible that NAT is the issue
15:31 < skd5aner> how can I check?
15:31 < pekster> !clientlan
15:31 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
15:31 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
15:31 < pekster> Flowchart++
15:32 < skd5aner> ok, thank you - sorry if I'm not leveraging the right terminology, I'll check that out...
15:32 < pekster> That's what you should follow for allowing the server (or a LAN behind your server) to reach the LAN behind the client
15:32 < skd5aner> pekster: awesome flow chart, I'll go through it and come back in a few
15:33 < skd5aner> ty
15:33 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
15:37 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!]
15:39 < Sicelo> trying to configure ipv6 through the openvpn tunnel. having spoken to the owner of the server, it appears split netblock configuration must be used. however i don't quite get step 2 of https://community.openvpn.net/openvpn/wiki/IPv6#Splitnetblockconfiguration
15:39 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
15:40 < pekster> That's a dirty hack
15:40 < pekster> It's really stupid, used for when your network is badly managed
15:41 < pekster> Get a properly routed block of any sane size and use that. Surely your network can be set up such that you get routed a /112 or something?
15:41 < pekster> If not, find a provider who's not clueless (which sadly, not many)
15:41 < pekster> "Bottom of the barrel" has its drawbacks
15:41 < Sicelo> so i can't make it work as is for now?
15:42 < pekster> I've no clue without seeing the configs from both sides
15:42 < pekster> But anyitme you're trying to "subnet an existing broadcast domain" you're doing things very wrong from the start
15:42 < pekster> Just route properly and life is far better
15:43 < Sicelo> the guy who owns the vps tried to explain to me the 'differences' in this setup, but i was kinda lost. let me show you the existing config ..
15:43 < pekster> _both_ sides or this won't be very helpful
15:43 -!- Kieran [~Kieran@ip-45-19.bnaa.dk] has joined #openvpn
15:44 < joe9> pekster: quick question, i understand the need for the server to bind and listen on an interface. But, I do not understand if the client needs to do that too? http://askubuntu.com/questions/507721/is-it-normal-for-openvpn-client-to-do-this is my question too.
15:44 < Kieran> !welcome
15:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:44 <@vpnHelper> Title: networking - Is it normal for openvpn-client to do this? - Ask Ubuntu (at askubuntu.com)
15:44 < Kieran> !goal
15:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:44 < pekster> joe9: No, it does not. Doing so makes your life needlessly complex, so do not do it
15:44 < pekster> If you do so, you _will_ break things if you *ever* change your client IP. So don't do that
15:45 < Sicelo> http://paste.debian.net/119649/ << pekster, this is the config for the server. on client i add the default route manually for now
15:46 < Sicelo> his block is 2001:19f0:7000:8404::/64
15:46 < serzuz> how can i stop openvpn to overwrite my default route?
15:46 < pekster> huh?
15:46 < pekster> wtf are you doing with a /65?
15:46 < pekster> !goal
15:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:46 < pekster> What are you trying to _do_ here?
15:47 < Sicelo> my client is on IPv4, and i want to be able to use IPv6 on client through the vpn
15:47 < pekster> And what is "his block" -- you can *ONLY* route traffic that you are routed initially
15:47 < joe9> pekster: this is my client.conf http://codepad.org/QbC6atOI. without the "nobind", the openvpn binds to *:1194, with that, it binds to a dynamic port.
15:47 < pekster> Yes. Just use --nobind. Why would you not do that?
15:48 < pekster> It's not a security problem; stop pretending it is
15:49 < pekster> Sicelo: Then you need a properly _routed_ block sent to your VPN client for your use on downstream clients, _or_ you need NAT. Why don't you just get a real IPv6 tunnel broker?
15:49 < pekster> Or an ISP that provides native-v6 ;)
15:49 < Sicelo> :)
15:49 < joe9> pekster: Even with --nobind, openvpn client still listens on some port, correct?
15:50 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
15:50 < pekster> Naturally. How do you expect UDP to work if it's not bound to a port?
15:50 < Sicelo> easier said than done here in South Africa .. no IPv6
15:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:50 -!- Kieran [~Kieran@ip-45-19.bnaa.dk] has quit [Quit: Leaving]
15:50 < pekster> So broker?
15:50 < pekster> google: IPv6 Tunnel Broker. Wikipedia has an entire list of them
15:51 < Sicelo> i don't even have a public IPv4 address. my friend was hoping we could get openvpn running nicely enough for me to use Ipv6 if need too
15:51 < pekster> Then route it correctly
15:51 < serzuz> how can i stop openvpn to overwrite my default route? when i use route-nopull it works but i cant ping any vpn clients
15:51 < pekster> If you want to use a block for your LAN, you can _NOT_ use it on the VPN. You could potentially _route_ it across your VPN, but do not do stupid things like "splitting a tap netblock" -- that's retarted
15:52 < pekster> SLAAC requires you get routed a /64 anyway, so if you have less than that you can't use SLAAC, which is probably not what you want
15:52 < pekster> tl;dr: get a bloody tunnel broker and be done with it. You can get a /48 if you need it
15:52 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:52 < Sicelo> thanks. looks like we're trying to rape openvpn :D
15:53 < pekster> And sane networking
15:53 < Sicelo> i'll be happy with having access to my computer from anywhere via my phone
15:53 < pekster> OpenVPN is just a router; sounds to me like you're having trouble with routing basics more than anything
15:53 < serzuz> no one who can help?
15:54 < Sicelo> i agree. that's where i was hoping you'd help :(
15:54 < pekster> Ignore the bullshit about "splitting" networks on that IPv6 page. I need to re-write it so it sucks less, by putting the hacky shit on a subpage. You need a _ROUTED_ block if you want to route it to a LAN downstream
15:54 < Sicelo> thanks. will note
15:55 < pekster> You can not use this block _for_ the VPN. You need to route it the traditional way to the VPN server from the upstream network provider, then use an --iroute-ipv6 to route it to the VPN client
15:55 < pekster> *then* you assign it to a LAN behind that VPN client (which could be a VPN server-based LAN -- that doesn't matter from a routing standpoint)
15:55 < Sicelo> serzuz: i think you won't ping other clients without 'client-to-client' enabled in your server config
15:55 < pekster> They will, if you allow IP-forwarding and configure your fireall to do so
15:55 < pekster> !c2c
15:55 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
15:55 <@vpnHelper> behind other clients
15:56 < pekster> c2c is for "bypassing" your firewall/routing in the OS/kernel and asking openvpn to do it for you, without any firewalling
15:56 < Sicelo> wow. didn't understand that either
15:56 < serzuz> hmmm
15:56 < serzuz> Options error: --client-to-client requires --mode server
15:56 < serzuz> but i dont want to run it as server
15:57 < pekster> serzuz: Don't use --redirect-gateway if you don't want your route changing. You should use def1 anyway (read: !def1 for detail)
15:57 < Sicelo> serzuz: i can't help. got my own mess here :D
15:57 < Sicelo> !def1
15:57 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:57 < pekster> OpenVPN does _not_ mess with your OS routes by default
15:57 < pekster> You must ask it to do so
15:57 < pekster> c2c is a server option, not a client 1
15:57 < serzuz> !def1
15:58 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:58 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
15:58 < CygniX> are you able to select multiple local ips or you must run different instance, or allow all?
16:01 < pekster> huh?
16:01 < pekster> context?
16:02 < CygniX> if you have multiple public ips, and you want it to listen on say jus two of the ips
16:02 < serzuz> redirect-gateway def1 breaks everything
16:02 < pekster> Then you listen on * as your IP and learn to use a firewall
16:03 < pekster> serzuz: What are you trying to do?
16:03 < pekster> !goal
16:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:03 < CygniX> OK, so there is no way then, thanks, that answers the question
16:03 < pekster> There never is. Read your documentation for bind(2) if you'd like to know why
16:03 < pekster> again: a firewall is what you use if you want that, or I suppose multiple VPN instances (that require their own unique networking)
16:04 < serzuz> I just want to ping or reach other clients and the vpnserver without tounching my default gateway which works with route-nopull but then i cant reach anything on the vpn
16:04 < CygniX> it depends on the software no?
16:04 < serzuz> i am just a newcomer so sorry
16:04 < CygniX> for example, i could listen on multiple ips with dovecot
16:05 < CygniX> but anyway, i will use iptable
16:05 < pekster> Then it's doing multiple bind(2) calls. OpenVPN does not do that. Firewall allow syou to.
16:05 < pekster> serzuz: I'd need to see configs from your server & client. See:
16:05 < pekster> !configs
16:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:05 < serzuz> yeah gimme a moment
16:07 < serzuz> Client: http://pastebin.com/75neKRM1
16:07 < serzuz> Using Ubuntu 14.04 wjth http://pastebin.com/75neKRM1
16:07 < serzuz> ups
16:08 < serzuz> OpenVPN 2.3.2 x86_64-pc-linux-gnu
16:08 < serzuz> and the server moment
16:09 < serzuz> Server: http://pastebin.com/wDMadYau
16:10 < serzuz> Using Wheezy and OpenVPN 2.2.1 i486-linux-gnu
16:10 < pekster> Ugh, grep to remove the comments, or wait for a break in the game I'm watching to do it myself
16:11 < serzuz> Server: http://pastebin.com/HhzKErgr again
16:11 < serzuz> without comments
16:12 < pekster> line 10. If you don't want to redirect your gateway, do not use that
16:12 < serzuz> yeah but some clients need that
16:12 < serzuz> thats why i used route-nopull
16:12 < pekster> You said you didn't want that
16:12 < serzuz> For my Servers i dont want it
16:12 < pekster> You could push it to some clients only by using a ccd
16:12 < pekster> !ccd
16:12 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
16:13 < serzuz> and when i dont push it it should work?
16:13 < serzuz> lemme try
16:13 < pekster> If you don't want to redirect on your clients, sure
16:13 < pekster> Also, use of the 'subnet' topology will "fix" your issue by letting you you --route-nopull since the VPN network is on-link
16:13 < pekster> !topology
16:13 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:13 < pekster> net30 is the default, but it's old and stupid, for 7-year-old support with Windows
16:15 < CygniX> so you can't use both udp and udp6  in the same server config?
16:15 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Quit: aub]
16:15 < pekster> Nope. OpenVPN will dual-stack inside the tunnel, but not on the outside
16:16 < CygniX> so it looks like i have to run multiple instances then
16:16 < serzuz> that breaks everything
16:17 < serzuz> same as overwriting the routes but no ethernet etc
16:17 < serzuz> dosent really helps
16:17 < pekster> OpenVPN won't "overwrite" any routes if you don't tell it to. Don't use --redirect-gateway if you don't want it to mess with your gateway
16:17 < pekster> That, or clarify "breaks everything" -- it didn't break my Internet connection
16:18 < pekster> Not sure if you really intend to be pushing DNS like that either
16:18 < pekster> Probably not useful if you're not also redirecting network traffic (might consider using googleDNS instead anyway)
16:19 < serzuz> nah
16:19 < serzuz> redirect-gateway blocks all ethernet traffic
16:19 < pekster> No, it doesn't
16:19 < serzuz> seems like openvpn still overwriting
16:19 < pekster> It adds two /1 routes as the manpage describes
16:19 < pekster> This is not "blocks all ethernet traffic" -- in fact in tun there is no Ethernet frame transmission at all to speak of
16:19 < pekster> !redirect
16:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:19 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:19 < pekster> If you're trying ot redirect, do that
16:20 < pekster> If not, do not use it. Rather simple
16:20 < pekster> You said you _just_ wanted access to the 10.8.0/24 LAN. No need for any redirect, or DNS, or other such nonsense for it
16:20 < pekster> If you want something else, you failed to explain it
16:20  * pekster shrugs
16:20 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
16:20 < CygniX> is there a wiki for multiple instances? I saw only this  http://openvpn.net/index.php/open-source/faq/79-client/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine.html
16:20 <@vpnHelper> Title: Can I run multiple OpenVPN tunnels on a single machine? (at openvpn.net)
16:21 < serzuz> i can't be so hard to run openvpn and the normal gateway
16:21 < serzuz> but everything dont works
16:23 < serzuz> that is depressing me
16:24 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
16:24 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has quit [Ping timeout: 245 seconds]
16:26 -!- Tykling [tykling@gibfest.dk] has quit [Excess Flood]
16:27 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
16:30 -!- linuxthefish_ is now known as linuxthefish
16:36 -!- Tykling [tykling@gibfest.dk] has quit [Excess Flood]
16:36 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has quit [Remote host closed the connection]
16:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:49 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
16:51 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
16:52 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
16:53 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has joined #openvpn
16:53 -!- Stargazers [stargazers@hilla.kapsi.fi] has left #openvpn []
16:56 < AngryNapkin> well I finally got it working. Turns out it was the newest version of openVPN causing the problem of not being able to ping any computer on the other side. Maybe not directly the newest version, probably had more configuring to do then whats listed in the basic how to's, but reverting back to 2.3.2 fixed what ever was going on.
16:59 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has joined #openvpn
16:59 < skd5aner> OK... I'm pretty sure I've got a routing issue...
17:00 < skd5aner> pekster: I went through your flowchart... I'm able to get to "can you ping the lan ip of the client" and that's where it fails
17:00 < skd5aner> I added the push route line, I've added the ccd...
17:07 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has quit [Ping timeout: 240 seconds]
17:10 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has joined #openvpn
17:11 < skd5aner> OK... so, that little test didn't work...
17:11 < skd5aner> !paste
17:11 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
17:16 < skd5aner> So, to recap, Client can ping everytihng, Client subnet IPs, Server Subnet IPs, and VPN subnet addresses... but Server can't ping anything on the client subnet (192.168.1.x)
17:16 < skd5aner> here's the routing table and details on subnets: http://pastebin.com/1skmuESW
17:18 < skd5aner> !ipforward
17:18 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:18 < skd5aner> !linipforward
17:18 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:23 -!- moviuro_ [~moviuro@ginfo.ext.ec-m.fr] has joined #openvpn
17:28 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
17:33 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
17:47 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
17:49 -!- moviuro_ is now known as moviuro
17:49 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!]
17:52 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
18:08 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has left #openvpn []
18:18 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
18:25 < CygniX> not sure where I am going wrong, or it is just the bug describe on the wiki. i have ipv6 setup, where I can connect to it, or connect via ipv4 and still get ipv6 on the client, but when tested on ipv6 site, it doesnt work
18:26 < CygniX> also, when I connect using kde network manager, i don't get ipv6 addresses
18:33 < CygniX> ok, it looks like the kde knetwork manager opvnvpn module does not have ipv6 support
18:35 < pekster> skd5aner: Sounds like firewall issues or lack of IP forwarding
18:36 < pekster> Or you're not doing this from the VPN server and forgot to add a LAN-gateway route for the network
18:36 < pekster> Or you forgot the --iroute entry
18:46 < CygniX> so what do i need to check? I no that ipv6 is being assigned to the client, but client can't access ipv6 sites or ping ipv6 addresses
18:46 < CygniX> s/no/know
18:48 < skd5aner> pekster: is there any output on the server or client side I can provide that would help diagnose further?
18:49 < pekster> CygniX: You're the one with the really silly /65, right? How are you getting _that_ routed to that host?
18:49 < CygniX> no
18:49 < CygniX> http://paste.debian.net/119664/
18:50 < CygniX> i just change my actual public ip on that
18:50 < CygniX> let me paste the config
18:53 < skd5aner> pekster: fyi, the server is a ddwrt router (so linux) and the client is a merlin asus router (linux as well)...
18:56 < pekster> tcpdump the egress on the server's tun device. If you see traffic leave there, firewall and routing server-side is likely fine and you have a firewall or routing problem client-side
18:58 < CygniX> pekster: http://paste.debian.net/119669/
18:59 < pekster> CygniX: The v6 network on line 27, how are you getting that assigned? Is it part of a larger block routed to this system?
19:00 < CygniX> pekster: the vps has a /64 subnet block
19:00 < pekster> This is in _addition_ to the on-link network, yes?
19:00 < pekster> ie: this is a 2nd network you are assigned that you get by a routed allocation?
19:00 < pekster> Also, openDNS sucks. Don't sue them
19:00 < pekster> use*
19:00 < pekster> !opendns
19:01 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
19:01 < CygniX> this is my interface config http://paste.debian.net/119670/
19:01 -!- linuxthefish [~linuxthef@unaffiliated/edmundf] has quit [Quit: Leaving]
19:02 < pekster> CygniX: You can't use the on-link network fo rthe VPN. You need to ask for a properly routed allocation
19:02 < pekster> RFC6177 should make this easy to obtain. If not, your network provider is clueless and you'd be best to find one that isn't ignorant of how IPv6 works
19:02 < pekster> Sadly, lots of VPS places are in fact clueless
19:02 < CygniX> i am as cluelses to be honest :P
19:02 < pekster> The network you use for OpenVPN can _not_ be in-use on another adapter
19:03 < CygniX> so onlink meaning it first has to be configured on the network before it can be used?
19:03 < pekster> That entire /64 is already used; you need another network for the VPN
19:03 < pekster> No
19:03 < pekster> It needs to be _routed_ to you
19:03 < pekster> ie: the network upstream of you must route a network for you use to your host
19:03 < CygniX> the /64 is rounted to me
19:03 < CygniX> it is not used
19:03 < pekster> No, it's on-link
19:03 < pekster> Line 2 of your interface config
19:03 < Hello71> could be broken config
19:03 < CygniX> 2605:6400:20:4f80::/64 is mine
19:03 < pekster> Right
19:04 < pekster> What's the network you are routed then?
19:04 < pekster> That's on-link
19:04 < skd5aner> pekster: this command on the server seems to have fixed it: route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.50.1
19:04 < pekster> ie: unusable to a VPN
19:04  * pekster really hates how no one does routing properly and act all surprised when IPv6 requires real routing
19:04 < pekster> Stupid fucking VPSes
19:04 < pekster> They're all run by idiots
19:05 < pekster> Go ask for a routed block
19:05 < pekster> Also, how the hellis your gateway off-link like that?
19:05 < pekster> CygniX: Pastebin `ip a` please
19:05 < pekster> Oh, ffs
19:06 < pekster> a /48 on-link?
19:06 < pekster> Your VPS is retarted
19:06 < Hello71> i'm going to go for "broken config" over "broken provider"
19:06 < Hello71> not that the latter is rare
19:06 < pekster> No
19:06 < pekster> They're putting a /48 on-link. Braindead idiots do that
19:06 < CygniX> i beleive the vps provided has a /48 block and form that is assigning /64 blocks
19:06 < pekster> No
19:06 < pekster> That /48 is on-link. Your VPS is retarted
19:07 < pekster> Find one that isn't mentally challanged and has a clue about routing
19:07 < Hello71> pekster: if nobody tests local routing then nobody will be able to tell it's not actually on-link
19:07 < pekster> No, the way the gateway is setup is a dead giveaway that the network config is stupidly wrong
19:07 < pekster> There is ZERO reason to use more than a /64 on-link. Or do you mean to tell me that you actually need 19342813113834066795298816 hosts on a single broadcast domain?
19:08 < pekster> Routing. Tastes great, less filling.
19:08 < pekster> You either need to do stupid things like NDP Proxying, or bridge a VPN to your stupidly large on-link network
19:08 < pekster> Both are horrible choices
19:09 < CygniX> pekster: http://paste.debian.net/119671/
19:09 < pekster> Find a provider that isn't clueless would be your better option. Or ask them to do the right thing by assigning you a /64 on-link and routing you a sane block for your use with VPNs, like a /56 (though you really only need a single /64 for that)
19:09 < pekster> Right, line 11. The *ENTIRE* /48 is already used up
19:09 < pekster> You cannot use anything in it for routing on your VPN becuase your VPS is stupid.
19:09 < CygniX> ignore the ipv4 line, i failed at changing it
19:09 < pekster> Find a provider that doesn't fail at basic networking skills
19:10 < skd5aner> I have to admit, trying to get OpenVPN has truly reminded me how little practiced I am when it comes to my networking skills
19:10 < pekster> Sadly, people who sell hosted servers (virtual or not) ought to know better. From what I've seen here and in #ipv6, many of them are just as clueless, but happy to take your money
19:11 < CygniX> pekster: according to  my vps,  'Dedicated IPv6 Subnet 2605:6400:0020:4f80:0000:0000:0000:0000/64 '
19:11 < pekster> CygniX: What you need to do this properly is 1) a sane allocation on-link, no larger than a single /64. 2) you need a block routed to you for use with OpenVPN. It could be a /48 (from which you assign a single /64 of that to the VPN) but could just as easily be any smaller size too, such as a /56 or even a single /64
19:12 < pekster> No, it's not. Not with the gateway set like that
19:12 < pekster> The gateway you're using is off that /64 network
19:13 < pekster> If it works and you can `ping6 2600::` then they are most certainly using a /48 on-link, which is evidence of brain damage
19:13 < CygniX> this is the gateway 2605:6400:0020:0000:0000:0000:0000:0001
19:13 < pekster> Yes, i Know
19:13 < pekster> THAT'S OFF YOUR FUCKING NETWORK
19:14 < pekster> But it's not actually a /64
19:14 < pekster> It's a /48, becuase your ISP is stupid. Find one that isn't, or ask them for a routed IP block that's otuside the /48. They'll likely refuse because they'll claim you "have an entire /48", which is only true if you're willing to use it in the same broadcast domain
19:14 < pekster> You don't want that, and I'm not going to help you work around such retarted network design
19:15 < pekster> Stop giving these idiots money. If people stop, the morons will start doing it right
19:15 < CygniX> well, maybe someone else is willing to help :P
19:15 < CygniX> i have a year left on the vps
19:16  * pekster adds FranTech Solutions to the list of companies with no knowledge of basic routing fundamentals
19:18 < skd5aner> pekster: thanks for your assistance and leads earlier...
19:19 < skd5aner> pekster: It's working for me now... your flowchart was a pretty nice tool
19:19 < pekster> Not mine, I just mirror it
19:19 < skd5aner> :)
19:19 < pekster> But yes, it's generally useful to identify where the break-down occurs
19:27 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
19:36 < CygniX> i have /64 from he.net, maybe i can use that
19:37 < CygniX> pekster: will that work?
19:41 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
19:46 < fzombie> Anyone know how to nat ip6? Might be possible?
19:47 < CygniX> it's possible apparently, but those who know wont talk or share :P
19:48 < fzombie> learning ip6 is like learning a new language that randomly kicks you in the balls
19:51 -!- lachesis_ is now known as lachesis
20:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:35 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
20:37 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
20:51 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Quit: aub]
20:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
20:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:56 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
20:58 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:01 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
21:02 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:04 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
21:06 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:15 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
21:16 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:17 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
21:18 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:19 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
21:20 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:30 -!- PersonX [~Px12@117.199.165.213] has joined #openvpn
21:30 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
21:31 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:32 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Remote host closed the connection]
21:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:38 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
21:39 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:40 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
21:42 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
21:42 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has joined #openvpn
21:44 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:44 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Remote host closed the connection]
21:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:47 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Client Quit]
21:48 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:53 -!- PersonX [~Px12@117.199.165.213] has quit [Ping timeout: 272 seconds]
21:54 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
21:58 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
21:59 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:00 -!- mode/#openvpn [+o krzee] by ChanServ
22:00 <@krzee> fzombie, it is possible, but this isnt especially the place for it
22:00 <@krzee> not to say you'll get booted for asking, but you'll have better luck asking in a channel that has something to do with that
22:00 <@krzee> like #netfilter if you're in linux
22:01 < fzombie> Well when I find a way to do it I aim to make the documentation public for the specific purpose of helping challenged openvpn users.
22:01 < fzombie> just too busy to fiddle with it right now
22:03 <@krzee> the wiki page in !ipv6 would be a good place for it =]
22:03 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit []
22:04 <@krzee> thats the great thing about opensource! i dont know much about ipv6 but i added the small section on tipv6 ransport after helping a user find how to do it… you'll add part about ipv6 NAT… everybody adds what they can and in the end its a great page for users!
22:05 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
22:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:58 < CygniX> krzee: so "we" figured the reason i was getting assigned ipv6 and yet could not reach the web with it was because my /64 is not a true route, but embedded in a /48 that i have no control over
22:58 < CygniX> something like that
22:58 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
22:58 <@krzee> ahh
22:59 < CygniX> though I tried my he.net tunneled ipv6 and had not luck
23:43 -!- ShadniX [dagger@p5481C721.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:45 -!- ShadniX [dagger@p5481D8DD.dip0.t-ipconnect.de] has joined #openvpn
23:51 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has quit [Excess Flood]
--- Day changed Sun Sep 07 2014
00:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:36 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
01:10 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
01:18 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
01:56 -!- juztin__ [~juztin_@172.56.31.56] has joined #openvpn
01:59 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 252 seconds]
02:06 -!- juztin__ [~juztin_@172.56.31.56] has quit [Remote host closed the connection]
02:07 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
02:11 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 255 seconds]
02:26 -!- PersonX [~Px12@117.220.82.228] has joined #openvpn
02:27 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
02:41 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
02:50 -!- PersonX [~Px12@117.220.82.228] has quit [Ping timeout: 272 seconds]
02:51 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
02:53 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
02:56 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
03:02 -!- juztin__ [~juztin_@172.56.31.56] has joined #openvpn
03:04 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
03:04 -!- juztin__ [~juztin_@172.56.31.56] has quit [Remote host closed the connection]
03:06 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
03:07 -!- PersonX [~Px12@117.207.133.18] has joined #openvpn
03:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
03:23 -!- PersonX [~Px12@117.207.133.18] has quit [Ping timeout: 245 seconds]
03:24 -!- juztin__ [~juztin_@172.56.31.56] has joined #openvpn
03:25 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
03:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:37 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
03:39 -!- juztin__ [~juztin_@172.56.31.56] has quit [Remote host closed the connection]
03:40 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
03:41 -!- juztin__ [~juztin_@172.56.31.56] has joined #openvpn
03:42 -!- juztin__ [~juztin_@172.56.31.56] has quit [Remote host closed the connection]
03:42 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
03:43 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
03:46 -!- juztin__ [~juztin_@172.56.31.56] has joined #openvpn
03:49 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
04:21 -!- PersonX [~Px12@117.199.171.10] has quit [Remote host closed the connection]
04:23 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
04:24 -!- PersonX [~Px12@117.199.171.10] has quit [Max SendQ exceeded]
04:27 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
04:37 -!- juztin__ [~juztin_@172.56.31.56] has quit [Ping timeout: 260 seconds]
04:39 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
04:41 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
04:41 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
04:42 -!- PersonX [~Px12@117.199.171.10] has quit [Max SendQ exceeded]
04:42 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
04:49 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
04:49 -!- PersonX [~Px12@117.199.171.10] has quit [Max SendQ exceeded]
04:53 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
05:01 -!- tekk [~me@93.93.135.50] has joined #openvpn
05:01 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has quit []
05:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:04 -!- ago [~ago@gentoo/developer/ago] has joined #openvpn
05:04 < ago> Hello folks
05:05 < ago> during the review of the easy-rsa default config, I made there changes: http://bpaste.net/show/aba5635787b5
05:05 < ago> The first change, deleted the deprecated sha1.
05:06 < ago> The second change use the value of KEY_SIZE instead of a static 1024.
05:06 < ago> and the third is optional.
05:07 < ago> Do you guess is fine add them upstream?
05:09 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
05:11 < ago> mattock_afk: ^
05:28 -!- clyons [~kvirc@host86-157-14-125.range86-157.btcentralplus.com] has joined #openvpn
06:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:04 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
06:09 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
06:11 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
06:16 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
06:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
06:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
06:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:45 -!- zeroNones [~textual@187.204.152.240] has joined #openvpn
06:51 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Quit: aub]
07:07 -!- stephan48 [stephan@opennic/stephan] has left #openvpn []
07:33 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Read error: Connection reset by peer]
07:35 -!- shio [marmot@30.65.73.86.rev.sfr.net] has joined #openvpn
07:42 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:42 -!- mode/#openvpn [+v s7r] by ChanServ
08:06 -!- serzuz [~serzuz@2a03:ca81:1200:4:1234:1234:3fb2:b79] has quit [Ping timeout: 272 seconds]
08:10 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
08:14 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Client Quit]
08:30 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
08:30 < wallbroken> hi
08:30 < wallbroken> do you know if openvpn is detectable by a packet inspector? or simply is plain ssl ?
08:49 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
09:15 -!- clyons|2 [~kvirc@host81-152-140-32.range81-152.btcentralplus.com] has joined #openvpn
09:19 -!- clyons [~kvirc@host86-157-14-125.range86-157.btcentralplus.com] has quit [Ping timeout: 276 seconds]
09:20 -!- zeroNones [~textual@187.204.152.240] has quit [Read error: Connection reset by peer]
09:44 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:48 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:52 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Remote host closed the connection]
09:53 -!- clyons [~kvirc@host86-157-14-49.range86-157.btcentralplus.com] has joined #openvpn
09:53 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:55 -!- clyons|2 [~kvirc@host81-152-140-32.range81-152.btcentralplus.com] has quit [Ping timeout: 276 seconds]
09:57 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 268 seconds]
09:58 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:03 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
10:11 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
10:13 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
10:13 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Remote host closed the connection]
10:21 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:28 -!- PersonX [~Px12@117.199.171.10] has quit [Remote host closed the connection]
10:36 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
10:38 < alexxtasi> hi all!! is there a guide on creating a windows installer with nsis for the latest openvpn version and also my settings file (inside \config folder) ?
10:38 < alexxtasi> I found this (http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html) but is for a former openvpn release.... How can I use the latest (2.3.4 I think...) ?
10:38 <@vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
10:40 -!- Synced [Valcorb@unaffiliated/synced] has joined #openvpn
10:40 < alexxtasi> !goal
10:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:40 < alexxtasi> !installer
10:41 < alexxtasi> !windows
10:41 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows. or (#2) http://secure-computing.net/files/windows.jpg for funny or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
10:41 < alexxtasi> xaxaxa
10:42 < alexxtasi> !nsis
10:42 < alexxtasi> !package
10:42 -!- nath_schwarz [~nath_schw@2605:6400:1:fed5:22:d508:7193:e73f] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
10:44 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:46 -!- Synced [Valcorb@unaffiliated/synced] has quit [Quit: ZNC - http://znc.in]
10:48 < alexxtasi> I see that having the latest openvpn.exe and latest openvpn-gui.exe I can make again the windows installer using nsis (as I see in the link above)
10:49 -!- Synced [Valcorb@unaffiliated/synced] has joined #openvpn
10:49 < alexxtasi> ...but where can I find them ? I can only download the installer from the openvpn.net site ?
10:49 < alexxtasi> ....should I built openvpn from code in order to do so ?
10:52 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
10:52 < CygniX> wallbroken:  it is detected
10:53 < CygniX> and can be blocked using deep packet inspection
10:54 < CygniX> there are ways to overcome it where the traffic could look as just ssl
10:55 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
10:56 < wallbroken> CygniX, how?
10:57 < CygniX> http://lowendtalk.com/discussion/21539/tutorial-build-your-ultimate-scrambled-vpn
10:57 <@vpnHelper> Title: [Tutorial] Build Your Ultimate Scrambled VPN - LowEndTalk (at lowendtalk.com)
10:57 < CygniX> it does require port 443
10:58 < CygniX> apparently, none of my vps have properly configure ipv6 subnetting, no static assigment
10:59 < wallbroken> CygniX, i have my already configured openvpn network
11:00 < wallbroken> i need to change configuration?
11:00 < CygniX> you have to following the instructions there
11:00 < wallbroken> instructions shows new configurations
11:00 < CygniX> I don't need it and never tried it, but you could read the comments there, it works
11:01 < CygniX> yea, it requires a modified version of openvpn
11:01 < wallbroken> need to ask to an OP, i need details on it
11:01 < wallbroken> maybe an http proxy could solve the problem
11:02 < CygniX> openvpn needs to be patched for it to support scrambling the connection
11:03 -!- PersonX [~Px12@117.199.171.10] has quit [Remote host closed the connection]
11:04 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has joined #openvpn
11:06 -!- PersonX [~Px12@117.199.171.10] has joined #openvpn
11:06 -!- PersonX [~Px12@117.199.171.10] has quit [Max SendQ exceeded]
11:10 -!- PersonX [~Px12@117.199.172.11] has joined #openvpn
11:10 -!- PersonX [~Px12@117.199.172.11] has quit [Max SendQ exceeded]
11:14 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
11:22 -!- PersonX [~Px12@117.199.172.11] has joined #openvpn
11:23 -!- PersonX [~Px12@117.199.172.11] has quit [Max SendQ exceeded]
11:24 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 240 seconds]
11:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
11:29 -!- PersonX [~Px12@117.199.172.11] has joined #openvpn
11:30 -!- PersonX [~Px12@117.199.172.11] has quit [Read error: Connection reset by peer]
11:33 -!- PersonX [~Px12@117.199.164.82] has joined #openvpn
11:33 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
11:38 -!- PersonX [~Px12@117.199.164.82] has quit [Remote host closed the connection]
11:40 -!- juztin__ [~juztin_@172.56.31.188] has joined #openvpn
11:43 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 240 seconds]
11:45 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
11:45 -!- juztin__ [~juztin_@172.56.31.188] has quit [Ping timeout: 264 seconds]
11:46 -!- PersonX [~Px12@117.199.164.82] has joined #openvpn
11:46 -!- PersonX [~Px12@117.199.164.82] has quit [Max SendQ exceeded]
11:49 -!- PersonX [~Px12@117.199.164.82] has joined #openvpn
11:50 -!- PersonX [~Px12@117.199.164.82] has quit [Max SendQ exceeded]
11:52 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:53 -!- PersonX [~Px12@117.199.164.82] has joined #openvpn
11:53 -!- PersonX [~Px12@117.199.164.82] has quit [Max SendQ exceeded]
11:56 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:58 -!- juztin__ [~juztin_@172.56.31.188] has joined #openvpn
11:59 -!- troyt_ [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Quit: AAAGH!  IT BURNS!]
12:00 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
12:01 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 268 seconds]
12:04 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
12:06 < pekster> ago: Already fixed in the latest 2.x series. The v3 series fixes lots of other stupidity in v2 as well, like "requiring" the Country/Locality/Organization/Organizational Unit nonsense
12:07 < pekster> nsCertType has also been deprecated ;) (but still available for use, if someone "can't" switch to the new standardized TLS keyUsage flags)
12:12 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 276 seconds]
12:12 -!- juztin__ [~juztin_@172.56.31.188] has quit [Ping timeout: 260 seconds]
12:14 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
12:18 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 245 seconds]
12:21 -!- PersonX [~Px12@117.199.164.82] has joined #openvpn
12:22 -!- PersonX [~Px12@117.199.164.82] has quit [Read error: Connection reset by peer]
12:23 < wallbroken> pekster, hi, do you know something about my problem?
12:23 < wallbroken> i should forward openvpn over a gateway that does packet inspection
12:24 < wallbroken> this firewall allows CONNECT method to make https pages work. so should i use this opportunity? maybe with an http proxy
12:25 < wallbroken> but openvpn data should look like a ssl traffic
12:26 -!- PersonX [~Px12@117.199.161.164] has joined #openvpn
12:28 < pekster> It's TLS-secured, but it's *NOT* HTTPS traffic
12:28 < pekster> It's very clearly still OpenVPN traffic. If you need to pretend it isn't, see:
12:28 < pekster> !obfs
12:28 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used.
12:28 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
12:29 < wallbroken> pekster, "https traffic" doesn't exist in a packet sniffer point of view. but SSL does. so: can I incapsulate openvpn traffic in an ssl tunnel over the http proxy?
12:30 < wallbroken> tor is not a good idea at this time
12:31 < pekster> Sure https does. wireshark is happy to tell me whawt is https
12:32 < pekster> OpenVPN can use a SOCKS proxy, but beyond that you need to use some obfuscation technique if you're behind an abusive firewall
12:33 < pekster> Either statickey shown to you above, or obfs or similar
12:33 < wallbroken> wireshark tell https only why is using 443 port, that is a https pourpose port
12:33 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has quit [Quit: Leaving]
12:33 < pekster> Right, but openvpn is not vainlla TLS; it's a multi-plexed protocol that has a known header format
12:34 < pekster> The control and data channels are multiplexed together, so it's quite identifiable in TLS mode as OpenVPN
12:34 < pekster> vanilla*
12:35 < wallbroken> yes i know, infact i used sslh to multiplex various protocol into the same port
12:35 < wallbroken> do you know it?
12:35 < wallbroken> http://www.rutschle.net/tech/sslh.shtml
12:35 <@vpnHelper> Title: ssl/ssh multiplexer (at www.rutschle.net)
12:35 < wallbroken> it's able to recognize openvpn protocol as well
12:37 < wallbroken> !forwardsecurity
12:37 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
12:38 < wallbroken> if i'm not wrong, many time ago you disapproved using static key because is dangerous
12:38 -!- PersonX [~Px12@117.199.161.164] has quit [Ping timeout: 264 seconds]
12:46 < pekster> It's a trade-off
12:46 < pekster> It's less secure, but not fingerprintable as-such
12:48 < wallbroken> and there is not a way to create an external ssl tunnel where to forward openvpn traffic? it should be more good
12:49 < pekster> NFI what "ssl tunnel" is. OpenVPN uses its own form of TLS that is 100% identifyable when you're using a TLS (server/client) operating mode
12:50 < pekster> If this is a problem for you, either use statickey or wrap the openvpn traffic in an obfuscation layer. You have no other options with Openvpn.
12:58 -!- juztin_ [~juztin_@67.186.216.8] has joined #openvpn
12:58 < ago> pekster: great!
13:00 -!- Denial [~Denial@host86-132-52-56.range86-132.btcentralplus.com] has joined #openvpn
13:12 -!- PersonX [~Px12@117.199.164.242] has joined #openvpn
13:17 -!- PersonX [~Px12@117.199.164.242] has quit [Ping timeout: 272 seconds]
13:18 -!- juztin_ [~juztin_@67.186.216.8] has quit [Remote host closed the connection]
13:22 -!- PersonX [~Px12@117.199.161.228] has joined #openvpn
13:30 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
13:37 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has joined #openvpn
13:45 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:46 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:52 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
13:53 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has joined #openvpn
13:59 -!- Sicelo [Sicelo@unaffiliated/sicelo] has left #openvpn []
13:59 -!- PersonX [~Px12@117.199.161.228] has quit [Ping timeout: 272 seconds]
14:10 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
14:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
14:12 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
14:15 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has joined #openvpn
14:29 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
14:33 -!- PersonX [~Px12@117.199.164.155] has joined #openvpn
14:35 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
14:40 -!- aub [~aubrey@cpe-98-14-102-62.nyc.res.rr.com] has quit [Quit: aub]
14:44 -!- PersonX [~Px12@117.199.164.155] has quit [Remote host closed the connection]
14:49 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: No route to host]
14:49 -!- mgorbach_ [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
14:50 -!- mgorbach_ is now known as mgorbach
15:22 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
15:37 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has joined #openvpn
15:44 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:07 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
16:15 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
16:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
16:15 -!- ryn`_ [~ryn@1-163-181-46.dynamic.hinet.net] has quit [Read error: Connection reset by peer]
16:16 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
16:16 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 256 seconds]
16:19 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
16:20 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 250 seconds]
16:20 -!- ryn` [~ryn@1-161-224-62.dynamic.hinet.net] has joined #openvpn
16:23 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Quit: haasn]
16:25 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 245 seconds]
16:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:27 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has joined #openvpn
16:36 -!- haasn [~haasn@2a01:4f8:d13:5245::2] has quit [Ping timeout: 260 seconds]
16:37 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
16:40 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
16:43 -!- abbe [having@badti.me] has quit [Read error: Connection reset by peer]
16:44 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
16:44 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:44 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 245 seconds]
16:46 -!- iokill [~dave@pippin.sigma-star.at] has quit [Ping timeout: 240 seconds]
16:46 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 268 seconds]
16:47 -!- doebi [~doebi@doebi.at] has joined #openvpn
16:50 -!- abbe_ [~abbe@badti.me] has joined #openvpn
16:51 -!- wirehack7 [~wirehack7@unaffiliated/wirehack7] has joined #openvpn
16:51 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
16:56 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 245 seconds]
17:11 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
17:16 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
17:25 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
17:33 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Quit: Leaving.]
17:36 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
17:41 -!- emul16 [~bf3@37.203.209.18] has joined #openvpn
17:41 < emul16> is x509-username-field available in openvpn 2.3.4 ?
18:00 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 268 seconds]
18:26 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
18:36 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has joined #openvpn
19:14 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 240 seconds]
19:16 -!- catsup [~d@iad1-vshost12.dreamhost.com] has joined #openvpn
19:24 -!- emul16 [~bf3@37.203.209.18] has quit [Quit: leaving]
19:42 -!- cirkit [dethwish@peanut-butter.net] has joined #openvpn
19:45 -!- abbe_ is now known as abbe
20:04 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:25 -!- nath_schwarz [~nath_schw@p54A303CE.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
21:25 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 240 seconds]
21:31 -!- Denial [~Denial@host86-132-52-56.range86-132.btcentralplus.com] has quit [Ping timeout: 268 seconds]
21:32 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 272 seconds]
21:34 -!- u0m3 [~u0m3@92.80.68.194] has joined #openvpn
21:34 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has joined #openvpn
21:34 -!- Synced [Valcorb@unaffiliated/synced] has quit [Ping timeout: 260 seconds]
21:35 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
21:36 -!- u0m3_ [~u0m3@92.80.102.69] has quit [Ping timeout: 245 seconds]
22:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:23 -!- dli [~dli@162.221.125.219] has joined #openvpn
22:24 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
22:26 < dli> what's the way to route all traffic for specify client? can I push "redirect-gateway def1" in a ccd folder?
22:39 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
22:42 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
22:55 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 245 seconds]
23:03 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
23:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
23:20 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
23:23 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn
23:24 -!- arescorpio [~arescorpi@193-205-17-190.fibertel.com.ar] has quit [Excess Flood]
23:33 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
23:36 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
23:36 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
23:40 -!- dli [~dli@162.221.125.219] has quit [Ping timeout: 260 seconds]
23:41 -!- ShadniX [dagger@p5481D8DD.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:42 -!- ShadniX [dagger@p579418E2.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Sep 08 2014
01:15 -!- mattock_afk is now known as mattock
01:26 -!- juztin__ [~juztin_@172.56.31.71] has joined #openvpn
01:30 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 268 seconds]
01:30 -!- juztin__ [~juztin_@172.56.31.71] has quit [Read error: Connection reset by peer]
01:30 -!- juztin___ [~juztin_@172.56.31.71] has joined #openvpn
01:31 -!- juztin___ [~juztin_@172.56.31.71] has quit [Remote host closed the connection]
01:31 -!- clyons [~kvirc@host86-157-14-49.range86-157.btcentralplus.com] has quit [Ping timeout: 276 seconds]
01:32 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
01:39 -!- juztin__ [~juztin_@172.56.31.71] has joined #openvpn
01:42 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
01:43 -!- juztin__ [~juztin_@172.56.31.71] has quit [Ping timeout: 260 seconds]
01:46 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
02:00 -!- Px12 [~Px12@117.220.82.37] has joined #openvpn
02:01 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
02:15 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 240 seconds]
02:15 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
02:16 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
02:16 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
02:21 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:37 -!- Px12 [~Px12@117.220.82.37] has quit [Ping timeout: 260 seconds]
02:38 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
02:41 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
02:51 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
02:52 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
02:57 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
03:00 -!- Px12 [~Px12@117.220.80.13] has joined #openvpn
03:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:07 < cirkit> hey all .. whenever you get a chance, can you please take a look at this and advise? The topic is probably right about a firewall, but hoping to get some input: https://forum.linode.com/viewtopic.php?f=19&t=11289
03:07 <@vpnHelper> Title: Linode Forum :: View topic - OpenVPN: Unable to reach internal services outside firewall (at forum.linode.com)
03:20 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 276 seconds]
03:21 -!- jeraldv [~jerald@fsf/member/jeraldv] has quit [Quit: Lost terminal]
03:25 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
03:35 < fzombie> cirkit, what type of server do you have?
03:37 < fzombie> it doesnt even say if its a kvm or openvz or other
03:50 < kareem-ali> cirkit can you  ping internal servers?
03:51 < kareem-ali> sorry just read on ur post that you can ping
03:52 < kareem-ali> the issue is assymetric routing
03:53 < kareem-ali> I think your firewall is the gateway for internal servers
03:53 < kareem-ali> so TCP won't work between your internal network and OVPN clients
03:53 < kareem-ali> but icmp and udp will word
03:53 < kareem-ali> work*
03:53 < kareem-ali> simply because your firewall can't see original SYN packet and it sends a tcp-rst most likely back
03:54 < kareem-ali> the solution is to have a static route on internal servers pointing to VPN network via the ovpn server
03:54 -!- mattock is now known as mattock_afk
03:58 < kareem-ali> or if you have a layer-3 switch that can sit before your firewall and become your gateway for internal sever that will solve it too
03:59 < kareem-ali> or disable tcp-bit-check on your firewall globally, and enable it per policy, but that  is not a good solution
04:00 -!- larryone [~larryone@185.32.152.150] has joined #openvpn
04:00 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
04:03 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
04:05 -!- Px12 [~Px12@117.220.80.13] has quit [Ping timeout: 245 seconds]
04:05 < cirkit> fzombie: it's an Arch VPS [Xen]
04:05 < cirkit> yes pinging the servers is ok
04:05 < cirkit> internal that is
04:07 < cirkit> before switching OVPN to TCP -- it was originally using UDP/1194 with identical behavior
04:09 -!- Px12 [~Px12@59.89.48.32] has joined #openvpn
04:09 < cirkit> yeah, that makes sense about the SYN packet not getting seen resulting in TCP-RST response
04:38 < cirkit> added `push "route  10.8.0.0 255.255.255.0"` to server.conf, restarted -- something still blocking
04:38 < cirkit> will try switching the server/client config to UDP/1194 instead of TCP..
04:39 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 252 seconds]
04:42 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
04:57 < kareem-ali> you need a static route on your internal servers, not to be pushed to your clients
04:57 -!- Megaf_ is now known as Megaf
04:57 < kareem-ali> internal servers local to your ovpn server
04:58 < kareem-ali> the static route from your internal servers to your ovpn network via your ovpn server
05:01 -!- larryone [~larryone@185.32.152.150] has quit [Quit: This computer has gone to sleep]
05:05 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 252 seconds]
05:43 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 240 seconds]
05:50 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
06:24 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
06:27 -!- keaza [~Keaza@2001:41d0:a:381c::1] has joined #openvpn
06:28 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has joined #openvpn
06:30 < keaza> Hi im having a issue, i think its a routing issue, i can connect to the openvpn server but the traffic from my computer doesnt get passed through it? i know this as my ip doesnt change like its ment to... When i first set the server up it worked perfectly, and no it wont do it.
06:34 < keaza> im apprently connected to it now, But no diffrence same IP same everything
06:48 -!- MaddinXx [~racksteri@zux221-226-214.adsl.green.ch] has joined #openvpn
06:55 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:57 -!- ryn` [~ryn@1-161-224-62.dynamic.hinet.net] has quit [Remote host closed the connection]
06:58 -!- MaddinXx_ [~racksteri@2a01:2a8:8104:3401:c422:20ab:a8a2:8f63] has joined #openvpn
06:58 -!- MaddinXx_ [~racksteri@2a01:2a8:8104:3401:c422:20ab:a8a2:8f63] has quit [Client Quit]
07:00 -!- MaddinXx [~racksteri@zux221-226-214.adsl.green.ch] has quit [Ping timeout: 246 seconds]
07:13 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
07:24 -!- u0m3_ [~u0m3@92.80.68.194] has joined #openvpn
07:27 -!- mattock_afk is now known as mattock
07:28 -!- u0m3 [~u0m3@92.80.68.194] has quit [Ping timeout: 252 seconds]
07:29 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
07:32 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
07:53 -!- Megaf is now known as Megaf|Away
07:59 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 245 seconds]
08:21 -!- sroy [~sroy@secure.innobec.com] has joined #openvpn
08:25 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has quit [Ping timeout: 252 seconds]
08:36 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has joined #openvpn
08:37 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has left #openvpn []
08:39 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
09:00 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
09:06 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 260 seconds]
09:06 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
09:07 -!- Megaf|Away [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
09:09 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
09:16 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:20 -!- zeroNones [~textual@189.182.21.36] has joined #openvpn
09:23 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
09:23 -!- Px12 [~Px12@59.89.48.32] has quit [Ping timeout: 245 seconds]
09:26 -!- Px12 [~Px12@117.207.135.66] has joined #openvpn
09:26 -!- Px12 [~Px12@117.207.135.66] has quit [Max SendQ exceeded]
09:30 -!- Px12 [~Px12@117.207.129.48] has joined #openvpn
09:35 -!- Px12 [~Px12@117.207.129.48] has quit [Ping timeout: 240 seconds]
09:37 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
09:37 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
09:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:53 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:56 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Remote host closed the connection]
09:57 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
10:01 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
10:03 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
10:08 < vixus> keaza: what OS?
10:09 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Read error: Connection reset by peer]
10:17 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
10:22 < cirkit> to add a static route from my server to the OpenVPN network so that clients can access internal services (i.e httpd(s), sshd) - would setting up a static file accomplish this?  http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
10:22 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
10:22 <@krzee> cirkit, those internal services on the machine that runs openvpn or its lan?
10:23 < cirkit> krzee: on the machine that runs openvpn
10:25 < cirkit> i basically have a VPS running ovpn and a couple clients on a different WAN
10:25 < cirkit> the clients can connect just fine, but unable to reach services on port 22, 80, 443 and others
10:26 < kareem-ali> those are all TCP
10:26 < cirkit> default iptables policy is DROP
10:26 < kareem-ali> did you add static routes on your network to point to your ovpn network via the ovpn server ?
10:27 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Ping timeout: 252 seconds]
10:27 < cirkit> kareem-ali: so on the server i added 'route 10.8.0.2 255.255.255.0' and client 'route 66.175.xxx.0 255.255.255.0'
10:28 < cirkit> i should probably now switch from udp to tcp
10:28 < kareem-ali> for instance, your internal web server is on 192.168.1.80, your ovpn server is on 192.168.1.100, and you have an ovpn client on 10.8.0.200
10:28 < vixus> i can access services on the machine running the ovpn server on any port by default.
10:28 < kareem-ali> the static route would be on your web server, to be like:
10:28 < kareem-ali> ip route add 10.8.0.0/24 via 192.168.1.100
10:29 < kareem-ali> this way the web server knows that network 10.8.0.0/24 is sitting behind your ovpn server, which is on 192.168.1.100
10:29 < kareem-ali> so it won't use the firewall to reply to it, and no tcp gets blocked
10:33 < cirkit> kareem-ali: the server has a static IP in the 66.175.x.0 range which httpd and ovpn reside on the same, so then this should also work -- ip route add 10.8.0.0/24 via 66.175.x.120
10:33 < cirkit> should this still be fine?
10:34 < kareem-ali> that static route will need to be added on the internal servers yes
10:36 < cirkit> oh...evidently this route is already present - RTNETLINK answers: File exists
10:36 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
10:37 < cirkit> vixus: and you didn't need to create new routes?
10:39 < kareem-ali> do a 'route -n' see what else has it
10:41 < cirkit> this is the current table - http://codepad.org/d3FVQJBH
10:41 <@vpnHelper> Title: Plain Text code - 7 lines - codepad (at codepad.org)
10:43 < cirkit> from my home network i can access services behind the remote server's firewall with and without OpenVPN, but not from any external source that is not my own home network
10:44 < cirkit> from work, can connect OpenVPN, but no services behind the firewall
10:44 < cirkit> default FORWARD policy = ACCEPT
10:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
10:49 <@krzee> cirkit,
10:49 <@krzee> cirkit> krzee: on the machine that runs openvpn
10:49 <@krzee> you dont need any special routes then, just access the daemon on the VPN ip and you're done.
10:49 < kareem-ali> your internal server is also a VPN client ?
10:50 < cirkit> internal server is only serving .. the clients are on a completely different WAN
10:51 -!- zeroNones [~textual@189.182.21.36] has quit [Ping timeout: 260 seconds]
10:51 < kareem-ali> just wondering how your internal server had the route for 10.8.0.2
10:51 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:52 < vixus> cirkit: once the client has connected to the ovpn server, it's essentially part of the same LAN as the server, right? with an IP assigned according to the arguments to the "server" directive
10:54 < cirkit> vixus: that's correct .. all the connected clients obtain the same IP of the ovpn server
10:55 < vixus> well, IPs within the subnet..
10:55 < vixus> and you can ping the server using its VPN LAN address?
10:55 < cirkit> ah yea, they do gather an IP within 10.8.0.0/24
10:55 < vixus> ok, so you can ping 10.8.0.1
10:56 < cirkit> the 10.8.0.2 i could not ping from the server even, but 10.8.0.1 and another client with 10.8.0.10 were pinging
10:56 < vixus> what is 10.8.0.2?
10:56 < cirkit> i am not entirely sure why 10.8.0.2 is actually there
10:56 < vixus> just a normal client?
10:56 < cirkit> i do not recall ever making that route
10:57 < vixus> but how do you know 10.8.0.2 has been assigned?
10:57 < cirkit> it hasn't - it just shows as a Gateway for 10.8.0.0 in the routing table
10:58 < cirkit> 10.8.0.2 also shows in the Destination portion of the table
11:01 < vixus> hmm
11:02 < vixus> that's odd
11:03 < cirkit> i just stopped the ovpn process and the routing table is cleared .. just shows server's local routing table now
11:03 < cirkit> and added ip route add 10.8.0.0/24 via 66.xxx.xxx.41
11:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:04 < cirkit> will compare routing changes after starting ovpn
11:04 < vixus> cirkit: oh hold on, i have a route at x.x.x.2 as well
11:04 < cirkit> vixus: ah .. interesting
11:06 < vixus> anyway, i don't think it should affect accessing services on the ovpn server machine
11:06 < vixus> it's probably something to do with your iptables config
11:06 < vixus> if there is some way of allowing all traffic on the VPN subnet, you should be ok
11:09 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 260 seconds]
11:16 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:16 -!- jason_rad [~jason_rad@208.86.45.134] has joined #openvpn
11:17 < jason_rad> Hi guys.  I'm trying to ignore any pushdown routes / def1 from the server via adding the following to my client config.  --route-nopull.  However, this still accepts the push downs from the server
11:17 < jason_rad> Anything else I'm missing?
11:19 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
11:24 -!- jason_rad [~jason_rad@208.86.45.134] has quit [Quit: leaving]
11:28 -!- stundenull [~wired@unaffiliated/xombie] has joined #openvpn
11:33 < stundenull> anyone here?
11:36 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:42 < kaben> Hi all, I am trying to use PIA. Openvpn seems to connect but I cannot ping the server at all. I have opened the port. I get TLS handshake failed in logs if I use networkmanager-openvpn and no mention of it if I use cli openvpn. Any ideas?
11:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:57 -!- g00gz [~Adium@2601:6:62c0:9:91f7:5ae1:3db7:e83a] has joined #openvpn
12:04 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has quit [Ping timeout: 268 seconds]
12:10 -!- g00gz [~Adium@2601:6:62c0:9:91f7:5ae1:3db7:e83a] has left #openvpn []
12:13 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
12:14 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
12:21 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:24 -!- dazo is now known as dazo_afk
12:34 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
12:43 -!- clyons [~kvirc@host86-157-14-49.range86-157.btcentralplus.com] has joined #openvpn
12:43 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
12:45 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
12:46 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
12:46 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 246 seconds]
12:51 -!- kirin` [telex@gateway/shell/anapnea.net/x-lpblmrwdvrmiqzaa] has quit [Ping timeout: 240 seconds]
12:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-debmlurgvregnfjx] has joined #openvpn
12:54 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
13:10 -!- juztin_ [~juztin_@172.56.31.60] has joined #openvpn
13:11 -!- juztin_ [~juztin_@172.56.31.60] has quit [Remote host closed the connection]
13:12 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
13:16 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has joined #openvpn
13:20 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
13:20 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:28 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 268 seconds]
13:29 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
13:31 -!- ShadniX [dagger@p579418E2.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
13:32 -!- ShadniX [dagger@p579418E2.dip0.t-ipconnect.de] has joined #openvpn
13:38 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
13:39 -!- Px12 [~Px12@117.207.131.245] has joined #openvpn
13:40 -!- Px12 [~Px12@117.207.131.245] has quit [Max SendQ exceeded]
13:43 -!- Px12 [~Px12@117.207.131.245] has joined #openvpn
13:43 -!- Px12 [~Px12@117.207.131.245] has quit [Max SendQ exceeded]
13:47 -!- Px12 [~Px12@117.199.165.226] has joined #openvpn
13:47 -!- Px12 [~Px12@117.199.165.226] has quit [Max SendQ exceeded]
13:55 -!- Px12 [~Px12@117.199.162.172] has joined #openvpn
13:56 -!- Px12 [~Px12@117.199.162.172] has quit [Max SendQ exceeded]
14:04 -!- Px12 [~Px12@117.199.162.172] has joined #openvpn
14:10 -!- mattock is now known as mattock_afk
14:20 -!- ayaka [~ayaka@220.160.76.124] has joined #openvpn
14:21 < ayaka> I have to deploy openvpn on a wrong design ipv6 network
14:21 < ayaka> I have to use the ndp proxy to make the interface used by  openvpn pingable
14:22 < ayaka> but it won't work for the client of openvpn
14:22 < ayaka> is there anyway to solve it?
14:23 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has quit [Quit: Leaving]
14:47 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 246 seconds]
14:51 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has joined #openvpn
14:53 -!- law [~law@173-160-196-154-Washington.hfc.comcastbusiness.net] has joined #openvpn
14:53 -!- ShadniX_ [dagger@p579418E2.dip0.t-ipconnect.de] has joined #openvpn
14:54 -!- Fetch [fetch@gimel.cepheid.org] has joined #openvpn
14:54 -!- ShadniX [dagger@p579418E2.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
14:54 -!- ShadniX_ is now known as ShadniX
14:56 < Fetch> Has anyone seen a pattern on a website or whatnot for using something like quagga to inject routes into VPN configurations? The use case is that I don't set a default route for openvpn clients, so they need to be aware of the multitude of networks I host. Right now I manually add routes to VPN configurations when networks are created, but it's pretty suboptimal
15:03 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
15:05 < Slippern> I have a openvpn on a win7 server, which has a 1,87 intel dual core cpu, but i can only get 20-25mbps down, and 10-20mbps.. servers internet connection is 35/35mbps and my client has 1000/1000mbits..
15:16 -!- law [~law@173-160-196-154-Washington.hfc.comcastbusiness.net] has quit [Ping timeout: 250 seconds]
15:17 <@Eugene> !bottleneck
15:17 <@vpnHelper> "bottleneck" is (#1) OpenVPN uses userland crypto unless you have HW accel available (as shown with `openvpn --show-engines`.) This means the CPU is frequently the performance bottleneck; remember that OVPN is single-threaded or (#2) See also: !gigabit for ideas on advanced performance tuning options
15:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:22 < brad_mssw> !gigabit
15:22 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
15:24 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 252 seconds]
15:26 -!- sauce [sauce@unaffiliated/sauce] has quit [Quit: sauce]
15:28 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
15:32 -!- thefinn93 [~finn@unaffiliated/thefinn93] has joined #openvpn
15:34 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:35 -!- Px12 [~Px12@117.199.162.172] has quit [Ping timeout: 268 seconds]
15:37 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
15:38 -!- Px12 [~Px12@117.199.162.172] has joined #openvpn
15:38 -!- Px12 [~Px12@117.199.162.172] has quit [Max SendQ exceeded]
15:40 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 264 seconds]
15:45 -!- juztin_ [~juztin_@172.56.39.65] has joined #openvpn
15:46 -!- juztin_ [~juztin_@172.56.39.65] has quit [Remote host closed the connection]
15:46 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
15:49 -!- juztin__ [~juztin_@172.56.39.65] has joined #openvpn
15:50 -!- juztin__ [~juztin_@172.56.39.65] has quit [Remote host closed the connection]
15:50 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
15:50 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
15:51 -!- shio [marmot@30.65.73.86.rev.sfr.net] has quit [Ping timeout: 246 seconds]
15:51 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
16:01 -!- juztin_ [~juztin_@172.56.39.65] has joined #openvpn
16:03 -!- juztin_ [~juztin_@172.56.39.65] has quit [Remote host closed the connection]
16:03 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
16:03 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
16:04 -!- brad_mssw [~brad@shop.monetra.com] has quit [Quit: Leaving]
16:05 -!- ayaka [~ayaka@220.160.76.124] has left #openvpn ["离开"]
16:08 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
16:09 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Quit: Bye.]
16:10 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
16:14 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 240 seconds]
16:18 -!- juztin_ [~juztin_@172.56.39.65] has joined #openvpn
16:19 -!- juztin_ [~juztin_@172.56.39.65] has quit [Remote host closed the connection]
16:20 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
16:21 -!- ago [~ago@gentoo/developer/ago] has quit [Ping timeout: 252 seconds]
16:21 -!- ago [~ago@gentoo/developer/ago] has joined #openvpn
16:22 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
16:22 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has quit [Excess Flood]
16:25 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
16:28 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
16:31 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
16:35 -!- juztin__ [~juztin_@172.56.39.65] has joined #openvpn
16:38 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
16:45 -!- juztin__ [~juztin_@172.56.39.65] has quit [Remote host closed the connection]
16:46 -!- n1md4 [~root@pod-231.dolphin-server.co.uk] has joined #openvpn
17:05 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
17:18 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:30 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
17:30 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
17:30 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
17:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:37 -!- mode/#openvpn [+v s7r] by ChanServ
18:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
18:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:19 -!- Px12 [~Px12@117.199.168.210] has joined #openvpn
18:26 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 268 seconds]
18:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:12 -!- n1md4 [~root@pod-231.dolphin-server.co.uk] has left #openvpn []
19:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:38 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
19:39 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
19:50 -!- ohhmaar [ohhmaar@irc.louis6321.com] has joined #openvpn
19:55 < ohhmaar> so i installed openvpn on windows following the easy_windows_guide on the site what do i have to install on my mac to connect to it
19:57 < cirkit> try tunneblick or viscosity.. i use viscosity on os x clients
19:58 < ohhmaar> cirkit but is the client the only thing i have to install?
19:59 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
19:59 < ohhmaar> because i get this when i add the config files http://cl.ly/XQhY
19:59 <@vpnHelper> Title: Image 2014-09-08 at 7.59.22 PM.png (at cl.ly)
20:00 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
20:01 < cirkit> looks like you didn't include your ca.crt in the tunnelblick config
20:02 -!- Px12 [~Px12@117.199.168.210] has quit [Ping timeout: 264 seconds]
20:09 < ohhmaar> which files should i include?
20:10 < ohhmaar> i have the .crt, .key, .ovpn, .pem
20:11 < ohhmaar> whoops, i meant ca.crt, client.crt, client.key, and client.ovpn
20:12 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
20:14 < ohhmaar> cirkit is there a file path i have to specify?
20:17 < cirkit> ohhmaar: include them all in a folder and give it an extension of .tblk
20:17 < cirkit> you don't need to include the .pem file, that's not necessary
20:18 < cirkit> ohhmaar: that .pem should really only be on the server, not client
20:18 < ohhmaar> i know, i corrected myself sorry for the confusion
20:21 < ohhmaar> so attempt #2: i copied the client files from my windows laptop and i have them in a tunnelblick config file, when i run it I get this.. http://cl.ly/XRDl
20:21 <@vpnHelper> Title: Image 2014-09-08 at 8.20.04 PM.png (at cl.ly)
20:27 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
20:27 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:29 < cirkit> ohhmaar: the dialog is saying the ca.crt location you specified from client.conf cannot be found in 'C:\\Program Files\OpenVPN\config\ca.crt'
20:30 < cirkit> check the path again and correct
20:30 < ohhmaar> so i removed the file path in the .ovpn file and i just moved the files in the easy-rsa folder on the client
20:31 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
20:33 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
20:43 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
20:45 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
20:46 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
20:47 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
20:47 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
20:48 -!- wirehack7 [~wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
20:49 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
20:49 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
20:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:50 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has joined #openvpn
20:51 < skd5aner> I'm having an issue with port forwarding.  I have DDNS set up, and working fine.  However, I'm trying to run a web server on my network.  If I hit the LAN IP of the server from the LAN, it works, if I hit the URL (WAN IP) of the server from the LAN it works
20:51 < skd5aner> if I hit the URL from outside of hte LAN, it doesn't work
20:53 < skd5aner> I can't seem to figure out what's going on
20:57 < skd5aner> oops, wrong channel
21:02 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
21:05 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
21:05 < cirkit> yea, skd5aner .. i still haven't resolved that specific issue
21:08 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
21:09 -!- juztin_ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 276 seconds]
21:15 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
21:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
21:22 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
21:51 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
22:05 -!- cemotyz09 [~cesqueret@cpe-70-121-153-36.satx.res.rr.com] has joined #openvpn
22:05 -!- cemotyz09 [~cesqueret@cpe-70-121-153-36.satx.res.rr.com] has left #openvpn []
22:13 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:17 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
22:29 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
22:31 -!- u0m3__ [~u0m3@92.80.68.194] has joined #openvpn
22:35 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
22:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-debmlurgvregnfjx] has quit [Disconnected by services]
22:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-mdcocslkdypidlcs] has joined #openvpn
22:38 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:38 -!- Netsplit *.net <-> *.split quits: doebi, Cultist, MacGyver, sauce, jgeboski, _FBi
22:39 -!- jgeboski- is now known as jgeboski
22:39 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
22:39 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
22:40 -!- mode/#openvpn [+o krzie] by ChanServ
22:40 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
22:40 -!- Netsplit *.net <-> *.split quits: APTX, @krzee, troyt, jareth_, Jeroen52, Six6siX, @syzzer, erratic, ub1quit33, stundenull,  (+7 more, use /NETSPLIT to show all of them)
22:40 -!- krzie is now known as krzee
22:42 -!- Netsplit over, joins: troyt
22:42 -!- Netsplit over, joins: sauce, MacGyver, doebi, Cultist, _FBi
22:45 -!- syzzer [~syzzer@2001:610:697::12] has joined #openvpn
22:45 -!- stundenull [~wir3d@00000008.ipv6.lennon.mtbnc.us] has joined #openvpn
22:45 -!- lachesis [~lachesis@lachesis-3-pt.tunnel.tserv13.ash1.ipv6.he.net] has joined #openvpn
22:45 -!- dazo_afk [~dazo@2001:470:de40:1021::14] has joined #openvpn
22:46 -!- syzzer [~syzzer@2001:610:697::12] has quit [Changing host]
22:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:46 -!- mode/#openvpn [+o syzzer] by ChanServ
22:46 -!- dazo_afk [~dazo@2001:470:de40:1021::14] has quit [Changing host]
22:46 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
22:46 -!- mode/#openvpn [+o dazo_afk] by ChanServ
22:46 -!- dazo_afk is now known as dazo
22:46 -!- lachesis is now known as Guest72241
22:47 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
22:49 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
22:55 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
23:09 -!- Guest72241 [~lachesis@lachesis-3-pt.tunnel.tserv13.ash1.ipv6.he.net] has quit [Ping timeout: 272 seconds]
23:11 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
23:12 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
23:15 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
23:17 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
23:18 -!- abbe [~abbe@badti.me] has quit [Read error: Connection reset by peer]
23:18 -!- abbe [having@badti.me] has joined #openvpn
23:19 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
23:24 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
23:24 -!- mode/#openvpn [+o plaisthos] by ChanServ
23:25 -!- KNERD [~KNERD@23.227.189.101] has joined #openvpn
23:29 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
23:35 -!- abbe_ [having@badti.me] has joined #openvpn
23:35 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
23:35 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
23:36 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
23:41 -!- ShadniX [dagger@p579418E2.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:43 -!- ShadniX [dagger@p579413CF.dip0.t-ipconnect.de] has joined #openvpn
23:50 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
23:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
23:54 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
23:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
--- Day changed Tue Sep 09 2014
00:02 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Quit: Leaving]
00:04 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
00:07 -!- mattock_afk is now known as mattock
00:16 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
00:17 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
00:18 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 268 seconds]
00:24 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
00:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:38 -!- cirkit [dethwish@peanut-butter.net] has joined #openvpn
00:42 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
01:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 276 seconds]
01:24 -!- clyons [~kvirc@host86-157-14-49.range86-157.btcentralplus.com] has quit [Ping timeout: 276 seconds]
01:31 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
01:46 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
01:51 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Quit: Leaving]
01:55 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
01:58 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
02:03 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
02:21 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
02:26 < cirkit> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
02:26 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
02:27 < cirkit> what if my VPS only gives me an external IP like 66.x.x.40 instead of 192.168.1.1 -- how would you specify the 'server-bridge' section?
02:28 -!- ago [~ago@gentoo/developer/ago] has quit [Quit: leaving]
02:29 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
02:31 -!- zalami [~realnameo@cpe-74-73-165-167.nyc.res.rr.com] has quit [Ping timeout: 245 seconds]
02:37 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
02:41 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
02:41 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
02:46 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
02:48 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:02 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
03:12 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 272 seconds]
03:27 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
03:41 -!- abbe_ [having@badti.me] has quit [Ping timeout: 260 seconds]
03:42 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 260 seconds]
03:43 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
03:44 -!- abbe [having@badti.me] has joined #openvpn
03:50 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:57 -!- davegb3 [~davegb3@p5B2C3039.dip0.t-ipconnect.de] has joined #openvpn
04:15 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 240 seconds]
04:17 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
04:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
04:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
04:50 -!- Sicelo [Sicelo@unaffiliated/sicelo] has joined #openvpn
04:57 < Sicelo> question: the administrator of the openvpn server i connect to does not want to push IPv6 default route to clients for some reason. adding it manually on client after the connection is established works fine. i tried to automate this by using the 'up' command in my client's config, but it does not work. what would be the best way to handle this?
04:59 < Sicelo> #script-security 2
04:59 < Sicelo> # up '/sbin/ip -6 r a default via 2001:19f0:..... dev tun0
04:59 -!- Px12 [~Px12@59.89.49.151] has joined #openvpn
05:06 -!- mattock is now known as mattock_afk
05:29 -!- Ring0` is now known as ringo
05:29 -!- ringo is now known as ring0`
05:39 -!- mattock_afk is now known as mattock
05:42 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
06:04 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:33 -!- Px12 [~Px12@59.89.49.151] has quit [Remote host closed the connection]
06:51 <@ecrist> Sicelo: that should work.  What do the logs say?
06:51 <@ecrist> you can also, iirc, just add a route "... .. .. " in your client config
06:54 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
06:54 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 252 seconds]
06:54 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
06:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:56 -!- mode/#openvpn [+o krzee] by ChanServ
07:01 -!- Netsplit *.net <-> *.split quits: doebi, _FBi, Cultist, sauce
07:04 -!- Netsplit over, joins: sauce
07:05 -!- doebi [~doebi@doebi.at] has joined #openvpn
07:05 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has joined #openvpn
07:05 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
07:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:15 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
07:20 -!- vixus [~as2122@cpc66946-cmbg14-2-0-cust120.5-4.cable.virginm.net] has quit [Quit: WeeChat 1.0]
07:26 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 240 seconds]
07:28 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
07:35 -!- Px12 [~Px12@117.199.171.75] has joined #openvpn
07:39 -!- MaddinXx [~racksteri@2a01:2a8:8303:fe01:b09d:efbb:b4c1:ae0c] has joined #openvpn
07:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
07:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
07:46 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Remote host closed the connection]
07:47 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:03 -!- g00gz [~Adium@199.244.84.14] has quit [Ping timeout: 260 seconds]
08:04 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
08:06 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:10 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:12 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
08:21 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
08:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
08:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
08:58 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
09:00 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
09:12 -!- zeroNones [~textual@187.204.142.142] has joined #openvpn
09:13 < zeroNones> !welcome
09:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:17 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
09:26 -!- MaddinXx [~racksteri@2a01:2a8:8303:fe01:b09d:efbb:b4c1:ae0c] has quit [Quit: Computer has gone to sleep.]
09:36 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:38 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:49 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
09:53 -!- Plastefuchs [~fweee@198.98.120.235] has left #openvpn ["WeeChat 0.3.2"]
09:55 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 276 seconds]
10:04 -!- ohhmaar [ohhmaar@irc.louis6321.com] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
10:06 -!- mattupstate [~Adium@static-71-183-236-90.nycmny.fios.verizon.net] has joined #openvpn
10:08 < mattupstate> i'm a bit of a networking novice, but i'm curious, can i push some config form the server that tells a client to route all traffic for a given domain through the vpn connection?
10:09 < mattupstate> and perform DNS queries for that domain against a server in the VPN?
10:22 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
10:24 -!- ikkuplio [~IceChat77@ipservice-092-210-027-060.092.210.pools.vodafone-ip.de] has quit [Quit: Pull the pin and count to what?]
10:25 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:31 -!- mattupstate [~Adium@static-71-183-236-90.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
10:38 -!- loomsen [~loomsen@gateway/tor-sasl/loomsen] has joined #openvpn
10:39 < loomsen> hi folks, i'm having kind of a hard time. i have a server, where one client connects to to build a site to site vpn. this is working so far. now i want another client to connect to the server, and be able to use the first clients remote LAN. but i can't seem to figure out how to push a route to one client only
10:40 < loomsen> i created a client config dir, and placed the desired push "route foo bar" in there, named the file like the user
10:40 < loomsen> but the route doesn't get pushed
10:40 < loomsen> if i add the route manually, it works
10:43 < loomsen> i thought the client-config-dir was there to distinguish between different clients and giving them custom configs
10:47 < loomsen> whoopsie, please ignore my question, i found my mistake
10:51 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Read error: Connection reset by peer]
10:52 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:52 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Quit: No Ping reply in 180 seconds.]
10:56 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
11:00 -!- loomsen [~loomsen@gateway/tor-sasl/loomsen] has quit [Quit: Leaving]
11:02 -!- davegb3 [~davegb3@p5B2C3039.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
11:03 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:11 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
11:11 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
11:14 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
11:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:19 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 245 seconds]
11:21 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
11:46 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:04 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
12:04 < ValdikSS> Hello guys.
12:05 < ValdikSS> New versions of networkmanager are intercepting all interface changes and add them into their configs. However, OpenVPN often add routes too fast and networkmanager can't keep up with it
12:06 < ValdikSS> So, almost all the time, when openvpn adds redirect-gateway def1 routes 0.0.0.0/1 and 128.0.0.0/1, 0.0.0.0/1 is almost always missing
12:06 < ValdikSS> It just disappears from the routing table right after ip route execution
12:06 < ValdikSS> This can be fixed by route-delay 1
12:07 < ValdikSS> So, should I report this to networkmanager developers, to openvpn developers or to both?
12:08 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
12:19 -!- gdoermann [~gdoermann@23.30.58.242] has joined #openvpn
12:21 < gdoermann> Hey guys, I recently changed the IP address on my vpn server and now the server won't allow me to route between networks.  I have promiscuous mode on the devices and I have ip forwarding on (echo 1 > /proc/sys/net/ipv4/ip_forward).  Any ideas why?
12:22 < pekster> gdoermann: flowcharts for you in !serverlan and !clientlan depending where the LAN you want to route to/from is located
12:24 < gdoermann> pekster: the vpn server has access to our lan and when I connect I can access everything over the lan correctly, but I want to be able to also use the vpn server as my default gateway for all traffic
12:24 < gdoermann> so I am able to connect, hit internal servers but if I ping 8.8.8.8 everything fails
12:25 < pekster> Firewall or lack of NAT would be my guess
12:28 < gdoermann> there is no firewall outside of ip tables
12:33 -!- dazo is now known as dazo_afk
12:35 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
12:43 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
12:49 -!- zeroNones [~textual@187.204.142.142] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
12:50 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
12:51 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has quit [Quit: Konversation terminated!]
12:52 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
12:55 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
13:06 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
13:07 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
13:12 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:14 -!- Px12 [~Px12@117.199.171.75] has quit [Read error: Connection reset by peer]
13:21 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has joined #openvpn
13:37 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
13:37 -!- u0m3__ [~u0m3@92.80.68.194] has quit [Read error: Connection reset by peer]
13:37 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
13:37 -!- u0m3__ [~u0m3@92.80.68.194] has joined #openvpn
13:39 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
13:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:59 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 264 seconds]
14:08 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
14:10 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:11 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
14:17 -!- mattock is now known as mattock_afk
14:26 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
14:27 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
14:28 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
14:28 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Ping timeout: 240 seconds]
14:32 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:37 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has joined #openvpn
14:42 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 252 seconds]
14:54 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:54 -!- gdoermann [~gdoermann@23.30.58.242] has quit [Ping timeout: 245 seconds]
15:04 -!- sroy [~sroy@secure.innobec.com] has quit [Quit: Leaving]
15:11 -!- RBecker is now known as ryanb
15:15 -!- gdoermann [~gdoermann@23.30.58.242] has joined #openvpn
15:17 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
15:25 -!- ryanb is now known as RBecker
15:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
15:38 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
15:41 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Quit: off to do some thoughtcrime]
15:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:07 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
16:17 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has joined #openvpn
16:19 -!- brad_mssw [~brad@shop.monetra.com] has quit [Quit: Leaving]
16:29 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
16:37 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
16:39 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
16:44 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
16:45 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
16:49 -!- ahklerner [~nkruzan@unaffiliated/ahklerner] has joined #openvpn
16:49 < ahklerner> hi a few weeks ago i set up an iphone client, i am now wanting to add another client
16:50 < ahklerner> what is the terminology for the 'single file config' so i can search
16:50 < pekster> ahklerner: Maybe you're referring to the 'INLINE FILE SUPPORT' in the manpage?
16:50 < ahklerner> thank you
16:53 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 245 seconds]
16:55 < ahklerner> ok the part i am having trouble with is i have forgotten which files go in which parts. i have them named android.xxx . i know android.key goes in the <key></key>
16:56 < pekster> Your X.509 key in base-64 encoded PEM format goes in <key>
16:56 < pekster> Each <thing> replaces the command-line option --thingk
16:57 < pekster> Mind keys though; both your X.509 private key and tls-auth keys are usually named *.key by convention
16:59 < ahklerner> !paste
16:59 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
17:00 < ahklerner> here is the format that is working http://pastebin.com/Tp1QFGTj
17:00 < ahklerner> on the iphone
17:01 < pekster> Yup
17:02 < pekster> You just put the file contents referenced by each --keyword in the <keyword> brackets
17:02 < pekster> Literally paste it in
17:03 < ahklerner> ok it looks like i opened ca.crt client.crt and client.key are those the correct to use (except replace client.key with android.key)
17:04 < ahklerner> or can i just copy the entire file and replace the <key> contents with the newly generated key ?
17:05 < pekster> If you have a new keypair and want to use it, sure
17:05 < pekster> See also:
17:05 < pekster> !dupecn
17:05 < pekster> !dupe
17:05 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
17:05 < ahklerner> !man --duplicate-cn
17:05 < ahklerner> !man
17:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:07 < ahklerner> !pki
17:07 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
17:07 <@vpnHelper> was signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
17:09 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
17:10 < ahklerner> ok so it seems best to generate new keys for each client
17:10 < pekster> Right, that way you can revoke each one uniqiuely
17:10 -!- zeroNones [~textual@187.204.142.142] has joined #openvpn
17:10 < pekster> If you have the same cert used by multiple clients and 1 is compromised, you have no choice but to deny access to them all, which is typically inconvenient
17:11 < zeroNones> Hi guys, whats the most common reason people are setting up openvpn boxes for?
17:11 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has quit [Excess Flood]
17:11 < ahklerner> will the <ca> stay the same between the client configs and the <cert> and <key> will change ?
17:11 < pekster> zeroNones: Lots. Some examples:
17:11 < pekster> !goal
17:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:11 < pekster> ahklerner: Right, the CA is the root CA for your PKI. Each PKI only has 1 root CA
17:12 < zeroNones> pekster so whats the difference between say using osx built in vpn solution to have a secure connection between two computers?
17:12 < zeroNones> isnt it essentially the same thing?
17:12 < zeroNones> I do use a VPN to surf the net
17:12 < ahklerner> i am using openvpn to allow me access to my home network stuffs <more> securely also for internet browsing on insecure wifi's
17:13 < pekster> In the same way that pasta and salad are both food items, sure
17:13 < zeroNones> ahklerner so you have openvpn setup on your local machine?
17:13 < zeroNones> pekster so openvpn has a lot of benefits?
17:13 < zeroNones> compared to osx
17:13 < zeroNones> is osx not secure or?
17:13 < ahklerner> i have openvpn setup in a vm that is running on an always on machine
17:14 < pekster> openvpn is cross-platform and TLS-based. It's incompatible with any other VPN protocol
17:14 < pekster> Other popular VPN implementations are IPSec with IKE or a handful of vendor-propritary solutions
17:15 < zeroNones> ahklerner but say you have a windows or mac desktop and have a vm with ubuntu and openvpn cant you only access files on the ubuntu system and not your windows or mac
17:15 < zeroNones> pekster yeah ipsec is what mac uses I bleieve
17:16 < pekster> They're wildly different solutions. IPSec support is built into some software OOTB, but it's generally more complex to set up and not as NAT friendly
17:16 < pekster> It's a trade-off depending on what your needs are
17:16 < ahklerner> zeroNones i have to defer to others, i am really just a noob
17:16 < ahklerner> BUT
17:16 < ahklerner> i am able to access any services on my lan through the vpn
17:17 -!- Px12 [~Px12@117.199.167.32] has joined #openvpn
17:17 < zeroNones> pekster so would you say security between computers is the primary service of openvpn?
17:17 < ahklerner> so if file sharing is turned on, on a box i can access the files
17:17 < zeroNones> or primary feature?
17:17 < pekster> zeroNones: Or networks, yup. OpenVPN doesn't do much good unless you intend to connect to "something" at the other end
17:17 < zeroNones> I didnt know you could do that, cool thanks ahklerner
17:18 < pekster> Think of openvpn kind of like a "really long network cable" -- it's a bit more complex, but that's basically what it does. With security added for the traffic
17:18 < ahklerner> right, it just acts like you are directly connected
17:19 < zeroNones> so this would be a good solution for encrypted chat, messaging, or phone calls?
17:19 < zeroNones> between two connected computers
17:19 < pekster> Sure, if those aren't encrypted for you already, or you just want a unified access solution to ensure security at the network level
17:20 < pekster> That's common for businesses to use to secure employee-to-company traffic, but many home users use it for the same reasons
17:20 < ahklerner> i have asterisk server internally and i am able to connect to the vpn remotely and make phone calls
17:20 < zeroNones> pekster Im thinking as in Skype, they encrypt the data but they save all the data and supposdly record calls
17:21 < zeroNones> sweet so thats all encrypted ahklerner?
17:21 < ahklerner> the tunnel is encrypted and the sip is also encrypted (i think) as i said i am noob
17:22 < shio> for one second i though i was on another room and was about to say: just set up an openvpn server and use yate/asterisk x)
17:22 < zeroNones> never heard of yate
17:22 < zeroNones> heard of asterisks
17:23 < shio> a simplier alternative to asterisk
17:23 < zeroNones> searching ...
17:23 < ahklerner> asterisk isnt really that hard to configure for simple things
17:23 < shio> http://yate.null.ro/pmwiki/
17:23 <@vpnHelper> Title: Yate | Main / HomePage (at yate.null.ro)
17:24 -!- moviuro [~moviuro@ginfo.ext.ec-m.fr] has left #openvpn ["Bye!"]
17:24 < ahklerner> a bit off topic, but i have asterisk running on a raspberry pi and it really amazes me
17:25 < shio> i was considering building a pi too just for openvpn and a pbx server
17:26 < ahklerner> make sure if you choose 2048 key lenght you generate them on another box
17:26 < ahklerner> took like 4.5 hours to generate the server dh key
17:26 < ahklerner> on the pi
17:26 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
17:27 < ahklerner> (i think thats what it was anyway)
17:27 < shio> not really surprising, the pi isn't really a beast, apart from its price
17:27 < ahklerner> i was expecting like a few extra minutes
17:28 < ahklerner> like 20 maybe
17:29 < ahklerner> but then again i dont understand what all goes into generating the key aside from it needs to find the random prime numbers
17:29 < shio> that would be tremendous lol
17:31 < pekster> Embedded solutions tend to have horrible entropy and it's best not to generate keys on them regardless of the time it takes
17:31 < pekster> !facthacks
17:32 < ahklerner> so you are saying i should regen them on a different machine now ?
17:32 < pekster> !learn facthacks as For an ~hour long talk on entropy in embedded solutions, see: http://www.youtube.com/watch?v=IuSnY_O8DqQ
17:32 <@vpnHelper> Joo got it.
17:32 < pekster> Depends on how decent the entropy is
17:32 < pekster> It's not "horrible", just not ideal. Usually.
17:33 < pekster> It's extra bad when keys are auto-generated on first-boot (like host ssh keys tend to be)
17:33 < shio> i'd that on my main comp anyway, everything's already setup including the backup, i'd go on generating on this one and move the required files afterwards
17:33 < shio> +do
17:37 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 276 seconds]
17:38 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
17:38 < ahklerner> ok so i ran the pkitool and it says 'failed to update database' TXT_DB error number 2
17:38 < ahklerner> is that bad
17:38 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
17:39 < pekster> Most common cause of that is a duplicate CN
17:39 < pekster> Your CN (or technically speaking, the full DN) must be unique for all valid certs
17:39 < pekster> Either choose a new name, or revoke the active one first
17:40 < ahklerner> ok maybe i will start over
17:41 < ahklerner> i only have one client right now and would like to move to 2048 bit key anyway
17:41 -!- Px12 [~Px12@117.199.167.32] has quit [Remote host closed the connection]
17:44 < ahklerner> should there be two entries in the vars file for KEY_EMAIL
17:47 -!- zeroNones [~textual@187.204.142.142] has quit [Ping timeout: 276 seconds]
17:51 -!- zeroNones [~textual@189.182.25.60] has joined #openvpn
17:53 -!- zeroNones [~textual@189.182.25.60] has quit [Read error: Connection reset by peer]
18:07 < pekster> Not really; if both are uncommented the 2nd overwrites the first
18:07 < pekster> Feel free to remove the first one as it's pointless
18:08 < ahklerner> ok i did that
18:08 < ahklerner> and am now generating the dh
18:10 < ahklerner> i forgot to use screen again
18:25 -!- gdoermann [~gdoermann@23.30.58.242] has quit [Ping timeout: 255 seconds]
18:33 < ahklerner> i cannot find the article i followed last time
18:39 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
18:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:40 -!- mode/#openvpn [+v s7r] by ChanServ
18:43 < ahklerner> how do i get the client.crt converted to the inline format ?
18:52 < ahklerner> i am missing some step
18:59 < pekster> "coverted" ?
18:59 < pekster> It's just a PEM format in plaintext. You literally copy the contents of the .crt file between the <cert> and </cert> lines. That's it.
19:00 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 260 seconds]
19:01 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
19:01 -!- u0m3_ [~u0m3@92.80.68.194] has joined #openvpn
19:04 < ahklerner> but my crt file is like this -
19:04 < ahklerner> Certificate:
19:04 < ahklerner>     Data:
19:04 < ahklerner>         Version: 3 (0x2)
19:04 < ahklerner>         Serial Number: 11 (0xb)
19:04 < ahklerner>     Signature Algorithm: sha1WithRSAEncryption
19:04 < ahklerner> not ------BEGIN blah
19:05 -!- u0m3__ [~u0m3@92.80.68.194] has quit [Ping timeout: 276 seconds]
19:05 < ahklerner> i even looked through my bash history to see how i did it the first time and i do not see what i am missing
19:06 < Hello71> you did openssl x509 -text > file
19:07 < ahklerner> no
19:10 < ahklerner> i need some more nudging
19:10 -!- Pyrogerg [~Gregory@c-76-113-46-234.hsd1.nm.comcast.net] has joined #openvpn
19:12 < ahklerner> i did the ./build-key blah
19:12 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 245 seconds]
19:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:16 < ahklerner> i have no idea if this matters, but
19:16 < ahklerner> http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
19:16 <@vpnHelper> Title: RSA Key Management (at openvpn.net)
19:17 < ahklerner> shows what the build-key script should say (i guess) where mine has http://pastebin.com/uSjRm02F
19:24 < ahklerner> i am very lost
19:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:32 < ahklerner> ok ok
19:46 -!- gdoermann [~gdoermann@199.30.184.239] has joined #openvpn
19:46 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
19:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:48 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
19:49 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
19:49 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:57 < pekster> ahklerner: You can paste all the leading "human-friendly" text too, but all you need is the -------BEGIN CERTIFIATE------- stuff
19:57 < pekster> The rest is silently ignored by X.509 parsers
19:58 < ahklerner> oh good god i just didnt scroll down
19:58 < ahklerner> ha
20:03 < ahklerner> ok now i think i have the .ovpn files figured out
20:06 < ahklerner> yay it works
20:08 < ahklerner> on multiple devices even
20:10 < ahklerner> thanks you everyone
20:17 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
20:18 -!- zeroNones [~textual@187.146.189.81] has joined #openvpn
20:23 < cirkit> at my work's VPN .. i can access internal services once connected from any outside source - how come OpenVPN does not provide the same behavior?
20:24 < cirkit> so now i have to resort to opening up the firewall from a specific subnet
20:26 < ahklerner> did you configure the iptables on your machine
20:26 < ahklerner> the ovpn server
20:28 -!- Pyrogerg [~Gregory@c-76-113-46-234.hsd1.nm.comcast.net] has quit [Ping timeout: 276 seconds]
20:28 < cirkit> i did.. forwarding and NAT / masquerading
20:29 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
20:29 -!- redpill [~redpill@unaffiliated/redpill] has quit [Read error: Connection reset by peer]
20:29 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:31 < ahklerner> if the server is running a firewall you will need a hole in it
20:34 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
20:35 < cirkit> for a scenario like this - is it necessary to create a static route and tell iptables to route OpenVPN traffic on port 1194 to go theough the static route that is not on tun0 ?
20:35 < cirkit> hrm actually im not entirely sure if that would solve this
20:36 < cirkit> so far the only hole in the firewall is for opening up specific subnets i am conmecting from externally
20:36 < cirkit> work / phone's LTE
20:37 -!- OakdaleHutch [~Hutch@c-98-240-156-222.hsd1.mn.comcast.net] has joined #openvpn
20:37 < OakdaleHutch> !welcome
20:37 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
20:37 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:38 < OakdaleHutch> !logs
20:38 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
20:39 < OakdaleHutch> !route
20:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
20:39 <@vpnHelper> client
21:03 -!- zeroNones [~textual@187.146.189.81] has quit [Ping timeout: 255 seconds]
21:06 -!- OakdaleHutch [~Hutch@c-98-240-156-222.hsd1.mn.comcast.net] has quit [Ping timeout: 276 seconds]
21:41 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has joined #openvpn
21:46 < ahklerner> !client
21:54 -!- zeroNones [~textual@187.146.191.27] has joined #openvpn
22:04 -!- ahklerner [~nkruzan@unaffiliated/ahklerner] has quit [Quit: Leaving.]
22:07 -!- zeroNones [~textual@187.146.191.27] has quit [Ping timeout: 268 seconds]
22:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
22:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:26 -!- skd5aner [~skd5aner@241.sub-70-198-68.myvzw.com] has quit [Ping timeout: 245 seconds]
22:33 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:44 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has quit [Excess Flood]
23:01 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
23:04 < cesurasean> unable to redirect default gateway -- Cannot read current default gateway from system
23:04 < cesurasean> how do i fix this?
23:09 < cesurasean> i specified the gateway manually, and now its just giving me this; Wed Sep 10 00:08:35 2014 /sbin/ifconfig tun1 192.168.88.6 pointopoint 192.168.88.5 mtu 1500
23:09 < cesurasean> SIOCADDRT: File exists
23:09 < cesurasean> Wed Sep 10 00:08:35 2014 ERROR: Linux route add command failed: external program exited with error status: 7
23:16 < cesurasean> i fixed this by specifying the gateway manually.
23:16 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
23:28 -!- G_Known [~Instantbi@pool-71-182-179-45.pitbpa.east.verizon.net] has joined #openvpn
23:28 < G_Known> Does anyone know what this error is all about? : ERROR while getting interface flags: No such device
23:28 < G_Known> SIOCSIFDSTADDR: No such device
23:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:29 < G_Known> It's obviously said that it's trying to bring up a unknown device, this occurs whenever I'm restarting openvpn
23:30 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
23:32 < _FBi> windows?
23:32 < G_Known> I'm running debian
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 276 seconds]
23:38 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
23:40 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:40 -!- mode/#openvpn [+o krzee] by ChanServ
23:41 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:41 -!- ShadniX [dagger@p579413CF.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:42 -!- G_Known [~Instantbi@pool-71-182-179-45.pitbpa.east.verizon.net] has quit [Quit: Instantbird 1.5 -- http://www.instantbird.com]
23:42 -!- ShadniX [dagger@p5481D932.dip0.t-ipconnect.de] has joined #openvpn
23:46 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 252 seconds]
--- Day changed Wed Sep 10 2014
00:36 < cesurasean> hey guys. any help to get my server to mask my ip?
00:36 < cesurasean> i can connect just fine, and when i specify route-gateway 199.103.62.130, it doesnt seem to work.
00:36 < cesurasean> redirect-gateway cant find my gateway.
01:25 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has quit [Ping timeout: 276 seconds]
01:51 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:05 -!- Px12 [~Px12@117.199.169.250] has joined #openvpn
02:06 -!- dazo_afk is now known as dazo
02:10 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Remote host closed the connection]
02:12 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:19 -!- Px12 [~Px12@117.199.169.250] has quit [Ping timeout: 260 seconds]
02:33 -!- Px12 [~Px12@117.207.131.55] has joined #openvpn
02:49 -!- Px12 [~Px12@117.207.131.55] has quit [Remote host closed the connection]
02:54 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 252 seconds]
02:58 -!- cmanns [~cmanns@75.140.156.85] has joined #openvpn
02:58 < cmanns> So openvpn with virtual lan option will let me play a gameserver over open port?
02:58 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:07 < shio> a basic setup will let u create a virtual lan server indeed cmanns
03:07 < cmanns> sweet
03:07 < cmanns> Just trying to connect via openvpn windows client
03:07 < cmanns> wont connect though no error besides it can
03:07 < cmanns> t
03:08 < shio> on the server u have to open the port 1194 on ur router
03:08 < shio> also, if it's for gaming, i strongly suggest to use udp instead of tcp in your config file
03:10 < shio> and to also add "client-to-client" on that config file to allow clients to host games (otherwise only you will be able to host)
03:11 < cmanns> I'm using UDP
03:11 < cmanns> this is a server in a datacenter and I have client to client
03:11 < cmanns> Whats this openvpn private tunnel for Xp?
03:11 < cmanns> that is not what i want lul
03:12 < cmanns> rebooted xp computer, still says current state connecting
03:12 < shio> installing openvpn on ur computer will create a virtual lan network and so it'll act like a virtual ethernet card if you want, hence why you're seeing a new "card" in your list
03:13 < shio> firewall?
03:15 < cmanns> oh wait I didnt put the keys
03:15 < cmanns> How do I put the path to keys and where do I put keys
03:15 < cmanns> can I just puyt them in the config dir and put name with no path
03:15 < shio> client side u mean?
03:16 < cmanns> yeah
03:17 < cmanns> is like
03:17 < cmanns> ca keys\ca.crt fine for windows?
03:17 < shio> on windows, by default it'll look inside the config folder if you don't add a folder
03:17 < cmanns> On OS X I use full path
03:17 < cmanns> can I move keys folder in there?
03:17 < shio> rather keys/ca.cart
03:17 < shio> yeah you can
03:17 < shio> create the subfolder you want in the config folder
03:18 < shio> then: ca folder/ca.crt
03:18 < cmanns> Got it
03:18 < cmanns> now it says UDPv4 connection reset by peer
03:18 < shio> paste your config (hide ur IPs) in a pastebin
03:19 < cmanns> http://pastebin.com/z0t9pVyb
03:19 < cmanns> I went dev tun to dev tap for xp
03:19 < cmanns> This OpenVPN server works for Android and OS X clients
03:20 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
03:21 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
03:21 < shio> yeah that's fine, i don't see anything wrong with it
03:22 < cmanns> weird
03:22 < shio> can you ping the server?
03:22 < cmanns> How do I make it route all for interface?
03:22 < cmanns> like make internet chrome show IP inw hatismyip like my mac does
03:23 < shio> using ur server as a gateway you mean?
03:23 < cmanns> Myvbox gets same error so must be ok
03:24 < cmanns> Yeah use the openvpn server as gateway
03:24 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
03:25 < shio> there: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect :)
03:25 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:25 < shio> this subsection should answer your question :)
03:25 < cmanns> actually both are connecting and disconnecting
03:25 < cmanns> So im not even connected :(
03:26 < shio> also, before i forget, on windows you'll have to switch the priority of the network, especially for gaming
03:27 < shio> windows will look for the first network and by default, it won't be the vpn one
03:27 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 252 seconds]
03:27 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
03:28 < shio> can you also paste in pastebin ur server config?
03:28 < cmanns> restarting openvpn server fixed it
03:28 < cmanns> now they have ips
03:28 < shio> good :)
03:28 < shio> green on ur side?
03:29 < cmanns> yep! :D
03:29 < cmanns> now to test video game
03:29 < shio> did you change the metrics to force windows to use openvpn first?
03:30 < shio> if not, most games won't work
03:31 < cmanns> no how do I force windows to use it?
03:31 < cmanns> that url?
03:31 < shio> nope, not related :)
03:31 < cmanns> I already had that setup in the openvpn config but not windows
03:31 < shio> windows look for the first connected network and it stops
03:32 < shio> by default, it'll either be ur physical ethernet/wifi card
03:32 < cmanns> hm
03:33 < cmanns> its not doing that
03:33 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has left #openvpn []
03:33 < shio> have you ever been in that config window where you can change you network ip?
03:33 < shio> usually right-click on the card then properties
03:34 < cmanns> oh ok
03:34 < cmanns> The tap adaptr?
03:35 < shio> you'll have to edit your config on all the cards you're using
03:35 < shio> and manually set the priority
03:35 < shio> on that window, double-click on TCP/IP v4
03:35 < shio> on the new panel, you'll have an advanced button
03:36 < cmanns> hm
03:36 < cmanns> I set it to 1
03:37 < shio> the lowest will be the first
03:37 < shio> so 1 for openvpn
03:37 < shio> 2 for ethernet
03:37 < shio> 3 for wifi
03:37 < shio> once you're done, you'll have to restart your computer if it's xp (not required for vista+)
03:37 < cmanns> I also noticed the tun adapter has no packets recieved
03:37 < cmanns> ok ill try reboot
03:38 < cmanns> doing this on friends PC and virtualbox both XP
03:39 < shio> if your config works than it should work on ur friend too
03:39 < shio> if not, something wrong with the firewall
03:40 < cmanns> ah ok my config is missing route gateway
03:40 < shio> for web browsing, it's indeed required
03:43 < cmanns> says it needs gateway paramater
03:43 < cmanns> I put the push one
03:43 < cmanns> push "redirect-gateway def1 bypass-dhcp"
03:44 < cmanns> oh I hate
03:44 < cmanns> had push "route 192.4.20.0 255.255.255.0"
03:44 < cmanns> in config
03:45 < cmanns> cant ping other system
03:46 < cmanns> 10.8.0.22 cant ping 10.8.0.14
03:46 < cmanns> also still no rec packets
03:47 < cmanns> yep its failing to get the route for host network 10.8.0.0
03:47 < shio> push route is mostly for reaching other subnets on the vpn, the gateway & dhcp options are the ones u need to redirect traffic
03:48 < cmanns> yeah it doesnt let me talk to the openvpn gateway though
03:48 < kareem-ali> 10.8.0.22 and 10.8.0.14 are both VPN clients?, for that you need 'client-to-client' directive in your server config file
03:49 < cmanns> I have client to client directive
03:49 < cmanns> both clients dont even recieve any data from the tap interfaces
03:49 < cmanns> This VPN works fien if I use tunnelbrik
03:49 < kareem-ali> tap ??
03:49 < kareem-ali> why tap ?
03:49 < cmanns> windows?
03:50 < shio> client-to-client is mostly for ur gaming needs
03:50 < shio> allows clients to host games
03:50 < kareem-ali> ah, windows, not a lot of experience there sorry
03:50 < cmanns> theres no default gatway for the tap adapter just says ip 10.8.0.22 and 10.8.0.21 subnet
03:50 < kareem-ali> but I guess it should be tunnel mode
03:51 < kareem-ali> actually I remember doing it on my windows machine now, didn't use tap
03:51 < cmanns> ill try removing tap
03:51 < kareem-ali> well your systems needs to be consistent
03:51 < kareem-ali> they must follow what the server is running
03:51 < kareem-ali> either all tap, or all tun
03:51 < kareem-ali> and tun is the right way to go
03:52 < shio> i remember reading a thing about tun & tap, and ended up using tap, which works fine on our windows environment
03:53 < kareem-ali> cool
03:53 < cmanns> with tun I got gateway
03:53 < cmanns> and his internet broke
03:53 < cmanns> and my vbox cant connect to internet now too
03:53 < cmanns> :D
03:53 < kareem-ali> I think krzee will defo know
03:53 < kareem-ali> that's because windows defaults traffic over VPN
03:53 < kareem-ali> don't let your internet traffic goes over the VPN
03:53 < kareem-ali> there should be an option to disable that
03:55 < shio> but i think tun is indeed better, tap will be enough if it's to act like a lan
03:55 < cmanns> Guys I got it
03:56 < cmanns> Now his internet and my vbox say my openvpn IP
03:56 < cmanns> yey
03:56 < shio> :)
03:56 -!- Px12 [~Px12@117.207.131.55] has joined #openvpn
03:57 < shio> ah, found the explanations: http://serverfault.com/questions/21157/should-i-use-tap-or-tun-for-openvpn
03:57 <@vpnHelper> Title: vpn - Should I use tap or tun for openvpn? - Server Fault (at serverfault.com)
04:01 < cmanns> We can ping eachother
04:02 < cmanns> still dont see eachother in flightgear
04:02 -!- Px12 [~Px12@117.207.131.55] has quit [Remote host closed the connection]
04:04 < shio> had ur friend changed his metrics too? have u rebooted urs?
04:04 < cmanns> his whatismyip shows my openvpn address
04:04 < cmanns> and we used openvpn ips for multiplayer ip
04:05 < shio> you'll still have to changed the metrics, windows is very annoying with this
04:06 < cmanns> weird
04:06 < cmanns> ok ill have him change it
04:06 < cmanns> mines been changed
04:07 < cmanns> oh we are connected
04:08 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
04:10 < shio> have fun ;)
04:15 < cmanns> thanks
04:18 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 255 seconds]
04:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:24 -!- Sicelo [Sicelo@unaffiliated/sicelo] has left #openvpn []
05:24 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
05:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
05:29 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
05:37 -!- xdcc [~xdcc@webproxy.us.com] has joined #openvpn
05:40 -!- cmanns [~cmanns@75.140.156.85] has quit [Quit: Textual IRC Client: www.textualapp.com]
05:46 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 260 seconds]
05:46 < xdcc> Hi, my openvpn client doesn't have a dafault gateway, only a static route to the openvpn server. When a connection is established, I want the default gateway of the openvpn to be set, but it doesn't work. Is there an official way to accomplish this or do I have to use an up script to set a default gateway afterwards?
05:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
05:55 -!- nox-Hand [~nox-Hand@fu/design/noxie] has joined #openvpn
05:56 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
05:57 < nox-Hand> Hey guys!
05:58 < nox-Hand> I'm fairly new to openvpn, yet wishing to port forward with my openvpn. I'm using Private Internet Access, and the information I could get from them was posted on their support page: 	
05:58 < nox-Hand> goo.gl/qfgIXt
05:59 < nox-Hand> I understand I may have to make a script, but not entirely certain on what I should put where. I'm on FreeBSD (jail on a FreeNAS system) (non-shortened here in case of paranoia: https://www.privateinternetaccess.com/forum/index.php?p=/discussion/180/port-forwarding-without-the-application-advanced-users/p1)
05:59 <@vpnHelper> Title: Port Forwarding Without the Application (Advanced Users) - Privacy Online Forum (at www.privateinternetaccess.com)
06:00 < nox-Hand> Does anyone have a suggestion for where I should read up on what I am trying to do? :)
06:06 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has joined #openvpn
06:07 < tiblock> Hi. My friend tryed to install OpenVPN server on debian6 but he failed. Here is config http://pastebin.com/C7ZysG0Y and what happens is "openvpn server.conf" exits immediately with error code=1, no output at all, empty log, nothing. I dont know what he did before on that server. Where problem can be?
06:08 < tiblock> Oh my. Sorry. Wrong log path.
06:21 -!- mattock_afk is now known as mattock
06:37 -!- ekarlso- [~ekarlso@unaffiliated/zykes] has joined #openvpn
06:38 < ekarlso-> Hi, in easyrsa 3 how can I get the altnames included in the certificate when signing ?
06:38 < ekarlso-> extensions doesn't seem to be included after signing
06:39  * nox-Hand got his issue fixed - have a good one!
06:39 -!- nox-Hand [~nox-Hand@fu/design/noxie] has left #openvpn ["dum deee dummm"]
06:41 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
06:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
06:54 -!- Px12 [~Px12@59.89.48.51] has joined #openvpn
06:56 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
06:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:01 < lewiz> I can't connect to my new openvpn server from Windows 8.  I configured it to listen on tcp and from Windows I can telnet to the port and see messages in /var/log/messages.  But if I click connect via the GUI nothing shows up.  I'm suspecting this could be to do with the TAP driver.  Does anybody have any thoughts/suggestions?
07:08 < xdcc> you have to run openvpn gui as administrator on windows 8
07:14 < lewiz> xdcc: Interesting.  I just manually started it as n administrator but receive the same result
07:18 -!- sh00p [~sh00p@static-213-115-27-219.sme.bredbandsbolaget.se] has joined #openvpn
07:19 < sh00p> Excuse my french, but what is going on with openvpn.net nowadays? It feels like a nest of traps leading you on to some privatetunnel installer file
07:33 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
07:41 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 252 seconds]
07:41 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
07:58 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 252 seconds]
07:59 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 252 seconds]
08:00 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
08:01 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
08:01 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
08:03 <@krzee> sh00p, ya man =/
08:03 <@krzee> the word you want is "community"
08:03 <@krzee> !factoids search web
08:03 <@vpnHelper> "webgui" is (#1) http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback or (#2) http://sourceforge.net/projects/openvpn-status/ also pls let us know if you use that
08:03 <@krzee> hmm
08:04 <@krzee> !factoids search --invalues web
08:04 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
08:04 <@krzee> !factoids search --values web
08:04 <@vpnHelper> 'pfsense', 'webgui', 'nopaste', 'static_key_details', 'git', and 'license'
08:04 <@krzee> !license
08:04 <@vpnHelper> "license" is (#1) OpenVPN 2 is a GPLv2 project and can be distributed, modified, and used under the GPLv2 license. or (#2) Note that any commercial products are under their own EULA; these include AS, Connect, and any services provided by 'OpenVPN Technologies, Inc.' These are not maintained by the open-source community. or (#3) The website is somewhat confusing on purpose to lead you to the non-free
08:04 <@vpnHelper> Access Server stuff. OpenVPN is fully GPL with no fees required for use under that license. If you want to download the GPL openvpn see !download
08:05 -!- g00gz [~Adium@199.244.84.14] has quit [Quit: Leaving.]
08:11 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
08:13 -!- lewiz [~lthompson@195.59.118.200] has quit [Quit: Leaving.]
08:18 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
08:21 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
08:25 -!- CasperVector [~CasperVec@2001:cc0:2020:4019:9e4e:36ff:fec1:d8d4] has joined #openvpn
08:26 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
08:30 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
08:31 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
08:34 < CasperVector> Hello #openvpn, I set up an L2 openvpn on one machine without iptables/arptables/ebtables, and can connect to it on another machine and do dhcp on the vpn interfaces, but cannot ping/traceroute/nmap the gateway obtained from dhcp.  Any idea?  Thank you all :)
08:35 < CasperVector> Ping test on shell: <https://p.6core.net/p/dWETatnB2AwAJOfnLV4pEA4G>.
08:37 <@krzee> why l2 tap?
08:39 <@krzee> because thats what the walkthrough used or because you have a specific l2 protocol you need over the vpn?
08:40 < CasperVector> krzee: I personally found a switch easier to understand than a router.  At least I do not need to set dedicated routing table and firewall config...
08:40 < CasperVector> krzee: Plus, the server is in a subnet with dhcp :)
08:40 < sh00p> !download
08:40 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
08:40 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
08:40 <@krzee> !tunortap
08:41 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
08:41 <@vpnHelper> rooted/jailbroken) support only tun
08:41 <@krzee> !whybridge
08:41 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
08:41 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
08:42 <@krzee> !route
08:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
08:48 < CasperVector> krzee: I did the bridging settings, and suspect it's the culprit somehow, because tinc on the same server can dhcp as well and cannot ping/traceroute/nmap the dhcp'd gateway.  If you are interested, this is the config (with tinc-related things removed): <https://p.6core.net/p/tinGQvZ3YBP29wuiROaNxRbh>.
08:49 < CasperVector> krzee: another vpn server in another subnet can provide dhcp as well as ping-able gateway, so I think there's something wrong with my config...
08:53 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:55 < CasperVector> !welcome
08:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
08:55 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:55 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:55 < CasperVector> !logs
08:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:56 < CasperVector> !topology
08:56 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:56 < CasperVector> !/30
08:56 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
08:58 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
09:02 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:03 -!- OakdaleHutch [~Hutch@c-98-240-156-222.hsd1.mn.comcast.net] has joined #openvpn
09:04 -!- CasperVector [~CasperVec@2001:cc0:2020:4019:9e4e:36ff:fec1:d8d4] has left #openvpn []
09:18 -!- gdoermann [~gdoermann@199.30.184.239] has quit [Quit: Leaving.]
09:23 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
09:42 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
09:47 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
09:47 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
09:49 < jackbrown> hi there is anyone available to help me with the WIFI settings?
09:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
10:04 -!- Achillion [~ach@unaffiliated/achillion] has joined #openvpn
10:04 < Achillion> !welcome
10:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:04 < Achillion> maybe I should query the bot instead
10:04 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:06 -!- thefinn93 [~finn@unaffiliated/thefinn93] has quit [Quit: cya]
10:09 -!- Achillion [~ach@unaffiliated/achillion] has left #openvpn [":wq"]
10:26 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 268 seconds]
10:28 -!- blinky_ [~blinky@blinkydamo.plus.com] has joined #openvpn
10:31 < blinky_> Hi guys.  I have installed openvpn-as-2.0.10.  I have run through the config screen using ovpn-init and am now trying to connect to the web gui, unsuccessfully.  I am running centos on the server that has openvpn and as far as I am aware have opened the firewall for the connection.  All I get is 'No data received'.  Any ideas?
10:32 -!- dazo is now known as dazo_afk
10:33 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has joined #openvpn
10:38 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:40 <@Eugene> !as
10:40 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
10:40 < blinky_> ok cheers
10:40 < blinky_> ok cheers/join #openvpn-as
10:40 -!- blinky_ [~blinky@blinkydamo.plus.com] has left #openvpn ["Leaving"]
10:50 <@ecrist> krzee: you around?
10:54 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
10:54 < _FBi> damn you +r!!! damn you!!!
10:55 <@ecrist> heh
10:55 <@ecrist> keeps ass-hats out
10:57 < _FBi> if you make it ass hat proof, they'll invent a better ass hat
10:57 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
10:58 <@ecrist> http://i.lvme.me/dlfzow1.jpg
10:59 <@ecrist> anyone in here use OpenVPN Connect on iOS with tls-auth?
10:59 < _FBi> https://fbcdn-sphotos-b-a.akamaihd.net/hphotos-ak-xpf1/t31.0-8/p480x480/10483230_10152762196212318_7736093032696912921_o.jpg
11:01 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:02 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has quit [Ping timeout: 245 seconds]
11:06 <@ecrist> heh
11:08 -!- tiblock [~tiblock@23.252.106.118.16clouds.com] has quit []
11:10 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
11:11 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
11:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:17 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 276 seconds]
11:18 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
11:20 < OakdaleHutch> This may be an odd/terrible use case of OpenVPN, but can it be used to *only* secure communication between the client and the OpenVPN server? And use split tunneling so that everything else goes out the client's default gateway? Looking to secure communication with a Windows server and wanted to see if this would work vs. Windows' IPsec implementation.
11:27 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has joined #openvpn
11:28 <@krzee> ecrist, kinda
11:32 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:39 < DArqueBishop> ecrist: I do.
11:39 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Remote host closed the connection]
11:47 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:49 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:53 <@Eugene> OakdaleHutch - at its core openvpn is just an encrypted tunnel. All of the routing(include full-redirection) is just piled on top of that. So, yes!
11:53 <@Eugene> You would just not use the redirect-gateway option
11:53 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Quit: irc panic]
11:55 -!- aPollO2k [znc1@unaffiliated/apollo2k] has joined #openvpn
12:01 -!- aPollO2k [znc1@unaffiliated/apollo2k] has quit [Quit: irc panic]
12:01 -!- aPollO2k [aPollO@unaffiliated/apollo2k] has joined #openvpn
12:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:27 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
12:28 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
12:47 < pekster> ekarlso-: You'd need to use the --subject-alt-name option before your `sign-req` command. See `./easyrsa altname` for details. Note that it goes before the sign-req command, not after
12:47 < pekster> ekarlso-: Sorry, that's `./easyrsa help altname`
12:53 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
12:54 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 272 seconds]
13:13 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:16 -!- stefanoneri [~stefanone@p4FF1604F.dip0.t-ipconnect.de] has joined #openvpn
13:16 < stefanoneri> Good Evening ;)
13:18 < stefanoneri> !welcome
13:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
13:18 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:18 < stefanoneri> !logs
13:18 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:19 < stefanoneri> !configs
13:19 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:24 < stefanoneri> I can connect to my openvpn server over, but i cannot access websites other than google and openvpn.net. How can I reach all websites and redirect the whole interntet traffic through my vpn?
13:24 < stefanoneri> Server.conf: http://pastebin.com/rrMzd8wD
13:25 < stefanoneri> Client.conf: http://pastebin.com/mxS057gc
13:26 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
13:32 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 240 seconds]
13:34 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
13:36 < rooth> Can someone tell me where I can get this Windows-GUI-client -- http://blog.erben.sk/wp-content/uploads/2013/02/openvpn-client1.png ? Was it just shipped with some versions of openvpn or? I tried installing 2.3.4 but just found the "old" Windows GUI client, or what am I not doing ...
13:36 < rooth> ... right? =)
13:40 < Hello71> !access
13:40  * Hello71 grumbles
13:44 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:51 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 260 seconds]
13:52 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
14:05 -!- kaben [~kaben@1F2E905E.catv.pool.telekom.hu] has quit [Quit: Leaving]
14:07 -!- stefanoneri [~stefanone@p4FF1604F.dip0.t-ipconnect.de] has quit []
14:20 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
14:24 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
14:25 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
14:25 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:25 -!- roshi [~root@fedora/roshi] has joined #openvpn
14:26 -!- mattock is now known as mattock_afk
14:27 < roshi> is selinux policy causing "Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)" a known issue?
14:28 < roshi> after update from 2.3.2 on Fedora 21
14:29 < roshi> !welcome
14:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:33 <@ecrist> sorry, I was on the wrong terminal wehn I ctl-c
14:34 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Quit: Online all the time]
14:34 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
15:16 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has joined #openvpn
15:22 -!- getup [~textual@dhcp-077-251-206-162.chello.nl] has joined #openvpn
15:23 -!- roshi [~root@fedora/roshi] has left #openvpn []
15:29 -!- fxhnd [~fxhnd@nothingtoseehere.today] has quit [Quit: WeeChat 0.4.2]
15:37 -!- OakdaleHutch [~Hutch@c-98-240-156-222.hsd1.mn.comcast.net] has quit [Ping timeout: 246 seconds]
15:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:41 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 272 seconds]
15:41 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 272 seconds]
15:41 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
15:43 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Client Quit]
15:49 -!- erratic [erratic@shells.yourstruly.sx] has joined #openvpn
15:50 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
16:16 -!- getup [~textual@dhcp-077-251-206-162.chello.nl] has quit [Read error: Connection reset by peer]
16:31 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 276 seconds]
16:46 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:46 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
16:48 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:48 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
16:52 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:33 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:58 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
18:01 < pekster> rooth: "Connect" is a completely different program that's got no code in common with OpenVPN. See:
18:01 < pekster> !connect
18:01 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
18:01 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
18:02  * pekster really hates how the "Connect" client doesn't even mention that it's Connect, not OpenVPN. Still.
18:03 < rooth> pekster: Thank you again!
18:03 < pekster> np. And yes, it's a common misunderstanding; obviously the company is hoping people try out the licensed server products and end up paying licensing fees to use it
18:07 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has joined #openvpn
18:08 -!- redpill [~redpill@unaffiliated/redpill] has quit [Read error: Connection timed out]
18:09 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:10 -!- mode/#openvpn [+v debbie10t] by ChanServ
18:10 <+debbie10t> rooth:
18:11 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
18:13 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
18:14 -!- stundenull [~wir3d@00000008.ipv6.lennon.mtbnc.us] has quit [Changing host]
18:14 -!- stundenull [~wir3d@unaffiliated/xombie] has joined #openvpn
18:18 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:20 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
18:39 <+debbie10t> ecrist: more spam .. see your PMS
18:56 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:57 < rooth> I would like to offer a bundled Windows-client + user unique .ovpn file for my users. Can this be done from the Linux build environment? Or is there an easier way? Couldn't find much docs about it, or I'm (again) blind. Just found the openvpn-build and wanted to know if that is what ...
18:58 < rooth> ... I'm looking for?
18:59 < pekster> Quite frankly you might want to consider just "wrapping" your own config files and some documentation around the GPL installer. Unless you wanted to go for a full-blown GUI of your own, that allows you to have the user "click through" the openvpn installation, then just key off the registry locations to get the config dirs to drop in your own configs and provide any docs/messages to the user
19:00 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
19:01 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:03 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
19:03 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:06 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has joined #openvpn
19:07 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
19:07 -!- Px12 [~Px12@59.89.48.51] has quit [Ping timeout: 246 seconds]
19:07 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:08 < rooth> pekster: I'm afraid the full-blown is what I wanted to do, no need to do much more than just using the standard GUI but would like to drop in the config in the right locations so the user can just "click connect".
19:09 < pekster> Why would you need your "own" GUI frontend for that?
19:10 < pekster> It would probably take less than 50 lines of NSIS script to give a message to the user to click-through the openvpn installer, launch it if it's not installed (or you deam an upgrade necessary,) wait for it to succeed, drop your .ovpn files in the config dir, and tell the user they're set
19:11 < rooth> http://edoceo.com/creo/openvpn-config-installer <-- Just follow/do something like that you mean or?
19:11 <@vpnHelper> Title: OpenVPN + Config Windows Installer (at edoceo.com)
19:12 < pekster> Something like that, yea
19:12 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
19:12 < pekster> 2.2.2 is a bit dated, but the idea is roughly what I was talking about (having skimmed it for all of 30 seconds)
19:13 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:13 < rooth> pekster: Thank you again! I'll investigate and try, but change to 2.3.4.
19:16 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
19:17 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:21 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 246 seconds]
19:25 -!- mode/#openvpn [-v debbie10t] by ChanServ
19:25 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has left #openvpn []
19:26 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
19:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
19:43 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
20:05 -!- maps|wrk [mark@97e0b9d3.skybroadband.com] has joined #openvpn
20:05 < maps|wrk> hi y'all
20:05 < maps|wrk> can someone lend a hand - ive installed openvpn setup the certs/server key etc but it doesnt seem to be starting service openvpn start and then ps aux shows it isnt running
20:08 < rooth> pekster: Worked well, need to fiddle a bit more on it but this is a good first step got it to install and add the config =)
20:11 -!- maps|wrk [mark@97e0b9d3.skybroadband.com] has quit [Quit: Page closed]
20:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:28 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 240 seconds]
20:34 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 276 seconds]
20:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
20:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:46 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
20:47 < CygniX> so i finally got ipv6 tunneling working, i had to use ip6tables nat
21:23 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 264 seconds]
21:24 < CygniX> and of course, android fails
21:26 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
21:43 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
21:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:35 -!- arescorpio [~arescorpi@57-240-16-190.fibertel.com.ar] has quit [Excess Flood]
22:41 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 252 seconds]
22:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:45 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 252 seconds]
22:45 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
22:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
23:07 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:09 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 268 seconds]
23:10 -!- c0ded [~c0ded@unaffiliated/c0ded] has left #openvpn []
23:10 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:16 -!- u0m3_ [~u0m3@92.80.68.194] has quit [Read error: Connection reset by peer]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:39 -!- ShadniX [dagger@p5481D932.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:40 -!- ShadniX [dagger@p5DDFC883.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Sep 11 2014
00:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
00:03 -!- mattock_afk is now known as mattock
00:27 <@krzee> rooth,
00:27 <@krzee> !win_rollup
00:27 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
01:06 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has quit [Ping timeout: 276 seconds]
01:10 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 240 seconds]
01:45 -!- Px12 [~Px12@117.199.165.8] has joined #openvpn
01:46 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has quit []
01:49 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has joined #openvpn
01:55 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 255 seconds]
02:07 -!- dazo_afk is now known as dazo
02:22 -!- Px12 [~Px12@117.199.165.8] has quit [Ping timeout: 276 seconds]
02:22 -!- xrosnight [~quassel@unaffiliated/xrosnight] has joined #openvpn
02:46 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
02:50 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
03:00 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Quit: Online all the time]
03:01 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
03:03 -!- Px12 [~Px12@117.199.170.248] has joined #openvpn
03:10 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
03:53 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn
04:01 < rooth> krzee: Thank you!
04:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:29 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 245 seconds]
04:41 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 246 seconds]
04:42 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
04:55 -!- hexwax [~ghastly@179.43.148.2] has joined #openvpn
04:55 < hexwax> I've decided to setup my vpn manually.  it's probably for the best.  poking around the filesystem, it looks like /etc/rc.d/rc.local, and /etc/openvpn are where I need to be.  moved my vpn providers ca.crt to the later.  downloaded a preconfigured package of worldwide .ovpn's.  now, where I am a little stuck is where do I need to throw those ovpn's, where do I need to point from and to (the ovpn of my choice, from said list), and then what do
04:55 < hexwax> I need to append to /etc/rc.d/rc.local to make sure openvpn is starting, and pointing where it needs to at startup?
04:57 < hexwax> and also, in the vpn provider's .ovpn's, there is a line in each which reads 'ca ca.rt'.  I moved the ca to the certs folder.  will it automatically read from there?
05:01 < hexwax> I unfortunately need to set this up manually, because my provider's client is not working in the distro I use.
05:06 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
05:10 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
05:16 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 264 seconds]
05:27 -!- Schrostfutz [~who@pptp-194-95-1-83.pptp.padnet.de] has joined #openvpn
05:27 < Schrostfutz> can I configure a OpenVPN server to do the mtu-test only clients who want to do so?
05:28 < Schrostfutz> ah, I missread something, forget what I said
05:42 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
05:44 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
05:44 -!- mode/#openvpn [+o vpnHelper] by ChanServ
05:45 -!- hexwax [~ghastly@179.43.148.2] has quit [Ping timeout: 245 seconds]
05:47 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
05:47 < mapps> hi all - ive installed and setup the ca /client/server files etc but openvpn isnt starting -
05:47 < mapps> wher would it log to? i checked syslog and cant see anything
05:50 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 276 seconds]
05:51 -!- Schrostfutz [~who@pptp-194-95-1-83.pptp.padnet.de] has quit [Quit: Verlassend]
06:04 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
06:06 -!- eneepo [~eneepo@5.238.64.206] has joined #openvpn
06:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Max SendQ exceeded]
06:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
06:10 -!- u0m3 [~u0m3@92.80.68.194] has joined #openvpn
06:12 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
06:23 < kareem-ali> mapps: what os ?
06:24 < mapps> using raspberry pi ..raspbian  basically debian
06:24 < mapps> got it working but trouble connecting now
06:25 < mapps> getting the following - Thu Sep 11 12:23:52 2014 UDPv4 link local: [undef]
06:25 < mapps> Thu Sep 11 12:23:52 2014 UDPv4 link remote: [AF_INET]192.168.0.9:1994
06:25 < mapps> Thu Sep 11 12:24:52 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
06:25 < mapps> Thu Sep 11 12:24:52 2014 TLS Error: TLS handshake failed
06:25 < kareem-ali> is that on the client ?
06:26 < mapps> yea
06:26 < mapps> ive checked client.ovpn and server.conf
06:26 < mapps> and cant see why
06:26 < mapps> could it be iptables rules|
06:26 < kareem-ali> is there a firewall on teh server blocking port 1194
06:26 < mapps> ?
06:26 < kareem-ali> that what I just asked :)
06:26 < mapps> hm
06:26 < mapps> it says it has a firewall..but i added rules for it
06:27 < kareem-ali> did you use -I or -A
06:27 < kareem-ali> there might be a 'reject' or 'drop' at the end
06:28 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
06:28 < mapps> http://paste.debian.net/120386/
06:28 < kareem-ali> 192.168.0.9:1994
06:28 < kareem-ali> why 1994 ?
06:28 < mapps> i did
06:28 < kareem-ali> did you change the port on both files ?
06:28 < kareem-ali> I mean server and clients
06:28 < mapps> iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.9
06:28 < mapps> LOL ive made a typo
06:28 < mapps> omg
06:28 < mapps> is that all it is
06:28 < kareem-ali> could be
06:29 < kareem-ali> and I'd recommend using tcp rather than udp on the connection
06:29 < mapps> why? everywhere i read always uses tcp??
06:29 < kareem-ali> that's what I'm recommending, use TCP
06:30 < mapps> yep
06:30 < mapps> had i typo in client config
06:30 < mapps> omg
06:30 < mapps> so stupid
06:30 < mapps> how did i overlook it
06:31 < kareem-ali> it's usually typos, duplex mismatch, speed mismatch configs, these small things that brings down big ISPs :)
06:32 < mapps> :D
06:42 < mapps> connected
06:42 < mapps> thanks MATE
06:43 < kareem-ali> you welcome
06:43 < kareem-ali> mate!, you in UK ?
06:51 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
06:56 < mapps> yep
06:56 < mapps> :)
06:58 -!- Px12 [~Px12@117.199.170.248] has quit [Remote host closed the connection]
06:59 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
07:02 < kareem-ali> me too :)
07:04 -!- Px12 [~Px12@117.199.170.248] has joined #openvpn
07:06 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
07:06 < mapps> :D
07:09 < mapps> moving country soon:D
07:22 -!- redpill [~redpill@unaffiliated/redpill] has quit [Quit: redpill]
07:27 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
07:30 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
07:46 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
07:48 -!- Latrina [~Latrina@adsl-ull-101-252.45-151.net24.it] has quit [Ping timeout: 276 seconds]
07:49 -!- Latrina [~Latrina@151.56.186.36] has joined #openvpn
08:01 -!- eneepo [~eneepo@5.238.64.206] has quit [Ping timeout: 276 seconds]
08:05 -!- Latrina [~Latrina@151.56.186.36] has quit [Ping timeout: 245 seconds]
08:11 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
08:24 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
08:38 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
08:38 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
08:40 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
08:41 -!- deeville [~deeville@38.117.108.108] has quit [Read error: Connection reset by peer]
08:46 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 276 seconds]
08:57 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Disconnected by services]
08:57 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
09:01 -!- rulezzz [~rulezzz@189-212-141-193.static.axtel.net] has joined #openvpn
09:02 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
09:18 -!- ub1quit33_ [~quassel@99-19-237-151.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
09:27 -!- zeroNones [~textual@187.204.177.50] has joined #openvpn
09:35 -!- provizon [~provizon@209.64.127.194] has joined #openvpn
09:36 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
09:36 < provizon> good morning everyone
09:36 < provizon> what service should i use if i need to paste some logs for you guys?
09:37 < kareem-ali> pastebin
09:37 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
09:38 < provizon> if i need help troubleshooting connection issues, what should i paste? my openvpn.log + server/client configS?
09:39 < kareem-ali> ovpn log
09:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Excess Flood]
09:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
09:42 < provizon> http://pastebin.com/1NsF2Gae
09:42 < provizon> heres some background info:
09:44 < provizon> i have a server at home with 2 NICs, 1 connected to modem, other connected to home lan (192.168.0.0/24). I have 2 laptops at my office network (192.168.1.0/24), we'll call them LT-old and LT-new
09:45 < provizon> I set up openvpn about a year ago and have been connecting to it with no problems with LT-old, I recently aquired LT-new, and gave it the exact same configs, same version of openvpn, but unique certs
09:46 < provizon> the very first time i connected, everything worked as expected, for about 5 minutes.. when i connect to the vpn i lose internet, can't ping vpn host (10.8.0.0/24), nothing...
09:47 -!- eneepo [~eneepo@91.109.23.148] has joined #openvpn
09:48 < kareem-ali> what OS ?
09:52 < provizon> server is running ubuntu server 12.04 and both laptops are running win 8.1
09:52 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:52 -!- sh00p [~sh00p@static-213-115-27-219.sme.bredbandsbolaget.se] has quit [Quit: Leaving]
09:53 < kareem-ali> there's an option to not let internet traffic go over the vpn
09:54 < provizon> but i want all internet traffic to go thru the vpn
09:54 -!- zeroNones [~textual@187.204.177.50] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
09:54 < provizon> when LT-new connects to the vpn, not only can he not access the internet, but he can't access anything at all, including the vpn
09:55 < kareem-ali> the log shows complaints about connections from IPv6
09:55 < provizon> i would like to disable ipv6 completely
09:55 < provizon> in that case
09:55 < kareem-ali> disable it then
09:56 < kareem-ali> but the client log shows comopleted connection
09:56 < provizon> is that server or client side configuration
09:56 < kareem-ali> completed*
09:56 < kareem-ali> client side
09:56 < provizon> right, the client connects to the vpn and it "appears" successful, but i cant reach anything once it is
09:57 < kareem-ali> the weird thing is that the connection is going IPv4, your log shows bad source address of fe80::d12e:1372:5802:efaa
09:57 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
09:57 < kareem-ali> I'd also recommend tcp
09:58 <@Eugene> What the fuck?
09:59 <@Eugene> No. Never TCP.
09:59 <@Eugene> And no, you don't need to worry about IPv6 disabling; that's just stupid.
10:00 < provizon> ok... even though i don't use it, and that wouldnt clear my openvpn log of the tons of bad source from client address?
10:01 <@Eugene> Turn your logging level down or upgrade to a version of openvpn that speaks IPv6
10:01 < kareem-ali> are you always this polite
10:01 -!- kareem-ali was kicked from #openvpn by Eugene [Yes]
10:01 < provizon> ^lol
10:01 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
10:02 < provizon> alright, i'll turn logging down. any suggestions on my connection issues?
10:02 <@Eugene> !config
10:02 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
10:02 <@Eugene> !configs
10:02 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:02 < provizon> http://pastebin.com/1NsF2Gae
10:03 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
10:03 <@Eugene> You're pushing a route for 192.168.0.0/24 over the VPN. That's a terrible idea
10:04 < provizon> but i thought i need it to access the rest of my home LAN
10:04 <@Eugene> My guess? Your laptop is on a Public WiFi that's also using that network, and is confused over how to get out to the rest of the internet
10:04 <@Eugene> So renumber your home LAN
10:04 <@Eugene> !1918
10:04 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
10:04 < provizon> i'm using the laptops at work, which use 192.168.1.0/24
10:04 < provizon> my home uses 192.168.0.0/24
10:04 < provizon> not public wi fi, im at my office
10:05 < provizon> heres some background info:
10:06 < provizon> i have a server at home with 2 NICs, 1 connected to modem, other connected to home lan (192.168.0.0/24). I have 2 laptops at my office network (192.168.1.0/24), we'll call them LT-old and LT-new
10:06 < provizon> <provizon> I set up openvpn about a year ago and have been connecting to it with no problems with LT-old, I recently aquired LT-new, and gave it the exact same configs, same version of openvpn, but unique certs
10:06 <@Eugene> Next step would be to examine your `ip -4 route` info just after a connection is established, and then when it's become broken
10:06 < provizon> on the client?
10:06 <@Eugene> Yes
10:08 < provizon> would you like me to post the routes before and after vpn connection? they appear the same as the other laptop that works
10:08 <@Eugene> Yes.
10:08 <@Eugene> Also of interest would be `iptables-save`
10:08 <@Eugene> Oh, and are both clients connected at the same time?
10:09 < provizon> server side? both of my laptops are win8.1, server is ubuntu server 12.04
10:09 <@Eugene> Ahhhh windows client.
10:09 < provizon> having both clients connected at the same time is the ultimate goal, but i have only been trying 1 at a time since it's not working as expected
10:12 < provizon> http://pastebin.com/k6rEkEYy
10:13 <@Eugene>  And can you still ping 73.183.blah ?
10:14 < provizon> no, i can only ping myself
10:14 <@Eugene> Something's screwy, then. Comment-out redirect-gateway line and start from there - establishing basic connectivity.
10:15 < provizon> i certainly agree on the screwy part, and i appreciate your help as well. i'd buy you a drink if i could
10:15 <@Eugene> I have plenty
10:18 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:18 < provizon> ok, i disabled the 3 push commands from the server.conf and i can now ping the server @ 10.8.0.1
10:19 <@Eugene> Now add back route, dhcp-option, and redirect-gateway, in that order, doing ping-tests as you go.
10:29 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 246 seconds]
10:30 < provizon> everything works fine until i add the redirect-gateway back in
10:30 < provizon> i probably need to examine my firewall settings?
10:31 < provizon> but still, the fact that my other laptop works just fine from the same network kind of makes me think that the firewall is set up properly, but who knows
10:32 <@Eugene> Almost definitely firewall, yup.
10:37 -!- dazo is now known as dazo_afk
10:38 -!- eneepo [~eneepo@91.109.23.148] has quit [Ping timeout: 252 seconds]
10:42 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:56 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
10:56 -!- Megaf [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 255 seconds]
10:59 -!- provizon [~provizon@209.64.127.194] has quit [Ping timeout: 260 seconds]
11:04 -!- provizon [~provizon@209.64.127.194] has joined #openvpn
11:22 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has joined #openvpn
11:22 < evil_andy> Can easy-rsa be used to manage a full-blown CA? (i.e. not just for generating OpenVPN certs)
11:24 <@Eugene> Sure.
11:24 < evil_andy> Ok, I was hoping to do a 'root' CA and then have a signing CA type setup.  I guess I'd use one to create the other?
11:25 <@Eugene> Yup.
11:25 < evil_andy> Awesome
11:25 <@Eugene> !xca
11:25 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
11:25 <@Eugene> I'd recommend a friendlier tool for day-to-day management. Like that one ^
11:25 < evil_andy> I feel bad, I haven't kept up with OpenVPN at all over the past few years
11:25 < pekster> You probably want easy-rsa v3 (currently available as an -rc1)
11:25 < evil_andy> mainly because it's worked perfectly for that long :D
11:26 < pekster> or of course any other certificate manager you want
11:26 < evil_andy> pekster, I've got the git repo tagged at rc2
11:26 < pekster> easyrsa v2 does sub-CA and accepting external requests very poorly
11:26 < evil_andy> sorry, I had it checked out to the v3-rc2 tag
11:27 < evil_andy> so I'm using up-to-date v3. I'll try out both tools! thanks
11:27 < pekster> XCA is a GUI-tool; they all manage a PKI, they just vary in frontend and features
11:27 < pekster> --use-what-works-best
11:27 < evil_andy> Yeah, I got OpenVPN set up (a couple always-on vpns and some on-demand ones) and I've just never had to touch it since, it. just. works. so thanks again
11:28 < evil_andy> Yep. I'll try them both out. the main thing is it's going to be running on an offline USB key, so that may constrain some things, but now I have options
11:35 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:35 -!- mode/#openvpn [+v s7r] by ChanServ
11:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:53 -!- Px12 [~Px12@117.199.170.248] has quit [Remote host closed the connection]
11:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:58 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
12:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
12:27 < shio> thx for the xca link Eugene, was looking for something like this
12:28 -!- ShadniX [dagger@p5DDFC883.dip0.t-ipconnect.de] has quit [Quit: Bye.]
12:29 -!- ShadniX [dagger@p5DDFC883.dip0.t-ipconnect.de] has joined #openvpn
12:40 -!- mete [~mete@91.247.253.160] has joined #openvpn
12:42 < provizon> Eugene: I think I've found something interesting about my problem
12:44 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:52 -!- Megaf_ is now known as Megaf
12:57 < provizon> no i didnt
12:58 < provizon> im freakin stumped, i don't understand how adding the redirect gateway breaks the entire connection
13:02 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
13:04 < alexxtasi> hi everyone, I am trying to create an openvpn nsis installer for windows. Using instructions on wiki and also on openvpn-build README file, I came through an error "POD document had syntax errors at /usr/bin/pod2man line 71."
13:04 < alexxtasi> being almost a newbie (;-)) I cannot find out what to do... any suggestions ??
13:05 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
13:15 < alexxtasi> I am on ubuntu 14.04 and run "sudo apt-get install mingw-w64 man2html dos2unix nsis\ git clone https://github.com/OpenVPN/openvpn-build.git\ cd windows-nsis/ \ ./build-complete" and errors started like "POD document had syntax errors at /usr/bin/pod2man line 71.\ make: *** [install_docs] Error 255\ FATAL: make openssl\ FATAL: build i686 >&2"
13:32 -!- hid3 [~arnoldas@78.157.71.116] has quit [Read error: Connection reset by peer]
14:08 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has quit [Quit: ZNC - http://znc.in]
14:30 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:37 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
14:39 -!- doebi1 [~doebi@doebi.at] has joined #openvpn
14:40 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:40 -!- mode/#openvpn [+o krzee] by ChanServ
14:40 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 252 seconds]
14:40 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 252 seconds]
14:40 -!- Cultist [~CultOfThe@c-98-223-211-32.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
14:40 -!- rulezzz [~rulezzz@189-212-141-193.static.axtel.net] has quit [Ping timeout: 252 seconds]
14:40 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
14:40 -!- mattock is now known as mattock_afk
14:40 -!- phreakocious_ is now known as phreakocious
14:48 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
14:51 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has joined #openvpn
15:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:25 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
15:26 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Client Quit]
15:26 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
15:50 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has joined #openvpn
15:56 -!- diametric [~diametric@2604:3400:dc1:43:216:3eff:fe27:bf9d] has joined #openvpn
15:57 < diametric> Quick question, what user does the auth-user-pass-verify script run as?
15:59 < phreakocious> whatever user the openvpn process runs as
16:01 < diametric> okay cool, just checking. Couldn't find any docs on whether it runs as 'nobody' or something special. Thanks.
16:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
16:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:09 -!- diametric [~diametric@2604:3400:dc1:43:216:3eff:fe27:bf9d] has left #openvpn ["Leaving..."]
16:10 -!- zeroNones [~textual@187.204.177.50] has joined #openvpn
16:13 -!- provizon [~provizon@209.64.127.194] has quit [Remote host closed the connection]
16:29 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
16:37 < alexxtasi> !bug
16:38 < alexxtasi> !help
16:38 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
16:38 < alexxtasi> !built
16:38 < alexxtasi> !build
16:41 < alexxtasi> Hi, I think there is an issue in building openvpn windows-nsis installer using https://github.com/OpenVPN/openvpn-build ... and has to do with openssl build on ubuntu according to https://github.com/openssl/openssl/issues/57
16:41 <@vpnHelper> Title: OpenVPN/openvpn-build · GitHub (at github.com)
16:42 < alexxtasi> I cant find a way to download the patched openssl version in the openvpn-build process or cant find a way to report this possible issue on https://github.com/OpenVPN/openvpn-build
16:42 <@vpnHelper> Title: OpenVPN/openvpn-build · GitHub (at github.com)
16:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
16:42 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has joined #openvpn
16:43 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has left #openvpn []
16:56 < alexxtasi> actually the hole built process that is automated with https://github.com/OpenVPN/openvpn-build for the nsis case, should download and use openssl "Commit 23f5908" https://github.com/openssl/openssl/commit/23f5908ac753b176af2a0690e0ebb53c95ef192b. This is made clear from issue on https://github.com/openssl/openssl/issues/57 but have not test it...
16:56 <@vpnHelper> Title: OpenVPN/openvpn-build · GitHub (at github.com)
17:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:05 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Ping timeout: 276 seconds]
17:16 -!- redpill [~redpill@unaffiliated/redpill] has quit [Read error: Connection timed out]
17:17 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
17:20 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
17:24 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Quit: Leaving.]
17:32 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
17:37 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
17:39 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:39 -!- mode/#openvpn [+o krzee] by ChanServ
17:54 -!- arescorpio [~arescorpi@190.19.140.155] has joined #openvpn
18:05 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
18:11 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
18:17 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
18:29 -!- Megaf is now known as Megaf|Asleep
18:33 -!- _ikke_ [~kevin@2a02:2308::4a1:300:300] has quit [Ping timeout: 272 seconds]
18:35 -!- mutilator [~muti@61.sub-70-194-10.myvzw.com] has joined #openvpn
18:37 < mutilator> hey all, if i have two clients connected to a server w/ a bridge, both clients can talk to addresses on the servers LAN and vice versa but the vpn clients cant talk to each other, what might be the issue?
18:42 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
18:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:43 -!- mode/#openvpn [+o krzee] by ChanServ
18:44 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Read error: Connection reset by peer]
18:57 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
18:58 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:00 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
19:21 -!- Latrina [~Latrina@ppp-205-42.26-151.libero.it] has joined #openvpn
19:30 -!- ghastly_ [~ghastly@198.15.111.170] has joined #openvpn
19:31 < ghastly_> Looking for someone who's well hearsed in openvpn manual configuration.  This involved a paid for VPN service, which does not offer support outside of ubuntu, or use of their application.  Which isn't working on my distro (Slackware 14.1, fully updated).
19:33 <@krzee> !provider
19:33 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
19:34 < ghastly_> It's taken me about 13 hours to just get a connection established to them, and finally got my dns to resolve to their servers upon reboot.  Where I am at now is the security layer. I have looked at other people's configs (for different vpns), and they have their openvpn confs pointing to three things.  a ca.crt (which I do have, was provided by the vpn service), another certificate, and a key.  I don't know how to get openvpn to generate those last two.
19:34 < ghastly_> this is an openvpn question vpnHelper...
19:34 < ghastly_> or rather, krzee
19:34 < ghastly_> this is all on my end, and all relying on openvpn.
19:35 <@krzee> but it all depends on their server config
19:35 < ghastly_> are you referring to the generation of those two things I need?
19:36 <@krzee> they have to give you a working config and the files that go with it
19:37 <@krzee> you dont generate anything, unless they want you to make your own .key and send them a .csr to get signed by their CA and be your .crt
19:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:37 < ghastly_> oh.
19:37 <@krzee> this is why you cant get support here
19:37 <@krzee> its something they must do, we dont know their setup
19:37 <@krzee> alternatively, get their server config
19:37 <@krzee> ;]
19:38 < ghastly_> well then the generation question is out the window.  onto my other.  cipher setup in openvpn.  they support and recommend aes-12/SHA1/RSA-2048
19:38 <@krzee> "and finally got my dns to resolve to their servers upon reboot."   <--- what?
19:39 <@krzee> see --cipher in the manual
19:39 < ghastly_> I'm a noob here krzee, so my use of stringing words together to describe things may not be accurate.
19:39 <@krzee> but without their server config we cant help with that either
19:39 < ghastly_> what I meant with dns is that I kept changing my resolv.conf, but it would get overwritten.  until I changed resolv.conf.head
19:39 <@krzee> seriously, you're in the wrong place. consider a vpn company that offers support
19:40 < ghastly_> are you saying that I am unable to cipher out without their config?
19:40 <@krzee> it must match whats in their config.
19:40 <@krzee> what are you talking about with the resolv.conf though?  if openvpn isnt even connecting to them they cannot change your dns server.
19:40 < ghastly_> it is connecting
19:41 < ghastly_> like I said, I can openvpn bleh.conf and enter my authentications
19:41 < ghastly_> and get an overseas ip.
19:41 <@krzee> oh then what were you talking about making key files for?
19:41 -!- lxb [~lxb@li378-41.members.linode.com] has quit [Quit: leaving]
19:41 < ghastly_> because I don't know what I am talking about
19:41 <@krzee> if you're authed what would the keys do?
19:41 <@krzee> oh
19:41 < ghastly_> :P
19:41 <@krzee> ok lets start over
19:41 <@krzee> !goal
19:41 < ghastly_> I'm only now starting to study information security
19:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:42 < ghastly_> I want a secure connection :)
19:42 <@krzee> to what?
19:42 < ghastly_> another thing is that for some reason openvpn has a [IPv6] flag on startup.  that is also confusing me.
19:42 <@krzee> no, no changing the subject
19:42 < ghastly_> ok lol
19:43 < ghastly_> I want a secure connection to a VPN which I am able to establish connection to.
19:43 < ghastly_> ?
19:43 <@krzee> why!?
19:43 <@krzee> for web browsing?
19:43 < ghastly_> anonymity in a country where surveillance is out of control.
19:43 <@krzee> because it will not make your web browsing more secure (except from you to the vpn server)
19:44 < ghastly_> not just web.  torrenting as well.  I want all traffic tunneled
19:44 <@krzee> all the vpn secures is the connection between you and the vpn
19:44 <@krzee> what you send then leaves the vpn without any added protection, and goes to the internet
19:44 <@krzee> !vpn
19:44 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
19:44 <@krzee> just want to make sure you know what you're getting
19:45 < ghastly_> it is my understanding that connecting to this vpn is tunneling all web traffic
19:45 <@krzee> its probably redirecting all traffic, using redirect-gateway
19:45 < ghastly_> I realize there is tor and so on for even greater anonymity.  I just want to make sure that I am getting the most security from this connection as it stands.
19:45 < ghastly_> I do not have a redirect-gateway in my conf.  Is that server side?
19:46 <@krzee> also use torrent encryption and https, encrypt whats inside the tunnel whenever possible
19:46 <@krzee> it can be server side, can be client side
19:46 <@krzee> because server can push all sorts of options to the client
19:47 <@krzee> and know that the vpn provider themselves can sniff your traffic now
19:47 < ghastly_> I looked at a windows log of their app when it runs.  and all sorts of cipher/encryption connections are made.  I do not see those on my nix box.
19:47 < ghastly_> they do not keep logs.
19:47 <@krzee> (but not the evil person on your same wifi access-point
19:47 <@krzee> nice, what company is it?
19:47 < ghastly_> pia.
19:48 < ghastly_> they ARE based in the us... so I realize what that COULD mean
19:48 < ghastly_> but they explicitly state that they would move all servers overseas if this ever became an issue.
19:48 <@krzee> hehe when it becomes an issue thats not an option
19:49 <@krzee> they dont ask nicely, they issue an NSL
19:49 < ghastly_> gag orders I realize
19:49 <@krzee> when you get an NSL, simply stating you got it is punishable by prison
19:49 <@krzee> 2 options that i know of:
19:49 <@krzee> 1) comply
19:49 <@krzee> 2) kill your company
19:49 < ghastly_> yes.
19:49 <@krzee> i guess 3) prison
19:50 <@krzee> !google lavabit
19:50 <@vpnHelper> Lavabit: <http://lavabit.com/>; Lavabit - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Lavabit>; why I was forced to shut down Lavabit - The Guardian: <http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email>
19:50 < ghastly_> so back to encryption.  would appending cipher <type of cipher> to my config not do anything?
19:50 <@krzee> it would change your cipher, and if the cipher doesnt match what they have it breaks.
19:50 <@krzee> !man
19:50 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:51 <@krzee> see --cipher
19:51 <@krzee> also, if you dont understand crypto, don't change your crypto
19:53 <@krzee> first read up
19:53 <@krzee> not saying you gotta be able to code your own ssl app, but at least knowing what certs are and plenty more should be a requirement
19:53 < ghastly_> if it's as simple as pointing my conf to use ciphers that they support, I don't see how it could hurt anything.
19:53 <@krzee> haha
19:54 < ghastly_> I'm serious.  crypto get pretty complex pretty quickly.
19:54 <@krzee> i bet thats how people end up using ROT32
19:54 <@krzee> "what could it hurt!?"
19:54 < ghastly_> that's simply not the case though.
19:54 < ghastly_> they recommend aes-128/sha1/rsa-2048
19:55 <@krzee> cool
19:55 <@krzee> gthen wtf are you asking>
19:55 < ghastly_> it's simple.  I just need to setup my machine to use those three
19:55 <@krzee> gah nevermind
19:55 <@krzee> !provider
19:55 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
19:55 <@krzee> hah
19:55 < ghastly_> pfft
19:56 < ghastly_> that's a cop out
19:56 < Hello71> if that's what you want to call it
19:57 < ghastly_> yes, I must just not be understanding the relationship between my machine and the servers
19:58 < ghastly_> I know it's not required that anyone in here help me, I was just hoping that someone who has experience in this could help save me many dozens of hours of research and grant me a more secure vpn connection using openvpn in the meanwhile.
19:58 < ghastly_> I don't feel entitled to this.  Coming from a humble place here.
20:20 < ghastly_> well, all that needed to change to add aes-128-cbc was the port
20:20 < ghastly_> so that's up.
20:21 < ghastly_> openvpn says sha1 is the default data auth.  does this mean nothing should have to be changed on my config?
20:37 -!- ghastly_ [~ghastly@198.15.111.170] has quit [Quit: Leaving]
20:53 -!- ub1quit33_ [~quassel@99-19-237-151.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 264 seconds]
21:03 -!- mode/#openvpn [+q *_!*@*] by Eugene
21:04 -!- mode/#openvpn [+q _*!*@*] by Eugene
21:04  * Eugene is a bastard
21:05 <@krzee> haha
21:05 <@krzee> i just used /ignore
21:06 <@krzee> my /ignore list is larger than the /ban list
21:10 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:25 -!- ub1quit33_ [~quassel@99-19-237-151.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
21:40 -!- redpill [~redpill@unaffiliated/redpill] has quit [Quit: redpill]
22:12 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
22:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:48 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
22:56 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
23:01 -!- arescorpio [~arescorpi@190.19.140.155] has quit [Excess Flood]
23:09 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
23:16 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:33 -!- ub1quit33_ [~quassel@99-19-237-151.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 246 seconds]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
23:39 -!- ShadniX [dagger@p5DDFC883.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:39 -!- ShadniX [dagger@p5481D5A1.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
23:43 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Client Quit]
--- Day changed Fri Sep 12 2014
00:35 -!- zeroNones [~textual@187.204.177.50] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:52 -!- xdcc [~xdcc@webproxy.us.com] has quit [Read error: Connection reset by peer]
01:07 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has quit [Ping timeout: 276 seconds]
01:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
01:44 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 268 seconds]
01:48 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
02:08 -!- Px12 [~Px12@59.89.50.190] has joined #openvpn
02:10 -!- Px12 [~Px12@59.89.50.190] has quit [Remote host closed the connection]
02:14 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:22 -!- s7r_b [~s7r@openvpn/user/s7r] has joined #openvpn
02:22 -!- mode/#openvpn [+v s7r_b] by ChanServ
02:22 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
02:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
02:24 -!- Px12 [~Px12@59.89.50.190] has joined #openvpn
02:25 -!- mutilator [~muti@61.sub-70-194-10.myvzw.com] has quit []
02:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:27 -!- Px12 [~Px12@59.89.50.190] has quit [Remote host closed the connection]
02:29 -!- early [~early@192.241.198.49] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
02:32 -!- early [~early@192.241.198.49] has joined #openvpn
02:46 -!- dazo_afk is now known as dazo
03:19 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Read error: Connection reset by peer]
03:31 -!- Px12 [~Px12@117.199.165.249] has joined #openvpn
03:35 -!- Px12 [~Px12@117.199.165.249] has quit [Remote host closed the connection]
04:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:05 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
05:07 -!- s7r_b is now known as s7r
05:07 <@krzee> !script
05:07 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
05:09 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has joined #openvpn
05:10 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
05:15 < funky1> hi everyone, I'm running openvpn as tun
05:15 < funky1> [vpn-client]client onlocal lan1-->router/modem-->internet<--router/modem<--client onlocal lan2[vpn-server and upnp]
05:15 < funky1> from the client I can surf the web over the vpnserver as well access local lan1 and local2, just as I wanted to. only upnp services (from local lan2) are not seen on local lan1 (vpn client). how can I forward multicast broadcasting?
05:19 < funky1> here my server config and iptables rules: http://pastebin.com/UVjy0QF5
05:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 246 seconds]
06:05 -!- Megaf|Asleep is now known as Megaf
06:20 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
06:21 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:31 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 245 seconds]
06:45 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
06:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:03 -!- loa [~nyaaa@188.233.132.195] has joined #openvpn
07:26 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
07:31 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
07:34 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
07:36 -!- ShadniX [dagger@p5481D5A1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
07:38 -!- ShadniX [dagger@p5481D5A1.dip0.t-ipconnect.de] has joined #openvpn
08:30 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
08:31 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
08:40 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
08:56 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
08:59 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:10 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
09:11 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:11 -!- mode/#openvpn [+v s7r] by ChanServ
09:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Client Quit]
09:27 -!- kareem-ali [~kareem@217.138.20.162] has joined #openvpn
09:31 -!- kareem-ali [~kareem@217.138.20.162] has left #openvpn []
09:33 -!- kareem-ali [~kareem@217.138.20.162] has joined #openvpn
09:33 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Remote host closed the connection]
09:45 -!- mattock_afk is now known as mattock
09:48 -!- rulezzz [~rulezzz@189-212-141-193.static.axtel.net] has joined #openvpn
09:59 -!- kareem-ali [~kareem@217.138.20.162] has left #openvpn []
10:06 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:35 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
10:40 -!- g00gz [~Adium@199.244.84.14] has quit [Ping timeout: 260 seconds]
10:43 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
10:47 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has joined #openvpn
10:49 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
10:51 -!- f-zombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
10:54 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 252 seconds]
10:56 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
11:10 -!- KiloJuliet__ [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
11:11 -!- f-zombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 252 seconds]
11:14 < rulezzz> hi if I try to connect to my vpn server where I can find the log for that try
11:15 < rulezzz> I have log openvpn.log, log-append openvpn.log and verb 4 on my .conf
11:16 <@krzee> !logfile
11:16 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
11:20 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 272 seconds]
11:23 -!- dazo is now known as dazo_afk
11:55 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:05 -!- kevin [~keady@wsip-184-183-183-90.dc.dc.cox.net] has joined #openvpn
12:06 < kevin> hey guys. in a client configuration file, how can i change the location of the ifconfig binary that is called when setting up the interface's ip, netmask, etc?
12:12 <@krzee> thats a configure time option i believe
12:13 <@krzee> like when compiling
12:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:16 <@krzee>   --with-ifconfig-path=PATH   Path to ifconfig tool
12:16 <@krzee>   --with-iproute-path=PATH    Path to iproute tool
12:16 <@krzee>   --with-route-path=PATH  Path to route tool
12:17 <@krzee> kevin, ^^
12:18 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:19 < kevin> ah okay
12:19 < kevin> thanks
12:20 <@krzee> np
12:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
12:36 -!- mutilator [~muti@61.sub-70-194-10.myvzw.com] has joined #openvpn
12:37 < mutilator> hey all, same issue as yesterday...
12:37 < mutilator> if i have two clients connected to a server w/ a bridge, both clients can talk to addresses on the servers LAN and vice versa but the vpn clients cant talk to each other, what might be the issue?
12:42 <@krzee> mutilator, tried client-to-client?
12:42 <@krzee> im trying my best to not ask why you're using a bridge, but its not easy
12:44 -!- xdcc [~xdcc@webproxy.us.com] has joined #openvpn
12:45 < mutilator> heh
12:45 -!- Px12 [~Px12@117.199.170.252] has joined #openvpn
12:45 < mutilator> is there something wrong with a bridge
12:48 <@krzee> !whybridge
12:48 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
12:48 <@krzee> !tunortap
12:48 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
12:48 <@vpnHelper> rooted/jailbroken) support only tun
12:50 < mutilator> right so.. if i need it then there is nothing wrong with it
12:51 < mutilator> it's not for security it's to place my pc on the home LAN
12:51 < mutilator> play games with the kids or do whatever
12:51 <@krzee> old games that actually communicate by MAC address?
12:52 <@krzee> most newer stuff should be l3
12:52 < kevin> hmm
12:52 <@krzee> so with less overhead the gaming should be more enjoyable over tun (if it works at all)
12:53 <@krzee> but ya theres plenty of old games that use l2, it is a good reason for a bridge
12:53 <@krzee> did you try client-to-client on the server?
12:54 <@krzee> !c2c
12:54 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
12:54 <@vpnHelper> other clients
12:54 < mutilator> ok
12:54 <@krzee> i dont use bridges but the manual says it works for tap too
12:54 < mutilator> well i assumed it might be some weird forwarding issue
12:54 <@krzee> well it might be, this would hopefully bypass it
12:55 <@krzee> otherwise you need to find whatever system tunable is stopping you
12:55 <@krzee> (if you choose to send the packets to the system)
12:55 <@krzee> this option bypasses the system by keeping the client to client packets within the openvpn server process
12:55 < mutilator> k i'll give it a shot
13:38 < mutilator> thx krzee
13:39 <@krzee> did it work?
13:40 < mutilator> yea
13:40 <@krzee> nice =]
13:40 <@krzee> yw
13:40 < mutilator> was just reading more on it, it seems in bridge mode it's all or nothing
13:40 < mutilator> client-to-client enabled or no routing between clients happen
13:40 <@krzee> !factoids search --values bridge
13:40 <@vpnHelper> 'samba', 'tap', 'bridge-dhcp', 'bridge', 'bridge', 'ebtables', 'bridge-fw', 'bridging', 'whybridge', 'bridge', and 'tap'
13:40 < mutilator> which.. i dunno why but a few places seemed to say that
13:41 <@krzee> !bridge-fw
13:41 <@vpnHelper> "bridge-fw" is "ebtables" is Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables
13:41 <@krzee> but you said you're just gaming with the kids anyways
13:43 -!- naitso [~naitso@adsl-ull-142-133.46-151.net24.it] has joined #openvpn
13:43 < naitso> !welcome
13:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:43 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:44 < naitso> !howto
13:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:44 < naitso> !wiki
13:44 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
13:45 < naitso> !sample
13:45 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:50 < naitso> hi, i don't have problem with openvpn but i am searching if is possible to temporary disable a user certificate without revoking it.
13:51 < naitso> thanks in advance
13:51 <@krzee> see --disable in the manual
13:51 <@krzee> !man
13:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:51 <@krzee> its used in a ccd entry
13:51 <@krzee> !ccd
13:51 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
13:52 -!- larryone [~larryone@89.100.23.131] has joined #openvpn
14:08 -!- naitso [~naitso@adsl-ull-142-133.46-151.net24.it] has quit [Ping timeout: 252 seconds]
14:16 -!- naitso [~naitso@adsl-ull-142-133.46-151.net24.it] has joined #openvpn
14:19 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
14:31 -!- naitso [~naitso@adsl-ull-142-133.46-151.net24.it] has quit [Quit: bye]
14:34 -!- joako [~joako@opensuse/member/joak0] has quit [K-Lined]
14:46 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
14:46 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast]
14:47 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:47 -!- mode/#openvpn [+o krzee] by ChanServ
14:49 < dtrainor> Hi.  Trying to learn more about why my connection drops often.  i can't help but think it's due to inactivity on the link.  I thought 'ping 5' and 'ping-restart 60' would help but that doesn't seem to do it.  openvpn exits silently without logging anything.  trying with verb 5 right now to see if i can find anything fishy.  but my question is, is it ridiculous to use something like 'ping-restart 10' or something?  Is there a better way
14:49 < dtrainor>  to start a connection back up immediately upon failure?  because as of right now, the client just dies.
14:50 < linuxthefish> fish
14:50 < dtrainor> I'm seeing rWWrRWwr etc etc in verb 5, I think that's reading and writing on the wire, and I do see a lot of delays between some reads and writes.... so I'm going to guess that the link is dropped due to inactivity.
14:53 -!- nath_schwarz [~nath_schw@p54A3290C.dip0.t-ipconnect.de] has joined #openvpn
14:55 -!- zeroNones [~textual@187.204.132.107] has joined #openvpn
15:08 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Read error: Connection reset by peer]
15:11 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
15:12 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:12 -!- mode/#openvpn [+o krzee] by ChanServ
15:16 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 246 seconds]
15:22 -!- larryone [~larryone@89.100.23.131] has quit [Quit: This computer has gone to sleep]
15:25 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
15:49 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
16:10 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
16:10 < dtrainor> ah ha, i found it:
16:10 < dtrainor> Fri Sep 12 14:08:14 2014 us=694631 ERROR: could not read Auth username from stdin
16:10 < dtrainor> Fri Sep 12 14:08:14 2014 us=694947 Exiting due to fatal error
16:10 < dtrainor> Well.. it's not supposed to.  I'm using auth-user-pass /etc/openvpn/home-password.txt
16:10 -!- KiloJuliet__ [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Quit: Leaving]
16:11 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
16:11 < dtrainor> So what gives?
16:16 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 268 seconds]
16:17 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
16:17 -!- nath_schwarz [~nath_schw@p54A3290C.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
16:18 -!- nath_schwarz [~nath_schw@p54A32F14.dip0.t-ipconnect.de] has joined #openvpn
16:19 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
16:20 < funky1> is there anyway to make upnp work over internet in openvpn?
16:20 -!- kevin [~keady@wsip-184-183-183-90.dc.dc.cox.net] has quit [Ping timeout: 264 seconds]
16:22 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 255 seconds]
16:23 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
16:27 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has joined #openvpn
16:35 -!- fenris_kcf [~fenris@p549BD19A.dip0.t-ipconnect.de] has joined #openvpn
16:37 < fenris_kcf> hy. i got a working vpn-server running with clients connected to it. i'm trying to host a warcraft-3-lan-game, but the game is not found by the clients. this is not a vpn-issue. winehq suggests to add a default gateway: https://appdb.winehq.org/objectManager.php?sClass=version&iId=3126 . the question: how should i do this for my vpn?
16:37 <@vpnHelper> Title: WineHQ - Warcraft III The Frozen Throne: 1.x (at appdb.winehq.org)
16:37 < fenris_kcf> in the server.conf?
16:40 -!- cyberanger1 [cyberanger@swissknife/adak/infocop411] has joined #openvpn
16:41 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 268 seconds]
16:42 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:42 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
16:42 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
16:43 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
16:43 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Remote host closed the connection]
16:43 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has quit [Ping timeout: 276 seconds]
16:43 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 276 seconds]
16:43 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds]
16:43 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has quit [Ping timeout: 276 seconds]
16:43 -!- cyberanger1 is now known as cyberanger
16:43 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 268 seconds]
16:43 -!- aPollO2k [aPollO@unaffiliated/apollo2k] has quit [Ping timeout: 268 seconds]
16:44 -!- aPollO2k [aPollO@unaffiliated/apollo2k] has joined #openvpn
16:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
16:44 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 268 seconds]
16:44 -!- zamba [marius@flage.org] has quit [Ping timeout: 268 seconds]
16:45 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn
16:45 -!- doebi1 [~doebi@doebi.at] has quit [Ping timeout: 276 seconds]
16:45 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 276 seconds]
16:45 -!- soapee01 [~soapee01@65.36.104.170] has quit [Ping timeout: 276 seconds]
16:45 -!- thumbs [1000@unaffiliated/thumbs] has quit [Remote host closed the connection]
16:45 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Ping timeout: 276 seconds]
16:46 -!- mattock is now known as mattock_afk
16:46 -!- mutilator [~muti@61.sub-70-194-10.myvzw.com] has quit [Ping timeout: 276 seconds]
16:46 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
16:46 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
16:46 -!- Px12 [~Px12@117.199.170.252] has quit [Ping timeout: 245 seconds]
16:47 -!- bluepill [~redpill@unaffiliated/redpill] has joined #openvpn
16:47 -!- bluepill [~redpill@unaffiliated/redpill] has quit [Client Quit]
16:48 -!- zamba [marius@flage.org] has joined #openvpn
16:54 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:59 -!- frank-- is now known as thumbs
17:06 -!- redpill [~redpill@unaffiliated/redpill] has quit [Read error: Connection timed out]
17:07 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
17:08 -!- redpill [~redpill@unaffiliated/redpill] has quit [Max SendQ exceeded]
17:11 -!- doebi1 [~doebi@doebi.at] has joined #openvpn
17:11 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 250 seconds]
17:13 -!- JackWinter [~jack@vodsl-11028.vo.lu] has joined #openvpn
17:14 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
17:15 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:15 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
17:16 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
17:16 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
17:17 -!- andi [~andi@unaffiliated/fr00d] has quit [Disconnected by services]
17:18 -!- Netsplit *.net <-> *.split quits: pekster, kenyon, MogDog, keatont
17:18 -!- MogDog66 is now known as MogDog
17:19 -!- Megaf_ [~Megaf@unaffiliated/megaf] has joined #openvpn
17:21 -!- Netsplit over, joins: kenyon
17:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:22 -!- Chais_ [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
17:22 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
17:22 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:24 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
17:25 -!- Netsplit *.net <-> *.split quits: Brando753, KiNgMaR
17:28 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
17:28 -!- Cybert1nus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
17:28 -!- nath_schwarz [~nath_schw@p54A32F14.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
17:28 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 255 seconds]
17:28 -!- cirkit [dethwish@peanut-butter.net] has quit [Ping timeout: 255 seconds]
17:28 -!- catsup [~d@iad1-vshost12.dreamhost.com] has quit [Ping timeout: 255 seconds]
17:29 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 255 seconds]
17:29 -!- erratic [erratic@shells.yourstruly.sx] has quit [Ping timeout: 255 seconds]
17:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 255 seconds]
17:29 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Ping timeout: 255 seconds]
17:29 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 255 seconds]
17:29 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds]
17:30 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
17:30 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:30 -!- Netsplit *.net <-> *.split quits: sauce
17:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:32 -!- Netsplit *.net <-> *.split quits: Megaf, phreakocious_, Chais, Poster, Cybertinus, cesurasean
17:33 -!- Netsplit *.net <-> *.split quits: pppingme, DrCode, K1rk, ekarlso-, lfx
17:34 -!- mete [~mete@91.247.253.160] has joined #openvpn
17:34 -!- Netsplit over, joins: pppingme
17:34 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
17:35 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:35 -!- mode/#openvpn [+o plai] by ChanServ
17:36 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
17:37 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
17:37 -!- mode/#openvpn [+o krzie] by ChanServ
17:37 -!- soapee01_ [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
17:38 -!- Netsplit *.net <-> *.split quits: @syzzer, soapee01, @dazo_afk, pa, @plaisthos, loa, @krzee, cesurasean1, seba, stundenull,  (+1 more, use /NETSPLIT to show all of them)
17:38 -!- krzie is now known as krzee
17:38 -!- Netsplit over, joins: seba
17:39 -!- u0m3_ [~u0m3@92.80.68.194] has joined #openvpn
17:39 -!- cirkit [dethwish@peanut-butter.net] has joined #openvpn
17:39 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
17:40 -!- shio [~marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
17:40 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:40 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:41 -!- dazo_afk is now known as dazo
17:41 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 246 seconds]
17:41 -!- u0m3 [~u0m3@92.80.68.194] has quit [Ping timeout: 246 seconds]
17:42 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 246 seconds]
17:42 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 246 seconds]
17:42 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 246 seconds]
17:43 -!- zeroNones [~textual@187.204.132.107] has quit [Ping timeout: 246 seconds]
17:44 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
17:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-mdcocslkdypidlcs] has quit [Ping timeout: 246 seconds]
17:44 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
17:45 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:45 -!- mode/#openvpn [+o mattock] by ChanServ
17:45 -!- Cybert1nus is now known as Cybertinus
17:46 -!- kirin` [~kirin`@gateway/shell/anapnea.net/session] has joined #openvpn
17:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
17:46 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:48 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has quit [Ping timeout: 276 seconds]
17:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 276 seconds]
17:48 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Ping timeout: 276 seconds]
17:48 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 276 seconds]
17:48 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 276 seconds]
17:48 -!- doebi1 [~doebi@doebi.at] has quit [Ping timeout: 276 seconds]
17:48 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
17:54 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
17:54 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
17:56 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:57 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
17:59 -!- julienth37 [~Thunderbi@251.200.91.92.rev.sfr.net] has joined #openvpn
17:59 < julienth37> !welcome
17:59 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:59 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:00 < julienth37> !goal
18:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:00 < julienth37> hi all
18:00 < julienth37> i've some question for OpenVPN guru !
18:01 < julienth37> does they are there at this hour ?
18:01 <@Eugene> !ask
18:01 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
18:02 < julienth37> ryokai Eugene !
18:02 -!- Orbixx [~orbixx@2a00:e740:1::1:4037:d534] has joined #openvpn
18:02 -!- Orbixx [~orbixx@2a00:e740:1::1:4037:d534] has quit [Changing host]
18:02 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
18:02 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
18:04 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast]
18:05 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 252 seconds]
18:08 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 252 seconds]
18:08 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 252 seconds]
18:08 -!- julienth37 [~Thunderbi@251.200.91.92.rev.sfr.net] has quit [Read error: Connection reset by peer]
18:10 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
18:10 -!- mete [~mete@91.247.253.160] has joined #openvpn
18:11 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Ping timeout: 260 seconds]
18:11 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
18:14 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
18:14 -!- doebi1 [~doebi@doebi.at] has joined #openvpn
18:14 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
18:14 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Remote host closed the connection]
18:14 -!- mode/#openvpn [+o dazo] by ChanServ
18:16 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 252 seconds]
18:17 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Max SendQ exceeded]
18:20 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 252 seconds]
18:20 -!- _FBi [B@Aircrack-NG/User] has quit [Excess Flood]
18:22 -!- doebi1 is now known as doebi
18:23 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 252 seconds]
18:25 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
18:25 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
18:26 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:26 -!- mode/#openvpn [+o krzee] by ChanServ
18:37 -!- rulezzz [~rulezzz@189-212-141-193.static.axtel.net] has quit [Quit: Leaving]
18:38 -!- nath_schwarz [~nath_schw@p54A32F14.dip0.t-ipconnect.de] has joined #openvpn
18:38 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:38 -!- loa [~nyaaa@188.233.132.195] has joined #openvpn
18:38 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has joined #openvpn
18:38 -!- pekster [~rewt@cl-466.chi-03.us.sixxs.net] has quit [Changing host]
18:38 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
18:38 -!- pekster is now known as 6JTAAFVO1
18:39 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Max SendQ exceeded]
18:40 < cesurasean> is there not a way to use openvpn with a default route of 0.0.0.0?
18:40 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:40 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
18:41 <@Eugene> Sure, don't specify that option
18:41 <@Eugene> !redirect
18:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:41 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:41 <@Eugene> Don't do that ^
18:41 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
18:41 -!- syzzer [~syzzer@2001:610:697::12] has joined #openvpn
18:42 -!- syzzer [~syzzer@2001:610:697::12] has quit [Changing host]
18:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:42 -!- mode/#openvpn [+o syzzer] by ChanServ
18:44 -!- sauce [sauce@unaffiliated/sauce] has joined #openvpn
18:44 -!- sauce [sauce@unaffiliated/sauce] has quit [Max SendQ exceeded]
18:45 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
18:49 -!- fenris_kcf [~fenris@p549BD19A.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
18:52 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:52 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
18:54 -!- 6JTAAFVO1 is now known as pekster
18:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:56 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
18:59 -!- kirin` [~kirin`@gateway/shell/anapnea.net/session] has quit [Changing host]
18:59 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-rkfqesihssmfgwzr] has joined #openvpn
19:03 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 260 seconds]
19:04 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:13 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
19:13 -!- mode/#openvpn [+o krzie] by ChanServ
19:13 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
19:14 < CygniX> it would be nice if the ipv6 subnet range goes beyond /64 and /112
19:15 -!- jefferai_ [sid1300@kde/mitchell] has joined #openvpn
19:15 -!- elfixit2 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
19:16 < CygniX> maybe my configuration is just messed up, on a /64 i could split the subnet into 2 /112, lower for connecting through ipv4 and upper for connecting via ipv6
19:16 < CygniX> on a /112 though, i can't use 2 instances, one ipv4 and ipv6
19:17 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
19:17 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
19:19 < CygniX> is there a special way of setting two instances (ipv4 and ipv6) using the same ivp6 subnet?
19:19 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:20 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:20 -!- arescorpio [~arescorpi@180-56-245-190.fibertel.com.ar] has joined #openvpn
19:21 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 272 seconds]
19:21 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 272 seconds]
19:21 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
19:21 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
19:21 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
19:21 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
19:21 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
19:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
19:21 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 272 seconds]
19:21 -!- keaza [~Keaza@2001:41d0:a:381c::1] has quit [Ping timeout: 272 seconds]
19:21 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 272 seconds]
19:21 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 272 seconds]
19:21 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
19:21 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 272 seconds]
19:21 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
19:21 -!- Exagone313 [~exa@2001:41d0:51:1::cf1] has quit [Ping timeout: 272 seconds]
19:21 -!- krzie is now known as krzee
19:21 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
19:21 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
19:21 -!- mode/#openvpn [+o plaisthos] by ChanServ
19:21 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:21 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
19:21 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
19:22 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
19:22 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
19:23 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
19:23 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:45 -!- Netsplit *.net <-> *.split quits: BladedThesis, seba
19:45 -!- Netsplit over, joins: seba
19:48 -!- Px12 [~Px12@117.199.170.210] has joined #openvpn
19:49 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
19:50 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
19:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
19:55 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
19:55 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Quit: No Ping reply in 180 seconds.]
19:55 -!- elfixit2 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
19:55 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 241 seconds]
19:55 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 241 seconds]
19:55 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 241 seconds]
19:55 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
19:55 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
19:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
19:56 -!- mode/#openvpn [+o krzee] by ChanServ
19:59 -!- Netsplit *.net <-> *.split quits: Brando753
20:00 < cesurasean> Eugene, --redirect-gateway (see !def1) is not working though.
20:00 < cesurasean> I get this error; NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
20:01 <@Eugene> If oyu DONT want 0.0.0.0 stuff then you DONT want that
20:02 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
20:03 < cesurasean> what is the --route-up flag?
20:03 < CygniX> OK i was able to split the 112 into 2 /113 using -route-ipv6
20:03 < cesurasean> dude, my host won't change the 0.0.0.0 default gateway.
20:03 < cesurasean> ive already asked them to, and they won't.
20:03 < cesurasean> so how do i get openvpn to work using this setup? it's impossible?
20:04 < CygniX> cesurasean: which OS?
20:04 < cesurasean> debian wheezy
20:05 < CygniX> cool, what kind of server?
20:05 < CygniX> kvm, openvz?
20:05 < cesurasean> openvz.
20:05 < CygniX> I normally only deal with kvm
20:05 -!- Exagone313_ [~exa@vps.ewd.xyz] has joined #openvpn
20:06 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
20:06 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 268 seconds]
20:07 -!- nath_schwarz [~nath_schw@p54A32F14.dip0.t-ipconnect.de] has quit [Ping timeout: 268 seconds]
20:07 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 268 seconds]
20:07 -!- loa [~nyaaa@188.233.132.195] has quit [Ping timeout: 268 seconds]
20:07 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 268 seconds]
20:07 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Ping timeout: 268 seconds]
20:07 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Excess Flood]
20:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
20:07 -!- redpill [~redpill@unaffiliated/redpill] has quit [Excess Flood]
20:07 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Write error: Broken pipe]
20:07 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
20:07 < CygniX> what makes openvz difficult is lack of access to iptables
20:07 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
20:07 < cesurasean> that's ok. i don't think anyone in this channel is smart enough to get past the error, personally.
20:07 < CygniX> what is the issue cesurasean?
20:08 < cesurasean> seems a bug in openvpn, anyways.
20:08 < cesurasean> I get this error; NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
20:08 < cesurasean> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592088
20:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
20:08 -!- mode/#openvpn [+o syzzer] by ChanServ
20:08 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
20:09 < CygniX>  cesurasean did you add any iptables rule?
20:09 -!- Px12 [~Px12@117.199.170.210] has quit [Ping timeout: 251 seconds]
20:09 < cesurasean> yes.
20:09 < cesurasean> that's not the issue.
20:10 < cesurasean> the issue is my host has setup a 0.0.0.0 default gateway.
20:10 < cesurasean> and openvpn doesn't know how to detect it.
20:11 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
20:11 < CygniX> cesurasean: you have something like "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to yourip" ?
20:11 < cesurasean> yep.
20:11 < cesurasean> that's not the issue.
20:12 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
20:12 < cesurasean> when i first connect openvpn it throws that error.
20:12 -!- jeev [~j@107.170.196.88] has joined #openvpn
20:12 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
20:12 < CygniX> cesurasean: why not upgrade your openvpn?
20:13 < cesurasean> will that fix the issue?
20:13 < CygniX> well, this is an old bug
20:13 < CygniX> you are running which version 2.?
20:14 -!- jeev [~j@107.170.196.88] has quit [Changing host]
20:14 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
20:16 < cesurasean> 2.2.1
20:16 < CygniX> upgrade
20:17 < Hello71> !2.x
20:17 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
20:17 < CygniX> cesurasean: do you know how to use debian backport?
20:18 < cesurasean> not really, no.
20:19 < CygniX> append to the file /etc/apt/sources.list the following:
20:19 < CygniX> deb http://http.debian.net/debian/ wheezy-backports main contrib non-free
20:19 < CygniX> deb-src http://http.debian.net/debian/ wheezy-backports main contrib non-free
20:20 < cesurasean> ueaj o gpt tjat [art/
20:20 < cesurasean> yeah i got that part.
20:20 < cesurasean> how do i install the openvpn different version though? :)
20:20 -!- Netsplit *.net <-> *.split quits: lewiz, @syzzer, MacGyver, troyt, jefferai_
20:20 < CygniX> the run 'apt-get update && apt-get -t wheezy-backports install openvpn'
20:21 < cesurasean> got it.
20:21 < cesurasean> cool.
20:21 < cesurasean> hopefully this works.
20:22 < cesurasean> still same error.
20:22 < cesurasean> but
20:22 < CygniX> did you restart openvpn
20:22 < cesurasean> i havent updated the client yet.
20:23 < cesurasean> having some distro issues when upgrading on the client. so need the web host to fix it.
20:25 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
20:26 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
20:28 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
20:28 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
20:29 -!- pppingme is now known as pppingme-test
20:31 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
20:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 276 seconds]
20:32 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 276 seconds]
20:32 -!- doebi [~doebi@doebi.at] has quit [Ping timeout: 276 seconds]
20:32 -!- arescorpio [~arescorpi@180-56-245-190.fibertel.com.ar] has quit [Ping timeout: 276 seconds]
20:32 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 276 seconds]
20:32 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 276 seconds]
20:38 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
20:59 -!- mgorbach [~mgorbach@108.20.78.135] has joined #openvpn
21:29 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
21:30 -!- arescorpio [~arescorpi@180-56-245-190.fibertel.com.ar] has joined #openvpn
21:56 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
21:56 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:07 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:33 -!- pppingme-test [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
23:18 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
23:36 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:36 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
23:38 -!- ShadniX [dagger@p5481D5A1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:41 -!- ShadniX [dagger@p5794185C.dip0.t-ipconnect.de] has joined #openvpn
23:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
--- Day changed Sat Sep 13 2014
00:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:14 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:25 -!- arescorpio [~arescorpi@180-56-245-190.fibertel.com.ar] has quit [Excess Flood]
00:32 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds]
00:46 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has joined #openvpn
01:14 -!- Brutser [~Roger@d51A48718.access.telenet.be] has joined #openvpn
01:18 < Brutser> I have a test setup for openvpn in vmware but i need some help with it
01:19 < Brutser> Two boxes: Windows 2008 R2 and CentOS 6.5
01:19 < Brutser> Two Eth on both: NAT on 192.168.64.0/24 and VNet2 on 10.22.22.0/24
01:19 < Brutser> I setup default OpenVPN on CentOS listening on 10.22.22.1
01:20 < Brutser> Now I need to tell CentOS server to route from the 10.22.22.0/24 to the 192.168.64.0/24
01:21 < Brutser> The last is not working, as the Windows server not can get to the NAT
01:21 < Brutser> On the server config, this is the only config I made:
01:21 < Brutser> push "route 192.168.64.0 255.255.255.0"
01:21 < Brutser> push "redirect-gateway def1 bypass-dhcp"
01:21 < Brutser> push "dhcp-option DNS 8.8.8.8"
01:21 < Brutser> push "dhcp-option DNS 8.8.4.4"
01:22 < Brutser> iptables is stopped for the moment
01:22 < Brutser> if anyone can help me, it will be appreciated!
01:26 < Brutser> First thing I notice is that I cannot ping 10.8.0.1 which is the tun IP for the server
01:34 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
02:04 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
02:04 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
02:12 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
02:21 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has quit [Remote host closed the connection]
02:24 -!- Px12 [~Px12@117.207.128.149] has joined #openvpn
02:40 -!- Px12 [~Px12@117.207.128.149] has quit [Read error: Connection reset by peer]
03:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:03 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 246 seconds]
03:05 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:11 -!- Px12 [~Px12@117.199.172.185] has joined #openvpn
03:15 -!- Netsplit *.net <-> *.split quits: jeev, @vpnHelper
03:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
03:16 -!- Netsplit over, joins: jeev
03:18 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
03:18 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:21 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
03:22 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
03:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
03:24 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 252 seconds]
03:24 -!- Px12 [~Px12@117.199.172.185] has quit [Ping timeout: 252 seconds]
03:29 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 240 seconds]
03:30 -!- aszeszo [~aszeszo@mgmt01.bytemark.everycity.co.uk] has joined #openvpn
03:34 < Brutser> anyone have time to help me with openvpn setup in vmware, it is simple test setup, i want to get this working
03:35 < Brutser> please pm me
03:36 -!- Px12 [~Px12@117.199.172.185] has joined #openvpn
03:37 <@krzee> Brutser, thats not really how getting help on irc works
03:37 <@krzee> !ask
03:37 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
03:37 < Brutser> I have a test setup for openvpn in vmware but i need some help with it
03:37 <@krzee> see one of the links for how to get help on irc
03:37 < Brutser> Two boxes: Windows 2008 R2 and CentOS 6.5
03:37 < Brutser> Two Eth on both: NAT on 192.168.64.0/24 and VNet2 on 10.22.22.0/24
03:37 < Brutser> I setup default OpenVPN on CentOS listening on 10.22.22.1
03:37 < Brutser> Now I need to tell CentOS server to route from the 10.22.22.0/24 to the 192.168.64.0/24
03:37 < Brutser> The last is not working, as the Windows server not can get to the NAT
03:37 < Brutser> On the server config, this is the only config I made:
03:37 < Brutser> push "route 192.168.64.0 255.255.255.0"
03:38 <@krzee> !goal
03:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:38 < Brutser> push "redirect-gateway def1 bypass-dhcp"
03:38 < Brutser> push "dhcp-option DNS 8.8.8.8"
03:38 < Brutser> push "dhcp-option DNS 8.8.4.4"
03:38 -!- clyons [~kvirc@host86-184-244-32.range86-184.btcentralplus.com] has joined #openvpn
03:38 < Brutser> if anyone can help me, it will be appreciated!
03:38 < Brutser> First thing I notice is that I cannot ping 10.8.0.1 which is the tun IP for the server
03:38 < Brutser> So it is some config and iptables problem I am sure
03:38 < Brutser> and routing
03:38 <@krzee> Brutser, are you pasting all that?
03:39 < Brutser> i type really fast :)
03:39 <@krzee> riiiight
03:39 <@krzee> !goal
03:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:40 < Brutser> goal: i want my test setup in vmware, where box 1 connects thru openvpn to box 2 and use the internet of box 2
03:42 < Brutser> box 1 have nat and vnet2 (10.22.22.0/24)
03:42 < Brutser> runs Centos 6.5
03:42 < Brutser> box 2 have only vnet2 (10.22.22.0/24)
03:42 < Brutser> runs windows os
03:42 < Brutser> and is client
03:43 < Brutser> nat network runs on 192.168.64.0/24
03:43 < Brutser> and openvpn server listen on 10.22.22.1 (box 1)
03:44 <@krzee> why are they on the same subnet?
03:44 <@krzee> !1918
03:44 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
03:44 <@krzee> its a big spec...
03:44 <@krzee> !randomsubnet
03:44 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
03:45 < Brutser> vmware just put NAT by default on 192.168.64.0
03:45 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
03:45 < Brutser> and vnet2 i just configured on 10.22.22.0 because box 2 must be able to reach box 1
03:47 < Brutser> the vpn box is local, so i cannot use any external ip
03:47 < Brutser> i use the 10.22.22.0 as internal network
03:48 <@krzee> you're doing the vpn from 1 vm to another on the same box?
03:49 < Brutser> yes
03:52 < aszeszo> hi all, i did set set up couple of openvpn links between two machines over separate wan links, all without pushing any routes around (want to do it manually afterwards), each link has got its own /29 network and endpoint IPs are pingable, etc.
03:52 < aszeszo> rp_filter=0, ip_forward=1 however, I don't seem to be able to push traffic with IPs other than from /29 network via the tunnels
03:53 < aszeszo> is there a setting which controls that?
04:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 268 seconds]
04:21 -!- Px12 [~Px12@117.199.172.185] has quit [Ping timeout: 260 seconds]
04:23 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
04:23 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Read error: Connection reset by peer]
05:01 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
05:22 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Read error: Connection timed out]
05:24 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
05:36 -!- shio [~marmot@203.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
05:37 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
05:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:13 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 268 seconds]
06:14 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
06:37 -!- aszeszo [~aszeszo@mgmt01.bytemark.everycity.co.uk] has left #openvpn []
06:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:08 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 250 seconds]
07:28 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
07:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:33 -!- mode/#openvpn [+v s7r] by ChanServ
07:59 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
08:15 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 246 seconds]
08:17 -!- zeroNones [~textual@187.204.132.228] has joined #openvpn
08:18 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
08:20 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
08:30 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
08:34 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
08:47 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
08:48 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
08:51 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
08:55 -!- Netsplit *.net <-> *.split quits: someone, Samopotamus, early, tapout, Fiouz, Haigha, havoc, TonyL, Gman32, @Eugene,  (+1 more, use /NETSPLIT to show all of them)
08:55 -!- Netsplit over, joins: Eugene
08:55 -!- Netsplit over, joins: Samopotamus, Hello71
08:55 -!- Netsplit *.net <-> *.split quits: mgorbach, Brutser, K1rk, Cybertinus, elfixit
08:55 -!- Netsplit over, joins: Fiouz
08:55 -!- Netsplit over, joins: elfixit
08:56 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:56 -!- Netsplit over, joins: Gman32
08:56 -!- Netsplit *.net <-> *.split quits: arkie, clu5ter
08:56 -!- Netsplit over, joins: Haigha
08:57 -!- Netsplit over, joins: TonyL, Cybertinus
08:57 -!- Netsplit over, joins: havoc, K1rk
08:58 -!- Netsplit over, joins: clu5ter
08:58 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 272 seconds]
09:00 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:02 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
09:03 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
09:05 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
09:26 -!- Netsplit *.net <-> *.split quits: roger_rabbit, clyons, cesurasean, zeroNones
09:29 -!- doebi [~doebi@doebi.at] has joined #openvpn
09:31 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
09:33 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
09:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:43 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
09:44 -!- redpill [~redpill@unaffiliated/redpill] has quit [Quit: redpill]
09:44 -!- mattock is now known as mattock_afk
09:45 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:01 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
10:31 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
10:46 -!- Px12 [~Px12@117.207.130.119] has joined #openvpn
10:56 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
10:57 -!- Megaf [~Megaf@unaffiliated/megaf] has joined #openvpn
10:57 -!- Megaf_ [~Megaf@unaffiliated/megaf] has quit [Ping timeout: 240 seconds]
11:00 -!- Istalantar [~Istalanta@46.128.28.224.dynamic.cablesurf.de] has joined #openvpn
11:01 < Istalantar> !welcome
11:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:01 < Istalantar> !goal
11:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:02 < Istalantar> !howto
11:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
11:07 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
11:23 < Eugene> Megaf - it's the _.. I'm a bastard and arbitrarily decided that people too lazy to fix their client to auto-re-nick
11:25 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:26 < Eugene> are lazy gits and don't need to talk
11:26 < Eugene> So far you're the first to complain. ;-)
11:26 -!- mode/#openvpn [+o Eugene] by ChanServ
11:26 -!- arlion_ [~root@108-215-117-231.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
11:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:54 -!- Istalantar [~Istalanta@46.128.28.224.dynamic.cablesurf.de] has left #openvpn ["Leaving"]
11:57 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
11:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:10 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:17 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
12:29 -!- arlion_ [~root@108-215-117-231.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 252 seconds]
12:30 -!- early [~early@192.241.198.49] has joined #openvpn
12:41 <@Eugene> Megaf - no PMs, please
12:41 < Megaf> Hello?
12:42 <@Eugene> Yes, we can hear you.....
12:43 < Megaf> FInally... So, it's not my clients fault if freenode get lots of DDoS and nickserv go crazy...
12:43 <@Eugene> No, it's your fault for not setting your client's Alternate Nickfield to something that isn't MyNick_.
12:44 <@Eugene> Similarly anything involving |away
12:45 <@Eugene> And before you even start, no, I don't really care what you have to say on the issue. If you were a fellow channel op in here I'd defer on it, but you aren't, so this ain't a debate.
12:45 < Megaf> Whats the problem in using Nick_ as alternative?
12:46 < Megaf> Eugene: so go and ban mattock_afk, Exagone313_, ifdm_, pekster_, nsrafk and other
12:46 <@Eugene> They are. ;-)
12:47 < nsrafk> ?
12:47 < Megaf> others*
12:47 < Megaf> for fecks sake. I'm out of here
12:47 <@Eugene> Bye!
12:47 < nsrafk> why u highlight me
12:47 <@Eugene> Because he's a petulant lil whiner. Carry on.
12:47 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:48 -!- Megaf [~Megaf@unaffiliated/megaf] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
12:50 < nsrafk> thought i did smth wrong cos ban was in same line lol
12:51 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has joined #openvpn
12:52 < funky1> hi there, so in order to be able to use upnp on two seperate local lan's connected over internet i need to use bridged openvpn, right?
12:53 <@Eugene> Yes, because UPNP is a horrible mix of Layer2 and Layer3 protocols.
12:53 <@Eugene> We recommend against bridging whenever possible because it clubs baby seals to death with an old lady
12:53 < funky1> lol
12:54 < funky1> ok thank you Eugene is there an alternative to get upnp working over internet?
12:54 <@Eugene> Generally speaking, "don't use upnp"
12:55 < funky1> hm i kinda need it for media shareing with transcoding on the fly for xbmc user client
12:55 < funky1> and would i be able to run 2 openvpn servers on one machine, one with bridging and one with tunneling?
12:55 <@Eugene> Yup. Pick which one you want more: baby seals or media sharing.
12:55 < funky1> rofl
12:55 <@Eugene> Though unless its completelyi nsane xbmc should have a way to connect to a hostname
12:56 < funky1> there are other ways to add sources, smb, nfs, http, but none of them except upnp source offers transcoding on the fly
12:57  * Eugene shrugs
12:57 <@Eugene> Then bridge away. But beware: it will suck.
12:57 < funky1> in what way, unstable connection, high cpu or what are the biggest 3 annoyances?
12:58 <@Eugene> Layer2 stuff expects to be run over a LAN, meaning high-bandwidth and sub-ms response times
12:58 <@Eugene> Bridging this across a WAN link means low-bandwidth and dozens-of-ms
12:58 <@Eugene> Hilarity ensues
12:59 < funky1> i c the point
12:59 < funky1> well thank you for the information Eugene :-)
12:59 <@Eugene> It works OK if you've got one or two clients on the far side from most of the network, but if you're doing big transfers or have lots of clients on either end.... yeah.
13:00 <@Eugene> Rather than doing a full bridge you could just bridge the single media-serving machine's tap0 interface over to the other network. Then the only thing that will break will be your media transcoding ;-)
13:00 < funky1> good idea
13:01 < funky1> i'll play around with it and see how it goes, ty
13:05 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:07 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
13:11 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:33 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: leaving]
13:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:37 < CygniX> the multiple instance wiki if it can even be called that needs improvement
13:44 <@Eugene> It's a wiki. edit away.
13:44 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
13:56 -!- Exagone313_ [~exa@vps.ewd.xyz] has left #openvpn []
13:56 <@Eugene> Exagone313_ - no PMs please; if you read up a bit you'll see that I instituted a +q against *_!*@*. This matches you. Fix it. ;-)
13:57 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
13:57 < Exagone313> .
13:58 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
14:01 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 272 seconds]
14:04 -!- ashpokemonmaster [~arlion@108-215-117-231.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
14:04 < ashpokemonmaster> !welcome
14:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:04 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:05 < ashpokemonmaster> Good afternoon. Would someone be able to point me in the direction of getting into the openvpn 3.0 beta.
14:05 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has joined #openvpn
14:05 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 272 seconds]
14:05 < ashpokemonmaster> I explored the avialable git repositories but only found 2.3 avial there.
14:06 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
14:16 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Quit: see ya!]
14:17 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
14:26 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
14:28 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
14:29 -!- Wolfbutt is now known as Jeroen52
14:39 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:40 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 245 seconds]
14:42 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:42 -!- mode/#openvpn [+o mattock] by ChanServ
14:47 -!- dubwoc [~meh@pool-71-190-138-124.nycmny.fios.verizon.net] has joined #openvpn
14:48 -!- brycefisherfleig [~chatzilla@204-195-74-59.wavecable.com] has joined #openvpn
14:49 < dubwoc> I am running openvpn in docker. When I run services in my docker instance without openvpn running I can connect to them from other systems on my local network (e.g. apache in a docker instance is connectable from my laptop on the same LAN). However, when I start openvpn in the docker instance I can no longer access apache from my laptop, the only way I can access it is from the host system and reference
14:49 < dubwoc> "localhost" the IP of the host machine like 192.168.2.3 does not route. I assume this has something to do with how openvpn is setting up routes but it is unclear where I should poke around. Any information here would be greatly appreciated
14:52 < brycefisherfleig> !goal
14:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:52 < brycefisherfleig> !welcome
14:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:52 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:53 < brycefisherfleig> !redirect
14:53 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:53 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:01 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
15:05 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:12 < brycefisherfleig> !pushdns
15:12 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
15:14 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has joined #openvpn
15:31 -!- Chais_ [~Chais@chello062178229110.15.15.vie.surfer.at] has left #openvpn []
15:32 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
15:34 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Client Quit]
15:34 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
15:34 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Client Quit]
15:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:38 < Chais> test
15:38 < Chais> ok. no idea why I was banned...
15:43 -!- Brutser [~Roger@d51A48718.access.telenet.be] has joined #openvpn
15:43 < Brutser> i want my test setup in vmware, where box 1 connects thru openvpn to box 2 and use the internet of box 2
15:44 < Brutser> vmware put NAT by default on 192.168.64.0 for box 1 (centos with openvpn server)
15:44 < Brutser> on box 2 have windows with vpn client
15:44 < Brutser> have vnet2 on 10.22.22.0/24
15:44 < Brutser> this is how boxes communicate
15:45 < Brutser> i need to get this working, the connection is made, but the routing and iptables give problem most likely
15:45 < Brutser> can anyone try help me?
15:51 < ashpokemonmaster> Do you have the push route for internet access?
15:51 < ashpokemonmaster> on the server.conf file
15:51 < Brutser> yes, you mean:
15:51 < Brutser>  push "route 192.168.64.0 255.255.255.0"
15:51 < Brutser>  push "redirect-gateway def1 bypass-dhcp"
15:52 < Brutser> ?
15:53 < ashpokemonmaster> thats it
15:53 < ashpokemonmaster> do you have the proper nat and firewall rules in place on the server?
15:53 < ashpokemonmaster> iptables -nvL
15:53 < ashpokemonmaster> and
15:53 < ashpokemonmaster> iptables -nvL -t nat
15:53 < ashpokemonmaster> is how to check
15:53 < Brutser> moment
15:57 -!- Pyrogerg [~Gregory@dpc6744115111.direcpc.com] has quit [Read error: Connection reset by peer]
15:57 < ashpokemonmaster> Use the command 'iptables-save' and copy that to pastebin.
15:58 < Brutser> it seems there is no iptables set yet
15:58 < ashpokemonmaster> You will need to add two rules
15:58 < ashpokemonmaster> One is a nat rule
15:59 < ashpokemonmaster> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
15:59 < ashpokemonmaster> replace 10.8.0.0 with the local subnet given by your server.conf
15:59 < ashpokemonmaster> the second is a firewall rule
15:59 < Brutser> that allow the udp traffic?
15:59 < ashpokemonmaster> iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
16:00 < ashpokemonmaster> no, this rule will
16:00 < ashpokemonmaster> iptables -I INPUT -p udp --dport 1194 -j ACCEPT
16:00 < ashpokemonmaster> replace 1194 with your port
16:00 < ashpokemonmaster> last
16:00 < ashpokemonmaster> service iptables save
16:01 < ashpokemonmaster> to save your new fw rules
16:01 < Brutser> ok, let me add those rules and upload iptables to pastebin to see if all good
16:06 < Brutser> http://pastie.org/private/xesqoxsumy8bopehngribw
16:08 < ashpokemonmaster> I noticed that you copied my rules exactly. Were those the correct configuration for your setup?
16:09 < Brutser> yes it is default test setup in vmware
16:09 < Brutser> no modification from default
16:09 < ashpokemonmaster> Alright, go ahead and test
16:09 < Brutser> do i need : net.ipv4.ip_forward = 1 ?
16:09 < ashpokemonmaster> yes, of course.
16:09 < Brutser> in sysctl
16:09 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
16:10 < Brutser> give some errors:
16:10 < Brutser> error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
16:10 < Brutser> i can disable those lines?
16:11 < ashpokemonmaster> Test lab, not production. Yes.
16:11 < ashpokemonmaster> that line is for ipv6 bridges
16:11 < Brutser> ok ;)
16:13 < Brutser> handshake failed
16:13 < Brutser> time synch issue?
16:14 < ashpokemonmaster> would  you please post the log file to pastbin
16:15 < Brutser> http://pastie.org/private/73ye5hj39z7igqguaaeqjw
16:16 < ashpokemonmaster> on the centos box.
16:16 < ashpokemonmaster> do
16:16 < ashpokemonmaster> service openvpn status
16:17 < Brutser> written to /var/log/messages
16:17 < Brutser> need pastie?
16:17 < ashpokemonmaster> yes, go ahead and writ ethe last 500 lines there
16:17 < ashpokemonmaster> tail -n 500 /var/log/messages
16:18 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Quit: Updating details, brb]
16:18 < Brutser> http://pastie.org/private/pgaqhqshgydtxkxig4sa6g
16:19 < ashpokemonmaster> So, Before I tell you whats wrong. What do you think is wrong?
16:20 < ashpokemonmaster> Based on everything you have seen.
16:20 < Brutser> moment
16:21 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:22 < Brutser> i was thinking about certificate really, but not sure
16:22 < Brutser> self signed certificate in chain, verify error
16:23 < Brutser> i guess it's something silly
16:23 < ashpokemonmaster> Why do you think its a certificate error?
16:23 < Brutser> handshake failed..
16:24 < ashpokemonmaster> Actually, that means it wasn't able to negiotate with the server
16:24 < ashpokemonmaster> further, in your var/log/messages
16:24 < ashpokemonmaster> nothing was written
16:24 < ashpokemonmaster> I don't think your openvpn service is running
16:25 < Brutser> ok then it must shut down
16:25 < Brutser> because it started OK
16:25 < Brutser> service openvpn start
16:25 < Brutser> Starting openvpn:                                          [  OK  ]
16:26 < Brutser> http://pastie.org/private/xi6xyutv8uw8ljm1unrrdw
16:27 < Brutser> end of the log file openvpn.log
16:27 < ashpokemonmaster> Please post your server.conf and your client configuration
16:28 < Brutser> sorry!
16:29 < Brutser> i left old ovpn in config
16:29 < Brutser> i had other folder open, i thought that was the config folder :/
16:29 < Brutser> so i was right lol, it was the certs
16:29 < Brutser> connecting now, let's test the connection
16:30 < Brutser> 10.8.0.6 is windows box
16:30 < Brutser> should i be able to ping 10.8.0.1?
16:30 < ashpokemonmaster> uhh
16:30 < ashpokemonmaster> yes
16:30 < ashpokemonmaster> but
16:30 < ashpokemonmaster> you need to more your windows box off the subnet
16:31 < ashpokemonmaster> You have a routing issue with 10.8.06 and 10.8.0.1 on the same subnet
16:31 < Brutser> but 10.8.0.6 is tun interface on the windows i mean
16:32 < ashpokemonmaster> alright
16:32 < ashpokemonmaster> yes, you should be able to ping 10.8.0.1
16:32 < Brutser> windows box have one nic on 10.22.22.10
16:32 < Brutser> centos two nic, 1. 10.22.22.1 2. 192.168.64.120 (nat network)
16:33 < Brutser> ok, i cannot ping 10.8.0.1 from windows
16:33 < Brutser> this is where i was stuck last time
16:34 < Brutser> server say: Sat Sep 13 07:07:23 2014 client1/10.22.22.10:64197 MULTI: primary virtual IP for client1/10.22.22.10:64197: 10.8.0.6
16:34 < Brutser> so the dhcp give the ip to client
16:35 < Brutser> and of course:
16:35 < Brutser> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
16:35 < Brutser>           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
16:36 < Brutser> hhmm, but i also cannot ping 10.22.22.1, i think iptables prevent it?
16:38 < ashpokemonmaster> You don't have routes set to allow you to 10.22.22.0/24
16:39 < ashpokemonmaster> You will need an aditional push route
16:39 < Brutser> ah the way back you mean?
16:39 < ashpokemonmaster> iptables is set to ACCEPT, you should be able to ping 10.8.0.1
16:39 -!- moonkid_ [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:39 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:39 < ashpokemonmaster> "way bck"?
16:39 < Brutser> what would be syntax?
16:40 < ashpokemonmaster> post your server.conf and client configuraitons please
16:40 < Brutser> ok moment
16:41 < Brutser> server.conf: http://pastie.org/private/9uwjoke3vfpensmh0ahgsq
16:42 < ashpokemonmaster> local
16:42 < ashpokemonmaster> 10.22.22.1
16:42 < Brutser> client: http://pastie.org/private/lnvvvwahhv5xwgx4luevow
16:43 < ashpokemonmaster> so your push route needs to refrlect that
16:43 < ashpokemonmaster> wooo
16:43 < ashpokemonmaster> dude
16:43 < ashpokemonmaster> client config you need to specifiy your ca, crt and key files
16:43 < Brutser> yes
16:43 < ashpokemonmaster> put actual names in there
16:44 < Brutser> well you can also copy the keys into there
16:44 < Brutser> i just removed them to be more clean view, keys not interesting
16:44 < ashpokemonmaster> keys are very intreasting
16:44 < ashpokemonmaster> and they are all self signed right?
16:44 < Brutser> yes wrong word choice
16:44 < Brutser> yea
16:44 < Brutser> this is ok, i just copy the content of the key and pasted it into the client config
16:45 < Brutser> it's same as if i put link to the key
16:45 -!- Netsplit *.net <-> *.split quits: moonkid, Hello71
16:45 < ashpokemonmaster> server 10.8.0.0 255.255.255.0
16:45 < ashpokemonmaster> disregard last message, im thinking
16:46 < ashpokemonmaster> okay
16:46 < ashpokemonmaster> then get rid of all the stuff in carrorts
16:46 < Brutser> yes, so the tun interface works on 10.8.0.0 then the vpn connects on the 10.22.22.0 network and needs to be rerouted to the 192.168.64.0 for internet
16:46 < Brutser> probably wrong word choices again, but this is how i see it
16:46 < ashpokemonmaster> push "route 192.168.64.0 255.255.255.0"
16:46 < ashpokemonmaster> add this line
16:46 < ashpokemonmaster> push "route 192.168.8.0 255.255.255.0"
16:47 < ashpokemonmaster> oops
16:47 < ashpokemonmaster> push "route 10.8.0.0 255.255.255.0"
16:48 < ashpokemonmaster> push "route 10.22.22.0 255.255.255.0"
16:48 < ashpokemonmaster> add that as well
16:49 < ashpokemonmaster> you also don;'t see your
16:49 < ashpokemonmaster> "push "redirect-gateway def1 bypass-dhcp" line
16:51 < Brutser> ok done, i can still not ping
16:51 < Brutser> i think some iptables is blocking now
16:51 < ashpokemonmaster> you will need to disconnect and reconnect
16:51 < Brutser> yes i did
16:51 < ashpokemonmaster> if you think iptables is blocking it
16:51 < Brutser> i agree we needed those lines you wrote
16:52 < Brutser> i can disable iptables, but we need some rules dont we?
16:52 < ashpokemonmaster> iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
16:53 < Brutser> no, still cannot ping :S
16:53 < Brutser> show you iptables again?
16:54 < Brutser> because i cannot even ping 10.22.22.1 and that is where i connect to!
16:54 < Brutser> if i disable iptables, i can ping 10.22.22.1 no problem
16:55 < Brutser> oh wait, i can ping 10.22.22.1
16:55 < Brutser> even with iptables on
16:55 < Brutser> only after i connect openvpn, no more ping
16:59 < ashpokemonmaster> So, you connect with the openvpn and you are no longer able to ping?
16:59 < Brutser> yes
17:00 < ashpokemonmaster> There is an issue
17:01 < ashpokemonmaster> That means you have routes to the other device before openvpn
17:02 < Brutser> like through the vmware network?
17:02 < ashpokemonmaster> yes
17:02 < Brutser> let me check
17:03 < Brutser> yes you are right
17:03 < Brutser> windows was use vnet8 which also use NAT, so it can go with the NAT
17:03 < Brutser> i move to vnet2 now
17:03 < Brutser> and can ping
17:04 < Brutser> 10.8.0.0
17:04 < Brutser> and 10.22.22.0
17:04 < Brutser> except cannot ping outside yet
17:04 < Brutser> i can ping 192.168.64.129
17:05 < Brutser> which is ip of the centos NAT
17:05 < Brutser> probably gateway problem?
17:10 < ashpokemonmaster> can you ping 8.8.8.8
17:12 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
17:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
17:14 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Excess Flood]
17:14 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
17:14 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
17:14 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:14 < Brutser> no, it say: Reply from 192.168.64.128L Destination host unreachable
17:16 < ashpokemonmaster> Your gateway is saying that it doesn't know how to route the packet
17:17 < ashpokemonmaster> needs a way to get there.
17:17 < Brutser> ok but ping 8.8. from server works
17:17 < Brutser> so server knows how to get there
17:19 < ashpokemonmaster> oh
17:19 < ashpokemonmaster> 8.8.8.8
17:19 < ashpokemonmaster> works?
17:19 < ashpokemonmaster> DNS problem
17:20 < Brutser> from the server
17:20 < Brutser> not from the client
17:20 < ashpokemonmaster> oh i see
17:20 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has joined #openvpn
17:21 < Brutser> client know how to get to server , know how to route from 10.8. to 10.22 to 192.168.64
17:21 < Brutser> but then it does not know the gateway for 192.168 network
17:21 < Brutser> i guess?
17:21 < ashpokemonmaster> and you hate that nat rule in place?
17:21 < Brutser> well i not hate it yet
17:22 < Brutser> :)
17:22 < Brutser> remind me which you mean?
17:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:22 < ashpokemonmaster> enat rule on the centos server
17:23 < Brutser> ip forward?
17:23 < ashpokemonmaster> ip forward has to enabled
17:23 < ashpokemonmaster> but there also has to be a nat rule on the nat cahin
17:23 < Brutser> sysctl -p
17:23 < Brutser> net.ipv4.ip_forward = 1
17:24 < ashpokemonmaster> yes
17:24 < ashpokemonmaster> but also
17:24 < ashpokemonmaster> iptables -t nat -nvL
17:24 < ashpokemonmaster> run that command
17:24 -!- havoc [~havoc@neptune.chaillet.net] has quit [Disconnected by services]
17:25 < Brutser> http://pastie.org/private/dkjxwgirolfbqej9p9to5q
17:25 < Brutser> we need also for 192. network?
17:25 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
17:25 < ashpokemonmaster> yes, lets try that
17:25 < Brutser> say me so i dont make mistake pls
17:26 < Brutser> iptables -t nat -A POSTROUTING -s 192.168.64.0/24 -o eth0 -j MASQUERADE
17:26 < Brutser> like this?
17:26 < Brutser> on eth1 then?
17:26 < ashpokemonmaster> yes
17:26 < ashpokemonmaster> eth0
17:26 < Brutser> ok
17:27 -!- Netsplit *.net <-> *.split quits: redpill, +s7r, dvl, K1rk, DrCode, goldkatze, Left_Turn, mgorbach
17:28 < Brutser> same
17:28 < Brutser> say: Reply from 192.168.64.128L Destination host unreachable
17:29 -!- Netsplit over, joins: Left_Turn
17:29 -!- Netsplit over, joins: mgorbach
17:30 -!- Netsplit over, joins: K1rk
17:30 < Brutser> 0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
17:30 < Brutser>     1   108 MASQUERADE  all  --  *      eth0    192.168.64.0/24      0.0.0.0/0
17:30 < Brutser> have both active now
17:33 < Brutser> now i get: PING:  transmit failed. General failure.
17:35 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
17:39 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:39 -!- mode/#openvpn [+v s7r] by ChanServ
17:43 -!- ashpokemonmaster [~arlion@108-215-117-231.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 250 seconds]
17:45 -!- goldkatze_ [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
17:53 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 246 seconds]
17:53 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Ping timeout: 246 seconds]
17:53 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
17:54 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 246 seconds]
17:55 -!- Px12 [~Px12@117.207.130.119] has quit [Ping timeout: 250 seconds]
18:05 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 250 seconds]
18:08 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
18:12 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
18:23 -!- brycefisherfleig [~chatzilla@204-195-74-59.wavecable.com] has quit [Ping timeout: 272 seconds]
18:30 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:35 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
18:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:51 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
18:52 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
19:29 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
19:29 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
20:00 -!- moonkid_ [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid_]
20:06 < funky1> hi there the ios openvpn client, does it support only 1 profile? can i somehow store several vpn profiles on it and click to connect on the selected?
20:07 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Quit: I'm using a Free IRC Bouncer from BNC4FREE - http://bnc4free.com/]
20:11 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
20:14 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
20:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:22 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
20:29 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
20:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Client Quit]
21:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:25 < cirkit> yes, funky1 - it supports multiple profiles
21:41 -!- square-r00t [~bts@g.rainwreck.com] has joined #openvpn
21:42 < square-r00t> howdy, all! i have a question. so i have  great setup on a dedicated routerbox with shorewall, etc.
21:42 < square-r00t> now, i push certain routes to my clients
21:43 < square-r00t> i'd like to specify that only certain VLAN's in my local physical network use those pushed routes from the router's ...err, routing table, and everything else should use the default route (0.0.0.0/0) for those destination IPs
21:43 < square-r00t> that'd be done via a masquerade for the restricted VLANs, right?
21:51 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
22:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
22:28 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:29 -!- Px12 [~Px12@117.207.130.119] has joined #openvpn
22:38 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
23:37 -!- ShadniX [dagger@p5794185C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:38 -!- ShadniX [dagger@p5DDFEFBE.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- n6 [NumberSix@unaffiliated/n6] has joined #openvpn
23:48 < n6> i'm getting an error when i try to connect pastebin.com/wvryh116 using same ca.crt on both server and client followed http://wyliebayes.com/openbsd-5-5-and-openvpn-with-easyrsa3/ any ideas google inst helping
--- Day changed Sun Sep 14 2014
00:01 -!- Px12 [~Px12@117.207.130.119] has quit [Read error: Connection reset by peer]
00:20 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
00:21 -!- pie__ [~pie_@unaffiliated/pie-/x-0787662] has left #openvpn []
00:33 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
00:33 < Daemoen> lo all
00:57 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:27 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Read error: Connection reset by peer]
01:27 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
01:28 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
02:24 -!- Px12 [~Px12@117.220.86.129] has joined #openvpn
02:35 -!- xrosnight [~quassel@unaffiliated/xrosnight] has joined #openvpn
02:41 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
02:45 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
02:53 < cesurasean> can someone tell me why im getting this error with openvpn now? i upgraded, and now its disconnecting me when openvpn connects, and can't reconnect to server. - http://pastebin.com/r9QM3Wm1
03:03 -!- Px12 [~Px12@117.220.86.129] has quit [Ping timeout: 272 seconds]
03:05 < cesurasean> anyone around?
03:06 < cesurasean> krzee, you here bud?
03:23 -!- Px12 [~Px12@117.207.132.148] has joined #openvpn
03:26 -!- mozar [~jos@77-172-213-212.ip.telfort.nl] has joined #openvpn
03:27 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
03:28 < mozar> Hi, I'm setting up OpenVPN and I was wondering how important the KEY_COUNTRY, KEY_PROVINCE etc location details are
03:28 < mozar> it probably doesn't really matter if i put a bunch of bogus information there right?
03:29 < mozar> is the email address at KEY_EMAIL ever used for anything?
03:43 < Brutser> hi, when i ping from client box to internet, ping give transmit failed. general failure. what can be the reason?
03:44 < Brutser> i can ping the vpn, the external network and the gateway to internet
03:44 < Brutser> but i cannot ping external ips
03:50 < Brutser> mozar: this is all information for the certificates as far as i know, you can put any detail you want
03:50 < Brutser> but it give information to the client who connect, so for a company you can put relevant information there
03:51 < Brutser> to identify the server for the client
03:51 < mozar> thanks
03:52 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 260 seconds]
03:54 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has joined #openvpn
04:04 < Brutser> the problem is that client can ping the gateway, but probably does not know it is the gateway
04:04 < Brutser> i tried: push route "10.8.0.0 255.255.255.0 192.168.64.2 1"
04:04 < Brutser> but does not work
04:04 < Brutser> i must be missing something..
04:06 < mozar> i'm only starting out with openvpn so i can't help you with your issue, sorry
04:07 < Brutser> no problem, sunday morning, not many people here, but maybe i find myself :)
04:14 -!- Px12 [~Px12@117.207.132.148] has quit [Ping timeout: 245 seconds]
04:17 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:53 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 246 seconds]
05:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:18 -!- Envil [~meep@95.211.26.40] has joined #openvpn
05:26 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 245 seconds]
05:27 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
05:36 < cesurasean> can someone tell me why im getting this error with openvpn now? i upgraded, and now its disconnecting me when openvpn connects, and can't reconnect to server. - http://pastebin.com/r9QM3Wm1
05:52 < funky1> cirkit: thx, i'm adding the *.ovpn profile by emailing them to my ipad, but everytime i want to add a new profile, the old profile is gone, i also sshed into my ipad to look for the *.ovpn file but it is not stored anywhere on the filesystem, how and where to add it? or how to add mutiple profiles, installed version is openvpn 1.0.4 build 140 ios 32 bit, is that the rgith one?
05:59 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
06:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:01 -!- Px12 [~Px12@117.199.163.200] has joined #openvpn
07:07 -!- Px12 [~Px12@117.199.163.200] has quit [Ping timeout: 272 seconds]
07:19 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
07:30 -!- Px12 [~Px12@117.199.171.242] has joined #openvpn
07:46 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
07:51 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Max SendQ exceeded]
07:52 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
08:00 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
08:18 -!- JackWinter [~jack@vodsl-11028.vo.lu] has quit [Ping timeout: 240 seconds]
08:18 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
08:19 -!- shio [marmot@203.188.103.84.rev.sfr.net] has joined #openvpn
08:36 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
08:44 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 272 seconds]
08:46 -!- Px12 [~Px12@117.199.171.242] has quit [Remote host closed the connection]
08:52 -!- Px12 [~Px12@117.199.173.5] has joined #openvpn
09:27 -!- zeroNones [~textual@187.204.184.235] has joined #openvpn
09:55 -!- zeroNones [~textual@187.204.184.235] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:18 -!- f-zombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
10:21 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
10:21 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
10:22 -!- MagiC3PO [IRC@unaffiliated/magiobiwan] has joined #openvpn
10:24 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 246 seconds]
10:24 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 246 seconds]
10:24 -!- st5ve [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
10:24 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Ping timeout: 246 seconds]
10:24 -!- MagiC3PO is now known as Magiobiwan
10:25 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
10:38 -!- Netsplit *.net <-> *.split quits: redpill
10:38 -!- Netsplit *.net <-> *.split quits: joako, K1rk, +s7r, DrCode
10:39 -!- Px12 [~Px12@117.199.173.5] has quit [Read error: Connection reset by peer]
10:39 -!- Netsplit over, joins: K1rk
10:40 -!- Netsplit over, joins: redpill
10:43 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:45 -!- Px12 [~Px12@117.199.173.5] has joined #openvpn
10:50 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
10:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:08 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:39 -!- f-zombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Quit: Leaving]
11:39 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has joined #openvpn
11:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:42 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has joined #openvpn
11:45 < alexxtasi> hi all , I am trying to build openvpn so I can make my own installer (coping the .conf file)... but following the instructions I get "POD document had syntax errors at /usr/bin/pod2man line 71. \ make: *** [install_docs] Error 255 \ FATAL: make openssl \ FATAL: build i686 >&2"
11:50 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
11:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:58 < Brutser> Got this problem already this morning, was talking with Mike about it, but he had to leave: I just have a test setup with a centos box as vpn gateway and a windows client. all clean installed. windows client after connecting can reach the vpn network 10.8.0.0/24 the internal network 10.22.22.0/24 and the NAT network (that provide the internet) 192.168.64.0/24
11:58 < Brutser> But windows client cannot reach outside
11:59 < Brutser> I must be overlooking something, but Mike also was puzzled that it did not work yet :/
11:59 < Brutser> it's a VMware setup, so just one NAT and one VNet2 network
11:59 < Brutser> really frustrating me, if anyone got time, please pm
12:12 -!- Synced [Valcorb@unaffiliated/synced] has joined #openvpn
12:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:18 < Envil> @Brutser: does the client have the necessary route added? (default over the NAT gw)
12:18 < Brutser> Envil: I am not very good with that, but Mike really tried a lot of options and yes we added routes on client, i pasted him many outputs of route print
12:19 < Envil> And what routes did you end up with on the client?
12:19 < Brutser> moment i will pastebin
12:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
12:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:45 -!- mozar [~jos@77-172-213-212.ip.telfort.nl] has quit [Remote host closed the connection]
13:35 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:44 -!- d3lphi [~d3lphi@unaffiliated/d3lphi] has joined #openvpn
13:45 < d3lphi> hi all. I am facing following issue: client is Win7 SP1 and user is a normal "domain user" with no special admin rights. The user logged-in has normal user rights. After he successfully connects to OpenVPN server, the "route" commands fail because it seems he has no rightsto add routes to the system.
13:45 < d3lphi> How the hell should I solve that? any help appreciated
13:49 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Quit: Bye!]
13:50 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
14:09 -!- mattock is now known as mattock_afk
14:33 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
14:35 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
14:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:37 -!- mode/#openvpn [+v s7r] by ChanServ
14:44 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
14:49 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
14:59 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
15:06 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
15:07 < Eugene> Run openvpn as a Service rather than launching the gui directly
15:07 < Eugene> You can build a GPO which will allow domain users to stop/start Services
15:10 -!- Chex [sss@kjax.northnook.ca] has joined #openvpn
15:14 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
15:14 < scyld> nru-pl
15:14 < scyld> sorry ;)
15:21 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
15:27 -!- Px12 [~Px12@117.199.173.5] has quit [Ping timeout: 260 seconds]
15:31 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 250 seconds]
15:39 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Ping timeout: 272 seconds]
15:42 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
15:42 -!- mode/#openvpn [+o plaisthos] by ChanServ
15:43 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:51 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
15:53 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:53 -!- fzombie [~gplgeek@pdpc/supporter/student/GPLGeek] has quit [Disconnected by services]
15:55 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
15:57 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
15:57 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:01 -!- gffa_ [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:02 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
16:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:05 -!- jangerho [~jangerho@0587377554.wireless.umich.net] has joined #openvpn
16:15 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
16:21 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
16:26 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:36 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
16:38 -!- jeraldv [~jerald@fsf/member/jeraldv] has joined #openvpn
16:47 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
16:52 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
16:52 < ayaka> if I have use the mtu-test, then I don't need to set fragment?
17:19 -!- alexxtasi [~alex@unaffiliated/alexxtasi] has quit [Quit: Leaving.]
17:22 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
17:49 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
17:49 < DonRichie> Quick question: Is a tun or tap device needed as client?
17:51 < ayaka> yep
17:51 < ayaka> also in windows, then you use the tun, you need tap driver
17:51 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:52 < DonRichie> thx ayaka
18:13 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
18:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:29 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has joined #openvpn
18:33 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
18:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:36 -!- arescorpio [~arescorpi@180-56-245-190.fibertel.com.ar] has joined #openvpn
18:38 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 258 seconds]
18:39 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 272 seconds]
18:43 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
19:03 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
19:04 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
19:05 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
19:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:05 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:06 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
19:06 -!- mode/#openvpn [+o krzie] by ChanServ
19:08 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
19:08 -!- troyt_ [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
19:10 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
19:10 -!- cyberanger1 [cyberanger@swissknife/adak/infocop411] has joined #openvpn
19:13 -!- Netsplit *.net <-> *.split quits: arescorpio, D-Boy, catsup, cyberanger, moonkid, erratic, mgorbach, d3lphi, Magiobiwan, Pandemic_Force
19:13 -!- Netsplit *.net <-> *.split quits: APTX, troyt, @krzee, Jeroen52, BladedThesis, DrCode, n6, ayaka, jeraldv, seba,  (+3 more, use /NETSPLIT to show all of them)
19:13 -!- cyberanger1 is now known as cyberanger
19:13 -!- krzie is now known as krzee
19:14 -!- Netsplit over, joins: D-Boy
19:14 -!- Netsplit over, joins: Magiobiwan
19:16 -!- Netsplit over, joins: seba
19:18 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has joined #openvpn
19:18 -!- cirkit [dethwish@peanut-butter.net] has left #openvpn []
19:18 -!- cirkit [dethwish@peanut-butter.net] has joined #openvpn
19:18 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
19:18 -!- n6 [NumberSix@unaffiliated/n6] has joined #openvpn
19:19 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
19:35 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Read error: Connection reset by peer]
19:36 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:36 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:36 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
19:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Excess Flood]
19:37 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
19:37 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
19:37 -!- mode/#openvpn [+o vpnHelper] by ChanServ
19:37 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
20:25 -!- zeroNones [~textual@187.192.245.107] has joined #openvpn
20:28 -!- raspberrypifan [~raspberry@186.42.152.149] has joined #openvpn
20:32 -!- zeroNones [~textual@187.192.245.107] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:33 -!- zeroNones [~textual@187.192.245.107] has joined #openvpn
21:16 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
21:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:31 -!- raspberrypifan [~raspberry@186.42.152.149] has quit []
21:48 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
21:49 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
21:49 -!- mode/#openvpn [+o krzee] by ChanServ
22:02 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
23:37 -!- ShadniX [dagger@p5DDFEFBE.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:38 -!- ShadniX [dagger@p5481C68F.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- raspberrypifan [~raspberry@186.42.152.149] has joined #openvpn
23:47 -!- raspberrypifan [~raspberry@186.42.152.149] has quit []
23:52 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 258 seconds]
23:53 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
--- Day changed Mon Sep 15 2014
00:26 -!- jangerho [~jangerho@0587377554.wireless.umich.net] has quit [Quit: Leaving...]
00:46 -!- fischli [~fischli@data.fischer-ing.de] has joined #openvpn
01:21 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:24 -!- fischli [~fischli@data.fischer-ing.de] has quit [Ping timeout: 258 seconds]
01:25 -!- fischli [~fischli@data.fischer-ing.de] has joined #openvpn
01:25 -!- fischli [~fischli@data.fischer-ing.de] has left #openvpn []
01:44 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
02:01 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:03 -!- u0m3 [~u0m3@92.80.106.41] has joined #openvpn
02:05 -!- u0m3_ [~u0m3@92.80.68.194] has quit [Ping timeout: 240 seconds]
02:19 -!- d3lphi [~d3lphi@unaffiliated/d3lphi] has joined #openvpn
02:23 -!- mattock_afk is now known as mattock
02:28 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
02:36 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
02:40 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
02:54 -!- zeroNones [~textual@187.192.245.107] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:59 -!- jeraldv [~jerald@fsf/member/jeraldv] has joined #openvpn
02:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:59 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
02:59 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
02:59 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Max SendQ exceeded]
02:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Max SendQ exceeded]
03:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:00 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
03:01 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
03:01 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
03:05 -!- u0m3 [~u0m3@92.80.106.41] has quit [Ping timeout: 258 seconds]
03:12 < Brutser> anyone experience with setup openvpn on vmware boxes and promiscuous mode for vmware networking? the last is needed if you want vpn server as a internet gateway, else the packets won't be accepted.
04:25 -!- edakiri [~edakiri@unaffiliated/edakiri] has joined #openvpn
04:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:00 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
05:10 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 260 seconds]
05:10 -!- w0jtas [~Adium@host8925152170.ppcom.3s.pl] has joined #openvpn
05:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
05:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:26 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 272 seconds]
05:29 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
05:38 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
05:47 -!- tachibana [~fghhfg@133.sub-174-240-1.myvzw.com] has joined #openvpn
06:44 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 260 seconds]
07:04 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
07:04 -!- mode/#openvpn [+o dazo] by ChanServ
07:04 <@dazo> vel
07:04 <@dazo> duh .. wrong window
07:21 -!- lewiz [~lthompson@195.59.118.200] has quit [Ping timeout: 250 seconds]
07:25 -!- lewiz [~lthompson@195.59.118.200] has joined #openvpn
07:25 -!- lewiz [~lthompson@195.59.118.200] has left #openvpn []
07:35 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
08:13 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:20 -!- Irssi: #openvpn: Total of 153 nicks [6 ops, 0 halfops, 2 voices, 145 normal]
08:20 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
08:23 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
08:34 -!- agentbob [anonymoose@unaffiliated/agentbob] has left #openvpn []
08:34 -!- jangerho [~jangerho@0587377554.wireless.umich.net] has joined #openvpn
08:43 -!- dvl_ [~dvl@pdpc/supporter/active/dvl] has left #openvpn []
08:44 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
08:46 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 250 seconds]
08:54 -!- zeroNones [~textual@187.204.176.23] has joined #openvpn
09:01 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
09:10 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Read error: Connection reset by peer]
09:16 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
09:18 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Read error: Connection reset by peer]
09:18 -!- Zimsky-- [~alice@unaffiliated/zimsky] has joined #openvpn
09:22 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:26 -!- Zimsky-- [~alice@unaffiliated/zimsky] has quit [Quit: por que no los dos]
09:28 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
09:32 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Client Quit]
09:34 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
09:36 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
09:39 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
09:41 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
09:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
09:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:56 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:58 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
10:00 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
10:01 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
10:02 -!- w0jtas [~Adium@host8925152170.ppcom.3s.pl] has quit [Ping timeout: 255 seconds]
10:17 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
10:28 -!- zeroNones [~textual@187.204.176.23] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
10:37 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
10:49 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:01 -!- Brutser [~Roger@d51A48718.access.telenet.be] has quit []
11:07 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:10 -!- mode/#openvpn [+v s7r] by ChanServ
11:10 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
11:15 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
11:16 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:19 -!- Synced [Valcorb@unaffiliated/synced] has quit [Ping timeout: 260 seconds]
11:20 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 250 seconds]
11:21 -!- needspeed [~needspeed@HSI-KBW-046-005-002-104.hsi8.kabel-badenwuerttemberg.de] has joined #openvpn
11:33 -!- funky1 [~funky@ip51cf100e.direct-adsl.nl] has quit [Remote host closed the connection]
11:40 -!- Envil [~meep@95.211.26.40] has joined #openvpn
11:48 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
11:57 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:59 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:08 -!- jangerho [~jangerho@0587377554.wireless.umich.net] has quit [Ping timeout: 272 seconds]
12:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:14 -!- DF3D2 [~x@unaffiliated/df3d2] has joined #openvpn
12:15 < DF3D2> !paste
12:15 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
12:16 < DF3D2> getting this error: http://fpaste.org/133712/41080137/
12:17 < DF3D2> http://fpaste.org/133713/01433141
12:17 < DF3D2> is my config
12:29 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
12:36 < square-r00t> DF3D2: that cnfig doesn't seem to match up. that's /etc/openvpn/pulsar-vpn.conf correct? try a systemctl daemon-reload perhaps
12:36 <@dazo> DF3D2: Your error is straight in your face
12:36 <@dazo> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/pulsar-vpn.conf:2: pp.txt (2.3.4)
12:37 < square-r00t> and then a systemctl restart openvpn@pulsar-vpn
12:37 < square-r00t> though do note it's considered poor form to have a hyphen in systemd sub-units
12:37 < DF3D2> dazo, I'm not even sure what that means
12:37 < DF3D2> pp.txt, my line doesn't even look like that
12:37 <@dazo> DF3D2: that's interpreted as line 2 in pulsar-vpn.conf
12:38 <@dazo> maybe a corrupt config file?  Or having some odd characters?
12:38 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
12:38 < square-r00t> dazo: but check the config he pasted (second link), line 2 has nothing like that
12:38 < DF3D2> mine says ipp.txt
12:38 <@dazo> square-r00t: I see that
12:38 < DF3D2> not pp.txt ?
12:38 <@dazo> (ensure there's a line feed at the end of each line)
12:38 < DF3D2> how do I do that?
12:39 < square-r00t> DF3D2: try my suggestions above. and rename the config to something without a hyphen as well
12:39 <@dazo> that could be as well
12:39 < DF3D2> square-r00t, okay I'm just following a guide for arch linux :-P
12:39 < square-r00t> DF3D2: i'm running mine on arch. :)
12:40 <@dazo> also ensure there's no other config file mess in /etc/openvpn
12:40 < DF3D2> there are no others
12:40 < square-r00t> remember to leave off the .conf as well. example from my system:
12:40 < square-r00t> [bts@workhorse openvpn]$ pwd;ls
12:40 < square-r00t> /etc/openvpn
12:40 < square-r00t> certs  dev-vm.conf  dev-vm.log  foxyproxy.conf  grainwreck.conf  keys  logs  phree.conf  phreelab.conf  scripts  square-r00t.conf
12:40 < square-r00t> i would (as root) do systemctl <action> foxyproxy, for instance
12:41 < square-r00t> but yeah, something weird with that config or with a cached config for openvpn
12:42 < DF3D2> trying to get to the bottom of it now
12:42 < square-r00t> when in doubt, try openvpn --config /etc/openvpn/<config file> and make sure that starts okay
12:43 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:44 < DF3D2> Yeah
12:44 < DF3D2> so I changed it around a bit to this:
12:45 < DF3D2> http://ur1.ca/i6zsl
12:45 <@vpnHelper> Title: #133718 Fedora Project Pastebin (at ur1.ca)
12:45 < DF3D2> that seems to work
12:46 < square-r00t> with systemd?
12:46 < square-r00t> or on the cli?
12:46 < DF3D2> command line
12:47 < square-r00t> gotcha. now give it a shot with systemd
12:47 < DF3D2> yeah seems to work
12:47 < DF3D2> no errors anyway
12:48 < DF3D2> actually status is showing a bunch of TLS errors from my client
12:48 < square-r00t> wait a little bit and do an ip addr show to see if the tun device is popping up
12:48 < square-r00t> hrm
12:48 < DF3D2> IP:37395 TLS_ERROR
12:48 < DF3D2> let me paste my client config
12:48 < DF3D2> bear in mind i'm very new to this and working off a guide
12:49 < DF3D2> http://paste.ubuntu.com/8352029/
12:49 < DF3D2> and i'm running that with:
12:49 < square-r00t> no worries. i've found that while arch's wiki's pretty incredible, their openvpn article needs some work. the howto at https://openvpn.net/index.php/open-source/documentation/howto.html tends to be much better :)
12:49 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:50 < DF3D2> sudo openvpn --config /etc/openvpn/client.conf
12:50 < square-r00t> what distro is the client?
12:50 < DF3D2> ubuntu
12:50 < DF3D2> server is arch
12:50 < square-r00t> ahh gotcha
12:51 < DF3D2> needed to reinstall my server recently so figured i'd give arch a try this rig is just an HTPC so haven't bothered switching it
12:52 < square-r00t> oooh
12:52 < square-r00t> DF3D2: your cipher's don't match, first off
12:52 < DF3D2> can you explain?
12:52 < square-r00t> server's using BF-CDC (the default)
12:53 < DF3D2> oh i see
12:53 < DF3D2> client is using DES
12:53 < square-r00t> (CBC, rather)  client, per line 6, is using DES-EDE3-CBC
12:53 < square-r00t> they need to match. :)
12:53 < DF3D2> so just change it to BF-CDC ?
12:53 < square-r00t> yep
12:54 < DF3D2> on Sep 15 13:53:48 2014 Cipher algorithm 'BF-CDC' not found (OpenSSL)
12:54 < DF3D2> I should have openssl installed though
12:54 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
12:54 < square-r00t> CBC, not CDC. sorry :)
12:54 < DF3D2> ahh
12:54 < DF3D2> k it seems to be running
12:54 < square-r00t> (alternatively, since it's the default, you can just comment out the cipher option i believe)
12:54 < DF3D2> how do I want to test things ?
12:54 < square-r00t> ping, nmap, etc.- your choice
12:55 < DF3D2> ping what the vpn or?
12:55 < square-r00t> yep
12:55 < square-r00t> ping 10.8.0.1 from the client
12:55 < square-r00t> assuming you haven't applied firewalling or a default drop policy to the vpn, it should ping
12:55 < DF3D2> not reachable
12:55 < DF3D2> :S
12:55 < DF3D2> I supposedly opened it with iptables per the guide...
12:56 < DF3D2> I'm no networking expert obviously so I'm not sure what the issue is here
12:56 < square-r00t> sec
12:57 < DF3D2> the log seems to show nothing
12:57 < DF3D2> stats info but it is all blank
12:57 < square-r00t> yeah, if it connects and the tun defice is up and has an IP on the server and on the client, chances are the actual VPN is up and working
12:57 < square-r00t> but sounds moreso like this is a firewall issue
12:58 < DF3D2> tun shows 10.8.01 on the server
12:58 < DF3D2> 10.8.0.1
12:58 < DF3D2> according to ifconfig -a
12:58 < DF3D2> do I need to do the iptables command that he has commented out with "nat" ?
12:58 < DF3D2> https://stavrovski.net/blog/installing-and-setting-up-openvpn-in-archlinux
12:58 <@vpnHelper> Title: Installing and setting up OpenVPN in ArchLinux | Stavrovski.Net (at stavrovski.net)
12:59 < DF3D2> I changedall the other ones for 10.8.0.1 obviously
12:59 < square-r00t> ooohhh
12:59 < square-r00t> the iptables rule for the nat?
12:59 < DF3D2> yeah he has it commented out
12:59 < DF3D2> so I didn't do it
12:59 < square-r00t> that's if you want to route ALL traffic from the client through the server
12:59 < DF3D2> hm
13:00 < DF3D2> so I don't need it?
13:00 < DF3D2> how do I choose now which apps go through the vpn? Ping doesn't seem to work
13:00 < Eugene> !routebyapp
13:00 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
13:00 <@vpnHelper> policies you set. For Linux, read about !lartc
13:01 < DF3D2> Okay so if we just assume I want to send it "all" now, then I need to run that iptables command with nat for ANYTHING to work ?
13:01 < DF3D2> eventually I just want to have a vpn while browsing really.
13:02 < DF3D2> but trying to get it to work at all now..
13:02 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
13:02 < square-r00t> DF3D2: you might want to learn a bit more about some networking basics first. http://www.penguintutor.com/linux/basic-network-reference
13:02 <@vpnHelper> Title: Basic TCP/IP networking reference guide - Linux tutorial from PenguinTutor (at www.penguintutor.com)
13:03 < square-r00t> or you can (shameless self-plug) get a VPN from FoxyProxy. http://getfoxyproxy.org
13:03 <@vpnHelper> Title: FoxyProxy (at getfoxyproxy.org)
13:03 < square-r00t> ;)
13:03 < DF3D2> so i'm really that far away from making this work ?
13:03 < DF3D2> seems like i'm pretty close
13:04 < square-r00t> but yeah, you'll want to start with how routing works and what it is, and then NAT (SNAT/DNAT, MASQUERADE)
13:04 < square-r00t> once you can tell someone why you need it for the VPN to work the way you want, you're ready :)
13:04 < DF3D2> really I just want to protect my home ip etc.
13:05 <@dazo> DF3D2: Networking is hard and full of pitfalls ... adding VPN makes things much more complicated
13:05 < DF3D2> and I have a small dedicated server I thought I could use for this purpose
13:05 < DF3D2> it seems like everything is setup now, but I can't ping my server vpn address
13:05 < DF3D2> the log shows nothing really helpful
13:06 < square-r00t> because you'd want to run a packet dump or log dropped packets from your firewall and check those
13:06 < DF3D2> my client, server or router?
13:06 <@dazo> firewall or routing ... that's where you need to look now .... tcpdump is a good tool to get to know
13:06 < square-r00t> it's out of the VPN's hands now, it's firewall, if it connects to the vpn, that part's done :P
13:06 < square-r00t> DF3D2: all three, ideally
13:06 < square-r00t> +1 to what dazo said
13:06 < DF3D2> how do I even know what it connected ?
13:06 < DF3D2> that it*
13:06 < DF3D2> seems it didn't since I can't ping ?
13:06 -!- mode/#openvpn [+v square-r00t] by krzee
13:06 <+square-r00t> because it got an address from the vpn server
13:07 <+square-r00t> because the tun device initialized
13:07 <+square-r00t> etc.
13:07 < DF3D2> I checked that on the vpn not the client
13:07 < DF3D2> hold on
13:08 <@dazo> well, it could be MTU issues (link-mtu) as well ... but it's worth checking firewall and routing first
13:08 -!- mattock is now known as mattock_afk
13:08 < DF3D2> it's a tls error
13:08 < DF3D2> according to systemctl status
13:08 < DF3D2> hold on ill paste it
13:08 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
13:08 <+square-r00t> sure that's not from before?
13:09  * dazo heads out for food
13:09 < DF3D2> nah I restarted it
13:09 < DF3D2> hold on ill paste
13:09 < DF3D2> http://paste.ubuntu.com/8352143
13:10 <@krzee> DF3D2, whats your goal? you want to redirect everything over the vpn?
13:11 <@krzee> only some things?
13:11 <@krzee> if only some, which?
13:11 < DF3D2> well not everything, only some things. But I'd like to get it to work in any event
13:11 < DF3D2> Mainly web browsing
13:11 <@krzee> then why do you want to use a vpn instead of a proxy?
13:12 < DF3D2> I don't know but i've spent all this time trying to get this to work so i'd like to see it through now
13:12 < DF3D2> seems I just have some encryption problem
13:12 <@krzee> ok well openvpn routes by the routing table
13:12 <@krzee> so its easiest to just route by subnet, which can easily mean all
13:12 <@krzee> wanna get that up for now?
13:12 < DF3D2> sure but like I said, I have some encryption problem it seems like I need to solve
13:13 <@krzee> !logs
13:13 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:13 < DF3D2> I did paste it
13:13 < DF3D2> for the server anyway
13:13 <@krzee> cool, i lost my scroll
13:13 < DF3D2> http://paste.ubuntu.com/8352143
13:13 <@krzee> so post both now
13:13 < DF3D2> k let me find the client one
13:13 <@krzee> !configs
13:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:13 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
13:14 < DF3D2> server: http://pastebin.com/dHnvXP9K
13:15 < DF3D2> trying to figure out where the client log is
13:15 < DF3D2> client conf: http://paste.ubuntu.com/8352193/
13:15 <@krzee> where is 10.1.0.0/16?
13:16 < DF3D2> I don't really know. lol
13:16 <@krzee> then dont have route 10.1.0.0 255.255.0.0
13:16 < DF3D2> yeah
13:16 <@krzee> in fact
13:16 <@krzee> before we continue AT ALL
13:16 <@krzee> go to the openvpn manual and read about every option in both configs
13:16 <@krzee> !man
13:16 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:17 <@krzee> just so you know what they do
13:17 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
13:17 <@krzee> when done, get the client log
13:17 < dtrainor> My connection keeps dying, which normally wouldn't be such a huge problem, so long as it reconnected properly.  I keep running in to this:  Enter Auth Username:Mon Sep 15 11:09:59 2014 ERROR: could not read Auth username from stdin
13:18 < dtrainor> though I'm using:  auth-user-pass /etc/openvpn/home-password.txt
13:19 <@krzee> do you have --auto-nocache ?
13:20 <@krzee> also, do you have --auth-retry nointeract ?
13:20 < dtrainor> for some reason i do have auth-nocache
13:20 < dtrainor> that sucks
13:21 <@krzee> there ya go =]
13:21 < dtrainor> ping
13:21 <@krzee> !ping
13:21 <@vpnHelper> pong
13:21 < dtrainor> ok, cool, changed it and reconnected.  let's try this out.
13:21 < dtrainor> awesome thanks!
13:21 <@krzee> np
13:22 < DF3D2> I don't see anything obviosly wrong besides  that errant route entry
13:22 <@krzee> DF3D2, cool, now grab me the client config
13:22 <@krzee> err
13:22 <@krzee> client log
13:22 < DF3D2> k
13:22 < DF3D2> i'm trying to find it not sure where it is on this system doesn't appear to be in /etc/openvpn or /var/log
13:22 <@krzee> !logfile
13:23 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:23 < DF3D2> k ill do that
13:24 < DF3D2> Mon Sep 15 14:23:35 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
13:24 <@krzee> i didnt say to paste me 1 line of it
13:24 < DF3D2> checking that link
13:24 < DF3D2> sorry that just jumped out at me
13:24 <@krzee> pastebin the logfile
13:25 < DF3D2> http://paste.ubuntu.com/8352236/
13:25 <@krzee> !certverify
13:25 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
13:25 <@krzee> do that on both sides
13:25 < DF3D2> k
13:27 < DF3D2> supposed to be slow right ?
13:28 <@krzee> not really no
13:28 < DF3D2> hmm well it seems to be taking awhile on ca.crt
13:28 <@krzee> show me the command
13:29 < DF3D2> sudo openssl verify -CAfile ca.crt
13:29 <@krzee> heh
13:29 <@krzee> read it again
13:29 < DF3D2> so you don't need -CAfile
13:30 < DF3D2> error 18 on both the client/server file
13:30 < DF3D2> sudo openssl verify ca.crt
13:30 < DF3D2> ca.crt: C = MK, ST = MK, L = veles, O = Fort-Funston, OU = MyOrg anizationalUnit, CN = Fort-Funston CA, name = EasyRSA, emailAddress = me@myhost.mydomain
13:30 < DF3D2> error 18 at 0 depth lookup:self signed certificate
13:32 < DF3D2> https://stavrovski.net/blog/installing-and-setting-up-openvpn-in-archlinux -- I made all my keys the way it said there
13:32 <@krzee> umm
13:32 <@vpnHelper> Title: Installing and setting up OpenVPN in ArchLinux | Stavrovski.Net (at stavrovski.net)
13:32 <@krzee> show me the command now
13:32 < DF3D2> sudo openssl verify ca.crt
13:32 <@krzee> heh
13:32 <@krzee> dude
13:32 <@krzee> i gave you the syntax
13:33 <@krzee> openssl verify -CAfile ca.crt client.crt
13:33 <@krzee> "verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt"
13:33 <@krzee> what wasnt clear???
13:33 < DF3D2> I have no client.crt hm
13:34 < DF3D2> I have ca.crt nexus4.crt pulsar.crt
13:34 <@krzee> if you cant figure that out i cant help
13:34 <@krzee> cause i mean… damn man
13:34 <@krzee> !spoonfeeding
13:34 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
13:35 < DF3D2> Yeah nexus4.crt should be client.crt I'm guessing
13:35 <@krzee> the crt your client uses
13:35 < DF3D2> enerate client certificate using the build-key script
13:35 < DF3D2> ./build-key nexus4
13:35 <@krzee> which according to your configs *IS THE SAME*
13:35 < DF3D2> is what I did per the guide
13:35 <@krzee> you need to use the server cert on the server and the client cert on the client
13:35 <@krzee> maybe thats the problem here
13:36 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:42 < DF3D2> works now
13:42 < DF3D2> had the pulsar/nexus bullshit switched. I didn't notice because he didn't just use "client" and "server"
13:42 < DF3D2> so I can ping the vpn now
13:42 < DF3D2> !routing
13:42 < DF3D2> !routebyapp
13:42 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
13:42 <@vpnHelper> policies you set. For Linux, read about !lartc
13:42 -!- DF3D2 [~x@unaffiliated/df3d2] has left #openvpn ["Leaving"]
13:42 <@krzee> !redirect
13:42 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:42 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:42 -!- DF3D2 [~x@unaffiliated/df3d2] has joined #openvpn
13:43 -!- DF3D2 [~x@unaffiliated/df3d2] has quit [Quit: Leaving]
13:43 <@krzee> !redirect
13:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:43 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:43 <@krzee> lol
13:43 -!- DF3D2 [~x@unaffiliated/df3d2] has joined #openvpn
13:44 < DF3D2> Okay so I think I got it working
13:44 < DF3D2> but after a minute my connection died.
13:45 < DF3D2> still their krzee ?
13:45 < DF3D2> there*
13:46 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-rkfqesihssmfgwzr] has quit [Ping timeout: 260 seconds]
13:47 -!- kirin` [telex@gateway/shell/anapnea.net/x-rikqclgzjtudbyyq] has joined #openvpn
13:48 -!- DF3D2 [~x@unaffiliated/df3d2] has quit [Read error: Connection reset by peer]
13:49 -!- DF3D2 [~x@unaffiliated/df3d2] has joined #openvpn
13:49 < DF3D2> Yeah so it works I can ping the vpn, but I can't seem to do anything else lol
13:51 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Max SendQ exceeded]
13:51 < DF3D2> http://paste.ubuntu.com/8352424/
13:51 < DF3D2> recent client log
13:54 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Remote host closed the connection]
13:55 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:57 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
13:59 -!- DF3D2 [~x@unaffiliated/df3d2] has quit [Quit: Leaving]
14:01 -!- DF3D2 [~x@unaffiliated/df3d2] has joined #openvpn
14:01 < DF3D2> everyone gave up on meh
14:02 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 245 seconds]
14:03 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
14:05 -!- DF3D2 [~x@unaffiliated/df3d2] has quit [Quit: Leaving]
14:05 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
14:24 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:27 -!- glphvgacs [~glphvgacs@unaffiliated/glphvgacs] has joined #openvpn
14:28 < glphvgacs> i am looking into using vpn for couple of things
14:29 < glphvgacs> 1. to authenticate from school and use resources (nfs mounted homes) left behind at home
14:29 < glphvgacs> 2. give access to my friends and family in a country that filters the internet
14:29 < glphvgacs> -- obviously share those resources mentioned in part 1 with them as well
14:30 < glphvgacs> hmm, just two reason apparently
14:31 < glphvgacs> i have openwrt running on a micky mouse cpu on this linksys WRT160N
14:31 < glphvgacs> which seems to not have enough firmware to fit any vpn server on
14:31 < glphvgacs> also network topology goes like this:
14:32 < glphvgacs> ISP -> modem -> wrt -> my_machine
14:33 < glphvgacs> our ISP doesn't do IPv6 and i would like to not pay for their overpriced static ips
14:33 < glphvgacs> no questions:
14:34 < glphvgacs> a. which layer is best to try for what i'm tying to do?
14:34 < glphvgacs> a1. is this the write place to ask this question?
14:35 < glphvgacs> b. can vpn (any type) run on my_machine rather than the router (wrt)?
14:39 -!- DF3D2 [~x@unaffiliated/df3d2] has joined #openvpn
14:40 < DF3D2> well I have it working for everything thanks for all the help krzee
14:48 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
14:52 -!- oozbooz [~ocherno@85.65.213.206.dynamic.barak-online.net] has joined #openvpn
14:53 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:56 -!- DF3D2 [~x@unaffiliated/df3d2] has quit [Quit: Leaving]
14:57 < oozbooz> How to install openvpn client on Centos 7?
14:57 < oozbooz> does EPEL repo offer it as binary?
15:02 -!- n6 [NumberSix@unaffiliated/n6] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
15:08 <+square-r00t> glphvgacs: a. doesn't really matter too much, but you'll want the bridged network model, not the peer-to-peer for what you're trying to do (i.e. tun, not tap)
15:08 <+square-r00t> a1. sure
15:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:08 <+square-r00t> b. yep, assuming you mean the client
15:13 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:14 < glphvgacs> square-r00t: i meant the server
15:15 < glphvgacs> i don't seem to have enought space on the router and modem is just black box, can't touch it
15:16 <+square-r00t> oh! well yeah, you can run the server on my_machine
15:16 <+square-r00t> but you'll need to forward whatever port you choose to that machine
15:16 <+square-r00t> AND you'll want to have some sort of dynamic DNS method set up
15:16 < glphvgacs> what about ipv6 from brokers?
15:17 < glphvgacs> they do assign static ones actually
15:17 <+square-r00t> oh, like HE? hrm... i haven't tried that yet
15:18 < glphvgacs> yes
15:18 <+square-r00t> but that would require the clients to use IPv6 to access the vpn
15:18 < glphvgacs> the only odd client is windows 7, everyone else is linux (gentoo/androin)
15:18 < glphvgacs> i dunnon if win7 supports ipv6
15:19 < glphvgacs> i assume it does
15:19 <@krzee> square-r00t, whyd you say he needs bridge?
15:19 <@krzee> !redirect
15:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:19 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
15:19 <@krzee> bbl
15:19 -!- dvl [~dvl@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
15:20 <@krzee> glphvgacs, thats what you need ^
15:20 <+square-r00t> krzee: multiple clients, wants to access nfs on the other end, etc.
15:20 < glphvgacs> nfs, sip, voip (tox)
15:21 < glphvgacs> and samba
15:21 < glphvgacs> for windows
15:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:30 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 272 seconds]
15:32 <+square-r00t> glphvgacs: win7 supports ipv6 but i moreso meant they'd need carrier support- either via ISP native or another tunnel- on the clients as well
15:33 <+square-r00t> dynamic DNS for the server is generally the way to go in that sense
15:36 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
15:48 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:49 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has quit [Ping timeout: 240 seconds]
15:50 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has joined #openvpn
15:50 -!- dazo is now known as dazo_afk
15:55 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
15:56 < glphvgacs> square-r00t: dns.he.net
15:57 -!- deeville [~deeville@38.117.108.108] has quit [Client Quit]
15:58 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
16:02 -!- needspeed [~needspeed@HSI-KBW-046-005-002-104.hsi8.kabel-badenwuerttemberg.de] has quit [Quit: Konversation terminated!]
16:02 <+square-r00t> i mean for ipv4
16:03 -!- deeville [~deeville@38.117.108.108] has quit [Ping timeout: 272 seconds]
16:06 <+square-r00t> unless you'd like to set up an ipv6 tunnel for every client
16:07 -!- busch [~busch@datenschleuder.com] has joined #openvpn
16:16 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:17 -!- oozbooz [~ocherno@85.65.213.206.dynamic.barak-online.net] has quit [Quit: Leaving]
16:28 -!- glphvgacs [~glphvgacs@unaffiliated/glphvgacs] has quit [Quit: WeeChat 0.4.3]
16:36 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
16:36 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Ping timeout: 258 seconds]
16:37 -!- edakiri [~edakiri@unaffiliated/edakiri] has quit []
16:44 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
16:49 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
16:51 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
17:03 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 258 seconds]
17:06 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
17:09 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Excess Flood]
17:11 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
17:13 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit1]
17:25 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:39 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:44 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:46 -!- blaman [~blaman@host81-136-205-6.in-addr.btopenworld.com] has joined #openvpn
17:48 < blaman> hi there, how do I specify the underlying network interface for openvpn to use when creating the tunnel? I can't find any docs on this
17:52 < tachibana> seconded
17:59 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
18:00 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
18:00 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
18:27 -!- deb|minus3k [~guest3459@openvpn/community/support/debbie10t] has joined #openvpn
18:31 -!- mode/#openvpn [+v deb|minus3k] by ChanServ
18:37 <+square-r00t> blaman: tachibana: --remote
18:39 <+square-r00t> assuming you have the default route set
18:40 <+square-r00t> for servers, you can set the local variable
18:41 <+square-r00t> e.g. local 123.123.123.123 will listen on that IP (and therefore that specific interface)
18:43 <+square-r00t> actually, i believe you can use that for the client too, if you don't want to manually specify a route
18:44 <+square-r00t> it seems so:
18:44 <+square-r00t>        --local host
18:44 <+square-r00t>               Local host name or IP address for bind.  If specified, OpenVPN will bind to this address only.  If unspecified, OpenVPN will bind to all interfaces.
18:44 <+square-r00t> HTH
18:49 < blaman> thanks square-r00t
18:50 <+square-r00t> np
18:51 -!- blaman [~blaman@host81-136-205-6.in-addr.btopenworld.com] has quit [Read error: Connection reset by peer]
18:52 -!- Netsplit *.net <-> *.split quits: Six6siX, BladedThesis, Nyoom
18:54 -!- Netsplit over, joins: BladedThesis
18:55 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 250 seconds]
19:02 -!- tachibana [~fghhfg@133.sub-174-240-1.myvzw.com] has quit [Remote host closed the connection]
19:13 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
19:13 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
19:17 -!- deb|minus3k [~guest3459@openvpn/community/support/debbie10t] has left #openvpn ["Leaving"]
19:17 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:30 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
19:33 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
19:56 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
19:59 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
20:05 -!- Starthunder [~blackl@unaffiliated/moonlightning] has joined #openvpn
20:05 < Starthunder> Is it possible to use OpenVPN on a network that has ~50% packet loss?
20:06 < Starthunder> I have an existing OpenVPN that uses UDP, and it works fine, just not on this one network.
20:06 < Starthunder> I tried pinging both Google and my server, and was getting around 42 to 46% of packets dropped
20:16 < Starthunder> I'm assuming it's not working because too many packets are getting dropped, and UDP (being UDP) doesn't notice.
20:17 < Starthunder> I don't see anything at all in the server's log during the time I was trying to connect.
20:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
20:28 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 245 seconds]
20:29 -!- xup [~xup@unaffiliated/othermth] has joined #openvpn
20:34 -!- xup [~xup@unaffiliated/othermth] has quit [Ping timeout: 260 seconds]
20:49 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
20:50 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
20:53 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
20:55 -!- n6 [NumberSix@unaffiliated/n6] has joined #openvpn
21:23 <+square-r00t> Starthunder: you can try running in TCP mode instead
21:24 < Starthunder> Yeah…I'd rather not have to change everything around to TCP, though.
21:24 < Starthunder> And then have TCP over ... over TCP >.<
21:25 <+square-r00t> eh, the TCP overhead isn't too bad as long as you aren't trying to stream media or play whatever it is kids play these days. call of duty? is that it?
21:26 < Starthunder> xD
21:26 < Starthunder> Do you have a VPN that uses TCP?
21:28 <+square-r00t> maaayyyybe. :)
21:28 <+square-r00t> and it maaaayyyy run on 443.
21:28 <+square-r00t> (yes and yes.)
21:30 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
21:52 -!- tachibana [~fghhfg@170.sub-174-240-37.myvzw.com] has joined #openvpn
21:52 < tachibana> help
21:53 < tachibana> Signal Recieved from management interface, exiting
21:55 < Starthunder> Someone or something connected to the UNIX socket that your OpenVPN instance listens on, and told it to quit.
21:56 < tachibana> interesting
21:58 < tachibana> im trying to run an airtel config file on a serviceless phone w/ openvpn
21:58 < tachibana> do you think that msg comes up because I need an Airtel sim to match the config?
21:59 < tachibana> or could it be I have no apn setup for it
22:00 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
22:03 -!- arescorpio [~arescorpi@195-27-245-190.fibertel.com.ar] has joined #openvpn
22:06 < tachibana> the generated config file lists a bunch of stuff that doesnt 'map to config settings'
22:07 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:07 < tachibana> http-proxy-timeout 33
22:07 < tachibana> fast-io
22:07 < tachibana> resolve etry infinite
22:12 -!- zeroNones [~textual@187.204.190.154] has joined #openvpn
22:28 <@krzee> square-r00t, you do not need a bridge for those things
22:28 <@krzee> !tunortap
22:28 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
22:28 <@vpnHelper> rooted/jailbroken) support only tun
22:35 -!- zeroNones [~textual@187.204.190.154] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:35 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 258 seconds]
22:36 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
22:54 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has joined #openvpn
23:06 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Read error: Connection reset by peer]
23:13 -!- arescorpio [~arescorpi@195-27-245-190.fibertel.com.ar] has quit [Excess Flood]
23:18 < tachibana> tunertap for me?
23:21 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
23:21 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
23:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
23:27 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
23:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:37 -!- mode/#openvpn [+v s7r] by ChanServ
23:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:37 -!- ShadniX [dagger@p5481C68F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:38 -!- ShadniX [dagger@p5481C0A3.dip0.t-ipconnect.de] has joined #openvpn
23:46 -!- mattock_afk is now known as mattock
--- Day changed Tue Sep 16 2014
00:07 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:13 <@krzee> no, ill look at yours now
00:14 <@krzee> sorry was handling business
00:17 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:18 -!- mebigfatguy [~dave@128.177.74.147] has joined #openvpn
00:19 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
00:20 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
00:32 < mebigfatguy> greetings, been using openvpn for quite some time. upgraded to mint 17, and now can't get it to work. wondered if there's a way to see what's going on ... when i run nmcli it fails at 'getting IP configuration
00:32 <+square-r00t> have log-append in your client conf?
00:34 <@krzee> could it be that you dont have tun+ allowed in your iptables for INPUT?
00:34 < mebigfatguy> you are over my head
00:34 <@krzee> !logs
00:34 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
00:34 <@krzee> use verb 5
00:34 <@krzee> !logfile
00:34 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
00:37 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 272 seconds]
00:40 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
00:46 <+hazardous> using standard openvpn, does anyone know why my stdout is totally full of "Authenticate/Decrypt packet error: bad packet ID"
00:49 <+hazardous> would it have anything to do with the fact that i'm on an incredibly lossy, extremely terrible internet connection
00:56 -!- mebigfatguy [~dave@128.177.74.147] has left #openvpn ["Leaving"]
01:03 <@krzee> hazardous,
01:03 <@krzee> well, it could be a replay attack attempt, probably not
01:03 <@krzee> more likely… are you on wifi?
01:05 <@krzee> http://openvpn.net/archive/openvpn-users/2004-07/msg00361.html
01:05 <@vpnHelper> Title: Re: [Openvpn-users] Authenticate/Decrypt packet error: bad packet ID (may be a replay) (at openvpn.net)
01:07  * Eugene replays krzee 
01:08 <@krzee> nice, you hitting a blunt?
01:08 <@krzee> pshhh your replay is broken if not
01:09 < Eugene> I don't roll, but there's a water-bong with my name on it
01:09 < Eugene> brb
01:11 <@krzee> nice
01:12 < Eugene> Righty
01:13 <@krzee> makes me feel like i should have a beer to even the channel back out
01:13 <@krzee> ;]
01:16 <+hazardous> i am on wired
01:16 <+hazardous> but 25% packetloss wired
01:16 <+hazardous> i'm nearly totally sure there's no replay attack attempt
01:16 <+hazardous> at least i'm not being actively compromised here
01:18 <@krzee> right
01:18 <@krzee> so ya prolly related to the packet loss
01:18 <@krzee> "or packets are arriving extremely out-of-order."
01:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:49 <+hazardous> thx
02:27 -!- aPollO2k [aPollO@unaffiliated/apollo2k] has quit [Quit: irc panic]
02:41 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
02:47 -!- _genuser_ [~bobby@pool-173-57-187-209.dllstx.fios.verizon.net] has quit [Quit: leaving]
02:52 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
03:18 -!- d3lphi [~d3lphi@unaffiliated/d3lphi] has left #openvpn []
03:21 -!- krthnz [~aehm@unaffiliated/krthnz] has quit [Ping timeout: 250 seconds]
03:28 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 258 seconds]
03:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:07 -!- krthnz [~aehm@unaffiliated/krthnz] has joined #openvpn
04:22 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
04:54 -!- ShadniX [dagger@p5481C0A3.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
04:56 -!- ShadniX [dagger@p5481C0A3.dip0.t-ipconnect.de] has joined #openvpn
05:46 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
05:47 -!- abbe_ [having@badti.me] has joined #openvpn
05:47 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 260 seconds]
05:48 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
05:59 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
05:59 < ayaka> I have a problem with static key vpn
05:59 < ayaka> I could access to the subnet of the server
05:59 < ayaka> but I can't connect to the route behind the server
06:03 < ayaka> the server is at 192.168.0.0/25
06:03 < ayaka> then via 192.168.0.2 to access to 192.168.0.128/25
06:04 < ayaka> but I can't ping the 192.168.0.2 or 192.168.0.129
06:04 < ayaka> but at 192.168.0.129, it could ping the client
06:07 -!- kedare [~kedare@188.226.137.239] has joined #openvpn
06:07 < kedare> Hello o/
06:08 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
06:08 < kedare> I have an issue, I've setup an openvpn server that authenticate using PAM (PAM using radius, using OTP), but it reauthentify after 1 hours, and the connection is shown as "TLS reset" from the client side", I tried to modify the reneg-sec on the server config but it don't works (tried both 0 or a very high value)
06:35 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 260 seconds]
06:35 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
06:35 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
06:39 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
06:55 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:11 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
07:11 -!- mode/#openvpn [+o mattock_afk] by ChanServ
07:11 -!- mattock_afk is now known as mattock
07:21 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
07:31 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 250 seconds]
07:32 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
07:53 < ayaka> sorry, 192.168.0.129, it couldn't ping the client
08:05 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Remote host closed the connection]
08:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
08:09 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
08:11 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
08:16 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
08:18 -!- Pyrogerg [~Gregory@75-173-66-157.albq.qwest.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:19 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
08:20 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
08:20 -!- g00gz [~Adium@199.244.84.14] has quit [Max SendQ exceeded]
08:20 -!- g00gz [~Adium@199.244.84.14] has joined #openvpn
08:21 -!- g00gz [~Adium@199.244.84.14] has left #openvpn []
08:23 -!- deeville [~deeville@38.117.108.108] has joined #openvpn
08:33 < ayaka> or I should said if I want debug openvpn route problem, which level of verb should I use
08:49 <@ecrist> 3 
08:49 <@ecrist> and from there, you look at your system routing tables
08:54 < phreakocious> does anyone know if there's a way to achieve a reload of the config without punting all the users?  I've read the docs and tried various things but there seems to be no way to get this to happen gracefully.
08:58 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
09:10 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
09:11 -!- eKKiM [~eKKiM@d54C5D0BE.access.telenet.be] has joined #openvpn
09:12 < eKKiM> !goal
09:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:12 < eKKiM> !welcome
09:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:12 < eKKiM> !redirect
09:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:12 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
09:13 < eKKiM> !nat
09:13 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
09:14 < eKKiM> is there an !solarisnat?
09:14 < eKKiM> !solarisnat
09:14 < eKKiM> !solnat
09:16 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 260 seconds]
09:20 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:23 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Remote host closed the connection]
09:38 -!- dazo_afk is now known as dazo
09:49 <@krzee> no
09:49 <@krzee> if you use solaris, you should be able to figure out their nat
09:52 < eKKiM> lol thx for the help!
09:53 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
09:55 < eKKiM> !linnat
09:55 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:05 < eKKiM> !fbsdnat
10:05 <@vpnHelper> "fbsdnat" is nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
10:05 -!- doebi [~doebi@doebi.at] has left #openvpn ["WeeChat 0.4.3"]
10:11 -!- square-r00t [~bts@g.rainwreck.com] has quit [Quit: i don’t know why i think pressing ctrl-c harder will help.]
10:12 -!- square-r00t [~bts@g.rainwreck.com] has joined #openvpn
10:13 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
10:13 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:45 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:46 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
10:47 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
10:56 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:57 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Max SendQ exceeded]
11:01 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:11 -!- dazo is now known as dazo_afk
11:13 -!- zamba [marius@flage.org] has quit [Ping timeout: 240 seconds]
11:14 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
11:17 -!- DomiX [~dom@rai93-2-82-231-187-222.fbx.proxad.net] has joined #openvpn
11:20 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
11:21 < DomiX> Hi, I've setup an openvpn server in bridge mode with arround 10 clients, connection works as expected but bandwidth usage is always at 200kb/s (30% of bandwith allowed) even with no user usage, is there a way to reduce it ?
11:28 -!- zamba [marius@flage.org] has joined #openvpn
11:30 < square-r00t> yeah, run a tcpdump and see why the heck it's so high
11:30 < square-r00t> because that doesn't seem right
11:30 < square-r00t> does that occur in both tcp and udp mode?
11:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:39 < DomiX> I only used udp mode atm
11:40 < DomiX> server side there is arround 100 computers, could it be caused by arp ?
11:41 < square-r00t> i don't believe arp passes through but i could be mustaken
11:42 < square-r00t> are all clients using keepalives? are they the same value?
11:43 < DomiX> dunno what value is used for keepalives (I use pfsense, let me check)
11:43 < square-r00t> i mean in the ovpn config
11:44 < DomiX> yes (I don't have access to my config atm)
11:45 < DomiX> I think it's default value
11:45 < square-r00t> i'd be curious what the keepalives are set to.. though i have a hard time believing it'd add up to 200k/s for 10 clients
11:45 < square-r00t> is the ovpn server running a management interface?
11:45 < square-r00t> one of the log levels tracks the packets coming/going.. i think it's level 6
11:46 <@krzee> DomiX, yes, stop using bridge mode.
11:46 <@krzee> if you can
11:46 <@krzee> why do you use bridge?
11:46 <@krzee> it is very rarely the correct solution?
11:46 <@krzee> s/?/!/
11:46 < DomiX> to connect remote computer to active directory
11:47 <@krzee> 6 or 5, 6 says READ WRITE 5 says R W
11:47 <@krzee> DomiX, active directory does not require l2
11:47 <@krzee> i have added AD machines over l3 tun vpns
11:47 <@krzee> all you lose is netbios resolution, which can be made up for with EITHER properly configured WINS or DNS
11:47 < DomiX> I know but I want to have the same subnet (easier maintenance)
11:48 -!- pisto [~pisto@222.ip-37-187-180.eu] has joined #openvpn
11:48 -!- Prelude2004c [Prelude200@dsl-67-55-28-3.acanac.net] has joined #openvpn
11:48 <@krzee> why would that be easier?
11:48 < Prelude2004c> hello everyoen
11:48 < pisto> hello. openvpn is driving me mad because it reufses to start in server mode without any authentication and encrytion
11:48 <@krzee> plenty easy when you setup routing properly
11:48 < pisto> trying --auth none --cipher none, and still will ask for cert, ca, etc
11:48 <@krzee> is it really that hard to type in different first 3 octets?
11:49 < pisto> I'm trying openvpn --dev tun --topology subnet --server 10.8.0.0 255.255.255.0 --auth none --cipher none
11:49 < Prelude2004c> can an expert message me please about Openvpn ( speed issues ).  We are willing to pay for assistance
11:49 < DomiX> krzee, each site will need a different network
11:50 < DomiX> krzee, you think it's because I use bridge mode I see this bandwidth usage ?
11:50 <@krzee> pisto, to have --server you need some way to differentiate clients… certs or pw auth… you can use ifconfig instead of --server if you like
11:50 <@krzee> Prelude2004c, just ask your question
11:50 <@krzee> DomiX, im not sure, but i do think so. did you try tcpdump to SEE what it is?
11:51 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 240 seconds]
11:52 < DomiX> I tried to use ntopng but it needs to run more time, I will capture a tcpdump log and see it with wireshark to diagnostic the bandwidth
11:53 < Prelude2004c> I have having speed issues with openvpn. We are trying to run it on a STB but speed performance is horrible. For example.. Without VPN i get 4MB/s ... with VPN ( auth none and cipher none ) Goes down to 2MB/s. With Cipher AES128 or BF i get down to 1-1.5MB/s
11:53 < Prelude2004c> not sure why
11:53 <@krzee> !speed
11:53 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
11:53 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
11:55 <@krzee> !learn speed as Prefer tun over tap (see !tunortap and !whybridge)
11:55 <@vpnHelper> Joo got it.
11:56 < DomiX> !whybridge
11:56 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
11:56 < DomiX> !tunortap
11:56 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
11:56 <@vpnHelper> rooted/jailbroken) support only tun
11:57 < pisto> krzee, thanks, it seems to work. I see it sets the tunnel mtu to 1500, isn't that wrong?
11:57 -!- abbe_ [having@badti.me] has left #openvpn []
11:57 -!- abbe [having@badti.me] has joined #openvpn
11:57 < Prelude2004c> BTW, i use TAP
11:57 <@krzee> pisto, show me your configs
11:58 < Prelude2004c> also, the cpu usage is like 15-20%
11:58 <@krzee> Prelude2004c, sorry to hear that… why?
11:58 < Prelude2004c> of one core
11:58 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:59 < pisto> krzee, it's just server:
11:59 < pisto> openvpn --dev tun --topology p2p --ifconfig 10.1.0.1 10.1.0.2 --auth none --cipher none
11:59 < pisto> client:
11:59 < pisto> openvpn --dev tun --topology p2p --ifconfig 10.1.0.2 10.1.0.1 --auth none --cipher none --remote <ip>
11:59 < pisto> I can ping between the two
12:00 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
12:03 <@krzee> pisto, if you can ping between the 2 its working… right?
12:03 <@krzee> Prelude2004c, msg vpnHelper exactly like this:   /msg vpnHelper factoids whatis #openvpn speed
12:03 < pisto> of course because ping packets are smaller than 1500 bytes
12:04 < pisto> problem will happen when sending bigger paylods
12:04 <@krzee> !mtu
12:04 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
12:04 <@krzee> test it like shown in #2
12:05 < pisto> ok
12:05 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 260 seconds]
12:10 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
12:10 < Prelude2004c> "Krzee" --> I am using tap as a bridge. I want to show the source ip on the stream servers not the VPN ip.. Do you think that is a problem?
12:10 < Prelude2004c> meaning tun will be faster?
12:10 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:10 < Prelude2004c> i have tried almost everything
12:10 < Prelude2004c> MTU has no fragmentation
12:10 <@krzee> yes tun will be faster.
12:11 < Prelude2004c> utilization seems ok.
12:11 < Prelude2004c> does tun have the ability to act like bridge?
12:11 <@krzee> i mean why wouldnt it be faster to send 1 less packet layer on every packet?
12:11 <@krzee> no
12:11 <@krzee> your reason for a bridge isnt even a reason, its you not wanting to look at other ips
12:12 < Prelude2004c> not sure what you mean by that. Basically, customers will connect and get a 192.168.x.x ip range .. i want that to show up in the apache stream servers
12:12 < Prelude2004c> when they watch the streams
12:12 <@krzee> why?
12:12 < Prelude2004c> not everyone having the same IP
12:12 <@krzee> not the same ip, their vpn ip
12:12 < Prelude2004c> because we track people
12:12 <@krzee> which you can log to a database, or make unique
12:13 < Prelude2004c> how much performance imrpovement would i see with tun over tap?
12:13 <@krzee> 1 layer per packet.
12:13 < Prelude2004c> and what does tap do?
12:13 <@krzee> gives you layer2
12:13 -!- Billy2 [~nwnkirc@pool-98-110-181-88.bstnma.fios.verizon.net] has joined #openvpn
12:13 < Prelude2004c> the interesting part is i have more bw available
12:13 < Prelude2004c> so i go down to 2M but i still have room
12:14 < Prelude2004c> it is as if ehternet can't keep up and slows down
12:14 <@krzee> so try tun and give it a test
12:14 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:14 <@krzee> what will it hurt?
12:14 < Prelude2004c> have to learn how to do that one .. been so long :)
12:15 < Prelude2004c> any other suggestions that make a big difference?
12:15 <@krzee> !speed
12:15 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
12:15 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
12:15 <@krzee> its all there
12:15 < Prelude2004c> odd that even with cipher none and auth none it still is much slower
12:15 <@krzee> not really odd, just means its not the auth and cipher causing issues
12:15 < Prelude2004c> MTU is 1500 with no fragmentation. i set it much higher just in case.. i also set the source to 1400 to make sure it would get through
12:16 < Prelude2004c> i use UDP
12:16 <@krzee> dont go setting options unless you know why (test is fine, then undo after)
12:16 < Prelude2004c> i have txqueuelen at 1000
12:16 < Prelude2004c> latency is like 15ms
12:17 <@krzee> eventually you'll decide to test tun
12:20 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 245 seconds]
12:21 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:23 < Prelude2004c> going to test tun now
12:23 < Prelude2004c> to see what happens
12:26 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 258 seconds]
12:27 -!- tachibana [~fghhfg@170.sub-174-240-37.myvzw.com] has quit [Remote host closed the connection]
12:27 -!- ShadniX [dagger@p5481C0A3.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
12:28 -!- ShadniX [dagger@p5481C0A3.dip0.t-ipconnect.de] has joined #openvpn
12:30 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
12:32 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
12:34 -!- pisto [~pisto@222.ip-37-187-180.eu] has left #openvpn ["Leaving"]
12:35 < Prelude2004c> hey krzee.. mtu set to 1500 by default no ?
12:36 < Prelude2004c> what do you think it should be set as customers are on cable and DSL connectyions
12:36 < Prelude2004c> should it stay at 1500?
12:36 < Prelude2004c> some routers may still be set at the old 1492 or 1472 or something
12:37 <@krzee> leave it until you find why to move it
12:37 <@krzee> you dont just tune those things for fun, you test and find a problem and tune away the problem
12:37 < Prelude2004c> right ok i see a slow speed on the tun too
12:37 < Prelude2004c> same problm as tap
12:38 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
12:38 <@krzee> running openvpn 2.3.4?
12:41 < Prelude2004c> 2.33
12:41 < Prelude2004c> 2.3.3
12:41 < Prelude2004c> ya bw cut in half
12:42 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:47 <@krzee> show me your configs
12:47 <@krzee> !configs
12:47 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:49 < Prelude2004c> http://pastebin.com/zMVVrmKA
12:52 -!- DomiX [~dom@rai93-2-82-231-187-222.fbx.proxad.net] has quit [Ping timeout: 258 seconds]
12:52 <@krzee> remove txqueuelen and then do the ping test in !mtu
12:52 <@krzee> !mtu
12:52 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
12:52 <@krzee> remove it from both sides
12:56 < Prelude2004c> ok running test
12:59 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 245 seconds]
12:59 < Prelude2004c>  NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1501,1501] remote->local=[1501,1451]
12:59 < Prelude2004c> Tue Sep 16 17:59:10 2014 NOTE: This connection is unable to accomodate a UDP packet size of 1501. Consider using --fragment or --mssfix options as a workaround.
13:00 <@krzee> now try the manual one in the link
13:01 <@krzee> (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
13:01 <@vpnHelper> Title: OpenVPN/Troubleshooting - Secure Computing Wiki (at www.secure-computing.net)
13:01 <@krzee> read that
13:05 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
13:12 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
13:20 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
13:20 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 272 seconds]
13:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 260 seconds]
13:21 -!- pisto [~pisto@222.ip-37-187-180.eu] has joined #openvpn
13:22 < pisto> is there a way to make openvpn call connect() on the udp socket when following the example in the man pages "Example 1: A simple tunnel without security"?
13:24 < pisto> so only packets from the remote are forwarded to the socket b the kernel
13:24 < Prelude2004c> krzee, is it normal that speed is jumping around a lot?
13:25 < Prelude2004c> like i show 3.6M then goes down to 3.2, and up and don
13:25 < Prelude2004c> down*
13:25 < Prelude2004c> while without VPN it's stable?
13:25 <@krzee> hey you got it WAY improvedQ!
13:25 <@krzee> not sure about "normal" but it sure sounds "better"
13:26 <@krzee> pisto, afraid im not sure what you're trying to do
13:27 < pisto> so openvpn opens this socket
13:27 < pisto> udp        0      0 0.0.0.0:1194            0.0.0.0:*                           6007/openvpn
13:27 < pisto> you can actually call connect() on an udp socket, to bind it to a single host
13:27 <@krzee> client?
13:27 < pisto> server
13:27 < pisto> well
13:27 <@krzee> --local
13:27 < pisto> actually
13:27 < pisto> it's point to point
13:27 <@krzee> --local can be used on both sides
13:28 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:28 <@krzee> if a side is not listening and only connecting via --remote it can also use --nobind if you want
13:29 < Prelude2004c> hey kree , for some reason when i use fragment it kills the openvpn
13:29 < Prelude2004c> doesn't allow me to use fragment on the server side
13:29 < Prelude2004c> i use mssfix and i want to set mtu max size to 1472
13:29 < pisto> krzee, you didn't understand. --local binds the local end of the socket
13:31 < pisto> krzee, if I was using tcp, openvpn would try to connect() to the remote host, and in netstat I would see the remote end associated to the socket
13:31 <@krzee> Prelude2004c, i've never been able to play with mtu much, all my links have always worked proper with default settings
13:31 <@krzee> btu now you know the problem
13:31 <@krzee> pisto, whats the problem you're trying to solve?
13:31 < pisto> the linux kernel allows you to call connect() on a udp socket, which actually means nothing but prevent other hosts to send packets to this socket
13:31 <@krzee> oh
13:31 <@krzee> the crypto does that
13:31 < pisto> ah
13:32 < pisto> which I disabled, I see
13:32 <@krzee> maybe theres something that does what you said, but if so i dont know about it
13:32  * krzee pokes plaisthos 
13:33 <@krzee> pisto, you only disabled for testing tho… right?
13:33 < pisto> I don't really need cryptography
13:33 < pisto> I wouldn't be here if I could use gre tunnels in this god forsaken openvz host
13:33 <@krzee> ahh beat me to it
13:33 <@krzee> haha
13:34 <@krzee> it was here:
13:34 <@krzee> !noenc
13:34 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) but you would use cipher none or (#3) Reference --cipher in the manpage (--auth may also be useful to review)
13:34 < pisto> yeah
13:34 <@krzee> !forget noenc 2
13:34 <@vpnHelper> Joo got it.
13:35 <@krzee> too bad, because i think openvpn is not the most efficient way to tunnel when crypto doesnt matter
13:36 < pisto> yeah I know
13:36 <@krzee> but if its all that works for you, then ya
13:36 <@krzee> weird that gre tunnels dont work but ovpn does
13:36 < pisto> it depends on which modules are loaded in the kernel running openvz
13:36 <@krzee> oh
13:36 < pisto> no gre module here, just tun/tap
13:37 <@krzee> they told you to deal with it?
13:37 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
13:37 < pisto> didn't even bother to ask the ovh support
13:37 < pisto> it's 2.5€/m
13:37 < pisto> I get what I pay for
13:37 <@krzee> http://global3.memecdn.com/grumpy-cat-deal-with-it_o_1296093.jpg
13:38 < pisto> eheh
13:38 -!- dazo_afk is now known as dazo
13:40 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:41 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:59 <@krzee> hey dazo, know anything about what pisto was asking above about the udp connect() ?
14:14  * dazo looks up
14:14 <@ecrist> !openvz
14:14 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
14:18 <@dazo> pisto: (krzee) Just tossing in another idea ... what about using ipip tunnel in Linux instead? ... http://lartc.org/howto/lartc.tunnel.ip-ip.html
14:18 <@vpnHelper> Title: IP in IP tunneling (at lartc.org)
14:18 <@dazo> (this is probably somewhat better described: http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling#IPIP_tunnels )
14:18 <@vpnHelper> Title: tunneling | The Linux Foundation (at www.linuxfoundation.org)
14:20 -!- averagecase [~anon@cl-6544.cgn-01.de.sixxs.net] has joined #openvpn
14:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 255 seconds]
14:47 -!- pisto [~pisto@222.ip-37-187-180.eu] has quit [Ping timeout: 245 seconds]
14:56 -!- jeraldv [~jerald@fsf/member/jeraldv] has quit [Ping timeout: 245 seconds]
15:02 -!- eKKiM [~eKKiM@d54C5D0BE.access.telenet.be] has quit [Remote host closed the connection]
15:03 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
15:05 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
15:05 < esde> ?config
15:05 < esde> !config
15:05 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
15:05 <@dazo> !configs
15:05 <@krzee> !configs
15:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:06 < esde> I was considering adding an "s". Thank you! :)
15:07 <@krzee> dazo, http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
15:07 <@dazo> krzee: hehe ... that's a good one :)
15:08  * krzee considers printing it out at work and coloring it when im bored
15:08 <@dazo> hahaha :)
15:08 <@krzee> red & blue pens
15:08 <@dazo> :)
15:08 <@dazo> krzee: It's a really nice intro to SELinux ... and suddenly, SELinux makes a lot of sense :)
15:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
15:09 <@dazo> Máirin Duffy did a good job on the drawings ... all made using F/OSS tools only :)
15:10 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
15:11 <@krzee> i liked it a lot
15:12 -!- mattock is now known as mattock_afk
15:14 <@dazo> krzee: she does a lot of cool stuff on the user experience in Fedora these days ... and is good at thinking out-of-the-box in co-operation with developers  .... http://blog.linuxgrrl.com/
15:15 <@vpnHelper> Title: Máirín Duffy | Open design forever. (at blog.linuxgrrl.com)
15:49 -!- deeville [~deeville@38.117.108.108] has quit [Quit: This computer has gone to sleep]
15:58 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
15:59 -!- g00gz [~Adium@2601:6:62c0:9:2d63:a923:ba88:73a4] has joined #openvpn
16:01 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
16:07 < Prelude2004c> Krzee .. sorry was away for a while.... so running at MTU 1471 and it seems ok but still with AES128 its 1/2 the bw
16:07 < Prelude2004c> i lost 50%
16:10 -!- kedare [~kedare@188.226.137.239] has quit [Ping timeout: 245 seconds]
16:42 -!- g00gz [~Adium@2601:6:62c0:9:2d63:a923:ba88:73a4] has quit [Quit: Leaving.]
16:53 -!- Adie [~adie2@ogdn-04-236-180.dsl.netins.net] has joined #openvpn
16:53 -!- n13l [~Daniel@aaa.anect.cz] has quit [Ping timeout: 240 seconds]
17:06 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:15 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:20 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
17:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:01 -!- symptom_ [~symptom@unaffiliated/h4dorno-x/x-6450635] has joined #openvpn
18:12 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 245 seconds]
18:14 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Ping timeout: 264 seconds]
18:14 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
18:15 -!- mete [~mete@91.247.253.160] has joined #openvpn
18:20 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
18:23 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
18:25 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
18:43 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
19:12 -!- dazo is now known as dazo_afk
19:21 -!- moonkid [~anonymous@89.248.166.138] has joined #openvpn
19:47 -!- GoldenGlovez [~GG@212.83.63.239] has joined #openvpn
19:53 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
19:53 < akurilin> quick question: do I need a user's .crt to be able to revoke it?
19:54 -!- arescorpio [~arescorpi@178-31-245-190.fibertel.com.ar] has joined #openvpn
19:56 < akurilin> or more specifically, can I not block a cert if I have all of the easyrsa "database" but not the public ce
19:56 < akurilin> public key
20:01 -!- nath_schwarz [~nath_schw@p54A32655.dip0.t-ipconnect.de] has joined #openvpn
20:01 <@krzee> akurilin, the info from that cert should be in your easyrsa "database"
20:02 <@krzee> but if you lost it, you can use --disable (kills the connection after the crypto verifies, but still kills it)
20:02 <@krzee> crl is better in that it kills the connection earlier
20:03 < akurilin> THe point I was trying to make is that revoke-full script seems to require the .crt
20:03 < akurilin> Is that correct?
20:04 <@krzee> dunno, i dont actually use easy-rsa
20:04 < akurilin> On an unrelated note: I don't need to keep revoke-test.pem for later, do I?
20:04 <@krzee> and i always keep my .csr's
20:04 <@krzee> (the unsigned client public key)
20:06 < akurilin> that's a good idea, I didn't realize I had to do that
20:06 <@krzee> here ill look over the code really quick
20:06 <@krzee> !easy-rsa
20:06 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
20:09 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:21 -!- averagecase [~anon@cl-6544.cgn-01.de.sixxs.net] has quit [Quit: Verlassend]
20:24 -!- nath_schwarz [~nath_schw@p54A32655.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
20:27 -!- nath_schwarz [~nath_schw@p54A32751.dip0.t-ipconnect.de] has joined #openvpn
20:31 -!- moonkid [~anonymous@89.248.166.138] has quit [Quit: moonkid]
20:46 < Adie> highlight me
20:46 <@krzee> Adie, ok
20:46 < Adie> ty
20:46 <@krzee> np
20:48 -!- Netsplit *.net <-> *.split quits: deranged_user, ifdm_, gardar, liriel, Tykling, ender|, evil_andy, wirehack7, pa, Latrina,  (+4 more, use /NETSPLIT to show all of them)
20:51 <@krzee> akurilin, ya it does take a crt
20:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
20:52 <@krzee> akurilin, if your pki is small you could start it over and redistribute keys to your client machines. if it is large and that is not an option you may need to use --disable in a ccd entry (see !ccd if you dont know what that is)
20:54 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
20:54 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
20:54 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
20:54 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
20:54 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
20:54 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
20:54 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
20:54 -!- Latrina [~Latrina@ppp-205-42.26-151.libero.it] has joined #openvpn
20:54 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has joined #openvpn
20:54 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
20:54 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
20:54 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has joined #openvpn
20:54 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has joined #openvpn
20:54 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
21:04 < akurilin> krzee: ok appreciate it
21:04 <@krzee> np
21:05 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
21:06 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
21:11 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
21:11 -!- symptom_ [~symptom@unaffiliated/h4dorno-x/x-6450635] has left #openvpn []
21:11 -!- symptom_ [~symptom@unaffiliated/h4dorno-x/x-6450635] has joined #openvpn
21:12 < akurilin> krzee: luckily most peeps who have been issued credentials still have their crts so I can retrieve them and save them for later :)
21:13 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
21:15 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
21:17 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
21:19 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
21:44 -!- symptom_ [~symptom@unaffiliated/h4dorno-x/x-6450635] has left #openvpn []
21:50 -!- nyx_o [~nyx@cav33-1-78-231-214-8.fbx.proxad.net] has joined #openvpn
22:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
22:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:20 < pekster> akurilin: easyrsa also saves them in the `certs-by-serial` dir. Technically the CRL only contains the serials of revoked certs, but openssl requires that you provide it a cert during the revocation process
22:20 < pekster> ie: if you run a CA, keep at least the certs by serial reference, which is referenced by the index text-based "database" anyway
22:35 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
22:35 < obscurehero> So, I'm having this same issue - https://forums.openvpn.net/topic14122.html
22:35 <@vpnHelper> Title: OpenVPN Support Forum Slow speeds with Windows 7 client : Server Administration (at forums.openvpn.net)
22:35 < obscurehero> and it doesn't look like it's resolved :/
22:37 < obscurehero> Android and Mac OS X clients have zero issues and have full throughput. Windows 7 client limits the down bandwidth to 2 Mbps (sometimes higher), but upload is fine.
22:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:52 -!- mode/#openvpn [+o syzzer] by ChanServ
23:12 < akurilin> pekster: I keep the database around, I'll keep the publics from now on. I didn't find "certs by serial" folder
23:12 < akurilin> however I'm guessing those 01.pem 02.pem etc were exactly that
23:12 < akurilin> I remember asking back in the day if I should have kept them and people were like meh
23:13 < akurilin> :P
23:13 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Remote host closed the connection]
23:29 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:35 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
23:36 -!- ShadniX [dagger@p5481C0A3.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:38 -!- ShadniX [dagger@p5481C03A.dip0.t-ipconnect.de] has joined #openvpn
23:38 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
23:41 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:43 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:52 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
23:57 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
23:59 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
--- Day changed Wed Sep 17 2014
00:14 -!- arescorpio [~arescorpi@178-31-245-190.fibertel.com.ar] has quit [Excess Flood]
00:29 -!- mattock_afk is now known as mattock
01:02 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
01:29 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
01:32 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
02:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:23 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 272 seconds]
02:33 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
02:35 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:50 -!- DrivenMad [~driven@c-76-28-208-170.hsd1.wa.comcast.net] has joined #openvpn
02:50 < DrivenMad> !welcome
02:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:50 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:52 < DrivenMad> I noticeed that ther is a speed cap both on openvpn and ddwrt vpn of about 256 to 320 k/s .. How do i speed that up??
02:52 < DrivenMad> !howto
02:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
02:53 < DrivenMad> !/30
02:53 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
02:54 < DrivenMad> 1topology
02:54 < DrivenMad> !topology
02:54 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
02:55 < DrivenMad> I have been doing google searches.. and cant find a definative solution... i cant be the only one running into this
03:02 <@krzee> DrivenMad, a "speed cap" ?
03:02 <@krzee> no idea what you're referring to
03:02 < DrivenMad> yes
03:02 < DrivenMad> ohh lol
03:02 <@krzee> you're saying openvpn itself has a "speed cap" of 320k/s?
03:02 < DrivenMad> im transfering files through the vpn.. and the speed is capped
03:03 <@krzee> that is unrelated to openvpn
03:03 < DrivenMad> both connections are slow compaird to the avalible internet pipe it is on.
03:03 <@krzee> but you said its a capo
03:03 <@krzee> cap*
03:03 < DrivenMad> ok..
03:03 < DrivenMad> hehe
03:03 < DrivenMad> it seems like it capped... like by the ISP
03:04 <@krzee> if it is, then its not openvpn
03:04 < DrivenMad> just wondering if anyone has run into this?
03:04 < DrivenMad> ok i understand that..
03:04 <@krzee> ran into people running QOS?  sure
03:04 <@krzee> are you using a vpn provider or your own server?
03:05 < DrivenMad> so i guess the question is: on a vpn connection you have made yourseldf.. does it use all availible bandwithc it can?
03:05 < DrivenMad> my own server..
03:05 <@krzee> not necessarily, depends on other stuff
03:05 <@krzee> !speed
03:05 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
03:05 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
03:05 < DrivenMad> its a openvpn running in vmware server
03:05 <@krzee> is english your native language?
03:06 < DrivenMad> yes
03:06 <@krzee> k
03:06 < DrivenMad> speelibng i know lol
03:06 < DrivenMad> omg
03:06 < DrivenMad> spelling
03:08 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:12 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:13 -!- DrivenMad [~driven@c-76-28-208-170.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
03:38 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
03:41 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Quit: Bye!]
03:42 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:50 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Quit: Leaving.]
04:16 -!- dazo_afk is now known as dazo
04:51 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has joined #openvpn
04:52 < deed02392> hi guys, I've established an OpenVPN setup with TLS, server and one client so far.
04:52 < deed02392> I can ping the client from the server but seemingly not the other way around
04:52 < deed02392> (over the VPN IP that is)
04:52 < deed02392> any clues as to why?
04:58 < deed02392> oh never mind
04:58 < deed02392> I had thought the server IP from the client was .5 due to the 10.8.1.5 default gateway that got created
04:59 < deed02392> i had to find that with a ping scan... is there an easier way to refer to what IP addresses have been assigned for both clients and server
05:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:23 -!- Adie [~adie2@ogdn-04-236-180.dsl.netins.net] has left #openvpn []
06:24 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:31 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
06:34 < hyper_ch> hmmm, how do you add the ca and cert files into the config so that you have an all-in-one file?
06:47 < deed02392> hyper_ch, i believe it's <ca>filecontents</ca>
06:47 < hyper_ch> yeah, found an example
06:48 < hyper_ch> at the ende <ca>\n------BEGIN[.....]\n</ca>\n<cert>[...]</cert>\n<key>[...]</key>
06:57 < havoc> yeah, I had to do that for the android client
07:02 < hyper_ch> deed02392: trying to add my new sip phone to the vpn
07:03 < deed02392> hyper_ch, cool
07:04 < hyper_ch> well, once I get it working
07:04 < hyper_ch> that way I don't have to deal with all that nat stuff between home and office
07:07 < hyper_ch> I might create a new CA though
07:10 <@ecrist> !inline
07:10 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
07:20 < hyper_ch> deed02392: basically using that right now:   http://paste.debian.net/121453/
07:34 < hyper_ch> vpn error :(
07:38 < hyper_ch> ah... reading helps :)
07:38 < hyper_ch> 'Please Note the filepaths must point to /openvpn and the config file is named vpn.cnf. '
07:49 < hyper_ch> using netcat server to protocol the vpn connection on the phone.... seem sto work fine
07:50 < hyper_ch> it works
07:55 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
08:11 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:18 -!- br4ndon [~br4ndon@80.215.198.151] has joined #openvpn
08:29 -!- mirco [~mirco@5.146.125.177] has quit [Remote host closed the connection]
08:29 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
08:41 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:42 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:55 <@krzee>  <hyper_ch> 'Please Note the filepaths must point to /openvpn and the config file is named vpn.cnf.
08:55 <@krzee> sounds like an snom
08:55 < hyper_ch> krzee: it is
08:55 < hyper_ch> seems you know your sip phones
08:55 <@krzee> i have root on them
08:55 -!- mirco [~mirco@5.146.125.177] has quit [Remote host closed the connection]
08:55 <@krzee> :-p
08:56 < hyper_ch> you don't like them?
08:56 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
08:56 <@krzee> i like them, i use them, my company sells them, i rooted them
08:56 <@krzee> i modify them
08:56 <@krzee> them = the phones themselves
08:56 < hyper_ch> btw, for generating CA and certs for SIP phones (also mobile), what do you recommend to use as parameters? bitlength, cipher etc?
08:57 < hyper_ch> my cell phones has issues with VOIP over OpenVPN
08:57 <@krzee> sorry i dont have a recommendation for you on that
08:57 <@krzee> especially because i run a business that only does voip over openvpn
08:57 < hyper_ch> so I thought I might use something that computationally not as challenging
08:58 < hyper_ch> the vpn is mainly there for avoiding all the NAT problems
08:58 <@krzee> nat problems?  freeswitch handles nat easily
08:58 < hyper_ch> well, you have to open more ports than I prefer to
08:58 < hyper_ch> with VPN it's just one port ;)
09:00 -!- mirco [~mirco@5.146.125.177] has quit [Remote host closed the connection]
09:00 <@krzee> i can tell you that if your crypto is too strong the phone wont handle it well when it renegs
09:00 <@krzee> so be sure you test that
09:00 < hyper_ch> well, the snom works fine
09:00 < hyper_ch> snom 370
09:01 -!- mirco [~mirco@5.146.125.177] has joined #openvpn
09:01 < hyper_ch> but my Nexus 4 has issues
09:01 <@krzee> or dont… on my service i told the only people who complained to just remember that when it freezes hourly for a moment, that it just means they're more secure :D
09:02 < hyper_ch> well, you can always lock yourself into a faraday cage ;)
09:02 <@krzee> nexus 4...
09:02 <@krzee> but that has a baseband
09:02 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 258 seconds]
09:02 <@krzee> which means the call isnt secure even if on a vpn
09:02 < hyper_ch> what's a baseband?
09:02 <@krzee> the part that makes it a phone
09:03 <@krzee> the part that connects to the cell towers
09:03 < hyper_ch> right... someone mentioned that before
09:03 < hyper_ch> whiche cell phone does not have a baseband?
09:03 <@krzee> none, it wouldnt be a cellphone
09:04 <@krzee> well if you arent concerned with call security it doesnt matter
09:14 <@krzee> hyper, you need to use the netcat server config option or you'll never get anywhere
09:14 <@krzee> once you have that you have openvpn logging, and you can figure it out
09:15 -!- mirco [~mirco@5.146.125.177] has quit [Ping timeout: 272 seconds]
09:16 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
09:35 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
09:36 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 258 seconds]
09:36 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Write error: Connection reset by peer]
09:47 -!- br4ndon [~br4ndon@80.215.198.151] has quit [Read error: Connection reset by peer]
09:47 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
09:51 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:04 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 255 seconds]
10:08 -!- ikkuplio [~IceChat77@ipservice-092-210-027-060.092.210.pools.vodafone-ip.de] has joined #openvpn
10:17 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:18 < Prelude2004c> Hi krzee good day
10:18 < Prelude2004c> you around?
10:22 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 245 seconds]
10:27 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
10:29 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
10:30 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
10:32 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:33 -!- Dropje [~yge@546A88C4.cm-12-3c.dynamic.ziggo.nl] has joined #openvpn
10:45 -!- br4ndon [~br4ndon@80.215.198.151] has joined #openvpn
10:47 -!- br4ndon [~br4ndon@80.215.198.151] has quit [Client Quit]
10:48 -!- br4ndon [~br4ndon@80.215.198.151] has joined #openvpn
10:48 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Remote host closed the connection]
10:50 -!- br4ndon [~br4ndon@80.215.198.151] has quit [Client Quit]
10:50 -!- br4ndon [~br4ndon@80.215.198.151] has joined #openvpn
10:57 -!- br4ndon [~br4ndon@80.215.198.151] has quit [Quit: br4ndon]
10:58 -!- br4ndon [~br4ndon@80.215.198.151] has joined #openvpn
11:01 -!- br4ndon_ [~br4ndon@80.215.162.61] has joined #openvpn
11:03 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
11:04 -!- br4ndon [~br4ndon@80.215.198.151] has quit [Ping timeout: 246 seconds]
11:28 -!- br4ndon_ [~br4ndon@80.215.162.61] has quit [Quit: br4ndon_]
11:30 < hyper_ch> strange, in the office the vpn connection worked... now at home it doesn't anymore
11:30 < hyper_ch> gotta debug
11:43 < hyper_ch> I think I found the problem
11:57 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:59 -!- Netsplit *.net <-> *.split quits: CaTtleyA_
12:00 -!- Netsplit over, joins: CaTtleyA_
12:00 -!- Netsplit *.net <-> *.split quits: arkie, Magiobiwan, yoavz, Poster, Hello71
12:00 -!- Netsplit over, joins: yoavz, Hello71, arkie, Poster, Magiobiwan
12:01 -!- Netsplit *.net <-> *.split quits: Denial, square-r00t, mgorbach, JackWinter_, ub1quit33, swebb
12:02 -!- Netsplit over, joins: ub1quit33, swebb, square-r00t, Denial, JackWinter_, mgorbach
12:02 -!- Netsplit *.net <-> *.split quits: tapout, jeev, dvl, justinzane, Dropje
12:02 -!- Netsplit over, joins: Dropje, dvl, justinzane, tapout, jeev
12:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:03 -!- nyx_o [~nyx@cav33-1-78-231-214-8.fbx.proxad.net] has quit [Ping timeout: 271 seconds]
12:04 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
12:12 -!- pisto [~pisto@222.ip-37-187-180.eu] has joined #openvpn
12:12 < pisto> is it possible to write an openvpn module that receives the full packet being sent and can possibly drop it?
12:22 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Quit: ZNC - http://znc.in]
12:23 < hyper_ch> pisto: ?
12:23 < hyper_ch> but I'd guess yes
12:23 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
12:24 < pisto> https://community.openvpn.net/openvpn/browser/openvpn-plugin.h?rev=d423cd3042c65b497142fd1817d298f5f8707135
12:24 <@vpnHelper> Title: openvpn-plugin.h – OpenVPN Community (at community.openvpn.net)
12:24 < pisto> this doesn't seem to hint so
12:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
12:25 < hyper_ch> [19:12] <pisto> is it possible to write an openvpn module    -->  since it's open source, you can write a module that will do what you want I tend to think
12:27 < pisto> well module == plugin with the standard interface
12:27 -!- jangerhofer [~jangerho@0587334915.wireless.umich.net] has joined #openvpn
12:28 < hyper_ch> interface?
12:29 < pisto> the thing I just pointed to you.
12:30 < pisto> aka what you load with --plugin
12:30 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has joined #openvpn
12:31 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
12:33 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
12:42 < hyper_ch> krzee: hmmm, it works now but the snom is pretty slow to boot up
12:51 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
13:00 -!- jangerhofer [~jangerho@0587334915.wireless.umich.net] has quit [Quit: Leaving...]
13:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:02 -!- jangerhofer [~jangerho@0587334915.wireless.umich.net] has joined #openvpn
13:10 -!- Popsikle [~popsikle@rrcs-24-103-41-58.nyc.biz.rr.com] has joined #openvpn
13:42 -!- jangerhofer [~jangerho@0587334915.wireless.umich.net] has quit [Read error: Connection reset by peer]
13:42 -!- jangerhofer [~jangerho@0587334915.wireless.umich.net] has joined #openvpn
13:42 -!- jangerhofer [~jangerho@0587334915.wireless.umich.net] has quit [Read error: Connection reset by peer]
13:42 -!- jangerho [~jangerho@0587334915.wireless.umich.net] has joined #openvpn
13:44 -!- jangerho [~jangerho@0587334915.wireless.umich.net] has quit [Read error: Connection reset by peer]
13:53 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 272 seconds]
13:56 <@dazo> pisto: there's no plug-in API for inspecting packets ... but that is an interesting thought, though
13:59 <@dazo> pisto: if you're interested in looking into extending the API with such support, I'm willing to discuss that in more details with you ... I'm the one who implemented the v3 plug-in API, and it just waits to be extended further.  However, not completely without control :)
13:59 <@krzee> you could do DPI on the server just like you could without openvpn
13:59 <@dazo> that's true ... it depends on what kind of inspection you want to do
13:59 <@krzee> or could IDS/IPS
14:00 <@krzee> sure it could be added directly into openvpn, but surely doesnt need to
14:00 <@krzee> just dont use client-to-client
14:01 <@dazo> I mean, we have packet filtering already in openvpn, as a light-weight firewall ... so some kind of packet inspection would be an interesting idea, as a light-weight filter to avoid certain types of traffic over the tunnel
14:01 <@dazo> but for high performance DPI, openvpn is not the solution, no matter what
14:04  * dazo heads home
14:04 -!- dazo is now known as dazo_afk
14:06 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Quit: Bye!]
14:06 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
14:09 < pisto> basically my problem is that I am working around missing gre and iptables u32 support
14:09 < pisto> so I use openvpn to establish a tunnel
14:10 < pisto> and I would need some DPI at that point
14:12 < pisto> sigh, I don't have even -m bpf
14:15 < hyper_ch> question: with the certs and stuff, they always seem to line break after 85 characters. Is that any convention or important? or can there be linebreaks wherever, as long as there's nothing else?
14:32 -!- mattock is now known as mattock_afk
14:37 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
14:38 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 260 seconds]
14:39 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
14:40 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:51 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
15:03 -!- ShadniX [dagger@p5481C03A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
15:04 -!- ShadniX [dagger@p5DDFD81F.dip0.t-ipconnect.de] has joined #openvpn
15:05 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:30 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:49 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
15:54 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Client Quit]
15:56 -!- ompaul [~ompaul@unaffiliated/ompaul] has joined #openvpn
16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:19 -!- ompaul [~ompaul@unaffiliated/ompaul] has quit [Quit: and zebedee said its time for other stuff]
16:23 -!- Popsikle [~popsikle@rrcs-24-103-41-58.nyc.biz.rr.com] has quit [Remote host closed the connection]
16:50 -!- nath_schwarz [~nath_schw@p54A32751.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
16:52 -!- nath_schwarz [~nath_schw@p54A32751.dip0.t-ipconnect.de] has joined #openvpn
17:13 -!- mvmdata [~Meadows@97.87.204.44] has joined #openvpn
17:16 < mvmdata> anyone here have time to help me something? I am trying to print between vpn networks, I have a diagram and I just want to be pointed in the right direction
17:29 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:36 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:48 -!- ausjke [~xxiao@li259-246.members.linode.com] has joined #openvpn
17:49 < ausjke> a real newbie question, is it possible for multiple VPN servers to have the same CA certificates? so my openvpn client can talk to multiple servers using the same CA public key and the client's keypairs?
17:49 < ausjke> or I need use a different CA.crt each time when I connect a different OpenVPN server?
17:50 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has joined #openvpn
17:50 < Hello71> !g pki
17:51 < ausjke> was reading and kind of getting lost, so want to see if there is a straight answer for this
17:56 < pekster> ausjke: Sure, you can do that. That's how you'd want to do any kind of "clustering" (multiple servers for high-availability, and/or geographically separated.)
17:57 < pekster> In most cases you'd want to issue unique server certs to each host so you could revoke them if one system was compromised. To do that securely you need to consider how you publish a CRL to clients, or have some other form of auth like OCSP which you'd need to script as openvpn won't do natively for you
17:57 < pekster> Some ideas on security at:
17:57 < pekster> !hardening
17:57 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
18:03 < ausjke> pekster: thanks. our products have an openvpn server installed and we need connect to any of them from many different client devices, thus the CA sharing question
18:04 < ausjke> otherwise it's very hard to manage the certificates and their associated keys
18:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
18:06 < pekster> Right, that's the whole point of a CA. At the very least you'd want a single CA, but you're also able to create sub-CAs if that suites your needs better (say you had a master, secure and posibly offline root CA, and then deligated control of various regions to be managed by their own teams. You could issue each a sub-CA and they could then issue their own certs)
18:21 -!- moonkid [~anonymous@ng1.cptxoffice.net] has joined #openvpn
18:41 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 260 seconds]
18:42 -!- debbie10t [~guest3459@openvpn/community/support/debbie10t] has quit [Quit: Closing]
18:52 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
19:01 < ausjke> pekster: will this work ? http://pastebin.com/hSwqfhSg
19:04 < pekster> Do not ever transport your CA key to any device but the place you are running your CA on
19:04 < pekster> Doing so is a giant security risk, moreso if that key isn't encrypted
19:05 < pekster> The 1 exception would be backups, which you shouldn't be doing to servers that run application code like that anyway
19:05 < ausjke> yes the ca.key is private and they should only reside on the deviceNNNN, this device is a FIPS 140-2 Level3 product which means nobody can break into it, well in theory
19:05 < ausjke> it has lots of sensors designed and tamper alert stuff from mechnical to electrical
19:05 < pekster> No, the CA _key_ should reside only on your PKI host and any secure backup systems
19:05 < pekster> You should _never_ put your CA key on your VPN servers
19:06 < pekster> It's bad practice to run your PKI on one of your VPN servers, but some people do. See the hardening URL above for recommendations about separate accounts in such cases
19:06 < ausjke> will read that(just come back), you mean a better practice will be running a standalone CA server
19:07 < pekster> Right. In any event, why on earth would you put the CA key on all your servers? That's silly
19:07 -!- erratic [erratic@2607:f2f8:a2c4:1001::2] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:08 < pekster> No clue what 01.pem is. Certs are stored by serial number for reference only; you don't need anything on hosts besides the CA cert and the device's keypair
19:08 < pekster> Not sure why you'd want the "first" issued client cert on each device; it won't do any good
19:09 < ausjke> http://www.openlogic.com/wazi/bid/188052/From-Zero-to-OpenVPN-in-30-Minutes  for the pem file: "Diffie-Hellman is the protocol that allows two users to exchange a secret key over an insecure medium without any prior secrets"
19:09 <@vpnHelper> Title: From Zero to OpenVPN in 30 Minutes (at www.openlogic.com)
19:09 < pekster> That file has nothing to do with DH params
19:09 < pekster> That or it's grossly misnamed
19:10 < pekster> The server is the only system that needs dhparams. 01.pem (with easyrsa anyway) is the client certificate with serial number 0x01
19:10 < pekster> Presumably you're going to give that client a more obviously named cert file, so just happily ignore it
19:11 < pekster> each node needs just 3 things: ca.crt, that_device.crt, and that_device.key
19:11 < ausjke> so, a CA with ca.crt, ca.key; a server with ca.crt, server.crt, server.key, and a client with a ca.crt, client.crt, client.key, is the normal way of doing it. the key is to put ca.crt and ca.key on a separate server
19:11 < pekster> Ideally you geneate the device keypair on that device, send the CSR to your CA, sign it, and return a cert
19:11 < pekster> See:
19:11 < pekster> !intro-to-pki
19:11 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
19:12 < pekster> No, your CA has everything except (when you're doing things securely) the keys of all the issued certificates
19:13 < pekster> Some people generate keys from the CA system (or whatever "secure environment" you're using -- some people use a dedicated user, and some don't care at all and run them as root with world-readable permissions. Tune your paranoia to suit your needs)
19:13 < ausjke> you mean CA also stores the crt for all the openvpn servers and clients?
19:13 < pekster> The CA _generates_ the certificates
19:14 < pekster> From the CSR that can be generated by any device, and should only be generated by the device using it if you require high security and more gaurenteed proof of ownership
19:14 < pekster> Ref that intro document
19:15 < pekster> 1) you set up a CA PKI on a secure environment, whatever that means to you. 2) each of your systems (VPN servers and clients) geneate their own keypairs. 3) each endpoint sends the request to the CA 4) the CA signs them. 5) the CA returns valid certificates, plus its own CA cert. 6) each device installs the certs and has all the parts they need to participate in the security
19:16 < ausjke> yes the CA can generate all ca.crt, ca.key ,then use the ca pair to produce crt/key pairs for all openvpn devices, be it server or client, instead of sign certificates for them using the certificate openvpn generates, to ease management a bit
19:16 < pekster> Ugh. No. The "CA keypair" is not used to do anything bug _sign_ the client CSRs
19:17 < pekster> I can generate a keypair just fine all on my own. So can every other person in this channel, and they don't need your CA at all. It won't do any good unless signed by _your_ CA though
19:17 < pekster> CAs sign requests. Anyone can generate one
19:18 < pekster> Read that intro document; it'll help you understand what happens a lot better
19:18 < pekster> Best to ask a follow-up question if you're still confused
19:18 < ausjke> understand that. by each device generating keys, since we have multiple platforms it's hard to manage, so we want the CA to generate the key, sign them, then assign them to openvpn devices(both server and clients)
19:19 < ausjke> the easy-rsa has a server and client key generating script, from what you just said here it seems server and client have no difference in keys, why two scripts then
19:19 < pekster> Right. A key is a key. It's just an RSA key with nothing special about it at all
19:20 < pekster> The public component is integrated into the request, which is a special format that contains the public key component and some requested information that uniquely identify the requestor
19:20 < ausjke> ./build-key-server ./build-ke  the former is for server the latter is for client
19:20 < pekster> That does 3 things: generates the keypair, generates the CSR, and signs it all at once
19:21 < pekster> If that's the model you wish to use, go for it. Just don't send the ca key or that 01.pem to any of the end-systems
19:23 < ausjke> one last question, if i use this model, since i will have multipl servers, should I run './build-key-server serverXYZ' multiple times for each openvpn server? or all the server can share the same key generated by one 'build-key-server' that is only run once?
19:24 < pekster> If you geneate a single key that you re-use on multiple servers, you'll be unable to revoke just one of them individually
19:24 < pekster> If you're not planning to do client-side verification of revoked server-certs it's a moot point anyway since that kind of compromise would require that you re-do your entire PKI anyway
19:25 < pekster> As the Hardening wiki page I linked you to notes, multiple servers sometimes requires more careful planning regarding compromised servers. But that depends on your security needs
19:25 < ausjke> great thanks. will study those pages
19:26 < pekster> That's part of the "tune your effort to your level of paranoia" bit
19:36 < ausjke> For pre-shared keys, I can do that easy between one client and one server, but is it technically possible to use the same pre-shared key to do many-to-many openvpn connections, e.g. two pcs and two devices establish four vpn connection using the exact same pre-shared key, pc1-device1, pc1-device2, pc2-device1, pc2-device2
19:37 < ausjke> all at the same time
19:38 < pekster> Sure
19:38 < pekster> If the same client cert is used to connect multiple times to a single server you need:
19:38 < pekster> !dupe
19:39 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
19:42 < ausjke> awesome! thanks again!!
19:53 -!- Adie [~adie2@ogdn-04-236-180.dsl.netins.net] has joined #openvpn
20:01 -!- Adie [~adie2@ogdn-04-236-180.dsl.netins.net] has left #openvpn ["Leaving"]
20:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
20:15 -!- n6 [NumberSix@unaffiliated/n6] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
20:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:25 -!- nath_schwarz [~nath_schw@p54A32751.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
20:26 -!- nath_schwarz [~nath_schw@p54A327CE.dip0.t-ipconnect.de] has joined #openvpn
20:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:06 -!- moonkid [~anonymous@ng1.cptxoffice.net] has quit [Quit: moonkid]
21:28 -!- dubwoc [~meh@pool-71-190-138-124.nycmny.fios.verizon.net] has left #openvpn ["WeeChat 0.4.3"]
21:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:36 <@krzee> note, that is not pre-shared keys, that is PKI
21:41 -!- Skcream [~skunkcrea@173.192.81.189-static.reverse.softlayer.com] has joined #openvpn
21:41 < Skcream> !welcome
21:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:42 < Skcream> I would like to be able to tunnel multiple VPN connections through each other (UDP only), I want to write a python script to do this dynamically with VPN accounts of my choice. I'm familiar with iproute2 and linux networking, but I'm looking for suggestions on the optimal way to do it.
21:43 < Skcream> Unfortunately according to my experience with IRC help channels, this whole room will be dead.
21:43 <@krzee> depends how you want to do it
21:43 < Skcream> Of course I'm glad to be mistaken. :3
21:43 <@krzee> you looking to do it on servers you dont control?
21:43 <@krzee> like vpn providers and whatnot?
21:43 < Skcream> I'm looking to do it entirely with my client using commerical VPN providers I paid for.
21:43 <@krzee> ya, thats what i figured
21:43 < Skcream> I was thinking multiple tun devices networked with iproute but I'm not sure if that's a good way.
21:43 < Skcream> Any suggestions?
21:44 <@krzee> i like the idea, keep me informed on your progress if you would ;]
21:44 <@krzee> yes, i have a suggestion
21:44 <@krzee> heres how you bust it...
21:44 < Skcream> krzee: I'm gonna write a blog about the whole thing.
21:44 <@krzee> you familiar with how def1 flag to redirect-gateway works in openvpn?
21:44 < Skcream> I am not.
21:44 <@krzee> familiar with how routing works, and cidr?
21:44 < Skcream> Yes, yes.
21:45 <@krzee> k, good, heres what def1 does
21:45 <@krzee> overrides 0.0.0.0/0 with 2 routes, 0.0.0.0/1 and 128.0.0.0/1
21:45 <@krzee> so you keep your default gateway
21:45 < Skcream> I see.
21:45 <@krzee> but it also first gives a route to the vpn server going over the original default gateway
21:46 < Skcream> I've been passing environment variables to my own scripts with --route-up and setting up 128.0.0.0/1 manually.
21:46 <@krzee> so then you connect to another vpn server, and set 4 new /2 routes to override the /1 routes
21:46 <@krzee> and also make a direct route to the second vpn server going over the first vpn server
21:47 <@krzee> basically, you keep doing what redirect-gateway does, but you override the routes with double the amount of the next cidr entry
21:47 <@krzee> btw, i like to call that vpnchains
21:47 <@krzee> i have a few different topologies for doing it
21:47 < Skcream> I want to eventually expand the functionality of my program to work with Socks5 and HTTP proxies.
21:47 <@krzee> some being darknets and some being what you are looking for
21:47 < Skcream> And anything else I feel like adding.
21:48 <@krzee> yes, that is a good idea, and socks inside the vpn
21:48 <@krzee> for:
21:48 <@krzee> !routebyapp
21:48 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
21:48 <@vpnHelper> policies you set. For Linux, read about !lartc
21:48 < Skcream> krzee: Is there a way to do it without iptables? As in just forcing the OpenVPN program to do it...oh wait.
21:48 <@krzee> iptables?  when did i bring up iptables?
21:48 < Skcream> Whoops.
21:48 < Skcream> *iproute
21:48 <@krzee> well you can ask openvpn to do the routes
21:49 <@krzee> but it'll still just call iproute
21:49 < Skcream> Right, and I guess if I know what I'm doing it won't be too messy.
21:49 <@krzee> the other problem is that many moronic vpn providers push redirect-gateway at you
21:49 < Skcream> This is a good way to force myself to learn more about the internals of linux networking.
21:49 <@krzee> instead of letting it be in the client config
21:49 < Skcream> They can force it?
21:49 <@krzee> sure
21:49 <@krzee> !push
21:49 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
21:49 <@krzee> if that is the case, you first have to ignore the routes from the server, and then add your own
21:50 <@krzee> at least on all but the first
21:51 <@krzee> or if you find a cool tech at the provider you can ask them to make you a ccd entry with push-reset and the other necessary push entries after, to lose the redirect-gateway option
21:51 < Skcream> krzee: I'm sure I can set up my script to do that. Although I'm trying to think of an architecture that will allow me to easily expand it with modules for other protocols.
21:51 <@krzee> since if they "did it right" (according to me) they would leave redirect-gateway in the client configs for people to optionally use it
21:52 <@krzee> i think it should be modules for different transports
21:53 < Skcream> krzee: Part of me wants to set up multiple LXC containers or chroot jails or something to encapsulate all the routes from one another. I guess I can just multiple iproute2 tables that take priority over one another...I dunno maybe I'm just not that familiar with the tools but it seems a bit messy to me.
21:53 <@krzee> but thats none of my business ;]
21:53 < Skcream> krzee: That's what I was thinking.
21:53 < Skcream> No no, I appreciate the input.
21:53 < Skcream> You're like...the first person to immediately help me out with this.
21:53 <@krzee> i happen to have done a bit of stuff with vpnchains
21:54 <@krzee> i usually dont help people with it really other than pointers to docs i wrote… but you're not asking for anything to do it for you, you just want ideas for how to design your topology
21:54 < Skcream> krzee: If I remember that's how iproute works right? You can create multiple tables that take priority? So I could create one for each vpn connection as I layer them on top of each other? Or am I completely mistaken?
21:54 <@krzee> its advanced networking for sure
21:54 < Skcream> Docs? Anything useful to me?
21:55 < Skcream> krzee: Yeah and it's real linux hacker stuff, it will look great on my resume.
21:55 < Skcream> Besides I should really be contributing to the open source world at my age.
21:55 <@krzee> you wont need multiple tables for the vpnchains
21:55 < Skcream> I've used linux for over a decade now.
21:55 <@krzee> you will need multiple tables IF you still want to serve things to the internet over the original ISP ip
21:55 <@krzee> which would be like:
21:56 <@krzee> !splitroute
21:56 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
21:56 <@krzee> (normally your replys would go over the vpn and get lost because they dont come from the expected ip)
21:56 < Skcream> krzee: They wouldn't simplify setting all this up? I'm just thinking of it from the perspective of my python script, I don't want the table to become an unholy mess.
21:57 <@krzee> well my docs arent suited towards your needs, they are more for when you run your own servers
21:57 <@krzee> !google vpnchains secure-computing
21:57 <@vpnHelper> OpenVPN/VpnChains - Secure Computing Wiki: <https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains>; How to Chain VPNs for Complete Anonymity « Null Byte: <http://null-byte.wonderhowto.com/how-to/chain-vpns-for-complete-anonymity-0131368/>; Is this VPN chaining or VPN nesting? Is it better than TOR ...: <http://www.wilderssecurity.com/threads/is-this-vpn-chaining-or-vpn-nesting-is-
21:57 <@vpnHelper> it-better-than-tor.275888/>
21:57 <@krzee> link #1
21:57 < Skcream> Wow.
21:57 < Skcream> That's incredibly useful.
21:57 <@krzee> not especially
21:57 < Skcream> It seems like I found barely anything with google.
21:57 <@krzee> its for darknet building
21:57 <@krzee> when its your servers
21:58 <@krzee> its still cool stuff and i think you'll love it
21:58 <@krzee> the key to chaining them like i did there is understanding my other document:
21:58 <@krzee> !route
21:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
21:58 < Skcream> krzee: You don't think it adds anything to anonymity?
21:58 < Skcream> I'm really glad I found you. :3
21:58 <@krzee> Skcream, sure it can, but you want to use accounts from providers
21:59 < Skcream> Right.
21:59 <@krzee> mine isnt for that
22:00 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
22:00 <@krzee> i run many servers, so i concern myself more with building sane darknet topologies than using accounts on servers that i dont control
22:00 <@krzee> with that said, i like the idea you're talking about
22:00 < Skcream> krzee: Ever hear of Uplink? It's a silly hacker game that's about as far form real penetration testing as you can get. But they have this neat proxy screen and I thought "You know I want to learn GUI programming and low-level networking using Python, and I have a lot of VPN accounts, I should make a real version of that!" http://www.youtube.com/watch?v=3be57MENqXw
22:00 <@vpnHelper> Title: Uplink: attempt to bank hacking - YouTube (at www.youtube.com)
22:01 < Skcream> krzee: Your interest in Darknets interests me, tell me about it.
22:01 <@krzee> well i run a voip darknet service
22:01 < Skcream> Really? I've played around with Voip over Tor a bit.
22:01 < Skcream> It was...surprisingly usable.
22:01 <@krzee> encrypted phones that only operate within my darknet
22:01 <@krzee> it was!?
22:01 <@krzee> i would NOT expect it to be
22:01 < Skcream> Well I had to use it like a radio.
22:01 < Skcream> Neither did I.
22:02 < Skcream> I used mumble.
22:02 <@krzee> id expect it to be very unusable because of the high jitter
22:03 < Skcream> krzee: Ever hear of Retroshare?
22:03 < Skcream> I wanted to contribute to it before I realized I wasn't a good enough programmer.
22:03 < Skcream> They offer a decentralized Voip service.
22:03 < Skcream> The friend-2-friend connection protocol is a nice compromise between darknets and speed in my opinion.
22:03 <@krzee> darknets dont have to be slow
22:03 <@krzee> tor just happens to be
22:04 <@krzee> mine are very much not
22:04 <@krzee> but they also have nowhere near the activity tor has, obviously
22:04 < Skcream> krzee: So what are the features of your darknets? Can I play too?
22:04 <@krzee> ahh so retroshare is gpg
22:05 <@krzee> so no forward security im guessing?
22:05 < Skcream> I doubt it. Actually I think using PGP is a bad idea to begin with.
22:06 <@krzee> no special features, just a closed phone network
22:06 < Skcream> What I would really like to see is an alternative web-of-trust model build on blockchain technology.
22:06 < Skcream> *built.
22:06 < Skcream> With the ability to add comments and varying levels of trust for users.
22:06 < Skcream> Something like Bitcoin-OTC.
22:06 < Skcream> But on a massive scale.
22:07 < Skcream> krzee: You on here often?
22:07 <@krzee> remember when you use blockchains you have to have more computing power than the adversaries… if you dont have enough early adopters it can be a dangerous technology
22:07 <@krzee> !ircstats
22:07 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
22:07 < Skcream> Ha!
22:08 <@krzee> :D
22:08 < Skcream> Are you one of the developers krzee?
22:08 <@krzee> am not
22:08 <@krzee> would be if i was much of a coder
22:08 < Skcream> Well you're impressive in either case.
22:08 <@krzee> thx
22:09 < Skcream> I would like to be your friend.
22:09 < Skcream> Also, I can't believe someone hasn't already made an OpenVPN chaining script.
22:11 <@krzee> someone was explaining to me that i couldnt be done
22:11 <@krzee> so i came up with the method i just told you to shut him up
22:12 <@krzee> after he didnt like my way in my doc because he was talking about with vpn providers, like you are talking about
22:13 < Skcream> krzee: It is still silly to say it can't be done.
22:13 < Skcream> After all people do it in virtual machines all the time.
22:14 <@krzee> especially when it can.
22:14 < Skcream> In my experience most of the time (but not always) when people say "It can't be done." or "Why would you want to do that?" they mean "I don't know how to do that."
22:14 < Skcream> At least with this kind of thing.
22:14 < Skcream> They're just packets.
22:15 <@krzee> the nice thing about the def1 overriding i talked about was that if you lose a piece of the chain you keep your default route over the last vpn in the chain
22:16 <@krzee> i forgot to mention you add the route to the next vpn server with the gateway set as the last vpn server's interal VPN ip
22:16 <@krzee> but im sure that just makes sense
22:17 < Skcream> krzee: I was just looking at that. I guess I'll want to save a backup of the table before modification in my script in case something goes wrong.
22:18 < Skcream> krzee: Part of me still wants to isolate this from iptables, you mentioned earlier other topologies, did you have something in mind or is this probably my best bet?
22:18 <@krzee> iptables??
22:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:19 < Skcream> Ugh, iproute.
22:19 < Skcream> I'm sorry, I don't know why I keep doing that.
22:19 <@krzee> you'll be dealing with the routing table no matter what
22:19 < Skcream> Besides I'd use nftables instead of iptables for a firewall anyway.
22:36 < Skcream> (02:46:16 AM) krzee: so then you connect to another vpn server, and set 4 new /2 routes to override the /1 routes << 4 Routes? Could you go into more detail?
22:36 < Skcream> Wouldn't you only have two routes?
22:36 -!- arescorpio [~arescorpi@178-31-245-190.fibertel.com.ar] has joined #openvpn
22:52 < Skcream> Anyway thanks krzee, I'll probably be on another time. Good to meet you.
22:53 -!- Skcream [~skunkcrea@173.192.81.189-static.reverse.softlayer.com] has quit [Remote host closed the connection]
23:05 -!- arescorpio [~arescorpi@178-31-245-190.fibertel.com.ar] has quit [Excess Flood]
23:10 -!- ShadniX [dagger@p5DDFD81F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:12 -!- ShadniX [dagger@p5481D395.dip0.t-ipconnect.de] has joined #openvpn
23:25 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:47 < hyper_ch> krzee: are you there?
--- Day changed Thu Sep 18 2014
00:08 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 245 seconds]
00:11 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
01:08 -!- mvmdata [~Meadows@97.87.204.44] has quit [Ping timeout: 246 seconds]
01:29 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
01:30 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
01:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:51 -!- dazo_afk is now known as dazo
02:00 -!- cirkit [dethwish@peanut-butter.net] has quit [Ping timeout: 245 seconds]
02:00 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 240 seconds]
02:25 -!- nath_schwarz [~nath_schw@p54A327CE.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
02:28 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
02:30 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 255 seconds]
02:33 -!- nath_schwarz [~nath_schw@p54A327CE.dip0.t-ipconnect.de] has joined #openvpn
02:33 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
02:33 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
02:35 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
02:39 -!- Netsplit *.net <-> *.split quits: meepmeep, RaiNerTsuFal
03:00 -!- Netsplit over, joins: RaiNerTsuFal, meepmeep
03:05 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 258 seconds]
03:06 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
03:08 < KNERD> The android client needs a change. On my device sdcard fold is built in storage. The SD card I stick in is called extsd,...so when try to inport a profile I get an error stating no certificate found in sdcard
03:28 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
03:45 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Ping timeout: 255 seconds]
04:06 -!- M^tt [~matt@mjleonard.com] has joined #openvpn
04:07 < M^tt> Hello, I have created a tap adapter on my windows machine using the addtap.bat file, when i try and set a static ip on this adapter as soon as i close it and reopen its back to dhcp, what am i doing wrong ?
04:11 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
04:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:22 <@dazo> M^tt: you need to set the IP address in the openvpn config file
04:23 <@dazo> KNERD: file a bug ticket
04:24 < M^tt> i just wanted to use the tap interface like with a tap interface in linux
04:24 < M^tt> not actually building an openvpn tunnel
04:31 <@dazo> M^tt: then your application needs to configure the IP address in a similar way as OpenVPN does ... I'm no Windows developer, so in this case I'm on a very thin ice
04:32 < M^tt> no problem, thank you for your help :)
04:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:43 -!- M^tt [~matt@mjleonard.com] has left #openvpn ["Leaving"]
05:02 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
05:05 -!- br4ndon [~br4ndon@80.215.133.251] has joined #openvpn
05:06 -!- br4ndon [~br4ndon@80.215.133.251] has quit [Client Quit]
05:06 -!- br4ndon [~br4ndon@80.215.133.251] has joined #openvpn
05:07 -!- br4ndon [~br4ndon@80.215.133.251] has quit [Client Quit]
05:08 -!- br4ndon [~br4ndon@80.215.133.251] has joined #openvpn
05:18 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
05:25 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
05:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:32 -!- br4ndon [~br4ndon@80.215.133.251] has quit [Quit: br4ndon]
05:55 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
05:55 < wallbroken> hi guys
05:55 < wallbroken> is there some way to store user and password directly in ovpn file?
05:57 <@dazo> wallbroken: not directly in the config file ... but you can use an additional file
05:57 < wallbroken> auth-user-pass requires a file with credential
05:58 < wallbroken> i do need to store it directly in config file
05:58 < wallbroken> is there no way to do it?
05:58 <@dazo> that's not possible
05:58 < wallbroken> i need to create an "autologin profile"
05:58 <@dazo> it's still not possible
05:58 < wallbroken> to put it in openvpn connect app for ios
06:01 -!- br4ndon [~br4ndon@80.215.133.251] has joined #openvpn
06:17 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 258 seconds]
06:30 -!- mattock_afk is now known as mattock
06:34 -!- mz` [~emerick@unaffiliated/mz/x-5510238] has joined #openvpn
06:35 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
06:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 246 seconds]
06:55 -!- pisto [~pisto@222.ip-37-187-180.eu] has left #openvpn ["Leaving"]
06:57 -!- br4ndon [~br4ndon@80.215.133.251] has quit [Quit: br4ndon]
07:26 -!- knob [~knob@76.76.202.243] has joined #openvpn
07:26 < knob> !welcome
07:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
07:26 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:27 < knob> !forum
07:27 <@vpnHelper> "forum" is (#1) The official OpenVPN support forum is available at http://forums.openvpn.net or (#2) you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
07:31 < knob> !paste
07:31 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
07:35 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
07:36 -!- Droolio [~drool@host109-155-184-0.range109-155.btcentralplus.com] has joined #openvpn
07:46 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:15 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 272 seconds]
08:24 -!- Skcream [~skunkcrea@173.192.81.163] has joined #openvpn
08:28 < Skcream> !lartc
08:28 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
08:30 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
08:54 -!- runa [~runa@190.55.90.71] has joined #openvpn
08:55 < runa> heyas. avahi over openvpn is still a dream, right? :)
08:57 < Skcream> Heyas is a nice name.
08:58 < runa> avahi is nicer :)
09:00 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:01 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
09:13 < Skcream> runa: You familiar with CIDR? Perhaps you can answer a question of mine.
09:34 -!- soapee01_ [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:36 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
09:49 -!- Skcream [~skunkcrea@173.192.81.163] has quit [Quit: Leaving.]
09:59 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
10:07 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Quit: Lost terminal]
10:08 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:19 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
10:45 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 272 seconds]
10:49 -!- dazo is now known as dazo_afk
10:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:00 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
11:58 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:22 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
12:25 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:44 -!- ikkuplio [~IceChat77@ipservice-092-210-027-060.092.210.pools.vodafone-ip.de] has quit [Quit: Say What?]
12:48 -!- Popsikle [~popsikle@67.110.154.218.ptr.us.xo.net] has joined #openvpn
12:59 -!- Popsikle [~popsikle@67.110.154.218.ptr.us.xo.net] has quit [Ping timeout: 272 seconds]
13:21 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 272 seconds]
13:53 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has quit [Read error: Connection reset by peer]
13:56 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
14:04 < KNERD> bug report filed ; https://community.openvpn.net/openvpn/ticket/448#ticket
14:05 <@vpnHelper> Title: #448 (Android client needs ability to change default directory from "sdcard") – OpenVPN Community (at community.openvpn.net)
14:52 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has joined #openvpn
14:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:53 -!- mode/#openvpn [+v s7r] by ChanServ
14:53 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
15:24 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
15:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:55 -!- mattock is now known as mattock_afk
16:08 -!- knob is now known as Guest22269
16:09 -!- averagecase [~anon@cl-6544.cgn-01.de.sixxs.net] has joined #openvpn
16:09 -!- averagecase [~anon@cl-6544.cgn-01.de.sixxs.net] has quit [Read error: Connection reset by peer]
16:17 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
16:18 -!- khaldrogox [~anonymous@64.13.138.81] has left #openvpn []
16:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:27 -!- xdcc [~xdcc@webproxy.us.com] has quit [Read error: Connection reset by peer]
16:27 -!- Prelude2004c [Prelude200@dsl-67-55-28-3.acanac.net] has quit [Ping timeout: 240 seconds]
16:27 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Ping timeout: 240 seconds]
16:28 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
16:31 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
17:02 -!- Ulrar [~Ulrar@luwin.ulrar.net] has left #openvpn ["WeeChat 0.4.3"]
17:07 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
17:18 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:23 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 260 seconds]
17:43 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
18:02 -!- moonkid [~anonymous@50.244.97.170] has joined #openvpn
18:03 -!- mz` is now known as Wurst
18:12 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
18:12 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
18:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
18:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:19 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 250 seconds]
18:20 -!- u0m3 [~u0m3@92.80.106.41] has joined #openvpn
18:57 -!- moonkid [~anonymous@50.244.97.170] has quit [Quit: moonkid]
18:58 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:01 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
19:05 -!- u0m3 [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
19:09 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
19:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:32 -!- moonkid [~anonymous@50.244.97.170] has joined #openvpn
19:42 -!- nath_schwarz [~nath_schw@p54A327CE.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
20:21 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
20:21 -!- moonkid [~anonymous@50.244.97.170] has quit [Quit: moonkid]
20:26 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
20:27 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:28 -!- moonkid [~anonymous@50.244.97.170] has joined #openvpn
20:43 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
20:44 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:53 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
20:54 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:00 -!- moonkid [~anonymous@50.244.97.170] has quit [Quit: moonkid]
21:05 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
21:23 -!- u0m3 [~u0m3@92.80.106.41] has joined #openvpn
21:25 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 255 seconds]
21:35 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
21:38 -!- Skcream [~skunkcrea@173.192.81.163] has joined #openvpn
21:38 -!- u0m3 [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
21:38 < Skcream> Hey krzee, you around? I have a quick question.
21:51 -!- arescorpio [~arescorpi@178-31-245-190.fibertel.com.ar] has joined #openvpn
21:52 -!- Skcream [~skunkcrea@173.192.81.163] has quit [Ping timeout: 272 seconds]
21:52 <@krzee> sup
22:09 < KNERD> per
22:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:31 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
23:08 -!- arescorpio [~arescorpi@178-31-245-190.fibertel.com.ar] has quit [Excess Flood]
23:11 -!- ShadniX [dagger@p5481D395.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:12 -!- ShadniX [dagger@p5481D6A8.dip0.t-ipconnect.de] has joined #openvpn
23:14 -!- Droolio [~drool@host109-155-184-0.range109-155.btcentralplus.com] has quit [Ping timeout: 260 seconds]
23:18 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
23:21 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
23:32 -!- elfixit1 [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
--- Day changed Fri Sep 19 2014
00:05 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
00:17 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 260 seconds]
00:18 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 272 seconds]
00:18 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
00:23 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
00:24 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
00:41 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:44 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 272 seconds]
00:45 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 272 seconds]
00:45 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 250 seconds]
00:46 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
00:46 < KNERD> For the Android client. Is there a method to not have the requirement of a password setup for the device?
00:57 -!- Samopotamus [~IRCIdent@ks4002259.ip-198-100-147.net] has joined #openvpn
00:57 -!- mattock_afk is now known as mattock
00:59 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
01:11 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
01:12 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
01:20 -!- CryptoSiD [SiD@CryptoSiD.DonSiD.net] has joined #openvpn
01:20 -!- CryptoSiD [SiD@CryptoSiD.DonSiD.net] has left #openvpn []
01:28 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
01:28 < hyper_ch> krzee: online?
01:30 -!- Samopotamus [~IRCIdent@ks4002259.ip-198-100-147.net] has quit [Ping timeout: 272 seconds]
01:30 -!- Latrina [~Latrina@ppp-205-42.26-151.libero.it] has quit [Ping timeout: 260 seconds]
01:30 -!- Latrina [~Latrina@ppp-205-42.26-151.libero.it] has joined #openvpn
01:31 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
01:34 -!- gehidore [~username@unaffiliated/man] has joined #openvpn
01:34 -!- gehidore [~username@unaffiliated/man] has left #openvpn ["WeeChat 0.4.3"]
01:38 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 260 seconds]
01:58 -!- gehidore [~username@unaffiliated/man] has joined #openvpn
02:00 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
02:01 -!- svm_invictvs1 [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:01 < svm_invictvs1> Hello
02:01 < gehidore> you made
02:01 < gehidore> it
02:01 -!- gehidore [~username@unaffiliated/man] has left #openvpn ["wc"]
02:02 < svm_invictvs1> heh
02:03 < svm_invictvs1> If I want to run local traffic through the VPN for specific IP addresses, can that be accomplished using the following?
02:04 < svm_invictvs1> push route <external ip> ?
02:04 < svm_invictvs1> That seems to work for OSX clients, but in windows I get something saying...<external ip> is not a network address in relation to netmask
02:10 -!- svm_invictvs1 is now known as svm_invictvs
02:11 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
02:13 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:35 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 250 seconds]
02:37 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
02:40 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
02:41 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:05 < hyper_ch> !def1
03:05 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
03:08 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
03:22 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 258 seconds]
03:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
03:54 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 272 seconds]
04:06 -!- dazo_afk is now known as dazo
04:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
04:21 < hyper_ch> krthnz: how to reset the snom to factory settings
04:25 < hyper_ch> krzee: something totally strange going on with my snom
04:44 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 240 seconds]
04:44 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
04:51 < hyper_ch> krzee: http://images.sjau.ch/img/1ae86eae.jpg also why is there a /!\ next to the vpn?
05:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
05:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:14 -!- nath_schwarz [~nath_schw@p54A327E1.dip0.t-ipconnect.de] has joined #openvpn
05:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:38 -!- theTroy [~troy@unaffiliated/thetroy] has joined #openvpn
05:38 < theTroy> Is there a syntax for client configuration file that is relative and works both on linux and windows?
05:46 < hyper_ch> theTroy: is relative?
05:47 < hyper_ch> theTroy: you can add the keys and certs into the config file itself
05:47 < theTroy> hyper_ch: interesting! I will look into that, might even be an easier option than trying to have them as separate files
05:47 < theTroy> thank you!
05:48 < hyper_ch> http://paste.debian.net/121912/
05:49 < hyper_ch> you have the begin and end section in the certs and key files... so just fill that in
05:50 < theTroy> hyper_ch: perfect, thank you!
05:55 < theTroy> wish there was a way to automatically assemble such a config >.> guess a bit of java scripting will do the job
05:56 < hyper_ch> ?
05:58 < theTroy> hyper_ch: I meant to have the key generator automatically attach keys to a provided config file, as otherwise you have to manually assemble the config by pasting the keys into it. I will be writing a script to do it for me, but it would have been nice to have something that could do it automatically
05:58 -!- troyt_ [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 260 seconds]
05:59 < hyper_ch> bash, incron
05:59 < hyper_ch> whenever new keys are added the the key folder
05:59 < hyper_ch> incron picks them up and runs a bash script
05:59 < hyper_ch> that will assemble a new config
05:59 < theTroy> java is just more convenient for me, its not a biggie :)
05:59 < hyper_ch> and then you have automagic :)
05:59 < hyper_ch> java != javascript
05:59 < theTroy> thanks for the idea though :P
05:59 < theTroy> I meant java script, not javascript
06:00 < theTroy> script coded in java :)
06:00 < hyper_ch> it should be easy to do with bash
06:00 < hyper_ch> and way more efficient than running java
06:28 < hyper_ch> theTroy: still there?
06:34 -!- Guest22269 [~knob@76.76.202.243] has quit [Quit: Leaving]
06:37 < hyper_ch> theTroy: maybe soemthing like this:  http://paste.debian.net/121920/
06:38 < hyper_ch> not sure about the user.cert file... that contains a bit more than just  ----- begin -----   and    ------ end -------
07:08 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 260 seconds]
07:10 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
07:11 < theTroy> hyper_ch: client.cert contains a lot of lines before begin, nothing after end, and thanks! I'll look into that example, was halfway done with my java implementation >.> I am simply too used to it...
07:11 < hyper_ch> theTroy: yeah, I don't know if you'd have to filter those lines out... I did this far but never tested it with them inside
07:12 < hyper_ch> I mean you have ---- begin ---- and ----- end ----- as actual markers for the cert... so it might well be the other lines won't matter at all
07:12 < hyper_ch> since they are also included if you have the client.crt as external file and reference it in the config
07:13 < theTroy> hyper_ch: yeah it works, you can add whatever you like between the <cert> </cert>, it seems to search for begin/end
07:13 < theTroy> so just catting those files should work
07:14 < hyper_ch> :)
07:14 < theTroy> thank you so much :P
07:14 < hyper_ch> :) good luck
07:14 < hyper_ch> of course, in my script, remove lines 28 and 30
07:15 < theTroy> yeah, I got that
07:15 < hyper_ch> and it could be altered to overwrite existing confs if you supply a second parameter
07:15 < hyper_ch> instead of aborting
07:15 < hyper_ch> or you can do it just in java
07:16 < hyper_ch> shouldn't be too hard either... except java taxes a lot heavier on the system than bash ;)
07:16 < theTroy> yeah, well my signing machine can handle java
07:16 < hyper_ch> you know that phrase with cannons and sparrows :)
07:17 < hyper_ch> but it was a good excercise for me also :)
07:23 -!- theTroy [~troy@unaffiliated/thetroy] has quit [Ping timeout: 260 seconds]
07:29 -!- mattock is now known as mattock_afk
07:30 -!- theTroy [~troy@unaffiliated/thetroy] has joined #openvpn
07:31 -!- s7r_i [~s7r@openvpn/user/s7r] has joined #openvpn
07:31 -!- mode/#openvpn [+v s7r_i] by ChanServ
07:31 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
07:36 -!- s7r_i_w [~s7r@openvpn/user/s7r] has joined #openvpn
07:36 -!- mode/#openvpn [+v s7r_i_w] by ChanServ
07:36 -!- s7r_i [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
07:38 -!- s7r_i_w_g [~s7r@openvpn/user/s7r] has joined #openvpn
07:38 -!- mode/#openvpn [+v s7r_i_w_g] by ChanServ
07:39 -!- s7r_i_w [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
07:52 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:53 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
07:53 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
08:24 <@krzee> hyper_ch, the /!\ is unrelated to the vpn, check the manual
08:25 -!- cheesenbiscuts [~cheesenbi@110.159.10.166] has joined #openvpn
08:30 < hyper_ch> krzee: another strange thing.... now I've taken the phone home again but it didn't build teh vpn connectiona nymore
08:31 < hyper_ch> aren't config and stuff stored permanently on the phone?
08:31 <@krzee> ya, you did enable netcat logging… right?
08:31 <@krzee> cause if not, you shouldnt even be asking me anything, or telling me anything… since last time we talked i told you to do that...
08:32 < cheesenbiscuts> Hi Everybody, I asked my question in openvpn-as but nobody answered :(
08:32 <@krzee> cheesenbiscuts, try their web support
08:32 < cheesenbiscuts> Should I ask here for openvpn dd-wrt server problems?
08:32 <@krzee> !as
08:32 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
08:32 <@krzee> cheesenbiscuts, dont ask anything about AS here =]
08:32 < hyper_ch> well, it worked at the office.... now I took it home and now it doesn't seem to work anymore... also the displays get scratched quite easily :(
08:33 < cheesenbiscuts> it's not a commercial product.
08:33 <@krzee> !factoids search as
08:33 <@vpnHelper> 'winpass', '2.1-winpass-script', 'easy-rsa-unix', 'broadcast-relay', 'authpass', 'nopaste', 'password-only', 'bcast', 'basic', 'strip-passphrase', 'change-passphrase', 'enable-passwd-save', 'release-notes', 'no_as', 'easy-rsa', 'ask', 'password', 'asbestos', 'pastebin', 'easyrsa-ng', 'easyrsa', 'dnsmasq', 'paste', and 'AS'
08:33 <@krzee> !no_as
08:33 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
08:33 <@krzee> there, that's the AS link
08:33 <@krzee> cheesenbiscuts, why would you be asking in AS if its not a commercial product?  if its AS related it is.
08:34 <@krzee> hyper_ch, you still didnt look at your log?
08:34 <@krzee> you been here for years, you know better.
08:34 < hyper_ch> I've had a snom 370 for 24h :) not for years
08:34 <@krzee> but you know to look at the log
08:34 < cheesenbiscuts> it's OpenVPN running on a DD-WRT firmware on an ole' router. it's not a commercial product.
08:35 <@krzee> then i told you to look at the log
08:35 <@krzee> cheesenbiscuts, then why were you looking at #openvpn-as?
08:35 < hyper_ch> rebooted it, now vpn is there
08:35 < cheesenbiscuts> I just thought you guys had seperate channels for client and server problems...
08:35 <@krzee> cheesenbiscuts, i feel like there must be more to it
08:35 <@krzee> cheesenbiscuts, ok please do ask your question in here
08:35 <@krzee> if its about opensource openvpn this is the right place
08:37 < cheesenbiscuts> ok... thanks
08:38 < cheesenbiscuts> so I've setup openvpn on my dd-wrt DIR-825 router as a server. I'm 99% of the way there with one problem.
08:40 < cheesenbiscuts> my clients can connect to my openvpn server fine and they can browse to the dd-wrt server configuration page, but they cannot get out onto the internet. I've been using the iptables masquerade command to fix what I belive is a natting problem, but I still can't get my clients internet access no matter what interface I uses as the output interface.
08:40 <@krzee> cheesenbiscuts,
08:40 <@krzee> !redirect
08:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
08:40 <@krzee> see the flowchart
08:43 < cheesenbiscuts> thanks. I will reconfirm but I belive the new builds of dd-wrt openvpn server setup have a radio button called 'Redirect default Gateway' this adds readirect gateway you speak of.
08:45 < hyper_ch> krzee: are there also recommended wireless headsets for the snoms?
08:53 < cheesenbiscuts> @krzee. I have in my config: PUSH_REPLY redirect-gateway def1 route-gateway 10.1.4.1
09:00 < cheesenbiscuts> so, using this diagram I'm back to the Natting problem.
09:01 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
09:02 <@ecrist> yes
09:02 <@ecrist> soory
09:05 < brad_mssw> I'm new to openvpn and just trying to research before I deploy.  When using tunneling mode, on the server, does each new connection create a new tunX device?  And does that tunX device show the ip address it got from the ip pool?
09:05 < brad_mssw> (via ip addr or similar)
09:05 <@ecrist> no, only a single tun device is used
09:06 < brad_mssw> oh, interesting, so it isn't like l2tp where each user gets a pppX interface
09:07 <@krzee> hyper_ch, yes there are. we dont use them (against the idea of secure calls to broadcast your stuff with a wireless headset)
09:08 < brad_mssw> ok, next question ... I noticed in the access server, you can assign groups of users to different subnets/ip pools ... I'd like to drop users of different privileges into different subnets, but I don't necessarily want my linux machine to be the one that handles the firewall rules, we have a juniper srx for that.
09:08 < hyper_ch> krzee: well, the bad people in black could just be outside my office with one of those microphones and just record me anyway.... :)
09:08 < brad_mssw> Is there general guidance on this?  Should you use policy based routing and maintain different routing tables for each subnet?
09:08 < brad_mssw> (within linux ... therefore multiple default gateways)
09:09 <@krzee> brad_mssw,
09:09 <@krzee> you said access-server
09:09 <@krzee> !no_as
09:09 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
09:09 <@krzee> !as
09:09 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
09:10 <@krzee> wrong channel brochacho
09:10 < brad_mssw> krzee: well, I assume the community edition can do the same, no?
09:10 -!- Netsplit *.net <-> *.split quits: jeev, ifdm_, dvl, justinzane, Dropje, keatont, xMopxShell
09:10 < brad_mssw> or is that a feature missing in the community edition?
09:10 <@krzee> brad_mssw, sure, but we dont know how its done in AS
09:10 <@krzee> if you are using the community version we could help you, you are not. that means you're asking in the wrong place.
09:10 -!- Netsplit over, joins: jeev
09:11 < brad_mssw> i'm not using anything ... yet ;)
09:11 < brad_mssw> just doing research
09:11 <@krzee> !policy
09:11 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
09:11 <@krzee> ok, well your answer is in the howto =]
09:11 <@krzee> link #1
09:11 < brad_mssw> great, thanks
09:11 <@krzee> np
09:11 <@ecrist> brad_mssw: you can do that with CCDs and such
09:12 <@krzee> yep ^ thats how the howto does it
09:13 <@krzee> ccd if the network is small enough, or for a larger deployment, easier to manage like this:
09:13 <@krzee> !client-connect
09:13 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
09:14 <@krzee> since you havnt made the certs yet, you could assign different subnets based on a tag you put in the common-name of the cert
09:15 <@krzee> and if you want to stop dealing with /30 stuff, see:
09:15 <@krzee> !topology
09:15 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
09:17 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
09:18 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
09:18 -!- dvl [~dvl@pdpc/supporter/active/dvl] has joined #openvpn
09:19 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
09:20 < AsadH> hazardous
09:21 < cheesenbiscuts> Krzee... do you have any other advice?
09:22 <@krzee> cheesenbiscuts, show me both logfiles with ver b5
09:22 <@krzee> verb 5*
09:22 <@krzee> !logs
09:22 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:22 <@krzee> and iptables-save
09:23 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
09:23 < cheesenbiscuts> ok... hangon...
09:23 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has left #openvpn []
09:24 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
09:28 -!- only_the_bear [~only_the_@gateway/tor-sasl/onlythebear/x-52658424] has joined #openvpn
09:28 -!- only_the_bear [~only_the_@gateway/tor-sasl/onlythebear/x-52658424] has left #openvpn []
09:28 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has left #openvpn []
09:29 -!- cakesalad [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
09:29 < cakesalad> hey guys
09:29 < cakesalad> how can i set up a firewall properly on freebsd so that i can nat/use the internet through my vpn?
09:30 < cakesalad> !firewall
09:30 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
09:30 <@krzee> !pfnat
09:30 <@vpnHelper> "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
09:30 < cakesalad> !freebsd
09:30 <@vpnHelper> "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:30 < cakesalad> !ipfnat
09:30 <@krzee> hahah people still use ipf?  nice
09:30 <@krzee> the syntax is similar, see your manual
09:31 < cakesalad> krzee: i dont use anything
09:31 < cakesalad> im pretty new to freebsd and im yet to learn the syntax for firewalls on any os ;P
09:31 <@krzee> oh well you will find that the freebsd handbook is your new best friend
09:31 < cakesalad> yeah its pretty nice
09:31 <@krzee> www.freebsd.org/handbook
09:31 < cakesalad> what sucks is that im in a rush atm
09:32 <@krzee> so you were hoping others would walk you through it instead of learning your new os?
09:32 < cakesalad> everything works except sending packets over the vpn
09:32 <@krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
09:32 <@vpnHelper> Title: Chapter 30. Firewalls (at www.freebsd.org)
09:32 < cakesalad> krzee: ive done this before, i just cant remember how :/ and yeah you're right about the fact that i shouldnt expect that
09:33 <@krzee> although above i did give you the pf nat rule
09:33 <@krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
09:33 < cakesalad> yeah im about to look into that
09:33 <@vpnHelper> Title: 30.3. PF (at www.freebsd.org)
09:33 < cheesenbiscuts> ok... pastebin done. please have a look: http://pastebin.com/YY5M1uNA
09:33 <@krzee> and i did find every link you need
09:33 <@krzee> so i mean… ya
09:33 < cakesalad> thanks
09:34 < cakesalad> do i need any rules other than nat?
09:35 < cakesalad> brb
09:36 -!- runa [~runa@190.55.90.71] has left #openvpn []
09:36 <@krzee> cakesalad, as long as everything is allowing, then the nat is all you need for the redirect part
09:37 <@krzee> cheesenbiscuts, do you have multiple locations running clients right now?
09:37 <@krzee> cheesenbiscuts, also, that is not verb 5 like i asked for
09:38 < cheesenbiscuts> oh, sorry.
09:38 <@krzee> and i did not want "iptables -L"
09:38 <@krzee> i said show me iptables-save
09:39 < cheesenbiscuts> no worires!
09:39 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
09:39 <@krzee> they are different, iptables -L is no bueno
09:40 < cakesalad> ok now i have another issue before i even get to the firewall
09:40 < cakesalad> on the server: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
09:40 < cakesalad> whereas ifconfig clearly lists tun1
09:40 < cakesalad> and /dev does not contain tun1
09:40 < cheesenbiscuts> errr... iptables-save isn't a command.
09:41 <@krzee> what distro?
09:42 < cheesenbiscuts> DD-WRT
09:43 < cakesalad> i needed to load a kernel module
09:43 <@krzee> ls -l /usr/sbin/iptables*
09:44 <@krzee> cakesalad, yes, you did
09:44 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
09:44 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:45 < cheesenbiscuts> root@DD-WRT:~# ls -l /usr/sbin/iptables*
09:45 < cheesenbiscuts> -rwxr-xr-x    1 root     root        116227 Dec 24  2013 /usr/sbin/iptables
09:45 < cheesenbiscuts> lrwxrwxrwx    1 root     root            18 Dec 24  2013 /usr/sbin/iptables-restore -> /usr/sbin/iptables
09:46 <@krzee> ok 1sec
09:47 <@krzee> cd /usr/bin
09:47 <@krzee> ln -s /usr/sbin/iptables ./iptables-save
09:47 <@krzee> ./iptables-save
09:47 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:47 -!- mode/#openvpn [+o plai] by ChanServ
09:47 <@krzee> sup arne
09:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
09:48 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 272 seconds]
09:48 -!- krthnz [~aehm@unaffiliated/krthnz] has quit [Ping timeout: 272 seconds]
09:48 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
09:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 272 seconds]
09:48 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Ping timeout: 272 seconds]
09:48 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 272 seconds]
09:48 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
09:48 <@krzee> oh haha sorry
09:49 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
09:49 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
09:49 <@krzee> might need slight change, howd those commands work cheesenbiscuts?
09:49 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
09:50 < cheesenbiscuts> why do I need to create links?
09:50 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
09:50 <@krzee> thats all iptables-save and iptables-restore are
09:50 < cakesalad> hm after loading the kernel module i still get the error...
09:50 <@krzee> as the iptables-restore in your paste should show you
09:51 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has joined #openvpn
09:51 <@krzee> cakesalad, i bet you skimmed the handbook page you were given, didnt you
09:51 < cakesalad> i havent started on the firewall stuff yet
09:52 <@krzee> cakesalad, as what you're working on is unrelated to openvpn and is really you trying to learn your os, you might find #freebsd better
09:52 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
09:52 < cakesalad> krzee: yeah thanks
09:52 <@krzee> lots more people, and they all use freebsd =]
09:53 <@krzee> here theres a handfull of us
09:54 < cheesenbiscuts> I don't see how creating links is going to help krzee.
09:54 <@krzee> cheesenbiscuts, then maybe you need to read the manual for iptables-save
09:55 <@krzee> hmm actually its not in there that i see
09:55 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
09:55 <@krzee> but if you make a link NAMED iptables-save, the binary will act as iptables-save when called
09:56 <@krzee> and either way, do you really want to question every command i give you and make me want to ignore you?
09:56 <@krzee> or maybe just follow directions so you can help me help you?
10:00 < cheesenbiscuts> No worries. Didn't mean to get you angry. Inqusitive is all.
10:01 <@krzee> not that it made me angry, but here we are 15 minutes later you still havnt done it
10:01 <@krzee> asking questions about why you need to make links, i dont want to waste an hour helping you show me firewall rules
10:04 < cheesenbiscuts> The command ./iptables-save: not found
10:04 <@krzee> ls -l /usr/sbin/iptables*
10:05 <@krzee> ln -s /usr/sbin/iptables /tmp/iptables-save
10:05 <@krzee> /tmp/iptables-save
10:05 < cakesalad> sweet openvpn is running
10:05 -!- cyberanger [~cyberange@swissknife/adak/infocop411] has quit [Ping timeout: 260 seconds]
10:05 -!- catsup [~d@ps38852.dreamhost.com] has quit [Ping timeout: 260 seconds]
10:05 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 260 seconds]
10:05 < cakesalad> devfs issues
10:06 < cakesalad> brb
10:06 <@krzee> cakesalad, oh openvpn wasnt running before?  i thought you said you just needed help getting the nat / firewall
10:06 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
10:06 <@krzee> oh now i see where you said that too
10:06 < cheesenbiscuts> Unfortunatly: /tmp/iptables-save: not found
10:06 <@krzee> sorry cakesalad
10:07 <@krzee> cheesenbiscuts, hmm, no error when you gave the ln command?
10:07 < cheesenbiscuts> hangon...
10:07 < cheesenbiscuts> iptables multi-purpose version: unknown applet name iptables-save
10:08 < cheesenbiscuts> no error for: ln -s /usr/sbin/iptables /tmp/iptables-save
10:08 <@krzee> gah, gotta lose ddwrt
10:08 <@krzee> love*
10:08 < cheesenbiscuts> yes. stripped
10:08 <@krzee> hah lose would be valid too lol
10:08 <@krzee> !ddwrt
10:08 <@krzee> !dd-wrt
10:08 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
10:08 <@krzee> im not saying to change it tho, you dont need to
10:09 <@krzee> i would, but its not required
10:09 < cheesenbiscuts> Doesn't iptables -L show you the chains?
10:09 <@krzee> you see your NAT rules in it?
10:09 <@krzee> it doesnt show everything
10:09 < cheesenbiscuts> no, I've deleleted them as the ones I tried didn't work.
10:09 <@krzee> iptables-save gives every iptables command to rebuild the chains exactly
10:10 <@krzee> it doesnt show them anyways
10:10 <@krzee> iptables -L doesnt
10:10 < cheesenbiscuts> I'm trying to get the msaquerade working, which for dd-wrt I belive should be: iptables -t nat -A POSTROUTING -s 10.1.4.0/24 -o vlan1 -j MASQUERADE
10:11 -!- cakesalad [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 272 seconds]
10:11 <@krzee> you definitely want -I not -A
10:12 <@krzee> also, you will have nat rules for your lan, so you really think you dont have ANY nat rules on your router?
10:12 <@krzee> you also need to allow forwarding on the tun+ device
10:12 <@krzee> !linipforward
10:12 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:12 <@krzee> iptables -I FORWARD -i tun+ -j ACCEPT
10:12 <@krzee> iptables -I INPUT -i tun+ -j ACCEPT
10:13 < cheesenbiscuts> they're done by default when you turn on the openvpn server, it adds the firewall rules to the router
10:13 <@krzee> iptables -t nat -I POSTROUTING -s 10.1.4.0/24 -o vlan1 -j MASQUERADE      <--- assuming subnet and device were right when you gave them
10:13 -!- cakesalad [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
10:13 <@krzee> cheesenbiscuts, openvpn does not do that.
10:13 < cakesalad> krzee: yeah i thought it was working, i havent been able to touch the machine since last weekend when stuff kinda borked(i waited to reboot after installing and issues came up which i didnt anticipate), it worked, just not after reboot(now),now its back to trying out the firewall stuff
10:13 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:14 <@krzee> if your os does, then either start openvpn without the os crap, or go to the help channel for your os to get that stuff working right
10:14 < cheesenbiscuts> Sorry, I'm going to have to look at this with fresh eyes tommorrow. Thanks for your help krzee.
10:15 <@krzee> np
10:15 <@krzee> remember the difference between -A and -I
10:15 < cheesenbiscuts> -Insert
10:15 < cheesenbiscuts> - Append
10:15 <@krzee> -I puts the rule in the front, -A puts it at the back
10:15 <@krzee> you probably want to insert them all for this.
10:15 < cheesenbiscuts> will give it a go. thanks!
10:15 < cheesenbiscuts> bye!
10:15 <@krzee> np
10:16 -!- cheesenbiscuts [~cheesenbi@110.159.10.166] has quit [Remote host closed the connection]
10:16 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:16 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
10:18 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:21 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:27 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
10:29 -!- ketas- [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
10:30 -!- cakesalad [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 258 seconds]
10:30 -!- cakesalad [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
10:31 -!- pradeepc_ [~pradeepc@198.199.90.215] has joined #openvpn
10:31 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
10:31 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 250 seconds]
10:31 -!- NChief_ [~nchief@unaffiliated/nchief] has quit [Ping timeout: 250 seconds]
10:31 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 252 seconds]
10:31 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Ping timeout: 252 seconds]
10:31 -!- pradeepc [~pradeepc@198.199.90.215] has quit [Ping timeout: 252 seconds]
10:31 -!- ShadniX [dagger@p5481D6A8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
10:31 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 250 seconds]
10:31 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 250 seconds]
10:31 -!- zoidberg- [~zoidberg@188.165.30.10] has quit [Ping timeout: 250 seconds]
10:32 -!- ShadniX [dagger@p5481D6A8.dip0.t-ipconnect.de] has joined #openvpn
10:32 -!- riddle [riddle@us.yunix.net] has joined #openvpn
10:34 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
10:34 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:37 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
10:40 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
10:42 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
10:46 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 250 seconds]
10:46 -!- ShadniX [dagger@p5481D6A8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
10:46 -!- dsockwell [~twgs@199.167.199.97] has quit [Ping timeout: 250 seconds]
10:46 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 250 seconds]
10:46 -!- ShadniX [dagger@p5481D6A8.dip0.t-ipconnect.de] has joined #openvpn
10:47 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
10:47 -!- mode/#openvpn [+o mattock] by ChanServ
10:50 < cakesalad> i cant ping my server but the vpn seems to be running fine :/
10:50 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
10:56 -!- cakesalad [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 260 seconds]
11:08 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 272 seconds]
11:10 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Ping timeout: 272 seconds]
11:12 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
11:12 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
11:18 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
11:19 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:34 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
11:36 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
11:36 -!- Skcream [~skunkcrea@50.97.94.54-static.reverse.softlayer.com] has joined #openvpn
11:38 -!- s7r_i_w_g is now known as s7r
11:45 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
11:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:03 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
12:06 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:06 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
12:19 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
12:41 -!- dazo is now known as dazo_afk
12:47 < KNERD> For the Android client, is there no method to get around the requirement of having to setup a system password?
12:53 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
12:54 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has quit [Quit: et nos unum sumus]
12:55 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has joined #openvpn
13:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
13:09 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
13:20 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
13:30 -!- ketas- is now known as ketas
13:32 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
13:34 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
13:36 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
13:40 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:45 -!- brad_mssw [~brad@shop.monetra.com] has quit [Ping timeout: 260 seconds]
13:50 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
13:58 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
13:59 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
14:31 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:31 < Thermi> Hello, I have a self signed CA which issues my server certificate and client certificates.
14:33 < Thermi> These are my config files vor OpenVPN: https://gist.github.com/anonymous/802b903e66fc869abc35
14:33 <@vpnHelper> Title: client.ovpn (at gist.github.com)
14:33 < Thermi> This happens when I try to connect to my server:
14:33 < Thermi> https://gist.github.com/Thermi/cbfd6c8e52565f71ab62
14:33 <@vpnHelper> Title: gist:cbfd6c8e52565f71ab62 (at gist.github.com)
14:34 < Thermi> The certificates check out okay: https://gist.github.com/Thermi/cbfd6c8e52565f71ab62#file-verify
14:35 <@vpnHelper> Title: Client attempt (at gist.github.com)
14:37 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
14:40 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
14:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
14:47 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
14:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
15:09 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
15:14 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:14 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
15:21 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
15:26 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
15:32 < KNERD> Thermi: TLS errorlooks like you make the cetrticate with unsupported hash
15:32 < Thermi> It's sha1.
15:32 < KNERD> where>
15:33 < Thermi> OOps. The CA has sha256 as signature function
15:33 < Thermi> And the server has, too
15:33 < KNERD> md5 or sha1 on many devices
15:33 < Thermi> The client certificates have sha1
15:34 < Thermi> I'm on Arch with OpenVPN version 2.3.4 and openssl 1.0.1i
15:34 < Thermi> Sha256 _should_ be supported by those versions
15:34 < Thermi> Anything else would be ... very wrong,.
15:35 < KNERD> open vpn may support it, but the thing you are connecting may not
15:36 < KNERD> so use sha1 or md5 hash to be safe
15:36 < Thermi> It's both Arch.
15:36 < Thermi> With said software versions
15:36 < Thermi> And it's both my stuff.
15:36 < Thermi> I am root on those boxes.
15:37 < Thermi> How can I debug what OpenVPN doesn't like about the certificate?
15:37 < KNERD> with your eyes ;-)
15:37 < KNERD> i dont know
15:38 < KNERD> make sure everything matches
15:38 < Thermi> :(
15:38 < KNERD> i got the very same error recentlyu because the device I was connecting had sha256 hash in the certificate
15:38 <@krzee> !certverify
15:38 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
15:38 < KNERD> it did not like it
15:41 <@krzee> its all handled by openssl, if openssl likes it openvpn doesnt care
15:41 <@krzee> thats why you verify with just an openssl command
15:41 <@krzee> @ Thermi ^
15:41 < KNERD> groovy
15:41 < Thermi> Yes
15:42 < Thermi> That's why I'm very disturbed by openssl verify working out fine but openssl doesn't liking it
15:42 <@krzee> !logs
15:42 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:42 <@krzee> !configs
15:42 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:42 < Thermi> Scroll up
15:42 < Thermi> 21:30
15:42 < Thermi> GMT+2 TZ
15:43 <@krzee> and you md5 the ca.crt's?
15:43 < KNERD> now if I can only find out to avoid setting up a system password using the OpenVPN Android client
15:44 < Thermi> The client cert, key and CA cert for the client are packed in an pkcs12 file. The hash of the original file and the transmitted file match
15:45 <@krzee> lol
15:45 <@krzee> thats not the test
15:45 < Thermi> I know
15:45 <@krzee> you may have transmitted pkcs12 files that are no good
15:46 < Thermi> But I can't extract the CA cert from the pkcs12 file
15:46 <@krzee> !pk12
15:46 <@krzee> !p12
15:46 <@vpnHelper> "p12" is openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
15:46 <@krzee> thats backwards
15:46 < brad_mssw> if a server has    push "redirect-gateway def1"    specified, can a client ignore that?  I see some people saying in their client configs they put route "0.0.0.0/192.0.0.0" + "64.0.0.0/192.0.0.0" + "128.0.0.0/192.0.0.0" + "192.0.0.0/192.0.0.0" ... but that seems odd to me
15:46 <@krzee> but it'll lead you the other way too
15:46 <@krzee> !route_override
15:46 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
15:47 <@krzee> brad_mssw, their solution sounds right
15:47 <@krzee> using net_gateway as the gateway
15:47 <@krzee> which openvpn turns into the standard gateway before the vpn
15:47 < Thermi> ARGH
15:48 <@krzee> brad_mssw, heres why that works:
15:48 < Thermi> OPENSSL WTF
15:48 <@krzee> !def1
15:48 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:48 <@krzee> see how def1 overrides 0.0.0.0/0 with 2 /1 routes… to override those you use 4 /2 routes =]
15:48 < Thermi> certfile != Cafile
15:48 <@krzee> same principle
15:48 < Thermi> NOW it bagged the CA certificate into the p12 file
15:48 < brad_mssw> ok
15:48 < Thermi> It's 1,4 kilo byte bigger
15:49 <@krzee> you'll need it somewhere either way
15:49 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
15:55 -!- brad_mssw [~brad@shop.monetra.com] has quit [Ping timeout: 260 seconds]
15:56 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:08 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
16:11 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
16:14 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
16:17 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 260 seconds]
16:23 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:24 -!- mode/#openvpn [+v s7r] by ChanServ
16:42 -!- brad_mssw [~brad@shop.monetra.com] has quit [Ping timeout: 244 seconds]
16:46 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
16:46 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
17:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
17:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
17:55 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
18:20 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 246 seconds]
18:26 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
18:38 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
18:47 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
18:58 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
19:06 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
19:08 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 245 seconds]
19:18 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
19:24 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
19:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
19:32 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
19:32 < prelude2004c> hi everyone
19:32 < prelude2004c> does anyone know why running an openvpn server between 2 servers causes 1/2 the packets per second as without the vpn tunnel?
19:33 < prelude2004c> noticed that we were doing 100,000 packets per second without vpn but only 48 with VPN
19:33 < prelude2004c> why would it slow down?
19:35 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
19:35 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
19:38 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
19:40 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
19:45 < prelude2004c> hello?
20:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
20:11 < prelude2004c> can anyone tell me the weakest vpn cipher can use ?
20:11 < prelude2004c> i want to take up as little cpu as possible
20:16 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:22 -!- nath_schwarz [~nath_schw@p54A327E1.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
20:23 -!- nath_schwarz [~nath_schw@p54A30E0E.dip0.t-ipconnect.de] has joined #openvpn
20:24 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:01 -!- square-r00t is now known as root^2
21:13 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
21:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:16 -!- Skcream [~skunkcrea@50.97.94.54-static.reverse.softlayer.com] has quit [Remote host closed the connection]
21:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
21:48 -!- arescorpio [~arescorpi@14-200-17-190.fibertel.com.ar] has joined #openvpn
21:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
21:49 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:50 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:09 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
22:11 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c]
22:14 < svm_invictvs> Heya
22:28 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
22:30 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
22:55 -!- arescorpio [~arescorpi@14-200-17-190.fibertel.com.ar] has quit [Excess Flood]
23:10 -!- ShadniX [dagger@p5481D6A8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:11 -!- ShadniX [dagger@p5DDFCB7C.dip0.t-ipconnect.de] has joined #openvpn
23:13 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
23:15 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
23:17 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Client Quit]
23:48 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 245 seconds]
--- Day changed Sat Sep 20 2014
00:52 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds]
01:12 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
01:20 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:04 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:08 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Client Quit]
02:15 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
02:55 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
03:06 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
03:35 -!- nvdpl [~textual@46.205.198.203.nat.umts.dynamic.t-mobile.pl] has joined #openvpn
03:51 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:12 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
04:12 < Wulf> Hi
04:12 < Wulf> Does someone have a video tutorial to install OpenVPN on an iphone 5?
04:13 -!- xeon-enouf [~xeon-enou@unaffiliated/xeon-enouf] has joined #openvpn
04:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:27 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
04:31 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
04:49 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:04 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has joined #openvpn
05:06 -!- nvdpl [~textual@46.205.198.203.nat.umts.dynamic.t-mobile.pl] has quit [Ping timeout: 260 seconds]
05:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
05:22 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 258 seconds]
05:22 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 258 seconds]
05:27 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Ping timeout: 258 seconds]
05:29 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
05:31 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 258 seconds]
05:34 -!- Hello71 [~Hello71@wikipedia/Hello71] has joined #openvpn
05:36 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
06:58 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
07:10 -!- MaddinXx [~racksteri@zux221-152-057.adsl.green.ch] has joined #openvpn
07:12 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
07:14 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c]
07:19 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
07:24 -!- MaddinXx [~racksteri@zux221-152-057.adsl.green.ch] has quit [Quit: Lingo - http://www.lingoirc.com]
07:29 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
07:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:35 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
07:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:43 <@krzee> Wulf, not specifically 5, but here you go
07:43 <@krzee> !iphone
07:43 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
08:30 <@krzee> !man
08:30 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:32 -!- Latrina [~Latrina@ppp-205-42.26-151.libero.it] has quit [Ping timeout: 260 seconds]
08:35 -!- Latrina [~Latrina@151.56.184.90] has joined #openvpn
08:40 < Wulf> krzee: I'm specifically lookink for a video
08:40 <@krzee> lol
08:40 <@krzee> and whys that
08:41 < Wulf> krzee: To give it to someone else, in the hope that it helps them install openvpn.
08:41 <@krzee> guess you can make a video then
08:41 <@krzee> i dont make walkthroughs, i made tutorials
08:41 < Wulf> krzee: haven't got an iphone.
08:43 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 260 seconds]
08:44 <@krzee> you trying to use openvpn on IOS for access-server or opensource openvpn?
08:44 < Wulf> krzee: connect to opensource openvpn
08:45 <@krzee> ahh i figured if it was AS maybe their team would be willing to make a video or something
08:45 <@krzee> i know i have 0 interest in it.
08:45 <@krzee> i did write that doc for you at !iphone
08:45 < Wulf> I gave them a similar doc already, without success
08:45 <@krzee> (and i also dont use or have an iphone)
08:46 < Wulf> but I assume you did have access to one?
08:46 <@krzee> when i made the doc? yes, it actually says that i had to work on other peoples i-devices on the page
09:05 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Read error: Connection reset by peer]
09:06 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
09:09 -!- dvl [~dvl@pdpc/supporter/active/dvl] has quit [Changing host]
09:09 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
09:11 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 260 seconds]
09:26 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:28 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
09:32 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
09:38 -!- Envil [~meep@95.211.26.40] has joined #openvpn
09:38 -!- shio [marmot@203.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
09:41 -!- shio [marmot@48.121.101.84.rev.sfr.net] has joined #openvpn
09:46 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
09:49 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
10:12 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:15 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
10:21 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
10:36 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 272 seconds]
10:39 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:47 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
10:48 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
11:00 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
11:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
12:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:13 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:28 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
12:42 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
13:03 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 246 seconds]
13:17 < prelude2004c> hi
13:17 < prelude2004c> anyone around?
13:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
13:17 < prelude2004c> trying to run multiple instances of openvpn , one of them gives me a tun/tap error code 22 ( the second one ) .. something about no tls channel avaialble
13:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:46 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
13:49 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
13:50 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 245 seconds]
13:51 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
13:53 -!- u0m3 [~u0m3@92.80.106.41] has joined #openvpn
13:53 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 240 seconds]
13:54 < prelude2004c> nevermind.. found the problem ( no-iv ) had to be on both sides
13:54 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
14:05 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
14:06 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
14:07 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
14:17 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:37 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
14:45 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
14:56 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
15:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
15:09 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
15:10 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
15:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:37 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c]
15:59 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
16:00 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:09 -!- evil_andy is now known as evil_andy|away
16:15 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:52 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:02 -!- evil_andy|away is now known as evil_andy
17:06 -!- JRL [~jrl@207.96.146.194] has joined #openvpn
17:08 < JRL> With the last update iOS app update (1.0.5) my config stopped working.  PolarSSL is returning a certificate validation error.  I see it was updated in the release, anyone know a way around this?
17:18 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
17:22 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:27 -!- evil_andy is now known as evil_andy|away
17:46 -!- Starthunder [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
17:46 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
17:47 < KNERD> I created a client.key, ca.crt, and a client.crt and now using them for a client device  with openvpn, but I want to use those same for the OpenVPN Adroid client. It seems it wants a pkcs12 instead of a ca.crt
17:48 < KNERD> .pfx. or .p12
17:48 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:50 -!- Wulf [~Wulf@unaffiliated/wulf] has left #openvpn []
17:56 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
18:02 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
18:05 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
18:39 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
18:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:05 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
19:10 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
19:17 -!- krkhan [~krkhan@2601:8:9780:4f9:d12d:179e:9fd4:b3b6] has joined #openvpn
19:20 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:28 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:31 < krkhan> I'm trying to use ethernet bridging. My client successfully connects to the server, and if I ping 192.168.1.4 (the server address) I see ARP queries in tcpdump at server but the client does not get a response back
19:31 < krkhan> config, route and log: https://gist.github.com/krkhan/84c546495eab55d787e7
19:31 <@vpnHelper> Title: OpenVPN Ethernet Bridging (at gist.github.com)
19:31 < krkhan> any ideas what's wrong?
20:00 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
20:01 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
20:05 < KNERD> krkhan: iptables running?
20:07 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
20:07 < krkhan> KNERD: yes, and forwarding is enabled in /proc/sys/net/ipv4/ip_forward
20:08 < krkhan> (on the server)
20:08 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
20:08 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
20:13 < KNERD> i see the server has  IP address of 10.0.0.100, but the client has no IP address in the same block
20:20 -!- nath_schwarz [~nath_schw@p54A30E0E.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
20:22 < KNERD> on my setup  I also issued this"iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o eth0 -j MASQUERADE"
20:22 -!- nath_schwarz [~nath_schw@p54A323B8.dip0.t-ipconnect.de] has joined #openvpn
20:23 < pekster> Either you shouldn't be bridging or 192.168.8.4 is bogus as it's not on any interface on your server
20:23 < pekster> Further you didn't show bridge output, which is highly relevant for actual bridging. Why are you briding in the first place?
20:23 < pekster> !whybridge
20:23 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
20:26 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
20:29 -!- u0m3 [~u0m3@92.80.106.41] has quit [Ping timeout: 272 seconds]
20:33 < pekster> Or it is and since you're using tools on Linux outdated by over a decade it won't show secondary IPs. ifconfig sucks, try ip
20:33 < pekster> !linux-ifconfig
20:33 < pekster> !ifconfig-linux
20:33 <@vpnHelper> "ifconfig-linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
20:38 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:40 < prelude2004c> HI everyone. What is the most important part of a computer for openvpn. We have a system ( xeon 5130 2Ghz ).. i show no load waht so ever ( 5% on one vpn process) No encryption nothing. The speed is sooooo slow.. 5Mbit/s ??? why
20:40 < prelude2004c> anyone know.. what is openvpn highly dependent on ?
20:41 < prelude2004c> i want to know in order to always buy the right hardware
20:45 < prelude2004c> anyone?
20:46 < pekster> In no particular order, bandwidth, interrupts, CPU, and context switching
20:47 < pekster> Which one limits your usecase depends on load, CPU features, configuration, and utilization. In other words, there is no simple answer for you
20:47 < KNERD> Bah...no how-to setup for the openVPN Connect for Android
20:47 < KNERD> not even any mention of it on openvpn web site
20:48 < pekster> It's becuase the "website" is overrun by the corporate "Connect" client that is a completely different codebase that isn't written/maintained by the open-source community
20:48 < pekster> Grab 'OpenVPN for Android' (not Connect) and use inline files
20:48 < pekster> !inline
20:48 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
20:48 < pekster> Also:
20:48 < pekster> !connect
20:48 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
20:48 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
20:49 < pekster> It's recently been open-sourced, but isn't community maintained
20:51 < KNERD> pekster: the one by "Arne Schwabe"?
21:00 < pekster> Yup
21:03 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Quit: Lost terminal]
21:05 < KNERD> pekster: thanks...it seems this one also wants pkcs12 certificates.bah humbiug
21:06 < pekster> It'll accept inline configs just fine
21:06 < pekster> You can use pkcs12 if you want, otherwise just create the "usual" inline config with your <ca> and <cert> and <key> components
21:06 < pekster> Whatever you're planning to use
21:08 < KNERD> pekster: oh..so I have to put the ca cert and key inline in the config file?
21:09 < prelude2004c> hey, is there a way to turn off tls-pre-encrypt?
21:10 < prelude2004c> i want to issue the tunnel with no encrypiton at all.. i did cipher none and auth none but i still see in logs “ tls: tls_pre_encrypt “
21:10 < prelude2004c> why is that?
21:14 < pekster> Becuase TLS uses the TLS protocol
21:14 < pekster> !statickey
21:14 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
21:15 < pekster> X.509 is based on public/private keys. If you don't want that, fine, but you'll have to use the p2p mode of openvpn
21:15 < prelude2004c> but i am using p2p mode
21:15 < pekster> Evidently not. Have some configs handy?
21:16 < prelude2004c> topoploty is set to p2p
21:16 < prelude2004c> ya i do
21:16 < pekster> You can use p2p topology with TLS
21:16 < pekster> You need to _not_ use TLS mode if you don't want it
21:16 < pekster> --mode != --topology
21:16 < prelude2004c> really ok how do i turn it off
21:16 < pekster> Use p2p mode
21:16 < prelude2004c> so mode p2p thats it
21:17 < prelude2004c> instead of server
21:17 < prelude2004c> so at the top just use mode p2p?
21:17 < pekster> Not quite, since p2p won't accept any of the X.509 stuff
21:17 < pekster> So you'll have to remove them or you'll get an options error
21:17 < prelude2004c> what i am trying to do is create a very very basic tunnel
21:17 < prelude2004c> with nothing in it.. just gives me the route
21:18 < prelude2004c> then i want to add BF cipher to it
21:18 < pekster> openvpn --dev tun --mode p2p --ifconfig 172.16.0.1 172.16.0.2
21:18 < prelude2004c> and that’s it
21:18 < prelude2004c> i dont’ want all the rest of the stuff
21:18 < pekster> Then reverse the IPs on the other side
21:18 < pekster> That's it
21:18 < prelude2004c> i am using /dev/tap is that ok ?
21:18 < pekster> Why?
21:18 < prelude2004c> tap because i am using UDP and i have it in forwar mode
21:18 < pekster> No, dont' do that
21:18 < pekster> UDP sits on top of IP
21:18 < pekster> tun is for IP traffic
21:18 < pekster> tap is for Ethernet traffic that is *non* IP
21:18 < pekster> What non-IP traffic are you intending to support?
21:19 < prelude2004c> none
21:19 < prelude2004c> its all ip
21:19 < pekster> Then don't use tap.
21:19 < pekster> Also, there is no /dev/tap on Unix-alikes. It's still the tun driver (which can operate in an OSI L2 mode for tap devices)
21:20 < pekster> The nomenclature is reversed on Windows where the driver is called the Win32-TAP driver, but it likewise does both
21:21 < pekster> Well, no. It only does tap and just fakes tun with Ethernet networks now that I think of it
21:21 < prelude2004c> check this out and tell me what i should remove
21:21 < pekster> Just set up what I showed you
21:21 < prelude2004c> http://pastebin.com/GY87v4gs
21:21 < pekster> That does exactly what you want, after you corect the IPs
21:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:24 < pekster> You don't get to push things in non-TLS mode
21:24 < pekster> There is _no_ control channel to push things over; you need TLS for that
21:24 < pekster> A tunnel is "just" the endpoint setup without that extra layer. You need to do the rest manually, like you would with any other tunneling protocol
21:25 < krkhan> KNERD: i tried "iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o tap0 -j MASQUERADE" on the client but that didn't help
21:25 < KNERD> your client still not on the same IP block
21:25 < KNERD> if that makes any difference
21:25 < pekster> why on earth are you using a tap to do redirection?
21:26 < prelude2004c> pekster i dont know
21:26 < prelude2004c> i am learning
21:26 < prelude2004c> i was told tap is faster
21:26 < prelude2004c> on udp
21:26 < pekster> That was more for krkhan
21:26 < prelude2004c> sorry
21:26 < prelude2004c> :)
21:27 < pekster> tap is stupid unless you need raw Ethernet frame support. It's slightly _slower_ at least in a theoretical sense since it has to stuff more header data into the inner packet. It's also going to open you up to MAC spoofing on the L2 link via classic ARP cache posioning
21:27 < pekster> Unless you need broadcast support like IPX, NBNS, uPnP, or similar (usually shoddy) protocols, there's no need for tap
21:28 < pekster> And realistically, all of those that I mentioned have more sane alternatives
21:28 < prelude2004c> ic
21:28 < prelude2004c> if you look at my pastebin , what should it look like?
21:28 < prelude2004c> not sure i have all the right info there.
21:28 < pekster> Nothing like that
21:28 < prelude2004c> oh
21:29 < krkhan> KNERD: I tried using "server-bridge 10.0.0.50 255.255.255.0 10.0.0.150 10.0.0.160" so that server and client will be on the same ip block
21:29 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
21:29 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
21:29 < krkhan> pekster: I need layer 2 for netbios
21:29 < pekster> Try DNS
21:29 < pekster> dnsmasq if you don
21:29 < pekster> don't want to run a "real" DNS system
21:30 < pekster> openwrt ships with it out of the box ;)
21:30 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Ping timeout: 260 seconds]
21:31 < pekster> If you're bridging, it's up to you to set up your local bridge on the server properly
21:31 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has quit [Ping timeout: 260 seconds]
21:31 < pekster> OpenVPN won't do it (although some people use the --up script to hook into their OS dynamicall. I think that's insane and you should configure your OS network properly on-boot for that)
21:31 < pekster> That's assuming you refuse to use DNS and would rather complicate your server's network setup instead
21:32 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
21:32 < pekster> Also, 10.0.0.0/24 is usually a horrible choice; clients will have problems reaching it since lots of popular networks also use it (wifi cafes, other people's homes, etc)
21:32 < pekster> !randomsubnet
21:32 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
21:33 < prelude2004c> pekster, i tried to remove a bunch of settings but it complains of “ Options error: You must define DH file (--dh) “
21:33 < pekster> prelude2004c: You're still in a TLS mode. I gave you syntax for a "bare bones tunnel"
21:33 < pekster> Stop using *ANY* mode that uses TLS, no --server, no --mode server, none of that nonsense
21:33 < pekster> 21:18:08 < pekster> openvpn --dev tun --mode p2p --ifconfig 172.16.0.1 172.16.0.2
21:34 < prelude2004c> the 172.16.0.1
21:34 < prelude2004c> and 0.2
21:34 < prelude2004c> where do you give away the ips ? for dhcp ?
21:35 < pekster> You don't. That's the ENTIRE point of a "stupid" tunnel
21:35 < prelude2004c> but what happens when each customer needs a unique IP to track them
21:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
21:35 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
21:35 < pekster> huh? You cann't have "customers" on a non-TLS tunenl. It's just a SINGLE PC at each end
21:35 < prelude2004c> man am i confused :)
21:36 < pekster> If you want a multi-client mode, you _need_ the TLS mode which is based on a TLS and X.509 handshake
21:36 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
21:36 -!- mode/#openvpn [+v s7r] by ChanServ
21:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
21:36 < pekster> This requires at a bare minimum you have a CA and a server-side keypair with a certificate signed by the CA, and all clients have the CA cert
21:36 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:37 < pekster> And yes, this means you will be securing the control channel with a TLS handshake and asymmetric crypto. The data channel can remain encrypted, authenticated, both, or neither as you see fit
21:37 < prelude2004c> ok i am trying to loose very little traffic speed
21:37 < prelude2004c> whatever that does
21:37 < pekster> TLS is for the _control_ seesion. It has absolutely nothing to do wtih the speed of the data transport
21:38 < prelude2004c> i am having a huge problem with a server that is simply doing one tunnel and the speed is super slow
21:38 < prelude2004c> i a not sure why.. nothing overloaded
21:38 < prelude2004c> at all
21:38 < prelude2004c> i can’t figure out why
21:39 < pekster> How have you determined this? And did you test raw throughput between the endpoints? And how?
21:39 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:40 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:40 -!- mode/#openvpn [+v hazardous] by ChanServ
21:41 < prelude2004c> well i did a regular wget or curl from server to server withoout tunnel
21:41 < prelude2004c> i get like 50MB/s
21:42 < prelude2004c> like 400mbit/s
21:42 < prelude2004c> then i turn on tunnel
21:42 < prelude2004c> i get 5MB/s
21:42 < prelude2004c> with cipher none, and everything none
21:42 < prelude2004c> not sure why such a loss
21:42 < pekster> That answered none of my questions
21:42 < pekster> When you can be bothered to answer them, I'll be bothered to answer
21:42 < pekster> Oh, wait, "from server"?
21:43 < pekster> Using what?
21:43 < pekster> The server's external IP?
21:43 < pekster> If you use the same external IP after that it'll still go over the public Internet. You' doing the same wget/curl to the VPN IP?
21:43 < pekster> Also
21:43 < pekster> Less enter
21:43 < pekster> Means I can read
21:43 < pekster> Your text
21:43 < pekster> Easier
21:43 < pekster> And miss less
21:44 < pekster> You're config also shows you using the BF cipher, which is going to be CPU-limited at one end in nearly all cases
21:46 < pekster> Set `cipher none` if you really want to disable encryption. You've already disabled authentication (lines 36/37 in the server, but you'll need to match that on the client) and you'll turn off all security features for the data transport
21:50 < prelude2004c> sorry ok i will try to do it on one line.  Basically  i tried curl tests on the public ips from server to server and it was very fast. Then I tried through the tunnel and it came to a halt. Trying it with cipher none improved it but not by much.  CPU  usage is low so i am not sure why it is even doing that.  BTW, on the p2p connection, how do i do the client? I am trying but it wont pull any of the default routes + how do i enable at least
21:50 < prelude2004c> password auth to use with the radius plugin?
21:50 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
21:51 -!- sudormrf_ [~sudormrf@unaffiliated/sudormrf] has joined #openvpn
21:51 < pekster> You don't. There is _no_ way to exchange a "password" on a mode p2p connection. It's just blasting raw packets down the wire, optionally encrypted and/or authenticated with a static, pre-shared key
21:51 < pekster> That's it. If you want more, you want a TLS-mode that uses TLS _strictly_ for the control channel, and negotiation of the ephemeral data transport key
21:52 -!- sudormrf_ [~sudormrf@unaffiliated/sudormrf] has left #openvpn []
21:53 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 246 seconds]
21:53 < pekster> And what does "through the tunnel" mean here, the RFC6598 IP you're using for the VPN?
21:53 < prelude2004c> yes
21:53 < prelude2004c> through that ip 100.64.x.x
21:53 < pekster> FYI, you'll run into problems using that range if you have clients connecting from behind CGN, so you'd best avoid it
21:54 < prelude2004c> CGN ? I wanted to stay away from 192.168.x.x for conflicts
21:54 < pekster> Stick with RFC1918, or if you insist on doing stupid things, do them "less stupidly" by using RFC5736 or maybe RFC2544
21:54 < pekster> CGN is allocated and widely used today
21:54 < pekster> What you probably want:
21:54 < pekster> !randomsubnet
21:54 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
21:54 < pekster> Pick a /24 in the middle of 10/8, or perhaps inside 172.16/12 instead
21:55 < pekster> CGN, yes. This is what RFC6598 allocates, and your IP is from what is possibly the most common /24 side the /10 allocated to CGN
21:56 < pekster> http://tools.ietf.org/html/rfc6598 (best not to use IP ranges you aren't supposed to unless you're an expert who knows why you're doing Evil™ things.)
21:56 <@vpnHelper> Title: RFC 6598 - IANA-Reserved IPv4 Prefix for Shared Address Space (at tools.ietf.org)
21:56 < prelude2004c> first .. thank you very much for all your help. I am learning quite a bit here.
21:58 < prelude2004c> 2nd. What do you suggest I DO ? I would like to have the following. 1. ( encryption [ weakest possible ] ) 2. Give Ips to each client ( from dhcp pool ) in order for us to track who they are. The destinatio stream servers don’t want to see everyone coming from the same IP .. it should be unique for each member connected.
21:59 < prelude2004c> Also, the cipher is simply a legal thing. The files inside are already AES256
21:59 < prelude2004c> the problem is the tunnel also has to remain private but does not state what encryption level. So any level taht says “ encrypted “ is good for me
22:00 <@krzee> what benefit will you get from weaker crypto?
22:00 <@krzee> as opposed to strong crypto
22:00 < pekster> Blowfish is likely to be the fastest CPU cipher unless your hardware suppores AES-NI, in which case an AES cipher will be far faster
22:00 < pekster> I read that as fast vs weak, but RC4 is both weaker and slower ;)
22:00 < pekster> Depends on how you wish to split the hair. Also depends on the quality of your IV, but you can debate *that* point in ##crypto :P
22:00 <@krzee> ya, prolly what he meant
22:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
22:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
22:01 <@krzee> heh nice sized channel, i didnt know about ##crypto
22:01 <@krzee> time for me to lurk there
22:01 < pekster> As to what to do, first you need to identify why the speed is slow. Did you check CPU utilization at *both* ends? OpenVPN is single-threaded, so if you max out a single core, that's all you get
22:03 <@krzee> prelude2004c, also please stop private messaging me, i'll respond in here when im around =]
22:03 < prelude2004c> krzee oh sorry was that today ? maybe from a few days ago.
22:03 < pekster> Bandwidth doesn't sound like a problem if you can pull ~50 Mbps, though be sure to use a properly sized file to reach that measurement; a file of several megs should suffice
22:04 < prelude2004c> ya i tried to pull 3Gig
22:04 <@krzee> not sure, and no problem / no big deal
22:04 < prelude2004c> i love this channel.. you guys are awsome
22:04 < prelude2004c> :)
22:04 < pekster> 5Mbps is rather low though; I can get better performance out of 600 MHz MIPS routers than that
22:04 < prelude2004c> if i can only wrap my head around this whole thing….  yes i agree its slow.. that is why it is driving me crazy !!
22:05 < pekster> Could be some bandwidth throttling outside of your control too
22:05 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
22:05 < pekster> Might not hurt to try an iperf test between endpoints if you control them
22:05 <@krzee> using the same port / protocol ^^
22:06 < pekster> Right. THat'll be a "pretty good" indication, although really invasive ISP's use DPI to stomp on TLS-type traffic (think China, for instance)
22:06 < krkhan> question about tun vpn
22:07 < krkhan> server: inet addr:10.8.0.1  P-t-P:10.8.0.2
22:07 < krkhan> client: inet addr:10.8.0.6  P-t-P:10.8.0.5
22:07 <@krzee> i have never seen DPI used for just qos… it could totally be done but im not familiar with people actually doing it
22:07 < krkhan> server can ping 10.8.0.6 and vice versa just fine
22:07 <@krzee> !/30
22:07 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
22:07 < krkhan> what is the P-t-P address
22:07 <@krzee> krkhan, ^^
22:08 < pekster> Point-to-Point; wikipedia has a wonderful article if you've never heard of it
22:08 < pekster> It's just a lazy way to assign IPs to the end of a tunnel; strictly speaking a PtP link doesn't even need that to work
22:09 <@krzee> and see !/30 link above for why openvpn has them, and !topology to rid yourself of the ugly outdated windows-compatibility hack
22:09 < pekster> `openvpn --mode p2p --dev tun && ip route add 10.20.30/24 dev tun0` would work fine (for Linux) but wouldn't allow you to ping the endpoint, and is thus unwise anyway
22:10 < krkhan> okay, thanks for the links!
22:10 < KNERD> in the OpenVPN for Anrdoid,  I have to put the ca cert and key inline in the config file?
22:10 <@krzee> that reminds me of jjk's cookbook entry for a VPN with no vpn endpoint addresses
22:10 <@krzee> (which tripped me out)
22:11 <@krzee> KNERD, no, the importer will do it
22:11 < pekster> krzee: More fun is to issue the same addressing topology on both sides
22:11 < krkhan> i have two routers connected via tun. as i mentioned, both can ping each other on respective tunnel endpoints
22:12 < pekster> ie: `--ifconfig 10.0.0.0 10.0.0.1` on *both* sides. So 10.0.0.1 always means "my peer" regardless of which host you do it from
22:12 < krkhan> router A has clients in the 10.0.0.0/24 subnet, router B has clients in the 192.168.2.0/24 subnet
22:12 < KNERD> krzee: it states I have an error..."You must select User certificate," though the certificates are in the same directory as the profile
22:12 < pekster> I did that a couple jobs ago via a direct-connect network cable and a PtP setup to transfer some files. Co-worker swore it wouldn't work until he saw my ssh pipe working :P
22:13 <@krzee> KNERD, this is "openvpn for android" and not "openvpn connect"  right?
22:13 < krkhan> [Client subnet: 10.0.0.0/24] Router A (OpenVPN server) 10.8.0.1 <------> Router B (OpenVPN Client) 10.8.0.6 [Client subnet: 192.168.2.0/24]
22:14 < krkhan> now that tun is established
22:14 < krkhan> i want a client in subnet B to be able to ping a client in subnet A
22:14 <@krzee> pekster, i would have also sworn it wouldnt work lol
22:14 < KNERD> krzee: that is correct...pekster suggested I use OpenVPN ofr Android
22:14 <@krzee> then when it did i would have hidden in a cave with books trying to figure out wtf you did
22:14 < krkhan> which route should i add to router B
22:14 <@krzee> KNERD, good, i would suggest the same, just making sure because i have imported configs with it and it always worked for me
22:15 <@krzee> KNERD, post the config?
22:15 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has left #openvpn []
22:15 <@krzee> kr
22:15 <@krzee> krkhan,
22:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:15 <@krzee> !route
22:15 < pekster> krkhan: You need return-routing and firewalls set up to handle that
22:15 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
22:15 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
22:15 -!- mode/#openvpn [+v s7r] by ChanServ
22:16 < pekster> Yea, good links for you above. with near-certainty you need to fix routing, firewalls, or both. Same as you would any routing interlink
22:17 < prelude2004c> Pekster : to create routes for an ip range through that p2p tunnel
22:17 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
22:17 <@krzee> pekster, with your "same addressing topology" why did the peer answer?  some sort of NAT?
22:17 < prelude2004c> just route add <range>  gw 100.64.0.1 ?
22:17 < prelude2004c> gave me an error
22:17 < KNERD> prelude2004c: http://pastebin.com/GqsTzvzv
22:18 <@krzee> you meant me ;]
22:18 < pekster> krzee: Nope. PtP just means "blast packets down this tunnel" -- the packets have _no_ notion of IP at all; that's only asserted as a convenience, but remember, a PtP device _only_ means "this" or "that" end
22:18 <@krzee> ohhhh
22:18 <@krzee> lol
22:18 <@krzee> got ya
22:18 < pekster> So when a packet arrives on the receiving end, it's not "from" 10.0.0.0, it's from "the other end of this device"
22:19 < prelude2004c> Knerd , thank you.. what does the server side look like?
22:19 < pekster> Think of it more like a serial connection, less like classic IP
22:19 <@krzee> KNERD, you need a space after the key and cert in the config
22:19 <@krzee> certclient.crt   ---> cert client.crt
22:19 < KNERD> krzee: sorry...there is one
22:19 <@krzee> prelude2004c, he only pasted that file for me to help him ;]
22:20 <@krzee> KNERD, how did it get changed between your copy and paste?
22:20 <@krzee> re-paste it EXACTLY as it is
22:20 < KNERD> i just grabbed  this form another device....the only difference is the directoty..which i removed ..that is why no space
22:20 <@krzee> ya dude, directory is what is was looking for
22:20 < KNERD> i just made this error during editing now
22:21 <@krzee> do NOT change shit when you post it
22:21 <@krzee> and remove the directories and try importing again
22:21 < KNERD> no...it is for ANOTHER device
22:21 <@krzee> well man
22:21 < KNERD> thus the directory is NOT the same
22:21 <@krzee> if you cant post the EXACT config you are trying to import i cant waste time guessing
22:21 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:21 < KNERD> i just did
22:22 < KNERD> as I mentione dthe only difference is I removed the diretcoryies
22:22 <@krzee> time for me to get offline i guess
22:22 <@krzee> later
22:22 < KNERD> fromt his key /yealink/config/openvpn/keys/client.key to this -> key client.key
22:22 < prelude2004c> pekster , can a route be added via the 100.64.10.1 for example?  i got the p2p up and i can get data from the other side
22:22 < prelude2004c> but i want to route other ips through it
22:23 < prelude2004c> and I am sorry i will wait for knerd to finish :)
22:25 < pekster> Sure, you can route across a tun device just fine
22:26 < pekster> (tap too for that matter, but if you're routing in 99.9% of cases you don't want tap)
22:27 < prelude2004c> eg. ~ # route add 22.22.0.0/23 dev tun0
22:27 < prelude2004c> route: netmask 000001ff and host route conflict
22:28 < pekster> Naturally. Try `ip` which will make routing more logical rather than the `route` utility on Linux
22:29 < pekster> Stick with the actually-maintained ifconfig and route commands if you're on a BSD where those utilities are still current
22:29 < prelude2004c> i absolutely love the idea of a tunnel that just just pushes the traffic for a particular route.. it is everything i want except the fact that its not encrypted Is there any way to encrypt @ all anything in order to keep the tunnel somewhat private from seeing the data inside? As i said i dont really need to encrypt hte data as it is already encrypted with AES256 but for the sake of some legal paperwork i want to not have them see the file
22:29 < prelude2004c> namess.
22:29 < krkhan> i added a push route 10.0.0.0 255.255.255.0 to the server
22:29 < krkhan> client receives and updates its routing table
22:29 < krkhan> 10.0.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
22:29 < krkhan> 10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
22:30 < krkhan> but client still cannot ping 10.0.0.1
22:30 < pekster> You see the links above that were for you?
22:30 < pekster> You likely forgot return routing or firewall support
22:31 < krkhan> pekster: Yeah that's where I got the push route idea from :)
22:31 < pekster> _return_ routing. As in the LAN that is 10/24
22:31 < pekster> If it can't route back to the VPN range, you need to fix that. And if the return traffic is firewalled, it must be allowed
22:32 < pekster> OpenVPN is just a fancy route; the same rule still apply
22:32 < pekster> router*
22:33 < krkhan> i'm trying to figure out which return route is missing, the server has route "back" to 10.8.0.0:
22:33 < krkhan> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
22:33 < krkhan> default         10.0.0.1        0.0.0.0         UG    0      0        0 br-wan
22:33 < krkhan> 10.0.0.0        *               255.255.255.0   U     0      0        0 br-wan
22:33 < krkhan> 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
22:33 < krkhan> 10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
22:35 < krkhan> the client has route "to" server as pasted above (10.0.0.0/24) and the server has route "back" to client (10.8.0.0/24)
22:36 < krkhan> firewall is off at both locations
22:37 < pekster> !serverlan
22:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
22:37 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
22:37 < pekster> You seem to have completely ignored the return routing from the 10/24 LAN
22:37 < pekster> ie: the _gateway_ there
22:37 < pekster> Again, a VPN doesn't magically change the rules of routing
22:38 < pekster> Given that your server uses 10.0.0.1 as its default gateway, it's clearly not the LAN's gateway. If that gateway doesn't have a return route and a firewall that permits return traffic, it won't get returned
22:44 < prelude2004c> Pekster, so i got the tunnel working well with P2P … i  have traffic flowing and it is very good… doesn’t help me any i guess where the traffic is not encrypted.. now i would like to do the same thing with some sort of tunnel encryption.. what is the best method to get as close as possible to this kind of performance
22:45 < pekster> So set a --cipher and --auth?
22:45 < pekster> Or omit both of the "none" values for the defaults (which is --auth sha1 --cipher BF`
22:46 < prelude2004c> tried cipher but it still says its in plain text
22:46 < krkhan> pekster: bingo!
22:46 < krkhan> okay, all i need to figure out now is how to add static route to comcast's *#$@ router
22:46 < pekster> Or toss it into bridged/pass-through mode and run your own router behind it
22:47 < pekster> residential-ISP solutions tend to universally suck
22:47 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: Textual IRC Client: www.textualapp.com]
22:48 < KNERD> well...i got mine working...now to disbaled that pesky screen lock
22:48 < krkhan> agreed
22:48 < prelude2004c> one thing i like about this p2p thing is that the customer will keep their public ip on our side right?
22:48 < krkhan> thanks for your time though, you guys rock
22:48 < prelude2004c> and can i have more then one user connect to the same connection? i guess not :(
22:48 < pekster> huh? "keep"?
22:48 < prelude2004c> ehh doesn’t make sense.
22:49 < prelude2004c> i need to have a tunnel setup for each user .. would be nice to have them keep their public IP as the passthrough IP though instead of showing a dhcp ip
22:49 -!- cheesenbiscuts [~cheesenbi@203.106.79.166] has joined #openvpn
22:49 < prelude2004c> doesn’t make sense becuase i dont know the ip since the route back would not be setup propertly :( .. damn
22:50 < prelude2004c> but i could do a source / redirct back to the same path
22:50 < pekster> You can't magically change where packets go
22:50 < pekster> (if you do, firewalls at the far end will reject them as bogus)
22:51 < prelude2004c> Pekster, please help me if you can.. how do i connect multiple users with some very basic tunnel encryption.. Would love to keep their public ips showing up on the apache server but if not possible then i guess some dhcp would be ok too
22:51 < pekster> OpenVPN won't let you use the public IP on the far side of a connection as the source for packets going across the tunenl
22:51 < pekster> tunnel*
22:51 < pekster> You don't. Try IPSec if you need that
22:51 < prelude2004c> it does if acts like a router
22:51 < prelude2004c> i control the source and destination
22:52 < pekster> Set up a generic server and issue static IPs if knowing them in advance is so important
22:52 < pekster> Or log the connections
22:52 < pekster> !static
22:52 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
22:52 < prelude2004c> no i dont have to know them….. i dont’ mind using dhcp
22:52 < pekster> (mind the part about reducing the pool range of you'll possibly have unplesant surprises)
22:52 < prelude2004c> and then just cat the log file
22:52 < prelude2004c> i am ok with that
22:53 < pekster> OpenVPN doens't use DHCP -- it issues them out of a pool, or statically. DHCP only comes into play if you're bridging
22:53 < prelude2004c> right .. ok so out of a pool is fine
22:53 < prelude2004c> i can set that pool range.
22:54 -!- krkhan [~krkhan@2601:8:9780:4f9:d12d:179e:9fd4:b3b6] has quit [Quit: Converting the Comcast crap into a bridge]
22:55 < pekster> There's the --client-connect hook for logging, though if you want to log IPs in a way you can more easily dig them out by time, I have this as an option: https://github.com/QueuingKoala/openvpn-db-log
22:55 <@vpnHelper> Title: QueuingKoala/openvpn-db-log · GitHub (at github.com)
22:56 < cheesenbiscuts> hello everybody
22:56 < cheesenbiscuts> I'm importing a static key into a mikrotik router as an openvpn client...
22:57 < cheesenbiscuts> I can't import the client.key and from what I've read here: http://forum.mikrotik.com/viewtopic.php?f=2&t=53110
22:57 <@vpnHelper> Title: MikroTik RouterOS View topic - [SOLVED] Can't import client private key for OVPN (at forum.mikrotik.com)
22:57 < cheesenbiscuts> Haha... I'm looking at the same forum post...
22:58 < cheesenbiscuts> anyway, openvpn throws an error converting the key from .key to .pem
22:58 < cheesenbiscuts> C:\easy-rsa>openssl rsa -in Wdc.key -out Wdc.pem
22:58 < cheesenbiscuts> unable to load Private Key
22:58 < cheesenbiscuts> 5424:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expect
22:58 < cheesenbiscuts> ing: ANY PRIVATE KEY
22:58 < pekster> A static key is not an X.509 private key (which in reality is an RSA key *pair*)
22:59 < pekster> Static keys are not "converted" -- they're merely used
22:59 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 246 seconds]
22:59 < cheesenbiscuts> ahh, so as I don't have access to the private key (i'm using a commercial vpn product) I can't do anything?
23:00 < pekster> If you're using a static key, you need a copy of it
23:00 < pekster> static key is _not_ the same as a private key component of an asymmetric keypair
23:00 < pekster> If you want to rename a file, the `mv` command does that on Unix
23:01 < cheesenbiscuts> ok.
23:01 < pekster> Call your private key .mp3 if it suits you
23:02 < cheesenbiscuts> will renaming the extension fix the import issue?
23:02 < pekster> No idea; depends on what this "import" business is doing
23:02 < pekster> OpenVPN doesn't have any care in the world what you call the files you pass it
23:02 < cheesenbiscuts> true, but routeros might
23:02 < pekster> Then consult its documentation?
23:03 < cheesenbiscuts> it's documentation is vague at best
23:03 < pekster> Bummer.
23:03 < cheesenbiscuts> I think it'd work fine if you were generating your own keys. not when you've only got access the public key
23:04 < cheesenbiscuts> sorry static key
23:05 < prelude2004c> pekster —> http://pastebin.com/2GMk2tH4   . Can you please look at that and tell me what it should look like for my simple config. Basically, give users an IP , use BF encryption for the tunnel but try to have everything else off. I want to make it as easy on the CPU as possible.
23:05 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:07 < pekster> Lines 18/19 are probably worthless (don't use persist-ip -- if you want static IPs, read !static)
23:07 < pekster> I'd suggest you don't use line 23 (read !dupe for alternatives if you actually have >1 client using the same cert)
23:07 -!- ShadniX [dagger@p5DDFCB7C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:08 < pekster> Don't disable packet authentication unless you actually want MITM to be able to tamper with your packets. Remove line 39 unless you Know What You're Doing
23:08 < pekster> You probably want to remove line 40 as well unless you have good reason to mess with it yourself
23:09 < pekster> Also, rip out lines 43, and 46
23:09 < pekster> Best to keep the renegotation in too, so remove line 45. That's only once per hour, though you can incraese it if you want
23:09 -!- ShadniX [dagger@p5481C028.dip0.t-ipconnect.de] has joined #openvpn
23:10 < prelude2004c> it is the same key for everyone
23:11 < pekster> Duplicate that on the client side. Also, lines 50, 67, and 69 are worthless as line 11 pushes them
23:12 < prelude2004c> !dupe
23:12 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
23:13 < prelude2004c> remember, the only purpose of this whole thing is to somewhat encrypt the tunnel I don’t really care how secure it is
23:13  * pekster shrugs. Still no reason to supply params you don't need
23:13 < pekster> Makes live painful if you ever change things as you need to do more work
23:13 < pekster> Suit yourself though
23:13 < prelude2004c> packet inspection.. what line is that ?
23:13 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:19 < prelude2004c> ok so, i did everything you said.  Without VPN i get 4MB/s on my test connection. With VPN i get less than 2MB/s
23:19 < prelude2004c> i loose 50%
23:22 -!- krkhan [~krkhan@2601:8:9780:4f9:d12d:179e:9fd4:b3b6] has joined #openvpn
23:22 < krkhan> Okay, instead of calling comcast I tried pushing the route on a client directly
23:22 < krkhan> Like this
23:23 < krkhan> Laptop A <-> Router A (Server) <-> Internet <-> Router B (Client) <-> Laptop B
23:23 < krkhan> So router A and router B are connected with tun
23:23 < krkhan> both can ping each other
23:23 < krkhan> Router B can ping Router A's lan address as well
23:24 < krkhan> When Router B pings Laptop A, the ping reaches laptop A, and the response goes back until router A
23:24 < krkhan> which is the openvpn server
23:24 < krkhan> where it is dropped
23:24 <@krzee> !serverlan
23:24 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
23:24 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
23:24 <@krzee> probably this:
23:24 <@krzee> !route_outside_ovpn
23:25 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
23:25 < krkhan> 06:20:43.725996 IP 10.8.0.6 > 10.0.0.13: ICMP echo request, id 10627, seq 4, length 64
23:25 < krkhan> 06:20:43.736871 IP 10.0.0.13 > 10.8.0.6: ICMP echo reply, id 10627, seq 4, length 64
23:25 < krkhan> 06:20:43.736995 IP 10.0.0.100 > 10.0.0.13: ICMP 10.8.0.6 protocol 1 port 38364 unreachable, length 92
23:26 < krkhan> this is the tcpdump at the openvpn server
23:26 < krkhan> which has a lan address of 10.0.0.100
23:26 <@krzee> did you read my doc?
23:26 < krkhan> yes
23:26 < krkhan> i think the red arrow of response is not red in my case
23:26 <@krzee> k, now focus on the lan on the server side and follow the flowchart
23:27 < krkhan> i added the route to 10.0.0.13
23:27 <@krzee> on the router?
23:27 <@krzee> for the vpn subnet?
23:27 < krkhan> route add -net 10.8.0.0/24 gw 10.0.0.100
23:27 < krkhan> on the laptop A
23:27 < krkhan> yes
23:27 < krkhan> 10.8.0.0 is the vpn subnet
23:27 < krkhan> and 10.0.0.100 is the vpn server's lan address
23:28 < krkhan> so the icmp response makes it back to the vpn server
23:28 <@krzee> what is the address of the default gateway for the lan?
23:28 < krkhan> it is 10.0.0.1
23:28 <@krzee> on 10.0.0.1 you added that route?
23:29 < krkhan> i cannot, it's a comcast device. to work *around* that i added the route to the target device manually
23:29 <@krzee> ahh ok
23:29 < krkhan> so instead of it sending the response to 10.0.0.1 which would forward it to 10.0.0.100
23:29 < krkhan> i added it directly
23:29 <@krzee> got ya
23:29 < krkhan> so 10.0.0.13 receives icmp request
23:29 < krkhan> sends it back to 10.0.0.100
23:29 < krkhan> which receives the response
23:29 < krkhan> but for some reason drops it
23:29 <@krzee> tcpdump on .13 shows stuff?
23:29 < krkhan> i think i'm messing the iptables masquerade
23:29 < krkhan> yes
23:30 < krkhan> 06:20:43.725996 IP 10.8.0.6 > 10.0.0.13: ICMP echo request, id 10627, seq 4, length 64
23:30 < krkhan> 06:20:43.736871 IP 10.0.0.13 > 10.8.0.6: ICMP echo reply, id 10627, seq 4, length 64
23:30 < krkhan> 06:20:43.736995 IP 10.0.0.100 > 10.0.0.13: ICMP 10.8.0.6 protocol 1 port 38364 unreachable, length 92
23:30 <@krzee> oh dont masquerade at all
23:30 < krkhan> this is on 13
23:30 < krkhan> *sorry
23:30 < krkhan> this is on 10.0.0.100
23:30 < krkhan> it shows the reply coming back from 13
23:30 <@krzee> iptables-save
23:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
23:33 < krkhan> krzee: https://gist.github.com/krkhan/84fe0293d22074ba96a5
23:33 <@vpnHelper> Title: iptables-save (at gist.github.com)
23:35 <@krzee> omfg eye bleach
23:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
23:39 < krkhan> yup openwrt does that
23:39 < krkhan> although the important one is just the first line
23:39 < krkhan> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tap0 -j MASQUERADE
23:40 <@krzee> why do you have that?
23:41 < krkhan> so that the router would forward 10.8.0.0/24 traffic to tap0?
23:41 < krkhan> actually, should be using -d
23:41 < krkhan> iptables -t nat -A POSTROUTING -d 10.8.0.0/24 -o tap0 -j MASQUERADE
23:42 < krkhan> but icmp replies still get dropped
23:42 < cheesenbiscuts> ohhh masquerade...
23:42 < cheesenbiscuts> what's the deal?
23:43 < krkhan> to summarize: 10.0.0.100 can ping 10.8.0.6
23:43 < krkhan> 10.0.0.13 wants to send icmp reply back to 10.8.0.6
23:44 < krkhan> i added a route at 10.0.0.13: route add -net 10.8.0.0/24 gw 10.0.0.100
23:44 < krkhan> now the icmp reply makes it back to 10.0.0.100
23:44 < krkhan> but it doesn't make it to 10.8.0.6
23:44 < krkhan> "iptables -t nat -A POSTROUTING -d 10.8.0.0/24 -o tap0 -j MASQUERADE" doesn't help
23:45 <@krzee> its lan traffic being masq'ed
23:45 <@krzee> guard your MASQ rules
23:45 <@krzee> source network not to dest network -- masq
23:45 <@krzee> protect the traffic you dont want to nat from the nat rules
23:55 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has joined #openvpn
23:59 -!- cheesenbiscuts [~cheesenbi@203.106.79.166] has quit [Remote host closed the connection]
23:59 -!- cheesenbiscuts [~cheesenbi@203.106.79.166] has joined #openvpn
--- Day changed Sun Sep 21 2014
00:04 < prelude2004c> hey guys… so  i think pekster went to bed
00:05 < prelude2004c> anyone can help… so basically direct download on a dual core xeon system 2.2Ghz i believe.. i get 40MB/s
00:05 < prelude2004c> running a vpn tunnel i get 4MB/s
00:05 < prelude2004c> anyone know why such a drop?
00:05 < prelude2004c> i am using BF as cipher
00:06 < prelude2004c> CPU shows 20%
00:08 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:09 < cheesenbiscuts> what os?
00:10 < prelude2004c> checking..
00:10 < prelude2004c> CENTOS 6.5
00:11 < cheesenbiscuts> what's 'top' command say?
00:12 < prelude2004c> only 20% usage on the cpu
00:12 < cheesenbiscuts> openvpn server?
00:12 < prelude2004c> load is 0.03
00:13 < prelude2004c> server seems to be doing nothing :(
00:13 < cheesenbiscuts> yep
00:14 < prelude2004c> so why the drop in BW ?
00:14 < cheesenbiscuts> hangon, are you the server or the client?
00:14 < prelude2004c> i am at such a loss
00:14 < prelude2004c> client
00:14 < prelude2004c> well both
00:14 < prelude2004c> i control both
00:14 < cheesenbiscuts> how do you know your server has enough bw?
00:14 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
00:14 < prelude2004c> yes server is connected on a 1Gbit/s link
00:15 < prelude2004c> all available
00:15 < cheesenbiscuts> are they directly connected to each-other?
00:15 < prelude2004c> no via the internet
00:15 < prelude2004c> but when i run a speed test “ curl file “ from the same ip , same server , via the same path .. the speed is 40MB/s
00:16 < prelude2004c> soon as i turn on vpn, same path it goes to 4MB/s
00:16 < cheesenbiscuts> can you run without encryption for testing?
00:16 < prelude2004c> yup.
00:16 < prelude2004c> one sec
00:16 < sudormrf> hey guys, I am having trouble creating a new cert and key file for a new device.  when I run the build-key-pass it tells me to run clean-all.  but wouldn’t that wipe out all the preexisting items that other clients are already using?
00:17 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
00:17 < cheesenbiscuts> you should be running: build-key-pass (client name)
00:18 < prelude2004c> done.. same
00:18 < sudormrf> cheesenbiscuts: that is what I was doing.  sorry for omitting it from my sentence above
00:18 < prelude2004c> cheesenbiscuts, seems that its even lower :) with cipher none
00:18 < cheesenbiscuts> prelude2004c - hmmm ok, so the problem isn't encryption
00:19 < cheesenbiscuts> sudormrf - run vars again, then try.
00:19 < sudormrf> cheesenbiscuts: doing that now. :)  sec.
00:19 < prelude2004c> right.. i dont know what it is :(
00:20 < cheesenbiscuts> what protocol prelude2004c?
00:20 < prelude2004c> udp
00:20 < cheesenbiscuts> wanna try swapping it over?
00:20 < prelude2004c> tried tcp.. about the same
00:20 < cheesenbiscuts> ok...
00:21 < prelude2004c> not sure what the limit on the server could be
00:21 < prelude2004c> cpu at 20% .. so
00:21 < prelude2004c> it’s not that
00:21 < prelude2004c> i dont’ get it
00:21 < cheesenbiscuts> lzo on or off?
00:21 < sudormrf> cheesenbiscuts: hmm.  ok.  so I tweaked some things, getting a different message now.  now I get “pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/keys
00:21 < sudormrf> Try pkitool --initca to build a root certificate/key.” the files in that dir are as follows: ca.crt, dh1024.pem, server.crt, server.key
00:22 < sudormrf> just ran that command
00:22 < sudormrf> let me try it again
00:22 < sudormrf> the one it was telling me to run
00:23 < cheesenbiscuts> you've already generated keys haven't you sudormrf?
00:23 < sudormrf> cheesenbiscuts: there was no ca.key in that directory.  not sure if server.key should be named ca.key :S
00:23 < cheesenbiscuts> prelude2004c - lzo on or off?
00:23 < cheesenbiscuts> sudormfr - please explain what you're tying to do exactly.
00:24 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has quit [Quit: I'm Dr. Rockso, the rock n' roll clown! I do cocaine! C-c-c-c-yeah!]
00:24 < prelude2004c> lzo is off.. well i don’t have it as supported
00:24 < prelude2004c> so its def off.. compiled with lzo disabled
00:24 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has joined #openvpn
00:26 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:26 < prelude2004c> any ideas?
00:26 < cheesenbiscuts> prelude2004c - I'm reading a guide here which says to try adding comp-lzo to the udp server .conf file. how do you compile without lzo?
00:27 < sudormrf> cheesenbiscuts: sorry.  ok here is exactly what is going on.  I have amahi installed on my server.  I used their installation of openvpn.  because of that, things are in different places than they should be.  there are default certificates that can be found that were generated by installing the amahi openvpn app, however I would like to be able to have multiple clients logged in at once, each client using their own certificate.  I am trying to
00:27 < sudormrf> generate a new certificate for a client as a test.  I was able to generate them earlier and I tested from an iOS client, however I was getting an error in the syslog of the server that indicated there was a certificate problem “TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned”
00:27 < sudormrf> trying to get that going
00:27 < prelude2004c> Options error: Unrecognized option or missing parameter(s) in main.conf-tun:43: comp-lzo (2.3.4)
00:27 < prelude2004c> Use --help for more information.
00:28 < prelude2004c> i turned it off
00:29 < cheesenbiscuts> hangon...
00:31 < cheesenbiscuts> I've never heard of Amahi
00:31 < sudormrf> cheesenbiscuts: Amahi is a sort of add on thing for ubuntu/fedora.  includes a bunch of packages for creating a NAS type thing
00:32 < sudormrf> sort of like openmediavault (have you heard of this one?)
00:32 < cheesenbiscuts> I use freenas. I assume it's similar?
00:33 < prelude2004c> is LZo a good or bad thing?
00:33 < sudormrf> ah.  along the same lines
00:33 < prelude2004c> i was told lzo uses up more cpu power
00:33 < cheesenbiscuts> LZO is good...
00:33 < prelude2004c> now reading it says it may speed things up
00:33 < prelude2004c> hum..
00:33 < cheesenbiscuts> you've got shite loads of cpu available...
00:34 < sudormrf> cheesenbiscuts: amahi has these click to install package things in their app store.  openvpn is one of them.  so basically it installs everything for you, but it appears that it is installing the stuff in non-standard locations.  so I think that is why I am running in to issues generating the certificate
00:34 < cheesenbiscuts> right...
00:34 < cheesenbiscuts> did you have to generate keys yourself?
00:35 < sudormrf> cheesenbiscuts: the ones that I use now? no.  they look to be generated at time of install without user interaction
00:35 < cheesenbiscuts> hmmm...
00:36 < sudormrf> if it helps, this particular amahi install is installed on top of ubuntu
00:36 < cheesenbiscuts> can you find where the files (keys, certificates, etc) are installed on amahi install?
00:36 < sudormrf> like where they live?
00:36 < sudormrf> they look to be in /etc/openvpn/amahi
00:37 < sudormrf> well in that directory
00:37 < sudormrf> are the following files
00:37 < sudormrf> ca.crt, dh1024.pem, server.crt, server.key
00:38 < cheesenbiscuts> okdokie
00:38 < cheesenbiscuts> any other files? like... build-key-pass, vars, build-ca etc?
00:39 < sudormrf> cheesenbiscuts: the only place I see those is /usr/share/doc/openvpn/easy-rsa/2.0/
00:40 < cheesenbiscuts> hmm....
00:41 < cheesenbiscuts> thing is... would it be easier to build new keys and overwrite the existing keys or try and get the old keys working - as I'm not familar with that setup.
00:42 < sudormrf> cheesenbiscuts: ideally I would like to keep the current keys
00:42 < cheesenbiscuts> does the gui have an interface for generating more keys?
00:43 < sudormrf> cheesenbiscuts: unfortunately not (I am going to suggest one)
00:43 < cheesenbiscuts> :(
00:45 < cheesenbiscuts> what does the home directory and keys directory say in your vars file?
00:45 < sudormrf> let me check the example location.  the vars file does not exist in /etc/openvpn :S
00:46 < sudormrf> that didn’t help.  those are just the default files
00:47 < sudormrf> saying `pwd`
00:47 < sudormrf> let me search the computer for anything else called vars
00:47 < sudormrf> cheesenbiscuts: do you think it would be easier to start from scratch?
00:47 < sudormrf> meaning regenerate everything?
00:48 < cheesenbiscuts> yes.
00:48 < sudormrf> I am trying to find where the openvpn app installs to.  that way I may be able to locate some conf file that I am missing that could help us figure out what is going on
00:49 < cheesenbiscuts> It sounds like a bunch of scripts run that setup everything for you. why would they limit you to only 1 client?
00:50 < sudormrf> cheesenbiscuts: I don’t think they are limiting you on purpose.  I don’t think they planned for this
00:51 < cheesenbiscuts> ok.
00:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
00:53 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 246 seconds]
00:54 < sudormrf> hmm.  not turning up anything new
00:54 < sudormrf> hmm
00:54 < sudormrf> could we try regenerating them and having them drop in to the /etc/openvpn/amahi directory?
00:56 < cheesenbiscuts> is that where they are now?
00:56 < sudormrf> correct
00:57 < sudormrf> I just created a subdirectory in there called “backup” and copied all the stuff in /etc/openvpn/amahi to that subdirectory so if anything goes wrong it won’t be complicated to revert
00:57 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
00:57 < cheesenbiscuts> sounds good
00:58 < cheesenbiscuts> did you try the amahi forums?
00:58 < sudormrf> ok just did source ./vars, then ./clean-all
00:58 < cheesenbiscuts> there is a lot of good info on there.
00:58 < sudormrf> cheesenbiscuts: not yet.  I am in their IRC channel talking to the lead developer
00:58 < cheesenbiscuts> okdokie
01:00 < cheesenbiscuts> I'd be starting around here if you already have the packages installed: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
01:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
01:00 < sudormrf> cheesenbiscuts: running through this: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing#awesm=~oBvYD8BOiTdCQN
01:01 < cheesenbiscuts> this would probbably help too as it's spercific to centos: https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
01:01 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on CentOS 6 | DigitalOcean (at www.digitalocean.com)
01:03 < sudormrf> cheesenbiscuts: I am using ubuntu :)
01:04 < sudormrf> looking at this now I think I may understand where the problem is
01:04 < cheesenbiscuts> sorry...my mistake
01:04 < cheesenbiscuts> where's the problem?
01:04 < sudormrf> hang on.  let me test it first.  if this works, I am a colossal idiot :D
01:04 < sudormrf> lel
01:10 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
01:13 < sudormrf> copying the ovpn file now
01:15 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
01:19 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 272 seconds]
01:40 < sudormrf> cheesenbiscuts: last question
01:40 < sudormrf> maybe :D
01:45 < sudormrf> connection may drop.  brb
01:47 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has quit [Read error: Connection reset by peer]
01:48 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has joined #openvpn
01:54 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c]
01:59 < sudormrf> ok
01:59 < sudormrf> cheesenbiscuts: still around?
02:01 < cheesenbiscuts> back from lunch
02:01 < cheesenbiscuts> what's up?
02:03 < KNERD> on the "OpenVPN for Android," is there no method to to start it on boot and load a profile?
02:05 < KNERD> i see it has the permissions to do startup
02:07 < cheesenbiscuts> I have guizmoOVPN which i belive is simlar?
02:11 -!- almostworking [~almostwor@unaffiliated/almostworking] has left #openvpn ["Leaving"]
02:14 < KNERD> i found it...
02:15 < KNERD> obscure menu item.
02:15 < sudormrf> cheesenbiscuts: sorry having one last issue
02:15 < sudormrf> got all but one client connected
02:15 < sudormrf> using fedora 20 and the openvpn package in network manager
02:16 < cheesenbiscuts> ok...
02:16 < sudormrf> can’t seem to get the connection to establish.  syslog on vpn server says “TLS error: cannot locate HMAC in incoming packet from [AF_NET]…”
02:17 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
02:17 < sudormrf> not sure how to correct that
02:18 < cheesenbiscuts> so, it's not connecting at all?
02:19 < sudormrf> with this particular client, no.  I know I must be missing something.
02:19 < cheesenbiscuts> check your connection.
02:19 < cheesenbiscuts> can you ping the server?
02:20 < cheesenbiscuts> brb...
02:20 < sudormrf> on the remote end?  if so the server is live
02:20 < sudormrf> k
02:20 -!- cheesenbiscuts [~cheesenbi@203.106.79.166] has quit [Remote host closed the connection]
02:21 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Read error: Connection reset by peer]
02:21 < sudormrf> solved.  I am an idiot again :D
02:21 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:22 < KNERD> https://www.youtube.com/watch?v=L3R2Lm5kh-E
02:22 <@vpnHelper> Title: The Idiot Choir - YouTube (at www.youtube.com)
02:22 < sudormrf> KNERD: thanks ;D
02:22 < sudormrf> lol
02:22 < KNERD> anytime
02:22 < sudormrf> hah
02:26 < sudormrf> ok.  going to hit the hay.  thank you again cheesenbiscuits.
02:26 < sudormrf> and you KNERD ;D
02:26 < sudormrf> laters
02:26 < KNERD> see ya...2:30 here
02:26 < KNERD> AM
02:26 < krkhan> what could be the reason for an icmp packet going in one side of the tunnel and never making it out of the other side?
02:26 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has quit [Quit: I'm Dr. Rockso, the rock n' roll clown! I do cocaine! C-c-c-c-yeah!]
02:26 < krkhan> tcpdump at client shows the packet
02:27 < krkhan> tcpdump at server end of the tunnel shows other things but not this packet
02:27 < krkhan> if firewall was blocking the packet i would at least see it in tcpdump, right?
02:32 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 272 seconds]
02:35 -!- cirkit [dethwish@peanut-butter.net] has joined #openvpn
02:36 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
02:38 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
02:41 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 245 seconds]
02:46 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
03:01 -!- Envil [~meep@95.211.26.40] has joined #openvpn
03:29 -!- krkhan [~krkhan@2601:8:9780:4f9:d12d:179e:9fd4:b3b6] has quit [Quit: Leaving]
03:34 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
03:36 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
03:37 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
03:45 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
03:48 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 272 seconds]
03:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:04 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 246 seconds]
04:13 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:32 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
04:39 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 260 seconds]
04:42 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
04:46 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Read error: Connection reset by peer]
04:47 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
04:49 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
05:10 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
05:12 -!- eddq [~eddq@li645-74.members.linode.com] has joined #openvpn
05:12 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 246 seconds]
05:13 < eddq> !welcome
05:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
05:13 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:13 < eddq> !howto
05:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
05:13 < eddq> !goal
05:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:14 < eddq> !firewall
05:14 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
05:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:20 -!- eddq [~eddq@li645-74.members.linode.com] has quit [Remote host closed the connection]
05:38 -!- Tuju [~tuju@214.204.50.195.sta.estpak.ee] has joined #openvpn
05:38 < Tuju> any idea why my packets won't come out from tunnel? They do enter to it at other end.
05:39 < Tuju> i can see entering with wireshark, but nothing comes out at other end.
05:44 -!- u0m3_ [~u0m3@92.80.106.41] has joined #openvpn
05:47 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 260 seconds]
06:08 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
06:25 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 272 seconds]
06:31 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:02 -!- nvdpl_ [~textual@81.15.254.82] has joined #openvpn
07:04 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 240 seconds]
07:08 -!- nvdpl [~textual@46.205.121.86.nat.umts.dynamic.t-mobile.pl] has joined #openvpn
07:10 -!- nvdpl_ [~textual@81.15.254.82] has quit [Ping timeout: 260 seconds]
07:11 < jzaw> Tuju, do you see encapsulated pkts going to your openvpn endpoint ?
07:11 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has joined #openvpn
07:11 < Tuju> jzaw: haven't checked
07:12 < Tuju> now i managed to get some progress, some packets come out of tunnel, but still wont receive response packets.
07:12 < jzaw> well before they can exit the endpoint (be decripted) theyd have to reach it
07:12 -!- u0m3_ [~u0m3@92.80.106.41] has quit [Ping timeout: 240 seconds]
07:13 < Tuju> jzaw: i was able to ping the server-end 10.8.0.1 from client, even from lan client so tunnel must be working.
07:14 -!- nvdpl [~textual@46.205.121.86.nat.umts.dynamic.t-mobile.pl] has quit [Ping timeout: 272 seconds]
07:14 -!- u0m3__ [~u0m3@92.80.106.41] has joined #openvpn
07:15 < Tuju> i like a lot how 'simple' openvpn appears to be, just if I would get it working.
07:16 < Tuju> especially it's seems simple and easy on areas where typically there is a lot of pain, like certs.
07:17 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
07:21 < Tuju> hmm.... i think....it might work now.
07:21 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:57 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has quit [Read error: Connection reset by peer]
08:01 < Tuju> yeah, it works now. you guys don't know how long i've been planning to do this.
08:01 < Tuju> damn it feels good to get tunnels running!
08:06 < Tuju> jzaw: thanks for helping. Good that someone at least tries. :)
08:31 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 245 seconds]
08:36 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
09:09 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
09:11 -!- knob [~knob@adsl-72-50-81-13.prtc.net] has joined #openvpn
09:12 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
09:12 -!- Pyrogerg [~Gregory@75-173-111-87.albq.qwest.net] has joined #openvpn
09:26 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:35 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:59 -!- Prelude2004c [~Prelude20@dsl-67-55-28-3.acanac.net] has joined #openvpn
10:10 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:17 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
10:17 < ayaka> I know there is static key, but it has too much limit
10:18 < ayaka> could I use static key to do key exchange?
10:18 < ayaka> starting static connection first, then key exchange in that connection
10:38 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:46 -!- knob [~knob@adsl-72-50-81-13.prtc.net] has quit [Quit: Leaving]
10:52 -!- Wurst is now known as mz
10:54 -!- Pyrogerg [~Gregory@75-173-111-87.albq.qwest.net] has quit [Ping timeout: 258 seconds]
10:57 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
11:03 -!- Pyrogerg [~Gregory@75-173-111-87.albq.qwest.net] has joined #openvpn
11:10 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 272 seconds]
11:13 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:30 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
11:37 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
12:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:21 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:26 <@krzee> ayaka, no
12:27 <@krzee> although you could write your own app to swap static keys for freshly generated, and then trigger restarts on both sides to switch over (or you could just use certs)
12:27 <@krzee> <Tuju> especially it's seems simple and easy on areas where typically there is a lot of pain, like certs.
12:27 <@krzee> Tuju, openvpn doesnt actually make certs
12:28 <@krzee> openssl does. people have written tools such as easy-rsa and ssl-admin to generate the certs, these are not part of openvpn, but they are definitely on-topic here
12:32 -!- evil_andy|away is now known as evil_andy
12:45 -!- Pyrogerg [~Gregory@75-173-111-87.albq.qwest.net] has quit [Ping timeout: 245 seconds]
12:46 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
12:46 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
12:46 < d10n> !welcome
12:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
12:46 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:46 < d10n> !goal
12:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:47 < d10n> !mitm
12:47 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
12:47 < d10n> !heartbleed
12:47 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
12:47 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
12:50 < d10n> !interface
12:50 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For Linux:
12:50 <@vpnHelper> iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
12:50 < d10n> !route
12:50 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:51 < d10n> !/30
12:51 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
12:51 < d10n> !topology
12:51 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:51 < d10n> !iporder
12:51 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
13:01 < d10n> !tcpip
13:01 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
13:10 -!- Mimiko [~Mimiko@89.28.88.177] has joined #openvpn
13:14 -!- JRL [~jrl@207.96.146.194] has left #openvpn ["PART #openvpn-as :PING 1411323258"]
13:17 -!- hays [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
13:20 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
13:20 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:36 -!- Mimiko [~Mimiko@89.28.88.177] has quit []
13:52 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
13:54 -!- theTroy [~troy@unaffiliated/thetroy] has quit [Ping timeout: 246 seconds]
14:03 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
14:19 < WinstonSmith> hi #openvpn! i have the following setup: a friends server is the OVPN server. my homeserver with a bridged OVPN client connects to it. so all boxes in my lan have transparent access to that server. that worked wonderfully for month. however since about 3 weeks its gotten slow. it is only the VPN conn., if i download stuff from that server over for example http it saturates my downlink. OVPN gives my about 150-250 kb. any ideas?
14:23 < WinstonSmith> the is no connection problem, connection establishes itself quickly, no dropped packets etc. i am stumped why this happens. as i said, it worked fine for months. using all available bandwidth
14:25 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
14:27 < WinstonSmith> so any ideas to further diagnose the issue?
14:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:46 -!- prelude2004c_ [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
15:12 -!- Prelude2004c [~Prelude20@dsl-67-55-28-3.acanac.net] has quit []
15:13 -!- u0m3 [~u0m3@92.80.106.16] has joined #openvpn
15:16 -!- u0m3__ [~u0m3@92.80.106.41] has quit [Ping timeout: 244 seconds]
15:17 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: ZNC - http://znc.in]
15:20 -!- prelude2004c_ [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c_]
15:21 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
15:33 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
15:39 < KNERD> WinstonSmith: how about using compression?
15:41 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
15:49 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
16:06 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Remote host closed the connection]
16:17 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Read error: Connection reset by peer]
16:18 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:21 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
16:22 < WinstonSmith> KNERD: hi sorry was afk
16:22 < WinstonSmith> KNERD: i tried with/without, with the same result
16:30 -!- mz|` [~emerick@unaffiliated/mz/x-5510238] has joined #openvpn
16:31 -!- shio [marmot@48.121.101.84.rev.sfr.net] has quit [Ping timeout: 272 seconds]
16:31 -!- Envil [~meep@95.211.26.40] has quit [Ping timeout: 272 seconds]
16:31 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 272 seconds]
16:31 -!- mz [~emerick@unaffiliated/mz/x-5510238] has quit [Ping timeout: 272 seconds]
16:31 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
16:36 -!- Envil [~meep@95.211.26.40] has joined #openvpn
16:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
16:45 -!- krkhan [~krkhan@2601:8:9780:4f9:d12d:179e:9fd4:b3b6] has joined #openvpn
16:46 < krkhan> If I'm not using client cert auth (in favor of username/password auth), is there still a way of associating an iroute with a client?
16:46 < krkhan> The server fails doesn't have a CN for the client and therefore doesn't lookup the associated file in ccd
16:48 < krkhan> I cannot specify --iroute at the command line when launching the server
16:48 < krkhan> Any other ideas?
16:48 < pekster> krkhan: Read --username-as-common-name in the manpage
16:50 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
16:51 -!- shio [marmot@48.121.101.84.rev.sfr.net] has joined #openvpn
16:51 < krkhan> perfect, thanks!
16:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:59 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:10 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 245 seconds]
17:11 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c]
17:18 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
17:19 -!- cirkit [dethwish@peanut-butter.net] has quit [Read error: Connection reset by peer]
17:21 -!- mz|` [~emerick@unaffiliated/mz/x-5510238] has quit [Ping timeout: 245 seconds]
17:21 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 245 seconds]
17:47 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has left #openvpn []
17:51 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
17:59 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has joined #openvpn
18:02 -!- krkhan [~krkhan@2601:8:9780:4f9:d12d:179e:9fd4:b3b6] has quit [Quit: Leaving]
18:05 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
19:01 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:08 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 246 seconds]
19:21 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 260 seconds]
19:26 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
19:27 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:54 -!- arescorpio [~arescorpi@155-27-245-190.fibertel.com.ar] has joined #openvpn
19:59 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:03 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has joined #openvpn
20:15 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
20:16 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:20 -!- nath_schwarz [~nath_schw@p54A323B8.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
20:28 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
21:01 -!- prelude2004c [~sandro@dsl-67-55-28-3.acanac.net] has quit [Quit: prelude2004c]
21:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:03 <@krzee> WinstonSmith,
22:03 <@krzee> !speed
22:03 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
22:03 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
22:22 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:25 -!- theTroy [~troy@unaffiliated/thetroy] has joined #openvpn
22:30 < ayaka> krzee, thank you
22:33 -!- arescorpio [~arescorpi@155-27-245-190.fibertel.com.ar] has quit [Excess Flood]
22:33 <@krzee> not sure for what, but yw
22:46 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Ping timeout: 244 seconds]
22:48 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
22:59 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:08 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:08 -!- ShadniX [dagger@p5481C028.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:09 -!- ShadniX [dagger@p5481D1F9.dip0.t-ipconnect.de] has joined #openvpn
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
--- Day changed Mon Sep 22 2014
00:01 -!- raspberrypifan [~raspberry@186.42.33.108] has joined #openvpn
00:14 -!- raspberrypifan [~raspberry@186.42.33.108] has quit []
00:20 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 244 seconds]
01:02 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
01:07 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
01:07 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:07 -!- mode/#openvpn [+v s7r] by ChanServ
01:10 -!- prelude2004c [~sandro@24.114.72.239] has joined #openvpn
01:33 < ayaka> there are two openvpn services in the same server
01:33 < ayaka> could I make a client of a service to access the client of the other service
01:34 < ayaka> client-to-client is not what I want as it only works for the same service
01:38 -!- prelude2004c [~sandro@24.114.72.239] has left #openvpn []
01:48 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
02:04 -!- fluter [~fluter@fedora/fluter] has joined #openvpn
02:10 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:24 -!- theTroy [~troy@unaffiliated/thetroy] has quit [Remote host closed the connection]
02:51 -!- Cybertinus [~Cybertinu@cybertinus.customer.cloud.nl] has quit [Ping timeout: 245 seconds]
02:52 -!- plai is now known as plaisthos
02:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
03:00 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
03:04 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
03:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:05 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Client Quit]
03:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:07 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:20 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Read error: Connection reset by peer]
03:25 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
04:13 < Tuju> my friend is in china, is there an easy way to give him a configuration to android?
04:13 < Tuju> any tools to generate such config?
04:13 < Tuju> my server is already up-n-running
04:15 <@plaisthos> test yourself a configuration
04:15 <@plaisthos> and then send it to him
04:15 <@plaisthos> see also !inline
04:28 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
04:33 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
04:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:46 < Tuju> plaisthos: i don't have android here.
05:10 -!- shio [marmot@48.121.101.84.rev.sfr.net] has quit [Disconnected by services]
05:10 -!- shio [marmot@48.121.101.84.rev.sfr.net] has joined #openvpn
05:13 <@plaisthos> Tuju: generate a regular configuration (preferable with inline certificates)
05:13 <@plaisthos> that should work fine
05:27 < Tuju> ack, i try
05:31 -!- SilentKoala [~SilentKoa@boobytrapped.openslowly.com] has joined #openvpn
05:32 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
05:33 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
05:36 < SilentKoala> Good morning. I'm hoping someone can point me in the correct direction. (googling hasn't helped much) I'm wanting to setup one client that randomly picks a new host from a pool of hosts. I see this is possible just by studying the client.conf but I've been unable to find a tutorial. I'm not asking anyone to do it for me, just to point me to a good documented resource, Thank you...
05:44 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
05:56 -!- darxmurf [~darxmurf@68-203.203-62.cust.bluewin.ch] has joined #openvpn
05:56 < darxmurf> hi
05:57 < darxmurf> !Welcome
05:57 <@vpnHelper> "Welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:02 < SilentKoala> !howto
06:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
06:22 -!- DomeMaster [~iain@85.234.150.223] has joined #openvpn
06:22 < DomeMaster> Hi everyone
06:23 < DomeMaster> I'm using openvpn client to connect to a VPN server
06:23 < DomeMaster> I'm noticing ping spikes occasionally
06:23 < DomeMaster> so I thought I'd run a tcpdump experiment
06:23 < DomeMaster> on the tap0 interface and the physical out interface eth0
06:24 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has joined #openvpn
06:24 < DomeMaster> to see if tap0 was the cause of the ping spike.
06:24 < DomeMaster> I used tcpdump for the timestamps
06:24 < DomeMaster> is this a bad idea? Because its not accurate?
06:47 < darxmurf> I have a routing issue, it's weird.
06:48 < darxmurf> My openVPN Server on site A is an Ubuntu machine. From site B, I have a pfSense machine connected to it. when the VPN is up, I can ping machines on Site A from pfSense without problems.
06:49 < darxmurf> but I want all the machines behind the pfSense able to access machines behind the openvpn server
06:50 < darxmurf> but they can only ping the server itself, not others
06:51 < darxmurf> should I add a route or something on server or client side to allow that ?
06:52 -!- almostworking [~almostwor@unaffiliated/almostworking] has left #openvpn ["Leaving"]
06:56 -!- iamtakingiteasy [~Wooga@80.252.155.28] has joined #openvpn
06:56 < iamtakingiteasy> hello, can openvpn be used without any certificates on clientside?
06:56 < iamtakingiteasy> i mean, including ca
06:56 < iamtakingiteasy> is there a way to tell openvpn client to trust any CA?
06:59 < darxmurf> well this sounds strange no ?
06:59 <@plaisthos> iamtakingiteasy: that is like trying https without certificates
06:59 < iamtakingiteasy> yeah
06:59 < iamtakingiteasy> i need the tunneling part
06:59 < iamtakingiteasy> not secure
06:59 <@plaisthos> TLS just does not without certificates
07:00 < iamtakingiteasy> damnit
07:00 < iamtakingiteasy> okay, thanks
07:00 <@plaisthos> if you have unix only you can use gre or something like that
07:00 < SilentKoala> iamtakingiteasy, you're looking for a different type of application for sure
07:00 < iamtakingiteasy> i need to tunnel windows machine
07:00 < iamtakingiteasy> openvpn seems to be most commong software for that task
07:00 < iamtakingiteasy> connecting unix and windwos worlds
07:01 < iamtakingiteasy> behind NATs or other VPNs
07:01 <@plaisthos> yeah
07:01 <@plaisthos> but OpenVPN is build as VPN solution first
07:01 < SilentKoala> well there is stunnel, but that still uses ssl
07:02 <@plaisthos> SilentKoala: stunnel also requires certificates, right? :)
07:02 -!- dazo_afk is now known as dazo
07:02 < SilentKoala> ^
07:02 < iamtakingiteasy> VirtualPrivateNetwork, nothing about security here :)
07:02 <@plaisthos> yeah
07:02 <@plaisthos> still
07:03 < SilentKoala> iamtakingiteasy, what is the use case for NOT having security? I mean, openvpn has made it so simple to use, why the want to NOT be secure?
07:03 <@plaisthos> for p to multipoint in OpenVPN you need TLS which in turn needs at least a server certificate
07:03 < iamtakingiteasy> just some option like "let me blow every bit of security off and use some kind of embedded null-cert" would be nice
07:03 < iamtakingiteasy> SilentKoala: the need to send to client TWO files is troublesome
07:03 <@plaisthos> iamtakingiteasy: nah
07:03 < SilentKoala> o.O
07:03 <@plaisthos> see !inline
07:03 < iamtakingiteasy> eh...
07:03 < iamtakingiteasy> !inline
07:03 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
07:03 < iamtakingiteasy> omg
07:04 < iamtakingiteasy> okay, sorry
07:04 < iamtakingiteasy> i am an idiot
07:04 < SilentKoala> darxmurf, are you asking about bridging?
07:05 -!- DomeMaster [~iain@85.234.150.223] has quit [Ping timeout: 260 seconds]
07:06 < darxmurf> SilentKoala: well, just a solution to make SITE A accessible to SITE B
07:07 < darxmurf> it's almost done ... but I can only access the VPN Server from clients on SITE B
07:09 < SilentKoala> welp, now that people are awake, I'll re-ask my question. I'm looking for documentation / how-to on setting up a single client to to randomly to geographically diverse hosts. I see within the client.conf this can be done, but I'm unsure on how to setup the certs within the client.conf to allow me to connect to different hosts. Seems like I would need a different ca.crt for each server (but maybe that is the key to my confusion)
07:09 <@plaisthos> SilentKoala: remote-random
07:09 <@plaisthos> I am not sure if you can configure --ca on remote basis
07:10 <@plaisthos> I think not
07:10 <@plaisthos> all your servers need to be signed by the same CA
07:10 < SilentKoala> plaisthos, that is what I'm looking for yes, I see the switch within the config, but no howto / docs on how to setup the rest of the config
07:10 <@plaisthos> SilentKoala: just multiple --remote
07:10 <@plaisthos> or multiple <connection> blocks
07:11 < SilentKoala> plaisthos, so, I have a dozen servers, I can connect to each one manually (different config right now)
07:11 <@plaisthos> yeah
07:11 <@plaisthos> unify them
07:11 < SilentKoala> not sure how I go about signing all of the servers with the same ca to be honest
07:11 <@plaisthos> use <connection> for the differences in configuration
07:11 <@plaisthos>       The  following  OpenVPN options may be used inside of a <connec-
07:11 <@plaisthos>               tion> block:
07:12 < SilentKoala> so I need to research that
07:12 <@plaisthos> if your options that differ are not in that list, you are out of luck
07:14 < SilentKoala> is it literally as simple as creating the crt on one server and uploading to the openvpn folder of another server?
07:15 < SilentKoala> or is there other magic I need to do
07:15 <@plaisthos> ?
07:15 <@plaisthos> I am not sure what you are asking
07:17 < SilentKoala> plaisthos, so, if I'm understanding you correct (I'm sorry it's very early here and I'm tired) then what I need to do is create a ca.crt and other associated files on one server and use those on each of the other servers
07:17 < SilentKoala> just not sure if I'm over thinking this or not. Is it literally as easy as creating those files on one server and uploading them to /etc/openvpn on the other servers?
07:18 < SilentKoala> or is there some sort of import process
07:32 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 246 seconds]
07:39 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:42 -!- fluter [~fluter@fedora/fluter] has quit [Ping timeout: 260 seconds]
08:00 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
08:03 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
08:03 < SilentKoala> plaisthos, thanks, I do believe I was able to figure it out with your help
08:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
08:06 < darxmurf> SilentKoala: any idea about this routing issue with my VPN tunnel ?
08:14 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
08:15 < SilentKoala> darxmurf, those kinds of things are very hard to troubleshoot with only a little information given. BUT I can safely say that any time I've ever setup openvpn and it didn't work, it was the FIREWALL or a DNS issue
08:16 < SilentKoala> within the pf firewall make sure it is allowing access to the subnet you want as well as the iptables firewall on the other end (assuming those are the firewalls in question)
08:17 < SilentKoala> then make sure your resolv.conf file has the correct info in it > cat /etc/resolv.conf
08:18 < SilentKoala> sorry, last but not least I've had issues with IPFORWARDING in the past as well
08:19 < SilentKoala> IPForwarding - http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
08:19 <@vpnHelper> Title: How to enable IP Forwarding in Linux - MDLog:/sysadmin (at www.ducea.com)
08:20 < SilentKoala> Howto for setting up IPTABLES (in some cases) - http://www.clearcenter.com/support/documentation/clearos_guides/forcing_openvpn_traffic_for_clients_through_server
08:20 <@vpnHelper> Title: ClearOS Guides | Forcing OpenVPN Traffic For Clients Through Server | ClearCenter Support (at www.clearcenter.com)
08:21 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 272 seconds]
08:21 < SilentKoala> I'm just googling these really quick, you can do the same
08:22 < SilentKoala> Hope that helps...
08:25 < darxmurf> Well, the ip forwarding is enabled, there is no iptables rules
08:25 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
08:25 < darxmurf> from my windows computer I can ping the vpn-server through the pfsense
08:26 < darxmurf> but can't ping the server next to it.
08:26 < darxmurf> but from the pfsense shell I can
08:26 < SilentKoala> create a masq rule from your vpn subnet to the subnet you're looking to access
08:26 < SilentKoala> that was the clearos guide I just pasted
08:27 < SilentKoala> obviously you need to change the info to reflect your networks
08:27 < SilentKoala> fine tune it as needed, meaning restrict it as needed
08:27 < darxmurf> well I don't want to force all the traffic
08:28 < darxmurf> just to link the 2 offices
08:29 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
08:41 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
09:11 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
09:19 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
09:19 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Ping timeout: 246 seconds]
09:27 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
09:31 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:32 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Read error: Connection reset by peer]
09:32 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
09:33 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
09:34 -!- darxmurf [~darxmurf@68-203.203-62.cust.bluewin.ch] has quit [Quit: Leaving.]
09:35 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has joined #openvpn
09:36 < TheSov> Hey, I am setting up some openvpn's in the cloud and I want to join a couple of networks together. I would like to not have to route between them for a seamless network. Is bridge mode my best bet?
09:39 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 272 seconds]
09:43 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
09:46 -!- ylluminate [~ylluminat@199.21.149.125] has joined #openvpn
09:53 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:02 <@ecrist> TheSov: you should route between them
10:02 <@ecrist> the other method is misuing bridging, and just plain lazy
10:10 -!- mapps [~Mark@97e0b9d3.skybroadband.com] has quit [Ping timeout: 258 seconds]
10:13 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
10:27 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
10:27 -!- ylluminate [~ylluminat@199.21.149.125] has quit [Quit: Bye!]
10:39 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:44 < TheSov> ecrist: how can i route with 2 different subnets with the same ip's?
10:45 < havoc> I'd guess you need to 1:1 NAT one of them
10:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:48 < havoc> 1:1 subent mapping, rather
10:49 < havoc> http://openvpn.net/index.php/open-source/faq/77-server/321-remap-local-addresses-to-connect-two-networks-with-an-overlap-in-the-private-address-range.html
10:49 <@vpnHelper> Title: Remap local addresses, to connect two networks with an overlap in the private address range? (at openvpn.net)
10:50 < TheSov> i dont think u guys understand the vm's, same ones are made to move between the vpc's
10:54 < TheSov> thanks for the help
10:54 -!- TheSov [~TheSov4@50-76-75-45-static.hfc.comcastbusiness.net] has quit [Quit: #openvpn]
10:59 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:02 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:16 < Eugene> krzee - /msg utkanos yo
11:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
11:19 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:22 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
11:23 -!- svm_invi1tvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
11:30 -!- dazo is now known as dazo_afk
11:31 -!- Envil [~meep@95.211.26.40] has joined #openvpn
11:36 -!- cktsoi [~cktsoi@123203198062.ctinets.com] has joined #openvpn
11:38 -!- cktsoi [~cktsoi@123203198062.ctinets.com] has quit [Remote host closed the connection]
11:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:52 -!- darxmurf [~darxmurf@68-203.203-62.cust.bluewin.ch] has joined #openvpn
11:52 < darxmurf> hi again
11:58 -!- oniichaNj [~hm@80-69-77-244.colo.transip.net] has joined #openvpn
12:04 < oniichaNj> is there any reason this config http://sprunge.us/RUaC shouldn't work with this server config http://sprunge.us/REPE ? My error message is "MULTI: bad source address from client [10.0.0.150], packet dropped", The server is on FreeBSD and the client is Gentoo GNU/Linux.
12:07 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
12:09 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:09 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has joined #openvpn
12:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
12:14 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
12:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:24 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:28 < svm_invi1tvs> Hello
12:28 < svm_invi1tvs> Got a question that pertains only to Windows clients...
12:34 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:35 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
12:36 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:39 -!- darxmurf [~darxmurf@68-203.203-62.cust.bluewin.ch] has quit [Quit: Leaving.]
12:39 < oniichaNj> Anyone?
12:57 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
12:59 < KNERD> svm_invi1tvs: http://catb.org/~esr/faqs/smart-questions.html
12:59 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
13:00 < oniichaNj> wasn't my question proper, or does no one know
13:00 < oniichaNj> or am i just being rude
13:04 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
13:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
13:06 < KNERD> just being rude, sometimes peolpe don;t knwo they answer, or those who can answer are not here at the moment
13:07 -!- darxmurf [~darxmurf@68-203.203-62.cust.bluewin.ch] has joined #openvpn
13:08 < darxmurf> re
13:08 < oniichaNj> alright
13:08 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:20 < darxmurf> anybody to fight to fix a configuration of 2 networks connected through openvpn ?
13:43 <@ecrist> !route
13:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:43 <@vpnHelper> client
14:00 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 272 seconds]
14:01 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
14:18 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has quit [Quit: If it wasn't for venetian blinds, it would be curtains for all of us.]
14:27 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:47 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
14:48 < brad_mssw> i'm playing with ethernet bridging and openvpn.  I vpn in, and I can ping the ip address of the bridge on the openvpn server from the vpn client, but I cannot ping another machine on that same network.  I can, however ping that other machine from the openvpn server itself.  any idea where to look for this?
14:53 < brad_mssw> i see the arp request come in to tap0 on the server for the address, but no are reply is sent back
14:54 < brad_mssw> i also see the arp request make it to the bridge
14:55 < brad_mssw> the server is rhel7 if that helps
14:57 -!- moonkid [~anonymous@23.124.169.46] has joined #openvpn
15:01 < brad_mssw> the remote machine is receiving and responding to the arp request
15:03 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:06 -!- prelude2004c [~prelude20@internal--router.canaca.com] has joined #openvpn
15:08 < prelude2004c> hi everyone.. good day to you. anyone know why the openvpn log shows Multi: Learn.. ( it is showing hundreds of routes for 1 customer ) .. hwo do i turn that off so it does't discover their internal routers
15:12 < brad_mssw> ack, ignore me ... I'm testing with virtualbox and I had to enable promiscuous mode in there for the bridge to actually forward packets properly
15:19 < darxmurf> time to bed
15:20 < darxmurf> see you tomorrow
15:22 -!- darxmurf [~darxmurf@68-203.203-62.cust.bluewin.ch] has quit [Quit: zzzz]
15:22 < prelude2004c> anyone?
15:22 < prelude2004c> how to turn off the learn feature so it does not get every mac address on that connected users network
15:24 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:39 -!- absence [eC96ifobjL@horisont.pvv.ntnu.no] has joined #openvpn
15:41 < absence> i downloaded tap-windows-9.9.2_3.exe, but the driver version is 9.0.0.9. has an old version been included in the installer by accident?
15:42 < KNERD> !paste
15:42 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:46 < KNERD> I am trying out the windows client... I am getting connected, but getting a routing eror in the log and cannot ping the remote vpn ip address  https://gist.github.com/anonymous/633d273ae13b59cb678f
15:46 <@vpnHelper> Title: openvpn windows log (at gist.github.com)
15:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:47 < KNERD> i am added openvpn.exe exception to the firewall
15:57 -!- moonkid [~anonymous@23.124.169.46] has quit [Quit: moonkid]
16:02 < svm_invi1tvs> KNERD: eh?
16:02 < svm_invi1tvs> KNERD: I'm trying ot pull up the logs.
16:03 < KNERD> svm_invi1tvs:  sorry?
16:03 < svm_invi1tvs> KNERD: RE your post from before
16:04 < KNERD> okay
16:09 < DArqueBishop> KNERD, stupid question: are you running OpenVPN as an administrator?
16:10 < KNERD> DArqueBishop: i went into properities and had the openvpn.exe file to set it run as admin always
16:11 < DArqueBishop> Hrm.
16:11 < DArqueBishop> I ask because it looks like it's not running as admin. I could always be wrong, though.
16:13 < KNERD> DArqueBishop: maybe another method to run it as admin?
16:13 -!- brad_mssw [~brad@shop.monetra.com] has quit [Quit: Leaving]
16:19 < DArqueBishop> How are you running OpenVPN? Are you using OpenVPN-GUI, running it as a service...?
16:21 < KNERD> DArqueBishop: I have tried right clicking on the .ovpn file then selecting "Start OpenVPN on this config file". I have also started openvpnserv.exe then used OpenVPN GUI to start the connection...both same log results
16:23 < DArqueBishop> Hrm. I usually have OpenVPN-GUI set to run as administrator (and as such a UAC prompt pops up whenever I run it). Unfortunately, the two machines I run OpenVPN through as a service are at home right now and shut down so I can't use those as references.
16:23 < KNERD> yes, but it seems openvpn-gui does not want to run properly if openvpnserv.exe is not running
16:24 < KNERD> let me try now
16:25 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:25 < KNERD> DArqueBishop: that got it..thanks a bunch!
16:30 < KNERD> DArqueBishop: now a bit of a problem. Regular connections through non VPN seem to fail now
16:31 < DArqueBishop> Might be a configuration issue, then.
16:32 < KNERD> i think the DNS stufff
16:32 -!- moonkid [~anonymous@23.124.169.46] has joined #openvpn
16:33 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
16:39 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
16:56 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
17:05 -!- moonkid [~anonymous@23.124.169.46] has quit [Quit: moonkid]
17:10 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 245 seconds]
17:12 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
17:19 -!- shio [marmot@48.121.101.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
17:24 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 244 seconds]
17:27 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 260 seconds]
17:28 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:29 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
17:30 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
17:31 -!- prelude2004c [~prelude20@internal--router.canaca.com] has quit []
17:34 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
17:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:49 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
17:50 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:53 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 246 seconds]
17:59 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
18:13 -!- shio [~marmot@48.121.101.84.rev.sfr.net] has joined #openvpn
18:13 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 245 seconds]
18:27 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
18:29 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:30 -!- akurilin [~alex@208.185.21.146] has quit [Ping timeout: 240 seconds]
18:37 -!- devios [~devi@71-33-206-119.hlrn.qwest.net] has joined #openvpn
18:38 < devios> hi all, just tried to set up openvpn server on debian wheezy and server won't start and its not throwing any error message - tried openvpn --config /etc/openvpn/server.conf --verb 6 and the command just returns with no errors but ps aux openvpn shows nothing
18:40 < devios> server.conf : http://pastebin.com/36ka84T4
18:43 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 240 seconds]
18:46 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has quit [Quit: No Ping reply in 180 seconds.]
18:46 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
18:46 < devios> used apt-get install openvpn to do the install
18:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
18:48 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:02 -!- svm_invi1tvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
19:03 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
19:09 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:13 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
19:42 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:44 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:47 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
19:57 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
19:57 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:57 < devios> now i get Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. Use --help for more information.  Is this a change since openvpn server on debian recently?
19:59 < Hello71> no.
19:59 < Hello71> and that sentence makes little sense.
20:01 < devios> i often make little sense amidst you geniouses.  my apologies.  the same config file works fine on two other debian servers I run.  not sure why it won't start on this one.
20:01 < devios> i set the others up about 6 months ago
20:02 < devios> so was wondering if an openvpn server version change since then makes my config file obsolete
20:03 < devios> !heartbleed
20:03 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
20:03 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
20:04  * Hello71 uses psychic debugging
20:04 < Hello71> the init script on the other servers has --server as a parameter
20:06 < devios> you think the /etc/init.d/openvpn init script has changed since then?
20:06 < devios> server.conf : http://pastebin.com/36ka84T4 - btw from earlier
20:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
20:22 < svm_invictvs> So, I'm getting a problem that seems to happen with Windows clients only.
20:23 < svm_invictvs> I can confirm that other clients connect no problem, but in Windows I'm getting the mesage "Warning: address <xxx.xxx.xxx.xxx> is not a network address in relation to netmask 255.0.0.0"
20:23 < svm_invictvs> The thing is, the OSX clients have no problem pushing that route
20:32 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:46 < devios> added:  tls-server and commented out: #ifconfig-pool-persist ipp.txt in server.conf : http://pastebin.com/36ka84T4 and now my server starts, but the client won't connect with a a TLS key negotiation failed to occur within 60 seconds error
20:47 < devios> why six months later does the same server config file not work on debian without adding tls-server to the server.conf file?  same server.conf worked on debian 6 months ago.
21:01 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
21:02 -!- devios [~devi@71-33-206-119.hlrn.qwest.net] has quit [Quit: Going offline, see ya! (www.adiirc.com)]
21:09 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has quit [Ping timeout: 260 seconds]
21:13 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has joined #openvpn
21:30 < svm_invictvs> hm
21:30 <@krzee> tls-server is part of --server, so red herring there
21:34 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
21:35 -!- _KaszpiR_ [~quassel@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
21:47 -!- devios [~devios@71-33-206-119.hlrn.qwest.net] has joined #openvpn
21:48 < devios> ok ignore all of the above.  now im just at a point where TLS handshake fails.
21:48 < devios> tls handshake fails after 60 seconds
21:48 < devios> dunno how to troubleshoot further
21:49 < devios> i think my above problems were due to paste of unicode chars into my config file from saved config file
21:50 <@krzee> devios, look at the other log too
21:50 <@krzee> anything?
21:50 < devios> server side log ya mean?
21:51 <@krzee> well theres only 2
21:51 <@krzee> ;]
21:51 <@krzee> sorry i see what you meant now
21:51 <@krzee> yes, the server
21:52 <@krzee> and theres only 1 logfile per openvpn instance (there can be a status file or whatever, but 1 log)
21:52 < devios> ok maybe some progress there
21:53 < devios> "cannot locate HMAC in incoming packet from"
21:53 <@krzee> !hmac
21:53 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
21:53 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
21:53 < devios> my client config file doesn't load the tls-auth ta.key that the server config loads
21:53 <@krzee> that is a problem, fix it
21:54 <@krzee> Eugene++
21:54 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
22:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:01 < devios> nope
22:01 < devios> now just getting TLS Error: TLS key negotiation failed to occur within 60 seconds again
22:02 <@krzee> post new logs from both sides with verb 5 on both sides
22:02 <@krzee> and comment out mute from both sides
22:11 < devios> working on it
22:13 < devios> http://pastebin.com/SeDCYpYK
22:14 < KNERD> I have notices on many clients I have set up, once the VPN connection is made, it wants to use that connection as the primary gateway to connect, thus cutting the machine off from the open internet. Is there was way to use internet as primary connection and only use VPN when told to in let's say client applications you only want those to connec to the VPN?
22:17 <@krzee> KNERD, dont use any redirect-gateway options
22:19 < KNERD> krzee: here is my config file..not much to it  http://pastebin.com/hma2c4kY
22:19 <@krzee> you using network manager or something?
22:19 <@krzee> or are they?
22:20 <@krzee> someone is using redirect-gateway, or they would not redirect their gateway, it could be a lame frontend doing it (network manager has been known to offend)
22:20 < KNERD> not that I am aware of..this is the same config used on various clients...they all do the same thinhg..Android...windows...proprietary...
22:21 < KNERD> i am doing all the setups
22:22 <@krzee> devios, your server.log wasnt verb 5, try again
22:23 < devios> knew that was coming - was collecting verb 5 while you were looking - stand by
22:23 <@krzee> and i am to assume EVERY instance of xxx.xxx.xxx.xxx is EXACTLY the same?
22:24 < devios> yes
22:24 <@krzee> why do people feel the need to hide public ips of vpn servers?  think i know some ninja hack for openvpn and dont bother to tell the devs?
22:24 <@krzee> and it actually *could* hide the problem from me
22:25 < devios> http://pastebin.com/Nf29URsf
22:25 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
22:26 < devios> there's verb 5
22:27 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
22:27 <@krzee> k, now go remove mute from both sides and try again
22:27 -!- ylluminate [~ylluminat@199.21.149.246] has joined #openvpn
22:28 <@krzee> <krzee> post new logs from both sides with verb 5 on both sides
22:28 <@krzee> <krzee> and comment out mute from both sides
22:28 < devios> does # comment work in windows?
22:28 <@krzee> yes
22:29 <@krzee> it's openvpn specific, not windows =]
22:33 < devios> client http://pastebin.com/L3AbEirw
22:36 < devios> server http://pastebin.com/6SnkCNya
22:38 < KNERD> krzee: some of us hav emore than just VPN on our servers and sick of them being attacked 24/7
22:38 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:38 < devios> guh i messed up server that time lemme try again
22:39 <@krzee> if your issue is about establishing a connection, expect to catch shit when changing the ips of logs and asking people for help, thats why we have this one:
22:39 <@krzee> !topsecret
22:39 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
22:40 < KNERD> but we post things in open making them suitable for interested parties
22:40 <@krzee> devios, dont worry though, i dont need the ips in this case
22:41 < KNERD> "ghee there mustr be something good one the server so lets attack the crap out of it to try to break it"
22:42 <@krzee> KNERD, cool the decision of what to do with your stuff is yours, just understand that if it gets in the way of helping you, you wont get helped… i think this is not your case anyways so it shouldnt be a problem
22:42 < KNERD> me..i don't post Public IP addresses to try avoide more attacks
22:42 <@krzee> sometimes ip is irrelevant, and those times i dont mind it
22:42 <@krzee> but when troubleshooting initial connection stuff, it can matter
22:43 < KNERD> yes that I can understand
22:43 <@krzee> hell sometimes its a LAN ip and them hiding it makes me not know they should have local on the redirect-gateway flags
22:43 < KNERD> but it getrs kinda old when your logs are fileld with nothign but attempsa to gain access
22:43 <@krzee> its annoying to try and donate your time to help people and have them get in your way of helping them
22:44 -!- ylluminate [~ylluminat@199.21.149.246] has quit [Quit: Bye!]
22:44 < KNERD> so far I hav ebeen lucky and have only one intrusion in the past 6 years
22:44 <@krzee> same 1, ever… led to making a good friend
22:45 <@krzee> he's a cool guy haha
22:45 < devios> http://pastebin.com/nLEx3JSm - Here's the server log verb5 finally
22:45 < KNERD> groovy
22:45 < devios> and all i did was a find and replace on the server ip in the client log with 123.123.123.123
22:45 <@krzee> ok so devios
22:45 <@krzee> your client writes data to the server
22:45 <@krzee> your server recieves and responds
22:46 <@krzee> your client does not recieve any responses
22:46 <@krzee> this sounds like a firewall issue to me
22:46 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:46 <@krzee> please post iptables-save from both sides
22:46  * krzee prays its not a wrt router, i HATE those gui generated firewalls
22:46 < devios> the client is running windows.  i don't control the edge device but i can disable the windows firewall on it and try
22:47 <@krzee> its not edge devices
22:47 <@krzee> its only the 2 machines
22:47 <@krzee> only disable windows firewall on the tap device
23:06 <@krzee> also check things such as antivirus to see if they have a firewall
23:06 <@krzee> or maybe an outbound firewall on the server?
23:06 -!- ShadniX [dagger@p5481D1F9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:06 < devios> ah ha i know what's going on
23:06 <@krzee> ya? a packet filter?
23:07 < devios> server has two ip addresses - the one im connecting to is eth1.  the handshake is being sent back to the client from eth0.  the client is not accepting
23:07 -!- ShadniX [dagger@p5DDFCF57.dip0.t-ipconnect.de] has joined #openvpn
23:07 < devios> how do i make the openvpn server only work on eth1?
23:07 < devios> not a packet filter, believe it or not
23:08 < devios> just happens to have an old ip and a new ip
23:08 < devios> im im not one to trn down a free ip address
23:08 <@krzee> ahh
23:09 <@krzee> see the thing is, your os by default sends stuff out that interface
23:09 <@krzee> you might need policy routing to do it, lets google it
23:11 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:12 < devios> http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
23:12 < devios> i think you're right
23:18 <@krzee> i mean we can definitely make openvpn only bind to the second ip
23:18 <@krzee> --local
23:19 <@krzee> but i think that wont change whats happening
23:19 < devios> i don't either but just put local (eth1 ip) in the server.conf file?
23:20 <@krzee> yep
23:30 < devios> ok doing that allows my client to connect to the server finally... but my client cant get out to the internet through the server
23:32 <@krzee> !redirect
23:32 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
23:32 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:33 <@krzee> !linipforward
23:33 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
23:33 <@krzee> !linnat
23:33 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
23:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:35 < devios> ya its something to do with eth0 and eth1
23:41 < devios> so i can now connect to the net, but it's connecting out from the eth0 ip instead of the eth1 ip
23:41 < devios> :-(
23:45 <@krzee> (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>
23:45 <@krzee> but eth1 and the eth1 ip
23:48 < devios> krzee: i dont have that quite figured out yet but thx so much for pointing me in the right direction today
23:48 < devios> i gotta afk for now to sleep
23:48 < devios> hopefully ill get it working tomorrow
23:48 < devios> iptables fun
23:49 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:49 <@krzee> and ip rule
23:49 <@krzee> goodluck
23:53 <@krzee> goodnight
--- Day changed Tue Sep 23 2014
00:01 -!- raspberrypifan [~raspberry@181.113.111.232] has joined #openvpn
00:05 -!- zeroNones [~textual@187.192.245.177] has quit [Ping timeout: 258 seconds]
00:31 -!- raspberrypifan [~raspberry@181.113.111.232] has quit []
00:44 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:52 -!- sudormrf_ [~sudormrf@unaffiliated/sudormrf] has joined #openvpn
00:52 -!- sudormrf_ [~sudormrf@unaffiliated/sudormrf] has quit [Client Quit]
00:54 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has joined #openvpn
00:57 < sudormrf> hey guys.  having issues connecting back to my server.  getting tls auth errors
00:57 < sudormrf> also some errors about the openvpn-auth-pam.so module
00:59 < sudormrf> auth-pam failed to authenticate error in service module
00:59 -!- mete [~mete@91.247.253.160] has joined #openvpn
01:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:01 < sudormrf> suggestions
01:01 < sudormrf> ?
01:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:09 -!- _FBi [B@Aircrack-NG/User] has left #openvpn []
01:09 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
01:11 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
01:16 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
01:23 < sudormrf> nm solved
01:23 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:23 -!- sudormrf [~sudormrf@unaffiliated/sudormrf] has quit [Quit: I'm Dr. Rockso, the rock n' roll clown! I do cocaine! C-c-c-c-yeah!]
01:27 -!- mode/#openvpn [-o krzee] by krzee
01:28 < krzee> !ping
01:28 <@vpnHelper> pong
01:28 -!- krzee [~k@openvpn/community/support/krzee] has left #openvpn []
01:28 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:28 -!- mode/#openvpn [+o krzee] by ChanServ
01:28 -!- mode/#openvpn [+v _FBi] by krzee
01:29 <+_FBi> !ping
01:29 <@vpnHelper> pong
01:29 <+_FBi> :S
01:29 <@krzee> weird
01:29 <@krzee> anyone else having problems sending text to the channel?  msg me
01:29 <+_FBi> lol  ... in PM
01:30 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
01:36 <+_FBi> I didn't htink I matched any of the ban list either -- plus I could rejoin
01:36 <+_FBi> I dunno
01:40 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:43 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:48 -!- almostworking [~almostwor@unaffiliated/almostworking] has left #openvpn ["Leaving"]
01:59 < KNERD> nope
02:07 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Quit: Leaving]
02:07 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
02:10 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
02:23 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
03:10 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
03:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:47 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
03:54 -!- dazo_afk is now known as dazo
04:11 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:11 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:25 < Tuju> http://talk.maemo.org/showthread.php?t=89703 meego n9 instructions :)
04:25 <@vpnHelper> Title: [Tutorial] OpenVPN on N9 MeeGo Harmattan - maemo.org - Talk (at talk.maemo.org)
04:25 -!- BtbN [btbn@btbn.de] has joined #openvpn
04:26 < BtbN> Hello, how do i tell OpenVPN from which IP to send outgoing UDP packets? I have a server with multiple IPs, and OpenVPN sends its packets from a diffrent IP than the one it's listening on.
05:22 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 246 seconds]
05:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:48 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
05:54 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 244 seconds]
06:05 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
06:17 < Tuju> any suggestions for fanless embedded computer for openvpn client?
06:40 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: leaving]
06:49 -!- darxmurf [~darxmurf@office.wng.ch] has joined #openvpn
06:49 < darxmurf> hi all
06:49 < darxmurf> !route
06:49 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
06:49 <@vpnHelper> client
06:51 < rooth> Tuju: Just search for "industrial computers" and you should find a bunch. As one of our daughter companies are selling things like that I don't want to spam the chan with "marketing".
06:55 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has joined #openvpn
06:56 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 245 seconds]
06:58 < Hello71> !multihomed
06:58 < Hello71> BtbN: man openvpn
06:58 < BtbN> Hello71, there is no setting for that.
06:59 < BtbN> I'd expect it to use the IP it listens on, but it doesn't. It sends from the default IP of the interface.
07:09 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
07:39 -!- havoc [~havoc@neptune.chaillet.net] has left #openvpn []
07:53 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 246 seconds]
07:58 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
08:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:41 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
08:42 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:52 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 244 seconds]
08:52 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
08:58 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
09:00 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
09:06 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 272 seconds]
09:06 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
09:18 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:27 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
09:29 -!- esde [~esde@unaffiliated/esde] has left #openvpn ["Leaving"]
09:36 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has joined #openvpn
09:36 < joe9> Thermi, hello.
09:39 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:40 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:43 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
10:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
10:17 < Tuju> rooth: ack, i look into that.
10:17 < devios> !linnat
10:17 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:18 < devios> does anyone know of a "for dummies" level explaination of the iptables rules needed for openvpn to work?
10:18 < devios> im sure i could google example firewall rules for openvpn and hack something that works together but looking to better understand what the rules actually mean and why they are needed.
10:19 < darxmurf> see you
10:20 -!- darxmurf [~darxmurf@office.wng.ch] has quit [Quit: plop]
10:23 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:23 <@krzee> devios,
10:23 <@krzee> !101
10:23 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
10:24 <@krzee> you probably want #netfilter
10:25 < devios> why hello again!  figured that a channel full of people that work with openvpn would be the ones to have a good resource for learning specifically about iptables rules required for openvpn.
10:25 <@krzee> you arent asking about a rule required by openvpn, you're asking for something to teach you iptables
10:25 <@krzee> so the iptables help channel #netfilter
10:26 <@krzee> !notovpn
10:26 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
10:26 < devios> lol you just like playing with your bot.  admit it. :-)
10:26 <@krzee> hell yes i do!
10:27 < devios> cant blame you its helpful
10:29 <@krzee> im down to take a look at your rulesets, but i stand by my statement that the other channel is better for trying to learn it
10:29 < devios> dont worry im in that channel getting yelled at too
10:29 < devios> :P
10:30 <@krzee> ya and seeing you finish your question i didnt realize you were still stuck there
10:30 <@krzee> dont you remember i told you that you need policy routing?
10:30 < devios> i actually have a self professed networking pro working on the rules for me now so i literally am just looking for a learning resource so i don't have to bother him next time
10:30 <@krzee> its not even an iptables problem
10:31 <@krzee> then tell your guru to setup your policy routing so that it will work how you want
10:31 < devios> i sent him that link i sent you last night too
10:32 < devios> http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
10:32 < devios> that one
10:32 <@krzee> its kinda like:
10:32 <@krzee> !splitroute
10:32 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:32 <@krzee> only with a different rule
10:33 <@krzee> yes, that link is correct
10:33 <@krzee> your link
10:33 < devios> i have a socks5 proxy on that same server that listens and goes out to the internet on eth1.  no special policy routing to make it happen either, but i think the proxy software fully binds to the eth1 adapter.
10:34 <@krzee> dunno bout yours, my socks server i specify which address the outbound will flow
10:34 <@krzee> so ya
10:35 <@krzee> if you have all the info why do you need some "guru" instead of playing with it?
10:36 <@krzee> and why is he:
10:36 <@krzee> !spoonfeeding
10:36 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
10:36 <@krzee> :D
10:36 < devios> just couldn't help yourself, could you?! hahahaha
10:38 -!- joe9 [~user@ip68-103-51-213.ks.ok.cox.net] has quit [Remote host closed the connection]
10:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:57 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:01 <+_FBi> Can OpenVPN help me take of the world?
11:06 <@krzee> what is taking of the world?
11:07 <@krzee> like collect rocks?
11:21 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:22 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:28 -!- moparisthebest [~quassel@cpe-74-140-228-213.swo.res.rr.com] has joined #openvpn
11:28 -!- moparisthebest [~quassel@cpe-74-140-228-213.swo.res.rr.com] has quit [Client Quit]
11:30 -!- moparisthebest [~quassel@cpe-74-140-228-213.swo.res.rr.com] has joined #openvpn
11:34 <+_FBi> I seem to have missed "over" and "taking"  ...  I'm going to sit down with a glass of water and play by myself
11:35 < Hello71> http://xkcd.com/1198/
11:35 <@vpnHelper> Title: xkcd: Geologist (at xkcd.com)
11:38 -!- moparisthebest [~quassel@cpe-74-140-228-213.swo.res.rr.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
11:41 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:43 <@krzee> lol nice Hello71
11:48 -!- iamtakingiteasy [~Wooga@80.252.155.28] has quit [Ping timeout: 260 seconds]
11:52 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
11:55 < Tuju> is ccd dir filenames supposed to be exactly the DN? and that's the way to match clients and client config files?
12:00 < Tuju> i'm trying something kinky here, using goverment issued PKI smart cards.
12:02 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
12:03 -!- Envil [~meep@95.211.26.40] has joined #openvpn
12:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
12:11 <+_FBi> oxymoron -- Government smart cards
12:11 <@krzee> Tuju,
12:12 <@krzee> !ccd
12:12 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:12 < Tuju> yup
12:12 <@krzee> CN, not DN
12:12 <@krzee> although...
12:12 <@krzee> !client-connect
12:12 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
12:13 < Tuju> hmm....
12:14 < Tuju> ouh, sorry, yes, I already used CN
12:14 < Tuju> my CN has spaces, so i put those spaces into file name too.
12:15 < Tuju> so if I don't have matching CN in file names, no connection is allowed?
12:16 <@krzee> only if you use --ccd-exclusive
12:16 < Tuju> is there an option to run server process in foreground?
12:17 < Tuju> krzee: ha, i need to add that ccd-exclusivuuu
12:17 <@krzee> Tuju, you are aware there is a manual, right?
12:17 <@krzee> !man
12:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:17 < Tuju> i am and I've looked that many times.
12:18 < Tuju> there is only --daemon and if i leave it out, it still goes background
12:18 <@krzee> how are you starting openvpn?
12:19 <@krzee> what version of openvpn are you using?
12:19 < Tuju> 2.3.2
12:19 < Tuju> i use it directly from cli while debugging.
12:20 <@krzee> !configs
12:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:20 <@krzee> just post the 1 side
12:20 <@krzee> and show me the exact command you use from the clu
12:20 <@krzee> cli
12:21 <@krzee> when i said "how are you starting openvpn" i was looking for a command itself ;]
12:22 <@krzee> and are both sides 2.3?
12:33 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
12:34 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:35 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:35 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
12:35 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Client Quit]
12:39 < devios> krzee: turns out eth1 can't pass traffic at all.  can't even ping the gateway for the network the eth1 ip fals in.  all traffic goes out of eth0.  so unless i can make openvpn assign the eth1 ip to outgoing packets somehow (like the socks proxy does), this isn't gonna work as intended.
12:39 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Quit: Exiting]
12:39 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:39 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
12:39 <@krzee> policy routing.
12:40 <@krzee> or, you running linux?
12:40 < devios> ya it is debian
12:40 <@krzee> see if --multihome helps, but i think you'll still need policy routing
12:42 <@krzee> and what happened to your guru?
12:42 < devios> !multihome
12:42 <@krzee> I've told you since the very beginning you need policy routing, you even posted me a link to a doc about it, why havnt you done it?
12:43 <@krzee> you been here talking for 2 hours today and still havnt done what i told you that you needed last night
12:47 < Tuju> now i got much further, daemon says in log "Need password(s) from management interface", i telnet into it and say "password type 1234", but then log says that it doesn't need passwords.
12:51 <@krzee> Tuju, i didnt see a pastebin'ed config
12:51 < Tuju> i don't have network in that box where the config is
12:51 <@krzee> k, i cant help ya
12:52 < devios> krzee: this fixed it: -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
12:52 <@krzee> i guess thats a workaround, i bet down the line when you learn about policy routing you'll impliment it
12:52 < devios> krzee: no table-fu required.
12:53 <@krzee> but you need to nat either way so good job
12:54 <@krzee> are you also sharing the server lan to the vpn clients?
12:55 <@krzee> if so, you'll want to add -d ! <lan_subnet>
13:01 < devios> ill grab the rules i used out of the config and share them asap
13:05 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
13:21 < Tuju> i cannot get ahead from NEED-OK: Need 'token-insertion-request'
13:22 <@krzee> you have an option forcing that
13:22 <@krzee> its not default
13:22 < Tuju> any word to search from docs?
13:22 <@krzee> dunno, without configs im not gunna bother
13:23 < Tuju> that's the spirit!
13:25 <@krzee> !psychic
13:25 <@vpnHelper> "psychic" is We're not psychic -- please !paste your !configs and !logs and a description of the issue
13:25 <@krzee> !crystal
13:25 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome. or (#2) unless reiffert is here, his crystal ball is functional again
13:26 <@krzee> devios,
13:26 <@krzee> !hotpotato
13:26 <@vpnHelper> "hotpotato" is if you have 2 uplinks and the traffic comes in one and out the other you have hot potato routing. read this: http://www.rjsystems.nl/en/2100-adv-routing.php
13:27 <@krzee> maybe that doc will help you for later =]
13:31 < Tuju> it's the: needok token-insertion-request <pincode>
13:31 < devios> krzee: http://pastebin.com/hvYsBaPx
13:31 < Tuju> but i think my card went to PUK-lock.
13:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
13:32 <@krzee> devios, are there any interfaces you dont want forwarding with tun0?
13:32 < Tuju> nope, it works: Myöntäjä: Vaestorekisterikeskus CA - FI, VRK Gov. CA for Citizen Qualified Certificates
13:33 < Tuju> days left, 583
13:39 -!- dazo is now known as dazo_afk
13:43 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:43 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 240 seconds]
13:45 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:50 < devios> krzee: i think so?  i.e. i don't want openvpn listening nor going out on the eth0 ip address - just the eth1 address
13:52 <@krzee> i mean,
13:52 <@krzee> -A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
13:52 <@krzee> -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
13:52 <@krzee> maybe just:
13:52 <@krzee> -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
13:53 <@krzee> hah then you have it again 2x
13:54 <@krzee> maybe just:
13:54 <@krzee> iptables -I FORWARD -i tun+ -j ACCEPT
13:54 <@krzee> iptables -I FORWARD -o tun+ -j ACCEPT
13:57 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has quit [Quit: No Ping reply in 180 seconds.]
13:57 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
14:04 < devios> if you wanna save me a google, what's the "tun+" notation
14:06 < devios> ah To match all interfaces of a type, use the plus sign such as eth+
14:06 < devios> nvm
14:06 -!- mopar [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
14:07 <@krzee> shouldnt be google, should be 'man'
14:07 <@krzee> specifically, man iptables
14:07 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has joined #openvpn
14:07 <@krzee> "If the interface name ends in a "+", then any interface which begins with this name will match.  If this option is omitted, any interface name will match."
14:08 < DomeMaster> Is there anyway I can ascertain that the openvpn tap device is adding the latency. So the processing like encryption, compression is adding latency?
14:08 < DomeMaster> I'm trying to think of an experiment to determine this for sure. I used tcpdump on eth0 and tap0 before. And there was only 1ms more latency for a ping request using tap0. But maybe tcpdump isn't accurate in this instance.
14:10 <@krzee> not sure what you're looking for really, but why tap instead of tun if concerned about speed?
14:10 <@krzee> what layer2 protocol do you need over the vpn?
14:11 -!- Chex [sss@kjax.northnook.ca] has quit [Ping timeout: 256 seconds]
14:23 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
14:24 -!- Chex [sss@kjax.northnook.ca] has joined #openvpn
14:25 < phunyguy> Now why didn't you all tell me about the port-share option......  OH MAN that came in so handy.... Just wanted to give kudos if there are any devs in here.  Now my little home internet connection can have many things sharing port 443 with openvpn+squid reverse proxy...   (forced to use port 443 to get out at work)
14:27 < devios> krzee: your iptables simplicifaction suggestions worked great - looks like im all sorted out. thank you very much for all the help and information - very much appreciated
14:27 <@krzee> you're welcome
14:33 < devios> can i pm?
14:34 < devios> errr may* i pm?
14:37 <@krzee> sure, i wont get it for a few mins tho, im headed to work
14:52 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
15:01 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:13 < DomeMaster> krzee: sorry was on the phone
15:13 < DomeMaster> I don't have a choice unfortunately, its the service the VPN provides
15:14 < DomeMaster> but I had the same issue with other VPN services that used tun
15:15 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
15:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:17 <@krzee> oh, speed issues with the provider need to be supported by them
15:18 < DomeMaster> thats the thing krzee I don't know if tis the provider
15:19 < DomeMaster> I want a way to determine if it is
15:19 < Eugene> If there's a provider involved its not our problem
15:19 < Eugene> !both
15:19 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
15:19 < DomeMaster> or if its local, i.e. the openvpn client
15:19 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
15:19 < DomeMaster> I understand that logic Eugene
15:19 < DomeMaster> but is there an experiment I could do to determine this?
15:19 < Eugene> Nope.
15:19 < DomeMaster> If not, I'll try run an openvpn server here
15:20 < DomeMaster> well thats a bit presumptions isn't it?
15:20 < DomeMaster> I came up with a pretty good experiment using the physical and virtaul interface
15:20 < DomeMaster> and packet timestamps
15:20 < DomeMaster> anyway, I'll setup an openvpn server
15:20 < DomeMaster> and figure it out that wya
15:20 < Eugene> Sure, and you could do laser interferometry to determine how many people are i nthe next room
15:20 < Eugene> Or you could fucking look
15:21 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:22 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:23 < DomeMaster> Its easier to get a tcpdump timestamp of two interfaces then setup an openvpn serer
15:23 < DomeMaster> so your analogy kinda breaks down there
15:24 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:40 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
16:05 -!- devios [~devios@71-33-206-119.hlrn.qwest.net] has quit [Quit: Going offline, see ya! (www.adiirc.com)]
16:27 <@krzee> Course, I could get a hell of a good look at a T-Bone steak by sticking my head up a bull's ass, but I'd rather take the butcher's word for it.
16:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:36 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
16:37 -!- eat-me-now [~leftovers@46.166.186.228] has joined #openvpn
16:42 -!- nlb [~nlb@unaffiliated/nlb] has joined #openvpn
16:44 < DomeMaster> hah krzee
16:44 < DomeMaster> goodnight
16:46 < eat-me-now> having some issues allowing openvpn through fwbuilder.  created a rule that any traffic is allowed on 1194 (the vpn is setup to use this, also tried the other ports my vpn supports).  wondering if tun interface creation will be required for this?
17:00 -!- eat-me-now [~leftovers@46.166.186.228] has quit [Quit: Leaving]
17:03 < jefferai> If you have multiple VPNs configured, will OpenVPN refuse to send traffic from one to another, even if all have client-to-client specified?
17:04 < jefferai> I have two VPN servers connected to each other, and from those I can ping each of the others' interfaces successfully, but a client behind a different VPN on one of the servers cannot ping interfaces on the other server
17:04 < jefferai> If I use tshark I can see the pings coming in from the client, but they don't get routed out the other connection
17:04 < jefferai> but if the pings originate directly on the server, they get routed just fine, and replies come back
17:05 -!- akasoldats [~akasoldat@unaffiliated/akasoldats] has joined #openvpn
17:06 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
17:09 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:28 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
17:31 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
17:46 -!- DomeMaster [~iain@cpc30-lanc6-2-0-cust53.3-3.cable.virginm.net] has quit [Remote host closed the connection]
18:06 -!- moonkid [~anonymous@73.166.197.215] has joined #openvpn
18:09 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
18:10 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
18:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
18:38 <@krzee> jefferai,
18:38 <@krzee> !route
18:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
18:38 <@krzee> they are different lans.
18:39 <@krzee> treat them as such as configure routing for it
18:42 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
18:44 -!- moonkid [~anonymous@73.166.197.215] has quit [Quit: moonkid]
18:46 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
19:24 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
19:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
19:48 < jefferai> krzee: of course
19:51 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
20:14 <@krzee> jefferai, so did the !route doc help you get it?
20:18 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
20:21 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
20:55 < jefferai> krzee: didn't look, because they are already configured as different lans and routes are in place
20:55 < jefferai> Although the "route" command doesn't quite work as expected
20:56 < jefferai> Docs say to put in server conf to put routes in on that interface
20:56 < jefferai> Doesn't happen though
20:56 < jefferai> If I manually add routes after connection, much better
20:59 -!- zeroNones [~textual@187.192.245.177] has joined #openvpn
21:00 < jefferai> krzee: what I'm trying to do is this: http://sourceforge.net/p/openvpn/mailman/message/32860631/
21:00 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net)
21:00 < jefferai> although at this point my configurations are a bit different
21:00 < jefferai> I think basically I have two options for doing what I want
21:01 < jefferai> one is a full mesh of connections from each site to the other...that's what I've been trying to do but clients behind each server can't ping all the way through -- I see the pings come in to the remote server but then get dropped there. I have a feeling I would need to play with custom route tables
21:01 <@krzee> you didnt read the doc i wrote that solves your problem, yet you think ill read that?
21:01 <@krzee> heh
21:01 < jefferai> krzee: I've read that doc multiple times
21:01 < jefferai> Which is why my configurations have appropriate iroute statements
21:01 < jefferai> and client-config-dir files
21:02 <@krzee> "as different lans and routes are in place"  <-- huh?
21:02 < jefferai> "@krzee> they are different lans.
21:02 < jefferai> 19:39:03 <@krzee> treat them as such as configure routing for it"
21:02 < jefferai> I am treating them as different lans
21:02 < jefferai> and they are in fact subnetted as different lans
21:02 < jefferai> and routes are in place
21:03 < jefferai> each vpn server has a different lan behind it, and each server has appropriate route entries to get to the other behind their connections
21:03 < jefferai> each vpn server can ping all of each other's interfaces
21:04 < jefferai> the problem is when a client behind each server tries to ping to the other server, two-hops
21:04 <@krzee> you need to consider each vpn subnet as a lan, regardless of if its a wired lan or a vpn subnet
21:05 < jefferai> Sur
21:05 < jefferai> Sure
21:05 <@krzee> when you write it out like that i think you'll get it much easier
21:05 <@krzee> because it literally *is* !route
21:05 < jefferai> krzee: except you haven't actually listened to the problem and the behavior I'm seeing
21:05 <@krzee> hell, i wrote !route after figuring out how to do what you want
21:05 <@krzee> you're building a darknet
21:05 <@krzee> with servers linked to eachother
21:05 < jefferai> in your scenario you have a single openvpn server
21:05 <@krzee> no?
21:06 < jefferai> krzee: sure
21:06 <@krzee> i wrote !route after learning how to design things like you're talking about
21:06 <@krzee> thats WHY i learned the stuff in !route, and then i documented it
21:06 < jefferai> Yes, and I've read it multiple times
21:06 < jefferai> and I followed its advice
21:06 <@krzee> right, so its likely a conceptual issue
21:07 < jefferai> and I don't have "bad source address from client" issues in my logs
21:07 <@krzee> then its not iroute
21:07 <@krzee> thats not all the doc talks about :-p
21:07 < jefferai> Sure, but it means it's not an iroute issue
21:07 <@krzee> correct
21:07 < jefferai> so that's one thing checked off the list
21:07 < jefferai> krzee: as far as concept, it's laid out in the email I linked you to
21:08 <@krzee> !serverlan
21:08 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
21:08 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
21:08 <@krzee> use the flowchart
21:09 <@krzee> k reading the email, thats you who wrote it right?
21:09 <@krzee> (like, its not just similar, but its exactly you)
21:09 < jefferai> krzee: yes
21:09 <@krzee> k
21:09 < jefferai> my server configs have changed slightly
21:09 <@krzee> thank you for telling me that =]
21:09 < jefferai> in that I think I didn't have the right route/push statements in the right places before
21:10 < jefferai> krzee: can I explain what behavior I'm seeing and what I think the issue might be, and see what you think?
21:10 <@krzee> sure, i'll be ignoring for a minute while i read the email but ill read it after
21:12 < jefferai> OK. So what happens is a client behind Ingress A (10.88.8.3) trying to ping 10.88.16.1 -- which is Ingress B's tun2 interface -- will have that ping go through Ingress A tun0 and out Ingress A tun2
21:12 < jefferai> I see the echo request come in to Ingress B tun2, but there it stops -- no reply is sent
21:12 < jefferai> So one possibility is that Ingress B is confused because it's getting a ping from 10.88.8.x which it thinks should be through tun1
21:13 <@krzee> can you check if a reply *is* being sent, but out of another interface?
21:13 < jefferai> and I need to use custom routing tables based on ingress interface or source net
21:13 < jefferai> krzee: it's not
21:13 < jefferai> it's just being dropped
21:13 < jefferai> if I ping that address from Ingress A, I get a reply
21:13 < jefferai> although I haven't tried specifying the interface when doing so
21:13 < jefferai> but from a client behind Ingress A's tun0, it goes to Ingress B and then drops
21:14 <@krzee> whoa whoa
21:14 <@krzee> why are you staying in the same subnet?
21:14 < jefferai> eh?
21:14 < jefferai> what do you mean?
21:15 <@krzee> "Local LAN clients" are the same on both sides
21:15 <@krzee> same subnet
21:15 < jefferai> they're not
21:15 < jefferai>  /28
21:15 <@krzee> you are aware that you have entire 1918 to pick from, right?
21:15 < jefferai> sure
21:15 <@krzee> i mean, its huuuuge
21:15 < jefferai> but I don't need many clients there
21:16 < jefferai> I'm using all of 10.88/16
21:16 <@krzee> im sure you could spare a /24 per subnet, no?
21:16 < jefferai> Eh, probably, sure.  :-)
21:16 < jefferai> Regardless, they're not the same subnet
21:16 <@krzee> ya i missed that
21:16 < jefferai> 0-15/16-31/32-47/48-53
21:16 < jefferai> OK
21:17 < jefferai> krzee: so my first question really is, is this mesh idea a bad idea, e.g. should I not have two connections between each set of servers
21:17 < jefferai> or should I, for each pair, desginate one as the server and one as the client
21:17 < jefferai> and then manually add routes
21:18 <@krzee> well thats up to you really, but if you do you will need to use a routing protocol to make it make any sense
21:18 < jefferai> (when I used the route statement per the !route doc, it didn't actually add entries to the routing table)
21:18 <@krzee> like ospf or rip or something
21:18 < jefferai> krzee: so you think that the issue is probably that according to the routes, return traffic should be going out different interfaces than incoming traffic
21:18 < jefferai> so I either need to manually use custom tables
21:19 < jefferai> or hook things up in a mesh and use rip or ospf
21:19 <@krzee> well yes that was my first thought, but according to your response above you used tcpdump to be sure that the ping reply was not going out a wrong interface
21:19 <@krzee> !hotpotato
21:19 <@vpnHelper> "hotpotato" is if you have 2 uplinks and the traffic comes in one and out the other you have hot potato routing. read this: http://www.rjsystems.nl/en/2100-adv-routing.php
21:20 < jefferai> krzee: yeah, exactly what I said -- having to munge routing tables manually
21:20 <@krzee> but even if it worked, you would have no failover from doing it
21:20 <@krzee> which im sure is what you were hoping for
21:20 < jefferai> actually, no
21:20 < jefferai> I'm not too worried about failover
21:20 <@krzee> oh, then what could 2 links between the servers be for??
21:21 < jefferai> practical reasons, actually
21:21 < jefferai> that come from not having asymmetric server/client connections between each pair
21:21 <@krzee> i do that between important links sometimes because if 1 isp goes down then my traffic still works
21:21 < jefferai> sure
21:22 < jefferai> in this case I don't actually have two uplinks, so
21:22 < jefferai> this was really just to push routes both ways
21:22 <@krzee> lol
21:22 <@krzee> oh god no
21:22 < jefferai> and actually
21:22 <@krzee> no no no
21:22 < jefferai> because it's easier with ansible to generate symmetrical configs
21:22 < jefferai> than assymetic
21:22 < jefferai> slightly
21:23 < jefferai> krzee: also because if any segment were disconnected I wanted the rest to still talk to each other
21:23 < jefferai> which can still happen with an assymetric setup
21:23 < jefferai> asymmetric
21:23 <@krzee> see, thats called "failover"
21:23 < jefferai> yeah, except I don't have dual uplinks
21:23 < jefferai> I'm not concerned about the disconnected segment talking to everyone else
21:24 < jefferai> just making sure that each other segment could talk to each other
21:24 < jefferai> which is why I don't want a centralized server
21:24 < jefferai> each server needs to stand alone and allow clients to talk
21:24 <@krzee> well in your drawing there are only 2 servers
21:24 < jefferai> yes, because I'm getting it working between two before adding more :-)
21:24 <@krzee> !mesh
21:24 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking or (#2) see !rip or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
21:24 <@krzee> it changes very much with every server
21:24 <@krzee> until you have a real topology figured out
21:25 < jefferai> krzee: the real topology looks like the figure, just with more nodes
21:25 < jefferai> I'm fine with an answer of "openvpn doesn't do mesh"
21:25 <@krzee> no such thing, thats too much for me to imagine
21:26 <@krzee> !factoids search --values gliffy
21:26 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
21:26 <@krzee> look at #3
21:26 < jefferai> krzee: ok, so -- in your estimation, either I need to add rip/ospf
21:26 <@krzee> or:
21:26 <@krzee> !rip
21:26 < jefferai> or do a non-mesh setup
21:26 <@vpnHelper> "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
21:27 < jefferai> where for each pair I desginate one as the server and one as the client
21:27 < jefferai> and not both ways
21:31 < jefferai> krzee: assuming I just convert to client/server for each set of two openvpn servers, what is the right way to tell openvpn server to add routes pointing to the client?
21:31 < jefferai> the !route doc indicates that the right way is to use a "route" command, but this didn't actually do it
21:31 < jefferai> and looking at the ccd doc in the man page it doesn't seem like you can use "route" there
21:31 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 246 seconds]
21:40 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 260 seconds]
21:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:48 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
21:50 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:00 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
22:41 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
22:49 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 240 seconds]
22:49 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:50 -!- zeroNones [~textual@187.192.245.177] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:51 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
23:04 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
23:06 -!- root^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 246 seconds]
23:06 -!- ShadniX [dagger@p5DDFCF57.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:07 -!- hays [~hays@unaffiliated/hays] has quit [Remote host closed the connection]
23:07 -!- ShadniX [dagger@p5481D5D5.dip0.t-ipconnect.de] has joined #openvpn
23:08 -!- root^2 [~bts@g.rainwreck.com] has joined #openvpn
23:09 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
23:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:50 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
23:57 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
--- Day changed Wed Sep 24 2014
00:00 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:07 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Ping timeout: 272 seconds]
00:35 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:43 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
01:08 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
01:11 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
01:11 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
01:21 -!- dazo_afk is now known as dazo
01:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:48 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
02:09 -!- deranged_user [deranged_u@unaffiliated/deranged-user/x-2475585] has quit [Quit: et nos unum sumus]
02:09 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
02:13 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:15 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
02:16 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
02:18 < sickn3ss> Hey guys, quick question. Is there some way of completely killing an OpenVPN connection when a client issues more than 1 active one at the same time ? I see that for some reason if someone spams OpenVPN with a lot of connections at the same time the CPU goes crazy
02:21 < BtbN> What do you mean by "connections"? Just someone sending a lot of UDP packets?
02:23 < sickn3ss> BtbN I initiate for example 50 different connections with valid credentials to my OpenVPN server
02:23 < sickn3ss> (same account of course)
02:23 < BtbN> Well, encryping and decrypting 50 sessions is cpu intensive
02:24 < BtbN> specialy if you use a more complicated cipher
02:25 < sickn3ss> BtbN I agree but that leads to a very undesireble scenario, where if anyone wants to crash my VPN server they can do it pretty fast. (Until I ban them)
02:25 < sickn3ss> so I was wondering if there is some kind of option that I have missed, something like kill a connection instead of just trying to reconnect over and over again
02:26 < BtbN> Well, if you give that "anyone" valid crdentials, that's very possible, yes
02:26 < BtbN> Are you using TCP? Cause otherwise there isn't any connection.
02:26 < sickn3ss> BtbN no using UDP
02:29 < BtbN> Did you realy hand out 50 certificates, or what is it you are testing?
02:29 < BtbN> Or can someone cause high CPU load without a valid cert?
02:30 < sickn3ss> BtbN I am just testing the stability of the server, doesn't work without a valid cert
02:31 < BtbN> By default, OpenVPN allows only exactly one session per cn
02:31 < BtbN> Unless you set duplicate-cn
02:31 < sickn3ss> BtbN correct, however, even if the sessions don't work due to that they still make the CPU crawl
02:32 < BtbN> Sounds like you have a very weak CPU in that machine.
02:32 < BtbN> But as long as you can't cause that without a valid cert, i don't see a problem.
02:33 < sickn3ss> BtbN true, I was just curious if there was an option to somehow prevent that
02:33 < BtbN> a faster CPU.
02:33 < sickn3ss> BtbN 4 cores at 3GHz seems kind of enough
02:34 < sickn3ss> BtbN no matter how much I give it, if I just raise the number of active connections from the same account eventually I reach 100%
02:45 <@dazo> sickn3ss: If you use the recommended PKI setup, remove --duplicate-cn from your config
02:46 < sickn3ss> dazo I will try to look into that and make sure that is removed, thanks
02:47 <@dazo> sickn3ss: otherwise, your hw setup should be fine ... but if you have 50 clients connecting or re-negotiating keys at the same time it will cause a lag.  But once the key negotiation is done, the tunnel should flow just fine
02:48 < sickn3ss> dazo I see, I will try this and give it a few minutes to see if everything gets back to normal
02:49 <@dazo> It's the key exchange which is heavy on the CPU.  The key exchange establishes as temporary static key for symmetric encryption which is used for the tunnel data.  And symmetric encryption is really fast and not so CPU intensive
02:49 <@dazo> (the key exchange uses asymmetric encryption, which is the key/cert key-pairs)
02:50 <@dazo> s/ is / uses /
02:51 < sickn3ss> ok so only the first part hits the CPU hard and after that is done everything should be back to normal
02:51 <@dazo> right
02:52 <@dazo> I'd recommend reading about the --reneg-* options, to help reduce the risk of everyone doing a renegotiation of keys (key exchange) later on approximately at the same time
02:52 <@dazo> the default is every 60 minutes
02:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
02:53 < sickn3ss> cool thanks
02:54 <@dazo> yw!
02:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:13 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
03:16 < creshal> Can OpenVPN handle subnets larger than /24? From the manpage it seems it could (assuming sufficient hardware), are there any problems with such setups (e.g. on Windows)?
03:27 <@dazo> creshal: what do you try to do?
03:29 < creshal> dazo: We have an OpenVPN server with a /24 (subnet topology), and I want to bump it up to /22 to handle additional clients – they all have static, unique IPs and are only connected a few hours a week each, so load / pool size shouldn't be an issue.
03:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:44 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Ping timeout: 244 seconds]
03:57 <@dazo> creshal: IIRC, OpenVPN supports subnets up to /16 ... however, there are some limitations to how many clients each openvpn server instance is capable to tackle (some experience slower tunnels with 150 users, others with 500 users; it all depends on tunnel payload and how aggressive each client is on the tunnel)
03:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:58 <@dazo> (to get around that, you usually add more openvpn server processes on different ports, combined with multiple --remote lines in client configs + --remote-random)
03:59 < creshal> dazo: I think we never had more than 20 hosts online at the same time – they're all dial-up.
04:00 < creshal> So I'm not terribly concerned about that, and I can scale out if necessary. We have some VPNs with multiple servers already, it just would be a waste here.
04:00 < BtbN> If the IPs don't matter, just assign them dynamicaly without persisting them?
04:00 < creshal> They have to be static, sadly.
04:02 <@dazo> why?
04:03 <@dazo> (in most cases, dynamic firewalls helps sorting the need for that)
04:05 < creshal> It's, among other things, for remote access to the machines, and I'd rather have static IPs than needing DNS/other ways to find clients.
04:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:20 < creshal> I mean, if there's a way that's as trivial as putting static IPs into ccd and /etc/hosts once, I'm all ears. :) Until then I'd rather just bump the subnet size.
04:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
04:32 <@dazo> if you don't want DNS ... well, that's what DNS is supposed to help with, not needing to "remember" IP addresses
05:04 < sickn3ss> well it's me again with another "genius" question, is there any way to disable --ping-restart ?
05:08 < sickn3ss> more interested on server side rather than client side, for example on my client.conf I can do something like single-session / ping-exit 30 / tls-exit /
05:08 < sickn3ss> is it possible to have this somehow pushed by the server ?
05:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
05:20 <@dazo> sickn3ss: read the --keepalive and how that "macro" is expanded
05:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:20 < sickn3ss> dazo cool, will do
05:20 <@dazo> read the *man page* for --keepalive, I meant
05:24 < sickn3ss> dazo it seems that --keepalive is basically an if statement that pushes the "ping" and "ping-restart" parameters. So I assume that putting ping-restart to 0 would disable it
05:27 <@dazo> sickn3ss: I believe so, yes
06:35 -!- akasoldats [~akasoldat@unaffiliated/akasoldats] has quit [Ping timeout: 245 seconds]
06:57 -!- N-Mi [~nicolas@calvix/staff/N-Mi] has joined #openvpn
06:57 < N-Mi> !welcome
06:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
06:57 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:00 < N-Mi> Hi all. Has anyone managed to connect to a Fortigate SSL VPN server using openvpn instead of their official "forticlient" ?
07:08 -!- mopar [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
07:13 -!- Tuju [~tuju@214.204.50.195.sta.estpak.ee] has quit []
07:27 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 276 seconds]
07:29 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:29 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:57 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
08:07 -!- dazo is now known as dazo_afk
08:07 -!- dazo_afk is now known as dazo
08:26 -!- PGNd [~PGNd@unaffiliated/pgngw] has joined #openvpn
08:27 -!- phutchins [~phutchins@12.219.170.153] has joined #openvpn
08:28 < phutchins> Anyone know why a debian based openvpn client wouldn't get it's DNS server set according to the push that is set up on the server side? My osx clients get the dns server just fine...
08:32 < PGNd> Hi.  I need to specify "local <ip address>" in an openvpn client-side config where <ip address> is a dynamically allocated IP.  The listener interface is multihomed, and I want to listen on only one, specified IP.  I do not want a dependency on DNS, so no F.Q.D.N., just an actual IP address.  What/where is the best/correct way to to get that dynamic IP "into" Openvpn config?
08:32 -!- phutchins [~phutchins@12.219.170.153] has left #openvpn []
08:37 < sickn3ss> dazo in case anyone else asks I have managed to figure out a couple of ways to get it working. The first one stops the actual multiple connections which is to add "single-session / ping 5 / ping-exit 60" to both server & client side, this will stop multiple connections after 60 seconds only keeping one active). The second way is as you said using the keepalive option, using this you can basically change the time for the reconnect that way all
08:37 < sickn3ss>  the CPU has some time to cool off after the key exchanges before the reconnect starts.
08:38 <@dazo> sickn3ss: have a look at --reneg-* options too, that way you can maybe manipulate that the clients reneg doesn't necessarily happen at the same time
08:38 <@dazo> (time skewing the clients, kind of, based on number of network packets and/or bytes transferred over the tunnel)
08:38 < sickn3ss> dazo yep that's what I'm looking in right now, I feel like using the keepalive option alongside --reneg-* would be the optimal way of doing this
08:53 -!- dazo is now known as dazo_afk
09:09 -!- Misaka42 [~misaka42@80.255.7.137] has joined #openvpn
09:12 < Misaka42> Hi! I have successfully set up a closed VPN on a single host machine, and I would like to bind certain hostnames (i.e. myservice.local) to local ip of said machine, is that possible? I've used google to no avail, but maybe I was trying wrong keywords.
09:13 < Misaka42> And no, modifying /etc/hosts in client machine is not an option. Thanks in advance, and sorry if it's a stupid or unrelated question.
09:19 -!- PGNd [~PGNd@unaffiliated/pgngw] has left #openvpn []
09:19 < creshal> .local is a Bad Idea™ for domain names, as it collides with zeroconf, you should pick a unique domain.
09:19 < creshal> DNS (e.g. dnsmasq) might be an option, if you're willing/allowed to override the client's DNS server…
09:24 -!- Misaka42_ [~misaka42@178.217.31.16] has joined #openvpn
09:25 <@krzee> local ip of machine, like 127.0.0.1 ?
09:25 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:25 -!- Misaka42 [~misaka42@80.255.7.137] has quit [Ping timeout: 240 seconds]
09:28 -!- Misaka42 [~misaka42@80.255.7.137] has joined #openvpn
09:28 < Misaka42> Jesus christ, my network has gone crazy.
09:30 -!- Misaka42_ [~misaka42@178.217.31.16] has quit [Ping timeout: 246 seconds]
09:31 < Misaka42> !logs
09:31 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:33 < creshal> Misaka42: .local is a Bad Idea™ for domain names, as it collides with zeroconf, you should pick a unique domain.
09:33 < creshal> DNS (e.g. dnsmasq) might be an option, if you're willing/allowed to override the client's DNS server…
09:34 < creshal> Hope it went through this time. :D
09:34 < Misaka42> Thanks, yeah, that one I've seen, but never managed to reply to it. Or I did. I'm not sure now.
09:34 < creshal> I've never gotten a reply.
09:35 < Misaka42> I've read through dnsmasq readmes, is there any lighter way to do that? All I need is to route, say, jira.mycompany to localhost. Or any other domain, name does not matter.
09:35 <@krzee> "local ip of machine" …  like 127.0.0.1 ?
09:36 < creshal> Do you want to change domain mapping on the server, on clients, on both?
09:36 <@krzee> or do you mean the vpn server ip?
09:36 < Misaka42> Well, it's not actually localhost. It's docker's network, but essentialy this is the same.
09:36 <@krzee> Misaka42, please be more specific
09:36 < Misaka42> Okay, let me explain it.
09:37 <@krzee> just tell me *what ip*
09:37 <@krzee> in fact, give me the actual ip, some examples
09:37 < Misaka42> 172.17.42.1
09:37 <@krzee> is the the vpn server's ip?
09:37 < Misaka42> It's a local ip only available inside host machine (or thorugh VPN).
09:37 <@krzee> as in, clients get addresses in that subnet?
09:37 < Misaka42> No.
09:37 <@krzee> lan ip?
09:38 < Misaka42> Yes, kinda. Maybe it would be better if I explain what is going on with extra details?
09:38 <@krzee> will that be the ONLY ip that needs to be resolved?
09:38 < Misaka42> Yes.
09:38 <@krzee> just use dns, on ANY dns server
09:38 <@krzee> hell, ill make you a hostname if you want
09:38 < Misaka42> Would other domain names resolve just as they were?
09:39 <@krzee> sure
09:39 <@krzee> you wont even change DNS servers
09:39 <@krzee> just put the resolution on the internet and forget about it
09:39 < Misaka42> I can't do that.
09:39 < Misaka42> Has to be a solution hosted on said machine.
09:39 <@krzee> why? is it reachable by the internet?
09:39 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:40 <@krzee> its a friggen rfc 1918 ip, who cares who else can resolve it
09:40 <@krzee> lol
09:41 < Misaka42> Oh, okay, here's the story. I have a host machine, which runs docker, which has it's own local network available only localy from that machine. Using docker, I've deployed some services for a rather personal use (jira, stash, conf, a couple of others), and I want them only to be accessible over VPN.
09:41 <@krzee> allowing them to resolve over the internet does not magically give people access to your lan
09:41 <@krzee> i know the ip, i cannot reach it.
09:41 <@krzee> its INTERNAL ip
09:41 < Misaka42> That I did just fine, but services can only be accessible by ip. I know, but that's not my decision. Someone I'm answering to is batshit crazy about it.
09:42 <@krzee> *shrug*
09:42 < creshal> Then you'll either need to modify the clients' /etc/hosts, or tunnel DNS through the VPN as well and have that DNS server add the IPs. That's what, six config lines in dnsmasq?
09:42 < Misaka42> Oh, it is?
09:42 <@krzee> ya pretty small
09:42 <@krzee> !splitdns
09:42 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
09:42 < creshal> Or make the customer stop being anal about it, good luck. :D
09:42 <@krzee> but seriously, whoever cares that nobody knows their secret lan ip is an idiot
09:42 < Misaka42> *shurgs* customers.
09:43 <@krzee> cause if i get in his lan, that wont save him
09:43 < creshal> I wonder what those people do if they realize IPv6 doesn't even have private IPs…
09:43 <@krzee> i mean, it doesnt matter until i have access, and then it REALLY doesnt matter
09:43 <@krzee> sure ipv6 has private ips
09:43 < creshal> Oh? :S
09:43 <@krzee> it has unroutable subnets like ipv4 does
09:43 < Misaka42> Btw, I follwed the link, but all I see is dnskasq's index, with no mentions of splitdns
09:43 < Misaka42> Am I just being stupid here?
09:44 <@krzee> Misaka42, nope, you have to learn how to use it
09:44 <@krzee> its not a walkthrough
09:44 < Misaka42> Oh, okay.
09:44 < creshal> Misaka42: The manpage is a quite long read, but yeah, it's easy. Basically, add new hosts, add upstream servers, maybe add some filtering, done.
09:45 < Misaka42> 'Kay, thanks.
09:45 < creshal> 2/3 of the manpage is DHCP/TFTP anyway and can be skipped.
09:46 < creshal> Actually, if you can modify the /etc/hosts on the machine running dnsmasq and have a working /etc/resolv.conf, you probably don't need to configure anything extra…
09:47 <@krzee> creshal, rfc 4193 says fc00::/7 should not be routed on the internet
09:48 <@krzee> (but i dont actually use ipv6, for the record)
09:49 < creshal> krzee: Ah, good to know.
09:49 < creshal> (I probably read up on that some years ago, but I'm not using it actively either… it's always "just one more year" until it's deployed.)
09:49 < Misaka42> Now to set up dnsmasq using docker...
09:53 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 260 seconds]
10:23 -!- N-Mi [~nicolas@calvix/staff/N-Mi] has quit [Ping timeout: 244 seconds]
10:27 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:38 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
10:42 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Remote host closed the connection]
10:44 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
10:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
10:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:49 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
10:51 < Eugene> Man, I hate NetworkManager
10:51 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:52 <@krzee> yes
10:52 <@krzee> that's the spirit!
10:52 < Eugene> $USER insists on keeping it :-|
10:52 < Eugene> Hi ho, `openvpn` bash wrapper here we come
10:53 < Eugene> All because the stupid fucking GNOME guys don't know how to implement a field for custom options
10:53 <@krzee> seems to be a lot of ${USER}s demanding dumb things of ${ADMIN}s lately
10:54 < Eugene> We must revolt
10:54 < Eugene> --ping-restart is on the --push list, right?
10:54 <@krzee> sure, isnt it part of keepalive?
10:55 <@krzee> if mode server:
10:55 <@krzee>    ping 10
10:55 <@krzee>    ping-restart 120
10:55 <@krzee>    push "ping 10"
10:55 <@krzee>    push "ping-restart 60"
10:55 <@krzee>  else
10:55 <@krzee>    ping 10
10:55 <@krzee>    ping-restart 60
10:55 < Eugene> So it is, yeah
10:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:55 < Misaka42> Fucking shite. Damn systemd, and damn CoreOS, and damn docker.
10:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:55 < Eugene> I agree fully
10:56 < Misaka42> Figuring out the config was pecie of a cake.
10:56 <@krzee> yep.
10:56 <@krzee> shite!
10:56 < Misaka42> NOW HERE'S THE HARD PART - actually making my coreos instance use the damn dns i provided.
10:56 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
10:57 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:57 -!- Misaka42 [~misaka42@80.255.7.137] has quit [Read error: Connection reset by peer]
10:57 -!- Misaka42 [~misaka42@80.255.7.137] has joined #openvpn
10:58 < Eugene> I've yet to understand the advantage of Docker versus just running a VM for everything, since that's what the docker experts recommend doing in production anyway.....
10:58 < Eugene> Proper hypervisors being better at prvilege separation than the linux kernel
10:59 < Misaka42> Docker is modular, and easily deployable.
11:00 <@krzee> isnt anything you're good at easily deployable?
11:00 < Eugene> So is an RPM
11:00 < Eugene> Or a tarball
11:00 < Misaka42> The core feature of docer is not in isolating, but rather incapsulating. And CoreOS with docker and etcd allows you to easily create, deploy and interconnect various docker containers across multiple nodes.
11:01 <@krzee> ive never even heard of docker, is it simply jails for linux?
11:01 <@krzee> (like freebsd jails)
11:01 < Misaka42> I don't know what jails is, so i can't really answer to that.
11:01 <@krzee> Eugene will know
11:01 < Misaka42> But here's the link: http://docker.com
11:01 <@vpnHelper> Title: Docker - Build, Ship, and Run Any App, Anywhere (at docker.com)
11:01 < Eugene> It's a fancy wrapper for LXC
11:02 < Eugene> Which is basically the same thing, I guess
11:02 <@krzee> oh werd
11:02 < Misaka42> Well, maybe. Haven't used LXC either, so I can't really say.
11:02 < Eugene> Docker /is/ LXC ;-)
11:03 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.0]
11:03 < Misaka42> Oh. Just with images repos and other stuff out of the box?
11:03 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:03 < Eugene> It's what makes it pretty, yes
11:03 < Misaka42> Oh, well.
11:04 < Eugene> The only "big" advantage of Docker AFAIK is that it provides the same platform regardless of the hosting linux distribution.... which is a bit stupid to say, becuase you're basically exposing only networking primitives at that point
11:04 < Eugene> You could do the same thing with a few lines of bash wrapping `ip`
11:05 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-253-130.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
11:06 < Misaka42> Well, somehow a lot of people are using and enjoying it.
11:06 < Eugene> A lot of people are idiots
11:06 <@krzee> a lot of people use and enjoy the iphone
11:06 <@krzee> and windows
11:06 < Misaka42> Don't really say that shows how docker good, but hey, ALL of them can't be idiots.
11:07 < Misaka42> And I don't see how using windows and iPhone really makes you an idiot.
11:07 < Misaka42> (Although I don't use either, but still)
11:07 <@krzee> didnt mean to say they're idiots, but they probably did take a wrong turn somewhere
11:07 <@krzee> haha
11:08 <@krzee> ive seen large corporations with remote desktop listening to the world
11:08 <@krzee> doesnt make it a good idea… but it happens
11:09 < Misaka42> I don't know, really. It's just a phone, and just an OS. It depends on what you use it for. Don't see anything wrong with using iPhone as your smartphone if you're satisfied with it's functionality and don't need anything but.
11:09 <@krzee> what we're saying is, following the herd is a good way to have a terrible setup :-p
11:10 < Misaka42> I wasn't suggesting following the herd, but a lot of folks use Docker in more ways than just playing around and doing hobbie projects, I guess. Or else it wouldn't grow that large and popular. People are actually making business and running production on Docker, so I guess IT SHOULD have some strong points about it that made people use it in the first place.
11:10 -!- SilentKoala [~SilentKoa@boobytrapped.openslowly.com] has quit [Ping timeout: 246 seconds]
11:11 < Misaka42> Of course, you should decide on your own if you are to use it or not, based on your own knowledge and experience.
11:11 < Misaka42> Popularity just shows that there's a demand for such product, is all, really.
11:12 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
11:13 <@krzee> i have no opinion on it since i know nothing about it, but i do trust Eugene's opinion so id have to take a good hard look at it before i would use it
11:14 < Eugene> I just don't see the point
11:14 < Eugene> It certainly smells like cargo-culting to me
11:14 < Eugene> "Google is using it, must be good!"
11:14 < Misaka42> It' doesn't really make any sense when you think of one VPS, I think.
11:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 250 seconds]
11:15 < Misaka42> When you look at CoreOS's usecase, the real goal of docker becomes a bit more clear.
11:15 < Misaka42> The point of it is that using a clean and lightweith image with etcd, cloudinit and docker you can easily deploy your shit on new remote and local nodes.
11:16 < Eugene> So why is it still using the linux kernel, then ;-)
11:16 < Eugene> Lightweight laff
11:17 < Misaka42> YOU CAN techicaly do that on your own by writing your own shit or using other technology, but Core makes it a little bit easier by providing necessary means out of the box. To trust, or not to trust, to use or not to use is entierly up to you
11:18 < Misaka42> Again, it all depends on your circumstances. People will still use or not use it, either of their blindness or because they really need to.
11:18 < Misaka42> Like with any other technology, it's just a damn tool in the end. Some people can't stand PHP and always blame it, and some just go and build their apps on php, and they just work.
11:20 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
11:21 -!- d10n [~d10n@unaffiliated/d10n] has quit [Ping timeout: 245 seconds]
11:23 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
11:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:24 < jefferai> Eugene: Docker is not LXC; Docker used to use LXC as a backend for configuring cgroups and namespaces, but does not any longer (by default). LXC is a userspace package that does the same, configures cgroups and namespaces
11:24 < jefferai> They use the same parts of the kernel, but they're not the same
11:26 < jefferai> FWIW, long-time LXC user here that has found a decent use-case for Docker: running application containers instead of OS containers. Application containers on LXC were technically possible but always a pain in the ass.
11:26 < jefferai> Both have their uses, though
11:27 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
11:28 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
11:31 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:41 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
11:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
11:46 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
11:48 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Quit: elfixit]
12:00 < Misaka42> After a long and tiresome struggle with $user, I've managed to convince him into setting up our externall dns to point to local ip.
12:00 < Misaka42> hoo-fucking-ray, now I think I'll go and get drunk.
12:01 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
12:06 -!- xTz [~xtz@77.70.6.141] has joined #openvpn
12:08 < Eugene> A good idea
12:22 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 240 seconds]
12:34 -!- N-Mi [~nicolas@calvix/staff/N-Mi] has joined #openvpn
12:47 -!- Misaka42 [~misaka42@80.255.7.137] has quit [Ping timeout: 272 seconds]
12:47 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Changing host]
12:47 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
12:47 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Changing host]
12:47 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:02 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-253-130.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 244 seconds]
13:19 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
13:24 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:30 -!- BtbN [btbn@btbn.de] has joined #openvpn
13:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:33 -!- root^2 [~bts@g.rainwreck.com] has quit [Quit: i don’t know why i think pressing ctrl-c harder will help.]
13:39 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:07 -!- N-Mi [~nicolas@calvix/staff/N-Mi] has quit [Ping timeout: 260 seconds]
14:08 -!- moonkid [~anonymous@c-98-201-98-243.hsd1.tx.comcast.net] has joined #openvpn
14:10 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
14:15 -!- cm_ [~chris@2a01:e34:ef30:94f1:90a9:afb2:918a:f24d] has joined #openvpn
14:18 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
14:18 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
14:39 -!- pcfreak30 [~pcfreak30@cpe-075-177-116-215.triad.res.rr.com] has joined #openvpn
14:41 < pcfreak30> Can anyone explain how vpn providers can track a user down that may be torrenting if given an abuse request, but not on a dedicated IP?
14:42 < Eugene> logs of session history and nat
14:42 < pcfreak30> So only based on access timestamps?
14:43 < Eugene> !xy
14:43 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
14:43 < Eugene> if you can watch a session in progress that's basically it
14:44 < Eugene> logs of people connecting with a given ip and then establishing sessions on that ip and there you go
14:45 < pcfreak30> Thanks. I am researching this for a possible vpn service, and my only issue is DMCA takedowns on a shared IP.
14:45 -!- moonkid [~anonymous@c-98-201-98-243.hsd1.tx.comcast.net] has quit [Quit: moonkid]
14:47 < Eugene> the best way to avoid that is to not steal media ;-)
14:47 < pcfreak30> Well, if its a commercial service
14:47 < pcfreak30> Its going to happen
14:47 < pcfreak30> Well public service
14:47 < Eugene> That said, I've had great luck with EU-based seedboxes for obtaining "linux isos" myself
14:47 < Eugene> So you're wanting to sell this service?
14:48 < pcfreak30> So I am trying to figure out all security components to implement
14:48 < Eugene> if you're asking these questions, don't. just don't.
14:48 < Eugene> there's literally zero margin in the vpn service market
14:49 < pcfreak30> I only consider it due to the fact I have a rather memorable name
14:49 < pcfreak30> I have had a domain for over 2 years sitting and nodes in 2 dc's able to sell resources.
14:49 < pcfreak30> So im trying to figure things out right now.
14:50 < Eugene> itll all end in tears
14:51 -!- cm_ [~chris@2a01:e34:ef30:94f1:90a9:afb2:918a:f24d] has quit [Ping timeout: 260 seconds]
14:51 < pcfreak30> My only other option in planning is to force an IP per user, so that if  a complaint comes from upstream, its easy to track.
15:03 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 246 seconds]
15:06 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
15:17 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:29 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:35 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has quit [Quit: File not found. Should I fake it? (Y/N)]
15:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:39 -!- gardar [~gardar@bnc.giraffi.net] has quit [Quit: ZNC - http://znc.in]
15:40 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 245 seconds]
15:46 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
15:57 -!- sand3r [~user@unaffiliated/sand3r] has joined #openvpn
15:57 < sand3r> hi
15:57 < sand3r> how do you secure ur network access?
15:58 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
15:59 < mulga> !welcome
15:59 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:59 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:01 < sand3r> hi
16:01 < sand3r> is it possible to chain VPN?
16:02 <@krzee> yes, with a thorough understanding of routing
16:03 <@krzee> its not easy or standard
16:03 < sand3r> krzee: VPN 1 host -> VPN 2 virtualbox
16:03 < sand3r> krezee: are you talking about this method?
16:04 <@krzee> no idea what you're trying to say
16:04 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 260 seconds]
16:04 < sand3r> krzee: could u please explain more about how to chain VPN?
16:04 <@krzee> only if you can explain more about what you want
16:13 -!- ShadniX [dagger@p5481D5D5.dip0.t-ipconnect.de] has quit [Quit: Bye.]
16:14 -!- ShadniX [dagger@p5481D5D5.dip0.t-ipconnect.de] has joined #openvpn
16:14 -!- ShadniX [dagger@p5481D5D5.dip0.t-ipconnect.de] has quit [Client Quit]
16:15 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
16:16 -!- ShadniX [dagger@p5481D5D5.dip0.t-ipconnect.de] has joined #openvpn
16:20 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
16:20 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: Connection reset by peer]
16:26 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:57 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Quit: reboot]
17:02 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
17:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:16 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Remote host closed the connection]
17:22 -!- shio [~marmot@48.121.101.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
17:29 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
17:31 -!- shio [marmot@48.121.101.84.rev.sfr.net] has joined #openvpn
17:39 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:41 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
17:41 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
17:43 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
17:46 -!- BtbN [btbn@btbn.de] has joined #openvpn
18:31 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has joined #openvpn
18:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:45 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
19:23 -!- sand3r [~user@unaffiliated/sand3r] has quit [Ping timeout: 260 seconds]
19:27 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
19:36 -!- mulga| [~mulga_afk@unaffiliated/mulga] has joined #openvpn
19:47 -!- mulga| is now known as mulg
19:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
20:04 -!- mulg is now known as mulga
20:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
20:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:28 -!- Starthunder [~blackl@unaffiliated/moonlightning] has joined #openvpn
20:59 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
21:00 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
21:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
21:29 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 260 seconds]
22:10 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:12 -!- TheEternalAbyss [~IRCIdent@unaffiliated/theeternalabyss] has joined #openvpn
22:15 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
22:16 < cesurasean> when i connect with my openvpn client, im getting this error; SIOCADDRT: File exists
22:16 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
22:47 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has quit [Ping timeout: 245 seconds]
22:48 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has left #openvpn []
22:49 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:57 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
23:05 -!- ShadniX [dagger@p5481D5D5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:06 -!- ShadniX [dagger@p5481CFB5.dip0.t-ipconnect.de] has joined #openvpn
23:27 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
23:29 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 245 seconds]
23:33 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:35 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
23:36 < cesurasean> anyone here?
23:43 < cesurasean> getting this error; siocaddrt: file exists
23:49 -!- JuddyJacob [~androirc@unaffiliated/juddyjacob] has joined #openvpn
23:50 -!- JuddyJacob [~androirc@unaffiliated/juddyjacob] has quit [Client Quit]
--- Day changed Thu Sep 25 2014
00:07 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
00:07 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Remote host closed the connection]
00:08 < cesurasean> when i use #push "redirect-gateway def1", im getting that error.
00:09 < cesurasean> using the newest version of openvpn out.
00:11 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
00:11 <@krzee> cesurasean, show me your routing table without openvpn running, and with it running
00:15 < cesurasean> server or client?
00:16 < cesurasean> krzee, ?
00:16 <@krzee> which is getting the error?
00:16 < cesurasean> client
00:16 <@krzee> that
00:16 < cesurasean> how do i paste in here using debian if im on console?
00:16 <@krzee> also show me the log
00:17 <@krzee> google it, prolly some sort of pastebin app
00:17 < cesurasean> do you have teamviewer?
00:17 < cesurasean> :D
00:17 < cesurasean> would be easier if i could just show you.
00:17 <@krzee> yes but im not doing it for you for free, but ill help you do it yourself
00:20 <@krzee> !google pastebin cli
00:20 <@vpnHelper> Pastebin.com - Tools & Applications: <http://pastebin.com/tools>; pastebin-cli - A CLI to pastebin.com - Google Project Hosting: <http://code.google.com/p/pastebin-cli/>; clbin: command line pastebin.: <https://clbin.com/>
00:20 < cesurasean> krzee, http://snag.gy/CszDw.jpg
00:20 <@krzee> my first hit was: http://sprunge.us
00:20 < cesurasean> this is the best i could do.
00:21 < cesurasean> i just need to get past this one error.
00:21 <@krzee> ok so thats after, right?
00:21 < cesurasean> thats a route command with openvpn started.
00:21 < cesurasean> no internet though.
00:21 <@krzee> you run the server?
00:21 < cesurasean> yeah so i had to screenshot it, cause internet is down.
00:21 < cesurasean> yes
00:21 <@krzee> ok so
00:21 <@krzee> !redirect
00:21 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
00:21 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
00:21 < cesurasean> its a kvm VPS.
00:21 <@krzee> use the flowchart
00:22 < cesurasean> i tried the redirect gateway
00:22 <@krzee> its redirecting gateway
00:22 < cesurasean> getting this error; siocaddrt: file exists
00:22 <@krzee> well its doing it
00:22 <@krzee> show me your log
00:22 < cesurasean> how do i fix this error? siocaddrt : file exists?
00:22 < cesurasean> how do i get the log off the client?
00:23 <@krzee> i googled it for you above and gave you the link i found
00:23 < cesurasean> to find the client log?
00:23 <@krzee> oh, you dont know where it is?
00:23 <@krzee> i thought you didnt know how to pastebin from cli
00:24 <@krzee> !logfile
00:24 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
00:26 < cesurasean> this is thebest i could find - http://pastebin.com/xrahA4jA
00:28 < cesurasean> krzee, ?
00:29 <@krzee> i dont see the error you claimed to have
00:29 <@krzee>  <cesurasean> how do i fix this error? siocaddrt : file exists?
00:29 < cesurasean> i get that error when i run openvpn client.conf
00:29 < cesurasean> and watch it connect.
00:29 <@krzee> you probably already have openvpn running
00:30 < cesurasean> no
00:30 <@krzee> that error means you are trying to add a route that exists
00:30 <@krzee> so most likely, yes
00:30 < cesurasean> how do i fix that?
00:30 <@krzee> especially since that logfile doesnt have it
00:30 < cesurasean> i shut off openvpn.
00:30 <@krzee> by killing openvpn before running it again
00:31 < cesurasean> root      2609  0.0  0.0   7832   840 pts/0    R+   00:31   0:00 grep openvpn
00:32 <@krzee> k, now run it and paste me the output
00:32 < cesurasean> its not running.
00:32 <@krzee> or take a pic
00:32 < cesurasean> run from openvpn client.conf?
00:32 < cesurasean> or /etc/init.d?
00:32 <@krzee> ya
00:32 <@krzee> manually
00:33 < cesurasean> krzee, http://pastebin.com/BSb9pv3h
00:34 < cesurasean> it loses internet connection of that.
00:34 <@krzee> ok now make sure its not running again
00:34 <@krzee> then show me your routing table
00:35 < cesurasean> http://snag.gy/oMMoB.jpg
00:37 <@krzee> weird, its not there
00:37 <@krzee> it was before when you showed me, were you running it from init.d then?
00:37 < cesurasean> yes
00:37 < cesurasean> but even then that doesnt show it
00:38 <@krzee> cool, run it from init.d and then show me your routing table again
00:38 < cesurasean> thats because i had removed the redirecting -gateway thing
00:38 < cesurasean> init.d routing table is the same.
00:38 <@krzee> good, that was right
00:39 < cesurasean> it has to do with redirecting gateway not working.
00:39 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 260 seconds]
00:39 <@krzee> no shit, get the routing back to how it was when you took that picture
00:40 <@krzee> and then use my flowchart i gave you like 20 minutes ago
00:40 <@krzee> theres more to redirecting gateway than just the client routes, which you had right back then
00:42 < cesurasean> got it
00:42 < cesurasean> from termianl
00:42 < cesurasean> http://snag.gy/4NYC6.jpg
00:43 <@krzee> !configs
00:43 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
00:43 < cesurasean> my configs are here; https://stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
00:43 <@vpnHelper> Title: How to install and set-up OpenVPN in Debian 7 (Wheezy) | Stavrovski.Net (at stavrovski.net)
00:48 <@krzee> oh boy another walkthrough that will lead to people with setups they know nothing about
00:48 <@krzee> yay
00:48 <@krzee> !walkthrough
00:48 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
00:48 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
00:48 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
00:49 < cesurasean> how do i fix my system, krzee?
00:49 <@krzee> you start by learning about it
00:49 <@krzee> wait, we had this conversation before didnt we
00:51 < cesurasean> dude, its got to be an easy fix.
00:52 < cesurasean> you seemed to act like you were going to help me.
00:52 < cesurasean> not tell me to learn on my own.
00:53 <@krzee> i asked for your configs and was given a walkthrough
00:53 <@krzee> thats enough to get on my ignore list
00:54 < cesurasean> when i connect, i lose internet connection.
00:54 < cesurasean> ok,
00:54 <@krzee> i gave you a flowchart for troubleshooting that awhile ago
00:54 < cesurasean> it connects fine, and i can ping google
00:55 <@krzee> then you're done
00:55 < cesurasean> but redirect gateway isnt masquerading my ip.
00:55 < cesurasean> plus, ssh access goes dead.
00:57 < cesurasean> ok cool
00:57 < cesurasean> its working now!
00:57 < cesurasean> but ssh acess goes dead.
00:57 < cesurasean> it is working though!
00:57 < cesurasean> so how do i get ssh access to start working again?
01:26 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
01:40 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:57 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
02:20 < cesurasean> what causes a windows system to not resolve DNS across openvpn?
02:22 < creshal> Windows assigns priorities to DNS servers, those are probably in the wrong order. I think you need some registry magic to fix that…
02:28 < cesurasean> normally this works, but this time its not.
02:28 < cesurasean> what could by my issue?
02:29 < creshal> Still that.
02:30 < creshal> cf. http://serverfault.com/questions/163401/change-the-order-of-dns-lookup-when-connected-in-the-vpn , http://hydrous.net/weblog/2009/10/28/force-windows-to-use-a-vpns-dns-server
02:30 <@vpnHelper> Title: windows 7 - Change the order of DNS lookup when connected in the VPN - Server Fault (at serverfault.com)
02:34 < cesurasean> creshal, i tried that. no luck!
02:34 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:43 < cesurasean> i can ping my router, but nothing else.
02:51 -!- dazo_afk is now known as dazo
03:08 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:01 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 272 seconds]
04:06 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
04:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:50 -!- creshal [~Creshal@91.143.96.4] has quit [Quit: Leaving.]
04:58 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
05:02 < creshal> Is OpenVPN affected by bash's CVE-2014-6271 when using scripts, by the way? E.g. client certificate with a forged CN?
05:03 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
05:08 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 260 seconds]
05:11 < BtbN> username is propably the easiest attack vector
05:12 < creshal> So… yes?
05:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:17 -!- mulga| [~mulga_afk@unaffiliated/mulga] has joined #openvpn
05:20 -!- mulga| is now known as mulga|afk
05:20 -!- mulga|afk is now known as muga|
05:20 -!- muga| is now known as mulga|
05:21 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
05:28 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
05:34 < creshal> Mh, I just tried it, but can't seem to trigger it. That said, I had to bypass easy-rsa and hand-generate everything because it fails to correctly handle shell scripts as CNs, so it might be an unrelated openssl issue/feature.
05:35 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Ping timeout: 244 seconds]
05:38 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 260 seconds]
05:43 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
05:45 -!- Tuju [~tuju@214.204.50.195.sta.estpak.ee] has joined #openvpn
05:45 < Tuju> any idea why i get flood of these: MULTI: bad source address from client [195.50.204.214], packet dropped
05:47 < creshal> https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html ?
05:47 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
05:47 < Tuju> creshal: i'm reading that but i don't understand it.
05:47 < Tuju> i get that message on-line having connection from that ip to this openvpn box.
05:48 < Tuju> i doubt that openvpn can read routing table.
05:48 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has joined #openvpn
06:08 < Tuju> creshal: now i got it, something causes that client side packets are being sent to tunnel with client-end-gw's public ip-address
06:28 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has joined #openvpn
06:55 -!- spodletela [~irukandji@94.242.213.94] has joined #openvpn
06:56 < spodletela> !welcome
06:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:00 < spodletela> When openvpn client is up, all the packets are routed to it (routing table destination 0.0.0.0 points to vpn gateway) while i would like to have outgoing smtp leave the computer on default interface... i just cant figure out how to do it :(
07:01 < spodletela> "default interface" as non tunnel...
07:10 < Tuju> my ip route command displays: 172.16.1.0/24 dev eth1.21  proto kernel  scope link  src 172.16.1.254
07:10 < Tuju> apparently that is causing those MULTI lines
07:15 -!- NucWin [~nucwin@unaffiliated/nucwin] has joined #openvpn
07:22 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
07:23 -!- mulga| [~mulga_afk@unaffiliated/mulga] has quit [Quit: off grid]
07:24 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
07:38 -!- spodletela [~irukandji@94.242.213.94] has quit [Ping timeout: 244 seconds]
07:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
07:53 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has joined #openvpn
07:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:56 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
07:57 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
07:57 < aep> any idea how i can tunnel _all_ client traffic? instead of just opening a tun/tap on the client that i can set routes on
07:58 < aep> the client does not understand networks at all and may run into networks that have identical ip addresses to the tunneled network. specifically when they are _inside_ the other network
08:01 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
08:01 < BtbN> what?
08:02 < aep> err, i basically need a layer2 tunnel where all traffic of the client is tunneled
08:02 < aep> instead of having layer3 routing on the client
08:02 < Tuju> aep there is a bridged mode
08:02 < aep> yeah that works on the server
08:02 < aep> but i dont know how to make it work on the client
08:03 < aep> since obviously i dont want to bridge the clients network interface into the vpn
08:03 < BtbN> set the default route on the vpn interface, add static route to old default gateway for VPN server ip.
08:03 < BtbN> That's what OpenVPN does itself anyway if you tell it to reroute all client traffic.
08:03 < aep> i dont know the old ip, it could be anything
08:04 < BtbN> It's not possible to configure routing "for anything"
08:04 < aep> ah yeah but whats the option to do that :)
08:04 < BtbN> There is no routing below the IP layer.
08:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
08:11 < aep> well, so push "redirect-gateway def1"
08:11 < aep> that seems to set the gw on the client to the tunnel
08:11 < aep> or something
08:11 < aep> but the tunnel and the local network have identical ip ranges
08:15 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
08:17 < BtbN> Yeah, don't do that. That doesn't work.
08:17 < BtbN> They _have_ to be diffrent subnets
08:20 < aep> i cant do that
08:20 < aep> any other options?
08:21 < BtbN> no
08:21 < BtbN> That's how networks work.
08:31 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
08:38 < Hello71> 'identical ip ranges'
08:38 < Hello71> learn how cidr works
08:47 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
08:50 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
08:52 <@ecrist> bridged mode is usually the wrong way to do whatever you're trying to do
08:53 <@ecrist> BtbN: it *is* possible to route all traffic over the VPN
08:53 <@ecrist> !def1
08:53 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
08:54 < BtbN> ecrist, read everything before making suggestions.
08:54 <@ecrist> aep: regarding IP conflict, you'll need to set a different IP range on either the VPN or LAN.  No way around that, really.
08:54 <@ecrist> BtbN: don't be a douche nozzle
08:58 < creshal> ecrist: He's still right.
08:59 < creshal> The setup is 100% fucked up, your suggestions are just distracting from the fact that it cannot work.
09:00 <@ecrist> sure
09:01 <@ecrist> 100% is going a bit far, but I agree it's a messed up setup
09:01 -!- zeroNones [~textual@187.204.145.229] has joined #openvpn
09:01 <@ecrist> initially, I assumed BtbN and aep where having separate issues.
09:06 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 246 seconds]
09:11 -!- zeroNones [~textual@187.204.145.229] has quit [Ping timeout: 272 seconds]
09:20 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
10:08 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
10:21 -!- zeroNones [~textual@189.182.27.177] has joined #openvpn
10:25 < Tuju> can't say that typical (documentented) way to use route and iroute config directives without destination is very intuitive and clear.
10:26 < aep> ecrist: nah, we need bridge. the person wants to use apple bounjour stuff between sites
10:26 < Tuju> in contrary, it leaves the essential hanging in the air, something that you can determine by reading man page.
10:27 < aep> but yeah, i have no idea why it works with ipsec at all (having the same net as target and local)
10:28 < aep> i'm guessing it doesn't and the test is flawed
10:30 < Tuju> ouh shit, here we go again - getting floods of MULTI-wrong-src-address+dropped-packets.
10:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:41 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:42 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
10:48 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 260 seconds]
11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:23 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
11:25 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:40 -!- Envil [~meep@95.211.26.40] has joined #openvpn
11:41 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Quit: ZNC - http://znc.in]
11:47 < aep> in a regular bridge configuration, what would one side cause to ignore arp responses to its own requests?
11:47 < aep> like, i can see them on tap0, but arp says (incomplete)
11:48 < aep> 16:45:40.644120 ARP, Reply 10.0.0.2 is-at b0:00:b4:b6:07:75, length 46
11:48 < aep> ip-10-0-44-100.eu-west-          (incomplete)                              tap0
11:48 < aep> err wrong entry, but same thing
11:49 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
11:49 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Client Quit]
11:51 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
12:03 < aep> hm started working magically
12:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
12:17 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
12:22 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Write error: Broken pipe]
12:28 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
12:29 < KarlBauman> guys, I am trying to set up static ip for one of clients, can you please explain what does this rote pushing does? why do I need it and what numbers I have to set?
12:29 < KarlBauman> if I want my client to have an ip 10.8.0.10
12:33 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
12:39 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 260 seconds]
12:47 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
12:48 -!- zeroNones [~textual@189.182.27.177] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
12:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
12:55 <+_FBi> have your subnet setup correctly?
12:56 < xTz> KarlBauman, static IP to clients is not related to pushing routes
12:57 < KarlBauman> I was fallowing this tutorial http://michlstechblog.info/blog/openvpn-set-a-static-ip-address-for-a-client/
12:57 <@vpnHelper> Title: OpenVPN: Set a static IP Address for a client | Michls Tech Blog (at michlstechblog.info)
12:57 <+_FBi> !version
12:57 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1.  The newest version available online is 0.83.4.1.
12:58 < KarlBauman> so I can ignore the line push "route 10.1.135.0 255.255.255.0 10.1.134.62"   ?
13:00 < KarlBauman> I don´t know if my subnet is setup correctly, but everything seems to work fine
13:03 < KarlBauman> this is how my client ipconfig looks https://www.dropbox.com/s/xrlbwhjiv1p9p73/Screenshot%202014-09-25%2020.02.40.png?dl=0
13:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
13:08 < xTz> I dont have time right now man, if I manage to finish with what Im doing earlier and you're still here, I'll take a look
13:10 -!- DomiX [~dom@rai93-2-82-231-187-222.fbx.proxad.net] has joined #openvpn
13:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:10 < KarlBauman> tnx!
13:11 < DomiX> hi
13:14 -!- imsomeoneelse [~eh@wsip-98-190-221-98.dc.dc.cox.net] has joined #openvpn
13:15 < imsomeoneelse> hello everyone
13:16 < imsomeoneelse> Can I use an asterisk as a wildcard in openvpn client configuration file? I want to do this to point out to the client certificate files, such as: "cert keys/c1*.crt" instead of the full file name
13:17 < Hello71> why doesn't that make any sense
13:17 <@ecrist> aep: you don't need bridging for that
13:17 <@ecrist> SRV records in DNS can handle it
13:18 < DomiX> I've an openvpn bridge but I'm seeing a lot of traffic openvpn/udp to wan while my tap interface there is not so much traffic, I know openvpn add ssl part but on tap I see 5Kb/s traffic and on wan I see 50Kbs/ it's 10 more time ! any idea what can I do ? I enabled compression mode server/client
13:18 < imsomeoneelse> The reason behind that is, I'd like to mass deploy the client configurations to all my clients and only push the client certificates without touching the .ovpn client config file each and every time.
13:22 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
13:22 -!- mode/#openvpn [+o novaflash] by ChanServ
13:33 < Hello71> tip: cp can take a destination *file* too
13:37 < imsomeoneelse> Domix: In tun mode, I believe packet overhead with TLS setup and 128bit keys are around 60-70bytes, in TAP mode this will even bigger since ethernet header is added.
13:38 < imsomeoneelse> And if you packets are not really compressible (e.g. an already compressed data stream), you won't gain it back.
13:38 < imsomeoneelse> I mean you won't gain it back much by enabling compression on the openvpn
13:39 < DomiX> There is a big part of arp packets
13:39 < imsomeoneelse> I'm not an expert by the way, just making an educated guess :)
13:39 < DomiX> by default cipher used is AES-128-CBC
13:40 < DomiX> me too :)
13:40 < imsomeoneelse> Eh, if you are seeing this especially with ARP packets, well I guess it's kind of normal, ARP itself is not a big packet, so majority of your packet size will be coming from the VPN encapsulation overhead.
13:42 < DomiX> without doing nothing my wan bandwidth is used at 50Kb/s (it's hight for my connection)
13:43 < imsomeoneelse> ARP itself should be around ~30 bytes or so, and padded to 64byte (because smallest legitimate ethernet packet should be 64byte by standards), so compression will take of the ARP pretty good since half of it is padding anyway, but you still end up having that 70bytes+ overhead on the VPN
13:43 < imsomeoneelse> constant 50Kb/s?
13:43 < DomiX> yes
13:43 < imsomeoneelse> with a K? well ok that's weird
13:44 < DomiX> yes Kilo bytes :)
13:44 < imsomeoneelse> ok, I'm out of ideas in that case :)
13:45 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
13:46 < DomiX> I think there is too much packets sent by openvpn for only some arp packets
13:47 < imsomeoneelse> you don't have any obscenely small MTU settings in between your client and server I suppose?
13:47 < DomiX> I enabled tls auth for packets, dh1024 and AES-128-CBC
13:48 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
13:48 < DomiX> well I'm connected from ADSL line (server and client)
13:49 -!- Hello71_ [~Hello71@wikipedia/Hello71] has joined #openvpn
13:49 -!- Hello71 [~Hello71@wikipedia/Hello71] has quit [Ping timeout: 258 seconds]
13:50 < DomiX> it's all default
13:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
13:51 < imsomeoneelse> With the same setup except 2048 bit DH, I see less than a 1KB/sec idle on either side
13:52 < imsomeoneelse> One of your computers must be doing something else, did you look at it with wireshark/tcpdump?
13:52 < DomiX> you are using birdge or routed mode ?
13:53 < imsomeoneelse> oh crap, mine is routed, sorry
13:53 < DomiX> :)
14:00 <@dazo> imsomeoneelse: routed mode is the best approach
14:01 < imsomeoneelse> dazo: I know, never needed bridging yet :)
14:01 <@dazo> good!
14:01  * dazo sends imsomeoneelse a cookie
14:01 < imsomeoneelse> Right one time, I was drinking coffee, yay for the cookies!
14:02 < imsomeoneelse> Now if only I could find a way to use wildcards on the client config certificate file name...
14:03 <@dazo> thats not supported
14:04 <@dazo> but ... use inline certs and keys in the configs ;-)
14:04 <@dazo> <cert>__contents_of_cert_file</cert>
14:04 <@dazo> <key>....</key>
14:04 <@dazo> <ca>....</ca>
14:05 < imsomeoneelse> hmm, never though about that, even though I used it before :)
14:05 <@dazo> :)
14:05 < DomiX> dazo, I knwo bridge is not the better option, in my projets it's needed, do you have an idea about this bandwidth usage ?
14:05 <@dazo> I've not looked into that part of the discussion ... I noticed 'bridged' and the alarm went off :)
14:06 <@dazo> !gigabit
14:06 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
14:06 <@dazo> that should provide some info about how to understand bandwidth issues
14:07 <@dazo> also beware that AES requires more CPU power than BF ... BF is strictly CPU frequency bound, while AES is much heavier on the CPUs
14:07 < imsomeoneelse> Unless you have a newer Intel processor that has AES-NI, than AES is ~7 times faster than Blowfish
14:08 <@dazo> true
14:08 < imsomeoneelse> and also assuming that your openssl version supports that AES-NI engine..
14:08 < DomiX> well client run soekris4801
14:08 <@dazo> imsomeoneelse: using --engine aesni ....
14:08 < imsomeoneelse> dazo: do I have to specify --engine if my OpenSSL version supports it by default?
14:09 <@dazo> imsomeoneelse: You need to tell it to use the aesni accelerator in OpenSSL, otherwise I believe it defaults to a standard implementation
14:09 < imsomeoneelse> Got it, thanks
14:10 < DomiX> dazo, I'll give a try to bf-cbc, both client and server need to have the same cipher or client use server cipher ?
14:10 <@dazo> DomiX: All cipher settings must be the same on both sides
14:10 < DomiX> ok
14:10 <@dazo> DomiX: go the soekris RSA accelerator card?
14:10 <@dazo> got*
14:10 < DomiX> dunno
14:11 < DomiX> from description it's optional
14:11 <@dazo> okay, then you most likely don't have it :)  It's an additional add-on card
14:12 <@plaisthos> that addon card is today also dwarfed by even cheap aes ni processors
14:13 <@dazo> yeah, that's true
14:15 -!- ausjke [~xxiao@li259-246.members.linode.com] has quit [Read error: Connection reset by peer]
14:16 < DomiX> you think I see a lot of traffic because my processor is slow ?
14:16 <@dazo> nope
14:16 <@dazo> but you said bridging ... then you do get all the broadcast traffic on both sides of the tunnel passing over to the remote side and back
14:18 < DomiX> yeah I know it does not help but 50Kb/s seems really hight
14:18 <@dazo> if you got enough broadcast traffic, that will hurt you
14:18 <@plaisthos> 50KB/s or 50Kb/s?
14:19 < imsomeoneelse> dazo: it looks like with OpenSSL 1.0.1+, AES-NI gets enabled automatically and won't even show up on the engine list (when you do "openssl engine"), or in other words it's not really an engine from the SSL point of view, by default it's being used.
14:19 < DomiX> plaisthos, yes 50Kb/s
14:20 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:26 < imsomeoneelse> Is there a way to manage huge OpenVPN deployments easily, like a frontend, some sort of automation scripts etc.? Huge = 1000 or 10000+ clients, revocation lists (and un-revoking some), mass generation of certificates, etc.? ,
14:27 < imsomeoneelse> Both free or commerical/paid options are ok by me
14:27 <@plaisthos> I have no idea how much the commercial solution of OpenVPN.net does scale
14:27 <@plaisthos> but you can try to contact them
14:29 <+_FBi> !nobody
14:30 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 272 seconds]
14:30 -!- dazo is now known as dazo_afk
14:31 < imsomeoneelse> I guess I better do that, couldn't find any info for the past few days, I guess no one wants to talk about their large scale OpenVPN deployments :)
14:33 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:34 < cesurasean> can ping my router, but not google's ip, any ideas what my issue is?
14:36 < Eugene> !goal
14:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:37 < cesurasean> my goal is to link two vpns together in a chain, and have a 3rd client route through the first vpn's ip.
14:38 < cesurasean> i have both linux vps setup correctly, but when the client one connects to the other one, it drops ssh access.
14:38 < cesurasean> but in kvm, it's working fine. even gives off the server's ip as a masquerade.
14:38 < cesurasean> then, when i connect using a windows client to the server, it doesn't ping anything but my local router.
14:39 < cesurasean> i wish there were someone in here smart enough to help me out.
14:40 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
14:44 -!- Hello71_ [~Hello71@wikipedia/Hello71] has left #openvpn []
14:45 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
14:48 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:58 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
14:59 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
15:02 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:12 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 258 seconds]
15:16 -!- mete [~mete@91.247.253.160] has joined #openvpn
15:19 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:44 -!- evil_andy [~evil_andy@2001:470:e29f:1:204:4bff:fe15:fd2e] has left #openvpn ["Leaving"]
16:19 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
16:23 -!- DomiX [~dom@rai93-2-82-231-187-222.fbx.proxad.net] has quit [Quit: Quitte]
16:26 <@ecrist> cesurasean: plenty of smart people.  Not all of us have time
16:33 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
16:33 -!- mode/#openvpn [+o raidz] by ChanServ
16:58 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 260 seconds]
16:59 -!- Pyrogerg [~Gregory@75-173-153-10.albq.qwest.net] has joined #openvpn
17:22 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:23 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:27 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:39 -!- Pyrogerg [~Gregory@75-173-153-10.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:39 -!- Pyrogerg_ [~Gregory@75-173-153-10.albq.qwest.net] has joined #openvpn
17:44 -!- Pyrogerg_ [~Gregory@75-173-153-10.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:45 -!- Pyrogerg [~Gregory@75-173-153-10.albq.qwest.net] has joined #openvpn
17:59 -!- Pyrogerg [~Gregory@75-173-153-10.albq.qwest.net] has quit [Ping timeout: 260 seconds]
18:05 -!- shio [marmot@48.121.101.84.rev.sfr.net] has quit [Ping timeout: 258 seconds]
18:05 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
18:07 -!- rmelcer [~rmelcer@crucis.meridian-enviro.com] has joined #openvpn
18:19 < rmelcer> Hey guys. I'm not sure if this belongs here or in @openvpn-devel, but I was wondering if openvpn ever needs to access keys after the daemon starts the server. Does the question make sense?
18:23 < pekster> rmelcer: See --persist-key in the manpage if you plan to restart your server via the USR1 signal and are downgrading permission or chrooting
18:24 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
18:28 -!- pissfrog [~chatzilla@96.48.146.208] has joined #openvpn
18:29 < rmelcer> pekster: Thanks!
18:33 -!- rmelcer [~rmelcer@crucis.meridian-enviro.com] has quit []
18:44 -!- pissfrog [~chatzilla@96.48.146.208] has quit [Ping timeout: 272 seconds]
18:59 -!- Denial [~Denial@host86-148-140-172.range86-148.btcentralplus.com] has quit [Ping timeout: 246 seconds]
19:00 < phreakocious> howdy.. anyone know if it's possible to get openvpn to reread the config file without knocking all the users offline?
19:01 -!- jridden [~xorgate@198-91-131-86.cpe.distributel.net] has joined #openvpn
19:02 < jridden> When setting up an OpenVPN server, does the server need multiple IP addresses that it can hand out to connecting clients?
19:02 < pekster> Yes, but you're free to use RFC1918 (or IPv6 ULA) for such needs
19:02 < pekster> Strictly speaking you can connect openvpn fine without any IP, but it's not likely to be very useful
19:05 < jridden> If the server is passing out ULAs I'm guessing the clients won't have access to the internet?
19:06 -!- Denial [~Denial@host86-148-139-5.range86-148.btcentralplus.com] has joined #openvpn
19:08 < Eugene> Typically you hand out a 1918 block and then do NAT on the outbound traffic. You can use any routed block of sufficient size, though.
19:10 < jridden> I see. Would it be possible to have the server configured with a single Iv4 address, have it hand out IPv6 ULAs to clients, and still provide those clients internet access through NAT?
19:11 -!- donspaulding [~donspauld@c-50-151-34-164.hsd1.il.comcast.net] has joined #openvpn
19:12 -!- shio [marmot@48.121.101.84.rev.sfr.net] has joined #openvpn
19:12 < donspaulding> Hi there, I'm setting up a VPN so that I can have an ElasticSearch cluster where each ES node can communicate with the others over a private connection.  If I don't want to configure each ES node with the addresses of its peers on startup, am I correct in assuming that I'll need to use ethernet bridging to allow the nodes to find each other by broadcasting at Layer 2?
19:12 < donspaulding> Or is it possible for ES to have been written in such a way that it can find its peers on a routed VPN?
19:13 -!- Droolio [~drool@host109-158-212-196.range109-158.btcentralplus.com] has quit [Ping timeout: 246 seconds]
19:13 < pekster> ULA could NAT, sure. You "should" be using global-IPs with IPv6, but ULA is an option should you not need to route onto the Internet (ex: if the access is _just_ for use within your own network, ULA would be fine)
19:13 < pekster> ULA plus NAT onto the public Internet is almost always a Very Naughty Thing™
19:14 < donspaulding> (I know the question sounds like it's specific to ElasticSearch, but I'm really asking about the general behavior of daemons on a routed vs bridged VPN)
19:14 < pekster> Bridged won't deal with OSI L3 at all. There is no v6, or v4 to worry about, just Ethernet frames
19:15 < pekster> ie: routing is all on you to figure out, as always. "Just a long, virtual, dumb Ethernet cable" is what tap is. If you want to route, don't use tap as it needlessly adds complexity to everything
19:16 < jridden> @pekster Ah, shame. I'm in a situation where I've set up a small squadon (6) of servers with a fairly new VPS provider. I want one of those six to act as a VPN server, and lock down the others to only accept certain kinds of traffic (SSH for example) from it as well as my public IP. Thing is they don't yet allow you to purchase multiple IPs, so it looks like I might be out of luck.
19:18 < Starthunder> !ipv6
19:18 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
19:20 < donspaulding> pekster: what I'm after here is the equivalent of having all of these servers plugged into a private switch (private switch == openvpn server) I'm seeing all kinds of warnings regarding the performance and complexity penalties of tap, so I'm trying to figure out if it's necessary, or whether "routed" mode will allow the same types of broadcasts to be made such that the ES nodes will still find each other.
19:35 < pekster> tun won't deal with broadcasts, no
19:36 < pekster> jridden: If your internal systems are on a common backend subnet, you can use a VPN to connect "inside" the network and use RFC1918 for both the VPN and the inside management LAN
19:37 < pekster> But that's not really any of openvpn's concern; it'll happily route any network you'd like it to
19:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
19:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:18 < cesurasean> ecrist, do you have time to assist me?
20:23 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:23 < cesurasean> does anyone here have any time to assist me?
20:31 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
20:33 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
20:34 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
20:35 <@krzee> donspaulding, "by broadcasting at Layer 2"  only tap does layer2
20:37 < donspaulding> krzee: yeah, I guess I'm just not sure I understand the Layer 2 thing correctly.  I'm assuming the ES nodes are finding each other via some layer 2 mechanism because I don't have to give each node a list of the other nodes' addresses.  So I guess I'm wondering if there's a layer 3 mechanism by which they'd find each other and thus I could use tun instead of tap.
20:38 <@krzee> thats not an openvpn question, but im sure its very easy to test
20:38 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
20:41 < donspaulding> krzee: yes, testing is what I've been doing.  But I'm going slow because I'm trying to make sure my process is repeatable via ansible.
20:42 < donspaulding> (no good finding a solution and then forgetting all the files I changed to get it working)
20:44 < donspaulding> Does multicast work over tun?
20:44 <@krzee> no
20:45 <@krzee> well not last i knew
20:45 < pekster> You can route multicast, but you need a multicast routing daemon to do that (pimd or similar options)
21:27 -!- donspaulding [~donspauld@c-50-151-34-164.hsd1.il.comcast.net] has quit [Quit: donspaulding]
21:52 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
21:57 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Read error: Connection reset by peer]
21:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:05 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
22:31 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
22:31 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
22:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
22:38 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
23:03 -!- ShadniX [dagger@p5481CFB5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:06 -!- ShadniX [dagger@p57941779.dip0.t-ipconnect.de] has joined #openvpn
23:07 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
23:08 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
23:16 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
23:23 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 272 seconds]
23:25 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
23:28 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
23:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
--- Day changed Fri Sep 26 2014
00:02 -!- ShadniX [dagger@p57941779.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:03 -!- ShadniX [dagger@p5DDFE980.dip0.t-ipconnect.de] has joined #openvpn
00:21 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 260 seconds]
00:53 -!- donspaulding [~donspauld@98.215.46.106] has joined #openvpn
01:15 -!- mulga| [~mulga_afk@unaffiliated/mulga] has joined #openvpn
01:16 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 260 seconds]
01:23 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
01:26 -!- mulga| [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 250 seconds]
01:27 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
01:28 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
01:32 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
01:34 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:54 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
01:58 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
01:58 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:00 -!- sep [~sep@2a04:2740:1:0:52e5:49ff:feeb:32] has joined #openvpn
02:00 -!- sep [~sep@2a04:2740:1:0:52e5:49ff:feeb:32] has left #openvpn ["Leaving"]
02:04 -!- dazo_afk is now known as dazo
02:05 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
02:15 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
02:18 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
02:21 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Read error: Connection reset by peer]
02:21 -!- donspaulding [~donspauld@98.215.46.106] has quit [Quit: donspaulding]
02:28 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection timed out]
02:56 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
03:42 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 240 seconds]
03:43 -!- milligan [~milligan@voyage.vhost.usr.no] has joined #openvpn
03:44 < milligan> I'm getting some "TLS key negotiation failed to occur within 60 seconds" errors and a tunnel P-t-P tunnel isn't coming up as it should. Is Firewall/Policy the *only* possible cause of this? Apparently, this tunnel has been working before, but has now stopped for some reason.
03:47 < creshal> Well, *something* is blocking your traffic from coming through. Firewall, NAT, weird routing issues, etc.
03:48 < milligan> So the certificates will be fine..? No need to regenerate them ?
03:48 < creshal> …probably. Crank up the log level and see whether you get a connection. Cert failures should be logged as such.
03:50 < milligan> how high can "verb" go ?
03:50 < creshal> 10
03:50 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
03:51 < milligan> oh snap, that's a lot of output :p
03:51 < creshal> :D
03:51 < creshal> Well, higher levels log every single packet.
03:52 < milligan> OK, I get things like  TLS: tls_multi_process: i=0 state=S_START, mysid=5e50618b 09957b87, stored-sid=8e2f635f c5b1751e, stored-ip=[AF_INET]removed:44835 and ACK reliable_can_send active=4 current=0 : [22] 21 18 19 20 etc. Does that mean the certs are OK ?
03:53 < creshal> Seems like it.
03:53 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
03:54 < milligan> ACK output sequence broken: [22] 21 18 19 20
03:55 < creshal> …and that's why it says "Your problem is probably firewall, Really" and not "It's probably X.509" in the topic. :D
03:55 < milligan> hehe. OK, so someone has changed something in a firewall, somewhere. perfect.
03:56 < creshal> Good hunting. :D
03:57 < milligan> Bloody hate this
03:58 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:07 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
04:15 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
04:43 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:47 < milligan> creshal, I can't seem to spot anything mate. Doing a tcpdump, I see packets going back and forth as well, so it looks like nothing is being filtered :(
04:48 < creshal> milligan: back and forth = client receives them, too?
04:49 < milligan> Seems like it - the handshake does start
04:49 -!- somnium [~somnium@31.44.232.188] has joined #openvpn
04:49 < creshal> Then I guess we'll need the anonymized logs and/or configs.
04:51 < somnium> hello, I am having some really big issues and I can't figure out what is wrong. The openvpn server is behind a monowall firewall. its a bridging setup and the openvpn server can ping www.google.com for example, the client gets information of the routes and so on, however when I try to ping I get the (Network is unreachable), have tested different gateway addresses and so on but still can't find what is wrong any ideas?
04:52 < somnium> should note also that the server is a vmware server
04:54 < milligan> creshal, oh snap! Look what I found: VERIFY ERROR: depth=1, error=certificate has expired:
04:55 < creshal> milligan: . . .
04:56 < milligan> creshal, would that be the cert on the client or the server that has expired?
04:56 < creshal> milligan: Probably client. You can view cert data with openssl x509 -text -in $filename
04:57 < milligan> wtf
04:58 < milligan> server cert expires in 2018, client in 2016
04:58 < creshal> …huh.
04:58 < creshal> Clock terribly wrong? :D
04:58 < milligan> both are spot on
04:59 < milligan> brb - need some coffee
05:01 -!- mulga [~mulga_afk@unaffiliated/mulga] has left #openvpn ["Leaving"]
05:01 < milligan> damnit. Still having problems, and roosters vs rabbithos kicking off
05:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
06:12 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
06:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
06:29 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
06:39 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
06:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
06:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:57 -!- ShadniX [dagger@p5DDFE980.dip0.t-ipconnect.de] has quit [Quit: Bye.]
06:58 -!- ShadniX [dagger@p5DDFE980.dip0.t-ipconnect.de] has joined #openvpn
07:04 -!- Tuju [~tuju@214.204.50.195.sta.estpak.ee] has quit [Remote host closed the connection]
07:04 < milligan> creshal, how does the SSL part of OpenVPN work? If I create a new root CA on one machine, do I have to send over new certificates to the machine it connects to ?
07:05 < creshal> milligan: Yes, OpenVPN verifies certs against its configured CA cert.
07:06 < milligan> so the same root CA needs to exist on both client and server?
07:06 < creshal> And the client cert needs to be signed by it, yes.
07:06 -!- tuju_ [~tuju@214.204.50.195.sta.estpak.ee] has joined #openvpn
07:07 < milligan> hmmm
07:07 < milligan> Means I need to do some more investigation then. Seems different versions exist on client/server, but used to work
07:14 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 240 seconds]
07:43 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
07:46 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has joined #openvpn
07:54 <@ecrist> good morning
08:02 -!- julienth37 [~Thunderbi@156.190.91.92.rev.sfr.net] has joined #openvpn
08:05 -!- julienth37 [~Thunderbi@156.190.91.92.rev.sfr.net] has quit [Read error: Connection reset by peer]
08:09 < milligan> morning
08:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-rikqclgzjtudbyyq] has quit [Ping timeout: 260 seconds]
08:12 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:15 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
08:16 -!- Popsikle [~popsikle@rrcs-24-103-41-58.nyc.biz.rr.com] has joined #openvpn
08:24 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
08:26 -!- br4ndon [~br4ndon@80.215.135.162] has joined #openvpn
08:41 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
08:46 -!- donspaulding [~donspauld@98.215.46.106] has joined #openvpn
08:55 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:56 -!- jangerhofer [~jangerho@0587337997.wireless.umich.net] has joined #openvpn
08:59 -!- jangerhofer [~jangerho@0587337997.wireless.umich.net] has quit [Read error: Connection reset by peer]
09:08 -!- Popsikle [~popsikle@rrcs-24-103-41-58.nyc.biz.rr.com] has quit [Ping timeout: 244 seconds]
09:12 -!- jangerhofer [~jangerho@0587378969.wireless.umich.net] has joined #openvpn
09:13 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:22 -!- Popsikle [~popsikle@rrcs-24-103-41-58.nyc.biz.rr.com] has joined #openvpn
09:32 -!- tuju_ [~tuju@214.204.50.195.sta.estpak.ee] has quit [Ping timeout: 272 seconds]
09:33 -!- somnium [~somnium@31.44.232.188] has quit [Quit: none]
09:37 -!- TheSov [~TheSov4@8.40.0.2] has joined #openvpn
09:38 < TheSov> have any of you guys ever seen a linux system drop the routes that were configured to go out over the openvpn connection?
09:40 <@krzee> sure, when openvpn is stopped or stops itself it closes the device and all routes for that device go away
09:41 < TheSov> so for a corporate type thing, where openvpn connects aws endpoints, how would i resolve this issue? should i put a cron.hourly to re-enter the routes?
09:41 <@krzee> find why they are going away and fix it
09:42 < TheSov> I know why they are going away, there are dropouts from AWS
09:42 <@krzee> im sure you went through the logs, right?
09:42 < TheSov> yes
09:42 < TheSov> it shows re-established connection
09:42 <@krzee> why doesnt openvpn re-add the routes?
09:42 <@krzee> you're adding them manually?
09:42 < TheSov> its not configured to add routes
09:43 < TheSov> depending on the client, i need different routes to be added so i have not configured the server to push routes
09:44 < TheSov> I can configure the client ovpn file to set the routes correct?
09:44 <@krzee> yes
09:44 < TheSov> perfect!
09:44 <@krzee> and you can add them in ccd entries
09:44 <@krzee> !ccd
09:44 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
09:47 < TheSov> thank you so very much!
09:50 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
09:50 <@krzee> np
09:51 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
09:51 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:55 -!- ifdm_ [~ifdm@unaffiliated/ifdm/x-0713806] has quit [Quit: Leaving]
10:05 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 245 seconds]
10:05 -!- br4ndon [~br4ndon@80.215.135.162] has quit [Quit: br4ndon]
10:17 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
10:21 -!- jangerhofer [~jangerho@0587378969.wireless.umich.net] has quit [Quit: Leaving...]
10:34 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
10:47 -!- donspaulding [~donspauld@98.215.46.106] has quit [Quit: donspaulding]
10:48 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
10:48 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
10:48 <@dazo> milligan: got your CA/PKI question answered?
11:11 -!- dazo is now known as dazo_afk
11:20 -!- donspaulding [~donspauld@38.89.245.83] has joined #openvpn
12:10 -!- jangerhofer [~jangerho@0587347842.wireless.umich.net] has joined #openvpn
12:11 -!- jangerhofer [~jangerho@0587347842.wireless.umich.net] has quit [Read error: Connection reset by peer]
12:11 -!- jangerhofer [~jangerho@0587347842.wireless.umich.net] has joined #openvpn
12:23 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
12:31 -!- Chex [sss@kjax.northnook.ca] has quit [Ping timeout: 256 seconds]
12:32 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
12:37 -!- jangerho [~jangerho@24.218.76.202] has joined #openvpn
12:37 -!- Chex [sss@kjax.northnook.ca] has joined #openvpn
12:41 -!- jangerhofer [~jangerho@0587347842.wireless.umich.net] has quit [Ping timeout: 260 seconds]
12:43 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
12:46 -!- pissfrog [~chatzilla@S010600301b4029ea.vs.shawcable.net] has joined #openvpn
12:46 < pissfrog> hi there
12:46 -!- xTz [~xtz@77.70.6.141] has quit [Ping timeout: 245 seconds]
12:47 < pissfrog> i'm trying to connect with a windows machine to an openvpn server which is our gw as well
12:47 < pissfrog> http://fpaste.org/136810/14117533/
12:47 < pissfrog> openvpn client for windows seems to create a tap adapter whereas the openvpn server has a tun adapter
12:50 < pissfrog> i'm using the official openvpn client installer from openvpn.net
12:50 -!- jangerho [~jangerho@24.218.76.202] has quit [Quit: Leaving...]
12:51 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
12:57 -!- not_phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
12:58 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
12:58 -!- not_phunyguy is now known as phunyguy
13:01 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
13:02 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
13:02 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
13:04 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 246 seconds]
13:07 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:09 <+_FBi> and?
13:11 < pissfrog> i can't surf the network behind the openvpn server
13:12 < pissfrog> i was wondering if windows needed a tun device as well for ovpn to work correctly
13:12 < pissfrog> it seems that the client connects thou
13:12 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
13:12 < pissfrog> and the routes are pushed
13:12 < pissfrog> because i can see them with the 'route print' command in windows
13:25 < donspaulding> I've read that tap mode (bridging) doesn't scale as well as tun mode, does anyone have any concrete numbers on what they've seen the performance hit to be?
13:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
13:28 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
13:28 < Eugene> tun vs tap and route vs bridge are two separate discussions
13:28 < donspaulding> Eugene: AWESOME!  I was actually hoping to hear that as well.
13:28 < donspaulding> Because I think I want to use tap WITHOUT a bridge, but I don't see much discussion around that.
13:28 < Eugene> tap devices in a routed layout add extra overhead that you just don't need(L2 vs L3 tunnel)
13:29 < Eugene> Unless you do need, in which case go for it
13:29 < Eugene> bridging basically turns openvpn into a very long Ethernet cable; some things need this, but 99% don't
13:30 < donspaulding> Does multicast work over a routed layout?  I was under the impression that required L2 broadcasting capability.
13:30 < Eugene> I've never done it, but no reason it wouldn't. I think you'll need tap devices.
13:31 < Eugene> At its core openvpn just sets you up with a tunnel that's encrypted. Packets go in one hole, come out the other ;-)
13:31 < Eugene> Routing/bridging is just fluff
13:32 < donspaulding> Specifically, I have 3 nodes all sitting next to each other in a datacenter.  They don't have a private switch between them, and I want to use openvpn to be that private switch.  But I don't want to bridge out from the VPN to any of the other interfaces on each node.
13:32 < donspaulding> All the configuration examples I've seen tell you to install bridge-utils and bridge from br0 out to eth0.
13:33 < Eugene> They'd all be completely wrong, thenb
13:33 < donspaulding> :-)
13:33 < Eugene> What you really want is a secured overlay network
13:33 < donspaulding> yes
13:33 < Eugene> Can you broadcast on the physical LAN?
13:33 -!- ZZRMike [~ZZRMike@162-229-199-57.lightspeed.irvnca.sbcglobal.net] has joined #openvpn
13:34 < donspaulding> I don't think so.  These are linode VPS instances.
13:34 < Eugene> Ahhhhh Linode, hah
13:34 < Eugene> I've had the same nag with them for ages, no VPC
13:35 < Eugene> To be honest, their ARP protections are Good Enough for most things. Doing openvpn is going to be a pain in your ass for that
13:36 < Eugene> Unless you're passing plaintext crypto keys over NFS I would just do strong iptables on the 192.168.128.0/17 block and call it a day
13:36 < donspaulding> Yeah, but I'd prefer to have a consistent solution for connecting nodes to the network.  We may want to connect non-Linode nodes, so I thought having an openvpn server setup would ease that pain.
13:36 < Eugene> The core issue is that you'll then have a single point-of-failure, and as you add more machines you WILL get regular failures
13:36 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
13:37 < donspaulding> Why, openvpn will fall over?
13:37 < Eugene> Doing HA openvpn is not really a thing, so suddenly you're layering Quagga and OSPF on top
13:37 < Eugene> Not instantly, no.
13:37 < donspaulding> why would it ever?
13:37 < donspaulding> I mean, are we talking capacity planning or a buggy product?
13:37 < Eugene> Host Maintenance ;-)
13:37 < Eugene> No, failure of the node itself
13:37 < donspaulding> Ah, gotcha.
13:38 < donspaulding> Have any recommendations for a P2P VPN that doesn't suck, then?
13:38 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
13:39 < Eugene> OpenVPN is great as a tunnel. You want a mesh, which openvpn isn't.
13:39 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
13:39 < Eugene> And my usual recommendation for this scenario would be Open vSwitch, but Linode doesn't do VXLAN
13:40 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
13:41 < ZZRMike> I have openvpn installed on raspbian. It's not listening on 1194, though the log for it says "UDPv4 link local (bound): [AF_INET]192.168.1.26:1194". Am I doing something wrong?
13:42 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
13:42 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
13:42 < Eugene> Define "not listening"
13:42 < Eugene> `lsof -i` ? `telnet` ?
13:44 < ZZRMike> losf -i returns nothing
13:44 < donspaulding> Eugene: So if they supported VXLAN (not sure what that is), wouldn't openvswitch still be a single point of failure?  Or does it do mesh?
13:45 < Eugene> What are you grep-ing for?
13:45 < pissfrog> | grep
13:46 < Eugene> donspaulding - OVS is mesh, yeah
13:46 < Eugene> VXLAN encapsulates the L2 frames inside UDP packets and sends to the other nodes
13:47 < donspaulding> Does it do encryption between nodes as well?
13:47 < Eugene> It takes broadcast & arbitrary L2 stuff, which Linode won't let you do.
13:47 < Eugene> Yup, IPsec.
13:47 < ZZRMike> If I do 'lsof | grep vpn' it gives me a few lines with "(readlink: Permission denied)"
13:47 < Eugene> ZZRMike - root ;-)
13:49 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Quit: et nos unum sumus]
13:49 < ZZRMike> Eugene - ah, okay it looks like it's actually running... strange. Okay now I've gotta figure out why my client is not connecting. Thanks.
13:50 < Eugene> !logs
13:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:51 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
13:57 < ZZRMike> Alright, I figured it out, everything's all in order now. Thanks!
14:01 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 260 seconds]
14:03 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
14:05 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:07 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
14:14 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
14:29 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
14:30 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
14:34 < Chex> c|oneman: hi cloney.. whats up
14:34 < c|oneman> lol
14:35 < c|oneman> After a successful setup on my router, which took 30 minutes
14:35 < c|oneman> I got greedy, tried to setup another open VPN server, 4 hours of nothingness
14:36 < c|oneman> I typically use www.canyouseeme.org to test port forwarding issues, but what can I use for a UDp port?
14:40 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:55 < c|oneman> .
15:11 < imsomeoneelse> Hi all, is there a way to make OpenVPN re-read the configuration, more specifically certificate revocation list, while server is running, in order to not disconnect everyone from the vpn, but just the revoked ones?
15:15 -!- pissfrog [~chatzilla@S010600301b4029ea.vs.shawcable.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 24.8.1/20140923194127]]
15:18 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:19 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:20 -!- d-fens_ [~dfs@dslb-088-077-154-113.088.077.pools.vodafone-ip.de] has joined #openvpn
15:21 <@krzee> imsomeoneelse, if you didnt change reneg options, the CRL will automagically take effect when they reneg (hourly by default)
15:21 <@krzee> you dont need to restart openvpn at all
15:21 <@krzee> just drop in the new crl, it'll be used on new connections
15:21 <@krzee> this is in the howto under "Modifying a live server configuration"
15:21 <@krzee> !howto
15:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:22 < imsomeoneelse> got it, any other way? I was planning on setting the reneg period to 8-12 hours (thousands of clients on the server, hourly renegs would hammer the server?)
15:23 < imsomeoneelse> management interface, thanks :)
15:23 -!- d-fens_ [~dfs@dslb-088-077-154-113.088.077.pools.vodafone-ip.de] has left #openvpn []
15:25 <@krzee> yep
15:25 <@krzee> !management
15:25 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
15:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:53 -!- novaflash is now known as novaflash_away
15:57 < imsomeoneelse> what is the best practice for the crl.pem revocation file? Leave it in the same folder with all the keys, and make that folder world readable, or put crl.pem in its own world readable folder?
15:57 -!- novaflash_away is now known as novaflash
16:03 < imsomeoneelse> my problem is, when I enable verifying crl.pem in the config with "crl-verify /etc/openvpn/keys/crl.pem", openvpn always complains and shuts off for " CRL: cannot read: /etc/openvpn/keys/crl.pem: Permission denied (errno=13)
16:04 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:04 < imsomeoneelse> I'm using "group nobody" "user nobody" in the config as well.
16:13 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 32.0.2/20140917194002]]
16:14 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:20 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has quit [Quit: The more people I meet, the more I like my dog.]
16:41 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has joined #openvpn
16:41 < obnauticus> Hey, I have a client behind a CGNAT (basically just a normal NAT). Is there any way to get a tunnel working from behind a NAT? I am getting: "N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) "
16:42 < imsomeoneelse> your client side nat/firewall might be blocking your Ovpn port?
16:43 < obnauticus> It is.
16:43 < obnauticus> The internet in my apartment is behind a CGNAT and I want to get around that.
16:44 < obnauticus> (by tunneling to a digitalocean instance)
16:45 < obnauticus> imsomeoneelse are there no options?
16:48 < imsomeoneelse> well, if you cannot go out from some other port, I guess not?
16:48 < imsomeoneelse> there must be something that they are not blocking?
16:48 < obnauticus> hmm
16:48 < obnauticus> let me check
16:49 < imsomeoneelse> instead of using default port, find a port that they don't screw around with, and use that would be my best suggestion
16:49 < obnauticus> That's a good reccomendation --how would i find that port?
16:49 < imsomeoneelse> second one is, call the internet provider and tell them to give you a real IP address (which worked for me in the past)
16:49 < obnauticus> It did not work, I asked for a static IP and they said "you need your own private line". Entirely stupid.
16:50 < obnauticus> Apparently they dont even know what 1:1 NAT is.
16:50 -!- Popsikle [~popsikle@rrcs-24-103-41-58.nyc.biz.rr.com] has quit [Ping timeout: 272 seconds]
16:50 < imsomeoneelse> uh, that sucks
16:50 < obnauticus> imsomeoneelse do you have any reccomendations for finding an open port?
16:51 < imsomeoneelse> I'm not sure really, they might be allowing some generic ports, say SMPT (port 25, tcp)
16:51 < obnauticus> i seriously doubt they'd allow people to run an SMTP server
16:51 < obnauticus> That's the first thing i'd block. Lol.
16:51 < imsomeoneelse> Fair enough :)
16:51 <@krzee> could easily script the testing of it with nc
16:52 < imsomeoneelse> I wonder what happens if you run Ovpn over tcp 80 or 443
16:52 <@krzee> you could even use --port-share
16:52 <@krzee> !port-share
16:52 <@vpnHelper> "port-share" is When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not
16:52 <@vpnHelper> implemented on Windows.
16:52 < imsomeoneelse> holy crap I didn't know that :)
16:53 < obnauticus> 80 and 443 are blocked.
16:53 <@krzee> then manual inspection yields a real https server
16:53 < obnauticus> (I already tried running a webserver)(
16:53 < obnauticus> krzee thats hilarious
16:53 <@krzee> (thats handy in a game of cat & mouse)
16:54 < imsomeoneelse> obnauticus: this is kind of different than a webserver though. They might be allowing those two ports statefully, meaning only accept traffic back if it's originating from inside, which is the case for your client
16:54 < obnauticus> Oh, that makes sense
16:54 < imsomeoneelse> you might want to give it a shot
16:54 < obnauticus> What an interesting problem
16:54 < obnauticus> is that the port share thing?
16:54 < imsomeoneelse> yes sir
16:54 < obnauticus> I cannot find any documentation on it?
16:55 < imsomeoneelse> Uhm, that's all I can say, I'm not an expert, came here for my own questions actually :)
16:55 < obnauticus> nevermind i got it.
16:57 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Quit: et nos unum sumus]
16:58 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 240 seconds]
16:58 -!- donspaulding [~donspauld@38.89.245.83] has quit [Quit: donspaulding]
17:03 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
17:05 < obnauticus> hmm krzee it seems to work?
17:06 <@krzee> huh?
17:07 < obnauticus>  20140926 18:06:48 N TCP: connect to [AF_INET]192.241.240.229:443 failed will try again in 5 seconds: Connection refused
17:07 < obnauticus> nevermind
17:07 < obnauticus> ugh
17:07 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:07 < obnauticus> oh--i should probably srtart the server
17:07 < obnauticus> that might help
17:08 < obnauticus> krzee: http://pastebin.com/aBvjrUQZ
17:09 <@krzee> !hmac
17:09 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
17:09 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:09 < obnauticus> krzee client-side: http://pastebin.com/jbFGyZip
17:09 < obnauticus> yeah-- i have the ta.key in the right place...the error is a bit odd from the client side
17:10 <@krzee> hmac error, test the md5 of your tls-auth key matches
17:10 < obnauticus> k
17:10 < obnauticus> I'm just ensuring that the ta.keys match on either end?
17:11 <@krzee> yes, checking their md5 is a good way
17:11 < obnauticus> got it.
17:13 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:13 < obnauticus> krzee the only reason they did not match was because of the comments at the top of the file, i manually transferred it just in case anyway
17:14 <@krzee> dont do that
17:15 < obnauticus> still not working krzee :(. Is it possible that someone is sending an RST to me?
17:15 <@krzee> do not add comments to your tls-auth key lol
17:15 <@krzee> get them with matching hmac
17:15 <@krzee> THEN test
17:15 < obnauticus> got it./
17:16 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
17:17 < obnauticus> krzee md5sums match and im getting the same error.
17:18 <@krzee> grep tls-auth /path/to/config
17:18 <@krzee> on both sides
17:18 <@krzee> in other words, show me the lines from each config with tls-auth
17:18 < obnauticus> got it, one sec
17:19 < obnauticus> http://pastebin.com/Lq7PNBJi
17:19 < obnauticus> the only discrepncy i see is that there is a 0 at the EOL of the server.conf
17:19 < obnauticus> but from what i read that is correct.
17:19 <@krzee> ya thats good
17:20 <@krzee> !configs
17:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:21 < obnauticus> http://pastebin.com/E2aA6ugr
17:22 < obnauticus> http://pastebin.com/Ax9kgtp7
17:22 < obnauticus> ^^ OS+distro, etc.
17:25 < obnauticus> krzee let me know if you need anything else, i'll provide it :)
17:28 <@krzee> omg why auth md5?
17:30 -!- Denial [~Denial@host86-148-139-5.range86-148.btcentralplus.com] has quit [Ping timeout: 260 seconds]
17:30 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has quit [Remote host closed the connection]
17:31 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has joined #openvpn
17:31 < obnauticus> krzee if you said anything after 18:25 i didn't get it -- the connection dropped.
17:31 <@krzee> <krzee> omg why auth md5?
17:31 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Quit: et nos unum sumus]
17:31 < obnauticus> krzee im going to do SHA1 --i'll swithc it now.
17:32 <@krzee> just leave it alone then
17:32 < obnauticus> okay.
17:32 < obnauticus> i'll fix that later...ish
17:32 < obnauticus> or something
17:34 <@krzee> try setting the server to comp-lzo adaptive
17:35 < obnauticus> copy.
17:36 < obnauticus> krzee I set `comp-lzo adaptive` and I am getting the same problem. Should I change something on the client-side as well?
17:36 < obnauticus> I might be following your logic here--Is it reasonable to suspect someone might be resetting the connection in the middle?
17:37 <@krzee> did you remove auth md5?
17:38 < obnauticus> No, that's the only change I made. Should I just delete that line?
17:38 <@krzee> i just noticed those dont match, thats a problem
17:38 <@krzee> yes
17:38 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
17:38 < obnauticus> deleted the line on client-side and i am retrying.
17:38 <@krzee> also, you dont need to specify blowfish, its default
17:38 <@krzee> what line on client side?
17:38 < obnauticus> I figured--i was just playing around trying to get it to work earlier.
17:39 <@krzee> oh ya, it was *only* on client side
17:39 <@krzee> not on server
17:39 < obnauticus> yeah, i made sure of that
17:39 < obnauticus> it's gone now.
17:39 < obnauticus> sti;; getting weird resets.
17:40 <@krzee> different tho?
17:40 < obnauticus> still*
17:40 < obnauticus> not sure, wait one
17:40 < obnauticus> No. The error remains the same as pasted before.
17:42 -!- ZZRMike [~ZZRMike@162-229-199-57.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 250 seconds]
17:42 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
17:43 <@krzee> remove cipher from both sides
17:44 < obnauticus> krzee just remove the cipher line from both sides? Will the server-side expect blowfish?
17:45 <@krzee> its default
17:45 < obnauticus> krzee i think the client-side error changed slightly
17:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:45 < obnauticus> nope, it didn't.
17:45 <@krzee> post both
17:46 <@krzee> also, verb 3 isnt enough, verb 4 pls
17:46 -!- TheSov [~TheSov4@8.40.0.2] has quit [Quit: Leaving]
17:47 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has quit [Remote host closed the connection]
17:48 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has joined #openvpn
17:48 < obnauticus> sorry krzee i didn't get anything after xx:45:
17:48 < obnauticus> (if you sand anything
17:54 < obnauticus> krzee is there any way to make it ignore an RST?
17:54 < obnauticus> lol
17:54 <@krzee> im working on some other stuff in other windows
17:54 <@krzee> and its a bad handshake, not some random rst from an attacker lol
17:54 < obnauticus> fak
17:54 <@krzee> post both logs at verb 4
17:55 <@krzee> and both configs as they are now
17:59 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has quit []
17:59 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has joined #openvpn
18:00 < obnauticus> krzee: krzee: verb 4 -> http://pastebin.com/mhAypG3J ; configs -> http://pastebin.com/9JBbyiXe
18:02 <@krzee> you still have cipher in your client config
18:02 < obnauticus> ugh
18:02 < obnauticus> sec
18:02 <@krzee> AND auth
18:02 < obnauticus> sorry about that --it's this shitty GUI..im going to stop using it.
18:02 <@krzee> YES
18:02 <@krzee> stop using a gui to configure the vpn
18:03 < obnauticus> it *was* doing an ok job
18:03 < obnauticus> ok, i removed those two lines
18:03 < obnauticus> i...think it worked?
18:03 < obnauticus> lol amazing! now to make it secure :D
18:04 <@krzee> enjoy
18:04 <@krzee> bbl
18:06 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
18:23 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has joined #openvpn
18:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:34 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
18:34 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Remote host closed the connection]
18:38 -!- prelude2004c [~prelude20@dsl-67-55-28-3.acanac.net] has joined #openvpn
18:38 < prelude2004c> good day everyone
18:38 < prelude2004c> does anyone know why openvpn cuts the BW on the connection in half.
18:39 < prelude2004c> i tried it on different hardware speeds and with a super powerful system i am always doing about half of what the total is
18:39 < prelude2004c> why half ? some limit
18:39 < prelude2004c> ?
19:03 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
19:09 -!- prelude2004c [~prelude20@dsl-67-55-28-3.acanac.net] has quit [Ping timeout: 260 seconds]
19:09 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
19:10 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:21 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:23 < obnauticus> Where should i put the client-config-dir ?
19:25 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:55 < Eugene> Typically in the same place as the .conf that calls it
19:55 < Eugene> Eg, /etc/openvpn/server-udp.conf will have "ccd /etc/openvpn/server-udp/
20:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
20:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:26 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Remote host closed the connection]
20:27 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
20:36 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds]
20:38 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 272 seconds]
20:55 -!- chrisb [~chrisb@pool-71-185-1-206.phlapa.east.verizon.net] has joined #openvpn
21:17 < obnauticus> Eugene
21:17 < obnauticus> are you there?
21:22 < Eugene> No
21:22 < obnauticus> lol
21:22 < Eugene> Only Zuul
21:41 -!- obnauticus [~obnauticu@unaffiliated/obnauticus] has quit [Ping timeout: 245 seconds]
21:52 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
21:53 < rich0> quick question, can openvpn/iptables be configured on a router so that all traffic goes out over the VPN by default, but incoming connections via the WAN interface still work (ie replies to those packets go out over the WAN and not the VPN)?
21:54 < rich0> I'd think that setting the VPN to the default route would cause replies to connections coming in over the WAN to get set out over the VPN where they're going to be NATed with the wrong IP.
21:54 < rich0> The incoming connections over the WAN would be forwarded to a host on the LAN.
21:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:00 < rich0> Ah, just found this: http://linux-ip.net/html/adv-multi-internet.html
22:01 < rich0> It suggests giving the LAN hosts that receive traffic two IPs, so that incoming connections go to one IP, and outgoing connections come from another, and then I can have a rule to direct traffic from the one IP out the WAN and not the VPN.
22:35 -!- chrisb [~chrisb@pool-71-185-1-206.phlapa.east.verizon.net] has quit [Ping timeout: 260 seconds]
22:37 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
22:52 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
23:12 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
23:14 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
23:23 -!- chrisb [~chrisb@pool-71-185-1-206.phlapa.east.verizon.net] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:44 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
--- Day changed Sat Sep 27 2014
00:02 -!- ShadniX [dagger@p5DDFE980.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:03 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 246 seconds]
00:04 -!- ShadniX [dagger@p5481C1F2.dip0.t-ipconnect.de] has joined #openvpn
00:07 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:09 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 245 seconds]
00:10 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
00:32 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
00:33 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Client Quit]
01:54 -!- Kephael__ [~Kephael@unaffiliated/kephael] has joined #openvpn
01:54 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:56 -!- Kephael__ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:25 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [K-Lined]
02:25 -!- jefferai [sid1300@kde/mitchell] has quit [K-Lined]
02:35 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
02:37 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
03:08 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
03:15 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
03:19 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:45 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
03:51 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
03:51 < Belliash> hello
03:52 < Belliash> is it possible to set tap-based connection w/o bridging?
04:08 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:15 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
04:22 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
04:38 -!- xTz [~xtz@77.70.6.141] has joined #openvpn
04:41 <@krzee> Belliash, sure
04:41 <@krzee> !whybridge
04:41 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
04:43 < Belliash> krzee: one more question, how can i disable client-to client communication, if it is ever possible?
04:43 <@krzee> !c2c
04:43 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
04:43 <@vpnHelper> other clients
04:48 < Belliash> krzee: thank you
04:48 <@krzee> yw
04:49 <@krzee> i think im *almost* done with another root on my snom
04:51 < Belliash> one more thing, krzee
04:51 < Belliash> is it possible to push single domain name resultion via vpn? like the client would add it to /etc/hosts?
04:52 <@krzee> well you can pretty much script up anything you want
04:52 <@krzee> or
04:52 <@krzee> !splitdns
04:52 <@vpnHelper> "splitdns" is see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
04:52 <@krzee> !dnsmasq
04:52 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
04:52 <@krzee> !learn splitdns as [dnsmasq]
04:52 <@vpnHelper> Joo got it.
04:53 <@krzee> !splitdns
04:53 <@vpnHelper> "splitdns" is (#1) see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups or (#2) "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
04:53 <@krzee> but the short answer is theres nothing out of the box for it, you'll have to hack it up
04:58 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
05:01 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
05:02 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
05:04 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
05:05 < Belliash> krzee: ty
05:05 <@krzee> yw
05:12 -!- chrisb [~chrisb@pool-71-185-1-206.phlapa.east.verizon.net] has quit [Ping timeout: 272 seconds]
05:28 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
05:31 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has left #openvpn []
05:31 -!- piee [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
05:32 < piee> hi guys, if i have push redirect-gateway set on the server, is there a way to override that on the client side?
05:32 <@krzee> !route_override
05:32 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
05:32 < piee> tyvm
05:32 < piee> is there a list of this !xxxx stuff somewhere?
05:32 <@krzee> you can override 0.0.0.0 with 2 /1 routes, or if already using def1 then 4 /2 routes
05:33 <@krzee> !factoids
05:33 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
05:33 < piee> cool thanks
05:33 <@krzee> np
05:37 -!- Olivier [~Olivier@unaffiliated/olivier] has joined #openvpn
05:47 < piee> krzee: img just getting around to this now, reading the factoid, im not sure if this is what i need, i want to override redirect gateway for everything except the vpn subnet
06:12 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
06:18 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:21 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 240 seconds]
06:24 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
06:25 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
06:40 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 240 seconds]
06:41 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
06:47 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
06:47 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
06:50 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
06:57 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
06:58 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
07:00 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:05 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
07:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:09 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
07:09 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
07:11 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 245 seconds]
07:15 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:15 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
07:15 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:18 -!- rich0__ [~quassel@gentoo/developer/rich0] has joined #openvpn
07:18 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
07:21 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 240 seconds]
07:28 -!- rich0__ [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
07:32 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:38 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
07:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:43 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:48 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
07:51 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:59 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
08:00 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
08:04 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
08:07 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
08:19 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
08:20 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
08:20 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
08:21 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
08:37 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
08:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
08:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:53 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
09:00 -!- jangerhofer [~jangerho@0587379973.wireless.umich.net] has joined #openvpn
09:01 -!- jangerhofer [~jangerho@0587379973.wireless.umich.net] has quit [Read error: Connection reset by peer]
09:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
09:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:28 -!- piee is now known as pie_
09:31 -!- xTz [~xtz@77.70.6.141] has quit [Quit: Leaving]
09:37 -!- jangerhofer [~jangerho@0587379973.wireless.umich.net] has joined #openvpn
09:38 -!- jangerhofer [~jangerho@0587379973.wireless.umich.net] has quit [Read error: Connection reset by peer]
09:38 -!- jangerho [~jangerho@0587379973.wireless.umich.net] has joined #openvpn
09:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:48 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has left #openvpn []
09:54 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
09:57 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
09:57 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
09:58 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Client Quit]
09:58 -!- piee [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
09:59 < piee> is there a more long winded description of the topologies that in the wiki?
09:59 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
10:16 -!- jangerho [~jangerho@0587379973.wireless.umich.net] has quit [Read error: Connection reset by peer]
10:17 -!- jangerhofer [~jangerho@0587379973.wireless.umich.net] has joined #openvpn
10:19 -!- jangerhofer [~jangerho@0587379973.wireless.umich.net] has quit [Read error: Connection reset by peer]
10:44 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
10:47 <@krzee> piee, tried the manual?
10:47 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
10:51 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
11:02 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
11:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:16 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
11:16 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
11:23 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
11:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:27 -!- mode/#openvpn [+v s7r] by ChanServ
11:28 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
11:32 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:40 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 272 seconds]
11:42 -!- spyro1248 [~ian@87.114.1.81] has joined #openvpn
11:43 < spyro1248> Hi folks
11:43 < spyro1248> I'm trying to set up a VPN - and I think I have both sides talking to each other (one is my VPS, the client is just a ubuntu laptop using 14.04 and networkmanager + openvpn
11:43 < spyro1248> )
11:44 < spyro1248> however, the laptop never gets an IP
11:44 < spyro1248> It occurs to me that there might need to be an additional IP made available at the server end
11:44 < spyro1248> but thats not likely to happen
11:44 < spyro1248> so do I need some kind of NAT ?
11:45 <@krzee> !goal
11:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:46 <@krzee> and what do you mean by "however, the laptop never gets an IP"
11:47 <@krzee> im guessing you mean "i want to access the internet over the vpn, but when my client connects to my server it does not have access to the internet"    is that basically right??
11:47 < spyro1248> I'm attempting to use my VPS (which I can contact from my mobile phone) to act as a VPN gateway for my phone (Im testing with a laptop, though)
11:47 < spyro1248> I want all internet traffic for my phone to go via the VPS over the VPN
11:48 < spyro1248> Im not certain the client is getting an IP, the little lock icon on network manager keeps blinking and eventually it gives up.
11:49 < spyro1248> krzee: your summary seems about right, yes.
11:49 <@krzee> yes you do need to nat the vpn subnet
11:49 <@krzee> !redirect
11:49 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:49 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:50 <@krzee> !netman
11:50 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
11:51 < spyro1248> let me see what I get out of the flowchart :)
11:53 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
11:53 < spyro1248> ok, first box on the flowchart - what does it mean by VPN IP of the server?
11:54 < spyro1248> krzee: I can ping the server itself, but I dont think thats what it means.
11:55 <@krzee> !configs
11:55 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:58 < spyro1248> krzee: http://pastebin.com/zznHqFf3
11:58 <@krzee> !goal
11:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:58 < spyro1248> running the server on debian wheezy
11:59 < spyro1248> krzee: OpenVPN 2.2.1
12:00 <@krzee> you only looking for internet access over the vpn? any reason you're using tap?
12:00 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
12:00 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has left #openvpn []
12:00 < spyro1248> krzee: it seemed like a good idea at the time / the tutorials are vague and multiple?
12:00 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Disconnected by services]
12:01 <@krzee> !tunortap
12:01 < spyro1248> krzee: yes, just internet access
12:01 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
12:01 <@vpnHelper> rooted/jailbroken) support only tun
12:01 <@krzee> so change to dev tun   also add   server 10.8.0.0 255.255.255.0
12:02 < spyro1248> my android is running Cyanogen - does it matter?
12:02 <@krzee> you were right, you probably were not getting any ip at all (i didnt see the client config so im not sure)
12:02 <@krzee> spyro1248, i love cm
12:02 <@krzee> in fact im waiting on my oneplus one right now
12:02 < spyro1248> krzee: I have no idea where to find the client config :)
12:02 <@krzee> spyro1248, you have to make it!
12:03 < spyro1248> krzee: my handsets a moto G 4G LTE - super easy to get fully rooted
12:03 < spyro1248> krzee: its networkmanager atm. :)
12:03 <@krzee> eww no
12:03 < spyro1248> TBH, I've used nm before and it worked - and I dont think nm is the issue right now :)
12:03 <@krzee> ok so, show me your new server config
12:04 <@krzee> nm is part of the issue, because the problem is you dont know how to configure your vpn
12:04 <@krzee> so you just proved the problem ;]
12:04 < spyro1248> ok, fair comment...
12:05 <@krzee> another big part of the problem is the walkthroughs on google
12:05 <@krzee> !walkthrough
12:05 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
12:05 <@krzee> so ya, make the changes i said to your server config'
12:05 < spyro1248> Yeah, you're not kidding. I *hate* walkthroughs that dont tell you WHAT you're walking through.
12:05 <@krzee> then show me the new config
12:05 < spyro1248> its like wearing a blindfold
12:06 <@krzee> i suggest taking your config and reading about every option used in the manual, the manual is huge so i get not reading it all, but you definitely want to understand the options you're using (including --server which i told you to add)
12:07 <@krzee> !man
12:07 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:07 <@krzee> then we'll make a matching client config
12:07 < spyro1248> krzee: http://pastebin.com/MpGY2jjp
12:07 <@krzee> after reading the server config options you'll get the idea that everything must match but a lot of stuff is pushed from the server
12:08 <@krzee> good
12:08 < spyro1248> yeah, its chicken and egg- the manuals huge, but the config doesnt work. so reading based on the config doesnt work... :)
12:09 < spyro1248> krzee: btw - I'm a kernel dev (not networking really though) so I can follow instructions :)
12:09 <@krzee> the new config is good
12:09 <@krzee> (server side)
12:13 < spyro1248> krzee: :)
12:15 <@krzee> read up a little and get an attempt at a client config that matches this server config, then i'll help you doctor it up
12:15 <@krzee> (if needed)
12:18 < spyro1248> btw - TCP or UDP? does it matter ?
12:19 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
12:20 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
12:21 < spyro1248> krzee: ^^
12:21 <@krzee> !tcp
12:21 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
12:26 < spyro1248> http://pastebin.com/xvw1ASRM
12:31 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
12:39 -!- Netsplit *.net <-> *.split quits: MogDog, JackWinter, WinstonSmith, nsrafk, liriel, goldkatze, soapee01, roger_rabbit, lfx, Olivier,  (+141 more, use /NETSPLIT to show all of them)
12:46 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
12:46 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
12:46 -!- Netsplit over, joins: troyt, Pyrogerg, mt, spyro1248, moonkid, +s7r, rich0, Mik3C, piee, eristisk (+140 more)
12:48 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Max SendQ exceeded]
12:48 -!- abrkn [~abrkn@ec2-54-77-69-161.eu-west-1.compute.amazonaws.com] has joined #openvpn
12:48 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
12:49 < spyro1248> krzee: I can no longer ping the VPN server VPN IP with that in the client config.
12:49 < abrkn> are there shellshock issues with openvpn access server (installed from official AMI on AWS)?
12:49 <@krzee> spyro1248,
12:49 <@krzee> !logs
12:49 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:49 <@krzee> abrkn,
12:49 <@krzee> !no_as
12:49 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
12:49 <@krzee> !as
12:49 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
12:50 < abrkn> thank you
12:50 <@krzee> np
12:50 -!- abrkn [~abrkn@ec2-54-77-69-161.eu-west-1.compute.amazonaws.com] has left #openvpn []
12:56 < spyro1248> krzee: aha. part of the problem seems to be DNS on the client
12:56 < spyro1248> krzee: possibly becasue it doesnt appear packets are escaping to the internet from the serrver :)
12:57 <@krzee> probably because its using its ISP nameserver but not contacting it from isp_ip
12:57 < spyro1248> 8.8.8.8
12:57 < spyro1248> I think I founf it
12:57 < spyro1248> servers ethernet is not eth0
12:57 <@krzee> hehe
12:58 < spyro1248> aaaand its working.
12:58 < spyro1248> o/
12:58 <@krzee> goodjob
12:58 <@krzee> and now i think you understand a lot more about how and why its working too
12:58 < spyro1248> quite probably
12:59 <@krzee> still need to get it going on android?
12:59 <@krzee> i recommend "openvpn for android"
12:59 <@krzee> it'll import your configs and boom done
12:59 <@krzee> i know its built in to cyanogenmod, but its cumbersome as compared to "openvpn for android"
13:00 <@krzee> hmm well it used to be at least, i dont see it on my cm11 right now
13:02 < spyro1248> cheers, thats the next step :)
13:02 < spyro1248> impressively fast - 18.39Mbits / 5.5Mbits -  indistinguishable from my actual landline.
13:03 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
13:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
13:25 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:29 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
13:38 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
13:38 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
13:46 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
13:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:11 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:17 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
14:28 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Ping timeout: 245 seconds]
14:38 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
14:38 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
14:49 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Ping timeout: 260 seconds]
14:49 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Max SendQ exceeded]
14:54 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
15:04 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
15:04 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
15:06 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: ZNC - http://znc.in]
15:08 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
15:15 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
15:16 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
15:17 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
15:18 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:19 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
15:27 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
15:27 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
15:32 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Write error: Connection reset by peer]
15:32 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
15:32 -!- jefferai_ [sid1300@kde/mitchell] has joined #openvpn
15:33 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 256 seconds]
15:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
15:34 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
15:34 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
15:36 < spyro1248> Hey guys
15:36 < spyro1248> I've got my open VPN server working
15:36 < spyro1248> and I can connect via the VPN through it to the internet form both my laptop and phone
15:37 < spyro1248> However trying to use tethering on the phone results in packets from the tethered device bypassing the VPN and being routed directly.
15:38 -!- hazard0us [~hz@openvpn/user/hazardous] has joined #openvpn
15:38 -!- mode/#openvpn [+v hazard0us] by ChanServ
15:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
15:38 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds]
15:38 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Ping timeout: 260 seconds]
15:38 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
15:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 260 seconds]
15:38 -!- Starthunder [~blackl@unaffiliated/moonlightning] has quit [Ping timeout: 260 seconds]
15:38 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 260 seconds]
15:39 -!- BtbN [btbn@btbn.de] has joined #openvpn
15:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
15:39 -!- hazard0us is now known as hazardous
15:39 -!- riddle [riddle@us.yunix.net] has joined #openvpn
15:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:41 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
15:41 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
15:41 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (wilhelm.freenode.net (Nickname regained by services))]
15:41 -!- XJR-9_ is now known as XJR-9
15:41 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has joined #openvpn
15:43 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
15:43 -!- mode/#openvpn [+o vpnHelper] by ChanServ
15:43 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Remote host closed the connection]
15:43 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
15:44 -!- vpnHelper is now known as 17SAAEECG
15:44 -!- 17SAAEECG is now known as vpnHelper
15:44 -!- badaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
15:44 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Read error: Connection reset by peer]
16:04 < spyro1248> ^^ Anyone?
16:24 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:27 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:28 < spyro1248> ^^ Anyone?
16:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
16:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:13 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has joined #openvpn
17:15 < piee> whats the status of openvpn and that one lzo compression vulnerability?
17:17 < dvl> https://community.openvpn.net/openvpn/ticket/419 ?
17:17 <@vpnHelper> Title: #419 (Vulnerability in bundled LZO compression code) – OpenVPN Community (at community.openvpn.net)
17:20 < piee> thanks
17:28 < dvl> FYI, I used google to find that.  I had no idea what you were referring to.
17:29 < dvl> spyro1248: I have no idea, but that sounds like a routing issue.  Are you running OpenVPN on the phone when tethered?
17:37 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit []
17:47 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
17:49 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 244 seconds]
18:02 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
18:07 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:17 -!- u0m3_ [~u0m3@92.80.70.55] has joined #openvpn
18:20 -!- u0m3 [~u0m3@92.80.106.16] has quit [Ping timeout: 260 seconds]
18:44 < piee> I guess it's a loaded question, but I would still like to get some opinions; how do you guys see tinc vs openvpn?
19:02 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
19:04 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
19:08 -!- akurilin [~alex@208.185.21.146] has quit [Quit: WeeChat 0.4.2]
19:38 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
19:48 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
19:49 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
19:49 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
19:51 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:15 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
20:16 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:33 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
20:34 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
20:34 -!- piee [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 250 seconds]
20:53 -!- uberjar [~gabe@99-171-140-172.lightspeed.tukrga.sbcglobal.net] has joined #openvpn
20:54 < uberjar> How can I launch openVPN server on startup ?  Everytime I launch: openvpn --daemon  it asks for a password
20:54 < uberjar> but on server bootup nobody will be there to type it in :(
20:55 < uberjar> correction... the nobody user will be there, but since he's nobody he doesn't know my password :)
20:56 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Excess Flood]
20:56 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
20:58 < uberjar> oh.. maybe I shouldn't have protected my CA certificate with a password
20:58 < uberjar> now I"m stuck with it aye ?
21:00 < uberjar> problem solved... it was the --askpass option I was looking for
21:00 < uberjar> sudo openvpn --daemon --config /etc/openvpn/server.conf --askpass /etc/openvpn/password
21:00 -!- uberjar [~gabe@99-171-140-172.lightspeed.tukrga.sbcglobal.net] has quit [Quit: thnx]
21:19 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
21:21 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
21:22 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:39 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
21:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
21:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
22:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:15 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
22:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:24 -!- jridden [~xorgate@198-91-131-86.cpe.distributel.net] has quit [Quit: Leaving]
22:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
23:08 <@krzee> encrypts private key with password, leaves a file on the filesystem with the password in it
23:08 <@krzee> hah
23:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
23:24 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
23:26 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:38 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
23:48 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 246 seconds]
23:48 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
23:53 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
--- Day changed Sun Sep 28 2014
00:01 -!- ShadniX [dagger@p5481C1F2.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:01 -!- ShadniX [dagger@p5481D63D.dip0.t-ipconnect.de] has joined #openvpn
00:42 -!- pekster_ [~rewt@openvpn/community/support/pekster] has left #openvpn []
00:42 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
01:30 -!- Billy2 [~nwnkirc@pool-98-110-181-88.bstnma.fios.verizon.net] has quit [Ping timeout: 240 seconds]
01:53 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
02:24 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 272 seconds]
02:26 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
02:27 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:27 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
02:30 -!- rhct [~DMZ@fedora/rhct] has joined #openvpn
03:30 -!- CaTtleyA_ [~CaTtleyA@82.66.41.53] has joined #openvpn
04:21 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:34 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
04:36 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
04:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:54 -!- JSharpe [~JSharpe@31.205.60.241] has joined #openvpn
05:56 -!- linuxthefish [~ltf@unaffiliated/edmundf] has left #openvpn ["Leaving"]
06:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
06:24 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
06:54 < deranged_user> anyone around able to help me figure out why ipv6 proxying works but not ipv4?
07:03 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
07:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:55 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
07:55 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
08:04 -!- mulga| [~mulga_afk@unaffiliated/mulga] has joined #openvpn
08:05 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 260 seconds]
08:08 -!- mulga| [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 260 seconds]
08:25 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
08:48 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
09:31 <+_FBi> deranged_user, that's bass akwards of the norm haha
09:31 < deranged_user> lol
09:32 <+_FBi> deranged_user, you can only have of instance <ip4|ip6> per server
09:32 < deranged_user> no? it worked fine before.
09:32 < deranged_user> it suddenly stopped working ;P
09:32 <+_FBi> what's your error?
09:33 < deranged_user> none
09:33 < deranged_user> well no error in text
09:33 < deranged_user> error is ipv4 just doesn't work
09:33 < deranged_user> as if infinitely trying to connect
09:34 <+_FBi> any server errors?
09:34 <+_FBi> .... is it running :D
09:34 < deranged_user> yes >.>
09:34 < deranged_user> again
09:34 < deranged_user> ipv6 works
09:34 < deranged_user> ipv4 doesn't
09:34 <+_FBi> you would need to run it twice, one ip6 one ipv4
09:35 < deranged_user> I didn't have to in the past :P
09:35 < deranged_user> not to mention, when I comment out server-ipv6 in the server conf, ipv4 /still/ doesn't work.
09:35 <+_FBi> I think that's correct.  You might have to wait until someone smart joins the chat haha
09:36 <+_FBi> !newb
09:36 <+_FBi> !wiki
09:36 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
09:39 <+_FBi> deranged_user, is the port open -- can you get a header or anything from the port
09:39 < deranged_user> what port? openvpn's port?
09:40 <+_FBi> for ipv6
09:40 <+_FBi> err
09:40 <+_FBi> 4
09:40 < deranged_user> again. ipv6 works. not connecting to the server via ipv6, but tunneling ipv6
09:40 < deranged_user> same server instance
09:40 <+_FBi> oic
09:40 < deranged_user> connecting via ipv4 for both versions
09:42 <+_FBi> geez, totally misunderstanding lol sorry man..  re-read your question
09:43 < deranged_user> no worries
09:48 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has left #openvpn []
09:50 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:56 -!- Samopotamus [~IRCIdent@2607:5300:60:a0d::1] has joined #openvpn
10:02 -!- Kniaz1 [kvirc@unaffiliated/kniaz] has joined #openvpn
10:03 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:17 -!- Kniaz1 [kvirc@unaffiliated/kniaz] has quit [Ping timeout: 260 seconds]
10:45 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 258 seconds]
10:47 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
10:52 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:45 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
11:59 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
12:14 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 240 seconds]
12:18 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
12:44 -!- mulga| [~mulga_afk@unaffiliated/mulga] has joined #openvpn
12:53 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
13:34 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 258 seconds]
13:36 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
13:39 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
13:40 -!- Zerock [~0ck@173.216.34.69] has joined #openvpn
13:41 < Zerock> Some colleagues of mine are looking for a VPN solution. I know OpenVPN is reputable, but these guys are... noobs to say the least. Does OpenVPN have supported graphical frontends?
13:48 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
13:49 -!- mulga| [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 244 seconds]
13:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 245 seconds]
14:00 <@krzee> Zerock, well there is:
14:00 <@krzee> !as
14:00 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
14:16 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
14:21 -!- `Ile` [~ile@93-86-119-16.dynamic.isp.telekom.rs] has joined #openvpn
14:22 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
14:23 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
14:30 < deranged_user> anyone able to help my diagnose why ipv4 tunneling isn't working while ipv6 tunneling is?
14:32 < Zerock> Um, open source (free software) does not mean non-commercial...
14:33 < Zerock> wat
14:33 -!- Kniaz1 is now known as Kniaz
14:34 < Zerock> Whoever wrote vpnHelper needs to do their research.
14:36 <@krzee> Zerock, it does in this case
14:36 < Zerock> But that's not any part of the open source definition.
14:36 <@krzee> i wasnt defining "open source"
14:36 <@krzee> nor do i care about its definition
14:36 <@krzee> i was giving info about openvpn versus openvpn AS
14:37 < Zerock> Right, but there is a published definition. Such verbiage is erroneous and breeds misconceptions.
14:37 <@krzee> AS is commercial, and not open source (but still based on the opensource version)
14:38 < Zerock> Then it is "proprietary."
14:38 < Zerock> Proprietary != Commercial
14:38 <@krzee> cool, need help with something?
14:39 -!- Zerock [~0ck@173.216.34.69] has left #openvpn ["Leaving"]
14:40 <@krzee> exactly 0 fucks given
14:44 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 260 seconds]
14:53 < reventlov> Hello.
14:54 < reventlov> I read that by using push "dhcp-option DNS X.X.X.X" i can tell to client to use those dns
14:55 < reventlov> it seems it does not work here. resolv.conf stays the same. How exactly the DNS is supposed to be written in my resolv.conf ?
14:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
15:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:05 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
15:05 < reventlov> krzee: any idea ?
15:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
15:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:18 <@krzee> reventlov,
15:18 <@krzee> !pushdns
15:18 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
15:18 <@krzee> reventlov, if a unix-like os you must use an --up script like in #3
15:20 < reventlov> ok, thank you.
15:20 < reventlov> I just found
15:20 < reventlov> client.up and client.down *
15:20 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 245 seconds]
15:29 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
15:30 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:36 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:39 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
15:39 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn
15:41 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:43 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
15:54 < lfx> !windns
15:54 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
15:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:23 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
16:34 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:36 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
16:37 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
16:37 -!- rich0__ [~quassel@gentoo/developer/rich0] has joined #openvpn
16:39 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Quit: There's nothing dirtier then a giant ball of oil]
16:39 -!- Mik3C [~miguelc@77.202.37.188.rev.vodafone.pt] has quit [Remote host closed the connection]
16:40 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
16:42 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
16:46 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
16:46 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 272 seconds]
16:54 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 272 seconds]
17:03 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
17:07 -!- rich0__ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 250 seconds]
17:48 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
17:48 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
17:53 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Ping timeout: 264 seconds]
18:00 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
18:07 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
18:11 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
18:14 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
18:31 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:34 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
18:35 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 246 seconds]
18:40 -!- `Ile` [~ile@93-86-119-16.dynamic.isp.telekom.rs] has quit [Quit: leaving]
18:53 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
19:19 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
19:24 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has quit [Ping timeout: 246 seconds]
19:34 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 258 seconds]
19:49 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
19:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 272 seconds]
20:07 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
20:07 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
20:09 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
20:09 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
20:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
20:11 -!- pacoS [~paco@S0106c8fb2685dee9.vc.shawcable.net] has joined #openvpn
20:11 < pacoS> hi I installed openVPN and run it with a few VPN's servers but my wireless stop working I untinstall openVPN but still I have not been able to connect via wireless does anyone know what settings I should look at?
20:19 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
20:20 < pacoS> any help here?
21:03 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:04 -!- donspaulding [~donspauld@98.215.46.106] has joined #openvpn
21:08 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
21:08 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
21:13 -!- pacoS [~paco@S0106c8fb2685dee9.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
22:05 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 245 seconds]
22:07 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
22:29 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
22:30 -!- learner [~Learner@www.fastformer.net] has joined #openvpn
22:30 < learner> hey guys, I need help with my git repo set up, any good suggesions are appreciated. So I have a gitlab repository installed on my server, running on nginx, right now only access is possible from localhost and using ssh tunnel we connect to it. but I wanted to change that to openvpn, as I don't want all users to have bash access to the server. how would i go about doing this?
22:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
22:48 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
22:53 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
22:56 -!- K1rk [~Kirk@equinox.epecweb.com] has quit [Remote host closed the connection]
22:57 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
22:57 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:02 < Eugene> I have no idea what openvpn would have to do with wireless, but it's not like you had any interest in sticking aroudn to hear that, either.
23:02  * Eugene sighs, drinks
23:31 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
23:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
23:35 < KNERD> Eugene: i think he means his internet connection is not routing through the OpenVPN connection, and not his WiFi connection, resulting in a loss of internet access
23:35 < KNERD> is now*
23:36 < Eugene> I don't care, he's not here ;-)
23:36 < Eugene> My guess is that it involves GNOME NetworkManager
23:36 < Eugene> !ubuntu
23:36 <@vpnHelper> "ubuntu" is dont use network manager!
23:37 < KNERD> well..i care i have the same issue on every device I have installed the clien on to connect to the server
23:40 < KNERD> basically it is forcing the client to be on gateway of the OpenVPN server, than the LAN the device sits on
--- Day changed Mon Sep 29 2014
00:00 -!- ShadniX [dagger@p5481D63D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:00 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:01 -!- ShadniX [dagger@p5DDFFA66.dip0.t-ipconnect.de] has joined #openvpn
00:12 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
00:15 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
00:26 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:32 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
00:47 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
00:52 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:53 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:54 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:03 -!- ph0x [~ph0x@unaffiliated/ph0x] has joined #openvpn
01:04 < ph0x> oh damn
01:04 < ph0x> its my firewall
01:04 < ph0x> thanks
01:04 < ph0x> no, just kidding
01:04 < ph0x> anyone here?
01:04 < ph0x> i want to use the ubuntu initscript for starting .conf files
01:04 < ph0x> but i use a passfile
01:05 < ph0x> do i just add an auth-user-pass */filepath/passfile*
01:05 < ph0x> im going to try it
01:05 < ph0x> was hoping people were here :(
01:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
01:20 -!- ph0x [~ph0x@unaffiliated/ph0x] has quit [Ping timeout: 244 seconds]
01:20 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:22 -!- CaTtleyA_ [~CaTtleyA@82.66.41.53] has quit [Ping timeout: 276 seconds]
01:23 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
01:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
01:59 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
02:07 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 250 seconds]
02:08 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:08 -!- mode/#openvpn [+v hazardous] by ChanServ
02:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
02:14 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 258 seconds]
02:15 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:16 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 250 seconds]
02:16 -!- donspaulding [~donspauld@98.215.46.106] has quit [Quit: donspaulding]
02:20 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
02:20 -!- mode/#openvpn [+v hazardous] by ChanServ
02:41 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:41 -!- mode/#openvpn [+o mattock] by ChanServ
02:54 -!- fjor [~fjor@182.55.144.75] has joined #openvpn
03:08 < Belliash> hello
03:12 < Belliash> does openvpnover tap block some connections on windows?
03:28 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
04:05 -!- dazo_afk is now known as dazo
04:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
04:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
04:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
04:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
04:39 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
04:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:48 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:48 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:51 -!- u0m3 [~u0m3@92.80.111.231] has joined #openvpn
04:53 -!- u0m3_ [~u0m3@92.80.70.55] has quit [Ping timeout: 244 seconds]
04:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
04:59 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:09 < Belliash> anyone around?
05:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
05:29 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
05:29 < urbanendeavour> hi
05:30 < urbanendeavour> What is the main advantage of using openvpnas versus using a VPN hardware appliance like a integrated services router>
05:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
05:38 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
05:38 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
05:53 -!- Billy2 [~nwnkirc@pool-98-110-181-88.bstnma.fios.verizon.net] has joined #openvpn
05:57 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
06:02 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
06:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:18 <@novaflash> i think you should install it and see for yourself to make that determination
06:34 < rhct> novaflash : is there any limit on free trial 2 users of OPENVPN AS
06:39 <@novaflash> just the 2 simultaneous connections
06:39 <@novaflash> otherwise no limits
06:39 <@novaflash> so you can try it absolutely for free
06:40 <@novaflash> and if you like it, well, then get a license key for the amount of connections you'd like to have active simultaneously and put that in
06:55 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:56 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has joined #openvpn
06:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:29 -!- N-Mi [~nicolas@calvix/staff/N-Mi] has joined #openvpn
07:40 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
07:44 < rhct> novaflash : 2 simultaneous connections means, 2 connections per ip, or just only 2 users will be availble on trial
07:44 <@novaflash> neither, it means 2 VPN tunnels can be active at the same time
07:44 < rhct> so this means i can make lot of users, but only 2 users can login at one time ?
07:46 < rhct> I am currently using it. and it is no doubt the ultimate solution, also, i wanted to know, if android user browse http://vpn-ip:port , they will get APK to be download with their configuration ? like we have for windows pcs ?
07:47 < rhct> Novaflash : sorry i didnt put your nick in above questions..
07:47 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
07:49 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
07:51 <@novaflash> no, it's a bad idea to offer apk files
07:51 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:51 <@novaflash> instead we show a page that lists the client software
07:51 <@novaflash> and it has a link to the play market
07:51 <@novaflash> to openvpn connect
07:52 <@novaflash> then they can install it through the play store thingee
07:52 <@novaflash> and then use the import feature in that program to fetch a connection profile
07:52 <@novaflash> it has an import from access server thingee
08:06 < rhct> i understand
08:06 < rhct> this sounds really good
08:07 <@novaflash> glad to be of help
08:11 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Read error: Connection reset by peer]
08:11 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:11 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
08:15 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
08:18 -!- chrisb [~chrisb@pool-71-185-1-206.phlapa.east.verizon.net] has joined #openvpn
08:19 < chrisb> i don't get a password prompt when i run from init or systemd, but i do get a password prompt when i run from the command line, how do i troubleshoot?
08:20 <@novaflash> :) go for a profile that doesn't ask for username/password
08:20 <@novaflash> or live life dangerously and stick it in a text file and add auth-user-pass filename.txt ;)
08:21 <@krzee> chrisb, when do you get prompted?
08:21 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:21 <@krzee> immediately when you start the service or when its connecting already?
08:22 <@novaflash> krzee!! long time no see
08:22 <@krzee> (it could be a passphrase on your private key, or a password from the server)
08:22 <@krzee> hey there novaflash how you been man
08:22 <@novaflash> i've been renovating a house
08:22 <@novaflash> still not finished
08:22 <@novaflash> otherwise pretty good
08:22 <@krzee> ouch sounds like a lot of work
08:22 <@krzee> i just found a new hack for my snom phones :D
08:23 <@krzee> (to get root while i provision them for my service so i can modify the inside)
08:23 <@krzee> well i say "just" but that was 2 days ago… same thing tho
08:24 -!- shio [marmot@48.121.101.84.rev.sfr.net] has quit [Remote host closed the connection]
08:26 <@novaflash> huh
08:26 <@novaflash> what's a snom phone?
08:26 <@novaflash> yeah i know, "google it"
08:27 <@novaflash> sounds like a candy phone. designed to be nommed
08:29 <@krzee> haha
08:29 <@krzee> a voip phone
08:29 <@krzee> !google snom 821
08:29 <@vpnHelper> snom 821: <http://www.snom.com/en/products/snom-advanced-line/snom-821/>; Snom821/Documentation - Snom User Wiki: <http://wiki.snom.com/Snom821/Documentation>; Amazon.com : Snom 821 Ip Phone : Voip Telephones : Electronics: <http://www.amazon.com/SNOM-Technology-2346-Snom-Phone/dp/B003V3213W>
08:29 <@novaflash> huh okay
08:29 <@krzee> comes with openvpn
08:29 <@novaflash> neat
08:29 <@novaflash> openvpn ftw
08:29 <@krzee> its really just a linux computer
08:29 < chrisb> krzee: i get prompted correctly when i run openvpn --config <file>
08:30 <@krzee> chrisb, does it do anything before it prompts you?
08:30 <@krzee> do you have "daemon" in your config?
08:31 <@krzee> if so, comment daemon so that you may correctly answer my question
08:31 -!- xeon-enouf [~xeon-enou@unaffiliated/xeon-enouf] has quit [Ping timeout: 244 seconds]
08:31 -!- xorol [~xorol@86.39.200.161.static.hosted.by.easyhost.be] has joined #openvpn
08:31 < xorol> hi
08:31 <@krzee> actually, even easier
08:31 <@krzee> chrisb, does it ask for a passphrase or a username/password?
08:32 <@krzee> show me
08:32 < xorol> i got a small question; is it possible to use a dedicated private/public key to ensure that clientA is in fact really clientA ? (so username & password linked to the key)
08:32 <@krzee> !tls-verify
08:32 <@krzee> hmm
08:32 <@krzee> !script
08:32 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
08:33 -!- xeon-enouf [~xeon-enou@unaffiliated/xeon-enouf] has joined #openvpn
08:33 <@krzee> xorol, ^^ see --tls-verify in the manual and in the scripts section
08:33 < xorol> @krzee thanks ;. is this implemented in openvpn access server ?
08:33 < chrisb> krzee: doesn't do anything before it prompts, this config used to work on debian testing and no "daemon" in the conf
08:33 <@krzee> xorol, you'll have to ask them
08:33 <@krzee> !as
08:33 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
08:33 <@krzee> !no_as
08:33 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
08:34 < xorol> okido!
08:34 <@krzee> chrisb, just decrypt your private key
08:34 <@krzee> !factoids search phrase
08:34 <@vpnHelper> 'strip-passphrase' and 'change-passphrase'
08:34 <@krzee> !strip-passphrase
08:34 <@vpnHelper> "strip-passphrase" is see http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file
08:35 < chrisb> krzee: it only asks for the username, it doesn't get to the passphrase
08:35 <@krzee> if it asks for a username then its connecting, because the server forces the username/password check
08:35 <@krzee> which is exactly the reason i was asking :-p
08:35 <@krzee> !pwfile
08:35 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h or (#2) see --auth-user-pass in the manual (!man) for more info or (#3) if you're using this with the windows service, you will need --askpass
08:39 <@krzee> i asked about daemon in the config, but i bet you're starting it with the debian startup scripts which add --daemon to the commandline. i was only asking about dameon because it'll block you from seeing the output from openvpn trying to connect
08:39 <@krzee> no biggie tho, you know what to do now if you want to destroy any security that using a login/password had by writing it to your filesystem in cleartext =]
08:39 -!- chrisb [~chrisb@pool-71-185-1-206.phlapa.east.verizon.net] has quit [Ping timeout: 260 seconds]
08:46 <@novaflash> wow i step away for a few minutes and boom, text
08:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
08:54 -!- pqatsi [~leonardo@unaffiliated/leleobhz] has joined #openvpn
08:55 < pqatsi> I remember there is a option in openvpn that allow client to change public IP address w/o lose VPN connection (Afaik using HMAC). Someone can remember what option allows this roaming?
08:56 <@novaflash> wow now my interest is peaked, where is this magic? krzee, do you know this magic?
08:57 < BtbN> Uhm, that's how it normaly works?
08:58 < BtbN> Unless you have the other end configured staticaly in both configd
08:59 < pqatsi> Sometime ago i read something about the HMAC header authentication, but i cant remember if tls-auth is enough
09:00 < pqatsi> --float
09:02 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 240 seconds]
09:03 < dvl> I have a client which reconnects every hour at 51 past the hour.   I have another which does this at 7 past the hour, every hour.  The logs on both clients contain: "TLS: tls_process: killed expiring key".
09:03 < dvl> Other clients do not have this issue, and all clients have the same configuration.
09:04 < pqatsi> Well, im worried about this: https://github.com/avalentin/openvpn/commit/8ff6c8934a6f9f16a279cefa5aa5d829a52f431c
09:04 <@vpnHelper> Title: Floating: Add support for floating in TLS mode · 8ff6c89 · avalentin/openvpn · GitHub (at github.com)
09:05 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
09:10 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 240 seconds]
09:11 < dvl> My 'reconnects every hour' my be inaccurate.  What I'm seeing is log entries.  verb is > 1 for both clients in question.
09:14 -!- donspaulding [~donspauld@38.89.245.83] has joined #openvpn
09:16 -!- xeon-enouf [~xeon-enou@unaffiliated/xeon-enouf] has quit [Ping timeout: 245 seconds]
09:16 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
09:18 -!- xeon-enouf [~xeon-enou@unaffiliated/xeon-enouf] has joined #openvpn
09:21 <@novaflash> dvl; maybe for some reason the firewall on the client side is somehow blocking the tsl renegotiation, and it is set to once every hour force a tls rethingee
09:21 <@novaflash> try increasing the interval for that refresh and see what happens
09:21 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
09:22 < dvl> novaflash: I think my original statement (recoonects every hour) is incorrect.  I was basing this on seeing log entries on two clients which had verb>4.
09:22 <@novaflash> oh. well. balls.
09:23 < dvl> novaflash: your suggestion sounds good, based on what I said.  I'll show the logs here..
09:24 < dvl> novaflash: I think this is just standard key negotiation: http://dpaste.com/196NH3E.txt
09:24 <@novaflash> well
09:24 < dvl> I had *assumed* incorrectly that it was a reconnection.
09:25 <@novaflash> the message 'killed expiring key' sounds a bit like "okay this key has had its time, time for a new one"
09:25 < dvl> And the reason I saw it only on two clients, was.... verb.
09:25 < dvl> I agree.
09:25 <@novaflash> and normally with openvpn it negotiates for a new key BEFORE it expires the old key
09:25 <@novaflash> so it can keep functioning seamlessly
09:25 <@novaflash> but in case that don't work then boom, connection dies when the key expires
09:25 <@novaflash> just repeating what i heard elsewhere, lol
09:26 <@novaflash> gasp
09:26 <@novaflash> i know your email address now
09:26 <@novaflash> mr xxx@gmail.com
09:27 < dvl> Here's a better one: http://dpaste.com/38QRJR7.txt
09:27 < dvl> novaflash: reading about it, I don't think the connection just dies: http://openvpn.net/archive/openvpn-users/2007-07/msg00104.html
09:27 <@vpnHelper> Title: Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean? (at openvpn.net)
09:28 <@novaflash> yeah okay
09:28 <@novaflash> but how about you increase the time the key lasts? see what happens then :-D
09:29 <@novaflash> but yeah it could be what josh wrote
09:29 <@novaflash> which would be odd thugh
09:29 <@novaflash> though *
09:30 <@novaflash> hm. why the hell did someone send me an invoice printed on photopaper
09:31 <@novaflash> so shiny
09:39 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
09:40 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
09:44 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:47 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:51 < imsomeoneelse> so you can put it on your wall?
09:57 -!- learner [~Learner@www.fastformer.net] has quit [Ping timeout: 246 seconds]
09:59 <@novaflash> i guess i'll have to, now
10:00 <@krzee> dvl, ya you were just seeing reneg
10:00 <@krzee> totally normal, default is hourly
10:05 < dvl> krzee: thanks.
10:06 <@krzee> =]
10:08 < dvl> I have set verb=1 on all clients and restarted them.  Now watching tail -F /var/log/messages | grep openvpn
10:08 <@krzee> erm
10:08 < dvl> csshX on my Mac is one of my most used apps.
10:08 <@krzee> and hows that tail -F | grep working for you
10:09 < dvl> Working rather well, thanks.  What are you referring to?
10:10 <@krzee> i would expect buffering issues
10:11 < dvl> Hmmm.  How would those buffering issues manifest themselves?  I've done such things many times.
10:11 <@krzee> <greybot> http://mywiki.wooledge.org/BashFAQ/009 -- What is buffering?  Or, why does my command line produce no output: tail -f logfile | grep 'foo bar' | awk ...
10:11 <@vpnHelper> Title: BashFAQ/009 - Greg's Wiki (at mywiki.wooledge.org)
10:11 <@krzee> ohh
10:11 < dvl> $ tail -F /var/log/messages | grep openvpn
10:11 < dvl> Sep 29 14:46:00 nyi openvpn[37629]: TUN/TAP device /dev/tun0 opened
10:11 < dvl> for example.
10:11 <@krzee> thats if you piped grep to another command
10:11 <@krzee> my bad
10:12 < dvl> And I often pipe grep to other commands...
10:12 <@krzee> "because grep does not buffer its output if its standard output is a terminal. "
10:12 <@krzee> ya but not from tail -f
10:13 <@krzee> see above link for details
10:13 < dvl> I take your point.  Read it.
10:13 <@krzee> anyways i was wrong =]
10:14 -!- shpank [~schorsch@kabelbrand.at] has joined #openvpn
10:17 < dvl> krzee: no worries!  We're all wrong occasionally.
10:17 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 258 seconds]
10:18 < dvl> OK, I need a new hostname....  it'll be an svn repo.  oh, I know: svn.bsdcan.org
10:18 < shpank> hey guys, is creating a tap device my only chance if i cannot route my /64 ipv6 netblock?
10:18 <@krzee> !ipv6
10:18 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
10:19 <@krzee> but shpank maybe you could split it or something?  to be honest i dont know
10:19 <@krzee> if you see pekster around i see him help people with ipv6 often
10:20 < shpank> okay
10:20 < shpank> but the manpage isn't particularly helpful in my case
10:20 <@krzee> actually i meant the wiki
10:21 < shpank> the wiki is neither :)
10:21 < shpank> but thanks anyways
10:21 <@krzee> i figured you might be able to split the subnet
10:21 < shpank> we'll have to look at it
10:23 < shpank> https://community.openvpn.net/openvpn/wiki/IPv6#SplittingasingleroutableIPv6netblock <- would this work with a tun device as well?
10:23 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
10:24 <@krzee> that wiki page is only talking about tun
10:25 < shpank> oh
10:25 <@krzee> with tap its layer2 so addressing is as normal
10:25 < shpank> you're right
10:25 < shpank> but how do i route then?
10:25 <@krzee> i dont use ipv6 so i dont want to guess too much
10:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
10:38 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: ZNC - http://znc.in]
10:40 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
10:45 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 276 seconds]
10:53 <@novaflash> ipv6 is old fashioned
10:53 <@novaflash> i mean
10:53 <@novaflash> krzee is old fashioned about ipv6
10:53 <@novaflash> just like me
10:53 <@novaflash> all you young whippersnappers with your ipv6, 7, 8
11:01 -!- xorol [~xorol@86.39.200.161.static.hosted.by.easyhost.be] has quit [Ping timeout: 272 seconds]
11:01 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:08 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit []
11:13 -!- krthnz [~aehm@unaffiliated/krthnz] has joined #openvpn
11:17 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
11:26 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:41 -!- averagecase [~anon@cl-6544.cgn-01.de.sixxs.net] has joined #openvpn
11:42 < Eugene> shpank - what sort of "IPv6 netblock" are you getting from your provider? an on-link /64? A routed /64(better a /56 or /48)?
11:44 -!- fjor [~fjor@182.55.144.75] has quit []
12:08 -!- dazo is now known as dazo_afk
12:22 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has joined #openvpn
12:43 < Belliash> hello
12:43 < Belliash> I have set openvpn over tap and i got problems with it
12:43 < Belliash> I can connect to server, but cannot access any services on it via vpn
12:51 < Belliash> any ideas?
12:51 < imsomeoneelse> iptables blocking it?
12:51 < imsomeoneelse> assuming it's linux/unix
12:52 < Belliash> no, iptables has those ports opened
12:52 < imsomeoneelse> uh, I thought I'd just suggest Iptables and magically I would be right, no more ideas from me, sorry :)
12:53 < Belliash> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http.load
12:53 < Belliash> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
12:54 < Belliash> copy-paste mistake
12:55 < Belliash> Authenticate/Decrypt packet error: cipher final failed
12:55 < Belliash> what does this error mean?
12:58 < Belliash> never mind :D
12:58  * Belliash stupid
12:59 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:00 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has joined #openvpn
13:01 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has quit [Read error: Connection reset by peer]
13:01 -!- Latrina [~Latrina@adsl-ull-5-189.50-151.net24.it] has joined #openvpn
13:02 -!- badaptr is now known as adaptr
13:03 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has joined #openvpn
13:03 < Polochon_street> Hi everyone!
13:06 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:09 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has quit [Ping timeout: 260 seconds]
13:10 < Eugene> !welcome
13:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:11 -!- Latrina [~Latrina@adsl-ull-5-189.50-151.net24.it] has quit [Ping timeout: 250 seconds]
13:16 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:20 -!- Latrina [~Latrina@adsl-ull-64-181.50-151.net24.it] has joined #openvpn
13:22 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has joined #openvpn
13:22 < Polochon_street> hmm, so
13:22 < Polochon_street> Is it possible to create a wi-fi access point which uses openvpn but let local request unchanged?
13:23 < Polochon_street> for the moment, my connected computers can't access the local network my AP « sees »
13:32 < Eugene> "which uses openvpn but let local request unchanged" doesn't parse for me.
13:33 < Polochon_street> sorry, I'm struggling with english;
13:33 < Polochon_street> -;
13:33 < Eugene> That's OK. Maybe describe your network(s), and what you want to happen for devices attached to them
13:34 < Polochon_street> I got a computer configured as a wifi access point, with openvpn installed and configured.
13:35 < Polochon_street> when I connect a computer to it, I want it to go through the VPN normally for all addresses, except 172.30.*.*
13:35 < Polochon_street> the access point should not give 172.30.*.* requests to tun0, but to enp2s0
13:35 < Polochon_street> is that a bit clearer?
13:37 < Polochon_street> I tried to add « route 172.30.0.0 255.255.0.0 172.30.128.1 » on my .conf and to use my local network DNS, but it won't work (I can still ping 8.8.8.8 though)
13:41 < Polochon_street> here's my configuration: http://pastebin.com/dhXZALHj
13:45 < Polochon_street> I also saw this post (http://stackoverflow.com/questions/16302138/openvpn-route-all-except-local-network), and I've done what it recommends...
13:45 <@vpnHelper> Title: windows - OpenVPN: route all except local network - Stack Overflow (at stackoverflow.com)
13:47 -!- Toumasu [~Thunderbi@78-23-52-63.access.telenet.be] has quit [Quit: Toumasu]
13:48 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has quit [Read error: Connection reset by peer]
13:49 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has joined #openvpn
13:49 < Polochon_street> dammit...
13:50 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has quit [Read error: Connection reset by peer]
13:50 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
13:51 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has joined #openvpn
13:52 < c|oneman> maybe you also need the push route line
13:52 < Polochon_street> should I add « push " " » between my route?
13:52 < Polochon_street> what's the difference between push "route ..." and route ... ?
13:53 < c|oneman> push sends the instructions to the client
13:53 < c|oneman> so that the client knows what to do
13:53 < c|oneman> I think, I'm a friggin noob
13:53 < Polochon_street> hmm, okay
13:53 < c|oneman> I think you need both
13:54 < Polochon_street> and when I restarted the AP's openvpn server, should it work immediately? Or should I restart the AP? Re-connect?
13:54 < c|oneman> just restarting openvpn should work
13:55 < Polochon_street> okay, thanks
13:55 < c|oneman> and reocnnecting to the AP
13:55 < Polochon_street> I'll try
13:55 < Polochon_street> let's try this
13:58 < Polochon_street> :/
13:58 < Polochon_street> it didn't work
14:00 < c|oneman> 128.1 is your default gateway for local right?
14:00 < Polochon_street> yes
14:00 < Polochon_street> I'm on a big network, and 172.30.128.1 is the default gatewy
14:00 < Polochon_street> +a
14:01 < c|oneman> so the internet works, but not local stuff
14:01 < Polochon_street> that's it
14:02 < c|oneman> maybe just do push "route 172.30.0.0 255.255.0.0"
14:02 < c|oneman> it doesn't need to know what the  gateway is
14:02 < c|oneman> because it doesnt use a gateway for local
14:02 < Polochon_street> should I del the simple « route ... » ?
14:02 < c|oneman> do both
14:02 < c|oneman> route 172.30.0.0 255.255.0.0 and push "route 172.30.0.0 255.255.0.0"
14:03 < Polochon_street> okay, let's try this
14:03 < c|oneman> that seems like it would work
14:03 < Polochon_street> well... nope
14:04 < c|oneman> eh. I tried :)
14:05 < Polochon_street> that was kind of you
14:05 < c|oneman> well
14:05 < c|oneman> it it possible that theres a double nat of sors
14:05 < c|oneman> that prevents the network from being accessed at al
14:05 < Polochon_street> HA!
14:05 < Polochon_street> « ip route » 
14:05 < Polochon_street> « 172.30.0.0/16 via 10.8.0.241 dev tun0 » 
14:06 < Polochon_street> it's not normal, isn't it?
14:06 < c|oneman> I dunno
14:06 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
14:07 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:10 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
14:10 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 258 seconds]
14:15 -!- MogDog [~MogDog@unaffiliated/mogdog66] has joined #openvpn
14:20 -!- AlexWingman [~AlexWingm@179.150.185.31] has joined #openvpn
14:21 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has quit [Read error: Connection reset by peer]
14:23 -!- AlexWingman [~AlexWingm@179.150.185.31] has left #openvpn []
14:41 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
14:44 -!- Belliash [znc@asiotec/constitutive/belliash] has left #openvpn ["No boundaries on the net!"]
14:50 -!- Netsplit *.net <-> *.split quits: MogDog
14:51 -!- Netsplit over, joins: MogDog
14:51 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has joined #openvpn
14:51 < Polochon_street> hi again
14:51 < Polochon_street> so, here's my iptable configuration: http://pastebin.com/avU70RTL
14:52 < Polochon_street> I believe the important line is « iptables --table nat --append POSTROUTING --out-interface enp2s0 -j MASQUERADE » 
14:52 < Polochon_street> when I use this, I can access so the local network, but not the internet
14:53 < Polochon_street> et when I change enp2s0 by tun0, I can access the internet, but not the local network
14:53 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has joined #openvpn
14:53 < Polochon_street> I believe there is an iptables configuration that would make both work, but I really don't know how to use iptables :\
14:54 < Polochon_street> what I find weird is that https://openvpn.net/index.php/open-source/documentation/howto.html#redirect make me believe that
14:54 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:54 < Polochon_street> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
14:54 < Polochon_street> will be sufficient, but it's not
14:54 < Polochon_street> so... Does somebody know what to do?
15:03 < Polochon_street> it tried to add « iptables -t nat -A POSTROUTING -s 172.30.0.0/16 -o enp2s0 -j MASQUERADE », but... nope
15:03 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:05 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has quit [Ping timeout: 258 seconds]
15:12 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has joined #openvpn
15:16 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has quit [Ping timeout: 240 seconds]
15:18 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has joined #openvpn
15:18 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
15:18 < Belliash> re
15:19 -!- eatkin [~eatkin@204.228.139.196] has joined #openvpn
15:19 < eatkin> hi folks
15:19 < Belliash> On windows I can connect to server over  established VPN, but HTTP response get truncated and I captured many duplicated packages with tcpdump
15:19 < Belliash> any ideas what might be wrong?
15:19 < Belliash> on linux client its working correctly
15:20 < eatkin> can i mark packets based on a CCD file for client specific filtering in iptables?
15:20 < eatkin> ie 'mark 1234' in ccd file?
15:20 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:33 -!- donspaulding [~donspauld@38.89.245.83] has quit [Quit: donspaulding]
15:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:41 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
15:46 < Belliash> looks like VPN truncates data
15:47 < Belliash> eg. file that has 5MB on server after download has only 34KB
15:54 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
15:56 < rpetrano> Hey people! I really need your help. I have a Linux OpenVPN server. When I connect from Linux client, everything works perfectly. When I connect from Windows client, everything seems to work perfectly but I can't ping each other. Yes, I have disabled firewall. I hope you'll find everything you need here: https://gist.github.com/rpetrano/8a1826bf5fd9cb94d4a3. I have explained the situation better in README. Thanks for your time.
16:03 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:04 < Belliash> any ideas?
16:04 < Belliash> MTU problems?
16:05 -!- tsbtmn [~tsbtmn@unaffiliated/tsbtmn] has joined #openvpn
16:08 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:09 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:14 -!- Polochon_street [~Polochon_@asa-eclille.ec-lille.fr] has quit [Ping timeout: 245 seconds]
16:15 -!- pqatsi [~leonardo@unaffiliated/leleobhz] has quit [Quit: leaving]
16:15 -!- mattock is now known as mattock_afk
16:23 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
16:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:32 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: leaving]
16:33 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
16:38 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:43 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
16:44 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
16:59 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:59 -!- Belliash [znc@asiotec/constitutive/belliash] has left #openvpn ["No boundaries on the net!"]
17:00 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
17:10 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has quit [Ping timeout: 260 seconds]
17:11 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
17:22 -!- duelle [~duelle@gateway/tor-sasl/duelle] has joined #openvpn
17:23 < duelle> Hi there, is there a guide for setting up a custom PKI-environment (CA, server-cert, client-certs) with openssl commands instead of the easy-rsa scripts? I would like to change some parameters (e.g. hashing algorithm).
17:31 < pekster> duelle: You could just edit the digest setting in the vars file. OpenSSL is rather non-trivial to invoke from the command line depending on what you're doing, and you'll have to be comfortable editing your system openssl.cnf file (or providing an alternative for your invocation) to change things like digests
17:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:32 < pekster> If you're looking to change the certificate process, you might fine the easyrsa3 code branch more flexible. If you have advanced extension needs, check out the 'Advanced extension handling' part of the Advanced readme. If you just want to tweak some basic settings like digest, the vars.example describes those
17:33 < pekster> There are also other cert-manager programs if you're looking to see how other programs deal with these issues: !certman for a few of them
17:34 < duelle> Thank you for the hint pekster. Is the vars.example shipped with the openvpn installation or where can I find it?
17:35 < pekster> openvpn for windows currently bundles easyrsa v2; v3 is available on github for windows and Unixes, and via source
17:36 < pekster> v3 is more flexible if you have other complex needs dealing with arbitrary extensions. If you just want to edit the digest, v2 is able to do that fine without bumping into its other limitations
17:36 < pekster> And yes, both ship with a vars file
17:36 < pekster> Docs here:
17:36 < pekster> !easyrsa
17:36 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
17:37 < pekster> See #4 for the wiki, with links to the v2 and v3 documentation
17:37 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has quit []
17:38 < duelle> pekster, thank you! I will look into that. May it be, that the default hashing algo in the debian openvpn package is still sha1? I created ca and certs and the qualys sslcheck page complains about using old/deprecated/insecure sha1.
17:39 < pekster> Could be. v2 has a recent-ish (months, not years) to set the default to sha256. v3 has used sha256 from the start
17:39 < pekster> Debian is in general not known for being very up to date
17:39 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has joined #openvpn
17:40 < pekster> Since it's just a shell script and supporting config files, you could just extract the tarball into a directory as your PKI user (hopefully not root!) and get the latet and greatest
17:41 < pekster> Shouldn't be doing PKI as root in the system install dir anyway as there's no need for it
17:42 < duelle> pekster, It might be a "silly" question, but where is the problem of generating the certificates (etc) as root? The openvpn part is set to use different users.
17:42 < pekster> Doing anything you don't need to do as root is generally ill-advised
17:46 < pekster> It's also a minor advantage to keep your PKI out of a directory your package manager will overwrite on upgrades/uninstalls/reinstalls
17:47 < duelle> pekster, So you would recommend creating some kind of PKI-user that has the cert/key... files within its home-dir? Is there a guide containing such best-practices?
17:48 < pekster> !hardening
17:48 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
17:49 < pekster> Ideally you only have the CA's key on your CA system. Any client/server should generate their own key and a certificate request, unless you plan to do "key escrow" where your CA system generates the private component itself and hands it to each client/server. That's a reduction in security as you have to exchange those private keys somehow, and they're now on more than 1 physical system
17:49 < pekster> Depends on your desired workflow and how much security you want/need
17:50 -!- MogDog [~MogDog@unaffiliated/mogdog66] has quit [Quit: Server shutdown]
17:51 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
17:53 < duelle> Great, thank you. For now I have a quite small system with not-really top-secret data. But playing around with it and trying to make it as secure as possible - simply to learn how all of this stuff works. If I may ask one more question: As far as I understood it yet, the CA is some kind of authority (in my case myself) which says that the certs it signs are "good" and belong to me. In which way do I need a "CA system". Wouldnt it be enough to
17:53 < duelle> have a system where I store the key/cert for the CA separately and hopefully as secure as possible?
17:56 < pekster> Right. Whatever "secure as possible" means to you. Enterprises with mission-critical data might keep their CA in a locked room with physical access logs on an offline-only server that never touches a live network. Home users might consider a locked-down user account enough security
18:00 < duelle> pekster, thanks for the clarification and your helpful hints. As my environment is not that "mission-critical" I will see what fits best regarding effort and efficiency (e.g. separate locked-down user account on up-to-date machine that doesn't move around the world)
18:02 < pekster> Probably fine for your needs, yea. Of note, easyrsa v3 more readily supports a "PKI per dir" model (and in fact forces you to use it, although the default is called simply 'pki'). You can use even a single-server like this to practice creating the key/request in a "different" directory, which could just as easily be a different system
18:03 < pekster> If you already have some secure transport for your keys (ssh and you have all your hostkeys already) you can use the old-school method of housing all the keys in one spot and send them to boxes. Again, pick a workflow that sounds reasonable
18:04 < duelle> What would be the advantage of using different directories for the keys? Just for the sake of "simulating" different machines?
18:05 < pekster> Exactly
18:05 < pekster> Otherwise there isn't any really
18:05 < pekster> In a real-world setup, anytime you send your keys (encrypted or not) across a network, you're trusting that transport with the security of your keys
18:06 < pekster> Extra bad if you just email keys across the Internet ;)
18:06 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
18:08 < duelle> Okay, I will give it a try to recreate a setup that fits the best practises regarding ca/key and general security advices. Thanks a lot
18:23 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:55 -!- busch [~busch@datenschleuder.com] has joined #openvpn
19:01 -!- Joe-T [~Joe-T@97e76cf9.skybroadband.com] has joined #openvpn
19:01 < Joe-T> is it possible to see what route script of whatever a vpn server runs, so I can use some of it when using nopull?
19:02 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
19:07 -!- duelle [~duelle@gateway/tor-sasl/duelle] has quit [Quit: Leaving]
19:07 < pekster> Joe-T: Perhaps you want to use --route-noexec along with --route-up
19:08 < pekster> See also the 'ENVIRONMENTAL VARIABLES' manpage section for the route_{param}_{n} vars
19:15 < Joe-T> ok thanks I'll look into it
19:15 < Joe-T> --route-up didn't seem to exist
19:16 < Joe-T> I basically just don't want the vpn to be the default route, so I can have just one thing going through it
19:17 < pekster> Right. If you don't want to blindly accept any route the server pushes you have 2 options: use --route-noexec to ignore them all, or also do that and use --route-up so you can inspect what the server pushed via the env-var so you can do things with that information
19:17 < pekster> There's also --route-nopull, but then you can never inspect them
19:17 -!- Irrelephant [Irrelephan@2a02:908:e26a:7200:f90c:4271:455:86da] has joined #openvpn
19:17 < pekster> Better would be to fix your server-side not to push routes you don't want to select clients
19:18 < Joe-T> I'm using private internet access, so I can't do anything about the server right?
19:18 < Irrelephant> Hi. I just set up an OVPN server on a linux machine. Connection works fine, traffic is routed and client -> server ping works. Server -> client ping however does not ...
19:18 < pekster> If this is a service provider you don't manage, then you're SoL outside of scripting your end to do what you want
19:18 < Irrelephant> I am not a linux guy but googling the issue pointed me towards iptables
19:19 < pekster> Irrelephant: Routing is fine, so you have a firewall issue (that, or you're not pinging the host you think you are)
19:19 < Irrelephant> Is there a short comprehensive guide on what has to be set in iptables to make server-> client ping workß
19:20 < pekster> You need to allow it in your firewall: that's it
19:21 < pekster> Maybe review the 'icmp' match in iptables-extensions(8)
19:21 < Irrelephant> Not sure what that means
19:22 < pekster> Explaining that you're using windows on the client would have changed my advice; don't leave details like that out. You need to allow inbound pings, at least on that interface, or the "zone" it's in in Windows
19:23 < pekster> use their GUI firewall thingy, or the obscene netsh syntax if you're into that kind of thing
19:23 < Irrelephant> Sorry for missing that important bit. I was under the impression that the server needed to be configured with iptables, that's why I left it out
19:24 < Irrelephant> Have used neither of those before. Will do some more googling tho. Thank you for your help :)
19:24 < pekster> In nearly all (99.9%+) when you can't ping the client, it's the client's firewall
19:24 < pekster> Stupid setups that restrict outbound pings from the server might change that, as would complex routing setups. You probably don't have either of those.
19:25 < pekster> IOW: fix your client to do what you want
19:25  * pekster suggests googling for "accept ping in windows 8" or the like
19:27 < Eugene> I use a Group Policy to force that firewall rule
19:27 < Eugene> Such a stupid behaviour. I get why its the default, but I strongly disagree with it.
19:29 < Joe-T> I forgot to set script security -.-
19:29 < Irrelephant> Googled exactly that. Found a short step-by-step guide only to find my anti-virus blocking inbound connections based on rather complex rules ...
19:29 < Irrelephant> dang, won't finish this tonight
19:41 -!- averagecase [~anon@cl-6544.cgn-01.de.sixxs.net] has quit [Quit: Verlassend]
19:41 -!- Irrelephant [Irrelephan@2a02:908:e26a:7200:f90c:4271:455:86da] has quit [Quit: off to sleepyland]
20:03 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
20:04 -!- phi0x [~phi0x@216.227.131.2] has joined #openvpn
20:05 < phi0x> hey guys, i've been having an issue with inline openvpn ovpn client config files, was wondering if anyone with some experience with them could take a look at my issue I posted online but have yet to receive an answer on in days? would be greatly appreciated as I've tried so many different solutions which have yet to turn out a solution that works for me. http://serverfault.com/questions/631131/openvpn-inline-cert-ovpn-file-creation-issue-how-to-configure-ser
20:05 < phi0x> ver-client-to
20:05 <@vpnHelper> Title: openVPN inline cert ovpn file creation issue, how to configure server/client to accept inline files? - Server Fault (at serverfault.com)
20:14 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has quit [Quit: Got Kleptomania? Take something for it!]
20:17 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:18 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 240 seconds]
20:20 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Client Quit]
20:20 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:30 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:11 -!- rpetrano1 [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has joined #openvpn
21:12 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
21:13 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has quit [Ping timeout: 245 seconds]
21:31 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
21:32 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
21:38 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Quit: ZNC - http://znc.in]
21:39 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
21:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:46 -!- pcfreak30 [~pcfreak30@cpe-075-177-116-215.triad.res.rr.com] has quit [Ping timeout: 260 seconds]
21:59 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
22:08 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
22:19 -!- phi0x [~phi0x@216.227.131.2] has quit [Ping timeout: 272 seconds]
22:19 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
22:22 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:22 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 272 seconds]
22:27 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
22:28 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
22:47 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 258 seconds]
23:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
23:32 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
23:35 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:35 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
23:35 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:56 -!- phi0x [~phi0x@S01069072400a5d42.vs.shawcable.net] has joined #openvpn
--- Day changed Tue Sep 30 2014
00:00 -!- ShadniX [dagger@p5DDFFA66.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:01 -!- ShadniX [dagger@p5DDFE88A.dip0.t-ipconnect.de] has joined #openvpn
00:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:24 -!- phunyguy is now known as phunyguy1
00:25 -!- phunyguy1 is now known as phunyguy
00:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
00:35 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
00:38 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:15 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
01:18 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
01:37 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:50 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
02:26 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
02:26 -!- CaTtleyA_ [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
02:26 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Remote host closed the connection]
02:26 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
02:33 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
02:40 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
02:48 -!- mattock_afk is now known as mattock
02:48 -!- phi0x [~phi0x@S01069072400a5d42.vs.shawcable.net] has quit [Ping timeout: 272 seconds]
04:00 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
04:01 < KarlBauman> can you tell me why OpenVPN client starts disconnecting when I turn on my torrent client?
04:06 -!- dazo_afk is now known as dazo
04:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:11 < KarlBauman> actually it is reconnecting, not disconnecting
04:27 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 244 seconds]
04:38 -!- KarlBaumann [~SoWhat@87.246.136.13] has joined #openvpn
04:38 < KarlBaumann> it looks like it was because of my OpenVPN portable client
04:48 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has joined #openvpn
05:24 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
05:24 < Belliash> hello
05:24 < Belliash> can you take a look at http://forum.openvpn.eu/viewtopic.php?f=25&t=9303 ?
05:24 <@vpnHelper> Title: OpenVPN.eu View topic - Problem accessing server resources (at forum.openvpn.eu)
05:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:02 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Ping timeout: 272 seconds]
06:03 -!- rpetrano1 [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has quit [Ping timeout: 250 seconds]
06:03 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
06:08 -!- mattock is now known as mattock_afk
06:09 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has joined #openvpn
06:10 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Ping timeout: 260 seconds]
06:10 -!- milligan [~milligan@voyage.vhost.usr.no] has quit [Ping timeout: 260 seconds]
06:14 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
06:21 -!- sickn3ss_ [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
06:23 -!- milligan [~milligan@voyage.vhost.usr.no] has joined #openvpn
06:24 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Ping timeout: 260 seconds]
06:24 -!- rpetrano [~Thunderbi@93-139-52-189.adsl.net.t-com.hr] has quit [Remote host closed the connection]
06:28 -!- KarlBaumann [~SoWhat@87.246.136.13] has quit [Ping timeout: 260 seconds]
06:40 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:40 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
06:42 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
06:42 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 272 seconds]
07:13 -!- mattock_afk is now known as mattock
07:24 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
07:28 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:31 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:55 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:55 < shpank> is there a way to use more than one shared secret on server side when using tls_auth?
07:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:58 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:00 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:03 -!- Left_Turn is now known as pgicxplzs
08:05 <@plaisthos> shpank: no
08:05 < shpank> dangit.
08:05 < shpank> thanks for the clarification!
08:05 <@plaisthos> shpank: that would not work :)
08:06 <@plaisthos> and the server would have to try every tls-auth key to see which one is used by the client
08:06 <@plaisthos> that does not really scale well ;)
08:06 < shpank> i guess that makes sense...#
08:07 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:12 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:23 -!- jefferai_ [sid1300@kde/mitchell] has left #openvpn []
08:23 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
08:23 < jefferai> krzee: Hey, thanks for your help the other day
08:24 < jefferai> I had led myself down a rabbit hole with trying to do both-way meshing. I changed things around and now do one-way connections and set up a post script to set routes on the server side down to the client.
08:26 < shpank> plaisthos: so it is like outer authentication with eap?
08:30 < Belliash> any1? :)
08:33 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:35 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:38 -!- mattock is now known as mattock_afk
08:43 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
08:44 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 260 seconds]
08:46 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
08:51 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 240 seconds]
08:56 -!- hyponic [~DJ@cm-84.210.219.124.getinternet.no] has joined #openvpn
08:58 -!- Otacon22 [~otacon22@englishman.otacon22.it] has joined #openvpn
08:58 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
09:01 < Otacon22> Hello, I can't use openvpn over UDP because UDP it's blocked on my network. I would use TCP-server instead, but I know that using TCP connections inside another TCP connection give bad performance (jitter and latency). Is it possible to use TCP but force openvpn to disable the congestion algorithm of TCP for the connection?
09:01 < Otacon22> Otherwise, what do you suggest as solution?
09:08 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 260 seconds]
09:10 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
09:16 < hyponic> I am using openvpn and it has created something called tap1 how can i test it? ping from the tap1 interface? i am on ubuntu server.
09:23 -!- Otacon22 [~otacon22@englishman.otacon22.it] has quit [Ping timeout: 250 seconds]
09:31 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:34 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 245 seconds]
09:36 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:37 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
09:46 -!- buechse [~buechse@p5DD2F330.dip0.t-ipconnect.de] has joined #openvpn
09:46 < buechse> hellp
09:47 < buechse> seems like a froidian slip. meant hello, but i also need some help :D
09:48 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: leaving]
09:52 <@plaisthos> shpank: no different
09:52 <@plaisthos> outer encryption of EAP is a TLS session
09:53 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:58 < buechse> i have a cute little home server running ubuntu. i want to access my network via vpn. after reading the whole day, im getting more and more confused. my server has only one nic and id like to have a bridged vpn
09:58 < buechse> can somebody help me clarify some things?
10:00 <@plaisthos> !ask
10:00 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
10:00 < buechse> :D
10:02 < buechse> as far as i understand, the vpn server is running on my bridge adapter, for me: vpnbr0. the openvpn server has to listen on the same ip, that is configured in /etc/network/interfaces
10:03 < buechse> is that correct?
10:03 < buechse> the bridge shall "bridge" eth0 and tap0 for me, is that right?
10:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:05 -!- sickn3ss_ [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:22 -!- liriel [~liriel@asia.feralhosting.com] has quit [Read error: Connection reset by peer]
10:42 <@krzee> jefferai, sounds complicated, cool =]
10:45 < jefferai> krzee: no, the configs are generated automatically and which host is server/client algorithmically so it's not bad at all. And for now avoids the need for RIP/OSPF which would be even more complicated purely in terms of tying it into OpenVPN. Wouldn't even need a post script to add routes if the "route" statement in the server config works the way that I
10:45 < jefferai> think it's supposed to work.
10:45 <@krzee> hey thats cool
10:45 <@krzee> was this the automesher app?
10:46 <@krzee> or something you made
10:46 <@krzee> route command in any config adds a route to the local machine
10:46 <@krzee> server may also push routes to clients to act like it was in the client config (which can be done on a per client basis)
10:50 -!- mattock_afk is now known as mattock
10:54 -!- buechse [~buechse@p5DD2F330.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
10:59 -!- dimitry7 [~dimitry7@gate.aaamerica.com.mx] has joined #openvpn
10:59 < dimitry7> hello guys!
11:00 < dimitry7> what are the pros of IPsec from OpenVPN point of view?
11:01 < BtbN> What?
11:01 < BtbN> OpenVPN is not IPSec based.
11:01 <@krzee> !notcompat
11:01 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
11:02 < dimitry7> BtbN, No I know. I mean, compared to OpenVPN, what are the pros of using OpenVPN instead of IPsec?
11:02 < dimitry7> or viceversa
11:02 < dimitry7> which is better?
11:02 < dimitry7> I use OpenVPN
11:02 <@plaisthos> apples are better oranges
11:03 < dimitry7> IPsec is used mostly for windows environments right?
11:04 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
11:08 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
11:16 < Eugene> IPsec gets a lot of usage in nix environments because it's built-in to the kernel
11:27 -!- natanvarga [~natanvarg@gateway/tor-sasl/natanvarga] has joined #openvpn
11:28 < natanvarga> hi, how can i set my laptop to allow internet traffic only if the vpn is connected?
11:28 -!- mattock is now known as mattock_afk
11:28 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
11:31 -!- hyponic [~DJ@cm-84.210.219.124.getinternet.no] has quit [Ping timeout: 272 seconds]
11:34 <@krzee> natanvarga, firewall rules.
11:36 < natanvarga> is there something to edit in the openvpn config file?
11:37 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
11:38 -!- natanvarga [~natanvarg@gateway/tor-sasl/natanvarga] has quit [Quit: WeeChat 1.0.1]
11:38 -!- mattock_afk is now known as mattock
11:41 -!- natanvarga [~natanvarg@gateway/tor-sasl/natanvarga] has joined #openvpn
11:42 -!- dimitry7 [~dimitry7@gate.aaamerica.com.mx] has quit [Read error: Connection reset by peer]
11:52 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
11:53 -!- Chex [sss@kjax.northnook.ca] has quit [Ping timeout: 256 seconds]
11:56 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
11:56 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:59 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
12:03 <@plaisthos> natanvarga: no OpenVPN has no such feature
12:07 <@krzee> natanvarga, what OS are you on?
12:07 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
12:07 <@krzee> the client
12:09 <@dazo> natanvarga: all you need is a text editor ... the config files are easy despite openvpn being incredibly flexible, which makes it's harder to make a usable gui (something networkmanager-openvpn boldly shows)
12:10 <@krzee> :D
12:10 <@krzee> his goal cannot be achieved from the config tho, he needs an outbound firewall
12:10 <@dazo> heh
12:10 <@krzee> like little snitch (if on osx)
12:11 < natanvarga> im on manjaro
12:11 <@krzee> !google manjaro
12:11 <@vpnHelper> Manjaro Linux: <http://manjaro.org/>; Get Manjaro | Manjaro Linux: <http://manjaro.org/get-manjaro/>; DistroWatch.com: Manjaro Linux: <http://distrowatch.com/manjaro>
12:11 < natanvarga> arch based
12:11 <@krzee> oh then use iptables
12:11 < natanvarga> yeah thats what i thought
12:11 <@krzee> only allow outbound to the vpn server
12:11 < natanvarga> i guess i'll just have to take the time to configure it
12:12 <@krzee> shouldnt take long
12:12 < natanvarga> alright
12:12 < natanvarga> thanks
12:12 < natanvarga> gotta go
12:12 <@krzee> took longer to get the answer than impliment the solution ;]
12:12 < natanvarga> haha probably you're right
12:13 -!- natanvarga [~natanvarg@gateway/tor-sasl/natanvarga] has quit [Quit: WeeChat 1.0.1]
12:21 -!- prettyrobots is now known as blogometer
12:21 -!- blogometer is now known as prettyrobots
12:29 -!- mattock is now known as mattock_afk
12:33 < jefferai> krzee: Nope, not automesher, it's just some logic I added to Ansible playbooks
12:34 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 272 seconds]
12:34 < jefferai> krzee: thing is, route command is *not* adding routes to the local machine. When a client connects -- and there's only one of them, for a given server config -- I have route statements but I need to add those same exact routes via a script or they are not added to the kernel table
12:34 < jefferai> Which maybe is a bug
12:34 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
12:38 <@krzee> jefferai, the server adds the routes in its config when you start the server
12:39 <@krzee> you could add them in ccd entries or client-connect script if you want them added when the client connects
12:40 -!- prettyrobots is now known as blogometer
12:40 -!- blogometer is now known as prettyrobots
12:40 -!- prettyrobots is now known as demarius
12:40 -!- demarius is now known as prettyrobots
12:43 < jefferai> krzee: interesting, --client-config-dir text says
12:43 < jefferai> "The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config."
12:43 < jefferai> note, not --route
12:44 <@krzee> ahh ok
12:44 <@krzee> then client-connect script only i guess
12:44 <@krzee> or maybe --route-up
12:45 <@krzee> or maybe dazo has a better way?
12:45 <@krzee> (sounds like something eurephia probably tackled)
12:46 -!- prettyrobots is now known as jgpelletier
12:48 -!- jgpelletier is now known as prettyrobots
12:50 -!- prettyrobots is now known as pelletier
12:50 -!- pelletier is now known as prettyrobots
12:52 < jefferai> krzee: yeah, client-connect -- had to as it's the only one providing ${ifconfig_pool_remote_ip}
12:52 < jefferai> but it works fine
12:53 <@krzee> cool
13:05 -!- mattock_afk is now known as mattock
13:06 -!- Envil [~meep@95.211.26.40] has joined #openvpn
13:13 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:21 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:25 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:46 -!- dazo is now known as dazo_afk
13:53 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:59 -!- mback2k [~freenode@gateway.uxnr.de] has joined #openvpn
14:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
14:07 < Belliash> I got one question
14:07 < Belliash> does mssfix influent on traffic ?
14:11 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:15 -!- Latrina [~Latrina@adsl-ull-64-181.50-151.net24.it] has quit [Read error: Connection reset by peer]
14:20 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has joined #openvpn
14:20 -!- Latrina [~Latrina@adsl-ull-64-181.50-151.net24.it] has joined #openvpn
14:20 < ambro718> Hey. I'm using the TAP-windows driver in a project of mine and I'm getting bug reports about the GET_MTU ioctl failing. Anyone knows something about that?
14:22 < ambro718> This seems to be a very recent occurrence, possibly related to new openvpn/tap-windows versions. The code I use is here: https://github.com/ambrop72/badvpn/blob/master/tuntap/BTap.c#L270
14:22 <@vpnHelper> Title: badvpn/BTap.c at master · ambrop72/badvpn · GitHub (at github.com)
14:29 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has quit [Quit: If you believe in telekinesis, raise my hand.]
14:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:46 -!- JSharpe [~JSharpe@31.205.60.241] has quit [Ping timeout: 245 seconds]
14:56 -!- mback2k is now known as mback2k_
15:13 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
15:21 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
15:41 -!- Otacon22 [~otacon22@93-36-32-49.ip58.fastwebnet.it] has joined #openvpn
15:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:57 -!- imsomeoneelse [~eh@wsip-98-190-221-98.dc.dc.cox.net] has quit [Remote host closed the connection]
16:09 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
16:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 246 seconds]
16:34 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:50 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Quit: ZNC - http://znc.in]
16:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:13 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:18 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
17:31 -!- Irrelephant [Irrelephan@2a02:908:e26a:7200:f5fe:d98e:da63:a24c] has joined #openvpn
17:32 < Irrelephant> Hi all. Today I tried to set up a tap bridge using bridge-start script. When the bridge is up, the system looses its internet connectivity. How do I fix this?
17:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
17:36 < Eugene> The general-case answer is "don't use bridging".
17:36 < Eugene> !goal
17:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:39 < Irrelephant> Long story shot: I want to access my plex server on one of the clients that will be connected to the vpn server running on my linux box
17:40 < Irrelephant> tried using a tun interface which turned out to not work the way I wanted
17:40 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 260 seconds]
17:40 < BtbN> tun is what you want for that, though.
17:41 < Irrelephant> I want to use a bridge on the openvpn server to be able to directly nat the required port (32400 in this case) to the vpn client
17:41 < Eugene> You can add a Plex server manually, indeed.
17:41 < Eugene> bridge and nat don't exist in the same sentence
17:42 < Irrelephant> Okay ... so ... rephrasing this ...
17:43 < Irrelephant> If I set up a bridge and connect the vpn client to the vpn server, my router will be able to see the client ...
17:43 < Irrelephant> I could therefore forward the required port to the vpn client directly using the router
17:43 < Eugene> Sure, that puts the client "on" the server's LAN(in a standard setup).
17:43 < BtbN> And why wouldn't it "see" a normal openvpn client?
17:44 < Eugene> You don't need to do that to forward a port
17:44 < Eugene> And that's very, very convoluted
17:44 < Eugene> !xy
17:44 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
17:45 < Irrelephant> Not sure what you want to tell me with this, Eugene
17:45 < Eugene> What's yur goal
17:45 < Eugene> What's the problem being solved
17:45 < Eugene> openvpn is an answer to what question
17:46 < Irrelephant> well ...
17:46 < Irrelephant> It's not an answer exavtly. It's more like the means to achieve connectivity to my plex machine
17:47 < Eugene> That woud be the goal, then. Connectivity from where? To what?
17:47 < Irrelephant> the problem I need to solve is that the server looses internet connectivity once the bridge is up
17:47 < Irrelephant> Connectivity from my network to my parents' network
17:48 < Irrelephant> Windows client on my end to a linux box on my parents'
17:49 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
17:50 < Eugene> And Plex runs where?
17:50 < Irrelephant> on the windows client in my network
17:51 < Eugene> So what you really want to do is talk between those two networks, which is routing.
17:52 < Eugene> You don't need autodiscovery; Plex supports manually specifying a server
17:52 < Eugene> So toss bridging out the window and make life much simpler
17:52 < Eugene> !route
17:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:52 <@vpnHelper> client
17:52 < Eugene> Follow #4 & associated flowcharts ^
17:53 < Irrelephant> Thank you for the links you just provided ...
17:54 < Irrelephant> However, what do you mean by "manually specifying a server"?
17:55 < Eugene> For example, in the Android client, Menu --> Settings --> Manual connections
17:55 < Irrelephant> Ah, I see.
17:55 < Irrelephant> My situation however is more complex ...
17:55 < Eugene> Trust me, I've built worse.
17:56 < Eugene> Adding simplicity fixes it
17:56 < Irrelephant> My ISP uses Dual Stack Lite to assign IPs to customers ...
17:56 < Irrelephant> Meaning I don't have a public ipv4 address
17:56 < Irrelephant> but a public ipv6 on all devices in my network ...
17:57 < Eugene> So what? You've already got openvpn tunnel running
17:57 < Eugene> All you really need to do is ensure that the client(your laptop, running Plex) can reach the server's LAN, and vice-versa.
17:58 < Irrelephant> I don't quite follow ...
17:58 < Irrelephant> Even if the client can reach the server's LAN
18:01 -!- Irreleph4nt [Irrelephan@2a02:908:e26a:7200:f5fe:d98e:da63:a24c] has joined #openvpn
18:01 < Irreleph4nt> Ŝo I was either kicked from the server or my modem just diconnected
18:03 -!- Irrelephant [Irrelephan@2a02:908:e26a:7200:f5fe:d98e:da63:a24c] has quit [Ping timeout: 260 seconds]
18:03 -!- milligan [~milligan@voyage.vhost.usr.no] has quit [Excess Flood]
18:06 < Irreleph4nt> You may call me stupid or ignorant but setting up a tun connection between my network and my parents', I will have to manually forward all traffic on port 32400 to the client in my network. I would most likely use iptables to accomplish this because my parents' router will only be able to see the vpn server, not the connected clients ...
18:06 < Irreleph4nt> Or am I completely off base?
18:08 <@krzee> !clientlan
18:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
18:08 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
18:09 <@krzee> if theres already a vpn between the 2 networks, just route the lans over it
18:09 <@krzee> (i just jumped in so i could possibly misunderstand the issue)
18:12 < Irreleph4nt> krzee thanks for the flow-chart link ... you have not misunderstood the issue ...
18:12 < Irreleph4nt> I set up a tun connection eralier today ...
18:13 < Irreleph4nt> server and client could ping each other, but I could not access the plex or the webserver on the client when entering the client's vpn IP into the server's webbrowser
18:14 < Irreleph4nt> and in this case the flow chart is not helpful as I am a very early beginner concerning networking ...
18:14 <@krzee> probably something like this:
18:14 <@krzee> !route_outside_ovpn
18:14 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
18:14 < Irreleph4nt> No idea what the issue may be and that's why I came here to ask for advice regarding bridge mode
18:14 <@krzee> but really, if you cant understand the flowchart it means you're not ready for this
18:15 <@krzee> you dont need bridge mode, you need to learn how routing works
18:15 <@krzee> the doc in !route attempts to teach you some stuff
18:15 < Irreleph4nt> I do understand the chart, I just don't know where to start to fix my issue
18:15 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 272 seconds]
18:15 <@krzee> at the top
18:15 < Irreleph4nt> oh, and the router for the target network does not support customn routes
18:15 <@krzee> lol, thats how flowcharts work, literally
18:15 <@krzee> if you had READ !route you would know what to do about that
18:16 <@krzee> i wrote !route and the flowcharts, but you will have to actually read them before i'll help you
18:16 <@krzee> !read
18:16 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
18:16 <@krzee> !route
18:16 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
18:16 <@krzee> link #1
18:17 <@krzee> read the whole thing like 2x then use the flowcharts
18:18 <@krzee> then ask questions when you get stuck on the flowchart, whether its not knowing what the test wants from you, or not knowing how to handle the solution it gives
18:31 -!- abbe [having@badti.me] has quit [Read error: Connection reset by peer]
18:31 -!- abbe [having@badti.me] has joined #openvpn
18:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 264 seconds]
18:32 < Irreleph4nt> Just to make sure I understood the doc: To accomplish connectivity to either client's network, a ccd file is needed with iroute and the server config needs the corresponding push commands, correct?
18:35 < Irreleph4nt> Which means if the target network's gateway (my parents' router) has a route to the vpn subnet, it can route incoming requests to my plex machine
18:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:35 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Remote host closed the connection]
18:35 < Irreleph4nt> what beats me is how to set up the latter. My parents have an easy box dsl router which does not support customn routes
18:37 < Irreleph4nt> !serverlan
18:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
18:37 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
18:37 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
18:37 < Irreleph4nt> BTW: http://ircpimps.org/serverlan.png does not work
18:38 < Belliash> does mssfix parameter influent somehow on bandwidth?
18:40 < Irreleph4nt> krzee, going back to what you said last, I don't know what the very last "yes" box on serverlan.png is supposed to mean
18:41 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:41 < Eugene> !route_outside_ovpn
18:41 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
18:42 < Eugene> Diagram ^
18:43 < Irreleph4nt> Eugene, I just told you that I can't add routes to the gateway as it's my parents' router which does not support such thing
18:43 < Eugene> So you add the route to the OTHER machine
18:43 < Irreleph4nt> But nevertheless thanks again for pointing out that it's mentioned beneath the diagram
18:45 <@krzee> "See ROUTES TO ADD OUTSIDE OPENVPN in !route"
18:46 < Irreleph4nt> Eugene, by OTHER machine you mean the vpn server, I suppose?
18:46 <@krzee> "the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work."
18:47 < Eugene> Whichever one is trying to reach back to the vpn, and needs to know to go via the vpn server
18:49 < Irreleph4nt> If I add the route to all relevant machines, except for the router, doesn't that mean that port 32400 in the router would need to be forwarded to the vpn server and from there to the correct client on the vpn?
18:51 < Eugene> No....
18:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
18:51 < Eugene> They'd never touch the router
18:51 < Eugene> Connection goes to the vpn server, and out the vpn to the client
18:53 < Irreleph4nt> How is that supposed to work if the server is behind the router? If I point my browser outside any of those networks to <myparentsIP>:32400 their router would not know what to do with the package and drop it
18:54 < Eugene> IT doesn't go to that IP
18:54 < Eugene> It goes to the on-VPN IP of the machine hosting the service
18:55 < Eugene> Bonus: you can avoid the route-hackery by making the VPN Server do the NAT out to the VPN Client, and then just connect to <vpn server>:3400
18:56 < Eugene> If you want to access it from outside the network(eg, while on your phone), THEN you'd need the NAT from the router to the server(and then onwards to the client hosting the service)
18:56 -!- Irrelephant [Irrelephan@2a02:908:e26a:7200:f5fe:d98e:da63:a24c] has joined #openvpn
18:56 < Irrelephant> My connection just dropped ... did any of you reply to my last statement?
18:57 < Eugene> Some days I regret my decision to make join/parts hidden on my client.
18:57 -!- Irreleph4nt [Irrelephan@2a02:908:e26a:7200:f5fe:d98e:da63:a24c] has quit [Ping timeout: 260 seconds]
18:58 < Irrelephant> Sorry about that
18:58 < Eugene> https://gist.github.com/EugeneKay/d60523949a09e57b31d7
18:58 <@vpnHelper> Title: gist:d60523949a09e57b31d7 (at gist.github.com)
18:59 < Irrelephant> Thank you for the copy-paste
18:59 < Irrelephant> and yes, that is exactly what I intend to do - access all that from the outside while on the go
18:59 < Eugene> NATed NAT it is, then!
19:00 < Irrelephant> I should have spelled that out from the beginning
19:00 < Eugene> Yes, hence !goal and !xy ;-)
19:01 < Irrelephant> And yet, after reading all that and looking at the flow charts I still don't like the idea of using nat and routes
19:02 < Eugene> Alternate option: https://www.linode.com
19:02 < Irrelephant> I am never ever going to upload anything randomly personal to the cloud ...
19:03 < Eugene> $10/mo buys you 1GB of ram and 24GB of storage ;-)
19:03 < Irrelephant> so thanks, but no thanks
19:03 < Eugene> Good news: nobody cares.
19:03 < Irrelephant> I do. That's one person too much
19:03 < Eugene> You're right though, NAT-within-NAT is a bad hat
19:03 < Irrelephant> yaaay, I am right. Now I don't have to feel all that stupid anymore ;)
19:04 < Irrelephant> Which brings me back to my original question: How do I fix my bridge?
19:05 < Eugene> You don't bridge. Bridging is worse.
19:05 < Eugene> NAT has a chance of working here; bridge will just eat your cat.
19:07 < Irrelephant> I am afraid I won't be able to configure a double NAT successfully, though ...
19:07 < Irrelephant> So even if it might be a bad choice, bridging to me still seems far easier
19:07 <@krzee> why would it be double?
19:08 < Irrelephant> just call it NATed NAT then, if double does not make sense to you
19:08 <@krzee> why not just nat once?
19:08 <@krzee> …maybe get a router you control
19:09 < Irrelephant> No can do
19:09 < Irrelephant> my parents' ISP does not tollerate anything other then their own junk connected to WAN
19:10 < Irrelephant> And it has no bridge mode
19:10 < Irrelephant> If their router could be removed, I would actually set up the vpn server on their router ...
19:10 < Irrelephant> Makes all this far easier
19:11 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
19:12 < Irrelephant> What bugs me is: Even if you don't agree with my premature choice of bridging rather than natting, why won't you help me set up the bridge correctly? :D
19:15 -!- BtbN [btbn@btbn.de] has joined #openvpn
19:25 < Irrelephant> Well, as this isn't going anywhere I'll go to bed now. Thank you krzee and Eugene for the help you provided. Still wish the issue could have been resolved, though. Good night.
19:28 -!- Irrelephant [Irrelephan@2a02:908:e26a:7200:f5fe:d98e:da63:a24c] has quit [Quit: Leaving]
19:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:45 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Ping timeout: 264 seconds]
19:46 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
19:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 245 seconds]
19:59 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
20:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:06 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
20:06 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
20:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
20:07 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
20:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:13 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
20:14 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 260 seconds]
20:15 -!- Kniaz1 is now known as Kniaz
20:21 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:41 -!- catsup [~d@ps38852.dreamhost.com] has quit [Ping timeout: 244 seconds]
20:42 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
20:45 -!- phi0x [~phi0x@S01069072400a5d42.vs.shawcable.net] has joined #openvpn
20:46 < phi0x> hey guys, having a DNS leak issue only on windows OS machines, (only tested on windows 8 machines so far) please see my serverfault post with more details to the issue: http://serverfault.com/questions/632601/openvpn-dns-leak-in-windows-systems
20:46 <@vpnHelper> Title: openvpn DNS leak in windows systems - Server Fault (at serverfault.com)
20:46 -!- catsup [~d@ps38852.dreamhost.com] has quit [Ping timeout: 240 seconds]
20:47 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
20:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
20:54 <@krzee> try --register-dns
20:54 < phi0x> register-dns is already in the server config for push
20:54 < phi0x> its the last item on the post.
20:54 <@krzee> oh cool i didnt know that was pushable
20:54 < phi0x> yeah but it doesnt quite work.
20:54 <@krzee> does the client apply it (visable in client logs)
20:55 <@krzee> or did you try it in the client config then?
20:55 < phi0x> when it gets pushed
20:55 < phi0x> the client config complains about not being able to execute it
20:55 < phi0x> however if you manually run the commands, it still does not work
20:56 < phi0x> register-dns appears to be for windows xp/older OS's
20:56 < phi0x> tried adding security 2 and doing a up/down cmd config as well but that didn't work.
20:56 -!- catsup [~d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
20:56 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
21:00 -!- phi0x [~phi0x@S01069072400a5d42.vs.shawcable.net] has quit [Ping timeout: 250 seconds]
21:00 <@krzee> does windows apply the new ns?
21:01 <@krzee> and it goes to the internet without the vpn...?
21:01 <@krzee> or windows just doesnt apply it?
21:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
21:04 -!- phi0x [~phi0x@S01069072400a5d42.vs.shawcable.net] has joined #openvpn
21:04 < phi0x> sorry had to reset my comp to get my tap driver working again. did you say something?
21:04 <@krzee> <krzee> does windows apply the new ns?  krzee> and it goes to the internet without the vpn...?    <krzee> or windows just doesnt apply it?
21:05 -!- Chex [sss@northnook-4-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined #openvpn
21:05 < phi0x> the TAP adapter shows the DNS i've inputed, which is 1.1.1.1
21:05 < phi0x> for primary and secondary on the TAP
21:05 < phi0x> the regular ethernet adapter has ISP DNS obtained automatically.
21:06 < phi0x> DNS queries go through TAP but then when the system does a ping function, it doesn't appear to read from the TAP and reads from the ethernet DNS
21:07 < phi0x> for instance google.ca shows 1.1.1.1 as response. but when pinged it shows IP 173.194.33.127
21:07 <@krzee> you looked with wireshark right?
21:08 < phi0x> no
21:08 <@krzee> i wouldnt even use the word "leak" before i sniff traffic
21:08 <@krzee> til then its assumption
21:08 <@krzee> sniff it up, see whats really going on
21:08 <@krzee> it'll only take you a sec
21:08 < phi0x> but when I set the ethernet adapters DNS manually, it replies 1.1.1.1 for google.
21:09 < phi0x> thus thought that was good enough but i will try wireshark
21:10 <@krzee> ya that probably does mean what you said, still use wireshark and see whats going on
21:17 < phi0x> it appears as though no queries go through TAP and all go through ethernet first
21:17 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:17 < phi0x> which is confusing as when I nslookup it returns the 1.1.1.1
21:18 <@krzee> now that i look, i dont even see redirect-gateway being used
21:18 < phi0x> so im not sure why nslookup returns 1.1.1.1 when the query originates from ethernet and not TAP, TAP adapter appears to not be transmitting anything when I do nslookup.
21:18 <@krzee> and no route to 1.1.1.1
21:18 < phi0x> yes I didn't want to redirect all my traffic through the vpn. i wanted only to direct DNS
21:18 <@krzee> oh 1.1.1.1 is the servers external IP
21:19 < phi0x> yes
21:19 <@krzee> ya, you cant reach that over the vpn, you must use the servers VPN ip
21:19 <@krzee> 10.8.0.1
21:19 < phi0x> oh
21:19 <@krzee> if you routed 1.1.1.1 over the vpn which is on 1.1.1.1, there would be a routing loop
21:19 <@krzee> and shit would kaboom
21:21 < phi0x> so have to change dns-option from 1.1.1.1 to 10.8.0.1
21:21 <@krzee> and be sure its running on that o[
21:21 <@krzee> ip*]
21:22 < phi0x> yes it is running on that IP
21:22 < phi0x> however i believe i need to also add a route
21:22 <@krzee> i mean the NS
21:22 <@krzee> you have a route when on the vpn
21:22 < phi0x> when I just set the dns-option 10.8.0.1 it returns back 1.1.1.1 for the nslookup
21:22 <@krzee> and thats what you want?
21:23 < phi0x> yes and no, because when you ping a site, it doesnt say the site is 1.1.1.1 it says the sites real IP
21:23 <@krzee> or you want the lookup to show 10.8.0.1 so the connections goes over vpn?
21:23 <@krzee> you said you didnt want internet going over the vpn.
21:23 <@krzee> <phi0x> yes I didn't want to redirect all my traffic through the vpn. i wanted only to direct DNS
21:24 < phi0x> yes, only wanted the DNS lookups to be masked
21:24 <@krzee> is dns going over the vpn now? (only wireshark answers this)
21:25 < phi0x> nope
21:25 <@krzee> be sure you restarted the server after the config entry changed
21:25 < phi0x> yes restarted server and reconnected vpn on client
21:25 <@krzee> so now the client gets 10.8.0.1?
21:26 <@krzee> how can the client reach 10.8.0.1 over the internet...?
21:26 < phi0x> no it appears somehow the server ip is still showing up for dns resolution on the tap instead of 10.8.0.1
21:26 <@krzee> oh
21:26 <@krzee> im not much of a windows guy
21:27 <@krzee> what version of windows?
21:27 < phi0x> 8.1
21:27 <@krzee> hehe i havnt touched windows since xp
21:27 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
21:27 < phi0x> restarted the server and tap/client again and it appears to be routing dns through tap now on wireshark going to test
21:28 < phi0x> it appears that when i do nslookup now, it times out however shows 10.8.0.1 as the server to ask.
21:29 <@krzee> so go back to your server and be sure nameserver listens on 10.8.0.1, probably requires adding that ip to the listen block
21:30 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
21:30 < phi0x> ah yes ill try that
21:36 < phi0x> it appears my name server was listening on anything.
21:36 < phi0x> not sure if its a iptables issue then maybe
21:36 < phi0x> however if i route all traffic through VPN it appeared to work before, just it was routing all traffic via vpn server.
21:36 < phi0x> so that made me believe my iptables was ok
21:38 < phi0x> for my nat table i have
21:38 < phi0x> -A POSTROUTING -o eth0 -j MASQUERADE
21:38 < phi0x> -A POSTROUTING -j MASQUERADE
21:40 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:41 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
21:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 245 seconds]
22:11 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
23:18 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:57 -!- Chex [sss@northnook-4-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Ping timeout: 256 seconds]
23:59 -!- ShadniX [dagger@p5DDFE88A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Wed Oct 01 2014
00:00 -!- ShadniX [dagger@p5DDFE5C8.dip0.t-ipconnect.de] has joined #openvpn
00:06 -!- JuddyJacob [~androirc@unaffiliated/juddyjacob] has joined #openvpn
00:21 -!- JuddyJ [~androirc@unaffiliated/juddyjacob] has joined #openvpn
00:28 -!- JuddyJacob [~androirc@unaffiliated/juddyjacob] has quit [Remote host closed the connection]
00:28 -!- JuddyJ [~androirc@unaffiliated/juddyjacob] has quit [Remote host closed the connection]
00:29 -!- JuddyJacob [~androirc@unaffiliated/juddyjacob] has joined #openvpn
00:29 -!- JuddyJ [~androirc@unaffiliated/juddyjacob] has joined #openvpn
00:31 -!- JuddyJacob [~androirc@unaffiliated/juddyjacob] has quit [Client Quit]
00:40 -!- JuddyJ [~androirc@unaffiliated/juddyjacob] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
01:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:21 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
01:21 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
01:34 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has quit [Ping timeout: 245 seconds]
01:37 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has joined #openvpn
01:52 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
02:00 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 245 seconds]
02:17 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has quit [Ping timeout: 250 seconds]
02:59 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
03:11 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
03:33 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Remote host closed the connection]
03:33 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
03:52 -!- Otacon22 [~otacon22@93-36-32-49.ip58.fastwebnet.it] has quit [Ping timeout: 244 seconds]
03:53 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
03:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
04:02 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
04:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
04:39 -!- dazo_afk is now known as dazo
04:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:44 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
04:45 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
04:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:15 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 256 seconds]
05:20 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
05:32 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has joined #openvpn
05:34 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:47 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
05:54 -!- krthnz [~aehm@unaffiliated/krthnz] has quit [Ping timeout: 245 seconds]
05:55 -!- instigator [~synthesis@ti-228-57-222.telkomadsl.co.za] has joined #openvpn
06:16 -!- instigator [~synthesis@ti-228-57-222.telkomadsl.co.za] has left #openvpn []
06:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
06:26 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
06:30 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:38 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
06:38 < urbanendeavour> hi
06:39 < urbanendeavour> I am getting this error, please assist 'CPage error in CLogin/locateChild'
06:40 < urbanendeavour> I am using the openvpnas appliance
06:51 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
06:54 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
06:59 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:08 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
07:16 -!- shio [marmot@175.121.101.84.rev.sfr.net] has joined #openvpn
07:29 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
07:29 < esde> !configs
07:29 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:33 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has quit [Ping timeout: 260 seconds]
07:50 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has joined #openvpn
07:55 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
07:55 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Client Quit]
07:59 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
08:08 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
08:11 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
08:12 -!- shio [marmot@175.121.101.84.rev.sfr.net] has quit [Remote host closed the connection]
08:18 -!- shio [marmot@175.121.101.84.rev.sfr.net] has joined #openvpn
08:27 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
08:38 < deranged_user> Doea openvpn by default use tls for client <-> server?
08:38 < deranged_user> If using keys for auth
08:44 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:14 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
09:18 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:05 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:09 < Eugene> Yes.
10:16 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:19 < urbanendeavour> Has anyone got this working with DUO?
10:19 < urbanendeavour> It seems to bypass 2FA and just log me straight in using my vpn password.
10:30 < urbanendeavour> I want to use remote access vpn with 2FA do I need the openvpnas version?
10:33 < Eugene> !as
10:33 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
10:33 < Eugene> (I have no idea what you're talking about)
10:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
10:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
10:58 -!- Skcream [~skunkcrea@rrcs-71-41-4-106.sw.biz.rr.com] has joined #openvpn
10:58 < Skcream> Hey guys, long time no see.
11:02 < Eugene> Welcome, to zombocom
11:08 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Remote host closed the connection]
11:11 < Skcream> Eugene: I love that joke.
11:11 < Skcream> !seen krzee
11:11 -!- Envil [~meep@95.211.26.40] has joined #openvpn
11:11 < Skcream> Guess your bot doesn't have that.
11:11 <@krzee> phi0x, why do you have NAT rules if you dont need NAT?
11:11 < Eugene> Nope. He was here yesterdayish
11:12 < Eugene> There we go
11:12 <@krzee> !seen krzee
11:12 <@krzee> hmm
11:12 <@krzee> !seen
11:12 < Skcream> krzee: Hey, I was hoping to ask you about something you mentioned in a conversation with me a few weeks ago before I got distracted with this new job.
11:12 <@krzee> was it regarding tun versus tap? :D
11:13 <@krzee> i tend to lecture people on that
11:13 < Skcream> I know the difference. :p
11:13 < Skcream> http://pastebin.com/d3t0vPQd
11:13 < Skcream> It was your suggestions for using iproute to chain VPNs.
11:13 < Skcream> I got distracted with school and work stuff for a while but now I want to go back to writing a program to do that.
11:14 < Skcream> But I was confused when you mentioned incrementing the cidr network prefix and doubling the routes.
11:14 < Skcream> Could you explain that a little more?
11:14 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
11:15 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
11:17 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
11:17 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:17 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 244 seconds]
11:17 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 244 seconds]
11:17 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 244 seconds]
11:17 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
11:17 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 244 seconds]
11:17 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 244 seconds]
11:17 -!- indy [~indy@fantomas.bestit.cz] has quit [Ping timeout: 244 seconds]
11:17 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Ping timeout: 244 seconds]
11:17 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 244 seconds]
11:17 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 244 seconds]
11:17 -!- phi0x [~phi0x@S01069072400a5d42.vs.shawcable.net] has quit [Ping timeout: 244 seconds]
11:17 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
11:18 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
11:18 < Skcream> Woah.
11:18 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
11:18 < Skcream> Netsplit?
11:18 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
11:19 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
11:19 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
11:19 <@krzee> Skcream, it's kinda baseic routing, learn how def1 works when used in --redirect-gateway
11:19 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
11:19 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
11:19 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
11:19 <@krzee> which works that way so the default route can be overridden without being deleted
11:20 <@krzee> if you dont understand what it does you arent ready for vpnchainas
11:20 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
11:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:28 < Skcream> krzee: I know how --redirect-gateway works, and I know how cidr works. I'm having trouble figuring out what the routes I added would look like.
11:28 < Skcream> I looked over the log and googled for a few hours before returning here. And I'm a little embarassed at that.
11:29 <@krzee> i said def1
11:31 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has joined #openvpn
11:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
11:37 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has quit [Ping timeout: 272 seconds]
11:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:37 -!- mode/#openvpn [+v s7r] by ChanServ
11:38 < Skcream> krzee: def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. << If that is what you mean then yes, I understand that. And I know how CIDR works. What I don't understand is the following: Let's say I'm connected to VPN1 and I want to chain VPN2. I create a direct route to VPN1 via VPN2 and override 
11:38 <@krzee> rather you create a direct route to VPN2 via VPN1
11:45 < Skcream> krzee: I'd be angry at you for doing this to me if I hadn't done it so much myself.
11:45 < Skcream> I guess I'll go back to researching.
11:45 <@krzee> well i mean
11:46 <@krzee> really you're just recreating redirect-gateway def1
11:46 <@krzee> direct route to the new server over the old default route (which is the last vpn server already connected to)
11:47 <@krzee> then override the default route with more specific routes
11:47 <@krzee> to override /0 you need 2 routes of /1
11:47 <@krzee> to override those 2 routes of /1 you need 4 routes of /2
11:48 <@krzee> this makes it so you still have internet if a vpn goes down, if that is not desired you may delete the default route and add a new one
11:49 < Skcream> krzee: Oh. I thought it was a critical part of the chain.
11:49 < Skcream> I was under the impression that when searching for routes we cascade down the replaced routes every time
11:49 <@krzee> that means you didnt understand def1
11:49 < Skcream> I see what you mean now.
11:49 < Skcream> Maybe...Let's see if I can make it work.
11:50 <@krzee> i mean, you knew def1 wasnt critical to making redirect-gateway work
11:50 < Skcream> That's why I was so confused.
11:50 <@krzee> so why would extending def1 to the chain be critical to extending redirect-gateway to the chain
11:50 <@krzee> hehe
11:51 < Skcream> So, the process is as follows:
11:51 < Skcream> Connect to VPN1.
11:51 < Skcream> Override
11:51 < Skcream> Connect to VPN2.
11:51 < Skcream> Override.
11:51 < Skcream> Etc until we get to the end, correct?
11:51 <@krzee> assuming "override" = correct, sure
11:52 < Skcream> Thanks.
11:52 <@krzee> i mean thats 1 step removed from "configure vpnchains, done."
11:52 <@krzee> haha
11:52 <@krzee> literally says nothing
11:52 < Skcream> Sorry if it seemed like I was being rude back there krzee.
11:52 < Skcream> I'm just anzy because I thought I broke this server.
11:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:53 <@krzee> nah you were fine, unless you mean another day back in which case i dont remember but you dont seem to be on my ignore list so you were prolly fine
11:53 < Skcream> Thanks for your help. I'll get to work on this script soon, I think I understand how it will work now.
11:53 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Quit: Leaving]
11:54 < Skcream> Also, turns out the server isn't broken.
11:54 <@krzee> yw
11:54 < Skcream> So I'm not getting fired!
11:54 <@krzee> you're testing on production servers?!?
11:54  * krzee fires you
11:55 < Skcream> I'm not testing. It got shut down during the middle of an upgrade.
11:55 < Skcream> But I didn't realize it at the time.
11:55 < Skcream> I just noticed all of a sudden mysql server stopped running and had no idea why.
11:55 < Skcream> I just got this job and once I'm here for a week or two they'll let me just VPN in from then on, only showing up once in a while. Which would be great.
11:57 -!- catsup [~d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
11:58 <@krzee> yep love remote work
11:58 <@krzee> any job where pants are optional is worth doing
11:59 < Skcream> krzee: I shall remember that statement. See you later!
11:59 -!- Skcream [~skunkcrea@rrcs-71-41-4-106.sw.biz.rr.com] has left #openvpn []
12:02 -!- u0m3 [~u0m3@92.80.111.231] has quit [Read error: Connection reset by peer]
12:02 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
12:02 < wallbroken> hi
12:02 < wallbroken> is it possible to push an openvpn connection into an ssh tunnel?
12:02 < wallbroken> ssh tunnel allows only tcp connetions
12:02 < wallbroken> *c
12:02 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:03 <@krzee> wallbroken, you say you want to run openvpn over a ssh tunnel?
12:03 < wallbroken> yes
12:03 <@krzee> youd vpn will suck, but it is possible
12:03 <@krzee> you would need to run it on tcp, and use the socks proxy config options
12:03 < wallbroken> there will be too much overhead?
12:03 <@krzee> !tcp
12:03 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
12:03 <@krzee> it will be tcp in tcp in tcp
12:03 < wallbroken> [19:03] <@krzee> you would need to run it on tcp, and use the socks proxy config options
12:03 < wallbroken> no
12:03 <@krzee> aka nagles alorythm meltdown as hell
12:03 < wallbroken> no socks configuration
12:04 < wallbroken> but a remote configuration
12:04 <@krzee> wallbroken, thats how ssh proxy works
12:04 <@krzee> like say you use ssh forwarding to send firefox over ssh tunnel
12:04 < wallbroken> vpn will connect to 127.0.0.1, ssh tunnel will connect to a ssh server with vpn server as a destination
12:04 <@krzee> yes, it will connect to the socks proxy at 127.0.0.1
12:05 <@krzee> like how youd configure firefox
12:05 < wallbroken> no!!!
12:05 <@krzee> you wouldnt put 127.0.0.1 in the address bar
12:05 <@krzee> YES
12:05 <@krzee> im telling you, not asking you
12:05 < wallbroken> openvpn client will not use proxy
12:05 <@krzee> you asked, im telling you.
12:05 <@krzee> "openvpn client" ?
12:05 < wallbroken> yes
12:05 <@krzee> !download
12:05 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:05 <@krzee> !as
12:05 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:05 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
12:05 < wallbroken> you know that ssh tunnel provides 3 connetion ways?
12:05 <@krzee> "openvpn client" is a commercial product
12:06 < wallbroken> local, remote, forwarding
12:06 <@krzee> you are in the opensource help channel.
12:06 -!- u0m3 [~u0m3@109.96.164.216] has joined #openvpn
12:06 < wallbroken> i do know that i'm in the opensource help channel, but who cares? i'm talking about the opensource openvpn
12:07 <@krzee> not if you're talking about "openvpn client"
12:07 <@krzee> did it come from here:  http://openvpn.net/index.php/download/community-downloads.html
12:07 <@vpnHelper> Title: Community Downloads (at openvpn.net)
12:07 < wallbroken> yes
12:07 <@krzee> ok then its not "openvpn client"
12:07 < wallbroken> openvpn in client mode, that's better?
12:07 <@krzee> very much so
12:08 <@krzee> to do what you're asking about you need to setup a ssh connection like this:   http://wiki.vpslink.com/Instant_SOCKS_Proxy_over_SSH
12:08 <@vpnHelper> Title: Instant SOCKS Proxy over SSH - VPSLink Wiki (at wiki.vpslink.com)
12:08 < wallbroken> ok, taking back to the problem: openvpn "client" ---> ssh client tunnel -----(internet)-----> ssh server ------> openvpn server
12:08 <@krzee> then you tell openvpn to use socks proxy of 127.0.0.1
12:09 <@krzee> and it'll connect to the server over the ssh tunnel
12:09 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
12:09 < wallbroken> remote 127.0.0.1 443
12:10 <@krzee> no
12:10 <@krzee> thats the same as putting 127.0.0.1 443 in your firefox address bar
12:10 < wallbroken> yes, and it works, because it is not working in a proxy way
12:11 <@krzee> why are you here asking?
12:11 <@krzee> since you know better than me
12:11 <@krzee> btw when you get tired of it not working, here you go:  socks-proxy 127.0.0.1 443
12:11 < wallbroken> simply is there some ssh client on my pc that listen on local and forward to openvpn server trough ssh server.
12:11 < wallbroken> because i need to know how openvpn works on tcp
12:12 <@krzee> assumin you did ssh -p ssh_server_port -D 443 username@ssh_server_ip
12:12 <@krzee> ok and when you put the forwarder in remote, how does it know the vpn server ip?
12:12 <@krzee> since you know so much, you can teach me
12:13 < wallbroken> you need to tell it to ssh client as the "destination"
12:14 <@krzee> ok then what do you need to know about how openvpn works on tcp?
12:14 <@krzee> besides the fact that tcp-in-tcp-in-tcp will be horrible?
12:15 < wallbroken> i heard some time ago that there could be some problem caused by congestion advoiance algorithm implemented in tcp stack
12:15 <@krzee> yep,
12:15 <@krzee> !tcp
12:15 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
12:18 <@krzee> according to that presentation by james 11 years ago, one of the big reasons why openvpn is cool is that it can avoid the problem of tcp in tcp that ssh tunnels gives
12:19 < wallbroken> do you know if openvpn connect iOS client could redirect traffic incoming from other hosts?
12:20 <@krzee> give me an example of what that would be
12:22 < wallbroken> i do need to make tethering trought openvpn
12:22 <@krzee> you will need iroute
12:22 <@krzee> !iroute
12:22 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:22 < Eugene> You want traffic from your tethered laptop to go through openvpn?
12:22 < Eugene> Just run openvpn on the laptop.
12:22 <@krzee> ^ that
12:23 < Eugene> You can proooobably do it via the phone, but it'll be a giant pain in the ass.
12:23 <@krzee> or will it be multiple wifi tethered things?
12:24 < wallbroken> iphone doesn't allow tethering without paying extra money. so, i'd like to find a workaround with openvpn
12:24 <@krzee> Eugene, well it'll basically just be a normal redirect setup with an iroute for the tethered guys and an extra nat rule for them
12:24 <@krzee> oh lol
12:24 <@krzee> are you at least jailbroken?
12:24 < wallbroken> no
12:25 <@krzee> they probably block you way before the network
12:25 < wallbroken> i do have a software called openvpn connect on iphone that make me use opensource configuration
12:25 <@krzee> they control your entire phone
12:25 <@krzee> lol
12:25 <@krzee> but i wouldnt know, i dont use ios
12:26 < wallbroken> how to try? just adding redirect def1 on iphone configuration?
12:26 <@krzee> "well it'll basically just be a normal redirect setup with an iroute for the tethered guys and an extra nat rule for them"
12:27 <@krzee> !redirect
12:27 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:27 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:27 <@krzee> !iroute
12:27 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:27 <@krzee> what OS is your server?
12:27 < wallbroken> debian
12:27 <@krzee> !linnat
12:27 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
12:27 <@krzee> !linipforward
12:27 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:28 <@krzee> you'll also need to nat the same network as the iroute
12:28 < wallbroken> i'm a little confused about new topology
12:28 <@krzee> ?
12:30 < wallbroken> iphone openvpn should connect to linux server over carrier, then, laptop will connect via wifi to the iphone, then openvpn on laptop where should connect?
12:31 <@krzee> in the new version iphone doesnt run openvpn
12:32 <@krzee> it just gives wifi to laptop, who runs openvpn
12:32 <@krzee> same idea.
12:32 <@krzee> if 1 works, the other will too
12:32 <@krzee> because the network will see the same thing
12:33 <@krzee> i dont expect it works in any case
12:33 <@krzee> because i dont expect the only way the block it is a firewall
12:33 < wallbroken> so, maybe linux server could be removed
12:33 <@krzee> id imagine they do it the easy way, by using the fact that you have no control over the device you bought
12:33 < wallbroken> it could be a p2p between laptop and iphone
12:34 <@krzee> the iphone does not need to run openvpn for what you're saying
12:34 <@krzee> just the device connecting over the laptop
12:35 <@krzee> just the device connecting over the wifi hotspot through the iphone*
12:35 < wallbroken> the iphone needs to run openvpn, openvpn on the iphone should router traffic from wifi to 3g
12:35 < wallbroken> -r
12:35 <@krzee> hows that different?
12:36 <@krzee> whether the phone initiates the vpn or the client who is already tethered does
12:36 <@krzee> either way its the same traffic leaving your iphone
12:38 < wallbroken> i don't know if openvpn on ios could run as server
12:38 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
12:38 <@krzee> no
12:38 <@krzee> maybe the real openvpn on a jailbroken iphone
12:38 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
12:39 <@krzee> but not that official app from the app store
12:39 -!- dazo is now known as dazo_afk
12:39 < wallbroken> so, openvpn on laptop should run as a server, then openvpn on ios will be connect to it. setting openvpn redirect traffic to iphone
12:40 <@krzee> lol no
12:40 <@krzee> where did you get that?
12:40 < wallbroken> from my imagination :)
12:40 < wallbroken> why that could not work?
12:40 <@krzee> servers dont redirect over clients
12:40 < wallbroken> ah ok
12:40 <@krzee> besides
12:40 <@krzee> why do you think ios needs to run a vpn?
12:41 < wallbroken> i often run vpn to avoid public wifi restrictions
12:41 <@krzee> but specifically for this tethering thing
12:43 < wallbroken> i'm trying something to make tethering for free, the only closer thing that works is ssh tunnel. but then, i referred to openvpn. but i'm not sure how to use it in this way
12:43 <@krzee> right, so you are saying that you can tether, but the traffic when it goes out the 3g will only work for the tethered client if going out to the vpn
12:44 <@krzee> and what i keep saying is that means you dont need openvpn on the iphone, you need it on the tethered machine
12:44 <@krzee> much easier that way.
12:44 <@krzee> or is your response that there will be many random tethered machines and this is not an option?
12:45 < wallbroken> let me explain better:
12:45 <@krzee> i understand you
12:45 < wallbroken> tether in what i'm talking about is to use 3g internet from other devices trought the iphone
12:45 <@krzee> but there is no way the carrier knows which machine is connecting to the vpn
12:46 < wallbroken> no
12:46 < wallbroken> the limitation is about the iphone software
12:46 <@krzee> then how does openvpn help bypass software limitations?
12:46 < wallbroken> carrier unlocks tether on the iphone only if i pay
12:47 <@krzee> carrier only knows its tethered traffic if its http headers and such
12:47 <@krzee> like the headers say windows and you're on an iphone
12:47 < wallbroken> i don't know how openvpn could be, maybe redirecting all incoming traffic to 3g
12:48 <@krzee> if openvpn helps tethered clients access the internet, then it'll work when openvpn is run on a tethered machine too
12:48 < wallbroken> yes, but that's not a real problem, you talking about a sort of deep packet inspection
12:48 < wallbroken> but you can hide traffic with an ssl tunnel
12:48 <@krzee> right, because thats how a carrier would know
12:48 <@krzee> what im saying is that the tunnel itself can be established by the tethered user
12:48 < wallbroken> but there is another common way that "my" carrier uses to allow or not tethering
12:48 <@krzee> because theres no way for the carrier to know its a tethered user doing it
12:48 < BtbN> Well, but if a carrier can block your iphone from letting anything connect to it, there's not anything OpenVPN can do for you there.
12:49 <@krzee> exactly ^^'
12:49 <@krzee> if openvpn can really help, then it doesnt matter if the tethered client runs it
12:49 < wallbroken> yes but in some cases, like ssh tunnel, iphone can't notice that is thetering
12:50 <@krzee> then it wont notice the tethered client started the vpn tunnel!
12:50 <@krzee> lol
12:50 < BtbN> So you want to connect to your phone through the 3G link, just to tunnel out again...? oO
12:50 < wallbroken> iphone doesn't know that traffic from ssh app is incoming from another host
12:51 < wallbroken> yes
12:51 <@krzee> wallbroken, then it wont know the openvpn traffic is coming from the tethered client, give it a try
12:52 < wallbroken> but if you told me that openvpn on ios can't run in a server mode... and in a client mode can't make redirect, there is no way.
12:53 < BtbN> There's also no point.
12:53 <@krzee> mainly no point
12:53 <@krzee> especially no point.
12:55 <@krzee> hmm actually there could be, maybe i get it
12:55 <@krzee> if the iphone software sees the ssh tunneled traffic as being generated by the iphone itself
12:56 <@krzee> because its not being routed like all other traffic would be
12:57 <@krzee> i dont think you can use ios connect in a way that would help you
12:57 <@krzee> id still try running openvpn on a tethered client
12:57 <@krzee> and not on the phone
12:59 < wallbroken> i can't get tethering for free.
12:59 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:59 < wallbroken> there is not somebody knows openvpn connect as well?
12:59 < wallbroken> maybe novaflash
13:00 <@krzee> !connect
13:00 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
13:00 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
13:01 <@krzee> how do the clients connect to the ssh tunnel without some sort of tethering already working?
13:03 < wallbroken> ssh listens on a socket
13:03 < wallbroken> you can connect to it from another host over the same network
13:03 <@krzee> how do you get on the same network when the phones in tethering mode?
13:03 < wallbroken> ad-hoc wifi between phone and laptop
13:04 <@krzee> then do that, and try starting a vpn connection from the laptop
13:04 < wallbroken> ... you already said that openvpn connect won't run in server mode
13:04 < wallbroken> maybe you are not sure about it?
13:04 <@krzee> correct, notice how i never said anything about running openvpn on the iphone?
13:05 <@krzee> i said to run it on the laptop, connecting to the server
13:05 <@krzee> which is on the internet
13:05 <@krzee> give that a try
13:05 < wallbroken> can you give me the simplest configuration to try?
13:05 <@krzee> if that doesnt work, try configuring a lan behind the client
13:06 <@krzee> no, i cannot
13:07 <@krzee> what i mean by lan behind the client is:
13:07 <@krzee> run openvpn on the iphone connecting to server on the internet
13:07 <@krzee> !clientlan
13:07 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
13:07 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:07 <@krzee> for the ad-hoc network
13:07 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
13:10 < wallbroken> [20:07] <@krzee> run openvpn on the iphone connecting to server on the internet
13:10 < wallbroken> the only thing on internet is the iphone
13:10 < wallbroken> laptop has no access to internet without thetering
13:11 -!- Pyrogerg [~Gregory@192.81.213.92] has joined #openvpn
13:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:13 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:14 <@krzee> ok so do that
13:14 <@krzee> give it a try
13:15 <@krzee> i cant say it'll work, but you can try running openvpn on the iphone to the server with redirect-gateway, once that is working you need to add an iroute in a ccd entry for whatever subnet the ad-hoc laptop gets when connecting ad-hoc
13:15 <@krzee> and make sure the server also nats that subnet
13:15 <@krzee> then you tell the laptop to route default over the ad-hoc
13:16 <@krzee> that'll make the ad-hoc traffic go over the vpn that the iphone established
13:26 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
13:26 -!- mode/#openvpn [+o mattock] by ChanServ
13:27 < wallbroken> krzee, which one need to be set in server mode?
13:28 < wallbroken> iphone o laptop?
13:28 <@krzee> neither
13:28 <@krzee> the iphone connects to the server on the internet
13:29 <@krzee> and the laptop connects to iphone in ad-hoc mode
13:29 <@krzee> oh wait that would require ip forwarding on the iphone
13:29 <@krzee> and no jailbreak
13:29 <@krzee> so ya, you cannot use openvpn for this.
13:29 <@krzee> ssh tunnels for you.
13:31 < wallbroken> but why i cannot use a p2p mode between laptop and iphone?
13:32 <@krzee> ios connect uses the vpn interface in ios to configure network stuff
13:32 <@krzee> that gives limited control
13:35 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
13:35 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
13:35 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
13:36 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
13:38 < wallbroken> i was thinking to do that: ovpn connect runs in client mode and connects to ovpn server that runs over the laptop trought wifi. then ovpn connect forwards traffic to 3g, and laptop has ovpn as the default gateway
13:44 <@krzee> can you enable ip forwarding on the iphone?
13:45 <@krzee> im pretty sure you cannot...
13:45 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
13:48 < wallbroken> ip forwarding on openvpn configuration?
13:48 < wallbroken> of on the OS?
13:48 < wallbroken> *or
13:49 <@krzee> os
13:49 <@krzee> do you know what ip forwarding is?
13:50 < wallbroken> maybe not, pushing traffic from one to another subnet?
13:50 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Ping timeout: 264 seconds]
13:51 <@krzee> ip forwarding is needed any time traffic will go from one interface to another
13:51 <@krzee> like in eth0 and out tun0 for example
13:52 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has joined #openvpn
13:52 < Cyclohexane> !paste
13:52 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:55 < Cyclohexane> Can someone point me in the right direction please? What was previously working has stopped, here's what I've scrapped from the client logs: http://pastebin.com/jXz4DHbc
14:00 <@krzee> !certverify
14:00 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
14:06 < wallbroken> krzee, i think that if it works for ssh, is enabled
14:07 <@krzee> nope
14:07 <@krzee> thats not how its happening when you proxy through ssh
14:08 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:08 <@krzee> in fact if i wanted to detect / block tethering i guess thats how i would attack it
14:08 <@krzee> detect / block any forwarding, which would leave me open to ssh tunnels, lol
14:08 <@krzee> so ya im back to believing openvpn cannot solve your problem
14:09 <@krzee> on android it prolly could ;]
14:09 <@krzee> although on android you could just get a better rom and not need to hack around their crap
14:09 <@krzee> since tethering is a function of the device, not the carrier
14:12 < DArqueBishop> I'm still a little confused as to what he's trying to accomplish.
14:13 <@krzee> i get it i think
14:13 <@krzee> his phone is an iphone unjailbroken, it wont allow him to tether without paying (because they dont give him access to his own device)
14:13 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
14:13 <@krzee> but if he makes an ad-hoc network he can connect to an ssh tunnel on his iphone which will allow him to route out to the internet
14:14 <@krzee> he was hoping openvpn could do it, but no because it would require ip forwarding
14:14 <@krzee> which he cannot enable without control over his device
14:14 < DArqueBishop> Yeah, I don't think what he's after is technically possible.
14:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
14:22 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
14:30 < wallbroken> krzee, i tried to connect to ssh tunnel from lan without gateway, and use as a destination an internet ip class to make it use 3g
14:30 < wallbroken> and it works
14:31 < wallbroken> so, ip forward should be enabled
14:37 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has left #openvpn []
14:37 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
14:42 <@krzee> unrelated
14:42 <@krzee> ssh tunnels dont need ip forwarding
14:43 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:43 < wallbroken> neither to forward traffic from wifi adapter to 3g?
14:44 <@krzee> its not traversing seperate interfaces
14:44 <@krzee> in via a socket, out via an interface, as far as the kernel is concerned it came from the iphone itself, which is probably why you can bypass the tethering block with it
14:45 <@krzee> they probably decided forwarding = tethering
14:45 <@krzee> which really is about right
14:49 < wallbroken> my idea is always connect in p2p mode iphone and laptop
14:49 <@krzee> your idea requires ip forwarding, aka jailbreaking
14:50 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:50 <@krzee> and if you jailbreak i think you can tether without openvpn and ssh tunnels anyways
14:50 <@krzee> lol
14:50 < wallbroken> your idea was that iphone needs to connect to an external server via internet
14:51 <@krzee> you dont tunnel out to the internet with your setup?
14:51 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:51 <@krzee> either way with openvpn approach you need ip forwarding
14:51 <@krzee> the difference is openvpn uses a device (tun) internally and sshd does not
14:52 <@krzee> openvpn is NOT your solution.
14:58 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
14:58 -!- Pyrogerg [~Gregory@192.81.213.92] has quit [Ping timeout: 272 seconds]
15:04 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
15:04 -!- Prelude2004c [~Prelude20@dsl-67-55-28-3.acanac.net] has joined #openvpn
15:04 < Prelude2004c> hi everyone good day
15:05 < Prelude2004c> is there a reason why the openvpn connection speed would be so sporatic ? meaning it goes up 15mbit/s then goes to 13 then 15 then 12 athen 10 then 15 etc etc
15:05 < Prelude2004c> just keeps jumping around
15:05 < Prelude2004c> testing without the VPN doesn't have that problem
15:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:12 -!- mattock is now known as mattock_afk
15:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
15:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:15 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
15:20 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.0]
15:20 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
15:24 < Prelude2004c> hey, in linux ( centos ) how do i install openvpn on /etc/openvpn instead of the default /usr/local/openvpn diretory?
15:24 < Prelude2004c> what ist he param to intall in alternative destination
15:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:25 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
15:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:49 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.90.1 [Firefox 32.0.3/20140923175406]]
16:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
16:09 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:15 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 258 seconds]
16:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
16:34 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:40 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
16:48 -!- adaptr is now known as aquibblr
16:49 -!- aquibblr is now known as adaptr
16:51 -!- shio [marmot@175.121.101.84.rev.sfr.net] has quit [Disconnected by services]
16:52 -!- shio [marmot@137.121.101.84.rev.sfr.net] has joined #openvpn
16:57 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:58 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 245 seconds]
17:00 -!- spyro1248 [~ian@87.114.1.81] has quit [Quit: Lost terminal]
17:02 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
17:10 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 250 seconds]
17:12 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
17:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:17 < Eugene> Installing from source will usually put things into local. You want to grab one of the pre-built packages made available from epel instead.
17:18 -!- moonkid [~anonymous@107-211-136-240.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:22 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 272 seconds]
17:35 -!- moonkid [~anonymous@107-211-136-240.lightspeed.hstntx.sbcglobal.net] has quit [Read error: Connection reset by peer]
17:36 -!- moonkid [~anonymous@107-211-136-240.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
17:46 -!- absence [eC96ifobjL@horisont.pvv.ntnu.no] has left #openvpn []
17:47 -!- moonkid [~anonymous@107-211-136-240.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
18:05 -!- moonkid [~anonymous@ng1.cptxoffice.net] has joined #openvpn
18:13 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
18:15 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
18:17 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 250 seconds]
18:20 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
18:20 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
18:20 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
18:25 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:31 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
18:35 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
18:43 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:44 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:49 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
18:49 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
18:53 -!- N-Mi [~nicolas@calvix/staff/N-Mi] has quit [Ping timeout: 240 seconds]
18:55 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
18:55 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:01 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
19:02 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
19:03 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
19:09 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
19:41 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
19:45 -!- twistie [~tristan@58.162.232.10] has joined #openvpn
19:46 < twistie> Hi all, looking for some assistance in getting a problematic VPN link connection working.
19:52 <@krzee> what is the problem?
19:57 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
20:07 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
20:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
20:19 -!- moonkid [~anonymous@ng1.cptxoffice.net] has quit [Quit: moonkid]
20:20 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 240 seconds]
20:34 -!- twistie [~tristan@58.162.232.10] has quit [Quit: Lost terminal]
20:46 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
20:59 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:04 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
21:21 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has quit [Quit: have fun]
21:29 -!- fakhir_ [~fakhir@unaffiliated/fakhir] has joined #openvpn
21:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:50 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
22:29 -!- someone [someone@2600:3c01::f03c:91ff:fedf:feb8] has quit [Quit: ZNC - http://znc.in]
23:43 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
23:57 -!- ShadniX [dagger@p5DDFE5C8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:57 -!- ShadniX [dagger@p5DDFDAFA.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Oct 02 2014
00:05 -!- AKBlindy [~jticket@jt-lx.info] has joined #openvpn
00:18 -!- joako [~joako@cpe-199.21.149.122.ca.yorkinet.com] has joined #openvpn
00:19 -!- joako [~joako@cpe-199.21.149.122.ca.yorkinet.com] has quit [Changing host]
00:19 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:36 -!- NullEntity_ [~NullEntit@unaffiliated/nullentity] has joined #openvpn
00:41 -!- mattock_afk is now known as mattock
00:51 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
01:08 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 272 seconds]
01:09 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has quit [Ping timeout: 260 seconds]
01:24 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
01:29 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
01:52 -!- mattock is now known as mattock_afk
01:58 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
02:07 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Read error: Connection reset by peer]
02:07 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
02:47 -!- dazo_afk is now known as dazo
02:48 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Max SendQ exceeded]
03:37 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:47 -!- shio [marmot@137.121.101.84.rev.sfr.net] has quit [Remote host closed the connection]
03:48 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
03:50 -!- rhct [~DMZ@fedora/rhct] has quit [Ping timeout: 250 seconds]
03:50 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
04:20 -!- cheesenbiscuts [~cheesenbi@175.144.84.206] has joined #openvpn
04:35 -!- kar [~kar@user-164-127-41-47.play-internet.pl] has joined #openvpn
04:35 < kar> !welcome
04:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
04:35 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:41 -!- shio [marmot@137.121.101.84.rev.sfr.net] has joined #openvpn
05:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:14 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
05:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
06:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Quit: killall -9 irc]
06:18 -!- mattock_afk is now known as mattock
06:33 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
06:33 < urbanendeavour> hi
06:34 < urbanendeavour> does anyone have experience integrating duosecurity with openvpn?
06:34 < urbanendeavour> I am being prompted for the passcode but it fails. duosec report the failure and the logs on openvpn show the failure.
06:35 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
06:52 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
06:59 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 250 seconds]
07:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:11 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:43 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
07:48 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
08:08 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:18 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 260 seconds]
08:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
08:24 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:25 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
08:25 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:30 -!- someone [~someone@chronostasis.net] has joined #openvpn
08:37 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has joined #openvpn
08:42 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 250 seconds]
09:10 -!- Pyrogerg [~Gregory@205.167.120.203] has joined #openvpn
09:30 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:46 -!- AKBlindy [~jticket@jt-lx.info] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
09:52 -!- dbear [~Thunderbi@75-174-205-70.phnx.qwest.net] has joined #openvpn
09:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:54 -!- kar [~kar@user-164-127-41-47.play-internet.pl] has quit [Quit: WeeChat 1.0.1]
09:58 -!- Pyrogerg [~Gregory@205.167.120.203] has quit [Ping timeout: 245 seconds]
10:00 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:01 -!- mode/#openvpn [+v s7r] by ChanServ
10:02 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
10:04 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:22 < dbear> I have an openvpn setup to talk with my pfsense firewall. All was working well last week. Now, this week, authentication fails. This makes no sense. We did not change the password for the openvpn user on the fw. Can anyone tell me my authentication would start to fail after a week ? Or point me to the log files to search for an answer?
10:30 <@dazo> dbear: are clocks in sync?  maybe some certificates expired?
10:30 <@dazo> check server logs ... they might provide the best clues in this case
10:31 < dbear> dazo: hm, didn't consider clocks. Will look in to it. Thanks
10:31 <@dazo> clocks are important when certificate validation periods are checked
10:31 < dbear> Also, where does openvpn put its logs? what does it name them ?
10:31 <@dazo> dbear: either via syslog or wherever the --log option configures them
10:33 < dbear> dazo: ok -- so openvpn probably doesn't put them someplace unique. If I grep through /var/log/syslog will there be an openvpn string I can use to filter everything else out?
10:33 <@dazo> again, depends on the config ... normally you can grep for 'openvpn'
10:33 <@dazo> but it might be that either --daemon or --syslog have modified the program name
10:34 <@dazo> it uses in syslog
10:34 < dbear> ok: I'm using an openvpn that was packaged for pfsense -- so I'm not sure how things are configured.
10:34 <@dazo> I dunno much about pfsense, except it usually gets positive kudos from users
10:35 < dbear> what amount of clock skew is permissible for authentication ?
10:35 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:35 <@dazo> dbear: a few minutes
10:36 <@dazo> dbear: but if the local clock is outside the validity period of the certificates, then there's no clock skew allowed
10:38 < dbear> is it possible to have an openvpn connection that is just based on the ssl certificates without authentication ?
10:38 <@dazo> nope
10:39 <@dazo> that's actually a contradiction, as certificates is used for authentication
10:39 < dbear> ok
10:39 < dbear> thanks
10:40 <@dazo> a certificate contains a validity period, a public key and a signature which can be confirmed if you have the signers certificate.  That signature ensures that the information in the certificate has not been modified
10:40 <@dazo> (a certificate contains more information, like subject, valid use cases and such things too, just didn't mention it to avoid confusion)
10:46 -!- dazo is now known as dazo_afk
10:49 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Quit: Leaving]
10:54 -!- dbear1 [~Thunderbi@174-19-219-76.phnx.qwest.net] has joined #openvpn
10:57 -!- dbear [~Thunderbi@75-174-205-70.phnx.qwest.net] has quit [Ping timeout: 272 seconds]
10:57 -!- dbear [~Thunderbi@174-19-222-25.phnx.qwest.net] has joined #openvpn
10:58 -!- dbear1 [~Thunderbi@174-19-219-76.phnx.qwest.net] has quit [Ping timeout: 240 seconds]
10:59 < dbear> dazo: thanks. I just checked my logs. On the openvpn server I can't see any indication of a remote connecation failing because of a failed authentication. However, on the client I see the message is 'auth-failure' Thu Oct 02 08:56:13 2014 [ha-vpnserver] Peer Connection Initiated with [AF_INET]98.174.245.186:1195
10:59 < dbear> Thu Oct 02 08:56:15 2014 AUTH: Received control message: AUTH_FAILED
10:59 < dbear> Thu Oct 02 08:56:15 2014 SIGUSR1[soft,auth-failure] received, process restarting
11:00 < dbear> So I assume this means the password failed for the openvpn user..
11:00 < dbear> It's strange that I can't find a corresponding failure on the openvpn server though
11:01 < dbear> WAIT:
11:01 < dbear> I take it back.
11:01 < dbear> I did find the error.
11:02 < dbear> ath-user-pass-verify failed on the server
11:02 < dbear> now -- why..
11:02 < dbear> I know the password is correct
11:02 < dbear> I've even reset it to something very easy to check
11:12 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
11:14 -!- dbear [~Thunderbi@174-19-222-25.phnx.qwest.net] has quit [Ping timeout: 272 seconds]
11:20 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
11:53 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 260 seconds]
11:56 -!- rulezzz [~rulezzz@189-212-141-193.static.axtel.net] has joined #openvpn
12:27 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:30 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:46 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:54 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:55 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has joined #openvpn
13:01 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
13:08 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:33 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:34 -!- Chex [sss@northnook-4-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined #openvpn
13:46 -!- knob [~knob@76.76.202.243] has joined #openvpn
13:48 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:50 < knob> Hello, I have a n00b doubts: I am following the link.    Can I tunnel all traffic from ONE client via the VPN?                From reading the link, I am not sure if the change I have to do is over in the server-side of things.       link: https://openvpn.net/index.php/open-source/documentation/howto.html#redirect
13:50 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:50 <@vpnHelper> Title: HOWTO (at openvpn.net)
13:51 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:52 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:53 < Eugene> Yes. Typically that directive is put in server-side, but you can put it in the client's config too
13:53 < Eugene> Or you can have the server send it to only specific clients
13:53 < Eugene> !ccd
13:53 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
13:53 < knob> Eugene, thanks.   I am reading the HowTo... yet I am a little bit confused.
13:53 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:54 < Eugene> It's a client-side option; the server push-es it to the client
13:54 < knob> Oh.  That's handy.
14:11 -!- mattock is now known as mattock_afk
14:13 < ambro718> Hey. I'm using the TAP-windows driver in a project of mine and I'm getting bug reports about the GET_MTU ioctl failing. Anyone knows something about that?  This seems to be a very recent occurrence, possibly related to new openvpn/tap-windows versions. The code I use is here: https://github.com/ambrop72/badvpn/blob/master/tuntap/BTap.c#L270
14:13 <@vpnHelper> Title: badvpn/BTap.c at master · ambrop72/badvpn · GitHub (at github.com)
14:14 < ambro718> the user claims the latest OpenVPN has the problem but not the latest tap-windows as distributed stand-alone.  https://github.com/ambrop72/badvpn/issues/2
14:14 <@vpnHelper> Title: ERROR(BTap): DeviceIoControl(TAP_IOCTL_GET_MTU) failed · Issue #2 · ambrop72/badvpn · GitHub (at github.com)
14:23 < BtbN> Windows has ioctls?
14:24 < BtbN> Isn't that a linux syscall?
14:29 < ambro718> no it's windows
14:30 < ambro718> the GET_MTU is implemented in tap-windows driver, https://github.com/OpenVPN/tap-windows/blob/master/src/tapdrvr.c#L1960
14:30 <@vpnHelper> Title: tap-windows/tapdrvr.c at master · OpenVPN/tap-windows · GitHub (at github.com)
14:30 < ambro718> don't mind the different macro, they're the same value
15:06 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:06 -!- someone [~someone@chronostasis.net] has quit [Quit: ZNC - http://znc.in]
15:15 -!- someone [~someone@chronostasis.net] has joined #openvpn
15:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
15:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:11 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
16:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
16:13 -!- NullEntity_ [~NullEntit@unaffiliated/nullentity] has quit [Ping timeout: 246 seconds]
16:13 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
16:19 -!- Droolio [~drool@host86-143-180-191.range86-143.btcentralplus.com] has quit [Ping timeout: 245 seconds]
16:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
16:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:26 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
16:28 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
16:33 <@krzee> Eugene, my OPO came, no issues =]
16:34 < Eugene> I hope your pants catch fire
16:34 <@krzee> gonorrhea?
16:35 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:47 < jeev> ugh
16:47 < jeev> so bored
16:48 < jeev> trying to get a big client
16:51 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
16:51  * krzee gives jeev a forklift
16:57 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:57 < jeev> heh no
16:57 < jeev> if i can get this one, i'm done, i can't grow anymore
16:58 < jeev> i shouldn't be growing now, i'm extremely happy. but i want this one.
16:58 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:09 -!- Pyrogerg [~Gregory@75-173-154-17.albq.qwest.net] has joined #openvpn
17:13 -!- shio [marmot@137.121.101.84.rev.sfr.net] has quit [Remote host closed the connection]
17:17 -!- rulezzz [~rulezzz@189-212-141-193.static.axtel.net] has quit [Quit: Leaving]
17:28 -!- speaker1234 [speaker123@2601:6:3380:992:2c7a:461f:523d:551] has joined #openvpn
17:39 -!- Pyrogerg_ [~Gregory@75-173-154-17.albq.qwest.net] has joined #openvpn
17:40 -!- Pyrogerg [~Gregory@75-173-154-17.albq.qwest.net] has quit [Ping timeout: 260 seconds]
17:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
17:42 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has quit [Ping timeout: 258 seconds]
17:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:02 < Eugene> 2-3 big clients is better than 20 small ones
18:04 -!- Pyrogerg_ [~Gregory@75-173-154-17.albq.qwest.net] has quit [Ping timeout: 250 seconds]
18:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
18:46 -!- NullEntity_ [~NullEntit@unaffiliated/nullentity] has joined #openvpn
19:00 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has joined #openvpn
19:01 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has quit [Remote host closed the connection]
19:02 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has joined #openvpn
19:06 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has quit [Client Quit]
19:07 -!- dbear [~Thunderbi@wsip-98-174-245-186.ph.ph.cox.net] has joined #openvpn
19:17 < dbear> how might I troubleshoot an auth-failure with openvpn?
19:17 < dbear> I have verified the password
19:17 < dbear> I have verified the time
19:18 <@krzee> whats the auth?
19:18 <@krzee> pam?
19:19 <@krzee> you checking logs from the auth stuff?
19:22 < dbear> krzee: use local auth -- the openvpn server is running on a pfsense firewall
19:22 < dbear> krzee: the thing thats frustrating is that it was working for the last two weeks.
19:23 < dbear> sometime this week the credentials just stopped working
19:23 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
19:24 < dbear> is it possible to turn up logging on the server to get more info?
19:24 <@krzee> its not openvpn, openvpn just takes the exit success or fail from the script doing the auth
19:24 <@krzee> but probably yes
19:25 <@krzee> it would depend on the script and what it does
19:49 -!- dbear [~Thunderbi@wsip-98-174-245-186.ph.ph.cox.net] has quit [Ping timeout: 244 seconds]
19:49 -!- dbear [~Thunderbi@184-98-142-62.phnx.qwest.net] has joined #openvpn
19:52 -!- dbear1 [~Thunderbi@wsip-98-174-245-186.ph.ph.cox.net] has joined #openvpn
19:54 -!- dbear [~Thunderbi@184-98-142-62.phnx.qwest.net] has quit [Ping timeout: 272 seconds]
19:54 -!- dbear1 [~Thunderbi@wsip-98-174-245-186.ph.ph.cox.net] has quit [Client Quit]
20:11 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 240 seconds]
20:13 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
20:16 -!- fakhir [~fakhir@unaffiliated/fakhir] has joined #openvpn
20:17 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
20:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:19 -!- fakhir_ [~fakhir@unaffiliated/fakhir] has quit [Ping timeout: 260 seconds]
21:26 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:28 -!- speaker1234 [speaker123@2601:6:3380:992:2c7a:461f:523d:551] has quit [Ping timeout: 260 seconds]
22:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:18 -!- sand3r [~user@unaffiliated/sand3r] has joined #openvpn
22:18 < sand3r> ho
22:18 < sand3r> hi
22:18 < sand3r> how to i change resolv DNS settings for my openvpn server?
22:24 < sand3r> nv
22:24 -!- sand3r [~user@unaffiliated/sand3r] has quit [Quit: leaving]
23:56 -!- ShadniX [dagger@p5DDFDAFA.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:59 -!- ShadniX [dagger@p5DDFCF6E.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Oct 03 2014
00:06 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
00:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
00:39 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:42 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
00:48 -!- knob [~knob@76.76.202.243] has quit [Ping timeout: 245 seconds]
00:50 -!- LanDi [~LanDi@186.232.216.90] has joined #openvpn
01:00 -!- LanDi [~LanDi@186.232.216.90] has quit [Quit: fui !]
01:08 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
01:21 -!- MisterE [~MisterE@unaffiliated/mistere] has joined #openvpn
01:22 -!- mattock_afk is now known as mattock
01:38 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has joined #openvpn
01:38 -!- ambro718 [~ambro@gentoo/contributor/ambro718] has quit [Client Quit]
01:40 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
01:40 < alexw> Is it possible to limit users based on private subnets
01:50 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:51 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:51 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
01:53 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
01:53 <@krzee> alexw, please expand on what you mean
01:53 < alexw> Never mind found it :P
01:53 < alexw> Using open access server here
01:53 <@krzee> are you asking if you can firewall the port?
01:53 <@krzee> oh
01:53 <@krzee> !as
01:53 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
01:53 <@krzee> !no_as
01:53 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
01:55 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
01:59 < james41382> anyone have experience with openvpn and homegroup for windows? i want to know how to get my laptop to communicate with my desktop through the homegroup automatically when i connect to the vpn.
01:59 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
02:00 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:01 <@krzee> …that was quick
02:01 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:01 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
02:05 <@krzee> james41382, what do you really want?
02:05 <@krzee> like what app
02:06 < james41382> not an app.. files to able to get to my files.
02:06 < james41382> like say i'm at work and i'm thinking.. "oh i wish i had that". i can just connect and pull it off the desktop hard drive.
02:08 <@krzee> you can easily mount it by ip?
02:08 <@krzee> otherwise i suggest a wins server
02:08 <@krzee> or dns
02:09 <@krzee> it would work in bridge mode, but that would be a poor reason to bridge
02:11 < james41382> yeah i was thinking about bridging it and just putting the vpn clients on the same subnet as the lan...
02:11 <@krzee> !wins
02:11 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
02:13 < james41382> thanks i'll take a look.
02:18 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
02:21 -!- suexec [~suexec@10.79-161-231.customer.lyse.net] has joined #openvpn
02:27 -!- cheesenbiscuts [~cheesenbi@175.144.84.206] has quit [Ping timeout: 244 seconds]
02:30 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
02:38 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Ping timeout: 272 seconds]
02:46 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
02:48 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
02:55 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
03:00 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
03:13 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
03:14 -!- dazo_afk is now known as dazo
03:20 <@krzee> dazo you still rocking the nokia?
03:21 <@dazo> krzee: nope, got myself a Jolla phone around new year
03:21 <@krzee> I just got my new oneplus one
03:21 <@krzee> finished configuring it and all, love it!
03:21 <@dazo> My N900s began to slowly die, so it was needed :)
03:22 < shpank> dazo: how is the jolla? a colleague of mine also needs a replacement for his n900
03:22 < shpank> and he was considering buying one
03:23 <@dazo> shpank: The only big downside, as I see it with the Jolla ... lack of hw-keyboard.  Except of that, I love it completely.  It's really working very well, and the gesture oriented Sailfish OS fits me very well
03:24 <@dazo> krzee: looks like a great phone!
03:24 <@krzee> ya man and it feels real nice in my hand
03:24 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
03:25 <@dazo> (even though I don't understand the megapix battle on the cameras ... if you want more than 2mpix, you really need proper lenses, and not the microscopic plastic shite you find on phones)
03:25 <@krzee> full disk crypto is setup, cyanogenmod is the stock os, unlocking the bootloader does not voice the warranty
03:25 <@krzee> it has a 6 piece lense
03:25 <@dazo> that's a really good start for an open phone :)
03:25 <@krzee> s/voice/void/
03:26 <@krzee> you literally unlock the bootloader with:  fastboot oem unlock
03:27 < shpank> kewl.
03:27 <@krzee> and 350 with no contract is pretty nuts considering the specs
03:27 <@dazo> I saw that ... but actually the fewer lense pieces you have, the better the image gets, as each layer adds some kind of distortion ... but on the other hand, you can't have too few, as some of them does some correction too.  Which means each lense piece has to have a really high quality glass to add as little distortion as possible (which is why pro-lenses for SLR cameras often cost as much or more as the camera housing)
03:28 <@krzee> finally done, im going to crash
03:28 <@krzee> g'nite
03:29 <@dazo> another thing with the mpix hysteria.  With 2Mpix, you can usually do a fairly good A4 full size print
03:29 <@dazo> krzee: gnite
03:29 -!- alexw [~textual@unaffiliated/alexw] has quit [Ping timeout: 272 seconds]
03:51 -!- suexec [~suexec@10.79-161-231.customer.lyse.net] has quit [Ping timeout: 246 seconds]
04:00 -!- suexec [~suexec@10.79-161-231.customer.lyse.net] has joined #openvpn
04:00 < suexec> Hey. I am a client to a vpn server. I found the option "route-nopull" that I can add if I don't want any routes added. Is there any way I can do that command, but ONLY not pull any ipv6 routes?
04:10 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 272 seconds]
04:14 <@dazo> suexec: no, that's not possible.  But iirc, you can use --route-up and a script which can filter out the routes you don't want.  This script will need to add the pushed routes you want.
04:17 -!- suexec [~suexec@10.79-161-231.customer.lyse.net] has quit [Ping timeout: 260 seconds]
04:29 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:29 -!- Billy2 [~nwnkirc@pool-98-110-181-88.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
04:29 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Remote host closed the connection]
04:41 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 260 seconds]
04:49 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
04:51 < MisterE> oh I wanted to ask krzee about soft ether
04:51 < MisterE> too late
05:11 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
05:23 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
05:33 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
05:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:45 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
05:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:48 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
05:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:50 -!- knob [~knob@76.76.202.243] has joined #openvpn
05:52 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
05:56 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Ping timeout: 260 seconds]
06:10 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
06:14 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
06:18 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
06:23 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
06:39 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
06:51 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:11 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
07:13 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 240 seconds]
07:22 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
07:23 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:51 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
08:02 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
08:24 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
08:50 < knob> Hey guys... question: I am following the link, and I have a question.  If I drop this following command into a client machine, which is connected to my VPN, will the client machine route all the traffic through the VPN?
08:50 < knob> https://openvpn.net/index.php/open-source/documentation/howto.html#redirect
08:50 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:50 < knob> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
08:52 < knob> I don't know if I am doing something that even makes sense...  wrote that line on the command line, and when I do a traceroute google.com      I am still getting routed through the local interface, instead of the VPN tunnel tun0
08:54 < DArqueBishop> As a not-entirely-expert person... is this something that this client will always need?
08:55 < DArqueBishop> In any event, that won't help at all. That command needs to go onto the server, not the client.
08:55 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:57 < DArqueBishop> The configuration option 'push "redirect-gateway def1"' needs to be added to the server config file; if it's only for specific clients, then you need to use a ccd directory/configs for client-specific options.
08:58 < knob> DArqueBishop, thank you.   I was reading about the ccd, yet I don't understand it well.
08:58 < knob> !ccd
08:58 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
08:59 < DArqueBishop> So, if the specific client uses the common name of "client1", and you have the ccd directory set as /etc/openvpn/ccd (for example), you'd pop that push config option into /etc/openvpn/ccd/client1.
09:00 < knob> Oh wow... that explains a lot.
09:00 < knob> Really.
09:00 < knob> So, I am testing  client99
09:01 < knob> I would do   /etc/openvpn/ccd/client99
09:01 < DArqueBishop> Right.
09:01 < DArqueBishop> Just make sure you have 'client-config-dir /etc/openvpn/ccd' in server.conf (or whatever you call the config file on the server).
09:02 < knob> Ok ok... cool.            And ultra-n00b question:      Can I have a   /etc/openvpn/ccd/client99   ONLY,         and nothing for my other clients?
09:02 < DArqueBishop> Absolutely.
09:02 < knob> Awesome.  Ok, testing now.  :)
09:03 < DArqueBishop> All you pop in client99 are the config options that should ONLY apply to that client.
09:05 < lorens> !welcome
09:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:06 < lorens> !goal
09:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
09:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:35 -!- mattock is now known as mattock_afk
09:46 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 260 seconds]
09:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
09:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:04 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:13 -!- natanvarga [~natanvarg@se2x.mullvad.net] has joined #openvpn
10:14 < natanvarga> if i wanna get my vpn to autoconnect when ive logged in
10:14 < natanvarga> is that enough to set connection.autoconnect in nmcli to true?
10:14 < natanvarga> cos i've done that and it does not start up
10:18 <@ecrist> sort of answers your own question, doesn't it?
10:18 < natanvarga> i suppose there's more to do then
10:19 < natanvarga> is that what you mean?
10:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:20 <@ecrist> you can set openvpn up as a service
10:20 <@ecrist> and have it connect that way
10:20 < natanvarga> o yeah, i've read something about that
10:21 < natanvarga> thanks i'll look into that and if i cant get it to work we'll see
10:26 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
10:29 -!- natanvarga [~natanvarg@se2x.mullvad.net] has quit [Ping timeout: 260 seconds]
10:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
10:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:58 -!- lorens [~lorenzo@213.27.241.114] has quit [Ping timeout: 260 seconds]
11:20 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:23 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
11:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:24 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
11:41 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
12:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
12:13 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
12:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
12:29 -!- Han [~han@unaffiliated/han] has joined #openvpn
12:30 < Han> http://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
12:30 <@vpnHelper> Title: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) (at openvpn.net)
12:30 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Quit: No Ping reply in 180 seconds.]
12:31 < Han> I just changed the connection on my wlan from b/g/n to g, and the security from wpa to wpa2 and now I get this error while connecting.
12:32 < Han> What's happening here?
12:32 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
12:33 <@ecrist> wtf does your wlan have to do with openvpn?
12:33 <@ecrist> sounds like a routing or other network issue
12:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:34 < Han> You tell me. That's all I changed. And now I get that error.
12:34 <@ecrist> that error is indicative of openvpn being unable to contact the remote server
12:34 <@ecrist> i.e. a local (LAN) issue
12:35 < Han> Let me set up a netcat link on udp 1194 from one to the other.
12:36 <@ecrist> that's not going to really do anything
12:36 <@ecrist> nmap maybe
12:36 <@ecrist> what does the server log show?
12:38 < Han> can I paste you 3 lines in a pm?
12:38 <@ecrist> what's wrong with here, or a PM?
12:38 <@ecrist> 3 lines, in channel is ok
12:38 < Han> because it contain my ip addresses
12:39 <@ecrist> so what
12:39 <@ecrist> !topsecret
12:39 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
12:39 < Han> I proposed a PM.
12:39 <@ecrist> s/PM/pastebin/
12:42 < Han> http://paste.debian.net/124369/
12:45 < Han> ecrist, so what news did you learn from my log entries?
12:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
12:47 < Han> Ah, I should have used the 128.66.0.0/16 range?
12:48 < DArqueBishop> I agree with ecrist. That looks far more like a router/AP issue than an OpenVPN one.
12:48 < DArqueBishop> More to the point, if all you changed had to do with the WLAN, then it's your WLAN that's the issue.
12:50 < Han> everything else still works fine. I'm connected with it as we speak. Let me reconnect for experiments sake.
12:50 < DArqueBishop> If you didn't change anything on OpenVPN, and it worked before, I seriously doubt OpenVPN is the problem.
12:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:51 < Han> I even have another connection... Check, openvpn works. Now lets change back to the wlan that didn't work but worked before.
12:54 < Han> Doesn't work. If I use nc to check traffic on port 1194 I see incomming encryted data.
12:58 -!- dazo is now known as dazo_afk
12:59 < Han> There! Changed wpa2 back to wpa and I can connect. Weirdness!
13:03 < Eugene> !man
13:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
13:03 < Han> Ah! wpa2/aes does work!
13:03 < Han> But not with aes-tkip
13:03 < Han> WPA has, as of 2006, been officially superseded by WPA2. One of the most significant changes between WPA and WPA2 was the mandatory use of AES algorithms and the introduction of CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) as a replacement for TKIP (still preserved in WPA2 as a fallback system and for interoperability with WPA).
13:04 < Eugene> !download
13:04 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
13:05 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
13:06  * Han wishes ecrist to be foreever haunted by flakey helpdesk that always play the blame game.
13:07 -!- Han [~han@unaffiliated/han] has left #openvpn []
13:07 < Eugene> Don't be bringing that dark magic up in here
13:07 < Eugene> What the FUCK, windows.
13:35 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
13:50 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: Connection reset by peer]
13:50 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
13:51 < Eugene> I revise my earlier: what the FUCK, pfsense.
14:10 -!- eatkin [~eatkin@204.228.139.196] has left #openvpn ["Konversation terminated!"]
14:11 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: Connection reset by peer]
14:11 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
14:32 -!- mode/#openvpn [+b *!*@unaffiliated/han] by ecrist
14:33 -!- rob0 [rob0@pdpc/valentine/postfixninja/rob0] has joined #openvpn
14:33 -!- mode/#openvpn [+o rob0] by ChanServ
14:34 -!- mode/#openvpn [+e *!*@~a:PeterFA] by rob0
14:36 -!- mode/#openvpn [-o rob0] by rob0
14:36 -!- mode/#openvpn [-e *!*@~a:PeterFA] by rob0
14:36 <@ecrist> :\
14:37 -!- mode/#openvpn [+o Eugene] by ChanServ
14:37  * Eugene removes pants from ecrist
14:39 < rob0> hiya, I just forget to /join here sometimes
14:39 -!- ShadniX [dagger@p5DDFCF6E.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
14:43 -!- ShadniX [dagger@p5DDFE210.dip0.t-ipconnect.de] has joined #openvpn
14:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
14:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:15 -!- NullEntity_ [~NullEntit@unaffiliated/nullentity] has quit [Ping timeout: 244 seconds]
15:19 -!- NullEntity_ [~NullEntit@unaffiliated/nullentity] has joined #openvpn
15:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:29 -!- knob [~knob@76.76.202.243] has quit [Quit: Leaving]
15:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:53 -!- Prelude2004c [~Prelude20@dsl-67-55-28-3.acanac.net] has quit [Read error: Connection reset by peer]
15:58 -!- imsomeoneelse [~eh@wsip-98-190-221-98.dc.dc.cox.net] has joined #openvpn
16:06 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:08 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 245 seconds]
16:13 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
16:35 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:39 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:41 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
17:06 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
17:08 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Disconnected by services]
17:08 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
17:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:36 -!- rich0__ [~quassel@gentoo/developer/rich0] has joined #openvpn
17:40 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
17:54 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
18:04 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:31 -!- busch [~busch@datenschleuder.com] has joined #openvpn
18:35 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
18:42 < Moonlightning> What's this about OpenVPN invoking bash?
18:44 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
18:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:59 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:07 -!- rich0__ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
19:08 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
19:09 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:25 <@krzee> Moonlightning, sure, if you tell it to
19:25 <@krzee> Moonlightning,
19:25 <@krzee> !script
19:25 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
19:25 < Moonlightning> Oh, okay.
19:26 <@krzee> note, this is needed in linux for accepting pushed dns
19:26 <@krzee> --up script is used for that
19:27 <@krzee> but to my knowledge it only does so when asked
19:27 <@krzee> (also needed for pw auth)
19:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
19:30 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
20:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:30 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Quit: No Ping reply in 180 seconds.]
20:31 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
21:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
21:40 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
21:40 -!- u0m3_ [~u0m3@109.96.164.216] has joined #openvpn
21:50 -!- Chex [sss@northnook-4-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Ping timeout: 256 seconds]
21:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:52 -!- Olivier| [~Olivier@unaffiliated/olivier] has joined #openvpn
21:56 -!- Netsplit *.net <-> *.split quits: u0m3, pa, Olivier, catsup, liriel
21:56 -!- Netsplit over, joins: liriel
21:59 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
22:05 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 258 seconds]
22:16 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
22:20 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 260 seconds]
22:47 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:47 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has joined #openvpn
23:00 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
23:04 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
23:04 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
23:26 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:50 -!- ShadniX [dagger@p5DDFE210.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:50 -!- ShadniX [dagger@p5DDFDB33.dip0.t-ipconnect.de] has joined #openvpn
23:52 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
--- Day changed Sat Oct 04 2014
00:07 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:21 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
00:30 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
00:31 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Max SendQ exceeded]
00:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:35 -!- mulga [~mulga_afk@unaffiliated/mulga] has joined #openvpn
00:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Max SendQ exceeded]
00:36 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:38 -!- james41382 [~james@unaffiliated/james41382] has quit [Max SendQ exceeded]
00:39 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:53 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Read error: Connection reset by peer]
00:54 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
01:01 -!- Dis__ [~NullEntit@unaffiliated/nullentity] has joined #openvpn
01:03 -!- NullEntity_ [~NullEntit@unaffiliated/nullentity] has quit [Ping timeout: 244 seconds]
01:07 -!- mulga [~mulga_afk@unaffiliated/mulga] has quit [Ping timeout: 272 seconds]
02:03 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
02:06 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
02:14 -!- lerra [~lerra@c-979872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
02:16 < lerra> Hi, im playing around with openvpn access server and google authenticator, im on the included license of 2 users for testing. When I do enable google auhenticator all codes I do put in when I login as a user in the webgui to download the config is failing, the machine is ntp synced and time is ok. Is it failing because I dont have a proper license or for something else ?
02:27 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 272 seconds]
02:27 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Read error: Connection reset by peer]
02:28 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
02:30 < KNERD> i never got that gogle crap to work
02:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:34 < lerra> in the access server or in the community version ?
02:37 < KNERD> just the gooogle services
02:38 < KNERD> in anything
02:47 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
02:53 < lerra> got it working,was the time on the phone that was a bit out of sync
03:25 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
03:35 -!- Envil [~meep@95.211.26.40] has joined #openvpn
03:59 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
04:01 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
04:51 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 260 seconds]
05:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:08 < rob0> !as
05:08 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
05:09 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
05:58 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
06:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:28 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
06:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
06:32 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
06:33 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
06:33 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
06:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:44 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
06:46 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
06:50 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
06:51 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
06:51 -!- rich0__ [~quassel@gentoo/developer/rich0] has joined #openvpn
07:17 -!- rich0__ [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
07:18 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:34 -!- oniichaNj [~hm@80-69-77-244.colo.transip.net] has quit [Quit: bye]
08:58 -!- janine27 [~janine27@91.66.165.174] has joined #openvpn
08:58 < janine27> !paste
08:58 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
09:17 < janine27> !logs
09:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:20 < janine27> Hi! I am new to linux and I installed OpenVPN on my openSuse 13.1 Server with this manual: http://en.opensuse.org/SDB:OpenVPN_Installation_and_Setup The connection is working via OpenVPN, but I cannot use the Internetconnection or even "ping". This is my openvpn.log: http://fpaste.org/139171/41243217/  It's probably the firewall isn't it? :/
09:20 <@vpnHelper> Title: SDB:OpenVPN Installation and Setup - openSUSE (at en.opensuse.org)
09:22 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
09:22 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
09:38 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
09:44 <+_FBi> Ìû
09:49 -!- fling [~fling@fsf/member/fling] has joined #openvpn
09:49 < fling> Stopped working yesterday on one of my clients.
09:50 < fling> This is what I see in server log -> http://dpaste.com/2H23491
09:50 < fling> How to fix 'TLS Error: TLS handshake failed' ?
09:51 <+_FBi> Ìû
09:52 < fling> _FBi: use unicode?
09:52 <+_FBi> I hear my client is being lame
10:02 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has joined #openvpn
10:10 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
10:12 -!- Left_Turn is now known as pgicxplzs
10:20 -!- markelite [croftworth@gateway/shell/yourbnc/x-kktovbrdtbslwfqw] has joined #openvpn
10:30 < fling> !goal
10:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:31 -!- markelite [croftworth@gateway/shell/yourbnc/x-kktovbrdtbslwfqw] has quit [Read error: Connection reset by peer]
10:43 -!- marklite [croftworth@gateway/shell/yourbnc/x-oamucxocdajfqtzp] has joined #openvpn
10:46 -!- RobertoBenzi [~RobertoBe@78-134-122-162.v4.ngi.it] has joined #openvpn
10:47 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
10:48 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
10:48 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
10:50 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Quit: see ya!]
10:55 -!- RobertoBenzi [~RobertoBe@78-134-122-162.v4.ngi.it] has quit [Remote host closed the connection]
10:57 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 245 seconds]
10:58 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
11:03 -!- funnel_ [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
11:22 < janine27> Hi! I am new to linux and I installed OpenVPN on my openSuse 13.1 Server with this manual: http://en.opensuse.org/SDB:OpenVPN_Installation_and_Setup The connection is working via OpenVPN, but I cannot use the Internetconnection or even "ping". This is my openvpn.log: http://fpaste.org/139171/41243217/  It's probably the firewall isn't it? :/
11:22 <@vpnHelper> Title: SDB:OpenVPN Installation and Setup - openSUSE (at en.opensuse.org)
11:37 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:40 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:00 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
12:01 -!- manu92 [~manu92@de.freedom-ip.com] has joined #openvpn
12:06 -!- r4sp [~r4sp@107.170.28.221] has joined #openvpn
12:07 < r4sp> Hi guys, im having a problem with my openvpn configuration. The client has no problems connecting to the server but I think that the problem is the server is not forwarding between tun0 and eth0
12:08 <@krzee> !linipforward
12:08 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:09 < r4sp> Yep, the forwarding is on
12:09 < r4sp> The iptables forwarding rules are ok too
12:11 <@krzee> then youre wrong about the problem
12:11 <@krzee> whats the REAL problem?
12:11 <@krzee> cant talk to the server lan?
12:11 <@krzee> !goal
12:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:11 < r4sp> I would like to access the internet over my vpn
12:11 <@krzee> !redirect
12:11 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:11 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:12 -!- marklite is now known as markelite
12:13 < r4sp> push "redirect-gateway def1"
12:13 < r4sp> push "redirect-gateway def1"
12:14 < r4sp> this is actually in my conf.
12:14 <@krzee> use the flowchart
12:15 <@krzee> tell me where you get stuck
12:16 < r4sp> lol.. hehe.. "is redirect-gateway enabled on the client"
12:16 -!- manu92 [~manu92@de.freedom-ip.com] has quit [Ping timeout: 272 seconds]
12:16 <@krzee> well ya
12:16 <@krzee> !push
12:16 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
12:17 <@krzee> you chose to push the option at the client instead of putting it in the client config
12:17 < r4sp> ah, then wait
12:17 <@krzee> basically the same thing, unless you run a vpn provider then its just annoying because clients have to go through extra effort to override it when desired
12:19 < r4sp> "is NAT enabled on the VPN subnet"
12:19 < r4sp> how do i check this
12:19 <@krzee> show me:   iptables-save
12:19 <@krzee> (pastebin, gist, or similar)
12:22 < r4sp> no rules setted up yet: http://pastebin.com/ukMQSWZY
12:23 <@krzee> !linipnat
12:23 <@krzee> !linnat
12:23 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
12:24 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
12:25 < r4sp> iptables -t nat -I POSTROUTING -o eth0 \ -s 192.168.88.0/24 -j MASQUERADE
12:26 < r4sp> yes!
12:26 < r4sp> It's working :) thanks
12:26 <@krzee> no problem =]
12:26 < r4sp> another doubt
12:27 < r4sp> hmm how to explain this (a little bit hard in elgish)
12:28 < r4sp> I needed to set up the "client-config-dir" option to route my LAN IP address
12:28 < r4sp> i guess this configuration wont work if i am somewhere else right?
12:28 <@krzee> you have a lan behind the client that you want to share to the server and other clients?
12:29 < r4sp> without that option i was recieving bad address client ... [private ip] in the logs
12:29 <@krzee> comment the option, see if your traffic still works
12:29 < r4sp> okey
12:30 <@krzee> that error pops up when your client sends traffic with the lan ip as source over the tunnel
12:30 <@krzee> but just because that happens doesnt mean its ALL your traffic
12:30 <@krzee> could just be a misconfigured app, probably is that.
12:32 < r4sp> aaaah great so now it's working
12:32 < r4sp> thank you very much
12:32 < r4sp> three hours with this
12:33 < r4sp> lets have some beers with my friends :)
12:33 <@krzee> enjoy =]
12:33 <@krzee> !beer
12:33 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
12:33 < r4sp> :)
12:36 -!- r4sp [~r4sp@107.170.28.221] has left #openvpn []
12:38 -!- funnel_ [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
12:41 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
12:43 -!- funnel_ [~funnel@unaffiliated/espiral] has quit [Client Quit]
12:51 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:53 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
12:55 -!- funnel [~funnel@unaffiliated/espiral] has quit [Quit: leaving]
12:57 -!- funnel_ [~funnel@unaffiliated/espiral] has joined #openvpn
12:59 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
13:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
13:09 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:16 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
13:16 -!- Simson-san [~Simson-sa@klaxa.eu] has joined #openvpn
13:20 -!- funnel_ [~funnel@unaffiliated/espiral] has left #openvpn []
13:20 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
13:29 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Quit: see ya!]
13:30 -!- Exagone313 [~exa@vps.ewd.xyz] has joined #openvpn
13:32 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
13:34 -!- Exagone313 [~exa@vps.ewd.xyz] has quit [Client Quit]
13:35 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
13:37 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
13:42 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
13:56 -!- Mattias [~mattias@unaffiliated/mattias] has joined #openvpn
14:00 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
14:03 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 260 seconds]
14:04 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 272 seconds]
14:04 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 272 seconds]
14:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
14:05 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
14:08 < Mattias> I've setup openvpn with ubuntu in gnome using the network manager, However, I want to use it with the i3 wm. After enabling it in gnome and logging out then logging in to i3 I seem to still have the vpn enabled. How can I check openvpn status as well as turn it on/off when I want in i3? (settings already taken care of thanks to that network manager while inside gnome)
14:09 <@krzee> you probably need to ask the network manager guys
14:09 <@krzee> your issue is not an openvpn issue, but rather about 3rd party frontends
14:10 < Mattias> krzee: so I can't do it from the terminal using openvpn? I mean, in the end it's openvpn that runs in the background.
14:10 <@krzee> oh ok
14:10 <@krzee> whats i3?
14:10 <@krzee> different windows manager?
14:10 < Mattias> krzee: i3 is a window manager
14:10 <@krzee> got ya
14:10 < Mattias> tiled window manager to be exact :)
14:10 <@krzee> so you're switching back and forth?
14:11 <@krzee> and im assuming you want to do this programatically?
14:11 < Mattias> krzee: I only use gnome to set up the openvpn connection, because I don't know how to do it through the terminal, and the vpn service had a guide for ubuntu gnome
14:12 <@krzee> you can start openvpn from terminal with openvpn --config /path/to/config
14:12 < Mattias> krzee: I assume the network manager creates a config on-the-fly from the gui. openvpn should be running using that config right now, how can I turn it off or display status?
14:12 < Mattias> in the gui I set gateway and user/pass stuff
14:13 < Mattias> I'm fine if I have to go to the gui to turn it on using the on-the-fly config
14:15 <@krzee> well you see, network manager makes it own weird config
14:15 <@krzee> !netman
14:15 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
14:15 <@krzee> thats why i say your issue is a frontend issue
14:15 <@krzee> get openvpn working from a client config file
14:16 < Mattias> Hm, I should learn writing a config for this :)
14:16 <@novaflash> beer, beer, beer
14:17 < Mattias> krzee: Thanks! I'll do this the right way and write my own config file. Too bad they don't write a guide for this. Or is there a third-party guide I could use? I basically only need to know how to add a gateway and the authentication related stuff
14:17 <@krzee> !howto
14:17 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:18 <@krzee> you basically just write a config that matches your server config
14:18 <@krzee> most the stuff is handled in the server
14:18 <@krzee> as for the auth
14:18 <@krzee> !authpass
14:18 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
14:18 < Mattias> krzee: if VPN is active and I get an ip which is not mine from both curl and firefox, it should be global on the system right?
14:18 < Mattias> This is the only way I'm verifying this is working right now :P
14:20 <@krzee> Mattias, except for any subnets with an overriding route, yes
14:20 <@krzee> i mean, you could make that true by only adding a route to the server you curl from
14:20 <@krzee> but if the routing table makes it true, then yes...
14:20 < Mattias> I have not modified anything on my system for that kind of thing
14:21 <@krzee> you understand my answer though?
14:21 < Mattias> basically, that you can override the routing somehow, which I guess I should know if I have done? :P
14:22 < Mattias> I'm not very good with networking and new to VPNs :)
14:22 <@krzee> the routing table works by finding the most specific route to your destination and sending the traffic there
14:23 <@krzee> openvpn does not decide where traffic goes, your routing table does
14:23 < Mattias> curl ifconfig.me  <-- this command is what I try with in the terminal to verify VPN
14:23 <@krzee> openvpn has hooks to add routes to your routing table
14:24 < Mattias> any command I can use to check that an application goes through the correct connection?
14:25 < Mattias> Anyways, I guess I'll read the howto to start with, get some basics down.
14:25 <@krzee> sure, tcpdump / iptables
14:26 <@krzee> ya vpns also require a knowledge of networking, at least basic networking
14:26 <@krzee> !101
14:26 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
14:39 < Mattias> krzee: ovpn, these are the config files? I believe I got one for every country gateway they have with the zip file they sent O.o
14:40 < Mattias> great, I'm ready to just use openvpn without a gui :)
14:40 <@krzee> yes they likely sent you openvpn configs
14:40 <@krzee> and also
14:40 <@krzee> !provider
14:40 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
14:40 <@krzee> hehe
14:41 < Mattias> I was afraid you would show me that eventually :)
14:41 <@krzee> but so far you arent asking anything where that matters
14:49 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:06 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has quit [Ping timeout: 240 seconds]
15:17 -!- Latrina [~Latrina@adsl-ull-64-181.50-151.net24.it] has quit [Ping timeout: 260 seconds]
15:17 -!- Latrina [~Latrina@adsl-ull-94-194.50-151.net24.it] has joined #openvpn
15:28 -!- KarlBauman [~SoWhat@87.246.136.13] has joined #openvpn
15:29 < KarlBauman> hello
15:29 < KarlBauman> I wanted to know, is it possible to run only some programms through VPN on WIndows?
15:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:46 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:48 -!- u0m3 [~u0m3@92.80.114.210] has joined #openvpn
15:49 -!- KarlBauman [~SoWhat@87.246.136.13] has quit [Ping timeout: 272 seconds]
15:50 -!- u0m3_ [~u0m3@109.96.164.216] has quit [Ping timeout: 272 seconds]
16:06 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
16:07 -!- Mattias [~mattias@unaffiliated/mattias] has quit [Ping timeout: 272 seconds]
16:08 -!- Mattias [~mattias@unaffiliated/mattias] has joined #openvpn
16:23 < janine27> Hi everyone! I read some manuals/tutorials, and some use the IP 10.9.8.0/24 and other use 10.8.0.0/24. Whats the difference/the meaning of those IPs?
16:25 < rob0> RFC 1918 defines/reserves networks for internal use only.  10/8 is one of those.  Pick something unique, do not copy someone else.
16:25 < rob0> !subnet
16:25 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet or (#3) You may be looking for !toplogy
16:25 < rob0> !randomsubnet
16:25 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
16:27 < janine27> Ahhh nice! Thanks rob0
16:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
16:34 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:37 < janine27> Well, I can connect to my openVPN-Server, but it doesn't forward my IPv4 traffic to the internet. I actually even tried with firewall=off, but it won't work. Thats the openvpn.log: http://fpaste.org/139233/14124585/
16:38 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:53 <@syzzer> krzee: thanks. will fix!
16:53 <@syzzer> oh, wrong channel, still, thanks ;)
16:56 < rob0> Jan, what is this "firewall=off" setting?
16:56 < rob0> !ipforward
16:56 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:58 < rob0> also, why in the world are you using "topology net30"?
16:59 < rob0> !linipforward
16:59 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:00 < rob0> An RFC 1918 address requires source NAT to reach the Internet.  In Linux that is done by the firewall.
17:12 < janine27> rob0: firewall=off is not a setting, it's just my way to say that i even shut my firewall down for a moment ;)
17:13 < janine27> Well I have now a quite funny problem with iptables. It just tells me: "Memory allocation problem"
17:13 < rob0> hmm
17:13 < janine27> and
17:15 < janine27> http://fpaste.org/139238/14124608/
17:16 < janine27> I don't know how an why, but it seems that I reached some mysterious barrier...
17:30 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:38 < rob0> !openvz
17:38 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
17:40 < janine27> :'(
17:42 < rob0> So I guessed right?
17:43 < janine27> rob0: Its a virtual server, yes. But I think, thats really sad, because I just have a few rules, shown via iptables-save: http://fpaste.org/139242/62310141/
17:44 < rob0> There are other sorts of virtualization.
17:44 < janine27> I don't have hardware access, so...
17:44 < rob0> Anyway, there is no SNAT/MASQ rule in nat, and it appears also that you did not enable IP forwarding.
17:45 < rob0> so that dog won't hunt
17:45 < janine27> Actually, I did. But it's not there, because of the "Memory Problem"
17:46 < rob0> which is probably an openvz problem
17:46 < janine27> this is my rule:
17:46 < janine27> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
17:46 < janine27> iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
17:46 < janine27> iptables -A FORWARD -j REJECT
17:46 < janine27> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to SERVERIP
17:46 < janine27> rob0: yes :'(
17:49 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:53 -!- janine27 [~janine27@91.66.165.174] has quit [Quit: Verlassend]
18:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
18:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:16 -!- NoNamesLeft [~ChairmanM@cpc14-wake7-2-0-cust129.17-1.cable.virginm.net] has quit [Ping timeout: 258 seconds]
18:27 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
18:29 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
18:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
18:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:07 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
19:08 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
19:08 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
19:10 < dan_j> Hi, I'm having problems setting up a new openvpn client + server. I'm using the sample scripts, the connection is established and new routes are received, but no data is being transferred and ping doesnt work.
19:10 < dan_j> Could anyone help diagnose?
19:10 < dan_j> Server Config: http://pastebin.com/suNfpU45
19:10 < dan_j> Client config: http://pastebin.com/VLEvLN85
19:30 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
19:39 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: IceChat - Keeping PC's cool since 2000]
19:40 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has joined #openvpn
19:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
20:00 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:06 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
20:08 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
20:13 <+_FBi> sorry dan_j your configs have been removed :/
20:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:30 -!- mode/#openvpn [+v s7r] by ChanServ
20:45 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
20:46 -!- Simson-san is now known as Simson-san|away
20:49 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 260 seconds]
20:50 -!- knob [~knob@adsl-72-50-82-77.prtc.net] has joined #openvpn
20:50 < knob> Hey guys, question:   What would you suggest in order to get an alert in case a client disconnects?
20:51 < knob> I thought of a cron job running every minute and checking to see if it can ping the client...
20:51 < knob> Can you think of a better way?  Something more... intelligent?
20:51 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
--- Log opened Mon Oct 06 07:13:01 2014
07:13 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
07:13 -!- Irssi: #openvpn: Total of 177 nicks [9 ops, 0 halfops, 2 voices, 166 normal]
07:13 -!- mode/#openvpn [+o ecrist] by ChanServ
07:13 -!- Irssi: Join to #openvpn was synced in 14 secs
07:43 -!- Delfyn [~alexis@134.171.50.66] has joined #openvpn
07:48 -!- Latrina [~Latrina@adsl-ull-7-178.50-151.net24.it] has quit [Ping timeout: 260 seconds]
07:49 < lorens> !welcoe
07:49 < lorens> !welcome
07:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:49 -!- Latrina [~Latrina@151.56.170.187] has joined #openvpn
07:50 < lorens> !howto
07:50 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
07:52 < lorens> hi! I would like just to allow access to the Internet for a group. Can be done by Group Permissions?
07:54 -!- Latrina [~Latrina@151.56.170.187] has quit [Ping timeout: 245 seconds]
07:54 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
07:56 < Delfyn> hi, i want to connect an android phone to my home (Linux) VPN server. I've already set up linux-to-linux VPN connections without problem, but android-to-vpn is proving more difficult. The android client has http://pastebin.com/nXTUA6U4 as its config file (host, port and key blanked). when I try to connect the server only reports "Authenticate/Decrypt packet error: missing authentication info" and they never establish a connection. Any clues please?
07:56 < Delfyn> (i've googled the message but not found anything that seems to fit my situation)
07:57 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
07:57 < Delfyn> i'm not even sure which end the message is indicating has an error.
07:57 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
07:59 < Delfyn> !sample
07:59 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
08:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
08:04 < rob0> lorens, no, I can't imagine how that would work.  You would need:
08:04 < rob0> !ccd
08:04 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
08:05 < rob0> with a DEFAULT file which does not push the redirect-gateway option, and individual override files for those with Internet access.
08:05 < rob0> (or vice versa, DEFAULT pushes Internet options, overrides cancel it)
08:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:17 < dan_j> I'm trying to set up a lan to lan connection. So far, i've got the openvpn client being able to ping the lan ip belonging to the openvpn server.
08:17 < dan_j> But i cant ping any other lan ip's
08:18 < dan_j> even though i've set up routing on a few of the lan pc's
08:18 < dan_j> and also set up a static route on the server lan router.
08:18 < dan_j> Any ideas what could be wrong?
08:18 < dan_j> I've uninstalled all firewalls for now to ensure they arent getting in the way.
08:37 < dan_j> Ping tests from a lan PC to the vpn client are being seen by the vpn server so i know routing is correct on the lan pc.
08:53 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
08:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
08:55 -!- tsbtmn [~tsbtmn@unaffiliated/tsbtmn] has quit [Quit: leaving]
09:01 -!- lorens [~lorenzo@213.27.241.114] has quit [Ping timeout: 260 seconds]
09:11 <@krzee> dan_j,
09:11 <@krzee> !serverlan
09:11 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
09:11 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
09:11 <@krzee> you have been following the flowchart?
09:18 < dan_j> Yes. I managed to work out the problem. Windows wasnt performing packet forwarding.
09:19 < dan_j> Whats the difference between the 'route' command and the 'push route' command?
09:19 < dan_j> Is there a way to insert routes into the server's routing table?
09:20 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:22 <@syzzer> dan_j: 'route' adds a route locally (on the machine where the config file resides), 'push route' pushes a route to the peer (i.e. adds a route on the remote machine)
09:23 <@syzzer> so, if you are configuring the server and want to add routes to the server routing table, use 'route'
09:24 <@krzee> !push
09:24 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
09:24 <@krzee> yes, by putting the command in the server config without push.
09:26 -!- Delfyn [~alexis@134.171.50.66] has left #openvpn []
09:27 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
09:27 < dan_j> I've added this to the server config
09:27 < dan_j> route 192.168.11.0 255.255.255.0
09:27 < dan_j> but now i'm seeing this
09:27 < dan_j> bad source address from client [192.168.11.44], packet dropped
09:27 < dan_j> I cant see the route being added in the logs.
09:28 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:30 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 246 seconds]
09:31 < lorens> !rob0 I will give it a try, thanks. But I was thinking on a more easy way to manage the config...
09:31 <@krzee> dan_j, i thought you said SERVER lan?
09:32 <@krzee> where is the lan 192.168.11.0/24?
09:33 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
09:33 < dan_j> 192.168.12.0/24 is the server lan. 192.168.11.0/24 is the client lan
09:34 < dan_j> 10.10.0.0/24 is the vpn
09:36 < dan_j> Ok, i didnt realise that I also have to put the route into the ccd directory. Now the logs show: internal route 192.168.11.0/24 -> manchserver/IP:61026
09:39 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:48 -!- Komplanar [~Komplanar@46.22.223.200] has joined #openvpn
09:51 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
09:52 <@krzee> that was the iroute
09:52 <@krzee> and if you didnt realize that, you need to read this a few times
09:52 < dan_j> Yes
09:52 <@krzee> !route
09:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:53 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
09:53 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
09:54 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
09:55 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
09:56 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
09:56 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
09:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
09:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:00 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:00 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:00 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:00 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:02 < dan_j> I had to do route-method exe. All working now. Thanks for your help
10:03 < Komplanar> !serverlan
10:03 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
10:03 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
10:03 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
10:08 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 272 seconds]
10:10 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:15 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:18 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
10:26 <@krzee> dan_j, nice good job =]
10:29 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:34 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:34 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Max SendQ exceeded]
10:34 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:34 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:35 < Komplanar> Hello! I need a little hint how to do the following: I want to create a network interface on the client which tunnles all traffic to it through the server, so that I can bind some programs to the interface.
10:36 < Komplanar> currently I can tunnel ALL traffic on client side through openvpn, then the interface works, if I delete the routes, or none and the interface doesnt accept any traffic
10:36 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:36 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:37 <@krzee> it works by routes
10:37 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:37 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:38 <@krzee> if the source address from a client is different than its vpn ip, you need iroute
10:38 <@krzee> !iroute
10:38 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:39 < Komplanar> !ccd
10:39 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
10:40 <@krzee> you'll know thats needed if you see the MULTI error in the server log
10:41 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 272 seconds]
10:42 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:42 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:43 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:43 < Komplanar> krzee, there is only "MULTI: new connection by client 'client1' will cause prev. conns from this user to be dropped"
10:45 < Komplanar> I only need one client, since I only need this vpn to forward ports to the client in order to bypass Carrier-grade NAT
10:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:48 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:49 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
10:49 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 245 seconds]
10:52 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 245 seconds]
10:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
10:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:08 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
11:12 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
11:13 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
11:18 -!- lorens [~lorenzo@213.27.241.114] has quit [Remote host closed the connection]
11:30 -!- dazo is now known as dazo_afk
12:10 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:15 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:15 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:16 -!- dan_j [~IceChat77@unaffiliated/danfromuk] has quit [Quit: Give a man a fish and he will eat for a day. Teach him how to fish, and he will sit in a boat and drink beer all day]
12:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:19 -!- Latrina [~Latrina@adsl-ull-249-195.50-151.net24.it] has joined #openvpn
12:21 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:21 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:27 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
12:42 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
12:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
12:45 -!- cesurasean1 [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 244 seconds]
12:47 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:47 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
12:52 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:52 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
12:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
12:58 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:58 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:01 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:01 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:02 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:02 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:03 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:03 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:07 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
13:08 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:08 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:09 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:09 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:10 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:10 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:20 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:20 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:24 -!- Droolio [~drool@host109-158-214-180.range109-158.btcentralplus.com] has quit [Quit: Black Holes are where God divided by zero.]
13:26 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:28 -!- c0mrade_ [~c0mrade_@unaffiliated/c0mrade/x-3310965] has joined #openvpn
13:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
13:34 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
13:39 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
14:03 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
14:06 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:23 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:24 < Eagleman> Am i supposed to use -duplicate-cn to allow the same user (radius login) with different certificates? I get disconnected if i connect to my openvpn server with the same username but different certificates
15:01 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
15:04 -!- Chex [~Chex@2602:ffca:b:92::2] has quit [Quit: leaving]
15:04 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 245 seconds]
15:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:26 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
15:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
15:30 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:31 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:38 <@Eugene> Yup, that's why it exists.
15:38 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
15:40 -!- mattock is now known as mattock_afk
15:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
15:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:53 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
16:27 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
16:33 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
16:40 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
16:43 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 245 seconds]
16:43 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
16:58 -!- c0mrade_ [~c0mrade_@unaffiliated/c0mrade/x-3310965] has quit []
17:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
18:16 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 244 seconds]
18:30 < rob0> I thought --duplicate-cn was for multiple connections with the same CERT.  He's asking about different certs but the same Radius login.
18:33 < pekster> Depends what supplies the common-name as openvpn sees it. Normally this comes from the X.509 cert, but this can change with --username-as-common-name or --x509-username-field
18:57 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:09 < rob0> oh, I forgot about those
19:31 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
19:47 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
20:01 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
20:29 -!- Latrina [~Latrina@adsl-ull-249-195.50-151.net24.it] has quit [Ping timeout: 246 seconds]
20:29 -!- iokill [~dave@pippin.sigma-star.at] has quit [Ping timeout: 246 seconds]
20:29 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:30 -!- Latrina [~Latrina@adsl-ull-249-195.50-151.net24.it] has joined #openvpn
20:32 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
20:43 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
21:01 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
21:05 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
22:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:13 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
22:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:50 -!- ku1918 [~ku1918@121.121.20.241] has joined #openvpn
22:50 < ku1918> hi all
22:51 < ku1918> i have question to ask.
22:51 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Remote host closed the connection]
23:07 -!- ku1918 [~ku1918@121.121.20.241] has quit [Ping timeout: 240 seconds]
23:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:16 -!- ku1918 [~ku1918@121.121.20.241] has joined #openvpn
23:16 < ku1918> helo anyone here?
23:18 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:22 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
23:48 -!- ShadniX [dagger@p5DDFF6E0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:50 -!- ShadniX [dagger@p5DDFEF67.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Oct 07 2014
00:22 <@krzee> !ask
00:22 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
00:29 < ku1918> I have a openvpn server and a openvpn client. Both are connected.
00:31 < ku1918> I have a openvpn server and a openvpn client. Both are connected. My client can reach the Local IP Address of the server. But my server cant reach the Local IP Address of the connected client. I have enable client-to-client. Please advice.
00:57 -!- mattock_afk is now known as mattock
00:58 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
01:04 -!- APTX [~APTX@unaffiliated/aptx] has quit [Remote host closed the connection]
01:04 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
01:09 <@krzee> ku1918,
01:09 <@krzee> !goal
01:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:13 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 240 seconds]
01:16 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
01:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
01:29 < ku1918> i would like to access the lan behind the client.
01:30 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 258 seconds]
01:30 < ku1918> !configs
01:30 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
01:38 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 246 seconds]
01:43 < ku1918> http://pastebin.com/hEhsxRJM here is server config file.
01:45 < ku1918> http://pastebin.com/nHqmfmQq here is the client config file
01:56 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
01:59 -!- mattock is now known as mattock_afk
02:05 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:17 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
02:23 -!- dazo_afk is now known as dazo
02:25 <@krzee> !clientlan
02:25 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
02:25 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
02:26 <@krzee> what is the lan subnet behind the client?
02:26 <@krzee> ku1918,  ^
02:26 <@krzee> ping me when you answer in case im in another windpw
02:31 < ku1918> 10.20.44.0/27 its a windows machines
02:32  * ku1918 slaps APTX around a bit with a large trout
02:34 <@krzee> hehe by ping i meant say my name
02:35 <@krzee> what is  10.20.42.0 255.255.255.0
02:35 < ku1918> oh hahaha
02:35 < ku1918> client lan?
02:35 < ku1918> oh
02:35 < ku1918> that is the server
02:35 <@krzee> are you also trying to share the servers lan?
02:35 < ku1918> yes..i have done that.
02:36 < ku1918> it is working.. problem is just vice versa
02:36 <@krzee> show me the ccd entry
02:36 < ku1918> have no ccd entry
02:36 <@krzee> !iroute
02:36 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
02:36 <@krzee> !clientlan
02:36 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
02:36 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
02:37 < ku1918> iroute 10.20.44.0 255.255.255.224
02:37 < ku1918> i try with this before..still not working
02:37 <@krzee> after its there, connect the client
02:37 <@krzee> then follow the flowchart
02:38 <@krzee> it has a series of tests, the exact same tests i would have you run… except i got tired of asking the same thing over and over
02:39 <@krzee> so just let me know where you get stuck
02:39 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
02:47 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
02:52 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
02:57 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
03:05 -!- eike_52n [~eike@80.156.182.234] has joined #openvpn
03:05 < eike_52n> !welcome
03:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:06 < eike_52n> !/30
03:06 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
03:14 < ku1918> @krzee. i done until iroute.then ping client.still fail. ipforward enabble. w
03:14 <@krzee> !winipforward
03:14 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
03:20 < ku1918> done already. still same
03:22 <@krzee> show me the server log at verb 5
03:22 <@krzee> include the client connecting fully, and you doing the tests
03:23 <@krzee> (in other words, the log should include the time when the tests are run)
03:28 -!- lorens [~lorenzo@213.27.241.114] has quit [Ping timeout: 245 seconds]
03:33 < ku1918> http://pastebin.com/vnDdKpQr
03:33 < ku1918> here you go
03:35 <@krzee> you sure you ran the tests after the client was connected and before giving the log?
03:36 < ku1918> yup
03:37 <@krzee> what are the contents of the ccd file
03:37 <@krzee> oh nevermind you pasted that above
03:38 < ku1918> ok now.i getting Tue Oct  7 08:37:17 2014 us=727036 witnessnat1/x.x.x.x:49321 MULTI: bad source address from client [fe80::a102:cbaa:b39b:8fbe], packet dropped
03:38 <@krzee> thats probably nothing importan
03:38 <@krzee> so you cannot ping the lan ip on the server?
03:38 <@krzee> err i mean
03:39 < ku1918> client
03:39 <@krzee> from the server, on the client?
03:39 < ku1918> yes.
03:39 <@krzee> the server can ping the clients lan ip?
03:40 < ku1918> server cannot ping client lan ip. client can ping server lan ip.
03:40 <@krzee> try disabling windows firewall on the tap device
03:41 < ku1918> already temp disable all firewall
03:41 <@krzee> run a packet dump while doing the ping
03:41 <@krzee> wireshark will work
03:42 < ku1918> will tcpdump works?
03:42 <@krzee> i want the packet dump on the client
03:42 <@krzee> since you said that is windows… i figure no
03:42 <@krzee> but if windows has tcpdump and i did not know, then sure
03:42 < ku1918> oh ok.
03:45 -!- tuor-work [~quassel@212.25.21.185] has joined #openvpn
03:50 <@krzee> did you reboot after enabling ip forwarding in windows?
03:56 <@krzee> ku1918, ^
03:57 < ku1918> no..i rebooting now and test.
03:57 <@krzee> o lol
03:58 <@krzee> !learn winipforward as reboot after enabling it
03:58 <@vpnHelper> Joo got it.
03:58 -!- blaubarschbube [~adads@nat.hamburg.contentfleet.com] has joined #openvpn
04:01 <@krzee> sleep time, goodnight
04:15 -!- Zune [~Zune@93-161-219-103-dynamic.dk.customer.tdc.net] has joined #openvpn
04:17 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
04:18 < Zune> hey i have a little trouble error on line 117 of /etc/openvpn/easyrsa/openssl-1.0.0.cnf
04:19 < Zune> any ideas, its a brand new debian install
04:20 < Zune> found it my self.. I just deleted to much in vars
04:27 -!- ku1918 [~ku1918@121.121.20.241] has quit []
04:35 < blaubarschbube> hi. last night something happend to my vpn server, I assume the internet connection got broken, since almost all clients reconnected at the same time. but one client isnt accessable anymore. in the log I found this http://pastebin.com/DZSzWrPZ what could have caused this? unfortunately, to get access to that machine, I need to spend an hour in a train
04:37 < blaubarschbube> all I can do and already did is to tell somebody to power that machine off and on again (it is a raspberry pi)
04:37 < blaubarschbube> but it doesnt show up in the logs anymore
04:45 -!- eike_52n [~eike@80.156.182.234] has quit [Excess Flood]
04:46 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 467 seconds]
04:47 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
05:25 < BtbN> And now you want someone to drive there for you?
05:27 < Eagleman> How do i allow the same user (radius account) with different certificates on my openvpn server, it currently drops the connection if he is connected twice.
05:30 -!- mattock_afk is now known as mattock
05:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:33 -!- Latrina [~Latrina@adsl-ull-249-195.50-151.net24.it] has quit [Ping timeout: 250 seconds]
05:36 -!- Latrina [~Latrina@ppp-8-24.26-151.libero.it] has joined #openvpn
05:41 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 277 seconds]
05:42 -!- Latrina [~Latrina@ppp-8-24.26-151.libero.it] has quit [Ping timeout: 260 seconds]
05:44 -!- Latrina [~Latrina@ppp-212-24.26-151.libero.it] has joined #openvpn
05:54 -!- Netsplit *.net <-> *.split quits: clu5ter, fakhir_, Joe-T
06:06 -!- Netsplit over, joins: fakhir_, Joe-T, clu5ter
06:06 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 250 seconds]
06:07 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
06:10 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
06:14 -!- gorkhaan [~gorkhaan@94.31.49.67] has joined #openvpn
06:16 < gorkhaan> Hi guys. I am experiencing some problem with the Latest TUN/TAP driver on Windows 8.1 x64. (TUN/TAP version:  9.21) Installed from latest community installer. I tested it with the Stable version of TUN/TAP driver, with the connection works. Basically it get stucked when it tries to acquire IP address from my isc-dhcp-server. However as I said with the stable tun/tap driver it works. What do you think the solution is? how can I send you bugreport of this
06:16 < gorkhaan> if necessary? Thanks
06:18 -!- Droolio [~drool@host109-158-214-180.range109-158.btcentralplus.com] has joined #openvpn
06:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:26 < gorkhaan> Actually I was using unstable. it works with "I003". My bad. Thanks.
06:55 <@dazo> gorkhaan: I003 is the old "stable" TAP adapter, while I603 is basically the same OpenVPN with the new NDIS6 based driver ... so we surely would like to get bug reports on the new driver!
06:57 <@dazo> gorkhaan: bug reports can be submitted here: https://community.openvpn.net/openvpn/newticket  (you need a login, as we want to get in touch with you if there are questions or to ask you to test some things for us)
07:03 -!- tuor-work [~quassel@212.25.21.185] has quit [Remote host closed the connection]
07:18 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Read error: Connection reset by peer]
07:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:21 <@dazo> Eagleman: look at --duplicate-cn in the man page
07:22 <@dazo> that's the only restriction openvpn has ... if it is still rejected, then it's related to your radius integration.  I have no idea how that would work
07:27 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
07:29 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:39 < blaubarschbube> BtbN, no. I just wanted you to know that I cannot acces the logfiles on the client
07:40 < blaubarschbube> but if you have time..
07:41 -!- Droolio [~drool@host109-158-214-180.range109-158.btcentralplus.com] has quit [Ping timeout: 272 seconds]
07:41 < BtbN> I don't think there is anything you can do from remote
07:43 < blaubarschbube> BtbN, I know. my solution is to send an new SD card there. but I am just curios what happened
07:58 -!- Droolio [~drool@host81-152-93-189.range81-152.btcentralplus.com] has joined #openvpn
08:00 < gorkhaan> dazo, I reported it. I hope the format is all right.: https://community.openvpn.net/openvpn/ticket/456
08:00 <@vpnHelper> Title: #456 (TUN/TAP V9.21 does not get dhcp settings whereas V9.9 works) – OpenVPN Community (at community.openvpn.net)
08:00 <@dazo> gorkhaan: thx!
08:09 -!- Vindicar [~vindicar@access-46-42-18-81.kmtn.ru] has joined #openvpn
08:11 -!- fakhir__ [~fakhir@unaffiliated/fakhir] has joined #openvpn
08:11 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 258 seconds]
08:11 -!- fakhir_ [~fakhir@unaffiliated/fakhir] has quit [Ping timeout: 249 seconds]
08:12 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
08:16 -!- Exagone313 [~exa@ewd.ovh] has quit [Excess Flood]
08:17 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
08:17 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
08:19 -!- disharmony [~johan@5ED5530F.cm-7-6b.dynamic.ziggo.nl] has joined #openvpn
08:19 < disharmony> Hi all
08:20 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
08:21 -!- Droolio [~drool@host81-152-93-189.range81-152.btcentralplus.com] has quit [Ping timeout: 245 seconds]
08:24 < disharmony> I have a device that uses OpenVPN to connect to a remote OpenVPN server. This appliance is sort of closed box, so I cannot run debug tools on it. I don't have access to the OpenVPN server either, but I do have access to the certificate and key file from this device
08:24 < disharmony> Is it possible to decrypt sniffed traffic with this key/certificate somehow ?
08:25 < disharmony> I want to see what it's sending over the wire in order to debug a problem (currently I am totally blind)
08:26 < Thermi> Wireshark?
08:26 <@krzee> just sniff the tun device on the other side
08:27 <@krzee> also, what is the black box which runs openvpn?
08:27 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
08:27 < disharmony> krzee: the problem is that I don't have access to the devices
08:27 < disharmony> there is no login
08:28 < disharmony> no shell; nothing
08:28 < disharmony> just some FTP to upload the certificate/key file
08:28 <@krzee> that was not what i asked
08:28 < disharmony> it's a custom box
08:28 <@krzee> and i said to sniff the OTHER side
08:29 < Vindicar> on server side?
08:29 < disharmony> I don't have access on the other side, it's a 3rd party the box is talking to
08:29 <@krzee> lol, so you dont have access to EITHER side?
08:29 <@krzee> !nologs
08:29 <@krzee> !router
08:29 <@vpnHelper> "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
08:29 < disharmony> that is correct, except for FTP to upload the certificate and key file ;)
08:29 <@krzee> your case you say you cannot access EITHER side of the connection
08:30 <@krzee> so i say go get support from whoever gave you that crap
08:30 < disharmony> yes, indeed
08:30 < Vindicar> or try to shellshock the box =J
08:31 < disharmony> I did that, but that doesn't really help for now. I am not trying to hack into that thing; I am just wondering whether it is possible to decrypt sniffed data with the keys in hand...
08:31 < Vindicar> bc I think you're trying to do something openvpn was designed to prevent...
08:31 <@krzee> possible?  yes. will you get help doing it?  no
08:32 <@krzee> now, were you really "just wondering" ?
08:32 < disharmony> Is it so weird to ask whether it's possible to decrypt your own traffic with your own set of keys?
08:32 < disharmony> yes
08:33 <@krzee> disharmony, well its the first time i seen the question in like 8+ years… so yes.
08:33 < disharmony> ;-)
08:35 < Vindicar> Anyway... I'm trying to configure ziggurat29's OpenVPN port for Windows Mobile, and I've run into a problem. It connects just fine, but seemingly can't send anything over the tunnel. Configs are here: http://pastebin.com/25tnTUzw Logs: http://pastebin.com/AcfmRFz1
08:35 < Vindicar> All I managed to google up is that error probably means "Buffer is too small", so I tried to play with MTU, but with no avail. I've also found the line in tap driver source code that corresponds for that error message, but it will take a while for me to figure out what went wrong.
08:42 -!- gorkhaan [~gorkhaan@94.31.49.67] has quit [Quit: Leaving]
08:43 < Vindicar> have anyone encountered similar error message?
08:44 -!- Pip0 [~quassel@node242.seg200.ucf.edu] has joined #openvpn
08:44 < Pip0> Hello OpenVPN people !!!!!
08:48 -!- Pip0 [~quassel@node242.seg200.ucf.edu] has quit [Read error: Connection reset by peer]
08:50 < Vindicar> Hmmm, I was wrong. It seems it can send packets, but fails to read any.
08:52 -!- disharmony [~johan@5ED5530F.cm-7-6b.dynamic.ziggo.nl] has left #openvpn []
09:05 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
09:16 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:20 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:29 -!- Blancakes [~blancake@91.183.142.178] has joined #openvpn
09:30 < Blancakes> !welcome
09:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:31 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
09:37 < Blancakes> hi, i would like to make a setup as follows: 1) i'm talking about setting up a vpn server on aws amazon, 2) on there is a vpc setup => management on x.x.1x. subnet, backend on x.x.2.x subnet and so on ..., first i have setup the vpn with tun, this workes fine but when i go to a local server ofcource the server thinks i'm the maintenance (vpn) server who is connected.
09:38 < Blancakes> what i want to be able to do is say that i have a subnet on x.x.3.x that provide's ip's (dhcp) and the vpn give's the's ip's zo the clint, like that there in the x.x.3.x subnet and i can direct where the clinet can and can't go to
09:39 < Blancakes> as far as i looked into the conf i would have to setup a tap not a tun and setup a bridge, and you guessed it thats where i am stuck and get cunfuced with the params
09:39 < Blancakes> can some one provide me with some info ar basic config so i can contuni
09:40 -!- Vindicar [~vindicar@access-46-42-18-81.kmtn.ru] has quit [Quit: Vindicar]
09:46 < Blancakes> !goal
09:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:53 -!- Blancakes [~blancake@91.183.142.178] has quit [Quit: Konversation terminated!]
09:56 -!- gorkhaan [~gorkhaan@94.31.49.67] has joined #openvpn
10:00 < gorkhaan> Hi. Let's say I have 2 openvpn servers. Cisco ASA, SNAT 2222 to vpn1 2222, and SNAT 2223 to vpn2 2223.  two vpn server are running identical config. Clients gets their ip from isc-dhcp-server. I am trying to achieve multimode vpn. It sort of works. There is a little problem on the client side. Client has the following: remote-random   plus 2 remote addresses with each vpn server addresses. if the client connects to vpn1, then I shutdown vpn1 server, I wa
10:00 < gorkhaan> nt to see openvpn client to automatically fail to the next remote server. Is there an option for this please? thanks.
10:02 -!- Pip0 [~quassel@node49.seg179.ucf.edu] has joined #openvpn
10:06 < Pip0> I was wondering if anyone here can help set up a double vpn connection
10:07 < Pip0> I need to be able to connect to a PC --> VPN SERVER  --> VPN SERVER --> Internet
10:09 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
10:09 < gorkhaan> got it: I had to lower keepalive values to make the failover quicker.
10:09 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
10:26 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
10:28 -!- jeremybrown82 [~jeremybro@68.71.44.126] has joined #openvpn
10:30 < jeremybrown82> has anyone had troubled connecting to boxpn using openvpn and Ubuntu?
10:35 -!- akp [~akp@c-50-169-193-161.hsd1.ma.comcast.net] has joined #openvpn
10:39 <@ecrist> krzee: would you want roundcube instead of squirrelmail, perhaps?
10:43 < jeremybrown82> http://pastebin.com/FXqraVaG
11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:30 -!- gorkhaan [~gorkhaan@94.31.49.67] has quit [Quit: Leaving]
11:30 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 245 seconds]
11:33 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
11:38 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
11:40 -!- cyberanger [cyberanger@swissknife/adak/infocop411] has quit [Quit: ZNC - http://znc.in]
12:19 <@dazo> jeremybrown82: server logs please
12:22 -!- Pip0 [~quassel@node49.seg179.ucf.edu] has quit [Ping timeout: 258 seconds]
12:29 < jeremybrown82> dazo, i am guessing that server logs come from the vpn provider? On another note i am able to ping ips outside to the internet, but not able to surf the web, which leads me to believe that it is a dns problem..
12:30 <@dazo> jeremybrown82: if you don't control your server, you need to ask those controlling the server why your connection fails
12:30 <@dazo> your VPN server, that is
12:39 < jeremybrown82> i have. hopefully they will have a solution...
12:41 < KNERD> What can I do to prevent the clients from switching setting the gateway from the LAN to the VPN one once connected to the VPN server? It is cutting off internet access locally then
12:42 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
12:42 < KNERD> I guess setting a static IP would be an option, but that cannot always be done
12:53 -!- dazo is now known as dazo_afk
12:54 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
13:14 -!- jeremybrown82 [~jeremybro@68.71.44.126] has quit [Ping timeout: 272 seconds]
13:22 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
13:23 -!- BtbN [btbn@btbn.de] has joined #openvpn
13:25 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
13:26 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
13:40 <@plaisthos> from an OpenVPN log:
13:40 <@plaisthos> 2014-08-22 16:48:54 Send to HTTP proxy: 'User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/528.16 (iPhone; U; CPU iPhone OS 3.0 like Mac OS X; en-us; compatible; Googlebot/870; U; en) Presto/2.4.15'
13:40 <@plaisthos> that is probably a valid use ...
13:49 <@krzee> ecrist, never used it, so not sure
13:53 <@plaisthos> that user against seem very strange for openvpn :)
13:54 <@plaisthos> GoogleBot that is also opera mini on an Iphone
14:15 -!- Mattias [~mattias@unaffiliated/mattias] has quit [Ping timeout: 258 seconds]
14:16 -!- Mattias [~mattias@unaffiliated/mattias] has joined #openvpn
14:23 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 246 seconds]
14:41 -!- Pip0 [~quassel@199.87.224.33] has joined #openvpn
14:42 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Quit: elfixit]
14:45 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 272 seconds]
14:46 -!- Pip0 [~quassel@199.87.224.33] has quit [Ping timeout: 260 seconds]
14:46 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
14:56 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:05 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Ping timeout: 260 seconds]
15:09 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
15:15 < lerra> Hi, is there any known problems with having mac clients add specific routes via the tunnel ? It works fine on android,windows and linux but the mac client with the same configuratio does not route the specific ip's via the vpn
15:22 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has joined #openvpn
15:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:36 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:52 -!- u0m3_ [~u0m3@92.80.114.210] has joined #openvpn
15:52 -!- u0m3 [~u0m3@92.80.114.210] has quit [Ping timeout: 260 seconds]
16:02 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:06 -!- mattock is now known as mattock_afk
16:29 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
16:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
16:52 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
16:52 -!- mode/#openvpn [+o krzie] by ChanServ
16:54 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
16:54 -!- krzie is now known as krzee
17:20 -!- Irrelephant [Irrelephan@2a02:908:e263:6400:91e2:7164:2ad1:3b4a] has joined #openvpn
17:21 < Irrelephant> Hi all. I got a bridged connection working windows to windows. All works well, can ping in any direction etc ...
17:21 < Irrelephant> But the port forward I set up in my router to forward to the bridged client does not work
17:22 < Irrelephant> I can access the client's webserver using its local IP but using my global IP does not work
17:22 < Irrelephant> Any hints what might be the cause?
17:22 < Irrelephant> Firewall and anti-virus are disabled on both machines
17:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:41 -!- Steven_ [~deepstar@pegasus.singularity.be] has joined #openvpn
17:42 -!- Steven_ [~deepstar@pegasus.singularity.be] has left #openvpn []
17:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
17:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
17:52 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:59 < Irrelephant> Got it working. I put down the VPN server's IP as first parameter for server-bridge which looks to be wrong ... putting the router's IP instead works perfectly
18:01 -!- Irrelephant [Irrelephan@2a02:908:e263:6400:91e2:7164:2ad1:3b4a] has quit [Quit: Leaving]
18:03 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:04 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
18:10 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Quit: ZNC - http://znc.in]
18:10 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
18:16 -!- Pip0 [~quassel@72.188.112.179] has joined #openvpn
18:17 -!- imsomeoneelse [~eh@wsip-98-190-221-98.dc.dc.cox.net] has quit [Remote host closed the connection]
18:18 -!- fakhir__ [~fakhir@unaffiliated/fakhir] has left #openvpn []
18:25 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
18:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
18:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
19:12 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
19:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:36 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
19:37 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Ping timeout: 250 seconds]
19:37 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
19:37 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
19:38 -!- shpank [~schorsch@kabelbrand.at] has quit [Remote host closed the connection]
19:39 -!- blaubarschbube [~adads@nat.hamburg.contentfleet.com] has quit [Ping timeout: 260 seconds]
19:40 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has joined #openvpn
19:41 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:47 -!- MaliusArth1 [~MaliusArt@chello062178184068.18.14.vie.surfer.at] has left #openvpn []
19:48 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
19:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
19:58 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:05 -!- tekk [~me@93.93.135.50] has quit [Ping timeout: 245 seconds]
20:36 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
20:42 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
20:47 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 244 seconds]
20:47 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
20:52 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
21:12 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
21:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:41 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
21:44 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
21:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
23:10 -!- Pip0 [~quassel@72.188.112.179] has quit [Ping timeout: 244 seconds]
23:32 -!- elfixit [~Icedove@77-58-251-72.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:46 -!- ShadniX [dagger@p5DDFEF67.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:49 -!- ShadniX [dagger@p5DDFC5B4.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Oct 08 2014
00:29 -!- mattock_afk is now known as mattock
01:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:14 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 240 seconds]
02:17 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:21 -!- Blancakes [~blancake@91.183.142.178] has joined #openvpn
02:23 < Blancakes> Hi can someone help me on this question; i would like to vpn to internal server bihind vpn with the ip provided from vpn
02:23 < Blancakes> i'll explane a little bit more :
02:23 < Blancakes> VPN SETUP
02:23 < Blancakes> AWV AMAZON CLOUD
02:23 < Blancakes> subnet 10.0.0.0 => internal servers (only reacable bij management server (ssh, vpn))
02:23 < Blancakes> subnet 10.0.10.0 => management subnet // can be accesed externaly
02:23 < Blancakes> subnet 10.0.20.0 => subnet for vpn
02:23 < Blancakes> from client we should be able to ssh user@10.0.0.1 trough vpn
02:23 < Blancakes> on the management server (ssh, vpn) there are 2 interfaces : eth0 => 10.0.10.x, eth1 =>10.0.20.x
02:23 < Blancakes> when we ssh to the internal machine's it needs to be clear that i logged in with 10.0.20.x ip instead of 10.0.10.x (ip from eth0 on vpn)
02:23 < Blancakes> this is needed because we block ssh connection on to many attemptes or incorrect,
02:23 < Blancakes> if it would block 10.0.10.x nobody would be able to login to that server ...
02:23 < Blancakes> How would it be the best way to set it up ?
02:28 -!- tekk [~me@93.93.135.50] has joined #openvpn
02:36 -!- blaubarschbube [~adads@nat.hamburg.contentfleet.com] has joined #openvpn
02:39 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
02:44 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
02:46 -!- lev__ [~lev@stipakov.com] has joined #openvpn
02:58 -!- lev__ [~lev@stipakov.com] has quit [Quit: leaving]
02:58 -!- lev__ [~lev@stipakov.com] has joined #openvpn
03:08 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
03:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:46 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
04:11 -!- dazo_afk is now known as dazo
04:15 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 244 seconds]
04:15 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has quit [Ping timeout: 272 seconds]
04:19 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 272 seconds]
04:20 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
04:21 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
04:22 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
04:23 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
04:26 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
04:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
04:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:59 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has joined #openvpn
04:59 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
04:59 < Cyclohexane> !logs
04:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:01 -!- rich0__ [~quassel@gentoo/developer/rich0] has joined #openvpn
05:02 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
05:04 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 240 seconds]
05:05 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:09 -!- rich0__ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 250 seconds]
05:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
05:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
05:52 <@ecrist> Blancakes: need to see your configs, if you have them.
05:53 <@ecrist> and, you should really be passing your VPN clients a separate range of IPs, say 10.0.30.0/24
05:53 <@ecrist> any access rules you have should allow the VPN as well as your 10.0.20.0/24 range.
05:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:56 < Blancakes> ecrist thx for replying, i'm getting online whitin an hours again
05:56 < Blancakes> i'll send you the config file's then
05:56 < Blancakes> i have to replace myself so i'll be back later on
05:56 <@ecrist> ok.  pastebin or similar is appropriate
05:56 < Blancakes> thx up till now
05:56 < Blancakes> i will
05:57 < Blancakes> see you in approx hour if your still here by then
06:02 -!- Blancakes [~blancake@91.183.142.178] has quit [Ping timeout: 272 seconds]
--- Log closed Wed Oct 08 06:11:04 2014
--- Log opened Wed Oct 08 06:43:08 2014
06:43 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
06:43 -!- Irssi: #openvpn: Total of 174 nicks [9 ops, 0 halfops, 1 voices, 164 normal]
06:43 -!- mode/#openvpn [+o ecrist] by ChanServ
06:43 -!- Irssi: Join to #openvpn was synced in 1 secs
06:43 < rooth> Can the cipher configuration option be a list of ciphers? Would have like to be able to run both bf and aes until all clients have been upgraded to use just aes. Sort of like the negotiation in ipsec.
06:45 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
06:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
07:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:26 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
07:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
07:33 -!- Blancakes [~blancake@2a02:1812:200c:4f00:8d2c:433d:b6a0:176f] has joined #openvpn
08:06 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:06 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
08:14 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 272 seconds]
08:35 <@dazo> rooth: no, not currently.  It's been discussed how to do the cipher negotiations, but it has not yet resulted in any patches
08:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:56 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
09:01 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has joined #openvpn
09:03 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Quit: Read Error 1664 (Connection reset by beer)]
09:19 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
09:22 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
09:25 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
09:25 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
09:28 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:32 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:35 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
09:37 -!- Blancakes [~blancake@2a02:1812:200c:4f00:8d2c:433d:b6a0:176f] has quit [Quit: Konversation terminated!]
09:52 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
10:06 < rooth> dazo: Thank you for the information!
10:07 <@dazo> yw!
10:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:44 -!- efiop [~efiop@95.111.227.137] has joined #openvpn
10:44 < efiop> hi! Sorry, i'm a complete noob. Could someone give me some links where to start with openvpn and python?
10:48 < rob0> uh ... "and python?"
10:49 < rob0> The /topic has some starting points for openvpn.
10:49 < efiop> rob0: well, "in python"? =)
10:49 < rob0> No idea what you mean, sorry.
10:50 < efiop> i have no idea what i mean too=) Well, i don't anything about openvpn, but i need to use it in python program.
10:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
10:50 < efiop> Am I saying complete nonsence? =)
10:53 < efiop> i need to establish connection that will be encrypted and data whould be compressed
10:54 < efiop> excuse me if i'm saying some strange or wrong things
10:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:57 < efiop> !welcome
10:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:58 < DArqueBishop> Is the machine you're going to be transferring data to the same machine that will run OpenVPN?
10:58 < DArqueBishop> Er, run the OpenVPN server?
10:58 <@Eugene> !man
10:58 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:59 < Cyclohexane> How should I go about debugging my VPN being unable to access the internet? i.e. it can access 10.8.0.1 and the VPN external IP but it can't access 8.8.8.8 (internet). It was previously working until a server restart
10:59 <@Eugene> !redirect
10:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:59 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:00 <@Eugene> !ipforward
11:00 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:00 <@Eugene> !linipforward
11:00 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
11:00 <@Eugene> Most likely you did echo, but not sysctl ^
11:00 <@Eugene> But follow the chart from the first link
11:00 < efiop> DArgueBishop: if i can start OpenVPN server on destination using python =) can i? Sorry for stupid questions, i'm noob.
11:01 <@krzee> Cyclohexane, see the flowchart that Eugene gave you in !redirect #4
11:01 <@krzee> "on destination" ?
11:02 < Cyclohexane> Will do thanks Eugene and krzee
11:02 < DArqueBishop> efiop, so let me see if I understand your problem: you want the client running a program in Python to transfer data to a server that's directly connected to the internet over a secure encrypted connection?
11:03 < efiop> DArgueBishop: Well, let me put it this way: i have two computers and i need to transfer data from one computer to another
11:04 < DArqueBishop> Yeah, I'm not sure OpenVPN is your best solution. You COULD do it that way, but unless the receiving computer is behind a firewall/router, it might just be easier to use rsync over ssh or something similar.
11:04 <@krzee> !vpn
11:04 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
11:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
11:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:24 < Cyclohexane> !def1
11:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
11:27 -!- efiop [~efiop@95.111.227.137] has quit [Quit: Ухожу я от вас]
11:32 < Cyclohexane> krzee: Eugene: good diagram :) turned out one of the ip_forward settings was set to 0 something must of changed it during an upgrade/restart -- all working again
11:33 <@Eugene> I like being right based upon a hunch
11:33 <@Eugene> Did you bother to set it permanently in sysctl
11:33 < Cyclohexane> yeah
11:33 <@Eugene> !beer
11:33 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
11:34 < Cyclohexane> lol
11:34 <@krzee> Cyclohexane, did you reboot AFTER setting it to 1 in sysctl.conf?
11:34 < Cyclohexane> /proc/sys/net/ipv4/ip_forward was 0, the sysctl was 1
11:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:38 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Excess Flood]
11:43 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
11:44 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
12:11 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:36 <@dazo> Cyclohexane: if sysctl net.ipv4.ip_forward returned 0 ... then your system is behaving odd.  as sysctl and /proc/sys/* basically does the same things under the hood in the kernel
12:37 <@dazo> but if you meant /etc/sysctl.conf ... then that's a different issue
12:39 <@dazo> running sysctl -p   will set your system according to /etc/sysctl.conf
13:16 -!- dazo is now known as dazo_afk
14:04 -!- xeon-enouf [~xeon-enou@unaffiliated/xeon-enouf] has quit [Remote host closed the connection]
14:07 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
14:08 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
14:09 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
14:10 -!- x00e [~itch@188.27.207.8] has joined #openvpn
14:20 -!- prettyrobots [~prettyrob@do.inputrc.com] has joined #openvpn
14:22 < x00e> Hello guys. Anyone willing to take a peek a my openvpn config (http://pastebin.com/VgnhDaYg) and lemme know if they spot something wrong. So far, I`m able to connect to the vpn server, but can`t access the internet through it. Also, it keep disconnecting on me
14:26 <@krzee> push "route 192.168.1.0 255.255.255.0"
14:26 <@krzee> whats that for?
14:27 <@krzee> you accessing a lan behind the server over the vpn?
14:29 < x00e> krzee, the machine hosting the server is behind a router .
14:29 < x00e> ..and i`m not sure if that answered your question ..
14:29 <@krzee> so?
14:29 < x00e> my networking skillz are not that good :(
14:29 <@krzee> ok, remove push "route 192.168.1.0 255.255.255.0"
14:29 <@krzee> what OS is your server running?
14:30 < x00e> debian
14:33 <@krzee> did you configure NAT and ip forwarding in the OS?
14:33 < x00e> Uhum
14:34 -!- imsomeoneelse [~eh@wsip-98-190-221-98.dc.dc.cox.net] has joined #openvpn
14:34 < imsomeoneelse> Hi all
14:35 < x00e> Hmm. Hold. Lemme check on NAT. ip fwd is enabled. just checked
14:36 < imsomeoneelse> Is there a proper way to unrevoke users? I know it's generally frowned upon to unrevoke users, but basically what I need is a way to temporarily disable/enable access of individual clients to the OVPN server.
14:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:36 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
14:42 <@krzee> use --disable in a ccd entry
14:42 <@krzee> imsomeoneelse, ^
14:42 < scyld> hah I was renaming files there ;)
14:42  * scyld learned something today :)
14:42 < scyld> thx krzee
14:43 <@krzee> np
14:43 <@krzee> renaming files?
14:44 < imsomeoneelse> krzee: this server will have ~1000 clients, does that also mean I have to create ~1000 individual files? Or let me put it in this way, if I have client-config-dir in the server config, but no ccd file for a client, would it break things?
14:44 < x00e> krzee: ok, I have NAT running
14:45 <@krzee> imsomeoneelse, only if you tell it to… with --ccd-exclusive or something like that
14:45 <@krzee> you could also use a script to do it dynamically (database?)
14:45 <@krzee> !client-connect
14:45 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
14:53 < imsomeoneelse> thank you sir, seems like this will do the trick
14:54 < scyld> krzee: yup. like client1 client1-disabled
14:54 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has quit [Quit: If at first you don't succeed then skydiving is not for you.]
14:55 < scyld> krzee: if client1 connects it will be rejected
14:56 <@krzee> ahh i see :D
14:56 <@krzee> imsomeoneelse, np
14:56 < imsomeoneelse> New question, I might have asked this few weeks ago, has anyone ever seen a huge deployment of OpenVPN, as in 1,000 to 10,000 clients or more?
14:56 <@krzee> x00e, try this flowchart:
14:56 <@krzee> !redirect
14:56 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:56 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:57 <@krzee> imsomeoneelse, not personally but i have heard of very large amounts of users on a single box, but i have also heard of shit breaking wayyyy before that
14:57 <@krzee> if you hit a bottleneck you will want multiple servers (which can exist on 1 machine if you have multiple cores'
14:57 <@krzee> because openvpn is single threaded it only runs on 1 core
14:58 < scyld> or run multiple instances on the same machine
14:58 < imsomeoneelse> server is a multi-core xeon with AES-NI support, yes
14:58 < imsomeoneelse> Are there any numbers on how many concurrent connections a single openvpn instance can handle?
14:59 < scyld> if AES-NI even used as it must me enabled in openssl engine? afaik it isnt right now...
14:59 < imsomeoneelse> scyld, openssl 1.0.1 and up automatically enables it, I've tested it.
14:59 < scyld> how?
15:00 < imsomeoneelse> by benchmarking blowfish and AES back to back. In a non-AESNI system (or on a system with non-AES supporting openssl version), blowfish should be faster than AES
15:01 < imsomeoneelse> However, on an AES-NI capable system, AES, well, blows blowfish out of the water, as in 6 to 8 times faster
15:01 < scyld> ow benchmarking... I found there is some streight way.
15:01 < imsomeoneelse> in case someone needs, command to test is:
15:02 < imsomeoneelse> Blowfish:  openssl speed -evp bf-cbc
15:02 < imsomeoneelse> AES: openssl speed -evp aes-128-cbc
15:02 < imsomeoneelse> in Linux of course.
15:02 < scyld> cyup
15:02 < scyld> sure ;)
15:03 <@krzee> !gigabit
15:03 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
15:03 <@krzee> you may enjoy reading that too
15:04 < scyld> tnx
15:04 < imsomeoneelse> Thx kreeze
15:04 <@krzee> np
15:05 < imsomeoneelse> My main problem is the number of clients in this project, bandwidth is secondary as the data going through will be pretty low, but tunnels will be always on for all clients
15:05 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
15:06 <@krzee> i dont know where you'll hit the wall, sorry
15:06 <@krzee> but i do know you can run multiple server processes
15:06 < imsomeoneelse> It's essentially a connection to the mothership for pulling updates, pushing stats etc. for thousand+ residential routers/access points
15:06 < imsomeoneelse> Well, I guess we'll all learn in a few months :)
15:06 <@krzee> please document!
15:07 <@krzee> we have a wiki you can feel free to use
15:07 < adaptr> don't actually use it, that's forbidden. but feel free!
15:07 <@krzee> it can sit there as a work in progress, we just wont link to it
15:08 < imsomeoneelse> will do, and will share as much as I can (commercial project, need to get permission from the big boss, etc.)
15:08 <@krzee> yep, just the feeling, no action allowed
15:08 <@krzee> imsomeoneelse, leave out the stuff about client specific (what devices, why, etc), just keep it specific about openvpn and i bet the boss wont mind
15:09 <@krzee> let him know that this is why its free, people contribute what they can :D
15:09 < imsomeoneelse> oh yeah, more than likely he'll be ok, we are a pretty open source shop, at least I can safely share the performance metrics for sure.
15:09 <@krzee> some code, some answer questions, some document stuff, etc
15:22 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:28 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
15:30 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
15:32 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
15:39 -!- mattock is now known as mattock_afk
15:41 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
15:42 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
15:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:57 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
16:03 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
16:23 -!- nutron [~nutron@unaffiliated/nutron] has quit [Read error: Connection reset by peer]
16:25 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
16:26 < Maxel> I was hoping to set up openvpn on a virtual machine I have on an esxi server. First question is, do I need to have 2 nics to be able to set this up?
16:27 < Maxel> I was looking through a bridge util guide and it seems to imply I need to different IP addresses on the server to set this up
16:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
16:35 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:45 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:04 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
17:04 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:09 -!- x00e [~itch@188.27.207.8] has quit [Read error: Connection reset by peer]
17:17 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
17:43 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
17:43 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:15 < rob0> !goal
18:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:28 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
18:38 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
18:39 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
18:46 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
18:49 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
19:00 -!- speaker1234 [~speaker12@173-14-129-9-NewEngland.hfc.comcastbusiness.net] has joined #openvpn
19:09 < speaker1234> I think this is a tun forwarding problem.  I'm trying to build a net-2-net vpn.  The link comes up and stays up, I can ping from "client" to machine on the server-side network what if I try to ping the other way, nothing happens. I can ping both ends of the tunnel from the server-side but not anything further that
19:09 < speaker1234> I turned on IPv4 forwarding
19:09 < speaker1234> so I'm a bit puzzled as to what to do now
19:14 <@krzee> sounds like a firewall problem
19:14 <@krzee> !1way
19:14 <@vpnHelper> "1way" is a 1-way ping between client and server indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
19:14 <@krzee> !forget 1way
19:14 <@vpnHelper> Joo got it.
19:14 <@krzee> !learn 1way as a 1-way ping between client and server usually indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
19:14 <@vpnHelper> Joo got it.
19:16 < speaker1234> a firewall problem.  like this? http://pastebin.com/WKP9GAvc
19:17 <@krzee> thats not how you see your rules
19:17 <@krzee> iptables-save
19:17 < speaker1234> ok, trying
19:20 < speaker1234> http://pastebin.com/pYcRus99
19:20 < speaker1234> there are no rules active
19:21 <@krzee> which machine is that?
19:21 < speaker1234> claent side
19:21 < speaker1234> client side
19:21 <@krzee> ok so server-side lan works as desired, right?
19:21 < speaker1234> this is net-2-net config
19:21 <@krzee> right, like i wrote about here:
19:21 <@krzee> !route
19:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
19:22 <@krzee> ok so server-side lan works as desired, right?
19:22 < speaker1234> server side has worked well for a long time
19:22 <@krzee> good, so its only client side we're working on
19:22 <@krzee> can the server ping the lan ip of the client?
19:22 < speaker1234> I added and can verify the routes are in place on both sides
19:23 <@krzee> here work through this flowchart:
19:23 <@krzee> !clientlan
19:23 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
19:23 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
19:23 < speaker1234>  server to client IP no, client to server IP yes, client to IP on server network, yes
19:24 <@krzee> specify lan ip / vpn ip
19:24 < speaker1234> did the ccd route file
19:24 <@krzee> otherwise i have no clue what you're trying to say
19:24 < speaker1234> ok
19:24 < speaker1234> lan ip == ip address on server side?
19:25 <@krzee> each side is on its own lan
19:25 <@krzee> which you are trying to route to eachother using openvpn
19:25 <@krzee> ...right?
19:25 < speaker1234> yes.
19:25 <@krzee> ok so the client has a lan ip (same as before using openvpn) and a vpn ip (comes from vpn)
19:26 <@krzee> <krzee> can the server ping the lan ip of the client?
19:26 < speaker1234> yes,  client lans is 192.168.2.0/24.  vpn ip is 10.199.188.222
19:27 <@krzee> *facepalm*
19:27 <@krzee> ok heres what i need before we go any further
19:27 <@krzee> ifconfig -a from client and from server, after vpn is connected.
19:28 <@krzee> then ill just ask based on ip address, which i think will get me the direct answers i want
19:29 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:31 < speaker1234> krzee, http://pastebin.com/gF9anHRf
19:31 <@krzee> can the vpn server ping 192.168.2.25 ?
19:32 < speaker1234> part of the language problem comes from my using speech recognition. The client lan is the network, the client interface is the ethernet device connecting to the network
19:32 < speaker1234> answer to your question, no
19:32 <@krzee> ok
19:32 <@krzee> speech recognition?  handicap or just enjoying a new toy?
19:33 < speaker1234> handicap. Broken hands
19:33 <@krzee> damn that sucks, ill try to be understanding =]
19:33 <@krzee> shit im impressed you pastebinned that
19:33 < speaker1234>  thank you. I appreciate it I'm trying to build interfaces that let disabled people like myself do IT work easier with speech recognition but it's not quite getting there as fast as I want
19:33 < speaker1234> I burned my hands.
19:34 <@krzee> thought you broke them
19:34 < speaker1234> Unfortunately, none of the Dragon naturally speaking cut-and-paste operations work with terminal emulators
19:34 < speaker1234> and burning my hands is the shorthand for I use them and now they hurt
19:34 < speaker1234> we are broken in the form that I have persistent neuropathy/nerve pain of some sort that makes my hands feel like they're on fire all the time
19:35 <@krzee> on the client:  /proc/sys/net/ipv4/ip_forward
19:35 <@krzee> err
19:35 <@krzee> cat /proc/sys/net/ipv4/ip_forward
19:35 < speaker1234> $ cat /proc/sys/net/ipv4/ip_forward
19:35 < speaker1234>     yields 1
19:36 < speaker1234> is there some sort of tun forwarding as well?
19:36 <@krzee> !configs
19:36 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:36 < speaker1234> client and server?
19:36 <@krzee> yes
19:36 <@krzee> and ccd entries
19:37 < speaker1234> okay, I need to strip keys on the client side so this may take me a while
19:37 <@krzee> the keys are inline?
19:37 < speaker1234> yes
19:37 <@krzee> ahh yep you gotta strip them
19:38 < speaker1234> with doing that here because too many people were losing the keys and getting cranky at us stupid IT people... You know the drill
19:39 <@krzee> they lose keys but not configs?
19:40 < speaker1234>  they lose a little of everything. Mind you, it's not most of the people, just a few special ones
19:40 <@krzee> haha
19:41 < speaker1234> http://pastebin.com/ZcCyitjT  slient side
19:41 < speaker1234> speech recognition drops words and typing garbled sequences :-)
19:43 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:45 < speaker1234> http://pastebin.com/EyZ3j2XA
19:46 < speaker1234> I just had a horrible thought. I'm wondering if the server-side firewall needs to be adjusted to accommodate the new networks because when you do a routed network over the VPN, I think the only address the server sees is on the client side of the VPN tunnel
19:54 < speaker1234> firewall looks ok
19:57 <@krzee> ok so i removed the comments myself
19:57 <@krzee> why do you have replay-window?
19:57 < speaker1234> not sure.  it predates me.
19:58 < speaker1234> there is way too much myth arounf here
19:58 -!- fbsd [~hjkl@a89-153-123-253.cpe.netcabo.pt] has joined #openvpn
19:58 < fbsd> hi
20:00 <@krzee> speaker1234, also you can replace a bunch of those /24 routes with a single /20
20:00 <@krzee> a /20 is 16 /24's
20:01 < fbsd> is it possible forward a vpn client to vpn server?
20:01 <@krzee> fbsd, huh?
20:01 < speaker1234> we are adding more x-nets (as we call them) but you are right, /20 /19 nbd for us
20:02 < fbsd> the goal is use vpn in my tablet android
20:02 <@krzee> !android
20:02 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/
20:02 < fbsd> krzee: but my server have 100 Mb/s
20:02 <@krzee> so?
20:02 < fbsd> is more faster than using wifi
20:03 < fbsd> this is the reason i need forward
20:03 <@krzee> if you are stuck on wifi a, b, or G, that is true
20:03 <@krzee> not sure what you mean by "forward"
20:03 <@krzee> you'll still be on wifi
20:04 < speaker1234> I think he means he wants to have the client work in both places or may be once connected on the android, redirect the connection to the server
20:04 < fbsd> VPN Server (on internet) ---- My personal server (with vpn server) ---- My tablet with android
20:04 < speaker1234>  oh, you want to route your tablet through your server over the VPN (that's how I read it)
20:05 <@krzee> yes, doing it has NOTHING to do with openvpn and is not really related to this channel
20:05 <@krzee> and what do you think you will gain from it?
20:06 < fbsd> krzee: more speed i think
20:06 < speaker1234> fbsd, pointer the right direction is to look at adding a route to your android for the VPN server but it might be easier just to run a VPN client on your tablet over to your VPN server
20:06 <@krzee> fbsd, nope.
20:06 < speaker1234> fbsd, you are limited by your Internet connection speed
20:06 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 272 seconds]
20:06 <@krzee> his internet connection is faster than the android interface
20:07 <@krzee> so he'll be limited by that interface, no change based on where the vpn runs
20:07 < fbsd> krzee: if i do a speetest in my server... is greater than in my tablet
20:07 < fbsd> using vpn
20:07 <@krzee> at least thats what i gathered
20:07 <@krzee> fbsd, sure, but then you plan on using THE TABLET
20:07 <@krzee> so it will be no change.
20:08 <@krzee> your tablet will not magically become faster lol
20:08 <@krzee> your goal can be done, but is both a) outside the scope of this channel and b) pointless.
20:09 < fbsd> okay thanks :)
20:09 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
20:10 <@krzee> np
20:12 < speaker1234> so, any ideas? I'm still wondering about forwarding for the tun device.
20:14 <@krzee> nothing to do with that
20:14 <@krzee> if you're on when i come back ill keep looking at it
20:15 <@krzee> or you could use the flowcharts i suggested awhile ago
20:16 < speaker1234> found something.  the iroute statement had the documennted subnet and not the real one
20:25 < speaker1234> ok I confised on iroute
20:26 < speaker1234> I am confused on iwrote
20:26 < speaker1234> I am confused on iroute
20:26 <@krzee> !route
20:26 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
20:26 <@krzee> !iroute
20:26 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
20:26 < speaker1234> do I want to set it to the subnet on the client side?
20:27 < speaker1234> !ccd
20:27 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
20:31 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
20:31 < speaker1234> hooray! that pesky ccd file is a network specification
21:04 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:37 -!- speaker1234 [~speaker12@173-14-129-9-NewEngland.hfc.comcastbusiness.net] has quit [Quit: Leaving]
21:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:23 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
22:25 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 244 seconds]
22:46 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
23:03 -!- GaryOak [~GaryOak@unaffiliated/garyoak] has joined #openvpn
23:03 < GaryOak> !welcome
23:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:04 < GaryOak> I would like to set up an OpenVPN server with Tomato.
23:04 < GaryOak> I just need help with generating keys/dh/etc.
23:05 < GaryOak> I've done it before, but it was before the heartbleed fix and now it keeps throwing errors where "config not found" etc.
23:05 < GaryOak> Also using windows
23:16 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:18 -!- SASDOE [~maxime@unaffiliated/sasdoe1] has joined #openvpn
23:19 < SASDOE> Hey all, I would like to make openvpn obligatory for a single user, having all others use eth0, does anyone know how I can do that? Or just not make openvpn default for other users I can try to take it from there.
23:47 -!- ShadniX [dagger@p5DDFC5B4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:48 -!- ShadniX [dagger@p5DDFF1D3.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Oct 09 2014
00:04 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
00:06 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
00:42 -!- mattock_afk is now known as mattock
01:08 -!- GaryOak [~GaryOak@unaffiliated/garyoak] has quit [Ping timeout: 272 seconds]
01:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 260 seconds]
02:15 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:16 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
02:24 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:43 -!- networkpro [~networkpr@87-126-182-163.btc-net.bg] has joined #openvpn
02:45 < networkpro> Hi guys I have a question of migrating a working OVPN server on pfsense to mikrotik, I'm concerned about the certs and the clients from the ofsense. Thank you in advance!
03:19 -!- GoldenGlovez [~GG@212.83.63.239] has quit [Quit: Eh...]
03:26 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 276 seconds]
03:31 -!- GoldenGlovez [~GG@212.83.63.239] has joined #openvpn
03:32 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:37 -!- u0m3__ [~u0m3@92.80.114.210] has joined #openvpn
03:38 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
03:38 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
03:40 -!- u0m3_ [~u0m3@92.80.114.210] has quit [Ping timeout: 260 seconds]
03:41 -!- dazo_afk is now known as dazo
04:07 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
04:11 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
04:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 276 seconds]
04:45 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
04:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:13 -!- GoldenGlovez [~GG@212.83.63.239] has quit [Ping timeout: 260 seconds]
05:16 -!- GoldenGlovez [~GG@212.83.63.239] has joined #openvpn
05:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
06:04 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has joined #openvpn
06:05 < volkswagner> Greetings!
06:06 < volkswagner> Is it possible to create a reliable server on Windows 7, behind NAT? I'm  getting unexpected and inconsistent results
06:07 < volkswagner> I don't know if this is due to nature of Windows or not. I never tried Windows as the server
06:08 < volkswagner> Here is server config http://pastebin.com/405aDsRx
06:09 < SASDOE> Seems to be only questions and no answers here
06:10 < volkswagner> I have port 1194 forwarded on Netgear UTM25, Clients can successfully connect and local DNS queries work using NSLOOKUP
06:10 < volkswagner> but clients sometimes can't ping by name and/or FQDN of other LAN clients
06:11 < volkswagner> I have windows firewall on server opened for all on port 1194, I also created custom rule to allow all taffic for tun adapter
06:13 < volkswagner> One of the oddest symptoms is trying to access local website hosted on the OpenVPN server
06:14 < volkswagner> I can't access the site via LAN ip, but I can using the tun ip, for this I suspect some odd NAT issue on the router???
06:15 < volkswagner> Should I be creating any routes on the router?
06:16 < volkswagner> So my first and most important question… is it possible to have a reliable server on Windows?
06:16 < volkswagner> Here is guide I followed for server http://blog.defron.org/2013/01/openvpn-server-on-windows.html
06:16 <@vpnHelper> Title: OpenVPN Server on Windows ~ Defron.org: Technology, Security, Privacy (at blog.defron.org)
06:18 < volkswagner> The only changes I made from the how to, was creating second rule on server to allow all traffic on 192.168.137.1
06:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:45 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 260 seconds]
06:49 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
06:49 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
06:52 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
07:33 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 256 seconds]
07:35 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
07:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
07:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
07:53 -!- netan [~netan@94.254.51.246] has joined #openvpn
07:56 < volkswagner> Also it seems I cant force a 255.255.255.0 subnet on the Windows server's 'MyTap' as per the how to :(
07:59 < netan> hi all, I have bought a  VPN service provided by a company but I can't understand what kind of protection this give me,  The key can be downloaded from there website and then I got a 8 characters password sent to my by post
07:59 < netan> It must be really easy to crack this encryption or am I wrong ?
08:01 < netan> can somebody give me a hint on where I can find documentation on how the information are encrypted and how this can be consider safe
08:02 < SASDOE> http://openvpn.net/index.php/open-source/documentation/security-overview.html
08:02 <@vpnHelper> Title: Security Overview (at openvpn.net)
08:02 < SASDOE> google can be useful from time to time
08:04 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
08:05 < linuxthefish> hi, is it possible to tunnel openvpn over a HTTPS proxy?
08:05 < rob0> SASDOE, yes, but we don't even know if the service in question is openvpn-based. :)
08:06 < SASDOE> Well I guessed the op knew since he did manage to land in #openvpn !
08:08 -!- GoldenGlovez [~GG@212.83.63.239] has quit [Quit: Eh...]
08:09 -!- ryuiop [~chatzilla@62-210-193-154.rev.poneytelecom.eu] has joined #openvpn
08:09 < ryuiop> hello there
08:09 <@dazo> netan: depends a lot on the configuration.  OpenVPN is so flexibly so you can easily shoot yourself in the foot, or you can really do really safe things always hitting only what you aim at
08:09 < ryuiop> is there any graphical user interface to manage openvpvn ?
08:10 <@dazo> netan: the password itself isn't necessarily the weakest link ... it all depends on where this password is used and what it is aiming to protect .... a VPN tunnel consists of several security aspects, and this password most likely aims at just one of these aspects
08:10 <@dazo> ryuiop: nope
08:11 <@dazo> ryuiop: well, there is network-manager, for configuring openvpn clients ... but it's really limited in what it can do, because of the broad feature set in OpenVPN
08:15 < ryuiop> ok forme
08:15 <@dazo> linuxthefish: over an https proxy ... I doubt that.  We have code for http proxy, but afair, it does not support SSL ... but why would you want to encapsulate VPN traffic (normally encrypted already) over https?  That's sounds like an additional overhead
08:15 -!- netan [~netan@94.254.51.246] has quit [Ping timeout: 245 seconds]
08:15 < linuxthefish> oh
08:15 < linuxthefish> so i can set openvpn to port 80?
08:16 <@dazo> linuxthefish: that's not about proxying at all
08:16 < rob0> !goal
08:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:16 < linuxthefish> most places i go to have a proxy server that only allows http or https over the proxy
08:17 < linuxthefish> all other traffic is blocked, so if i don't use the proxy server i can't access the internet
08:18 < rob0> yes, you can use TCP and you can use port 80 or 443.
08:18 < rob0> TCP is not ideal, but it sometimes is the best you can do when there are firewalls you don't control.
08:19 < rob0> See --proto and --port in the man page.
08:19 < rob0> Probably also a few hundred examples of people doing the same thing on the mailing list.
08:28 -!- SASDOE [~maxime@unaffiliated/sasdoe1] has left #openvpn []
08:34 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
08:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
08:45 -!- Oins [~Oins@unaffiliated/oins] has joined #openvpn
08:47 < Oins> Used the server.conf example from the website, edited it. But when I try to start it with 'openvpn server.conf' nothing happens. No error, no failure, nothing. Any idea?
08:48 <@ecrist> try
08:49 <@ecrist> openvpn --config server.conf
08:49 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:50 < Oins> ecrist: thanks. tried this. same result. But now found the problem. I defined a log file, so every output goes to the log :)
08:50 < Oins> now it starts
08:51 <@ecrist> :)
08:51 <@ecrist> !man
08:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:52 <@ecrist> probably a needed read.
08:52 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Quit: I'm using a Free IRC Bouncer from BNC4FREE - http://bnc4free.com/]
08:54 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
09:05 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
09:16 < volkswagner> starting openVPN causes static settings on MyTap to become automatic, can I add "netsh" command to openvpn server config?
09:16 < volkswagner> netsh interface ip set address my-tap static 192.168.137.1 255.255.255.0
09:16 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:32 < Oins> ecrist: right :) But I was so confused, that NOTHING happens :)
09:33 -!- Oins [~Oins@unaffiliated/oins] has left #openvpn []
09:33 <@ecrist> volkswagner: sure, --up and --down
09:33 <@ecrist> what's changing you don't want to change?
09:36 < volkswagner> I want to force MyTap to get 255.255.255.0 netmask instead of default 255.255.255.252
09:36 < volkswagner> Manually making changes in adapter profile settings does not stick after restart of pc nor restart of OpenVPN
09:37 <@ecrist> you're going about that wrong
09:37 <@ecrist> !topology
09:37 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
09:38 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Max SendQ exceeded]
09:38 < volkswagner> ecrist, thanks for the link, I'll let you know how I make out.
09:38 <@ecrist> hint - you need to adjust a setting on the server config
09:40 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
09:43 < volkswagner> ecrist: Thank you so much. I can't believe how simple. So far restarting OpenVPN gave me correct netmask
09:43 < volkswagner> rebooting machine now to see if it sticks!
09:44 < volkswagner> I think the OpenVPN docs need to be updated ;) https://openvpn.net/index.php/open-source/documentation/howto.html topology is not found in this page
09:44 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:45 <@ecrist> volkswagner: it's a quick howto
09:45 <@ecrist> read the man page
09:45 <@ecrist> !man
09:45 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
09:48 < volkswagner> ecrist, I added "topology subnet" to my server config, after reboot openVPN errors
09:48 < volkswagner> TCP/UDP: Socket bind failed on local address [AF_INET]10.0.1.3:1194: The requested address is not valid in its context.
09:49 < volkswagner> I use connection sharing between lan adapter and Tun
09:49 <@ecrist> !configs
09:49 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:49 < volkswagner> guess I tried to go to quick, more reading to come ;)
09:52 < volkswagner> server config > http://pastebin.com/4fu394B0 perhaps now I need to get rid of "local" setting??
09:52 < volkswagner> server lan = 10.0.1.0/24
09:53 < volkswagner> I know server lan is a common and should not be used… I'll get client to change that soon!
09:56 < volkswagner> perhaps the server needs a delayed start? I can manually restart ovpn service and all is well
09:58 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:08 < volkswagner> I removed "local 10.0.1.3" and rebooting does not break OpenVPN nor network config
10:08 < volkswagner> ecrist Thank you! I really appreciate your help.
10:14 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 260 seconds]
10:19 <@ecrist> no problem.
10:48 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 260 seconds]
10:56 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:56 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
11:06 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 244 seconds]
11:08 -!- Scramblejams [~Scramblej@ip174-65-75-5.sd.sd.cox.net] has joined #openvpn
11:09 < Scramblejams> Hi all. I'm connecting to a VPN server which occasionally, incorrectly, gives me an auth-failure. OpenVPN then gives up, when I would rather that it retry, because eventually the server on the other end will do the right thing. What directive can I use to get OpenVPN to keep retrying no matter what?
11:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 260 seconds]
11:12 < Scramblejams> ahh auth-retry
11:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
11:16 -!- Scramblejams [~Scramblej@ip174-65-75-5.sd.sd.cox.net] has quit [Quit: leaving]
11:32 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
11:44 -!- Pyrogerg [~Gregory@mobile-166-171-120-001.mycingular.net] has joined #openvpn
11:44 -!- Pyrogerg [~Gregory@mobile-166-171-120-001.mycingular.net] has quit [Max SendQ exceeded]
11:45 -!- Pyrogerg [~Gregory@mobile-166-171-120-001.mycingular.net] has joined #openvpn
11:59 -!- GoldenGlovez [~GG@78.129.218.25] has joined #openvpn
12:19 -!- networkpro [~networkpr@87-126-182-163.btc-net.bg] has quit [Quit: Leaving]
12:21 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
12:22 < dtrainor> Hi.  I know other VPN vendors have a layer 7 component, a browser that downloads a plugin and that's your client.  Does OpenVPN have anything similar?
12:22 < dtrainor> I know there's a Windows client and that's cool too, but Internets are hard for a lot of people.
12:32 -!- someone [~someone@chronostasis.net] has quit [Quit: ZNC - http://znc.in]
12:32 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
12:34 -!- Pyrogerg [~Gregory@mobile-166-171-120-001.mycingular.net] has quit [Read error: Connection reset by peer]
12:39 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 244 seconds]
12:49 -!- GaryOak [~GaryOak@unaffiliated/garyoak] has joined #openvpn
12:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:58 -!- someone [~someone@chronostasis.net] has joined #openvpn
13:00 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 260 seconds]
13:00 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
13:00 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 245 seconds]
13:11 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
13:15 < GaryOak>  please respond
13:16 <@ecrist> no
13:17 <@ecrist> dtrainor: openvpn does not have a browser client
13:17 < dtrainor> haha
13:17 < dtrainor> cool, thanks for confirming
13:17 < GaryOak> ;_;
13:23 -!- Gregor3000 [~quassel@BSN-77-54-206.static.dsl.siol.net] has joined #openvpn
13:23 <@ecrist> GaryOak: you haven't asked or said anything other than, please respond
13:26 < Gregor3000> a strange problem - i can connect to OpenVPN server (Debian) from external network, but how do i connect to it from internal LAN using the OpenVPN windows client? is that a complicated thing to do?
13:27 < GaryOak> Well hold on
13:27 < GaryOak> Anyways I was here last night but no responses
13:27 < GaryOak> I asked a question involving openvpn server hosting on Tomato
13:27 <@ecrist> Gregor3000: it depends on your LAN setup, and what IPs the VPN server is listening on
13:27 < GaryOak> and also creating all they key/cert files on windows
13:28 <@ecrist> if your VPN server isn't listening on the LAN subnet, then your traffic is going to go out the WAN gateway, bounce back in, and the VPN server is giong to reply on the LAN IP, and things get messed up
13:28 -!- _skycrash_ [~sknz@187.95.114.242] has joined #openvpn
13:28 <@ecrist> GaryOak: I'm here now, and not about to scroll up to last night.
13:28 <@ecrist> re-ask your question
13:28 < GaryOak> lol
13:29 < GaryOak> Well for some reason it throws a lot of errors about how easyrsa can't find the config files among other things
13:29 < GaryOak> even after editing the bats so it goes to an absolute path to it, there's still problems
13:29 < GaryOak> let me see what the error messages are specifically
13:29 <@ecrist> which version of easy-rsa?
13:30 < GaryOak> The one included in the 2.3.4 installer vista x64
13:30 < GaryOak> for open vpn
13:30 <@ecrist> can you pastebin your vars file and the errors you're getting?
13:30 < Gregor3000> Lan setup= 4 PC connected to modem (which is assigning IP addresses - DHCP), Server is connected as fifth PC.
13:30 < GaryOak> sure hold on a sec
13:31 < Gregor3000> i am trying to use openmediavault GUI to configure it (so it's posisbel that the needed settigns are missing)
13:32 <@ecrist> why do you want to connect to the VPN on a LAN you're local to?
13:32 < Gregor3000> we have VPn network 10.8.0.0, mask 255.255.255.0, somethign called default gateway (disabled - If enabled, this directive will configure all clients to redirect their default network gateway through the VPN. If disabled, a static route to the private subnet is configured on all clients.)
13:32 < Gregor3000> Client to client is set to allow
13:33 -!- _skycrash_ [~sknz@187.95.114.242] has quit [Quit: Lost terminal]
13:33 < Gregor3000> DHCP options:  DNS server, DNS search domains and Wins server (all fields empty)( and then somethign which is apparetnly just address for client's certificate
13:34 <@ecrist> Gregor3000: can you answer my question?
13:34 < Gregor3000> i want to have it like home made Logmein Hamachi so i could assign the IP and such
13:35 < Gregor3000> there is plenty tutorials on web but most do not explain what the commands or settings entered mean
13:35 <@ecrist> does the media server run on the VPN server, or a separate system?
13:35 <@ecrist> openvpn is no logmein
13:35 < Gregor3000> VPN server is a plugin for Openmediavault
13:36 <@ecrist> with openvpn, openmediavault should end up with two IPs
13:36 <@ecrist> a VPN server IP, likely 10.0.8.1 and a LAN IP
13:36 <@ecrist> you should, when you're on the LAN, use the LAN Ip
13:37 < Gregor3000> user can connect from outside network to server and get's an iP assigned: 10.0.8.6 i can not connect to it
13:37 <@ecrist> you're on the LAN, right?
13:37 < Gregor3000> i am connecting to 192.168.1.9 (LAN web server address) and it says TLS Error: TLS handshake failed
13:38 < Gregor3000> yes
13:38 <@ecrist> why are you trying to connect to the VPN?
13:38 < Gregor3000> i am on 192.168.1.3
13:38 <@ecrist> so what?
13:38 < Gregor3000> the diea of VPN is that i can see other users who are in another LAN correct?
13:39 < Gregor3000> idea
13:39 <@ecrist> the idea of a VPN is so you can security connect from one network to another network
13:39 < Gregor3000> in external lan there are 2 users and VPN is supposed to make it look like we are all in same LAN
13:39 <@ecrist> NO
13:39 < Gregor3000> exactly
13:39 < Gregor3000> no?
13:39 <@ecrist> no
13:40 <@ecrist> your VPN will allow users on remote LANs to connect ot the VPN, which in your case is 10.0.8.0/24.  That network has the ability to route to the real LAN, 192.168.1.0/24
13:40 <@ecrist> that's a horrible address range to share across the internet, btw
13:40 <@ecrist> !1918
13:41 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
13:42 < Gregor3000> well yes that's what i want that they look like they are on my LAN
13:42 <@ecrist> !goal
13:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:43 < Gregor3000> i will be back a bit later to clarify...
13:45 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 250 seconds]
13:48 < GaryOak> well the keys and certs actually don't have any problems generating for some reason now.
13:49 < GaryOak> But when using OpenVPN from my laptop it disconnects
13:49 < GaryOak> hang on I got a pastebin
13:49 < GaryOak> http://pastebin.com/msqm5qsn
13:49 <@ecrist> I'm guessing you're sharing certificates between a couple different machines, and connecting simultaneously 
13:50 < GaryOak> No, just the laptop to my router
13:50 -!- SupaYoshii [~SupaYoshi@158.206.109.145.hva.nl] has joined #openvpn
13:50 <@ecrist> you need to run openvpn as an administrator on your laptop
13:50 < SupaYoshii> Hi, im having issues with my vpn and redirect route.
13:50 < GaryOak> oh hurp
13:50 < SupaYoshii> After a few minutes my Windows re-routes
13:50 <@ecrist> !logs
13:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:51 < SupaYoshii> and I can't ping anything anymore because it seems to change the DHCP server to something wrong?
13:51 < SupaYoshii> http://paste.ubuntu.com/8528483/
13:51 < SupaYoshii> Look at line 47 and around
13:51 < SupaYoshii> im so clueless why it is doing this.
13:51 < SupaYoshii> Linux doesn't seem to have this problem? On a linux raspberry box Im fine.
13:51 < SupaYoshii> :)
13:53 <@ecrist> !configs
13:53 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:53 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
13:54 < SupaYoshii> Client config?
13:54 <@ecrist> both
13:54 <@ecrist> and
13:54 <@ecrist> !logs
13:54 <@ecrist> both
13:54 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:54 < SupaYoshii> http://paste.ubuntu.com/8528496/
13:54 < SupaYoshii> okay i cant post logs now not at my home and my vpn isnt working well x.
13:54 < SupaYoshii> meh
13:54 < SupaYoshii> I already posted the client log.
13:55 < SupaYoshii> As you see it re-routes somehow.
13:55 < SupaYoshii> I dont understand why :/
13:56 <@ecrist> where's the server config?
13:56 < SupaYoshii> at the server, i cant access that right now.
13:56 < SupaYoshii> x.x im home in 2 hours.
13:57 <@ecrist> ok
13:57 < SupaYoshii> funny thing it works at the start, and keeps working fine on a linux client
13:57 < SupaYoshii> with a similiar or same client config
13:57 < SupaYoshii> but windows client somehow acts funny doing this :P
13:57 < SupaYoshii> BUt let me get back to you in 2 hurs.
13:57 <@ecrist> what version of openvpn?
13:58 < SupaYoshii> idk right now.
13:58 < SupaYoshii> :x
13:58 < SupaYoshii> Let me get back to you in 2 hours, i thought it was something simple according to the log of the windows client.
13:59 < SupaYoshii> I thought this would be influencing it? resolv-retry infinite
13:59 < SupaYoshii> ?
14:03 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
14:03 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
14:04 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Ping timeout: 258 seconds]
14:05 < Gregor3000> ecrist: you threw a great deal of links at me. :-) Hamachi is a VPN client only difference is they provide the server or rather if oyu pay you can configure the stuff quite a bit too. so my goal would be to see computers in another LAN liek they are in my own lan. let's say my lan is LAN A and their is LAN B. they share a folder to  all LAN B users and they can see it modify it etc. can openVPn make it look like i am in the sam LAN
14:05 < Gregor3000> so i can also share my fodler with them an duse their shared folders?
14:06 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
14:06 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
14:07 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
14:08 < Gregor3000> many times people on Linux forums ask hwo to install hamachi and they are kind of looked down as in " why would you use proprietary software when there is OpenVPN?"
14:16 -!- fixxxermet [~lopan@vps.gnulnx.net] has joined #openvpn
14:19 -!- ryuiop [~chatzilla@62-210-193-154.rev.poneytelecom.eu] has quit [Ping timeout: 250 seconds]
14:24 < SupaYoshii> okay 2 hours from now ill be back
14:25 < SupaYoshii> wondering why my vpn traffic stops working haha :P goign to post the server results.
14:25 < SupaYoshii> :)
14:33 -!- dazo is now known as dazo_afk
14:39 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
14:58 -!- SupaYoshii [~SupaYoshi@158.206.109.145.hva.nl] has quit [Ping timeout: 245 seconds]
15:01 -!- Gregor3000 [~quassel@BSN-77-54-206.static.dsl.siol.net] has quit [Remote host closed the connection]
15:01 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Ping timeout: 272 seconds]
15:20 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has joined #openvpn
15:50 -!- moonkid [~anonymous@108-242-212-69.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:03 -!- dreamcat4 [~dreamcat4@62.49.10.153] has joined #openvpn
16:04 < dreamcat4> hi. any other decent openvpn clients on windows ? (apart from viscosity)
16:05 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 250 seconds]
16:05 < dreamcat4> what about softetherVPN ? any good ?
16:13 -!- mattock is now known as mattock_afk
16:13 < dreamcat4> another question: i've read that routed mode is a better idea than bridged (for performance etc) ?
16:14 < dreamcat4> which mode (bridged or routed) is better for a slow WAN link, 60-90 kilobytes / sec
16:22 -!- dtrainor [~dtrainor@ip72-208-196-164.ph.ph.cox.net] has quit [Quit: Leaving]
16:27 < BtbN> !tuntap
16:27 < BtbN> hm
16:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
16:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
16:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 246 seconds]
16:37 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:49 -!- Latrina [~Latrina@ppp-212-24.26-151.libero.it] has quit [Ping timeout: 260 seconds]
16:49 -!- Latrina [~Latrina@ppp-124-53.26-151.libero.it] has joined #openvpn
16:54 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
17:02 -!- moonkid [~anonymous@108-242-212-69.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:10 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-sphvhonoudknsyec] has joined #openvpn
17:10 < SupaYoshi> hi. im back. ecrist
17:10 < SupaYoshi> are you still around? :)
17:12 < SupaYoshi> http://paste.ubuntu.com/8529457/ this is my server log /var/log/openvpn.
17:13 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has joined #openvpn
17:13 < SupaYoshii> http://paste.ubuntu.com/8528496/ and this is my client log file on Windows.
17:14 < SupaYoshi> correction that is my config, wait.
17:15 < SupaYoshi> server logfile: http://paste.ubuntu.com/8529457/ server config file: http://paste.ubuntu.com/8529480/
17:16 < SupaYoshi> client log file: http://paste.ubuntu.com/8528483/ client config file:  http://paste.ubuntu.com/8528496/
17:17 < SupaYoshi> The problem I have, is that after a few minutes the client gets unable to ping literally anything. / connect to any devices.
17:17 < SupaYoshi> It can't ping internet anymore, it cant do anything it could do when the connection was just established.
17:17 < SupaYoshi> It works fine right away when the connection is established with the VPN server. Then it works for approx. 3 minutes.
17:17 < SupaYoshi> And then it stops working.
17:19 < SupaYoshi> I cant find anything in the config file or the log of the server, but the client logfile shows me this line, http://paste.ubuntu.com/8528483/ till line 34 on the logfile of the client. SENT CONTROL [HOMESRV]: 'PUSH_REQUEST' (status=1)
17:19 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
17:20 < SupaYoshi> Can anyone help me and tell me why it works, and then stops working all of a asudden?
17:24 < SupaYoshi> I want to block traffic between my "guest" zone and my "lan" zone.
17:24 < SupaYoshi> My guest zone is a wifi network. :P
17:24 < SupaYoshi> Im trying to do this with the webgui, :p
17:26 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
17:28 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
17:29 -!- GaryOak [~GaryOak@unaffiliated/garyoak] has quit [Ping timeout: 245 seconds]
17:36 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 245 seconds]
17:38 -!- SupaYoshii [~SupaYoshi@ip4da5d319.direct-adsl.nl] has quit [Ping timeout: 246 seconds]
17:42 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
17:49 -!- joat [~freenode@ip70-160-158-40.hr.hr.cox.net] has joined #openvpn
17:56 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
18:05 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has quit [Quit: Leaving.]
18:08 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
18:11 < SupaYoshi> Ah i figured it out
18:12 < SupaYoshi> I am using certificates with the same name HOMESRV.
18:12 < SupaYoshi> But I am sure the client name isnt the same?
18:12 < SupaYoshi> on the certificates?
18:15 -!- fbsd [~hjkl@a89-153-123-253.cpe.netcabo.pt] has quit [Quit: leaving]
18:20 -!- dreamcat4 [~dreamcat4@62.49.10.153] has quit [Quit: Lost terminal]
18:20 < SupaYoshi> does the ca file have to be unique on each client?
18:23 <@krzee> ca is the same on all, each client must have a unique common name
18:24 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:24 < SupaYoshi> nvm got it.
18:24 < SupaYoshi> tyeah
18:25 < SupaYoshi> #fail at me.
18:26 < SupaYoshi> btw, how do i revoke a certificate?
18:26 <@krzee> !crl
18:26 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
18:26 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
18:28 < SupaYoshi> got it thanks :D
18:29 < SupaYoshi> ./revoke-full clientname is wha i did.
18:41 < SupaYoshi> any idea how to get netbios name resolving working over openvpn?
18:42 < SupaYoshi> if thats even possible :p
19:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
19:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:08 <@krzee> !wins
19:08 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:22 -!- mode/#openvpn [+v _FBi] by ecrist
20:11 -!- dxirinac [~dxirinac@186.176.56.228] has joined #openvpn
20:18 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
20:25 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
20:26 < dxirinac> wazzupp people! have a question for you, why when I configure openvpn client using a virtual IP for the remote server, it replies back with the physical IP address of whatever device has the master at that point?
20:27 < dxirinac> is there a way to have the server respond from the Virtual IP itself? because connection attempts are failing because of that
20:31 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
20:55 <@ecrist> dxirinac: openvpn is going to use the first IP on the interface
20:55 <@ecrist> I believe this is a known limitation that's going to be fixed in the future.
20:56 <@ecrist> but, it'll only reply from an IP that has a route
20:58 -!- fling [~fling@fsf/member/fling] has joined #openvpn
21:09 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:26 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:32 < dxirinac> @ecrist thanks for the reply! do you know where I can find some documentation regarding this known limitation?
21:33 <@krzee> ecrist, cant he use policy routing to make it happen?
21:34 <@ecrist> yes
21:35 <@krzee> werd
21:35 <@ecrist> he could also use interface IP aliases instead of virtual interfaces
21:35 <@krzee> hmm
21:35 <@ecrist> or, he could quit trying to connect to an interface "through" the server, and connect to the proper "local" interface of the machine
21:36 <@krzee> if hes actually using virtual interfaces i wonder if --multihome would fix his issue
21:36 <@krzee> i think it might
21:37 <@krzee> dxirinac, can you try putting:    multihome           in the server config?
21:38 <@krzee> (assuming its a linux server)
21:40 -!- moonkid [~anonymous@23.124.169.46] has joined #openvpn
21:45 < dxirinac> servers are 2 vyattas on HA config
21:47 < dxirinac> @ecrist, the problem is if I connect to the proper local interface, then the HA environment would be worth nothing
21:47 < dxirinac> vpn will fail when the master has a problem and failover occurs
21:47 <@ecrist> dxirinac: it will fail anyway
21:48 <@ecrist> the only good way to do that is to put both server addresses in the client config in --remote lines
21:48 <@ecrist> remote server1.example.org 1194
21:48 <@ecrist> remote server2.example.org 1194
21:48 <@ecrist> your HA isn't going to hold up
21:54 <@ecrist> dxirinac: ^^^
21:55 <@ecrist> krzee: FYI, I should be able to poke at the mail server stuff tomorrow, finally.
21:55 <@ecrist> we're migrating forums to an upgraded box, both in hardware, and in OS version
21:55 <@ecrist> I've been working to clear a lot of cruft, so forums is a fresh install
21:56 <@ecrist> I'm moving my mail server to a new machine, as well, so I need to roll through all the config needed to do that.  squirrelmail will still live at the same URL, but I might as well get the backend moved now.
21:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:58 < dxirinac> @ecrist why it won't? it should!
21:58 < dxirinac> vyatta has connection tracking
21:59 < dxirinac> so they share state information between master/backup?
21:59 <@ecrist> no
21:59 <@ecrist> the SSL negotiation between openvpn and the client will reset when the other openvpn instance takes over
22:00 <@ecrist> that will result in a restart for the client
22:00 <@ecrist> restart of the openvpn session, not the machine, obviously
22:25 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
22:29 -!- moonkid [~anonymous@23.124.169.46] has quit [Quit: moonkid]
22:37 < pekster> dxirinac: Maybe you want --local which uses bind(2). Alternatively you could policy route if your have exotic needs that won't work for
22:39 <@krzee> --local wont help the traffic on its way back out
22:40 <@krzee> but really even if he gets that working it wont do what he wants
22:40 <@krzee> it was what he thought he needed, but what he thought he needed wouldnt do what he thought it would ;]
22:41 < dxirinac> at least I peaked your brains a little, seems my situation is of interest to you guys :D
22:42 < dxirinac> I will test with that multihome setup and if it doesn't work or doesn't do what is expected, try out the policy routing! you may see me around tomorrow as well on this channel
22:42 < dxirinac> thanks a lot for the help and the tips so far!
22:43 <@krzee> dxirinac,
22:43 <@krzee> what ecrist said is true, you dont need HA failover at all with openvpn, the ssl connection will break either way
22:44 <@krzee> just use multiple --remote statements and the client will try them til it gets on one, when that goes down it'll get on the next one it can (according to your --keepalive settings)
22:46 < dxirinac> what if by any chance it connects over the one that is on backup state at that time? nothing will work in that case
22:47 <@krzee> a) you can configure routing so that everything still works fine
22:47 <@krzee> b) you can decide to use whatever triggered the HA to trigger starting openvpn, and not have it running on the backup when not being used
22:48 <@krzee> personally i go with a) when in those situations
22:48 <@ecrist> dxirinac: you need to configure it properly.  your HA will failover the server as you may anticipate, but the SSL session will reset, resulting in the client reconnecting.
22:48 <@ecrist> either move your openvpn instance to a single server behind the HA cluster, or setup routing properly so each instance on the HA cluster is able to route and function.
22:49 < dxirinac> so to summarize, there is no such thing as "Highly available OpenVPN" using just the VIP
22:50 <@ecrist> no
22:50 < dxirinac> that's a downer! :P
22:50 < dxirinac> anyways thanks for the help and sharing!
22:51 <@ecrist> np
22:51 -!- dxirinac [~dxirinac@186.176.56.228] has quit [Quit: Leaving]
22:52 <@ecrist> !ha
22:53 <@krzee> not sure id be a fan of servers sharing state info with eachother
23:05 <@ecrist> !learn ha as See http://www.secure-computing.net/wiki/index.php/OpenVPN/High-Availability for a brief explaination about OpenVPN and HA
23:05 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
23:05 <@ecrist> krzee: please ^^^
23:26 <@ecrist> more work to do on that wiki page, but the basis is there.
23:26 -!- nutron [~nutron@unaffiliated/nutron] has quit [Ping timeout: 244 seconds]
23:29 <@krzee> !learn ha as See http://www.secure-computing.net/wiki/index.php/OpenVPN/High-Availability for a brief explaination about OpenVPN and HA
23:29 <@vpnHelper> Joo got it.
23:31 <@krzee> nice diagrams
23:34 <@ecrist> thanks
23:34 <@ecrist> added some text.
23:34 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
23:35  * ecrist poofs
23:35 <@krzee> "or use DNS round-robin"
23:36 <@krzee> i have found issues with that when the OS resolver doesnt do what i wanted back when i tested that
23:36 <@krzee> some clients would continually get the same IP for the hostname
23:37 <@krzee> (of course this was years ago)
23:37 -!- nutron [~nutron@unaffiliated/nutron] has quit [Read error: Connection reset by peer]
23:45 -!- ShadniX [dagger@p5DDFF1D3.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:47 -!- ShadniX [dagger@p5DDFF8CA.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Oct 10 2014
00:14 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
00:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
00:41 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:55 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
01:10 < KNERD> Trying out this android irc client on this tablet
01:11 < KNERD> Not bad at all . just hate pecking at the screen
01:15 -!- mattock_afk is now known as mattock
01:44 -!- mattock is now known as mattock_afk
01:47 -!- mattock_afk is now known as mattock
02:28 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
02:37 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
02:39 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
02:42 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
02:49 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
02:50 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
03:39 -!- dazo_afk is now known as dazo
03:47 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:12 -!- Lukimya [~quassel@das525136.ulapland.fi] has joined #openvpn
04:20 < Lukimya> anybody having proplems with arch+myprivateinternetaccess lately?
04:25 < Lukimya> !welcome
04:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:26 < Lukimya> !logs
04:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:01 -!- elfixit1 [~Icedove@229-227.197-178.cust.bluewin.ch] has joined #openvpn
05:01 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has quit [Read error: Connection reset by peer]
05:04 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has joined #openvpn
05:17 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 260 seconds]
05:19 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
05:31 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 245 seconds]
05:36 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
05:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:48 < Lukimya> http://pastebin.com/YCcxX402 trying to connect with this on a linux box to privateinternetacces. it shows connected in the network manager, but when i go to whatsmyip.org it shows my real location so its not really connected
05:48 < Lukimya> annoying...
06:11 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
06:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:17 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
06:17 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:31 -!- Lukimya [~quassel@das525136.ulapland.fi] has quit [Remote host closed the connection]
06:37 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has joined #openvpn
06:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
06:58 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
07:03 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
07:15 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
07:18 <@krzee> lol @ debugging with verb 1
07:20 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
07:20 < urbanendeavour> hi
07:21 < urbanendeavour> I am not able to copy files over the VPN, it is failing on multiple windows clients.
07:21 <@krzee> but you are able to ping?
07:25 < urbanendeavour> I can copy small files
07:25 <@krzee> !speed
07:25 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
07:25 < urbanendeavour> anything above 3mb and it freezes
07:25 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
07:25 < urbanendeavour> I can copy the files using another VPN on the same network
07:26 < urbanendeavour> krzee, It is a 100Mb/100mb link
07:26 <@krzee> see all of the above.
07:26 <@krzee> ALL
07:26 < urbanendeavour> "make sure you are connected to the network and try again"
07:26 <@krzee> ALLLLL
07:27 <@krzee> !read
07:27 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
07:30 < urbanendeavour> It is not a speed issue, it fails
07:30 <@krzee> no shit, check ALL the same things
07:30 <@krzee> something about what i said was confusing?
07:30 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
07:31 < urbanendeavour> One user on the network and I need to check utilization.
07:31 < urbanendeavour> WTF
07:31 <@krzee> i mean do you need me to say each one to you seperately so you feel like it applies to you?
07:31 < urbanendeavour> !tcp
07:31 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
07:34 -!- netan [~netan@94.254.51.252] has joined #openvpn
07:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
07:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
07:39 < netan> hi all, yesterday I ask here for some docs about how openVPN works and got this link: http://openvpn.net/index.php/open-source/documentation/security-overview.html . I read it but it is just to technical and assume you already have a lot of knowledge
07:39 <@vpnHelper> Title: Security Overview (at openvpn.net)
07:40 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Read error: Connection reset by peer]
07:40 -!- andres [~andres@crystalspace3d.org] has joined #openvpn
07:40 < netan> do anybody know some docs that is easer to understand for a newbie ?
07:41 < BtbN> Well, there isn't realy something easy about it.
07:41 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
07:41 < andres> Hi. Is there a way to get the remove public key cert if it fails verification? I'm trying to connect to some host (I don't have administrative control over) and  I don't understand why the cert won't validate. And it's hard to debug without seing hte cert.
07:41 < urbanendeavour> krzee, none of those work
07:42 < netan> BtbN, I was hoping I could find some kind of step by step explanation like 1. you send something and then 2 get something in return
07:42 < urbanendeavour> andres, do you know how to resolve file copy hanging?
07:42 < urbanendeavour> above 3mb and it dies.
07:42 < BtbN> netan, what?
07:44 < netan> BtbN,  yea, sorry,  some kind of step by step guide for how information are sent / encrypted / received
07:45 < BtbN> Something like that doesn't exist.
07:45 <@krzee> urbanendeavour, so you checked your MTU already?
07:45 < urbanendeavour> krzee, configured where?
07:46 < netan> .actually I just want to know if my connection is secure,
07:46 < urbanendeavour> On the switches they are set to 1500
07:46 < netan> I have bought a  VPN service provided by a company but I can't understand what kind of protection this give me,  The key can be downloaded from there website and then I got a 8 characters password sent to my by post
07:46 <@krzee> i thought you tried them all and none worked
07:46 <@krzee> !mtu
07:46 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
07:46  * krzee adds you to ignore list, i dontn want to fight you to help you
07:46 <@krzee> makes my life easier to filter it out
07:47 < netan>  It must be really easy to crack this encryption just by brutal force or am I wrong ?
07:47 <@krzee> netan, wrong.
07:47 < netan> krzee, how come ?
07:47 <@krzee> netan, what cipher do they use?
07:48 <@krzee> to make it easy to brute force they would have to purposely break their crypto or really not know wtf they're doing
07:48 <@krzee> default cipher in openvpn is blowfish, which is quite resistant to brute forcing
07:49 < BtbN> I use aes-256-cbc everywhere, to take advantage of aes acceleration.
07:49 <@krzee> netan, but really i dont know your provider so i cant get exact on their configuration… you might want to talk to THEIR tech support and then read up on what they use
07:50 < netan> the cipher are  AES-256-CBC but all the keys are just downloaded here  https://bahnhof.se/filestorage/userfiles/file/Bahnhof-OpenVPN_v3.zip
07:52 < netan> what I been doing is downloading this files and add them to /etc/openvpn/  is that the right way to do it, don't I need to create my own key ?
07:52 <@krzee> since im not downloading that, tell me what it contains
07:52 < BtbN> The private key...
07:52 <@krzee> or better yet, show me your config
07:52 < BtbN> the config is also in there
07:52 <@krzee> BtbN, no promise there IS a private key
07:53 <@krzee> likely there is not from the looks of the static filename on the zip
07:53 < BtbN> "tls-auth tls.key 1"
07:53 < BtbN> And that tls.key is also in there
07:54 <@krzee> thats not a private key
07:54 <@krzee> !hmac
07:54 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
07:54 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
07:54 < Mattias> !recommended vpn
07:54 < BtbN> ah!
07:54 <@krzee> Mattias, what ya looking for?
07:54 < BtbN> auth-user-pass
07:54 <@krzee> BtbN, aye.
07:54 < netan> the zip contain 3 files, ca.crt , client.ovpn,  tls.key
07:55 < BtbN> Not the most secure authentication, but the resultion connection is basicaly impossible to decrypt
07:55 < Mattias> krzee: I found some site, I think it was called vpnreviews. It shows the best vpns with user reviews I believe. the vpn I use now is on rank #23. I was thinking vpnHelper might have suggestions for even better vpns :P
07:55 <@krzee> pastebin client.ovpn
07:55 < BtbN> *resulting
07:55 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
07:55 < netan> BtbN, wait I will create a gist with my config file
07:55 <@krzee> Mattias, you can check, i dont think it does (we usually dont deal with people with providers here  (see !provider ))
07:55 <@krzee> !factoids
07:55 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:57 <@krzee> netan, the auth itself might be brutable, especially if admins dont have an eye on auth failures… like BtbN said the resulting crypto would still be tough as hell… but i guess it should be theorhetically possible for someone with wayway more skills than i to do
07:58 < BtbN> breaking aes256? That still takes geological ages.
07:58 <@krzee> BtbN, no
07:58 <@krzee> breaking the auth and then following the crypto
07:58 <@krzee> theres no PKI
07:59 < netan> BtbN,  here is my config  https://gist.github.com/anonymous/e437023b03d049c95028
07:59 <@vpnHelper> Title: gist:e437023b03d049c95028 (at gist.github.com)
07:59 < BtbN> Isn't the aes key exchanges using dh on each connection?
07:59 <@krzee> maybe the dh still makes that impossible tho
07:59 < BtbN> *d
07:59 <@krzee> i would want syzzer to speak up before i would talk like im sure.
07:59 < netan> krzee, ... wait . I will read what you been writing
07:59 <@krzee> (that was me pinging him)
08:05 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
08:06 < netan> krzee, sorry, I try to understand what I am doing, reading the answer and posting gists at the same time,  my question is basically how my connection can be secure then I download all files except a 8 digits password from the Internet?
08:06 <@krzee> !dh
08:07 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
08:07 <@krzee> like i said i would like syzzer to speak on it, but im pretty sure that is what you're relying on for security all together
08:08 <@krzee> your auth is drastically weakened by not having pki, but your effective cipher key should be protected by dh
08:09 < netan> krzee, Is it me you are talking to ?
08:09 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:09 <@krzee> yes
08:09 < urbanendeavour> krzee, tried all your suggestions, now I cannot connect at all
08:09 < urbanendeavour> it should work out of the bag really.
08:09 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
08:10 < urbanendeavour> it just says disconnected when I try and connect.
08:16 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Read error: Connection reset by peer]
08:17 -!- MadHatter42 [~tuwid@109.69.2.62] has joined #openvpn
08:26 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
08:27 < urbanendeavour> !speed
08:27 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
08:27 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
08:27 < andres> FWIW, there really doesn't seem to be an option to get the remote certificate. It can be relatively easily patched into the source tho.
08:27 < urbanendeavour> !tunortap
08:27 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
08:27 <@vpnHelper> rooted/jailbroken) support only tun
08:28 < urbanendeavour> !mtu
08:28 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
08:28 < urbanendeavour> !--mtu-test
08:31 <@krzee> andres, remote certificates? what is it you wanna do?
08:32 < netan> I clean up the gist I was posting before and also try to explain my problem, I spent hours trying to find an answer so I should really appreciate your help : )
08:33 < netan> https://gist.github.com/anonymous/99e7606b7efb5995860d
08:33 <@vpnHelper> Title: gist:99e7606b7efb5995860d (at gist.github.com)
08:35 <@krzee> netan, learn what DH is
08:36 <@krzee> and AES-256-cbc
08:36 < andres> krzee: I had a case where the server's certificate didn't validate against the CA certificate I was given. Without control over the server it's hard to debug such a case currently.
08:36 <@krzee> !certverify
08:36 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
08:36 <@krzee> checked if YOUR cert and the CA validate?
08:36 <@krzee> maybe a corrupted ca download?
08:36 < andres> vpnHelper: the problem was that the server's cert didn't validate. And I didn't have access to the server.
08:37 <@krzee> andres, im asking if you checked YOURS
08:37 <@krzee> not theirs.
08:37 < andres> To debug the issue I thus needed the cert from the server side - which I didn't have access to.
08:37 <@krzee> no.
08:37 < andres> Yes, my local cert validated.
08:37 <@krzee> ok
08:37 <@krzee> then yes ;]
08:37 <@krzee> you need to get support from them.
08:38 < andres> I hacked openvpn to do fcrt = X509_STORE_CTX_get_current_cert(crt); PEM_write_X509(stderr, fcrt);.
08:38 < andres> Did the trick.
08:38 <@krzee> hah nice
08:39 < andres> (in verify_callback())
08:39 <@krzee> and their cert in fact does not verify with your locally stored CA, but yours does?
08:39 < andres> The server's cert was signed by an intermediate CA...
08:39 < andres> Which $annoying_admin didn't send out.
08:39 <@krzee> yep definitely need support from them. =;/
08:40 <@krzee> s/;//
08:40 < andres> It helps to tell them exactly what they did wrong ;)
08:40 <@krzee> totally!
08:40 < andres> I do wonder why openvpn doesn't support displaying the cert somehow in such cases.
08:40 < andres> Makes debugging rather annoyin.
08:40 <@krzee> you're the first person ive seen do that to get the cert btw ;]
08:41 <@krzee> good question i guess, feel free to send a request in trac
08:41 < fixxxermet> Hey guys.  Having an issue with connecting a client while using TAP.  My configs and errors are here: http://pastie.org/private/jxd9puklcpcug3ynyk0hhw#12
08:41 <@krzee> !trac
08:41 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database.
08:41 < fixxxermet> Unfortunately the server is TAP and I can't change that
08:41 < fixxxermet> I'm also not able to upgrade the version of the server at this time.
08:41 < andres> My guess is that not everyone has written openssl using code ;)
08:41 <@krzee> andres, in debugging i think its usually assumes you have access to the server
08:42 < andres> I wish. There's sufficiently paranoid (which doesn't equate to capable unfortunately) people around...
08:42 <@krzee> dont sufficiently paranoid people wish to run their own servers?
08:42 <@krzee> you know, instead of routing through unknown people who may sniff and whatnot...
08:43 < andres> Uh. When you need access to foreign networks...
08:43 < andres> Not everyone uses openvpn to hide filesharing and such ;)
08:44 < andres> Most clients I work for only allow access to their network via some VPN. Openvpn if I'm lucky...
08:45 <@krzee> if its just for access to another country (china firewall for example) i miss where paranoia comes in
08:46 < andres> "No, we can't tell you how the server is configured! That'd violate our security policy! And we have imporant data!!!"
08:46 <@krzee> oh lol
08:46 <@krzee> got ya
08:47 <@krzee> thought you meant suffienctly paranoid users, now i understand
08:49 < urbanendeavour> krzee, I am ssh into the server while I do a file copy and the server starts to become unresponsive, any ideas?
08:51 < urbanendeavour> RDP to servers and web access to vmware seems ok, just the large files that kill it.
08:59 -!- netan [~netan@94.254.51.252] has quit [Quit: Leaving]
08:59 < andres> krzee: reported as #458... We'll see if something comes out of that.
09:12 < urbanendeavour> when I copy files it says 0bytes.
09:12 < urbanendeavour> and then fails, why?
09:13 -!- mihok [~mihok@CPE6c198f9b60bf-CM00222d76471d.cpe.net.cable.rogers.com] has joined #openvpn
09:13 < mihok> !welcome
09:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:13 < mihok> Is there somewhere to download the openvpn docs for offline consumption?
09:14 < mihok> Or a pdf of them?
09:14 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 246 seconds]
09:14 -!- andres [~andres@crystalspace3d.org] has left #openvpn ["WeeChat 1.0.1"]
09:15 <@Eugene> They're included in the source
09:15 <@Eugene> !man
09:15 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
09:15 <@Eugene> Or save as HTML
09:15 < mihok> Alrighty, thank you Eugene
09:16 <@Eugene> I don't know of any pdf or ebook form. you can probably find a man page app for $MOBILE_OS
09:20 < ValdikSS> By the way, why recvbuf and sndbuf are default to 64K? Sometimes, it is very speed limiting. I suppose, OpenVPN should either use system values or increase defaults
09:20 -!- lukimya [~Lukimya@178.162.199.143] has joined #openvpn
09:26 -!- cwillu_at_work [cwillu@2600:3c02::f03c:91ff:fe96:df43] has joined #openvpn
09:48 < cwillu_at_work> Hi; I've got a small vpn installed on a windows server to permit access to a box at another site
09:49 < cwillu_at_work> Currently, there's a windows laptop, and two linux machines logging into it
09:49 < imsomeoneelse> Good morning all (or evening depending on wherever you are) another day, another openvpn question: Can I run the same instance as both client and server, or do I need two OpenVPN instances for that?
09:49 < cwillu_at_work> It worked for a while, but recently, for no apparent reason, the windows machine has stopped installing a route for the vpn
09:50 < cwillu_at_work> so it can't reach any other machines on the vpn
09:50 < imsomeoneelse> I mean, client to another OpenVPN server but at the same time a VPN server to some totally different clients
09:50 < cwillu_at_work> any common gotchyas that I might be tripping over?
09:50 < cwillu_at_work> if I manually add the route to that machine, it can reach everyone on the vpn
09:51 < cwillu_at_work> windows client config: http://cwillu.com:8080/184.69.58.98/3
09:51 < cwillu_at_work> linux client configs: http://cwillu.com:8080/216.197.164.251/1
09:51 < cwillu_at_work> server config: http://cwillu.com:8080/184.69.58.98/4
09:54 < cwillu_at_work> imsomeoneelse, not sure if there's a better way, but running one instance of openvpn as a regular server, and a second one as a client with --no-bind should work
09:54 < cwillu_at_work> you'd just have to set up routing or bridging between the two tap/tun's
09:55 < urbanendeavour> Can anyone advise me on why copying files from a windows server to windows client dies if the file is larger than 1MB?
09:56 < urbanendeavour> On my other VPN I get 1MB/sec transfer speeds and no disconnects.
09:56 < cwillu_at_work> urbanendeavour, openvpn on udp or tcp?
09:56 < cwillu_at_work> also, define dies
09:56 < urbanendeavour> I have tried both.
09:57  * cwillu_at_work subscribes to the theory that he's more likely to get help if he tries to help answer questions while waiting :p
09:57 < cwillu_at_work> urbanendeavour, which are you on currently though?
09:57 < cwillu_at_work> (tcp has some unfortunateness when putting another tcp-based protocol over it, so I'd stick to udp)
09:57 < urbanendeavour> "network error there is an issue accessing the resource"
09:58 < cwillu_at_work> after some amount has transferred, or?
09:58 < urbanendeavour> I can traverse the folders, I can download the same file using a different VPN solution.
09:58 < urbanendeavour> after 1MB is hangs, then the error comes up.
09:59 < urbanendeavour> cwillu_at_work, how to check which I am using?
09:59 < cwillu_at_work> udp is the default
09:59 < urbanendeavour> "adaptive is enabled"
09:59 < urbanendeavour> I put back the defaultafter trying manually.
09:59 < cwillu_at_work> look for "udp" or "tcp" in your config
09:59 < cwillu_at_work> if it doesn't say either, than it should be udp
10:01 < urbanendeavour> there is no entry.
10:01 < cwillu_at_work> so, udp
10:02 < cwillu_at_work> any mtu settings enabled?
10:02 < urbanendeavour> none
10:03 < cwillu_at_work> mss-fix or fragment?
10:03 < imsomeoneelse> cwillu_at_work: for your routing problem try adding something like this to your server.conf: push "route 192.168.1.0 255.255.255.0"
10:03 < urbanendeavour> no
10:03 < cwillu_at_work> imsomeoneelse, server already expands to that though
10:03 < cwillu_at_work> and the other clients work fine
10:04 < imsomeoneelse> hmm does it? Ok, that was my only proposed solution, sorry :)
10:04 < cwillu_at_work> :p
10:04 -!- soulisson [~soulisson@unaffiliated/soulisson] has joined #openvpn
10:04 < cwillu_at_work> urbanendeavour, try adding "fragment 1300" and "mssfix" to your config
10:05 < urbanendeavour> those two on separate lines?
10:05 < cwillu_at_work> yes
10:06 < soulisson> Hi, i have an issue with OpenVPN, i'm doing an online lab which requires creating two tap interfaces, i'm running on Ubuntu 14.04.1, how can i create a second tap?
10:06 < cwillu_at_work> soulisson, are you following instructions intended for some variant of linux?
10:07 < soulisson> Yes
10:08 <@krzee> it makes itself, just use 'dev tap'
10:08 < cwillu_at_work> ^
10:08 < cwillu_at_work> urbanendeavour, any luck?
10:08 < cwillu_at_work> soulisson, you a regular?
10:08 < urbanendeavour> same problem
10:09 < urbanendeavour> it says 0 bytes/second on a 17mb file.
10:09 < cwillu_at_work> any chance there's a stateful firewall on either end of the connection that's cutting off the connection?
10:09 < cwillu_at_work> (and which would be configured to not do that with the other vpn?)
10:10 < urbanendeavour> How can that be when I am tunneling?
10:10 < cwillu_at_work> the vpn's packets themselves
10:10 < cwillu_at_work> i.e., it would be seeing openvpn packets, not smb packets
10:11 < urbanendeavour> The VPN connection is not breaking
10:11 < urbanendeavour> only the file transfer.
10:11 < cwillu_at_work> so, for instance, if you have a ping running continuously during the transfer, the ping doesn't drop, but the transfer does?
10:11 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:11 < cwillu_at_work> (also, both sides of the connection are windows, or?)
10:12 < urbanendeavour> win7 to win2012r2
10:13 < cwillu_at_work> are any of the machines involved the same ones as on the other installation where things work properly?
10:13 < urbanendeavour> I am getting packet loss to the VPN server
10:13 < cwillu_at_work> i.e., are both transfers going to your laptop or some such?
10:13 < urbanendeavour> from my laptop to the server.
10:18 < soulisson> Have you ever successfully encapsulated an openvpn tunnel in an another openvpn tunnel?
10:19 < cwillu_at_work> I have
10:20 < cwillu_at_work> Not recently though; these days, I tend to abuse ssh for those purposes via nested port forwards (which don't suffer from the tcp-over-tcp issues, before you ask :p)
10:22 -!- elfixit1 [~Icedove@229-227.197-178.cust.bluewin.ch] has quit [Ping timeout: 246 seconds]
10:23 <@krzee> soulisson, yes, i even wrote a doc about it
10:24 <@krzee> NOT about walking people through doing it, but just keeping some info i found interesting while doing it
10:24 <@krzee> !google vpnchains
10:24 <@vpnHelper> VPNCHAINS | SourceForge.net: <http://sourceforge.net/projects/vpnchains/>; VPNCHAINS / Wiki / Home - SourceForge: <http://sourceforge.net/p/vpnchains/wiki/>; OpenVPN/VpnChains - Secure Computing Wiki: <https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains>
10:24 <@krzee> the secure computing wiki link
10:24 < soulisson> krzee, thanks :)
10:24 <@krzee> i dont walk people through doing it, but if you plan on learning what it takes i suggest reading my doc at:
10:24 <@krzee> !route
10:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
10:24 < urbanendeavour> how do I configure the IP addresses with bridging mod?
10:24 < urbanendeavour> mode
10:30 < urbanendeavour> why do I reveived this error?
10:30 < urbanendeavour> IP network is not canonical: '192.168.5.0/16'
10:30 < cwillu_at_work> urbanendeavour, have you read https://community.openvpn.net/openvpn/wiki/311-what-are-the-fundamental-differences-between-bridging-and-routing-in-terms-of-configuration?
10:30 <@vpnHelper> Title: 311-what-are-the-fundamental-differences-between-bridging-and-routing-in-terms-of-configuration – OpenVPN Community (at community.openvpn.net)
10:31 < urbanendeavour> I just need this working and fast. I thought it was all good until I found that I cannot copy any files.
10:31 < urbanendeavour> Surely this should work straight from the offset.
10:32 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
10:32 < cwillu_at_work> <include std-working-fast-free-choose-two-disclaimer>
10:33 < cwillu_at_work> urbanendeavour, myself, I'd start by connecting the vpn from within the same network segment, seeing if the problem still occurs, and moving outwards until it starts happening again
10:34 < cwillu_at_work> combined with very carefully and exhaustively reading the docs and examples, even of configurations you're not planning on using so you understand what the knobs are actually doing
10:34 < urbanendeavour> connect internally?
10:34 < urbanendeavour> everything appears to be working correctly I just am unable to copy large files.
10:35 < cwillu_at_work> i.e., plug the laptop into the same switch as the server, or similar
10:36 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Quit: Leaving]
10:38 < cwillu_at_work> heh
10:38 < cwillu_at_work> the line in the topic:  "Your problem is probably firewall, Really"
10:40 <@krzee> cwillu_at_work, we used to have to fight people to make them understand that it was their firewall (after figuring it out)
10:40 <@krzee> although now when i give advice and get arguments in return i /ignore
10:40 <@krzee> it makes my irc support experience much much nicer i must say =]
10:42 < rob0> I can't work as hard in IRC support because I have a $dayjob which pulls me away.  But yeah, I do the same, more or less.  I tell them something, they disregard it, I stop participating.
10:43 <@krzee> my $dayjob has gotten pretty boring, i scripted up most of it
10:43 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
10:43 < urbanendeavour> cwillu_at_work, thanks for your help, sorry had to restart as moving back to routing from bridge it refused to connect
10:43 <@krzee> but im not complaining ;]
10:44 < cwillu_at_work> krzee, yeah, I'm opped in a bunch of other channels, I know the drill :p
10:44 <@krzee> =]
10:45 < cwillu_at_work> <cwillu_at_work> heh
10:45 < cwillu_at_work> <cwillu_at_work> the line in the topic:  "Your problem is probably firewall, Really"
10:45 < cwillu_at_work> urbanendeavour, that's about all you missed that I had directed at you :)
10:45 < cwillu_at_work> (but that's basically what we're ruling out by doing this, assuming there isn't a relevant firewall on the server or client)
10:45 < urbanendeavour> ok I will do that now and check.
10:46 < cwillu_at_work> krzee, speaking of which, is there any recommendations for commercial support for openvpn deployments?
10:46 < cwillu_at_work> aside from the turn-key stuff I'm seeing on openvpn.net
10:47 < cwillu_at_work> (i.e., to point someone at when someone says "I just need this working, and I need it working now")
10:47  * cwillu_at_work nudges urbanendeavour gently :)
10:48 < urbanendeavour> cwillu_at_work, I am paying for commercial support and getting none so not sure why I am really.
10:48 < cwillu_at_work> heh
10:48 < cwillu_at_work> urbanendeavour, oh, and I might have screwed up my earlier suggestion:
10:48 < cwillu_at_work> fragment 1200 and mssfix on one sid
10:48 < cwillu_at_work> e
10:48 < cwillu_at_work> and just fragment 1200 on the other
10:49 < urbanendeavour> sorry what do you mean the other/
10:49 < cwillu_at_work> (but it needs to be specified on both sides, the same number)
10:49 < urbanendeavour> I am using remote access vpn.
10:49 < cwillu_at_work> client and server config
10:49 < urbanendeavour> how do i configure the client settings globally?
10:49 < cwillu_at_work> oh, I've got no idea about the turn-key stuff, sorry
10:49 < cwillu_at_work> I'm just a guy looking for help with a windows issue on my own vpn deployment
10:49 <@krzee> cwillu_at_work, not especially, although a few of us here have been willing to take on side jobs in the past
10:50 <@krzee> cwillu_at_work, there is access-server, which comes with commercial support, but that is the "aside from the turn-key stuff" you mentioned
10:50 < cwillu_at_work> yeah
10:50 <@krzee> cwillu_at_work, although you could hit up the AS support channel, corp might be willing to take contract jobs
10:50 <@krzee> !as
10:50 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
10:52 <@krzee>  <cwillu_at_work> fragment 1200 and mssfix    <---- you guys tested that those are needed first, right? i linked him to docs on how to test that before i ignored him
10:55 < cwillu_at_work> krzee, I came in after that, sorry
10:55 < cwillu_at_work> I was figuring to add it to test if it made the difference, but also to work locally to the vpn server
10:55 <@krzee> no problem, in case youd like to look:
10:55 <@krzee> !mtu
10:55 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:56 < cwillu_at_work> but I don't know that either thing will help given the third-party server
10:56 < cwillu_at_work> given that I have no experience with it
10:57 < cwillu_at_work> urbanendeavour, so, ping -c 1 -l 400 -f other-machine-on-the-vpn
10:57 -!- mode/#openvpn [+v cwillu_at_work] by krzee
10:58 <+cwillu_at_work> urbanendeavour, so, ping -c 1 -l 400 -f other-machine-on-the-vpn, and increase 400 to 1500 until it stops working
10:58  * cwillu_at_work feels very loud
10:58 <@krzee> gotta make sure they hear ya ;)
10:59 <+cwillu_at_work> krzee, vpn used to work on a windows client, stopped working all of a sudden; is it likely that it was originally run as administrator, but now the gui isn't being run as admin, and an easy solution would be to add the user to their local network operator admin group?
11:00 <@krzee> im not much of a windows user, but theres this:
11:00 <@krzee> !win_noadmin
11:00 <@vpnHelper> "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
11:00 < urbanendeavour> So 1400 is ok
11:00 <+cwillu_at_work> what about 1500?
11:00 < urbanendeavour> no
11:01 < urbanendeavour> gets fragmented
11:01 < urbanendeavour> can I set mtu on openvpn?
11:01 <+cwillu_at_work> what about 1450?
11:02 < urbanendeavour> 1472 is my max
11:02 <+cwillu_at_work> and you're pinging over the vpn, corrent?
11:02 <+cwillu_at_work> correct?
11:02 < urbanendeavour> yes
11:03 <+cwillu_at_work> k
11:03 <+cwillu_at_work> I'm back to suspecting a firewall issue
11:03 < urbanendeavour> same on the lanb
11:03 < urbanendeavour> lan
11:04 <+cwillu_at_work> aren't you connecting out to a third-party vpn provider though?
11:04 < urbanendeavour> no
11:04 -!- soulisson [~soulisson@unaffiliated/soulisson] has quit [Ping timeout: 272 seconds]
11:04 <+cwillu_at_work> does a copy work right now, over the vpn, but connecting via the lan?
11:05 < urbanendeavour> using openvpn client on windows to connect to the vmware appliance
11:05 < urbanendeavour> about to try
11:07 <+cwillu_at_work> krzee, thanks; good info
11:07 <@krzee> np
11:07 <+cwillu_at_work> any idea if the default manifest might have been already updated as mentioned in the link?
11:08  * cwillu_at_work expects a no, but asks anyway ;p
11:08 < urbanendeavour> it breaks locally also
11:08 -!- MadHatter42 [~tuwid@109.69.2.62] has quit [Read error: Connection reset by peer]
11:09 -!- MadHatter42 [~tuwid@109.69.2.62] has joined #openvpn
11:10 < urbanendeavour> cwillu_at_work, what do you suspect?
11:10 <@krzee> no idea ^
11:10 <+cwillu_at_work> krzee, thanks anyways
11:13 <@krzee> should be easy to check tho ;]
11:13 <+cwillu_at_work> given a windows machine, sure
11:13 <+cwillu_at_work> I don't have any of those though :p
11:13 <@krzee> time for me to leave for awhile, later =]
11:13 <@krzee> me neither :D
11:14 < urbanendeavour> cwillu_at_work, any ideas cwillu_at_work ?
11:14 < urbanendeavour> the transferred failed on the LAN using the VPN.
11:14 < urbanendeavour> and over the WAN using VPN.
11:14 <+cwillu_at_work> not really
11:14 <+cwillu_at_work> standard procedure would be to remove things until you get a working configuration
11:15 <+cwillu_at_work> or, starting from the other end, start with a barebones fresh machine / vm, confirm that it works, and add things until it breaks
11:16 < urbanendeavour> I am using the vmware appliance
11:16 <+cwillu_at_work> doesn't really change anything
11:17 -!- MadHatter42 [~tuwid@109.69.2.62] has quit [Ping timeout: 260 seconds]
11:18 -!- MadHatter42 [~tuwid@109.69.2.62] has joined #openvpn
11:21 < urbanendeavour> cwillu_at_work, I entered the local IP address for VPN and the copy was successful
11:21 < urbanendeavour> So perhaps it is the firewall
11:22 < urbanendeavour> I have noticed that I have to disconnect twice as the first time it does not disconnect.
11:24 < urbanendeavour> I have forwarded the three ports.
11:27 < urbanendeavour> If I configured the server for udp only it does not connect
11:27 -!- MadHatter42 [~tuwid@109.69.2.62] has quit [Read error: Connection reset by peer]
11:27 < urbanendeavour> I'm guessing it should work with only one ?
11:28 -!- MadHatter42 [~tuwid@109.69.2.62] has joined #openvpn
11:29 <+cwillu_at_work> should only require udp
11:30 < urbanendeavour> cwillu_at_work, it looks like only TCP works
11:30 <+cwillu_at_work> can  you pastebin your client config?
11:32 -!- MadHatter42 [~tuwid@109.69.2.62] has quit [Remote host closed the connection]
11:34 < urbanendeavour> where do i find that?
11:34 < urbanendeavour> i just installed it. did not do any configuring.
11:37 <+cwillu_at_work> so, where were you setting fragment and mssfix before?
11:41 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Read error: Connection reset by peer]
11:41 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
11:44 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
11:45 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
11:46 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:47 -!- pushpop [~pushpop@unaffiliated/pushpop] has joined #openvpn
11:55 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
12:03 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
12:07 < CygniX> ipv6 inside the tunnel is working fine, but can't get it working outside the tunnel. the instruction on this is not clear
12:07 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:07 < CygniX> I am using https://community.openvpn.net/openvpn/wiki/IPv6
12:07 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
12:18 < CygniX> here is what my server.conf looks like http://paste.opensuse.org/50a85194
12:21 < CygniX> ignore the the double server-ipv6 on line 17, corrected, not the issue
12:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-ewxeurxzybbwvitd] has joined #openvpn
12:29 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
12:30 -!- soulisson [~soulisson@unaffiliated/soulisson] has joined #openvpn
12:31 <@krzee> CygniX, i dont use ipv6 but ive seen others get support for the same thing
12:31 < soulisson> Hi, i've the following issue, any idea how to solve this problem please:  VERIFY ERROR: depth=0, error=certificate is not yet valid?
12:31 <@krzee> problem usually seems to be that the subnet was not properly routed to the user by the ISP, or the user is already using some of the subnet themselves.
12:32 < CygniX> krzee: I am a able to get it working inside the tunnel
12:32 <@krzee> if those are true, you may be able to get by with some ip6 NAT i think, although it makes me cringe just to say that
12:32 <@krzee> soulisson, correctly make your certificates after fixing the time on all involved machines (ca, client, server)
12:32 < CygniX> meaning if I connect via ipv4, i get ipv6 from the the openvpn server and it works fine
12:33 <@krzee> time/date ^
12:33 <@krzee> !time
12:33 <@vpnHelper> "time" is if you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
12:33 < CygniX> the issue I am having is, if I connect via ipv6, i am unable to reach out
12:33 < soulisson> Ok, thanks
12:34 <@krzee> CygniX, interesting… hopefully pekster or cron or someone else who uses ipv6 pops up and can help
12:34 <@krzee> since i dont, i can really only say what ive absorbed from seeing others get helped
12:36 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has quit []
12:38 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has joined #openvpn
12:38 -!- dazo is now known as dazo_afk
12:39 < CygniX> I am going to check my firewall configuration again
12:39 < CygniX> I use NAT to get it working inside the tunnel
12:44 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!]
12:51 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
12:59 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:05 <@ecrist> I'll be able to help later tonight.  I'm doing some specific project work with IPv6 right nwo
13:05 <@ecrist> now*
13:05 <+_FBi> ecrist, do you see any reason why I need to be voiced to talk here?
13:06 <@ecrist> what error do you get when you're not voiced?
13:06 <+_FBi> you'll need to unvoice me for a sec lol
13:07 -!- mode/#openvpn [-v _FBi] by ecrist
13:07 -!- mode/#openvpn [+v _FBi] by ecrist
13:07 <+_FBi> <_FBi> !ping
13:07 <+_FBi> * #openvpn :Cannot send to channel
13:12 <@ecrist> _FBi: I'm not sure
13:12 <@krzee> i dont get why ^
13:12 <@ecrist> maybe it has to do with your IRC client?
13:12 <@ecrist> even chanserv doesn't see anything funny
13:12 <@krzee> or your bouncer?
13:12 <@ecrist> foo
13:13 <@krzee> maybe connect to a webchat (over a vpn if you like) and auth to nickserv and test from there?
13:13 <@krzee> that'll rule out you.
13:22 <+cwillu_at_work> _FBi, where you previously known by FBi_?
13:22 <+cwillu_at_work> or some other nick with a trailing underscore?
13:23 <+cwillu_at_work> oh, nevermind
13:23 <+cwillu_at_work> it's the leading underscore
13:23 <+cwillu_at_work> * #openvpn q *_!*@* wilhelm.freenode.net 1410825243
13:23 <+cwillu_at_work> * #openvpn q _*!*@* wilhelm.freenode.net 1410825243
13:23 <+cwillu_at_work> ecrist, krzee ^
13:23 <@krzee> hah so it is
13:23  * ecrist looks
13:23 <@krzee> thanks man
13:23 <+cwillu_at_work> np
13:23 -!- mode/#openvpn [-q *_!*@*] by krzee
13:23 <+cwillu_at_work> procrastination can be a powerful force for problem solving :p
13:24 -!- mode/#openvpn [-q _*!*@*] by krzee
13:24 <@ecrist> ahhh, I wasn't looking at the quiet list
13:24 <+_FBi> I couldn't see the in the ban window list :/
13:24 -!- mode/#openvpn [-v _FBi] by krzee
13:24 < _FBi> :o
13:24 <+cwillu_at_work> /mode +q
13:24 <@krzee> _FBi, test
13:24 < _FBi> lol
13:24 <@krzee> nice!
13:24 < _FBi> !ping !ping !ping
13:24 <+cwillu_at_work> wasn't remotely the first thing I checked either :p
13:24 <@vpnHelper> pong
13:24 -!- mode/#openvpn [+v _FBi] by krzee
13:24 <@ecrist> I'm surprised chanserv didn't figurei it out with the why command
13:25 <@krzee> well we just got 8 more users here
13:25 <+_FBi> lol
13:25 <@krzee> not counting _FBi since he was the squeaky wheel that got voiced ;]
13:25 <+_FBi> squeak squeak
13:25 <+_FBi> lol
13:26 <+_FBi> any of you heard of the company edis.at
13:26 -!- mode/#openvpn [+v dvl] by krzee
13:26 <+cwillu_at_work> I'
13:26 <+cwillu_at_work> hate my enter key
13:26 <+cwillu_at_work> I'm tempted to ping the relevant _*_'s
13:26 <@krzee> lol ecrist look at the +q list
13:26 <+_FBi> I was oping to buy a server from them, then during check out they tacked on a 2 euro charge -- unexplained
13:27 <@ecrist> cwillu_at_work: feel free
13:27 <+cwillu_at_work> _0x5eb_, _bt, _KaszpiR_, u0m3__, ub1quit33_, james41382_, jareth_, lev__, pradeepc_, hold your tongues no longer, you shall not be ignored!
13:27 <@ecrist> ah, that person has complained.  I haven't looked into it
13:27  * ecrist leaves it
13:27 <+cwillu_at_work> *!*@gateway/web/* and Guest*!*@* may be troublesome yet
13:28 <+cwillu_at_work> might be better to just +b them with a punt to a different channel to explain the issue
13:28 <@krzee> *shrug* no objection from me
13:28 <@ecrist> cwillu_at_work: the gateway/web has a +b
13:29 <+cwillu_at_work> then it doesn't need a +q :p\
13:29 <+cwillu_at_work> not to tell you how to run your channel, of course :p
13:30 <+cwillu_at_work> _FBi, quite the /version string you have though :)
13:30 <@krzee> well you did find _FBi's problem and all, so i certainly wont be dismissing automatically, but a +q matching a +b doesnt especially bother me, i wouldnt mind a few more +noweb flags too
13:30 <@krzee> haha
13:30 <+cwillu_at_work> fair enough
13:31 <+_FBi> cwillu_at_work, ping fbi.gov ;)  they use to match up lol
13:31 <+cwillu_at_work> although the identified user thing should be sufficient
13:31 <+cwillu_at_work> how many web-only users have registered nicks?
13:31 <+cwillu_at_work> ah, I see
13:31 <+cwillu_at_work> yep, still matches
13:32 <+_FBi> lol :)
13:32 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:32  * ecrist considers zeroing ban, quiet, akick lists
13:33 <@krzee> werd, mind if i reset the webchat ban after? :-p
13:33  * cwillu_at_work restates his point about identified users
13:33 <@krzee> cwillu_at_work, when i identify from webchat i join no problem
13:34 <+cwillu_at_work> krzee, hmm, you shouldn't be able to based on the /mdoe list
13:34 <@krzee> you get your host
13:34 <@krzee> when you identify
13:34 <+cwillu_at_work> oh, yeah
13:34 <+cwillu_at_work> but not everyone uses a hostmask
13:34 -!- mode/#openvpn [-bbbb *!*@unaffiliated/han $a:vitilitigate $a:vaillor *!*@gateway/web/freenode/*] by ecrist
13:34 -!- mode/#openvpn [-bb *!*@rrcs-70-63-10-98.central.biz.rr.com *!*Liber@liber.in] by ecrist
13:34 <@krzee> banned!
13:34 <+cwillu_at_work> for instance, I don't use one :p
13:34 <@krzee> want one?
13:34 <+cwillu_at_work> not really :p
13:34 -!- mode/#openvpn [-bbbb *!*@pdpc/supporter/monthlybronze/synapt *!*@46.19.137.78 *!*@5.153.234.* *!*fuck*@*] by ecrist
13:34 <@krzee> k
13:34 -!- mode/#openvpn [-bbbb backz!*@* *!*@gateway/web/* *!*@37.235.53.237 *!*@unaffiliated/ndak] by ecrist
13:35 <+cwillu_at_work> I usually have my reverse dns set up to show cwillu@cwillu.com
13:35 <+cwillu_at_work> but I don't have ipv6 records, and I'm proxied through a host that has ipv6 access to freenode
13:36 -!- mode/#openvpn [-qqq $a:darkpriest JoeyJoeJo!*@* $a:tortib] by ecrist
13:36 -!- mode/#openvpn [-qq *!*@crius.pantheon.fused.net *!*@c-76-111-137-31.hsd1.de.comcast.net] by ecrist
13:37 -!- mode/#openvpn [+b *!*@gateway/web/*] by krzee
13:37  * cwillu_at_work curses :p
13:37 -!- mode/#openvpn [-v cwillu_at_work] by ecrist
13:37 <@ecrist> :P
13:37  * cwillu_at_work curses more quietly
13:37 <@krzee> lol
13:38 <@ecrist> lol
13:38 <@krzee> we had webchat -b for years, it literally never led to a single person who knew how to operate their computer or irc that i can remember
13:38 <@krzee> as i recall we finally went +b after i had them on ignore and later found that everybody felt the same about them
13:39 < cwillu_at_work> sure, but I'd imagine that the identified user ban came after that
13:39 < cwillu_at_work> because if you can't work your computer, you definitely can't work nickserv
13:40 <@krzee> banning identified happens time to time when people ban evade etc
13:42 < rob0> unidentified?
13:42 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
13:43 <@krzee> lol yes
13:43 <@krzee> :x
13:44 -ChanServ:#openvpn- ecrist set flags -b on CoolGurl13!*@*.
13:44 -!- mode/#openvpn [-vv dvl _FBi] by ChanServ
13:44 -ChanServ:#openvpn- ecrist set flags -b on *!*Liber@liber.in.
13:44 -ChanServ:#openvpn- ecrist set flags -b on *!*@unaffiliated/l0uis.
13:44 -ChanServ:#openvpn- ecrist set flags -b on *!*@2.29.141.*.
13:45 -ChanServ:#openvpn- ecrist set flags -b on pants!*@*.
13:45 -ChanServ:#openvpn- ecrist set flags -b on *!*@dumbhead.net.
13:45 -ChanServ:#openvpn- ecrist set flags -b on *!*@fedcirc.net.
13:45 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
13:45 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
13:45 -ChanServ:#openvpn- ecrist set flags -b on *!*mis7er@*.ock.in.
13:45 <@krzee> pants!*@* oh god i remember that one
13:46 < deranged_user> I was like
13:46 < deranged_user> why the fuck is my client beeping
13:46 < deranged_user> and it was you butts
13:46 -ChanServ:#openvpn- ecrist set flags -b on *!*lol2@*.ip179.fastwebnet.it.
13:46 < deranged_user> STAP
13:46 < deranged_user> UR MAKIN ME BOOP >:V
13:46 -ChanServ:#openvpn- ecrist set flags -b on *!*Rhomber@*.static.tpgi.com.au.
13:46 <@krzee> lol
13:46 < deranged_user> >:|
13:46 <@krzee> fall cleaning
13:46 -!- Anodl [~Anodl@p5DC5A78A.dip0.t-ipconnect.de] has joined #openvpn
13:46 <@krzee> it'll be over soon
13:46 -!- deranged_user was kicked from #openvpn by ecrist [no more boop]
13:47 < cwillu_at_work> deranged_user, if your client pings you on channel notifies, you should turn that off
13:47 <@krzee> !friday
13:47 <@vpnHelper> "friday" is It's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully.
13:47 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
13:47 < deranged_user> >:(
13:47  * deranged_user rawr
13:47 < cwillu_at_work> deranged_user, if your client pings you on channel notifies, you should turn that off
13:47 -ChanServ:#openvpn- ecrist set flags -b on *!*brads@*.members.linode.com.
13:47 <@krzee> oops you were still gone
13:47 <@krzee> !friday
13:47 <@vpnHelper> "friday" is It's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully.
13:47 -ChanServ:#openvpn- ecrist set flags -b on *!*tortib@*.ph.ph.cox.net.
13:47 < deranged_user> cwillu_at_work: I should, I should also switch over this client to weechat
13:47 -ChanServ:#openvpn- ecrist set flags -b on *!09dkqaz32@2001:470:d:1eb:*.
13:47 < deranged_user> still using irssi here
13:47 -!- Anodl [~Anodl@p5DC5A78A.dip0.t-ipconnect.de] has left #openvpn []
13:47 -ChanServ:#openvpn- ecrist set flags -b on *!*Zimsky@rozznet.net.
13:48 -ChanServ:#openvpn- ecrist set flags -b on *!*@gateway/web/freenode/*.
13:48 -ChanServ:#openvpn- ecrist set flags -b on *!*@31-151-115-29.dynamic.upc.nl.
13:48 <@krzee> lol i think we scared off anod1
13:48 -ChanServ:#openvpn- ecrist set flags -b on *!*@176.67.84.12.
13:48 -ChanServ:#openvpn- ecrist set flags -b on *!massivedi@*.
13:49 -ChanServ:#openvpn- ecrist set flags -b on *!*@209.124.51.200.
13:49 -ChanServ:#openvpn- ecrist set flags -b on *!*@static.88-198-57-152.clients.your-server.de.
13:49 < cwillu_at_work> deranged_user, beep_msg_level
13:49 < cwillu_at_work> kill NOTICES or whatever
13:49 -ChanServ:#openvpn- ecrist set flags -b on baitnfatty.
13:49 -ChanServ:#openvpn- ecrist set flags -b on *!uid22146@gateway/web/irccloud.com/*.
13:49 < deranged_user> aah
13:49 < deranged_user> cheers
13:49 < cwillu_at_work> what was that about people not knowing how to use their irc clients? :p
13:50 < deranged_user> I don't like irssi
13:50 <@ecrist> the following remain:  *!root@*  *rommel*!*@* and *!*@unaffiliated/ivenkys
13:50 < deranged_user> trying to migrate away from
13:50 < cwillu_at_work> nobody does
13:50 < deranged_user> but got my odd weird connections still on irssi
13:50 < deranged_user> not sure why freenode falls under that
13:51 <@ecrist> lol @ !friday
13:51 <@ecrist> I could have turned off chanserv notices for the time
13:51 <@krzee> totally, you wrote that or did someone else?
13:52 <@ecrist> was not me
13:52 <@ecrist> but it's fitting
13:52 <@krzee> lol lol
13:52 <@krzee> i totally assumed it was your warning, i saw it while browsing the factoids one day
13:52 <@krzee> was waiting for the chance to bust it out
13:53 <@ecrist> that's an old factoid even
13:54 <@ecrist> it's not in my current log file, and that starts Jan1 , 2013
13:56 <@ecrist> it *was* added by me.  Firday, July 6, 2012
14:05 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
14:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:27 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
14:41 -!- pqatsi [~leonardo@unaffiliated/leleobhz] has joined #openvpn
14:42 <@krzee> friendly reminder, the free stanford law class on surveilance law starts in 3 days
14:42 <@krzee> https://surveillancelaw.org/
14:42 <@vpnHelper> Title: Surveillance Law (at surveillancelaw.org)
14:48 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
14:49 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:56 < pqatsi> Conceptual question: OpenVPN when using HMAC + UDP can receive packets from any IP address but i can listen from any IP too?
14:56 < pqatsi> In a multi-wan scenario + listen in 0.0.0.0
14:59 <@krzee> just dont use --local
15:00 < pqatsi> and same HMAC scenario?
15:00 <@krzee> and you'll want --multihome
15:00 <@krzee> !hmac
15:00 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
15:00 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
15:00 <@krzee> the hmac is unrelated to what you're asking, or i dont understand the question
15:01 < Joe-T> if I run openvpn normally, I can't ping with ping -I eth0, it gets stuck, and vice versa if I change the default route with ip route to what it was
15:01 < pqatsi> krzee: tls-auth does not provide per-packet authentication and allow the IP changes from botch sides?
15:01 < pqatsi> *both
15:01 <@krzee> Joe-T,
15:01 < Joe-T> it gets stuck with ping -I tun0, what am I meant to do do have both an eth0 (default) and a tun0 for programs to use?
15:01 <@krzee> !goal
15:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:02 <@krzee> pqatsi, hmac has nothing to do with ip
15:02 < Joe-T> to have everything going through eth0, accept one application to go through the vpn
15:02 < pqatsi> krzee: so what provides per-packet authentication? May i understood wrong
15:02 < Joe-T> transmission supports interfaces, afaik, so I can just set that to use tun0
15:02 <@krzee> pqatsi, it does, via cryptographic signature from the file, nothing to do with IP address.
15:03 <@krzee> Joe-T, routing tables dont really work by application
15:03 <@krzee> so, does that aplication only contact a certain subnet?
15:05 < Joe-T> I have no idea about subnets tbh, but transmission has an interface option to use tun0, like ping can use -I I think
15:05 < pqatsi> krzee: so in any config, openvpn does not cares about what IP address is delivering or receiving the packet
15:05 <@krzee> Joe-T, thats not how it works.
15:05 < Joe-T> oh
15:05 <@krzee> it works by routing tables
15:05 <@krzee> i mean sure ping does have an -I command
15:06 <@krzee> but thats not your real question
15:06 <@krzee> heres how i accomplished what you are saying:
15:06 <@krzee> !routebyapp
15:06 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
15:06 <@vpnHelper> policies you set. For Linux, read about !lartc
15:06 < Joe-T> thanks
15:07 < Joe-T> !lartc
15:07 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
15:41 -!- Pip0 [~quassel@node85.seg97.ucf.edu] has joined #openvpn
15:59 < pqatsi> OpenVPN foreach 2 minutes looses conectivity here and i need to reconnect, what can it be?
15:59 <@krzee> pqatsi, you getting a message in the server about a new connection killing an old one?
16:00 <@krzee> you probably have 2 clients with the same cert, or openvpn running 2x
16:00 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 260 seconds]
16:00 <@krzee> (same cert or common-name)
16:00 -!- mattock is now known as mattock_afk
16:04 < pqatsi> krzee: just 2 lines:
16:04 < pqatsi> Oct 10 18:00:21 dora ovpn-MyConf[13316]: Initialization Sequence Completed
16:04 < pqatsi> Oct 10 18:02:22 dora ovpn-MyConf[13316]: [<hidden-host>] Inactivity timeout (--ping-restart), restarting
16:05 <@krzee> whats your keepalive set to?
16:05 < pqatsi> 10 60
16:05 <@krzee> set to verb 5 and tell me if you get RWRWRWRW
16:06 < pqatsi> Also im seeing if my other notebook is opening a connection. a bit.
16:06 <@krzee> also after you connect can you ping the vpn server?
16:07 < pqatsi> yeap
16:08 < pqatsi> i did a remote shutdown in my other notebook. Dunno if my fault to let it on and if vpn was connecting
16:17 -!- Latrina [~Latrina@ppp-124-53.26-151.libero.it] has quit [Ping timeout: 245 seconds]
16:18 -!- Latrina [~Latrina@ppp-120-26.26-151.libero.it] has joined #openvpn
16:24 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
16:25 -!- mihok [~mihok@CPE6c198f9b60bf-CM00222d76471d.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
16:25 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
16:28 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 250 seconds]
16:30 -!- Pip0 [~quassel@node85.seg97.ucf.edu] has quit [Ping timeout: 244 seconds]
16:35 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:00 -!- soulisson [~soulisson@unaffiliated/soulisson] has quit [Ping timeout: 260 seconds]
17:07 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
17:17 -!- lukimya [~Lukimya@178.162.199.143] has quit [Ping timeout: 250 seconds]
17:21 -!- pqatsi [~leonardo@unaffiliated/leleobhz] has quit [Quit: leaving]
17:32 -!- dxirinac [~dxirinac@200.122.139.69] has joined #openvpn
17:33 < dxirinac> hi guys! quick question, how can I regenarate a client cert bundle with the same name?
17:33 < dxirinac> I am getting failed to update database TXT_DB error number 2
17:37 < dxirinac> do I need to just remove the files and the entry on index.txt?
17:42 -!- soulisson [~soulisson@unaffiliated/soulisson] has joined #openvpn
17:44 < soulisson> Hi, i'm running openvpn version 2.3.2 under Ubuntu 14.04.1 but when i try to establish the tunnel o get the following error: http://pastebin.com/fm2kLzwc
17:44 < soulisson> Any help would be greatly appreciated
17:46 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
17:47 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
18:41 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:42 -!- dxirinac [~dxirinac@200.122.139.69] has quit [Quit: Leaving]
19:41 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
19:41 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
19:43 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Client Quit]
19:54 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
20:22 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
21:31 -!- soulisson [~soulisson@unaffiliated/soulisson] has quit [Remote host closed the connection]
21:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:39 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
23:07 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
23:32 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:39 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
23:46 -!- ShadniX [dagger@p5DDFF8CA.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:47 -!- ShadniX [dagger@p5DDFDED0.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Oct 11 2014
01:15 < ValdikSS> By the way, why recvbuf and sndbuf are default to 64K? Sometimes, it is very speed limiting. I suppose, OpenVPN should either use system values or increase defaults
01:26 -!- mattock_afk is now known as mattock
01:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
01:52 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:54 -!- lbft [~lbft@unaffiliated/lbft] has quit [Quit: Bye]
01:57 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
03:07 -!- Envil [~meep@95.211.26.40] has joined #openvpn
03:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:50 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
04:52 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 260 seconds]
05:01 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:03 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
05:07 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
05:09 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 245 seconds]
05:22 -!- gallatin [~gallatin@dslb-178-009-099-098.178.009.pools.vodafone-ip.de] has joined #openvpn
05:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
05:59 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
06:00 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:27 -!- mode/#openvpn [+v s7r] by ChanServ
07:06 -!- u0m3 [~u0m3@92.80.124.118] has joined #openvpn
07:08 -!- u0m3__ [~u0m3@92.80.114.210] has quit [Ping timeout: 258 seconds]
07:15 -!- gallatin [~gallatin@dslb-178-009-099-098.178.009.pools.vodafone-ip.de] has quit [Ping timeout: 245 seconds]
07:50 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
07:52 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
08:16 -!- cheesenbiscuts [~cheesenbi@182.27.50.60.kmr03-home.tm.net.my] has joined #openvpn
08:16 < cheesenbiscuts> Hi everybody
08:16 < cheesenbiscuts> I've got a curly question for you guys...
08:17 < cheesenbiscuts> I think it's a dns related issue...
08:18 < cheesenbiscuts> When I tether my iphone to my laptop and run openvpn and connect to my dd-wrt openvpn server, It connects fine and I have internet access. but...
08:19 < cheesenbiscuts> When I connect with only my iPhone using Guizmovpn and use another app to ping google.com, I get no response.
08:19 < cheesenbiscuts> but... if I ping to google dns (8.8.8.8) works fine.
08:19 < cheesenbiscuts> Any ideas?
08:22 <@krzee> sounds like a question for the other app people
08:22 <@krzee> i mean you said that openvpn works fine, and some other app based on openvpn does not
08:22 < cheesenbiscuts> the app works when I use another config from a commerical openvpn server provider
08:23 <@krzee> but i have no intention on troubleshooting some company's bastardized version of openvpn
08:23 <@krzee> why not use openvpn connect on ios?
08:24 < cheesenbiscuts> This is the jailbroken version, with full access as I understand it.
08:26 <@krzee> why do you need "the jailbroken version"?
08:26 < cheesenbiscuts> What I'd really like to know is if I should be adding an additional line in my config, such as: push "dhcp-option DNS 10.10.49.1" to push dns as currently I'm only using: push "redirect-gateway def1"
08:26 <@krzee> i dont know if ios supports it, but why havnt you tried it?
08:27 <@krzee> also, you could simply change dns to 8.8.8.8 and not worry about it
08:27 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 272 seconds]
08:28 < cheesenbiscuts> When I initally was using openvpn on ios, it wasn't available from the app store. only after jailbreaking.
08:28 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
08:28 < pythonsnake> hi
08:28 < pythonsnake> I am setting up my first openvpn server
08:28 < pythonsnake> I can ping the openvpn server from client
08:29 < pythonsnake> but accessing other ips fails
08:29 < pythonsnake> should I post config files?
08:30 < cheesenbiscuts> to pastebin pythonsnake would be a good idea.
08:30 < pythonsnake> cheesenbiscuts: server and client ok
08:30 < pythonsnake> cheesenbiscuts: http://pastie.org/private/cfv37fxppsu3fd4mxkjxq
08:30 < cheesenbiscuts> what os are these?
08:31 < pythonsnake> client win8.1
08:31 < pythonsnake> server deb 7
08:31 < pythonsnake> http://pastie.org/private/dzvxzd9qstmnkuxciemhsg
08:45 <@krzee> !ipp
08:45 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
08:46 <@krzee> on your client config, please paste it without the 100 lines of comments
08:46 < cheesenbiscuts> (remove all the text with a # infront of it pythonsnake)
08:47 <@krzee> those configs should not work together at all.
08:47 <@krzee> the cipher does not even match
08:48 < cheesenbiscuts> :/
08:48 <@krzee> server on 3des client on blowfish
08:48 <@krzee> from what i can tell, its not easy ignoring 100 lines of useless comments
08:48 < cheesenbiscuts> I wonder if it can be done with notepad++
08:49 <@krzee> also windows paths should be quoted
08:49 <@krzee> although he may have gotten lucky there
08:50 <@krzee> once hes done with that stuff...
08:50 <@krzee> !redirect
08:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:50 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
08:50 <@krzee> follow the flowchart ^^
08:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
08:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:54 < cheesenbiscuts> !pushdns
08:54 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
08:56 < cheesenbiscuts> hey krzee, that first link: ircpimp.org doesn't work.
08:56 <@krzee> so use the second one
08:57 <@krzee>  (thats why theres 2...)
08:57 < cheesenbiscuts> haha, the diagram tells me what I already knew... dns problem.
08:59 <@krzee> well it was for pythonsnake
08:59 <@krzee> :-p
09:01 <@krzee> as for your problem, im still wondering why you arent asking the people who support the app you are using
09:01 <@krzee> "Guizmovpn" you called it
09:02 < cheesenbiscuts> pythonsnake client config without the extra rubbish: http://pastie.org/9639882
09:03 <@krzee> "New Relic" ?
09:03 < cheesenbiscuts> I could but I belive it's a configuration setting of my openvpn dd-wrt server or the client config.
09:03 <@krzee> but it works on the other stuff. not a problem with your server or config
09:04 < cheesenbiscuts> no, it works with a commercial openvpn service provider.
09:04 < cheesenbiscuts> using thier config.
09:04 <@krzee> you said it works on ios connect, the problem is with "Guizmovpn"
09:04 <@krzee> and that "Guizmovpn" works with a commercial service provider, no?
09:04 < cheesenbiscuts> I'll try and explain it another way...
09:05 <@krzee> how about this
09:05 <@krzee> answer these yes or no:
09:05 <@krzee> does ios connect work with your server?
09:06 < cheesenbiscuts> What is ios connect?
09:06 <@krzee> seriously?
09:06 <@krzee> the app in ios named openvpn connect
09:07 <@krzee> you know… the official openvpn for ios
09:07 < cheesenbiscuts> oh, that's made by guizmovpn i'm pretty sure.
09:07 <@krzee> the app WE support
09:07 <@krzee> so you havnt even tried the official openvpn app?
09:08 <@krzee> see, i misunderstood this:
09:08 <@krzee> cheesenbiscuts> When I tether my iphone to my laptop and run openvpn and connect to my dd-wrt openvpn server, It connects fine
09:08 < cheesenbiscuts> no... as when I started using openvpn on ios there wasn't an offical app...
09:08 <@krzee> cause you said you run openvpn
09:08 <@krzee> well theres been an official app for years now
09:08 <@krzee> !ios
09:08 <@krzee> !iphone
09:08 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
09:08 <@krzee> !connect
09:08 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
09:08 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
09:09 < cheesenbiscuts> O.K. I'll check out the app and report back.
09:11 < cheesenbiscuts> Guizmovpn was first released in 2010.
09:11 <@krzee> cool, but they never came here to support it… that was done by them elsewhere
09:13 <@krzee> now, as for the dns thing
09:13 <@krzee> i have no idea if its supported by EITHER app in ios
09:13 < cheesenbiscuts> :/
09:13 <@krzee> so test it on yours, test it on ours if that doesnt work, or do what i said 40min ago and just set the os to 8.8.8.8 and it wont even matter
09:14 < cheesenbiscuts> will do.
09:15 <@krzee> the reason why dns broke when you redirect is because your ISP dns server does not like you coming from the vpn IP
09:15 < rob0> good for them :)
09:16 < rob0> we see way too many ISPs running open resolvers :(
09:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
09:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:16 -!- mode/#openvpn [+v s7r] by ChanServ
09:16 <@krzee> it refuses to do recursive queries for random IPs, because that is a way to be used as a ddos amplification relay
09:16 <@krzee> rob0, totally.
09:16 < cheesenbiscuts> OIC...
09:17 < cheesenbiscuts> so... couldn't I push 8.8.8.8 and not worry about it?
09:17 <@krzee> <krzee> i have no idea if its supported by EITHER app in ios
09:17 <@krzee> krzee> so test it on yours, test it on ours if that doesnt work, or do what i said 40min ago and just set the os to 8.8.8.8 and it wont even matter
09:17 < rob0> that's what was suggested
09:18 <@krzee> you see, normally in unix you must run a script to accept pushed dns
09:18 <@krzee> so if gizmodo does that, then it may work there
09:18 <@krzee> ios connect uses the ios VPN API
09:18 <@krzee> so if they have a hook for changing dns, it may work there
09:19 <@krzee> i personally hate iphones and ios in general… so i dont know if its supported by either
09:19 <@krzee> but i do know that if it is not, you can still just change DNS yourself, and it will work in both situations.
09:19 <@krzee> (just change it back when at an airport or hotel and not seeing the captive portal)
09:20 < rob0> A proper captive portal would just redirect all DNS into their own nameserver.
09:20 <@krzee> notice the word proper
09:20 <@krzee> that word is a mofo
09:21 < rob0> :)
09:22 < rob0> DNSSEC defeats (or is defeated by, depending on perspective) DNS redirection.
09:22 <@krzee> reminds me i need to configure my dns tunnel before my next vacation
09:22 <@krzee> i keep forgetting
09:25 < cheesenbiscuts> The config using the openvpn app works.
09:25 < cheesenbiscuts> I'll just make sure it's not cached my dns requests...
09:27 < cheesenbiscuts> looks alright.
09:29 <@krzee> cool
09:29 < cheesenbiscuts> Thanks for the help krezee.
09:29 <@krzee> no problem
09:30 < jeev> https://secure.newegg.com/NewMyAccount/Membership.aspx <- does this work for you guys in firefox? cert is coming back as untrusted... maybe intermediate is missing
09:31 <@vpnHelper> Title: Newegg.com Account Login Page (at secure.newegg.com)
09:33 <@krzee> secure.newegg.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided.
09:34 < jeev> hmm
09:36 -!- joat [~freenode@ip70-160-158-40.hr.hr.cox.net] has quit [Remote host closed the connection]
09:38 < jeev> so krzee
09:38 <@krzee> so jeev
09:38 < jeev> this potential client uses a stupid company's fiber
09:38 < jeev> so stupid company has some cogent.
09:38 < jeev> i'm trying to get the acc converted to a 1000mbit ptp but it'll probably be very expensive
09:38 <@krzee> ok, $client and $stupid, got it
09:39 < jeev> i forgot i could tunnel it through a good connection
09:39 < jeev> if i cant ptp, i'm about 10 seconds away
09:39 < jeev> 10ms
09:39 < jeev> cogent has some packet loss sometimes ;)
09:39 <@krzee> sure, you can make your own ptp
09:40 < jeev> yea, i wanted the real deal though, i might get dark fiber
09:40 < jeev> but i still need a contract with them for IT services
09:40 < jeev> they're being stingy
09:40 < jeev> keep having me quote a ton of stuff, then uh.. no mention of how much i get.
09:40 < jeev> finally sent them an email of how much i want and now they're quiet.
09:45 <@krzee> at $job i go the other direction, i save us $ whereever possible and never get denied things i want
09:48 < cheesenbiscuts> always tell the person you're doing the job for, it'll take [time] X 2, that way when you finnish early, you'll look awesome and if it's a pain in the ass, you'll have time to spare.
09:51 < jeev> krzee, this is just a potential client..
09:51 < jeev> it's not my job, i have 50+ clients.
09:54 <@krzee> oh its that big client you were talking about?
09:54 <@krzee> (i think that was you...)
09:54 < jeev> yea
09:55 < jeev> it's not that they got quiet after the money necessarily, it's that they got "busy" but are in a "rush" for what they need
09:55 < jeev> they had the audacity to get mad about some wires hanging in the server room...
09:55 < jeev> i said "these are my equipment to make you functional, why would i clean it up if i have no idea i'm hired?"
09:56 < jeev> my issue is that i'm working with the business development guy, he's a great guy... he just is not technical, the owner is.. but he's too busy to talk, even though he's there.
09:56 < jeev> and he's the one who got mad, i at that point knew, every communication, costs.. and this and that was not forwarded to him.
09:56 < jeev> or else he would never have gotten pissed about a few other things, his response was "i never said no" heh
09:57 < jeev> anyway man, i don't need the job, i'd love it though. it's extremely nearby and they are truly good people.
09:57 < jeev> i just dont like my time being wasted and disrespected.. to sit and wait
09:57 <@krzee> sounds like a headache of a place to work for
09:57 <@krzee> i usually dont bother with those
09:57 < jeev> you know what, it may be.. the headache that referred me has been good since he gave me some issues.
09:58 < jeev> krzee, they'll be a billion dollar business in the next 5 years.
09:58 <@krzee> that could sway my decision ;]
09:58 < jeev> although i tell myself, they'll have A LOT of employees, can i handle this.. with all my other workload? we'll have to see.
09:58 < jeev> i'm hoping to start phase 1 which is the main, second phase is 5 times bigger
09:59 <@krzee> or <voice= godfather> do they make you an offer you cant refuse </voice>
09:59 <@krzee> one day
09:59 < jeev> heh yea well i gave them a fluffed price retainer, take it or leave it, i don't care.
10:00 -!- lord4163 [~lord4163@81-232-61-81-no226.tbcn.telia.com] has joined #openvpn
10:02 < jeev> krzee, did a live chat to tell the newegg guy that the web team needs to look at the cert
10:02 < jeev> he said please enable cookies
10:03 <@krzee> lol
10:03 <@krzee> lol
10:03 <@krzee> nice
10:03 < Komplanar> I've tested and tried since more than three days to do the following: to create a network interface (like tun0) on the client, to which I can bind some programs, but let the other traffic untouched. Is this even possible? Or am I just stupid?
10:04 <@krzee> !routebyapp
10:04 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
10:04 <@vpnHelper> policies you set. For Linux, read about !lartc
10:04 <@krzee> otherwise, routes reach the internet according to the routing table.
10:05 <@krzee> s/routes/apps/
10:06 < Komplanar> but openvpn creates on the client a tun0 network interface, can you use it directly?
10:06 < lord4163> Hello
10:06 < Komplanar> socks etc isnt usefull in this case, since I want to tunnel outgoing traffic, too
10:07 < Komplanar> portforwading
10:07 < lord4163> Trying to setup openvpn, I can connect to the openvpn server, but it doesn't connect to the internet, or well I think it's the DNS which doesn't work, I can ping 8.8.8.8. DNS is set to 8.8.8.8
10:07 < lord4163> Any ideas what could be wrong?
10:08 < Komplanar> which works perfectly, if openvpn alters the routes on the client to tunnel all traffic, but I want only two apps to use the specific interface (they let you choose the network interface they listen on, e.g. eth0 or eth1)
10:09 < Komplanar> so no socks with tsocks or proxifer needed
10:09 < pythonsnake> sorry I'm back
10:09 <@krzee> Komplanar, then try it. i suspect they will route according to your routing table since thats generally how things work. but go for it
10:10 <@krzee> lord4163,
10:10 <@krzee> !redirect
10:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
10:10 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
10:10 <@krzee> see the flowchart ^
10:11 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:11 < lord4163> krzee: this is my openvpn.conf http://paste.kde.org/ptethwcwt
10:12 < lord4163> !nat
10:12 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
10:15 <@krzee> push "route $dropletip 255.255.192.0"
10:15 <@krzee> lol
10:15 <@krzee> !linnat
10:15 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:15 <@krzee> openvpn doesnt know what $dropletip is by the way
10:16 < pythonsnake> hey so
10:16 < pythonsnake> my vpn works
10:16 < pythonsnake> fixed with the cipher
10:16 < pythonsnake> I can ping google.com
10:16 < lord4163> krzee: it's just hidden in the paste ;)
10:16 < pythonsnake> but when I try to access it on chrome
10:16 < pythonsnake> it's really really slow
10:16 <@krzee> !speed
10:16 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
10:16 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
10:16 < pythonsnake> and ends up with Error code: ERR_TIMED_OUT
10:17 <@krzee> lord4163, well, whats the point of that route when already redirecting default over that same gateway?
10:18 < lord4163> krzee: Uh it should be 255.255.255.0?
10:18 <@krzee> unless the os already have a less specific route for a subnet that the route is inside, of course
10:18 <@krzee> lord4163, how would i know, i dont even know wtf it is
10:18 <@krzee> but you're already making a route for DEFAULT to go over the vpn
10:18 < pythonsnake> krzee: cpu and ram is plenty
10:19 <@krzee> so that route is likely just nothing
10:19 <@krzee> pythonsnake, did you check or you just saying that cause of whats in the box?
10:19 <@krzee> also, the bot says a TON of things to check
10:19 <@krzee> so you dont need to tell me the results of each thing as  you go
10:19 < lord4163> krzee: I should remove that line you say?
10:20 <@krzee> lord4163, i dont know, i asked why it exists and so far it sounds like you dont know...
10:20 <@krzee> it *could* have a valid reason
10:20 < pythonsnake> krzee: can ping but times out on browser = speed problem?
10:20 < lord4163> krzee: I don't have one I guess.
10:20 <@krzee> i dont know what your routing table looks like, and i dont even know what the subnet IS, you obfuscated your config and now it seems like you dont even know what the line you obfuscated DOES
10:21 <@krzee> you said it was slow, did you not?
10:21 <@krzee>   <pythonsnake> it's really really slow
10:21 <@krzee> try testing your mtu stuff
10:21 <@krzee> !mtu
10:21 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:21 <@krzee> also, try EVERYTHING the bot gave you to look at
10:21 <@krzee> mtu was one of them
10:22 < pythonsnake> sorry I mean it slowly tries to load before timing out *
10:22 <@krzee> !read
10:22 <@vpnHelper> "read" is <krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
10:22 < lord4163> krzee: I will, gotta eat now first :)
10:22 <@krzee> lord4163, that stuff ^was for pythonsnake
10:23 <@krzee> as for you lord4163, do not obfuscate your configs when you dont know what your configs actually do
10:23 <@krzee> !topsecret
10:23 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
10:23 <@krzee> if you had been able to answer why that line was there, i would not have minded
10:24 <@krzee> also:
10:24 <@krzee> !linnat
10:24 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
10:24 <@krzee> !linipforward
10:24 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:24 <@krzee> those may help
10:31 < pythonsnake> krzee: awesomeness, thank you very much
10:33 <@krzee> yw
10:50 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
11:28 < pythonsnake> krzee: is there a way to use openvpn only for specific windows applications?
11:29 <@krzee> !routebyapp
11:29 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
11:29 <@vpnHelper> policies you set. For Linux, read about !lartc
11:29 <@krzee> or if those applications only communicate with predictable subnets, then just add a route for those subnets to use the vpn.
11:31 < pythonsnake> krzee: is it better to use a vm for apps using vpn?
11:32 < pythonsnake> or people just do it because faster/easier?
11:33 < pythonsnake> !sockd
11:33 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
11:35 < pythonsnake> url doesnt even work
11:51 < Komplanar> krzee, do you have any tutorial or tipps how to bypass carrier grade nat with openvpn? I'm really desperate now :(
11:52 <@krzee> pythonsnake, ya my servers down, guess you'll have to configure the app yourself
11:52 <@krzee> Komplanar, i dont understand the question.
11:54 <@krzee> Komplanar, is the problem that your outbound IP changes on you without notice?
11:54 < Komplanar> since my ISP hasnt enough ipv4 addresses, many people uses the same ipv4 address
11:54 <@krzee> what exactly are you trying to 'bypass'?
11:54 < pekster> You can't "bypass" CGN -- hopefully an ISP that forces it without option to get a real IPv4 IP gives you IPv6, so best choice: use that. Otherwise, you can only make outbound connections. Maybe what you wanted to say was "I'm behind CGN I don't control and would like to create a tunnel where I can initiate connections to an IP on the far end to reach the machine behind CGN"
11:54 < pekster> If that's what you meant to ask, ask it rather than broad and unclarified questions
11:54 <@krzee> ^^ that
11:55 < Komplanar> pekster, yes sorry for my ambiguous question
11:55 < Komplanar> your summary brings it quite to the point
11:56 < pekster> So you'd need a server you _do_ control, ideall with multiple public IPs available (otherwise you need to NAT _there_ to reach internal systems, just like any "home router" style setup)
11:57 < pekster> The other issue is return routing. Either you must redirect _all_ your Internet-bound traffic over the VPN, or set up policy routing by which traffic arriving from the VPN (on your client, behind-CGN-box) tags VPN-inbound traffic and routes it back out
11:57 < Komplanar> pekster, yeah I've servers that I fully control, and that could be used completely for this use
11:58 <@krzee> could make that machine behind the cgn a client, use --float, connect to an outside server and make client to client traffic allowed (and lans if needed)
11:58 <@krzee> thats how id prolly do it
12:01 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 250 seconds]
12:01 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:13 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
12:29 < lord4163> krzee: I don't really know what to do to be honest :(
12:30 <@krzee> !goal
12:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:31 < lord4163> krzee: I just want my mobile phone to connect through my VPS running OpenVPN, to be secure :)
12:31 < Komplanar> nope no chance for me :D iptables wont work as desired, tun0 doesnt accept any conns if I dont route ALL traffic. i think i'll use SSH port forwarding
12:31 <@krzee> lord4163, to route your internet connection over the vpn?
12:31 < pekster> Komplanar: Right, see my comment above about policy routing
12:32 < lord4163> krzee: yes phone -> public wifi ->  vps/vpn -> internet :)
12:32 <@krzee> yep, you were told thats not how routing works
12:32 < pekster> You can do what you want, but it falls squarely into the "advanced routing category"
12:32 <@krzee> @ Komplanar ^
12:32 <@krzee> lord4163, use the flowchart here:
12:32 <@krzee> !redirect
12:32 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:32 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:32 <@krzee> tell me where you get stuck
12:33 < lord4163> krzee: Ok
12:35 < lord4163> krzee: So I can ping 10.8.0.1, http://paste.kde.org/ptjoio3tr, must I add push "redirect-gateway" to it?
12:35 <@krzee> !configs
12:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:37 < lord4163> krzee: Android
12:37 <@krzee> both configs dude
12:39 < lord4163> krzee: you mean the server? http://paste.kde.org/pnxloxy3d
12:40 <@krzee> you have push "redirect-gateway def1 bypass-dhcp"
12:41 <@krzee> you REALLY need to look at your own configs before asking questions
12:41 <@krzee> you probably dont need bypass-dhcp
12:41 <@krzee> unless you know why you do.
12:43 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-sphvhonoudknsyec] has quit [Ping timeout: 265 seconds]
12:43 < lord4163> krzee: well I was just try everything till it works, that was in one tutorial :P
12:44 < lord4163> krzee: so, must I add push "redirect-gateway" to the clients config?
12:45 <@krzee> *facepalm*
12:45 <@krzee> !push
12:45 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
12:45 <@krzee> you ALREADY DO
12:45 <@krzee> !man
12:45 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:45 <@krzee> !walkthrough
12:45 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
12:46 <@krzee> read EVERY option in your config in the manual
12:46 <@krzee> tell me when you're done.
12:46 <@krzee> then we'll go back to the flowchart
13:01 < lord4163> krzee: yes, "is redirect-gateway enabled ON THE CLIENT"? Is it by setting on the servers config?
13:01 <@krzee> !push
13:01 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
13:02 <@krzee> if you had done what i said you would have read what push does in the manual
13:02 <@krzee> krzee> read EVERY option in your config in the manual
13:02 <@krzee> <krzee> tell me when you're done.
13:02 <@krzee> do not ping me until you have done that
13:02 <@krzee> i do not feel like spoonfeeding, sorry.
13:25 < lord4163> I'll give up for today before I destroy everything in my room :P
13:25 <@krzee> you cant read the manual?
13:25 <@krzee> i dont get it, is it asking too much?
13:27 <@krzee> its been 40min since i said that, you probably could have read it, came back, troubleshot with me, and have everything fixed by now
13:29 <@krzee> you dont have *that many* things in your config to read about
13:33 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:35 < lord4163> krzee: The config is clear.
13:36 < lord4163> krzee: But I just don't understand how it can ping 8.8.8.8, but when I try to access a website (using a webservers IP) it doesn't make a connection.
13:38 < ValdikSS> By the way, why recvbuf and sndbuf are default to 64K? Sometimes, it is very speed limiting. I suppose, OpenVPN should either use system values or increase defaults
13:39 < ValdikSS> !help
13:39 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
13:40 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
13:40 <@krzee> lord4163, the point is that helping you before you understand your own config is senseless
13:41 <@krzee> now that you hopefully did that, go back to the flowchart
13:41 <@krzee> !redirect
13:41 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:41 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:41 < lord4163> krzee: That website is down :(
13:41 <@krzee> lord4163, notice 2 links?
13:41 <@krzee> ValdikSS, feel free to change the options as you wish
13:42 < ValdikSS> krzee: I know. I see a lot of people don't know about this options, since they are not mentioned in howtos and manuals
13:42 < ValdikSS> krzee: and this is almost the main thing which can influence on speed
13:43 <@krzee> feel free to also submit a trac ticket if you can prove why they should be changed
13:43 < ValdikSS> krzee: I will.
13:43 <@krzee> also if you have data on it increasing your speed please consider adding a writeup to the wiki
13:43 <@krzee> id be happy to link to it in !speed if you can show data that it helps you
13:43 <@krzee> !trac
13:43 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database.
13:43 <@krzee> !wiki
13:43 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
13:43 < lord4163> krzee: sure, but then I come to "dns is your problem", no it is not, why can't I connect to my webserver by it's IP? There must be more wrong?
13:44 < ValdikSS> krzee: By the way, Windows client changes this parameters quietly to bigger values, and some people complain that all the clients except Windows are slow
13:44 <@krzee> lord4163,
13:44 <@krzee> !logs
13:44 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:45 <@krzee> ValdikSS, interesting. i dont use windows or ever have speed issues
13:45 <@krzee> and jjk did this without using those options:
13:45 <@krzee> !gigabit
13:45 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
13:45 < ValdikSS> krzee: It has influence on high-latency links or over wifi
13:46 <@krzee> sweet i look forward to your writeup (please do make it, and include data from tests)!
13:46 < ValdikSS> krzee: I get 20-25 mbit/s with standard values (64K) and ~80mbit/s (my internet connection speed) with increased to 512K
13:46 < ValdikSS> krzee: Actually, OpenVPN doesn't need to set custom buffers by default, it should use OS values
13:47 <@krzee> ValdikSS, thats for the trac ticket id say ;]
13:47 < ValdikSS> krzee: yes, i will do it.
13:47 < ValdikSS> krzee: By the way, where can I get all the texts from vpnHelper?
13:47 <@krzee> !factoids
13:47 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:47 < lord4163> krzee: Ok, are there logs available for the android client too?
13:47 < ValdikSS> krzee: awesome! Thanks!
13:47 <@krzee> lord4163, sure, in "openvpn for android" it has a logs section iirc
13:48 <@krzee> ValdikSS, no no thank you! that writeup may end up helping some people, speed issues is a FAQ
13:48 < lord4163> krzee: ok
13:48 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
13:48 <@krzee> ValdikSS, theres already a list of suggestions, but another item on the list is great if improvement can be proved in 1 instance (which it can in your case)
13:49 < ValdikSS> krzee: Actually, I can re-do some information about MTU, because it's a bit knotty now
13:49 <@krzee> !mtu
13:49 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
13:49 <@krzee> thats what we have for you to build on
13:50 < ValdikSS> krzee: I mean, there are some documentation flaws
13:50 -!- mode/#openvpn [+vvv ValdikSS cwillu_at_work _FBi] by krzee
13:50 <@krzee> ValdikSS, in the manual?
13:50 <+ValdikSS> krzee: yes
13:50 <+ValdikSS> krzee: in the man i mean
13:50 <@krzee> ValdikSS, ahh ok, in that case please make trac tickets with proposed fixes
13:51 <+ValdikSS> krzee: Yes I will, thank you, I'll do it now
13:51 <@krzee> documentation is an option there
13:53 <+ValdikSS> !ta
14:00 < lord4163> krzee: May I PM this?
14:00 <@krzee> why?
14:00 <@krzee> im not the only person here capable of helping you
14:00 < lord4163> krzee: containing ip addresses and email address etc...
14:03 -!- rantic [~kevin@unaffiliated/metap0d] has joined #openvpn
14:03 < rantic> !welcome
14:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:03 < rantic> !howto
14:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:03 < lord4163> krzee: yes?
14:04 < Eagleman> How do i allow the same user (radius account) with different certificates on my openvpn server, it currently drops the connection if i am connected twice.
14:05 <@krzee> real emails, fair enough
14:08 < lord4163> krzee: perhaps Sat Oct 11 13:44:30 2014 /sbin/ip route del 10.8.0.0/24 ?
14:08 <@krzee> Eagleman,
14:08 <@krzee> !dupe
14:08 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
14:08 < Eagleman> Yeh but thats for duplicate certificates, i got different certs
14:08 < Eagleman> Why does it drop the connection?
14:08 <@krzee> lord4163, you only sent 1 side
14:09 <@krzee> Eagleman, you use --username-as-commonname
14:09 < lord4163> krzee: yes, although I have not seen something strange, I will try to send you it, but I'm not sure if I can copy the log
14:10 <@krzee> lord4163, also, that does not look like verb 5 to me
14:10 <@krzee> try reading this again
14:10 <@krzee> !logs
14:10 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:10 <@krzee> oh sorry, i didnt say use verb 5
14:10 <@krzee> but please do =]
14:10 <@krzee> im pretty sick in bed right now :-p
14:12 <@krzee> lord4163,
14:12 <@krzee> Sat Oct 11 13:17:23 2014 MULTI: new connection by client 'phone' will cause previous active sessions by this client to be dropped.
14:12 <@krzee> looks like you have the same client cert being used more than once
14:12 <@krzee> that is a problem.
14:13 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has quit [Ping timeout: 260 seconds]
14:13 < lord4163> krzee: you asked for verb 4 :) well I just have this phone I use so don't know how that could happen....
14:14 -!- rich0_ is now known as rich0
14:15 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
14:16 <@krzee> get me verb 5 from the server
14:16 < rantic> Hi everyone, I've setup the OpenVPN Access Server appliance on an ESXI host behind my NATTED router and as a newb... I'm completely lost.
14:17 <@krzee> !as
14:17 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
14:17 <@krzee> !no_as
14:17 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
14:17 < rantic> but I'm not using the commercial license offerings :(
14:17 < rantic> and i'm 98.8% sure this is a generic openvpn configuration issue
14:17 <@krzee> we do not support AS here, they support it.
14:18 <@krzee> wrong channel.
14:18 < rantic> but the issue isn't with AS :o
14:18 <@krzee> shall i ban?
14:18 <@krzee> !as
14:18 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
14:18 < rantic> What on earth?
14:18 <@krzee> you are in the wrong channel.
14:18 < lord4163> krzee: Ok
14:19 < rantic> Please ban me
14:19 <@krzee> ok
14:19 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
14:19 < rantic> I've never met such a non sensical hostile e-admin in my life
14:19 -!- rantic was kicked from #openvpn by krzee [please join the channel you have continually been asked to join]
14:20 -!- toredl [~tned@h-36-189.a254.priv.bahnhof.se] has joined #openvpn
14:21 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:24 <@krzee> lord4163, seems like you killed the connection right away
14:25 <@krzee> i need more, in fact start it again and then i'll have you run some tests
14:25 <@krzee> then ill tell you when to stop it and send it again
14:25 < lord4163> krzee: yeah well, my phone my phone locks it shuts down wifi, but before that I pinged google.com and 8.8.8.8
14:25 <@krzee> turn off the lock for now
14:26 <@krzee> that explains why it kept reconnecting and triggering the duplicate certs message
14:26 < lord4163> krzee: yes I'll do that
14:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:41 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
14:47 -!- Bretos [~Bretos@vps.tyborek.pl] has joined #openvpn
14:50 < pythonsnake> krzee: dante works with openssh right?
14:50 <@krzee> not sure what you mean
14:51 <@krzee> dante is a socks proxy
14:53 < pythonsnake> krzee: well I don't really understand it
14:53 < pythonsnake> on the tutorials they say I have to open an ssh tunnel to use it
14:53 < pythonsnake> which totally defeats the purpore
14:53 <@krzee> im guessing the tutorials are not about dante then… are they
14:54 <@krzee> or are you saying you do have dante running?
14:54 <@krzee> because openssh makes a tunnel that is also socks, but it can only handle tcp
14:55 < pythonsnake> yes exactly
14:55 <@krzee> so if you're trying to USE the dante server using a walkthrough that assumes you have openssh tunnel running, then yes the dante server is also socks
14:55 <@krzee> dante is just better at it
14:55 < pythonsnake> wait
14:55 <@krzee> (handles udp)
14:55 < pythonsnake> socks5 supports udp
14:55 < pythonsnake> openssh tunnels do not
14:55 <@krzee> right.
14:55 < pythonsnake> so if I'm setting everything up right
14:56 < pythonsnake> i should be using the ip of the server on proxifier on client
14:56 < pythonsnake> not through an ssh tunnel
14:56 < pythonsnake> right?
14:56 <@krzee> right but that socks ip is running inside the vpn
14:56 <@krzee> (if you told it to)
14:56 <@krzee> thats how i force apps over the vpn, by sending them to a socks proxy running on the vpn ip
14:57 < pythonsnake> how do i tell it to run inside the vpn?
14:57 < pythonsnake> by using the right IPs?
14:57 <@krzee> by correctly confugring dante
14:58 < pythonsnake> vokay
14:58 < pythonsnake> but now I'm just trying to use it without the vpn
14:58 <@krzee> internal : vpn_ip <port>
14:58 <@krzee> external: public_ip
14:58 <@krzee> or actually
14:59 <@krzee> internal: $vpn_ip port = $port
14:59 <@krzee> i turn off auth all together and run it ONLY inside the vpn
14:59 <@krzee> if you run it public and dont use good auth, you become an open relay
14:59 <@krzee> which is bad.
14:59 < pythonsnake> yeah
14:59 < pythonsnake> but it's just for testing
15:00 < pythonsnake> I can't even get it to work
15:00 <@krzee> bad.
15:00 < pythonsnake> What works for me is opening ssh tunnel
15:00 < pythonsnake> 1080:localhost:1080 myserver
15:00 < pythonsnake> works for tcp
15:00 < pythonsnake> obviously not udp
15:00 < pythonsnake> one sec I'm retrying to set it up and I'll send you the errors
15:01 <@krzee> http://pastebin.com/NDrm11JL
15:01 <@krzee> dont send me the errors
15:01 <@krzee> i dont want to debug your socks server really, sorry
15:02 <@krzee> lord4163, your log shows you still cant get a stable connection
15:03 <@krzee> your phone continues to simply reconnect and reconnect
15:03 < pythonsnake> krzee: yes i have the same config
15:03 <@krzee> lord4163, have you ever tested this server without using the phone?
15:03 < pythonsnake> it just says server refused connection
15:03 < pythonsnake> no long error or anything
15:04 <@krzee> pythonsnake, sorry if i gave the impression that i support dante just cause i use it
15:04 <@krzee> but i dont, i havnt even looked at it in years
15:04 <@krzee> im the wrong guy to help with dante
15:04 < pythonsnake> oh :(
15:04 < pythonsnake> alright thanks anyways
15:04 < lord4163> krzee: I haven't, I'll try that tomorrow.
15:04 < pythonsnake> I'll try to troubleshoot this
15:05 < pythonsnake> else I'll  just use a VM
15:05 < pythonsnake> lol
15:05 < pythonsnake> so unefficient
15:05 <@krzee> pythonsnake, the other way is policy routing, if you decide you want to do it another way
15:05 <@krzee> ive never done it that way, but plenty of others have
15:05 < pythonsnake> = using windwos firewall :D
15:06 <@krzee> oh god
15:06 < lord4163> krzee: Thanks so far ;)
15:07 < pythonsnake> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah
15:07 < pythonsnake> i think i figured this out
15:10 <@krzee> lord4163, yw so far
15:14 < pythonsnake> :( nope
15:23 < rob0> krzee, I bet "rantic" is using a pirated copy of AS, thus the hesitation to go in there. :)
15:24 <@krzee> lol people pirate that?
15:25 < rob0> I didn't say it was a clever thing to do.
15:25 <@krzee> i assumed he just was using a client or 2 (which is free iirc)
15:25 <@krzee> and afaik the AS chan still helps people with that
15:36 -!- Joe-T [~Joe-T@97e76cf9.skybroadband.com] has quit [Quit: ZNC - http://znc.in]
15:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:50 < pythonsnake> krzee: one question please
15:50 < pythonsnake> if i make an ssh tunnel, then pinging localhost = ping the server
15:50 < pythonsnake> and for vpn
15:50 < pythonsnake> i got tun0
15:50 < pythonsnake> Ipv4 192.168.88.6
15:51 < pythonsnake> gateway 255.255.255.252
15:51 < pythonsnake> gateway 192.168.88.5
15:51 < pythonsnake> so if I ping 192.168.88.5 = ping server?
15:54 < rob0> !/30
15:54 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
15:55 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:13 -!- Joe-T [~Joe-T@97e76cf9.skybroadband.com] has joined #openvpn
16:14 < pythonsnake> what the fuck, traffic to openvpn ip doesn't get vpn'ed
16:14 < Joe-T> if I end up with IPs of the form 192.1.2.5, 192.1.2.6, what's the best way to get the 192.1.2.1 one? or do I have to do some string replacement?
16:14 < Joe-T> what I'm trying to achieve: getting the .1 route in ip route
16:18 < Joe-T> or has anyone set up openvpn using just transmission with bind-address-ipv4?
16:30 < Joe-T> and if I use no-pull, is it just "ip route" that get affected?
16:32 < rob0> yikes, another /30, when is that going to go away?
16:32 < rob0> !/30
16:32 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
16:32 < rob0> !topology
16:32 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
16:35 < Joe-T> thanks
16:46 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
16:52 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
17:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:09 <+ValdikSS> krzee: Is it possible to route connection address via VPN?
17:09 <+ValdikSS> krzee: If yes, how can I do this easily (without policy-based routing)
17:09 <+ValdikSS> krzee: It is the default behaviour on Android, and I'd like to know how can I do this on Linux box
17:21 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
17:24 < pekster> ValdikSS: What are you trying to do? Route some IP over the VPN connection (for which there's --route) or something more complex?
17:24 <+ValdikSS> pekster: no, to route VPN's IP over VPN
17:25 < pekster> 3 options: 1) use the VPN IP (not the one you connected the VPN itself to), 2) use a second routable IP on the server, or 3) policy routing
17:25 <+ValdikSS> pekster: I know all of this, but thanks anyway
17:25 -!- Xunie [~Xunie@unaffiliated/xunie] has joined #openvpn
17:26 <+ValdikSS> I hoped there is something to make it easier, because on Android this works by default
17:26 < Xunie> So I am running OpenVPN as a client on Windows 7 x64 home premium, and the damn thing hangs sometimes.
17:26 < Xunie> The process just sits there. Can't terminate it, can't close the terminal window, nothing.
17:26 < pekster> If you have control over DNS and are willing to mandate use of a DNS across the VPN, maybe set low-TTLs on the records and once you connect provide RFC1918 IPs across the VPN
17:27 < pekster> That's a bit fragile, and prone to tampering by mallicious DNS servers on the physical link (that could set a 1-year TTL, for instance)
17:27 < Joe-T> Am I missing anything with these routes:
17:27 < Joe-T> 10.194.1.1 via 10.194.1.5 dev tun0  proto static
17:27 < Joe-T> 10.194.1.5 dev tun0  proto kernel  scope link  src 10.194.1.6
17:27 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
17:28 < pekster> Joe-T: Those are the 2 basic routes you'll get in the net30 mode as a client. Best to avoid net30 unless you _actually_ require support with 7+ year old Windows client versions: see !topology for details
17:28 <+ValdikSS> pekster: well, I already do this
17:28 < pekster> net30 is silly and deprecated, kept as the defautl for fear of breaking backwards-compat for people that _are_ using ancient things
17:29 -!- havingFun is now known as xrosnight
17:36 < Joe-T> is there anything I can do if my provider uses net30 though
17:36 < pekster> Nope
17:40 < rob0> Complain and go to another provider. :)
17:50 < Joe-T> maybe it would just be easier for me to pull the routes still, but then change the default route back to normal after
17:50 < Joe-T> but its hard as I don't have physical access to my server atm so I can lock myself out :(
17:51 < pekster> crontab and a `reboot` command do wonders
17:52 < Joe-T> hmm I might do that, have it reboot more frequent when I do this work on it
17:54 < Joe-T> on my pc here, theres this one route that gets added, to a random ip via myip dev eth0 proto static, no idea where that ip is derived from
17:59 < pekster> Read --redirect-gateway in the manpage
18:00 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Remote host closed the connection]
18:00 -!- Xunie [~Xunie@unaffiliated/xunie] has quit [Quit: Leaving]
18:04 < pekster> In most legal jurisdictions, "contacting" all authorors is not enough; they need explicit _permission_ from them to re-license their contributions
18:04 < pekster> That, or re-write whatever they did entierly
18:05 < pekster> Or have otherwise taken legal ownership of the copyright upon submission. Either works
18:05 < pekster> AFAIK the latter isn't common, at least not from what I've seen
18:08 -!- mattock is now known as mattock_afk
18:18 -!- Joe-T [~Joe-T@97e76cf9.skybroadband.com] has quit [Ping timeout: 260 seconds]
18:26 < pekster> Hmm, window 4 != 14. Go figure.
18:39 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit]
18:47 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 250 seconds]
18:56 -!- Joe-T [~Joe-T@97e76cf9.skybroadband.com] has joined #openvpn
19:01 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
19:17 < Joe-T> thanks to this http://blog.darkgreenmeme.com/2014/05/building-private-gateway-part-1.html I got it working :D
19:17 <@vpnHelper> Title: The Dark Green Meme's Tek Geek Blog: Building a Private Gateway Part 1 (at blog.darkgreenmeme.com)
19:38 -!- MadHatter42 [~tuwid@217.73.143.43] has joined #openvpn
20:12 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
20:27 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
20:27 -!- mode/#openvpn [+v s7r_m] by ChanServ
20:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
20:37 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
21:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:07 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
22:12 -!- hiyo [~Puppy@unaffiliated/hiyo] has joined #openvpn
22:21 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
22:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:50 -!- hiyo [~Puppy@unaffiliated/hiyo] has left #openvpn []
22:57 -!- MadHatter42 [~tuwid@217.73.143.43] has quit [Remote host closed the connection]
23:32 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:44 -!- ShadniX [dagger@p5DDFDED0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:45 -!- ShadniX [dagger@p5481D5B6.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Oct 12 2014
00:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:40 -!- s7r_m [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:40 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
00:40 -!- mode/#openvpn [+v s7r_m] by ChanServ
01:37 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
02:39 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:54 -!- Envil [~meep@95.211.26.40] has joined #openvpn
03:08 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
03:35 <+ValdikSS> krzee: https://community.openvpn.net/openvpn/ticket/461
03:35 <@vpnHelper> Title: #461 (Change default sndbuf and rcvbuf values) – OpenVPN Community (at community.openvpn.net)
04:05 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
04:25 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
04:31 < flickabic> I'm trying to use CybgerGhost VPN with linux over a cli. I am trying to execute "sudo openvpn client.ovpn" in the dir where I have that particular config. http://pastebin.com/eGjXdqEw is the config I am trying to use. I am getting this error http://pastebin.com/ivaw0NRC
04:43 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
04:43 < cheesenbiscuts> flickabic: http://talk.maemo.org/showthread.php?t=71725
04:43 <@vpnHelper> Title: [solved] Problem with OpenVPN - maemo.org - Talk (at talk.maemo.org)
04:45 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:45 -!- mode/#openvpn [+o mattock] by ChanServ
04:45 < cheesenbiscuts> and...
04:46 < cheesenbiscuts> https://forums.openvpn.net/topic10599.html
04:46 <@vpnHelper> Title: OpenVPN Support Forum Unrecognized option or missing parameter(s) : Configuration (at forums.openvpn.net)
04:46 < flickabic> Thanks cheesenbiscuts, gimme a minute to read up
04:48 < flickabic> It was a hidden tab
04:48 < cheesenbiscuts> np...
04:48 < flickabic> I would have never guessed
04:48 < cheesenbiscuts> openvpn config file is very touchy... best to use notepad++
05:01 < flickabic> wow so, it was executing, then it threw an error because I accidentally misnamed my ca file in the .ovpn file. I changed it to the right one and im getting the same error. No tabs this time. I am using nano over the command line so I dont think im changing the encoding at all
05:01 < flickabic> by same error I mean Options error: Unrecognized option or missing parameter(s) in openvpn.ovpn:1: client (2.2.1)
05:14 < flickabic> see anything wrong with this? http://pastebin.com/MKshirK0
05:29 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has quit [Ping timeout: 260 seconds]
05:33 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Read error: Connection reset by peer]
06:33 -!- s7r_m is now known as s7r
06:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:49 < lord4163> krzee: I resolved the issue, I set up a new machine with the same settings. It was the firewall (ufw) causing the problem. Now it works
07:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
07:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:02 -!- bendoin [~bendoin@7.37.95.91.static.m-sp.siw.siwnet.net] has joined #openvpn
07:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Client Quit]
07:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:46 < pythonsnake> hm, hi gffa !
07:46 < pythonsnake> how are you?
08:17 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 258 seconds]
08:27 -!- bendoin [~bendoin@7.37.95.91.static.m-sp.siw.siwnet.net] has quit [Read error: Connection reset by peer]
08:31 -!- ring0` [~mike@unaffiliated/ring0/x-8667941] has quit [Quit: bai]
08:34 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Remote host closed the connection]
08:42 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has joined #openvpn
08:45 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
08:57 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
09:10 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
09:21 -!- lord4163 [~lord4163@81-232-61-81-no226.tbcn.telia.com] has left #openvpn []
09:32 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Quit: Konversation terminated!]
09:35 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:37 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Remote host closed the connection]
09:38 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:39 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has quit [Quit: If you believe in telekinesis, raise my hand.]
09:43 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
09:44 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
09:46 < pythonsnake> !route
09:46 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
09:46 <@vpnHelper> client
09:54 < pythonsnake> ...
09:54 < pythonsnake> what's the opposite of redirect-gateway
09:55 <@krzee> not putting it
09:55 <@krzee> lol
09:55 < pythonsnake> I mean
09:55 < pythonsnake> 192.168.88.1 = server
09:55 < pythonsnake> .6 = client
09:55 < pythonsnake> I want to only route traffic to .88.1
09:56 < pythonsnake> not all the traffic
09:56 <@krzee> like i said
09:56 < pythonsnake> tried route 192.168.88.0 255.255.255.0 didn't work
09:56 <@krzee> dont redirect-gateway then
09:56 < pythonsnake> without it then I can't ping anything
09:56 < pythonsnake> just ping myself (.6)
09:56 <@krzee> then you have other issues
09:57 <@krzee> do you still have NAT enabled on the server (part of the redirect-gateway setup)
09:57 < pythonsnake> lemme check
09:58 < pythonsnake> iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
09:58 < pythonsnake> that?
09:58 <@krzee> get rid of it
09:58 < pythonsnake> okay
09:58 <@krzee> whyd you setup redirect-gateway if you didnt want to redirect your gateway?
09:59 < pythonsnake> well
09:59 < pythonsnake> I thought I wanted it
09:59 < pythonsnake> lol
09:59 < pythonsnake> krzee: so now
09:59 < pythonsnake> If i want to redirect-gateway again i always have to set that iptables rule back?
10:00 < pythonsnake> :/ I thought it would be as ssimple as changing client config
10:01 <@krzee> of course its not that simple
10:01 <@krzee> your vpn subnet is unroutable by the internet
10:01 <@krzee> must nat it, just like any lan in the same subnet would need to be NAT'ed
10:01 <@krzee> (to reach the internet)
10:02 < pythonsnake> krzee: Can't I just let the subnet be able to reach the internet
10:03 < pythonsnake> and tell client openvpn to only route 192.168.88.0 subnet?
10:03 < pythonsnake> and not the other external IPs
10:04 < pythonsnake> so just restedted it
10:04 < pythonsnake> tested*
10:04 < pythonsnake> iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
10:04 < pythonsnake> iptables -A FORWARD -s 192.168.88.0/24 -j ACCEPT
10:04 < pythonsnake> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
10:04 < pythonsnake> I only have these 3 rules
10:04 < pythonsnake> without reditect-gateway or route 192.168.88.0
10:04 < pythonsnake> and I still can't ping the server
10:05 <@krzee> yes, you should be able to leave it
10:05 <@krzee> why are you keeping state if those are truely the ONLY rules than state doesnt matter
10:05 <@krzee> iptables-save
10:06 <@krzee> thats the ONLY way to look at rules for posting here, you're using that right?
10:06 < pythonsnake> yes
10:06 < pythonsnake> # iptables-save > /etc/iptables.rules
10:06 <@krzee> when you cat the file theres only 3 lines?
10:07 < pythonsnake> nope
10:07 < pythonsnake> there is generated completed and stuff
10:07 < pythonsnake> http://pastie.org/private/802zcvdjz94twvoz8xvy9q
10:07 < pythonsnake> this is iptables -L
10:08 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Quit: No Ping reply in 180 seconds.]
10:09 < pythonsnake> please excuse me I am so noob at this :(
10:11 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
10:11 <@krzee> wtf
10:11 <@krzee> i JUST told you to ONLY show iptables-save
10:11 <@krzee> and you pasted me iptables -L?
10:11 <@krzee> why?
10:12 <@krzee> <krzee> iptables-save <krzee> thats the ONLY way to look at rules for posting here, you're using that right?
10:12 <@krzee> literally 1 minute prior, and you said yes and then showed me
10:12 <@krzee> so wtf?
10:13 < pythonsnake> http://pastie.org/private/r6qkwqxgkogujxfetwjg
10:14 <@krzee> and you call that 3 rules?
10:14 <@krzee> you have 5 nat rules, remove them.
10:14 < pythonsnake> shit no
10:14 < pythonsnake> not the right machine
10:14 <@krzee> -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 37.187.180.157
10:14 <@krzee> guess what that does
10:14 <@krzee> lol
10:15 <@krzee> yes, thats the same machine
10:15 <@krzee> iptables -L didnt show you everything
10:15 < pythonsnake> okay done
10:16 <@krzee> show iptables-save again
10:16 <@krzee> NOT a modified file, but the output of the command
10:20 < pythonsnake> http://pastie.org/private/4dfmyya3v4ajrk8bufxczq
10:20 < pythonsnake> krzee: ^
10:23 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
10:26 <@krzee> try your test again
10:26 < pythonsnake> krzee: didnt work
10:27 < pythonsnake> krzee: just timing out :/
10:27 <@krzee> !logs
10:27 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:27 <@krzee> verb 5 on both sides.
10:29 < pythonsnake> http://pastebin.com/vcsMzfh6
10:29 < pythonsnake> krzee: for server grep VPN /var/log/syslog
10:29 < pythonsnake> ?
10:30 <@krzee> !logfile
10:30 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
10:30 < pythonsnake> nvm
10:31 <@krzee> please tell me you actually looked at your logs during your troubleshooting
10:32 <@krzee> cause thats basically the first step in troubleshooting *anything*
10:32 <@krzee> reboot that windows machine.
10:32 < pythonsnake> okay
10:32 < pythonsnake> then be right back
10:33 < pythonsnake> krzee: server logs http://pastebin.com/dDWz4zw7
10:36 <@krzee> and then get verb 5 client logs
10:41 < pythonsnake> krzee: win is updating
10:41 < pythonsnake> so it might take some time
10:43 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
10:49 < pythonsnake> krzee: http://pastebin.com/nPPDHpnp
10:49 < pythonsnake> the end is odd o_O
10:50 <@krzee> and the accompanying server log please
10:51 <@krzee> and then:
10:52 <@krzee> !configs
10:52 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:26 < pythonsnake> krzee: sorry
11:26 < pythonsnake> back
11:26 < pythonsnake> tested various shit and it didnt work
11:26 < pythonsnake> okay pasting server log
11:27 <@krzee> oh god
11:27 <@krzee> hella stuff may have changed
11:27 <@krzee> im going to leave irc for the day
11:27 <@krzee> adios
11:27 < pythonsnake> you come back tomorrow/
11:27 < pythonsnake> ?
11:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:13 -!- Bretos [~Bretos@vps.tyborek.pl] has quit [Remote host closed the connection]
12:14 -!- Pip0 [~quassel@node244.seg69.ucf.edu] has joined #openvpn
12:24 -!- Pyrogerg [~Gregory@99-197-95-83.cust.wildblue.net] has joined #openvpn
12:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
12:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:44 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
12:49 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has quit [Remote host closed the connection]
12:51 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
13:04 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
13:05 < Orbixx> How does the digest algorithm of the certificate increase/decrease security?
13:06 < Orbixx> And does raising it to say, SHA512 affect the performance of an entire OpenVPN session?
13:06 < Orbixx> With simultaneous users all using SHA512 as a digest, would that increase load on the server that OpenVPN is on?
13:12 < pekster> The data session? Exactly 0%. X.509 only matters for the TLS process, for initial connections, TLS re-keys, and control data like the one-way keepalive packets
13:14 -!- Irrelephant [Irrelephan@2a02:908:e263:6400:f460:4186:55e4:a485] has joined #openvpn
13:15 < Irrelephant> !welcome
13:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
13:15 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:17 < Irrelephant> !howto
13:17 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:22 < ValdikSS> Can I speak with someone who fully understands OpenVPN crypto and negotiation process?
13:24 < Irrelephant>  Hi all. Is it possible to tell windows 8 to access a network share not over VPN but locally? Goal: Have a shared drive mounted with either local IP or, only if not reachable locally, with VPN IP.
13:24 < Irrelephant> Question might not be openvpn related, though
13:55 -!- cesurasean [~Sean@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 258 seconds]
13:55 -!- mattock is now known as mattock_afk
13:59 < flickabic> I'm trying to setup openvpn over a cli, I'm getting an error when trying to execute a config file with openvpn. Options error: Unrecognized option or missing parameter(s) in openvpn.ovpn:1: client (2.2.1)" see anything wrong with this config file? http://pastebin.com/MKshirK0
14:02 < flickabic> I made sure there were no hidden tabs or anything
14:05 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Read error: Connection reset by peer]
14:26 -!- moonkid [~anonymous@50-194-167-97-static.hfc.comcastbusiness.net] has joined #openvpn
15:00 -!- Netsplit *.net <-> *.split quits: capri, JackWinter, Brando753, riddle, Poster, pradeepc_, lerra, +s7r, @raidz, Zimsky,  (+5 more, use /NETSPLIT to show all of them)
15:01 -!- Netsplit over, joins: thumbs
15:01 -!- Netsplit over, joins: JackWinter, xMopxShell, Poster, raidz
15:01 -!- mode/#openvpn [+o raidz] by ChanServ
15:01 -!- Netsplit over, joins: riddle
15:01 -!- Netsplit over, joins: Zimsky
15:03 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
15:05 -!- Pyrogerg [~Gregory@99-197-95-83.cust.wildblue.net] has joined #openvpn
15:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
15:05 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:06 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
15:06 -!- ServerMode/#openvpn [+v s7r] by sinisalo.freenode.net
15:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Max SendQ exceeded]
15:06 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
15:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:11 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Changing host]
15:11 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
15:28 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has quit [Ping timeout: 240 seconds]
15:34 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
15:42 -!- moonkid [~anonymous@50-194-167-97-static.hfc.comcastbusiness.net] has quit [Quit: moonkid]
16:04 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Quit: Leaving]
16:06 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
16:12 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:25 -!- MadHatter42 [~tuwid@217.73.143.43] has joined #openvpn
16:26 -!- Pip0 [~quassel@node244.seg69.ucf.edu] has quit [Ping timeout: 258 seconds]
16:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 246 seconds]
16:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:37 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:00 -!- ShadniX [dagger@p5481D5B6.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
17:09 -!- u0m3_ [~u0m3@92.80.124.118] has joined #openvpn
17:10 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 250 seconds]
17:12 -!- u0m3 [~u0m3@92.80.124.118] has quit [Ping timeout: 258 seconds]
17:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
17:44 -!- ShadniX [dagger@p5DDFE2B5.dip0.t-ipconnect.de] has joined #openvpn
17:48 -!- raeflondon [raeflondon@got.ourback.net] has joined #openvpn
17:56 -!- funnel [~funnel@unaffiliated/espiral] has quit [Remote host closed the connection]
17:56 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
18:28 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:34 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:00 -!- MadHatter42 [~tuwid@217.73.143.43] has quit [Remote host closed the connection]
20:00 -!- u0m3_ [~u0m3@92.80.124.118] has quit [Read error: Connection reset by peer]
20:10 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
20:21 -!- scottyob [~scottyob@104.131.140.184] has joined #openvpn
20:22 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
20:22 < scottyob> howdy all.  I’m looking the road warrior configuration and it’s almost what I want (have a bunch of OpenGear 3G console units I want to hook up).  Is there a way the client can push a route to the server?
20:25 < scottyob> found what I was after.  Cheers http://serverfault.com/questions/90589/openvpn-client-pushing-route-to-server
20:25 <@vpnHelper> Title: linux - OpenVPN: client pushing route to server? - Server Fault (at serverfault.com)
20:26 < pekster> Instead you should read/follow this:
20:26 < pekster> !clientlan
20:26 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
20:26 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
21:15 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 260 seconds]
21:19 -!- Irrelephant [Irrelephan@2a02:908:e263:6400:f460:4186:55e4:a485] has quit [Quit: Leaving]
21:58 -!- butch128 [~butch128@bas4-oshawa95-1177900294.dsl.bell.ca] has joined #openvpn
21:59 < butch128> I am connecting to an openvpn server as a client - is it possible to route all traffic of only specific programs over that connection?  E.g. via socks?
21:59 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:59 < butch128> I can reject all routes from the server, and get a local tun interface, but don't know where to go from there?
22:06 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Remote host closed the connection]
22:07 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
22:19 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit]
22:22 -!- butch128 [~butch128@bas4-oshawa95-1177900294.dsl.bell.ca] has quit [Ping timeout: 260 seconds]
22:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
23:46 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
23:53 -!- ShadniX [dagger@p5DDFE2B5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:54 -!- ShadniX [dagger@p5481C615.dip0.t-ipconnect.de] has joined #openvpn
23:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
--- Day changed Mon Oct 13 2014
00:02 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
00:02 < TyrfingMjolnir> Is there an openvpn implementation that has postgreSQL for the account?
00:02 < TyrfingMjolnir> s
00:29 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
00:30 -!- mattock_afk is now known as mattock
00:44 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
00:46 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
00:46 -!- mode/#openvpn [+v hazardous] by ChanServ
01:19 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
01:20 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
01:22 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 272 seconds]
01:25 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
01:39 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:19 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
02:36 < TyrfingMjolnir> Is there an openvpn implementation that has postgreSQL to store the accounts?
02:37 < TyrfingMjolnir> How can I dump my current OpenVPN database?
03:06 <@plaisthos> OpenVPN database?
03:07 < BtbN> OpenVPN doesn't have accounts or a database.
03:24 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
03:50 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:50 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:09 -!- dazo_afk is now known as dazo
04:15 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
04:15 < urbanendeavour> !speed
04:15 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
04:15 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
04:15 < urbanendeavour> !MTU
04:15 <@vpnHelper> "MTU" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
04:24 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Read error: Connection reset by peer]
04:28 -!- BaNzounet [~ubuntu@ec2-54-72-61-12.eu-west-1.compute.amazonaws.com] has joined #openvpn
04:29 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 240 seconds]
04:30 < BaNzounet> Hi guys, how do I only send through openvpn ip from that range 10.0.0.0/16 :?
04:35 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
04:38 -!- ShadniX [dagger@p5481C615.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
04:40 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 244 seconds]
04:46 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
04:51 -!- indy [~indy@fantomas.bestit.cz] has quit [Excess Flood]
04:52 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
04:55 < BaNzounet> I don't know if this is the good way to do it
04:56 < BaNzounet> but adding this : "push `route 10.0.0.0 255.0.0.0"` to the server conf
04:56 < BaNzounet> did the trick
04:59 -!- cheesenbiscuts [~cheesenbi@182.27.50.60.kmr03-home.tm.net.my] has quit [Remote host closed the connection]
05:04 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
05:13 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
05:16 < TyrfingMjolnir> BtbN: I would like to store the keys in postgreSQL
05:17 < TyrfingMjolnir> plaisthos: Every time I build a new key it tells me that it's adding the key to the database
05:17 <@plaisthos> TyrfingMjolnir: oh you mean the certificate management?
05:18 <@plaisthos> there are a lot of CA management systems
05:18 < TyrfingMjolnir> Yes
05:18 <@plaisthos> just pick one that suits you
05:18 <@plaisthos> easy-rsa is a very basic and easy one
05:19 < TyrfingMjolnir> What do you mean easy?
05:19 < TyrfingMjolnir> I would like to put the certificates in postgreSQL and build my own HTML5/CSS/REST API
05:21 <@plaisthos> TyrfingMjolnir: yeah
05:21 <@plaisthos> TyrfingMjolnir: just pick something that supports that
05:21 <@plaisthos> !easy-rsa
05:21 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
05:21 <@plaisthos> easy-rsa is just one of many options
05:21 <@plaisthos> !certs
05:21 <@vpnHelper> "certs" is (#1) use !easy-rsa-unix for easy-rsa or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
05:22 <@plaisthos> TyrfingMjolnir: that stuff is not openvpn specific
05:27 < TyrfingMjolnir> I already have like 150 keys
05:29 < TyrfingMjolnir> 1 for each user.
05:29 < TyrfingMjolnir> I m tired of keying them in
05:29 < TyrfingMjolnir> I would like to manage them from a database
05:29 < TyrfingMjolnir> What does easyRSA do?
05:29 < TyrfingMjolnir> I donwloaded the 3.0.0rc2
05:29 < TyrfingMjolnir> There are 2 shell scripts, is that it?
05:29 < TyrfingMjolnir> and numerous .md files
05:30 < TyrfingMjolnir> There is a binary: easyrsa
05:31 < TyrfingMjolnir> a bit weird, no? As I downloaded that source package
05:32 < TyrfingMjolnir> mv easyrsa easyrsa.sh
05:35 < TyrfingMjolnir> I made a pull request
05:35 < BtbN> a PullRequest to rename the file? oO
05:35 < TyrfingMjolnir> Yes
05:36 < BtbN> And why? The extension doesn't matter at all and it's also wrong to rename it.
05:36 < TyrfingMjolnir> Why?
05:36 < TyrfingMjolnir> Why is it wrong to rename it?
05:36 < TyrfingMjolnir> For it to look like a elf binary, when it's a shell script...
05:36 < BtbN> Because it potentialy breaks a lot of guides and scripts
05:37 < BtbN> And there's absolutely no reason to have .sh
05:37 < TyrfingMjolnir> Consitency
05:37 < BtbN> With what?
05:37 < TyrfingMjolnir> Consistency
05:37 < TyrfingMjolnir> The rest of the files in the same project
05:39 < BtbN> I don't see a single .sh file there.
05:39 < TyrfingMjolnir> builld/build-dist.sh
05:39 < BtbN> That's not in the easyrsa distribution.
05:40 < TyrfingMjolnir> distro/windows/bin/easyrsa-shell-init.sh
05:40 < BtbN> Well, have fun arguing in the PR then. Breaking compatiblity with everything is extremely pointless. And there's also no need for anyone using it to know it's a shell script. Could be python, an actual binary, or whatever
05:41 < TyrfingMjolnir> true...
05:45 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 244 seconds]
05:45 -!- mcp [~mcp@wolk-project.de] has quit [Quit: ZNC - http://znc.sourceforge.net]
05:46 < TyrfingMjolnir> plaisthos: Thank you
05:47 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
05:52 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 260 seconds]
05:53 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 255 seconds]
05:55 -!- ShadniX [dagger@p5DDFE0F4.dip0.t-ipconnect.de] has joined #openvpn
05:57 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
06:00  * ecrist doesn't see a pull request
06:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:16 < rob0> Pull my finger.
06:29 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has joined #openvpn
06:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
06:56 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
07:15 -!- Adie [~adie2@ogdn-04-236-180.dsl.netins.net] has joined #openvpn
07:15 < Adie> Is there any good way to kill my internet if/when my VPN disconnects? (ubuntu)
07:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
07:19 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
07:22 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 245 seconds]
07:22 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 245 seconds]
07:22 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 240 seconds]
07:22 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 240 seconds]
07:24 -!- Latrina [~Latrina@ppp-120-26.26-151.libero.it] has quit [Ping timeout: 245 seconds]
07:24 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
07:26 -!- Latrina [~Latrina@ppp-120-26.26-151.libero.it] has joined #openvpn
07:27 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
07:27 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
07:37 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:41 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
07:42 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
07:44 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Client Quit]
07:44 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
07:51 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
08:12 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
08:15 <@ecrist> Adie: what do you mean?
08:16 < Adie> :\
08:17 < Adie> Well you know how people tend to use VPNs for privacy?
08:17 < Adie> and how sometimes VPNs aren't the most reliable thing in the world
08:18 < Adie> It's kinda shitty when you go through all this work for privacy when any little burp in the VPN starts leaking out your real IP and stuff
08:18 < Adie> so I'm looking for a good way to kill my internet if/when my VPN disconnects? (ubuntu)
08:27 <@ecrist> just web browsing, or?
08:28 <@ecrist> you could force everything out a proxy server at the VPN server end of things
08:28 <@ecrist> if the VPN is down, then nothing will be able to connect
08:29 <@ecrist> also, OpenVPN isn't built as an anonymizing tool, it's designed to support building virtual private networks.  Routing in to that VPN shouldn't be possible unless you're connected to that VPN
08:29 <@ecrist> in that case, your problem is sort of self-resolving
08:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:37 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
08:38 < Adie> ~_~
08:38 <@ecrist> I don't know what that means
08:38 < Adie> Tell that to every privatizing service that uses OpenVPN
08:38 <@ecrist> how they use it isn't really my concern
08:39 <@ecrist> and really, how you choose to route your traffic is your own responsibility.
08:39 <@ecrist> regardless, you can null route everything with a --down script
08:39 <@ecrist> that effectively will kill your internet
08:40 <@ecrist> you'll want to make sure you can route out to the VPN server, though, so you can get reconnected
08:43 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:52 -!- u0m3_ [~u0m3@92.80.124.118] has joined #openvpn
08:59 <@krzee> or just use a firewall
08:59 <@krzee> only allow outbound to what you WANT outbound to go to
09:00 <@krzee> in your case, the vpn.
09:01 <@krzee> Adie, ^
09:02 <@krzee> and if you want to understand why openvpn is not an anonymizing tool, look up how misattribution networks work.
09:02 <@krzee> you could build one using openvpn links, but that has nothing to do with openvpn itself, it has to do with network design
09:17 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:28 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
09:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:41 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:46 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
10:08 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Excess Flood]
10:21 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
10:21 < Papey> hi everyone.
10:22 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
10:23 < Papey> Can anyone give me some info or ressources on how openvpn handles brodcast using a layer 2 tap interface. Is the packet transform into an unicast ?
10:35 <@plaisthos> Papey: ?
10:35 <@plaisthos> it is handled as broadcast
10:35 <@plaisthos> with n client that means sending a unicast data packet to each VPN client
10:36 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
10:42 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
10:43 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
10:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:46 < Papey> plaisthos: ok thank you
10:50 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
10:50 < urbanendeavour> hi
10:51 < urbanendeavour> How can I view the client logs?
10:53 < creshal> I have two OpenVPN servers with different subnets; both are configured to forward and masq any traffic. A is client of B. A, and clients of A, can ping clients of B. But B and its clients cannot ping A's subnet (neither A nor clients, but pinging A's client IP works), even if I configure a route for it. :?
11:00 < julieeharshaw> !paste
11:00 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
11:01 <@Eugene> !clientlan
11:01 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
11:01 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
11:01 <@Eugene> creshal ^ flowchart
11:01 <@Eugene> My guess is you forgot iroute
11:01 < urbanendeavour> Has anyone had an issue with file copies failing?
11:02 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
11:02 -!- creshal [~Creshal@91.143.96.4] has left #openvpn []
11:02 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
11:03 < julieeharshaw> hi! i am trying to make viscosity send dns queries for my domain to the openvpn dns server, while resolving the rest of the internet via the local default dns
11:03 < creshal> Eugene: …well, now I feel silly.
11:03  * Eugene waves magic wand
11:03 < julieeharshaw> i have enabled the "simultaneous DNS" option in viscosity, and specified the domain name
11:03 < julieeharshaw> dns server address is pushed from the openvpn server
11:03  * creshal applies forehead to wall.
11:04 <@Eugene> Was I right?
11:04 < julieeharshaw> viscosity sets up a resolver in OS X: https://gist.github.com/juliekoubova/828f38cb571764a0b679
11:04 <@vpnHelper> Title: viscosity dns configuratio (at gist.github.com)
11:04 < creshal> Yes.
11:04 <@Eugene> I love being right.
11:04 < julieeharshaw> but unfortunately it creates two resolvers, the #1 which references the local router (10.0.0.138), and #2, which is the correct vpn dns
11:05 < julieeharshaw> how can i make it stop from creating the first one? why does it even do?
11:05 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:08 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
11:08 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Read error: Connection reset by peer]
11:10 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 255 seconds]
11:14 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 260 seconds]
11:40 < julieeharshaw> oh. looks like dig only uses /etc/resolv.conf, while the rest of the system uses the OS X system configuration thing
11:40 < julieeharshaw> pings go to the vpn address, yay! :)
11:53 < rob0> That's a dig feature, BTW.  You need to know you're really doing a DNS lookup.
11:53 < rob0> See also dig's @server feature, which avoids the use of resolv.conf
11:56 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
12:08 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
12:14 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:33 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Quit: ZZZZZzzzz]
12:33 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
12:38 -!- Pyrogerg [~Gregory@99-197-95-83.cust.wildblue.net] has quit [Ping timeout: 260 seconds]
12:38 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 240 seconds]
12:39 -!- dazo is now known as dazo_afk
12:43 -!- Pyrogerg [~Gregory@75-105-161-25.cust.wildblue.net] has joined #openvpn
12:48 -!- Pyrogerg [~Gregory@75-105-161-25.cust.wildblue.net] has quit [Ping timeout: 240 seconds]
13:14 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 272 seconds]
13:37 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
13:46 -!- networkpro [~Dim@93.183.142.29] has joined #openvpn
13:46 < networkpro> hi guys i have a problem importing certs from pfsense to mikrotik
13:47 < networkpro> if someone can help please :)
13:48 < networkpro> I've coppied the certs from the pfbox and try to upload them in mikrotik certificates but it doesn't seems to be right according to the tuto for mikrotik
13:49 <+_FBi> I'm not sure about either of those -- what are you trying to do?
13:52 <@ecrist> !notovpn
13:52 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
13:52 -!- Synthead [~Synthead@98.99.251.254] has joined #openvpn
14:00 < networkpro> Let me clear that I'm using and migrating Open VPN so what it's not relevant. That some users with experience want to help like +_FBi but some "witch don't care they shouldn't be commenting on solutions they don't understand thank you for the good first impressions from this channel.
14:01 <+_FBi> glad I could help a pro ;)
14:03 < rob0> I don't know what mikrotik is.  I don't use pfsense.  Seems to me, this channel is not likely to know your answer.
14:05 < networkpro> http://www.mikrotik.com/ - suppors OpenVPN you should know that one of the few doing that.
14:05 <@vpnHelper> Title: MikroTik Routers and Wireless (at www.mikrotik.com)
14:05 -!- Synthead [~Synthead@98.99.251.254] has quit [Remote host closed the connection]
14:05 <+_FBi> I support OpenVPN too
14:06 < networkpro> the last was for rob0
14:06 <+_FBi> neat
14:06 <+_FBi> doesn't OpenWRT do that too?
14:06 < networkpro> and whis is also for him https://www.pfsense.org/
14:07 <@vpnHelper> Title: Home of the pfSense Project - Open Source Firewall and Router Software Distribution (at www.pfsense.org)
14:07 < networkpro> Yes it's supported
14:08 <+_FBi> networkpro, are you undertaking a big project or tinkering?
14:08 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Max SendQ exceeded]
14:09 < networkpro> no
14:09 < networkpro> i'm trying to help some users to understand my question not first telling me to try elsewere
14:10 < rob0> I am familiar with pfsense, thanks.  I said: I am not a pfsense user.
14:10 < rob0> I am merely trying to explain that ecrist's factoid was meant to be helpful.
14:10 < rob0> If you don't want to understand that, fine.
14:10 < jeev> krzee, i'm starting to doubt that i'll get that client now
14:10 < networkpro> so you made my question irrelevant for that you're not a pfsense user
14:11 <+_FBi> I'm trying to understand the problem
14:11 <+_FBi> does mikrotik require a different cert than the one you made?
14:11 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
14:12 -!- roger_rabbit [~admin@unaffiliated/roger-rabbit/x-7769789] has quit [Quit: WeeChat 0.3.8]
14:14 <@ecrist> so, we, in this channel, need to support everything that includes OpenVPN?
14:14 <@ecrist> doesn't make sense to me
14:15 <+_FBi> I agree with you ecrist, but if I can help -- I'll do what I can.  Most of the time I cannot haha
14:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:15 -!- mode/#openvpn [+v s7r] by ChanServ
14:15 <@ecrist> we don't have a problem, directly, which helping when we can.  I usually point out that factoid so people doesn't bunch up their panties if nobody can or is willing to help, though.
14:16 <@ecrist> and networkpro seems to have is underoos in quite a knot
14:16 <+_FBi> yes, I agree again.  you smart guys are awesome to be around
14:18 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:21 < networkpro> Thank you for the help!
14:21 -!- networkpro [~Dim@93.183.142.29] has left #openvpn ["Closing Window"]
14:21  * ecrist notices user name, considers it appropriate.
14:22 <+_FBi> the windows is a nice touch too
14:23 < rob0> haha
14:28 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:29 < Adie> is there any good way to reduce sublimation in the freezer?
14:29 < rob0> Most openvpn users also have freezers, so this is a good place to ask! ;)
14:29 <@ecrist> indeed.
14:30 < Adie> :D
14:30 <@ecrist> really, first, you need to identify the cause of sublimation in the matter at hand.
14:30 < rob0> Keep everything sealed tightly, and try to use things before you forget they're in there.
14:30 <@ecrist> if it's icecream, tell your fat wife to stay out of the freezer - it's not sublimation.  If it's ice cubes, perhaps your drinking more rum/coke's than you remmber?  also not sublimation
14:31 < Adie> uh
14:31 < Adie> All I have in my freezer is my automatic ice maker
14:31 < Adie> and sublimation kinda screws with it and I don't like it
14:31 <@ecrist> plenty of room for that dead hooker this weekend, then.
14:33 <+_FBi> now!  Dead hookers I know about!
14:33 <@ecrist> if you apply a positive pressure to your freezer, it will reduce sublimation.  I don't think freezers are designed as positive pressure vessles, however
14:51 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
15:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:29 -!- mattock is now known as mattock_afk
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:59 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
16:06 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit]
16:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
16:27 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
16:33 -!- TheSov [~TheSov4@8.40.0.2] has joined #openvpn
16:33 < TheSov> hello all, i have a personal openvpn connection setup at home and I wanted to know, other than a proxy how do i tunnel my internet via it?
16:34 < TheSov> i have access to my home network, but my internet is still local. when i setup a 0.0.0.0 route my connection drops
16:46 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:46 -!- mode/#openvpn [+v s7r] by ChanServ
16:55 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 260 seconds]
16:57 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
18:14 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 240 seconds]
18:28 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
18:28 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
18:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
18:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:12 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
19:12 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
19:12 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
19:19 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
19:25 <@krzee> !redirect
19:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:25 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:25 <@krzee> TheSov, ^^
19:27 <+_FBi> sup krzee
19:27 <@krzee> sup man
19:27 <+_FBi> dang, sounds like the wife if pulling into the driveway :/
19:27 <+_FBi> I mean... that's a good thing ;)
19:28 <+_FBi> I was at work working on my workings.  finally got uWant's network setup properly.  SMH
19:28 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
19:48 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
19:48 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
19:49 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
19:52 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:59 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
20:01 -!- fling [~fling@fsf/member/fling] has joined #openvpn
20:45 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
21:27 <@ecrist> muahaha
21:27 <@ecrist> hello, nerds
21:29 <@krzee> ahoy
21:29 <@ecrist> traded in the BMW a couple weeks ago
21:31 <@krzee> for this?    http://www.pulpfictionwallets.com/images/umawagon.jpg
21:33 < pushpop> you guys can't help me with access server right
21:33 < pushpop> trying to connect to a to openvpn via a proxy
21:33 <@krzee> right, theres a different channel for it, with a paid support team
21:33 <@krzee> !as
21:33 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
21:33 <@ecrist> krzee: this http://secure-computing.net/truck/
21:33 <@vpnHelper> Title: Index of /truck (at secure-computing.net)
21:34 <@krzee> thats a bit more manly than what i linked to
21:34 <@krzee> *tim taylor grunt*
21:34 <@krzee> !no_as
21:34 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
21:34 <@ecrist> krzee: 2015 3/4ton 6.6L Diesel LTZ
21:40 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:47 -!- abbe_ [having@badti.me] has joined #openvpn
21:48 -!- jefferai_ [sid1300@kde/mitchell] has joined #openvpn
21:49 -!- ketas- [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
21:50 -!- abbe [having@badti.me] has quit [Disconnected by services]
21:50 -!- abbe_ is now known as abbe
21:51 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
21:51 < d10n> !goal
21:51 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:51 < d10n> !welcome
21:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
21:51 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:52 -!- badaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
21:52 < d10n> !configs
21:52 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:52 < d10n> !redirect
21:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
21:52 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
21:52 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
21:52 -!- mode/#openvpn [+o plai] by ChanServ
21:52 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
21:53 -!- roentgen_ [~none@openvpn/community/support/roentgen] has joined #openvpn
21:54 -!- Netsplit *.net <-> *.split quits: elfixit, jareth_, keatont, pushpop, _0x5eb_, scottyob, pppingme, DonRichie, NucWin, jefferai,  (+21 more, use /NETSPLIT to show all of them)
21:54 -!- MogDog66 is now known as MogDog
21:54 -!- Netsplit over, joins: NucWin
21:54 -!- Brando753-o_O_o is now known as Brando753
21:54 -!- jefferai_ is now known as jefferai
21:54 -!- Netsplit over, joins: jareth_, linuxthefish
21:55 -!- Netsplit over, joins: Champi
21:55 -!- Netsplit over, joins: APTX
21:55 < d10n> It seems all my traffic is being sent through openvpn (linux host, windows client) and I only want to redirect traffic to the host's lan. Help appreciated. This is my config: https://dpaste.de/Zo0i
21:56 < d10n> er, that is my client config. Server config coming in a minute
21:56 <@ecrist> see --no-pull
21:57 <@ecrist> and then add routes
21:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:59 < d10n> ecrist: manually add the routes that --no-pull causes to be left out?
22:00 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
22:00 <@ecrist> yup
22:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:00 -!- mode/#openvpn [+o syzzer] by ChanServ
22:00 -!- zamba [marius@flage.org] has joined #openvpn
22:01 < d10n> It seems like there should be a way to still pull but use a route as the last priority / not default route
22:01 <@ecrist> no
22:02 <@ecrist> the server is probably pushing def1
22:02 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
22:03 < d10n> this is the server config for reference https://dpaste.de/xS6d
22:04 < d10n> you are right
22:06 < d10n> I'd prefer to pull redirect-gateway on clients that I do want all traffic redirected than to manually specify routes - is pull redirect-gateway (or just redirect-gateway?) the client-side equivalent of push redirect-gateway def1?
22:07 <@ecrist>  then you need CCD
22:07 <@ecrist> send default only to the ones you want.
22:08 -!- marklite [croftworth@gateway/shell/yourbnc/x-nxukbvacbpvqsqkz] has joined #openvpn
22:15 < d10n> thanks ecrist
22:15 <@ecrist> no prob
22:18 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
22:21 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
22:21 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has joined #openvpn
22:21 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
22:22 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
22:23 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
22:23 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
22:38 -!- someone [~someone@173.255.245.70] has joined #openvpn
22:40 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
23:09 -!- kirin` [telex@gateway/shell/anapnea.net/x-ewxeurxzybbwvitd] has quit [Remote host closed the connection]
23:21 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
23:23 -!- kirin` [telex@gateway/shell/anapnea.net/x-sjggcgwsedfekasl] has joined #openvpn
23:28 -!- kirin` [telex@gateway/shell/anapnea.net/x-sjggcgwsedfekasl] has quit [Ping timeout: 260 seconds]
23:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-dxtyhfoymbyvbtie] has joined #openvpn
23:38 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has joined #openvpn
23:47 -!- ShadniX [dagger@p5DDFE0F4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:48 -!- ShadniX [dagger@p5481C289.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Oct 14 2014
00:12 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
00:16 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
00:18 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Leaving]
00:29 < Eugene> Are you trying to give me an erection
00:35 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:36 -!- mattock_afk is now known as mattock
00:40 < jeev> hm
00:40  * jeev walks away
00:40 -!- Netsplit *.net <-> *.split quits: c|oneman, james41382, AsadH, akp, zamba, fixxxermet, pa, Cyclohexane, Pandemic_Force
00:46 -!- Netsplit over, joins: zamba, Pandemic_Force, james41382, pa, fixxxermet, c|oneman, Cyclohexane, AsadH, akp
00:46 -!- zamba [marius@flage.org] has quit [Max SendQ exceeded]
00:47 -!- zamba [marius@flage.org] has joined #openvpn
00:48 -!- ketas- is now known as ketas
01:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
01:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
01:03 -!- mode/#openvpn [+v s7r] by ChanServ
01:45 -!- tuor-work [~quassel@212.25.21.185] has joined #openvpn
01:52 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Remote host closed the connection]
01:59 -!- mattock is now known as mattock_afk
02:00 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
02:10 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
03:05 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
03:07 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
03:11 -!- dazo_afk is now known as dazo
04:15 -!- Mattias [~mattias@unaffiliated/mattias] has left #openvpn ["WeeChat 0.4.2"]
04:18 -!- livelace [~livelace@77.93.110.30] has joined #openvpn
04:20 < livelace> Hello. Wath mean "Max bcast/mcast queue length,2" ? How can I influence these parameters ?
04:28 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
04:32 -!- indy [~indy@fantomas.bestit.cz] has quit [Excess Flood]
04:33 -!- indy [~indy@fantomas.bestit.cz] has joined #openvpn
04:41 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 240 seconds]
05:05 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 260 seconds]
05:05 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
05:06 < urbanendeavour> hi
05:06 < urbanendeavour> !speed
05:06 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
05:06 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
05:06 < urbanendeavour> !tunortap
05:06 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
05:06 <@vpnHelper> rooted/jailbroken) support only tun
05:06 < urbanendeavour> !tap
05:06 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
05:06 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
05:08 < urbanendeavour> Can anyone advise on broken windows file transfers
05:18 -!- scottyob [~scottyob@104.131.140.184] has joined #openvpn
05:28 <@dazo> !welcome
05:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
05:28 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:38 < urbanendeavour> I would like to be able to transfer files without them stopping using openvpn, please advise?
05:38 <@dazo> !configs
05:38 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
05:38 <@dazo> !logs
05:38 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:49 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 260 seconds]
05:56 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
05:56 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
06:17 -!- detha [~detha@unaffiliated/detha] has joined #openvpn
06:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:25 -!- mattock_afk is now known as mattock
06:41 -!- livelace [~livelace@77.93.110.30] has quit [Quit: Leaving]
07:14 -!- Latrina [~Latrina@ppp-120-26.26-151.libero.it] has quit [Ping timeout: 272 seconds]
07:14 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Quit: Leaving]
07:15 -!- Latrina [~Latrina@151.56.162.79] has joined #openvpn
07:54 < julieeharshaw> hey! i want to update resolv.conf from --up and --down scripts, AND i want to run openvpn in a chroot. is that even possible? (FreeBSD 10.1)
07:58 < rob0> !dnsmasq
07:58 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
07:59 < rob0> I'd use dnsmasq rather than change resolv.conf
07:59 < creshal> Wouldn't this more be a case for resolvconf? That *should* be able to update the /etc/resolv.conf through chroot/from unprivileged processes.
08:00 <@dazo> with dnsmasq you get more easily split-dns implemented, which often is a better solution (not sending all dns queries via the vpn tunnel)
08:01 < creshal> dazo: How'd you configure that from a chroot, though? Dbus API?
08:03 <@dazo> creshal: iirc, the chroot() happens after the connection has been established (given that --chroot is used in the openvpn config, and not some chroot outside openvpn) ... so /etc/resolv.conf gets updated before the chroot() happens
08:03 <@dazo> or the dnsmasq config
08:03 < julieeharshaw> up is called before chroot, down, obviously, from inside of the chroot
08:03 < creshal> Ah, nevermind then.
08:04 < julieeharshaw> i am using unbound on the vpn server, would be possible to use it on the client, too, instead of dnsmasq?
08:04 <@dazo> julieeharshaw: regarding --down ... unless you use --plugin openvpn-downroot.so
08:04 -!- cm_ [~chris@datura.ielf.org] has joined #openvpn
08:04 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
08:04 < rob0> Best I can think is for --down to set something which was picked up by inotify or the like
08:04 < rob0> ah, or that
08:05 < rob0> I don't use unbound, so my writeup was for what I do use.  And I also dabble in BIND a bit.
08:05 < julieeharshaw> @dazo, thanks, that looks very useful!
08:06 < rob0> BIND, being a complete DNS implementation, is a bit more difficult in some cases, but it could do this also.
08:06 <@dazo> I'm using ISC Bind with split-dns ... but just because I knew how to do that before I discovered dnsmasq's abilities
08:07 < julieeharshaw> rob0, thanks, i'm gonna read your article and try to find out if unbound has the required features, too. i'd rather not use two different DNS servers, if possible, and unbound is part of the FreeBSD base system
08:12 < rob0> I use BIND where appropriate (authoritative service, or recursion for a LAN), but I like dnsmasq on laptops and for LAN DHCP+DNS.
08:16 <@ecrist> we use BIND with views. 
08:16 <@ecrist> PITA to setup, but once it is, it works well
08:17 -!- ylluminate [~ylluminat@cpe-198.144.157.121.ca.yorkinet.com] has joined #openvpn
08:18 <@dazo> ecrist++
08:20 < julieeharshaw> i think i'm gonna use resolvconf with openvpn-downroot after all. i want the configuration to change, so i can use the same hostnames whether connected via vpn or not, resolved by my unbound instance in the former case, and by the domain registrar's DNS in the latter
08:20 -!- ylluminate [~ylluminat@cpe-198.144.157.121.ca.yorkinet.com] has quit [Client Quit]
08:23 < julieeharshaw> i could use unbound/dnsmasq as a local caching resolver—and i probably will, eventually—but i'd still need to update its configuration via resolvconf, right?
08:24 <@dazo> julieeharshaw: not really.  You have /etc/resolv.conf always pointing at ::1 or 127.0.0.1 ... and then your --up script may want to update the dnsmasq/unbound config and reload the daemon
08:25 -!- ylluminate [~ylluminat@cpe-198.144.157.121.ca.yorkinet.com] has joined #openvpn
08:25 <@dazo> unless you use a static config with just some domains going via the tunnel ... and unbound/dnsmasq will query whichever upstream DNS server you've configured (and caches those results)
08:26 <@dazo> (in that case, no --up/--down is needed at all)
08:27 < julieeharshaw> yep, that's what i mean. FreeBSD's resolvconf can automatically update unbound's, dnsmasq's, bind's and pdnsd's config files
08:27 <@dazo> ahh, okay ... I didn't know that ... well, then yes :)
08:28 < julieeharshaw> and i want my domain to resolve via my private dns when connected to the vpn, and via a public dns server when not. if i install unbound, resolvconf will update unbound's config, if i don't, it will update directly /etc/resolv.conf. there's no way around that i think
08:32 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
08:42 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
09:01 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving.]
09:04 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
09:07 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
09:07 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
09:08 -!- cm_ [~chris@datura.ielf.org] has quit [Quit: Lost terminal]
09:13 <@dazo> krzee: http://inversepath.com/usbarmory
09:13 <@vpnHelper> Title: Inverse Path - USB armory (at inversepath.com)
09:22 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
09:41 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
09:46 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
10:08 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
10:09 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Client Quit]
10:13 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
10:22 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
10:26 -!- urbanendeavour [~xoveruk@217.150.106.82] has joined #openvpn
10:30 < urbanendeavour> How can you prevent a user from installing the client on their personal computer as there user account will allow them to download the client again when they connect using the web browser?
10:33 < Eugene> That's a Group Policy question, and not one that I'm really qualified to answer
10:33 < Eugene> "don't let them install software"
10:34 < urbanendeavour> Eugene, Not really, if a user has vpn access they can download the client from home
10:34 < urbanendeavour> Once logged in the clients are available to download.
10:35 < Eugene> What the hell are you talking about? The openvpn client is publically available
10:35 < Eugene> !download
10:35 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
10:35 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
10:35 < Eugene> Anybody can grab that ^
10:35 < Eugene> Anybody can install that, if they have admin privileges to a system
10:36 < urbanendeavour> WTF, the certificates don't match.
10:39 -!- urbanendeavour [~xoveruk@217.150.106.82] has quit [Quit: Leaving]
10:48 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:52 -!- Airwave [~Airwave@94.246.37.45] has joined #openvpn
10:58 < Airwave> Is there any way to select which SSL/TLS versions OpenVPN allows?
10:58 < creshal> Good question.
10:59 < creshal> Airwave: --tls-version-min according to the man page.
11:01 < Airwave> creshal: I can't see it in my man page. Running 2.3.2.
11:05 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 240 seconds]
11:17 < Airwave> Looks like it was added in 2.3.3.
11:21 < Airwave> What's the difference between --cipher and --tls-cipher?
11:22 < pekster> --tls-cipher is for selecting the allowable TLS Cipher-suite methods you accept, while --cipher is the _single_ symmetric data-channel cipher you want to use
11:23 < pekster> Sounds to me like you want --tls-cipher. The --tls-version-* stuff is for selecting the TLS _version_ you're willing to negotiate, not the actual cipher
11:23 < pekster> And TLSv1.2 is in >=2.3.3 only
11:27 -!- tuor-work [~quassel@212.25.21.185] has quit [Ping timeout: 255 seconds]
11:28 < Airwave> pekster: So --tls-cipher is for the control channel?
11:28 < Airwave> And --cipher for the data channel? Am I understanding it correctly?
11:37 < pekster> Yup
11:37 < Airwave> Great. Thank you very much.
11:38 <@krzee> but he brings a good point, the manual cold use that info
11:38 <@krzee> could*
11:38 <@krzee> since i feel like he read the manual and did not get that from it...
11:39 < Airwave> I did read the manual, yes.
11:39 -!- ShadniX [dagger@p5481C289.dip0.t-ipconnect.de] has quit [Quit: Bye.]
11:41 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 255 seconds]
11:41 -!- ShadniX [dagger@p5481C289.dip0.t-ipconnect.de] has joined #openvpn
11:42 <@krzee> https://community.openvpn.net/openvpn/ticket/463
11:42 <@vpnHelper> Title: #463 (Small note about --cipher and --tls-cipher) – OpenVPN Community (at community.openvpn.net)
11:45 < Airwave> Very nice!
11:49 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
11:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:16 -!- dazo is now known as dazo_afk
12:23 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
12:42 -!- fannet [~naegelin@cpe-74-73-241-209.nyc.res.rr.com] has joined #openvpn
12:43 < fannet> Can someone please explain to me if openvpn is affected by the new SSLv3 vulnerability. I understand it is not disclosed fully yet but can SSLV3 be disabled completely?
12:48 < Eugene> No idea. You're the first one to ask in here.
12:55 <@krzee> fannet, got link?
12:56 < Eugene> The CVE hasn't dropped yet
12:57 <@krzee> fannet, you might need to wait til people know what it is til we know what it effects.
12:57 < rob0> But we'll certainly say we heard it here first!
12:58 -!- Latrina [~Latrina@151.56.162.79] has quit [Ping timeout: 250 seconds]
12:58 <@krzee> :D
13:00 <@ecrist> krzee: http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
13:00 <@vpnHelper> Title: Nasty SSL 3.0 vuln to be revealed soon – sources • The Register (at www.theregister.co.uk)
13:00 <@krzee> thank you
13:00 <@krzee> ecrist, any talk in dev chan about it yet? i dont see any
13:01 -!- Latrina [~Latrina@151.56.179.207] has joined #openvpn
13:01 <@ecrist> nope
13:02 <@ecrist> CVE 2014-4114 looks neat, too
13:02 <@ecrist> https://www.virusbtn.com/blog/2014/10_14.xml
13:02 <@krzee> looks windows specific from the article
13:02 <@vpnHelper> Title: Virus Bulletin : Blog - Windows zero-day used in targeted attacks (at www.virusbtn.com)
13:04 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
13:06 -!- Airwave [~Airwave@94.246.37.45] has quit [Ping timeout: 260 seconds]
13:07 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
13:07 <@ecrist> http://pastebin.com/rfYAdRrF
13:07 -!- Latrina [~Latrina@151.56.179.207] has quit [Ping timeout: 240 seconds]
13:20 < fannet> glad I was the first =)
13:21 <@krzee> http://www.reactionface.info/sites/default/files/images/1310498559979.png   <--- me when i see a windows only bug
13:32 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Quit: Leaving]
13:33 -!- Airwave [~Airwave@94.246.37.45] has joined #openvpn
13:35 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
13:38 < ValdikSS> Hello. Can someone explain me mssfix?
13:39 < ValdikSS> It is 1450 by default, so it allows packets no more than 1490 or 1498?
13:40 < ValdikSS> (8 bytes udp header)
14:00 <@ecrist> !mssfix
14:01 <@ecrist> no
14:01 <@ecrist> it allows packets no bigger than 1450
14:23 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
14:31 < ValdikSS> ecrist: packets? You type MTU in mssfix?
14:32 < ValdikSS> ecrist: From my tests, this seems right indeed
14:32 < ValdikSS> ecrist: so, by default, it is configured for 1450 MTU (not MSS), right?
14:34 -!- badaptr is now known as adaptr
14:34 -!- Joe-T [~Joe-T@97e76cf9.skybroadband.com] has quit [Quit: ZNC - http://znc.in]
14:40 -!- badhatter [~badhatter@unaffiliated/plotplanexe] has joined #openvpn
14:42 <@ecrist> ValdikSS: read the man page
14:42 <@ecrist> !man
14:42 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:42 <@ecrist> Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
14:43 <@ecrist> mtu is for the ENTIRE packet size.  MSS is for the encapsulated packet size
14:43 < ValdikSS> ecrist: It's not clear should I enter MSS or MTU there
14:44 <@ecrist> what are you trying to fix?
14:44 < ValdikSS> ecrist: Let's assume I have link with 1500 MTU. I need that TCP don't fragment over OpenVPN. I can set link-mtu 1500, but let's handle with mssfix
14:44 < ValdikSS> ecrist: I'm trying to understand how mssfix works
14:44 < ValdikSS> ecrist: So, if I set mssfix to 1500, it sends TCP MSS 1401 (OpenVPN is over TCP)
14:44 -!- badhatter [~badhatter@unaffiliated/plotplanexe] has quit [Ping timeout: 265 seconds]
14:45 <@ecrist> you should just leave it alone
14:45 < ValdikSS> ecrist: I can't. Sometimes I connect from links with broken pmtu (blocked ICMP) and not 1500 mtu
14:46 <@ecrist> have you tried --mtu-test
14:46 <@ecrist> !mtu
14:46 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
14:46 < ValdikSS> ecrist: Yes. I know my MTU.
14:46 <@ecrist> mss should be less than your link mtu minus UDP header
14:47 < ValdikSS> ecrist: Lets assume I have link with 1400 MTU and with broken PMTU
14:47 < ValdikSS> ecrist: Should I set mssfix 1400 or 1460?
14:47 < ValdikSS> 1360*
14:47 <@ecrist> 1360
14:47 < ValdikSS> ecrist: I though so earlier. But why so much overhead then?
14:47 < ValdikSS> ecrist: mssfix 1500 gives me MSS 1401
14:48 <@ecrist> you shouldn't be using mssfix 1500
14:48 <@ecrist> the arg to mssfix is the max - it can still be smaller
14:48 <@ecrist> read the man page, please
14:50 < fannet> Is there a way to disable sslv3 completely in openvpn
14:50 <@ecrist> why?
14:50 < fannet> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
14:50 <@vpnHelper> Title: Nasty SSL 3.0 vuln to be revealed soon – sources • The Register (at www.theregister.co.uk)
14:51 < ValdikSS> ecrist: Man is not clear for me. It says, that mssfix is only useful for UDP and it doesn't include UDP overhead (8 bytes)
14:51 < ValdikSS> ecrist: But from my tests, that's not so
14:51 <@ecrist> seems to be fine
14:51 < fannet> In otherwords can you force openvpn into using purely TLS v1.1
14:51 < fannet> (or 1.2
14:52 <@ecrist> --tls-version-min
14:52 <@ecrist> fannet: 
14:52 <@ecrist> see above
14:52 < fannet> thx
14:55 <@ecrist> ValdikSS: if you want to understand further, you're likely going to need to go follow the code paths yourself
14:55 < ValdikSS> ecrist: yes, it seems so. Thanks anyway
15:00 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
15:00 < Taftse|Mac> !welcome
15:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:00 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:02 < Taftse|Mac> !goal
15:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:02 < ValdikSS> ecrist: Hrmm. It definitely seems that mssfix MTU, not mssfix MSS
15:03 -!- mattock is now known as mattock_afk
15:04 < ValdikSS> ecrist: ping -s 1168 IP_INSIDE_TUNNEL gives raw ip packet with size 1255
15:04 < ValdikSS> ecrist: ping -s 1168 sends IP packet with length 1196
15:04 < ValdikSS> So, 59 bytes maximum raw overhead (with filled aes-128 padding)
15:05 < ValdikSS> set mssfix 1500
15:05 < ValdikSS> should be 1460 - 59 = 1401
15:05 < ValdikSS> mss is 1401 with mssfix 1500
15:05 < ValdikSS> mss is 1361 with mssfix 1460
15:05 < ValdikSS> so mssfix needs mtu not mss
15:06 < ValdikSS> (mssfix 0 on server side)
15:06 <@ecrist> yes
15:06 <@ecrist> if you had read the man page, you'd have understood that
15:07 <@ecrist> the --mssfix section is quite large
15:08 < ValdikSS> ecrist: Why the man page says about UDP and UDP encapsulation? This is very confusing
15:09 < ValdikSS> ecrist: >The max parameter is interpreted in the same way as the --link-mtu parameter, i.e. the UDP packet size after encapsulation overhead has been added in, but not including the UDP header itself.
15:09 < ValdikSS> ecrist: it DOES include TCP header incapsulation (didn't test with UDP yet)
15:10 < ValdikSS> ecrist: >The --mssfix option only makes sense when you are using the UDP protocol for OpenVPN peer-to-peer communication, i.e.  --proto udp
15:10 < ValdikSS> ecrist: wrong!
15:11 < ValdikSS> ecrist: http://openvpn.net/archive/openvpn-users/2005-04/msg00362.html this message confused me initially
15:11 <@vpnHelper> Title: Re: [Openvpn-users] ADSL->ADSL OpenVPN, what MTU? 1492? (at openvpn.net)
15:12 < ValdikSS> ecrist: >it down-negotiates the TCP MSS to 1450 by default
15:13 < ValdikSS> >
15:13 < ValdikSS> [23:47] <ValdikSS> ecrist: Should I set mssfix 1400 or 1460?
15:13 < ValdikSS> [23:47] <ValdikSS> 1360*
15:13 < ValdikSS> [23:47] <ecrist> 1360
15:13 < ValdikSS> ecrist: So I should use mssfix 1400
15:22 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
15:22 < ahuemer> hi all
15:24 < ahuemer> i want to configure several site-to-site VPNs with one common node, in a tree-like fashon. can that be done with one tun device? i seem to only find examples of site-to-site setups with just one connection
15:31 -!- GoldenGlovez [~GG@78.129.218.25] has quit [Ping timeout: 258 seconds]
15:31 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:33 -!- GoldenGlovez [~GG@78.129.218.25] has joined #openvpn
15:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
15:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:40 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:45 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
15:49 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:51 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
15:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
15:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:18 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
16:26 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
16:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
17:08 < Eugene> Sure
17:08 < Eugene> !clientlan
17:08 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
17:08 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:08 < Eugene> !route
17:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:08 <@vpnHelper> client
17:08 < Eugene> Each client which has a net behind it gets an iroute entry.
17:09 < Eugene> As long as all clients get the proper routes pushed to them, everything works
17:13 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
17:32 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
17:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:39 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:40 < ahuemer> Eugene: thanks for your answer. i am not sure if i really get it. the idea is that i manually assign the ip address each 'client' (router of that site) gets. each site should have a seperate subnet behind it. like 192.168.101.x for site A, 192.168.102.x for site B, you get the idea
17:40 < Eugene> Yup.
17:40 < ahuemer> what would be an example config for that scenario?
17:41 < Eugene> The one linked in !route
17:41 < Eugene> There they use 10.10.1.0/24, 10.10.2.0/24, and 10.10.3.0/24, but it's the exact same thing.
17:41 < Eugene> See the diagram halfway through
17:42 < ahuemer> ok, i'll read that completely. thanks
18:03 -!- ylluminate [~ylluminat@cpe-198.144.157.121.ca.yorkinet.com] has quit [Ping timeout: 245 seconds]
18:08 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
19:11 -!- Licenser [znc@178.62.181.153] has joined #openvpn
19:12 < Licenser> Hi everyone, I was wondering since OpenVPN uses SSl/TLS is it affected by POODLE? Saying are there scenarios where SSLv3 is used instead of TLS and if so is there a way to force TLS?
19:14 < pekster> OpenVPN will use TLSv1.0, or optionally 1.2 (as of 2.3.3, if both sides support it, and you use --tls-version-min on any 2.3.4 nodes that will otherwise force use of TLSv1.0))
19:15 < pekster> You may also wish to review the tls cipher-suites you allow; some info on that at our !hardening factoid
19:15 < Licenser> wonderful thank you so much pekster :)
19:15 < Licenser> !hardening
19:15 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
19:20 <@krzee> oh cool it got a name, poodle
19:21 < Licenser> yea it's a pretty cool name too!
19:21 < rob0> They all get names now.
19:21 < Licenser> the big ones at least
19:21 < rob0> Speaking of which, I wrote an awesome little song about shellshock.
19:21 <@krzee> oh god
19:21 < rob0> If I can get it produced as a video, you will love it.
19:22 < pekster> !learn poodle as http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has
19:22 <@vpnHelper> Joo got it.
19:22 <@krzee> pekster++
19:28 < pekster> FYI, the magic in the source is src/openvpn/ssl_openssl.c:220, with SSL_OP_NO_SSLv3
19:34 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 260 seconds]
19:37 -!- ChanServ changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.4 (02 May 2014) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Vulninfo: !heartbleed & !poodle
19:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:43 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
20:28 -!- detha [~detha@unaffiliated/detha] has quit [Ping timeout: 250 seconds]
20:28 -!- Zimsky-- [~alice@unaffiliated/zimsky] has joined #openvpn
20:29 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
20:29 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
20:29 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds]
20:30 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
20:30 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 260 seconds]
20:30 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
20:30 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
20:30 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 260 seconds]
20:31 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds]
20:31 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 260 seconds]
20:31 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 260 seconds]
20:31 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
20:33 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
20:33 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
20:33 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
20:33 -!- XJR-9_ is now known as XJR-9
20:33 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
20:33 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 272 seconds]
20:33 -!- batrick_ [batrick@nmap/developer/batrick] has joined #openvpn
20:33 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
20:33 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
20:33 -!- BtbN [btbn@btbn.de] has joined #openvpn
20:34 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
20:34 -!- mode/#openvpn [+o plaisthos] by ChanServ
20:34 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
20:34 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
20:38 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
--- Log closed Tue Oct 14 20:41:34 2014
--- Log opened Tue Oct 14 20:42:31 2014
20:42 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
20:42 -!- Irssi: #openvpn: Total of 176 nicks [10 ops, 0 halfops, 3 voices, 163 normal]
20:42 -!- mode/#openvpn [+o ecrist_] by ChanServ
20:42 -!- Irssi: Join to #openvpn was synced in 0 secs
20:42 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 272 seconds]
20:42 -!- Droolio [~drool@host86-132-103-182.range86-132.btcentralplus.com] has quit [Ping timeout: 272 seconds]
20:42 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
20:42 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
20:42 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
20:42 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
20:42 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 260 seconds]
20:42 -!- Tykling [tykling@gibfest.dk] has quit [Ping timeout: 260 seconds]
20:42 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 260 seconds]
20:42 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 260 seconds]
20:42 -!- TheSov [~TheSov4@8.40.0.2] has quit [Ping timeout: 260 seconds]
20:43 -!- You're now known as ecrist
20:43 <@ecrist> it would seem the internet is bumpy tonight.
20:44 -!- frank-- is now known as httpd
20:44 -!- httpd is now known as thumbs
20:47 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
20:50 -!- mode/#openvpn [+v debbie10t] by ChanServ
20:50 <+debbie10t> !poodle
20:50 <@vpnHelper> "poodle" is http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has
20:51 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
20:51 -!- badhatter_ [~badhatter@unaffiliated/plotplanexe] has joined #openvpn
20:52 < badhatter_> !poodle
20:52 <@vpnHelper> "poodle" is http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has
20:52 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
20:52 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
20:52 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
20:56 -!- badhatter_ [~badhatter@unaffiliated/plotplanexe] has quit [Read error: Connection reset by peer]
20:59  * ecrist realizes what thumbs was doing
20:59 <@ecrist> :P
21:08 <@krzee> hitchhiking?
21:20 < rob0> Hitchhikers Take Turns Petting Dogs (httpd)
21:21 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 260 seconds]
21:21 < rob0> thumbs are opposed to fingers.
21:23 < thumbs> grr
21:23 < thumbs> ecrist: sorry, I just used my grouped nickname
21:23 < thumbs> (prevent it from expiring)
21:25 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
21:26 < rob0> Having (a) Terrible Time (with) Personal Disguises
21:28 < thumbs> rob0: I'm not the one hiding behind that name :)
21:33 < rob0> Thumbs Heard Unique Make-Believe Stories
21:35 < rob0> The Hardest Undertaking Must Begin Somewhere
21:37 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
21:40 < fannet> !hardening
21:40 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
21:42 <@ecrist> heh
21:46 < fannet> If openvpn uses TLSv1.0 then why does it say TLSv1.0/SSLv3 during connect
21:46 < fannet> Tue Sep 30 15:26:54 2014 us=870729 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
21:47 < rob0> that's describing the cipher in use, see the commas?
21:48 < fannet> ah
21:48 < fannet> less beers would help
21:49 < rob0> Perfectly placating Poodle panic
22:04 <@ecrist> thumbs: don't you have +o is some channel or another I frequent?
22:07 < thumbs> ecrist: probably.
22:10 <@ecrist> hrm, my IRC logs would seems to think otherwise.
22:10 <@ecrist> apparently you have +v here once in a while
22:10 < pekster> fannet: Internally, the codebase has to rely on "SSL" function calls, but the SSLv3 stuff is explicitly disabled (in the 2.3.4 sources, see ssl_openssl.c:220 to confirm ;)
22:11 < pekster> You'll sometimes see reference to "SSL" at various log outputs, but that's just a reference to the internal API
22:11 < thumbs> ecrist: I blame rob0 !
22:12 -!- mode/#openvpn [+o thumbs] by ecrist
22:12 <@ecrist> at least now you'll show up with @ in my logs.
22:12 -!- mode/#openvpn [-vo rob0 thumbs] by thumbs
22:12 < thumbs> wee
22:12 < fannet> what about in 2.3.2
22:13 < thumbs> and I get to devoice rob0, bonus.
22:13 <@ecrist> fannet: you can review the source yourself.
22:13 < fannet> I believe thats what debian stable and others are shipping
22:13 <@ecrist> historically, we don't officially support old versions of the software.
22:13 < pekster> fannet: They explicitly relied in the TLSv1_* calls there, but still no SSLv3, just a different OpenSSL C-API way of doing the samem thing
22:13 <@ecrist> we don't backport patches, etc,
22:13 < fannet> I could but many others wont
22:14 <@ecrist> there are some instances where a package maintainer will port a patch to an old verions, but we don't do that.
22:14 < pekster> f.ex, 2.3.2 src/openvpn/ssl_openssl.c:130
22:15 < pekster> We've got special poodle-fencing here
22:15 < fannet> so how do you control security patches from package sources on official distros like debian?
22:15 <@ecrist> we don't
22:15 < fannet> so you just say “too bad let everyone get pwned”?
22:15 <@ecrist> yup
22:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:15 < fannet> nice
22:16 <@ecrist> we distribute openvpn, not xyz package
22:16 <@ecrist> if you want the latest/greatest/security-patched-uber-foo, download source and compile it yourself
22:16 < fannet> mkay.
22:16 < fannet> good thing the rest of the world didn’t treat heartbleed like that
22:17 <@ecrist> all that in mind, the package maintainers generally keep a close eye on commits, and a few maintainers are around here
22:17 <@ecrist> fannet: you're looking at this from the wrong angle.
22:17 < pekster> heartbleed was pretty easy from an openvpn standpoint since it was the distro's (for binary-distros) job to ship fixed libs
22:17 <@ecrist> the only one that can fix a package distribution is that maintainer
22:17 <@ecrist> we don't do that.
22:17 < thumbs> now, don't take that too harshly - most maintained distros try to apply patches to most recently shipped versions.
22:18 < fannet> typically there is coordination between the developer and the maintainer no?
22:18 <@ecrist> I am, for instance, involved with the FreeBSD port of openvpn, and I am the actual maintainer for -devel and -beta packages, so those are generally well-kept
22:18 <@ecrist> the primary maintainer is also active
22:18 <@ecrist> openvpn technologies maintains an openvpn debian repo, directly, you can get your packages from
22:19 <@ecrist> fannet: yes, but it's maintainer->project, not project->maintainer
22:19 < fannet> is that the OSS comnuity build?
22:19 < fannet> community
22:19 < pekster> If the links are valid, there's:
22:19 < pekster> !repos
22:19 < pekster> !repo
22:19 <@vpnHelper> "repo" is openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
22:19 <@ecrist> we, as a project, did our work by fixing the main source (for the record, no work for us to do with CVE-2014-3566)
22:21 <@ecrist> the only work "we" had to do for CVE-2014-0160 was to rebuild and redistribute a non-vulnerable copy of the Windows binary
22:21 <@ecrist> since we do maintain that "distro"
22:21 <@ecrist> x-1060 was heartbleed, ftr
22:21 <@ecrist> x-0160
22:21  * ecrist rum
22:24 <@ecrist> !factoids
22:24 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
22:25 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
22:28 < fannet> while im here - is there any good tutorials or discussions involving elliptic curve w/ openvpn
22:32 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 256 seconds]
23:13 <@krzee> !factoids search tls
23:13 <@vpnHelper> 'tls-cipher' and 'tls-auth'
23:14 < pekster> fannet: Probably not for ECC since any supporting bits would be git-master only at this point
23:15 < pekster> GCM for the data-channel was reported to be working with one of the patches IIRC, but I'm not sure about the TLS negotiation since that involves more complex parts like options/API-calls for the keypairs, curve params, etc
23:26 < fannet> ah ok thanks
23:47 -!- ShadniX [dagger@p5481C289.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:48 -!- ShadniX [dagger@p5DDFEC87.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Oct 15 2014
00:38 < TyrfingMjolnir> How many keys should be made when using OpenVPN?
00:38 < TyrfingMjolnir> One pr user?
00:38 < TyrfingMjolnir> One pr unit?
00:38 < TyrfingMjolnir> One pr department?
00:41 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
00:58 <@krzee> per user
00:59 <@krzee> !easy-rsa
00:59 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
01:16 < TyrfingMjolnir> What is a phone is lost?
01:16 < TyrfingMjolnir> :s/is/if
01:26 <@krzee> !crl
01:26 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
01:26 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you or (#3) openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
01:34 -!- Latrina [~Latrina@adsl-ull-205-204.50-151.net24.it] has joined #openvpn
01:43 < TyrfingMjolnir> crl would be pr user? or pr node?
01:43 < TyrfingMjolnir>  /unit?
01:46 <@krzee> normally it goes on the server and tells it which clients are revoked
01:48 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
01:49 -!- detha [~detha@unaffiliated/detha] has joined #openvpn
01:50 -!- dazo_afk is now known as dazo
01:53 < TyrfingMjolnir> But each client has 3 certs in my case
01:53 < TyrfingMjolnir> iPhone
01:54 < TyrfingMjolnir> laptop
01:54 < TyrfingMjolnir> android/tablet
01:54 <@krzee> thats 3 clients.
01:54 <@krzee> each person can have 3 clients.
01:54 <@krzee> or however many
01:54 < TyrfingMjolnir> Some have 1 some have 3
01:54 <@krzee> but each gets a different cert per device
01:54 < TyrfingMjolnir> Ahhh
01:54 <@krzee> and they get blocked seperately
01:55 < TyrfingMjolnir> So I do not need to make one cert pr unit?
01:55 <@krzee> <krzee> per user
01:55 <@krzee> wasnt clear?
02:01 < TyrfingMjolnir> Yes
02:01 < TyrfingMjolnir> But I started this 4 years ago
02:01 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:01 <@krzee> seems a long time to not know how to distribute the certs
02:02 < TyrfingMjolnir> I use IMAP for distributing the certs
02:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
02:07 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
02:09 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
02:13 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
02:15 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
02:19 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:24 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:46 -!- cm_ [~chris@datura.ielf.org] has joined #openvpn
03:40 < julieeharshaw> good morning everyone!
03:40 < julieeharshaw> my resolvconf up script works nicely (https://github.com/juliekoubova/home/blob/master/ansible/roles/openvpn/provision-client-freebsd/files/update-resolvconf)
03:40 <@vpnHelper> Title: home/update-resolvconf at master · juliekoubova/home · GitHub (at github.com)
03:41 < julieeharshaw> but openvpn-plugin-down-root never seems to call the down variant?
03:43 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
03:46 < julieeharshaw> here's my openvpn.conf and log: https://gist.github.com/juliekoubova/407825c075c6ddb4fe26
03:46 <@vpnHelper> Title: openvpn ups and downs (at gist.github.com)
03:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:46 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:47 < julieeharshaw> is there any gentler way of stopping openvpn than what FreeBSD rc.d script uses? it seems to me like openvpn is getting killed
03:47 < julieeharshaw> i mean, it's not a big deal, only thing that happens is that the now unavailable internal vpn dns server keeps on hanging in the resolv.conf file
03:47 < julieeharshaw> but still
03:48 < julieeharshaw> i'd like it to work :)
03:48 <@krzee> !learn poodle as https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
03:48 <@vpnHelper> Joo got it.
03:49 <@krzee> julieeharshaw, you can stop it with signals or management interface
03:49 <@krzee> !management
03:49 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
03:50 <@krzee> julieeharshaw, i dont see a --down script
03:50 < julieeharshaw> @krzee, i use down-root plugin. do i need to specify a --down option as well?
03:50 <@krzee> the plugin is for running that down script as root
03:51 <@krzee> you still need to run a script if you want to
03:51 < julieeharshaw> ah, i thought i need to specify  the down script as an argument to the plugin
03:51 <@krzee> the plugin is so you can run a --down script as root even if you drop permissions with --user --group
03:52 <@krzee> if the script doesnt need root, or you dont drop permissionsm then you dont need the plugin.
03:52 <@krzee> and the plugin with no script to call will do nothing
03:54 < julieeharshaw> i nede root for updating resolv.conf
03:54 < julieeharshaw> i can't specify the script as --down because it isn't inside of the openvpn chroot
03:54 < julieeharshaw> if i do, openvpn fails to validate the config file
03:55 <@krzee> well of course the script needs to be in the chroot
03:56 < julieeharshaw> i am supposed to pass the script as an argument to the down root plugin, according to https://github.com/OpenVPN/openvpn/blob/master/src/plugins/down-root/README.down-root
03:56 <@vpnHelper> Title: openvpn/README.down-root at master · OpenVPN/openvpn · GitHub (at github.com)
03:56 < julieeharshaw> not as --down
03:57 <@krzee> ahh ok
03:57 <@krzee> ive never actually used the plugin, sorry
03:58 < julieeharshaw> thanks anyway!
03:58 <@krzee> (i never use down scripts)
04:00 -!- c0mrade_ [~c0mrade_@unaffiliated/c0mrade/x-3310965] has joined #openvpn
04:00 < c0mrade_> Anyone interested in free hosting? :D I've got some space on my home server...
04:00 <@krzee> julieeharshaw, when openvpn dies another way does it run?
04:00 <@krzee> julieeharshaw, if so, you could add a line to fix the dns into your rc script i guess
04:00 <@krzee> c0mrade_, no thanks
04:00 < c0mrade_> krzee: Okay.
04:01 <@krzee> but out of curiousity where is home?
04:01 < julieeharshaw> ok, i'll try to stop it via the management interface
04:02 < c0mrade_> krzee: Lebanon.
04:02 <@krzee> or send it a sigterm
04:03 <@krzee> damn, that must be an interesting place to be lately
04:03 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
04:04 < c0mrade_> krzee: No really.
04:04 -!- tuor-work [~quassel@212.25.21.185] has joined #openvpn
04:04 < c0mrade_> Not*
04:04 < c0mrade_> It's like the most fu**ed up place you would want to live in.
04:06 <@krzee> ya thats what i imagined, it just didnt seem like the right way for me to say it
04:07 <@krzee> ;]
04:07 < c0mrade_> krzee: It's a fact and we live with it...
04:07 < c0mrade_> No other choice.
04:08 <@krzee> does your country impose national internet filters?
04:08 < julieeharshaw> @krzee, SIGTERM is what the rc script does
04:09 < julieeharshaw> it looks exactly the same
04:09 <@krzee> ahh
04:09 < c0mrade_> It's pretty harsh. You walk down the street and you always have the fear of some explosion, like a car or a terrorist or something...
04:09 <@krzee> julieeharshaw, by looks do you mean in the log?  can you try running a nice simple script that just makes a file somewhere? also be sure it has the right permissions and a valid shbang
04:09 < c0mrade_> And here am I, like out of no where offering free hosting like life is so good and beautiful :D
04:10 <@krzee> im not sure if the plugin would output to the log or not tbh
04:10 <@krzee> c0mrade_, if life was that good and beautiful it would not be so important to encrypt ;]
04:15 < julieeharshaw> WOOOHOO
04:15 < julieeharshaw> @krzee thanks:)
04:15 < julieeharshaw> it does indeed run the script, but it doesn't set the ${script_type} variable
04:16 < julieeharshaw> which my script was kinda expecting :)
04:17 <@krzee> np
04:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:34 < c0mrade_> krzee: If you own a company? Would you encrypt internal traffic?
04:34 <@krzee> absolutely.
04:34 < c0mrade_> Hehe.
04:34 < c0mrade_> Bad for you.
04:34 <@krzee> i do, and i do.
04:34 <@krzee> why bad for me?
04:35 < c0mrade_> You're making it hard for yourself too.
04:36 <@krzee> how so?
04:37 <@krzee> how am i making it hard for myself?
04:37 < c0mrade_> I don't know :P
04:37 < c0mrade_> Like...
04:38 < c0mrade_> What if someone breaks into your network is it possible to analyse to gobbldey gook?
04:39 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 244 seconds]
04:40 <@krzee> my services still log
04:40 <@krzee> my tripwires are still in place
04:41 <@krzee> what do you do that requires everything you do to be in cleartext to monitor your network?
04:41 < ahuemer> if i have /etc/openvpn/ccd/a and /etc/openvpn/ccd/b, how does openvpn know to which connecting client it has to assign which config?
04:42 <@krzee> ahuemer, based on the common-name of the certificate connecting, or username if you happen to use login/password auth AND --username-as-commonname
04:42 <@krzee> was the explanation in --client-config-dir in the manual not sufficient?
04:43 < ahuemer> maybe i have overread that. thanks for the explanation
04:43 <@krzee> no problem
04:43 <@krzee> !ccd
04:43 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
04:44 <@krzee> c0mrade_, at least the hash is good in lebanon
04:44  * krzee rolls a joint
04:57 < c0mrade_> krzee: The hash? Um I don't think so, they only use crypt no hash functions like MD5 or SHA1.
04:57 < c0mrade_> :P
04:58 <@krzee> hehe
04:58 <@krzee> !krzee
04:58 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20 or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg or (#3) location: moon base where he smokes moonajuana or (#4) takes bonghits on the freeswitch teleconference
05:25 -!- Latrina [~Latrina@adsl-ull-205-204.50-151.net24.it] has quit [Ping timeout: 244 seconds]
05:25 -!- Latrina [~Latrina@ppp-186-10.26-151.libero.it] has joined #openvpn
05:29 -!- rap_wrk [~reshad@unaffiliated/rap-wrk/x-769542] has joined #openvpn
05:29 < rap_wrk> !welcome
05:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:30 < rap_wrk> !wiki
05:30 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
05:38 < rap_wrk> !ask
05:38 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
05:38 -!- rap_wrk [~reshad@unaffiliated/rap-wrk/x-769542] has quit [Quit: Konversation terminated!]
05:38 -!- rap_wrk [~reshad@unaffiliated/rap-wrk/x-769542] has joined #openvpn
05:39 < rap_wrk> Hi, I would like to tunnel all traffic through an OpenVPN tunnel.
05:41 -!- tuor-work [~quassel@212.25.21.185] has left #openvpn ["Tuor gone"]
05:42 < rap_wrk> I have openVPN running on an ubuntu server usinf mostly the basic configuration available at http://openvpn.net/index.php/open-source/documentation/howto.html and with push "redirect-gatewat def1" and push "dhcp-option DNS 8.8.8.8"
05:42 <@vpnHelper> Title: HOWTO (at openvpn.net)
05:43 < rap_wrk> I am on linix (arch with KDE) and my wifi router gives me a DNS IP of 10.0.0.1
05:43 < rap_wrk> when I check resolv.conf after connecting to the VPN I see both 8.8.8.8 and 10.0.0.1 as nameservers
05:44 < rap_wrk> futher If I look at the traffic on the wlan interface using wireshark I see dns requests
05:46 < rap_wrk> Any help would be much appreciated
05:56 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
05:56 -!- mode/#openvpn [+v debbie10t] by ChanServ
05:56 <+debbie10t> !poodle
05:56 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
05:58 -!- Latrina [~Latrina@ppp-186-10.26-151.libero.it] has quit [Ping timeout: 244 seconds]
05:59 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Remote host closed the connection]
06:00 -!- Latrina [~Latrina@adsl-ull-185-187.50-151.net24.it] has joined #openvpn
06:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:01 < julieeharshaw> rap_wrk, how exactly do you update your resolv.conf? does the arch linux distritbution ship openvpn with some kind of --up script that does the update?
06:01 < julieeharshaw> i just had to write my own for FreeBSD
06:02 < julieeharshaw> i guess it should be a matter of changing that script so it removes the 10.0.0.1 from resolv.conf...
06:03 <+debbie10t> julieeharshaw, there is a script called update-resolv-conf that comes with ubuntu .. but arch does not come with it
06:03 <+debbie10t> not sure why
06:04 < rap_wrk> im using network manager to update the resolv.conf
06:06 < rap_wrk> julieeharshaw: writing a script shouldnt be too hard, i just want it to run on connection start and still be able to use network managher
06:06 < rap_wrk> *manager
06:07 -!- Latrina [~Latrina@adsl-ull-185-187.50-151.net24.it] has quit [Ping timeout: 272 seconds]
06:07 < julieeharshaw> and the network manager puts the pushed DNS server *before* 10.0.0.1, or after?
06:07 < julieeharshaw> maybe you can make it to remove the 10.0.0.1 altogether
06:07 < julieeharshaw> i don't know KDE at all, sorry
06:10 < rap_wrk> mine does that too
06:10 < rap_wrk> however I see dns requests going out that interface
06:11 < rap_wrk> its probably requesting both 10.0.0.1 and 8.8.8.8
06:11 < rap_wrk> Arch does ship with an /etc/openvpn/update-resolv-conf  script
06:11 < rap_wrk> am looking through it, but dont know how to call it through the network manager interface
06:13 -!- tris_ [~tris_@unaffiliated/tris/x-6638183] has joined #openvpn
06:14 < tris_> hi I have some pain to install OpenVPN on my Windows Seven 'cause of TAP Device
06:14 < tris_> I tried all solutions that I read on forums/documentations
06:15 < tris_> nothing works :'(
06:17 < julieeharshaw> rap_wrk, i would be surprised if dns resolver tried more than one dns server at a time
06:18 < rap_wrk> I can see 8.8.8.8 on top of the list in /etc/resolv.conf
06:19 < julieeharshaw> and you still see queries to 10.0.0.1? hm.
06:19 < rap_wrk> and can see DNS packets in wireshark on interface wlan0 going to 10.0.0.1
06:20 < rap_wrk> so its either selecting 10.0.0.1 and not sendign anything to 8.8.8.8 or its sending queries to both simultaniously
06:20 < julieeharshaw> are those packets really from your machine? wireshark captures everything on the link, no?
06:21 < rap_wrk> its me
06:22 < rap_wrk> I can veryfy the source and the content of the dns queries
06:22 < julieeharshaw> huh
06:23 <+debbie10t> julieeharshaw, do you have a paste of your script for arch ?
06:24 < rap_wrk> debbie10t arch comes with the script
06:24 < julieeharshaw> i don't use arch
06:24 < julieeharshaw> https://github.com/juliekoubova/home/blob/master/ansible/roles/openvpn/provision-client-freebsd/files/update-resolvconf
06:24 <@vpnHelper> Title: home/update-resolvconf at master · juliekoubova/home · GitHub (at github.com)
06:24 < rap_wrk> https://raw.githubusercontent.com/masterkorp/openvpn-update-resolv-conf/master/update-resolv-conf.sh
06:24 <+debbie10t> rap_wrk, what is the script called and where is it stored ?
06:25 < rap_wrk> debbie10t: /etc/openvpn/update-resolv-conf.sh
06:25 <+debbie10t> hmm .. i dont have it ?
06:25 < rap_wrk> check the arch wiki https://wiki.archlinux.org/index.php/OpenVPN#DNS
06:25 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
06:25 <+debbie10t> sorry .. found it
06:26 < rap_wrk> no worries
06:26 <+debbie10t> thanks
06:26 < rap_wrk> im trying to get network manager to call it
06:26 -!- c0mrade_ [~c0mrade_@unaffiliated/c0mrade/x-3310965] has quit []
06:27 <+debbie10t> strange .. i have two arch machines but only one has update-resolv-conf
06:27 < rap_wrk> hmm that is strange
06:27 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
06:27 < rap_wrk> do both have the openvpn package istalled
06:28 <+debbie10t> i am checking
06:28 <+debbie10t> hmm .. third arch also does not have the script
06:29 < rap_wrk> its not part of the openvpn package
06:29 < rap_wrk> Mine seems to have it
06:31 < rap_wrk> debbie10t: you should be able to download a copy and put it there, it should work
06:32 < rap_wrk> let me try a running my vpn from the terminal
06:33 <+debbie10t> i don't think arch comes with it by default .. i think i did download it
06:34 < rap_wrk> debbie10t:  check /usr/share/openvpn/contrib/pull-resolv-conf/client.up
06:34 < rap_wrk> and client.down
06:35 < rap_wrk> 1 of my boxes has the update resolv.conf
06:35 < rap_wrk> the other has the client up adn down
06:35 <+debbie10t> ahh yep .. it is there .. theanks ;)
06:37 <+debbie10t> i know people don't like systemd but i think arch is wicked :)
06:38 < rap_wrk> debbie10t: are you using networkmanager
06:38 < rap_wrk> to run your vpn
06:39 <+debbie10t> no .. all done by hand .. command prompt only
06:39 < rap_wrk> ah sweet
06:39 <+debbie10t> from my experience with NM .. it is generally not considered to be very reliable for openvpn
06:39 < rap_wrk> I want the nm integration though
06:40 <+debbie10t> once you have config files from NM .. check them by hand
06:40 < rap_wrk> thanks for the heads up, will need to figure the up and down script with nm
06:40 <+debbie10t> make sure there are no obvious errors
06:40 < rap_wrk> will do
06:40 <+debbie10t> common errors are things like using keepalive in a client config
06:41 <+debbie10t> it wont break the vpn but it is wrong
06:41 <+debbie10t> if you want to paste your configs I will double check them for u
06:41 < rap_wrk> will pm you
06:41 <+debbie10t> sure
06:42 <+debbie10t> * This time only * .. I would not PM mods as a rule ;)
06:42 < tris_> what version of openvpn installer for windows I have to install to bypass/resolve the problem of TAP device ?
06:45 <+debbie10t> tris_, do not use i603 .. use i003
06:47 <+debbie10t> tris_,  or update the TAP driver if you do use i603
06:47 <+debbie10t> tris_,  https://forums.openvpn.net/topic16933.html
06:47 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN 2.3.4 i603 Windows x64 - TAP driver buggy : Server Administration (at forums.openvpn.net)
06:48 < tris_> same problem "an error ocurred installing the TAP device driver"
06:50 <+debbie10t> are you logged in as administrator ?
06:50 < tris_> yes
06:50 <+debbie10t> hmm .. might be registry problem
06:50 < tris_> I already checked that
06:50 <+debbie10t> try running the uninstall
06:50 <+debbie10t> first
06:51 < tris_> so I uninstall the i003 ?
06:51 <+debbie10t> yes .. totally uninstall openvpn first
06:51 < tris_> done
06:51 <+debbie10t> so the uninstall run completely with no errors ?
06:52 < tris_> exact : no errors during uninstalling
06:52 < tris_> (sorry for English mistakes)
06:52 <+debbie10t> and so what happens on a fresh install ?
06:52 < tris_> an error occured installing the TAP device driver
06:52 <+debbie10t> what version of windows ?
06:53 < tris_> the installation continues anyway but when I want to connect to somewhere : fail
06:53 < tris_> seven
06:53 <+debbie10t> yes - you cannot use openvpn without a TAP driver
06:53 <+debbie10t> try that link i gave you .. download the separate TAP installer
06:53 < tris_> that's the point :) I need to pass by OpenVPN to be connect to my work ...
06:56 < tris_> when I try to install the TAP driver I have the same error "an error occured installing the TAP device driver"
06:56 <+debbie10t> sorry guys .. i have to go now :(
06:56 < tris_> :'(
06:56 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn ["Leaving"]
06:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
06:57 < creshal> Just randomly guessing, but is there anything in the Windows event log about the error?
06:59 < tris_> no information about it
07:00 < creshal> Derp.
07:02 < tris_> I don't understand what's happening
07:14 -!- larsemil [~larsemil@pamela.daladevelop.se] has joined #openvpn
07:14 < larsemil> Options error: --server directive network/netmask combination is invalid
07:15 < larsemil> option server '83.109.243.222 255.255.255.0'
07:15 < larsemil> why?
07:18 -!- rap_wrk [~reshad@unaffiliated/rap-wrk/x-769542] has quit [Ping timeout: 260 seconds]
07:18 < julieeharshaw> i would think only private subnets are allowed
07:19 < creshal> Manpage. It expects a private network, not a public IP address.
07:23 < larsemil> ah cool
07:23 < larsemil> thought it was public ip.
07:24 < larsemil> Cannot load private key file /etc/openvpn/my-client.key: error:0B080074:lib(11):func(128):reason(116)
07:29 < creshal> Well, does it exist?
07:36 <@syzzer> if anyone comes asking about OpenVPN and POODLE: https://community.openvpn.net/openvpn/wiki/Poodle
07:36 <@vpnHelper> Title: Poodle – OpenVPN Community (at community.openvpn.net)
07:49 -!- toredl [~tned@h-36-189.a254.priv.bahnhof.se] has quit [Quit: Lost terminal]
07:54 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
07:54 -!- BtbN [btbn@btbn.de] has joined #openvpn
07:55 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
07:56 -!- _KaszpiR__ is now known as _KaszpiR_
08:08 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:08 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
08:08 -!- Pyrogerg_ [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
08:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:19 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 246 seconds]
08:21 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
08:25 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
08:36 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 250 seconds]
08:37 -!- elfixit [~Icedove@dhcp-129-146.office.init7.net] has joined #openvpn
08:39 -!- mattock_afk is now known as mattock
08:44 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
08:45 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
08:51 -!- NChief [~nchief@unaffiliated/nchief] has quit [Ping timeout: 240 seconds]
08:51 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
08:52 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Ping timeout: 240 seconds]
08:52 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
08:52 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
08:54 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
08:55 -!- fixxxermet [~lopan@vps.gnulnx.net] has left #openvpn []
08:58 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
09:03 -!- batrick_ is now known as batrick
09:17 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
09:28 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:39 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Quit: Leaving]
09:42 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
09:42 -!- linuxthefish [~ltf@unaffiliated/edmundf] has left #openvpn ["Leaving"]
09:47 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
09:53 < julieeharshaw> hi, it's me again :)
09:53 < julieeharshaw> i started getting "Authenticate/Decrypt packet error: packet HMAC authentication failed" on the server out of a sudden
09:53 < julieeharshaw> what might be wrong?
09:54 < julieeharshaw> there's "tls-auth openvpn.ta-key 1" on the client and "tls-auth openvpn.ta-key 0" on the server
09:54 < julieeharshaw> the file is the same
09:54 < julieeharshaw> the keys and certs seem to be correct, too
09:54 < julieeharshaw> the time on the machines is within a few seconds
09:55 < julieeharshaw> and the client actually gets an IP address, as specified in it's client config
09:55 < julieeharshaw> but no packets get through
09:55 < julieeharshaw> s/it's/its
09:56 < julieeharshaw> and no errors in the client log
09:57 < julieeharshaw> ha! it's the client-config-dir
09:58 < julieeharshaw> the file /var/openvpn/client-config/bydlenka contains "ifconfig-push 10.42.2.42 10.42.2.41"
09:59 < julieeharshaw> and when i remove the client-config-dir, it works without a hitch
10:00 < julieeharshaw> when i put it back, the client bydlenka gets the specified IP address, but nothing goes thru and the server log is full of "packet HMAC authentication failed" messages
10:00 < julieeharshaw> so wtf is wrong?
10:01 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
10:08 < julieeharshaw> i guess the static IP address has to be part of the vpn subnet, right?
10:08 < julieeharshaw> right
10:09 < julieeharshaw> the error message isn't very helpful :(
10:11 < julieeharshaw> i was thinking that i need to assign an IP outside of the range so OpenVPN doesn't try to assign it to another client. guess it's smarter than that:)
10:15 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 260 seconds]
10:20 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
10:22 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: ZNC - http://znc.in]
10:22 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
10:28 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 240 seconds]
10:32 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
10:35 < Airwave> !hardening
10:35 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
10:39 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
10:41 -!- mt [mt@unaffiliated/supermat] has quit [Quit: WeeChat 1.1-dev]
10:45 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
10:45 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
10:47 -!- novaflash is now known as novaflash_away
10:56 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
10:59 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Max SendQ exceeded]
11:06 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
11:09 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:17 -!- tris_ [~tris_@unaffiliated/tris/x-6638183] has quit [Ping timeout: 272 seconds]
11:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:24 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
11:24 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
11:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
11:26 -!- novaflash_away is now known as novaflash
11:37 -!- tris_ [~tris_@unaffiliated/tris/x-6638183] has joined #openvpn
11:47 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:03 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 265 seconds]
12:10 -!- Latrina [~Latrina@adsl-ull-215-248.45-151.net24.it] has joined #openvpn
12:18 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
12:21 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
12:21 -!- dazo is now known as dazo_afk
12:27 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
12:29 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
12:39 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
12:44 -!- Licenser [znc@178.62.181.153] has left #openvpn ["https://project-fifo.net | https://dalmatiner.io"]
12:44 -!- BtbN [btbn@btbn.de] has joined #openvpn
12:49 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
12:50 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
12:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
12:56 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
12:56 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:04 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
13:06 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
13:15 <@novaflash> poodle poodle poodle
13:16 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
13:18 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:18 < phreakocious> heh
13:18 <@novaflash> i love these weird names they give stuff
13:18 <@novaflash> BEAST vulnerability
13:18 <@novaflash> HEARTBLEED vulnerability
13:18 <@novaflash> POODLE vulne.. hang on that's not even in any way scary
13:18 < phreakocious> I was hoping for more marketing a la heartbleed, but no....
13:19 <@novaflash> yeah, maybe, LOCKSMITHBATMANKILLERTHORSHAMMERSUPERMEGABUG
13:26 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
13:27 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
13:42 -!- elfixit [~Icedove@dhcp-129-146.office.init7.net] has quit [Quit: elfixit]
13:42 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
13:48 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
13:51 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:51 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 246 seconds]
13:52 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 246 seconds]
--- Log closed Wed Oct 15 13:58:24 2014
--- Log opened Wed Oct 15 14:45:58 2014
14:45 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
14:45 -!- Irssi: #openvpn: Total of 173 nicks [8 ops, 0 halfops, 3 voices, 162 normal]
14:45 -!- mode/#openvpn [+o ecrist] by ChanServ
14:45 -!- Irssi: Join to #openvpn was synced in 1 secs
14:53 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
14:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
14:59 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
15:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
15:24 -!- mattock is now known as mattock_afk
15:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
15:37 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
15:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
15:45 -!- indy [~indy@fantomas.bestit.cz] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:47 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:52 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:54 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:05 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
16:07 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
16:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
16:08 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
16:22 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
16:23 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
16:29 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
16:33 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:39 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 272 seconds]
16:46 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
16:51 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
16:53 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
16:56 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
17:01 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 240 seconds]
17:01 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 245 seconds]
17:19 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:20 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
17:31 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:48 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 260 seconds]
17:53 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
17:53 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
18:01 -!- ender| [krneki@foo.eternallybored.org] has joined #openvpn
18:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
18:02 -!- pEYEd [~pEYEd@69.84.168.16] has quit [Ping timeout: 255 seconds]
18:07 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 245 seconds]
18:20 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:32 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
18:33 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
18:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:55 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
18:57 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:58 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
18:59 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
19:07 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
19:27 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
19:31 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
19:32 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
19:45 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
19:49 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
19:51 -!- fannet [~naegelin@cpe-74-73-241-209.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
20:00 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
20:01 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
20:02 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 250 seconds]
20:03 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
20:03 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
20:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
20:15 -!- Funv2 [~Fun@unaffiliated/fun] has joined #openvpn
20:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
20:15 < Funv2> hello
20:15 < Funv2> openvpn - is it easy to assign use id and password in back end?
20:15 < Funv2> say I got 10 ips and 100 users
20:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
20:15 < Funv2> 10 users per IP
20:22 < Funv2> :)
20:31 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
20:37 <@ecrist> what?
20:37 <+_FBi> ^
20:40 <+_FBi> !poodle
20:40 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
20:47 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
20:50 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has joined #openvpn
20:51 < volkswagner> Greetings gang.
20:51 < Funv2> :)
20:51 -!- Funv2 is now known as Fun
20:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
20:53 <@ecrist> hello volkswagner 
20:53 <+_FBi> I'm out -- ciao
20:54 < volkswagner> I have a functioning setup: Win7 Server behind NAT using routed Tun, topology = subnet, server 192.168.137.0 255.255.255.0
20:54 < Fun> volkswagner: is it easy to manage users in open vpn backend?
20:55 < volkswagner> Howdy ecrist
20:56 < volkswagner> Fun, I don't fully understand your question :(
20:58 < volkswagner> Win 7 server hosting OpenVPN is on 10.0.1.0/24 LAN, which has Server 2012 AD/file server at 10.0.1.5
20:58 < volkswagner> When VPN users connect to the fileserver, Windows computer management shows connection coming from hostname of the Win7 OVPN server
20:59 < volkswagner> I think this may cause multiple simultaneous connections, as I believe windows does not allow multiple logins from same machine
21:00 < volkswagner> Do I need to add a route or  some sort of trusted network to server 2012, or how do I get vpn clients to present their vpn ip to the fileserver?
21:01 < Fun> volkswagner: my idea - install open vpn server say 10 ips 100 clients, how easy it is to assign username IP and password to each user
21:01 < Fun> even manually
21:01 < volkswagner> This is where ecrist tells me I'm going about it the wrong way :D
21:02 < volkswagner> Fun, I use key authentication
21:02 < volkswagner> I'm sure you can script the creation, but I'm not a programmer.
21:03 < Fun> volkswagner: same here:D
21:07 < volkswagner> Fun, it would take me way longer to program it with a script, so I'd have to power through it manually.
21:07 < volkswagner> I really gotta learn some scripting
21:09 < volkswagner> Fun, I do sacrifice security for convenience. I don't enter a password when creating the client keys
21:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:12 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
21:14 < volkswagner> Well, I think this is a false alarm. I see there are currently two users connected to fileserver
21:14 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
21:14 < volkswagner> even though both show connections coming from the same hostname
21:14 < volkswagner> guess my problem is local to me/my machine
21:14 < volkswagner> I may have to restart networking
21:14 < volkswagner> enjoy!
21:17 < volkswagner> I should have noticed some possible problem. Normally when I connect to the vpn via TunnelBlick on my Mac
21:18 < volkswagner> all local shares disappear from Finder.  They are still showing, hence why I
21:18 < volkswagner> I'll do  a full network restart.
21:18 < volkswagner> Cheers!
21:18 -!- volkswagner [~Adium@cpe-98-15-160-220.hvc.res.rr.com] has quit [Quit: Leaving.]
21:29 -!- Fun [~Fun@unaffiliated/fun] has quit [Ping timeout: 240 seconds]
21:39 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Read error: Connection reset by peer]
21:42 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
21:48 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
21:49 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
21:56 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
22:14 -!- Adie [~adie2@ogdn-04-236-180.dsl.netins.net] has left #openvpn ["Leaving"]
22:16 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
22:17 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
22:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
22:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:47 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
22:48 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
22:50 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:05 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
23:09 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
23:10 < KNERD> is there a way to prevent the client from using the address of the VPN server as a gateway? Once clients are connected, they no longer have internet access because they are no longer using the LAN gateway address
23:13 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:30 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
23:39 < Eugene> !redirect
23:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
23:39 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:39 < Eugene> ^ do the opposite of that
23:40 < Eugene> I'm guessing you're following a random blog-o-guide?
23:42 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Quit: Konversation terminated!]
23:46 -!- ShadniX [dagger@p5DDFEC87.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:46 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
23:47 -!- ShadniX [dagger@p5DDFFDCF.dip0.t-ipconnect.de] has joined #openvpn
23:47 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
23:50 -!- u0m3_ [~u0m3@92.80.124.118] has quit [Read error: Connection reset by peer]
23:53 <@krzee> must be
23:54 <@krzee> KNERD, openvpn does not do anything regarding internet route unless you tell it to.
23:58 <@ecrist> my guess, he's not the admin
23:59 <@krzee> KNERD, is that the case ^ ?
--- Day changed Thu Oct 16 2014
00:20 < Eugene> My guess is he's too busy for free IRC support
00:20 < Eugene> !beer
00:20 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
00:36 < KNERD> krzee: Yes I am the admin
00:37 < KNERD> Eugene: yes I am!
00:38 < KNERD> Please explain..what I have added it : iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
00:38 < KNERD> and iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o eth0 -j MASQUERADE
00:38 < KNERD> maybe that is incorrect for my needs?
00:39 < KNERD> ecrist: I am the admin
00:40 < Eugene> The INPUT rule allows openvpn traffic into your server
00:41 < Eugene> The POSTROUTING rule says that traffic coming out of your servr, from the VPN network, should be NATed to the internet
00:41 < Eugene> But this is orthogonal to the redirect directive mentioned above, which is what is causing your client's traffic to flow via the VPN
00:42 < Eugene> Remove that directive and it won't happen anymore
00:42 < KNERD> Eugene: okay...thanks
00:43 < KNERD> WHat I want is to have only traffice directed to use the VPN to use that only, not all clients on the local device
00:43 < Eugene> !routebyapp
00:43 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
00:43 <@vpnHelper> policies you set. For Linux, read about !lartc
00:43 < Eugene> Is that what you mean ^ ?
00:44 < KNERD> ouch yes
00:45 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
00:46 < KNERD> Eugene:   in other words let's say the VPN server network address is 10.8.0.1. Anything I have pointed to it directly should onyl be using it...for example SSH client
00:46 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
00:47 < Eugene> Sure
00:47 < Eugene> Use a proxy, or policy routing
00:47 < KNERD> i have noticed the clients gusing DHCP grab a gateway address of the VPN
00:48 < Eugene> Are you using bridging?
00:48 < KNERD> no
00:49 < KNERD> !sockd
00:49 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
00:52 < KNERD> Eugene: wouldn't this be a client issue setup issue which is telling the client to grab a gateway from the VPN?
00:52 < Eugene> Yes.... that's what redirect-gateway does
00:52 < KNERD> or server?
00:52 < Eugene> That option can be specified on either the client or server side
00:53 < KNERD> maybe this is it? A line from my client file: push "redirect-gateway def1 bypass-dhcp"
00:54 < Eugene> That'd be it, yup
00:54 < KNERD> i guess I need to change that
00:55 < KNERD> !push
00:55 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
00:55 < KNERD> oops..I mean that is on the server.conf file
00:58 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
00:59 < Eugene> I figured
01:04 < KNERD> Eugene: so if I delete the line  --> push "redirect-gateway def1 bypass-dhcp"  then the client being directed to use the OpenVPN IP address will funtion correctly with the applications on the server end?
01:05 < Eugene> The client will no longer forward all the client over the vpn link
01:06 < KNERD> thanks a bunch for helping me understand this
01:07 < KNERD> however, will it stil get an address via DHCP  on the server?
01:25 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 260 seconds]
01:28 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
01:34 < zamba> got lots of these: TLS Error: Unroutable control packet received from
01:34 < Airwave> !def1
01:34 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
01:39 < KNERD> yeah...it worked...still working as expect after removing "redirect-gateway def1 bypass-dhcp"'
02:24 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
03:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
03:59 -!- Mimiko [~Mimiko@77.89.245.38] has joined #openvpn
04:06 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:07 -!- tore_ [~tore@login.redpill-linpro.com] has joined #openvpn
04:07 < tore_> !poodle
04:07 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
04:10 -!- tore_ [~tore@login.redpill-linpro.com] has left #openvpn []
04:23 < zamba> we're getting VERIFY ERROR: depth=0, error=certificate has expired.. how can we get more details about that? what certificate?
04:25 -!- Mimiko [~Mimiko@77.89.245.38] has quit []
04:27 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
04:28 < creshal> Look at the client cert, look at the server cert, determine which one expired.
04:37 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 245 seconds]
04:38 < zamba> creshal: i don't have access to the server certs
04:38 < zamba> creshal: and looking at the client side, i see no certs that has expired
04:39 < zamba> and according to the people at the other end (server side), everything should be fine there as well
04:39 < zamba> no way i can download the certs?
04:44 < creshal> If all certs are fine, check your clock settings.
04:47 -!- tris_ [~tris_@unaffiliated/tris/x-6638183] has left #openvpn ["A plus tard"]
05:08 -!- dazo_afk is now known as dazo
05:30 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:31 <@plaisthos> !git
05:31 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git or (#2) For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git or (#3) Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi or (#4) See !git-doc how to use git
05:31 -!- mattock_afk is now known as mattock
05:32 -!- mattock is now known as mattock_afk
05:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
05:36 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
05:40 -!- mattock_afk is now known as mattock
06:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:11 -!- Tykling [tykling@gibfest.dk] has left #openvpn []
06:19 <@dazo> !forget git
06:19 <@vpnHelper> Error: 4 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
06:19 <@dazo> !forget git *
06:19 <@vpnHelper> Joo got it.
06:20 <@dazo> !learn git as For the stable git tree: git clone git://git.code.sf.net/p/openvpn/openvpn
06:20 <@vpnHelper> Joo got it.
06:21 <@dazo> !learn git as For the development git tree: git://git.code.sf.net/p/openvpn/openvpn-testin
06:21 <@vpnHelper> Joo got it.
06:21 <@dazo> !learn git as Browse the git repositories here: http://sourceforge.net/p/openvpn/openvpn-testing/ci/master/tree/
06:21 <@vpnHelper> Joo got it.
06:21 <@dazo> !learn git as See !git-doc how to use git
06:21 <@vpnHelper> Joo got it.
06:21 <@dazo> !learn git as git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png
06:21 <@vpnHelper> Joo got it.
06:22 <@dazo> !git
06:22 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://git.code.sf.net/p/openvpn/openvpn or (#2) For the development git tree: git://git.code.sf.net/p/openvpn/openvpn-testin or (#3) Browse the git repositories here: http://sourceforge.net/p/openvpn/openvpn-testing/ci/master/tree/ or (#4) See !git-doc how to use git or (#5) git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png
07:23 -!- nicolaw [~nicolaw@93.186.33.103] has joined #openvpn
07:23 < nicolaw> !poodle
07:23 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
07:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:53 -!- mode/#openvpn [+v s7r] by ChanServ
07:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:23 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
08:26 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Remote host closed the connection]
08:37 -!- wingnut2626 [~ronald@pool-173-49-208-245.phlapa.fios.verizon.net] has joined #openvpn
08:37 < wingnut2626> Is it possible to generate an ovpn file from certificates?
08:38 < creshal> No.
08:38 < wingnut2626> Allrighty then.
08:39 -!- u0m3_ [~u0m3@92.80.124.118] has joined #openvpn
08:39 -!- u0m3_ [~u0m3@92.80.124.118] has quit [Read error: Connection reset by peer]
08:40 -!- u0m3 [~u0m3@92.80.124.118] has joined #openvpn
08:57 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
08:57 -!- Irrelephant [~Irrelepha@213.136.81.155] has joined #openvpn
08:57 -!- Irrelephant [~Irrelepha@213.136.81.155] has quit [Client Quit]
08:59 -!- Irrelephant [~Irrelepha@88.128.80.14] has joined #openvpn
08:59 < Irrelephant> !client
09:00 < Irrelephant> !configs
09:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:12 < Irrelephant> Hi. Can somebody please point me to the flow charts used to debug problems with internet connectivity through vpn? I thought it was !client but that did not work.
09:32 -!- Irrelephant [~Irrelepha@88.128.80.14] has quit [Ping timeout: 258 seconds]
09:45 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
09:56 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit]
10:00 -!- detha [~detha@unaffiliated/detha] has quit [Ping timeout: 250 seconds]
10:03 -!- detha [~detha@unaffiliated/detha] has joined #openvpn
10:06 -!- creshal [~Creshal@91.143.96.4] has quit [Ping timeout: 255 seconds]
10:08 -!- detha [~detha@unaffiliated/detha] has quit [Max SendQ exceeded]
10:08 -!- detha [~detha@unaffiliated/detha] has joined #openvpn
10:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
10:11 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:11 -!- mode/#openvpn [+v s7r] by ChanServ
10:12 -!- fannet [~fannet@cpe-74-73-241-209.nyc.res.rr.com] has joined #openvpn
10:14 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
10:15 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
10:41 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 255 seconds]
10:49 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Quit: WeeChat 0.4.2]
10:49 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
10:54 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Client Quit]
10:54 -!- roentgen_ [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:55 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
10:59 -!- fannet [~fannet@cpe-74-73-241-209.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
11:00 -!- pberis [~Thunderbi@rrcs-24-73-251-230.sw.biz.rr.com] has joined #openvpn
11:02 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
11:02 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
11:05 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
11:10 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
11:15 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:22 -!- fannet [~fannet@cpe-74-73-241-209.nyc.res.rr.com] has joined #openvpn
11:24 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
11:24 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
11:26 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:26 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
11:45 -!- dazo is now known as dazo_afk
11:47 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:47 < khaldrogox> raidz: around?
11:47 <@krzee> khaldrogox, have a question or just wanna talk to him?
11:48 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:48 < khaldrogox> he owes me money :P
11:48 <@krzee> yep i'll leave that to him :D
11:49 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
11:49 <@raidz> sup khaldrogox
11:50 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:54 < khaldrogox> sup man!
12:14 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
12:19 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
12:19 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
12:20 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
12:23 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:29 -!- Denial [~Denial@host86-148-141-27.range86-148.btcentralplus.com] has quit []
12:47 -!- knob [~knob@76.76.202.243] has joined #openvpn
12:47 < knob> Hello everyone
12:47 < knob> Got a noob question
12:47 < knob> !ccd
12:47 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name or (#2) the ccd file is parsed each time the client connects.
12:48 < knob> From ^^,   when it says "use --client-config-dir <dir> to enable it"               is that a flag to run in addition to the command             openvpn --config ~/path/to/client.opvn         ?
12:48 < knob> So, like,           openvpn --client-config-dir ~/path/to/client.opvn            ??
12:50 <@krzee> !--
12:50 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
12:51 < knob> krzee, ahh ok ok....  wow, that helps.
12:51 < knob> On my way to try it out
12:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
12:59 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:59 -!- mode/#openvpn [+o syzzer] by ChanServ
13:17 -!- adamben [~Adam@binpress/adamben] has joined #openvpn
13:17 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
13:29 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:31 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:31 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Client Quit]
13:37 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has joined #openvpn
13:45 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:45 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
13:48 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has quit []
13:51 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has joined #openvpn
13:52 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
14:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
14:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
14:17 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 272 seconds]
14:19 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit]
14:26 -!- adamben [~Adam@binpress/adamben] has quit [Quit: Computer has gone to sleep.]
14:59 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
15:08 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has quit []
15:14 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has joined #openvpn
15:16 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
15:25 -!- mattock is now known as mattock_afk
15:29 -!- knob [~knob@76.76.202.243] has quit [Quit: Leaving]
15:30 -!- fannet [~fannet@cpe-74-73-241-209.nyc.res.rr.com] has quit [Ping timeout: 260 seconds]
15:33 -!- Irrelephant [Irrelephan@2a02:908:e263:6400:953e:6927:5a22:b977] has joined #openvpn
15:33 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
15:34 < Irrelephant> Running a vpn on port 443, what could be the reason for internet traffic not being forwarded when connected to a public hotspot?
15:34 < Irrelephant> In all other networks I have tested so far the same config works like a charm
15:35 < Irrelephant> It's only the public hotspot that, whilst connected to the vpn and having successfully accuired a VPN IP, won't let me access the internet
15:36 < Irrelephant> I can ping google but when I enter google.com into a browser, it loads and loads whith nothing really happening
15:39 < Irrelephant> my goal is to have all internet traffic from a client routed through the VPN. Gateway is set, ip forwarding enabled, iptables configured. As I said, it works in all other cases, just not for the hotspot
15:39 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
15:41 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:43 < Irrelephant> Is there a way to troubleshoot my issue?
15:45 < phreakocious> are you using UDP or TCP?
15:46 <@krzee> Irrelephant, maybe dns related?
15:46 < phreakocious> it's possibly an MTU issue as well
15:46 <@krzee> ya could be mtu
15:48 <@krzee> although id expect that to just fragment and maybe lower speed, not cut the connection off
15:49 <@krzee> i was thinking maybe dns simply cause i know captive portal networks are picky about dns stuff, but its just a guess
15:49 <@krzee> s/are/can be/
15:50 <@krzee> Irrelephant, you dont happen to be *at* one of those places, do you?
16:22 < Irrelephant> Hey, thanks for replying. I am currently not at one of those places, though ...
16:22 < Irrelephant> Do you know whether hotspots support manually setting another dns server?
16:23 < Irrelephant> If so I could use google dns before connecting to the VPN
16:23 < pekster> I rather doubt it's DNS since browsers generally give up after a while and tell you the page can't be found
16:24 < pekster> If `link-mtu 1200` on both ends fixes it (be sure you set that on _both_ configs, and restart them both) then it's almost certainly MTU
16:24 < Irrelephant> I don't remember exactly for how long I left the browsers open ...
16:24 < Irrelephant> But it must have been at least 5 minutes
16:24 < Irrelephant> I tried chrome, IE and firefox, all showing the same behaviour
16:25 < Irrelephant> what puzzles me is that pings inside and outside the VPN work while browsers won't load any web pages
16:25 < pekster> Were you pinging with DF set and ~1472 byte data?
16:25 < pekster> I'm guessing not
16:25 < pekster> Might want to read about why MTU is important
16:25 < Irrelephant> Will do! What does DF stand for?
16:26 < pekster> https://duckduckgo.com/?q=DF+bit
16:26 <@vpnHelper> Title: DF bit at DuckDuckGo (at duckduckgo.com)
16:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
16:28 < Irrelephant> I'll do some reading and try a few settings tomorrow when connected to a hotspot. Thank you all for your input and pointing me towards possible causes
16:28 < Irrelephant> I'll report back as well
16:31 -!- Raionic[NYG] [~Raion@unaffiliated/raionicnyg/x-7414136] has joined #openvpn
16:31 < Irrelephant> Another question: When the vpn server is running on a VPS with a unique external IPv4 address, is setting up a bridged VPN even possible?
16:33 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
16:33 < Raionic[NYG]> Hi I'm attempting to setup an OpenVPN server (first time) ...but am having trouble connecting to it because my client-connect script cannot be executed according to open VPN logs but if it run the script myself it works with exit status 0, additionally i've executed chmod 777 on the script...any thoughts on what may be causing the error? this is the log entry: "Failed running command
16:33 < Raionic[NYG]> (--client-connect): could not execute external program"
16:34 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
16:34 < pekster> Irrelephant: You don't want to bridge in that situation, no. You could do stand-alone tap, but you'd only ever want that if you needed to send non-IP Ethernet frames between clients
16:35 < pekster> Or were for some very poor reason attempting to use additional on-link IPs on the uplink, but that's 1) likely not supported, and 2) brain-dead stupid if it is
16:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:38 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
16:41 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:42 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 245 seconds]
16:44 <@krzee> Raionic[NYG], maybe a bad shbang
16:45 <@krzee> also, 777 is almost never the right solution for anything… and certainly not for this
16:47 < Raionic[NYG]> shbang?
16:47 <@krzee> the top line of the script which points to the interpreter for the script
16:47 < Raionic[NYG]> Oh
16:47 <@krzee> such as #!/bin/sh
16:48 < Raionic[NYG]> yeah I've tried with and without that
16:48 < Raionic[NYG]> My script is simple...#!/bin/bash (newline) exit 0
16:48 <@krzee> it must be there, and must point to a valid interpreter
16:48 <@krzee> make it echo out to a file
16:48 <@krzee> just for a test
16:48 < Raionic[NYG]> k one sec
16:48 <@krzee> maybe env > /tmp/vpn.test
16:49 <@krzee> or whatev
16:50 < Raionic[NYG]> echo "test" > /tmp/vtst
16:50 < Raionic[NYG]> pi@raspberrypi /etc $ ls /tmp/vtst
16:50 < Raionic[NYG]> ls: cannot access /tmp/vtst: No such file or directory
16:50 < Raionic[NYG]> (i restarted openvpn before testing btw)
16:51 -!- liriel is now known as Miss
16:51 -!- Miss is now known as Miss_Nomer
16:51 <@krzee> and your system does have /tmp/ right?
16:51 < Raionic[NYG]> yeah i see a bunch of openvpn files there
16:51 <@krzee> how are you starting openvpn?
16:51 <@krzee> oh wait you said you restarted openvpn
16:51 < Raionic[NYG]> sudo /etc/init.d/openvpn restart
16:52 <@krzee> but did you ALSO connect with a client?
16:52 < Raionic[NYG]> Yes of course, and I saw the same error in the log
16:52 < Raionic[NYG]> "WARNING: Failed running command (--client-connect): could not execute external program"
16:52 <@krzee> you say of course, but after long enough here you learn to get specific ;]
16:52 < Raionic[NYG]> :) i hear ya
16:53 <@krzee> !configs
16:53 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:53 <@krzee> should just need server side
16:54 < Raionic[NYG]> k will do one sec
16:54 <@krzee> also, you dont have selinux blocking stuff, right?
16:54 < Raionic[NYG]> http://pastebin.com/DP7c3nr0
16:55 < Raionic[NYG]> ignorant question maybe, what's selinux?
16:56 <@krzee> if you have to ask that, you dont
16:56 <@krzee> :D
16:56 <@krzee> !google selinux
16:56 <@vpnHelper> SELinux - Wikipedia: <http://en.wikipedia.org/wiki/Security-Enhanced_Linux>; SELinux - FedoraProject: <http://fedoraproject.org/wiki/SELinux>; Main Page - SELinux Wiki: <http://selinuxproject.org/>
16:56 < Raionic[NYG]> haha
16:56 <@krzee> your script is really sitting in / ?
16:56 < Raionic[NYG]> well... for testing...
16:56 < Raionic[NYG]> it wasn't before
16:56 <@krzee> wheres your config? in /etc/openvpn ?
16:56 < Raionic[NYG]> I've just been trying random things
16:57 < Raionic[NYG]> Right, /etc/openvpn/openvpn.conf
16:57 <@krzee> ps auxwwwww|grep [o]penvpn
16:57 <@krzee> i want to see what flags your os startup script adds on top of the config
16:57 < Raionic[NYG]> pi 4182 0.1 0.4 5320 2340 ? Ss 21:49 0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.openvpn.pid --daemon ovpn-openvpn --cd /etc/openvpn --config /etc/openvpn/openvpn.conf
16:58 <@krzee> cd /etc/openvpn
16:58 <@krzee> ls -la
16:58 <@krzee> pastebin
16:58 < Raionic[NYG]> http://pastebin.com/6r3sdsxz
16:59 <@krzee> mv /openvpn_client_connected.sh /etc/openvpn/
17:00 <@krzee> then show me ls -l openvpn_client_connected.sh
17:00 <@krzee> and cat openvpn_client_connected.sh
17:00 < Raionic[NYG]> -rwxr-xr-x 1 root root 86 Oct 16 21:40 openvpn_client_connected.sh
17:00 < Raionic[NYG]> Oh , I'm a FREAKING genius. I just realized when you asked me to output to a file i editted the wrong file
17:01 < Raionic[NYG]> Let me add the shbang here and that test again
17:01 <@krzee> and remember to change path to script in config
17:01 < Raionic[NYG]> yup will do
17:02 < Raionic[NYG]> Hmm, that did it
17:02 < Raionic[NYG]> it must've been the missing shbang
17:02 < Raionic[NYG]> Sorry :/
17:02 < Raionic[NYG]> Thanks a lot for your help!
17:03 <@krzee> np man
17:16 -!- Miss_Nomer is now known as liriel
17:19 < Raionic[NYG]> If I can connect to my VPN using the local IP but can't connect with the global IP - could that be an issue with configuration of OpenVPN or would that strictly be configuring the appropriate port forwarding rules in my router?
17:22 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 258 seconds]
17:24 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has quit [Ping timeout: 244 seconds]
17:24 -!- mcp [~mcp@wolk-project.de] has quit [Ping timeout: 258 seconds]
17:24 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 260 seconds]
17:24 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
17:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
17:25 -!- Airwave [~Airwave@94.246.37.45] has quit [Ping timeout: 258 seconds]
17:25 < Raionic[NYG]> Disregard my last question - found it.
17:28 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
17:29 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has joined #openvpn
17:30 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
17:30 -!- Airwave [~Airwave@94.246.37.45] has joined #openvpn
17:35 -!- Raionic[NYG] [~Raion@unaffiliated/raionicnyg/x-7414136] has quit []
17:41 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
17:46 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
17:47 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:52 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
17:57 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:10 -!- kirin` [telex@gateway/shell/anapnea.net/x-xnosohwfmndfvoal] has joined #openvpn
18:15 -!- pushpop [~pushpop@unaffiliated/pushpop] has joined #openvpn
18:18 -!- kirin` [telex@gateway/shell/anapnea.net/x-xnosohwfmndfvoal] has quit [Read error: Connection reset by peer]
18:19 -!- kirin` [telex@gateway/shell/anapnea.net/x-eryivykduhebenoq] has joined #openvpn
18:26 -!- kirin` [telex@gateway/shell/anapnea.net/x-eryivykduhebenoq] has quit [Ping timeout: 260 seconds]
18:27 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
18:27 -!- kirin` [telex@gateway/shell/anapnea.net/x-zxdtbdgnbnsdrjcd] has joined #openvpn
18:34 -!- kirin` [telex@gateway/shell/anapnea.net/x-zxdtbdgnbnsdrjcd] has quit [Ping timeout: 260 seconds]
18:35 -!- kirin` [telex@gateway/shell/anapnea.net/x-qnkmysytkeokyasz] has joined #openvpn
18:40 -!- kirin` [telex@gateway/shell/anapnea.net/x-qnkmysytkeokyasz] has quit [Read error: Connection reset by peer]
18:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:48 -!- Airwave [~Airwave@94.246.37.45] has quit [Ping timeout: 258 seconds]
18:50 -!- Irrelephant [Irrelephan@2a02:908:e263:6400:953e:6927:5a22:b977] has quit [Quit: Leaving]
18:53 -!- Airwave [~Airwave@94.246.37.45] has joined #openvpn
19:06 -!- joako [~joako@opensuse/member/joak0] has quit [K-Lined]
19:08 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Quit: Headin Out...]
19:19 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has joined #openvpn
19:23 -!- mefistof1les [~crush@unaffiliated/mefistofeles] has joined #openvpn
19:27 < mefistof1les> hey, I have an OpenDNS where I work and I can connect to it but I can't access other machines using the DNS from work... how to accomplish this?
19:28 -!- mefistof1les is now known as mefistofeles
19:45 <@krzee> !pushdns
19:45 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
19:50 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:56 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has joined #openvpn
19:56 < Gl4di4t0r> Where do I download the openvpn client for Linux Mint?
19:59 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
20:05 < mefistofeles> thanks krzee , gonna take a look
20:07 < mefistofeles> Gl4di4t0r: in the official repos, openvpn package
20:07 < mefistofeles> now if you want the GUI interface I don't know
20:08 < mefistofeles> I don't think linux mint uses network-manager applet does it?
20:08 < Gl4di4t0r> Linux is a total mess. It's a disaster!
20:12 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has left #openvpn ["Leaving"]
20:16 < mefistofeles> lol
20:42 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
20:48 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Ping timeout: 250 seconds]
20:50 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
20:59 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
21:19 -!- detha [~detha@unaffiliated/detha] has quit [Ping timeout: 250 seconds]
21:19 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 260 seconds]
21:24 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
21:28 -!- nicolaw [~nicolaw@93.186.33.103] has quit [Quit: Lost terminal]
21:31 -!- detha [~detha@unaffiliated/detha] has joined #openvpn
21:36 -!- fling [~fling@fsf/member/fling] has joined #openvpn
22:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:29 -!- mefistofeles [~crush@unaffiliated/mefistofeles] has quit [Quit: Hay the guachu!]
23:11 -!- mefistofeles [~crush@unaffiliated/mefistofeles] has joined #openvpn
23:11 < mefistofeles> !push-dns
23:11 < mefistofeles> !pushdns
23:11 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
23:11 < mefistofeles> !windns
23:11 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
23:28 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:33 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Ping timeout: 244 seconds]
23:36 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
23:40 < mefistofeles> damn, this isn't working...
23:46 -!- ShadniX [dagger@p5DDFFDCF.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:46 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:47 -!- ShadniX [dagger@p5DDFF99F.dip0.t-ipconnect.de] has joined #openvpn
23:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
--- Day changed Fri Oct 17 2014
00:05 < mefistofeles> the LAN subnet for the VPN server must be different from the client one?
00:05 < mefistofeles> my client "lives" in a 192.168.0.0 and the VPN server does as well... that seems like it will conflict, right?
00:10 <@krzee> you saying both sides have the same subnet for their lan?
00:10 < pekster> yup, best to avoid common networks on your server side
00:10 <@krzee> are you trying to share a lan over the vpn?  you never stated much of a goal
00:10 <@krzee> !goal
00:10 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:11  * pekster will let the man not on a 3g cell irc client take this
00:11 < mefistofeles> krzee: yes, I'm trying to reach the server's LAN
00:11 <@krzee> haha irc on the go!
00:11 <@krzee> mefistofeles,
00:11 <@krzee> !randomsubnet
00:11 <@vpnHelper> "randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
00:11 < pekster> bloody small font too
00:12 <@krzee> mefistofeles, theres your new server LAN subnet, change to it =]
00:12 < pekster> wonder what decade this stops working
00:12 < mefistofeles> krzee: it's not that easy though, but yeah, I think I'll have to
00:12 < mefistofeles> there are many servers in that LAN/subnet
00:12  * pekster poofs
00:12 < mefistofeles> will have to reconfigure them all
00:12 <@krzee> mefistofeles, and they have static ips?
00:12 < mefistofeles> yes
00:12 <@krzee> why dont you set that in the dhcp server?
00:13 <@krzee> you know… centralize the admin job...
00:13 < mefistofeles> because it doesn't work... I'm using dnsmasq but it's not working with linux containers
00:13 <@krzee> it doesnt work??
00:13 <@krzee> what do you mean it doesnt work
00:13 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
00:13 < mefistofeles> the containers don't receive and IP from the dhcp server
00:14 <@krzee> what do they receive it from?
00:14 < mefistofeles> I think it's because of the virtual interface and bridging stuff
00:14 < mefistofeles> krzee: they don't they are just configured manually
00:14 <@krzee> well anyways
00:14 <@krzee> !samesubnet
00:14 <@vpnHelper> "samesubnet" is (#1) clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway or (#2) you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the
00:14 <@vpnHelper> subnet
00:15 <@krzee> so never use common subnets. especially when looking to share it over a vpn
00:15 <@krzee> rfc 1918 leaves SO MUCH ip space, theres no reason for using the default of most routers
00:15 < mefistofeles> yeah
00:16 < mefistofeles> I wish windows had a sshuttle client xD
00:16 < mefistofeles> sshuttle makes it so easy :P
00:28 < mefistofeles> thanks krzee
00:29 < mefistofeles> I'll change the subnet in the remote site tomorrow and see what happens
00:30 <@krzee> also
00:30 <@krzee> !serverlan
00:30 <@krzee> !route
00:30 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
00:30 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
00:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
00:31 < mefistofeles> thanks
00:36 -!- DrMac|Beep [~iamgroot1@unaffiliated/drmacinyasha] has joined #openvpn
00:47 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
00:58 < DrMac|Beep> Hi all, I'm running OpenVPN-AS and am looking for a way to basically disable IPv6 on clients when they connect to OpenVPN automatically. I tried "./sacli --user __DEFAULT__ --key prop_block_ipv6 --value true UserPropPut" as per the documentation (https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#block-client-access-to-public-ipv6-subnets) however clients
00:58 < DrMac|Beep> (latest Android OpenVPN Connect, OpenVPN Connect 2.0.7.100 on Windows) are still sending out traffic over IPv6.
00:58 <@vpnHelper> Title: OpenVPN Access Server Command-line Tools (at docs.openvpn.net)
01:02 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
01:02 <@krzee> hi, we dont support AS here
01:02 <@krzee> !as
01:02 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
01:03 <@krzee> !no_as
01:03 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
01:03 < DrMac|Beep> krzee: #openvpnn-as is dead, and I am unable to afford licenses.
01:03 < DrMac|Beep> So no "professional" support
01:03 <@krzee> no support here for it, wait for the dead channel
01:03 < DrMac|Beep> Furthermore, the issue would also apply to the community version of OpenVPN.
01:03 <@krzee> they have normal hours
01:04 <@krzee> furthermore, we dont support AS here.
01:04 <@krzee> and it doesnt apply
01:04 < DrMac|Beep> If I'm running the Community version of OpenVPN, I would run into the same problem.
01:04 <@krzee> you arent.
01:05 <@krzee> no reason to argue, you wont get support for AS here.  #OpenVPN-AS
01:11 -!- mefistofeles [~crush@unaffiliated/mefistofeles] has quit [Quit: Hay the guachu!]
01:12 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
01:17 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
01:30 -!- mattock_afk is now known as mattock
01:32 -!- creshal [~Creshal@91.143.96.4] has joined #openvpn
01:32 -!- creshal [~Creshal@91.143.96.4] has quit [Client Quit]
01:52 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:54 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
02:08 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:34 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
03:37 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
03:38 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
03:56 -!- dazo_afk is now known as dazo
04:14 <@plaisthos> krzee: yes, you are
04:15 <@plaisthos> we have not implemented disabling ipv6 access when using are v4 only vpn
04:16 < DrMac|Beep> Well, it's a whole pile of naught now. Somehow OpenVPN has broken IPv6 routing on my server, and I have no freaking clue how. Even uninstalled it and rebooted, still can't get anything to work right. Talk about a waste of time.
04:18 -!- wingnut2626 [~ronald@pool-173-49-208-245.phlapa.fios.verizon.net] has quit [Ping timeout: 272 seconds]
04:36 <@dazo> plaisthos: isn't it enough not to use any of the ipv6 options?
04:51 -!- Simson-san|away [~Simson-sa@klaxa.eu] has quit [Ping timeout: 245 seconds]
04:51 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 240 seconds]
04:52 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
04:52 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
05:03 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:17 <@plaisthos> dazo: suppose your client has native v4 and v6
05:17 <@plaisthos> dazo: now you connect to your v4 only vpn
05:18 <@plaisthos> dazo: and now "half" of your traffic is going through the vpn and the other half through your native connection
05:19 <@dazo> fair enough ... that is of course if you want all the traffic to go via the VPN
05:20 <@dazo> So the request is actually to disable IPv6 all over on the client when the connection is established?
05:21 <@dazo> and only use IPv4 and route everything over that connection?
05:21 < BtbN> Just push a new ipv6 default route to localhost
05:22 -!- DrMacinyasha [Denham@unaffiliated/drmacinyasha] has joined #openvpn
05:22 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:23 < DrMac|Beep> BtbN: ChromeOS for one doesn't obey that route.
05:23 < DrMac|Beep> Pretty sure Android/iOS doesn't either.
05:23 -!- DrMac|Beep [~iamgroot1@unaffiliated/drmacinyasha] has quit [Remote host closed the connection]
05:24 < DrMacinyasha> But I'll be starting over from scratch once Linode gives me another /64 block to play with that I can hand out to clients.
05:25 <@plaisthos> android will honour this
05:25 <@plaisthos> kind of
05:25 <@plaisthos> you will end up with a route to the VPN device
05:25 <@plaisthos> but as a TODO item, I might implement generating IMCPv6 unreachable
05:25 <@plaisthos> in OpenVPN
05:25 <@plaisthos> as a stopgab
05:28 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
05:39 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 265 seconds]
05:45 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
05:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:51 -!- klaxa [~klaxa@klaxa.eu] has joined #openvpn
06:54 -!- elfixit [~Icedove@dhcp-129-165.office.init7.net] has joined #openvpn
06:56 -!- klaxa [~klaxa@klaxa.eu] has left #openvpn ["Bye."]
07:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
07:15 -!- Irrelephant [~Irrelepha@213.136.81.155] has joined #openvpn
07:21 -!- Irrelephant [~Irrelepha@213.136.81.155] has quit [Quit: Leaving]
07:44 -!- bakhtiya [~me@office.addictivemobility.com] has quit [Read error: Connection reset by peer]
07:45 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
07:50 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 250 seconds]
07:53 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
07:58 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:00 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 260 seconds]
08:02 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
08:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:11 -!- rap_wrk [~reshad@unaffiliated/rap-wrk/x-769542] has joined #openvpn
08:12 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:21 -!- elfixit [~Icedove@dhcp-129-165.office.init7.net] has quit [Ping timeout: 245 seconds]
08:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:56 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
08:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
09:00 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:00 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:02 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
09:08 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
09:21 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:25 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Read error: No route to host]
09:31 -!- Ahrotahntee [~ahrotahnt@unaffiliated/ahrotahntee] has joined #openvpn
09:31 < Ahrotahntee> !welcome
09:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
09:31 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:32 < Ahrotahntee> !route
09:32 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
09:32 <@vpnHelper> client
09:32 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
09:37 < Ahrotahntee> !serverlan
09:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
09:37 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
09:53 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
09:53 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
10:03 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
10:04 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:05 -!- resixian [~akira@unaffiliated/resixian] has joined #openvpn
10:05 < resixian> i have created a --secret tunnel between my workplace's main office and a remote lab. status->openvpn shows the remote site is connected, and bytes are sent & received, however i can't ping/see machines between the sites
10:08 < resixian> fro m
10:09 < resixian> server router is a soekris box with pfsense 2.1.5-RELEASE, and the client router is an old wrt54g with ddrwt-vpn build on it
10:09 < resixian> server config: http://pastebin.com/rbij6DkR
10:14 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
10:16 < resixian> client config: http://pastebin.com/2LB856Np
10:17 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
10:24 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
10:29 < resixian> the autogenerated client config (from a pfsense packae) needde some tweaks to run
10:29 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
10:30 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:31 < resixian> i had to comment out the ifconfig and route commands, but i do run them outside the client.conf, and using 'pull' in the client.conf throws an error
10:33 -!- scottyob [~scottyob@104.131.140.184] has left #openvpn []
10:33 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
10:34 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
10:34 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Remote host closed the connection]
10:35 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
10:40 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:47 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:51 < resixian> oh, i have opened port 1195 on server router, which operates bridged behind our comcast modem. the client firewall is off for testing
11:20 -!- mistermajestic [~mistermaj@109.201.154.211] has quit []
11:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:33 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Max SendQ exceeded]
11:49 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
11:54 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
12:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
12:09 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
12:09 -!- jangerhofer [~jangerho@0587345014.wireless.umich.net] has joined #openvpn
12:10 -!- jangerho [~jangerho@0587345014.wireless.umich.net] has joined #openvpn
12:10 -!- jangerhofer [~jangerho@0587345014.wireless.umich.net] has quit [Read error: Connection reset by peer]
12:16 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 258 seconds]
12:16 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
12:25 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
12:25 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
12:58 -!- jangerho [~jangerho@0587345014.wireless.umich.net] has quit [Quit: Leaving...]
13:04 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 260 seconds]
13:08 < ender|> resixian: i've had problems with openvpn on dd-wrt, because at least when i used it, you couldn't disable NAT on the tunnel
13:08 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
13:09 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Max SendQ exceeded]
13:12 < pekster> !dd-wrt
13:12 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
13:13 < ender|> i'm using openvpn on tomato, which works well enough for me
13:13 -!- julieeharshaw [~julie@37.157.194.41] has joined #openvpn
13:14 < ender|> (and openwrt and pfsense and regular linux and windows)
13:14 -!- julieeharshaw [~julie@37.157.194.41] has quit [Max SendQ exceeded]
13:16 -!- dazo is now known as dazo_afk
13:20 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
13:23 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
13:29 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
13:33 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
13:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
13:46 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
13:47 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
14:08 -!- imsomeoneelse [~eh@wsip-98-190-221-98.dc.dc.cox.net] has quit [Remote host closed the connection]
14:09 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Quit: Leaving]
14:13 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
14:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:14 -!- mode/#openvpn [+v s7r] by ChanServ
14:18 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
14:26 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
14:27 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:34 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
14:36 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
14:48 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
14:52 -!- Zimsky-- [~alice@unaffiliated/zimsky] has quit [Ping timeout: 265 seconds]
14:53 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
14:55 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
15:04 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
15:08 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
15:19 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
15:19 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
15:20 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
15:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
15:23 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
15:25 -!- Fetch [fetch@gimel.cepheid.org] has quit [Ping timeout: 240 seconds]
15:28 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
15:32 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
15:35 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
15:45 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
15:48 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:59 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
15:59 -!- mattock is now known as mattock_afk
16:02 < Fun> hi folks
16:03 < Fun> is it ok to talk about various vpn solutions here?
16:04 < Fun> like soft ether?
16:08 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
16:10 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
16:16 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
16:18 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:20 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:24 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit1]
16:28 < Fun> is there binary for trusy?
16:28 < Fun> trusty?
16:33 < ValdikSS> Fun: It's OpenVPN-only channel
16:34 < Fun> cool
16:34 < Fun> is it possible to use open vpn from china?
16:34 < Fun> to access facebook and likes?
16:34 < ValdikSS> Guys, could someone confirm bug? Connect via management interface and try to kill a username with cyrillic uppercase characters and space
16:34 < ValdikSS> Like: kill 'тест Имени с Заглавными'
16:34 < ValdikSS> Would it hang?
16:35 < ValdikSS> kill 'Говно и Моча' - hangs
16:36 < ValdikSS> Fun: yes it is with static keys
16:37 < Fun> ValdikSS: what do u mean by static keys? any link I can read?
16:37 < ValdikSS> !static
16:37 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
16:37 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
16:37 < ValdikSS> Fun: whoops, sorry, that's a wrong one
16:37 < ValdikSS> Fun: OpenVPN Management Interface
16:37 < ValdikSS> Fun: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
16:37 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:38 < Fun> ValdikSS:  is this feature available in community software version?
16:38 < ValdikSS> Fun: Sure
16:38 < Fun> awesome
16:38 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
16:38 < Fun> Limited scalability -- one client, one server hmm
16:38 < Fun> what if I want 10 clients one server?
16:38 < Fun> can they simply share same key?
16:39 < ValdikSS> Fun: You can try TLS server (usual configuration) and obfsproxy
16:39 < ValdikSS> Fun: google for obfsproxy, it might help
16:39 < Fun> ValdikSS: if I just use openvpn protocol is it able to bypass chinese gov firewall?
16:40 < Fun> or they detect it
16:40 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
16:40 < Fun> I saw some people using even pptp and it works
16:40 < ValdikSS> Fun: They would detect if you won't use obfsproxy
16:40 < ValdikSS> Fun: with obfsproxy, it should work
16:40 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
16:41 < Fun> obfsproxy is tor based means very slow
16:43 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
16:44 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
16:45 < Fun> ValdikSS: what about L2TP/IPSec?
16:45 < ValdikSS> Fun: Can't say anything, but you could try. The easiest thing is strongswan
16:46 < ValdikSS> Fun: obfsproxy has nothing with Tor except it was used by Tor developers
16:46 < ValdikSS> Fun: it's just an obfuscating proxy, nothing more, nothing less
16:48 < Fun> i see
16:49 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
16:52 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
16:53 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
16:53 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
16:54 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
16:54 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
16:57 < Thermi> Fun: I'm a strongswan supporter. Using ipsec to try to go around the chinese firewall is futile. IPsec is extremely distinguishable from other traffic. I'd go for openvpn and obfsproxy
16:58 < Fun> Thermi cool so what is strongwan role in obfsproxy setup?
16:59 < Thermi> Quote: "I'd go for openvpn and obfsproxy"
16:59 < Fun> I'm a strongswan supporter lol
16:59 < Thermi> To be more clear: I do 60% of the support work in #strongswan and on the mailing list.
17:00 < Fun> cool so strongwan can be intergrated with open vpn server?
17:00 < Fun> wonders
17:01 < Fun> or its a seperate software
17:01 < Fun> *separate
17:01 < Thermi> Argh
17:01 < Thermi> No it can't. strongSwan and openvpn are totally different things for the same purpose
17:02 < Fun> cool
17:02 < Thermi> Use OpenVPN with obfsproxy!
17:03 < Fun> Thermi: oki so openvpn + obfsproxy also work, cool. since i got custom open vpn GUI :)
17:06 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
17:11 < Fun> I read howto, how I can change admin login to different IP? so its accessible for ip nr 2?
17:11 < Fun>  OpenVPN AS access
17:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
17:22 < Fun> I installed ready made deb
17:22 < Fun> and it havent asked for IP
17:23 < kenyon> !as
17:23 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
17:23 < kenyon> !no_as
17:23 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
17:27 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
17:42 < Fun> kenyon: hmm I was sure I installed community version
17:42 < Fun> 1 moment
17:44 < Fun> kenyon so this wget http://swupdate.openvpn.org/as/openvpn-as-2.0.                      7-Ubuntu13.amd_64.deb
17:44 < Fun> is not a community version?
17:44 < kenyon> no
17:44 < kenyon> you run "aptitude install openvpn" to install the community version
17:44 < Fun> kenyon: ok so I have to remove it somehow before installing community one?
17:45 < kenyon> yes
17:45 < Fun> like apt-get purge openvpn?
17:45 < kenyon> I would do aptitude purge openvpn-as
17:45 < kenyon> apt-get purge openvpn-as should work too
17:47 < Fun> dpkg: warning: while removing openvpn-as, directory '/usr/local/openvpn_as/etc/web-ssl' not empty so not removed dpkg: warning: while removing openvpn-as, directory '/usr/local/openvpn_as/etc/db' not empty so not removed dpkg: warning: while removing openvpn-as, directory '/usr/local/openvpn_as/etc/tmp' not empty so not removed - I simply delete them manually?
17:48 < Eugene> !as
17:48 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
17:48 < Fun> Eugene: the question relates to install of community version
17:49 < Fun> anyhow I rm -rf them
17:49 < kenyon> you can ignore that dpkg warning, just remove that directory manually
17:49 < Eugene> Uninstalling AS is not a community problem ;-)
17:49 < Eugene> And to be honest, neither would be installing openvpn - strictly speaking that's a Debian/Ubuntu issue.
17:50 < Fun> :)
17:50 < Fun> that is your opinion true
17:50 < Eugene> My opinion has the profound benefit of being correct.
17:50 < Fun> Eugene: does open vpn have any easy ways to manage users?
17:50 < Eugene> openvpn has no concept of users, only of a "common name" for a given client
17:51 < Eugene> This is generally derived from either the CN field of the certificate used to authenticate, or the username= under --auth-user-pass
17:51 < Eugene> If the latter then it's handed off to --auth-user-pass-verify(or a PAM-based local system auth)
17:52 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:53 < Fun> cool
17:53 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
17:53 < Fun> and does community version have any windows client gui?
17:54 < Eugene> Yes, openvpn-gui.exe is a Tray-icon-centric app which lets you selectively start/stop/restart openvpn.exe
17:54 < Eugene> !download
17:54 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
17:54 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
17:54 < Eugene> It runs just fine in either client or server modes
17:54 < Eugene> Note: you need to invoke as Admin to handle the TAP device properly.
17:58 < Fun> seems pretty easy to start with
18:04 < Fun> to add pam users I simply make new one in terminal?
18:13 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:24 < Fun> ok and how do I config win ui hmm
18:24 < Fun> :d
18:24 < Fun> gotta find conf location
18:26 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
18:27 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
18:28 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:32 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
18:33 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
18:50 -!- tamazaki_ [~tamazaki@95.85.35.109] has joined #openvpn
18:51 < tamazaki_> !poodle
18:51 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
18:52 < tamazaki_> Does anyone know if OpenVPN is vulnerable to the recent memory leak vulnerabilities (SRTP Memory Leak & Session Ticket Memory Leak) - https://www.openssl.org/news/secadv_20141015.txt
18:54 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
18:54 < tamazaki_> !hardening
18:54 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
18:54 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
19:07 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:07 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
19:12 < resixian> ender|: thanks, its actually working with ddwrt. I looked for a tomato-vpn but didn't see any mention of openvpn with it, sigh. i would rather tomato also
19:13 < resixian> now i have my tunnel working and almost every client PC is able to see the other end but for some reason one windows 7 PC can't see anything.
19:13 < resixian> that pc has a gw of 10.1.50.1 (the client lan) while the working PCs have  a gw of 10.1.1.1 (the server lan)
20:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
20:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
20:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
21:08 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
21:10 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
21:24 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
21:27 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
21:27 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
21:35 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 272 seconds]
21:49 -!- rap_wrk [~reshad@unaffiliated/rap-wrk/x-769542] has quit [Ping timeout: 245 seconds]
21:51 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
22:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:24 <+_FBi> resixian, have you looked at OpenWRT?
22:40 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
22:52 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Linkinus - http://linkinus.com]
23:01 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
23:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 255 seconds]
23:11 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
23:11 < Moonlightning> I don't suppose I can allocate two distinct v6 address blocks for the same network?
23:19 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 244 seconds]
23:26 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
23:32 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:43 -!- ShadniX [dagger@p5DDFF99F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:44 -!- ShadniX [dagger@p5DDFEDF9.dip0.t-ipconnect.de] has joined #openvpn
23:52 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
23:56 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
--- Day changed Sat Oct 18 2014
00:46 -!- Brando753 is now known as Anon827812
00:47 -!- Anon827812 is now known as Brando753
00:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
00:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 240 seconds]
01:15 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
01:21 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:36 -!- Fun [~Fun@unaffiliated/fun] has quit [Quit: Leaving.]
01:48 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
01:52 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:30 < ender|>  resixian: http://tomato.groov.pl/
02:31 <@vpnHelper> Title: Tomato by Shibby » Alternatywne oprogramowamie na routery (at tomato.groov.pl)
02:38 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
02:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 258 seconds]
02:51 -!- mattock_afk is now known as mattock
02:57 < kenyon> Moonlightning: maybe not with the openvpn config commands, but otherwise sure
02:57 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
04:14 -!- detha [~detha@unaffiliated/detha] has quit [Read error: Connection reset by peer]
04:22 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
04:31 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 244 seconds]
04:33 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
04:36 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 244 seconds]
05:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:24 -!- mxms [~Max@opensn0w/developer/mxms] has joined #openvpn
05:24 < mxms> !welcome
05:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
05:24 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:24 < mxms> !goal
05:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:25 < mxms> Hey, openvpns pretty cool. Anyways, I'd like to get rid of "Authenticate/Decrypt packet error: cipher final failed" withuot simply ignoring it :-) Yes, both server and client have the static key
05:26 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
05:27 < mxms> you guys should consider putting xyproblem.info in the topic ;-)
05:33 < mxms> whoops I fixed it :-)
05:33 < mxms> tchau~
05:33 -!- mxms [~Max@opensn0w/developer/mxms] has left #openvpn ["WeeChat 1.1-dev"]
05:41 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:10 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
06:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
06:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 244 seconds]
06:28 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
06:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:01 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 260 seconds]
08:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:14 -!- vlayn [~vlayn@jor31-1-78-225-230-209.fbx.proxad.net] has joined #openvpn
08:14 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
08:29 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has joined #openvpn
08:30 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
08:38 -!- Pyrogerg [~Gregory@75-173-103-62.albq.qwest.net] has quit [Ping timeout: 250 seconds]
08:41 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
08:59 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
09:32 < pushpop> Is there any open source clientless SSL VPNs out there?
09:49 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
10:05 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
10:16 < Moonlightning> Hmm…
10:16 < Moonlightning> !p2p
10:16 <@vpnHelper> "p2p" is "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
10:17 < Moonlightning> kenyon: hmm?
10:18 < Moonlightning> I'm looking at RFC 6296; if it is what it says on the tin, then it's probably what I want
12:09 -!- mapps [~RV520@37.195.208.178.dsl.dynamic.gibconnect.com] has joined #openvpn
12:09 < mapps> hi all
12:09 < mapps> having trouble with openvpn starting just says failed to start
12:09 < mapps> where can i see the log? checked openvpn.log and openvpn=-status nothing useful
12:10 <@krzee> !logfile
12:10 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
12:10 < mapps> so i need to change to verb 5
12:10 <@krzee> and it says "failed to start" because you're starting it with the OS startup script.
12:10 < mapps> probably
12:10 < mapps> oh
12:10 < mapps> thanks krzee  didnt know that was why
12:11 <@krzee> verb 5 is what you got from that?
12:11 < mapps> i was doing sudo service openvpn start
12:11 <@krzee> it shows you that --log gives a logfile
12:11 < mapps> ive specified log file in the server.conf
12:11 < mapps> so i need to start it manually rather than service openvpn start?
12:12 <@krzee> you prolly didnt specify --log
12:12 <@krzee> which is very different than --status
12:13 <@krzee> if you DID use --log /path/to/log then you can start it as a service fine and grab the logfile from /path/to/log
12:13 < mapps> yea i didnt i just had like log openvpn.log
12:13 < mapps> yea
12:13 <@krzee> and before you did that, it was being logged by syslog
12:13 <@krzee> (since your OS startup script adds --daemon)
12:15 < mapps> hmm
12:15 < mapps> it fails with servoice start and yet when i do ps aux it shows it running?!
12:15 <@krzee> kill it
12:16 <@krzee> how many config files are in your /etc/openvpn/ ?
12:16 <@krzee> your script will probably try to start them all
12:16 < mapps> ahhhh
12:16 <@krzee> and report failure if 1 cant
12:16 < mapps> ive got 2 , didnt even consider it
12:16 < mapps> got an old one too
12:16 <@krzee> yep
12:16 < mapps> thanks:)
12:16 <@krzee> just name it config.bak or whatev
12:17 <@krzee> your script prolly starts .conf and .ovpn files
12:17 < mapps> yep starts now!
12:17 <@krzee> or something similar
12:17 < mapps> it starts but i cant connect at all..any ideas? besides port forwarding? as the machines set as DMZ
12:18 <@krzee> firewall
12:18 <@krzee> !timeout
12:18 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
12:18 < mapps> i dont get anything connecting from a windows7 laptop.nothing at all in the status
12:18 < mapps> as if it doesnt even make a connection
12:19 <@krzee> !logfile
12:19 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
12:19 <@krzee> in windows too :-p
12:19 <@krzee> !winpath
12:19 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key" or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
12:19 < mapps> yea nothing in windows log as it doesnt connect so dont get any errors
12:20 < mapps> wonder if the ISP block 1194
12:20 < mapps> unlikely?
12:20 <@krzee> not likely
12:20 < mapps> yep nothing in logs
12:20 <@krzee> more likely you did something wrong in the firewall/nat or wrong ip/port/protocol
12:21 < mapps> http://pastebin.com/ffNad3W8 -- client config
12:21 < mapps>  http://paste.debian.net/127475/ server config
12:21 <@krzee> LOL
12:21 < mapps> it cant be port forwarding..as i can SSH in and access apache
12:21 <@krzee> verb 1? really?
12:22 <@krzee> not gunna get much debugging done with verb 1
12:22 < mapps> that wouldnt stop it connecting tho:)
12:22 < mapps> yea
12:22 < mapps> il change
12:22 <@krzee> and dont post configs with 100 lines of useless comments
12:22 <@krzee> !configs
12:22 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:22 <@krzee> im not reading the server config like that, please repost it without them
12:23 <@krzee> your client doesnt have any certs?
12:23 < mapps> ah wrong config file
12:23 <@krzee> omg
12:23 <@krzee> dude
12:23 < mapps> sorry
12:23 <@krzee> you gotta help me help you
12:25 <@krzee> use verb 5 on both sides when you need to debug
12:25 < mapps> will do
12:27 < mapps> see the server starts fine but i just get no response when connecting
12:27 -!- vlayn [~vlayn@jor31-1-78-225-230-209.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
12:27 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Quit: No matter how dark the night, somehow the Sun rises once again...]
12:28 <@krzee> you dont need to keep repeating that
12:29 < mapps> sorry mate
12:29 <@krzee> because i dont want to keep repeating <krzee> more likely you did something wrong in the firewall/nat or wrong ip/port/protocol
12:29 <@krzee> heh
12:29 < mapps> yea
12:29 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
12:29 < mapps> the host in config for client and port is right..specified protocol too
12:29 <@krzee> you gunna post the configs?
12:30 <@krzee> (the right configs, posted without 100+ lines of useless comments)
12:30 < mapps> yea
12:32 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
12:34 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
12:35 < mapps> http://paste.debian.net/127479/ server
12:35 < mapps> http://pastebin.com/0HNxNhV3 client
12:36 <@krzee> key-direction 1
12:36 <@krzee> why do you have that, when you arent even using tls-auth?
12:37 <@krzee> !hmac
12:37 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
12:37 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
12:37 < mapps> oh, i followed a tutorial my mistake:(
12:37 <@krzee> also you may not have mismatching --cipher
12:37 <@krzee> !walkthrough
12:37 <@vpnHelper> "walkthrough" is if you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
12:37 <@krzee> i recommend you go to the manual and read EVERYTHING in your configs
12:38 <@krzee> !man
12:38 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:38 < mapps> ok:)
12:38 <@krzee> so to know what cipher does, read --cipher
12:38 <@krzee> etc
12:39 <@krzee> it shouldnt take *too* long, you dont need to read the entire manual (although it is a great read, and i do recommend doing it sometime if you find the time)
12:39 < mapps> will have a read after work..i was just trying to get one running asap so i could watch UK on demand..as im away for a bit..i had one working at home but someone turned it off;(
12:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
12:43 <@krzee> cool, talk to ya later
12:44 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 255 seconds]
12:54 -!- mapps [~RV520@37.195.208.178.dsl.dynamic.gibconnect.com] has quit [Ping timeout: 258 seconds]
12:54 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:00 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 255 seconds]
13:01 < Moonlightning> Hmm
13:01 < Moonlightning> I don't suppose there's any way to get OpenVPN to assign IPs from a hosts file?
13:02 < Moonlightning> Right now I have a client config dir, and that's really all I'm using it for
13:02 < Moonlightning> And I have to manage that /and/ the hosts file
13:10 < Moonlightning> …hmmmm.
13:10 < Moonlightning> Maybe I could make a script instead
13:11 < Moonlightning> a client-connect script, I guess, pull the hostname from the client cert, resolve it, push `ifconfig` options for those addresses
13:11 < Moonlightning> Speaking of. /Can/ you assign multiple addresses by specifying multiple `ifconfig` and `ifconfig-ipv6` options?
13:12 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
13:19 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Connection reset by peer]
13:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:22 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
13:23 < flickabic> I'm trying to make my online services available when I turn on the VPN. it seems when I engage the vpn all the incoming traffic is blocked and my servers are unavailable. Is it possible to setup ovpn to only use 1 program?
13:30 -!- tgm4883 [uid23806@ubuntu/member/tgm4883] has joined #openvpn
13:31 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Read error: Connection reset by peer]
13:31 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
13:40 < tgm4883> I'm trying to setup openvpn on my openwrt routers to connect two houses so we can do some lan gaming. Both houses are on separate subnets (192.168.0.x and 192.168.1.x) and I can see that the connection is up and I can ssh from the "client" router to the "server" router, but I'm unable to connect from the client router to anything beyond the server router,
13:40 < tgm4883> and unable to connect from anything behind the client router to the server router (or anything behind it). I'm not seeing any errors in the logs but I'm unsure where else to look
13:40 -!- acovrig [~acovrig@host-216-229-233-5.public.southern.edu] has joined #openvpn
13:41 < tgm4883> that is an attempt to setup just subnet routing through the VPN, not all ip traffic routing
13:50 < Moonlightning> What are the security implications of setting `script-security 2`?
13:51 < Moonlightning> Are scripts ever run besides one specified in the script options (`up`, `client-connect`, `down`, etc)?
13:51 < Moonlightning> besides ones *
13:51 < Moonlightning> I feel like there's an important security consideration I've forgotten about
13:52 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
13:53 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 260 seconds]
13:53 < Moonlightning> !scripts
13:53 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
13:55 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Quit: I Was Just De-c0ded!]
13:59 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:01 -!- Netsplit *.net <-> *.split quits: CaTtleyA
14:02 < Moonlightning> …wait. Can scripts even push settings to clients?
14:06 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:19 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
15:01 -!- MaddinXx [~racksteri@zux221-179-150.adsl.green.ch] has joined #openvpn
15:06 -!- MaddinXx [~racksteri@zux221-179-150.adsl.green.ch] has quit [Read error: Connection reset by peer]
15:10 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
15:11 < Moonlightning> What's the equivalent of $ifconfig_pool_local_ip for v6 addresses?
15:11 < Moonlightning> If there's a v4 and a v6 DHCP pool, are clients assigned an address from both?
15:11 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
15:12 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
15:22 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
15:26 -!- JackWinter_ [~jack@85.93.209.190] has joined #openvpn
15:47 -!- JackWinter_ [~jack@85.93.209.190] has quit [Ping timeout: 244 seconds]
15:50 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
15:50 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
15:56 -!- mattock is now known as mattock_afk
16:11 -!- acovrig [~acovrig@host-216-229-233-5.public.southern.edu] has quit [Quit: acovrig]
16:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
16:32 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.0.1]
16:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:36 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
16:40 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
16:43 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
17:45 -!- camedwardo [~camedward@173.192.176.162] has joined #openvpn
17:45 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
18:03 -!- camedwardo [~camedward@173.192.176.162] has quit [Ping timeout: 244 seconds]
18:12 -!- FLHerne [~flh@dsl-217-155-24-22.zen.co.uk] has joined #openvpn
18:15 -!- FLHerne [~flh@dsl-217-155-24-22.zen.co.uk] has left #openvpn ["There's a real world out here!"]
18:16 -!- Dave001 [~Dave001@73.39.139.76] has joined #openvpn
18:18 < Dave001> So anybody up to helping me with a OpenVPN issue on Linux Mint 17?
18:19 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
18:20 < CygniX> is there still no fix/workaround for android openvpn client and ipv6
18:37 <@plaisthos> CygniX: For Android 4.4 there never will a fix
18:38 < CygniX> never will be I think you meant plaisthos
18:41 < CygniX> I suspected so.
18:42 < CygniX> I am guessing kernel related, and iptables
18:44 <@ecrist> !nopull
18:44 <@vpnHelper> "nopull" is "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
18:45 <@ecrist> that wasf for me
18:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:52 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 260 seconds]
18:53 -!- Dave001 [~Dave001@73.39.139.76] has quit [Read error: Connection reset by peer]
18:55 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:10 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
19:49 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
19:51 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 260 seconds]
19:53 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
19:57 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 255 seconds]
19:58 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
20:19 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
20:27 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
20:29 -!- phunyguy [~vortex@unaffiliated/phunyguy] has joined #openvpn
20:48 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
21:03 -!- fling [~fling@fsf/member/fling] has joined #openvpn
21:38 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
21:52 -!- Pyrogerg [~Gregory@75-105-161-25.cust.wildblue.net] has joined #openvpn
21:56 -!- teksimian [~chatzilla@209-197-163-221.cpe.distributel.net] has joined #openvpn
22:02 -!- Pyrogerg [~Gregory@75-105-161-25.cust.wildblue.net] has quit [Ping timeout: 265 seconds]
22:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:08 -!- Airwave [~Airwave@94.246.37.45] has quit [Quit: Bye]
22:14 < Moonlightning> Is there an equivalent of $ifconfig_pool_local_ip for v6 addresses? The /environment variables/ section of the manual page doesn't mention one.
22:27 -!- phunyguy [~vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
22:29 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
23:10 -!- Pyrogerg [~Gregory@75-105-161-25.cust.wildblue.net] has joined #openvpn
23:11 -!- Pyrogerg [~Gregory@75-105-161-25.cust.wildblue.net] has quit [Client Quit]
23:23 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
23:24 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
23:32 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:43 -!- ShadniX [dagger@p5DDFEDF9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:44 -!- ShadniX [dagger@p5DDFE17D.dip0.t-ipconnect.de] has joined #openvpn
23:58 <@krzee> Moonlightning, just send env to a file and take a look at whats available to ya
23:58 < Moonlightning> yeah, that's what I'm doing right now
23:58 < Moonlightning> Really, though, it should be documented >.>
23:58 <@krzee> prolly is but i dont care to look to show you
23:59 <@krzee> (cause its so easy to just send env to a file)
23:59 <@krzee> but if you're convinced it's not after you find it, feel free to document it.
--- Day changed Sun Oct 19 2014
00:19 < Moonlightning> Well, I mean…it's not in the manual page.
00:19 < Moonlightning> So either it doesn't exist, or it's not documented.
00:19 < Moonlightning> Either way, I have a problem. :P
00:20 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:20 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:24 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
00:26 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
00:44 < Moonlightning> Hmm
00:44 < Moonlightning> So openvpn's complaining about bad options on my `ifconfig-ipv6` line
00:44 <@krzee> openvpn --version
00:44 < Moonlightning> 2.3.4
00:45 <@krzee> show your config
00:46 < Moonlightning> bluh, okay
00:50 <@krzee> and your log
00:50 <@krzee> (verb 4)
00:52 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
00:53 -!- mxms [~Max@opensn0w/developer/mxms] has joined #openvpn
00:53 -!- X420sK1DxbluNtZX [~dank@107.170.211.61] has joined #openvpn
00:54 < mxms> hey do you think a 512mb server running debian 7 could handle like 1000 users
00:54 < mxms> at a reasonable speed
00:55 < mxms> with aes256 on
00:55 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
00:57 < Moonlightning> Never mind; I got it.
00:57 < Moonlightning> > Options error: ifconfig-ipv6: /netbits must be between 64 and 124, not '/47'
00:57 < Moonlightning> Why is this?
01:02 <@krzee> Moonlightning, openvpn would shit itself WAY before using a /64
01:02 < Moonlightning> krzee, what
01:03 <@krzee> how many addresses in a /64?
01:03 < Moonlightning> A ton. xD
01:04 < Moonlightning> 18446744073709551616
01:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:04 <@krzee> why do you feel you need more than that for openvpn?  openvpn is single threaded you most likely wont get even 1000 clients
01:06 < Moonlightning> Shouldn't v6 networks always be at least /64s?
01:06 < Moonlightning> Any smaller than that and you lose features.
01:06 <@krzee> i dont use ipv6 or know it much, so i guess i shouldnt answer
01:06 < mxms> :-(
01:06 < mxms> 25?
01:06 <@krzee> whoa sorry mxms i didnt even see your question
01:06 <@krzee> lol
01:06 <@krzee> kinda funny
01:07 < Moonlightning> You're right. I'm only going to have half a dozen clients.
01:07 <@krzee> mxms, i dont know exactly where you'll hit your bottleneck, 25 is small though
01:07 < Moonlightning> Buuut…
01:08 <@krzee> mxms, if you have aes support in your cpu make sure to enable it
01:08 <@krzee> !gigabit
01:08 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
01:08 < Moonlightning> If you want automatic address assignment, you need at least a /64.
01:08 < Moonlightning> And also other things.
01:08 < Neal_> !hardening
01:08 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
01:08 <@krzee> he mentions it in that writeup ^
01:08 <@krzee> Moonlightning, automatic address assignment?  openvpn does that.
01:09 < Moonlightning> < and also other things
01:09 <@krzee> prolly shoulda mentioned one of those things instead :-p
01:23 < Moonlightning> …still. Why /not/ allow it?
01:26 <@krzee> i dont remember the specifics but i know they had to draw the line somewhere in the code, if you care enough to write a patch maybe they'll accept it
01:27 <@krzee> i remember it coming up in a meeting and the point that openvpn could not possibly handle ANYWHERE NEAR that many machines made it irrelevant
01:38 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
01:39 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
02:31 -!- mattock_afk is now known as mattock
02:45 < Neal_> can you make the client use the server's /etc/hosts?
02:52 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 258 seconds]
02:54 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
02:55 <@krzee> Neal_, yes, by running dnsmasq on the server
02:55 <@krzee> its a nameserver that can be configured to use /etc/hosts
02:56 < Neal_> so i'd change the "dhcp-option DNS 8.8.8.8" to the server IP then?
02:56 <@krzee> right
02:56 < Neal_> makes sense
02:56 < Neal_> thank
02:56 < Neal_> s
02:56 <@krzee> and then have dnsmasq setup to forward to 8.8.8.8 if you like
02:56 <@krzee> for the hosts not in /etc/hosts
02:57 < Neal_> yeah, i'll check out dnsmasq
02:57 < Neal_> i've heard of it just never used it
02:58 < Neal_> also i was testing something right now and i was able to use the same certs to connect from two devices, can this is not allowed? like if a user is already connected, don't allow another connection or disconnect the other connection?
02:58 <@krzee> !dupe
02:58 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
02:59 <@krzee> by default they will knock eachother off
03:00 <@krzee> then if keepalive is used they fight eachother, a related faq is "why do i get disconnected after a couple minutes?"
03:00 < Neal_> here are my configs https://ghostbin.com/paste/vzt6p
03:01 <@krzee> for what?
03:01 < Neal_> server and conf
03:01 < Neal_> clietn*
03:01 <@krzee> i mean what am i looking for?
03:01 < Neal_> they aren't knocking each other off
03:01 < Neal_> i can connect twice
03:01 <@krzee> you dont even have certs in your client
03:02 < Neal_> i just didn't include them
03:02 <@krzee> cool
03:02 <@krzee> do you have a question?
03:03 < Neal_> i don't want clients to be able to connect twice
03:03 < Neal_> (from multiple devices)
03:03 <@krzee> then dont use duplicate-cn
03:03 < Neal_> i don't think i am :<
03:03 <@krzee> then the first one is getting knocked off, and then reconnecting and knocking off the other one, and back and forth
03:04 <@krzee> i answered you already, you just didnt like the answer :-p
03:04 <@krzee> watch your server config, you'll see a message that its knocking off the old client.
03:04 <@krzee> server log*
03:04 < Neal_> aah
03:05 <@krzee> the speed of this battle is based on your keepalive
03:08 < Neal_> krzee: you're right
03:08 < Neal_> thanks man
03:08 <@krzee> np
03:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:59 -!- someone [~someone@173.255.245.70] has quit [Quit: ZNC - http://znc.in]
04:01 -!- d10n [~d10n@unaffiliated/d10n] has quit [Ping timeout: 250 seconds]
04:09 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:31 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
04:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:36 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
04:39 -!- mxms [~Max@opensn0w/developer/mxms] has left #openvpn ["WeeChat 1.1-dev"]
05:01 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:32 -!- novaflash is now known as novaflash_away
06:56 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
07:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
07:02 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
07:37 -!- cwillu_at_work [cwillu@2600:3c02::f03c:91ff:fe96:df43] has quit [Quit: poking people with sticks never pays]
07:37 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
07:38 -!- pushpop [~pushpop@unaffiliated/pushpop] has quit [Ping timeout: 255 seconds]
07:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:10 -!- mattock is now known as mattock_afk
08:14 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Quit: Konversation terminated!]
08:57 -!- someone [~someone@chronostasis.net] has joined #openvpn
09:12 -!- zbcm [~Evan@125.253.96.5] has joined #openvpn
09:14 < zbcm> Hi, I'm using the Windows OpenVPN client and I like using the GUI, say I have 5 different VPN configurations, what would be the fastest way to switch between them? Should I just write batch files to copy the right file in to the config folder or?
09:19 < zbcm> Eh, I'll just do that.
09:22 <@plaisthos> you can select the configuration from the menu
09:29 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
09:30 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:32 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
09:46 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
10:35 < zbcm> how?
11:14 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Quit: elfixit1]
11:26 -!- kirin` [telex@gateway/shell/anapnea.net/x-enopjxgjhpmrkyuc] has joined #openvpn
11:34 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has joined #openvpn
11:37 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Ping timeout: 246 seconds]
11:40 -!- juztin__ [~juztin_@c-174-52-87-120.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
11:42 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has quit [Read error: Connection reset by peer]
11:48 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
11:48 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 250 seconds]
11:55 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:14 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Remote host closed the connection]
12:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-enopjxgjhpmrkyuc] has quit [Quit: leaving]
12:17 -!- kirin` [telex@gateway/shell/anapnea.net/x-fppvaquovkrptznh] has joined #openvpn
12:20 -!- Nyoom is now known as iNeo
12:20 -!- iNeo is now known as iNeo19
12:21 -!- iNeo19 is now known as Nyoom
12:37 -!- Netsplit *.net <-> *.split quits: KiNgMaR, Eugene, APTX, roentgen, someone, mt, _0x5eb_, Left_Turn, hays, rich0,  (+4 more, use /NETSPLIT to show all of them)
12:37 -!- Netsplit over, joins: rich0
12:38 -!- Netsplit over, joins: roentgen
12:38 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
12:38 -!- Netsplit over, joins: Eugene
12:38 -!- Netsplit over, joins: Left_Turn, _0x5eb_
12:38 -!- Netsplit over, joins: juztin_
12:38 -!- Netsplit over, joins: deed02392
12:39 -!- zbcm [~Evan@125.253.96.5] has quit [Read error: Connection reset by peer]
12:39 -!- Netsplit over, joins: APTX
12:40 -!- Netsplit over, joins: hays
12:41 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
12:43 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
12:50 < CygniX> when using both ipv6/ipv4, you can't access forums.openvpn.net
12:51 < CygniX> "We're migrating to a new server. Sit tight."
12:53 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 258 seconds]
12:59 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
13:07 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
13:13 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 272 seconds]
13:15 <@syzzer> mattock_afk: I can confirm what CygniX reports
13:15 <@syzzer> forums.openvpn.net doesn't seem to work over ipv6
13:16 <@syzzer> or is this maybe more something for ecrist?
13:17 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
13:29 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
13:56 -!- mattock_afk is now known as mattock
14:10 -!- u0m3 [~u0m3@92.80.124.118] has quit [Read error: Connection reset by peer]
14:14 -!- X420sK1DxbluNtZX is now known as MaybeJonSeals
14:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-fppvaquovkrptznh] has quit [Remote host closed the connection]
14:16 -!- kirin` [telex@gateway/shell/anapnea.net/x-finywqmsuvqigdcg] has joined #openvpn
14:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:24 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
14:26 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
14:27 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
14:27 -!- u0m3 [~u0m3@92.80.124.118] has joined #openvpn
14:30 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
14:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-finywqmsuvqigdcg] has quit [Ping timeout: 272 seconds]
14:39 -!- kirin` [telex@gateway/shell/anapnea.net/x-mbvplbjtopjfkkcx] has joined #openvpn
14:45 -!- kirin` [telex@gateway/shell/anapnea.net/x-mbvplbjtopjfkkcx] has quit [Ping timeout: 272 seconds]
14:47 -!- flickabic [~marston@162-228-95-62.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]
14:50 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:17 -!- mattock is now known as mattock_afk
15:21 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Read error: Connection reset by peer]
15:21 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
15:30 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Read error: Connection reset by peer]
15:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:32 -!- mode/#openvpn [+v s7r] by ChanServ
15:43 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
15:52 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Quit: Konversation terminated!]
15:53 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
15:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
16:11 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Read error: Connection reset by peer]
16:12 -!- P-NuT [~P-NuT@www.daveharker.com] has joined #openvpn
16:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:14 < P-NuT> Is there any reason that openvpn would stop UDP traffic working?
16:17 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
16:19 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
16:20 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:22 -!- P-NuT [~P-NuT@www.daveharker.com] has quit [Quit: Leaving]
16:50 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
16:59 -!- MadHatter42 [~tuwid@217.73.143.43] has joined #openvpn
17:00 < MadHatter42> i just installed openvpn (via apt-get) on my laptop and no tun device was created
17:00 < MadHatter42> shouldnt it install another interface or something
17:01 < MadHatter42> ?
17:01 < MadHatter42> a tun or a tap
17:01 < MadHatter42> and i have specified a pem file on the config file and on the logs i keep getting a TLS handshake error
17:04 < MadHatter42> Oct 19 22:28:26 valhalla ovpn-ghdialog[9954]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
17:04 < MadHatter42> Oct 19 22:28:26 valhalla ovpn-ghdialog[9954]: TLS Error: TLS handshake failed
17:20 -!- MaybeJonSeals [~dank@107.170.211.61] has quit [Quit: ZNC - http://znc.in]
17:25 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 255 seconds]
17:27 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:32 -!- teksimian [~chatzilla@209-197-163-221.cpe.distributel.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.0/20141011015303]]
17:37 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:49 -!- xx7 [~jfo729Nf@freetheshellcodes.net] has joined #openvpn
17:50 < xx7> hiya. im using OpenVPN 2.3.4 x86_64-w64-mingw32 on windows 8.1 and having some issues. the TAP adapter doesnt seem to be receiving any data (wont route)
17:50 < xx7> not sure how to debug the issue further (it worked fine on windows 7)
17:51 < xx7> eventually i get no reply from server after sending 12 push requests
17:51 < xx7> then unroutable control packet received
17:51 < xx7> any ideas? ive tried all the things i could find regarding removing/re-adding adapters, changing compat on devcon, etc
17:51 < Eugene> Usually its "run as Admin"
17:52 < Eugene> But pastebin configs & logs
17:52 < xx7> yeah, everything is running as admin, openvpn command line, gui, devcon
17:52 < xx7> ok one sec
17:52 -!- prometheanfire [~promethea@gentoo/developer/prometheanfire] has joined #openvpn
17:52 < prometheanfire> !poodle
17:52 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
17:53 < xx7> http://pastebin.com/2s9GPiRv
17:54 < xx7> config: http://pastebin.com/A26gm9Rx
17:54 < Eugene> And the other side? ;-)
17:54 < xx7> if i could vpn i might be able to grab logs server side :(
17:55 < Eugene> Well without those I can't tell you much
17:55 < xx7> ok, shucks
17:55 < xx7> was hoping someone else had win8.1 problems + solutions
17:55 < Eugene> I can tell you that "TLS Error: local/remote TLS keys are out of sync:" is probably related here
17:56 < xx7> ok
17:56 < Eugene> Note on line 12 that you've got a ping-restart happening; if the server isn't doing the same then there's your issue
17:56 < xx7> hm ok, ill have to check the server when i get back in town i suppose
17:57 < Eugene> My guess? Some sort of mismatch between the two ends, and then your client is eating the connection.
17:57 < Eugene> So, not a Win8-specific problem ;-)
17:57 < Eugene> I say this to you via a Win8.1 machine, btw. It's fine.
17:57 < xx7> yeah i just attributed it to win8.1 as it worked for me fine, but both myself and a coworker have the same issue on win8.1
17:58 < xx7> oh well, not much more i can do atm
17:58 < xx7> thx anyway
17:58 < Eugene> Most problems with W8 & family are usually "I moved form Win7 to Win8 and forgot to change X so it must be W8"
18:13 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
18:25 -!- sluckxz [~sluckxz@unaffiliated/sluckxz] has joined #openvpn
18:40 < sluckxz> any recommended way to test link quality to vpn server list before connecting?  hoping for something much lighter than smokeping and graphite.  thinking fping and sort script maybe.
18:48 < CygniX> i posted early that openvpn forum fails if you are using ipv6, still fails
18:55 -!- someone [~someone@chronostasis.net] has joined #openvpn
18:56 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
19:01 < sluckxz> i dont mean officially recommended or anything,  does anybody test link quality before connect (even as simple as latencie)and if yes how.?
19:05 < MadHatter42> i got zip file with with 2 crt files and a pem file as a "here is your openvpn client config"
19:05 < MadHatter42> i created a conf file
19:06 < MadHatter42> with the IP
19:06 < MadHatter42> but i get a tsl handshake error
19:06 < MadHatter42> i remember having another vpn profile before
19:06 < MadHatter42> it was with a key file (not pem) and worked fine
19:07 < MadHatter42> does openvpn have issue with .pem files ?
19:10 < MadHatter42> Eugene, any ideas ?
19:10 < Eugene> !beer
19:10 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
19:11 < Eugene> Talk to whoever handed you that zip and get a .conf/.ovpn
19:11 < MadHatter42> well I cant, you see, my german is not that good
19:12 < MadHatter42> besides after installing openvpn i didnt get a tun device
19:12 < MadHatter42> shouldnt it be created automatically ?
19:13 < Eugene> On windows systems the installer creates a TUN/TAP device. On *nix systems, no, it's allocated dynamically by the kernel.
19:14 < MadHatter42> so its created after a successful connection ?
19:14 < MadHatter42> so i have here ca.crt test.crt and test.pem
19:15 < MadHatter42> a friend of mine managed to set it up on a mikrotik but i want to set it up on my laptop
19:15 < Eugene> It's during the handshake process
19:15 < MadHatter42> arent there additional confs using a pem file ?
19:15 < MadHatter42> i've seen it with .key file works well
19:16 < Eugene> You need to specify various things, yes.
19:16 < MadHatter42> like ?
19:16 < MadHatter42> the .pem file pass ?
19:16 < Eugene> A minimalist setup would be `openvpn --dev tun --ca myca.pem --remote somehost --client
19:17 < Eugene> Probably with a --key and --cert, or --auth-user-pass
19:17 < MadHatter42> beside this, why there is a ca.crt file, a test.crt file and a pem file
19:17 < MadHatter42> arent that a bit too much XD
19:18 < Eugene> That'd be --ca ca.crt --cert test.crt --key test.pem ;-)
19:18 < MadHatter42> and beside those i also got a username and passw
19:18 < MadHatter42> thnx
19:18 < Eugene> So --auth-user-pass, too
19:18 < Eugene> But really, talk to your admin.
19:18 < Eugene> We don't know how the server is setup so this is all guesswork
19:19 < MadHatter42> the guy got fired and until we get another one
19:19 < MadHatter42> i'm stuck xD
19:19 < MadHatter42> i did something similar
19:20 < MadHatter42> ca ca.crt
19:20 < MadHatter42> cert test.crt
19:20 < MadHatter42> key test.pem
19:20 < MadHatter42> in that custom config file i did
19:20 < MadHatter42> but still got a TSL negotiation failed error
19:23 < MadHatter42> aaaaand i'm locked out
19:24 < MadHatter42> for too many tries
19:24 < MadHatter42> damn IDS
19:30 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Ping timeout: 265 seconds]
19:46 -!- MadHatter42 [~tuwid@217.73.143.43] has quit [Remote host closed the connection]
19:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:05 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
20:18 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
20:24 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
20:36 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:53 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
21:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
21:04 -!- CygniX [~CygniX@unaffiliated/twois10] has joined #openvpn
21:07 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
21:07 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Leaving...]
21:09 -!- prometheanfire [~promethea@gentoo/developer/prometheanfire] has left #openvpn []
21:10 < ExtraCarpety> Hi, I've got a VPN set up that I connect my laptop to when I need to use its IP as a proxy, but I would also just like to connect DD-WRT to it for the sake of mountin its HD as a network share.  When I connect DD-WRT to it, it seems that internet access for clients connected to the router just stops.
21:10 < ExtraCarpety> I do not know a whole lot about OpenVPN, maybe I'm going about something all wrong.
21:23 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
22:22 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 244 seconds]
22:23 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
23:00 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
23:01 <+_FBi> ExtraCarpety, can you ping your server in DDwrt
23:02 < ExtraCarpety> _FBi, yes
23:02 < ExtraCarpety> I figured out part of it with the help of ##networking
23:02 <+_FBi> which was, forwarding?
23:02 <+_FBi> iptables and such?
23:03 < ExtraCarpety> The tunnel was slurping up all of the traffic on my network because I had not specified anything under Additional Config.  Also, for my purposes I have been told that I should use TAP instead of TUN.
23:04 < ExtraCarpety> I was able to restore local internet with route-nopull
23:04 < ExtraCarpety> But then I was still unable to ping the 10.8.0.1 address of the server, or treat it like a network device from any of my other devices.
23:07 < ExtraCarpety> _FBi, any insight?
23:07 < ExtraCarpety> The purpose of this whole endeavor, in case I'm going about accomplishing it totally wrongly, is to simply mount a samba share from my OpenVPN server on my client network like it is a local network volume.
23:07 <+_FBi> I'm no expert (by far)
23:08 <+_FBi> can't you do that like you do with any shared drive?
23:10 < ExtraCarpety> By just connecting to smb://FARAWAYDRIVE/?  Yes, but it doesn't have the security of the VPN.
23:11 < ExtraCarpety> The VPN is also kind of turn-key, all the config is encapsulated in OpenVPN instead of having to edit fstab, etc.
23:13 <+_FBi> turn key like generating your own keys?
23:13 <+_FBi> that no one else in the world should have?
23:15 < ExtraCarpety> turnkey like it's all in one package
23:32 -!- elfixit1 [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:43 -!- ShadniX [dagger@p5DDFE17D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:43 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Ping timeout: 258 seconds]
23:45 -!- ShadniX [dagger@p5DDFD5C4.dip0.t-ipconnect.de] has joined #openvpn
23:51 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
23:51 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
23:57 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
--- Day changed Mon Oct 20 2014
00:00 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
00:01 -!- rap_wrk [~rap_wrk@unaffiliated/rap-wrk/x-769542] has joined #openvpn
00:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
00:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:08 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:14 -!- CygniX [~CygniX@unaffiliated/twois10] has quit [Read error: Connection reset by peer]
01:30 -!- elfixit1 [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
01:34 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
01:39 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
01:40 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
01:42 -!- mattock_afk is now known as mattock
02:51 -!- larsemil [~larsemil@pamela.daladevelop.se] has left #openvpn []
03:32 -!- dazo_afk is now known as dazo
03:45 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has joined #openvpn
03:46 < swiftkey> hi there everytime i connect to my vpn i have no internet connection at all
04:16 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:51 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
05:00 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Max SendQ exceeded]
05:03 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
05:04 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:08 < rap_wrk> swiftkey: can you ping the gateway
05:31 < swiftkey> Yes
05:31 < swiftkey> I already found the problem
05:31 < swiftkey> push redirect-gateway def1 is the key
05:35 < rap_wrk> ok great
05:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
05:49 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:00 -!- osolus [~user@unaffiliated/osolus] has joined #openvpn
06:04 -!- osolus [~user@unaffiliated/osolus] has quit [Ping timeout: 246 seconds]
06:05 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:06 -!- elfixit1 [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Ping timeout: 272 seconds]
06:21 -!- odium [~user@unaffiliated/osolus] has joined #openvpn
06:22 -!- Droolio [~drool@host86-143-190-82.range86-143.btcentralplus.com] has joined #openvpn
06:38 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
06:40 -!- wmp [~wmp@sored/admin/wmp] has joined #openvpn
06:40 < wmp> hello, i have problem with default route to 10.8.0.0, i dont know why my clients has route /32
06:40 < wmp> this is default in openvpn?
06:49 <@dazo>  !welcome
06:49 <@dazo> !welcome
06:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
06:49 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:18 < wmp> dazo: i uncommend client-to-client but dont work
07:30 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
07:34 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:34 <@ecrist> syzzer: I'm working on it
07:38 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
07:45 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
07:47 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:47 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
07:49 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:58 <@dazo> wmp: as you obviously didn't read !welcome, I'm going somewhere else now
08:00 -!- mirco_ [~mirco@176.198.211.199] has joined #openvpn
08:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
08:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 260 seconds]
08:01 -!- mirco_ is now known as mirco
08:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 246 seconds]
08:06 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:12 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
08:12 < Mowee> Hi there
08:12 < Mowee> Can a client assign itself an ip address ?
08:13 < Mowee> I mean, a static one
08:47 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
08:50 -!- odium [~user@unaffiliated/osolus] has quit [Quit: Leaving.]
08:51 -!- odium [~user@unaffiliated/osolus] has joined #openvpn
08:51 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 264 seconds]
08:56 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:59 <@dazo> Mowee: no, they cannot easily do that ... but if you use TAP mode it might be more likely possible than compared to a TUN based tunnel
09:00 < Mowee> sadly I use tun, thanks anyawy
09:00 <@dazo> tun is the best way to do tunnels ... and clients shouldn't really do that, so consider it a feature
09:01 < Mowee> dazo: I was thinkink openvpn-client as a network card
09:02 < Mowee> you can force an ip on a network, sometimes it's better than use dhcp
09:02 <@dazo> well, the tun/tap device is a virtual network device
09:02 < Mowee> yes
09:02 < Mowee> Well maybe you could help me on that case
09:03 <@dazo> nah, probably not ... my focus is on reducing the possibilities clients have ;-)
09:03 < Mowee> :)
09:06 < odium> whenever I run systemctl start openvpn@con, my system seems to work fine, but my web-server nginx stops responding to requests, I am not sure whats happening.
09:14 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-jlrljxjlctpvrlrj] has joined #openvpn
09:14 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:15 < mjkr> suppose my remote host runs on a public wan ip, say a.a.a.a and it's gonna assign 192.168.192.0/24 for openvpn clients to access WAN through a.a.a.a what should i put for routes in "push" and "route" directives?
09:16 < mjkr> also, how can i include a client's cert and key plus the server's ca cert and server cert in the client conf?
09:17 < mjkr> i use cert as public key plus csr and key as private key (rsa/dss/ecdsa)
09:33 < wmp> !welcome
09:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
09:33 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:35 < mjkr> wmp: thank you. it's a roadwarrior configuration here. so the answer is yes to the first question, though i'm not sure where shipping certs/keys in .conf files belong
09:35 < wmp> mjkr: emmm, no, i need help ;)
09:35 < mjkr> !route
09:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
09:35 < wmp> but thank for thanks ;)
09:36 < mjkr> oh. great.
09:37 < wmp> !log
09:37 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:37 < wmp> !logs
09:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:37 < wmp> !logfile
09:38 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
09:39 -!- odium [~user@unaffiliated/osolus] has quit [Quit: Leaving.]
09:42 < wmp> !config
09:42 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
09:50 -!- MadHatter42 [~tuwid@109.69.2.62] has joined #openvpn
09:55 < mjkr> !configs
09:55 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:56 < mjkr> i've expected a more detailed version...
09:56 < mjkr> !howtos
09:56 < mjkr> !howto
09:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:05 < mjkr> can someone give me an example *.ovpn client conf that include certs in the conf itself?
10:06 < mjkr> a monolithic one that does not refer to another file that is.
10:11 <@dazo> mjkr: use <ca>\n{content of ca file}\n</ca> ... same for cert and key
10:12 <@dazo> (\n == new line)
10:15 < mjkr> dazo: thank you. however, suppose that i have this line: "ca /etc/openvpn/ca/ca.crt" should i put "ca <ca>\n{blah}\n</ca>" or "ca\n<ca>\n{blah}\n<ca>" instead?
10:15 <@dazo> just <ca>....</ca>
10:16 < mjkr> so newline doesn't parse well, am i right?
10:16 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:17 < mjkr> does that mean i should get those key/crt files into a single line though?
10:17 < mjkr> like removing line breaks
10:17 <@dazo> mjkr: like this http://fpaste.org/143547/14138182/
10:17 <@dazo> whoops ... a line "rt" sneaked in my mistake
10:18 <@dazo> (delete line 4)
10:18 < mjkr> oh, thank you. so it's replacing the entire ca line with xml-like syntax
10:18 <@dazo> yeah
10:19 < mjkr> thank you very much
10:19 <@dazo> np!
10:20 < mjkr> a last question though, are directives such as user/group/chroot/persist-key/persist-tun needed on the client side?
10:21 <@dazo> mjkr: they can be used on the client side, --user, --group and --chroot doesn't work well on Windows, though ... but they do enhance the security on the client side too
10:22 < mjkr> ah. i see. so i probably wanna remove then if my inhouse openvpn binary is supposed to handle them on its own
10:25 < wmp> dazo: Sorry, so i want to connect my computers to network 10.8.1.0/24, and i want to this computers can pings other computers in vpn. This is log from my openvpn server with verbose 4: http://paste.ubuntu.com/8602517 and this is openvpn server config: http://paste.ubuntu.com/8602558 , and this is interfaces: http://paste.ubuntu.com/8602919 . From client side, this is log from my cmoputer: http://paste.ubuntu.com/8602956 and this is configuration: http://paste.
10:25 < wmp> ubuntu.com/8602971 . This is log from second client: http://paste.ubuntu.com/8603005 and this is configuration: http://paste.ubuntu.com/8602989
10:25 < wmp> oughhh...
10:25 < wmp> http://paste.ubuntu.com/8602956 and this is configuration: http://paste.ubuntu.com/8602971 . This is log from second client: http://paste.ubuntu.com/8603005 and this is configuration: http://paste.ubuntu.com/8602989
10:26 <@dazo> wmp: config files without comments please
10:26 < wmp> ;) ok
10:26 < wmp> dazo: without # or ; ?
10:26 <@dazo> both
10:26 <@dazo> !configs
10:26 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:27 <@dazo> #1 says how to do it
10:27 < wmp> yes, thanks
10:28 < mjkr> hmm, is the tls-auth directive available inline now as well?
10:29 <@dazo> mjkr: yes, it is
10:30 < mjkr> dazo: but what about the number 0/1 after the path to the key though?
10:30 <@dazo> but there's a twist to it ... on the old days, you used <tls-auth>...</tls-auth> and added tls-auth [INLINE] 1|0 .... but I think that's improved with a key-direction option (don't recall now)
10:30 <@dazo> mjkr: look for --key-direction in the man page
10:30 < wmp> dazo: Sorry, so i want to connect my computers to network 10.8.1.0/24, and i want to this computers can pings other computers in vpn. This is log from my openvpn server with verbose 4: http://paste.ubuntu.com/8602517 and this is openvpn server config: http://paste.ubuntu.com/8603046 , and this is interfaces: http://paste.ubuntu.com/8602919 .
10:30 < wmp> dazo: From client side, this is log from my cmoputer: http://paste.ubuntu.com/8602956 and this is configuration: http://paste.ubuntu.com/8603065 . This is log from second client: http://paste.ubuntu.com/8603005 and this is configuration: http://paste.ubuntu.com/8603087
10:30 < mjkr> thank you, i will read the man now, dazo
10:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:32 <@dazo> wmp: ensure your firewall allows traffic to pass from tun to tun devices ... and ensure your server allows ip forwarding
10:32 < mjkr> doesn't give much example, honestly, dazo
10:32 <@dazo> !ipforward
10:32 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:33 < mjkr> only telling you to look it up in the section called inline file support
10:33 <@dazo> mjkr: but it explains ;-)
10:33 < mjkr> for now, i'm gonna keep it a one liner
10:33 < wmp> dazo: yes, i have 1 in ipforward
10:34 < wmp> dazo: can i paste you iptables-save output?
10:34 <@dazo> wmp: please do!
10:34 <@dazo> wmp: and you must ensure the firewall on your clients allow traffic from the tunnel too
10:34 < wmp> in clients i havent any entry in iptables
10:35 <@dazo> and the default policy is ACCEPT?
10:35 < wmp> yes
10:36 < wmp> dazo: iptables-save: http://paste.ubuntu.com/8603130
10:36 <@dazo> wmp: one thing ... I would have added --topology subnet in all configs ... it makes things behave more like a traditional subnet instead of the odd p2p subnet
10:36 -!- mirco [~mirco@176.198.211.199] has quit [Quit: mirco]
10:37 < wmp> dazo: so "echo topology >> /etc/openvpn/*.conf" ?
10:37 <@dazo> that's one bad way to edit config files
10:37 <@dazo> you need: topology subnet
10:37 <@dazo> (the default is: topology net30)
10:38 < wmp> ok, i understand
10:39 <@dazo> wmp: your firewall config is ... well, full of holes
10:39 < wmp> ;) i need have only nfs over firewall
10:40 <@dazo> wmp: when default policy is ACCEPT or the last rule in INPUT/FORWARD is not -j DROP ... then you can just ditch all explicit the ACCEPT rules, as they do not allow anything extra ordinary
10:41 < wmp> hmmm, thanks ;) But i have write script for this and for now it is good ;)
10:42 <@dazo> well, what you pastebinned here is not good (from a security perspective) ... but I don't care, its your box and these rules won't stop openvpn traffic
10:43 < wmp> dazo: maybe do you know why ifconfig dont show tun0?
10:43 < wmp> i must execute ifconfig tun0
10:43 -!- novaflash_away [~novaflash@openvpn/corp/support/novaflash] has quit [Ping timeout: 250 seconds]
10:43 <@dazo> well, that's interesting ... as I see it configures it in the log files
10:44 < wmp> dazo: ahen i add topology subnet i can pings other server :D
10:44 <@dazo> are any of these openvpn configs running in openvz or something like that?
10:44 < wmp> so this is good
10:44 <@dazo> okay, good
10:44 < wmp> no
10:44 < wmp> dazo: how to move few hosts to other subnet?
10:45 <@dazo> wmp: uhm ... your question does not really parse well
10:45 < wmp> dazo: i want to have few hosts in 10.8.1.0/24 subnet
10:46 <@dazo> wmp: normally you don't want to d that... then you need separate openvpn server configs for that
10:46 <@dazo> wmp: what's the purpose of doing that?
10:47 < wmp> dazo: becouse in one subnet i want have servers, and in second i want to have programers computers
10:48 <@dazo> wmp: well, I'd rather remove 'client-to-client' in the server config file, give all servers static VPN IPs using --client-config-dir ... and then firewall things properly in the FORWARD chain
10:49 < wmp> hmmm, so no, i dont't want this
10:49 < wmp> :)
10:50 < wmp> dazo: can i make my openvpn configuration better? Did you see any mistakes or probles?
10:50 < wmp> problems*
10:50 <@dazo> I'd add --tls-auth
10:51 < wmp> to all configurations?
10:51 < wmp> or only server?
10:51 <@dazo> please read the man page
10:51 < wmp> ok
10:51 <+_FBi> morning dazo
10:51 < wmp> thanks for help, good day ;)
10:51 <@dazo> np!
10:51 <@dazo> hey, _FBi
10:52 -!- MadHatter42 [~tuwid@109.69.2.62] has quit [Remote host closed the connection]
10:58 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-jlrljxjlctpvrlrj] has quit [Quit: WeeChat 0.4.2]
11:18 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
11:19 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
11:42 -!- dazo is now known as dazo_afk
11:51 -!- jmacdonald [~jmacdonal@li127-104.members.linode.com] has joined #openvpn
11:51 < jmacdonald> hi.
11:51 < jmacdonald> does anyone have experience tuning openvpn/oracle to work nicely together? We're getting some really slow performance.
11:56 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:04 <+_FBi> 100mbps?
12:29 -!- ShadniX [dagger@p5DDFD5C4.dip0.t-ipconnect.de] has quit [Quit: Bye.]
12:29 -!- ShadniX [dagger@p5DDFD5C4.dip0.t-ipconnect.de] has joined #openvpn
12:30 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:31 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:37 -!- nianoniano [~nil@104.29.217.87.dynamic.jazztel.es] has joined #openvpn
12:39 -!- nianoniano [~nil@104.29.217.87.dynamic.jazztel.es] has quit [Quit: Lost terminal]
12:39 < jmacdonald> around that.
12:42 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
12:43 -!- Kodeinjc [~Kode@unaffiliated/kodeinjc] has joined #openvpn
12:43 < Kodeinjc> Hello
12:44 < Kodeinjc> I need assistant with openvpn configs
12:45 < Kodeinjc> i created my ovpn > https://isitonline.me/ovpn-freevpn.zip
12:45 < Kodeinjc> 'freevpn'
12:45 < Kodeinjc> but it doesn't ask for username and pass
12:46 < Kodeinjc> it works though
12:46 < Kodeinjc> but how to set a username and pass
12:47 < Kodeinjc> raidz , shit u r here too
12:48 < Kodeinjc> hazardous too
12:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
12:48 < linuxthefish> please ask in here before PM'ing me, cheers
12:49 < Kodeinjc> i am asking
12:49 < linuxthefish> good
12:49 < Kodeinjc> thank you
12:50 < Kodeinjc> can someone please test on my openvpn ? and tell me how to set a username and pass :D
12:52 < Kodeinjc> http://pastebin.com/raw.php?i=1tNMjpHT
12:53 < Kodeinjc> i used this script https://raw.githubusercontent.com/cwaffles/ezopenvpn/master/ezopenvpn.sh
12:54 < Kodeinjc> I will be glad for any help :)
12:54 < jmacdonald> ell, it appaers openvpn is not my problem. going around it directly over internet.. this is slow as heck too.
12:54 -!- jmacdonald [~jmacdonal@li127-104.members.linode.com] has left #openvpn []
12:56 -!- Jack007 [~Jack007@unaffiliated/jack007] has joined #openvpn
12:56 < Jack007> HEY
12:56 < Kodeinjc> damn Jack007 is here too
12:56 < Kodeinjc> jmacdonald , it is online.net dedi server
12:57 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:01 < Kodeinjc> why ppl are dead ? .O.o. Zombies
13:05 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:33 -!- acovrig [~acovrig@216.249.113.36] has joined #openvpn
13:33 < acovrig> When I try to connect, I get this in my server log (http://pastebin.com/WnuN9uWM) and my client bounces between connecting and authorizing, why?
13:38 < acovrig> http://paste.ubuntu.com/8604997/ is my server config
13:40 < acovrig> http://pastebin.com/jC4uX6V3 is my client config
13:41 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:47 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:50 -!- mattock is now known as mattock_afk
13:51 -!- acovrig [~acovrig@216.249.113.36] has quit [Quit: acovrig]
13:54 -!- ItsYoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
14:02 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
14:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:23 -!- atmosx [~atma@gateway/tor-sasl/atmosx] has joined #openvpn
14:24 < atmosx> hello, anyone configured OpenVPN on OpenWRT?
14:24 <@ecrist> lots of people.
14:24 < atmosx> I have installed openvpn 2.2.2 and I get this error: Options error: Unrecognized option or missing parameter(s) in sample.conf:1 ... any ideas why?
14:25 < atmosx> my config works on various systems (windows, rpi, etc.) it's pretty standard.
14:25 <@krzee> pastebin it.
14:25 <@krzee> sample.conf
14:26 < atmosx> Sure here https://gist.github.com/atmosx/d8c0728b5ee41c709883
14:26 <@vpnHelper> Title: sample.conf (at gist.github.com)
14:27 <@krzee> you're starting it with:  openvpn sample.conf    ?
14:27 <@krzee> (as the command)
14:27 < atmosx> krzee: yes
14:27 <@krzee> shown me the command and following output
14:27 < atmosx> refresh the page I added cli and output
14:27 <@krzee> (pastebin)
14:28 <@krzee> nice
14:28 <@krzee> oh lol
14:28 <@krzee> typo
14:28 <@krzee> the l is a 1
14:28 <@krzee> or so i think
14:28 <@krzee> c[one]ient
14:29 < atmosx> nope, I removed the 'client' from the first line still comes up with an error 'unknown parameter ca'
14:29 <@krzee> weird
14:29 < atmosx> I know :-/
14:29 <@krzee> try upgrading to more current openvpn and see if it goes away
14:29 <@krzee> its not an openvpn bug, seems it compiled bad or something...
14:29 < atmosx> oh I see.
14:29 < atmosx> hmm
14:30 < atmosx> I will try reinstalling the package
14:32 -!- Nyr [~Nyr@unaffiliated/nyr] has joined #openvpn
14:34 -!- Nyr [~Nyr@unaffiliated/nyr] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
14:35 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
14:37 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:37 -!- mode/#openvpn [+o krzee] by ChanServ
14:38 <@krzee> atmosx, not sure when it disconnected, did you see my suggestion to upgrade?
14:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
14:38 < atmosx> krzee: no, upgrade you say. Hmm that's a little bit tricky fo rthis device.
14:39 <@krzee> well i feel like you have a bad compile
14:39 <@krzee> embedded device?
14:39 < atmosx> Yes might be
14:39 < atmosx> yes
14:39 <@krzee> did you compile it yourself?
14:39 < atmosx> a carambola router http://shop.8devices.com/carambola no no, I'm using their repo. It's old they don't upgrade packages for this version any more
14:39 <@vpnHelper> Title: Carambola (at shop.8devices.com)
14:40 < atmosx> I'll have to build the toolchain and recompile everything
14:40 <@krzee> hmm and nobody else with that has your problem?
14:40 < atmosx> no idea, didn't contact anyone through the forums... But the forums are not very active anyway.
14:41 < atmosx> I'll probably install OpenVPN on the RPi, using the tun1 virtual-device and see how it goes.
14:47 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
14:57 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has quit [Ping timeout: 258 seconds]
14:57 -!- miruoy [~quassel@d51a4ceb0.access.telenet.be] has joined #openvpn
14:57 <@ecrist> the forum is very active
15:00 <@krzee> ecrist, the carambola forum :-p
15:00 <@krzee> not ours
15:02 < atmosx> thanks guys
15:02 <@krzee> np, good luck man
15:03 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has joined #openvpn
15:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
15:18 -!- u0m3_ [~u0m3@92.80.111.131] has joined #openvpn
15:21 -!- u0m3 [~u0m3@92.80.124.118] has quit [Ping timeout: 260 seconds]
15:29 <@ecrist> krzee: ah
15:50 -!- thesov [~TheSov4@8.40.0.2] has joined #openvpn
15:50 < thesov> When is ver 3 slated to come out?
16:00 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
16:01 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
16:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:14 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
16:15 -!- Kottizen [martin@trekweb/supporter/kottizen] has joined #openvpn
16:15 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
16:15 < Kottizen> Hi everyone. I am running FreeBSD and I've just got my OpenVPN tun server up and running. I am able to connect and I can ping the server, but I can't go any further than that. What have I missed?
16:16 < Kottizen> I am able to ping the server on both its VPN IP and its "real", Internet-facing IP.
16:17 < Kottizen> The FreeBSD system is freshly installed and I have not touched any firewall related settings.
16:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
16:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:38 < pekster> Kottizen: What is "further" than the server in your toplogy?
16:38 < pekster> !goal
16:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:44 < Kottizen> pekster: The Internet. My server is not behind any NAT; the reason I want to use OpenVPN is to tunnel all traffic through that server.
16:44 < pekster> Are you routed a block of public IPs you're using for openvpn clients, or using RFC1918 on the VPN network?
16:45 < Kottizen> pekster: I've given 10.8.0.0/24 for VPN clients.
16:45 < Kottizen> It is defined in openvpn.conf, only.
16:45 < pekster> So you need NAT on the VPN-to-Internet border (ie: the server.) 10.8/24 can't be routed on the Internet
16:46 < pekster> Plus routing enabled on the fBSD server, and presuambly a firewall ruleset to protect things correctly
16:46 < Kottizen> That sounds reasonable... I think the routing is up, because I get an error about it already existing when I try to route 10.8.0.0/24 to the VPN's Internet IP address.
16:48 < pekster> as in `gateway_enable="YES"` in rc.conf?
16:48 < pekster> You'll still need NAT, presumably with pf.conf
16:49 < Kottizen> pekster: gateway_enable="YES" is there. Do you know how I would enable NAT via pf.conf?
16:50 < Kottizen> net.inet.ip.forwarding = 1, btw
16:52 < pekster> pf.conf(5) is pretty complete, discussing both `TRANSLATION` and a possibly useful `TRANSLATION EXAMPLES` section
16:53 < Kodeinjc> can some check my vpn ? http://isitonline.me/freevpn/
16:53 <@vpnHelper> Title: Is it Online - Free Openvpn access. (at isitonline.me)
16:54 < Kodeinjc> also how to make it ask for username and password instead of this method
16:54 < Kodeinjc> thanks inadvance
16:54 < Kodeinjc> :)
16:57 < Kottizen> pekster: Thanks, that solved it! :)
17:00 < pekster> It'd be wise to look at a filter policy that allows the inside networks to reach out, lets PF allow the return traffic, and denies inbound unless you need to open specific ports for clients. And you really want !static for openvpn to do that anyway
17:01 -!- acovrig [~acovrig@216.249.113.36] has joined #openvpn
17:01 < acovrig> Is it possible for a client to connect to a LAN behind another client (see this diagram: http://paste.ubuntu.com/8606998/)?
17:02 -!- Kodeinjc [~Kode@unaffiliated/kodeinjc] has quit [Ping timeout: 260 seconds]
17:03 < pekster> Kottizen: Read about --auth-user-pass-verify, --client-cert-not-required, and --username-as-common-name in the manpage
17:03 < pekster> Erm, the one that quit instead. Oh well.
17:03 < pekster> acovrig: Sounds like you want:
17:04 < pekster> !clientlan
17:04 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
17:04 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:04 -!- KodeInjc [~Kode@unaffiliated/kodeinjc] has joined #openvpn
17:06 < acovrig> pekster: thanks, that sounds right, however the 1st image isn’t loading, u know if they’re the same image?
17:07 < pekster> Yup
17:07 -!- acovrig [~acovrig@216.249.113.36] has quit [Quit: acovrig]
17:08 < KodeInjc> How to combine key in config file ?
17:08 < pekster> openvpn(8) under `INLINE FILE SUPPORT`
17:10 < KodeInjc> well i am noob with openvpn
17:21 < KodeInjc> i used this script https://raw.githubusercontent.com/cwaffles/ezopenvpn/master/ezopenvpn.sh
17:22 < KodeInjc> it gave me a zip file out , the vpn works fine but it doesn't ask for username and password but for a PKCS_12
17:24 < pekster> 17:03:08 < pekster> Read about --auth-user-pass-verify, --client-cert-not-required, and --username-as-common-name in the manpage
17:24 < KodeInjc> oh i missed this
17:24 < KodeInjc> thank you :)
17:39 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Remote host closed the connection]
17:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:01 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:04 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 264 seconds]
18:06 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
18:17 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:22 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:23 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:26 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
19:03 < Eugene> !howto
19:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:04 < Eugene> Ok, one of you easy-rsa wizards: I'm inheriting an easy-rsa PKI, and need to regenerate an expired cert
19:04 < Eugene> I'm blessed with a keys/ dir and a vars file, including clientname.csr
19:05 < Eugene> What's the magic invocation to spit out a fresh crt
19:06 < Eugene> Aha, got it: ./pkitool --sign
19:06 < Eugene> And here I was trying sign-req :-|
19:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:16 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit []
19:22 -!- GeekSV [~Marduk@198.23.71.126-static.reverse.softlayer.com] has joined #openvpn
19:23 < GeekSV> hi.. I am having some issues. I am behind a firewall. I can connect to my openvpn server. If I go to see-my-ip.com I get the IP from the server but if I go to dnsleaktest.com it shows my real IP. The nameservers on my computer are configured to use the DNS of my VPN.
19:24 -!- KodeInjc [~Kode@unaffiliated/kodeinjc] has quit [Ping timeout: 260 seconds]
19:24 -!- acovrig [~acovrig@216.249.113.36] has joined #openvpn
19:27 -!- GeekSV [~Marduk@198.23.71.126-static.reverse.softlayer.com] has quit [Quit: Leaving]
19:40 -!- acovrig [~acovrig@216.249.113.36] has quit [Quit: acovrig]
19:45 -!- acovrig [~acovrig@216.249.113.36] has joined #openvpn
19:54 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
19:59 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
20:01 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
20:11 -!- acovrig [~acovrig@216.249.113.36] has quit [Quit: acovrig]
20:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:03 -!- Trab [~Trab@162.220.17.10] has joined #openvpn
21:08 <+hazardous> is it possible to 'pass through' a real interface directly or something? for example, i have EXTERNAL_IP_1 allocated my vpn server and i want to allow another machine to use EXTERNAL_IP_1 directly as a bound interface
21:08 <+hazardous> using NAT/10.x IPs causes it to not pass through the end user's real ip
21:12 -!- Eugene [eugene@kashpureff.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
21:19 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
21:22 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
21:41 < pekster> hazardous: OpenVPN does not let you spoof IPs you don't manage (read: run your own AS for) on the public Internet (and neither will any sane ISP you have either.)
21:43 < pekster> If you're routed an actual block of IPs, OpenVPN can use that. Or you can do 1:1 "bidirectional" NAT between RFC1918 an IPs you are properly routed
21:46 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
21:52 -!- Trab [~Trab@162.220.17.10] has quit [Read error: Connection reset by peer]
21:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
22:02 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
22:11 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
22:14 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
22:33 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Remote host closed the connection]
22:35 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:35 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has joined #openvpn
22:36 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
22:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 244 seconds]
22:51 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:51 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
23:20 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Quit: I'm using a Free IRC Bouncer from BNC4FREE - http://bnc4free.com/]
23:31 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:32 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:41 -!- ShadniX [dagger@p5DDFD5C4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:42 -!- ShadniX [dagger@p5481D30D.dip0.t-ipconnect.de] has joined #openvpn
23:46 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
23:49 -!- james41382__ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:49 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:55 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Excess Flood]
23:55 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
23:57 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
--- Day changed Tue Oct 21 2014
00:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:06 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
00:09 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:59 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
01:40 -!- mattock_afk is now known as mattock
02:01 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
02:31 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
02:58 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 250 seconds]
03:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:48 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-eggtkqvuxfnzouyh] has joined #openvpn
03:49 < mjkr> is it possible for the host side to use 4096-bit RSA key with only 1024-bit dh for exchange and 2048-bit tls-auth?
03:49 < mjkr> the client rsa key is also 4096-bit.
03:50 < mjkr> i'm getting TKS key negotiation failed to occur within 60 seconds (check your neetwork connectivity) error, -
03:50 < mjkr> along with TLS Error: TLS handshake filed, followed by SIGUSR1[soft,tls-error] received, client-instance restarting.
03:51 < mjkr> s/TKS/TLS
04:20 <@syzzer> mjkr: iirc, that should be possible, but it doesn't make much sense. You should aim to keep your dh and rsa keys in the same range, otherwise you're just wasting CPU cycles
04:21 <@syzzer> one could make an argument that having slightly smaller dh parameters is okay, but 1024 vs 4096 really doesn't make much sense
04:22 <@syzzer> furthermore, the key you feed to tls-auth is only partly used by openvpn, depending on the auth algo you're using (probably SHA-1?)
04:24 < mjkr> i see.. i'm getting connection resets on the tcp side this time... likely gov's blocking openvpn
04:26 <@syzzer> sounds plausible, or some other firewalling issue
04:28 < mjkr> i'm launching the openvpn client directly from a router with a wn ip, syzzer
04:28 < mjkr> ubnt's edgerouter to be specific, the client shipped therein from vyatta
04:28 < mjkr> s/wn/wan
04:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
04:34 < mjkr> private tunnel's ovpn file freezes p here in loking up dns name...
04:35 < mjkr> so i guess it's gov's problem
04:49 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
04:54 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-eggtkqvuxfnzouyh] has quit [Quit: WeeChat 0.4.2]
06:03 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
06:33 -!- dazo_afk is now known as dazo
06:37 -!- Netsplit *.net <-> *.split quits: eristisk, moparisthebest, atmosx, DrCode
06:37 -!- Netsplit *.net <-> *.split quits: Brando753, Denial, @mattock, ketas
06:37 -!- Netsplit over, joins: ketas, Denial
06:37 -!- Netsplit over, joins: mattock
06:37 -!- mode/#openvpn [+o mattock] by ChanServ
06:41 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
06:44 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
07:12 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:27 -!- atmosx [~atma@gateway/tor-sasl/atmosx] has joined #openvpn
07:28 -!- chrisb [~chrisb@pool-71-175-244-36.phlapa.east.verizon.net] has joined #openvpn
07:33 -!- chrisb [~chrisb@pool-71-175-244-36.phlapa.east.verizon.net] has quit [Ping timeout: 260 seconds]
07:42 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
07:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:51 < Kottizen> Good morning! If I try to connect a second client with the same certificate as the one previously connected, the first client will lose connectivity. That is good and expected behaviour. However, the first client doesn't really disconnect; it just sort of "hangs". How can I force a disconnection, in a similar fashion to what the "client-kill" does?
07:52 < Kottizen> Or, deny the second client from connecting. That would also work.
08:05 -!- Kodeinjc [~Kode@unaffiliated/kodeinjc] has joined #openvpn
08:06 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
08:11 -!- fling [~fling@fsf/member/fling] has joined #openvpn
08:16 -!- bakhtiya [~me@office.addictivemobility.com] has quit []
08:16 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
08:22 <@krzee> Kottizen, check out keepalive and other --ping* options
08:24 < Kottizen> krzee: Would it be possible to reject incoming connections if there already is an existing connection autenticated with the same certficate, like the Access Server?
08:25 <@krzee> i guess that would be a --client-connect script, and youd need --management interface to check the connection… i guess you would check if the client is logged in, then run a ping to make sure its still alive
08:26 <@krzee> openvpn doesnt do it, but you can if you code the script
08:28 < Kottizen> Hm, alright... I think I'll stick to keepalive and ping*. :)
08:29 <@krzee> or you could make new certs for each user
08:31 < Kottizen> krzee: Each user ("human being") will have their unique certificate, but I don't want people to be able to connect to the VPN from more than one device at a time.
08:31 <@krzee> by default openvpn will not allow it
08:31 <@krzee> when the second connection happens it takes over the first one
08:32 <@krzee> the first one then reconnects as keepalive said to (assuming you use keepalive)
08:32 < Kottizen> krzee: Yes, that's what I realized. The issue I am facing is that the first client is not notified about this.
08:32 <@krzee> then the second reconnects, etc
08:32 < Kottizen> krzee: I would like the first client to receive a "client-kill" like signal when the second client connects, if possible.
08:32 <@krzee> just tell the users that if they connect with a second device, it will battle the first
08:32 <@krzee> so dont do it.
08:33 <@krzee> the client-kill will start the reconnect faster
08:33 <@krzee> and your battle between the clients will be intense
08:33 < Kottizen> krzee: I guess they will realize what's going on, if nothing else.
08:33 <@krzee> nonstop reconnects
08:34 < Kottizen> krzee: Is it possible to make OpenVPN send a client-kill upon new connects? Even if it means an "intense reconnect battle".
08:34 <@krzee> i answered that already
08:34 <@krzee> <krzee> i guess that would be a --client-connect script, and youd need --management interface to check the connection… i guess you would check if the client is logged in, then run a ping to make sure its still alive
08:34 <@krzee> same idea, slightly different script
08:34 < Kottizen> Ah, okay. I see. Thank you!
08:35 <@krzee> np, i dont recommend what you're talking about, but thats how id do it
08:37 < Kottizen> krzee: One last thing... Do you know if such script already exists? I would like to try it, and then decide whether I should go for that, or stay with the currect set-up.
08:38 <@krzee> no, im pretty sure nobody would purposely make their clients reconnect nonstop instantly
08:38 <@krzee> (except you)
08:40 < Kottizen> Heh alright, thanks!
08:46 <@krzee> np
08:47 <@krzee> BUT
08:47 <@krzee> now that i think about it
08:47 <@krzee> if you are writing the script, you could push an echo
08:47 <@krzee> that way a message gets tossed in the client log
08:47 <@krzee> i *think* you can push echo
08:48 <@krzee> since what you're planning will just lead the client to wonder why he reconnects over and over
08:49 <@krzee> but remember that scripts block openvpn from running, so you dont want to use sleep(8) from in a script unless you disowned the script and exited so that openvpn doesnt wait on it
08:53 < Papey> hi, I have some troubles with openvpn as a layer 2 vpn. I want my clients to get adresses from dhcp local server. I wrote a script to up tap0 interface and exec a dhcp request. When I use it with the "up" command in a config file it doesn't work, if I launch it after openvpn is completely up : it works.
08:57 <@krzee> dhcp is usually a poor reason to run a layer2 vpn
08:57 <@krzee> and while i dont know if theres a better way, i can say that starting openvpn via a wrapper script would fix your issue
08:57 <@krzee> since it can start openvpn and THEN run the script.
08:58 <@krzee> !tunortap
08:58 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
08:58 <@vpnHelper> rooted/jailbroken) support only tun
09:02 < Papey> krzee: this is not the primary reason, yes I write a wrapper script, thanks.
09:02 <@krzee> may i ask the primary reason?
09:03 < Papey> krzee: I have to pass multicast in it for remote station config
09:05 <@krzee> yep thats a good reason for tap
09:05 <@krzee> ;]
09:05 <@krzee> (i dont say that often around here)
09:20 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
09:21 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
09:26 -!- Kodeinjc [~Kode@unaffiliated/kodeinjc] has quit [Ping timeout: 255 seconds]
09:41 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:50 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Read error: Connection reset by peer]
09:51 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
10:00 < thesov> does anyone have the ETA for openvpn 3 I want to be able to get a tunnel open via ICMP
10:06 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:12 < Kottizen> Wow. ICMP tunnels. Fancy.
10:14 < thesov> indeed
10:17 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:19 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:25 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
10:26 -!- smellis_werk [~smellis@2001:470:c452:2:224:e8ff:fe45:ee53] has joined #openvpn
10:27 < smellis_werk> hello all, I've got issues with 2.3.4 on windows 7 and inactivity timeouts, anyone seeing the same?  My linux clients are ok and site to site links are good.
10:28 <@ecrist> nope
10:28 < smellis_werk> we're running as a service btw
10:28 <@ecrist> that doesn't matter
10:28 < smellis_werk> we just tested running the service on the client as a domain admin and the problem has gone away
11:01 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
11:08 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
11:20 < Kottizen> Is it possible to build bundled installers for Windows and Mac OS X, like it is with the Access Server?
11:21 <@krzee> for osx, tunnelblick makes it easy to give a vpn package
11:21 <@krzee> for windows:
11:21 <@krzee> !win_rollup
11:21 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
11:21 < Kottizen> Thank you!
11:22 <@dazo> thesov: we're always open to patches ... openvpn 3 server side isn
11:22 <@dazo> isn't on any ETA plan at all yet
11:44 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 260 seconds]
12:14 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
12:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:17 -!- wmp [~wmp@sored/admin/wmp] has left #openvpn ["Konversation terminated!"]
12:39 -!- KodeInjc [~Kode@unaffiliated/kodeinjc] has joined #openvpn
13:00 < KodeInjc> http://isitonline.me/freevpn/ :D
13:00 <@vpnHelper> Title: Free openvpn access. (at isitonline.me)
13:26 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
13:27 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
13:40 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 245 seconds]
13:42 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
13:42 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 255 seconds]
13:42 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:46 -!- rich0_ is now known as rich0
14:05 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
14:42 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:42 -!- hays [~hays@unaffiliated/hays] has quit [Quit: No Ping reply in 180 seconds.]
14:45 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
14:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:52 -!- Latrina [~Latrina@adsl-ull-215-248.45-151.net24.it] has quit [Ping timeout: 255 seconds]
14:55 -!- Latrina [~Latrina@adsl-ull-152-211.50-151.net24.it] has joined #openvpn
15:09 -!- Latrina [~Latrina@adsl-ull-152-211.50-151.net24.it] has quit [Read error: Connection reset by peer]
15:09 -!- Latrina [~Latrina@adsl-ull-152-211.50-151.net24.it] has joined #openvpn
15:10 -!- atmosx [~atma@gateway/tor-sasl/atmosx] has quit [Remote host closed the connection]
15:10 -!- atmosx [~atma@gateway/tor-sasl/atmosx] has joined #openvpn
15:14 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
15:18 -!- dazo is now known as dazo_afk
15:22 -!- mattock is now known as mattock_afk
15:27 -!- wmp [~wmp@sored/admin/wmp] has joined #openvpn
15:27 < wmp> hello
15:29 < wmp> i have 3 nods, and one virtual system on each node. I want to make openvpn network on all virtuals, but i want to create this in high avability, without center server. This is possible, to make one network with 3 servers, each openvpn-server on each node?
15:38 < Jack007> o
15:42 -!- Latrina [~Latrina@adsl-ull-152-211.50-151.net24.it] has quit [Ping timeout: 260 seconds]
15:56 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 32.0.3/20140923175406]]
16:19 < resixian> ender|: ty
16:21 -!- Latrina [~Latrina@adsl-ull-253-196.50-151.net24.it] has joined #openvpn
16:25 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
16:30 <@ecrist> wmp: yes/no, and HA is hard
16:30 <@ecrist> !ha
16:30 <@vpnHelper> "ha" is See http://www.secure-computing.net/wiki/index.php/OpenVPN/High-Availability for a brief explaination about OpenVPN and HA
16:31 < wmp> ecrist: so if i dont build HA and node with openvpn server has down, openvpn stop works, yes?
16:31 <@ecrist> openvpn doesn't do HA
16:32 <@ecrist> you can build in redundancy, but HA is a "nobody notices, seamless failover" sense
16:33 < wmp> ok, multiple --remote lines should make what i want
16:33 -!- Latrina [~Latrina@adsl-ull-253-196.50-151.net24.it] has quit [Ping timeout: 246 seconds]
16:35 <@ecrist> and you don't need/want bridging for that.
16:35 -!- Latrina [~Latrina@ppp-28-3.26-151.libero.it] has joined #openvpn
16:36 < wmp> ecrist: remote lines in client config must have this same order, yes?
16:36 < wmp> clients*
16:36 -!- ender| [krneki@foo.eternallybored.org] has quit [Ping timeout: 245 seconds]
16:38 <@ecrist> nope
16:38 <@ecrist> the order determines just their priority
16:39 < wmp> ecrist: but if i want have this servers on one network, all clients must be connected to this same openvpn server, yes?
16:41 <@ecrist> no
16:41 <@ecrist> you just need to route them to eachother properly
16:42 < wmp> could you tell me how to do it?
16:43 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
16:43 <@ecrist> just think of each VPN segment/server as it's own network.  each one needs to be passed/routed to each other
16:44 <@ecrist> !route
16:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
16:44 <@vpnHelper> client
17:01 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
17:04 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
17:05 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
17:05 -!- GDevenyi [~ace@184.175.0.141] has joined #openvpn
17:05 < khaldrogox> raixz
17:05 < khaldrogox> raidz
17:05 < khaldrogox> around?
17:06 < khaldrogox> I need a 50 user trial key
17:06 < GDevenyi> !welcome
17:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:06 < GDevenyi> !route
17:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:06 <@vpnHelper> client
17:06 < GDevenyi> !clientlan
17:06 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
17:06 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:07 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
17:09 < GDevenyi> Hey all, I think this is a simple question, I'm running an openvpn client to connect out to the internet, but when I connect it clobbers access to my local lan at 172.133.*.*, I think I can just add a local route to my client config to re-enable it, but I'm not sure how, can anyone point me to appropriate documentation?
17:09 < khaldrogox> andrewwwwwww
17:09 < khaldrogox> raidz
17:10 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:12 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
17:15 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
17:17 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
17:43 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:47 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
17:47 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Disconnected by services]
17:48 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
17:51 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
17:59 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-mrnlvgihajwaltus] has joined #openvpn
17:59 < SupaYoshi> Hey guys, Im strullign here with a openwrt and a vpn setup.
17:59 < SupaYoshi> I keep getting this error while connecting. http://paste.ubuntu.com/8620664/  TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
18:06 < SupaYoshi> pekster are you around?
18:08 -!- Latrina [~Latrina@ppp-28-3.26-151.libero.it] has quit [Read error: Connection reset by peer]
18:08 -!- Latrina [~Latrina@ppp-28-3.26-151.libero.it] has joined #openvpn
18:13 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:15 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 260 seconds]
18:30 -!- GDevenyi [~ace@184.175.0.141] has left #openvpn []
18:35 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
18:37 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
18:38 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
18:46 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
18:47 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
18:51 < st5ve> I just upgraded my internet speed and openvpn is now cpu-limited on my little rounter
18:52 < st5ve> is there anything I can do to make this better? maybe a less secure cipher?
18:52 < st5ve> its topping out at 20mbit vice 130mbit without
18:53 < st5ve> top shows cpu at 50-75% so there is a possibility it is not cpu, but some other resource
18:54 -!- st5ve is now known as hays
18:54 < hays> do I just need to get a real machine to be a router
19:00 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
19:06 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 255 seconds]
19:07 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 256 seconds]
19:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
19:09 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has joined #openvpn
19:09 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
19:09 -!- mete [~mete@91.247.253.160] has joined #openvpn
19:09 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has left #openvpn ["Leaving"]
19:20 -!- Netsplit *.net <-> *.split quits: adaptr, Papey, NucWin, hydrajump, lev__, aep, @krzee, Nothing4You, moparisthebest, nsrafk,  (+176 more, use /NETSPLIT to show all of them)
19:26 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
19:26 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
19:26 -!- mete [~mete@91.247.253.160] has joined #openvpn
19:26 -!- Netsplit over, joins: fling, jzaw, @krzee, @mattock_afk, roentgen, @plaisthos, syzzer, hays, brianblaze420, Latrina (+89 more)
19:26 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
19:26 -!- Netsplit over, joins: akp, pnielsen, zalami, Chex, swebb, keatont, funnel, obscurehero, kossy, BtbN (+25 more)
19:26 -!- ServerMode/#openvpn [+o syzzer] by sinisalo.freenode.net
19:26 -!- Netsplit over, joins: pekster, soapee01, KNERD, riddle, @dazo_afk, @vpnHelper, +hazardous, raeflondon, @raidz, xMopxShell (+36 more)
19:26 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
19:26 -!- Netsplit over, joins: ketas, Kottizen, nutron, aep
19:27 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Max SendQ exceeded]
19:27 -!- nutron [~nutron@unaffiliated/nutron] has quit [Max SendQ exceeded]
19:27 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
19:28 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
19:28 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
19:36 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 260 seconds]
19:42 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
19:42 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
19:49 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
19:53 <@ecrist> hays: what?
19:54 <@ecrist> certainly sounds like you need more CPU
19:54 <@ecrist> other ciphers are doable, best bet is try them all and see what works.
19:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
19:59 -!- Belliash [znc@asiotec/constitutive/belliash] has quit [Ping timeout: 265 seconds]
19:59 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
20:23 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has joined #openvpn
20:28 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has joined #openvpn
20:28 < lkthomas> hey guys
20:29 < shodan45> anyone know of a distro or VM "appliance" that has packages for openvpn w/ polarssl?
20:30 < lkthomas> currently I am using openvpn tap to run point to point connection, no routing involve, the service provider have a limitation on firewall which keep dropping session every 5 hours, after session cut, openvpn seems can't connect back online. I have ping and ping-restart but seems doesn't do the trick, anyone have idea what I should do?
21:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:23 < lkthomas> I am not sure if it's because I am using peer to peer
21:23 < lkthomas> and ping doesn't help
21:33 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
21:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
21:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
22:37 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:24 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
23:25 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
23:35 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
23:42 -!- ShadniX [dagger@p5481D30D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:42 -!- ShadniX [dagger@p5481C921.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Oct 22 2014
01:03 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
01:18 -!- mattock_afk is now known as mattock
01:24 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 245 seconds]
01:32 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
02:11 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
02:26 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 258 seconds]
02:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:33 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:33 -!- CaTtleyA_ [~CaTtleyA@185.24.142.82] has joined #openvpn
02:40 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:43 -!- fling [~fling@fsf/member/fling] has joined #openvpn
03:11 -!- axscode1 [~axscode@49.150.219.131] has joined #openvpn
03:14 < axscode1> Hi guys, can someone point me to a documentation how to achieve this   (vpnclient) ---> PC1(1public-ip|vpnserver,vpnclient) ---> VPN-SERVER can someone help me how to configure like this its like a vpn chaining. Thank you very much
03:17 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
03:18 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
03:26 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:02 -!- atmosx [~atma@gateway/tor-sasl/atmosx] has left #openvpn ["WeeChat 0.4.4-dev"]
04:11 -!- d10n [~d10n@unaffiliated/d10n] has quit [Ping timeout: 260 seconds]
04:12 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
04:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:17 -!- dazo_afk is now known as dazo
05:37 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
05:45 -!- mykey0815 [~mykey0815@HSI-KBW-134-3-20-249.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
05:55 -!- mykey0815 [~mykey0815@HSI-KBW-134-3-20-249.hsi14.kabel-badenwuerttemberg.de] has quit [Quit: Miranda IM! Smaller, Faster, Easier. http://miranda-im.org]
06:00 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
06:04 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
06:08 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Client Quit]
06:11 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
06:44 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
06:45 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:00 -!- Chex [~Chex@swampjax.northnook.ca] has quit [Ping timeout: 256 seconds]
07:07 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:08 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 245 seconds]
07:08 -!- mirco_ is now known as mirco
07:08 -!- almostworking [~almostwor@unaffiliated/almostworking] has left #openvpn ["Leaving"]
07:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:23 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:38 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:06 < SupaYoshi> Hey
08:10 < KodeInjc> Hai
08:19 < lkthomas> hey guys
08:23 < lkthomas> if I want to check PING packet, how could I check it using tcpdump ?
08:39 -!- rap_wrk [~rap_wrk@unaffiliated/rap-wrk/x-769542] has quit [Ping timeout: 258 seconds]
08:48 -!- CaTtleyA_ [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
08:57 <@krzee> lkthomas, man tcpdump, /j ##networking    (proto icmp)
08:58 < lkthomas> krzee: glad you are around
08:58 < lkthomas> I am having issue with OpenVPN peer to peer connection
08:58 < lkthomas> sometime I see the tunnel on both side is up
08:58 < lkthomas> but I can't ping the another point IP
08:59 <@krzee> can the other point ping you?
08:59 < lkthomas> since it's point to point, I should be able to ping the another point IP when tunnel is up
08:59 < lkthomas> I haven't check
08:59 <@krzee> sure, if the connection is up correctly and firewall isnt blocking
08:59 < lkthomas> let me see if I could reproduce this issue
09:01 < lkthomas> the another side is pfsense
09:01 < lkthomas> I got this: ping: sendto: Invalid argument
09:01 <@krzee> !configs
09:01 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:01 <@krzee> !logs
09:01 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:01 <@krzee> carefully follow the above directions, and get me logs with verb 5
09:10 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
09:10 < lkthomas> krzee: may I send you the pastebin link via PM?
09:11 -!- mjkr_ [jzhmer@gateway/shell/blinkenshell.org/x-ietuzcfzpkhkklot] has joined #openvpn
09:12 < nomad_fr> Hi
09:13 < nomad_fr> I set up an Openvpn server and 2 clients. all seems. but when I have my 2 client connected I obtain deconection of the other client and an error on the server : openvpn[76843]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]
09:14 < nomad_fr> With only one client all is ok
09:14 < nomad_fr> I use udp on port 443
09:14 < lkthomas> ha
09:14 < nomad_fr> and virtual ethernet tap device
09:14 < lkthomas> I can't reproduce this problem after remove tun-mtu on server side
09:15 < mjkr_> suppose that i'm connecting to a openvpn server tunneld through an ssh tunnel with -L 8443:localhost:8443, and the client's connecting to the server with remote localhost 8443. however, i'm then getting certificate invalid errors... my server's cn is localhost, and my client's cn is localhost as well... so what is supposed to be the right cert cn's in this case?
09:16 < lkthomas> krzee:  I will pastebin again if I see another problem
09:20 < lkthomas> I got another host which have similar problem
09:20 < lkthomas> tunnel still up but IP can't be reach
09:22 -!- smellis_werk [~smellis@2001:470:c452:2:224:e8ff:fe45:ee53] has quit [Quit: Leaving]
09:34 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:35 < lkthomas> HA!
09:35 < lkthomas> I just realize that tun-mtu could be problem causing factor
09:37 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
09:38 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:42 < lkthomas> can I use one shared key file for multiple tunnels ?
09:45 <@dazo> lkthomas: only if the shared key is used by tls-auth
09:46 < lkthomas> right, I am doing simple shared key peer to peer connection
09:46 < lkthomas> so I need to generate one key per tunnel
09:47 <@dazo> lkthomas: p2p setups can only handle one client ... you need PKI setup (--ca, --cert, --key) to make multi-client to one server
09:47 <@dazo> (one server == one openvpn server process)
09:47 < lkthomas> understood
09:47 < lkthomas> hey
09:47 < lkthomas> I just hit same issue again
09:48 <@dazo> what does the log files say?
09:48 <@dazo> !logs
09:48 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:48 < lkthomas> checking, 1 second
09:51 < lkthomas> ha
09:51 < lkthomas> looks like packet loss causing it to restart
09:52 <@dazo> udp or tcp?
09:52 < lkthomas> tcp
09:53 < lkthomas> UDP worse
09:53 < lkthomas> provider is using stateful firewall
09:53 < lkthomas> my tunnel stuck after a few hours
09:53 <@dazo> try to reduce --keepalive
09:53 < lkthomas> "reduce" ?
09:53 < lkthomas> in terms of what ?
09:54 <@dazo> if you don't have --keepalive or --ping/--ping-restart in your configs ... try adding it
09:54 < lkthomas> I do
09:54 < lkthomas> 10 60
09:54 <@dazo> !configs
09:54 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:54 <@dazo> okay
09:55 <@dazo> try reducing the 60 to 20
09:56 <@dazo> --keepalive 10 20 means that it will do a ping every 10 seconds, and if the client dont get a a response within 20 seconds, it will reconnect.  If the server doesn't get a response to its pings, it will close the connection after 40 seconds
09:56 -!- KodeInjc [~Kode@unaffiliated/kodeinjc] has quit [Quit: Leaving]
09:57 <@dazo> if that won't help ... then you might have a shitty ISP
09:57 <@dazo> on either client or server side ... or both
09:58 <@krzee> s/might//
09:58 <@dazo> heh
09:58 < lkthomas> heh
09:58 <@dazo> krzee: it could be a shitty router/switch/firewall between the ISP and the openvpn box too ;-)
09:59 <@krzee> ooo true
09:59 < lkthomas> dazo: I feel they are so screw up
09:59 <@krzee> dazo++
09:59 < lkthomas> they are NAT over NAT over NAT
09:59 <@dazo> ehm ... why do you give them your money?
09:59 < lkthomas> because it's a stock exchange?
09:59 <@dazo> *that* is most likely the reason you have troubles
10:00 < lkthomas> I just reduced it to 20
10:00 < lkthomas> let's hope it runs
10:00 <@dazo> a single NAT is often bad ... and when you do NAT^3, that's insane
10:00 < lkthomas> dazo: not sure if I observe it wrong, is it even possible that ping packet could pass but another point of IP can't be reach ?
10:01 < lkthomas> dazo: you can't complain to stock exchange infrastructure :P
10:01 <@dazo> you mean /bin/ping ... or openvpn built-in ping?
10:01 < lkthomas> built-in
10:01 <@dazo> that ping is not a normal ICMP packet.  That's an encrypted control packet going between two openvpn instances
10:02 <@dazo> so if that ping does not pass ... the connection to the server is borken
10:02 < lkthomas> what if other way around ?
10:02 < lkthomas> I mean, IP can't be reach but ping packet could pass ?
10:02 <@dazo> that doesn't make sense
10:02 < lkthomas> or PING packet is using IP protocol to send ?
10:03 < lkthomas> I seen it when I messing around with MTU
10:03 <@dazo> still doesn't make sense ... if an ICMP packet can get through ... it gets through because the IP is reachable
10:03 <@dazo> of course you could have --link-mtu issues
10:04 <@dazo> that could cause some odd latencies on packets some router along the way decides to chop-up
10:04 < lkthomas> this part I am confused, how do I tell if MTU having issue ?
10:04 < lkthomas> dazo: it's funny because when I set 1400 on both side, one side complain 32 bytes longer/shorter
10:04 <@dazo> try using netperf between client and server (public IPs, not VPN)
10:04 < lkthomas> not sure if it's a bug
10:06 <@dazo> hmmm ... try --fragment 0 --mssfix ... and remove any --link-mtu and --tun-mtu for now
10:07 < lkthomas> dazo: wait, how exactly do I know the strange problem is related with these settings ?
10:07 <@dazo> tcpdump, most likely ... and that openvpn doesn't get the packets it expects
10:07 <@dazo> otherwise, you can test mtu by adding --mtu-test on the client  (that will slow down the setup of the tunnel while the test runs, so only for debugging)
10:08 <@dazo> another way to test MTU is by using netperf and similar tools ... some hints can be extracted from !gigabit
10:08 < lkthomas> dazo: for fragement 0 mssfix, do I need to put it on both side ?
10:08 <@dazo> yes
10:08 < lkthomas> I see, I will check it tomorrow
10:09 < lkthomas> I have changed so much config, need to try out for longer run first
10:09 < lkthomas> else we will have no idea what cause problem and what fixed it :P
10:10 < lkthomas> on verb 5, I see a low of RwrW...etc on syslog, it's PING packet right ?
10:11 <@dazo> nope ... rWRw indicators are traffic (read/write) on either tunnel or TCP/UDP socket
10:11 < lkthomas> I see
10:11 <@dazo> you can go down to --verb 4 ... --verb 5 is pretty intense and is more useful when logging to file (--log) or in foreground
10:11 <@dazo> *running* in foreground
10:11 < lkthomas> okay
10:12 < lkthomas> thanks man
10:12 < lkthomas> you are really gelpful
10:12 < lkthomas> helpful*
10:12 <@dazo> yw!
10:12 < lkthomas> krzee is a bit something, maybe he is busy all the time
10:12 <@krzee> i asked for configs / logs, you solved your problem
10:12 <@krzee> then you found another, then you solved it
10:13 <@krzee> i figure i should give you a little time to think between questions :-p
10:13 < lkthomas> krzee: I mean, sometime it's hard to catch a random issue which I can't reproduce it at all
10:13 < lkthomas> once I hit the issue and change verbose level, problem is gone
10:13 < lkthomas> then I scratched my head what to do
10:14 <@krzee> plus dazo is smarter than me.
10:14 <@krzee> thats just fact :-p
10:14 <@dazo> lkthomas: krzee is usually the nicest one of him and me .... I'm known for kicking out people just because they annoy me with questions .... ;-)
10:14 < lkthomas> WHAT?
10:14 < lkthomas> dazo: LOL
10:14  * lkthomas glad he could stay
10:14 <@dazo> :)
10:14 < lkthomas> OK, let's go back to old problem
10:15 < lkthomas> the reason why I change from UDP to TCP because of their stateful firewall shit
10:15 < lkthomas> I have my keepalive on all the time
10:15 < lkthomas> how come it can't detect fail link on UDP ?!
10:15 <@dazo> Perhaps because UDP isn't stateful?
10:16 < lkthomas> but they have session timeout limit
10:16 <@dazo> krzee: I'll remember your "smart" comment ... even though we both know that's not completely true ;-)
10:16 < lkthomas> each UDP session max 5 hours on their firewall
10:16 <@dazo> lkthomas: some firewalls kills longs lasting session ... just because ...
10:16 -!- chuck_f [~chuck_f@255.Red-2-136-243.dynamicIP.rima-tde.net] has joined #openvpn
10:16 < lkthomas> yeah, does keepalive work on UDP connection ?
10:16 <@dazo> yeah, it does
10:16 <@krzee> hah but i stand by the statement!
10:18 <@dazo> krzee: I think we can agree that our combined knowledge most likely trumps the majority here :)
10:18 < Mowee> hey there
10:19 < Mowee> what does pkitool clientname needs to works ?
10:19 < lkthomas> ok thanks guys
10:19 <@krzee> :D
10:19 <@krzee> dazo, thanks
10:19 < lkthomas> I update you guys tomorrow
10:19 < lkthomas> once I got TCP working, I will try UDP
10:19 < Mowee> If I build keys with build-key, it works like a charm but if I use pkitool, it says to me "Cannot load certificate"
10:19 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:19 <@dazo> Mowee: don't use pkitool directly ... rather read the easy-rsa readme and use the ./build-* tools instead
10:19 < Mowee> I'm using pkitool this time because I need to automatically generate clients with a script
10:20 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Max SendQ exceeded]
10:20 <@dazo> then look at what ./build-* scripts does
10:20 < Mowee> Don't you know the difference ,
10:20 < Mowee> ?
10:20 -!- chuck_f [~chuck_f@255.Red-2-136-243.dynamicIP.rima-tde.net] has quit [Client Quit]
10:21 <@dazo> Mowee: I haven't used easy-rsa in ages (I use xca) ... but I know that ./build-* scripts use ./pkitool under the hood, which again uses openssl
10:22 < Mowee> dazo: alright
10:22 <@dazo> krzee: fun fact ... IBM + Apple had an open conference today about their "partnership" ... but the press was asked to leave, because the guy from Apple were not allowed to talk with the press!
10:24 <@dazo> (it happened today in Norway, in case you try to find some news about it)
10:24 < Mowee> dazo: well it seems that build-* only add --interact parameter to pkitool
10:25 <@dazo> Mowee: maybe you should look at easy-rsa-3 instead ... that's a newer incarnation where a lot of issues have been cleaned up
10:25 < Mowee> I don't understand why clients cannot load their certificates
10:25 <@dazo> https://github.com/OpenVPN/easy-rsa/
10:25 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
10:26 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
10:27 < Mowee> dazo: is easy-rsa a single file in v3 ?
10:28 <@dazo> Mowee: I dunno ... I've never tried it ... but I know they're working hard on it, and more and more do use it these days
10:33 <@krzee> dazo, hmm not finding anything for apple ibm norway
10:34 <@dazo> krzee: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.digi.no%2F931028%2Fpressen-kastet-ut-fra-apple-foredrag&edit-text=
10:34 <@vpnHelper> Title: Google Translate (at translate.google.com)
10:35 <@krzee> thanks
10:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
10:40 < lkthomas> I am still wondering if GRE is better for point to point or OpenVPN
10:42 <@dazo> completely depends on your need ... GRE does not provide a secure tunnel (encrypted and authenticated connection)
10:42 < lkthomas> in fact all of our traffic already encrypted
10:42 < lkthomas> I heard some kind of offload problem
10:43 < lkthomas> the NIC TCP offload could be utilize using OpenVPN
10:43 < lkthomas> while normal NIC doesn't have GRE offload
10:46 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:46 < lkthomas> https://www.google.com.hk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&cad=rja&uact=8&ved=0CDMQFjAD&url=http%3A%2F%2Fblog.ipspace.net%2F2012%2F03%2Fdo-we-really-need-stateless-transport.html&ei=udBHVPu3AYbp8gXIxoGYCg&usg=AFQjCNEg-kJvaBU2_OTnoLhZqrktGiE0sQ&bvm=bv.77880786,d.dGc
10:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
10:49 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
10:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:01 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:04 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
11:05 < scyld> !poodle
11:05 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
11:07 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
11:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:13 < lkthomas> brb
11:14 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:17 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
11:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
11:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:30 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 240 seconds]
11:36 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
11:45 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:47 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
11:56 -!- Belliash [znc@asiotec/constitutive/belliash] has joined #openvpn
11:57 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:57 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
11:58 -!- BtbN [btbn@btbn.de] has joined #openvpn
11:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:08 -!- lorens [~lorenzo@213.27.241.114] has quit [Remote host closed the connection]
12:22 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
12:28 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 258 seconds]
12:32 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
12:33 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
12:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:43 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
12:47 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
12:52 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
12:58 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
12:59 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Connection reset by peer]
13:04 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:12 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
13:17 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:23 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
13:34 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
13:39 < pekster> Mowee: The script itself is a single file, yes. It relies on other project files to do its work though, in particular the openssl config (.cnf) file, and the x509-types/ dir that specify extension attributes to include in signed certs of different types
13:39 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:40 < ender|> any ideas why i get duplicate entries in ifconfig-pool-persist? like this: http://pastebin.com/786Am0U8
14:03 < Eugene> !ipp
14:03 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
14:03 < Eugene> Because ipp is not a static guarantee, it's a list of assignments which are taken as a suggestion
14:04 < Eugene> If you've got multiple clients with the same name then you'll get dupes(and one will get disconnected, usually)
14:15 -!- dazo is now known as dazo_afk
14:47 -!- marmelade [~opera@dslb-084-063-072-073.084.063.pools.vodafone-ip.de] has joined #openvpn
14:59 -!- marmelade [~opera@dslb-084-063-072-073.084.063.pools.vodafone-ip.de] has left #openvpn []
15:16 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
15:31 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 245 seconds]
15:34 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
15:35 -!- Fusl is now known as fusl
15:36 -!- fusl is now known as Fusl
15:39 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
15:41 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
15:43 -!- mattock is now known as mattock_afk
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:58 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 240 seconds]
15:59 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Ping timeout: 250 seconds]
16:01 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
16:20 < hays> what kind of system specs do i need to achieve >200MBit/s throughput on an openvpn client
16:21 <@syzzer> hays: something with AES-NI instruction set (and then use AES-CBC, instead of the default BF-CBC cipher)
16:22 < hays> hmm
16:22 < hays> i wonder if my router has that
16:22 < hays> syzzer: is there a way to check if a linux machine has that
16:23 <@syzzer> cat /proc/cpuinfo | grep -i aes
16:24 < hays> hmm nope
16:24 <@syzzer> but your router will most likely not have AES-NI, unless you built it yourself with a recent Core i5 or something
16:24 < hays> mips 74k
16:24 < hays> syzzer: do you know how to check that on freebsd by any change
16:24 < hays> chance
16:24 -!- occupant [~null@204.14.158.226] has joined #openvpn
16:24 < occupant> hey is there still no way to push more than one search domain to a client?
16:25 < occupant> I can find mentions of people saying it doesn't work but they're all several years old.
16:25 <@syzzer> nope, not very familiar with freebsd, but i guess there's /proc/cpuinfo equivalent
16:25 < ender|> <Eugene> If you've got multiple clients with the same name then you'll get dupes(and one will get disconnected, usually) <- each client has unique certificate, however some of them are on unstable connections
16:25 <@syzzer> occupant: that I wouldn't know
16:25 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
16:26 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
16:26 < ender|> i'm not relying on ipp for static IPs, i was just curious why i was getting duplicate entries (without having duplicate-cn enabled)
16:27 < hays> syzzer: would an intel core2quad at 2.4GHz be able to handle it?
16:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
16:28 <@syzzer> hays: I don't know for sure, but it might. OpenVPN is single-threaded, so it's all about single core performance (or hardware acceleration, like AES-NI)
16:28 < hays> ok thanks
16:29 <@syzzer> you could experiment a bit with different ciphers (openvpn --show-ciphers)
16:29 <@syzzer> I recall that BF-CBC is not the fastest from the list
16:29 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
16:30 <@syzzer> though make sure you don't use insecure ciphers, like single-DES etc
16:33 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:36 -!- salah [~salah@unaffiliated/salah92] has joined #openvpn
16:36 < ljvb> other than tunnelback, any decent OSX client
16:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:37 < occupant> viscosity, but it's like 20bux
16:37 < occupant> everyone on the apple platforms has their hand out
16:37 < hays> syzzer: any way to find out whats the fastest
16:37 < ljvb> not sure what you mean that by "hands out" you mean they all want it for free?
16:38 < ljvb> also, it's $9 now apparently
16:39 < hays> here's what ive got https://bpaste.net/show/35149bee5cdb
16:39 <@syzzer> hays: sure, set up connection, run iperf, see what's the throughput ;)
16:40 <@syzzer> you could do something like 'time openvpn --test-crypto --secret test.key --cipher AES-256-CBC' for various ciphers, but I don't know how reliable that is
16:42 < ljvb> using AES-CBC with hardware acceleration
16:42 < ljvb> newer intel cpu's support AESNG (I think thats the cpu extension)
16:43 <@syzzer> AES-NI :)
16:43 < ljvb> yeah, thats it lol
16:44 -!- salah [~salah@unaffiliated/salah92] has quit [Quit: leaving]
16:44 < ljvb> took me a while to find a VPS that supports FBSD with newer hardware
16:44 < ljvb> guess I will try viscosity, free 30 day trial
16:45 < ljvb> I was having issues with tunnelback complaining about the openvpn version I could never fix
16:56 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
16:58 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
17:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:01 < hays> it sounds like it may be time to upgrade my router to an actual box
17:01 < hays> maybe with one of the new i3s in it
17:07 < ljvb> s?
17:07 < ljvb> wtf
17:07 < ljvb> random control char
17:07 < ljvb> s13?
17:09 < ljvb> dinner time
17:25 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
17:36 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
17:40 -!- seventyseven [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
17:49 -!- Cyclohexane is now known as Barto
17:50 -!- Barto is now known as Cyclohexane
17:53 -!- mode/#openvpn [+v seventyseven] by ChanServ
17:53 <+seventyseven> join ###openvpn for the dirt ...
17:53 -!- mode/#openvpn [-v seventyseven] by ChanServ
17:53 -!- hays [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
17:53 -!- seventyseven [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
17:54 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
17:55 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:55 -!- mode/#openvpn [+v s7r] by ChanServ
17:56 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
17:59 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
18:05 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 272 seconds]
18:05 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:13 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:25 -!- compressed [~chris@pool-173-76-110-26.bstnma.fios.verizon.net] has joined #openvpn
18:26 < compressed> hi - I’m trying to setup openvpn on google compute engine - I seem to be running into a problem where I can’t load any web sites via the vpn however. traceroute and pings work fine.. Any ideas? Using https://github.com/kylemanna/docker-openvpn
18:26 <@vpnHelper> Title: kylemanna/docker-openvpn · GitHub (at github.com)
18:27 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
18:28 < pekster> If your goal is to redirect traffic, see info and flowcharts:
18:28 < pekster> !redirect
18:28 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:28 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:31 < compressed> ah ok - let me review these
18:31 < compressed> !def1
18:31 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
18:32 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
18:32 < compressed> thank you for help
18:37 < compressed> !nat
18:37 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
18:43 -!- compressed [~chris@pool-173-76-110-26.bstnma.fios.verizon.net] has quit [Ping timeout: 250 seconds]
18:44 -!- Komplanar is now known as awsmo
18:45 -!- awsmo is now known as Komplanar
19:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:07 -!- khaldrogox [~anonymous@64.13.138.81] has left #openvpn []
19:12 -!- st5ve [~hays@unaffiliated/hays] has joined #openvpn
19:13 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 246 seconds]
19:17 -!- compressed [~chris@pool-173-76-110-26.bstnma.fios.verizon.net] has joined #openvpn
19:18 < compressed> pekster: your diagram was helpful… unfortunately I made it to the end “it works” but still it’s not exactly working… The strange thing is I can open the url there and even http://checkip.dyndns.org/ but I can’t open github.com for instance
19:18 <@vpnHelper> Title: Current IP Check (at checkip.dyndns.org)
19:18 < compressed> it seems any url that “redirects” me ends up waiting...
19:18 -!- SupaYoshi [Elite9191@gateway/shell/elitebnc/x-mrnlvgihajwaltus] has quit [Ping timeout: 265 seconds]
19:19 < compressed> wget hangs on: “HTTP request sent, awaiting response…”
19:19 < compressed> dns is resolved successfully
19:44 < st5ve> this is interesting... im still maxing out on my vpn at 20mbit with cpu utilization at 155
19:44 < st5ve> 15%
19:49 < st5ve> how do I run this mtu-test thing? is that done client side?
19:54 < st5ve> or do i need it on both client and server
19:55 -!- compressed [~chris@pool-173-76-110-26.bstnma.fios.verizon.net] has quit [Ping timeout: 265 seconds]
20:00 < st5ve> optimal MTU is 1557, so Im guessing that 1500 is OK
20:01 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
20:02 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 256 seconds]
20:06 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
20:13 < st5ve> i found an article that suggests one major way to get better speed is to increase MTU.. im guessing this won't work if mtu-test is giving 1557 as the optimal mtu size
20:27 < st5ve> also im running 2.2.1 which is the latest on squeeze
20:29 < st5ve> should i be trying to upgrade that?
20:30 -!- axscode1 [~axscode@49.150.219.131] has quit [Ping timeout: 265 seconds]
20:41 -!- st5ve is now known as hays
20:49 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
20:57 <@krzee> yes
20:57 <@krzee> !speed
20:57 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
20:57 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
21:03 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
21:04 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 244 seconds]
21:04 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
21:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
21:07 < hays> krzee: yeah cpu utilization is 20% or so but this is on a vps so I think it may be only hitting one core or something
21:07 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
21:07 < hays> what is iface txqueuelen
21:08 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
21:09 <@krzee> the interface queue length for transferring =]
21:09 < hays> hmm well its 1000
21:10 < hays> i've checked most of those boxes..  i might be stuck with what ive got
21:14 <@krzee> measure with iperf on vpn ip and public ip
21:14 <@krzee> if the vpn is udp, use udp on iperf
21:15 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
21:15 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
21:17 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
21:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:18 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
21:22 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
21:25 < hays> krzee: iperf -u -c <server name> ?
21:26 <@krzee> probably, i dont feel like checking the man page im sure you can do it
21:26 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
21:26 < hays> well it gives weird results
21:26 <@krzee> im busy watching a video for an online class im taking
21:26 <@krzee> bbl
21:26 < lkthomas> heh
21:26 < hays> i get 1.05MBits either way
21:26 < hays> but that's much slower than what i actually see
21:26 <@krzee> (surveillance law, free on coursera.org btw)
21:27 <@krzee> you just said you get the same bandwidth over the vpn as not over the vpn using iperf?
21:27 <@krzee> if so, theres nothing to fix
21:27 < hays> yes and its also about a factor of 40 slower than i get when i test it using speedtest.net
21:28 <@krzee> well your connection to your server wont magically get better because you run openvpn ;]
21:28 <@krzee> your server must not be located at the closest speedtest.net server
21:28 <@krzee> bbl
21:28 < hays> so iperf gets me 1Mbit and speedtest gets me 130Mbit
21:28 < hays> something seems out of whack there
21:28 <@krzee> your connection to your server.
21:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
21:29 -!- mode/#openvpn [+v s7r] by ChanServ
21:29 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
21:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:31 < hays> i don't think that makes sense.
21:31 < hays> if that were the case then iperf would be faster not slower
21:34 < jeev> krzee, the damn ipsec was fine, i just didn't have access to the only allowed machine. fml
21:37 -!- Droolio [~drool@host86-143-190-82.range86-143.btcentralplus.com] has quit [Quit: If you believe in telekinesis, raise my hand.]
21:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
21:53 -!- mjkr_ [jzhmer@gateway/shell/blinkenshell.org/x-ietuzcfzpkhkklot] has quit [Quit: WeeChat 0.4.2]
22:01 < lkthomas> krzee: http://pastebin.com/M8BNeBau
22:02 < lkthomas> if anyone could help, please have a look
22:02 < lkthomas> sorry that the other side I didn't turn on berb 5
22:02 < lkthomas> verb 5 *
22:03 < lkthomas> I could see the tunnel is up
22:03 < lkthomas> but another point of IP can't be reach
22:10 < lkthomas> anyone ?
22:10 < lkthomas> krzee: you there ?
22:18 < lkthomas> I see
22:18 < lkthomas> now I got some more info
22:18 < lkthomas> I tried to ping from one side to other
22:18 < lkthomas> tcpdump showing packet did flow
22:18 < lkthomas> but no response back
22:23 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:49 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
23:03 <@krzee> lkthomas, im reading court docs for awhile, sounds like a firewall issue look at iptables-save and try to fix it
23:03 <@krzee> if im awake in 37 pages ill be back
23:10 < lkthomas> WTF, hmm
23:11 <@krzee> for example if INPUT isnt accept by default, you must allow the tap or tun interface to be allow
23:11 < lkthomas> krzee: I am running pfsense
23:11 < lkthomas> on server side
23:11 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
23:12 <@krzee> i dont use pfsense but i understand its just freebsd so id prolly try the pf manual or use the gui
23:13 <@krzee> bbl
23:13 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
23:13 < lkthomas> krzee: thanks
23:13 < lkthomas> krzee: but the problem is that how come keepalive isn't working
23:13 <@krzee> firewall issue would do it, it would reconnect over and over but never actually have a connection
23:14 <@krzee> well depending i guess
23:15 < lkthomas> krzee: problem is that the log didn't say it's reconnect
23:15 <@krzee> it could also just stay connected if the vpn itself was not being messed with by the firewall
23:15 <@krzee> cause keepalives are inside the vpn itself
23:15 <@krzee> not seperate encapsulated traffic
23:15 < lkthomas> krzee: yeah, the most interesting problem is that it doesn't have return traffic
23:15 <@krzee> so like not layer2 packets in your case
23:16 < lkthomas> if no return, shouldn't it be reconnect ?
23:16 <@krzee> thats why i say firewall
23:16 <@krzee> not if the keepalive packets are still going
23:16 <@krzee> the vpn itself has return traffic, just not encapsulated traffic
23:16 < lkthomas> OH I see what you mean
23:16  * krzee points at the topic
23:16 <@krzee> "Your problem is probably firewall, Really"
23:19 < lkthomas> OK, let me have a look, thanks
23:26 <@krzee> !pfsenseipforward
23:26 <@krzee> !factoids search pfsense
23:26 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
23:27 <@krzee> hmm
23:27 <@krzee> !factoids search fbsd
23:27 <@vpnHelper> 'fbsdbridge', 'fbsdjail', 'fbsdipforward', and 'fbsdnat'
23:29 <@krzee> pfctl -sall
23:39 -!- ShadniX [dagger@p5481C921.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:39 <@krzee> lkthomas, for the record, the logs at verb 5 would have pointed us to the firewall problem, which is why verb 5 was asked for ;]
23:41 <@krzee> hays, see if you have a better connection to your server with iperf on tcp for some reason, make sure you're testing the internet routable IP not the vpn ip
23:41 -!- ShadniX [dagger@p5481C170.dip0.t-ipconnect.de] has joined #openvpn
23:41 < lkthomas> what does verb 5 line should I focus ?
23:41 <@krzee> hays, if you cant get a good connection with iperf between server and client without the vpn, the vpn will not do much
23:42 <@krzee> [11:11]  <lkthomas> on verb 5, I see a low of RwrW...etc on syslog, it's PING packet right ?
23:42 <@krzee> [11:11]  <dazo> nope ... rWRw indicators are traffic (read/write) on either tunnel or TCP/UDP socket
23:42 <@krzee> [11:12]  <lkthomas> I see
23:42 <@krzee> so you put verb 5 on both sides and do the ping over the vpn, and you should see r's and w's on both sides
23:42 < lkthomas> OH
23:48 < lkthomas> krzee: by the way, does keepalive work only on tun interface ?
23:50 <@krzee> pretty sure it works fine for both, although ive never had a reason to use tap
23:50 < lkthomas> I see, okay
23:50 <@krzee> not a lot of reasons to want remote l2
23:50 < lkthomas> sigh
23:50 <@krzee> i get it, you have one
23:51 <@krzee> multicast iirc
23:51 < lkthomas> worse case for me would be create a new openvpn server
23:51 < lkthomas> spin off from pfsense
23:51 <@krzee> just make rules allowing the vpn device in and out
23:51 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:51 < lkthomas> krzee: I do,
23:51 < lkthomas> krzee: it's not immediately not working
23:52 <@krzee> and the other device?
23:52 < lkthomas> krzee: tunnel run some time then failed
23:52 < lkthomas> another device firewall already disableed
23:52 <@krzee> what os
23:52 < lkthomas> linux
23:52 <@krzee> iptables-save
23:53 < lkthomas> empty
23:53 <@krzee> lkthomas, how is your ping and mtr when not using it over the vpn?
23:53 <@krzee> any packet loss?
23:53 < lkthomas> sometime yes
23:54 < lkthomas> packet loss I mean
23:54 <@krzee> why are you using tcp?
23:54 < lkthomas> I am testing udp and tcp now
23:54 < lkthomas> both having same issue
23:55 <@krzee> whats your keepalive
23:55 <@krzee> and show me BOTH sides with verb 5
23:55 <@krzee> before showing me, run the ping and have it work
23:55 < lkthomas> as I mention a lot of time, problem appear to be random
23:55 <@krzee> you said it works at first
23:55 <@krzee> ya but you never reproduce it as asked for
23:56 < lkthomas> it just happen sudden
23:56 <@krzee> and you're always logging
23:56 < lkthomas> krzee: give me couple hours more
23:56 < lkthomas> I talk to you tomorrow maybe
23:56 <@krzee> just show me the logs at verb 5 with it pinging correctly
23:56 <@krzee> you dont need hours for that do ya?
23:57 <@krzee> logs from both sides at verb 5
23:58 <@krzee> also use udp and be sure your firewall isnt trying to keepstate on your udp
23:59 < lkthomas> now I see if tops again
23:59 < lkthomas> drops *
23:59 < lkthomas> let me run verb 5
--- Day changed Thu Oct 23 2014
00:00 < lkthomas> Wow
00:00 < lkthomas> wait
00:00 < lkthomas> it looks coming back
00:00 < lkthomas> LOL
00:00 < lkthomas> probably packet loss
00:00 < lkthomas> krzee: on such lousy link, should I use UDP instead of TCP ?
01:07 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
01:07 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
01:08 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 260 seconds]
01:10 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 260 seconds]
01:11 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
01:11 -!- BtbN_ [btbn@btbn.de] has joined #openvpn
01:11 -!- wmp [~wmp@sored/admin/wmp] has quit [Ping timeout: 272 seconds]
01:11 -!- BtbN_ is now known as BtbN
01:13 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
01:14 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 272 seconds]
01:14 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
01:14 -!- mt [mt@unaffiliated/supermat] has quit [Remote host closed the connection]
01:14 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:14 -!- mattock_afk is now known as mattock
01:18 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
01:19 -!- mt_ [mt@unaffiliated/supermat] has joined #openvpn
01:32 < lkthomas> just wondering, /30 mask is normal for p2p interface right ?
01:32 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
01:35 -!- Belliash [znc@asiotec/constitutive/belliash] has left #openvpn []
01:38 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 258 seconds]
01:38 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Ping timeout: 260 seconds]
01:42 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
01:51 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds]
01:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Read error: Connection timed out]
01:53 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:53 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
01:53 -!- mode/#openvpn [+v hazardous] by ChanServ
01:53 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 272 seconds]
01:55 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
01:59 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 260 seconds]
--- Log closed Thu Oct 23 01:59:17 2014
--- Log opened Thu Oct 23 07:20:29 2014
07:20 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
07:20 -!- Irssi: #openvpn: Total of 188 nicks [7 ops, 0 halfops, 2 voices, 179 normal]
07:20 -!- mode/#openvpn [+o ecrist_] by ChanServ
07:20 -!- Irssi: Join to #openvpn was synced in 0 secs
07:21 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
07:35 -!- elfixit [~Icedove@42-236.197-178.cust.bluewin.ch] has joined #openvpn
07:36 <@krzee> lkthomas, read what it does.
07:37 <@krzee> lkthomas, sounds like your connection to your server is pretty bad
07:39 <@krzee> what addresses are you pinging to test, btw?
07:47 < lkthomas> krzee: another point of ip
07:47 < lkthomas> it's P2P connection, no iroutes
07:48 < lkthomas> I run BGP on top of it, but that's another thing after connection being established
07:48 < lkthomas> krzee: I am sorry that I still can't reproduce in accurate timer
07:51 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:55 < lkthomas> http://openvpn.net/archive/openvpn-users/2005-03/msg00238.html
07:55 <@vpnHelper> Title: Re: [Openvpn-users] One-way ping NO firewall issue (at openvpn.net)
07:55 < lkthomas> something like that
07:55 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
07:58 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:00 <@krzee> i still think you have a firewall issue, and you may notice the link you sent the guy had no issue, just needed to reboot
08:00 <@krzee> and when someone asks what IP you are pinging, you give them an IP
08:01 <@krzee> you think i should assume you have the right ip after you have asked questions over and over that are in the manual?
08:04 < lkthomas> sure!
08:04 < lkthomas> krzee: hey
08:05 < lkthomas> krzee: it might be China great firewall
08:05 < lkthomas> as I am connecting it to China
08:05 < lkthomas> that kind of firewall so fucked up that you wouldn't notice it at all
08:09 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
08:14 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
08:15 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-sckqimycmvqsqqcx] has joined #openvpn
08:16 < mjkr> does openvpn support plaintext .pem file as cert or must it be der encoded .crt?
08:22 <@plaisthos> mjkr: pem only
08:24 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
08:26 < mjkr> thank you, plaisthos
08:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
09:01 -!- smellis_werk [~smellis@2001:470:c452:2::9] has joined #openvpn
09:01 -!- mt_ is now known as mt
09:02 < smellis_werk> hey all, I running 2.3.2 and 2.3.4 on windows 7 and getting alot of ping timeouts, but my linux clients connecting to the same server are not having any trouble.  Could someone point me in the right direction concerning trouble shooting the windows clients?
09:02 < smellis_werk> previously, they were working just fine
09:03 < smellis_werk> using tap by the way and the server is VyOS 1.1.0
09:08 -!- elfixit [~Icedove@42-236.197-178.cust.bluewin.ch] has quit [Ping timeout: 244 seconds]
09:19 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
09:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:49 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
09:54 < cwillu_at_work> smellis_werk, previous to what?
10:22 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-sckqimycmvqsqqcx] has quit [Quit: WeeChat 0.4.2]
10:26 < smellis_werk> cwillu_at_work, just meant that it was working and now suddenly its not
10:26 < smellis_werk> looked at windows updates to see if something there could be causing problems, but it doesn't look like it
10:26 < cwillu_at_work> check your regular connectivity as well
10:27 < cwillu_at_work> i.e., ping with large udp packets to the same host as hosts the vpn, make sure that you're not seeing something network related
10:27 < smellis_werk> that was my first thought, we're seeing this problem on our own test network
10:28 < cwillu_at_work> how much infrastructure is duplicated in that network?
10:28 < smellis_werk> it's the same openvpn server, running on VyOS, just on a different VLAN
10:28 < smellis_werk> wired and wireless
10:30 < cwillu_at_work> well, my usual approach would be to set up a new server on a new box, and check that it doesn't show the problem, and divide and conquer until you've isolated the problem
10:30 < cwillu_at_work> also, did you verify the ping not going through the vpn, with a large packet size and no-fragment set isn't experiencing the same problem?
10:31 < cwillu_at_work> (i.e., ping from client to vpn server)
10:33 < cwillu_at_work> approximately what packet loss percentage are you seeing?
10:34 < smellis_werk> 0% when it's connected
10:34 < cwillu_at_work> (on the server, mtr cli.ent.i.p might be useful)
10:34 < cwillu_at_work> did I misunderstand something there?
10:34 < cwillu_at_work> isn't 0% loss good? ;p
10:34 < cwillu_at_work> oh, ping timeouts
10:34 < smellis_werk> This inactivity timeout happens when I'm on the same segment (i.e. one hop away) from the openvpn server
10:34 < cwillu_at_work> as in, disconnect because traffic isn't going through
10:35 < cwillu_at_work> can you post your client and server configs?
10:35 < cwillu_at_work> and how long does it take to timeout, assuming no traffic?
10:35 < smellis_werk> it varies
10:35 < cwillu_at_work> what order of magnitude
10:36 < smellis_werk> sometimes it will stay up for 10 min sometimes 30 mins
10:36 < smellis_werk> sometimes two minutes
10:36 < smellis_werk> it will disconnect even when I've got traffic flowing over the link, like when my users are browsing shared drives
10:37 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:37 < cwillu_at_work> (I have a thing I do where I queue up a bunch of work for the party I'm trying to help to do, even though irc parties routinely drop such packets :p)
10:37 < cwillu_at_work> shared drives could be a misleading test, but we'll leave that possibility for now
10:38 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 250 seconds]
10:38 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:42 < smellis_werk> I'm convinced it's a problem with my windows clients, but I just can't nail it down
10:42 < cwillu_at_work> <cwillu_at_work> can you post your client and server configs?
10:43 < smellis_werk> sure thing, sorry I was working another issue
10:43 < smellis_werk> lol
10:43 -!- Cracker2 [~TTL117@77.95.182.104] has joined #openvpn
10:44 < smellis_werk> http://dpaste.com/29HZ92K
10:44 < smellis_werk> workstation
10:45 < cwillu_at_work> why tcp?
10:45 < smellis_werk> I wanted it to look like HTTPS traffic, has worked well for years
10:45 < cwillu_at_work> I don't think it's the problem, but it can cause some weirdness, tunnelling tcp over tcp
10:46 < smellis_werk> lots of places block everything egressing their network excepts 80 and 443
10:46 < smellis_werk> tcp
10:46 < cwillu_at_work> the windowing and retries from each layer of tcp interact really badly
10:46 < smellis_werk> understood about tcp inside tcp
10:46 < cwillu_at_work> (server config coming?)
10:47 < cwillu_at_work> <server.conf nc cwillu.com 10101 will paste it
10:47 < cwillu_at_work> also, you appear to be mangling the config before posting it
10:48 < cwillu_at_work> are you really that worried about revealing a hostname? ;p
10:48 < smellis_werk> yes, sorry, I have a lot coming at me right now
10:48 < smellis_werk> lol
10:51 < Cracker2> Hi. I've got OpenVPN AS running working fine, which has eth0 and as0t0 interfaces. This server also acts as a NAT for servers sitting behind eth0. How can I make servers behind eth0 to hit clients behind as0t0? I can easily ping client-side network from the server, as it goes through as0t0. However, when server receives ping packets from servers behind eth0, they don't up anywhere as it doesn't
10:51 < Cracker2> reroute it to as0t0. How can I do this with iptables?
10:53 < Cracker2> Don't how to do it correctly, but in summary, packets received from -i eth0 with destination 10.10.0.0/16 should exit through -i as0t0
11:05 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:18 < Eugene> !as
11:18 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
11:21 -!- pushpop [~marc@unaffiliated/pushpop] has joined #openvpn
11:21 < pushpop> anyone know the proper syntax of the ssh command to tunnel vpn traffic through ssh?
11:29 -!- pushpop [~marc@unaffiliated/pushpop] has quit [Ping timeout: 255 seconds]
11:30 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
11:31 < Eugene> You want openvpn to be passed through a SSH tunnel?
11:31 < Eugene> The first issue is that openvpn uses UDP, which ssh tunnels don't support
11:48 < cwillu_at_work> well, you can use tcp, but that has other drouble
11:48 < cwillu_at_work> trouble
11:48 < cwillu_at_work> actually
11:49 < cwillu_at_work> Eugene, ssh has support for tun devices now, so the thing to do would be to muck with that
11:50 < Eugene> !tcp
11:50 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
11:50 < Eugene> It still sucks ^
11:51 < cwillu_at_work> I guess, it's still tcp over tcp, just with an extra udp layer
11:52 < Eugene> Though this is really a
11:52 < Eugene> !xy
11:52 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
11:52  * cwillu_at_work goes to poke Eugene in #bash, and is disappointed he's not there
11:53 < Eugene> What sort of masochist do you take me for
11:53 -!- dazo is now known as dazo_afk
11:53 < cwillu_at_work> one who triggers lines from the bot in #bash
11:54 < shodan45> anyone know of a distro or VM "appliance" that has packages for openvpn compiled with polarssl?
11:54 < Eugene> Nope, none.
11:54 < Eugene> No idea, that is. I don't doubt such a thing exists, but it's foreign to me.
11:54 < Eugene> I just `yum install openvpn` and then have a drink
12:02 < shodan45> Eugene: actually found that openwrt (router distro) has an openvpn+polarssl package: http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/base/openvpn-polarssl_2.3.4-1_ar71xx.ipk
12:02 < shodan45> but looks like only in their bleeding edge snapshots
12:03 -!- kraussen [~kraussen@194.140.174.26] has quit [Read error: Connection reset by peer]
12:46 -!- mattock_afk is now known as mattock
13:12 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
13:13 < mpoole> hey, I have a vpn server setup that handles routes for clients to an internal network. I'm trying to forward all traffic for X (external) IP over openvpn so I added a push route in server.conf for that IP
13:13 -!- lev__ [~lev@stipakov.com] has left #openvpn []
13:13 < mpoole> now a traceroute shows traffic tries to go over the vpn
13:13 < mpoole> but it fails to route
13:13 < mpoole> I was wondering if I'm missing something obvious?
13:20 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
13:29 < mpoole> traffic to the LAN routes fine
13:41 -!- mattock is now known as mattock_afk
13:49 -!- pissfrog [~chatzilla@S01060015001ccce2.vs.shawcable.net] has joined #openvpn
13:50 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
13:53 -!- mattock_afk is now known as mattock
14:06 < smellis_werk> used --tcp-nodelay server side and haven't seen any inactivity timeouts on my windows machines since
14:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:19 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
14:20 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
14:24 -!- pissfrog [~chatzilla@S01060015001ccce2.vs.shawcable.net] has quit [Ping timeout: 258 seconds]
14:47 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 265 seconds]
14:56 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:06 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 256 seconds]
15:07 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
15:22 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
15:23 -!- julius_ [~14354s@dslb-092-076-118-210.092.076.pools.vodafone-ip.de] has joined #openvpn
15:23 < julius_> hi
15:25 < julius_> this von config works: http://tny.cz/68d8a48b     but i get problems with some applications. like it was using redirect-gateway but it doesnt.  it should just add another network path to 141.40....      why does it cause proplems with normal internet traffic that goes out to my provider?
15:25 <@vpnHelper> Title: # Konfigurationsdatei für den VPN-Zugang zum Ostfalia Netz client proto... - 68d8a48b (at tny.cz)
15:27 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
15:29 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
15:29 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
15:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:37 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
15:52 -!- mattock is now known as mattock_afk
16:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:26 -!- Jack007 [~Jack007@unaffiliated/jack007] has left #openvpn []
16:38 -!- smellis_werk [~smellis@2001:470:c452:2::9] has quit [Remote host closed the connection]
17:00 -!- pissfrog [~chatzilla@174.1.110.133] has joined #openvpn
17:02 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has joined #openvpn
17:03 < Gl4di4t0r> Is this correct? http://fileforum.betanews.com/detail/OpenVPN/1132184598/1
17:03 <@vpnHelper> Title: OpenVPN Free Download and Reviews - Fileforum (at fileforum.betanews.com)
17:03 -!- TeePeeDee [~TpD@115-64-78-218.static.tpgi.com.au] has joined #openvpn
17:03 < pissfrog> Gl4di4t0r: you can download the latest client from openvpn.net
17:04 < Gl4di4t0r> pissfrog: but the version on openvpn.net is older
17:04 < Gl4di4t0r> http://openvpn.net/index.php/download/community-downloads.html
17:05 <@vpnHelper> Title: Community Downloads (at openvpn.net)
17:06 < pissfrog> that is weird
17:06 < pissfrog> OpenVPN 2.3.4 -- released on 2014.05.02 (Change Log)
17:06 < pissfrog> that's from the official site
17:06 < pissfrog> same version
17:06 < TeePeeDee> After install in W8.1 Im having a problem tryng to enter details in config :(
17:07 < TeePeeDee> Im geting "Error creating HKLM.Software\OpenVPN-GUI key"
17:09 < pissfrog> i have a site-to-site and a road warrior connections, both fine, all workstations on both sites can access the LAN behind each server, but the road warrior cannot browse the lan behind main server even thought it's connected and the routes are pushed properly
17:12 < resixian> something i'm not understanding, idk if this is vpn-talk or not, feel free to shout me down. i have an openvpn tunnel bridged (using tap0) between two sites. client is running on dd-wrt and server is on pfsense. the server LAN is 10.1.1.0/24 with dhcp from .100-.200. i set the client router to have an ip of 10.1.1.49 and dhcp from 10.1.1.50-69. however, many clients of the client, are issued ip addresses in
17:12 < resixian> the 10.1.1.100 range.. ?
17:13 < resixian> i thought they'd all be from 10.1.1.50-69 (like i've set the dhcp server on my wrt54g to do)
17:14 < pissfrog> no love for people who use ddwrt. do they even update that crap anymore?
17:14 < pissfrog> sorry i know this isn't helping you
17:15 < pissfrog> i'm just stunned that people still use that thing
17:15 < pissfrog> i'd trust the windows firewall more than i trust ddwrt
17:17 < resixian> uh, yeah. they are updating it still.
17:17 < pissfrog> i don't think they are bro
17:18 < pissfrog> i just took out my wrt54g because of that
17:18 < resixian> "no love for people who use ddwrt" , calls me "bro" 3 minutes later... :S
17:18 < pissfrog> :)
17:19 < pissfrog> my router is revision 1.1 and has been on the same release since 2010
17:20 < pissfrog> anyhow, you're hear for other reasons
17:20 < pissfrog> i'm not trying to  burst your bubble
17:21 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
17:21 < Papey> http://www.dd-wrt.com/wiki/index.php/Index:Contribute
17:21 <@vpnHelper> Title: Contribute - DD-WRT Wiki (at www.dd-wrt.com)
17:23 < pissfrog> pfsense is a good choice thou
17:23 < pissfrog> awesome OS
17:24 < Gl4di4t0r> pissfrog: I made a mistake. The latest version is on openvpn.net just like you said :)
17:25 < pissfrog> no worries Gl4di4t0r. it was odd that they've posted it on that site with today's date
17:37 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has left #openvpn ["Leaving"]
17:45 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
17:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:52 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
17:57 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
18:10 -!- Droolio [~drool@host86-143-190-82.range86-143.btcentralplus.com] has quit [Ping timeout: 240 seconds]
18:12 -!- Droolio [~drool@host81-129-9-231.range81-129.btcentralplus.com] has joined #openvpn
18:20 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
18:27 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
18:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
18:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:45 -!- K1rk [~Kirk@5.135.221.149] has joined #openvpn
18:48 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
18:49 < K1rk> Hey all
18:51 -!- julius_ [~14354s@dslb-092-076-118-210.092.076.pools.vodafone-ip.de] has quit [Ping timeout: 256 seconds]
18:53 < K1rk> lol
18:53 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:53 < K1rk> I think I figured out what I'm doing wrong already.
18:57 < K1rk> Wow I'm an idiot.
18:57 < K1rk> lol I was sleep deprived last night and I set up a VPN daemon for a few Windows machines
18:58 < K1rk> When I was having problems I thought it was because Windows couldn't do tun interfaces, so I changed to tap interface without changing anything else.
18:58 < K1rk> Turned out I was pushing a conflicting static route
18:58 < K1rk> It was weird, the VPN would connect then like nothing would work. XD
18:58 < K1rk> I was blaming Windows because all my other stuff is Linux client
18:58 < K1rk> I got it. :)
18:59 < K1rk> Guess I'll hang around and see if I can help with any questions for awhile.
18:59 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
19:09 -!- TeePeeDee [~TpD@115-64-78-218.static.tpgi.com.au] has quit [Quit: You're never too old to learn something stupid.]
19:10 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:11 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
19:13 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
19:14 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:19 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
19:38 -!- Droolio [~drool@host81-129-9-231.range81-129.btcentralplus.com] has quit [Quit: 98% of all constipated people don't give a crap.]
19:44 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 244 seconds]
19:56 -!- shodan45 [~chris@71-15-44-176.dhcp.thbd.la.charter.com] has quit [Quit: Konversation terminated!]
20:00 -!- chrisb [~chrisb@li482-205.members.linode.com] has joined #openvpn
20:15 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:32 -!- mpoole [~mpoole@minotaur.apache.org] has quit [Ping timeout: 265 seconds]
20:33 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
20:33 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
20:33 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Ping timeout: 246 seconds]
20:36 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
20:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:39 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
20:39 -!- pissfrog [~chatzilla@174.1.110.133] has quit [Quit: ChatZilla 0.9.91 [Firefox 24.8.1/20140923194127]]
20:43 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
20:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 272 seconds]
21:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
21:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
21:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:12 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
21:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:15 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
21:33 -!- akar [~spot@119.82.227.226] has joined #openvpn
21:54 -!- justinzane [~justinzan@host-69-59-81-105.nctv.com] has quit [Ping timeout: 245 seconds]
22:38 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
22:50 -!- justinzane [~justinzan@67.21.190.3] has joined #openvpn
22:52 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
22:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
23:14 -!- Kyosh [~whoa@pool-74-101-225-202.nycmny.fios.verizon.net] has joined #openvpn
23:14 -!- Kyosh [~whoa@pool-74-101-225-202.nycmny.fios.verizon.net] has left #openvpn []
23:40 -!- ShadniX [dagger@p5481C170.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:41 -!- ShadniX [dagger@p5DDFC075.dip0.t-ipconnect.de] has joined #openvpn
23:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
--- Day changed Fri Oct 24 2014
00:06 -!- chrisb [~chrisb@li482-205.members.linode.com] has quit [Ping timeout: 244 seconds]
00:41 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
00:46 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
00:46 < jrg> hm... i am trying to configure a win7 client and keep getting There is a problem in your selection of --ifconfig endpoints
00:46 < jrg> am i missing something here? can someone direct me to a web site that explains this error?
00:52 < jrg> blah. i'm at a loss. :/
00:53 < jrg> ok
00:53  * jrg facepalms
00:53 < jrg> topology = subnet
00:58 < jrg> hm. well.. managed to connect but no traffic :/
01:06 < jrg> wtf
01:16 < jrg> write to TUN/TAP: The data area passed to a system call is too small
01:25 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
01:29 -!- Robr3rd [~robert@c-68-55-201-209.hsd1.md.comcast.net] has joined #openvpn
01:30 < Robr3rd> When trying to start OpenVPN on the client system, I get "--cert fails with {file_path}: No such file or directory". The filepath is valid, though, and I am looking directly at the files. Any suggestions?
01:32 < jrg> ugh. can't seem to figure this out. i'll work on it later i guess
01:47 -!- Netsplit *.net <-> *.split quits: asturel, jrg, NP-Completeass, akp, jeev, AsadH, funnel, thumbs, reventlov, zamba,  (+28 more, use /NETSPLIT to show all of them)
01:54 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
01:55 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:00 -!- akar [~spot@119.82.227.226] has joined #openvpn
02:00 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
02:00 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
02:00 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
02:00 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
02:00 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
02:00 -!- mete [~mete@91.247.253.160] has joined #openvpn
02:00 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
02:00 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
02:00 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:00 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
02:00 -!- sluckxz [~sluckxz@unaffiliated/sluckxz] has joined #openvpn
02:00 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
02:00 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
02:00 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
02:00 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
02:00 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn
02:00 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
02:00 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
02:00 -!- zamba [marius@flage.org] has joined #openvpn
02:00 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
02:00 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:00 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
02:00 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
02:00 -!- ServerMode/#openvpn [+oo mattock_afk vpnHelper] by morgan.freenode.net
02:16 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
02:16 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:16 -!- Cracker2 [~TTL117@77.95.182.104] has joined #openvpn
02:16 -!- wmp [~wmp@sored/admin/wmp] has joined #openvpn
02:16 -!- occupant [~null@204.14.158.226] has joined #openvpn
02:16 -!- thesov [~TheSov4@8.40.0.2] has joined #openvpn
02:16 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has joined #openvpn
02:16 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
02:16 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
02:16 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
02:16 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
02:16 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
02:16 -!- akar [~spot@119.82.227.226] has quit [Quit: leaving]
02:17 -!- zamba [marius@flage.org] has quit [Max SendQ exceeded]
02:17 -!- cyberspace- [20253@ninthfloor.org] has quit [Max SendQ exceeded]
02:17 -!- funnel [~funnel@unaffiliated/espiral] has quit [Max SendQ exceeded]
02:17 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Max SendQ exceeded]
02:17 -!- catsup [~d@ps38852.dreamhost.com] has quit [Max SendQ exceeded]
02:18 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
02:18 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
02:18 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has joined #openvpn
02:18 -!- zamba [marius@flage.org] has joined #openvpn
02:29 -!- Netsplit *.net <-> *.split quits: asturel, jrg, NP-Completeass, jeev, AsadH, thumbs, reventlov, mcp, Cultist, Magiobiwan,  (+21 more, use /NETSPLIT to show all of them)
02:32 -!- Netsplit over, joins: mattock_afk, catsup, jeev, ribasushi, asturel, dvl
02:32 -!- mete [~mete@91.247.253.160] has joined #openvpn
02:32 -!- Netsplit over, joins: jzaw, nomad_fr, jrg, Cracker2, wmp, occupant, thesov, Cultist, pythonsnake, thumbs (+3 more)
02:32 -!- ServerMode/#openvpn [+o mattock_afk] by morgan.freenode.net
02:33 -!- catsup [~d@ps38852.dreamhost.com] has quit [Max SendQ exceeded]
02:34 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
02:36 -!- Netsplit *.net <-> *.split quits: jzaw, mete, dvl, @mattock_afk, nomad_fr, jeev, ribasushi, asturel
02:37 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
02:37 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
02:37 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
02:37 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
02:37 -!- sluckxz [~sluckxz@unaffiliated/sluckxz] has joined #openvpn
02:37 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has joined #openvpn
02:37 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
02:37 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
02:37 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
02:37 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
02:37 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
02:37 -!- ServerMode/#openvpn [+o vpnHelper] by morgan.freenode.net
02:40 -!- Netsplit over, joins: jzaw, nomad_fr
02:40 -!- mete [~mete@91.247.253.160] has joined #openvpn
02:40 -!- Netsplit over, joins: dvl
02:40 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:40 -!- Netsplit over, joins: asturel, ribasushi, jeev
02:40 -!- ServerMode/#openvpn [+o mattock] by morgan.freenode.net
02:40 -!- asturel [~asturel@unaffiliated/asturel] has quit [Max SendQ exceeded]
02:40 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Max SendQ exceeded]
02:40 -!- asturel [~asturel@unaffiliated/asturel] has joined #openvpn
02:42 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Max SendQ exceeded]
02:44 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:46 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
02:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:53 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
02:56 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-xwmichvinwptyltl] has joined #openvpn
02:57 < mjkr> suppose that i have managed an openvpn connection to a server, and my client is assigned 192.168.192.6 while my server now sits at 192.168.192.1, what is the command to route all my traffic on the linux system to 192.168.192.1?
02:57 < mjkr> redirect-gateway bypass-dhcp in push on the server's conf doesn't work since this is a custom linux system
02:57 < mjkr> so i need route and ip route commands.
02:57 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
02:57 < mjkr> the device of 192.168.192.6 is tun0
02:59 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
03:07 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 240 seconds]
03:18 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
03:24 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-xwmichvinwptyltl] has quit [Quit: WeeChat 0.4.2]
03:39 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:53 -!- Netsplit *.net <-> *.split quits: heraclitus, justinzane, hays, Latrina
04:53 -!- Netsplit over, joins: heraclitus, justinzane, hays, Latrina
04:54 -!- hays [~hays@unaffiliated/hays] has quit [Max SendQ exceeded]
04:55 -!- Netsplit *.net <-> *.split quits: jeev, jzaw, mete, dvl, nomad_fr, @mattock
04:55 -!- Latrina [~Latrina@ppp-28-3.26-151.libero.it] has quit [Ping timeout: 246 seconds]
04:56 -!- Netsplit over, joins: jzaw, nomad_fr
04:56 -!- mete [~mete@91.247.253.160] has joined #openvpn
04:56 -!- Netsplit over, joins: @mattock, dvl, jeev
04:56 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
04:58 -!- Netsplit *.net <-> *.split quits: @krzee, _bt, Nothing4You, MatToufoutu, hays, ayaz, dvl, ItsYoda, asturel, phreakocious,  (+143 more, use /NETSPLIT to show all of them)
04:58 -!- Netsplit *.net <-> *.split quits: NucWin, adaptr, MogDog, ShadniX, raeflondon, d10n, aulait, pa, KNERD, Komplanar,  (+4 more, use /NETSPLIT to show all of them)
04:58 -!- Latrina [~Latrina@ppp-28-3.26-151.libero.it] has joined #openvpn
04:59 -!- Netsplit over, joins: hays, jeev, @mattock, dvl, mete, nomad_fr, jzaw, justinzane, heraclitus, supergauntlet (+157 more)
04:59 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
04:59 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
05:19 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has joined #openvpn
05:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:25 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 255 seconds]
05:27 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
05:28 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
05:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:58 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
06:06 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
06:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:25 -!- Gabou [~Ga@unaffiliated/gabou] has joined #openvpn
06:25 < Gabou> !welcome
06:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:27 < Gabou> Hi everybody, I'd like to have a configuration to have a VPN between 3 serveurs, each should be able to contact each other through vpn.. Do you have any tutorial? My english is bad on search :P
06:27 < Gabou> D-Boy: hei
06:29 < D-Boy> Gabou: :D
06:29 < D-Boy> still alive ? ^^
06:29 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
06:30 < Gabou> always
06:30 < D-Boy> :)
06:36 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
06:37 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
07:05 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
07:15 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
07:17 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has quit [Client Quit]
07:18 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has joined #openvpn
07:20 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
07:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
07:36 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:39 -!- Droolio [~drool@host86-134-192-89.range86-134.btcentralplus.com] has joined #openvpn
07:40 -!- mad_hatter [~jsmith@rrcs-98-101-112-164.midsouth.biz.rr.com] has joined #openvpn
07:41 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:41 < mad_hatter> hey folks...im new to using openvpn...but when I connect to the vpn of my company remotely, and then begin to do anything I receive this message: WARNING: Received unknown control message: HALT,disconnected due to new connection by same user...any ideas?
07:43 -!- mad_hatter [~jsmith@rrcs-98-101-112-164.midsouth.biz.rr.com] has quit [Read error: Connection reset by peer]
07:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
07:46 -!- mad_hatter [~jsmith@rrcs-98-101-112-164.midsouth.biz.rr.com] has joined #openvpn
07:48 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:57 -!- mad_hatter [~jsmith@rrcs-98-101-112-164.midsouth.biz.rr.com] has quit [Quit: Leaving]
09:04 -!- Netsplit *.net <-> *.split quits: RaiNerTsuFal, meepmeep, Thermi, cm_
09:04 -!- Netsplit over, joins: meepmeep, Thermi
09:11 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:44 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:55 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
09:59 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
10:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:00 < arkie> start/j #python
10:05 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:08 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
10:09 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:15 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 245 seconds]
10:18 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:21 -!- dazo_afk is now known as dazo
10:21 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
10:30 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
10:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:41 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:46 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 244 seconds]
10:56 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has quit [Read error: Connection reset by peer]
10:57 -!- hays [~hays@unaffiliated/hays] has quit [Read error: Connection reset by peer]
10:58 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
10:59 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Ping timeout: 258 seconds]
10:59 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
10:59 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
10:59 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
10:59 -!- mode/#openvpn [+o krzie] by ChanServ
11:00 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
11:00 -!- krzie is now known as krzee
11:00 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 240 seconds]
11:00 -!- hays [~hays@unaffiliated/hays] has joined #openvpn
11:01 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 272 seconds]
11:01 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
11:02 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
11:03 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has joined #openvpn
11:03 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
11:05 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
11:41 -!- someone [~someone@chronostasis.net] has quit [Quit: ZNC - http://znc.in]
11:46 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
11:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:58 -!- someone [~someone@chronostasis.net] has joined #openvpn
12:21 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
12:27 -!- dazo is now known as dazo_afk
12:29 -!- someone [~someone@chronostasis.net] has quit [Quit: ZNC - http://znc.in]
12:51 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
12:56 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
12:59 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
13:06 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
13:52 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
13:52 < _FBi> I'm all about that bass, 'bout that bass -- No Treble
13:55 -!- mode/#openvpn [+o Eugene] by ChanServ
13:55 -!- _FBi was kicked from #openvpn by Eugene [Extremely poor taste in music]
13:55 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
13:57 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
14:12 -!- You're now known as ecrist
14:13  * ecrist delicious bass
14:43 <@krzee> lol lol
15:02 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:02 -!- mode/#openvpn [+v s7r] by ChanServ
15:30 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
15:32 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
15:36 -!- M4dH4TT3r [~M@unaffiliated/m4dh4tt3r] has joined #openvpn
15:44 < M4dH4TT3r> ###hello I just installed $$$openvpn freeradius bridge-utils ### the when trying to do a $$$ cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn ### the entire tree structure after openvpn seems to be missing, has this been changed in recent releases?
15:46 < M4dH4TT3r> cd etc
15:46 < M4dH4TT3r> lol
15:48 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
15:49 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
15:51 < M4dH4TT3r> nm i found it in /usr/share/doc/openvpn/examples/sample-config-files/server.conf
15:57 -!- wmp [~wmp@sored/admin/wmp] has left #openvpn ["Konversation terminated!"]
16:10 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Quit: Leaving]
16:21 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 272 seconds]
16:23 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
16:28 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Remote host closed the connection]
16:28 -!- mattock is now known as mattock_afk
16:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 250 seconds]
16:36 <@krzee> !friday
16:36 <@vpnHelper> "friday" is It's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully.
16:36  * krzee gets popcorn and waits
16:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:43 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:44 -!- almostworking [~almostwor@unaffiliated/almostworking] has left #openvpn []
16:45 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
16:48 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
17:31 -!- someone [~someone@chronostasis.net] has joined #openvpn
17:32 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 256 seconds]
17:43 -!- Netsplit *.net <-> *.split quits: justinzane
17:44 -!- Netsplit over, joins: justinzane
17:54 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:56 <@Eugene> I like that
18:04 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
18:11 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:12 -!- _SjG_ [~sjg@173.51.147.34] has joined #openvpn
18:14 < _SjG_> Conceptual question. I have a linux server that I want to connect via OpenVPN to appear as if it's on my LAN. My firewall does OpenVPN. Do I set up the firewall as the OpenVPN Server and the Linux box as the client, or the other way around?
18:16 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
18:16 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
18:16 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:17 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
18:18 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
18:19 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 260 seconds]
18:21 <@Eugene> Your firewall would be the server, yes.
18:21 -!- M4dH4TT3r [~M@unaffiliated/m4dh4tt3r] has quit [Ping timeout: 245 seconds]
18:21 <@Eugene> Do you actually need it "on the LAN"(same L2 broadcast domain), or is "able to route to the LAN" good enough(it usually is)?
18:23 < _SjG_> Eugene: I think I'll need on the same broadcast domain, because there will be SMB traffic that depends on broadcast (if I understand correctly)
18:23 <@Eugene> !wins
18:23 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:23 <@Eugene> You don't
18:24 < _SjG_> ah, well, in that case, the latter :)
18:24 <@Eugene> That's a common misconception, because of the default behaviour. You can do it just fine with routing, and doing name-resolution via DNS or WINS ;-)
18:24 <@Eugene> !route
18:24 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:24 <@vpnHelper> client
18:24 <@Eugene> !serverlan
18:24 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
18:24 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
18:24 <@Eugene> Read links, see latte's chart ^
18:24 < _SjG_> ok. Thanks.
18:36 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
18:56 -!- whatevsz [~quassel@2a00:61e0:437e:ea01:8c7:44d:6384:89e4] has joined #openvpn
19:01 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
19:01 -!- whatevsz [~quassel@2a00:61e0:437e:ea01:8c7:44d:6384:89e4] has quit [Remote host closed the connection]
19:02 -!- whatevsz [~quassel@2a00:61e0:437e:ea01:8c7:44d:6384:89e4] has joined #openvpn
19:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 246 seconds]
19:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:10 -!- mode/#openvpn [+v s7r] by ChanServ
19:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:55 -!- Droolio [~drool@host86-134-192-89.range86-134.btcentralplus.com] has quit [Remote host closed the connection]
19:58 -!- Droolio [~drool@host86-134-192-89.range86-134.btcentralplus.com] has joined #openvpn
19:59 -!- Droolio [~drool@host86-134-192-89.range86-134.btcentralplus.com] has quit [Read error: Connection reset by peer]
20:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:19 -!- mistermajestic [~mistermaj@109.201.154.211] has quit [Ping timeout: 272 seconds]
20:28 -!- Latrina [~Latrina@ppp-28-3.26-151.libero.it] has quit [Ping timeout: 240 seconds]
20:30 -!- Latrina [~Latrina@ppp-107-18.26-151.libero.it] has joined #openvpn
20:56 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:16 -!- whatevsz [~quassel@2a00:61e0:437e:ea01:8c7:44d:6384:89e4] has quit [Ping timeout: 260 seconds]
21:56 -!- Mik3C [~miguelc@89.114.47.44] has joined #openvpn
21:57 -!- Mik3C [~miguelc@89.114.47.44] has quit [Client Quit]
22:10 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 272 seconds]
22:38 -!- M4dH4TT3r [~M@unaffiliated/m4dh4tt3r] has joined #openvpn
23:20 -!- rafi [~cyx@unaffiliated/rafi/x-9332275] has joined #openvpn
23:21 < rafi> !welcome
23:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
23:21 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:21 < rafi> !goal
23:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:24 < rafi> I would like to tweak FrootVPN's client configuration so only specific IPs are routed through this service. https://www.frootvpn.com/files/frootvpn.ovpn
23:27 < rafi> I've installed openvpn on my Linux workstation, and was wondering if it's possible with just client configuration?
23:36 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 245 seconds]
23:37 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
23:40 -!- ShadniX [dagger@p5DDFC075.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:41 -!- ShadniX [dagger@p5DDFED2D.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- rafi [~cyx@unaffiliated/rafi/x-9332275] has quit [Ping timeout: 245 seconds]
23:46 -!- rafi [~cyx@unaffiliated/rafi/x-9332275] has joined #openvpn
23:51 <@Eugene> rafi - yes; you'd need to switch out the client directive and instead use selective route statements
23:52 <@Eugene> rafi - more to the point however, don't trust freely-available services like this for your security.
23:52 <@Eugene> The recommendation you undoubtedly care across pointing you to this site was deeply misguided from a true security perspective
23:53 < rafi> Thanks Eugene, yes, that's why I want to route only spotify. I'd love to finally see this service
23:53 <@Eugene> The simple fact that the certificate+keypair you're using is freely available(inlined in the .ovpn) means that any attacker can 100% decrypt your traffic
23:53 < rafi> ouch.
23:53 <@Eugene> What you want is a app-specific proxy ;-)
23:53 <@Eugene> Yup.
23:55 < rafi> oh well. spotify's client failed to install. this whole thing is giving me an headache.
23:55 <@Eugene> !xy
23:55 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
23:55 <@Eugene> What's your goal? To use spotify(a US-only service) from outside the US?
23:56 < rafi> yup
23:56 <@Eugene> Honestly, just get your music the old-fashioned way: steal it. I do.
23:57 < rafi> yeah, i'm a big music lover. but spotify apprently has rare tracks and searching with easy access. very popular. but if you're not US/EU.. the world is very different for you.
23:58 < rafi> I was just wanting a glimpse into the forbidden fruit
23:58 <@Eugene> What you want is a US-based proxy server.
23:58 < rafi> I think spotify works for Europeans as well..
23:59 < rafi> I have a "playground" arch server in the eu.. maybe i should install openvpn
--- Day changed Sat Oct 25 2014
00:01 <@Eugene> Beats me.
00:06 < lkthomas> hey guys
00:07 < lkthomas> for a very lousy link, such as high packet loss link, what options could I make the VPN connection be more reliable ?
00:22 < lkthomas> Eugene: you there ?
00:22 <@Eugene> No, I'm drinking and playing video games
00:22 < lkthomas> ....
00:22 <@Eugene> The best thing you can do for high pocket loss is get a better fucking link
00:22 < lkthomas> Eugene: stop play openvpn games
00:24 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
00:44 -!- ShadniX [dagger@p5DDFED2D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:45 -!- ShadniX [dagger@p5DDFDEFB.dip0.t-ipconnect.de] has joined #openvpn
01:06 -!- rafi [~cyx@unaffiliated/rafi/x-9332275] has left #openvpn ["wee 1.0.1"]
01:15 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
01:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:35 -!- mattock_afk is now known as mattock
02:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
02:26 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
02:28 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
02:30 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:40 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
02:59 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
03:41 -!- mattock is now known as mattock_afk
03:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:52 -!- mattock_afk is now known as mattock
03:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:10 -!- dx486 [~dx486@unaffiliated/dx486] has joined #openvpn
04:11 -!- mattock is now known as mattock_afk
04:23 -!- mattock_afk is now known as mattock
04:30 -!- iTommix_ [~thomas@p4FEC6BB0.dip0.t-ipconnect.de] has joined #openvpn
04:32 < iTommix_> Hi @ all... my question is not OpenVPN related but VPN in general: i want to connect to my company with VPN... this works... but in our company we have a VPN to an other Server. i want to reach this over my VPN... but it doesnt work... in short: its a VPN over VPN connection. anybody who can give me a hint?
04:41 -!- tristan_1990 [~tristan_1@0543d010.skybroadband.com] has joined #openvpn
04:51 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
04:54 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
05:01 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
05:03 -!- rich0_ is now known as rich0
05:16 -!- iTommix_ [~thomas@p4FEC6BB0.dip0.t-ipconnect.de] has quit [Quit: iTommix_]
05:19 -!- tristan_1990 [~tristan_1@0543d010.skybroadband.com] has quit [Remote host closed the connection]
05:37 -!- Latrina [~Latrina@ppp-107-18.26-151.libero.it] has quit [Ping timeout: 272 seconds]
05:37 -!- Latrina [~Latrina@adsl-ull-214-255.45-151.net24.it] has joined #openvpn
05:48 < Cracker2> iTommix_ without what VPN you're using and how it's setup, not really, no hints to give
07:11 -!- keatont [~keatont@ip-66-172-11-126.chunkhost.com] has quit [Ping timeout: 258 seconds]
07:16 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
07:20 -!- Cracker2 [~TTL117@77.95.182.104] has quit []
07:24 -!- techwharf [~techwharf@ec2-54-194-62-157.eu-west-1.compute.amazonaws.com] has joined #openvpn
07:24 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Remote host closed the connection]
07:33 -!- miruoy [~quassel@d51a4ceb0.access.telenet.be] has quit [Ping timeout: 245 seconds]
07:37 < lkthomas> I realize that most of the people talk here during their office hours :P
08:06 -!- Toumasu [~Thunderbi@78-23-25-135.access.telenet.be] has joined #openvpn
08:07 -!- xyo [~xyo@192.52.166.122] has joined #openvpn
08:08 < xyo> (^^)/"
08:11 -!- Toumasu [~Thunderbi@78-23-25-135.access.telenet.be] has quit [Quit: Toumasu]
08:15 < xyo> i need some help with my openvpn config. server.conf: http://pastebin.com/UaHxJKh8 - now when i connect to the vpn server, it works for a few seconds, after that everything times out and the client logs "write UDPv4: Network is unreachable (code=51)" multiple times per second, see http://pastebin.com/x2ZLu40F - if i comment out the line <push "route 195.154.71.xxx
08:15 < xyo> 255.255.255.255 net_gateway">, everything works fine. why doesn't this work? i want to exclude the ip of my dedicated server so all traffic is send over openvpn except when i access my dedi :/
09:02 -!- xyo [~xyo@192.52.166.122] has quit [Ping timeout: 245 seconds]
09:08 -!- xyo [~xyo@95.89.160.53] has joined #openvpn
09:14 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:14 -!- xyo [~xyo@95.89.160.53] has quit [Read error: Connection reset by peer]
09:17 -!- xyo [~xyo@95.89.160.53] has joined #openvpn
09:22 < xyo> http://neco.so/i/HQA2 noticed that TUN WRITE and UDPv4 READ messages disappeared when the error messages show up
10:00 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:37 -!- jak2000 [~jak2000@189.244.84.171] has joined #openvpn
11:28 -!- vaskozl [~vasko@c-2ec3a835-74736162.cust.telenor.se] has joined #openvpn
11:28 < vaskozl> I'm trying to get this set up:
11:28 < vaskozl> https://www.frootvpn.com/guides/linuxdebian-19.html
11:28 <@vpnHelper> Title: Guide on OpenVPN for Linux/Debian (at www.frootvpn.com)
11:28 < vaskozl> as soon as I run openvpn configfile
11:28 < vaskozl> and enter the username and password
11:28 < vaskozl> how do I route my browser traffic
11:33 < vaskozl> figured it out
11:33 < vaskozl> sorry
11:33 -!- vaskozl [~vasko@c-2ec3a835-74736162.cust.telenor.se] has left #openvpn []
11:34 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
11:34 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
11:39 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
11:45 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has quit []
11:48 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has joined #openvpn
11:49 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 250 seconds]
11:52 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:39 -!- justinzane [~justinzan@67.21.190.3] has quit [Ping timeout: 244 seconds]
12:55 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
12:56 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
13:21 -!- xyo [~xyo@95.89.160.53] has quit [Read error: Connection reset by peer]
13:23 -!- xyo [~xyo@192.52.166.122] has joined #openvpn
13:25 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
13:25 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:39 -!- justinzane [~justinzan@12.172.184.36] has joined #openvpn
13:40 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.0.1]
13:43 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
13:44 -!- xyo [~xyo@192.52.166.122] has quit [Ping timeout: 244 seconds]
13:45 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
13:48 -!- Jon31 [~Jon30@unaffiliated/jon30] has joined #openvpn
13:48 < Jon31> i can't find the windows client on the site... on what page is it?
13:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
13:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:57 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
14:01 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
14:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:10 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
14:13 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
14:28 -!- bash124512 [~bash12451@adsl-32.46.190.81.tellas.gr] has joined #openvpn
14:29 -!- bash124512 [~bash12451@adsl-32.46.190.81.tellas.gr] has left #openvpn []
14:57 -!- mattock is now known as mattock_afk
15:16 -!- adamben [~Adam@binpress/adamben] has joined #openvpn
15:16 -!- adamben [~Adam@binpress/adamben] has quit [Client Quit]
15:25 < Jon31> !welcome
15:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:25 < Jon31> !goal
15:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:26 < Jon31> !howto
15:26 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:27 < Jon31> i ran the windows installer.. but i still don't have openvpn in the command line...
16:38 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
17:35 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:35 -!- mode/#openvpn [+v s7r] by ChanServ
17:42 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
17:47 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:49 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:36 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
18:40 -!- techwharf [~techwharf@ec2-54-194-62-157.eu-west-1.compute.amazonaws.com] has quit [Read error: Connection reset by peer]
18:46 -!- xyo [~xyo@195-154-71-233.rev.poneytelecom.eu] has joined #openvpn
18:50 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 255 seconds]
18:55 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
19:06 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
19:07 <@Eugene> I don't know if anybody has mentioned this recently in here, but FUCK IPSEC WITH A RUSTY SPOON
19:08 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
19:11 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 265 seconds]
19:12 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:14 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
19:36 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
19:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
19:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:13 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
20:30 -!- ItsYoda [Yoda@leader.of.the.coolkidz.club] has quit [Ping timeout: 272 seconds]
20:34 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
20:46 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
20:49 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
21:27 -!- `Yoda is now known as Yoda
21:27 -!- Yoda is now known as Guest55386
21:32 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has joined #openvpn
21:45 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
21:51 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 244 seconds]
21:53 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
23:08 -!- deed02392 [~deed02392@2001:41d0:2:ab60::1] has quit [Quit: Zai Jian]
23:34 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
23:36 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
--- Day changed Sun Oct 26 2014
00:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
00:22 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
00:24 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
00:30 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
00:32 -!- elfixit [~Icedove@77-58-37-45.dclient.hispeed.ch] has quit [Ping timeout: 244 seconds]
00:45 -!- ShadniX [dagger@p5DDFDEFB.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:46 -!- ShadniX [dagger@p5DDFCD15.dip0.t-ipconnect.de] has joined #openvpn
01:09 -!- mattock_afk is now known as mattock
01:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 265 seconds]
01:47 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
01:57 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
02:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
02:18 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 258 seconds]
02:19 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
02:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
03:05 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:21 -!- jo_sh_ua [~joshua@88.97.63.14] has joined #openvpn
04:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:35 -!- jo_sh_ua [~joshua@88.97.63.14] has quit [Changing host]
04:35 -!- jo_sh_ua [~joshua@unaffiliated/jo-sh-ua/x-0543518] has joined #openvpn
04:55 -!- BlackBishop [dexter@ipv6.d3xt3r01.tk] has joined #openvpn
04:55 < BlackBishop> PolarSSL: error parsing config private key: PK - Bad input parameters to function
04:56 < BlackBishop> ( using the android app ). It can import the .ovpn just fine it seems, it asks for my key password .. but I get that error message, anyone can tell me what I did wrong ?
05:00 < BlackBishop> !paste
05:00 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
05:00 < BlackBishop> !configs
05:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
05:05 <@syzzer> BlackBishop: you've ran into a bug that I recently fixed
05:06 <@syzzer> (polarssl + password protected private key file)
05:06 <@syzzer> the patch is in the master branch, so the next OpenVPN for Android version will probably include the fix :)
05:16 < BlackBishop> great :)
05:16 < BlackBishop> any place to get a "nightly" build ?
05:19 <@syzzer> I don't think so, but plaisthos is usually pretty fast with updating the app (fix was applied just yesterday)
05:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:19 < BlackBishop> Oh well, thanks then :) I'll wait.
05:20 <@syzzer> as a temporary workaround, you could create a pkcs12 file, and password protect that instead of the private key file
05:20 <@syzzer> make sure you remove the password from the private key before creating the pkcs12 in that case
05:20 < BlackBishop> I saw openvpn can "share" the port with apache ( tcp 443 ) .. can it do the same with bind/named on udp 53 ?
05:20 -!- mistermajestic [~mistermaj@109.201.154.211] has quit [Ping timeout: 245 seconds]
05:21 <@syzzer> not sure, but I believe that feature has been broken for a while now anyway. and since it is not used very often, it is not very high on the priority list
05:22 < BlackBishop> it seems to work for me :)
05:22 <@syzzer> really? cool! self-fixing bugs!
05:23 <@syzzer> are you using openvpn 2.3, or some older version shipped with your distro?
05:24 <@syzzer> but that means you actually know more about that feature than I do, so I'm afraid I won't be able to help you any further
05:30 < BlackBishop> well, I have net-misc/openvpn-2.3.4-r1 ( gentoo )
05:34 <@syzzer> no distro-specific patches it seems. apparently not broken at all then :)
05:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:37 -!- mode/#openvpn [+v s7r] by ChanServ
05:44 < BlackBishop> the reason why I want to passwordprotect the key is that I don't want to save the password .. :D
05:52 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
05:54 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:55 <@syzzer> BlackBishop: wait, I just realized you're using the OpenVPN Connect Android app
05:55 <@syzzer> just switch to 'OpenVPN for Android' and all will work :)
05:56 <@syzzer> Connect is the commercial version by OpenVPN Inc., 'OpenVPN for Android' is the community version
05:57 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
05:59 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 255 seconds]
06:05 < BlackBishop> the one from arne schwabe ?
06:05 <@syzzer> yes, that's plaisthos, one of the community devs
06:05 < BlackBishop> thanks :) Trying it out now
06:23 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 255 seconds]
06:23 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
06:25 < BlackBishop> https://gist.github.com/d3xt3r01/a98add47c86959e8a20d ( the configs ) .. https://gist.github.com/d3xt3r01/668cc97f6ade09db2cd4 the logs
06:25 <@vpnHelper> Title: server-client openvpn (at gist.github.com)
06:25 < BlackBishop> I'm doing something wrong ..
06:29 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
06:30 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
06:31 < BlackBishop> the server says "TLS Error: cannot locate HMAC in incoming packet from .. myip" :/
06:32 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Client Quit]
06:32 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
06:37 <@syzzer> did you set the 'auth sha384' on both sides?
06:38 <@syzzer> iirc the OpenVPN for Android client does not offer that as an option by default
06:38 < BlackBishop> nope, added now, trying again :D
06:39 <@syzzer> ah, yes, just spotted in the log: "authname = 'SHA1'"
06:43 < BlackBishop> that was it ! :) YEEY.
06:43 <@syzzer> nice :)
06:44 < BlackBishop> yup, working on a tutorial to set up the port sharing .. openvpn + pam_mysql
06:44 < BlackBishop> done setting up the port sharing and openvpn itself .. now pam_mysql ( virtual username+password )
06:47 <@syzzer> ah, sounds cool :)
06:48 < BlackBishop> I usually just set it up fast .. no cipher/auth .. but thought to improve stuff a lil' bit this time .. and write about it ..
06:48 <@syzzer> in the tutorial it is probably better not to advise users to set the 'tls-cipher' option on the server, I've seen to many people spend hours and hours debugging because somehow their tls-cipher settings were off
06:48 -!- MaddinXx [~racksteri@zux221-180-240.adsl.green.ch] has joined #openvpn
06:49 < BlackBishop> yeah, but I'm thinking on improving security ( bettercrypto.org )
06:49 <@syzzer> better use tls-version-min for that :)
06:49 <@syzzer> (and openvpn won't do SSLv3 anyway)
06:50 < BlackBishop> tls-version-min 1.2 ?
06:50 <@syzzer> won't work in all scenarios (e.g. using smartcards, or the windows crypto API), but if it works for the setup it really helps improve security
06:51 < BlackBishop> updated.
06:53 <@syzzer> client config seems to be missing tls-auth?
06:53 < BlackBishop> nope, it has <tls-auth>
06:53 < BlackBishop> ah, damn .. I just noticed the ttags don't show up
07:35 -!- Gabou [~Ga@unaffiliated/gabou] has left #openvpn [" : traP"]
07:40 -!- MaddinXx [~racksteri@zux221-180-240.adsl.green.ch] has quit [Quit: (null)]
07:52 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 260 seconds]
07:56 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds]
07:56 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Ping timeout: 260 seconds]
07:56 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
07:56 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
07:56 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 260 seconds]
07:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
07:56 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
07:56 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 260 seconds]
07:56 -!- xx7 [~jfo729Nf@freetheshellcodes.net] has quit [Ping timeout: 260 seconds]
07:57 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
07:57 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
07:57 -!- capri [svedrin@2a03:4000:6:306b:5054:60ff:fe8b:cf23] has joined #openvpn
07:57 -!- BtbN [btbn@btbn.de] has joined #openvpn
07:57 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
07:57 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
07:57 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has joined #openvpn
07:57 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
07:57 -!- mode/#openvpn [+v hazardous] by ChanServ
07:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:00 -!- Latrina [~Latrina@adsl-ull-214-255.45-151.net24.it] has quit [Ping timeout: 272 seconds]
08:01 -!- Latrina [~Latrina@adsl-ull-214-255.45-151.net24.it] has joined #openvpn
08:21 -!- Netsplit *.net <-> *.split quits: CaTtleyA
08:26 -!- Netsplit over, joins: CaTtleyA
08:30 -!- asturel_ [~asturel@unaffiliated/asturel] has joined #openvpn
08:36 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:39 -!- Netsplit *.net <-> *.split quits: moparisthebest, ljvb, +s7r, M4dH4TT3r, DrCode, Latrina, xMopxShell, asturel
08:39 -!- asturel_ is now known as asturel
08:42 -!- jo_sh_ua [~joshua@unaffiliated/jo-sh-ua/x-0543518] has quit [Quit: .]
08:59 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
09:00 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 244 seconds]
09:01 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
09:01 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 244 seconds]
09:02 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
09:02 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
09:08 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
09:09 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
09:31 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:42 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
09:51 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:55 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
09:57 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
10:23 -!- acovrig [~acovrig@host-216-229-233-5.public.southern.edu] has joined #openvpn
10:24 < acovrig> I’m trying to accomplish a Client-to-Client-LAN VPN (http://pastebin.com/0guB9xRP), the server won’t route 192.168.5.0 over 10.0.4.0 and I’m not sure why.
10:25 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
10:41 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has quit [Quit: Konversation terminated!]
10:41 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
11:43 -!- msilv3r [~mike@2601:6:8280:2c5:cdae:f841:18fe:9f1f] has joined #openvpn
11:43 < msilv3r> !welcome
11:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:48 < msilv3r> I've already made a post in the OpenVPN forums (server admin/config) though I was hoping this may be more helpful. Anyone around? The detail of my issue are here: https://forums.openvpn.net/topic17357.html
11:48 <@vpnHelper> Title: OpenVPN Support Forum Outside traffic not working / extremely slow : Configuration (at forums.openvpn.net)
11:54 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
11:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
12:08 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
12:21 -!- msilv3r [~mike@2601:6:8280:2c5:cdae:f841:18fe:9f1f] has quit [Quit: Leaving]
13:02 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:15 -!- acovrig [~acovrig@host-216-229-233-5.public.southern.edu] has quit [Quit: acovrig]
13:34 -!- Plaidrab [~dbolack@tx-71-53-83-247.dhcp.embarqhsd.net] has joined #openvpn
13:51 -!- Plaidrab [~dbolack@tx-71-53-83-247.dhcp.embarqhsd.net] has quit [Quit: return(0);]
14:09 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
14:09 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 265 seconds]
14:11 -!- dx486 is now known as dx-away
14:27 < tgm4883> Trying to help a friend use tunnelblick to connect to their Mac to my openvpn server. I see it add the route in the routing table, but it doesn't appear to be sending broadcast traffic over the VPN
14:27 < tgm4883> All my other Linux and Windows clients are working correct with the broadcast traffic, just not this mac
14:28 < tgm4883> Is there something I'm missing here? I don't see the VPN listed in the Mac network priority list, so I can't make it #1
14:30 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has joined #openvpn
14:34 -!- SCHAAP137 [dorian@77-173-0-137.ip.telfort.nl] has quit [Remote host closed the connection]
14:34 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:52 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:55 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
15:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
16:07 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
16:28 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
16:30 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
16:30 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 265 seconds]
16:32 -!- Illegalviking [~BlackTux@de3x.mullvad.net] has joined #openvpn
16:33 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:33 -!- dx-away is now known as dx486
16:36 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
16:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:41 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
16:52 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
17:10 -!- mattock is now known as mattock_afk
17:12 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 265 seconds]
17:25 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
17:25 -!- Illegalviking is now known as TheJoker
17:26 -!- TheJoker is now known as illegalviking
17:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:47 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:52 -!- mode/#openvpn [+v s7r] by ChanServ
18:14 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
18:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:27 -!- Latrina [~Latrina@adsl-ull-214-255.45-151.net24.it] has joined #openvpn
18:39 -!- Chex [sss@swampjax.northnook.ca] has joined #openvpn
19:22 < hydrajump> hi the what's the difference between using easy-rsa and say xca? is it just that the latter provides a GUI?
19:29 -!- basheba [~basheba@gateway/tor-sasl/basheba] has joined #openvpn
19:29 < basheba> I'm stuck :-( ://www.frootvpn.com/guides/linuxdebian-19.html
19:36 -!- basheba [~basheba@gateway/tor-sasl/basheba] has quit [Ping timeout: 246 seconds]
19:43 -!- wiski [~wiski@213-186-246-19.bb.dnainternet.fi] has joined #openvpn
19:43 < wiski> how can i change the default keyring in openvpn?
19:44 < wiski> in my ca.crt file
19:49 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
19:56 < wiski> im trying to setup privateinernetaccess vpn
19:56 < wiski> i got it working but i just want to change the keyring
19:56 < wiski> is it even possible?
19:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
20:01 -!- mode/#openvpn [+v debbie10t] by ChanServ
20:02 <+debbie10t> wiski, try /join ###openvpn
20:04 < wiski> oh problem was with gnome-keyring, not with openvpn..
20:04 <+debbie10t> arg
20:04 < wiski> :D
20:05 -!- mode/#openvpn [-v debbie10t] by ChanServ
20:16 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:16 -!- wiski [~wiski@213-186-246-19.bb.dnainternet.fi] has left #openvpn []
20:20 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
20:22 < hydrajump> just came across this project https://github.com/infosecsociety/osdt looks like a lot of work was put into the openvpn config settings making it secure
20:22 <@vpnHelper> Title: infosecsociety/osdt · GitHub (at github.com)
20:24 < Neal_> hydrajump: pretty interesting, thanks for sharing :D
20:32 < hydrajump> Neal_: sure no problem. I'm working on an openvpn server deployment and links like that are super useful.
20:34 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Quit: ZNC - http://znc.in]
20:35 -!- mode/#openvpn [+v debbie10t] by ChanServ
20:35 <+debbie10t> hydrajump, i prefer my vpn to be home-grown
20:36 <+debbie10t> but sure .. if it actually works
20:36 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:39 < hydrajump> debbie10t: sure using it as reference not blindly trusting it and deploying without going over the config ;)
20:41 <+debbie10t> hydrajump, i think "blindly" says plenty
20:44 <+debbie10t> quite frankly i dont even trust --server
20:44 < hydrajump> debbie10t: what do you mean with "--server">
20:47 <+debbie10t> hydrajump, --server is a shortcut
20:47 <+debbie10t> shortcuts are always flawed
20:48 <+debbie10t> btw .. i presume you understand OpenVPN ?
20:48 <+debbie10t> --server net mask
20:49 <+debbie10t> *mask .. or other
20:50 < hydrajump> debbie10t: I have some understanding, but by no means an expert.
20:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 246 seconds]
20:50 <+debbie10t> hydrajump, it is all documented ..
20:50 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:50 -!- mode/#openvpn [+v s7r] by ChanServ
20:51 <+debbie10t> hence forth OPEN vpn
20:52 <+debbie10t> otherwise known as: open vpn
20:52 < lkthomas> guys, when I run UDP, openvpn having like 50% packet loss
20:52 < lkthomas> TCP is less than 1%
21:06 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
21:08 < hydrajump> does it make sense to put a load balancer in front of multiple openvpn servers?
21:08 <+debbie10t> ###openvpn ..
21:08 < hydrajump> what's the difference between this and that channel?
21:09 <+debbie10t> try it and see
21:09 < hydrajump> Can't I ask these types of questions here?
21:15 < lkthomas> WTF
21:21 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:35 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has quit [Quit: Closing]
22:04 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:11 -!- Robr3rd [~robert@c-68-55-201-209.hsd1.md.comcast.net] has quit [Quit: Leaving]
22:27 -!- fling [~fling@fsf/member/fling] has joined #openvpn
22:42 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
--- Day changed Mon Oct 27 2014
00:11 -!- Voss [~Voss@unaffiliated/voss] has joined #openvpn
00:11 -!- Voss [~Voss@unaffiliated/voss] has left #openvpn []
00:26 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
00:27 -!- justinzane [~justinzan@12.172.184.36] has quit [Ping timeout: 255 seconds]
00:38 -!- justinzane [~justinzan@24.49.207.221] has joined #openvpn
00:43 -!- ShadniX [dagger@p5DDFCD15.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:45 -!- ShadniX [dagger@p5481C454.dip0.t-ipconnect.de] has joined #openvpn
02:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
02:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:20 -!- mattock_afk is now known as mattock
02:30 -!- illegalviking is now known as Illegalviking
02:37 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
03:05 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:07 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 246 seconds]
03:07 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:07 -!- mode/#openvpn [+v s7r] by ChanServ
03:19 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:58 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
04:01 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
04:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:48 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:56 -!- Fazy [junk@fazy.ki.iif.hu] has joined #openvpn
04:56 < Fazy> hy guys
04:56 < Fazy> I run into a problem in a last few days, and actually cannot found any solution to my problem...
04:57 < Fazy> So, I have az ovpn on debian, authenticated from active directory.. the clients use private key and AD user/password auth, which works like a charm, until a last few days
04:58 < Fazy> now, i cannot get any password askin window (also no log on ovpn gui) but in console, it's still ask the credentials, and build a tunnel successfully
04:59 < Fazy> are there anybody, who run in the same, or know the solution
04:59 < Fazy> ?
05:00 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 272 seconds]
05:01 < Fazy> !welcome
05:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
05:01 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:04 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
05:08 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
05:08 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
05:13 -!- deranged_user [deranged@unaffiliated/deranged-user/x-2475585] has quit [Changing host]
05:13 -!- deranged_user [deranged@2a00:d880:3:1::5d93:49ba] has joined #openvpn
05:13 -!- dazo_afk is now known as dazo
05:13 -!- deranged_user [deranged@2a00:d880:3:1::5d93:49ba] has quit [Quit: et nos unum sumus]
05:14 -!- deranged_user [deranged@lolnerd.net] has joined #openvpn
05:19 -!- DrCode_ [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
05:20 -!- Illegalviking [~BlackTux@de3x.mullvad.net] has quit [Quit: Leaving]
06:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
06:19 -!- capri [svedrin@2a03:4000:6:306b:5054:60ff:fe8b:cf23] has quit [Ping timeout: 260 seconds]
06:26 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
06:53 -!- Jon31 [~Jon30@unaffiliated/jon30] has quit [Ping timeout: 265 seconds]
07:02 -!- kraftman [~kraftman@host-89-241-156-124.as13285.net] has joined #openvpn
07:02 < kraftman> !goal
07:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:09 -!- techwharf [~techwharf@ec2-54-194-62-157.eu-west-1.compute.amazonaws.com] has joined #openvpn
07:13 < kraftman> high scp traffic seems to kill my openvpn connection after 30 sec, any tips on where to start with diagnosing the issue?
07:14 < kraftman> current setting is keepalive 10 120
07:14 < kraftman> so i figured that probably isnt the problem
07:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
07:28 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
07:31 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:44 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
08:01 < techwharf> kraftman what are openvpn logs saying?
08:03 < kraftman> techwharf: doesnt show anything other than the initial connection, is there some flag to enable verbose logging?
08:03 < kraftman> nvm found it
08:05 < techwharf> yes, you can set "verb n" in config, n = 0 to 11
08:05 < techwharf> try set it to 4 and see what happens when connections drops
08:05 < techwharf> connection drops*
08:06 < kraftman> thanks
08:14 < kraftman> techwharf: says 'Inactivity timeout (--ping-restart), restarting'
08:15 < kraftman> so i guess the transfer is affecting the keepalive pings?
08:15 -!- u0m3__ [~u0m3@92.80.111.131] has joined #openvpn
08:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 244 seconds]
08:18 -!- u0m3_ [~u0m3@92.80.111.131] has quit [Ping timeout: 265 seconds]
08:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:40 < techwharf> show me your config files(pastebin it). and are you sure this happens on high traffic? otherwise it's fine?
08:43 < kraftman> i ran a fast ping to the other end for about 20 mins with no issues, then tried a couple of transfers which both stopped at 30 sec
08:44 < kraftman> config:
08:44 < kraftman> http://pastebin.com/qhtQimB6
08:46 < kraftman> thats my .conf
08:47 <@krzee> why the cipher changes kraftman?
08:49 < kraftman> no idea sorry, i didnt create this config
08:49 <@krzee> do you control the server??
08:49 < kraftman> yeah
08:49 <@krzee> !speed
08:49 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) Prefer UDP over TCP (see !tcp) or (#4) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues or (#5) iface txqueuelen often needs to be >100 on fast and/or latent links or (#6)
08:49 <@vpnHelper> latenty/slow links don't magically get better with openvpn or (#7) less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#8) Prefer tun over tap (see !tunortap and !whybridge)
08:49 <@krzee> prolly one of those issues ^
08:50 <@krzee> one or more*
08:51 <@krzee> !forget speed 4
08:51 <@krzee> !forget speed 4
08:51 <@vpnHelper> Joo got it.
08:51 <@krzee> !forget speed 4
08:51 <@krzee> !forget speed 4
08:51 <@vpnHelper> Joo got it.
08:51 <@krzee> !forget speed 4
08:51 <@krzee> !forget speed 4
08:51 <@vpnHelper> Joo got it.
08:51 <@vpnHelper> Joo got it.
08:51 <@vpnHelper> Joo got it.
08:51 <@vpnHelper> Error: Invalid factoid number.
08:51 < kraftman> ok cheers ill run through thore
08:51 <@krzee> !learn speed as MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu)
08:51 < kraftman> those
08:51 <@vpnHelper> Joo got it.
08:51 <@krzee> !learn speed as iface txqueuelen often needs to be >100 on fast and/or latent links
08:51 <@vpnHelper> Joo got it.
08:51 <@krzee> !learn speed as less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
08:51 <@vpnHelper> Joo got it.
08:52 <@krzee> !forget speed 3
08:52 <@vpnHelper> Joo got it.
08:52 <@krzee> !learn speed Prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp)
08:52 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
08:52 <@krzee> !learn speed as prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp)
08:52 <@vpnHelper> Joo got it.
08:53 <@krzee> !learn speed as if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better.
08:53 <@vpnHelper> Joo got it.
08:53 <@krzee> sorry for all the output
08:53 <@krzee> !speed
08:53 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
08:53 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better.
08:54 -!- Fazy [junk@fazy.ki.iif.hu] has quit []
08:57 < kraftman> !mtu
08:57 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
09:03 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
09:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:21 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
09:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:53 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
09:57 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
10:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:10 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:21 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
10:24 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
10:28 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 246 seconds]
10:30 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
10:41 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
10:47 -!- jak2000 [~jak2000@189.244.84.171] has quit [Ping timeout: 255 seconds]
10:55 < thesov> I have a small problem, I setup a openvpn server, but it tries to give everyone who connects the same ip
11:04 -!- justinzane [~justinzan@24.49.207.221] has quit [Ping timeout: 240 seconds]
11:05 < DArqueBishop> Did you set up different certs for each connecting client?
11:11 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 245 seconds]
11:15 -!- justinzane [~justinzan@64.234.62.130] has joined #openvpn
11:16 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
11:17 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
11:24 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:40 -!- Guest55386 [Yoda@leader.of.the.coolkidz.club] has left #openvpn []
11:40 -!- ItsYoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
11:43 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:58 -!- pm3003 [~pierre@unaffiliated/pm3003] has joined #openvpn
11:58 < pm3003> hi everyone!
11:59 < pm3003> Where can I find some help on setting up easy-rsa in order to set up an openvpn server ?
12:01 <@krzee> !easy-rsa
12:01 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) https://community.openvpn.net/openvpn/wiki/EasyRSA
12:02 <@krzee> link #2 for download newest version, #3 for using it
12:05 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: Connection reset by peer]
12:05 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
12:08 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:09 -!- ItsYoda is now known as `Yoda
12:18 < pm3003> thank you very much, I'm struggling a little since most tutorials are for version 2 and the readme files are not very clear either.
12:29 -!- lorens [~lorenzo@213.27.241.114] has quit [Ping timeout: 245 seconds]
12:29 < thesov> DArqueBishop: no i did not.
12:32 <@krzee> !forget easy-rsa 3
12:32 <@vpnHelper> Joo got it.
12:33 <@krzee> !learn easy-rsa Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
12:33 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
12:33 <@krzee> !learn easy-rsa as Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
12:33 <@vpnHelper> Joo got it.
12:43 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Quit: Konversation terminated!]
12:49 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 265 seconds]
12:58 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
13:06 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
13:28 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
13:39 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 250 seconds]
14:22 -!- miruoy [~quassel@d51a4ceb0.access.telenet.be] has joined #openvpn
14:38 -!- pm3003 [~pierre@unaffiliated/pm3003] has quit [Remote host closed the connection]
14:43 -!- tgm4883 [uid23806@ubuntu/member/tgm4883] has quit [Ping timeout: 272 seconds]
14:44 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 272 seconds]
14:45 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
14:48 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
14:58 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has joined #openvpn
14:58 < lickalott> guys, i'm having some issues setting up a VPN connection (running openvpn on ubuntu) through the network manager on Fedora.
14:58 < lickalott> does anyone have any experience with this?
14:59 <@Eugene> !ubuntu
14:59 <@vpnHelper> "ubuntu" is dont use network manager!
14:59 <@Eugene> Applies for Fedora, too.
15:01 < lickalott> ok...  whatever the window is that is used to setup a VPN connection through the network settings.
15:01 < lickalott> !Fedora
15:02 < lickalott> i can run it manually via commandline and it works fine.
15:02 < lickalott> seems to be a permissions issue on the local machine "fedora" but I don't know where exactly to start looking.
15:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:07 < lickalott> btw: this is from the journalctl.log : Oct 27 13:03:42 localhost.localdomain NetworkManager[1158]: ** Message: Terminated openvpn daemon with PID 22578.
15:08 < lickalott> NetworkManager[1158]
15:30 -!- dazo is now known as dazo_afk
15:32 -!- _SjG_ [~sjg@173.51.147.34] has left #openvpn ["Leaving..."]
15:35 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
15:45 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 265 seconds]
15:48 < lickalott> does anyone know what this is: TLS Error: cannot locate HMAC in incoming packet from
15:48 < lickalott> and how I fix it.
15:49 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
16:07 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has quit [Ping timeout: 244 seconds]
16:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:17 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
16:24 -!- devios [~devios@184-96-175-84.hlrn.qwest.net] has joined #openvpn
16:45 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 265 seconds]
16:54 -!- felon_ [ircN@pool-96-241-215-142.washdc.fios.verizon.net] has joined #openvpn
16:54 < felon_> !welcome
16:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:55 -!- mattock is now known as mattock_afk
16:58 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:05 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:14 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Ping timeout: 244 seconds]
17:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:32 -!- mode/#openvpn [+v s7r] by ChanServ
17:41 -!- WhiteIntel [~quassel@80-121-102-15.adsl.highway.telekom.at] has joined #openvpn
17:42 < WhiteIntel> hello I have a problem with my ubuntu server client: when I try to connect I get this error: RTNETLINK answers: Network is unreachable
17:42 < WhiteIntel> Mon Oct 27 20:29:06 2014 ERROR: Linux route add command failed: external program exited with error status: 2
17:42 < WhiteIntel> what is wrong here?
17:51 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
17:55 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
18:00 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 258 seconds]
18:01 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
18:04 -!- Left_Turn is now known as pgicxplzs
18:10 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
18:21 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
18:49 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 244 seconds]
18:56 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:56 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
18:56 -!- mode/#openvpn [+v RBecker] by ChanServ
19:07 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 258 seconds]
19:16 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
19:24 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
19:28 -!- bioid- [~bioid@ec2-54-187-167-153.us-west-2.compute.amazonaws.com] has joined #openvpn
19:46 -!- kraftman [~kraftman@host-89-241-156-124.as13285.net] has quit [Read error: Connection reset by peer]
19:46 -!- bioid- [~bioid@ec2-54-187-167-153.us-west-2.compute.amazonaws.com] has left #openvpn []
19:56 -!- GrantK [~GrantK@bolt.sonic.net] has joined #openvpn
20:00 < GrantK> I've a number of 'full' OpenVPN connections between sites.  All working nicely.  On one server, I'd like to set up an additional instance that's available to roaming laptops ONLY for access to the external net.  I.e., NO access to anything ON the server is to be provided to the roaming clients -- well, maybe its nameserver.  I've got reams of docs on getting all the complex/elegant routing up-n-running; is there a good example for 'minimal' access -- just
20:00 < GrantK>  for roaming? (As an alternative, e.g., to one of the commercial VPN services like 'HideMyAss' ...)?
20:27 -!- WhiteIntel [~quassel@80-121-102-15.adsl.highway.telekom.at] has quit [Remote host closed the connection]
20:29 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
20:41 -!- devios [~devios@184-96-175-84.hlrn.qwest.net] has quit [Quit: Going offline, see ya! (www.adiirc.com)]
20:53 -!- GrantK [~GrantK@bolt.sonic.net] has quit [Quit: GrantK]
20:57 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 265 seconds]
20:58 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
21:01 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:26 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:02 -!- cerberus [nd@nullify.ca] has joined #openvpn
22:05 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
22:13 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
22:16 < cerberus> I'm trying to connect to my friends vpn server using openvpn, and by the looks of it http://pastie.org/private/4ikgyz5qgdsmy5mqz2llda its connected, but I cant visit websites, connect to irc, ping, etc.
22:19 -!- zacts- [~AndChat41@freebsd/geek/zacts] has joined #openvpn
22:37 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
22:41 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
22:59 <@krzee> cerberus, you need to talk to the person who runs the server about that
23:29 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:36 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 265 seconds]
23:36 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
--- Day changed Tue Oct 28 2014
00:10 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has left #openvpn []
00:31 -!- zacts- [~AndChat41@freebsd/geek/zacts] has quit [Quit: Bye]
00:42 -!- ShadniX [dagger@p5481C454.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:42 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 272 seconds]
00:43 -!- ShadniX [dagger@p5DDFF2FD.dip0.t-ipconnect.de] has joined #openvpn
00:45 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
00:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
00:57 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 245 seconds]
01:41 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has quit [Ping timeout: 265 seconds]
01:55 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
02:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
02:34 -!- dazo_afk is now known as dazo
02:40 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:55 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:00 -!- mattock_afk is now known as mattock
03:15 -!- felon_ [ircN@pool-96-241-215-142.washdc.fios.verizon.net] has quit [Ping timeout: 260 seconds]
03:31 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 260 seconds]
03:53 -!- lickalott [~lickalott@127.0.0.1.silentkiller.cc] has quit [Ping timeout: 258 seconds]
04:00 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-yxbsmmmhfewyuddd] has joined #openvpn
04:01 < mjkr> does setting tls-suite and cipher to NONE/NULL leak my tls-auth key?
04:01 < mjkr> i meant tls-cipher
04:01 < mjkr> i don't need encryption here since i'm tunneling openvpn over an ssh tunnel, if you are curious.
04:03 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
04:03 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Client Quit]
04:03 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
04:03 < mjkr> and by leaking i meant the following case: some rogue client trying to connect to my remote server without an ssh tunnel, -
04:04 <@dazo> mjkr: if you don't need encryption, why do you care if a key would leak?
04:05 <@dazo> but the tls-key is never transferred over the net at all.  It is used to create a signature which is transmitted, and the remote side can then verify the signature based on its copy of the key
04:05 < mjkr> dazo: coz the server's still listening on some port.
04:06 < mjkr> oh, that's very assuring. thank you, dazo!
04:06 <@dazo> however, it is a static key ... so collection enough packets, an attacker might be able to gather enough information to at least provide valid signatures for packet injections
04:06 <@dazo> hmmm .... or maybe not
04:07 < mjkr> well, they aren't gonna collect anything. all openvpn's routed through an ssh tunnel here. my client's config's using localhost for connection, and i am the only client.
04:07 <@dazo> tls-auth is special
04:08 <@dazo> uhm ... that sounds like an awful setup, with TCP-over-TCP-over-TCP .... as SSH uses TCP transport and can only provide TCP tunnels for openvpn
04:08 <@dazo> !tcp
04:08 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
04:08 <@dazo> see #2
04:08 <@dazo> sorry, #1
04:09 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
04:09 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 244 seconds]
04:09 < mjkr> erh, can you pm me the plaintext, dazo? i'm currently still configuring the vpn. so routing default through it will break my shell connection.
04:10 <@dazo> it's a longer text, with an image
04:10 < mjkr> my own reasons for using tcp is that the country here's actively blocking openvpn.
04:10 < mjkr> but not ssh, and i am using the port for winrm for the ssh tunnel
04:11 < mjkr> both winrm and ssh are tcp
04:11 < mjkr> and my router's netcat doesn't have "-u"
04:11 < mjkr> otherwise, i would have done l2tp over ssh
04:11 <@dazo> mjkr: the TOR project has a obfuscator which is useful in this scenario ... where OpenVPN can connect to this obfsproxy using SOCKS5
04:12 < mjkr> but wouldn't no-encryption openvpn over ssh provide less overhead?
04:12 <@plaisthos> you could then also use ssh's vpn feature ...
04:12 <@dazo> yeah, that would be better, with the SSH-VPN
04:14 < BtbN> ssh is TCP, so it's bad anyway
04:14 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:14 <@dazo> mjkr: the key essence of the TCP-over-TCP issue is that once you get a packet timeout, several of the TCP layers will start re-transmitting packets ... and you'll get a slow tunnel and lots of unneeded packet passing back and forth ... and in your setup, using TCP via an OpenVPN tunnel via TCP over an SSH port forward over TCP ... it will just be an amplifier for these troubles
04:14 <@dazo> BtbN: true, but you reduce the complexity to TCP over TCP, and not TCP over TCP over TCP
04:15 <@plaisthos> dazo: you added one tcp layer too much :)
04:15 <@plaisthos> tcp forward over openssh does not encapsulate tcp in tcp
04:16 <@dazo> plaisthos: if a web browser connects using TCP, gets transferred via OpenVPN which uses TCP transport and then that is port forwarded using SSH - which again uses TCP ... or do I miss something?
04:16 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-yxbsmmmhfewyuddd] has quit [Quit: WeeChat 0.4.2]
04:16 <@plaisthos> dazo: thats right
04:16 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-pdklsoygbrbbwhzx] has joined #openvpn
04:17 <@plaisthos> it sounded like tcp over openvpn tcp over openssh tcp
04:17 < mjkr> the link http://www.openvpn.net/papers/BLUG-talk/14.htm doesn't work, Daemoen
04:17 <@vpnHelper> Title: OpenVPN - Open Source VPN (at www.openvpn.net)
04:17 < mjkr> oops
04:17 < mjkr> sorry Daemoen, intended for dazo
04:17 < mjkr> the page redirects to www.openvpn.net
04:17 <@dazo> mjkr: try #1 instead ... I miss-typed
04:18 <@dazo> http://sites.inka.de/~bigred/devel/tcp-tcp.html
04:18 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
04:18 <@dazo> mjkr: for obfsproxy ... https://www.torproject.org/projects/obfsproxy-instructions.html.en
04:18 <@vpnHelper> Title: obfsproxy: Installation instructions (at www.torproject.org)
04:19 <@dazo> you don't do the last "starting TOR", but once obfsproxy is running on server and client, you can kick off openvpn using --socks-proxy, connecting to the local obfsproxy instance
04:20 < mjkr> well... if only i can persuade my router company to include obfsproxy...
04:21 <@dazo> mjkr: you install it on your own vpn server ... or you don't use your own vpn server?  (if you have ssh access, you can most likely get obfsproxy running)
04:22 < mjkr> well... the graph on the page does say obfsproxy client...
04:23 <@dazo> <openvpn client>---<obfsproxy client in socks mode>-----|CENSORED NETWORK|-----<obfsproxy server>-----<openvpn server>
04:23 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
04:27 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-pdklsoygbrbbwhzx] has quit [Quit: WeeChat 0.4.2]
04:28 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-vmwfegfwawwdfpon] has joined #openvpn
04:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:28 < mjkr> the page here https://community.openvpn.net/openvpn/wiki/TrafficObfuscation does require obfsproxy to run on a client, and my client's a vendor-locke-in router...
04:28 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
04:29 < mjkr> i have no problems running obfsproxy on my server
04:29 <@dazo> where do you run your openvpn client and servers?
04:31 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
04:34 < mjkr> dazo: the client's a router in my house, while the server's a vps
04:35 <@dazo> put another router in front of it, which you can control fully
04:35 <@dazo> or reflash the firmware to something you can control
04:42 < mjkr> hmm, looks like the bandwidth can manage.
04:42 < mjkr>  but thanks for the advice, dazo
04:50 < mjkr> yeah, bandwidth goes up a lot.
05:03 -!- Denial [~Denial@host81-151-0-116.range81-151.btcentralplus.com] has quit [Ping timeout: 245 seconds]
05:04 -!- Denial [~Denial@host86-136-70-190.range86-136.btcentralplus.com] has joined #openvpn
05:29 -!- WhiteIntel [~quassel@80-121-102-15.adsl.highway.telekom.at] has joined #openvpn
05:29 < WhiteIntel> hello I have a problem with my ubuntu server client: when I try to connect I get this error: RTNETLINK answers: Network is unreachable
05:29 < WhiteIntel> Mon Oct 27 20:29:06 2014 ERROR: Linux route add command failed: external program exited with error status: 2
05:29 < WhiteIntel> what is wrong here?
05:38 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 245 seconds]
05:39 -!- swiftkey [swiftkey@unaffiliated/swiftkey] has quit [Ping timeout: 272 seconds]
05:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:52 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
06:02 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
06:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 265 seconds]
06:17 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:17 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
06:53 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
06:57 -!- nemosphere [~nemospher@LAubervilliers-656-01-157-206.w82-127.abo.wanadoo.fr] has joined #openvpn
06:58 < nemosphere> !welcome
06:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:01 -!- Daemoen [~quassel@2607:ff68:100:1e:20e:2eff:fee8:e5c5] has left #openvpn ["irc.exit(true);"]
07:02 -!- lorens [~lorenzo@213.27.241.114] has quit [Remote host closed the connection]
07:06 < nemosphere> hello. I would not disturb anyone or anything but i got a potential very little problem. I just reinstall an LTS ubuntu, from 12.10 to 14.04, and using the same IP, same firewall, and copied the vpn config files. I can't have no response from the web, but i think i receive DNS transactions when i ask an URL.
07:07 < nemosphere> actually i don't know how to look for the answer. I'm pretty sure it's a very little mistake
07:09 < WhiteIntel> hello I have a problem with my ubuntu server client: when I try to connect I get this error: RTNETLINK answers: Network is unreachable
07:09 < WhiteIntel> Mon Oct 27 20:29:06 2014 ERROR: Linux route add command failed: external program exited with error status: 2
07:09 < WhiteIntel> what is wrong here?
07:10 < nemosphere> !paste
07:10 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
07:11 < WhiteIntel> http://paste.ubuntu.com/8718643/
07:13 < nemosphere> !redirect
07:13 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:13 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
07:16 -!- Droolio [~drool@host86-162-40-230.range86-162.btcentralplus.com] has joined #openvpn
07:18 -!- gagou9 [~gagou9@srv1.durab.fr] has joined #openvpn
07:18 < gagou9> Hello!
07:19 < gagou9> I've been trying to disable SSLv3 on my openVPN instance, under debian wheezy, version from debian repository. I got a "no common cipher" error when trying to connect.
07:19 < gagou9> I couldn't find anything on the internet as everybody says "openVPN is not vulnerable to poodle" [...] "since version 2.2.3"
07:19 < gagou9> and of course, I have 2.2.1
07:20 < ValdikSS> gagou9: OpenVPN don't use SSL, only TLS
07:20 < gagou9> ValdikSS: only as of version 2.2.3 !
07:20 < gagou9> as far as I understand
07:20 < ValdikSS> gagou9: no. OpenVPN used TLS 1.0 and versions from 2.2.3 can use 1.1 and 1.2
07:21 < ValdikSS> !poodle
07:21 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
07:21 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
07:21 < gagou9> ValdikSS: hmm. goddit better... :)
07:22 < gagou9> !hardening
07:22 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
07:22 < gagou9> thanks ValdikSS, I couldn't be sure to trust all these websites...
07:26 -!- gagou9 [~gagou9@srv1.durab.fr] has left #openvpn ["caca boudin"]
07:27 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
07:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
07:40 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:45 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
07:53 -!- WhiteIntel [~quassel@80-121-102-15.adsl.highway.telekom.at] has quit [Read error: Connection reset by peer]
07:58 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has joined #openvpn
07:58 < d3m0n> I am having a bit of trouble confing my keys with openvpn, I've double checked to make sure my /etc/openvpn ca.crt is the same as my client ca.crt but my error log shows diffferent key details
08:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:02 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
08:05 < d3m0n> where is openvpn default path looking when editing client side config for cert ca.crt?
08:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
08:10 < nemosphere> d3m0n, i got /etc/openvpn/certs/ca.cert
08:10 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
08:11 < d3m0n> I am going crazy because I changed my certs and replaced them all but the error if giving me worng key details
08:12 < d3m0n> I just placed mine in /etc/openvpn
08:12 < d3m0n> as per the guide on ubuntu
08:12 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
08:20 -!- cerberus [nd@nullify.ca] has quit [Quit: ZNC - http://znc.in]
08:20 -!- cerberus [nd@nullify.ca] has joined #openvpn
08:24 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:25 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:26 < nemosphere> d3m0n, i think you have to follow what is defined in your client.conf file
08:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:27 < nemosphere> ca /etc/openvpn/certs/ca.crt
08:27 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-vmwfegfwawwdfpon] has left #openvpn ["WeeChat 0.4.2"]
08:27 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-vmwfegfwawwdfpon] has joined #openvpn
08:32 -!- nemosphere [~nemospher@LAubervilliers-656-01-157-206.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 256 seconds]
08:33 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has quit [Ping timeout: 258 seconds]
08:37 -!- Axeman [~axeman3@openvpn/user/axeman] has joined #openvpn
08:37 -!- mode/#openvpn [+v Axeman] by ChanServ
08:39 <+Axeman> so i'm looking to move off openvpn access server to the community - is there an easy way to do this ?
08:42 <+Axeman> and a follow-up - can any openvpn installation support ldap with the ldap auth plugin?
08:42 <+Axeman> i have an asus router with openvpn - would love to get that to handle ldap
08:48 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Ping timeout: 265 seconds]
08:53 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
09:05 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
09:08 -!- seba [~seba@2001:4d88:3503:c001:216:3eff:fe73:fab7] has joined #openvpn
09:17 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:17 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:18 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
09:19 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
09:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
09:31 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:37 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
09:38 <@dazo> Axeman: if the ldap plug-in is available (compiled for the proper distro and architecture), then use OpenVPN should be able to do LDAP auth
09:38 <@dazo> I've never used AS, so I don't know about any difficulties related to migrate to the community version
09:39 <@dazo> (one thing is that there are no admin UI for the community edition)
09:43 < mjkr> how resource-intensive is comp-lzo?
09:43 <@krzee> Axeman, ya i think you'll need help from AS support for that question, even though it sure sounds like this would be the right place, it would require us to actually know something about AS
09:43 < esde> !poodle
09:43 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
09:43 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:43 < esde> !hardening
09:43 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
09:44 <@krzee> mjkr, not very… but you may prefer snappy
09:45 < mjkr> thank you, krzee ... i will check it out.
09:57 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
10:00 -!- seba [~seba@2001:4d88:3503:c001:216:3eff:fe73:fab7] has quit [Excess Flood]
10:02 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
10:18 < esde> !help
10:18 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
10:18 < esde> Looking for link to official OpenVPN client for windows
10:21 < esde> Client i have now is 2.3.2 and it's not compatible
10:26 <@Eugene> !download
10:26 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
10:26 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
10:28 -!- Denial [~Denial@host86-136-70-190.range86-136.btcentralplus.com] has quit [Ping timeout: 265 seconds]
10:36 < esde> Thank you
10:45 -!- mjkr [jzhmer@gateway/shell/blinkenshell.org/x-vmwfegfwawwdfpon] has quit [Quit: WeeChat 0.4.2]
10:50 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:52 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
10:55 -!- cerberus [nd@nullify.ca] has quit [Remote host closed the connection]
10:57 < thesov> got an issue with openvpn server, it keeps assigning the same ip to all clients
10:58 < thesov> I have the suggested default of 10.8.0.0/24 i get 10.8.0.6 on my first connection, and the same thing for all other attempts to connect
10:59 -!- ej [~ej@cpc7-pool13-2-0-cust108.15-1.cable.virginm.net] has joined #openvpn
11:00 < ej> how can I make openvpn connect faster? It takes about 7 seconds I assume "testing route"s, can I disable that?
11:00 < thesov> pastebin of my server conf http://pastebin.com/duUeMtXH
11:11 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 272 seconds]
11:17 < esde> Any idea when OpenVPN will release a repo for Ubuntu 14.04 LTS (Trusty Tahr)? Especially since it is the "current" LTS and the OpenVPN version in the Ubuntu repos is 2.3.2....
11:20 < esde> Seems others have expressed similar concerns https://forums.openvpn.net/topic15997.html. Unfortunately, still no news from OpenVPN
11:27 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 244 seconds]
11:29 -!- pberis [~Thunderbi@rrcs-24-73-251-230.sw.biz.rr.com] has quit [Quit: pberis]
11:38 -!- dazo is now known as dazo_afk
11:57 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
11:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:02 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
12:02 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
12:25 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Connection reset by peer]
12:42 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:48 < thesov> can anyone help me with this duplicate ip problem?
12:49 <+Axeman> does the community edition allow multiple logins?
12:49 < thesov> why wouldnt it...?
12:49 <+Axeman> can i have jsut one login that all my devices share (and access simultaneously?)
12:50 <+Axeman> i am coming from the access server version
12:55 < thesov> ok i figured out the problem i had to add duplicate-cn to my server.
12:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
13:16 <+Axeman> what chnages to the server require a new conf file being issued?
13:39 < thesov> hmm port number changes
13:39 < thesov> and certificate
13:39 < thesov> also IP changes
13:39 -!- Axeman [~axeman3@openvpn/user/axeman] has quit [Ping timeout: 240 seconds]
13:48 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 265 seconds]
13:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:11 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
14:34 -!- u0m3 [~u0m3@109.96.132.219] has joined #openvpn
14:36 -!- u0m3__ [~u0m3@92.80.111.131] has quit [Ping timeout: 256 seconds]
14:41 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
14:41 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Max SendQ exceeded]
14:51 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has joined #openvpn
14:58 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
15:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
15:09 -!- Nothing4You [N4Y@Nothing4You.w.tf-w.tf] has quit [Quit: Gone...]
15:25 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:46 -!- mattock is now known as mattock_afk
15:48 -!- tmberg [tmberg@unaffiliated/tmberg] has joined #openvpn
16:12 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
16:13 < Pinchiukas> Why does bridging not scale well?
16:21 -!- Exagone313 [~exa@ewd.ovh] has quit [Quit: see ya!]
16:21 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
16:30 -!- eitzei [eitzei@kapsi.fi] has joined #openvpn
16:30 < eitzei> !welcome
16:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:32 -!- Exagone313 [~exa@ewd.ovh] has quit [Quit: see ya!]
16:33 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
16:37 -!- Exagone313 [~exa@ewd.ovh] has quit [Client Quit]
16:37 -!- xsamurai [~fahad@unaffiliated/xsamurai] has joined #openvpn
16:39 < eitzei> Hi, I would like to generate second client cert on already running openvpn server but now when I am trying to generate it with './build-key client2' I get message saying I should use 'source vars' and 'clean-all' commands. I am afraid to do that 'clean-all' because that would delete every key, so that doesn't sounds great. Can someone tell what I am doing wrong? Or should I really command that 'clean-all'
16:39 < eitzei> even I want only one more client cert, not to generate every key and cert from start
16:41 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
16:42 -!- khaldrogox [~anonymous@vpn.simplyhired.com] has joined #openvpn
16:51 < DArqueBishop> You need to run "source vars" or whatever the equivalent is, but NOT "clean-all".
16:52 < eitzei> Yeah, I have done that like 'pkitool' help says
16:53 < eitzei> Does it matter if openvpn is still running when generating those certs?
16:54 < pekster> Not at all. You can (and secure envnironments should) run manage your PKI on a separate system
16:56 -!- Uber-Ich [~lamphu@216.67.162.235] has joined #openvpn
17:03 < eitzei> Okey
17:10 -!- Uber-Ich [~lamphu@216.67.162.235] has quit [Quit: leaving]
17:11 -!- xsamurai [~fahad@unaffiliated/xsamurai] has left #openvpn []
17:13 -!- khaldrogox [~anonymous@vpn.simplyhired.com] has quit [Quit: khaldrogox]
17:15 -!- WhiteIntel [~quassel@93-82-159-85.adsl.highway.telekom.at] has joined #openvpn
17:15 < WhiteIntel> when there will be a repo for ubuntu 14.04?
17:16 <@plaisthos> openvpn is included in Ubuntu
17:17 < WhiteIntel> yes but the lates version is 2.3.2
17:17 <@plaisthos> just not the most current version but "just" 2.3.2
17:17 <@plaisthos> WhiteIntel: 2.3.2 should be good enough for most setups
17:17 < pekster> Unless you needed TLSv1.2 support, you probably don't need >=2.3.3
17:18 < WhiteIntel> yea I have some big troubles with my client under ubuntu, it sets wrong routes :\
17:18 -!- satdav [uid15780@firefox/community/satdav] has joined #openvpn
17:19 < satdav> Hello their is users kicking up due to you banned irccloud from here
17:19 < satdav> krzee: was it you who banned *!*@gateway/web/*
17:20 < satdav> if so why
17:20 <@plaisthos> WhiteIntel: yes that completely unrelated to the version
17:20 < pekster> There have been historical problems with webusers violating channel policy. There are IRC clients for every major platform, including clients that are free of charge and/or open-source
17:21 -!- occupant [~null@204.14.158.226] has quit [Remote host closed the connection]
17:22 < WhiteIntel> hmm it was my last thinking to solve this problem
17:23 < satdav> Pinchiukas: do you know why that was banned for
17:33 < pekster> Lots of stupid people that can't control themselves. Too many bad webusers ruined it for everyone. A number of channels on this network opt for that policy
17:34 < satdav> can we not of just of banned the irc client
17:34 < satdav> like kiwiirc
17:38 < eitzei> DArqueBishop: I solved my problem. Using sudo wasn't enough so when I tried loggeg as root everything worked just fine. So I guess quite typical user error .D
17:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:49 -!- khaldrogox [~anonymous@public-wireless.sc.svcolo.com] has joined #openvpn
18:08 < Pinchiukas> Can anyone tell me the difference between the certificate size/length (in bits) e.g. 1024bit, 2048bit and encryption that's often 128 or 256 bits?
18:12 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 256 seconds]
18:15 -!- khaldrogox [~anonymous@public-wireless.sc.svcolo.com] has quit [Quit: khaldrogox]
18:21 -!- khaldrogox [~anonymous@public-wireless.sc.svcolo.com] has joined #openvpn
18:22 < pekster> Pinchiukas: Different encryption schemes that require a different amount of bits for the same level of security protection. There's lots of literature on the topic. Google "asymmetric crypto" vs "symmetric crypto." keypairs (the key + certificate) is public key (asymmetric) and the data encryption is symmetric
18:23 < pekster> There's also an openvpn-focused security page at: !hardening
18:31 < Pinchiukas> I read about asymmetric encryption and have an idea about how it works. I'm just confused about the key/certificate/whatever lengths.
18:34 < pekster> !hardening
18:34 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
18:34 < pekster> 2048 is a good value. Use between 3072 and and 4096 if you're paranoid and have done everything else on that list first (as it's probably more worthwhile at that point.) More than 4096 is just a waste, and may break compat
18:35 < pekster> For symmetric, stick with AES or BF ciphers unless you know what you're doing and why
18:37 < pekster> Proper key/password management is generally far more important for all pracical purposes. It doesn't matter how strong the crypto is if you leave your laptop unlocked an unattended for a couple minutes when your attacker could just copy it off your OS
18:55 -!- khaldrogox [~anonymous@public-wireless.sc.svcolo.com] has quit [Quit: khaldrogox]
19:00 -!- WhiteIntel [~quassel@93-82-159-85.adsl.highway.telekom.at] has quit [Remote host closed the connection]
19:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
19:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:29 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:30 -!- linuxthefish [~ltf@unaffiliated/edmundf] has left #openvpn ["Leaving"]
19:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
19:34 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
19:39 -!- ej [~ej@cpc7-pool13-2-0-cust108.15-1.cable.virginm.net] has quit [Ping timeout: 258 seconds]
19:39 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
20:09 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:19 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
20:21 -!- pushpop [~marc@unaffiliated/pushpop] has joined #openvpn
20:22 < pushpop> is there a way to tunnel openvpn traffic through a very restrictive firewall that doesnt allow openvpn packs or http proxies?
20:22 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 244 seconds]
20:28 -!- justinzane [~justinzan@64.234.62.130] has quit [Ping timeout: 245 seconds]
20:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:49 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
20:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:55 <@krzee> pushpop,
20:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
20:55 <@krzee> !obfs
20:55 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
20:55 < pushpop> yo
20:55 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
20:56 < pushpop> no other solutions?
20:57 <@krzee> such as?
20:57 <@krzee> nothing really openvpn related… but you can pretty much tunnel over anything
20:58 <@krzee> for example, i've tunneled over icmp / dns before
20:58 <@krzee> if i had to worry about such things id go with obfsproxy
20:58 <@krzee> they exist because of your issue
20:59 <@krzee> namely government firewalls
20:59 <@krzee> like china
21:04 -!- ShadniX [dagger@p5DDFF2FD.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
21:29 -!- justinzane [~justinzan@host-69-59-81-91.nctv.com] has joined #openvpn
21:36 < pushpop> ok thanks
21:36 < pushpop> just don't like the fact I have to install a client
22:14 -!- pushpop [~marc@unaffiliated/pushpop] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
22:19 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
22:26 -!- ShadniX [dagger@p5DDFFFE0.dip0.t-ipconnect.de] has joined #openvpn
22:40 -!- satdav [uid15780@firefox/community/satdav] has quit [Quit: Connection closed for inactivity]
22:41 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
23:13 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 245 seconds]
23:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
23:17 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
23:21 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
23:34 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:36 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
23:45 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 265 seconds]
23:49 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
23:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:54 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
--- Day changed Wed Oct 29 2014
00:18 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
00:34 -!- ShadniX [dagger@p5DDFFFE0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:35 -!- ShadniX [dagger@p5DDFC5A9.dip0.t-ipconnect.de] has joined #openvpn
00:50 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
00:53 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
01:07 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
01:26 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has quit [Ping timeout: 244 seconds]
01:26 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has joined #openvpn
01:27 -!- mattock_afk is now known as mattock
02:30 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
02:34 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
02:34 < Fun> hi
02:35 < Fun> where do I place open vpn conf file
02:35 < Fun> the one I made
02:35 < Fun> ovpn
02:40 < Fun> ???
02:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
02:43 -!- Fun [~Fun@unaffiliated/fun] has left #openvpn []
02:44 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:56 -!- u0m3_ [~u0m3@92.80.112.149] has joined #openvpn
02:57 -!- mattock is now known as mattock_afk
02:58 -!- u0m3 [~u0m3@109.96.132.219] has quit [Ping timeout: 256 seconds]
03:11 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Excess Flood]
03:12 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
03:12 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
03:13 -!- mattock_afk is now known as mattock
03:40 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:52 -!- ej [~ej@cpc7-pool13-2-0-cust108.15-1.cable.virginm.net] has joined #openvpn
03:59 -!- BlackBishop [dexter@ipv6.d3xt3r01.tk] has quit [Ping timeout: 265 seconds]
04:28 -!- lorens [~lorenzo@213.27.241.114] has joined #openvpn
04:30 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
04:35 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:59 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:00 -!- DrCode_ [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:04 -!- mattock is now known as mattock_afk
05:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:27 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
05:37 -!- ej [~ej@cpc7-pool13-2-0-cust108.15-1.cable.virginm.net] has quit [Ping timeout: 244 seconds]
05:51 -!- dazo_afk is now known as dazo
05:55 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:56 -!- mattock_afk is now known as mattock
05:57 -!- TTimoNN [~undefined@tt.cloud.tilaa.com] has joined #openvpn
06:06 -!- TTimoNN [~undefined@tt.cloud.tilaa.com] has quit [Quit: Leaving]
06:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:29 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
06:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 256 seconds]
06:43 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:00 -!- lorens [~lorenzo@213.27.241.114] has quit [Remote host closed the connection]
07:01 -!- Droolio [~drool@host86-162-40-230.range86-162.btcentralplus.com] has quit [Ping timeout: 245 seconds]
07:20 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
07:44 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
07:58 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 260 seconds]
08:09 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
08:11 < _FBi> lol
08:13 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
08:18 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 244 seconds]
08:24 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
08:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Max SendQ exceeded]
08:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:28 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Max SendQ exceeded]
08:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:31 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
08:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Max SendQ exceeded]
08:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:32 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Max SendQ exceeded]
08:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
08:40 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:43 -!- Axeman [~axeman3@openvpn/user/axeman] has joined #openvpn
08:43 -!- mode/#openvpn [+v Axeman] by ChanServ
08:45 <+Axeman> I have openvpn access server running A-OK... can I use that same VM to run community?
08:46 <@krzee> like i think we already said, we have no idea
08:46 <@krzee> we dont know AS at all here
08:46 <@krzee> you need to ask the AS guys
08:46 <@krzee> they have a much better chance of knowing the community version than we have of knowing AS
08:46 <@krzee> !as
08:46 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
08:47 <+Axeman> i was asking about migrating yesterday... and spoke to the -as guys...they said screw migrating, just start from scratch
08:47 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has joined #openvpn
08:47 < MaxFrames> hello
08:48 <@krzee> Axeman, there you go
08:48 < MaxFrames> can you tell me the difference between the "for windows xp and above" and "for windows vista and above" builds in the community downloads?
08:48 < DArqueBishop> One supports XP, and one doesn't?
08:48 < DArqueBishop> </smartass>
08:48 < MaxFrames> I have windows 7, so I chose the latter and had issues with it; so I uninstalled it and installed the former, and the problems were gone
08:49 < DArqueBishop> I think the latter supports a newer TAP driver.
08:49 < MaxFrames> the problems being that I could connect to the remote vpn server (tap mode) but I could not actually get on the remote network
08:49 < MaxFrames> in addition, I couldn't disconnect the vpn connection, it stuck on "connected" no matter what
08:50 < MaxFrames> installed the xp and above version, all problems gone
08:50 < MaxFrames> so maybe it is the tap driver isn't it?
08:50 <+Axeman> krzee, tha's 1/2 way there. is there a vm image of community edition anywhere?
08:50 <@krzee> interesting, i dont use windows so i cant give much in the way of useful info, but i think its worth a trac ticket
08:50 <@krzee> !trac
08:50 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database.
08:50 <@krzee> MaxFrames, ^
08:50 < MaxFrames> still, I am surprised that the tap driver in the newer version doesn't work properly
08:51 <@krzee> Axeman, vm image of a single app?  no...
08:51 < MaxFrames> the remote server may also play a role, it's a stripped down openvpn daemon running in an embedded device (dsl router)
08:51 <+Axeman> lol no - but a nice bundled up vm with ubuntu say.
08:51 <@krzee> install ubuntu - install openvpn
08:51 <+Axeman> Or do i need to learn ubuntu?
08:51 <@krzee> o.O
08:52 <@krzee> hell YES you need to learn your os
08:52 < DArqueBishop> I want to say I had problems with the TAP driver in one of my systems before, but it's been a while since I've done a Windows install of OpenVPN so I couldn't say for certain.
08:52 <@krzee> if you choose ubuntu, you should know ubuntu.
08:52 <+Axeman> ubuntu server scares me :'(
08:52 <@krzee> !bestos
08:52 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with
08:52 < MaxFrames> am I right that the vista and above version is new? I think I always saw just two installers, x86 and x64 before
08:53 < MaxFrames> now there are four of them, I never noticed the vista> version before
08:53 < MaxFrames> and I always used the xp> version anyway before, never had a problem
08:53 <@krzee> MaxFrames, looks new to me. and the fact you're on win7 and had to use xp version might be useful to the devs to know
08:53 <@krzee> or it might not and they say "ya heres why" and close the ticket
08:54 <@krzee> but i say make the ticket, it cant hurt ;]
08:54 < MaxFrames> I'm a little reluctant because maybe it's the remote server's fault
08:54 < MaxFrames> but still, openvpn should be able to close gracefully, that stuck state sure is no good
08:54 <@krzee> maybe, still doesnt hurt to make the ticket
08:55 <@krzee> i would if i had the experience you're having.
08:55 <@krzee> feedback helps the devs, they cant possibly experience every issue
08:57 -!- krzee changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.5 (28 Oct 2014) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Vulninfo: !heartbleed & !poodle
09:01 <+Axeman> !welcome
09:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:01 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:02 <+Axeman> !howto
09:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:04 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:08 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
09:11 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:12 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
09:12 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
09:13 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
09:25 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has quit [Quit: When two people dream the same dream, it ceases to be an illusion. KVIrc KVIrc Equilibrium 4.2.0, revision: 6190, sources date: 20120701, built on: 2012-07-04 14:48:08 UTC 6190 http://www.kvirc.net]
09:30 <+Axeman> i have an SSL certificate i purchased for access server ... do i still need that for community edition ?
09:31 <@krzee> you should make your own
09:31 <@krzee> !pki
09:31 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
09:31 <@vpnHelper> signed specially as a server (see !servercert) or (#3) See !certman for various PKI management frontends
09:31 <@krzee> !forget pki
09:31 <@vpnHelper> Error: 3 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
09:31 <@krzee> !forget pki *
09:31 <@vpnHelper> Joo got it.
09:31 <@krzee> !learn pki as Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert)
09:31 <@vpnHelper> Joo got it.
09:32 <@krzee> !certman
09:32 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
09:32 <@krzee> !learn pki as See !certman for various PKI management frontends
09:32 <@vpnHelper> Joo got it.
09:32 <@krzee> Axeman, now that you wont be using a browser, not only is there no point to a purchased ca, but its actually not as good
09:33 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:33 <@krzee> Axeman, this is because your ca will sign every single cert, there is absolutely no reason to be signed by a third party, and if not careful enough you end up with them able to sign certs to join your vpn
09:34 <@krzee> browsers have to ship with a list of trusted CA, in openvpn you will be your own CA and only trust yourself. clients will have a ca.crt to check the server cert and server will have ca.crt to check the client certs.
09:37 <+Axeman> thanks krzee
09:37 <+Axeman> if you couldn't tell already - i am not very smart
09:42 -!- thesov [~TheSov4@8.40.0.2] has quit [Quit: Leaving]
09:42 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
09:46 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Quit: WeeChat 0.4.3]
09:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
10:03 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:10 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
10:13 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
10:19 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
10:22 -!- Pyrogerg [~Gregory@71-222-182-32.albq.qwest.net] has joined #openvpn
10:22 -!- Pyrogerg [~Gregory@71-222-182-32.albq.qwest.net] has quit [Max SendQ exceeded]
10:23 -!- Pyrogerg [~Gregory@71-222-182-32.albq.qwest.net] has joined #openvpn
10:23 -!- Pyrogerg [~Gregory@71-222-182-32.albq.qwest.net] has quit [Max SendQ exceeded]
10:24 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:37 -!- Pyrogerg [~Gregory@71-222-182-32.albq.qwest.net] has joined #openvpn
10:42 -!- Pyrogerg [~Gregory@71-222-182-32.albq.qwest.net] has quit [Ping timeout: 245 seconds]
10:47 -!- khaldrogox [~anonymous@75-54-228-226.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
10:47 -!- khaldrogox [~anonymous@75-54-228-226.lightspeed.sntcca.sbcglobal.net] has quit [Client Quit]
10:54 <+Axeman> doh - i opted for encrypted volume and realized if i ever need to remote reboot the server, i'll be locked out
11:04 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:05 <@krzee> ipkvm
11:07 <+Axeman> don't have - but still - everything would be behind FW... so if i'm out of town and fire off a remove reboot. don't do it... Or keep the access server around - connect to tthat, reboot ubuntu, and reconnect.
11:07 <+Axeman> i just redid and took out encryption
11:11 <+Axeman> okay noob time
11:11 <+Axeman> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
11:11 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
11:11 <+Axeman> $ wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
11:11 <+Axeman> gives me an error
11:11 <+Axeman> Cannot write to â-â (Success).
11:12 <+Axeman> i tried sudo wget ...
11:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:26 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:31 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
11:33 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
11:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
11:45 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
11:52 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
12:26 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Remote host closed the connection]
12:28 -!- justinzane [~justinzan@host-69-59-81-91.nctv.com] has quit [Ping timeout: 272 seconds]
12:30 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:32 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
12:33 -!- xyo [~xyo@195-154-71-233.rev.poneytelecom.eu] has quit [Quit: bye...]
12:35 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
12:41 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
12:42 -!- justinzane [~justinzan@24.49.184.133] has joined #openvpn
12:44 < esde> Any idea when OpenVPN will release a repo for Ubuntu 14.04 LTS (Trusty Tahr)? Especially since it is the "current" LTS and the OpenVPN version in the Ubuntu repos is 2.3.2....
12:44 < esde> Seems others have expressed similar concerns https://forums.openvpn.net/topic15997.html. Unfortunately, still no news from OpenVPN
12:44 -!- satdav [uid15780@firefox/community/satdav] has joined #openvpn
12:55 -!- justinzane [~justinzan@24.49.184.133] has quit []
12:56 <+Axeman> got past that - now i'm getting this: E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
12:56 <+Axeman> E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
12:59 <+Axeman> nvm added a sudo afer the && and it workd
13:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
13:00 < pekster> Axeman: yea, don't run `wget` as root. That's as silly as running firefox as root
13:01 <+Axeman> damn - all this - i feel like just spending the blasted $500 and stickign with commercial version for 5 years
13:01 < pekster> esde: there's no real reason to run >2.3.2, so many distros that value "stable, previously tested" versions won't bump for every one right away
13:02 < pekster> The packages are really just for Windows and distros (and old versions) that have many _year_ old releases, not just ones outdate by a few months with mostly unimportant changes
13:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:36 <@dazo> esde: OpenVPN doesn't necessarily release production version for distros.  You need to ask the package maintaner in Ubuntu for that
13:36 <+Axeman> error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
13:36 <+Axeman> 139779246384800:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198
13:37 <+Axeman> when i go ./build-ca
13:37 <+Axeman> ubuntu 14.04
13:37 <@dazo> grab easy-rsa3 instead
13:37 <@dazo> but it most likely means you've not read the documentation properly
13:38 <+Axeman> me?
13:38 <@dazo> yeah
13:38 <+Axeman> i'm following this: https://help.ubuntu.com/14.04/serverguide/openvpn.html
13:38 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
13:39 <@dazo> !howto
13:39 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:39 <@dazo> that's the official openvpn guides
13:39 <@dazo> the majority of the non-official guides are mostly wrong
13:40 <+Axeman> ooh
13:40 <@dazo> easy-rsa is covered here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
13:40 <@vpnHelper> Title: HOWTO (at openvpn.net)
13:40 <+Axeman> i thought the ubunutu one, being official form them was the right way to go
13:41 <@dazo> distro guides usually are better, but it's not been verified by anyone outside the openvpn community (we simply can't keep an overview of all those guides, there's too many of them)
13:43 <+Axeman> yeah that sorta makes sense
13:43 <+Axeman> the reason i went with the ubuntu guid was it seemed cleaner - no splitting between "if you are on mac, do this, windows, do that."
13:44 <@dazo> we should probably improve the howto ... it really needs that ... but, nobody have had time to improve it
13:44 <@dazo> Feel free to help out ;-)
13:45 <+Axeman> dude - im so blind - i'm walking face first into brick walls
13:46 <@dazo> one big security error on the Ubuntu guide ... it makes you create the CA on your server ... the CA should ideally be stored only on an offline medium and definitely not on a production server
13:49 <+Axeman> ooh man
13:49 <+Axeman> lol i know those words.
13:50 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 265 seconds]
13:51 <+Axeman> im' a windows guy i'm tihnking i should just scrap doing this in ubuntu and do it on a windows vm
13:51 <+Axeman> i can't even follow something simple like this: For PKI management, we will use easy-rsa, a set of scripts which is bundled with OpenVPN 2.2.x and earlier. If you're using OpenVPN 2.3.x, you need to download easy-rsa separately from here.
13:52 <@dazo> Or you could learn how to do things properly in Linux ....
13:52 <@dazo> wget $URL
13:53 <@dazo> that's how to download things from the command line
13:53 <@dazo> my motto is: What is not possible to do from the command line is not worth doing.
13:54 <@dazo> (of course, that excluded earlier Windows versions quite a lot - as most of it was GUI operations.  But powershell and better command line tools have arrvied windows too)
14:02 <+Axeman> lol dazo  i'm not normally afraid of command line
14:02 <+Axeman> but man this has been trying my patience.
14:02 <@dazo> learning new things usually have that effect ;-)
14:03 <+Axeman> especially when i'm stressed out at work - and trying to get this done before going on vacation.
14:03 <+Axeman> you know - so i can get my pr0n, remotely
14:03 <@dazo> bad combination
14:04 <+Axeman> this isn't FOR work - it's just personal
14:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:15 <+Axeman> wget https://github.com/OpenVPN/easy-rsa/blob/master/build/build-dist.sh
14:15 <+Axeman> ?
14:15 <@vpnHelper> Title: easy-rsa/build-dist.sh at master · OpenVPN/easy-rsa · GitHub (at github.com)
14:20 -!- Uber-Ich [~lamphu@216.67.162.235] has joined #openvpn
14:20 <@dazo> Axeman: that's a way to download a particular file, yes
14:20 <@dazo> but you'll probably download the HTML file here
14:21 <@dazo> I'd probably recommend you do install git ... and do: git clone git://github.com/OpenVPN/easy-rsa.git
14:34 < esde> I'm referring specifically to this https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos "(Sorry, no trusty (Ubuntu 14.04) packages available yet. Check back later after builds have been prepared.) "
14:34 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
14:34 < esde> It's been about six months now
14:35 <@dazo> nobody have had time to prepare a build box for it, or have provided one to the community
14:35 < esde> To the tarball!
14:36 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
14:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:47 <+Axeman> lol
14:47 <+Axeman> he said install git
14:53 <+Axeman> dazo, sudo apt-get install git?
14:54 <@dazo> yeah
14:54 <+Axeman> yeah! fuck yeah!
14:54 <@dazo> I'm no Ubuntu/debian user ... but afair, that's the right syntax
14:55 <+Axeman> how does one DELETE? a dir i just tried rm aand it bitches about being a dir
14:55 <+Axeman> rd ?
14:55 <+Axeman> f it - getting MC
14:56 <+Axeman> done - apt-get install mc
14:56 <+Axeman> ooh yeah
14:56 <+Axeman> who's the man?!
14:57 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
14:57 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
14:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:58 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
14:59 < esde> Axeman, rm -rf foo/ will forcefully and recursively remove the target dir
15:00 <+Axeman> thanks esde i just ended up installing MC and doing it that way
15:00 <+Axeman> i'm a gui kinda guy
15:00 <+Axeman> lol
15:04 <@dazo> Axeman: 'man' is a useful command .... 'man rm' .... 'man openvpn'
15:05 < pekster> Axeman: Are you just trying to install easyrsa? The tarballs (or .zip if you're on Windows) come as a ready-to-use implementation
15:05 < pekster> You'd need git if you wanted to work on development, or run a later-than-published release version
15:06 <@dazo> we're educating a coming star, pekster! ;-)
15:07 < pekster> esde: Right, and that info was probably from before Debian (finally) built a 2.3.x release for 14.x OS release lines. 2.2.x is somewhat dated now, but any 2.3.x that doesn't have open security issues should be fine
15:08 < pekster> Is there a particular feature you're trying to implement that isn't in 2.3.2? You might open a bugreport with the distro, although building openvpn from source on Linux is quite easy
15:09 <@dazo> I know agi (the Debian maintainer) is pondering on a new release for Jessie these days ... but he's pretty good at backporting needed patches
15:10 <@dazo> but I have no idea if Ubuntu packagers screw that up
15:11 < pekster> About the only thing 2.3.2 isn't good enough for is when your peer _requires_ TLSv1.2 ciphers, and you have to have actively chosen to deny older TLSv1.0-friendly ciphers in order to break <2.3.3
15:11 < esde> That's it TLS ciphers
15:12 < pekster> So either add a TLSv1.0 cipher to your list and allow that version, or demand that all your Debian users compile their own version
15:12 < pekster> Or wait until such a package exists ;)
15:13 <@dazo> pekster: iirc, Ubuntu have modified openssl to disable TLS 1.2 ... is it didn't work well some places
15:14 < pekster> Not in my ubuntu 14.04 they haven't
15:14 < esde> I'm thinking of rolling it myself when I get home, just wanted to check the easier methods of installing the newer version before
15:14 < pekster> `openssl ciphers -V 'TLSv1.2'` works just nicely here
15:14 <@dazo> pekster: somebody pointed me at this one: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576/
15:14 <@vpnHelper> Title: Bug #1256576 “Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0...” : Bugs : “openssl” package : Ubuntu (at bugs.launchpad.net)
15:15 <@dazo> comment #4 is just wonderful
15:15 < pekster> Ah, I don't have any 12.04 systems around. Maybe an older buildsystem that broke with "too new" libtool or something, but meh
15:16 <@dazo> ahh, okay ... I realise now that 12.04 is an older version
15:17 < pekster> esde: I don't deal with debian packaging, but compiling if you don't mind installing to /usr/local (or wherever) is really as easy as installing deps (apt-get install build-essential libpam0g-dev liblzo2-dev) and then doing the usual ./configure && make install
15:17 < pekster> Compile takes around 3 minutes or less
15:17 <@dazo> +1
15:17 <+Axeman> man - insteresting
15:17 <@dazo> and the only thing you need from the build tool is src/openvpn/openvpn (the core binary)
15:18 < esde> Great, thank you for the help!
15:18 <@dazo> Axeman: man crash course ... type / ... and then something you want to search for then hit ENTER ... then you can press [n] for next and [p] to go back to the top
15:19 <@dazo> (man is a must to know on *nix platforms)
15:20 < pekster> https://xkcd.com/912/
15:20 <@vpnHelper> Title: xkcd: Manual Override (at xkcd.com)
15:20 <@dazo> lol
15:21 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:22 <+Axeman> lol coming star my ass dazo
15:22 <+Axeman> i'm sorry but this will be a set it and forget it
15:22 <@dazo> *that* is your loss ;-)
15:23 <+Axeman> lol
15:23 <+Axeman> ain't no body got time fo dat!!
15:24 -!- satdav [uid15780@firefox/community/satdav] has quit [Quit: Connection closed for inactivity]
15:24 <+Axeman> i'm so lost rightnow.
15:25 <+Axeman> so now i nano the conf file?
15:25 <@dazo> nano is a simple text editor
15:26 <@dazo> the conf file can be located wherever, but it's common and usually clever to put it in /etc/openvpn/
15:33 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
15:34 <+Axeman> yeah - before, i nano'd then i got that error - and now i have the new easy-rsa. let's try try again
15:34 <+Axeman> if you HEAR me screaming, it means i gave up
15:34 <+Axeman> /etc/openvpn/easy-rsa/vars ?
15:34 < pekster> If you haven't seen it, there's a walkthough for openvpn you can nearly copy & paste your way through:
15:34 < pekster> !easyrsa
15:34 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
15:35 < pekster> 3.x has a walkthough on that wiki link (#4) or the linked "howto" page for 2.x
15:35 -!- dazo is now known as dazo_afk
15:35 <+Axeman> let me try that
15:36 <+Axeman> man i've gone down so many rabbit holes today, i should probably just revert this vm and start from scratch
15:39 < esde> Axeman, if you're trying to get server setup so you can connect to it and browse "through" the server, I could offer an "easy setup script". It's default security configuration leaves a lot to be desired, but adding security would be optional. I found it one day and it's been my "testing" script, if i can get server up on a system with the script, I nuke it and do it manually :D
15:39 < esde> http://www.putdispenserhere.com/easy-openvpn-setup-script-for-debian-based-openvz-vps/ if you're interested
15:39 <@vpnHelper> Title: Easy OpenVPN Setup Script for Debian Based OpenVZ VPS | Put Dispenser Here (at www.putdispenserhere.com)
15:39 <+Axeman> that sounds good. let me try that.
15:40 <+Axeman> i am tempted to do this: http://www.turnkeylinux.org/openvpn
15:40 <@vpnHelper> Title: OpenVPN - Open Source VPN solution | TurnKey GNU/Linux (at www.turnkeylinux.org)
15:47 < esde> Axeman, mind a pm?
15:50 <+Axeman> surely
15:52 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
15:53 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:00 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 240 seconds]
16:01 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:05 -!- Axeman [~axeman3@openvpn/user/axeman] has quit [Ping timeout: 255 seconds]
16:22 -!- mattock is now known as mattock_afk
16:27 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
16:28 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
16:39 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
16:50 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
16:50 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
16:54 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 240 seconds]
16:58 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:08 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:18 -!- Uber-Ich [~lamphu@216.67.162.235] has quit [Quit: leaving]
17:34 -!- satdav [uid15780@firefox/community/satdav] has joined #openvpn
17:40 -!- marklite is now known as markelite
17:42 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:52 < esde> also depends on libssl-dev
18:24 < dvl> Sitting at the girlfriends place, VPN'd to home.  Thanks #OpenVPN.
18:24 < dvl> And yes, yes I can access my TiVo from there...
18:25 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
18:39 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:44 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 272 seconds]
18:49 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:53 < satdav> Is their not a quick install for openvpn
18:54 < satdav> Also were is the android code and beta of it
18:59 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
19:10 < dvl> satdav: Not sure why you say where, when I found it in Google Play via a Google search...
19:12 < satdav> Dvl is that not the stable build
19:13 < dvl> satdav: I have no idea.
19:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:33 -!- mode/#openvpn [+v s7r] by ChanServ
19:43 <@Eugene> !howto
19:43 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:53 -!- Riviera_ [Riviera@2a03:b0c0:1:d0::10:b001] has joined #openvpn
19:54 < Riviera_> !welcome
19:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:54 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
19:54 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
19:57 < Riviera_> The bot can only be queried in the channel? :)
19:58 <@Eugene> !factoids
19:58 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
19:59 < Riviera_> Thanks Eugene! :)
20:05 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
20:05 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 250 seconds]
20:06 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
20:07 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
20:08 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 260 seconds]
20:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
20:09 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
20:09 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 244 seconds]
20:10 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
20:11 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 240 seconds]
20:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:17 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
20:23 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
20:25 -!- arkie [~arkie@unaffiliated/arkie] has quit [Client Quit]
20:26 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
20:28 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
20:39 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:43 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
20:55 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:55 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
21:08 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
21:20 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
21:24 -!- satdav [uid15780@firefox/community/satdav] has quit [Quit: Connection closed for inactivity]
22:20 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
22:21 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
22:29 -!- xyo [~xyo@192.52.166.122] has joined #openvpn
22:50 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:56 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
23:14 <@krzee> also:
23:14 <@krzee> !msg
23:14 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs or (#3) you can also just see !factoids for a link to the full list of what the bot knows
23:16 <@krzee> sif satdev comes back he can get the source at !android
23:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
23:58 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
--- Day changed Thu Oct 30 2014
00:04 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
00:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
00:32 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 256 seconds]
00:34 -!- ShadniX [dagger@p5DDFC5A9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:35 -!- ShadniX [dagger@p5DDFC3EC.dip0.t-ipconnect.de] has joined #openvpn
00:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:36 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
02:25 -!- mattock_afk is now known as mattock
03:08 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has quit [Ping timeout: 244 seconds]
03:13 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
03:20 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:28 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:29 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:32 -!- idl0r [~idl0r@gentoo/developer/idl0r] has joined #openvpn
04:32 < idl0r> hey guys
04:32 < idl0r> i do have a p2p VPN so server and only one client
04:32 < idl0r> in a jai...
04:32 < idl0r> *jail
04:33 < idl0r> the server always dies when the client disconnects because it tries to remove it's ip
04:33 < idl0r> Thu Oct 30 09:24:44 2014 /bin/ip addr del dev tun2 local 10.15.1.1 peer 10.15.1.2
04:33 < idl0r> Thu Oct 30 09:24:44 2014 Linux ip addr del failed: could not execute external program
04:33 < idl0r> can i somehow set it to /dev/null so disable that?
04:33 < idl0r> i don't think it necessary to do that
04:33 < idl0r> so deleting that address
04:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:56 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:04 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:34 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:42 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
05:42 < hyper_ch> hi there, is there a way I can run a script when I stop openvpn?
05:45 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
05:45 < Riviera_> hyper_ch: With openvpn --down maybe?
05:45 < hyper_ch> or I just edit the init script and amend the stop section
05:46 < hyper_ch> but trying to find out about --down
05:46 < hyper_ch> actually, I could use both... running scripts at start and at stop
05:47 < Riviera_> --up :)
05:49 < hyper_ch> service openvpn stop
05:49 < hyper_ch> how could I use the --down there
05:50 < hyper_ch> or can I add the down part in the vpn.conf ?
05:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:51 < Riviera_> Well, the --down would have to be given when the process was started, not only with a stop action of something like an init script.
05:51 < Riviera_> And sure this can be added to the config file.
05:52 < hyper_ch> but I read you can add the the   "--down" to the config file... so if I add this to the config file then it should execute that command when I run    service openvpn stop?
05:52 < Riviera_> yup
05:52 < hyper_ch> awesome :)
05:56 < hyper_ch> one more thing, openvpn runs as user openvpn... yet the command I need to run on stop must be run by root.... so will that work?
06:06 < hyper_ch> ok, it runs the up/down before uid change... that sounds good....   the example in the man page is like htis:     openvpn --dev tun --port 9999 --verb 4 --ping-restart 10 --up 'echo up' --down 'echo down' --persist-tun --up-restart   --> so in the config I could just do:     down 'some command; some other command; and a third command'?
06:10 < Riviera_> hyper_ch: well depends
06:11 < Riviera_> hyper_ch: --up .. will run before uid change, --down .. won't
06:12 < hyper_ch> so --down won't be run also as root
06:12 < Riviera_> hyper_ch: From the manpage:
06:12 < Riviera_> hyper_ch: About --up:  "Shell command to run after successful TUN/TAP device open (pre --user UID change)."
06:12 < Riviera_> hyper_ch: On --down:  "Note that if you reduce privileges by using --user and/or --group, your --down script will also run at reduced privilege."
06:13 < hyper_ch> so the obvious solution is to not reduce privileges.... what could possibly go wrong
06:14 < Riviera_> 8)
06:14 < Riviera_> hyper_ch: there is this:
06:15 < hyper_ch> well, the chinese factories built in backdoors anyway in my chips... why even bother with a secure system ;)
06:16 < Riviera_> hyper_ch: https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15
06:16 <@vpnHelper> Title: README in plugin/down-root – OpenVPN Community (at community.openvpn.net)
06:17 < hyper_ch> This module will only work on *nix systems, not Windows.
06:17 < hyper_ch> *nix rocks :)
06:18 < Riviera_> Ah, "service openvpn stop" sounded like Linux. :)
06:19 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
06:19 < Wulf> Hi
06:19 < Wulf> I set "auth-user-pass-verify /etc/openvpn/users-auth via-env" and the script gets called. But there is no `password' environment variable. What am I doing wrong?
06:21 < hyper_ch> Riviera_: so basicall I just get that down-root.c file, compile it and load it?
06:23 < hyper_ch> even better, ubuntu already provides it:
06:23 < hyper_ch>  apt-file search down-root
06:23 < hyper_ch> openvpn: /usr/lib/openvpn/openvpn-plugin-down-root.so
06:23 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:24 < Riviera_> ah cool
06:24 < Riviera_> (sorry, not constantly checking this window:)
06:24 < hyper_ch> Riviera_: no worries, I do the same... keep drifting between channels and stuff
06:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
06:30 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
07:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:21 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
07:30 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:31 < hyper_ch> Riviera_: halp :(
07:31 < hyper_ch> plugin /usr/lib/openvpn/openvpn-plugin-down-root.so "umount -f /mnt/SomeFolder"
07:31 < hyper_ch> Thu Oct 30 13:30:53 2014 us=941007 PLUGIN_INIT: could not load plugin shared object openvpn-plugin-down-root.so: openvpn-plugin-down-root.so: cannot open shared object file: No such file or directory
07:31 < hyper_ch> Thu Oct 30 13:30:53 2014 us=941176 Exiting due to fatal error
07:32 < hyper_ch> but the plugin is there
07:38 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
07:41 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:42 < Riviera_> hyper_ch: Hm.
07:42 < Riviera_> hyper_ch: I don't know. :/  Two things that come to mind:
07:43 < Riviera_> hyper_ch: It should be easy enough to trace the process with strace, finding files that it tries to open but can't,
07:43 < Riviera_> hyper_ch: I doubt that this is the case, but maybe worth a try:  Maybe it tries to find the file with the name "umount -f /mnt/SomeFolder", not just "umount".
07:44 < Riviera_> hyper_ch: Removing the quotes or putting that in a script, starting the script instead, or executing something else (for testing) should show if that's the case.
07:49 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
07:55 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 265 seconds]
07:56 -!- abbe [having@badti.me] has quit [Ping timeout: 265 seconds]
07:56 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
07:56 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
07:57 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
07:57 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:57 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
07:57 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
07:57 -!- abbe [having@badti.me] has joined #openvpn
07:58 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
08:03 < hyper_ch> Riviera_: doesn't it rather sound like it has problems with finding the openvpn-plugin-root.so file?
08:05 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 245 seconds]
08:06 < Riviera_> hyper_ch: Maybe, but not necessarily.
08:07 < Riviera_> hyper_ch: Maybe the file itself can't be found (running openvpn in a chroot perhaps?), maybe some other dynamic object file that openvpn-plugin-down-root.so depends on couldn't be found, or maybe the program that you want to run can't be, I don't know, strace would tell you.
08:07 < Riviera_> or, should, that is. :)
08:11 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
08:13 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has joined #openvpn
08:15 < ahklerner> hello, if i run openvpn on port 443, are packet sniffers able to tell that i am making an outbound openvpn connection?
08:16 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:16 < ahklerner> like openvpn is running at my house on 443 i connect from somewhere else that has strict filtering rules on the firewall
08:17 < hyper_ch> Riviera_: no chroot, aboslute path given
08:17 < ahklerner> would they be able to determine that i am connecting to an openvpn server
08:20 -!- Axeman [~axeman3@openvpn/user/axeman] has joined #openvpn
08:20 -!- mode/#openvpn [+v Axeman] by ChanServ
08:21 < ahklerner> !poodle
08:21 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
08:25 -!- Axeman [~axeman3@openvpn/user/axeman] has quit [Ping timeout: 240 seconds]
08:26 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 260 seconds]
08:33 -!- Axeman2 [~axeman3@openvpn/user/axeman] has joined #openvpn
08:33 -!- mode/#openvpn [+v Axeman2] by ChanServ
08:49 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has quit [Quit: Leaving.]
08:50 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has joined #openvpn
08:50 -!- ahklerner [~ahklerner@unaffiliated/ahklerner] has left #openvpn []
08:51 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
09:04 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:12 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
09:44 < hyper_ch> Riviera_: seems there is a path ittues.... with "echo stop" upon restarting there was no issue... only on shut down
09:49 < Riviera_> i sadly can't test at the moment :/
09:52 < hyper_ch> Riviera_: plugin /usr/lib/openvpn/openvpn-plugin-down-root.so 'umount -f /mnt/MNT-Point'   --> this works
09:53 < Riviera_> well cool then :)
09:53 < Riviera_> because of the different mount point or because of '..' instead of ".."?
09:54 < hyper_ch> because of single quotes
09:54 < hyper_ch> but the docs have double quotes
09:55 < hyper_ch> https://github.com/OpenVPN/openvpn/blob/master/src/plugins/down-root/README.down-root
09:55 <@vpnHelper> Title: openvpn/README.down-root at master · OpenVPN/openvpn · GitHub (at github.com)
09:55 -!- fling [~fling@fsf/member/fling] has joined #openvpn
09:56 < hyper_ch> and you need full path to the .so file if it's not in the include path already or same folder
09:56 < Riviera_> Hm, true, but those I anyway found a bit confusing, because all other docs (not that I checked many) don't use quotation marks at all, and "" are actually interpreted by openvpn, it's iirc part of the configuration file format,
09:56 < hyper_ch> I wonder how to best update the documentation
09:56 < Riviera_> so i don't really know what happens with the single quotes.
09:57 < hyper_ch> with quotes it should take it just as one argument
09:57 < Riviera_> interesting a bit, but too busy to investigate
09:57 < hyper_ch> but there shouldn't be a difference betetween the single and double quotes
09:59 < hyper_ch> if krzee would be here... he could help... :)
10:00 < Riviera_> Try intene staring. :)
10:00 < Riviera_> intense*
10:00 < hyper_ch> isn't he immune to such attacks?
10:01 < Riviera_> Sure, but your time passes by. 8)
10:02 < hyper_ch> well, seems I've finally tricked that 180-second-non-responsive-timeout-during-shutdown
10:02 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
10:08 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has joined #openvpn
10:11 -!- fa7ad [~fa7ad@103.242.219.242] has joined #openvpn
10:12 < fa7ad> how do i set up openvpn + ajenti?
10:14 -!- fa7ad [~fa7ad@103.242.219.242] has left #openvpn ["Leaving"]
10:16 < hyper_ch> what's ajenti?
10:16 < hyper_ch> too late :(
10:19 < Riviera_> google says it's a webserver administration tool, and that it does have some support for openvpn.
10:21 < hyper_ch> google speaks to you? oO
10:31 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
10:32 < bluenemo> hi guys. I'm trying to setup a tun vpn, and keep failing on this problem on the client:  UDPv4 link local (bound): [undef]  my config and output: http://paste.debian.net/hidden/d1cc0254/
10:34 < bluenemo> I disabled the firewall on both sides. when I start the client, the server wil not log anything :(
10:35 < hyper_ch> Thu Oct 30 16:30:20 2014 us=357111 Local Options hash (VER=V4): '41690919'
10:35 < hyper_ch> Thu Oct 30 16:30:20 2014 us=357116 Expected Remote Options hash (VER=V4): '530fdded'
10:35 < hyper_ch> using same openvpn version and correct keys?
10:37 < bluenemo> i'll check the keys again, version is correct
10:38 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has left #openvpn ["Leaving"]
10:39 < hyper_ch> https://forums.openvpn.net/topic10051.html
10:39 <@vpnHelper> Title: OpenVPN Support Forum Cannot Connect--frustrating : Server Administration (at forums.openvpn.net)
10:39 < hyper_ch> sounds like it's a cert issue
10:42 -!- dx486 [~dx486@unaffiliated/dx486] has quit [Ping timeout: 272 seconds]
10:44 < bluenemo> hyper_ch, just checked the certs, everything is ok there. what i absolutely dont get is that the server is not logging anything when the client starts (server is log_level 5)
10:44 < bluenemo> sry verb 5
10:44 < hyper_ch> did you specify a log file?
10:45 < bluenemo> yes
10:46 < hyper_ch> if it doesn't log, you did something wrong
10:46 < hyper_ch> it's as simple as taht
10:46 < bluenemo> it shows when i restart it
10:47 < bluenemo> it just does not show when I restart the client (on the server) :)
10:49 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has quit [Ping timeout: 272 seconds]
10:49 < hyper_ch> then the client doesn't seem to reach that server
10:50 < bluenemo> it can ping it. firewall on both is also disabled
10:51 < bluenemo> uah found my error m( so stupid.. typo..
10:51 < bluenemo> thank you for your help hydrajump
10:52 < bluenemo> sry, hyper_ch
10:52 < hyper_ch> ain't I awesome? :)
10:57 < hydrajump> haha
11:02 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
11:26 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
11:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Write error: Connection reset by peer]
11:26 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Write error: Connection reset by peer]
11:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Write error: Connection reset by peer]
11:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:27 < hyper_ch> Riviera_: it worked :)
11:27 < hyper_ch> but still, there's one more issue
11:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:28 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:30 < Riviera_> hyper_ch: ah :)
11:30 < Riviera_> hyper_ch: what'd that be? :)
11:30 < hyper_ch> Riviera_: there's someone pretending to be you in #bash and #curl  :)
11:30 < Riviera_> hyper_ch: yeah well ... :)
11:30 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
11:30 < hyper_ch> well, the probelm is, that linux/kde still has issues with that non-accessible-mount
11:31 < hyper_ch> e.g. if a mount becomes non-responsive, there's a 180 s timeout delay
11:31 < hyper_ch> during which dolphin doesn't work
11:31 < hyper_ch> kde tool bar
11:31 < Riviera_> oh phew, that's nothing i know anything about :/
11:31 < hyper_ch> kde in general etc....
11:31 < hyper_ch> and the same thing during shutdown... because openvpn gets closed before the directy umounted...
11:31 < hyper_ch> hence I have a workaround for shut down
11:31 < hyper_ch> 3minutes is awefully long on ssd ;)
11:32 < hyper_ch> I mean it takes longer to type in my luks password than to actually boot up the rest of the system...
11:36 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: leaving]
11:43 -!- Axeman2 [~axeman3@openvpn/user/axeman] has quit [Quit: Sorry Gotta Run!]
11:45 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
11:46 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Read error: Connection reset by peer]
11:51 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:57 -!- esde is now known as utile
11:57 -!- utile is now known as esde
11:57 -!- esde is now known as utile
11:58 -!- utile is now known as esde
12:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds]
12:10 < pekster> hyper_ch: Nothing really to do with openvpn on your NFS delay: perhaps read about the 'soft' and 'timeo' options in nfs(5)
12:12 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
12:17 < hyper_ch> nfs? using cifs
12:17 < hyper_ch> the problem is not being unable to access the share
12:17 < hyper_ch> the problem is that everything else stalls
12:21 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
12:21 < pekster> Then you either have misconfigured your clients for your desired timeouts, or else there's a bug in your applications or your distro's initsystem
12:22 < hyper_ch> using system defaults
12:22 < pekster> This changes nothing
12:22 < hyper_ch> pekster: https://forum.kde.org/viewtopic.php?f=67&t=95323
12:22 <@vpnHelper> Title: Plasma-desktop freezes on loss of network drive KDE Community Forums (at forum.kde.org)
12:23 < hyper_ch> https://bugs.kde.org/show_bug.cgi?id=184062
12:23 <@vpnHelper> Title: Bug 184062 Places model (e.g. Kickoff) hangs when network/hotplug device not available (at bugs.kde.org)
12:24 < pekster> So go work with the KDE team to get what's an evidently their flaw resolved?
12:24 < hyper_ch> it's been reported since 2009...
12:26 < hyper_ch> nothing more I can do about it than bitch in random irc channels ;)
12:29 <@Eugene> !gigabit
12:29 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
12:30 < hyper_ch> I don't even have 100mbit to my home despite having fiberoptic :(
12:31 < hyper_ch> btw, why is there a tcp maximum segement size when you're using udp?
12:32 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
12:34 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
12:35 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
12:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: brb]
12:41 <@Eugene> Eh? I was just gettign the link for somebody
12:42 <@Eugene> $DAYJOB boss has finally warmed up to the idea of moving from ipsec to openvpn, thank you $DAEMON
12:48 -!- esde [~esde@unaffiliated/esde] has quit [Quit: ZNC - http://znc.in]
12:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
13:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
13:00 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
13:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 246 seconds]
13:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
13:18 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
13:23 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
13:24 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 255 seconds]
13:31 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Excess Flood]
14:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:03 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
14:09 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
14:34 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
14:50 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
15:46 -!- cassidyslivers [~cassidysl@185.32.221.5] has joined #openvpn
16:05 < KNERD> What was that nify paste site I have been seen people using, which seperates it all into different sections?
16:17 -!- cassidyslivers [~cassidysl@185.32.221.5] has quit [Ping timeout: 265 seconds]
16:18 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
16:19 -!- cassidyslivers [~cassidysl@185.32.221.31] has joined #openvpn
16:27 -!- asturel [~asturel@unaffiliated/asturel] has quit [Ping timeout: 260 seconds]
16:31 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
16:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
16:33 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
16:37 < KNERD> yeah...found it
16:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:39 < KNERD> https://gist.github.com/
16:39 <@vpnHelper> Title: Gists (at gist.github.com)
16:41 < KNERD> Okay here it is..trouble on windows 8.1 https://gist.github.com/anonymous/cd873830241c6865cf0a
16:41 <@vpnHelper> Title: OpenVPN Windows ADD Route Trouble: (at gist.github.com)
16:48 < KNERD> yeah this is failing on Windows 7 as well as Windows 8.1
16:57 < DArqueBishop> KNERD: are you running that under OpenVPN-GUI? If so, make sure you're running it as administrator.
16:58 < DArqueBishop> OpenVPN-GUI fails to connect properly if it's not run as administrator.
17:02 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
17:04 < idl0r> Thu Oct 30 17:50:51 2014 SIGTERM[soft,remote-exit] received, process exiting
17:04 < idl0r> how can i stop the *server* from doing that on a client disconnect? :(
17:04 < idl0r> in p2p mode
17:05 < idl0r> the complete daemon will be shutdown
17:05 < KNERD> DArqueBishop: thanks, let me check
17:09 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:16 < KNERD> DArqueBishop: thanks a bunch..that was it
17:17 < KNERD> but....how can we have multiple configs?
17:20 -!- mattock is now known as mattock_afk
17:22 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
17:24 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
17:26 < KNERD> idl0r: i am sure they will want to see your configs
17:26 < KNERD> I don't have that problem.
17:27 < idl0r> KNERD: http://dpaste.com/0T3QWSJ
17:27 < idl0r> KNERD: ip addr del fails in that chroot, that *might* be the reason
17:27 < idl0r> but don't even has to delete that ip at all
17:28 < idl0r> the disconnect-client option doesn't work in p2p mode
17:30 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:33 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:36 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
17:37 -!- killher [~munki@unaffiliated/xsamurai] has joined #openvpn
17:38 < killher> Current openvpn setup allows users to connect without passwords
17:39 < killher> I updated a test key with a password but openvpn did not prompt for password
17:40 <@krzee> updated the key with a password?
17:40 < killher> yep
17:40 < DArqueBishop> KNERD: You simply have multiple .ovpn files in the OpenVPN\config directory.
17:40 <@krzee> i think you're talking about encrypting your private key
17:40 < killher> im assuming its a server setting that would require updating ?
17:40 <@krzee> which is different than using openvpn login/passwords
17:40 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
17:41 -!- cassidyslivers [~cassidysl@185.32.221.31] has quit [Quit: Leaving]
17:41 <@krzee> !factoids search change
17:41 <@vpnHelper> 'change-passphrase' and 'changelog'
17:41 < KNERD> DArqueBishop: okay thanks
17:41 <@krzee> !change-passphrase
17:41 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
17:41 < killher> krzee: thanks I did that already
17:41 < killher> but I can still connect without a password prompt
17:41 <@krzee> killher, then openvpn should prompt for the passphrase when it starts
17:41 < KNERD> killher: maybe the keepalive 10 120
17:42 <@krzee> before connecting at all
17:42 <@krzee> killher, stop openvpn and start it again, be sure you are using the encrypted .key file in the openvpn config
17:42 <@krzee> if you did it properly openvpn will not be able to load the key until you enter the passphrase
17:43 <@krzee> it wont even attempt to connect.
17:43 < killher> Is it possible to use the unencrypted on the client side and an encrypted key on the server side
17:43 < killher> I dont want to reissue keys to a bunch of users
17:43 <@krzee> killher, openvpn doesnt even know you encrypt the key or not, its not like you're adding passwords to openvpn itself
17:44 <@krzee> so yes, no other end will know or care, nor will you know or care if they encrypted their private key
17:44 <@krzee> its not for network security its for local security
17:44 < killher> makes sense
17:45 <@krzee> if you have an encrypted private key nobody who stumbles upon it can use it
17:45 < killher> any way to go about user authentication model instead
17:45 <@krzee> yes
17:45 <@krzee> !pwauth
17:45 <@krzee> !authpass
17:45 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
17:45 < killher> krzee: thanks appreciate it
17:45 <@krzee> yw
17:46 <@krzee> but then clients must be updated
17:46 < killher> in the config ?
17:48 <@krzee> cause they'll need to be prompted for the pass, --auth-user-pass
17:48 <@krzee> unless you make pw auth optional, but then why have it
17:48 -!- Latrina [~Latrina@adsl-ull-214-255.45-151.net24.it] has quit [Ping timeout: 272 seconds]
17:49 <@krzee> well actually there is good reasons to, and they are in the manual at --auth-user-pass-optional
17:50 -!- Latrina [~Latrina@ppp-122-11.26-151.libero.it] has joined #openvpn
17:52 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
17:58 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
18:00 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 256 seconds]
18:01 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
18:04 < killher> krzee: thanks for the help
18:04 -!- killher [~munki@unaffiliated/xsamurai] has quit [Remote host closed the connection]
18:26 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
18:28 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
18:31 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:49 -!- rich0_ is now known as rich0
19:05 -!- seventyseven [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
19:09 -!- seventyseven [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
20:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:05 -!- satdav [uid15780@firefox/community/satdav] has joined #openvpn
20:30 -!- devdel [~d3vd3l@178.174.210.205] has joined #openvpn
20:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
20:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:52 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:57 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:59 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has quit [Ping timeout: 265 seconds]
21:02 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
21:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
21:24 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
21:30 -!- Wulf [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 260 seconds]
21:31 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
21:46 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
21:47 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn []
22:51 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
23:26 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 246 seconds]
23:32 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:44 -!- satdav [uid15780@firefox/community/satdav] has quit [Quit: Connection closed for inactivity]
23:49 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 250 seconds]
23:51 -!- fling [~fling@fsf/member/fling] has joined #openvpn
--- Day changed Fri Oct 31 2014
00:08 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
00:33 -!- ShadniX [dagger@p5DDFC3EC.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:34 -!- ShadniX [dagger@p5DDFF10C.dip0.t-ipconnect.de] has joined #openvpn
01:02 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
01:20 -!- mattock_afk is now known as mattock
01:38 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 255 seconds]
01:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:59 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
02:06 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
02:11 -!- fling [~fling@fsf/member/fling] has joined #openvpn
02:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:14 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:48 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
04:49 -!- mode/#openvpn [+o novaflash] by ChanServ
04:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:56 -!- Wulf [~Wulf@unaffiliated/wulf] has left #openvpn []
05:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:28 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
05:29 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
05:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:36 -!- n13l [~Daniel@aaa.anect.cz] has joined #openvpn
05:49 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
06:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
06:48 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
07:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:32 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:35 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:41 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:43 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:46 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 265 seconds]
07:46 -!- mirco_ is now known as mirco
08:17 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:26 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has joined #openvpn
08:26 < wallbroken> hi
08:26 < wallbroken> how much traffic could a openvpn server manage on a pentium 4?
08:47 <@ecrist> easiest way to figure that out is to try it
09:07 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:36 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:00 <@novaflash> <3 ecrist
10:01 <@ecrist> ?
10:01 <@novaflash> hi
10:02 <@ecrist> howdy
10:08 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:11 -!- _FBi is now known as ScareFBi
10:13 -!- xsamurai [~fahad@unaffiliated/xsamurai] has joined #openvpn
10:15 -!- xsamurai [~fahad@unaffiliated/xsamurai] has quit [Client Quit]
10:15 -!- xsamurai [~fahad@unaffiliated/xsamurai] has joined #openvpn
10:17 < xsamurai> alright so I have about a 100+ openvpn clients, I have password prompt setup and working upon connection, now how do I force the prompt to show up with auth-user-pass options in the config without having all the clients modify their configs ?
10:20 <@ecrist> you modify the configs
10:20 <@ecrist> that's the only way to do it
10:20 <@ecrist> the client has to know you require a user/pass
10:20 < xsamurai> no way to push that on to them
10:21 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:21 <@ecrist> no
10:22 < xsamurai> alright thanks appreciate it
10:25 <@ecrist> sorry I didn't have a magic bullet for you
10:26 -!- xsamurai [~fahad@unaffiliated/xsamurai] has quit [Ping timeout: 244 seconds]
10:26 < ScareFBi> ecrist, morning
10:26 <@ecrist> howdy
10:27 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:28 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:30 < ScareFBi> ecrist, other than MTU -- do you think OPVN will offer a max speed setting, server side?
10:34 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:35 -!- hays [~hays@unaffiliated/hays] has quit [Ping timeout: 244 seconds]
10:35 <@ecrist> what do you mean?
10:35 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:36 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
10:38 < ScareFBi> I want to limit my account to 10Mpbs
10:38 < ScareFBi> but a user can edit the client conf
10:39 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
10:41 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:42 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:48 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:49 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:49 -!- fenris_kcf [~fenris@p579E7872.dip0.t-ipconnect.de] has joined #openvpn
10:50 < fenris_kcf> hy. i read that if i want to enable broadcasts in my VPN, the clients have to add a route. is that possible with a config-entry?
10:53 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
10:53 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
10:55 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
10:56 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
10:58 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 265 seconds]
11:02 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:03 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:07 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
11:07 <@ecrist> ScareFBi: you need to do something outside of openvpn to limit that session
11:07 <@ecrist> using another software firewall, or something else
11:09 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:10 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:10 <@ecrist> fenris_kcf: what are you trying to do?
11:11 < fenris_kcf> ecrist: i want to enable playing games through my vpn, that rely on a broadcast in local network sessions
11:11 <@ecrist> for gaming, you likely want tap for the dev
11:12 < fenris_kcf> ecrist: hmm, the vpn already uses tap
11:13 < fenris_kcf> but gamehosters are not listed
11:13 < fenris_kcf> connecting via address works
11:13 < fenris_kcf> could it be another problem?
11:16 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:16 -!- Mik3C [~miguelc@89.114.47.44] has joined #openvpn
11:17 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:17 < fenris_kcf> wireshark shows the broadcasts (should be the entries with destination: 10.20.30.255, right?)
11:17 < fenris_kcf> (these are broadcasts sent from my system)
11:20 <@ecrist> !configs
11:20 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:20 < fenris_kcf> i also receive such packages, so i guess the broadcast is not the problem
11:20 < fenris_kcf> ok, i'll paste it
11:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:27 < fenris_kcf> ecrist: here are the configs: http://pastebin.com/wbQ0uCLw
11:27 < fenris_kcf> btw: it works on linux clients
11:27 < fenris_kcf> so i guess it's a missing config-entry for windows-clients
11:27 < fenris_kcf> or a more common problem with windows clients
11:29 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:30 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:33 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:37 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:37 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
11:37 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
11:43 < fenris_kcf> it also depends on the game. it work in e.g. widelands, but not in e.g. warcraft3
11:43 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Read error: Connection reset by peer]
11:44 < fenris_kcf> many threads in the net say that the problem could be not having a default route
11:45 <@ecrist> since you're seeing broadcasts, it tells me this isn't an openvpn issue, per se
11:45 <@ecrist> it's an issue with how the game works
11:46 < fenris_kcf> i guess, yes
11:46 < fenris_kcf> sry
11:47 < fenris_kcf> guess the "problem" is known though
11:50 < fenris_kcf> guess my question should be: what is the default route i have to add in order to propagate vpn-broadcasts correctly?
11:50 < fenris_kcf> this thread seems to describe the problem: http://ubuntuforums.org/showthread.php?t=1933072
11:50 <@vpnHelper> Title: warcraft 3 lan (at ubuntuforums.org)
11:52 <@ecrist> fenris_kcf: broadcasts are working correctly
11:53 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:57 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
11:58 -!- wallbroken [wallbroken@unaffiliated/wallbroken] has left #openvpn []
12:02 -!- Mik3C [~miguelc@89.114.47.44] has quit [Quit: leaving]
12:14 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 250 seconds]
12:15 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
12:17 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
12:20 -!- fenris_kcf is now known as fenris_afk
12:21 < fenris_afk> ok, "route add 255.255.255.255 dev tap0" did it. sry for the inconvenience
12:21 -!- Pyrogerg [~Gregory@mobile-166-171-122-175.mycingular.net] has joined #openvpn
12:21 -!- Pyrogerg [~Gregory@mobile-166-171-122-175.mycingular.net] has quit [Max SendQ exceeded]
12:22 -!- Pyrogerg [~Gregory@mobile-166-171-122-175.mycingular.net] has joined #openvpn
12:22 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:23 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [K-Lined]
12:33 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
12:34 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
12:44 -!- Guest27601 [~esde@unaffiliated/esde] has joined #openvpn
12:44 -!- Guest27601 [~esde@unaffiliated/esde] has left #openvpn []
12:53 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
13:08 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
13:10 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:16 -!- Pyrogerg [~Gregory@mobile-166-171-122-175.mycingular.net] has quit [Read error: Connection reset by peer]
13:18 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
13:27 -!- reventlov [~reventlov@unaffiliated/reventlov] has quit [Ping timeout: 258 seconds]
13:28 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
13:30 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
13:58 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
14:13 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:24 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
14:28 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.0.2/20141027150301]]
14:35 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
14:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:54 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
14:57 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Quit: bis später]
14:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
15:02 < ScareFBi> ecrist, yup.  But OPVN does that, client side.  Not sure why it's not available server side
15:03 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Quit: ZNC - http://znc.in]
15:06 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
15:14 -!- Komplanar is now known as awsmo
15:19 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
15:21 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
15:28 -!- awsmo is now known as Komplanar
16:05 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
16:19 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 256 seconds]
16:27 -!- devdel [~d3vd3l@178.174.210.205] has quit []
16:34 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Remote host closed the connection]
16:35 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
16:36 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
17:58 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
18:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 244 seconds]
18:46 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:12 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
19:17 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: No route to host]
19:18 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
19:41 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
19:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:58 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:04 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
20:40 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
20:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:59 -!- mode/#openvpn [+v s7r] by ChanServ
21:01 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
21:16 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
21:51 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:56 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
22:14 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 255 seconds]
22:15 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 256 seconds]
22:15 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:22 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 244 seconds]
22:26 -!- DrMacinyasha [Denham@unaffiliated/drmacinyasha] has left #openvpn []
22:34 -!- fenris_kcf [~fenris@p579E6AC8.dip0.t-ipconnect.de] has joined #openvpn
22:37 -!- fenris_afk [~fenris@p579E7872.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
22:42 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
22:43 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 245 seconds]
22:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
23:22 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
23:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
23:30 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
--- Day changed Sat Nov 01 2014
00:28 -!- teksimian [~chatzilla@174-138-223-167.cpe.distributel.net] has joined #openvpn
00:31 -!- ShadniX [dagger@p5DDFF10C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:34 -!- ShadniX [dagger@p5481DCBE.dip0.t-ipconnect.de] has joined #openvpn
00:35 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 244 seconds]
00:35 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
00:36 < teksimian> hello everyone.  I need some help with a windows 7 client.  I installed openvpn, ran openvpn-gui for weeks happily.  the PC restarted, and now it seems openvpn starts up on its own.  But i can't see it in services or task manager or anywhere else to stop it.
01:01 < teksimian> it actually looks like openvpn-gui is trying to run two concurrent clients somehow and theyre fighting over some route setting.  not sure why this would be. connection drops every couple minutes, and comes back after another couple minutes.
01:02 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: leaving]
01:04 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
01:20 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has quit [Ping timeout: 272 seconds]
01:39 -!- teksimian [~chatzilla@174-138-223-167.cpe.distributel.net] has quit [Ping timeout: 265 seconds]
02:02 -!- teksimian [~chatzilla@174-138-199-84.cpe.distributel.net] has joined #openvpn
02:11 -!- anth_ [~Anthony@c58-109-94-156.randw3.nsw.optusnet.com.au] has joined #openvpn
02:15 < anth_> Hi, I have an issue where i am unable to connect through a restrictive firewall where it gets stuck on waiting, using the osx tunnelblick client and windows openvpn gui client, but while using openvpn connect on my andriod device there is no issue. I am using identical configurations for this.
03:09 <@krzee> anth_, your windows machine probably just needs to disable the windows firewall on the tap adapter
03:11 < fenris_kcf> teksimian: have you looked in "msconfig"?
03:11 < fenris_kcf> (last tab or so)
03:43 < Pinchiukas> 'openssl req' should create a CSR in the -out file? For some reason 'openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -keyout a.key -out a.csr' is creating a certificate. Can anybody tell me why?
03:44 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
03:49 < Pinchiukas> It was because of the -x509 option, never mind. :)
03:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:22 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has left #openvpn []
04:24 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
04:27 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
04:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:02 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
05:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:19 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 256 seconds]
05:39 -!- mattock is now known as mattock_afk
05:40 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 272 seconds]
05:48 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:50 -!- jotterbot [~jotterbot@203-219-31-250.tpgi.com.au] has joined #openvpn
05:51 -!- jotterbot [~jotterbot@203-219-31-250.tpgi.com.au] has quit [Client Quit]
06:05 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
06:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:14 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:20 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 264 seconds]
06:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:29 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 250 seconds]
06:35 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
06:37 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
06:37 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
06:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
06:51 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:52 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
07:05 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
07:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:14 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 256 seconds]
07:20 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
07:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 272 seconds]
07:51 -!- deranged_user [deranged@lolnerd.net] has quit [Quit: et nos unum sumus]
07:51 -!- mpoole [~mpoole@minotaur.apache.org] has quit [Ping timeout: 265 seconds]
07:53 -!- deranged_user [deranged@lolnerd.net] has joined #openvpn
07:54 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
07:57 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
07:58 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:08 -!- deranged_user [deranged@lolnerd.net] has quit [Quit: et nos unum sumus]
08:11 -!- deranged_user [deranged@lolnerd.net] has joined #openvpn
08:16 -!- deranged_user [deranged@lolnerd.net] has quit [Quit: et nos unum sumus]
08:19 -!- deranged_user [deranged@lolnerd.net] has joined #openvpn
08:26 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:27 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
08:45 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:46 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
08:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:09 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
09:10 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
09:13 -!- x00e [~itch@86.121.149.26] has joined #openvpn
09:18 < x00e> hello guys. I`m trying to set up a openvpn server on a debian 7 install. ovpn version in repos is 2.2.1. Issue is, when I try to build the ca cert (./build-ca), i get this error: "140164236433064:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 139". googleing it didn`t how much. Any tips on what should I do next ?
09:39 -!- Argure [quassel@geonosis.donttrustrobots.nl] has joined #openvpn
09:57 < Argure> Hi :)
09:57 < Argure> I've been trying to route all inet traffic from my laptop to a server. Client is running openvpn 2.3.2-9 (Debian Jessie) through gnome network manager, server is 2.2.1-8+deb7u2 (wheezy); using PKI to connect works fine, but actually routing traffic doesn't work.
09:57 < Argure> Relevant logs and config files: https://gist.github.com/Argure/68de75e7960c3a0bb58e
09:57 <@vpnHelper> Title: client:etc.host.conf (at gist.github.com)
10:12 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
10:16 -!- mattock_afk is now known as mattock
10:17 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:19 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:22 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
10:24 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
10:27 -!- _aeris_ [~aeris@server.imirhil.fr] has joined #openvpn
10:28 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:29 < _aeris_> hello #openvpn
10:29 < _aeris_> i have some trouble with openvpn this day :(
10:31 < _aeris_> i have an openvpn server, running on 10.0.0.1/24 tun0 udp, a bridge br1 10.0.1.1/24, and a vm bridged on br1 10.0.1.2/24
10:31 < _aeris_> from a vpn client (10.0.0.6/24), i try to access the vm
10:31 < _aeris_> but i have a *lot* of network trouble if i try to do this
10:31 < _aeris_> from the openvpn point of view : http://aeris.imirhil.fr/snif.png
10:32 < _aeris_> from the openvpn client pov : http://aeris.imirhil.fr/snif1.png
10:32 < _aeris_> from the vm pov : http://aeris.imirhil.fr/snif2.png
10:32 < _aeris_> seems there are a lot of tcp out-of-order/retransmission/dup-ack/whatever
10:33 < _aeris_> putting openvpn on the same configuration but on tcp instead udp and all is good
10:33 < _aeris_> what’s the trouble ? :'(
10:34 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 258 seconds]
10:54 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
10:55 <@krzee> _aeris_, my first guess is mtu
10:55 <@krzee> !mtu
10:55 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:55 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
10:56 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:57 < _aeris_> krzee >
10:57 < _aeris_> ping -M do -c 1 -s 1472 forge
10:57 < _aeris_> PING forge (10.0.1.2) 1472(1500) bytes of data.
10:57 < _aeris_> seems mtu 1500 is ok :(
10:58 < _aeris_> i have a response
11:00 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Disconnected by services]
11:00 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
11:06 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
11:15 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
11:16 < Pinchiukas> I'm having problems connecting (as a client) from my WinXP VM to my linux OpenVPN. I've tracked it to the fact that it doesn't even try to connect - I tcpdump on the linux box and there are no packets comming from the Windows box IP. Any ideas why this is?
11:17 < Pinchiukas> !paste
11:17 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
11:17 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:18 < Pinchiukas> Here is my config: https://gist.github.com/anonymous/3024deb45b617f380bc5
11:18 <@vpnHelper> Title: gist:3024deb45b617f380bc5 (at gist.github.com)
11:18 -!- x00e [~itch@86.121.149.26] has quit [Read error: Connection reset by peer]
11:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:30 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 240 seconds]
11:49 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 272 seconds]
11:58 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
12:01 -!- Nyoom [Nyoom@unaffiliated/nyoom] has quit [Max SendQ exceeded]
12:03 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
12:08 -!- Nyoom [Nyoom@unaffiliated/nyoom] has joined #openvpn
12:11 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
12:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:24 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
12:30 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
12:36 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 256 seconds]
12:47 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 255 seconds]
12:51 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
12:53 < KNERD> Pinchiukas: it has no idea of where to connect
12:54 < KNERD> oh..never mind
12:54 < KNERD> tery drooping the directoies
12:55 < KNERD> ca C:\Program Files\OpenVPN\config\ca.crt   and change to "ca ca.crt"
12:55 < KNERD> that is how mine is
12:56 < KNERD> and run as Adminitstrator
13:04 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
13:12 <@krzee> wtf is verb 999
13:12 <@krzee> debug with verb 5
13:12 <@krzee> !winpath
13:12 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key" or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
13:14 <@novaflash> verb 999, for when you absolutely need to know EVERYTHING
13:14 <@novaflash> "this is the log program on verb 999 for OpenVPN. I am now going to encode and prepare the second byte: 0. this is the log program on verb 999 for OpenVPN. I am now going to encode and prepare the second byte: 1."
13:16 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
13:30 <@krzee> lol
13:31 < Pinchiukas> :)
13:31 < Pinchiukas> I didn't know the levels.
13:32 <@krzee> see !winpath above
13:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:39 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 258 seconds]
13:42 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
13:43 < Pinchiukas> How can I find out if a certificate is self-signed or not?
13:43 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
13:44 < pie_> If I revoke a key with easy-rsa with revoke-full, and I create a new key with the same name, will that break it?
13:44 < Pinchiukas> pie_: it shouldn't.
13:45 < pie_> ok
13:45 < pie_> i hope it wont :;P
13:46 < Pinchiukas> It would get a new serial.
13:52 < Pinchiukas> Ok it seems I might have made an ass out of myself. :) I've used the same information for the CA and the user certificate. As I understand that means they both have the same DN. And it looks like OpenVPN treats this as self-signed.
13:54 < KNERD> this is going on FAIL BLOG ;-)
13:55 <@novaflash> and at least 4 people will understand it and laugh :)
14:01 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Ping timeout: 255 seconds]
14:06 < pie_> does openvpn read all keys into memory or something before it drops permissions or something?
14:06 < pie_> everything works fine except for the fact that now that i enabled crl-verify,it gives me a permissions error when i try to connect
14:07 < pie_> it says it doesnt have permissions to read crl.pem but it does afaict
14:07 < Pinchiukas> KNERD, novaflash: did I really fail because of that? :)
14:07 < pie_> its in the same dir as the key/crt files, which is different thant the working directory
14:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
14:12 < pie_> any ideas?
14:13 -!- scyld [~scyld@unaffiliated/wasyl] has joined #openvpn
14:13 < Pinchiukas> pie_: try changing to 777 and see if that helps.
14:14 < Pinchiukas> Either that or verb 999. :)
14:19 < pie_> chmod 777 still didnt work
14:20 < Pinchiukas> Are you sure the user OpenVPN downgrades to has access to cd to the directory that the cert is in? Also, try not downgrading the user.
14:21 < pie_> im pretty sure downgrading is the issue, but then why can it handle authentication? the auth related files are also in said directory
14:22 < Pinchiukas> Well, test it.:)
14:28 < pie_> yes dropping permissions is the issue
14:28 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has quit [Excess Flood]
14:28 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
14:29 < pie_> Pinchiukas: without crl-verify, dropping permisisons works and connectiong works
14:29 < pie_> with crl-verify i get the permissions error
14:29 < Pinchiukas> You can increase verbosity and check the log.
14:30 <@krzee> Pinchiukas,
14:30 <@krzee> !cert-verify
14:30 < pie_> i just realized the problem
14:30 <@krzee> !factoids search cert
14:30 <@vpnHelper> 'servercert', 'certs', 'nocert', 'certverify', 'certinfo', 'cert_chains', 'certfight', 'certpw', and 'certman'
14:30 <@krzee> !certverify
14:30 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
14:30 < pie_> this is public key crypto
14:30 < pie_> so the server doesnt need to read the client certs or keys
14:30 < pie_> no wait thats wrong
14:31 < Pinchiukas> krzee: I believe this check can say it's ok and it would still not work.
14:31 < pie_> krzee: my certificates are fine afaik
14:31 <@krzee> Pinchiukas, if you check that on both sides, and then check the hash of the ca.crt is the same on both sides, then it will work
14:31 < pie_> as i said, i can connect
14:32 < pie_> (without crl-verify)
14:32 <@krzee> pie_, i wasnt talking to you
14:32 < Pinchiukas> ca.crt is definitely the same.
14:32 < pie_> oh o
14:32 < pie_> k
14:33 <@krzee> pie_, as for you, be sure theres no reason it needs to have elevated priviledges, make sure openvpn can access the script with its lowered priviledges
14:33 <@krzee> things such as chroot might bite ya
14:33 < Pinchiukas> krzee: the reason I'm asking is I get this: "VERIFY ERROR: depth=0, error=self signed certificate: <my DN info>". And the DN info is the same in the CA and the cert. That's why I think it's because of that.
14:33 <@krzee> also note if you're using an os startup script, it might add a chroot or similar without asking you
14:34 <@krzee> Pinchiukas, so you did what i said?
14:34 < pie_> krzee: does openvpn need access to the client public crt/key files? afaict in the config it doesnt
14:34 < Pinchiukas> krzee: did you understand what I said about the check being passed and it still not working? :)
14:35 <@krzee> pie_, it reads them at startup and for rekeying unless you use --persist options
14:35 < pie_> i use persist
14:35 < pie_> so that means if i were to add something on the fly, it wouldnt work without restart?
14:35 <@krzee> Pinchiukas, so you checked both sides and hashed the ca.crt to check? it sounded like you answered without doing what i said
14:36 <@krzee> pie_, add something where on the fly? in the config? to the shell script that is called by tls-verify?
14:36 < Pinchiukas> I got "OK" on both sides but also an error about it being self-signed on the client side.
14:36 < pie_> krzee: err, if i were to add keys while ovpn is running
14:36 < Pinchiukas> And I've signed both server and client certificates with the same command so it can't be self-signed.
14:36 <@krzee> Pinchiukas, and you compared md5 of the ca.crt on both sides?
14:37 < Pinchiukas> I only have a single ca.crt that I copied to both servers.
14:37 <@krzee> that was not my question
14:37 < Pinchiukas> Let me check the contents...
14:37 <@krzee> also not the question
14:37 < pie_> its self explanatory i suppose, after dropping perms openvpn no longer has access to the directory, and due to --persist it still has access to the key files it opened at the beginning, but it reads crl-verify on every connection attempt?
14:37 <@krzee> check the md5 hash.
14:38 <@krzee> i should not have to repeat such simple directions so many times
14:38 < Pinchiukas> krzee: I don't have anything to check the md5sum on the Windows VM.
14:38 <@krzee> pie_, thats what im thinking, yes
14:39 < pie_> Pinchiukas: well there is the md5 in the cert metadata
14:39 <@krzee> !google windows md5 checksum
14:39 <@vpnHelper> Download Microsoft File Checksum Integrity Verifier from Official ...: <http://www.microsoft.com/en-us/download/details.aspx?id=11533>; How to compute the MD5 or SHA-1 cryptographic hash values for a file: <http://support.microsoft.com/kb/889768>; WinMD5 Free - Windows MD5 Utility Freeware: <http://www.winmd5.com/>
14:39 <@krzee> that was hard =/
14:39 <@krzee> pie_, nah i just want him to check the md5 of the file itself, and i suggest that you upgrade from using md5 in the certs itself, sha256 should be fine
14:40 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
14:40 < pie_> ah ok, idk what the standard scheme is now for hashes :P i know they used md5 a while ago and that its not recommended anymore, so id hope sha25 is used
14:40 < pie_> *256
14:41 <@krzee> if you use easy-rsa for making your certs it should be using sha256 anyways
14:41 < pie_> right
14:41 < Pinchiukas> krzee: ok, I checked and the ca.crt is the same on both servers. Happy?
14:41 <@krzee> unless it's old
14:41 <@krzee> Pinchiukas, sorry for bothering you, i wont try to help you anymore
14:41 < Pinchiukas> Thanks
14:42 <@krzee> did not know it would put you out to follow directions in attempting to help you, instead of continuing to troubleshoot ill ignore so i dont bother you anymore
14:42 < pie_> i think its sha1
14:43 < pie_> krzee: what group/user should i set the owner/group of the key/crt/crl file to?
14:44 <@krzee> should be fine as root since you use the relevant persist options
14:44 <@krzee> i think the problem is accessing the tls-verify script, or running some commands within it
14:45 < pie_> crl-verify
14:45 < pie_> not the same(?)
14:45 <@krzee> remember that to run a script, the openvpn user will need permission=5 on the directory containing the script
14:45 <@krzee> sorry, crl-verify
14:45 < pie_> thats a script?
14:46 <@krzee> no, i was thinking you had said tls-verify for some reason, but the permission stuff is still true
14:46 < pie_> since it doesnt have a persist option i think it gets reread every time?
14:46 <@krzee> crl will be read each time
14:47 <@krzee> or so i think, lemme check the manual too
14:47 <@krzee> its been awhile
14:47 < pie_> wait wait hold on
14:47 < pie_> but it has all +r perms
14:47 < pie_> so it should still be readable!
14:47 <@krzee> it needs to be readable by the openvpn user/group, ya
14:48 < pie_> it should be readable
14:48 <@krzee> whoa i like the dir option
14:48 < pie_> i dont see why it isnt
14:49 <@krzee> pie_, show me ls -la in the dir containing the crl, and show me your config without file comments
14:52 < pie_> krzee: http://pastebin.com/mSg8ifyC
14:53 <@krzee> ok and ls -la /etc/openvpn/keys/
14:55 <@krzee> you understand what ifconfig-noexec  does?
14:55 <@krzee> because i dont see your running a script that would deal with the commands… im wondering how this even works
14:56 <@krzee> …does it work?
14:56 < pie_> sorry one sec
14:56 < pie_> yes
14:56 < pie_> im running it in a freebsd jail :P
14:56 <@krzee> where are you setting the addresses?
14:56 <@krzee> outside of openvpn?
14:57 <@krzee> !fbsdjail
14:57 <@vpnHelper> "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
14:57 < pie_> theres a "bug" i have been bashing my head about for a long time that i havent been able to figure out yet, for some reason the jail doesnt run the commands to set the ip when i restart it, but it does on boot, but thats a different issue
14:57 < pie_> it works fine
14:58 <@krzee> ok cool
14:58 <@krzee> so you set the address outside of openvpn
14:58 < pie_> this is actually one of my pet projects, but i dont have near enough time to work on it :C openvpn is a big time sink somehow
14:58 < pie_> yeah
14:58 <@krzee> grab that ls -la for me
14:58 < pie_> ls in a sec
14:58 <@krzee> k
14:59 < pie_> krzee: http://pastebin.com/SNvP48ri
15:00 <@krzee> wheres . and ..
15:00 < pie_> i left out the a apparently
15:00 <@krzee> i need them, you can paste it here
15:00 <@krzee> since its only 2 things
15:00 < pie_> found the problem :)
15:00 <@krzee> ;]
15:00 <@krzee> nice
15:00 <@krzee> dir was 700?
15:01 < pie_> 600
15:01 <@krzee> yep
15:01 < pie_> :;P
15:01 <@krzee> 600 is weird for a dir btw
15:03 < pie_> err i have problems with permission numbers still xD 6 is rw right?
15:03 <@krzee> ya but directories need permissions for things to read the files within
15:04 <@krzee> to traverse i mean
15:04 <@krzee> so like if your user dir has a web dir, and you dont let the webserver user have +x on the user dir, the contained web dir will not be accessible even though IT has permissions allowing it
15:05 < pie_> thats exactly why i asked
15:05 < pie_> somehow its still fine though
15:05 < pie_> maybe because im root
15:05 <@krzee> exactly
15:06 <@krzee> you
15:06 < pie_> rather you cant ls it, the files will still be readable/etc if they have those perms
15:06 <@krzee> you'll get it once you play around more while also using a non-root account
15:06 < pie_> i probably did this on purpose thne forgot
15:07 <@krzee> about 10 minutes of testing and i bet you understand it close to perfect ;]
15:08 < pie_> i think i've got it now :P
15:08 <@krzee> nice, good job
15:08 <@krzee> im going to take off, later
15:09 < pie_> ok i take that back
15:09 < pie_> apparently it does need +x
15:13 < pie_> the whole tree going down needs x
15:16 <@krzee> exactly
15:16 <@krzee> +x on a dir allows traversal
15:17 <@krzee> see, just keep playing around with making dirs and seeing what you can do with different permissions, with 2 shells open, 1 as root for chmod and one as user to test
15:17 <@krzee> theres not much to it =]
15:18 < pie_> meh i think im going to try migrating from ezjail to jail.conf
15:19 -!- benvei [~benvei@unaffiliated/benvei] has joined #openvpn
15:19 < pie_> might fix my jail restart issue
15:19 < pie_> i wish there were som tutorials on it :P
15:19 < benvei> hey there. I installed openvpn on my openwrt router, and installed the openvpn client on my w2k8r2 server. Everything works, but if i ping the openvpn server, the first ping doesn
15:19 <@krzee> #freebsd is usually rather active
15:19 < benvei> doesn't work
15:19 < benvei> any idea how to fix this?
15:20 < pie_> krzee: yep but ive never really got any input on this
15:22 < benvei> http://pastebin.com/raw.php?i=jYdC8yh5
15:22 < benvei> this is my config
15:22 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds]
15:24 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:25 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
15:25 -!- mode/#openvpn [+o dazo_afk] by ChanServ
15:25 -!- dazo_afk is now known as dazo
15:27 < benvei> i think i solved it by using keepalive
15:29 < benvei> ok, i didn't
15:36 < pie_> does openvpn use procfs?
15:36 < pie_> or fdescfs?
15:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
15:46 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
15:48 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:49 -!- benvei [~benvei@unaffiliated/benvei] has quit [Read error: Connection reset by peer]
15:51 -!- hyponic [~DJ@cm-84.210.222.74.getinternet.no] has joined #openvpn
15:52 < hyponic> trying to get openvpn working on my vps. it's on a openvz vps so i have default gateway issues i think. tun is enabled. i am just stuck. can anyone help?
15:52 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
15:55 < hyponic> !configs
15:55 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:00 -!- robzil [~robzil--@unaffiliated/robzil] has joined #openvpn
16:01 -!- esde [~esde@unaffiliated/esde] has quit [Remote host closed the connection]
16:02 < robzil> !welcome
16:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:03 < robzil> !redirect
16:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:03 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:08 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
16:09 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 245 seconds]
16:17 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
16:18 -!- Sidewinder [~de@unaffiliated/sidewinder] has joined #openvpn
16:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 265 seconds]
16:33 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
16:34 -!- mode/#openvpn [+v debbie10t] by ChanServ
16:36 <+debbie10t> why does the forum simply not have a "VPN Provider" Catagory ?
16:37 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
16:39 <+debbie10t> ahh fuk you all .. your a bunch of fkn jokers anyway
16:40 <+debbie10t> Join ###openvpn for the DIRT on openvpn
16:40 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn ["Leaving"]
16:45 -!- Sidewinder [~de@unaffiliated/sidewinder] has quit [Quit: Leaving]
16:48 < robzil> !def1
16:48 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
16:49 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
16:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
16:56 -!- robzil [~robzil--@unaffiliated/robzil] has quit [Ping timeout: 250 seconds]
17:11 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has quit [Ping timeout: 256 seconds]
17:12 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
17:27 -!- satdav [uid15780@firefox/community/satdav] has joined #openvpn
17:28 -!- satdav [uid15780@firefox/community/satdav] has left #openvpn []
17:32 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
17:41 -!- ScareFBi is now known as _FBi
17:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
17:43 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has quit [Excess Flood]
17:43 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
17:46 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
17:48 < ckorzhik> hello. Is there way to make some 'roles' to users in such way that they will be able to communicate only to allowed servers in openvpn subnet?
18:06 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
18:12 -!- anth_ [~Anthony@c58-109-94-156.randw3.nsw.optusnet.com.au] has quit [Ping timeout: 260 seconds]
18:27 -!- rfrf [~rfree@46.246.9.35] has joined #openvpn
18:27 < rfrf> ecrist, or other ops, any special reason why only registered irc accounts can talk here? that's quite annoying
18:28 < rfrf> I use a VPN with config file https://www.frootvpn.com/files/frootvpn.ovpn . After connecting the client, all internet traffic from that computer goes via VPN.   But I can not tell any application to go via eth0 normally
18:29 < rfrf> if I tell application to bind the IP of my eth0 (LAN ip, 192.168...) then it works when openvpn is not running, but when it runs then the applications can not reach internet then
18:30 < rfrf> how to allow apps to bind eth0,  or how to make tun1 that will use regular LAN with gateway 192.168.0.1 and bypassing openvpn
18:30 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
18:31 < rfrf> !paste
18:31 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
18:31 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
18:32 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Client Quit]
18:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:34 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:42 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:44 -!- tmberg [tmberg@unaffiliated/tmberg] has left #openvpn []
18:45 < rfrf> could anyone give me a hint?
18:48 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 256 seconds]
18:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:49 < AlexRussia> hello! Does anybody know how to redirect all traffic by some ip to openvpn interface?(linux)
18:50 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
18:51 < rfrf> AlexRussia, funny, I have related by opposing problem
18:51 < rfrf> AlexRussia, I do not, but probably something to do with setting up routing
18:52 < AlexRussia> rfrf: i know, just i am a little noob in routing :/
18:53 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:53 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Client Quit]
19:01 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
19:01 -!- fenris_kcf is now known as fenris_afk
19:04 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
19:26 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
19:26 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:28 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
19:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:41 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
19:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
19:51 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
19:59 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
20:03 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:09 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:15 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
20:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
20:33 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:44 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
20:48 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
20:58 -!- felirami [~feli@190.215.162.24] has joined #openvpn
20:58 < felirami> hello guys, i need some help
20:58 < felirami> any of you know what can be the problem? http://pastebin.com/Bw071Jba
21:12 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
21:12 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.0.1]
21:15 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
21:16 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Client Quit]
21:19 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:41 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
22:12 -!- felirami [~feli@190.215.162.24] has quit [Read error: Connection reset by peer]
22:16 -!- techwharf [~techwharf@ec2-54-194-62-157.eu-west-1.compute.amazonaws.com] has quit []
22:21 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 258 seconds]
22:22 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
22:25 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
22:35 -!- fenris_kcf [~fenris@p549BCF97.dip0.t-ipconnect.de] has joined #openvpn
22:37 -!- fenris_afk [~fenris@p579E6AC8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
23:25 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has quit [Quit: pie_]
23:26 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
23:45 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
--- Day changed Sun Nov 02 2014
00:11 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
00:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
00:28 -!- teksimian [~chatzilla@174-138-199-84.cpe.distributel.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.0.2/20141027150301]]
00:30 -!- ShadniX [dagger@p5481DCBE.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:31 -!- ShadniX [dagger@p5DDFD8C9.dip0.t-ipconnect.de] has joined #openvpn
00:32 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
00:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
00:33 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
00:38 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
01:19 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
01:19 < Xgates> hi guys
01:21 < Xgates> I run Openvpn in Linux and today I noticed that if I connect straight into my modem and connect with OpenVPN to a server I can't ping or go online, but if I use a router I can, it works. What's with OpenVPN connectivity and just going straight to a modem, causing this?
01:07 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Read error: Connection reset by peer]
01:11 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Xgates]
01:13 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 264 seconds]
01:18 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:35 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 246 seconds]
01:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
02:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:50 -!- ajtag [~ajtag@cpc10-lee211-2-0-cust124.7-1.cable.virginm.net] has joined #openvpn
03:03 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 265 seconds]
03:31 -!- rfrf [~rfree@46.246.9.35] has quit [Ping timeout: 244 seconds]
03:36 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
04:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:19 -!- Latrina [~Latrina@ppp-122-11.26-151.libero.it] has quit [Ping timeout: 244 seconds]
04:20 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 272 seconds]
04:26 -!- mattock is now known as mattock_afk
05:06 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
05:10 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has joined #openvpn
05:10 < ValdikSS> Hello. Can I use server keys as client keys?
05:10 -!- Latrina [~Latrina@151.56.175.39] has joined #openvpn
05:10 < ValdikSS> How can I disable key type checks in OpenVPN?
05:12 < ValdikSS> I use remote-cert-tls server on both sides but that still doesn't work
05:13 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
05:14 < ValdikSS> *this is for internal use only, I perfectly understand what am I doing*
06:12 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:13 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
06:27 -!- Anodl [~Anodl@p5DC5A532.dip0.t-ipconnect.de] has joined #openvpn
06:27 -!- Anodl [~Anodl@p5DC5A532.dip0.t-ipconnect.de] has left #openvpn []
06:40 -!- fenris_kcf is now known as fenris_afk
06:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:18 -!- hyponic [~DJ@cm-84.210.222.74.getinternet.no] has quit [Ping timeout: 244 seconds]
07:32 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
07:33 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
07:53 -!- patrakov [~Thunderbi@2001:470:28:8b0::64f3:6f] has joined #openvpn
08:01 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 255 seconds]
08:16 -!- Argure [quassel@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
08:29 <@krzee> ValdikSS,
08:30 <@krzee>  <ValdikSS> How can I disable key type checks in OpenVPN?
08:30 <@krzee> by not adding them.
08:30 <@krzee> <ValdikSS> I use remote-cert-tls server on both sides but that still doesn't work
08:30 <@krzee> that is *how* you *add* them
08:31 < ValdikSS> krzee: Hrmm. How can I configure OpenVPN server to accept connections only from clients with _server_ key then? It didn't work for me.
08:31 < ValdikSS> krzee: I instantly got unsupported certificate purpose
08:31 <@krzee> the *SAME* server key or another?
08:31 < ValdikSS> krzee: another
08:32 <@krzee> if nothing else you could use --tls-verify
08:33 < ValdikSS> krzee: Imagine I have usual PKI with server and client keys. I want to make internal VPN between servers and not allow clients to connect to it
08:33 <@krzee> i have done such things, i make separate PKI for the servers
08:33 < ValdikSS> krzee: I did this already, too
08:33 <@krzee> and i use separate vpn processes for the infrastructure network
08:34 <@krzee> to me it makes more sense that way
08:34 < ValdikSS> krzee: I just though I can reuse existing PKI
08:34 <@krzee> did you look at tls-verify?
08:35 < ValdikSS> krzee: I just curious why it doesn't work even if I set remote-cert-tls server on both sides, and it still validates certificate purpose as a client
08:35 <@krzee> dont know, but i suppose you did it right so i wanted to help you acheive your goal instead of dwelling on that
08:36  * _FBi hugs krzee 
08:36 < ValdikSS> krzee: I see. Thanks anyway.
08:36 < ValdikSS> krzee: But wait. Why remote-cert-tls has parameters then?
08:36 <@krzee> oh i see, when i said i dont know you thought i was lying
08:36 <@krzee> :-p
08:37 <@krzee> maybe one of the devs will pop in and can answer that
08:37 <@krzee> i have only used that option as intended.
08:37 <@krzee> (and the intention of it is rather clear i suppose)
08:38 <@krzee> i dont see why it would be tied to the mode of operation, but from what you say it seems to be
08:38 <@krzee> instead of worrying about why, i told you another way to achieve your goal which cannot possibly be tied to a mode of operation
08:39 <@krzee> i mean i guess i could look at the code… but so could you ;]
08:39 < ValdikSS> krzee: I mean, if "remote-cert-tls server" validates client certificate and fails if it is not a client, then it is either a bug or a feature and "remote-cert-tls" should be without parameters "client" or "server" at all
08:39 <@krzee> if you think its a bug make a trac ticket
08:39 <@krzee> !trac
08:39 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database.
08:40 < ValdikSS> krzee: I'm still not sure if this is the bug. Maybe that's my misconfiguration somewhere or so
08:40 < ValdikSS> krzee: Anyway, now I have separate PKI and I think I'd stick with it
08:40 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
08:40 <@krzee> honestly i think thats better for darknets anyways
08:40 <@krzee> 1 pki for users, 1 for infrastructure
08:41 <@krzee> but if you want to hack it up how you were trying, tls-verify should help
08:42 < ValdikSS> By the way, if anyone is interested, I've made some patches to Easy RSA 3 for IPsec support. You can generate keys for both IPsec and OpenVPN. https://github.com/ValdikSS/easy-rsa-ipsec
08:42 <@vpnHelper> Title: ValdikSS/easy-rsa-ipsec · GitHub (at github.com)
08:44 <@krzee> hey cool, maybe you could talk to pekster and upload that to the official repo
08:44 <@krzee> !easy-rsa
08:44 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
08:46 -!- patrakov [~Thunderbi@2001:470:28:8b0::64f3:6f] has left #openvpn []
08:48 < ValdikSS> krzee: I have 2 pull requests for p12-export, but they are not accepted or what
08:49 < ValdikSS> https://github.com/OpenVPN/easy-rsa/pull/46 https://github.com/OpenVPN/easy-rsa/pull/45
08:49 <@krzee> i see, well we just pinged him so hopefully he sees it when he comes in
08:49 <@vpnHelper> Title: Add nopass parameter to export-p12 by ValdikSS · Pull Request #46 · OpenVPN/easy-rsa · GitHub (at github.com)
08:49 <@krzee> either way thank you for contributing your additions =]
08:49 < ValdikSS> krzee: It would be great if it could be accepted to mainline. I'll prepare patches then
08:50 <@krzee> pekster will be the right guy to talk to
08:51 < ValdikSS> krzee: I should thank YOU for creating and maintaining openvpn and everything with it
08:51 -!- Argure_ [argure@geonosis.donttrustrobots.nl] has joined #openvpn
08:51 -!- Argure_ [argure@geonosis.donttrustrobots.nl] has quit [Client Quit]
08:52 <@krzee> i didn't, i just do support ;]
08:52 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
08:54 <@krzee> any thanks to me would be for writing docs, diagrams, scripts, and helping people
08:54 <@krzee> hehe
09:12 -!- fenris_afk is now known as fenris_kcf
09:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:16 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
09:22 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
09:27 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
09:31 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:32 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has quit [Read error: Connection reset by peer]
09:33 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
09:35 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has joined #openvpn
10:11 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
10:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
10:19 -!- scyld [~scyld@unaffiliated/wasyl] has quit [Quit: Wychodzi]
10:23 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
10:23 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:35 -!- mattock_afk is now known as mattock
10:41 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
11:02 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 250 seconds]
11:13 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 245 seconds]
11:16 -!- Netsplit *.net <-> *.split quits: mistermajestic, scyld, eristisk, DrCode, moparisthebest
11:28 -!- ckorzhik [~user@46.72.5.164] has joined #openvpn
11:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:45 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
11:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
11:51 -!- digilink [~weechat@unaffiliated/digilink] has joined #openvpn
11:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:54 < digilink> hi.... running Debian Wheezy and my OpenVPN instance has recently just quit working. I have rebooted several times, and I think this may have been caused by a kernel upgrade, but not 100% sure. Upon boot, I am seeing this in dmesg: tun: Unknown symbol ipv6_proxy_select_ident (err 0). Just curious if anyone has seen this and any possible fix action?
11:55 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
12:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
12:13 -!- jeanbon [~s0d0m@softbank126026253207.bbtec.net] has joined #openvpn
12:13 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
12:15 < jeanbon> Hi everyone. I've got openvpn server on 10MB sym server but download client side is around 60-100kbps. anyway to improve that ?
12:16 -!- digilink [~weechat@unaffiliated/digilink] has left #openvpn ["WeeChat 1.0"]
12:16 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
12:25 < ValdikSS> jeanbon: there is
12:25 < ValdikSS> jeanbon:
12:25 < ValdikSS> sndbuf 393216
12:25 < ValdikSS> rcvbuf 393216
12:25 < ValdikSS> push "sndbuf 393216"
12:25 < ValdikSS> push "rcvbuf 393216"
12:26 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has joined #openvpn
12:28 < jeanbon> thanks? i'll try this now
12:36 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 256 seconds]
12:37 < jeanbon> ValdikSS: Thanks, around 150, 200 kbps now.
12:37 < jeanbon> already better
12:37 < ValdikSS> jeanbon: That's pretty slow
12:38 < jeanbon> do you think 270ms latency is too much ? cpu is fine only 8% at peak
12:39 < ValdikSS> jeanbon: So you have high-latency link. Try increasing that values more
12:39 < ValdikSS> jeanbon: like, 655360 or more
12:39 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
12:39 < jeanbon> ok
12:41 < ValdikSS> By the way, guys. OpenVPN in Windows doesn't handle a lot of routes well. It is VERY slow at connection and usually fails
12:41 < ValdikSS> I have >3000 routes
12:41 < ValdikSS> It connects more than 3 minutes usually. Everything is more or less fine in Linux and Mac OS
12:50 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
12:52 < jeanbon> Cool, i've got 1.4mbps now with 1310720
12:53 < jeanbon> Thanks again ValdikSS, i will try to find the best settings this way.
12:54 < ValdikSS> jeanbon: Please reply here https://community.openvpn.net/openvpn/ticket/461 if you have time
12:54 <@vpnHelper> Title: #461 (Change default sndbuf and rcvbuf values) – OpenVPN Community (at community.openvpn.net)
12:59 < jeanbon> sure will.
13:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
13:17 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has quit [Read error: Connection reset by peer]
13:18 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has joined #openvpn
13:25 -!- Robbster [~james@105-237-237-158.access.mtnbusiness.co.za] has joined #openvpn
13:26 < Robbster> !paste
13:26 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:27 < Robbster> hi all. Trying to get  openvpn client configured on openwrt to route local lan traffice over vpn. I can get the vpn up (tun0), but then things go bad. access to the internet stops.
13:28 < Robbster> It's almost certainly something very common/simple, but I just can't find it :(
13:43 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has quit [Quit: Leaving...]
13:59 -!- Robbster [~james@105-237-237-158.access.mtnbusiness.co.za] has quit [Quit: Leaving.]
14:01 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has joined #openvpn
14:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:03 -!- Argure [argure@geonosis.donttrustrobots.nl] has joined #openvpn
14:15 -!- benttail [~benttail@75-27-134-116.lightspeed.austtx.sbcglobal.net] has joined #openvpn
14:17 < benttail> !goal
14:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:18 < benttail> I would like to configure my access server to use a radius server over ipv6. I only get packet not sent, and no ipv6 traffic is generated
14:41 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:41 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
14:51 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 255 seconds]
15:04 -!- jangerhofer [~jangerho@lloyd-153233.reshall.umich.edu] has left #openvpn ["Linkinus - http://linkinus.com"]
15:09 -!- jeanbon [~s0d0m@softbank126026253207.bbtec.net] has quit [Quit: Quitte]
15:38 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
15:42 -!- Uber-Ich [~lamphu@unaffiliated/uber-ich] has joined #openvpn
15:45 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
15:46 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:48 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 265 seconds]
15:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
16:00 -!- Uber-Ich [~lamphu@unaffiliated/uber-ich] has quit [Read error: Connection reset by peer]
16:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
16:23 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:49 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
16:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:49 < Xgates> hi guys
16:51 < Xgates> I'm using the OpenVPN client from the cmd line in Linux, I noticed that if I connect directly to my modem from the ISP, when I connect to a VPN server, I can't ping or go online, but if I use my router I can ping and go online. Is there something with OpenVPN connecting straight to a modem?
16:51 < Xgates> It's just a basic modem too, not a router/modem...
17:22 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 264 seconds]
17:25 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
17:47 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:51 < Xgates> Anyone around can help with this?
18:07 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 260 seconds]
18:11 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
18:14 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
18:20 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Xgates]
18:30 -!- thumbs is now known as httpd
18:30 -!- httpd is now known as thumbs
18:30 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
18:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:32 -!- mode/#openvpn [+v s7r] by ChanServ
18:51 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
18:53 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
19:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 246 seconds]
19:28 -!- Teqonix [~quassel@c-174-51-153-217.hsd1.co.comcast.net] has quit [Read error: Connection reset by peer]
19:28 -!- ckorzhik [~user@46.72.5.164] has quit [Ping timeout: 255 seconds]
19:47 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:51 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:05 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:10 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
20:59 -!- wlxmhls [~hp@124.65.46.34] has joined #openvpn
21:00 < wlxmhls> hello, can I enable tcp and udp ports simultaneously in one configuration file?
21:10 < wlxmhls> anybody knows?
21:13 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 256 seconds]
21:16 -!- wlxmhls [~hp@124.65.46.34] has left #openvpn []
21:20 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
21:37 -!- fenris_kcf [~fenris@p549BCF97.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
22:06 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has joined #openvpn
22:07 < lkthomas> guys, is it possible to make openvpn do some action such as send out email when tunnel drops ?
22:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:27 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Remote host closed the connection]
22:27 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
22:54 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:01 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
23:11 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:13 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:21 <@Eugene> lkthomas - yes; see SCRIPTING AND ENVIRONMENTAL VARIABLES in the man page.
23:30 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has quit [Read error: Connection reset by peer]
23:30 -!- ShadniX [dagger@p5DDFD8C9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:30 < lkthomas> Eugene: will do, thanks
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:32 -!- ShadniX [dagger@p5481DDD5.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Nov 03 2014
00:09 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:41 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
00:45 -!- benttail [~benttail@75-27-134-116.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 255 seconds]
00:48 -!- mattock is now known as mattock_afk
01:21 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
01:27 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:39 -!- skipperwarlock [~Skipper@97-80-171-90.dhcp.gwnt.ga.charter.com] has joined #openvpn
01:40 < skipperwarlock> !welcome
01:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
01:40 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:40 < skipperwarlock> !route
01:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server
01:40 <@vpnHelper> or client
01:45 -!- rap_wrk [~rap_wrk@unaffiliated/rap-wrk/x-769542] has joined #openvpn
01:53 -!- skipperwarlock [~Skipper@97-80-171-90.dhcp.gwnt.ga.charter.com] has quit [Ping timeout: 265 seconds]
01:56 < rap_wrk> Hi I want to figure out how ipp.txt works.
01:57 < rap_wrk> On the server ipp.txt shows "rap_wrk,10.8.0.4"
01:58 < rap_wrk> and when I connect to the vpn I get an ip of 10.8.0.6
01:59 < rap_wrk> can anyone tell me why there is a sque of 2 between the IP shown in ipp.txt and the address given by the VPN
02:00 < rap_wrk> I notice the same change between ipp.txt and the IP on the client for other conenctions too.
02:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:03 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
02:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
02:19 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
02:20 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:03 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 258 seconds]
03:10 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
03:16 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
03:33 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
03:36 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
03:50 -!- mattock_afk is now known as mattock
03:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
04:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:08 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 255 seconds]
04:08 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 250 seconds]
04:11 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
04:15 -!- Magiobiwan [~Magiobiwa@unaffiliated/magiobiwan] has joined #openvpn
04:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:31 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:02 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:12 -!- BaNzounet [~ubuntu@ec2-54-72-61-12.eu-west-1.compute.amazonaws.com] has left #openvpn []
05:14 -!- techwharf [~techwharf@ec2-54-194-62-157.eu-west-1.compute.amazonaws.com] has joined #openvpn
05:33 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
05:40 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:16 -!- phaidros [~phaidros@ghostshell.subsignal.org] has joined #openvpn
06:18 < phaidros> hi, using tunnelblick on osx 10.7.5 I have an issue, which I am having troubles to debug. tunnelblick connects, gets an IP on tap0, sets interesting routes to different IPs from the vpn subnet, and loses all routes after ~2 seconds. tap0 is stiff there and up, tho I cannot even ping the IP assigned to tap0 anymore .. o.O .. any ideas what might cause such kind of behaviour in tunnelblick/osx?
06:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
06:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:03 < phaidros> ok, I found it: some huawei modem software was interfering woth all network settings, only after removing the whole thing (not only disabling auto startup) tunnelblick started working again
07:04 < phaidros> oh noes, false positive .. still not working :/
07:04 -!- lkthomas [~lkthomas@n218250150146.netvigator.com] has quit [Remote host closed the connection]
07:09 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:27 -!- notorious_ [~notorious@81.82.195.68] has joined #openvpn
07:27 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 258 seconds]
07:29 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
07:33 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
07:33 < phaidros> strange, even after removing all traces of the huawei/modem stuff I still lose the routes shortly after connect: somewhere in between here: http://pastebin.com/33M4KPgD
07:33 < phaidros> thats syslog and I am not sure which means which .. any tunnelblick users here with an idea maybe?
07:36 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 258 seconds]
07:43 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
07:47 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:48 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 256 seconds]
07:51 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
08:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:19 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Ping timeout: 246 seconds]
08:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 256 seconds]
08:31 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
08:34 -!- Hoaas [~hoaas@cm-84.215.143.53.getinternet.no] has joined #openvpn
08:36 -!- FreeStyle [~n0w@177.42.132.178] has joined #openvpn
08:37 < FreeStyle> Xchat IrRC fails to connect when VPN connection is on. How can I setup it?
08:37 < FreeStyle> IRC*
08:40 -!- FreeStyle [~n0w@177.42.132.178] has left #openvpn ["Leaving"]
08:48 < Hoaas> Hi, I am having some problems with the windows OpenVPN 64 bit client. I can connect to my router (RT-N66U) just fine over tcp and I get an IP. No error messages in the log. Yet I cannot access much... My ssh-connection to the server is still alive through all this.
08:49 < Hoaas> I can ping ips and get a response, but I don't get any response if I try to telnet to port 80 and similar.
08:50 < Hoaas> And dns does not seem to work. (it all works fine from the android client)
08:51 < Hoaas> Any ideas on what I could look at? :|
08:54 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:03 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
09:04 < Hoaas> Ok, I lied. I do get a reponse via telnet on port 80. Not so much in the browser though.
09:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:12 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
09:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:15 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has joined #openvpn
09:15 < ShotokanZH> hi guys
09:15 < ShotokanZH> little problem with latest openvpn-as & ubuntu 14.04
09:15 < ShotokanZH> just installed it and it opens the 945 port for like 4-5s
09:16 < ShotokanZH> then it dies
09:16 < ShotokanZH> in logs:
09:16 < ShotokanZH> https://91.121.4.170:943/admin
09:16 < ShotokanZH> (address)
09:16 < ShotokanZH> 2014-11-03 16:17:35+0100 [-] License Info {'concurrent_connections': 2}
09:18 <@ecrist> !as
09:18 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
09:19 <@ecrist> ShotokanZH: that's for you
09:19 < ShotokanZH> ecrist, thnx
09:20 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:20 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has joined #openvpn
09:20 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has left #openvpn ["Leaving"]
09:22 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has joined #openvpn
09:22 < ValdikSS> Hi! Does openvpn@secure-computing.net still works?
09:24 -!- xyo [~xyo@192.52.166.122] has quit [Quit: bye...]
09:35 -!- wirehack7 [wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 255 seconds]
09:35 <@ecrist> yes
09:35 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Ping timeout: 244 seconds]
09:35 -!- wirehack7 [~wirehack7@unaffiliated/wirehack7] has joined #openvpn
09:38 -!- idl0r [~idl0r@gentoo/developer/idl0r] has quit [Ping timeout: 272 seconds]
09:40 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
09:40 -!- ahuemer [~ahuemer@unaffiliated/ahuemer] has joined #openvpn
09:40 -!- thebloggu [~thebloggu@brg.eurotux.com] has joined #openvpn
09:42 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Ping timeout: 250 seconds]
09:42 -!- abbe [having@badti.me] has quit [Ping timeout: 256 seconds]
09:42 -!- abbe [having@badti.me] has joined #openvpn
09:43 < thebloggu> can someone tell me if there's a way to check a connection log?  does openvpn-status.log logs all connections or just the currently active?
09:44 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:46 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 246 seconds]
09:47 <@ecrist> thebloggu: just the current connections
09:47 <@ecrist> you'd have to look at the log itself
09:47 <@ecrist> --log
09:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 246 seconds]
09:50 < thebloggu> ecrist, and what is the info logged in each connection? user, origin ip, virtual ip and  time?
09:50 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 246 seconds]
09:50 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Ping timeout: 246 seconds]
09:56 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
10:00 -!- ckorzhik [~user@46.72.27.89] has joined #openvpn
10:05 -!- idl0r [~idl0r@gentoo/developer/idl0r] has joined #openvpn
10:08 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 246 seconds]
10:10 < thebloggu> ecrist, btw, doesn't openvpn has wtmp support?
10:36 -!- Nyoom [Nyoom@unaffiliated/nyoom] has left #openvpn ["Leaving"]
10:38 <@ecrist> thebloggu: no wtmp support out the gate
10:38 <@ecrist> to see what's logged, go try it, or read the man page.
10:38 <@ecrist>  :)
10:42 < thebloggu> ecrist, ok, thank you. on a related note, does openvpn support plugins? since the patches to add wtmp support I've seen are old,  I was looking at an easy way to add support without having to change openvpn's source code
10:54 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
11:02 -!- mistermajestic [~mistermaj@109.201.154.211] has joined #openvpn
11:12 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:22 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
11:29 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:34 -!- wirehack7 [~wirehack7@unaffiliated/wirehack7] has quit [Quit: ZNC - http://znc.in]
11:37 -!- wirehack7 [~wirehack7@unaffiliated/wirehack7] has joined #openvpn
11:48 -!- mt [mt@unaffiliated/supermat] has quit [Read error: Connection reset by peer]
11:51 -!- wirehack7 [~wirehack7@unaffiliated/wirehack7] has quit [Ping timeout: 256 seconds]
11:52 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Read error: Connection reset by peer]
11:53 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
12:20 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
12:25 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
12:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:39 <@krzee> !seen krzee
12:39 <@vpnHelper> krzee was last seen in #openvpn 1 day, 3 hours, 44 minutes, and 33 seconds ago: <krzee> hehe
12:39 <@krzee> o.O
12:41 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
12:45 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
12:47 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
12:53 -!- miruoy [~quassel@d51a4ceb0.access.telenet.be] has quit [Remote host closed the connection]
13:01 <@dazo> thebloggu: interesting idea ... should be possible to write a plug-in fairly easily to support wtmp
13:02 <@dazo> but I'd probably add it to auth-pam
13:03 < thebloggu> dazo, do you mean extending the auth-pam plugin?
13:03 <@dazo> yeah
13:03 -!- MaddinXx [~racksteri@2a01:2a8:8104:3401:c929:b595:9578:7255] has joined #openvpn
13:03 <@krzee> heh that is an interesting idea
13:04 <@dazo> the reason is that you need write access to /var/log/wtmp ... and iirc, auth-pam has the proper root/openvpn separation already in place
13:04 <@dazo> (and most people who wants wtmp depend on pam or ldap auth)
13:05 <@krzee> sure, makes sense
13:06 < thebloggu> dazo, krzee: hmm ok. do you have any more suggestion (please keep in mind I am beginning with openvpn and not much experienced in C). maybe some starting tips?
13:07 <@dazo> the username field in the struct wtmp requices is also restricted to UT_NAMESIZE (which on Fedora 19, is 32 bytes) ... which means you can't really store anything else than usernames there, which again speaks for auth-pam/auth-ldap usage
13:07 <@dazo> thebloggu: okay ... be ready for fail and trials ;-)  start poking at the the source code, in the src/plugins/auth-pam/auth-pam.c file
13:08 <@dazo> if you are willing to do the dirty work, I'll help you get through
13:09 <@dazo> but you need a working openvpn client/server setup with auth-pam enabled before you can start hacking on auth-pam
13:10 < thebloggu> dazo, sure :) of course. thank you for your help. I'll most probably give it a try
13:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:11 <@dazo> cool!
13:13 <@dazo> thebloggu: I'll have to warn you though ... auth-pam isn't the easiest plug-in to get started with ... as it does fork out a root process and there are some communication going on between the forked out root privileged process and the non-privileged code running in openvpn via the plug-in ... but if you're willing to learn, it's not black magic or such like :)
13:15 < thebloggu> dazo, sure :) I've got to go for today. I'll probably be around here tomorrow. would you mind if I talk to you in this channel if I need some guidance?
13:15 <@dazo> thebloggu: no prob!
13:16 < thebloggu> dazo, ok, thank you :) bye
13:16 <@dazo> thebloggu: come whenever you're ready!  I can't promise I'll be available always, but I'll respond when I'm around
13:16 < thebloggu> dazo, of course, thanks
13:17 -!- thebloggu [~thebloggu@brg.eurotux.com] has quit [Quit: Leaving]
13:21 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
13:22 -!- ckorzhik [~user@46.72.27.89] has quit [Ping timeout: 256 seconds]
13:24 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
13:28 -!- cassidyslivers [~cassidysl@185.32.221.21] has joined #openvpn
13:46 -!- jzaw [~jzaw@community-wifi.dzki.co.uk] has quit [Ping timeout: 256 seconds]
13:50 -!- ckorzhik [~user@46.72.27.89] has joined #openvpn
13:52 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
13:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
14:03 -!- nikkopt [~vagina@co1-84-90-103-39.netvisao.pt] has joined #openvpn
14:06 < nikkopt> !welcome
14:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:06 < nikkopt> !howto
14:06 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:06 < nikkopt> !route
14:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:06 <@vpnHelper> client
14:34 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:36 < nikkopt> Guys, i installed openvpn server on a openvz vps, so far so good, i can connect to it and browse the web.. i am also running apache on the same server but i can't reach the page by typing "localhost" on the browser while connected tru the vpn.. i'm a newbie in linux/networks.. what am i missing?
14:38 < DArqueBishop> It's because "localhost" will always default to the machine you are currently on.
14:39 < DArqueBishop> If you're connecting to localhost from your client machine, it'll always connect to your client machine whether or not you're connected to the VPN.
14:40 < nikkopt> what about the local ip address of the server? i can only reach the website by typing the external ip
14:40 <@dazo> localhost == 127.0.0.1, which is the box you are currently sitting on
14:40 < DArqueBishop> Check the firewall and Apache settings.
14:43 < nikkopt> what i want to do is block all external access to ports 80 and 443 while i build the website.. but i want to be able to reach it locally.. i tought that by connecting to it tru a vpn would do the trick
14:43 < nikkopt> am i wrong?
14:43 <@dazo> !tcpip
14:43 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:44 <@dazo> nikkopt: read that and learn about IP addresses and routing ... and then you need to learn about firewalling afterwards
14:44 <@dazo> !notovpn
14:44 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:45 < nikkopt> ok
14:45 < nikkopt> thanks
14:54 -!- MaddinXx [~racksteri@2a01:2a8:8104:3401:c929:b595:9578:7255] has quit [Quit: (null)]
14:58 -!- ompaul [~ompaul@unaffiliated/ompaul] has joined #openvpn
15:01 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
15:02 -!- nikkopt [~vagina@co1-84-90-103-39.netvisao.pt] has quit []
15:03 -!- dazo is now known as dazo_afk
15:04 < ompaul> where this is the case in the client config     ifconfig-push 10.9.0.101 10.9.0.102    what should the ipp.txt show ?
15:08 < ompaul> ok so ipp.txt is a status file
15:08  * ompaul goes to read his server config
15:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
15:33 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
15:38 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:51 < ompaul> ok fixed it - the ifconfig-push was wrong - and I have no idea where the number in ipp.txt came from anyway sorted
16:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:11 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:35 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
16:37 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
16:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
16:51 -!- ompaul [~ompaul@unaffiliated/ompaul] has quit [Quit: and zebedee said its time for other stuff]
16:52 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:04 -!- mode/#openvpn [+v s7r] by ChanServ
17:04 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:34 -!- cassidyslivers [~cassidysl@185.32.221.21] has quit [Quit: Leaving]
17:38 -!- ckorzhik [~user@46.72.27.89] has quit [Ping timeout: 255 seconds]
17:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
17:55 -!- pissfrog [~chatzilla@174.1.106.94] has joined #openvpn
18:33 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 264 seconds]
18:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:47 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:54 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 258 seconds]
19:03 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:11 -!- Pyrogerg_ [~Gregory@205.167.120.206] has joined #openvpn
19:11 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
19:17 -!- Pyrogerg_ [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
19:18 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
19:30 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
19:37 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 244 seconds]
20:02 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
20:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:38 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:38 -!- mode/#openvpn [+v s7r] by ChanServ
21:02 -!- pepperoni [~pepperoni@gateway/tor-sasl/pepperoni] has joined #openvpn
21:35 -!- pepperoni [~pepperoni@gateway/tor-sasl/pepperoni] has quit [Disconnected by services]
21:42 -!- mistermajestic [~mistermaj@109.201.154.211] has quit [Changing host]
21:42 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
21:45 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
21:46 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
21:50 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
21:50 < Xgates> hi guys
21:50 < Xgates> when did OpenVPN start using AES256, what year?
22:01 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
22:02 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Xgates]
22:11 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has joined #openvpn
22:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:16 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:20 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
22:20 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:21 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
22:22 -!- justinzane [~justinzan@67.21.190.132] has quit [Read error: Connection reset by peer]
22:22 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
22:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:23 -!- mode/#openvpn [+o syzzer] by ChanServ
22:24 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
22:30 < altker128> Hey all.  Anyone here using OpenVPN as a server on a FreeBSD host OS?
22:38 <@Eugene> Several people. This process will likely go quicker if you bother to ask your actual question ;-)
22:41 -!- justinzane [~justinzan@67.21.190.132] has quit [Read error: Connection reset by peer]
22:42 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
22:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:49 < altker128> Planning to use OpenVPN on FBSD, single-NIC, would like FBSD to behave as a router, FBSD is external facing (i.e. no firewall).  Just wondering how much work in terms of PF rules and forwarding/NAT will be required on the FBSD side
22:58 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 245 seconds]
23:03 <@Eugene> Not a BSD user myself, but I can speak generally about openvpn
23:03 <@Eugene> It presents as a generic tun device; firewall rules are no different than any other interface
23:03 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Quit: Leaving]
23:04 <@Eugene> So whatever the pf equivalent of iptables' FORWARD chain is
23:04 < altker128> Yeah
23:04 < altker128> I have it working quite nicely on Linux
23:21 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
23:22 -!- pissfrog [~chatzilla@174.1.106.94] has quit [Ping timeout: 255 seconds]
23:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
23:22 -!- mode/#openvpn [+o syzzer] by ChanServ
23:28 -!- ShadniX [dagger@p5481DDD5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:31 -!- ShadniX [dagger@p5DDFE2CF.dip0.t-ipconnect.de] has joined #openvpn
23:43 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:4855:de9a:6309:6644] has joined #openvpn
--- Day changed Tue Nov 04 2014
00:02 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
00:02 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
00:11 < rap_wrk> On the server ipp.txt shows "rap_wrk,10.8.0.4"
00:11 < rap_wrk> and when I connect to the VPN I get an IP of 10.8.0.6
00:11 < rap_wrk> an anyone tell me why there is a skew of 2 between the IP shown in ipp.txt and the address given by the VPN
00:11 < rap_wrk> I notice the same change between ipp.txt and the IP on the client for other connections too.
00:13 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Remote host closed the connection]
00:18 -!- Netsplit *.net <-> *.split quits: AlexRussia, Shiftos, scyld, +s7r, DrCode
00:20 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
00:20 -!- mode/#openvpn [+v RBecker] by ChanServ
00:26 -!- Netsplit over, joins: AlexRussia
00:56 <@krzee> rap_wrk,
00:56 <@krzee> !/30
00:56 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
00:56 <@krzee> but you should also know:
00:56 <@krzee> !ipp
00:56 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
00:58 <@krzee> altker128, nothing special, pf is pretty easy, you'll probably find #freebsd helpful
00:58 <@krzee> !pfnat
00:58 <@vpnHelper> "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
00:58 <@krzee> !fbsdforward
00:58 <@krzee> !factoids search forward
00:58 <@vpnHelper> 'winipforward', 'linipforward', 'fbsdipforward', 'linportforward', 'osxipforward', 'ipforward', and 'forwardsecurity'
00:58 <@krzee> !fbsdipforward
00:58 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
01:00 < altker128> krzee: Yeah, asking :)
01:01 -!- ValdikSS [~valdikss@2001:470:28:22f::1000] has quit [Ping timeout: 265 seconds]
01:12 < altker128> For random usage, any preference using TCP over UDP for OpenVPN?
01:12 <@krzee> !tcp
01:12 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
01:16 <@krzee> !mitm
01:16 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
01:20 < altker128> krzee: Do you use FBSD with OpenVPN BTW?
01:20 <@krzee> not that it matters, but yes
01:21 < altker128> OK.  Do you use it behind a firewall?
01:21 <@krzee> are you trying to ask if i will help you with pf?
01:21 < altker128> No.
01:21 <@krzee> then whats your real question
01:21 <@krzee> just ask it
01:21 < altker128> I can figure PF out, I've done it in the past, I've used OpenBSD
01:22 < altker128> Umm, I've never had a server (previously) directly face "the Internets" so I'm a bit concerned about additional (sane) rules to add and if it's necessary.  I don't plan to have any other open ports including SSH.
01:22 <@krzee> !hmac
01:22 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls
01:22 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
01:23 < altker128> Yes, I'm using HMAC in my currently firewalled setup.
01:23 <@krzee> you can think of tls-auth as a layer7 firewall
01:23 <@krzee> kinda
01:24 < altker128> I'm debating between using a pfSense machine with it's OpenVPN setup (easy to setup, not totally comfortable with security) or doing a minimal FBSD install.
01:24 <@krzee> how did your previous servers connect to the internet?
01:24 < altker128> They're sitting behind a firewall, with the specific port forwarded to OpenVPN.
01:25 < altker128> Perhaps it's a minor difference, but I felt a bit more comfortable with that.
01:25 <@krzee> port forwarded, so on their own 1918 lan subnet?
01:25 < altker128> NAT'd too
01:25 <@krzee> hehe
01:25 <@krzee> so like a home network setup
01:25 < altker128> Yeah
01:26 <@krzee> want a cool thing to play with?
01:26 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
01:26 < altker128> uhhh...that sounds a bit odd :)
01:26 <@krzee> try setting up a transparent freebsd bridge as a firewall
01:27 < altker128> You meant have like dc0 <--> xl0 and sniff between?
01:27 <@krzee> it wont increment the traceroute (invisible) will have no ip address, but will perform all firewall, IDS, IPS
01:27 <@krzee> well didnt mean for sniffing but ya thats an option too
01:28 < altker128> OK, so if I deploy the server, it'd be one NIC to "the Internet", no other ethernet ports used
01:28 <@krzee> but the computers still get the ips from the other side of the bridge, not from the firewall
01:28 <@krzee> well im talking about something for you to play with for fun and learning, not for that setup
01:28 <@krzee> but rather since you have only had networks setup like a home network
01:29 < altker128> Yeah
01:29 < altker128> I guess I'm just trying to figure if I make this Internet facing, what other PF rules / firewall rules might I want
01:29 < altker128> Which is a bit of a rabbit hole to go down.
01:29 <@krzee> its more like this:
01:30 < altker128> Bear in mind, I don't plan to run any other services.
01:30 <@krzee> block everything, allow what you need.
01:30 <@krzee> personally i dont even allow sshd outside of the vpn
01:30 < altker128> Yeah, that's pretty much UDP on whatever VPN traffic I want
01:30 < altker128> err
01:30 < altker128> UDP port blah that I decide on for OpenVPN
01:30 <@krzee> right
01:30 <@krzee> sounds pretty simple.
01:30 <@krzee> not very freebsd specific either
01:31 <@krzee> kinda like "same thing for all os"
01:31 <@krzee> :-p
01:31 < altker128> Yeah, more or less
01:31 < altker128> FBSD using PF makes it even better to be honest
01:31 <@krzee> true enough, pf is nice.
01:52 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
02:05 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
02:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 244 seconds]
02:14 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:30 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
02:39 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:41 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:43 -!- dazo_afk is now known as dazo
02:46 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
02:49 -!- kszarlej [~kszarlej9@doe152.neoplus.adsl.tpnet.pl] has joined #openvpn
02:50 < kszarlej> Hey guys, I have a vpn server and a vpn client configured. I am able to connect to the remote server, and from my desktop I can for example use vnc to this server through vpn address (10.8.0.1) but i cant access its resources \\10.8.0.1
02:50 < kszarlej> what can be wrong?
02:58 -!- phaidros [~phaidros@ghostshell.subsignal.org] has quit [Read error: Connection reset by peer]
03:03 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
03:16 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:23 -!- Shiftos [~shiftos@127.0.0.1] has joined #openvpn
03:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
03:32 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:33 -!- Shiftos [~shiftos@127.0.0.1] has quit [Read error: Connection reset by peer]
03:43 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:48 -!- TBJoe [~TBJoe@drms-4d0d8c45.pool.mediaways.net] has joined #openvpn
03:54 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
03:59 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:04 < rap_wrk> !iporder
04:04 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
04:04 < rap_wrk> !static
04:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
04:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:09 < rap_wrk> krzee: Thanks, that makes things much clearer
04:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:21 -!- kszarlej [~kszarlej9@doe152.neoplus.adsl.tpnet.pl] has quit []
04:29 -!- ckorzhik [~user@46.72.27.89] has joined #openvpn
04:41 -!- ckorzhik [~user@46.72.27.89] has quit [Ping timeout: 240 seconds]
04:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:44 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
04:49 -!- mattock is now known as mattock_afk
04:55 -!- Latrina [~Latrina@151.56.175.39] has quit [Ping timeout: 264 seconds]
05:00 -!- Latrina [~Latrina@adsl-ull-228-249.45-151.net24.it] has joined #openvpn
05:35 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:44 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:44 -!- mode/#openvpn [+v s7r] by ChanServ
06:47 -!- rap_wrk [~rap_wrk@unaffiliated/rap-wrk/x-769542] has quit [Ping timeout: 272 seconds]
06:53 -!- mattock_afk is now known as mattock
07:40 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has quit [Ping timeout: 244 seconds]
07:44 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has joined #openvpn
08:11 -!- fabio_ [~fabio@bl18-214-242.dsl.telepac.pt] has joined #openvpn
08:11 < fabio_> hi everyone
08:12 < fabio_> to have a openvpn client, do i need to open firewall?
08:12 < fabio_> via udp
08:12 < fabio_> here's what im doing. i've got an  remote open vpn server
08:13 < fabio_> and i've installed openvpn client on openwrt router
08:13 < fabio_> i want to acces the router trouth the server
08:33 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:45 -!- thebloggu [~thebloggu@brg.eurotux.com] has joined #openvpn
08:47 -!- Droolio [~drool@host86-162-40-230.range86-162.btcentralplus.com] has joined #openvpn
09:05 < shio> firewall or router?
09:06 < shio> if your client is going to act like a server (with the client-to-client directive), you should also open the port on the client's router
09:39 -!- mode/#openvpn [-b *!*@gateway/web/*] by ecrist
09:40 -!- mode/#openvpn [+b $~a:*!*@gateway/web/*] by ecrist
09:42 -!- mode/#openvpn [-b $~a:*!*@gateway/web/*] by ecrist
09:42 -!- flarn [4b62ce02@gateway/web/freenode/ip.75.98.206.2] has joined #openvpn
09:43 <@ecrist> is this thing on?
09:43 -!- mode/#openvpn [-o ecrist] by ecrist
09:43 < ecrist> is it still on?
09:44 -!- mode/#openvpn [+o ecrist] by ChanServ
09:44 < Ahrotahntee> blocking all web clients?
09:44 -!- mode/#openvpn [-q $~a:*!*@gateway/web/*] by ecrist
09:44 <@ecrist> yes, it's been policy
09:45 -!- mode/#openvpn [-q *!*@gateway/web/*] by ecrist
09:45 <@ecrist> how about now, flarn?
09:45  * flarn taps the mic
09:45 < flarn> Ah ha!
09:46 -!- mode/#openvpn [+q $~a:*!*@gateway/web/*] by ecrist
09:46 <@ecrist> once more?
09:46 <@ecrist> :\
09:46 -!- mode/#openvpn [-q $~a:*!*@gateway/web/*] by ecrist
09:47 <@ecrist> I"ll just leave the ban off until someone comes in and screws it up for everyone again
09:47 < flarn> I will feel terrible if that happens. :)
09:49 < Ahrotahntee> you could add an exclude for flarn specifically
09:49 < Ahrotahntee> if they're the one you want
09:51 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
09:51 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
10:03 -!- mode/#openvpn [+b pants!*@*] by Eugene
10:04 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: No route to host]
10:04 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
10:48 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit1]
10:48 -!- fabio_ [~fabio@bl18-214-242.dsl.telepac.pt] has quit [Ping timeout: 256 seconds]
11:11 -!- Denial [~Denial@host86-149-248-163.range86-149.btcentralplus.com] has joined #openvpn
11:14 -!- SLAiNTRAX [~SLAiNTRAX@unaffiliated/slaintrax] has joined #openvpn
11:16 < SLAiNTRAX> hello, I'm having issues getting access to a remote lan using openvpn. I'm using openvpn with TUN mode. What I want to do is connect remote from a customer site and be able to access clients on the lan at work without passing all of my traffic through the vpn. Clients are on 10.0.2.0/24 and LAN network is on 10.0.0.0/24
11:18 < SLAiNTRAX> VPN connects fine and gets an IP, but cannot access anything on 10.0.0.0/24
11:18 -!- dazo is now known as dazo_afk
11:21 <@Eugene> !serverlan
11:21 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
11:21 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
11:21 <@Eugene> Flowchart time ^
11:22 < SLAiNTRAX> http://i.imgur.com/ukQytmj.png
11:28 < ValdikSS> SLAiNTRAX: What device is this? It looks like IPsec configuration page for me
11:28 < SLAiNTRAX> pfsense
11:29 < ValdikSS> SLAiNTRAX: Are you sure this is OpenVPN?
11:29 < SLAiNTRAX> yep 100%
11:29 < ValdikSS> SLAiNTRAX: Oh sorry, just scrolled down and it is indeed openvpn
11:30 < SLAiNTRAX> makes no sense. I have allowed any openvpn traffic to pass to lan
11:34 < SLAiNTRAX>           0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.40     10
11:34 < SLAiNTRAX>          10.0.0.0    255.255.255.0         10.0.0.1         10.0.2.6     20
11:34 < SLAiNTRAX>          10.0.0.0    255.255.255.0         10.0.2.5         10.0.2.6     20
11:34 < SLAiNTRAX>          10.0.2.0    255.255.255.0         10.0.2.5         10.0.2.6     20
11:40 -!- devops_321 [~shahidpaz@117.253.168.195] has joined #openvpn
11:55 -!- pissfrog [~chatzilla@S01060015001ccce2.vs.shawcable.net] has joined #openvpn
11:56 < pissfrog> !poodle
11:56 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
11:57 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
12:02 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:02 -!- mode/#openvpn [+o syzzer] by ChanServ
12:08 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Remote host closed the connection]
12:09 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:18 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
12:23 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
12:23 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
12:24 < harshar> !welcome
12:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:27 < harshar> hi. I am trying to understand what the 'auth-token' directive does. what is its use when not using the management interface?
12:37 <@Eugene> I'm not familiar with an --auth-token directive; only --management <ip> <port> [<pw-file>]
12:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
12:44 < harshar> Eugene, it was introduced in OpenVPN 2.3. https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
12:44 <@vpnHelper> Title: ChangesInOpenvpn23 – OpenVPN Community (at community.openvpn.net)
12:44 < harshar> What is its use case?
12:44 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:46 <@Eugene> !man
12:46 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
12:46 <@Eugene> I've never heard of it; it isn't in the 2.3 man page.
12:46 <@Eugene> So I don't know what to tell you
12:46 <@Eugene> The changlog for alpha1 explains it
12:47 <@Eugene> But I don't know that it actually made it to release ;-)
12:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:48 -!- mode/#openvpn [+o syzzer] by ChanServ
12:59 -!- liriel [~liriel@asia.feralhosting.com] has quit [Quit: bye]
13:04 -!- thebloggu [~thebloggu@brg.eurotux.com] has quit [Remote host closed the connection]
13:06 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:08 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
13:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
13:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
13:14 -!- mode/#openvpn [+o syzzer] by ChanServ
13:21 -!- meekatron [~meekatron@ec2-54-171-198-45.eu-west-1.compute.amazonaws.com] has joined #openvpn
13:22 -!- Kottizen [martin@trekweb/supporter/kottizen] has joined #openvpn
13:23 < meekatron> I have a question that will have been asked a thousand times, running my openvpn server on ubuntu 14.04 how can i create .ovpn files easily for clients. Ive searched everywhere and cant seem to find a solution.
13:23 < Kottizen> Hi everyone. I have just downloaded the OpenVPN app for Iphone and I am facing difficulties importing my .ovpn file to it. How do I get the ovpn file to the app? Unfortunately I cannot synchronize my phone via Itunes.
13:23 <@krzee> meekatron, with a text editor
13:23 <@krzee> Kottizen,
13:23 <@krzee> !iphone
13:23 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
13:24 < Kottizen> krzee, that's what my .ovpn file looks like. The CA is inline, and the server uses a username/password combination to authenticate users.
13:25 < Kottizen> krzee, unfortunately I get a "read error" in OpenVPN when opening the attached .ovpn file I sent to myself as an email.
13:25 < meekatron> krzee: thought as much. :(
13:27 <@krzee> Kottizen, it doesnt give anything more than "read error" ?
13:28 -!- arist0v-work [~arist0v-w@unaffiliated/arist0v] has joined #openvpn
13:28 < Kottizen> krzee, http://wstaw.org/m/2014/11/04/plasma-desktopoq2674.png
13:28 < Kottizen> krzee, the same file works in Android and Linux.
13:29 < arist0v-work> Hello, i'm planning my openvpn server, and i would like to know wich option did i need to put in the server config file if i wan't manuall set a dhcp server on the vpn server that will provide dhcp to tun0 iface
13:29 <@plaisthos> !inline
13:29 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
13:29 <@plaisthos> Kottizen: see that
13:33 < Kottizen> plaisthos, thank you! If I try another approach, downloading the file via Safari, do you know how I would make it open in OpenVPN? Currently Safari only displays the file web browser, despite me running this to explicitly get it downloaded: http://wklej.org/id/1509430
13:33 <@vpnHelper> Title: Wklejka #1509430 – Wklej.org (at wklej.org)
13:33 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:34 < Kottizen> Might not be entirely relevant to OpenVPN any more, but still...
13:45 < Kottizen> I think I solved the issue; the .ovpn file accidentally still had a reference to "ca kottvpn.crt". I should have removed that when I added the <ca> tags.
13:53 <@plaisthos> :)
13:53 <@plaisthos> depending on which android app you used that might have lead to problem or not
13:53 < arist0v-work> plaisthos, did you have idea for my case??sorry to disturb
13:54 <@plaisthos> OpenVPN for Android only parses the last ca option
13:54 <@plaisthos> arist0v-work: for tun you cannot use dhcp
13:55 < arist0v-work> plaisthos, but if i use tap it will automaticly access my own network?
13:55 < arist0v-work> plaisthos, is there a way to assign ip based on mac adresse of remote client?
13:55 <@plaisthos> for tap there is server-bridge but that works only with windows clients
13:55 < arist0v-work> with tun
13:55 -!- puskin [~puskin@95.234.58.154] has joined #openvpn
13:56 <@plaisthos> arist0v-work: mac of what?
13:56 <@plaisthos> the tun device has no mac
13:56 < arist0v-work> plaisthos, i will be more explicit
13:56 < arist0v-work> i would like to provide static ip to some client but on the server side
13:57 < arist0v-work> and not based on the client name since i need to allow multiple connection for same user
13:57 < arist0v-work> on the mac adress sorry
13:57 < puskin> hi
13:58 <@plaisthos> what mac address?
13:58 <@plaisthos> of the ethernet device?
13:58 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Max SendQ exceeded]
13:58 < arist0v-work> yep
13:58 <@plaisthos> of the wifi device?
13:58 < puskin> !git
13:58 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://git.code.sf.net/p/openvpn/openvpn or (#2) For the development git tree: git://git.code.sf.net/p/openvpn/openvpn-testin or (#3) Browse the git repositories here: http://sourceforge.net/p/openvpn/openvpn-testing/ci/master/tree/ or (#4) See !git-doc how to use git or (#5) git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png
13:58 < arist0v-work> from the client
13:58 <@plaisthos> push-peer-info *might* send that
13:58 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
13:58 <@plaisthos> I am not sure
13:59 < arist0v-work> so i can received the mac adresse but can i assign ip from server side based on this?
13:59 <@plaisthos> and then you can if you use  management interface on the server or oepnvpn master with a scrript
13:59 <@plaisthos> but it is probably still not a good idea
14:00 < arist0v-work> how could i do something like that? does it exist a way to do it?
14:00 <@plaisthos> arist0v-work: no :)
14:00 < arist0v-work> arf:-( you can only assign ip from client side then!
14:00 <@plaisthos> you would have to build it yourself
14:01 <@plaisthos> arist0v-work: just give different clients different certificates or usernames
14:01 < arist0v-work> probably what i will have to do!
14:01 < arist0v-work> will jsut work on a different way thank you!
14:04 < arist0v-work> so thank you  ;-)
14:04 -!- arist0v-work [~arist0v-w@unaffiliated/arist0v] has left #openvpn ["Quitte"]
14:28 -!- meekatron [~meekatron@ec2-54-171-198-45.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 250 seconds]
14:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:48 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:49 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 250 seconds]
14:49 -!- mirco_ is now known as mirco
15:06 -!- puskin [~puskin@95.234.58.154] has quit [Quit: Leaving...]
15:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
15:08 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
15:12 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
15:13 <@Eugene> Great success at $DAYJOB: not only did bossman get convinced that openvpn>ipsec(finally!), we got approval to deploy pfsense instead of custom rolling a CentOS image.
15:13 <@Eugene> Today is a good day
15:15 -!- cassidyslivers [~cassidysl@185.32.221.32] has joined #openvpn
15:20 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 265 seconds]
15:34 -!- mattock is now known as mattock_afk
15:51 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:53 < Thermi> Eugene: OpenVPN better than IPsec? In what use case?
15:53 <@Eugene> In any use case involving my sanity.
15:53 < Thermi> Hahahahaha.
15:54 < Thermi> So you mean, that it's easier for you.
15:54 <@Eugene> I have an unrivalled bubbling hatred for `ip xfrm`
15:56 -!- ahuemer [~ahuemer@unaffiliated/ahuemer] has quit [Max SendQ exceeded]
15:58 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
15:59 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Max SendQ exceeded]
16:00 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
16:05 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
16:15 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 245 seconds]
16:18 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
16:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 272 seconds]
16:30 -!- ad0nis [ad0nis@unaffiliated/ad0nis] has joined #openvpn
16:32 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
16:32 < ad0nis> I feel like I have to be missing some simple step in my setup... I am trying to setup an OpenVPN server in bridged mode, and I want all client traffic routed out through the vpn tunnel. I am able to authenticate to the VPN successfully from my linux client, however no traffic passes through the tunnel as far as I can tell (the client's connection still leaves its own default route instead of via its shiny new tap0 interface.) Can anyone help point me in
16:33 -!- cassidyslivers [~cassidysl@185.32.221.32] has quit [Ping timeout: 264 seconds]
16:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
16:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:43 -!- mode/#openvpn [+o syzzer] by ChanServ
16:47 <@Eugene> The first problem is that you're using bridging. You probably don't actually need that.
16:47 <@Eugene> !whybridge
16:47 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
16:48 <@Eugene> Once you've commited to doing routing(which is what "routed out through the vpn tunnel" even implies!) then we have a flowchart for you to follow
16:48 <@Eugene> !redirect
16:48 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:48 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:51 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
16:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:07 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:11 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 256 seconds]
17:14 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
17:20 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
17:34 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:41 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
17:45 -!- TBJoe [~TBJoe@drms-4d0d8c45.pool.mediaways.net] has quit [Quit: TBJoe]
17:47 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 245 seconds]
17:49 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
17:54 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 260 seconds]
17:57 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
17:57 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:59 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
18:01 -!- SLAiNTRAX [~SLAiNTRAX@unaffiliated/slaintrax] has quit [Ping timeout: 264 seconds]
18:29 -!- pissfrog [~chatzilla@S01060015001ccce2.vs.shawcable.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 24.8.1/20140923194127]]
18:29 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
18:44 -!- meekatro2 [~meekatron@ec2-54-171-198-45.eu-west-1.compute.amazonaws.com] has joined #openvpn
18:47 < meekatro2> can anyone point me in the right direction to help dns issues when trying to connect to my openvpn via android. My ubuntu client connection works fine, seems to connect on the android device but wont resolve addresses.
19:07 -!- mt [mt@unaffiliated/supermat] has quit [Read error: Connection reset by peer]
19:09 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
19:12 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
19:12 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
19:16 <@Eugene> Sounds like it isn't setting the DNS servers to one accessible via the tunnel
19:18 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:35 -!- funyun [~funyun@162.219.179.83] has joined #openvpn
19:39 < funyun> hi. how can i have multiple vpns in openvpn on ios. i don't want to run more than one at a time, but i want to have options as to which i choose. any help?
19:40 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
19:51 -!- occupant [~null@204.14.158.226] has joined #openvpn
19:54 < occupant> so I had a couple of users get created with zero-length .crts and they can't be revoked
19:54 < occupant> might anyone suggest how I got myself into this situation?
19:58 <@Eugene> Sounds like you bailed out of the cert generation before it was done, so you got a .crt file created, but not actually signed.
19:58 <@Eugene> Take a look at index.txt and see if the cert/key is listed there.
20:00 < occupant> yeah, they're both in the index and listed as valid
20:02 <@Eugene> You should be able to revoke it based upon that, with the proper openssl invocation
20:03 <@Eugene> But if the key/crt has never been handed out(which I suspect is the case), don't bother doing any of it
20:03 <@Eugene> Just create fresh ones
20:03 < occupant> it just complains about how it can't load the zero-length cert
20:03 <@Eugene> Ya, that's because the revoke-full script tries to grab the .crt
20:03 < occupant> yeah, we gave out the keys already but I guess they're worthless without a valid cert ever existing
20:04 < occupant> just create new ones and move on
20:04 <@Eugene> Basically yeah
20:04 <@Eugene> revoking is for when you know a key is in bad hands
20:04 <@Eugene> accidentally no-longer-existing is no problem
20:04 < occupant> well they'll be ex-employees one day but... yeah, it was always broken
20:25 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
20:40 -!- devops_321 [~shahidpaz@117.253.168.195] has quit [Ping timeout: 265 seconds]
20:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
20:46 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:47 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:29 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has joined #openvpn
21:32 -!- L0uk3 [~lukethedr@gateway/tor-sasl/lukethedrifter] has quit [Client Quit]
21:44 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 272 seconds]
21:45 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
21:55 -!- rli [~rli@174.44.3.86] has joined #openvpn
21:59 < rli> I am new to openvpn. can open vpn do following: serverA connect to SeverB by openvpn, and ServerC connect to ServerB by openvpn, then ServerC can access network on ServerA ? any documentation/wiki/howto for this?
22:09 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
22:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:19 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 260 seconds]
22:20 -!- khaldrogox [~anonymous@vpn.simplyhired.com] has joined #openvpn
22:26 <@Eugene> rli - yeah, totally, it's just routing.
22:27 <@Eugene> !howto
22:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
22:27 <@Eugene> That covers getting up the basic infrastructure(clients & server all talking together)
22:27 <@Eugene> !route
22:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
22:27 <@vpnHelper> client
22:27 <@Eugene> !clientlan
22:27 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
22:27 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
22:27 <@Eugene> Then read that document and see the flowchart ^
22:37 -!- khaldrogox [~anonymous@vpn.simplyhired.com] has quit [Quit: khaldrogox]
22:42 -!- khaldrogox [~anonymous@vpn.simplyhired.com] has joined #openvpn
22:51 -!- justinzane [~justinzan@67.21.190.132] has quit [Read error: Connection reset by peer]
22:51 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
22:52 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
22:57 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
23:03 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Max SendQ exceeded]
23:05 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
23:06 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Max SendQ exceeded]
23:08 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
23:10 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has quit [Max SendQ exceeded]
23:11 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
23:27 -!- khaldrogox [~anonymous@vpn.simplyhired.com] has quit [Ping timeout: 265 seconds]
23:28 -!- ShadniX [dagger@p5DDFE2CF.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:28 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
23:30 -!- ShadniX [dagger@p5481C049.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
23:32 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 265 seconds]
23:38 < rli> thanks i will read the howto doc and try it
23:39 < rli> \quit
23:39 -!- rli [~rli@174.44.3.86] has quit [Quit: Leaving]
23:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:48 -!- khaldrogox [~anonymous@75-54-228-226.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
23:49 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
23:57 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
--- Day changed Wed Nov 05 2014
00:00 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 265 seconds]
00:03 -!- funyun [~funyun@162.219.179.83] has quit [Quit: Lost terminal]
00:11 -!- Denial [~Denial@host86-149-248-163.range86-149.btcentralplus.com] has quit [Ping timeout: 256 seconds]
00:13 -!- khaldrogox [~anonymous@75-54-228-226.lightspeed.sntcca.sbcglobal.net] has quit [Quit: khaldrogox]
00:14 -!- cloudbud [c65fe2ec@gateway/web/freenode/ip.198.95.226.236] has joined #openvpn
00:14 < cloudbud> i am using windows machine but cant access my open vpn
00:15 < cloudbud> getting error :
00:15 < cloudbud> Wed Nov 05 11:40:11 2014 Cannot open shared secret file 'C:\Program Files\OpenVP N\config\key.txt' for write: Access is denied.   (errno=5) Wed Nov 05 11:40:11 2014 Exiting due to fatal error Press any key to continue...
00:15 < cloudbud> pl help
00:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:17 -!- tinwhiskers [~rj@unaffiliated/tinwhiskers] has joined #openvpn
00:17 -!- tinwhiskers [~rj@unaffiliated/tinwhiskers] has left #openvpn ["PRIVMSG ##linux :cloudbud: have you tried asking in #openvpn? you may not have noticed but this is ##linux."]
00:18 < cloudbud> Wed Nov 05 11:40:11 2014 Cannot open shared secret file 'C:\Program Files\OpenVP N\config\key.txt' for write: Access is denied.   (errno=5) Wed Nov 05 11:40:11 2014 Exiting due to fatal error Press any key to continue...
00:18 < cloudbud> windows server
00:24 -!- miruss [~miruss@109.86.199.18] has joined #openvpn
00:31 -!- cloudbud [c65fe2ec@gateway/web/freenode/ip.198.95.226.236] has quit [Ping timeout: 246 seconds]
01:16 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
01:28 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Ping timeout: 245 seconds]
01:31 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
01:56 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 256 seconds]
01:59 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
01:59 -!- mode/#openvpn [+o plaisthos] by ChanServ
02:02 -!- miruss [~miruss@109.86.199.18] has quit [Quit: =)]
02:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
02:11 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
02:11 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:12 -!- puskin [~puskin@192.167.215.166] has joined #openvpn
02:17 -!- puskin [~puskin@192.167.215.166] has quit [Ping timeout: 255 seconds]
02:22 -!- defswork [~andy@141.0.50.98] has joined #openvpn
02:35 -!- mattock_afk is now known as mattock
02:58 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
03:01 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
03:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 265 seconds]
03:37 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 258 seconds]
03:47 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 265 seconds]
03:49 -!- dazo_afk is now known as dazo
04:00 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:03 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
04:04 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:08 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:09 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
04:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
04:32 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:10 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Quit: ZNC - http://znc.in]
05:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Client Quit]
05:40 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has quit [Ping timeout: 265 seconds]
05:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:43 -!- Ice_Strike [~Ice_Strik@84.92.51.164] has joined #openvpn
05:44 < Ice_Strike> I want to install OpenVPN on ubuntu which will connect to a VPN provider.
05:44 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Client Quit]
05:45 < Ice_Strike> I want a client on other machine to connect to installed OpenVPN
05:45 < Ice_Strike> is it possible?
05:45 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:46 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
05:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:52 -!- Voyage [~user1@DSL-202-59-94-188.nexlinx.net.pk] has joined #openvpn
05:52 < Voyage> hi
05:52 < Voyage> my skype calling to a U.S number does not works via my ISP, I have a vps, I plan to make ssh tunnel and do all by that. Is it possible? and will it be of help?
05:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:29 <@krzee> Voyage, your question has nothing to do with openvpn
06:35 < Voyage> krzee,  I though you were going to say " install openvpn "
06:37 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
06:39 <@krzee> well ya probably, i doubt ssh tunnels will work
06:39 <@krzee> they only tunnel tcp, i bet skype uses a bunch of udp
06:40 <@krzee> https://en.wikipedia.org/wiki/Skype_protocol#UDP
06:40 <@krzee> yep
06:40 <@vpnHelper> Title: Skype protocol - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:43 -!- mattock is now known as mattock_afk
06:44 <@ecrist> most of your real-time stuff is going to use UDP
06:44 < Voyage>  how can I use a tunnel / vpn for skype only and not for other communications?
06:45 <@krzee> thats not how openvpn works, maybe try a real socks proxy instead of ssh tunnels
06:45 <@krzee> or if you trust openvpn more, do what i do...
06:45 <@krzee> run a socks proxy inside the vpn
06:45 < Voyage> how to set up that proxy for skype?
06:45 <@krzee> by configuring skype to use it
06:45 <@ecrist> you can set ssh up to be a socks proxy
06:45 <@krzee> ecrist, tcp only.
06:45 < Voyage> ok
06:45 <@krzee> a REAL socks proxy does udp too, ssh proxy doesnt
06:47 < Voyage> hm
06:47 <@krzee> dante does udp just fine, for example.
06:47 < Voyage> so ssh -D 39101     wont work?
06:47 <@krzee> no, not for udp
06:47 <@krzee> as i said 3 times now...
06:47 < Voyage> hm.
06:47 < Voyage> openvpn is the only thing to do then
06:48 -!- mattock_afk is now known as mattock
06:48 <@krzee> not really, openvpn does not route by app
06:48 <@krzee> you probably want a real socks proxy
06:48 <@krzee> am i on your ignore list or something? i already said all of this
06:48 <@krzee> !routebyapp
06:49 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
06:49 <@vpnHelper> policies you set. For Linux, read about !lartc
06:49 < Voyage> krzee,  ok
06:59 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
07:06 < Ice_Strike> after creating OpenVPN client in pfsense... the interface OPT1 is missing in  Interfaces->(assign)?
07:06 <@krzee> !pfsense
07:06 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:23 -!- Voyage [~user1@DSL-202-59-94-188.nexlinx.net.pk] has quit [Ping timeout: 244 seconds]
07:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:40 < meekatro2> can anyone suggest how to solve dns issues with android clients connecting to my vpn? I can connect perfectly through ubuntu. The server is running on a ubuntu image on aws.
07:41 <@plaisthos> meekatro2: if you use openvpn for android and have a high enough log level it will tell you the configured network settings
07:41 <@plaisthos> see what dns server it claims to use
07:41 <@plaisthos> or paste a log
07:46 < meekatro2> plaisthos: cheers i will up the log the log level and give it  a go.
07:50 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: No route to host]
07:51 -!- meekatro2 [~meekatron@ec2-54-171-198-45.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 256 seconds]
07:57 -!- meekatron [~meekatron@host86-175-139-119.range86-175.btcentralplus.com] has joined #openvpn
07:57 < Ice_Strike> on Ubuntu, I am using this command to connect to a VPN provider "sudo openvpn Netherlands.ovpn"
07:57 < Ice_Strike> It seem to be working
07:58 < Ice_Strike> however, how to go back to console without disconnecting a VPN connection?
08:05 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:05 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 250 seconds]
08:05 < meekatron> plaisthos: here is a link to my log when android connects. http://pastebin.com/KzxXnP1Q and a copy of server.conf. I have put bind on my system to try and resolve things so here is a cop of named.conf.options http://pastebin.com/eDQErtEs.
08:06 < meekatron> server.conf http://pastebin.com/wzKh5YPL
08:07 < meekatron> Ice_Strike: try "sudo openvpn Netherlands.ovpn &" not sure if that will work but worth a try
08:12 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
08:13 <@plaisthos> meekatron: no a log of the client
08:14 <@plaisthos> OpenVPN for Android has a share menu entry in the log window
08:24 -!- xamox [~xamox@c-68-42-242-42.hsd1.mi.comcast.net] has joined #openvpn
08:26 < xamox> What ports do I need to have open on my firewall to use OpenVPN?  I've tested in the lab with external firewall blocking all inbound, and only allowing outbound port 53 (UDP) and 1194 (UDP) and this seemed to work.  But trying to deploy a system where I don't have control of the firewall.  It seems only allowing outbound doesn't work for some reason.  Do I need to allow inbound as well?
08:34 < meekatron> plaisthos: couldnt find the share option on the log file. here is screenshots from log http://goo.gl/E9A70Y :)
08:34 <@vpnHelper> Title: screenshots (at goo.gl)
08:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
08:43 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:43 < meekatron> damm seems to be more than a dns issue :( just tried googles IP with no joy
08:47 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
08:58 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:17 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 256 seconds]
09:18 -!- abbe_ [having@badti.me] has joined #openvpn
09:19 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 256 seconds]
09:19 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 256 seconds]
09:20 -!- abbe [having@badti.me] has quit [Ping timeout: 256 seconds]
09:20 -!- deranged_user [deranged@lolnerd.net] has quit [Ping timeout: 256 seconds]
09:22 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
09:23 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:23 -!- deranged_user [deranged@lolnerd.net] has joined #openvpn
09:23 -!- abbe_ is now known as abbe
09:24 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
09:24 -!- meekatron [~meekatron@host86-175-139-119.range86-175.btcentralplus.com] has quit [Ping timeout: 256 seconds]
09:24 < KaiForce> Is OpenVPN-gui working in Win 8.1 or do we still need to do something like:  http://whattheserver.me/billing/knowledgebase/60/Openvpn-Windows-81-How-To.html
09:24 <@vpnHelper> Title: Openvpn Windows 8.1 How To - Knowledgebase - What The Server (at whattheserver.me)
09:25 -!- meekatro1 [~meekatron@host86-175-139-119.range86-175.btcentralplus.com] has joined #openvpn
09:27 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:46 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
09:49 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:51 < xamox> Do I need to have inbound ports open on the client to connect to VPN server?
10:03 < DArqueBishop> No. (At least, not in my experience.)
10:11 -!- elfixit1 [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
10:19 -!- meekatro1 [~meekatron@host86-175-139-119.range86-175.btcentralplus.com] has quit [Ping timeout: 265 seconds]
10:20 < KaiForce> xamox: No.
10:20 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:20 < Ice_Strike> Is there a way to exclude website IP address in openvpn config so it will redrect to default gateway?
10:23 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:31 < xamox> KaiForce, I didn't think so but for some reason one of the clients won't connect unless inbound 1194 is open.  If it's closed getting the following error: TLS Error: TLS key negotiation failed to occur within 60 seconds
10:31 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:33 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:35 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Client Quit]
10:36 <+s7r> KaiForce OpenVPN-gui works just fine in windows 8.1
10:36 <+s7r> make sure you run it as administrator if you want it to be able to modify the routing table in Windows
10:36 <+s7r> and make sure you don't have an activator like KMSgui KMSEldi or KMSservice which uses the tun device to create a connection to the licensing server, therefore disconnecting the VPN
10:37 <+s7r> if you face the latter situation, you need to add another tap adapter, rename it to OpenVPN for example and use in the client config dev-node OpenVPN in order for the openvpn instance to use the second adapter
10:37 <+s7r> and you do not need any INBOUND open ports at all on the client side.
10:37 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:47 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
10:48 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:51 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
10:52 -!- deranged_user [deranged@lolnerd.net] has quit [Quit: et nos unum sumus]
11:14 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
11:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Client Quit]
11:23 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:34 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 244 seconds]
11:42 < xamox> s7r, okay thanks, I thought that was the case
12:02 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has quit [Read error: Connection reset by peer]
12:03 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
12:03 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 255 seconds]
12:11 -!- winsoff [~foo@144.35.99.208] has joined #openvpn
12:11 < winsoff> Can the OpenVPN server see what traffic the user is sending?
12:11 < winsoff> Or is it encrypted?
12:11 -!- mattock is now known as mattock_afk
12:16 -!- tpw_rules [tpw_rules@2600:3c03::f03c:91ff:fe93:20aa] has joined #openvpn
12:16 < tpw_rules> i'm having a weird problem. Sometimes, the openvpn process is listed in OSX Activity Monitor as having sent many hundreds of megabytes all at once, mostly if the connection is lost or remade
12:37 < esde> winsoff, i think that's implied.
12:37 < esde> (that the server can see traffic as it passes through)
12:38 < winsoff> But is that traffic easily decrypted by the server?
12:38 < esde> What you're asking is extremely confusing.
12:38 < winsoff> How can I make a connection through a server that cannot have its contents spilled to the relaying server?
12:39 < esde> winsoff, if you use no security, the server can see everything because it is in plaintext.
12:40 < winsoff> So the security of the connection is between me and the other endpoint, right?  We have to employ some sort of TLS?
12:41 < KaiForce> s7r: thanks for the info.  I have a user running into problems.
12:41 < esde> What you're asking is illogical.
12:41 < esde> The security in openvpn assumes you trust the server, if you dont, then why the hell are you using it to begin with?
12:42 <@Eugene> winsoff - openvpn provides an encrypted PtP link from client(s)<-->server. The traffic passing through that tunnel is unmolested by openvpn
12:42 <@Eugene> If it's plaintext then its plaintext.
12:42 < winsoff> Eugene: Oh, okay.  So just to the server.  Therefore, my local router is unable to see the traffic, but outside of my VPN, everything is normal as always.
12:42 < esde> If it's encrypted, server and client can see the plain traffic, but the internet (and everyone else) cannot
12:43 <@Eugene> Once it leaves the tunnel, yes, it's just normal traffic.
12:43 < winsoff> And esde: I just wanted to know if I could configure my server to promise that the server couldn't sniff the traffic of users.  I mean, it sounds ludicrous, but I was just curious.
12:43 <@Eugene> The packets between the client(s) and server are encapsulated, and will appear as UDP:1194(or whatever other port you're using)
12:43 < esde> Thats the thing, the server is all-knowing
12:44 < winsoff> Is there a way to connect to my VPN through a restrictive firewall?
12:44 <@Eugene> !factoids
12:44 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:44 <@Eugene> We have a fact for it, hang on
12:44 <@Eugene> !obfs
12:44 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation or (#3) in client/server mode an admin can know that openvpn is being used. in
12:44 <@vpnHelper> static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
12:45 < winsoff> Ah, neat.
12:45 < winsoff> thank you.
12:46 <@dazo> winsoff: each VPN entry/exit point have two sides .... one side (the one going over open Internet) is encrypted (that's the TCP/UDP configuration part of OpenVPN) ... and then there is one local part, which is the TUN/TAP adapter.    On both sides, the TUN/TAP part will be unencrypted and can be observed by a local user on the server, with the right privileges ..... the traffic going over the UDP/TCP connection between the OpenVPN instances
12:46 <@dazo> over the Internet will be encrypted, and thus much harder to decode
12:47 < winsoff> Ah, okay.
12:48 <@dazo> (how hard it is to decode, depends entirely on what kind of cipher is being used, just so that's said too ... choosing --cipher none will remove any encryption)
12:49  * esde loves ciphers
12:49 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Remote host closed the connection]
12:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
13:05 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
13:06 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 250 seconds]
13:08 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
13:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
13:23 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
13:27 -!- mattock_afk is now known as mattock
13:42 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has quit [Remote host closed the connection]
13:50 -!- harshar [~harsh@202.3.77.215] has quit [Quit: Leaving]
13:53 -!- bakhtiya [~me@office.addictivemobility.com] has quit []
14:02 -!- winsoff [~foo@144.35.99.208] has quit [Ping timeout: 258 seconds]
14:20 -!- dimitry7 [dimitry7@26c-002.static.bnc4free.com] has joined #openvpn
14:20 < dimitry7> openvpn adds compression to the data it sends?
14:21 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
14:22 <@dazo> dimitry7: if you add --comp-lzo or --compress to your server+client configs
14:23 < dimitry7> shit!
14:23 < dimitry7> true
14:23 < dimitry7> dazo, better bandwidth usage isnt it?
14:26 <@dazo> dimitry7: depends on the data you transfer ... compressing already compressed data often increases the bandwidth slightly and wastes CPU cycles on nothing
14:26 < dimitry7> dazo, yeah... you are right.
14:26 < dimitry7> Thanks dazo!
14:29 <@dazo> you're welcome!
14:29 -!- mattock is now known as mattock_afk
14:32 -!- dazo is now known as dazo_afk
14:35 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 265 seconds]
14:38 -!- Latrina [~Latrina@adsl-ull-228-249.45-151.net24.it] has quit [Ping timeout: 245 seconds]
14:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
14:40 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:40 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
14:40 -!- Latrina [~Latrina@adsl-ull-217-245.45-151.net24.it] has joined #openvpn
14:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
14:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:41 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:55 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 245 seconds]
14:57 -!- elfixit1 [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Ping timeout: 265 seconds]
14:57 -!- xamox [~xamox@c-68-42-242-42.hsd1.mi.comcast.net] has quit [Quit: Leaving]
15:01 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
15:01 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
15:29 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
15:32 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
15:36 < brad_mssw> I've got a scenario I'm trying to figure out.  I want to set up an OpenVPN server in routed mode where I drop different users into different subnets (which appears possible via user ccd).  Anyhow, the main question is I want the control over the subnet to subnet access for the different users connecting to eachother to occur via the main firewall and NOT via firewall rules within the openvpn server
15:37 < brad_mssw> I'm thinking of using multiple routing tables for this so it doesn't try to route to what it would otherwise see as a locally connected subnet
15:37 < brad_mssw> but i've never attempted to do something like that before so just wondering if I'm off base
15:38 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:40 < brad_mssw> to clarify ... firewall is 10.0.0.1, vpn server is in 10.0.0.55 in 10.0.0.0/24 network, vpn clients will be dropped into 10.0.1.0/24 and 10.0.2.0/24 depending on privilege level...    I want traffic attempting to traverse  10.0.1.0/24 <-> 10.0.2.0/24 to go through 10.0.0.1 rather than direct routing on linux since they're both locally connected subnets
15:43 < brad_mssw> obviously the main firewall will have a static route for 10.0.1.0/24 and 10.0.2.0/24 pointing to 10.0.0.55
15:57 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.0.2/20141027150301]]
15:59 -!- brad_mssw [~brad@shop.monetra.com] has quit [Quit: Leaving]
16:17 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 256 seconds]
16:21 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds]
16:25 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
16:25 -!- mode/#openvpn [+o dazo_afk] by ChanServ
16:26 -!- dazo_afk is now known as dazo
16:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:37 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
16:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:05 -!- tpw_rules [tpw_rules@2600:3c03::f03c:91ff:fe93:20aa] has left #openvpn ["Evil will always triumph, because good is dumb."]
17:22 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 244 seconds]
17:24 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
17:24 -!- mode/#openvpn [+o dazo_afk] by ChanServ
17:24 -!- dazo_afk is now known as dazo
17:42 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
17:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:49 -!- omgonoz [472a90aa@gateway/web/freenode/ip.71.42.144.170] has joined #openvpn
17:49 < omgonoz> I need to override a single route directive that's pushed by the server
17:49 < omgonoz> on the client
17:49 < omgonoz> how would I do that? route-nopull disables all routes that get pushed from the server, iirc.
17:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
17:52 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
18:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:02 -!- omgonoz [472a90aa@gateway/web/freenode/ip.71.42.144.170] has quit [Quit: Page closed]
18:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
18:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:32 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:02 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:21 -!- jotterbot [~jotterbot@103.4.236.30] has joined #openvpn
19:53 -!- Kniaz is now known as xk0tx
19:53 -!- xk0tx is now known as Kniaz
21:05 -!- tregeagle [~tregeagle@2001:44b8:3190:6700:4431:bbbf:4711:4c50] has joined #openvpn
21:08 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Quit: i don’t know why i think pressing ctrl-c harder will help.]
21:13 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
21:23 < tregeagle> Hooray! After two days I my client is talking to my openvpn server.... but it still is not working :(
21:23 -!- jotterbot [~jotterbot@103.4.236.30] has left #openvpn []
21:24 < tregeagle> I can ping/ssh between server and client but nothing gets passed onto the outside world
21:24 < tregeagle> my conf files are: http://paste.is/6368/
21:25 <+s7r> tregeagle add in your server config the following line:
21:25 <+s7r> push "redirect-gateway def1 bypass-dhcp"
21:25 < tregeagle> the fw rules are currently wide open: http://paste.is/6369/
21:26 < tregeagle> thx, ok...
21:27 <+s7r> restart the openvpn instance on the server and see if it works
21:28 <+s7r> if you are considering privacy, make sure you use the proper dns servers in your openvpn server /etc/resolv.conf file
21:29 < tregeagle> thanks I will. What is the def1 referring to? the server fails to restart with that line added
21:30 <+s7r> you can always install your own DNS resolver like unbound (a light weight server for Debian) and add this line in the server conf push "dhcp-option DNS 10.8.0.1" where you substitute the ip address with your vpn's server IP address
21:31 <+s7r> you do have the IPtables nat / masquarade rules and everything right ?
21:33 < tregeagle> the iptables are what's confusing me.
21:34 <+s7r> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
21:35 <+s7r> are you on Debian at least?
21:36 < tregeagle> yes both machines are running wheezy :)
21:37 <+s7r> that's swell. because of this i will help you
21:37 <+s7r> type on the server
21:37 <+s7r> echo 1 > /proc/sys/net/ipv4/ip_forward
21:37 <+s7r> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source your PUBLIC IP of the server
21:37 <+s7r> substitute 10.8.0.0 with your vpn subnet if different
21:37 <+s7r> then do
21:38 <+s7r> iptables-save > /etc/iptables.rules
21:38 <+s7r> edit with nano /etc/rc.local file and add BEFORE exit 0 line the following:
21:38 <+s7r> iptables-restore /etc/iptables.rules
21:38 <+s7r> this will make sure your iptables persist after a reboot
21:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:39 <+s7r> you can do much more with iptables, limiting, blocking ports, redirecting, etc. but this is just what you need to route the traffic for the clients on the server
21:39 <+s7r> gotto run, have 3 more hours to sleep :) hope you get it fixed
21:39 <+s7r> c ya
21:40 < tregeagle> thanks for your help s7r
21:40 < tregeagle> I'll see what I can do with what you've given me
21:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
22:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:07 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:32 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:27 -!- ShadniX [dagger@p5481C049.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:28 -!- ShadniX [dagger@p5DDFF531.dip0.t-ipconnect.de] has joined #openvpn
23:33 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
23:34 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
23:57 -!- tregeagle [~tregeagle@2001:44b8:3190:6700:4431:bbbf:4711:4c50] has quit [Quit: Ex-Chat]
--- Day changed Thu Nov 06 2014
00:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
00:23 -!- tregeagle [~tregeagle@2001:44b8:3190:6700:4127:8152:988:ee8] has joined #openvpn
00:44 -!- mattock_afk is now known as mattock
01:23 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Quit: No Ping reply in 180 seconds.]
01:24 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
01:29 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
02:05 -!- bacon| [marom@unaffiliated/cowbacon] has joined #openvpn
02:07 < bacon|> Hello, I'm completely new to OpenVPN. I want to disable password authentication so users can only authenticate with certs (similar to sshkey auth only). Is this possible with OpenVPN? If so, whats the relevant config?
02:12 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 244 seconds]
02:14 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
02:23 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
02:43 -!- puskin [~puskin@95.234.58.154] has joined #openvpn
02:44 -!- puskin [~puskin@95.234.58.154] has quit [Client Quit]
02:46 -!- flarn [4b62ce02@gateway/web/freenode/ip.75.98.206.2] has quit [Ping timeout: 246 seconds]
02:50 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 240 seconds]
02:54 -!- Latrina [~Latrina@adsl-ull-217-245.45-151.net24.it] has quit [Ping timeout: 258 seconds]
02:55 -!- Latrina [~Latrina@adsl-ull-247-184.50-151.net24.it] has joined #openvpn
03:36 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
03:52 -!- oodles [~oodles@bob.tdbfusion.com] has joined #openvpn
04:00 < oodles> morning all, I’m running an openvpn host using openvpn-as and would appreciate it if someone could help me with implementing a post_auth script for the first time
04:01 < oodles> I’ve taken the one from here http://openvpn.net/images/scripts/pas.py and modified it to just contain the ad group to openvpn matching but I don’t seem to be able to install it using the following command: ./sacli -a -k auth.module.post_auth.script --value_file=ConfigPut
04:01 < oodles> ERROR: unknown command 'auth.module.post_auth.script': util/options:79,sagent/sacli:832,<string>:1,sagent/sagent_entry:58,sagent/sacli:837,util/options:79,sagent/sacli:832,util/error:61,util/error:44
04:02 < oodles> any assistance would be greatfully received
04:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:16 < tregeagle> Just wanted to thank s7r for the help earlier. Everything is now hunky-dory :)
04:24 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
04:26 -!- havingFun is now known as xrosnight
04:45 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
04:51 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
04:58 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
04:59 -!- s7r_p [~s7r@openvpn/user/s7r] has joined #openvpn
04:59 -!- mode/#openvpn [+v s7r_p] by ChanServ
04:59 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
05:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:07 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has joined #openvpn
05:07 < ShotokanZH> hi there
05:07 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
05:10 < ShotokanZH> anyone knows a webscript (php?) i can load in nginx to configure openvpn via web?
05:10 < ShotokanZH> please don't point out #openvpn-as, it does not work.
05:11 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 265 seconds]
05:23 -!- tregeagle [~tregeagle@2001:44b8:3190:6700:4127:8152:988:ee8] has quit [Quit: Ex-Chat]
05:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
05:36 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:41 < DrCode> hi all
05:41 < DrCode> can I use openvpn dev tun with tcp ?
05:50 -!- oodles [~oodles@bob.tdbfusion.com] has quit [Quit: oodles]
06:11 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 255 seconds]
06:15 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
06:41 <+s7r_p> DrCode no, you can use it with udp too
06:42 <+s7r_p> tun vs. tap has other differences... but both can carry both tcp and udp transfer protocols
06:42 -!- s7r_p is now known as s7r
06:43 -!- newbsduser [~bsd@unaffiliated/newbsduser] has joined #openvpn
06:43 -!- meekatro2 [~meekatron@ec2-54-72-11-206.eu-west-1.compute.amazonaws.com] has joined #openvpn
06:44 < newbsduser> hello, how can i detect or confirm key files are valid or not? i have a lot of key files but i dont know which of them are valid or not
06:44 < meekatro2> if i add this line to me server.conf will it force my clients to use my server dns " push "dhcp-option DNS 10.8.93.1"
06:44 < newbsduser> on my openvpn server
06:59 -!- meekatro2 [~meekatron@ec2-54-72-11-206.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 272 seconds]
07:19 -!- deranged_user [deranged@lolnerd.net] has joined #openvpn
07:31 -!- deranged_user [deranged@lolnerd.net] has quit [Quit: et nos unum sumus]
07:31 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
07:33 < DrCode> thankyou
07:38 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 264 seconds]
07:46 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
07:49 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
08:02 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
08:22 -!- u0m3_ [~u0m3@92.80.112.149] has quit [Read error: Connection reset by peer]
08:32 < ShotokanZH> !pleaseAnyoneActLikeABotAndLinkMeADecentFirstInstallGuide.
08:34 < DArqueBishop> !howto
08:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:34 < DArqueBishop> That's pretty much what I used when I first implemented OpenVPN.
08:34 < ShotokanZH> DArqueBishop, thank you little bot
08:35 < ShotokanZH> DArqueBishop, !if you have it please link a web-configurator too. (not openvpn-as)
08:36 < DArqueBishop> Sorry, not familiar with one.
08:47 < ShotokanZH> DArqueBishop, nice bot, here take a cookie
09:00 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
09:18 -!- dazo is now known as dazo_afk
09:27 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 255 seconds]
09:33 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
09:38 -!- u0m3 [~u0m3@92.80.107.91] has joined #openvpn
09:42 -!- flarn [4b62ce02@gateway/web/freenode/ip.75.98.206.2] has joined #openvpn
09:55 -!- newbsduser [~bsd@unaffiliated/newbsduser] has quit [Ping timeout: 255 seconds]
10:18 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:27 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:30 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
10:30 -!- brad_mssw [~brad@shop.monetra.com] has joined #openvpn
10:31 < brad_mssw> is it possible to use ccds for groups rather than per-user?  Say based off of posix groups?
10:33 -!- Latrina [~Latrina@adsl-ull-247-184.50-151.net24.it] has quit [Ping timeout: 258 seconds]
10:40 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
10:50 -!- Latrina [~Latrina@adsl-ull-28-181.50-151.net24.it] has joined #openvpn
10:59 < brad_mssw> i'm thinking since I'm using username-as-common-name, I should maybe just use a client-connect script and then do a group lookup on the username to figure out what pool to put them in.  However, I guess that means I'll need to do my own pool management for each subnet, but that shouldn't be a huge deal.
11:06 -!- Argure [argure@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
11:12 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
11:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:21 -!- flarn [4b62ce02@gateway/web/freenode/ip.75.98.206.2] has quit [Ping timeout: 246 seconds]
11:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:23 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:34 -!- Ice_Strike [~Ice_Strik@84.92.51.164] has quit [Disconnected by services]
11:35 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
11:47 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
11:50 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
11:54 <@Eugene> That'd be my suggestion, yup.
12:03 -!- ad0nis [ad0nis@unaffiliated/ad0nis] has left #openvpn []
12:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:17 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
12:31 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:39 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
12:45 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
13:05 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:09 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit]
13:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:21 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:31 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:34 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:41 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:42 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:43 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:53 < DrCode> hi all
13:53 < DrCode> can I run openvpn server has dev tun and openvpn client has dev tap?
13:54 < DrCode> I have windows,linux clients and android devices?
13:56 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
14:08 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
14:14 -!- mattock is now known as mattock_afk
14:22 <@syzzer> DrCode: no, you can't
14:23 <@syzzer> both sides must either be tun (layer 3) or tap (layer 2), otherwise they won't be able to talk
14:23 <@syzzer> and prefer tun over tap if you don't know what you need
14:25 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
14:31 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
14:35 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
14:35 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has joined #openvpn
14:35 < Cydrobolt> Hello
14:36 < Cydrobolt> !welcome
14:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:36 < Cydrobolt> !goal
14:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:36 < Cydrobolt> I would like to access my OpenVPN server through port 443 and have the traffic get routed out.
14:37 < Cydrobolt> It currently denies connecitons to 443
14:37 < Cydrobolt> connections**
14:37 < Cydrobolt> I flushed iptable configs and it still doesn't work
14:40 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:40 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
14:42 < Cydrobolt> I can provide the logs if needed
14:43 <@Eugene> OpenVPN listens on UDP:1194 by default
14:44 <@Eugene> YOu can modify this behaviour with the --proto and --port directives, but be aware that TCP listening is not recommended if avoidable
14:44 <@Eugene> !tcp
14:44 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
14:44 < Cydrobolt> How do I make it listen on TCP:443?
14:44 <@Eugene> !man
14:44 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:44 <@Eugene> Set those options in your server config, and the appropriate ones in your client
14:44 < Cydrobolt> I have to use 443 as 1194 is blocked at the location I need to use my VPN at
14:45 <@Eugene> Yeah, that happens.
14:45 < Cydrobolt> Is it possible to use both ports?
14:47 < DrCode> thank you
14:47 < Cydrobolt> What would I put in my config if I wanted to listen on 443 TCP?
14:47 < DrCode> windows can work with tun?
14:48 < Cydrobolt> I added "port 443", but I'm not sure if that will work
14:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
14:55 <@syzzer> DrCode: yes, windows works just fine with tun
14:55 <@syzzer> I know, the TAP-driver naming is confusing :)
14:56 < DrCode> ok
14:57 < DrCode> thankyou
14:59 -!- havingFun is now known as xrosnight
15:00 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:00 < Cydrobolt> Anyone still here?
15:07 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
15:08 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
15:16 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
15:19 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
15:23 < tbenson> I noticed that the default ruleset on OpenVPN Access Server is not secured properly. Since it appears to use Ubuntu I would normally expect /etc/iptables/rules.v4 to exist, but it doesn’t. So how do I fix the rules properly?
15:26 < tbenson> Or can anyone tell me where the default iptables rules are stored for OpenVPN AS since they are not in /etc/iptables ?
15:30 < BtbN> This channel is not about OpenVPN AS.
15:45 <@syzzer> !as
15:45 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
15:48 <@krzee> g'day
15:52 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
15:53 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
15:56 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
15:57 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has joined #openvpn
15:59 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
16:00 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
16:03 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
16:04 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
16:10 -!- brad_mssw [~brad@shop.monetra.com] has quit [Quit: Leaving]
16:17 -!- `Yoda [Yoda@leader.of.the.coolkidz.club] has quit [Quit: YourBNC - (https://yourbnc.co.uk)]
16:23 < _FBi> !tor
16:25 -!- `Yoda [Yoda@gateway/shell/yourbnc/x-szwauayjorledkga] has joined #openvpn
16:25 <+s7r> _FBi what are you trying to do? :)
16:26 < _FBi> I heard whoppix had a neat vpn plus tor write up
16:26 < _FBi> I wasn't sure if the same was here
16:26 <+s7r> whoppix?
16:26 <+s7r> define VPN  + Tor...
16:26 < _FBi> old old old distro
16:26 < _FBi> I'm square s7r :)
16:26 < _FBi> I'll google more
16:27 <+s7r> okay
16:27 < _FBi> short: me -> VPN -> TOR
16:28 <+s7r> that is not the way you want to do it. it's always better BRIDGE (obfuscated if you need)
16:29 <+s7r> you -> VPN -> Tor == bad for security and anonymity
16:30 < _FBi> how so?
16:30 < _FBi> security ie: exit node sniffing, isn't a large concern
16:31 <+s7r> Tor over VPN is a bad idea. but anyway if you want to do it, you just run the vpn and connect to Tor after that, via the vpn
16:31 <+s7r> what more help do you need?
16:33 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
16:35 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:35 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:36 < _FBi> I don't think you're licensed haha.
16:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
16:37 <+s7r> lol?
16:39 < _FBi> off topic, do you know how to check a banlist of channel?
16:42 <@krzee>  /bans
16:42 <@krzee> i mean /ban
16:44 <@krzee> or /mode +b
16:54 -!- occupant [~null@204.14.158.226] has quit [Remote host closed the connection]
16:55 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
17:03 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:09 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
17:13 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
17:19 < wkd> I am having a huge amount of trouble trying access openvpn from outside the lan, it's connecting from within easily only if I use TC.. can someone take a look at my iptables --list output and configs to see whats wrong?
17:19 < wkd> iptables: http://pastebin.com/index/3LnfEh45
17:19 < wkd> server config: http://pastebin.com/ihV9uwyP
17:19 < wkd> http://pastebin.com/N9hkLeYu
17:20 < wkd> last one is client
17:20 < wkd> I also just noticed I cant browse the internet through the client while connected
17:20 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
17:25 < wkd> I commented out push redirect-gateway.... and I now have internet access on the client
17:27 <@Eugene> !redirect
17:27 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:27 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:28 -!- hatchet [~wkd@188.sub-70-211-65.myvzw.com] has joined #openvpn
17:29 -!- hatchet [~wkd@188.sub-70-211-65.myvzw.com] has quit [Client Quit]
17:31 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 250 seconds]
17:32 < rooth> d#1 (.50) --> server (.1) <-- d#2 (.51)     tap0/bridge tunnel.  Ping from server to #1 & server to #2 works sometimes. However, I get host unreachable and then see ICMP redirects from #2 about the route to #1 and vice versa.
17:32 < rooth> 10.253.15.51 > 10.253.15.1: ICMP host 10.253.15.50 unreachable, length 92
17:33 < rooth> from tcpdump -i br0 -v on server.
17:34 < rooth> What I'm apparently too stupid to understand is why d#2 (.51) interfers with a packet from server (.1) to d#1 (.50).
17:35 < rooth> or even see it.
17:35 < rooth> Or is it just because it sees an ARP-request?
17:36 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
17:36 < wkd> !paste
17:36 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
17:37 < wkd> !configs
17:37 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:37 < wkd> !logs
17:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:38 -!- wkd [~wkd@75.46.172.54] has quit [Client Quit]
17:41 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:47 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
17:50 < wkd> https://gist.github.com/anonymous/940ea971bb4e75d31469
17:50 <@vpnHelper> Title: gist:940ea971bb4e75d31469 (at gist.github.com)
17:51 < wkd> thats all my logs and configs per the channel specs... the issue is I can't access the server from the outside
17:52 < wkd> on the lan it's only accessible with TCP
17:52 < wkd> anybody care to take a look?
17:55 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
18:08 <@krzee> wkd, open the vpn port in your firewall
18:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
18:11 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 256 seconds]
18:11 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:11 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 265 seconds]
18:17 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: leaving]
18:23 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:23 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Excess Flood]
18:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:29 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
18:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
18:40 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:48 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
18:58 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 260 seconds]
18:58 -!- mt [mt@unaffiliated/supermat] has quit [Remote host closed the connection]
19:01 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
19:02 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
19:09 -!- kisak [~kisak@unaffiliated/kisak] has joined #openvpn
19:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
19:20 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
19:21 < _FBi> <krzee> or /mode +b  |  Thanks!
19:21 <@krzee> np
19:27 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Ping timeout: 272 seconds]
19:28 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Remote host closed the connection]
19:28 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:28 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
19:28 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
20:23 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
20:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 272 seconds]
20:44 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Quit: Textual IRC Client: www.textualapp.com]
20:48 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
21:07 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
21:12 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn
21:19 <@krzee> !linnat
21:19 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
21:34 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 264 seconds]
21:38 -!- kisak [~kisak@unaffiliated/kisak] has left #openvpn []
21:49 -!- opalraava [~ircuser@2a01:7c8:aaae:18d:5054:ff:fe92:38da] has joined #openvpn
22:16 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
22:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
23:27 -!- ShadniX [dagger@p5DDFF531.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:28 -!- ShadniX [dagger@p57941C7B.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
--- Day changed Fri Nov 07 2014
00:04 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:28 -!- mattock_afk is now known as mattock
00:57 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has quit [Ping timeout: 265 seconds]
01:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
01:10 -!- mattock is now known as mattock_afk
01:20 -!- mattock_afk is now known as mattock
01:40 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:21 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:03 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Ping timeout: 250 seconds]
03:13 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
03:14 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
03:17 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
03:17 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:25 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Quit: Konversation terminated!]
03:27 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
03:29 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has quit [Quit: Goodbye!]
03:33 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
03:34 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 250 seconds]
03:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
03:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
04:05 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
04:08 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
04:09 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
04:11 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
04:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:12 -!- dazo_afk is now known as dazo
04:13 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
04:17 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 244 seconds]
04:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:33 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
04:34 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
04:37 -!- stppnwlf [~steppen_w@pjmb.net] has joined #openvpn
04:38 < stppnwlf> hello all ! I'm trying to install a setup {Ethernet bridging, Windows client, Linux Server}, but although I receive traffic on linux (and sent by windows), windows doesn't receive anything on its tap interface... and I don't know where to enquire next :( Any idea ?
04:39 < stppnwlf> !welcome
04:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:40 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:44 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Quit: Volcanic Activity]
04:44 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:45 < idl0r> Fri Nov  7 10:45:23 2014 SIGTERM[soft,remote-exit] received, process exiting
04:46 < idl0r> that makes me crazy
04:46 < idl0r> wtf is it stopping the daemon on the server side if the *client* disconnects? :(
04:56 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
05:01 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Quit: Volcanic Activity]
05:01 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
05:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:13 -!- Kottizen [martin@trekweb/supporter/kottizen] has left #openvpn []
05:28 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
05:30 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
05:33 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:41 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
05:42 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 264 seconds]
05:57 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
06:01 -!- Latrina [~Latrina@adsl-ull-28-181.50-151.net24.it] has quit [Ping timeout: 256 seconds]
06:04 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
06:05 -!- Latrina [~Latrina@adsl-ull-176-187.50-151.net24.it] has joined #openvpn
06:15 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
06:18 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 265 seconds]
06:23 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
06:23 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
06:37 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:41 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 258 seconds]
06:56 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 244 seconds]
06:57 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has joined #openvpn
07:21 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
07:26 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
07:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
07:30 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:41 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
07:41 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:54 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
07:58 -!- Latrina [~Latrina@adsl-ull-176-187.50-151.net24.it] has quit [Ping timeout: 244 seconds]
08:00 -!- Latrina [~Latrina@151.56.185.68] has joined #openvpn
08:07 -!- stppnwlf [~steppen_w@pjmb.net] has left #openvpn []
08:28 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 255 seconds]
08:30 -!- mete [~mete@91.247.253.160] has joined #openvpn
08:32 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
08:32 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
08:34 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
08:43 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:49 -!- ahuemer is now known as blackbit
08:57 -!- ghoti [~paul@hq.experiencepoint.com] has joined #openvpn
09:04 < ghoti> So...  I seem to be having trouble setting a static route for connected clients.  Clients are assigned an IP in 10.1.5.0/24, and need a static route set upon connect to get to 10.1.1.0/24.
09:05 < ghoti> I can make this work with 'push "route 10.1.1.0 255.255.255.0 10.1.5.1"' in a ccd/user, but how can I make that global, so I don't require the ccd?
09:22 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
09:27 < deviantintegral> are there debian / ubuntu source packages available anywhere? I'd like to test a patch, but I don't see any docs with a deb-src url
09:53 -!- xamox [~xamox@c-68-42-242-42.hsd1.mi.comcast.net] has joined #openvpn
09:53 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
09:54 < xamox> Is it possible to use an ovpn file from the command line?  I've seen gui tools that let me import and I know I can run openvpn --config but I would like to put it in something like clienf.conf so it loads everytime, or do I have to break things apart manually?
09:55 < ShotokanZH> xamox, i've made a script that does:
09:56 < ShotokanZH> sudo tmux new -c "openvpn --config my.ovpn"
09:56 < ShotokanZH> and i call it like ./openvscript
09:56 < ShotokanZH> end of the story
09:57 < xamox> That's fine and dandy, but I would prefer it uses something like client.conf so that init.d runs it and monitors it.  If that's not possible looks like I may just have to script it to break it apart into separate files then
09:59 < ShotokanZH> xamox, mv openvscript client.conf *troll*
09:59 -!- mattock is now known as mattock_afk
10:00 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 256 seconds]
10:09 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
10:11 -!- negev [~mark@77.155.238.178.in-addr.arpa] has joined #openvpn
10:12 < negev> hi, i have followed the instructions here: https://openvpn.net/index.php/open-source/documentation/howto.html#pki  to generate certificates and keys for client and server, but i'm unable to start the client. i get this when trying to start it: http://pastebin.com/2jnVAyFr
10:12 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:13 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
10:15 < negev> what does "Cannot load private key file client.key: error:0906D06C:lib(9):func(109):reason(108)" mean?
10:17 <@dazo> negev: what does the log lines around this error say?  (pastebin please!)
10:17 < negev> see above :) http://pastebin.com/2jnVAyFr
10:17 <@dazo> duh :)
10:17 <@dazo> negev: your answer is in line 6 ;-)
10:18 <@dazo> (to understand even better, the log must be --verb 4)
10:18 < negev> the key doesn't have a password though
10:19 <@dazo> then the key file is corrupt or of the wrong format
10:20 < negev> it doesn't look corrupt to me, and it was generated using the easy-rsa scripts
10:20 <@dazo> (ensure it's PEM formatted if using --key)
10:20 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
10:21 <@dazo> negev: try:  openssl rsa -in $KEYFILE
10:21 < negev> i'm not using --key, it's referenced in the config file like this: http://pastebin.com/JWwr1n65
10:22 < negev> that just spat out an RSA version of the key
10:22 <@dazo> you are using --key ....  line 7
10:22 <@dazo> so openssl rsa -in client.key  results in the same output?
10:22 <@dazo> as client.key?
10:22 < negev> no it's different
10:23 <@dazo> that's the error
10:23 < negev> same error if i use the output as the key though
10:23 <@dazo> add 'verb 4' to the config and pastebin the complete log
10:24 < negev> http://pastebin.com/9zvDKhHn
10:25 < ShotokanZH> guys, nobody can answer me on #openvpn-as so i'll try asking there, because i don't know if it's openvpn-as related, or just openvpn related
10:26 <@dazo> ShotokanZH: if you use openvpn-as, it is #openvpn-as who can answer ... here we only support the community edition
10:26 <@dazo> be patient
10:26 < ShotokanZH> dazo, but i don't know if it's something related to openvpn too :)
10:27 <@dazo> (or send a support ticket via the customer portal)
10:27 < ShotokanZH> my openvpn-as server (fresh install) has port # 914 to 921 , open. is it something openvpn usually use?
10:27 <@krzee> !as
10:27 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
10:27 -!- ShotokanZH was kicked from #openvpn by dazo [go to #openvpn-as]
10:27 <@krzee> why do they never listen
10:27 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has joined #openvpn
10:27 <@krzee> lol
10:27 <@dazo> :)
10:27 < ShotokanZH> krzee, i asked if "it's something openvpn usually use"?
10:28 < negev> is there a way to make openvpn 2.3 just use static keys rather than certificates?  i've spent hours on this already and i just want it to work :|
10:28 <@dazo> ShotokanZH: no it is not ... It is openvpn-as specific
10:28 <@krzee> there is no AS question that will relate to community openvpn
10:29 <@krzee> unless its a general networking question, in which case this is still not the place
10:29 <@dazo> negev: yes, but there's something odd with your key ... I'd try to regenerate the keys and certs .... PKI is far more safer than static --secret
10:29 <@krzee> :D
10:29 < ShotokanZH> dazo, thank you.
10:29 < negev> dazo: i've regenerated them about 25 times already trying to solve this :/
10:30 <@dazo> negev: can you try to use easy-rsa3 instead?
10:30 <@dazo> (it's an big improvement from easy-rsa2
10:30 <@dazo> )
10:30 < negev> ok looks like macports has that so ill try it, thanks
10:31 < negev> surely it's just calling openssl genrsa though..
10:31 <@dazo> negev: here's a quick-start for easy-rsa3 https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
10:31 <@vpnHelper> Title: easy-rsa/README.quickstart.md at master · OpenVPN/easy-rsa · GitHub (at github.com)
10:31 <@dazo> negev: but easy-rsa2 can be very picky about some of the configuration details ... and it sometimes behaves odd
10:33 <@krzee> theres also
10:33 <@krzee> !easy-rsa
10:33 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
10:33 <@krzee> the wiki tutorial
10:34 <@dazo> oh cool!  more docs!  easy-rsa-3 is really moving forward faster nowadays :)
10:34  * krzee points at pekster
10:35 < negev> ok so easy-rsa3 created the key with a password, which openvpn now prompts me for before then giving the same error message as before :|
10:35 <@krzee> !change-passphrase
10:35 <@vpnHelper> "change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
10:35 <@dazo> negev: this honestly sounds more and more like a silly pebkac ;-)
10:36 < negev> wut?
10:36 <@krzee> problem exists between keyboard and computer :-p
10:36 < negev> ok the password i used is "password"
10:36 < negev> i think i know how to type that
10:36 <@dazo> negev: again, openssl rsa -in $KEYFILE will always be a good reference point .... otherwise it might be a broken openvpn build
10:36 < negev> the password works correctly if i do that
10:38 <@dazo> negev: what does 'openssl version' give you?
10:38 < negev> 0.9.8za 5 Jun 2014
10:38 <@dazo> okay ... your openvpn installation uses 1.0.1j ...
10:38 <@dazo> and easy-rsa will probably also use 0.9.8za
10:38 < negev> i have 1.0.1j 15 Oct 2014 also from macports
10:39 <@dazo> could be some defaults which have changed .... so getting easy-rsa to use the same openssl version might be a good idea
10:39 < pekster> easyrsa v3 should work with both (and currently it's a bug if it doesn't.)
10:39 < pekster> See also the `set-rsa-pass` command to change your password
10:39 < pekster> ./easyrsa help set-rsa-pass
10:40 < negev> i tried stripping the password from the key and using the decoded result with openvpn, same error
10:40 < negev> also openssl -in $KEYFILE gives the same result regardless of which openssl version i use
10:40 <@dazo> pekster, do you have time to take over?  you might understand these tweaks better than I do
10:40 <@dazo> negev: pekster is one of the easy-rsa-3 developers
10:41 < pekster> A bit; I've got an erand before lunch, but let's go until I have to take off :)
10:41 < negev> it's unclear from the easyrsa3 source at the moment which openssl version it's using (this is the macport i have)
10:41 < pekster> easyrsa (both the "older" v2 and v3) uses whatever your $PATH provides
10:41 < negev> i would guess it just uses the path, which would be the osx version, so i guess i could override that
10:41 <@krzee> oh hey pekster did you see the changes a guy made to make easyrsa3 work for ipsec too?
10:41 < pekster> It should work with both 0.9.x and 1.0.x. What exactly are you seeing that's the issue
10:42 < pekster> krzee: Yea, still need to test it against 0.9.x to make sure nothing obscene breaks (stupid ssl version differences.) I'm not quite sure why that's needed since just pressing enter uses a blank (ie: doesn't use one) password for the .p12
10:43 < pekster> The friendly-name should be an easy one though. I'm not opposed to a nopass option, but 3.1 might revamp password features to support pipes, files, etc
10:43 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 265 seconds]
10:43 < pekster> If I can beat 0.9.x into submission.. :(
10:43 <@krzee> gotchya
10:43 < negev> tried with the macports openssl (1.0. whatever), same result :(
10:44 <@krzee> !certverify
10:44 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5
10:44 < pekster> negev: So, at key generation time you can choose to encrypt or not encrypt the key. set-rsa-pass can change whatever you have set to a different password, including none
10:44 <@krzee> if they work with that, then they can be considered working and the problem is elsewhere
10:44 < pekster> negev: What do you have no, and what are you trying to do? Just remove the private key encryption completely?
10:45 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
10:50 <@krzee> !strip-passphrase
10:50 <@vpnHelper> "strip-passphrase" is see http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file
10:50 <@krzee> :D
10:50 < negev> pekster: i just want to use openvpn between two machines, and for some reason no matter how i generate the cert/keypair i can't start the client
10:50 <@krzee> !configs
10:50 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:50 < negev> i know how to strip passwords from keys, i said earlier that i tried that and got the same result
10:51 <@dazo> krzee: http://pastebin.com/JWwr1n65 + http://pastebin.com/9zvDKhHn ... that's what the core issue
10:51 <@dazo> it doesn't yet connect to server, due to failures with the key file ... so server side isn't important right now
10:51 < negev> server side starts up fine.. with keys generated using the same easy-rsa
10:52 < pekster> Looks like it doesn't like the password given to decrypt the key
10:52 < negev> main difference is the server is ubuntu and client is macos using openvpn2 from macports
10:52 < pekster> What is the ASCII banner on your key file? `head -n1 client.pem` ?
10:52 < pekster> (ie: NOT your key, just the header)
10:52 < negev> if it's encrypted, it's: -----BEGIN ENCRYPTED PRIVATE KEY-----
10:53 < pekster> Right, but you won't ever get that error on line 225 of your log with an unencrypted key
10:53 < negev> if not encrypted, it's: -----BEGIN RSA PRIVATE KEY-----
10:53 <@krzee> be sure that client.crt and client.key are the NOT encrypted copies
10:53 < pekster> That means openvpn cannot decrypt your key file with thet password provided to the program
10:53 <@krzee> err .key i mean
10:53 < negev> they're not.. trust me, i've been generating openssl keypairs for many years, i can tell the difference
10:53 <@krzee> of course .crt isnt encrypted its public :D
10:54 <@krzee> openvpn --version
10:54 < pekster> Then try it again without an encrypted key. The logs show that it is encrypted and was not given a bad password
10:54 < negev> OpenVPN 2.3.4 x86_64-apple-darwin14.0.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov  7 2014
10:54 < negev> pekster: i get that message whatever i use, even if the file is definitely not encrypted
10:54 < negev> it doesn't prompt for a password if it's not encrypted, it just goes straight to that error
10:55 <@krzee> well you got me
10:55 < negev> if it is encrypted, i get a password prompt, enter the password that i've already separately confirmed is correct (and which is "password" ... ) and i get the same error
10:55 < pekster> Not the file you think it is? I'd highly recommend you use either --cd or full paths in your file statements
10:56 < negev> can't be that, because as i just said, if i swap it out for the encrypted one i get a password prompt
10:56 <@krzee> and im also on  OpenVPN 2.3.4 x86_64-apple-darwin
10:56 < negev> maybe the macport is broken?
10:56 <@krzee> oh maybe
10:56 <@krzee> i use tunnelblick
10:57 <@krzee> if you want from source, try just making it from source
10:57 < pekster> You can check `ldd` to see which openssl your openvpn is linkedk against
10:57 < negev> i guess i could try compiling it from source
10:57 <@krzee> then if that works, you know the problem
10:57 < pekster> Maybe try to see if that openssl has some problem reading the RSA key
10:57 < pekster> (if you get an openssl CLI utility -- if it's a lib only you can't do that test w/out writing some C to grok the key)
10:57 < negev> i could strace it i guess
10:58 < pekster> Anything silly with your key? Not using something non-standard like >4096 bit RSA or something?
10:58 <@krzee> id just test from source
10:58 < negev> well mac doesn't have strace but dtruss gives the same kind of result
10:58 < negev> pekster: nope nothing i can see
10:58 <@dazo> if this is test keys ... maybe it could be pastebinned and more can try it?
10:59 < negev> http://pastebin.com/2gZpu4Aw
10:59 < negev> password is "password"
10:59 < negev> cert: http://pastebin.com/JL2KZBJm
11:00 <@dazo> negev: if you can pastebin the cert and the ca.crt too, I'll verify everything on my local openvpn build
11:00 -!- wkd [~wkd@75.46.172.49] has joined #openvpn
11:00 < negev> ca.crt: http://pastebin.com/TNpgx4yP
11:00  * dazo will not try to connect to your servers ;-)
11:01 < negev> you won't be able to anyway there's nothing set up yet :)
11:01 < pekster> dazo: Rumor has it 1.1.1.1 isn't accepting connections anyway :P
11:01 <@krzee> take down the server while giving out the keys
11:01 <@krzee> oh ya that too
11:01 <@krzee> haha
11:01 < negev> pekster: i changed that in the pastebin for privacy
11:01 < negev> this is all way more effort that i feel is justified for what i'm doing
11:01 < negev> setting up an openvpn server that will only ever accept connections from one ip address
11:01 <@krzee> just test from source
11:01  * dazo didn't check the --remote statement in the config :)
11:01 < negev> static keys would probably do fine
11:02 <@krzee> it'll take you all of 3 minutes
11:02 <@dazo> negev: got the client cert as well?
11:02 < negev> see above
11:02 < negev> [16:59] < negev> cert: http://pastebin.com/JL2KZBJm
11:02 < negev> krzee: it's been 2 hours so far and still doesn't work
11:02 <@dazo> oh, sorry!
11:03 < pekster> hold on, why does the log complain about 'client.pem' and your config has 'client.key' ?
11:03 < negev> pekster: i changed it once or twice while messsing around
11:03 <@krzee> negev, you tried compiling from source without macports 2 hours ago?
11:03 < negev> client.pem has the unencrypted version
11:04 < negev> krzee: no not yet
11:04 < negev> i meant total time trying to make this work
11:04 <@krzee> lol @ 2 hours
11:04 < negev> technically macports compiles from source anyway though
11:04 <@krzee> my first setup took me a week
11:04 < negev> the last time i used openvpn it took about 30mins
11:04 < negev> but that was just with static keys
11:04 < negev> it really doesn't need to be this complicated
11:04 <@dazo> negev: my openvpn build starts perfectly using your key ... no issues with password or anything
11:05 < negev> is yours from macports too?
11:05 < pekster> negev: Loading that private key works just fine here, on openvpn 2.3.2 w/ openssl 1.0.1f. I have to leave for a bit, but I can test on a fBSD 9.x VM when I'm back that has a 0.9.x openssl
11:05 <@dazo> negev: openvpn --dev tun --remote localhost --nobind --proto udp --tls-client --key client.key --ca ca.crt --cert client.crt --verb 4
11:05 <@dazo> (it didn't get a connection, naturally)
11:05 < pekster> Same with 2.3.4
11:05  * pekster has to pop out for a bit
11:05 < negev> just tried that same cmdline, same error :| wtf
11:06 <@krzee> i have macports, but i dont see why i would test the macports version instead of you testing the non-macports version… it's your issue and all
11:06 < wkd> I am having problems accessing the openvpn server on my lan from an outside connection, I have no problem connecting to it locally if I use TCP... udp breaks the tls handshake for some reason... I have issued the commands at the top the gist post for testing... I included all the client and server logs, configs iptables and routes.. can someone take a look at this please? https://gist.github.com/anonymous/270baa2d1d4aff0ecd79
11:06 <@vpnHelper> Title: gist:270baa2d1d4aff0ecd79 (at gist.github.com)
11:06 <@krzee> (i have macports, not openvpn from macports)
11:06 < negev> ok ok ill compile it from source
11:07 <@dazo> negev: sounds quite a lot like a broken openvpn build now :(
11:07 < negev> yeah
11:07  * dazo tested against 2.3.2 and OpenVPN 2.3_git [git:dev/systemd-echo/191d3602d9ebc4da+]
11:08 <@dazo> (the latter one is a bleeding edge build with some experimental features, which is not related to SSL at all)
11:08 <@dazo> !udp
11:08 <@dazo> !tcp
11:08 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
11:09 <@dazo> hmm ... didn't say as much as I expected :)
11:09 <@dazo> wkd: some isps sucks and udp won't work unfortunately
11:10 < wkd> its breaking it locally over the lan.. maybe the router?
11:11 <@dazo> uhm ... locally?  then you're probably having a different challenge
11:11 <@dazo> please re-paste things more properly
11:11 <@dazo> !configs
11:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:12 <@dazo> I get confused by all the comments of the example configs
11:12 <@krzee> totally
11:12 <@krzee> 100 lines of comments for 10 lines of relevance
11:12 < wkd> oops.. one sec
11:12 <@dazo> wkd: both server and client configs, please
11:13 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has left #openvpn ["this.channel.quit();"]
11:13 <@dazo> next thing ... please reproduce without --mute and with --verb 4
11:13 <@krzee> i lost my scroll, but is this the same question i answered yesterday?
11:13 <@krzee> i answered *some* question of wkd's
11:13 <@krzee> then his client exited a few minutes later and i had no reply
11:15 < wkd> sorry krzee I was on a laptop running over my cell phone to try to connect from the outside and it kept dropping my internet, I brought my monitor for the server today so I'll be able to test on that while talking on here today
11:15 <@krzee> dazo, do you have scrollback?
11:15 <@krzee> the answer for wkd is above if you do, i dont remember it :D
11:15  * dazo double checks
11:16 <@dazo> <krzee> [01:08:35] wkd, open the vpn port in your firewall
11:16 <@dazo> <krzee> [04:19:47] !linnat
11:16 <@krzee> linnat was for me
11:16 <@krzee> ya wkd, open the vpn in your firewall, you have those lines commented out in the firewall setup script
11:17 <@dazo> okay, that's all I see ... but the firewall seems to be opened in the pastebin from today
11:17 <@krzee> didnt check if those commented lines were good, but thats definitely an issue
11:17 <@dazo> (in fact, it's completely open right now)
11:17 <@krzee> oh ok, the privious pastebin had it bad
11:17 <@krzee> previous*
11:17 <@dazo> a slightly small step in the right direction :)
11:18 <@krzee> yep, gotta take 'em 1 at a time
11:18 <@dazo> :)
11:26 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: rebooting]
11:28 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
11:36 -!- xamox [~xamox@c-68-42-242-42.hsd1.mi.comcast.net] has quit [Quit: Leaving]
11:43 < wkd> https://gist.github.com/anonymous/e9d9348a9e8d2b5d2b13
11:43 <@vpnHelper> Title: gist:e9d9348a9e8d2b5d2b13 (at gist.github.com)
11:43 < wkd> openvpn didn't produce a log when the client tried to connect
11:45 < wkd> I put the server conf, client conf, client log on verb 4 without mute, server ifconfig, and windows client print route in there
11:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:56 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
11:58 <@dazo> wkd: Fri Nov 07 09:28:25 2014 us=454056 TCP: connect to [AF_INET]75.46.172.49:1194 failed, will try again in 5 seconds: The system tried to join a dri$
11:58 <@dazo> that's the error
11:58 <@dazo> your client is not able to access the openvpn server ... why?  I dunno
11:59 <@dazo> telnet 75.46.172.49 1194
11:59 <@dazo> Trying 75.46.172.49...
11:59 <@dazo> telnet: connect to address 75.46.172.49: Connection refused
12:00 <@dazo> something is blocking access
12:00 < wkd> is it blocking http?
12:00 <@dazo> wkd: telnet 75.46.172.49 1194
12:01 <@dazo> I cannot get a connection to your openvpn port ... you've configured openvpn to use port 1194 (the default port, if not set)
12:02 <@dazo> wkd: pastebin the output of iptables-save
12:03 < wkd> https://gist.github.com/anonymous/9d505c3d1fc96e42b982
12:03 <@vpnHelper> Title: gist:9d505c3d1fc96e42b982 (at gist.github.com)
12:10 < wkd> maybe it has something to do with services iRedMail installed... some secondary firewall or something?
12:12 <@dazo> wkd: and the output of 'netstat -lnptua'  (presuming you're on Linux)
12:12 <@dazo> duh, of course you are on linux ... iptables
12:18 < wkd> https://gist.github.com/anonymous/fd55efc89984e5836e50
12:18 <@vpnHelper> Title: gist:fd55efc89984e5836e50 (at gist.github.com)
12:22 < wkd> I had pptp setup and working, after I installed iRedMail pptp also seemed to get blocked
12:22 -!- Droolio [~drool@host86-162-40-230.range86-162.btcentralplus.com] has quit [Ping timeout: 258 seconds]
12:31 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
12:35 -!- notorious_ [~notorious@81.82.195.68] has quit [Quit: Konversation terminated!]
12:41 <@dazo> wkd: well, I have no idea .... openvpn is present and listens to port 1194 ... tcptraceroute to your box works fine until hitting your IP, then an RST, ACK message comes - which is a rejection
12:41 <@dazo> but your iptables rules indicates that it should be completely open
12:44 < pekster> tcpdump (or targetless iptables rule, aka poor-man-tcpdump) and see if it's hitting the host. If it is, it's the server doing something screwy (SELinux, or similar?) If not, something before your server drops it
12:44 <@dazo> a lot of other services answers ...
12:46 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Quit: Wychodzi]
12:48 < wkd> .49 is the first of 3 static ip's configured on the box at eth0... when I configured the ips with the isp they asked what I'd be doing with it to see how to setup them up... the lady on the phone asked if I needed them outside the network.. I had no idea what she meant but she didn't go with that option... would that have something to do with it?
12:49 < wkd> I'm downloading windump right now
12:49 < pekster> wireshark.org
12:49 <@dazo> you need to run it on your vpn server
12:49 < pekster> But yea, if this is a Linux server, you do this there
12:49 < wkd> oo
12:49 < wkd> ok
12:51 < wkd> 10:51:24.884103 IP atr-nv.com.4 > 189.sub-70-211-72.myvzw.com.2906: Flags [R.], seq 0, ack 2178357169, win 0, length 0
12:51 < wkd> it shows the connection is coming in
12:52 <@dazo> ehh nope
12:52 < wkd> ?
12:53 <@dazo> it shows somebody tried to connect to your port 2906 ... but nothing more ... not if there was a response
12:53 <@dazo> tcpdump -n port 1194
12:53 <@dazo> that will tell you if anything on port 1194 gets through ... and then should also see an answer back
12:53 < pekster> `tcpdump -pni eth0 tcp port 1194` might be better
12:53 < pekster> !tcpdump
12:53 <@vpnHelper> "tcpdump" is (#1) tcpdump is a great troubleshooting tool (Wireshark or the tshark.exe CLI tools for Windows.) To start, try a syntax like `tcpdump -pni ifWhatever` or (#2) You can also add filters to the command, like 'icmp' or 'udp port 1194' and the like. Consult the tcpdump docs for details.
12:53 <@dazo> yeah
12:54 < wkd> the client is trying nothing is showing up on port 1194
12:54 <@dazo> exactly
12:54 < pekster> Right. See above. Something *upstream* of your server rejects it
12:54 < pekster> Go fix that device, or file a request with your network ops
12:55 < wkd> router likely?
12:55 < pekster> If you're on RFC1918, yes. If not, they're being stupid (and standards-violating) and masquerading your IP in the process
12:56 < pekster> If you are on RFC1918, you don't have direct Internet access in the first place
12:56  * dazo just had a look at the iredadmin-pro admin ... very surprised they can sell that for $800 ...
12:58 < wkd> guess I'll go to bestbuy pick up a netgear throw dd-wrt and setup the ppoe passthrough and see if that works
12:58 <@dazo> or install openwrt instead?
12:58 <@dazo> dd-wrt is crap
12:58 <@dazo> (at least on the security side)
13:00 <@dazo> !dd-wrt
13:00 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
13:01 < wkd> I'll go with the open-wrt... lol
13:03 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 244 seconds]
13:18 < negev> Options error: specify only one of --tls-server, --tls-client, or --secret
13:18 < negev> the only one i'm specifying is secret :|
13:19 < negev> ah, apparently "client" means --tls-client
13:22 < deviantintegral> syzzer: ping
13:22 <@syzzer> deviantintegral: what's up?
13:23 < negev> how do i configure a server to use static keys?  it doesn't seem to want me to use the "server" directive with "secret"
13:24 < deviantintegral> syzzer: thanks for your quick work on #473. Are there debian source packages anywhere? I figured I could at least validate your patch on my end.
13:24 <@syzzer> negev: that's correct, static keys only allow one-to-one connections
13:24 <@syzzer> no client/server
13:24 < negev> ah it's ifconfig i need
13:25 <@syzzer> deviantintegral: you're welcome. If I write shiny new bugs I try to fix them quickly ;)
13:26 < deviantintegral> lol
13:26 <@syzzer> I don't see any source packages on swupdate.openvpn.net, but I don't maintain that repo
13:27 <@syzzer> mattock_afk might know more
13:28 <@syzzer> but building openvpn just for testing is quite easy, just do a git clone, autoreconf -vi, ./configure, make
13:28 <@syzzer> (and in this case, a git am to apply the patch)
13:29 < deviantintegral> yeah, ok. Last time I built OpenVPN from source had to be 5+ years ago. As long as that's close enough to the debian build process, it's fine by me
13:30 <@syzzer> the packages have a few different configure flags, but a basic ./configure should be very close to the packages, yes.
13:31 < deviantintegral> ok, thanks!
13:35 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
14:00 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:01 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
14:53 -!- dazo is now known as dazo_afk
15:08 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
15:12 < wkd> got open-wrt flashed... brb
15:12 -!- wkd [~wkd@75.46.172.49] has quit [Quit: Leaving]
15:25 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
15:29 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
15:29 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
15:38 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:40 -!- negev [~mark@77.155.238.178.in-addr.arpa] has quit [Quit: Lost terminal]
15:45 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Ping timeout: 250 seconds]
15:49 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
16:02 -!- wkd [~wkd@75.46.172.49] has joined #openvpn
16:02 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
16:16 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
16:19 < wkd> earlier I opened up iptables with the commands found at the top of https://gist.github.com/anonymous/e9d9348a9e8d2b5d2b13 how would I revert back to the iptables-save file?
16:19 <@vpnHelper> Title: gist:e9d9348a9e8d2b5d2b13 (at gist.github.com)
16:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
16:40 < pekster> wkd: via iptables-restore(8)
16:40 < pekster> Just feed it a valid restore file on stdin and that ruleset will replace your current one (though only for tables the ruleset defines)
16:42 < wkd> cool thank you
16:48 -!- wkd [~wkd@75.46.172.49] has quit [Quit: Leaving]
16:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:55 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
17:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:03 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
17:09 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:16 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
17:24 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 265 seconds]
17:51 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
17:52 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 240 seconds]
18:11 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 264 seconds]
18:19 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:24 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 245 seconds]
18:24 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
18:26 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
18:29 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Excess Flood]
18:30 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:31 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
18:31 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
18:33 < tony1> I an using openvpn for android on my phone and I keep getting disconnected every 15 seconds. is there some setting to make it more stable?
18:34 < tony1> it works fine with wifi connection
18:39 <@Eugene> At a guess, you've got --ping-restart set way too low, or are using TCP, or something similarly absured
18:39 <@Eugene> But since you haven't shown us any type of configs or logs, we have no idea
18:51 < tony1> I will pull the config's tomorrow and post back. where is --ping-restart I dont see it in the app I will look to see if it is a server option
18:52 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
18:52 < tony1> I am using udp.
18:57 <@Eugene> Often done on the server, yeah
18:59 < tony1> well thanks for the help. I will put together the requested information. take care
19:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:21 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 272 seconds]
19:21 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 244 seconds]
19:21 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 244 seconds]
19:21 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 244 seconds]
19:21 -!- jrg [jrg@unaffiliated/jrg] has quit [Ping timeout: 244 seconds]
19:21 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 244 seconds]
19:21 -!- n13l [~Daniel@aaa.anect.cz] has quit [Ping timeout: 244 seconds]
19:21 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has quit [Read error: Connection reset by peer]
19:22 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
19:22 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
19:22 -!- MogDog66 is now known as MogDog
19:23 -!- Argure [argure@geonosis.donttrustrobots.nl] has joined #openvpn
19:23 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
19:29 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has joined #openvpn
19:30 < altker128> I'm curious if anyone here has any comments on PPTP.  Currently I use OpenVPN, but PPTP is supported in most OSes.
19:30 < altker128> (out of the box)
19:30 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
19:35 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
19:35 -!- hightower4 [~hightower@213.147.97.222] has joined #openvpn
19:37 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
19:42 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 240 seconds]
19:47 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn ["WeeChat 1.0"]
19:49 <@Eugene> !pptp
19:49 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
19:49 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
19:50 <@Eugene> !l2tp
19:50 < altker128> OK, that's enough for me :)
19:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:50 <@Eugene> Hm, thought we had one on that proto too
19:59 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:08 -!- justinzane [~justinzan@67.21.190.132] has quit []
20:19 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
20:21 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:38 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 244 seconds]
20:43 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn
22:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:44 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
23:04 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
23:05 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
23:06 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
23:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:4855:de9a:6309:6644] has quit [Ping timeout: 265 seconds]
23:09 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
23:17 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
23:20 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
23:26 -!- ShadniX [dagger@p57941C7B.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:27 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:27 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
23:28 -!- ShadniX [dagger@p57941C55.dip0.t-ipconnect.de] has joined #openvpn
23:30 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
23:32 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
23:41 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
23:43 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:44 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
23:46 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
23:47 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 256 seconds]
23:50 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
--- Day changed Sat Nov 08 2014
00:29 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 258 seconds]
01:09 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:15 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:06 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
02:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:26 -!- Eugene [eugene@kashpureff.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
02:26 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
02:27 -!- Eugene [eugene@kashpureff.org] has quit [Client Quit]
02:28 -!- Eugene [eugene@rfc1918.ninja] has joined #openvpn
03:06 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:49 -!- ghoti [~paul@hq.experiencepoint.com] has quit [Read error: Connection reset by peer]
03:50 -!- ghoti [~paul@hq.experiencepoint.com] has joined #openvpn
03:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
04:09 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:22 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:00 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
05:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:45 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:46 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:47 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:48 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:48 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:49 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:50 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:50 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:51 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:51 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:52 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:53 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:53 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:54 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:55 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
05:56 -!- jdmf [~jdmf@78.156.100.202] has quit [Max SendQ exceeded]
05:56 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
06:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
06:20 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 272 seconds]
06:24 -!- kurbel [~kurbel@medi-inf.org] has joined #openvpn
06:24 < kurbel> hey guys
06:25 < kurbel> i have a problem with my openvpn setup
06:25 < kurbel> i run a server on FreeBSd 10 (pfSense)
06:25 < kurbel> and my client will alwasy crash with the message
06:25 < kurbel> 'Sat Nov  8 13:16:12 2014 us=904072 Assertion failed at crypto.c:174'
06:25 < kurbel> any ideas how to fix that?
06:27 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:58 -!- mattock_afk is now known as mattock
07:10 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
07:16 -!- Toumasu [~Thunderbi@78-23-25-135.access.telenet.be] has joined #openvpn
07:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:18 -!- Toumasu [~Thunderbi@78-23-25-135.access.telenet.be] has quit [Client Quit]
08:12 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
08:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
08:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
08:57 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:02 -!- Pyrogerg [~Gregory@207.109.140.1] has joined #openvpn
09:18 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
09:25 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
09:25 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
09:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
09:44 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 240 seconds]
09:54 -!- Pyrogerg [~Gregory@207.109.140.1] has quit [Ping timeout: 260 seconds]
09:57 -!- Riviera_ [Riviera@2a03:b0c0:1:d0::10:b001] has quit [K-Lined]
10:06 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
10:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:24 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
10:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:07 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:10 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Read error: Connection reset by peer]
11:14 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:16 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 250 seconds]
11:24 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:26 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:36 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
12:09 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
12:11 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
12:13 -!- Latrina [~Latrina@151.56.185.68] has quit [Ping timeout: 265 seconds]
12:15 -!- Latrina [~Latrina@adsl-ull-221-197.50-151.net24.it] has joined #openvpn
12:16 < tony1> I trying to setup open vpn on my phone and I keep getting disconnected every 10 seconds. the phone is using android 4.4.2 stock verizion rom, no root. if I use foxfi to create a hot spot and connect my nexus 7 the connection is very stable. does anyone have an idea how to make the vpn staple on the phone?
12:18 < tony1> the nexus is using android 4.4.4 and is very stable when using the phone as a wifi access point with foxfi
12:20 < tony1> my guess is that the stock verizion android 4.4.2 has some issues. not sure if someone has a info on how to get it to work though
12:21 < tony1> the phone is a LG G3 if that matters?
12:24 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
12:24 -!- swebb [~swebb@c-71-237-49-232.hsd1.co.comcast.net] has quit [Ping timeout: 255 seconds]
12:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:30 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:30 -!- mode/#openvpn [+v s7r] by ChanServ
12:44 <@krzee> tony1, you using udp or tcp?
12:45 < tony1> krzee: udp
12:46 <@krzee> !logs
12:46 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:55 < tony1> krzee: I vpn server is very stable with wifi and my laptop. http://pastebin.com/P60MWpK0
12:57 < tony1> krzee: it's like its stuck in a loop...disconnect / reconnect
12:59 <@krzee> thats one side, wheres the other?
13:00 < tony1> krzee: ok let me try to find it.....
13:00 <@krzee> you havnt looked at your server log while trying to debug?
13:03 < tony1> krzee: well the server always works. like I said if I use foxfi as a hot spot everything will work fine with my tablet
13:03 < tony1> you want syslog right?
13:03 <@krzee> !logfile
13:03 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
13:04 <@krzee> and you need to look at both sides when you debug your vpn, im not questioning whether your server is working or not
13:06 < tony1> http://pastebin.com/tQtAEqp3
13:09 <@krzee> Nov  8 13:08:17 vpn ovpn-server[2064]: MULTI: new connection by client 'tony02' will cause previous active sessions by this client to be dropped.
13:10 <@krzee> you have the same certs being run by 2 clients
13:10 <@krzee> so they battle back and forth
13:10 <@krzee> make new certs for each user and this problem will fix itself
13:11 < tony1> krzee: there is only one user
13:11 <@krzee> you sure? sounds like maybe the laptop is using the same certs
13:12 < tony1> I have the same certs on a tablet and on the phone. they are not used at the same time
13:12 <@krzee> 70.195.129.68 and 70.195.130.91 are both connecting with the same certs
13:12 <@krzee> back and forth
13:13 <@krzee> stop putting the same certs on multiple devices and you wont have to deal with stuff like this
13:14 <@krzee> hah 70.195.132.31 is connecting to it too
13:14 <@krzee> your log shows 3 different ips connecting with the same certs within 5min
13:14 < tony1> I wonder if the phone keeps changing it's ip causing the problem
13:15 <@krzee> same subnet, could be
13:15 <@krzee> if so, --float will fix it
13:15 <@krzee> i think plaisthos was working on android --float stuff recently, not sure what specifically though
13:16 < tony1> --float goes in the server config?
13:17 < tony1> it makes sense what you are saying for some reason connection drops phone gets a new ip drops and gets a new ip with an endless loop
13:17 < pekster> I thought float wasn't working (or wasn't until very recently) in anything but p2p mode
13:18 <@krzee> pekster, could be the case, where i use it happens to be in p2p mode
13:21 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 272 seconds]
13:23 < tony1> well at least I can use foxfi and create a hot spot and my tablet will connect with a stable connection. it would be nice if my phone would do the same for the times my tablet is not at hand
13:24 < pekster> Are you using --ping / --ping-restart (or the "helper" --keepalive)?
13:25 < pekster> Could be your mobile ISP times out UDP sessions very quickly
13:25 < pekster> If the client times out, it'll attempt a reconnect and you'll see the duplicate client disconnect warning in your server logs
13:26 < pekster> (times out or gets an ICMP error on stream it's using)
13:27 < tony1> pekster: let me look
13:28 < pekster> remember that those can be pushed too
13:31 < tony1> keepalive 10 120
13:32 < tony1> maybe I should try duplicate-cn in server.conf
13:32 < tony1> ?>
13:32 < pekster> The client won't normally time out due to loss of connection until 120 seconds
13:33 < pekster> that won't do any good since this is your only client; you _want_ it to kill the old session when a new one comes in
13:34 < pekster> (duplicate-cn would just keep the defunct one around until 4 minutes has gone by and then it'll get torn down anyway)
13:36 < tony1> I am at a loss. a google search shows other people with the same problem but I could not find a hint on how to fix it
13:36 < pekster> What's the exact client-side error during disconnect?
13:37 < tony1> I don't see a disconnect error
13:37 < pekster> Then it's not disconnecting or you're not logging
13:37 < pekster> !logs
13:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:40 < tony1> http://pastebin.com/P60MWpK0 http://pastebin.com/tQtAEqp3
13:41 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Quit: Leaving]
13:41 < pekster> line 347, the process got a USR1 signal asking it to restart
13:42 < pekster> Oh, probably not your latest connection though
13:43 < pekster> Yea, same thing on (and around) line 924. Something sent the openvpn process a USR1 signal (hard signal, not a "soft" timeout event generated internally) and that's why openvpn reconnects
13:44 < pekster> plaisthos might know more, but I think that would have to be something user (or that another process) caused to happen
13:45 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
13:55 < tony1> at least I can make a vpn connection with my tablet through my phone. It would be nice if the phone would connect. I will keep trying. thanks for the help. I will hang out for a while in case someone else has an idea.
13:56 < tony1> probably something with verizion
13:57 < pekster> That, or the phone is switching to some 'power-saving' mode, and the API controlling the VPN notices and attempts to SIGUSR1 (restart) the VPN to "reconnect" it after the "loss" of data service
13:58 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
13:59 -!- techwharf [~techwharf@ec2-54-194-62-157.eu-west-1.compute.amazonaws.com] has quit []
14:03 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: My Mac Mini has gone to sleep. ZZZzzz…]
14:03 < tony1> I have battery saver off. this is a new phone to me. my last phone was so old it would not run openvpn
14:14 -!- jdmf [~jdmf@78.156.100.202] has quit [Quit: Bye.]
14:14 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
14:16 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Ping timeout: 265 seconds]
14:26 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 245 seconds]
14:27 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 256 seconds]
14:30 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
14:36 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:05 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
15:07 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 258 seconds]
15:08 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
15:12 -!- dx486 [~dx486@unaffiliated/dx486] has joined #openvpn
15:13 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
15:13 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
15:13 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
15:16 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
15:18 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
15:25 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
15:31 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
15:34 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
15:40 < tony1> I have connected my LG G3 with a wireless connection to my local LAN and my connection is stable. I wonder if the problem I am having is related to 4G?
15:41 < tony1> just a thought
15:46 -!- mattock is now known as mattock_afk
15:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
15:49 < tony1> I should have said i connected my LG G3 to my VPN from my local LAN and my connection is stable
16:00 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:20 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
16:25 < Eugene> !linipforward
16:25 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
16:33 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Ping timeout: 260 seconds]
16:47 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
16:48 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 265 seconds]
16:49 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
16:58 < tony1> well i do believe I figured out my problem with android vpn. (with the help from you guys) for some reason my phone keeps getting a new IP address when I connect to the vpn. so it seems to me that either verison see's that I am on a vpn and changes my ip or for some reason when using the vpn client the radio disconnects. I will call verison tomorrow or monday and see what they say
17:01 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 250 seconds]
17:08 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
17:11 < Eugene> "You're using a VPN for tethering? That'll be an extra $20/mo"
17:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:15 < tony1> Eugene: not tethering per say but using the android vpn client to connect my phone through 4g/3g to the vpn
17:15 < Eugene> Right, but try telling that to the VZ service drone
17:16 < tony1> Eugene: so your saying to use the vpn client on 4G is an extra charge?
17:16 < Eugene> If I know Verizon there's an extra charge for sneezing
17:16 < tony1> lol
17:16 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 245 seconds]
17:17 < tony1> Eugene: well ill look into it. at least I can connect my tablet with foxfi and connect that way no problem
17:18 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
17:18 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:19 < tony1> i did not even think about an extra charge to use a vpn client.
17:21 < tony1> sounds about right though, I make the connection I can see a server on my lan then I am disconnected with a new IP and then im stuck in an endless loop
17:43 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 260 seconds]
17:58 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
17:58 -!- mpoole [~mpoole@minotaur.apache.org] has quit [Ping timeout: 265 seconds]
17:58 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
18:02 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Ping timeout: 265 seconds]
18:02 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 265 seconds]
18:03 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 265 seconds]
18:03 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 265 seconds]
18:03 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
18:04 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
18:04 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
18:05 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
18:05 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
18:24 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:34 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Read error: Connection reset by peer]
18:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:14 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
19:29 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:8c67:9bb1:5104:f78c] has joined #openvpn
19:34 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
19:41 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 258 seconds]
19:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
19:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Max SendQ exceeded]
20:04 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
20:09 -!- hightower4 [~hightower@213.147.97.222] has quit [Ping timeout: 265 seconds]
20:26 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
20:27 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 244 seconds]
20:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 272 seconds]
20:46 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
21:38 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
21:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:41 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
22:15 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
22:52 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
23:06 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
23:24 -!- ShadniX [dagger@p57941C55.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:27 -!- ShadniX [dagger@p5DDFE941.dip0.t-ipconnect.de] has joined #openvpn
23:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
--- Day changed Sun Nov 09 2014
00:12 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
00:47 -!- james41382__ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
01:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 245 seconds]
01:51 -!- mattock_afk is now known as mattock
02:12 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:13 < james41382> I am trying to configure OpenVPN as a client on my router so all traffic goes out through the VPN.
02:15 < james41382> !script
02:15 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
02:23 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
02:23 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
02:36 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 260 seconds]
02:47 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 250 seconds]
03:20 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
03:41 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
03:53 -!- raidz [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 245 seconds]
03:53 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
03:53 -!- mode/#openvpn [+o raidz] by ChanServ
03:54 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 255 seconds]
03:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:56 -!- c0ded [~c0ded@unaffiliated/c0ded] has left #openvpn []
03:56 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
03:59 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
04:00 -!- mode/#openvpn [+o mattock] by ChanServ
04:03 -!- raidz is now known as raidz_away
04:03 -!- raidz_away is now known as raidz
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
04:21 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:52 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
04:54 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
05:12 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 265 seconds]
05:18 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:37 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 250 seconds]
05:45 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
06:36 -!- ShadniX [dagger@p5DDFE941.dip0.t-ipconnect.de] has quit [Quit: Bye.]
06:37 -!- ShadniX [~ShadniX@p5DDFE941.dip0.t-ipconnect.de] has joined #openvpn
06:43 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
06:48 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 250 seconds]
07:26 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
07:31 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
07:34 -!- newlex [~nullx@unaffiliated/newlex] has joined #openvpn
07:34 < newlex> !welcome
07:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:40 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
07:42 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Read error: Connection reset by peer]
07:42 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
07:43 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
07:58 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 250 seconds]
08:12 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
08:18 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
08:48 -!- iveevue [~na@unaffiliated/iveevue] has joined #openvpn
08:49 < iveevue> Am I correct in thinking that adding a "config /etc/openvpn/foo" to the top of bar.conf will load all options in foo first, then load any options in bar.conf?
09:00 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
09:00 < ValdikSS> Hello guys. I know, this is not the appropriate channel to ask this question, but maybe someone knows some kind of script/application/daemon for policy routing/multiwan configuration in Linux with IPv6 support?
09:12 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 255 seconds]
09:14 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
09:24 -!- mcp [~mcp@wolk-project.de] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:26 < iveevue> No-one around?
09:33 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:39 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Quit: Updating Quassel Core]
09:43 -!- iveevue [~na@unaffiliated/iveevue] has quit [Ping timeout: 264 seconds]
09:43 -!- iveevue [~na@unaffiliated/iveevue] has joined #openvpn
09:49 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 255 seconds]
10:02 -!- Latrina [~Latrina@adsl-ull-221-197.50-151.net24.it] has quit [Ping timeout: 245 seconds]
10:03 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
10:03 -!- Latrina [~Latrina@151.56.185.145] has joined #openvpn
10:05 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
10:10 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
10:21 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 240 seconds]
10:23 < pekster> ValdikSS: LARTC is a good resource, and policy routing is loosely on-topic in #Netfilter too
10:23 < pekster> !lartc
10:23 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
10:24 < pekster> iveevue: Yes.
10:24 < iveevue> If so, does a definition in the latter file override one from the former?
10:24 < pekster> Yup, besides "stackable" options (like --push)
10:24 < iveevue> Thanks
10:29 < iveevue> pekster, does the config line need to use an absolute path ? e.g. /etc/openvpn/foo or just foo?
10:33 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 272 seconds]
10:34 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:37 -!- deranged_user [Jess@lolnerd.net] has quit [Quit: et nos unum sumus]
10:37 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
10:43 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:47 -!- iveevue [~na@unaffiliated/iveevue] has quit [Ping timeout: 265 seconds]
10:49 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
10:52 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
11:09 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
11:09 < ValdikSS> pekster: I know how to configure all this, but I'd like to have an application or script to automatize this
11:11 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
11:12 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has quit [Quit: Goodbye!]
11:15 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
11:35 -!- raidz is now known as raidz_away
11:38 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
12:06 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:10 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has quit [Quit: WeeChat 1.0]
12:18 -!- raidz_away [~raidz@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
12:21 -!- jdmf [~jdmf@78.156.100.202] has quit [Ping timeout: 255 seconds]
12:29 -!- x00e [~itch@5-12-52-140.residential.rdsnet.ro] has joined #openvpn
12:37 < x00e> Hello
12:40 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
12:40 -!- mode/#openvpn [+o mattock] by ChanServ
12:40 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
12:41 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
12:41 -!- mode/#openvpn [+o raidz] by ChanServ
12:41 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
12:48 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
13:27 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
13:29 -!- fenris_kcf [~fenris@p579E6735.dip0.t-ipconnect.de] has joined #openvpn
13:29 < fenris_kcf> hy. what could be the reason for error 10049 ("The requested address is not valid in its context.")?
13:34 -!- nutron [~nutron@unaffiliated/nutron] has quit [Quit: I must go eat my cheese!]
13:36 < fenris_kcf> ok, it was the clients darn firewall …
13:55 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:07 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 255 seconds]
14:18 -!- x00e [~itch@5-12-52-140.residential.rdsnet.ro] has quit [Quit: Leaving]
14:28 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has joined #openvpn
14:37 -!- mattock is now known as mattock_afk
14:47 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:54 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 260 seconds]
14:56 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
14:56 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
14:58 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
14:59 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
15:02 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Quit: Konversation terminated!]
15:17 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
15:17 < jp-> !welcome
15:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:17 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:18 -!- fenris_kcf [~fenris@p579E6735.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
15:21 -!- newlex [~nullx@unaffiliated/newlex] has left #openvpn []
15:22 < jp-> anyone have an idea or an example of how to script auth-user-pass-verify on a windows host using local accounts, not against active directory? i've seen plenty for authenticating against a domain.
15:24 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
15:25 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:26 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
15:27 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
15:28 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:28 -!- mode/#openvpn [+v s7r] by ChanServ
15:28 -!- james41382__ [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
15:33 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 265 seconds]
15:38 -!- Chais [~Chais@84.115.101.170] has joined #openvpn
15:51 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
15:51 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
15:52 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:04 -!- Chais [~Chais@84.115.101.170] has quit [Ping timeout: 264 seconds]
16:09 -!- Chais [~Chais@84.115.101.170] has joined #openvpn
16:10 -!- jonquest [~jp@unaffiliated/jp-] has joined #openvpn
16:12 -!- jp- [~jp@unaffiliated/jp-] has quit [Read error: Connection reset by peer]
16:25 -!- jonquest [~jp@unaffiliated/jp-] has quit [Quit: outa here]
16:27 -!- jp- [~jp@unaffiliated/jp-] has joined #openvpn
16:32 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 250 seconds]
16:38 < tony1> Eugene: you here? anyway I posted yesterday about trying to create a vpn tunnel over 4G with verison wireless. tec support said that 10.8.0.* is leaking from the tunnel and that is why I am having disconnect problems. i hope that makes sense to someone
16:38 < Eugene> Nope.
16:38 < Eugene> Your routes are buggered
16:41 < tony1> well i don't know enough to tell them waht to do. they have told me that they do not block VPN data
16:41 < tony1> *what
16:42 < Eugene> !configs
16:42 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:44 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
16:45 < tony1> tec said he was doing a trace and niticed 10.8.0.* leaking
16:50 < tony1> http://pastebin.com/eqixbWqy
16:52 < tony1> i dont see how 10.8.0.14 could be leaving the tunnel
16:53 < tony1> he said 10.8 was leaving the domain
16:53 < tony1> anyway I am doing my best to transfer the information
16:53 < tony1> that was given to me
16:55 < tony1> the connection is very stable over wifi, a 4G connection lasts about 15 seconds and then is disconnected
16:56 < tony1> and then reconnects in an endless loop
17:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
17:05 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
17:05 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
17:05 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
17:06 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Ping timeout: 250 seconds]
17:11 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
17:13 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
17:24 -!- nath_schwarz [~nath_schw@HSI-KBW-078-043-139-201.hsi4.kabel-badenwuerttemberg.de] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
17:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:56 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:02 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 255 seconds]
18:05 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:32 -!- Zune [~Zune@93-161-219-103-dynamic.dk.customer.tdc.net] has quit [Ping timeout: 240 seconds]
18:39 -!- Zune [~Zune@93-161-219-103-dynamic.dk.customer.tdc.net] has joined #openvpn
18:51 -!- resixian [~akira@unaffiliated/resixian] has quit [Ping timeout: 258 seconds]
19:05 -!- resixian [~akira@unaffiliated/resixian] has joined #openvpn
19:34 -!- m4573rm1nd [~m4573rm1n@68.118.48.13] has joined #openvpn
19:37 -!- m4573rm1nd [~m4573rm1n@68.118.48.13] has quit [Remote host closed the connection]
19:47 -!- winsoff [~foo@66.205.210.40] has joined #openvpn
19:47 < winsoff> !obfus
19:47 < winsoff> !factoids
19:47 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
19:47 < winsoff> !forwardsecurity
19:47 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
20:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 250 seconds]
20:17 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
20:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:03 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
21:03 < Pinchiukas> Can anybody explain to me how "remote-cert-tls server" helps to prevent mitm?
21:05 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Ping timeout: 258 seconds]
21:05 -!- Eugene [eugene@rfc1918.ninja] has quit [Ping timeout: 265 seconds]
21:05 -!- `Yoda [Yoda@gateway/shell/yourbnc/x-szwauayjorledkga] has quit [Ping timeout: 265 seconds]
21:07 -!- rich0_ is now known as rich0
21:20 < winsoff> Pinchiukas, in general, a remote certificate authority prevents MITM by being able to have a third party validate the authenticity of a certificate.
21:21 < winsoff> Without trusted certificate authorities, it falls apart.
21:22 -!- winsoff [~foo@66.205.210.40] has quit [Quit: Network Departure]
21:23 < Pinchiukas> Was he really talking about the option I mentioned?
21:25 < Pinchiukas> Looking at the description it looks like that OpenVPN only makes sure the remote side has a cert marked for being a server. How would that increase security?
21:25 < pekster> Pinchiukas: By preventing a client from pretentending it is a server a hijacking other client connections
21:28 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
21:30 < Pinchiukas> pekster: I'm sorry I don't understand how such a setup would work. Can you tell me in more detail?
21:30 -!- Eugene [eugene@rfc1918.ninja] has joined #openvpn
21:31 -!- `Yoda [~Yoda@gateway/shell/yourbnc/x-ukjywgsrvmvsfsoj] has joined #openvpn
21:31 < pekster> Pinchiukas: CA signs certs for a server (S) and 2 clients (Alice and Eve.) Eve is evil, and is able to act as a network MITM against Alice. If you do not have your clients check that they're connecting to an _authorized_ server, nothing stops Eve from presenting her (valid) client cert to Alice, claiming Eve is in fact the server
21:33 < pekster> Same reason your web client rejects TLS connections unless the server has the same flag enabled, 'TLS Web Server'
21:34 < Pinchiukas> You mean Eve can use the CA cert (which is public) to impersonate the server?
21:34 < pekster> No, her own
21:35 < pekster> You can't "use" a public key to prove identity unless you also hold the private key
21:35 < pekster> And it's not impersonating the server so much as "pretending to be a server" while claiming Eve is in fact Eve
21:36 < Pinchiukas> It seems I had an assumption that both the server and the client certificates had to be signed by the same CA. Don't know why. :)
21:36 < Pinchiukas> While in reality the server and the client can have their own separate CA+cert/key sets, right?
21:36 < pekster> They almost always are, but that's not the issue here (and they need not be with openvpn, but such use-cases are very small)
21:37 < pekster> That has nothing to do with your original question
21:37 < pekster> The threat is that clients can attack *other* clients, all signed by a single CA
21:37 < pekster> You stop this by signing certs properly and having clients verify they're talking to a system presenting a cert that is designated as a server
21:38 < pekster> If you don't do that, you can't stop authenticated (but not 'server-authorized') nodes from hijacking other client connections
21:38 < Pinchiukas> Can't Eve create hew own cert that'd be "designated as a server"?
21:38 < pekster> Not without the CA private key
21:38 < pekster> If Eve has that, it's game over anyway and you need to start over completely
21:38 < pekster> !intro-to-pki
21:38 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
21:39 < Pinchiukas> I seem to be missing some part of this puzzle. :)
21:39 < Pinchiukas> I understand PKI in the perspective of how it works in the website context but I guess this is a bit different.
21:39 < pekster> Apparently. You might also read up on the general distinction between authentication and authorization. The feature you ask about is to prevent an authenticated client from acting as an authorized server (because it's not)
21:41 < pekster> Alice can very incorrectly connect to the authenticated Eve client, thinking that it is a secure connection to a server, but this would be a security problem because Eve is not authorized to act as a server
21:41 < pekster> Eve isn't pretending it's our Server, Eve is claiming "Hi, I'm Eve and I'm your server." That's obviously bad if Alice then sends Eve protected information, such as passwords
21:42 < Eugene> the risk is really overblown in most situations, imo. but it doesn't hurt
21:43 < Eugene> Because eve needs to compromise Server in such a way that it doesn't get root access but can still MITM Bob and Alice
21:43 < pekster> server compromise isn't necessary, only network access to Alice's traffic
21:44 < Eugene> The chances are good that if Eve is compromised (whether by attack or malicious user), they will also have control of Server anyway
21:44 < pekster> (wifi hack, cafe, angry co-worker that ARP/NDP-spoofs to get the password and get the other co-worker fired, etc)
21:44 < pekster> control of server is meaningless here
21:44 < Eugene> control of the connection to sever
21:45 < Eugene> But if you can't trust Eve why did you issue them a cert?
21:45 < Eugene> But this is getting into meta trust
21:46 < pekster> Degrees of trust. I generally trust my browser to do a reasonable job of keeping me safe, but I don't run it as root
21:47 < Pinchiukas> Do the server and client certs have to be signed by the same CA?
21:47 < pekster> No, but it's considered quite an advanced setup not to
21:48 < pekster> There's no reason to do that unless you have very exotic needs and know why you're doing it
21:49 < pekster> Somewhat more common might be a single CA and multiple sub-CAs (say, different divisions of a company where autonomous teams were each responsible for issuing/maintaining credentials for servers vs clients.)
21:49 < Pinchiukas> Ok, in that case, what would prevent Eve from using her own CA and create whatever cert she wants? Or would that also require that I set up my client in an exotic "I know what I'm doing" way?
21:49 < pekster> End-users should *NEVER* (ever, ever) have access to thte CA
21:49 < Pinchiukas> You mean the private key?
21:49 < pekster> Yes
21:49 < Pinchiukas> But the server has to.
21:50 < pekster> What's that got to do with a client?
21:50 < Pinchiukas> Nothing :)
21:50 < pekster> You need to re-read the "The CA" section of the link I posted
21:50 < pekster> Only a CA can sign certificates, and end-users (clients, and even your sever) should not ever have that power
21:51 < Pinchiukas> Sorry, that was a dumb thing to say.
21:52 < Pinchiukas> Anyway, the client does make an assumption that the servers cert is signed by the same CA as his own cert? To break this assumption I'd have to add some configuration to the client, correct?
21:52 < pekster> No such assumption is made, no
21:54 < pekster> OpenVPN only cares that 1) the --ca file can be used to validate the certificate (and possible intermediate CA-bundle) supplied by the remote end, and 2) that the --key and --cert be part of the same keypair
21:54 < pekster> Beyond that, go nuts inventing as complex a PKI as suits your needs
21:55 < Pinchiukas> Ah, so if I use --ca, *then* it makes the assumption that the server cert is signed by the same CA?
21:57 < Eugene> I use a root CA and a chain supplied by the clients with an intermediary. I also verify that they have the eku for IPsec Tunnel or Client (close enough, really)
21:57 < Eugene> I have separate intermediates that don't sign using those EKUs, for other things in my infra
21:58 < Eugene> HTTPS and RDP certs, mostly
21:58 < Eugene> anything publicly facing uses a commercial cert
21:59 < pekster> Not the "same" CA as your client, no
21:59 < pekster> The server must be signed by the same CA as the client has specified in its --ca directive
21:59 < pekster> The client must be signed by the same CA as the server has specified in its --ca directive
21:59 < Eugene> A given instance verifies the remote --cert against it's local --ca, but not it's own cert
21:59 < Pinchiukas> Ah, ok.
22:00 < Pinchiukas> Now things start making sense. :)
22:01 < pekster> Eugene: Revocation gets interesting then :P
22:01 < pekster> Although most ovpn setups I've seen don't even try handling server-side revocation anyway, so I guess that's not a loss from the status-quo
22:05 < Eugene> yeah just clients
22:05 < Eugene> Most of my instances are signed with both EKUs anyway....
22:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
22:11 < Pinchiukas> So basically if I check if the server is using a cert of type 'server', I don't trust the clients not to abuse their (client) certs.
22:11 < pekster> Yup, that's the extent of it
22:11 < Pinchiukas> But if I've only ever signed a single server and a single client CA, I can consider myself safe.
22:12 < Pinchiukas> s/CA//
22:12 < Pinchiukas> s/CA/cert/ even :)
22:12 < Pinchiukas> It looks like I'm tired.
22:12 < pekster> Sure, but you give up saftey if you ever have that client cert compromized, properly revoked (and CRL published to the server) as you can never be sure that compromized client cert isn't used to MITM your client
22:13 < pekster> You could update CRLs on the client, but in practice that's rarely done
22:13 < Eugene> just don't issue certs to people other than yourself
22:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:13 < pekster> Far easier to use the "proper" protection upfront
22:13 < Eugene> which covers 90% of cases
22:13 < pekster> 'eh, still doens't help in a cert compromise
22:13 < Pinchiukas> Well yeah and what Eugene said. :)
22:14 < pekster> So, 1) don't trust anyone but yourself, 2) don't become a (possibly unknowing) victim. Easy!
22:14 < Pinchiukas> If I'm the only one who's using the CA, I'm good. If I'm giving other people certs I'm pretty much giving them permission to eavesdrop.
22:14 < Eugene> if they've compromised one end (root) they probably got your ssh keys and thus the other end
22:14 < Eugene> sooooo
22:15 < Pinchiukas> So yeah I guess it's still a good idea to designate the server cert as a server cert. :)
22:15 < Pinchiukas> Thanks for clearing that up, guys!
22:15 < pekster> https://xkcd.com/1121/
22:15 <@vpnHelper> Title: xkcd: Identity (at xkcd.com)
22:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
22:16 < Pinchiukas> haha
22:17 -!- prettyrobots [~prettyrob@do.inputrc.com] has quit [Quit: ZNC - http://znc.in]
22:20 < Pinchiukas> What's different between --remote-cert-tls and --ns-cert-type? Different x509v3 extensions or something?
22:20 < pekster> Yea, and the "Netscape" junk is deprecated
22:21 < Pinchiukas> By "Netscape" you're referring to ns-cert-type?
22:21 < pekster> Yup, it was an extension created by Netscape (yes, back from the Netscape Navigator days)
22:22 < pekster> Unless you absolutely cannot avoid using it, use the standardized TLS extensions
22:22 < Eugene> I don't like how much of a pain it is to use a x509 comment field
22:23 < Eugene> But that's x509 for you
22:25 < Pinchiukas> If I already have x509v1 certs generates I guess I could use tls-remote and still be secure?
22:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:25 < Pinchiukas> *generated
22:25 < Eugene> Verify based on a static CN? Sure
22:26 < Pinchiukas> Yeah
22:28 < pekster> You can wildcard that too, allowing multiple servers in that scheme if needed. Though you should use --verify-x509-name to avoid problems in future openvpn versiosn
22:28 < Pinchiukas> Cool!
22:28 < pekster> Read that option in the manpage if you want wildcarding for the syntax needed
22:28 < Pinchiukas> Though I guess it'd be good to learn how to generate proper certs.
22:29 < pekster> any of the 3 frontends mentioned here should do it for you out-of-the-box:
22:29 < pekster> !certman
22:29 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online
22:30 < pekster> As Eugene noted, X.509 and PKI in general is quite the rabbit hole of standards, implementations, and updates over the years
22:30 < Pinchiukas> I'm doing this using openssl commands - I want to learn how this stuff works internally. :)
22:33 < Eugene> I like XCA
22:58 -!- swo_0sh [~swo0sh@p5498E8C9.dip0.t-ipconnect.de] has joined #openvpn
22:59 < swo_0sh> hey there! i was wondering if there is a openvpn release which is smaller than the 1.1mb package on the openvpn page
22:59 < swo_0sh> maybe someone would know and give me a hint to get a vpn implementatin as small as possible
23:02 < Eugene> !xy
23:02 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
23:05 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
23:07 < swo_0sh> that was not helpfull
23:07 -!- swo_0sh [~swo0sh@p5498E8C9.dip0.t-ipconnect.de] has quit [Quit: Verlassend]
23:09 -!- tapout [~tapout@unaffiliated/tapout] has quit [Client Quit]
23:09 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
23:11 -!- swo_0sh [~swo0sh@p5498E8C9.dip0.t-ipconnect.de] has joined #openvpn
23:17 -!- mattock_afk is now known as mattock
23:25 -!- ShadniX [~ShadniX@p5DDFE941.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:26 -!- swo_0sh [~swo0sh@p5498E8C9.dip0.t-ipconnect.de] has left #openvpn ["Verlassend"]
23:26 -!- swo_0sh [~swo0sh@p5498E8C9.dip0.t-ipconnect.de] has joined #openvpn
23:26 -!- ShadniX [dagger@p5DDFC41F.dip0.t-ipconnect.de] has joined #openvpn
23:29 -!- lotuspsychje [~lotuspsyc@145.129.118.133] has joined #openvpn
23:32 -!- elfixit1 [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 244 seconds]
23:33 -!- Shiftos_ [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:34 < swo_0sh> !xy
23:34 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
23:34 -!- swo_0sh [~swo0sh@p5498E8C9.dip0.t-ipconnect.de] has left #openvpn ["Verlassend"]
23:36 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
23:36 -!- Shiftos_ is now known as Shiftos
23:44 -!- lotuspsychje [~lotuspsyc@145.129.118.133] has left #openvpn ["Ik ga weg"]
--- Day changed Mon Nov 10 2014
00:13 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
00:14 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
00:25 -!- sara2010 [b45c9d15@gateway/web/freenode/ip.180.92.157.21] has joined #openvpn
00:25 < sara2010> anyone there
00:29 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
00:32 < sara2010> http://pastebin.centos.org/13631/
00:59 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
00:59 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
01:01 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
01:06 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 244 seconds]
01:12 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Ping timeout: 244 seconds]
01:13 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn
01:28 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
01:29 < sara2010> any one help me
01:38 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 264 seconds]
01:41 -!- sara2010 [b45c9d15@gateway/web/freenode/ip.180.92.157.21] has quit [Disconnected by services]
01:43 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
01:59 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 255 seconds]
02:05 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
03:06 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
03:15 -!- fps [~tapas@fps.io] has joined #openvpn
03:24 -!- ketas [~ketas@92.38.190.90.dyn.estpak.ee] has quit [Read error: Connection reset by peer]
03:24 -!- ketas [~ketas@92-38-190-90.dyn.estpak.ee] has joined #openvpn
03:29 -!- hexeditme [5b4b4d46@gateway/web/freenode/ip.91.75.77.70] has joined #openvpn
03:30 < hexeditme> hi guys i am trying to push route from the vpn server to the client, i can ping the server using the pushed network but i cant ping anything else on the network, ip forwarding is enabled
03:30 < hexeditme> if u guys need any more info let me know please
03:32 < fps> hexeditme: i can't help, since i'm a ovpn noob
03:33 < fps> but check the /topic
03:34 < hexeditme> !paste
03:34 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
04:04 < hexeditme> if i am using openvpn TCP protocol and then from the VPN i used an application that uses UDP protocol does the VPN implements the TCP on the UDP (i have no idea how to delever this question properly)
04:09 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
04:09 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:10 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has joined #openvpn
04:14 < hexeditme> ok i'll try to explain more (if i am connecting to my network using TCP and in my network i have a VOIP server that uses UDP protocol so i connect to it using my softphone client, is the TCP connection going to effect the UDP inside of the tunnel ?) so is the UDP going to function as a TCP ?
04:15 < hexeditme> i tried my best explaining >.<"
04:30 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
04:30 < ValdikSS> Hello! Could someone please check if IPv6 DNS pushing works in Windows
04:36 -!- hexeditme [5b4b4d46@gateway/web/freenode/ip.91.75.77.70] has quit [Ping timeout: 246 seconds]
04:39 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
04:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
05:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:11 -!- harshar [~harsh@202.3.77.215] has quit [Ping timeout: 272 seconds]
05:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:11 -!- mode/#openvpn [+o syzzer] by ChanServ
05:18 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 260 seconds]
05:26 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:26 -!- mode/#openvpn [+o syzzer] by ChanServ
05:27 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
05:27 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:36 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
06:07 -!- cheesenbiscuts [~cheesenbi@118.101.238.169] has joined #openvpn
06:07 < cheesenbiscuts> Hi Everybody!
06:09 < ValdikSS> Guys, how do I debug openvpn plugins? I have radiusplugin which crashes each ~10 hours. It worked fine with debian 7 32-bit, openvpn 2.3.2 and radiusplugin from cvs. Right now I have debian 7 64-bit, openvpn 2.3.4 and radiusplugin compiled with debug symbols. It crashes openvpn in a strange way that one process still remains in the read() call, and one (that one which handles tun/tap adapter and connections) crashes. It doesn't generate core file (
06:09 < ValdikSS> ulimit -c unlimited). It doesn't show anything with gdb
06:09 < ValdikSS> Program received signal SIGTERM, Terminated.
06:09 < ValdikSS> [Switching to Thread 0x7ffff7f49700 (LWP 4304)]
06:09 < ValdikSS> 0x00007ffff74d7ac0 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
06:09 < ValdikSS> 81      ../sysdeps/unix/syscall-template.S: No such file or directory.
06:09 < ValdikSS> (gdb) generate-core-file
06:09 < ValdikSS> Couldn't get registers: No such process.
06:09 < ValdikSS> (gdb) set logging file my_back_trace.txt
06:09 < ValdikSS> (gdb) thread apply all bt full
06:09 < ValdikSS> Cannot find new threads: generic error
06:10 < ValdikSS> There is no messages in log with default verbose. Right now I'm running it with verb 7, let's see when it crashes again.
06:11 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
06:11 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
06:15 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 250 seconds]
06:35 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
06:46 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 260 seconds]
06:48 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
06:53 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
07:04 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:04 -!- cheesenbiscuts [~cheesenbi@118.101.238.169] has quit [Remote host closed the connection]
07:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:18 -!- harshar [~harsh@202.3.77.215] has joined #openvpn
07:22 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Ping timeout: 245 seconds]
07:29 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
07:41 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 250 seconds]
08:06 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
08:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
08:13 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
08:24 -!- tormen [~me@188.165.109.34] has joined #openvpn
08:25 < tormen> Hi. Why does openvpn LISTEN on a local port when I initiate an outgoing UDP vpn connection from my client to the server ?
08:25 < tormen> As I am NATed this port can't anyway never be reached ...
08:26 < tormen> Is there hence any way to close it ? (prevent it from opening) (without iptables)
08:26 < tormen> ... I tried google but did find nothing. Probably a dumb question. Help would be really appreciated. Thanks in advance !!
08:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:43 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
08:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
08:52 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
09:17 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
09:24 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:34 -!- deranged_user [Jess@lolnerd.net] has quit [Quit: et nos unum sumus]
09:38 -!- tormen [~me@188.165.109.34] has quit [Ping timeout: 250 seconds]
09:38 < defswork> interesting question
09:39 < defswork> not sure how he intended to receive data
09:40 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:41 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
09:43 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Ping timeout: 272 seconds]
09:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:52 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 255 seconds]
09:52 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:00 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:01 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 264 seconds]
10:06 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
10:13 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 272 seconds]
10:17 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
10:25 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
10:29 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
10:29 < moeyebus> Hi
10:30 < moeyebus> I'm using easy-rsa 2.0 to generate a client key and cert
10:30 < moeyebus> And the crt is blank...
10:30 < moeyebus> Why is that?
10:30 < moeyebus> I've reproduced this a few times now.
10:44 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
10:45 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
10:45 -!- lorens [~lorens@88.198.190.189] has joined #openvpn
10:46 -!- lorens [~lorens@88.198.190.189] has quit [Remote host closed the connection]
10:52 -!- tormen [~me@188.165.109.34] has joined #openvpn
10:52 < tormen>  HI. Is there any way to avoid having a UDP port LISTEN client-side on an outgoing openvpn connection ? ... It seems strange that the client listens as I am mostly anyways NAT'ed there is no use in this ...
10:56 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:57 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Quit: No Ping reply in 180 seconds.]
10:57 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:03 < cwillu_at_work> tormen, udp doesn't have connections
11:03 < cwillu_at_work> you wouldn't be able to receive any data from the server you're connecting to if there wasn't a listening socket
11:05 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 245 seconds]
11:06 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:08 < cwillu_at_work> tormen, so in the case of nat, once you've bound a socket to some remote host:port, any other host can now send packets to the listening socket (modulo some complications)
11:08 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:09 < cwillu_at_work> http://en.wikipedia.org/wiki/UDP_hole_punching
11:09 <@vpnHelper> Title: UDP hole punching - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:09 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 258 seconds]
11:24 < tormen> cwillu_at_work: THANKS !!
11:24 < tormen> :)
11:24 < tormen> cwillu_at_work: sorry: I didn't mean to shout: Thanks !! :))
11:25 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:43 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
11:44 -!- harshar [~harsh@202.3.77.215] has quit [Remote host closed the connection]
11:56 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
11:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
12:23 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
12:23 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Disconnected by services]
12:23 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
12:34 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
12:49 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
12:50 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 250 seconds]
12:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:52 -!- tormen [~me@188.165.109.34] has quit [Remote host closed the connection]
13:46 -!- Neal_ [neal@felix.ineal.me] has quit [Quit: brb system upgrade]
13:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 265 seconds]
13:48 -!- Hoaas [~hoaas@cm-84.215.143.53.getinternet.no] has quit [Ping timeout: 245 seconds]
13:52 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
13:52 -!- Neal_ [neal@felix.ineal.me] has quit [Remote host closed the connection]
13:54 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
13:54 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 250 seconds]
13:56 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
13:57 -!- viztro [~viztro@eq48.fdo-may.ubiobio.cl] has joined #openvpn
14:08 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:08 -!- ckorzhik [~user@176.194.3.27] has joined #openvpn
14:10 < ckorzhik> hello. Does somebody use openvpn on Centos7/Redhat7? There are scripts for getting DNS from server (client-up and client-down), but they just change /etc/resolv.conf. If I understand correctly, this
14:10 < ckorzhik> file is not used by system now.
14:10 < ckorzhik> so, is there script which use nmcli?
14:12 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:12 < Eugene> I do; I don't use those scripts, though
14:12 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 244 seconds]
14:12 < Eugene> IMO fucking around with resolv.conf or any of the rest of it is a pointless pain in the ass. Just put your records in the public DNS system, and use 127.0.0.1+8.8.8.8 and call it a day.
14:13 < Eugene> RFC1918 addresses should of course be defined at your border gateway resolvers, and only resolved internally.\
14:16 -!- mattock is now known as mattock_afk
14:26 -!- xamox [~xamox@c-68-42-242-42.hsd1.mi.comcast.net] has joined #openvpn
14:27 < xamox> Is it possible to connect to multiple OpenVPN servers (have multiple tun devices) using client.conf, or is that only able to point to a single machine and then I have to use something like openvpn --config blah.ovpn instead?
14:31 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
14:36 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:37 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 244 seconds]
14:39 <@ecrist> you can have one config and pass --remote to each, if you like
14:40 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:41 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 250 seconds]
14:43 < xamox> Okay, thanks
14:44 <@ecrist> just remember that everything in the config is just a --something option
14:46 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:46 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
14:48 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:55 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:55 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 256 seconds]
14:59 < phuzion> Anyone know of a relatively comprehensive guide on properly setting iptables firewall rules for OpenVPN purposes? I have a VPS that I want to use as a VPN server, and I need to be able to access the internet using that VPS's connection from any device that is on the VPN subnet.
15:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:08 < Eugene> !iptables
15:08 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
15:08 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
15:09 < Eugene> The link at #2 will get you the basic rules needed for a standard redirect scenario(which is what you're asking about)
15:20 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
15:30 < phuzion> Eugene: Thanks a bunch
15:36 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
15:43 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
15:43 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 256 seconds]
15:43 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:47 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 272 seconds]
15:49 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
15:58 -!- xamox [~xamox@c-68-42-242-42.hsd1.mi.comcast.net] has quit [Quit: Leaving]
16:01 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
16:01 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
16:02 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
16:02 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
16:18 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
16:20 -!- Denial [~Denial@host86-134-250-172.range86-134.btcentralplus.com] has joined #openvpn
16:22 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:27 -!- havingFun is now known as xrosnight
16:40 < pekster> phuzion: See:
16:40 < pekster> !redirect
16:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:40 -!- ckorzhik [~user@176.194.3.27] has quit [Ping timeout: 250 seconds]
16:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:00 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:55 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 264 seconds]
18:30 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
18:31 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Excess Flood]
18:34 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
18:43 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
18:44 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:44 -!- mode/#openvpn [+v s7r] by ChanServ
18:49 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 272 seconds]
19:07 -!- blackbit [ahuemer@unaffiliated/ahuemer] has quit [Excess Flood]
19:08 -!- blackbit [ahuemer@unaffiliated/ahuemer] has joined #openvpn
19:13 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 240 seconds]
19:19 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
19:24 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 250 seconds]
19:29 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
19:32 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Quit: ZNC - http://znc.in]
19:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
19:36 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
19:36 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 272 seconds]
19:38 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
19:45 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 245 seconds]
19:51 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
19:54 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
19:56 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 260 seconds]
19:56 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 260 seconds]
19:56 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
19:56 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 265 seconds]
19:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:56 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 291 seconds]
19:56 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 291 seconds]
19:56 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 261 seconds]
19:57 -!- Latrina [~Latrina@151.56.185.145] has quit [Ping timeout: 257 seconds]
19:57 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 257 seconds]
19:57 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 257 seconds]
19:57 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 257 seconds]
19:59 -!- Latrina [~Latrina@151.56.185.145] has joined #openvpn
20:00 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
20:01 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
20:02 -!- BtbN [btbn@btbn.de] has joined #openvpn
20:04 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
20:06 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
20:06 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
20:07 < Pinchiukas> Can anybody tell me why in the table in https://openvpn.net/index.php/open-source/documentation/howto.html#mitm, there are multiple lines per client and server?
20:07 <@vpnHelper> Title: HOWTO (at openvpn.net)
20:10 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 264 seconds]
20:11 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
20:47 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:02 -!- Raku_ [~Raku@user-105n21p.cable.mindspring.com] has joined #openvpn
21:39 -!- Raku_ [~Raku@user-105n21p.cable.mindspring.com] has quit [Quit: You were eaten by a grue!]
21:40 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Read error: Connection reset by peer]
21:47 -!- marky [~m@unaffiliated/rbx] has joined #openvpn
21:47 < marky> hi
21:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:57 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
22:01 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:07 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 244 seconds]
22:08 -!- crus [crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has joined #openvpn
22:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
22:56 -!- hightower4 [~hightower@213.147.97.222] has joined #openvpn
23:17 -!- justinzane [~justinzan@67.21.190.132] has quit []
23:24 -!- ShadniX [dagger@p5DDFC41F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:25 -!- ShadniX [dagger@p5DDFF24B.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:35 < c0ded> rawr
23:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
23:55 -!- marky [~m@unaffiliated/rbx] has left #openvpn []
23:59 -!- mattock_afk is now known as mattock
--- Day changed Tue Nov 11 2014
00:26 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:30 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
01:15 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 275 seconds]
01:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 275 seconds]
01:17 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 275 seconds]
01:18 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Remote host closed the connection]
01:20 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 455 seconds]
01:22 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
01:28 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Quit: No Ping reply in 180 seconds.]
01:29 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
01:38 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Write error: Broken pipe]
01:43 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:49 -!- Netsplit *.net <-> *.split quits: capri, zamba, SlutaTramsa
01:53 -!- Netsplit over, joins: SlutaTramsa
01:55 -!- BtbN [btbn@btbn.de] has joined #openvpn
01:56 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
01:57 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
02:14 -!- zamba [marius@flage.org] has joined #openvpn
02:14 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
02:21 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
02:25 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
02:38 -!- Zune [~Zune@93-161-219-103-dynamic.dk.customer.tdc.net] has quit [Ping timeout: 255 seconds]
02:48 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
02:53 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has joined #openvpn
03:47 -!- kef [~kef@matrix.fullmotion.de] has joined #openvpn
03:49 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
03:53 < kef> hey guys. has anybody actually tried to configure a vpn-on-demand profile for iOS using the iPhone Configuration Utility, as per the documentation at https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html?
03:53 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net)
03:55 < kef> I'm having the hardest time doing just that. I'm using "net.openvpn.OpenVPN-Connect.vpnplugin" as identifier, but when I quit/reopen the configuration utility overwrites what i selected as connection type and replaces it by openvpn, thus overriding all my custom entered values for ca, dev, tls-server etc...
03:55 < kef> *it overwrites
04:01 -!- Zune [~Zune@93-161-219-237-dynamic.dk.customer.tdc.net] has joined #openvpn
04:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
04:22 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
04:25 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 244 seconds]
04:35 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
04:36 -!- Denial [~Denial@host86-134-250-172.range86-134.btcentralplus.com] has quit [Ping timeout: 272 seconds]
04:40 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
04:45 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:17 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
05:20 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 250 seconds]
05:42 -!- Netsplit *.net <-> *.split quits: Exagone313
05:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
06:06 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
06:10 -!- BtbN [btbn@btbn.de] has joined #openvpn
06:22 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 255 seconds]
06:28 -!- viztro [~viztro@eq48.fdo-may.ubiobio.cl] has quit [Ping timeout: 258 seconds]
06:31 -!- Netsplit over, joins: Exagone313
06:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
06:53 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
06:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:11 -!- blackbit [ahuemer@unaffiliated/ahuemer] has quit [Quit: blackbit]
07:12 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
07:12 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:12 -!- ahuemer is now known as blackbit
07:14 -!- blackbit [ahuemer@unaffiliated/ahuemer] has quit [Client Quit]
07:14 -!- ahuemer [ahuemer@unaffiliated/ahuemer] has joined #openvpn
07:18 -!- ahuemer is now known as blackbit
07:19 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
07:20 -!- theptr [~theptr@d54c134d8.access.telenet.be] has joined #openvpn
07:21 < theptr> hi, i use a 14.04lts headless ubuntu server . i installed a openvpn server on it and now i want to connect my windows machine but openvpn client needs a .ovpn and i dont have it could someone help me
07:22 < theptr> i used this guide for the server side : https://help.ubuntu.com/14.04/serverguide/openvpn.html
07:22 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
07:23 < theptr> vpnHelper, ?
07:47 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
08:00 -!- deranged_user [Jess@lolnerd.net] has quit [Ping timeout: 265 seconds]
08:02 < phuzion> theptr: vpnHelper is a bot. Try the sample configuration file found at the end of this page, and modify it to suit your needs: https://openvpn.net/index.php/open-source/documentation/howto.html#examples
08:02 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:03 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
08:05 < theptr> phuzion, thanks
08:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:17 -!- Exagone313 [~exa@ewd.ovh] has quit [Excess Flood]
08:18 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
08:21 -!- Exagone313 [~exa@ewd.ovh] has quit [Excess Flood]
08:22 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
08:25 -!- Exagone313 [~exa@ewd.ovh] has quit [Client Quit]
08:25 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
08:37 -!- theptr [~theptr@d54c134d8.access.telenet.be] has quit [Quit: Leaving]
09:00 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
09:02 -!- hightower4 [~hightower@213.147.97.222] has quit [Ping timeout: 250 seconds]
09:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
09:11 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
09:11 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
09:13 -!- Latrina [~Latrina@151.56.185.145] has quit [Ping timeout: 255 seconds]
09:14 -!- Latrina [~Latrina@151.56.175.232] has joined #openvpn
09:14 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:14 -!- mode/#openvpn [+o dazo] by ChanServ
09:17 -!- Exagone313 [~exa@ewd.ovh] has quit [Quit: see ya!]
09:17 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
09:24 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
09:24 -!- Exagone313 [~exa@ewd.ovh] has quit [Quit: see ya!]
09:24 -!- Exagone313 [znc@ewd.ovh] has joined #openvpn
09:31 -!- Exagone313 [znc@ewd.ovh] has quit [Quit: see ya!]
09:31 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
09:35 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 258 seconds]
09:35 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:35 -!- Irssi: #openvpn: Total of 196 nicks [9 ops, 0 halfops, 2 voices, 185 normal]
09:45 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
09:58 -!- Latrina [~Latrina@151.56.175.232] has quit [Ping timeout: 264 seconds]
10:02 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
10:22 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 255 seconds]
10:23 < Pinchiukas> Can anybody tell me why in the table in https://openvpn.net/index.php/open-source/documentation/howto.html#mitm, there are multiple lines per client and server?
10:23 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:27 <@ecrist> regarding key usage?
10:28 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
10:37 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
10:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:40 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:54 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
10:56 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit [Ping timeout: 250 seconds]
10:58 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 244 seconds]
11:17 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
11:27 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Quit: Leaving]
11:29 -!- viztro [~viztro@eq48.fdo-may.ubiobio.cl] has joined #openvpn
11:29 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
11:34 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:37 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:37 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:39 -!- alexwh [~awh@81.4.125.59] has joined #openvpn
11:43 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
11:45 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 301 seconds]
11:51 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
11:57 -!- Argure [argure@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
11:58 -!- Envil [~meep@95.211.26.40] has joined #openvpn
12:11 < Pinchiukas> ecrist: yes?
12:11 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:12 <@ecrist> what's the question?
12:12 <@ecrist> multiple key usage extensions are needed/allowed for each type of certificate
12:12 <@ecrist> seems pretty self-explanitory to me
12:14 < Pinchiukas> So do I use digitalSignature or keyAgreement on a client?
12:14 < Pinchiukas> Or both?
12:14 <@ecrist> both
12:15 < Pinchiukas> So why the first two lines then?
12:17 <@ecrist> I suggest, if you actually care, you read RFC3280
12:17 <@ecrist> page 41-ish
12:25 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:31 -!- rich0_ is now known as rich0
12:46 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
12:47 < wkd> I'm having an issue with openvpn and samba, I use the samba over openvpn for about an hour and then I get a microsoft network error saying it can't map the network drive because it's already in use... as soon as I reconnect the openvpn it works instantly.. anyone know any reason this would happen?
12:48 < wkd> says the local device name is already in use
12:52 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
12:56 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
12:57 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
12:58 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has joined #openvpn
12:59 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
13:11 -!- robsco [~robsco@cpc10-hers4-2-0-cust224.6-3.cable.virginm.net] has joined #openvpn
13:17 -!- alexwh is now known as awh
13:17 -!- awh is now known as netarg
13:18 -!- netarg is now known as alexwh
13:21 < robsco> I'm having severe trouble getting 2 clients working and accessing the LANs behind them.  followed the docs, etc. and all is well with 1, but not the other, my subnets are all technically OK but I may be finding an edge case...
13:22 < robsco> I have 2 clients, physically on 172.30.0.126 and 172.30.0.127
13:22 < robsco> each client runs a collection of VMs, I've decided to put the VMs on 172.30.1.0/25 (for the first client) and 172.30.1.128/25 (on the 2nd client)
13:23 < robsco> I want the VMs to route via the client, to the VMS server, and out onto the LAN the vpn server runs on
13:23 -!- br4ndon [~br4ndon@mic92-6-82-227-94-156.fbx.proxad.net] has quit [Quit: br4ndon]
13:24 < robsco> this works for one, but not the other, if i disable one client, the other works.  configs on both clients are identical
13:24 < robsco> if someone has a spare 5 mins I'd sure apprciate it, spent 2 days on this so far :-/
13:26 < robsco> http://paste.scsys.co.uk/438810
13:29 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has quit [Ping timeout: 255 seconds]
13:32 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
13:34 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 240 seconds]
13:39 -!- Chiyo [Chiyo@pdpc/supporter/active/chiyo] has joined #openvpn
13:39 -!- papna [~papna@python/site-packages/papna] has joined #openvpn
13:39 -!- papna [~papna@python/site-packages/papna] has left #openvpn []
13:39 -!- Chiyo [Chiyo@pdpc/supporter/active/chiyo] has left #openvpn []
13:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
13:45 -!- shadowhawk100 [0c6a56e6@gateway/web/cgi-irc/kiwiirc.com/ip.12.106.86.230] has joined #openvpn
13:46 < shadowhawk100> Hey guys... I can't seem to get the silent installer to work properly anymore... It installs everything silently instead of the components that I choose...
13:47 -!- mattock is now known as mattock_afk
13:47 < shadowhawk100> Has the commandline changed with the version updates? I know the gui installer has changed a bit
13:47 < shadowhawk100> My command is:
13:48 < Eugene> Are you using the same cert on both clients?
13:48 < shadowhawk100> openvpn-install-2.3.5-I602-i686.exe /S /SELECT_SHORTCUTS=0 /SELECT_SERVICE=1 /SELECT_TAP=0 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 /SELECT_PATH=1 /SELECT_OPENSLLDLLS=1 /SELECT_LZ0DLLS=1 /SELECT_PKCS11DLLS=1
13:49 < shadowhawk100> the cert to remove the warning about trusting the OpenVPN publishers?
13:49 < shadowhawk100> yes it is the same
13:49 < shadowhawk100> And I don't get that warning
13:50 < shadowhawk100> Oh sorry... I copied the command that I've been playing around with to try and get it working
13:50 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:50 < shadowhawk100> The args are actually:
13:51 < shadowhawk100> "/S /SELECT_SHORTCUTS=0 /SELECT_OPENVPN=1 /SELECT_SERVICE=1 /SELECT_TAP=0 /SELECT_OPENVPNGUI=0 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 /SELECT_PATH=1 /SELECT_OPENSSLDLLS=1 /SELECT_LZODLLS=1 /SELECT_PKCS11DLLS=1"
13:51 < shadowhawk100> And I'm still getting GUI and TAP
13:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
14:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
14:05 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 244 seconds]
14:15 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
14:28 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
14:45 -!- alexwh [~awh@81.4.125.59] has quit [Changing host]
14:45 -!- alexwh [~awh@unaffiliated/alexwh] has joined #openvpn
14:46 -!- alexwh [~awh@unaffiliated/alexwh] has quit [Quit: Quitting]
14:47 -!- alexwh [~alexwh@unaffiliated/alexwh] has joined #openvpn
14:52 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:53 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Remote host closed the connection]
14:54 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
14:57 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
15:12 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: Connection reset by peer]
15:13 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
15:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
15:40 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
15:40 -!- hydrajump [~hydrajump@unaffiliated/hydrajump] has joined #openvpn
15:46 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
15:48 -!- heraclitus [~heraclitu@unaffiliated/heraclitis] has quit [Ping timeout: 255 seconds]
15:59 < shadowhawk100> Does anyone know how to pull a current list of Silent OpenVPN Install switches? The list at http://justcheckingonall.wordpress.com/2013/03/11/command-line-installation-of-openvpn/ doesn't seem to be working anymore
15:59 < shadowhawk100> Or where the code for building the OpenVPN Windows package is... maybe it can be found in there
16:07 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
16:10 -!- opalraava [~ircuser@2a01:7c8:aaae:18d:5054:ff:fe92:38da] has left #openvpn []
16:24 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:31 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:34 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:38 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 265 seconds]
16:39 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:42 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
17:03 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
17:03 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
17:21 < shadowhawk100> Looks like it was a good old fashioned extra set of quotes in the batch install script... thanks anyways :p
17:24 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
17:32 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:40 -!- Chais [~Chais@84.115.101.170] has quit [Ping timeout: 240 seconds]
17:40 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
17:40 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:46 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
17:55 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 244 seconds]
17:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
17:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
17:59 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
18:01 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Ping timeout: 255 seconds]
18:04 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:05 -!- mode/#openvpn [+v s7r] by ChanServ
18:08 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
18:14 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
18:17 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 264 seconds]
18:19 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
18:25 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
18:30 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
18:39 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
18:39 -!- shadowhawk100 [0c6a56e6@gateway/web/cgi-irc/kiwiirc.com/ip.12.106.86.230] has quit []
18:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:05 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
19:05 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:17 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
19:24 -!- dazo is now known as dazo_afk
19:27 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:34 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
19:37 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
19:39 -!- lchill [~lchill@nyc-333.nycbit.com] has joined #openvpn
19:45 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 256 seconds]
19:55 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
20:08 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 255 seconds]
20:18 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
20:35 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:8c67:9bb1:5104:f78c] has quit [Quit: Leaving]
20:45 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1d46:8473:1820:aca5] has joined #openvpn
20:54 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:17 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
21:24 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:31 -!- jp- [~jp@unaffiliated/jp-] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
21:35 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
21:41 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
22:33 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
23:07 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has quit [Ping timeout: 244 seconds]
23:15 -!- akamaru [~akamaru21@2601:0:8a80:1064:1d46:8473:1820:aca5] has joined #openvpn
23:17 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1d46:8473:1820:aca5] has quit [Ping timeout: 244 seconds]
23:22 -!- ShadniX [dagger@p5DDFF24B.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:23 -!- ShadniX [dagger@p5481CDA5.dip0.t-ipconnect.de] has joined #openvpn
23:25 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
23:30 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 250 seconds]
23:39 -!- HexEditMe [566251c8@gateway/web/freenode/ip.86.98.81.200] has joined #openvpn
23:51 < HexEditMe> i am facing a problem when tring to ping a PC on the routed network i can ping the server 10.0.0.1 but not any other devices on that network (http://pastebin.com/R4KbeRmZ) those are my configuration files, server is running on debian wheezy 7 (ip forwarding is enabled)
23:55 -!- HexEditMe [566251c8@gateway/web/freenode/ip.86.98.81.200] has quit [Quit: Page closed]
23:56 -!- HexEditMe [5b4b4d3e@gateway/web/freenode/ip.91.75.77.62] has joined #openvpn
23:59 -!- mattock_afk is now known as mattock
--- Day changed Wed Nov 12 2014
00:00 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:09 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
00:20 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
00:21 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:23 -!- altker128 [~vr@18.111.29.84] has joined #openvpn
00:24 < altker128> Hey all.  Perhaps a silly question, but let me ask none the less.  I have a pFSense machine doing firewall and OpenVPN.  I'd like for the OpenVPN IP to be in the same subnet as the LAN , so I've setup OpenVPN to give out IPs in the same subnet, just separated.  OpenVPN clients can ping gateway, get on to internet, but not ping LAN clients.  Is this to be expected?
00:24 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:26 < altker128> I am using tun, not tap.  It feels like to do what I want (same IP range) then I'd need tap, which would incurr a performance hit, etc.
00:29 -!- hexeditme_ [56622d26@gateway/web/freenode/ip.86.98.45.38] has joined #openvpn
00:29 -!- akamaru [~akamaru21@2601:0:8a80:1064:1d46:8473:1820:aca5] has quit [Read error: Connection reset by peer]
00:31 -!- HexEditMe [5b4b4d3e@gateway/web/freenode/ip.91.75.77.62] has quit [Ping timeout: 246 seconds]
00:37 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e470:a238:a290:efaf] has joined #openvpn
00:45 -!- hexeditme_ [56622d26@gateway/web/freenode/ip.86.98.45.38] has quit [Quit: Page closed]
00:50 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
00:50 -!- altker128 [~vr@18.111.29.84] has quit [Ping timeout: 258 seconds]
00:51 < TyrfingMjolnir> How can I configure myVPN connection to run all traffic to youtube via the VPN, while all other traffic go from my whereever I m at?
00:54 < TyrfingMjolnir> How can I configure my VPN connection to run all traffic to youtube via the VPN, while all other traffic go from my computer where ever I m at?
00:58 -!- HexEditMe [5b4b4d46@gateway/web/freenode/ip.91.75.77.70] has joined #openvpn
01:06 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
01:06 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Client Quit]
01:15 -!- altker128 [~vr@18.111.29.84] has joined #openvpn
01:18 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 244 seconds]
01:37 -!- HexEditMe [5b4b4d46@gateway/web/freenode/ip.91.75.77.70] has quit [Quit: Page closed]
01:39 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
01:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:50 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
01:51 -!- altker128 [~vr@18.111.29.84] has quit [Ping timeout: 256 seconds]
01:52 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has joined #openvpn
01:55 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
01:56 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has quit [Read error: Connection reset by peer]
01:56 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
01:56 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has joined #openvpn
01:57 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has quit [Max SendQ exceeded]
01:58 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has joined #openvpn
02:03 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has quit [Quit: Bye.]
02:14 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
02:15 -!- Latrina [~Latrina@ppp-219-41.26-151.libero.it] has joined #openvpn
02:21 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:23 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has joined #openvpn
02:25 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 256 seconds]
02:26 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
03:02 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
03:02 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:10 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
03:11 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
03:13 < akurilin> quick question: what are some good IP ranges to use for one's VPNs? I'm currently using 10.0.0/24, 10.0.1/24 for two production subnets and 10.8.0/24 for vpn client machines
03:13 < akurilin> but I remember folks recommending possibly using other ranges altogetehr
03:14 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 245 seconds]
03:19 -!- jophish [~quassel@2a00-5300-0-2-0-0-0-1fe.ipv6ptr.net] has joined #openvpn
03:19 < jophish> Yo yo yo
03:19 < jophish> I'm having trouble getting openvpn to work with Windows 10
03:20 -!- hexeditme [5b4b4d3e@gateway/web/freenode/ip.91.75.77.62] has joined #openvpn
03:22 -!- sluckxz [~sluckxz@unaffiliated/sluckxz] has quit [Ping timeout: 255 seconds]
03:24 < hexeditme> Hello, I am facing a problem pinging a host on a "routed" network, I can ping the server on that host but I cant ping anything else on there, IP Forwarding is enabled, firewall is disabled (for testing) and those is my configuration files (http://pastebin.com/R4KbeRmZ) I am using debian wheezy 7 x64 if you guys need any more info please let me know
03:28 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
03:29 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
03:29 < jophish> I can get a fake ethernet connection with TAP_Windows Adapter V9
03:34 < jophish> OpenVPN seems to think that everything is ok
03:34 < jophish> ah, it's working now
03:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
03:41 < moeyebus> I still have the same problem.
03:41 < moeyebus> When I generate the client crt, it's empty.
03:41 < moeyebus> with easy-rsa
03:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:43 -!- deranged_user is now known as Jess
03:43 -!- Jess is now known as Guest18376
03:47 -!- Guest18376 [Jess@lolnerd.net] has left #openvpn []
03:47 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
03:48 < moeyebus> I did things in that order:
03:48 < moeyebus> source ./vars
03:48 < moeyebus> ./clean-all
03:48 < moeyebus> ./build-ca
03:48 < moeyebus> ./build-key-server myserver
03:48 < moeyebus> ./build-key myclient
04:04 < Mowee> Diffie Hellman part ?
04:14 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 244 seconds]
04:21 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:22 < moeyebus> I did it after all this.
04:23 < moeyebus> I don't think the dh1024.pem file is needed for client key generation.
04:23 < moeyebus> I found the reason why it doesn't work :
04:23 < moeyebus> I put exactly the same info while generating server keys and client keys.
04:24 < moeyebus> It works fine now.
04:24 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
04:43 -!- hexeditme [5b4b4d3e@gateway/web/freenode/ip.91.75.77.62] has quit [Quit: Page closed]
04:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:09 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
05:31 -!- tchiwam [~tchiwam@194.177.246.182] has joined #openvpn
05:33 < tchiwam> Good morning, I guess this is where people who run out of ideas on how to configure their VPN end up after going trough google :) I'm no different
05:41 -!- voidDotClass [~ali@ec2-54-191-50-245.us-west-2.compute.amazonaws.com] has joined #openvpn
05:42 < voidDotClass> when i connect thru openvpn --config myFile.ovpn , it asks me for my username & password. is there a way to specify the username & pw with the openvpn command?
05:42 < voidDotClass> i basically just want to write a bash script which i'll call and it'll call openvpn --config for me, and also provide the u&pw
05:42 < voidDotClass> so i can just invoke the script and it'll connect to vpn for me
05:48 -!- voidDotClass [~ali@ec2-54-191-50-245.us-west-2.compute.amazonaws.com] has quit [Ping timeout: 265 seconds]
06:00 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has left #openvpn []
06:00 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
06:17 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has joined #openvpn
06:21 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
06:27 -!- dazo_afk is now known as dazo
06:28 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 250 seconds]
06:38 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
06:40 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
07:03 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
07:07 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
07:12 -!- rooth_ [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
07:23 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 250 seconds]
07:39 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
07:52 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
07:59 -!- hexeditme [0233467d@gateway/web/freenode/ip.2.51.70.125] has joined #openvpn
07:59 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
08:00 < hexeditme> Hello, I am facing a problem pinging a host on a "routed" network, I can ping the server on that host but I cant ping anything else on there, IP Forwarding is enabled, firewall is disabled (for testing) and those is my configuration files (http://pastebin.com/R4KbeRmZ) I am using debian wheezy 7 x64 if you guys need any more info please let me know
08:09 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
08:24 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
08:28 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 245 seconds]
08:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 258 seconds]
08:38 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
08:41 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
08:44 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
08:45 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 240 seconds]
08:59 -!- BlackBishop [dexter@ipv6.d3xt3r01.tk] has joined #openvpn
09:19 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 272 seconds]
09:25 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 265 seconds]
09:29 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
09:29 -!- mode/#openvpn [+v hazardous] by ChanServ
09:34 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
09:37 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 258 seconds]
09:39 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
09:51 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
09:53 <@dazo> !configs
09:53 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:53 <@dazo> hexeditme: ^^ ... read #1 very carefully
10:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:06 -!- nvdpl_ [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:06 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:07 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
10:07 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:17 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has joined #openvpn
10:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
10:37 -!- wtiger [~chatzilla@31.7.60.219] has joined #openvpn
10:38 < wtiger> Hi everyone
10:38 < wtiger> I'm new to vpns, but I understand that it can help me connect securely to public wifis
10:39 < wtiger> How can I set up openvpn on my mac??
10:40 -!- Pip0 [~quassel@132.170.175.255] has joined #openvpn
10:51 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
10:53 < Eugene> !osx
10:53 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
10:53 < Eugene> !howto
10:53 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
10:59 -!- Pip0 [~quassel@132.170.175.255] has quit [Ping timeout: 265 seconds]
11:08 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:08 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
11:09 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:14 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
11:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:17 -!- wtiger [~chatzilla@31.7.60.219] has quit [Ping timeout: 245 seconds]
11:19 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:20 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has joined #openvpn
11:21 < altker128> Hey all.  Is it possible with tun-mode to have OpenVPN IPs in the same subnet as IPs on the normal LAN?
11:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:24 < tchiwam> push "dhcp-option DNS 172.20.0.1" seems not to work very well, any other suggestion to force the use of a DNS when the VPN is on ?
11:26 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
11:29 -!- outofbounds [~outofboun@gateway/tor-sasl/outofbounds] has quit []
11:35 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:39 -!- _aeris_ [~aeris@server.imirhil.fr] has left #openvpn ["Konversation terminated!"]
11:41 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
11:46 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
11:51 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:56 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:56 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:14 -!- mattock is now known as mattock_afk
12:14 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:18 -!- Envil [~meep@95.211.26.40] has joined #openvpn
12:22 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
12:40 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
12:46 <@dazo> altker128: generally, I'd say: No that's not possible.  To be honest, it's not really worth the effort trying to do that.  Do proper routing and firewalling and you most likely have covered most use-cases
12:48 <@dazo> altker128: *if* you still want the same subnet as the LAN ... then bridging is the best way to go (which requires TAP).  But I've been on this channel for 4-5 years or so, and people ask often about bridging.  But I've only experienced 3-4 scenarios where bridging was the really the right and proper solution.
12:57 -!- hexfury [~hexfury@ec2-54-224-91-139.compute-1.amazonaws.com] has joined #openvpn
12:57 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:57 -!- mode/#openvpn [+v s7r] by ChanServ
13:10 -!- `Yoda [~Yoda@gateway/shell/yourbnc/x-ukjywgsrvmvsfsoj] has quit [Quit: YourBNC - (https://yourbnc.co.uk)]
13:11 -!- `Yoda [~Yoda@2607:5300:60:1ba8::3] has joined #openvpn
13:12 -!- rich0_ is now known as rich0
13:24 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
13:32 < hexfury> I feel like I am missing something obvious.  I have a client (me) connected to a VPN.  The VPN server is running a second VPN tunnel to another region.  Boxes in each region can see each, other, client cannot see boxes in second region.
13:36 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has quit [Ping timeout: 250 seconds]
13:36 < DArqueBishop> Are you pushing a route from the VPN server to your client for the second region?
13:37 < hexfury> yes, push "route 10.1.0.0 255.255.0.0"
13:37 -!- mirco [~mirco@tmo-100-185.customers.d1-online.com] has joined #openvpn
13:37 < hexfury> first region is 10.0.0.0, second is 10.1.0.0
13:38 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
13:39 < DArqueBishop> Is there a route for the second region boxes to reach the VPN subnet?
13:39 < DArqueBishop> Oh, wait, you answered that.
13:41 < hexfury> I'm making a pastie of the configs
13:43 -!- dazo is now known as dazo_afk
13:45 < hexfury> http://pastie.org/private/ref9udeyjsrlvkvbcsqoq
13:45 < hexfury> That's the two vpn configs
13:49 -!- lchill [~lchill@nyc-333.nycbit.com] has quit [Ping timeout: 256 seconds]
13:53 < hexfury> Do I need to do something with iroutes?
13:59 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
14:01 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
14:05 -!- jdmf [~jdmf@82.194.215.14] has joined #openvpn
14:06 -!- jdmf [~jdmf@82.194.215.14] has quit [Max SendQ exceeded]
14:07 -!- jdmf [~jdmf@82.194.215.14] has joined #openvpn
14:25 < DArqueBishop> hexfury: add "client-to-client" to your server's OpenVPN config.
14:36 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 250 seconds]
14:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
14:39 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Quit: elfixit]
14:42 -!- mirco [~mirco@tmo-100-185.customers.d1-online.com] has quit [Quit: mirco]
14:45 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
14:52 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
14:59 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
15:11 < hexfury> Did that, no help ; ;
15:13 -!- jdmf [~jdmf@82.194.215.14] has quit [Quit: Bye.]
15:16 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:17 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Remote host closed the connection]
15:18 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:53 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
15:53 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
16:05 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
16:06 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 245 seconds]
16:11 -!- mirco [~mirco@tmo-101-80.customers.d1-online.com] has joined #openvpn
16:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:24 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
16:29 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
16:33 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:34 -!- exiex [~eiex@93.125.126.255] has joined #openvpn
16:34 < exiex> hi man's , can anybody help me? i have a slow performance with openvpn linux server and openvpn windows client
16:37 < exiex> slow with a lot of http requests
16:37 < exiex> and channel speed
16:38 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
16:40 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 264 seconds]
16:42 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 244 seconds]
16:43 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
16:56 -!- exiex [~eiex@93.125.126.255] has quit [Ping timeout: 258 seconds]
16:57 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
17:38 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:47 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
18:05 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 244 seconds]
18:12 -!- novaflash is now known as novaflash_away
18:22 -!- michaelhart [~michaelha@162.223.50.231] has joined #openvpn
18:28 -!- michaelhart [~michaelha@162.223.50.231] has quit [Quit: michaelhart]
18:35 -!- Phillies [mussolini@2605:6400:2:fed5:22:f5b1:7740:1597] has joined #openvpn
18:40 < Phillies> is it possible to route outgoing traffic thru openvpn and still allow incoming ssh connections to you box     right now it seems to break the tunnel whenever i connect ssh and it seems to drop the retrys
18:40 < Phillies> whenever i connect vpn*
18:45 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:48 < pekster> Phillies: You need one of: 1) policy routing to correctly multihome as you intend, or 2) run the ssh server on a different system from the one you're establishing the VPN on (VMs work well for this many times) or 3) use a proxy (eg: SOCKS5) and proxify your client applications to use a proxy across the VPN
19:17 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
19:18 < Phillies> pekster,   thank you
19:18 < Phillies> getting it routed now
19:19 < Phillies> hopefully works
19:21 < pekster> !factoids search policy
19:21 <@vpnHelper> 'policy' and 'redirect-policy'
19:21 < pekster> !policy
19:21 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
19:21 < pekster> Nope, none of that
19:21 < pekster> Ah, the other one:
19:21 < pekster> !redirect-policy
19:21 <@vpnHelper> "redirect-policy" is If you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic.
19:21 < pekster> Phillies: ^ see that
19:25 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
19:47 -!- u0m3 [~u0m3@92.80.107.91] has quit [Read error: Connection reset by peer]
19:47 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
19:47 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
19:51 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
19:52 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
19:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:52 -!- mode/#openvpn [+v s7r] by ChanServ
20:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
20:04 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Remote host closed the connection]
20:06 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
20:16 -!- novaflash_away is now known as novaflash
20:16 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds]
20:16 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:16 -!- mode/#openvpn [+v s7r] by ChanServ
20:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:19 -!- mode/#openvpn [+o krzee] by ChanServ
20:24 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
20:25 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:25 -!- mode/#openvpn [+v s7r] by ChanServ
20:36 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 244 seconds]
20:38 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
20:38 -!- mode/#openvpn [+o krzee] by ChanServ
20:42 -!- mirco [~mirco@tmo-101-80.customers.d1-online.com] has quit [Quit: mirco]
20:51 -!- Droolio [~drool@host109-148-173-191.range109-148.btcentralplus.com] has joined #openvpn
21:13 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
21:16 -!- Denial [~Denial@81.141.8.23] has joined #openvpn
21:49 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
22:06 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e470:a238:a290:efaf] has quit [Read error: Connection reset by peer]
22:06 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e470:a238:a290:efaf] has joined #openvpn
22:07 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
22:08 -!- XJR-9_ [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
22:08 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Killed (leguin.freenode.net (Nickname regained by services))]
22:08 -!- XJR-9_ is now known as XJR-9
22:09 -!- pekster_ [~rewt@openvpn/community/support/pekster] has joined #openvpn
22:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:10 -!- mode/#openvpn [+v s7r] by ChanServ
22:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:12 -!- Zimsky-- [~alice@unaffiliated/zimsky] has joined #openvpn
22:12 -!- mt_ [mt@unaffiliated/supermat] has joined #openvpn
22:12 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 272 seconds]
22:12 -!- markelite [croftworth@gateway/shell/yourbnc/x-nxukbvacbpvqsqkz] has quit [Ping timeout: 272 seconds]
22:12 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
22:12 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 272 seconds]
22:12 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 272 seconds]
22:12 -!- batrick [batrick@nmap/developer/batrick] has quit [Ping timeout: 272 seconds]
22:12 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 272 seconds]
22:12 -!- `Yoda [~Yoda@2607:5300:60:1ba8::3] has quit [Ping timeout: 272 seconds]
22:12 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 272 seconds]
22:12 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
22:12 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
22:12 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 272 seconds]
22:12 -!- Neal_ [neal@felix.ineal.me] has quit [Ping timeout: 272 seconds]
22:12 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Ping timeout: 272 seconds]
22:12 -!- kef [~kef@matrix.fullmotion.de] has quit [Ping timeout: 272 seconds]
22:12 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 272 seconds]
22:12 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 272 seconds]
22:12 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
22:12 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 272 seconds]
22:12 -!- tamazaki_ [~tamazaki@95.85.35.109] has quit [Ping timeout: 272 seconds]
22:12 -!- Argure [argure@geonosis.donttrustrobots.nl] has joined #openvpn
22:12 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:12 -!- mode/#openvpn [+o krzee] by ChanServ
22:12 -!- Magiobiwan [~Magiobiwa@unaffiliated/magiobiwan] has quit [Ping timeout: 272 seconds]
22:13 -!- `Yoda [~Yoda@2607:5300:60:1ba8::3] has joined #openvpn
22:14 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:14 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
22:14 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
22:14 -!- kef [~kef@matrix.fullmotion.de] has joined #openvpn
22:14 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
22:15 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
22:17 -!- marklite [croftworth@gateway/shell/yourbnc/x-vpdoanpfclolcxdd] has joined #openvpn
22:17 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
22:21 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
22:22 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
22:22 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
22:22 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:24 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
22:28 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
22:42 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
22:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
22:56 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:56 -!- mode/#openvpn [+v s7r] by ChanServ
22:59 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection]
22:59 < Phillies> pekster_,    thanks for the help  i managed to get itworking
23:00 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
23:12 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
23:15 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
23:18 -!- ShadniX_ [dagger@p5DDFDAB3.dip0.t-ipconnect.de] has joined #openvpn
23:20 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection]
23:22 -!- ShadniX [dagger@p5481CDA5.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:22 -!- ShadniX_ is now known as ShadniX
23:27 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
23:36 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
23:55 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has joined #openvpn
23:57 < altker128> dazo_afk: Hey, thanks for the response.  The idea was to keep the IP pool the same between internal and external  ; as long as OpenVPN is running on the gateway machine, then one does not incurr extra network packet routing between an openvpn server and the router.  But if the OpenVPN server is a separate machine on the network, any traffic that's LAN-bound will end up hitting the LAN interface a lot.
--- Day changed Thu Nov 13 2014
00:02 -!- altker128 [~vr@c-24-61-12-138.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
00:25 -!- pekster_ is now known as pekster
00:33 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:38 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
00:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:58 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:58 -!- mode/#openvpn [+v s7r] by ChanServ
01:26 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
01:34 -!- mirco [~mirco@tmo-101-23.customers.d1-online.com] has joined #openvpn
02:02 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:13 -!- ernini [~reni@145-24-145-247.dyn.hro.nl] has joined #openvpn
02:13 < ernini> hi all, i'm seeing more and more segfaults with v2.3.4,  error 14 in libaudit.so.1.0.0, anyone have ideas? i really need to restart openvpn then it doesn't respawn
02:17 <@syzzer> ernini: what openvpn version? which os? installing from the os repos, or building openvpn on your own?
02:18 <@syzzer> afaik openvpn by default does not link to libaudit
02:26 < ernini> syzzer: openvpn 2.3.4-3 on debian
02:26 < ernini> its from a debian package
02:26 < ernini> any change i can disable the audit functionality in config? or make it respawn when segfaulting?
02:26 < ernini> because the 'parent' openvpn process is still alive
02:32 < ernini> ow thats not really the parent, but when i restart openvpn, there is 2 processes with the same parameters, then after a while it segfaults on libaudit, but the other process is still alive
02:39 -!- mirco [~mirco@tmo-101-23.customers.d1-online.com] has quit [Quit: mirco]
02:42 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:43 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:02 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
03:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:49 -!- GoldenGlovez [~GG@78.129.218.25] has quit [Quit: Eh...]
03:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:51 -!- GoldenGlovez [~GG@78.129.218.25] has joined #openvpn
03:57 -!- crus` [crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has joined #openvpn
03:57 -!- crus [crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has quit [Ping timeout: 245 seconds]
04:06 -!- BlackBishop [dexter@ipv6.d3xt3r01.tk] has left #openvpn []
04:13 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 240 seconds]
04:14 -!- deranged_user [Jess@lolnerd.net] has quit [Ping timeout: 265 seconds]
04:15 -!- dazo_afk is now known as dazo
04:16 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
04:18 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
04:19 <@dazo> ernini: it doesn't make sense that openvpn pulls in libaudit at all ... openvpn does not include code which would depend on that at all ... do you use any plug-ins?  Otherwise it's another library openvpn depends on which links in libaudit ... but I have no idea what it would be
04:21 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:25 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 256 seconds]
04:27 < ernini> dazo: oke thanks, i filed a debian bug report
04:27 < ernini> dazo: uhm i make use of pam
04:28 < ernini> i can imagine that pam is using libaudit
04:29 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
04:32 <@dazo> ernini: you're right ... auth-pam links in libaudit ... it might as well be a bug in auth-pam too then, as plug-ins are capable of crashing the openvpn daemon
04:32 < ernini> dazo: yeh i can imagine, thanks!
04:32 <@dazo> ernini: can you manage to grab a gdb backtrace of such a crash?
04:36 < ernini> dazo: i might be yes, let me search on how gdb works, also i cannot get the segfault on demand, but it happens sometimes right after a user logs in
04:37 <@dazo> ernini: gdb --pid $(pidof openvpn) ... then do: continue .... and when the crash happens, you can do: bt
04:37 < ernini> oke i will run that in screen, thanks!
04:37 <@dazo> or ... if you enable core dumps (ulimit -c unlimited) before starting openvpn
04:38 <@dazo> gdb /usr/sbin/openvpn $COREFILE .... then you can do 'bt' instantly
04:40 < ernini> oke enabled core dumps, and now waiting for the segfault, thanks for the directions
04:41 <@dazo> yw!
04:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:52 -!- Fun [~Fun1@unaffiliated/fun] has joined #openvpn
04:53 < Fun> hello
04:54 < Fun> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
04:54 < Fun> however I set open vpn to use passwd auth only
04:54 < Fun> so how can I fix this error?
05:00 <@dazo> !configs
05:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
05:07 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
05:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:41 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
05:43 -!- blackbit [ahuemer@unaffiliated/ahuemer] has left #openvpn []
05:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
06:02 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
06:09 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
06:15 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
06:23 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
06:34 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 244 seconds]
06:41 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
06:47 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Quit: No Ping reply in 180 seconds.]
06:47 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
06:50 -!- Fun [~Fun1@unaffiliated/fun] has quit [Quit: Leaving.]
07:05 -!- viztro [~viztro@eq48.fdo-may.ubiobio.cl] has quit [Ping timeout: 264 seconds]
07:09 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 244 seconds]
07:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:29 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.0.2/20141027150301]]
07:30 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
07:38 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 265 seconds]
07:39 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
07:40 < hexeditme> dazo: i am sorry, here is the new paste http://pastebin.com/uagJruR2 (my problem was i cant ping/reach other hosts on 10.0.0.0/24) but i can reach 10.0.0.1
07:42 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
07:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:01 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
08:03 -!- HSKW [~HSKW@host183-181-dynamic.56-79-r.retail.telecomitalia.it] has joined #openvpn
08:04 < HSKW> i 've an access point wr54g with tomato firmware, i use it with no WAN port, only to do simple switch-access point.. now i would to setup an vpn connection, and i have done this guide: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/  the client and server (tomato) are connected but i cant surf on the web or ping other device on lan.  can anyone he
08:04 <@vpnHelper> Title: Connect to Your Home Network From Anywhere with OpenVPN and Tomato (at www.howtogeek.com)
08:04 < HSKW> help me?
08:07 < HSKW> i dont know how to config the routing
08:19 < tchiwam> facepalm of the day .... delete ca.key after generating 10 keys and providing them to the clients ...
08:20 < HSKW> Tomato v1.28.8754 ND USB vpn3.6 root@unknown:/tmp/home/root# iptables -L -t nat Chain PREROUTING (policy ACCEPT) target     prot opt source               destination DROP       all  --  anywhere             192.168.2.0/24  Chain POSTROUTING (policy ACCEPT) target     prot opt source               destination MASQUERADE  all  --  anywhere             anywhere  Chain OUTPUT (policy ACCEPT) target
08:30 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
08:32 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has joined #openvpn
08:36 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
08:37 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
08:39 -!- elfixit [~Icedove@2001:1620:2018:11:863a:4bff:fe93:6310] has quit [Ping timeout: 272 seconds]
08:47 <@dazo> !serverlan
08:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
08:47 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
08:47 <@dazo> hexeditme: ^^^
08:48 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
08:48 -!- rich0_ is now known as rich0
08:48 < hyper_ch> hmmmm, can I create an empty crl.pem file and already add it to the openvpn server config?
08:48 < hyper_ch> so that later I can just replace it?
08:49 <@dazo> hyper_ch: I don't think so .... maybe use the 'dir' flag to --crl-verify ? and put the crls as files in that dir?
08:50 <@dazo> ouch ... --crl-verify $DIR dir did something slightly different :/
08:50 < hyper_ch> I just spin up a test vpn to see if it errors
08:50 < hyper_ch> or is there a config checker?
08:51 <@dazo> nope, no checker
08:52 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
08:52 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:53 <@dazo> hexeditme: what most people forget when accessing LAN behind server is the return route ... otherwise !serverlan provides useful hints what to check (esp. the flowchart in #4)
08:53 < hyper_ch> dazo: empty clr.pem doesn't work
08:54 <@dazo> hyper_ch: revoke a "fake" certificate?  (a real certificate never being used, just for the purpose of generating a CRL)
08:54 < hyper_ch> you mean creating a dummy cert
08:55 < hyper_ch> and then revoking that?
08:55 <@dazo> yeah
08:55 < hyper_ch> could do that
08:55 < hyper_ch> although, having a revoking dir would be much better
08:55 < hyper_ch> then I could just copy revoked certs in it
08:55 <@dazo> yeah, but read the openvpn man page carefully, esp. the last paragraph for --crl-verify
08:56 <@dazo> so the directory approach is not a signed revocation list, which CRLs are
08:57 < hyper_ch> ok, I have multipl certs in a the keys dir of easy-rsa
08:57 < hyper_ch> now I revoke one use full-revoke script
08:57 < hyper_ch> it will create the clr.pem file
08:58 < hyper_ch> now if I revoked a second cert
08:58 < hyper_ch> will it add the new one to the clr.pem also or how does it work?
08:58 <@dazo> it will generate a new crl.pem file, with all revoked certificates
08:59 -!- u0m3 [~u0m3@92.80.107.91] has joined #openvpn
08:59 < hyper_ch> interesting
08:59 < hyper_ch> thx
08:59 -!- u0m3 [~u0m3@92.80.107.91] has quit [Read error: Connection reset by peer]
08:59 <@dazo> openssl crl -noout -text -in $CRL
08:59 <@dazo> that'll dump the contents of the CRL file in a more readable manner
09:01 < hyper_ch> ?im on the openvpn man page but I can't find --crl-verify
09:01 -!- u0m3 [~u0m3@92.80.107.91] has joined #openvpn
09:02 <@dazo> https://community.openvpn.net/openvpn/wiki/Openvpn22ManPage ... I can see it here ... and here: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
09:02 <@vpnHelper> Title: Openvpn22ManPage – OpenVPN Community (at community.openvpn.net)
09:02 < hyper_ch> I search for  clr-verify but no hit shows up
09:03 <@dazo> hmmm ... which distro?
09:03 < hyper_ch> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
09:03 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
09:03 <@dazo> hyper_ch: try search for crl-verify instead of clr-verify ;-)
09:03 < hyper_ch> oh dang :)
09:04 <@dazo> Certificate Revocation List ;-)
09:04 < hyper_ch> ah
09:05 < hyper_ch> ok, that now also works with empty crl.pem file
09:05 <@dazo> but I don't think it will work when you update the crl.pem file from an empty one to one with contents
09:05 <@dazo> I believe I tried doing that many years ago, and failing badly
09:06 < hyper_ch> well, I have the directive now in ovpn.... so I just need to replace it and restart openvpn to be sure
09:06 <@dazo> right, that'll workd!
09:06 < hyper_ch> restarting ovpn also has the benefit that all clients need to reconnect
09:06 <@dazo> s/d//
09:06 < hyper_ch> and then they'll get immediately checked
09:06 <@dazo> true!
09:07 < hyper_ch> never needed to revoke certs before
09:07 < hyper_ch> but now I'm handing out a test cert
09:07 < hyper_ch> and want to revoke it later
09:09 <@dazo> you're definitively set for that now :)
09:11 < hyper_ch> strange... revoking certs resulted in an error
09:11 < hyper_ch> error 23 at 0 depth lookup:certificate revoked
09:11 < hyper_ch> the openssl crl -noout -text -in crl.pem file shows it however
09:31 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
09:31 < hyper_ch> btw, did you get a protective case or flip cover and does qi still work?=
09:31 < hyper_ch> wrong channel
09:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
09:39 -!- Popsikle [~popsikle@rrcs-24-103-41-59.nyc.biz.rr.com] has joined #openvpn
09:40 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
09:48 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
09:48 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
09:48 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 258 seconds]
09:52 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:54 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
09:55 -!- HSKW [~HSKW@host183-181-dynamic.56-79-r.retail.telecomitalia.it] has quit [Ping timeout: 255 seconds]
09:56 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:09 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
10:10 < hyper_ch> seems it didn't really like an empty crl file :(
10:18 -!- mt_ is now known as mt
10:23 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Connection reset by peer]
10:24 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
10:25 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
10:34 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
10:36 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
10:38 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:38 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
10:39 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
10:39 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
10:44 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
10:45 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:46 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
11:03 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
11:04 -!- Popsikle [~popsikle@rrcs-24-103-41-59.nyc.biz.rr.com] has quit [Ping timeout: 272 seconds]
11:11 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:16 -!- Popsikle [~popsikle@rrcs-24-103-41-59.nyc.biz.rr.com] has joined #openvpn
11:33 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
11:36 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:38 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:38 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Client Quit]
11:42 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
11:57 -!- krzee [~k@openvpn/community/support/krzee] has quit [Excess Flood]
11:57 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:57 -!- mode/#openvpn [+o krzee] by ChanServ
11:57 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
11:58 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
12:03 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
12:05 -!- dazo is now known as dazo_afk
12:07 -!- teknoprep [~chris.raw@cpe-static-bluecloudcons-rtr.cmts.eph.ptd.net] has joined #openvpn
12:07 < teknoprep> hi all
12:07 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
12:07 < teknoprep> having a hell of a time creating an openvpn site-to-site tunnel
12:07 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
12:07 < teknoprep> i keep getting these errors ---  TLS Error: Unroutable control packet received from [AF_INET] (si=3 op=P_CONTROL_V1)   ----------    VERIFY ERROR: depth=1, error=self signed certificate in certificate chain:   --------------   TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12:08 < teknoprep> these are self signed certs
12:08 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
12:08 < teknoprep> from my understanding i have to use on the passive side.... The ca.crt / remote-crt / remote-key / remote-dh files on the passive side
12:09 < teknoprep> of the active server
12:10 < teknoprep> on the active server i use the .. ca.crt / remote-crt / remote-key files of the passive side
12:10 < teknoprep> is this correct ?
12:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:15 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection]
12:16 -!- WhiteIntel [~quassel@212-197-136-204.adsl.highway.telekom.at] has joined #openvpn
12:31 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:32 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:32 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
12:35 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
12:39 -!- elfixit1 [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Quit: elfixit1]
12:42 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:44 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:01 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
13:08 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 256 seconds]
13:10 -!- jdmf [~jdmf@82.194.215.14] has joined #openvpn
13:24 -!- raidz is now known as raidz_away
13:27 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 240 seconds]
13:30 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:33 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
13:37 -!- raidz_away is now known as raidz
13:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:40 -!- mode/#openvpn [+v s7r] by ChanServ
13:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
13:45 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
13:47 -!- raidz is now known as raidz_away
13:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:48 -!- mode/#openvpn [+v s7r] by ChanServ
13:58 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
14:01 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
14:22 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
14:25 -!- teknoprep [~chris.raw@cpe-static-bluecloudcons-rtr.cmts.eph.ptd.net] has left #openvpn ["Leaving"]
14:27 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
14:33 -!- HSKW [~HSKW@host183-181-dynamic.56-79-r.retail.telecomitalia.it] has joined #openvpn
14:33 < HSKW> hello i need help
14:33 < HSKW> i've setted an tomato router with this guide: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
14:33 <@vpnHelper> Title: Connect to Your Home Network From Anywhere with OpenVPN and Tomato (at www.howtogeek.com)
14:34 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
14:35 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
14:39 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
14:40 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
14:43 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
14:44 -!- dx486 [~dx486@unaffiliated/dx486] has left #openvpn ["Leaving"]
14:48 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
14:48 -!- jdmf [~jdmf@82.194.215.14] has quit [Quit: Bye.]
14:51 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
14:54 -!- HSKW [~HSKW@host183-181-dynamic.56-79-r.retail.telecomitalia.it] has quit []
14:55 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:31 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:37 -!- GoldenGlovez [~GG@78.129.218.25] has quit [Quit: Eh...]
15:46 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
15:51 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
15:56 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
15:57 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.1/20141106120505]]
15:58 -!- Denial [~Denial@81.141.8.23] has quit [Ping timeout: 250 seconds]
15:59 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
16:00 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
16:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
16:06 -!- Denial [~Denial@81.141.8.23] has joined #openvpn
16:15 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
16:20 -!- k5tux [~k5tux@joust.bluecows.com] has joined #openvpn
16:21 < k5tux> Experiencing a problem where traffic stops flowing after 30 seconds connectivity.  This is a previously working configuration...does this sound typical of anything I should look at?  pfSense is where I'm getting OpenVPN from.
16:23 <@krzee> could you have 2 clients with the same certs?
16:24 < k5tux> krzee: pfSense doesn't show any other connections except mine.
16:24 <@krzee> !pfsense
16:24 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:32 < k5tux> krzee: Thanks, there is another client connecting with the same cert.
16:32 <@krzee> there ya go =]
16:32 <@krzee> no problem
16:34 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
16:37 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 250 seconds]
16:40 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
16:41 -!- kmyst [~eric@74.193.224.197] has joined #openvpn
16:43 < kmyst> i wanted to setup a vpn for remote access but is it possible to do it across three LANs and three routers?
16:44 <@ecrist> sure
16:45 < kmyst> ecrist: i've done it before when i had just one network to worry about but my mind twisted like a pretzel on this configuration
16:45 <@ecrist> !goal
16:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:45 <@ecrist> !diagram
16:45 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
16:46 < wkd> I'm trying to edit pages in my www through samba which is accessed over openvpn, I've set the chgrp and owner to www-data and set chmod to 775, added a user to group www-data... if I set the permission 000 I can't access it accross samba, if I set it 775 I can access but it won't save the edited work... any ideas on what I'm doing wrong?
16:46 < wkd> id shows the user as part of www-data
16:46 <@ecrist> wkd: this has absolutely nothing to do with openvpn
16:47 < wkd> well I guess thats one elimination...
16:50 <@ecrist> ping krzee - you around?
16:51 <@krzee> pong
16:51 <@krzee> sup bro
16:51 <@ecrist> i need your help writing an iptables ruleset
16:52 <@ecrist> for the book
16:59 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 245 seconds]
17:01 < kmyst> ecrist: ok how bout this?: http://www.gliffy.com/go/publish/image/6483435/L.png
17:01 <@ecrist> ok, so what's the problem?
17:02 < kmyst> goal would be to access the 192.168.3.0 network clients and maybe the 192.168.1.0 network clients and the other 192.168.2.0 is just an intermediary nothing on it
17:02 < kmyst> well do i set up a tunnel for each network?
17:02 <@ecrist> where's your openvpn server?
17:03 < kmyst> on the router 192.168.1.1
17:03 <@ecrist> your router isn't on the diagram
17:03 <@ecrist> this seems simple enought
17:03 < kmyst> yes it is, upper left
17:04 <@ecrist> first off, you really should change the IP addressing
17:04 <@ecrist> !1918
17:04 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
17:05 < kmyst> what's wrong with it?
17:05 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:06 <@ecrist> if you have VPN clients that connect from home and small business networks, you're likely to run into IP space collisions, since most home/small office routers use the 192.168.[01].0/24 IP ranges
17:07 < kmyst> ah yeah
17:07 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
17:08 < kmyst> so my problem is conceptually i'm ok accessing anything on the first lan but do i site to site from there to router #2's vpn server then again to #3?
17:12 -!- Popsikle [~popsikle@rrcs-24-103-41-59.nyc.biz.rr.com] has quit [Ping timeout: 244 seconds]
17:17 <@ecrist> no
17:17 <@ecrist> you just need to pass routes for 192.168.0.0/24 and 192.168.3.0/24
17:18 <@ecrist> then you'll either need to NAT the VPN traffic, or teach your other two network segments how to route your VPN IP ranges
17:19 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 255 seconds]
17:21 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
17:28 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has joined #openvpn
17:33 < kmyst> oh! that's simple then :)
17:33 < kmyst> guess i was waaaay overthinking it!
17:35 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 255 seconds]
17:37 -!- wkd [~wkd@75.46.172.54] has quit [Quit: Leaving]
17:38 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
17:41 <@krzee> kmyst, have a read here:
17:41 <@krzee> !route
17:41 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
17:42 <@krzee> i actually documented 3 lans being connected
17:42 <@krzee> which seems to be EXACTLY what you're doing (rare that it matches so perfect, but i guess it has to happen sometimes)
17:43 < kmyst> krzee: wow cool :) exactly what i'm up to!
17:48 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
18:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
18:02 -!- WhiteIntel [~quassel@212-197-136-204.adsl.highway.telekom.at] has quit [Remote host closed the connection]
18:06 -!- kmyst [~eric@74.193.224.197] has quit [Quit: home time]
18:16 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
18:16 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
18:48 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
18:50 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
18:50 < Xgates> hi guys
18:51 < Xgates> anyone Linux users in the house? KDE & Gnome don't have option to change the tls-cipher, is the ta.key related to the tls-cipher?
19:03 < Eugene> Many of us. We all say not to use network-manager
19:03 < Eugene> Because of bullshit like this
19:04 < Eugene> And no, it's not related
19:04 <@ecrist> Xgates: for full program features, you really should use a config file and run OpenVPN from an init script, or from the command line yourself.
19:04 < Eugene> tls-cipher deals with the agrred-upon crypto algorithm; ta.key is either a --tls-auth key, or the mate to your --cert, usually.
19:05 < Eugene> And yeah, recommended way is via an init script / systemctl service you can stop/start as-needed
19:05 < Xgates> I'm a geek I know all the ways, but thanks...
19:05 < Xgates> just trying to figure out then in KDE & Gnome it's going to use a tls-cipher?
19:06 < Eugene> And we're saying that the NetworkManager tool you're referring to here doesn't do that, because it blows goats.
19:07 < Xgates> I don't understand how it can make a connection if the cipher is not being used, I assumed the server is not going to all the connection then?
19:07 < Xgates> to all/allow...
19:07 <@ecrist> the ciphers have to match
19:07 < Eugene> TLS handshake will happen, but they won't come to an agreement about the data channel
19:07 < Eugene> So the tunnel is up, but the data sent down it is garbage
19:08 < Xgates> I personally use the cli, but I help end-users who are using it with KDE, or Gnome...
19:08 < Xgates> hmm but again, if the cipher isn't there or matching, I assumed that mean the handshake isn't going to happen and it fails..
19:08 < Xgates> odd
19:12 <@ecrist> have you tried it?
19:12 <@ecrist> read the server log?
19:13 < Xgates> well when I put up tutorials for the end-users yes I tested out in KDE & Gnome...
19:14 < Xgates> I'm on the client side/end user, no server logs on my end to read...
19:15 < Xgates> I never really gave this much thought and networking and openvpn aren't my strongest points, but this seems really stupid if this can be used without the tls-ciphers... hmm
19:17 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:20 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 245 seconds]
19:27 <@ecrist> well, if you're writing tutorials for users, you sure as hell should be testing those tutorials to ensure they work.
19:28 < Xgates> Of course hehe
19:28 < Xgates> it works, I'm just wondering what the deal is without a tls-cipher setting is all?
19:29 <@ecrist> it's going to use the defaults
19:29 <@ecrist> or negotiate
19:30 < Xgates> so the network manager is just going to look at it only on the server side and make the connection? I just thought on the client side a tls cipher had to be set?
19:30 < Xgates> I mean that's the typical thing done...
19:36 <@ecrist> who said it's typical?
19:38 < Xgates> in a .ovpn config file if the server uses the Standard you have 3 security options listed;
19:38 < Xgates> auth sha512
19:38 < Xgates> cipher AES-256-CBC
19:38 < Xgates> tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
19:38 < Xgates> that's the typical I'm talking...
19:38 < Xgates> the tls-cipher is suppose to be listed in the .conf/.ovpn
19:40 <@ecrist> no
19:40 <@ecrist> there are defaults
19:41 < Xgates> there are basically 7 differnt tls-ciphers, so how is there going to be a default?
19:41 < Xgates> Well I'd imagine if the server doesn't set one, there there is this so called default being used, or nothing being used...
19:42 < Xgates> I'm only talking about what an Admin sets on the server, then gives out the .conf/.ovpn to the client side, this is then listed in that client side what is being used...
19:42 < Xgates> then again to be honest, I've never tried running a config with no tls-cipher option to see if it would make a connection
19:44 < Xgates> ok I stand corrected, I just tested this, I always assumed those security options the 3 I pasted have to be listed in the config
19:44 < Xgates> hmm
19:45 < Xgates> I just commented out the tls-cipher and it connected to the server...
19:45 < Xgates> hmm
19:46 <@ecrist> !man
19:46 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:46 <@ecrist> I'm not a dummy, just an asshole.
19:47 < Xgates> ok cipher can't be commented out, I just tested it and it wouldn't connect...
19:47 <@ecrist> it depends on the server settings
19:47 < Xgates> ahh I always assumed the tls-cipher has to be listed in the config to make the hand shake...
19:47 < Xgates> hmm
19:48 < Xgates> well I'm just on the client-side, helping out a bit for end-users, so I don't have control over the server side of things, but they gave me the client config with those 3 security options, so I just assumed they all had to be in it...
19:52 <@ecrist> generally, we only support server admins here.
19:53 < Xgates> no worries... it's all good
19:54 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
19:55 < Xgates> thanks for the time guys
19:55 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Xgates]
20:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
20:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
20:48 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
20:53 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:57 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
21:19 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
21:23 -!- Droolio [~drool@host109-148-173-191.range109-148.btcentralplus.com] has quit [Ping timeout: 265 seconds]
21:26 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:38 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
21:43 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 255 seconds]
21:45 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 265 seconds]
21:45 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Ping timeout: 265 seconds]
21:46 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
21:46 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
21:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
21:51 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
22:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:14 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
22:23 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
22:25 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
23:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:21 -!- ShadniX [dagger@p5DDFDAB3.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:22 -!- ShadniX [dagger@p5481D3D9.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Nov 14 2014
00:24 -!- nullm0dem [~brian@ip98-185-16-100.rn.hr.cox.net] has joined #openvpn
00:26 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
00:27 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 244 seconds]
00:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
00:30 -!- mode/#openvpn [+o plaisthos] by ChanServ
00:47 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 250 seconds]
00:50 -!- nullm0dem [~brian@ip98-185-16-100.rn.hr.cox.net] has quit [Ping timeout: 265 seconds]
00:58 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
01:00 -!- rooth_ is now known as rooth
01:07 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
01:13 -!- CaTtleyA [~CaTtleyA@put92-2-82-66-41-53.fbx.proxad.net] has quit [Quit: Lost terminal]
01:14 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit []
01:44 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:46 -!- iokill [~dave@pippin.sigma-star.at] has joined #openvpn
01:54 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 250 seconds]
01:56 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
01:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
01:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
01:58 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
02:23 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
02:33 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
03:25 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Quit: Searching for Waimea]
03:46 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
03:55 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
04:09 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
04:11 -!- mattock_afk is now known as mattock
04:13 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
04:40 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:48 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 255 seconds]
04:53 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:03 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:08 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
05:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:08 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
06:36 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
06:37 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
07:08 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:14 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
07:25 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has joined #openvpn
07:26 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has quit [Max SendQ exceeded]
07:27 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has joined #openvpn
07:41 -!- GoldenGlovez [~GG@78.129.218.25] has joined #openvpn
07:42 -!- jdmf [~jdmf@m188-150-237-31.cust.tele2.no] has quit [Quit: Bye.]
07:46 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
07:51 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
07:58 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 250 seconds]
08:00 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
08:00 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
08:06 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 240 seconds]
08:09 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
08:10 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
08:10 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:13 -!- Irssi: #openvpn: Total of 201 nicks [9 ops, 0 halfops, 3 voices, 189 normal]
08:26 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 272 seconds]
08:32 -!- dazo_afk is now known as dazo
08:32 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:45 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
08:47 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
08:47 -!- Latrina [~Latrina@ppp-219-41.26-151.libero.it] has quit [Ping timeout: 240 seconds]
08:50 -!- Latrina [~Latrina@adsl-ull-57-221.50-151.net24.it] has joined #openvpn
08:52 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
09:00 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
09:01 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
09:11 -!- hexeditme [0233467d@gateway/web/freenode/ip.2.51.70.125] has quit [Ping timeout: 246 seconds]
09:24 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
09:40 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:44 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has quit [Ping timeout: 250 seconds]
09:47 -!- mattock is now known as mattock_afk
09:58 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
10:04 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
10:04 < Wulf> Hi
10:04 < Wulf> Nov 15 05:02:54 ftp ovpn-vpc[10988]: TLS: soft reset sec=0 bytes=95216/0 pkts=1390/0
10:04 < Wulf> is that automatic rekeying, or should I be worried?
10:13 <@ecrist> normal, don't worry about it
10:13 -!- mattock_afk is now known as mattock
10:17 < Wulf> okay
10:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:23 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
10:24 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Read error: Connection reset by peer]
10:37 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:43 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:43 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:44 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
10:44 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:47 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
10:48 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Client Quit]
11:04 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
11:05 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
11:06 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:06 -!- mode/#openvpn [+o syzzer] by ChanServ
11:21 -!- hexeditme [6deb30af@gateway/web/freenode/ip.109.235.48.175] has joined #openvpn
11:22 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
11:23 < hexeditme> dazo: i give up, can u help me with this
11:25 < hexeditme> on the LAN there are 2 boxs i wanna connect to them, 1 of them worked cuz it did it automaticly using network-manager, but on the other box i have to do it manually
11:26 < hexeditme> if i give it default gw 10.0.0.1 ok it works, but the other interface doesnt work which is the interface that connects the box to the internet
11:28 < hexeditme> so i tried doing some this like this http://www.cyberciti.biz/tips/configuring-static-routes-in-debian-or-red-hat-linux-systems.html
11:28 <@vpnHelper> Title: Configure Static Routes In Debian or Red Hat Enterprise Linux - nixCraft (at www.cyberciti.biz)
11:28 < hexeditme> still didnt work
11:29 -!- dazo is now known as dazo_afk
11:34 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
11:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
11:42 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:44 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
11:46 -!- mattock is now known as mattock_afk
11:51 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
11:52 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:55 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Quit: Leaving]
11:55 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has joined #openvpn
12:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:15 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
12:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:22 -!- mode/#openvpn [+o syzzer] by ChanServ
12:25 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
12:41 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
12:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:47 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
12:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
12:57 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:57 -!- mode/#openvpn [+o syzzer] by ChanServ
12:58 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 250 seconds]
13:06 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:11 -!- shinydog [~almostwor@unaffiliated/almostworking] has joined #openvpn
13:12 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: Quit...]
13:13 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
13:23 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
13:23 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 258 seconds]
13:24 -!- shinydog [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
13:25 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
13:27 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
13:27 -!- mode/#openvpn [+v RBecker] by ChanServ
13:29 -!- DrSect0r [~DrSect0r@77-175-125-42.FTTH.ispfabriek.nl] has quit [Read error: Connection reset by peer]
13:32 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
13:34 -!- mt [mt@unaffiliated/supermat] has quit [Remote host closed the connection]
13:37 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
13:41 < esde> ubuntu 14.04 server, openvpn in stock repos is old and crusty. i've got the source for openvpn 2.3.5, and i've run configure, make, make install. openvpn installed okay, but i don't see it installed as a service (terminology?). how do i install openvpn so that i can control it with "service openvpn start|restart|stop|reload|"? Sorry for the awkward question, I don't have a lot of experience building/compiling things (so far I only do it when i need to)
13:42 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
13:49 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
13:56 -!- net125mp [~Home@unaffiliated/net125mp] has joined #openvpn
13:57 < net125mp> i cant get openvpn to install from .tar to save my life
13:57 < net125mp> i get no errors
13:57 < net125mp> I installed libpam0g and liblz02-dev and ssl-dev
13:57 < net125mp> i run ./configure make install and all goes well
13:57 < net125mp> nothing works afterwords though
13:57 < net125mp> there is no ./openvpn in the directory
13:58 < esde> net125mp, can you please give https://rurounijones.github.io/blog/2009/03/17/how-to-ask-for-help-on-irc/ a quick once-over and then provide some more details, please?
13:58 <@vpnHelper> Title: How to ask for help on IRC - RJ's Notes (at rurounijones.github.io)
13:58 < esde> *-please (too many pleases)
13:59 < net125mp> esde: Sure, after downloading OpenVPN from https://openvpn.net/index.php/open-source/downloads.html   ... the tarbal via wget onto my Kali linux machine which is debian wheezy based, I proceeded to unzip and untar the package and ran ./configure make make install after I installed the needed dependencies
13:59 <@vpnHelper> Title: Downloads (at openvpn.net)
13:59 < net125mp> No errors occur, but nothign occurs after that for me to be able to use openvpn
14:00 -!- tchiwam [~tchiwam@194.177.246.182] has quit [Quit: Lost terminal]
14:00 < esde> if you type openvpn --version what happens?
14:00 < net125mp> /usr/sbin/openvpn  no such file or directory
14:01 < esde> which openvpn
14:01 < net125mp> 2.3.5 i think
14:01 < esde> sorry
14:01 < esde> that wasn't a question can you please run that command
14:01 < net125mp> /usr/local/sbin/openvpn
14:01 < net125mp> :)
14:03 < esde>  /usr/local/sbin/openvpn --version
14:03 < net125mp> 2.3.2
14:03 < net125mp> awesome
14:03 < net125mp> i just need to cd to that directory.
14:04 < net125mp> does it usually install to that location?
14:05 < esde> that's not awesome
14:05 < net125mp> ?
14:05 < esde> if you want 2.3.5, that is
14:05 < net125mp> nah 2.3.2 is fine
14:06 < esde> are you sure? 2.3.2 = SSL 3.0
14:06 < net125mp> pooodle
14:06 < esde> Bingo was its name-o
14:08 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
14:08 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
14:15 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
14:16 < pekster> esde: Nope
14:16 < pekster> !poodle
14:16 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
14:16 < esde> I'm sorry is 2.3.2 not lower than >=2.3.3
14:16 < esde> ?
14:16 < pekster> No published openvpn version has ever been vulnerable to POODLE
14:17 < pekster> Heartbleed is a different story, but that's based on your local OS openssl version, not openvpn. Thus the fix is to obtain a binary patch from your OS vendor or recompile openssl yourself
14:17 < pekster> !heartbleed
14:17 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
14:17 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
14:17 < pekster> Unless you're on Windows. Then OpenVPN bundles openssl, so you need an up-to-date one to protect yourself
14:17 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 255 seconds]
14:18 < esde> Perhaps I misunderstand. I thought SSL 3.0 was vulnerable, as a rule. So that I'm using SSL 3.0 with OpenVPN 2.3.2, I'm not vulnerable? I am confused.
14:18 < esde> Ahh. 2.3.2 has TLS 1.0
14:19 < esde> (it's been a long week)
14:22  * esde takes a loooooong sip of coffee and pours a cup for everyone else
14:23 -!- jdmf [~jdmf@78.156.100.202] has quit [Quit: Bye.]
14:26 <@ecrist> esde: OpenVPN has only ever used TLS, afaik
14:27 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
14:28 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Client Quit]
14:32 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
14:33 -!- hexeditme [6deb30af@gateway/web/freenode/ip.109.235.48.175] has quit [Ping timeout: 246 seconds]
14:48 -!- mirco [~mirco@p4FE08230.dip0.t-ipconnect.de] has joined #openvpn
14:58 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
15:01 -!- reventlov is now known as Reventlov
15:03 < esde> I've got openvpn 2.3.5 installed from source, but when i run sudo service openvpn status, it returns unrecognized service. how do i install openvpn as a service on a debian based system?
15:07 < esde> Perhaps I should mention, running openvpn as "openvpn" is fine. I'm only having problems with using openvpn as a service
15:22 < Eugene> The same way you install anything as a service on a debian based system: with an init script
15:27 < esde> Nice and sharp, thanks.
15:38 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
15:40 < Pinchiukas> So can anyone tell me why there are several options for "key usage" in https://openvpn.net/index.php/open-source/documentation/howto.html#mitm ?
15:40 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:47 -!- hexeditme [0233467d@gateway/web/freenode/ip.2.51.70.125] has joined #openvpn
15:52 -!- mirco [~mirco@p4FE08230.dip0.t-ipconnect.de] has quit [Quit: mirco]
16:05 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has quit [Ping timeout: 244 seconds]
16:32 -!- mattock_afk is now known as mattock
16:37 -!- Guest59886 [~sector@unaffiliated/p-trust] has joined #openvpn
16:37 -!- Guest59886 [~sector@unaffiliated/p-trust] has left #openvpn []
16:38 -!- p-trust [~sector@unaffiliated/p-trust] has joined #openvpn
16:38 < p-trust> hi
16:38 < p-trust> trying to make openvpn daemon listen on ipv6 port
16:38 < p-trust> ipv6 address*
16:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:39 < p-trust> with: local fe80::5400:ff:fe02:b4c4
16:39 < p-trust> Fri Nov 14 22:35:17 2014 RESOLVE: Cannot resolve host address: fe80::5400:ff:fe02:b4c4 The specified host is unknown.
16:39 < p-trust> this host is in ifconfig and working
16:40 < p-trust> i suppose --listen doesn't support ipv6 ?
16:42 < p-trust> ok , solved with setting 'proto' from 'tcp-server' to 'tcp6-server'
16:42 < hexeditme> i got it working ^^ finally
16:44 < p-trust> !poodle
16:44 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
16:44 < p-trust> !configs
16:44 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:04 -!- mattock is now known as mattock_afk
17:08 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:13 < kef> !hardening
17:13 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
18:09 -!- Rene [~Rene@tigger.hertell.com] has joined #openvpn
18:09 < Rene> good evening all!
18:11 < Rene> could someone be so kind and help me finding a guide on how to forward traffic with iptables between vpn-clients using the tap-interface, but without using client-to-client. I need to restrict some clients from getting to some clients..
18:23 < Eugene> !iptables
18:23 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
18:23 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
18:25 < pekster> See also:
18:25 < pekster> !dynamic
18:25 < pekster> !factoids search dynamic
18:25 <@vpnHelper> "dynamicfirewall" is to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
18:25 < pekster> !policy
18:25 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
18:25 < pekster> Rene: Possibly my project at (#3) may be of interest
18:26 < pekster> Or if you can get away with a static ruleset, that's easier. dynamic integration gets tricky
18:29 < Rene> pekster: i don't nee dynamic, because all clients have pre-defined ip:s
18:32 < Rene> everything i found til now is for tun.. i found nothing yet for tap :-(
18:33 < zoredache> Just because I am vaguely curious.  Why are you using tap?
18:34 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
18:38 < Rene> zoredache: i have understood that tap is better when mixing with linux/windows networks. I have at home and my offoce 3 different subnets behind 3 clients..
18:39 < Rene> zoredache: and when i first configured openvpn ages ago, tap was the only setup that i managed to get to work
18:40 < zoredache> A routed (tun) network is usually prefered.  AFAIK unless you are using really old clients you should almost always being using a routed network.
18:41 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
18:45 < Rene> zoredache: hmm.. i have to test it out how that would work out..
18:46 < zoredache> Anyway, if you don't switch and stick with tap mode then just remeber that you are dealing with a **bridge** which means you need to look at the layer 2 filtering tools ebtables.
18:46 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
18:47 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
18:57 -!- triplicate [~triplicat@ip68-226-30-174.tc.ph.cox.net] has joined #openvpn
19:15 <+hazardous> i have something stupid i want to ask and unsure if it's possible in a sane way
19:16 <+hazardous> i have a unbutu system with 3 ipv4 and a windows server, i want to give the windows server one of the ubuntu box's ips
19:16 <+hazardous> 1:1 nat, direct passthrough, i don't know
19:17 <+hazardous> but i need the ability that source ips are retained and passed through to the windows box
19:17 <+hazardous> is this possible with bridging or routing?
19:18 <+hazardous> basically i just want to be able to use an ipv4 from server1 on server2, forwarding everything, not individual ports, and "enduser real ip" passed through, using the default nat thing (routing?) all of the ips are some internal ip, dunno if there's  some kind of fake masquerade thing h ave to flip
19:22 < Rene> 		
19:22 < Rene> uhh.. complete fail with trying to make tun work..
19:22 < Rene> can't find any windows/samba shares anymore
19:22 < Rene> also dropped my vpn-connection to my irssi-proxy :-)
19:27 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:48 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
20:06 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:06 -!- mode/#openvpn [+v s7r] by ChanServ
20:13 -!- ajtag [~ajtag@cpc10-lee211-2-0-cust124.7-1.cable.virginm.net] has quit [Ping timeout: 245 seconds]
20:50 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:51 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 258 seconds]
20:55 -!- resixian [~akira@unaffiliated/resixian] has quit [Remote host closed the connection]
20:59 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 250 seconds]
21:10 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
21:29 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:58 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 250 seconds]
22:01 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has joined #openvpn
22:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
22:14 -!- redGod [~travisbre@207-172-237-197.c3-0.atw-ubr5.atw.pa.cable.rcn.com] has joined #openvpn
22:22 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:26 -!- redGod [~travisbre@207-172-237-197.c3-0.atw-ubr5.atw.pa.cable.rcn.com] has quit [Ping timeout: 265 seconds]
22:27 -!- p-trust [~sector@unaffiliated/p-trust] has quit [Quit: Leaving]
23:07 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
23:18 -!- ShadniX [dagger@p5481D3D9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:20 -!- ShadniX [dagger@p5481D3E9.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Nov 15 2014
01:18 -!- mattock_afk is now known as mattock
02:02 -!- cheesenbiscuts [~cheesenbi@175.142.77.227] has joined #openvpn
02:03 -!- mattock is now known as mattock_afk
02:14 < cheesenbiscuts> Hi Everybody
02:15 < cheesenbiscuts> I'm having a strange issue with OpenVPN running a DD-WRT router that wasn't there before.
02:16 < cheesenbiscuts> The openvpn client connects to the openvpn server fine and everything works - I can get to the internet and to the LAN through the server
02:17 < cheesenbiscuts> the problem is that my network interface isn't showing up as having a default gateway, but when I check my routing table, there's on there for the OpenVPN server.
02:17 < cheesenbiscuts> The server is DD-WRT OpenVPN and the client is a win7 pc.
02:51 < cheesenbiscuts> nevermind, I found the answer, it's got to do with using the 'redirect-default-gateway def1' option.
02:52 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
02:52 < cheesenbiscuts> it adds another route to your route-list but the tap interface doesn't get a default-gateway. it's only cosmetic though.
03:00 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e470:a238:a290:efaf] has quit [Ping timeout: 265 seconds]
03:17 -!- mattock_afk is now known as mattock
03:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:53 -!- dazo_afk is now known as dazo
03:56 -!- net125mp [~Home@unaffiliated/net125mp] has quit [Quit: Leaving.]
04:10 -!- `Yoda [~Yoda@2607:5300:60:1ba8::3] has quit [Changing host]
04:10 -!- `Yoda [~Yoda@unaffiliated/itsyoda] has joined #openvpn
04:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
04:21 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:21 -!- mode/#openvpn [+v s7r] by ChanServ
04:29 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
04:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:31 < AlexRussia> hello! Does android app is FOSS?
04:34 < AlexRussia> oh, this one? https://code.google.com/p/ics-openvpn/source/checkout
04:34 <@vpnHelper> Title: Source Checkout - ics-openvpn - Openvpn for Android 4.0+ - Google Project Hosting (at code.google.com)
04:35 <@plaisthos> AlexRussia: yeah that opensource
04:37 < AlexRussia> plaisthos: so, what is this https://play.google.com/store/apps/details?id=net.openvpn.openvpn ? @_@
04:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:58 <@plaisthos> AlexRussia: official client
05:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:18 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 244 seconds]
05:21 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:24 -!- mattock is now known as mattock_afk
05:33 -!- dazo is now known as dazo_afk
05:35 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
05:36 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
05:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
05:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
05:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:12 -!- mt [mt@unaffiliated/supermat] has quit [Remote host closed the connection]
06:14 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
06:18 -!- dazo_afk is now known as dazo
06:23 -!- mattock_afk is now known as mattock
07:01 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:04 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
07:06 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
07:12 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Ping timeout: 255 seconds]
07:15 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
07:21 < AlexRussia> plaisthos: ...@_@
07:23 -!- cheesenbiscuts [~cheesenbi@175.142.77.227] has quit [Remote host closed the connection]
07:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
07:42 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:58 <@plaisthos> AlexRussia: OpenVPN Coperation Client vs OpenVPN Community client
08:04 < AlexRussia> plaisthos: o.0, what's different?
08:14 -!- tony1 [~tony1@cpe-66-66-6-48.rochester.res.rr.com] has left #openvpn ["WeeChat 1.0.1"]
08:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
09:02 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
09:16 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 244 seconds]
09:19 -!- ketas [~ketas@92-38-190-90.dyn.estpak.ee] has quit [Ping timeout: 245 seconds]
09:24 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
09:44 -!- dazo is now known as dazo_afk
10:09 -!- robsco [~robsco@cpc10-hers4-2-0-cust224.6-3.cable.virginm.net] has quit [Ping timeout: 264 seconds]
10:11 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
10:15 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:15 -!- mode/#openvpn [+v s7r] by ChanServ
10:17 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:29 -!- Varazir [~mircwars@c-94-255-128-92.cust.bredband2.com] has quit [Quit: leaving]
10:39 -!- k5tux [~k5tux@joust.bluecows.com] has quit [Ping timeout: 245 seconds]
10:56 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
10:58 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:08 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:14 -!- dazo_afk is now known as dazo
11:20 < idl0r> http://dpaste.com/2HW16AV - why does the *daemon* do a shutdown when the *client* disconnects (so e.g. OpenVPN-Connect (android))
11:21 < idl0r> SIGTERM[soft,remote-exit] received, process exiting
11:24 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:27 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:28 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
11:29 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
11:35 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:39 -!- mattock is now known as mattock_afk
11:46 -!- dazo is now known as dazo_afk
11:50 < Wulf> idl0r: https://forums.openvpn.net/topic17423.html  or is that your own thread?
11:50 <@vpnHelper> Title: OpenVPN Support Forum Openvpn connect iOS causing server to exit on disconnect : OpenVPN Connect (iOS) (at forums.openvpn.net)
11:52 < idl0r> Wulf: no, that's not my thread
11:53 < idl0r> i already use 2.3.4 and keepalive so that's not it id's say
11:54 < Wulf> idl0r: looks pretty similar to me
11:55 < idl0r> that patch might work but i am not familar with the openvpn sources so a statement from upstream would be good first
12:11 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
12:27 -!- seventyseven [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
12:48 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
12:48 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 265 seconds]
12:48 -!- ernini [~reni@145-24-145-247.dyn.hro.nl] has quit [Ping timeout: 265 seconds]
12:49 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 265 seconds]
12:50 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
12:50 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
12:50 -!- jtrucks_ [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has joined #openvpn
12:51 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:51 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
12:52 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
12:54 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 245 seconds]
12:54 -!- DArqueBishop [drkbish@tyrande.darquecathedral.org] has quit [Ping timeout: 245 seconds]
12:54 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 245 seconds]
12:54 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 245 seconds]
12:55 -!- jtrucks [jtrucks@freenode/staff/lopsa.foundingmember.jtrucks] has quit [Ping timeout: 600 seconds]
12:55 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:56 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
12:57 -!- moeyebus_ [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
12:57 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
12:58 -!- zalami_ [~realnameo@unaffiliated/zalami] has joined #openvpn
12:59 -!- ghoti_ [~paul@hq.experiencepoint.com] has joined #openvpn
13:00 -!- Pyrogerg_ [~Gregory@192.67.133.200] has joined #openvpn
13:00 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Ping timeout: 265 seconds]
13:00 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 265 seconds]
13:00 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 265 seconds]
13:00 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 265 seconds]
13:00 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 265 seconds]
13:00 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has quit [Ping timeout: 265 seconds]
13:00 -!- deranged_user [Jess@lolnerd.net] has quit [Ping timeout: 265 seconds]
13:00 -!- mpoole [~mpoole@minotaur.apache.org] has quit [Ping timeout: 265 seconds]
13:00 -!- dimitry7 [dimitry7@26c-002.static.bnc4free.com] has quit [Ping timeout: 265 seconds]
13:00 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 265 seconds]
13:00 -!- meepmeep [meepmeep@end.of.cylind.re] has quit [Ping timeout: 265 seconds]
13:00 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 265 seconds]
13:00 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
13:00 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
13:00 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 265 seconds]
13:00 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 265 seconds]
13:00 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 265 seconds]
13:00 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 265 seconds]
13:00 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Ping timeout: 265 seconds]
13:00 -!- ghoti [~paul@hq.experiencepoint.com] has quit [Ping timeout: 265 seconds]
13:00 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has quit [Ping timeout: 265 seconds]
13:00 -!- K1rk [~Kirk@5.135.221.149] has quit [Ping timeout: 265 seconds]
13:00 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 265 seconds]
13:00 -!- zalami [~realnameo@unaffiliated/zalami] has quit [Ping timeout: 265 seconds]
13:00 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
13:00 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 265 seconds]
13:00 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 265 seconds]
13:01 -!- K1rk [~Kirk@5.135.221.149] has joined #openvpn
13:01 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
13:02 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
13:02 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
13:03 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
13:03 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
13:03 -!- deranged_user [Jess@lolnerd.net] has joined #openvpn
13:03 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
13:04 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
13:04 -!- BtbN [btbn@btbn.de] has joined #openvpn
13:04 -!- meepmeep [meepmeep@end.of.cylind.re] has joined #openvpn
13:05 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
13:05 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 265 seconds]
13:05 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 265 seconds]
13:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
13:05 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Ping timeout: 265 seconds]
13:05 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has joined #openvpn
13:06 -!- phuzion_ is now known as phuzion
13:06 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
13:07 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
13:07 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
13:07 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
13:07 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
13:08 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
13:09 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Excess Flood]
13:09 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
13:09 -!- ketas [~ketas@159-211-191-90.dyn.estpak.ee] has joined #openvpn
13:10 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
13:10 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:10 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
13:12 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
13:13 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:14 -!- fling [~fling@fsf/member/fling] has quit [Ping timeout: 250 seconds]
13:18 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Ping timeout: 240 seconds]
13:19 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
13:19 -!- Pyrogerg [~Gregory@192.67.133.200] has joined #openvpn
13:20 -!- Pyrogerg_ [~Gregory@192.67.133.200] has quit [Ping timeout: 255 seconds]
13:21 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 255 seconds]
13:21 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Ping timeout: 255 seconds]
13:21 -!- Reventlov [~reventlov@unaffiliated/reventlov] has quit [Ping timeout: 255 seconds]
13:21 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 255 seconds]
13:22 -!- triplicate [~triplicat@ip68-226-30-174.tc.ph.cox.net] has quit [Ping timeout: 255 seconds]
13:22 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 255 seconds]
13:22 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
13:23 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has quit [Ping timeout: 255 seconds]
13:23 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 255 seconds]
13:23 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 255 seconds]
13:23 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Ping timeout: 255 seconds]
13:23 -!- Reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
13:23 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:23 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
13:24 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has joined #openvpn
13:24 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
13:25 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
13:26 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has joined #openvpn
13:29 < Neal_> iMessage on my Mac doesn't work when I connect to my OpenVPN server. How can I debug this?
13:30 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
13:34 < idl0r> Wulf: actually that's even a DoS
13:34 < idl0r> hm
13:36 < Wulf> idl0r: do you know how I could trigger it in my setup?
13:38 < idl0r> Wulf: use my config (server) and http://dpaste.com/2RM0S5V for the client
13:38 < idl0r> then just hit the disconnect button on android
13:38 < idl0r> no idea about ios
13:39 < Wulf> idl0r: got no android nor ios. I mean without changing the server config.
13:40 < idl0r> no idea then
13:40 < idl0r> i never had such issues before
13:40 < idl0r> just since i wanted to setup my android with openvpn
13:40 < idl0r> i'd have to read the sources :(
13:40 < Wulf> idl0r: did you try setting up a multi-client server, i.e. "mode server"?
13:41 < idl0r> no
13:50 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
13:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
13:55 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
13:57 -!- crus [crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has joined #openvpn
13:57 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
13:58 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:00 -!- Wulf4 [~Wulf@unaffiliated/wulf] has joined #openvpn
14:02 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
14:03 -!- Neal|ZNC [neal@felix.ineal.me] has joined #openvpn
14:05 -!- Netsplit *.net <-> *.split quits: AlexRussia, jzaw, _0x5eb_, jefferai, seba, crus`, zalami_, Phillies, phuzion, Neal_,  (+5 more, use /NETSPLIT to show all of them)
14:05 -!- Netsplit over, joins: seba
--- Log closed Sat Nov 15 14:11:01 2014
--- Log opened Sat Nov 15 14:16:25 2014
14:16 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
14:16 -!- Irssi: #openvpn: Total of 180 nicks [6 ops, 0 halfops, 3 voices, 171 normal]
14:16 -!- mode/#openvpn [+o ecrist] by ChanServ
14:16 -!- Irssi: Join to #openvpn was synced in 2 secs
14:16 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
14:17 -!- Reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
14:17 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
14:18 -!- mode/#openvpn [+o dazo_afk] by ChanServ
14:18 -!- dazo_afk is now known as dazo
14:19 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
14:19 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 258 seconds]
14:24 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
14:32 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
14:32 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
14:34 -!- kossy [~a@unaffiliated/kossy] has joined #openvpn
14:36 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
14:39 -!- jrg is now known as jrg_
14:39 -!- jrg_ is now known as jrg
14:39 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
14:40 -!- Neal|ZNC is now known as Neal_
14:40 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
14:42 -!- yeik [~jeff@2601:b:5a00:1291:f970:eb9b:7656:c02d] has joined #openvpn
14:43 < yeik> So, I have a question. Someone told me openvpn is just ipsec basically with a UDP header/encapsulation in user space instead of kernel. is that true?
14:44 < pekster> Nope
14:44 < pekster> !notcompat
14:44 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
14:44 < yeik> I didn't think so.
14:45 < pekster> It is primarily in userspace (AES-NI is the possible exception, if the kernel, openssl, and openvpn were built with the necessary support and your hardware can do it)
14:45 < pekster> Otherwise everything until it hits your network cards is in userland
14:45 < yeik> So, what is a good device to use for vpn tunnels using openvpn, i want some site-to-site setup. I noticed though with a client installed, one of my boxes went up to over 25% cpu usage (quad core) when i was doing one scp file copy.
14:45 < pekster> The rest is bunk though
14:46 < pekster> If CPU is your bottleneck _and_ you actually need faster speeds than this bottleneck (remember, openvpn still has to send the data over a real link at some point) then buy hardware with AES-NI support
14:47 < pekster> That'll let you offload AES crypto to the CPU rather than force software to deal with it, moving the bottleneck somewhere else (possibly I/O or context switching.) This only works with AES ciphers, and BF is the openvpn-default, so you'll want to change that
14:48 < yeik> is there a decent open source router that has it built in with AES-NI support? I think the cipher i am using cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
14:48 < pekster> And openvpn is single-threaded, so 25% of 4 cores is effectively loading up 1 core, capping out likely on the crypto
14:48 < pekster> TLS is different
14:48 < pekster> This is the data encryption only; TLS cipher-suite has about nothing to do with data transfer speeds and even CPU usage
14:48 < yeik> then it is the BF-CBC
14:48 < yeik> 128 bit key
14:48 < pekster> Right. Switch to an AES cipher there if you have AES-NI support; if you don't have that, BF will probably be sligihtly faster
14:49 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
14:49 < yeik> ok. So like a newer intel proc with AES built in.
14:49 < pekster> Yup. For intel stuff, their ark.intel.com website can tell you what chips support it
14:49 < yeik> I am not sure the openvpn server that is in place has support for AES-NI.
14:50 < yeik> is there any router boxes that support it?
14:50 < pekster> It's an openssl thing; it's quite rare to see openvpn built without that support
14:50 < pekster> ie: if your OS provides AES-NI support for _openssl_ (and the CPU supports it) then you get it
14:50 < yeik> Well, the interface doesn't give an option to choose the cipher
14:50 < pekster> "interface" ?
14:50 < yeik> right, the openvpn server is set up on Zentyal, on a hardware box (I am not sure of the specs atm)
14:50 < pekster> NFI; ask them
14:51 < yeik> That is my next stop.
14:51 < pekster> Yea. We can really only provide help for people on their own hardware, able to configure openvpn directly. Anything else is limited to theory, not application
14:51 < yeik> I just wanted to stop in and learn how openvpn works, and the ciphers, best settings, etc.
14:52 < pekster> Yup. "theory" ;)
14:52 < yeik> would it make a difference on a device if it was client vs a site-to-site setup?
14:52 < pekster> Nope, the basic encryption is still the same, and seems to be your limiting factor
14:53 < yeik> good to know.
14:53 < pekster> multi-client mode requires the use of TLS (where as the p2p mode can optionall use it, but need not if you'd rather do fully static crypto: see !static for that.)
14:53 < pekster> But TLS isn't in the direct path of data traffic, just for the control traffic
14:53 < yeik> !static
14:53 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
14:53 < pekster> Erm, not that
14:53 < pekster> !factoids search static
14:53 <@vpnHelper> 'static', 'static_key_details', 'dlink_static_route', 'static-key', and 'statickey'
14:53 < pekster> !statickey
14:53 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
14:53 < pekster> ^ that
14:54 < yeik> ahh ok. yeah that makes sense. is that what some might mark as a shared secret?
14:54 < pekster> Yup, that static-key mode is describing symmetric encryption with a PSK
14:55 < pekster> (pre-shared-key)
14:55 < pekster> ie: if that is ever compromised, not only is the security worthless, but attackers who captured traffic in the past can decrypt it
14:55 < pekster> forward-secrecy protects against that
14:56 < yeik> Right. Because each connection generates a new handshake and hash* (not the right word for what im thinking of I think) for the time the connection is open.
14:56 < pekster> Mostly, but openvpn rotates symmetric keys as well, and secures their generation with a DHE handshake
14:57 < pekster> On a related note, you only get PFS with a DHE/ECDHE TLS mode (and ECDHE doesn't exist yet)
14:57 < pekster> !hardening
14:57 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
14:58 < yeik> Great. This is helpful.
14:59 < yeik> so the cipher, BF-CBC is the default because it is slightly faster or considered more secure?
14:59 < pekster> faster in software
15:00 < yeik> isn't a lot of hardware adding AES built in though? or is it mostly intel chips?
15:00 < pekster> BF is about on-par with AES for the same keysize used; this said, BF, like AES, is a somewhat older cipher by modern standards (the author is a bit surprised it's as popular given newer versions, like his twofish)
15:00 < pekster> Depends if they offer support for AES-NI (aka "New Extensions")
15:00 < pekster> "New Instructions" rather
15:01 < yeik> BF short for blowfish. I did read that, doesn't blowfish have known security issues?
15:01 < yeik> that is why he is surprised people still use it IIRC
15:02 < pekster> Not effectively, no. Plenty of info on cryptanalysis
15:02 < pekster> RC4 has far worse problems and that's still supported on many SSL sites, including banks
15:03 < pekster> BF isn't great in the face of weak keys, but that's not really news
15:05 < pekster> Also, if you'll be pushing a ton of data (more than ~4 GiB/hr) over the VPN, consider setting a --reneg-bytes value at or below that point. I should probably update that hardening page to include that recommendation
15:05 < pekster> That applies a bit more with BF than other ciphers, but it's in general a good recommendation
15:06 < yeik> that is on the server or client?
15:06 < pekster> Either, and it's convenient to put it on the server only so you can update it later without redeploying configs to clients
15:06 < pekster> If either side initiates a rekey it forces them both to do it
15:07 < pekster> (exception being if you want to *increase* or remove the limits. But that's usually silly)
15:08 < yeik> and if I need to change the cipher, that is done server side only, clients auto negotiate the cipher
15:08 < pekster> No negotiation of --cipher today either
15:08 < pekster> --tls-cipher is negotiated per the usual TLS rules (and is thus best to include on both ends)
15:09 < yeik> so that has to be set up in the client and server config?
15:09 < pekster> Yup
15:09 < pekster> --cipher has to, and it's wise to match --tls-cipher changes between endpoints but isn't strictly required
15:09 -!- mode/#openvpn [+v seventyseven] by ChanServ
15:11 < yeik> cool. So if I need to make these changes I will probably want to set up another openvpn server on a different port so I don't have to push new configs to everybody else
15:13 < pekster> If you still need to support old configs, yes
15:13 < pekster> fwiw, if you have multiple clients, you can possibly improve aggregate throughput by load balancing clients to multiple backend servers, although any single server will only consume up to a single core
15:13 < yeik> Would you suggest Openvpn over ipsec for a site-to-site setup that is static?
15:14 < pekster> Either works; depends on your needs/goals really. IPSec is in the kernel, so your throughput is higher, and it's supported some places where openvpn isn't. The drawbacks include a bit more complex setup, typically, and they don't have as many modern features
15:14 < pekster> Also, IPSec sucks in the face of NAT
15:15 < pekster> (yes, there's NAT-T, but that's also rather painful)
15:16 < yeik> well, it would be at the firewall level on both boxes so it shouldn't be doing any NAT traversal. I actually have only had my first experience with VPN this week. I have used cisco vpn clients before but never this depth with any vpn
15:17 < yeik> I think we have less than 25 people connecting with openvpn. I should look and see the cpu usage on the box that is set up to see if we are hitting limits with it.
15:18 < pekster> If you are consider one of A) AES-NI hardware, B) multiple openvpn instances (servers) to load-balance clients, or C) IPSec
15:18 < yeik> Would there be any latency differences with openvpn vs ipsec?
15:18 < pekster> Or A+B ;)
15:18 < pekster> Not practically, no
15:19 < yeik> any theoretical limitation with AES-NI where I would want to configure both multiple instances and AES-NI vs just AES-NI
15:19 < yeik> Cool.
15:19 < pekster> In theory, sure, if you still cap out the openvpn thread. That's unlikely to pose an issue before other things do
15:20 < yeik> is the lzo compression much benefit? or will that add to cpu usage?
15:20 < pekster> Namely context switching, in which case you either need a higher pMTU (not practical over the public 'net) or IPSec
15:20 < pekster> lzo comp adds to CPU usage in a bid to save bandwidth
15:20 < pekster> Depends on where you bottleneck is, but it's best to turn it off with CPU-limitations
15:20 < yeik> and that has to be off on both ends as well right?
15:20 < pekster> IIRC you need to set comp-lzo explicitly for it to be pushed, but then your server can control that setting client side
15:21 < yeik> Is there a list of options that I can turn on, from the client side that would help improve things?
15:21 < pekster> Not really; --push in the manpage has a list, although it's possibly incomplete
15:22 < pekster> basically it's just --comp-lzo and --cipher that are of interest to the client
15:23 < pekster> If you really want, you can even push different comp-lzo settings to different clients, though that's not generally interesting
15:24 < yeik> hmm, strange. i did try removing the --comp-lzo on one config and it never seemed to set up a proper connection.
15:24 < yeik> (client side)
15:24 < pekster> Default is adaptive
15:25 < pekster> If you dosn't have any such directive, it can't be pushed
15:25 < pekster> Thus best to set whatever you want explicitly, and optionally push it later
15:25 < pekster> And with that, I'm out for a bit; things to do, places to be
15:25 < yeik> excellent, thanks for your time, it has helped a lot.
15:25 < pekster> good luck, and someone else might have more suggestions if you need more info (or $future_me)
15:28 <+seventyseven> also .. worth reading the manual
15:30 < yeik> Yeah, i just haven't had time. I was asked to look into site-to-site options and everything else was already set up. using clients
15:45 -!- fling [~fling@fsf/member/fling] has joined #openvpn
16:07 -!- yeik [~jeff@2601:b:5a00:1291:f970:eb9b:7656:c02d] has quit [Ping timeout: 265 seconds]
16:16 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
16:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
16:36 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
16:36 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 255 seconds]
16:41 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
16:44 -!- dazo is now known as dazo_afk
16:56 -!- mattock_afk is now known as mattock
17:08 -!- unixninja92_ is now known as unixninja92
17:21 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 265 seconds]
17:23 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
17:39 -!- mattock is now known as mattock_afk
17:42 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
17:45 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 255 seconds]
18:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:22 -!- seventyseven is now known as debbie10t
18:27 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
18:33 -!- Strum [~Strum@139.216.176.37] has joined #openvpn
18:34 < Strum> hi
18:34 <+debbie10t> nwhoops
18:37 -!- debbie10t is now known as seventyseven
18:45 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Read error: Connection reset by peer]
18:45 -!- AlexRussia_ [~Alex@unaffiliated/alexrussia] has joined #openvpn
19:09 -!- warehouse13 is now known as Left_Turn
19:14 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
19:14 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:18 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has joined #openvpn
19:35 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
19:41 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:41 -!- mode/#openvpn [+v s7r] by ChanServ
19:42 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
19:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:09 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:11 -!- Wulf4 [~Wulf@unaffiliated/wulf] has quit [Ping timeout: 272 seconds]
20:13 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has joined #openvpn
20:13 -!- Wulf [~Wulf@unaffiliated/wulf] has joined #openvpn
20:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
21:12 -!- Strum [~Strum@139.216.176.37] has left #openvpn ["Closing Window"]
21:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
21:25 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:03 -!- lotuspsychje [~lotuspsyc@145.129.118.91] has joined #openvpn
22:06 -!- segin [~Kirn@unaffiliated/segin] has joined #openvpn
22:06 < segin> Hello, I generated some keys using the 'easy-rsa' scripts, but the Android client rejects with: OpenVPN core error: PolarSSL: error parsing ca certificate : PK-Key algorithm is unsupported (only RSA and EC are supported)
22:08 < pekster> You might try the open-source android client that links openssl (not polarssl.) This said, easyrsa (both the older 2.x and newer 3.x codebases) do not support anything except rsa and ec certs, and current openvpn requires rsa anyway
22:09 < segin> yeah, they're RSA certs
22:09 -!- lotuspsychje [~lotuspsyc@145.129.118.91] has left #openvpn ["Ik ga weg"]
22:10 < pekster> I can take a look at the public CA component if you'd like to verify it looks sane; feel free to drop a base-64 "PEM" encoded version to a pastebin somewhere
22:11 < segin> okay, one minuite
22:12 < segin> pekster: http://pastebin.com/7thE2NS0
22:15 < pekster> That's not a CA certificate; it's a server cert
22:15 < pekster> According to the error message, it's looking for a server cert. This said, the validation doesn't make much sense in that context
22:15 < pekster> looking for a CA cert, rather
22:17 < segin> whoops, sorry
22:17 < segin> and I found the issue, had the wrong ca.crt on my SD card
22:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:22 -!- canada4663 [~canada466@cpe-173-172-182-206.tx.res.rr.com] has joined #openvpn
22:22 -!- canada4663 [~canada466@cpe-173-172-182-206.tx.res.rr.com] has left #openvpn ["Leaving..."]
23:14 -!- yeik [~jeff@2601:b:5a00:d02:c114:134c:72ee:f086] has joined #openvpn
23:14 < yeik> !poodle
23:14 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
23:14 < yeik> !heartbleed
23:14 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
23:14 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
23:15 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
23:19 -!- ShadniX [dagger@p5481D3E9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:21 -!- ShadniX [dagger@p57941137.dip0.t-ipconnect.de] has joined #openvpn
23:21 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:36 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
23:48 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
23:50 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 256 seconds]
--- Day changed Sun Nov 16 2014
00:00 -!- lxsameer [~lxsameer@unaffiliated/lxsameer] has joined #openvpn
00:02 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Read error: Connection reset by peer]
00:02 < lxsameer> hey guys, openvpn server keep dropping my packets because of bad source. but I added the suitable route in my config and ccd , file
00:02 < lxsameer> what can it be ?
00:09 -!- segin [~Kirn@unaffiliated/segin] has left #openvpn []
00:20 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:34 -!- lxsameer [~lxsameer@unaffiliated/lxsameer] has quit [Ping timeout: 264 seconds]
00:46 -!- lxsameer [~lxsameer@unaffiliated/lxsameer] has joined #openvpn
00:48 < lxsameer> how can i fix this error http://dpaste.com/2YA34W2
00:54 < lxsameer> RBecker: ^
01:18 -!- lxsameer [~lxsameer@unaffiliated/lxsameer] has quit [Ping timeout: 258 seconds]
02:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:18 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 265 seconds]
03:19 -!- mattock_afk is now known as mattock
03:25 -!- Pyrogerg [~Gregory@192.67.133.200] has quit [Ping timeout: 255 seconds]
03:54 -!- fling [~fling@fsf/member/fling] has left #openvpn []
03:58 -!- dazo_afk is now known as dazo
04:06 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:07 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
04:07 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
04:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:38 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
04:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:57 -!- dazo is now known as dazo_afk
05:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:17 -!- Wulf [~Wulf@unaffiliated/wulf] has left #openvpn []
05:29 -!- AlexRussia_ is now known as AlexRussia
05:39 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 244 seconds]
05:39 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
05:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
05:58 -!- dazo_afk is now known as dazo
06:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
06:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:42 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:49 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Remote host closed the connection]
07:15 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has joined #openvpn
07:22 -!- dazo is now known as dazo_afk
07:23 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has joined #openvpn
07:26 -!- dazo_afk is now known as dazo
07:27 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
07:30 -!- alexwh_ is now known as alexwh
07:31 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 240 seconds]
07:32 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:54 -!- VlperX [~VlperX@60-240-168-120.static.tpgi.com.au] has quit [Quit: Adios]
08:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:43 -!- dazo is now known as dazo_afk
08:43 -!- mattock is now known as mattock_afk
09:10 -!- marklite [croftworth@gateway/shell/yourbnc/x-bkelpltpeyqghdej] has quit [Ping timeout: 272 seconds]
09:11 -!- litewait [4476b304@gateway/web/freenode/ip.68.118.179.4] has joined #openvpn
09:14 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
09:14 < ib54003> hey can someone help me to setup up a openvpn connection ?
09:14 < litewait> Noob to openvpn, I just wanted to verify I can create an openvpn server that routes traffic for ONLY a specific set of IP blocks out to the internet.  The requirement is when a client is connected to the openvpn server these certain IP blocks are routed through it to the internet.
09:16 < litewait> So if sample.com resolves to so IP in the 54.12.202.0/16 range I can route just that traffic through the openvpn server.
09:19 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
09:19 -!- mode/#openvpn [+o syzzer] by ChanServ
09:19 -!- marklite [croftworth@gateway/shell/yourbnc/x-ukaaxwtagvpswmug] has joined #openvpn
09:35 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
09:35 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
09:43 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
09:45 -!- litewait [4476b304@gateway/web/freenode/ip.68.118.179.4] has quit [Quit: Page closed]
09:54 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 240 seconds]
10:05 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 264 seconds]
10:08 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
10:12 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has quit [Ping timeout: 245 seconds]
10:13 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
10:20 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:22 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:24 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:32 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 265 seconds]
10:33 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
10:58 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 258 seconds]
11:01 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
11:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
11:25 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
11:26 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:32 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
11:34 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:39 -!- Pyrogerg [~Gregory@gpenne3bc.nmsu.edu] has quit [Ping timeout: 255 seconds]
11:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
11:55 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
12:03 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
12:05 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Remote host closed the connection]
12:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:16 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
12:21 -!- benighted [~adam@dhcp-1c-7e-e5-45-5c-af.cpe.wightman.ca] has joined #openvpn
12:25 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
13:04 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
13:05 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
13:11 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
13:16 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
13:25 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
13:29 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
13:35 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
13:36 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:55 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
13:59 -!- kryo_ [~kryo@ip223.ip-5-135-108.eu] has joined #openvpn
13:59 < kryo_> does openvpn work with windows?
14:00 < kryo_> trying to set up pptpd and i can't get it to connect to the internet
14:01 < Eugene> !pptp
14:01 <@vpnHelper> "pptp" is (#1) PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
14:01 <@vpnHelper> read about why to not use pptp or (#2) Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security or (#3) https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
14:01 < Eugene> !notovpn
14:01 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
14:01 < Eugene> Pptp has nothing to do with openvpn
14:01 < kryo_> lol hi Eugene
14:02 < kryo_> it most definitely does have something to do with openvpn
14:02 < Eugene> I respectfully disagree
14:02 < kryo_> they're both vpn protocols or something
14:02 < kryo_> they're definitely related :P
14:02 < kryo_> anyway, the pptpd channel on freenode has no one in it
14:03 < Eugene> in the same way that candy and a steak are both foods, theyre related
14:03 < kryo_> yup :P
14:03 < kryo_> anyway i'd be happy to switch to openvpn
14:04 < Eugene> We still won't know anything about it or help with it
14:04 < Eugene> !goal
14:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:04 < kryo_> windows doesn't seem to have an openvpn client though
14:04 < Eugene> Not native, no
14:04 < Eugene> !download
14:04 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
14:04 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
14:04 < kryo_> i want to tunnel all data over the vpn
14:05 < Eugene> !redirect
14:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:05 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
14:05 < Eugene> !howto
14:05 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
14:06 < Eugene> Start with the howto, then work your way through the redirect bit
14:06 -!- AlexRussia is now known as Micro_AC_DC
14:07 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
14:07 < kryo_> i have a tutorial for setting up openvpn server
14:08 < kryo_> ircpimps.org does not resolve
14:09 <@ecrist> ruhroh
14:09 <@ecrist> ecrist@honeybadger:~-> host ircpimps.org
14:09 <@ecrist> ircpimps.org has address 66.181.8.149
14:09 <@ecrist> ircpimps.org mail is handled by 10 mail.secure-computing.net.
14:10 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:10 <@ecrist> sems to work for me
14:10 < kryo_> it times out from my desktop
14:10 < kryo_> o_O
14:10 < kryo_> Pinging ircpimps.org [66.181.8.149] with 32 bytes of data:
14:11 < kryo_> Request timed out.
14:11 <@ecrist> well, that's different from not resolving
14:11 < kryo_> i guess so
14:12 <@ecrist> krzee: your shits broke
14:12 -!- Irssi: #openvpn: Total of 193 nicks [9 ops, 0 halfops, 3 voices, 181 normal]
14:12 < Eugene> It's been broke for a while; I figured nobody cared.
14:13 <@ecrist> krzee might not know it's broken.
14:13 <@ecrist> I host his DNS, so that's why I jumped on the resolving claim
14:13 <@ecrist> I don't host his web server, though.
14:14 <+hazardous> can i ask dumb question here
14:14 <+hazardous> been trying to figure this out for a while
14:14 <@ecrist> it's never stopped you before, hazardous 
14:14 <+hazardous> <3
14:15 <+hazardous> is there any way i can portforward, or forward an ip entirely to an openvpn client, retaining any connecting source ip's
14:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 250 seconds]
14:15 <@ecrist> what?
14:15 <+hazardous> i need to tunnel an ip from one box to another for ddos mitigation
14:15 <+hazardous> but also need to retain the original connecting user's ip
14:15 <+hazardous> instead of having it show as the openvpn server's nat ip or whatever
14:16 <@ecrist> that's just basic routing
14:17 <@ecrist> if you only want to route a specific IP, and keep everything else, you'll need to do policy routing, and that's quite a bit more advanced.
14:18 <@ecrist> really, if the DDOS is due to pure number of packets/requests to the IP, that interface is still going to be saturated
14:20 <+hazardous> nah, it's just a simple udp flood which upstream resolves on the protected ip
14:20 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
14:21 -!- u0m3 [~u0m3@92.80.107.91] has quit [Ping timeout: 244 seconds]
14:22 <+hazardous> so i should snat/dnat to/from the connected ovpn client's static ip and it should 'just work'?
14:22 <@ecrist> you can't stop the UDP flood unless you go upstream
14:22 <+hazardous> the upstream does take care of it
14:23 <@ecrist> then what are you trying to do?
14:23 <+hazardous> forward a port from a box in one protected dc to another where there is no rpotection
14:24 -!- u0m3 [~u0m3@92.80.107.91] has joined #openvpn
14:25 <@ecrist> I'm having a difficult time grasping what, exactly you're trying to do.  
14:25  * ecrist needs more rum
14:28 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
14:34 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
14:35  * seventyseven pours ecrist a Very Large Captain Moprgans
14:35 <+seventyseven> snat/dnaty ..
14:35 <+seventyseven> not gonna help
14:35 <+seventyseven> iptables
14:36 <@ecrist> seventyseven: I'm guessing, based solely on spelling, you've had your share. ;)
14:36 <+seventyseven> and then some ;)
14:36 <+seventyseven> but seriously
14:37 -!- ib54003 [~ib54003@fedora/ib54003] has quit [Ping timeout: 256 seconds]
14:37 <+seventyseven> client-snat/dnat is going to make eff all differnece
14:38 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
14:39 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
14:48 -!- Micro_AC_DC is now known as AlexRussia
14:48 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
14:52 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
14:54 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
14:57 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:01 -!- cz20xx [~cz20xx@ec2-54-85-86-66.compute-1.amazonaws.com] has joined #openvpn
15:03 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
15:04 < cz20xx> I have a tap+bridge setup to access a private network remotely. Switched from a tun setup because ARP resolution wasn't working as needed in order for me to telnet to a switch on the aforementioned private net. This all works well and good, except pinging and ssh'ing to the LAN's gateway doesn't work for the first five minutes or so of the VPN connection.
15:05 < cz20xx> my local machine gets request/replies from ARP for where the romeote gateway is supposed to be, but still can't ping it. On the remote machine (the openvpn server) there are two entries for the same mac in the ARP table. One for the LAN interface and one for the tap interface. Did I mess this up? Reaching all other remote hosts on the network works as it should.
15:07 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
15:12 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
15:13 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:21 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
15:24 < yeik> interesting
15:24 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:31 <+seventyseven> firewall ...
15:38 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 265 seconds]
15:49 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:03 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
16:05 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:08 < kryo_> what IPs do i need to change in the openvpn.conf file?
16:08 < kryo_> i'm trying to set up redirect-gateway
16:09 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:11 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
16:12 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
16:20 <+seventyseven> kryo_, server or client ?
16:21 < kryo_> server
16:21 <+seventyseven> well #1 you do not redirect a server gateway
16:21 < kryo_> "Add the following directive to the server configuration file:
16:22 < kryo_> push "redirect-gateway def1""
16:22 < kryo_> that's from openvpn.net :P
16:22 <+seventyseven> !factiod search "redirect"
16:22 <+seventyseven> lol
16:22 < kryo_> !factoid search "redirect"
16:22 < kryo_> :S
16:22 <+seventyseven> just a hunch ...
16:23 <+seventyseven> but yeah
16:23 <+seventyseven> push "redirect-gateway def1"
16:23 <+seventyseven> normal and works .. so wassup ?
16:23 <+seventyseven> not working for yah
16:23 < kryo_> i added that, restarted openvpn
16:24 < kryo_> now when i connect i get no internet
16:24 <+seventyseven> do you habe ip forwarding eanbled on you server ?
16:24 < kryo_> i think so
16:24 <+seventyseven> !ip-forward
16:24 <+seventyseven> !help
16:24 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
16:24 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
16:25 <+seventyseven> !nat
16:25 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
16:25 <+seventyseven> !ipforwarding
16:25 < kryo_> i ran this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
16:25 < kryo_> but i have a feeling 10.8.0.0 is the wrong subnet
16:26 <+seventyseven> !you ran into it ? ... so you don't understand it ..
16:26 < kryo_> i found it and pasted it into my terminal :P
16:26 <+seventyseven> that sounds like a great plan .. =]
16:26 < kryo_> :P
16:27 < kryo_> looking at it, it should redirect traffic from 10.8.0.0/24 to eth0
16:27 <+seventyseven> i pasted a jpeg of lucy liu into my server ,, it was not happy
16:27 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
16:27 -!- ib54003 [~ib54003@fedora/ib54003] has quit [Client Quit]
16:27 < kryo_> i think that's what i want to do
16:27 <+seventyseven> i think my server is a bit gay
16:28 < kryo_> nonsesne
16:28 <+seventyseven> nonce
16:28 < kryo_> :P
16:29 <+seventyseven> ..
16:29 < kryo_> anyway i connect and i'm assigned this ip: 10.8.0.6
16:29 <+seventyseven> so .. did you paste your configs
16:29 <+seventyseven> 10.8.0.6 is a good ip
16:29 < kryo_> it doesn't seem to be redirecting though
16:30 <+seventyseven> can you ping the server on 10.8.0.1 ?
16:30 < kryo_> oh wait
16:30 < kryo_> it's my dns
16:30 <+seventyseven> waiting ....
16:30 <+seventyseven> fkn DNS
16:31 < kryo_> shouldn't this work? http://pastebin.com/qu4Jd1dg
16:32 <+seventyseven> what you think that is all you need ?
16:32 <+seventyseven> what about NAT
16:32 <+seventyseven> and firewall
16:32 <+seventyseven> and routing
16:33 < kryo_> here's the whole config..? http://pastebin.com/aSJSYKe2
16:33 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:33 < kryo_> the problem is definitely with dns though
16:33 <+seventyseven> your config file is wrong
16:34 <+seventyseven> see --server in the manual
16:34 <+seventyseven> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
16:34 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:36  * seventyseven does a mahussive Rum Burp
16:36 <+seventyseven> rum and fkn coke
16:37 < kryo_> wish i could do linux while drunk
16:37 < kryo_> :P
16:37 <+seventyseven> you are missing the --server option in your config
16:37 <+seventyseven> take a look at the example server config for your distro
16:38 <+seventyseven> yes .. i am drunk
16:38 <+seventyseven> but i can do this shit standing on my head in pile of pooh
16:38 <+seventyseven> and often do
16:38 < kryo_> same with me and php
16:38 <+seventyseven> then strap you fkn brain in and do it right
16:39 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
16:39 < kryo_> linux is very unfamiliar and strange to me
16:39 <+seventyseven> it has nothing to do with linux
16:39 <+seventyseven> your server config is wrong
16:40 <+seventyseven> it is missing the SERVER parameter
16:40 < kryo_> setting up config files by reading the man page?
16:40 <+seventyseven> openvpn will setup the routing for you
16:40 <+seventyseven> OMFG
16:40 < kryo_> no other OS makes you pour through pages of crap to set up your thingy
16:40 <+seventyseven> --server
16:40 <+seventyseven> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
16:40 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:41 < kryo_> i'm looking at that page
16:41 < Eugene> !howto
16:41 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:41 < Eugene> !refund
16:41 <@vpnHelper> "refund" is If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
16:41 <+seventyseven> Bollox!
16:41 < Eugene> If you can't be bothered to read, we can't be bothered to help
16:41 <+seventyseven> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAH
16:41 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:41 < kryo_> thanks Eugene
16:41 < kryo_> i'm reading
16:41 < kryo_> just not too happy about it
16:41 <+seventyseven> !eugenekay
16:41 <@vpnHelper> "eugenekay" is right because EugeneKay is always right.
16:41 <+seventyseven> See that !
16:41 < kryo_> the whole "config files" experience that is
16:41 < Eugene> Welcome to *nix
16:42 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
16:42 <+seventyseven> !eugenekay
16:42 <@vpnHelper> "eugenekay" is right because EugeneKay is always right.
16:42 < kryo_> i've been around for a couple years :P
16:42 < Eugene> seventyseven - chill, br0
16:42 <+seventyseven> couple more reading the help files and you might pas the test
16:42 < kryo_> so --server is a cli arg
16:42 <+seventyseven> what !!!!!!!
16:42 < kryo_> isn't it?
16:42 <+seventyseven> omfg ...
16:43 <+seventyseven> --server
16:43 <+seventyseven> rtfm
16:43 < Eugene> !--
16:43 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
16:43 <+seventyseven> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAH
16:43 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:43 <+seventyseven> and that includes the link to SERVER
16:44 < kryo_> can i put "server network netmask" right in my config
16:44 < kryo_> and that will do it?
16:44 <+seventyseven> it will help
16:44 <+seventyseven> btw ..
16:44 <+seventyseven> i have tourettes
16:44 <+seventyseven> wankawankawanka
16:44 -!- mode/#openvpn [+o Eugene] by ChanServ
16:44 < kryo_> wait should the ip be 10.8.0.0?
16:44 <@Eugene> Go sober up
16:44 -!- mode/#openvpn [+q seventyseven!*@*] by Eugene
16:44 < kryo_> lol
16:44 <+seventyseven> ppp
16:44 < kryo_> rekt
16:45 -!- mode/#openvpn [-v seventyseven] by Eugene
16:45 <@Eugene> Helps if I do that, I guess
16:45 < kryo_> orr not
16:45 < kryo_> there
16:45 < kryo_> fixed
16:45 <@Eugene> kryo_ - 10.8.0.0/24 is the default subnet used in the oepnvpn docs. You can use anything you want
16:45 <@Eugene> !rfc1918
16:45 <@vpnHelper> "rfc1918" is "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
16:45 < kryo_> i'm just wondering if it needs to be my external ip
16:45 -!- mode/#openvpn [+v seventyseven] by ChanServ
16:45 <@Eugene> No; that's for the internal on-vpn subnet hat is handed out to clients on the tun interface
16:45 <+seventyseven> ^^
16:46 < kryo_> hmmm ok
16:46 <+seventyseven> please excuse me eugene ...
16:46 <+seventyseven> i man the forums 24/7 ..
16:46 < kryo_> Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
16:47 < kryo_> seventyseven: y u break my config? :P
16:47 <@Eugene> A fairly self-explanatory error ;-)
16:47 <+seventyseven> me and michael
16:47 <+seventyseven> kyro, your config was wrong
16:47 <@Eugene> seventyseven - yes, and right now you're being drunk at newbs on IRC. Chill it a bit, eh?
16:48 <+seventyseven> i am chilled
16:48 <@Eugene> Also I'm out of (good) rum. :-|
16:48 < kryo_> IT WORKS
16:48 < kryo_> AHAAHAHAAA YUES
16:49 <+seventyseven> if i could i would .. my rum is 120% proof and costs a bomb .. but i am not drinking it cos this is not a special occasion
16:49 < kryo_> oh
16:49 < kryo_> not anymore
16:49 <+seventyseven> not at all
16:50 < kryo_> C:\Users\Kale>ping google.com
16:50 < kryo_> Ping request could not find host google.com. Please check the name and try again.
16:50 <+seventyseven> the problem is is #1 your config is wrong cos it is missing the basic --server parameter
16:50 <+seventyseven> #2 you obviously have not read the manual
16:50 <+seventyseven> that was me being polite
16:51 < kryo_> i added "server 10.8.0.0 255.255.255.0" and removed ifconfig-pool 10.8.0.4 10.8.0.255
16:51 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
16:51 <+seventyseven> can i be less polite please ?
16:52 < kryo_> if i took the time to read the manual for every unix tool i ever had to deal with, i would be 85 before i had a working server
16:52 <+seventyseven> kryo_,  do you want to know the answer by me or do you prefer a more polite person explain
16:52 < kryo_> be as impolite as you want :D
16:53 <+seventyseven> eugene .. he asked for it ......
16:53 <+seventyseven> !eugenekay
16:53 <@vpnHelper> "eugenekay" is right because EugeneKay is always right.
16:53 <+seventyseven>  see above
16:54 <+seventyseven> i am gonna wait a couple of mins to let these guys decide what they prefer
16:54 < kryo_> o_O
16:54 <+seventyseven> kryo_, if you want to know the join ###openvpn
16:54 < kryo_> lol triple hashtag
16:56 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
16:58 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:00 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
17:00 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
17:05 <+seventyseven> ###openvpn ... the solution
17:14 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
17:15 < lachesis> is there some way that openvpn could be issuing icmp reject packets for port 53 udp?
17:15 < lachesis> i'm watching traffic on the tun0 and br0 (default route to internet) interfaces on the server with tcpdump, and i see the packets only on the tun0 side
17:18 < lachesis> when i try to access port 53 on any host, i get "23:11:31.777025 IP 1.2.3.4 > 10.30.0.6: ICMP 1.2.3.4 udp port 53 unreachable, length 53"
17:18 < lachesis> this is with iptables completely disabled (default policy accept for everything) on the vpn host
17:19 < lachesis> the vpn client is android
17:20 < lachesis> not sure how that could matter, though
17:27 <+seventyseven> i was just helping this guy
17:27 <+seventyseven> but then he told me
17:27 <+seventyseven> he does not have access to the server/router
17:27 <+seventyseven> good job i did not SWAER about it here
17:27 <+seventyseven> $£^*&£(^*
17:30 < lachesis> ug what on earth could be causing this icmp bs?
17:30  * seventyseven lights up a fkn dooby
17:31 -!- mode/#openvpn [-v seventyseven] by ChanServ
17:37 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
17:37 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
17:40 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
17:48 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 245 seconds]
18:00 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
18:05 -!- K1rk [~Kirk@5.135.221.149] has quit [Ping timeout: 250 seconds]
18:06 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
18:08 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
18:11 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 256 seconds]
18:14 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
18:22 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
18:27 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
18:32 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
18:33 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
18:34 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
18:57 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 256 seconds]
19:03 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
19:12 -!- kryo_ [~kryo@ip223.ip-5-135-108.eu] has left #openvpn []
19:19 -!- kryo_ [~kryo@ip223.ip-5-135-108.eu] has joined #openvpn
19:21 < kryo_> does anyone else's openvpn have trouble connecting to 2 things at once?
19:21 < kryo_> seems like if i try to load 2 things at once one of them times out
19:25 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
19:26 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
19:30 < kryo_> could it have been because i was connecting with 2 different computers using the same .key and .crt?
19:30 -!- mode/#openvpn [+v seventyseven] by ChanServ
19:31 <+seventyseven> kryo_, routing
19:33 < kryo_> wyt
19:33 < kryo_> wut
19:33 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
19:34 < kryo_> seventyseven: how in the world am i supposed to understand what you mean by "routing"
19:34 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:f881:b511:13ef:44e4] has joined #openvpn
19:36 <+seventyseven> ky, do you understand what routing means
19:36 <+seventyseven> ky jelly
19:36 <+seventyseven> lol
19:36 <+seventyseven> ban hammer === in my face
19:37 < kryo_> no really
19:37 < kryo_> not really
19:37 < kryo_> it's a rather broad term
19:43 <+seventyseven> broad term .. like you not posting any details about your setup ..
19:43 <+seventyseven> broad terms
19:43 <+seventyseven> i would just ban you
19:43 < yeik> routing is actually rather simple, but can be overwhelming if you don't understand.
19:43 <+seventyseven> ^^ what yiek said
19:44 <+seventyseven> yeik ..
19:44 < yeik> hello seventyseven
19:44 <+seventyseven> please dont
19:44  * yeik ??
19:44 <+seventyseven> i am well ready to make even the most innocent flower crumble
19:45  * yeik shrugs.
19:45 <+seventyseven> if i was a mod .. you wouls ALL get the KICK BAN
19:46 < yeik> if thats how you feel, then you should leave. Most people that come here are here to help others and don't mind helping someone learn
19:46 <+seventyseven> lol
19:47 -!- mode/#openvpn [+b seventyseven!*@*] by Eugene
19:47 <@Eugene> Dude, I told you earlier, chill.
19:47 <+seventyseven> do you wanna be a mod on the forum ?
19:47 -!- mode/#openvpn [-v seventyseven] by Eugene
19:47 <@Eugene> Don't push your luck.
19:48 -!- mode/#openvpn [+v seventyseven] by ChanServ
19:48 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
19:48 <+seventyseven> if i may ...
19:48 <@Eugene> No, you may not.
19:48 <+seventyseven> may i ask why not ?
19:49 <@Eugene> Because this is out of line and I'm just not in a mood to deal with it. Clean up or fuck off.
19:50 < kryo_> o_O
19:50 <@Eugene> kryo_ - connecting with 2 clients using the same cert will cause problems, yes
19:50 <@Eugene> !dupe
19:50 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
19:50 < kryo_> thanks Eugene
19:50 <+seventyseven> should i also not help omn the forum ?
19:50 < kryo_> i think that's what was causing my issue
19:50 -!- seventyseven was kicked from #openvpn by Eugene [Pushing your luck]
19:51  * yeik thanks eugene
19:51 <@Eugene> Usually our community volunteers are nicer drunk ;-)
19:53 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
19:57 -!- juztin_ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
19:58  * yeik laughs
19:58 < yeik> you mean nicer drunks right?
19:59 <@Eugene> Nicer drunk than sober
19:59 <@Eugene> Take me, for instance. I'm tired of annoying drunk people, because I'm sober right now.
19:59  * yeik smirks
19:59 < yeik> I am always sober, and pretty nice, i think, most of the time/
19:59 <@Eugene> Ain't pissed me off yet.
20:00 < yeik> So, why is BF the default if so much hardware coming out with AES-NI built in?
20:01 <@Eugene> Are we talking about --cipher?
20:01 < pekster> Backwards-compat, for one. Changing things like that will break everone's config who hasn't specified one, which is a lot
20:01 <@Eugene> Because the defaults don't get changed
20:01 < pekster> ie: it can only be done on major point-releases, and that's a big deal
20:01 <@Eugene> Similar story with --topology subnet. It ought to be the default, but it isn't.
20:01 < pekster> If you do have AES-NI, you're free to change it yourself, but many people don't have such hardware, and embedded devices still have very spotty support for this
20:02  * Eugene makes a note to unban the drunk in an hour or three
20:03 < yeik> you can time your ban's can't you?
20:03 < yeik> ok. that makes sense.
20:03 < yeik> hmm. i might have to look at --topology subnet
20:03 < pekster> !topology
20:03 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
20:03 < pekster> #3 is helpful
20:06 -!- phuzion_ is now known as phuzion
20:06  * yeik hmms.
20:06 < yeik> so it is more of a route than a nat?
20:07 <@Eugene> No, sadly.
20:07 <@Eugene> About the timing, that is.
20:07 < pekster> That one's been an on-again/off-again pain here anyway
20:08 < yeik> yeah, sounds like it won't change anytime soon then.
20:08 < pekster> I'm guessing the drugs didn't help either
20:11 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:11 < yeik> So, what would you people suggest for a good site-to-site solution with low latency and high throughput?
20:12 < pekster> AES-NI hardware and some AES --cipher option, although BF or non-AES-NI hardware will be fine if you're not limited by the CPU for your allowed bandwidth. Tune --comp-lzo too; if you're pushing CPU limits, turn that off as you'll just hinder performance
20:13 -!- varsisstudio [~varsis@S0106b8c75dcf7f18.ed.shawcable.net] has joined #openvpn
20:13 < varsisstudio> Hello
20:13 < pekster> IPSec is an alternative if you don't have AES-NI available (and you'll realistically need it on both ends); IPSec does the encryption in the kernel, so there's no CPU bottleneck
20:13 < pekster> Well, there is, it'
20:14 < pekster> it's just less noticable
20:14 < yeik> so, an atom proc d525, using over 50% cpu when I connected with my linux box, pushing close to 5 MB/s
20:15 < yeik> that box was using a fair amount of cpu as well.
20:15 < yeik> would that be a concern when you have multiple people using the tunnel?
20:17  * Eugene drugs pekster 
20:18 < yeik> why would the encryption on the kernel make a difference vs the user space? is it more efficient? i thought it was a different cipher...
20:18 <@Eugene> No, doesn't matter at all
20:18 <@Eugene> You still need to perform the crypto somewhere
20:18 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
20:18 < yeik> so is ipsec using a more efficient crypto?
20:19 <@Eugene> Not really, no. It's just a different algo, or the same algo, different implementation
20:20 < varsisstudio> !welcome !goal I have a desktop machine that is connected to an VPN using openvpn, is there a way to allow say ssh access to the machine from any ip (I did manage to view the incoming requests on the machine) However the outgoing packets are redirected through the vpn, and well never resolve the request. I am using Mac Os X 10.10 with BSD packet filter. I tried a few approaches by using pf, but was unsuccessful. Does
20:20 < varsisstudio> anyone have some suggestions or ways I can open up a port/forward a port to go through the default interface not the tunnel interface.
20:26 < pekster> Different implementation primarily (IPSec can also use AES as data transport crypto.) But it's implemented in kernel-space, not user-space
20:26 < yeik> hmm, ok.
20:28 < pekster> varsisstudio: You either need to set up policy routing (read about 'route-to' in pf.conf(5)) or run the ssh server and the client that is setting (or pulling) --redirect-gateway
20:30 < pekster> And reply-too
20:30 < pekster> to*
20:36 < varsisstudio> @pekset I am not sure --redirect-gateway is what I am looking for, from what I have read it causes all packets to be routed through the VPN. But The route-to and reply-to looks like exactly what I need. I will dig into these and report back.
20:37 < pekster> route-to/reply-to are part of how you set up policy routing in PF. You need this if you want to redirect "some, but not all" of your traffic as you're effectively turning into a multi-homed host
20:37 < pekster> Alternatively, don't run the ssh server and the openvpn client with redirection on the same host
20:38 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:39 < yeik> varsisstudio, maybe you need a hairpin nat. are you using the dns name or the ip address to ssh?
20:39 < varsisstudio> I don't think running them on a different host will work for me.
20:39 < varsisstudio> I am using the IP address to ssh
20:41 < pekster> VMs, or literally different hosts do this
20:42 < pekster> And yes, that will work just fine because the routing tables will be separate
20:42 < pekster> IP or DNS or tolken-ring-ethernet all work with this layout
20:42 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
20:44 -!- yeik [~jeff@2601:b:5a00:d02:c114:134c:72ee:f086] has quit [Ping timeout: 258 seconds]
20:44 < varsisstudio> I am going to try out using PF and see where I can get with this.
20:49 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
20:50 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:55 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Quit: Searching for Waimea]
21:01 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
21:01 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
21:03 -!- mode/#openvpn [+v debbie10t] by ChanServ
21:03 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn ["Leaving"]
21:08 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:10 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
21:16 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
21:27 -!- varsisstudio [~varsis@S0106b8c75dcf7f18.ed.shawcable.net] has quit [Remote host closed the connection]
21:37 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
21:37 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
21:42 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
21:47 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:51 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 240 seconds]
22:06 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Remote host closed the connection]
22:07 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
22:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:18 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
22:37 -!- mode/#openvpn [-q seventyseven!*@*] by Eugene
22:37 -!- mode/#openvpn [-q *!*@openvpn/community/support/debbie10t] by Eugene
22:37 -!- mode/#openvpn [-b seventyseven!*@*] by Eugene
22:59 -!- crus [crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has quit [Read error: Connection reset by peer]
23:17 -!- ShadniX [dagger@p57941137.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:19 -!- ShadniX [dagger@p57941965.dip0.t-ipconnect.de] has joined #openvpn
23:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
--- Day changed Mon Nov 17 2014
00:33 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:46 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
00:49 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 255 seconds]
00:52 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
01:30 -!- benighted [~adam@dhcp-1c-7e-e5-45-5c-af.cpe.wightman.ca] has quit [Quit: Leaving]
01:56 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Ping timeout: 258 seconds]
01:59 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:05 -!- erratic [~erratic@erratic.paigeat.info] has joined #openvpn
02:07 -!- someone [~someone@chronostasis.net] has quit [Quit: ZNC - http://znc.in]
02:11 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
02:16 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
02:20 -!- phunyguy [vortex@unaffiliated/phunyguy] has joined #openvpn
02:29 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
02:30 -!- mattock_afk is now known as mattock
02:51 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
03:05 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
03:12 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:44 -!- moeyebus_ is now known as moeyebus
03:47 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
03:49 -!- mattock is now known as mattock_afk
04:03 -!- ShiroNeko [~MrHeisenb@ip-178-202-128-89.hsi09.unitymediagroup.de] has joined #openvpn
04:04 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:04 < ShiroNeko> hello, about ipv6; if have a prefix 2001:1234:5678:9836::/64, my main router is not my openvpn-server. what ipv6-address can i use as transfer address for my vpn?
04:05 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit []
04:17 -!- dazo_afk is now known as dazo
04:25 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 255 seconds]
04:27 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
04:27 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has left #openvpn []
04:28 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
04:31 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Client Quit]
04:34 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
05:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:13 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
05:19 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Quit: Konversation terminated!]
05:22 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
05:26 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
05:30 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:47 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
05:49 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
06:04 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
06:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 265 seconds]
06:10 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
06:12 -!- mattock_afk is now known as mattock
06:28 -!- hexeditme [0233467d@gateway/web/freenode/ip.2.51.70.125] has quit [Quit: Page closed]
06:34 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
06:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:40 -!- mode/#openvpn [+v s7r] by ChanServ
06:44 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
06:45 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
06:51 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
06:52 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
06:52 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 245 seconds]
06:52 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 255 seconds]
07:14 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
07:18 -!- someone [~someone@chronostasis.net] has joined #openvpn
07:26 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
07:42 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 240 seconds]
07:42 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 258 seconds]
07:44 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
07:46 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
07:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:52 -!- robscow [~robsco@wimbledon.brainboxdigital.com] has joined #openvpn
07:53 < robscow> when setting up access between lans on either side of the tunney, do i need to worry about iptables and masquerading?  I'm assuming I need to allow FORWARD between the physical and tun devices?  both ways round?
07:53 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:54 < robscow> I don't want to set up masquerading needlessly
07:59 -!- benighted [~adam@dhcp-1c-7e-e5-45-5c-af.cpe.wightman.ca] has joined #openvpn
08:21 <@ecrist> robscow: if you don't have conflicting network addresses, should be no need for it
08:23 < robscow> conflicting how?  I have a lot, vpn server on 10.71.3.0/24 physical.  ovpn setup to us 10.91.3.0/24.  a client on 172.30.1./24 and another client on 192.168.1.0/24  I want all to be able to talk to eachother
08:24 <@ecrist> conflicting as conflicting
08:24 < robscow> i'm happy with setting up the routes, but not sure what i should/need to do with iptables
08:24 <@ecrist> afaik, nothing
08:24 <@ecrist> unless you're wanting to filter traffic
08:24 < robscow> so the vpn server does all the nat'ing etc if it needs to?
08:25 <@ecrist> no
08:25 <@ecrist> it does no NAT
08:25 < robscow> ok
08:25 <@ecrist> it creates secure tunnels between end points and provides routing between connected peers and their networks, if configured
08:25 <@ecrist> !route
08:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
08:25 <@ecrist> !iroute
08:25 <@vpnHelper> client
08:25 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:26 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
08:27 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:28 < robscow> thanks, got a feeling i've been overcomplicating things for years
08:29 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
08:30 -!- mattock is now known as mattock_afk
08:31 < benighted> hey all, just finished this tutorial and trying to connect to my ovpn server for the first time. Currently from one of the clients I created I'm running 'openvpn --config /path/to/Client1.ovpn , and it's failing on timeout.
08:34 < benighted> this* http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
08:45 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 244 seconds]
08:46 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
08:49 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
08:49 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:51 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Quit: Goodbye!]
08:52 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
08:53 <@krzee> ecrist, ya i finally got a replacement server up for that, i just havnt configured the webserver on it or anything
08:54 <@krzee> too much going on lately, havnt had much time for computer fun
08:54 < robscow> it appears I do need to have FORWARD rules in iptables on my client to allow the lans to talk to eachother
08:54 <@krzee> robscow, unless you use client-to-client, yes
08:54 <@krzee> !c2c
08:54 < robscow> i get Destination Host Prohibited otherwise
08:54 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
08:54 <@vpnHelper> other clients
08:55 < robscow> i am using client-to-client
08:55 <@krzee> oh so you mean a server lan?
08:56 <@krzee> you'll need ip forwarding on every node with a lan behind it, and also on the server (if no lan) if not using c2c
08:56 <@krzee> but ya if the server has a lan then even with c2c you need ip forwarding
08:57 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
08:57 <@krzee> basically, you need ip forwarding any time a packet goes out a different interface than it goes in
08:57 < robscow> ip_forwarding is enabled, and I'm using c2c.  i've done everything with the routes as documented, but a machine behind one of the clients can't ping the physical vpn server ip
08:58 <@krzee> !serverlan
08:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
08:58 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
08:58 <@krzee> !clientlan
08:58 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
08:58 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
08:58 <@krzee> follow both flowcharts
08:58 <@krzee> tell me where you get stuck, unless it helps you fix it without help
08:58 <@krzee> use the sdf.org links
08:58 <@krzee> not the ircpimps.org links, since my server is down =[
09:00 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
09:05 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
09:05 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
09:05 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 255 seconds]
09:07 <@ecrist> krzee: ok
09:08 <@krzee> robscow, did you use the flowcharts?
09:08 < robscow> aye going through them now
09:08 < robscow> i have both setups at once
09:08 <@krzee> yep, thats why you need to use both
09:09 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 240 seconds]
09:09 <@krzee> when you're done with both ill have another test or 2
09:09 <@krzee> but first just run the tests it gives you
09:09 -!- AFreitas_ [~afreitas@bl15-108-12.dsl.telepac.pt] has joined #openvpn
09:09 -!- wallydz [~wallydz@shout.ptn.re] has joined #openvpn
09:09 <@krzee> it'll cover just about everything
09:09 < wallydz> Hello ,
09:10 < robscow> where am I to be running http://pekster.sdf.org/misc/serverlan.png from?
09:10 < wallydz> i was googling about how many concurent user on same openvpn server and what server specification
09:10 <@krzee> a vpn client
09:10 < robscow> k
09:10 < wallydz> any one have good keywords to use? :P
09:10 <@krzee> robscow, then after you do both tests, go ahead and run it again from a lan machine behind the vpn client
09:11 < robscow> aye
09:11 <@krzee> robscow, but dont get ahead of yourself, run it all from the vpn client first
09:11 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:11 <@krzee> wallydz, common question, i have not seen a very good answer
09:11 < robscow> so serverlan part is fine
09:11 <@krzee> robscow, now do clientlan
09:11 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
09:13 < wallydz> 2000 user per server for 8 cores 8 threads 8 GIGA ram
09:13 < robscow> unable to ping client lan ip from server.  /proc/sys/net/ipv4/ip_forward on client is 1
09:14 < robscow> iptables on client turned off, just to be sure
09:14 < robscow> oh hang on, ignore me for a bit
09:14 <@ecrist> krzee: I could host ircpimps for you temporarily, if you want.
09:15 <@krzee> thanks i probably would have taken you up on that a month or 2 ago, but as i have the server up now just waiting for me to configure it, i'll just get off my butt one of these days and do it
09:16 <@krzee> wallydz, important for you to know that each openvpn instance will only run on a single cpu core.
09:17 <@krzee> but you may run 8 instances if you like, on different ip:port:proto (or maybe 7 and leave one open for other stuff, up to you as a sysadmin)
09:17 <@krzee> openvpn is single threaded, so you will not be using all 8 cores with a single server process
09:18 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
09:18 < robscow> i have 2 clients on the same lan, physically 172.30.0.126 and 172.30.127.  I 'm going to have a few VMs on each of those clients, 172.30.0.126 will have VMs in the subnet 172.30.1.0/25 and 172.30.0.127 will have VMS on 172.30.1.128/25.  this is my problem
09:19 -!- noecc [~irc@unaffiliated/noecc] has quit [Ping timeout: 264 seconds]
09:19 < robscow> the client lan is 172.30.0.0/22
09:19 <@krzee> each hop just needs to get its next hop correct for each subnet
09:20 < robscow> i i just want route and push route 172.30.0.0 255.255.252.0 in the server conf?
09:20 < robscow> then each subnet for the VMs in the ccd?
09:22 <@krzee> im still waiting to hear what doesnt work
09:23 <@krzee> the larger subnet is fine in --route/--iroute since its all coming over the same vpn client
09:23 < robscow> server unable to ping client lan
09:24 <@krzee> does the client run on the router for its lan?
09:25 < robscow> nope
09:25 <@krzee> does the router for the clients lan have a route for the vpn subnet using the lan ip of the vpn client as the gateway?
09:25 <@krzee> !route_outside_ovpn
09:25 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
09:25 < robscow> no, i can't modify that router on the lans
09:25 < robscow> http://paste.scsys.co.uk/442572
09:25 < robscow> is that correct?
09:25 <@krzee> then you need to add routes directly to the lan machines
09:26 < robscow> manual routes?  no pushing, etc?
09:26 <@krzee> lan machines, not vpn machines
09:26 <@krzee> your vpn server can ping the client's lan ip, right?
09:26 < robscow> no it can't even do that right now
09:27 <@krzee> then you messed up in telling me the problem
09:27 <@krzee> the flowchart has THAT before what you said
09:27 <@krzee> theres a reason i use the flowcharts, it asks you what i would ask you, in the order i would ask you
09:27 < robscow> that's the bit I'm at
09:28 <@krzee> so lets try this again
09:28 <@krzee> where do you get stuck in the flowchart?
09:28 < robscow> "can you pinjg the lan ip of the client"
09:29 <@krzee> ok, does the client have ip forwarding enabled?
09:29 < robscow> yup, i'm just trying the iroute with the full subnet first, will see if that works
09:29 -!- AFreitas_ [~afreitas@bl15-108-12.dsl.telepac.pt] has left #openvpn []
09:30 < robscow> now I can ping the lan ip
09:30 <@krzee> well you did follow !route, didnt you?
09:31 < robscow> yes. if I have one clients ccd/iroute for the whole subnet i'm fine, but i want 2 clients to act separately, and hvae their own subnet each
09:31 <@krzee> 2 clients on the same lan?
09:31 <@krzee> why?
09:31 < robscow> redundancy
09:32 <@krzee> using a routing protocol?
09:32 <@krzee> like rip/ospf?
09:32 < robscow> no, nothing that low level, not for routing, just if one machine blows up
09:32 <@krzee> how do you expect to get redundancy from it?
09:32 < robscow> i want the 2 machines to be pretty much identical
09:32 < robscow> both a client to my vpn
09:32 < robscow> and both holding a set of VMs
09:33 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
09:33 <@krzee> oh like 2 seperate networks entirelty
09:33 <@krzee> entirely*
09:34 <@krzee> but doing the same general job, so you can access either one
09:34 < robscow> in a way yeah.  they both sit on 172.30.0.0/22  but i want each to have a /25 subnet
09:34 < robscow> yes
09:34 < robscow> the small subnet for the VMs they hold
09:34 < robscow> i thought if i use 172.30.1.0/25 and 172.30.1.128/25, that would keep it sane
09:35 <@krzee> do you need to also route to anything outside the /25's ?
09:35 <@krzee> since a /22 is much bigger than 2 /25's
09:35 < robscow> no, i don't even need to get to the lan ip of the clients
09:35 <@krzee> then just setup everything as 2 /25's
09:35 < robscow> just to that /25 that's hold on the client
09:35 <@krzee> well but wait
09:36 < robscow> i'm sure i've tried that
09:36 <@krzee> you may need to be able to route to the clients lan ip too
09:36 <@krzee> also im not sure about your virtualization software
09:36 < robscow> i don't really need to, since it's only the VMs I'm interested in.
09:37 <@krzee> it could be an issue and need special shit to allow the routing
09:37 < robscow> yeah i'll cross that bridge when i get to it :)
09:37 <@krzee> probably best if you could give the same machine which runs the virt software an ip in that /25 to test with
09:37 < robscow> yeah not too easy tho
09:37 <@krzee> thats not a bridge you can cross later unless you can isolate it, which you need to do
09:38 <@krzee> which is my idea of getting an ip from that /25 onto the machine
09:38 < robscow> right now a VM on the clients can acc the server LAN ip
09:38 <@krzee> outside of the virtual environment
09:38 < robscow> but not the rest of the server LAN
09:38 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
09:38 <@krzee> is the server the router for its subnet?
09:38 < robscow> nope not on that lan
09:39 <@krzee> then you need to add a route to its router for all foreign networks that are on vpn clients, and the vpn subnet, with the gateway as the lan ip of the server
09:39 <@krzee> same thing i said above, but now for the server side ;]
09:40 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
09:40 < robscow> if i can't modify the router on the server LAN subnet, do i need to add a static route to all clients on the lan?  I can do that easily enough
09:41 <@krzee> you dont control routers ANYWHERE in your setup?
09:41 <@krzee> what are you working on dude?
09:41 <@krzee> lol
09:41 <@krzee> and yes.
09:41 < robscow> :)
09:42 < robscow> well i do, but they're cisco switches, and I'm not too keen on fiddling with them
09:42 <@krzee> switches != routers
09:42 < robscow> right, ok, got that part working now, testing from a VM, to a machine in the servers LAN
09:42 <@krzee> and adding a route to a cisco router is not much different than adding it in linux or windows
09:42 <@krzee> or osx
09:43 < ShiroNeko> about IPv6 and OpenVPN. My VPN-Server is not my Main Router. I have a prefix 2001:1234:4567:9836:21a:4dff:fe45:9a30/64, Servers IPv6: 2001:1234:4567:9836:21a:4dff:fe45:9a30/64 and Main Routers IPv6: 2001:4dd0:ff00:1836::2. wich ipv6 address can i use for my VPN, and how do i push routes, that my VPN is used for alle IPv6 Traffic?
09:43 <@krzee> or just about anything else really
09:43 <@krzee> !redirect
09:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:43 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
09:43 < ShiroNeko> Main Routers IPv6 2001:1234:5678:1836::2
09:43 < robscow> aye, well that bits working ok now
09:43 <@krzee> ShiroNeko, see #3 ^
09:43 < robscow> but this is with only 1 client on that client LAN
09:44 <@krzee> ShiroNeko, ipv6 hurts my eyes so that all i can give ya
09:44 < ShiroNeko> krzee: unfortunally i do need ipv6 on my vpn tunnel
09:45 <@krzee> cool, im not saying theres anything wrong with it, just saying all i got for you is a push route for redirecting over it
09:46 < robscow> could my problem be seen as NOT a clientlan problem?  and do it with static routes instead?
09:46 < ShiroNeko> push "route-ipv6 2000::/3" is in my config, but still no ipv6 connectivity. have configured my VPNs IP as 2001:1234:5678:9900::/64
09:47 < ShiroNeko> so my sixxs prefix is 2001:1234:5678:9836::/64 and my VPN prefix is 2001:1234:5678:9900::/64, maybe there is my error
09:54 <@krzee> robscow, i dont understand your question… are you asking if you can pretend its not a lan behind your vpn client?
09:55 < robscow> I really don't know yet
09:56 < robscow> i'm just trying to think how best to do this to get to the VMs from my server LAN
09:56 < robscow> I've tried setting the routes with the smaller subnets, that the client isn't physically on
09:57 < robscow> that ain't working
10:01 -!- ShiroNeko [~MrHeisenb@ip-178-202-128-89.hsi09.unitymediagroup.de] has quit [Quit: leaving]
10:03 < robscow> doing a traceroute from the vpn server to a vm on the client, shows a hop getting to the vpn-ip on the client
10:03 < robscow> but then nothing
10:05 <@krzee> get the virtualization out of your setup
10:05 <@krzee> then get routing working
10:05 < robscow> ok
10:05 <@krzee> then add the virtualization stuff
10:05 < robscow> aye
10:05 <@krzee> i suggested that 30min ago btw
10:05 <@krzee> :D
10:07 <@Eugene> Yawn
10:07 <@krzee> sup Eugene hows it going
10:07 < robscow> but i only have 2 clients on that lan, it's the whole "small subnet" issue that's causing the problems
10:07 <@Eugene> Regretting it being 8AM
10:07 <@krzee> nice hostname
10:07 <@Eugene> Thanks
10:25 <@krzee> you in cali Eugene?
10:25 <@Eugene> Seattle
10:26 <@krzee> oh werd
10:26 <@krzee> just asking cause i hit cali often
10:26 <@Eugene> I'm sorry to hear that
10:26 < benighted> hey all - in this tutorial it has the tunnel ip setup as 10.8.0.x, if I'm behind a router with VPN passthru enabled do I still need to setup a static route for that traffic, so 10.8.0.x is redirected to the WAN ip of the router?
10:27 <@krzee> ehh?
10:27 < benighted> I can ping the openvpn server wan ip from the client, but can't get a handshake
10:27 < benighted> http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
10:28 <@krzee> benighted, a) you dont need "vpn passthrough" on your router, b) what is your goal?
10:28 <@krzee> !goal
10:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:28 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:28 <@krzee> benighted, cant say i want to read your walkthrough, so i wont be doing that
10:29 <@krzee> you saying you cant establish the vpn connection?
10:29 <@krzee> it just times out?
10:30 < benighted> krzee: not intended, just added context for what I have configured - I can't establish, it times out. I've checked the logs on both sides without much success as of yet. I'm trying to access the lan behind server and internet for wlan proxy connection
10:31 <@krzee> !timeout
10:31 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
10:33 <@krzee> !forget timeout
10:33 <@vpnHelper> Joo got it.
10:33 <@krzee> !learn timeout as if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
10:33 <@vpnHelper> Joo got it.
10:34 < benighted> nice
10:38 < benighted> well confirmed the service is running, client is trying to connect on UDP port 1194 to the correct WAN IP address
10:40 <@krzee> is the server directly connected to the internet?
10:42 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
10:43 < benighted> no, NAT'd
10:44 <@krzee> so check the nat / firewalls
10:44 -!- mattock_afk is now known as mattock
10:46 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
10:55 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
11:00 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:07 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 240 seconds]
11:19 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:34 -!- u0m3_ [~u0m3@92.80.107.91] has joined #openvpn
11:37 -!- u0m3 [~u0m3@92.80.107.91] has quit [Ping timeout: 258 seconds]
11:38 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
11:43 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
11:54 <@krzee> !easy-rsa
11:54 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
12:01 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
12:02 < hyper_ch> good evening
12:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
12:33 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
12:33 -!- mode/#openvpn [+o plaisthos] by ChanServ
12:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:38 <@Eugene> Welcome, to zombocom
12:39 < hyper_ch> krzee: tested now pass with a few things and also set up a git repo on github... looks all nice
12:41 <@krzee> git repo?  it stores stuff remotely?
12:41 <@krzee> hahah
12:41 <@Eugene> It stores it in the clown
12:41 < hyper_ch> krzee: no, it can use git if you want
12:42 < hyper_ch> meaning you can conveniently sync the files
12:42 < hyper_ch> if you do "pass git init" it will make a commit of each change ;)
12:42 <@krzee> got ya
12:42 < hyper_ch> the qt interface only can show the stored data though
12:43 < hyper_ch> and the cli is simple to use
12:43 < hyper_ch> I like it this far
12:43 < hyper_ch> it's simple but works
12:43 < hyper_ch> question is, how do I get git onto Android
12:45 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:45 <@Eugene> I told you already, foo
12:48 < hyper_ch> Eugene: you didn't tell me... you were just mean /me cries
12:50 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 256 seconds]
12:53 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
12:55 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:08 <@plaisthos> If you want a openvpn git version just install my client :P
13:09 < hyper_ch> plaisthos: nah, I want plain git on android ;)
13:09 < hyper_ch> and gpg and pass
13:11 <@plaisthos> iirc github has a client
13:11 <@plaisthos> but don't know if that works with other repos
13:11 < hyper_ch> yeah, I'll check on the weekend
13:11 -!- ghoti_ [~paul@hq.experiencepoint.com] has quit [Ping timeout: 245 seconds]
13:19 -!- b3d0u1n [~none@static-194-251-132-188.sadecehosting.net] has joined #openvpn
13:20 < b3d0u1n> Every once in a while -- say every couple days my connection goes down for a while.  OpenVPN does not try to reconnect -- or at least quits at somee point whe this happens.  How can I make it attempt to reconnect infinitely?
13:21 <@ecrist> 1
13:21 <@ecrist> !retry
13:22 <@ecrist> --resolv-retrt
13:22 <@ecrist> by default it's set to retry forever, though.
13:22 < b3d0u1n> So just delete the value that's there for that (5)?
13:22 <@ecrist> yes
13:23 < b3d0u1n> Delete the resolv-retry live completely, or just the value ?
13:23 <@ecrist> the line
13:23 < b3d0u1n> thanks
13:25 -!- b3d0u1n [~none@static-194-251-132-188.sadecehosting.net] has quit [Quit: [BX] THE BEATINGS WILL CONTINUE UNTIL MORALE IMPROVES]
13:39 -!- jtrucks_ is now known as jtrucks
13:40 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
13:43 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
13:44 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
13:49 < wallydz> hello its again me ! :D anyone have some keyword to use on google to find some article , tests about deploying large scale openvpn?
13:50 <@ecrist> wot?
13:50 < hyper_ch> "deploy large scale openvpn"
13:50 < wallydz> tried that already :P
13:50 < hyper_ch> define large scale openvpn
13:51 < wallydz> 5000 user per server
13:51 <@ecrist> you can't do that on a single instnace
13:51 <@ecrist> ~250 is the limit
13:51 < hyper_ch> he probably doesn't mean concurrently
13:51 <@Eugene> !scale
13:51 <@vpnHelper> "scale" is (#1) OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process. or (#2) Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto. or (#3) Both of these issues can be handled by running multiple server instances(on several IPs or ports) and having clients round-robin between them
13:51 <@ecrist> 200 is more realistic
13:51 < wallydz> i can run multi process on diffrence port
13:51 <@ecrist> yes, you can
13:51 <@Eugene> Patches to the factoid are welcome ;-)
13:52 < wallydz> but 250 per instance its like 20 instance lol
13:52 <@ecrist> yeah
13:53 <@ecrist> it's a locking/thread limit
13:53 <@ecrist> you *can* do more, but you shouldn't
13:53 < wallydz> no i will just keep the recommended limit
13:53 < wallydz> and add servers if needed
13:53 -!- kryo_ [~kryo@ip223.ip-5-135-108.eu] has quit [Quit: ARGHHH IT'S THE NETSPLIT!]
13:56 < wallydz> ecrist sorry to disturb again i found this https://forums.openvpn.net/topic11683.html the guy who talk about running 2000 client on some vm is he serious or it was just a joke
13:56 <@vpnHelper> Title: OpenVPN Support Forum How many openvpn clients can connect to openvpn server? : Testing branch (at forums.openvpn.net)
14:01 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
14:09 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
14:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:14 -!- mode/#openvpn [+v s7r] by ChanServ
14:27 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
14:30 < wallydz> !cluster
14:30 < wallydz> he dont know :(
14:31 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
14:31 -!- varsisstudio [44b33841@gateway/web/freenode/ip.68.179.56.65] has joined #openvpn
14:32 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
14:36 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
14:42 -!- mattock is now known as mattock_afk
14:43 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Read error: Connection reset by peer]
14:46 -!- varsisstudio [44b33841@gateway/web/freenode/ip.68.179.56.65] has quit [Quit: Page closed]
14:46 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
14:46 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
14:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
14:54 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
14:55 <@ecrist> wallydz: best I can offer is try it
14:55 <@ecrist> if it doesn't work right, start limiting connections
14:56 < wallydz> yeap good idea thx ecrist
14:58 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Remote host closed the connection]
15:05 -!- varsisstudio [44b33841@gateway/web/freenode/ip.68.179.56.65] has joined #openvpn
15:07 -!- varsisstudio [44b33841@gateway/web/freenode/ip.68.179.56.65] has quit [Client Quit]
15:24 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Remote host closed the connection]
15:27 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
15:29 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:35 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:47 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Ping timeout: 256 seconds]
15:54 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
16:00 -!- WhiteIntel [~quassel@88-117-127-38.adsl.highway.telekom.at] has joined #openvpn
16:01 < WhiteIntel> Hello, I have an ubuntu openvpn client (working fine), I configured a static route on my router, to access the vpn network over the client, but it is not working. The routing works fine, so what else do I have to check on my openvpn client?
16:08 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Ping timeout: 250 seconds]
16:09 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
16:10 -!- benighted [~adam@dhcp-1c-7e-e5-45-5c-af.cpe.wightman.ca] has quit [Quit: Leaving]
16:12 -!- soapee01 [~soapee01@65-36-104-170.dyn.grandenetworks.net] has quit [Ping timeout: 244 seconds]
16:15 <@dazo> !serverlan
16:15 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:15 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:15 <@dazo> !clientlan
16:15 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
16:15 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
16:15 <@dazo> WhiteIntel: ^^
16:16 < WhiteIntel> sorry you got me wrong: the client is able to communicate with the servers lan, but: in the network where the vpn client is running, I want to access the vpn server´s lan from an other client in my personal lan over the vpn client^^
16:17 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
16:18 <@dazo> ahh, okay ... probably iroute missing on the server
16:20 <@dazo> WhiteIntel: if you use tcpdump on the server side .... check if traffic from your LAN reaches first the tun/tap interface and then is forwarded further to your server side LAN
16:21 <@dazo> if you see the traffic going out on the server lan ... you might be missing the return route from the server lan to your client lan via the VPN
16:21 <@dazo> (that's a server lan configuration issue)
16:29 -!- WhiteIntel [~quassel@88-117-127-38.adsl.highway.telekom.at] has quit [Ping timeout: 240 seconds]
16:29 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 255 seconds]
16:54 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
16:56 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 255 seconds]
17:11 -!- marklite is now known as markelite
17:15 -!- micah [~micah@debian/developer/micah] has joined #openvpn
17:17 < micah> when I set the option 'fragment 1400' on the server (and the client also uses it), I'm no longer able to even ping the gateway, why is that?
17:35 -!- dazo is now known as dazo_afk
17:42 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:21 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
18:23 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has quit [Ping timeout: 255 seconds]
18:24 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
18:26 -!- novaflash is now known as novaflash_away
18:36 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 264 seconds]
18:44 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has joined #openvpn
18:46 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has joined #openvpn
18:48 < debbie10t> ###
18:48 < debbie10t> banned on -devel ?
18:49 < debbie10t> what a crock ..
18:50 -!- SJr [~sjr@S0106c43dc7a31386.vf.shawcable.net] has quit [Ping timeout: 255 seconds]
18:57 -!- debbie10t [~debbie10t@openvpn/community/support/debbie10t] has left #openvpn ["Leaving"]
19:01 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
19:15 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 258 seconds]
19:19 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
19:19 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:20 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:22 -!- novaflash_away is now known as novaflash
19:27 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 264 seconds]
19:28 -!- akurilin [~alex@208.185.21.146] has quit [Ping timeout: 264 seconds]
19:28 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has quit [Ping timeout: 256 seconds]
19:28 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
19:29 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
19:29 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
19:33 -!- Magiobiwan [IRC@unaffiliated/magiobiwan] has joined #openvpn
19:40 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
20:05 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
20:15 -!- krzie [d876ef17@openvpn/community/support/krzee] has joined #openvpn
20:15 -!- mode/#openvpn [+o krzie] by ChanServ
20:15 <@krzie> !factoids search linksys
20:15 <@vpnHelper> No keys matched that query.
20:16 <@krzie> !factoids search router
20:16 <@vpnHelper> "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
20:16 <@krzie> !factoids search static
20:16 <@vpnHelper> 'static', 'static_key_details', 'dlink_static_route', 'static-key', and 'statickey'
20:16 <@krzie> !dlink_static_route
20:16 <@vpnHelper> "dlink_static_route" is http://lizzi555.dyndns.org/655/StaticRoute.html for the workaround for issues adding static route into d-link router with A3 firmware
20:20 -!- krzie [d876ef17@openvpn/community/support/krzee] has quit [Quit: Page closed]
20:27 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
20:28 -!- felirami [uid46106@gateway/web/irccloud.com/x-qvrtaimvdkjbawod] has joined #openvpn
20:28 < felirami> !welcome
20:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:33 -!- felirami [uid46106@gateway/web/irccloud.com/x-qvrtaimvdkjbawod] has left #openvpn []
21:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
22:19 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
23:16 -!- ShadniX [dagger@p57941965.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:16 -!- irc_smirk [48f4aa6a@gateway/web/freenode/ip.72.244.170.106] has joined #openvpn
23:16 < irc_smirk> hello
23:16 < irc_smirk> can someoen explain what benefit openvpn has
23:16 < irc_smirk> does it hide your IP?
23:17 -!- ShadniX [dagger@p5481D88F.dip0.t-ipconnect.de] has joined #openvpn
23:19 < irc_smirk> hello?
23:28 -!- varsisstudio [~varsisstu@104.207.136.9] has joined #openvpn
23:32 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
23:32 < varsisstudio> Anyone good with bsd's pf? I am trying to have my desktop connected to a vpn via client and be allowed to have a service running such as ssh or filesharing ect...
23:33 < varsisstudio> (I looked into route-to,reply-to but I could not find much for documentation on these mostly just the docs in the man pages)
23:39 -!- CivisUS [~CivisUS@208.80.0.1] has joined #openvpn
23:40 < CivisUS> Hello, I am pulling my hair out trying to figure this problem out. I have an OpenVPN Server setup and I am trying to connect a Linux  client. The client connects fine and I can access the subnets I configured, however I cannot access the client from any of the subnets I configured. If I pull the client up on my mac or my windows PC I can access it just fine. Anyone smarter than I have any thoughts?
23:51 -!- irc_smirk [48f4aa6a@gateway/web/freenode/ip.72.244.170.106] has quit [Ping timeout: 246 seconds]
23:59 <@Eugene> Sounds like a textbook firewall problem
--- Day changed Tue Nov 18 2014
00:14 < CivisUS> On which node? I don't have a firewall enabled on the Linux client. And if it was a server problem then wouldn't I see the same problem from the Mac client?
00:45 -!- u0m3_ [~u0m3@92.80.107.91] has quit [Read error: Connection reset by peer]
00:45 -!- u0m3_ [~u0m3@92.80.107.91] has joined #openvpn
00:56 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
01:07 -!- mattock_afk is now known as mattock
01:23 -!- crus` [~crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has joined #openvpn
01:52 -!- u0m3 [~u0m3@92.80.100.69] has joined #openvpn
01:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:54 -!- u0m3_ [~u0m3@92.80.107.91] has quit [Ping timeout: 255 seconds]
02:09 -!- Chais [~Chais@80.110.97.57] has quit [Quit: ZNC - http://znc.in]
02:10 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
02:37 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Remote host closed the connection]
02:41 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
02:42 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
02:42 -!- mode/#openvpn [+v RBecker] by ChanServ
02:42 < hyper_ch> krzee: converting my stuff now to that password manager... setup a small git repo on my home server :)
02:42 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
02:49 < pppingme> CivisUS if only one client exhibits the issue, then its something on that client, the symptoms you describe just scream firewall, especially considering other clients don't have the issue
03:17 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
03:17 -!- s7r_k [~s7r@openvpn/user/s7r] has joined #openvpn
03:17 -!- mode/#openvpn [+v s7r_k] by ChanServ
03:17 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 264 seconds]
03:23 -!- u0m3_ [~u0m3@92.80.65.59] has joined #openvpn
03:24 -!- u0m3 [~u0m3@92.80.100.69] has quit [Ping timeout: 244 seconds]
03:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
03:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
04:02 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
04:10 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 255 seconds]
04:19 < hyper_ch> Eugene: found a solution for git/pass on droid :)
04:32 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
04:35 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
04:35 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:41 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
04:45 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
04:52 -!- jspiros [jspiros@ip-212-017.oberlin.net] has joined #openvpn
04:52 < jspiros> I have a script that I would like to run once my connection is finished configuration and is now working
04:53 < jspiros> if I do it manually, it works fine if I wait for "Initialization Sequence Completed"
04:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:53 < jspiros> and then run it manually
04:53 < jspiros> but, if I try using route-up or up options to have openvpn run it for me, it doesn't seem to work
04:53 < jspiros> for whatever reason, even if it's the very last thing run by my route-up script (I am using a route-up script to do some routing configuration), it doesn't seem to work
04:54 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
04:54 < jspiros> and by "doesn't seem to work", I mean, my script tries to access things over the vpn connection, and times out
04:54 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Read error: Connection reset by peer]
04:54 < jspiros> my best guess, and mind you I am not an expert at this, is that the routing tables aren't "flushed" or made active or something until after the route-up script exits, and "Initialization Sequence Completed" is printed...
04:55 < jspiros> anyway, any suggestions would be appreciated :)
04:55 < jspiros> I'm at the point where I'm considering writing my script as a wrapper to ovpn that just waits until it sees "Initialization Sequence Completed" in its output and then runs the code I care about, but that seems a bit silly
04:57 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
05:06 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
05:06 -!- mode/#openvpn [+v RBecker] by ChanServ
05:09 -!- ACKNAK [~regolith@79.133.97.154] has joined #openvpn
05:11 -!- s7r_k is now known as s7r
05:12 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:28 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
05:37 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 265 seconds]
05:38 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
05:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
05:40 -!- havingFun is now known as xrosnight
05:53 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
05:55 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
05:56 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:01 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 272 seconds]
06:01 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:02 < hyper_ch> krzee: ha, I got "pass" to work on my android... basically I had to install lil debian to get a debian chroot... be sure to use testing release as stable doesn't have pass in the repos yet for arm
06:03 < hyper_ch> then install git pass, initialize the pass directory
06:03 < hyper_ch> copy over your gpg key to the chroot
06:03 < hyper_ch> and then just clone the repo :)
06:03 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has joined #openvpn
06:04 < hyper_ch> tried to get to run gpg-agent also but that didn't work
06:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:10 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has quit [Ping timeout: 255 seconds]
06:18 -!- busch [~busch@datenschleuder.com] has joined #openvpn
06:24 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has joined #openvpn
06:31 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has quit [Quit: Searching for Waimea]
06:32 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has joined #openvpn
06:37 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has quit [Client Quit]
06:38 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has joined #openvpn
06:40 -!- Latrina [~Latrina@adsl-ull-57-221.50-151.net24.it] has quit [Ping timeout: 255 seconds]
06:42 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Remote host closed the connection]
06:42 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
06:42 -!- Latrina [~Latrina@151.56.175.30] has joined #openvpn
06:44 -!- TyrfingMjolnir [~Tyrfing@167.220.226.4] has quit [Ping timeout: 256 seconds]
06:48 -!- debbie10t [~debbie10t@unaffiliated/m10t] has joined #openvpn
06:52 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
06:59 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
07:06 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 245 seconds]
07:08 -!- u0m3_ [~u0m3@92.80.65.59] has quit [Ping timeout: 265 seconds]
07:12 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
07:20 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
07:25 -!- u0m3 [~u0m3@92.80.93.157] has joined #openvpn
07:28 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
07:28 -!- Latrina [~Latrina@151.56.175.30] has quit [Ping timeout: 255 seconds]
07:29 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
07:30 -!- Latrina [~Latrina@adsl-ull-113-193.50-151.net24.it] has joined #openvpn
08:06 -!- u0m3_ [~u0m3@92.80.86.86] has joined #openvpn
08:07 -!- u0m3 [~u0m3@92.80.93.157] has quit [Ping timeout: 255 seconds]
08:46 -!- dazo_afk is now known as dazo
09:17 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Ping timeout: 265 seconds]
09:19 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 250 seconds]
09:25 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
09:26 <@Eugene> hyper_ch - shiny! Still insane, but hey, your device ;-)
09:29 < hyper_ch> it's good to have debian on your phone...
09:29 < hyper_ch> and giting it all works fine
09:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:50 -!- ACKNAK [~regolith@79.133.97.154] has quit [Quit: Leaving]
10:01 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
10:08 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
10:14 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:16 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:16 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
10:17 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:17 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
10:18 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
10:18 -!- JZA [Elite11306@gateway/shell/elitebnc/x-hjsljohvgmtqdkkq] has joined #openvpn
10:18 -!- JZA [Elite11306@gateway/shell/elitebnc/x-hjsljohvgmtqdkkq] has left #openvpn ["Konversation terminated!"]
10:30 -!- justinzane [~justinzan@67.21.190.132] has quit [Remote host closed the connection]
10:30 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
10:34 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
10:45 -!- justinzane [~justinzan@67.21.190.132] has quit [Remote host closed the connection]
10:45 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
10:46 -!- barbababa [~barbababa@a88-115-205-61.elisa-laajakaista.fi] has joined #openvpn
10:48 -!- Karou [~smuxi@unaffiliated/karou] has joined #openvpn
10:48 < Karou> yooo
10:49 < hyper_ch> seems your "o" key is broken
10:50 < Karou> lol
10:54 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:54 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:55 < Karou> anyways, i've got a debian server at home, I'm looking to setup a ovpn server so i can tunnel all of my internet traffic through it
10:55 < hyper_ch> sounds like a good idea
10:59 < Karou> so all i need to add to the standard config is server-bridge
10:59 < Karou> yeah?
10:59 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:00 < hyper_ch> if all clients should have rerouted all traffic through you, you just use
11:00 < hyper_ch> !def1
11:00 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
11:00 < hyper_ch> no idea what you mean with server bridge
11:00 < hyper_ch> !confgen
11:00 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ or (#3) you must run this in bash
11:03 < Karou> push "redirect-gateway"
11:03 < Karou> yeah?
11:03 < hyper_ch> yes, that will add default routes to the clients
11:03 < hyper_ch> which will push all traffic through the vpn
11:09 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
11:10 < hyper_ch> Karou: something like this:  http://paste.debian.net/132353/
11:12 < hyper_ch> although I think line 29 could be omited
11:14 -!- Karou [~smuxi@unaffiliated/karou] has quit [Ping timeout: 245 seconds]
11:22 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
11:23 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:23 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Client Quit]
11:23 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:25 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Client Quit]
11:25 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:28 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:34 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
11:38 -!- Karou [~smuxi@unaffiliated/karou] has joined #openvpn
11:38 < Karou> so
11:38 < Karou> uh
11:38 < Karou> can i make it so i don't need any authentication?
11:38 < Karou> nothing secure is going through the network
11:38 < hyper_ch> authentication?
11:38 < hyper_ch> just make client certs without password
11:39 < Karou> but
11:39 < Karou> that takes time
11:39 < Karou> XD
11:39 < Karou> meh
11:39 < hyper_ch> how many certs do you need to create?
11:39 < Karou> i'll fire up easy rsa again
11:39 < Karou> 1
11:39 < Karou> lol
11:39 < hyper_ch> easy-rsa makes it quick
11:39 < hyper_ch> well, you need server cert I think
11:39 < hyper_ch> well, maybe not
11:39 < hyper_ch> not sure
11:44 < debbie10t> Follow this:
11:44 < debbie10t> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
11:44 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
11:44 < debbie10t> and remove the key
11:44 < debbie10t> clear text
11:47 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
12:01 < Karou> okay
12:01 < Karou> one last thing
12:02 < Karou> my server starts, but doesn't allow connections from ips outside of 192.168.1.*
12:02 < Karou> how do i get around that?
12:04 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Disconnected by services]
12:04 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
12:04 < debbie10t> did you check you firewall .....
12:04 < Karou> yeah
12:05 < _FBi> what device is it on?
12:05 < Karou> _FBi what do you mean?
12:05 < _FBi> external IP device?
12:05 < Karou> yeah
12:05 < _FBi> are you ising IPv6 to connect?
12:05 < Karou> no
12:05 < Karou> also its failing at the tls handshake
12:06 < _FBi> server is tls 0 and clients are tls 1
12:07 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
12:07 < debbie10t> still sounds like a firewall .. did u forward the right port for your server ?
12:08 < _FBi> ^
12:08 < _FBi> it does sound like a firewall issue
12:09 < Karou> idk, last time i had some weird fucky problem
12:11 < _FBi> well, unfuck yourself haha
12:11 < Karou> i had a server running ages
12:11 < Karou> aog*
12:11 < Karou> ago
12:11 < Karou> ;-;
12:11 < Karou> school
12:11 < Karou> my mind
12:11 < Karou> don't mix
12:12 < debbie10t> do you know how to forward the server port ?
12:12 < Karou> debbie10t: yes
12:13 < Karou> i've been doing server admin for like 5 years
12:13 < debbie10t> so did you check your firewall log to see that it is forwarding the incoming packets to the server ?
12:13 < Karou> mhmm
12:14 < debbie10t> did you run wireshark or tcpdump to see the incoming packet ?
12:16 < debbie10t> is it proto tcp or udp ?
12:20 < _FBi> iptables -T or -L  whatever one tells you the rules that are set
12:25 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:35 -!- CivisUS [~CivisUS@208.80.0.1] has quit [Quit: Textual IRC Client: www.textualapp.com]
12:36 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Ping timeout: 258 seconds]
12:37 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 256 seconds]
12:41 -!- khaldrogox [~anonymous@66-87-119-111.pools.spcsdns.net] has joined #openvpn
12:42 -!- Karou [~smuxi@unaffiliated/karou] has quit [Ping timeout: 255 seconds]
12:42 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 245 seconds]
12:43 -!- CivisUS [~CivisUS@73.3.189.197] has joined #openvpn
12:43 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
12:44 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
12:45 -!- khaldrogox [~anonymous@66-87-119-111.pools.spcsdns.net] has quit [Read error: Connection reset by peer]
12:46 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:47 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
12:58 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
12:58 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Max SendQ exceeded]
13:00 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
13:01 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
13:01 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
13:03 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:03 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 272 seconds]
13:08 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
13:15 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Disconnected by services]
13:15 -!- shio [marmot@102.188.103.84.rev.sfr.net] has joined #openvpn
13:20 < esde> sudo iptables -t nat -L to list all nat rules
13:20 < hyper_ch> krzee: ecrist: dazo:  https://www.schneier.com/blog/archives/2014/11/a_new_free_ca.html
13:20 <@vpnHelper> Title: Schneier on Security: A New Free CA (at www.schneier.com)
13:20 < debbie10t> iptables-save .. surely
13:21 < esde> RE: SSL Cert's https://bugzilla.mozilla.org/show_bug.cgi?id=647959
13:22 <@vpnHelper> Title: 647959 Add Honest Achmed's root certificate (at bugzilla.mozilla.org)
13:22 <@dazo> hyper_ch: nice!  However, how is it with their CA certs?  When will they be implemented in all the browsers?
13:22 <@plaisthos> I like honest Achmed! :)
13:22 < esde> "Arriving Summer 2015"
13:23 < esde> still a ways off
13:23 <@dazo> ecrist: hahaha!  Organizational type: Individual (Achmed, and possibly his cousin Mustafa, who knows a bit about computers).
13:23 < hyper_ch> dazo: not sure, but the names behind it - EFF, Mozilla, Cicso, Akamai, Michi. Uni sounds like it'll be added to the browsers soon
13:24 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
13:24 <@dazo> hyper_ch: once they do ... then this is really a cool thing!  As long as they can handle cert signing better than DigiCert ;-)
13:24 <@dazo> or do I mix digicert with another digi-something?  (it was a dutch company at least)
13:25 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
13:25 < hyper_ch> dazo: well, just found the article and bookmarked it :) thought it might be of interest :)
13:25 <@dazo> DigiNotar!
13:25 <@dazo> :)
13:25 < hyper_ch> well, it'll go live next summer...
13:26 <@dazo> once it does .... :)
13:26 < hyper_ch> dazo: https://letsencrypt.org/howitworks/technology/
13:26 <@vpnHelper> Title: Technology (at letsencrypt.org)
13:26 < hyper_ch> can you read that and explain it to me? :)
13:29 < esde> .
13:31 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:38 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 256 seconds]
13:44 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
13:44 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:50 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:59 <@dazo> hyper_ch: sorry, my brain capacity is too low now to completely grasp it ... but there's an rfc draft too https://github.com/letsencrypt/acme-spec
13:59 <@vpnHelper> Title: letsencrypt/acme-spec · GitHub (at github.com)
14:00 <@dazo> (text + html files uploaded too)
14:10 < hyper_ch> dazo: but but but... you're almost as knowledgable as krzee :)
14:10 < hyper_ch> how can you say brain-overflow?
14:10 <@dazo> hyper_ch: let me emphasize "almost" ;-)
14:10 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
14:50 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
14:59 -!- mattock is now known as mattock_afk
15:02 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
15:05 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:28 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:35 <@krzee> lol
15:37 < hyper_ch> krzee is awake
15:38 -!- Latrina [~Latrina@adsl-ull-113-193.50-151.net24.it] has quit [Ping timeout: 264 seconds]
15:39 -!- Latrina [~Latrina@ppp-176-14.26-151.libero.it] has joined #openvpn
15:55 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
16:10 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
16:10 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Client Quit]
16:14 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:37 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 256 seconds]
16:48 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
16:48 -!- mode/#openvpn [+v RBecker] by ChanServ
17:07 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:14 -!- hyper_ch [~hyper_ch@81.4.108.20] has quit [Ping timeout: 244 seconds]
17:16 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
17:21 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:23 -!- c0ded [~c0ded@unaffiliated/c0ded] has left #openvpn []
17:23 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:39 -!- debbie10t [~debbie10t@unaffiliated/m10t] has left #openvpn ["Leaving"]
17:51 -!- Droolio [~drool@host109-148-173-191.range109-148.btcentralplus.com] has joined #openvpn
17:56 -!- dazo is now known as dazo_afk
18:03 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:24 -!- justinzane [~justinzan@67.21.190.132] has quit [Remote host closed the connection]
18:24 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
18:38 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:f881:b511:13ef:44e4] has quit [Read error: Connection reset by peer]
18:49 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 240 seconds]
18:52 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:589:97ab:f9d4:de4e] has joined #openvpn
19:00 -!- khaldrogox [~anonymous@64.13.138.81] has left #openvpn []
19:30 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:589:97ab:f9d4:de4e] has quit [Read error: Connection reset by peer]
19:48 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b500:6f76:7d93:afb9] has joined #openvpn
19:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
19:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:59 < _FBi> !tor
20:04 <@krzee> _FBi, whats your question?
20:04 <@krzee> tor is pretty unrelated to openvpn...
20:04 < _FBi> dumb person question hah
20:06 <@krzee> its ok, fire away
20:06 <@krzee> nobody else asking anything...
20:07 < _FBi> I would like a server to run tor, so when I connect to OpenVPN I'm on TOR outgoing
20:08 <@krzee> 2 separate issues
20:08 < _FBi> dang
20:08 <@krzee> if the server defaults its outbound traffic over tor, then it should work
20:08 <@krzee> i said 2 separate issues, not that it cant be done
20:08 <@krzee> just gotta make sure the outbound traffic goes over tor, then route the client through it
20:08 < _FBi> haha, and not that I won't try blindlessly
20:09 <@krzee> ive never setup tor on a server so i dont know how it'll work really
20:09 < _FBi> me either
20:09 < _FBi> I'm basically going to torify it... hopefully I'm using the term correctly
20:09 < _FBi> I'll let you know how I make out
20:09 <@krzee> also, blindlessly?
20:09 < _FBi> maybe sign you a cert to my new mother russian server haha
20:09 <@krzee> :D
20:10 <@krzee> maybe? :-p
20:10 < _FBi> :(
20:10 < _FBi> if it works out
20:10 < _FBi> other wise, what's the point lol
20:11 <@krzee> well seeing as i have 5 russian nodes currently, i guess you have a point
20:11 <@krzee> haha
20:11 < _FBi> chaining?
20:12 <@krzee> nah a user i helped long ago hooked me up with an account
20:12 < _FBi> nice of him
20:12 <@krzee> his service has like 7 russian nodes, i have 5 i dont use anywhere
20:13 < _FBi> I just bought one, they mailed me amy root password....  I was thinking 'the fuck
20:13 < _FBi> no, I'll install my own OS thanks
20:13 <@krzee> bought one what?
20:14 < _FBi> RU server
20:14 <@krzee> oh nice
20:44 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
20:45 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
21:28 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
21:40 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:01 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 245 seconds]
22:07 -!- misterma_ [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
22:08 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
22:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:10 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 264 seconds]
22:19 -!- Droolio [~drool@host109-148-173-191.range109-148.btcentralplus.com] has quit [Ping timeout: 244 seconds]
22:43 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
22:43 -!- CivisUS [~CivisUS@73.3.189.197] has quit [Quit: Textual IRC Client: www.textualapp.com]
22:47 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
22:55 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
23:03 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 240 seconds]
23:15 -!- ShadniX [dagger@p5481D88F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:18 -!- ShadniX [dagger@p5481CC90.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Wed Nov 19 2014
00:16 -!- mattock_afk is now known as mattock
00:18 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
00:25 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 240 seconds]
00:27 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
00:44 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
00:46 -!- crus` [~crusader@CPE-121-211-80-56.hhui5.cht.bigpond.net.au] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
00:54 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 272 seconds]
01:46 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:46 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:49 < hyper_ch> so, I freed myself now from LastPass
01:50 < _FBi> oh
01:51 < hyper_ch> well, I was told about password-store the other day... player around with it a bit... even made it sync with android (had to install  lil'debian though)...
02:05 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
02:17 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
02:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:30 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
02:44 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
02:48 -!- jspiros [jspiros@ip-212-017.oberlin.net] has left #openvpn []
02:51 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
03:22 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:24 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Client Quit]
03:25 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Remote host closed the connection]
03:31 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
03:42 -!- nullie [~nullie@li732-95.members.linode.com] has joined #openvpn
03:43 < nullie> !welcome
03:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:43 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:43 < nullie> !paste
03:43 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
03:44 < nullie> !route
03:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
03:44 <@vpnHelper> client
03:51 < nullie> Hello. I want to forward all my traffic via remote gateway. I have this config on local site: https://gist.github.com/anonymous/ae53d343f985bc81b0b9 . I
03:51 <@vpnHelper> Title: gist:ae53d343f985bc81b0b9 (at gist.github.com)
03:51 < nullie> 'm using openvpn gui on windows. "route" directives don't seem to work. What should I do?
03:53 < nullie> with log and public config https://gist.github.com/anonymous/984d244aef261a82b099
03:54 <@vpnHelper> Title: Local client log (at gist.github.com)
03:57 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
04:01 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Client Quit]
04:07 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
04:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:12 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
04:13 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Remote host closed the connection]
04:16 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
04:17 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 240 seconds]
04:22 < _FBi> in the manual for OpenVPN you have user nobody group nobody, but it should be user nobody group nogroup
04:22 < _FBi> boom, I helped!
04:25 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
04:28 < nullie> nobody should be group of user nobody
04:29 < nullie> but it's nogroup, heh
04:32 -!- SlutaTramsa [~SlutaTram@unaffiliated/slutatramsa] has left #openvpn ["Leaving"]
04:34 -!- val3ntin [~Valentin@ipservice-092-210-026-153.092.210.pools.vodafone-ip.de] has joined #openvpn
04:35 < val3ntin> !welcome
04:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:36 < val3ntin> !howto
04:36 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
04:39 < val3ntin> !route
04:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
04:39 <@vpnHelper> client
04:40 < val3ntin> !tcpip
04:40 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
04:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
04:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:54 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
04:56 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
05:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:44 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 264 seconds]
05:54 -!- dazo_afk is now known as dazo
06:01 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
06:20 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 250 seconds]
06:25 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
06:26 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:28 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
06:28 -!- mode/#openvpn [+v RBecker] by ChanServ
06:31 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
06:54 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
06:56 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:09 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
07:12 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:15 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 255 seconds]
07:22 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
07:22 -!- mode/#openvpn [+v RBecker] by ChanServ
07:22 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
07:22 < ib54003> hey is how can i create a 4096 bit ta.key with openvpn?
07:23 < esde> 1sec
07:24 < esde> I'd like to know too, but never found an answer. I'm hunting for an answer now
07:24 < ib54003> ok
07:24 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:25 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:28 < esde> everything i can find just shows "openvpn --genkey --secret ta.key" and I'm not finding anything that shows how to specify bit size :(
07:29 < ib54003> esde: me too  ;)
07:30 < esde> type openvpn --help  and look at "Generate a random key (only for non-TLS static key encryption mode):" there aren't any options for bit size :(
07:31 < esde> Maybe someone else can chime in with another way to generate a key that is larger than 2048 bits
07:38 < ib54003> ok
07:42 < esde> I might have found something useful
07:42 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
07:42 < esde> look at /etc/ssl/openssl.conf around line 106
07:42 < esde> on mine default bits is 2048, which is the size of ta.key
07:43 < esde> maybe edit that to the desired size, run the command to generate ta.key again, and ?????? PROFIT
07:43 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 244 seconds]
07:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 272 seconds]
07:52 < ib54003> what is the most secure cipher at the moment TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384?
07:55 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:00 < pekster> !hardening
08:00 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
08:00 < pekster> ib54003: See that
08:00 -!- markelite [croftworth@gateway/shell/yourbnc/x-ukaaxwtagvpswmug] has quit [Ping timeout: 272 seconds]
08:03 < ib54003> ok so no support for " Today, OpenVPN does not support TLS-ECDHE-* or more exotic cipher-suites as there is no elliptic curve support currently. "
08:03 < ib54003> right?
08:03 < ib54003> so the most secure cipher at the moment should be TLS-DHE-RSA-WITH-AES-256-GCM-SHA384?
08:09 < esde> That's how I read it
08:11 <@plaisthos> epends if you trust eliptic curve or tradiotional RSA more
08:12 <@plaisthos> if you use the master version you have EC support
08:15 < ib54003> how can i define the cipher in the config file? (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
08:16 -!- marklite [croftworth@gateway/shell/yourbnc/x-jhbojlzwwrldpcmb] has joined #openvpn
08:16 < esde> you can't define that as "cipher"
08:16 < esde> just as "tls-cipher"
08:17 < esde> but it sounds like you'd need to build from source to get that functionality
08:18 < ib54003> i don't think so
08:18 < ib54003> openvpn --show-tls
08:18 < ib54003> Available TLS Ciphers,
08:18 < ib54003> listed in order of preference:
08:18 < ib54003> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
08:22 < esde> What version of openvpn are you running?
08:23 -!- bewees [~philipp@46.115.7.111] has joined #openvpn
08:23 < esde> im on 2.3.5 and that cipher is at the top for me too, now that i check
08:24 -!- mattock is now known as mattock_afk
08:25 < ib54003> 2.3.2
08:26 < esde> Only way to know for sure is to give it a shot! :)
08:28 < bewees> hi
08:29 < bewees> can i setup openvpn using VMs? (Just want to learn how openvpn works)
08:29 < ib54003> its not working for me if i set--tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
08:29 <@plaisthos> ib54003: yeah
08:29 <@plaisthos> you probably need master for that
08:29 < esde> bewees, yeah definietly
08:29 <@plaisthos> tls-ciphers lists all ciphers known to polar/oepnssl
08:30 < esde> definitely*
08:30 < ib54003> ok
08:30 < bewees> esde, Good to know thanks
08:30 < bewees> My VMs eth0 is 192.168.10.20/24. In /etc/openvpn/tun0.conf I would not write 192.168.10.20, but an IP from a different subnet?
08:31 < esde> why tun0.conf?
08:31 < esde> If you're going off of a guide, can you please link it?
08:31 < bewees> esde, I follow debian's openvpn documentation: https://wiki.debian.org/OpenVPN#Installation
08:31 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
08:31 < esde> right
08:32 < esde> like 10.8.0.0
08:32 < bewees> Thanks I try that
08:32 < esde> wait one
08:33 < esde> that guide doesn't discuss tls auth at all
08:33 < esde> see !hardening for details on how to enable tls-auth too. it'll provide more security than the configuration in that guide
08:34 < bewees> !hardening
08:34 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
08:34 < esde> oh and tls-cipher :)
08:35 < esde> oh crap it did, it just calls it staic.key. im sorry.
08:35 < esde> :(
08:35 < esde> im used to seeing ta.key
08:42 < bewees> Hm, how can I verify that my client now gets the ip 10.9.8.2
08:43 < bewees> I tried to ssh to another VM and checked the connected IP with `who -a` but that shows not 10.9.8.2, but the VMs switch IP
08:43 -!- ib54003 [~ib54003@fedora/ib54003] has left #openvpn ["Verlassend"]
08:47 -!- lavamind [~jcharaoui@206.167.119.5] has joined #openvpn
08:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 245 seconds]
08:50 -!- bewees [~philipp@46.115.7.111] has quit [Ping timeout: 240 seconds]
08:51 -!- bewees [~philipp@46.115.178.29] has joined #openvpn
08:51 < bewees> Sorry disconnected. Did you read my last message?
08:51 < lavamind> hello, setting up an openvpn server in routing mode on Debian, works great on other Debian systems but can't ping 10.8.0.1 when using Mac or Windows
08:52 < lavamind> however if I add a the redirect-gateway option, then the other platforms work
08:53 < lavamind> the firewall is completely disabled, also :p
08:53 < bewees> I tried to capture also icmp packets on the second VM send by my Host and the second VM again doesn't receive the packets from 10.9.8.2, but from 192.168.10.100 (switch ip) :S
08:54 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
08:56 < lavamind> server conf: http://paste.debian.net/132523/ -- client conf: http://paste.debian.net/132525/
09:00 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
09:01 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:03 -!- bewees [~philipp@46.115.178.29] has quit [Ping timeout: 244 seconds]
09:08 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
09:12 -!- bewees [~philipp@46.115.178.29] has joined #openvpn
09:14 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
09:14 -!- mode/#openvpn [+v s7r] by ChanServ
09:17 < bewees> What is the localegateway_IP?
09:17 < bewees> "ip route add VPNSERVER_IP via LOCALGATEWAY_IP dev eth0  proto static"
09:21 <@ecrist> it's whatever your local gateway is
09:26 < bewees> Hm, I assume my local gateway is my vde switch 192.168.10.100 then
09:29 < bewees> Host{usb0(DHCP IP to android AP for internet 192.168.42.139);tap1(192.168.10.101); tap0(192.168.10.100; vde_switch(node1(192.168.10.10; openvpn client tun0 10.9.8.3); node2(192.168.10.20; openvpn server tun0 10.9.8.1))}
09:30 < bewees> openvpn server is setup on node2 and client is on node1. I tried to send icmp packets to tap0 on the Host, but the ip is not from the openvpn server but the eth0 NIC from node1
09:46 -!- bewees [~philipp@46.115.178.29] has quit [Ping timeout: 244 seconds]
09:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-yzttsggppffrnkks] has joined #openvpn
09:54 < val3ntin> Hi, do you know why I get on openvpn client "Bad LZO decompression header byte: 0
09:54 < val3ntin> " ?
09:54 <@ecrist> sounds like one end is expecting LZO, and the other doesn't use it
09:57 < val3ntin> @ecrist it's weird because on the Windows client I can connect, and only on the Ubuntu client I get this error
09:58 -!- misterma_ [~mistermaj@unaffiliated/mistermajestic] has quit []
10:00 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
10:00 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Max SendQ exceeded]
10:01 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
10:05 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
10:05 <@ecrist> does the ubuntu client have lzo enabled?
10:06 < andi> Hi, do I need to think of anything special when I like to connect a Windows 7 openvpn client to a openvpn server which uses a server-bridge setup?
10:06 < andi> I'm able to connect the client but I'm unable to ping any host within the vpn.
10:08 < val3ntin> @ecrist yes, both clients have comp-lzo enabled
10:12 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
10:12 < nullie> esde, you don't need 2048bit shared key
10:13 < nullie> esde, it's not asymmetric cryptography
10:13 < esde> waaaaaat
10:16 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
10:17 < nullie> preshared key is like password, even 256 bit will take forever to guess
10:18 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
10:18 < nullie> on the other hand, hmm
10:18 < nullie> openvpn doesn't use it like password, okay
10:20 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
10:27 < lavamind> andi, I have a similar problem using a routed setup
10:27 < lavamind> andi, if I push redirect-gateway option, it works...
10:28 < lavamind> are you able to ping the VPN server itself, ie. ping 10.8.0.1
10:38 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:44 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
10:46 -!- Uber-Ich [~anakata@unaffiliated/uber-ich] has joined #openvpn
10:48 < andi> My problem was a client version problem. I just installed the newest client and everything is working.
10:59 < lavamind> I'm using 2.2.1 as server and 2.3.5 as client
11:00 < Uber-Ich> Has anyone ever heard of their ISP blocking openvpn connections?
11:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
11:16 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
11:17 < wkd> I'm having a problem I can't figure out, openvpn is assigning both clients in the office the same ip address, it's just for a laptop and desktop for the same user so I just used one cert for both clients.. how to I change that?
11:22 < pekster> !dupe
11:22 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
11:22 < pekster> Best not to share keypairs, although you can if you really want. Separate certs allows you to revoke just one if a single device is lost/compromised, so there's a benefit too
11:24 < wkd> I will definitely do something about that soon... does the cert have anything to do with the ip being assigned?
11:24 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 258 seconds]
11:25 < pekster> No, but if you didn't read/follow the info above, you'll kick the first client off when a dupe connects and default allocation uses the first-free IP in the pool
11:25 < pekster> That, or you're doing !static IP config and used a duplicate IP there
11:28 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
11:28 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
11:29 < wkd> I didn't set it up to assign static, so I'm guessing the duplicate is kicking the user off thats probably with once or twice a day my samba mount disconnects and I have to reconnect openvpn
11:31 < wkd> I remember seeing a flag during setup for allowing duplicate certs... probably something i should of switched for this setup
11:36 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 240 seconds]
11:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:50 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
12:06 -!- zeam [~Zeam@rrcs-97-78-113-36.se.biz.rr.com] has joined #openvpn
12:16 -!- Uber-Ich [~anakata@unaffiliated/uber-ich] has quit [Quit: leaving]
12:20 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
12:30 -!- Braziercustoms [~jbrazier@providenceindustrial.com] has joined #openvpn
12:32 < lavamind> hello, setting up an openvpn server in routing mode on Debian, works great on other Debian systems but can't ping 10.8.0.1 when using Mac or Windows, although they work if I push the redirect-gateway option (server conf: http://paste.debian.net/132523/, client conf: http://paste.debian.net/132525/) -- thanks!
12:35 < Braziercustoms> Hi, I am using openvpn --config [file]    but I want to do it remotely.. however I am connected to my direct IP via port 5909.. how can I do this without being disconected?  running on linux mint
12:36 -!- zeam [~Zeam@rrcs-97-78-113-36.se.biz.rr.com] has left #openvpn []
12:37 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
12:44 < DArqueBishop> lavamind: posting a log excerpt from one of the afflicted clients would help as well.
12:47 < lavamind> DArqueBishop, will do, thanks
12:47 <@dazo> !logs
12:47 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:48 -!- phunyguy [vortex@unaffiliated/phunyguy] has quit [Changing host]
12:48 -!- phunyguy [vortex@ubuntu/member/phunguy] has joined #openvpn
12:49 <@dazo> Braziercustoms: if you cut the branch you're sitting on, you will fall down, no matter how you cut the branch.  You need to sit on the part of the branch which is not going to fall down.
12:51 < Braziercustoms> ok.. I didn't know if I could tell it to leave a specific port open or what..
12:51 -!- phunyguy [vortex@ubuntu/member/phunguy] has quit [Changing host]
12:51 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
12:51 < Braziercustoms> dazo, openvpn is new to me :/
12:52 <@dazo> Braziercustoms: VPN is kind of like a (virtual) network cable ... when kill it, you unplug the virtual cable
12:52 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 245 seconds]
12:53 < Braziercustoms> dazo, I see lport and other port options, but didn't know how they were used..
12:54 <@dazo> that defines which ports are being used when it connects to the remote side, or which ports to listen to (server side)
12:54 <@krzee> !vpn
12:54 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
12:55  * dazo remembers probably only 1/10 of the stuff vpnHelper knows ....
12:55  * krzee pets vpnHelper 
12:56 <@krzee> muhaha
12:56 <@dazo> :)
12:58 < Braziercustoms> dazo, :/ ok.. I understand what vpn is, I just didn't know if you could set it up to still use local ports for other connections..
12:58 < Braziercustoms> lol @ krzee
12:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
12:59 <@dazo> you can ... but it sounded like you wanted to restart the connection you where connected through, which would break your possibilities to fix issues
12:59 <@dazo> (unless you have another entrance available)
13:01 < Braziercustoms> dazo, no, but can I start the vpn connection, leaving my current connection intact?
13:01 <@dazo> you can start as many openvpn connections you want on separate ports in parallel, yes ... but the tunnels (--ifconfig) should have different subnets, to avoid routing conflicts
13:02 <@dazo> --ifconfig or --server statements, that is
13:05 <@krzee> Braziercustoms, if you're asking if it will redirect your internet over the vpn, it depends on your config
13:05 <@krzee> if using redirect-gateway, yes
13:06 < Braziercustoms> dazo, ah man.. I know how to do some things with separate networks, and using virtual net adapters, but using vpn also, idk...
13:06 <@krzee> Braziercustoms,
13:06 <@krzee> !goal
13:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:06 <@dazo> Braziercustoms: basically ... one openvpn process == one tun/tap adapter == one subnet
13:07 <@dazo> (tun/tap adapters are virtual network adapters)
13:08 < Braziercustoms> krzee GOAL: to start vpn service for p2p, without losing my remote connection to the server on port 5909, or still be able to re-connect after starting openvpn.
13:09 < Braziercustoms> dazo, ah.. so im confused bout one thing..
13:09 <@krzee> sdoes the new connection  you're going to make redirect its gateway?
13:09 < Braziercustoms> dazo I have two net adapters. if I don't specify which one is it starting on?
13:10 <@krzee> Braziercustoms, you may, with --local
13:10 <@dazo> Braziercustoms: --dev tun or --dev tap will automatically create the virtual adapter
13:10 <@krzee> otherwise it starts on * but you may have issues using other adapters unless in linux and using --multihome
13:10 <@krzee> otherwise it'll always respond via default route
13:10 < Braziercustoms> krzee, gateway redirect, I'm not sure, let me check the config..
13:10 <@krzee> Braziercustoms, post the config
13:11 <@krzee> (no commented lines)
13:14 < Braziercustoms> krzee, yes, gateway redirect.
13:16 < Braziercustoms> krzee http://pastebin.com/NKnyCVHt
13:16 <@krzee> then it will break your connection
13:16 <@krzee> the only way to stop that is policy routing
13:16 <@krzee> !fatoids search route
13:16 <@krzee> !factoids search route
13:16 <@vpnHelper> 'winroute', 'iroute', 'router', 'dlink_static_route', 'external_routes', 'route_override', 'splitroute', 'route_outside_openvpn', 'route_outside_ovpn', 'routebyapp', 'route', 'ppp_defaultroute', and 'route-nopull'
13:17 <@krzee> !splitroute
13:17 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
13:22 < Braziercustoms> dazo, krzee, thanks for your help... that will point me in the direction I need, but I will have to look later. gotta get back to work.. I will probably be back around before its over lol!
13:23 <@dazo> Braziercustoms: get a copy of the openvpn 2 cookbook
13:23 <@dazo> !book
13:23 <@vpnHelper> "book" is http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
13:28 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Ping timeout: 256 seconds]
13:30 < Braziercustoms> dazo, ok thank you.
13:31 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
13:37 -!- Braziercustoms [~jbrazier@providenceindustrial.com] has quit [Quit: Leaving]
14:10 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
14:28 -!- Geheim49 [~CVO@5ED65A8A.cm-7-7b.dynamic.ziggo.nl] has joined #openvpn
14:28 < Geheim49> !welcome
14:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:29 < Geheim49> !goal
14:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:30 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has joined #openvpn
14:30 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 250 seconds]
14:30 < johnfg> hi folks
14:30 < johnfg> On a brand new install of centos 7, I just installed openvpn server & client.
14:30 < johnfg> My main openvpn server is debian, but debian's not as up to date as centos.
14:31 < johnfg> How from centos do I connect to the debian openvpn server?
14:31 < johnfg> Also, I don't seem to have client.ovpn.
14:33 < Geheim49> Hello, I have a VPN server. With 2 config files. 1 is for server management and 1 for internet access. The server management needs to go over eth0 and the internet access config needs to go over eth1. But it always wants to go over eth0.
14:35 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
14:42 < _FBi> !learn
14:42 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:44 < johnfg> _FBi: Was that for me?
14:44 < _FBi> hehI doubt it, unless it applies
14:45 < _FBi> I just got here, I can't see any chat about !learn
14:45 < johnfg> From gentoo and win7, I simply edit and put client.conf in the correct spot, but not sure with centos.
14:45 < johnfg> _FBi: I didn't think so, but wanted to be sure :-)
14:47 < _FBi> is someone helping you, if not what is the question?
14:48 < johnfg> _FBi: No, no one's helping.
14:48 < johnfg> On a brand new install of centos 7, I just installed openvpn server & client.
14:48 < johnfg> My main openvpn server is debian, but debian's not as up to date as centos.
14:49 < johnfg> How from centos do I connect to the debian openvpn server?
14:49 < johnfg> From gentoo and win7, I simply edit and put client.conf in the correct spot, but not sure with centos.
14:49 < johnfg> _FBi: That's the recap.
14:50 < _FBi> I don't see why there would be a difference?
14:50 < _FBi> I use debian for all my servers.  I compile OpenVPN instead of apt-get install
14:52 -!- dazo is now known as dazo_afk
14:57 < _FBi> johnfg, having any issues?
15:01 -!- supergauntlet is now known as boypussy
15:04 < esde> 0_o
15:05 < johnfg> I do too, but the latest openvpn is openvpn-as, and the centos client is a bit different too.
15:05 < johnfg> _FBi: Are you running access server on debian wheezy?
15:06 < _FBi> negative
15:06 < _FBi> !as
15:06 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
15:08 -!- Neal_ [neal@felix.ineal.me] has quit [Remote host closed the connection]
15:08 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
15:08 < johnfg> Ah, I see.  btw...what version are you running?  On my wheezy box, it's 2.1.3.
15:10 < esde> ouch
15:10 < esde> current is 2.3.5
15:13 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 264 seconds]
15:17 < _FBi> esde, my I learn factoids ?
15:18 < _FBi> I just [finally!!] got all my Russian VPN traffic/clients to now go through TOR
15:21 -!- u0m3_ [~u0m3@92.80.86.86] has quit [Read error: Connection reset by peer]
15:22 -!- u0m3_ [~u0m3@92.80.86.86] has joined #openvpn
15:25 -!- u0m3__ [~u0m3@92.80.86.86] has joined #openvpn
15:28 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
15:28 -!- u0m3_ [~u0m3@92.80.86.86] has quit [Ping timeout: 256 seconds]
15:30 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:41 -!- Geheim49 [~CVO@5ED65A8A.cm-7-7b.dynamic.ziggo.nl] has quit [Ping timeout: 256 seconds]
15:42 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
15:45 -!- Geheim49 [~CVO@5ED65A8A.cm-7-7b.dynamic.ziggo.nl] has joined #openvpn
15:56 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:56 < zoredache> johnfg: how did you get 2.1.3 on wheezy I wonder.  Wheezy includes 2.2.1 in the main repos, and 2.3.2 is available in the wheezy-backports repo.
15:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Remote host closed the connection]
16:23 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Excess Flood]
16:23 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
16:31 -!- Geheim49 [~CVO@5ED65A8A.cm-7-7b.dynamic.ziggo.nl] has left #openvpn []
16:52 -!- val3ntin [~Valentin@ipservice-092-210-026-153.092.210.pools.vodafone-ip.de] has quit [Quit: Leaving]
17:01 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
17:01 < alexw> OpenVPN AS vs OpenVPN what's the difference?
17:02 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 256 seconds]
17:03 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
17:14 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 244 seconds]
17:14 < zoredache> !as
17:14 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
17:15 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
17:15 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
17:15 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
17:16 -!- erratic [~erratic@erratic.paigeat.info] has quit [Ping timeout: 258 seconds]
17:19 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
17:20 -!- lavamind [~jcharaoui@206.167.119.5] has quit [Quit: Leaving]
17:30 -!- erratic [~erratic@erratic.paigeat.info] has joined #openvpn
18:21 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
18:24 -!- varsisstudio [~varsisstu@104.207.136.9] has quit [Remote host closed the connection]
18:26 -!- varsisstudio [~varsisstu@104.207.136.9] has joined #openvpn
18:32 < varsisstudio> Hello, I have a machine which has openvpn client, but I would like to be able to ssh into my machine,access file sharing ect through the local ip not the VPN ip. It is a mac, running PF (BSD) I Was told to look into route-to and reply-to but I could not find much about these features other then the man pages, I tried a few different configurations but unable to get it working.
18:32 < varsisstudio> Can anyone help me build a set of rules that will work? (PS if you replied to me the other day my client would only log so much time so I might of not been able to read your response.)
18:42 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has joined #openvpn
18:45 <@krzee> varsisstudio, you probably want #pf or #openbsd
18:46 <@krzee> we support openvpn here, your question is unrelated to openvpn but rather is just about pf
18:46 < varsisstudio> krzee I will try pf out.
19:04 -!- juztin__ [~juztin_@c-67-186-216-8.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
19:18 -!- u0m3__ [~u0m3@92.80.86.86] has quit [Read error: Connection reset by peer]
19:53 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
19:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
19:58 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
20:05 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
20:24 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
20:26 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Read error: Connection reset by peer]
20:26 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
20:41 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:44 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
20:44 -!- TyrfingMjolnir [~Tyrfing@203.117.37.234] has joined #openvpn
20:59 -!- TyrfingMjolnir [~Tyrfing@203.117.37.234] has quit [Quit: Searching for Waimea]
21:00 -!- TyrfingMjolnir [~Tyrfing@203.117.37.234] has joined #openvpn
21:02 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
21:02 -!- TyrfingMjolnir [~Tyrfing@203.117.37.234] has quit [Read error: No route to host]
21:12 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has joined #openvpn
21:20 -!- varsisstudio [~varsisstu@104.207.136.9] has quit [Read error: Connection reset by peer]
21:30 -!- acovrig [~acovrig@host-216-229-233-5.public.southern.edu] has joined #openvpn
21:30 < acovrig> Is there a SIG I can give the openvpn process (server) to have it update the openvpn-status.log?
21:35 -!- varsisstudio [~varsisstu@104.207.136.87] has joined #openvpn
21:44 -!- varsisstudio [~varsisstu@104.207.136.87] has quit [Read error: Connection reset by peer]
21:45 -!- varsisstudio [~varsisstu@104.207.136.21] has joined #openvpn
21:53 <@krzee> check the signals section of the manual
21:53 <@krzee> !man
21:53 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
22:04 -!- yeik [~jeff@2601:b:5a00:d02:cc81:62ab:3644:2841] has joined #openvpn
22:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:29 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
22:39 -!- Latrina [~Latrina@ppp-176-14.26-151.libero.it] has quit [Ping timeout: 258 seconds]
22:41 -!- Latrina [~Latrina@ppp-44-53.26-151.libero.it] has joined #openvpn
22:44 -!- yeik [~jeff@2601:b:5a00:d02:cc81:62ab:3644:2841] has quit [Quit: Leaving]
22:52 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 272 seconds]
22:53 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
22:53 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
23:00 -!- fixi [~fixi@2a00:dcc0:eda:88:50:192:7e8b:8091] has joined #openvpn
23:00 < fixi> hey
23:00 < fixi> is anyone around? :)
23:02 < fixi> could someone please help me with setting up a bridge between two openvpn networks?
23:07 -!- kirin` [telex@gateway/shell/anapnea.net/x-yzttsggppffrnkks] has quit [Ping timeout: 250 seconds]
23:08 -!- varsisstudio [~varsisstu@104.207.136.21] has quit [Quit: Lingo: www.lingoirc.com]
23:08 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 272 seconds]
23:10 -!- varsisstudio [~varsisstu@S0106b8c75dcf7f18.ed.shawcable.net] has joined #openvpn
23:14 -!- ShadniX [dagger@p5481CC90.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:15 -!- varsisstudio [~varsisstu@S0106b8c75dcf7f18.ed.shawcable.net] has quit [Ping timeout: 255 seconds]
23:15 -!- kirin` [telex@gateway/shell/anapnea.net/x-obkhoqsdtyyngtkd] has joined #openvpn
23:17 -!- ShadniX [dagger@p5DDFF18B.dip0.t-ipconnect.de] has joined #openvpn
23:20 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
23:24 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
23:24 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
23:24 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 250 seconds]
23:30 -!- acovrig_ [~acovrig@host-216-229-233-5.public.southern.edu] has joined #openvpn
23:33 -!- acovrig [~acovrig@host-216-229-233-5.public.southern.edu] has quit [Ping timeout: 240 seconds]
23:38 -!- acovrig_ [~acovrig@host-216-229-233-5.public.southern.edu] has quit [Read error: Connection reset by peer]
23:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:57 <@krzee> fixi, are you saying you have 2 lans and you want them to be able to access eachother?
23:57 -!- varsisstudio [~varsisstu@108.61.101.134] has joined #openvpn
23:59 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Remote host closed the connection]
--- Day changed Thu Nov 20 2014
00:05 -!- moseph [jaxwell@some-other-doma.in] has joined #openvpn
00:07 -!- moseph [jaxwell@some-other-doma.in] has left #openvpn ["Leaving"]
00:11 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 244 seconds]
00:13 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:13 -!- mode/#openvpn [+o mattock] by ChanServ
00:18 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
00:35 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 256 seconds]
00:39 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
00:52 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
00:53 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
01:33 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
01:36 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
01:47 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Excess Flood]
01:49 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
01:56 -!- Denial [~Denial@81.141.8.23] has quit [Ping timeout: 240 seconds]
02:07 -!- dazo_afk is now known as dazo
02:12 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Quit: ZNC - http://znc.in]
02:14 -!- luvlinuxos [~luvlinuxo@2604:2000:dea1:e500:e885:a55:529e:7ced] has joined #openvpn
02:17 < nullie> any ideas why "route" directives don't work on my windows machine?
02:17 < nullie> or is it for server only?
02:20 <@Eugene> Route can be specified on both ends
02:20 -!- Mowee [~Mowee@195-154-194-139.rev.poneytelecom.eu] has quit [Quit: = "Leaving"]
02:20 <@Eugene> But the destination of that route(LAN behind the server, typically) has to know to send the traffic for the VPN back to the server somehow
02:20 <@Eugene> !serverlan
02:20 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
02:20 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
02:20 <@Eugene> !route
02:20 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
02:20 <@vpnHelper> client
02:20 <@Eugene> Some reading for ya
02:20 < nullie> Eugene, I know. I just don't see changes in routing table
02:20 <@Eugene> Well that's because Windows sucks ass.
02:21 <@Eugene> Are you running it as Admin?
02:21 <@Eugene> !logs
02:21 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
02:22 < nullie> interesting... so I need to run openvpn as adminstrator
02:22 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:30 -!- N3oXid [~n3oxid@231.227.31.93.rev.sfr.net] has joined #openvpn
02:30 < N3oXid> Hello everyone.
02:31 < N3oXid> I'm looking for help regarding an issue with the client-to-client connectity.
02:31 < N3oXid> connectivity
02:34 < N3oXid> Server: Debian testing, openvpn 2.3.4-4 | Client1: Windows 8.1 x64, OpenVPN 2.3.5 x86_64-w64-mingw32 | Client2: Windows 7 x64, OpenVPN 2.3.5 x86_64-w64-mingw32
02:34 < N3oXid> Dev tun for all with client-to-client directive on the server side.
02:35 < N3oXid> I can ping the server from both clients but cannot ping a client from another.
02:35 -!- luvlinuxos [~luvlinuxo@2604:2000:dea1:e500:e885:a55:529e:7ced] has quit [Quit: Leaving]
02:36 < N3oXid> No filtering issue detected.
02:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
02:40 <@dazo> !c2c
02:40 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
02:40 <@vpnHelper> other clients
02:42 < N3oXid> Thanks for the tip. However, should I be able to see ICMP echo, sent by a client to another client, on the server with a tcpdump?
02:44 <@dazo> N3oXid: hmmm ... no, not really ... you should see some encrypted traffic on your NIC with a public IP, but not on the tun/tap adapter
02:46 < N3oXid> Ok. And if I can see packets sent on the correct tun/tap interface on the first client and nothing on the destination one, what does it mean?
02:49 < N3oXid> Ok it works...
02:51 < N3oXid> In fact I though I should see clear packets through the server. I was not either able to see incoming packets on the client with Wireshark but after disabling the firewall on this client, it starts working.
02:51 < N3oXid> Thanks for your help.
02:52 <@dazo> yw!
03:00 -!- ryao [~ryao@gentoo/developer/ryao] has joined #openvpn
03:03 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:04 < ryao> I have having an issue with OpenVPN's UDP transport behind a NAT where it stops working semi-randomly, but the distribution is biased toward the first minute of operation. Looking at the packets on the server side with tcpdump in one instance showed that the UDP packets are coming from port 6291 and then 5ms afterward, start coming from port 3305. All traffic over the tunnel dies at that point. Looking at the packets on the client side showed no ...
03:04 < ryao> ... change until the timeout hit, when it will bind to a different UDP port and try communicating, which does not work. Later, the connection dies.
03:05 < ryao> There is a triple NAT here... I have a NAT setup with iptables on the OpenVPN server. The client is behind a carrier NAT and also a home router NAT.
03:05 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has quit [Read error: Connection reset by peer]
03:05 < ryao> Does anyone have any ideas?
03:05 < BtbN> Fix your NAT
03:05 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has joined #openvpn
03:08 < ryao> BtbN: I cannot.
03:09 < ryao> Are there any settings that I can use to detect/correct this condition on the fly?
03:09 < ryao> BtbN: By the way, it should be said that this is the carrier NAT...
03:10 < BtbN> If the source port is randomly changed by the NAT, the "connection" is lost
03:10 < ryao> Also... I guess the server side NAT really only applies to the tunnel, so it is just a double nat in terms of connectivity to the server daemon.
03:10 < BtbN> it should be imediately re-established, but for the moment, it's gone
03:10 < ryao> BtbN: Is there a way to detect and recover quickly? I am not seeing that happen.
03:11 < BtbN> The client will keep trying to reconnect, unless you told it not to
03:12 < ryao> I am using networkmanager-openvpn, so I do not have strong control over the settings, although I can hard code it into the software via patches.
03:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:13 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Ping timeout: 264 seconds]
03:15 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:26 < ryao> This is how it is being run with my patches: /usr/sbin/openvpn --remote remote-host --comp-lzo --nobind --dev tun --proto udp --fast-io --port 1194 --cipher CIPHER --auth HASH --auth-nocache --tls-auth /path/to/ta 1 --syslog nm-openvpn --script-security 2 --up /usr/libexec/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --ifconfig-noexec --client --ca ...
03:26 < ryao> ... /path/to/ca --cert /path/to/cert --key /path/to/key --remote-cert-tls server
03:26 < ryao> Sensitive information has been censored.
03:28 < ryao> I wonder if --no-bind might be the problem...
03:28 -!- N3oXid [~n3oxid@231.227.31.93.rev.sfr.net] has quit []
03:37 -!- Fun [~Fun1@unaffiliated/fun] has joined #openvpn
03:38 < Fun> hi
03:38 < Fun> where is win com edition?
03:38 < Fun> I dowload and its commercial
03:38 < Fun> much crazy
03:38 -!- TyrfingMjolnir [~Tyrfing@118.189.1.18] has quit [Ping timeout: 250 seconds]
03:41 < Fun> https://openvpn.net/index.php/open-source/downloads.html
03:41 <@vpnHelper> Title: Downloads (at openvpn.net)
03:41 < Fun> installs commercial!
03:53 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:57 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
04:20 -!- Fun [~Fun1@unaffiliated/fun] has quit [Ping timeout: 264 seconds]
04:23 -!- bewees [~philipp@46.114.55.141] has joined #openvpn
04:26 < bewees> Hi, if I set Node1 (10.9.8.3) is my vpn client and Node2 (10.9.8.1) is my vpn server, I should then be able to ssh from Node1 to Node2 right?  http://www.gliffy.com/go/publish/image/6549507/L.png
04:26 < bewees> s/is/as/
04:47 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
04:56 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:15 -!- dusted [~dusted@190-162-191-90.dyn.estpak.ee] has joined #openvpn
05:16 < dusted> Hmm, I know how to issue a client certificate with time-limited validity.. Would there be a way to have a connection-count-limited validity? (ie: you can connect with it only once)
05:17 -!- elfixit [~Icedove@nl9x.mullvad.net] has joined #openvpn
05:30 < bewees> Is the local_gateway of Node1 192.168.10.100? http://www.gliffy.com/go/publish/image/6549507/L.png
05:30 < bewees> Is local gateway the same as default gateway?
05:35 < bewees> And VPN_Server IP is 192.168.10.20 or 10.9.8.1? http://www.gliffy.com/go/publish/6549507
05:35 < bewees> http://www.gliffy.com/go/publish/image/6549507/L.png
05:40 -!- bewees is now known as bewees3
05:40 -!- bewees [~AndChat74@46.114.55.141] has joined #openvpn
05:46 -!- bewees3 [~philipp@46.114.55.141] has quit [Ping timeout: 264 seconds]
05:47 -!- bewees [~AndChat74@46.114.55.141] has quit [Ping timeout: 240 seconds]
05:55 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
05:57 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
05:57 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
05:59 <@dazo> dusted: no, certificates knows nothing about how many times they've been used.  You can however write --client-connect script which can log the times a certificate have been used (using the tls_digest_0 variable, which is the certificate fingerprint)
06:02 <@dazo> ryao: some routers/firewalls does break UDP traffic ... you can try to send more frequent --ping packets, to see if it lets the connection stay open ... otherwise, you're forced to switch to TCP
06:03 <@dazo> ryao: --no-bind is not the problem ... that only tells openvpn to not use the same port number for the local end (for example 1194) and instead use a "random" port
06:05 <@plaisthos> ryao: we have a peer id patch that solves this issue, but that code is still experimental
06:06 <@plaisthos> and requires patching client and server
06:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:16 <@dazo> syzzer: just began thinking of certificate hashes .... x509_get_sha1_hash() ... how will that behave on certificates with sha2 hashes?
06:16 <@dazo> Both openssl and polarssl implementations seems to extract this info from internal structures
06:19 < dusted> dazo, ah, that's an idea, thank you! :)
06:19 <@dazo> syzzer: I'll repost the questions on -devel instead :)
06:20  * dazo realised he was on #openvpn not #openvpn-devel :)
06:32 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:35 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
06:38 <@plaisthos> dazo: I guess it will just continue to work
06:38 <@plaisthos> but that is openssl so who knows ....
06:52 -!- Latrina [~Latrina@ppp-44-53.26-151.libero.it] has quit [Ping timeout: 255 seconds]
06:52 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 272 seconds]
06:53 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
06:55 -!- Latrina [~Latrina@adsl-ull-20-244.45-151.net24.it] has joined #openvpn
06:55 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
06:56 -!- barbababa [~barbababa@a88-115-205-61.elisa-laajakaista.fi] has quit [Remote host closed the connection]
07:00 -!- val3ntin [~val3ntin@ipservice-092-210-026-153.092.210.pools.vodafone-ip.de] has joined #openvpn
07:07 -!- bewees [~philipp@46.114.40.108] has joined #openvpn
07:10 -!- bewees [~philipp@46.114.40.108] has quit [Disconnected by services]
07:11 -!- bewees [~philipp@46.114.31.87] has joined #openvpn
07:12 < bewees> Hi, I'm following debian openvpn tutorial and I have to add now routes on the vpn client. What IP is meant with 'VPNSERVER_IP': 1) eth0 192.168.10.20 or 2) tun0 10.9.8.1 on the server? See: http://www.gliffy.com/go/publish/image/6549507/L.png
07:21 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
07:28 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
07:28 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 255 seconds]
07:31 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
07:45 < _FBi> woohoo
07:45 < _FBi> I mean whoa
07:45 < _FBi> bewees, have you tried the OpenVPN tutorial?
07:47 < bewees> _FBi, Can you provide me a link, there are so many links on openvpn's doc page https://openvpn.net/index.php/open-source/documentation/howto.html
07:47 <@vpnHelper> Title: HOWTO (at openvpn.net)
07:48 < _FBi> that's the one
07:48 < _FBi> fairly straight forward
07:48 < bewees> Oh, the links are only paragraph links
07:49 < _FBi> buh?
07:50 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
07:53 < esde> >only paragraph links. wat
07:54 < _FBi> ^
07:57 <@krzee> also your gliffy doesnt do anything as far as telling us what you want
07:57 <@krzee> which is generally the point of making a diagram
07:58 < bewees> https://openvpn.net/index.php/open-source/documentation/howto.html#vpntype                 where #vpntype is a paragraph link
07:58 <@vpnHelper> Title: HOWTO (at openvpn.net)
07:59 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
07:59 <@krzee> so you are saying you want more links inside the howto so you dont have to learn whats in the howto just skim to the link you want?
08:00 < _FBi> it's a pretty good read -- OTHER THAN THE ERRORS I POINTED OUT YESTERDAY
08:00 <@krzee> pointed out or made a trac ticket for?
08:01 < bewees> krzee, No, I said those are just paragraph link. I thought those are links to other tutorial. "<bewees> _FBi, Can you provide me a link, there are so many links on openvpn's doc page https://openvpn.net/index.php/open-source/documentation/howto.html
08:01 < bewees> < " which confused me
08:01 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:01 <@krzee> !howto
08:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:01 <@krzee> that goes to the same page
08:01 <@krzee> read the whole thing.
08:03 < _FBi> krzee, # Downgrade privileges after initialization (non-Windows only)
08:03 < _FBi> ;user nobody
08:03 < _FBi> ;group nobody
08:03 <@krzee> _FBi, did you not understand what i said?
08:03 < _FBi> I'd rather just complain
08:04 <@krzee> <krzee> pointed out or made a trac ticket for?
08:04 <@krzee> that does not mean "show me"
08:04 <@krzee> in fact depending on your answer, next statement is:  "make a trac ticket, or you did nothing"
08:04 < _FBi> lol
08:04 < _FBi> the second
08:05 <@krzee> so there you go, you did nothing.
08:05 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:06 < _FBi> before commenting on it.  it should be group nogroup  correct?
08:06 < _FBi> Debian has no group nobody
08:07 <@krzee> _FBi, LOL
08:07 <@krzee> so thats only for debian now?
08:07 <@krzee> try a real os :-p
08:07 < _FBi> s my d
08:07 <@krzee> thats not even a bug, you'll never find something that matches everywhere
08:07 <@krzee> if the user cant figure out the issue, they dont deserve a computer
08:07 < _FBi> well, I am on a Win7 box right now * Puts on cool guy shades *
08:08 < _FBi> I figured it was different from OS to OS, so I didn't do anything more
08:09 <@krzee> it is, so how is that an ERROR?
08:09 < _FBi> it's not spoon feeding me
08:09 <@krzee> !spoonfeeding
08:09 <@vpnHelper> "spoonfeeding" is http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
08:09 < _FBi> you do know I'm the center of the universe, right?
08:10 <@krzee> watch out the black hole is swallowing you
08:11 < _FBi> it's okay, I'll just restart
08:12 < _FBi> http://www.deathandtaxesmag.com/196001/big-bang-breakthrough-indicates-infinite-number-of-universes-exist/
08:12 <@krzee> all conjecture for now
08:15  * _FBi takes his spoon and goes to bed
08:15 < _FBi> night guys
08:15 <@krzee> later man
08:16 <@krzee> nite? where you visiting?
08:16 < _FBi> nigth shift
08:16 <@krzee> oh
08:27 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Excess Flood]
08:28 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
08:32 < robscow> i'm having a bit of bother accessing the client lan but it's only with iptables, i have a forward rule on the client, between tun0 and virbr0 (bridge for a collection of VMs on the machine) both ways, but i can only ping the lan ips of the client when iptables isn't running
08:34 < robscow> then again ignore me, seems iptables needed a bit of time to kick in
08:45  * esde kicks iptables
08:59 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Ping timeout: 265 seconds]
09:00 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:09 < bewees> Hm, I read the VPN documentation, but Im still not sure what IP to use in 'ip route add VPNSERVER_IP via LOCALGATEWAY_IP dev eth0  proto static' for VPNSERVER_IP' and LOCALGATEWAY
09:09 < bewees> I tried: ip route add 10.9.8.1 via 192.168.10.20 dev eth0 proto static  but that doesnt work because "RTNETLINK answers: File exists"
09:19 < bewees> http://www.gliffy.com/go/publish/image/6549507/L.png
09:20 < bewees> (Can't ping from 10.9.8.1 from Node1 nor 10.9.83 from Node2)
09:20 < bewees> to Node1*
09:20 < bewees> * (Can't ping to 10.9.8.1 from Node1 nor to 10.9.83 from Node2)
09:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:34 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
09:40 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
09:42 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
09:46 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
09:51 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
09:51 -!- noecc [~irc@unaffiliated/noecc] has quit [Ping timeout: 265 seconds]
09:53 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:09 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 256 seconds]
10:12 -!- NucWin [~nucwin@unaffiliated/nucwin] has left #openvpn []
10:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
10:28 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
10:29 <@dazo> ecrist: krzee: Eugene: Have you guys seen this one?  http://thread.gmane.org/gmane.network.openvpn.user/35399  .... please spread the word, as we need input if we need to keep --disable-ssl  .... otherwise we'll kick it out in 2.4
10:29 <@vpnHelper> Title: Gmane Loom (at thread.gmane.org)
10:30 <@Eugene> Is that a build flag ?
10:32 <@dazo> Eugene: yeah
10:32 <@Eugene> I can't imagine anybody seriously missing that one, except maybe the Debianites
10:33 <@Eugene> Or that one Gentoo lunatic(there's always one...)
10:33 <@dazo> heh ... probably true :)
10:39 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:39 -!- Popsikle [~popsikle@67.110.154.218.ptr.us.xo.net] has joined #openvpn
10:45 -!- dazo is now known as dazo_afk
10:52 -!- bewees [~philipp@46.114.31.87] has quit [Ping timeout: 255 seconds]
10:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
10:56 -!- Popsikle [~popsikle@67.110.154.218.ptr.us.xo.net] has quit [Remote host closed the connection]
11:08 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
11:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
11:35 -!- Xapht [8e88e3df@gateway/web/freenode/ip.142.136.227.223] has joined #openvpn
11:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:37 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has quit [Quit: Lost terminal]
11:59 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
12:03 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has joined #openvpn
12:04 < johnfg> Trying to get openvpn 2.3.5 client to connect.  Here's the error I'm getting: https://dpaste.de/3rhM
12:05 < zoredache> what do yousee on the server?
12:09 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has quit [Read error: Connection reset by peer]
12:09 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has joined #openvpn
12:14 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
12:15 < johnfg> zoredache: I'll check, just a sec.
12:29 -!- Xapht [8e88e3df@gateway/web/freenode/ip.142.136.227.223] has quit [Ping timeout: 246 seconds]
12:30 < johnfg> zoredache: Here's from the server: https://dpaste.de/VfMF
12:30 < johnfg> Took me a while to fix something that I saw.
12:31 < zoredache> --> `174.45.122.178:42880 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned`
12:31 < zoredache> Have you defined a key/cert on your client?
12:43 < johnfg> ya
12:44 < johnfg> Do you want to see my client.conf?
12:46 < zoredache> sure, might be useful to see the server config as well.
12:48 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:48 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:54 < johnfg> http://pastebin.centos.org/14016/ client.
12:55 < johnfg> here's the server: http://pastebin.centos.org/14021/
12:56 < johnfg> When you see the /etc/openvpn/ccd in server.conf, that directory and the proper files are there.
13:05 < johnfg> zoredache: See anything out of whack in the conf files?
13:07 < zoredache> How did you generate your cert for your client?
13:08 < zoredache> From your server log `VERIFY ERROR: depth=0, error=unable to get local issuer certificate:` Your client and server were generated from the same CA right?
13:10 < johnfg> yes.
13:11 < johnfg> zoredache: I first did source ./vars, then ran, build-key client4.
13:11 < johnfg> Then I copied the files to the centos machine.
13:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:23 -!- dusted [~dusted@190-162-191-90.dyn.estpak.ee] has quit [Quit: Leaving]
13:30 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:31 < johnfg> I have the debian openvpn server working fine with clients on gentoo and 2 win7 boxes.  Not sure what I'm missing here.
13:33 -!- Pip [~Pip__@unaffiliated/pip] has joined #openvpn
13:34 < Pip> Hello, I want to know how to configure the firewall.sh file in openvpn package to fit my VPN service on Linux
13:34 -!- noecc [~irc@unaffiliated/noecc] has quit [Remote host closed the connection]
13:35 < Pip> Because when I run the openvpn service with client.conf in /etc/openvpn/ which there is a firewall line in it. I get output like "Bad argument ....." in terminal
13:37 < Pip> For example, there is a line in firewall.sh file: PRIVATE=10.3.0.0/24
13:37 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:38 < Pip> But from iptables -L I see there are lines like PRIVATE=10.3.0/24, but from output of iptables -L there are lines like DROP       all  --  10.0.0.0/8           anywhere
13:38 < Pip> I mean why isn't 10.3.0.0/8?
13:54 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
13:58 -!- Chex [sss@swampjax.northnook.ca] has quit [Quit: Changing server]
13:59 -!- ChexFun [~Chex@swampjax.northnook.ca] has joined #openvpn
13:59 < eristisk> &join #python
14:00 -!- ChexFun is now known as Chex-
14:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
14:05 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:09 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has quit [Quit: leaving]
14:10 -!- elfixit [~Icedove@nl9x.mullvad.net] has quit [Ping timeout: 240 seconds]
14:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:18 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
14:21 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
14:22 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 250 seconds]
14:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 265 seconds]
14:40 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
14:52 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
15:00 -!- mattock is now known as mattock_afk
15:00 -!- quup [~ppp@unaffiliated/quup] has joined #openvpn
15:01 < quup> hi, looking for some hardware. Want something with two ethernet ports that can serve as an OpenVPN client and handle 100/100Mbit with AES-CBC-256
15:02 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has joined #openvpn
15:02 < Cydrobolt> Hello
15:02 < Cydrobolt> Can anyone help me with bad source address from client [192.168.1.5], packet dropped
15:02 < Cydrobolt>  error
15:03 < Cydrobolt> I'm on the latest version of openvpn on Fedora x64
15:03 < Cydrobolt> I'm trying to route my phone's internet through the VN
15:04 < Cydrobolt> i can connect but i get no internet
15:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
15:23 -!- mikjaer [~mikjaer@127-0-0-1.dk] has joined #openvpn
15:26 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
15:33 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
15:36 -!- aep [~aep@libqxt/developer/aep] has quit [Ping timeout: 244 seconds]
15:38 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
15:39 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
15:43 -!- CLG_CEO_ [4446f0f7@gateway/web/freenode/ip.68.70.240.247] has joined #openvpn
15:44 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:49 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
15:53 < CLG_CEO_> I have asked this on the forums, but the admin-approved posting thing is preventing any sort of timely dialogue. I have a Windows 8.1 machine I am using as "server." I want to connect to it, using the VPN from remote locations, to access a shared folder that the software our company uses depends on. I have set up server and client profiles, both of which connect. I can ping either from either, with no problem. However, the client s
15:53 < CLG_CEO_> I don't know how to show the config files on here.
16:07 < CLG_CEO_> Can anyone see/hear me and help me?
16:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:21 -!- CLG_CEO_ [4446f0f7@gateway/web/freenode/ip.68.70.240.247] has quit [Quit: Page closed]
16:28 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
16:35 -!- val3ntin [~val3ntin@ipservice-092-210-026-153.092.210.pools.vodafone-ip.de] has quit [Quit: Leaving]
16:49 -!- Chex- is now known as Chex
16:50 -!- Pyrogerg_ [~Gregory@205.167.120.203] has joined #openvpn
16:51 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b500:6f76:7d93:afb9] has quit [Ping timeout: 258 seconds]
16:53 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
16:57 < pekster> Cydrobolt: Read/follow this procedure (helpful flowchart is most helpful)
16:57 < pekster> !reaadirect
16:57 < pekster> !redirect
16:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:57 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:58 < pekster> Cydrobolt: Also, that error simply means your client is making a bad source decision by attempting to use a completely bogus IP over the VPN link. You'd have to tcpdump traffic to see what application/protocol is behaving baldy and fix it
16:58 < pekster> VPN server drops it, just as your ISP would drop traffic if you tried to send from 203.0.113.8
16:58 < pekster> s/would/should/
17:05 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Excess Flood]
17:06 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
17:07 < Cydrobolt> mmh, okay
17:07 < Cydrobolt> pekster, it just randomly started working, btw
17:07 < Cydrobolt> I have no idea what I did, but now it works ;/
17:07 < Cydrobolt> after many failed attempts
17:07 -!- Pip [~Pip__@unaffiliated/pip] has left #openvpn ["Leaving"]
17:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
17:09 -!- Latrina [~Latrina@adsl-ull-20-244.45-151.net24.it] has quit [Ping timeout: 250 seconds]
17:11 -!- Latrina [~Latrina@ppp-229-3.26-151.libero.it] has joined #openvpn
17:11 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
17:28 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
17:35 -!- Latrina [~Latrina@ppp-229-3.26-151.libero.it] has quit [Ping timeout: 258 seconds]
17:36 < Cydrobolt> So I was reading https://community.openvpn.net/openvpn/wiki/IPv6
17:36 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
17:37 < Cydrobolt> and it tells me to add the "server-ipv6 2001:db8:0:123::/64" directive
17:37 < Cydrobolt> What exactly is the address referring to?
17:37 -!- Latrina [~Latrina@ppp-169-7.26-151.libero.it] has joined #openvpn
17:37 < Cydrobolt> Should I replace the 2001:db8:0:123::/64 with my own IP?
17:53 -!- varsisstudio [~varsisstu@108.61.101.134] has quit [Ping timeout: 258 seconds]
18:07 -!- mlariv [~mlariv@cpe-065-190-171-209.nc.res.rr.com] has joined #openvpn
18:10 -!- mlariv [~mlariv@cpe-065-190-171-209.nc.res.rr.com] has quit []
18:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
18:12 -!- Pyrogerg_ [~Gregory@205.167.120.203] has quit [Ping timeout: 264 seconds]
18:17 -!- robscow [~robsco@wimbledon.brainboxdigital.com] has quit [Ping timeout: 255 seconds]
18:38 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
18:41 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:43 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
18:50 < Chex> is dd-wrt the lol-sumer router firmware of choice for good V4/V6 tunneling?
18:51 < Chex> I am upgrading an old WRT4Gs to it now.
18:51 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Remote host closed the connection]
19:11 < pekster> Chex: Ah, you're here too. We have a factoid for the nonsense that is dd-wrt:
19:11 < pekster> !dd-wrt
19:11 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
19:13 < pekster> Also:
19:13 < pekster> !openwrt
19:13 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
19:18 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:30 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
19:45 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has quit [Quit: haasn]
19:46 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
19:47 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
19:48 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
20:05 -!- haasn [~haasn@static.102.126.46.78.clients.your-server.de] has joined #openvpn
20:20 -!- Latrina [~Latrina@ppp-169-7.26-151.libero.it] has quit [Ping timeout: 245 seconds]
20:23 -!- Latrina [~Latrina@ppp-4-32.26-151.libero.it] has joined #openvpn
20:28 -!- karzon_ [~karzon@wnpgmb1204w-ds01-74-253.dynamic.mtsallstream.net] has joined #openvpn
20:29 < karzon_> !welcome
20:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:30 < karzon_> I have a problem with traffic stopping accross my vpn tunnel after a set time. changing keep alive values change how long it takes to stop working. I need advice.
20:32 < karzon_> !goal
20:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:33 < karzon_> allo
20:36 < karzon_> !paste
20:36 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
20:37 < karzon_> !configs
20:37 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:50 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
20:51 -!- Latrina [~Latrina@ppp-4-32.26-151.libero.it] has quit [Ping timeout: 240 seconds]
20:52 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
20:52 -!- Latrina [~Latrina@ppp-30-63.26-151.libero.it] has joined #openvpn
21:00 < karzon_> any one have a few minutes to help with a connection dropping issue?
21:01 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
21:02 < pekster> Without logs, I can tell you "soemthing has terminated the connection"
21:04 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
21:04 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has joined #openvpn
21:05 < karzon_> fair enough
21:05 < pekster> !logs
21:05 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
21:07 < karzon_> Server http://ur1.ca/iu7ca
21:07 <@vpnHelper> Title: #152673 Fedora Project Pastebin (at ur1.ca)
21:09 < pekster> Yea, logs at 'verb 0' are basically worthless for any real debugging. The client is generally the first end to register a disconnect due to timeout (due to the ping-timeout being half as large by default with --keepalive) but that's a silly choice of log level in the face of problems
21:09 < pekster> !verb
21:09 <@vpnHelper> "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info or (#2) verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage. or (#3) Anything more than 5 is for developer debugging only
21:09 < karzon_> client http://ur1.ca/iu7cs
21:09 <@vpnHelper> Title: #152674 Fedora Project Pastebin (at ur1.ca)
21:10 < pekster> Configs appear sane enough
21:11 < karzon_> server keep alive is 10 120 connection works for exactly 120s. if i change to 10 300, it works for exactly 300s. after 300 seconds of not working it starts working again.
21:11 < pekster> Again with the logs
21:11 < pekster> You have "some problem" currently
21:11 < karzon_> haha
21:20 -!- karzon_ [~karzon@wnpgmb1204w-ds01-74-253.dynamic.mtsallstream.net] has quit [Ping timeout: 244 seconds]
21:22 -!- karzon_ [~karzon@wnpgmb1204w-ds01-74-253.dynamic.mtsallstream.net] has joined #openvpn
21:23 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:23 < karzon_> !logfile
21:23 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
21:25 -!- mrtux [~stallman@unaffiliated/mrtux] has joined #openvpn
21:27 < mrtux> Hello. i have an openvpn server running on my gentoo box and it was working earlier
21:27 < mrtux> however after I finally set up iptables on my gentoo box I'm unable to connect
21:27 < mrtux> I've forwarded the udp port for openvpn
21:32 < CLG_CEO_> Hello All! I have a strange problem. First of all, I am attempting to do a simple file share over OpenVPN to remote computers. I am using Windows 8.1 as a server, and the clients use either 7 or 8.1. I have set up the server and clients, established connection, and I can ping each one from the other, yet I still can't see the shared folder.
21:32 < CLG_CEO_> The server config is http://ur1.ca/iu7g2, the client config is http://ur1.ca/iu7gc.
21:32 <@vpnHelper> Title: ur1 Generator (at ur1.ca)
21:33 < CLG_CEO_> !welcome
21:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:33 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:33 < karzon_> .
21:35 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
21:39 < karzon_> @pekster are you still around? i have those logs
21:40 < karzon_> Client http://ur1.ca/iu7j4 Server http://ur1.ca/iu7jb
21:40 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
21:40 <@vpnHelper> Title: #152680 Fedora Project Pastebin (at ur1.ca)
21:41 < karzon_> Server http://ur1.ca/iu7jb
21:41 <@vpnHelper> Title: #152681 Fedora Project Pastebin (at ur1.ca)
21:43 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <-]
21:43 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has joined #openvpn
21:44 < CLG_CEO_> !configs
21:44 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
21:44 < pekster> karzon_: You sent your openvpn process a SIGINT and it terminated on your request. See lines 320 and 329 of your logs
21:44 < pekster> client-side
21:44 < karzon_> @pekster Nevermind. thanks for you time though. I fingered it out.
21:44 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
21:45 < CLG_CEO_> !goal
21:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:46 < karzon_> CLG_CEO - are you trying to connect to share by name or IP?
21:50 < CLG_CEO_> I'm using the ip //10.8.0.1. Verbatim, I go to start, run, and type //10.8.0.1. I get an error telling me thst the network location cannot be found, but of course windows diag doesn't id a problem
21:51 < karzon_> isn't 10.8.0.1 the internal tunnel address?
21:51 < karzon_> I would assume the share would be tied to a lan address, not tunnel server
21:52 < CLG_CEO_> That's the internal address of my server. Someone was helping me on the forums, and told me to attempt to connect to thst ip rather than the internal ip
21:52 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
21:52 < CLG_CEO_> Correction: 10.8.0.1 is the vpn address of the server
21:52 < karzon_> yes the vpn tunnel address
21:53 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 244 seconds]
21:53 < karzon_> your client also has tunnel subnet address...something like 10.8.0.4
21:53 < CLG_CEO_> Right. Sorry I'm not an it guy in the least bit
21:53 -!- havingFun_ is now known as xrosnight
21:53 < karzon_> share resource is probably on Lan address....like 192.x.x.x or 10.x.x.x
21:53 < karzon_> etc
21:53 < CLG_CEO_> Client is 10.8.0.3 for the client I'm testing with
21:54 < CLG_CEO_> Right lan ip for server is 173.29.0.9
21:54 < karzon_> so share should be \\LANIPoffileserver
21:54 < karzon_> so \\173.29.0.9\sharename
21:55 < pekster> 172.29.0.9 I hope (unless you're Mediacom Corp)
21:55 < CLG_CEO_> Okay that might be my problem. Just to confirm, I should map network drive to lan ip. I'll try that.
21:55 < CLG_CEO_> Right 172 typo lol using my phone for irc
21:56 < karzon_> yes. definitly lan ip.
21:57 < mrtux> alright i fixed my issue with openvpn not working, i put it on port 443/tcp and it connects
21:58 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has quit [Quit: CLG_CEO_]
21:58 < mrtux> but iptables is now blocking internet access but the internal network works
21:58 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has joined #openvpn
21:59 < _FBi> so it's working ;)
21:59 < mrtux> _FBi: but not to the outside world like it used to do
22:00 < _FBi> are you trying to tunnel/forward your info outward
22:00 < mrtux> I'm trying to tunnel
22:00 < mrtux> here's the iptables settings and my openvpn config https://pastee.org/nxuu4
22:00 < _FBi> is ipv4 forward set to 1
22:00 < mrtux> one sec
22:01 < mrtux> yes
22:01 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:01 < _FBi> Q: Why are you not using TLS?
22:01 < mrtux> dunno
22:02 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Quit: No Ping reply in 180 seconds.]
22:02 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Quit: Searching for Waimea]
22:02 < _FBi> and group nobody works for you?  * glars at krzee *
22:02 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
22:02 < mrtux> using the gentoo default config
22:03 < mrtux> of course modifed
22:03 < mrtux> to an extent
22:03 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
22:04 < _FBi> shouldn't you uncomment redirecet gateway?
22:04 < mrtux> i'll be back in 5 minutes
22:04 < mrtux> i'll try that
22:05 < mrtux> enabled and it doesn't work
22:05 < mrtux> no internet
22:05 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
22:06 < _FBi> push "redirect-gateway def1 bypass-dhcp"
22:06 -!- karzon_ [~karzon@wnpgmb1204w-ds01-74-253.dynamic.mtsallstream.net] has quit [Ping timeout: 264 seconds]
22:08 < _FBi> mrtux, ping me when you're back
22:10 -!- boypussy [~supergaun@unaffiliated/supergauntlet] has quit [Quit: ZNC - http://znc.in]
22:11 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
22:12 -!- supergauntlet [~supergaun@unaffiliated/supergauntlet] has joined #openvpn
22:13 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has quit [Ping timeout: 272 seconds]
22:17 < mrtux> _FBi: I'm back
22:18 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
22:45 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Quit: WeeChat 0.4.3]
22:47 -!- mrtux [~stallman@unaffiliated/mrtux] has joined #openvpn
23:13 -!- ShadniX [dagger@p5DDFF18B.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:14 -!- TyrfingMjolnir [~Tyrfing@cm191.iota111.maxonline.com.sg] has joined #openvpn
23:15 -!- ShadniX [dagger@p5481D46D.dip0.t-ipconnect.de] has joined #openvpn
23:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:34 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has left #openvpn []
23:35 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has joined #openvpn
23:35 -!- CLG_CEO_ [~CLG_CEO_@cablepool5-247.wkybb.net] has left #openvpn []
23:48 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 258 seconds]
--- Day changed Fri Nov 21 2014
00:17 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 245 seconds]
00:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
00:46 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
00:47 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:48 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:00 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
01:01 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
01:07 -!- erratic [~erratic@erratic.paigeat.info] has quit [Ping timeout: 258 seconds]
01:15 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
01:46 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:58 -!- mattock_afk is now known as mattock
02:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:06 -!- N77 [~N@unaffiliated/n77] has joined #openvpn
02:06 < N77> hello
02:09 < N77> could someone give me an advice. What is the correct way to solve an issue with two client certificates with the same name? I've accidentally created certificate with name that already exists and overwrite the old one in directory "keys", but it seems that old one still can be used to connect to the server.
02:14 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
02:17 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
02:27 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1124:cb22:538:84b2] has joined #openvpn
02:28 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
02:30 -!- quup [~ppp@unaffiliated/quup] has left #openvpn []
02:50 -!- Fudge [~Rob@static-71-241-229-94.washdc.fios.verizon.net] has joined #openvpn
02:50 < Fudge> hi
02:53 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has joined #openvpn
02:54 < Fudge> hi need some help please
02:54 < Fudge> a client is getting this
02:54 < Fudge> Fri Nov 21 19:51:40 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
02:54 < Fudge> Fri Nov 21 19:51:40 2014 TLS Error: TLS handshake failed
03:12 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
03:17 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
03:22 -!- elfixit [~Icedove@nl9x.mullvad.net] has joined #openvpn
03:24 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Read error: Connection reset by peer]
03:34 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
04:05 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
04:08 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
04:11 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
04:13 -!- dazo_afk is now known as dazo
04:40 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
04:42 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
04:48 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:57 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
04:59 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 264 seconds]
04:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:05 -!- Chais [~Chais@80.110.97.57] has quit [Read error: Connection reset by peer]
05:25 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
05:46 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
05:58 -!- axelm7 [~axelm7@181.169.18.26] has joined #openvpn
06:00 < axelm7> hi, does anyone have a tutorial explaining how to switch from Access Server to OpenVPN community version. My AS renewal is up soon and they are asking for 900 dollars this time. License cost went up from 6 to 9.60 dollars per year per user.
06:01 <@plaisthos> I don't know of any
06:01 < axelm7> I need to export all the users and certs from one system to the other
06:01 <@plaisthos> there are a lot of tutorial how to set up OpenVPN community version from scratch though
06:02 < axelm7> plus set up the necessary config params
06:02 <@plaisthos> yeah sure, read the guides to setup OpenVPN
06:03 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
06:03 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 240 seconds]
06:03 < axelm7> I am familiar with setting up OpenVPN community. I just need to know the tricks to move from AS to Community
06:04 <@plaisthos> so?
06:04 <@plaisthos> most people here don't know anything about the AS version
06:04 <@plaisthos> and are only familiar with the community version
06:04 < axelm7> If I ask this question on the AS board, I'll get banned for sure
06:04 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
06:04 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
06:05 <@plaisthos> probably not
06:05 < axelm7> I thought someone here might have done this before or it's documented somewhere
06:05 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
06:05 <@plaisthos> they will probably politely tell you that they do not support you when you doing this
06:06 <@plaisthos> But I am not aware of any guide that tells you how to convert AS to community
06:06 <@plaisthos> at the end it comes down to cost again
06:07 <@plaisthos> what  is cheaper
06:07 <@plaisthos> license costs or the extra amount of work and support
06:13 < axelm7> I am really satisfied with AS, but a 60% increment is a bit steep
06:17 <@dazo> axelm7: the AS server is quite advanced, and has a lot of techniques built in to also tackle scaling.  The OpenVPN binary the community is behind basically is just one of many components in the OpenVPN AS product
06:17 <@dazo> So moving from AS to the community edition will require some work, depending on your config
06:19 <@plaisthos> axelm7: maybe complain/talk to their sales
06:22 < axelm7> The reason I chose AS was failover. I had two boxes and AS would save me if hardware failed or I needed to service the OS.
06:23 < axelm7> Now I've moved both nodes to a HiVelocity's cloud and I'm not worried about hardware anymore. OS updates are still an issue though.
06:27 < axelm7> their support is pretty good too
06:34 -!- elfixit [~Icedove@nl9x.mullvad.net] has quit [Ping timeout: 255 seconds]
06:36 -!- fu3l [fu3l@unaffiliated/fu3l] has joined #openvpn
06:41 -!- fu3l [fu3l@unaffiliated/fu3l] has quit []
06:45 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Read error: Connection reset by peer]
07:04 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has joined #openvpn
07:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:22 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
07:36 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
07:48 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
07:53 -!- torax [torax@kapsi.fi] has joined #openvpn
07:54 < torax> Hey, Does openvpn client reconnect using another server if first server goes offline. I have three remote in client config
07:55 < torax> and resolv-retry infinite
07:55 <@plaisthos> yes
07:55 <@plaisthos> but it first retries that server after disconnect
07:56 < torax> is the default timeout sane or should I modify it?
07:57 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has joined #openvpn
07:57 < ShotokanZH> hi guys
07:58 < ShotokanZH> free alternatives to openvpn-as? ^^
07:58 <@plaisthos> as in?
07:59 <@plaisthos> simple vpn sure
07:59 <@plaisthos> openvpn community
07:59 <@plaisthos> powerful management solution for your VPN?
07:59 < ShotokanZH> plaisthos, a simple web configurator for openvpn :)
08:00 <@plaisthos> There might be serveral
08:00 <@plaisthos> iirc pfsense comes with one
08:00 <@plaisthos> for example
08:00 < ShotokanZH> thx
08:01 <@plaisthos> but you have to google
08:01 <@plaisthos> or maybe someone on the channel might know one
08:07 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 245 seconds]
08:08 -!- APTX_ [~APTX@unaffiliated/aptx] has quit [Ping timeout: 272 seconds]
08:11 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:14 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 272 seconds]
08:14 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
08:15 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Read error: Connection reset by peer]
08:15 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:15 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 272 seconds]
08:16 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 272 seconds]
08:16 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has quit [Ping timeout: 272 seconds]
08:16 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
08:16 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
08:17 -!- Fiouz [~Fiouz@2001:bc8:3068::dead:beef] has joined #openvpn
08:17 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
08:18 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
08:20 -!- axelm7 [~axelm7@181.169.18.26] has left #openvpn []
08:26 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
08:31 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:31 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:50 -!- Denial [~Denial@81.141.8.23] has joined #openvpn
08:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:20 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Ping timeout: 265 seconds]
09:22 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
09:24 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 264 seconds]
09:30 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
09:32 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
09:56 -!- yegorich [d5d163ca@gateway/web/freenode/ip.213.209.99.202] has joined #openvpn
09:58 < yegorich> Hi! configure.ac has an option password-save and in the description is stated "default=yes", but action-if-not-given is enable_password_save="no". What is the desired behavoir?
10:02 <@plaisthos> you cannot save the password
10:03 <@plaisthos> that configure just disable some options in openvpn
10:04 -!- Latrina [~Latrina@ppp-30-63.26-151.libero.it] has quit [Ping timeout: 264 seconds]
10:06 -!- Latrina [~Latrina@ppp-13-19.26-151.libero.it] has joined #openvpn
10:07 < yegorich> @plaisthos: description is contradictory: default should then be "no"
10:08 < yegorich> because, when I compile without this option given to configure script, it is also not enabled
10:08 <@plaisthos> yegorich: that may be
10:09 <@plaisthos> I would have too look into it
10:09 < yegorich> Should I submit a patch or you would make it yourself=
10:09 < yegorich> OK, thanks
10:09 <@plaisthos> yegorich: you can make a patch and submit it
10:09 < yegorich> OK will do
10:09 <@plaisthos> but I am not 100% sure if it worth keeping that option at all
10:10 <@plaisthos> i.e. always yes could be fine too
10:10 < yegorich> What is better GitHub or mailig list?
10:11 < yegorich> We're using this option btw
10:11 <@plaisthos> mailing list
10:11 < yegorich> This is why I came upon this configuration issu
10:11 <@plaisthos> yegorich: disabling password-save?
10:11 < yegorich> No, enabling
10:12 < yegorich> I was just curoius, why is it disabled, if defualt value is "yes"
10:13 -!- N77 [~N@unaffiliated/n77] has quit [Ping timeout: 240 seconds]
10:19 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has joined #openvpn
10:21 -!- Latrina [~Latrina@ppp-13-19.26-151.libero.it] has quit [Ping timeout: 240 seconds]
10:26 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:43 <@plaisthos> yegorich: everyone builds it with no
10:43 <@plaisthos> that what I meant with keeping the option at all
10:43 <@plaisthos> instead it might be agreeable to just remove the configuration and always compile password saving in
10:44 < yegorich> @plaisthos: I agrre with this
10:44 < yegorich> waiting for your patch then
10:45 -!- yegorich [d5d163ca@gateway/web/freenode/ip.213.209.99.202] has quit [Quit: Page closed]
10:49 -!- nvdpl [~textual@89-67-140-170.dynamic.chello.pl] has quit [Quit: ZZZzzz…]
10:52 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Read error: Connection reset by peer]
10:55 -!- mrtux [~stallman@unaffiliated/mrtux] has joined #openvpn
11:00 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
11:00 -!- Popsikle [~popsikle@67.110.154.218.ptr.us.xo.net] has joined #openvpn
11:08 -!- foertel [~foertel@ip1f10036e.dynamic.kabel-deutschland.de] has joined #openvpn
11:08 < foertel> mornin
11:09 < foertel> getting: Nov 21 17:49:44 wlanFabrik-gw01 ovpn-gastfunkbox[1471]: PLUGIN_INIT: could not load plugin shared object /usr/lib/openvpn/openvpn-auth-pam.so: /usr/lib/openvpn/openvpn-auth-pam.so: cannot open shared object file: No such file or directory
11:10 < foertel> even though the specified file is there :-/
11:12 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
11:13 < foertel> strike that :D
11:13 < foertel> autocompletion hit me ... will figure that out
11:16 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has joined #openvpn
11:17 < johnfg> I regenerated the client for my centos box, but am still getting the error about the TLS handshake failed.
11:17 < johnfg> Both win7 and gentoo boxes are connected to the debian openvpn server with no problems.
11:18 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Read error: Connection reset by peer]
11:18 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
11:24 -!- ShotokanZH [~ShotokanZ@unaffiliated/shotokanzh] has left #openvpn ["this.channel.quit();"]
11:28 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
11:28 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
11:32 < johnfg> Ok, this is weird.  I stopped openvpn on gentoo.  I copied those client files, viz. client1.crt and client1.key to centos.  Ran openvpn client.conf, using client1 and voila, I have a vpn.
11:32 < johnfg> Any idea why that client works while the newly generated client does not?
11:35 -!- foertel [~foertel@ip1f10036e.dynamic.kabel-deutschland.de] has left #openvpn []
11:42 < ice9> whats wrong in these rules, I can connecto VPN but can't route traffic: https://gist.github.com/anonymous/f732c3d3c9535941acf0
11:42 <@vpnHelper> Title: gist:f732c3d3c9535941acf0 (at gist.github.com)
11:48 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:18 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
12:19 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: ZZZzzz…]
12:22 -!- deranged_user [Jess@lolnerd.net] has quit [Quit: et nos unum sumus]
12:28 -!- dazo is now known as dazo_afk
12:29 -!- deranged_user [Jess@lolpurr.net] has joined #openvpn
12:29 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has quit [Quit: leaving]
12:41 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
12:41 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Max SendQ exceeded]
12:41 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
12:45 -!- Guest25174 [~Fun1@unaffiliated/fun] has joined #openvpn
12:46 -!- Guest25174 [~Fun1@unaffiliated/fun] has left #openvpn []
12:46 -!- Fun [~Fun1@unaffiliated/fun] has joined #openvpn
12:46 < Fun> he
12:47 < Fun> issue arisen
12:47 < Fun> error creating HKLM Software OpenVPN GUI Key
12:47 < Fun> such bs
12:48 < Fun> https://forums.openvpn.net/topic13836.html
12:48 <@vpnHelper> Title: OpenVPN Support Forum [Solved] error when launching the software : Scripting and Customizations (at forums.openvpn.net)
12:48 < Fun> wtf where is solution!!!
12:48 < Fun> lol
12:49 < Fun> fixed wnen run as admin
12:49 < Fun> :D
12:49 < Fun> fuck that nice one
12:49 -!- Fun [~Fun1@unaffiliated/fun] has left #openvpn []
13:09 -!- Popsikle [~popsikle@67.110.154.218.ptr.us.xo.net] has quit [Remote host closed the connection]
13:10 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
13:20 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
13:22 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
13:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
13:40 -!- marklite is now known as markelite
14:03 -!- busch [~busch@datenschleuder.com] has joined #openvpn
14:06 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1124:cb22:538:84b2] has quit [Read error: Connection reset by peer]
14:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
14:09 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: Quit...]
14:13 -!- abbe is now known as thijk
14:13 -!- thijk is now known as abbe
14:17 -!- fun [~Fun@unaffiliated/fun] has joined #openvpn
14:17 < fun> when I use openvpn
14:17 < fun> it says hostname = client ip
14:17 < fun> ip=server ip
14:17 < fun> weird
14:28 -!- Denial [~Denial@81.141.8.23] has quit [Ping timeout: 255 seconds]
14:31 < fun> FlushIpNetTable failed on interface [60]
14:32 < fun> why
14:32 < fun> how to fix it?>
14:33 < fun> anyone?
14:33 < fun> wake uo? :D
14:33 < fun> wake up!
14:34 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 272 seconds]
14:34 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
14:42 < fun> wtf are u idling here fore
14:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:00 < fun> :)
15:06 < fun> stupid lurkers
15:06 < fun> why dont u quit
15:06 < fun> lol
15:06 < fun> who is talking here?
15:14 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has joined #openvpn
15:16 < Faux_Pas> How do I set up a (Linux) VPN client such that only a certain set of domain names gets accessed through the VPN?
15:17 < fun> no idea
15:17 < fun> :D
15:17 < fun> some setting?
15:17 < Faux_Pas> hahaha
15:17 < Faux_Pas> "you probly wanna just edit some config file or something"
15:18 < fun> I admit I am pissed off
15:18 < fun> since for 30 min
15:18 < fun> no one talked here
15:18 < fun> but me!!!
15:18 < fun> :D
15:18 < Faux_Pas> Ah.
15:18 < fun> RBecker:  how da fuck u got voice here
15:18 < fun> I sense some rooms run by same lurkers
15:18 < Faux_Pas> Well, I hope you find the answers you seek.
15:18 <+RBecker> fun: by having an openvpn/user cloak
15:18 < fun> yes I will pay someone :D
15:19 < Faux_Pas> !goal
15:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:20 < Faux_Pas> !goal I would like to access one site over my VPN
15:20 < Faux_Pas> !welcome
15:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:20 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:20 < fun> I dont think u can use open vpn to filter sites
15:20 < fun> u need webfilter
15:20 < fun> imo
15:20 < Faux_Pas> !howto
15:20 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:21 < fun> fck howto
15:21 < fun> :d
15:21 < fun> what is this chat foir?
15:21 < fun> for
15:21 < Faux_Pas> ¯\_(ツ)_/¯
15:22 < fun> ok I know why
15:22 < fun> they want people to suffer
15:22 < fun> instead of giving aswer
15:22 < fun> answer
15:22 < fun> fck that
15:22 < fun> enjoy u sado maso channel
15:22 -!- fun [~Fun@unaffiliated/fun] has left #openvpn []
15:22 < ice9> is it a must to make FORWARD -j ACCEPT?
15:29 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has quit [Quit: Error closing Trouser.zip - Replace floppy and retry?]
15:51 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
15:53 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:dc9f:b90e:6a45:bb91] has joined #openvpn
16:00 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
16:04 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
16:15 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
16:31 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:dc9f:b90e:6a45:bb91] has quit [Quit: Leaving]
16:57 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
17:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
17:11 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:7836:e562:d8a6:5105] has joined #openvpn
17:18 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
17:19 < ice9> i'm routing traffic through tap, DNS is working but i can't connect to any destination in the internet, ping gives destination unreachable
17:19 < ice9> enabled ip_forwarding and add iptables rule for nat
17:19 < pekster> Check/follow this, especially the helpful flowchart:
17:19 < pekster> !redirect
17:19 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:19 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:20 -!- mattock is now known as mattock_afk
17:20 < pekster> Also, best to use tun (not tap) for that; you don't need Ethernet frame support for this
17:23 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:24 < ice9> pekster: i switched to tun and i get this in the client log just after connection  write to TUN/TAP : Invalid argument (code=22)
17:26 < ice9> sorry my fault its working now
17:35 < ice9> if i'm disconnected and reconnecting again it doesn't work because the server see  the first session is still active
17:35 < ice9> and i'm allowing 1 connection at a time
17:36 < pekster> !dupe
17:36 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
17:36 < pekster> By default the most-recently-connected connection will kick the others off
17:38 < ice9> i'm not duplicating connections and there is only one client with it's own cert
17:38 < ice9> and the recent connection doesn't kill the previous
17:38 < ice9> i have to restart the openvpn srever
17:39 < pekster> logs would help
17:39 < pekster> !logs
17:39 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:39 < pekster> The server will most certainly tell you if you reconnected before the original connection was terminated
17:40 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
17:45 -!- Chais [~Chais@80.110.97.57] has joined #openvpn
17:49 < pekster> Your client logs don't show any succesful connection by your client, and your server appears to be rejecting it becuase you already have a maximum of 1 client connected
17:50 < pekster> This means you cannot connect again until it times-out your client; this probably isn't what you want, unless you want artificial delays reconnecting after timeouts
17:50 < ice9> there was a successful connection before this log then i disconnected and tried to reconnect
17:51 < pekster> Then showing me incomplete logs leads to incomplete inforamtion from me
17:51 < ice9> sorry i i'll try to catch it again
17:51 < pekster> The rest of my points are quite valid, and since there's nothing in that server log about a client timeout, the client is still considered connected
17:52 < pekster> lines 12, 22, 32, and 43
17:52 < pekster> 42*
17:52 < pekster> "Hi can I connect?" *server-ignores* "Hi, can I connect now?"...
17:54 < ice9> so i should set keepalive to lower values, currently 10 60
17:54 < ice9> ?
17:55 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 264 seconds]
17:55 < pekster> That means the server will consider a lost client valid for 120 seconds after the last authenticated packet from the client
17:55 < pekster> Either wait that long, reduce your server-side timeout value, or allow more than 1 connection so a reconnecting client automatically terminates the old session
17:56 < ice9> cool
17:56 < pekster> The last option is probably what you want, but depends on your needs
17:56 < pekster> And how you're using the keypairs for clients
17:57 < ice9> what is the difference between connecting via openvpn cmd from cmdline and using gnome NetworkManager?
17:58 < pekster> The latter is a frontend that has traditionally done an awful job of explaining what it's actually doing or giving users good control over what happens
17:58 < pekster> But it's "pretty"
17:58 < pekster> !gui
17:58 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
17:59 < ice9> hehe that's right :D
18:00 < ice9> pekster: thank you very much you were very helpful :)
18:01 < ice9> what does this warning mean? "No server certificate verification method has been enabled"
18:01 < pekster> !mitm
18:01 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
18:01 < pekster> It's a mitigation to prevent 2 authorized clients from possibly attacking one-another
18:01 < pekster> (or 2 servers for that matter, but you're probably doing it wrong if that's a serious security risk)
18:04 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
18:05 < ice9> how long have you been working with openvpn?
18:15 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
18:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
18:36 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Quit: No Ping reply in 180 seconds.]
18:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
18:49 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
18:50 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has joined #openvpn
18:52 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
18:53 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:04 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
19:12 < pekster> Since the 2.0.9 days
19:12 < pekster> And the tor user has gone anyway
19:39 < mrtux>  hey, i'm trying to get ipv6 to work on my openvpn server.
19:39 < mrtux> openvpn seems to give my phone a v6 ip and i can ping it
19:39 < mrtux> but it's not connecting to the internet
19:46 < pekster> Have a copy of your server config on a pastebin yet?
19:51 < mrtux> pekster: sure hang on
19:52 < mrtux> https://pastee.org/4ej6w
19:53 < pekster> mrtux: How are you routing the /112 on line 36 routed to your ovpn server?
19:53 < mrtux> i have no idea
19:54 < pekster> Then that's a problem, because you need the traffic to be accepted by your upstream, and be routed replies to the outbound traffic your VPN clients send so IP actually works
19:54 < mrtux> yes
19:54 < pekster> Why'd you use a network if you don't know where it came from?
19:55 < pekster> Is this part of a larger block you're routed? You can't use on-link address for this
19:55 < mrtux> Ipv6 kind of confuses me
19:55 < mrtux> I'm not sure what I need to set
19:55 < pekster> It's the same as IPv4; you can't route to your own downstream networks that which you're not routed
19:55 < pekster> And until you describe your network allocation and routing from your ISP (network provider) above you, I can't either
19:56 < mrtux> I'm given a /112 from my vps provider and I'd like to use one of the ips for it
19:57 < pekster> What OS is this?
19:57 < pekster> (the server)
19:57 < mrtux> Gentoo linux
19:57 < pekster> I'll need to see `ip a` then
19:58 < mrtux> one minute, ip isn't installed for some odd reason
19:58 < pekster> Try `/sbin/ip a`
19:59 < mrtux> nope
19:59 < pekster> oh, gentoo, yea, they (still) don't include that by default. As cool as the 2.4 kernel was, we're past it now
19:59 < mrtux> I need to install it, forgot which package it is
19:59 < pekster> Should be a fast emerge though
19:59 < pekster> iproute2
19:59 < pekster> sys-apps/iproute2
19:59 < mrtux> also sadly my VPS (which is openvz) is on kernel 2.6.32
19:59 < pekster> Yes, still much newer than 2.4
20:00 < mrtux> so I don't know if that would cause any issues or not
20:00 < pekster> iproute2 (and modern Linux networking) were introduced then
20:00 < pekster> No, it works fine
20:00 < mrtux> ok
20:00 < pekster> Get in the last 15 years and use sane tooling
20:00 < pekster> !ifconfig_linux
20:00 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
20:00 -!- Netsplit *.net <-> *.split quits: nullie, pppingme, deviantintegral, phunyguy, Reventlov, SushiDude, Neal_, akurilin, gffa, AlexRussia,  (+21 more, use /NETSPLIT to show all of them)
20:00 < mrtux> iproute2 is compiling right now
20:01 < pekster> Yea. I'm still annoyed that's not in a stage3, but I've stopped beating that drum. Easy enough to install I guess
20:01 < mrtux> https://pastee.org/gyhvb
20:03 < pekster> You can't use that /112 for the VPN; it's already consumed for your on-link venet0 adapter (looks like your uplink.) ie: 2001:1b40:5000:ff3::24:0/112 is _already_ used; all you can do with that network (all 65,535 IPs on it) is put up to that many secondary IPs on your host. You need a network _routed_ to you over that interface
20:03 < mrtux> alright.
20:04 < pekster> You should ask them for a routed deligation; a /64 works if you plan to carve out /112's out of it, but really they shouldn't have a problem giving you a /56 if you ask
20:04 < mrtux> I don't think I can get a /64
20:04 < pekster> THen they're fucking idiots
20:05 < pekster> RFC6177 days you should be able to get something around a /56 without issue. Find a company that doesn't screw customers over
20:05 < pekster> says*
20:05 < mrtux> well i pay nothing out of my pocket for this so
20:05 < pekster> I could give you some frozen leaves from the street for nothing too ;)
20:06 < mrtux> should I use a tunnel broker like sixxs?
20:07 < pekster> I suppose. Seems really broken to do that when you have native IPv6, but yours is apparently crippled. I'd ask for a routed (again, _routed_ is critical here. a /64 on-link is just as worthless for you) deligation first
20:07 < mrtux> or is there a way I can just use a single ip6 address for all the hosts connected to the vpn?
20:07 < pekster> If they refuse, you can tunnel, with the usual hassles that come with that: extra hassle, sub-1500-MTU, and you need to route all your v6 through them (latency, if they go down you do, etc)
20:07 < pekster> Don't do that. NAT-Overload is a Very Bad Thing™
20:08 < mrtux> alright
20:08 < pekster> You need a company willing to sell you network access, not a glorified webhost
20:09 < pekster> Or a tunnel I suppose (either HE or sixxs will happily give you a routed /48 on request)
20:09 < mrtux> is there any reason why I _need_ a /64? I don't quite see how I'd need more than 65535 ips for a vpn server
20:09 < pekster> You don't; you need a *ROUTED* deligation
20:09 < pekster> Your /112 is on-link
20:09 < mrtux> Ah
20:09 < pekster> And really, you don't get routed anything less than a /64
20:10 < pekster> /64 == 1 LAN in SLAAC, so no one messes with less than that, except clueless idiots (like your "VPS" -- not even a VPS since it looks like OpenVZ, which is a glorified chroot platform)
20:10 < pekster> You gotta wonder what else they screw up if they can't get the basics right. Lots of clueless people holding their hands out for money in this market though
20:11 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
20:11 < pekster> The summary in RFC6177 is pretty clear they they shouldn't be holding you back like this. But hey, your choice where to look for hosting
20:11 < mrtux> I see. I'm not paying anything for this vps though, it's hosted by a friend
20:12 < pekster> Sure. However you end up with a routed network (yes, technically you could get a /112 routed to you, but might as well make it a /64 at least, or a /56 if you can so you can expand later if you want. Say more VPNs or w/e.)
20:12 < pekster> You can do that by 1) requesting it, 2) use a tunnel broker, or 3) switch hosting
20:12 < pekster> There are some really awful hacks to do proxy-NDP, but that's so broken and I've no interest in making stupid work
20:14 < mrtux> alright
20:16 < mrtux> I guess I'll just keep this ipv4-only for now unless I decide to use a tunnel broker
20:17 < pekster> Yea. Think of OpenVPN as a router; a border router has the network it's connected to the rest of the world with, and the internal networks. You need _unique_ addressing, and you don't have another network to use for this
20:17 < pekster> ie: basic routing. OpenVPN can't route what you don't have to begin with
20:18 < mrtux> makes sense. i'm still learning about networking (if you couldn't tell already)
20:18 < mrtux> thanks for your time
20:19 < pekster> Sure. And if you do end up getting them to do the right (and proper) thing by giving you at minimum a routed /64, the rest is pretty easy. Basically just update the address to use a /112 in that range, turn on IPv6 routing, and presumably a firewall
20:20 < mrtux> ok
20:29 -!- akurilin [~alex@208.185.21.146] has joined #openvpn
20:32 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
20:32 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
20:32 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
20:32 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
20:32 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
20:32 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
20:32 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
20:32 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
20:32 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
20:32 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has joined #openvpn
20:32 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
20:32 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
20:32 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
20:32 -!- _FBi [B@Aircrack-NG/User] has joined #openvpn
20:32 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:7836:e562:d8a6:5105] has joined #openvpn
20:32 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has joined #openvpn
20:32 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
20:32 -!- kirin` [telex@gateway/shell/anapnea.net/x-obkhoqsdtyyngtkd] has joined #openvpn
20:32 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
20:32 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
20:32 -!- alexwh [~alexwh@unaffiliated/alexwh] has joined #openvpn
20:32 -!- Netsplit *.net <-> *.split quits: AlexRussia, pppingme, dvl, kirin`, alexwh
20:33 -!- nullie [~nullie@li732-95.members.linode.com] has joined #openvpn
20:33 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:33 -!- Reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
20:33 -!- Argure [argure@geonosis.donttrustrobots.nl] has joined #openvpn
20:40 -!- Netsplit *.net <-> *.split quits: nullie, moparisthebest, Reventlov, Argure
20:40 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Max SendQ exceeded]
20:40 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has quit [Max SendQ exceeded]
20:41 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
20:41 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
20:41 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
20:41 -!- Netsplit over, joins: AlexRussia, kirin`, pppingme, dvl, alexwh
20:42 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has joined #openvpn
20:42 -!- kirin` [telex@gateway/shell/anapnea.net/x-obkhoqsdtyyngtkd] has quit [Max SendQ exceeded]
20:46 -!- nullie [~nullie@li732-95.members.linode.com] has joined #openvpn
20:46 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:46 -!- Reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
20:46 -!- Argure [argure@geonosis.donttrustrobots.nl] has joined #openvpn
20:46 -!- Chex [~Chex@swampjax.northnook.ca] has joined #openvpn
20:52 -!- kirin` [telex@gateway/shell/anapnea.net/x-dhespcitxstmjaqi] has joined #openvpn
21:10 < zoredache> speaking of v6.  Can you go IPv6 only with OpenVPN 2.3 or is IPv4 still required?
21:14 -!- justinzane [~justinzan@67.21.190.132] has quit []
21:38 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:57 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:7836:e562:d8a6:5105] has quit [Quit: Leaving]
21:59 < pekster> zoredache: v4 still required inside the tunnel due to how client association happens today. You're free to run the transport over native of course
21:59 < pekster> In practice all this means is you assign a dummy v4 IP to the client, even if you don't intend to use it
22:11 -!- wallydz [~wallydz@shout.ptn.re] has quit [Ping timeout: 265 seconds]
22:11 -!- bacon| [marom@unaffiliated/cowbacon] has quit [Ping timeout: 240 seconds]
22:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
22:12 -!- micah [~micah@debian/developer/micah] has quit [Ping timeout: 265 seconds]
22:13 -!- bacon| [marom@unaffiliated/cowbacon] has joined #openvpn
22:13 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 265 seconds]
22:13 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
22:16 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
22:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
22:46 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
23:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:10 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:d984:6933:71a9:4fff] has joined #openvpn
23:14 -!- ShadniX [dagger@p5481D46D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:15 -!- ShadniX [dagger@p57941E22.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Nov 22 2014
00:22 -!- varsisstudio [~varsisstu@104.207.136.120] has joined #openvpn
00:40 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
00:46 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 272 seconds]
00:58 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
00:58 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
01:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
01:14 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
01:18 < Fudge> is this the wrong place to ask iptables questions for openvpn?
01:30 < Fudge> how can I specify my password as a client using the client.conf
01:38 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 255 seconds]
01:50 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:40 -!- mattock_afk is now known as mattock
02:45 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:52 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
02:58 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
03:29 < Fudge> ok i thought i needed tap but will tun allow a couple of friends to join my vpn and appear to be clients on our network? none of us want to tunnel normal internet traffic through the vpn
03:29 < Fudge> really struggling to understand
03:37 <@syzzer> Fudge: yes, tun can do that too, but you need to set up routing
03:38 <@syzzer> !tap
03:38 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
03:38 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
04:05 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
04:05 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
04:09 < Fudge> syzzer:  my head is hurting, do yo uhave time to let me exlain what im doing and make a suggestion?
04:10 < Fudge> links im reading say to use bridge-start and stop scripts but im currently doing it from my interfaces file, I can pastebin some stuff?
04:12 <@syzzer> yes, that is ok. I don't have much time, but if I can't help you out, someone else lateron might :)
04:12 < Fudge> I have fibre going into my ubunu server which eth0=world eth1=lan, have a br0 which brdiges tap0 to eth1
04:12 < Fudge> thanks so much mate
04:12 < Fudge> interfaces http://paste.ubuntu.com/9169182/
04:13 < Fudge> dycp-server http://paste.ubuntu.com/9169183/
04:13 < Fudge> openvpn server http://paste.ubuntu.com/9169201/
04:14 < Fudge> current log http://paste.ubuntu.com/9169216/
04:14 <@syzzer> if you're bridging eth1 to tap0, you should just put IP addresses on br0, not on eth1
04:16 < Fudge> did i mention this is my gateway?
04:16 <@syzzer> yes, you did
04:16 < Fudge> eth1 is the chp server and gateway, eth0 binds to my isp
04:16 < Fudge> ah
04:16 <@syzzer> ah, well, not explicitly, but I got it from the context ;)
04:16 < Fudge> sorry for seeming dense then, i dont quite understand what you mean then
04:16 < Fudge> :)
04:18 <@syzzer> if you bridge interfaces, you don't really use the underlying interfaces anymore, but you use the bridge-interface
04:18 < Fudge> i also have a strong suspicion that it might be iptables not forwarding or allowing something, I have not  grasped its use much as yet
04:18 <@syzzer> but let's take one step back, what do you want to achieve? why do you need bridging?
04:19 < Fudge> good question, i have a couple of friends and we want our servers to be connected for a local network and file sharing etc
04:19 < Fudge> but dont want to use each other as gateways, which is what i thought tun was
04:20 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
04:20 <@syzzer> file sharing as in windows file sharing, without a domain? or ftp/scp (i.e. something same that doesn't need ethernet broadcasts)?
04:20 < Fudge> ubuntu boxes
04:20 <@syzzer> no, tun is just 'layer 3', tap is 'layer 2'.
04:21 < Fudge> also you may have noticed that I am trying to use the same subnet, but 10.10.10.100-150 for my vpn
04:21 < ice9> i'm routing traffic through tap, my IP is 10.8.0.6 and the remote tap is inet addr:10.8.0.1  P-t-P:10.8.0.2,   i want to ssh to same server from inside the vpn not going through the internet
04:21 < ice9> but i can't ping any of these ip's
04:22 < Fudge> thats kidn of what we are trying to achieve
04:22 < Fudge> same subnet may hae routing issues though?
04:23 < Fudge> I get a sore head trying to nut this out syzzer
04:24 <@syzzer> if you're bridging you probably want to be in the same subnet, but if you're routing ('tun') you create a separate subnet for the vpn
04:25 < Fudge> ah right so on the right track with that part
04:25 < Fudge> would it help you to see my iptables rules?
04:26 < Fudge> to see how badly ive messed sh** up
04:26 < ice9> correcting my previous post its tun not tap
04:26 < Fudge> if you still ahve a little time left ofc
04:26 < Fudge> gateway redirect ice9 ?
04:26 <@syzzer> there should not be much iptables involved if you're using tap
04:26 < ice9> Fudge: yes redirect-gateway def1
04:27 <@syzzer> ice9: the flowchart might help you out:
04:27 <@syzzer> !redirect
04:27 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
04:27 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
04:27 < Fudge> syzzer:  iptables-save piped to a pastebin?
04:28 <@syzzer> (not hat you necessarily want redirect, but it might help troubleshooting)
04:28 < ice9> i'm using already redirect gateway, nat and ip forwarding and everything is working fine but i need to ssh the same server that's hosting the vpn from inside the vpn
04:28 < ice9> i can't ping it's tun ip
04:28 < Fudge> wouldnt that be the route then?
04:29 < Fudge> syzzer:  http://paste.ubuntu.com/9169439/
04:30 <@syzzer> ice9: that is weird. Could it be that you're firewall is blocking incoming ping/ssh from the vpn interface?
04:31 < ice9> i will cehck
04:31 <@syzzer> Fudge: I can see you're head is hurting :p you don't want any MASQUERADE on your tap0
04:33 <@syzzer> I'll have to leave soon, but let's just get back to the concepts to see if that helps with the head hurting
04:34 <@syzzer> bridging interfaces to a single interface basically means that you ask the kernel to act as an ethernet switch between those interfaces
04:35 <@syzzer> the br0 interface is connected to that 'switch'
04:35 < Fudge> yep
04:35 < Fudge> ok ill see about removing
04:35 <@syzzer> so everything you do on the bridge should be done on br0, not on the underlying interfaces
04:35 < Fudge> im not even really sure what MASQUERADE does
04:35 <@syzzer> basically, 'NAT'
04:36 < Fudge> thanks mate, appreciate your help
04:37 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
04:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
04:41 < Fudge> trying toiptables -L to find the rule
04:43 < ice9> Fudge: i'm allowing INPUT to SSH without specifying an interface
04:47 < Fudge> syzzer:  just another question slightly unrealated, I also have a client setup I am testing from out of my lan. but I do not know how to specify the password when it is running from teh client.conf
04:48 < ice9> syzzer: i'm allowing INPUT to SSH without specifying an interface
04:49 <@syzzer> ice9: this is where I don't know the details anymore, but I recall something about rules not being applied if the interface comes up after setting the iptables rules...
04:50 <@syzzer> Fudge: which password? the private key password/
04:50 < Fudge> yes syzzer
04:51 <@syzzer> openvpn should just ask you on the command line
04:51 < ice9> I see that tor's traffic is bypassing the traffic routing over the vpn
04:51 < Fudge> syzzer:  im starting it with service openvpn start and it sees the client.conf in /etc/openvpn/
04:53 < Fudge> howtogeek the  beginners guide to iptables is really good
04:54 <@syzzer> in that case you should use --askpass
04:55 < Fudge> can you specify that in the client.conf?
04:55 <@syzzer> yes
04:55 <@syzzer> either you force it to ask for the password during boot, or you put the password in a file (but then you could just as well remove the password from your private key)
04:56 <@syzzer> 'man openvpn' explains it quite well
04:57 < Fudge> will look
05:04 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:05  * Fudge falls over
05:05 < ice9> when forwarding tun to eth0, should i also forward the opposite too?
05:07 -!- Netsplit *.net <-> *.split quits: tapout, rich0, kossy, _FBi, varsisstudio, ExtraCarpety, DArqueBishop, phuzion, akamaru217, Neal_,  (+8 more, use /NETSPLIT to show all of them)
05:08 <@syzzer> ice9: depends on what you mean by 'forwarding'. if you enable forwarding in your kernel, it should just forward back and forth
05:08 < Fudge> have to comment persist tap in the ovn file fo rit to work
05:08 <@syzzer> let's, I think vpnhelper has an entry on that too
05:09 <@syzzer> !forwarding
05:09 <@syzzer> !forward
05:09 <@syzzer> or not...
05:09 < ice9> syzzer: forwarding is enabled in the kernel but i mean the iptables FORWARD rule
05:09 < ice9> -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
05:10 -!- Netsplit over, joins: varsisstudio, akamaru217, Droolio, _FBi, phuzion, SushiDude, Gman32, deviantintegral, Neal_, c0ded (+5 more)
05:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Max SendQ exceeded]
05:10 <@syzzer> ah, ok, that just allows forwarding of new connections, the other side should have something similar, but with just established,related (iirc)
05:10 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
05:10 -!- Netsplit over, joins: tapout
05:10 -!- Netsplit over, joins: kossy
05:11 -!- Netsplit *.net <-> *.split quits: Argure, nullie, Reventlov, moparisthebest
05:11 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
05:11 < ice9> so if i want tun to access lo, do i have to create such FORWARD rule?
05:12 <@syzzer> no, afaik you shouldn't
05:13 <@syzzer> but you might want to try your question again in a few hours, when the real network experts wake up ;)
05:13 -!- Netsplit over, joins: Reventlov, nullie, moparisthebest, Argure
05:13 < ice9> :) thanks a lot for helping
05:13 < ice9> but you are good too btw
05:14 <@syzzer> thank :) actually I'm a crypto guy pretending to understand networking a bit ;)
05:14 < ice9> what do you do in crypto?
05:14 <@syzzer> developing openvpn :)
05:14 < ice9> nice
05:15 < ice9> so you are the guy who protect us
05:15 < ice9> or the other one who installs backdoor :D , kidding
05:16 < Fudge> lmao
05:17 < ice9> syzzer: so what do you think is the best ciphers , i'm not defining any in the config files, just the cert,key,dh
05:18 <@syzzer> I'd advice to use AES-256-CBC
05:18 <@syzzer> and auth SHA256
05:18 < ice9> would this affect the speed much?
05:19 <@syzzer> on modern hardware (supporting AES-NI), AES is hardware accelerated.
05:19 <@syzzer> so that would actually both improve speed and performance
05:19 <@syzzer> on older hardware, it would cost a bit of throughput, in that case you could fall back to AES-128-CBC
05:20 < ice9> should i set them in both client and server configs?
05:20 <@syzzer> but be aware that you need to specify cipher and auth in *all* configs (both client and server)
05:21 < Fudge> syzzer:  if i on my lan nmap for udp ports should i see openvpn open on 1194
05:21 <@syzzer> depends on how you configured your server
05:22 <@syzzer> if you set 'local <ext ip>' in your config, you should not
05:22 <@syzzer> also, if you'
05:22 <@syzzer> aargh
05:22 < ice9> whats this "DPv4 link local: [undef]"
05:23 <@syzzer> if you're using udp and tls-auth (which you should!) nmap won't find anything
05:23 < ice9> ^U
05:23 < Fudge> i have local ip of my gateway
05:24 <@syzzer> I'm not 100% sure on what it would do for UDP without tls-auth, I don't think nmap will find anything without using nmap plugins
05:24 < Fudge> TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.173.31.160:1194
05:25 <@syzzer> sounds like you cipher/auth, or tls-auth settings do not match
05:26 < Fudge> have to be same in client and server right?
05:26 <@syzzer> cipher/auth have to be yes
05:26 <@syzzer> tls-auth needs a key-direction, which is '0' for one end, and '1' for the other end
05:28 < ice9> is there a way to verify that all my traffic is really routed through the vpn?
05:28 < Fudge> does ta.key get copied to the client as well?
05:28 <@syzzer> ice9: use tcpdump or perhaps traceroute
05:29 <@syzzer> Fudge: yes, all servers and clients need the same ta.key
05:30 < ice9> something really strange, does flash bypass vpn??
05:30 <@syzzer> it should not
05:31 < ice9> when i goto speedtest.net i see my local IP no the VPN one
05:31 <@syzzer> your routing rules define what goes over the vpn
05:31 <@syzzer> then your internet traffic is not routed over the vpn
05:32 < ice9> on other sites like ifconfig.me i get the VPNs  IP
05:32 < ice9> even curl from the terminal works fine
05:35 <@syzzer> ice9: that is really weird. maybe some stale old route?
05:36 <@syzzer> but have to go now
05:36 < ice9> syzzer: ok see you soon
05:36 <@syzzer> good luck with the setup, keep hammering at it and you will succeed ;)
05:37 < ice9> thanks
05:37 < Fudge> thanks for the help syzzer  tc
05:41 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
05:47 < Fudge> TLS Error: incoming packet authentication failed from [AF_INET]58.6.100.48:51334
05:48 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
05:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:57 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 250 seconds]
06:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
06:39 -!- akamaru [~akamaru21@2601:0:8a80:1064:d984:6933:71a9:4fff] has joined #openvpn
06:41 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:d984:6933:71a9:4fff] has quit [Ping timeout: 258 seconds]
06:43 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Read error: Connection reset by peer]
06:44 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
07:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:54 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
07:54 < ib54003> hey i windows do not show the netbios name over openvpn
07:54 < ib54003> how can i fix it?
07:55 -!- linuxaddicts [~linuxgeek@103.5.132.51] has joined #openvpn
07:56 < linuxaddicts> hi, i have a query on openvpn connect
07:57 < linuxaddicts> i have installed the openvpn connect on windows 8. is it possible to connect to multiple vpn's?
07:58 < linuxaddicts> in the community edition i know it is possible, however i did not find anything for openvpn connect. could anyone please help?
07:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
08:09 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has quit [Quit: Another day, another shaving accident.]
08:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:19 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:25 < ib54003> hey my samba shares are extremly slow "i am using tun and a tcp port" are there any settings t speed them uop?
08:25 < ib54003> *up?
08:48 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
08:50 -!- Latrina [~Latrina@ppp-43-40.26-151.libero.it] has joined #openvpn
08:52 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
08:52 < ice9> can the openvpn survive DPI?
08:56 -!- elfixit [~Icedove@p5B13A183.dip0.t-ipconnect.de] has joined #openvpn
08:57 < nullie> dpi?
09:03 -!- Latrina [~Latrina@ppp-43-40.26-151.libero.it] has quit [Ping timeout: 245 seconds]
09:04 -!- Latrina [~Latrina@adsl-ull-138-214.50-151.net24.it] has joined #openvpn
09:16 -!- Mike-- [mad@mx.probie.nl] has quit []
09:16 -!- Latrina [~Latrina@adsl-ull-138-214.50-151.net24.it] has quit [Ping timeout: 256 seconds]
09:17 -!- Latrina [~Latrina@adsl-ull-173-242.45-151.net24.it] has joined #openvpn
09:17 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Remote host closed the connection]
09:19 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
09:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
09:39 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 265 seconds]
09:48 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
09:48 -!- mode/#openvpn [+v RBecker] by ChanServ
10:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:07 -!- ib54003 [~ib54003@fedora/ib54003] has quit [Ping timeout: 240 seconds]
10:19 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
10:24 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
10:27 < hydrajump> hi
10:28 < hydrajump> do I have to build openvpn myself to get 2.3.5 on ubuntu 14.04?
10:32 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 250 seconds]
10:42 < pekster> hydrajump: Yup, though it's not that hard. This said, 2.3.2 is probably fine for most people; did you need some feature tht was only in a newer version?
10:44 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
10:46 < ib54003> is there a way to improve the speed my samba shares which are connected over vpn?
10:47 < pekster> tcp over tcp is best avoided for performance reasons
10:47 < pekster> !tcp
10:47 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
10:49 < ib54003> currently i use tcp
10:49 < ib54003> so i can improve speed when i use udp?
10:50 < pekster> "Depends." Why would you use inferior encapsulation protocols if you don't need them?
10:50 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
10:50 < ib54003> isn't it more secure ?
10:50 < pekster> Hope
10:50 < pekster> Nope*
10:51 < pekster> Security is provided by the cryptography, which has nothing at all to do with your transport protocoll
10:51 < ib54003> pekster: ok thx i will try udp ;)
10:52 -!- linuxaddicts [~linuxgeek@103.5.132.51] has quit [Ping timeout: 255 seconds]
10:54 < ib54003> pekster: maybe you can also help me .. i can't the netbiosname of my
10:54 < ib54003> samba share isn't working
10:54 < ib54003> do you know how to fix it?
11:00 < pekster> Set up DNS properly (dnsmasq is often fine at smaller sites)
11:00 < pekster> There's WINS, but really, that's just a hack for not doing DNS right in the first place
11:00 < pekster> And it means you need a WINS server then. The open-source Samba project can run one, but then you need to support that, or I suppose spend lots of money on a Windows Server
11:01 < pekster> Or use hosts files, or IPs. Plenty of options
11:02 < ib54003> i can't use ip i my TV only supports only list samba shares with a netbiosname and
11:02 < ib54003> i can't connect by ip
11:03 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
11:03 < pekster> I'm 1) quite sure that's not true (DNS merely resolves the name to an IP, and I'm quite sure your TV didn't re-invent transport protocols over raw Ethernet to serve you TV. go packet dump if you don't believe me)
11:04 < pekster> IP != resolving names by DNS, because you _still_ provide the resource name to the destination that way
11:04 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
11:04 < hydrajump> pekster: hi no I just read this "This is an old point release and you should in general use OpenVPN 2.3.4 instead." and thought why not use the latest version, but if I'm going to have to compile myself I guess I'll have to stick to what is in apt until 14.04 gets a package in the openvpn repo
11:05 < pekster> Whatever is easier for you
11:05 < pekster> 2.3.2 is still fine to use; you won't get the most bleeding edge features in the latest release, but unless you needed TLSv1.2 or something, it won't matter
11:07 < ib54003> pekster: yes its true its an ugly device and the interface didn't allow me to enter IPP
11:07 < ib54003> *IP
11:07  * pekster shrugs
11:08 < pekster> dhcp reservation will fix that so you _do_ know the IP. Or consider a bridged tap setup with openvpn due to your stupid device. That's more complex since it requires you to handle the brdige setup and addresing correctly between the VPN and your existing network
11:08 < pekster> dhcp reservation and a dnsmasq instance that uses your hosts file is really all you need here. But go nuts with bridging if you really think that's "easier"
11:12 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
11:13 -!- elfixit [~Icedove@p5B13A183.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:15 < ice9> can the vpn really prevent the deep packet inspection?
11:16 < pekster> That's not a useful question; what is it you actually want to know?
11:17 < pekster> You don't "prevent" something that happens on a network you don't control
11:17 < pekster> That's like asking if I lock my doors, can you still get out
11:17 < pekster> (of your own home)
11:18 < ice9> I mean if the ISP uses DPI to inspect traffic and do MiTM,  can they still do it on VPN?
11:18 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
11:19 < pekster> Not if you've correctly set up your security, no
11:19 < pekster> DPI has nothing to do with breaking security; DPI is used to identify certain types of traffic and act on them (such as dropping them, rejecting them, or slowing them down)
11:19 < pekster> Security recommendation on the other hand are at:
11:19 < pekster> !hardening
11:19 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
11:23 < ice9> i see, now the other concern is how  to trust a vps provider to host your vpn! if not using private server
11:23 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
11:23 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 272 seconds]
11:24 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
11:24 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:26 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
11:26 < pekster> Realistically, you can't, at least not entierly. Not really a problem unique to openvpn though
11:30 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 250 seconds]
11:31 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
11:32 < ice9> I set "tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"  but got during connection:
11:32 < ice9> TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
11:32 < ice9> TLS Error: TLS object -> incoming plaintext read error
11:32 < ice9> TLS Error: TLS handshake failed
11:32 < ice9> server and client both has this cipher --show-tls
11:35 < pekster> Copies of configs would help, sans-comments/whitespace:
11:35 < pekster> !configs
11:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:36 < hydrajump> -/buffer 20
11:36 < hydrajump> opps
11:40 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 245 seconds]
11:43 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
11:47 < pekster> ice9: Same openvpn version? I think older versions required to use the openssl cipher-suite name, not the IANA one
11:47 < pekster> Although that should have resulted in a warning/error on startup too I think, if that was the problem
11:48 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
11:48 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 256 seconds]
11:48 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 240 seconds]
11:51 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:07 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
12:07 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:10 -!- Mike-- [mad@84.245.27.194] has joined #openvpn
12:11 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
12:33 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 256 seconds]
12:35 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:38 -!- ib54003 [~ib54003@fedora/ib54003] has quit [Quit: Verlassend]
13:10 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
13:10 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
13:11 < ice9> pekster: the same conf you saw,  sometimes traffic routing works and sometimes not!  currently it isn't
13:51 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
14:00 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
14:07 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 272 seconds]
14:13 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
14:19 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 264 seconds]
14:23 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
15:11 -!- unixninja92_ is now known as unixninja92
15:13 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
15:20 -!- mattock is now known as mattock_afk
15:21 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 245 seconds]
15:27 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
15:30 -!- mattock_afk is now known as mattock
15:30 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
15:31 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
15:48 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
16:04 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 250 seconds]
16:13 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
16:13 -!- mode/#openvpn [+v RBecker] by ChanServ
16:20 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 256 seconds]
16:21 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:37 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
16:45 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
16:49 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 272 seconds]
16:56 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
17:00 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:00 -!- mode/#openvpn [+v RBecker] by ChanServ
17:06 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
17:20 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 258 seconds]
17:25 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 264 seconds]
17:26 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
17:33 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Ping timeout: 256 seconds]
17:37 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 240 seconds]
17:38 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:38 -!- mode/#openvpn [+v RBecker] by ChanServ
17:38 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
17:39 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has joined #openvpn
17:54 < Fudge> any cahcne someone could please give me an idea about these errors? http://paste.ubuntu.com/9183420/
17:55 < Fudge> chance I mean
17:57 < pekster> Line 50, looks like the cert doesn't have the right attributes
17:57 < pekster> nsCertType is deprcated, but can still be used if the server is signed with it. See:
17:57 < pekster> !mitm
17:57 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config
17:58 < pekster> You probably don't want to require that a 'server' cert connect to your server
17:58 < pekster> You should require a client cert if you add that restriction from the server, and ideally use --remote-cert-tls instead
17:58 < Fudge> in server and client conf?
18:00 < pekster> Right, but the client should test that it's getting a server-cert from the remote, and the server should test that it's getting a client-cert
18:01 < Fudge> server.conf http://paste.ubuntu.com/9183553/
18:02 < pekster> Line 4 is wrong; you should either omit it completely, or require a _client_ cert
18:03 < pekster> What you've said is "I want my server to reject all connections unless I issued a *server* certificate to a connecting client." This doesn't make sense
18:03 < Fudge> and client.conf http://paste.ubuntu.com/9183583/
18:03 < Fudge> okie :D
18:03 < Fudge> same in cleint, happy to remove it
18:03 < pekster> Have you already set up the bridge in your server OS?
18:04 < Fudge> client is a bit all over the place as i have some values in there to try and figure out how to specify the passphrase running openvpn as a service
18:04 < pekster> Keep them in for better security; just change line 4 in the server as I've listed
18:04 < Fudge> yep pretty sure
18:04 < pekster> What OS?
18:04 < Fudge> nterfaces http://paste.ubuntu.com/9183605/
18:04 < Fudge> ubuntu, this is a gateway
18:05 < pekster> Sure. Does tap0 get created correctly at OS startup? If not, you should verify that tap0 is correctly added to br0 when openvpn starts up
18:06 < pekster> Normally openvpn dynmically creates the interface, and I'm not sure the OS will add it as a bridge member to br0 like that unless tap0 is created at system startup
18:06 < pekster> And if you have your OS do that, you might need to explicitly tell openvpn to use tap0; you'll need to verify that. Check with `brctl` after VPN startup to confirm it looks right
18:06 < pekster> Otherwise it looks okay
18:07 < pekster> Oh, not quite; your client isn't pulling any details
18:07 < Fudge> yep once openvpn starts tap0 exists
18:07 < pekster> Change line 1 to `client` (or you'll need several other directives to mimic that behavior)
18:07 < pekster> Not just exist; is it _part_ of the bridge?
18:07 < pekster> If not, you haven't correctly created a bridge server-side
18:08 < pekster> `brctl show br0`
18:08 < pekster> This is one of several reasons we don't recommend bridging here unless you actually need non-IP Ethernet frame transport
18:10 < Fudge> bridge name     bridge id               STP enabled     interfaces
18:10 < Fudge> br0             can't get info No such device
18:11 < Fudge> ah now the client is working better
18:11 < Fudge> well it asked for the pass this time
18:11 < Fudge> Bad LZO decompression header byte: 1
18:13 < Fudge> cani  confirm you suggested in server.conf  remote-cert-tls client
18:13 < pekster> Yup
18:13 < Fudge> and   in client.conf remote-cert-tls server
18:13 < pekster> Your comp-lzo directive should match identically between configs or be removed completely
18:13 < pekster> Yes again on the remote-cert-tls bits
18:14 < Fudge> oh it wasnt in the client
18:15 < pekster> How do you not have br0? Again, you _cannot_ create a working bridged VPN on the server if you don't have a bridge set up to begin with
18:15 < pekster> !tunortap
18:15 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:15 <@vpnHelper> rooted/jailbroken) support only tun
18:15 < pekster> and:
18:15 < pekster> !whybridge
18:15 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
18:15 < Fudge> think its working
18:16 < pekster> Can you ping a server-side device, like the gateway at .254?
18:34 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:38 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
18:42 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 256 seconds]
18:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-dhespcitxstmjaqi] has quit [Ping timeout: 240 seconds]
19:00 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
19:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-aqorrjselhxymmoo] has joined #openvpn
19:05 -!- Mike-- [mad@84.245.27.194] has quit [Read error: Connection reset by peer]
19:19 < Fudge> sorry fo rdelay, will try
19:20 < Fudge> From 10.10.10.100 icmp_seq=6 Destination Host Unreachable
19:23 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has quit [Ping timeout: 255 seconds]
19:24 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has joined #openvpn
19:27 < pekster> Right, sounds to me like your bridge still isn't set up properly
19:27 < pekster> Really I'd recommend you not bridge unless you actually require OSI L2 (read: Ethernet frame) transport
19:27 < pekster> No bridging to worry about, just standard routing
19:30 < Fudge> would that still allow for us to be on a combined network as bridging would do
19:31 < pekster> No. Do you have a specific need for that?
19:31 < pekster> You can route between multiple networks for IP traffic, which is usually everything you'd want to do remotely anyway
19:42 -!- isaaclw [~isaac@c-24-125-75-6.hsd1.va.comcast.net] has joined #openvpn
19:43 < isaaclw> where's the best place to ask questions about network-manager's openvpn in ubuntu?
19:43 < Fudge> i guess thats how we just want it setup
19:43 -!- Ranieri_ [~Ranieri_@38.108.87.20] has joined #openvpn
19:43 -!- Ranieri_ [~Ranieri_@38.108.87.20] has left #openvpn ["Leaving"]
19:44 < isaaclw> I connected to a vpn via network-manager in ubutnu 14.04 (laptop) and when I disconnected the search server is still listed, and nothing is resolving.
19:45 < isaaclw> I've had this problem before, and I've solved it by manually deleting /etc/resolv.conf and filling in the details I need. However I'd like to do it the "flexible" way so that I can move my laptop around a bit more. it seems like network-manager and the dns tools that are in the newer version aren't updating my resolv.conf file appropriately
19:46 < pekster> Need to talk to the maintainer of the package running the client-side code to do that
19:46 < pekster> Which is the #ubuntu or whever the network-manager folks hang out at
19:46 < pekster> OpenVPN does not touch your resolver on Linux/Unix, so it's entierly up to your own scripts to do what you want. Since you're using someone else's frontend/scripts, you need to ask them and file bugs as necessary
19:47 < pekster> !pushdns
19:47 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
19:47 < pekster> That's (#3) above
19:47 < pekster> IIRC n-m tries to magically integrate with resolvconf via dbus, making it very hard to debug where/why things break
19:48 < isaaclw> "magical" integration is nice while it works :/
19:48 < pekster> Fudge: That's a silly reason for making your server-side network setup more complex, but it's your environment I guess. The complexity is why it's breaking for you now, and you need to fix your OS bridge config before pinging other resources will work
19:49 < Fudge> pekster:  appreciate your help and advice mate
19:49 < pekster> Fix the bridge and it should all just work though
19:54 < isaaclw> fwiw: http://askubuntu.com/questions/320921/having-dns-issues-when-connected-to-a-vpn-in-ubuntu-13-04/321850#321850 << saw this earlier and somehow missed it. this fixed it for me.
19:54 <@vpnHelper> Title: Having DNS Issues when connected to a VPN in Ubuntu 13.04 - Ask Ubuntu (at askubuntu.com)
19:55 -!- isaaclw [~isaac@c-24-125-75-6.hsd1.va.comcast.net] has left #openvpn []
20:12 < Fudge> any suggestions how to fix the bridge :$
20:13 < Fudge> do clients need a bridged  interface  in itnerfaces too?
20:14 < pekster> No. You need to fix your apparent complete lack of the bridge you claim to have configured
20:14 < pekster> no br0 means you don't have a bridge, at least by thta name
20:15 < pekster> You ought to fix that. Consult your distro docs and/or interfaces(5) for details
20:15  * Fudge nods
20:15 < pekster> A bridge is just a fancy term for a software switch; your "ports" aren't connected, which is as useful as a switch with the same problem
20:16 < Fudge> yep
20:17 < Fudge> there was something in a /etc/default/ script I had to specify the bridge in i tihnk but i cant remember or find it
20:19 < Fudge> think i was thinking of isc-dhcp3-server but that is unrealted
20:35 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
20:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
20:47 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
20:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
20:47 -!- mode/#openvpn [+v s7r] by ChanServ
20:51 -!- superteece [~superteec@2604:180:1:16e::7da4] has joined #openvpn
20:53 < superteece> !welcome
20:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:54 < superteece> !goal I would like to access the internet through my VPN.
20:54 < superteece> !goal
20:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:54 < superteece> !redirect
20:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
20:54 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
20:55 < superteece> !def1
20:55 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
21:11 -!- akamaru [~akamaru21@2601:0:8a80:1064:d984:6933:71a9:4fff] has quit [Quit: Leaving]
21:15 < superteece> !nat
21:15 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
21:15 < superteece> !openvznat
21:15 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP> or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
21:29 < superteece> Ok server is pushing redirect-gateway and nat is turned on but my client still cannot surf the web. Ideas? Inspiration? What should I look at next?
21:38 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
21:40 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:6008:2825:2cd5:127a] has joined #openvpn
22:08 < superteece> and now it's all borked
22:08 < superteece> lucky for me I believe in backups :)
22:09 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:17 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
22:22 < superteece> So yeah access server breaks me :(
22:22 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
22:25 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 264 seconds]
22:34 -!- superteece [~superteec@2604:180:1:16e::7da4] has quit [Quit: ZNC - http://znc.in]
22:44 -!- superteece [~superteec@2604:180:1:16e::7da4] has joined #openvpn
23:12 -!- ShadniX [dagger@p57941E22.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:13 -!- ShadniX [dagger@p5DDFF909.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
23:51 -!- superteece [~superteec@2604:180:1:16e::7da4] has quit [Quit: ZNC - http://znc.in]
23:52 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
23:54 -!- superteece [~superteec@2604:180:1:16e::7da4] has joined #openvpn
23:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
--- Day changed Sun Nov 23 2014
00:00 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 265 seconds]
00:09 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
00:27 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 264 seconds]
00:28 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit []
00:37 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
00:38 -!- mode/#openvpn [+v RBecker] by ChanServ
00:58 -!- cheesenbiscuts [~cheesenbi@175.142.77.227] has joined #openvpn
00:58 < cheesenbiscuts> Hi Everybody
00:59 < cheesenbiscuts> I normally don't use authentication on my OpenVPN server implementations but I must for this Mikrotik configuration.
01:00 < cheesenbiscuts> Why is is when I set the 'auth-user-pass pass.cfg', create an pass.cfg file with two lines with the username and password and run the configuration on my client I'm still prompted for a password (only)?
01:12 -!- havingFun is now known as xrosnight
01:17 < ryao> I am visiting family in China and I want to establish a VPN into the US. The peering links used by BGP for packets between China Unicom and Verizon are saturated and other direct links to the US appear to also be saturated. The link between China and Japan seems to be unsaturated. I could setup a VPN server in Japan and call it a day, but I would like to have an extra hop to the US where I do a L3 version of virtual private ethernet. Can I do this ...
01:17 < ryao> ... with a single OpenVPN daemon or do I need two?
02:18 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
02:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
02:26 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Read error: Connection reset by peer]
02:27 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
03:11 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:23 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
03:32 -!- shio [marmot@102.188.103.84.rev.sfr.net] has quit [Ping timeout: 264 seconds]
03:40 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
03:42 -!- cheesenbiscuts [~cheesenbi@175.142.77.227] has quit [Remote host closed the connection]
03:51 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
04:10 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Remote host closed the connection]
04:20 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
04:21 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:23 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
04:25 < ib54003> hrm... when i use udp instead of tcp my samba shares are slower then with tcp why?
04:25 < ib54003> i thought it was the other way?
04:35 -!- fragtion [~dems@srv.webintuitive.co.za] has joined #openvpn
04:45 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
04:48 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
04:50 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
05:08 -!- fragtion [~dems@srv.webintuitive.co.za] has quit [Quit: Leaving]
05:10 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:18 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:44 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
05:44 < Mike--> !heartbleed
05:44 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
05:44 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
05:44 < Mike--> !poodle
05:44 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
05:54 -!- lastaid [5899061d@gateway/web/freenode/ip.88.153.6.29] has joined #openvpn
06:00 < lastaid> hello
06:01 < lastaid> i am having a internet provider that doesnt give me ipv4, or very rarely
06:04 < lastaid> i do have  server though, could i use openvpn to tunnel into ipv4 land from ipv6?
06:07 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
06:08 < ice9> the gateway 10.8.0.1 is not reachable!
06:08 < ice9> i'm using tun, ip_forward is enabled, and nat,FORWARD are set, and i cant connect fine
06:08 < ice9> this is my route table https://gist.github.com/anonymous/098ebd23227c98f0db9e
06:09 <@vpnHelper> Title: gist:098ebd23227c98f0db9e (at gist.github.com)
06:25 < ib54003> when i use udp instead of tcp my samba shares are slower then with tcp why?
06:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:12 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
07:12 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
07:16 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 250 seconds]
07:24 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:24 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:32 < superteece> I've followed the steps here, pushing redirect-gateway, ip-forwarding is on, I can ping 10.8.0.1, 8.8.8.8, and www.google.com. But my public IP still shows as my ISP assigned IP.
07:35 -!- Kerberos76 [~Kerberos7@107.182.184.234.16clouds.com] has joined #openvpn
07:36 -!- elfixit [~Icedove@p5B13B695.dip0.t-ipconnect.de] has joined #openvpn
07:37 -!- Vasily555 [~Stanford@85.172.183.185] has joined #openvpn
07:37 < Vasily555> hello, I have openvpn server installed on windows, how can I move it to linux with certificates
07:39 < superteece> I followed the steps here: https://openvpn.net/index.php/open-source/documentation/howto.html
07:39 <@vpnHelper> Title: HOWTO (at openvpn.net)
07:40 < superteece> You can probably do the same just omitting the cert generation steps and reuse the ones you have.
07:40 < superteece> Though, after following those steps I have a VPN that I can connect to but not route through. I'm still troubleshooting that.
07:51 < Vasily555> superteece: eerrmmm.. I just throw the ca.crt?
07:52 < superteece> Idk to be honest
07:53 < superteece> Can a CA be reused? I'd search around for VPN migration
07:54 < Kerberos76> might be a bit off-topic, but does anyone know a good pfsense/openvpn tutorial? I have a pfSense firewall and would like to setup an openvpn (maybe access server) to route through for ip geolocation purposes
07:55 < superteece> No sorry, I can't even get mine to route :)
07:55 < pekster> superteece: PKI is fine unless your CA private key is compromised
07:55 -!- Vasily555 [~Stanford@85.172.183.185] has quit []
07:56 < pekster> Ideally don't store your PKI bits (particularly the CA key) on your VPN server, but some people do anyway out of convenience
07:56 < superteece> pekster maybe that's for Vasily555?
07:56 < pekster> Oh, indeed it is, and it's moot now I guess :P
07:57 < superteece> :)
07:59 < superteece> !welcome
07:59 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:59 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:00 < superteece> !howto
08:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:00 < superteece> !redirect
08:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:00 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
08:01 -!- Vasily555 [~Stanford@85.172.183.185] has joined #openvpn
08:01 < Vasily555> I can't find easy-rsa directory on ubuntu
08:02 <@krzee> !easy-rsa
08:02 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/downloads or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
08:02 < superteece> So, working through the flowchart I'm at, "Your VPN did not add routes correctly." Ideas?
08:02 < Vasily555> shouldn't it come with openvpn?
08:02 <@krzee> Vasily555, no
08:03 < superteece> no it doesn't with 2.3+
08:03 <@krzee> superteece, which flowchart?  sorry i just popped in
08:03 < Vasily555> krzee: can I apt-get it?
08:03 <@krzee> Vasily555, ask your repo (apt-cache search)
08:03 < superteece> Vasily555: see here https://openvpn.net/index.php/open-source/documentation/howto.html#pki
08:04 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:04 < pekster> Vasily555: sure, but if you're intending to migrate rather than replace your old PKI infrastructure, you'll also want to copy your old pki directory in
08:04 <@krzee> the howto was updated??
08:04 <@krzee> superteece, thats old
08:04 < superteece> ohh, I followed it :)
08:04 <@krzee> superteece, he should see the links my bot gave him
08:04 < superteece> k
08:04 <@krzee> superteece, then you used an old easy-rsa
08:05 <@krzee> superteece, so which flowchart are you currently trying to use?
08:05 < superteece> From vpnHelper: http://pekster.sdf.org/misc/redirect.png
08:05 <@krzee> ahh redirect
08:05 < Vasily555> what is pki directory?
08:06 <@krzee> superteece, ok so you can ping google.com
08:06 < superteece> yes
08:06 < Vasily555> c:\Program Files\OpenVPN\easy-rsa\
08:06 <@krzee> but the link shows your normal IP
08:06 < superteece> yes
08:06 < Vasily555> c:\Program Files\OpenVPN\easy-rsa\keys
08:06 <@krzee> show me your client log
08:06 <@krzee> verb 4
08:06 < Vasily555> on windows all keys are there
08:06 <@krzee> Vasily555, is ca.key there?
08:07 < Vasily555> yes
08:07 <@krzee> then thats your pki directory, where you made all your certs
08:07 <@krzee> because ca.key never moves if you did it right
08:07 <@krzee> its ONLY used for signing certs
08:07 < Vasily555> ok, then where do I throw it linux to migrate the server
08:07 <@krzee> it is TOTALLY unrelated to migrating your server
08:08 < Vasily555> oops then
08:08 <@krzee> do you know how pki works?
08:08 < pekster> The OpenVPN server doesn't need your PKI. This said, you should not lose your PKI or you _will_ have to start all over
08:08 < pekster> Some info that may help you:
08:08 < pekster> !intro-to-pki
08:08 <@vpnHelper> "intro-to-pki" is For an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
08:08 <@krzee> !pki
08:08 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert) or (#2) See !certman for various PKI management frontends
08:08 <@krzee> !learn pki as also see !intro-to-pki
08:08 <@vpnHelper> Joo got it.
08:09 < Vasily555> What I need is move OpenVPN server from Windows to Linux
08:09 < pekster> Copy your configs and the files it references
08:09 < pekster> That's it
08:09 < superteece> sorry, what's the location of the client log? I looked in /etc/openvpn
08:09 <@krzee> !logfile
08:09 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:09 -!- novaflash is now known as novaflash_away
08:11 < Vasily555> krzee: so how do I move?
08:11 < pekster> Vasily555: By reading what I said above and asking for clarification if you did not understand
08:11 < pekster> 08:09:12 < pekster> Copy your configs and the files it references
08:11 < pekster> 08:09:13 < pekster> That's it
08:11 <@krzee> taking the files that are on the old server, and putting them onto the new server
08:11 <@krzee> ^ that
08:11 <@krzee> both things pekster said
08:12 <@krzee> generally if pekster says something hes right about it… he makes a habit of that
08:13 < superteece> So you want to see my syslog?
08:13 < Vasily555> here is the list of files in config folder in windows
08:13 < Vasily555> http://www.nomorepasting.com/getpaste.php?pasteid=39835
08:13 < pekster> Probably just your server config, plus the PKI the server needs (so, ca.crt, server.crt, server.key, dh.pem) and possibly any of the following optional bits: ta.key (used with --tls-auth) and any 'ccd' files
08:13 <@krzee> superteece, go make a --log /path/to/file
08:13 <@krzee> reconnect, get me logfile
08:13 < Vasily555> and in config/keys are all the keys for clients
08:14 < pekster> Vasily555: Right. Copy all of that (the .log and .txt files aren't important) and send them to your other server
08:14 < Vasily555> which dir ?
08:14 < Vasily555> which dir on linux
08:14 <@krzee> facepalm
08:15 < pekster> Anywhere you'd like, but if you expect ubuntu's initscript to use them, it has to be under /etc/openvpn/
08:15 < pekster> And the config must be *.conf, so the extension needs to get changed
08:15 < Vasily555> pekster: yeah, that's what I meant :) thanks
08:15 < pekster> Fix any absolute pathnames in the config file too
08:15 < Vasily555> and then restart openvpn daemon?
08:16 < pekster> If that's how you want to launch it, sure
08:18 < Vasily555> In linux do I have to use double // in paths?
08:18 < Vasily555> "C:\\Program Files\\OpenVPN\\config\\server.crt"
08:18 < superteece> Options error: You must define TUN/TAP device (--dev)
08:18 < superteece> Use --help for more information.
08:19 < superteece> that's the only log enry
08:19 < pekster> No, that's windows stupidity because backslashes are an escape character in the C language
08:19 < pekster> fwiw, you can also use single _forward_ slashes in Windows ;)
08:19 <@krzee> superteece, well there you go, you never even got openvpn running
08:19 <@krzee> which means you FAILED at the flowchart
08:19 < superteece> but I can ping 10.8.0.1
08:19 <@krzee> very first question.
08:19 <@krzee> not with THAT config
08:20 <@krzee> you might be on another vpn
08:20 <@krzee> with that same address (in which case fix one)
08:20 < superteece> I'm literally pingiing it right now
08:20 <@krzee> did you kill openvpn before trying to get me the log?
08:20 < superteece> I created the log and restarted the service
08:21 <@krzee> how many .conf files are in your /etc/openvpn ?
08:21 < superteece> one
08:21 < superteece> wait, two
08:21 <@krzee> well thats not the log of the vpn you are pinging.
08:21 < superteece> client.conf and update-resolv-conf
08:21 <@krzee> .conf != -conf
08:21 < superteece> true
08:22 < superteece> I was just typing that, lol
08:22 < superteece> so one
08:22 <@krzee> stop openvpn
08:22 <@krzee> start it without the os scripts
08:22 <@krzee> so openvpn /path/to/config
08:23 <@krzee> !configs
08:23 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:23 <@krzee> just show me the client config
08:23 <@krzee> for now at least
08:23 <@krzee> also show me ls -l /etc/openvpn/
08:24 < superteece> This was a little more descriptive on the startup: Sun Nov 23 07:23:18 2014 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
08:24 < superteece> Sun Nov 23 07:23:18 2014 Exiting due to fatal error
08:25 < superteece> ohh, stupid me
08:25 < Vasily555> I did service openvpn restart
08:25 < Vasily555> how do I know everything went ok? :)
08:25 < pekster> logs
08:25 < pekster> !logfile
08:25 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:26 <@krzee> superteece, im still concerned with you getting ping from the vpn ip too
08:26 <@krzee> you need to find out whats responding to that ping
08:26 < Vasily555> pekster: where is syslog?
08:26 < superteece> Sure, I'm working on getting you the .conf
08:27 < pekster> Vasily555: Wherever your userland syslog daemon sends it
08:27 <@krzee> Vasily555, you're expected to know how to use the computer you're running openvpn on
08:27 < pekster> Consult your system documentation. Usually under /var/log/ on Unix-alikes, but that's entierly under the control of whoever maintains that OS
08:27 <@krzee> or just use #1 and make your own logfile
08:28 < superteece> client.conf: http://pastebin.com/SPfZWRm7
08:29 < Vasily555> http://www.nomorepasting.com/getpaste.php?pasteid=39836 does this log say server started ok?
08:29 <@krzee> superteece, ok now do this:  ps auxw|grep vpn
08:30 <@krzee> !as
08:30 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
08:30 <@krzee> Vasily555, we dont even support AS here
08:30 <@krzee> you're in the wrong channel bro, its in the /topic =]
08:31 <@krzee> !no_as
08:31 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
08:31 < Vasily555> AS is different? omg the I think I have installed openvpn next to AS
08:31 < superteece> http://pastebin.com/eTMZgDD7
08:31 < pekster> Vasily555: If you intended to use the actual OpenVPN (not the non-free commercial wrapper with their own value-add and support structure) you downloaded the wrong thing
08:31 < Vasily555> because I did apt-get install openvpn
08:31 <@krzee> and there nobody will tell you "you're expected to know how to use the computer you're running openvpn on"
08:32 <@krzee> oh haha
08:32 < pekster> That's the right Debian package for the GPL openvpn, yes. Sounds like you managed to also install AS
08:32 < Vasily555> pekster: no, it was already there
08:33 < pekster> Well then _someone_ installed it
08:33 < Vasily555> yes, it is a vps
08:33 <@krzee> so which did you want?  AS uses opensource openvpn with some patches, and aims to please users and companies who want real support and dont especially need to learn networking / security / their os internals
08:33 < Vasily555> I chose a openvpn template when I was getting the vps
08:33 <@krzee> whereas to use the opensource one you do need to learn those things
08:33 < Vasily555> and was wondering where it is
08:33 < Vasily555> I want to remove AS :)
08:34 <@krzee> !download
08:34 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:34 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
08:34 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
08:34 < pekster> If you did `apt-get install oepnvpn` you already have openvpn though; you just _also_ have AS setup by the sysadmin of the VPS
08:34 <@krzee> ohhh right
08:34 <@krzee> i get it now
08:34 < pekster> You basically want to remove, or at least stop from starting, the AS junk
08:34 < superteece> krzee: http://pastebin.com/eTMZgDD7
08:34 < pekster> krzee: Yea, sounds like some canned "VPN solution" vendor thing
08:35 < pekster> "VPN on a stick"
08:35 < Vasily555> pekster: I would remove it completely, I thought it is a usual ovpn :)
08:35 <@krzee> superteece, wtf is all that openvpn-ssl ?
08:35 <@krzee> openvpn-openssl
08:35 < superteece> no idea
08:35 <@krzee> oh god you have openvpnas too
08:35 <@krzee> hahah
08:36 <@krzee> why do weird problems always come out of nowhere together
08:36 <@krzee> are you guys using the same vps provider?
08:36 < pekster> Because marketing.
08:36 < Vasily555> I did apt-get remove openvpb-as :)
08:36 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 264 seconds]
08:37 <@krzee> superteece, do you mean to be running AS?
08:37 <@krzee> !no_as
08:37 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
08:37 < Vasily555> I don't see openvpn logs in /var/log
08:37 < superteece> nope
08:37 <@krzee> superteece, what vps provider are you using?
08:37 < pekster> Vasily555: Depends on 1) what log directives are in your config files, and 2) if you aren't logging to a logfile and your init daemon is using syslg, it depends on your syslog config
08:38 < superteece> ramnode, though I had to install openvpn myself.
08:38 < pekster> Vasily555: Easiest is to write to a define logfile (use --log /some/where/to/log/openvpn.log). Otherwise if you want syslog to work, read rsyslog.conf(5) and ask #ubuntu if you need help configuring it
08:39 <@krzee> Vasily555, are you using ramnode?
08:39 < superteece> I did install AS, but it is turned off. And as far a I know I only installed it on the server because I thought it was just a graphical admin tool.
08:39 <@krzee> superteece, doesnt look all that turned off from your ps output :D
08:39 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
08:40 < superteece> I'm removing it from both
08:41 < pekster> !learn manref as If you are given a reference that looks like this: "openvpn(8)" this is a manpage you can read with the command: `man 8 openvpn`. On Windows, see !man for the OpenVPN manpages in web-accessible form
08:42 <@vpnHelper> Joo got it.
08:42 < Vasily555> I didn't understand anything of what you said, but I know that the server is running OK!! :)))
08:42 < pekster> !learn manref as If you're new to manpages, type `man man` to read how they work
08:42 <@vpnHelper> Joo got it.
08:42 <@krzee> !man
08:42 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:42 < superteece> Now? http://pastebin.com/38sy51wS
08:42 < pekster> Yea, I figured separate entries was better than a giant paragraph
08:43 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 256 seconds]
08:43 <@krzee> ya i guess its rare people come here and dont at least pretend to know the manpages
08:43 <@krzee> hehe
08:43 < pekster> It happens, or folks haven't seen the old-as-dirt nomenclature before
08:45 < superteece> krzee: new output: http://pastebin.com/38sy51wS
08:46 <@krzee> ok so you still have openvpn running twice
08:46 <@krzee> and whats /usr/bin/vpn-unlimited-daemon ?
08:47 < superteece> that's a different VPN service I was goofing off with but it's not connected
08:48 <@krzee> stop it from running as well
08:49 < superteece> done
08:49 <@krzee> show me new output
08:50 <@krzee> (kill both openvpns)
08:51 < superteece> http://pastebin.com/JG6rkw81
08:51 < superteece> alot cleaner now
08:51 < superteece> (empty)
08:51 <@krzee> good
08:52 <@krzee> ok now, get me that logfile
08:52 < superteece> Once you set --log <location> does it continually update or do you have to re-run the --log command each time you want to pull it?
08:53 <@krzee> !--
08:53 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
08:55 < superteece> so I can just add "log path/to/log" at the end of client.conf?
08:55 < superteece> because nothing new is in the log
08:55 <@krzee> log /path/to/log
08:55 <@krzee> noth path/
08:56 <@krzee> yes it will append
08:56 <@krzee> rm the logfile before you start openvpn
08:56 <@krzee> to make it easier to get what you want to paste me
08:56 < pekster> Sort of; --log wipes out the file each instance startup, --log-append will preserve the last logs and append from there
08:56 <@krzee> oh right ^
08:56 <@krzee> so i guess he doesnt need to rm it then
08:57 <@krzee> it'll do that for him
08:57 < superteece> so add "log-append /path/to/log"?
08:57 <@krzee> no
08:57 <@krzee> but if you dont believe its updating, rm it first
08:57 < superteece> k
08:57 <@krzee> if it doesnt show up, we know theres something going on
08:57 <@krzee> show me ls -l /etc/openvpn/
08:59 < superteece> ok I rm'd the file, re-ran "sudo openvpn --log /path/to/log" the file re-appeared and still only says "Options error: You must define TUN/TAP device (--dev)
08:59 < superteece> Use --help for more information."
09:00 < superteece> ls output: http://pastebin.com/S7C9jgLG
09:02 <@krzee> well ya
09:02 < superteece> to be clear, you wanted that log output with the service stopped?
09:02 <@krzee> you didnt give it the config :-p
09:02 <@krzee> haha
09:02 <@krzee> sudo openvpn --log /path/to/log --config /etc/openvpn/client.conf
09:04 < superteece> ok
09:04 < superteece> http://pastebin.com/ZF4UmUcg
09:05 <@krzee> line 17 got cut off
09:05 <@krzee> cat the file then paste it
09:05 <@krzee> instead of using nano of whatever you had
09:06 < superteece> Sun Nov 23 08:03:01 2014 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
09:07 <@krzee> and what is the second question in the flowchart?
09:07 < superteece> http://pastebin.com/XCTffNvQ
09:08 < superteece> I thought is was, is it not and how do you see it?
09:08 < superteece> Also, I thought the server pushed the redirect
09:08 <@krzee> !push
09:08 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
09:08 <@krzee> it CAN
09:08 <@krzee> i see it is not because the client config would show it in line 17
09:09 <@krzee> thats all the pushed stuff
09:09 <@krzee> client log*
09:09 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Ping timeout: 250 seconds]
09:10 < superteece> ohh wow
09:10 < superteece> I swear I thoguht I uncommented that line
09:10 < superteece> just remove the ; right?
09:10 <@krzee> when using the flowchart do not guess, or remember, but instead check.
09:10 <@krzee> yes
09:11 <@krzee> you dont have to push it, but you can
09:11 <@krzee> it can also just go direct in the client config
09:11 <@krzee> up to you
09:11 < superteece> I would like to try that first because I have mulitple clients. One change easier than many :)
09:12 <@krzee> so long as you always want everyone to have that
09:12 <@krzee> then users come in going "how do i disable redirect-gateway? my server pushes it to me"
09:14 -!- elfixit [~Icedove@p5B13B695.dip0.t-ipconnect.de] has quit [Quit: elfixit]
09:15 < superteece> ok it seems to work now because it kills my ability to browse
09:15 < superteece> :)
09:16 <@krzee> !redirect
09:16 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:16 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
09:16 < superteece> yup, I'll start at the top again
09:16 < superteece> thanks for your help
09:16 <@krzee> yw
09:16 <@krzee> !linipforward
09:16 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
09:16 -!- Vasily555 [~Stanford@85.172.183.185] has quit []
09:16 <@krzee> and show me iptables-save
09:16 <@krzee> we're already getting there, may as well just finish up
09:17 <@krzee> unless you have some disturbingly ugly auto-generated firewall or something :D
09:20 < superteece> iptables from the server, right?
09:20 <@krzee> right
09:20 < superteece> http://pastebin.com/Ys9y6EM4
09:20 <@krzee> !linnat
09:20 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
09:21 <@krzee> iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE     assuming eth0 is your internet interface
09:21 < superteece> !openvzlinnat
09:21 <@krzee> oh i see
09:21 <@krzee> !openvzlinnat
09:22 < superteece> it didn't talk to me :(
09:22 <@krzee> !factoids search vz
09:22 <@vpnHelper> 'openvz' and 'openvznat'
09:22 <@krzee> !openvznat
09:22 <@vpnHelper> "openvznat" is (#1) a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP> or (#2) someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
09:22 <@krzee> !openvz
09:22 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
09:22 < superteece> great....
09:22 <@krzee> !forget linnat 4
09:22 <@vpnHelper> Error: Invalid factoid number.
09:23 <@krzee> o.O
09:23 < superteece> I chose openvz over kvm cause it was $2 cheaper, lol
09:23 <@krzee> !linnat
09:23 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info or (#4) openvz see !openvzlinnat
09:23 <@krzee> !forget linnat 4
09:23 <@vpnHelper> Error: Invalid factoid number.
09:23 <@krzee> !forget linnat 3
09:23 <@vpnHelper> Joo got it.
09:23 <@krzee> !linnat
09:23 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>
09:23 <@krzee> !learn linnat as http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:23 <@vpnHelper> Joo got it.
09:24 <@krzee> !learn openvz see !openvznat
09:24 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
09:24 <@krzee> !learn openvz as see !openvznat
09:24 <@vpnHelper> Joo got it.
09:24 <@krzee> grr
09:24 < superteece> :)
09:24 <@krzee> !forget openvz 3
09:24 <@vpnHelper> Joo got it.
09:24 < pekster> Ah, openvz, the glorified chroot wrapper
09:24 <@krzee> !learn linnat as openvz see !openvznat
09:25 <@vpnHelper> Joo got it.
09:25 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:26 <@krzee> superteece, show me ifconfig -a
09:26 < superteece> server?
09:26 <@krzee> yes
09:27 < superteece> http://pastebin.com/2S97DcSZ
09:28 <@krzee> iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to 167.88.113.230
09:28 <@krzee> try that
09:28 < superteece> did it, iptables -L is still empty
09:28 <@krzee> wait wait
09:28 < pekster> -L is horrible; don't use it
09:29 <@krzee> who said iptables -L ?>?
09:29 < superteece> k
09:29 <@krzee> i said iptables-save
09:29 <@krzee> <krzee> and show me iptables-save
09:29 < superteece> sorry, I looked up iptables commands and it said to use that
09:29 < pekster> Whatever said that was wrong :P
09:29 < pekster> (or at least misinformed and misleading)
09:30 < superteece> http://pastebin.com/LbcZAZfD
09:31 < pekster> You almost always want to include -o with a SNAT or MASQUERADE rule
09:31 <@krzee> pekster, almost always
09:31 <@krzee> openvz being one of those times
09:32 < pekster> Did openvz break that too? FFS..
09:33 <@krzee> superteece, cat /proc/sys/net/ipv4/ip_forward
09:33 < superteece> 1
09:33 <@krzee> ok back to the flowchart
09:34 < superteece> 1 is yes, right?
09:35 <@krzee> yes
09:36 < superteece> how do I check if NAT is enabled?
09:36 <@krzee> it is
09:36 <@krzee> you're doing the flowchart in order, right?
09:37 < superteece> Yeah but you asked me about ip forwarding after NAT
09:37 <@krzee> but that means you can ping 8.8.8.8 while on the vpn now?
09:37 < superteece> on sec
09:37 <@krzee> i mean cant*
09:38 <@krzee> every time you use the flowchart you must start over
09:38 < pekster> fwiw, pretty sure the SNAT will hide the server IP from the clients when it initiates connections (say, server pinging the client.) Extra fun when the client then attempts to route it over the Internet instead
09:38 <@krzee> so ping vpn server ip
09:38 <@krzee> etc
09:39 <@krzee> interesting, i think you're right
09:40 < pekster> And it breaks server-side port-forwarding for clients, if that's a possible addition in the future
09:40 <@krzee> another -s ! 10.8.0.1 ?
09:40 < pekster> No, just -o. I'd be very surprised if that didn't work
09:40 <@krzee> did you look at his ifconfig -a?
09:40 <@krzee> his only public ip is an alias
09:40 <@krzee> 0:0
09:40 < pekster> superteece: Can you pastebin `ip a` please?
09:41 < pekster> aliases aren't interfaces. You use the *interface* in Netfilte
09:41 < pekster> !ifconfig_linux
09:41 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
09:41 < superteece> I can ping 10.8.0.1, 8.8.8.8, and www.google.com -- but I can't browse to any site to see my public IP
09:41 <@krzee> this is what happens when a freebsd user supports linux :D
09:41 < pekster> venet0 or whatever is the interface. :0 is an arcaic way the 2.4 (yes, Linux 2.4) kernel had to do to support multiple IPs
09:42 < pekster> Well, BSDs actually maintained their ifconfig and kernel ioctls. Linux just up and replaced them, and users still cling to decade-old nomenclature for fear of something new
09:42 < pekster> Plus, all the zero's on the tun devices are just stupid ;)
09:42 < superteece> ip a: http://pastebin.com/duTZW0Ue
09:43 < pekster> superteece: Yea, add this to your SNAT rule, before the -j part: `-o venet0`
09:43 <@krzee> superteece,     curl ifconfig.me/ip
09:43 < pekster> Not that you must _replace_ that rule (not add another one beneath it)
09:43 < pekster> Note that*
09:44 < pekster> krzee: "aliases" in Linux work just like on BSD, and if the non-ancient tools are used, they're attached properly to the interface in display mode too. The :<int> suffix is just an indication the old tooling was used
09:44 < superteece> I have to install curl. How do I add to the rule?
09:45 < pekster> Easiest way? Run `iptables-save > /tmp/fw.rules`, edit that file as I said above, then do `iptables-restore < /tmp/fw.rules`
09:45 < superteece> curl ifconfig.me/ip output is my VPS ip
09:45 <@krzee> pekster, not sure why those were the openvz rules needed before, but people definitely had issues with -o and since i've never used openvz i just gave the bot the solutions when people finally got it going
09:45 <@krzee> but it was long ago
09:45 < pekster> My guess is users also had no clue how aliases worked, or had any idea that ifconfig was the wrong tool
09:45 <@krzee> so hopefully whatever it was is better now
09:46 <@krzee> superteece, while running that on the client, right?
09:46 < pekster> ifname:0 is not an interface (although ifname.0 would be VLAN0 on ifname..)
09:46 < superteece> ohh no
09:46 < superteece> ok, on the client is also shows the VPS ip :)
09:48 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 265 seconds]
09:49 < superteece> ok I added the -o venet0 part, do I need to restart any services?
09:49 <@krzee> show iptables-save again
09:50 <@krzee> !forget openvznat *
09:50 < superteece> http://pastebin.com/dBqt0vWn
09:50 <@vpnHelper> Joo got it.
09:50 <@krzee> !forget linnat 4
09:50 <@vpnHelper> Joo got it.
09:51 <@krzee> you did not restore the new rules
09:52 < superteece> what was that command? I've lost it
09:55 <@krzee>  <pekster> Easiest way? Run `iptables-save > /tmp/fw.rules`, edit that file as I said above, then do `iptables-restore < /tmp/fw.rules`'
10:00 < superteece> ok
10:00 < superteece> http://pastebin.com/JP4Wj9Yi
10:03 < superteece> interesting to note, perhaps. Now I can ping all three AND remain connected to IRC (it's connecting to an IP not Domain) but I cannot browse to www.google.com
10:04 < superteece> On both clients as evidenced by this message
10:05 < superteece> so some type of DNS issue? But if so how can I ping www.google.com?
10:06 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
10:10 < superteece> ok yeah, I can browse to gogole via their IP but not domain.
10:10 < superteece> I tried modifying the server.conf to push DNS settings (OpenDNS is the default) and same result.
10:11 < superteece> and google search for What is my IP DOES now show my VPS IP
10:11 < superteece> so it's all so close....
10:14 < superteece> This guy is having the same issue with no resolution posted yet: http://serverfault.com/questions/631829/openvpn-connects-and-access-to-ip-works-but-not-url-in-browser
10:14 <@vpnHelper> Title: dns - OpenVPN connects and access to ip works but not url in browser - Server Fault (at serverfault.com)
10:16 <@krzee> superteece, cat /etc/resolv.conf
10:17 < superteece> it has Google's DNS servers: cat nameserver 8.8.8.8
10:17 < superteece> nameserver 8.8.4.4
10:22 <@krzee> what dns does your server use?
10:24 < superteece> is that not what is shown in the nameserver cat? Or do you mean the openvpn? It is set for OpenDNS
10:26 <@krzee> well at first i thought it was obvious i meant client
10:27 <@krzee> so if that was the server, what is the client?
10:29 < superteece> ok client is set for 127.0.0.1
10:29 < pekster> !opendns
10:29 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
10:30 < superteece> ok
10:30 < pekster> Also,
10:30 < pekster> !pushdns
10:30 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
10:30 < pekster> Client is ubuntu or some such? n-m uses dnsmasq via dbus so "127.0.0.1" is actually "however the hell dbus anad its inputs asked your DNS to be configured"
10:30 < hydrajump> hi is the purpose of easy-rsa to simplify creating a PKI for openvpn? Is it just a wrapper for openssl commands, so in other words there is nothing openvpn specific about that project?
10:31 < pekster> hydrajump: Effectively, yes. Easy-RSA is designed to work well with OpenVPN, but you can (and many people do) use it to manage PKI for other uses too
10:32 < hydrajump> pekster: cool. On the github repo I see that the latest release is 2.x and master is 3.x. Would you advise against using 3.x as it is not released yet?
10:33 < pekster> I use 3.x, and it's fairly stable; I'm actually poking today at one of the main release blockers which is a subtle config parsing issue
10:33 < pekster> I wrote most of the code, so if you find bugs, poke me or file an issue repor
10:33 < pekster> +t
10:33 < superteece> should I even be using pushdns?
10:33 < hydrajump> oh cool. You work at OpenVPN?
10:34 <@krzee> easy-rsa isnt made by openvpn technologies
10:34 < pekster> No. I work on Open-source code in addition to my dayjob
10:35 < hydrajump> right. I'll download easy-rsa and try out the master branch ;)
10:36 < pekster> Sure. -rc2 is basically the same as master, and I'm currently (until a formal release anyway) planning to keep master usable
10:37 < pekster> After that it'll become bleeding-edge development. Need more mainteneance branches on that since I plan to mix things up moving forward, mostly due to stupid openssl version differences (and now we've got LibreSSL in the mix too.. makes life interesting)
10:37 < hydrajump> btw the tutorials I've seen online that use easy-rsa or even plain openssl commands on the **same** server as the openvpn server, that's just bad security practice isn't it? the files generated by easy-rsa should be kept encrypted offline, right other that for instance the client, server crts etc that need to be deployed?
10:38 < pekster> superteece: Probably, but that only "works" on Windows clients; Linux/Unix requires client-side scripts, as listed in !pushdns output
10:38 < pekster> hydrajump: It is bad practice, but people do it out of convenience anyway. Security recommendations available here:
10:38 < pekster> !hardening
10:38 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
10:38 < superteece> ok
10:39 <@krzee> superteece, just try google dns on the client for now
10:39 < superteece> I turned off DNS push and now I can browse... but Google thinks I'm in china....
10:39 <@krzee> ahh there you go
10:39 < superteece> what's my IP shows my vps IP
10:39 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
10:39 <@plaisthos> pekster: mobile clients (iOS/Android) also take the pushed DNS servers
10:40 < superteece> so weird...my VPS in in seatle
10:40 < superteece> Seattle
10:40 < pekster> Right, forgot about that. They do the magic for you there too
10:42 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
10:42 < superteece> How do you setup the push DNS on a mobile device? Is it like (#3) Unix-alikes are required to process the env-var in an --up script
10:43 <@krzee> superteece, plaisthos literally JUST answered that ^
10:43 < superteece> the magic statement?
10:43 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
10:43 < pekster> Basically the client doe it for you internally, so you don't need to worry about it
10:43 < pekster> does*
10:43 <@krzee> "<plaisthos> pekster: mobile clients (iOS/Android) also take the pushed DNS servers"
10:44 < hydrajump> once I've put together a server and client config for openvpn and hopefully they work can I ask for a config review?
10:44 < pekster> So handling is required, but that handling is done by the client application on the phone
10:44 < superteece> Ok
10:44 < pekster> hydrajump: Sure, easiest is a pastebin to the configs, minus comments/whitespace (we've got grep syntax in !configs if you like lazy copy/pasting)
10:44 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
10:45 < hydrajump> pekster: hehe ok I'll do that. Be great to get feedback on what can be improved or what's bad ;)
10:45 < hydrajump> buffer 20
10:45 < hydrajump> opps
10:48 < superteece> hmm, I'm a  little concerned about google thinking I'm in Hong Kong
10:49 < pekster> geoip isn't perfect; there's your search buzzword to do all the reading you'd like
10:56 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
11:05 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
11:13 -!- ib54003 [~ib54003@fedora/ib54003] has quit [Quit: Verlassend]
11:14 < superteece> Alright, so I re-enabled pushdns on server, added allow-pull-fqdn to the client.conf and restarted all the openvpns
11:14 < superteece> it works
11:14 < superteece> It thinks I'm in Hong Kong still, but it works.
11:15 < superteece> Thank you for the past 5ish hours of help!
11:38 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
11:39 < ib54003> hey if i use upd my samba shares are slower then with tcp?  why ???
11:40 < ib54003> i thought it would be different?
11:40 < ib54003> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
11:40 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
11:41 < ib54003> yes thats what i mean
11:41 < ib54003> its completly different.... what is written ...
11:42 < BtbN> TCP over TCP is highly inefficient and should only be used when UDP doesn't work. So always use UDP.
11:43 < ib54003> BtbN: yes your right but why is are my samba share extremly slow when i use udp?
11:43 < BtbN> no idea
11:44 < ib54003> BtnN: when i use tcp the spead is higher
11:44 < ib54003> *speed
11:44 < ib54003> i use:tun-mtu 48000 --fragment 0 --mssfix 0
11:44 < ib54003> is this good ?
11:47 < BtbN> That's a crazy high mtu.
11:47 < BtbN> even way exceeds jumbo frames
11:47 < ib54003> thats what the text says " When using the AES-256 cipher there is huge performance gain. The optimal MTU value now is 48000 bytes, but overall performance increased by a factor of 2 for nearly all MTU sizes. "
11:48 < BtbN> Well, an ethernet cable only has a mtu of 1500.
11:48 < pekster> And that's silly if your link doesn't actually support an MTU of 48kB.
11:48 < ib54003> ok so i should use what mtu?
11:48 < pekster> cable has nothing to do with it; the MTU of every (yes, every!) single network between you and your target matter though
11:49 < pekster> ib54003: Do you have reason to believe the native path-MTU of your client-server connection is 48000?
11:49 < BtbN> I wouldn't specify it at all, the default should be fine.
11:49 -!- AngryNapkin [~Eighty@97-90-144-70.static.mtpk.ca.charter.com] has joined #openvpn
11:49 < pekster> If you don't, yea, leave things at defaults unless you also have MTU issues (in which case you'd most likely need to _reduce_ the effective MTU due to broken pMTUd)
11:50 < ib54003> mh ...
11:50 < pekster> Giant transport MTUs mean that they must get split by openvpn, and _that_ in turn means that if the 33rd packet in the sequence is lost, all 33 of them must be retransmitted
11:51 < ib54003> ok here is are my configs
11:51 < ib54003> server.conf: http://ur1.ca/iv7zz
11:51 <@vpnHelper> Title: #153309 Fedora Project Pastebin (at ur1.ca)
11:51 < pekster> udp is usually faster unless you have problems with udp; maybe you've behind some awful QoS or for some reason have packet loss that TCP is correcting
11:52 < ib54003> client.config : http://ur1.ca/iv80u
11:52 <@vpnHelper> Title: #153311 Fedora Project Pastebin (at ur1.ca)
11:52 < pekster> 303 lines, most of it comments :(
11:52 < ib54003> smb.conf : http://fpaste.org/153313/41676506/
11:52 < pekster> !configs
11:52 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:52 < pekster> Grep for you there
11:53 < AngryNapkin> Got a problem hoping someone can resolve. I have version 2.3.2-I006-i686 installed on two machines. Identical configs, etc. One is a windows 8 machine, the other a windows xp sp3. Windows 8 will connect fine and work. Windows xp will give a balloon message "connected with Ip address 192.x.x.x", but the tap interface is receiving a 169.x.x.x IP. DHCP is running. Any ideas?
11:54 < pekster> AngryNapkin: Play with the --ip-win32 option. And then go upgrade to an OS that still gets security patches
11:56 < AngryNapkin> pekster: yeah I am not happy about this having XP on it, but its for a co-worker and this is all they have. Honestly, Im tempted to not bether to figure this out and just inform them it doesnt work, you cannot use this laptop. :)
11:56 < pekster> Plenty of Linux or BSD distros are supported for years at a cost of $0 ;)
11:57 < AngryNapkin> Dont have the patience to teach them something new. It has crossed my mind though.
11:58 < AngryNapkin> they have a hard time knowing when to single click and double click a mouse. Not my ideal student for a new OS.
11:59 < pekster> So giving them software that is no longer receiving security updates is a service to them? :\
12:01 < pekster> But, suit yourself. You might look at ebay for OEM or upgrade options, though you have to be a bit careful about fakes (MS is usually willing to replace them at no charge, but it's a dance to mail the fakes in.) Or just go buy one at a store. The OS isn't free, and should probably be replaced every 5-10 years anyway
12:01 < AngryNapkin> to save me loads of headache time....yup
12:01 < pekster> Gotta pay the "MS tax" if you use/sell/support their junk
12:02 < AngryNapkin> They were considering getting a newer comp. this was to be a temporary thing, but I know people and what they call temporary. Temporary is never temporary unless its broken.
12:03 < pekster> fwiw, I'm pretty sure ovpn development isn't even considering support of XP in releases, so keep that in mind too
12:03 < pekster> That's also "fine until it's not" from a security standpoint
12:07 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
12:11 < AngryNapkin> New OS or not, security up dates or not, it doesnt stop people from clicking stupid links and helping the malicious people out.
12:15 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
--- Log closed Sun Nov 23 12:19:00 2014
--- Log opened Mon Nov 24 06:47:14 2014
06:47 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
06:47 -!- Irssi: #openvpn: Total of 195 nicks [9 ops, 0 halfops, 3 voices, 183 normal]
06:47 -!- mode/#openvpn [+o ecrist_] by ChanServ
06:47 -!- Irssi: Join to #openvpn was synced in 1 secs
07:10 < kef> Is there a way in OpenVPN Connect (iOS) to increase log verbosity? I'm having issues connecting to a dual stack ipv6 tcp socket, whereas connecting to a dual stack ipv6 udp socket works just fine...
07:11 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
07:16 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:17 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
07:25 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 265 seconds]
07:27 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
07:27 < sled> My problem is: I have a Linux gateway which opens a openvpn with a remote server. The remote server is the default gateway of the Linux machine.
07:27 < sled> the client PC sends ping requests to a host in the Internet, and replies are flowing back until the Linux gateway's tun0 interface. tcpdump shows that the destination of replies is the IP of the client PC, locally attached and visible. But packets are not forwarded to it. How can I do ?
07:29 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
07:31 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
07:35 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:39 -!- sled [~sled@195.176.51.46] has quit [Quit: Lost terminal]
07:41 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has joined #openvpn
07:41 < ice9> is it possible in the future to have compression algorithm to get much less data size than the comp-lzo?
07:42 <@krzee> sure, we even have snappy now
07:43 <@krzee> not sure if it gets size much lower, but its supposed to be more efficient
07:43 < ice9> where can i have a look?
07:43 <@krzee> (which could mean same size less cycles)
07:44 <@krzee> https://code.google.com/p/lz4/
07:44 <@vpnHelper> Title: lz4 - Extremely Fast Compression algorithm - Google Project Hosting (at code.google.com)
07:45 <@krzee> https://code.google.com/p/snappy/
07:45 <@vpnHelper> Title: snappy - A fast compressor/decompressor - Google Project Hosting (at code.google.com)
07:46 <@krzee> http://code.google.com/p/snappy/source/browse/trunk/README
07:46 <@vpnHelper> Title: README - snappy - A fast compressor/decompressor - Google Project Hosting (at code.google.com)
07:47 <@krzee> https://en.wikipedia.org/wiki/Snappy_(software)
07:47 <@krzee> looks like it aims for speed not size
07:48 <@syzzer> and there
07:48 <@syzzer> aargh
07:48 <@syzzer> lz4 in master
07:50 < ice9> but currently openvpn only supports lzo right?
07:50 <@syzzer> yes, 2.3 only does lzo
07:51 <@syzzer> but 2.4 will have more fancy compression :)
07:51 <@krzee> although some would call master "current"
07:51 < ice9> nice is that in the near future?
07:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
08:04 <@krzee> http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers?CMP=share_btn_tw
08:04 <@vpnHelper> Title: Health warning: Now e-cigarettes can give you malware | Technology | The Guardian (at www.theguardian.com)
08:20 <@syzzer> ice9: 2.4 will be released "when it's done", I expect in a couple of months or so
08:31 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has joined #openvpn
08:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 265 seconds]
08:48 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
08:59 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
09:07 -!- ice9 [~ice9@gateway/tor-sasl/ice9] has quit [Quit: Leaving.]
09:09 -!- TyrfingMjolnir [~Tyrfing@116.89.111.191] has joined #openvpn
09:13 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Ping timeout: 240 seconds]
09:17 < hydrajump> by default you have to supply a config path when starting openvpn, right? e.g. openvpn --config /etc/openvpn/server.conf ?
09:18 < hydrajump> I thought the daemon would look for config files in the /etc/openvpn dir by default if `--config` was not supplied
09:18 <@krzee> yes, if --config is the ONLY option you can drop --config and just give the config
09:18 <@krzee> no, your OS startup script may do that, openvpn has no default dir
09:18 <@krzee> or file, or anything
09:19 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
09:19 <@krzee> it'll think you're giving all options via -- commandline unless you give it a config
09:19 < hydrajump> ok thanks
09:19 <@krzee> np
09:20 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Client Quit]
09:21 < hydrajump> another thing I'm not entirely sure about. If my openvpn server only has one ethernet adapter, e.g. eth0 on a cloud server. If my openvpn server is bound to that adapter can I establish a VPN connection to eth0 and **then** reach other servers I have in the same subnet or does the server need to ethernet adapters?
09:21 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
09:21 < hydrajump> s/to/two
09:30 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
09:30 -!- ValdikSS [~valdikss@2001:470:28:22f::1004] has quit [Ping timeout: 265 seconds]
09:33 <@krzee> hydrajump, does not need 2
09:36 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
09:39 -!- lenwe [~lenwe@83.142.186.166] has joined #openvpn
09:40 -!- lenwe [~lenwe@83.142.186.166] has quit [Quit: lenwe]
09:42 -!- lenwe [~lenwe@83.142.186.166] has joined #openvpn
09:42 < lenwe> !welcome
09:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:43 < lenwe> !goal
09:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:45 < lenwe> !config
09:45 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
09:45 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
09:49 -!- You're now known as ecrist
09:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
09:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 272 seconds]
09:50 < lenwe> Hi there, I'm currently configuring multiple clients -> tcp server on dev tun and ran into new for me issue. Some of the clients works fine, some of them has virtual address mangled - it's shifted to the right by one octet and the first one is replaced by some random numer. Because of that, server learns for these clients 3-5 invalid addresses, so return packets are then dropped by the client. Does anybody
09:50 < lenwe> have an idea how to debug this problem?
09:51 < lenwe> I'm running OpenVPN 2.3.2-4 on CentOS 7 with radiusplugin.so or openvpn-plugin-auth-pam.so plugin.
09:55 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
10:09 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
10:16 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
10:18 < ghormoon> hi, is it possible to find somewhere how long were/will be releases supported (i.e. how long they get security fixes)? Ididn't manage to google that up (I search that for 2.0 now, but I'd like to know the others too when I'm searching for it to have reference)
10:19 < BtbN> As far as i'm aware there are no long term release series.
10:20 <@krzee> we just move forward mostly
10:20 <@krzee> so i dont really get the question
10:20 < BtbN> Distros will propably still backport security fixes into older versions though
10:20 <@krzee> is your question about openvpn?
10:21 < BtbN> I think he means something like Ubuntu 12.04 still getting updates. Just that OpenVPN isn't released that way. There is only the latest version, which moves forward constantly.
10:23 <@krzee> ghormoon, if thats your question you will want to ask the channel related to your distro
10:23 < ghormoon> I'll be given a server, which currently runs 2.0.9 and in the docs there's written they don't want 2.1/2.2/2.3 so I'm asking, if there will be 2.0.10+ in case of some security issue or not
10:23 < BtbN> no
10:23 < ghormoon> openvpn is installed manually there
10:24 <@krzee> no when 2.1 came out 2.0 was done, you need to upgrade that crazy oldness
10:24 <@krzee> im sure the openssl its linked to is very very insecure too
10:24 < ghormoon> and for now, is 2.0.9 safe? (I didn't google up any, just to be sure)
10:24 < BtbN> No, it's not. Upgrade that.
10:24 <@krzee> no, i cannot imagine a world where its linked to a safe openssl
10:24 < ghormoon> hm, I'll check openssl when I'll have the access
10:24 < BtbN> Well, OpenSSL isn't that important for openvpn
10:25 <@krzee> hahah
10:25 < BtbN> Doesn't it only use libcrypto?
10:25 <@krzee> ghormoon, dont bother, it is not safe.
10:25 < ghormoon> krzee: openssl is managed fhrough package manager, most likely
10:26 <@krzee> doesnt matter, openvpn was built with the libs from old openssl
10:26 < ghormoon> hm, I'd expect it to call openssl, good to know
10:27 < BtbN> OpenVPN itself had quite a few vulnerabilities since 2.0. You realy need to upgrade that.
10:27 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Read error: Connection reset by peer]
10:27 <@krzee> plus i bet the pki is hashed with md5
10:27 <@krzee> i bet i bet
10:28 < BtbN> 3 Remote Code Executing vulnerabilities in that version, gotcha. Get rid of it asapö
10:28 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
10:28 < ghormoon> BtbN: any exact place you pull that info from? I'd like to have link so I can give them reason
10:28 < BtbN> http://www.cvedetails.com/vulnerability-list/vendor_id-3278/Openvpn.html
10:28 <@vpnHelper> Title: Openvpn : Security vulnerabilities (at www.cvedetails.com)
10:29 <@krzee> https://openvpn.net/index.php/open-source/documentation/change-log/changelog-20x.html
10:29 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
10:29 <@krzee> oh no ignore my link
10:31 < ghormoon> I've found changelog, but that's not a thing that will say that the latest version is broken :)
10:31 <@krzee> oh and you can probably be shellshocked via openvpn if running scripts
10:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:31 <@krzee> since you probably have vuln shells too
10:31 < ghormoon> bash was updated there afaik, I'll check
10:32 <@krzee> with the whole "no update" policy
10:32 <@krzee> you telling me they updated bash THAT recently and still have openvpn 2.0.9?
10:32 < BtbN> I don't even see the point of discussing this. Update or trash that thing.
10:32 <@krzee> seriously
10:32 < ghormoon> well, at least the documentation says that, I don't have login on the machine yet
10:32 <@krzee> whose documentation
10:32 < ghormoon> these who were doing that before me
10:33 <@krzee> you working in a mental hospital?
10:33 < ghormoon> there's explicitly said that 2.1 and 2.2 Only bring features we don't use" and 2.3 is "too new"
10:34 < ghormoon> I just needed a link saying it's broken in case someone complains that I've updated it
10:34 < ghormoon> that's all
10:35 < ghormoon> that cve list should be enough I think
10:35 <@krzee> CVE-2005-3393
10:36 <@krzee> vuln to a bug that was found in 2005 and fixed in 2008
10:37 <@krzee> and hmac doesnt even help because thats leaked too, known for a year CVE-2013-2061
10:38 <@krzee> im not sure if thats the cve for the leaked hmac or not, but there was a bug for that
10:44 < ghormoon> that should be enough, thanks :) I don't expect them to resist, just to have at least one argument in case they ask why
10:50 <@krzee> https://community.openvpn.net/openvpn#Announcements
10:50 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
10:51 <@krzee> and you're right having openssl built in static is for windows and embedded i guess
10:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
10:55 -!- Olipro [~Olipro@uncyclopedia/pdpc.21for7.olipro] has quit [Ping timeout: 256 seconds]
10:58 -!- lenwe [~lenwe@83.142.186.166] has quit [Ping timeout: 250 seconds]
11:04 < hydrajump> why would I get this error "Options error: --secret fails with 'static.key': No such file or directory" if there is such a file in the same dir as the server.conf?
11:04 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:06 < hydrajump> does the path to static.key need to be an absolute path?
11:06 <@krzee> if not using --chroot, it will look in the dir you are in when you run openvpn
11:06 <@krzee> if using some OS scripts, it may have default dirs
11:07 <@krzee> in some linux that is /etc/openvpn/   in windows its program files\openvpn\config or conf or whatever
11:07 < hydrajump> ah I see.
11:07 <@krzee> but openvpn itself has no dir it looks in, so using full paths is a good idea
11:08 <@krzee> note theres also --cd
11:09 <@krzee> instead of adding a full path to many places you can use a --cd to the dir where they all are (earlier in the config than the filenames)
11:10 < hydrajump> ok
11:10 < hydrajump> question about openssl. I have this when i start openvpn "OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014"
11:11 < hydrajump> and openssl is not installed on this system. Does this version of openvpn have openssl statically compiled and that's why it works without openssl on the system?
11:12 -!- TyrfingMjolnir [~Tyrfing@116.89.111.191] has quit [Quit: Searching for Waimea]
11:13 <@krzee> hydrajump, locate openssl
11:13 <@krzee> type that
11:13 < hydrajump> krzee: empty
11:14 < hydrajump> i can install it via apt
11:14 <@krzee> what are you on?
11:14 < hydrajump> this is ubuntu 14.04 in a Docker image
11:17 < hydrajump> apparently it doesn't come with openssl. I was just curious as my understanding is that openssl is what OpenVPN uses for all the encryption/decryption. If it is not on the system does OpenVPN still work as `[SSL (OpenSSL)]` is in the output, e.g. "bundled" with openvpn that is in apt?
11:18 <@krzee> ya i guess its static if not linked
11:18 <@krzee> only 2 options
11:18 <@krzee> hehe
11:18 <@krzee> if it has symbols you can see with nm whats static
11:18 <@krzee> if linked, ldd
11:18 < hydrajump> hmm so as the version of openvpn is 2.3.2 from Feb 4, then the version of openssl it comes with is vulnerable to heartbleed?
11:19 <@krzee> err if dynamically linked*
11:19 <@krzee> guess so
11:19 < hydrajump> that sucks. so then I have to compile openvpn myself :(
11:19 <@krzee> did you run locate as root?
11:19 < hydrajump> yes
11:20 <@krzee> why not just use apt-get to upgrade it?
11:20 <@krzee> since you said you can install openssl via apt
11:20 < hydrajump> krzee: so if I install openssl via apt openvpn will use the system version instead of the version it came with?
11:20 < hydrajump> is that how it works?
11:21 <@krzee> not sure, depends on the packagers
11:21 <@krzee> show me openssl --version
11:21 <@krzee> err
11:21 <@krzee> openvpn --version
11:21 < hydrajump> is there a way to get the version of openssl that openvpn is currently using somehow?
11:22 < hydrajump> https://gist.github.com/anonymous/26985ad8200acca67363
11:22 <@vpnHelper> Title: gist:26985ad8200acca67363 (at gist.github.com)
11:23 <@krzee> enable_static=yes
11:24 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
11:24 < hydrajump> so whatever version of openssl existed at the time that package of openvpn was created, is what openvpn is using..and even if I install a newer system version it won't be used?
11:27 < hydrajump> libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f9392bc2000)
11:28 <@krzee> im not sure what apt will do, if you build it manually you get to choose what it does
11:29 < hydrajump> krzee: http://serverfault.com/questions/591246/verify-openvpn-is-no-longer-vulnerable-to-heartbleed
11:29 <@vpnHelper> Title: Verify OpenVPN is no longer vulnerable to Heartbleed - Server Fault (at serverfault.com)
11:30 < hydrajump> apparently that answer says the openssl version statically compiled with openvpn is ok
11:32 <@krzee> cool
11:34 < hydrajump> i wish the latest version was available, e.g. 2.3.5 in apt, but apparently a package does not exiset in the openvpn apt repo yet.
11:34 <@krzee> check if another repo has it
11:34 < hydrajump> Not sure I'm comfortable building openvpn myself in addtion to configuring it for use.
11:35 < hydrajump> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos "Sorry, no trusty (Ubuntu 14.04) packages available yet."
11:35 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
11:45 < hydrajump> oh maybe I can install the saucy version on trusty
11:50 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
12:08 -!- ayaka [~ayaka@27.151.1.138] has joined #openvpn
12:08 < ayaka> I have a problem with static key
12:08 < ayaka> I can't keep connection while there is no data being transformed
12:09 -!- Latrina [~Latrina@adsl-ull-173-242.45-151.net24.it] has quit [Ping timeout: 244 seconds]
12:09 < ayaka> persist-key and persist-tun don't work
12:11 <@krzee> use a keepalive
12:11 -!- Latrina [~Latrina@ppp-71-44.26-151.libero.it] has joined #openvpn
12:11 <@krzee> (on both sides)
12:14 < ayaka> yes, but it is strange, the normal key way doesn't need that
12:14 < ayaka> why static key need it?
12:28 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
12:35 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:36 < ayaka> krzee, thank you
12:36 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:36 <@krzee> the normal way should also have a keepalive
12:38 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:51 <@Eugene> !download
12:51 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore or (#3) Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html or (#4) in the community version of openvpn (only
12:51 <@vpnHelper> thing supported here) there is no separate download for client/server, it is the same install with different configs
12:51 <@Eugene> That factoid could probably use a shortening
13:02 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
13:03 -!- ghormoon [~ghormoon@ghorland.net] has quit [Ping timeout: 256 seconds]
13:03 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
13:39 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
13:48 <@ecrist> Eugene: nobody's stopping you. 
13:48 <@Eugene> !whoami
13:48 <@vpnHelper> I don't recognize you.
13:48 <@Eugene> You sure about that? ;-)
13:48 <@ecrist> tell me what you want it to say and I'll fix it directly
13:48 <@ecrist> !whoami
13:48 <@vpnHelper> ecrist
13:48 <@ecrist> oooh
13:48 <@Eugene> I'd just nuke 2 & 3
13:48 <@ecrist> I don't think i have any access thought
13:48 <@Eugene> Hahaha
13:49 <@Eugene> Fookin bot
13:49 <@ecrist> !factoids delete download 3
13:50 <@plaisthos> openvpn.se is extremely odl ...
13:51 <@ecrist> !download
13:51 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
13:51 <@ecrist> better?
13:52 <@Eugene> Ya
14:09 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
14:12 <@dazo> Eugene: you do know we added that one not that long ago ... because people actually downloaded that crapishly old version?
14:12 <@dazo> (not that long ago 2 years or so)
14:12 <@Eugene> I did not know that
14:13 <@dazo> some people are surprisingly stupid ....
14:13 <@dazo> (not you, but people who dowload ancient versions and expects it to work)
14:14 <@Eugene> Something something split it into an !old
14:14 <@dazo> fair enough
14:14 <@Eugene> I just think it's poor form to have a wall-of-text
14:15 <@dazo> yeah ... stupid users won't even read all of it and still complain
14:16 <@dazo> But we've also had reports about openvpn downloads from download.com  .... with the malware crap they added ... that's probably 3 years ago, dunno if that's changed since then
14:16 <@dazo> s/malware/crapware/
14:17  * Eugene shrugs
14:17 <@Eugene> This is just like, my opinion, man.
14:49 -!- dazo is now known as dazo_afk
14:51 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:00 < hydrajump> is there a convention for where to place certs and keys on servers/clients? E.g. if the server.conf goes in /etc/openvpn/ does the ca.crt,server.crt and server.key and dh.pem all go there as well?
15:03 < hydrajump> btw pekster awesome job on easy-rsa v3. Very easy to use and your instructions and explanations in the various MD files are great!
15:05 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 256 seconds]
15:08 < ValdikSS> pekster: Hi! Please check out my pull requests
15:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:20 < pekster> ValdikSS: Yea, that friendly name change looks fine; that and an unrelated fix for LibreSSL will go in this afternoon
15:21 < pekster> ValdikSS: The export pass thing is doable, but odd; if you just press [enter] at the password prompt it already exports a pkcs12 without a password, and batch callers can't (currently, maybe for 3.1) set a password at all
15:21 < ValdikSS> pekster: actually i've made a fork with ipsec support so the keys works with OpenVPN and IPsec
15:22 < ValdikSS> pekster: https://github.com/ValdikSS/easy-rsa-ipsec
15:22 <@vpnHelper> Title: ValdikSS/easy-rsa-ipsec · GitHub (at github.com)
15:23 < ValdikSS> pekster: if it is OK to merge, i'll prepare patches
15:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:24 < pekster> I can pull/merge right from your feature-branch (there's no ugly rebasing needed, so it looks clean enough.) I'm wondering more about 5df1c56 -- besides avoiding making the user press enter, I don't see it actually does anything
15:25 < pekster> Or did that change the behavior when -batch was passed to openssl too?
15:25 < ValdikSS> pekster: no, you're right
15:25 < pekster> fwiw, I'm aiming to make password selection both more flexible and more batch-friendly in a future release, but openssl 0.9.x and 1.0.x do things vastly differently, making that a bit of a nightmare :\
15:26 < ValdikSS> pekster: so what about ipsec support?
15:26 -!- mattock is now known as mattock_afk
15:26 < ValdikSS> pekster: https://github.com/ValdikSS/easy-rsa-ipsec/commit/4b44d8125d96f49fd777ffb228d10e149ad4ffcf
15:26 <@vpnHelper> Title: IPsec support: · 4b44d81 · ValdikSS/easy-rsa-ipsec · GitHub (at github.com)
15:26 < ValdikSS> pekster: https://github.com/ValdikSS/easy-rsa-ipsec/commit/fdce36dc32e11b768bafe3c175ce5fa0b0a81896
15:26 <@vpnHelper> Title: Add client san DNS equals to CN for EAP-TLS · fdce36d · ValdikSS/easy-rsa-ipsec · GitHub (at github.com)
15:27 < hydrajump> I'm looking at various openvpn server configs and even looking at the latest sample configs here https://github.com/OpenVPN/openvpn/blob/master/sample/sample-keys/gen-sample-keys.sh
15:27 <@vpnHelper> Title: openvpn/gen-sample-keys.sh at master · OpenVPN/openvpn · GitHub (at github.com)
15:28 < pekster> Those most likely should not go into 'client' and 'server' types -- most people using things like "Bob Client" do not intend that to be a FQDN used for DNS authentication
15:28 < pekster> The idea of x509-types is that specialized types get their own nomenclature, which is exactly the intent for things like ipsec
15:28 < hydrajump> it seems that 4096 RSA keys are the most secure and I wonder why the DH params file is only generated with 2048 bits and not the same 4096. Can someone explain pls?
15:29 -!- niklas_e [~niklas@176.10.248.228] has joined #openvpn
15:29 < pekster> ValdikSS: So, the idea being let's figure out what is needed for ipsec (looks like you've done most of the hard work there already) and then sign with, for example: `./easyrsa sign-req ipsec-client some-client-request-name`
15:29 < niklas_e> is there any way to store the user and password so openvpn will use it automaticly?
15:29 < ValdikSS> pekster: most IPsec implementation requires SAN DNS to be real DNS which you're connecting to. Like, if you have a key with wrong SAN DNS, it just won't connect
15:29 < ValdikSS> pekster: you can't even connect by IP for example
15:31 < pekster> Yes, but you've edited the "basic, vainilla, not-IPSec-specific 'client'" type.
15:32 < ValdikSS> pekster: so I'd better to create individual files for that?
15:32 < pekster> Surely openvpn users don't want subjectAltName=DNS:Bob Johnson in their certs
15:32 < pekster> (or whoever else)
15:32 < pekster> Yes, exactly. Best to copy x509-types/client to x509-types/ipsec-client
15:32 < ValdikSS> pekster: >Surely openvpn users don't want subjectAltName=DNS:Bob Johnson in their certs
15:32 < ValdikSS> why?
15:32 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
15:33 < pekster> Becuase "BOb Johnson" is not a DNS name -- for one you can't even have spaces in names :P
15:33 < ValdikSS> I use it for IPsec and this is the only reliable way to authenticate client
15:33 < pekster> Yes, and IPSec is not the only use-case of easy-rsa
15:34 < hydrajump> ok found an answer http://security.stackexchange.com/questions/47204/dh-parameters-recommended-size it seems that for dh 2048 bits is recommended
15:34 <@vpnHelper> Title: diffie hellman - DH parameters recommended size? - Information Security Stack Exchange (at security.stackexchange.com)
15:34 < pekster> Basic usage of x509-types is documented here: https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md#advanced-extension-handling
15:34 <@vpnHelper> Title: easy-rsa/EasyRSA-Advanced.md at master · OpenVPN/easy-rsa · GitHub (at github.com)
15:35 < pekster> hydrajump: Your DH size should be at least as large as your X.509 keypair size, otherwise you're effectively reducing the security of the DH handshake
15:35 < ValdikSS> pekster: I can create certificate with spaces in SAN DNS without any problems
15:35 < ValdikSS> pekster: I know this is not correct but it works
15:36 < pekster> Yes, I know it "works." So do the gargabe easyrsa v2 made everyone put in their certs demadning you provide your Country, State, Locality, Organization, and Organizational Unit
15:37 < ValdikSS> pekster: I mean, it's the only reliable way to make it work with IPsec
15:37 < ValdikSS> pekster: it won't work without SAN DNS at all
15:37 < pekster> Yes. So sign your certs with the right type that you add support for
15:37 -!- niklas_e [~niklas@176.10.248.228] has quit [Quit: Leaving]
15:38 < ValdikSS> pekster: What should I do to include this in mainline? Just split it into another type?
15:38 < pekster> I gave you exdample syntax above, and linked you to the advanced readme document explaining your exact use-case/need. I'm happy to merge support in to support ipsec, but I'm not willing to do "wrong" things so "it happens to work for a particular use-case"
15:38 < pekster> Yes
15:38 < hydrajump> pekster: so if my rsa key size is 4096 the dh params should also be 4096?
15:39 < pekster> hydrajump: Should be, yes. You can use smaller DH sizes, but there's little point in wasting time on larger private keys then
15:39 < pekster> ValdikSS: In IPSec, would anyone ever set the CN to something not the FQDN?
15:40 < pekster> ie: can your CN be arbitrary so long as the subjectAltName is correct?
15:40 < hydrajump> pekster: ah that's why you only have the one --keysize option for easy-rsa. Thanks I didn't know that. Seems that the examples I've seen online don't follow this practice. Too bad there is so much misinformation online.
15:40 < ValdikSS> pekster: Server keys should use FQDN and client keys may use anything. I use usernames
15:40 < ValdikSS> pekster: >can your CN be arbitrary so long
15:41 < ValdikSS> pekster: I don't know, should be checked
15:41 < hydrajump> this should really be updated then to illustrate the secure approach https://github.com/OpenVPN/openvpn/blob/master/sample/sample-keys/gen-sample-keys.sh#L70
15:41 <@vpnHelper> Title: openvpn/gen-sample-keys.sh at master · OpenVPN/openvpn · GitHub (at github.com)
15:41 < ValdikSS> pekster: actually I was wrong with SAN DNS. It's not explicit for client but it didn't work without it in Windows Phone if I recall correctly
15:43 < pekster> ValdikSS: Hmm, k. Maybe I need to put a bit of thought into this then. Re-using the REQ_CN for an ipsec-client cert-signing-type is effectivly saying "whatever the client has supplied in their request for the CN is literally the DNS FQDN of this node"
15:43 < pekster> ValdikSS: Do you happen to have RFC handy for required and/or recommended practices? If not, I'll see if I can dig some up tonight
15:44 < ValdikSS> pekster: Sorry, I don't. There are some helpful guys in #strongswan
15:44 < pekster> I'm not trying to make this harder, but I'd rather not hard-code defaults that don't make sense, forcing them on everyone
15:44 < pekster> ( or rather, everyone using client-ipsec types)
15:44 < pekster> Sure. I'll ping them if I get stuck, but my google-fu with RFC is pretty good :)
15:45 < ValdikSS> pekster: I perfectly understand. My solution may not be perfect but I tried a lot and this settings are works for a variety of devices for me
15:46 < ValdikSS> pekster: I'm not even sure if it is RFC-compliant
15:46 < pekster> Yea, having something that works to base on is a huge help since I don't really have the time and interest in checking device diversity like you've done
15:46 < ValdikSS> pekster: I mean, it's surely not right to set SAN DNS to something with spaces and symbols but it works
15:46 < pekster> Yea. You said things broke if it didn't have the SAN?
15:47 < ValdikSS> pekster: only on Windows Phone if I remember correctly
15:47 < pekster> Figures..
15:47 < pekster> Wonder if there's a security vulnerability lying there :P
15:48 < ValdikSS> pekster: actually it's recommended to use email address but it's bound to only one server then
15:48 < ValdikSS> pekster: like if you create client key username@server.fqdn then it can connect only to server.fqdn and not server2.fqdn
15:48 < ValdikSS> pekster: there is not such problems with SAN DNS
15:48 < pekster> That's in theory what a SAN is supposed to be used for too
15:49 < pekster> For instance, a cert for voip.example.net might have SAN:DNS for backup-voip.example.net if the primary/backup share a keypair that is issued as valid for both
15:49 <@Eugene> Took me a minute to realize you meant SubjectAltName, not Storage Area Network.....
15:49 < pekster> But here again, I don't know what the spec on IPSec says about that yet; they might leave it up to vendor implementations
15:50 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
15:50 <@Eugene> I was about to go into a big shpiel about Fiber Channel addressing
15:50 < ValdikSS> pekster: https://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29/38
15:50 <@vpnHelper> Title: iOS - Apple iPhone/iPad... and Mac OS X Interoperability - IOS (Apple) - strongSwan - strongSwan - IKEv2/IPsec VPN for Linux, Android, FreeBSD, Mac OS X, Windows (at wiki.strongswan.org)
15:51 < ValdikSS> pekster: Certificate requirements for iOS interoperability
15:51 < ValdikSS> pekster: So it's iOS then
15:52 < ValdikSS> pekster: Sorry I should leave for a 30min
15:52 < pekster> np, you've provided helpful resources already
15:54 < pekster> hydrajump: Re sample keys, maybe, but those are _sample_ keys only. Users generating keys for production (or anything non-test really) ought to use more formal procedures
15:54 < pekster> That entire script is "bad practice" since it keeps all the private keys in one place. But again, this is fine/expected for testing
15:57 < hydrajump> pekster: since easy-rsa v3 password protects the private keys. In the server and client configs do I need to specify each key's pass for openvpn to be able to use them?
15:58 < hydrajump> so in server.conf `key server.key` do I need to supply the pass to the key?
16:03 < pekster> Yes, or provide it programatically via the management interface (see management.txt.) If you're doing automated connections, such as daemon-based server startup, you usually use unencrypted keys
16:03 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Read error: Connection reset by peer]
16:03 < pekster> So, either generate it unencrypted, or decrypt it in the location where the instance is expecting it
16:04 < pekster> This is no different than how a webserver works
16:06 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has joined #openvpn
16:13 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
16:17 < hydrajump> ok I understand
16:35 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:41 < taylorbyte2013> i can't ping through my openvpn tunnel. was wondering if the versions of openvpn have to match i have 4.10.8 on the client and 4.10.7 on the server?
16:46 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:6008:2825:2cd5:127a] has quit [Quit: Leaving]
16:47 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:50 < pekster> taylorbyte2013: No clue what you have. The latest OpenVPN is 2.3.5, released 28 Oct, 2014
16:53 < taylorbyte2013> pekster: sorry i read the wrong package names the client is 2.3.4 and the server is 2.2.2
16:54 < pekster> That'll work; you'll be unable to use certain features that are only in 2.3.x (such as IPv6 inside the VPN tunnel, and TLSv1.2, offered starting in 2.3.3) but otherwise the versions will generally play nice
16:54 < taylorbyte2013> pekster: ok cool
16:55 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
16:56 < taylorbyte2013> the server is working with other routers running 2.2.2. i copied the configs off one of the working routers to the new 2.3.4 one and generated new certificates. everything looks right just can't ping.
16:57 < pekster> If it's connected and doesn't die (and you're using/pulling --keepalive or its expansion and do not get disconnected after the timeout periods) then you almost certainly have a firewall problem
16:58 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
16:59 < taylorbyte2013> pekster: i also cleared iptables and tried iptables -A INPUT -i tun+ -j ACCEPT
17:03 < pekster> Best start with !configs and !logs if you're having basic connectivity troubles
17:07 -!- DonRichie [~DonRichie@ricl.de] has quit [Remote host closed the connection]
17:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:cd2:a78:e492:3a7] has joined #openvpn
17:09 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
17:09 < pekster> ValdikSS: If you're playing along at home, the rather long/dry RFCs that appear to be point here are RFC4809 and RFC4945. The former is an "informational" document, and the latter, published in 2007, is a "proposed standard." No wonder this whole mess is clear as dry mud
17:12 < taylorbyte2013> pekster: https://bpaste.net/show/ed2bea7c7d2a
17:13 -!- TyrfingMjolnir [~Tyrfing@116.89.111.191] has joined #openvpn
17:16 < pekster> taylorbyte2013: Don't se --comp-lzo to the value of '0' (I've no clue if that's even valid without digging in sources, but the documentation says to use yes, no, or adaptive. comp-lzo settings should explicitly match between peers (and then optionally be pushed from the server after that)
17:17 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
17:17 < pekster> Also, does your client _remain_ connected for 2 minutes? (120 seconds?) Your logs (which aren't from a fresh startup OR at --verb 4, by the way) seem to indicate it timed out
17:21 < taylorbyte2013> pekster: i had to change comp_lzo to no for the new openvpn because it complained that it wasnt a yes no ore adaptive.   it seems to be doing [server] Inactivity timeout (--ping-restart), restarting every 2 mins
17:21 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 264 seconds]
17:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:21 < pekster> Right. But you're using an unspecified value of '0'
17:22 < taylorbyte2013> on the 2.2.2 version
17:22 < pekster> line 77. Consult the manpage for valid options
17:22 < taylorbyte2013> how do i push the server comp_lzo setting like you mentioned earlier?
17:23 < pekster> Don't worry about that; you don't want to do that here
17:23 < pekster> (you'd do it via --push, or more practicaly in a ccd or --client-connect script. Save the advanced dynamic per-client option overrides for when you know what/why you need that)
17:24 < pekster> Line 77 is still wrong. 2.2.2 did not document support for the '0' option there either
17:24 < pekster> !man
17:24 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:28 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Read error: Connection reset by peer]
17:29 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
17:40 < taylorbyte2013> pekster: anyway i changed the comp_lzo to yes on both and its still timing out every 2 mins
17:44 < pekster> Did you restart both instances after the change? (most config changes require a restart to implement.) Also, does the client listed 'initialization sequence completed' before it dies?
17:57 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:cd2:a78:e492:3a7] has quit [Ping timeout: 258 seconds]
17:58 < taylorbyte2013> pekster: yep restarted both. stop and start actually to make sure. and the client does say "Initialization Sequence Completed" then next line in the log is "[server] Inactivity timeout (--ping-restart), restarting"
18:01 < pekster> It means keepalive traffic isn't getting through from the server to the client after connection, possibly due to an agressive firewall between the native path of the endpoints, or a routing problem created by VPN setup (but you don't appear to be pushing any routes across)
18:02 < pekster> You don't have something silly like a 10/8 network at either end, right?
18:07 < taylorbyte2013> i have /30
18:08 < taylorbyte2013> the vpn is working with 2 other routers
18:09 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:11 < taylorbyte2013> the /30 addresses are what the vpn is tunneling through
18:11 < pekster> huh? 10.0.0.1 is part of 10.0.0.0/30??
18:13 < zoredache> perhaps he is taloking about a topology net30?
18:13 < pekster> What's the topology here, and it is a bit odd you're using RFC1918, and such a common network at that (this will effectively break if you try to access or route across another 10.0.0.0/X network, and that's a pretty popular network. If you can gaurentee no collisions, that's a non-issue
18:14 < pekster> it's topology subnet in the configs, so I don't get where a /30 comes into play. Feels to me like either a network addressing overlap, or a badly configure firewall, possibly not handling state properly
18:14 < pekster> Though with keepalives every 10 seconds, firewalls "should" be smart enough not to reject traffic between the client and whatever 10.0.0.1 is
18:19 < taylorbyte2013> topology is:  (tun0(10.10.0.1/24) server-router 10.0.0.1/24) > (10.0.0.2/24 router 10.0.1.13/30) > (10.0.1.14/30 router 10.0.1.17/30) > (10.0.1.18/30 client-router tun0(10.10.0.6/24))
18:20 < taylorbyte2013> both end routers can ping each other and the client-router can get internet
18:20 < taylorbyte2013> i just want to lower the hops with openvpn
18:20 < pekster> Strictly speaking, the client gets whatever IP the server gives it (if you're trying to do static client IP with ccd, you should exclude it from the implicit pool)
18:21 < taylorbyte2013> ipp.txt?
18:21 < pekster> But the topology looks okay (I'm a bit confused about your goals, but that's not important)
18:21 < pekster> That's a 'suggestion' only
18:22 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 255 seconds]
18:22 < pekster> It'll probably stay persistent, but it's like DHCP pool history; if it's not currently assigned to a client, it's fair game to be given out again. Probably OK here
18:22 < taylorbyte2013> i added a line into the ipp.txt file from the begining "10.0.1.18,10.10.0.6"   should i have let openvpn do it by itself ?
18:23 < pekster> Won't matter; the effect is the same, although openvpn would give out .2 (first pool IP) by default
18:23 < pekster> You've just set a different default recommendation for that client
18:23 < pekster> Is there anything in that ccd/ dir?
18:23 < taylorbyte2013> nothing
18:24 < pekster> Full logs of the connection attempt (we'll start with the client -- might be useful to see/have the server's side too if that's not revealing) from VPN startup to disconnect would help
18:24 < pekster> At --verb 4 (not 3)
18:25 < pekster> It'll likely be a couple-hundred lines
18:31 < taylorbyte2013> client log: https://bpaste.net/show/84df9835854f i had to use --verb 9   4 wasnt much different to what i had
18:32 < taylorbyte2013> my connection for irc is going through a vpn to that same server so if restart it ill drop out for a bit
18:34 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:c166:3485:9a93:efdb] has joined #openvpn
18:36 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 256 seconds]
18:46 -!- Denial [~Denial@81.141.8.23] has joined #openvpn
18:57 < pekster> ValdikSS: I opened issue #49 and added some info to it. I'll have a branch of my own shortly for you to try out the core requirements I've listed from RFC4945, and perhaps you can see if they work on some of your infrastructure? Notably the proposed standard suggets to omit eKu entierly, or use a specific OID that isn't included in the earlier patches (that seems to be from a 1998 standard that's been abandonded)
18:57 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
19:09 < hydrajump> the `tls-auth` key is generated via openvpn and not easy-rsa, right?
19:11 < hydrajump> just curious why all other keys are generated with easy-rsa and not the tls-auth one?
19:13 -!- TyrfingMjolnir [~Tyrfing@116.89.111.191] has quit [Quit: Searching for Waimea]
19:22 < pekster> hydrajump: Right. tls-auth uses a key that is openvpn-specific (2048 bits in size, which isn't related to X.509 at all, but 4 * 512 bits, supporting up to 4 unique keys (each side, plus each direction) for hashing methods that use up to 512 bits (eg: whirlpool)
19:22 < pekster> Alternatively --tls-auth can use "any other formatted file" and will hash it, but it's best not to do that (and IIRC, that support might be getting deprecated and/or going away at some point)
19:24 < hydrajump> pekster: thanks for explaining. So does my openvpn server need to be completely configured before I can generate that key or is the key generation not dependent on the specific openvpn server config? I.e. can the key be created with the same version of openvpn but on another system?
19:24 < pekster> ValdikSS: See how this works for you: https://github.com/QueuingKoala/easyrsa3/tree/ipsec-rfc4945 (commit 448ee27 specifically.) You'll need to generate the request such as with: `./easyrsa --subject-alt-name="DNS:ipsec.example.net" gen-req ipsec-server-1`
19:24 <@vpnHelper> Title: QueuingKoala/easyrsa3 at ipsec-rfc4945 · GitHub (at github.com)
19:25 < pekster> Oh, and sign with `./easyrsa sign-req ipsec ipsec-server-1` to use the modified extensions
19:28 < pekster> hydrajump: Anything openvpn that supports 'version 2' of that key format is fine (it'll say so in the header.) That is a share-secret, so you'll need to transport it over a secure link to all your peers
19:29 < hydrajump> pekster: ok you mentioned version 2 but in the ta key header it says "-----BEGIN OpenVPN Static key V1-----"
19:29 < hydrajump> this was generated with 2.3.5
19:29 < pekster> Oh, that's current I guess
19:30 < pekster> dunno what the old format was, but there was something less-than-2048 (which is an issue if you do need all the bits)
19:31 < hydrajump> ok no worries just checking ;)
19:34 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
19:34 < pekster> Back to 2.1.0 it's that same 2048 V1 (and earlier isn't in git, so I'm too lazy to go find it.) So, anything in the last 7 years is fine ;)
19:36 < hydrajump> thanks for looking pekster!
19:41 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 245 seconds]
19:56 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:58 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
20:05 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 272 seconds]
20:07 -!- KNERD [~KNERD@23.227.189.101] has quit [Ping timeout: 240 seconds]
20:08 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:29 -!- TyrfingMjolnir [~Tyrfing@bb220-255-167-138.singnet.com.sg] has joined #openvpn
20:30 < hydrajump> on this page https://community.openvpn.net/openvpn/wiki/Hardening it says " The 0/1 value is arbitrary and must be the opposite between peers (or omitted entirely.)" in reference to the --tls-auth option
20:30 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
20:30 < hydrajump> if the 0/1 is omitted you don't get the full benefit of 4 keys, but instead only 2 are used right?
20:33 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
20:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
20:35 -!- KNERD [~KNERD@23.227.189.101] has joined #openvpn
20:40 < hydrajump> is the `cipher AES-256-GCM` option supported?
20:44 -!- cloudbud [c65fe2ec@gateway/web/freenode/ip.198.95.226.236] has left #openvpn []
20:45 -!- TyrfingMjolnir [~Tyrfing@bb220-255-167-138.singnet.com.sg] has quit [Quit: Searching for Waimea]
20:47 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
20:50 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
20:57 < _FBi> is it true ovpn works on computers now?
21:10 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has joined #openvpn
21:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
21:56 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:57 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
22:58 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 265 seconds]
23:00 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
23:04 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
23:08 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
23:09 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 240 seconds]
23:12 -!- ShadniX [dagger@p5481D66E.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:13 -!- ShadniX [dagger@p5481D08C.dip0.t-ipconnect.de] has joined #openvpn
23:16 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
23:56 -!- kirin` [telex@gateway/shell/anapnea.net/x-aqorrjselhxymmoo] has quit [Ping timeout: 264 seconds]
23:57 -!- kirin` [telex@gateway/shell/anapnea.net/x-aiqhdmvagxandgnr] has joined #openvpn
--- Day changed Tue Nov 25 2014
00:57 -!- mattock_afk is now known as mattock
01:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 272 seconds]
01:32 -!- yegorich [d5d163ca@gateway/web/freenode/ip.213.209.99.202] has joined #openvpn
01:37 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
01:37 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:39 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
02:02 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
02:34 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 272 seconds]
02:37 -!- kokel [~quassel@www.kokelnet.de] has joined #openvpn
02:49 -!- ayaka [~ayaka@27.151.1.138] has left #openvpn ["离开"]
02:49 -!- kokel [~quassel@www.kokelnet.de] has quit [Remote host closed the connection]
02:51 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
02:59 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
03:10 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
03:44 -!- ValdikSS [~valdikss@2001:470:dd8a:dead::64f] has quit [Read error: Connection reset by peer]
03:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
04:09 -!- dazo_afk is now known as dazo
04:11 -!- MogDog is now known as Laika
04:11 -!- Laika is now known as MogDog
04:33 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
04:36 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:52 -!- BaNzounet [~ubuntu@ec2-54-72-61-12.eu-west-1.compute.amazonaws.com] has joined #openvpn
04:52 < BaNzounet> Hey guys!
04:53 < BaNzounet> When I'm trying to launch openvpn I get this error : Cannot load certificate file /etc/openvpn/keys/vpn-gateway.crt: ... Not found
04:53 < BaNzounet> and indeed the file is not there
04:53 < BaNzounet> But I can't find how to create it
04:53 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
04:53 < BaNzounet> What am I missing?
04:54 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
05:11 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:15 -!- ValdikSS [~valdikss@lv1.pvpn.pw] has joined #openvpn
06:21 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
06:44 -!- ckorzhik [~user@176.194.0.157] has joined #openvpn
06:54 -!- ckorzhik [~user@176.194.0.157] has quit [Read error: Connection reset by peer]
06:54 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
06:57 <@dazo> BaNzounet: using chroot?
06:57 <@dazo> BaNzounet: or are the permissions correct?
06:57 <@dazo> (including on all the directories the whole way through)
07:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 258 seconds]
07:16 < BaNzounet> dazo: My bad, I just realize that the vpn-gateway was the name of the server keys
07:16 < BaNzounet> I was using an old ansible roles to create that server
07:24 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Excess Flood]
07:27 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
07:30 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:36 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:43 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
07:45 -!- u0m3 [~u0m3@92.80.86.86] has quit [Read error: Connection reset by peer]
07:45 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
07:57 < hydrajump> does it make sense to use `remote-cert-tls client` in the server config to check the clients connecting are in fact clients?
07:59 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
08:05 < BtbN> You give all your clients the same cert, or you have multiple with the same name?
08:06 < BtbN> It won't hurt, but i also don't think it is too usefull. If someone connects with a non client cert, and you didn't create one, you are in trouble anyway
08:08 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:09 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
08:11 < hydrajump> BtbN: no each client has a unique cert.
08:12 -!- u0m3 [~u0m3@92.80.86.86] has quit [Ping timeout: 265 seconds]
08:19 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:23 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 264 seconds]
08:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
08:28 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
08:29 -!- Pyrogerg_ [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:29 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: Connection reset by peer]
08:35 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:36 -!- Pyrogerg_ [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 240 seconds]
08:38 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
08:40 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:49 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:06 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
09:08 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
09:09 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
09:09 < hydrajump> the default `keepalive 10 120` looking at the manpage it the example there is `keepalive 10 60`. In the first setting a ping is sent every 10 seconds, but the connection is considered dead if no ping is received in 240 seconds right?
09:14 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:16 <@dazo> hydrajump: if actually makes sense to check for the certificate usage if you have a strict CA regime where openvpn servers only have server certs and openvpn clients only have client certs .... this goes in particular if you have many distributed servers and clients .... if one server gets compromised, it can connect to another server as a client using the server certificate.
09:16 <@dazo> But if you only have (and plan to only have) one server, then it doesn't matter much
09:17 < hydrajump> dazo: thanks for explaining!
09:18 < hydrajump> dazo: can you help me out with my cipher and keepalove questions pls?
09:18 <@dazo> however, on the clients it makes more sense (to check in the client config if it is a server cert) .... otherwise another client can use its client certificate to become a server, which again can be used in a MITM attack
09:18 -!- Zimsky-- [~alice@unaffiliated/zimsky] has quit [Ping timeout: 255 seconds]
09:18 <@dazo> But if you check against usage flags, or if you check against certificate CN or fingerprints/digests ... that does much of the same
09:20 <@dazo> regarding ciphers ... I don't think AES-256-GCM is supported in any 2.3 release ... syzzer knows more about it, as he is our crypto expert :)
09:21 < hydrajump> hehe ok was just doing some research and read that CBC ciphers should be avoided and as I saw in the openvpn docs that `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` is available I thought if I set `cipher to AES-256-GCM and auth sha384` that would be the most secure
09:22 <@dazo> hydrajump: I know syzzer is looking at AEAD/GSM for OpenVPN, and he has some code for it but he isn't too happy about the performance yet
09:23 <@dazo> hydrajump: it is coming, and we've decided this should appear in OpenVPN 2.4
09:23 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
09:23 < hydrajump> dazo: cool! I'll use `AES-256-CBC and sha384` for now.
09:24 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
09:24 <@dazo> hydrajump: yeah ... I don't remember now if the EC support on the control channel works in 2.3, but it should work in our 'git master branch'
09:26 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
09:26 < hydrajump> I'm no crypto expert and I haven't used elliptical curves yet and I believe I read they are not supported everywhere, so I thought I'd stick to RSA for now.
09:39 -!- noecc [~irc@unaffiliated/noecc] has quit [Ping timeout: 258 seconds]
09:44 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Ping timeout: 264 seconds]
09:45 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:46 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
09:46 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
10:09 -!- yegorich [d5d163ca@gateway/web/freenode/ip.213.209.99.202] has quit [Ping timeout: 246 seconds]
10:09 <@syzzer>  hydrajump there's nothing wrong with AES-256-CBC as cipher in OpenVPN
10:09 <@syzzer> the nice this about GCM is primarily that it can be more efficient
10:10 <@syzzer> in TLS it's a different story, since they screwed up their protocol in such a way that CBC becomes more dangerous to use
10:10 <@syzzer> if you want to know more, read about MAC-then-encrypt (tls) vs encrypt-then-MAC (openvpn)
10:11 <@krzee> fell asleep last night watching videos from law class on executive order 12333, im lucky i didnt have nightmares
10:11 <@syzzer> (and about that efficiency, I have a working AES-GCM implementation for openpvn, but I screwed something up and made it *slower* instead of faster... so I need to find some time to investigate and fix first ;)
10:12 <@syzzer> krzee: lol. i have no clue what executive order 12333 is supposed to be, but I can imagine falling asleep while watching something like that :p
10:13 <@krzee> its how the US justifies sniffing the world
10:13 <@krzee> https://en.wikipedia.org/wiki/Executive_Order_12333
10:13 <@vpnHelper> Title: Executive Order 12333 - Wikipedia, the free encyclopedia (at en.wikipedia.org)
10:14 <@krzee> Impact[edit]
10:14 <@krzee> Executive Order 12333 has been regarded by the American intelligence community as a fundamental document authorizing the expansion of data collection activities.[9] The document has been employed by the National Security Agency as legal authorization for its secret systematic collection of unencrypted information flowing through the data centers of internet communications giants Google and Yahoo.[9]
10:14 <@syzzer> heh, was just reading that page indeed, it's one of the reasons for openvpn I guess ;)
10:15 <@krzee> certainly a good reason to use it
10:15 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
10:18 < hydrajump> syzzer: ok I was reading something on cloudflare's blog about it and they recommended staying away from CBC but from what you've said it's a different story with openvpn ;)
10:21 <@syzzer> in the case of cloudflare, that has very likely to do with TLS doing CBC wrong :)
10:23 <@krzee> syzzer, if you happen to be interested in us law i can tgz all the videos from class for you later
10:23 <@krzee> its a REALLY REALLY good class, from stanford law school
10:24 <@krzee> class = surveillance law
10:24 <@krzee> covers national and international
10:27 <@krzee> theres some interesting issues, such as the fact that passwords may not be compelled from you, but biometrics may and have no legal protection
10:27 <@krzee> should legally be the same with a private key (unencrypted)
10:27 <@krzee> of course if said private key is encrypted, then theres a password and its protected
10:27 <@syzzer> krzee: this one: https://www.coursera.org/course/surveillance ?
10:27 <@vpnHelper> Title: Coursera (at www.coursera.org)
10:27 <@krzee> yes.
10:28 < hydrajump> krzee: yeah there was recently a case I believe in the US where someone was obligated to unlock their iPhone with touch ID, but had they used a pass instead they wouldn't have had to give it up
10:28 < hydrajump> pretty crazy
10:28 <@krzee> in the "something you have, something you know, something you are" of security, only the "something you know" is legally protected
10:28 <@krzee> hydrajump, yes exactly
10:29 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
10:29 <@syzzer> I like to refer to this post for people using finger prints as authentication methods:
10:29 <@syzzer> http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
10:29 <@vpnHelper> Title: From the Canyon Edge: Fingerprints are Usernames, not Passwords (at blog.dustinkirkland.com)
10:30 <@krzee> theres also facial recognition unlock
10:30 <@krzee> not protected.
10:30 <@krzee> retinal scan, etc etc
10:32 <@syzzer> although the underlying thing is very much the same ('grant access to private data'), I do have to agree that using 'public' data (fingerprints, retina scan, etc) is quite different from using 'private' information (passwords, pins
10:33 <@krzee> yep
10:33 <@krzee> they look at it like this:  is it like a safe with a key, or a safe with a combination?
10:33 -!- Latrina [~Latrina@ppp-71-44.26-151.libero.it] has quit [Quit: ZNC - http://znc.in]
10:33 <@syzzer> but thanks for the recommendation, I did spot it some time ago, but if you say it's really good I might give it a try
10:33 <@krzee> if its like a safe with a key, they compell, if its like a combination they cannot
10:34 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:34 <@syzzer> but if you've hidden the key, you don't have to tell where ;)
10:34 <@krzee> it is, the teacher is a unique person in that he has his law degree from stanford and is currently getting his phd in computer science
10:34 <@krzee> syzzer, in their analogy you do i guess
10:34 < hydrajump> syzzer: hehe but if you use your retina...you're kinda screwed
10:35 <@syzzer> krzee: really? but that's something I *know*?
10:35 <@krzee> the teacher is also involved in privacy projects, as seen by his wikipedia entry
10:36 <@krzee> syzzer, well its a really tough area of law, even for lawyers… tech and law collide
10:36 <@krzee> not a ton of us are lawyers, not a ton of them are geeks
10:36 <@krzee> really great to learn from someone who actually understands both at a *stanford* level
10:37 <@krzee> im sure you've heard of stanford no matter where you're from
10:37 <@krzee> (i dont actually remember where you're from)
10:40 -!- Latrina [~Latrina@ppp-237-58.26-151.libero.it] has joined #openvpn
10:45 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
10:47 -!- novaflash_away is now known as novaflash
10:48 <@krzee> syzzer, their analogy has nothing to do with "something you know" that was something i said.  they say "is the lock like a lock that takes a key or a combination lock?"
10:54 -!- Latrina [~Latrina@ppp-237-58.26-151.libero.it] has quit [Ping timeout: 258 seconds]
10:56 -!- Latrina [~Latrina@adsl-ull-144-216.50-151.net24.it] has joined #openvpn
11:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:04 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
11:11 <@syzzer> krzee: from the netherlands, but I visited standford in 2009, and did their "Crypto I" coursera course (which is really good too!)
11:11 <@syzzer> *stanford
11:15 <@krzee> oh awesome!
11:15 <@krzee> i will have to take that too
11:24 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
11:42 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:43 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
12:08 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
12:11 -!- u0m3 [~u0m3@92.80.86.86] has quit [Ping timeout: 250 seconds]
12:40 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:43 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:48 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:01 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
13:22 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 250 seconds]
13:27 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
13:39 -!- sexyboy [~sexyboy@unaffiliated/sexyboy] has joined #openvpn
13:40 < sexyboy> hey, so i'm getting a openvpn erro 'tun_prop_error ifconfig addresses are not in the same /30 subnet' on my ios device, all other clients i have work well
13:41 < sexyboy> i'm using the OpenVPN Connect client
13:46 < BtbN> Try a subnet topology
13:55 < sexyboy> how do i do that?
14:09 -!- mattock is now known as mattock_afk
14:14 < sexyboy> this sounds like a bug in this client
14:14 < sexyboy> is OpenVPN Connect officiall?
14:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:15 <@dazo> sexyboy: OpenVPN Connect is the official closed-source version provided by OpenVPN Technologies
14:15 <@dazo> !as
14:15 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
14:16 < sexyboy> okay, thanks
14:34 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
14:42 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has quit [Quit: The more people I meet, the more I like my dog.]
14:50 -!- u0m3 [~u0m3@92.80.86.86] has quit [Ping timeout: 272 seconds]
14:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
15:05 <@novaflash> i wasn't able to help him either. looks like a misconfiguration to me somewhere in the configuration file either on the client or the server - not sure which. advised him to try access server and connect to that with openvpn connect, and compare the client configurations, learn from that, maybe copy or avoid certain settings.
15:05 <@novaflash> openvpn connect should be able to connect to an open source server but if there's a fault in the config that it trips over...
15:07 < sexyboy> well i connect using linux/windows and osx community clients with no issues
15:09 < sexyboy> but okay, thanks
15:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:09 -!- sexyboy [~sexyboy@unaffiliated/sexyboy] has left #openvpn []
15:10 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
15:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:28 -!- dazo is now known as dazo_afk
15:34 < hydrajump> the keepalive directive is only for the server-side, right?
15:43 -!- Denial [~Denial@81.141.8.23] has quit [Ping timeout: 240 seconds]
15:45 <@novaflash> --keepalive n m
15:45 <@novaflash> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
15:45 <@novaflash> so, i would assume so
15:46 -!- Denial [~Denial@81.141.8.23] has joined #openvpn
16:15 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
16:24 < hydrajump> ok thanks novaflash.
16:25 < hydrajump> I'm trying to troubleshoot my openvpn server and client configs. Is is possible to telnet to an openvpn server to check on basic connectivity?
16:26 < hydrajump> I keep seeing this error on the client https://gist.github.com/anonymous/e188a29f6c93ac270750
16:26 <@vpnHelper> Title: gist:e188a29f6c93ac270750 (at gist.github.com)
16:26 < hydrajump> but nothing happening on the server. I wonder if the error is misleading and is due to not being able to reach the openvpn server
16:28 < hydrajump> it does say this in the client logs "Connection is reachable. Starting connection attempt."
16:31 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Quit: ZNC - http://znc.in]
16:34 < pekster> Your pastebin isn't an error; it's informational
16:34 < pekster> If your server (at --verb 4) does not include the message 'Initial packet received from ...' then you haven't even made the initial connection yet
16:36 < hydrajump> pekster: ok the last message (verb 4) on the server is "Initialization Sequence Completed"
16:36 < hydrajump> so I have some connection issue somewhere
16:37 < hydrajump> ah
16:45 < hydrajump> ok now I'm getting somewhere. "initial packet" but failing on tls so I need to figure that out
16:55 < hydrajump> now I have another error https://gist.githubusercontent.com/anonymous/39771c3f1eb76be250d1/raw/a86e2fe269ee1806d4fafd912ed174b596e31a27/gistfile1.txt
16:56 < hydrajump> the permissions on the crl.pem are -rw------- 1 root root  980 Nov 25 16:22 crl.pem
16:57 < hydrajump> It the same as the other certs/keys in that dir
16:57 < hydrajump> hmm maybe it has a password
16:59 < hydrajump> no it does not get a pass after looking through easy-rsa
17:00 < hydrajump> ok disabling crl-verify got a connection working.
17:01 < pekster> It can't even open your file, much less process it
17:01 < pekster> Bad path or permissions leading up to it perhaps? If you downgrade permission you need the crl to be readable (and it's not confidential)
17:04 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Quit: No Ping reply in 180 seconds.]
17:05 < hydrajump> pekster: I checked the path and it in /etc/openvpn/pki/crl.pem. I downgrade using --user nobody and --group nogroup.
17:05 < hydrajump> I checked the permission on /etc/openvpn and it's owned by root:root
17:06 < pekster> Then you cannot set your CRL with such restrictive permissions
17:06 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
17:06 < pekster> 644 at minimum, or owned by nogroup and 644
17:06 < pekster> You also need either --persist-key or the key readable by 'nobody' (or worse, everyone.) Both of the latter options are probably horrible
17:07 < hydrajump> i have persist-key and persist-tun
17:07 < pekster> That doesn't help your CRL
17:07 < pekster> The CRL is consulted EVERY time a client connects, and your reduced-permission process is unable to read it; the error is quite correct that your CRL can't be read
17:07 < hydrajump> so I will change the permission on crl.pem. I just copied the file as was generated by easy-rsa. I wrongly assumed the default permissions worked
17:08 < pekster> Default permissions are intentionally restrictive in the PKI
17:08 < hydrajump> ok that makes sense and now I know
17:08 < hydrajump> I understand
17:09 < pekster> The only critically-important things to keep a secret are the private keys (CA key in particular, but really all of them) and the tls-auth key. Everything else can be considered public
17:10 < pekster> fwiw, if you do later revoke a cert and update the CRL, simply replacing the file suffices to prevent connections (no server restart needed, but only if you generated a CRL initially. Otherwise you'd need a restart to start using one)
17:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:20 < hydrajump> cool yeah I read that about the CRL somewhere and that's why I generated one right away with easy-rsa
17:22 < hydrajump> so my server and client configs seem to be working. I just need to figure out why the client can't access other machines on the openvpn server's subnet eventhough I push a route to the client and strip the comments and ask for a review/feedback :D
17:23 < hydrajump> looking at this https://community.openvpn.net/openvpn/wiki/257-can-an-openvpn-server-be-set-up-on-a-machine-with-a-single-nic
17:23 <@vpnHelper> Title: 257-can-an-openvpn-server-be-set-up-on-a-machine-with-a-single-nic – OpenVPN Community (at community.openvpn.net)
17:25 < hydrajump> "you need to add an internal LAN route to the LAN gateway" I guess this is what i need to do.
17:36 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:c166:3485:9a93:efdb] has quit [Quit: Leaving]
17:36 < hydrajump> pekster: i'm not entirely sure how to add this route. Can you please help?
17:37 < hydrajump> in my server.conf I have this `push "route 172.31.0.0 255.255.0.0"`
17:37 -!- u0m3 [~u0m3@92.80.86.86] has quit [Ping timeout: 240 seconds]
17:38 < hydrajump> so clients should be able to route to 172.31.0.0. What am I missing as it is currently not working, e.g I can't ssh to 172.31.7.63
17:39 < hydrajump> traceroute shows that it hits the openvpn server ` 1  10.8.0.1 (10.8.0.1)`
17:40 < hydrajump> so the openvpn server needs a `route 10.8.0.0 255.255.255.0` ?
17:48 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:c166:3485:9a93:efdb] has joined #openvpn
17:58 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:04 < hydrajump> ok seem to have solved it by add `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
18:04 < hydrajump> to the openvpn server iptables
18:31 -!- bazhang [~bazhang@unaffiliated/bazhang] has joined #openvpn
18:32 -!- bazhang [~bazhang@unaffiliated/bazhang] has left #openvpn ["Leaving"]
18:42 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:58 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:58 -!- mode/#openvpn [+v s7r] by ChanServ
18:58 -!- virtualizado [b3eb1d2a@gateway/web/freenode/ip.179.235.29.42] has joined #openvpn
18:59 < virtualizado> i need help with openvpn on kde debian jessie 64 bits, i am noob in linux and i don't know what logs i must paste. My problem is probably DNS, because i can log and ping but can't browse. WHat logs shall i paste for help here in this case?
19:00 < virtualizado> i am googling for 3 days and did not find a solution
19:02 < virtualizado> problem also persists with turning off firewall ufw
19:03 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has joined #openvpn
19:03 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has left #openvpn ["Leaving"]
19:04 -!- xTz [~xTz@DeathStar.Techn0.eu] has quit [Ping timeout: 244 seconds]
19:06 < virtualizado> er... noone here?
19:09 < virtualizado> #debian brasil
19:12 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
19:14 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
19:16 -!- virtualizado [b3eb1d2a@gateway/web/freenode/ip.179.235.29.42] has quit [Ping timeout: 246 seconds]
19:23 < pekster> hydrajump: Don't NAT between two RFC1918 networks you control; your server-side  LAN gateway needs to know how to route to the VPN subnet via the VPN server (which is effectively an IP gateway)
19:23 < pekster> And obviously the LAN router's firewall needs to permit the traffic
19:26 -!- ub1quit33_ [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 265 seconds]
19:47 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 255 seconds]
19:52 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
19:54 -!- virtualizado [~eduarda@179.235.29.42] has joined #openvpn
19:54 < virtualizado> can someone help me? http://pastebin.com/136bcH6V
19:56 < pekster> We can realistically only support people who control both ends (server and client.) You might try reading the bot's info here about !pushdns as I suspect this is your issue
19:56 < pekster> Or try GoogleDNS. Otherwise go ask the admin of the server you're using
19:56 < virtualizado> but is with ANY SERVER!!!
19:56 < pekster> I KNOW!!!!!
19:57 < virtualizado> omg, if you can't help me ghere, noone can!
19:57 < pekster> So, your ISP DNS doesn't usually act as an open recursor/forwarder for people off the domain
19:57 < pekster> Knowing this, and that your routes get adjusted, the conclusion should be ovvious
19:57 < pekster> obvious. If not, blindly follow my suggestion
19:57 < virtualizado> well, in windows, mint, and ubuntu, i connect with no problems
19:58  * pekster gives up
19:58 < virtualizado> just on debian i have this problem
19:58 < pekster> Probably becuase you didn't read the reference I gave you that's handled "magically" for you on your other OS
19:58 < virtualizado> a DNS problem.
19:58 < virtualizado> but i googled 3 DAYS and coudn't solve
19:58 < virtualizado> 3 days
19:58 < pekster> !welcome
19:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:58 < pekster> !explain
19:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:58 < virtualizado> i am spanking my own face already
19:59 < pekster> So, go spank yourself agian for not reading the ONE reference I gave you here
19:59 < pekster> 19:56:34 < pekster> We can realistically only support people who control both ends (server and client.) You might try reading the bot's info here about !pushdns as I suspect this is your issue
19:59 < pekster> I'm not pasting that a 3rd time
19:59 < virtualizado> i know, but with vpn, we use vpn DNS
19:59 < virtualizado> not my ISP
20:00 < virtualizado> !pushdns
20:00 < pekster> So you're using a script you wrote or installed that handles the enviornmental variables you don't seem to know about?
20:00 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
20:00 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:01 < virtualizado> i found all those options on google, in forums peoiple getting help with open vpn
20:01 < virtualizado> i don't even know how to mount something on linux
20:01 < virtualizado> i spent 3 days on googlew
20:01 < pekster> So go set google DNS and be done with it
20:01 < virtualizado> trying to edit and keeping the .old options
20:01 < pekster> "Magic." Which I also suggested above
20:01 < pekster> I'm guessing googling for "google dns" and "how to set DNS in debian linux" would be good places to start
20:02 < virtualizado> in place of my ISP? but in that file it says i should not edit manually
20:02 < pekster> Then go write a script to parse the env-vars as explained above
20:02 < pekster> Whatever sounds easier to you
20:02 < virtualizado> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
20:02 < virtualizado> is in this file you mean? /etc/resolv.conf ?
20:03 < pekster> I mean you look up how to do this properly for your OS. Go ask #debian if you need basic help configuring your system resolver
20:03 < virtualizado> i can edit it as a root?
20:03 < virtualizado> i went debian, they sent me here
20:03 < virtualizado> noone knows openvpn there :( please help must be something simple
20:03 < pekster> Then they're either idiots, or more likely, you did as bad of a job explaining to them what you need
20:03 < pekster> This is not openvpn related at all\
20:04 < pekster> I'm telling you to set your OS system-wide resolver to google DNS. This has absoutely nothing to do with openvpn
20:04 < virtualizado> tehy got even agry with me asking again
20:04 < virtualizado> no, i insisted, they said me to come here or ubuntu
20:04 < virtualizado> i went to ubuntu first, they almost ripped my head
20:04 < pekster> I can see why.
20:04 < virtualizado> telling to go back to debian
20:05 < virtualizado> !pushdns
20:05 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
20:09 -!- u0m3 [~u0m3@92.80.86.86] has quit [Read error: Connection reset by peer]
20:10 < virtualizado> when we connect to openvpn, we want to CHANGE our normal dns, right? i want the normal dns without vpn and the VPN DNS in openvpn. Making this solution will do this?
20:10 < pekster> Google is usable everywhere
20:10 < virtualizado> is slow in my country
20:10 < pekster> type: `time dig @8.8.8.8 freenode.net`
20:11 < pekster> (no backticks)
20:11 < virtualizado> time dig @8.8.8.8 freenode.net
20:11 < pekster> In a terminal..
20:11 < pekster> It'll tell you how "slow" googleDNS is
20:11 < pekster> (I'm betting not slow at all)
20:11 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
20:11 < virtualizado> Query time: 203 msec
20:13 < pekster> Hmm, k. If your local resolver is significantly faster, stick with it I guess, and deal with swapping it out (or scripting that to google DNS anyway) when you connect to the VPN
20:13 < pekster> All openvpn does is expose the info in env-vars; it's up to your distro's shipped packaging or your own devices to script it. There's some contrib/ script openvpn ships with, but that may require adjustment for your site
20:14 < pekster> Then again, 1/5th a second still isn't horrible
20:16 < virtualizado> ok, i understood.
20:16 < virtualizado> so, to be like in mint, i must look for a script to change dns
20:16 < virtualizado> thanks, 1 more step ahead for me
20:16 < virtualizado> i apreciate your help
20:16 < pekster> Right. Maybe use the script that !pushdns noted as an idea of how it's supposed to work
20:16 < virtualizado> sorry for my bad english
20:17 < pekster> If you use resolvconf(8) (that's a manpage reference, and DNS manager daemon) it may provide some help
20:17 < virtualizado> to tell the truth, i almost did not understand nothing from it
20:17 < virtualizado> what is a manpage?
20:17 < pekster> `man 8 resolvconf`
20:17 < pekster> If you're new to manpages, `man man` explains manpages
20:18 < virtualizado> i see. i am just a lawyer from third world, need some security, thats why i installed linux debian and am trying to do this
20:19 < virtualizado> but don't understand too much from the system.
20:19 < pekster> Sure, it's just that resolvconf isn't exactly "simple." Setting GoogleDNS is, so even if it takes 203ms, that's far easier
20:19 < pekster> Less work for you
20:19 < pekster> https://duckduckgo.com/?q=how+to+set+DNS+in+Debian
20:19 <@vpnHelper> Title: how to set DNS in Debian at DuckDuckGo (at duckduckgo.com)
20:19 < virtualizado> trying that now. 8.8.8.8 and 8.8.4.4
20:20 < pekster> Yea. Probably not in /etc/resolv.conf, but in whatever way debian should have that set
20:21 < virtualizado> changeDNS is a security measure good for me, right? we are being attacked by a communist government in power.
20:21 < pekster> Yes, otherwise if you do not change your DNS, you're "securely" asking your ISP DNS for details, but it seems like it's coming from somewhere else
20:21 < pekster> Probably not what you wanted
20:21 < pekster> You need to use GoogleDNS so it goes somewhere that is willing to talk to you over the VPN. Google is.
20:22 < virtualizado> in mint i did DNS leak tests
20:22 < pekster> (or any other DNS of your choice)
20:22 < virtualizado> http://ip-check.info/?lang=en and here, since we have some fingerprint that dns can get
20:22 <@vpnHelper> Title: IP check (at ip-check.info)
20:22 < pekster> There are more subtle ways you can be attacked as well, but that's more of a topic for ##security -- we mostly just deal with openvpn here
20:22 < pekster> Tor might be something to consider too
20:23 < virtualizado> i have too. but if you use tor here, even with bridges, you get monitored.
20:23 < pekster> Yea
20:23 < virtualizado> and JONDONFOX is a even better browser to use with tor
20:24 < virtualizado> but i saw people getting arrested after using tor and whonix here.
20:24 < virtualizado> interpol helps the government
20:24 < pekster> Tor recommends their Tor Browser Bundle. I've seen a lot of badly configured setups that don't offer security due to user's mistakes
20:24 < virtualizado> they arerested people using tor on linux, so...
20:24 < virtualizado> not so safe
20:24 < pekster> OpenVPN is fingerprintable too
20:25 < pekster> They won't know whwat you're doing, but if someone with enough resources cares, they can find out that it's OpenVPN
20:25 < virtualizado> yes, but atracts less atention than tor. tor is already broken.
20:25 < pekster> Tor isn't broken, although bad use of it or side-channel attacks may make it seem that way
20:25 < pekster> Perhaps tor is unusable for some of those political or social reasons though
20:26 < virtualizado> well, they are finding even computer university students that used tor on linux, with low human behavior errors
20:26 < virtualizado> they say is broken
20:26 < virtualizado> just in first world countries they do not expose that
20:26 < pekster> Using tor properly is surprisingly hard (and I work in a network and security field)
20:27 < virtualizado> just for using tor the ISPs send you to special ip numbers
20:27 < virtualizado> and we can not change ips anymore
20:27 < virtualizado> our ip
20:28 < hydrajump> pekster: unfortunately I'm running on AWS and I can't add a route within my network their to the VPN server.
20:29 < virtualizado> i did read all tor manuals and pages and recomendations and forums, tails forums, whonix forums
20:29 < pekster> hydrajump: In a VPC? I'm sure they support static routing for that, but I've only dabbled a bit in the VPC bits of EC2
20:29 < hydrajump> pekster: yeah VPC. let me double check I tried earlier but it didn't work.
20:30 < pekster> NAT works if it's something you don't want to deal with, although it has the obvious drawback of uni-directional initiation (you can't go from the server-side LAN to the VPN clients without more NAT)
20:30 < pekster> Well, that's the fix anyway (add a route and permit traffic from the LAN to the VPN network routed via the on-link VPN server)
20:30 < hydrajump> pekster: yeah I don't like the NAT solution.
20:30 < pekster> If you can do that, great. If not, hack around it with NAT
20:31 < virtualizado> i did read A LOT, and people call patrick from whonix a noob for making whonix with nat instead of bridged network.
20:32 < pekster> Both are horrible unless you know very specifically why you need them
20:32 < virtualizado> but i don't understand perfectly the reasons
20:32 < pekster> Routing and firewalls is the way to go
20:32 < pekster> But I'm not informed about that project, so there may be "reasons"
20:34 < virtualizado> whonix is a virtualbox as a router/firewall and with a virtual network and you install ANOTHER virtualvox "desktop" to navigate and will only see the WHONIX GATEWAY internal ip so even if someone have direct acess with a trojan or something to your machine, they can't discover your real ip
20:35 < virtualizado> so you can even format a windows machine inside whonix protected network and they will only see ONE internal ip, from the whonix gateway machine.
20:36 < virtualizado> and whonix gateway is a debian kde without browser just to avoid people misusing it
20:37 < pekster> Yes, yes, and there's issues of validating authenticity, the extra packages installed, etc, etc
20:37 < virtualizado> well, but VIRTUALBOX is from ORACLE, and oracle CEO supports openly the nsa spying thing
20:37 < pekster> Again, ##security is more on-topic for details of that; I've no interest in that project currently
20:37 < virtualizado> i understand
20:41 < virtualizado> must OPENVPN use ICMP REDIRECTS?
20:41 < pekster> Nope, that's entierly unrelated to openvpn
20:41 < virtualizado> my config is with a NO
20:42 < virtualizado> ok
20:42 < pekster> That's up to your router's settings and your OSes to accept them or not
20:43 < virtualizado> # Uncomment this to allow this host to route packets between interfaces => so, i leave this same way too?
20:52 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
21:12 -!- virtualizado [~eduarda@179.235.29.42] has quit [Ping timeout: 265 seconds]
21:57 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
22:04 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
22:05 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 272 seconds]
22:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:25 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
22:45 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
22:47 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:48 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:09 -!- ShadniX [dagger@p5481D08C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:11 -!- ShadniX [dagger@p5481DE4F.dip0.t-ipconnect.de] has joined #openvpn
23:18 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
23:24 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
--- Day changed Wed Nov 26 2014
00:33 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Connection reset by peer]
00:34 -!- ValdikSS [~valdikss@lv1.pvpn.pw] has quit [Ping timeout: 264 seconds]
00:34 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
01:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:05 -!- u0m3 [~u0m3@92.80.86.86] has quit [Ping timeout: 264 seconds]
01:16 -!- mattock_afk is now known as mattock
01:39 -!- mattock is now known as mattock_afk
01:40 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
01:45 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
01:53 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:55 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
01:57 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has joined #openvpn
01:58 -!- mattock_afk is now known as mattock
01:59 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
01:59 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Client Quit]
02:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:11 < esde> !configs
02:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
02:47 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:53 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
02:54 -!- bewees [~philipp@46.114.35.180] has joined #openvpn
03:06 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
03:07 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
03:17 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
03:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:22 -!- mode/#openvpn [+o syzzer] by ChanServ
03:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
03:31 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:31 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
03:41 -!- thumbs [1000@unaffiliated/thumbs] has quit [Ping timeout: 264 seconds]
03:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:46 -!- mode/#openvpn [+o syzzer] by ChanServ
03:49 -!- tbenson [~tbenson@c-50-131-82-204.hsd1.ca.comcast.net] has quit [Quit: tbenson]
03:50 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
03:55 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
04:14 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Ping timeout: 255 seconds]
04:15 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:26 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has joined #openvpn
04:33 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
04:33 -!- Shiftos_ [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:33 -!- bewees [~philipp@46.114.35.180] has quit [Ping timeout: 255 seconds]
04:33 -!- Shiftos_ is now known as Shiftos
04:42 -!- dazo_afk is now known as dazo
04:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:45 -!- mode/#openvpn [+o syzzer] by ChanServ
04:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:05 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
05:30 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
05:36 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
05:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
05:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:45 -!- mode/#openvpn [+o syzzer] by ChanServ
05:53 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
05:58 -!- Reventlov [~reventlov@unaffiliated/reventlov] has quit [Remote host closed the connection]
06:03 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
06:05 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
06:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
06:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
06:11 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
06:14 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Quit: Gone...]
06:26 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
06:28 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
06:28 -!- mode/#openvpn [+o syzzer] by ChanServ
06:37 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
06:41 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 256 seconds]
06:42 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
06:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
06:55 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:56 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Client Quit]
06:57 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:04 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
07:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:10 -!- mode/#openvpn [+o syzzer] by ChanServ
07:17 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
07:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:22 -!- deranged_user is now known as deranged
07:28 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
07:30 -!- u0m3 [~u0m3@92.80.86.86] has joined #openvpn
07:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
07:41 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
07:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:45 -!- mode/#openvpn [+o syzzer] by ChanServ
07:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 250 seconds]
07:52 -!- mattock is now known as mattock_afk
07:54 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
07:57 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
07:58 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 250 seconds]
08:08 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 255 seconds]
08:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
08:11 -!- mattock_afk is now known as mattock
08:15 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds]
08:15 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:16 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:18 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
08:19 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:22 -!- mode/#openvpn [+o syzzer] by ChanServ
08:27 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
08:28 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
08:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:29 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
08:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:33 -!- mode/#openvpn [+o syzzer] by ChanServ
08:34 -!- miruss [~miruss@109.86.199.18] has joined #openvpn
08:34 < miruss> hi
08:35 < miruss> support ECC in openvpn?
08:36 < miruss> ECC = elliptic curve cryptography
08:38 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
08:39 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
08:41 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:45 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
08:48 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
08:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
08:50 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
08:51 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 250 seconds]
08:55 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
08:55 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Read error: Connection reset by peer]
08:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
08:57 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:13 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
09:17 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
09:20 -!- Latrina [~Latrina@adsl-ull-144-216.50-151.net24.it] has quit [Ping timeout: 256 seconds]
09:21 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
09:21 -!- Latrina [~Latrina@ppp-247-15.26-151.libero.it] has joined #openvpn
09:25 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
09:26 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 272 seconds]
09:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
09:38 -!- mode/#openvpn [+o syzzer] by ChanServ
09:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
09:45 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
09:48 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
09:50 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
09:51 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:18 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:21 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:22 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 240 seconds]
10:26 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
10:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
10:38 -!- mode/#openvpn [+o syzzer] by ChanServ
10:39 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:40 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
10:40 -!- superteece [~superteec@2604:180:1:16e::7da4] has left #openvpn ["Leaving for some reason or another."]
10:44 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:44 -!- mode/#openvpn [+v s7r] by ChanServ
10:49 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
10:52 -!- ryao [~ryao@gentoo/developer/ryao] has quit [Ping timeout: 255 seconds]
10:53 -!- ryao [~ryao@gentoo/developer/ryao] has joined #openvpn
10:56 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 272 seconds]
10:58 -!- ryao [~ryao@gentoo/developer/ryao] has quit [Ping timeout: 255 seconds]
10:59 -!- ryao [~ryao@gentoo/developer/ryao] has joined #openvpn
11:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
11:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
11:03 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
11:03 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Ping timeout: 272 seconds]
11:15 -!- Latrina [~Latrina@ppp-247-15.26-151.libero.it] has quit [Ping timeout: 245 seconds]
11:17 -!- Latrina [~Latrina@adsl-ull-137-245.45-151.net24.it] has joined #openvpn
11:20 -!- fixi [~fixi@2a00:dcc0:eda:88:50:192:7e8b:8091] has left #openvpn []
11:29 -!- Latrina [~Latrina@adsl-ull-137-245.45-151.net24.it] has quit [Ping timeout: 272 seconds]
11:29 -!- Latrina [~Latrina@151.56.171.182] has joined #openvpn
11:30 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:34 -!- fin [~fin@unaffiliated/le0] has joined #openvpn
11:39 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:42 -!- fin [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:43 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
11:46 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:46 -!- mode/#openvpn [+o syzzer] by ChanServ
11:47 < hydrajump> question on ubuntu if you have openvpn start on boot with a client.conf, then there is no GUI feedback on connection status for the user, right?
12:00 < zoredache> not usually
12:00 < zoredache> I am sure someone could pretty easily develop an app that looked at a `--management` socket and reported the status.
12:04 -!- ylluminate [~ylluminat@108.61.101.140] has joined #openvpn
12:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
12:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:06 -!- Latrina [~Latrina@151.56.171.182] has quit [Ping timeout: 256 seconds]
12:07 -!- Latrina [~Latrina@151.56.177.112] has joined #openvpn
12:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:11 -!- mode/#openvpn [+o syzzer] by ChanServ
12:14 < hydrajump> ok thanks zoredache
12:25 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
12:27 < hydrajump> on one ubuntu client I get the following error when connecting to my server `TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available`
12:28 < hydrajump> The same client.conf works on another different OS.
12:28 < hydrajump> Is it due to different openssl versions on the two systems not supporting the same ciphers?
12:28 < hydrajump> the ubuntu client is older
12:31 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:31 -!- mode/#openvpn [+o syzzer] by ChanServ
12:31 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
12:33 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
12:44 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Quit: No Ping reply in 180 seconds.]
12:46 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has joined #openvpn
12:47 -!- ylluminate [~ylluminat@108.61.101.140] has quit [Quit: Bye!]
12:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
12:57 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 264 seconds]
13:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
13:02 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: Adios y'all]
13:02 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
13:04 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
13:11 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
13:27 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
13:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
13:28 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
13:28 -!- mode/#openvpn [+o syzzer] by ChanServ
13:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:29 -!- mode/#openvpn [+v s7r] by ChanServ
13:30 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
13:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
13:39 -!- wkd [~wkd@75.46.172.52] has joined #openvpn
13:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
13:42 -!- mode/#openvpn [+o syzzer] by ChanServ
13:46 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Ping timeout: 256 seconds]
13:53 -!- wkd [~wkd@75.46.172.52] has quit [Quit: Leaving]
14:01 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
14:04 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
14:06 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
14:07 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:07 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
14:07 -!- mode/#openvpn [+o syzzer] by ChanServ
14:08 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 258 seconds]
14:08 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:08 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
14:08 -!- BtbN [btbn@btbn.de] has joined #openvpn
14:09 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
14:12 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
14:14 -!- Latrina [~Latrina@151.56.177.112] has quit [Ping timeout: 240 seconds]
14:15 -!- Latrina [~Latrina@ppp-35-19.26-151.libero.it] has joined #openvpn
14:26 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 264 seconds]
14:26 -!- dazo is now known as dazo_afk
14:30 -!- Latrina [~Latrina@ppp-35-19.26-151.libero.it] has quit [Ping timeout: 255 seconds]
14:31 -!- Latrina [~Latrina@adsl-ull-238-252.45-151.net24.it] has joined #openvpn
14:36 -!- Latrina [~Latrina@adsl-ull-238-252.45-151.net24.it] has quit [Ping timeout: 256 seconds]
14:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
14:55 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
15:09 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:15 -!- Latrina [~Latrina@ppp-144-3.26-151.libero.it] has joined #openvpn
15:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
15:22 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:24 -!- Latrina [~Latrina@ppp-144-3.26-151.libero.it] has quit [Ping timeout: 245 seconds]
15:25 -!- Latrina [~Latrina@adsl-ull-238-213.50-151.net24.it] has joined #openvpn
15:26 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
15:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:38 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
15:38 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Read error: Connection reset by peer]
15:44 -!- Naeblis [~Naeblis@unaffiliated/naeblis] has joined #openvpn
15:44 < Naeblis> !welcome
15:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:45 < Naeblis> !howto
15:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:45 < Naeblis> <_<
15:46 < Naeblis> So it seems like setting all this up is an arduous task.
15:51 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:53 < zoredache> yes and no.  If you have a strong understanding of networking and PKI, it is pretty easy.
15:54 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
15:55 < Naeblis> They can be quite a bit different in theory and practice.
15:56 < Naeblis> So you'll have to qualify "strong understanding".
15:56 < Naeblis> is there no tool/script that does the base setup automatically?
15:56 < Naeblis> so I just have to interactively provide any necessary details
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:58 < zoredache> Sure pay for OpenVPN-AS.
15:59 < zoredache> There might be some wizards online that would give you a simplistic config.  I have also seen integrated GUIs in some appliance style routers...
15:59 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:59 -!- mode/#openvpn [+o syzzer] by ChanServ
16:00 < zoredache> But OpenVPN is an extremely versatile tool with lots of different uses.  I highly doubt any GUI could totally encompas what you can do with it.
16:12 -!- mattock is now known as mattock_afk
16:13 -!- u0m3_ [~u0m3@92.80.92.93] has joined #openvpn
16:14 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
16:16 -!- u0m3 [~u0m3@92.80.86.86] has quit [Ping timeout: 244 seconds]
16:17 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
16:18 -!- Naeblis [~Naeblis@unaffiliated/naeblis] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
16:23 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 244 seconds]
16:27 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
16:28 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
16:30 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Client Quit]
16:50 -!- u0m3_ [~u0m3@92.80.92.93] has quit [Ping timeout: 258 seconds]
16:55 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
17:00 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
17:05 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
17:05 < sireebob> !welcome
17:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:05 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:06 < sireebob> !goal
17:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:06 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Read error: Connection reset by peer]
17:08 < sireebob> i'd like to route specific domains over my VPN, dynamically. i was thinking there may be a way to do this by using dnsmasq to have those domains resolved to my VPN server's IP address, but i'm not sure where i would go from there.
17:08 < sireebob> "dynamically" means without knowing their IP addresses ahead of time.
17:10 < sireebob> it's not strictly openvpn-related and i don't even know if it's possible, but i thought i would ask.
17:10 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
17:12 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
17:28 < zoredache> Generally you can't do that.
17:29 < zoredache> What kind of clients?
17:30 < zoredache> If Linux then you can do is setup something like squid as a proxy, and then use ACLs within squid to control the outgoing IP address.  Then setup `ip rule` so that some traffic uses one route table, and some uses another...
17:30 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
17:30 < zoredache> It can get extremely convoluted.
17:32 < sireebob> i found something that might work that involves haproxy. it works by stacking up false dns resolutions in an address range, all of which point to the same server (but with different ips). then you route that entire false subnet. i've seen a similar thing done with tor.
17:34 < sireebob> (the program keeps a map of which ip address in the faux range routes to which site. the vpn computer will actually need to be assigned each address in the range, it looks like.)
17:35 < zoredache> But anyway, nothing like that exists within the OpenVPN itself.  Anything beyond standard destination based routing needs to be managed by another tool.
17:37 < sireebob> thank you!
17:46 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:59 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
18:03 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
18:04 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 272 seconds]
18:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
18:06 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Ping timeout: 240 seconds]
18:07 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
18:07 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
18:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
18:09 -!- miruss [~miruss@109.86.199.18] has quit [Quit: =)]
18:10 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
18:11 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Read error: Connection reset by peer]
18:12 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:c166:3485:9a93:efdb] has quit [Quit: Leaving]
18:13 -!- ub1quit33 [~quassel@wifi02.la3.routers.zerolag.com] has quit [Ping timeout: 256 seconds]
18:14 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has quit [Quit: No Ping reply in 180 seconds.]
18:14 -!- _KaszpiR_ [quasselcor@unaffiliated/kaszpir/x-3157048] has joined #openvpn
18:14 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
18:16 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
18:16 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:17 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 255 seconds]
18:21 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 264 seconds]
18:22 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
18:23 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:25 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
18:26 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:26 -!- mode/#openvpn [+o syzzer] by ChanServ
18:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 256 seconds]
19:00 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
19:01 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
19:20 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
19:20 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
19:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:43 < c0ded> deaded irc
19:52 -!- Sparks [~Sparks@fedora/CAcert.Sparks] has joined #openvpn
20:10 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
20:27 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
20:33 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:49 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 240 seconds]
20:50 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
21:06 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:f49a:b256:41ef:91b3] has joined #openvpn
21:23 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
21:23 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
21:28 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
21:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:09 -!- MogDog66 [MogDog@unaffiliated/mogdog66] has joined #openvpn
22:09 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 264 seconds]
22:09 -!- mikjaer [~mikjaer@127-0-0-1.dk] has quit [Ping timeout: 264 seconds]
22:09 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 264 seconds]
22:09 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 264 seconds]
22:09 -!- hexfury [~hexfury@ec2-54-224-91-139.compute-1.amazonaws.com] has quit [Ping timeout: 264 seconds]
22:09 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
22:10 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
22:10 -!- MogDog66 is now known as MogDog
22:10 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
22:10 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has quit [Read error: Connection reset by peer]
22:18 < KNERD> groovy
22:19 -!- Trab [~Trab@cpe-98-155-91-155.hawaii.res.rr.com] has joined #openvpn
22:19 -!- Trab [~Trab@cpe-98-155-91-155.hawaii.res.rr.com] has left #openvpn []
22:20 < KNERD> If you have a server set up on a LAN (..do you have to do anything on server side config file about NAT?  It seems I am losing packets
22:20 < KNERD> of course accessing from WAN
22:20 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has joined #openvpn
22:21 < _FBi> what
22:21 < KNERD> Client - WAN-  - > LAN -> SERVER
22:22 < KNERD> somewhere along there I am losing packets..maybe due to NAT issue
22:23 < _FBi> server logs say anything?
22:23 < KNERD> not the OpenVPN ones
22:24 < KNERD> just the servies going through OpenVPN
22:24 < KNERD> I don thave this problem if server is set up on public IP
22:24 < _FBi> could your LAN routing suck?
22:26 -!- GuidovanPossum [~chatzilla@wsip-184-176-140-204.ph.ph.cox.net] has joined #openvpn
22:27 < GuidovanPossum> !goal
22:27 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:27 < GuidovanPossum> !goal secure
22:27 < GuidovanPossum> !welcome
22:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
22:27 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:27 < KNERD> well...i  would not know if the routing sucks
22:28 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
22:28 < KNERD> i clearly have a connection, so I really don't know
22:30 < KNERD> !route
22:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
22:30 < _FBi> maybe put your verbose needs to be turned up?
22:30 < KNERD> it's set to 3
22:35 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
22:35 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
22:36 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 256 seconds]
22:37 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
22:39 < KNERD> I am guessing maybe I need to put a "push :route <public ip address>"  route <public ip address>?
22:41 < KNERD> !tcpip
22:41 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
22:44 < KNERD> worthless
22:45 -!- Latrina [~Latrina@adsl-ull-238-213.50-151.net24.it] has quit [Ping timeout: 256 seconds]
22:48 -!- Latrina [~Latrina@ppp-20-6.26-151.libero.it] has joined #openvpn
22:56 < KNERD> _FBi: thanksz! I got it
22:56 < KNERD> topology subnet  push "route 192.168.0.0 255.255.255.0"
22:56 < _FBi> woohoo
23:06 -!- GuidovanPossum [~chatzilla@wsip-184-176-140-204.ph.ph.cox.net] has quit [Ping timeout: 245 seconds]
23:07 -!- sireebob [sireebob@unaffiliated/sireebob] has left #openvpn []
23:10 -!- ShadniX [dagger@p5481DE4F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:11 -!- ShadniX [dagger@p5481DA10.dip0.t-ipconnect.de] has joined #openvpn
23:32 -!- RingtailedFox [~FoxFoxFox@d24-57-5-172.home.cgocable.net] has joined #openvpn
23:33 < RingtailedFox> hey, guys... would OpenVPN allow me to say, add my grandfather's computer to my home network so it shows up in Network Places, or would i need software like Log Me In Hamachi/
23:37 < KNERD> openVPN creates its own network
23:37 < KNERD> you would have to bridge the connection
23:42 < RingtailedFox> ohhh
23:52 -!- Zune [~Zune@188-180-61-96-dynamic.dk.customer.tdc.net] has quit [Ping timeout: 255 seconds]
23:58 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
--- Day changed Thu Nov 27 2014
00:23 -!- mattock_afk is now known as mattock
00:28 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Quit: ZNC - http://znc.in]
00:32 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
01:03 -!- wlxmhls [~hp@124.65.46.34] has joined #openvpn
01:04 < wlxmhls> hello gays, openvpn server has two virtual IPs assigned, ex. 192.168.0.1 and 192.168.0.2. why there are two vIPs here? what are they used for?
01:09 < KNERD> no gay people here
01:10 < KNERD> one is machine..another gateway I think
01:16 -!- Latrina [~Latrina@ppp-20-6.26-151.libero.it] has quit [Ping timeout: 258 seconds]
01:18 -!- Latrina [~Latrina@adsl-ull-190-209.50-151.net24.it] has joined #openvpn
01:19 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
01:24 -!- Latrina [~Latrina@adsl-ull-190-209.50-151.net24.it] has quit [Ping timeout: 255 seconds]
01:25 -!- Latrina [~Latrina@ppp-32-4.26-151.libero.it] has joined #openvpn
01:34 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Ping timeout: 264 seconds]
01:48 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:51 <@Eugene> !/30
01:51 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
01:51 <@Eugene> wlxmhls ^ is this the behaviour you're referring to?
01:56 < wlxmhls> yes, thank you all. I found it here: https://community.openvpn.net/openvpn/wiki/Topology and http://openvpn.net/index.php/open-source/faq/77-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html
01:56 <@vpnHelper> Title: Topology – OpenVPN Community (at community.openvpn.net)
01:58 < wlxmhls> sorry. I typed error word. it is 'guys', NOT 'gays'.
01:59 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has joined #openvpn
02:03 -!- Latrina [~Latrina@ppp-32-4.26-151.libero.it] has quit [Ping timeout: 256 seconds]
02:03 -!- Latrina [~Latrina@adsl-ull-191-248.45-151.net24.it] has joined #openvpn
02:06 -!- fin [~fin@unaffiliated/le0] has joined #openvpn
02:10 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 245 seconds]
02:12 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
02:24 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
02:42 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:f49a:b256:41ef:91b3] has quit [Read error: Connection reset by peer]
02:43 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 240 seconds]
02:54 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:452c:5edb:8b18:ecbe] has joined #openvpn
02:59 -!- dazo_afk is now known as dazo
03:00 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:452c:5edb:8b18:ecbe] has quit [Read error: Connection reset by peer]
03:05 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
03:07 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
03:12 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 258 seconds]
03:12 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
03:13 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:14 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
03:14 -!- havingFun is now known as xrosnight
03:19 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
03:28 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:30 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:88c0:a26c:a19f:2d76] has joined #openvpn
03:31 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
03:34 -!- wlxmhls [~hp@124.65.46.34] has quit [Quit: Leaving.]
03:35 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
03:43 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
03:44 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
03:49 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:51 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
03:52 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Excess Flood]
03:56 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
03:56 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
03:57 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
03:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
04:07 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Ping timeout: 272 seconds]
04:12 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:14 < ayaz> Hullo. I was wondering if it was possible to make OpenVPN daemon on Windows to break down the logs it create in files day-wise, such that for every day it created a different log file.
04:16 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
04:17 < badon> How to do I configure an OpenVPN client to route specific IP's directly, instead of over the VPN connection?
04:17 -!- phuzion_ [~phuzion@ipv6.irc.teh-server.com] has quit [Read error: Connection reset by peer]
04:17 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
04:19 < badon> Even better, is it possible to insist that some processes are never routed over the VPN, regardless of destination IP?
04:20 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
04:21 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Excess Flood]
04:22 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
04:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:23 -!- Latrina [~Latrina@adsl-ull-191-248.45-151.net24.it] has quit [Ping timeout: 256 seconds]
04:26 -!- Latrina [~Latrina@adsl-ull-106-252.45-151.net24.it] has joined #openvpn
04:32 <@dazo> ayaz: No, that's not possible.  OpenVPN does not have built-in support for log rotation.
04:34 <@dazo> badon: you can use the net_gateway keyword in the --route statements .... --route 1.2.3.4 255.255.255.255 net_gateway
04:34 <@dazo> that will route 1.2.3.4 via the local gateway and not the VPN
04:34 <@dazo> !routebyapp
04:34 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
04:34 <@vpnHelper> policies you set. For Linux, read about !lartc
04:35 <@dazo> !route_override
04:35 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
04:35 < badon> dazo: OK, it looks like I'm on the right track. I've got Proxifier, but it's effective for the OPPOSITE of what I'm trying to achieve.
04:35 <@dazo> !splitroute
04:35 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
04:38 <@dazo> badon: Another way to do it is to setup a SOCKS proxy on the VPN server side, so you just add that proxy server to the apps you want to go over the tunnel .... I don't know if you use --redirect-gateway.  It sounds like you do, so considering not using that may also be an alternative and explicitly route what is supposed to go via the tunnel
04:38 <@dazo> (not using --redirect-gateway is actually implicit taking the SOCKS proxy approach)
04:39 < badon> dazo: I want EVERYTHING to go over OpenVPN, except a few specific IP's or a few specific processes/apps. I think the net_gateway approach might be the right one.
04:39 <@dazo> goodie!  it sounds so then :)
04:39 < ayaz> dazo: I see, thanks. I have solutions for log-rotation, but all of them require me to restart OpenVPN, which is a problem. I was wondering whether perhaps there was a way to do it without having to restart OpenVPN, but I don't think there is.
04:39 < badon> dazo: Yeah, I'm going to read up on that, and do an experiment to see if it works. Thanks for pointing me in the right direction!
04:40 < badon> ayaz: Just make a Python script to chop up your log.
04:40 < badon> I believe the technical term is "chunk" :)
04:41 < ayaz> badon: Yes, I thought about that. But for some reason, on windows, it doesn't let you save that file unless the process, accessing it has quit (which in this case is the OpenVPN daemon).
04:42 < ayaz> Which is rather problematic.
04:42 < badon> ayaz: Could you do it in parallel? You should be able read the OpenVPN log, and create your daily chunks in different files without needing to interrupt anything on the actual, original log.
04:43 < ayaz> badon: Yes, of course, that I could do. However, the original log file will continue to grow and grow, which is not very desirable.
04:44 < badon> Right.
04:44 < ayaz> One some of my servers, it has got GBs big.
04:44 < badon> Hmm, maybe you can intercept the write operations from OpenVPN?
04:44 < badon> I'm not sure how to do that though.
04:45 < badon> ayaz: Instead of ripping apart OpenVPN, it might be better to request a feature enhancement, and then submit a patch that implements it.
04:45 < ayaz> I think that would be a good idea.
04:45 < badon> Then you can have OpenVPN do it, instead of using hack-job glue code.
04:45 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
04:46 < badon> ayaz: Huge logs are a problem, so I think your patch would be welcomed by a lot of people.
04:47 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Quit: No Ping reply in 180 seconds.]
04:47 < ayaz> I'm going to look into that.
04:47 < badon> In the meantime, you can continue using your version of OpenVPN with your new logging features, while you wait for it to be formally accepted into OpenVPN.
04:48 < badon> That's probably the best way to do it, without wasting effort on something that can't be integrated into OpenVPN.
04:48 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
04:48 < badon> The programming effort is probably similar, so you get more bang per hour of dev time.
04:49 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
04:52 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Client Quit]
04:53 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:06 < badon> dazo: My initial test of the net_gateway keyword worked perfectly, thanks! I think this is the solution I need.
05:06 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
05:06 <@dazo> cool!
05:16 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
05:19 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
05:27 < badon> dazo: I just finished implementing my solution fully, and your suggestion has completely resolved all issues. Before, I was getting weird looping connections where the VPN would go through the proxy, and then the proxy would try to go through the VPN, haha.
05:28 < badon> Now the proxy is privileged, and only gets a direct connection, without getting erroneously routed over the VPN.
05:38 -!- Latrina [~Latrina@adsl-ull-106-252.45-151.net24.it] has quit [Ping timeout: 250 seconds]
05:39 -!- Latrina [~Latrina@ppp-94-0.26-151.libero.it] has joined #openvpn
05:44 -!- Latrina [~Latrina@ppp-94-0.26-151.libero.it] has quit [Ping timeout: 264 seconds]
05:46 -!- Latrina [~Latrina@adsl-ull-115-190.50-151.net24.it] has joined #openvpn
05:47 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
05:49 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
05:57 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
06:02 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
06:05 -!- Latrina [~Latrina@adsl-ull-115-190.50-151.net24.it] has quit [Ping timeout: 256 seconds]
06:07 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
06:07 -!- Latrina [~Latrina@adsl-ull-140-220.50-151.net24.it] has joined #openvpn
06:08 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Excess Flood]
06:08 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
06:11 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:17 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
06:17 -!- Latrina [~Latrina@adsl-ull-140-220.50-151.net24.it] has quit [Ping timeout: 255 seconds]
06:18 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
06:18 -!- Latrina [~Latrina@adsl-ull-239-178.50-151.net24.it] has joined #openvpn
06:22 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
06:22 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
06:33 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has left #openvpn ["WeeChat 1.0.1"]
06:37 -!- Esya [~zncuser@195-154-90-140.rev.poneytelecom.eu] has joined #openvpn
06:47 -!- nvdpl [~textual@proxy.teleaudio.pl] has joined #openvpn
06:52 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
06:52 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
06:53 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
06:54 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
06:56 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
06:56 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Client Quit]
06:56 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
07:00 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
07:01 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:01 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
07:35 -!- uskerine [~a@80.30.158.182] has joined #openvpn
07:35 < uskerine> hi
07:35 < uskerine> I am following: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html  to create a site-to-site shared key tunnel
07:35 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
07:35 < uskerine> the mini-howto says: Server configuration file
07:35 < uskerine> where is such file?
07:44 <@ecrist> you need to create it
07:56 < uskerine> I did, now I am trying to get /dev/net/tun available on ubuntu 12.04
07:56 < uskerine> it seems that 12.04.5 breaks /dev/net/tun
08:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
08:08 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
08:17 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
08:20 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
08:25 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
08:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:27 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Quit: ZNC - http://znc.in]
08:27 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
08:30 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
08:32 -!- nvdpl [~textual@proxy.teleaudio.pl] has quit [Quit: Quit...]
08:32 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
08:43 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 258 seconds]
08:47 -!- Ringtailed-Fox [~FoxFoxFox@d24-57-5-172.home.cgocable.net] has joined #openvpn
08:48 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
08:50 -!- RingtailedFox [~FoxFoxFox@d24-57-5-172.home.cgocable.net] has quit [Ping timeout: 272 seconds]
08:56 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
08:58 < hydrajump> I need some advice pls. I'm doing some testing on my openvpn server config which is version 2.3.5 and I have 2 different ubuntu clients that I'm testing connecting to the server. both clients have the same version of openvpn 2.3.5, but unfortunately one client is older and thus an older version of openssl.
08:58 < hydrajump> https://gist.githubusercontent.com/anonymous/775451a7f479850ba472/raw/74feea86a1a907f587b0872c0059af7c5c26fa52/gistfile1.txt
08:58 < hydrajump> the top info is for the old client, bottom newer client.
08:59 < hydrajump> both will connect tot he server, but it seems that the older client can only use tls 1. Is the older client's connection to the openvpn server insecure?
09:08 <@dazo> hydrajump: any tls 1.x protocols are fairly safe to use ... tls 1.1 and 1.2 have support for better ciphers, but openvpn can't really take the full benefit of that currently ... so from an openvpn point of view, tls 1.0 is still safe
09:09 < hydrajump> dazo: that's great to hear. Only issue I guess is that the older client's openssl version seems to be vulnerable to openssl and can't be updated to a newer version without updating the dist. Won't that effect the security of the openvpn connection?
09:09 <@dazo> hydrajump: in your case ... the box using tls 1.2 have a safer _control channel_ than 1.0 ... but the tunnelled data most likely uses the same cipher
09:10 <@dazo> but it's really not much to be worried about
09:10 < hydrajump> both the client and server have `cipher AES-256-CBC auth SHA384
09:11 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
09:11 < hydrajump> but the old client seems to connect with `DHE-RSA-AES256-SHA` and the newer one with `DHE-RSA-AES256-GCM-SHA384`
09:12 <@dazo> that is the _Control_channel_ ... not the data channel where your tunnel data passes through
09:12 < hydrajump> oh so they would both be using `cipher AES-256-CBC auth SHA384 ` for the data channel?
09:12 <@dazo> the control channel is the part where openvpn server/client agrees on which keys (not cipher, but a temporary encryption key) and other config settings
09:13 <@dazo> yeah
09:13 <@dazo> The fun begins when we can support AES256-GCM-SHA384 on the data channel (the tunnelled data) ... which openvpn currently cannot do.  And of course adding EC to the control channel, which is possible to do now, but I've not dug into how to really do it ... it might be you actually need a bleeding edge version (git master) to be able to use that.
09:14 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:14 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:14 < hydrajump> ok
09:20 < hydrajump> dazo: it would be awesome if you could please look at my server/client configs (they are working) and suggest any improvements https://gist.github.com/anonymous/1f1d7a88f01d68b4ca2a
09:20 <@vpnHelper> Title: client.conf (at gist.github.com)
09:21 < hydrajump> everyone else can provide feedback as well ;)
09:21 <@dazo> do you have many clients connecting to your server?
09:22 < hydrajump> no this is for < 10
09:23 < hydrajump> most likely < 5 actually
09:23 < _FBi> morning gents
09:23 < hydrajump> mornign
09:23 < hydrajump> morning
09:24 <@dazo> okay, then --reneg-sec is fine ... otherwise that could give you some latency spikes across all clients regularly ... renegotiations have that impact unfortunately ... but with < 5 clients, that's probably not a big deal
09:24 <@dazo> I'd remove everything which is default from configs ... like hand-window and tran-window
09:25 < hydrajump> dazo: oh ok I believe the default was 3600 for reneg-sec. Would you suggest that I keep that instead?
09:25 <@dazo> reneg-sec is 3600 by default (each hour) ... but with few clients, 30 minutes is most likely fine
09:26 < hydrajump> I reduced it because I thought it improved security. Is that correct?
09:27 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:27 <@dazo> To get less predictability on when this happens, I'd probably use --reneg-bytes and/or --reneg-pkts instead  ...  have a renegotiation after 50-100MB of bytes
09:27 <@dazo> (it depends on much data you transport through the tunnel)
09:28 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
09:29 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:29 < hydrajump> so you mean instead of a specific period of time where an attacker might see a pattern of the key renegotiation, by setting an amount of data, it would make that pattern much harder to see?
09:30 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 265 seconds]
09:31 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
09:33 < _FBi> seems like it would be the same to me, but what do I know
09:33 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
09:34 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:37 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
09:38 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:41 < hydrajump> dazo: is there anything else you would change/add?
09:43 <@dazo> hydrajump: nah, if it fits your needs, then it's good enough ... you have tls-auth, which is one of the features which really should be included on new setups ... except of that, it's fairly straight forward
09:44 < hydrajump> ok sound good. There are some things in my server/client configs that I'm unsure of. First you suggested removing any settings that are the same as default, so I'll do that in both.
09:47 < hydrajump> in server.conf `keepalive 10 120` in the manpage it's `10 60` but in the sample server.conf it's `10 120`.
09:47 <@dazo> hydrajump: the general rule of thumb is to have as few options in the config as possible while still having the features/functionality you want ... and then to fully understand each option you add in the config file ... then you won't fail when you need to fix issues later on
09:47 < hydrajump> In the former that would mean that there is a ping every 10 sec and if no reply in 240 sec, restart the conenction?
09:48 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:48 < hydrajump> dazo: that's good advice.
09:48 <@dazo> --keepalive is usually just needed in the server config
09:48 < hydrajump> I've gone through the manpage multiple times as I was putting together my configs. Trying to pick out and set the options as best I can
09:50 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:53 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
10:00 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
10:01 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
10:04 < hydrajump> dazo: my `tran-window 300` is 5 min instead of the default 1 hour. Again I did this for security. The hand-window was default 60 so I removed that config option. Is tran-window too small?
10:05 <@dazo> those options are not primarily for security.  They are more to workaround issues related to horrible/unstable links
10:06 < hydrajump> oh then maybe I should not reduce it as I've done
10:06 <@dazo> James (the OpenVPN creator) considers most of the default values to be safe and in many cases relatively conservative
10:08 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
10:09 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
10:09 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
10:12 < hydrajump> ok
10:12 < hydrajump> sometimes looking at the manpage it is difficult to know for me anyway if an option needs to exist on both server and client
10:12 -!- havingFun is now known as xrosnight
10:16 < hydrajump> nevermind my last comment. I've removed reneg-sec, tran-window and hand-window from the client config and just setting reneg-sec on the server as it will override the client's 1 hour default setting.
10:16 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
10:16 <@dazo> hydrajump: iirc, generally as few options as possible should be used in client config, but connection related options (--remote, --proto, --dev, --fragment, --cipher, --tls-cipher, etc) needs to be the same on both sides
10:16 <@dazo> and what can be pushed from the server should be pushed
10:16 <@dazo> (which option which can be pushed are listed in --push)
10:17 <@dazo> and then the rest usually goes into the server config
10:19 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:21 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
10:24 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 272 seconds]
10:24 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:32 -!- dazo is now known as dazo_afk
10:42 < pekster> hydrajump: One note on the --reneg-* options is that if you wish to increase TTL on the symmetric keys, you should set `--reneg-sec 0` on the client, otherwise a higher value on the server won't matter; a key renegotiation is caused when either side reaches ones of the --reneg-* limits
10:43 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
10:43 -!- Ringtailed-Fox [~FoxFoxFox@d24-57-5-172.home.cgocable.net] has quit [Read error: Connection reset by peer]
10:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
10:46 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Max SendQ exceeded]
10:47 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
10:56 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
11:01 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 258 seconds]
11:15 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
11:19 < hydrajump> pekster: right I saw that in the man page. If one reneg is lower than default 3600 than only one side needs it I believe
11:20 < pekster> Yup
11:20 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 255 seconds]
11:23 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
11:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:30 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:35 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
11:38 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
11:39 -!- dusted [~dusted@190-162-191-90.dyn.estpak.ee] has joined #openvpn
11:41 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:41 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
11:42 < hydrajump> ok so I've cleaned up server/client configs https://gist.github.com/anonymous/3ed30693247bb3f5a41c
11:42 <@vpnHelper> Title: client.conf (at gist.github.com)
11:43 < hydrajump> pekster: would you mind taking a look as well please
11:44 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
11:45 -!- lorens [~lorens@213.27.241.114] has quit [Remote host closed the connection]
11:45 < pekster> I'd duplicate --tran-window on the client too, otherwise looks good. The reason for that is a key the server considers expired could still be used by the client
11:45 < pekster> You might be able to push that one; you'd need to try it and see if the client logs complain
11:47 < pekster> Oh, and you probably shouldn't be using --user and --group on the client (or you should exit on timeouts, not restart as --keepalive on the server pushes to the client by default.)
11:47 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:48 < pekster> Otherwise it's possible the server hands the client new connection info, which 'nobody' will be unable to correctly set on the interface
11:48 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
11:48 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
11:50 < hydrajump> thanks for looking pekster! regarding tran-window I thought 3600 (default) was too high to keep the old keys. could I reduce the 5 minute window more or is it ok as is?
11:51 < pekster> 1h (3600) is the default, but you want both sides to agree on how long encryption keys are valid for
11:52 < hydrajump> ok I understand. I'll add tran-window to the client config right away.
11:52 < pekster> --reneg-* determines how often to re-key the data channel keys, and --tran-window sets a limit on how long the old ones are valid. Realistically the defaults are fine; an attacker having "2 hours" instead of "1 hour" to brute force your symmetric keys won't help
11:53 < pekster> 5 minutes is probably fine though, unless it takes more than that for the X.509 handshake to complete.
11:53 < pekster> The idea is to avoid a situation where packet loss or an otherwise congested link interferes with the X.509 handshake long enough that the old data keys expire, because then VPN traffic stops working
11:54 < hydrajump> I read yesterday that you mentioned you work in network security field. I don't, so am I being too paranoid in changing that value?
11:54 -!- kryo__ [~effigy@96.50.81.226] has joined #openvpn
11:55 < kryo__> does anyone know an iptables rule to change the SNAT of all openvpn traffic to a specific IP?
11:55 < pekster> If I set that (I frequently don't) I'll typically use 15 minutes as a compromise. It would matter more if you set really high --reneg-* time limits, or set no time limit and rotated keys on data usage alone
11:56 < pekster> So yea, I wouldn't worry too much about it. Maybe set it somewhere between 5-15 if you're willing to ever-so-slightly decrease an attack vector on weak symmetric keys at the expense of possible connection interruption with a bad link. Quite frankly it doesn't matter that much ;)
11:57 < pekster> kryo__: See
11:57 <@plaisthos> hydrajump: you are probably too paranoid
11:57 < pekster> !linnat
11:57 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:57 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
11:57 < kryo__> i'm currently using this: iptables -t nat -A POSTROUTING -o eth0:0 -s 10.8.0.0/24 -j SNAT --to x.x.public.ip
11:57 < kryo__> it doesn't work..
11:57 <@plaisthos> OpenVPN is already paranoid by chaning the encryption key every 3600s
11:57 < pekster> kryo__: eth0:0 is _not_ an interface
11:58 < pekster> kryo__: Read this link:
11:58 < pekster> !ifconfig_linux
11:58 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
11:58 < hydrajump> pekster: thanks for humoring my paranoia :P On your a advice I've increased it to 15min on both sides.
11:58 < kryo__> pekster do i just change it to eth0?
11:58 < pekster> Right
11:58 < kryo__> o_O
11:58 < pekster> eth0:0 is the stupid old and broken way the 2.4 (yes, 2.4) Linux kernel did networking. ifconfig is a rotting pile of garbage and you ought to use ip which sets secondary IPs directly on the interface like modern OSes do
11:59 < pekster> On Linux, anyway. BSDs maintained their userland tooling, Linux userlands just replaced it with new ones
11:59 < _FBi> hmm I use eth0, I should probably change that oo
11:59 < _FBi> too
12:00 < pekster> eth0:0 isn't an interface (although if you're truely insane, you can set that _as_ your interface name, which won't be an alias in that case. Don't ever do that.)
12:00 < _FBi> oic
12:00 < pekster> Or better yet, stop using ifconfig in the first place and you'll just get >1 IP on eth0 as you expect
12:01 < _FBi> I was reading the debian manpage, they say to use eth0:0 for virtual stuff
12:01 < _FBi> /etc/network/interfaces
12:01 < pekster> Maybe their network config is equally old and refuses change over the last decade
12:01 < pekster> I don't use debian for advanced networking, so I wouldn't know
12:01 < _FBi> I'm not advanced, so I wouldn't know either haha
12:01 < pekster> BSD or a Linux distro that offers modern tooling would be my choice there
12:02 < hydrajump> pekster: the other issue you brought up in my configs is that my client uses --user --group. So those settings are reserved for the server side only?
12:02 < _FBi> if it ain't broken -- don't fix it.  if it's broken, it's a feature
12:02 < hydrajump> s/reserved/used
12:02 < _FBi> hydrajump, I believe so, yes
12:03 -!- fin [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:03 < pekster> hydrajump: Basically, yes. If you're very tricky and clever, you can use static addresssing (see !static) on the server for your client, or exit on timeouts (won't reconnect automatically) or risk things breaking if you do neither
12:03 < pekster> Or maybe have all the interface setting and route stuff offloaded to a suid binary or something. But that's way too much complexity, once again for almost no practical gain
12:03 < kryo__> still doesn't work: iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to 23.92.public.ip
12:04 < hydrajump> pekster: yeah I'm not looking to be tricky or clever with this :P I'll remove the client side settings.
12:04 < pekster> kryo__: Check hitcounters to make sure it's actually matching. Or maybe you didn't follow some of the other basic routing setup you need to have
12:04 < kryo__> it looks exactly like the SNAT example except for the -s
12:04 < pekster> !redirect
12:04 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:04 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:04 < pekster> flowchart is helpful
12:05 < kryo__> hitcounters?
12:05 < pekster> `iptables-save -c`
12:05 < hydrajump> pekster: and in that case `persist-key persist-tun` don't have any use on the client either, right? Those settings are used with you downgrade privileges
12:05 < kryo__> pekster want me to paste this to you.. or
12:05 < pekster> You should check your hitcounters to see if the rule you added is getting matched
12:06 < pekster> Or paste it if you have no idea how Netfilter works and want me to look. FWIW, there's also #Netfilter which offers help specific to Netfilter
12:06 < kryo__> [0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 23.92.public.ip
12:06 < pekster> So it's not matching any packets
12:06 < pekster> My guess is you don't have routing enabled. Follow the flowchart I linked
12:06 < kryo__> that ip_forwarding thing is = 1
12:07 < kryo__> it works fine if i set masquerade globally
12:07 < _FBi> !quote
12:07 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Ping timeout: 258 seconds]
12:07 < pekster> Just pastebin your whole ruleset
12:07 < pekster> Probably a firewall issue (forget to allow it on the filter table?)
12:08 < kryo__> my ruleset is about 200 lines long...
12:08 < kryo__> thanks to firewalld
12:08 < pekster> Ugh, so this is some stupidly insane frontend you have no idea how it works? :\
12:08 < pekster> You're probably better off asking wherever you get help with that frontend then
12:08 < kryo__> lol
12:08 < _FBi> heh
12:08 < pekster> I can look at the raw rules, but the problem will likely mean nothing to you if you don't maintain your own ruleset
12:09 < _FBi> or punch simple holes through it
12:09 < pekster> You must allow forwarded traffic. See the helpful flowchart listed in the first /TOPIC link of #Netfilter (first URL IIRC)
12:09 < pekster> That'll show you what tables/chains packets hit. If you don't allow packets to be forwarded, they'll never pass through to the nat/POSTROUTING table
12:09 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
12:09 < pekster> How you do that correctly in your silly frontend is up to its configuration
12:10 < kryo__> if you can just give me raw iptables rules i can use those
12:11 < pekster> :(. You should be loading _rulesets_, not rule :\
12:11 < kryo__> http://pastebin.com/FNBK5fdF
12:11 < pekster> "commands" are a horrible way to actually set up a production system because each command 1) dumps the current entire rulest, 2) adds your single rule into a temporary ruleset, and 3) loads it back
12:11 < pekster> DOn't ever use -L
12:12 < kryo__> hmm
12:12 < pekster> It's stupid, omits tables not specified, loads tables you specified that weren't previously loaded, omits critical info, and displays it in a hard to read format
12:12 < pekster> Use the command I asked for
12:12 < kryo__> which one?
12:12 < _FBi> whole crap
12:12 < pekster> 12:05:14 < pekster> `iptables-save -c`
12:12 < pekster> _all_ of it
12:12 < kryo__> oh..
12:13 < kryo__> http://pastebin.com/TmPyXv17
12:13 < kryo__> size: 12.13KB
12:13 < kryo__> >_<
12:13 < pekster> That is one fucking ugly ruleset
12:13 < hydrajump> so it seems in the manpage for openvpn that there is a client.conf example (under <connection>) that has both persist-key and persist-tun options for the client as well, but not the --user and --group as you mentioned pekster. If I understand correctly the persist options are still useful to avoid re-reading the keys on client restart and not closing the tun device?
12:14 < _FBi> ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn ctstate NEW   that's crazy haha
12:14 < hydrajump> pekster: hehe
12:14 < pekster> You have lots of references to aliases in your ruleset. YOu should fix that (it's wrong)
12:15 < kryo__> yeah i've been using eth0:0
12:15 < kryo__> :1 ect
12:15 < kryo__> but if they can all be replaced by eth0 then i can fix right away
12:16 < pekster> Go fix the FORWARD* chains. You're apparently not allowing traffic from thet VPN network out, and since line 246 has an implicity DROP, it's not allowed
12:16 < pekster> How you do that depends on your frontend, or go muck one putting the permit above that point in oen fo the *6* chains that do it
12:16 < pekster> Where it should go I've NFI, because that's a horrible complex and insane ruleset
12:17  * pekster throws firewalld on shitlist of things never to use in the future
12:18 < kryo__> the only thing that confuses me is that everything works if i just run $ firewall-cmd --add-masquerade
12:18 < _FBi> I don't see why you need so many crazy rules.  I'm not expert though :/
12:18 < pekster> hydrajump: Generally, the only reason to use --persist-tun is to support --user/--group. You probably dont need either of the persist options otherwise
12:18 < kryo__> there are like 7 "zones", which each need a bunch of setup
12:18 < pekster> _FBi: It's a stupid frontend designed for people who would rather configure something "easier" and never learn to run a firewall properly
12:19 < pekster> And yes, they generate the most complex, chain-deep rulesets you'll ever see for seemingly simple tasks
12:19 < _FBi> I'm really basic though.  open ports I need, drop everything else
12:20 < _FBi> I had TOR on my VPN server.  So my OPVN would go through TOR on the end   Client -> VPN -> TOR   .  probably the most advanced thing I've done
12:22 < pekster> For instance, all the rules on line 238-257 of that ruleset are 100% worthles in the current configuration. They could all be replaced with a single REJECT rule on filter/FORWARD to the same net effect. But the frontend creates in "in case" you later configure it to do something useful with those chains
12:22 < pekster> "go to this chain." "it's empty, so come back." Go to this other chain." It's empty, so come back..."
12:24 < pekster> kryo__: Right, that frontend is doing "lots of things", likely including configuring filter properly. tl;dr here is go ask your frontend program folks how to do this
12:24 < pekster> Or ask #Netfilter how to set up a firewall properly from scratch (they don't like frontends either)
12:24 < hydrajump> pekster: thanks!
12:24 < pekster> My guess; a 20 line ruleset would do what you want
12:26 < hydrajump> btw the crl-verify option on a client does that make sense if what would be revoked is a client cert and the client config only connects to a server?
12:26 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 265 seconds]
12:26 < kryo__> yeah pekster i'm sure it would
12:26 < hydrajump> or is it useful on a client if you have multiple openvpn servers?
12:26 < kryo__> i'm only using firewalld cause i decided to try out the "fedora way"
12:26 < kryo__> i'm trying out different distros for my first 5 years of using linux
12:26 < pekster> hydrajump: That's only useful if you revoke a server cert when the PKI itself is still safe. To use that effectively you need some way to deploy updated CRLs to clients
12:27 < hydrajump> pekster: right which is difficult
12:28 < pekster> Yea, you need some out-of-band way to do that. OCSP could be used, but then clients need some script to check it (and logic to decide what to do if the responder is down.) Plus you'd need to manage the OCSP responder service
12:28 < pekster> OCSP used instead of (or in addition I suppose) to the CRL
12:28 < pekster> Easiest is to ignore it; if your server is compromised you likely have bigger problemsm
12:28 < hydrajump> yep you're right!
12:29 < pekster> It would matter more if you maintained a cluster of servers, such that a comprimise in 1 didn't necessarily mean the rest were a lost cause
12:29 < hydrajump> as dazo_afk mentioned to me earlier. Do you push as much as possible to the clients, for instance you mentioned trying to push the tran-window option.
12:29 < pekster> I dunno if that works; if it does, go for it, otherwise mirror it on the client
12:30 < pekster> It makes changing them in the future as easy as updating the server and restarting it. Otherwise you must redeploy configs
12:30 < hydrajump> I see.
12:32 < hydrajump> and when you specify a `push comp-lzo` for instance does it set the option on the server then push to clients?
12:33 < hydrajump> you don't need to specify it for the server as well, e.g. `comp-lzo     push "comp-lzo`
12:33 < kryo__> pekster the SNAT rule is now working, but only if i turn on global masquerade as well
12:34 < kryo__> left is masquerade off, right is masquerade on: https://www.diffchecker.com/uv1ajsfq
12:34 <@vpnHelper> Title: Saved diff uv1ajsfq - Diff Checker (at www.diffchecker.com)
12:34 < kryo__> global masquerade is causing my problem
12:35 < kryo__> i think it has something to do with line 155: -A FWDO_public_allow -j ACCEPT
12:35 < kryo__> *195
12:46 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
12:48 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
12:50 < pekster> Yea, I'm not really interested in debugging your frontend tool
12:51 < pekster> hydrajump: to push --comp-lzo, you should set a value on the clients that match the server, but then optionally push a different value such as with a ccd or --client-connect script
12:54 < dusted> How can I generate a certificate which will only work with a specific username ?
12:55 < pekster> You'd need a script to compare the CN from the cert against the provided username
12:55 < pekster> !scripts
12:55 < hydrajump> pekster: I understand the values need to match. I just wasn't sure if I remove the `comp-lzo` option from my current client config so that I can push it instead to make changes easier later on.. does just having `push --comp-lzo` enough on the server side, or I also need to **set** it on the server with another comp-lzo?
12:55 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
12:55 < pekster> dusted: either --client-connect or --auth-user-pass-verify should get the common_name env-var
12:56 < dusted> pekster, cool!
12:56 < dusted> I'll look into it
12:57 < pekster> hydrajump: Just read --comp-lzo in the manpage. It explains exactly what I said (3rd paragraph)
12:59 < hydrajump> ok
13:00 < hydrajump> pekster: thanks I understand now ;)
13:01 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 255 seconds]
13:05 < dusted> wow, that was way easier than I had feared :D Thanks pekster :)
13:06 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
13:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
13:15 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
13:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:17 < hydrajump> pekster: `'PUSH_REPLY,comp-lzo,route 172.31.0.0 255.255.0.0,tran-window 900,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0' (status=1)
13:17 < hydrajump> looks like pushing `tran-window` worked
13:17 < pekster> Right, but the client may still error out on applying them
13:17 < pekster> That's just a raw list of what's pushed; errors parsing them would appear after that
13:17 < pekster> You can push unpushable (or even bogus) things, but the client will refuse to do useful things with them
13:18 < pekster> Might need --verb 4 for that (I forget offhand what the loglevel of that would be)
13:18 < hydrajump> ok so errors would show on the client. let me check with verb 4
13:21 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
13:28 < hydrajump> pekster: ok found it `ptions error: option 'tran-window' cannot be used in this context ([PUSH-OPTIONS])`
13:28 < hydrajump> so it can't be pushed
13:33 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
13:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
13:43 -!- Rene [~Rene@tigger.hertell.com] has left #openvpn []
13:44 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 255 seconds]
13:57 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
13:59 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:01 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
14:01 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
14:09 -!- kryo__ [~effigy@96.50.81.226] has quit []
14:11 < hydrajump> I found this quite interesting from mozilla's TLS recommendations "AES 128 is preferred to AES 256. There has been [discussions] on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks."
14:13 < pekster> That's fairly old news, and hasn't realistically impacted the threat surfface: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
14:13 <@vpnHelper> Title: Schneier on Security: Another New AES Attack (at www.schneier.com)
14:14 < pekster> Not that whenever they talk about reduce-round exploits, they're using a crippled version of the cipher for demonstration purposes
14:14 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
14:16 < hydrajump> "And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change."
14:17 < pekster> And that's a 5-year old recommendation
14:17 < hydrajump> right yeah saw that
14:17 < hydrajump> the mozilla one though was updated 19 Nov 2014
14:17 < pekster> Take it with a grain of salt, and find more current crypto-analysis if you want to get into it. ##crypto might have more in-depth pointers too
14:18 < hydrajump> ok just wanted to share and hear some thoughts. Not ready to get into crypt :P
14:18 < pekster> tl;dr is that AES & Blowfish do have weaknesses, but none of them come close to providing realistic attacks when used properly
14:19 < pekster> You can get far better security by properly managing your private key components, considering rotating them at reasonable intervals (2-5 years isn't a bad idea,) and looking at openvpn features like --reneg-bytes to limit how much raw data any key can be used to encrypt
14:21 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
14:27 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
14:27 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Excess Flood]
14:28 < hydrajump> pekster: the last thing you mentioned `--reneg-bytes`. I believe dazo_afk said something about using that instead of --reneg-sec
14:29 < pekster> Yea, the idea being it's more useful from a security standpoint to rotate symmetric keys based on how much they've been used to encrypt, not how long they've been in use. In many cases, this allows a lightly-used key to remain valid much longer, reducing load (CPU and network) caused by re-keys
14:29 < hydrajump> so instead of renegotiating new keys every 30 mins. they would reneg after say 100MB.
14:30 < pekster> Right. The value of the transport depends on how fast your links are; 100M would be far too small over fast links, where keys could end up rotated every few minutes under load. That might be fine for lower-speed links though
14:30 < pekster> 1-4G might be a more sane value over Internet transport
14:31 < hydrajump> I like this idea.
14:32 < hydrajump> you would set --reneg-sec=0 on both server and client and than configure the `reneg-bytes`?
14:32 < pekster> Yea
14:32 < pekster> And bytes could be applied just at the server, allowing you to change it later
14:32 < hydrajump> applied and pushed?
14:32 < pekster> (when the server demands a re-key, it applies equally to the client)
14:32 < pekster> No, just ignored entierly on the client
14:33 < hydrajump> ah ok
14:33 < hydrajump> so now I just need to determine a suitable amount of bytes
14:34 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
14:34 < hydrajump> you mentioned 1-4G over internet. If the use case is connecting to the openvpn server to access Windows Remote Desktop Services, e.g. only thing sent across the tunnel are KVM, 1-4G might be too high?
14:34 < pekster> Nah
14:35 < pekster> It just lets the VPN sit mostly-idle longer
14:35 < pekster> 1G should be fine here
14:35 < pekster> (if you stay connected for days/weeks a time, you might only see 1 rekey per week, if that)
14:35 < hydrajump> clients will disconnect every day
14:35 < pekster> The only reason to also apply for instance a once/day rekey would be so cert and CRLs are checked more frequently
14:36 < pekster> In practice that's not an issue because you can kick a connected client off after revoking and updating the CRL
14:36 < pekster> (see --management and management.txt)
14:37 < hydrajump> so if a client disconnects everyday and let's say doesn't reach the 1G data usage, than essentially each time the client connects that initial key is what will be used?
14:38 < hydrajump> 1 key/day with 1G reneg-bytes setting essentially?
14:39 < pekster> Yup
14:39 < pekster> (unless >1G was transported. Say file/printer sharing over RDP)
14:39 < hydrajump> ah yeah printer sharing will happen of course. forgot that
14:42 -!- u0m3 [~u0m3@92.80.68.195] has quit [Ping timeout: 244 seconds]
14:44 < hydrajump> so like this
14:44 < hydrajump> reneg-sec 0
14:44 < hydrajump> reneg-bytes 1000000000
14:44 < hydrajump> on server and just `reneg-sec 0` on client otherwise the client will reneg-sec 3600
14:44 < pekster> That's it
14:45 < hydrajump> pekster: you're the man! Thanks for being super helpful and explaining! I've learnt many new things ;)
14:45 -!- reventlov is now known as Reventlov
14:49 -!- teme [~Francesco@87.18.181.197] has joined #openvpn
14:49 < teme> !welcome
14:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
14:49 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:49 < teme> !route
14:49 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
14:50 < teme> !serveròlan
14:50 < teme> !serverlan
14:50 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
14:50 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
14:51 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
14:51 < teme> hello
14:51 < teme> I have one problem with my first vpn configuration
14:52 < teme> the lan of my client see the lan of my server
14:52 < teme> the lan of my server doesn't see the lan of my client
14:52 < pekster> You need !clientlan for that
14:52 < teme> is it right?
14:52 < teme> ok
14:52 < teme> !clientlan
14:52 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
14:52 < pekster> If that's what you want anyway
14:53 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
14:54 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
14:54 < teme> !ipforward
14:54 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:55 < teme> !linipforward
14:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
14:58 < teme> pekster, I think I have done everything
14:58 < teme> but don't work :(
14:58 < pekster> configs from both openvpn systems would be a start, including the server's ccd file for the client.
14:58 < pekster> !configs
14:58 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:58 < pekster> Mind the bit about scraping off the blanks/comments
15:05 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Quit: ZNC - http://znc.in]
15:05 < teme> pekster, this is my pastebin: http://pastebin.com/eM1yaQgL
15:11 < pekster> fwiw, opendns is best avoided:
15:11 < pekster> !opendns
15:11 <@vpnHelper> "opendns" is You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
15:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:11 < pekster> You can't give the server's IP to a client. You also should properly reduce your pool range to issue static IPs to clients. See: !static for more info
15:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:12 < pekster> Your netmask on line 45 is wrong
15:12 < pekster> Also, be careful with common networks like 10.0.0/24 and 192.168.1/24 because they're used all over the place, and if you have a conflict with any other involved network (including networks you don't control, like the wifi cafe's LAN range) it'll cause issues
15:13 < pekster> line 44 is also worthless; you've already pushed that network on line 33
15:14 < pekster> line 27 should omit the gateway (the route needs to send it locally to the openvpn process, not "to" the client)
15:15 < teme> ok I modify it
15:15 < teme> link 26 is right? 172.17.0.0 or 172.17.0.1?
15:16 < pekster> This isn't wrong (but might not be what you want) when you omit pushing a route for 10.0.0.0/24 -- this means any other client that connects will not be pushed a route to reach that network
15:16 < pekster> yes, 26 is fine, but ought to be adjusted if you're using static addressing (again, see !static)
15:16 < teme> !static
15:16 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
15:16 < pekster> Not properly limiting the pool range leaves the possible failure mode where a different client is issued the static IP, and then the static client connects where they both use the same address.
15:17 < pekster> That's #4/#5 above
15:17 < teme> pekster, my home ip is 192.168.1.x, my work ip is 10.0.0.x
15:17 < teme> I can't change it
15:17 < pekster> Horrible choices for a work network, btw
15:17 < pekster> (effectively breaking if anyone tries to connect over 10.0.0/24, popular on many DSL router/modems)
15:18 < teme> the vpn from my work to my home work perfectly
15:18 < pekster> Whatever, the point is clearly lost
15:18 < teme> the vpn from my home to my work, if I use 172.17.0.2, work
15:18 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Read error: Connection reset by peer]
15:19 < teme> if I ping from my home 10.0.0.197 (one client on my work), doesn't work (I have modify advanced router on my router)
15:21 -!- mt [mt@unaffiliated/supermat] has quit [Ping timeout: 272 seconds]
15:21 -!- mrtux [~stallman@unaffiliated/mrtux] has joined #openvpn
15:22 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Remote host closed the connection]
15:23 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
15:24 -!- mattock is now known as mattock_afk
15:25 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
15:36 < pekster> You have _two_ routers involved (plus the two openvpn systems.) The !clientlan info you said you followed tells you to add a return route for your home LAN to your server-side router
15:36 < pekster> And obviously set its firewalls to permit the traffic
15:36 < pekster> So, routing+firewalls on all 4 of those systems must be properly configured
15:37 < pekster> If you insist you've set a return-route for 192.168.1.0/24 via the server-VPN server, go trace the flow of packets with capture utilities (tcpdump or w/e)
15:37 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
15:37 -!- mattock_afk is now known as mattock
15:37 < pekster> return-route on the server-side LAN gateway (your work)
15:37 < Dan39> im following guide to setup openvpn. i used easy-rsa and finished, but i am missing the ta.key file. when was ta.key suppose to be created?
15:38 < pekster> Dan39: `openvpn --genkey --secret ta.key` (it's not easy-rsa or X.509 specific)
15:38 < pekster> That has to be shared between all involved nodes, over a pre-existing secure link (ssh or such)
15:38 < Dan39> ok thanks
15:39 < Dan39> i guess i should have run that line of the config
15:39 < Dan39> err i mean guide
15:40 < Dan39> it sounded like they meant it was optional, and i thought that --secret option was referencing a file that should already exist, not what was being created <_<
15:40 < Dan39> if you get what i mean haha
15:40 < pekster> It is optional, but not if you intend to use that feature; it's "extra protection" on top of TLS
15:40 < Dan39> sure why not :D
15:40 <@Eugene> I AM THE GATEKEEPER. ARE YOU THE KEYMASTER?
15:41 <@Eugene> that's how --tls-auth works
15:41 < Dan39> hey, ill cross streams, watch out!
15:42 <@Eugene> Hm I bet it's possible (with a patch or a separate proxy daemon) to run multiple openvpn instances on a single port, splitting them by --tls-auth keys
15:43 <@Eugene> I can't think of a use case for it though
15:43 < pekster> Doesn't work due to data-channel multiplexing
15:43 < pekster> It might after the client-id patch the devs are working on though
15:43 <@Eugene> Even though each packet is authed?
15:44 < pekster> Rigiht; that's why float is busted today
15:44 <@Eugene> server side?
15:44 < pekster> There's no way to associated the encrypted traffic with a client, it's all based on the tupple
15:44 < pekster> Now I suppose that tupple could be split out somehow, but you'd need to get into threading the instances, or have some fronttend do the relaying
15:45 < pekster> Think a relayd addition that did key off the tls-auth key, and then kept that tupple routed to the right server, for instance
15:45 <@Eugene> Weird. client-id is to remove all need for --ifconfig, right? Assign clients a unique id that isn't an IP or a MAC
15:45 < pekster> That might be doable, but not strictly in openvpn today given the muxing
15:45 <@Eugene> that'd take a total rewrite
15:46 <@Eugene> or at least make more sense
15:46 < pekster> ifconfig isn't needed today; you can open a raw connection and not assign any addressing (think tap that only ever does raw Ethernet frames)
15:46 < Dan39> ifconfig!? blasphemy! use ip!
15:46 < pekster> You get the same thing if you exhaust your --ifconfig-pool on the server; a client will connect, but not be given any IP becuase none are available
15:46 < pekster> Dan39: Yes, on Linux. But the openvpn option is still called --ifconfig, even when compiled with --enable-iproute2
15:46 -!- teme [~Francesco@87.18.181.197] has quit [Quit: Leaving]
15:47 <@Eugene> --ifconfig != 'ifconfig'
15:47  * Dan39 grumbles about hard to remember `ip` syntax format
15:47 < Dan39> ah
15:47  * pekster grumbles about people using decade-old 2.4-kernel-era network userland tools
15:47 <@Eugene> It ends up calling 'ip' on most systems, but the option name is legacy
15:47 < Dan39> ifconfig commands were so easy to remember :P
15:47 < pekster> Actually no, it's still using ifconfig unless that option is passed
15:47 <@Eugene> Really?
15:48 <@Eugene> my recall of logs from 2.3 from the other day mentioned ip
15:48 < Dan39> pekster: funny thing is some people say that same thing about using iw now instead of iwconfig, BUT certain cards only work well with iwconfig :P
15:48 < pekster> Yup. To fix it autoconf needs some logic to figure out if a usable iproute2 header is available
15:48 < Dan39> my netbook is one of those cases
15:48 <@Eugene> Maybe i had the option, i forget
15:48 < pekster> Different game here. iproute2 uses new kerneln ioctl's, ifconfig can't
15:48 < pekster> !ifconfig_linux
15:48 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
15:49 <@Eugene> If only Linus could be bothered to break userland tools :-p
15:49 < pekster> Simple as ripping out the old API
15:49 <@Eugene> Yeah but he's pathological about not breaking things
15:50 <@Eugene> That's why the old tools still exist
15:50 < pekster> Fun fact; net-utils `netstat` is official deprecated, but `ifconfig` is not (despite ip(8) having far better docs than the ss(8) netstat replacement)
15:50 < Dan39> ummm
15:50 <@Eugene> and why ext4 exists instead of patching ext3 or 2
15:50 < Dan39> what is the new netstat?
15:50 < pekster> ss. Like I mentioned
15:50 < pekster> "socket stats"
15:51 < Dan39> yep, looks like crap
15:51 < Dan39> :p
15:51 <@Eugene> I want sock stats
15:51 < Dan39> netstat ftw
15:51 <@Eugene> They keep escaping
15:51 < Dan39> -apn better be the same :P
15:51 < pekster> Enjoy Sim City 2000 too? Civilization 3? :D
15:51 <@Eugene> CHANGE IS BAD etc
15:51 < Dan39> i like change, i like new
15:51 < pekster> In fact, screw Ethernet; the token ring folks had it right
15:51 < Dan39> but not new that sucks
15:52 < pekster> IPv6? Fuck that. IPv4 with classful addressing ruled
15:52 < pekster> etc
15:52 <@Eugene> I want IPv5
15:52 < Dan39> lol
15:52 < Dan39> why is the ss output impossible the read... >_<
15:52 <@Eugene> !cuz
15:53 <@Eugene> What do we not have that here
15:53 <@Eugene> dafuq
15:53 < pekster> !learn cuz as Because that's the way it is. Patches welcome.
15:53 <@vpnHelper> Joo got it.
15:53 < Dan39> im sure behind the scenes ss is awesome
15:53 < Dan39> just copy the netstat text format :p
15:53 <@Eugene> I use "because fuck/screw you, that's why", depending upon company
15:54 < pekster> !factoids search screw
15:54 <@vpnHelper> No keys matched that query.
15:54 < pekster> !factoids search fuck
15:54 <@vpnHelper> No keys matched that query.
15:54 < pekster> bot is still broken; appending --values breaks in certain cases :\
15:54 < Dan39> seriously
15:54 < pekster> !factoids
15:54 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:55 < pekster> !forget cuz
15:55 <@vpnHelper> Joo got it.
15:55 < pekster> !learn cuz as [why]
15:55 <@vpnHelper> Joo got it.
15:55 < pekster> !cuz
15:55 <@vpnHelper> "cuz" is "why" is because screw you, that's why.
15:55 <@Eugene> oh we had that one
15:55 < pekster> Ironically, that's the failed --values case
15:55 < pekster> !factoids search --values screw
15:55 <@vpnHelper> 'why' and 'cuz'
15:55 <@Eugene> hahaha
15:55 < pekster> huh?
15:55 < pekster> Fails in PM but not in-channel
15:55 < pekster> But it doesn't fail in PM for other search terms
15:55 < pekster> Ugh
15:55 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
15:55 <@Eugene> Because there's a separate db for each channel
15:56 < pekster> No, I know
15:56 < pekster> /msg vpnHelper factoids search #openvpn --values screw
15:56 < pekster> that fails. Replace with fuck and it works
15:56 < pekster> It's been doing that since forever; I forgot it works in channel. tl;dr: spam more
15:56 <@Eugene> supybot is kinda crap. maybe I'll get around to importing the database to a gitinfo instance
15:56 <@Eugene> It even has a decent web interface
15:58 -!- cesurasean [~cesurasea@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
15:58 < cesurasean> hey guys. when openvpn connects, my internet is lost on my vps server.
15:58 < cesurasean> why is that?
15:58 < cesurasean> i used openvpn client.conf, and everything looks good.
15:59 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:00 < pekster> WAG: you're using or pulling --redirect-gateway and it's doing exactly what you asked. You can't respond to externally-initiated connections doing that
16:00 < pekster> Read up on policy routing to correct that, or just don't --redirect-gateway on systems you need to allow external connections from
16:01 < cesurasean> so when --redirect-gateway is used, the connection from the outside world drops?
16:01 < pekster> (ie: two servers, or a real form of virtualization)
16:01 < pekster> No
16:01 < pekster> It doesn't drop: it's routed over the VPN
16:01 < cesurasean> well, im trying to chain vpns.
16:01 < pekster> (then rejected)
16:01 < cesurasean> what is the best way to do this?
16:01 < pekster> Read up on advanced policy routing, or manage your routes smarter
16:01 < cesurasean> do you mind helping me?
16:02 < cesurasean> have hit my head on this for months now. but youre making sense of it so far.
16:03 < pekster> I think it's rather a silly thing to do in the first place, and doesn't really offer any form of security
16:04 < pekster> Consider manually setting two /1 route-overrides on the first-level, then four /2 routes on the 2nd, etc
16:04 < pekster> Read about --route-nopull, --route-noexec, and --route-up
16:04 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:04 < cesurasean> ok
16:04 < pekster> Plus policy routing if you need to accept connections from the outside still
16:04 < pekster> !lartc
16:04 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
16:04 < pekster> (assuming Linux)
16:05 -!- mattock is now known as mattock_afk
16:05 < cesurasean> is there a way to use --redirect-gateway, and also allow outside connections?
16:05 < cesurasean> an easy fix?
16:05 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
16:07 -!- Reventlov [~reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
16:07 -!- reventlov [~reventlov@unaffiliated/reventlov] has joined #openvpn
16:08 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:08 -!- reventlov is now known as Reventlov
16:10 -!- mikjaer_ [~mikjaer@127-0-0-1.dk] has joined #openvpn
16:12 < mikjaer_> I have a perfectly working setup running between one mikrotik router and one linux server, now i cloned the config from the mikrotik router to another one and as far as i can se the configs are identical - but one of the routers fails with TLS Error and the other doesnt. Any idea on where to look for a solution to this?
16:12 < hydrajump> is there any difference between an .ovpn file and a .conf file? I couldn't see anything in the How-to other than reference to Windows with the former.
16:13 < hydrajump> mikjaer_: maybe the mikrotik's have different versions?
16:13 < hydrajump> different firmware?
16:14 < mikjaer_> i did'nt tjek that ... i bought them togehter, but i'll tjek now - thanks
16:15 -!- mikjaer_ is now known as mikjaer
16:17 < cesurasean> no one here has ever chained a vpn?
16:18 < pekster> cesurasean: "easy"? No. Policy routing is an advanced networking concept that requires a strong understanding how routing works, and knowledge/skill with Linux userland tools to enact this
16:18 < mikjaer> hydrajump: no they are excatly the same ... what does TLS Error normally imply?
16:19 < pekster> hydrajump: .conf is standard on Unix/Linuxes. Windows associates .ovpn with the openvpn binary
16:19 <@Eugene> !ovpn
16:19 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked. or (#2) this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows
16:19 < mikjaer> Will a config-transplant move clone the MAC Adresses as well?
16:19 <@Eugene> I was smart and used the bot
16:19 < pekster> !forget ovpn 2
16:19 <@vpnHelper> Joo got it.
16:19 <@Eugene> Hey fuck you
16:20 < pekster> !learn ovpn as this is the same config file format as the standard .conf, just renamed to allow Windows to associate it with the openvpn program
16:20 <@vpnHelper> Joo got it.
16:20 < pekster> collisions have nothing to do with it
16:20 <@Eugene> I didn't write it, just use it
16:20 < pekster> openvpn at the CLI works just fine if you call your config .exe or .jpg
16:20 < hydrajump> thanks pekster Eugene
16:21 < hydrajump> the iOS OpenVPN Connect app also requires the file extension to be .ovpn, right?
16:21 < pekster> No clue; That's an entierly separate codebase, so it could do anything
16:21 < hydrajump> that's what I'm trying to get working now with my client.conf
16:21 < pekster> !android
16:21 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/
16:21 < hydrajump> !iphone
16:21 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
16:21 < hydrajump> !connect
16:21 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
16:21 < pekster> Oh, iOS, yea, stuck with that then
16:21 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
16:24 < _FBi> !iphone
16:24 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect) or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
16:24 < _FBi> now if I'd scrolled up 10 lines... lol
16:36 < hydrajump> to ask iOS Connect app questions I need to ask on #openvpn-as ?
16:36 < hydrajump> !welcome
16:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:37 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:37 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
16:42 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
16:47 < cesurasean> pekster, you mind giving me a moment?
16:47 < cesurasean> if you sourceforge vpnchains, there is a script....
16:47 < cesurasean> the script seems to connect, but then it disconnects me from ssh.
16:47 < cesurasean> any ideas?
16:55 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:59 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
17:00 < cesurasean> why does route 208.69.56.227 255.255.255.255 0.0.0.0 not work in my config of openvpn?
17:12 < cesurasean> having trouble getting SNAT to work.
17:12 < cesurasean> still getting my own ip once the vpn is connected.
17:12 < badon> I have many config lines that look this: route 1.2.3.4 255.255.255.255 net_gateway. Is there a way to list all of those into a commandline?
17:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:14 < badon> I assume I use --route, but I'm not sure how to delimit more than one route.
17:14 < badon> --route 1.2.3.4 255.255.255.255 net_gateway --route 5.6.7.8 255.255.255.255 net_gateway
17:15 < badon> Maybe that?
17:17 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
17:17 < cesurasean> i still dont understand why --redirect-gateway stops ssh access.
17:17 < cesurasean> or how its fixed.
17:17 < cesurasean> thats my real issue.
17:19 < pekster> simple: ssh goes from some public IP (let's call it 203.0.113.3) to your server. ssh server gets it, tries to reply. 203.0.113.3 is looked up in the routing table, and it matches the 128/1 route, via the VPN. Server sends it to the VPN endpoint. VPN gets it, and is willing to route it out, with the NAT involved in RFC1918 VPN IP space; let's call this NAT'd IP 192.0.2.234. The original system at 203.0.113.3 gets a packet from ...
17:19 < pekster> ... 192.0.2.234, which is notablely NOT the IP of your ssh server, and says "WTF, I didn't ask this host to talk"
17:19 < pekster> Broken
17:19 < pekster> You fix it by learning the advanced concept of policy routing
17:19 < pekster> !factoids search policy
17:19 <@vpnHelper> 'policy' and 'redirect-policy'
17:19 < pekster> !redirect-policy
17:19 <@vpnHelper> "redirect-policy" is If you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic.
17:20 < pekster> !policy
17:20 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
17:20 < pekster> Grr, I had a wiki page for this I think
17:20 < pekster> !route-by-app
17:20 < pekster> cesurasean: see above for the reason it's broken. You have asymmetric routing, aka "triangle routing"
17:20 < pekster> !routebyapp
17:20 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
17:20 <@vpnHelper> policies you set. For Linux, read about !lartc
17:21 <@krzee> i thought policies still had to be subnet based
17:21 <@krzee> or maybe even port
17:21 < pekster> Nope
17:22 <@krzee> !lartc
17:22 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
17:22 < pekster> Netfilter can filter on literally anything you want, you mark it, and iprule is able to match the fwmark
17:22 <@krzee> ahh ok so its all in the firewall
17:22 < pekster> ie: you can filter on anything you can craft a rule for, including state, etc
17:22 < pekster> Well, the marking is
17:22 < pekster> The routing is not part of the firewall per se, but uses info supplied by the firewall engine
17:22 <@krzee> right marking what table to use
17:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
17:22 < pekster> Yup. Same thing PF can do, and PF is using different kernel components too (just controlled in one place)
17:23 <@krzee> in bsd i just started it with setfib
17:23 <@krzee> you setfib when you start the app, then it uses the table you setfib to
17:24 < pekster> Close, but IIRC still not quite the same since you want all outbound traffic _except_ certain bits to go over the VPN
17:24 < pekster> Not just what you strictly route via the VPN (ie: sourced from an IP on the VPN's adapter)
17:24 < pekster> Everything else, such as `fetch <whatever>` you want to go over the VPN in that case
17:24 <@krzee> you could redirect gateway and then setfib to a different routing table with orig gateway on those certain apps
17:25 < pekster> sshd? Probably not what you intended either
17:25 < pekster> Unless you strictly don't want sshd to accept connections via the VPN
17:25 < pekster> If you do, messing with FIB won't work as intended
17:25 <@krzee> ok ya im not talking about that
17:25 < pekster> route-to / reply-to get what you want though, with equally flexible config as marks/ip-rule in Linux
17:26 < pekster> And you don't have to mess with launching apps in just the right way then
17:26 <@krzee> im talking about the desire of !routebyapp
17:26 < pekster> Things work as flexibly as you can design a ruleset for
17:26 <@krzee> not straight up policy routing in gernel
17:26 <@krzee> generl*
17:26 <@krzee> grr, general
17:27 < pekster> Linux can split things out similarly by using a dedicated uid/gid, and keying off that in policy. Or containers, but that's a bit more like jails
17:27 < pekster> In the end, right task for the job, and there's often >1 way to get the same job done, with different strenghts/drawbacks
17:28 <@krzee> yep
17:29 < pekster> Is setfib smart enough to handle things like inbound ICMP errors? ie, do you know if that keys off the state engine?
17:29 < pekster> ie: established ssh (or w/e) session, then remote end sends a param-problem ICMP, or host-unreach or whatever; does that get sent to the socket holder in the app?
17:30 < pekster> (and by remote end I could just as easily mean a router in between them)
17:31 <@krzee> not sure, but i have run openvpn with it plenty to have vpn connections (inbound as well as outbound) going over second link
17:31 < pekster> Right, but failing to accept icmp correctly turns your apps running there into a broken host :\
17:31 <@krzee> of course now i use --mutlihome in linux on an openwrt so i dont have to have 2 vpn subnets =]
17:32 < pekster> fwiw, that's a popular mistake to those new to Netfilter too
17:32 <@krzee> pekster, ya, i dunno
17:32 < pekster> ANd IPv6 firewall admins who haven't a clue (including some US gov't sites, one of which I access often)
17:33 < pekster> They block icmpv6-too-big, so <1500 MTU clients break. But the whole world uses 1500, right? :x
17:37 < pekster> cesurasean: https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
17:37 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
17:39 < pekster> krzee: Yea, openwrt rules for some of this. My needs require busybox to have the `ip` applet (I could use a full-blown iproute2 package, but so much wasted flash for that..)
17:39 < pekster> Kernel does the routing stuff already, but without userland tools to interface it's all wasted
17:39 <@krzee> i have iproute2, instead i choose to ditch the web interface
17:39 <@krzee> to me thats the wasted space =]
17:40 < pekster> Oh, I drop that too
17:40 < pekster> No room for iproute2, just the busybox ip applet on my 4MB flash unit
17:40 < pekster> In return I get toys like mtr, tcpdump, etc
17:40 <@krzee> ya im 4mb too, with all of the above
17:40 < pekster> In rare cases bb ip isn't enough, but it's fine for routing tables, routing rules, and tc
17:41 <@krzee> lil cheapo tp-link
17:41 < pekster> Oh, and tun/tap, etc
17:42 <@krzee> and there was a nice guide for how to turn the built in switch into vlans so basically a 5 port router with no switch or as many network ports and a switch of the leftover
17:42 < pekster> Or more with trunking
17:42 <@krzee> hella handy though
17:42 < pekster> I've done several deployemnts on openwrt using at least 3 networks and tagging
17:42 < pekster> Though one old unit I worked on had a hardware limit of 16 VLANs
17:42 < pekster> Guess they could only spare 5 bits for the VLAN ID :P
17:43 < pekster> Erm, 32 VLANs I guess
17:43 <@krzee> ya this is 2 physical lans, an admin port which i dont actually use ever, and a few vpn clients/servers
17:43 < pekster> The software was happy to try and tag VLAN200; it never got sent out by the switch :\
17:44 < pekster> Well, it wasn't network number, but the goal was to interface with an existing network that used VLANs including 200. We found an alternate solution
17:44 < pekster> VLAN 1/2 worked fine, just made the phones we were deploying need a special "not in-house" config
17:45 < pekster> Ideally we'd have liked to drop one of the ports onto native 200, but it wasn't meant to be. Stupid broadcom limitations (funny how often I've said that about them)
17:48 -!- wlxmhls [~hp@124.65.46.34] has joined #openvpn
18:13 -!- cesurasean [~cesurasea@c-71-207-227-197.hsd1.al.comcast.net] has quit [Ping timeout: 240 seconds]
18:13 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
18:13 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
18:22 < hydrajump> I spoke with someone on another channel who suggested port forwarding from udp 53 to udp 1194, e.g. the former is open to the public. The person said that a it would result in less attempts at scanning the openvpn server and b) it would most likely allow accessing the server from the majority of networks you may be on.
18:22 < hydrajump> Any thoughts on this?
18:23 < pekster> tls-auth prevents "scanning" anyway (so does 1194 unless they "scan" with openvpn or their own code that mimics an openvpn connection)
18:23 < pekster> Snake-oil advice at best
18:24 < pekster> if you want (b) features, just NAT that port in too
18:24 < pekster> Problem solved
18:25 < hydrajump> hehe ok to port 53. I don't understand the NAT to allow accessing 1194 if blocked by the network you may be on
18:25 < pekster> Stupid sites that permit 53 outbound but "blocK" other things
18:26 < pekster> Just pay for a mobile internet plan if it's that critical you access resources elsewhere
18:26 < hydrajump> oh one more thing regarding the tls-auth preventing scanning...so then there is no need for say fail2ban as you might do with a public SSH port?
18:26 < pekster> fail2ban is a huge waste on CPU, and has been shown to be tricked in a variety of cases, possibly to DoS other IPs
18:26 < pekster> ie: if I know what IP you're on, I can get fail2ban to ban you instead of me by playing with my rDNS
18:27 < hydrajump> ouch
18:27 < hydrajump> didn't know that
18:27 < hydrajump> you just stick to iptables then with some clever rules?
18:28 < pekster> you secure applications so it's a non issue. I run ssh on a port besides 22 to avoid log/connection spam (it all but goes away.) I secure it by allowing only public auth externally; that prevents any serious attacker (who can find the alt port anyway) from getting in
18:28 < pekster> tls-auth drops *ALL* traffic unless it has the key or has already been authenticated
18:29 < pekster> Why would you also run (marginally useful) blocking software on top of this? It's like you're trying to invent problems that suddenly require you to use all these other solutions
18:30 < hydrajump> what you're saying makes perfect sense and makes life easier by not having to maintain/configure extra systems.
18:30 < pekster> Or worry about keeping up on the latest flaws in said systems
18:31 < pekster> The less you run the better, especially when it's just a glorified python program that looks for regex in log files
18:31 < pekster> (which is why it's so easy to trick if you control rDNS and know a bit about your target)
18:32 < hydrajump> so because of tls-auth with openvpn dropping *ALL* traffic unless you have the key, changing port from 1194 to 1180 would not matter, but with SSH you don't have that same mechanism so switching to 2222 would prevent log/connection attempts?
18:32 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
18:32 < pekster> ssh is tcp, much different than UDP in the first place
18:32 < hydrajump> true
18:33 < pekster> tcp ports are easy to scan (they respond by poking them.) no-reply on UDP either means there's a firewall, or the service ignored you
18:33 < pekster> Plus I hate seeing 50,000 log attempts when I really only wanted to see what failed at 10PM last night that caused some failure
18:34 < pekster> I don't care at all that 203.0.113.8 tried 50k times to log into ssh, and was denied all 50k of them becauase I don't accept keyboard-interactive
18:39 < hydrajump> I had to google `AllowedAuthentications   keyboard-interactive
18:39 < hydrajump> that is if enabled
18:40 < hydrajump> PasswordAuthentication no is what you mean, right?
18:45 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
18:59 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
19:17 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
19:22 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
20:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
20:20 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
20:23 -!- james41382__ [~james@unaffiliated/james41382] has joined #openvpn
20:24 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
20:24 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
20:24 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
20:24 -!- james41382_ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
20:24 -!- Cydrobolt [~cydrobolt@fedora/cydrobolt] has quit [Ping timeout: 265 seconds]
20:25 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Excess Flood]
20:26 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Ping timeout: 265 seconds]
20:26 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
20:27 -!- capri [svedrin@elwing.funzt-halt.net] has joined #openvpn
20:44 < Dan39> is this true exactly as it reads when setting tls-auth? from man, "The direction parameter requires that file contains a 2048 bit key"
20:45 < Dan39> i was going to try with only 1024 bit...
20:48 -!- akamaru [~akamaru21@67.191.183.251] has joined #openvpn
20:51 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:88c0:a26c:a19f:2d76] has quit [Ping timeout: 258 seconds]
20:56 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:a163:467a:f5e4:3b6] has joined #openvpn
20:58 -!- akamaru [~akamaru21@67.191.183.251] has quit [Ping timeout: 255 seconds]
21:06 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
21:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:08 < pekster> Dan39: How did you end up with a 1024 bit key? That's from a super old openvpn version. If you _do_ have something from the dark ages of openvpn, just regnerate to get 2048: `openvpn --genkey --secret ta.key`
21:09 < Dan39> lol i picked 1024...
21:09 < pekster> You don't pick..
21:09 < pekster> You sure you don't mean X.509 key size?
21:09 < pekster> --tls-auth is completely different
21:09 < pekster> (also, 1024 is considered somewhat weak for X.509 anyway)
21:09 < Dan39> cuz crappy hardware and i dont really need this to be that secure
21:09 < pekster> okay. But --tls-auth is not x.509
21:10 < Dan39> maybe im talking about wrong thing..
21:10 < Dan39> i have a
21:10 < Dan39> dh1024.pem
21:10 < pekster> The file reads -----BEGIN OpenVPN Static key V1-----
21:10 < pekster> that's a DH param file
21:11 < pekster> Has nothing to do wtih --tls-auth
21:11 < Dan39> ok :)
21:11 < pekster> --tls-auth should be used with a tls-auth key, generated with the command I gave you above
21:11 < Dan39> nvm then... you are right, # 2048 bit OpenVPN static key
21:11 < pekster> And yes, it should be 2048 bits, which is generated all the way back to openvpn 2.1.0 (at least -- git doens't have older versions to test with easily)
21:12 -!- akamaru [~akamaru21@2601:0:8a80:1064:14d5:230f:df9a:bb30] has joined #openvpn
21:14 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:a163:467a:f5e4:3b6] has quit [Ping timeout: 258 seconds]
21:14 < badon> I have many config lines that look this: route 1.2.3.4 255.255.255.255 net_gateway. Is there a way to list all of those into a commandline? I assume I use --route, but I'm not sure how to delimit more than one route.
21:15 < badon> --route 1.2.3.4 255.255.255.255 net_gateway --route 5.6.7.8 255.255.255.255 net_gateway
21:15 < badon> Maybe that?
21:16 <@krzee> !--
21:16 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
21:16 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:bc25:300f:a1d8:6f8c] has joined #openvpn
21:17 <@krzee> so yes
21:18 < pekster> Yes that, although don't use IP space from the debogon project or GmbH
21:19 < pekster> !factoids search clever
21:19 <@vpnHelper> No keys matched that query.
21:19 < pekster> !factoids search --values clever
21:19 <@vpnHelper> 'bridging', '5737', and 'topsecret'
21:19 < pekster> !5737
21:19 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
21:19 -!- akamaru [~akamaru21@2601:0:8a80:1064:14d5:230f:df9a:bb30] has quit [Ping timeout: 258 seconds]
21:23 -!- graud [~adam@69.196.8.34] has joined #openvpn
21:23 < badon> krzee: OK, so I need to use multiple instances of --route, do I understand that correctly?
21:24 < graud> hi all, my client is connecting to the server. but the client cannot curl any site when connected to the vpn. i think i need some iptables magic?
21:25 < pekster> graud:
21:25 < pekster> !oal
21:26 < pekster> !goal
21:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:38 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has joined #openvpn
21:42 -!- graud [~adam@69.196.8.34] has quit [Ping timeout: 272 seconds]
21:46 <@krzee> badon, yes, like in your example
22:06 < Dan39> dam, i had a feeling i should have looked at my phone before setting this all up :|  i dont think these types provided by default work with openvpn...
22:08 < Dan39> anyone have experience connecting to openvpn server with android?
22:08 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
22:09 < Dan39> looks like there is an app for it... i wonder how well it works vs the built-in, since my phone already sucks :(
22:17 < Dan39> how the hell do i create the openvpn profile file? :|
22:18 < Dan39> i need a windows pc? seriously?
22:18 < Dan39> this is epic lame
22:20 < Dan39> ok maybe not needed
22:20 < Dan39> client.conf may be the same thing...
22:21 < Dan39> nope dont think so haha
22:21 <@krzee> get it working from a computer, then just import the working config into "openvpn for android"
22:22 < Dan39> ok so its just a normal config file?
22:22 <@krzee> before you import it, yes
22:22 < Dan39> but it has the keys within the files i think...
22:22 <@krzee> after, it has inline keys and stuff, but still yes
22:22 < Dan39> not "OpenVPN Connect"?
22:22 <@krzee> nah use openvpn for android
22:22 <@krzee> by arne schwab
22:23 < Dan39> maybe i will just get pptp or ipsec setup... :\
22:23 <@krzee> go for it
22:23 < Dan39> now i dont want to haha...
22:24 <@krzee> *shrug* good luck
22:24 < Dan39> lol thanks
22:25 < Dan39> why not openvpn connect?
22:26 -!- Droolio [~drool@host86-143-240-221.range86-143.btcentralplus.com] has quit [Ping timeout: 264 seconds]
22:26 <@krzee> just my recommendation
22:26 <@krzee> they should both work
22:26 <@krzee> !connect
22:26 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
22:26 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
22:27 <@krzee> !android
22:27 <@vpnHelper> "android" is (#1) an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ or (#2) Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn or (#3) Old (pre-ICS) device? See: !android-old or (#4) You can get the apk directly from http://plai.de/android/
22:29 <@krzee> openvpn for android is the version released by the community (specifically plaisthos) , from the normal GPL openvpn.  Connect is a total re-write of openvpn (client only) in c++, basically only exists because apple has weaksauce rules regarding GPL code in their iphone store thing
22:29 < Dan39> total weaksauce
22:52 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:04 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:bc25:300f:a1d8:6f8c] has quit [Quit: Leaving]
23:08 -!- ShadniX [dagger@p5481DA10.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:11 -!- ShadniX [dagger@p57941915.dip0.t-ipconnect.de] has joined #openvpn
23:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
23:42 -!- mikjaer [~mikjaer@127-0-0-1.dk] has left #openvpn []
--- Day changed Fri Nov 28 2014
00:34 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
00:35 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
00:39 -!- Fuusko [~Fuusko@h-234-229.a216.priv.bahnhof.se] has joined #openvpn
00:39 < Fuusko> hello, what outgoing ports do I need to open to establish connection to a ovpn server?
00:41 < Fuusko> I am trying to block all traffic except that within the vpn and to do this I want to block all outgoing ports but those needed for the ovpn connection.
00:42 -!- wlxmhls [~hp@124.65.46.34] has quit [Ping timeout: 272 seconds]
00:43 -!- wlxmhls [~hp@124.65.46.34] has joined #openvpn
00:43 < Fuusko> I get "Error: Connection activation failed: the connection attempt timed out."
00:45 < Fuusko> According to my vpn provider they use 1194-1201 which I have opened as TCP and UDP, also tried to open 443 but that didn't help so I seem to be missing some port. Anyone here know which?
00:51 -!- u0m3 [~u0m3@92.80.68.195] has quit [Ping timeout: 240 seconds]
01:09 -!- mattock_afk is now known as mattock
01:27 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
01:48 -!- havingFun_ is now known as xrosnight
02:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:26 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
02:32 -!- dusted [~dusted@190-162-191-90.dyn.estpak.ee] has quit [Quit: Leaving]
02:37 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
02:38 < rooth> Morning, does anyone know if a ta.key could be included in a .p12-container?
02:58 -!- bewees [~philipp@46.115.162.188] has joined #openvpn
02:58 < bewees> hi
03:02 < bewees> I setup an openvpn server and client in my network 192.168.10.0/24. The openvpn subnet is 10.8.0.0/24. I want to route all traffic from the client through the server VPN. I followed the steps from openvpn doc: https://openvpn.net/index.php/open-source/documentation/howto.html#redirect  , but if I access the webserver on a system within the network 192.168.10.0/24 from the openvpn client it still shows the clients IP and not the servers IP. What am I miss
03:02 < bewees> ing? I just added "push "redirect-gateway def1" in server.conf and did `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` for openvpn servers nat table. Maybe I have to also configure something on the client too?
03:02 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:06 -!- kef [~kef@matrix.fullmotion.de] has quit [Quit: Quit]
03:06 -!- kef [~kef@matrix.fullmotion.de] has joined #openvpn
03:08 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:08 -!- fin [~fin@unaffiliated/le0] has joined #openvpn
03:09 -!- kef [~kef@matrix.fullmotion.de] has quit [Client Quit]
03:10 -!- kef_ [~kef@matrix.fullmotion.de] has joined #openvpn
03:24 -!- Fuusko [~Fuusko@h-234-229.a216.priv.bahnhof.se] has quit []
03:31 -!- wlxmhls [~hp@124.65.46.34] has quit [Quit: Leaving.]
03:31 < bewees> It worked. I had to add this rule on the client `ip route add 192.168.10.101 via 10.8.0.6 dev tun0` where 192.168.10.101 is the webserver's IP
03:35 < bewees> Changing the default route through 10.8.0.6 was not sufficient, because the client's eth0 subnet is 192.168.10.0/24, thus client connections to 192.168.10.0/24 did not go through the default route, but through: 192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.10
03:44 -!- Droolio [~drool@host86-134-192-232.range86-134.btcentralplus.com] has joined #openvpn
03:45 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 250 seconds]
03:47 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:49 -!- kef_ is now known as kef
04:00 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 258 seconds]
04:08 -!- bewees [~philipp@46.115.162.188] has quit [Ping timeout: 240 seconds]
04:14 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
04:15 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:25 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
04:33 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
04:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:48 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Read error: Connection reset by peer]
05:21 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:27 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
05:34 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
05:41 -!- novaflash is now known as novaflash_away
05:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 255 seconds]
05:50 -!- bewees [~philipp@46.114.32.100] has joined #openvpn
05:52 -!- brophat [~brophat@134.173.203.118] has joined #openvpn
05:53 < brophat> to choose udp or tcp for the vpn what does that mean?
05:53 < brophat> where is it that I am choosing to use udp or tcp?
06:05 -!- brophat [~brophat@134.173.203.118] has left #openvpn ["Leaving"]
06:15 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:17 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 272 seconds]
06:26 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
06:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:40 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
06:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:58 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
06:59 -!- uskerine [~a@80.30.158.182] has quit [Remote host closed the connection]
07:06 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 264 seconds]
07:07 -!- bewees [~philipp@46.114.32.100] has quit [Ping timeout: 272 seconds]
07:19 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
07:20 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
07:24 -!- lxusrbin [~lxusrbin@2a01:4a0:40:6100::64] has joined #openvpn
07:27 -!- Latrina [~Latrina@adsl-ull-239-178.50-151.net24.it] has quit [Ping timeout: 256 seconds]
07:30 -!- Latrina [~Latrina@adsl-ull-222-191.50-151.net24.it] has joined #openvpn
07:30 -!- lorens [~lorens@213.27.241.114] has joined #openvpn
07:36 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:40 -!- lorens [~lorens@213.27.241.114] has quit [Ping timeout: 264 seconds]
07:49 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
07:54 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:24 -!- napnap [~napnap@95-141-110-114.as16211.net] has joined #openvpn
08:24 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
08:40 -!- dusted [~dusted@152.115.62.134] has joined #openvpn
08:41 < dusted> Hmm, when a client connects with an invalid certificate (expired, revoked or the client-connect script returns nonzero), I see clearly in the server log what happens, however, the client does not seem to understand it, and will just keep trying.. Any way to have the server terminate the connection? even better, send a message to the client before doing so ?
08:44 < BtbN> It does. Doesn't stop the client from retrying though.
08:44 < napnap> Hi all, I had a fully functionnal Openvpn server, but now client can connect to the openvpn server but ping(and other things) are impossible... I don't understand why...I've checked lmany things whithout success
08:44 < napnap> This is some infos : http://pastebin.fr/37627
08:49 -!- dusted [~dusted@152.115.62.134] has quit [Ping timeout: 272 seconds]
09:04 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
09:06 < trumee> I haven an openvpn server sitting in a lan behind an openwrt router. I have client-to-client working fine for my vpn clients. However, the vpn clients are unable to ping my router. any idea why?
09:08 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Quit: ZNC - http://znc.in]
09:10 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
09:10 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Read error: Connection reset by peer]
09:11 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has joined #openvpn
09:13 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
09:22 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 265 seconds]
09:30 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 255 seconds]
09:32 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
09:34 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:37 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:37 -!- esde [~esde@unaffiliated/esde] has quit [Quit: .]
09:37 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
09:38 < trumee> the deatils are at http://pastebin.com/15ew886K
09:38 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
09:39 < trumee> Line 35 shows that my VPN server is not forwarding the requests from the router to the remote vpn client.
09:44 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:45 -!- dusted [~dusted@152.115.62.134] has joined #openvpn
09:54 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:57 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:57 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
09:58 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:59 -!- dusted [~dusted@152.115.62.134] has quit [Ping timeout: 244 seconds]
10:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:19 -!- napnap [~napnap@95-141-110-114.as16211.net] has quit [Ping timeout: 272 seconds]
10:43 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
10:46 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
10:49 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
10:51 < KNERD> trumee: "patse has been removed"
10:52 < trumee> KNERD: here you go, http://pastebin.com/GxieNVp8
10:54 < KNERD> i have foudn when the openvpn server is sitting on a LAN you need to add 2 lines to the server.conf file for remote clients ont he WAN to work properly
10:56 < KNERD> push "route 192.168.1.0 255.255.255.0" (or what the LAN is)
10:56 < KNERD> pology subnet
10:56 < KNERD> ooops.. topology subnet
11:00 < trumee> KNERD: thanks for your help. It is resolved now. My vpn client (my android phone) was set to use ipv6 in the APN. As soon as i changed it to ipv4 it is working now
11:02 < KNERD> oh..ok
11:03 < KNERD> you stil need those lines..i fooudn while the client could connect and all..the server was not revceiving packets to the service it was connecting to, ceausde it to drop the connections
11:04 < trumee> KNERD: yes, i did have those lines in the server config.
11:04 < KNERD> oh..good and groovy
11:10 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
11:12 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
11:13 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Excess Flood]
11:13 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
11:22 -!- fin [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:45 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
11:55 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 260 seconds]
11:59 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:08 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
12:17 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Quit: No Ping reply in 180 seconds.]
12:18 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
12:32 -!- novaflash_away is now known as novaflash
12:38 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
13:04 -!- hasselmm [~mathias@p20030046096F2500E8EE197DA23109A7.dip0.t-ipconnect.de] has joined #openvpn
13:06 < hasselmm> why would openvpn configure my linux client to use tap0 instead of tap1, as specified in the configuration file via "dev tap1"?
13:07 < hasselmm> problem is, that tap0 already is used for another vpn
13:38 -!- capri [svedrin@elwing.funzt-halt.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:46 -!- hasselmm [~mathias@p20030046096F2500E8EE197DA23109A7.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
13:54 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
14:38 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:49 -!- xtalion [~nnscript@24.98.40.21] has joined #openvpn
14:49 < xtalion> !paste
14:49 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
14:51 < xtalion> can anybody here help me out with setting up 2 tunnels to separate openvpn access servers on one windows machine?
14:55 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Quit: elfixit]
14:56 -!- Droolio [~drool@host86-134-192-232.range86-134.btcentralplus.com] has quit [Quit: I'm not schizophrenic, I hate everybody, so I was told.]
15:00 -!- xtalion [~nnscript@24.98.40.21] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:09 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
15:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:23 -!- zamba [marius@flage.org] has quit [Ping timeout: 265 seconds]
15:51 -!- zamba [marius@flage.org] has joined #openvpn
16:02 < Dan39> wow i actually got it working :D
16:02 < Dan39> is 93ms lag from US to france thru openvpn good?
16:05 <@Eugene> Depends where in the US, but sounds about right with the speed of light
16:05 < Dan39> yo fucking Eugene just calculated that shit off the top of his head!
16:07 < Dan39> a bit high actually, if calculated without many losses hehe
16:07 <@Eugene> Well, I know that the speed in fiber is about 100mi/ms, so yeah.
16:08 < Dan39> depends on the fiber i guess
16:08 <@Eugene> Fiber is ~30% slower than vacuum ;-0
16:08 <@Eugene> ;-)
16:08 < Dan39> i dont remember exactly, but i did a course on fiber optics, and we used that number often
16:09  * Dan39 googles away :D
16:10 < Dan39> index of refraction, yep :D
16:10 <@Eugene> My number is probably not quite right; that's just what I have memorized for estimations
16:10 < Dan39> that was one of my favorite courses
16:10 < Dan39> i enjoy the basic trig and some of the hands on stuff
16:11 < Dan39> polishing the fiber ends and looking at them with magnifying glass thingy
16:11 <@Eugene> I can barely do a RJ45; fuck that noise.
16:11 < Dan39> haha
16:11 < Dan39> i found it funny that single-mode fiber is the better one, vs multi-mode
16:18 < Dan39> openvpn is adding about 3-4ms to the ping time. that sounds pretty good to me
16:18 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
16:20 < Dan39> hmm, so adding removing comp-lzo actually makes the ping time INCREASE :O
16:20 < Dan39> err
16:20 < Dan39> removing
16:21 <@Eugene> See also --tcp-nodelay
16:22 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Client Quit]
16:22 < Dan39> im kind of surprised adding compression is making the ping time lower, why is this?
16:22 <@Eugene> I've never dug around that section of code, but my guess is that comp-lzo interacts with the above
16:29 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
16:29 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
16:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:33 < Dan39> now i just need to copy this file over to phone, and success :D
16:34 < Dan39> hmm
16:36 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:49 -!- miruss [~miruss@109.86.199.18] has joined #openvpn
16:53 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 250 seconds]
17:30 -!- romanparish [~roman@romanparish.net] has joined #openvpn
17:31 < romanparish> question..    I have a webserver and a openvpn server on the same VPS.. when i connect to the VPN and attempt to go to the website on the same server it shows my REAL ip now the VPN ip... any idea why?
17:31 < romanparish> is it because it cannot route itself?
17:38 < cwillu_at_work> define "go to the website"
17:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
17:53 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:01 < cwillu_at_work> romanparish, how are you going to the website?
18:10 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
18:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:14 -!- miruss [~miruss@109.86.199.18] has quit [Quit: =)]
18:25 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
19:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
19:22 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:30 < romanparish> cwillu_at_work: regular ip/domainm
19:54 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
19:56 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
20:04 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
20:04 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
20:06 < Dan39> must i use different set of certs for another client? or can i use same ones again? this is only to temporarily test
20:09 < Dan39> o looks like the logs have told me my answer hehe " new connection by client 'phone' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect."
20:10 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
20:12 < Dan39> now i just need to figure out how to allow connections thru the VPN to access internet haha
20:12 < Dan39> o wait i should finish the setup guide <_,
20:17 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
20:22 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
20:46 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:15 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
21:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
21:35 < Dan39> i have home network behind standard home router with NAT, network is the really common 192.168.1.0/24
21:35 < Dan39> so i have added to my server config: push "route 192.168.1.0 255.255.255.0"
21:36 < Dan39> on the client, a remote server, the vpn starts fine. i can ping my 10.8.0.1 and the server pc's ip 192.168.1.13 successfully
21:37 < Dan39> but pinging other computers on home network from client does not work
21:38 < Dan39> on pc running server i can ping 192.168.1.4 successfully, but on the client i can not
21:39 < Dan39> hmm i may have missed a part
21:39 < Dan39> the howto says "Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."
21:39 < Dan39> how do i do this?
21:40 < Dan39> or i also read about using iptables MASQUERADE, this sounds like the situation hehe
21:41 < Dan39> im guessing trying to ping 192.168.1.4 from 10.8.0.6, stuff is getting sent to 192.168.1.4 but then it only knows to reply by sending to gateway which is my home router? so id have to setup a route for 10.8.0.0/24 to be sent to server pc?
21:41 < Dan39> hmm
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:51 < Dan39> im trying iptables, lets see :D
21:51 < Dan39> SUCCESS!
21:51 < Dan39> thanks for the help guys
21:52 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
21:53 < Dan39> hmm having dns go thru vpn would be good for that test haha
21:53 < Dan39> i ping google and get 240ms ping
21:53 < Dan39> looking at IPs, it is pinging the france IPs
21:54 < Dan39> so its going back n forth >_<
21:54 < Dan39> host google.com at home returns completely different set of IPs hehe
21:59 < Dan39> lol @ ping data... !"#$%&'()*+,-./01234567
21:59 < Dan39> ive never seen that before...
22:00 < Dan39> i wonder how they decided what to send lol
22:04 < romanparish>  ok.. I have OpenVPN running and it is working properly. But.... If i attempt to access the
22:05 < romanparish>                      webserver localed on the same VPS it shows my real IP .. any idea why?
22:05 < romanparish> located
22:16 < Dan39> so you have VPS, with vpn server, and webserver, and then vpn client at home. you connect client to server, and then access web thru vpn and it shows your home ip?
22:17 < Dan39> is this a NATed home network? does it show your external IP or like 192.168.1.2?
22:18 < Dan39> i suspect since the vpn is on same server as webserver that it would see IPs of everything thru the vpn server
22:18 < Dan39> you will have to route the vpn server traffic, maybe do same as i did with iptables masquerade, that might work
22:21 < Dan39> romanparish: hello!?
22:21 < Dan39> it helps if you reply
22:24 < Dan39> if it is your webserver tho, why does it matter? lol
22:25 < romanparish> hey
22:25 < romanparish> im vpn'd but if i visit the webserver with.com it showreal ip at home
22:28 < Dan39> did you read anything i just said?
22:28 < Dan39> im gonna vpn your face soon
22:30 < Dan39> romanparish: just answer this question... what is the IP that the webserver is showing? just paste half of it
22:32 < Dan39> hello!?
22:32 < Dan39> romanparish: hello!?
22:32 < romanparish> dude chill
22:32 < romanparish> lol
22:32 < Dan39> im chill
22:32 < Dan39> :)
22:32 < romanparish> the vpn works fine
22:32 < Dan39> >_<
22:33 < romanparish> its just when i attempt to access the webserver through vpn at the domain level it shows my regular ip
22:33 < Dan39> the vpn working fine doesnt mean things are routed properly at the server
22:33 < Dan39> but typing in the IP for the webserver is different?
22:35 < romanparish> no
22:35 < romanparish> if it is the real server ip no
22:35 < Dan39> ...
22:35 < romanparish> if it is the openvpn gateway then yes
22:36 < Dan39> i give up lol, sorry
22:36 < Dan39> dont understand what you got going on here
22:36 < Dan39> are you trying to hide the webserver's IP or your IP? >_,
22:43 -!- romanparish [~roman@romanparish.net] has left #openvpn []
22:44 < Dan39> seriousy... :|
22:53 -!- romanparish [~roman@romanparish.net] has joined #openvpn
22:55 < romanparish> damnit
22:56 < romanparish> Dan39: you still awake
23:00 < Dan39> yes
23:00 < Dan39> for a minute or so
23:08 -!- ShadniX [dagger@p57941915.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:09 < romanparish> Dan39: plain and simple.  If i log into my VPN on my VPS and visit the webserver on my VPS through the VPN it shows my real ip not the VPS ip
23:09 < Dan39> sounds correct
23:09 < romanparish> but.. if i visit any other site such as google.com etc it shows my VPS it
23:09 < Dan39> sounds right
23:10 < Dan39> thats how it would work with just a simple vpn setup
23:10 -!- ShadniX [dagger@p5DDFEEEE.dip0.t-ipconnect.de] has joined #openvpn
23:11 < Dan39> romanparish: so do you really want your webserver not to see your home ip? why does that matter if it is your webserver? :P
23:11 < romanparish> because im trying to  deny all and allow VPS ip
23:12 < romanparish> if the webserver sees my home IP it blocks it
23:12 < romanparish> i need it to pull my VPS ip
23:12 < romanparish> so the access is granted..
23:12 < Dan39> using a vpn just for that seems pretty dumb
23:12 < Dan39> cant you just have a login for website?
23:13 < Dan39> or put the site on a random port or something...
23:14 < Dan39> i bet there is a better solution than using vpn, i just cant think of it atm :P
23:15 < Dan39> romanparish: but if you really want just try the iptables masquerade
23:15 < Dan39> this is the example provided: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
23:16 < Dan39> you may have to adjust the ip range and interface
23:17 < Dan39> try it first just like that. i suspect you may need to change/remove the -o eth0 since it will be going over localhost
23:19 < Dan39> that is to be run on the server btw
23:23 < romanparish> i have ran that
23:23 < Dan39> and....
23:23 < romanparish> well another version
23:23 < romanparish> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source               destination
23:23 < romanparish> 20641 2287K ACCEPT     all  --  *      *       192.168.88.0/24      0.0.0.0/0
23:23 < Dan39> thats not right
23:23 < Dan39> iptables -t nat -nvL
23:24 < Dan39> and whats with the source IP? that is a local net IP, not a real IP
23:24 < romanparish> 2908  167K SNAT       all  --  *      *       192.168.88.0/24      0.0.0.0/0            to:104.131.2.229 0     0 SNAT       all  --  *      *       192.168.88.0/24      0.0.0.0/0            to:104.131.2.229
23:25 < Dan39> wrong
23:25 < Dan39> so what is your end goal here, so only you can access your webserver securely from anywhere?
23:25 < romanparish> yes
23:26 < Dan39> i think what you may want to do is something like this: http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
23:26 <@vpnHelper> Title: Secure web access with client certificate (at cs.uccs.edu)
23:26 < Dan39> you setup webserver to use ssl, private CA, and require valid pub keys
23:26 < Dan39> similar to the CA/key setup you did for openvpn
23:27 < Dan39> another link http://security.stackexchange.com/questions/37897/possible-to-limit-server-connections-to-clients-with-a-specific-certificate
23:27 <@vpnHelper> Title: ssl - Possible to limit server connections to clients with a specific certificate? - Information Security Stack Exchange (at security.stackexchange.com)
23:27 < Dan39> im going to bed
23:27 < Dan39> peace
23:27 < Dan39> if you want to just try the vpn, try the iptables like i said
23:28 < romanparish> ok
23:28 < romanparish> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
23:28 < Dan39> iptables -t nat -A POSTROUTING -s Your.VPN.Subnet/24 -j MASQUERADE
23:28 < Dan39> if you didnt change from the default then yes 10.8.0.0
23:29 < romanparish> testing now
23:29 < Dan39> should probably remove whatever the hell you added to iptables before lol
23:33 < romanparish> yea
23:33 < romanparish> so
23:33 < romanparish> now it shows my real ip on all sites
23:33 < Dan39> any luck? lol
23:33 < Dan39> >_<
23:34 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 255 seconds]
23:34 < romanparish> screw it
23:34 < romanparish> it is late
23:34 < Dan39> haha
23:34 < Dan39> yes it is
23:49 < romanparish> yup VPN is too too much
23:49 < romanparish> lol
23:49 < romanparish> i use ssh tun now
23:49 < romanparish> but.. wanted a better way
--- Day changed Sat Nov 29 2014
00:26 -!- u0m3_ [~u0m3@92.80.68.195] has joined #openvpn
00:30 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
00:30 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
00:31 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
00:34 -!- shivanshu_ [~shivanshu@104.131.8.15] has joined #openvpn
00:37 -!- Netsplit *.net <-> *.split quits: u0m3, dvl, moparisthebest, catsup, zamba, shivanshu, shio
00:37 -!- shivanshu_ is now known as shivanshu
00:40 -!- zamba [marius@flage.org] has joined #openvpn
00:48 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:59 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Quit: No Ping reply in 180 seconds.]
02:00 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
03:02 -!- dvl [~dvl@znc.unixathome.org] has joined #openvpn
03:33 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
03:37 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
03:41 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
03:46 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
03:49 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:54 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
04:02 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 272 seconds]
04:05 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:cd93:dda7:566a:5b37] has joined #openvpn
04:18 -!- mattock is now known as mattock_afk
04:20 -!- mattock_afk is now known as mattock
04:28 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
04:31 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
04:43 -!- dvl [~dvl@znc.unixathome.org] has quit [Changing host]
04:43 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
05:10 -!- Chais [~Chais@80.110.97.57] has quit [Ping timeout: 255 seconds]
05:16 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:25 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
05:34 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
05:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
05:45 -!- Reventlov [~reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
05:45 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
05:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
05:51 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
05:51 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:56 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 265 seconds]
06:00 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
06:25 -!- medum [kevin@108.161.125.43] has joined #openvpn
06:28 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:31 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has quit [Remote host closed the connection]
06:32 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has joined #openvpn
06:48 -!- u0m3_ [~u0m3@92.80.68.195] has quit [Ping timeout: 264 seconds]
07:18 -!- ShadniX [dagger@p5DDFEEEE.dip0.t-ipconnect.de] has quit [Quit: Bye.]
07:19 -!- shivanshu [~shivanshu@104.131.8.15] has quit [Changing host]
07:19 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
07:20 -!- Denial [~Denial@81.141.8.23] has quit []
07:20 -!- ShadniX [~ShadniX@p5DDFEEEE.dip0.t-ipconnect.de] has joined #openvpn
07:27 -!- Cyclohexane [~cyclohexa@unaffiliated/cyclohexane] has quit [Ping timeout: 256 seconds]
07:38 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
07:40 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
07:47 -!- ShadniX [~ShadniX@p5DDFEEEE.dip0.t-ipconnect.de] has quit [Quit: Bye.]
07:47 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
07:48 -!- ShadniX [dagger@p5DDFEEEE.dip0.t-ipconnect.de] has joined #openvpn
07:50 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
07:51 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
07:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:55 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
08:03 -!- romanparish [~roman@romanparish.net] has left #openvpn []
08:14 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:50 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
08:55 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:56 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
10:07 -!- Kerberos76 [~Kerberos7@107.182.184.234.16clouds.com] has joined #openvpn
10:12 -!- trumee [~parul@c-98-199-151-246.hsd1.tx.comcast.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:36 -!- Roelke [~Roelke@hostserv.nl] has joined #openvpn
10:37 < Roelke> hey guys
10:37 < Roelke> my problem is probably in my firewall, but i don't know where ;)
10:37 < Roelke> i want to reach the devices behind my client from the server
10:38 < Roelke> i've posted all relevant information & configs here :  http://gathering.tweakers.net/forum/list_messages/1614797
10:38 <@vpnHelper> Title: [openvpn] subnet achter de client bereiken - Netwerken - GoT (at gathering.tweakers.net)
10:46 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
11:27 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:55 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
11:56 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
12:00 < KNERD> i don't do dutch
12:04 < Roelke> it's only for the config and iptables
12:17 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
12:17 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
12:22 < KNERD> Roelke: maybe try adding this in the server config      --> topology subnet
12:24 < KNERD> and : push "route 192.168.1.0 255.255.255.0" (or what the LAN is)
12:26 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Quit: No Ping reply in 180 seconds.]
12:27 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
12:31 -!- EI [~noddq2@103.11.49.176] has joined #openvpn
12:35 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection]
12:37 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
12:39 < EI> !welcome
12:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
12:39 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:39 < EI> !ask
12:39 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
12:44 -!- iokill [~dave@pippin.sigma-star.at] has quit [Ping timeout: 256 seconds]
12:45 < pekster> Roelke: Follow/review the info here, especially the flowchart:
12:45 < pekster> !clientlan
12:45 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
12:45 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
12:45 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
12:45 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Ping timeout: 264 seconds]
12:54 < EI> anyone here able to code a OpenVPN client just like private tunnnel ? for mac/win/android/ios
12:54 <@plaisthos> EI: yes
12:54 <@plaisthos> for Android
12:57 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Quit: ZNC - http://znc.in]
12:59 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
13:05 -!- ketas [~ketas@159-211-191-90.dyn.estpak.ee] has quit [Ping timeout: 264 seconds]
13:07 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
13:26 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
13:31 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
13:45 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
14:06 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
14:19 -!- u0m3 [~u0m3@92.80.68.195] has quit [Ping timeout: 272 seconds]
14:53 -!- Jactive [~KyZNC@192.3.196.103] has joined #openvpn
15:00 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
15:01 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:07 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
15:17 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:39 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
15:45 -!- Jactive is now known as Jactive|OFF
15:47 -!- Jactive|OFF is now known as Jactive
15:49 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
16:06 -!- Jactive is now known as Jactive|OFF
16:19 -!- BtbN_ [btbn@btbn.de] has joined #openvpn
16:23 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has quit [Ping timeout: 260 seconds]
16:26 -!- Netsplit *.net <-> *.split quits: BtbN, MatToufoutu
16:26 -!- BtbN_ is now known as BtbN
16:26 -!- Netsplit over, joins: MatToufoutu
16:48 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:49 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
17:33 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 256 seconds]
17:43 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Quit: A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. 	-- Douglas Adams]
18:11 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
18:16 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:20 < Roelke> !ipforward
18:20 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
18:20 < Roelke> !fbsipforward
18:21 < Roelke> !fbsdipforward
18:21 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
18:21 < Roelke>  !linipforward
18:21 -!- mattock is now known as mattock_afk
18:23 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
18:30 < Roelke> !linipforward
18:30 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:41 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:cd93:dda7:566a:5b37] has quit [Read error: Connection reset by peer]
18:53 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:51d0:2071:2a09:5739] has joined #openvpn
19:11 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
19:46 -!- UncleKiwi [~UncleKiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has joined #openvpn
19:47 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:49 < UncleKiwi> hey there can I use openvpn on a mikrotik router where I have several windows clients connecting in with different usernames and passwords but also having some reqirement of a digital cert ( client cert ) also ?
19:50 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
19:52 < UncleKiwi> i know that the Sophos UTM does an awesome job of this
19:52 < UncleKiwi> using OpenVPN
19:57 < UncleKiwi> ok... so is there any nice way to use an OpenVPN server in a windows AD environment ?
19:58 < UncleKiwi> ~book
20:00 < UncleKiwi> i dont want to use the stupid windows client or server - tips anyone ?
20:02 -!- UncleKiwi [~UncleKiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has left #openvpn []
20:11 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
20:11 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
20:17 -!- UncleKiwi [~UncleKiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has joined #openvpn
20:18 -!- UncleKiwi [~UncleKiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has left #openvpn []
20:21 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
20:43 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:02 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
21:11 < esde> ~8 minutes. nice,
21:20 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
21:28 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 272 seconds]
21:44 -!- EI [~noddq2@103.11.49.176] has quit [Remote host closed the connection]
21:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
21:57 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:01 -!- taylorbyte2013 [~cyberninj@139.218.237.26] has quit [Remote host closed the connection]
22:21 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
22:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
23:07 -!- ShadniX [dagger@p5DDFEEEE.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:08 -!- ShadniX [dagger@p5481C7A0.dip0.t-ipconnect.de] has joined #openvpn
23:35 -!- markelite [croftworth@gateway/shell/yourbnc/x-jhbojlzwwrldpcmb] has quit [Ping timeout: 265 seconds]
23:56 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
23:59 -!- markelite [croftworth@gateway/shell/yourbnc/x-ibphokeuzelzcrpz] has joined #openvpn
--- Day changed Sun Nov 30 2014
00:05 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
00:05 -!- james41382__ [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
00:24 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
00:38 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:12 -!- Mike-- [mad@mx.probie.nl] has quit [Read error: Connection reset by peer]
02:23 -!- tekk [~me@93.93.135.50] has quit [Ping timeout: 256 seconds]
02:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
02:55 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has joined #openvpn
03:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:17 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has joined #openvpn
03:26 < SamanthaD> How do I show the IP addresses of all attached devices? I have another router connected via ethernet and I need to know its IP address so I can ssh into it.
03:34 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has quit [Quit: Leaving]
03:34 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has joined #openvpn
03:35 < SamanthaD> sorry about the disconnect, I got out-of-sync with my VPN
03:42 -!- Gellert [~gellert@gellert.gellert.gellert.gellert.gellert.gellert.gellert.pro] has joined #openvpn
03:42 < Gellert> hello
03:44 < Gellert> so i have two openvpn clients on win8/win7 (x64) on the win8 everything goes ok, and on the win7 machine if i start to surf some webpages like gmail ping stops until the side load in, what is the problem with the win7 machine? :) I've tried to google around a bit, but i dont have any clue so far
03:45 < SamanthaD> 'ping stops until the side load in'?
03:45 < Gellert> yea, after i hite enter on gmail.com the ping i started before browsing goes "request timeout"
03:46 < Gellert> i hit the enter*
03:46 < SamanthaD> and the VPN disconnects?
03:46 < Gellert> nope
03:47 < SamanthaD> Gellert: paste your openvpn.conf please
03:50 < Gellert> http://pastebin.com/C9ME8BZD
03:51 < SamanthaD> and the logs?
03:51 < Gellert> there is no error in the log
03:52 < SamanthaD> is there /anything/ in the log?
03:52 < Gellert> also the down/up speed is okay too
03:52 < Gellert> you mean error?
03:54 < Gellert> and as i said on the win8 machine everything goes on, the two windows machine using the same internet
03:54 < Gellert> goes on fine*
03:58 -!- jackbrown [~se@93-44-41-0.ip95.fastwebnet.it] has quit [Ping timeout: 272 seconds]
04:06 < nullie> do you run openvpn client as administrator?
04:08 < Gellert> yes
04:23 -!- SamanthaD [~SamanthaD@unaffiliated/samanthad] has quit [Quit: Leaving]
04:27 -!- car [~car@101.98.146.222] has joined #openvpn
04:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:33 -!- UncleKiwi [~UncleKiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has joined #openvpn
04:34 < UncleKiwi> !welcome
04:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:36 < UncleKiwi> !goal
04:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:37 -!- UncleKiwi [~UncleKiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has left #openvpn []
04:44 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:58 -!- mattock_afk is now known as mattock
05:00 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
05:04 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Quit: kokel]
05:06 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
05:17 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
05:18 -!- havingFun is now known as xrosnight
05:35 -!- Jactive|OFF is now known as Jactive
05:40 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:56 < ValdikSS> pekster: https://github.com/QueuingKoala/easyrsa3/commit/448ee272f5f500facef9cdc9b9711bfeaf82e55c
05:56 <@vpnHelper> Title: Initial certificate policy support for IKE/IPSec per RFC4945 · 448ee27 · QueuingKoala/easyrsa3 · GitHub (at github.com)
05:56 < ValdikSS> pekster: Is this just an initial commit?
05:59 -!- car [~car@101.98.146.222] has quit [Ping timeout: 240 seconds]
06:10 -!- Jactive is now known as Jactive|OFF
06:55 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 240 seconds]
06:57 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
06:58 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
07:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
07:09 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:42 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
07:46 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
07:47 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
07:47 -!- Jactive|OFF is now known as Jactive
07:47 -!- Jactive is now known as Jactive|OFF
08:02 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Quit: No Ping reply in 180 seconds.]
08:03 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
08:07 -!- Jactive|OFF is now known as Jactive
08:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
08:54 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
09:26 < pekster> ValdikSS: Depends on what else needs tweaking :P
09:27 < pekster> I think that's all that's required to make RFC4945-compliant certificates; the now is does this "play nice" with the varied implementations you've been using
09:27 < pekster> the question now*
09:27 < ValdikSS> pekster: do I need any special parameters to generate keys?
09:28 < ValdikSS> pekster: I mean, to use ipsec x509-type?
09:28 < pekster> keys? No. You'll want to add --subject-alt-name="whatever" when calling gen-req, and then sign with the 'ipsec' type (not a 'client' or 'server')
09:29 < pekster> Well, even the subjectAltName thing is technically optional per that RFC, but you seemed to indicate that it's all-but-required with the implementations you're using
09:29 < ValdikSS> pekster: I'll try it now and reply in 10 minutes
09:34 -!- mt [mt@unaffiliated/supermat] has quit [Remote host closed the connection]
09:40 < ValdikSS> pekster: Mac OS X appears to require the hostname/address in subjectAltName. To support versions before 10.7.4 the certificate must contain the iKEIntermediate extended key usage flag.
09:40 < pekster> That IKE Intermediate thing is from a 1999 standard that isn't actively used anywhere :(
09:40 < ValdikSS> pekster: extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
09:40 < pekster> serverauth isn't required at all per RFC
09:41 < pekster> This sounds like a horrible regression on MacOS's part..
09:41 < ValdikSS> pekster: https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
09:41 <@vpnHelper> Title: Win7CertReq - strongSwan - strongSwan - IKEv2/IPsec VPN for Linux, Android, FreeBSD, Mac OS X, Windows (at wiki.strongswan.org)
09:41 < ValdikSS> pekster:
09:41 < pekster> That's not a satndards document
09:41 < ValdikSS> Your gateway certificate must have:
09:41 < ValdikSS>     An Extended Key Usage flag explicitly allowing the certificate to be used for authentication purposes. The serverAuth EKU having the OID 1.3.6.1.5.5.7.3.1 (often called TLS Web server authentication) will do that.
09:42 < ValdikSS> pekster: I know.
09:42 < pekster> RFC4945 specifically _disrecommends_ any setting of EKU at all for maximum compatibility
09:42 < pekster> I'm very keen on supporting the largest array of devices, and if an older MacOS version is broken, then IMO the best course of action is documenting Mac's stupidity and the work-around
09:43 < pekster> per: RFC4945 5.1.3.12: ExtendedKeyUsage
09:43 < pekster> "The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in certificates for use with IKE.  Note that there were three IPsec-related object identifiers in EKU that were assigned in 1999."
09:44 < pekster> That's well over a decade ago. If OSes can't be bothered to move past 1999, I'm quite frankly not willing to worry about breaking them
09:46 < ValdikSS> pekster: But we should include EKU with ServerAuth for OpenVPN
09:46 < pekster> IPSec is not OpenVPN. That's why the x509-types offer different options
09:47 < pekster> I'm not going out of my way to violate standards recommendations so that "one cert magically works with everything all possible consumes want." This is an impossible task, and I'm aiming to support, out of the box, the most reasonable and likely to function certificate options
09:48 < pekster> Should certain users be using oudated, broken, or exotic systems, the simple fix is a local modification to support the goofy software
09:48 < pekster> http://tools.ietf.org/html/rfc4945#section-5.1.3
09:48 <@vpnHelper> Title: RFC 4945 - The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX (at tools.ietf.org)
09:52 < pekster> So, my take-away from that section is 1) if KU is set, it must have at least one (or both) of digitalSignature or nonRepudation; 2) should the IKE policy require it, subjectAltName must have the expected entry (DNS name, IP, etc); 3) we ought to (but are not today) marking the CA extension as critical. 5.1.3.9 indicates that implementations should reject those without this flag, but don't mention about rejecting presense without the ...
09:52 < pekster> ... critical flag
09:52 < pekster> and 4) EKU is a complicated mess, specifically noting that if such broken implementations exist, ADDITIONAL extensions are required to be present in the certificate
09:53 -!- Komplanar [~Komplanar@46.22.223.200] has quit [Quit: leaving]
09:53 < pekster> So basically, that wiki page you linked is at least 7 years out of date with respect to standards :\
09:53 < ValdikSS> pekster: yes, you're right.
09:54 < ValdikSS> pekster: Basically, my idea was to use easy-rsa for generating PKI which works with both openvpn and ipsec at the same time
09:54 -!- Komplanar [~Komplanar@46.22.223.200] has joined #openvpn
09:54 < ValdikSS> pekster: I don't know if it is correct but I definitely need this for my own needs
09:54 < pekster> Ah, You're probably going to need to carefully construct certs that are valid for both then. I do suspect that IKE Intermediate nonsense isn't actually required
09:55 < ValdikSS> pekster: Note: the serverAuth and iKEIntermediate extended key usage flags are not required for authentication with an iOS client, but will allow Windows 7 and (older) Mac OS X clients to authenticate using the same server certificate.
09:56 < ValdikSS> pekster: Mac OS X appears to require the hostname/address in subjectAltName. To support versions before 10.7.4 the certificate must contain the iKEIntermediate extended key usage flag.
09:56 < pekster> Yes, yes. Then that will have to be specificlly enabled
09:57 < pekster> I also dropped OOTB support for nsCertType too; same story there. It's "supported" if you enable it (as are your extensions.) It's not going to get changed just because a specific use-case needs it. I can't by magic support every use case without some modification to configs
09:57 < ValdikSS> pekster: In my repository, I have working easy-rsa which generates openvpn and ipsec usable pki
09:57 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:58 < pekster> I know. And you violate standards recommendations. I am *not* going to merge your setup as-is
09:58 < ValdikSS> pekster: I understand.
09:59 < pekster> I'm fairly confident my new branch works as well, at least on conforming systems
09:59 < pekster> Seems you did confirm that, except for OS X < 10.7.4, which reamains broken
09:59 < ValdikSS> pekster: I'm not sure that I understand what is >but will allow Windows 7 and (older) Mac OS X clients to authenticate using the same server certificate.
09:59 < pekster> So, 10.7 users can simply upgrade. 10.6 (is that even supported upstream? by Apple?) are hosed because of the use of non-standard extensions
10:00 < ValdikSS> pekster: what does it mean "the same server certificate"?
10:00 < ValdikSS> Without client certificate?
10:00 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 258 seconds]
10:00 < pekster> From reading RFC, it seems client-side DNS (or IP, rfc822Name, etc) isn't usually used to validate the client
10:01 < ValdikSS> pekster: it is used for example if you use EAP-TLS after IKE
10:01 -!- BtbN [btbn@btbn.de] has joined #openvpn
10:02 < pekster> In which case you should conform with 5.1.3.12 of the RFC
10:02 -!- mt [mt@unaffiliated/supermat] has joined #openvpn
10:02 < pekster> You're not including extensions that you MUST
10:02 < pekster> (RFC language)
10:02 < pekster> And even then, it's NOT RECOMMENDED [sic]
10:03 < pekster> Specificlly, read the bit beginning with "If a certificate is intended to be used with both IDE and other applications, ..."
10:03 < pekster> IKE*
10:05 -!- mjkr [741ff569@gateway/web/freenode/ip.116.31.245.105] has joined #openvpn
10:06 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Quit: ZNC - http://znc.in]
10:06 < pekster> fwiw, 10.7 is unsupported as of Nov 23, and 10.6 for far longer
10:07 < pekster> Just like users of XP, it's time for them to upgrade
10:07 < mjkr> ipsec support in x509 is just a single eku over tls server certs.
10:07 < Thermi> I think having an extra switch to generate compliant certificates for use in IKE isn't going to make anybody mad
10:07 < Thermi> Having KU, EKU, OIDs and SAN set in a single certificate should work, I think.
10:08 < pekster> I'm not violating standards recommendations (if not standards themselves) to support an _unsupported_ version of OS X
10:08 < mjkr> for a newbie, just look up the eku oid and plug it in and you get compliance. no need to do it on easy-rss
10:08 < mjkr> s/rss/rsa
10:09 < ValdikSS> Thermi: Should we use extendedKeyUsage at all?
10:09 < pekster> mjkr: You see that RFC section? It's not "just a single" EKU extension: it's at least 3 of them, as ValdikSS is citing
10:10 < ValdikSS> Thermi: Is it still necessary to use ikeIntermediate?
10:10 < Thermi> For that OSX version, yes. Otherwise it's not.
10:10 < pekster> Apparently the super-broken "IKE Intermediate" is required (can't even find where that's referenced in standards documents -- it's old as dirt now.), as well as tlsServerAuth (for another "application requirement" near as I can tell,) *plus* you have to support RFC4945 by adding one of the mandatory requirements if you violate the recommendation to avoid EKU at all
10:10 < ValdikSS> pekster: I see no problem in dropping old mac os x support
10:10 < ValdikSS> Thermi: is it required for Windows 7?
10:11 < mjkr> ike intermediate on windows force-points the server to the valid cert with the eku assigned
10:11 < Thermi> As far as I can see, it's not.
10:11 < mjkr> it's something desirable
10:11 < pekster> mjkr: huh? That's the entity certificate, which is already provided by the peer; why would it need to be "pointed" to a certificate the remote is providing? This makes no sense
10:12 < ValdikSS> Thermi: https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
10:12 <@vpnHelper> Title: Win7CertReq - strongSwan - strongSwan - IKEv2/IPsec VPN for Linux, Android, FreeBSD, Mac OS X, Windows (at wiki.strongswan.org)
10:12 < ValdikSS> Thermi: >An Extended Key Usage flag explicitly allowing the certificate to be used for authentication purposes.
10:12 < pekster> That's a fucked up MS standard
10:12 < ValdikSS> Thermi: Is it really required?
10:12 < pekster> http://www.alvestrand.no/objectid/1.3.6.1.5.5.8.2.2.html
10:13 <@vpnHelper> Title: OID description for 1.3.6.1.5.5.8.2.2 - IPSEC Protection (at www.alvestrand.no)
10:13 < mjkr> say, there's a man in the middle that checks on the certs sent between two peers, and then i can falsify various name fields do make his job difficult.
10:13 < Thermi> ValdikSS: Are you asking about EKU or ikeIntermediate now? I'm confused
10:13 < ValdikSS> Thermi: right now about EKU
10:13 < ValdikSS> Thermi: because http://tools.ietf.org/html/rfc4945#section-5.1.3
10:13 < pekster> mjkr: You can't edit data in a signed certificate without breaking the hash function. Unless I'm missing something, this is snake-oil security
10:13 <@vpnHelper> Title: RFC 4945 - The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX (at tools.ietf.org)
10:13 < mjkr> i can put stuff like two microsoft.com in the name field and force ikeintermediate on for my peers
10:13 < ValdikSS> Thermi: >The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension
10:14 < Thermi> I have no first hand experience with that, as I never got that to work with Windows 7. I heard of people having working setups and those had serverAuth set
10:14 < mjkr> pekster: yep, but you can falsify name field for ca cert too. some censorship firewall here does only name checking without crytographic verification.
10:15 < mjkr> it's practecably better if you just visit some gov tls sites, and falsity their names for your server and ca cert chain
10:15 < pekster> mjkr: Thankfully section 6 in that RFC discusses how to validate certificates to avoid that
10:15 < pekster> If that's your concern, stop using oudated bogus Microsoft standards to "fix" it -- stop trusting every CA on the planet
10:15 < mjkr> they don't have the computing resource to verify each and every cert. that's why they are currently doing name checking only
10:15  * pekster shrugs
10:16 < pekster> If you don't want to trust other CAs, then don't. THis has zero to do with a pointless standard
10:16 -!- llg [~llg@car75-1-81-57-12-114.fbx.proxad.net] has joined #openvpn
10:16 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
10:17 < llg> !welcome
10:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
10:17 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:17 < pekster> mjkr: validation requirements: http://tools.ietf.org/html/rfc3280#section-6
10:17 < mjkr> and for windows you can do certificate pinning now in emet
10:17 <@vpnHelper> Title: RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (at tools.ietf.org)
10:17 < mjkr> pekster: it all depends on the computing resource allocated to the firewall
10:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
10:18 < pekster> no, it doesn't. You can't maigicly break hashes just becuase you throw hardware at the problem
10:18 < pekster> This is abslutely nonsense
10:18 < mjkr> nope, it isn't breaking hashes
10:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Client Quit]
10:18 < mjkr> say i can just put VeriSign <blah> in the ca cn field.
10:19 < pekster> This doesn't work if the endpoint trusts only a specific CA
10:19 < mjkr> and then issue myself a <x>.microsoft.com and <y>.microsoft.com cert
10:19 < pekster> You CANNOT USE A DIFFERNET CA to sign a certificate, EVEN IF YOU PUT THE SAME CN IN IT
10:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
10:19 < Thermi> Trust is created by the signatures, not by the names.
10:19 < pekster> Yes, that
10:19 < mjkr> i can't, but as long the first x few letters of the cn matches, it's gonna fool the application firewall that only checks the name, but not the  signature.
10:20 < Thermi> Stop referring to a broken firewall.
10:20 < Thermi> If you're MITMing SSL traffic, you're doing things wrong anyway.
10:20 < Thermi> (That's the only case I can think of where you actually need to verify lots of certs in one place)
10:20 < pekster> The only way TLS MITM works if you your client blindly accepts a "valid" cert from a compromised global CA that the client also trusts
10:21 < Thermi> ^
10:21 < pekster> And if that's the case, there's nothing outside of perhaps DANE to save you, and THAT is easily stopped by facist government by outright blocking of DNSSEC
10:21 < ValdikSS> pekster: What our goal: 1) follow the standards 2) make it work with wide range of OSes and devices?
10:21 < pekster> Game over, do not pass go
10:21 < pekster> ValdikSS: I supporto a range of *updated* OSes. Apple hasn't supported 10.6 in years, and neither will I
10:21 < mjkr> (it's not mitm'ing, it's presenting to the application firewall some ipsec traffic that's between <x>.microsoft.com and <y>.microsoft.com with certs signed by verisign.)
10:22 < Thermi> So?
10:22 < ValdikSS> pekster: I'm also against supporting outdates OSes
10:22 < Thermi> It's the job of the endpoint to do verification.
10:22 < ValdikSS> pekster: But what about up-to-date devices?
10:22 < mjkr> (and i know they just check the cn and san fields, period, for now)
10:22 < pekster> YOu've given me no indication that following RFC4945's recommendations breaks anything but apple 10.6 (as an updated, but no longer supported 10.7 works fine, as do newer versions.) So, RFC4945 certs work everywhere, right? MS, iOS, Macs, and Android. Yes?
10:23 < pekster> mjkr: Don't care. If this "application firewall" can't follow standards, it's not important
10:23 < pekster> And if it's terminating IPSec, it's acting as a MITM and I'm not going to make its job easy either. If it's broken and can't key off actual signatures/fingerprints, then it's also broken beyond fixing. Don't care about that either
10:23 < ValdikSS> pekster: We should add SAN DNS in every server certificate
10:24 < pekster> It's not required, and in many cases you don't want to give that away (ie: openvpn.) Don't give away more info to your attacker than you need to
10:24 < pekster> It's not going in "every" cert, no. If you need it for IPSec, by all means, add it in. If you need it to support a webserver with >1 DNS name, by all menas, add it in
10:25 < ValdikSS> pekster: I'm talking about IPsec
10:25 < pekster> mjkr: ref: RFC3280 6.1 if you're concerend about certificate path validiation. They talk about limiting to known-paths there.
10:26 < pekster> http://tools.ietf.org/html/rfc3280#section-6.1
10:26 <@vpnHelper> Title: RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (at tools.ietf.org)
10:26 < pekster> ValdikSS: Even then, it's not strictly required; it depends on the IKE policy. You could use rfc822Name, or IP, or a couple other options. Or not even use it at all. "IPSec" by itself doesn't actually require subjectAltName
10:27 < ValdikSS> pekster: I'm talking about interoperability. Windows requires it, Mac OS requires it
10:27 < pekster> Go add it then. What's the problem?
10:27 < pekster> This is supported, and documented today
10:28 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
10:29 < pekster> ./easyrsa --subject-alt-name="DNS:server2.ipsec.example.net" gen-req server2.ipsec.example.net nopass
10:30 < pekster> Supported, and RFC4945 compliant. subjectAltName in the PKCS#10 request, and so long as the signing CA adds in the RFC4945-required bits should work on >=Win-Vista and Apple, yes?
10:30 < pekster> If you _also_ openvpn inter-op, add the openvpn required bits as well as the RFC4945 required componenets (you're required by spec to add additional EKU as I've already covered for such exotic multi-use purposes)
10:31 < pekster> If I've missed something here let me know, but that should be all you need
10:39 -!- mjkr [741ff569@gateway/web/freenode/ip.116.31.245.105] has quit [Ping timeout: 246 seconds]
10:40 < pekster> ValdikSS: Or are you saying Win7 will _reject_ a cert created as above with DNS:name.e.c and the current `ipsec` x509-type on my devel branch? (this would mean Win7 does not follow the standards on this, though "could be made" to comply in an acceptable, but non-recommended way)
10:41 < pekster> At the very least your EKU is standards-violating by not including kp-ipsecIKE: http://oid-info.com/get/1.3.6.1.5.5.7.3.17
10:41 <@vpnHelper> Title: OID repository - {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) id-kp-ipsecIKE(17)} (at oid-info.com)
10:41 < pekster> Again, per RFC4945
10:41 < pekster> If you do use EKU, you MUST [sic] include kp-ipsecIKE (or anyExtendedKeyUsage; probably not what you intended) plus whatever kp-ip used by these other application needs
10:42 < ValdikSS> pekster: no, it will work, but it requires SAN
10:43 < ValdikSS> pekster: I mean, should we allow to create cerificates without SAN?
10:43 < pekster> Yes. If you need subjectAltName, you must ask fo rit
10:44 < pekster> The most common use-case of easy-rsa has no use for SAN, and it encourages leaking of site information by supplying needless details. Users that need it will know this upfront and should add it. At best, an "IKE server friendly" or "My webserver request needs to support multiple DNS domains and/or IPs" wrapper script could be added into contrib/ that will wrap the calls and add in SAN after prompting for it
10:45 < pekster> I also don't include C, ST, L, O, or OU by default in a DN either, for the same reason. "Someone" might need that, and they're free to enable it
10:48 < ValdikSS> pekster: Should keyPurposeID be added in both server and client certs or only in client?
10:49 < pekster> Per RFC4945 sec. 5.1.3.12, "If a certificate is intended to be used with both IKE and other applications, and one of the other applications requires use of an EKU value, then such certificates MUST contain either the keyPurposeID id-kp-ipsecIKE or anyExtendedKeyUsage [5], as well as the keyPurposeID values associated with the other applications."
10:50 < pekster> So, either omit EKU completely, or add "whatever else you need" in addition to one of the 2 mandatory values listed
10:51 < pekster> This is not recommended (as CAs "SHOULD NOT" [sic] be doing this in the first place.) Should they need to in support of other applications, this is the optional way a CA "MAY" [sic] do this
10:52 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
10:52 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
10:53 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
10:59 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
11:04 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
11:04 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
11:07 -!- llg [~llg@car75-1-81-57-12-114.fbx.proxad.net] has quit [Quit: a+]
11:11 -!- Jactive is now known as Zaphkiel_Dalet
11:28 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
11:37 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:38 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
11:43 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
11:43 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
11:43 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
11:49 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
11:53 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
12:12 -!- niklas_e [~niklas@176.10.248.227] has joined #openvpn
12:12 < niklas_e> can you do so a game doesn't use openvpn?
12:15 <@krzee> the easy way is if theres a predictable subnet and you just override the route for it
12:16 <@krzee> otherwise, you need to use policy routing or similar
12:16 <@krzee> depending on the os
12:17 -!- Strogg [~jean@unaffiliated/strogg] has joined #openvpn
12:17 < Strogg> 'lo 'lo
12:18 < niklas_e> aha, useing gentoo
12:18 <@krzee> !routebyapp
12:18 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
12:18 <@vpnHelper> policies you set. For Linux, read about !lartc
12:18 <@krzee> !lartc
12:18 <@vpnHelper> "lartc" is LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
12:18 <@krzee> that ^
12:18 < Strogg> I'm trying to setup openvpn to create a tunnel between my home network and my colo.. and then have only one of my boxes on the network go through the tunnel.  should something like http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.simple.html work for setting this up?
12:18 <@vpnHelper> Title: Simple source policy routing (at tldp.org)
12:18 <@krzee> basically, you mark the stuff in the firewall and have it use your second routing table
12:19 < pekster> I thought I linked my writeup into one of those..
12:19 < Strogg> oooh.. it sounds like someone else is doing what I'm doing
12:19 <@krzee> oh sweet i didnt know you made a writeup
12:19 < pekster> niklas_e: Maybe https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
12:19 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
12:19 <@krzee> !learn lartc as there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
12:19 <@vpnHelper> Joo got it.
12:20 <@krzee> excellent
12:20 < pekster> That's just one implementation example: you may need to vary that using the LARTC-provided information if you need to do something slightly different
12:20 < niklas_e> Thanks
12:21 < Strogg> are ip marks the way to go to setup source based routing?  I just want all traffic from one box to go through the vpn
12:21 < Strogg> s/vpn/tunnel/
12:22 < Gellert> hello! http://pastebin.com/C9ME8BZD ,  so i have two openvpn clients on win8/win7 (x64) on the win8 everything goes ok, and on the win7 machine if i start to surf some webpages like gmail, ping goes very high like 3-5k and request timeout, after the site successfully loaded the ping goes back to normal. anyone any tip what is the problem?
12:22 < Gellert> (there is no error in the log)
12:23 < pekster> Strogg: Sure, easiest is to _not_ redirect all traffic (ie: don't clobber 0/0, or use 0/1 and 128/1 routes) but instead mark traffic you do wish to handle differently, then direct that to a secondary table using the same method
12:23 < pekster> You can do it eiter way and simply invert the logic of applying the marks, or invert the matching of the mark with: ip rule add not fwmark ...
12:24 < Strogg> erghhh.. I think it's my firewall.. lol
12:24  * Strogg is reading your wiki
12:24  * Strogg tests
12:26 < Strogg> something like "iptables -A FORWARD -i eth1 -o tap0 -j ACCEPT" is what I want, right?  since my tunnel device is tap0?
12:26 < pekster> Best not to route across tap; use tun for that instead
12:26 < Strogg> Oh.  hrmm
12:26 < pekster> Otherwise, "possibly, yes." -A appends, so it depends on what rules occur before that point
12:27  * Strogg switches everythig to tun0
12:27 < pekster> Also best to properly load rulesets with iptables-restore(8) and not runtime console commands or worse yet, "scripts"
12:27 < Strogg> yeah.. I just wanna get everything working, and then I'll add it to my init scripts
12:28 < pekster> Sure. Most distros (except Debian, who's too busy fighting with themselves) ship an init that's basically just a glorified wrapper to iptables-restore
12:28 -!- niklas_e [~niklas@176.10.248.227] has quit [Quit: Leaving]
12:31 < Strogg> "A TAP device is a virtual ethernet adapter, while a TUN device is a virtual point-to-point IP link."
12:31 < Strogg> doesn't that mean I want to use a tap?
12:32 < pekster> !tunortap
12:32 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
12:32 <@vpnHelper> rooted/jailbroken) support only tun
12:32 < pekster> Do you need to send raw Ethernet frames that aren't IP packets, or need multicast/broadcast?
12:33 < Strogg> hrmmmmmm ok.  so then I do want tun.  hrmm
12:52 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
12:53 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
12:54 < Strogg> hrmmm running openvpn is telling me "Options error: specify only one of --tls-server, --tls-client, or --secret", but I'm only using secret in my config file
12:57 < pekster> Probably adding helper-directives that are an amalgamation of many options
12:57 < pekster> --client or --server in particular (see those in the manpage for how the expand)
12:57 < Strogg> hrmmm k, thanks
12:58 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Client Quit]
12:59 < Strogg> hrmmmm ok.. tun0 device created.. link established
13:02 < Strogg>           inet addr:172.16.1.1  P-t-P:172.16.1.2  Mask:255.255.255.255
13:02 < Strogg> woot!
13:04 < pekster> Might consider coming past the 90's and avoiding net-tools too. iproute2 has replaced it on Linux
13:05 < pekster> !ifconfig_linux
13:05 <@vpnHelper> "ifconfig_linux" is Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
13:05 < pekster> It's likely to get you into trouble if you get further into advanced networking on Linux
13:05 < Strogg> true.. I've been setting up the routing with iproute2
13:05 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
13:05 < Strogg> but old habits.. I keep looking at status with route and ifconfig.. heh
13:06 < pekster> Easy fix for ksh-style shells: alias ifconfig='echo "ifconfig is deprecated. Use ip command instead. Run /sbin/ifconfig if you MUST use ifconfig now"'
13:06 < Strogg> good idea
13:13 < Strogg> hrmmm I wonder if I need to stop using -j MASQUERADE and start using -j SNAT
13:14 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has joined #openvpn
13:15 < Strogg> so.. general order of things is 1) run openvpn on remote and local to setup the tun0 interface.  make sure both remote and local show a PtP connection (for me, it's between 172.16.1.1 and 172.16.1.2)
13:15 < Strogg> 2) follow http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.simple.html to setup your source routing
13:15 <@vpnHelper> Title: Simple source policy routing (at tldp.org)
13:15 < ayaka> I have try to use keep-alive to keep a static key connection be hold, but it doesn't work I connection will become http://fpaste.org/155329/14173749/
13:16 < Strogg> 3) make sure the firewall isn't getting in the way.  Is there anything else I'm missing?
13:16 < ayaka> without ip assign with it, it dead. I have to restart the openvpn process
13:17 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
13:25 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
13:27 < pekster> Strogg: A full implementation requires a bit more, because 'host unreachable' or similar errors require that the router associate the outbound ICMP error with the prior connection. Otherwise you'll send such an error out the physical interface, not the VPN interface
13:28 < Strogg> when I do "ip route add 0/0 via 172.16.1.1 dev tun0 table 200".. is 172.16.1.1 supposed to be my ip for local endpoint of the tunnel, or is that supposed to be the ip of the remote endpoint?
13:28 < pekster> This is why I mark things arriving per interface, then key off the fwmark in the route decision. The basic example you linked works for all cases except when the router itself is the actual source of a packet (which really only happens for ICMP errors)
13:28 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
13:28 < Strogg> pekster: hrmmmmm ok
13:29 < pekster> Your endpoint, butu you can just route into the tun device
13:29 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
13:29 < pekster> ie: ip route add 0/0 dev tun0   # works as expected
13:29 < Strogg> make sense, ok
13:29  * Strogg flushes and re-adds
13:29 < pekster> A tun device merely has an IP on it as a convenience, and as a way to source packets "from" itself to somewhere -- the only addressing you need is "this end" vs "that end"
13:30 < pekster> !addressing
13:30 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
13:30 < pekster> p2p examples are near the end
13:32 < pekster> Oh, or non-server has a blurb at the top, actually
13:32 < Roelke> pekster: i've followed the flowchart, and i'm stuck ad adding routes to the client / server to reach each other
13:32 < Roelke> i've followed some guides on the internet, but without result
13:33 < pekster> Adding routes is as simple as adding an entry to the device's FIB tables
13:33 < pekster> (this is device/OS specific)
13:34 < pekster> You mean the gateway of your client LAN? If so, you'll need to consult its documentation
13:34 < Roelke> i've a Tomato router with a Lan on 192.168.1.x
13:35 < Roelke> and a VPN tunnel on 10.8.0.2
13:35 < pekster> That is, for the record, a horrible choice of network if you're routing it (best to avoid common netwnorks to prevent collisions, expecially since you're using the #1 most popular RFC1918 network on the planet)
13:35 < pekster> For !clientlan support, you need to route the VPN range _back_ to the VPN server on your gateway at 192.168.1/24
13:35 < pekster> (and naturally, its firewall needs to permit this.)
13:36 < Roelke> ok
13:36 < Roelke> !clientlan
13:36 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
13:36 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:36 < Roelke> i've added an iroute entry to my ccd
13:37 < Roelke> and a route + push route in the server config
13:38 < pekster> This isn't for openvpn
13:38 < pekster> It's for your _LAN_ gateway. THe router on your client-side LAN network
13:38 < pekster> (sounds like your dd-wrt.) Routing requires that you control and be able to correctly configure all involved routers in the path of packets you're routing
13:38 < Roelke> tomato is dd-wrt based
13:39 < pekster> So add a route to it? Or have you correctly configured it?
13:39 < pekster> Easy to test with a traceroute on a non-VPN system on the clienet-LAN by doing a traceroute to 10.8.0.1; if you can't trace or ping to that, it's incorrectly setup
13:41 < Roelke> that is working
13:41 < Roelke> i've broke it by adding a route from 192.168.1.0 to 10.8.0.2
13:42 < pekster> You don't do that; you add the route *without* a gateway to the openvpn server config, push it if other clients need it, and configure it as an *iroute* in the ccd file
13:43 < pekster> Do not attempt to "directly" route to the client IP; that is incorrect
13:44 < pekster> From the server side, the packet flow goes: {server-LAN} -> {openvpn-server-host} -> {openvpn-process} -> {openvpn-iroute} -> {client-defined-by-iroute} -> {openvpn-encrypt} -> {openvpn-transport-to-vpn-client}
13:44 < pekster> In other words, boxes #2 and #3 in the !clientlan flowchart
13:45 < Roelke> i've both added an iroute in the ccd
13:45 < Roelke> and a route in the server conf
13:45 < pekster> You've done something wrong with the route you listed
13:46 < pekster> What is the business about thet 102.168.1.0 to 10.8.0.2; that's screwey
13:46 < pekster> How/where/why did you do that?
13:46 < Roelke> on the client
13:46 < Roelke> and it was broken after that, so i've rebooted and starting again now
13:46 < pekster> The VPN client? No, it _ALREADY_ had a route to 192.168.1.0 -- that's your own client-LAN
13:47 < pekster> Better yet
13:47 < pekster> !configs
13:47 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
13:47 < pekster> Then describe anything else you've managed to do in the routing that is not in your pastebin links
13:47 < Roelke> i was busy doing that
13:48 < pekster> And do tell me you're using something else for your server-LAN network
13:50 < Roelke> http://pastebin.com/pmPAd08Y
13:50 < Roelke> server config
13:50 < Roelke> ccd /client
13:50 < Roelke> http://pastebin.com/6CNaT3qA
13:51 < Roelke> client config
13:51 < Roelke> http://pastebin.com/rb96kQwe
13:54 < pekster> What's the server-side LAN network?
13:55 < pekster> And does the client have _both_ the 192.168.1/24 and 172.19.3/24 networks behind it?
13:56 < Roelke> no only 192.168.1 / 24
13:57 < pekster> ccd line 2 can go away then. I'm also not sure why you're redirecting all Internt-bound traffic over the VPN on the client (client config like 14)
13:58 < pekster> Otherwise, the config seems okay. (you're using no crypto, and `verb 6` is worthless -- stick to 5 if you can't connect, or 4 for good verbose debug logs otherwise)
13:58 < Roelke> i've routed all internet trough the VPN to test
13:58 < Roelke> it's working
13:58 < pekster> Is the server on a network other than 192.168.1/24?
13:58 < Roelke> yes, it's a VPS
13:58 < Roelke> so it's directly connected trough the internet
13:59 < Roelke> * to
13:59 < pekster> With the VPN on the client running, can another computer (besides the VPN client or your gateway) ping the client's VPN IP?
13:59 < pekster> Probably 10.8.0.2, but it depends on whatever it was issued
14:00 < pekster> To clarify, a computer on the _client_ LAN network
14:00 < Roelke> from my computer (192.168.1.36) i can ping both 10.8.0.1 and 10.8.0.2
14:01 < pekster> Then routing is working as expected
14:01 < pekster> Anything else is a firewall problem
14:01 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
14:01 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
14:02 < Roelke> iptables server : http://pastebin.com/cb2ttrSq
14:02 < pekster> Horrible way to show your rules; never use -L like that: https://github.com/QueuingKoala/fn-netfilter/wiki#paste
14:03 < pekster> And before you blindly paste rules, what isn't working?
14:03 < pekster> A client-side LAN system can reach the VPN server; this demonstrates that your !clientlan setup is working exactly as intended
14:03 < Roelke> ok
14:05 < Roelke> http://pastebin.com/ANhGHRQ0
14:05 < Roelke> iptables servers in the way i'ts on Github
14:06 < pekster> line 7 is incorrect; SNAT (and MASQUERADE) should always be filtered by the -o rule
14:06 < pekster> Change that to read: -A POSTROUTING -s 10.8.0.0/24 -o <YOUR_WAN_IFACE_HERE> -j SNAT ...
14:07 < pekster> What you've done is used your public IP to source traffic going across the VPN, for which the far-client will attempt to use the public Internet path to reply, which creates a case of "triangle routing"
14:07 < pekster> The server rightfully rejects the bogus packet that arrived on an interface it wasn't expecting
14:08 < pekster> Or better yet, just remove the rule on line 7 because what you have on line 8 does the same thing
14:09 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Quit: Verlassend]
14:10 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
14:10 < Roelke> how to remove that rule ? changing -A to -D does not work ?
14:12 < pekster> iptables-save > some-file.rules
14:12 < pekster> Then edit your rules
14:12 < pekster> Then: iptables-restore < some-file.rules
14:12 < pekster> You should be loading your rules through the same method on boot anyway (or what your distro provides during init, which is usually the same thing)
14:13 < Roelke> i know
14:13 < Roelke> but i want first have it working
14:13 < pekster> Then remove the bogus rules
14:13 < Roelke> the tomato (dd-wrt) routing is also not saving anything atm
14:13 < Roelke> router
14:14 < pekster> That's just used to send the VPN network back to the VPN server; it's otherwise not involved
14:15 < pekster> Your firewall ruleset is also Yet Another broken host on the Internet. You should at minimum accept the mandatory ICMP errors, and really just use stateful firewalling
14:15 < pekster> Although line 17 in the pastebin you gave makes it all moot anyway I suppose
14:16 < Roelke> http://pastebin.com/ksifBLrS
14:16 < pekster> Line 19 turns you into an open proxy for your local network
14:16 < pekster> (line 18 in that last paste)
14:16 < Roelke> ok
14:16 < pekster> Sure, now firewalls-permitting, you should be able to reach client-side LAN resources
14:17 < Roelke> nope
14:17 < Roelke> still not
14:17 < pekster> See where a trace dies
14:18 < Roelke> http://pastebin.com/1p5RaURd
14:18 < Roelke> weird, it's going outside
14:18 < pekster> patebin `ip r`
14:19 < Roelke> ?
14:20 < Roelke> ip route show ?
14:23 < pekster> As in, at a console, you type: ip r
14:23 < pekster> And it spews output. Paste it.
14:23 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
14:24 < pekster> Same thing as ip route show. Also the same as ip r s. Also the same as ip ro show. ip(8) for why
14:25 -!- medum [kevin@108.161.125.43] has quit [Ping timeout: 265 seconds]
14:26 < Roelke> ok
14:26 < Roelke> i've added :  ip route add 192.168.1.0/24 dev tun0
14:27 < pekster> You shouldn't need to add it; the fact that you seem to need that means your server config line 41 isn't working
14:27 < pekster> I wnated to see your table before you messed with it :\
14:27 < pekster> now openvpn probably won't remove the route and we can't see why it's broken in the first place
14:27 < pekster> Please remove that route, then we might as well just restart your server-side vpn instance at this point
14:28 < pekster> _then_ see if that route is there. If it's not, that needs to be fixed, and not by hacking it in place
14:28 < Roelke> before i messed with it : http://pastebin.com/p1EAvcp4
14:28 < pekster> That's not the output I asked for; that's your link output
14:28 < Roelke> http://pastebin.com/qpqRFcP5
14:29 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
14:29 < pekster> Yea, missing 192.168.1.0/24 route. That should get created with the VPN comes up, unless there was an error doing so
14:30 < pekster> So, with the manual route you added _removed_ and the VPN disabled, start the VPN back up. Check for the route per your server config, and if it's missing, we'll need logs to see why it failed to add
14:30 < pekster> Your server config ( at http://pastebin.com/pmPAd08Y ) line 41 sets that route and it should get added
14:31 < Roelke> http://pastebin.com/MqKba3Vy
14:31 < Roelke> i've seen some warning, fix that ?
14:32 < pekster> Ah yes, line 289-290. Add `--route-gateway 10.8.0.1` due to what's effectively a bug
14:32 < Roelke> behind route ?
14:32 < pekster> The warning on line 285 is because you've disabled encryption; your packets are authenticated but sent in cleartext
14:32 < pekster> No, that is a directive all by itself
14:32 < pekster> !--
14:32 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
14:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
14:33 < Roelke> i know, i've disabled encryption to be sure that there were no issues with that
14:34 < Strogg> hrmmmmm I think I know why my stuff isn't working.
14:34 < Roelke> but can i add route-gateway 10.8.0.1 to my config ?
14:34 < Strogg> it's the private IPs on my local lan.
14:34 < pekster> Roelke: Yes, put it anywhere in the server config. That will fix your missing route
14:35 < Roelke> ok route is added now
14:35 < Roelke> i can reach 192.168.1.1 now :)
14:36 < Roelke> but not 192.168.1.36 (my desktop)
14:36 < pekster> If 192.168.1.36 can still reach 10.8.0.1, you have a firewall problem somewhere
14:36 < pekster> (probably the desktop or the client-side LAN gateway, though it could be the VPN client too)
14:39 < Roelke> yes i can reach 10.8.0.1
14:40 < Roelke> and in a traceroute it ends on 10.8.0.2
14:40 < Roelke> i think it's the client lan gateway
14:40 < pekster> Yup, most likely (it would be odd for the vpn client to allow to reach 192.168.1.1 but not other devices on the same LAN)
14:41 < pekster> The gateway must allow the traffic you're attempting to forward in both directions; you've only allowed it in the outbound direction
14:42 < pekster> Or possibly ended up NATting it by mistake on the outbound leg (a tcpdump of a ping from the desktop to the vpn server should show the client's IP, not the gateway's)
14:42 < Roelke> i think it's the gateway
14:43 < pekster> All of what I just said would mean a misconfiguration of the firewall on your LAN gateway, yes.
14:48 < Roelke> ok, do you want to check the iptables, can't find anything special (but i'm not very good in iptables ;))
14:48 < Roelke> ?
14:49 < pekster> If this is created with some frontend tool, I'm not overly intersted in fixing it; you should ask support from the vendor of your frontend for that
14:49 < pekster> If you maintain your own firewall rules, go for it, but frontends write the most ugly rules
14:50 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
14:50 < Roelke> http://pastebin.com/cLCRH3Xc
14:50 < Roelke> some are from the frontend, but most of it are VPN rules
14:51 < pekster> what is br0? Your LAN?
14:51 < Roelke> yep
14:51 < pekster> Don't hairpin NAT like you have on line 10
14:52 < pekster> (if you want to reach services on yoru public IP from the LAN, better to use Split-DNS for that, or IPv6)
14:52 < Roelke> ok, remove it ?
14:52 < pekster> Yes, and whatever on earth is doing such stupidity
14:54 < Roelke> nice, it's working! :D
14:55 < Roelke> thanks for all your help :)
14:55 < pekster> You ought to fix your poor server-side firewall, but that's not openvpn-related at this point
14:56 < pekster> (it's broken regarding ICMP errors, and far too permissive on both the inbound and forward legs)
14:56 < Roelke> i'm going to read some more about iptables, and fix it
14:56 < Roelke> thanks for your advice :)
14:56 < pekster> Fair enough. The #Netfilter /TOPIC has good reading material linked in their first URL. The TPR PDF is useful
15:01 < Roelke> going to read some more about it
15:14 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:18 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
15:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:40 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Quit: reboooot... lets see how fast, eh?]
15:50 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
15:50 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
15:54 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has joined #openvpn
15:55 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
15:55 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
15:56 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:57 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
15:58 -!- Zaphkiel_Dalet is now known as Zaphkiel_Dalet|O
16:00 -!- mattock is now known as mattock_afk
16:16 -!- mattock_afk is now known as mattock
16:39 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
16:40 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 272 seconds]
16:48 -!- mattock is now known as mattock_afk
16:49 -!- br4ndon [~br4ndon@mic92-6-82-226-128-64.fbx.proxad.net] has quit [Quit: br4ndon]
16:49 -!- varsisstudio [~varsisstu@104.207.136.120] has quit [Quit: Lingo: www.lingoirc.com]
16:50 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:56 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
17:05 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
17:37 -!- ShadniX [dagger@p5481C7A0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
17:55 -!- ShadniX [dagger@p57941DBE.dip0.t-ipconnect.de] has joined #openvpn
18:01 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:01 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
18:04 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
18:04 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Client Quit]
18:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:07 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:07 -!- mode/#openvpn [+v s7r] by ChanServ
18:19 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
18:20 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
18:21 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
18:25 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:40 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:57 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:13 -!- bkolden [~bkolden@cpe-108-184-220-70.socal.res.rr.com] has joined #openvpn
19:20 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
20:09 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
20:09 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
20:16 -!- zalami [~realnameo@unaffiliated/zalami] has quit [Ping timeout: 240 seconds]
20:20 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
21:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
21:09 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:11 -!- zalami [~realnameo@unaffiliated/zalami] has quit [Ping timeout: 250 seconds]
21:12 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
21:32 -!- Sparks [~Sparks@fedora/CAcert.Sparks] has left #openvpn []
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
23:21 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
23:31 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
--- Day changed Mon Dec 01 2014
00:03 -!- ShadniX [dagger@p57941DBE.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:05 -!- ShadniX [dagger@p57941C99.dip0.t-ipconnect.de] has joined #openvpn
00:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:50 -!- Kerberos76 [~Kerberos7@107.182.184.234.16clouds.com] has quit [Ping timeout: 258 seconds]
00:51 -!- mattock_afk is now known as mattock
02:45 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
02:47 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:05 -!- fin [~fin@unaffiliated/le0] has joined #openvpn
03:37 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has joined #openvpn
03:42 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
03:59 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Remote host closed the connection]
04:06 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
04:06 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
04:17 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
04:18 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
04:28 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
04:32 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
04:34 -!- wigyori [wigyori@bodega.szopobode.hu] has joined #openvpn
04:38 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
04:42 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
04:49 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
05:03 -!- havingFun is now known as xrosnight
05:08 -!- defswork [~andy@141.0.50.98] has quit [Quit: Ex-Chat]
05:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:23 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has quit []
05:32 -!- mattock is now known as mattock_afk
05:43 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
05:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 264 seconds]
05:46 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has joined #openvpn
05:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:53 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
05:53 < hyper_ch> just read about https://forums.openvpn.net/topic17625.html
05:53 <@vpnHelper> Title: OpenVPN Support Forum Critical denial of service vulnerability in OpenVPN servers : Announcements (at forums.openvpn.net)
06:03 <@plaisthos> hyper_ch: yes
06:03 < hyper_ch> that sounds bad
06:03 <@plaisthos> and that is all publicly available information we have at the moment
06:10 < hyper_ch> so it's only the server that's affected?
06:13 -!- qzio [~qzio@forskningsavd/qzio] has joined #openvpn
06:16 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
06:23 -!- mattock_afk is now known as mattock
06:25 -!- phre4k [~phre4k@HSI-KBW-46-237-208-199.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
06:26 < phre4k> hey, dumb question: if I use routed mode, my client gets an IP like 10.8.0.10 but still can connect to the clients/servers in the network 192.168.1.0/24 where the OpenVPN server is located? Or do I have to set up the internal gateway as next hop?
06:26 -!- dazo_afk is now known as dazo
06:27 -!- akira [~touya@unaffiliated/touya] has joined #openvpn
06:28 -!- scelestic [~unknown@fugumod/member/scelestic] has joined #openvpn
06:30 <@syzzer> hyper_ch: yes, server only
06:35 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:35 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 244 seconds]
06:36 < scelestic> I understand probably no one wants or can answer this at this time, but is that DoS bug fix related to a crypto lib? (ie, when running openvpn with polarssl should i have to worry about updates?)
06:48 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Read error: Connection reset by peer]
06:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
07:01 -!- grrrrr [gr@rikos.org] has joined #openvpn
07:03 -!- ayaka [~ayaka@ayaka-2-pt.tunnel.tserv21.tor1.ipv6.he.net] has left #openvpn ["离开"]
07:03 -!- keytoaster [~tobias@gentoo/developer/keytoaster] has joined #openvpn
07:09 -!- Latrina [~Latrina@adsl-ull-222-191.50-151.net24.it] has quit [Ping timeout: 258 seconds]
07:12 -!- Latrina [~Latrina@ppp-171-34.26-151.libero.it] has joined #openvpn
07:12 -!- Standbye [3e996107@fedora/petreu] has joined #openvpn
07:12 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
07:31 -!- ThiefMaster [thief@unaffiliated/thiefmaster] has joined #openvpn
07:31 < ThiefMaster> any details about the 2.3.6 security fix? i.e. is the vulnerable version able to crash the whole machine or just a simple DoS in openvpn?
07:34 <@plaisthos> scelestic: if openssl or polarssl had a vulnerability they probably would announce that instead of OpenVPN project, right? :)
07:37 -!- Standbye [3e996107@fedora/petreu] has left #openvpn []
07:40 <@plaisthos> ThiefMaster: at the moment only informatin available is in the announcements
07:43 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
07:43 < scelestic> plaisthos: very good point :)
07:44 < scelestic> (still, could have been)
07:48 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
07:53 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
07:57 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
08:03 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
08:12 -!- nonickn [~torkun@unaffiliated/ms-/x-8800476] has joined #openvpn
08:12 < nonickn> !welcome
08:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:13 < nonickn> !ask
08:13 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
08:14 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 250 seconds]
08:14 < nonickn> !howto
08:14 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
08:19 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
08:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
08:20 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
08:25 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:26 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
08:30 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:30 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 272 seconds]
08:33 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:34 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
08:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
08:38 -!- nonickn [~torkun@unaffiliated/ms-/x-8800476] has quit [Ping timeout: 264 seconds]
08:38 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
08:40 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
08:43 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
08:46 -!- fred`` [fred@earthli.ng] has joined #openvpn
08:48 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:48 -!- grummel [~christian@static.115.36.9.176.clients.your-server.de] has joined #openvpn
08:49 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
08:53 -!- ade_b [~Ade@redhat/adeb] has quit [Read error: Connection reset by peer]
08:54 -!- phre4k [~phre4k@HSI-KBW-46-237-208-199.hsi.kabel-badenwuerttemberg.de] has quit [Ping timeout: 240 seconds]
08:55 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
09:01 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
09:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
09:02 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
09:05 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
09:05 < ValdikSS> Hello guys
09:06 < ValdikSS> So what's about this new security issue? Is it affecting only OpenVPN server which dies, or the whole system?
09:06 < ValdikSS> Is it something more than DoS?
09:08 < ValdikSS> mattock
09:11 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
09:17 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
09:18 < ThiefMaster> apparently they don't give out more information :/
09:19 <@mattock> ValikSS: it's server-side DoS
09:19 <@mattock> more details will follow in a few hours, when the fixed version is out
09:22 < ValdikSS> mattock: thanks, I'll wait
09:23 <@krzee> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
09:23 <@vpnHelper> Title: SecurityAnnouncement-97597e732b – OpenVPN Community (at community.openvpn.net)
09:29 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
09:35 < ThiefMaster> tbh, this still doesn't answer the question if it affects more than just the openvpn process
09:36 -!- elanthia [~elanthia@elanthia.nl] has joined #openvpn
09:36 < ThiefMaster> which, for a dos, is pretty much the important question. because if it can be used to nuke the server i'd be much more inclined to disable openvpn until the fix - but if it just breaks openvpn.. well, not a big deal for a small private vpn
09:38 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
09:42 < scelestic> we'll have to wait and see, my compile machine is ready :)
09:42 -!- fin [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:44 <@krzee> ThiefMaster, it tells you around when it will be released, along with details
09:44 <@krzee> im aware it doesnt give the details.
09:45 <@krzee> im looking forward to hearing it all too
09:45 < ThiefMaster> i really don't understand why this kind of information is being withheld. it doesn't really make it easier for people to exploit it... but people would feel safer for sure if they knew that the worst that can happen is someone breaking their openvpn daemon
09:45 <@krzee> Mon Dec  1 15:45:42 UTC 2014
09:45 <@krzee> keep the panties on for 2 hours
09:45 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has joined #openvpn
09:46 <@krzee> its not like they're saying they need a year, a couple hours to work on the problem before wasting their time explaining it is NOT asking for too much
09:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
09:49 <@krzee> i know i prefer those who understand it most spend their time right now fixing the problem so we can roll out the new release, THEN make a writeup so we can learn about it / share it
09:49 <@krzee> as opposed to making the writeup, THEN fixing it… which would make no sense
09:49 -!- mattock is now known as mattock_afk
09:53 <@plaisthos> ThiefMaster: yes it does make it easier for people to exploit
09:54 <@plaisthos> often when you hear the one line description of an exploit or the circumstances which allow the exploit to be used and are familiar with the software you have a pretty idea where to look
09:55 <@plaisthos> look at heartbleed
09:56 <@plaisthos> "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."
09:56 <@plaisthos> is the CVE description
09:59 <@plaisthos> with even the first sentence, most security people would have found an exploit
10:00 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has joined #openvpn
10:00 < masterkorp> Hello
10:00 <@krzee> greetings
10:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:14 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
10:15 -!- mediumok [~chatzilla@217.197.0.40] has joined #openvpn
10:18 -!- hackruu [~hackru@213.232.243.233] has joined #openvpn
10:25 -!- exceion [~ryan@fbi.computer] has joined #openvpn
10:28 < exceion> Anyone shed some light on https://forums.openvpn.net/topic17625.html  ie: more details?
10:28 <@vpnHelper> Title: OpenVPN Support Forum Critical denial of service vulnerability in OpenVPN servers : Announcements (at forums.openvpn.net)
10:38 <@dazo> exceion: more information will come in the coming hours, coordinated by Samuli and the OpenVPN company
10:43 < exceion> sounds delightful , thanks
10:47 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:48 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
10:53 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:57 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
11:00 -!- mattock_afk is now known as mattock
11:00 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
11:07 -!- hammerzeit [~spank@76.72.174.116] has joined #openvpn
11:07 < hammerzeit> !welcome
11:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:08 -!- hackruu [~hackru@213.232.243.233] has quit [Remote host closed the connection]
11:08 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
11:14 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
11:15 -!- Protected [Join@from.myshelter.net] has joined #openvpn
11:16 -!- elfixit [~Icedove@2001:1620:2777:11:3e97:eff:fe7f:f3ad] has quit [Remote host closed the connection]
11:30 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 244 seconds]
11:32 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
11:33 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
11:37 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has quit [Ping timeout: 256 seconds]
11:39 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:39 -!- mediumok [~chatzilla@217.197.0.40] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.1/20141106120505]]
11:39 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has joined #openvpn
11:39 -!- sascha5- [~sas@genco2.schumann.net] has joined #openvpn
11:44 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
11:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:46 -!- hammerzeit [~spank@76.72.174.116] has quit [Quit: brb]
11:52 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
11:56 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has quit [Ping timeout: 272 seconds]
11:59 < ValdikSS> Can't wait!
12:02 -!- Q_Continuum [~qlaras@li292-181.members.linode.com] has joined #openvpn
12:03 < Protected> I've been here for literally minutes and it's not out yet? Appaling!
12:03 -!- Protected [Join@from.myshelter.net] has quit [Disconnected by services]
12:03 -!- Prott [Join@bl12-3-230.dsl.telepac.pt] has joined #openvpn
12:03 -!- Prott is now known as Protected
12:04 -!- sakaru [~quassel@me.slashsrv.com] has joined #openvpn
12:04 -!- AlexRussia is now known as AlexFromNowhere
12:07 -!- razor [~razor@wopr.technobabble.dk] has joined #openvpn
12:10 <@syzzer> the wiki page will probably be updated with more information shortly, but for those who really can't wait, the commit in question has just been published: https://github.com/OpenVPN/openvpn/commit/c5590a6
12:10 <@vpnHelper> Title: Drop too-short control channel packets instead of asserting out. · c5590a6 · OpenVPN/openvpn · GitHub (at github.com)
12:10 -!- hartman2x [~hartman@cpe-74-134-75-235.swo.res.rr.com] has joined #openvpn
12:11 -!- krzee changed the topic of #openvpn to: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.6 (1 Dec 2014) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue  || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke
12:11 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 264 seconds]
12:12 -!- `Kevin [~kevin@ec2-54-236-80-113.compute-1.amazonaws.com] has joined #openvpn
12:12 -!- T-One [506e50e7@gateway/web/freenode/ip.80.110.80.231] has joined #openvpn
12:12 < hartman2x> !ovpnuke
12:13 <@krzee> not there yet
12:13 <@krzee> waiting for the writeup to be posted still
12:13 <@plaisthos> You can crash the server from the client
12:13 < hartman2x> Sorry, I got all antsy in my pantsy
12:13 <@plaisthos> if the client is authenticated
12:13 < pekster> At least it's an authenticated-attack vector only (could be worse..)
12:14 <@plaisthos> and it is dos only
12:14 <@plaisthos> not remote execution or information disclosure
12:14 < hartman2x> just the vpn server, not the box itself?
12:14 <@dazo> correct
12:14 < exceion> Is this just for 2.3.5 or 2.3.2 as well
12:14 <@dazo> just ovpn
12:14 < hartman2x> that's great news
12:14 <@dazo> exceion: all versions before 2.3.6
12:15 < exceion> Thanks
12:15 <@krzee> !learn ovpnuke as https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows a client to crash an openvpn server running openvpn before 2.3.6
12:15 <@vpnHelper> Joo got it.
12:15 <@krzee> hopefully that page will have more info in a min, ill say something when it does
12:15 < T-One> hi guys, should i worry about the 2.3.5 bugfix? we have a shitload of AS installations in our company, do i have to work tonight?
12:15 < T-One> ah, thanks krzee
12:16 < T-One> i wait
12:16 <@krzee> T-One, definitely update your server to 2.3.6, clients wont need it
12:16 < pekster> If your clients are all trusted it "might" be less of an issue
12:16 <@krzee> should be nice and easy because it only effects servers
12:16 <@plaisthos> krzee: shouldn't that be ovpnnuke?
12:17 <@krzee> i liked ovpnuke :D
12:17 < pekster> Open Virtual Private Nuke
12:17 <@plaisthos> :)
12:18 < pekster> Really the only use-case I see that being truely 'drop everything and fix it' would be vendors allowing not-entierly-trusted clients to connect (read: ovpn as a service model)
12:19 -!- mediumok [~chatzilla@217.197.0.40] has joined #openvpn
12:20 <@syzzer> also, you can spot the (...) who killed your server in your server logs, so you can just revoke his certificate to prevent him/her from doing it again :)
12:21 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
12:21 <@dazo> given that you have client cert authentication enabled ...
12:21 <@dazo> (not using --client-cert-not-required)
12:21 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
12:22 -!- k4v_ [~k4v@95.90.205.247] has joined #openvpn
12:22 < k4v_> !ovpnuke
12:22 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows a client to crash an openvpn server running openvpn before 2.3.6
12:23 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
12:24 < ValdikSS> Sorry, my internet connection was lost. Did I miss something from :03?
12:24 < ValdikSS> Are there any public channel logs?
12:24 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
12:24 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
12:24 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:25 <@syzzer> wiki seems to be updated a minute ago: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
12:25 <@vpnHelper> Title: SecurityAnnouncement-97597e732b – OpenVPN Community (at community.openvpn.net)
12:26 < ValdikSS> Yes, thanks!
12:26 -!- hoppel [~sascha@gtso-4db05a0c.pool.mediaWays.net] has joined #openvpn
12:32 < ValdikSS> Sooo does authentification means TLS authentification and not full authentification?
12:33 < ValdikSS> I.e. can the server be crashed if user/pass authentification is used with TLS certificates and the attacker was TLS-authenticated but not user/pass authenticated?
12:33 < pekster> No. Only a fully authenticated client can launch the DoS attack. If you trust your clients not to take down your server, there's no real rush (do it when you next can)
12:33 <@syzzer> ValdikSS: good point. tls-authenticated is sufficient for the attack
12:33 <@syzzer> it's basically 'as soon as the control channel has been set up' (which is after the tls handshake succeeded)
12:34 < ValdikSS> syzzer: I see. That's pretty funny because a lot of commertial VPN providers use user/pass authentication with per-client or shared TLS keys
12:34 <@syzzer> uh-uh
12:35 < pekster> syzzer: hmm, that's calling key_method_2_read() as well in that case?
12:36 <@syzzer> pekster: did not explicitly verify, let me check
12:36 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
12:37 < pekster> Might be the case, I just saw the that called only from the one place in tls_process() -- maybe it's in both paths (after auth with x.509 only, but before then with tls-auth used)
12:38 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has joined #openvpn
12:41 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
12:42 <@syzzer> tls-auth is even before the handshake, so definately after tls-auth
12:43 < pekster> Right, but I'm not sure that routine is called to decrypt tls-auth secured control packets. Might be easiest to ask the debugger to break rather than try to figure out what path gets called (I'm about to try that now)
12:44 <@syzzer> and user/pass is sent in the same message as the key negotiation, so yes, a client can exploit this without supplying a valid user/pass combination
12:44 < pekster> Oh, without certs in that case, k
12:45 <@syzzer> yes, so an attacker needs valid certs (unless the server uses --client-cert-not-required) and the tls-auth key (if the server uses tls-auth)
12:50 -!- AlexFromNowhere is now known as AlexRussia
12:55 < busch> Is the swupdate.openvpn.net repository still on 2.3.5?
12:56 < busch> (I did "aptitude update && aptitude safe-upgrade && openvpn --version" and i am still on 2.3.5)
12:59 < `Kevin> busch: looks like it
12:59 < `Kevin>  curl http://swupdate.openvpn.net/apt/dists/wheezy/main/binary-amd64/Packages | egrep 'Package:|Version:'
13:02 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
13:09 < Q_Continuum> Ok, since its an authenticated client only bug...I'm not going to worry. All my "users" are "devices" that I control.
13:11 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
13:11 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
13:12 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
13:13 <@krzee> the link in !ovpnuke is updated
13:13 < busch> `Kevin: Update is in the repository in now live
13:14 < `Kevin> indeed ;)
13:15 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
13:17 < busch> !ovpnuke
13:17 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
13:19 -!- Q_Continuum [~qlaras@li292-181.members.linode.com] has left #openvpn []
13:29 -!- T-One [506e50e7@gateway/web/freenode/ip.80.110.80.231] has quit [Quit: Page closed]
13:35 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
13:37 -!- lev__ [~lev@stipakov.com] has joined #openvpn
13:41 -!- architekt [archi@i.love.coding4.coffee] has joined #openvpn
13:41 < architekt> !ovpnuke
13:41 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
13:49 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Excess Flood]
13:50 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
13:54 < Roelke> pekster: is het possible to find out which software adds an iptables rule ?
13:54 < Roelke> there is an incorrect rule added @ startup
13:57 -!- Protected [Join@bl12-3-230.dsl.telepac.pt] has quit [Disconnected by services]
13:57 -!- Protected [Join@from.myshelter.net] has joined #openvpn
13:58 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
14:05 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has joined #openvpn
14:08 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
14:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
14:21 -!- CivisUS [~CivisUS@208.80.0.1] has joined #openvpn
14:35 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:45 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:52 -!- jackbrown [~se@93-44-52-189.ip95.fastwebnet.it] has quit [Quit: Sto andando via]
15:13 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:20 -!- ketas- [~ketas@159-211-191-90.dyn.estpak.ee] has joined #openvpn
15:20 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:51d0:2071:2a09:5739] has quit [Ping timeout: 258 seconds]
15:21 -!- Poster|x [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
15:21 -!- wkd [~wkd@75.46.172.54] has joined #openvpn
15:24 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Disconnected by services]
15:24 -!- Pyrogerg_ [~Gregory@205.167.120.201] has joined #openvpn
15:24 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
15:25 < wkd> I'm trying to turn a tunneled vpn into a bridged vpn to use programs on the network that use multicast.. the eth0 device has a static ip and, I'm looking at the table at the top here: http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript ..when I define the local ip netmask and broadcast how would i do that since they are not local ranges?
15:25 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:26 -!- Orbixx_ [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
15:29 -!- `Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
15:29 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:30 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
15:32 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:bc30:151d:2d5b:9108] has joined #openvpn
15:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:34 -!- hartman2x [~hartman@cpe-74-134-75-235.swo.res.rr.com] has left #openvpn []
15:35 -!- Netsplit *.net <-> *.split quits: clu5ter, mistermajestic, Six6siX, jzaw, Orbixx, _0x5eb_, ketas, seba, pppingme, Poster,  (+9 more, use /NETSPLIT to show all of them)
15:35 -!- `Nothing4You is now known as Nothing4You
15:35 -!- Netsplit over, joins: deranged
15:35 -!- Netsplit over, joins: seba
15:36 -!- Netsplit over, joins: pppingme
15:54 -!- sakaru [~quassel@me.slashsrv.com] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
15:59 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
16:00 -!- wkd [~wkd@75.46.172.54] has quit [Ping timeout: 252 seconds]
16:05 -!- mattock is now known as mattock_afk
16:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
16:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
16:16 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
16:17 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
16:29 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
16:33 -!- ender| [krneki@foo.eternallybored.org] has joined #openvpn
16:34 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
16:35 < pekster> Roelke: Best not to give root access to programs doing things you don't want
16:40 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:bc30:151d:2d5b:9108] has quit [Read error: Connection reset by peer]
16:41 -!- Poster|x is now known as Poster
16:41 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 258 seconds]
16:41 -!- akamaru217 [~akamaru21@67.191.183.251] has joined #openvpn
16:42 -!- hoppel [~sascha@gtso-4db05a0c.pool.mediaWays.net] has quit [Ping timeout: 240 seconds]
16:43 -!- hoppel [~sascha@p50803FF7.dip0.t-ipconnect.de] has joined #openvpn
16:43 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
16:45 -!- dougquaid [~dougquaid@pool-96-247-192-249.clppva.fios.verizon.net] has joined #openvpn
16:46 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
16:47 < dougquaid> I saw the post about the denial of service bug on the forum. Is there anyplace that documents it in more detail? In particular, what symptoms does the bug exhibit so I could tell if I was being effected by it
16:47 -!- dazo is now known as dazo_afk
16:51 -!- hoppel [~sascha@p50803FF7.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds]
16:51 -!- razor [~razor@wopr.technobabble.dk] has left #openvpn ["Leaving..."]
16:52 -!- hoppel [~sascha@gtso-4db05a0c.pool.mediaWays.net] has joined #openvpn
16:54 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
16:55 < pekster> dougquaid:
16:55 < pekster> !ovpnuke
16:55 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
16:56 < pekster> It's a DoS, so it crashes the server; that alone should be obvious enough to detect
17:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
17:00 <@Eugene> Something something --tls-auth, right?
17:00 -!- mode/#openvpn [+o syzzer] by ChanServ
17:00 < dougquaid> pekster: Thanks
17:00 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
17:01 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 272 seconds]
17:05 -!- Papey [~Papey@ks3364303.kimsufi.com] has quit [Ping timeout: 250 seconds]
17:14 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
17:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Remote host closed the connection]
17:27 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 258 seconds]
17:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
17:31 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
17:33 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
17:36 < Strogg> !welcome
17:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:37 < Strogg> hrmm those don't work in /msg, I guess?
17:37 < Strogg> !route
17:37 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:37 <@vpnHelper> client
17:40 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
17:42 < Strogg> ok.. I'm not sure where to start, and I keep going in circles in my config.. so.. here goes.. maybe someone can point me the right way
17:44 < Strogg> I've got a box on a public IP that's outside my network.. I have one box that's inside my private network.  I'd like that one box to go through the tunnel, and use the outside host as it's gateway to the internet
17:44 < Strogg> the trick is, that the box inside my network can't run openvpn, so I'm gonna be running it on my router, and I want my box to go through my router, tunnel to the outside box, and then go to the outside world
17:45 < Strogg> I've got the tun link between my router and the host working and I can ping back and forth
17:45 < Strogg> where do I go from here?
17:47 < Strogg> I was thinking.. I could setup a second private network.. say 172.16.1.0/24.. and then have my outside host do SNAT to mask my network addresses
17:47 < Strogg> does that seem reasonable?
17:52 < esde> quick question,  i installed 2.3.5 from source, in order to install 2.3.6 can i go through the same steps i used to install 2.3.5? do i need to uninstall the old 2.3.5 package somehow or will just installing the new version overwrite the old version?
17:54 < pekster> esde: Same procedure is fine; a `make install` will simply replace the files you installed originally
17:55 < esde> thank you! :)
17:57 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has joined #openvpn
17:57 -!- hoppel [~sascha@gtso-4db05a0c.pool.mediaWays.net] has quit [Ping timeout: 264 seconds]
17:58 -!- tamiko [~tamiko@gentoo/developer/tamiko] has joined #openvpn
17:59 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:01 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:08 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 240 seconds]
18:10 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
18:11 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:19 -!- texsantos [~tex@c-68-58-222-147.hsd1.sc.comcast.net] has joined #openvpn
18:19 < texsantos> OpenVpn Gui (community edition) is code yes?
18:19 < texsantos> *C Code.
18:21 < pekster> Yup
18:21 < pekster> !gui
18:21 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
18:22 < texsantos> If it's windows does that mean it's some freaky "visual C" or "C# or some crazyness or straight up C?
18:23 < pekster> Just C, with the usual trash that come along with Windows C APIs
18:24 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:24 -!- mode/#openvpn [+o syzzer] by ChanServ
18:29 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:30 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:31 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
18:31 < texsantos> thx pekster++
18:31 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
18:48 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 272 seconds]
18:51 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
18:52 < ValdikSS> I've made an exploit and it works :)
18:52 < texsantos> mad sploits and cracks yo
18:52 < ValdikSS> texsantos: supa skillz 9000
18:53 < texsantos> werd bruh
18:53 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has quit [Ping timeout: 272 seconds]
18:54 < texsantos> i've been dickin' with POODLEs all day.  Can't seem to turn them off.
18:54 < texsantos> vunerable poodles.
19:05 -!- BladedThesis [~BladedThe@2001:1af8:4010:a027:3::] has joined #openvpn
19:07 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
19:10 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
19:15 < ValdikSS> By the way, pekster, syzzer, there is a chance I saw this bug in the wild about 1 month ago. I set up 5 fresh debian x86_64 servers, set up OpenVPN on it, ran it in different time and they crashed twice in the approximately same time
19:16 < ValdikSS> I though that's because I never used 64-bit version of OpenVPN with 64-bit radiusplugin and there may be something with the build
19:16 < ValdikSS> I rebuilt openvpn and radiusplugin and everything worked stable from that time
19:17 < ValdikSS> I saw 3 crashes overall without any coredumps or errors. There were 3 or 4 crashes overall. After the first two crashes, I ran OpenVPN in gdb until it crashed and got literally nothing
19:17 < ValdikSS> (that's probably because of OpenVZ)
19:22 -!- Pyrogerg_ [~Gregory@205.167.120.201] has quit [Ping timeout: 256 seconds]
19:41 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 256 seconds]
19:43 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
20:07 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
20:13 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
20:37 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 272 seconds]
20:41 -!- GuidovanPossum [~chatzilla@46.246.124.19] has joined #openvpn
20:58 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:02 -!- RowdyChildren [~rowdychil@unaffiliated/rowdychildren] has joined #openvpn
21:02 < RowdyChildren> !poodle
21:02 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
21:03 -!- RowdyChildren [~rowdychil@unaffiliated/rowdychildren] has left #openvpn ["Leaving"]
21:05 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 256 seconds]
21:07 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
21:18 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:18 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
21:46 -!- GuidovanPossum [~chatzilla@46.246.124.19] has quit [Ping timeout: 264 seconds]
21:46 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
21:47 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
21:51 -!- ketas- is now known as ketas
22:08 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:20 -!- Orbixx_ [~orbixx@freenode/sponsor/orbixx] has quit [Ping timeout: 265 seconds]
22:22 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
22:38 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has joined #openvpn
22:40 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
22:48 < d3m0n> Hey guys, I can't get general web browsing access for some reason. I have another server running OpenVPN with pretty much the same settings that wrok fine (CentOS) but this is Ubuntu. I can connect fine just no web browsing access. Incoming config file...
22:49 < d3m0n> CLIENT: http://pastebin.com/9xtdpLvT SERVER: http://pastebin.com/3u5j2wsP CLIENT IPCONFIG: http://pastebin.com/vv5cY5Fs SERVER FIREWALL RULES: http://pastebin.com/jKGUQqXn
22:50 < d3m0n> Redacted obvious information
22:56 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
22:59 < d3m0n> Followed this: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
22:59 <@vpnHelper> Title: HOWTO (at openvpn.net)
23:00 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:06 <@krzee> d3m0n, the openvpn howto told you to set tun-mtu mssfix and whatnot?
23:06 <@krzee> did you troubleshoot something to find you needed those?
23:07 <@krzee> or (my guess) did you find them on some random config from google and decide to use them?
23:07 < d3m0n> That was apart of a tutorial I followed form my previous vpn
23:07 <@krzee> remove them
23:08 < d3m0n> That was actually added in hopes of making it work, I used the example config and edited to my settings but still no go
23:08 <@krzee> then pastebin iptables-save
23:08 < d3m0n> I have iptables-persistent
23:09 < d3m0n> one sec
23:10 <@krzee> also remove reneg
23:11 <@krzee> in fact you broke your connection by adding that to only 1 side
23:11 <@krzee> you should read about EVERY option you use in the manual
23:11 < d3m0n> http://pastebin.com/8r0mPKLx
23:11 <@krzee> so you know what they do
23:11 <@krzee> your server config is pretty broken due to added options
23:12 <@krzee> omg your firewall too lol
23:13 < d3m0n> Seems pretty forward to me? http://pastebin.com/QC8WqUJZ
23:13 <@krzee> did you see your output of iptables-save?
23:13 <@krzee> thats what your active rules are
23:13 <@krzee> which are obviously NOT the same as your lil script
23:14 < d3m0n> Even after reruning the script (which contains iptables -F) has that with iptables-save
23:15 <@krzee> because iptables -F doesnt flush all your nat table i guess, you should be using iptables-save / iptables-restore imo
23:15 <@krzee> !iptables
23:15 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
23:15 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
23:15 <@krzee> !linnat
23:15 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
23:15 <@krzee> !linipforward
23:15 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
23:15 <@krzee> cat /proc/sys/net/ipv4/ip_forward
23:16 <@krzee> what is the output
23:16 < d3m0n> Ok i cleaned up my firewall
23:17 < d3m0n> refresehd the nat
23:17 < d3m0n> "1"
23:17 <@krzee> show me another iptables-save
23:17 <@krzee> also, can your connected client ping 8.8.8.8?
23:18 < d3m0n> http://pastebin.com/K0tuFKWu
23:18 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 264 seconds]
23:18 < d3m0n> After resetting it with the script now it's rejecting my connect
23:18 <@krzee> then maybe you should open the vpn port
23:19 <@krzee> also wtf are you doing with keeping state on udp?
23:19 <@krzee> especially when not keeping state on your tcp connections
23:19 <@krzee> let me guess, another copy from a web tutorial?
23:20 <@krzee> and with the accepting of estabished connections last
23:20 <@krzee> lol lol
23:21 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
23:29 <@krzee> so ya, you have a bit of extra stuff to remove from your server config, and definitely need to fix your firewall config
23:48 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
--- Day changed Tue Dec 02 2014
00:01 -!- ShadniX [dagger@p57941C99.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:04 -!- ShadniX [dagger@p5481C643.dip0.t-ipconnect.de] has joined #openvpn
00:11 -!- mattock_afk is now known as mattock
00:12 < d3m0n> krzee I asked a colleague about rule placement, he said he believe it was irrelevant, suppose he was wrong
00:18 -!- duoi [duoi@unaffiliated/duoi] has joined #openvpn
00:19 < duoi> hi all. would anyone know how big (in kb/bytes) the initial openvpn connection handshake is?
00:19 <@Eugene> tcpdump is your friend
00:21 < duoi> Eugene, i dont have openvpn installed atm, which is why i'm hoping someone here could help shed some light on it
00:21 <@Eugene> I can't be bothered to dump a handshake myself, and I don't know the number off the top of my head
00:21 <@Eugene> So it's a whole bunch of people who jsut can't be arsed
00:22 < d3m0n> krzee: http://wiki.centos.org/HowTos/Network/IPTables
00:22 <@vpnHelper> Title: HowTos/Network/IPTables - CentOS Wiki (at wiki.centos.org)
00:23 < d3m0n> maybe contact centos about established being last
00:36 < d3m0n> How this looking: http://pastebin.com/JGtfD8jc
00:44 -!- Maxels [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
00:47 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 264 seconds]
00:50 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
01:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
01:32 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
01:33 < hyper_ch> hi there, I have a strange issue. OpenVPN has established a connection however ipconfig in windows 8.1 doesn't show it
01:43 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
01:49 -!- k4v_ [~k4v@95.90.205.247] has quit [Ping timeout: 245 seconds]
01:54 -!- bkolden [~bkolden@cpe-108-184-220-70.socal.res.rr.com] has quit [Quit: Leaving]
01:54 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
01:56 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:56 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Quit: por que no los dos]
02:01 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
02:02 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
02:03 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 240 seconds]
02:06 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
02:06 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:13 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
02:13 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
02:18 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
02:20 < hyper_ch> time to recompile openvpn then
02:45 -!- Latrina [~Latrina@ppp-171-34.26-151.libero.it] has quit [Ping timeout: 258 seconds]
02:47 -!- Latrina [~Latrina@adsl-ull-213-252.45-151.net24.it] has joined #openvpn
02:52 -!- Latrina [~Latrina@adsl-ull-213-252.45-151.net24.it] has quit [Remote host closed the connection]
02:55 -!- Latrina [~Latrina@adsl-ull-213-252.45-151.net24.it] has joined #openvpn
03:01 -!- Gellert [~gellert@gellert.gellert.gellert.gellert.gellert.gellert.gellert.pro] has quit [Quit: byez]
03:02 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
03:03 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
03:15 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
03:18 -!- scelestic [~unknown@fugumod/member/scelestic] has left #openvpn []
03:22 -!- bone_idol [~bone_idol@apple.rat.burntout.org] has joined #openvpn
03:23 < bone_idol> Hi.  I have a openvpn server with a number of client sites connecting back to it over openvpn tunnels
03:23 < bone_idol> we have static routes configured on the openvpn server pointing back to the remote sites.
03:24 < bone_idol> but when the openvpn server daemon restarts, we lose the tun/tap interfaces on the server, and the kernel drops the static routes.
03:24 < bone_idol> Which is a chore because then I have to manually add them back again.
03:25 < bone_idol> I wonder what a better way to add the routes back to the remote LAN's would be ?
03:31 < hyper_ch> how do those routes work?
03:31 < hyper_ch> individual per client?
03:33 < bone_idol> there is an openwrt router at each site, with openvpn client on in it.  The openvpn server has routes back to the remote sites LAN
03:33 < bone_idol> they are static routes.
03:34 < bone_idol> the tun/tap interfaces on the server drop when the openvpn daemon restarts and I lose the static routes.
03:34  * bone_idol notes in the man page  the --up and --up-restart options
03:35 < bone_idol> which looks like it might solve my problem.
03:35 < hyper_ch> pretty sure they do
03:35 < hyper_ch> btw, upgrade your openvpn
03:35 < hyper_ch> if you didn't since yesterday 18h UTC
03:36 < bone_idol> Thats why it restarted today at 06:20 today ;-)  Debian fixed it for me.
03:39 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
03:41 < hyper_ch> :) good luck with the rest
03:41 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
03:42 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 240 seconds]
03:47 -!- Gellert [~gellert@gellert.gellert.gellert.gellert.gellert.gellert.gellert.pro] has joined #openvpn
03:47 < Gellert> yo
03:47 < Gellert> any vpn expert here? :P
03:48 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
03:50 < Gellert> no one :( ?
03:51 < bone_idol> !ovpnuke
03:51 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
03:51 -!- dazo_afk is now known as dazo
03:54 <@plaisthos> Gellert:
03:54 <@plaisthos> !ask
03:54 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
03:58 < Gellert> plaisthos: :)
04:01 < Gellert> so i have two machine , win8 and win7, x64 both, openvpn 2.3.6 client both, ovpn config is the same, every hardware is the same, when i start to load a website on win8 (IE or chrome) ping is stabile 5-6ms, but when i do the same on win7, when i hit enter on chrome/ie, ping goes to 3-5k and 3-4 request timeout, after the loaded in, ping goes back to normal 5-6ms.
04:01 < Gellert> there is no firewall, no antivirus
04:02 < Gellert> there is no error server/client side, on verb 5
04:03 < Gellert> plaisthos: waiting for your answer bro'
04:10 -!- deranged [Jess@lolpurr.net] has quit [Ping timeout: 258 seconds]
04:17 < Gellert> really?
04:17 < Gellert> no one?
04:17 < Gellert> no idea? :(
04:20 < hyper_ch> sounds like you should upgrade your win8 to win8
04:20 < hyper_ch> win7 to win8
04:22 < Gellert> no way
04:22 < Gellert> i can't do that
04:24 -!- u0m3 [~u0m3@92.80.68.195] has quit [Read error: Connection reset by peer]
04:24 -!- deranged [Jess@lolpurr.net] has joined #openvpn
04:28 -!- deranged [Jess@lolpurr.net] has quit [Excess Flood]
04:29 < hyper_ch> well, another option would be to upgrate do Linux
04:31 -!- deranged [Jess@lolpurr.net] has joined #openvpn
04:32 < Gellert> no
04:32 < Gellert> nooooooo
04:32 < Gellert> hyper_ch: be serious bro
04:32 < hyper_ch> I am serious
04:32 -!- thenyck [~micele@194.95.62.114] has joined #openvpn
04:33 < Gellert> i can operate only with win7
04:33 < Gellert> :)
04:33 < Gellert> on this machine
04:33 < hyper_ch> I'm pretty sure you have also the skills to run linux
04:34 < Gellert> i have bro
04:34 < Gellert> i have
04:34 < Gellert> but i cant afford dat
04:34 < Gellert> on this pc
04:34 -!- deranged [Jess@lolpurr.net] has quit [Read error: Connection reset by peer]
04:35 -!- svg [~svg@hydargos.ginsys.net] has joined #openvpn
04:35 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Remote host closed the connection]
04:38 < thenyck> hey there. I encounter a problem which I'm not able to solve and hope to find some help. I got an openvpn server on 10.11.0.1 with all "regular" openvpn clients given a 10.11.0.X address, all servers a 10.10.0.* address via ccd and a second group of defined users given addresses in 10.12.1.* also via ccd. for the clinets given a 10.10.0.* or 10.12.1.* everything works fine. For the "regular clients" given addresse in 10.11.0.* however, i encounter a strange
04:38 < thenyck> Tue Dec  2 11:28:55 2014 /sbin/ip addr add dev tun0 10.11.0.15/24 broadcast 10.11.0.255
04:38 < thenyck> Tue Dec  2 11:28:55 2014 /sbin/ip route add 10.10.0.0/24 via 10.11.0.1
04:38 < thenyck> Tue Dec  2 11:28:55 2014 /sbin/ip route add 10.11.0.0/24 via 10.11.0.1
04:38 < thenyck> RTNETLINK answers: File exists
04:38 < thenyck> Tue Dec  2 11:28:55 2014 ERROR: Linux route add command failed: external program exited with error status: 2
04:38 < thenyck> Tue Dec  2 11:28:55 2014 /sbin/ip route add 10.12.1.0/24 via 10.11.0.1
04:38 < thenyck> meaning the route to 10.11. won't be set. Hoever, the client can reach all other clients in 10.11.0.*
04:40 < thenyck> which is fine. But no i want to push an additional route using 10.11.0.221 as hop. something like
04:40 < thenyck> push route "10.20.0.0 255.255.255.0 10.10.0.221"
04:40 < thenyck> this of course fails for the 10.11.0.* clients
04:40 < thenyck> Tue Dec  2 11:28:55 2014 /sbin/ip route add 10.20.0.0/24 via 10.10.0.221
04:40 < thenyck> RTNETLINK answers: Network is unreachable
04:41 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 250 seconds]
04:41 < thenyck> for clients in the other two networks (10.12.1.* and 10.10.0.*) this works fine...
04:41 < thenyck> Tue Dec  2 10:44:38 2014 /usr/bin/ip addr add dev tun0 10.12.1.1/6 broadcast 255.255.255.253
04:41 < thenyck> Tue Dec  2 10:44:38 2014 /usr/bin/ip route add 10.10.0.0/24 via 10.11.0.1
04:41 < thenyck> Tue Dec  2 10:44:38 2014 /usr/bin/ip route add 10.11.0.0/24 via 10.11.0.1
04:41 < thenyck> Tue Dec  2 10:44:38 2014 /usr/bin/ip route add 10.12.1.0/24 via 10.11.0.1
04:41 < thenyck> Tue Dec  2 10:44:38 2014 /usr/bin/ip route add 10.20.0.0/24 via 10.10.0.221
04:41 < thenyck> what am i missing? any help appreciated...
04:41 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
04:42 -!- svg [~svg@hydargos.ginsys.net] has left #openvpn []
04:43 < Gellert> hyper_ch: any idea? :P
04:43 < hyper_ch> Gellert: I already gave you two ideas
04:44 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
04:47 < Gellert> hyper_ch: i cant do anything with your 2 ideas :D
04:47 -!- [1]Kiwi [~Kiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has joined #openvpn
04:47 < [1]Kiwi> hey people
04:47 < Gellert> hey kiwi
04:48 < [1]Kiwi> im trying to use a windows client to connect to a ovpn server and im not haivng much joy
04:48 < [1]Kiwi> Hey Gellert
04:48 < hyper_ch> [1]Kiwi: why not?
04:48 < [1]Kiwi> Im using a mikrotik router to run the server
04:49 < [1]Kiwi> http://wiki.mikrotik.com/wiki/Manual:Interface/OVPN#Summary
04:49 <@vpnHelper> Title: Manual:Interface/OVPN - MikroTik Wiki (at wiki.mikrotik.com)
04:49 < [1]Kiwi> i have followed this useful setup thingy
04:49 < [1]Kiwi> im trying to make it work with the windows client
04:50 < [1]Kiwi> i probably should test it with a linux client but for some reason I cant install it
04:50 < hyper_ch> !configs
04:50 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
04:50 < [1]Kiwi> i tried yum install openvpn
04:50 < hyper_ch> you have the epel repos?
04:51 < [1]Kiwi> nah i guess i need that
04:52 < [1]Kiwi> i wonder if openvpn can intergrate googleauthenicator
04:52 < [1]Kiwi> that would be cool
04:52 < hyper_ch> I have no idea what that is
04:53 < [1]Kiwi> its kind of a free second factor system
04:53 < [1]Kiwi> for authentication
04:53 < [1]Kiwi> its quite cool
04:53 < hyper_ch> I fail to see the coolnes of that
04:54 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:54 < [1]Kiwi> how do you mean hyper_ch
04:54 < [1]Kiwi> ?
04:54 < hyper_ch> [11:53] <[1]Kiwi> its quite cool
04:54 < hyper_ch> [11:53] <hyper_ch> I fail to see the coolnes of that
04:55 < [1]Kiwi> ok its useful i guess by adding a second factor
04:55 < [1]Kiwi> to an authentication process
04:55 < hyper_ch> I fail to see the benefit of that
04:56 < [1]Kiwi> maybe it makes it more tricky for a person to get unauthorised access
04:56 < [1]Kiwi> ?
04:56 < [1]Kiwi> client certs are probably just as good is that your point ?
04:57 < hyper_ch> yes
04:57 < [1]Kiwi> nice :)
04:57 < [1]Kiwi> yeah they are good
04:57 < [1]Kiwi> thats why im making an effort to learn this stuff
04:57 < hyper_ch> just follow the openvpn howto
04:58 < [1]Kiwi> ok thanks
04:59 < ThiefMaster> the major drawback of 2FA for something like VPN is that is requires manual intervention
04:59 < ThiefMaster> probably not what you usually want
04:59 < hyper_ch> [1]Kiwi: https://openvpn.net/index.php/open-source/documentation/howto.html
04:59 <@vpnHelper> Title: HOWTO (at openvpn.net)
05:00 < [1]Kiwi> i guess i kind of feel that its more secure in that you have to have the smartphone to authenticate
05:00 < [1]Kiwi> but really if someone else gets the QR code when you load it also they have the keys
05:02 < [1]Kiwi> maybe having the client cert plus 2FA
05:04 < ThiefMaster> sounds like overkill :)
05:04 < [1]Kiwi> probably
05:04 < [1]Kiwi> haha
05:04 < ThiefMaster> if people have access to your PC you are fucked anyway. they could just MITM you locally and use your 2FA code for their own connection. you wouldn't be able to connect in that case but they might have access long enough to do stuff
05:05 < hyper_ch> ThiefMaster: FDE helps with access to the comp
05:06 < [1]Kiwi> whats FDE ?
05:06 < hyper_ch> full disk encryption
05:07 < hyper_ch> (helps against physical access)
05:07 < [1]Kiwi> its anoying on a server because ya have to enter the pass at boot
05:07 < hyper_ch> where's the problem there?
05:07 < hyper_ch> that's simple on debian
05:08 < [1]Kiwi> I guess if its baremetal and i dont have physical access and i reboot it
05:08 < [1]Kiwi> whats the answer in debian ?
05:08 < hyper_ch> still fail to see the problem (on debian)
05:09 < [1]Kiwi> i dont use debian
05:09 < [1]Kiwi> ubuntu server a few years back crashed too much for me
05:09 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has quit []
05:10 < hyper_ch> http://www.howtoforge.com/remotely-unlock-fully-encrypted-debian-squeeze
05:10 <@vpnHelper> Title: Remotely Unlock Fully Encrypted Debian Squeeze | HowtoForge - Linux Howtos and Tutorials (at www.howtoforge.com)
05:10 < hyper_ch> since squeeze it's been easy on debain
05:10 < hyper_ch> also, a lot of hosts offer some kind of vnc even for boot and stuff
05:10 < [1]Kiwi> nice thanks for that
05:38 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
05:39 -!- BtbN [btbn@btbn.de] has joined #openvpn
05:55 < [1]Kiwi> WARNING: No server certificate verification method has been enabled.
05:55 < [1]Kiwi> im wondering what this mean s
05:56 < [1]Kiwi> im getting this error when trying to connect on the linux client to the Mikrotik router
05:57 < hyper_ch> sounds like you didn't follow the howto on the openvpn page
05:57 < [1]Kiwi> yeah i was just following that example i pasted in
05:58 < [1]Kiwi> but tried it using the linux client like in the example
05:58 < [1]Kiwi> but it doesnt seem to work
05:59 < hyper_ch> you didn't usea easy-rsa's build-key-server for the server and seems you might be lacking the ns-cert-type server in the client config
06:00 < hyper_ch> following the openvpn howto will take care of that
06:00 < [1]Kiwi> thanks kyper_ch
06:00 < [1]Kiwi> thanks hyper_ch
06:09 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:21 -!- ThiefMaster [thief@unaffiliated/thiefmaster] has left #openvpn []
06:33 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:34 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
06:39 -!- qzio [~qzio@forskningsavd/qzio] has left #openvpn []
06:42 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
06:46 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
06:47 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
07:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
07:19 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:24 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 258 seconds]
07:26 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
07:31 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
07:31 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
07:43 < [1]Kiwi> VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=myCa
07:43 < [1]Kiwi> i dont know why im getting this
07:43 < [1]Kiwi> error
07:43 < [1]Kiwi> i know the first time my clock was out
07:44 < hyper_ch> just use easy-rsa to create the certs
07:44 < [1]Kiwi> ok so the ones that are being made in the Mikrotik are not good ?
07:45 < hyper_ch> I told you already twice to follow the openvpn howto
07:45 < [1]Kiwi> ok
07:48 -!- fin [~fin@unaffiliated/le0] has joined #openvpn
07:56 < jackbrown> hello
07:56 < jackbrown> could anyone help me to fix VPN leaks ?  I didn't find any instructions for linux here https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html
07:56 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com)
08:01 -!- Protected [Join@from.myshelter.net] has quit [Quit: Gone.]
08:15 -!- [1]Kiwi [~Kiwi@ip-118-90-67-126.xdsl.xnet.co.nz] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Organize your IRC]
08:24 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 240 seconds]
08:27 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 255 seconds]
08:29 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
08:37 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
08:41 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
08:50 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
09:00 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:05 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
09:06 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:19 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 250 seconds]
09:22 -!- blaubarschbube [~adads@nat.hamburg.contentfleet.com] has joined #openvpn
09:22 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:22 < blaubarschbube> hi. i have an issue with easy-rsa. assuming i need two certs, one for servers and one for clients and both having the same CN (possible when i delete index.txt inbetween) how is it possible to sign both certs with the same key?
09:27 <@krzee> why do you believe you need the same CN?
09:27 <@krzee> each CN must be unique.
09:29 < blaubarschbube> i want to use it in bacula. bacula has server component as well as client components on th same host. furthermore bacula wants the CN to be the exact host name. and in addition to that in bacula is only one single key configurable
09:30 < blaubarschbube> so i need two certs (one server, one client) signed with the same key and having the same cn
09:31 <@krzee> bacula shouldnt care about the vpn internals
09:31 <@krzee> i dont use it, but i would suspect it simply connects to a given host
09:31 <@krzee> your openvpn setup does not want them to have the same cn.
09:32 < hyper_ch> krzee, now that you're here... ;)
09:32 <@krzee> sup hyper
09:32 < hyper_ch> have you created SSL certs for apache with SANs?
09:32 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:32 < DArqueBishop> In fact (correct me if I'm wrong, krzee) not only does the server and client need to have different CNs, every client needs to have their own CN or else you're going to end up with clients knocking each other off when they connect.
09:32 <@krzee> hyper_ch, no.
09:32 < hyper_ch> awwwww
09:32 <@krzee> DArqueBishop, you are correct.
09:33 < hyper_ch> want to create ssl certs that lisen on      sub.domain.tld  and  vpn-sub.domain.tld at the same time ;)
09:33 <@krzee> *sub.domain.tld
09:33 < hyper_ch> listen = make browser no output an error
09:34 < hyper_ch> how do I create wildcard certs than?
09:34 < hyper_ch> well, I chose the easy route to prefexi eveything with  vpn-  ;)
09:34 <@krzee> !google how do I create wildcard certs
09:34 <@vpnHelper> CSR Creation | Create Certificate Signing Request (CSR) - DigiCert: <https://www.digicert.com/csr-creation.htm>; What is a Wildcard SSL certificate? | GoDaddy Help | GoDaddy ...: <http://support.godaddy.com/help/article/567/what-is-a-wildcard-ssl-certificate>; Generating IIS 7 CSRs (Certificate Signing Requests) | GoDaddy ...: <http://support.godaddy.com/help/article/4800/generating-iis-7-csrs-
09:34 <@vpnHelper> certificate-signing-requests>
09:35 < hyper_ch> vpnHelper's google-fu isn't strong enough
09:35 -!- flyingkiwi [~kiwi@2a02:2028:1016::2] has joined #openvpn
09:36 <@krzee> actually i think you would find your answer on the first link
09:37 <@krzee> but it would require reading it
09:37 < hyper_ch> let's test your hypothesis
09:37 < hyper_ch> reading? you're kidding me, right?
09:37 <@krzee> i know i know
09:37  * novaflash looks oddly at hyper_ch
09:37 <@novaflash> krzee, what is this word 'reading'?
09:38 < hyper_ch> novaflash: reading is an ancient term that was made obsolete with the advent of radio and tv ;)
09:38 <@novaflash> huh. really. i bet you just made that word up.
09:39 <@novaflash> like 'documentation' and 'learning'
09:39 < hyper_ch> I think it's of latin or greek origin
09:39 <@novaflash> your lies are most transparant...
09:40 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
09:44 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
09:46 <@krzee> hyper_ch, you saw ovpnuke right?
09:46 < hyper_ch> krzee: yes, I'm avoid subscriber to fefe's blog :)
09:47 < hyper_ch> http://blog.fefe.de/?ts=aa829218
09:47 <@vpnHelper> Title: Fefes Blog (at blog.fefe.de)
09:47 <@krzee> i didnt know you're german
09:47 < hyper_ch> I'm not
09:48 <@novaflash> *points to ch*
09:48 <@novaflash> that got anything to do with it?
09:48 < hyper_ch> yes
09:48 <@novaflash> yay i smarts
09:48 <@novaflash> it's because i have been learning and read- oh shit
09:48 <@krzee> ch speak german?
09:48 < hyper_ch> as krzee isn't the average USian he knows, that CH does not stand for China
09:49 <@novaflash> CH is for Crikey, Holland!
09:49 < hyper_ch> ch speak a lot of languages.... 6 native ones, 4 official ones
09:49 <@krzee> omg
09:49 <@krzee> you speak all 10?
09:49 < hyper_ch> well, it's 6 natives ones
09:49 < hyper_ch> among those, 4 are officially used
09:50 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 258 seconds]
09:50 <@krzee> well
09:50 < hyper_ch> only 3 of those
09:50 <@krzee> how many do you speak?
09:50 < hyper_ch> 6 in total
09:50 <@krzee> damn thats cool
09:50 <@krzee> i only soeak 2
09:50 <@krzee> speak*
09:50 < hyper_ch> English and US-english?
09:50 <@krzee> US-english and spanish
09:50 -!- phunyguy [vortex@ubuntu/member/phunyguy] has joined #openvpn
09:50 < hyper_ch> well, with spanish italian isn't too hard anymore
09:51 < hyper_ch> and also french
09:51 <@plaisthos> novaflash: and everyone knows every Dutch person speaks German!
09:51 < hyper_ch> and latin
09:51 <@novaflash> ja richtig! sehr gut
09:51 <@novaflash> ich bin ein berliner
09:51 -!- nonickn [~torkun@unaffiliated/ms-/x-8800476] has joined #openvpn
09:51  * hyper_ch noms novaflash
09:51 <@novaflash> ouch
09:51 <@plaisthos> hyper_ch: are Switzerdütsch and German counted as one or two?
09:52 <@novaflash> that... *snigger* ...bytes
09:52 <@novaflash>  /ultra lame joke level 9000
09:52 < hyper_ch> plaisthos: there's no swiss german... there are a couple of different dialects
09:52 <@novaflash> isn't it called something like High German or something?
09:52 <@novaflash> Hoch Deutsch or whatever?
09:52 < hyper_ch> http://www.entrup-haselbach.de/sites/default/files/imagecache/product_zoom/sites/default/files/images/products/4228_berliner_0.jpg
09:52 <@plaisthos> yes, Hochdeutsch
09:52 < hyper_ch> yes, the written language is high german
09:52 < hyper_ch> in daily live we all use our dialects
09:53 < hyper_ch> some of which are really hard to understand
09:53 <@novaflash> that's getting closer to dutch already, people being high, language high, nice
09:53 < hyper_ch> btw, how's the new king doing?
09:53 <@plaisthos> it is like  Received Pronunciation in English
09:53 <@krzee> im good thank you
09:54 <@krzee> hyper_ch, and how are you?
09:54 <@plaisthos> I think he meant the Dutch king :)
09:54 <@krzee> oh i see
09:54 < hyper_ch> plaisthos: that's what krzee also refers to ;)
09:55 <@novaflash> i guess he's doing okay
09:55 <@novaflash> i pray to him every day, of course
09:55 <@novaflash> just like all the british people do to their queen
09:55 < hyper_ch> haven't heard of a rebellion this far ;)
09:56 <@novaflash> he's too cool for rebellion
09:56 <@novaflash> he'd be like, hey nice party, what are we fighting for again?
09:56 <@krzee> i spent a weekend in netherlands and a few hours at a bar in germany… i should go actually check out europe some time
09:56 <@novaflash> krzee: oktoberfest
09:56 -!- fixxxermet [~lopan@vps.gnulnx.net] has joined #openvpn
09:56 < hyper_ch> krzee: have you seen Eurotrip?
09:56 <@krzee> of course
09:57 < hyper_ch> then you've seen it all
09:57 <@krzee> haha
09:57 -!- phunyguy [vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
10:01 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
10:01 < hyper_ch> oh... also, you've seen Hostel, right?
10:01 <@krzee> hahah
10:01 <@krzee> right
10:02 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:02 < hyper_ch> that sums up Europe pretty much ;)
10:06 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds]
10:07 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
10:07 < hyper_ch> krzee: also, if you come to Europe, it's good to say you're Canadian ;)
10:08 <@krzee> shit i was in vietnam earlier this year
10:08 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
10:08 < hyper_ch> never been there
10:10 < hyper_ch> so time to hunt for some food
10:10 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
10:10 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
10:10 -!- mode/#openvpn [+o plaisthos] by ChanServ
10:11 -!- lev__ [~lev@stipakov.com] has quit [Remote host closed the connection]
10:12 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 258 seconds]
10:14 -!- BtbN [btbn@btbn.de] has joined #openvpn
10:14 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
10:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
10:17 -!- kirin` [telex@gateway/shell/anapnea.net/x-aiqhdmvagxandgnr] has quit [Ping timeout: 250 seconds]
10:21 -!- kirin` [telex@gateway/shell/anapnea.net/x-bycsmpjmjhzqaqvg] has joined #openvpn
10:24 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Quit: elfixit]
10:26 -!- kirin` [telex@gateway/shell/anapnea.net/x-bycsmpjmjhzqaqvg] has quit [Ping timeout: 245 seconds]
10:29 -!- kirin` [telex@gateway/shell/anapnea.net/x-sqncytpfbgubzijw] has joined #openvpn
10:30 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:31 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:36 -!- kirin` [telex@gateway/shell/anapnea.net/x-sqncytpfbgubzijw] has quit [Read error: Connection reset by peer]
10:37 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:37 -!- kirin` [telex@gateway/shell/anapnea.net/x-hjekwwqtnmeopyna] has joined #openvpn
10:38 -!- Whoopie [Whoopie@unaffiliated/whoopie] has joined #openvpn
10:39 < Whoopie> Hi, could someone please point me to the openvpn 2.2.3 release? I can't find it under http://swupdate.openvpn.org/community/releases/
10:39 <@vpnHelper> Title: Index of /community/releases/ (at swupdate.openvpn.org)
10:39 < Whoopie> Thanks!
10:42 -!- lev__ [~lev@stipakov.fi] has joined #openvpn
10:42 -!- kirin` [telex@gateway/shell/anapnea.net/x-hjekwwqtnmeopyna] has quit [Ping timeout: 252 seconds]
10:44 -!- kirin` [telex@gateway/shell/anapnea.net/x-fhzkuurtnnaslfcy] has joined #openvpn
10:46 < thenyck> hey there. if got one question. how do i allow ccd clients in a different subnet to ping/ssh the vpn gateway?
10:52 -!- kirin` [telex@gateway/shell/anapnea.net/x-fhzkuurtnnaslfcy] has quit [Read error: Connection reset by peer]
10:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-xbafgirukgivchqm] has joined #openvpn
10:53 < hyper_ch> Whoopie: why do you want such an old release?
10:53 -!- thenyck [~micele@194.95.62.114] has quit [Quit: Leaving.]
10:54 < Whoopie> hyper_ch: personally, I use 2.3.6, but in our project freetz.org, we support both versions right now.
10:54 < Whoopie> and I'd like to update it because of the security fix.
10:54 < hyper_ch> oh, freetz :) nice
10:54 < hyper_ch> had it on my old fritzbox
10:58 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
10:59 -!- kirin` [telex@gateway/shell/anapnea.net/x-xbafgirukgivchqm] has quit [Ping timeout: 245 seconds]
10:59 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:59 <@novaflash> hyper_ch: was that still stable enough and such?
11:00 < hyper_ch> I liked the fritzbox
11:01 -!- kirin` [telex@gateway/shell/anapnea.net/x-znaitkknqifuhaac] has joined #openvpn
11:02 <@novaflash> i love fritz boxes
11:02 <@novaflash> but i am not so sure about trying out freetz
11:02 <@novaflash> worried it may make it less stable
11:03 < hyper_ch> worked really fine
11:03 <@novaflash> so did it really add that much more functionality?
11:03 < hyper_ch> yes
11:04 < hyper_ch> especially dnsmasq
11:05 <@novaflash> so, for like network boot and such?
11:06 < hyper_ch> http://freetz.org/wiki/packages
11:06 <@vpnHelper> Title: packages – Freetz (at freetz.org)
11:06 < hyper_ch> although I didn't try openvpn on it
11:06 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
11:07 < Whoopie> hyper_ch: thanks ;-)
11:07 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has joined #openvpn
11:07 < Whoopie> so I added a patch for 2.2.3 to fix the CVE. But still interested in the new tarball.
11:07 < hyper_ch> Whoopie: but why you still want to provide 2.2.3?
11:08 < Whoopie> hyper_ch: honestly, I can't remember. One of our devs asked for it.
11:08 < hyper_ch> :)
11:08 < hyper_ch> there were so many nice additions in 2.3
11:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-znaitkknqifuhaac] has quit [Read error: Connection reset by peer]
11:08 -!- kirin` [telex@gateway/shell/anapnea.net/x-pfivllkwjkhvaqqo] has joined #openvpn
11:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
11:09 < hyper_ch> dang, client-to-client was added in 2.2
11:14 -!- kirin` [telex@gateway/shell/anapnea.net/x-pfivllkwjkhvaqqo] has quit [Ping timeout: 252 seconds]
11:20 -!- u0m3 [~u0m3@92.80.68.195] has quit [Ping timeout: 264 seconds]
11:21 -!- fin [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:23 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has joined #openvpn
11:27 <@dazo> hyper_ch: client-to-client was added in 2.0, iirc
11:27 < hyper_ch> 2.2 iirc :)
11:28 <@dazo> according to 'git blame' client-to-client is mentioned in the SVN import from 2005, which is basically the starting point for the 2.1 development branch
11:28 <@dazo> (hence 2.0)
11:29 < hyper_ch> oh
11:29 < hyper_ch> ok
11:30 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 255 seconds]
11:30 <@dazo> (it might have been somewhere in the early 2.1 development phase, as it's the first commit from the BETA21 SVN branch)
11:32 < hyper_ch> we... no new major version for 10 years....
11:32 <@dazo> 2004.04.10 -- Version 2.0-test20
11:32 <@dazo> * Added an option --client-to-client
11:32 <@dazo> well, I wouldn't say that
11:33 <@dazo> IPv6 support is one of the really big things in 2.3
11:33 < hyper_ch> still at 2.x :)
11:33 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
11:33 <@dazo> that's just a version number, that's irrelevant to what features comes in ... 2.0->2.1 is major release, 2.1->2.2 as well, and 2.2->2.3
11:34 <@dazo> 3.x will be a complete re-write of the openvpn code base ... so that's more like a "generation" tracking
11:34 < hyper_ch> I see
11:34 <@novaflash> we don't like change. we are traditionalist. we'd go back a version number if we could.
11:35 <@novaflash> new version: openvpn 1.2!
11:35 <@dazo> 2.2 is the smallest major release we've done, feature wise ... that release is basically pushing out a lot of community patches
11:37 <@dazo> 2.3 had a lot of goodies, IPv6 and PolarSSL support being the biggest ones, plus a more flexible plug-in API ... most of them listed here: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3-alpha1
11:37 <@vpnHelper> Title: ChangesInOpenvpn23 – OpenVPN Community (at community.openvpn.net)
11:37 < hyper_ch> I don't believe in IPv6 :)
11:37 < hyper_ch> and I've heard PolarSSL now a few times the last 24h
11:37 <@dazo> well, some people don't believe in the future, so that's understandable :)
11:37 < hyper_ch> but haven't heard of it before
11:38 <@dazo> PolarSSL is a relatively new SSL library, but with a code base which is possible to read without being half-insane/half-genius and worrying about eye cancer
11:39 <@dazo> however, it lacks several features found in OpenSSL ... plus the massive production testing which OpenSSL have achieved over all these years
11:39 < hyper_ch> quantum physics is also simple to a phyicisit
11:39 < _FBi> dazo, do you know much about the OPVN dos?  If it's only 4 bytes you can send -- there wouldn't be enough room for OPcode to do anything useful, other than Denial of Service, no?
11:39 < hyper_ch> well, the massive testing didn't help much with heartbleed
11:41 <@dazo> _FBi: that's right ... before this last fix ... if the received packet was too short, it would do an assert(), which would basically kill the openvpn process
11:41 <@dazo> _FBi: So, with such a small packet, it would not be possible to do anything else than just a DoS
11:42 <@dazo> hyper_ch: well, the same can be said about our latest CVE release ... it's been in the code since the early days, but nobody got the clever idea to test this until quite recently .... and Heartbleed was basically a similar issue, nobody tried that until they discovered that issue
11:42 <@dazo> any software you run can have similar issues as well
11:42 < _FBi> I'm trying to think of ways 4 bytes could do anything, or how to exploit the assert() .  I draw a blank
11:43 <@dazo> _FBi: right ... afair the code, the assert() will not make openvpn parse the packet further, it will just do a cotrolled shut-down and exit, disregarding whatever those 4 bytes may contain
11:50 < _FBi> what if those bytes were no operation... and there was a lot of them
11:51 < _FBi> I guess that makes it bigger than 4 bytes
11:51 < _FBi> lol
11:51 <@dazo> yeah ;-)
11:51 <@dazo> that's a very different attack vector :)
11:51 <@dazo> but sure, it would be interesting to dig into that path
11:52 < _FBi> but it's still bigger than 4 bytes, so it doesn't matter
11:52 < _FBi> what happens when more than 4 bytes are sent?
11:53 <@dazo> I'd recommend you to pull down the 2.3 source code and produce the doxygen docs ... this might actually be covered quite well there
11:54 <@dazo> but it would generally start parsing the packet then
11:55 <@dazo> but at this stage, it first parses a kind of a header, with an op-code, and then it decrypts the packet.
11:58 -!- deranged [Jess@lolpurr.net] has joined #openvpn
12:00 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:03 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:03 < svm_invictvs> Hello
12:04 < svm_invictvs> So I'm having trouble with my openvpn.  I can connect to the openVPN server, and when it connets everythig is fine
12:04 < svm_invictvs> however, I can't actaullyt alk to anything on the network
12:04 -!- deranged [Jess@lolpurr.net] has quit [Ping timeout: 258 seconds]
12:20 < ValdikSS> Actually, I crashed frootvpn yesterday with that bug
12:20 < ValdikSS> the whole thing!
12:22 -!- exceion [~ryan@fbi.computer] has left #openvpn []
12:24 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
12:30 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
12:31 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 264 seconds]
12:32 < hyper_ch> !configs > svm_invictvs
12:32 < hyper_ch> krzee: awwwww... bot can't highlight the recipient?
12:33 < hyper_ch> !configs
12:33 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
12:34 <@dazo> svm_invictvs: ^^^ + have you set up routing? + have you setup proper return routing? + have you configured your firewalls accordingly?
12:35 < svm_invictvs> hyper_ch: Yeah, I have.
12:36 < svm_invictvs> hyper_ch: It used to work without any issues.
12:36 <@dazo> what did you change?
12:36 < hyper_ch> hyper_ch ... dazo.... both names are too similar :)
12:36 <@dazo> :)
12:40 < svm_invictvs> dazo: I think the IP address range of the VPN vs the "main" network.
12:40 < svm_invictvs> the VPN is on 10.0.1.0/24 and the internal network is 10.0.0.0/24
12:41 < svm_invictvs> And I do have some very open (probalby too open) routing rules
12:41 <@dazo> ehm .... you think what?  Your IP ranges changed? .... and routing rules cannot be too open or too closed.  routing tables can only be correct or wrong
12:42 <@dazo> firewall settings can be too open or too narrow
12:52 -!- elfixit [~Icedove@77-57-39-82.dclient.hispeed.ch] has quit [Ping timeout: 264 seconds]
13:11 -!- nonickn [~torkun@unaffiliated/ms-/x-8800476] has quit [Ping timeout: 244 seconds]
13:20 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
13:21 -!- deranged [Jess@lolpurr.net] has joined #openvpn
13:32 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
13:35 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
13:41 -!- snappy [nipnop@unaffiliated/snappy] has joined #openvpn
13:42 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
13:43 < snappy> This is less of an openvpn question and more to do with Linux specifically. Is there a way to route traffic to an openvpn gw (+nat) by using iptables/netfilter rules and probably policy based routing? Specifically: I want to match traffic that is destined to LDAP servers (dport 389) to forward packets (and NAT) via $OPENVPN_GW_IP
13:44 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
13:59 < esde> yes
14:04 < hyper_ch> it sux to ask questions with only four possible, one word answers ;)
14:04 < Poster> snappy: You're going to want to look at iproute2 and probably the -j MARK target in the mangle table
14:05 <@ecrist> snappy: that's simply a port forward
14:05 < hyper_ch> Poster: he nevers asked on how to do it... just if it's possible
14:06 < Poster> :(
14:06 < hyper_ch> ;)
14:07 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
14:13 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 244 seconds]
14:16 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
14:16 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
14:29 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 255 seconds]
14:29 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 258 seconds]
14:34 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has quit [Ping timeout: 258 seconds]
14:35 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
14:36 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
14:36 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
14:36 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
14:38 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
14:39 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
14:46 -!- EugeneKay [eugene@2600:3c01::3f:101] has joined #openvpn
14:47 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Ping timeout: 258 seconds]
14:50 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
14:52 -!- Eugene [eugene@rfc1918.ninja] has quit [Quit: ZNC - http://znc.sourceforge.net]
14:52 -!- EugeneKay is now known as Eugene
14:59 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:01 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
15:04 -!- mattock is now known as mattock_afk
15:14 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:22 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
15:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:28 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:32 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
15:33 -!- phuzion is now known as nodly
15:33 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:33 -!- nodly is now known as phuzion
15:37 -!- mediumok [~chatzilla@217.197.0.40] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.1/20141106120505]]
15:38 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
15:44 -!- Vahid [97e8b8b8@gateway/web/freenode/ip.151.232.184.184] has joined #openvpn
15:44 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
15:45 < Vahid> Hi guys, I config openvpn server in centos 6.5 VPS, in android needs client.ovpn file but I don't know where the .ovpn file is! can you help me ?
15:46 < Vahid> I have this files: server.conf  server.crt  server.key ca.crt  dh2048.pem but there is no .ovpn :(
15:49 < Vahid> anybody active here ?
15:50 < Vahid> I have client.conf too
15:52 -!- CivisUS [~CivisUS@208.80.0.1] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:01 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 258 seconds]
16:02 < zoredache> You need to create one.  An ovpn file is just a client configuration file.
16:02 < zoredache> You provide all the required directives appropriate to your server.
16:08 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
16:10 < Vahid> I got it ;-)
16:10 < Vahid> Thanks myself :D bye
16:11 -!- Vahid [97e8b8b8@gateway/web/freenode/ip.151.232.184.184] has quit [Quit: Page closed]
16:24 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 264 seconds]
16:32 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:32 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:42 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
16:56 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 252 seconds]
16:56 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has quit [Ping timeout: 252 seconds]
16:57 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 252 seconds]
16:58 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
16:59 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Ping timeout: 252 seconds]
16:59 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 252 seconds]
17:01 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
17:01 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
17:02 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
17:05 -!- akamaru217 [~akamaru21@67.191.183.251] has quit [Ping timeout: 252 seconds]
17:07 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
17:09 < hydrajump> maybe an odd question but I have an openvpn server setup to **not** do full tunnelling. Instead of pushing DNS servers to the clients is it possible to push a single FQDN, eg. rds.example.com resolves to 10.1.20.24 ?
17:09 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
17:12 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has joined #openvpn
17:13 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:16 < hydrajump> a solution might be to simply add a hostname entry to /etc/hosts
17:21 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 256 seconds]
17:45 <@dazo> !splitdns
17:45 <@vpnHelper> "splitdns" is (#1) see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups or (#2) "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
17:45 <@dazo> hydrajump: ^^^
17:47 < pekster> Keep in mind unless you know the DNS resolution is happening on a system you control, you've got no gaurentee your view of "somehost.example.net" matches another PC on the Internet; things like geo-DNS, or even lag time in DNS prpogation can result in different people getting different results. That's even more true of CDNs that may have thousands of hosts for a single name
17:48 < pekster> The only reliable way to direct application-level traffic over a VPN is to use an application-level gateway, which in terms of http traffic would be a web proxy
17:48 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
17:57 -!- Fudge [~Rob@static-71-241-229-94.washdc.fios.verizon.net] has left #openvpn ["irsii"]
18:17 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has joined #openvpn
18:22 < Gl4di4t0r> is it necessary to use a TAP when runnin openvpn under Linux?
18:23 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
18:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-wyghasibpdftpagz] has joined #openvpn
18:24 < snappy> Gl4di4t0r: depends on thte use case, but you need either tun or tap.
18:25 < Gl4di4t0r> snappy: tun?
18:27 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 244 seconds]
18:32 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
18:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
18:43 < hydrajump> dazo: pekster thanks!
18:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
18:47 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 258 seconds]
18:48 <@dazo> Gl4di4t0r: tun is preferred ... and required if you want to use android clients
18:48 <@dazo> !tunortap
18:48 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:48 <@vpnHelper> rooted/jailbroken) support only tun
18:49 < Gl4di4t0r> dazo: so why does the windows openvpn client use tap?
18:50 <@dazo> Gl4di4t0r: that's a long story ... but the TAP device in Windows supports tun as well
18:50 <@dazo> Gl4di4t0r: In Windows the virtual adapter needs to look and behave like a physical NIC ... and TAP adapters does exactly that
18:51 <@dazo> Gl4di4t0r: Windows doesn't have an API which other oSes does to provide tun devices directly
18:51 < Gl4di4t0r> I see
18:54 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
19:00 -!- dazo is now known as dazo_afk
19:07 -!- misterma_ [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
19:07 -!- misterma_ [~mistermaj@unaffiliated/mistermajestic] has quit [Client Quit]
19:09 -!- misterma_ [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
19:09 -!- misterma_ [~mistermaj@unaffiliated/mistermajestic] has quit [Client Quit]
19:10 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 264 seconds]
19:10  * _FBi Chants " Tun or Tap... Tun or Tap... "
19:22 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
19:22 < dvl> BTW, well done on the handling of the vuln yesterday. Very clearly explained.
19:28 -!- AndrewAu [cb5750e2@gateway/web/freenode/ip.203.87.80.226] has joined #openvpn
19:29 < AndrewAu> Hello. I have installed OpenVPN Community server and managed to get a client connecting successfully (IP assigned). However, I cannot access any of the LAN resources. I am really stumped by this as I did add the push route ... command. I then tried bridging mode but just gave up. Can anyone provide a simple guide, example, or something that lets (VPN Client) -> (VPN Server) -> (LAN Resources) work ? Thank you
19:30 < _FBi> !howto
19:30 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:31 < AndrewAu> I've checked that out and that's how I got up and running (thanks!) but I'm either missing something obvious or something subtle because it just doesn't let me ping/connect to LAN clients in my office as a VPN client. I'd assume this is a typical use case but can't seem to find a tutorial for it.
19:53 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 250 seconds]
19:53 -!- lxusrbin [~lxusrbin@2a01:4a0:40:6100::64] has quit [Ping timeout: 265 seconds]
19:54 -!- lxusrbin [~lxusrbin@2a01:4a0:40:6100::64] has joined #openvpn
19:55 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
19:55 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 256 seconds]
19:59 -!- AndrewAu [cb5750e2@gateway/web/freenode/ip.203.87.80.226] has quit [Ping timeout: 246 seconds]
20:00 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
20:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
20:30 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has quit [Quit: Gl4di4t0r]
20:54 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 250 seconds]
20:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
20:58 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
21:02 -!- u0m3 [~u0m3@92.80.68.195] has joined #openvpn
21:17 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:21 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:30 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
21:30 < Fun> hello
21:30 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
21:30 < Fun> open vpn client gets stuck
21:30 < Fun> when it failts to get tls handshake
21:30 < Fun> later it just stucks
21:54 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 245 seconds]
21:57 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
22:02 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:10 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
22:17 -!- texsantos [~tex@c-68-58-222-147.hsd1.sc.comcast.net] has quit [Read error: Connection reset by peer]
22:19 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
22:21 -!- ryao [~ryao@gentoo/developer/ryao] has quit [Ping timeout: 272 seconds]
22:23 -!- moonkid [~anonymous@108-242-212-69.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:24 -!- ryao [~ryao@gentoo/developer/ryao] has joined #openvpn
22:25 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 256 seconds]
22:56 -!- Fun [~Fun@unaffiliated/fun] has quit [Remote host closed the connection]
22:58 -!- moonkid [~anonymous@108-242-212-69.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
23:36 -!- Zaphkiel_Dalet|O [~KyZNC@192.3.196.103] has quit [Ping timeout: 245 seconds]
23:44 -!- moonkid [~anonymous@70-138-177-225.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
--- Day changed Wed Dec 03 2014
00:00 -!- ShadniX [dagger@p5481C643.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:01 -!- ShadniX [dagger@p5481C948.dip0.t-ipconnect.de] has joined #openvpn
00:20 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:21 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
00:46 -!- bone_ido1 [~bone_idol@apple.rat.burntout.org] has joined #openvpn
00:47 -!- zamba [marius@flage.org] has quit [Ping timeout: 258 seconds]
00:47 -!- bone_idol [~bone_idol@apple.rat.burntout.org] has quit [Ping timeout: 258 seconds]
00:56 -!- mattock_afk is now known as mattock
01:11 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
01:14 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
01:14 -!- zamba [marius@flage.org] has joined #openvpn
01:14 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
01:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
01:29 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has joined #openvpn
01:30 < d3m0n> Hey guys, I am still having trouble getting internet access via openvpn. My client connects but I cannot ping my DNS (8.8.8.8). Here's my configs and outputs: http://pastebin.com/xabhibc7 Any suggestions would be appreciated.
01:51 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has quit [Ping timeout: 256 seconds]
01:53 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
01:54 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
02:05 -!- fin [~fin@unaffiliated/le0] has joined #openvpn
02:10 -!- moonkid [~anonymous@70-138-177-225.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
02:16 -!- d3m0n [~d3m0n@unaffiliated/d3m0n] has quit []
02:38 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:46 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
03:46 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
04:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:32 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:40 -!- dazo_afk is now known as dazo
04:48 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 252 seconds]
04:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:55 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
05:04 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
05:04 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
05:16 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
05:16 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 250 seconds]
05:20 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
05:40 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
05:42 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
05:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 264 seconds]
05:45 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
05:45 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
05:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:44 -!- akamaruu [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
06:47 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 258 seconds]
06:48 -!- ketas [~ketas@159-211-191-90.dyn.estpak.ee] has quit [Read error: Connection reset by peer]
06:48 -!- ketas [~ketas@159-211-191-90.dyn.estpak.ee] has joined #openvpn
07:02 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:06 -!- konradb [kb@unaffiliated/konradb] has quit [Ping timeout: 245 seconds]
07:15 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:23 -!- Henryabcd [~Henryabcd@pD9E0A4A7.dip0.t-ipconnect.de] has joined #openvpn
07:25 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
07:27 -!- Henryabcd [~Henryabcd@pD9E0A4A7.dip0.t-ipconnect.de] has quit [Quit: Leaving]
07:27 -!- Henryabcd [~Henryabcd@pD9E0A4A7.dip0.t-ipconnect.de] has joined #openvpn
08:05 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
08:05 < hyper_ch> hmmm, just tried to use keysize of 4096 but I'm not successful with that
08:05 < hyper_ch> are there known issues?
08:10 < hyper_ch> it seems there's a timeout after 60 seconds
08:14 <@syzzer> hyper_ch: keysize 4096 *should* work
08:14 < hyper_ch> syzzer: wasn't lucky :(
08:14 <@syzzer> (RSA key, I assume)
08:14 < hyper_ch> yes
08:17 <@syzzer> the timeout just means the other end did not accept the connection, so at that other end there should be a more descriptive error msg
08:17 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 250 seconds]
08:18 < hyper_ch> syzzer: well, I revert back to 2048 then
08:18 -!- BigShip [~mael@unaffiliated/bigship] has joined #openvpn
08:19 < BigShip> Configured OpenVPN on linux. Wondering what permission settings I should set the keys to (e.g. chmod 600)?
08:22 < esde> that's in the docs somewhere let me see if i can find it
08:24 < esde> Look for Key Files https://openvpn.net/index.php/open-source/documentation/howto.html#pki
08:24 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:24 < esde> I am not sure if I'm doing it properly but I've got the certificates and keys set to 600 and owned by openvpn (non-root user running openvpn)
08:25 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
08:26 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
08:27 < BigShip> ty
08:30 -!- BigShip [~mael@unaffiliated/bigship] has left #openvpn []
08:52 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
08:52 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
08:56 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
09:07 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
09:14 < dvl> krzee: btw, a well handled vuln disclosure IMHO.  Thanks.
09:17 <@krzee> dvl, i can take no credit =]
09:17 < dvl> krzee: OK.  I saw you here, and you handled the impatient punters well.
09:18 <@krzee> ahh thanks
09:18 <@krzee> i kind of feel the bug was mis-classified as critical, what do you think?
09:19 < dvl> Since it can be a DOS, yes.
09:19 -!- mnikikj [~crvenazve@95.180.242.40] has joined #openvpn
09:20 <@krzee> a dos, non exploitable, and only vuln to those with access (so long as you use certs)
09:20 < mnikikj> Hello im trying to install and configure openvpn but i cant can anyone explain me how to set up and install pleasE?
09:20 <@krzee> when i hear critical i think remote code execution
09:20 <@krzee> !howto
09:20 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
09:21 < dvl> krzee:  for me, it's not critical, but to a hosting service, yes, it has the potential to take all their customers off line..?
09:21 <@krzee> one could argue that ANY bug is critical for someone
09:21 <@krzee> "critical" should be critical for all, or most, not just some use case (totally just my opinion here)
09:22 -!- mnikikj [~crvenazve@95.180.242.40] has quit [Quit: Leaving]
09:22 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:27 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
09:28 -!- dazo is now known as dazo_afk
09:36 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
09:38 -!- noecc [~irc@unaffiliated/noecc] has quit [Ping timeout: 244 seconds]
09:39 < hyper_ch> krzee: is there a reason 4096 keys are a problem for openvpn?
09:40 <@krzee> they are fine
10:00 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has joined #openvpn
10:16 < shadok> is there a way to connect a windows client without installing java? i just found out the new client seems to require it
10:17 < shadok> and fyi the link to the client is to a plain http file and not over ssl, it seems pretty dangerous to me
10:18 < shadok> the ssl link works but redirects to https://www.privatetunnel.com/index.php/index.php/client-download which contains the plain http too
10:18 <@vpnHelper> Title: Private Tunnel - Your Private Tunnel to the Internet (at www.privatetunnel.com)
10:18 < hyper_ch> krzee: it didn't work for me :(
10:18 < shadok> hyper_ch: what's in your logs
10:18 < shadok> ?
10:18 < hyper_ch> reverted already back to the 2048 keys
10:19 < shadok> your logs are still here :)
10:19 < hyper_ch> no
10:19 < BtbN> shadok, this is #openvpn, not #privatetunnel
10:21 < shadok> BtbN: that wasn't clear to me, does that mean the old ovpn client for windows doesn't exist anymore?
10:22 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
10:25 < shadok> BtbN: ok, i just found the download for the client (not the privatetunnel one), thanks
10:26 -!- dazo_afk is now known as dazo
10:28 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:29 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:31 < shadok> but same remarks for this page https://openvpn.net/index.php/open-source/downloads.html , the downloads are served in plain http even though the download link works on ssl
10:31 <@vpnHelper> Title: Downloads (at openvpn.net)
10:39 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:39 -!- geosmin [~geosmin@207.244.76.170] has joined #openvpn
10:39 < geosmin> so this is probably a stupid question, but if my phone and laptop are connected through openvpn to a vpn provider i can't seem to be able to locally ssh from one to the other, is there a way to fix this?
10:43 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
10:45 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
10:47 -!- Maxels [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Read error: Connection reset by peer]
10:47 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
10:47 <@krzee> geosmin,
10:47 <@krzee> !splitroute
10:47 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:48 <@krzee> your response traffic is going out the vpn now
10:54 < geosmin> thanks!
10:56 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
10:57 < geosmin> hmm
10:57 < geosmin> looking at the first couple solutions this only seems to work if the local ip is static, mine changes quite often as i move from place to place
11:05 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Read error: Connection reset by peer]
11:07 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 272 seconds]
11:13 -!- geosmin [~geosmin@207.244.76.170] has quit [Ping timeout: 255 seconds]
11:24 -!- Henryabcd [~Henryabcd@pD9E0A4A7.dip0.t-ipconnect.de] has quit [Read error: Connection timed out]
11:25 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
11:25 -!- Henryabcd [~Henryabcd@pD9E0A4A7.dip0.t-ipconnect.de] has joined #openvpn
11:25 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:25 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
11:31 -!- MadTBone [~MadTBone@128.59.37.113] has joined #openvpn
11:33 -!- superboot [~agentgasm@unaffiliated/superboot] has joined #openvpn
11:35 < superboot> Hi all. I have a openvpn setup using the how-to on the website. I am now trying to add an Android phone as a client. I've installed the cirtificates into the phone, and setup the connection configuration. However, when I connect, Android prompts me for a username and password, which the openvpn setup is not even using for auth. How can I add username/password auth to my openvpn setup on top of my PKI auth?
11:37 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:38 -!- fin [~fin@unaffiliated/le0] has quit [Disconnected by services]
11:39 -!- fin_ [~fin@unaffiliated/le0] has joined #openvpn
11:44 < superboot> How can I add username/password auth to an openvpn setup?
11:50 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:04 <@dazo> superboot: look at --auth-user-pass-verify if you want a script based setup ... otherwise there are several alternatives using --plugin (auth-pam, auth-ldap, radius, eurephia)
12:11 -!- fullstop [~fullstop@107.170.53.155] has joined #openvpn
12:11 < fullstop> Hi all.  In the management interface, where do I get a client id from?
12:12 -!- akamaruu [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 258 seconds]
12:12 < fullstop> If I enable "bytecount" I can see the byte counters periodically, as expected
12:12 < fullstop> but I don't know how to map from the client id to a given client
12:13 -!- akamaruu [~akamaru21@67.191.183.251] has joined #openvpn
12:15 < pekster> fullstop: Not sure about your goals, but I have a project that can track session information, including periodic updates to the traffic counters openvpn keeps that might be useful. It uses the status file which supplies the client CN along with the available stats: https://github.com/QueuingKoala/openvpn-db-log
12:15 <@vpnHelper> Title: QueuingKoala/openvpn-db-log · GitHub (at github.com)
12:16 < fullstop> pekster: possibly something similar
12:16 < fullstop> It just seems kind of silly to require client ID for all of these commands without a reasonable way to get one
12:17 < superboot> dazo: Thanks for getting back to me. I just realized that on the openvpn website they state that it is not compatable with L2TP/IPsec VPNs, and that is all Android supports. :( Oh well.
12:17 < pekster> Commands like 'kill' or the like simply take the client CN, or IIRC the IP/port tupple as well
12:17 < fullstop> bytecounter was what I was looking for
12:18 <@dazo> superboot: "OpenVPN for Android" is the community version for, well, Android
12:18 < fullstop> surely there must be a way to get it by cn or something similar
12:18 < fullstop> I'm surprised that it's not in "status"
12:19 <@dazo> fullstop: depends on which status version you're using .... not that I remember if byte counters are there
12:19 < fullstop> Looks like there are in both status and status 3
12:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Read error: Connection reset by peer]
12:20 < fullstop> maybe I can get enough from status
12:25 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
12:25 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Max SendQ exceeded]
12:26 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
12:26 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
12:31 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
12:35 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has joined #openvpn
12:54 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
13:03 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Ping timeout: 258 seconds]
13:06 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
13:29 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
13:32 -!- Gl4di4t0r [~Gl4di4t0r@unaffiliated/gl4di4t0r] has quit [Read error: Connection reset by peer]
13:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
13:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:49 -!- pseudo [~pseudo@65.204.49.74] has joined #openvpn
13:50 < pseudo> what might i do to debug a problem with an openvpn bridge setup? i can connect and ping the openvpn host, but if i try to ping any other host on the network it fails. running tcpdump i can see that arp requests are being broadcast, but no response is ever given.
13:51 -!- MastaG [5655fe87@gateway/web/freenode/ip.86.85.254.135] has joined #openvpn
13:53 < pseudo> nevermind. figured it out.
13:53 < MastaG> I'm running OpenVPN 2.3.2 on Ubuntu linux, with a very basic configuration (everything is default), but I cannot ping tun0 from the same server.. should that be expected behavior?
13:54 < pseudo> needed to allow promiscuous mode on the esxi box
13:55 -!- pseudo [~pseudo@65.204.49.74] has quit [Quit: leaving]
13:57 < MastaG> it's all basic (almost complete copy-paste from the wiki): http://pastebin.com/UcFmvB3y
13:57 < MastaG> it's my server.conf, routing table and all interfaces
13:58 < MastaG> So the server should be able to ping it's own tun0 interface right?
13:59 < MastaG> there is no iptables modules loaded in the kernel, no nf_*, iptables* or xt_* modules
14:07 < MastaG> ahhh
14:07 < MastaG> sysctl was the problem
14:08 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 258 seconds]
14:13 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
14:26 -!- mattock is now known as mattock_afk
14:27 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
14:28 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
14:51 -!- dazo is now known as dazo_afk
15:14 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:15 -!- MastaG [5655fe87@gateway/web/freenode/ip.86.85.254.135] has quit [Quit: Page closed]
15:21 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:24 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
15:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 252 seconds]
15:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:03 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
16:10 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
16:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:12 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
16:14 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
16:14 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
16:17 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 272 seconds]
16:18 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds]
16:22 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
16:42 -!- jkli [~jkli@95.211.196.209] has joined #openvpn
16:43 < jkli> hi guys
16:43 < jkli> whenever i openvpn on centos, it routes ALL traffic through the tunnel
16:43 < jkli> I run a webserver, vnc server and ssh server, so I'd like them to not be affected, any idea?
16:44 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 272 seconds]
16:44 < jkli> basically my computer --VNC--> server --> VPN --> bittorrent traffic
16:44 < jkli> is there any way to set it up that it only routes bittorrent traffic through the vpn?
16:58 -!- troyt [~troyt@2601:7:6200:1362:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
17:13 -!- in4mer [32a172cc@gateway/web/freenode/ip.50.161.114.204] has joined #openvpn
17:13 < in4mer> packet filtering question, anyone game?
17:15 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:16 < in4mer> well, here goes. if it strikes your fancy..  I've got an openvpn server/client set up on a net topology.  authed, everything's working fine
17:16 < in4mer> client can ping server and vice versa
17:16 < in4mer> i've set up quagga on top of them, and converged them with ospf
17:16 < in4mer> routes are all great
17:17 < in4mer> but openvpn is filtering the packets that aren't destined for the tun0 IPs
17:17 < in4mer> i haven't been using openvpn to push routes as I'm not using per-client configs, and i will have a different netblock behind each client
17:19 < in4mer> pings from -server hit tun0, but never make it to client
17:19 < in4mer> pings from -client hit both tun0, but never make it to FORWARD
17:19 < in4mer> packet counts for FORWARD stay at 0
17:23 < pekster> in4mer: You either need to teach openvpn about the networks behind the servers (via --iroute) or use tap. --iroute is only processed on client-connect, so it's not suitable for dynamic routing where the path could vary between several VPN clients, but _might_ possibly be suitable with some extra magic to leave a static --iroute configured, and dynamiclly send it to the server-IP on the VPN subnet OpenVPN is using
17:24 < pekster> In a routed setup, --iroute is required so it knows about the network-to-VPN-client association; if it doesn't have that, it drops strange looking packets
17:28 < in4mer> mrph
17:28 < in4mer> the problem is that the routes behind a given connection may change at any point
17:29 < in4mer> is iroute basically a filter specification, or does it also alter the direction that packets wind up going?
17:30 < in4mer> can i assign duplicate iroute statements to multiple connections and not have it wreck the kernel routes?
17:30 < pekster> No
17:30 < pekster> Either use tap, or tell openvpn about a static route. This is completely separate from your OS routing table, so it doesn't matter one bit until the openvpn process gets a packet
17:31 < in4mer> if i'm serving multiple clients that have the same iroute, will it get confused?
17:31 < in4mer> using tap kinda defeats the purpose of routing i think
17:31 < in4mer> but i appreciate the suggestion
17:31 < pekster> Yup, don't do that (it might possibly work if only 1 client with a duplicate route ever connects at once, but it's really best not to try that either)
17:31 < in4mer> ugh
17:31 < in4mer> i was really hoping to not having to use openswan
17:32 < pekster> So don't; try the solution I suggested
17:32 < in4mer> well, let me run my use case by you and see if you find possible objection
17:32 < in4mer> are you familiar with ospf?
17:33 < pekster> Yup, which is why I suggested (for the 3rd time now) a tap VPN, ie: OSI Layer-2
17:33 < pekster> No iroutes involved; just treat it like any other Etherent interface
17:33 < in4mer> k
17:33 < pekster> !tunortap
17:33 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
17:33 <@vpnHelper> rooted/jailbroken) support only tun
17:34 -!- tamiko [~tamiko@gentoo/developer/tamiko] has left #openvpn []
17:34 < pekster> The performance overhead is negligable unless you've got some serious misconfiguration on your secured VPN LAN, and so are the security concerns with tap as long as your VPN endpoints are trusted
17:34 < in4mer> heh
17:35 < in4mer> maybe i'm crazy, but i'm going to be using pairs of these to link VPC /16s across all AWS regions
17:36 < in4mer> maybe i can tap to a fake interface
17:36 < pekster> huh?
17:37 < pekster> 1) tap VPN 2) ospf over it 3) you're done. What's the deal with a "fake" interface? `modprobe dummy` ??
17:37 < in4mer> hmmm i'm probably thinking something about the implementation that isn't the case
17:39 < in4mer> but i don't want to have layer 2 for an AWS subnet redistributed over WAN
17:41 < pekster> You route over it
17:42 < pekster> Are you really worried about the extra 18 bytes per packet of lost bandwidth?
17:47 < pekster> $work uses ospf over tap to connect 3 sites currently, and it works wonderfully; we'll cap out our office broadband with the traffic, so it's plenty fast as long as you have semi-decent hardware doing the encryption (or throw AES-NI acceleration at the problem)
17:48 < pekster> If you have openvpn set up currently, just change it to tap and your ospf should just start working, provided it's set up right
17:50 < in4mer> i'm worried about all the other shit i'm going to have on that segment
17:50 < pekster> You'll only have VPN systems on that segment
17:50 < pekster> Why would you issue security credentials (certs, in most openvpn setups) to systems you're "worried" about?
17:51 < in4mer> do i want to have to spawn some random broadcast segment just to deal with openvpn trying to solve two problems in a single layer?  no
17:51 < pekster> I'm not talking about bridging; I'm talking about the same Ethernet config that pretty much every router on the planetn uses
17:51 < pekster> planet*
17:52 < pekster> So /30's that are commonly used as interlinks at ISP-to-customer peering points in datacenters are a "problem" now? Can you elaborate more on why?
17:52 < in4mer> perhaps we're talking about two different things?
17:52 < pekster> Set up a VPN, and *ONLY* the VPN system (as in, NOTHING ELSE besides the VPN _server_ and VPN _clients_ you have personally authorized) will ever be on that network segment
17:52 < in4mer> well, i'm going to be connecting at least 3 regions, probably up to five in the next six months
17:52 < pekster> You can now route across them as a backend
17:53 < in4mer> and sending bandwidth out of a region costs money.  i'm not going to double my bandwidth costs by using some form of hub & spoke; my intent is to have a L2L between all configured regions
17:53 < in4mer> which obviously won't fit in a /30
17:54 < pekster> OpenVPN is not peer-to-peer: you can't ever have 2 clients directly sending to each other using just a single VPN instance
17:54 < in4mer> ugh i was just looking forward to being able to deal with this across point-to-point
17:54 < pekster> You could spawn a bunch of /30 taps though (technically you can config the taps as PtP if you'd rather, though the difference is negligable.)
17:54 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
17:54 < pekster> PtP has just 2 endpoints, so you can't ever connect more than 2 hosts in such a setup
17:54 < in4mer> yes, i saw the /30 stuff
17:55 < pekster> net30? No, that's broken
17:55 < pekster> !addressing
17:55 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
17:55 < pekster> s/broken/worthless/
17:55 < in4mer> which is what's particularly annoying about openvpn needing a route to send packets to an interface that's ptp
17:55 < pekster> dude, tap fixes that. That's not your issue.
17:56 < jkli> how do i prevent vpn from rerouting ALL traffic via vpn?
17:56 < jkli> just want traffic from certain ports to be rerouted
17:56 < in4mer> cert auth allows me to sidestep a whole mess of config problems.  if it weren't for the filtering for packets sent down a ptp link, this would all work
17:56 < in4mer> ok
17:56 < pekster> jkli: Don't reroute all your traffic over the VPN; this is not the default mode of operation, so you'd have to have configured your server to push that to the client, or your client to do it
17:56 < Eugene> !routebyapp
17:56 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
17:56  * in4mer shrugs
17:56 <@vpnHelper> policies you set. For Linux, read about !lartc
17:57 < pekster> in4mer: again, tap makes this work. Don't bridge, but use L2. There's literally no difference for you besides an extra 18 bytes per packet, and the fact that ospf works
17:57 < in4mer> wish there was a way to just disable the internal routing/filtering
17:57 < jkli> pekster when I run >> openvpn config.ovpn     it shuts down all my ssh vnc and httpd sessions
17:57 < in4mer> ok
17:57 < pekster> in4mer: Yes, there is. Use tap.
17:57 < in4mer> yet another learning experience..
17:57 < pekster> Not sure what's so hard to grasp about that
17:57 < in4mer> that i haven't done it yet
17:57 < jkli> im connecting from my server -> vpn -> internet, but want my webserver etc. to stay unaffected
17:59 < DArqueBishop> jkli: I'm going to go out on a limb and say that if your VPN provider is pushing that to you, you're SOL.
17:59 < DArqueBishop> Maybe try running BitTorrent on a virtual machine?
17:59 < pekster> jkli: Sounds to me like you don't control the server (we usually deal with/help admins of their own systems here, so explaining this upfront rather than making us guess would save much time)
17:59 < pekster> https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
17:59 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
17:59 < pekster> Read that
17:59 <@syzzer> in4mer: if you're looking for mesh networking, tinc might be interesting for you
18:00 < in4mer> kthx, i'll google it
18:00 < Eugene> pekster, I dunno if I've ever mentioned this, but you're a bigger man than I.
18:00 < pekster> Eugene: I'd get more pissy if I didn't have a wiki page to link ;)
18:00 < jkli> i control the server, i just use a vpn provider (vpn server) that i dont control
18:00 < Eugene> !beer
18:00 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
18:00 < pekster> jkli: Yes, exactly. You do not control the server
18:00 < pekster> Just the client
18:00 < pekster> !both
18:00 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
18:01 < jkli> dont i just have to edit a line in the config file?
18:01 < pekster> However, I helpfully linked you to some routing information since you have asked a question that touches on fairly advanced networking concepts
18:01 < Eugene> "my server" != "openvpn --server"
18:01 < pekster> Nope, multiple routing tables and dual-homed networking is very much an advanced concept
18:01 < pekster> It's not that much unlike what core routers on the Internet do, just on a smaller scale and more easily-defined routing decisions
18:02 < jkli> i control the client, since it is running ony my local machine and is openvpn client self compiled
18:02 < jkli> i believe i pretty much just have to change a line in the config file
18:03 < jkli> to prevent all traffic from being rerouted
18:03 < pekster> You believe wrong. Funny how you keep insisting that even after I link you the magic answer
18:03 < DArqueBishop> jkli: you do not control the VPN server, which is forcing the routing policy. In other words, your belief is mistaken.
18:04 < jkli> no, i can disable rerouting on my mac client
18:04 < jkli> so this routing is not forced
18:05 < pekster> Then don't route 0/0 (or the more useful/common 0/1 & 128/1) routes over the VPN. Problem solved. Or do it and policy route your physical-ingress traffic back out over that link
18:05 < jkli> im just trying to replicate the same behaviour on my linux
18:05 < pekster> Did you even read the resource I linked you to?
18:05 < pekster> http://catb.org/~esr/faqs/smart-questions.html#lesser
18:05 <@vpnHelper> Title: How To Ask Questions The Smart Way (at catb.org)
18:06 < pekster> You appear not to have read my earlier link. Go read that. Then read my earlier link that gives you nearly copy/pastable routing setup
18:06 < pekster> jkli: In case you've been too busy whining about how "simple" your not-so-simple problem is to read what I gave you before, here it is again:
18:06 < pekster> 17:59:37 < pekster> https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
18:06 <@vpnHelper> Title: Concepts-PolicyRouting-Linux – OpenVPN Community (at community.openvpn.net)
18:06 < pekster> 17:59:40 < pekster> Read that
18:07 < jkli> im reading it
18:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
18:10 < jkli> in other words it's not a trivial problem
18:12 < pekster> Right. The steps to implement a proper solution aren't that bad, but it requires a bit of knowledge. Obviously the simple solution is to not run services that need to be externally-visible on the same host you tunnel all outbound Internet traffic on
18:13 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:15 -!- toxicz [~kevin@unaffiliated/heathawkap/x-7904563] has joined #openvpn
18:16 < toxicz> not having much luck in the -as channel today so maybe you guys can help
18:16 < toxicz> my mac running  10.10.1, with a static ip, gets its resolv.conf deleted every time i disconnect from my as servers
18:17 < toxicz> and my servers aren't pushing dns changes
18:17 < toxicz> i am using the openvpn connect app, i have tried the latest and a couple others
18:17 < toxicz> different user accounts
18:17 < toxicz> i even reinstalled my mac mini
18:17 < toxicz> i didn't used to do this either
18:18 < toxicz> any ideas?
18:18 < toxicz> if i have dhcp running on the mac it works fine
18:19 -!- tchiwam [~tchiwam@194.177.246.182] has joined #openvpn
18:23 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 258 seconds]
18:28 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 244 seconds]
18:32 -!- Henryabcd [~Henryabcd@pD9E0A4A7.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
18:38 < r00t^2> toxicz: have you tried TunnelBlick instead?
18:40 < toxicz> r00t^2, if tunnelblick does work, how does that help fix openvpn connect? I am concerned i might have other users run into the same problem :\
18:40 < in4mer> pekster: thanks for the help
18:42 -!- in4mer [32a172cc@gateway/web/freenode/ip.50.161.114.204] has quit [Quit: Connection reset by lipgloss]
18:42 -!- jkli [~jkli@95.211.196.209] has quit [Ping timeout: 250 seconds]
18:43 < toxicz> r00t^2, so i just ran tunnelblick and it did not wipe out my resolv.conf on disconnect
18:44 < r00t^2> time to file a bug with openvpn connect then. :)
18:45 < r00t^2> but tunnelblick's generally the more popular (dare i say, preferred) ovpn client on mac os x
18:46 < toxicz> from a business point of view the connect version is preferred, we bundle it with custom installers etc, or they login to the as and get everything they need from the server
18:46 < toxicz> tunnelblick is clunky but functional
18:48 < r00t^2> tunnelblick is opensource, so you could always change and brand it if needed. i can't speak on experience about openvpn connect
18:51 < tchiwam> Hello everyone, I need a bit of help, I have a remote site on ADSL, then a VPN server in the cloud with a fixed IP. Some of the instruments should route everything trough the VPN to get that fixed IP, and most of the other instruments can just use the ADSL... I made rt_table, marked the packets and made the routing. I can reach the VPN server and tracepath shows it goes there, but I don't get any return...
18:54 < esde> tchiwam, good evening! have you enabled forwarding on the server?
18:54 < esde> !forwarding
18:55 < esde> I dont know the triggers but if you'd like the traffic to go through the server you'll need to enable ip forwarding first. Enable IP forward ## sudo sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
18:55 < esde> and also # sudo sysctl -w net.ipv4.ip_forward=1 to enable forwarding immediately
18:56 < tchiwam> esde: forwarding on both remote site (vpn client) and on the VPN server in the cloud. Both can ping everything within the vpn
18:57 < esde> hmm have you setup the firewall?
18:58 < esde> # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to (eth/venet ip)
18:58 < esde> is what works for me
18:58 < tchiwam> Yep I did, I even dumped it. tried with SNAT and Masquerade on the remote site and on the cloud server, both without success... actually wondering what is the best strategy on that one.
18:58 < toxicz> r00t^2, so back many many version, it works fine, so its definitely a bug with connect
18:59 < esde> !configs
18:59 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
18:59 < esde> can you pastebin your configs pls?
18:59 < tchiwam> #iptables -t nat -A POSTROUTING -o tun0 -s 172.20.0.110/32 -j SNAT --to 172.18.10.9   The IP of the client side of the P-t-P
18:59 < tchiwam> Where is you favourite pastebin sir ?
18:59 < esde> pastebin.com is fine
19:00 < pekster> toxicz: I only skimmed the backlog, but tunnelblick is fully able to deploy "read to use" configs with the .app (the 'installer') and it works great
19:00 < pekster> Check their documentation if that's something you'd like further information on; they make it pretty easy
19:00 < pekster> ready* to use, that is
19:00 < r00t^2> pekster: do you have any third-party docs on that?
19:00 < toxicz> pekster, dont worry about it, im not trying to bash tunnelblick, just stating we have reasons for using the provided client
19:00 < esde> when i write my iptables rules, i usually use eth0 for adapter and eth0 ip, can you create a rule with eth0 settings instead and try it?
19:01 < pekster> r00t^2: 3rd party? They have "first-party" docs on that on their project website ;)
19:01 < pekster> r00t^2: Link #2 here:
19:01 < pekster> https://duckduckgo.com/?q=tunnelblick+deploy
19:01 <@vpnHelper> Title: tunnelblick deploy at DuckDuckGo (at duckduckgo.com)
19:01 < r00t^2> pekster: i know, i meant in addition to, hehe :) i've seen the project's docs, i think
19:02 < tchiwam> esde: which confis 1st ... iptables or the vpns ?
19:02 < pekster> The docs were plenty complete for me to form a deployment for around a dozen Macs last I used it
19:02 < esde> iptables
19:06 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
19:06 < tchiwam> esde:  To start with  http://pastebin.com/m3eyCF7q
19:07 < pekster> Yuck. https://github.com/QueuingKoala/fn-netfilter/wiki#paste
19:07 < esde> holy iptables
19:07 < esde> i gotta run for dinner, good luck!!
19:07 < tchiwam> :D
19:07  * pekster might look if you pastebin actual rules, not a shell script
19:09 < tchiwam> Ill turn the stuff on, so Ill move my stuff to the next machine...
19:12 < tchiwam> That's the remote site (vpn client side) http://pastebin.com/g4uxphHL
19:12  * pekster ignores that too
19:13 < pekster> The reason why at my Netfilter FAQ linked above
19:19 < tchiwam> Reading a clever link :)
19:21 -!- jkli [~jkli@46.246.116.78] has joined #openvpn
19:21 -!- toxicz [~kevin@unaffiliated/heathawkap/x-7904563] has quit [Quit: This computer has gone to sleep]
19:23 < tchiwam> http://pastebin.com/qGJMfMPt Should be more in line with the mind of the experts here present. But I'll try again at the Netfilter guys. Thank for the enlightenment of iptables-save -c
19:24 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:25 < tchiwam> I was hopeing that a openvpn switch somewhere didn't allow the forwarding of packets to masquerade. I know the Client 2 client is enabled just in case.
19:25 < pekster> For bonus points, kick the net-tools habbit on Linux too ;)
19:25 < pekster> It "works", right up until it doesn't when you do advanced networking
19:25 < tchiwam> I started to use ip route and all today ...
19:26 < tchiwam> trouble is I'm stuck with Centos 5 and Centos 6 and kernel 2.6.xxx
19:26 < pekster> So, the SNAT on line 19, what's the goal there? You won't be able to source from a LAN (or other) host behind that VPN node bound for a destination over the VPN with that
19:27 < pekster> Good news; iproute2 was introduced during the 2.2 kernel and widely available starting with 2.4 ;)
19:27 < pekster> 2.6 is "old news" for iproute2 :P
19:28 < tchiwam> That was my lame try to masquerade and then send trough the VPN. But it was obviously not working. And it's a remnant of my failure
19:28 < pekster> You're trying to do what here? Provide client-VPN-LAN-side access to the VPN server? The server's LAN?
19:30 < pekster> Also, .9 is a worthless IP; the client gets assigned a PtP (which come from the center of a /30 due to 7-year-old no-longer-applies Windows support.) That's not the client's VPN IP, and it's unwise to hardcode any dynamic IP into your firewall
19:31 < tchiwam> Server is a cloud computer fixed IP . We have an ADSL and some of the streams need to have a fixed IP for some restrictive AL, so the plan was to set the gateway for those instruments.
19:31 < tchiwam> Well that ip is fixed, but I'd love to make it dynamic again
19:32 < pekster> instruments? As in you know the client-side devices that should have all (?) their traffic sent out via this other link?
19:32 < tchiwam> yep
19:32 < pekster> And no need for them to receive uninitiated inbound requests?
19:32 < tchiwam> Exact only outbound
19:33 < tchiwam> And we can't make a VPN connection directly to them as they are not ours....
19:33 < pekster> You shouldn't need NAT at all so long as you add a route/iroute of the client-side LAN networks on your VPN server config. You effectively want:
19:33 < pekster> !clientlan
19:33 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
19:33 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
19:34 < pekster> tchiwam: Once you have the !clientlan stuff working (flowchart is most helpful here) you can redirect their traffic over the VPN with routing rules on your LAN gateway, routing them across the VPN based on their source IP
19:35 < jkli> is there some friendly good readable book on linux and networking?
19:35 < jkli> it has always annoyed me to see all the linguals about networking and not understanding most of them
19:35 < pekster> jkli: For advanced stuff, LARTC is one of the de-facto informative sources:
19:35 < pekster> !lartc
19:35 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
19:36 < pekster> jkli: Also, the "froentux.net" iptables (really Netfilter) tutorial is pretty good, although slightly dated. Nearly all of the information that site has is still valid though, just with a few updates (the 'state' module has been replaced by 'conntrack' that does the same thing, for instance)
19:36 < pekster> frozentux.net, rather. That howto is linked in the first URL in the #Netfilter channel topic
19:37 < jkli> 2nd link is down
19:37 < jkli> ah typo
19:41 < pekster> tchiwam: You might also glance at that policy-routing concept wiki too. It's not quite what you need, but doing redirection like that "completely properly" ideally means you'll mark (Netfilter marks) your special-device traffic and route based on the mark, not the IP. Even though it has nearly the same effect, it'll mean correct handling of ICMP errors if your VPN client, acting as a router, generates any from the traffic
19:42 < pekster> The concept of marking is pretty straight forward; you'd just need to apply marks for forwarded traffic (so use mangle/FORWARD to apply the ctmark) that comes from your target devices, then route that via the VPN
19:44 < pekster> Oh, mind the bit about rp_filter too; that applies to you
19:45 < tchiwam> Yep, that works rather well from the flow chart point of view. So far I corrected the .252 mask in server.conf to .0 mask.
19:46 < pekster> !net30
19:46 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:46 < pekster> No need for net30 unless you really need to support Windows clients over 7 years out of date
19:47 < tchiwam> pekster: Image science worl with 15 yo + instruments ...
19:47 < pekster> VPN clients
19:48 < tchiwam> I've read it and I so wanted to go away from the net30
19:48 < tchiwam> HUmm...
19:48 < pekster> !topology
19:48 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
19:49 < pekster> Examples at the wiki. Basically just change the topology and updated any static IP references to use the IP+mask (not the two PtP IPs)
19:51 < tchiwam> Thanks, Ill migrate this thing and try again
20:12 < tchiwam> pekster: the rp_filter thing should I disable them echo 0>/proc/... or is there a safer middle ground ?
20:14 < pekster> 0 disables it, 1 is strict, and 2 is "loose" mode, what you usually want for policy routing setps on the non-default egress interfaces
20:15 < pekster> If you're planning as I suggested by using a modified gateway on a seconday routing table, the VPN interface needs loose-mode rp_filter (or it *and* the "all" value) disabled, otherwise it will reject Internet-source traffic returning for your devices
20:18 < tchiwam> I already tested by disabling it so the values are still there. Let's see how much I can change the network without borking everything. Ill have to push the many routes in the ccd... my next step
20:19 < pekster> You can be lazy and supernet too as long as you won't have a conflict by overlapping networks
20:20 < pekster> aka "route aggregation"
20:23 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
20:27 < tchiwam> We have an IP allocation that is unique :)
20:28 < tchiwam> in our little bubble that is
20:38 < tchiwam> !! shaved 25ms ?? From net30 to subnet shaved 25ms from the ping ?
20:42 < pekster> That shouldn't matter one bit
20:48 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
20:52 < tchiwam> On this sir I will thank you very much. this is a face palm day... And you all can have a laugh I forgot one rp_filter on one interface, the one I was testing on...
20:54 -!- jkli [~jkli@46.246.116.78] has left #openvpn []
20:57 < pekster> You should only need it on 1 when using loose mode
20:57 < pekster> (or at most the number of interfaces you're accepting traffic on that don't match the primary FIB)
20:57 < pekster> Remember, it's the highest value between the interface of the arriving traffic and the "all" value
21:06 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
21:12 < tchiwam> Yup, it's now stricter and still working. knock on wood. Now I'm wondering if I can push the rt_tables 210 vpn from the ccd push "..." or make a rule-tun0 route-tun0 on my clientlan router (uglier I think ?)
21:14 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:14 < pekster> Read up on --route-noexec and --route-up if you want to not automatically apply the routes you get and do some scripting with the pushed routes instead
21:16 < tchiwam> I simply want the marked traffic route prefered to the vpn, then if the vpn is down, got to the normal gateway. Thanks for the hint. Ideally it should be in the ccd.
21:17 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 252 seconds]
21:18 < pekster> You can add/remove either the copying of ctmark to fwmark (thus not acting on packets) or add/remove the routing rule when the vpn comes up/down
21:18 < pekster> !scripts
21:18 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
21:18 < pekster> The up/down stuff is useful, as might be --down-pre and --up-restart
21:19 < pekster> Should be mostly self-explanatory, although the hint I'll give you upfront is that --up-restart _also_ calls --down for restart
21:19 < tchiwam> I'm reading the man page on those, very interesting indeed
21:25 -!- JesusLovesDoge [~Fun@unaffiliated/fun] has joined #openvpn
21:25 < JesusLovesDoge> hi
21:25 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:26 < JesusLovesDoge> open vpn leakes ip
21:26 < JesusLovesDoge> seems windows issue?
21:26 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
21:27 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Read error: No route to host]
21:27 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has joined #openvpn
21:30 < JesusLovesDoge> http://pastebin.com/NK9iT5Q7
21:30 < JesusLovesDoge> errors
21:31 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
21:31 < JesusLovesDoge> route fails
21:31 < JesusLovesDoge> for some reason
21:33 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
21:35 < JesusLovesDoge> AlexRussia: any ideas?
21:35 < JesusLovesDoge> why openvpn wont add route
21:35 < JesusLovesDoge> I can give u e penis pump
21:35 < JesusLovesDoge> if u help :D
21:39 < AlexRussia> JesusLovesDoge: oh, sorry?
21:40 < JesusLovesDoge> http://pastebin.com/NK9iT5Q7
21:40 < JesusLovesDoge> some errors
21:40 < JesusLovesDoge> maybe you know how to fix them?
21:41 < JesusLovesDoge> main issue seems to be windows refusing to add route
21:41 < _FBi> what if you run as admin?
21:41 < JesusLovesDoge> same idea
21:41 < JesusLovesDoge> going to try now
21:41 < _FBi> I'm out good night
21:43 < JesusLovesDoge> lovely works
21:43 < JesusLovesDoge> I wonder how it can work with 0 admin privileges
21:45 < JesusLovesDoge> AlexRussia: can I also make some installer for win with my own config?
21:59 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
22:03 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has joined #openvpn
22:03 < DougLashz> In Ubuntu, how can I increase the timeout for connecting to a VPN?
22:05 < AlexRussia> JesusLovesDoge: i guess, you can, just change default configs as you want
22:14 < JesusLovesDoge> then have to recompile installed
22:14 < JesusLovesDoge> :D
22:14 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
22:20 <@krzee> !winrollup
22:20 <@krzee> !win_rollup
22:20 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
22:32 < Eugene> Now I want a fruit rollup
22:32 < Eugene> You bastard
22:34 < DougLashz> "$ nmcli con up uuid <uuid> --timeout 9999999999" still results in "Error: Connection activation failed: the connection attempt timed out." after about half a minute
22:34 < DougLashz> right before that error notice is "state: VPN connecting (getting IP configuration) (4)"
22:40 -!- rudi_s [~simon@ruderich.eu] has joined #openvpn
22:45 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
22:52 <@krzee> nmcli? but why?
22:53 <@krzee> we support openvpn here
22:53 <@krzee> get it working without network manager with our help, then if you need network manager help they have a support team too
22:53 <@krzee> !netman
22:53 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
22:57 < DougLashz> krzee: okay, thanks. I thought nmcli was using openvpn somehow the way the GUI's Network Connections can
22:57 < DougLashz> krzee: lemme see if I can figure out anything for openvpn on the CLI..
23:04 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 258 seconds]
23:04 -!- Cultist [~CultOfThe@c-67-175-170-187.hsd1.il.comcast.net] has quit [Ping timeout: 258 seconds]
23:05 < DougLashz> krzee: cool, didn't know it was as easy as   $ openvpn foobar.ovpn
23:05 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 258 seconds]
23:05 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 258 seconds]
23:05 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
23:05 < DougLashz> krzee: nmcli gives me a timeout failure, but openvpn gives me AUTH_FAILED control message
23:05 < DougLashz> krzee: I guess that means incorrect u/p ?
23:06 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds]
23:07 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
23:07 -!- xMopxShell [~xMopxShel@dpedu.io] has joined #openvpn
23:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has quit [Ping timeout: 258 seconds]
23:09 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
23:09 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:10 -!- KNERD [~KNERD@23.227.189.101] has quit [Ping timeout: 258 seconds]
23:11 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 258 seconds]
23:11 -!- KNERD [~KNERD@23.227.189.101] has joined #openvpn
23:11 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
23:12 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
--- Day changed Thu Dec 04 2014
00:00 -!- ShadniX [dagger@p5481C948.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:01 -!- ShadniX [dagger@p5DDFC94A.dip0.t-ipconnect.de] has joined #openvpn
00:04 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco_]
00:04 -!- JesusLovesDoge [~Fun@unaffiliated/fun] has quit [Ping timeout: 252 seconds]
00:36 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
02:03 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:26 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
02:27 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has joined #openvpn
02:27 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
02:27 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has joined #openvpn
02:29 -!- dazo_afk is now known as dazo
02:29 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
02:30 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:33 -!- mattock_afk is now known as mattock
02:37 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
02:47 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 255 seconds]
02:48 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 256 seconds]
03:05 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 255 seconds]
03:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
03:13 -!- mattock is now known as mattock_afk
03:16 -!- flyingkiwi [~kiwi@2a02:2028:1016::2] has quit [Ping timeout: 272 seconds]
03:34 -!- mattock_afk is now known as mattock
03:53 -!- akamaruu [~akamaru21@67.191.183.251] has quit [Ping timeout: 240 seconds]
04:18 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:90f1:c8cd:8c49:4346] has joined #openvpn
04:24 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
04:41 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
05:06 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
05:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:16 -!- d3lphi [~d3lphi@unaffiliated/d3lphi] has joined #openvpn
05:17 < d3lphi> hello all. Is it generally a good idead to enable LZO compression on my openvpn server and openvpn client configuration when using DSL (upstream of ovpn server is 5MBit/s, and downstream 100MBit/s) ?
05:33 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:34 -!- flyingkiwi [~kiwi@2a02:2028:1016::2] has joined #openvpn
05:35 < flyingkiwi> !ovpnuke
05:35 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
05:36 < d3lphi> anyone ? ==> Is it generally a good idead to enable LZO compression on my openvpn server and openvpn client configuration when using DSL (upstream of ovpn server is 5MBit/s, and downstream 100MBit/s) ?
05:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
05:39 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
05:44 <@dazo> d3lphi: depends on the traffic you mostly pass over the tunnel ... if it's hard to compress (jpg, mpg, gz/xz/b2/zip/rar files, etc), then it is somewhat wasting of CPU cycles .... but if you have a broad variety of data, it can often improve tunnel performance somewhat
06:01 < ValdikSS> krzee: can we learn vpnHelper about low default values of sndbuf and recvbuf?
06:15 <@syzzer> ValdikSS: did you do research on those?
06:16 <@syzzer> ie, do you have numbers on performance for various values?
06:16 < ValdikSS> syzzer: https://community.openvpn.net/openvpn/ticket/461
06:16 <@vpnHelper> Title: #461 (Change default sndbuf and rcvbuf values) – OpenVPN Community (at community.openvpn.net)
06:17 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 272 seconds]
06:17 < ValdikSS> syzzer: It insreased my WAN-VPN connection over WiFi from ~17Mbit/s up to 50Mbit/s (maximum internet speed)
06:18 <@syzzer> ah, I see. very interesting!
06:18 < ValdikSS> syzzer: and it seems that in Windows it doesn't set it to 64k and uses system default!
06:18 <@syzzer> still performance on windows is pretty bad compared to the unixes...
06:18 < ValdikSS> syzzer: with the default OpenVPN GUI client. If you use console client, it sets 64K buffers
06:19 < ValdikSS> syzzer: that's why most of the custom VPN GUIs are slow
06:20 < ValdikSS> syzzer: I push "sndbuf 393216"; push "rcvbuf 393216" to all the VPN clients
06:20 <@syzzer> ah, this is the thing cron2 was referring to at the community meeting!
06:21 <@syzzer> good find
06:22 <@syzzer> ValdikSS: do you feel comfortable creating a patch to make openvpn use system defaults? my guess is that it would be accepted pretty quickly
06:23 < ValdikSS> syzzer: sure, but I'm afraid this could break something
06:23 < ValdikSS> syzzer: I mean, I suppose it was added there for a reason
06:23 < ValdikSS> syzzer: But I can't find any reason actually
06:24 <@syzzer> my best guess is what cron2 says in the ticket, "for historical reasons"
06:24 <@syzzer> and since you're using it with (I guess?) quite a number of clients, that's good indication it won't break many setups
06:27 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 272 seconds]
06:30 < ValdikSS> syzzer: I just push increased buffer parameters to clients
06:30 < ValdikSS> syzzer: I'll prepare patch on this weekend
06:30 <@syzzer> oh, you mean code-wise? we'll review and test you patch before committing anything :)
06:31 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
06:31 <@syzzer> ValdikSS: thanks!
06:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:44 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 244 seconds]
06:59 -!- superboot [~agentgasm@unaffiliated/superboot] has quit [Quit: leaving]
08:05 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has joined #openvpn
08:12 < d3lphi> dazo: is there a way I can test ? I'd like to benchmark the performance when I use either LZO disabled or enabled.
08:12 <@dazo> d3lphi: it again depends on the data you primarily want to send over the tunnel ... so download that data end see what goes faster
08:16 -!- nonickn [~torkun@unaffiliated/ms-/x-8800476] has joined #openvpn
08:19 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
08:20 < d3lphi> dazo: you mean I enable LZO compression on server+client config and download from client some data that is lying on server side and measure the time ? And then repeat this process with LZO disabled ?
08:20 <@dazo> yes, that is exactly how performance testing is done
08:25 -!- elfixit [~Icedove@2001:1620:2777:11:e5b4:9766:22d9:76e3] has joined #openvpn
08:25 -!- elanthia [~elanthia@elanthia.nl] has left #openvpn []
08:30 <@plaisthos> Dec  4 15:28:49 hermes ovpn-udp[30427]: peer 0 floated from 80.187.100.229:26999 to [AF_INET]131.234.246.134:1194
08:30 <@plaisthos> wrong chan
08:41 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
08:50 -!- Pyrogerg [~Gregory@67-0-212-234.albq.qwest.net] has quit [Ping timeout: 256 seconds]
09:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
09:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
09:12 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has quit [Quit: Apart from that Mrs Kennedy, how was the parade?]
09:18 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has joined #openvpn
09:26 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
09:34 -!- elfixit [~Icedove@2001:1620:2777:11:e5b4:9766:22d9:76e3] has quit [Remote host closed the connection]
09:35 -!- nonickn [~torkun@unaffiliated/ms-/x-8800476] has quit [Quit: Leaving]
09:37 -!- fin_ [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:38 -!- dazo is now known as dazo_afk
09:40 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
09:50 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
10:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
10:12 -!- abbe_ [having@badti.me] has joined #openvpn
10:13 -!- abbe [having@badti.me] has quit [Disconnected by services]
10:13 -!- abbe_ is now known as abbe
10:14 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
10:14 -!- mode/#openvpn [+o krzie] by ChanServ
10:16 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
10:17 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
10:18 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
10:18 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
10:18 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 265 seconds]
10:18 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 265 seconds]
10:18 -!- `Yoda [~Yoda@unaffiliated/itsyoda] has quit [Ping timeout: 265 seconds]
10:18 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 265 seconds]
10:18 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Ping timeout: 265 seconds]
10:18 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 265 seconds]
10:18 -!- idl0r [~idl0r@gentoo/developer/idl0r] has quit [Ping timeout: 265 seconds]
10:18 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
10:18 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 265 seconds]
10:19 -!- krzie is now known as krzee
10:19 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn
10:19 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
10:19 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
10:20 -!- Brando753-o_O_o is now known as Brando753
10:22 -!- idl0r [~idl0r@gentoo/developer/idl0r] has joined #openvpn
10:22 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
10:23 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:24 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
10:24 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has joined #openvpn
10:28 -!- `Yoda [~Yoda@unaffiliated/itsyoda] has joined #openvpn
10:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
10:30 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:32 -!- d3lphi [~d3lphi@unaffiliated/d3lphi] has left #openvpn []
10:33 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:35 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
10:39 -!- fullstop [~fullstop@107.170.53.155] has left #openvpn ["Leaving"]
10:45 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:90f1:c8cd:8c49:4346] has quit [Read error: Connection reset by peer]
10:45 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:90f1:c8cd:8c49:4346] has joined #openvpn
10:47 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
10:56 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 250 seconds]
10:56 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
10:57 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
10:59 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Remote host closed the connection]
11:02 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:02 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
11:04 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
11:11 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 258 seconds]
11:12 -!- Netsplit *.net <-> *.split quits: gffa
11:13 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
11:15 -!- havingFun is now known as xrosnight
11:17 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
11:39 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:39 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
11:50 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
11:52 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
11:53 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Client Quit]
11:55 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
12:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
12:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
12:18 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 255 seconds]
12:21 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
12:31 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
12:33 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
12:38 -!- edigaryev [~edigaryev@unaffiliated/edigaryev] has joined #openvpn
12:49 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:50 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
12:54 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has joined #openvpn
12:54 < grendal_prime> hey guys is there a way..to specify a particular interface to use?
12:55 < grendal_prime> I mean i guess more what i want to know is on a client side, what is best practice for selecting a second route or gateway.
13:00 < Eugene> It sounds like you're talking about split routing
13:00 < Eugene> !lartc
13:00 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
13:09 <@ecrist> grendal_prime: can you be more specific, if Eugene is off-base?
13:09 <@ecrist> you could need routing metrics
13:09  * Eugene needs a beer
13:10 -!- ratmav [~ratmav@208-104-234-136.rh4.cm.dyn.comporium.net] has joined #openvpn
13:10 < Eugene> But the medication I'm on already has me feeling hungover :-(
13:10 < ratmav> hi, i heard about the recent openvpn vulnerabilty
13:10 <@ecrist> the best cure for a hangover is another beer
13:10 < Eugene> !ovpnuke
13:10 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
13:10 < ratmav> https://forums.openvpn.net/topic17625.html
13:10 <@vpnHelper> Title: OpenVPN Support Forum Critical denial of service vulnerability in OpenVPN servers : Announcements (at forums.openvpn.net)
13:10 < ratmav> i'm currently using openvpnas, do i need to upgrade to get the patch?
13:10 < Eugene> That's what we know about it ^
13:10 <@ecrist> what's your question, ratmav 
13:11 < Eugene> Yes, but this isn't #openvpn-as. There's info about that in the link from the bot, too. ;-)
13:11 <@ecrist> yes, you need to upgrade.  it's listed in the security announcement listed, above.  1.0.11 or something
13:11 < ratmav> sounds good. will head to openvpn-as. thanks all
13:11 <@ecrist> I know the last part is .11+
13:12 -!- Eugene [eugene@2600:3c01::3f:101] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:12 -!- ratmav [~ratmav@208-104-234-136.rh4.cm.dyn.comporium.net] has left #openvpn []
13:13 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 272 seconds]
13:14 -!- Eugene [eugene@2600:3c01::3f:101] has joined #openvpn
13:18 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:19 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:20 -!- Pyrogerg [~Gregory@205.167.120.201] has joined #openvpn
13:46 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 265 seconds]
13:50 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
14:02 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
14:02 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
14:42 -!- noecc [~irc@unaffiliated/noecc] has quit [Ping timeout: 252 seconds]
14:49 -!- mattock is now known as mattock_afk
14:57 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has joined #openvpn
15:09 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
15:14 -!- Pyrogerg [~Gregory@205.167.120.201] has quit [Ping timeout: 250 seconds]
15:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:16 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
15:19 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
15:23 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
15:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
15:30 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
15:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 258 seconds]
15:34 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:36 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:36 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
15:44 -!- troyt [~troyt@c-24-10-220-108.hsd1.ut.comcast.net] has joined #openvpn
15:45 -!- mattock_afk is now known as mattock
15:45 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has quit [Ping timeout: 250 seconds]
15:51 -!- gffa_ [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:53 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:90f1:c8cd:8c49:4346] has quit [Ping timeout: 258 seconds]
15:56 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
15:59 -!- mattock is now known as mattock_afk
16:04 < tchiwam> When running route-up script is there a way to see the stdout somewhere verbose is already at 5 ?
16:05  * tchiwam facepalm... probably need to run as root and not nobody
16:06 < tchiwam> Gah and the user is changed after that script...
16:11 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
16:13 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
16:16 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
16:22 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has joined #openvpn
16:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
16:26 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:35 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has quit [Ping timeout: 250 seconds]
16:36 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Quit: No Ping reply in 180 seconds.]
16:37 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
16:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 260 seconds]
16:47 -!- troyt [~troyt@c-24-10-220-108.hsd1.ut.comcast.net] has quit [Ping timeout: 244 seconds]
16:50 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
16:55 < pekster> tchiwam: Yea that, although you can consider the suid bit or sudo for specialized elevation needs
16:56 < hydrajump> would it be a bad idea to monitor whether my openvpn server is up using an external service such as pingdom? will it work if I have tls-auth enabled?
16:56 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
16:56 < hydrajump> just wondering what i can do to monitor port 1194 from outside my network
16:58 < pekster> If you make the VPN server IP routable you can simply ping it
16:59 < hydrajump> pekster: isn't the server IP routable by default being exposed to the internet?
16:59 < pekster> The UDP port won't respond unless it gets an openvpn connection packet, and even then it'll ignore it if you use tls-auth and the request isn't properly signed
16:59 < pekster> No. You use firewalls to avoid being "directly exposed"
17:00 < hydrajump> but port 1194 udp has to be exposed to the internet, everything else can be blocked
17:00 < pekster> Then you'll be unable to test "anything else" besides an actual VPN connection
17:01 < hydrajump> ok so what you're saying is I'd need to open up another port for an icmp to be allowed to the server
17:02 < pekster> ICMP is its own protocol. I'm suggesting that if your VPN space is (or can be made to be) routable by whatever source you're testing from, do that and a simple ping suffices. Doesn't even need to go over the VPN
17:02 < pekster> If you don't use public IP space that might pose an issue, although if you dual-stack the VPN inner addressing with IPv6, you can use your GUA IPv6 IP
17:03 < hydrajump> ok not using IPv6 at all.
17:03 < pekster> A tunnel broker can fix that, and solve your visibility problem
17:03 < pekster> (come to think of it, that's a pretty darn good reason IPv4 actually poses a limitation. "Real world" and all)
17:04 < pekster> That or go investigate NRPE or something and set up some remote-access to perform whatever operational checks you determine are necessary
17:04 < pekster> Personally I think a ping is a lot less intrusive, especially if you don't own or trust the external service
17:04 < hydrajump> not sure how to do this `VPN space is (or can be made to be) routable by whatever     │ aulait
17:04 < hydrajump>                         | source you're testing from`
17:04 < hydrajump> opps. yes ping is sufficient for my needs
17:05 < pekster> By routing it and allowing it in your firewall
17:05 < pekster> If you use RFC1918 you effectively cannot do this over the Intenet (though maybe you can bastardize some NAT to forward the ICMP echo-request in)
17:05 < pekster> Use one of those 3 solutions. Or decide it's too much hasle and don't do anything
17:06 < hydrajump> hmm.. so my vpn server is on AWS. Is directly IP addressable on port udp 1194 only for now.
17:06 < pekster> No, the _VPN_ IP
17:06 < hydrajump> firewall provided by security group and iptables (soon) as backup on the openvpn server.
17:06 < tchiwam> pekster: I just found that my route-up.sh is not doing a single thing...
17:06 < pekster> Your OpenVPN tun-side addresing. Unless you have been allocated a _routable_ IPv4 block, you are not able to use more than 1 public IP
17:06 < pekster> tchiwam: Forget --script-security?
17:07 < tchiwam> 3 system
17:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:07 < pekster> 'system' isn't used in 2.3
17:07 < hydrajump> ah ok so 10.8.0.1 if using the openvpn docs IP cidr
17:07 < pekster> If it's even accepted, it's ignored
17:08 < hydrajump> ok thanks pekster I'll see what I can do.
17:08 < pekster> hydrajump: Right, you're using RFC1918 which by definition is not publicly routable. So 1) use IPv6 which is globally routable, 2) do evil forms of NAT on an inbound ping (thus giving up the ability to check if that IP is really alive) or 3) look at NRPE or related options
17:08 < pekster> Or 4) do nothing
17:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
17:09 < tchiwam> The more I play with my network the more ipv6 is attractive...
17:09 < hydrajump> I understand. Btw openvpn doesn't do any heartbeating?
17:10 < hydrajump> so it could send heartbeats instead and if it stops it's down
17:10 < pekster> tchiwam: Try throwing a simple 'touch /tmp/route-was-executed' in the script to see if it's getting executed. If openvpn >=2.3.0 even accepts that 'system' argument in 2.3, it's entierly ignored. Otherwise, check the script a bit more carefully, maybe exiting non-zero if any single command fails
17:10 < pekster> hydrajump: see --ping and --ping-exit/--ping-timeout
17:10 < pekster> Also:
17:10 < pekster> !keepalive
17:10 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
17:11 < pekster> But those are for _connected_ endpoints
17:11 < pekster> You can read about the management interface too (see: management.txt in the source distribution) if you want to write an API around command/response features
17:11 < hydrajump> pekster: right I use keepalive on the server. I meant heartbeat to an external source for instance.
17:11 < pekster> Nope
17:11 < hydrajump> ok
17:12 < pekster> Plenty of options to do that yourself though
17:12 < pekster> (the 3 I gave you, or go write an API consumer and do "whatever you can program it to do" instead)
17:12 < tchiwam> Both up and down are touched ...
17:12 < pekster> Then the script is getting executed, and IIRC all STDERR from the scripts is shown in the logs at >=4 verb
17:13 < pekster> It should whine on nonzero exit too
17:13 < tchiwam> Already at 5 :)
17:13 < pekster> 5 is only useful for firewall issues due to the per-packet character printing, and more than that is for debugging only
17:13 < pekster> (C debugging)
17:17 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
17:17 < tchiwam> I've added this echo route-up.sh 1>&2 in the script and it doesn't show
17:18 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
17:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
17:20 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
17:20 < tchiwam> and the script runs fine by hand...
17:23 < tchiwam> http://pastebin.com/DMpL2Ycd   Probably going to show how dumb I am once more. I had another script with functions this morning but now I went back to simple.
17:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
17:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
17:39 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 244 seconds]
17:40 < tchiwam> Well now I guess why it's not working 'ip route show table 4' returns an empty string...
17:53 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
17:53 -!- duoi [duoi@unaffiliated/duoi] has quit [Read error: Connection reset by peer]
18:04 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has joined #openvpn
18:08 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:08 -!- zalami [~realnameo@unaffiliated/zalami] has quit [Ping timeout: 256 seconds]
18:09 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
18:10 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:11 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
18:13 < tchiwam> Well now I guess why it's not working 'ip route show table 4' returns an empty string... I simply can't touch anything except the main routing table ...
18:14 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has joined #openvpn
18:20 < tchiwam> !?!?!? Script security was hardcoded in the init script ?? I bet the command line argument overrides the config file arguments
18:28 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:28 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
18:30 < alanjf> I have OpenVPN running on a Linux server in as tap0 for a bridge with two clients connecting, so a totle of three sites (server and two clients.) Each site is bridged to their respective LANs creating one large LAN all in the same /16 subnet.
18:31 < alanjf> I also have client-to-client in my server.conf. But what I can't figure out is how ot filter certain traffic going from clientA to clientB (it seems to get past ebtables and iptables.)
18:32 < alanjf> The traffic I'm trying to filter is DHCP (UDP 67 and 68), as each site has their own DHCP servers and I need to prevent cross talk.
18:33 < alanjf> The following rules prevents DHCP from the server's side from going to to any of the clients and vice-versa:
18:33 < alanjf> ebtables -A INPUT   -i tap0 -p ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
18:33 < alanjf> ebtables -A INPUT   -i tap0 -p ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
18:33 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
18:34 < alanjf> But nodes on clientA's side can sometimes get DHCP responses from the DHCP server on clientB's side and vice versa.
18:34 < alanjf> I thought I might have to also add ebtables -A FOWARD rules mirroring the above two, but that doesn't prevent it.
18:35 < alanjf> (And no I cannot use a tun style VPN here.)
18:39 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:41 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has left #openvpn []
18:58 -!- Henryabcd [~Henryabcd@pD9E0853B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
19:16 -!- edigaryev [~edigaryev@unaffiliated/edigaryev] has quit [Quit: Leaving]
19:19 -!- An_Ony_Moose [~linus@static.3.75.76.144.clients.your-server.de] has joined #openvpn
19:19 < An_Ony_Moose> Is there a way to specify an up script in the config file?
19:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:25 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1176:99f2:8404:4f7a] has joined #openvpn
19:25 -!- moonkid [~anonymous@99-103-56-12.lightspeed.hstntx.sbcglobal.net] has quit [Quit: moonkid]
19:26 < Eugene> YOu mean, like --up?
19:31 -!- BadboyKAS [BadboyKAS@gateway/shell/yourbnc/x-ojspbaodikrsidue] has joined #openvpn
19:31 < BadboyKAS> !welcome
19:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:32 < BadboyKAS> !wiki
19:32 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
19:32 < BadboyKAS> !howto
19:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
19:33 < BadboyKAS> !goal
19:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:34 < BadboyKAS> I want to access the internet over my vpn
19:34 < BadboyKAS> as a bouncer or have my computer behind the vpn so any internet traffic is logged as the vpn's ip
19:34 < BadboyKAS> just for web browsing nothing more
19:37 < BadboyKAS> is this a vpn server app
19:37 -!- Cultist [~CultOfThe@67.175.170.187] has joined #openvpn
19:37 < BadboyKAS> or is this a free vpn server
19:37 < BadboyKAS> not sure what to make of this
19:38 < BadboyKAS> from my understanding this is a program to create vpn
19:38 < An_Ony_Moose> Eugene: yep
19:38 < Eugene> You uh, just specify it?
19:38 < Eugene> !--
19:38 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
19:38 < An_Ony_Moose> oh right
19:38 < An_Ony_Moose> didn't get that bit :) thanks!
19:38 < Eugene> Having a "duh" moment? :-p
19:39 < Eugene> (It happens)
19:39 < Eugene> BadboyKAS - openvpn is a lot of things; at its core it is a software package to create secure point-to-point tunnels.
19:39 < An_Ony_Moose> not particularly, I just didn't realise that exactly the same options can be defined via the command line and the config file
19:39 < Eugene> You'll indeed want to start with the howto linked by the bot above
19:39 < Eugene> !redirect
19:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
19:39 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
19:39 -!- Komplanar [~Komplanar@46.22.223.200] has quit [Ping timeout: 250 seconds]
19:39 -!- Komplanar [~Komplanar@46.22.223.200] has joined #openvpn
19:40 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
19:40 < Eugene> Once you've got the basic conenction going from that, start setting up this stuff to have your client(desk/laptop/whatever) send its traffic through the vpn, and then out from the server to the internet
19:41 < Eugene> There will be a bit of learning, it's not an instant thing like other packages claim to be ;-)
20:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:07 < tchiwam> HAh ! Found the devil... PATH is not set in the bash, so I neet to /sbin/ip route ...
20:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Quit: No Ping reply in 180 seconds.]
20:12 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 245 seconds]
20:13 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
20:16 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1176:99f2:8404:4f7a] has quit [Read error: Connection reset by peer]
20:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
20:19 -!- HanSooloo [~HanSooloo@pool-96-255-139-19.washdc.fios.verizon.net] has joined #openvpn
20:21 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
20:21 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
20:32 -!- grendal_prime [~sgraham@173-166-255-77-stockton.hfc.comcastbusiness.net] has quit [Quit: Ex-Chat]
20:36 -!- BadboyKAS [BadboyKAS@gateway/shell/yourbnc/x-ojspbaodikrsidue] has left #openvpn []
21:01 < HanSooloo> hello everyone .. seeing "EVENT: CORE_ERROR option_error: option 'ca' (6) must have exactly one parameter [ERR]" in OpenVPN iOS client .. using inline CA definition .. any idea why this may be happening?
21:01 < HanSooloo> iOS device log: https://gist.github.com/HanSooloo/d0438a35014def4ef7c4
21:01 <@vpnHelper> Title: OpenVPN iOS log with CA error (at gist.github.com)
21:01 < HanSooloo> iOS provisioning payload: https://gist.github.com/HanSooloo/1f4e5665662a25f306f7
21:01 <@vpnHelper> Title: iOS OVPN configuration payload (at gist.github.com)
21:02 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 240 seconds]
21:09 < Dan39> HanSooloo: i think something is wrong with the way the ca string is. like the \\n maybe isnt the proper way to do a newline, did you add those?
21:12 < HanSooloo> Dan39:  I found that way of configuring the CA from some forum posts .. this used to work with the previous version of the iOS client, but now it doesn't .. don't know what changed
21:12 < HanSooloo> I even tried the '\n' literal to no avail
21:12 < HanSooloo> what is confusing is the message: " ... must have exaclty one parameter" .. making it sound like I am providing multiple parameters
21:12 < Dan39> can you try just typing a newline into the file without \n?
21:12 < HanSooloo> is it not liking the stacked CA definition maybe?
21:13 < Dan39> HanSooloo: exactly one may mean 0 also
21:13 < HanSooloo> will try it
21:13 < HanSooloo> good suggestion
21:13 < Dan39> trying to search on google
21:13 < Dan39> xml pretty much just sucks tbh :P
21:14 < HanSooloo> heh .. agreed .. not for humans :-)
21:15 < Dan39> did you try a regular \n?
21:15 < Dan39> no '' or double \\...?
21:16 < Dan39> but first just try simplying hitting enter to put a real newline into file haha
21:16 < HanSooloo> that is known not to work
21:16 < Dan39> really.. :
21:16 < Dan39> what a crappy config file
21:16 < HanSooloo> the CA string needs to be enclosed inside <ca> tags
21:16 < HanSooloo> that's iOS enterprise provisioning for you :-)
21:18 < Dan39> HanSooloo: can you import a regular .ovpn file?
21:19 < Dan39> that uses standard config syntax with much more forgiving in-line it seems
21:19 < HanSooloo> haven't tried that, since that doesn't help with my use case
21:19 < Dan39> https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
21:19 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net)
21:19 < HanSooloo> I need OTA provisioning
21:20 < Dan39> o
21:20 < Dan39> :|
21:20 < HanSooloo> if the iOS developer were here, they could let us know why/when that error is thrown
21:20 < HanSooloo> it just feels very ambigious
21:21 < Dan39> what iOS app is this?
21:21 < Dan39> i dont use iOS :P
21:22 < HanSooloo> ha .. it's called OpenVPN Connect .. the iOS version of the OpenVPN client
21:23 < Dan39> no idea how that works with OTA stuff
21:23 < Dan39> or even how any OTA stuff is done at all haha
21:23 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:23 < Dan39> good luck
21:23 < HanSooloo> thx
21:24 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Client Quit]
21:43 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 272 seconds]
21:44 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
21:44 -!- mode/#openvpn [+o syzzer] by ChanServ
21:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:10 -!- HanSooloo [~HanSooloo@pool-96-255-139-19.washdc.fios.verizon.net] has quit [Quit: HanSooloo]
22:10 -!- HanSooloo [~HanSooloo@pool-96-255-139-19.washdc.fios.verizon.net] has joined #openvpn
22:13 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
23:02 < pekster> HanSooloo: "provisioning" has zero to do whith what you describe
23:02 < pekster> !inline
23:02 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
23:04 < pekster> Connect is also a completely separate codebase so you're not likely to find developers here who know much about it (though it is apparently rather recently been made available under the GPLv3, or at least the bits that aren't covered by Apple's wonderful NDA)
23:04 < pekster> !connect
23:04 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide or (#2) https://forums.openvpn.net/post34969.html#p34969 or (#3) the source is here:
23:04 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
23:33 -!- troyt [~troyt@c-24-10-220-108.hsd1.ut.comcast.net] has joined #openvpn
--- Day changed Fri Dec 05 2014
00:00 -!- ShadniX [dagger@p5DDFC94A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
00:01 -!- ShadniX [dagger@p5481C949.dip0.t-ipconnect.de] has joined #openvpn
00:15 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
00:34 -!- troyt [~troyt@c-24-10-220-108.hsd1.ut.comcast.net] has quit [Ping timeout: 244 seconds]
00:37 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 264 seconds]
00:37 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Quit: ZNC - http://znc.in]
00:37 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
00:40 -!- Komplanar [~Komplanar@46.22.223.200] has quit [Ping timeout: 250 seconds]
00:40 -!- Komplanar [~Komplanar@46.22.223.200] has joined #openvpn
00:40 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
00:51 -!- ketas [~ketas@159-211-191-90.dyn.estpak.ee] has quit [Ping timeout: 264 seconds]
00:54 -!- Komplanar [~Komplanar@46.22.223.200] has quit [Ping timeout: 250 seconds]
00:59 -!- Komplanar [~Komplanar@46.22.223.200] has joined #openvpn
01:11 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 258 seconds]
01:13 -!- Komplanar [~Komplanar@46.22.223.200] has quit [Ping timeout: 250 seconds]
01:13 -!- Komplanar [~Komplanar@46.22.223.200] has joined #openvpn
01:13 -!- mattock_afk is now known as mattock
01:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
01:29 -!- u0m3_ [~u0m3@109.96.153.17] has joined #openvpn
01:32 -!- u0m3 [~u0m3@92.80.68.195] has quit [Ping timeout: 250 seconds]
01:38 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
01:42 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 255 seconds]
01:44 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Ping timeout: 240 seconds]
01:46 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
01:54 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:2d59:9cd1:bd7a:3247] has joined #openvpn
01:56 -!- andi [~andi@unaffiliated/fr00d] has joined #openvpn
02:29 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:54 -!- ketas [~ketas@181-208-191-90.dyn.estpak.ee] has joined #openvpn
03:00 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
03:07 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 245 seconds]
03:08 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
03:13 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:39 -!- bewees [~philipp@46.114.55.175] has joined #openvpn
03:41 < bewees> Hi, is openvpn packet encapsulation looking like this?: ethernet_frame(udp(tcp(payload_encrypted by ssl?)))?
03:42 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:2d59:9cd1:bd7a:3247] has quit [Ping timeout: 258 seconds]
03:50 -!- bewees [~philipp@46.114.55.175] has left #openvpn ["Leaving"]
03:50 -!- bewees [~philipp@46.114.55.175] has joined #openvpn
03:55 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:11 -!- dazo_afk is now known as dazo
04:58 -!- bewees [~philipp@46.114.55.175] has quit [Ping timeout: 258 seconds]
05:03 -!- Latrina [~Latrina@adsl-ull-213-252.45-151.net24.it] has quit [Ping timeout: 256 seconds]
05:04 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
05:05 -!- Latrina [~Latrina@ppp-154-8.26-151.libero.it] has joined #openvpn
05:12 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
05:17 -!- edigaryev [~edigaryev@unaffiliated/edigaryev] has joined #openvpn
05:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
05:39 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:44 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 264 seconds]
05:50 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:54 < hydrajump> is iperf a good way to measure the performance from an openvpn client to the openvpn server? I have a user complaining that it is "slow" and I'm not experiencing the same. Will  iperf across the tunnel provide useful info to determine if the bottleneck is the tunnel itself?
05:58 < ghormoon> at least it's good start :) if iperf will go poorly, then the problem is between those machines :)
06:00 < ghormoon> just carefull if the client is windows, I had problems with some ports of iperf, hey gave like 10mbit on gbit network :D
06:02 -!- bewees [~philipp@46.115.184.185] has joined #openvpn
06:06 < hydrajump> ghormoon: do you have a recommended iperf for windows you can share?
06:07 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e1ce:4f29:1a4e:36e2] has joined #openvpn
06:07 < ghormoon> hydrajump: I don't remember which one was the problematic one and I don't have the machine at hand, sorry
06:08 < ghormoon> just test it first locally on LAN to see if it measures ok
06:08 < hydrajump> ok thanks for the heads up!
06:09 < ghormoon> I think there was some standalone (non cygwin/etc) which worked well, but I don't have any windows machine to confirm that now
06:13 < ghormoon> btw don't rely only on bandwith, if that is ok, there still may be high latency ... or depends what you're accessing on it, often "slow internet" is just problem with dns or something :)
06:19 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 250 seconds]
06:32 < hydrajump> ghormoon: ok i'll start with iperf testing and then go from there. yeah "slow internet" is difficult to diagnose when the user is a complete tech imbecile.
06:43 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
07:02 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:13 -!- lxusrbin [~lxusrbin@2a01:4a0:40:6100::64] has quit [Quit: leaving]
07:20 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
07:21 -!- bewees [~philipp@46.115.184.185] has quit [Remote host closed the connection]
07:45 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Read error: No route to host]
07:46 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
07:51 -!- elfixit [~Icedove@2001:1620:2777:11:a1a8:91ca:e4ea:e343] has joined #openvpn
07:53 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 264 seconds]
07:54 < An_Ony_Moose> The up and down scripts in my config don't seem to be getting called. How can I be sure? (I have set script-security to 2)
07:54 < An_Ony_Moose> (I'm trying to use the update-resolv-conf script)
07:58 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
08:03 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 272 seconds]
08:06 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
08:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:09 -!- lxusrbin [~lxusrbin@2001:1608:10:145::256] has joined #openvpn
08:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:55 < _FBi> An_Ony_Moose, would running openvpn in debug and non daemon show you this?
09:00 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 252 seconds]
09:08 -!- Denial [~Denial@81.141.5.232] has joined #openvpn
09:22 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:39 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
09:42 -!- HanSooloo [~HanSooloo@pool-96-255-139-19.washdc.fios.verizon.net] has quit [Quit: HanSooloo]
09:44 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
09:44 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 250 seconds]
09:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
09:46 < tchiwam> An_Ony_Moose: Check this a simple echo Hello >>/tmp/script.log Then make sure you put the full path for each commands, and #!/bin/bash / sh has to be there.
09:46 -!- lab2 [~LAB2@host154-148-static.99-5-b.business.telecomitalia.it] has joined #openvpn
09:46 < lab2> hi all
09:47 < tchiwam> I've had the same problem yesterday, then make sure Selinux is allowing you to execute the scripts. verbose level 4 will show you stderr of the commands
09:47 < lab2> I have a problem with open vpn server not routing traffic to lan behind openvpn client
09:47 < An_Ony_Moose> _FBi tchiwam: Got it working
09:47 < An_Ony_Moose> Thanks!
09:48 < tchiwam> I still can't get the Environment variables to work si I've hard coded everything. ei: $route_vpn_gateway return ""
09:48 < lab2> computers behind openvpn client can reach computers behind openvpn server
09:49 < lab2> can you help me understanding where the problem is
09:49 < An_Ony_Moose> Now another problem... The server is pushing the wrong information, it's setting "ifconfig 10.8.0.6 10.8.0.5". I'm not sure exactly what that means but as a result it seems that the gateway on the client is being set to 10.8.0.5 (rather than 10.8.0.1). What could be causing this?
09:49 < tchiwam> net30 topology instead of subnet topology, I had that trouble too
09:50 < An_Ony_Moose> also, is it possible to use both TCP and UDP without running multiple instances of the openvpn server?
09:53 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
09:59 < lab2> no one can help me?
10:00 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
10:00 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
10:00 -!- Henryabcd [~Henryabcd@pD9E0B727.dip0.t-ipconnect.de] has joined #openvpn
10:02 < An_Ony_Moose> lab2: Have you set up forwarding?
10:03 < lab2> An_Ony_Moose, on client yes, on server ip4_forward has been set to 1
10:03 < lab2> but i believe there is something wrong with traffic forwarding in term of IP
10:04 < lab2> server eth0 has 192.168.1.10 and tun0 172.17.0.1
10:04 < lab2> client eth0 10.0.0.187 and tun0 172.17.0.2
10:04 < lab2> from 10.0.0.187 i can ping 192.168.1.10
10:05 < lab2> from 192.168.1.10 i can't ping 10.0.0.187
10:05 < lab2> but i can ping 172.17.0.2
10:07 < lab2> :(
10:07 < lab2> i feel that i'm near to solve the problem but i can't :'(
10:13 < An_Ony_Moose> lab2: what's your FORWARD chain in iptables look like?
10:15 < lab2> Chain FORWARD (policy ACCEPT)
10:15 < lab2> target     prot opt source               destination
10:15 < lab2> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
10:16 < An_Ony_Moose> lab2: you'll need to add rules to allow new forwarded connections
10:17 < lab2> in my case?
10:18 < An_Ony_Moose> lab2: something like iptables -A --source 192.168.1.0/24 --dest 10.0.0.0/24 -j ACCEPT
10:18 < An_Ony_Moose> and the same but with the nets switched around
10:20 < An_Ony_Moose> wait no
10:20 < lab2> it gives me bad argument error
10:21 < lab2> Bad argument `192.168.1.0/24'
10:21 < An_Ony_Moose> wait
10:22 < An_Ony_Moose> then what you actually want is for the *client* to forward stuff it gets from the *server*
10:22 < lab2> so the problem is on the client
10:22 < lab2> ?
10:22 < An_Ony_Moose> you want to access 10.0.0.0/24 from 192.168.1.10?
10:23 < lab2> yes
10:23 < An_Ony_Moose> uuuh
10:23 < An_Ony_Moose> That would mean setting up the server's routing table to route 10.0.0.0 via 172.17.0.2
10:24 < An_Ony_Moose> and the client to allow forwarding
10:24 < An_Ony_Moose> I don't know where you'd set up that routing stuff
10:24 < An_Ony_Moose> plus all that I said might be wrong, I'm not 100% sure of myself :P
10:24 < lab2> to help you understand the situation
10:25 < lab2> i can give the routing tables of server
10:25 < lab2> root@debian:~# route
10:25 < lab2> Kernel IP routing table
10:25 < lab2> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10:25 < lab2> default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10:25 < lab2> 10.0.0.0        172.17.0.1      255.255.255.0   UG    0      0        0 tun0
10:25 < lab2> 172.17.0.0      *               255.255.255.0   U     0      0        0 tun0
10:25 < lab2> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10:26 < lab2> and this is the one of the client
10:27 < lab2> root@debian:~# route
10:27 < lab2> Kernel IP routing table
10:27 < lab2> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10:27 < lab2> default         172.17.0.1      128.0.0.0       UG    0      0        0 tun0
10:27 < lab2> default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10:27 < lab2> 10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
10:27 < lab2> host206-181-dyn 10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
10:27 < lab2> 128.0.0.0       172.17.0.1      128.0.0.0       UG    0      0        0 tun0
10:27 < lab2> 172.17.0.0      *               255.255.255.0   U     0      0        0 tun0
10:27 < lab2> 192.168.1.0     172.17.0.1      255.255.255.0   UG    0      0        0 tun0
10:27 < lab2> (sorry for all those lines of messages)
10:29 < lab2> and this is the iptables chain forward of client
10:29 < lab2> Chain FORWARD (policy ACCEPT)
10:29 < lab2> target     prot opt source               destination
10:30 <@ecrist> lab2: please quit pasting into the channel
10:30 <@ecrist> use a pastebin
10:31 < lab2> sorry
10:34 < _FBi> !pastebin
10:34 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
10:35 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
10:38 -!- Henryabcd [~Henryabcd@pD9E0B727.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
10:41 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 245 seconds]
10:41 < lab2> I have execute this command (iptables -A FORWARD -j ACCEPT) on client but the problem is the same
10:42 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
10:44 < alanjf> [tap/bridge] [client-to-client] Does anyone know how to filter traffic between clients with iptables/ebtables? We need the fully bridged setup but would like to prevent DHCP from crossing over between the three sites (server and two clients.)
10:45 < alanjf> I can use a ebtables -A INPUT rules to prevent it between any client and the server, but I can't seem to prevent it between the clients, even with ebtables -A FORWARD rules.
10:46 < alanjf> What am I missing here?
10:57 <@dazo> alanjf: I'm sorry for being sceptical, but before I'll provide any clues ... why do you need bridging?
10:57 < alanjf> We need it for several reasons.
10:58 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
10:58 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
10:58 < alanjf> There are certain protocols that cannot be routed so easily (or at all) as well as other reasons. You may assume it has to be this way.
10:59 <@dazo> which protocols?
11:00 < alanjf> dazo: Again please assume it has to be that way. I really don't see why so many people feel the need to question this instead of just assuming that one might have legitimate reasons.
11:00 <@dazo> Then don't assume any help from me.
11:00 < alanjf> ?
11:00 < alanjf> Why does it matter?
11:01 <@dazo> Out of a 1000 bridging questions on this channel 1-2 are the valid bridge use cases.
11:02 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:02 < lab2> other suggestions for my problem?
11:02 < alanjf> I assure you we have out reasons and they are perfectly valid. All I need to know is how to filter traffic between clients.
11:03 <@dazo> alanjf: check out #netfilter .. they're the ip/ebtables gururs
11:03 < alanjf> s/out/our/
11:03 < alanjf> dazo: But this isn't a plain netfilter question, it is more specific to openvpn.
11:04 <@dazo> when it comes to filtering out Ethernet frames, #netfilter is the proper place ... in TAP mode, the virtual adapter behaves like a normal NIC and openvpn only forwards the Ethernet frames to the remote site
11:04 <@dazo> (with encryption, naturally)
11:05 <@dazo> lab2: iptables -A FORWARD -j ACCEPT can work, if your your forward chain is empty.  Otherwise you may need -I FORWARD instead  - *but* that opens up forwarding completely between all networks passing on your box
11:05 < alanjf> dazo: I can filter just fine with ebtables what is going between the server and any given client. But it seems it can't touch traffic going client to client.
11:06 < alanjf> Does this have to do with how the client-to-client directive works?
11:06 <@dazo> alanjf: that's right, if you use --client-to-client ... then the packets only passes internally in the OpenVPN server and gets passed out ... it never hits the kernel at all
11:07 < alanjf> Ok, if I remove that directive, then clients (machines at that site) can only talk to the server but not to another client's site.
11:07 < lab2> dazo what do you mean for completely forward? Only for clients that use as gateway the vpn clien/server, right?
11:08 < alanjf> I'm not sure how I could route that manually.
11:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
11:09 <@dazo> lab2: your forward rule does not have any restrictions ... how much access VPN clients may have, completely depends on where in your network infrastructure your openvpn server sits
11:11 < lab2> dazo, I have tried -I FORWARD on client and on server, but does't work
11:11 <@dazo> !logs
11:11 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
11:11 <@dazo> !config
11:11 <@vpnHelper> (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
11:11 <@dazo> !configs
11:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:11 <@dazo> and read those carefully ...
11:13 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
11:13 < alanjf> Was that to me or lab2?
11:13 <@dazo> to lab2
11:14 < alanjf> ok
11:14 <@dazo> alanjf: how to route Ethernet frames is not related to openvpn at all ... at this point openvpn does exactly as instructed
11:14 <@dazo> (tunnel works, passes frames to the kernel ... then it's kernel stuff)
11:16 < alanjf> dazo: Ok, fair enough, but I've searched endlessly about how one would manually route in order to pretty much replicate what client-to-client allows but there doesn't seem to be anything about that. I've searched using site:openvpn.net and such as well as general searches.
11:16 < alanjf> That is why I'm finally asking here. I didn't come here first.
11:17 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Ping timeout: 244 seconds]
11:22 -!- edigaryev [~edigaryev@unaffiliated/edigaryev] has left #openvpn ["Leaving"]
11:23 < alanjf> dazo: So yes it may come down to beign a netfilter (ebtables/iptables/et-al) question, it still is applicable here as there may be some openvpn specific influences or traits that might still be at play or that one would need to be aware of that someone in the general netfilter channel might not be aware of.
11:24 < alanjf> Sort of like asking about 4x4 suspension setups in an off orad shop instead of a regular general auto service station.
11:25 <@dazo> No, this has really nothing to do with openvpn ... when the Ethernet frame is passed from OpenVPN to the TAP adapter, it has done all it can do.  From there the kernel picks it up and passes it to the applications expecting them or routing it somewhere else ... if no routing is set up or no applications picks it up, it is dropped
11:26 <@dazo> if you want to use --client-to-client with TAP + filtering ... then you need to hack on openvpn to implement that filtering, as such filtering does not exist (it exists somewhat of a packet filter, but only for TCP/IP packets)
11:27 < alanjf> But it does have to do with OpenVPN. OpenVPN prevents client to client communication when client-to-client is off. We're also not talking about machines that use the server as a gateway, since it's bridge based. And it all comes in and out one single adapter (tap0.)
11:27 -!- lab2 [~LAB2@host154-148-static.99-5-b.business.telecomitalia.it] has quit [Quit: Leaving]
11:27 <@dazo> *sigh*
11:27 < alanjf> I just don't know how to tell it to send traffic oen from client site to the other the way client-to-client does.
11:28 <@dazo> alanjf: please ignore me for now ... and wait for what others have to say
11:28 < alanjf> I'm not ignoring you.
11:30 < alanjf> dazo: I do value what people like your self have to say and appreciate the knowledge you share.
11:41 < flyingkiwi> alanjf, dazo is right so far. client-to-client is implemented in openvpn. if you remove this, than the frames are injected into the kernel, as it would happen with an usual received frame. the problem you have without client-to-client is: the bridge driver will *not* send an ethernet frame back to its originated port (say tap0) - but this it, what you "need".
11:41 < flyingkiwi> alanjf, you may consider giving proxy arp a try
11:42 < alanjf> ok
11:42 < alanjf> thanks
11:43 < `Kevin> whats wrong with the server routing instead of a bridge implementation in this scenario :|
11:43 < alanjf> What is so wrong with briding when one needs it?
11:44 < alanjf> I have nothing against routing but if one needs bridging then why is that such a problem?
11:44 < `Kevin> somtimes it is fine, but in this case it is just causing another problem
11:44 <@dazo> Out of a 1000 bridging questions on this channel 1-2 are the valid bridge use cases .... that's the core problem.  Too many people believe bridging is easier.  It is not.
11:45 < alanjf> Ok, granted, but some of us have legitimate reasons to be using it.
11:46 < `Kevin> additionally bridging with filtering seems rather hacky I do not get the design at all why filter a segment that is supposed to be trusted
11:46 < `Kevin> alanjf: perhaps you have your reasons it just doesnt make sense without us knowing
11:47 <@dazo> +1
11:47 < alanjf> `Kevin: Why is it hacky? I honestly don't see how it's different than filtering normally on a LAN, seeing as briding is supposed to create one big lan.
11:49 < `Kevin> alanjf: I do not login to a multilayer switch to create filters in layer 2 but I will create filters for routes between...
11:49 < `Kevin> its very rare...
11:50 < `Kevin> to see such imo
11:50 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 245 seconds]
11:51 < `Kevin> if nodes need to be filtered from other nodes then they shouldnt be on the same LAN period, ARP and such isnt designed for that
11:52 < `Kevin> its possible via hacks.
11:53 < alanjf> `Kevin: They need to be on the same LAN, that's the whole point of bridging. But at the same time, there is some very certain traffic that I would like to control. Isn't that the whole point of a firewall?
11:53 -!- hsmiths [~hsmiths@cpe-76-174-20-247.socal.res.rr.com] has joined #openvpn
11:54 < `Kevin> make two different vpn setups and split it out, put what needs to be on a bridge on a bridge, route+filter everything else
11:54 -!- alexwh [~alexwh@unaffiliated/alexwh] has left #openvpn ["Leaving"]
11:55 < `Kevin> if the application or design is broken to not allow that then you have a lot of work to figure out how to make it work as you need
11:56 < `Kevin> the point of a firewall is technically/traditionally L3 and above
11:56 < `Kevin> minor L2
11:56 < `Kevin> L2 is not in all FWs
11:56 < alanjf> But it is why the likes of ebtables exists is it not?
11:58 < `Kevin> just because it exists doesn't mean its a proper solution
11:59 < `Kevin> like I said, if you need it do it, we have helped as much as we can thou, dig into what flyingkiwi  was saying
12:00 < alanjf> I get that. I think it's also important to forget that not every scenario is going to match up with the "textbook" guidelines.
12:00 < `Kevin> my issue with this, say you do get it working... one other engineer goes to touch it the whole thing is going to blow up because only a single guy knows what is going on
12:01 < `Kevin> that or everytime oyu add something its breaks something else or just doesnt work
12:01 < `Kevin> its constant tinkering
12:01 < `Kevin> its not how ethernet is supposed to work
12:01 < `Kevin> im done ;P
12:03 < alanjf> But in a case like this where you absolutely need full bridging, and the only thing you really want to filter is DHCP traffic in order to allow each site's dhcpd to continue to function for their respective sites (just like they do when the bridge is down) then it doesn't seem unreasonable.
12:05 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has joined #openvpn
12:05 < alanjf> Maybe it's better to accept that there are many possible scenarios that might be more legitimate than one might think rather than just defaulting to the jaded view tha nany such scario must be ultimately wrong. I used to be of the latter too, so I know how it is.
12:06 < ImDevinC> Hey all! I have a windows 2012 server that functions as my DHCP and DNS server. normally it works fine, however I want to setup a bridged connection and when I bridge the TAP connection and the ethernet connection, and then apply the proper static IP information, my server no longer gets online. Any ideas?
12:12 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
12:13 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:17 -!- tharkun [~0@unaffiliated/tharkun] has joined #openvpn
12:17 < tharkun> Good $DATE does openvpn have an implementation for Windows 8?
12:17 <@ecrist> yes
12:18 <@ecrist> the package available on the openvpn site should work.
12:21 -!- troyt [~troyt@2601:7:6201:96c1:44dd:acff:fe85:9c8e] has joined #openvpn
12:23 -!- leobut [~leobut@unaffiliated/leobut] has joined #openvpn
12:25 < leobut> Is it true that openvpn looks for a .sh file that matches the .conf file's name when starting? I can't seem to find anything in https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage about it.
12:25 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
12:27 <@dazo> leobut: ehm ... that does not sound correct ... but what is it you really are asking?
12:28 < leobut> dazo: Exactly what I said. I could have sworn that, say, you have /etc/openvpn/foo.conf, it would look for /etc/openvpn/foo.sh on start?
12:29 < leobut> I ask because I saw this one one of my IT client's servers, where it has a single line: openvpn --mktun --dev tap0
12:29 <@dazo> leobut: what would be in  /etc/openvpn/foo.sh ?
12:29 < leobut> See my last line.
12:29 <@dazo> okay ... that may be a init.d script thing, specific for your distro
12:29 < leobut> I'm trying to figure out why that's there instead of in a --up script
12:30 <@dazo> --mktun can not be called from an --up script
12:30 <@dazo> --mktun must be run *before* openvpn opens any connection ... however, --mktun shouldn't be needed at all
12:30 < leobut> dazo: Are you sure? I'm pretty sure I saw it in a sample up script for briding in the openvpn site.
12:30 <@dazo> if not provided, openvpn will create tun/tap device on the fly
12:31 <@dazo> leobut: I know the source code of openvpn quite well in these areas
12:31 <@dazo> bridging is something completely different ... where --up scripts is used to do other things
12:32 < leobut> Ah, this is where I saw that: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
12:32 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
12:32 < leobut> But that's for when errecting the bridge, not --up
12:32 <@dazo> right
12:33 <@dazo> When bridging is used, the tap devices must exist before it can be bridged, so it's prepared for openvpn later on
12:34 < leobut> Right
12:36 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
12:44 -!- mrtux [~stallman@unaffiliated/mrtux] has joined #openvpn
12:45 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
12:53 -!- Henryabcd [~Henryabcd@pD9E0B727.dip0.t-ipconnect.de] has joined #openvpn
12:58 -!- hsmiths [~hsmiths@cpe-76-174-20-247.socal.res.rr.com] has left #openvpn []
13:01 -!- ghormoon [~ghormoon@ghorland.net] has quit [Ping timeout: 255 seconds]
13:01 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has quit [Quit: ImDevinC]
13:03 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
13:06 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
13:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:15 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
13:17 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Ping timeout: 244 seconds]
13:19 -!- elfixit [~Icedove@2001:1620:2777:11:a1a8:91ca:e4ea:e343] has quit [Ping timeout: 272 seconds]
13:20 -!- mrtux [~stallman@unaffiliated/mrtux] has joined #openvpn
13:21 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
13:42 < pekster> leobut: You have 2 options for bridging. Well, 3, if you count the best option of "don't use bridging unless you actually need it" (read !tunortap from the bot to see if you really need it.)
13:43 < pekster> leobut: Otherwise, a VPN bridge requires the tap device as a bridge member. You can do that one of 2 ways: Option 1) set up the bridge _and_ the tap device before hand, and bridge the tap device to the bridge. This works best from your distro init. 2) create just the bridge and the physical interface as a member when your OS comes up, and then have openvpn dynamically attached the ephemeral tap device to the bridge in an --up script
13:46 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
13:49 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 264 seconds]
13:49 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
14:04 -!- NP-Completeass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
14:08 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:11 -!- Nivex [~kjotte@atlantis.home.nivex.net] has joined #openvpn
14:13 -!- Henryabcd [~Henryabcd@pD9E0B727.dip0.t-ipconnect.de] has quit [Quit: Leaving]
14:15 < Nivex> I'm trying to set up a tun-ipv6 with both link-local and ULA addressing, but when I have multiple ifconfig-ipv6 lines, it doesn't add both. Last line wins.
14:15 < Nivex> Is the only way around this a custom script?
14:23 -!- Glar [~Glar@2a01:e35:2e1f:d80:8447:b590:8ce8:95e8] has joined #openvpn
14:25 < Glar> Hello.Noob in networking here, but no choice.  Is it possible to have two VPN interface on the same gateway, each VPN tunnel having its own subnetwork ? (vpn #1 => 192.168.0.x & vpn #2 => 192.168.1.x) ?
14:26 < zoredache> If by 'gateway' you mean server or VPN host, then yes you can have multiple VPN configurations running on a server.
14:27 < Glar> Thank you for your answer. I will use a host running with pfsense
14:30 < Glar> Can you tell me, roughly, what kind of config / service I have to set up ? (I will rtfm after that)
14:32 <@dazo> Glar: yes, that is possible ... by using --dev tun, the tun device gets automatically different tun numbers .... or use --dev tun0 and --dev tun1 in separate configs ... so you need two openvpn processes running in parallel with differen configs
14:32 <@dazo> so get one tunnel functional .... duplicate that config, modify --dev and --ifconfig/--server options ... and you have your second tunnel
14:34 < Glar> great
14:34 < Glar> thank you :)
14:35 <@dazo> Nivex: that is the expected behaviour ... ULA addresses should be given automatically on TAP devices by the kernel (but we recommend using TUN + routing instead, where ULA is not used, only the ifconfig-ipv6 assigned address)
14:36 < Nivex> yes, I am trying to use TUN not TAP
14:36 < Nivex> I need an fe80:: on the interface for ospfv3 to work, but would also like the fdXX::
14:38 < Nivex> and for clarity fe80:: is link local, fdXX:: is ULA
14:38 <@dazo> duh ... right, I thought link-local now ... but you need link-local in addition?  Or just the ULA?
14:40 <@dazo> Nivex: I'd recommend you to mail openvpn-users ML on this one ... the guy who implemented IPv6 support in OpenVPN pays attention to that list and is usually quick to reply on IPv6 related stuff
14:40 < Nivex> ok, thanks.
14:40 <@dazo> I don't believe there's any immediate plans for built-in ULA support ... but who knows ....
14:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
14:41 < Nivex> just the ability to have multiple ifconfig-ipv6 directives take would be huge
14:41 < Nivex> then I can assign what I need
14:41 <@dazo> do you need ULA only on the client side?
14:41 < Nivex> this is a point-to-point tunnel
14:42 <@dazo> I have not played with ospf at all ... so I don't quite know how that works
14:43 <@dazo> p2p tunnels usually have just one IP address on each side ... hence my question
14:44 < Nivex> most IPv6 things assume there will always be a link-local (fe80::) and additional global/ULA addresses as needed
14:44 <@dazo> right
14:45 < Nivex> so for now I've manually assigned the fe80:: with ifconfig-ipv6 and it works just fine
14:46 <@dazo> right ... then the workaround is probably an --up script
14:46 < Nivex> the desire for having a global in addition is mostly consistency with other interfaces, notably so traceroutes come back with sanity
14:52 -!- dazo is now known as dazo_afk
15:05 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has quit [Quit: Use contraceptives at every conceivable occasion.]
15:08 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:17 -!- mattock is now known as mattock_afk
15:21 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:37 -!- mattock_afk is now known as mattock
15:40 -!- ylluminate [~ylluminat@209.222.7.234] has joined #openvpn
15:49 -!- mattock is now known as mattock_afk
16:01 -!- Glar [~Glar@2a01:e35:2e1f:d80:8447:b590:8ce8:95e8] has quit [Ping timeout: 260 seconds]
16:03 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
16:27 -!- KaaK [~Kevin@wsip-98-188-52-104.ks.ks.cox.net] has joined #openvpn
16:27 < KaaK> any AWS VPC gurus in here? In a VPC subnet, must all traffic in that subnet originate FROM that subnet?
16:28 < KaaK>  e.g. given a subnet of 10.0.0.0/24, could a packet with a src field of 5.0.0.1/24 be passed on that network?
16:28 < KaaK> i've got a VPN setup -- when I NAT it, it works just fine, but if I attempt to route it, I see the packet leaving out my AWS interface, and then dissappear ...
16:30 < zoredache> The thing you have to ask your self, is how are you expecting the packets to know how to get back?
16:34 < KaaK> there is a route informing memebers of 10.0.0.0/24 about how to reach the 5.0.0.0/24 network
16:36 < KaaK> i can even ping members of 5.0.0.0/24 from anywhere in the 10.0.0.0/24 network ... just the otherway around -- things disappear once they leave the 5.0.0.0/24 <> 10.0.0.0/24 router
16:39 -!- Henryabcd [~Henryabcd@pD9E0B727.dip0.t-ipconnect.de] has joined #openvpn
16:41 < KaaK> additionally, if i ping the router itself over the VPN (i.e. no forwarding to EXTERNAL hosts), everything works fine ...
16:45 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
16:53 -!- troyt [~troyt@2601:7:6201:96c1:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
17:03 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 265 seconds]
17:05 -!- Henryabcd [~Henryabcd@pD9E0B727.dip0.t-ipconnect.de] has quit [Quit: Leaving]
17:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:14 < pekster> Nivex: Yea, --ifconfig (as well as use of --ifconfig-push on a server with dynamic client IPs) will only work with a single IP. A --route-up script might be a fine place to handle extra IPs, and you can even push them from a server by using --push "setenv-safe ip6_ip1 2001:db8:abcd::1234/64"  # or something similar
17:17 < Nivex> i've used --up scripts before with script-security 2. was just hoping to not have to go back.
17:19 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:22 < pekster> Sure. Normally >1 IP isn't really necessary, but is if it's part of your design requirement (ULA+GUA on the PtP endpoint.) You could just use GUA of course, but presumably ULA is there so you can have unchanging internal addressing or similar
17:24 < pekster> PtP works just fine like that, because openvpn isn't actually validating the IP as PtP simply means "send packets to the other end." If you use tun in multi-server, each extra IP on a client requires a defined --iroute in a ccd file on the server too
17:24 < pekster> s/multi-server/multi-client/
17:32 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:42 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 250 seconds]
17:49 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
17:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
17:53 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
17:54 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
17:55 -!- leobut [~leobut@unaffiliated/leobut] has quit []
18:10 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
18:17 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:20 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:25 -!- tharkun [~0@unaffiliated/tharkun] has quit [Ping timeout: 258 seconds]
18:27 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Read error: Connection reset by peer]
18:31 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
18:33 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
19:00 -!- jzaw [~jzaw@2001:8b0:7:0:5054:ff:fe8e:3b24] has joined #openvpn
19:01 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
19:02 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Ping timeout: 244 seconds]
19:29 < Nivex> I think there's been some confusion. LL != ULA. Let's throw ULA out of the conversation.
19:30 < Nivex> When you bring link up on an Ethernet interface, you have a LL address without doing anything.
19:31 < Nivex> Some things expect to see this to do link ICMP to set other things up
19:31 < Nivex> in my case, OSPF needs it to exchange routes.
19:32 < Nivex> So what would be ideal is if the tun could have a LL and a non-LL address on it, much like a tap but without the Ethernet overhead
19:32 < pekster> You probably want a tap device then
19:32 < pekster> Is the 18 bytes per packet really an issue?
19:32 < pekster> That's a 1.2% drop in performance, ARPs and such notwithstanding
19:32 < Nivex> manually running 'ip addr add ... dev tun0' also works
19:32 < pekster> (by packet header, anyway. Possibly less if you use lzo)
19:33 < pekster> Oh, right, since your're on PtP
19:33 < pekster> That won't wnork in P2MP (server w/ multi-client)
19:33 < Nivex> ah, so it's that way for consistency between ptp and ptmp?
19:33 < pekster> PtP just means "make any packets I send into this device magically appear on the far side" -- IPs are a mere convenience
19:34 < pekster> So you don't even need an IP at all if all your software understands this and doesn't need one. That's rare in practice, so you put IPs on PtP devices so you can use them like any other "real" interface
19:36 < pekster> A server configured as a P2MP instance (ie: not --mode p2p) with tun will reject packets to peers unless either A) that peer sources packets from an IP it was provided by the server, or B) the openvpn server has been configured with an --iroute statement. --iroute is something provided by a ccd (see: !ccd) file, or a --client-connect script that effectively does the same thing (with scripting potential)
19:36 < pekster> Configured in tap, and openvpn has no such restriction since it's delivering Ethernet frames, not IP packets
19:37 < pekster> You really only lose the 18 bytes per packet, and even then possibly less if you use lzo compression. There's the usual ARP and broadcast traffic, but if you're routing over it, the performance hit tends to be negligable
19:38 < Nivex> and you can trunk VLANs over it :)
19:38 < pekster> IIRC OpenVPN won't do 802.1Q today
19:39 < pekster> In practice that's rarely an issue since you can do routed-tap just fine, then let routing on the recieving end deal with where/how to send the packets in further, tagging onto the actual network as required
19:41 < Nivex> so apparently I just think about weird sh^Htuff :)
19:42 < pekster> It's come up before, but usually with really obscene bridged setups for inadequately explained reasons
19:42 < pekster> We tend to discourage people from using bridging here, but routed tap is a fine solution when network-local multicast or broadcast is involved
19:45 < Nivex> alrighty. this has been most informative.
20:00 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
20:01 -!- mrtux_ [~stallman@unaffiliated/mrtux] has joined #openvpn
20:02 -!- mrtux_ is now known as mrtux
20:06 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
20:07 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
20:35 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
21:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
21:32 -!- SoCo_cpp [~SoCo_cpp@gateway/tor-sasl/sococpp/x-48425895] has joined #openvpn
21:34 < SoCo_cpp> I'm trying to connect to my OpenVPN server. Previously using OpenVPN's Windows client, I was only required 3 certificates to connect the CA cert , the user cert, and the user key. I'm trying to connect to the same server with Gadmin on linux, and it is additionally requiring DH Key and TA Key. Are these keys I generated when making the previous keys and are stuck without?
21:35 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 258 seconds]
21:37 -!- SoCo_cpp [~SoCo_cpp@gateway/tor-sasl/sococpp/x-48425895] has quit [Remote host closed the connection]
22:32 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
22:56 -!- zamba [marius@flage.org] has quit [Ping timeout: 250 seconds]
22:57 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 265 seconds]
23:24 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
23:25 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
23:37 -!- Eugene [eugene@2600:3c01::3f:101] has quit [Quit: ZNC - http://znc.sourceforge.net]
23:37 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
23:58 -!- ShadniX [dagger@p5481C949.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Sat Dec 06 2014
00:00 -!- ShadniX [dagger@p5481C60B.dip0.t-ipconnect.de] has joined #openvpn
00:03 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
00:29 -!- mattock_afk is now known as mattock
01:11 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
01:13 -!- Whoopie [Whoopie@unaffiliated/whoopie] has quit [Quit: Proxy shutdown]
01:16 -!- ylluminate [~ylluminat@209.222.7.234] has quit [Quit: Bye!]
01:32 -!- ylluminate [~ylluminat@108.61.50.109] has joined #openvpn
01:35 -!- ylluminate [~ylluminat@108.61.50.109] has quit [Client Quit]
02:20 -!- kirin` [telex@gateway/shell/anapnea.net/x-wyghasibpdftpagz] has quit [Ping timeout: 244 seconds]
02:24 -!- kirin` [telex@gateway/shell/anapnea.net/x-ovpfokmzjdawuzue] has joined #openvpn
03:28 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
03:44 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:07 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
--- Log opened Sat Dec 06 21:53:34 2014
21:53 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
21:53 -!- Irssi: #openvpn: Total of 202 nicks [7 ops, 0 halfops, 2 voices, 193 normal]
21:53 -!- Irssi: Join to #openvpn was synced in 0 secs
21:53 -!- mode/#openvpn [+o ecrist] by ChanServ
21:54 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 250 seconds]
22:03 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
22:05 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
22:17 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
22:20 < hydrajump> !goal
22:20 < hydrajump> hmm still not working
22:53 -!- kirin` [telex@gateway/shell/anapnea.net/x-ovpfokmzjdawuzue] has quit [Ping timeout: 250 seconds]
22:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-eitntjrcjwqreisn] has joined #openvpn
22:57 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
22:59 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:07 -!- u0m3_ [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
23:07 < Dan39> hey :)
23:07 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 256 seconds]
23:07 -!- u0m3_ [~u0m3@109.96.153.17] has joined #openvpn
23:13 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
23:20 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 245 seconds]
23:33 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
23:58 -!- ShadniX [dagger@p5481C60B.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
--- Day changed Sun Dec 07 2014
00:00 -!- ShadniX [dagger@p5DDFE079.dip0.t-ipconnect.de] has joined #openvpn
00:05 <@krzee> here he comes
00:05 <@krzee> o/
00:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
00:05 -!- mode/#openvpn [+o vpnHelper] by ChanServ
00:06 <@krzee> !whoami
00:06 <@vpnHelper> support
00:06 <@krzee> werd
00:47 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
02:01 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 272 seconds]
02:06 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 264 seconds]
02:13 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
02:18 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 245 seconds]
02:29 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
02:54 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
02:58 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:59 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:28 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
03:35 -!- vahid [~vahid@151.232.184.184] has joined #openvpn
03:43 < vahid> Hi, I use openvpn to bypass internet censorship but I feel low speen in openvpn. when I compare to SSH -D -O command, openvpn really is slow. It's my client conf: http://paste.ubuntu.com/9409552/ and this one is Server conf: http://paste.ubuntu.com/9409574/
03:45 <@syzzer> vahid: try using udp instead of tcp. tcp-over-tcp has issues
03:45 <@syzzer> !tcp
03:45 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
03:46 < vahid> I don't like tcp too, but UDP not work here :-/
03:51 <@syzzer> I don't see any other direct causes in your config (but others here might). My best guess is that there's a lot of delay on your connection, causing tcp issues, or someone along the connection in throttling you.
03:51 < vahid> syzzer, u mean I should user udp in server and tcp in client ?!
03:51 <@syzzer> as an experiment, you could try using port 22 or 80
03:52 <@syzzer> no, server and client always need to use the same protocol
03:52 < vahid> ok
04:05 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 258 seconds]
04:07 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
04:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:28 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:53 -!- vahid [~vahid@151.232.184.184] has quit [Ping timeout: 250 seconds]
05:14 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has quit [Read error: Connection reset by peer]
05:15 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has joined #openvpn
05:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:34 -!- mattock_afk is now known as mattock
05:46 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 250 seconds]
05:47 -!- jefferai [sid1300@kde/mitchell] has quit [Remote host closed the connection]
05:51 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:56 < hydrajump> morning
06:08 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:08 < hydrajump> !dnsmasq
06:08 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
06:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
06:09 < hydrajump> !dns
06:09 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
06:09 < hydrajump> !pushdns
06:09 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
06:13 < hydrajump> when I setup dnsmasq on my openvpn server and used `push "dhcp-option DNS 10.8.0.1"` that overrides the client's DNS settings. Is there a way to just "add" the extra DNS entry during client connection?
06:13 -!- dnyMT [~dnyMT@c106-36.i05-27.onvol.net] has joined #openvpn
06:14 < dnyMT> Hi guys, I'm trying to set-up a cluster running on a vpn network, (i'm using openvpn) - I seem to be having issues with setting up virtual IPs (ips which will hop to another node in case of failure), would anyone know if there is some additional setup to enable this?
06:22 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
06:24 -!- knob [~knob@199.27.101.98] has joined #openvpn
06:24 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
06:24 < knob> Good morning all.  I am trying to connect a client to an openvpn server I have.  It is showing failed.
06:24 < knob> I setup the verbosity level in the client to 9
06:25 < knob> I believe the error is the last two lines, where it states: Error: private key password verification failed
06:25 < knob> and before that:::     Cannot load private key file /etc/openvpn/CLIENT-ID.key:
06:25 < knob> Any idea... what I am doing wrong?
06:25 < knob> I did not set a password for the keys when I created them.
06:27 < dnyMT> knob, did you update the client.conf to point to the right .key and .cert files?
06:27 < knob> Yes Sir
06:27 < knob> I have it open in front of me... I checked the paths... file name
06:28 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
06:28 < dnyMT> if you execute..# touch /etc/openvpn/CLIENT-ID.key
06:28 < dnyMT> does it return something?
06:28 < knob> running now...
06:29 < knob> It returned... as if it had created it... let me check what it did
06:29 < dnyMT> now what do u have in this directory? /etc/openvpn/
06:30 < knob> I have the original   CLIENT-ID.key        (because it is the same size as the backup I just copied)
06:30 < knob> I did run   touch /etc/openvpn/CLIENT-IDa.key               and it created that file, zero size
06:30 < dnyMT> none of them are sero byte files right?
06:30 < knob> No sir... the original  CLIENT-ID.key  is 1.1K
06:31 < knob> I am stumped because I was trying to do it with  client-id-1.key        didn't work... I thought maybe I put a password.  So I created a new client-id-2.key, not password 100% sure... and same error.
06:35 < dnyMT> did you try testing your private key?
06:37 < knob> No... not sure. how to do that.  Googling now.
06:37 < dnyMT> i'll give the the command :)
06:37 < knob> awesome! Thank you !
06:37 < dnyMT> openssl rsa -in /etc/openvpn/CLIENT-ID.key -check
06:37 < dnyMT> dont paste the output here!
06:37 < knob> kk... running now
06:38 < knob> It returned unable to load Private Key
06:38 < knob> Expecting: ANY PRIVATE KEY
06:39 < dnyMT> perfect
06:39 < knob> 0_X
06:39 < dnyMT> you key is not good :)
06:39 < knob> haha
06:39 < knob> ok
06:40 < knob> alright... well, that helps... at least now I have direction
06:40 < knob> On the server that I created the key, what I did was               source vars
06:40 < knob> and then I ran   ./build-key client-id
06:40 < knob> say,   ./build-key client-id5
06:41 < knob> then I would copy off the keys, and drop them into the client
06:43 < dnyMT> brb in about 5mins I'll go iver the keygen with you if you're still here
06:44 < knob> ok dnyMT thanks... I will be here
06:50 < knob> dnyMT, I think I got it!  Going to test now
06:50 < knob> I have very nice notes on how to do stuff.   Well, I messed up my notes on a part
06:50 < knob> I copied   client-id3.csr           to   client-id3.key
06:50 < knob> Going to try now as it should
06:50 < knob> will report back in 5
06:52 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 258 seconds]
06:58 < dnyMT> bk
06:59 < dnyMT> knob, managed?
07:00 < knob> YES!!!!!!!!!!
07:00 < knob> Just did it now
07:00 < knob> it was dad
07:00 < knob> hahaha... not dad... *that
07:00 < knob> haha
07:00 < knob> Yes Sir... thank you very much dnyMT
07:00 < knob> I have notes on how to do stuff... I find it saves me a lot of time and frustration.  Well, I messed up that line for the key.    I was copying over                   client-id3.csr        to client-id3.key
07:01 < knob> and... after that... I thought it was a key
07:01 < knob> I just loaded everything up... working as it should!
07:01 < knob> We have the tunnel up now!
07:01 < knob> ftp
07:01 < knob> ftw
07:01 < knob> =D
07:03 < dnyMT> :) well done
07:04 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
07:05 < knob> Thanks for your help dnyMT ... very much appreciated!! :)
07:05 < dnyMT> yw
07:06 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
07:33 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
07:43 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
08:13 < dnyMT> Hi guys, is there any reason why arping would fail when using the tun0 interface? -- error message "arping: unknown physical layer type 0xfffe"
08:18 -!- GrayTShirt [~GrayTShir@funtoo/core/GrayTShirt] has joined #openvpn
08:25 -!- knob [~knob@199.27.101.98] has quit [Quit: Leaving]
08:29 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
08:30 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
08:32 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
08:48 -!- XVision [~NA@89.184.82.149] has joined #openvpn
08:48 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 240 seconds]
08:56 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
08:59 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
08:59 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
09:07 < XVision> I try to setup a chain between two servers, I manage to get the connection setup fine, there is no error in the log files, but i cannot ping from the tun+ so when connecting the client, there is obviously no traffic possible
09:07 < XVision> What is the best way to find out where it go wrong?
09:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
09:31 -!- moonkid [~anonymous@cpe-70-115-204-207.stx.res.rr.com] has joined #openvpn
09:34 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
09:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:48 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
09:51 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
10:14 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
10:19 -!- Tausen [~Tausen@tausen.org] has joined #openvpn
10:19 -!- XVision [~NA@89.184.82.149] has quit []
10:21 -!- moonkid [~anonymous@cpe-70-115-204-207.stx.res.rr.com] has quit [Quit: moonkid]
10:38 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
10:39 < Tausen> Hi! Probably a noob question, please bear with me. I have a bridged openvpn server running, and I'm from the client trying to connect to a machine on the lan behind the server. Is there any way to achieve this without adding a static route in the network router?
10:48 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
10:54 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 258 seconds]
10:59 -!- XVision [~NA@89.184.82.149] has joined #openvpn
10:59 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
10:59 < XVision> anyone around on the sunday? i try setup 2 vpn servers, but i like to chain them and allow a single connection to both.
10:59 < XVision> need some help with it.
11:00 <@krzee> if you had stayed i was ready to help about half an hour ago ;]
11:01 <@krzee> !route
11:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
11:01 <@krzee> you need to understand that VERY well, and tcpdump will be your only friend during troubleshooting
11:01 < XVision> ok
11:01 <@krzee> for the context of iroute, i use the word "lan" but its really ANY ip behind a client that is not in the vpn subnet
11:03 < XVision> let me read the article about route - but if the setup works in different environment, i doubt the routes have been configured wrong
11:04 <@krzee> well thats really the only special thing about your setup
11:04 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:04 <@krzee> and i suspect you already have ping working from each endpoint to the next
11:05 < XVision> i cannot ping over the tun+ interface no
11:05 <@krzee> but since you give NO detail about your problem… that's what i got for ya
11:05 <@krzee> you cant ping from the client to the server?
11:05 < XVision> client to server yes
11:05 < XVision> server to server no
11:05 <@krzee> no such thing
11:05 <@krzee> one will need a client on the same machine to connect to the other server
11:05 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
11:06 < XVision> krzee, let me copy some of the setup for you to get an idea, sorry for not being clear
11:06 <@krzee> !diagram
11:06 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
11:06 <@krzee> when you say chain i think of:
11:06 <@krzee> !google secure-computing vpnchains
11:07 <@vpnHelper> OpenVPN/VpnChains - Secure Computing Wiki: <https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains>; How to Chain VPNs for Complete Anonymity « Null Byte: <http://null-byte.wonderhowto.com/how-to/chain-vpns-for-complete-anonymity-0131368/>; Is this VPN chaining or VPN nesting? Is it better than TOR ...: <http://www.wilderssecurity.com/threads/is-this-vpn-chaining-or-vpn-nesting-is-
11:07 <@vpnHelper> it-better-than-tor.275888/>
11:07 <@krzee> link #1
11:07 <@krzee> (i wrote it)
11:07 <@krzee> oh looks like that server may not be up
11:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
11:09 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
11:11 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:15 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
11:18 < Tausen> What kind of configuration does it require to from the client access the lan behind the server when using a bridged setup? All the resources I find seem to apply to the routed approach
11:18 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
11:18 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
11:19 <@krzee> why you bridging?
11:20 < XVision> this is option, i not want client to bridge, when they connect to certain port, it will bridge automatic, else it is single connection
11:20 < XVision> servA:
11:20 < XVision> openvpn.conf: http://pastie.org/private/iuryb8j7gec1o5jawbakq
11:20 < XVision> tunnel.conf: http://pastie.org/private/p4rswnlsuzqqggdcqqhglg
11:20 < XVision> route.sh:
11:20 < XVision> servB:
11:20 < XVision> openvpn.conf: http://pastie.org/private/jen0wchnxcvpvorcq6oagq
11:20 < XVision> tunnel.conf: http://pastie.org/private/z3zhboykkub0vtgxalrxa
11:21 < XVision> route info: http://pastie.org/private/4su0oxanu0kconvmnlgxa
11:21 < XVision> brb, i gotta take phonecall
11:23 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:23 < Tausen> krzee, as far as I understand (please correct if I'm wrong), I have to add a static route in my network router otherwise - and my router does not support it. Was hoping bridging would work without it
11:28 <@krzee> how many machines in the lan will be accessed?
11:28 <@krzee> what OS is the server?
11:28 <@krzee> and no, bridging is not the right choice for what you want to do
11:30 < Tausen> ah, dammit
11:30 < Tausen> linux server
11:30 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
11:30 < Tausen> ideally a couple of servers and a bunch of workstations, but most importantly just ~5 servers
11:31 <@krzee> heres the order of preference in my opinion: add route in router, add route in lan machine, NAT the vpn subnet to the lan on the server, use an option in openvpn to nat it
11:31 <@krzee> idealy you simply add a route
11:32 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
11:33 < Tausen> so since I cannot add a static route, my best option is to add some routes on each machine on the lan?
11:33 <@krzee> the last 2 are:
11:33 <@krzee> well that depends on number of machines in the lan
11:33 <@krzee> if that is too much of a burdon, you can NAT
11:33 <@krzee> !nathack
11:33 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
11:35 < XVision> krzee: back
11:35 <@krzee> XVision, did you make a diagram?
11:35 <@krzee> configs mean nothing when i have no idea what you even want
11:35 < Tausen> krzee, interesting.. thank you!
11:36 < XVision> minute, i will do that right now
11:36 <@krzee> Tausen, yw
11:36 < XVision> not a drawing expert, but ok ;)
11:36 <@krzee> XVision,
11:36 <@krzee> !diagram
11:36 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
11:36 < XVision> ok
11:39 < XVision> basically in words, i have 2 servers, i want a client to be able to: connect to serverA on default openvpn port, connect to serverB on default openvpn port, connect to serverA on special port - this will create chain like client -> serverA -> serverB
11:39 <@krzee> and what happens in this chain?
11:39 <@krzee> you access the internet from serverB?
11:39 <@krzee> you can simply access both machines over the vpn?
11:40 < XVision> in the chain, serverB provides the internet
11:41 < XVision> so is the end point server
11:41 < XVision> there is no need for serverB -> serverA chain
11:41 < XVision> so the single connection to each server, works fine, already tested
11:41 < XVision> now i am testing the chain where serverB should provide the internet
11:41 < XVision> you see the config files for that
11:42 < XVision> but i think my setup is wrong, because if i bridge this way, then there will always be bridge between A and B - so I cannot connect to server A seperate anymore
11:43 < XVision> that, and also the fact that the bridge not work yet ;)
11:48 <@krzee> i think the way i would do it is to setup a server on serverB, have a client on serverA connect to it. setup a server on serverA with routing to the new serverB subnet. Then run another openvpn server only listening on the new ServerB vpn ip
11:48 <@krzee> then the client would connect to serverA with 1 config, and then ServerB through serverA with another config
11:49 <@krzee> with --remote on the second config being an internal IP
11:50 < XVision> yes, so with my current setup, the two servers will always be connected
11:50 < XVision> i know that is not what i want, but it is good to have this first working i think
11:51 <@krzee> with the one i said you only setup a normal !linnat on the inner VPN
11:51 < XVision> how i get the link with the gliffy?
11:51 < XVision> i draw some
11:52 < XVision> but how to get the link to give you?
11:52 <@krzee> theres a link somewhere, i remember it being easy
11:52 <@krzee> anyways i got the idea
11:52 <@krzee> and gave my version of what i would do
11:52 <@krzee> http://webcache.googleusercontent.com/search?q=cache:PWTNhGeiSgcJ:https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains+&cd=3&hl=en&ct=clnk
11:52 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at webcache.googleusercontent.com)
11:53 < XVision> http://www.gliffy.com/go/publish/6717589
11:53 < XVision> it stil try connect to secure-computing.net
11:54 < XVision> oh wait, opening somewhat now
11:54 < XVision> by the way, what physically happen, if a client, first connect to serverA then create 2nd tun and create to serverB ?
11:54 <@krzee> if i did not already understand, that diagram would be confusing as hell lol
11:55 < XVision> haha :)
11:55 <@krzee> physically?
11:55 < XVision> i know
11:55 <@krzee> bits flow through cables?
11:55 < XVision> hehe, which direction?
11:55 <@krzee> eletricity or light
11:55 <@krzee> both
11:56 < XVision> does the client create a chain, or is traffic just go through serverB?
11:56 -!- cstk421 [~cstk421@173-14-40-57-Michigan.hfc.comcastbusiness.net] has joined #openvpn
11:56 <@krzee> no idea what you are saying
11:56 <@krzee> but i really dont help with vpn chaining
11:56 <@krzee> so im going to lay down and watch a movie
11:56 <@krzee> good luck =]
11:56 < XVision> you are right, thank you for pointing me to the article
11:56 < XVision> and enjoy the movie
11:56 < cstk421> is there a way to have "bridge" setup via tap and still allow IOS devices to connect to the openvpn server ?
11:56 < cstk421> since they dont support tap ?
11:57 <@krzee> cstk421, i think there is tap emulation if jailbroken, but really you should evaulate why you are using tap in the first place
11:57 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
11:57 <@krzee> its usually not needed.
11:57 < cstk421> well in my example i need my ios devices to be able to hit the local pbx server
11:57 <@krzee> you dont need tap for that
11:58 <@krzee> !tunortap
11:58 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
11:58 <@vpnHelper> rooted/jailbroken) support only tun
11:58 < cstk421> i have tun setup now but i am having issues routing between subnets
11:58 <@krzee> subnet behind the server or behind the client?
11:59 < cstk421> well not sure.  if i understand correctly i can "push" the subnet of my LAN via openvpn to my client.  I have done that part.  the issue i think i havent figured out is having my LAN know the route back to the openvpn subnet .  is that right ?
11:59 <@krzee> subnet behind the server or behind the client?
11:59 < cstk421> i dont understand the question sorry
11:59 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:59 <@krzee> server LAN?
12:00 -!- mattock is now known as mattock_afk
12:00 <@krzee> there is a lan you want to access...
12:00 < cstk421> yes
12:00 < cstk421> would my topology help ?
12:00 <@krzee> does a machine in that LAN have an openvpn server or client process running?
12:00 < cstk421> openvpn server yes
12:00 <@krzee> ok
12:00 <@krzee> !serverlan
12:01 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
12:01 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
12:01 <@krzee> follow the flowchart on the last link
12:01 <@krzee> it is the questions we sit here asking people all day
12:01 <@krzee> instead of asking them 1 by 1, it will ask them and you will tell us where you get stuck
12:02 < cstk421> ok working through it now
12:02 < cstk421> thx
12:08 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
12:09 < cstk421> ok so the part im failing on now is the "ip forwarding " apparently
12:09 < cstk421> i cant ping the lan ip of the server
12:11 <@krzee> what os is your server?
12:14 < cstk421> windows
12:14 < cstk421> ok i got ip forwarding up now
12:14 < cstk421> i can hit the lan of the server
12:14 <@krzee> ok
12:14 <@krzee> keep going
12:14 < cstk421> cant hit the lan gateway or any other devices though
12:15 < cstk421> i think im to the point that i need to add the route to the vpn subnet in the router of the lan
12:15 <@krzee> !route_outside_ovpn
12:15 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
12:29 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Excess Flood]
12:30 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
12:30 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
12:31 < cstk421> so where i am stuck is adding the route back to the vpn server from the LAN
12:31 < cstk421> i have a cisco 1841 on the LAN that the server sits on
12:31 < cstk421> i gave the LAN facing interface a secondary ip on the same subnet as the clients of the vpn but still cant ping between them
12:32 < cstk421> am i missing a route i need ?
12:33 <@krzee> i never said to give it another ip
12:34 <@krzee> !route
12:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:34 <@krzee> goto second link in #1 and read *routes outside openvpn*
12:34 < cstk421> ok
12:35 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
12:39 <@krzee> after you add your route you'll change 5. into 10.10.2.1 checks its routing table, has a route for 10.8.0.0/24, and sends the traffic to the vpn server (10.8.0.1 and 10.10.2.10)
12:43 -!- mattock_afk is now known as mattock
12:51 < cstk421> so im trying to grasp the 2 items in the config i am seeing.  1 sais "Push routes to allow clients to to reach subnets behind the server" and the other "has subnets behind the client" .  in my case i have subnets behind the server i need access to. so the only push route i need is that subnet i need access to correct ? or am i still not understanding which area i need to look at.
13:15 -!- cstk421 [~cstk421@173-14-40-57-Michigan.hfc.comcastbusiness.net] has quit []
13:17 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
13:31 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
13:32 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
13:32 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
13:40 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
13:41 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
13:41 < Moonlightning> In 'Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA', what exactly does 'TLSv1/SSLv3' mean? What is TLS 1.0 being used for?
13:42 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
13:42 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
14:09 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
14:15 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
14:21 -!- mattock is now known as mattock_afk
14:33 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
14:38 -!- cstk421 [~cstk421@99-20-229-203.lightspeed.brhmmi.sbcglobal.net] has joined #openvpn
14:41 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
14:42 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
14:45 -!- cstk421 [~cstk421@99-20-229-203.lightspeed.brhmmi.sbcglobal.net] has quit [Ping timeout: 264 seconds]
14:48 -!- cstk421 [~cstk421@173-14-40-57-Michigan.hfc.comcastbusiness.net] has joined #openvpn
14:50 < cstk421> using TUN can a client get dhcp from the same network as the vpn server ?
14:50 < cstk421> or is that only a bridge function ?
14:56 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
14:56 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:00 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:06 -!- moonkid [~anonymous@cpe-70-115-204-207.stx.res.rr.com] has joined #openvpn
15:06 < XVision> i make a setup in vmware to understand routing and iptables some better: http://pastie.org/private/ds3m5ighr2y1hrea1szzmw
15:07 < XVision> pretty basic, but 2 NIC's - it is confusing me a bit
15:07 < XVision> iptables i setup so far: http://pastie.org/private/11m6jd63ch0nleagnavsdq
15:07 < XVision> so just one server, two NIC's, one client
15:08 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
15:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:27 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
15:27 -!- mode/#openvpn [+v s7r] by ChanServ
15:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:34 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
15:35 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
15:39 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Remote host closed the connection]
15:53 -!- moonkid [~anonymous@cpe-70-115-204-207.stx.res.rr.com] has quit [Quit: moonkid]
16:05 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
16:08 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
16:19 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has quit [Read error: Connection reset by peer]
16:19 -!- RGamma [~RGamma@ip-84-118-23-37.unity-media.net] has joined #openvpn
16:19 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
16:24 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:31 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
16:41 -!- Gaming4JC [~Gaming4JC@unaffiliated/gaming4jc] has joined #openvpn
16:42 -!- cstk421 [~cstk421@173-14-40-57-Michigan.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
16:42 < Gaming4JC> Is anyone else aware of the Arch Linux (and OpenWRT?) routing bug
16:42 < Gaming4JC> I tried compiling the lastest build and the server pushes the routing table but the routing doesn't take affect
16:42 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
16:43 < Gaming4JC> meaning you're connected to the VPN but the route doesn't take affect so your connection remains through ISP instead of PVN
16:43 < Gaming4JC> VPN *
16:43 < Gaming4JC> :/
16:43 < Gaming4JC> some one else reported it as well but I'm not sure if an officail bug has been filed
16:45 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
16:46 < Gaming4JC> seems to be a client side bug, perhaps something with iproute2, since nettools was depreciated.
16:46 < Gaming4JC> I remember it working in 2.3.3
16:46 -!- nutron [~nutron@unaffiliated/nutron] has quit [Remote host closed the connection]
16:53 -!- Gaming4JC [~Gaming4JC@unaffiliated/gaming4jc] has quit [Quit: Are you a good person? Find Out! NeedGod.com]
16:59 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 260 seconds]
17:16 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
17:45 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:49 -!- Henryabcd [~Henryabcd@pD9E0BB96.dip0.t-ipconnect.de] has joined #openvpn
17:56 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
17:57 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
17:59 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Client Quit]
18:01 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
18:06 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
18:10 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
18:20 -!- moonkid [~anonymous@cpe-70-115-204-207.stx.res.rr.com] has joined #openvpn
18:33 -!- Henryabcd [~Henryabcd@pD9E0BB96.dip0.t-ipconnect.de] has quit [Quit: Leaving]
18:50 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
19:00 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:01 < Fun> how I can use opevpn without admin pass?
19:01 < Fun> ]:D
19:01 < Fun> any ideas?
19:08 < Fun> http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
19:08 <@vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
19:08 < Fun> hupl
19:08 < Fun> :D
19:15 < Fun> :)
19:22 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
20:23 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
20:27 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:38 -!- Numline1 [~anakonda@ymir.visionary.sk] has joined #openvpn
20:39 < Numline1> Hello guys, I'm having some trouble with OpenVPN configuration. I've tried to configure it as gaming VPN, similar to Hamachi. However, games are still scanning primary network adapters instead of OpenVPN adapter. Is there any way to forward all network from primary network adapter to OpenVPN?
20:40 < Numline1> push "redirect-gateway def1" seems to do the trick, partially
20:41 < Numline1> however once a device connects to server when redirect-gateway is enabled, it loses all internet connectivity
20:47 < Fun> hmmm
20:48 < Fun> maybe direct tunnel?
20:48 < Fun> as simple as that
20:50 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
21:02 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:02 < Numline1> Fun, well, would direct tunnel forward all traffic?
21:03 < Numline1> Because what I have now is pushed gateway
21:03 < Numline1> but I don't think it's working
21:03 < Numline1> however I've just used push DNS option
21:03 < Numline1> and it seems my PC is now doing DNS queries through the server
21:03 < Numline1> but the traffic is still local
21:03 < Numline1> according to my IP
21:03 < Fun> did u run is as Administrator?
21:04 < Fun> the open vpn thingy
21:04 < Fun> if not it may not work
21:04 < Fun> occam razor :D
21:04 < Numline1> I don't think I did, let me try that
21:05 < Fun> hehe
21:05 < Numline1> Fun, you are a god :D Not fully yet though
21:05 < XVision> i make a setup in vmware to understand routing and iptables some better: http://pastie.org/private/ds3m5ighr2y1hrea1szzmw
21:05 < Numline1> My internet is no longer working
21:05 < Numline1> So it means that Chrome is trying to go through OpenVPN
21:05 < XVision> pretty basic, but 2 NIC's - it is confusing me a bit
21:05 < XVision> iptables i setup so far: http://pastie.org/private/11m6jd63ch0nleagnavsdq
21:06 < XVision> so just one server, two NIC's, one client
21:06 < Fun> Numline1:  yes it would do so
21:06 < Fun> check your routes setup
21:06 < Fun> in terminal
21:07 < Numline1> Fun, if you mean on client's side, it does no longer resolve any hostnames
21:07 < Numline1> so maybe I fcked up DNS setting
21:08 < Fun> what are you trying to do? :)
21:08 < Fun> end goal
21:08 < Numline1> Fun, correct me if I'm wrong, but when I have this: push "dhcp-option DNS 10.8.0.1"
21:08 < Numline1> and this server is not running DNS, will it use DNS of this server or is client trying to use it as DNS?
21:08 < Numline1> well, end goal
21:09 < Numline1> I'm trying to set up some LAN game servers
21:09 < Numline1> similar to what Hamachi used to be
21:09 < Numline1> However the problem is that many games scan Windows's primary network adapter
21:09 < Numline1> and ignore OpenVPN virtual one
21:10 < Fun> ignore tap then?
21:10 < Numline1> so I'm trying to force everything to go through VPN
21:10 < Fun> I see
21:10 < Fun> try to disable main windows network adapter
21:10 < Numline1> I'm not sure if this is the right approach, but as far as me and networking go
21:10 < Fun> for a moment
21:10 < Fun> see if it helps
21:10 < Fun> I think not
21:10 < Fun> :D
21:10 < Numline1> Can't do that really, because I'll lose network connectivity
21:10 < Fun> yes
21:10 < Numline1> which means I'll lose connection to openvpn server
21:11 < Fun> do u know ips u want to use?
21:11 < Fun> thinks
21:11 < Fun> it should work out of box
21:11 < Fun> seems like dns issue maybe
21:11 < Numline1> I'm not sure which ips you mean
21:12 < Fun> I usually have very simple configs
21:12 < Numline1> of the game server? It'll be one of the clients
21:12 < Fun> and they work
21:12 < Fun> hmm
21:12 < Numline1> well, it worked for some people
21:12 < Fun> if u set stuff right all connections will got via vpn
21:12 < Numline1> however for some people it had priroty shifted to main eth adapter
21:12 < Numline1> yup, that's what I'm trying to do
21:12 < Fun> linux ok I am windows hehe
21:13 < Numline1> Well, so am I :)
21:13 < Numline1> Actually, server is LInux
21:13 < Numline1> clients are windows
21:13 < Numline1> let me just try to set up different DNS servers
21:13 < Fun> http://pastebin.com/wDS4uvxK
21:14 < Fun> u got just this?
21:14 < Fun> plus keys
21:14 < Fun> or more?
21:15 < Numline1> Fun, pretty much. I think I've figured it out though
21:15 < Fun> :)
21:15 < Numline1> I have what you have + push settings for gateway and DNS
21:15 < Fun> so delete those hehe
21:15 < Numline1> What I did is I changed the DNS settings to Google DNS
21:15 < Numline1> and it works now, I have my servers IP now :)
21:15 < Fun> hehe
21:15 < Fun> here u go
21:15 < Fun> such amaze
21:15 < Numline1> thank you good sir :)
21:16 < Fun> :)
21:16 < XVision> Anyone could help me perhaps? :)
21:16 < Numline1> it was the run as administrator thingy
21:16 < Fun> yes
21:16 < Fun> Numline1: I wonder if it can work without admin
21:16 < Fun> as some people dont know their workstation admin pass lo
21:17 < Numline1> XVision, I'm checking your config right now, what seems to be the problem? Are you trying to set up two NICs to use one VPN?
21:17 < Numline1> Fun, I don't think it will, it seems to need admin access to change adapter's settings
21:17 < Numline1> it seems to be able to connect and use DHCP, but as far as routing goes...
21:18 < Fun> yes seems so
21:18 < Fun> hehe alas yes it wont add routes
21:18 < Fun> I tried already
21:18 < XVision> I have vmware setup with CentOS server - one NIC for NAT and one NIC for hosting-only network - then i have windows 7 client, with only the hosting-only network
21:18 < XVision> bascially windows 7 have no internet, but need use vpn connection
21:18 < XVision> the tried config i pasted
21:19 < XVision> NAT is on 192.168.107.0/24
21:19 < XVision> Host-Only is on 192.168.22.0/24
21:20 < XVision> On the Windows 7 I do get assigned ip 10.10.30.6 - but no gateway
21:20 < XVision> in the serverlog i find:
21:20 < XVision> "bad source address from client, packet dropped"
21:20 -!- Fun [~Fun@unaffiliated/fun] has left #openvpn []
21:21 < Numline1> XVision, so centos works ok
21:21 < Numline1> and Windows doesn't get gateway from server, right?
21:21 < Numline1> it seems you're actually having the same problem as I did
21:21 < Numline1> try running the client on the Windows client as administrator
21:21 < XVision> moment
21:22 < XVision> no still same bad source address from client
21:23 < XVision> i think i have way too many routes
21:24 < XVision> also, in ccd directory i put client, is say: ifconfig-push 10.10.30.101 255.255.255.0
21:24 < XVision> but the windows 7 not get this ip address
21:24 < Numline1> and the openvpn server is running on the centos virtual machine?
21:24 < XVision> yes
21:24 < Numline1> and are these to virtual servers in some NAT connection?
21:25 < XVision> yea
21:25 < Numline1> so you can ping the CentOS from the Windows, right?
21:25 < XVision> yes
21:25 < XVision> and back
21:25 < Numline1> okay, hmm
21:26 < Numline1> and on the CentOS VPN config
21:26 < Numline1> do you have this there? push "redirect-gateway def1"
21:26 < Numline1> I have something similar set up - http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
21:26 <@vpnHelper> Title: HOWTO (at openvpn.net)
21:26 < Numline1> this is what you need to set up in the centos VPN config
21:26 < Numline1> push gateway
21:26 < Numline1> routing rules
21:27 < Numline1> and possibly DNS rules as well
21:27 < Numline1> then run the Windows client as administrator and it should work
21:30 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
21:33 < XVision> setup is like this: http://www.gliffy.com/go/publish/6721219
21:33 < XVision> excuse my silly drawing skills
21:33 < Numline1> yup
21:34 < XVision> in between the host and internet you will have to imagine my router
21:34 < Numline1> it should work with my conenction
21:34 < Numline1> my configuration*
21:34 < XVision> can you maybe upload your conf and routing tables?
21:34 < Numline1> yup
21:34 < XVision> so i can take them as guideline
21:35 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:35 < XVision> also the iptables as need some masquerade on some network ranges?
21:40 < Numline1> XVision, this is my config on server (Ubuntu, it may be different on CentOS) - http://pastebin.com/pqb1gU2E
21:40 < Numline1> yes, you need to echo 1 to the ip forward thingy
21:40 < XVision> ok let me have a look
21:40 < Numline1> and set up iptables forward
21:40 < Numline1> as in the tutorial I posted
21:41 < Numline1> if you're not using certificate authentication, you can easily ignore that part
21:41 < Numline1> of my config
21:41 < Numline1> push "redirect-gateway def1"
21:41 < Numline1>  
21:41 < Numline1> push "dhcp-option DNS 8.8.8.8"
21:41 < Numline1> push "dhcp-option DNS 8.8.4.4"
21:41 < Numline1> this is the important part
21:41 < Numline1> it pushes your server as gateway to the client and Google DNS as default DNS
21:41 < Numline1> server 10.8.0.0 255.255.255.0 is IP address range
21:41 < XVision> why you have proto udp and tcp both?
21:41 < Numline1> yup
21:42 < XVision> first thing i notice
21:42 < Numline1> I'm not sure if it works on both right now
21:42 < Numline1> or just one of them
21:42 < XVision> ok
21:42 < XVision> :)
21:42 < Numline1> but it somehow works
21:42 < Numline1> :)
21:43 < XVision> ok, well i have the config about the same, just minor difference that i now removed
21:44 < XVision> let's see
21:44 < Numline1> as I said, those 3 pushes are important :)
21:45 < XVision> yes but i had them already
21:45 < Numline1> okay
21:45 < Numline1> don'f forget to run the iptables rule on your server
21:46 < Numline1> from what I was able to google out, it may be the problem
21:46 < XVision> i run this: iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -i eth1 -j MASQUERADE
21:47 < Numline1> I found this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
21:47 < Numline1> -o vs -i
21:47 < Numline1> also, do you have eth0 or 1?
21:47 < XVision> both
21:47 < Numline1> It should be executed on the adapter where you're running OpenVPN
21:47 < Numline1> I believe
21:48 < XVision> and have -o it was typo
21:48 < Numline1> okay
21:48 -!- alexw [~textual@unaffiliated/alexw] has quit [Remote host closed the connection]
21:49 < Numline1> XVision, did you do this? echo 1 > /proc/sys/net/ipv4/ip_forward
21:49 < XVision> yea
21:49 < Numline1> also maybe try to run the iptables -F
21:49 < Numline1> and then try that iptables rule on eth0
21:49 < Numline1> if it doesn't work, try eth1
21:49 < Numline1> but run iptables -F before that
21:49 < Numline1> it should flush your iptables
21:49 < XVision> yes also did that
21:50 < XVision> but i have 192.168.22.0 and 192.168.107.0 network
21:50 < XVision> i think that is the issue
21:51 < Numline1> hmm, well as long as your Windows client is getting the IP from the CentOS server, that should be configured correctly
21:51 < Numline1> which one is which?
21:51 < Numline1> 22.0 is internet and 107.0 is bridge/NAT?
21:52 < XVision> 22.0 is the 'internal network'
21:52 < XVision> the 107.0 is NAT and goes through the host to the internet
21:52 < XVision> 22.0 = eth1
21:52 < XVision> 107.0 = eth0
21:52 < XVision> i should have put that in the diagram sorry
21:52 < Numline1> I see
21:52 < Numline1> no pro
21:52 < Numline1> *prob
21:53 < Numline1> maybe you should run the iptables rule on eth0
21:53 < Numline1> I'm not really sure how that works, I may be little out of my depth here, sorry
21:53 < XVision> yea im trying now
21:53 < XVision> np, thanks for your help bro
21:54 < Numline1> no problem sir
21:54 < Numline1> XVision, I found this in examples - http://pastebin.com/KVs7ZKCR
21:54 < Numline1> maybe it's what you're looking for
21:54 < Numline1> it's from server's openvpn config
21:55 < XVision> yea i must use something like that
21:55 < XVision> 'something like that' :)
21:56 < Numline1> yea :D
21:56 < Numline1> I'm pretty sure there's someone able to help you, either here or on forums
22:17 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
22:17 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
22:38 < XVision> anyone can help me with this setup? : http://www.gliffy.com/go/publish/6721219
22:48 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 265 seconds]
23:05 -!- moonkid [~anonymous@cpe-70-115-204-207.stx.res.rr.com] has quit [Quit: moonkid]
23:07 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
23:20 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:27 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
23:38 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
23:43 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
23:56 -!- ShadniX [dagger@p5DDFE079.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:58 < XVision> anyone awake yet? :)
23:59 -!- ShadniX [dagger@p5DDFD407.dip0.t-ipconnect.de] has joined #openvpn
23:59 < torax> Yes, but it its too early in the morning for thinking :D
23:59 -!- Nivex [~kjotte@atlantis.home.nivex.net] has left #openvpn []
--- Day changed Mon Dec 08 2014
00:12 < XVision> torax: tell me about it, all night been thinking, on sunday night arghhh
00:13 -!- Dan39 [~ddan39@unaffiliated/dan39] has quit [Ping timeout: 272 seconds]
00:13 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
00:13 < XVision> for anyone where coffee is started to work: i manage now to connect, but log show MULTI: bad source address from client, packet dropped
00:13 < XVision> so some routes are not pushed, or some iptable rule is wrong
00:13 < XVision> must be something like that
00:14 <@krzee> !iroute
00:14 -!- Dan39 [~ddan39@unaffiliated/dan39] has joined #openvpn
00:14 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
00:14 < XVision> yes, i have iroute in client dir
00:14 <@krzee> that error is when something sends packets down the tunnel with an unknown address
00:14 < XVision> just not sure if i push all the right ip ranges really, need some eye opener
00:15 <@krzee> the server declines to deal with it because it wont be able to return packets to it without an iroute
00:15 < XVision> yes i read about that, i followed an exact example
00:15 <@krzee> well, thats what the error means.
00:15 < XVision> forums.openvpn.net/topic12170.html
00:15 <@krzee> as explained in !route
00:15 < XVision> nicely written i must say
00:16 < torax> XVision: I´m trying to figure out why testing setup works, but seemingly similiar setup in production fails
00:16 <@krzee> torax, whats your issue
00:16 < XVision> torax: at least you have the testing setup working, you are one step ahead of me! :)
00:18 < XVision> according to this scheme: http://www.gliffy.com/go/publish/6721219 -> iroute in client: iroute 192.168.22.0 255.255.255.0
00:18 < XVision> but why am i doing this?
00:18 < XVision> the server know this ip range
00:18 < XVision> client is connecting over it
00:18 <@krzee> well whats the address in the error
00:19 <@krzee> since you removed that part when showing the error...
00:19 < XVision> 192.168.22.50
00:19 < XVision> and other is ipv6 address
00:19 <@krzee> then your iroute isnt being read
00:19 <@krzee> show the server log file
00:20 <@krzee> verb 4
00:22 < XVision> http://pastie.org/private/fuzb5v2ndun4ytmeywojg
00:22 < torax> krzee: Client connects to server via openvpn and from there to another server via ipsec, this works fine in testing, but not in production. I´m just trying to verify now that I really have similiar setup in both places.
00:23 < torax> tcpdump -i tun0 gives, "ip-10-9-0-1.eu-west-1.compute.internal > ip-10-9-0-6.eu-west-1.compute.internal: ICMP host ip-10-9-0-5.eu-west-1.compute.internal unreachable - admin prohibited, length 80"
00:23 <@krzee> fe80::8c72:3caf:afd7:22f1
00:23 <@krzee> XVision, something is passing traffic over the tunnel with source address of fe80::8c72:3caf:afd7:22f1
00:24 <@krzee> that is the traffic being dropped… some misconfigured app
00:24 <@krzee> spewing crap
00:24 < XVision>  i open IE
00:24 < XVision> that is all i did
00:24 <@krzee> well some app on your machine is spewing ipv6 sourced crap
00:24 <@krzee> not likely ie
00:25 <@krzee> you can safely ignore it, or figure out whats spewing ipv6 crap and fix it
00:25 < XVision> well it only happen when i open IE to some url
00:25 <@krzee> *shrug* thats what it is
00:25 < XVision> ping to 8.8.8.8 give transmit failed: general failure
00:27 < XVision> ok, the ipv6 is crap yes
00:28 <@krzee> but no multi error on the ping to 8.8.8.8
00:28 <@krzee> different problems
00:28 < XVision> yes
00:28 < XVision> i see some errors about adding and deleting routes in the log
00:29 < XVision> well not erros, but operation not permitted
00:31 <@krzee> thats definitely an error, unless its when you're stopping openvpn
00:32 < XVision> yes it is when im stopping
00:32 < XVision> ..
00:32 <@krzee> and why are you using iroute 192.168.22.0 255.255.255.0
00:33 <@krzee> thats not a lan behind your client
00:33 <@krzee> i wonder if that can actually break your setup
00:33 <@krzee> im not sure, but i know its wrong
00:33 < XVision> should i put 192.168.107.0 ?
00:33 <@krzee> you need to understand what iroute is
00:34 < XVision> the client in my setup have no LAN behind it
00:34 < XVision> only the server have
00:35 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
00:35 <@krzee> then you dont need an iroute
00:35 < XVision> ok
00:36 < XVision> btw, the bad source address shit come to log when client connect, so when the openvpn create the connection
00:36 < XVision> i know i can ignore it, but just saying
00:36 <@krzee> its a misconfigured app on your computer
00:37 <@krzee> i know you want to talk about it, but just saying
00:37 < XVision> :) haha
00:37 < XVision> i think it is vmware
00:38 < XVision> removed the iroute - now still the main problem remains, what route/iptable am i missing
00:40 < XVision> so for my understanding, client connect on 192.168.22.0 network, vpn create 10.10.10.0 network - now server get internet from 192.168.107.0 network
00:41 < XVision> i understand my own setup right?
00:43 < XVision> can it have to do with 'promiscuous mode'?
00:43 < XVision> i am just reading about it, hardly understanding yet what it means
00:45 < XVision> communities.vmware.com/message/934617
00:45 < XVision> no idea if it has anything to do with my setup problem, but just mentioning
00:45 <@krzee> i dont follow, nor do i really want to
00:46 <@krzee> trying to chain is very advanced
00:46 <@krzee> you are expected to be a networking ninja before you do it
00:46 <@krzee> (imho)
00:46 <@krzee> thats why when you read my vpnchains doc i just give my findings, not an attempt to help you do it
00:46 < XVision> well, i basically just try setup an openvpn server and client on vmware
00:47 <@krzee> well ya i expect issues
00:47 <@krzee> haha
00:47 < XVision> i added 2 NIC's because i not see how else it would work
00:47 <@krzee> youd prolly want vmware support
00:47 < XVision> Ok, so i better take my old laptop and install some server there?
00:47 <@krzee> you trying to connect 1 vm to another via vpn, is what you're saying… right?
00:47 < XVision> yes
00:48 <@krzee> lol
00:48 < XVision> is that not the way to test things?
00:48 <@krzee> i mean i cant promise it wont work… but i dont expect it to
00:48 < XVision> i do all testing in vmware really
00:49 <@krzee> it can probably be done with the right tweaking in vmware i guess, but i would have no clue what that is
00:49 <@krzee> seems to be unnecessary to fix as well
00:50 <@krzee> adding complexity for a testbed
00:51 < XVision> ok, so you suggest, i take my laptop, get it connected and just use a physical server and client to make my test setup, to get rid of the complications with vmware network
00:51 < XVision> right?
00:52 < XVision> and then im probably already on the right way with my current setup i guess, because i was litterally following the guidelines in the tutorial, except for the iroute
00:52 <@krzee> yep
00:53 < XVision> ok, i will let you know if it worked - i know you want to know
00:53 <@krzee> haha
01:07 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 258 seconds]
01:11 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:12 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
01:18 < torax> I cant reach pushed route from openvpn client, netstat -i tun0: http://pastebin.com/SPmSfbn0
01:24 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
01:29 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
01:38 <@krzee> 1 side is dns the other side scrubbed, why even show us
01:38 <@krzee> haha
01:38 <@krzee> i still dont get what the problem is
01:38 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
01:44 -!- Tausen [~Tausen@tausen.org] has left #openvpn ["Leaving"]
01:46 -!- mattock_afk is now known as mattock
01:46 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
01:47 -!- eaglelinux [~eaglelinu@213.207.38.192] has joined #openvpn
01:47 < eaglelinux> hello
01:47 < eaglelinux> why openvpn allow only /30 network for connectivity ?
01:49 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
01:59 <@krzee> !topology
01:59 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
02:02 < torax> krzee: That didnt look like dns traffic to me. The ip is "obfuscated" but I the real ip address is not important. The problem is that I cant connect to that server which ip address is shown as 123.123.123.123, I have 'push "route 123.123.123.123 255.255.255.255"' in server.conf
02:03 <@krzee> not dns traffic
02:03 <@krzee> you used tcpdump without -n
02:03 <@krzee> so it did dns resolution
02:03 < torax> ah, sorry
02:04 <@krzee> and the obfuscation matters
02:04 <@krzee> its an internet routable ip?
02:05 < torax> Yes, my bad for not pointing that out. It is internet routable ip
02:05 <@krzee> so did you configure NAT and ip forwarding just like if you were using redirect-gateway?
02:06 < torax> Yes, and I have similiar setup in testing envrinonment, just cant figure out how it differs from this one. Surely it should work, but I must have missed something
02:07 < torax> I was thinking that you might have noticed something from the tcpdump
02:12 -!- XVision [~NA@89.184.82.149] has quit []
02:19 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:21 < ayaz> Hello. There's a new build of OpenVPN for Windows available that fixes the issue that can cause DoS. I am wondering whether it will be sufficient to only copy the files in the bin folder and replace it with the files on existing systems, or whether it will cause any issues? I know it does not cause issues as I have tested it out. I want to be sure I am not missing out on anything by doing it.
02:41 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 264 seconds]
02:48 <@syzzer> ayaz: should work, yes.
02:49 < ayaz> Thanks
03:01 -!- brutser [~none@d51A48718.access.telenet.be] has joined #openvpn
03:01 < brutser> Hi guys!
03:02 < brutser> http://www.server-world.info/en/note?os=CentOS_5&p=openvpn
03:02 <@vpnHelper> Title: CentOS 5 - VPN Server - Install / Configure OpenVPN : Server World (at www.server-world.info)
03:02 < brutser> The only part I need some help with is: "By the way, it's neccesary to set some settings on your router for NAT/Port forwarding. The used protocol and listening port by default on VPN server is UDP/1194. Speaking on an example on here, requests to 1194 with UDP from internet is needed to forward to 10.0.0.60:1194 in LAN. "
03:03 < brutser> I don't understand what to make
03:03 < brutser> Everything else he have in example
03:14 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Read error: Connection reset by peer]
03:14 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
03:25 -!- Cultist [~CultOfThe@67.175.170.187] has quit [Ping timeout: 255 seconds]
03:25 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:29 -!- dazo_afk is now known as dazo
03:39 < flyingkiwi> brutser, is your VPN server "behind" a NATing router?
03:39 < flyingkiwi> brutser, or does your VPN server have a "public ip address"?
03:49 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 252 seconds]
03:49 < brutser> I have a router for internet
03:49 < brutser> so NATing router yes
03:49 < brutser> Not internet IP
04:13 -!- Cultist [~CultOfThe@67.175.170.187] has joined #openvpn
04:17 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
04:22 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
04:39 < eaglelinux> hello
04:39 < eaglelinux> please, can anybody help to nat open-vpn pool to public IP in mikrotik
04:39 < eaglelinux> ?
04:41 < eaglelinux> also, how to change openvpn limitation of /30 network to /24
05:04 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 244 seconds]
05:14 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn
05:22 -!- ketas [~ketas@181-208-191-90.dyn.estpak.ee] has quit [Ping timeout: 265 seconds]
05:26 <@plaisthos> eaglelinux:
05:26 <@plaisthos> !subnet
05:26 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet or (#3) You may be looking for !toplogy
05:26 <@plaisthos> err
05:26 <@plaisthos> !topology
05:26 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
05:27 <@plaisthos> and
05:27 <@plaisthos> !nat
05:27 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
06:32 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 252 seconds]
06:45 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 245 seconds]
06:48 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
06:59 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has joined #openvpn
07:01 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
07:07 < hydrajump> hi if I push a local DNS server, e.g. dnsmasq installed on the same openvpn server to the clients. Is there a way to not override whatever DNS servers the client already have configured?
07:08 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
07:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
07:15 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
07:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:18 <@plaisthos> !dns
07:18 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
07:18 <@plaisthos> !pushdns
07:18 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
07:19 <@plaisthos> !learn pushdns Mobile Client like OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
07:19 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
07:19 <@plaisthos> !learn pushdns as Mobile Client like OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
07:19 <@vpnHelper> Joo got it.
07:19 <@plaisthos> !pushdns
07:19 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
07:19 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
07:24 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:31 -!- Ahrotahntee [~ahrotahnt@unaffiliated/ahrotahntee] has quit [Remote host closed the connection]
07:37 -!- GrayTShirt [~GrayTShir@funtoo/core/GrayTShirt] has quit [Quit: Leaving]
07:55 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
07:57 -!- _bt [~bt@unaffiliated/bt/x-192343] has joined #openvpn
08:04 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 250 seconds]
08:10 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:22 -!- elfixit [~Icedove@2001:1620:2777:11:78f3:ca44:f93c:5c2a] has joined #openvpn
08:32 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
08:32 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has joined #openvpn
08:33 < hydrajump> plaisthos: hi not sure how to do it differently that I  have it setup.
08:33 < hydrajump> so that the client's DNS servers are not overriding, but added to
08:41 <@plaisthos> hydrajump: clients generally only ask the first DNS server
08:41 <@plaisthos> so adding additional dns server has almost no benefit
08:48 < hydrajump> plaisthos: ah ok
08:49 < hydrajump> i'm not doing full tunneling as it's not required for this particular use case. hmm much harder than I thought to push a single hostname from the vpn subnet to the clients
08:50 < hydrajump> basically clients connect to vpn.example.com. once they are connected I'd like them to connect via RDP to rdp.example.com which is a server behind the vpn server. at the moment i'm having to setup the clients with a fixed IP to the rdp server rather than the hostname.
08:55 -!- ValdikSS [~valdikss@host-24-158-66-217.spbmts.ru] has joined #openvpn
09:00 < nullie> hydrajump, push route to this host
09:01 -!- ValdikSS [~valdikss@host-24-158-66-217.spbmts.ru] has quit [Ping timeout: 272 seconds]
09:01 < hydrajump> nullie: like this `push "route rdp.example.com 10.32.0.44"`?
09:01 < hydrajump> i tried that and it didn't work
09:02 < nullie> hydrajump, you can't just assign 10.32.0.44 to rdp.example.com ?
09:03 < nullie> as in, generic dns
09:03 < nullie> globally visible
09:03 < hydrajump> nullie: sorry don't understand how you mean.
09:04 < nullie> hydrajump, actually have rdp.example.com resolve to 10.32.0.44 on all dns servers?
09:05 < nullie> have to, bbl
09:05  * plaisthos agrees with nullie 
09:05 <@plaisthos> if you use a globally valid dns name that probably works best
09:06 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:06 < hydrajump> nullie: plaisthos what you're saying is basically register rdp.example.com in the same dns server as vpn.example.com?
09:08 <@plaisthos> no
09:08 <@plaisthos> maybe
09:08 <@plaisthos> don't know you dns setup
09:08 <@plaisthos> but yes if a client can resolve vpn.example.com with using your dns
09:09 <@plaisthos> in the same it should be able to resolve rdp.example.com
09:09 <@plaisthos> even if that ip point to a private ip
09:12 < hydrajump> plaisthos: ok the DNS server that resolves vpn.example.com is a hosted DNS service, e.g. DNSEasy. I thought about creating a second A record for rdp.example.com there, but when I googled I read that it is bad to host private IP ranges in public DNS.
09:12 < hydrajump> it would solves my problem easily.
09:13 -!- Denial [~Denial@81.141.2.111] has joined #openvpn
09:18 <@plaisthos> hydrajump: Yeah it may not be the best pratice but usually works best
09:18 <@plaisthos> otherwise you have to use your DNS server for everything the client does while connected to the VPN
09:19 <@plaisthos> pick your poison :)
09:22 < hydrajump> plaisthos: i understand. i think as it's just one internal address I'll just host it on the public dns
09:23 < hydrajump> plaisthos:  nullie thanks guys!
09:32 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:09 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
10:10 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:57 -!- Henryabcd [~Henryabcd@pD9E0ABFC.dip0.t-ipconnect.de] has joined #openvpn
10:58 -!- novaflash_away is now known as novaflash
11:02 < KaaK> is it possible to make the log-append option write to a file as a non-root user?
11:03 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:04 < KaaK> ive got an odd situation where I am not the admin on the machine an openvpn client will be running
11:04 < KaaK> but I still need access to the logs for troubleshooting potential issues
11:15 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:17 <@dazo> KaaK: that userid just need write privileges to the log file + probably write access to the directory it resides in, then it should work
11:17 <@dazo> so, basic chmod / setfacl operations
11:24 < KaaK> dazo, thanks! i'll give it a shot
11:28 <@dazo> KaaK: but ... you need to be root to be able to start openvpn.  It can connect and do everything a non-privileged user can, *except* creating a tun/tap device and adding network routes ... so I believe this will be your biggest problem, not the log files
11:37 < Eugene> !unpriv
11:37 <@vpnHelper> "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
11:37 < Eugene> Because I hate myself
11:59 -!- elfixit [~Icedove@2001:1620:2777:11:78f3:ca44:f93c:5c2a] has quit [Quit: elfixit]
12:01 < KaaK> Eugene, I did indeed find that link -- It's quite useful, but it mentions nothing of logs (my current issue)
12:01 < Eugene> Yes, it does.
12:02 < Eugene> Specifically, it has you set up /var/log/openvpn, owned by openvpn:openvpn, and then use --log to put logs into that dir.
12:02 < Eugene> But reading is hard.
12:02 < KaaK> Eugene, whoops -- sorry, I stand corrected
12:03 < Eugene> That guide also assumes the CentOS6 init script; I'm far too lazy to figure it out under systemd
12:03 < KaaK> my situation is kind of shitty -- its a hosted machine and the admin will never give me nice sudo wrappers for `ip` and friends
12:04 < Eugene> My advice? Get a better machine.
12:04 < KaaK> would love to, but it is unfortunatly not possible... im just playing the cards ive got currently delt
12:05 < KaaK> the daemon will run as root, and the admin will use the ovpn config i hand off (after they check it) -- As such, im stuck with root running the daemon, but I need (and belive i have found) a method of getting access to the log
12:06 < KaaK> for troubleshooting purposes
12:07 < KaaK> its a co-location machine that has physical access to an important router -- i'm using ovpn to build a tunnel between the server farm and my resrouces in AWS
12:07 < KaaK> which is the shitty context i am referring to
12:26 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 250 seconds]
12:32 -!- eaglelinux-02 [~eaglelinu@213.207.43.231] has joined #openvpn
12:32 < eaglelinux-02> hello
12:32 < eaglelinux-02> how to share
12:32 < eaglelinux-02> internet over vpn
12:32 < eaglelinux-02> in mikrotik
12:32 < eaglelinux-02> ?
12:36 <@dazo> !goal
12:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:37 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has quit [Quit: This message has been cruelly tested on cute little furry animals.]
12:40 < eaglelinux-02> I want to nat openvpn pool to wan IP ,that's all, so I want to share internet over OPENVPN clients
12:41 < dougquaid> Which binary should I use for Windows 7 and Windows 8? On the downloads page there are two options, XP and later as well as Vista and later
12:42 < eaglelinux-02> dougquaid, you will use "XP and later as well as Vista and later"
12:42 < eaglelinux-02> vpnHelper, it is possible ?
12:43 < dougquaid> eaglelinux-02: vpnHelper is a bot, it only responds to a set list of commands
12:44 < eaglelinux-02> dazo, it's that possible ?
12:44 <@dazo> eaglelinux-02: yes, that is possible
12:44 <@dazo> !redirect
12:44 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:44 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:55 -!- Henryabcd [~Henryabcd@pD9E0ABFC.dip0.t-ipconnect.de] has quit [Quit: Leaving]
12:55 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
12:55 -!- mode/#openvpn [+o mattock_] by ChanServ
13:05 <@dazo> dougquaid: If you use the -I6?? installers, we'd appreciate feedback on those ... as they're designed for newer Windows versions with a brand new TAP driver
13:22 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has quit [Quit: IRC for Sailfish 0.8]
14:45 -!- eaglelinux-02 [~eaglelinu@213.207.43.231] has quit [Ping timeout: 258 seconds]
14:49 < ValdikSS> Hi!
14:49 < ValdikSS> Is there any reason that Control Packet is limited to 100 bytes?
14:50 < ValdikSS> I have 3000+ routes to push to client and it could do it up to 5 minutes
14:52 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
15:01 < zoredache> 3000 routes to push?  Wow, are you sure you can do any summarization or something else?
15:06 -!- mattock is now known as mattock_afk
15:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:21 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 256 seconds]
15:23 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:27 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:29 -!- cae- [~cae@ip-178-201-254-32.hsi08.unitymediagroup.de] has quit [Quit: WeeChat 0.3.8]
15:30 < ender|> ...and here i thought that pushing 7 routes was a lot
15:43 < Numline1> What's up guys. Could any of you help me to follow up on an issue I've had yesterday
15:44 < Numline1> Basically, I'm trying to set up gaming LAN VPN
15:44 < Numline1> I have tap adapter for that, Linux server and several Windows clients
15:44 < Numline1> All works fine, except some people can't see games on VPN LAN in their multiplayer clients
15:45 < Numline1> However when we physically connect to the same router, we see each other, but with the local IP, not VPN IP
15:45 <@dazo> Numline1: could it be firewall issues on those clients where Windows don't allow broadcast traffic from the VPN as it is identified as a public network?
15:46 < Numline1> There's this one specific case, when I can see my friend and his VPN IP but he can't see me. Gateway is set up
15:46 < Numline1> dazo, firewalls turned off on all clients :(
15:47 <@dazo> I'd double check and compare the network traffic between working clients and failing clients ... using wireshark or similar tools
15:47 < Numline1> Basically, all our traffic is going through VPN, but this friend of mine can't see my (or anyone elses) games
15:47 < Numline1> I think it's all encrypted
15:47 < Numline1> I think it's just routing issue
15:47 <@dazo> if you use wireshark on the tap adapter, you'll see the plain-text data
15:48 <@dazo> it is a routing issue if the routing tables are different on working and non-working clients
15:48 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
16:09 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 265 seconds]
16:16 < Numline1> dazo, sorry for delay, I've just fixed it
16:16 < Numline1> turns out that discovery packets are being sent via eth with lowest metric
16:16 < Numline1> so I just need to do netsh int ip set int "Ethernet 2" metric=5
16:16 < Numline1> and it works ok
16:17 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
16:17 -!- mode/#openvpn [+v RBecker] by ChanServ
16:18 -!- drsmooth [~drsmooth@c-24-22-147-233.hsd1.wa.comcast.net] has joined #openvpn
16:19 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:23 < drsmooth> howdy all.. trying to bridge lan and vpn client using https://community.openvpn.net/openvpn/wiki/OpenVPNBridging.  CentOS6 w/ openvpn v2.2.2.1
16:23 < drsmooth> it really doesn't seem to like the "up up.sh" directive
16:26 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:27 <@dazo> drsmooth: control question: Why do you want to bridge?
16:27 < drsmooth> duh nvm
16:28 < drsmooth> dazo: LAN has no default gateway so no way to route hosts to vpn clients
16:28 < drsmooth> sovled: chmod +x up.sh and include full path to brctl...ugh
16:29 -!- Henryabcd [~Henryabcd@pD9E0ABFC.dip0.t-ipconnect.de] has joined #openvpn
16:29 <@dazo> uhm ... that's just an inherently wrong argument and a misunderstanding of what routing tables can do
16:29 < drsmooth> dazo: ok give it to me
16:30 < drsmooth> dazo: keep im mind that hosts on LAN segment are not under my control and config changes there are not an option
16:30 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
16:30 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Write error: Connection reset by peer]
16:30 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
16:30 -!- s7r [~s7r@openvpn/user/s7r] has quit [Write error: Connection reset by peer]
16:30 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
16:31 <@dazo> you need to give me more to go on ... f.ex. how can you have a LAN having a gateway without Internet access and still use OpenVPN?
16:31 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:31 -!- mode/#openvpn [+v s7r] by ChanServ
16:31 <@dazo> This is a pretty standard routing setup ... https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting
16:31 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:33 <@dazo> further iproute2 can setup routing tables using only device (that is not an IP address, such as: ip route 192.168.0.0/24 dev tap0)
16:35 < drsmooth> dazo: so you're suggesting masquerading the vpn client addresses?  I could do that i suppose.
16:36 <@dazo> drsmooth: if you look at the top of that wiki page I pointed you at, there's a list of reasons why bridging and TAP mode is discouraged
16:37 < drsmooth> dazo: i'm aware of those, yes
16:37 <@dazo> a few, but very few, reasons are valid for bridging ... your case might be in the greyish areas ... but I think you'll get a far better tunnel if you can avoid bridging
16:37 < drsmooth> dazo: fair enough.  I'll start over :(
16:38 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
16:45 -!- brutser [~none@d51A48718.access.telenet.be] has quit []
16:55 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:26 < Numline1> guys one more question
17:26 < Numline1> if I decide not to use key authentication
17:26 < Numline1> and choose mysql or pam authentication
17:26 < Numline1> will the connection be encrypted?
17:26 < esde> !harden
17:27 < esde> !hardening
17:28 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
17:28 < Numline1> ty ^
17:43 <@dazo> Numline1: using --tls-client/--tls-server or --secret will encrypt the tunnel.  However using --tls-server/--tls-client is always a good idea.  You can however use that without client certificates, by providing the --ca inline in the config file and --client-cert-not-required in the server config
17:43 <@dazo> together with username/password auth
17:44 < Numline1> thanks, that'll help
17:46 <@dazo> Using just --secret will only give you a static encryption ... while --tls-server/--tls-client will renegotiate temporary encryption keys and mau also provide (P)FS
17:46 <@dazo> s/mau/may/
17:55 -!- dazo is now known as dazo_afk
18:02 -!- drsmooth [~drsmooth@c-24-22-147-233.hsd1.wa.comcast.net] has quit [Quit: Leaving.]
18:08 -!- Henryabcd [~Henryabcd@pD9E0ABFC.dip0.t-ipconnect.de] has quit [Quit: Leaving]
18:21 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
18:21 < Fun> :)
18:21 < Fun> heya
18:21 < Fun> who here made custom open vpn clients?
18:21 < Fun> for windows
18:34 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
18:40 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
18:46 -!- unfy [~Miranda@wsip-184-185-82-30.om.om.cox.net] has joined #openvpn
18:50 < Eugene> !win_rollup
18:50 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
18:53 < Fun> cool
18:53 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
18:57 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
18:57 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
18:59 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
18:59 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
19:02 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
19:07 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
19:12 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
19:15 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
19:19 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
19:26 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 264 seconds]
19:39 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
19:43 < Fun> hi AlexRussia
19:44 < Fun> how are you?
19:44 < Fun> :D
19:44 < Fun> I am going to Russia soon!
19:44 < Fun> :D
19:50 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
20:11 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
20:12 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
20:30 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
20:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
20:38 -!- MadTBone [~MadTBone@128.59.37.113] has quit [Quit: Leaving]
21:03 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Remote host closed the connection]
21:05 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
21:43 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
21:43 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
21:43 -!- badon_ is now known as badon
21:50 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
21:54 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
21:59 -!- alexw [~textual@unaffiliated/alexw] has quit [Remote host closed the connection]
22:07 < Numline1> Hey again guys. I'm trying to push "metric" to client via this command push "route 0.0.0.0 0.0.0.0 vpn_gateway 25"
22:07 < Numline1> And it works great, however I'm unable to set metric below 20, it seems to be the limit, however I can set it via Windows to even lower values
22:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:07 < Numline1> I appreciate any help
22:07 < Numline1> thanks
22:15 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 252 seconds]
22:20 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
22:33 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
22:37 < Fun> its trick to get help
22:37 < Fun> what is metric?
22:37 < Fun> time it take to switch?
22:37 < Fun> or what
22:38 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
22:42 < pekster> Numline1: Works just fine here pushing a metric. Check your logs at --verb 4, and you'll see a line similar to: "/sbin/ip route add 203.0.113.0/25 via 10.8.8.2 metric 3" (possibly with ifconfig if you didn't build openvpn to avoid the decade-old net-tools calls.)
22:42 < pekster> Chances are you have some frontend screwing things up
22:43 -!- Fun [~Fun@unaffiliated/fun] has left #openvpn []
22:43 -!- kontaxis [~kontaxis@dyn-160-39-57-60.dyn.columbia.edu] has joined #openvpn
22:43 < pekster> Or if it's windows, all bets might be off. Maybe read about the --ip-win32 and --route-method options
22:44 -!- kontaxis [~kontaxis@dyn-160-39-57-60.dyn.columbia.edu] has quit [Client Quit]
22:45 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
22:46 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
22:53 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
23:00 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
23:01 < Numline1> pekster, clients are unfortunatelly Windows
23:01 < Numline1> and I think it's using "route" command to set the metric
23:02 < Numline1> it seems that 20 is limit because it's 100Mbit connection, which, according to some documentation, is default for non-gbit network
23:02 < Numline1> so once I connect my primary nic to 1Gbit, it'll have higher metric, which I don't want :(
23:09 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
23:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:36 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
23:53 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
23:55 -!- ShadniX [dagger@p5DDFD407.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:56 -!- ShadniX [dagger@p5481C861.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Dec 09 2014
00:07 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
00:12 -!- xMopxShell [~xMopxShel@dpedu.io] has quit [Ping timeout: 272 seconds]
00:12 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 272 seconds]
00:12 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 272 seconds]
00:13 -!- xMopxShell [~xMopxShel@davepedu.com] has joined #openvpn
00:13 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
00:13 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
00:14 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
00:20 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
00:25 -!- unfy [~Miranda@wsip-184-185-82-30.om.om.cox.net] has quit [Quit: Miranda IM! Smaller, Faster, Easier. http://miranda-im.org]
00:27 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
00:28 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Ping timeout: 244 seconds]
00:47 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 258 seconds]
00:52 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
00:56 -!- mattock_afk is now known as mattock
01:01 -!- vahid_ [~vahid@151.232.184.184] has joined #openvpn
01:02 < vahid_> Hi there again ;-) How should I use --tcp-nodelay switch ? I tried in clinet with this command: "sudo openvpn client.conf --tcp-nodelay" not work.  this Error: Options error: I'm trying to parse "client.conf" as an --option parameter but I don't see a leading '--'
01:03 -!- alexw [~textual@unaffiliated/alexw] has quit [Remote host closed the connection]
01:05 < vahid_> I changed the command to this:  sudo openvpn --tcp-nodelay client.conf but there is a new Error: Assertion failed at helper.c:537 //  Exiting due to fatal error
01:14 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
01:15 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 240 seconds]
01:17 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
01:23 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
02:10 -!- dazo_afk is now known as dazo
02:14 <@plaisthos> vahid_: which version are you using?
02:14 < vahid_> client or server ?
02:15 <@plaisthos> the one throwing the assertion :)
02:15 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 244 seconds]
02:15 <@plaisthos> that should be openvp --tcp-nodelay --config client.conf
02:15 <@plaisthos> but I would like to look what fails there
02:15 < vahid_> OpenVPN 2.3.6 I'm on Arch news version ;-)
02:17 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
02:18 <@plaisthos> hm that function just asserts if you are not running the server
02:18 <@plaisthos> strange
02:19 < vahid_> this command changed noting: openvp --tcp-nodelay --config client.conf
02:19 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:19 < vahid_> same error
02:19 <@plaisthos> yes
02:19 < vahid_> [vahid@Acer openvpn]$ sudo openvpn --tcp-nodelay --config client.conf
02:19 < vahid_> Tue Dec  9 11:49:06 2014 us=176396 Assertion failed at helper.c:537
02:20 <@plaisthos> try openvpn --socket-flags TCP_NODELAY
02:21 < vahid_> I added te --dev tun switch and waiting...
02:22 -!- dougquaid [~dougquaid@pool-96-247-192-249.clppva.fios.verizon.net] has quit [Ping timeout: 250 seconds]
02:22 < vahid_> http://paste.ubuntu.com/9438585/
02:23 -!- jdmf [~jdmf@91.198.201.28] has joined #openvpn
02:34 <@dazo> plaisthos: Why do we have that assert in helper_tcp_nodelay()? ... that looks like a bad idea to me.  Why not just set o->sockflags |= SF_TCP_NODELAY there instead?
02:35 <@dazo> however ... setting TCP_NODELAY on a UDP socket isn't going to fly either
02:36 <@dazo> vahid_: can you please try to add --proto tcp-client  ?
02:36 < vahid_> sure
02:38 < vahid_> Options error: --nobind doesn't make sense unless used with --remote
02:39 < vahid_> I run this comand: sudo openvpn --proto tcp-client --dev tun client.conf
02:40 <@dazo> vahid_: right ... try adding --remote localhost
02:41 <@dazo> I just want to see what happens when it passes the code which sets TCP_NO_DELAY
02:41 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:41 < vahid_> Options error: remote: port number associated with host localhost is out of range
02:41 <@plaisthos> dazo: cause --tcp-nodelay is a server only option which translates to socket-flags TCP_NODELAY and push "socket-flags TCP_NODELAY"
02:42 <@dazo> plaisthos: fair enough, but why restrict it to server only?  Especially when clients can do "socket-flags TCP_NODELAY" independently
02:42 <@plaisthos> dazo: yeah it is broken :)
02:42 <@plaisthos> dazo: I created a trac issue so we fix it sooner or later
02:42 < vahid_> It's gone break my hearth too :D
02:43 < vahid_> plaisthos, It's openvpn issue? or mine config?
02:49 <@plaisthos> vahid_: OpenVPN issue but it does not affect you
02:52 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
02:58 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:04 < vahid_> If i downgrade openvpn in client, may I have tcp-nodelay option ? UDP port blocked in my country and tcp is slow.
03:07 -!- LnxBil [~LnxBil@p5099afb6.dip0.t-ipconnect.de] has joined #openvpn
03:07 < LnxBil> Hi everybody.
03:08 < LnxBil> I have multiple remotes and I am forced to use tcp at the moment. If the first attempt to connect fails, I got a SIGTERM and my openvpn connection dies. Is there a way to prohibit this? Accoding to manual, connect-retry should step in, shouldn't it?
03:08 < LnxBil> s/connection/process/
03:09 < LnxBil> Version is 2.2.1, Debian Wheezy
03:09 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
03:10 <@plaisthos> vahid_: tcp-flags TCP_NODELAY on the client is what tcp-nodelay does
03:12 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Read error: Connection reset by peer]
03:12 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
03:13 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
03:15 < vahid_> plainthos, so, why it's not works for me?
03:17 < vahid_> Tue Dec  9 12:46:50 2014 NOTE: setsockopt TCP_NODELAY=1 failed
03:17 <@dazo> vahid_: there is an issue with the code, so --tcp-nodelay have never worked on clients.  *But* what --tcp-nodelay in reality does, is just --socket-flags TCP_NODELAY
03:17 <@dazo> however, TCP_NODELAY is only allowed on TCP sockets ... so you must have set --proto tcp-client before adding the --socket-flags
03:20 <@plaisthos> vahid_: see dazos explaination
03:21 <@plaisthos> LnxBil: why is your client getting a SIGTERM?
03:21 <@plaisthos> LnxBil: look in the logs
03:21 <@dazo> vahid_: the alternative is to use --tcp-nodelay on your server ... and the server will set TCP_NODELAY on itself and push "socket-flags TCP_NODELAY" to the client as well ... and this is what --tcp-nodelay was supposed to be, a helper "macro"
03:23 < vahid_> I did'nt changed server but i will. connection will be rest: http://paste.ubuntu.com/9439136/
03:25 <@plaisthos> that is expected
03:25 <@plaisthos> if you don't have protocol/port matching on client/server it will not work
03:29 <@dazo> plaisthos: just tried a few things with git master .... and I can't manage to use --tcp-nodelay in client mode at all .... "Options error: --tcp-nodelay requires --mode server"
03:29 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
03:30 <@dazo> ahh ... and that happens when I remove the assert(0), so my mistake ;-)
03:30 <@plaisthos> dazo: ah ... so it is already fixed in -master
03:30 <@dazo> plaisthos: nope, not completely
03:32 <@plaisthos> dazo: wait, we give the error only if you remove the assert?
03:32 <@dazo> yeah
03:32 <@dazo> options:2113
03:32 <@dazo>       if (options->server_flags & SF_TCP_NODELAY_HELPER)
03:32 <@dazo> 	msg (M_USAGE, "--tcp-nodelay requires --mode server");
03:32 <@dazo> this is some dumb-f**ked code path ...
03:33 <@dazo> well, actually what I did was this:
03:33 <@dazo> -         ASSERT (0);
03:33 <@dazo> +         o->sockflags |= SF_TCP_NODELAY;
03:36 <@dazo> plaisthos: I think we should rip out that msg(M_USAGE...) error ... and allow people to be stupid (by only setting --tcp-nodelay on the client) ... because they can already do it with --socket-flags anyway
03:37 <@dazo> adding --tcp-nodelay on both client and server won't fail ... and only on server will also do the right thing anyway
03:40 <@plaisthos> dazo: Or change it into a warning
03:40 <@dazo> fair enough ... I'll post a proposal to the ML in a few minutes
03:41 <@plaisthos> "Warning: setting tcp-nodelay on the client side will not affect the server. To have TCP_NODELAY in both direction use tcp-nodelay in the server configuration"
03:42  * dazo copies that text :)
03:45 <@plaisthos> than fix direction to directions
03:48 -!- vahid_ [~vahid@151.232.184.184] has quit [Ping timeout: 245 seconds]
03:49 <@dazo> plaisthos: http://fpaste.org/157894/18573141/ ... any comments before I send the patch to the ML?
03:50 <@plaisthos> code style dictates space after msg iirc
03:50 <@dazo> duh ... right!
03:50 <@plaisthos> and in one you added the space before \n and in the third line after \n :)
03:51 <@plaisthos> don't know what is right though
03:51 <@dazo> not mixed at least, that'll make cron2 grumpy! :-P
03:51 -!- vahid_ [~vahid@151.232.184.184] has joined #openvpn
03:52 < vahid_> What's this mean: 2014 us=371201 bugs/151.232.184.184:45080 MULTI: bad source address from client [192.168.1.51], packet dropped
03:52 < vahid_> bugs is my certificate file name ;-)
03:52 <@plaisthos> dazo: and you can add that it closes trac ticket 489
03:52 <@dazo> will do!
03:54 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
03:56 < vahid_> I hava push "redirect-gateway def1 bypass-dhcp" and push "dhcp-option DNS 208.67.222.222" but I can't resolve the web pages in Client anymore :-/
03:56 <@dazo> vahid_: do you route 208.67.222.222" via the tunnel?
03:57 < vahid_> I don't understand
03:57 < vahid_> I have that option in server.conf file
03:57 <@plaisthos> vahid_: probably wrong dns server
03:57 <@plaisthos> or dns server not working anymore with dns
03:57 < vahid_> It worked 1h ago !
03:58 < vahid_> so should I change it to 8.8.8.8 ?
04:00 <@plaisthos> or any other dns server you trust
04:04 -!- vahid_ [~vahid@151.232.184.184] has quit [Ping timeout: 258 seconds]
04:05 < LnxBil> plaisthos: Read timeout expired: Operation now in progress (using socks proxy)
04:08 < LnxBil> plaisthos: Everything works as expected if I use udp. On timeout, the next remote will be connected, etc. Yet with TCP on the first read timeout, the whole process stops and I to start OpenVPN by hand
04:12 <@plaisthos> LnxBil: can you post the log?
04:12 <@plaisthos> that should not happen?
04:49 -!- andi [~andi@unaffiliated/fr00d] has quit [Ping timeout: 240 seconds]
04:59 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:59 < ValdikSS> Hello!
04:59 < ValdikSS> Could someone please test OpenVPN with the following patch which should fix sndbuf and rcvbuf issue? I'm running my laptop from battery and don't want to waste battery power on compiling
05:00 < ValdikSS> https://gist.github.com/ValdikSS/b11aa8a7dbe185413bd8
05:00 <@vpnHelper> Title: OpenVPN sndbuf/rcvbuf fix (at gist.github.com)
05:05 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
05:06 < ValdikSS> https://community.openvpn.net/openvpn/ticket/461#comment:10
05:06 <@vpnHelper> Title: #461 (Change default sndbuf and rcvbuf values) – OpenVPN Community (at community.openvpn.net)
05:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:12 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 240 seconds]
05:14 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:14 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
05:20 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 244 seconds]
05:34 -!- jdmf [~jdmf@91.198.201.28] has quit [Quit: Bye.]
05:34 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
05:42 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:51 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
06:10 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
06:14 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
06:21 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
06:29 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
06:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:52 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:22 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
07:31 < LnxBil> plaisthos: http://paste.debian.net/hidden/911a8b6a/
07:35 <@plaisthos> hm
07:35 <@plaisthos> that should not be a sigterm
07:35 <@plaisthos> do you have options in the config file that remap signals?
07:39 < LnxBil> No, simple config http://paste.debian.net/hidden/a206a160/
07:45 <@plaisthos> okay that is strange
07:47 < LnxBil> exactly
07:47 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:49 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Quit: Konversation terminated!]
07:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 258 seconds]
07:57 <@dazo> LnxBil: have you pasted your config anywhere?
07:58 <@dazo> duh!
07:59 <@dazo> LnxBil: found it ... sorry ... can you pastebin logs with verb 4?  I'd like to see the PUSH messages from the server
08:01 < LnxBil> dazo: Server is not responding, thats the problem here.
08:02 <@dazo> aha ....
08:02 < LnxBil> with UDP, if the server does not answer in time, the next entry is used. I want the same with TCP
08:03 <@dazo> hmmm ... well, then actually --verb 9 could provide some more details
08:03 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:05 < LnxBil> dazo: Nothing new after "TCP port read timeout expired", only free's
08:06 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
08:07 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
08:07 <@dazo> LnxBil: could you please try to upgrade to a newer openvpn version?  just so we're not hunting a bug we've fixed (but not noticed or forgotten we've fixed)
08:07 <@dazo> 2.3.6 is the latest and greatest
08:07 <@dazo> btw ... seeing server side logs would also help
08:07 < LnxBil> dazo: Again, Server is down
08:08 <@dazo> so you're trying to connect to a non-responsive server?
08:08 < LnxBil> dazo: There is no server. I want that TCP would behave like UDP and connect to the next remote in config
08:08 <@dazo> okay, I thought it was that the server didn't respond
08:09 < LnxBil> My problem is that I have 3 remotes and if the first is down, it does not connect to the second and it quits. That's bad. UDP gets a timeout and tried the next forever
08:09 <@dazo> fair enough
08:10 < LnxBil> so once started with UDP, the openvpn process will continously reconnect on error, tcp exits immediately. I want to know it I only don't get the manual right or if this is desired behaviour
08:10 < LnxBil> Unfortunately, I am currently forced to use TCP, socks server does not forward udp traffic
08:12 <@dazo> okay, I can reproduce this on latest git master
08:12 <@dazo> plaisthos: it happens when using --socks-proxy
08:13 < LnxBil> correct
08:13 <@dazo> and the socks-proxy cannot connect
08:13 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
08:13 < LnxBil> dazo: yes. If I start the server, it works without a flaw
08:14 <@dazo> LnxBil: try adding --socks-proxy-retry
08:15 <@dazo>  --socks-proxy-retry
08:15 <@dazo>         Retry indefinitely on Socks proxy errors.   If  a
08:15 <@dazo>         Socks  proxy  error  occurs,  simulate  a SIGUSR1
08:15 <@dazo>         reset.
08:18 < LnxBil> Now it retries yes, I'm capturing packets to see if it tries all remotes (no indidaction on log)
08:18 <@dazo> LnxBil: it might be that you need to use connection blocks actually
08:19 <@dazo> <connection>
08:19 <@dazo> remote xxxxx
08:19 <@dazo> socks-proxy yyyy pppp
08:19 <@dazo> </connection>
08:19 <@dazo> instead of socks-proxy as a single statement and multiple remote lines
08:20 < LnxBil> I'll try. At the moment it tries only the first entry repeatedly
08:20 <@plaisthos> dazo: that does not make a difference
08:20 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 272 seconds]
08:20 <@dazo> plaisthos: obviously :)
08:20 <@plaisthos> trust me, I know that code :P
08:21 <@dazo> you mean connection blocks?
08:21 <@dazo> or what are we taking about?
08:21 <@plaisthos> dazo: the whole remote parsing stuff
08:21 <@plaisthos> if you have a proxy remotes are converted to connection internally
08:21 <@dazo> ahh, okay, that's what I wasn't sure of
08:22 <@dazo> so with socks failing, it doesn't traverse the remotes
08:22  * dazo need to run
08:23 -!- dazo is now known as dazo_afk
08:30 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Quit: Konversation terminated!]
08:30 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
08:36 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
08:38 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e1ce:4f29:1a4e:36e2] has quit [Quit: Leaving]
08:50 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
08:53 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:54 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:57 < LnxBil> One way to fix this would be to skip to the next remote if socks-proxy-retry is present. 'random-remote' does also not work in this context, maybe because the connection is not reinitiated on a SIGUSR1, is it?
08:58 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has left #openvpn ["WeeChat 0.3.8"]
08:59 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:07 <@plaisthos> random remote shuffles the remotes at the start of openvpn iirc
09:15 -!- Latrina [~Latrina@ppp-154-8.26-151.libero.it] has quit [Ping timeout: 258 seconds]
09:18 -!- Latrina [~Latrina@ppp-196-31.26-151.libero.it] has joined #openvpn
09:19 -!- SnApO [~snapo@catv-133-030.tbwil.ch] has joined #openvpn
09:20 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
09:21 < SnApO> hey guys... i did setup my first vpn server with open vpn, created cert for the client, can connect to it and surf on the internet with it and all client can communicate to each other. The problem now is i want to be able that only a specific ip range goes thrue openvpn instead of the whole traffic. is something like this possible
09:21 < SnApO> ?
09:29 <@plaisthos> see route
09:30 <@plaisthos> and don't set a defualt gw
09:31 < SnApO> so just removeing the redirect-gw would do it?
09:32 < SnApO> will try playing with that option.... thanks for the hint
09:45 -!- SnApO [~snapo@catv-133-030.tbwil.ch] has quit []
10:34 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
10:38 -!- chunt_6817 [~drsmooth@li604-190.members.linode.com] has joined #openvpn
10:38 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:57 -!- brayn [~brayn@86.107.61.126] has joined #openvpn
10:58 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 244 seconds]
10:58 < brayn> Morning! Should the openvpn server local IP address be in the same subnet as the "server" config option?
10:59 < brayn> !logs
10:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:59 < brayn> !configs
10:59 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:03 < DArqueBishop> In most (all?) cases, no.
11:05 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 252 seconds]
11:05 < brayn> DArqueBishop: OK, makes sense
11:08 < brayn> Is there any thing special that I should do while launching a OpenVPN instance in Amazon VPC? I've set it up in a public subnet with access in the Security Group
11:13 < DArqueBishop> I've never ran OpenVPN in an Amazon VPS, so I couldn't tell you.
11:13 -!- ubercrypt [~pdota@104.156.240.140] has joined #openvpn
11:20 < KaaK> brayn, just make sure udp 1194 (or whatever you are using) is in your security group
11:24 < KaaK> brayn, actually, I have had issues with packets that have source addresses foreign to the subnet they are in. e.g. A packet with IP source 5.0.0.1/24 in a VPC subnet of 10.0.0.0/24 doesn't appear to get anywhere in the network
11:24 < KaaK> I've always had to NAT traffic INTO a VPC subnet
11:25 < KaaK> such that the packet has a source address native to the subnet it is in once it appears on the subnet
11:30 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has joined #openvpn
11:33 < brayn> KaaK: I have the port in my SG. I've also enabled all traffic to the VPN instance and the thing is I'm still getting a timeout when trying to connect remotely (form my PC, through the internet)
11:33 < ImDevinC> Are there issues using push “redirect-gateway def1” on Windows servers running OpenVPN? I can connect to my VPN just fine, but cannot get my traffic to route through the network properly.
11:34 < KaaK> what does your VPC look like? You've got an internet gateway? You've got a routing table using that gateway? You've got your routing table associated to your subnet? You've got a public IP for your instance?
11:35 < KaaK> also, do you have source/dest. check disabled on your instance?
11:36 < brayn> KaaK: I have a public and a private subnet + some subnets for RDS. I have a public GW. The VPN instance is in the public subnet which has its routing table set to the IGW. The subnet in the "server" config is a different subnet entirely
11:36 < brayn> KaaK: I don't know about source/dest. I'll have a look now
11:37 < brayn> KaaK: Was not disabled. I kate it it should be, right? :/
11:38 < KaaK> brayn, you should read up on it and understand it first -- but yes
11:38 -!- ubercrypt [~pdota@104.156.240.140] has quit [Quit: ubercrypt]
11:38 < brayn> KaaK: Disabled it and retried connecting. Still no luck
11:39 < brayn> This is the actual error I'm getting http://pastebin.com/8GVSGY20
11:40 < brayn> Initially I though maybe traffic is going through the NAT instance, but I've checked in the routing table and it looks like it should go throigh the IGW
11:41 < KaaK> brayn, Run some simple UDP server on your port in question. From outside your VPC, use a tool like nmap to probe this port. Once you isolate any network traversal issues, then I'd move on to VPN
11:42 < brayn> KaaK: That does sound like a good idea. Any tips on what I could run on that port? I've tried nmap and it shows the port now as 'filtered'
11:42 < KaaK> it is very difficult to isolate if this is a AWS/VPC issue, or if it is a config issue
11:42 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has quit [Ping timeout: 255 seconds]
11:42 < KaaK> brayn, TFTP
11:43 < brayn> KaaK: Sure, makes sense. One last thing. I've used this to setup the VPC https://aws.amazon.com/marketplace/pp/B00H03HMLA/ref=srh_res_product_title?ie=UTF8&sr=0-3&qid=1418133268957
11:43 <@vpnHelper> Title: OpenVPN - Open Source VPN solution on AWS Marketplace (at aws.amazon.com)
11:44 < KaaK> brayn, I've always gone off of an ubuntu instance -- so i can't really comment towards that AMI
11:45 < brayn> After the initial config I haven't setup anything else regarding to routing (in iptables for example). As you can't see I don't have that much experience with OpenVPN so I don't know if any exatra configuration is reqired
11:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:49 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has joined #openvpn
11:50 < pekster> ImDevinC: Resources for redirecting traffic:
11:50 < pekster> !redirect
11:50 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
11:50 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
11:51 < ImDevinC> pekster: thanks
11:52 < KaaK> brayn, http://pastebin.com/45dCT7B2 -- this is my client/server config that I currently use successfully in AWS VPC
11:53 < ImDevinC> Now to switch networks again to test this… brb
11:53 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has left #openvpn []
11:53 < pekster> KaaK: Unles you are "Syrian Telecommunication Est" you should not be using anything in the 5.0.0/15 network
11:54 < pekster> !1918
11:54 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi or (#4) See !5737 for addresses to use for examples and documentation
11:54 < brayn> KaaK, pekster: Thanks, looking at it now.
11:57 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has joined #openvpn
11:58 < ImDevinC> pekster: I was able to reach the bottom right section, and ended up at the “Your VPN did not add routes correctly”. Any tips on where to start looking? Currently I have no push routes turned on, as OpenVPN doesn’t handle my DHCP addressing of the clients that connect, I would like my normal server to handle that
11:59 < KaaK> pekster, typically I stick to it -- but often get frustrated looking through tons of 10, 172, 192 networks.
11:59 < brayn> KaaK: Mine looks somewhat different http://pastebin.com/g9f4GLTx
12:02 < KaaK> brayn, yours is significantly more complicated -- which isn't bad -- just not great for troubleshooting. I'd start with a bare-essentials config, then work your way up from there
12:04 < pekster> a changeroot into where your keys are keept seems rather odd (so now if someone owns your server, you've also just likely compromized all your issued private keys too and would need to re-issue them? Sounds like a bad plan if that's also your CA)
12:05 < KaaK> inline certs and keys are very convenient -- no paths to screw up. also chroots _can_ be notoriously hard to troubleshoot. Also, drop the gateway redirects -- they can also be persnickety.
12:05 < pekster> If you want a chroot, put it somewhere less insane
12:05 < KaaK> again, once you get a simple tunnel up, start adding your requirements from there
12:08 < brayn> OK, thaks for the advice. I wanted to set this up in a hurry and went with the default that AMI provided. But it doesn't look like a good idea now so I'll thake it from the beginning and get through it step by step
12:09 < pekster> oh even more fun; they've applied crappy security for all users of their product. Fun :)
12:09 < pekster> Then again, when it's called a "turnkey" security appliance you've got to wonder
12:13 < brayn> pekster: Serves me right for trying to get securty work done in a hurry
12:16 < pekster> !hardening
12:16 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
12:18 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:21 < brayn> thanks
12:24 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
12:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:46 < ImDevinC> I'm using the following config files, and I can connect to my OpenVPN server without issue. However when I connect, my external IP address doesn't change. Any help would be greatly appreciated. Server: pastebin.com/Cvj5hhkX Client: pastebin.com/Q40vDz2S
12:58 -!- ImDevinC [~ImDevinC@c-174-53-221-119.hsd1.mn.comcast.net] has quit [Quit: ImDevinC]
12:58 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 258 seconds]
13:11 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
13:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
13:14 < zoredache> using push "redirect-gateway def1" doesn't make sense on a client.  push is about pushing configuration from a server to client.
13:15 < zoredache> Though you have this being pushed from your server so the above probably doesn't matter.
13:16 < DArqueBishop> Might help to remove it from the client and see if that helps.
13:30 -!- akira is now known as vespiiary
13:30 -!- vespiiary is now known as touya
13:35 -!- KNERD [~KNERD@23.227.189.101] has quit [Ping timeout: 244 seconds]
13:44 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
13:45 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
13:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
14:04 -!- KNERD [~KNERD@23.227.189.101] has joined #openvpn
14:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:10 -!- mode/#openvpn [+v s7r] by ChanServ
14:17 -!- brayn [~brayn@86.107.61.126] has quit [Quit: Lost terminal]
14:38 -!- mattock is now known as mattock_afk
14:47 -!- joder [~ircap@unaffiliated/joder] has joined #openvpn
14:47 < joder> !welcome
14:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:47 < joder> !goal
14:47 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:47 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:48 < joder> Anyone around?
14:48 < joder> looking to get some help to connect an android client and a dd-wrt router
14:49 < joder> gettin VERIFY OK: depth=-
14:49 < joder> error rending cert
14:50 < joder> TCP recv error: Connection reset by peer
14:50 < joder> Transport Error: Transport error on xxxxxxxxx: NETWORK_RECV_ERROR
14:50 < joder> On my android OpenVPN app
15:00 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
15:02 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:02 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Client Quit]
15:03 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
15:05 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:07 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
15:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
15:14 < alanjf> My friend posted this: gofundme.com/ika0ek
15:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
15:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
15:55 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:55 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:56 -!- joder [~ircap@unaffiliated/joder] has quit [Ping timeout: 265 seconds]
15:58 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:03 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
16:03 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
16:05 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
16:06 -!- keytoaster [~tobias@gentoo/developer/keytoaster] has quit [Ping timeout: 240 seconds]
16:07 -!- blaubarschbube [~adads@nat.hamburg.contentfleet.com] has quit [Ping timeout: 245 seconds]
16:08 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
16:11 -!- Henryabcd [~Henryabcd@pD9E0A1BF.dip0.t-ipconnect.de] has joined #openvpn
16:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:18 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 256 seconds]
16:19 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 244 seconds]
16:19 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
16:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
16:37 -!- Henryabcd [~Henryabcd@pD9E0A1BF.dip0.t-ipconnect.de] has quit [Quit: Leaving]
16:42 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
16:42 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:44 -!- joder [~ircap@unaffiliated/joder] has joined #openvpn
16:48 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
16:50 -!- drew726 [0435816a@gateway/web/freenode/ip.4.53.129.106] has joined #openvpn
16:53 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
16:54 -!- s7r_r [~s7r@openvpn/user/s7r] has joined #openvpn
16:54 -!- mode/#openvpn [+v s7r_r] by ChanServ
16:54 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
16:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
16:56 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 264 seconds]
16:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
17:00 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [K-Lined]
17:02 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
17:11 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
17:12 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
17:16 -!- s7r_r is now known as s7r
17:27 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
17:35 -!- joder [~ircap@unaffiliated/joder] has quit [Ping timeout: 258 seconds]
17:37 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
17:38 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:41 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
17:51 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 245 seconds]
17:53 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 264 seconds]
17:57 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has joined #openvpn
18:05 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
18:09 -!- chunt_6817 [~drsmooth@li604-190.members.linode.com] has quit []
18:17 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:18 -!- littlebearz [~littlebea@209-195-75-100.cpe.distributel.net] has joined #openvpn
18:23 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 250 seconds]
18:28 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
18:32 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
18:35 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:39 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
18:46 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 256 seconds]
18:52 -!- drew726 [0435816a@gateway/web/freenode/ip.4.53.129.106] has quit [Quit: Page closed]
18:57 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
18:59 -!- shadok_ [~muaddib@unaffiliated/shadok] has joined #openvpn
19:02 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 265 seconds]
19:04 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
19:06 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:12 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:14 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
19:15 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:16 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
19:20 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:37 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 256 seconds]
19:38 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
19:39 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
19:42 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:59 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
20:14 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
20:30 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:33 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
20:41 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:44 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
20:58 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
20:59 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 240 seconds]
21:14 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 252 seconds]
21:23 -!- u0m3_ [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
21:23 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:34 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
21:35 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
21:35 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
21:35 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
21:38 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
21:38 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
21:38 -!- mode/#openvpn [+v s7r] by ChanServ
21:39 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
21:42 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
22:13 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 250 seconds]
22:20 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
22:20 -!- mode/#openvpn [+v hazardous] by ChanServ
22:23 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 255 seconds]
22:23 -!- shadok_ [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 244 seconds]
22:26 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
22:32 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
23:04 <@krzee> joder, have you used that exact config with a normal computer?
23:05 <@krzee> or are you testing the PKI and server / client configs in the same shot?
23:05 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
23:06 <@krzee> alanjf, what does that spam have to do with this channel?
23:06 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
23:07 <@krzee> i mean good luck to your friend, but not cool to spam help channels with some dude trying to solicit $ for a trip
23:09 -!- alexw [~textual@unaffiliated/alexw] has quit [Client Quit]
23:32 -!- vAd0r [~IceChat9@unaffiliated/vad0r] has joined #openvpn
23:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 252 seconds]
23:41 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
23:42 < _FBi> I'd like people to give me month for stuffs
23:42 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:48c7:eb90:fd31:2c40] has joined #openvpn
23:55 -!- ShadniX [dagger@p5481C861.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:56 -!- ShadniX [dagger@p5481CD26.dip0.t-ipconnect.de] has joined #openvpn
23:59 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: Textual IRC Client: www.textualapp.com]
--- Day changed Wed Dec 10 2014
00:06 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
00:11 -!- akamaru [~akamaru21@2601:0:8a80:1064:5155:d61c:6113:e38f] has joined #openvpn
00:13 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:48c7:eb90:fd31:2c40] has quit [Ping timeout: 258 seconds]
00:29 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
00:31 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
00:35 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 260 seconds]
00:35 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
00:38 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:39 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
00:45 < LnxBil> plaisthos: 'random-remote' could also be triggered on SIGUSR1 to solve my problem. I checked without socks server that TCP tried to connect to the next remote if it fails to connect. So, maybe one should think about changing the socks code in such a way that it honors multiple remotes and tries to connect to the next one instead of loop indefinitely on the same remote
00:52 < alanjf> krzee: Sorry, I'm just trying to help him and his family out. They don't have a lot of funds and they have some family abroad that si ill so they don't know if they'll ever get to see them.
00:53 < alanjf> krzee: This is kind of a last ditch sort of thing.
00:53 -!- doop [~doop@colostomy.club] has joined #openvpn
00:54 < alanjf> They are some of the kindest people I've ever known so it really sucks to see them in this sort of situation. they aren't really computer people though so I've been trying to help out in that department.
00:56 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 245 seconds]
01:03  * Eugene krzee 
01:05 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
01:25 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
01:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
01:40 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 272 seconds]
02:02 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:02 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
02:04 -!- vAd0r [~IceChat9@unaffiliated/vad0r] has quit [Ping timeout: 244 seconds]
02:07 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Read error: Connection reset by peer]
02:10 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:11 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:33 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
03:19 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Read error: Connection reset by peer]
03:40 -!- vAd0r [~IceChat9@unaffiliated/vad0r] has joined #openvpn
03:54 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
04:15 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
04:15 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
04:26 < LnxBil> plaisthos: finaly I got UDP socks and now it works as expected with rotating remotes. Therefore, the aforementioned problem is TCP-only.
04:27 -!- dazo_afk is now known as dazo
04:54 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:28 < kef> is --fragment not supported on iOS?
06:48 -!- mattock_afk is now known as mattock
07:02 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:12 < esde> when i run openvpn --genkey --secret ta.key, the output is 2048bit, is there a way to set a larger size?
07:14 < esde> would openssl dhparam -out ta.key 4096, accomplish the goal?
07:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:27 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:28 <@krzee> esde, was there something that made you think ta.key was a dhparams file?
07:28 <@krzee> and if it were, why would openvpn have --genkey ?
07:29 < esde> no, i realized they arent the same thing once i hit enter
07:29 <@krzee> you're building this file for tls-auth, right?
07:30 < esde> yes, i've got my system up and running with it now. i am curious if i could generate a larger ta.key and if so, how
07:30 < esde> (tls-auth that is)
07:31 <@krzee> thing is, it wouldnt matter
07:31 <@krzee> once you learn how that file is used, you'll see why
07:32 < esde> is there an faq question or something that addresses that? I'd like to learn more about it
07:32 <@krzee> trying to find it
07:34 <@krzee> http://openvpn.net/index.php/open-source/faq/77-server/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key.html
07:34 <@vpnHelper> Title: Changed hex bytes in the static key, the key still connects to a remote peer using the original key. (at openvpn.net)
07:34 < esde> iirc dh2048.pem (for example) should be the >= the size of the certs and keys (rather than disproportionately smaller), but ta.key can be just 2048 regardless of the size of the keys and certs, if i am understanding correctly
07:35 <@krzee> a hmac signature is totallyh unrelated to the rest of the crypto
07:35 <@krzee> its simply a packet integrity check
07:35 <@krzee> unrelated to actual crypto, it's simply a hash
07:36 <@krzee> not for hiding whats in the data, simply for verifying the packet.
07:41 < esde> in the example, not data from the file is used (with default params). after reading the summary, I'm using SHA512 and a stronger cipher, and I don't have to worry about creating a larger ta.key because there's already enough data in the file for the things it needs to be used for?
07:41 < esde> *a lot
07:41 < esde> *not a lot of
07:41 <@krzee> right
07:42 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
07:42 < esde> TIL, thank you krzee
07:42 <@krzee> a larger file would do nothing for you
07:42 <@krzee> np
07:42 <@krzee> your cipher is unrelated, fyi
07:50 < esde> the cipher their referring to in the example is tls-cipher?
07:50 < esde> *they're
07:50 <@krzee> its static key
07:50 <@krzee> aka no RSA
07:51 -!- shadok_ [~muaddib@unaffiliated/shadok] has joined #openvpn
07:51 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 244 seconds]
07:51 < esde> :/ i'm getting a little lost. I understand what you're saying, but I'm not "picking up" what you just said.
07:52 <@krzee> ok so in openvpn you *can* use RSA certificates, but you dont have to
07:52 <@krzee> for a simple 1-1 connection (no server with clients, just a ptp link) you can use --secret to point to a static key file
07:53 <@krzee> and if you do, it will use the same type of file as tls-auth uses
07:54 <@krzee> if you use RSA then that file is 100% unrelated to cipher
07:54 <@krzee> if you use that file as your static key, then it is used.
07:55 <@krzee> !statickey
07:55 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
07:56 < esde> in my case im using an RSA cipher for tls-cipher. so that file is being used for HMAC and nothing else? but if i had a connection like you described, the file would be used for cipher and hmac?
07:56 <@krzee> i already know you dont use that file as a static key, since you mentioned DH and certs, neither of which exist in a setup which uses statickey
07:56 -!- mcp [~mcp@wolk-project.de] has quit [Remote host closed the connection]
07:56 <@krzee> the file gets used how your config says.
07:57 <@krzee> you only use the file in your tls-auth statement, so thats the only place it gets used
07:57 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
07:57 <@krzee> bbl
07:59 < esde> thank you for the info and time
08:00 <@krzee> np =]
08:10 -!- littlebearz [~littlebea@209-195-75-100.cpe.distributel.net] has quit [Read error: Connection reset by peer]
08:42 -!- u0m3 [~u0m3@109.96.153.17] has quit [Ping timeout: 256 seconds]
08:44 -!- mcp [~mcp@wolk-project.de] has joined #openvpn
08:46 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:55 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
09:00 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:05 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has joined #openvpn
09:05 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has quit [Ping timeout: 245 seconds]
09:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
09:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
09:20 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
09:21 -!- Andrew_Ryan [~Andrew_Ry@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:31 -!- Andrew_Ryan is now known as Eagleman
09:32 -!- Eagleman [~Andrew_Ry@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
09:33 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:34 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
09:34 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:37 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
09:38 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:52 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Remote host closed the connection]
09:54 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
09:56 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
09:56 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
09:57 <@dazo> esde: (reading scrollback) ... the reason --genkey produces only 2048 bytes is that it is used for symmetric encryption.  And that secret actually carries 4 x 512bits keys (iirc).  Currently the strongest symmetric ciphers OpenVPN supports is only 256bits ... which is really a strong key
09:58 <@dazo> When you compare 256 bytes symmetric with 2048 bits RSA ... you're starting to compare oranges and apples.  Because the RSA key is an asymmetric key, as you derive a public key out of the private key
09:59 <@dazo> In 2003 RSA Security estimated a 3072bits RSA key to equivalent in "cipher strength" to a 128 bits symmetric key
10:00 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Client Quit]
10:01 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:01 <@dazo> I also see you referenced 'openssl dhparam' ... and that operation does not create a key.  It finds a large prime number which will be used during the Diffie-Hellman key exchange.
10:03 <@dazo> When you use TLS mode, the client and server negotiates a temporary key, using the public key stored in the certificates and this dhparam file (--dh option in OpenVPN) ... when they have shared enough information over the wire (without transferring the actual key), the data channel in OpenVPN is symmetrically encrypted using this temporary key
10:03 <@dazo> And with --reneg-* options set, OpenVPN will replace this temporary key on a regular basis.
10:04 < esde> dazo, symmetric ciphers are what krzee was describing in their example earlier?
10:05 <@dazo> When you just use --secret and remove the TLS related stuff (--ca, --key, --cert, --dh), then the data channel will be symmetrically encrypted using only that static key which will never be replaced until you manually replaces the --secret files
10:06 <@dazo> esde, yes, when krzee told you about !statickey, that is a pure symmetric encryption without any key rotation
10:06 < esde> ok
10:06 < esde> !reneg
10:06 <@vpnHelper> "reneg" is (#1) by default (in client/server mode) openvpn will renegotiate the tls key hourly. this can be adjusted with the --reneg option or (#2) this should not be disabled as it is important for !forwardsecurity
10:07 <@dazo> client/server mode == TLS mode
10:10 <@dazo> [cool fact] NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys (https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths)
10:10 <@vpnHelper> Title: Key size - Wikipedia, the free encyclopedia (at en.wikipedia.org)
10:12 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 272 seconds]
10:13 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
10:14 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
10:15 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:21 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
10:28 < KaaK> quick question -- by default, will a client or server daemon exit if an authentication error occurs?
10:29 < KaaK> and what configuration options (if any) control this behavior?
10:29 < KaaK> specifically in TLS client/server mode
10:36 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
10:37 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
10:48 <@dazo> KaaK: for server side, it depends on configuration (look at --single-session in the man page).  For the client side, it should exit
10:48 <@dazo> (by authentication, I interpreted that as username/password authentication)
10:51 < KaaK> dazo, if it matters, i'm more geared towards TLS trust errors. Key/cert/CA/...
10:51 <@dazo> okay, iirc, the client will try to reconnect automatically in the case where certificate authentication fails, unless --tls-exit is used in the client config
10:52 < KaaK> i recognize the potential security issue, but can this exit behavior be overridden for a client? Such that it just keeps attempting to authenticate (via TLS) until the error can be corrected (if it can be)
10:52 <@dazo> by not using --tls-exit, the client will try to reconnect automatically, iirc ... it's a long time since I've seen that
10:53 <@dazo> (my certs have been "in order" for some time :))
10:53  * dazo brb
10:54 < KaaK> ahh, great -- i have little control of a client that I have running in a co-location center. Basically, I want the client to run not matter what, as if it exits, my tunnel will be down and I will have wait till they act on their end to address it
11:12 -!- Denial [~Denial@81.141.2.111] has quit []
11:12 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
11:13 <@dazo> KaaK: if your server becomes unavailable, then it should re-connect automatically.  I have such a setup on three of my VPN clients ... so I do restart the server from time to time, and after a few minutes, the tunnel is re-established.  However, I do use --keepalive in the server config, which is helpful to trigger re-connects
11:14 -!- Denial [~Denial@81.141.2.111] has joined #openvpn
11:14 -!- Denial [~Denial@81.141.2.111] has quit [Remote host closed the connection]
11:16 -!- Denial [~Denial@81.141.2.111] has joined #openvpn
11:28 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
11:28 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
11:51 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
11:51 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Ping timeout: 260 seconds]
11:54 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
11:55 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
11:58 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
12:16 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Ping timeout: 265 seconds]
12:16 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
12:17 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:17 -!- Komplanar [~Komplanar@46.22.223.200] has quit [Quit: leaving]
12:21 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
12:24 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Quit: Bye!]
12:24 -!- Droolio [~drool@host86-182-194-209.range86-182.btcentralplus.com] has quit [Quit: If you believe in telekinesis, raise my hand.]
12:25 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:31 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
12:41 -!- Olivier [~Olivier@unaffiliated/olivier] has joined #openvpn
12:55 <@krzee> dazo, i feel like what you just said should be made into a link on community. but im not sure what to name it or how to make it flow
12:56 <@krzee> but you explained it very well
12:57 <@krzee> dazo, "NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys"    does that mean 15360bit RSA has been tested and thought to still be strong?  i been unwilling to go beyond 4096bit RSA because im unsure of how much testing the crypto ninjas had done on RSA with huge bitsizes
12:59 <@dazo> krzee: the NIST statement is probably more or less a guestimate ... it might be they've hacked on some tools to measure it, but 256 bits symmetric keys are known to be rock solid - as long as the algorithm used is solid
13:00 -!- mattock is now known as mattock_afk
13:01 <@dazo> krzee: regarding the static key vs. pki keys ... that's more or less a couple of faq items, I guess
13:04 -!- ylluminate [~ylluminat@108-61-57-43ch.openskytelcom.net] has joined #openvpn
13:05 < pekster> Things get more fun when you evaluate ciphers, such as the paper that showed AES-256 (this might have been wrt. TLS specifically, I'm not sure now) offers security on-par with AES-128 anyway
13:05 <@dazo> true
13:09 <@krzee> very interesting
13:09 <@krzee> never saw that paper
13:10 <@krzee> wrt TLS as in keys generated on WRT, or just WRT using it?
13:10 <@krzee> cause i know those lil embedded devices have had randomness issues (facthacks with djb)
13:12 < pekster> AES in general (again, not sure if it was _all_ AES, or AES used in TLS specifically.) It had to do with the best cryptoanalysis on the varying rounds each length of the cipher had
13:17 < Gellert> cső kokel
13:17 < Gellert> cső
13:19 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
13:25 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
13:27 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
13:32 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
13:36 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
13:41 < kokel> Gellert, ?
13:43 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
13:44 <@dazo> krzee, syzzer:  If you could review these points and provide feedback, they could be implemented into a FAQ regarding OpenVPN and ciphers ... http://fpaste.org/158477/14182406/raw/
13:46  * pekster wonders what the "same key file can be use[d] for both" bit is getting at -- you'd never use both at once (as that's not a valid config), and the 4 keys are because rx/tx * 2 directions
13:47 -!- marl_scot [~matt@cpc2-dumb5-2-0-cust823.20-3.cable.virginm.net] has joined #openvpn
13:48 < pekster> syzzer might know more, but my understanding was the 512 bit size comes from the length of the digest (not the cipher) and 512 is neecessary today with eg: whrilpool
13:49 < marl_scot> hi folks, am trying to setup a bridge connection for thew first time, my ip range is 192.168.8.x on both ends, i am sitting at my server, trying to access machines on the client (client is actually an openvz server with guests on 192.168.8.x) i have an openvpn connection just now as routed but want to bridge, anyone able to help me? what other info is needed?
13:51 <@dazo> marl_scot: why do you want to bridge?
13:51 < marl_scot> oh, and just to complicate things, if posible i would like to keep the bridging to just this client (as other clients i connect from only require routed access)
13:51 < marl_scot> have just moved the client machine from my house to a datacenter and dont want to have to change all the addresses in the guests
13:52 <@dazo> marl_scot: ever heard about routing?
13:52 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
13:52 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
13:52 < Gellert> kokel: I'M IN LOVE WITH YOU
13:53 -!- mode/#openvpn [+o Eugene] by ChanServ
13:53 -!- Gellert was kicked from #openvpn by Eugene [I'm in love with a sandwich]
13:53 <@dazo> lol
13:54 <@krzee> haha
13:54 < marl_scot> ok, so general opinion is to change my IP range at the client side and route everything?
13:55 <@dazo> marl_scot: that's one way to do it, and in the long term, the most easy solution ... little maintenance and rock solid
13:55 < marl_scot> ok :(
13:56 -!- eaglelinux-02 [~eaglelinu@213.207.43.231] has joined #openvpn
13:56 < eaglelinux-02> how to setup openvpn pool /24
13:57 <@dazo> marl_scot: of course, you can do other tricks, like port NAT on the client side network too, and getting the port NATed traffic tunnelled to the data centre ... but this requires far more tweaking and is prone to failures when the network expands on either side
13:57 < eaglelinux-02> because tap limit that to /30
13:57 <@dazo> !/30
13:57 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
13:57 < marl_scot> ok, so local machine (server) is 192.168.8.x, openvpn is over 10.9.0.1 (server) to 10.9.0.14 (client) on server run : route add 10.91.0.0 netmask 255.255.255.0 gw 10.9.0.1 ?
13:57 <@dazo> marl_scot: that last option is to bridge ... which really creates a bottle neck in your network and is a can full of ugly and troublesome warms
13:58 <@dazo> s/warms/worms/
13:58 <@dazo> marl_scot: yeah, something like that
13:58 <@dazo> marl_scot: where do you have the openvpn server?  locally in your LAN or at the DC?
13:59 < marl_scot> server is local pc
13:59 < marl_scot> result from above route : route: netmask 000000ff doesn't make sense with host route
13:59 <@dazo> you can instruct openvpn to set up the routes automatically when it connects
13:59 <@dazo> How experienced are you with routing?
14:00 < marl_scot> not great! hence having to ask in here :9
14:00 <@dazo> okay ... can I please ask you to read chapter 3 (iirc) in the book referenced in !tcpip ?
14:00 <@dazo> !tcpip
14:00 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:00 < marl_scot> think i understand the basics, tell linux that you want addresses in this range pushed through that interface
14:00 <@dazo> it will provide you with the basics of understanding routing
14:01 <@dazo> and no matter bridging or not ... routing is something you really need to understand when doing VPNs
14:01 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
14:02 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
14:03 < marl_scot> thanks will read that first, then come back :)
14:04 <@dazo> please do!
14:04 <@dazo> :)
14:05 <@krzee> dazo, "So if that key file is lost,"  i would s/lost/stolen/
14:06  * dazo adds "or stolen" :)
14:06 <@krzee> "lost" may be = i accidently rm
14:06 <@krzee> im not worried about losing my key, im worried about someone finding it
14:06 <@dazo> ahh, fair enough
14:07 <@dazo> I actually meant lost as "put in a USB stick which I can't find again"
14:07 <@krzee> backups are for lost items, crypto is for found items ;]
14:07 <@dazo> hehe
14:08 <@dazo> "which is stolen or otherwise lost control over" ... would that be more accurate?
14:08 <@krzee> are there actually statistical analysis tools that do that?!
14:08 <@krzee> thats kind of awesome
14:08 <@krzee> ^ yep
14:09 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
14:09 <@dazo> I don't know of anything concrete, other than it would not surprise me at all ... you have rainbow tables for hashing, so similar tools would probably be used for cracking encryption
14:10 <@dazo> I believe I've read about such analysis, but I don't recall any particular paper right now
14:10 <@krzee> gotchya, id be interested in playing with such tools
14:10 <@krzee> and their awesome power
14:11 <@dazo> I do remember it was hard, took at lot of CPU power and still took time :)
14:11 <@dazo> (except for known broken ciphers, of course)
14:11 <@krzee> ahh, so more of a nation-state attack than a bored krzee attack
14:11 <@dazo> yeah
14:11 <@dazo> nation state attack == nsa ... coincidence? ;-)
14:11 <@krzee> hahahaha
14:11 <@krzee> thats great
14:13 <@dazo> I imagine some high level managers discussing this "We need something more subtle than Nation State Attack", "yeah, something like National Security Agency!", "oh cool! I like that! It even has Agency in it!" :-P
14:14 <@dazo> and so the rumours start .... ;-)
14:14 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 265 seconds]
14:14 <@krzee> all i know is "TAO" is the dopest name for an attack group
14:14 <@krzee> you KNOW those guys deliberated over their name
14:14 <@dazo> hehehe ... yeah!
14:15 <@krzee> hell i bet half of them (at least) used to be in attack groups online
14:15 <@krzee> like back in the 90s
14:15 <@dazo> at least these days, yeah
14:16 <@dazo> many arrested and convicted, but got nice treatment if they promised to instead (voice with authority saying) "serve our Great Country in more meaningful way"
14:17 <@krzee> haha i heard the voice get deep while i read
14:17 <@dazo> ;-)
14:18 -!- Synced [~Synced@unaffiliated/synced] has joined #openvpn
14:18 < Synced> Hello
14:18 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:18 < Synced> How would one forward a port from the VPN client to the VPN server?
14:19 <@krzee> was given the day to work from home to migrate data and ill ive done is pickup meet with some girls and talk here… so ill bbiaf after i get some work done
14:19 <@dazo> Synced: by using routes?
14:19 < Synced> dazo: Yes, but how?
14:19 < Synced> I've tried google + the manual
14:19 < Synced> but I can't seem to get it
14:19 <@krzee> forward a port?  id say with firewall software
14:19 <@dazo> Synced: do you know anything about network routing at all?
14:19 < Synced> dazo: yes
14:19 < Synced> I do
14:20 <@dazo> Synced: okay, look up --route in the openvpn man page
14:20 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
14:20 < Synced> I have configured iptables to work perfectly fine with openvpn
14:20 < Synced> just can't seem to get it working with forwarding ports to the server from the client
14:20 <@dazo> Synced: if you only want just one single port ... you need to look into SNAT/DNAT in iptables
14:20 <@krzee> !factoids search nat
14:20 <@vpnHelper> 'nat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', 'winnat', 'nathack', 'fbsdnat', 'openbsdnat', 'obsdnat', and 'linnat'
14:20 < Synced> Yeah, I read that on stackexchange
14:20 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
14:21 <@dazo> but generally people want to access a machine over the VPN, regardless of the port number
14:21 <@krzee> hmm there was a dnat in there once upon a time
14:21 <@krzee> !factoids search port
14:21 <@vpnHelper> 'linportforward', 'port-share', and 'ipv6_transport'
14:21 <@krzee> guess not
14:21 <@krzee> !factoids search --values dnat'
14:21 <@vpnHelper> No keys matched that query.
14:21 <@krzee> !factoids search --values dnat
14:21 <@vpnHelper> 'freebsdnat', 'bsdnat', 'linportforward', 'openbsdnat', 'nat', and 'frozentux'
14:21 <@dazo> SNAT and DNAT is actually almost the same ... Source NAT vs Destination NAT
14:22 <@dazo> depends if you do it inbound or outbound
14:22 <@krzee> !linportforward
14:22 <@vpnHelper> "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip) or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP> or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
14:22  * krzee pets vpnHelper 
14:22 < Synced> I see ..
14:22 < Synced> I take it that <VPNIP> is the client's internal VPN IP right?
14:23 <@krzee> i told someone rtfm and gave him tfm, and he came back and said that worked for him
14:23 <@krzee> so i taught vpnHelper about it
14:23 <@krzee> Synced, if you read the whole thing from vpnHelper you know the answer to that
14:23 <@dazo> :)
14:23 < Synced> the clients VPN ip
14:23 < Synced> yes
14:23 < Synced> It's just to confirm my statement :)
14:24 -!- Wolfbutt [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 272 seconds]
14:24 <@dazo> I don't know if you read #1 carefully enough the first time ;-)
14:25  * dazo decides to call it a day and get home
14:25 <@krzee> oh ya im supposed to be working too :D
14:25  * krzee afk
14:26 -!- dazo is now known as dazo_afk
14:26 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
14:27 < Synced> Alright, only had to change the interface to venet0
14:27 < Synced> thanks alot krzee and dazo!
14:27 <@krzee> np
14:33 -!- sepeck [~sepeck@drupal.org/user/5195/view] has joined #openvpn
14:33 -!- sepeck [~sepeck@drupal.org/user/5195/view] has left #openvpn []
14:39 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 265 seconds]
14:40 < KaaK> when using easyrsa, why are certs assigned auto-incrementing serial numbers? how is that useful in a PKI?
14:47 < esde> https://tools.ietf.org/html/rfc5280#section-4.1.2.2
14:47 <@vpnHelper> Title: RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (at tools.ietf.org)
14:49 <@ecrist> KaaK: Easy-RSA isn't the one assigned the serial number
14:49 <@ecrist> it's OpenSSL
14:50 <@ecrist> and if you weren't aware of that, how do you feel knowledgeable enough to pose criticism?
14:52 < KaaK> ecrist, dont put words in my mouth -- its not criticism. simple curiosity
14:53 < KaaK> esde, thanks, reading it now
14:58 <@ecrist> no words were put in your mouth.
15:10 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has joined #openvpn
15:10 < KaaK> written in then -- i'm confused how you pulled `criticism` out of my original question. There is zero need to take a simple question -- asked in curiosity -- and turn it back on the asker in a demeaning way.
15:19 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
15:37 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:50 -!- vahid [~vahid@151.232.184.184] has joined #openvpn
15:51 < vahid> Hi, I used openvpn to bypass internet censoring. I connected successfully. But not web browsing. I have this error in Server side: MULTI: bad source address from client [192.168.1.200], packet dropped
15:52 < vahid> server conf file: http://paste.ubuntu.com/9467646/
15:54 < DArqueBishop> Why did you add bypass-dhcp to the redirect-gateway parameter?
15:54 -!- vahid [~vahid@151.232.184.184] has quit [Read error: Connection reset by peer]
15:54 < DArqueBishop> ... never mind.
15:54 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:55 -!- vahid [~vahid@151.232.184.184] has joined #openvpn
15:55 < DArqueBishop> vahid: why did you add bypass-dhcp to the redirect-gateway parameter?
15:55 < vahid> and It's my client config file: http://paste.ubuntu.com/9467672/
15:56 < vahid> I just uncomment !
15:56 < vahid> I didn't changed.
15:56 < vahid> for web browsing.
15:57 < vahid> I suposed it shoud be active.
15:57 < DArqueBishop> I would imagine you don't need bypass-dhcp.
15:57 < DArqueBishop> Also, is IP forwarding set up and an iptables rule configured for NAT on the server?
15:58 < vahid> Yes ip forwardin for ipv4 is 1 and iptables complitly disabled
15:59 < DArqueBishop> Uh, if you're expecting your OpenVPN server to send all your traffic out, you need an iptables rule to enable NAT for the VPN.
16:00 < vahid> I'm new in iptables, Is it hard ?
16:00 < DArqueBishop> Not really.
16:00 < DArqueBishop> The HOWTO has most of the info you need.
16:00 < DArqueBishop> !howto
16:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:01 < pekster> You probably want:
16:01 < pekster> !redirect
16:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:01 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:01 < pekster> krzee: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
16:01 <@vpnHelper> Title: Schneier on Security: Another New AES Attack (at www.schneier.com)
16:02 < vahid> THANKS :)
16:03 < pekster> KaaK: Do open a bug on that. pseudo-random serials might be a small security advantage, but the reality is that it's so unlikely to make a difference in almost all use-cases
16:03 -!- sickn3ss [~sickn3ss@unaffiliated/sickn3ss] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:04 < vahid> openvpn.net is blocked for me, but I will find a way. thanks agian.
16:05 < pekster> vahid: In addition to the normal redirection, be sure you're resolving DNS over the tunnel to a neutral DNS server (like google DNS)
16:05 < pekster> !googledns
16:05 < pekster> !factoids search google
16:05 <@vpnHelper> "googleauth" is http://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/
16:06 < pekster> !learn googledns as Google DNS offers global recursive nameserves for your use: 8.8.8.8 and 8.8.4.4 (IPv6: 2001:4860:4860::8888 & 2001:4860:4860::8844)
16:06 <@vpnHelper> Joo got it.
16:06 < vahid> LOL wordpress.com blocked here too. I think I have to find TOR fist.
16:06 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:06 < pekster> !learn googledns as https://developers.google.com/speed/public-dns
16:06 <@vpnHelper> Joo got it.
16:06 < pekster> Oh, taht wordpress link wasn't intended for you (skip that if you'd like)
16:07 < vahid> ok
16:07 < pekster> I've learned not to seach with the bot in privmsg because the bot goes insane and lies.
16:09 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 258 seconds]
16:09 <@syzzer> dazo_afk, pekster: the only reason for AES-256 is quantum computers
16:09 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Ping timeout: 258 seconds]
16:09 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 258 seconds]
16:09 < pekster> Well, and "even more shitty key schedules" ;)
16:09 <@krzee> thanks pekster! now that i read that link i remember i knew of that long ago (probably from his blog) but i had forgotten
16:10 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
16:10 <@syzzer> AES-128 is perfectly secure (as far as we know), but quantum computers reduce the search space by a factor of two
16:10 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
16:10 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 258 seconds]
16:10 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 258 seconds]
16:10 < pekster> At this point it's all accademic anyway since no one can break AES-<anything> without having additional information, such as a side-channel attack
16:10 < vahid> I'm really tierd. facebook blocked, twitter blocked, some part of G+ blocked, worldpress blocked, bloger blocked, dev.google blocked from google, hmm...
16:10 < DArqueBishop> pekster: one of these days I need to create a reference list for all of vpnHelper's commands. ;-)
16:10 <@syzzer> so whereas AES-128 would not be safe in the post-quantum world, AES-256 is.
16:10 -!- akamaruu [~akamaru21@2601:0:8a80:1064:5155:d61c:6113:e38f] has joined #openvpn
16:10 <@krzee> DArqueBishop,
16:11 <@krzee> !factoids
16:11 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:11 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
16:11 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
16:11 < DArqueBishop> Good to know. :-)
16:11 -!- akamaru [~akamaru21@2601:0:8a80:1064:5155:d61c:6113:e38f] has quit [Ping timeout: 258 seconds]
16:11 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
16:13 < pekster> And really, if $your_country's scary TLA wants your data, it's usually faster/easier/cheaper/more-reliable to send a black ops team in anyway ;)
16:13 < pekster> easier than cracking keys. Attacking weak security is even easier (Bluffdale, anyway?)
16:14 < vahid> lol correct!
16:15 <@syzzer> dazo_afk: re lost/stolen, I prefer to use 'compromised'. And I consider a key compromised as soon as I have reason to believe someone *could* have had access to it.
16:15 -!- Gellert [~gellert@gellert.gellert.gellert.gellert.gellert.gellert.gellert.pro] has joined #openvpn
16:15 < Gellert> Eugene: you're the guy from the WALKING dead?
16:15 -!- vahid [~vahid@151.232.184.184] has quit [Quit: Leaving]
16:15 < Eugene> No.
16:23 < Gellert> Eugene: okay
16:35 -!- eaglelinux-02 [~eaglelinu@213.207.43.231] has quit [Quit: Leaving]
16:43 -!- scyld [~scyld@gateway/tor-sasl/wasyl] has quit [Quit: Wychodzi]
16:51 -!- busch [~busch@datenschleuder.com] has joined #openvpn
17:00 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
17:02 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
17:04 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
17:16 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
17:18 -!- ketas- [~ketas@65-38-190-90.dyn.estpak.ee] has joined #openvpn
17:19 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
17:20 -!- ketas [ketas@ketas6-sixxs.si.pri.ee] has quit [Ping timeout: 258 seconds]
17:22 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
17:23 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Client Quit]
17:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:31 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
17:34 -!- mpoole [~mpoole@minotaur.apache.org] has quit [Ping timeout: 244 seconds]
17:42 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
17:42 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
17:44 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 256 seconds]
17:47 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
17:47 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Client Quit]
17:53 -!- fred`` [fred@earthli.ng] has joined #openvpn
18:00 -!- SGold [~Stan@cpe-075-190-172-138.carolina.res.rr.com] has joined #openvpn
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:06 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
18:09 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:13 -!- SGold [~Stan@cpe-075-190-172-138.carolina.res.rr.com] has quit [Ping timeout: 265 seconds]
18:32 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 256 seconds]
18:34 -!- u0m3 [~u0m3@109.96.153.17] has quit [Ping timeout: 250 seconds]
18:54 -!- DonRichie [~DonRichie@ricl.de] has quit [Remote host closed the connection]
18:54 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
18:59 -!- Exagone313 [exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
19:09 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
19:13 -!- mpoole [~mpoole@minotaur.apache.org] has joined #openvpn
19:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:17 -!- Exagone313 [~exa@ewd.ovh] has joined #openvpn
19:18 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:19 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:42 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
19:53 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
19:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Read error: Connection reset by peer]
20:23 -!- alexw [~textual@unaffiliated/alexw] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
20:59 -!- Netsplit *.net <-> *.split quits: fred``, Thermi, Nothing4You
20:59 -!- DonRichie [~DonRichie@ricl.de] has quit [Ping timeout: 264 seconds]
21:00 -!- DonRichie [~DonRichie@ricl.de] has joined #openvpn
21:05 -!- Netsplit over, joins: fred``, Thermi, Nothing4You
21:06 -!- shadok_ [~muaddib@unaffiliated/shadok] has quit [Read error: Connection reset by peer]
21:24 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
21:38 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
21:44 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
22:44 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Quit: michaelhart]
23:26 -!- Olivier [~Olivier@unaffiliated/olivier] has quit [Ping timeout: 252 seconds]
23:50 -!- alexw [~textual@unaffiliated/alexw] has quit [Remote host closed the connection]
23:55 -!- ShadniX [dagger@p5481CD26.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:56 -!- ShadniX [dagger@p5481C54A.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Thu Dec 11 2014
00:10 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
00:37 -!- mattock_afk is now known as mattock
00:44 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
00:47 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
01:01 -!- mattock is now known as mattock_afk
01:03 -!- Netsplit *.net <-> *.split quits: fred``, Thermi, Nothing4You
01:08 -!- Netsplit over, joins: fred``, Thermi, Nothing4You
01:13 -!- mattock_afk is now known as mattock
01:16 -!- dazo_afk is now known as dazo
01:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
01:37 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:47 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
01:50 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
01:50 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
01:50 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
01:54 -!- mattock is now known as mattock_afk
02:01 -!- ketas- is now known as ketas
02:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:09 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
02:26 -!- mattock_afk is now known as mattock
02:26 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
02:28 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
02:29 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:34 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Read error: Connection reset by peer]
02:35 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:36 -!- ylluminate [~ylluminat@108-61-57-43ch.openskytelcom.net] has quit [Ping timeout: 245 seconds]
02:41 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
02:43 -!- KiNgMaR [ingmar@2001:41d0:2:ba51::1] has quit [Ping timeout: 272 seconds]
02:45 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
02:47 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
02:54 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
02:56 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 245 seconds]
03:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
03:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
03:19 -!- vAd0r [~IceChat9@unaffiliated/vad0r] has quit [Read error: Connection reset by peer]
03:20 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:21 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:21 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:34 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
03:36 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
03:38 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
03:44 -!- lkeijser [~me@fedora/lkeijser] has joined #openvpn
03:44 < lkeijser> morning
03:45 < kef> is there a way to hide a lamp object the final render in blender/cycles? (but still using it for lighting)
03:45 < lkeijser> upgraded to the latest Fedora yesterday and now some of my connections no longer work: VERIFY ERROR: depth=0, error=certificate signature failure
03:45 < lkeijser> any ideas?
03:48 < kef> (sorry, wrong buffer)
04:00 -!- lkeijser [~me@fedora/lkeijser] has quit [Quit: 420 reasons to quit]
04:03 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 252 seconds]
04:06 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 272 seconds]
04:10 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
04:12 <@dazo> lkeijser most likely users certificates with MD5 hashes
04:12 <@dazo> s/users/uses/
04:19 -!- Exagone313 [~exa@ewd.ovh] has quit [Ping timeout: 260 seconds]
04:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:43 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
05:01 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
05:04 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
05:40 -!- mattock is now known as mattock_afk
05:42 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Read error: Connection reset by peer]
05:51 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:52 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Read error: Connection reset by peer]
05:53 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
06:01 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
06:01 -!- mrtux [~stallman@unaffiliated/mrtux] has quit [Ping timeout: 265 seconds]
06:13 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 258 seconds]
06:14 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
06:14 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
06:15 -!- akamaruu [~akamaru21@2601:0:8a80:1064:5155:d61c:6113:e38f] has quit [Ping timeout: 258 seconds]
06:26 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
06:41 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
07:02 -!- mattock_afk is now known as mattock
07:12 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
07:18 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has joined #openvpn
07:23 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
07:35 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
07:36 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:39 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
07:42 < esde> !ovpnuke
07:42 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
07:53 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Read error: Connection reset by peer]
07:53 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
07:53 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Client Quit]
08:04 -!- ertyu [~chatzilla@62-210-193-154.rev.poneytelecom.eu] has joined #openvpn
08:05 < ertyu> hello everyone
08:06 < ertyu> what are the file need to been generate for ssl connexion with openvpn ?
08:11 < ertyu> anyone ?
08:17 < esde> !ask
08:17 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
08:23 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
08:35 -!- kryo_ [~effigy@96.50.81.226] has joined #openvpn
08:38 < kryo_> hi anyone able to help me with the following error? "The data area passed to a system call is too small. (code=122)"
08:40 < esde> https://forums.openvpn.net/topic8084.html
08:40 <@vpnHelper> Title: OpenVPN Support Forum openvpn 2.2 issue : Off Topic, Related (at forums.openvpn.net)
08:40 < esde> see last response
08:40 < esde> might be useful
08:44 < kryo_> no comp-lzo directive in either config...
08:45 <@krzee> !configs
08:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:46 <@plaisthos> perhaps tun vs tap
08:46 < kryo_> oh wait i'm blind
08:47 < kryo_> removed comp-lzo, that fixed the error 122 but i still can't access the internet :\
08:54 -!- kef [~kef@matrix.fullmotion.de] has quit [Ping timeout: 272 seconds]
08:56 < esde> forwarding enabled on the server?
08:56 < esde> !forwarding
08:56 < esde> !forward
08:56 < esde> !somefactoidexplaininghowtoforward
08:57 < esde> !ipforward
08:57 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
08:57 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
08:57 < esde> BAM
09:01 -!- dazo is now known as dazo_afk
09:01 < kryo_> yeah
09:02 < kryo_> net.ipv4.ip_forward = 1
09:03 < esde> try this (assuming debian) sudo sysctl -w net.ipv4.ip_forward=1
09:05 < esde> after that, this works for me on debian kvm "sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to (eth0 ip)" but if on openvz, replace with the venet00 (or whatever venet it is)
09:07 < kryo_> wow that actually worked
09:07 < kryo_> (the iptables rule)
09:07 < kryo_> thanks very much esde
09:07 < esde> yw
09:07 -!- kef [~kef@matrix.fullmotion.de] has joined #openvpn
09:08 -!- kryo_ [~effigy@96.50.81.226] has quit []
09:15 -!- toli_ [~toli@d51a4cc08.access.telenet.be] has joined #openvpn
09:15 < esde> i love how Art of the Problem on YouTube explains crypto
09:19 < toli_> guys I am about to connect 300 PC's tp a new openvpn server, they will all use the same key certificte, as we are not going to do makethis for each pc. the question is how can I identify the connected players if they all use the server key?
09:22 < shadok> toli_: i don't think you have a way to be sure, that's why you should have made a client cert for each pc
09:22 < shadok> toli_: and remember that anyone with a copy of the key can connect too because you can't enable the duplicate-cn check
09:23 < toli_> I see
09:23 < toli_> thank you shadok
09:26 < shadok> np but are you sure you don't want client certs? generating them could be tricky because you have to make sure your /dev/random entropy is high before making a new one but it's way more secure that way than using only one cert, if one machine is compromised you'll have to redistribute new keys anyway
09:26  * esde plugs haveged
09:26 < esde> http://www.issihosts.com/haveged/
09:26 <@vpnHelper> Title: haveged - a simple entropy daemon (at www.issihosts.com)
09:27 < shadok> esde: i didn't know about that, reading right now
09:27 < toli_> I will use client certificates
09:27 < esde> $ cat /proc/sys/kernel/random/entropy_avail 4067. dat entropy
09:28 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:29 < shadok> esde: i'm having a hard time understanding how you can generate "several hundreds of megabits per second" crypto-secure bits from a low source of entropy, looking at the whitepapers now
09:30 < shadok> toli_: use something like puppet to distribute those certs if possible, that would be much easier to renew them
09:35 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:41 < shadok> esde: from what i just read about it i'm not really at ease with haveged honestly, i'd prefer generating the keys in the standard way even if it takes time to do it
09:50 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
09:51 < esde> "Run-time testing provides assurance of correct haveged operation. The run-time test suite is modeled upon the AIS-31 specification of the German Common Criteria body, BIS. This specification is typically applied to hardware devices, requiring formal certification and mandated  start-up  and continuous operational testing. Because haveged runs on many different hardware platforms, certification cannot be a goal, but the AIS-31 test suite provides the means
09:51 < esde>  to assess haveged output with the same operational tests applied to certified hardware devices." and more information to be had at http://manpages.ubuntu.com/manpages/utopic/man8/haveged.8.html
09:51 <@vpnHelper> Title: Ubuntu Manpage: haveged - Generate random numbers and feed linux random device. (at manpages.ubuntu.com)
09:53 < shadok> i saw that but there is no real cryptanalysis of their scheme and i have more trust in the linux kernel implementation
09:55 < shadok> and you can add some entropy to urandom if needed (take a few picture with a webcam, hash them with a decent algorithm as sha2 and write them to urandom)
09:56 < esde> im aware of video-entropyd and audio-entropyd :)
09:57 < esde> *video_entropyd audio_entropyd
09:57 < shadok> esde: i was not until now ^^
09:59 < shadok> anyway this page from haveged devs (www.issihosts.com/haveged/ais31.html down, use google cache) has some strange sentences: "Early experimentation with AIS-31 attempted to fit haveged into AIS-31 as a sort of emulated TRNG. The tick counter data captured during the processor flutter measurements was run through AIS procedure B. Most samples failed all tests! On this data, test8 averaged approximately 6 bits of entropy per byte. However injecting the
09:59 < shadok> data into haveged always produced output that passed the procedure B tests. "
09:59 < esde> im not an academic cryptologist, that's basically greek to me
09:59 < shadok> it's pretty trivial to pass those tests *after* for an output, not so for an input
10:01 < shadok> they are saying that the input to haveged (the data which is collected) doesn't pass the test but the output does, that's standard for any decent prng and doesn't prove anything regarding the quality of their output
10:03 < esde> here's a paper on HAVEGE, what haveged replaced https://www.irisa.fr/caps/projects/hipsor/publications/havege-tomacs.pdf
10:06 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
10:09 -!- toli_ [~toli@d51a4cc08.access.telenet.be] has quit [Quit: Leaving]
10:14 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Ping timeout: 256 seconds]
10:22 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
10:22 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Remote host closed the connection]
10:40 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit []
11:13 -!- ratdeptrai [~deptrai@99-183-228-80.lightspeed.livnmi.sbcglobal.net] has joined #openvpn
11:13 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:16 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
11:16 < Anoniem4l> !welcome
11:16 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:16 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:18 < Anoniem4l> On an OpenVZ linux machine, cat: /dev/net/tun: Operation not permitted <-- does that ensure me it's my VPN provider's fault?
11:19 -!- jrg [jrg@unaffiliated/jrg] has quit [Ping timeout: 258 seconds]
11:20 < esde> Anoniem4l, wiki.openvz.org/VPN_via_the_TUN/TAP_device
11:21 < esde> your hosting provider may need to enable tun for you
11:23 < esde> when you see this output, you are good to go "cat: /dev/net/tun: File descriptor in bad state"
11:27 < _FBi> which is why OpenVZ hosts kinda suck.  Not too many allow Tun devices
11:28 < ratdeptrai> I have an existing OpenVPN instance running on server/desktops/laptops all are GNU/Linux. Now want to add an Android device.
11:28 < ratdeptrai> What is the easiest way to get an openvpn binary running on Android, presumably hard-coded config-file like the others. I see a couple of apps listed in F-droid repo, but I guess I'd rather openvpn not be bound up with some GUI, unless it's just a little driver to start/stop it. Any suggestions?
11:28 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
11:30 < ratdeptrai> I see a page in the _forums_ with FAQ on "OpenVPN connect for android" but I didn't see any indication where to find it, or even what exactly it is.
11:31 < lev__> ratdeptrai: have you seen https://code.google.com/p/ics-openvpn/
11:31 <@vpnHelper> Title: ics-openvpn - Openvpn for Android 4.0+ - Google Project Hosting (at code.google.com)
11:32 -!- mattock is now known as mattock_afk
11:32  * ratdeptrai looks at ice-openvpn, not sure why search engines didn't find it for me before...
11:33 -!- JyZyXEL [~foo@a88-112-64-166.elisa-laajakaista.fi] has joined #openvpn
11:34 < JyZyXEL> is it possible to route only some traffic trough a openvpn connection, based on TCP port numbers?
11:34 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
11:35 < Dan39> JyZyXEL: sure i think so with iptables. but if you have specific applications you may be able to tell them to use the vpn interface, that would be easier
11:35 < Dan39> on *nix many things have a bind address or interface in the config
11:36 <@plaisthos> ratdeptrai: OpenVPN Connect has the FAQ in app iirc
11:36 < ratdeptrai> JyZyXEL: assuming you have the Linux kernel, you need to use both iptables and iproute2, but it can be done. Keep in mind though, if those packets then exit the far side of the VPN into the Internet, the other side of that connection will probably need to route its packets back through the same VPN.
11:37 < ratdeptrai> JyZyXEL: this is most easily accomplished by masquerading them on the way out.
11:39 < JyZyXEL> ah good point the need for masquerading
11:39 < Dan39> thought that was a given :P
11:40 < Dan39> it is in the intro setup
11:40 < JyZyXEL> ratdeptrai: so i would mark the packets with iptables and then add some routing rules based on marks
11:40 <@plaisthos> ratdeptrai: ics-oepnvpn is opensource
11:40 < ratdeptrai> JyZyXEL: correct, but those routing "rules" will typically be in another routing *table*.
11:40 <@plaisthos> if you respect the GPL you can modify it to have a hard coded config
11:41 <@plaisthos> (or pay the author to have a non GPL license)
11:41 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
11:42 < ratdeptrai> plaisthos: I'd just as soon stick with free-software only. So what is the "difference" between OpenVPN Connect and ics-ovpn? Is OVPNC proprietary?
11:42 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
11:42 <@plaisthos> *sigh* I need to write a FAQ for that
11:42 < ratdeptrai> I just want the lightest-weight solution possible. I really don't want openvpn to be combined with a GUI "app" using the Android API.
11:43 <@plaisthos> ratdeptrai: without root?
11:43 < Dan39> how old is your phone that you have to worry about that ratdeptrai ?
11:43 < ratdeptrai> rooted
11:43 < Eugene> The problem with that goal is that that's the only way to do it under AOSP without modifying the system
11:43 < Dan39> i have a rather old phone and use OpenVPN for Android just fine, got it from play store
11:43 < ratdeptrai> Phone is less than a day old, Nexus 5.
11:43 < ratdeptrai> But I generally don't run more than I have to, on any computer.
11:43 <@plaisthos> ratdeptrai: you can probably use openvpn compiled for that
11:44 <@plaisthos> but on android 4.4 and 5.0 a native openvpn may screw up routing table/ipconfig
11:44 < ratdeptrai> Hmmm, this sounds more complex than I had hoped. :-p
11:45 < JyZyXEL> i think an alternative solution would be to run a SOCKS server that connects to the internet trough the openvpn tunnel and then have all the applications i need to go trough the VPN use socks
11:48 <@plaisthos> ratdeptrai: why don't you just use OpenVPN for Android?
11:48 -!- Latrina [~Latrina@ppp-196-31.26-151.libero.it] has quit [Ping timeout: 245 seconds]
11:50 -!- Latrina [~Latrina@151.56.173.101] has joined #openvpn
11:50 < ratdeptrai> plaisthos: because I don't even know what that is. The GooglePlay page for "OpenVPN Connect" says that it's the "official" OpenVPN for Android. The OpenVPN.net website, when I click on the "For Your Android" link, gives me the GooglePlay page for "Private Tunnel VPN for Android". And in e.g. F-droid, I see a couple of other OpenVPN apps.
11:52 < esde> OpenVPN connect works fine here
11:52 < ratdeptrai> I just want the most vanilla, open-source port of OpenVPN to Android. Whatever's easiest, I guess.
11:54 <@plaisthos> ratdeptrai: Whatever that means :)
11:54 < ratdeptrai> Yes, apparently not a well-defined term! :-)
11:54 <@plaisthos> ratdeptrai: if you don't want a command line OpenVPN binary that is probably OpenVPN for Android
11:55 <@plaisthos> it uses a almost not patched OpenVPN binary
11:56 < DArqueBishop> If OpenVPN Connect for Android is anything like OpenVPN Connect for iOS, it'll probably do everything you need to (unless you need bridging).
11:57 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
11:59 < ratdeptrai> plaisthos: "OpenVPN for Android" == "ics-openvpn", is this true? I think I was confused.
11:59 <@plaisthos> ratdeptrai: yes
12:00 < ratdeptrai> Ah, my head is spinning a little slower now...
12:00 <@plaisthos> ics-openvpn is just the repository and google code name
12:00 < ratdeptrai> Got it.
12:00 <@plaisthos> de.blinkt.openvpn is the package name ;)
12:00 <@plaisthos> and OpenVpn for Android is the confusing human readable name :P
12:01 < ratdeptrai> This is the first time I ever had a mobile-computer, it's proving a little more difficult to use than most!
12:02 < esde> whats the difference in net.openvpn.openvpn and de.blinkt.openvpn? why would one use one or the other?
12:09 < hydrajump> after having put my openvpn server into production for ~1 week everything is working awesome except a minor glitch I'm noticing. When I first connect to the server and the tunnel is established almost immediately the tunnel is disconnected and reconnected. THis happens always on first connection. I don't see anything wrong in the logs other than "Dec 11 19:05:49: [server] Inactivity timeout (--ping-restart),
12:09 < hydrajump> restarting
12:10 < esde> anyone? im generally curious why anyone would need an app other than OpenVPN connect..
12:11 <@plaisthos> esde: give me a minute ;P
12:12 < esde> "Lollipop only: Allow/disallow apps to use VPN" i can see that being a useful feature, at least
12:12 < esde> (in OpenVPN for android)
12:12 <@plaisthos> :)
12:13 <@plaisthos> you certainly don't get that which a native oepnvpn binary
12:13 < esde> i didnt even think of the functionality until i saw it listed in his changelog
12:14 < esde> ohhhhhhhhhhhhhhhhhh
12:14 < esde> hi there. ;(
12:14 < esde> * (;
12:16 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
12:16 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
12:18 < snappy> curious, am i understanding this correctly, but android can sandbox apps in a vpn?
12:18 <@plaisthos> snappy: android uses freaky policy based routing
12:18 <@plaisthos>  :)
12:18 < snappy> ahhh
12:18 < snappy> i thought it might have been using namespaces or something
12:19 <@plaisthos> no
12:19 <@plaisthos> since each app has its own uid
12:19 <@plaisthos> it does policy based routing per uid
12:19 < snappy> i think the mosh guys were toying with some interesting ideas of sandbox socks proxy (via ssh) using network namespaces
12:19 < snappy> ohhh wow, that's actually really cool
12:20 <@plaisthos> https://code.google.com/p/ics-openvpn/wiki/FAQ#Differences_between_the_OpenVPN_Android_clients
12:20 <@vpnHelper> Title: FAQ - ics-openvpn - Openvpn for Android 4.0+ - Google Project Hosting (at code.google.com)
12:20 <@plaisthos> there is your answer for the difference between the clients
12:22 < snappy> the uid-per-app paradigm is quite clever now that i think about it
12:24 < ratdeptrai> plaisthos: thanks a lot, that is very helpful!!!
12:24 < esde> OpenVPN connect for android source is not open?
12:25 <@plaisthos> ratdeptrai: no
12:25 <@plaisthos> it is closed source
12:25 < ratdeptrai> plaisthos: I think you meant to direct that to esde, but actually it was one of my questions too.
12:26 <@plaisthos> the OpenVPN C++ core is open source
12:26 <@plaisthos> but not really released
12:26 <@plaisthos> http://staging.openvpn.net/openvpn3/
12:26 <@vpnHelper> Title: OpenVPN 3 (at staging.openvpn.net)
12:26 <@plaisthos> To confused matters even more, you can build ics-openvpn with this C++ library :D
12:26 < ratdeptrai> Also interesting about that Android UID-per-process -> per-app policy-based routing. I've done something similar before on GNU/Linux boxes, essentially what JyZyXEL was proposing, but per-app rather than based on TCP ports.
12:26 < esde> i understand the iOS app being closed source, but i don't see why the Android app would be closed :/
12:27 < JyZyXEL> ratdeptrai: the ip route rules or socks?
12:27 < ratdeptrai> JyZyXEL: ip route rules
12:28 <@plaisthos> there are least 15 apps that use ics-openvpn source code and totally disrepect the license
12:28 <@plaisthos>  btw. a ip rule/ip table show dump from a Nexus9 device http://pastebin.com/kZcDVJM1
12:29 < snappy> plaisthos:  are these all those branded bullshit vpn software dealios?
12:29 < ratdeptrai> JyZyXEL: if you decide against the SOCKS solution, you _can_ do the iptables/iproute2 method which will work nicely based on TCP ports or anything else that you can specify in iptables, which is almost anything.
12:30 < snappy> its a bloody landmine looking for information on openvpn & android because of all these commercial vpn services
12:30 < JyZyXEL> yeah, im already doing packet marking on my firewall
12:30 <@plaisthos> snappy: yea many of them
12:30 < snappy> 90% of the internet is wrong
12:30 <@plaisthos> some of them actually respect the license
12:30 <@plaisthos> and some are not OpenVPN based
12:31 < JyZyXEL> ratdeptrai: i am however really scared of adding ip route tables and rules, i just know im gonna end up dropping my internet connection while messing with that stuff :p
12:31 <@plaisthos> and one is violating strongswan license instead of openvpn :D
12:31 < ratdeptrai> JyZyXEL: yes, it's not something you want to try on a remote machine over ssh, unless you have someone there to reboot it! ;-)
12:33 < ratdeptrai> JyZyXEL: it's not that bad, I have been meaning to write up a how-to on it for the better part of a decade... but the SOCKS idea is probably more turn-key.
12:34 < JyZyXEL> ratdeptrai: with the socks idea i probably only need to configure dante to use the openvpn's tunnel devices as the interface?
12:35 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
12:36 < snappy> SInce there's some discussion about socks/openvpn, i've been tackling a little problem myself.
12:38 < snappy> I want to tunnel outgoing ldap traffic (tcp dport 389) off to a relay server (running linux), such that it appears to originate from the relay server. I was thinking of using SOCKS, but the ldap tools don't have inherent support for SOCKS - so i would need to do some socksify gymnastics to get that to work. Alternatively, I could setup an openvpn tunnel (that doesn't have a default route), and (somehow) use
12:38 < snappy> policy based routing to route over openvpn.
12:38 < snappy> Wondering if anyone has thoughts on this.
12:41 < ratdeptrai> JyZyXEL: I don't have much experience with SOCKS, but that sounds like a good first step.
12:41 < ratdeptrai> snappy: more or less the same problem as JyZyXEL
12:42 < JyZyXEL> don't know if some kind of masquerade will be needed
12:44 < ratdeptrai> snappy, JyZyXEL: If you're willing to do the initial set-up to get multiple iproute2 tables set up (and rules to send packets to the "route via OpenVPN tunnel" table based on iptables-mark), you then have all the power of iptables to decide which type of traffic to route which way.
12:44 < snappy> that'll do the trick for me.
12:44 < ratdeptrai> JyZyXEL: in any case, you almost certainly need to masquerade them on the far side before egress.
12:44 < snappy> my only other concern is the persistence of the openvpn tunnel and reconnecting if it fails, but from personal experience, openvpn client is pretty damn robust about this
12:45 < JyZyXEL> ratdeptrai: i was talking about needing masq in the SOCKS solution
12:45 < ratdeptrai> The only problem is if there's nothing about the packets themselves to determine how you want them routed, e.g. two different instances of the same program generate the same kind of traffic, but one instance should be routed one way, one instance the other way. That's where the Android/ratdeptrai per-process-UID solution is useful.
12:47 < ratdeptrai> JyZyXEL: yeah, I'm not sure about SOCKS, maybe not.
12:50 < ratdeptrai> snappy: is your ldap software robust enough to re-establish its TCP connection in case it is reset? Otherwise, you'll probably have the same problem after loss of connectivity regardless of which solution you use.
12:50 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
12:53 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 258 seconds]
12:54 < snappy> ratdeptrai: not sure yet, i'd like to say yes, but i'm not hopeful (proprietary software)
12:55 < snappy> hm, just thinking, another option is to dockerfy the app, and initiate openvpn from the docker itself
12:55 < snappy> that'll avoid having to deal with iptables/pbr (well shift it to the docker env)
12:57 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
12:58 < ratdeptrai> snappy: I'm not familiar with docker, is that one of those newfangled "container" doohickeys? If so, you might be able to get it done that way but it will more or less be the same solution, done in a more complex way from the kernel's perspective, but perhaps in a simpler way from your perspective if the docker set-up software has an easy option for that.
12:59 < snappy> yeah, its the same solution essentially
13:00 < snappy> ideally it'd hide the complexity, but i thinking through (and sorry for thinking out loud in this chnanel) -- its probably the same amount of complexity, because ultimately i still want to only vpnify TCP traffic for a speciifc port and nothing else
13:01 < snappy> and that just requires adding the right iptables + policy based routing stuff
13:01 < snappy> anyway, thanks for letting me bounce these ideas, got a few ideas i can test
13:02 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
13:06 < ratdeptrai> snappy: good luck. If you decide to do the pbr and want to make the iproute2 and iptables entries yourself, one source of info: search "multihome linux" -- what you essentially have is a multihome setup, but one of the "homes" is the VPN.
13:06 < ratdeptrai> ... I really need to write up that howto one of these days ...
13:06 < snappy> actually i was thinking the same -- i actually do this on my home router (not specifically for this scenario)
13:07 < snappy> i was in here a few months ago trying to get openvpn working on my amazon firetv, it sort of worked, but instead just pushed openvpn to run on my (openwrt) wifi router -- used PBR so only the android device would go over the tunnel
13:07 < snappy> I think firetv purposely disabled/removed the vpnservice stuff
13:08 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
13:08 < ratdeptrai> Yeah, OpenWRT really rocks for home-router.
13:08 < esde> \m/ pfsense
13:09 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
13:10 < ratdeptrai> esde: no doubt it's good, but the thing is, I run Linux on the desktop & server, and I want to be able to use the same code on all boxes, including kernel-specific system-calls.
13:12 < ratdeptrai> ... and, does it run on little plastic boxes with e.g. 8MB of RAM?
13:13 < esde> >with e.g. 8MB of RAM? huh?
13:15 < ratdeptrai> Well, I run OpenWRT including OpenVPN on a little MIPS box with 16MB.  I guess I'm off by a factor of 2.
13:16 < ratdeptrai> (but only 4MB of flash)
13:16 < esde> Im not sure if it will or not. I know there are plenty of builds of pfsense for different hardware achitectures
13:16 < esde> * architectures
13:16 -!- brallan [~brallan@186.176.89.59] has joined #openvpn
13:16 -!- brallan [~brallan@186.176.89.59] has left #openvpn []
13:16 < ratdeptrai> Anyhow, it's all good, I'm sure they're both great solutions.
13:17 < esde> I had to abandon routing on my consumer devices when the processor kept choking on the throughput. now im using pfsense as my router, and the old router as a WAP and everything is working wonderfully
13:17 -!- P4 [~p4@unaffiliated/p4] has joined #openvpn
13:20 -!- lev__ [~lev@stipakov.fi] has quit [Remote host closed the connection]
13:20 < P4> Hello. I'm trying to ./pkitool <clientname> to generalte client key and cert but the cert each time is 0 size long. what could be wrong? cannot connect without a cert
13:22 < P4> my goal is just to setup debian-clients (e.g. OpenVPN 2.2.1 x86_64) to debian-server (OpenVPN 2.3.4 i586-pc-linux-gnu) VPN connections
13:23 -!- grrrrr [gr@rikos.org] has left #openvpn []
13:24 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 255 seconds]
13:37 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has joined #openvpn
13:38 < pie_> what kind of bandwidth could i expect on this?: http://wiki.openwrt.org/toh/tp-link/tl-wr710n
13:42 -!- lev__ [~lev@stipakov.fi] has joined #openvpn
13:42 <@ecrist> all of it
13:42 < pie_> ALL THE BANDWIDTH
13:43 <@ecrist> afaik TP-Link has a good reputation.  
13:43 <@ecrist> unless someone here actually runs it with openwrt and openvpn, we can't *really* answer your questions
13:44 < pie_> yeah, its good in my experience, but i dont have a lot of experience
13:46 < esde> ive used DD-WRT with WNDR4000 and had terrible issues with bottlenecking (using openvpn)
13:49 < pie_> guy in #openwrt said to expect 2-3MBit/s, which is ok for my applications i guess
13:49 < pie_> thats like 2-300kilobytes/s?
13:50 < esde> 3Mb = 375KB
13:50 < esde> 2Mb = 250KB
13:51 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
13:54 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Remote host closed the connection]
14:03 -!- Olivier [~Olivier@unaffiliated/olivier] has joined #openvpn
14:13 -!- pie_ [~pie_@unaffiliated/pie-/x-0787662] has quit [Ping timeout: 260 seconds]
14:20 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
14:20 < reiffert> !bm
14:20 < reiffert> !nm
14:20 < reiffert> vpnHelper: !nm
14:20 < reiffert> !factoids search nm
14:20 <@vpnHelper> No keys matched that query.
14:20 < reiffert> !factoids search networkmanager
14:20 <@vpnHelper> No keys matched that query.
14:21 < reiffert> !factoids search -values manager
14:21 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
14:21 < reiffert> !factoids search -value manager
14:21 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
14:21 < reiffert> krzee: vpnHelper broke
14:21 < reiffert> !factois search ubuntu
14:21 < reiffert> !factoids search ubuntu
14:21 <@vpnHelper> "ubuntu" is dont use network manager!
14:21 -!- reiffert [~thomas@mail.reifferscheid.org] has left #openvpn []
14:22 < An_Ony_Moose> Is there a way to change the behaviour that the server pushes (lower bound of IP pool)-1 as the gateway (i.e. specify what the IP should be?)
14:31 -!- P4 [~p4@unaffiliated/p4] has left #openvpn ["WeeChat 1.0.1"]
14:44 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
14:45 -!- michaelhart [~michaelha@69-165-175-193.dsl.teksavvy.com] has quit [Quit: michaelhart]
15:11 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
15:11 -!- liriel [~liriel@asia.feralhosting.com] has quit [Excess Flood]
15:12 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
15:37 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
15:43 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
15:47 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Client Quit]
16:05 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 33.1/20141106120505]]
16:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
16:11 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
16:16 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:29 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
16:33 < Eugene> Sure. Use --ifconfig and friends instead of the --server shortcut
16:34 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
16:35 -!- lev__ [~lev@stipakov.fi] has quit [Quit: leaving]
17:08 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 255 seconds]
17:13 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
17:13 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Client Quit]
17:14 < An_Ony_Moose> Eugene: haven't managed to figure out how to set the gateway IP though...
17:15 < Eugene> route-gateway
17:15 < Eugene> Or in your --route, the [gateway] parameter
17:19 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Ping timeout: 240 seconds]
17:20 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:20 -!- mode/#openvpn [+v RBecker] by ChanServ
17:25 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
17:38 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
17:40 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
17:48 < An_Ony_Moose> Eugene: I'll try that, thanks
17:55 <@krzee> i know reiffert isnt here anymore, but in case anyone was wondering why his commands failed, the help message shows you need 2 dashes in front of values --values, and he was using 1 -values
17:55 <@krzee> !factoids search --values manager
17:55 <@vpnHelper> 'ubuntu', 'netman', 'win2k8', and 'netman'
17:56 -!- tchiwam [~tchiwam@194.177.246.182] has quit [Quit: Lost terminal]
17:58 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Read error: Connection reset by peer]
17:59 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:47 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.1-dev]
18:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
18:51 -!- AWeSomeAo [~Christian@ipb21bbaf7.dynamic.kabel-deutschland.de] has joined #openvpn
18:51 < AWeSomeAo> !welcome
18:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:51 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:53 < AWeSomeAo> Hi. I am trying to find out, what the max MTU is inside my OpenVPN tunnel. I am Tunnelling OpenVPN through OpenVPN (yes, it's ugly) and I want the second tunnel to be as efficient as possible
18:53 < AWeSomeAo> pinging with specific parameters and traceroute --mtu don't show any help, as it seems there is a layer that automatically fragments
18:54 < AWeSomeAo> I reduced the mtu of the second tunnel a lot and it immediately increased my performance, but I would like to increase it to the maximum value
18:55 < AWeSomeAo> Tunnel is tun UDP/IP
18:58 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
19:00 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Ping timeout: 250 seconds]
19:03 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Read error: Connection reset by peer]
19:12 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Ping timeout: 260 seconds]
19:15 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
19:20 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
19:22 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
19:54 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
20:00 -!- AWeSomeAo [~Christian@ipb21bbaf7.dynamic.kabel-deutschland.de] has quit [Quit: Lost terminal]
20:01 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
20:34 -!- Eugene is now known as Fuyeme
21:02 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
21:04 -!- havingFun is now known as xrosnight
21:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:31 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 252 seconds]
21:37 -!- Fun [~Fun@unaffiliated/fun] has quit [Ping timeout: 264 seconds]
21:48 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection timed out]
22:21 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Read error: Connection reset by peer]
22:22 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
22:44 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 260 seconds]
22:53 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
22:53 -!- mode/#openvpn [+v RBecker] by ChanServ
23:39 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 260 seconds]
23:41 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
23:42 -!- Fuyeme is now known as Eugene
23:43 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
23:52 -!- ShadniX [dagger@p5481C54A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:53 -!- ShadniX [dagger@p5481C02D.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Dec 12 2014
00:00 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Quit: Quit]
00:04 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
00:12 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
00:12 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
00:45 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
00:46 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 265 seconds]
00:46 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
01:17 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:29 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
02:04 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
02:12 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Quit: No Ping reply in 180 seconds.]
02:13 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
02:14 -!- Netsplit *.net <-> *.split quits: dvl, james41382, mpoole
02:15 -!- Netsplit over, joins: mpoole
02:38 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:43 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Read error: Connection reset by peer]
02:44 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:45 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
03:02 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
03:07 -!- dazo_afk is now known as dazo
03:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
03:09 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
03:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
03:20 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Quit: Konversation terminated!]
03:21 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
03:23 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:24 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 244 seconds]
03:28 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Quit: Bye!]
03:29 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:46 -!- mattock_afk is now known as mattock
03:47 -!- lev__ [~lev@stipakov.fi] has joined #openvpn
04:02 -!- lev__ [~lev@stipakov.fi] has quit [Quit: leaving]
04:03 -!- lev__ [~lev@stipakov.fi] has joined #openvpn
04:12 -!- ertyu [~chatzilla@62-210-193-154.rev.poneytelecom.eu] has quit [Quit: ChatZilla 0.9.91 [Firefox 32.0.3/20140924083558]]
04:22 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
04:26 < lev__> Hello, am I supposed to do anything special to make my Linux box favor ipv6 over ipv4? I got ipv6 address from OpenVPN (don't have it on eth0) and able to ping/browse IPv6 hosts/sites, however getaddrinfo() first returns ipv4 and then ipv6 addresses. I am aware of gai.conf, but to my understanding by default it makes Linux favor ipv6, however it does not happen.
04:45 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
04:48 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 244 seconds]
04:53 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 244 seconds]
05:02 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
05:08 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:29 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn
05:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
05:48 -!- u0m3 [~u0m3@109.96.153.17] has quit [Ping timeout: 245 seconds]
05:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:57 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:58 < lev__> answering own question: gai's priority is: ipv6, ipv4, "6to4". Since I have ipv6 over vpn tunnel, I have to make "6to4" priority over "ipv4". Done by uncommenting "label fc00::/7" in gai.conf and setting its value to "1".
06:07 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:07 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 258 seconds]
06:20 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:37  * plaisthos was absent
06:37 <@plaisthos> lev__: there is a RFC about that
06:53 -!- LnxBil [~LnxBil@p5099afb6.dip0.t-ipconnect.de] has quit [Quit: leaving]
06:55 -!- WhiteIntel [~quassel@2001:628:2010:22:e5a4:1977:6461:1f41] has joined #openvpn
06:56 < WhiteIntel> is it possible to push a dns server for one specific domain to a client?
06:57 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 245 seconds]
07:01 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has joined #openvpn
07:09 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:10 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
07:15 <@ecrist> WhiteIntel: no
07:16 <@krzee> no but its possible to use dnsmasq to handle 1 domain and forward the rest to another NS
07:16 <@krzee> !splitroute
07:16 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
07:16 <@krzee> errr
07:16 <@krzee> i mean
07:16 <@krzee> !splitdns
07:16 <@vpnHelper> "splitdns" is (#1) see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups or (#2) "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
07:16 <@krzee> ignore !splitroute :D
07:20 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
07:32 < WhiteIntel> ok and for what is the option push "dhcp-option DOMAIN my.at;" or push "dhcp-option DOMAIN-SEARCH mysearch2.example.com"; ?
07:33 <@krzee> the option in resolv.conf
07:34 <@krzee> The resolv.conf file typically contains directives with the default search domain or domains; used for FQDN completion when no domain suffix is supplied as part of the query. It also contains a list of IP addresses of nameservers available to a host.
07:35 <@krzee> http://en.wikipedia.org/wiki/Resolv.conf#Contents_and_location
07:35 <@vpnHelper> Title: resolv.conf - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:54 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
07:55 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
08:01 -!- u0m3 [~u0m3@109.96.153.17] has quit [Read error: Connection reset by peer]
08:15 -!- WhiteIntel [~quassel@2001:628:2010:22:e5a4:1977:6461:1f41] has quit [Ping timeout: 265 seconds]
08:22 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 240 seconds]
08:25 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
08:45 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 255 seconds]
08:56 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
09:09 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:15 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Quit: Konversation terminated!]
09:18 -!- chicken_soup [~quassel@98.192.44.235] has joined #openvpn
09:19 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
09:20 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:20 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:23 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has joined #openvpn
09:40 -!- dnyMT [~dnyMT@c106-36.i05-27.onvol.net] has quit [Ping timeout: 240 seconds]
09:48 -!- u0m3 [~u0m3@109.96.153.17] has joined #openvpn
10:16 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Quit: The Nightmares will Collide. And become a Dream. <3]
10:29 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has joined #openvpn
10:29 < MaxFrames> hello
10:30 < MaxFrames> any idea why the "vista and later" x64 version of the community package will NOT work  on my win7 x64 machine (tap driver shows up with exclamation mark in device manager) whereas the "xp and later" version of the same package works?
10:30 < MaxFrames> on a different win7 x64 machine, the former version does work
10:30 < MaxFrames> one difference is the network adapter, and another difference is that on this machine I have vmware player installed
10:50 -!- MaxFrames [~MaxFrames@unaffiliated/maxframes] has quit [Quit: When two people dream the same dream, it ceases to be an illusion. KVIrc KVIrc Equilibrium 4.2.0, revision: 6190, sources date: 20120701, built on: 2012-07-04 14:48:08 UTC 6190 http://www.kvirc.net]
10:53 -!- mattock is now known as mattock_afk
11:06 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
11:08 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
11:09 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 264 seconds]
11:23 -!- rich0_ is now known as rich0
11:32 -!- fandi [~fandi@101.255.36.66] has joined #openvpn
11:39 -!- michaelhart [~michaelha@192-0-241-148.cpe.teksavvy.com] has quit [Ping timeout: 244 seconds]
11:46 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:50 -!- fandi [~fandi@101.255.36.66] has left #openvpn ["Leaving"]
11:53 -!- djacob [~IceChat9@pool-71-246-17-183.phlapa.fios.verizon.net] has joined #openvpn
11:54 < djacob> is anyone here using openvpn with yealink pbx phones?
12:19 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
12:22 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Remote host closed the connection]
12:24 -!- Mathuin [jmt@osuosl/staff/mathuin] has joined #openvpn
12:25 < Mathuin> I am using a Chromebook and OpenVPN works fine with my certs, with one issue:  I cannot restrict the traffic that goes through the tunnel to specific networks.  All the traffic is routed through the tunnel, which is bad.  Help?
12:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
12:25 < Mathuin> (I'm totally fine with being sent to another channel, as long as you can tell me which one to go to.)
12:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
12:34 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
12:35 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 258 seconds]
13:00 < DArqueBishop> Mathuin: do you have control over the OpenVPN server?
13:01 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Ping timeout: 240 seconds]
13:03 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
13:04 -!- Gellert [~gellert@gellert.gellert.gellert.gellert.gellert.gellert.gellert.pro] has left #openvpn []
13:07 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Remote host closed the connection]
13:19 <@krzee> Mathuin, stop using redirect-gateway and only redirect networks you want to go over the vpn, or if you want to redirect everything *except* a couple networks, then:
13:19 <@krzee> !route_override
13:19 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
13:24 < Mathuin> krzee: I'm not intentionally using redirect-gateway, I'm using a GUI on a Chromebook. :-)
13:24 < Mathuin> !splitroute
13:24 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
13:24 <@krzee> well we only support openvpn
13:24 < Mathuin> DArqueBishop: I can ask for some changes on the OpenVPN server.
13:24 < DArqueBishop> !both
13:24 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:24 < Mathuin> I know you only support OpenVPN, which is why I said I was fine being sent somewhere else as long as you know where to go.
13:25 <@krzee> and redirect-gateway may be getting pushed from the server
13:25 < Mathuin> DArqueBishop: My network admin is in the room doing other stuff, I can pass something along if you can tell me what to pass.
13:25 < Mathuin> krzee: I will ask about redirect-gateway
13:25 <@krzee> Mathuin, no idea bout a chromebook gui help channel
13:25 < Mathuin> krzee: thanks!
13:25 <@krzee> np
13:25 -!- Mathuin [jmt@osuosl/staff/mathuin] has left #openvpn []
13:45 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has joined #openvpn
13:45 < masterkorp> hello
13:45 < masterkorp> How can I use SOCK4 in OpenVPN ?
13:45 < masterkorp> http://safesrv.net/setup-openvpn-with-obfsproxy-on-ubuntu/
13:45 <@vpnHelper> Title: Obfuscate your OpenVPN traffic using Obfsproxy (at safesrv.net)
13:46 < masterkorp> i am trying to do this
13:46 < masterkorp> Fri Dec 12 19:46:02 2014 socks_handshake: TCP port read timeout expired: Operation now in progress (errno=115)
13:46 < masterkorp> but i always get this
13:46 < masterkorp> i think its because openvpn only supports socks5 is that correct ?
13:47 -!- u0m3 [~u0m3@109.96.153.17] has quit [Ping timeout: 264 seconds]
13:47 -!- Netsplit *.net <-> *.split quits: RaiNerTsuFal, fred``, Thermi, Nothing4You
13:47 < masterkorp> http://tor.software.tech.answers.ninja/post/693
13:47 < masterkorp> related
13:47 <@vpnHelper> Title: OpenVPN + obfsproxy + obfs3 on Windows? - Tor (at tor.software.tech.answers.ninja)
13:47 < masterkorp> any ideas ?
13:55 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:57 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
13:57 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:01 -!- Netsplit over, joins: Nothing4You
14:03 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
14:04 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:04 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:09 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Client Quit]
14:25 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
14:28 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 250 seconds]
14:29 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Quit: Meet your opposition - Profane and disciplined - Take back your pride - With a pounding hammer]
14:30 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
14:35 -!- dazo is now known as dazo_afk
14:36 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 245 seconds]
14:45 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
14:45 -!- mode/#openvpn [+v RBecker] by ChanServ
14:52 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
14:58 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
15:07 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
15:09 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:21 -!- Popsikle [~popsikle@rrcs-24-103-53-46.nyc.biz.rr.com] has quit [Remote host closed the connection]
15:26 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
15:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
15:44 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
15:47 -!- fred`` [fred@earthli.ng] has joined #openvpn
16:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
16:36 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
16:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
16:57 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
16:57 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
17:18 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 240 seconds]
17:24 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
17:37 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
17:42 -!- JaniceKitten [j4jackj@need.sleep.caffeinet.uk.to] has joined #openvpn
17:42 -!- JaniceKitten [j4jackj@need.sleep.caffeinet.uk.to] has left #openvpn []
17:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:15 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:51 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Disconnected by services]
18:51 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
18:56 -!- eaglelinux [~eaglelinu@213.207.38.192] has quit [Ping timeout: 255 seconds]
19:09 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:12 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:18 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:18 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
19:21 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:38 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has joined #openvpn
19:56 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 260 seconds]
20:13 -!- ratdeptrai [~deptrai@99-183-228-80.lightspeed.livnmi.sbcglobal.net] has quit [Ping timeout: 264 seconds]
20:17 -!- ratdeptrai [~deptrai@99-183-228-80.lightspeed.livnmi.sbcglobal.net] has joined #openvpn
20:22 -!- ratdeptrai [~deptrai@99-183-228-80.lightspeed.livnmi.sbcglobal.net] has quit [Ping timeout: 245 seconds]
20:26 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
20:30 -!- ratdeptrai [~deptrai@99-183-228-80.lightspeed.livnmi.sbcglobal.net] has joined #openvpn
20:42 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Ping timeout: 256 seconds]
21:31 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has joined #openvpn
22:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:47 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:52 -!- ShadniX [dagger@p5481C02D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:53 -!- ShadniX [dagger@p5DDFF6E7.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Dec 13 2014
01:02 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn
01:23 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
01:44 -!- mattock_afk is now known as mattock
01:55 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:56 -!- havingFun is now known as xrosnight
02:18 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Remote host closed the connection]
02:43 -!- mattock is now known as mattock_afk
03:10 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 264 seconds]
03:16 -!- Latrina [~Latrina@151.56.173.101] has quit [Ping timeout: 265 seconds]
03:17 -!- ratdeptrai [~deptrai@99-183-228-80.lightspeed.livnmi.sbcglobal.net] has quit [Quit: Leaving.]
03:20 -!- Latrina [~Latrina@adsl-ull-217-190.50-151.net24.it] has joined #openvpn
03:28 -!- Latrina [~Latrina@adsl-ull-217-190.50-151.net24.it] has quit [Ping timeout: 260 seconds]
03:30 -!- Latrina [~Latrina@adsl-ull-171-179.50-151.net24.it] has joined #openvpn
03:37 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
03:44 -!- chicken_soup [~quassel@98.192.44.235] has quit [Quit: No Ping reply in 180 seconds.]
04:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:14 -!- grummel [~christian@static.115.36.9.176.clients.your-server.de] has quit [Quit: WeeChat 1.0.1]
04:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:21 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
05:22 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 244 seconds]
05:24 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:27 -!- rich0_ is now known as rich0
05:46 -!- Henryabcd [~Henryabcd@pD9E0A55B.dip0.t-ipconnect.de] has joined #openvpn
05:57 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:57 -!- mode/#openvpn [+v s7r] by ChanServ
06:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
06:31 -!- droid909 [~droid909@unaffiliated/droid909] has joined #openvpn
06:32 < droid909> guys, can anyone suggest a cheap but working VPS for openvpn?
06:32 < droid909> somewhere in europe
06:38 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
06:49 -!- Henryabcd [~Henryabcd@pD9E0A55B.dip0.t-ipconnect.de] has quit [Read error: Connection timed out]
07:02 < droid909> nevermind
07:02 -!- droid909 [~droid909@unaffiliated/droid909] has left #openvpn []
07:05 -!- xMopxShell [~xMopxShel@davepedu.com] has quit [Ping timeout: 244 seconds]
07:23 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has joined #openvpn
07:24 -!- JaniceKitten [j4jackj@need.sleep.caffeinet.uk.to] has joined #openvpn
07:24 < JaniceKitten> Hi guyzes
07:24 < JaniceKitten> And girls
07:24 < JaniceKitten> And non-binary folk
07:25 < JaniceKitten> So... I'm going to pastebin some stuff describing my issue..
07:25 < JaniceKitten> !paste
07:25 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
07:28 < JaniceKitten> Wait ok...
07:34 < JaniceKitten> !configs
07:34 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:44 < JaniceKitten> !welcome
07:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
07:44 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:44 < JaniceKitten> Yeah... so my goal is I'd like to access the IPv6 internet over my VPN.
07:44 < JaniceKitten> !howto
07:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
07:58 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
07:58 < Y0sh1> thats something i should do soon too :)
08:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds]
08:40 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
08:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Quit: really? must I leave? aw pls let me stay!]
09:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:08 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
09:08 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has joined #openvpn
09:09 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
09:11 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has joined #openvpn
09:12 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has quit [Remote host closed the connection]
09:12 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has joined #openvpn
10:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 256 seconds]
10:27 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
10:29 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Remote host closed the connection]
10:50 -!- mazde [a4d71362@gateway/web/freenode/ip.164.215.19.98] has joined #openvpn
10:51 < mazde> Hi. Is openVPN providing a socks address ?
10:59 < mazde> Hello ?
11:14 -!- mattock_afk is now known as mattock
11:14 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
11:21 -!- Tausen [~Tausen@tausen.org] has joined #openvpn
11:25 -!- Tausen [~Tausen@tausen.org] has left #openvpn ["Leaving"]
11:27 -!- _FBi [B@Aircrack-NG/User] has quit [Ping timeout: 258 seconds]
11:27 < esde> not sure if pertinent but
11:28 < esde> !sockd
11:28 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
11:32 -!- xMopxShell [~xMopxShel@davepedu.com] has joined #openvpn
11:32 < esde> ircpimps.org is down apparently
11:56 -!- Vasily555 [~Stanford@178.34.247.199] has joined #openvpn
11:56 < Vasily555> Hello, I am trying to achieve stability with OpenVPN
11:58 < Vasily555> I have a OpenVPN network with multiple computers and sometimes one of the computers becomes unavailable.
11:58 < Vasily555> I look at it and see that the network adapter is up, the computer has the VPN IP but there are errors in the log
11:58 < Vasily555> here is the log http://www.nomorepasting.com/getpaste.php?pasteid=39848
11:59 < Vasily555> Can someone tell me what is wrong?
12:00 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Read error: No route to host]
12:06 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
12:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
12:12 -!- Vasily555 [~Stanford@178.34.247.199] has quit []
12:15 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Read error: Connection reset by peer]
12:19 -!- mazde [a4d71362@gateway/web/freenode/ip.164.215.19.98] has quit [Quit: Page closed]
12:19 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
12:32 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Read error: Permission denied]
12:33 < Eugene> Not if you don't hang around for the answer
12:34 < nullie> he's connection isn't stable yet
12:34 < Eugene> Clearly.
12:36 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
12:41 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:47 -!- trumee [~parul@c-98-201-76-226.hsd1.tx.comcast.net] has joined #openvpn
12:52 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
12:54 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Remote host closed the connection]
12:54 -!- trumee [~parul@c-98-201-76-226.hsd1.tx.comcast.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:57 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
13:05 -!- ylluminate [~ylluminat@66.55.144.250] has joined #openvpn
13:12 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:17 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:18 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
13:19 -!- fred`` [fred@earthli.ng] has quit [Ping timeout: 252 seconds]
13:22 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
13:22 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
13:26 <@ecrist> most people don't know how to IRC
13:28 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
13:28 -!- fred`` [fred@earthli.ng] has joined #openvpn
13:55 < hydrajump> !init
13:55 < hydrajump> !goal
13:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:56 < hydrajump> !init.d
13:56 < hydrajump> am I missing something after installing 2.3.6 via the official openvpn repo using apt on Ubuntu 14.04 that it doesn't start on boot?
13:56 < hydrajump> this is using a client.conf
13:57 < hydrajump> I'd like openvpn to start the connection as soon as the network connection is available and keep it up
14:02 < Eugene> I'm not totally sure if 14.04 is using systemd or init scripts, but the basic gist is that you need to enable the service
14:02 < Eugene> `chkconfig openvpn on` or `systemctl enable openvpn@<conf-file-name>`
14:02 < Eugene> (not an Ubuntu user, so....)
14:08 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:09 < hydrajump> looks like i found the issue
14:11 < hydrajump> it was failing due to a path to pki files was changed and not in config
14:20 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has quit [Excess Flood]
14:20 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 244 seconds]
14:21 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has joined #openvpn
14:25 -!- ylluminate [~ylluminat@66.55.144.250] has quit [Quit: Bye!]
14:35 -!- wigyori [wigyori@bodega.szopobode.hu] has quit [Ping timeout: 272 seconds]
14:48 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
15:18 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
15:20 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
15:41 -!- jerrcs [jeremy@dogpound.sliqua.com] has joined #openvpn
15:48 -!- shinydog [~almostwor@unaffiliated/almostworking] has joined #openvpn
16:00 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has quit [Remote host closed the connection]
16:23 -!- Henryabcd [~Henryabcd@pD9E0A55B.dip0.t-ipconnect.de] has joined #openvpn
16:50 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
16:58 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has quit [Ping timeout: 245 seconds]
17:00 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has joined #openvpn
17:02 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
17:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
17:12 -!- j4janicej [jack@janice-laptop.umbrellix.tk] has joined #openvpn
17:12 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
17:13 -!- j4janicej is now known as Janicekitty
17:21 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
17:49 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
17:49 -!- mode/#openvpn [+v s7r] by ChanServ
18:02 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:37 -!- Henryabcd [~Henryabcd@pD9E0A55B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
19:40 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has joined #openvpn
20:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:28 -!- shinydog [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
20:34 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
20:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
21:06 -!- NP-Hardass [~NP-Hardas@unaffiliated/np-hardass] has quit [Quit: WeeChat 0.4.3]
21:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
21:38 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 244 seconds]
21:38 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 244 seconds]
21:39 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
21:46 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
21:47 -!- idl0r [~idl0r@gentoo/developer/idl0r] has quit [Ping timeout: 240 seconds]
21:47 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Ping timeout: 240 seconds]
21:47 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 240 seconds]
21:47 -!- nullie [~nullie@li732-95.members.linode.com] has quit [Ping timeout: 240 seconds]
21:48 -!- ender| [krneki@foo.eternallybored.org] has quit [Ping timeout: 240 seconds]
21:52 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
21:53 -!- nullie [~nullie@linode.nullie.name] has joined #openvpn
21:56 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
21:56 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
22:01 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
22:02 -!- idl0r [~idl0r@gentoo/developer/idl0r] has joined #openvpn
22:06 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
22:25 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
22:50 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
22:51 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
22:52 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 250 seconds]
22:55 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
22:59 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 258 seconds]
23:13 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
23:15 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 255 seconds]
23:18 -!- Cultist [~CultOfThe@67.175.170.187] has quit [Ping timeout: 244 seconds]
23:20 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 244 seconds]
23:23 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 244 seconds]
23:29 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 244 seconds]
23:29 -!- jrg [jrg@unaffiliated/jrg] has quit [Ping timeout: 244 seconds]
23:30 -!- Netsplit *.net <-> *.split quits: lev__, aep, hive-mind, kef, _bt, moparisthebest, bone_idol, nsrafk, Moonlightning, Nothing4You,  (+133 more, use /NETSPLIT to show all of them)
23:30 -!- djacob [~IceChat9@pool-71-246-17-183.phlapa.fios.verizon.net] has quit [Ping timeout: 244 seconds]
23:30 -!- Six6siX [~Devil@jasmine.sammybakar.com] has quit [Ping timeout: 244 seconds]
23:30 -!- tapout [~tapout@unaffiliated/tapout] has quit [Max SendQ exceeded]
23:30 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
23:31 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has quit [Ping timeout: 244 seconds]
23:31 -!- esde [~esde@unaffiliated/esde] has quit [Ping timeout: 244 seconds]
23:31 -!- fixxxermet [~lopan@vps.gnulnx.net] has quit [Ping timeout: 244 seconds]
23:32 -!- Netsplit *.net <-> *.split quits: dvl, phreakocious, cz20xx, thumbs, phunyguy, liriel, yoavz, aulait, NChief, jtrucks,  (+11 more, use /NETSPLIT to show all of them)
23:46 -!- Netsplit *.net <-> *.split quits: Matir
23:48 -!- Dr_Disk [~Deception@66.55.150.182] has joined #openvpn
23:48 -!- Netsplit over, joins: ryao, NChief, novaflash, jeev, cz20xx, thumbs, deviantintegral, aulait, phunyguy, mgorbach (+10 more)
23:48 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
23:48 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
23:48 -!- badaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
23:48 -!- Netsplit over, joins: akamaru217, moparisthebest, Shiftos, badon, almostworking, idl0r, ender|, MogDog, nullie, AsadH (+12 more)
23:48 -!- ServerMode/#openvpn [+oo novaflash vpnHelper] by morgan.freenode.net
23:49 -!- Netsplit over, joins: jareth_, ShadniX, Moonlightning, eristisk, mistermajestic, RaiNerTsuFal, zoredache, +RBecker, Thermi, Nothing4You (+110 more)
23:49 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
23:49 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
23:49 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
23:49 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
23:52 -!- ShadniX [dagger@p5DDFF6E7.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:53 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
23:54 -!- ShadniX [dagger@p5481C72A.dip0.t-ipconnect.de] has joined #openvpn
23:55 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
23:55 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 244 seconds]
23:56 -!- Matir [~matir@ubuntu/member/matir] has joined #openvpn
23:57 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 258 seconds]
--- Day changed Sun Dec 14 2014
00:00 -!- Netsplit *.net <-> *.split quits: lev__, hive-mind, kef, aep, _bt, moparisthebest, bone_idol, nsrafk, Moonlightning, Nothing4You,  (+156 more, use /NETSPLIT to show all of them)
00:00 -!- kossy [a@unaffiliated/kossy] has quit [Max SendQ exceeded]
00:01 -!- Netsplit over, joins: Matir, ShadniX, Dr_Disk, ryao, NChief, @novaflash, jeev, cz20xx, thumbs, deviantintegral (+156 more)
00:01 -!- tapout [~tapout@unaffiliated/tapout] has quit [Max SendQ exceeded]
00:01 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
00:02 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
00:02 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
00:02 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
00:05 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
01:06 -!- Dr_Disk [~Deception@66.55.150.182] has quit [Ping timeout: 272 seconds]
01:31 -!- squinty [~squinty@S01069cd643d2c8a1.du.shawcable.net] has quit [Remote host closed the connection]
01:33 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
01:35 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
01:44 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
02:32 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 264 seconds]
02:35 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
03:24 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
03:27 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
03:41 -!- Mike-- [mad@mx.probie.nl] has joined #openvpn
03:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
04:33 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:40 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
04:41 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
04:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:13 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Read error: Connection reset by peer]
05:15 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
05:18 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
05:21 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
05:31 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
05:31 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
05:46 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
07:12 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has quit [Excess Flood]
07:12 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has joined #openvpn
07:17 -!- eristisk [~eristisk@gateway/tor-sasl/eristisk] has quit [Ping timeout: 250 seconds]
07:22 -!- ikkeT [~ikke@62.237.43.150] has joined #openvpn
07:23 < ikkeT> I've been trying to setup openvpn on my rt56u router and different clients with intermediate CA. I don't succeed getting connection
07:23 < ikkeT> anyone know if I should place ca-chain file as ca cert on both server and client?
07:23 < ikkeT> or just on client?
07:24 < ikkeT> it keeps looping after this: [UNDEF] Inactivity timeout (--ping-restart), restarting
07:37 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Ping timeout: 258 seconds]
07:38 < ikkeT> the reason doesn't seem to be wether there is chain file on server, it can be only server cert
07:39 < ikkeT> it verifies all the certs, (VERIFY=OK) but then restarts with such timeout message
07:41 <@syzzer> !logs
07:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:43 <@syzzer> ikkeT: hard so say anything without more information, logs could help find the issue
07:44 < ikkeT> syzzer, this is the only "warning looking" message: UDPv4 link local: [undef]
07:44 < ikkeT> otherwise there is no error or anything until that
07:47 <@syzzer> still, it usually helps a lot to see the logs
07:51 -!- Henryabcd [~Henryabcd@pD9E08DDB.dip0.t-ipconnect.de] has joined #openvpn
07:53 < ikkeT> i'll come back with logs a bit later, need to go now
08:08 -!- Y0sh1 [~Y0sh1@unaffiliated/y0sh1] has quit [Changing host]
08:08 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:09 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Quit: OK, Doei!]
08:10 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:10 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
08:10 -!- M4dH4TT3r [~M@unaffiliated/m4dh4tt3r] has joined #openvpn
08:10 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:10 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
08:10 < M4dH4TT3r> i screwed something up...
08:11 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:11 < M4dH4TT3r> started openvpn and it killed my ssh connections
08:12 < M4dH4TT3r> im guessing ccause i had it listen on the same ip?
08:14 <@syzzer> probably because your ssh connections were then routed over your vpn
08:17 < M4dH4TT3r> how do i set this up in ms?
08:17 < M4dH4TT3r> for the client
08:19 <@syzzer> remove the 'redirect-gateway' line from your vpn config
08:19 <@syzzer> (client config)
08:20 <@syzzer> that will only route traffic specifically meant for the network behind the vpn over the vpn, instead of *everything*
08:20 <@syzzer> but, you should realize that means your regular internet traffic is no longer going over the VPN connection
08:23 < M4dH4TT3r> ya
08:29 < M4dH4TT3r> ok when the openvpn server started it apparently killed all other use of the interface...
08:29 < M4dH4TT3r> gonna reboot it because i think openvpn has to be manually started
08:33 -!- masterkorp [~masterkor@static.85-10-196-211.clients.your-server.de] has left #openvpn ["WeeChat 0.3.8"]
08:40 < M4dH4TT3r> ok help me out here had to go to the dev and stop the openvpn server
08:40 < M4dH4TT3r> got ssh and other stuff back
08:40 < M4dH4TT3r> i will cp server.conf
08:42 < M4dH4TT3r> paste.debian.net/136506/
08:44 -!- arkie [~arkie@unaffiliated/arkie] has quit [Quit: Bye]
08:45 < M4dH4TT3r> syzzer ?
08:48 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
08:56 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Quit: OK, Doei!]
08:58 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:58 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
09:02 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
09:19 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Read error: Connection reset by peer]
09:21 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
09:24 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:24 -!- clmbr3 [~b3rt@adsl-184-39-10-135.clt.bellsouth.net] has joined #openvpn
09:31 <@syzzer> M4dH4TT3r: I don't see anything weird in the config, it should not make your server unreachable. Perhaps overlapping IP ranges? Is your client within the same 192.168.0.0 range as your VPN?
09:32 <@syzzer> (well, I do see something weird, "DES-EDE3-CBC". Why would you use that cipher? Nut that is unrelated to your problem...)
09:46 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Quit: ZNC - http://znc.in]
09:55 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
10:04 < M4dH4TT3r> yes
10:04 < M4dH4TT3r> i like 3des whats wrong with it?
10:06 < M4dH4TT3r> doing something else on box atm, will try changing ip range after
10:08 <@syzzer> nothing wrong with 3DES yet, but it is sort of best practice to use AES whenever available
10:09 <@syzzer> so if you choose to not use the default (BF), you should probably choose AES. Especially if you're using modern hardware, since that offers hardware acceleration of AES.
10:19 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
10:20 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Ping timeout: 245 seconds]
10:23 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
10:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
10:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
10:45 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
10:59 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
11:00 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
11:11 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
11:12 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
11:15 < M4dH4TT3r> k making note of it for wake...
11:16 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Client Quit]
11:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
11:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Client Quit]
11:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
11:45 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
11:53 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
12:02 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
12:10 -!- vriska [~user@86.123.52.188] has joined #openvpn
12:11 < vriska> I am connected to the server.com openvpn server. can I somehow connect to server.com:22 via the openvpn tunnel?
12:17 < vriska> duh. I can connect to openvpn_peer:22 (10.8.0.1) and it works
12:17 < vriska> thanks anyway!
12:17 -!- vriska [~user@86.123.52.188] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
12:32 -!- Janicekitty [jack@janice-laptop.umbrellix.tk] has quit [Ping timeout: 258 seconds]
12:34 -!- benoliver999 [~ben@2001:41d0:a:1fb5::] has joined #openvpn
12:35 < benoliver999> !welcome
12:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:35 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:36 < benoliver999> Is there a way I can get openvpn to wait for a conneciton before starting? I'm running it on Arch under systemd.
12:37 < benoliver999> I put a couple of restart lines in the systemd conf file but it didn't wrk
12:37 < benoliver999> work*
12:39 < benoliver999> !redirect
12:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:39 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:42 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
12:45 < benoliver999> Actually it's just after suspend that I'm having trouble
12:45 < benoliver999> Seems to work fine on boot
12:46 -!- Henryabcd [~Henryabcd@pD9E08DDB.dip0.t-ipconnect.de] has quit [Quit: Leaving]
13:16 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
13:28 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
13:43 -!- hiyo [~Puppy@unaffiliated/hiyo] has joined #openvpn
13:43 < hiyo> !welcome
13:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
13:43 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:44 < hiyo> !goal use stunnel (SSL tunnel) with openvpn
13:44 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
13:44 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
13:45 < hiyo> I have been half successful in setting up a system that allows me to access OpenVPN using an SSL tunnel (stunnel) but when I do connect, it will do so successfully but DNS will not work. I can not go anywhere on the internet after connecting
13:56 -!- akamaru [~akamaru21@67.191.183.251] has joined #openvpn
14:00 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 265 seconds]
14:10 < ikkeT> any idea why I get this with intermediate CA:
14:10 < ikkeT> VERIFY ERROR: depth=2, error=self signed certificate in certificate chain:
14:10 < ikkeT> that's true, it's self signed, but what's wrong with it?
14:11 < ikkeT> openssl verifies ok both the cert for server, and the intermediate CA against my own CA
14:11 < ikkeT> which is self signed
14:11 < ikkeT> what can lead to this?
14:13 -!- badaptr is now known as adaptr
14:21 < ikkeT> solved \o/ copy paste error in cert
14:35 -!- hiyo [~Puppy@unaffiliated/hiyo] has quit [Ping timeout: 245 seconds]
14:58 -!- Henryabcd [~Henryabcd@pD9E08DDB.dip0.t-ipconnect.de] has joined #openvpn
15:01 -!- JaniceKitten is now known as Janicekitty
15:26 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Quit: Konversation terminated!]
15:28 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
16:09 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
16:10 < Janicekitty> hi
16:11 < Janicekitty> !goal
16:11 < Janicekitty> lolo
16:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:11 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
16:29 -!- Janicekitty is now known as TheBlueMonkey
16:29 -!- TheBlueMonkey is now known as JaniceKitty
16:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Quit: OK, Doei!]
16:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
16:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
16:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
16:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Client Quit]
16:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
16:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Client Quit]
16:40 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
16:45 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
16:50 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
16:53 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has joined #openvpn
16:55 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:7977:ec37:23c2:8d74] has joined #openvpn
16:56 -!- akamaru [~akamaru21@67.191.183.251] has quit [Ping timeout: 258 seconds]
17:02 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:09 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
17:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:18 -!- toothe [~quassel@unaffiliated/toothe] has joined #openvpn
17:19 < toothe> i downloaded easy_rsa, but it doesn't seem to contain init-config, vars, or clean-all.
17:26 -!- AbrahamLinksys [~srfbgs4@50.23.113.215] has joined #openvpn
17:27 < pekster> New version has new docs:
17:27 < pekster> !easyrsa
17:27 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
17:27 < pekster> #4 has links to the corresponding procedures
17:27  * toothe checks...
17:29 < AbrahamLinksys> I'm trying to configure openvpn without networkmanager from the command line. I got it working once, other times it creates a tun adapter but nothing happens, other times it does create a tun adapter and doesn't connect, etc. I'm using Arch Linux and PIA for my VPN. I downloaded the configuration files and extracted them to /etc/openvpn, then copied the .opvn configuration file to server.conf and started it using systemctl start
17:29 < AbrahamLinksys> openvpn@server.service which worked the first time, now I can't connect anymore. I've tried removing all of the config files, and reinstalling openvpn with no luck. Can anyone help with this?
17:34 < toothe> this is slightly confusing lol
17:37 < AbrahamLinksys> Sorry, I'm using openvpn from the commandline, I extracted the openvpn configuration files my VPN provider provides to /etc/openvpn, after that I created a file with my username and password in /root/.pia, then I edited the .openvpn file to load the creditentials from there, after that I copied the .ovpn file to server.conf (still inside /etc/openvpn) and started openvpn with that config file using systemctl
17:38 < AbrahamLinksys> It worked properly the first time, after that it stopped working and wouldn't create a tun adapter at times, other times it would, but wouldn't connect and I'm not sure how to solve this.
17:39 < AbrahamLinksys> Before I used Network Manager, but I'm using this on a headless server and want it to be as minimal as possible (network manager has a lot of bloated dependancies)
17:40 < AbrahamLinksys> Basically I'm wondering how to run openvpn from the commandline without any other programs such as network manager but I'm probably not doing to properly
17:40 < AbrahamLinksys> I'm using Private Internet Access (sorry for the spam)
17:54 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
18:03 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Excess Flood]
18:03 -!- JackWinter [~jack@vodsl-11198.vo.lu] has joined #openvpn
18:06 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
18:10 < toothe> so, I did build-ca, and it asks me to sign a request.
18:10 < toothe> the problem is, I don't have a request to sign -- and I don't see anyinstructions that talk about that in the HOWTO
18:22 -!- Popsikle [~popsikle@pool-108-27-211-233.nycmny.fios.verizon.net] has quit [Remote host closed the connection]
18:26 -!- Henryabcd [~Henryabcd@pD9E08DDB.dip0.t-ipconnect.de] has quit [Quit: Leaving]
18:27 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
18:36 < pekster> toothe: Then you missed step 2) that you can almost blindly copy and paste, correcting the rather obvious UNIQUE_SERVER_SHORT_NAME ane UNIQUE_CLIENT_SHORT_NAME with, as you might have guessed, unique names for your server and client
18:37  * toothe checks...
18:37 < pekster> If that's confusing, it's a wiki, so please feel free to add additional notes if you feel it requires further elaboration
18:37 < toothe> is that init-pki ?
18:38 < toothe> or is that build-ca?
18:38 < pekster> "On each server system, generate a keypair and request. Normally these are left unencrypted by using the "nopass" argument since servers usually start up without any password input. This generates an unencrypted key, so protect its access and file permissions carefully. "
18:38 < pekster> So, on each of your server systems, you download/extra/run the command
18:38 < toothe> i must be on a different page than you
18:38 < pekster> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
18:38 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
18:38 < toothe> i am...
18:38 < pekster> For v3. v2 is completely different and full of much old-school behavior
18:40 < toothe> okay, iw as on a different page, which is why I missed that step :-)
18:40 < toothe> thanks
18:47 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
19:07 <@ecrist> evening, folks
19:13 -!- ShadniX [dagger@p5481C72A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
19:14 -!- ShadniX [dagger@p5481C72A.dip0.t-ipconnect.de] has joined #openvpn
19:17  * _FBi tips hat
19:20 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 272 seconds]
19:22 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
19:26  * JaniceKitty tips her fedora
19:32 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 260 seconds]
19:32 <@ecrist> this channel is quiet tonight.
19:32 <@ecrist> anyone in here enjoy shooting at long-ish distances?
19:33 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
19:33 < _FBi> 5.56 only touchs 300 with me behind it
19:33 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
19:33 -!- mode/#openvpn [+v s7r] by ChanServ
19:34 <@ecrist> hah
19:35 <@ecrist> I do this fun "competition" out to 500 yards with some folks.  So foggy today we couldn't see our 500 yard target
19:35 < _FBi> I bet you shot anyway!
19:35 <@ecrist> I run .270 on a Rem 700.  I still flinch, which is stupid, but I carry ~6" groups at 500 yards
19:36 < _FBi> everything I do is metres ;)
19:36 <@ecrist> we rolled 500 back to the 300, but we shot out to 400, which was still so hard to see it took ~20 minutes for each group to fire their three rounds
19:36 <@ecrist> There's a couple guys in our group that will hold .223 to 1" at 500 yards
19:37 < _FBi> I have a brand new .308, which I've never fired. 5.56 AR, SKS, 22-250, .22 x2, 30-30, and few hand guns :/
19:37 < _FBi> ecrist, yea, some really ninjas out there
19:37 <@ecrist> new guy showed up today using factory .223 SPBT from Remmington and kept a 3" group at 400
19:38 < _FBi> BT is the way to go
19:38 <@ecrist> I want to build a .308 specifically to go far - 1000 yards.  I'll be happy when my hunting rifle (the .270) and I are more consistent.  my kids want to get into this, too.  looking to get thema  youth model .243 or 22-250
19:39 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 245 seconds]
19:39 < _FBi> 22-250 is great.
19:40 < _FBi> little kick, loud sound... makes it feel like a real rifle
19:40 < _FBi> I love my SR22 rifle, too
19:40 <@ecrist> I'm by no means anything close to "good" at this yet.  I know which reticle to use, and how to hold over and/or use the dials on my scope.  Not really an expert on BC, windage/etc yet
19:41 < _FBi> I don't use zoom :/
19:41 < _FBi> I'm just starting to use optics :/
19:41 <@ecrist> I've got a Leupold VX-3 with boone & crocket that I finally really demonstrated I understand today.  my flinching keeps my groups wide, but the reticle did it's job.  Didn't have to touch the dials once and hit paper every time.
19:42 <@ecrist> On my AR, I'm crazy accurate with iron sights.  I blame the Army.
19:42 < _FBi> possibly try a trigger job.  It's hard to stage or flinch when all it does is go bang
19:42 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
19:47 < _FBi> I have a model 19 with a trigger job...  the best trigger I've ever felt
19:48 < _FBi> I bought my .308 to be a distance shooter.  Savage Law Enforcement Model 10, Heavy Barrel
19:48 < _FBi> incredibly disappointed in it.  (Haven't fired it, that might change)  I should have bought the 700...
19:55 -!- AbrahamLinksys [~srfbgs4@50.23.113.215] has quit [Ping timeout: 260 seconds]
19:56 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:15 <@ecrist> my 700 is an XCR II which comes with an adustable trigger.  I just need to spend time on the range and adjust the damn thing
20:15 <@ecrist> my buddy had a match trigger that has two stages/triggers.  one set trigger.  the second fires the weapon, and breaks like glass. soooo smooth
20:38 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
21:31 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Remote host closed the connection]
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:43 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:54 -!- clmbr3 [~b3rt@adsl-184-39-10-135.clt.bellsouth.net] has quit []
22:40 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
22:58 -!- touya is now known as TemplateTroll
23:08 -!- Viiruzoh [~Viiruzoh@186-92-151-17.genericrev.cantv.net] has joined #openvpn
23:09 -!- DrewbieDoo [~DrewbieDo@pool-96-241-202-210.washdc.fios.verizon.net] has joined #openvpn
23:10 < _FBi> ecrist, I've played with one of those before.  Neat.  I hear good things about the X-Trigger, if that's what you have.  I have the AccuTrigger (or whatever the hell) Savage uses instead.
23:11 < _FBi> I don't have a glass on my Savage, still sitting with the tags on it :/
23:12 -!- Viiruzoh [~Viiruzoh@186-92-151-17.genericrev.cantv.net] has quit []
23:16 -!- TemplateTroll is now known as TrollTemplate
23:17 -!- DrewbieDoo [~DrewbieDo@pool-96-241-202-210.washdc.fios.verizon.net] has quit [Quit: Leaving]
23:18 < M4dH4TT3r> protecting socket fd 4 ?
23:51 -!- ShadniX [dagger@p5481C72A.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:52 -!- ShadniX [dagger@p5481C615.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Dec 15 2014
00:26 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
00:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
00:26 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 260 seconds]
00:27 -!- BtbN [btbn@btbn.de] has joined #openvpn
00:28 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has joined #openvpn
00:51 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
00:54 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
01:00 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:08 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
01:11 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
01:11 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
01:24 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:24 -!- mode/#openvpn [+o mattock_afk] by ChanServ
01:24 -!- mattock_afk is now known as mattock
01:30 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
02:58 -!- s7r_m [~s7r@openvpn/user/s7r] has joined #openvpn
02:58 -!- mode/#openvpn [+v s7r_m] by ChanServ
03:04 -!- toothe [~quassel@unaffiliated/toothe] has quit [Remote host closed the connection]
03:10 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
03:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
03:14 -!- ValdikSS [~valdikss@95.215.45.33] has joined #openvpn
03:20 -!- elfixit [~Icedove@mail.mousonturm.de] has joined #openvpn
03:30 -!- xTz [~xTz@77.238.81.110] has joined #openvpn
04:13 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
04:29 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
04:29 -!- elfixit [~Icedove@mail.mousonturm.de] has quit [Ping timeout: 245 seconds]
04:30 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
04:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:38 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
04:44 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
04:44 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
04:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:26 -!- Henryabcd [~Henryabcd@pD9E0B55B.dip0.t-ipconnect.de] has joined #openvpn
05:34 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Read error: Connection reset by peer]
05:35 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:46 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 265 seconds]
05:51 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:06 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 265 seconds]
06:08 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
06:08 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
06:51 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
07:06 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has joined #openvpn
07:30 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 265 seconds]
07:34 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:19 -!- ValdikSS [~valdikss@95.215.45.33] has quit [Quit: Konversation terminated!]
08:28 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
08:33 -!- Henryabcd [~Henryabcd@pD9E0B55B.dip0.t-ipconnect.de] has quit [Quit: Leaving]
08:58 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:10 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has quit [Ping timeout: 260 seconds]
09:10 -!- Argure [quasselcor@geonosis.donttrustrobots.nl] has joined #openvpn
09:31 -!- Gabou [~Ga@unaffiliated/gabou] has joined #openvpn
09:32 < Gabou> Hi everybody, I have a VPN working for routing everything through it, the problem (if it's a problem) is that all my ipv6 trafic isn't routed through the VPN, any idea?
09:32 < Gabou> !paste
09:32 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
09:32 < Gabou> client : http://0bin.net/paste/vJbihAImAuHtVPh3#qPGMfYpU39anMFSXv+QHwW7KS0Urdk9xf1YHeM4FSPy
09:33 < Gabou> server : http://0bin.net/paste/3LEOQbACoyZIl1BH#4kFI09MbFegZJKogXSc-HGbEndZUwkD7aJxkpMaveL7
09:35 < Gabou> ipv6 isn't well documented, i've found this: https://community.openvpn.net/openvpn/wiki/IPv6
09:35 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
09:35 < Gabou> can I use the same ipv6 address from the examples?
09:43 -!- ghormoon [~ghormoon@ghorland.net] has quit [Remote host closed the connection]
10:08 -!- noecc [~irc@unaffiliated/noecc] has joined #openvpn
10:20 -!- Denial [~Denial@81.141.2.111] has quit []
10:20 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
10:22 <@krzee> Gabou, you own that ipv6 ip range from the examples?
10:23 <@krzee> i dont use ipv6 so i cant really help you with it, but i do know you need to use an ipv6 ip range that is routed to you
10:23 < Gabou> oh okay
10:23 < Gabou> that's explain a lot :p
10:37 -!- TrollTemplate is now known as touya
10:38 -!- deraps [~ubuntu@ec2-50-18-158-69.us-west-1.compute.amazonaws.com] has joined #openvpn
10:43 -!- alnkpa [~alnkpa@2001:1a50:11:0:5f:8f:acc3:1] has joined #openvpn
10:48 < alnkpa> ! welcome
10:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:48 < alnkpa> !welcome
10:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:49 < alnkpa> !goal
10:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:49 < alnkpa> !paste
10:49 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
10:52 <@krzee> alnkpa, whats the goal?
10:57 < alnkpa> sorry. was just preparing my question: I want to connect to a PC my uni provided. I was given .ovpn files + ca.crt + .key. when running openvpn I get the error: "ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)" which is wrong: /dev/net/tun exists. I'm running arch linux.
10:58 <@krzee> you root?
10:58 < nullie> alnkpa, ls -l /dev/net/tun
10:59 < alnkpa> krzee, ran it with sudo
10:59 < alnkpa> nullie, crw-rw-rw- 1 root root 10, 200 Dec  4 08:18 /dev/net/tun
10:59 <@krzee> modprobe tun
10:59 < nullie> alnkpa, did you restart after last kernel upgrade?
11:00 <@krzee> ooo i didnt think of that one ^
11:01 < alnkpa> nullie, that might be it
11:01 <@krzee> you inside a VPS?
11:02 < alnkpa> brb, restarting
11:07 < alnkpa> indeed the restart solved it. thx nullie and krzee!
11:15 <@krzee> nullie++
11:21 < deraps> could someone tell me which file the google auth 2fa seeds are stored in?  i assume one of the .db files in the etc/db dir ?
11:23 <@krzee> not i, i only support openvpn
11:23 <@krzee> it's on topic though, maybe someone else will know
11:25 < deraps> i'm looking to do a transparent failover to a backup site by dns. the backup site has ldap already working...just need to know which file to rsync over to allow the users' 2fa to continue working.  i'll dig around some more in the docs
11:26 -!- Denial [~Denial@81.141.2.111] has joined #openvpn
11:28 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 265 seconds]
11:32 < pekster> deraps: that's either some script or plugin add-on, or the commercial "access server" product that's a licensed wrapper around openvpn
11:33 < deraps> oh...yes, this is for access server. is there another channel for that?
11:33 < deraps> if so, sorry for the confusion :D
11:33  * pekster points to /topic
11:33  * deraps facepalms
11:33 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
11:34 < deraps> thanks, i'll show myself out. heh
11:34 -!- deraps [~ubuntu@ec2-50-18-158-69.us-west-1.compute.amazonaws.com] has left #openvpn []
11:35 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Read error: Connection reset by peer]
11:35 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
11:37 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
11:37 < AlexRussia> hey, folks, does openvpn have integraion with systemd?
11:37 < AlexRussia> Not for  holywar, just ask
11:40 < Gabou> krzee: my vps provider only allow me 32 ips so i don't have any block.. how can I get ipv6 to work with few ipv6 addresses?
11:41 < _FBi> routing
11:43 < pekster> You can't route with that few. Slap your criminally-braindead network provider with RFC6177, or find someone who has a clue how IPv6 works
11:44 < _FBi> morning pekster
12:02 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
12:02 -!- Gabou [~Ga@unaffiliated/gabou] has left #openvpn [" : traP"]
12:06 < Eugene> AlexRussia - `openvpn` itself doesn't care how its executed; the openvpn package provided by epel for EL7 has systemd integration; other distro packages may vary.
12:08 -!- brianblaze420 [~brianblaz@unaffiliated/brianblaze] has quit [Quit: Peace!]
12:12 < AlexRussia> Eugene: EL7?
12:12 < Eugene> Enterprise Linux 7 / CentOS7
12:12 < AlexRussia> Eugene: oh, can you send me package/sources if available?
12:12 < AlexRussia> package source i mean
12:13 < Eugene> EPEL provides srpms
12:13 < AlexRussia> Eugene: i am just on Arch
12:13 < AlexRussia> srpms?
12:13 < Eugene> "source RPM"
12:13 < Eugene> Because I'm feeling generous: http://dl.fedoraproject.org/pub/epel/7/SRPMS/repoview/openvpn.html
12:13 <@vpnHelper> Title: RepoView: "Fedora EPEL 7 - SRPMS" (at dl.fedoraproject.org)
12:13 < Eugene> And google "srpm extract" for what to do with that
12:14 < AlexRussia> Eugene: i guess, is just some kind of archive, you don't?
12:14 < AlexRussia> Eugene: like zip, gz...
12:14 < Eugene> Yes, it's a rpm ;-)
12:14 < Eugene> Which is even a standards-defined format
12:14 < AlexRussia> :D
12:17 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:43 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 250 seconds]
12:44 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 264 seconds]
12:49 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: No route to host]
12:54 < JaniceKitty> Hi
13:12 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
13:17 < AlexRussia> Eugene: have i see you before?
13:17 < Eugene> Probably.
13:18 < AlexRussia> why do you think so?
13:18 < Eugene> !eugenekay
13:18 <@vpnHelper> "eugenekay" is right because EugeneKay is always right.
13:18 < AlexRussia> ???
13:21 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
13:38 < _FBi> heh
14:06 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 256 seconds]
14:14 -!- mete [~mete@91.247.253.160] has joined #openvpn
14:30 -!- Netsplit *.net <-> *.split quits: jgeboski, Champi, `Kevin, julieeharshaw, nlb, fps, TheEternalAbyss, torax
14:31 -!- Netsplit over, joins: jgeboski, `Kevin, julieeharshaw, torax, fps, TheEternalAbyss, nlb
14:31 -!- Netsplit over, joins: Champi
14:37 -!- fps [~tapas@fps.io] has left #openvpn []
14:39 < Eugene> !configs
14:40 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
15:01 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 245 seconds]
15:01 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Ping timeout: 245 seconds]
15:02 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 245 seconds]
15:02 -!- wej [~j@2001:1af8:4010:a027:21::4e] has joined #openvpn
15:03 -!- s7r_m is now known as s7r
15:04 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
15:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:05 < wej> !welcome
15:05 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:05 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:05 < wej> hello. i've got a problem with openvpn. what i want to do is connect to a vpn and let openvpn set the default gateway, but it refuses to do that, because there previously was no default gateway. how can i tell openvpn to set the default gateway, no matter if there was one previously?
15:06 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
15:07 < zoredache> That is odd, sure seems like it should be able to add a gateway just fine.  What error do you get?
15:08 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
15:09 < wej> zoredache: it tells me "unable to redirect default gateway-- Cannot read current default gateway from system"
15:09 < wej> which is true - there is no default gateway, but is not what i want
15:10 < zoredache> hrm.. I would be tempted to just use def1 instead.
15:10 < wej> def1?
15:11 < zoredache> redirect-gateway def1.  It creates two /1 routes instead of trying to change the default route.
15:11 < wej> oh, i see
15:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:12 < wej> do i have to do that on the server side?
15:13 < zoredache> you do it in wherever you had your `redirect-gateway` option set.  If you were pushing that from the server then change the server. If you specified it in your client config, change your client config.
15:15 < wej> mh, i can't change the server configuration, but i haven't configured it on the client side :/
15:16 < zoredache> well just try adding it client side then?
15:17 < wej> good call, i guess it is worth a try. thanks
15:23 -!- mattock is now known as mattock_afk
15:28 < wej> it seems redirect-gateway always tries to delete the existing default gateway and fails when there is none, no matter what :/
15:31 < wej> maybe i can script something with the --route-up option
15:38 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
16:02 < wej> ok, solved it. using an external shell script with the --route-up option and setting the default route from there to $route_vpn_gateway solved the problem
16:04 -!- Netsplit *.net <-> *.split quits: RaiNerTsuFal, fred``
16:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
16:07 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
16:13 -!- wej [~j@2001:1af8:4010:a027:21::4e] has quit [Ping timeout: 258 seconds]
16:16 -!- wej [~j@2001:1af8:4010:a027:21::4e] has joined #openvpn
16:21 -!- Netsplit over, joins: RaiNerTsuFal
16:42 -!- wej [~j@2001:1af8:4010:a027:21::4e] has quit [Ping timeout: 258 seconds]
16:47 -!- wej [~j@2001:1af8:4010:a027:21::4e] has joined #openvpn
17:27 -!- Papey [~Papey@ks3364303.kimsufi.com] has quit [Ping timeout: 272 seconds]
17:36 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
17:37 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 264 seconds]
17:44 -!- kef [~kef@matrix.fullmotion.de] has quit [Ping timeout: 260 seconds]
17:44 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 260 seconds]
17:44 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 260 seconds]
17:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:45 -!- abbe_ [having@badti.me] has joined #openvpn
17:45 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Ping timeout: 260 seconds]
17:45 -!- abbe [having@badti.me] has quit [Ping timeout: 260 seconds]
17:45 -!- kef_ [~kef@matrix.fullmotion.de] has joined #openvpn
17:46 -!- BtbN [btbn@btbn.de] has joined #openvpn
17:46 -!- abbe_ is now known as abbe
17:46 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
17:46 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
17:47 -!- Papey [~Papey@ks3364303.kimsufi.com] has quit [Ping timeout: 255 seconds]
17:55 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
17:55 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
17:56 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
17:56 -!- mode/#openvpn [+o syzzer] by ChanServ
18:00 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:14 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 260 seconds]
18:16 -!- kef_ is now known as kef
18:21 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
18:22 < alanjf> Is there a way to specify which key(s) can be used to connect to an openvpn server?
18:23 < alanjf> Like run multiple instances, each one only serving a specific client (for bridging purposes) so the CA and server cert/key can be share among all the instances instead of having to generate and keep track of multiple sets?
18:30 < raeflondon> alanjf: if you're running multiple instances, you could just have them all share a common ca. The clients can all use the same cert on multiple instances, or you can use --duplicate-cn with one instance
18:32 < pekster> alanjf: Read about --client-connect. That can act based on the client's common_name
18:32 < pekster> !scripts
18:32 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
18:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:43 <@ecrist> alanjf: yes, give me a moment, you can do what you want without a script
18:45 <@ecrist> see --ccd-exclusive
18:45 <@ecrist> basically, if a user's CCD entry doesn't exist, it doesn't allow the user to connect
18:46 <@ecrist> sort of a poor-man's client-connect script to check CN on certificates.
18:46 <@ecrist> the CCD entry can be an empty file, so just a simple "touch <cn>" is sufficient.
18:47 < alanjf> ecrist: Thanks. Though what about using: tls-verify "./verify-cn clientA" in one conf and tls-verify "./verify-cn clientB" in the other?
18:47 <@ecrist> sure
18:47 <@ecrist> but that does what I just described, and doesn't require a restart of the vpn process
18:47 < alanjf> ah
18:48 < alanjf> Thank you.
19:18 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
19:32 < pekster> (provided you have --client-config-dir in your config already. This is a wise thing to do anyway, just like providing a CRL even if you don't have any revoked certs. Yet.)
19:47 -!- justinzane [~justinzan@67.21.190.132] has quit []
19:50 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
19:51 -!- justinzane [~justinzan@67.21.190.132] has quit [Client Quit]
19:51 -!- toothe [~mongolian@unaffiliated/toothe] has joined #openvpn
19:52 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
19:53 < toothe> I setup easyrsa's with a cert from the client, server and CA, but I cna't seem to properly configure openvpn. Can someone please send me a guide that explains how to setup openvpn.conf? I've done this in the past, but this guide is not working anymore: http://openvpn.net/index.php/open-source/documentation/howto.html#examples
19:53 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:56 < pekster> The howto explains the config. If you're having issues with a config, what you'll really need to do is pastebin your configs (without comments please, there's grep syntax for that below) and the output of any errors from your logs. Read this for info:
19:56 < pekster> !configs
19:56 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
19:56 < pekster> !logs
19:56 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:57 < pekster> toothe: ^
19:58 < toothe> oh, pardon.
20:05 < toothe> oh, its telling me I didn't define a DH file. Where/how do I Get one?
20:05 < pekster> easyrsa (both versions) have a command for this, or use openssl to do it because it's a stand-alone file
20:06 < pekster> !dh
20:06 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
20:06 < pekster> If you use the openssl command in (#2) you should use the bit-size of your largest keypair generated. 2048 is the current default
20:07 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
20:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
20:19 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:21 -!- zalami is now known as Saxophone
20:21 -!- Saxophone is now known as Salamander
20:21 -!- Salamander is now known as SalamanderFood
20:22 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
20:28 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 260 seconds]
21:07 -!- cyberspace- [20253@ninthfloor.org] has quit [Read error: Connection reset by peer]
21:08 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:15 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 256 seconds]
21:20 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:40 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 250 seconds]
21:41 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:45 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-146.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 264 seconds]
21:48 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
22:28 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
22:30 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:36 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 244 seconds]
22:36 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 244 seconds]
22:37 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
22:39 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
23:13 -!- toothe [~mongolian@unaffiliated/toothe] has quit [Quit: leaving]
23:32 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
23:49 -!- ShadniX [dagger@p5481C615.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:51 -!- ShadniX [dagger@p5DDFF8B6.dip0.t-ipconnect.de] has joined #openvpn
23:57 -!- hasB4K [~hasB4K@unaffiliated/hasb4k] has joined #openvpn
23:57 < hasB4K> Hi
--- Day changed Tue Dec 16 2014
00:01 < hasB4K> I was wondering, is there a way to configure a OpenVPN for redirecting the connection for users only? For example I have a service on my personnal computer that runs with a specific user, I would like to see all inputs and outputs network connection use the connection of my OpenVPN config
00:01 < hasB4K> only for this user. (Not sure if I'm clear...)
00:22 -!- mattock_afk is now known as mattock
00:26 -!- gr3yR0n1n [~gr3yR0n1n@c-174-52-62-40.hsd1.ut.comcast.net] has joined #openvpn
00:37 -!- gr3yR0n1n [~gr3yR0n1n@c-174-52-62-40.hsd1.ut.comcast.net] has quit [Ping timeout: 255 seconds]
00:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
00:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:48 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:7977:ec37:23c2:8d74] has quit [Ping timeout: 265 seconds]
00:50 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:59e5:5f3f:3c52:e553] has joined #openvpn
00:58 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
01:09 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 258 seconds]
01:14 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
01:20 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
01:41 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 264 seconds]
02:08 -!- flyingkiwi [~kiwi@2a02:2028:1016::2] has quit [Ping timeout: 258 seconds]
02:08 -!- wej [~j@2001:1af8:4010:a027:21::4e] has quit [Ping timeout: 272 seconds]
02:10 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:13 -!- wej [~j@2001:1af8:4010:a027:21::4e] has joined #openvpn
02:21 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
02:40 -!- Latrina [~Latrina@adsl-ull-171-179.50-151.net24.it] has quit [Ping timeout: 255 seconds]
02:48 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
02:50 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 256 seconds]
02:55 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
02:58 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Excess Flood]
03:11 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
03:22 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
03:29 -!- hasB4K [~hasB4K@unaffiliated/hasb4k] has quit [Quit: This is not a quit message.]
03:31 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
03:40 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco_]
03:47 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
03:49 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
04:06 -!- mirco_ [~mirco@tmo-110-211.customers.d1-online.com] has joined #openvpn
04:08 -!- mirco_ [~mirco@tmo-110-211.customers.d1-online.com] has quit [Client Quit]
04:13 -!- hasB4K [~hasB4K@unaffiliated/hasb4k] has joined #openvpn
04:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:26 -!- mattock is now known as mattock_afk
04:39 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
04:46 -!- ValdikSS [~valdikss@80.70.234.113] has joined #openvpn
04:50 -!- Latrina [~Latrina@adsl-ull-132-251.45-151.net24.it] has joined #openvpn
05:17 -!- wej [~j@2001:1af8:4010:a027:21::4e] has quit [Ping timeout: 258 seconds]
05:17 -!- mattock_afk is now known as mattock
05:22 -!- wej [~j@2001:1af8:4010:a027:21::4e] has joined #openvpn
05:24 -!- stf [~stf@i53876FD5.versanet.de] has joined #openvpn
05:28 < stf> Is it been known, if there a way to test the clients openvpn connection is established by calling a website of a server, which is connected to the public by internet and intranet by openvpn?
05:33 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
05:33 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
05:40 -!- ValdikSS [~valdikss@80.70.234.113] has quit [Quit: Konversation terminated!]
05:40 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:58 -!- wej [~j@2001:1af8:4010:a027:21::4e] has left #openvpn ["WeeChat 1.0.1"]
06:14 -!- pnielsen_ [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 260 seconds]
06:16 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds]
06:16 -!- stf [~stf@i53876FD5.versanet.de] has quit [Ping timeout: 260 seconds]
06:16 -!- STF [~stf@i53876fd5.versanet.de] has joined #openvpn
06:16 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 260 seconds]
06:19 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
06:21 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Ping timeout: 260 seconds]
06:29 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
06:31 -!- Netsplit *.net <-> *.split quits: ender|, BtbN, ryao, Thermi, Synced
06:36 -!- Netsplit over, joins: BtbN
06:36 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
06:42 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
06:49 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
07:04 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
07:05 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:08 -!- Netsplit *.net <-> *.split quits: Thermi
07:44 -!- flyingkiwi [~kiwi@nat.hamburg.contentfleet.com] has joined #openvpn
07:52 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
07:59 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
07:59 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:27 -!- Argure_ [argure@geonosis.donttrustrobots.nl] has joined #openvpn
08:30 -!- Netsplit *.net <-> *.split quits: arkie, Argure, K1rk, GoldenGlovez, Brando753, Shiftos, nullie, pa, BaNzounet, M4dH4TT3r,  (+3 more, use /NETSPLIT to show all of them)
08:30 -!- Netsplit over, joins: nullie
08:30 -!- __FBi [~B@Aircrack-NG/User] has joined #openvpn
08:31 -!- Netsplit over, joins: swebb
08:33 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:37 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
08:49 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 244 seconds]
08:51 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
08:51 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
09:03 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:03 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has quit [Ping timeout: 272 seconds]
09:15 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
09:16 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
09:17 -!- K1rk [~Kirk@5.135.221.149] has joined #openvpn
09:17 -!- K1rk [~Kirk@5.135.221.149] has quit [Max SendQ exceeded]
09:18 -!- K1rk [~Kirk@equinox.epecweb.com] has joined #openvpn
09:22 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
09:22 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
09:22 -!- badon_ is now known as badon
09:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:27 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
09:38 -!- STF [~stf@i53876fd5.versanet.de] has quit [Ping timeout: 265 seconds]
09:38 -!- Synced [~Synced@unaffiliated/synced] has joined #openvpn
09:46 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
09:49 -!- Denial [~Denial@81.141.2.111] has quit []
09:51 -!- Denial [~Denial@81.141.2.111] has joined #openvpn
09:52 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
10:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Read error: Connection reset by peer]
10:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:41 <@krzee> https://www.coursera.org/course/crypto
10:41 <@vpnHelper> Title: Coursera (at www.coursera.org)
10:42 <@krzee> free crypto class from stanford, i will be joining the class and i invite everybody to join us =]
10:42 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 250 seconds]
10:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:44 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has joined #openvpn
10:46 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
10:50 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:51 -!- Argure_ is now known as Argure
11:02 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
11:02 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
11:33 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:33 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
11:41 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has quit [Ping timeout: 258 seconds]
11:44 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has joined #openvpn
11:53 -!- KaaK [~Kevin@wsip-98-188-52-104.ks.ks.cox.net] has quit [Remote host closed the connection]
12:12 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:12 -!- mode/#openvpn [+v s7r] by ChanServ
12:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:16 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:16 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
12:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:17 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
12:17 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:17 -!- mode/#openvpn [+v s7r] by ChanServ
12:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:17 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:18 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:18 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:18 -!- s7r [~s7r@openvpn/user/s7r] has quit [Client Quit]
12:18 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:18 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:19 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:19 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:19 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:19 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:20 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
12:20 -!- mode/#openvpn [+v s7r] by ChanServ
12:20 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:20 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:21 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:21 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:21 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:21 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:22 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:22 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:22 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:22 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:23 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:23 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:23 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:23 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:24 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:24 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:25 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:25 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:25 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:25 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:26 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:27 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:27 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:27 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
12:27 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
12:27 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:27 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:28 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:28 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:28 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:28 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:29 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:29 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:29 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:29 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:30 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:30 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:31 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:31 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:31 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:31 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:32 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:32 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:33 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:33 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:33 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:33 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:34 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:34 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:34 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:34 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:35 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:35 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:35 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:35 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:35 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [K-Lined]
12:36 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:36 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:36 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
12:37 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:37 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:37 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:37 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:38 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:40 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:40 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:41 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:41 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:42 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:42 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Excess Flood]
12:42 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
12:43 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Client Quit]
12:53 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
13:30 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
13:30 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
13:31 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
13:34 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
13:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
13:38 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
13:38 < Fun> hi
13:38 < Fun> where I can find open vpn tap driver?
13:38 < Fun> for 64 windows
13:39 < Fun> ok solved
13:39 -!- Fun [~Fun@unaffiliated/fun] has left #openvpn []
13:42 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
14:11 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 272 seconds]
14:19 -!- ShadniX [dagger@p5DDFF8B6.dip0.t-ipconnect.de] has quit [Quit: Bye.]
14:20 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
14:21 -!- ShadniX [~ShadniX@p5DDFF8B6.dip0.t-ipconnect.de] has joined #openvpn
14:23 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
14:26 -!- ShadniX [~ShadniX@p5DDFF8B6.dip0.t-ipconnect.de] has quit [Quit: Bye.]
14:26 -!- ShadniX [dagger@p5DDFF8B6.dip0.t-ipconnect.de] has joined #openvpn
14:31 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has quit [Ping timeout: 256 seconds]
14:43 -!- flyingkiwi [~kiwi@nat.hamburg.contentfleet.com] has quit [Ping timeout: 258 seconds]
14:45 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has joined #openvpn
14:45 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has quit [Client Quit]
14:49 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has joined #openvpn
14:55 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has quit [Ping timeout: 240 seconds]
14:56 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has joined #openvpn
15:00 -!- Fun [~Fun@unaffiliated/fun] has joined #openvpn
15:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
15:04 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:08 -!- mattock is now known as mattock_afk
15:16 -!- gr3yR0n1n [~gr3yR0n1n@ip65-46-60-254.z60-46-65.customer.algx.net] has quit [Read error: Connection reset by peer]
15:22 -!- flyingkiwi [~kiwi@nat.hamburg.contentfleet.com] has joined #openvpn
15:22 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:38 -!- SilentKoala [~AD4@backdoor.openslowly.com] has joined #openvpn
15:41 -!- Exagone313 [exa@ewd.ovh] has joined #openvpn
15:42 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:43 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:48 -!- gr3yR0n1n [~gr3yR0n1n@50-202-191-94-static.hfc.comcastbusiness.net] has joined #openvpn
16:06 -!- Fun [~Fun@unaffiliated/fun] has quit [Quit: Leaving.]
16:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:36 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
16:39 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Client Quit]
16:40 -!- SilentKoala [~AD4@backdoor.openslowly.com] has quit [Quit: Leaving]
16:43 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
17:00 -!- __FBi is now known as _FBi
17:05 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 250 seconds]
17:15 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:15 -!- mode/#openvpn [+v RBecker] by ChanServ
17:27 -!- parallelJ [sid49148@gateway/web/irccloud.com/x-izfkfeldbbknzods] has joined #openvpn
17:27 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Read error: Connection reset by peer]
17:28 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has joined #openvpn
17:28 < parallelJ> Hello all.   Is it frowned upon to ask for help in here?
17:28 -!- Moonlightning [~blackl@unaffiliated/moonlightning] has quit [Client Quit]
17:30 < KNERD> yep it sure is
17:30 < KNERD> this is a sports only talk channel
17:31 < KNERD> How about them Cowboys!??
17:32 < parallelJ> roger that.  I asked my question in openvpn-as
17:34 < parallelJ> !welcome
17:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:49 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:01 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:08 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
18:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
18:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:11 -!- mode/#openvpn [+o syzzer] by ChanServ
18:38 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
19:11 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
19:14 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
19:18 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
19:22 -!- MogDog is now known as Laika
19:22 -!- Laika is now known as MogDog
19:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:42 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
19:46 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
20:08 -!- gr3yR0n1n [~gr3yR0n1n@50-202-191-94-static.hfc.comcastbusiness.net] has quit []
20:32 -!- justinzane [~justinzan@67.21.190.132] has quit [Ping timeout: 250 seconds]
20:43 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 255 seconds]
20:51 -!- sand3r [~user@unaffiliated/sand3r] has joined #openvpn
20:51 < sand3r> hi how to restart openvpn server?
20:53 < sand3r> service openvpn restart
20:53 < sand3r> right?
20:58 -!- sand3r [~user@unaffiliated/sand3r] has quit [Ping timeout: 264 seconds]
21:01 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
21:03 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 255 seconds]
21:30 -!- systmkor [~systmkor@unaffiliated/systmkor] has joined #openvpn
21:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:02 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:30 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:45 -!- hasB4K [~hasB4K@unaffiliated/hasb4k] has quit [Remote host closed the connection]
22:47 -!- hasB4K [~hasB4K@unaffiliated/hasb4k] has joined #openvpn
22:57 -!- ikkeT [~ikke@62.237.43.150] has quit [Ping timeout: 258 seconds]
22:58 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 258 seconds]
23:01 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 258 seconds]
23:01 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
23:01 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has quit [Ping timeout: 258 seconds]
--- Log closed Tue Dec 16 23:01:54 2014
--- Log opened Wed Dec 17 10:53:06 2014
10:53 -!- ecrist [~ecrist@freebsd/contributor/openvpn.community.support.ecrist] has joined #openvpn
10:53 -!- Irssi: #openvpn: Total of 206 nicks [6 ops, 0 halfops, 2 voices, 198 normal]
10:53 -!- mode/#openvpn [+o ecrist] by ChanServ
10:53 -!- Irssi: Join to #openvpn was synced in 2 secs
11:00 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
11:17 < eryiop> i would like to know what openssl to with openvpn?
11:17 < eryiop> i would like to know what openssl do with openvpn?
11:19 < pekster> eryiop: openvpn is the default encryption library for openvpn, although there's recent support for PolarSSL as the backend too
11:19 < pekster> That is, OpenSSL is the default encryption library
11:19 < pekster> OpenSSL also forms the backend for some of the !pki utilities for cert management
11:21 < eryiop> how to list all openvpn users on openvpn server ?
11:21 < eryiop> if so
11:21 < eryiop> how to list all openvpn users on openvpn server ?
11:23 -!- le0 [~le0@unaffiliated/le0] has quit [Quit: Leaving]
11:29 < eryiop> do you get my question ?
11:29 < eryiop> if you are openssl how the users sign with openvpn server ?
11:30 < eryiop> if you are using openssl how the users sign with openvpn server ?
11:30 < eryiop> get ?
11:43 -!- ska [~skatinolo@unaffiliated/ska] has joined #openvpn
11:43 < ska> I'm exporting an openvpn config setup into debian, but there is a verify-x509-name that is not recognized by the debian openvpn package.
11:48 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 272 seconds]
11:54 < tdm4> !hardening
11:54 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
11:58 -!- tdm4 [~tdm4@5751d40e.skybroadband.com] has left #openvpn []
12:01 < eryiop> anyone there ?
12:06 -!- Gabou [~Ga@unaffiliated/gabou] has joined #openvpn
12:07 < Gabou> Hello everybody, i've been running openvpn and i think i've found a bug with a friend, we have checked client side and server side of confs and it still gives the wrong ipv6 address (/112 block)
12:08 < Gabou> if you tell it to give a client the address    2001:db8:a1:b2:c3:d4:e5:fff
12:08 < Gabou> then it will actually give it this address     2001:db8:a1:b2:c3:d4:e6:ff
12:13 <@ecrist> !bugs
12:13 <@vpnHelper> "bugs" is https://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too)
12:13 <@ecrist> Gabou: can you share your configs, please?
12:14 < Gabou> okay
12:14 <@ecrist> also, your logs from both sides
12:18 < Gabou> ecrist
12:18 < Gabou> log server : http://0bin.net/paste/s+ClW7aAugoYx1gJ#Vn89MmhOzSFC+8y64tkdCxIpF8+QASqkguvqNU6SByL
12:18 < Gabou> config server http://0bin.net/paste/aASAbNeW4I0iDitH#XO-6J6/YaroHNnDuq6DIoTlZo+QorhpVyyyip0TDb4/
12:19 < Gabou> config client http://0bin.net/paste/ASxDH94z+pOv2JEr#CLaXaAEvnWKH+nar21cf2Zd7QXSdPLtLTT1kl1t1wzt
12:19 < Gabou> you clearly see i set server-ipv6 2a00:1768:1003:151:236:14:80:ff00/112
12:19 < Gabou> and it gives me 2a00:1768:1003:151:236:14:81:f00/112 2a00:1768:1003:151:236:14:80:ff01
12:22  * ecrist reads
12:22 < Gabou> on server config file, and on push part of log
12:26 < pekster> Gabou: Might be related to this issue: http://article.gmane.org/gmane.network.openvpn.devel/8989 . That patch might work (don't know if it still applies to -master) but there are larger issues I ought to resolve rather than trying to get that merged into the project as it is now
12:26 <@vpnHelper> Title: Gmane -- IPv6 pool and handling CIDR masks (at article.gmane.org)
12:26 -!- busch [~busch@datenschleuder.com] has quit [Ping timeout: 272 seconds]
12:26 <@ecrist> Gabou: The IPs technically fall within the address range.
12:27 <@ecrist> anything after the 0080: is part of the /112 address space.
12:27 < pekster> Ah, yea. I didn't read very carefully.. Carry on :)
12:28 < Gabou> ecrist: ew
12:29 < Gabou> i've missed something then?
12:29 <@ecrist> Gabou: apparently
12:30 <@ecrist> there *is* a bug in IPv6 CIDR handling, but I really think you should just let things go if they work.  the addresses are in the range specified.
12:31 < Gabou> 2a00:1768:1003:151:236:14:80:0/112   is   2a00:1768:1003:151:236:14:80:0000   to   2a00:1768:1003:151:236:14:80:ffff      inclusive.
12:31 <@ecrist> better yet, Gabou, follow the standard and don't subnet below a /64
12:32 < Gabou> I just wanted to use an ipv6 VPN capable with a KVM vm where the provider offers me /112 range
12:34 -!- busch [~busch@datenschleuder.com] has joined #openvpn
12:35 < Gabou> Aaron | did he even look at your pasted addresses (what you put in the file, and what the server gave you instead) ?
12:36 < Gabou> Aaron | if he did, he would have noticed that the 0080 became 0081.
12:36 < Gabou> Aaron | ^ paste those 2 lines too.
12:36 <@ecrist> yeah, I missed it.  Mea Culpa
12:36 <@ecrist> wtf is Aaron?
12:37 <@ecrist> and who is doling out /112's?
12:37 < Gabou> So anyway, what can I do to make ipv6 working?
12:37 < Gabou> edis.at
12:38 <@ecrist> Follow RFC 4291
12:39 <@ecrist> see if your problem goes away
12:44 < Gabou> okay
12:44 < Gabou> i'll do that
12:44 < Gabou> have a good night
12:44 < Gabou> :-)
12:44 -!- Gabou [~Ga@unaffiliated/gabou] has left #openvpn [" : traP"]
12:44 <@ecrist> if it doesn't work
12:44 <@ecrist> create a trac ticket
12:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds]
13:47 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 258 seconds]
13:48 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
13:57 <@krzee> wassup ecrist!
13:57 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
14:02 -!- Olivier [~Olivier@unaffiliated/olivier] has quit [Ping timeout: 272 seconds]
14:09 <@ecrist> waaasssssssuuuuuuuuuP?
14:09 <@krzee> nada bro
14:09 <@krzee> how you been?
14:09 <@ecrist> busy
14:10 <@ecrist> sometime tonight you're email might get bumpy
14:10 <@ecrist> your*
14:10 <@krzee> dns will be ok?
14:10 <@ecrist> yes
14:10 <@krzee> cool =]
14:10 <@ecrist> DNS is on token and troy
14:10 <@ecrist> token-black and troy.mcclure
14:11 <@krzee> if you get a chance while working on email, try to give me the option to select a range of mails in webmail, and i'll clean out my inboxes
14:11 <@ecrist> email is on tweak - I'm migrating tweak to a new host, and moving some of it's services to troy.mcclure
14:11 <@krzee> i didnt even know about troy
14:11 <@ecrist> troy is secondary DNS, that's all it's done
14:11 <@krzee> nice
14:11 <@ecrist> it's in Raleigh, NC
14:11 <@ecrist> it'll be secondary DNS and backup MX
14:11 <@ecrist> the others are all in Dallas
14:11 <@krzee> i have some more servers up again, so if you need me to do something (terciary dns or whatever) just let me know
14:12 <@krzee> i also have no issue with giving you root on one (fbsd 10)
14:12 <@krzee> (LA, physically very close to 1 whilshire)
14:13 -!- Dan39 [~ddan39@unaffiliated/dan39] has left #openvpn ["WeeChat 1.0.1"]
14:20 -!- Olivier [~Olivier@unaffiliated/olivier] has joined #openvpn
14:25 -!- ska [~skatinolo@unaffiliated/ska] has left #openvpn ["Leaving"]
14:28 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 258 seconds]
14:41 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
14:42 -!- text [~text@unaffiliated/text] has joined #openvpn
15:18 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
15:18 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
15:19 -!- mode/#openvpn [+o plaisthos] by ChanServ
15:49 -!- justinzane [~justinzan@67.21.190.132] has quit []
17:06 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
17:08 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
17:09 -!- Papey [~Papey@ks3364303.kimsufi.com] has quit [Read error: Connection reset by peer]
17:12 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
17:17 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:19 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
17:28 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
17:31 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
17:41 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:42 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
17:47 -!- cwillu_at_work [cwillu@cwillu.com] has joined #openvpn
17:56 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 245 seconds]
17:57 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:57 < svm_invictvs> hello
17:57 < Eugene> yawn
17:57 < svm_invictvs> what does net_gateway mean in the push routes section?
18:14 -!- vayne [589906f1@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.241] has quit [Ping timeout: 256 seconds]
18:15 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
18:16 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Ping timeout: 245 seconds]
18:17 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:17 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
18:19 <@ecrist> svm_invictvs: it means the IP that should be pushed to that as the gateway address (i.e. next hop) for that route
18:21 -!- vayne [58990634@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.52] has joined #openvpn
18:24 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
18:34 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:46 -!- Olivier [~Olivier@unaffiliated/olivier] has quit [Ping timeout: 245 seconds]
19:04 -!- danrik [~danrik@unaffiliated/ddsss] has joined #openvpn
19:04 < danrik> how to pass env params into openvpn?
19:08 -!- doop [~doop@colostomy.club] has quit [Quit: ZNC - http://znc.in]
19:11 -!- doop [~doop@colostomy.club] has joined #openvpn
19:20 <@ecrist> what are you trying to do?
19:22 -!- danrik [~danrik@unaffiliated/ddsss] has quit [Quit: Leaving]
19:24 -!- cwillu_at_work [cwillu@cwillu.com] has quit [Ping timeout: 258 seconds]
19:33 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
19:36 < sireebob> !welcome
19:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:40 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
19:40 < sireebob> I'm running an OpenVPN server over UDP and one of my client devices is an Android phone. When there's a connection disruption, it doesn't seem to be able to recover from it... It has to reach its keepalive period and reconnect. The reconnection process is time- and battery-consuming with my cell service. Are there any suggestions to improve the ability of OpenVPN to recover from these situations, rather than require a reconnect? Is it possible?
19:40 < KNERD> Anyone ever had issues connecting to a server behind a router, despite the router setup to forward the connections of 1194 to the server?
19:41 < sireebob> KNERD: Are you making sure to use the same protocol (UDP/TCP) on both sides? Have you tried verifying the port is actually accessible remotely?
19:41 <@ecrist> which android client are you using?
19:41 < sireebob> OpenVPN for Android (de.blinkt.openvpn)
19:42 -!- danrik [~danrik@unaffiliated/ddsss] has joined #openvpn
19:42 < sireebob> There's an option called "float" which I thought might help. Supposedly it allows the client or server to change IP addresses mid-connection.
19:43 < sireebob> (It does not help. I even recompiled openvpn on the server with the "Peer-id" patch, and same for the Android client.)
19:43 < sireebob> (Patch is here: https://community.openvpn.net/openvpn/ticket/49 )
19:43 <@vpnHelper> Title: #49 (--float does not work with --server) – OpenVPN Community (at community.openvpn.net)
19:44 <@ecrist> sireebob: have you tried the OpenVPN Connect client?
19:44 < sireebob> No, but I can do that.
19:44 < KNERD> sireebob: of course it is the same protcol..i have set up this same exact configuration 6 other times..now I am doing it through a Linksys and Buffalo routers and cannot connect. I even switched to TCP..same result. an nmap scan shows the port open (filtered) on the router
19:45 < sireebob> Open (filtered)?
19:45 < sireebob> I'm not particularly familiar with nmap so those sound like opposites to me.
19:45 <@ecrist> KNERD: openvpn should just work if the router is set up correctly
19:46 < sireebob> The issues are definitely with connecting, period, rather than authenticating? You receive no response from the server?
19:46 < KNERD> ecrist: openvpn is not the problem. I cannot even get a connection
19:46 < KNERD> no response
19:46 < sireebob> If you try a random port with nmap instead of the openvpn port, do you get the same result?
19:46 < KNERD> iP tables shows -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
19:47 <@ecrist> KNERD: then
19:47 <@ecrist> !notovpn
19:47 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
19:47 < KNERD> netI know that
19:47 < KNERD> i am seeing if anyone else has this issue too..thanks
19:48 <@ecrist> what router are you using?
19:48 < KNERD> A Buffalo and Linksys
19:49 <@ecrist> why two of them?
19:50 < danrik> so - both md5 and sha1 are considered insecure for TLS certs?
19:50 < danrik> So then what should I use?
19:50 <@ecrist> danrik: sha256 at least
19:50 < danrik> ecrist, and then? what's better?
19:50 < danrik> ecrist, what would u use?
19:50 < KNERD> 2 difference machines
19:51 <@ecrist> KNERD: I'm starting to have a hard time grasping exactly what you're doing
19:52 < KNERD> just trying to connect to OpenVPN server which sits behind a router
19:52 < KNERD> on a L:AN
19:52 <@ecrist> you say that, but then you have two machines and two separate routers
19:53 < sireebob> Well, so far nobody has said, "Yes, I have that problem."
19:53 < sireebob> I would suggest confirming that you can get *any* port forwarded and working.
19:53 <@ecrist> sireebob++
19:54 < KNERD> yes...other ports are working such as SSH port forwarding
19:54 <@ecrist> then what did you do wrong?
19:54 < sireebob> Wait... SSH port forwarding is not the same thing...
19:55 < sireebob> For all we know, that just means you can SSH to your router, but doesn't mean ports are *forwarded* properly. (Two different chains in iptables)
19:55 < KNERD> how is it not the same? ROuter telling to forward SSH port 22 to port 22 on LAN machine
19:56 < sireebob> OK, that's fine, but it's confusing to say "SSH port forwarding" because that's a different thing.
19:56 < KNERD> Nothing done wrong from what I can see.. I spent grueling hours on how to set up OpenVPN server and clients. I have repeated the steps I have made 7 times, and 2 are which site behind routers
19:57 <@ecrist> KNERD: not sure what to tell you.  This isn't realy an XYZrouter channel.
19:57 < sireebob> KNERD: It's just that receiving *no response* suggests a more fundamental problem, totally unrelated to OpenVPN as you said so yourself.
19:58 < KNERD> okay then..thanks
19:58 < sireebob> You could try asking in ##networking maybe.
19:58 < KNERD> but as I mentioned I was just seeing if another had the same problem
19:59 < sireebob> That's true, I shouldn't have assumed you wanted any assistance.
20:08 <@ecrist> ping krzee 
20:19 < _FBi> MITM ARP table poison - PONG ecrist
20:37 -!- text [~text@unaffiliated/text] has quit [Read error: Connection reset by peer]
21:42 < vayne> Hey guys, I want to connect to the internet over my LAN VPN, just to test some stuff. I installed OpenVPN on my local linux machine and my windows machine. I then started the server (on linux) with "openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2", and connected the client (on windows) with "openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2
21:42 < vayne>  10.9.8.1". The connection got established just fine, and I can ping the server from the client. But when I check for networks it says "Access type: No internet access", which is not what I want. What am I doing wrong?
21:50 -!- danrik [~danrik@unaffiliated/ddsss] has quit [Quit: Leaving]
21:50 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:54 < _FBi> !forwarding
21:54 < _FBi> !forward
21:55 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 265 seconds]
21:55 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
22:06 < vayne> _FBi:Uhm...? xD
22:10 -!- borked [~eyer@31.185.158.55] has joined #openvpn
22:10 < borked> Hi. I appear to be having a slight issue using my openvpn.... The client connects without a hitch, but once connected there isn't any usable connectivity(ie: the interwebs). Remote service has IP forwarding enabled, and suggested iptables rules in place. The client can ping the VPN via the tunnel, but pinging itself over the tunnel appears to occur over localhost, deduced by reply time(0.160ms - 0.193ms).  The VPN can ping the client, through the tunnel. The V
22:10 < borked> Any suggestions?
22:36 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
23:01 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:04 < _FBi> !howto
23:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
23:04 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:05 < _FBi> vayne, http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
23:05 <@vpnHelper> Title: HOWTO (at openvpn.net)
23:06 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
23:30 -!- vayne [58990634@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
23:31 -!- vayne [58990634@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.52] has joined #openvpn
23:32 < vayne> _FBi: Thanks! It works now! The next step would be, I want some specific applications to not use the VPN connection (games, for example), how do I do that? Can I exclude applications somehow, or maybe do I have to exclude the ports they are using?
23:34 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:36 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
23:36 -!- mode/#openvpn [+o mattock_afk] by ChanServ
23:36 -!- mattock_afk is now known as mattock
23:42 -!- vayne [58990634@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
23:47 -!- ShadniX [dagger@p5481D9BC.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:49 -!- ShadniX [dagger@p5481C470.dip0.t-ipconnect.de] has joined #openvpn
23:57 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
--- Day changed Thu Dec 18 2014
00:59 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Quit: Sayônara]
01:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:27 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
01:34 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
02:25 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:28 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:31 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:36 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
02:44 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
03:03 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Remote host closed the connection]
03:37 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Quit: No Ping reply in 180 seconds.]
03:39 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
04:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:23 -!- vayne [58990634@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.52] has joined #openvpn
04:24 < vayne> Not nessecerily just a vpn question, but I figured people here should now about this. Is there a way on windows to route based on the port instead of based on the ip? I figured out how to exclude some IPs from using the vpn connection, but can I exclude ports?
04:26 -!- mattock is now known as mattock_afk
04:32 <@krzee> !route_by_app
04:33 <@krzee> !factoids search app
04:33 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
04:33 <@vpnHelper> policies you set. For Linux, read about !lartc
04:33 <@krzee> something like that maybe… otherwise no
05:08 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
05:16 -!- M4dH4TT3r [~M@unaffiliated/m4dh4tt3r] has joined #openvpn
05:18 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:36 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
05:36 -!- mattock_afk is now known as mattock
05:37 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
05:40 -!- typ [~quassel@unaffiliated/typ] has joined #openvpn
05:43 < typ> i'm running openwrt barrier breaker altough i gues it's unrelated. how would i accomplish my vpn sub to access the lan sub? i assume i have to push a route
05:44 < typ> i tried "list 'push' 'route 192.168.10.0 255.255.255.0'" but i'm unable to access the entire net, just the gw, the router itself, through the  lan ip
06:52 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
06:52 -!- eryiop [~chatzilla@195-154-82-165.rev.poneytelecom.eu] has quit [Remote host closed the connection]
06:52 -!- cosinus [~ec2-user@ec2-54-194-237-2.eu-west-1.compute.amazonaws.com] has joined #openvpn
06:53 < cosinus> hi guys, i need a tip or slap (or both)
06:53 < cosinus> http://pastebin.com/Ap7e1FNR
06:54 < cosinus> all seem to be fine (tried on 3 different machines: rhel / debian)
06:54 < cosinus> but it's *not working*
06:54 < cosinus> i see only udp packets being send and no answer
06:54 < cosinus> iptables are flushed
06:54 < cosinus> wtf
06:55 < cosinus> tried on different networks too
06:58 < cosinus> "Your problem is probably firewall, Really"
06:58 < cosinus> lulz
06:58 < cosinus> i wish
07:14 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
07:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit]
07:18 < borked> From that data there it's a little difficult to ascertain the error, let alone the cause. Can be more precise with "not working" ?  How do you see only UDP sent? don't you need iptables rules to forward the traffic from the VPN's subnet to the server's NIC? woulda thought flushing would remove this..  Also even defaulting chains to ACCEPT can result in denial, might be sensible to have some -m state --state RELATED,ESTABLISHED -j ACCEPT somewhere, possibly INP
07:21 -!- elfixit [~Icedove@2001:1620:2777:11:2ceb:13bb:5dff:a63e] has joined #openvpn
07:36 < cosinus> well you are right, the information i've given are poor
07:36 < cosinus> i just discovered that it's running fine on windows 7 host (virtual machine running on the same linux host i play with)
07:36 < cosinus> interesting
07:41 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
07:43 < borked> does imply something like firewall...
07:50 < M4dH4TT3r> can anyone help me fix openvpn?
07:51 < M4dH4TT3r> it starts ok but i can never connect to it
07:52 < M4dH4TT3r> i always get "protecting socket fd 4" on the client
07:54 < cosinus> borked: it's dns (still need to figured out how to fix it but dns for sure)
07:54 < cosinus> thanks for the help
08:00 < cosinus> M4dH4TT3r: reas topic friend, you need to provide more stuff...
08:01 < cosinus> *read
08:01 < M4dH4TT3r> ok what "stuff" you want?
08:01 < cosinus> it's all in topic
08:02 < cosinus> !configs
08:02 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
08:02 < cosinus> etc
08:07 -!- daguz [~leo@208-1-63-46.celito.net] has joined #openvpn
08:08 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 244 seconds]
08:09 < M4dH4TT3r> http://paste.debian.net/137260 client config is just android app "openvpn for android 0.6.26" with imported ca/client certs and client key + un/pw w/ lzo compression
08:10 < M4dH4TT3r> where does openvpn store logs?
08:12 < M4dH4TT3r> cosinus?
08:20 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
08:20 < borked> depends on system you'd run it on, I expect myne in /var/log/openvpn.log - is also possible to specify this in the config...
08:21 < M4dH4TT3r> yeah thats where i expected mine to be too
08:21 < M4dH4TT3r> on deb
08:23 < borked> cosinus:  Does the VPN push a DNS server(possibly try explicitly defining in config)? maybe DHCP on local router or w/e "corrects" it after...
08:24 < cosinus> borked: i've just put public dns servers manually and it's fine
08:24 < borked> M4dH4TT3r:  review config, should specify... if not, could try specify...   If no /var/log/openvpn.log  maybe in dmesg?
08:24 < cosinus> this is commercial vpn and they don't push dns servers obviously - which is bad
08:25 < cosinus> = no linux client
08:25 < borked> Commercial VPN?  they don't have support?
08:25 < cosinus> well they have
08:25 < cosinus> but they told me to create a ticket :P
08:25 < borked> you poor thing, how could you possibly cope...  I'm sure there's therapy...
08:26 < cosinus> no mads please
08:26 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 272 seconds]
08:33 < M4dH4TT3r> there sorry it took a sec
08:34 < M4dH4TT3r> had to specify where to log in server.conf and make/chown the log file to append to
08:35 < M4dH4TT3r> then just restarted the service so it'd log something
08:35 < M4dH4TT3r> http://paste.debian.net/137266/
08:37 < M4dH4TT3r> ok let me do another paste of that
08:37 < borked> Generally doesn't look poor at a casual glance. Might be more useful to try connecting client...
08:37 < M4dH4TT3r> http://paste.debian.net/137268/
08:38 < M4dH4TT3r> yeah thats the new paste
08:38 < M4dH4TT3r> code=111 ?
08:45 < borked> Heh, I've no clue on that err code...  the " read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused " possibly some sort of key/cert-based issue? /etc/openvpn/ accurate pathing?  appears active refusal, maybe firewall....
08:49 < borked> Seems "111 is just the ECONNREFUSED error code value from underlying socket connect() syscall."   Likely firewall...
08:49 < M4dH4TT3r> i am running fail2ban
08:50 < M4dH4TT3r> but not iptables.up.rules
08:51 < M4dH4TT3r> how can i tell which digest im using
08:53 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
08:54 < M4dH4TT3r> nm
08:54 < borked> unless fail2ban is set to review teh openvpn log it'll be of little consequence, unless the IP in use has tripped some other trap...  iptables -L  should confirm current payload...  if not done already, maybe the POSTROUTING rules? lack of might result in refusal...
08:55 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has joined #openvpn
08:58 -!- borked [~eyer@31.185.158.55] has quit [Remote host closed the connection]
08:59 < M4dH4TT3r> still getting on the client "Protecting socket fd 4"
08:59 -!- borked [~eyer@31.185.158.55] has joined #openvpn
09:00 -!- va [~filler@ares08.inai.de] has joined #openvpn
09:03 < va> openvpn has an undocumented "nopool" argument for the --server option. What is it for?
09:03 < M4dH4TT3r> http://paste.debian.net/137276
09:04 < M4dH4TT3r> default
09:05 < borked> Thu Dec 18 07:02:20 2014 /sbin/ifconfig tun0 0.0.0.0 SIOCSIFADDR: Operation not permitted SIOCSIFFLAGS: Operation not permitted
09:05 < borked> Lack of privs on service?
09:05 < va> service on linux?
09:05 < M4dH4TT3r> borked: http://paste.debian.net/137277/ and no i havent setup fail2ban for the vpn
09:06 < borked> I've only seen tht err from users, when they don't have permissions to utilise ifconfig unprivileged
09:07 < borked> Service does....  Doesn't matter on what/where....
09:07 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
09:08 < va> borked: network configuration is generally privileged, and users are not.
09:08 -!- cesurasean [~cesurasea@c-71-207-227-197.hsd1.al.comcast.net] has joined #openvpn
09:08 < cesurasean> hello.
09:08 < cesurasean> is anyone around?
09:08 < M4dH4TT3r> any advice borked?
09:08 < va> cesurasean: you are.
09:08 < cesurasean> im trying to chain vpns still, and can't seem to get it to work.
09:08 < cesurasean> any thoughts?
09:08 < cesurasean> kick myself in the face?
09:09 < borked> M4dH4TT3r:  What of iptables -t nat -L   ?
09:09 < borked> Should be needing something akin: SNAT       all  --  10.8.0.0/24          anywhere            to:{NIC IP}
09:10 < borked> cesurasean:  How attempted to chain?  And if going to kick self in face, do the good thing and youtube it for common mirth
09:10 < cesurasean> has anyone here actually chained a vpn system together?
09:10 < M4dH4TT3r> can't initalizee -nat table does not exist
09:10 < cesurasean> well, when my vpns connect, it kicks me off the SSH connection! someone told me this is normal.
09:10 < borked> possible part of your problem....
09:10 < M4dH4TT3r> how do i fixx?
09:11 < borked> I seem to be able to SSH to the same machine I'm using as VPN - although the traffic doesn't seem to pass down the tunnel to get there
09:11 < cesurasean> someone told me all of the data is being redirected over the vpn, and no longer the route used to SSH with.
09:11 < va> M4dH4TT3r: ask your administrator to run that.
09:11 < va> cesurasean: precisely.
09:11 < cesurasean> so,
09:11 < cesurasean> how do i control the box if SSH disconnects?
09:11 < M4dH4TT3r> va: run that
09:13 < va> cesurasean: reconnect.
09:13 < cesurasean> va, it won't reconnect.
09:13 < cesurasean> im having to reboot the server to gain control again.
09:14 < borked> M4dH4TT3r:  Is an odd error, can be more precise with it? What's changed since the last time the service had started? it didn't have that error then...
09:15 < M4dH4TT3r> yeah it did
09:15 < M4dH4TT3r> since install
09:15 < DArqueBishop> If you don't need to redirect all traffic through the VPN, remove "push 'redirect-gateway def1'" from your server config.
09:17 < M4dH4TT3r> thats ;
09:18 < borked> M4dH4TT3r:  Possibly something seriously wrong with your install/kernel/iptables....  Should have NAT table..  I've never not had one. Didn't see that err( SIOCSIFADDR: Operation not permitted) in previous pastes...  Suggests isn't fabricating the tunnel...
09:19 < M4dH4TT3r> so what can i do to fix it?
09:20 < va> become root, first of all
09:21 < M4dH4TT3r> been that ;)
09:21 < borked>  My bad it is there...  Almost certain to be cause of issues...  Unsure why is unable to fabricate tunnel, other than lack of permissions. SEL?   Lack of NAT will present a serious obstical in routing traffic from the VPN's subnet to the NIC, and back again
09:22 < va> M4dH4TT3r: stuck on some VPS crap host?
09:22 < M4dH4TT3r> so what should i do?
09:22 < M4dH4TT3r> no va
09:22 < M4dH4TT3r> local
09:23 -!- cesurasean [~cesurasea@c-71-207-227-197.hsd1.al.comcast.net] has quit [Remote host closed the connection]
09:25 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
09:36 < M4dH4TT3r> borked: i tweaked a few things now this http://paste.debian.net/137280
09:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
09:38 < borked> Back to firewall refusal... possibly something to do with lack of NAT table...
09:38 < M4dH4TT3r> how do i get a nat table?
09:40 < borked> I've never not had one. Kinda is there when iptables rolls out of box, normally. unsure of possible options when compiling kernel from top of head, but might be possible to make it not have one, but should involve going out of your way to achieves.....
09:45 < M4dH4TT3r> have to update my kernel did some digging and my kernel is out of date but was rolled out without the nat tables
09:50 < borked> As it's been ~12hrs since I last asked, I'll try again...
09:50 < borked>  I appear to be having a slight issue using my openvpn.... The client connects without a hitch, but once connected there isn't any usable connectivity(ie: the interwebs). Remote service has IP forwarding enabled, and suggested iptables rules in place. The client can ping the VPN via the tunnel, but pinging itself over the tunnel appears to occur over localhost, deduced by reply time(0.160ms - 0.193ms).  The VPN can ping the client, through the tunnel. The VPN 
09:50 < borked> Any suggestions?
10:01 -!- djacob [~IceChat9@pool-71-246-17-183.phlapa.fios.verizon.net] has joined #openvpn
10:04 < M4dH4TT3r> borked is ip forwarding enabled on the client?
10:06 < M4dH4TT3r> nope upgraded the kernal and updated/upgraded everything and still no nat
10:06 < borked> client shouldn't need... only server... Client gets pushed routes via DHCP, usually, and the VPN takes place of default gateway....
10:09 < M4dH4TT3r> my client has it as an option, i mean the client has multiple routes it can choose from, have you tried with another client to eliminate the client being the problem?
10:11 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has joined #openvpn
10:11 < johnfg> hi folks
10:11 < johnfg> I'm having some trouble, not with openvpn per se, but with getting it to start on centos 7.
10:12 < borked> M4dH4TT3r:  What kernel version? Where obtained from? I'm really unused to a lack of NAT...   as to trying from another client, with the packet capture on the remote end confirming replies never leave the machine, doesn't it strike you as a touch futile?
10:12 < borked> johnfg:  Any particular error?
10:15 -!- Jharrott [~IceChat77@pool-71-114-222-4.hstntx.dsl-w.verizon.net] has joined #openvpn
10:15 < johnfg> the version I've installed is from epel7, and it's: 2.3.6-1.el7
10:15 < johnfg> borked: Sorry, I was getting the version, so couldn't answer yours.
10:16 < johnfg> borked: When I run: `systemctl start openvpn@.service`, it returns: Failed to issue method call: Unit name openvpn@.service is not valid.
10:18 < borked> not possibly the best syntax, but try: service openvpn start   ...  Issue is likely the specified service (openvpn@.service) is possibly called something else... ergo fails match...
10:18 < johnfg> borked: Tried and failed earlier, but I'll give you the error.
10:19 -!- vayne [58990634@gateway/web/cgi-irc/kiwiirc.com/ip.88.153.6.52] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
10:20 < johnfg> Redirecting to /bin/systemctl start  openvpn.service. Failed to issue method call: Unit openvpn.service failed to load: No such file or directory.
10:20 < johnfg> borked: That's the error(s).
10:21 < M4dH4TT3r> borked a touch but i dont see you having a lot of options t this point
10:28 < borked> johnfg:  I woulda expected an entry in /etc/systemd  - But I've not played with 7 yet.  To assume it's all present, then https://wiki.archlinux.org/index.php/Systemd#Writing_unit_files  might assist in manually fabricating systemctl service entry
10:28 <@vpnHelper> Title: systemd - ArchWiki (at wiki.archlinux.org)
10:46 < Jharrott> Hello I am new to the chat room and openvpn I built a openvpn server on ubuntu and i am having problems with the routing i have my client connected.
10:47 < M4dH4TT3r> borked: Linux hostname 3.12.34+ #727 bPREEMPT Sat Dec 13 15:25:45 GMT armv61 GNU/Linux
10:47 <@plaisthos> M4dH4TT3r: openvpn for android does store its log only mmemory
10:48 < M4dH4TT3r> whats that?
10:48 -!- elfixit [~Icedove@2001:1620:2777:11:2ceb:13bb:5dff:a63e] has quit [Quit: elfixit]
10:49 < Jharrott> when i try to ping something on my network i see the pings reach the vpn server but they do not get out of it here is a pastebin with my config's http://pastebin.com/DYXhNWH0
11:00 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:02 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 240 seconds]
11:13 < borked> Jharrott:  from paste, server ifconfig:
11:13 < borked> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00            
11:13 < borked> inet addr:172.18.12.1  P-t-P:172.18.12.2  Mask:255.255.255.255
11:13 < borked>                       ^  Shouldn't that be 10.200.0.1  ?
11:13 < borked> As in, in openvpn.conf, server 10.200.0.1 255.255.255.0   as opposed to the server 172.18.12.0 255.255.255.0  you've used
11:14 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
11:15 < borked> hmm, no, 10.200.0.0/24 appears to be internal LAN?
11:17 < borked> ping 10.200.6.1  should ping the server, outside the tunnel...  Lack of response suggests firewall...
11:17 < Jharrott> i did not think the ip range we used for the clients made any differance
11:18 < borked> ping 172.18.12.1   should ping the server, from inside the tunnel...  using the server to ping the client's tunnelled IP would check for transport in that direction..
11:18 < Jharrott> this was the default in the example config i used so i left it
11:19 < Jharrott> i can ping 172.18.12.1
11:19 < Jharrott> from the client
11:20 < Jharrott> i will try pinging the client from the server
11:20 < Jharrott> my concern was i never see the ping leaving the server going out to the network
11:22 < Jharrott> i can not ping 172.18.12.6 (the client IP ) from the server
11:24 < borked> if it's not f/w, for pinging 10.200.6.1 then it'll be there's no applicable route from 10.200.0.0/24 -> 172.18.12.1  ...  and why pings don't return via.  The lack of transport from server -> client could be client side firewall, or needs NAT rules on server to provide transport from the tunnel to the NIC's IP
11:30 < Jharrott> thanks i will look at this
11:30 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Read error: Connection reset by peer]
11:31 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
11:31 < djacob> borked : his machine has no firewall on it
11:32 < borked> I like the way you can deduce the options his kernel was compiled with from the supplied data. Indeed it is a skill.
11:32 < djacob> borked : he works for me and i built the machine
11:32 < djacob> :)
11:33 < djacob> wasnt trying to be cocky, just saw window and readup and was trying to help
11:33 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has joined #openvpn
11:33 < borked> well... w/o iptables, how was you planning on utilising NAT?
11:34 < timmmaaaayyy> on a new install (ubuntu), did all the scripts move?  i don't have a "/usr/share/doc/openvpn/examples/easy-rsa/2.0" folder containing clean-all and the build key scripts
11:34 < Eugene> easy-rsa is a separate package nowadays
11:35 < djacob> borked : to be honest i dont know, Jharrott and I are just trying to learn this and following a bunch of tutorials we see online and just cant get it working, i have not seen anything regarding iptables online in the tuts i have been reading.
11:35 < djacob> maybe were doing it all wrong
11:35 < timmmaaaayyy> oh thanks Eugene
11:35 < djacob> thats why we hopped in here hopefully to get some direction and guidance :)
11:36 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 240 seconds]
11:36 < borked> they(tuts) should all feature some methodology for providing transport from teh tunnel to the IP... Usually NAT, provided by mangle rules with iptables  IIRC, unless using an OpenVZ container, then that seems to require SNAT
11:37 < djacob> let me google openvpn and iptables and check it out from there
11:38 < djacob> that might be the little bit of guidance we need
11:38 < djacob> thank you , we will check it out and get back to you all
11:38 < Jharrott> thanks for the help borked
11:39 < borked> For example, http://openvpn.net/index.php/open-source/documentation/howto.html  suggests: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
11:39 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:39 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has left #openvpn ["Leaving..."]
11:39 < borked> masquerade, not mangle... my bad.... Begins with "m", what more d'ya wants...
11:57 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
12:01 < M4dH4TT3r> hmm trying to use this box as a client but only have option of a cisco vpn?
12:01 < djacob> borked : its working now, thank you for your assistance
12:03 < Jharrott> thanks borked
12:08 -!- Jharrott [~IceChat77@pool-71-114-222-4.hstntx.dsl-w.verizon.net] has quit [Ping timeout: 264 seconds]
12:11 < M4dH4TT3r> how the hell is this box online...
12:11 < M4dH4TT3r> lmao
12:11  * M4dH4TT3r doesnt have any idea seeing as interfaces is blank...
12:21 -!- Pyrogerg [~Gregory@205.167.120.203] has joined #openvpn
12:27 -!- jmacdonald [~jmacdonal@drmons0544w-156034184068.dhcp-dynamic.FibreOp.ns.bellaliant.net] has joined #openvpn
12:30 < jmacdonald> is openvpn from inside china to outside china blocked en masse?
12:32 < M4dH4TT3r> posibly the port, you might try configuring the server to use a common port like 80
12:33 < jmacdonald> word.
12:40 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 255 seconds]
12:43 -!- gbti [~chatzilla@unaffiliated/gbit] has joined #openvpn
12:45 < gbti> Hello, I'm wondering if is possible to make a windows 7 openvpn client route the VPN connection to another computers?
12:47 < gbti> A windows substitute for /proc/sys/net/ipv4/ip_forward
12:52 < gbti> I guess I found it
12:55 -!- gbti [~chatzilla@unaffiliated/gbit] has quit [Quit: ChatZilla 0.9.91 [Firefox 34.0/20141125180439]]
13:34 <@plaisthos> !nat
13:34 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:34 <@plaisthos> hm
13:34 <@plaisthos> !routing
13:34 -!- Pyrogerg [~Gregory@205.167.120.203] has quit [Ping timeout: 272 seconds]
13:34 <@plaisthos> !winnat
13:34 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows or (#2) http://www.nanodocumet.com/?p=14 for windows XP or (#3) https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
13:34 <@plaisthos> not sure if there is routing explained in there too
13:34 <@plaisthos> but that would be my starting point
13:35 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
13:36 -!- jmacdonald [~jmacdonal@drmons0544w-156034184068.dhcp-dynamic.FibreOp.ns.bellaliant.net] has left #openvpn ["Textual IRC Client: www.textualapp.com"]
13:39 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
13:48 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 245 seconds]
14:14 -!- noecc [~irc@unaffiliated/noecc] has left #openvpn ["pax"]
14:29 -!- dzosh [~dzosh@151.249.105.36] has joined #openvpn
14:29 < dzosh> hello guys.. my ca.crt just expired and all my clients are connecting with expired ca.crt.. is there any way how to solve this just on server and without need to update clients certificates ?
14:30 < KNERD> Okay...I got an openvpn install on a a server which sits behind a router on a LAN. After the initial setup an application was sending requests to a service on it  The service would keep kicking the client connection because it was not receiving a response from it.After some research I found out I needed to add these 2 lines...:topology subnet andpush "route 192.168.1.0 255.255.255.0"  in which the
14:30 < KNERD> the problem was solved,
14:30 < KNERD> However now the timeouts are occuring again..
14:31 < borked> dzosh:  Think only way is to get ca.key to clients... and other applicable...  best I can think for automation, is to pick clients emails from DB and provide instructions...
14:31 < KNERD> here is my server config http://pastebin.com/81uzB4Uq
14:32 < dzosh> borked: you mean ca.crt right ?
14:32 < dzosh> borked: ca.key should be on save place on server :)
14:32 < borked> heh, well spotted
14:35 < borked> KNERD:  can gain insight on the timeout, as in at which point in the transaction is occurring?
14:37 < KNERD> the client application sends a requet to the service, after which it initially accept, but then kicks the client from the connection after 12 seconds because it has not received a response from the client (not the OpenVPN connection)
14:39 < borked> from such a statement I would postulate the problem resides within the client, somewhere...  maybe logs on that side would be of use...  consider watching the packet stream for teh conversation in question, might yields some clues...
14:41 -!- mete [~mete@91.247.253.160] has joined #openvpn
14:42 < KNERD> borked: no..as this does not occur on non OpenVPN connections, nor on OpenVPN connections in which the server sitting on a public IP address
14:46 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
14:49 < borked> something in the routing table mayhaps? OpenVPN server on same subnet as an existing gateway? Nothing interesting in the log(s)? either side... to do with the VPN or the misgiven service.
14:51 < KNERD> as I metnioned this time out was occuring before until I aded those 2 lines in the server.conf. It was working fine for 2 weeks now then all of a sudden it is timing out again with no changes made. Nothing in any logs to suggest why
14:57 < borked> if worked good for 2x week, then there has to be something different now... Possibly something that changed right before it happened, but maybe something that'd maybe need to wait for the service to restart...  Logs go back two weeks? should do... if it's really absolutely nothing has changed with teh software config, versions, etc then maybe some point in between, A faulty router/switch mayhaps, tho it's not usually so selective with manefestation... Has to b
14:59 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:03 < KNERD> perhaps a routing issue since that is what was the cause before
15:06 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
15:06 < KNERD> I think I will try a different client
15:06 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
15:07 < KNERD> meaning rather than OpenVPN GUI
15:18 -!- donileo [~adonis@100sdl30m3.codetel.net.do] has joined #openvpn
15:19 < donileo> hey everyone..how do i optimize openvpn for ios.. particularly im talking about the tun-mtu, fragment and mssfix options
15:20 < donileo> i see a lot of people setting tun-mtu 1500, mssfix 1400.. etc. are those the best settings?
15:29 -!- rooth [tomte@stuck.in.the.basement.at.fritzl.nu] has quit [Quit: brb]
15:29 < borked> "best" would be w/e the client is using(it tends to be teh server what specifies to client) as the Maximum Transmission Size define what it will accept to be as big as a valid "sentance" in the conversation is.. MSSFIX would define the point at which the server suggests to the client it should reduce it sentance size to avoid fragmenting packets...
15:31 < borked> for most users, I'd imagine default settings to be reasonably sane, tho specific hardware/softwares will vary with peak performance values...  1500 is common MTU for wireless for example..
15:35 -!- donileo [~adonis@100sdl30m3.codetel.net.do] has quit [Read error: Connection reset by peer]
15:44 -!- donileo [~adonis@100sdl30m3.codetel.net.do] has joined #openvpn
15:44 < donileo> hmm
15:45 < donileo> are tun-mtu 1500 and mssfix 1400 the defaults?
15:49 -!- donileo [~adonis@100sdl30m3.codetel.net.do] has quit [Read error: Connection reset by peer]
16:07 -!- adaptr [~jgeilman@unaffiliated/adaptr] has quit [Ping timeout: 250 seconds]
16:10 -!- adaptr [~jgeilman@unaffiliated/adaptr] has joined #openvpn
16:12 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: leaving]
16:16 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:29 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
16:32 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
16:45 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 265 seconds]
16:57 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
17:02 -!- cyberspace- [20253@ninthfloor.org] has quit [Disconnected by services]
17:03 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Ping timeout: 245 seconds]
17:03 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 245 seconds]
17:03 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Ping timeout: 245 seconds]
17:03 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
17:03 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
17:03 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
17:06 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
17:09 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
17:31 < borked>  I appear to be having a slight issue using my openvpn.... The client connects without a hitch, but once connected there isn't any usable connectivity(ie: the interwebs). Remote service has IP forwarding enabled, and suggested iptables rules in place. The client can ping the VPN via the tunnel, but pinging itself over the tunnel appears to occur over localhost, deduced by reply time(0.160ms - 0.193ms).  The VPN can ping the client, through the tunnel. The VPN 
17:31 < borked> Any suggestions?
17:43 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Quit: OK, Doei!]
17:52 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
17:53 < zoredache> well what does a traceroute show?
17:53 < zoredache> check to Interenet resources.. Where does it fail?  that is what you need to check.
18:17 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
18:18 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:37 < borked> Traceroute fails @ VPN gateway IP...
18:39 < borked> In a manner not too dissimilar to: http://dpaste.com/078FS5V
18:45 < zoredache> As the topic suggests it is probably the firewall then...
18:46 < zoredache> Either your VPN server isn't permitting the traffic, or it may not be natting the traffic when it needs to.
18:51 -!- jrg [jrg@unaffiliated/jrg] has left #openvpn []
18:57 < borked> Wjoopsie. Retard-based error. I setup the SNAT to venet0:0 insteado venet0(sure that's how I'd had it setup before, clearly not)
18:57 < borked> Cheers anyhay.
18:57 < borked> *Whoopsie
18:58 < pekster> Yea. https://github.com/QueuingKoala/fn-netfilter/wiki#int
18:58 <@vpnHelper> Title: Home · QueuingKoala/fn-netfilter Wiki · GitHub (at github.com)
18:58 < pekster> Also, that means whatever backend API you're using is too stupid to put the IP on venet0 (but OpenVZ is full of so much stupid anyway, so that's "expected.")
18:59 < borked> Um, Backend API for?
18:59 < pekster> Addressing and routing. ie: what Linux has had for well over 10 years now
19:00 < pekster> ifconfig (on Linux) is a rotting pile of shit
19:00 < borked> lol
19:45 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
20:19 -!- johnfg [johnfg@host-174-45-122-178.bzm-mt.client.bresnan.net] has left #openvpn []
20:30 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 258 seconds]
20:31 < borked> You mention "whatever backend API you're using" and your link suggests use of "modern ip command" - Where would one go about adjusting how openvpn utilises such?  My guessed @ /etc/sysconfig/network-scripts/ifup-tunnel but appears to be: if [ -n "$MTU" ]; then   /sbin/ip link set "$DEVICE" mtu "$MTU" fi
20:31 < borked> Or would it be futile in attempting to counteract such a "rotting pile"....  Or outside of my control 'cause is established by host(yeah, it's a cheap n nasty VPS, but with OpenVZ, you prolly already knew that)...
20:32 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
20:52 -!- moparsthbest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
20:55 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:58 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:12 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Read error: Connection reset by peer]
21:13 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
21:26 -!- ilk [~Ilk_en@unaffiliated/ilk] has joined #openvpn
21:35 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:40 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 245 seconds]
21:43 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
21:43 -!- mode/#openvpn [+v hazardous] by ChanServ
21:49 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
22:02 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 245 seconds]
22:05 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
22:22 -!- ilk [~Ilk_en@unaffiliated/ilk] has quit [Quit: reboot]
22:52 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
23:04 -!- borked [~eyer@31.185.158.55] has quit [Ping timeout: 244 seconds]
23:20 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:26 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
23:32 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:37 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
23:48 -!- ShadniX [dagger@p5481C470.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:49 -!- ShadniX [dagger@p5481C7D8.dip0.t-ipconnect.de] has joined #openvpn
23:56 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
--- Day changed Fri Dec 19 2014
00:37 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
01:06 -!- clktmr [~timur@2a02:908:e672:cee0:c685:8ff:fe25:512] has joined #openvpn
01:06 < clktmr> !welcome
01:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:07 < clktmr> !goal
01:07 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:12 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
01:13 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
01:17 < clktmr> So I have a problem with my openvpn server which has a dynamic IP. Everything works fine except the 24h IP change. After the IP change the clients try to reconnect, but they can't reach any host because the routes are set to redirect everything to tun0, although it's not connected. On a connection loss without IP change the clients just reconnect. I am using UDP btw. Any ideas?
01:17 < clktmr> Thanks in advance
01:19 < clktmr> !paste
01:19 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
01:25 < clktmr> my client log: http://pastebin.com/dp7Zgjmj
01:30 < clktmr> my client config: http://pastebin.com/rtTrxFBP
01:31 < clktmr> my version: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
01:42 -!- jdmf [~jdmf@78.156.100.202] has quit [Quit: Bye.]
01:42 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has joined #openvpn
02:10 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has joined #openvpn
02:31 < ghormoon> hi, any idea why I get auth_failed, when the script verify does nothing (or only exit 0)? I'm trying to run as simmilar config as possible from one server, but that one authenticated to AD and I need to disable that for testing ...
02:33 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:39 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
02:48 -!- M4dH4TT3r [~M@unaffiliated/m4dh4tt3r] has quit [Quit: Leaving]
02:53 < ghormoon> nvm, solved, it needed #!/bin/sh, even tough it was runnable from bash :)
03:12 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has quit [Quit: WeeChat 1.0.1]
03:13 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
03:27 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has quit [Quit: WeeChat 1.0.1]
03:27 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
03:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
03:39 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
03:41 -!- M4dH4TT3r [~M4dH4TT3r@unaffiliated/m4dh4tt3r] has joined #openvpn
03:42 < M4dH4TT3r> please get rid of +r
03:42 < M4dH4TT3r> it makes connecting here an unnecessary additional task
03:50 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:52 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Remote host closed the connection]
04:05 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
04:26 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
04:26 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
04:26 -!- badon_ is now known as badon
04:30 < BtbN> M4dH4TT3r, i'd assume this channel beeing +r is absolutely intended.
04:30 < BtbN> Spambots usualy don't register.
04:31 < BtbN> Every single client supports authenticating with nickserv or even via sasl
04:39 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:42 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Read error: Connection reset by peer]
04:42 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
04:54 < M4dH4TT3r> BtbN: most spambots ive seen absolutely do register as registration not only gets them into hundreds more places but is rather trivial to do, yes they support authenticating but most join the chan before auto authenticating
04:55 < M4dH4TT3r> in the case of +r on this chan i had to manually join after auto authentication
04:57 < va> no, that would be +R
04:57 < va> (seems like they've renamed that mode since)
04:58 < va> What is needed is +b $~a rather than +r
04:58 -!- skypce [~custom@pc-181-154-239-201.cm.vtr.net] has joined #openvpn
04:58 < skypce> hello all
04:58 < skypce> i have a problem with openvpn 2.33
04:58 < va> skypce: no doubt.
04:58 < va> Keep it.
04:59 < skypce> say you must define tun/tap device
04:59 < skypce> modprobe has tun enabled
04:59 < skypce> i dont know
04:59 < skypce> i was made a openvpn --mktun --dev tun0
04:59 < skypce> but problem persist
04:59 < skypce> dev tun is present in client.conf
05:01 < M4dH4TT3r> lmao va you really gotta lrn to be nice to newcomers lmao
05:05 < va> lmao M4dH4TT3r newcomers really need to learn how to describe a bug lmao.
05:08 < M4dH4TT3r> usually when entering a slow chan for the first time it is customary to make a passing statement of interest as there are many chans full of people but no one ever there
05:08 -!- dzosh [~dzosh@151.249.105.36] has left #openvpn []
05:12 < va> No, the requested custom is to state the problem as concise but information-laden as possible, and then await responses for the same reason that you would never write an e-mail to a mailing list saying "anyone there?"
05:14 < va> something like https://workaround.org/getting-help-on-irc is a start
05:14 <@vpnHelper> Title: Getting help on IRC | workaround.org (at workaround.org)
05:15 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 258 seconds]
05:38 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
05:38 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:45 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 264 seconds]
05:47 -!- skypce [~custom@pc-181-154-239-201.cm.vtr.net] has quit [Ping timeout: 245 seconds]
05:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:23 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:26 -!- skypce [~custom@pc-181-154-239-201.cm.vtr.net] has joined #openvpn
06:26 < skypce> hello all
06:26 < skypce> when i run openvpn with --client parameter
06:27 < skypce> it returns
06:27 < skypce> openvpn you must define tun/tap device (--dev)
06:27 < skypce> what can be the problem?
06:28 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 244 seconds]
06:33 -!- BtbN [btbn@btbn.de] has quit [Quit: Bye]
06:34 -!- BtbN [btbn@btbn.de] has joined #openvpn
06:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
06:43 -!- rich0_ is now known as rich0
06:45 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
06:46 -!- ghormoon [~ghormoon@ghorland.net] has quit [Ping timeout: 255 seconds]
06:47 -!- clktmr [~timur@2a02:908:e672:cee0:c685:8ff:fe25:512] has quit [Quit: clktmr]
06:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
06:48 -!- ghormoon [~ghormoon@ghorland.net] has joined #openvpn
06:55 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
06:57 < skypce> hey
06:57 < skypce> how can i back to console when openvpn is ready?
06:57 < skypce> after
06:57 < skypce> of
07:16 -!- skypce [~custom@pc-181-154-239-201.cm.vtr.net] has quit [Ping timeout: 264 seconds]
07:29 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 240 seconds]
07:30 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
07:32 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
07:33 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Read error: Connection reset by peer]
07:34 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
07:39 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
07:44 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 258 seconds]
07:44 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
08:03 -!- spyro1248 [~ian@87.113.160.229] has joined #openvpn
08:03 < spyro1248> hi folks
08:04 < spyro1248> Im having some trouble with a forticlient setup - can I use openvpn to talk to this thing?
08:07 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
08:12 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
08:37 -!- Henryabcd [~Henryabcd@pD9E0837A.dip0.t-ipconnect.de] has joined #openvpn
08:39 -!- Henryabcd [~Henryabcd@pD9E0837A.dip0.t-ipconnect.de] has quit [Client Quit]
08:46 <@ecrist> spyro1248: no
08:47 <@ecrist> also, I strongly suggest throwing your fortiguard device in the trash
08:47 <@ecrist> or using it to craft something nice, like a piece of burning firewood, or a chopping block
08:48 -!- _quadDamage [~EmperorTo@boom.blissfulidiot.com] has joined #openvpn
08:56 < spyro1248> rats. that wasnt what I was hoping for.
08:56 < spyro1248> I wonder if I can use it to beat corporate IT round the head with.
08:57 < spyro1248> ecrist: any idea if its compatible with *anything* else
08:57 < spyro1248> ?
08:58 <@krzee> got a robo3d printer :D
09:06 <@ecrist> spyro1248: no
09:06 <@ecrist> generally, VPN software will only be compatible with the same at the remote end.
09:08 < va> IPsec has greater interoperability
09:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:30 -!- Henryabcd [~Henryabcd@pD9E0837A.dip0.t-ipconnect.de] has joined #openvpn
09:41 -!- spyro1248 [~ian@87.113.160.229] has quit [Quit: Lost terminal]
10:10 -!- CaTtleyA [~CaTtleyA@185.24.142.82] has quit [Quit: Lost terminal]
10:12 -!- elfixit [~Icedove@2001:1620:2777:11:1811:b814:50c1:1f4c] has joined #openvpn
10:23 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
10:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:19 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has quit [Ping timeout: 250 seconds]
11:21 -!- Henryabcd [~Henryabcd@pD9E0837A.dip0.t-ipconnect.de] has quit [Quit: Leaving]
11:21 -!- Henryabcd [~Henryabcd@pD9E0837A.dip0.t-ipconnect.de] has joined #openvpn
11:23 -!- Henryabcd [~Henryabcd@pD9E0837A.dip0.t-ipconnect.de] has quit [Client Quit]
11:41 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
12:13 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
12:39 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 256 seconds]
13:03 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
13:04 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
13:07 -!- hazard0us [~hz@openvpn/user/hazardous] has joined #openvpn
13:07 -!- mode/#openvpn [+v hazard0us] by ChanServ
13:07 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
13:08 -!- gffa_ [~unknown@unaffiliated/gffa] has joined #openvpn
13:08 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 244 seconds]
13:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
13:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Ping timeout: 244 seconds]
13:08 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 244 seconds]
13:08 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 244 seconds]
13:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:59e5:5f3f:3c52:e553] has quit [Ping timeout: 244 seconds]
13:08 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 244 seconds]
13:08 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 244 seconds]
13:08 -!- hive-mind [pranq@2001:0:53aa:64c:30db:ab9:bcca:66c4] has quit [Ping timeout: 244 seconds]
13:08 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 244 seconds]
13:08 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Ping timeout: 244 seconds]
13:08 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has quit [Ping timeout: 244 seconds]
13:08 -!- hazard0us is now known as hazardous
13:08 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
13:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
13:09 -!- mode/#openvpn [+o syzzer] by ChanServ
13:09 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has joined #openvpn
13:10 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
13:10 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
13:20 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
13:22 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has quit [Ping timeout: 255 seconds]
13:23 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
13:36 -!- elfixit [~Icedove@2001:1620:2777:11:1811:b814:50c1:1f4c] has quit [Ping timeout: 272 seconds]
13:37 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
13:37 -!- mode/#openvpn [+v s7r] by ChanServ
13:55 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Ping timeout: 258 seconds]
13:56 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
14:17 -!- gffa_ is now known as gffa
14:46 -!- lxusrbin [~lxusrbin@2001:1608:10:145::256] has quit [Ping timeout: 272 seconds]
14:51 -!- Pyrogerg [~Gregory@205.167.120.206] has joined #openvpn
15:46 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
15:49 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
16:05 < svm_invictvs> is it possible to push static routes through openVPN by DNS?
16:06 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
16:06 < svm_invictvs> http://mysticpaste.com/view/LR7SYpqlui;jsessionid=1m4hor3ak47hoxioof5sofa4n?2
16:06 < svm_invictvs> For example, I want to route all traffic to google.com through the VPN, (but nothing else)
16:06 < svm_invictvs> Is that correct?
16:06 < svm_invictvs> I found that mentioned on a forum post
16:21 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
16:23 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
16:51 -!- va [~filler@ares08.inai.de] has left #openvpn []
16:56 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
17:04 -!- slikts [~slikts@wikipedia/reinis] has joined #openvpn
17:05 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
17:23 -!- akamaru [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
17:26 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:26 -!- mode/#openvpn [+o plaisthos] by ChanServ
17:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 256 seconds]
17:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:53 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 265 seconds]
17:56 -!- Taftse|Mac [~taftse@unaffiliated/taftse] has quit [Quit: Textual IRC Client: www.textualapp.com]
18:00 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 240 seconds]
18:04 -!- Pyrogerg [~Gregory@205.167.120.206] has quit [Ping timeout: 264 seconds]
18:06 -!- KNERD [~KNERD@23.227.189.101] has quit [Ping timeout: 272 seconds]
18:15 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
18:58 < zoredache> !welcome
18:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:59 < zoredache> !ask
18:59 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
18:59 < zoredache> !logs
18:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
19:09 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
19:10 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Client Quit]
19:10 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
19:10 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Client Quit]
19:11 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
19:19 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:2849:dc3e:29:6966] has joined #openvpn
19:20 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:36 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
19:43 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:45 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Excess Flood]
19:53 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
19:54 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:54 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Excess Flood]
19:56 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:2849:dc3e:29:6966] has quit [Quit: Leaving]
20:03 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:2ce7:3d22:f750:7a2] has joined #openvpn
20:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
20:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:2ce7:3d22:f750:7a2] has quit [Read error: Connection reset by peer]
20:09 -!- KNERD [~KNERD@64.31.22.134] has joined #openvpn
20:13 -!- kirin` [telex@gateway/shell/anapnea.net/x-eitntjrcjwqreisn] has quit [Ping timeout: 272 seconds]
20:13 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e573:6f74:2bc2:40e2] has joined #openvpn
20:15 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-dbknkqzrsyoljwug] has joined #openvpn
20:49 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Read error: Connection reset by peer]
20:51 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
20:57 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Read error: Connection reset by peer]
20:57 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
20:57 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
21:01 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Read error: Connection reset by peer]
21:01 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
21:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:37 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
21:46 -!- Cultist [~CultOfThe@67.175.170.187] has joined #openvpn
21:48 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
21:49 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Remote host closed the connection]
22:02 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
22:26 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
22:26 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Ping timeout: 264 seconds]
22:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
22:49 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
23:08 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
23:22 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
23:24 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Excess Flood]
23:34 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
23:46 -!- ShadniX [dagger@p5481C7D8.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:47 -!- ShadniX [dagger@p5DDFD992.dip0.t-ipconnect.de] has joined #openvpn
23:57 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
23:57 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
--- Day changed Sat Dec 20 2014
00:26 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
00:27 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
00:49 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
00:52 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:59 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
01:01 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:04 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 258 seconds]
01:06 -!- mete [~mete@91.247.253.160] has joined #openvpn
01:08 -!- JackWinter_ [~jack@vodsl-11198.vo.lu] has joined #openvpn
01:08 -!- snappy [nipnop@unaffiliated/snappy] has quit [Ping timeout: 258 seconds]
01:09 -!- JackWinter [~jack@vodsl-11198.vo.lu] has quit [Remote host closed the connection]
01:10 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
01:11 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Ping timeout: 258 seconds]
01:11 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 258 seconds]
01:11 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
01:12 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Ping timeout: 258 seconds]
01:12 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has quit [Ping timeout: 258 seconds]
01:12 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 258 seconds]
01:12 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 258 seconds]
01:12 -!- M4dH4TT3r [~M4dH4TT3r@unaffiliated/m4dh4tt3r] has quit [Ping timeout: 258 seconds]
01:12 -!- djacob [~IceChat9@pool-71-246-17-183.phlapa.fios.verizon.net] has quit [Ping timeout: 258 seconds]
01:13 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:e573:6f74:2bc2:40e2] has quit [Ping timeout: 258 seconds]
01:13 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
01:13 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
01:14 -!- M4dH4TT3r [~M4dH4TT3r@unaffiliated/m4dh4tt3r] has joined #openvpn
01:15 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
01:15 -!- Eugene [eugene@kashpureff.org] has quit [Ping timeout: 258 seconds]
01:15 -!- JaniceKitty [j4jackj@need.sleep.caffeinet.uk.to] has quit [Ping timeout: 258 seconds]
01:16 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:16 -!- kossy [a@unaffiliated/kossy] has quit [Excess Flood]
01:16 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 258 seconds]
01:16 -!- deranged [Jess@lolpurr.net] has quit [Ping timeout: 258 seconds]
01:17 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 258 seconds]
01:17 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
01:19 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
01:19 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
01:21 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 258 seconds]
01:21 -!- deranged [Jess@lolpurr.net] has joined #openvpn
01:22 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:23 -!- kossy [~a@unaffiliated/kossy] has joined #openvpn
01:24 -!- j4jackj [j4jackj@need.sleep.caffeinet.uk.to] has joined #openvpn
01:26 -!- kossy [~a@unaffiliated/kossy] has quit [Excess Flood]
01:27 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
01:28 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
01:29 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Excess Flood]
01:30 -!- Neal_ [neal@felix.ineal.me] has quit [Ping timeout: 258 seconds]
01:31 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 258 seconds]
01:32 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
01:32 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
01:32 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
01:32 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
01:33 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
01:33 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
01:33 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
01:33 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
01:34 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
01:37 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
01:46 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
01:46 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Remote host closed the connection]
01:47 -!- james41382_ [~james@unaffiliated/james41382] has quit [Quit: Leaving]
02:02 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
02:09 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 256 seconds]
02:22 -!- unfy [~Miranda@wsip-184-185-82-30.om.om.cox.net] has joined #openvpn
02:24 < unfy> i'll be needing to replace the CA and Server crt's ... apparently the system in use is going to live beyond the original 10 year lifetime.  the level of trust on the system is terribly important, but i'm not seeing a way to generate a new CA / Server crt that can still work with existing certificates etc
02:30 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
02:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
02:58 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
03:04 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:10 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 272 seconds]
03:51 < slikts> any examples of a server setup with absolute minimal overhead for running games?
03:52 < slikts> I was using a TLS enabled setup before, and it seemed to work OK, but I was wondering if ther's a more optimal way
03:53 < slikts> i.e., I want to route game traffic through my server
03:54 < pekster> unfy: Right, a new root CA by definition cannot validate certs signed with a different CA; the CA is the only way endpoints have to validate a client
03:54 < pekster> s/client/peer
03:55 < pekster> unfy: You can, however, run 2 VPN servers to effect a rollover (so you can migrate clients to a new CA with validity lifetimes that suit your needs.) That'll involve separate networks for openvpn, although if you're under 50% address utilization you can just split what you have now in half
03:56 < unfy> the multi server setup seems to be the way to do it from a 'most simplistic way' ... but ... not so happy with that
03:56 < pekster> Note that I'm referring to openvpn instances, not actual OSes
03:57 < unfy> i already run about 3 instances for different segmentation stuff as well
03:58 < unfy> slikts: the easyrsa setup in the howto should be able to get you going.  there will be some ip addressing stuff that would be a bit 'hmmm' though
03:58 < pekster> slikts: openvpn isn't really going to cause much latency for your use-case (as games don't usually push all that much bandwidth, just packets.) This means the crypto overhead is fairly small
03:59 < pekster> TLS doesn't have any impact on the perforamnce of the data channel, just the initial negotiation and re-keys, and even re-keys aren't that critical since symmetric keys (used to encrypt your data packets) remain valid by default for an hour to allow for TLS re-key failures
04:00 < pekster> You could play with turning encryption off completely at a loss of privacy protection. Same for the hash signatures (though if you do that too now someone can actually alter your data, not just spy on it)
04:00 < pekster> I doubt it'll be any real performance gain though
04:00 < slikts> pekster: every ms counts in the case of games
04:00 < unfy> with just trying to get things to migrate, using `build-inter` and build-server-key stuff, i've gotten to the point where the new server crt/key works, but if i attempt to use the new ca.crt in server.conf i'm getting error=self signed certificate in certificate chain
04:01 < slikts> anyway, thanks, I'll look into it
04:01 < slikts> found out that my vps doesn't have the tun kernel module, so I may not even be able to use openvpn
04:01 < unfy> slik: with prediction or timestamping, the delay can be kind of mitigated.  see also: quakeworld or half-life based games
04:01 < pekster> slikts: Are you _redirecting_ your traffic using openvpn as a secure proxy to some external game service, or are you trying to allow other people to connect to your PC/LAN that will serve the games?
04:02 < pekster> A real VPS lets you build your own kernel modules
04:02 < pekster> If you're referring to OpenVZ or similar container/jail offerings, these are not a proper VPS, but a glorified chroot that you do not have actual root to (they just fake it to look like you do)
04:02 < slikts> pekster: I'm redirecting all traffic through the server
04:03 < pekster> Yea, so you biggest hit isn't even openvpn; it's the dozens of ms the Internet is causing you
04:04 < pekster> If this is so you can host games, you'll cut your latency in about half (give or take depending on exact conditions and delays) by runnign thet VPN server at the same network as  your game server
04:04 < slikts> my friend has an unstable connection to the game servers, and it seems that his connection to the server was better, so I want to have him try playing through a vpn
04:04 < slikts> pekster: it's not for hosting local games
04:04 < pekster> That reaks of misconfiguration somewhere
04:04 < slikts> it reeks of an overselling isp
04:05 < pekster> Why would the VPN be any better? Unless you suspect they're de-prioritizing the game traffic but will NOT do that for the VPN traffic
04:05 < pekster> But that's for you to figure out ;)
04:06 < pekster> VPN's aren't magic, and they don't add magic bandwidth (an actually add a few bytes to the transport, though lzo can sometimes mitigate this)
04:06 < slikts> pekster: because it may be taking a less saturated route
04:06 < pekster> slikts: Oh, also, consider testing with the lzo compression off since that's likely to add a slightly delay for the potential gain of compression; this is probably not useful here
04:07 < slikts> for instance, it used to be that my isp had terrible foreign speeds, but my vps (located in the same country) had excellent speeds, so I just used a vpn
04:07 < pekster> Maybe; that depends on what peering this crappy/oversold ISP has, and only holds true if there are >1 egress paths before the horrible service is encountered
04:07 < slikts> because my home connection was very fast as long as it was in the same country
04:07 < pekster> At any rate, trying to "optimize" openvpn is a bit premature at this stage
04:08 < pekster> 1) make it work. 2) make it work right. 3) make it work well. Until you do 1-2, don't worry about 3 so much
04:09 < slikts> I've had it working before, so I was just wondering if there's a better way
04:09 -!- slikts [~slikts@wikipedia/reinis] has quit [Remote host closed the connection]
04:11 -!- slikts [~slikts@wikipedia/reinis] has joined #openvpn
04:11 < pekster> So sure, test the vpn-client to vpn-server (ignore the game stuff for latency testing openvpn changes) and try a few of the suggestions above
04:12 < pekster> Maybe collect a several-minute average stat run (or a few) for reference, try turning off data crypto and/or lzo compression, and see if/how-much difference it makes
04:12 < slikts> (I was disconnected for a bit; enabling tun/tap required a reboot)
04:12 < pekster> TLS is fine, and you can safely ignore that for testing this (it won't have any effect on your tests)
04:13 < slikts> oh crap, irssi is glitchy with screen-256colors $TERM :/
04:13 -!- slikts [~slikts@wikipedia/reinis] has quit [Client Quit]
04:14 -!- slikts [~slikts@wikipedia/reinis] has joined #openvpn
04:15 < pekster> make sense?
04:15 < slikts> yes, thanks
04:15 < pekster> The openvpn directives of interest here are: --cipher, --auth, and --comp-lzo
04:17 < pekster> Oh, and one last suggestion would be to verify that if you send a tun-device-MTU-max packet with DF set that it does not fragment over the tunnel; that'll cause latency in the face of packet loss due to necessary retransmit of both data packets for the higher-level game (TCP or gaurenteed-delivery model) traffic
04:17 < pekster> your ping tool can do that (read its docs) and tcpdump or similar the egress as you ping
04:25 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:49 < unfy> my head may be popping, but i may... be... getting around to what's up.
04:53 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:58 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
05:08 -!- unfy [~Miranda@wsip-184-185-82-30.om.om.cox.net] has quit [Quit: Miranda IM! Smaller, Faster, Easier. http://miranda-im.org]
05:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
05:28 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:29 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:41 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 244 seconds]
05:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:42 -!- mode/#openvpn [+o syzzer] by ChanServ
06:34 -!- clktmr [~timur@aftr-37-201-229-93.unity-media.net] has joined #openvpn
06:42 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:47 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
06:47 -!- svm_invictvs [~patricktw@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
06:47 -!- clktmr [~timur@aftr-37-201-229-93.unity-media.net] has left #openvpn []
07:10 -!- rich0_ is now known as rich0
07:15 -!- shadok [~muaddib@unaffiliated/shadok] has joined #openvpn
07:31 < slikts> I'm trying to route traffic through my server, and I can connect to it fine, but the traffic isn't routed
07:32 < slikts> I have `push "redirect-gateway def1 bypass-dhcp"` in the server config, and I used `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`
07:33 < slikts> I can ping 10.8.0.1 from the client, but that's it
07:33 < slikts> how can I find out if the iptables rules are working?
07:33 < slikts> everything else seems to be
07:34 < pekster> !redirect
07:34 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:34 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
07:35 < slikts> !nat
07:35 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
07:35 < slikts> I have ip forwarding on
07:35 < slikts> !openvznat
07:35 < slikts> hum...
07:35 < pekster> !ping
07:35 <@vpnHelper> pong
07:35 < pekster> !openvznat
07:36 < pekster> cute
07:36 < pekster> !openvz
07:36 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
07:36 < pekster> !search --values openvz
07:36 <@vpnHelper> (search <word>) -- Searches for <word> in the current configuration variables.
07:36 < pekster> !search openvz --values
07:36 <@vpnHelper> (search <word>) -- Searches for <word> in the current configuration variables.
07:36 < pekster> !search openvz
07:36 <@vpnHelper> There were no matching configuration variables.
07:38 < slikts> !nat
07:38 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
07:39 < slikts> this page is empty: https://secure-computing.net/wiki/index.php/OpenVPN/FAQ
07:40 < pekster> openvz is basically just Linux in a chroot
07:40 < pekster> !linnat
07:40 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:40 < pekster> And really, OS & networking basics are things you need a handle on to use openvpn properly anyway
07:41 < pekster> NAT in "the usual" way for RFC1918 behind a router in this case
07:41 < pekster> (NAT overload on the transition, and accepting stateful traffic back in)
07:41 < slikts> well, as I said, I have the iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
07:41 < slikts> rule
07:41 < pekster> That's not a rule; that's a shell command
07:41 < pekster> https://github.com/QueuingKoala/fn-netfilter/wiki#paste
07:42 < slikts> well, whatever, I used that command and it shows up if I use iptables-save
07:43 < pekster> Cute. Now that says nothing about the *rest* of your ruleset. I can either review your ruleset, or you can assert that your netfilter configuration is correct and then you're done and it's all working
07:43 < pekster> Since pings work and you have evidently enabled IP forwarding, this leaves just the firewall/NAT config as the likely reason for failure. If you're comfortable fixing that yourself, then this is probably all you need. So go do it ;)
07:45 < slikts> there are no other rules
07:45 < slikts> http://paste.debian.net/137505/
07:46 < slikts> I even added it twice to be sure
07:51 < pekster> seems to be sane enough, although you omitted the hitcounters
07:51 -!- shadok [~muaddib@unaffiliated/shadok] has quit [Quit: Konversation terminated!]
08:02 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Read error: Connection reset by peer]
08:02 < pekster> slikts: Did you check those hitcounters? Does the NAT rule increment?
08:06 -!- eitzei [eitzei@kapsi.fi] has quit [Quit: WeeChat 1.0]
08:06 -!- torax [torax@kapsi.fi] has quit [Quit: torax]
08:16 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
08:40 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 272 seconds]
09:21 < Eagleman> How do i allow multiple users to connect on the same username BUT on a different certificate?
09:39 < slikts> pekster: this is the iptables-save -c output: http://paste.debian.net/137521/
09:40 < slikts> it seems to stay at 0
09:47 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:48 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:49 < slikts> turns out it was because MASQUERADE doesn't work in openvz (or smth)
10:06 -!- slikts [~slikts@wikipedia/reinis] has quit [Quit: leaving]
10:20 -!- j4jackj is now known as JaniceKitty
10:22 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
10:22 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
10:22 -!- Argure_ [argure@geonosis.donttrustrobots.nl] has joined #openvpn
10:24 -!- slikts [~slikts@wikipedia/reinis] has joined #openvpn
10:30 -!- ribasushi_ [~riba@mujunyku.leporine.io] has joined #openvpn
10:30 -!- Netsplit *.net <-> *.split quits: Argure, ikkeT, mistermajestic, DonRichie, _0x5eb_, MatToufoutu, nomad_fr, Synced, touya, unixninja92,  (+3 more, use /NETSPLIT to show all of them)
10:30 -!- ribasushi_ is now known as ribasushi
10:33 -!- kirin` [~kirin`@gateway/shell/anapnea.net/x-dbknkqzrsyoljwug] has quit [Disconnected by services]
10:34 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
10:34 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn
10:34 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Ping timeout: 245 seconds]
10:34 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 265 seconds]
10:34 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 265 seconds]
10:34 -!- abbe [having@badti.me] has quit [Ping timeout: 265 seconds]
10:34 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Ping timeout: 265 seconds]
10:34 -!- xMopxShell [~xMopxShel@davepedu.com] has quit [Ping timeout: 265 seconds]
10:34 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 265 seconds]
10:34 -!- sireebob [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 265 seconds]
10:34 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
10:34 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Ping timeout: 265 seconds]
10:34 -!- idl0r [~idl0r@gentoo/developer/idl0r] has quit [Ping timeout: 265 seconds]
10:34 -!- jerrcs [jeremy@dogpound.sliqua.com] has quit [Ping timeout: 265 seconds]
10:34 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 265 seconds]
10:34 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
10:34 -!- JaniceKitty [j4jackj@need.sleep.caffeinet.uk.to] has quit [Ping timeout: 265 seconds]
10:34 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Ping timeout: 265 seconds]
10:34 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 265 seconds]
10:34 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Ping timeout: 265 seconds]
10:34 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has quit [Ping timeout: 265 seconds]
10:34 -!- Haseo [~Haseo@aufrinfo.net] has quit [Ping timeout: 265 seconds]
10:34 -!- Numline1 [~anakonda@ymir.visionary.sk] has quit [Ping timeout: 265 seconds]
10:34 -!- _bt [~bt@unaffiliated/bt/x-192343] has quit [Ping timeout: 265 seconds]
10:34 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 265 seconds]
10:34 -!- abbe_ [having@badti.me] has joined #openvpn
10:34 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 258 seconds]
10:35 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
10:37 -!- xMopxShell [~xMopxShel@davepedu.com] has joined #openvpn
10:37 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
10:37 -!- Netsplit *.net <-> *.split quits: pnielsen, Jeroen52
10:37 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
10:38 -!- Netsplit over, joins: pnielsen
10:38 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
10:38 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
10:38 -!- j4jackj [j4jackj@need.sleep.caffeinet.uk.to] has joined #openvpn
10:39 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
10:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:40 -!- j4jackj is now known as JaniceKitty
10:40 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Ping timeout: 245 seconds]
10:40 -!- not_phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
10:41 -!- kirin` [telex@gateway/shell/anapnea.net/session] has joined #openvpn
10:41 -!- Nothing4You [N4Y@nothing4you.w.tf-w.tf] has joined #openvpn
10:42 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
10:42 -!- Netsplit *.net <-> *.split quits: K1rk, Brando753, +s7r, swebb, phunyguy, DrCode
10:42 -!- not_phunyguy is now known as phunyguy
10:42 -!- Matir_ [~matir@ubuntu/member/matir] has joined #openvpn
10:43 -!- Olivier [~Olivier@unaffiliated/olivier] has joined #openvpn
10:43 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 255 seconds]
10:43 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 255 seconds]
10:43 -!- Matir [~matir@ubuntu/member/matir] has quit [Ping timeout: 255 seconds]
10:43 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 255 seconds]
10:43 -!- doop [~doop@colostomy.club] has quit [Ping timeout: 255 seconds]
10:43 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 255 seconds]
10:43 -!- cz20xx [~cz20xx@ec2-54-85-86-66.compute-1.amazonaws.com] has quit [Ping timeout: 255 seconds]
10:43 -!- phreakocious_ [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
10:43 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
10:44 -!- doop [~doop@107.150.8.22] has joined #openvpn
10:45 -!- x5eb [~seb@seb-hpws2.w1.tele.crt1.net] has quit [Ping timeout: 265 seconds]
10:45 -!- Netsplit *.net <-> *.split quits: Orbixx, Exagone313
10:45 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
10:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:45 -!- mode/#openvpn [+v s7r] by ChanServ
10:45 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
10:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 244 seconds]
10:45 -!- Netsplit *.net <-> *.split quits: Pandemic_Force
10:45 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
10:45 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
10:45 -!- _0x5eb_ [~seb@seb-hpws2.w1.tele.crt1.net] has joined #openvpn
10:46 -!- MatToufoutu [~MaT@unaffiliated/mattoufoutu] has joined #openvpn
10:46 -!- Netsplit over, joins: Exagone313
10:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:46 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
10:48 -!- Orbixx [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
10:48 -!- bone_idol [~bone_idol@apple.rat.burntout.org] has joined #openvpn
10:49 -!- MacGyver [~macgyver@sog.polvanaubel.com] has joined #openvpn
10:49 -!- Haseo [~Haseo@aufrinfo.net] has joined #openvpn
10:49 -!- syzzer [~syzzer@2001:610:697::12] has joined #openvpn
10:49 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn
10:49 -!- Jeroen52 [~Jeroen@milkyway.jeroendeneef.com] has joined #openvpn
10:50 -!- syzzer [~syzzer@2001:610:697::12] has quit [Changing host]
10:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
10:50 -!- mode/#openvpn [+o syzzer] by ChanServ
10:51 -!- kirin` [telex@gateway/shell/anapnea.net/session] has quit [Changing host]
10:51 -!- kirin` [telex@gateway/shell/anapnea.net/x-oopshfxfeeqqckdx] has joined #openvpn
10:57 -!- K1rk [~Kirk@5.135.221.149] has joined #openvpn
11:01 -!- idl0r [~idl0r@gentoo/developer/idl0r] has joined #openvpn
11:02 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:02 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
11:02 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
11:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
11:03 -!- mode/#openvpn [+v s7r] by ChanServ
11:03 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:03 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:11 -!- droid909 [~droid909@unaffiliated/droid909] has joined #openvpn
11:11 < droid909> how do i find out openvpn version installed??
11:11 < droid909> openvpn -v or -V doesn't work
11:12 <@syzzer> droid909: openvpn --version
11:13 < droid909> ohh
11:13 < droid909> syzzer: thanks
11:16 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has quit [Remote host closed the connection]
11:17 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
11:20 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
11:27 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 255 seconds]
11:46 -!- droid909 [~droid909@unaffiliated/droid909] has left #openvpn []
11:50 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:55 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:58 -!- seba [~seba@kratzbaum.someserver.de] has quit [Ping timeout: 272 seconds]
12:04 -!- aep [~aep@libqxt/developer/aep] has quit [Quit: ZNC - http://znc.in]
12:05 -!- aep [~aep@libqxt/developer/aep] has joined #openvpn
12:19 -!- slikts [~slikts@wikipedia/reinis] has quit [Quit: leaving]
12:25 -!- Eagleman [~Eagleman@546BC778.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
12:51 -!- deranged [Jess@lolpurr.net] has quit [Quit: et nos unum sumus]
12:52 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
12:59 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
13:03 -!- abbe_ is now known as abbe
13:13 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
13:14 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 256 seconds]
13:17 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
13:31 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 250 seconds]
13:38 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
13:45 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
14:07 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
14:08 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 258 seconds]
14:15 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
14:37 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has joined #openvpn
14:38 < sebrk> !welcome
14:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:38 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:38 < sebrk> !route
14:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
14:39 < sebrk> !goal
14:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:41 < sebrk> I want to access all my services on a LAN behind a OpenVPN server. For this I need broadcasting to work hence I try to set up a bridged VPN. I am able to ping the server from the client, and the client from the server. But there it ends. So I figure there is probably some routing that I'm doing wrong. Also the OpenVPN-server is hosted inside a VirtualBox VM.
14:42 < sebrk> what is up with: "Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)"
14:43 < sebrk> That is two different subnets?
14:43 < sebrk> !wiki
14:43 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
14:45 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Quit: What language do deaf people think in?]
14:45 < pekster> sebrk: So you don't want to use those common ranges (or the popular /24's in 10/8 either!) because if you ever try to connect to your LAN _from_ a different network that _also_ uses these common ranges, it won't work due to overlapping networks
14:45 < pekster> We also have a flowchart just for your setup:
14:46 < pekster> !serverlan
14:46 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
14:46 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
14:46 < sebrk> ah pekster right
14:46 < pekster> sebrk: Oh, and broadcasts too? I'm curious what you need that support for, but yes, that'll need to be bridged
14:46 < pekster> Or possibly routed-tap if you only need broadcasts between the VPN clients and (possibly) the server
14:46 < sebrk> pekster: bonjour services and Steam In Home discovery
14:47 < pekster> :(
14:47 < sebrk> not happy?
14:47 < pekster> Yea, go with bridged tap then; it's just a bit more complex to configure since you need to handle the bridging and assign OpenVPN an address range that is _exclude_ from DHCP and static use locally that it will pass out to clients
14:47 < pekster> You cannot use the server-side DHCP unless you're well-aware of the routing dragons that lurk there, so just don't do that
14:48 < sebrk> You mean the bridge cannot get a dhcp address?
14:48 < sebrk> !route_outside_openvpn
14:48 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
14:49 < pekster> sebrk: Yea, don't bother with that flowchart; it's for routed setups. If you're going tap, that won't apply
14:49 < sebrk> OK. Anyway, so I can ping the server from client, and client from server but that is about it...
14:49 < pekster> Simply connecting to the VPN will give you the /24 route. However, you do _not_ want to use the server-side LAN's DHCP server, but rather have OpenVPN acting as a "special, VPN-only DHCP-server" that it fully controls
14:50 < pekster> Can you pastebin your server-config (no comments/blanks please: see !paste for grep syntax to remove those.)
14:50 < sebrk> So I have a router with a DHCP that assigns a static address to the bridge device.
14:50 < pekster> Yes, but you can't use that for VPN-issued IPs
14:50 < pekster> (ie: your VPN clients)
14:50 < sebrk> even if its outside the DHCP range?
14:51 < sebrk> the client does get an IP assigned
14:51 < pekster> Then that's fine; it's outside the DHCp range :)
14:51 < sebrk> yeah
14:51 < sebrk> ok hold on
14:51 < pekster> YOu just cannot "assign" it from the server-side DHCP server. Make sense?
14:51 < sebrk> yes I remember having bypass-dhcp in there if that is what you mean
14:51 < pekster> No, not that
14:51 < pekster> Just paste a config and I'll clarify that you've done things correctly from that
14:52 < sebrk> yes
14:52 < pekster> You do not need any --redirect-gateway here; your need are all on-link
14:52 < sebrk> dont get mad at the subnet range now. I do know it is suboptimal. In this case though I know that I don't have conflicting subnets :)
14:52 < sebrk> http://pastebin.com/nyqZm2Mq
14:53 < sebrk> I'm going to change that
14:53 < pekster> blanks are sort-of OK; it's all the dozens of comments lines that I hate ;)
14:53 < sebrk> :)
14:54 < pekster> So, remove lines 17-20; you don't want any of those
14:54 < sebrk> oh
14:54 < pekster> Set line 36 to `verb 4` -- verb 5 is only to print per-packet characters in the logs for firewall problems, and >5 is for developers with debugging enabled during openvpn compiling
14:54 < sebrk> ok
14:55 < pekster> So, onto addressing: is it correct that your openvpn server is statically configured (DHCP reservation or true static) with the IP 192.168.0.4/24, and the IPs ending .220 through .230 are _excluded_ from that network's DHCP server for local clients?
14:56 < sebrk> yes
14:56 < sebrk> that is 100% correct. IP ranging actually ends at 200 and the server (br0) has 192.168.0.4 reserved
14:57 < pekster> Perfect, that's all correct then. Finally, does the --up script (line 38 in the paste) take care of dynamically figuring out the tun device used and add it to br0 (via brctl addif or similar) ?
14:57 < pekster> fwiw, you won't need line 39 as the tap device is destroyed automatically when the openvpn terminates
14:57 < sebrk> http://pastebin.com/nm4ftdfd
14:58 < sebrk> so to answer your last question, yes that was the intention
14:59 < sebrk> So should I be good to go? I think this connection will drop if I start the VPN
14:59 < sebrk> I'll be back as someone famoulsy said once
15:01 < sebrk> pekster: so without 17-20 I get no routes I guess
15:01 < sebrk> what happens is that it connects but the client IP outbound IP remains the same (which Tunnelblick then warns about)
15:02 < sebrk> apart from that nothing else has changed
15:05 < sebrk> pekster: ?
15:06 < pekster> sebrk: line 6 in that script is not needed and ifconfig on Linix is a rotting pile of shit. So remove that line and do not replace it. And then stop using decade-old utilities: https://github.com/QueuingKoala/fn-netfilter/wiki/net-tools
15:06 <@vpnHelper> Title: net tools · QueuingKoala/fn-netfilter Wiki · GitHub (at github.com)
15:07 < pekster> sebrk: Your goal did not include redirecting traffic. Tunnelblick will not "warn" if your outbound IP "does not change" by defaeult
15:08 < pekster> You stated you needed server-side LAN access, and with the changes I mentioned above, this should now work, _provided_ that you never connect from the server-side address range. You really ought to fix that range to one less common (see !randomsubnet to calculate a random one)
15:08 < sebrk> Yeah well you are right, I dont need forwarding as of now
15:08 < sebrk> even though I've set it to 1
15:09 < pekster> If you do want that later, bring back the use of --redirect-gateway and, possibly, --push "dhcp-option dns .."
15:09 < sebrk> but I think send all traffic through VPN would be good
15:09 < sebrk> OK
15:09 < sebrk> but the result remains the same: can ping server, and server can ping client but nothing else
15:09 < pekster> Please also note !pushdns for actually using the pushed DNS info (some OSes require scripts, namely Linux and *BSD. Tunnelblick _might_ do that for you depending on config)
15:10 < pekster> Show me `brctl show` from your server after VPN startup?
15:10 < pekster> And `ip addr` while we're ad it
15:10 -!- deranged [Jess@sciurus.net] has joined #openvpn
15:10 < sebrk> alright
15:10 < pekster> Oh, hang on, script is wrong
15:11 < pekster> Hardcode br0 into line 7; openvpn will never return the bridge as a param
15:11 < sebrk> oh!
15:11 < pekster> Do this instead: DEV=$1 MTU=$2
15:11 < pekster> Then replace $BR with br0 (or w/e it is)
15:12 < sebrk> ok gonna try now
15:12 < pekster> yea, that'll require a server-side restart of openvpn
15:12 < sebrk> bridge name	bridge id		STP enabled	interfaces
15:12 < sebrk> br0		8000.080027e6a54a	no		eth0
15:13 < sebrk> http://pastebin.com/58GUh4L8
15:13 < sebrk> that is after the last changes
15:13 < pekster> no tap0 as a member on br0? Either you didn't restart the server instance, or the addition of the member interface failed
15:13 < pekster> Addressing looks fine though
15:14 < sebrk> yeah tap0 has disappeared
15:14 < sebrk> was there before though
15:15 < pekster> Should be all you need then
15:15 < sebrk> uhm... tap0 is gone
15:15 < pekster> Then openvpn is not running
15:15 < sebrk> and connection with it
15:15 < sebrk> yes it is
15:15 < pekster> Restart it then; your `ip addr` output shows you have no tap devices at all
15:16 < sebrk> it disappeared after removing the lines in up.sh
15:17 < pekster> You will _always_ see a tapX device in `ip a` with a tap VPN unless the VPN has terminated or tailed to start
15:18 < pekster> If up.sh returns nonzero exit (ie: bridge addition to br0 failed) this is a fatal error and openvpn will terminate (thus not be running)
15:18 < sebrk> see if I reset the ip.sh to what it was before tap0 shows up
15:19 < pekster> You cannot add a device to the bridge "tap0"
15:19 < sebrk> http://pastebin.com/Eqp3QrKK
15:19 < sebrk> that is with my original up.sh
15:19 < pekster> `brctl help` is pretty clear about syntax, and $1 to UP is NOT the bridge (it does not know about your bridge at all)
15:19 < pekster> no it's not
15:20 < sebrk> yes it is
15:20 < pekster> That's your INTERFACE output
15:20 < pekster> Which is motably not valid shell code
15:20 < sebrk> oh sorry
15:21 < sebrk> I mean that is the result running my original up.sh
15:21 < sebrk> running ip addr afterwards that is
15:21 < sebrk> changing up.sh as you suggested removed tap0
15:22 < pekster> Then you did something wrong. Use this instead:
15:22 < pekster> https://paste.kde.org/pkwaffhzz
15:23 < pekster> All you want that script to do is join the tap device openvpn is using to the bridge. Do not mess with promisc as Linux does this for you, automatically (and ifconfig is 20th century legacy.) OpenVPN also already sets the interface as "up" too
15:24 -!- doop [~doop@107.150.8.22] has quit [Quit: ZNC - http://znc.in]
15:24 < sebrk> the result of using that script: http://pastebin.com/L23ZrfDw
15:25 < pekster> Show me full log output from the server, at --verb 4, during startup
15:25 -!- doop [~doop@colostomy.club] has joined #openvpn
15:26 < pekster> no tap0 means it's not created (or since destroyed) so this has zero to do with your up script unless it is failing. Logs will help show this
15:26 < sebrk> like so: openvpn --verb 4
15:27 < pekster> You have `verb 4` in your config, right? That's fine, just `openvpn --config /your/config/here.conf`
15:27 < pekster> It'll spray around 300 lines to STDOUT, or add --log openvpn.log to the CLI
15:28 < pekster> sebrk: Oh, you need --script-security 2
15:29 < sebrk> http://pastebin.com/VfkQT8CU
15:29 < sebrk> that is the end of the log
15:29 < pekster> Yup. Openvpn is *NOT* running, despite your statement that it was
15:29 < pekster> If you have an openvpn process, it's not from that config
15:29 < pekster> (no openvpn == no tap/tun device)
15:30 < pekster> add that, directive, and use my up.sh script. Should magically work
15:30 < sebrk> Yes, I was previously starting/restarting the server with the "service" command
15:30 < pekster> For now, don't do that; get it working from the CLI first
15:30 < pekster> Then add in the distro-specific junk as a polishing touch
15:31 < sebrk> and the output was always:
15:31 < sebrk> * Stopping virtual private network daemon(s)...                                 *   Stopping VPN 'server'                                               [ OK ]
15:31 < sebrk>  * Starting virtual private network daemon(s)...                                 *   Autostarting VPN 'server'
15:31 < pekster> That has zero to do with openvpn
15:31 < pekster> If you need help with your distro init, please ask them
15:31 < sebrk> ok hold on
15:32 < sebrk>  sudo openvpn --config server.conf --script-security 2
15:32 < sebrk> that command exited cleanly, no output
15:33 < sebrk> however no device :(
15:33 < pekster> Exiting is bad
15:33 < sebrk> pekster: Sat Dec 20 22:33:29 2014 us=737142 /etc/openvpn/up.sh br0 tap0 1500 1574   init
15:33 < sebrk> device br0 is a bridge device itself; can't enslave a bridge device to a bridge device.
15:33 < pekster> It means failure. Go review your logs (whevere you sent logs to)
15:35 < pekster> https://paste.kde.org/ponk9l5td
15:35 < pekster> That demonstrates that `brctl addif <bridge_name> <device_to_bridge> is correct syntax. Did you reverse the arguments?
15:36 < sebrk> No I copy pasted your script
15:36 < pekster> Oh, it is using br0? hum?
15:37 < pekster> That's.. unique. Change it to $2 I guess
15:37 < sebrk> br0		8000.080027e6a54a	no		eth0
15:37 < sebrk> thats how my brctl show looks
15:37 < pekster> Yes, yes, change $1 in the --up to $2 -- you can see from the openvpn logs it's passing br0 as the first argument, but the manpage doesn't call for this :\. NFI where that comes from
15:38 < pekster> Unless this is now your silly distro init adding its own magic, that seems.. strange indeed
15:38 -!- mdorenka [~marcel@unaffiliated/mdorenka] has joined #openvpn
15:39 < mdorenka> hi guys, i have an ipv6 internet connection and i want to connect into my local network (ipv4) using openvpn via tcp. is there a good howto on how to do this?
15:39 < mdorenka> or .. is there a howto in general? ;)
15:40 < pekster> mdorenka: See !howto, and to route into your server-side LAN, see: !serverlan
15:40 < mdorenka> !welcome
15:40 < sebrk> pekster: so it started now
15:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:40 < mdorenka> okay thanks :) @ pekster
15:40 < mdorenka> !howto
15:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:40 < mdorenka> !serverlan
15:40 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
15:40 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
15:40 < pekster> mdorenka: The one bit of advice I'll give you out the door is that for transport-over-v6 you'll need --proto udp6. Otherwise the howto should be enough to get up started
15:41 < mdorenka> okay thanks :)
15:41 < sebrk> with logs: http://pastebin.com/iczPRCRK
15:41 < sebrk> but ip addr shows no tap0 device on server
15:41 < sebrk> client does connect though... I'm clueless :)
15:41 < sebrk> sorry ip addr does show tap0
15:42 < sebrk> but client cannot ping anything now
15:42 < pekster> huh? that makes no sense at all. Almost as if these are 2 different servers
15:42 < sebrk> nono it was ifconfig that didnt show tap0
15:42 < sebrk> ip addr does
15:42 < pekster> Do NOT USE ifconfig
15:42 < sebrk> ok I will not
15:43 < pekster> Does `ip` report the devie as up? It should IIRC, but maybe it needs to be told to (I try to avoid bridging because it is more complex, and generally unnecessary)
15:43 < pekster> device*
15:45 < sebrk> just ip?
15:45 < pekster> Yea, no such manual up necessary; I just tested this locally
15:45 < pekster> `ip a`
15:45 < sebrk> state DOWN
15:46 < sebrk> wait
15:46 < sebrk> wasnt connected
15:46 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
15:49 < pekster> Yes, exactly. Openvpn _will_ set it as UP when you connect
15:49 < pekster> If you're still having problems, I want a ful log
15:49 < pekster> All 300-some lines of it, and _not_ launched from your distro init
15:49 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
15:49 < pekster> (connect the server to the tap device. ie: does not fail to launch)
15:50 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has quit [Ping timeout: 272 seconds]
15:54  * pekster hates bridging for just this reason. So full of needless complexity, all to get around vendors trying to "prevent" users from sharing media across networks :(
15:57 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
15:58 < mdorenka> can i route traffic from an incomming ovpn connection to an outgoing ovpn connection?
15:58 < ender|> yes
15:58 < mdorenka> perfect :)
15:58 < pekster> Openvpn is "just a software router" with some extra security features
15:58 < mdorenka> but i guess that will take some iptables-magic?
15:58 < pekster> Just routing
15:59 < ender|> no, just routing
15:59 < pekster> Maybe NAT if you're involving RFC1918 and NAT-Overload, but this is exactly the same as if you used RFC1918 without openvpn
15:59 < pekster> So, with openvpn in a routed setup, you quite literally "route in the traditional way"
15:59 < ender|> i've got traffic routed this way somewhere: site A <--openvpn--> site B <--ipSec--> site C
15:59 -!- ross` [~ross@spam.im] has joined #openvpn
15:59 < ender|> (i wouldn't recommend doing that to anybody, but it does work)
16:00 < ross`> can someone help me, i don't know why but on windows if i do route PRINT it shows that it is routing via 10.0.2.2 (local network) and then 10.1.0.1 (VPN)
16:00 < ross`> how can i get it to stop routing through the primary connection
16:01 < ross`> so that it properly routes via vpn as primary
16:01 < pekster> "as primary" ?
16:01 < pekster> !goal
16:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:01 < ross`> as primary route
16:01 < ross`> i'm trying to route traffic through my masquerading openvpn
16:02 < pekster> Then you want to read/follow this info, especially the useful flowchart:
16:02 < pekster> !redirect
16:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:02 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:02 < ross`> yes i have that
16:02 < pekster> So where are you stuck?
16:02 < ross`> you don't seem to be understanding me
16:02 < ross`> the problem is on my client not my server
16:02 < pekster> That flowchart is for *everything*
16:02 < ross`> the client windows 7 route PRINT has 0.0.0.0 via gateway 10.0.2.2(local)
16:03 < pekster> Yes. this is becuase:
16:03 < pekster> !def1
16:03 < ross`> and then another line 0.0.0.0 via gateway 10.1.0.1 (VPN)
16:03 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
16:03 < ross`> i do that on client in windows?
16:03 < pekster> ross`: You should always use def1 to --redirect-gateway unless you are 100% sure of what you're doing. It adds two /1 routes (0/1 and 128/1)
16:03 < pekster> No, you follow the bloody flowchart
16:03 < ross`> i have that line in server for this user config
16:03 < ross`> wait
16:03 < ross`> which config file server or client side
16:03 < ross`> do i use this def1
16:04 < pekster> Either, although the FLOWCHART I keep telling you to read clearly shows you push the redirect-gatway from the server
16:04 < ross`> okay, and i'm telling you i did that
16:04 < ross`> and it adds the route line on my client
16:04 < ross`> but it is underneath the local route
16:04 < pekster> You should get 2 route lines, one for 0/1 and another for 128/1
16:04 < pekster> Yes, did you read !def1 above? This OVERRIDES your default route
16:05 < pekster> Did you try a tracert from Windows? If not, I suggest you do that now
16:05 < pekster> `tracert 8.8.8.8`
16:05 < ross`> ifconfig-push 10.1.0.2 255.255.255.0
16:05 < ross`> push "redirect-gateway def1"
16:05 < ross`> that is on my server
16:05 < pekster> For further info, please read about --redirect-gateway in the manpage:
16:05 < pekster> !man
16:05 < ross`> for this node
16:05 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
16:05 < ross`> look, you seem to think i havn't read the manual
16:05 < ross`> i have the lines you are talking about on server side
16:05 < ross`> it's adding the route
16:05 < ross`> but not workign as intended
16:05 < ross`> that is why i am here for help
16:05 < pekster> Okay, then say so :)
16:06 < pekster> You seemed to complain that it was not replacing your default route, which is expected and normal
16:06 < ross`> yes
16:06 < ross`> but i have those 2 lines
16:06 < pekster> Please pastebin your serrver and client configs, without comments/blanks:
16:06 < pekster> !configs
16:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:06 < ross`> what i'm trying to ask is
16:06 < ross`> do i need to put anything in my client config to get this working
16:07 < ross`> because i have it in the server config and it is adding the route
16:07 < ross`> but not making it default
16:07 < pekster> Yes, this is normal
16:07 < pekster> I've told you this
16:07 < pekster> If you want help, I need configs. If you don't want to paste them, then that's fine, but I can't help
16:08 < ross`> normal doesn't tell tell me if i need to edit the client config with route information as well as the server config for the client.
16:08 < pekster> No, it's pushed. (this is what --push does... obviously)
16:08 < ross`> okay, that's what i thought.
16:08 < pekster> CLient needs --client or --pull, and a whole bunch of other things standard to making it go
16:08 < ross`> this is why this is really really confusing me
16:09 < ross`> because i have the exact line i need on server config for this node
16:09 < ross`> and it adds the route, but doesn't make it primary
16:09 < ross`> and you are telling me that is normal
16:09 < pekster> Configs or I don't care dude
16:09 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has joined #openvpn
16:09 < sebrk> sorry pekster, still there?
16:09 < pekster> Yup. I had some lines for you before you pined out
16:10 < pekster> sebrk: https://paste.kde.org/pxbpbtdd0
16:10 < sebrk> ok I think I missed them
16:10 < sebrk> I here it comes
16:11 < pekster> Missing tap0 (again, in the real `ip a` and not this shitty ifconfig stuff) or tap0 as DOWN means openvpn has not properly connected to the tap device
16:12 < sebrk> https://paste.kde.org/pqeecxw9q
16:13 < sebrk> I restarted everything just now
16:13 < sebrk> state is till DOWN on tap0
16:13 < sebrk> log above
16:13 < pekster> Oh, why are you passing br0 in via the up-script?. I mean, you can do that, but thten the device is $2. Better yet, use the openvpn env-var $dev for this
16:14 < pekster> (as shown in 'SCRIPTING AND ENVIRONMENTAL VARIALBES' [sic] in the manpage.) Or shift all your args by 1 for this
16:14 < pekster> And no need for down; just get rid of it
16:14 < pekster> tap0 goes away automatically on down by default
16:15 < pekster> And you didn't remove the other lines I told you to
16:15 < pekster> Log lines 238 through 241 show this. Please remove them
16:15 < pekster> (as I asked earlier, and as you said you did)
16:15 < sebrk> so just up.sh no argument?
16:16 < pekster> (hm, or keep them in if you want redirection. I just thought those were gonig away for now. MMight be okay I suppose)
16:16 < sebrk> and then: /sbin/brctl addif br0 "$1"
16:16 < pekster> Yes. ALthough I'd recommend you make that the cleaner/less-likey-to-break: /sbin/brctl addif br0 "$dev"
16:16 < pekster> $1 works so long as you are not goign to screw up argument ordering by pushing another arg and shifting the standard script argument ordering
16:17 < sebrk> ok using dev now
16:17 < pekster> So, pick 1. *either* pass the bridge in via $1 by way of the invocation of the --up directive in your config (adjusting args the rest of thte way) *or* do it in the script
16:17 < sebrk> should I get rid of the down script?
16:17  * pekster missed that in your configs becuase it's a bit non-standard
16:18 < pekster> Yea, or just comment it out for now
16:18 < sebrk> ok
16:18 < sebrk> all done
16:18 < sebrk> retry?
16:18 < pekster> Those logs should have left tap0 there until you killed the process though
16:18 < pekster> Yea, give it another go
16:19 < ross`> do i have to name the vpn something specific for the windows gui to automatically load it
16:19 < pekster> ross`: WIndows info at:
16:19 < pekster> !gui
16:19 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
16:19 < ross`> i have config/ross.ovpn
16:19 < pekster> In <Openvpn_install> path? THat's correct, and openvpn's GUI tray icon will use that
16:19 < pekster> Screenshots for you at the (#1) wiki link above ross`
16:20 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
16:20 < ross`> idk why but i can't get openvpn.exe to run now
16:20 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has quit [Read error: Connection reset by peer]
16:21 < ross`> like at all
16:21 < pekster> Forget to run as admin?
16:21 < ross`> from powershell or by opening a config with it
16:21 < ross`> nope
16:21 < pekster> GUI needs to be run with admin privs
16:21 < pekster> openvpn.exe --version should always report version info
16:21 < pekster> Even as a non-admin. If you can't "run" openvpn like that, your install may be corrupt
16:21 < ross`> it was working a few minutes ago just fine
16:22 < ross`> and i didn't change anything
16:23 < ross`> could this def1 not overriding have anything to do with using virtualbox
16:23 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has joined #openvpn
16:23 < sebrk> sorry pekster, got disconnected
16:23 < ross`> i'd like to think i know how to use openvpn, although i've always used it on linux client
16:23 < sebrk> state still DOWN was my last entry
16:24 < ross`> no matter what i do it has 2 0.0.0.0 routes with the vpn being secondary
16:24 < pekster> def1 adds in a 0/1 and 128/1 route as I said earlier ross`. If you need help confirming this is working right, I need configs, and probably some client-side interface output. I asked for configs earlier and I am 100% unable to help you with specific questions without them
16:24 < pekster> Yes, this is WHAT YOU ARE DOING WITH DEF1 ross`. For the 3rd fucking time.
16:24 < ross`> could this have anything to do with the fact i'm using virtualbox
16:24 < pekster> No.
16:24 < ross`> well i showed you my def1 line
16:24 < pekster> !configs
16:24 < ross`> which is working because it adds the route
16:24 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:25 < ross`> google and microsoft technet won't tell me how to remove a single route
16:25 < ross`> they only show me that i can do route delete 0.0.0.0
16:25 < pekster> Do not do that
16:25 < ross`> but i can't delete 0.0.0.0 via gateway
16:25 < pekster> You wnat your 0/0 to stay
16:25 < pekster> No, you do not want that. Do not do it
16:26 < ross`> i need to remove 0.0.0.0 via 10.0.2.2
16:26 < pekster> 0/1 and 128/1 overrides your default route without wiping it out
16:26 < pekster> No, you don't
16:26 < ross`> well how can i do it
16:26 < ross`> how can i remove one 0.0.0.0 route without removing the other
16:26 < ross`> i've done it a million times in linux
16:26 < pekster> This is not related to openvpn. I don't care to help you do it
16:26 < pekster> !notovpn
16:26 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
16:27 < ross`> route del 0.0.0.0 via 10.0.2.2
16:27 < pekster> THis is 100% unrelated to your goal of redirecting internet traffic over the VPN. If you need help with Windows, go to a windows-specific mailing list
16:27 < ross`> doesn't work on windows
16:27 < ross`> let me ask you a question, openvpn configuration is operating system independent correct
16:27 < sebrk> I'm going to bed, pekster thank you for your help. I hope to find you here tomorrow to continue this adventure maybe?
16:27 < pekster> Then I need configs. Provide them or you will not be chatting here for a while
16:27 < mdorenka> when i put the .conf file in the openvpn directory in debian, will it autostart my server?
16:27 < pekster> sebrk: Sure, I've got some familyh stuff, but I'll be around
16:27 < mdorenka> it does for client connections
16:28 < sebrk> ok godnite everyone!
16:28 < ross`> let me ask you a question, openvpn configuration is operating system independent correct
16:28 < pekster> ross`: Yes. And your two /1 routes will be added reegardless of OS, provided the running process has admin rights
16:28 < ross`> Thank you :)
16:28 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has quit [Quit: Leaving...]
16:28 < pekster> ross`: Do not repeat yourself like that again or I will +q or +b you for a while. It's rude
16:28 < ross`> then the problem isn't my config as i've been saying, beacuse on linux it sets the openvpn route as primary :)
16:28 < pekster> That means you're not using/pushing def1
16:29 < ross`> the problem is either windows 7 ultimate, or virtualbox
16:29 < pekster> Nope, because I do win7 in VBox myself and def1 works fine
16:29 < ross`> pekster: i am pushing def1
16:29 < pekster> It adds in the two /1 routes, which override, without replacing the default route (aka 0/1)
16:29 < ross`> i'd show you my config but i use a ccd style server organization
16:29 < ross`> push "redirect-gateway def1"
16:29 < pekster> Yea, so 0/0 should stay your *local* gateway. But this route is not used due to the more specific /1 route
16:29 < ross`> this is the ONLY push i have anywhere
16:30 < pekster> It's very important not to wipe out the default gateway because then openvpn "fights" with DHCP clients, and this randomly breaks your redirection
16:30 < ross`> okay
16:30 < ross`> is that push line i gave you the correct one
16:30 < pekster> Yes, provided you've configured your client correctly
16:31 < ross`> Yeah, my client configuration has worked fine on four linux laptops
16:31 < ross`> updates routes perfectly and everything
16:31 < ross`> for some reason it's not doing it on windows, and it's not a permission error i don't think
16:31 < pekster> "I once won the lottery. So now I know I can win the lottery every time I play." This is flawed logic, but feel free to stand by it..
16:31 < ross`> the reason why i don't think it's a permission error is because the first time i did this from a powershell without admin rights
16:32 < ross`> and openvpn.exe gave me a route update error
16:32 < ross`> and then i ran it as administrator and redid the process
16:32 < pekster> Withoput !configs and !logs you have done something wrong
16:32 < ross`> and it did this
16:32 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
16:32 < ross`> where it just doesn't set as primary, but does add the route
16:32 < pekster> GO fix it, or give us what we need to help you. Or go away and do neither.
16:36 < ross`> http://scpb.in/serenity-ross.ovpn
16:36 < ross`> http://scpb.in/server.conf
16:38 < ross`> client-config-dir ccd
16:38 < pekster> Can I see the ccd file for that client too?
16:38 < ross`> as you can see i use a ccd
16:38 < ross`> and i gave you the entire thing here before
16:38 < ross`> http://scpb.in/ccd-ross
16:38 < pekster> Not in the last 5000 lines of my logs you haven't
16:39 < pekster> Don't push a staitc IP like that with a full pool range
16:39 < pekster> !static
16:39 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
16:40 < pekster> If you do want to push a static IP to a client, expand the --server directive so your pool *excludes* the static ranges. Otherwise you end up with a very likely race condition where the client gets assigned IP that's assigned already to another client; this is even more likely for you since that IP is the first one the pool will attempt to issue
16:40 < pekster> In other words, it is effectivly an error to use --ifconfig-push (in ccd or or --client-connect) with --server.
16:40 < ross`> Everyone is pushed an independent static ip address and only uses 1 node per vpn user
16:40 < ross`> noted that it is bad practice.
16:40 < ross`> It's not why route isn't working
16:41 < ross`> please help me with that and i'll worry about the bad practice later
16:41 < pekster> Logs from the client would be the next step
16:41 < ross`> ..
16:41 < pekster> --verb 4 (5 is fine, but normally you don't want that unless you're having trouble connecting)
16:41 < pekster> You said you have a route.exe error. If I can't see it, I can't tell you what's wrong
16:41 < pekster> !logs
16:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:41 < ross`> i have no route.exe error
16:42 < pekster> Then it's working fine.
16:42 < ross`> it just shows that def1 isn't working and the def1 push isn't making the route via 10.1.0.1 primary
16:42 < ross`> the primary route is 0.0.0.0 via 10.0.2.2 (local)
16:42 < pekster> Yes, normal
16:42 < pekster> Show me `route print -4` from the client after connect please
16:42 < ross`> you keep saying that
16:42 < pekster> I will show you what def1 does
16:42 < pekster> Paste the route output
16:43 < ross`> how do i do route print -4 > outfile
16:43 < ross`> in windows
16:43 < pekster> route print -4 > outfile
16:43 < ross`> k
16:47 < ross`> http://scpb.in/route
16:47 < ross`> sorry that took so long
16:47 < ross`> had to setup a windows share to get the file
16:47 < ross`> from vm
16:47 < ross`> as you can see, it's adding the route
16:47 < ross`> it's just not adding it as the first primary one
16:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:51 < ross`> pekster: SO since the configuration file isn't the problem, what is?
16:52 < pekster> Nothing is the problem with your routes. Note metric 20 for 0/1 and 128/1
16:52 < pekster> This overrides routing decisions for "all of the Internet" *without* replacing 0/0. If you don't understand this, you need to review your basic networking (or go find a book of class you can take)
16:53 < pekster> That looks 100% normal and expected. Your configs are correct, and your routing table is clearly correct
16:55 < pekster> You may wish to consider pushing (or defining locally on your client) the --push "dhcp-option 8.8.8.8" directive as well
16:55 < ross`> then what doesn't make sense is how it's not returning anything
16:55 < ross`> :D
16:55 < ross`> but i guess i'll try to figure that out
16:55 < pekster> Then perhaps you screwed up the routing or firewall on your server
16:56 < pekster> Again, flowchart helps you through every step
16:56 < ross`> iptables is fine, but yeah i'll look
16:56 < pekster> Where are you stick on the flowchart?
16:56 < pekster> stuck*
17:00 < ross`> http://scpb.in/iptables-save
17:00 < ross`> looks fine to me, always has worked on linux
17:00 < ross`> ipv4 routing enabled
17:00 < pekster> Can you use `iptables-save -c` to show hitcounters too?
17:01 < ross`> :INPUT ACCEPT [1650:155047]
17:01 < ross`> :INPUT ACCEPT [1720:161362]
17:01 < pekster> rule hit counters
17:01 < ross`> it's going up
17:01 < pekster> These are POLICY counters
17:01 < ross`> :PREROUTING ACCEPT [65:4374]
17:01 < ross`> :POSTROUTING ACCEPT [56:3491]
17:01 < ross`> :OUTPUT ACCEPT [56:3491]
17:01 < ross`> is that what you want?
17:01 < pekster> No
17:01 < ross`> oh..
17:01 < ross`> i know what you want
17:01 < ross`> they are all [0:0] right now
17:01 < pekster> I want RULE hitcounters. Stop ignoring everything I ask for as you've done the last hour please
17:01 < ross`> [0:0] -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
17:02 < pekster> I want to see all of them
17:02 < pekster> Stop spoonffeeding me shit one like at a time
17:02 < pekster> line*
17:02 < ross`> http://scpb.in/ipsc
17:03 < pekster> Yea, so you're not even passing anything on the FORWARD chain. Check sysctl forwarding with: `sysctl net.ipv4.ip_forward`
17:03 < ross`> root@serenity:/etc/firewall# cat /proc/sys/net/ipv4/ip_forward
17:03 < ross`> 1
17:04 < ross`> net.ipv4.ip_forward = 1
17:04 < pekster> Try to run `tcpdump -pni tun0 icmp` on the server, then do `ping 8.8.8.8` from your client
17:04 < ross`> nothing on both sides
17:05 < ross`> this is weird now
17:05 < ross`> Is there anything else that openvpn.exe uses that i need to give administrator permissions
17:05 < ross`> besides openvpn.exe
17:05 < pekster> Curious. Leave the tcpdunp running, but ping 10.1.0.1 from the client?
17:05 < pekster> Nope, just openvpn.exe
17:06 < ross`> curious
17:06 < ross`> icmp is having issues
17:06 < ross`> http://10.1.0.1 gives me the apache2 default vhost tho
17:07 < pekster> If pings are broken with that firewall config, you have more basic problems
17:07 < ross`> could virtualbox be getting in the way?
17:08 < ross`> this must be clientside
17:08 < pekster> You're not duplicating 10.1.0.0/24 anywhere in your topolgoy, are you?
17:08 < ross`> either openvpn or the network gateway at my connection
17:08 < pekster> That is *only* used within the VPN, right?
17:08 < ross`> pekster: nope
17:08 < ross`> correct
17:08 < ross`> i use 10.0.0.x locally
17:09 < ross`> icmp not working is bizarre
17:09 < pekster> Not being able to ping the VPN server means you didn't even get to step 1 in the redirect flowchart
17:09 < ross`> i thought that was working
17:09 < ross`> why can they not ping eachother..
17:09 < pekster> Try tcpdumping eth0 for the VPN traffic. Looks like you're using tcp/1194, so: tcpdump -pni eth0 tcp port 1194
17:10 < pekster> When you ping, the 4 pings from windows should each show up in that dupmp. Do not count the keepalive traffic that happens ever ~10 seconds
17:10 < pekster> every*
17:10 < ross`> spooky
17:10 < ross`> nothing
17:10 < ross`> but i can still http://10.1.0.1
17:11 < ross`> hmm
17:11 < ross`> this sounds like an isp issue
17:11 < pekster> If loading that page (do a shift-reload to avoid cached copies) and see nothing on tcp/1194 on the server, this means you're not connected to that server
17:12 < ross`> but i am connected to that server
17:12 < ross`> oh nvm
17:12 < pekster> Not on tcp/1194 you aren't, and that's what the client is configured for. Did you check server-side logs?
17:12 < ross`> it was cached
17:12 < ross`> now the question is, how did it work before if i had it cached
17:12 < ross`> :D
17:12 < pekster> k. reaload of the page shows tcp traffic for openvpn transport now?
17:13 < ross`> no
17:13 < ross`> nothing
17:13 < ross`> oh
17:13 < ross`> openvpn.exe has some errors resolving the domain name now
17:13 < pekster> You probably failed to take my DNS advice above
17:13 < ross`> no need to use 8.8.8.8
17:13 < ross`> 10.1.0.1 is a dns server
17:14 < pekster> But windows doesn't know to use it
17:14 < pekster> Push it via:
17:14 < pekster> !pushdns
17:14 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
17:14 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
17:14 < ross`> oh
17:14 < ross`> in ccd right?
17:14 < pekster> You're using your old DNS, which is presumably off-link, then redirecting it over the VPN due to the matching /1 routes
17:14 < pekster> ccd or global config; either works
17:14 < pekster> ccd means no restart on the server needed though
17:14 < ross`> pushdns 10.1.0.1
17:14 < ross`> ?
17:14 < pekster> (but means you need it for *all* ccd files
17:15 < pekster> No, read (#1) above more carefully
17:15 < ross`> push dhcp-option 10.1.0.1
17:15 < pekster> Oh, need quotes. that needs to get fixed
17:15 < ross`> push dhcp-option DNS 10.1.0.1
17:15 < ross`> which one?
17:15 < pekster> Should be: push "dhcp-option DNS 10.1.0.1" if you want to use that as DNS
17:16 < ross`> how do i kill a powershell program
17:16 < pekster> And remember, on Linux/BSD clients you need special scripts for that to work (works fine on Windows, and Tunnelblick on MacOS though)
17:16 < ross`> like openvpn.exe running in powershell
17:16 < pekster> No idea: ##windows might know
17:16 < ross`> tried ctrl+{c,d} alt+f4
17:16 < pekster> IIRC F4 stops openvpn
17:16 < pekster> At least in cmd.exe
17:17 < pekster> You can probably terminate openvpn.exe through task manager too
17:17 < ross`> restarting openvpn
17:18 < pekster> Not being able to ping the server from your client is a rather big concern though. Are you ignoring pings? `sysctl net.ipv4.icmp_echo_ignore_all` can tell you
17:18 < ross`> yay..
17:18 < ross`> everything is fine
17:18 < ross`> i'm not sure what i did or what happened
17:18 < ross`> technically i ddin't change anything :D
17:18 < ross`> weirdness
17:18 < ross`> thanks for your help
17:18 < ross`> and tolerating my frustration
17:19 < pekster> Glad you got it working. In the future, don't fight with the experts (who you're asking for help) when we need information. That, combined with some minor rudeness earlier got you close to a ban or quiet. But again, glad it worked out
17:22 < ross`> Do you know how i can get virtualbox resolution higher than 1400x1050
17:22 < ross`> do i need to give it more video memory
17:24 < pekster> Dunno; I think I left defaults and can do 1600x1200 fullscreen and seamless mode, although my defaults are set for 27MB vRAM in vBox
17:25 < pekster> The UI says "invalid settings detected" if I reduce it to 26MB
17:25 < pekster> ymmv
17:26 < ross`> i forgot you can resize scale it
17:26 < ross`> i got it working fine
17:26 -!- mdorenka [~marcel@unaffiliated/mdorenka] has quit [Ping timeout: 258 seconds]
17:26 < pekster> yup. Need client-tools installed in the VM for that, but it works pretty well
17:26 < pekster> One of the few good things Oracle does these-days :P
17:27 < pekster> Of course, they just bought all the awesome-sause from Sun Microsystems anyway..
17:28 < ross`> yeah i installed it
17:28 < ross`> just wasn't thinking
17:28 < ross`> Have you ever played diablo2?
17:41 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
17:42 -!- droid909 [~droid909@unaffiliated/droid909] has joined #openvpn
17:43 < droid909> guyz i start my openvpn server.conf and it outpust nothing ...
17:43 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
17:43 < droid909> and gives me commant promt
17:43 < droid909> where can i see logs or something
17:44 < droid909> it outputs*
17:45 -!- mode/#openvpn [+v pekster] by ChanServ
17:45 <+pekster> droid909: See:
17:45 <+pekster> !logs
17:45 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:45 <+pekster> Oh, rather, see this droid909 to find where your logs actually go:
17:45 <+pekster> !logfile
17:45 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
17:46 < droid909> hmm
17:46 < droid909> i guess i need to add verb to my server.conf
17:47 < droid909> i set it to 5
17:47 < droid909> still no output to stout
17:47 < droid909> just command prompt
17:47 <+pekster> grep log server.conf
17:47 <+pekster> You're probably using a log redirection as explained in !logfile
17:48 <+pekster> In fact, this is smarter: grep -E '(log|syslog|daemon)' server.conf
17:50 < droid909> pekster: i had a type in the path to the keys
17:50 < droid909> pekster: thank you
17:50 < droid909> tupo
17:50 < droid909> typo :)
17:51 -!- Synced [~Synced@unaffiliated/synced] has joined #openvpn
17:54 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
17:54 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
17:54 -!- badon_ is now known as badon
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:01 -!- Henryabcd [~Henryabcd@pD9E0B035.dip0.t-ipconnect.de] has joined #openvpn
18:48 -!- Henryabcd [~Henryabcd@pD9E0B035.dip0.t-ipconnect.de] has quit [Quit: Leaving]
18:48 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
18:48 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:48 -!- badon_ is now known as badon
18:52 -!- anthony25 [~anthony@149.154.84.176] has joined #openvpn
18:53 < anthony25> hello
18:54 < anthony25> I have an operational openvpn server running as server bridge, but I don't know why, clients cannot get any IP from the DHCP server with dhcpcd or networkmanager
18:55 < anthony25> dhclient works, but not dhcpcd
18:55 <+pekster> Don't do that unless you're an expert fully aware of the problems by giving out a router DHCP-option to an off-link VPN client that becomes multihomed
18:55 <+pekster> First things first: why are you bridging? You shouldn't need to do that, as explained in this factoid:
18:55 <+pekster> !tunortap
18:55 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
18:55 <@vpnHelper> rooted/jailbroken) support only tun
18:55 < anthony25> because I want the clients to be in my lan
18:56 <+pekster> To what end?
18:56 <+pekster> !goal
18:56 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:56 < anthony25> and I trust the clients because... they are my devices :p
18:56 <+pekster> You do _not_ need to bridge to access server-side LAN resources
18:56 <+pekster> So again, why do you think you need to bridge?
18:56 <+pekster> You also do _not_ need to bridge for the server-side LAN to initiate traffic to your VPN clients
18:57 < anthony25> 1/ because I don't want to route anything, so clients can access to the LAN, and can be target by the LAN too
18:57 <+pekster> So, no multicast/broacast needs. Route normally
18:58 < anthony25> 2/ I would like to setup an IPv6 tunnel, dual stack (with IPv4)
18:58 <+pekster> You do not need to route "to the Internet", just route betwen your VPN LAN and your server-side physical LAN
18:58 < anthony25> and I have a /64
18:58 <+pekster> Yes, you can dual-stack fine in OpenVPN too
18:58 <+pekster> Just assign the VPN network a /64 (or even a /112 works fine if you'd like)
19:00 < anthony25> yeah but I can't assign the same /64 for the VPN network than my actual /64, no ?
19:00 <+pekster> No, but you should have a routed block (something like a /56 from your ISP, or you can easily ask them for one)
19:00 <+pekster> RFC6177 says so
19:01 <+pekster> That gives you "256 unique /64 networks" you can allocate as you see fit. One of them for the VPN, for instance
19:01 < anthony25> yep, I know
19:02 <+pekster> OpenVPN is happy to use a /112, and this is fine so long as you do not need to route that to a further-downstream LAN with SLAAC, but be aware older debian releases (openvpn 2.2.x) with the "early developer preview IPv6 patches" only work with a /64. OpenVPN >=2.3.0 will work with smaller networks too when official support was introduced
19:03 <+pekster> Thus, use of /64's for maximum compatibility is recommended
19:03 < anthony25> so, for you, in which cases does the TAP is useful ?
19:03 <+pekster> tap is only ever useful for connections requiring broadcast or multicast traffic over the link
19:03 <+pekster> eg: OSPF, IPX, WOL, etc
19:04 < anthony25> ok I see
19:04 <+pekster> Do you have such a protocol requiring non-IP raw Ethernet frame protocols?
19:04 < anthony25> nope, not now
19:04 <+pekster> The reason we discourage bridging (strongly) here is that it's far more complex due to the OS and distro-specific issues involved
19:04 <+pekster> It's really much harder to set up as a result
19:05 < anthony25> well it was already setup for me, but I wanted to add the ipv6 support
19:05 < anthony25> but I see your point
19:05 <+pekster> Be very careful doing something like RAs over a bridged VPN; there lurk lots of dragons there, similar to the DHCP (v4) issues with the default gateway
19:06 <+pekster> It's far better to have a routed setup where openvpn manages the IPs itself to issue to clients, then route into your LANs at either end as required
19:07 <+pekster> Even if you _do_ decide to use tap (for some awful broadcasat protocol you must have) then it's still better to have openvpn manage its own pool that is reserved for the VPN
19:07 < anthony25> actually, a L2 bridging was easier for me, because for example my laptop has the same IP if I am at home, or outside (connected with my VPN)
19:07 <+pekster> ie: separate from the DHCP pool
19:07 <+pekster> Dynamic DNS (or just DNS zones, like your-pc.vpn.yourdomain.com) usually solve that
19:08 <+pekster> But yes, I see where that could potentially be an advantage in some setups
19:08 <+pekster> Just do not try and use your server-side DHCP server. Unless you're 100% confident that you know what I mean when I say that pushing a default server-side LAN router in the dhcp reply to thet VPN client is usually a bad idea
19:08 <+pekster> Let OpenVPN manage the IPs issue to VPN clients and you'll be much happier
19:09 < anthony25> ok, thank you !
19:09 < anthony25> I will look at a tun solution for ipv6
19:09 <+pekster> fwiw, tap can issue IPs itself (via openvpn) thus ignoring the DHCP server, if you really want to go that route
19:09 < anthony25> it seems more "experimental" as a server-bridge than for ipv4
19:10 <+pekster> So, you "can" make bridging work. It's just less-trivial
19:10 < anthony25> yep
19:10 <+pekster> Well, in a tap setup, openvpn is basically a "fancy switch" that delivers Etherent frames. You can do basically anything Ethernet can, although no 802.1Q or more exotic support exists today
19:11 <+pekster> IPv6 should work just fine, but handling RAs and such can get.. tricky
19:11 < anthony25> I know, and it works
19:11 <+pekster> Might require some ebtables magic if you ever connect from a site that also has IPv6 RAs on the client-end
19:11 < anthony25> except than there is an option in ipv4 for server-bridge that can define the IP range
19:11 <+pekster> Far better to issue the IPs from openvpn on tap
19:11 <+pekster> Yes, exactly: you should use that, and not server-side DHCP/RA/DHCPv6
19:12 < anthony25> so I don't need to get access to my DHCP
19:12 < anthony25> but
19:12 < anthony25> it's not ipv6 compatible, no ?
19:13 <+pekster> Hmm, maybe not..
19:13 <+pekster> I haven't tried the traditional "routed options" with IPv6 using a tap configuration
19:13 <+pekster> ie: --tun-ipv6, --ifconfig-ipv6, --ifconfig-ipv6-pool, etc
19:14 <+pekster> It might work, but maybe this is a good reason to consider switching to a routed setup anyway ;). But feel free to see if that works on tap
19:15 < anthony25> yep, that's why I thought about switching to tun for ipv6
19:15 <+pekster> IPv6 is all about routing anyway :P
19:15 < anthony25> and for example, ifconfig-ipv6-pool only works with "server-ipv6"
19:16 <+pekster> (or at least, it is when your ISP follows RFC6177 and gives you a sane prefix)
19:16 <+pekster> Ah, then that precludes use with tap, yes
19:16 <+pekster> But remember, --server-ipv6 is just a "convenience function" -- you may well need to expand it
19:16 <+pekster> That option, just like --server, is only valid in a routed setup
19:16 <+pekster> The expanded directives "might" work in tap
19:17 <+pekster> ie: --server is invalid, but you do not need to use --server-bridge to create a bridge (that too is just a "convenience function" that implies many others)
19:17 < anthony25> hum, I see
19:19 < anthony25> but stop, you almost convinced me to use tun, and then you tell me more about the potential possibility to do it with tap :p
19:20 <+pekster> Right. Use tun unless you have a very good reason to make your life more complicated
19:21 <+pekster> open-source is about choice, and letting you shoot yourself in the foot if it's what you really want. Maybe you're into that S&M stuff; I won't judge too much ;)
19:21 < anthony25> just for the curiosity, I will try to make it works with tap, but I think that the "final" configuration will be tun
19:21 < anthony25> haha
19:21 <+pekster> There are valid uses for tap, although "usually" tun, or possibly routed-tap, is a better choice
19:21 <+pekster> For instance, if the only reason for tap is OSPF, routed-tap is probably the best option
19:22 <+pekster> ie: tap is just used for the VPN link, then you route it like a classic Ethernet link from there (think old-school /30's in IPv4)
19:22 < anthony25> I see
19:22 < anthony25> but that reason is still valid with ipv6 ?
19:23 <+pekster> Yes, because OSPF still uses link-local multicast (the v6-version of broadcast) to do OSPF, and similar protoocol use-cases
19:23 < anthony25> ooohh ok
19:24 <+pekster> So that comes back to my description earlier of "tap is best avoided unless you need such exotic protocol support"
19:24 <+pekster> (or have other, equally "exotic" needs)
19:25 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 264 seconds]
19:25 <+pekster> All said, it's only extra setup headache on the server. Bridges, reduced security, distro-specific network/firewall/OS config,e tc
19:25 <+pekster> And maybe being careful with things like DHCP/RA
19:27 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
19:27 < anthony25> ok thank you about all these explainations !
19:28 <+pekster> Sure. And all my poking fun of tap aside, the only wrong solution is a poorly-planned one
19:31 -!- abbe is now known as abbe_
19:32 -!- abbe_ is now known as abbe
19:39 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Read error: Connection reset by peer]
19:40 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
19:41 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Client Quit]
19:43 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
19:44 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:51 < droid909> guys, if i want to use my client.conf with ios device i just rename it to client.ovpn?
19:52 <+pekster> !inline
19:52 <@vpnHelper> "inline" is (#1) Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
19:52 <+pekster> See (#2) above droid909 ^
19:53 -!- anthony25 [~anthony@149.154.84.176] has quit [Ping timeout: 272 seconds]
19:54 < droid909> pekster: thank you
19:54 -!- kirin` [telex@gateway/shell/anapnea.net/x-oopshfxfeeqqckdx] has quit [Ping timeout: 245 seconds]
20:01 -!- Exagone313 is now known as Exagone314
20:02 -!- Exagone314 is now known as Exagone313
20:04 -!- kirin` [telex@gateway/shell/anapnea.net/x-thqpmbuekyllfrny] has joined #openvpn
20:22 < droid909> pekster: i don't understand what to put in 'BEGIN OpenVPN Static key V1-'
20:24 < droid909> pekster: ahh i don't need that
20:24 <+pekster> That's for --tls-auth or --static
20:29 -!- Denial [~Denial@81.141.2.111] has quit [Ping timeout: 240 seconds]
20:33 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
20:36 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
20:48 < droid909> pekster: have this error EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected [ERR]
20:54 < droid909> pekster: other linux box can connect ok
20:54 < droid909> pekster: but my ios device gives me this ..
21:00 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:11 < droid909> pekster: damn i tried everything, same error
21:11 < droid909> anyone?
21:11 <+pekster> If it can connect using the _exact_ same client config (with the same inline cert bits and all) it might be a limitation of polarssl
21:11 <+pekster> Is the CA using any special options?
21:12 <+pekster> fwiw, openssl is the default for openvpn; apparently the OpenVPN Connect product (which is a 100% different codebase, not the normal openvpn) is having issues parsing it
21:12 <+pekster> Possibly specific to polarssl
21:12 <+pekster> Might be worth reviewing your CA cert; just take the <ca> ... </ca> text, save it to a file, and do this on it: openssl x509 -noout -text -in your_saved_ca.crt
21:16 < droid909> pekster: your command worked
21:16 < droid909> pekster: and it gave me the info
21:17 <+pekster> So that means it's at least a valid X.509 cert (which openssl is willing to read)
21:17 <+pekster> For some reason polarssl thinks the "foramt is invalid." Care to paste either/both the base64-cert of the decoded text?
21:17 < droid909> pekster: i used your command on the openvpn server, on ios i don't have cli ...
21:18 <+pekster> Right, that's fine so long as it's the exact same text your iOS device is using
21:18 < droid909> yup exact same
21:19 < droid909> pekster: you want your command output? what should i change before pasting it to public?
21:20 <+pekster> You don't need to change anything; certificates are public. But paste _just_ the ---BEGIN CERTIFICATE--- stuff for your CA
21:20 <+pekster> Your key and tls-auth keys are indeed private
21:20 <+pekster> base64 (the encoded text) is fine
21:21 < droid909> pekster: so, not the output right? just the ca.crt?
21:21 <+pekster> Yea
21:22 <+pekster> From the actual inline file you're using
21:22 <+pekster> ie: I want everything between the <ca> and </ca> lines
21:22 <+pekster> I'd just like to see if there's anything notable or exotic about the cert you're using that might confuse PolarSSL
21:23 < droid909> pekster: http://pastebin.com/KZ8xQvDa
21:23 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
21:25 <+pekster> All looks pretty standard to me
21:25 < droid909> pekster: EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid,  e.g. different type expected [ERR]
21:26 < droid909> pekster: maybe i have to set type?
21:26 <+pekster> No, that's implied from the <ca> (it's processed as a CA X.509 cert.) PolarSSL just can't grok it, evidently
21:28 <+pekster> I'm not sure I have the necessary polarssl lib version, but let me see if it's trivial for me to build against polarssl to see if I can reproduce that locally; I'm a bit curious now
21:28 < droid909> pekster: i used to have it working a year ago or so, maybe it is the new version 'bug' ... https://www.apptweak.com/openvpn-connect/iphone-ipad/netherlands/app-marketing-app-store-optimization-aso/reviews-ratings/latest/latest-version/590379981
21:29 < droid909> it working == connection an ios device to an openvpn
21:30 < droid909> pekster: i can paste the full client.ovpn file if it helps, removing the private parts...
21:31 <+pekster> That won't be necessary; it'll either parse the ca or won't, which is the important part here (assuming I can get my polarssl library to an acceptable version on this host)
21:45 -!- supergauntlet is now known as boypussy
21:46 <+pekster> bwahaha: OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 20 2014
21:48 < droid909> pekster: ok i now i have another error, don't know when it changed: EVENT: CORE_ERROR PolarSSL: error parsing config private key : PK - Invalid key tag or value : ASN1 - ASN1 tag was of an unexpected value [ERR]          but after i added this to my config: setenv CLIENT_CERT 0     it actualy started to connect but connection timeout ...    i read this https://www.privateinternetaccess.com/forum/discussion/951/openvpn-on-ios/p4
21:48 <@vpnHelper> Title: OpenVPN on iOS - Page 4 - Privacy Online Forums (at www.privateinternetaccess.com)
21:50 <+pekster> syzzer: By the way, awesome build system. My distro ships "too new" polarssl for openvpn 2.3, but your cmake system and docs were handy to install my own local copy elsewhere
21:54 <+pekster> droid909: fwiw, that cert seems to parse fine with openvpn 2.3.6 linked against polarssl 1.2.12 (latest public releases of both)
22:02 <+pekster> No idea about that CLIENT_CERT business; that's the commercial Connect product voodoo that's not community maintained
22:02 <+pekster> Seems you need that when you don't have a client-side keypair, perhaps
22:03 <+pekster> If you're using client keypairs, you probably need that enabled, but you'd need to ask the corporate folks that maintain the Connect client (or the forums or whatever other suppport mechanisms)
22:12 < droid909> pekster: after modifing files copying stuff i finaly managed to work it
22:12 < droid909> pekster: don't know
22:12 < esde> https://gist.github.com/gitutile/5e9640a43f245d52af4d works for android (and iOS iirc)
22:12 <@vpnHelper> Title: client.ovpn (at gist.github.com)
22:12 < droid909> pekster: maybe i'm just too sleepy
22:12 < droid909> pekster: thank you for your help
22:13 < droid909> pekster: i'm sorry that the error was my typo somewhere or something like that
22:13 < esde> the app wants the config slightly different than you'd expect. I had the same issue my first time
22:46 -!- Pandemic_Force_ [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Quit: Bye!]
22:46 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
22:54 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
22:58 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
22:58 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
23:45 -!- ShadniX [dagger@p5DDFD992.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:48 -!- ShadniX [dagger@p5DDFD478.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Dec 21 2014
00:19 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
00:33 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
00:40 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 240 seconds]
00:40 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 240 seconds]
00:42 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
00:45 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
03:52 -!- anthony25 [~anthony25@ip-113.net-82-216-82.rev.numericable.fr] has joined #openvpn
04:00 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
04:01 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:21 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:22 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:36 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has joined #openvpn
04:37 < sebrk> pekster: you there?
04:37 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:51 -!- Henryabcd [~Henryabcd@pD9E0BF63.dip0.t-ipconnect.de] has joined #openvpn
04:58 -!- Henryabcd [~Henryabcd@pD9E0BF63.dip0.t-ipconnect.de] has quit [Quit: Leaving]
05:02 -!- sebrk [~sebrk@gw-zl5.erkor-oc.cz] has quit [Read error: Connection reset by peer]
05:06 -!- funyun [~funyun@162.219.176.106] has joined #openvpn
05:06 < funyun> hi. which cipher offers the best speed?
05:08 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Ping timeout: 272 seconds]
05:10 -!- funyun [~funyun@162.219.176.106] has quit [Client Quit]
05:12 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
05:25 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
05:26 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
05:26 < hyper_ch> hmmmmm, if I use tls-auth in openvpn, what effect will it have on performance?
05:27 < sebrk> I have a weird issue with my bridged VPN. I can conntect, and I am able to surf through it. I can ping the server but nothing else on the lan. Which is my ultimate goal. Any idea what is wrong?
05:28 < sebrk> packets seem to get to the router but are dropped/not forwarded to the LAN machine
05:28 < hyper_ch> also, what cipher would you recommend nowadays? Blowfish? AES-256-CBC? something else?
05:29 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
05:29 < sebrk> s/router/server
05:36 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Ping timeout: 264 seconds]
05:44 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 240 seconds]
05:49 < sebrk> my ARP requests seems to die on tap0
05:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:52 < sebrk> on br0 I see both echo request and reply
05:53 < sebrk> routing issue?
05:55 < sebrk> well now I can ping the server and the router on LAN side... but nothing else
06:05 < hyper_ch> https://openvpn.net/index.php/open-source/documentation/howto.html#scope
06:05 <@vpnHelper> Title: HOWTO (at openvpn.net)
06:08 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Read error: Connection reset by peer]
06:12 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
06:13 < sebrk> hyper_ch: I use a bridged VPN though so I should get it "for free"
06:14 < sebrk> it just acts really weird
06:15 < sebrk> I see all these ARP requests on br0 but no answer
06:18 < sebrk> but then again, I can't ping from other hosts on LAN to VPN client either, except from the server
06:18 < sebrk> it is like all routes are messed up
06:19 < esde> !goal
06:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:20 < sebrk> My goal is to have a bridged VPN where I can use services on the LAN.
06:20 < sebrk> A secondary goal is to be able to use the internet through the VPN (this is achieved)
06:21 < sebrk> I am able to ping server and the router/gateway on LAN fro
06:21 < sebrk> m client
06:21 < sebrk> although pinging the router/gateway seems to be somewhat arbitrary
06:24 < sebrk> I can see these on server br0: ARP, Request who-has 192.168.0.3 tell 192.168.0.220
06:24 < sebrk> but no answer
06:24 < esde> !bridging
06:24 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
06:24 < sebrk> yeah, bridging is my only option though
06:24 < sebrk> I need support for broadcasts
06:25 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 264 seconds]
06:34 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Ping timeout: 265 seconds]
06:37 -!- 7JTABT3RP [d@ps38852.dreamhost.com] has joined #openvpn
06:37 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
06:38 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Client Quit]
06:41 -!- 7JTABT3RP [d@ps38852.dreamhost.com] has quit [Ping timeout: 245 seconds]
06:42 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
06:46 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 245 seconds]
06:53 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
06:59 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
07:14 -!- jsin [~jsin@unaffiliated/jsin] has joined #openvpn
07:15 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
07:15 -!- Denial [~Denial@81.141.2.205] has joined #openvpn
07:15 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
07:19 -!- jsin [~jsin@unaffiliated/jsin] has quit [Quit: jsin]
08:25 -!- Veverak [~Squirrel@ip-89-102-104-133.net.upcbroadband.cz] has joined #openvpn
08:25 < Veverak> hi folks
08:25 < Veverak> anybody some experience with debugging upnp service over openvpn?
08:26 < Veverak> setup: two machines, one vpn server, one vpn client, no bridging
08:27 < Veverak> both of the machines got service that uses upnp for local discovery... but they weren't able to contact each other trought the vpn
08:27 <+pekster> Veverak: Won't work; uPnP uses multicast group membership, requiring bridging (or possibly routed-tap if your uPnP server and client are both on the VPN)
08:29 < Veverak> pekster: so, migrating to tap could work?
08:29 < Veverak> second question when I am doing stuff with vpn
08:30 < Veverak> I once had problem that when I tried to show the client the network behind the server, while the client was on the server, it resulted in nonworking connection to other places.. (no internet) does it ring a bell for some wrong setup on my side?
08:30 <+pekster> Yes tap, but if the upnp listener (the server) is on the LAN (and not running openvpn itself) then you'll specifically need to set up a bridged VPN, which is a bit more involved since you must handle the OS/distro-specific bridging and network setup, plus coordinate IP space such that the VPN server has its own pool that is *not* used by the DHCP server on the LAN
08:31 < Veverak> yeah
08:31 < Veverak> that's not problem
08:31 < Veverak> I can handle the fact that upnpn listeners have to be on machine with vpn connection
08:31 < Veverak> :)
08:32 <+pekster> Bridging can get around that if you're willing to set it up (it's not all that hard, just more crap to worry about getting set up properly)
08:32 < Veverak> yeah
08:32 < Veverak> well, first things first
08:32 < Veverak> can I just rewrite tun to tap or should I worry about something?
08:32 <+pekster> Verify you haven't duplicated networks between the remote and server side (even including common networks a wifi cafes or other networks you don't control, for example)
08:32 <+pekster> Are you trying to set up routed tap, or bridging?
08:33 <+pekster> Just making a tun VPN into tap is pretty trivial, and this lets broadcasts work, but *only* within the VPN. To get the broadcasts onto a LAN at either end (VPN server or VPN client) requires bridging
08:33 <+pekster> We also have !serverlan which is for setting up a routed (either tun, or routed-tap) configuration for access to server-LAN resources
08:34 < Veverak> well, I am happy with broadcasting working only within VPN
08:34 <+pekster> Okay, that's fine; you can bridge later if requirements change, but it's really best to avoid that unless it's a requirement
08:35 < Veverak> ok
08:35 < hyper_ch> hmmmmm, if I use tls-auth in openvpn, what effect will it have on performance?
08:35 < hyper_ch> also, what cipher would you recommend nowadays? Blowfish? AES-256-CBC? something else?
08:36 <+pekster> hyper_ch: AES is good for AES-NI hardware (crypto-acceleration) at either 128/256 bits, although BF is usually slightly faster in pure CPU, so depends on your hardware. tls-auth has next to no performance on the data of the VPN because it's used only for the control channel
08:36 < hyper_ch> then I think I should switch to aes for the desktop computers
08:37 <+pekster> In fact, it has zero performance impact of the data speed/delay itself (just the TLS handshake, which is only really noticable during first connect, and we're taking small bits of ms, not even seconds here)
08:37 < hyper_ch> and stick with bf for the cell phones/voip
08:37 <+pekster> Yea, that's the way to go unless your mobile devices have AES-NI support
08:37 <@plaisthos> AES-NI equivalent
08:37 <@plaisthos> AES-NI is strictly intel ;)
08:37 <@plaisthos> err IA32 and AMD64
08:38 < hyper_ch> nah, I juse use the vpn tunnel for the cell phones to connect to my pbx... that way I only have to open one port ;)
08:38 <@plaisthos> iirc ios has aes cpu offload
08:38 <@plaisthos> and of course the rare android x86 with intel and aes-ni
08:38 < hyper_ch> who uses i* devices anyway?
08:38 <+pekster> It's a very pretty walled garden, but it's still walled :P
08:39 <@plaisthos> apperently newer arm cores have similar algorithms
08:40 < hyper_ch> I wonder if I should also got for tls-auth for the cell phones
08:40 < hyper_ch> guess I'll just give it a test
08:40 < hyper_ch> also I could switch from 3G to LTE... I've heard it has less latency
08:44 < Veverak> fuuu
08:44  * Veverak switched to tap
08:44 < Veverak> and well, I've got tap interface on my vpn server
08:45 < hyper_ch> tun <3
08:45 < Veverak> but mu client just doesn't connect
08:45 < Veverak> more like, it shows no error
08:45 < Veverak> and yet there is no tap on my client :/
08:45 <+pekster> Set your logs to --verb 4 and you'll get lots of logs
08:45 <+pekster> See !logs and !logfile and maybe !verb
08:46 < Veverak> verb 4 :/
08:51 < Veverak> done :)
08:59 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:59 -!- ampsix [uid26275@gateway/web/irccloud.com/x-arexsipmihlwrtna] has joined #openvpn
09:01 -!- mdorenka [~marcel@unaffiliated/mdorenka] has joined #openvpn
09:27 -!- hemlis [~hemlis@gateway/tor-sasl/hemlis] has joined #openvpn
09:27 < hemlis> hello
09:28 < hemlis> I want to know hwo to add a sh script to openvpn conf file to kill an app when it disconnects
09:28 < hemlis> !configs
09:28 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:30 < hyper_ch> hemlis: https://github.com/OpenVPN/openvpn/blob/master/src/plugins/down-root/README.down-root
09:30 <@vpnHelper> Title: openvpn/README.down-root at master · OpenVPN/openvpn · GitHub (at github.com)
09:30 < hyper_ch> and I have this in my client.conf:   plugin /usr/lib/openvpn/openvpn-plugin-down-root.so 'umount -f /mnt/jl_cifs'
09:31 < hyper_ch> so you could maybe enter a:  killall APPNAME
09:31 < hemlis> hyper_ch: ok but is it possible without this plugin ?
09:31 < hyper_ch> hemlis: no
09:31 < hemlis> hyper_ch: why not ? are not there any up and down scripts ?
09:32 < hemlis> post-disconnect script ?
09:32 < hyper_ch> did you read teh README?
09:32 < hyper_ch> well, it's possible without this plugin
09:32 < hyper_ch> it just makes it easier
09:41 < hemlis> hyper_ch: do you know about tunnelblick ?
09:45 < hemlis> Can anyone help me put a sh script in openvpn configuration file so that it kills an app on failure or disconnect ??
09:49 -!- Denial [~Denial@81.141.2.205] has quit [Ping timeout: 250 seconds]
09:52 < mdorenka> how can i specify the name of the interface that should be uses for openvpn connections?
09:53 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:54 < hyper_ch> hemlis: already told you how to do it...
09:54 -!- yang [yang@freenode/sponsor/fsf.member.yang] has joined #openvpn
09:54 < hyper_ch> mdorenka: I don't think you can
09:55 < hemlis> hyper_ch: you did not tell me a way to do it .. also which client.conf are you talking about ? Openvpn or tunnelblick
09:55 < mdorenka> uhm but what if i have two connections, how can i determine which connection runs on which interface?
09:55 < hyper_ch> hemlis: yes, I did tell you a way to do it
09:55 < hyper_ch> hemlis: you just have to read
09:55 < hyper_ch> mdorenka: does it matter over which connection it runs?
09:56 < hyper_ch> I assume it'll select the one with the default gateway
09:56 < hyper_ch> I mean default routing
09:56 < mdorenka> yup it is relevant for firewalling reasons ;)
09:56 < hyper_ch> but not sure though
09:57 < mdorenka> btw already found it
09:57 < mdorenka> on linux you just define it with "dev tun123"
09:57 < mdorenka> instead of "dev tun"
09:58 < hyper_ch> you mean multiple vpn connections?
09:59 < hyper_ch> I thought you had two or more ethernet connections and wanted to bind openvpn to a specific one :)
09:59 <+pekster> You can name interfaces too, like tun_serviceA or tun_personal , etc
10:00 <+pekster> Limit of 15 characters, IIRC
10:00 -!- mode/#openvpn [-o pekster] by ChanServ
10:00 -!- mode/#openvpn [-v pekster] by ChanServ
10:01 < mdorenka> ah cool .) ty
10:01 < mdorenka> but numbering is more than sufficient
10:05 < hyper_ch> naming the tun devices.... hmmm... intersting
10:06 < hyper_ch> I actually might make use of that :)
10:06 < hyper_ch> thx pekster
10:15 < hemlis> hyper_ch: when I load that plugin in my .ovpn file it gives me a fatal error
10:16 < hyper_ch> hemlis: enable logs
10:18 < hemlis> hyper_ch: I did it
10:18 < hemlis> it works
10:18 < hemlis> hyper_ch: but man what if we have to add more commands ?
10:19 < hyper_ch> I'm pretty sure you can come up with a solution
10:19 < hyper_ch> if not, just read the README again
10:20 < hemlis> hyper_ch: can we tell me how to add a sh script instead of command ?
10:20 < hemlis> I would add more commands to it
10:20 < hyper_ch> what's a sh script?
10:21 < hemlis> shell script
10:21 < hemlis> .sh
10:21 < hemlis> executable
10:21 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91 [Firefox 34.0.5/20141126041045]]
10:21 < hyper_ch> dash? bash? zsh? ...?
10:22 < hemlis> bash
10:22 < hyper_ch> how do you run a bash script?
10:23 < hemlis> ./script.sh
10:24 < hemlis> first chmod +x script.sh
10:24 < hyper_ch> and what will that command actually do?
10:24 < hemlis> run whatever is inside script.sh
10:24 < hemlis> for example
10:24 < hyper_ch> why not run it just like script.sh?
10:25 < hemlis> kill $(pgrep Transmission)
10:25 < hemlis> hyper_ch: what if I had to kill Transmission hexchat and firefox all at once when VPN fails
10:25 < hemlis> only a .sh can help me
10:26 < hyper_ch> you lack some serious fundamentals regarding shell scripts
10:26 < hyper_ch> why not run it just like script.sh?
10:26 < mdorenka> how do i tell openvpn to listen on ipv6 tcp port 41071 ?
10:27 < hyper_ch> "user@local: ~$  script.sh"
10:27 < hyper_ch> why won't that work?
10:27 < hemlis> hyper_ch: what do you mean ? why are you making fun of my thoughts ?
10:27 < hemlis> ./script.sh
10:28 < hemlis> hyper_ch: how can I give whole path and then ./script.sh
10:28 < hyper_ch> hemlis: I'm not making fun of your thoughts. I'm just clearing up some misunderstandings
10:28 < hemlis> is it possible ?
10:28 < hemlis> hyper_ch: we need to do ./script.sh to run the script
10:28 < hyper_ch> hemlis: why   ./script.sh and not just   script.sh ?
10:28 < hyper_ch> mdorenka: you set the port and tcp in the server config
10:29 < hyper_ch> and it should listen to ipv4 and ipv6... I don't think you can specifiy that with openvpn but never really bothered to check
10:30 < hemlis> hyper_ch: I don't understand we run scripts with ./ only
10:30 < hemlis> I don't know
10:30 < hyper_ch> what does   ./   mean?
10:30 < hyper_ch> you never thought about it but this question or rather answer will probably solve all the other problems you're having ;)
10:31 < hemlis> hyper_ch: current dir ?
10:31 < hyper_ch> mdorenka: port 41071
10:31 < hyper_ch> mdorenka: proto tcp
10:31 < hyper_ch> in server config
10:31 < mdorenka> why do i have to define it for udp then? (udp vs udp6)
10:31 < hyper_ch> hemlis: that's right
10:32 < hemlis> hyper_ch: now kindly tell me the problem i am having ?
10:32 < hyper_ch> the problem? not the answer?
10:32 < hemlis> hyper_ch: answer ya
10:32 < hyper_ch> if ./ is current path, how would you run a script that's in a different path?
10:33 < mdorenka> and why is there tcp6-server for proto?
10:33 < hemlis> hyper_ch: but you don't get it
10:33 < hyper_ch> mdorenka: I don't have ipv6 so I never looked into it
10:33 < hemlis> hyper_ch: script is in /Downloads
10:33 < hemlis> and plugin is elsewhere
10:33 < hyper_ch> hemlis: I do get it
10:33 < hemlis> so what to do now
10:33 < hemlis> hyper_ch: plugin /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn-down-root.so ‘/Downloads/Protection/downit.sh’
10:33 < hemlis> don't work
10:34 < hyper_ch> hemlis: what error?
10:34 < hyper_ch> ls -al /Downloads/Protection/downit.sh
10:35 < hemlis> hyper_ch: it don't work
10:35 < hyper_ch> hemlis: what doesn't work?
10:35 < hemlis> but when I do ./downit.sh in terminal it works
10:35 < hemlis> Tramission won't close
10:35 < hemlis> when it disconnects
10:35 < hyper_ch> does your user have the same environment as root?
10:36 < hyper_ch> is the script run by openvpn at all?
10:36 < hyper_ch> is the script buggy?
10:36 < hyper_ch> so many places where it can go wrong
10:36 < hyper_ch> "it doesn't work" doesn't mean anything
10:38 < hemlis> hyper_ch: simple command works
10:38 < hemlis> but .sh don't
10:38 < hemlis> hyper_ch: can you help me ?
10:38 < hemlis> script is not buggy
10:38 < hemlis> when i run it it work
10:38 < hyper_ch> doesn't mean it's not buggy
10:39 < hyper_ch> give me logs and errors
10:39 < hyper_ch> ls -al /Downloads/Protection/downit.sh
10:39 < hemlis> ok
10:39 < hyper_ch> also cron isn't using the same environment as your user
10:40 < hyper_ch> if cron scripts won't work, usually it's buggy script that are dependant on user environment
10:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:42 < hyper_ch> also, after the shebang line, add this:    exec 1>> /tmp/downit.log 2>&1
10:42 < hyper_ch> also, there's no need to query me with private messages
10:42 < hemlis> ok
10:44 < hyper_ch> and as third line add:  echo "Running downit"
10:47 < hyper_ch> and I assume that you actually have a proper shebang line
10:48 < hemlis> hyper_ch: I think you assume I am a pro
10:48 < hemlis> I am just trying to get it to work here
10:48 < hyper_ch> what's the first line of the script?
10:49 < hemlis> hyper_ch: I got it to work with help from bash peeps
10:49 < hemlis> thanks for plugin
10:49 < hemlis> is there a similar plugin for start up things ?
10:49 < hemlis> to execute an app when it connects ?
10:53 < hyper_ch> if up
10:53 < hyper_ch> you can run stuff when the interface goes up
10:53 < hyper_ch> never used it though
10:55 < hemlis> ok
10:55 < hemlis> it is not required only
10:56 < hemlis> you are correct
10:56 -!- pnielsen [pnielsen@2a01:7e00::f03c:91ff:fedf:3a21] has quit [Remote host closed the connection]
10:56 < hemlis> hyper_ch: are you a student ?
10:56 < hyper_ch> no
10:57 < hemlis> then ?
10:57 < hemlis> what do you do for a living ?
10:57 < hyper_ch> you wouldn't believe me anyway
10:57 < hyper_ch> so no point in saying
10:58 < hemlis> NSA ?
10:58 < hemlis> Freeze! FBI!
10:58 < hyper_ch> s/saying/telling/
10:58 < hemlis> You have no right but to stay quiet
10:59 < hemlis> hyper_ch: tell me ?
11:00 < hyper_ch> I fail to see a reason why I should as I won't be believed anyway
11:00 < hemlis> Tell me meh, I believe ya
11:01 < hyper_ch> and I don't see why it matters
11:02 < hemlis> are you the Anonymous ?
11:02 < hemlis> or Snowden ?
11:02 < hemlis> who the heck are ya meh ?
11:02 < hyper_ch> just someone who uses openvpn
11:02 < hemlis> hehe
11:02 < hyper_ch> and irc - obviously
11:03 < hemlis> are you a nice girl ?
11:03 < hemlis> are you nixie pixel ?
11:03 < hemlis> don't be shy
11:03 < hyper_ch> I can be whatever you want
11:03 < hemlis> I knew it
11:03 < hemlis> you are an alien meh
11:03 < hemlis> so Roswell wasn't a gimmick finally
11:04 < hemlis> hyper_ch: I am the Anonymous, don't mess around
11:04 < hemlis> bye thanks for bugging and helping
11:04 -!- hemlis [~hemlis@gateway/tor-sasl/hemlis] has left #openvpn ["See ya.."]
11:05 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:30 -!- mdorenka [~marcel@unaffiliated/mdorenka] has quit [Ping timeout: 244 seconds]
12:36 -!- yang [yang@freenode/sponsor/fsf.member.yang] has left #openvpn ["Free yourself with Free Software, join www.FSF.org"]
12:41 -!- mt [mt@unaffiliated/supermat] has left #openvpn ["WeeChat 1.1-dev"]
13:13 -!- rich0_ is now known as rich0
13:17 -!- s7r_l [~s7r@openvpn/user/s7r] has joined #openvpn
13:17 -!- mode/#openvpn [+v s7r_l] by ChanServ
13:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
13:40 -!- s7r_l is now known as s7r
13:50 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
13:51 < sebrk> pekster: old chap, are you there? I've made some progress
14:05 < sebrk> My goal is to have a bridged setup where I can access resources on the LAN behind VPN server. As of now I can ping the server and sometimes the gateway on LAN but nothing else. I can see ARP requests on br0 for other hosts but that is about it. Any idea what is wrong? I can also surf the internet through the VPN.
14:08 < sebrk> I dont get why I can ping the gateway on the LAN but nothing else
14:16 -!- DracoDan [~no@pool-108-56-153-176.washdc.fios.verizon.net] has joined #openvpn
14:16 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Quit: Linkinus - http://linkinus.com]
14:17 < DracoDan> I'm trying to deploy the openVPN virtual appliance in vsphere.  When I go to deploy it I get a bunch of warnings, should I worry about that?
14:19 < DracoDan> the warnings: http://postimg.org/image/6h1u5lnhb/
14:19 <@vpnHelper> Title: View image: openvpn ova warnings (at postimg.org)
14:19 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
14:22 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
14:47 < BtbN> Try the vmware channel for questions about vmware.
14:50 < DracoDan> huh? It's a question specific to the OpenVPN appliance
14:51 < DracoDan> I've deployed tons of OVA/OVFs with no warnings
14:51 < DracoDan> actually, looks like I need to ask in #openvpn-as actually...
14:51 < BtbN> What is "the OpenVPN appliance"?
14:52 < BtbN> Never heard of that before.
14:52 < DracoDan> https://openvpn.net/index.php/access-server/download-openvpn-as-vm/469-deploying-openvpn-access-server-from-an-ovf-template-in-vmware-esxi-environment.html
14:52 <@vpnHelper> Title: Deploying OpenVPN Access Server from an OVF Template in VMWare ESXi Environment (at openvpn.net)
14:52 < DracoDan> appliances are self-contained servers that are built to quickly provide a service
14:53 < BtbN> Yeah, looks like AS stuff
14:53 < DracoDan> you usually just have to set IP and login info
14:53 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Ping timeout: 245 seconds]
15:19 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
15:24 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has joined #openvpn
15:38 -!- cyberspace- [20253@ninthfloor.org] has quit [Ping timeout: 256 seconds]
15:38 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
15:59 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn
16:20 -!- DracoDan [~no@pool-108-56-153-176.washdc.fios.verizon.net] has quit []
16:24 -!- mrdigital|mac [~MrDigital@216-15-74-116.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com] has joined #openvpn
16:24 < mrdigital|mac> hi i am having an issue configuring  OpenVPN on linux
16:24 < mrdigital|mac> root@ReadyNAS:/etc/openvpn# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
16:24 < mrdigital|mac> iptables: No chain/target/match by that name.
16:25 < mrdigital|mac> does anyone know what that error means?
16:40 < hyper_ch> it says what it means
16:49 < BtbN> is -m state finaly gone?
17:00 -!- rahoul [~nicolas@181.165.138.146] has joined #openvpn
17:01 -!- Olivier [~Olivier@unaffiliated/olivier] has quit [Quit: reboot]
17:20 -!- rahoul [~nicolas@181.165.138.146] has quit [Read error: Connection reset by peer]
17:22 -!- mrdigital|mac [~MrDigital@216-15-74-116.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com] has quit [Quit: (null)]
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:23 -!- ampsix [uid26275@gateway/web/irccloud.com/x-arexsipmihlwrtna] has quit [Quit: Connection closed for inactivity]
18:33 -!- abbe_ [having@badti.me] has joined #openvpn
18:34 -!- BtbN [btbn@btbn.de] has quit [Ping timeout: 258 seconds]
18:36 -!- kokel [~quassel@kenneth.kokelnet.de] has quit [Ping timeout: 258 seconds]
18:36 -!- abbe [having@badti.me] has quit [Ping timeout: 258 seconds]
18:36 -!- BtbN [btbn@btbn.de] has joined #openvpn
18:37 -!- kokel [~quassel@kenneth.kokelnet.de] has joined #openvpn
18:37 -!- abbe_ is now known as abbe
18:48 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
18:48 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
19:04 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
19:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:48 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Quit: Contact: http://hallowe.lt/]
19:49 -!- Pyrogerg [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has joined #openvpn
19:52 -!- Pyrogerg [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has quit [Read error: Connection reset by peer]
19:52 -!- Pyrogerg_ [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has joined #openvpn
20:16 < Eugene> !fail2ban
20:16 <@vpnHelper> "fail2ban" is in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
20:23 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
21:32 -!- Pyrogerg_ [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 240 seconds]
22:02 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:18 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 258 seconds]
22:18 -!- ampsix [uid26275@gateway/web/irccloud.com/x-gtafprnzbwkpcaea] has joined #openvpn
22:31 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
22:38 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
22:49 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
22:58 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has joined #openvpn
22:58 < DougLashz> I'm using openvpn on Ubuntu as an ordinary plain Jane enduser. By default, in the terminal, am I supposed to use sudo?
22:59 < DougLashz> And is it okay just to use openvpn that way? Or are there any huge disadvantages I should be aware of?
23:03 -!- Maxels [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
23:03 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
23:04 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:05 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has quit [Read error: Connection reset by peer]
23:06 -!- lev__ [~lev@stipakov.fi] has quit [Ping timeout: 245 seconds]
23:06 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Quit: No Ping reply in 180 seconds.]
23:06 -!- Maxel [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 245 seconds]
23:08 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:08 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 258 seconds]
23:09 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 240 seconds]
23:11 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 245 seconds]
23:11 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 245 seconds]
23:11 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
23:12 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
23:12 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
23:21 < Eugene> DougLashz - are you trying to ask what UID/GID openvpn should be run under?
23:22 < DougLashz> Eugene: I think so. I hardly know anything about UIDs and GIDs. I basically want to know if I, as an ordinary enduser on my personal machine, should run it as sudo
23:23 < Eugene> The short answer is "Yes". It needs to be able to do some things that require root
23:23 < Eugene> The properest way to do it would be to put your config file into /etc/openvpn/, and utilize `service openvpn start/stop`
23:24 < Eugene> So it won't be dependent upon your terminal session.
23:25 < Eugene> It's generally accepted that openvpn doesn't have any remote-code-execution problems, but if you're really paranoid you can look up the --user and --group config directives, which will "drop permission" once the startup is done.
23:26 < DougLashz> Eugene: Thanks! That was really helpful
23:27 < DougLashz> Eugene: How does 'service openvpn start/stop' know which .ovpn file to use if there's more than one in /etc/openvpn/ ?
23:27 < Eugene> It runs all of them
23:28 < Eugene> I don't know if this applies to Ubuntu, but `systemctl start openvpn@<config-name>` works under CentOS7.
23:31 < Eugene> Also note that the .ovpn extension is specific to Windows. Normally its .conf
23:32 < DougLashz> Eugene: I copied the configuration file over to /etc/openvpn/ and ran 'service openvpn start'
23:32 < DougLashz> Eugene: it started a vpn daemon and that's it. So what do I do next?
23:33 < Eugene> Do whatever you would normally do.
23:33 < Eugene> The logging will be redirected to /var/log/syslog(I think? I forget Ubuntu)
23:33 < Eugene> You can verify the tunnel is up by looking at `ip addr show` output, and noting the tun device
23:40 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has quit [Ping timeout: 250 seconds]
23:45 -!- ShadniX [dagger@p5DDFD478.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:46 -!- ShadniX [dagger@p5481D14D.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Dec 22 2014
00:06 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 258 seconds]
00:06 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has joined #openvpn
00:07 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
00:12 < DougLashz> re
00:15 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
00:20 < DougLashz> Eugene: thanks for all the help :) that was progress for sure
00:20 -!- DougLashz [~dal@gateway/tor-sasl/douglashz] has quit [Quit: Leaving.]
00:54 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:10 -!- tapout [~tapout@unaffiliated/tapout] has quit [Ping timeout: 258 seconds]
01:16 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
01:17 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
01:40 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
01:47 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has quit [Quit: leaving]
02:05 -!- lxusrbin [~lxusrbin@han.solo.atw0rk.net] has joined #openvpn
02:11 -!- mattock_afk [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:11 -!- mode/#openvpn [+o mattock_afk] by ChanServ
02:11 -!- mattock_afk is now known as mattock
02:15 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 256 seconds]
02:54 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
03:33 -!- ampsix [uid26275@gateway/web/irccloud.com/x-gtafprnzbwkpcaea] has quit [Quit: Connection closed for inactivity]
03:47 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has quit [Quit: Quit]
03:47 -!- halothe23 [~halothe23@freenode/sponsor/halothe23] has joined #openvpn
03:52 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:06 -!- ib54003 [~ib54003@fedora/ib54003] has joined #openvpn
04:16 < ib54003> hey how can i force openvpn i am running (2.3.6) to use the cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384??
04:16 < ib54003> i already tried to set tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA38
04:17 < ib54003> but i get an error ... http://ur1.ca/j6zm5
04:17 <@vpnHelper> Title: #161987 Fedora Project Pastebin (at ur1.ca)
04:22 -!- solars [~solars@83.175.75.64] has joined #openvpn
04:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
04:23 < solars> hi, I have configured openvpn according to http://wiki.ubuntuusers.de/OpenVPN, it's on a machine inside my home network. if I want to connect from outside, can anyone tell me what to change (ports to fwd?) on my router?
04:23 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
04:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
04:24 -!- mode/#openvpn [+v s7r] by ChanServ
04:29 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
04:37 -!- defswork [~andy@141.0.50.98] has joined #openvpn
04:49 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
04:57 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Read error: Connection reset by peer]
04:59 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 240 seconds]
05:00 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has quit [Ping timeout: 240 seconds]
05:00 -!- xTz [~xTz@77.238.81.110] has quit [Ping timeout: 240 seconds]
05:02 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
05:06 -!- jareth_ [~jareth_@bak.project-treadstone.nl] has joined #openvpn
05:09 < solars> working
05:12 < solars> hmm does anyone know why this fails? https://gist.github.com/solars/22695d3f77a1c5bcc3ef
05:12 <@vpnHelper> Title: gist:22695d3f77a1c5bcc3ef (at gist.github.com)
05:14 < solars> I copied the generated client files (key, crt, csr)
05:21 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
05:21 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
05:21 -!- badon_ is now known as badon
05:28 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 272 seconds]
05:31 -!- ib54003 [~ib54003@fedora/ib54003] has quit [Ping timeout: 244 seconds]
05:32 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
05:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
05:33 -!- mode/#openvpn [+v s7r] by ChanServ
05:46 -!- lev__ [~lev@stipakov.fi] has joined #openvpn
06:18 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
06:20 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
06:22 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:48 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
06:52 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Excess Flood]
06:53 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
07:02 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
07:02 < hyper_ch> krzee: http://wikileaks.org/cia-travel/
07:02 <@vpnHelper> Title: CIA Travel Advice To Operatives (at wikileaks.org)
08:00 -!- mattock is now known as mattock_afk
08:03 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
08:19 -!- mattock_afk is now known as mattock
09:03 -!- xTz [~xTz@77.238.81.110] has joined #openvpn
09:03 < xTz> !tls-verify
09:04 < hyper_ch> do you mean tls-auth?
09:05 < xTz> nope, this one I got. but in the hardening section I find those 2:
09:05 < xTz> - Use the tls-remotedirective on the client to accept/reject the server connection based on the common name of the server certificate.
09:06 < xTz> - Use a tls-verifyscript or plugin to accept/reject the server connection based on a custom test of the server certificate's embedded X509 subject details.
09:06 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:06 < hyper_ch> ah :)
09:06 < xTz> !tls-remote
09:06 < hyper_ch> good luck, never used that
09:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:07 < xTz> Please note: This option is immediately deprecated. It is only implemented to make the transition to the new formatting less intrusive. It will be removed either in OpenVPN v2.4 or v2.5. So please make sure you use the --verify-x509-name option instead of --tls-remote as soon as possible and update your scripts where necessary.
09:07 < xTz> I think I found the answer :)
09:08 < hyper_ch> since you haven't implemented this yet on your setup, you'll go directly ot the --verify-x509-name version, right?
09:12 < xTz> Right
09:29 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
09:29 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
09:31 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has joined #openvpn
09:40 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:10 -!- solars [~solars@83.175.75.64] has quit [Ping timeout: 272 seconds]
10:31 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
10:37 -!- jkli [~jkli@95.211.196.215] has joined #openvpn
10:37 < jkli> hi guys
10:37 < jkli> any germans here?
10:37 < hyper_ch> no
10:37 < jkli> I guess
10:38 < jkli> im having trouble understanding the nobind parameter in the config file
10:38 < jkli> i use a paid vpn service and have their openvpn config file here
10:38 < jkli> but i only want to bind openvpn to port 1149
10:38 < jkli> so that only applications using port 1149 are going through the vpn tunnel
10:39 < jkli> do i set that up with the "bind" parameter? and if yes, how
10:39 < jkli> the thing is, i run a webserver on port 80 and dont want its traffic to go through the vpn tunnel as well
10:47 < jkli> when i kill the process openvpn, will the tunnel automatically close and the network traffic return to normal?
10:54 -!- Burgundy [~burgundy@188.25.139.62] has joined #openvpn
11:03 < jkli> nobody?
11:11 -!- jkli [~jkli@95.211.196.215] has quit []
11:17 -!- rhin0k [~rhinok@109.101.232.200] has joined #openvpn
11:17 < rhin0k> !welcome
11:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:18 < rhin0k> !man
11:18 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
11:18 < Burgundy> !configs
11:18 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:21 -!- bruxC [~bruxC@66.63.84.178] has joined #openvpn
11:32 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 272 seconds]
11:38 -!- sireebob [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 258 seconds]
11:38 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
11:40 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:43 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
11:45 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:46 < rhin0k> !goal
11:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:47 < rhin0k> !goal I would like to access the lan behind the server
11:54 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 272 seconds]
11:55 -!- deranged [Jess@sciurus.net] has quit [Quit: et nos unum sumus]
11:56 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
12:02 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
12:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
12:06 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
12:06 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
12:08 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
12:10 -!- deranged [Jess@sciurus.net] has joined #openvpn
12:11 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
12:18 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has joined #openvpn
12:33 -!- Cultist [~CultOfThe@67.175.170.187] has left #openvpn ["Leaving"]
12:35 < Synced> !goal I would like to access the internet over my vpn
12:40 < DArqueBishop> !redirect
12:40 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:40 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
12:44 < Burgundy> Hello! I set up a OpenVPN server in a google cloud VM instance, I can ping/traceroute through it, I even tested and can telnet to a website's 80 port through it, but can't browse through it, I can't explain the behavior, here is a lot of details about the setup http://pastebin.com/Sj7YJPi3.
12:44 < Burgundy> Any help is appreciated.
12:50 < DArqueBishop> Burgundy: !pushdns
12:50 < DArqueBishop> Er.
12:50 < Burgundy> let's see
12:50 < Burgundy> !pushdns
12:50 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
12:50 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
12:50 < DArqueBishop> Burgundy: are you telnetting to the website's IP address or domain name?
12:51 < Burgundy> DArqueBishop: any of it works, also tried with a static DNS for the client connection
12:51 < jkli> is it possible to bind a vpn to only one port and not redirect all traffic through the vpn?
12:52 < DArqueBishop> jkli: no.
12:53 < DArqueBishop> Rather, what you're asking for will at best be very difficult if your OpenVPN server is not under your control and is forcing a redirect gateway, and at worst not possible.
12:53  * DArqueBishop waits for the experts to tell him he's wrong.
12:53 < DArqueBishop> But as for as the "only one port" thing, it doesn't work like that.
12:53 < jkli> then what is nobind / bind used for?
12:56 < DArqueBishop> I believe (and I could very well be wrong) that bind just has OpenVPN tied to a specific local address, if your machine has more than one.
12:56 < jkli> ah
12:56 < DArqueBishop> For example, if you have multiple interfaces like 192.168.1.1 and 10.0.01, "bind 10.0.0.1" would make OpenVPN listen only on 10.0.0.1.
12:57 < DArqueBishop> In any event, what you're asking is for OpenVPN to act like a proxy server.
12:59 < jkli> i think i just found a solution
12:59 < jkli> it is like what you described, marking incoming and outgoing packets
13:08 -!- R1ck [~rick@vps04.totaal.net] has joined #openvpn
13:14 -!- heraclitus [~phobos@unaffiliated/heraclitis] has joined #openvpn
13:14 < heraclitus> anyone have a definitive guide for setting up openvpn on tails?
13:15 < heraclitus> !help
13:15 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
13:15 < heraclitus> !help socks-proxy
13:15 <@vpnHelper> Error: There is no command "socksproxy".
13:15 < heraclitus> !list
13:15 <@vpnHelper> Admin, BadWords, Channel, ChannelLogger, Config, Factoids, FloodPrevent, Google, Misc, Owner, Relay, Seen, Services, User, Weather, and Web
13:17 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
13:18 < hyper_ch> tails?
13:18 < heraclitus> yeah, the torproject's operating sysetm
13:18 < heraclitus> trying to configure ME > TOR > VPN
13:18 < hyper_ch> !howto > heraclitus
13:19 < hyper_ch> damn
13:19 < hyper_ch> !howto
13:19 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
13:22 < heraclitus> yeah, I've read and implemented several client and server instances with openvpn... this particular type of configuration isn't 'standard'
13:23 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
13:39 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Ping timeout: 240 seconds]
13:50 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
13:53 < droid909> heraclitus: ME > TOR > VPN > TOR > VPN > TOR
13:53 < droid909> heraclitus: :)
13:58 < heraclitus> would love to see your configuration, droid909
13:59 < esde> and latency
13:59 < esde> !socks
14:00 < esde> vpnHelper, is kill?
14:00 < Eugene> And ease with which somebody can associate your traffic pattern with you IP
14:01 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
14:01 < Eugene> Excessive path length means more opportunities for somebody to identify your traffic from its bit-pattern
14:02 < Eugene> Then there's the fact that the US Gov't runs a substantial quantity of Tor exit nodes
14:02 < Eugene> But hey, what do I know?
14:02 < esde> links to support the claim? "the fact that the US Gov't runs a substantial quantity of Tor exit nodes"
14:02 < hyper_ch> do tell us what you know
14:03 < heraclitus> ^
14:03 -!- KaaK [~Kevin@wsip-72-205-198-77.ks.ks.cox.net] has joined #openvpn
14:03 < heraclitus> was just getting ready to ask the same question
14:03 < hyper_ch> esde: silk road
14:03 < Eugene> whois the IPs
14:03 < Eugene> Dig through a layer or two of shell companies and hosting records
14:04 < esde> If it were that easy, I'd expect someone to have put together some academic paper showing their findings in order to help the community at large.
14:04 < heraclitus> ^
14:04 < heraclitus> and presented at 3c or defcon
14:04  * Eugene shrugs
14:04 < Eugene> Believe me, or don't. Doesn't matter, everything is sniffed anyway
14:05 < esde> The latter point I'll agree with.
14:05 < Eugene> If you think running it through $NETWORK will get rid of the sniffing you're on better drugs than I
14:06 < heraclitus> you actually make a valid point, methinks
14:07 < Eugene> The only question is how much $AGENCY cares about what you're doing. SHort of googling for BOMB WHITE HOUSE OBAMA ISLAM you aren't going to appear on many radars
14:07 < heraclitus> shit, I google that everyday
14:08 < Eugene> Oh noes!
14:08 < esde> .... scaremail
14:09 < Eugene> The opposite, really: nobody cares about your github commits.
14:09 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
14:10 < Eugene> Is it a good idea to get universal crypto? Yup, sure is. TLS everything
14:10 < heraclitus> i disagree Eugene, I think that agencies like the NSA commonly use github to discover vulnerabilities before they are corrected, or while they're in the process of being patched
14:10 < heraclitus> yes, encrypt the planet :)
14:11  * esde agrees with heraclitus on the github point
14:11 < esde> everything nice and neatly documented for them (in some cases)
14:11 < Eugene> Hahah, documentation
14:11 < Eugene> You /are/ on good drugs
14:11 < heraclitus> #I think this does this // k go
14:17 < heraclitus> anyway, my interest in such a configuration is primarily academic, with some possible practical applications for a project a friend has been working on.
14:26 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.91.1 [Firefox 34.0.5/20141126041045]]
14:34 -!- rhin0k [~rhinok@109.101.232.200] has quit []
14:55 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 244 seconds]
14:58 -!- bruxC [~bruxC@66.63.84.178] has quit [Quit: Leaving]
14:58 -!- deranged [Jess@sciurus.net] has joined #openvpn
15:00 -!- bruxC [~bruxC@66.63.84.178] has joined #openvpn
15:05 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 258 seconds]
15:06 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has quit [Quit: Computer has gone to sleep.]
15:11 -!- deranged [Jess@sciurus.net] has joined #openvpn
15:12 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has joined #openvpn
15:16 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 244 seconds]
15:18 -!- deranged [Jess@sciurus.net] has joined #openvpn
15:23 -!- justinzane [~justinzan@67.21.190.132] has joined #openvpn
15:23 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 265 seconds]
15:23 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has quit [Quit: Computer has gone to sleep.]
15:24 -!- deranged [Jess@sciurus.net] has joined #openvpn
15:25 -!- bruxC [~bruxC@66.63.84.178] has quit [Quit: Leaving]
15:26 -!- xp99 [~chatzilla@184.71.174.42] has joined #openvpn
15:27 < xp99> hello
15:27 < xp99> is it possible to have different configurations based on the ip address the client is connecting from?
15:30 < Burgundy> I wonder if anybody's managed to set up a tunnel through an openvpn in google cloud, I'm still having issues with mine
15:33 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
15:38 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
15:38 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
15:45 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 256 seconds]
15:49 -!- droid909 [~droid909@unaffiliated/droid909] has quit [Quit: leaving]
15:50 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 258 seconds]
15:53 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
15:56 -!- xp99 [~chatzilla@184.71.174.42] has quit [Quit: ChatZilla 0.9.91 [Firefox 34.0.5/20141126041045]]
16:01 < Burgundy> I can ping/traceroute through it, telnet through it, yet the only site I can visit and get a result from is checkip.dyndns.org, maybe due to the size of the response, any other site does not load, browser hangs at "waiting for"
16:02 < Burgundy> if anybody can be of help, here's more info http://pastebin.com/Sj7YJPi3
16:05 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
16:06 -!- mode/#openvpn [+v RBecker] by ChanServ
16:09 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
16:14 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:14 -!- deranged [Jess@sciurus.net] has joined #openvpn
16:19 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 265 seconds]
17:21 -!- rhollan [~rhollan@173-10-78-121-BusName-Washington.hfc.comcastbusiness.net] has joined #openvpn
17:21 < rhollan> How can I route locally-generated traffic over the VPN? I don't want redirect-gateway since most of the traffic outbound should go through the local ISP
17:30 -!- KaaK [~Kevin@wsip-72-205-198-77.ks.ks.cox.net] has quit [Ping timeout: 264 seconds]
17:32 < Eugene> !routebyapp
17:32 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
17:32 <@vpnHelper> policies you set. For Linux, read about !lartc
17:34 < esde> secure-computing.net down? :(
17:34 < esde> NOPE
17:34 < esde> typo'd
17:34 < rhollan> No, it's much simpler than that. I have a router that servers several  nets on each interface: DMZ, SECure, and LAN. Most of the traffic arriving on those net with the exception of some subnets in each goes over the non-VPN link to the WAN. That part is working: I can use ip rule and ip route to set up a vpn routing table based on source IP. But I can't get LOCALLY GENERATED traffic on the router (like DNS looku
17:34 < rhollan> ps) to go over the VPN unless I make it the default route
17:35 < esde> !redirect
17:35 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:35 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
17:35 < esde> Burgundy ^
17:35 < esde> check the flowchart
17:36 < esde> ... i wasn't trolling, usually the host the image is at is not down...
17:36 < rhollan> redirect gateware routes ALL traffic arriving at the router, or locally generated over the VPN. The VPN here is the exception route, rather than the normal one. I don't want to have to make the normal routes the exception.
17:36 < pekster> rhollan: Right. Reverse your logic; set the egress you want the local system to use as the default route on the main table, then send other networks/hosts/whatever to the other one via secondary tables
17:36 < esde> rhollan, that wasnt for you :)
17:36 < rhollan> pekster: that's exatly what I want to avoid: the VPN isn't the common route for external traffic
17:37 < pekster> I'd highly recommend you use connmark too as a router, otherwise you'll effectively break ICMP by spraying it over the wrong interface (ICMP your router returns on routed connections with issues, like param-problem or ttl-expired, etc)
17:37 < esde> I was trying to offer Burgundy something to check out to help them troubleshoot
17:37 < pekster> rhollan: You can't have it both ways. You can't both want to send to a gateway and not want that; you need definable policies
17:38 < pekster> rhollan: And what do you mean "external" traffic exactly? How can you want the local system to send to the VPN but not want things going "externally" to do that? Isn't local system going to "not the local network" by definition external?
17:39 < rhollan> I have definable policies! I have three nets: 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24. Within each .1-.15 are servers, .240-.245 are routers (just the one actually), and .16-.31 should route over the VPN. That's easy. So I make a vpn table for them. Easy. Trouble is I want LOCALLY originated traffic on the router to use the VPN by default.
17:39 < pekster> Then set it as the default gateway on the main table rhollan. This does exactly what you want, "by default."
17:40 < pekster> Can you define what "non-default" _locally_ generated traffic you do _not_ want over the VPN? Your use of the word "default" suggests there is some but you still haven't clearly explained what/why
17:40 < rhollan> Right, but then I need to make exceptions for the NON-VPN-routed traffic from my three LANs. Is there no other way?
17:40 < pekster> The 'local' tables should do that
17:40 < pekster> Check `ip rule show` and `ip route show table local` for instance
17:40 < rhollan> All locally-generated traffic should go over the VPN. Some traffic from the LANs should go over the VPN
17:41 < rhollan> I looked at that, but can I put default routes in the local table?
17:41 < pekster> Right, so default gateway on the router via the VPN link, then you do `ip rule ..` to route from your LANs to some other egress
17:41 < pekster> local table is _only_ supposed to be for _locally_ attached networks
17:41 < pekster> Don't use it for other things to avoid unnpleasantness
17:42 < pekster> And yes, you will need iprule stanzas for your LANs. So what? This gets you exactly what you want, and you're complaining about the need for a secondary routing table and 3 rules?
17:42  * pekster does not see the problem
17:43 < pekster> You can even use the iif and/or from qualifiers in `ip rule`, though consider conntrack for ICMP. See this example for some ideas on syntax:
17:43 < pekster> !routebyapp
17:43 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
17:43 <@vpnHelper> policies you set. For Linux, read about !lartc
17:43 < pekster> Erm, not that. This:
17:43 < pekster> !lartc
17:43 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
17:43 < pekster> Link at #2
17:46 < rhollan> Meh. I know I can do it that way. I wanted the VPN rules for the locally attached networks to be EXCEPTIONS rather than the other way around. I find it strange that traffic originating on the local system HAS to go through the default gateway. There does not appear to be a "from local table vpn" form, or equivalent.
17:47 < pekster> Then add a higher priority rule
17:47 < pekster> The issue is that the IP for the outbound data is decided based on the route
17:48 < rhollan> More importantly, some LAN hosts should NEVER go over the VPN. This way there is an interval between the VPN coming up, and changing the default gateway, and routing exceptions for LAN traffic taking hold, where some traffic can go over the VPN when it shouldn't, though I think if I change the default route in a route-up script at the right time, I can avoid that race.
17:48 < pekster> Play with `ip route get` maybe to see what the kernel will do for certain destination IPs, for instance
17:48 < Burgundy> esde: I just picked up your message and link to the flowchart, not sure it applies to the issues I'm having, I kinda gave up
17:49 < pekster> rhollan: Firewalls stop traffic going where it shouldn't; I highly recommend you run a good firewall on any router
17:49 < pekster> Not really an openvpn problem at that point, just basic network practice
17:49 < rhollan> it's not the destination, it's the source that determines whether to VPN or not. I can use ip rule from the various subnets on the LAN, but apparently I can't use it "from local"
17:50 < rhollan> basically I have two egress interfaces: non-vpn and vpn tunnel
17:50 < Burgundy> my scenario goes all the way to the  does blabla site show your correct ip, yet I know the routes are set properly, I can traceroute through the tunnel, I can telnet through the tunnel, I can't get websites to load through the tunnel
17:50 < pekster> No, you can't. And you're not really hearing what I have to say, so stay in your world if you like. I told you that the source address for non-explicitly-bound (see bind(2)) egress will be *sourced* based on the routing table's return (see `ip route get`) of the *destination*
17:51 < pekster> Do with that information what you will.
17:51 -!- anthony25 [~anthony25@ip-113.net-82-216-82.rev.numericable.fr] has quit [Ping timeout: 246 seconds]
17:53 < pekster> Brando753: Maybe read !pushdns ?
17:53 < rhollan> But I can select WHICH routing table to use via "ip rule from <net>/<size> table <name>" so the source IP address (not the address of the interface the traffic will egress on the router) determines the routing table to use. But is there no way to use such a rule for traffic originating on the router it self to pick the right routing table?
17:54 < Burgundy> pekster: was that for me or for Brando753?:)
17:54 < pekster> rhollan: Nope. You can't do that. Either bind(2) *every* outbound connection, or referse the logic and have 3 `ip rule add ... from EACHNET/CIDR lookup SOME_TABLE` junk
17:54 < pekster> reverse*
17:55 < Burgundy> pekster: in case it was for me, I checked that already, both by checking resolving through the tunnel and setting static DNS servers for the vpn connection
17:55 < rhollan> Sigh. I was hoping to avoid the logic that way, but if that's the only way, then so be it. Thanks.
17:56 < pekster> rhollan: Or optionally, add a higher-priority ip rule to *another* table, but then you're basically just replacing a numbered/named table with the default table, which seems silly
17:57 < pekster> Could mark traffic to go not over the VPN too. Follow the premise in my linked connmark on the wiki I linked you, then try something like `ip rule add not fwmark 0x100 lookup not_vpn` or similar
17:58 < rhollan> No, I guess I'll do it this way. I am just surprised that there is no way to specify "traffic originating locally" for "ip rule add from..." commands I would think 127.0.0.1 would work, but  no.
17:58 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has joined #openvpn
17:58 < pekster> Why would 127.0.0.1 be how you source to the 'net? NOthing can route back to that..
17:58 < rhollan> I guess my problem is not knowing how to specify "traffic originating locally"
17:58 < pekster> (after all, I have my *own* 127/8)
17:59 < pekster> Right. Default route is usually for that. Or more specifically, "the first matching routing entry as the eligible tables are consulted in assending preference and match validity order"
17:59 < rhollan> 127.0.0.1 is where the traffic COMES FROM: originating on the local system. If I am routing from the attached interfaces, it's easy: there's a source address that determines routing table to use, that determines egress interface, that determines source address going out of the router (I NAT on egress interfaces).
17:59 < pekster> Get clever with connmark/ctmark if you have more exotic needs
17:59 < pekster> No, no it's not
18:00 < pekster> GO type `ip route get 8.8.8.8` (googleDNS)
18:00 < pekster> Please note that it's very obviously not sourced from 127.0.0.1. 127/8 is *only* (only ever, period, no exceptions) for traffic both originationg and bound locally
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:00 < pekster> Basically, you're issue isn't the VPNs or the routing table, but some basic routing fundamentals
18:01 < pekster> your*
18:01 < rhollan> I think the overloading of "sourced" is causing confusion here: A) where the traffic comes from vs. B) which interface it goes out of and what IP address it carries.
18:01 < pekster> Traffic is not sourced from 127/8 unless it is also going to 127/8. Very simple
18:02 < rhollan> Then were is traffic sourced "from" if it orignates on the router itself? It doesn't have a source address since it hasn't egressed an interface yet.
18:02 < pekster> https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2000px-Netfilter-packet-flow.svg.png
18:02 < pekster> From whatever the best match in the routing table says
18:02 < pekster> If you want to change this GO FIX YOUR ROUTING TABLES
18:03 < pekster> FFS dude, I gave you the command that queries this very information
18:03 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
18:03 < pekster> 18:00:02 < pekster> GO type `ip route get 8.8.8.8` (googleDNS) <-- there it is again if you figured you already knew best and skipped it
18:04 < rhollan> That tells me what interface it goes out of, based on the routing table selected. The routing table is selected based on where it comes from. The "from" clause of the ip add rule from... command wants a cidr. There is no cidr for locally originated traffic.
18:04  * pekster gives up
18:04 < pekster> Go take a networking class or something
18:04 < pekster> !101
18:04 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
18:04  * esde hands pekster a beer
18:07 < rhollan> It just seems silly that I can define exceptions for non-VPN traffic after my default route is set to go over the VPN, but not the other way around.
18:07 < pekster> You can. Pick the ACTUAL source
18:07 < pekster> The one ip route get returns
18:07 < pekster> The one after "src" in case you're still ignoring the obvious here
18:08 < pekster> rhollan: This should be blindly obvious from this example: https://paste.kde.org/pjovoaxyz
18:11 < rhollan> But that will change the route to 8.8.8.8 (in this case), for ALL sources. I just want it changed for traffic originating on the router, you know, like for a DNS or NTP lookup.
18:11 < rhollan> And, I already tried that.
18:11 < pekster> Right. It's an example to show that 127/8 as a source is nonsense
18:12 < pekster> https://www.youtube.com/watch?v=ENXvZ9YRjbo
18:12 <@vpnHelper> Title: Weezer - Say It Aint So - YouTube (at www.youtube.com)
18:12 < rhollan> I guess I will have to live with making the default route over the VPN and add exceptions for the non-vpn traffic. Sigh.
18:12 < pekster> Just blindly mark in mangle somewhere and key off fwmark
18:13 < rhollan> I could do that if I know how to specify "traffic originating on THIS host"
18:13 < pekster> mark in mangle/PREROUTING and key off the fwmark
18:13 < rhollan> Apparently I can only specify traffic originating from "other than this host" in all it's detailed glory
18:13 < pekster> Problem solved
18:14 < pekster> -A PREROUTING -i <each_source_iface_in_its_own_rule> -j MARK --set-mark 0x100>
18:14 < pekster> ip rule add fwmark 0x100 lookup 100
18:14 < pekster> ip route add default via <wherever> table 100
18:14 < pekster> Done.
18:15 < pekster> Now that breaks ICMP, so go do it right with conntrack and --restore-mark, probably
18:16 < pekster> #Netfilter is probably more on-topic if you're in need of this level of help
18:18 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has quit []
18:18 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has joined #openvpn
18:30 -!- `Kevin [~kevin@ec2-54-236-80-113.compute-1.amazonaws.com] has quit [Remote host closed the connection]
18:33 -!- kristijonas [~kristijon@78-56-42-111.static.zebra.lt] has joined #openvpn
18:34 -!- rhollan [~rhollan@173-10-78-121-BusName-Washington.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
18:34 < kristijonas> hello, i'm a newbie in networking and openvpn, but I managed to connect client and router through tun0 (using static key), but now i want all client traffic to be forwarded to the server.
18:35 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has quit [Ping timeout: 250 seconds]
18:36 < pekster> Sounds like you want:
18:36 < pekster> !redirect
18:37 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:37 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:38 < kristijonas> !def1
18:38 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
18:39 < kristijonas> pekster, that's way to difficult,I was reading an article on Debian Wiki page. But it didnt work out.
19:13 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:23 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
19:24 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
19:29 -!- kristijonas [~kristijon@78-56-42-111.static.zebra.lt] has quit [Remote host closed the connection]
20:01 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
20:18 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
20:34 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Read error: Connection reset by peer]
20:38 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has joined #openvpn
20:52 -!- trumee [~parul@2601:e:1580:799:624:5684:b42:5b00] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:55 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
21:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:33 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has joined #openvpn
21:38 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
21:41 -!- jkli [~jkli@brln-d9ba45ed.pool.mediaWays.net] has quit [Quit: Computer has gone to sleep.]
21:56 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
22:01 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
22:54 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
22:58 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:00 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
23:45 -!- ShadniX [dagger@p5481D14D.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:46 -!- ShadniX [dagger@p5481DEC2.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Dec 23 2014
00:48 < bashusr> hi, can someone help me out with port forwarding? I have a host to host VPN connection (10.8.0.1 <-> 10.8.0.2) and I want all of 10.8.0.1 port 80 traffic to be forwarded to 10.8.0.2... i think i got 10.8.0.1 setup correctly, but i can't figure out how to tell traffic on 10.8.0.2 to be sent over the VPN, here is a pastebin of my config http://pastebin.com/Cu8CPJVB
00:49 <@krzee> !factoids search --values dnat
00:49 <@vpnHelper> 'freebsdnat', 'bsdnat', 'linportforward', 'openbsdnat', 'nat', and 'frozentux'
00:50 <@krzee> !linportforward
00:50 <@vpnHelper> "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip) or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP> or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
00:50 <@krzee> your openvpn config will not be relevant
00:50 <@krzee> at least not to your question
00:51 < bashusr> krzee, yeah, my config is for iptables, my vpn is working just fine
00:52 < bashusr> i can ping and locally reach port 80 on 10.8.0.2 from 10.8.0.1
00:53 <@krzee> why the MASQUERADE?
00:54 < bashusr> i don't need that? i'm trying to connect from 10.8.0.1's internet ip addr?
00:55 < bashusr> if i don't use masquerade, won't that make all clients see the private 10.8.0.2 ip addy and not work?
00:56 <@krzee> no idea
00:56 <@krzee> hehe
00:56 < bashusr> :(
00:56  * bashusr bangs away some more... if anyone knows, please help!
00:56 <@krzee> your question is actually unrelated to openvpn
00:56 < bashusr> i'll try #iptables
00:56 <@krzee> you should probably ask in #netfilter
00:56 < bashusr> or that
00:56 <@krzee> yep ^
00:56 < bashusr> thanks
00:56 <@krzee> well #iptables will take you to #netfilter
00:56 <@krzee> channel forward ;]
00:56 < bashusr> har har har
01:02 <@krzee> i assume all you need is what the bot told you
01:02 <@krzee> because someone else asked this before, and when they found the answer and got it working i added their solution to the bot
01:11 -!- almostworking [~almostwor@unaffiliated/almostworking] has quit [Quit: Leaving]
01:15 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
01:15 < bashusr> krzee, i think that solution may only work when you are fowarding all your traffic through the VPN server
01:16 < bashusr> when the default gateway is still the remote gateway, i think what you have is packets coming in via VPN and then going out through the gateway and just being dropped because the gateway doesn't recognize the TCP session
01:17 -!- mirco_ [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Remote host closed the connection]
01:18 -!- intricate [~xach@unaffiliated/intricate] has quit [Remote host closed the connection]
01:19 <@krzee> and i think the packets get NAT'ed to the vpn client, come back, and get sent back to the target
01:19 <@krzee> because of the magic of nat
01:19 <@krzee> anyways, he had your EXACT goal and thats what he did.
01:19 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
02:30 -!- heraclitus [~phobos@unaffiliated/heraclitis] has quit [Quit: Leaving]
02:34 -!- deranged [Jess@sciurus.net] has joined #openvpn
02:44 -!- sireebob [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 258 seconds]
02:52 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
03:07 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 258 seconds]
03:19 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has joined #openvpn
03:20 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has quit [Client Quit]
03:22 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
03:23 -!- intricate [~xach@unaffiliated/intricate] has quit [Read error: Connection reset by peer]
03:49 -!- intricate [~xach@unaffiliated/intricate] has joined #openvpn
04:00 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
04:01 -!- c0ded [~c0ded@unaffiliated/c0ded] has left #openvpn []
04:01 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
04:05 -!- Six6siX [~Devil@jasmine.sammybakar.com] has joined #openvpn
04:47 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:02 < xTz> guys, since 2.3.2, is the ccd/DEFAULT file still valid?
05:03 < xTz> It doesn't seem to work with me
05:03 < xTz> !DEFAULT
05:03 <@vpnHelper> (default <name>) -- Returns the default value of the configuration variable <name>.
05:26 -!- intricate [~xach@unaffiliated/intricate] has quit [Ping timeout: 258 seconds]
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
05:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:07 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
06:10 < sebrk> Hello everybody. My goal is to setup a bridged VPN (done) and to access LAN services through Bonjour. Currently this works but only one way, i.e. LAN hosts can see my VPN-connected host services but not the other way around. I'm guessing this is an iptables issue really. I'm a noob at that. Could anyone assist me on a iptables filter that would work
06:19 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has joined #openvpn
06:25 -!- Netsplit *.net <-> *.split quits: _FBi, jdmf, @mattock, +hazardous, sireebob, someone, pppingme, daguz, jeev, AsadH,  (+52 more, use /NETSPLIT to show all of them)
06:25 -!- Netsplit over, joins: julieeharshaw, Pandemic_Force, kirin`
06:25 -!- kirin` [telex@gateway/shell/anapnea.net/x-thqpmbuekyllfrny] has quit [Max SendQ exceeded]
06:26 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
06:26 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
06:26 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
06:26 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
06:26 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
06:26 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
06:26 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
06:26 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
06:26 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
06:26 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
06:26 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has joined #openvpn
06:26 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
06:26 -!- JaniceKitty [j4jackj@need.sleep.caffeinet.uk.to] has joined #openvpn
06:26 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
06:26 -!- xMopxShell [~xMopxShel@davepedu.com] has joined #openvpn
06:26 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
06:26 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
06:26 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
06:26 -!- ExtraCarpety [~ExtraCarp@2607:5300:60:a0d::1] has joined #openvpn
06:26 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
06:26 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
06:26 -!- KNERD [~KNERD@64.31.22.134] has joined #openvpn
06:26 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:26 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
06:26 -!- `Yoda [Yoda@unaffiliated/itsyoda] has joined #openvpn
06:26 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has joined #openvpn
06:26 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:26 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
06:26 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
06:26 -!- ServerMode/#openvpn [+ooo mattock plaisthos krzee] by kornbluth.freenode.net
06:26 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
06:26 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
06:26 -!- mete [~mete@91.247.253.160] has joined #openvpn
06:26 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
06:26 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn
06:26 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
06:26 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
06:26 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
06:26 -!- ServerMode/#openvpn [+v hazardous] by kornbluth.freenode.net
06:26 -!- Chex [~Chex@swampjax.northnook.ca] has joined #openvpn
06:26 -!- Guest36588 [~staff@2606:df00:2::15e2:8242] has joined #openvpn
06:27 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
06:27 -!- doop [~doop@colostomy.club] has joined #openvpn
06:27 -!- phunyguy [~vortex@ubuntu/member/phunyguy] has joined #openvpn
06:27 -!- daguz [~leo@208-1-63-46.celito.net] has joined #openvpn
06:27 -!- Schrottfresse [~quassel@schrottfresse.de] has joined #openvpn
06:27 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn
06:27 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
06:27 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
06:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
06:27 -!- mgorbach [~mgorbach@pool-108-20-78-135.bstnma.fios.verizon.net] has joined #openvpn
06:27 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
06:27 -!- thumbs [1000@unaffiliated/thumbs] has joined #openvpn
06:27 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
06:27 -!- novaflash [~novaflash@openvpn/corp/support/novaflash] has joined #openvpn
06:27 -!- NChief [~nchief@unaffiliated/nchief] has joined #openvpn
06:27 -!- ServerMode/#openvpn [+oo vpnHelper novaflash] by kornbluth.freenode.net
06:27 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Max SendQ exceeded]
06:27 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Max SendQ exceeded]
06:27 -!- `Yoda [Yoda@unaffiliated/itsyoda] has quit [Max SendQ exceeded]
06:27 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Max SendQ exceeded]
06:27 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Max SendQ exceeded]
06:27 -!- TonyL [~Tony@unaffiliated/darkg] has quit [Max SendQ exceeded]
06:27 -!- jefferai [sid1300@kde/mitchell] has quit [Max SendQ exceeded]
06:27 -!- swebb [~swebb@8.36.226.184] has quit [Max SendQ exceeded]
06:27 -!- xMopxShell [~xMopxShel@davepedu.com] has quit [Max SendQ exceeded]
06:27 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has quit [Max SendQ exceeded]
06:27 -!- Chex [~Chex@swampjax.northnook.ca] has quit [Max SendQ exceeded]
06:27 -!- tapout [~tapout@unaffiliated/tapout] has joined #openvpn
06:27 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
06:27 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
06:27 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
06:27 -!- sebrk is now known as sebrk|away
06:27 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
06:28 -!- sebrk|away [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Quit: Leaving...]
06:28 -!- pythonsnake1 [~pythonsna@fedora/pythonsnake] has joined #openvpn
06:28 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
06:28 -!- jdmf [~jdmf@78.156.100.202] has joined #openvpn
06:28 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
06:28 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
06:28 -!- ServerMode/#openvpn [+v RBecker] by kornbluth.freenode.net
06:28 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
06:29 -!- Chex [~Chex@swampjax.northnook.ca] has joined #openvpn
06:29 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
06:32 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
06:56 -!- jefferai is now known as jefferai_
07:00 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
07:14 -!- Pyrogerg [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has joined #openvpn
07:25 -!- punkdali [~paul@c-98-254-44-131.hsd1.fl.comcast.net] has joined #openvpn
07:28 -!- Pyrogerg [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 272 seconds]
08:06 -!- KaaK [~Kevin@wsip-72-205-198-77.ks.ks.cox.net] has joined #openvpn
08:15 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
08:21 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
08:21 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 265 seconds]
08:23 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:26 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
08:30 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:32 -!- Slippern [~Slippern@76.109-247-208.customer.lyse.net] has joined #openvpn
09:01 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:27 -!- rfizzle [~textual@ec2-54-173-101-14.compute-1.amazonaws.com] has joined #openvpn
09:28 < rfizzle> Does anyone happen to know how to set up routing so the VPN Clients are accessible from the private network on the VPN server side?
09:35 < KaaK> rfizzle, does your (server-side) private network's default gateway have a route directing VPN network traffic to your VPN server? e.g. ip route add <VPN NET> via <VPN SERVER IP>
09:35 < KaaK> and the other side of your question is do your VPN clients know how to pass traffic to the private network?
09:35 -!- rfizzle [~textual@ec2-54-173-101-14.compute-1.amazonaws.com] has quit [Ping timeout: 240 seconds]
09:39 -!- rfizzle [~textual@70.114.194.87] has joined #openvpn
09:47 -!- rfizzle [~textual@70.114.194.87] has quit [Ping timeout: 265 seconds]
09:54 < jkli> is it possible to bind pptp to a port?
09:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:01 -!- phuzion [~phuzion@ipv6.irc.teh-server.com] has left #openvpn ["See ya"]
10:08 < Eugene> !notovpn
10:08 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
10:17 -!- bakhtiya [~me@office.addictivemobility.com] has joined #openvpn
10:25 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:28 < xTz> lol @ Eugene :)
10:34 -!- rfizzle [~textual@ec2-54-173-101-14.compute-1.amazonaws.com] has joined #openvpn
10:41 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:44 -!- Thermi [~Thermi@unaffiliated/thermi] has quit [Ping timeout: 252 seconds]
10:47 -!- Thermi [~Thermi@unaffiliated/thermi] has joined #openvpn
10:51 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
10:51 < sebrk> Hello everybody. My goal is to setup a bridged VPN (done) and to access LAN services through Bonjour. Currently this works but only one way, i.e. LAN hosts can see my VPN-connected host services but not the other way around. I'm guessing this is an iptables issue really. I'm a noob at that. Could anyone assist me on a iptables filter that would work
11:03 <@krzee> rfizzle,
11:03 <@krzee> !serverlan
11:03 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
11:03 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
11:07 < sebrk> does bonjour use ipv6?
11:07 < sebrk> maybe that is the catch
11:08 <@krzee> hes bridging, it doesnt care about layer3
11:08 <@krzee> oh thats you
11:08 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
11:09 <@krzee> if you think its an ip protocol why did you bridge?
11:09 <@krzee> it might be, i dont use it, but if it is then you dont need a bridge
11:09 <@krzee> !whybridge
11:09 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
11:13 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:19 -!- rfizzle [~textual@ec2-54-173-101-14.compute-1.amazonaws.com] has quit [Ping timeout: 272 seconds]
11:19 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
11:24 < sebrk> I think I found the issue
11:25 < pekster> bonjour might be doing broadcast/multicast to do "service discovery" and such
11:25 < sebrk> Tunnelblick doesnt flush the mDNSResponder cache simply because it thinks it is not running. And rightly so, mDNSResoinder was replaced by discoveryd in Yosemite.
11:25 < sebrk> This should probably be reported to Tunnelblick devs
11:26 < sebrk> flushing the cache makes everything work again: sudo discoveryutil mdnsflushcache
11:27 < sebrk> do they have an open issue tracker?
11:27 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has quit [Quit: Computer has gone to sleep.]
11:28 < sebrk> yup: https://code.google.com/p/tunnelblick/source/browse/trunk/tunnelblick/client.up.tunnelblick.sh?r=2870 line 1058
11:28 <@vpnHelper> Title: client.up.tunnelblick.sh - tunnelblick - OpenVPN GUI for Mac OS X - Google Project Hosting (at code.google.com)
11:28 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
11:31 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
11:32 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
11:34 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
11:36 -!- enclyp [~tms@128.204.195.225] has joined #openvpn
11:41 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Quit: Linkinus - http://linkinus.com]
11:45 -!- icebrain [~andre@a79-168-142-169.cpe.netcabo.pt] has joined #openvpn
11:47 < icebrain> can I ask a question about openvpn-gui here? I've installed the x86_64 version on Windows 8(.1?) and copied the .ovpn and .cer/crt/key files to C:\Program Files\OpenVPN\config, but the application doesn't seem to detect them
11:47 < icebrain> it just sits there, grey, and the menu only has the proxy / language settings & about menu
11:49 < pekster> icebrain: Did you also have a 32-bit copy before? IIRC it pulls from different registry views, each with their own idea of where the config is
11:49 < pekster> Or try exiting/restarting the GUI, perhaps. Also helpful might be the wiki page:
11:49 < pekster> !gui
11:49 <@vpnHelper> "gui" is (#1) The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues or (#2) If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
11:49 < icebrain> pekster: hum. yes, I had a 32-bit copy. But the keys on the registry seem correct
11:50 < pekster> My point is if your shortcut/autostart/whatever is using 32-bit, that's the wrong path
11:50 < pekster> Default is 'Program Files (x86)' unless changed at install time
11:50 < icebrain> pekster: oh, no, I even tried launching it from the new directory, Program Files\OpenVPN\bin
11:51 < icebrain> the previous version was in Program Files (x86), yes, but I launched the new one
11:52 < pekster> The GUI? Sould be fine then. Double-check the openvpn-GUI registry entry for the config key points to the expected config path. Otherwise try a cmd "run as admin" and verify a 'dir' shows files in your config. Windows has some silly file-overlay thing wrt UAC
11:52 < pekster> That's my laundry list of ideas
11:52 < icebrain> pekster: registory seems fine. I'll try that cmd tip, thanks
11:52 < icebrain> still, weird
12:02 -!- Pinchiukas [~keps@unaffiliated/pinchiukas] has left #openvpn []
12:03 < Eagleman> How do i allow multiple users to connect on the same username BUT on a different certificate?
12:34 -!- rhollan [~rhollan@173-10-78-121-BusName-Washington.hfc.comcastbusiness.net] has joined #openvpn
12:35 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has joined #openvpn
12:35 -!- xMopxShell [~xMopxShel@davepedu.com] has joined #openvpn
12:35 -!- rhollan [~rhollan@173-10-78-121-BusName-Washington.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
12:37 < sebrk> damn it didnt help. Weird, old computer running Mavericks on LAN is able to see my VPN connected Yosemite macbook but not the other way around, except for direct IP. They do have different mDNS daemons though. Seems like my client doesnt use tap0 but en0 for local still.
12:37 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has joined #openvpn
12:46 -!- xMopxShell [~xMopxShel@davepedu.com] has quit [Quit: ZNC - http://znc.in]
12:47 -!- xMopxShell [~xMopxShel@davepedu.com] has joined #openvpn
13:01 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 264 seconds]
13:01 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
13:02 -!- enclyp [~tms@128.204.195.225] has quit [Quit: Lost terminal]
13:06 -!- instabin_ [d0438f21@gateway/web/freenode/ip.208.67.143.33] has joined #openvpn
13:06 < instabin_> Hello
13:07 < instabin_> Im having a problem with through put on my vpn Im only getting about 10mbps when testing with iperf
13:07 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
13:08 < instabin_> Im using PFSense 2.1.5 for the server and the client is windows 7 x64
13:08 -!- daguz [~leo@208-1-63-46.celito.net] has left #openvpn []
13:11 < ender|> what are you running pfSense on?
13:22 -!- sebrk [~sebrk@c83-248-255-12.bredband.comhem.se] has quit [Ping timeout: 258 seconds]
13:23 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
13:28 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
13:36 -!- mattock is now known as mattock_afk
14:04 -!- lokote_jones [~lokote_jo@199.59.56.47] has joined #openvpn
14:04 < lokote_jones> !welcome
14:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:04 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:07 < lokote_jones> I would like to access the internet over my vpn that is located on my vps. I can connect using tunnelblick from my mac to my vpn. However, I have no internet connection once I connect.
14:07 < lokote_jones> !logs
14:07 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:07 < lokote_jones> !configs
14:07 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
14:10 < lokote_jones> !interface
14:10 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For
14:10 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
14:16 -!- ampsix [uid26275@gateway/web/irccloud.com/x-uizaajbtamuiznkd] has joined #openvpn
14:19 -!- doopz [~doopz@ppp-55-41.grapevine.net.au] has joined #openvpn
14:42 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
14:57 -!- `Yoda [Yoda@unaffiliated/itsyoda] has joined #openvpn
15:21 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has quit [Quit: Computer has gone to sleep.]
15:22 < Eagleman> How do i allow multiple users to connect on the same username BUT on a different certificate?
15:24 -!- khaldrogox [~anonymous@64.13.138.81] has joined #openvpn
15:28 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
15:30 < instabin_> ender|: I is a new supermicro atom c2570 with 16gb ecc ddr3 1600 and a samsung ssd
15:30 < instabin_> ender|: Im sorry its an atom c2758
15:31 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:34 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:36 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 240 seconds]
15:36 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
15:38 -!- khaldrogox [~anonymous@64.13.138.81] has quit [Quit: khaldrogox]
15:44 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
15:46 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:49 -!- Latrina [~Latrina@adsl-ull-132-251.45-151.net24.it] has quit [Ping timeout: 272 seconds]
15:50 -!- Latrina [~Latrina@adsl-ull-86-215.50-151.net24.it] has joined #openvpn
16:12 -!- problame [~problame@delta.cschwarz.com] has joined #openvpn
16:12 < problame> hi, what is the recommended rsa key size?
16:13 < problame> 4096 is taking forever to generate the DH parameter...
16:13 < lokote_jones> Can anyone help me with my connection setup? http://pastebin.com/bSZhn634 I want to be able to use the internet while connected to the VPN.
16:14 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Ping timeout: 258 seconds]
16:16 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
16:24 <@syzzer> lokote_jones: use 2048 for 'generally considered secure', 3072 for 'slightly paranoid' and 4096 for 'tin foil hat' ;)
16:26 < Eugene> 4096? Hardly tin foil hat
16:27 < Eugene> 32768, now we're getting somewhere
16:27 < lokote_jones> @syzzer Is that why I cannot access the internet?
16:28 <@syzzer> Eugene: nope, 32768 rsa is just stupid :p
16:28 <@syzzer> the next is djb
16:28 <@syzzer> aargh
16:28 < Eugene> I'm not even the resident tin-foil-hatter
16:29 <@syzzer> elliptic curve crypto using public curves, like djb's is tin foil hat (and actually quite sane at the same time)
16:29 <@syzzer> lokote_jones: sorry, meant problame
16:30 <@syzzer> problame: see above ;)
16:30 < Eugene> I automatically assume that people using three-letter handles are pretentious fuckwits
16:31 < Eugene> Including everybody's favorite circle-jerk pedophilia supporter, Stallman.
16:32 <@syzzer> http://cr.yp.to/djb.html
16:33 < Eugene> http://badcryp.to/ ;-)
16:33 < Eugene> Heh, I screwed up the vhost on that, sec
16:34 <@syzzer> "This Connection is Untrusted" :')
16:34 < Eugene> Yeah, bad forward
16:34 <@syzzer> lokote_jones: are you trying to route all your traffic over the vpn/
16:34 < lokote_jones> Yes I am syzzer.
16:34 < lokote_jones> Is there a way to fix my issue?
16:35 < Eugene> Oh wow, I don't even have that domain configured in my DNS master. How the hell is it resolving
16:35 < Eugene> Whatever, don't care enough to fix it right now
16:35 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has joined #openvpn
16:35 <@syzzer> I'm not sure, tunnelblick seems to route your traffic over the vpn connection, so I'd expect the problem to be at the server side
16:36 < lokote_jones> I am certain it is server side. But I don't know where. I have ports open and did iptables stuff. No errors in the logs. Just don't know where to look next.
16:36 <@syzzer> how do you test your internet connectivity?
16:36 < lokote_jones> I connect, it throws an error that there is no internet, and I can't view any websites while connected to the vpn.
16:37 < lokote_jones> However, my vpn connection does not disconnect. So I can use terminal to my VPN.
16:38 <@syzzer> the pastebin contains two client configs but no server config, was that your intention?
16:38 < lokote_jones> No it wasn't.
16:39 <@syzzer> server config would be nice to see ;)
16:39 <@syzzer> ah, wait, no, I wasn't looking properly
16:40 <@syzzer> my bad
16:41 < lokote_jones> I thought it was there. But if not, I remade the paste bin with the server config at the top.
16:41 < lokote_jones> http://pastebin.com/e76UBwSa
16:42 <@syzzer> there's two times a 'push redirect-gateway' in your server config, but I don't think that is your problem and otherwise it look okay
16:42 <@syzzer> so probably some routing issue
16:42 < lokote_jones> iptable routing issues?
16:42 <@syzzer> yes
16:43 < lokote_jones> Is there a way I could show you the iptable routing?
16:43 < lokote_jones> iptables -Lh right?
16:43 <@syzzer> there is this helpful flowchart around here somewhere, but I always forget the command
16:43 <@syzzer> !routing
16:43 < esde> !redirect
16:43 < lokote_jones> !routing
16:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:43 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:43 < lokote_jones> !redirect
16:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
16:43 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
16:44 <@syzzer> esde: thanks!
16:44 < esde> np
16:44 < esde> also make sure ipv4 forward is enable
16:44 < lokote_jones> ipv4 forward is enabled.
16:44 < esde> and did you add an iptables rule?
16:45 < lokote_jones> http://pastebin.com/2pAKEBdc
16:45 < lokote_jones> Those are my rules.
16:45 < Burgundy> !nat
16:45 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
16:45 < esde> explain lines 27 and 28 pls
16:46 < lokote_jones> I was following this https://community.openvpn.net/openvpn/wiki/BridgingAndRouting  when putting those together. Are they wrong?
16:46 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:48 < lokote_jones> My local lan is 192.168.0.13 for my IP, so I opened the 192.168 to the TUN device. Or am I pants on head retarted and read that wrong?
16:49 < esde> you're correct that you're incorrect, if that makes sense
16:49 < lokote_jones> Do you know what I might need to do to fix that?
16:50 < esde> you need a rule to get local private network traffic (10.8.0.0 in this case) out to the internet and back
16:50 < esde> sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to (eth0 ip)
16:50 < esde> try that
16:50 < esde> you might need to remove lines 27 and 28 first though
16:51 < esde> presumable 192.168.0.13 is your lan ip address, if that's the case, you don't need to put any 192.168 addresses in your serverside configuration at all
16:52 < esde> *y
16:53 < esde> s/eth0/venet0 IIRC
16:54 -!- problame [~problame@delta.cschwarz.com] has quit [Remote host closed the connection]
16:56 -!- problame [~problame@delta.cschwarz.com] has joined #openvpn
16:56 < lokote_jones> I added the line you gave me and removed the other two lines. Still nothing.
16:58 < esde> !goal
16:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:58 < lokote_jones> Goal - I would like to be able to access the internet while connected to my VPN.
16:59 < esde> In order to show the VPN's IP address while connected to the openvpn server and browsing?
16:59 < lokote_jones> Correct.
17:00 < esde> cat /proc/sys/net/ipv4/ip_forward
17:00 < esde> run that pls to see if ipv4 is enabled currently
17:00 < esde> 0 = no 1 = yes
17:00 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has quit [Quit: Computer has gone to sleep.]
17:00 < lokote_jones> It has a 1
17:01 < esde> please type sudo iptables -t nat -L
17:02 < lokote_jones> http://pastebin.com/qZemPHJx
17:02 < esde> ahh
17:02 < esde> sudo iptables -t nat -D PREROUTING 1, then list the rules and repeat until you only see the SNAT rule
17:03 < lokote_jones> Index of deletion too big?
17:03 < esde> erm
17:03 < esde> 1sec
17:06 < esde> POSTROTUING
17:06 < esde> *ROUTING
17:07 < lokote_jones> Ok. Got it. That is the only one there now. SNAT.
17:07 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has quit [Ping timeout: 244 seconds]
17:09 < lokote_jones> Nope. The internet still doesn't work. It says my VPN is not configured correctly. Hmmm.
17:09 < esde> what is saying that?
17:10 < lokote_jones> Tunnelblick
17:10 < esde> what is that
17:10 < lokote_jones> The client I use for connecting to the VPN.
17:10 < esde> ohhh
17:10 < esde> ok
17:11 < esde> ok remove that rule and try this one in it's place iptables -t nat -A POSTROUTING -j MASQUERADE
17:11 < esde> it may be a re-hash of a rule you already had, but it's worth a shot
17:12 < lokote_jones> esde: WHOOOO!!!!!! It works!
17:12 < esde> :D
17:12 < lokote_jones> Whats my ip shows my VPN now and I have internet!
17:13 < esde> !harden
17:13 < esde> !hardening
17:13 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
17:13 < esde> ^ next step.
17:14 < lokote_jones> esde: Thanks a bunch again!
17:14 < esde> Also, I'd ditch the BF cipher for AES-256 and add AUTH 512 to both server and client configs also (but that's just me, you may have specific reasons for choosing the settings you chose)
17:15 < esde> such redundant
17:15 < esde> many also
17:16 <@syzzer> I'd recommend to use SHA256 instead of SHA512 actually, saves you 32 bytes overhead per packet and is just as strong for all practical purposes :)
17:16 < ender|> <syzzer> lokote_jones: use 2048 for 'generally considered secure', 3072 for 'slightly paranoid' and 4096 for 'tin foil hat' ;) <- how secret do those dh parameters have to be? i noticed that pfSense seems to just ship them pre-generated
17:17 <@syzzer> dh parameters do not need to be secret at all
17:17 <@syzzer> your rsa private key needs to be secret
17:17 < ender|> yeah, i know about those
17:17 < esde> i think he means ta.key
17:17 < esde> ?
17:17 < ender|> no
17:17 < ender|> dh2048.pem
17:18 < esde> does not have to be private
17:18 < esde> you could give it to Tom Dick and Harry
17:18 < ender|> that's exactly what pfsense does
17:18 < esde> can you elaborate further?
17:18 <@syzzer> there's even standardized DH parameters, which are used by webservers etc
17:19 < ender|> ok
17:20 < esde> http://openvpn.net/archive/openvpn-users/2004-11/msg00530.html
17:20 <@vpnHelper> Title: Re: [Openvpn-users] what are DH parameters for (at openvpn.net)
17:20 <@syzzer> I actually considered adding default params to openvpn too, but it's not really worth starting the discussion over, as ecdh willl soon take over anyway
17:21 -!- m01 [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
17:23 <@syzzer> time to get to bed, good night everyone!
17:23 -!- ampsix [uid26275@gateway/web/irccloud.com/x-uizaajbtamuiznkd] has quit [Quit: Connection closed for inactivity]
17:23 -!- JaniceKitty [j4jackj@need.sleep.caffeinet.uk.to] has quit [Read error: Connection reset by peer]
17:26 < esde> night
17:31 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
17:33 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has joined #openvpn
17:35 -!- h3nrique [~h3nrique@187.18.164.24] has joined #openvpn
17:39 < h3nrique> Anyone there have use one host to connect with many vpn and concentrate all out connection of network in this host?
17:57 < esde> !goal
17:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:00 -!- j4jackj [janice@need.sleep.caffeinet.uk.to] has joined #openvpn
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:01 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
18:01 -!- j4jackj is now known as JaniceKitty
18:03 < h3nrique> I just want redirect all traffic of some ips to use the host that is used to connect the vpn
18:04 < h3nrique> I have 3 host in my network, 1 is used to connect with 6 vpn and the other 2 is used as mail/app server
18:05 < h3nrique> the hosts mail/app server need access some other hosts that only the vpn host can connect
18:05 -!- jkli [~jkli@x2f74f3e.dyn.telefonica.de] has quit []
18:07 < h3nrique> I put route rules in mail/app host some rules to use the vpn host to access the other hosts in vpn and see the package redirect  in vpn host..
18:08 < h3nrique> the problem is that the package can't return to mail/app host..
18:09 < h3nrique> i've allowed masquerade to each network, bu the package can't return
18:10 < h3nrique> but when i use the vpn host to send packages to other hosts in vpn, the package return
18:15 -!- problame [~problame@delta.cschwarz.com] has quit [Remote host closed the connection]
18:16 -!- problame [~problame@delta.cschwarz.com] has joined #openvpn
18:18 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
18:25 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
18:25 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:25 -!- badon_ is now known as badon
18:36 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 252 seconds]
18:38 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
18:38 -!- mode/#openvpn [+v RBecker] by ChanServ
18:48 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has quit [Remote host closed the connection]
18:50 -!- alexw [~textual@unaffiliated/alexw] has joined #openvpn
18:50 -!- alexw [~textual@unaffiliated/alexw] has left #openvpn []
18:51 -!- problame [~problame@delta.cschwarz.com] has quit [Remote host closed the connection]
18:53 -!- problame [~problame@delta.cschwarz.com] has joined #openvpn
18:53 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
18:53 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
19:25 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:37 -!- h3nrique [~h3nrique@187.18.164.24] has quit [Quit: Leaving]
19:38 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 250 seconds]
19:42 < Synced> !goal
19:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:42 < Synced> !goal "I would like to access the internet over my vpn"
19:42 < Synced> Does this command even work? :s
19:42 < esde> Synced, you would like to access the internet over the vpn, correct?
19:43 < Synced> no I can already do that
19:43 < Synced> I just wondered what the bot would say
19:43 < Synced> haha
19:43 < esde> ah
19:43 < esde> doesn't work like that
19:43 < Synced> oh
20:17 < instabin_> Hello
20:19 < esde> hi
20:21 < instabin_> Any Ideas Running PFSense on an Intel Atom C2758 16GB DDR3 1600 ECC Samsung SSD Internet Connection 50 Symmetrical . Windows 7 Core I7 with 64GB ram Client 105 down and 20 up. OpenVPN connection test at 10MBPS with IPerf
20:21 < instabin_> 50MBPS
20:22 < esde> something is bottlenecking
20:22 < esde> also MB != Mb
20:33 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:35 < instabin_> esde: Yes I know MB is byte Mb is bit
20:36 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:39 < instabin_> Also the network adaptor is an intel  x520 with one 10GBase-SR and one 10GBase-LR transceiver
20:44 < esde> there is ##pfsense and ##hardware
20:46 -!- instabin_ [d0438f21@gateway/web/freenode/ip.208.67.143.33] has quit [Ping timeout: 246 seconds]
20:49 -!- instabin_ [d0438f21@gateway/web/freenode/ip.208.67.143.33] has joined #openvpn
20:50 < instabin_> I changed the Openvpn connection from UDP to TCP and the 10Mbps limit was lifted It now connects at the full connection speed
21:15 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
21:16 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Remote host closed the connection]
21:17 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:18 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
21:22 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Client Quit]
21:24 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
21:25 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
21:25 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:25 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Client Quit]
21:27 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
21:27 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
21:29 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:29 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
21:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
21:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:34 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
21:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:37 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
21:43 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
21:45 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
22:02 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 240 seconds]
22:13 -!- ampsix [uid26275@gateway/web/irccloud.com/x-dhbofdwkbzuohbkw] has joined #openvpn
22:28 <@krzee> !tell _FBi [tcp]
22:28 < _FBi> spam! :D
23:27 < M4dH4TT3r> ok how am i supposed to assign the firewall rule for 1194?
23:28 < M4dH4TT3r> just doing it in webmin
23:34 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 245 seconds]
23:43 -!- ShadniX [dagger@p5481DEC2.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:44 <@krzee> M4dH4TT3r, openvpn doesnt have firewall rules, nor does openvpn have webmin
23:44 <@krzee> !notovpn
23:44 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
23:44 -!- ShadniX [dagger@p5DDFFCD0.dip0.t-ipconnect.de] has joined #openvpn
23:44 < M4dH4TT3r> krzee get a life or stfu either way im satisfied...
23:45 <@krzee> alrighty then
23:45 -!- mode/#openvpn [+b *!*@unaffiliated/m4dh4tt3r] by krzee
23:45 -!- M4dH4TT3r was kicked from #openvpn by krzee [M4dH4TT3r]
23:49 < _FBi> lol :)
--- Day changed Wed Dec 24 2014
00:44 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:b876:305b:3c5e:f25a] has quit [Read error: Connection reset by peer]
00:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:56 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Quit: mirco]
01:08 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:61ca:fca0:1318:3274] has joined #openvpn
01:14 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
02:06 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Ping timeout: 258 seconds]
02:12 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
02:24 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 265 seconds]
02:25 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
02:25 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 245 seconds]
02:37 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
02:39 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
02:54 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:56 -!- lfx [~lfx@self-aware.evilmachines.net] has joined #openvpn
02:56 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
02:57 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:06 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
03:24 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
03:26 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
03:26 -!- KaaK [~Kevin@wsip-72-205-198-77.ks.ks.cox.net] has quit [Ping timeout: 244 seconds]
03:27 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 244 seconds]
03:29 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
03:29 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:29 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 244 seconds]
03:31 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
03:34 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Ping timeout: 244 seconds]
03:34 -!- Latrina [~Latrina@adsl-ull-86-215.50-151.net24.it] has quit [Ping timeout: 244 seconds]
03:36 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:36 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
03:37 -!- lokote_jones [~lokote_jo@199.59.56.47] has quit [Ping timeout: 244 seconds]
03:37 -!- Latrina [~Latrina@adsl-ull-86-215.50-151.net24.it] has joined #openvpn
03:38 -!- lokote_jones [~lokote_jo@199.59.56.47] has joined #openvpn
03:40 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
03:45 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:48 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has left #openvpn []
03:50 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
03:52 -!- Latrina [~Latrina@adsl-ull-86-215.50-151.net24.it] has quit [Ping timeout: 272 seconds]
03:54 -!- KNERD [~KNERD@64.31.22.134] has quit [Ping timeout: 258 seconds]
03:55 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Excess Flood]
03:55 -!- Latrina [~Latrina@adsl-ull-67-243.45-151.net24.it] has joined #openvpn
03:55 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
03:57 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
03:57 -!- mode/#openvpn [+v RBecker] by ChanServ
04:00 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
04:05 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
04:09 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Read error: Connection reset by peer]
04:14 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined #openvpn
05:11 -!- mattock_afk is now known as mattock
05:12 -!- mattock is now known as mattock_afk
05:38 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
05:40 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
05:47 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:49 -!- Damjanko [~hmsck@46.29.1.253] has joined #openvpn
05:49 -!- Damjanko [~hmsck@46.29.1.253] has quit [Remote host closed the connection]
05:55 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
05:55 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
05:56 -!- badon_ is now known as badon
06:03 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:16 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
06:38 -!- shivanshu [~shivanshu@unaffiliated/shivanshu] has joined #openvpn
06:52 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 245 seconds]
07:00 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
07:11 -!- icebrain [~andre@a79-168-142-169.cpe.netcabo.pt] has quit [Ping timeout: 264 seconds]
07:35 -!- doopz [~doopz@ppp-55-41.grapevine.net.au] has quit [Quit: Leaving]
07:53 -!- bruxC [~bruxC@66.63.84.178] has joined #openvpn
07:54 -!- bruxC [~bruxC@66.63.84.178] has quit [Client Quit]
07:55 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
07:57 -!- bruxC [~bruxC@66.63.84.178] has joined #openvpn
08:01 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
08:03 -!- ampsix [uid26275@gateway/web/irccloud.com/x-dhbofdwkbzuohbkw] has quit [Quit: Connection closed for inactivity]
08:24 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Ping timeout: 240 seconds]
08:25 -!- Guest36588 [~staff@2606:df00:2::15e2:8242] has quit [Ping timeout: 272 seconds]
08:26 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
08:30 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
08:44 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has joined #openvpn
08:49 -!- tobinski_ [~tobinski@x2f5640f.dyn.telefonica.de] has joined #openvpn
08:55 -!- tobinski_ [~tobinski@x2f5640f.dyn.telefonica.de] has quit [Quit: Leaving]
08:55 -!- tobinski [~tobinski@x2f5640f.dyn.telefonica.de] has joined #openvpn
08:59 < instabin_> !ovpnuke
08:59 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
08:59 < instabin_> !poodle
08:59 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
08:59 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:10 -!- tobinski___ [~tobinski@x2f5640f.dyn.telefonica.de] has joined #openvpn
09:18 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Remote host closed the connection]
09:27 -!- nefilim [~Adium@c-76-21-8-77.hsd1.ca.comcast.net] has joined #openvpn
09:28 -!- GNUtoo-irssi [~GNUtoo@mek33-3-82-230-169-239.fbx.proxad.net] has joined #openvpn
09:28 -!- tobinski [~tobinski@x2f5640f.dyn.telefonica.de] has quit [Quit: Leaving]
09:29 < nefilim> !welcome
09:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:29 < GNUtoo-irssi> hi, is it possible to have multiples services(openvpn, apache) on the same port, given that I've a public NS server?
09:30 < GNUtoo-irssi> I've only one IP address
09:30 <@krzee> same ip same port, no
09:30 < GNUtoo-irssi> the goal is to have ssl, and openvpn on the same port
09:30 < GNUtoo-irssi> ok
09:30 < GNUtoo-irssi> so I need ssllh
09:30 < GNUtoo-irssi> thanks
09:30 <@krzee> well same ip same port different protocol sure
09:30 < GNUtoo-irssi> I was wondering if there was something like http 1.1 for openvpn
09:30 <@krzee> so openvpn could do it
09:30 < GNUtoo-irssi> ok
09:30 <@krzee> (1 for udp, 1 for tcp)
09:30 <@krzee> but apache is tcp only, so no
09:31 < GNUtoo-irssi> ok
09:31 < GNUtoo-irssi> so I'll do it with ssl-lh
09:31 < GNUtoo-irssi> community/sslh: SSL/SSH/OpenVPN/XMPP/tinc port multiplexer
09:31 <@krzee> oh wait i get the question now
09:31 < GNUtoo-irssi> ok
09:31 <@krzee> you mean can you run openvpn and apache on the same port
09:31 < GNUtoo-irssi> I've an NS server, so I'd like to do:
09:31 <@krzee> both on tcp 443?
09:31 <@krzee> !port-share
09:31 < GNUtoo-irssi> vpn.gnutoo.privatedns.org -> openvpn on port 443 tcp
09:31 <@vpnHelper> "port-share" is When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not
09:31 <@vpnHelper> implemented on Windows.
09:32 < GNUtoo-irssi> www.gnutoo.privagedns.org -> https
09:32 <@krzee> nah you dont need help from dns
09:32 <@krzee> openvpn can sense the connection is for openvpn or not
09:32 < GNUtoo-irssi> ok
09:32 <@krzee> and can forward the connection to the new https port
09:32 < GNUtoo-irssi> If DNS do work, I'll go for the DNS:
09:33 <@krzee> thats not how it works
09:33 < GNUtoo-irssi> 1) I've already a working DNS NS server
09:33 < GNUtoo-irssi> 2) it's way more flexible
09:33 <@krzee> the dns dont matter
09:33 <@krzee> more flexible!?!?
09:33 <@krzee> you dont get what im saying
09:33 < GNUtoo-irssi> but else I'll use openvpn or sslh
09:33 < GNUtoo-irssi> I now do
09:33 < GNUtoo-irssi> I understand how the openvpn trick works more or less
09:33 <@krzee> you can point either at either dns, if the connection is ACTUALLY FOR openvpn then it goes to openvpn, if the connection is NOT FOR openvpn then it goes direct to apache
09:34 < GNUtoo-irssi> but I was unsure if some DNS trick could work too
09:34 <@krzee> no, and even if there was a dns trick it would be utterly pointless
09:34 < GNUtoo-irssi> yes, I perfectly understand that
09:34 < GNUtoo-irssi> I also do understand how sslh work
09:34 <@krzee> because the openvpn way handles it regardless
09:34 < GNUtoo-irssi> ok
09:34 -!- Faux_Pas [~quassel@static-72-89-243-31.nycmny.fios.verizon.net] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
09:34 < GNUtoo-irssi> thanks a lot
09:35 <@krzee> np
09:35 < GNUtoo-irssi> The issue is that the sslh or openvpn approach doesn't scale well
09:35 < GNUtoo-irssi> but I'll use it anyway
09:35 < GNUtoo-irssi> a better approach would probably be using ipv6
09:35 < GNUtoo-irssi> since I've a range for it
09:35 < GNUtoo-irssi> *I've a range of ipv6
09:36 < GNUtoo-irssi> thanks
09:36 < GNUtoo-irssi> I'll look at the openvpn and sslh approach first
09:36 < nefilim> the openvpn page mentions many improvements in the 2.3.x series .. how does that differ from the 2.0.11 access server ? does 2.3.x refer to the community edition?
09:36 < GNUtoo-irssi> because perfection is the enemy of good
09:36 < GNUtoo-irssi> thanks a lot!
09:40 <@krzee> nefilim, exactly
09:41 <@krzee> 2.3.x is community, which whatever version of AS they are on is made from
09:41 <@krzee> we know little to nothing about AS here, but there is a help channel that deals with it
09:41 <@krzee> !no_as
09:41 <@vpnHelper> "no_as" is (#1) go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) or (#2) not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
09:41 <@krzee> !as
09:41 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
09:42 < nefilim> ah ok thanks. does anyone use community edition with AWS?
09:43 <@krzee> many people do
09:43 < nefilim> what is the advantage of using the community edition over the AS AMI?
09:43 < esde> cheaper?
09:44 <@krzee> ^
09:44 < nefilim> :)
09:44 <@krzee> i would say the question is backwards
09:44 < nefilim> haha ok
09:44 <@krzee> the advantages of AS over community would be paid support, no need to become a networking ninja
09:44 <@krzee> nice lil gui
09:45 <@krzee> instant windows deployment or something like that
09:45 <@krzee> stuff that takes expertise to do yourself
09:45 < nefilim> speaking of networking ninja, is anyone doing DNS forwarding and using split dns view with AWS? (route53 or self hosted bind)
09:45 <@krzee> totally doesnt sound like a openvpn question
09:46 <@krzee> but bind views can do it, or dnsmasq makes it easier probably
09:46 <@krzee> !splitdns
09:46 <@vpnHelper> "splitdns" is (#1) see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups or (#2) "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
09:47 < nefilim> yea thats one way to do it, another is for the openvpn client to change the client dns to point to whatever was supplied from the vpnd
09:47 <@krzee> i think thats part of the writeup in #2
09:47 <@krzee> each lan handles its own dns and dnsmasq forwards to each one
09:48 < nefilim> i'll read through thanks
09:48 <@krzee> np
10:05 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:12 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:24 -!- shio [marmot@62.188.103.84.rev.sfr.net] has joined #openvpn
10:26 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:37 -!- allos_nerelin [~allos_ner@187.66.225.41] has joined #openvpn
10:53 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:53 -!- mode/#openvpn [+v s7r] by ChanServ
11:04 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Quit: closing IRC]
11:13 -!- lokote_jones [~lokote_jo@199.59.56.47] has quit [Ping timeout: 244 seconds]
11:19 -!- bruxC [~bruxC@66.63.84.178] has quit [Quit: Leaving]
11:40 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
11:45 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: reboot]
11:47 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
11:47 < ljvb> meh.. openvpn over airplane wifi == miserable experience..
11:49 < ljvb> well.. I guess technically any vpn over airplane wifi sucks..
11:52 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Quit: reboot]
11:53 < esde> >airplane wifi sucks
11:53 < esde> fixed
12:13 -!- punkdali [~paul@c-98-254-44-131.hsd1.fl.comcast.net] has left #openvpn []
12:22 <@krzee> a low mtu may fix that somewhat
12:22 <@krzee> but ya, airplane wifi sucks
12:32 < Eugene> No fix for latency
12:33 <@krzee> and extreme jitter
13:32 -!- julius_ [~julius_@p3EE2A119.dip0.t-ipconnect.de] has joined #openvpn
13:32 < julius_> hi
13:34 -!- julius_ [~julius_@p3EE2A119.dip0.t-ipconnect.de] has left #openvpn ["Leaving"]
13:34 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
13:36 -!- allos_nerelin [~allos_ner@187.66.225.41] has quit []
13:44 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has joined #openvpn
13:44 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has left #openvpn []
13:45 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has joined #openvpn
13:47 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has quit [Client Quit]
13:48 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has joined #openvpn
13:50 < HeavyBrain64>  /msg NickServ identify topfield
13:50 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has quit [Client Quit]
13:51 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has joined #openvpn
13:51 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has left #openvpn []
13:55 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has joined #openvpn
14:00 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has left #openvpn []
14:05 <@ecrist> credit goes to _quadDamage, but this is cute
14:05 <@ecrist> traceroute -I -m 120 xmas.futile.net
14:07 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
14:07 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has quit [Excess Flood]
14:08 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has joined #openvpn
14:25 < esde> :D
14:25 < esde> HO HO HO
14:25 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has joined #openvpn
14:27 -!- HeavyBrain64 [~chatzilla@host135-212-dynamic.17-79-r.retail.telecomitalia.it] has left #openvpn []
14:34 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
14:59 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
15:13 -!- ValdikSS [~valdikss@92.42.31.58] has joined #openvpn
15:25 -!- jdmf [~jdmf@78.156.100.202] has quit [Quit: Bye.]
15:31 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 245 seconds]
15:33 -!- CGML [~CGML@unaffiliated/cgml] has joined #openvpn
15:35 < CGML> Here's an Easy-RSA question (let me know if this is the wrong channel for it): Easy-RSA 2.2.2 from https://github.com/OpenVPN/easy-rsa/releases was signed by key ID 0x390D0D0E.  Is that okay?
15:35 <@vpnHelper> Title: Releases · OpenVPN/easy-rsa · GitHub (at github.com)
15:36 < CGML> I ask because it doesn't match the key mentioned on https://github.com/OpenVPN/easy-rsa/tree/master/release-keys.
15:37 < pekster> CGML: I'll add a note to that effect, but the pre-3.x components were signed with a different key, yes
15:37 < CGML> Thank you!
15:38 < pekster> Unless github is trying to MITM you, you're fairly safe just downloading over https anyway, but the gpg keys are there for added protection for those wishing for it
15:38 < CGML> OK.
15:38 < pekster> (nice to know someone actually checks these things though!)
15:38 < CGML> (Gotta watch those tricky GitHubbers!)
15:39 < CGML> Ha, I'd just hate to use malware to generate a certificate authority.  :)
15:39 < pekster> Yea, I think about that when bootstrapping anything (OS, package to build my OS or security software, etc)
15:40 < pekster> If you haven't read it, you'd enjoy the Thompson compiler trap
15:40 < CGML> I did enjoy hearing about it!
15:47 < esde> that's amazing
15:49 -!- sandfly [~debbie10t@unaffiliated/m10t] has joined #openvpn
15:53 -!- sandfly is now known as debbie10t
15:53 -!- debbie10t is now known as sandfly
15:54 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
16:06 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
16:07 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 250 seconds]
16:34 -!- ValdikSS [~valdikss@92.42.31.58] has quit [Ping timeout: 240 seconds]
16:38 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
17:02 -!- tobinski___ [~tobinski@x2f5640f.dyn.telefonica.de] has quit [Ping timeout: 256 seconds]
17:33 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:05 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
18:06 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Remote host closed the connection]
18:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:21 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
18:24 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
18:48 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:51 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
19:10 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
19:10 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:14 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
19:16 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:16 -!- bashusr [~bashusr@unaffiliated/bashusr] has left #openvpn ["Ex-Chat"]
19:25 -!- sireebob is now known as christmascookie
19:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:41 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
21:01 -!- sandfly [~debbie10t@unaffiliated/m10t] has quit [Quit: Closing]
21:34 -!- instabin_ [d0438f21@gateway/web/freenode/ip.208.67.143.33] has quit [Ping timeout: 246 seconds]
21:37 -!- instabin [ae3609aa@gateway/web/freenode/ip.174.54.9.170] has joined #openvpn
21:45 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
21:54 -!- pgicxplzs [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:55 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:18 -!- Latrina [~Latrina@adsl-ull-67-243.45-151.net24.it] has quit [Ping timeout: 255 seconds]
23:20 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
23:21 -!- Latrina [~Latrina@adsl-ull-67-243.45-151.net24.it] has joined #openvpn
23:25 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
23:38 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 265 seconds]
23:40 -!- Schrottfresse [~quassel@schrottfresse.de] has quit [Ping timeout: 255 seconds]
23:43 -!- ShadniX [dagger@p5DDFFCD0.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:44 -!- ShadniX [dagger@p579416D9.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
23:55 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:61ca:fca0:1318:3274] has quit [Ping timeout: 258 seconds]
23:59 -!- ampsix [uid26275@gateway/web/irccloud.com/x-jiezzhtlebfiquex] has joined #openvpn
23:59 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1c21:bf7e:10c2:c25] has joined #openvpn
--- Day changed Thu Dec 25 2014
00:01 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 250 seconds]
00:05 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 240 seconds]
00:10 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
00:39 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
00:51 -!- nefilim [~Adium@c-76-21-8-77.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
01:44 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 240 seconds]
01:53 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
03:44 -!- Argure_ is now known as Evargureen
04:20 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 250 seconds]
04:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:00 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 258 seconds]
05:43 -!- edward [~edward@4angle.com] has joined #openvpn
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 244 seconds]
05:52 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:56 -!- GNUtoo-irssi [~GNUtoo@mek33-3-82-230-169-239.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
06:03 -!- ampsix [uid26275@gateway/web/irccloud.com/x-jiezzhtlebfiquex] has quit [Quit: Connection closed for inactivity]
06:21 -!- Opt1musPr1me [~Opt1musPr@151.74.135.159] has joined #openvpn
06:39 < esde> merry christmas!
06:44 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
06:47 -!- kaawee [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has joined #openvpn
06:48 < kaawee> Hello! How can I prevent OpenVPN traffic sniffers sniffing at a OpenVPN server (which is in server mode) to conclude that one openvpn client is the same as the same openvpn client connecting last time?
06:54 < esde> !obfsproxy
06:54 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
06:54 < esde> maybe?
06:56 < kaawee> "404 - Content Not Found"
07:09 < kaawee> hm, obfsproxy looks interesting, but it seems that its intention is to pass DPI filters, not to actually hide the traffic which openvpn generates when using X.509 certificates
07:24 <@ecrist> kaawee: what do you mean?
07:24 <@ecrist> what are you trying to do?
07:25 <@ecrist> You're trying to connect to an OpenVPN server twice, and don't want the openvpn server to know?
07:26 < kaawee> ecrist: no, I want to prevent the X.509 certificates to be read by a sniffer
07:26 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
07:26 < kaawee> ecrist: the data going over the wire should be indistinguishable from random noise (which of course is distinguishable from expected patterns, but this is ok in my case)
07:27 < kaawee> ecrist: having access to the data between clients and server, the attacker should not be able to distinguish which client is connecting and identify these clients over time
07:29 <@ecrist> !pfs
07:29 <@ecrist> kaawee: you need to set up tls-auth on the server and clients
07:30 <@ecrist> openvpn --genkey --secret /path/to/pfs.key
07:30 <@ecrist> then, on the server, add tls-auth /path/to/pfs.key 0
07:30 <@ecrist> on the client, add tls-auth /path/to/pfs.key 1
07:31 <@ecrist> the tls-auth key can be embedding in the config in-line with the  <tls-auth> flag
07:31 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
07:32 < kaawee> ecrist: but this does not prevent an attacker who passively reads the traffic to distinguish which client is connecting, does it?
07:32 <@ecrist> sure it does
07:33 <@ecrist> with tls-auth, the entire packet is encrypted with a shared key
07:33 <@ecrist> if you don't have the shared key, everything is unreadable
07:35 <@ecrist> kaawee: really, if you're so worried about such things, you should try it out yourself.
07:35 < kaawee> ecrist: but the documentation of "tls-auth" says "--tls-auth does this by signing every TLS control channel packet with an HMAC signature", it does not say that it actually encrypts these packets
07:35 <@ecrist> if the openvpn server is compromised, an attacker is going to be able to decrypt all the traffic anyhow
07:35 -!- R1ck [~rick@vps04.totaal.net] has left #openvpn []
07:37 < kaawee> sure, but I'm talking about wiretappers, not attackers with physical access to the server
07:37 <@ecrist> why do you care?  if they're trying to correlate traffic, they have your IP, and that alone is enough to generate a pattern
07:38 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Read error: Connection reset by peer]
07:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
07:43 < kaawee> ecrist: yes, but when I'm using X.509 certificates which scream "O=SomeOrganization C=SomeCountry UID=johndoe", then it is trivial to determine for every wiretapper to determine that the given IP address is actually used by johndoe
07:45 <@ecrist> to my understanding, that's not exposed.
07:45 < kaawee> so the X.509 certificates are, unlike TLS in general, exchanged in an encrypted fashion?
07:46 <@ecrist> openvpn uses TLS
07:46 <@ecrist> and, looking at a real packet dump I generated just now, they're encrypted
07:46 <@ecrist> the client sends TLS hello
07:46 <@ecrist> server responds with it's own hello
07:47 <@ecrist> the client hello contains acceptable encryption formats, heartbeat, etc
07:48 <@ecrist> server responds with it's public certificate, and the cipher squite it's choses
07:49 <@ecrist> everything after that is encrypted
07:49 <@ecrist> no where is the client CN visible
07:50 <@ecrist> and that's all straight TLS 1.0
07:50 < kaawee> ah... so the server's certificate is transmitted in cleartext, but the client's certificate is not transmitted in cleartext?
07:50 <@ecrist> correct
07:51 < kaawee> subtle asymmetry...
07:51 <@ecrist> once the client and server have negotiated encryption, and the client has the server pub key, no reason for anything else to go unencrypted
07:51 <@ecrist> kaawee: this is generally how all public key exchanges go
07:52 <@ecrist> same with a web browser session.  browser sends hello, server replice, says encrypt stuff, here's my pub key and allowed ciphers
07:52 <@ecrist> browser says, cool, I generated a quick pub key for you, here.
07:52 <@ecrist> boom, it's all encrypted after that
07:52 <@ecrist> if you're going to dig and ask so many questions about th is stuff, you should really invest in tcpdump and wireshark
07:53 <@ecrist> or maybe read the RFCs
07:53 < kaawee> sure
07:54 < kaawee> I was worried exactly because I've seen cleartext certificates in TLS wireshark dumps
07:54 <@ecrist> so, you read but didn't actually understnad
07:57 < kaawee> well, yes... the ideal aim would be to also prevent the server from needing to show its X.509 certificate in an unencrypted way
07:58 <@ecrist> just use pre-shared static keys, then
07:59 -!- Opt1musPr1me [~Opt1musPr@151.74.135.159] has quit [Quit: Leaving]
07:59 <@ecrist> or, you know, don't put "johndoe" or whatever you feel is sensitive in the certificate
07:59 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
08:01 < kaawee> ecrist: at least this graphic http://upload.wikimedia.org/wikipedia/commons/a/ae/SSL_handshake_with_two_way_authentication_with_certificates.svg shows that the TLS client certificate is sent to the server before an encrypted connection is established
08:02 < kaawee> ecrist: well, this basically pushes the encryption of the X.509 certificate onto the X.509 certificate generation process, and for this, I believe, there are no well-established standards to do so
08:03 <@ecrist> where does that graphic show the client certificate unencrypted?
08:04 <@ecrist> also, try it yourself, look at an actual packet dump
08:05 <@ecrist> don't depend on some picture created by some lonely PFY
08:05 < kaawee> it implies that the encryption only starts at the "change to encrypted connection with MS as key", or the drawing is not detailed enough in this respect
08:06 <@ecrist> I can't seem to stress this enough.  Read the RFC (2246, 4346, 5246)
08:06 <@ecrist> actually look at traffic and see what is exposed.
08:07 <@ecrist> unless you're a toddler, then keep looking at the pretty pictures
08:08 <@ecrist> the "change to ecrypted..." is for the data stream, not counting the TLS handshake
08:08 <@ecrist> as I stated earlier, there's no reason to send the pub key or certificate unencrypted once the client has the server pub key
08:08 <@ecrist> also, don't put sensitive data in your certificate
08:08 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:09 <@ecrist> instead of setting your CN to "Super Sekrit Retard Factory" set it to something mundane like "These are not the droids you're looking for"
08:11 < kaawee> sure, there is no reason to do so, but as far as I glimpsed RFC5246, I do not see any encryption within the TLS handshake protocol itself (and if there was encryption, there would need to be somehow an agreement on which symmetric key and which encryption method to be used in order to encrypt the handshake)
08:12 -!- kaawee was kicked from #openvpn by ecrist [ffs, pay attention man]
08:27 < JaniceKitty> ecrist, o.o
08:39 -!- kaawee [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has joined #openvpn
08:46 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 265 seconds]
08:47 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
08:48 < kaawee> ecrist: I've just re-verified my previous statements about TLS using "openssl s_client" as well as "openssl s_server" and observing their traffic using wireshark, and indeed both server certificate and client certificate are transmitted in cleartext, unfortunately
09:01 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
09:07 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 250 seconds]
09:13 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
09:15 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
09:23 -!- kaawee [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has quit [Quit: Konversation terminated!]
09:23 -!- kaawee [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has joined #openvpn
09:36 -!- Pyrogerg [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has joined #openvpn
09:50 -!- kaawee [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has quit [Ping timeout: 250 seconds]
10:00 -!- kaawee [~user@ip-90-186-3-234.web.vodafone.de] has joined #openvpn
10:03 -!- kaawee_ [~user@ip-90-186-0-13.web.vodafone.de] has joined #openvpn
10:05 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
10:07 -!- kaawee [~user@ip-90-186-3-234.web.vodafone.de] has quit [Ping timeout: 250 seconds]
10:07 -!- kaawee_ [~user@ip-90-186-0-13.web.vodafone.de] has quit [Ping timeout: 250 seconds]
10:17 -!- Pyrogerg [~Gregory@172-15-68-220.lightspeed.austtx.sbcglobal.net] has quit [Ping timeout: 255 seconds]
10:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:01 -!- queeq [~queeq@unaffiliated/queeq] has joined #openvpn
11:20 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Quit: Conversation terminated!]
11:20 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:28 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
12:05 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
12:05 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
12:28 -!- dognip [~dognip@134.sub-70-192-20.myvzw.com] has joined #openvpn
12:35 < dognip> Hello all. I have a new ASUS RT-N66U router (DD-WRT v24-sp2 (05/27/13) big (SVN revision 21676)) that I am trying to accomplish two goals with: 1.) Use it as a client bridge tethering my wifi from my android phone to the other devices in my house (laptops, samsung smart TV). 2.) Connect to my HMA VPN account so I can trick my TV into thinking I'm in the UK or europe (for netflix and some sports
12:35 < dognip> streaming). I have been able to setup the router as a client bridge and successfully share my phones internet connection to all other devices. In doing so, however, I can no longer set it up according to the HMA VPN router instructions (the very first step (Setup > WAN connection type : disabled) is now disabled and I can't use PPTP or L2Tp so I've tried several methods provided by HMA for
12:35 < dognip> OpenVPN. Can anyone give me some insight into this? I am going to be AFK for the next few hours (christmas party) but would appreciate any and all help. Is it not possible as a client bridge but perhaps as a bridge repeater? Thanks, and happy holidays.
12:49 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
12:59 < queeq> dognip: I don't quite understand your scheme. Your router connects to your android over wifi, right?
13:00 < queeq> The easiest way I see here is to use openvpn client on android
13:02 < queeq> I use this one: https://play.google.com/store/apps/details?id=de.blinkt.openvpn
13:19 -!- queeq [~queeq@unaffiliated/queeq] has quit [Quit: Leaving]
13:44 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
14:02 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 256 seconds]
14:08 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
14:13 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 258 seconds]
14:24 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 256 seconds]
14:26 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
14:28 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
14:29 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 256 seconds]
14:32 -!- big3_brother [~big3_brot@191.7.9.139] has joined #openvpn
14:32 < big3_brother> I can pay for a vpn throught pokerstars credits. Can someone setup one for me?
14:33 < big3_brother> I pay now
14:36 -!- big3_brother [~big3_brot@191.7.9.139] has quit [Quit: Leaving]
14:37 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
14:57 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
15:02 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 256 seconds]
15:03 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
15:03 -!- kaawee_ [~user@p200300406F55B295267703FFFEAA1630.dip0.t-ipconnect.de] has joined #openvpn
15:03 -!- garyserj [~garyserj@82-69-82-248.dsl.in-addr.zen.co.uk] has joined #openvpn
15:04 < garyserj> !welcome
15:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:04 < garyserj> !goal
15:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:04 < garyserj> !howto
15:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
15:09 -!- havingFun is now known as xrosnight
15:15 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds]
15:15 -!- kaawee_ [~user@p200300406F55B295267703FFFEAA1630.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
15:33 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
16:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
17:18 -!- redpill [~redpill@unaffiliated/redpill] has quit [Ping timeout: 245 seconds]
17:25 < JaniceKitty> ! /30
17:25 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
17:30 -!- tobinski [~tobinski@x2f5a80f.dyn.telefonica.de] has joined #openvpn
17:35 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: upgrading to ext4]
17:46 < dognip> !welcome
17:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:46 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:47 < dognip> Hello all. I have a new ASUS RT-N66U router (DD-WRT v24-sp2 (05/27/13) big (SVN revision 21676)) that I am trying to accomplish two goals with: 1.) Use it as a client bridge tethering my wifi from my android phone to the other devices in my house (laptops, samsung smart TV). 2.) Connect to my HMA VPN account so I can trick my TV into thinking I'm in the UK or europe (for netflix and some sports
17:47 < dognip> streaming). I have been able to setup the router as a client bridge and successfully share my phones internet connection to all other devices. In doing so, however, I can no longer set it up according to the HMA VPN router instructions (the very first step (Setup > WAN connection type : disabled) is now disabled and I can't use PPTP or L2Tp so I've tried several methods provided by HMA for
17:47 < dognip> OpenVPN. Can anyone give me some insight into this? I would appreciate any and all help. Is it not possible as a client bridge but perhaps as a bridge repeater? Thanks, and happy holidays.
17:47 -!- kaawee_ [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has joined #openvpn
18:04 -!- dognip [~dognip@134.sub-70-192-20.myvzw.com] has quit [Read error: Connection reset by peer]
18:09 -!- tobinski [~tobinski@x2f5a80f.dyn.telefonica.de] has quit [Read error: Connection reset by peer]
18:10 -!- tobinski [~tobinski@x2f5a80f.dyn.telefonica.de] has joined #openvpn
18:11 -!- dognip [~dognip@79.sub-70-192-18.myvzw.com] has joined #openvpn
18:13 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
18:15 -!- dognip [~dognip@79.sub-70-192-18.myvzw.com] has quit [Ping timeout: 256 seconds]
18:30 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Remote host closed the connection]
18:31 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
19:04 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:13 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 240 seconds]
19:14 -!- tobinski [~tobinski@x2f5a80f.dyn.telefonica.de] has quit [Quit: Leaving]
19:16 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
19:34 < alanjf> Merry Christmas!
20:16 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
20:29 -!- lbft_ [~lbft@unaffiliated/lbft] has joined #openvpn
20:31 -!- Maxels_ [~Maxel@24-159-207-34.static.roch.mn.charter.com] has joined #openvpn
20:34 -!- zoredache_ [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
20:35 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
20:49 -!- Netsplit *.net <-> *.split quits: meepmeep, zoredache, phreakocious_, hasB4K, justinzane, Papey, lbft, Maxels, ross`, alanjf
20:49 -!- lbft_ is now known as lbft
21:05 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
21:27 -!- ampsix [uid26275@gateway/web/irccloud.com/x-skffvjkkgjmgogwi] has joined #openvpn
21:57 -!- kaawee_ [~user@dslb-094-222-131-047.094.222.pools.vodafone-ip.de] has quit [Ping timeout: 265 seconds]
22:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds]
22:30 <@krzee> if dognip returns, let him know it's probably his NAT rules
22:31 -!- garyserj [~garyserj@82-69-82-248.dsl.in-addr.zen.co.uk] has quit [Ping timeout: 245 seconds]
22:43 < jeev> sup krz
22:49 <@krzee> sup pimpin
22:50 < jeev> i'm one sick individual
22:51 < jeev> bored all day, ton of work to do.
22:51 < jeev> wait till night to do it.
22:52 <@krzee> i work better at night
22:54 < jeev> me too i guess
22:54 < jeev> i'm going to start binding +1/-1 ips of my asterisk servers, monitoring 5060, sending command to main pbx's to firewall
22:54 < jeev> sick of stupid attempts
22:54 < jeev> they'll never get through
22:58 <@krzee> actually a pretty damn good idea
22:58 <@krzee> bonus points for honeypotting +1/-1 ip to see what's tried, and repeating it back to whatever machine is trying to get you
22:59 <@krzee> odds are its a worm and you get tons of new servers
22:59 <@krzee> i should prolly have said that in msg :D
23:07 < jeev> lol
23:07 < jeev> just wish stupid asterisk would display ips of failed attempts in the log
23:07 < jeev> it should show connection from.. not what they're spoofing
23:14 <@krzee> spoofing? i would assume they'd be using their real ips since they desire a response
23:15 < jeev> yea but asterisk passes through the invite
23:16 < jeev> or the via actually
23:16 < jeev> one of them, the more important one, never comes through
23:17 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:18 <@krzee> oh lol they spoof and invite you to an ip, so if they succeeded you connect to them?
23:38 < jeev> somethin like that
23:38 < jeev> you reply or terminate a call and reply to the specific ip
23:38 <@krzee> right a sip invite, i gotchya
23:39 < jeev> 188.138.74.68.5097 > me.sip: [udp sum ok] SIP, length: 413
23:39 < jeev> deviantintegral: SIP/2.0/UDP 62.75.212.215:5097;branch=z9hG4bK-3872757181;rport
23:39 < jeev> From: "sipvicious"<sip:100@1.1.1.1>;tag=6330323231373364313363340133313232363030313737
23:40 < jeev> keatont: "sipvicious"<sip:100@1.1.1.1>
23:40 < jeev> in this case, it was already filtered i think, i don't see the log it generated in asterisk
23:40 < jeev> i'm completely blocking 188/8
23:40 < jeev> but rather than seeing 188.138 in asterisk, i'll probably see my own freakin ip.
23:40 < jeev> it's in inside job i tell ya
23:41 -!- ShadniX [dagger@p579416D9.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:44 -!- ShadniX [dagger@p5481DDD7.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Fri Dec 26 2014
00:47 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:22 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has joined #openvpn
01:23 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 240 seconds]
01:29 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 244 seconds]
01:58 -!- someone [~someone@sonoshee.chronostasis.net] has quit [Ping timeout: 240 seconds]
02:21 -!- Papey [~Papey@ks3364303.kimsufi.com] has joined #openvpn
02:31 -!- kenyon [kenyon@darwin.kenyonralph.com] has quit [Quit: rebooting]
03:15 -!- havingFun_ [~quassel@unaffiliated/xrosnight] has quit [Ping timeout: 272 seconds]
03:37 -!- moeyebus [~moebius_e@unaffiliated/moebius-eye/x-4065625] has left #openvpn []
03:45 -!- Latrina [~Latrina@adsl-ull-67-243.45-151.net24.it] has quit [Ping timeout: 250 seconds]
03:48 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:29 -!- JyZyXEL [~foo@a88-112-64-166.elisa-laajakaista.fi] has left #openvpn []
04:33 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
05:19 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:31 -!- shio [marmot@62.188.103.84.rev.sfr.net] has quit [Ping timeout: 240 seconds]
05:40 -!- sascha5- [~sas@genco2.schumann.net] has left #openvpn []
05:47 -!- kaawee_ [~user@dslb-094-222-148-038.094.222.pools.vodafone-ip.de] has joined #openvpn
06:00 -!- Latrina [~Latrina@adsl-ull-112-243.45-151.net24.it] has joined #openvpn
06:07 -!- shio [marmot@6.121.101.84.rev.sfr.net] has joined #openvpn
06:19 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 256 seconds]
06:25 -!- kaawee_ [~user@dslb-094-222-148-038.094.222.pools.vodafone-ip.de] has quit [Quit: Konversation terminated!]
06:46 -!- u0m3 [~u0m3@92.80.125.247] has joined #openvpn
06:54 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has joined #openvpn
08:13 -!- ampsix [uid26275@gateway/web/irccloud.com/x-skffvjkkgjmgogwi] has quit [Quit: Connection closed for inactivity]
08:31 <@syzzer> ecrist: just noticed your conversation with kaawee, he is right that the certificates are exchanged in plain text, even when using tls-auth
08:31 <@syzzer> tls-auth just adds authentication, not encryption (though that would actually be quite trivial to add)
08:31 <@krzee> sure, hence "public" key
08:34 <@syzzer> more than just the public key: also the cert, which can give quite a bit away on your identity. I can follow his though, think of "I'm sitting in a coffee shop and don't want to reveal my identity to sniffers on that network"
08:35 -!- Evargureen is now known as Argure
08:35 <@krzee> when i make my certs i dont put my identity in them, since they are public
08:35 <@krzee> so i mean… if you dont like it, dont do it...
08:35 <@krzee> im sure that same guy does not walk around with a name tag on his shirt at that coffee shop
08:38 <@syzzer> yes, but not everyone (not even each openvpn server admin) has control over the ca that is used
08:41 <@krzee> are you thinking of somehow hiding the crt info during the connection? i must admit i thought this *had* to be public
08:42 <@syzzer> not hiding to the server, but hiding to any mitm
08:42 <@syzzer> would be as simple as enabling encryption for 'tls-auth'
08:43 <@syzzer> current code does not support it, but it would be not very hard to do
08:43 <@krzee> another layer of crypto is always welcome in my eyes
08:43 <@krzee> but wouldnt that be using the same key to encrypt multiple items?
08:44 <@syzzer> yes, it would not be perfect
08:45 <@krzee> ive already made it far enough in the crypto I preview site to know thats a no no ;]
08:45 <@syzzer> the trick here is using a random IV
08:46 <@krzee> (awesome class btw!)
08:51 -!- problame [~problame@delta.cschwarz.com] has quit [Remote host closed the connection]
08:53 -!- problame [~problame@delta.cschwarz.com] has joined #openvpn
09:08 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
09:11 -!- elfixit [~Icedove@2001:1620:2018:11:5e51:4fff:fec8:5b90] has quit [Ping timeout: 272 seconds]
09:13 <@krzee> syzzer, wouldn't the iv need to repeat at some point?
09:16 <@krzee> im not trying to correct you, but rather to learn from you (i think you know that, but worth saying)
09:33 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:57 <@syzzer> krzee: (yes, i know) the IV does not need to repeat, but it might, and repeating IVs is typically bad
09:57 <@syzzer> but using AES, you'll have 128-bit IVs, and 2^128 is, well, a lot
09:58 <@syzzer> so the change on repeating IVs is negligible
09:59 -!- KaaK [~Kevin@wsip-72-205-198-77.ks.ks.cox.net] has joined #openvpn
10:00 <@syzzer> (but the IV is the catch for adding encryption to tls-auth, as it will add 16 bytes of overhead to each tls packet for 128-bit IVs)
10:07 <@krzee> i see
10:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:05 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 245 seconds]
11:20 -!- problame [~problame@delta.cschwarz.com] has quit [Remote host closed the connection]
11:22 -!- problame [~problame@delta.cschwarz.com] has joined #openvpn
11:37 -!- Argure [argure@geonosis.donttrustrobots.nl] has left #openvpn ["If you have a /quit message that people will see, you're doing IRC wrong."]
11:37 -!- Argure [argure@geonosis.donttrustrobots.nl] has joined #openvpn
11:38 -!- Argure [argure@geonosis.donttrustrobots.nl] has left #openvpn [" "]
12:33 -!- eddq [~edu@178.62.62.250] has joined #openvpn
12:33 < eddq> !goal
12:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:33 < eddq> !welcome
12:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
12:33 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:34 < eddq> !route
12:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:36 < eddq> !howto
12:36 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
12:43 < eddq> How do I view that diagnosing diagram about connection issues?
12:47 -!- Veverak is now known as TwistedHater
12:47 -!- TwistedHater is now known as Veverak
12:55 -!- boypussy is now known as supergauntlet
13:00 < eddq> !clientlan
13:00 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
13:00 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
13:05 < eddq> !serverlan
13:05 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
13:05 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
13:07 -!- eddq [~edu@178.62.62.250] has quit [Quit: leaving]
13:12 <@syzzer> !redirect
13:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
13:12 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
13:13 <@syzzer> oh, eddq is gone already
13:19 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 258 seconds]
13:26 -!- instabin [ae3609aa@gateway/web/freenode/ip.174.54.9.170] has quit [Ping timeout: 246 seconds]
13:56 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
14:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
14:17 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
14:52 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has joined #openvpn
14:52 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has quit [Client Quit]
15:25 -!- Maxels_ [~Maxel@24-159-207-34.static.roch.mn.charter.com] has quit [Ping timeout: 265 seconds]
15:27 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
15:28 -!- jkli [~jkli@brln-d9bfe45a.pool.mediaways.net] has joined #openvpn
15:53 -!- ampsix [uid26275@gateway/web/irccloud.com/x-ujotyfqxiysghpnn] has joined #openvpn
15:57 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has quit [Ping timeout: 258 seconds]
15:58 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
16:06 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has joined #openvpn
16:14 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 256 seconds]
16:16 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn
16:16 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 265 seconds]
16:16 -!- ikke-t [~ikke@62.237.43.150] has joined #openvpn
16:17 -!- deranged [Jess@sciurus.net] has joined #openvpn
16:25 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
17:03 -!- jkli [~jkli@brln-d9bfe45a.pool.mediaways.net] has quit [Quit: Computer has gone to sleep.]
17:31 -!- Denial [~Denial@81.141.3.116] has joined #openvpn
18:01 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:05 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has joined #openvpn
18:09 -!- tazz [~gaurav@triband-mum-120.60.175.23.mtnl.net.in] has joined #openvpn
18:09 < tazz> !welcome
18:09 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
18:09 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:09 < tazz> !goal
18:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:28 -!- Denial [~Denial@81.141.3.116] has quit [Ping timeout: 240 seconds]
18:33 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
18:36 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has quit [Ping timeout: 252 seconds]
18:51 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 264 seconds]
19:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
19:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:14 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Ping timeout: 265 seconds]
19:29 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has joined #openvpn
19:32 -!- christmascookie is now known as baubholes
19:34 -!- KavanS [~quassel@LINBIT/KavanS] has joined #openvpn
20:01 -!- anthony25 [~anthony25@ip-136.net-81-220-249.rev.numericable.fr] has quit [Ping timeout: 246 seconds]
20:09 -!- pcdummy [~pcdummy@unaffiliated/pcdummy] has quit [Remote host closed the connection]
20:12 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Ping timeout: 244 seconds]
20:26 -!- Lolths [~Lolths@unaffiliated/lolths] has joined #openvpn
20:33 -!- jkli [~jkli@brln-d9bfe45a.pool.mediaways.net] has joined #openvpn
20:39 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Read error: Connection reset by peer]
20:40 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn
21:47 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
21:50 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has joined #openvpn
21:55 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
22:13 -!- norkle [~norkle@unaffiliated/norkle] has joined #openvpn
22:29 -!- jkli [~jkli@brln-d9bfe45a.pool.mediaways.net] has quit [Ping timeout: 250 seconds]
22:45 -!- elfixit [~Icedove@77-58-253-51.dclient.hispeed.ch] has quit [Quit: elfixit]
23:33 -!- ampsix [uid26275@gateway/web/irccloud.com/x-ujotyfqxiysghpnn] has quit [Quit: Connection closed for inactivity]
23:40 -!- ShadniX [dagger@p5481DDD7.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:42 -!- ShadniX [dagger@p5DDFF7C4.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sat Dec 27 2014
00:32 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
00:38 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
00:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
01:56 -!- norkle [~norkle@unaffiliated/norkle] has quit [Read error: Connection reset by peer]
02:09 -!- Lolths [~Lolths@unaffiliated/lolths] has quit [Ping timeout: 264 seconds]
02:31 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
02:38 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
03:14 -!- jkli [~jkli@brln-4d0cdd29.pool.mediaWays.net] has joined #openvpn
03:19 -!- jkli [~jkli@brln-4d0cdd29.pool.mediaWays.net] has quit [Ping timeout: 250 seconds]
04:04 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
04:37 -!- tazz_ [~gaurav@triband-mum-120.60.195.129.mtnl.net.in] has joined #openvpn
04:40 -!- tazz [~gaurav@triband-mum-120.60.175.23.mtnl.net.in] has quit [Ping timeout: 255 seconds]
04:55 -!- Envil [~meep@95.211.26.40] has joined #openvpn
05:04 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
05:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:43 -!- tobinski [~tobinski@x2f5fcd7.dyn.telefonica.de] has joined #openvpn
05:46 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:47 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 265 seconds]
05:52 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:07 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has joined #openvpn
06:20 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
06:20 -!- james41382 [~james@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
06:32 -!- markelite [croftworth@gateway/shell/yourbnc/x-ibphokeuzelzcrpz] has quit [Quit: I shall return...]
07:19 -!- marl_scot [~matt@cpc2-dumb5-2-0-cust823.20-3.cable.virginm.net] has quit [Quit: Leaving]
07:27 -!- eddq [~edu@178.62.62.250] has joined #openvpn
07:42 < eddq> !paste
07:42 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
07:42 < eddq> !configs
07:42 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
07:51 -!- markelite [croftworth@gateway/shell/yourbnc/x-prquuakoeiqwuipb] has joined #openvpn
08:06 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Quit: OK, Doei!]
08:07 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
08:13 -!- eddq [~edu@178.62.62.250] has quit [Ping timeout: 245 seconds]
08:18 -!- CaTtleyA [~CaTtleyA@plb95-9-78-241-235-51.fbx.proxad.net] has quit [Ping timeout: 272 seconds]
09:36 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
09:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 244 seconds]
09:45 -!- tobinski_ [~tobinski@x2f5fcd7.dyn.telefonica.de] has joined #openvpn
09:48 -!- tobinski [~tobinski@x2f5fcd7.dyn.telefonica.de] has quit [Ping timeout: 244 seconds]
09:54 -!- ice9 [~ice9@unaffiliated/ice9] has joined #openvpn
09:55 < ice9> vpn was working for long time normally, suddenly I was unable to connect due to handshake error, and sometimes it connects but it run extremely slow, I haven't changed anything in the configuration.  could this be an attack?
10:02 < pekster> It could also be sunspots, bad ISP, cable modem on the fritz, or aliens. Logs containing the actual error would be far more useful
10:03 -!- CGML [~CGML@unaffiliated/cgml] has quit [Quit: No Ping reply in 180 seconds.]
10:03 < Veverak> k
10:04 < ice9> pekster: right but sorry I don't have the log, it's overritten when the the connection succeeded , but it was about TLS handshake failed;  now I'm not getting this error but why the connection is extremely slow
10:04 < ice9> and the cables are fine and I tested others, it's the same ISP that was used before when it worked normally
10:05 < pekster> The reasonf for failure matters here
10:05 < pekster> Without
10:05 < pekster> !logs
10:05 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:05 < pekster> and
10:05 < pekster> !configs
10:05 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
10:05 -!- CGML [~CGML@unaffiliated/cgml] has joined #openvpn
10:06 < pekster> There's not much we can do but guess. Could be a lightening strike too -- I had one of those cause all sorts of problems on my NICs years back..
10:06 < pekster> http://pekster.sdf.org/misc/nic-lightening.txt
10:07 < pekster> RX was fine, just threw a stack trace on TX. Not a fun day.
10:40 -!- xTz [~xTz@77.238.81.110] has quit [Ping timeout: 250 seconds]
10:44 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
11:04 -!- roentgen [~none@openvpn/community/support/roentgen] has quit [Quit: No Ping reply in 180 seconds.]
11:07 -!- roentgen [~none@openvpn/community/support/roentgen] has joined #openvpn
11:07 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 255 seconds]
11:15 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:18 -!- ice9 [~ice9@unaffiliated/ice9] has quit [Quit: Leaving.]
11:23 -!- ice9 [~ice9@unaffiliated/ice9] has joined #openvpn
11:25 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
11:27 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
11:32 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
11:37 -!- zalami [~realnameo@unaffiliated/zalami] has quit [Ping timeout: 240 seconds]
11:38 -!- zalami [~realnameo@unaffiliated/zalami] has joined #openvpn
12:22 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
12:23 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
12:25 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:27 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:29 -!- james41382 [~james@unaffiliated/james41382] has quit [Client Quit]
12:44 -!- Poster [~poster@cpe-74-140-100-29.swo.res.rr.com] has joined #openvpn
12:52 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:08 -!- jefferai_ is now known as jefferai
13:20 -!- Burgundy [~burgundy@188.25.139.62] has quit [Ping timeout: 244 seconds]
13:43 -!- tobinski [~tobinski@x2f5fcd7.dyn.telefonica.de] has joined #openvpn
13:46 -!- tobinski_ [~tobinski@x2f5fcd7.dyn.telefonica.de] has quit [Ping timeout: 272 seconds]
13:52 -!- yoavz [yoavz@yoavz.net] has quit [Ping timeout: 255 seconds]
13:53 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
13:56 -!- tazz_ is now known as tazz
13:58 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 244 seconds]
14:00 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
14:02 -!- hyper_ch [~hyper_ch@81.4.108.20] has joined #openvpn
14:02 < hyper_ch> krzee: https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch
14:02 -!- nsrafk [whois@unaffiliated/nsrafk] has quit [Ping timeout: 276 seconds]
14:41 -!- nsrafk [whois@unaffiliated/nsrafk] has joined #openvpn
14:58 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 245 seconds]
15:16 -!- tobinski_ [~tobinski@x2f5fcd7.dyn.telefonica.de] has joined #openvpn
15:19 -!- tobinski [~tobinski@x2f5fcd7.dyn.telefonica.de] has quit [Ping timeout: 240 seconds]
15:39 -!- yoavz [yoavz@yoavz.net] has quit [Remote host closed the connection]
15:40 -!- yoavz [yoavz@yoavz.net] has joined #openvpn
15:46 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
16:32 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:39 -!- RaiNerTsuFal [~RaiNerTsu@akita.vtlx.cn] has joined #openvpn
16:41 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 240 seconds]
17:21 -!- KjetilK [~kjetil@ti0071a400-3057.bb.online.no] has joined #openvpn
17:23 -!- GuidovanPossum [~chatzilla@wsip-184-176-140-204.ph.ph.cox.net] has joined #openvpn
17:36 -!- liriel [~liriel@asia.feralhosting.com] has quit [Ping timeout: 252 seconds]
17:40 -!- liriel [~liriel@asia.feralhosting.com] has joined #openvpn
17:46 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
17:47 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
17:49 -!- tobinski_ [~tobinski@x2f5fcd7.dyn.telefonica.de] has quit [Quit: Leaving]
17:58 -!- tekk [~me@185.17.149.149] has joined #openvpn
18:02 -!- jkli [~jkli@brln-4d0cdd29.pool.mediaWays.net] has joined #openvpn
18:07 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:13 -!- ice9 [~ice9@unaffiliated/ice9] has left #openvpn ["PART #social-engineer :PART #kde :ISON MattHardcastle tty0x80 pheas mattst88"]
18:19 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Remote host closed the connection]
18:23 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:48 -!- GuidovanPossum [~chatzilla@wsip-184-176-140-204.ph.ph.cox.net] has left #openvpn []
19:00 -!- jkli [~jkli@brln-4d0cdd29.pool.mediaWays.net] has quit [Quit: Computer has gone to sleep.]
19:46 -!- tazz_ [~gaurav@triband-mum-120.60.195.129.mtnl.net.in] has joined #openvpn
19:49 -!- tazz [~gaurav@triband-mum-120.60.195.129.mtnl.net.in] has quit [Ping timeout: 255 seconds]
19:53 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
20:01 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
20:03 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
20:04 -!- Envil [~meep@95.211.26.40] has quit [Remote host closed the connection]
20:04 < ki7rw> i'm trying to setup openvpn CA on ubuntu 14.04 but not having much success: http://pastebin.com/a9Ha6E3a
20:07 < ki7rw> i believe that i have followed the openvpn howto step by step
20:07 < pekster> No, don't do PKI things as root. Not only is it really bad practice, but the way you're doing it nukes your environment after each call, which is ironcially what sourcing the 'vars' file in the 2.x series of easy-rsa is attempting to do in the first place
20:08 < pekster> Copy all of the PKI files to a directory a user account runs. I'd recommend a dedicated 'pki' account with protected filesystem access, but your own account works as much as you trust its security
20:08 < pekster> Nope, you failed step 1. You never expored the required environment
20:09 < pekster> You 1) became root (really bad idea for PKI!!!), ran a script that exported some variables, and then terminated, along with the environment. Back to step 0, in other words. Then you went onto step 2. Whopsie..
20:09 < pekster> Either become root for all of it (since that's apparently what you seem to want, despite how bad of an idea it is), or do what I just suggested earlieri and do this all as a normal user
20:21 <+hazardous> is there a way to force a specific interface with openvpn? i have multiple tunnels on one machine simultaneously, can i force 'noc-1' to always use 'tap-windows adapter v9' and 'noc-2' to always use tap-windows adapter v9 #2?
20:24 < pekster> See --dev-node in the manpage
20:25 -!- burp_ [~quassel@ns337126.ip-188-165-218.eu] has joined #openvpn
20:25 < burp_> !welcome
20:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:25 <+hazardous> 'dev-node node' is usable in a config right
20:25 <+hazardous> thx
20:25 < burp_> !topology
20:25 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
20:32 < ki7rw> pekster: got it done as root before i saw your post
20:33  * ki7rw is a rookie at this
20:33 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
20:38 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:59 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
21:12 -!- NChief [~nchief@unaffiliated/nchief] has quit [Quit: kreft]
21:53 -!- Fusl [Fusl@unaffiliated/fusl] has quit [Remote host closed the connection]
21:55 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
22:09 -!- airking [~airking@unaffiliated/dylan] has joined #openvpn
22:10 < airking> So I'm trying to connect to ramvpn using openVPN, I've got the connection working, but all of my traffic isn't being tunneled
22:11 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn
22:37 -!- baubholes is now known as GluttonousGertru
22:38 < esde> !redirect
22:38 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
22:38 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
23:06 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:07 -!- JaniceKitty is now known as AnonGirl
23:27 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
23:40 -!- ShadniX [dagger@p5DDFF7C4.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:42 -!- ShadniX [dagger@p5481C87E.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Sun Dec 28 2014
00:03 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
00:06 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
02:12 -!- u0m3_ [~u0m3@109.96.129.138] has joined #openvpn
02:15 -!- u0m3 [~u0m3@92.80.125.247] has quit [Ping timeout: 252 seconds]
03:28 < tazz_> !wiki
03:28 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
03:36 -!- GluttonousGertru is now known as baubles
03:38 -!- tazz [~gaurav@triband-mum-120.60.182.181.mtnl.net.in] has joined #openvpn
03:40 -!- tazz_ [~gaurav@triband-mum-120.60.195.129.mtnl.net.in] has quit [Ping timeout: 244 seconds]
04:05 < hyper_ch> why is the unofficial wiki in first place?
04:19 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
04:23 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:23 -!- albech [~Thunderbi@83-88-190-198-static.dk.customer.tdc.net] has joined #openvpn
04:32 < albech> I wish to create a bridge between my current location which already
04:33 < albech> ^ please ignore
04:37 < hyper_ch> I'm excellent at ignoring things
05:11 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Ping timeout: 250 seconds]
05:12 -!- tobinski [~tobinski@x2f5f425.dyn.telefonica.de] has joined #openvpn
05:17 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
05:26 -!- pekster [~rewt@openvpn/community/support/pekster] has quit [Ping timeout: 258 seconds]
05:27 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
05:38 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:52 -!- mattock_afk is now known as mattock
06:15 -!- pekster [~rewt@openvpn/community/support/pekster] has joined #openvpn
06:19 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:21 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has quit [Ping timeout: 245 seconds]
06:53 -!- Kniaz1 [~Kniaz@unaffiliated/kniaz] has joined #openvpn
06:55 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Ping timeout: 240 seconds]
08:20 -!- tobinski_ [~tobinski@x2f5f425.dyn.telefonica.de] has joined #openvpn
08:23 -!- tobinski [~tobinski@x2f5f425.dyn.telefonica.de] has quit [Ping timeout: 250 seconds]
09:01 -!- 5EXABZOTZ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:15 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
09:15 -!- u0m3_ [~u0m3@109.96.129.138] has quit [Read error: Connection reset by peer]
09:17 -!- mattock is now known as mattock_afk
09:18 -!- dob1 [~d@dynamic-adsl-78-12-174-21.clienti.tiscali.it] has joined #openvpn
09:19 -!- u0m3 [~u0m3@92.80.71.115] has joined #openvpn
09:20 < dob1> hi, when a client needs to connects to some services of another clients the data is always transferred via the openvpn server?
09:21 < dob1> or it is possible a direct client-to-client connection?
09:34 < hyper_ch> direct client-to-client isn't support as of now IIRC
09:34 < hyper_ch> although krzee said he has some ideas how to achieve that
09:41 -!- esde [~esde@unaffiliated/esde] has quit [Quit: .]
09:48 -!- albech [~Thunderbi@83-88-190-198-static.dk.customer.tdc.net] has quit [Quit: albech]
09:51 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has joined #openvpn
09:56 -!- mirco [~mirco@ip-176-198-211-199.hsi05.unitymediagroup.de] has quit [Client Quit]
10:02 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has joined #openvpn
10:06 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has quit [Client Quit]
10:08 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has joined #openvpn
10:13 < dob1> hyper_ch, i see, thanks
10:16 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
10:29 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:29 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
11:01 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 245 seconds]
11:04 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
11:11 -!- dob1 [~d@dynamic-adsl-78-12-174-21.clienti.tiscali.it] has quit [Quit: Leaving]
11:21 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
11:23 -!- julieeharshaw [~julie@juliekoubova.net] has quit [Ping timeout: 250 seconds]
11:24 -!- julieeharshaw [~julie@juliekoubova.net] has joined #openvpn
11:33 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
11:33 < ki7rw> why is it that some devices can't see the router with ssid broadcast disabled? my son's nabi 2 says it's out of range
11:33 < ki7rw> oops
11:33 < ki7rw> is it a good idea to use the gadmin gui to setup openvpn?
11:35 < hyper_ch> why even disable ssid?
11:40 < ki7rw> security reasons
11:40 < esde> ki7rw, cli is always best. because you'll learn what everything means. with a gui it's just creating the same thing, but sometimes in a wrong way. YMMV ultimately
11:41 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
11:41 < ki7rw> esde: just trying to figure out easy ways to do this
11:45 < esde> the easiest way would be cli, there's a wonderful how-to dense with information
11:45 < ki7rw> besides i keep getting this error message when launching the gadmin-openvpn-server gui even though i installed it after getting the error message: Error: Bridge-utils does not seem to be installed.
11:45 < esde> !howto
11:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
11:46 < ki7rw> esde: i've been using that howto but it appears to be out-of-date
11:46 -!- tekk [~me@185.17.149.149] has quit [Quit: ZNC - http://znc.in]
11:47 < ki7rw> esde: this doesn't work and is from the howto: . ./vars
11:48 < esde> theres good help in here, from people a lot more intelligible than me :)
11:50 < ki7rw> source vars works but i had to do <sudo su> in order to get past it to ./clean-all
11:51 < pekster> Or don't do it as root. PKI does not require root access
11:52 < pekster> (storing it in /usr/share/easy-rsa probably does, but folks who know what they're doing try not to run things needlessly as root. Last I checked, the `cp` and `rsync` commands were good for copying files)
11:53 < pekster> Doing things via `sudo` or `su -c` runs a *single* command in the environment, then destroys that environment. Same thing as 1) opening up a terminal, 2) becomming root, 3) setting some env-vars, 4) closing the terminal, 5) opening another terminal, 6) becoming root again, 7) wondering "why" your env-vars are now gone
11:54 < esde> i doubt it's best practice, but i do all the pki stuff after sudo su, then exit when im done. i use the sudo command to elevate and set ownership to openvpn (non-root user) and set more restrictive permissions on the directories and key/cert files
11:57 < pekster> keys don't need to be non-root readable; see --persist key to allow them to be stored in RAM and not read by anything other than root. Same principle as apache's keys
11:58 < esde> ive gotta go, but i'd like to find out more about this another time
11:58 < pekster> Further recommendations at !hardening on the wiki
12:13 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
12:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
12:14 -!- mode/#openvpn [+o plaisthos] by ChanServ
12:20 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
12:24 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
12:26 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 265 seconds]
12:27 -!- deranged [Jess@sciurus.net] has joined #openvpn
12:28 -!- Schrottfresse [~quassel@schrottfresse.de] has joined #openvpn
12:29 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Remote host closed the connection]
12:30 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
12:31 -!- Haigha [~root@dovahkiin.xomg.net] has quit [Client Quit]
12:34 -!- Haigha [~root@dovahkiin.xomg.net] has joined #openvpn
12:52 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
13:18 < ki7rw> pekster: they probably should update the howto
13:18 -!- tekk [~me@185.17.149.149] has joined #openvpn
13:21 < hyper_ch> ki7rw: how would disabling the SSID improve security?
13:24 <@krzee> would not hurt security, but would not make anything more secure either
13:24 < hyper_ch> when you see a terrorist, just close your eyes and the terrorist is gone :)
13:25 < hyper_ch> krzee: read the news about 31C3?
13:25 -!- redpill [~redpill@unaffiliated/redpill] has joined #openvpn
13:25 <@krzee> news about it?
13:25 <@krzee> i usually just wait for it to end and download every video from a mirror
13:26 <@krzee> then i basically post-attend it remotely
13:27 < hyper_ch> fingerprints and iris scans are useless for security.... snoopersnitch to find out how much is being messed with SS7... even bank-/creditcard ships aren't secure - too many way to circumvent stuff
13:27 <@plaisthos> we all doomed [tm]
13:27 < hyper_ch> I gotta put stock android on my nexus for to test snoopersnitch
13:28 < hyper_ch> plaisthos: you're doomed to die the moment you're conceived
13:28 <@plaisthos> hyper_ch: DOOOOOOOOOOOOOOM
13:28 <@plaisthos> hyper_ch: https://www.youtube.com/watch?v=fqcn_TPu4qQ
13:28 <@vpnHelper> Title: Gir - The Doom Song - YouTube (at www.youtube.com)
13:29 <@krzee> fingerprints and iris scans are completely unprotected by law as well
13:30 <@krzee> whereas you may not be legally compelled for your passwords in usa, they can totally take your biometrics
13:30 < hyper_ch> well, they copied Von der Leyen's fingerprints just by taking a few pics ;)
13:30 < hyper_ch> she's Germany's defense minister IIRC
13:30 <@krzee> damn, nice cameras
13:31 < hyper_ch> you don't even need good cameras it seems
13:31 < hyper_ch> the heise article said something about 10megapixel range... and 200mm object from a few meters away
13:31 <@krzee> snoopsnitch is cool, i cant wait til cyanogenmod supports it
13:31 < hyper_ch> 200mm thingy...
13:31 < hyper_ch> so you saw the snoopsnitch link that I posted to you?
13:32 <@plaisthos> hyper_ch: yes, you right, she is the one wanting to make the Bundeswehr more family friendly
13:32 < hyper_ch> tried it on my OnePlus One which comes with CM as stock.. but it didn't work
13:32 < hyper_ch> aber denkt doch an die Kinder...
13:32 < hyper_ch> some austrian guy made the Bundeswher more family friendly a couple of decades back ;)
13:33 <@krzee> hyper_ch, same
13:33 <@plaisthos> I don't think that guys introduced kindergardens to the Bundeswher ;)
13:34 < hyper_ch> but he did introduce the Bundeswehr to the Kinder ;) HJugend.....
13:34 <@plaisthos> (german http://www.spiegel.de/politik/deutschland/von-der-leyen-eroeffnet-erste-kinderkrippe-der-bundeswehr-a-968988.html)
13:34 <@vpnHelper> Title: Von der Leyen eröffnet erste Kinderkrippe der Bundeswehr - SPIEGEL ONLINE (at www.spiegel.de)
13:34 < hyper_ch> krzee: you also got a oneplus one?
13:34 <@plaisthos> hyper_ch: ah yes
13:34 <@krzee> yep
13:34 < hyper_ch> I like it
13:34 <@krzee> i love it
13:34 < hyper_ch> much improvement over the N4
13:34 < hyper_ch> great battery life
13:34 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
13:34 < hyper_ch> I did get myself a qi charger pad to stick between the phone and the flipcover
13:35 <@krzee> the non removeable battery is the 1 thing id change
13:35 < hyper_ch> so I can use my Qi Chargers
13:35 < hyper_ch> got some really cool panasonic qi chargers form Nippon
13:35 <@plaisthos> Qi charging is really cool
13:35 <@plaisthos> too sad that the Nexus 9 dropped that
13:36 < hyper_ch> krzee: running openvpn and sip over it all day long, mostly with wifi, doing some stuff on it.... and battery is only like 25% used at the end of the day
13:36 < hyper_ch> nexus has no qi anyomre?
13:36 <@krzee> very cool!
13:36 <@krzee> although you'll get huge difference over wifi than lte
13:36 < hyper_ch> plaisthos: you could get a qi charging mat though... if you use it with some sort of cover
13:36 < hyper_ch> krzee: difference?
13:36 <@krzee> better set it to run only over wifi if possible lol
13:37 <@krzee> ya man over lte you'll kill that battery
13:37 < hyper_ch> I did... using llama
13:37 < hyper_ch> when in the car, wifi get turned off... bluetooth gets activated
13:37 < hyper_ch> etc
13:38 < hyper_ch> I also got accustomed to the size now
13:38 <@krzee> nice, i like tasker for that sort of thing
13:39 <@krzee> which i also use to send myself pics of any failed attempts to unlock my phone
13:39 < hyper_ch> haven't heard of tasker
13:39 < hyper_ch> in llama you can define zones
13:39 <@krzee> it can pretty much do anything
13:39 < hyper_ch> zones are recognized by cell towers around you
13:39 < hyper_ch> and you set actions when you leave/enter zones
13:39 <@krzee> cool
13:40  * krzee controls your zone with a cell site
13:40 < hyper_ch> I finally also noticed, that since KitKat you can have now a different screen unlock password than encryption password
13:40 <@krzee> yep i noticed that awhile back
13:40 < hyper_ch> and you never told me...
13:40 <@krzee> so i set a screen passphrase before encrypting
13:40 < hyper_ch> btw, also changed from Dalvik to Art
13:41 <@krzee> then change the screen lock after
13:41 < hyper_ch> you can also change encryption password
13:41 <@krzee> sorry didnt know you didnt know
13:41 <@krzee> ya, but i figured easier to change screen lock
13:41 <@krzee> so i encrypted with a passphrase then changed the screenlock
13:45 < hyper_ch> works both ways :)
13:45 <@plaisthos> hyper_ch: no n9 has no qi anymore, the n6 however has qi
13:46 < hyper_ch> plaisthos: even my n4 has qi.... strange about the n9
13:46 <@plaisthos> yeah
13:48 < hyper_ch> krzee: plaisthos:  my OPO in the flipcover... bought a qi charging mat and put it in between :) now the microusb is also protected from dust and stuff
13:48 < hyper_ch> http://images.sjau.ch/img/ba00ac62.jpg
13:48 <@krzee> supercool
13:48 <@krzee> how much was the qi stuff?
13:48 <@plaisthos> hyper_ch: nice :)
13:48 < hyper_ch> I let the cable have a bit leeway, so that I can un- replug it
13:48 < hyper_ch> krzee: the mat was like $9.- + lots of shpping to europe
13:49 < hyper_ch> the panasonic charger that I got is rather expensive from Nippon
13:49 <@plaisthos> my xperia z1c has no qi but a dock where you just the phone into
13:49 < hyper_ch> I like that one because it's cool and auto-adjusting the charging position
13:49 <@plaisthos> it is not qi but almost as good
13:49 < hyper_ch> https://www.youtube.com/watch?v=EUpr6JkP5ow  got two of them - both in white... one for home and one for office
13:49 <@vpnHelper> Title: Panasonic QE--TM101 QI charger review - YouTube (at www.youtube.com)
13:50 <@krzee> can you put multiple devices on it?
13:51 < hyper_ch> no, you'll see at about 54 seconds... there's a caddy inside that puts the charger to the right spot
13:52 < hyper_ch> there are cheaper qi chargers though :)
13:56 < KjetilK> !welcome
13:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:57 < KjetilK> !paste
13:57 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
14:04 < KjetilK> !route
14:04 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:04 <@vpnHelper> client
14:05 < ki7rw> hyper_ch: unless i'm missing something, they won't know the AP is there if the ssid isn't broadcasted
14:06 < hyper_ch> if the SSID isn't broadcasted, how can you connect to it? it's just not visibly broadcaset
14:07 <@krzee> it is only the beacon packets not transmitted
14:09 <@krzee> anybody passively sniffing sees everything they need
14:11 < KjetilK> !serverlan
14:11 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
14:11 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
14:19 < KjetilK> ah, now it works! Thanks, mr. Bot :-)
14:33 < KjetilK> I spoke too soon, I wasn't on the network I thought I was
14:34 < KjetilK> Anyway, my goal is to reach the open ports on the LAN from the clients on the VPN
14:35 < KjetilK> Here's my pastes: https://gist.github.com/kjetilk/19a886965e630807058a
14:35 <@vpnHelper> Title: OpenVPN logs (at gist.github.com)
14:35 < KjetilK> I'm quite sure it is a routing problem at this point
14:36 < KjetilK> I have everything in 172.22.0.0/16
14:36 < KjetilK> if I manually add a route
14:36 < KjetilK> ip route add 172.22.8.2 via 172.22.128.5
14:37 < KjetilK> then I get the desired result for that box
14:37 < KjetilK> but simply doing
14:37 < KjetilK> push "route 172.22.0.0 255.255.0.0"
14:37 < KjetilK> doesn't so
14:38 < KjetilK> so, I suppose the main question is whether it is a Bad Idea to have the VPN in the 172.22.0.0/16 in the first place?
14:51 < pekster> Check your client logs for issues adding the pushed route
14:52 < pekster> You can push a supernet route like that just fine so long as the client doesn't have another conflicting (ie: overlapping) more specific route than the /16. For instance, any client-side physical LAN network smaller than that in the same range breaks stuff
14:55 < KjetilK> pekster, OK
14:55 < KjetilK> likely breaking stuff by connection timeouts and stuff?
14:55 < pekster> No, breaking as in "the usual rules of routing apply" (ie: shortest match wins)
14:55 < KjetilK> ok
14:55 < pekster> Say the client is on 172.22.8.0/24 -- that kind of thing
14:58 < KjetilK> ok, so now I push
14:58 < KjetilK> push "route 172.22.0.0 255.255.128.0"
14:58 < KjetilK> push "route 172.22.192.0 255.255.192.0"
14:58  * KjetilK hopes two-line paste is ok
14:58 < KjetilK> the vlan is for wlan clients, btw
14:59 < KjetilK> s/vlan/vpn/
15:00 < KjetilK> so, that should exclude the wlan clients, that are in 172.22.160.0/19 and the and vpn clients, that are in 172.22.128.0/19
15:00 < KjetilK> hmmm
15:03 < KjetilK> but it doesn't seem like those routes are added at all: http://pastebin.com/gWVyqnHp
15:04 < KjetilK> and I get timeouts, could that mean, I'm routing traffic away from the server?
15:11 < pekster> Ping timeout after 120 seconds means the client did not get any keepalive packets in that time (usually points to a connection problem after startup.) You're not connecting to your server via an IP that you're pushing a route for, are you?
15:13 < KjetilK> I thought not, but I suppose this indicates otherwise...
15:14 < KjetilK> I think my private DNS is a bit messed up, possibly...
15:17 < pekster> If your server is accessed via an IP you push a route for, this would cause issues. You're basically saying to send the encapsulated VPN traffic via the VPN (which you can't do.) If you're already "inside" your network you probably don't need to push a route to "get inside." If you have some goofy reason for trying to push that supernet anyway, you'll need _another_ host-route (IPv4 /32) routed via the net_gateway -- see --route in ...
15:17 < pekster> ... the manpage for details
15:19 < KjetilK> ok
15:19 < KjetilK> I think I nailed it now
15:20 < KjetilK> the problem is that I have assigned several IPs for the router box in the network, which also hosts the VPN server
15:20 < KjetilK> one for each interface
15:20 < esde> http://youtu.be/LzkUNR5sYQs?t=29s
15:20 <@vpnHelper> Title: Hand Puppet - Progressive Commercial - YouTube (at youtu.be)
15:21 < KjetilK> and dnsmasq is managing these IPs, and what happened was that when I wrote the name of this host in my client config, it resolved to 172.22.8.1 which was in the push
15:22 < KjetilK> when I entered the IP address 172.22.160.1 in the client config, it worked
15:23 < KjetilK> but the real fix here would be to make sure the DNS server responds with the right IP for the interface...
15:36 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 255 seconds]
15:48 -!- tobinski___ [~tobinski@x2f5f425.dyn.telefonica.de] has joined #openvpn
15:49 < KjetilK> hah, there exists a feature that wasn't documented in my dnsmasq config example to do that, localise-queries :-)
15:51 -!- tobinski_ [~tobinski@x2f5f425.dyn.telefonica.de] has quit [Ping timeout: 264 seconds]
16:23 -!- u0m3 [~u0m3@92.80.71.115] has quit [Read error: Connection reset by peer]
16:34 -!- u0m3 [~u0m3@92.80.71.115] has joined #openvpn
16:44 < KjetilK> I know the example config says I have to run on different port numbers if I want to run several instances on the same machine, but just to check, it doesn't suffice to run on different local IPs?
17:04 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 244 seconds]
17:12 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has joined #openvpn
17:12 < urbanizator> !welcome
17:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
17:12 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:13 < urbanizator> !route
17:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:13 <@vpnHelper> client
17:14 < urbanizator> !tcpip
17:14 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
17:14 < urbanizator> !serverlan
17:14 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
17:14 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
17:14 < urbanizator> !ipforward
17:14 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:22 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
17:27 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has joined #openvpn
17:27 < urbanizator> !linforward
17:27 < urbanizator> !linforward
17:27 < urbanizator> !ipforward
17:27 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:27 < urbanizator> !linforward
17:28 < urbanizator> !linipforward
17:28 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
17:28 < urbanizator> !configs
17:28 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:29 < urbanizator> !goal
17:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:30 < urbanizator> What is the difference between an openvpn access server and a non-access server?
17:32 < urbanizator> !howto
17:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
17:32 < urbanizator> !logs
17:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
17:41 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
17:42 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has joined #openvpn
17:43 < urbanizator> !clientlan
17:43 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see
17:43 <@vpnHelper> !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
17:44 < urbanizator> !iroute
17:44 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
17:49 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
17:52 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has joined #openvpn
17:52 < urbanizator> Is there someone here?
18:01 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:04 -!- tobinski___ [~tobinski@x2f5f425.dyn.telefonica.de] has quit [Quit: Leaving]
18:07 -!- urbanizator [53342d00@gateway/web/cgi-irc/kiwiirc.com/ip.83.52.45.0] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
18:10 -!- MogDog [MogDog@unaffiliated/mogdog66] has quit [Quit: Server shutdown]
18:11 -!- MogDog [MogDog@unaffiliated/mogdog66] has joined #openvpn
18:40 -!- u0m3 [~u0m3@92.80.71.115] has quit [Read error: Connection reset by peer]
18:44 -!- u0m3 [~u0m3@92.80.85.161] has joined #openvpn
18:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
19:04 -!- 5EXABZOTZ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 250 seconds]
19:47 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Quit: Ride fast. Take chances.]
19:49 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
20:05 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
20:29 -!- xTz [~xTz@77.238.81.110] has joined #openvpn
20:53 -!- esde [~esde@unaffiliated/esde] has quit [Quit: .]
20:53 -!- dougy [~dbh@ool-4351dc63.dyn.optonline.net] has joined #openvpn
20:53 < dougy> hello lads
20:55 -!- dougy [~dbh@ool-4351dc63.dyn.optonline.net] has quit [Quit: leaving]
20:57 -!- Dougy [~dhaber@65.98.6.46] has joined #openvpn
20:58 -!- esde [~esde@unaffiliated/esde] has joined #openvpn
21:09 -!- xTz [~xTz@77.238.81.110] has quit [Ping timeout: 255 seconds]
21:13 < Eugene> Welcoem!
21:14 < Dougy> hello hello
21:14 < Dougy> i have not come around here in a while
21:18 < Eugene> So you haven't
21:19 < Dougy> :)
21:27  * Dougy waves at krzee
21:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Quit: Leaving]
21:36 < jeev> boo
21:36 < jeev> dougerous
21:46 < Dougy> hi jeev
21:47 -!- u0m3_ [~u0m3@92.80.103.197] has joined #openvpn
21:49 -!- u0m3 [~u0m3@92.80.85.161] has quit [Ping timeout: 252 seconds]
21:52 < _FBi> ello doug, we've been waiting
21:54 < Dougy> hihi
21:54 -!- Dougy [~dhaber@65.98.6.46] has quit [Changing host]
21:54 -!- Dougy [~dhaber@unaffiliated/dougy] has joined #openvpn
21:57 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has joined #openvpn
21:57 < _FBi> I don't thinkk we've met D
21:57 < _FBi> :D
21:58 < Dougy> i do not come around much these days
21:58 < Dougy> but i founded the forum for the project
21:58 < Dougy> of course, would have never been successful without ecrist or krzee
21:59 < _FBi> Im a Sagitarious
22:01 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has quit [Client Quit]
22:05 < _FBi> I see my attempt at humor has failed *Frowny Face*
22:29 -!- akamaru217 [~akamaru21@2601:0:8a80:1064:1c21:bf7e:10c2:c25] has quit [Ping timeout: 258 seconds]
22:48 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:38 -!- ShadniX [dagger@p5481C87E.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:39 -!- ShadniX [dagger@p5DDFD763.dip0.t-ipconnect.de] has joined #openvpn
23:54 -!- atom138 [ac381454@gateway/web/freenode/ip.172.56.20.84] has joined #openvpn
23:54 < atom138> !welcome
23:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
--- Day changed Mon Dec 29 2014
00:11 < atom138> !howto
00:11 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
00:28 <@krzee> werd dougy
00:28 -!- mode/#openvpn [+v Dougy] by krzee
00:29 <@krzee> hows it going
00:30 -!- james41382_ [~james@unaffiliated/james41382] has joined #openvpn
00:33 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 250 seconds]
00:34 -!- atom138 [ac381454@gateway/web/freenode/ip.172.56.20.84] has quit [Quit: Page closed]
00:38 -!- hyper_ch [~hyper_ch@81.4.108.20] has left #openvpn ["Konversation terminated!"]
01:36 -!- redpill [~redpill@unaffiliated/redpill] has quit [Remote host closed the connection]
01:56 -!- u0m3__ [~u0m3@92.80.103.197] has joined #openvpn
01:58 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
01:58 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
01:58 -!- badon_ is now known as badon
02:00 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 252 seconds]
02:00 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Ping timeout: 252 seconds]
02:00 -!- tekk [~me@185.17.149.149] has quit [Ping timeout: 252 seconds]
02:00 -!- u0m3_ [~u0m3@92.80.103.197] has quit [Ping timeout: 252 seconds]
02:00 -!- Schrottfresse [~quassel@schrottfresse.de] has quit [Ping timeout: 252 seconds]
02:00 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 252 seconds]
02:01 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
02:01 -!- mattock_afk is now known as mattock
02:02 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Read error: Connection reset by peer]
02:03 -!- keatont [~keatont@keatonstaylor.com] has joined #openvpn
02:37 -!- tazz_ [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has joined #openvpn
02:40 -!- tazz [~gaurav@triband-mum-120.60.182.181.mtnl.net.in] has quit [Ping timeout: 255 seconds]
03:04 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
03:06 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
03:14 -!- tekk [~me@185.17.149.149] has joined #openvpn
03:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
03:40 -!- tazz_ [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has quit [Read error: Connection reset by peer]
03:40 -!- tazz_ [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has joined #openvpn
03:40 -!- havingFun is now known as xrosnight
03:47 -!- mattock is now known as mattock_afk
03:48 < KjetilK> I know the example config says I have to run on different port numbers if I want to run several instances on the same machine, but just to check, it doesn't suffice to run on different local IPs?
03:54 <@syzzer> KjetilK: that will work just fine too
03:56 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
03:56 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
03:57 < KjetilK> syzzer, ok, cool, I'll try it
04:05 -!- tobinski [~tobinski@x2f581d0.dyn.telefonica.de] has joined #openvpn
04:18 <@krzee> KjetilK, you  must specify which IP you are binding to in that case ^ --local will help
04:20 <@krzee> also when you use the vpn on the ip from isp that is not your default route, you will need policy routing to make this work
04:20 <@krzee> good luck to ya =]
04:20  * KjetilK nods
04:20 < KjetilK> thanks! :-)
04:20 <@krzee> np
04:20 <@krzee> sleep time &
04:35 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:53 -!- tazz_ [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has quit [Read error: Connection reset by peer]
04:53 -!- tazz_ [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has joined #openvpn
05:26 -!- elfixit [~Icedove@2001:67c:20a1:1192:5e51:4fff:fec8:5b90] has joined #openvpn
05:30 -!- elfixit [~Icedove@2001:67c:20a1:1192:5e51:4fff:fec8:5b90] has quit [Ping timeout: 244 seconds]
05:43 -!- tazz [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has joined #openvpn
05:44 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:45 -!- tazz_ [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has quit [Ping timeout: 240 seconds]
05:46 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 245 seconds]
05:46 -!- tazz [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has quit [Read error: Connection reset by peer]
05:46 -!- tazz [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has joined #openvpn
05:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
05:54 -!- tazz [~gaurav@triband-mum-120.60.204.104.mtnl.net.in] has quit [Ping timeout: 244 seconds]
07:15 -!- pipi- [~pipi-@unaffiliated/pipi-] has joined #openvpn
07:16 <+Dougy> oop
07:16 <+Dougy> krzee: it goes
07:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
07:28 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 264 seconds]
07:35 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
08:37 -!- d10n [~d10n@unaffiliated/d10n] has quit [Ping timeout: 250 seconds]
08:38 -!- d10n [~d10n@unaffiliated/d10n] has joined #openvpn
08:45 -!- james41382_ [~james@unaffiliated/james41382] has quit [Ping timeout: 244 seconds]
08:48 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
08:58 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
09:01 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
09:15 -!- KaaK [~Kevin@wsip-72-205-198-77.ks.ks.cox.net] has quit [Remote host closed the connection]
09:36 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 244 seconds]
09:38 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:47 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:04 -!- Dougy [~dhaber@unaffiliated/dougy] has quit [Changing host]
10:04 -!- Dougy [~dhaber@openvpn/community/support/Dougy] has joined #openvpn
10:04 -!- ServerMode/#openvpn [+v Dougy] by asimov.freenode.net
10:05 -!- problame [~problame@delta.cschwarz.com] has quit [Remote host closed the connection]
10:09 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
10:39 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
10:46 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
10:50 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
10:53 -!- someone [~someone@sonoshee.chronostasis.net] has joined #openvpn
10:59  * Dougy yawns
11:02 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
11:03 < esde> !configs
11:03 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:25 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has quit [Quit: ErrMessage: UserNotFoundException(0x00929e9)]
11:27 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Quit: No Ping reply in 180 seconds.]
11:28 -!- nath_schwarz [~nath_schw@HSI-KBW-134-3-105-207.hsi14.kabel-badenwuerttemberg.de] has joined #openvpn
11:30 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
11:38 -!- baubles [sireebob@unaffiliated/sireebob] has quit [Ping timeout: 258 seconds]
11:43 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
12:12 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
12:18 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has joined #openvpn
12:21 -!- xrosnight [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
12:22 -!- tekku [~me@185.17.149.149] has joined #openvpn
12:25 -!- keatont [~keatont@keatonstaylor.com] has quit [Ping timeout: 264 seconds]
12:27 -!- Netsplit *.net <-> *.split quits: Kephael, cpt-oblivious, tekk, unixninja92
12:27 -!- Kephael__ [~Kephael@unaffiliated/kephael] has joined #openvpn
12:29 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
12:29 -!- Zimsky [~alice@unaffiliated/zimsky] has quit [Ping timeout: 255 seconds]
12:29 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
12:29 -!- Zimsky [~alice@unaffiliated/zimsky] has joined #openvpn
12:31 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
12:31 -!- unixninja92_ [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 250 seconds]
12:32 -!- Netsplit over, joins: unixninja92
12:36 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
12:39 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
12:42 -!- julius_ [~julius_@p3EE282A8.dip0.t-ipconnect.de] has joined #openvpn
12:42 < julius_> hi
12:44 < julius_> for a openvpn client that gets send "redirect-gateway" i need a route entry so that this client can also act as a router.  current routing looks like this: http://tny.cz/443b7132          i had this route entry once before, but i forgot it :( its just one simple route that points to the vpn server....
12:44 <@vpnHelper> Title: 0.0.0.0 10.8.33.9 128.0.0.0 UG 0 0 0 tun0 0.0.0.0... - 443b7132 (at tny.cz)
12:44 < julius_> but how would it look like?
12:44 -!- mattock_afk is now known as mattock
12:50 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
12:57 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
12:58 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
13:05 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 256 seconds]
13:24 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 244 seconds]
13:30 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
13:49 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
14:01 -!- alanjf [~ajf@unaffiliated/alanjf] has joined #openvpn
14:11 -!- u0m3__ [~u0m3@92.80.103.197] has quit [Ping timeout: 265 seconds]
14:49 -!- mattock is now known as mattock_afk
15:22 -!- unfy [~Miranda@wsip-184-185-82-30.om.om.cox.net] has joined #openvpn
15:23 < unfy> if a server gets upgraded from 2.0.x to 2.3.x  --- will 2.0.x clients have any problem connecting ?
15:23 -!- KavanS [~quassel@LINBIT/KavanS] has quit [Ping timeout: 244 seconds]
15:24 <+Dougy> unfy: 3.0?
15:25 < unfy> 3wha? no ?
15:25 <+Dougy> oh
15:25 < unfy> there is no 3.0?
15:25 <+Dougy> i completely misread what you said
15:25 <+Dougy> you said .2.3.x not 3.x
15:25 <+Dougy> Sorry
15:25 < unfy> ah :D np :D
15:26 <+Dougy> I am not sure specifically between 2.0.x to 2.3.x, but if the server is a newer version generally speaking there is no issue
15:26 < unfy> i've got ~1000 clients, don't wanna rock the boat when doing out a staged roll out etc
15:26 <+Dougy> A tip you could do, especially if you are running it in a VM, is snapshot the VPN system so you can roll it back in a second
15:26 < unfy> nope, not in a VM
15:26 <+Dougy> you could dd the vpn box
15:26 <+Dougy> to another (or a vm)
15:26 <+Dougy> and tes
15:26 <+Dougy> t
15:27 <+Dougy> I <3 virtual machines. I dont have a single dedicated physical box any more
15:27 < unfy> i've got some extra test hardware duplicates hanging around that i've been doing other stuff on, am in the process of getting it 2.3.x-ified etc, was just wondering if there were hidden gotcha's etc
15:28 <+Dougy> I have to be honest, as ironic as it is that my vhost says support staff, and I have +v here
15:28 <+Dougy> I am really rusty with openvpn
15:28 <+Dougy> I havent really touched it in several years
15:28 <+Dougy> :X
15:28 <+Dougy> just started to get back into the swing literally yesterday
15:28 < unfy> obviously i've not done much in ages either (2.0 to 2.3 heh)
15:29 < unfy> but selfsigned CA crt is gonna die, need to do sweeping upgrades... figured i'd get other stuff updated as well etc
15:31 <+Dougy> 1000 clients on a single server?
15:32 < unfy> indeed.  there's not much traffic.... and client<>client is disabled ... so it's not so bad
15:33 <+Dougy> IMO, your question you are posing is a perfect  reason why it's "bad"
15:33 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
15:34 < unfy> if the server that is hosting the vpn goes bai bai, then a lot of other stuff goes bai bai.  the hosting server is actively backed up and other such stuff so a hot swap is easy enough etc.
15:34 < unfy> load average: 0.30, 0.24, 0.40  <- and the load aint much
15:35 <+Dougy> yes yes
15:35 <+Dougy> but if you want to do rolled out upgrades, for example
15:35 <+Dougy> perfect case as to why single server is bad idea
15:36 < unfy> restructuring is something i wouldn't mind doing - but is not an option.
15:38 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
15:40 -!- ivanalejandro0 [~quassel@litio.gnucleo.net] has joined #openvpn
15:42 -!- james41382 [~james@unaffiliated/james41382] has quit [Quit: Leaving]
15:44 < ivanalejandro0> Hello, I'm trying to use a verified openvpn version in a script using `git verify-tag v2.3.6`, but the tag is not signed by any of the keys listed on http://openvpn.net/index.php/open-source/documentation/sig.html ... The signature is from "Gert Doering gert@space.net", key id: 65514975 ... Maybe that signature needs to be added to the signatures page?
15:44 < ivanalejandro0> Is there a better way that I could use to verify a version.
15:44 <@vpnHelper> Title: File Signatures (at openvpn.net)
15:48 <+Dougy> unfy: fair enough
15:50 <+Dougy> unfy: i would set up a vm or two to test it at least then, hehe
15:50 < unfy> testing on the extra / copy hardware atm :D
15:54 <+Dougy> there ya go
15:54 <+Dougy> <3 VM's
16:03 <+Dougy> man
16:03 <+Dougy> so many things to moderate on this darn forum
16:03 <+Dougy> lol
16:05 < unfy> not seeing any probs with 2.0 -> 2.3 on server side
16:05 <+Dougy> if you are not a member of our forum, i recommend you come join
16:05 <+Dougy> !forums
16:05 <+Dougy> !forum
16:05 <@vpnHelper> "forum" is (#1) The official OpenVPN support forum is available at http://forums.openvpn.net or (#2) you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
16:05 <+Dougy> :D
16:09 -!- deranged [Jess@sciurus.net] has quit [Ping timeout: 265 seconds]
16:09 < unfy> nah, i rarely have any problems with openvpn etc ... :D
16:10 < unfy> as in, i NEVER have problems <3
16:10 <+Dougy> :>
16:10 <+Dougy> but you can help others!
16:10  * Dougy pets the forums
16:12  * Dougy hammers away at the moderation queue
16:12 <+Dougy> getting there
16:12  * Dougy punches krzee
16:12 < unfy> well, i'll be sticking around here for a while to offer any help he can, but i imagine in an hour or two i'll be gone :D
16:12 -!- deranged [Jess@sciurus.net] has joined #openvpn
16:14 <+Dougy> unfy: well you can always visit tomorrow
16:14 <+Dougy> the door is open
16:14 < unfy> indeed
16:15 < unfy> but, i'm usually far too busy at work to hang out etc
16:15 < unfy> right now - i'm doing openvpn related stuff, so i'm here discussing openvpn related whatever.  in a day or two i no longer will be :P
16:15 <+Dougy> what do you do?
16:17 < unfy> originally while here ? game coding.  then i starting writing bare metal device drivers.  after those were solid, i've gone on to net coding.  now i do net & db & sys admin.  i occaissionally do some network coding (mostly C) and other odds and ends
16:17 <+Dougy> coding eh
16:17 <+Dougy> bless you coders
16:17  * Dougy hates it
16:17 < unfy> in the coming month or two i'll be doing some atmel avr stuff for a USB IO board we'll be doing.
16:18 <+Dougy> sounds interesting
16:18 <+Dougy> big sw dev company huh
16:18 < unfy> i'm not a huge fan of the net / db / sys admin stuff... but it is what it is
16:18 < unfy> nah, we're tiny
16:18 <+Dougy> ah
16:19 < unfy> i think we're less than 20 employees at the moment
16:20 <+Dougy> oh ok
16:20 <+Dougy> where abouts
16:20 < unfy> nebraska
16:20 <+Dougy> ah the boonies
16:20 < unfy> >_>
16:23 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
16:26 <+Dougy> unfy: hehehehe
16:26 <+Dougy> i kind of wish i was in the boonies
16:28 < unfy> i wouldn't call it the boonies, but it's definitely not the rat race that is Cali.  (shudders quietly to himself)
16:28 < unfy> ruh roh
16:29 < unfy> did the server side update, no clients connecting O_o
16:30 -!- seba [~seba@kratzbaum.someserver.de] has quit [Excess Flood]
16:30 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 240 seconds]
16:30 < unfy> ok, they did.  just staggered and stuff.  good good
16:34 -!- seba [~seba@kratzbaum.someserver.de] has joined #openvpn
16:34 -!- mrdigital|mac [~MrDigital@216-15-74-116.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com] has joined #openvpn
16:35 < mrdigital|mac> !welcome
16:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
16:35 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:36 < mrdigital|mac> can someone help me create a OpenVPN on a debian based system?
16:36 <+Dougy> !howto
16:36 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
16:36 < mrdigital|mac> read that
16:37 <+Dougy> !goa
16:37 <+Dougy> !goal
16:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:37 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
16:37 < mrdigital|mac> oh yeah My Goal is to create a VPN to access LAN stuff from outside
16:37 < mrdigital|mac> i need to have a local IP for it to work
16:38 <+Dougy> so you want to access your home or office from the road
16:38 <+Dougy> correct?
16:38 < mrdigital|mac> Yes
16:38 <+Dougy> how about this
16:38 <+Dougy> https://stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
16:38 <@vpnHelper> Title: How to install and set-up OpenVPN in Debian 7 (Wheezy) | Stavrovski.Net (at stavrovski.net)
16:38 <+Dougy> quick easy google found this
16:38 < mrdigital|mac> right i get stuck on the Device
16:38 < pekster> We have a handy flowchart for your needs:
16:38 < mrdigital|mac> Part ... i want to connect an iOS device
16:38 < pekster> !serverlan
16:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
16:38 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
16:39 <+Dougy> mrdigital|mac: ah, you said iOS
16:39 <+Dougy> I'm out
16:39 < mrdigital|mac> also i  tried following one guide
16:39 < unfy> ios erf
16:39 < mrdigital|mac> but the iptables failed
16:39 < mrdigital|mac> to create
16:39 <+Dougy> actually
16:39 <+Dougy> this debian guide i linked looks great
16:39  * Dougy bookmarks
16:39 < mrdigital|mac> the server i want to use is ReadyNas Version of Debian
16:39 < unfy> it does look like a nice quick and easy guide, doug
16:40 < mrdigital|mac> that guide is the same one i followed
16:40 < mrdigital|mac> i get to the iptables part and it fails to make it
16:41 < unfy> does the iptables command simply not run, or ?
16:41 < mrdigital|mac> one second let me log into the machine via SSH
16:41 < mrdigital|mac> and re run it so i can get it
16:41 < mrdigital|mac> its been a few days since i tried this
16:41 < unfy> if it's lenghthy i'm sure paste bin or similar would be appreciated.
16:41 < mrdigital|mac> its ot
16:41 < mrdigital|mac> not
16:42 -!- julius_ [~julius_@p3EE282A8.dip0.t-ipconnect.de] has left #openvpn ["Leaving"]
16:42 <+Dougy> !configs
16:42 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
16:42 <+Dougy> the gist is.. pastebin
16:43 < mrdigital|mac> root@ReadyNAS:~# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
16:43 < mrdigital|mac> iptables: No chain/target/match by that name.
16:43 <+Dougy> Brooklyn:175 Ardsley Loop 5 Patients with Ebloa like symptoms. Recent travel to Africa,
16:43 <+Dougy> oh wrong chan, but none the less, arg
16:44 < pekster> mrdigital|mac: The only thing that's not builtin in that rule is the 'state' module -- did you not build your kernel with support for it? Also, state is deprecated upstream, replaced with the 'conntrack' module'
16:45 < pekster> Best to use `… -m conntrack --ctstate NEW …` instead
16:45 < pekster> Or just omit it entierly; you don't need to worry about just accepting things in ctstate NEW, and you should have a stateful rule earlier (usually the very first) in your INPUT chain anyway
16:45 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
16:46 < unfy> the fact that it looks like he doesn't have an INPUT chain is... weird ?
16:46 < pekster> That's a a builtin chain, unless the kernel was compiled without support for the filter table completely (seems highly unlikely)
16:48 < mrdigital|mac> nat is not built into the kernel
16:48 < pekster> Usually they're modules that get autoloaded
16:48 < unfy> mrd: whatcha get with an " iptables -L -n | grep -i chain "  ?
16:49 < unfy> should be like Chain INPUT, Chain FORWARD, Chain OUTPUT, etc
16:49 < pekster> Ugh, don't use -L: it's norrible. https://github.com/QueuingKoala/fn-netfilter/wiki#why-to-avoid-iptables--l
16:49 <@vpnHelper> Title: Home · QueuingKoala/fn-netfilter Wiki · GitHub (at github.com)
16:49 < pekster> horrible*
16:49 < mrdigital|mac> the 3 you said
16:49 < mrdigital|mac> input, output forward
16:49 < unfy> capitalization might be important ?
16:49 < pekster> mrdigital|mac: `iptables -m conntrack -h` should spew some stuff ending in a 'conntrack match options:' section
16:50 < pekster> If so, use conntrack. the 'state' module is deprecated, although IIRC it's quite rare to omit it completely these-days due to legacy junk "depending" on it
16:53 < unfy> digital: if your input/etc chains aren't all uppercase, make the guide's iptables lines match the case sensitivity of what you got
16:53 < pekster> INPUT is _always_ in caps: it's a builtin
16:53 < pekster> You can never not (double-negative there) have INPUT if you have the filter table loaded
16:54 < mrdigital|mac> thry are all uppercase
16:54 < pekster> input would be a user-defined chain and worthless unless referenced from a builtin
16:54 < mrdigital|mac> but it also doesnt have NAT configured
16:54 < unfy> only the nat line bombs ?
16:54 < mrdigital|mac> yeah
16:54 < mrdigital|mac> im upto that line
16:57 < pekster> mrdigital|mac: Missing kernel support for the NAT table? You can verify it exists with `iptables-save -t nat`
16:57 < mrdigital|mac> iptables-save v1.4.14: Cannot initialize: Table does not exist (do you need to insmod?)
16:58 < pekster> Did you forget to include the module when you built your kernel?
16:58 < pekster> Or is this some "fake root, chroot container VM service" vendor that doesn't give you real access to your host?
16:58 -!- RandIter [sid32215@gateway/web/irccloud.com/x-icylpmczmdvodfvx] has joined #openvpn
16:58 < mrdigital|mac> i didnt built the kernel
16:58 < mrdigital|mac> its a ReadyNAS
16:59 < unfy> i used interface based forwarding instead of any nat stuff for my setup...
16:59 < pekster> Then they didn't built that support into it; you'd need to obtain the kernel module if you wnat to do NAT. But you don't need NAT for your stated goal of reaching LAN network devices from a roaming client
16:59 < pekster> mrdigital|mac: Did you see the flowchart I linked? NAT is not needed, and I highly suggest you read the flowchart
16:59 < unfy> (iptables -A FORWARD -i tun0 -o eth1 ... etc)
17:00 < mrdigital|mac> pekster: i cant even get to step 1 of it
17:01 < pekster> Pinging the VPN server? Then you need to fix your VPN before you try to do IP forwarding across it. Did you have (decommented) configs posted somewhere?
17:01 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 265 seconds]
17:02 < unfy> ie: something like: http://pastebin.com/Epb5C2Uh
17:03 < pekster> Line 3 is worthless becuase it won't ever not matching things matched by line 4
17:05 < pekster> And by configs I meant !configs. Netfilter rulesets should only ever be shown with `iptables-save -c` (or you're omitting critical information. Scripts are, notablely, not rulesets
17:06 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
17:06 < mrdigital|mac> !configs
17:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:06 < mrdigital|mac> one second
17:11 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 240 seconds]
17:14 -!- u0m3 [~u0m3@92.80.98.219] has joined #openvpn
17:15 < mrdigital|mac> ok followed another  howto for ReadyNas
17:15 < mrdigital|mac> i seem to be getting connection refused on ports
17:21 < unfy> as in when the openvpn client attempts to connect to the openvpn server ?
17:23 -!- u0m3 [~u0m3@92.80.98.219] has quit [Ping timeout: 264 seconds]
17:23 < mrdigital|mac> no i did a port scan to see if its visiable online
17:26 < pekster> 1) don't use tcp, 2) in UDP you won't get a reply unless you send an openvpn packet (and I'm guessing your "port scanner" isn't doing this.) 3) even with tcp or an "openvpn-aware port scanner" it will STILL be ignored by openvpn if you use --tls-auth and don't have a matching HMAC key
17:26 < pekster> This is why I asked for configs. 3 times, in fact. We can't help if we don't see what you've done; fairly straight-forward really
17:30 < mrdigital|mac> ok i kinda got a modified version of openvpn working
17:30 < mrdigital|mac> all ports are open etc
17:30 -!- Kephael__ [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
17:30 -!- Kephael_ [~Kephael@unaffiliated/kephael] has joined #openvpn
17:30 < mrdigital|mac> but iPhone Says not responding
17:30 -!- RandIter [sid32215@gateway/web/irccloud.com/x-icylpmczmdvodfvx] has left #openvpn []
17:31 < mrdigital|mac> got it
17:31 -!- sand3r [~user@unaffiliated/sand3r] has joined #openvpn
17:31 < sand3r> hi
17:31 < sand3r> i am using debian linux
17:31 < sand3r> 7
17:31 < sand3r> and openvpn
17:31 < sand3r> should i run "openvpn --config "hereitcomes.conf" as root?
17:31 < sand3r> or should i run "su openvpn --config "hereitcomes.cong" as user?
17:32 < sand3r> my question is, should i run openvpn as root or as su?
17:35 < pekster> sand3r: You'll need to run openvpn as root for things like routes and address configuration to work properly (or be very clever about elevating those through the script hooks.) How you launch openvpn as root is up to you
17:36 < sand3r> pekster: so i could not run it as sudo?
17:36 < pekster> Your syntax for su is wrong though; read su(1) for details, and in particular note that -c is only acceptable for commands that do not need a controlling TTY; maybe you were thinking of sudo?
17:36 < pekster> You do not run things "as" sudo
17:36 < pekster> (unless you have a user named sudo, but that would be.. odd)
17:36 < pekster> sudo is a command to run another command in the context of another user, which is generally root
17:36 < sand3r> pekster sudo = temporary root.
17:36 < sand3r> ?
17:37 < pekster> No. Manpage of sudo explains what it is in the very first line
17:37 < pekster> NAME sudo, sudoedit — execute a command as another user
17:37 < pekster> Ref: sudo(8)
17:37  * esde personally, i name all my non root users sudo :P
17:38 < pekster> I once had the misfortune to work with an appliance that managed to rename the root account to 'admin' :\
17:38 < esde> that's annoying
17:38 < mrdigital|mac> has anyone gotten multicasting and bonjour to work over vpn?
17:38 < sand3r> pekster: so how should i run openvpn? as root or su? but no sudo?
17:38 < pekster> mrdigital|mac: You'll need tap for multicast to work since it requires L2 broadcasts (LL Ethernet frames)
17:38 < sand3r> :/
17:39 < sand3r> get confused
17:39 < pekster> sand3r: Run it as root, "however you'd like to obtain that level of execution."
17:39 < mrdigital|mac> has anyone used softether which is a modified OpenVPN?
17:41 < sand3r> pekster: k thanks
17:42 < sand3r> pekster: but if you run sudo, you would login as root
17:42 < sand3r> and if you run sudo userhere, you login as "userhere"
17:42 < sand3r> so if there is no first line. you login as root :)
17:42 < mrdigital|mac> 2 layer broadcasts you mean?
17:43 < pekster> Yup. Multicast cannot work over a Layer 3 link, which is what tun is
17:43 < pekster> tun is IP encapsulation, while tap is Etherent encapsulation
17:43 < sand3r> some people also says:
17:43 -!- he_bgb5 [~puppy@98.206.248.96] has joined #openvpn
17:43 < sand3r> You should only run root where there are either permissions that  require more than sudo. Or changes that can't be made without  the root account. Like you may not have write permissions for  certain partitions and sudo won't end up working. Or when you  drop into a shell from recovery mode it becomes root.
17:43 < sand3r> Running root permanently is a security hole.
17:44 < sand3r> thats why i asked about running openvpn as root
17:44 < sand3r> but i trust you pekster :) i guess
17:44 < pekster> And I explained why it's required. Read about the --user or --group options to downgrade permission, but be aware you effectively cannot do this as a client unless you either 1) can absoutely gaurentee the server will not issue another IP to the client on reconnect, or 2) exit fatally on connection problems
17:45 < pekster> doing neither as a client will eventually break things. Doing it as a server is a bit more straight-forward; in both cases --persist-key and --persist-tun are required; there's your manapge reading on the subject
17:47 < mrdigital|mac> will l2tp work?
17:48 < pekster> !notcompat
17:48 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible. or (#2) OpenVPN connects only to OpenVPN
17:48 < mrdigital|mac> i know its not compate
17:48 < mrdigital|mac> compat but will l2tp work for bonjour/multicast?
17:49 < esde> interesting stuff regarding VPN's http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html interesting openvpn was not mentioned (though I didn't click through and read the PDF's in their entirety)
17:49 <@vpnHelper> Title: Inside the NSA's War on Internet Security - SPIEGEL ONLINE (at www.spiegel.de)
17:49 -!- tobinski [~tobinski@x2f581d0.dyn.telefonica.de] has quit [Quit: Leaving]
17:49 < he_bgb5> hello all
17:49 < pekster> I'd presume so, but I don't know all that much about its OSI L2 features (and I tend to stay away from Microsoft-branded protocols in general on principle unless I have reason to do otherwise)
17:50 -!- novae [~novae@unaffiliated/novae] has quit [Ping timeout: 245 seconds]
17:51 < sand3r> pekster: thanks!
17:51 < pekster> esde: Not really anything "new" from a security standpoint, but it's "in the news" again. Just the usual FUD about weak security being attacked and people deemed "interesting enough" also attacked via side-channel methods. Same stuff that's been going on for decades ;)
17:51 < mrdigital|mac> using iphone OPVPN app can it do tap?
17:52 < esde> I found the note about SecurityKiss interesting
17:52 <@plaisthos> no
17:52 < pekster> Nope, the mobile apps (both the community maintained Android one, and the corporate-backed Connect client) can only use tun
17:52 < esde> "According to an NSA document dating from late 2009, the agency was processing 1,000 requests an hour to decrypt VPN connections. This number was expected to increase to 100,000 per hour by the end of 2011. The aim was for the system to be able to completely process "at least 20 percent" of these requests, meaning the data traffic would have to be decrypted and reinjected."
17:52 < mrdigital|mac> damn so otherwords this wont work
17:53 < sand3r> pekster: are you recommend to chain vpns?
17:53 < pekster> Nope
17:53 < esde> such processing power
17:53 < sand3r> host -> vpn1 -> vpn2
17:53 < pekster> Set your VPN up right the _first_ time
17:54 < sand3r> pekster: why not?
17:54 < esde> took me a while to learn that ^
17:54 < pekster> Because it's pointless
17:54 < sand3r> pekster: what do you mean by "set it up right"?
17:54 < esde> make it work, then start adding stuff
17:55 < pekster> esde: Sure, broken protocols are broken. In equally obvious news, MS LM hashes are weak, and MSCHAPv2 has been known week for decades now :P
17:55 < pekster> www.cloudcracker.com
17:55 < sand3r> esde: ok
17:55 < pekster> 1 hour and $100 can gaurentee broken PPTP (when used with MS-CHAPv2, which is the most common deployment)
17:55 < pekster> your local $govt_agency can surely do it faster than that
17:56 < sand3r> pekster: i gonna quote this:
17:56 < sand3r> Permissions can still be altered with sudo. But with OpenVPN is  no more a program then another. I'm just not to familiar with  that program.
17:56 < esde> Yes, I'm aware broken services are vulnerable. I was (wrongly, apparently) assuming they had found some way to exploit newer encryption algorithms
17:56 < sand3r> If servers ran root permanently they'd all be compromised.
17:56 < esde> *encryption algorithms
17:56 < sand3r> Maybe he meant to use root to alter permissions. For that  specific period.
17:57 < he_bgb5> Can anyone help? Looking to start a subscription to a VPN or SSH, etc. Just looking for some advice. Not sure where to begin...?
17:57 < esde> Why not roll your own?
17:57 < esde> A VPS and some time is all it takes. usually the vps is cheaper than a paid VPN service
17:58 < he_bgb5> ok
17:58 < he_bgb5> what is the difference?
17:58 < esde> paid VPN service, they host and maintain openvpn server
17:58 < esde> roll your own, you control and maintain the openvpn server
17:59 < he_bgb5> hahaha lost! Roll?
17:59 < esde> do it yourself?
17:59 < sand3r> As using sudo restricts a few privileges whereas su doesn't.
17:59 -!- novae [~novae@unaffiliated/novae] has joined #openvpn
17:59 < sand3r> http://www.howtogeek.com/111479/htg-explains-whats-the-difference-between-sudo-su/
18:00 < esde> plus you could do more with the VPS down the road if you wanted, like learn how to program or host your own web services/app/etc
18:00 < pekster> Maybe you're looking for ##security sand3r? It's assumed people using OpenVPN are familiar with their OS and security/Unix basics
18:00 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has joined #openvpn
18:01 < he_bgb5> sand3r, ty. esde ty. Any links would be appreciated. Needing to use Tor and was told to use a vpn through VB over an ssh???
18:01 < sand3r> If the modifications can be made just using sudo it's ideal. If  the modifications can be made using su change what you need then  exit the root user.
18:02 < esde> not familiar with the setup you described but there's an official how to (tutorials and other third party guides are generally discouraged)
18:02 < esde> !howto
18:02 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror
18:03 < he_bgb5> I will read it TY all.
18:03 < esde> !goal
18:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:03 < esde> if you state your goal more clearly, maybe someone will offer help
18:03 < he_bgb5> ah
18:03 < he_bgb5> ok
18:04 < he_bgb5> I have Comcast as ISP...need say more
18:04 < he_bgb5> hahaha
18:04 < esde> I know your pain
18:04 < he_bgb5> I'd like to start my own 'private' ISP please...
18:05 -!- james41382 [~james@unaffiliated/james41382] has quit [Ping timeout: 258 seconds]
18:05 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
18:06 < sand3r> he_bgb5: yw
18:06 < he_bgb5> yw <--?
18:06 < he_bgb5> new
18:07 < esde> what do you mean by "start my own 'private' ISP"? please elaborate
18:08 < sand3r> you welcome
18:11 < he_bgb5> If I had my own ISP I wouldn't care who used it and for what...
18:12 < he_bgb5> sand3r, got it :)
18:14 < he_bgb5> My 19 yr old niece suffered a spinal cord injury and needs medication only sold overseas. I was told a vpn could help....
18:14 < he_bgb5> !goal get meds without feds
18:14 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 258 seconds]
18:17 -!- sand3r [~user@unaffiliated/sand3r] has quit [Ping timeout: 250 seconds]
18:19 < esde> sounds like you want to route traffic through the vpn
18:22 < he_bgb5> ok?
18:23 < he_bgb5> esde reading now the difference between vpn&vps.
18:24 < he_bgb5> Do I need to purchase VPS space to upload Tor onto. Then connect to it through vpn?
18:24 < he_bgb5> so confusing
18:24 < esde> why do you need tor?
18:25 < he_bgb5> I have purchased a privatized domain but have no idea what to do next.
18:25 < esde> why do you need a domain?
18:25 < he_bgb5> Apparently the medication she needs is found on Tor...
18:26 < esde> you could use tor without needing anything more than your hardware and an internet connection (comcast)
18:26 < esde> but this isnt the place for tor discussion, really
18:26 < he_bgb5> comcast reports Tor use.
18:26 < he_bgb5> i agree
18:27 < he_bgb5> so basically I would need to start a VPN before ISP, correct?
18:28 < esde> if you're going to go through your VPN to access tor, you'll need to be sure your VPS/VPN provider allows tor
18:28 < he_bgb5> ok.ty.
18:29 < esde> not the protocol per se, but many hosting providers forbid the use of tor due to abuse
18:30 < he_bgb5> I've heard its sketchy. Thats why I ask
18:31 -!- mrdigital|mac [~MrDigital@216-15-74-116.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com] has quit [Quit: (null)]
18:31 < he_bgb5> esde can we talk private?
18:32 < esde> tor isnt sketchy in the least, it's very useful. however, (small) select groups of people may choose to use it for nefarious or otherwise questionable reasons, but tor itself is neat
18:32 < esde> bad time, about to start dinner very soon
18:32 < he_bgb5> how can we chat later? New to IRC.
18:34 < esde> shoot me a PM, if you're on later i'll reply
18:36 <+Dougy> 19:13:10        he_bgb5 | !goal get meds without feds
18:36 <+Dougy> ouch
18:39 < he_bgb5> Dougy, yeah tell me about it. Trying to help my niece by any means necessary.
18:40 <+Dougy> i cant ever encourage breaking federal law, especially as a rep of the openvpn project
18:40 <+Dougy> but unofficially
18:40 <+Dougy> you are a good man
18:40 < he_bgb5> ty
18:41 < he_bgb5> My sister has no idea how to even turn a computer on, let alone this intricate.
18:42 < he_bgb5> I'm a newbie by your guys' standards. I'm in awe of the knowledge.
18:56 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 244 seconds]
19:33 -!- unfy [~Miranda@wsip-184-185-82-30.om.om.cox.net] has quit [Quit: Miranda IM! Smaller, Faster, Easier. http://miranda-im.org]
19:45 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
19:55 < novae> Is it possible to have two tunnels on the one tun?
19:57 < esde> i think it is, but i've never looked at it or tried
19:57 < pekster> Nope, one instance eats a device each
19:58 < pekster> For tun that shouldn't ever be a problem since you can juat as easily route between multiple instances
19:58 < pekster> Same with tap, with any bridging needs handled by your OS in "the usual" way
19:58 < pekster> (or don't bridge at all and route, also in the usual way. That's preferred unless you need a single broadcast domain anyway)
19:58 < esde> can a user create more tun/taps?
19:59 < pekster> Just add --dev tun_vpn1 # etc to your configs
20:00 < pekster> Or specific numbers, or don't do anything, just `--dev tun` and openvpn will pick the next free integer
20:00 < novae> Hmm, that's a pitty as i want to setup a "fully connected" VPN topology but can't find a way to do it without assigning each node multiple IPs
20:02 < pekster> You mean like a mesh/star topology? Using PtP you can always have the notion of a particular destination referred to by the same IP in such a setup, though the sources would be different for each. Routing over a toplogy like that gets tricky if you want to support partial breaks (you'd need some OSPF or similar magic to handle that)
20:02 < novae> Hmm, i guess like a star/mesh, each node would be connected to every other node.
20:03 < novae> But i don't want to route across multiple VPN hops as connection speed is an issue for some of the nodes.
20:04 < pekster> That makes the job easier then. You can just slap a bunch of PtP VPNs together (and yes, PtP addressing works with TLS too if you want the forward-secrecy benefits)
20:05 < pekster> You'll need to pick arbitrary "serve" vs "client" designations during the TLS handshakes, but otherwise PtP can be stateless, and you can even have the "connecting" side act as a TLS-server for the handshake if you really want (though that's a bit non-standard, it's a valid config)
20:05 < pekster> ie: both ends can have a 'remote' statement
20:08 < novae> so i can have multiple PtP links from the same VPN IP? Such as "ifconfig 10.0.0.1 10.0.0.2" and "ifconfig 10.0.0.1 10.0.0.3"?
20:09 -!- james41382 [~james@unaffiliated/james41382] has joined #openvpn
20:11 < novae> pekster: ^
20:17 < pekster> No, don't do that, but "every" node could (and probably should, in such a setup) refer to the "far" peer with the same IP
20:17 < pekster> That way, no matter what system you're on, you'd always reach "Node A" at the IP 10.0.0.1, for instance
20:18 < pekster> Works well if you stick that in a DNS zone too, like node-a.vpn.yourdomain.net
20:32 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:47 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
20:48 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
21:01 -!- KavanS [~quassel@LINBIT/KavanS] has joined #openvpn
21:10 -!- toothe [~mongolian@unaffiliated/toothe] has joined #openvpn
21:10 < toothe> I'm having a bit of trouble with openvpn to route IPv6. It seems that my endpoint doesn't seem to route ipv6 traffic.
21:12 < novae> pekster: being able to put this in a DNS zone was why i was doing all this :)
21:18 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
21:23 < novae> pekster: something like this? I don't know "how to" address the other P2P links. This should be straight forward and for some reason my head is in the wrong space to work it out.
21:23 < novae> http://pastebin.com/LnnntkZq
21:25 < novae> wait, this wrong too. this one: http://pastebin.com/zC7EYRkz
21:27 < he_bgb5> what is the best website for sharing images/screenshots over IRC?
21:28 < he_bgb5> pastebin.com is no good!!!
21:28 <+Dougy> imgur is good for screenshots
21:28 <+Dougy> if its legal
21:33 <+Dougy> miso soup nom nom
21:34 < he_bgb5> Dougy ty again
21:35 < he_bgb5> please post a link to imgur
21:36 < he_bgb5> I was using pastebin and someone said they were receiving porn shts instead of screenshots!!
21:36 <+Dougy> www.imgur.com
21:36 <+Dougy> for images
21:45 -!- teksimian [~chatzilla@216-58-84-54.cpe.distributel.net] has joined #openvpn
21:48 < Eugene> vomitb.in is best bin
21:48 -!- lachesis [~lachesis@unaffiliated/lachesis] has quit [Ping timeout: 258 seconds]
21:54 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
21:59 < novae> So how do i address these point to point interfaces? http://pastebin.com/zC7EYRkz
22:14 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has joined #openvpn
22:20 -!- Pyrogerg [~Gregory@67-0-250-17.albq.qwest.net] has quit [Ping timeout: 272 seconds]
22:36 -!- Kephael_ [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:38 -!- he_bgb5 [~puppy@98.206.248.96] has quit [Remote host closed the connection]
23:37 -!- ShadniX [dagger@p5DDFD763.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:40 -!- ShadniX [dagger@p5DDFC16C.dip0.t-ipconnect.de] has joined #openvpn
23:41 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
23:51 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
23:52 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
--- Day changed Tue Dec 30 2014
00:12 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
00:12 -!- r00t^2_ [~bts@g.rainwreck.com] has joined #openvpn
00:13 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
00:13 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Ping timeout: 240 seconds]
00:15 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Client Quit]
00:16 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
00:21 -!- r00t^2_ is now known as r00t^2
00:58 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
00:59 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
01:10 -!- Leper_ [6cc885e9@gateway/web/freenode/ip.108.200.133.233] has joined #openvpn
01:10 < Leper_> Hello, OpenVPN question. Is there multithreaded option for generating keys when using ./build-dh [like -j in gcc]? A pointer is appreciated :D
01:11 -!- Leper_ [6cc885e9@gateway/web/freenode/ip.108.200.133.233] has left #openvpn []
01:12 <@krzee> 1 minute, thats why i like the webchat ban
01:29 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:33 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:51 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
02:29 -!- Shiftos [~shiftos@gateway/tor-sasl/shiftos] has quit [Remote host closed the connection]
03:24 -!- kossy [a@unaffiliated/kossy] has quit [Ping timeout: 258 seconds]
03:26 -!- kossy [a@unaffiliated/kossy] has joined #openvpn
03:27 -!- AsadH [~AsadH@unaffiliated/asadh] has quit [Ping timeout: 258 seconds]
03:31 -!- AsadH [~AsadH@unaffiliated/asadh] has joined #openvpn
04:15 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
04:16 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
04:19 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
04:22 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
04:24 -!- toothe [~mongolian@unaffiliated/toothe] has quit [Quit: leaving]
04:40 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
04:40 -!- tobinski [~tobinski@x2f60bda.dyn.telefonica.de] has joined #openvpn
04:49 -!- supergauntlet is now known as boypussy
05:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
05:05 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
05:09 -!- typ [~quassel@unaffiliated/typ] has quit [Remote host closed the connection]
05:14 -!- typ [~quassel@unaffiliated/typ] has joined #openvpn
05:31 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:19 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
06:19 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
06:20 -!- badon_ is now known as badon
06:33 -!- unixninja92 [~unixninja@whirlpool.stdnt.hampshire.edu] has quit [Ping timeout: 255 seconds]
07:05 -!- KavanS [~quassel@LINBIT/KavanS] has quit [Write error: Connection reset by peer]
07:22 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Ping timeout: 240 seconds]
07:24 -!- mattock_afk is now known as mattock
07:56 -!- havingFun [~quassel@unaffiliated/xrosnight] has quit [Remote host closed the connection]
08:08 -!- u0m3 [~u0m3@92.80.67.140] has joined #openvpn
08:47 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
08:48 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:49 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
08:54 -!- samael [~earendil@multivac.valis-e.com] has joined #openvpn
08:54 < samael> hello
08:58 < samael> i need to push a specific static route to a single client. should i add route or iroute to its cdd? i just rtfm but i'm still a bit confused
09:00 -!- cwillu_at_work [~cwillu@cwillu.com] has joined #openvpn
09:03 < samael> nvm, solved it.
09:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
09:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
09:38 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 264 seconds]
09:41 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
09:57 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:01 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
10:09 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
10:09 -!- mode/#openvpn [+v s7r] by ChanServ
10:16 <@krzee> samael, push route in the ccd
10:16 <@krzee> !iroute
10:16 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:18 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Disconnected by services]
10:18 -!- badon_ [~badon@pdpc/supporter/active/badon] has joined #openvpn
10:18 -!- badon_ is now known as badon
10:19 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
10:19  * Dougy pokes krzee
10:20 <+Dougy> what up
10:21 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Quit: Sto andando via]
10:24 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
10:56 -!- ngharo [~ngharo@nexus.sypherz.com] has joined #openvpn
11:00 < ngharo> Greetings! is remote-random valid inside a <connection> block?
11:00 < ngharo> i want to try a random list of UDP remotes, then only if that fails, continue on to a 443:TCP connection block
11:04 -!- alphazulu [~alphazulu@rrcs-108-169-175-50.central.biz.rr.com] has joined #openvpn
11:05 < alphazulu> i have openvpn gui setup and connected on a win8.1 system yet i'm noticing that my web browsing is not going through the vpn
11:10 < DArqueBishop> !configs
11:10 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
11:12 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
11:38 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
11:44 -!- xTz [~xTz@DeathStar.Techn0.eu] has joined #openvpn
12:35 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has quit [Read error: Connection reset by peer]
12:36 -!- alphazulu [~alphazulu@rrcs-108-169-175-50.central.biz.rr.com] has quit [Ping timeout: 250 seconds]
12:37 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 244 seconds]
12:38 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
12:43 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 265 seconds]
12:44 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
12:44 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Remote host closed the connection]
12:49 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 272 seconds]
12:50 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
12:55 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 265 seconds]
12:55 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:00 -!- Kniaz1 is now known as Kniaz
13:00 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 250 seconds]
13:01 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:06 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 245 seconds]
13:07 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:08 -!- polygraphed [~polygraph@188.95.51.94] has joined #openvpn
13:08 -!- polygraphed [~polygraph@188.95.51.94] has left #openvpn []
13:12 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 255 seconds]
13:13 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:19 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 272 seconds]
13:19 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:23 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
13:24 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
13:24 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 264 seconds]
13:25 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:28 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
13:30 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 250 seconds]
13:31 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:36 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 255 seconds]
13:36 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:42 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 264 seconds]
13:42 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:47 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 256 seconds]
13:48 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:52 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 240 seconds]
13:53 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
13:58 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 244 seconds]
13:59 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
14:02 -!- kdu [~kdu@109.174.174.98] has joined #openvpn
14:04 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 256 seconds]
14:04 -!- lattera [~lattera@73.173.99.185] has joined #openvpn
14:05 < lattera> by default, the easy-rsa 2.0 scripts distributed with openvpn create x509 certs with sha1... is there a way to change that to use sha-256 or sha-512?
14:05 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
14:05 < esde> I didn't realize that, and am also interested
14:07 -!- kdu [~kdu@109.174.174.98] has quit [Ping timeout: 258 seconds]
14:07 < lattera> ah, here we go: https://bugzilla.redhat.com/show_bug.cgi?id=1046519
14:07 <@vpnHelper> Title: Bug 1046519 SHA256 should be used instead SHA1 (at bugzilla.redhat.com)
14:07 -!- ki7rw [~quassel@216.75.116.100] has joined #openvpn
14:24 -!- bacon| [marom@unaffiliated/cowbacon] has quit [Ping timeout: 256 seconds]
14:26 < BtbN> easyrsa isn't distributed with OpenVPN for quite a while now
14:27 < atyoung> You can generate certs on your own with openssl
14:28 < atyoung> just add -sha256 to the line no biggy
14:29 < atyoung> Google is your friend as far as syntax is concerned.
14:40 -!- alphazulu [~alphazulu@rrcs-108-169-175-50.central.biz.rr.com] has joined #openvpn
14:41 -!- mattock is now known as mattock_afk
14:41 < alphazulu> i put the route-method exe stuff in the client config yet the primary default route is still the wireless adapter, meaning web traffic is still not going through the VPN
14:42 < alphazulu> oddly when i use WinMTR I can see the pings routed through the VPN
14:42 < alphazulu> the route metric of the wireless adapter is 30 and that of the VPN interface is 532
14:52 -!- julius_ [~julius_@p3EE283B4.dip0.t-ipconnect.de] has joined #openvpn
14:52 < julius_> hi
14:52 < julius_> could you guys take a look at this:; https://forums.openvpn.net/topic17849.html           its about using a client that got redirect-gateway active as router
14:52 <@vpnHelper> Title: OpenVPN Support Forum redirect-gateway client as router : Server Administration (at forums.openvpn.net)
14:53 < julius_> you dont have to answer there, here is fine
15:28 -!- alanjf [~ajf@unaffiliated/alanjf] has quit [Read error: Connection reset by peer]
15:37 -!- KeatonT [~keatont@keatonstaylor.com] has joined #openvpn
15:39 -!- ivanalejandro0 [~quassel@litio.gnucleo.net] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
15:52 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit []
15:53 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has joined #openvpn
16:52 -!- mazde [a4d71362@gateway/web/freenode/ip.164.215.19.98] has joined #openvpn
16:52 < mazde> Hello, I want to use IPtables to forward OpenVPN to a port, how can I do that ?
17:01 -!- alphazulu [~alphazulu@rrcs-108-169-175-50.central.biz.rr.com] has quit [Quit: alphazulu]
17:11 < novae> Can anyone help with addressing these point to point interfaces? http://pastebin.com/zC7EYRkz As per a discussion with pekster yesterday i want each node to have a single VPN address that all of the other nodes can communicate with it on.
17:12 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:13 < svm_invictvs> So if I use redirect-gateway the documentation says that will route all traffic through the VPN correct?
17:14 < svm_invictvs> But from what I read ,there's ways to have more fine-grained control correct?
17:25 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 244 seconds]
17:26 -!- ValdikSS [~valdikss@185.61.149.121] has joined #openvpn
17:33 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
17:33 -!- mode/#openvpn [+v RBecker] by ChanServ
17:36 -!- pentanol [~Unknown@unaffiliated/pentanol] has joined #openvpn
17:37 < pentanol> hello, I'm using openvpn and can't ping from the server local client networks. I make PUSH route in server configuration, but this didn't work. From client I can ping servers local networks.
17:37 < pentanol> http://pastebin.ca/2894920
17:37 < pentanol> 172.28.1.1 172.28.1.2 server tun ip's
17:37 < pentanol> 172.28.1.5 172.28.1.6 client tun ip's
17:45 <+Dougy> hi
17:45  * Dougy reads
17:45 <+Dougy> so you are going server -> client subnet un successfully
17:45 <+Dougy> but client -> server subnet is fine?
17:47 -!- badon [~badon@pdpc/supporter/active/badon] has quit [Quit: Leaving]
17:47 -!- tobinski [~tobinski@x2f60bda.dyn.telefonica.de] has quit [Quit: Leaving]
17:48 < esde> might be helpful for understanding his goal http://pastebin.com/raw.php?i=FUr826N6
17:48 <+Dougy> esde: hm?
17:49 < esde> the logs from when he originally was working with pekste r on the issue
17:49 <+Dougy> different nick thenn
17:49 < esde> i need sleep
17:49 < esde> holy crap, sorry for the derail
17:51 < novae> esde: Thanks for that, i'd lost the history :)
17:52 < pentanol> Dougy client -> server is fine
17:52 < pentanol> server -> client is fail
17:52 < esde> glad it was helpful in some capacity! :)
17:52  * Dougy pets esde
17:52 <+Dougy> pentanol: firewall
17:52 <+Dougy> return route
17:52 < pentanol> no
17:53 <+Dougy> if it works one way and not the other, something is blocking it
17:53 < pentanol> iptables accepts all in all chains
17:53 <+Dougy> return route?
17:53 <+Dougy> what do the routing tables look like, is it correct?
17:53 < pentanol> what's return route?
17:53 <+Dougy> i would assume your VPN is not going right to the server in question
17:53 <+Dougy> but rather to say, the firewall
17:54 < pentanol> I think so
17:54 <+Dougy> or a vpn appliance
17:54 < pentanol> I do the same as on client
17:54 <+Dougy> If you can go server -> device -> client but not client -> device -> server, or vice versa
17:54 <+Dougy> sounds like one way doesnt have a route to the other
17:54 < pentanol> vpn software the same on openwrt the same firmware on the same router models
17:55 <+Dougy> so it's openwrt<->openwrt
17:55 < pentanol> yes
17:55 <+Dougy> can you access the server from openwrt on client side
17:55 < pentanol> from the server I can't.but from client I can
17:56 <+Dougy> soserver side WRT can't access client side device
17:56 <+Dougy> correct?
17:56 <+Dougy> what happens when you run a trace to client IP address? what's the trace look like
17:56 <+Dougy> from the server
17:59 < pentanol> Dougy from server I can fing client tun address 172.28.1.6, but can't ping network behinde the vpn
17:59 < pentanol> ping*
18:00 <+Dougy> lets see the routing tables from both WRT devices
18:00 <+Dougy> pastebin them and redact any public ip's
18:00 < pekster> Ugh.
18:00 < pentanol> route added the same way client as server
18:00 < pentanol> hm
18:00 < esde> flowcharts are fun :)
18:00 < pekster> !5737
18:00 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
18:01 <+Dougy> pekster: ?
18:01 < pentanol> http://pastebin.ca/2894920
18:01 < pekster> Encouraging people to hide IPs only leads to major headaches troubleshotting as users tend to do it wrong more often than not
18:02 < pekster> It's actually quite hard to do it in a way that does not alter the information provided
18:02 <+Dougy> pekster: what's wrong with doing <<snip>> to hide a publlc IP
18:02 <+Dougy> lol
18:02 <+Dougy> if its a public ip in an item, it probably has nno us here
18:03  * Dougy rubs his chin
18:03 < pekster> Sorry no. It has lots of use sinc incorrectly attempting to route encapsulating traffic over the VPN, for instance, has lots of issues
18:03 <+Dougy> fair enough
18:03 < pekster> But I'm not going to explain all the ways I have personally seen such things
18:03 <+Dougy> that was good enough
18:03 <+Dougy> i digress
18:04 <+Dougy> pentanol: so 192.168.64.0/24 is the server side?
18:04 <+Dougy> and 32.0/24 is client side?
18:04 < pekster> fwiw, same thing encouraging people to hide DNS names too (consider foo.local and an mdns resolver)
18:05 < pekster> pentanol: Have you seen !clientlan? If not, it has a series of steps the determine where your issue is
18:05 < pekster> flowchart is most helpful
18:06 <+Dougy> i haven't seen it, but i haven't been here in long time
18:06 <+Dougy> !clientlan
18:06 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
18:06 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
18:06 <+Dougy> haha ircpimps still exists
18:06 < pekster> It's been down for a while; I set up a mirror when it was still marginally accessible
18:07 <+Dougy> he has no route push in his server config
18:07 <+Dougy> :)
18:07 < esde> looks down from here :/
18:08 < pekster> FYI, netstat is deprecated on Linux. Best to use tools that have been maintained the last 12 years instead. https://github.com/QueuingKoala/fn-netfilter/wiki#avoid
18:08 <@vpnHelper> Title: Home · QueuingKoala/fn-netfilter Wiki · GitHub (at github.com)
18:08 < pekster> !learn net-tools as
18:08 <@vpnHelper> Joo got it.
18:08 < pekster> :\
18:08 < pekster> !forget net-tools
18:08 <@vpnHelper> Joo got it.
18:09 < pekster> !learn net-tools as https://github.com/QueuingKoala/fn-netfilter/wiki#avoid
18:09 <@vpnHelper> Joo got it.
18:09 <+Dougy> i am lazy
18:09 <+Dougy> i still use ifconfig a lot
18:09  * Dougy is learning ip now
18:09 < pekster> As the "listed here" link explains, that works right up until it doesn't
18:09 <+Dougy> i boookmarked that
18:09 <+Dougy> thank you kindly
18:09 < pekster> Also, welcome to the 21st century on Linux ;)
18:09 <+Dougy> hey
18:10  * Dougy strokes his neckbeard and pats his red hat 6 boxes
18:11 <+Dougy> 1999 mang
18:11 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Remote host closed the connection]
18:12 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
18:13 < novae> pekster: How do i number these interfaces to give each "node" a unique IP thats addressable by each of the other nodes? I can't seem to work it out without using the same IP across multiple PtP interfaces http://pastebin.com/zC7EYRkz
18:23 < pekster> novae: Define the peer IP the same on all "other" systems when referring to 'node-A'
18:26 < pekster> eg: node-B configures its connection to node-A as '--ifconfig 10.8.0.2 10.8.0.1'. Node-C (also to node-A) uses '--ifconfig 10.8.0.3 10.8.0.1'
18:26 < pekster> etc
18:30 < pekster> Probably best to pick the 'local' addressing in a completely different subnet actually
18:30 < pekster> --ifconfig 10.9.0.1 10.8.0.1, for instance
18:31 < pekster> Addresses are completely arbitrary and basically meaingles in PtP -- the only purpose they serve is to apply a conveinent way to express "shove data down this tube that only goes to 1 place"
18:33 < novae> So something like this? http://pastebin.com/F677FTAA
18:35 < pekster> Sure, but you don't need to try so hard not to overlap the local IPs universally
18:35 < pekster> They only need to be unique from the view of each system, not globally (unlike the peering IP)
18:39 < novae> I know, but from a management point of view it makes more sense.
18:39 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:40 < pekster> Sure, it won't hurt, and RFC1918 is nearly limitless
18:41 < Zimsky> >nearly
18:45 < pekster> If you run out of 10/8 doing PtP you're doing it very wrong. ULA can fix that though ;)
18:54 -!- cpt-oblivious [~quassel@freebsd/user/cpt-oblivious] has joined #openvpn
18:55 -!- badon [~badon@pdpc/supporter/active/badon] has joined #openvpn
19:00 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has quit [Ping timeout: 250 seconds]
19:03 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Ping timeout: 250 seconds]
19:04 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
19:06 -!- DrCode [~DrCode@gateway/tor-sasl/drcode] has joined #openvpn
19:08 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has quit [Ping timeout: 258 seconds]
19:24 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
19:36 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
19:39 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: Leaving]
20:15 -!- mazde [a4d71362@gateway/web/freenode/ip.164.215.19.98] has quit [Ping timeout: 246 seconds]
20:25 -!- teksimian [~chatzilla@216-58-84-54.cpe.distributel.net] has quit [Ping timeout: 258 seconds]
20:51 -!- Denial [~Denial@81.141.3.116] has joined #openvpn
20:51 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
20:54 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
20:58 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has quit [Read error: Connection reset by peer]
20:59 -!- pentanol [~Unknown@unaffiliated/pentanol] has quit [Quit: leaving]
21:00 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 256 seconds]
21:03 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
21:11 -!- ki7rw [~quassel@216.75.116.100] has quit [Remote host closed the connection]
21:13 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
21:43 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
21:43 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
21:46 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
21:56 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 245 seconds]
22:05 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 244 seconds]
22:18 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
22:18 -!- mode/#openvpn [+v RBecker] by ChanServ
22:39 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
22:40 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:49 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has quit [Quit: Leaving]
22:49 -!- jgeboski [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
22:53 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:36 -!- ShadniX [dagger@p5DDFC16C.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:37 -!- ShadniX [dagger@p5DDFE63F.dip0.t-ipconnect.de] has joined #openvpn
23:44 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
23:58 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 250 seconds]
--- Day changed Wed Dec 31 2014
00:15 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
00:15 -!- mode/#openvpn [+v RBecker] by ChanServ
00:41 -!- lattera [~lattera@73.173.99.185] has quit [Ping timeout: 240 seconds]
01:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Excess Flood]
01:43 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
01:48 -!- jrg [jrg@unaffiliated/jrg] has joined #openvpn
02:00 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has joined #openvpn
02:00 < svm_invictvs> With Windows7, I need to disable the firewall right?
02:05 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Ping timeout: 256 seconds]
02:07 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
02:26 < svm_invictvs> Why must OpenVPN drive me nuts ><
03:09 -!- swebb [~swebb@8.36.226.184] has quit [Ping timeout: 245 seconds]
03:16 -!- svm_invictvs [~svm_invic@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
03:20 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 250 seconds]
03:22 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
03:24 -!- swebb [~swebb@8.36.226.184] has joined #openvpn
03:34 -!- tekku [~me@185.17.149.149] has quit [Ping timeout: 245 seconds]
03:39 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
03:40 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
04:06 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 258 seconds]
04:17 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
04:42 -!- D-Boy [~D-Boy@unaffiliated/cain] has quit [Ping timeout: 272 seconds]
04:55 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:01 < julius_> hi
05:01 < julius_> could you guys take a look at this:; https://forums.openvpn.net/topic17849.html           its about using a client that got redirect-gateway active as router
05:01 <@vpnHelper> Title: OpenVPN Support Forum redirect-gateway client as router : Server Administration (at forums.openvpn.net)
05:37 -!- D-Boy [~D-Boy@unaffiliated/cain] has joined #openvpn
05:41 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
05:48 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
05:48 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has quit [Ping timeout: 272 seconds]
05:53 -!- Chais [~Chais@chello062178229110.15.15.vie.surfer.at] has joined #openvpn
06:09 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
06:09 < MrSavage> I'm having issues setting up openvpn on debian
06:09 < MrSavage> I followed this guide here https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-debian-6
06:09 <@vpnHelper> Title: How to Setup and Configure an OpenVPN Server on Debian 6 | DigitalOcean (at www.digitalocean.com)
06:09 < MrSavage> but I'm getting Starting virtual private network daemon: serverSIOCSIFADDR: No such device
06:09 < MrSavage> whenever i restart openvpn
06:18 < MrSavage> I only copied /usr/share/doc/openvpn/examples/sample-config-files/server.conf into my /etc/openvpn
06:42 < julius_>  MrSavage did you edit the file?
06:43 < MrSavage> julius_: i just uncommented the group and user and the log
06:43 < julius_> im no expert, but could you paste the config?
06:43 < julius_> on tny.cz for example
06:43 < MrSavage> sure
06:44  * julius_ this is my good dead for today
06:45 < MrSavage> julius_: http://sprunge.us/JijU
06:45 < MrSavage> i don't understand what ethernet bridging is
06:46 < julius_> you dont need that for a tun setup as far as i know
06:46 < julius_> i dont know about it, and my openvpn works
06:48 < julius_> how many times did you restart openvpn?
06:48 < MrSavage> loads
06:49 < julius_> ok
06:49 < MrSavage> this is my log file http://sprunge.us/eGYC
06:50 < julius_> ah, just googling for logging...one sec
06:50 < julius_> Note: Cannot open TUN/TAP dev /dev/net/tun:
06:51 < julius_> try: modprobe tun
06:52 < MrSavage> julius_: ERROR: could not insert 'tun': Unknown symbol in module, or unknown parameter (see dmesg)
06:52 < julius_> there you go
06:52 < MrSavage> so how do i fix that?
06:52 < julius_> fix that and youre fine
06:52 < MrSavage> how do i fix it? lol
06:52 < julius_> did you try a self build kernel?
06:52 < MrSavage> no
06:52 < MrSavage> hold on let me ask my provider's channel
06:52 < julius_> wait
06:53 < julius_> oh, this is a virtual machine you didnt install?
06:53 < MrSavage> i just picked their list of distros
06:53 < julius_> ah
06:53 < MrSavage> they don't let me customize the kernel, just what architecture
06:53 < julius_> most cheap vpn providers dont provide you with the tun module
06:54 < julius_> because of the kind of virtualization it doesnt work
06:55 < julius_> you have to google if your kind of virtualization does even support the tun device
06:56 < MrSavage> thanks for the help
06:56 < MrSavage> apparently i'm using a crappy old kernel
06:57 < MrSavage> what does modprobe do?
06:57 < julius_> it loads a module into the kernel
06:57 < MrSavage> ah
06:57 < julius_> code that you might need, but not always
06:57 < MrSavage> to be honest i'm thinking of changing VPNs because of this
06:57 < MrSavage> I mean VPSs
06:57 < julius_> i ran into the same problem
06:58 < julius_> if you were from germany i would suggest hetzner
06:58 < julius_> as a vps provider
06:59 < MrSavage> canada here :P
07:00 < julius_> hm, your whois says helsinki
07:00 < MrSavage> what?
07:00 < MrSavage> what do you mean?
07:00 < julius_> you can right click on your name and try "whois"
07:00 < julius_> its a irc think
07:00 < julius_> thing
07:00 < MrSavage> oh, that's because i requested a hostmask block
07:00 < MrSavage> so that might be the reason
07:01 < MrSavage> what is NL?
07:03 < julius_> Neatherlands
07:03 < julius_> holland
07:07 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has quit [Quit: leaving]
07:07 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn
07:18 < MrSavage> julius_: how would i decipher that? :S
07:18 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 258 seconds]
07:18 < MrSavage> also does openVPN work for games and other protocols beside HTTP?
07:27 < esde> yes
07:28 < esde> not sure why anyone would be under the impression that it would only work with one protocol
07:29 -!- arkie [~arkie@unaffiliated/arkie] has quit [Ping timeout: 240 seconds]
07:32 -!- arkie [~arkie@unaffiliated/arkie] has joined #openvpn
07:34 < MrSavage> Also is it possible to have only 1 client be able to use the VPN as a proxy to the web while other clients can only connect to eachother?
07:34 < MrSavage> @ esde
07:34 < esde> !goal
07:34 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:35 < MrSavage> I want 1 client to access the itnernet over the VPN, while other clients can connect to eachother
07:35 < MrSavage> so the 2nd being like hamachi
07:39 < esde> !clientlan
07:39 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
07:39 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
07:46 < MrSavage> esde: so is that possible?
07:46 < MrSavage> to have a clientlan and a proxy just for 1 client?
07:55 < MrSavage> esde: how do i setup the VPN so that my client can access the internet over the VPN?
07:55 < esde> !ipforward
07:55 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
07:56 < MrSavage> !linipforward
07:56 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
07:57 < MrSavage> I have no idea what i'm reading
07:57 < MrSavage> esde: can't you just use push "redirect-gateway def1"?
08:00 < esde> !basic
08:00 <@vpnHelper> "basic" is if you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
08:05 < MrSavage> it's only for me
08:05 < MrSavage> and everyone has to start from somewhere
08:06 < MrSavage> i'm not planning to understand routing just to get a simple setup working for openvpn
08:08 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
08:09 < esde> Then you're looking for help in the wrong place
08:09 < MrSavage> asking help for openvpn on #openvpn is the wrong place?
08:10 < esde> >i'm not planning to understand routing. In this case, yes.
08:10 < MrSavage> i am following your guides exactly
08:10 < MrSavage> so yes
08:11 < esde> I've got to get back to work, good luck!
08:13 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
08:25 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:27 < julius_> yes, i solved my openvpn crisis
08:27 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 265 seconds]
08:27 < julius_> read a true success story: https://forums.openvpn.net/post48033.html#p48033
08:27 <@vpnHelper> Title: OpenVPN Support Forum redirect-gateway client as router : Server Administration (at forums.openvpn.net)
08:27 -!- lfx [~lfx@self-aware.evilmachines.net] has quit [Ping timeout: 272 seconds]
08:41 -!- bruxC [~bruxC@66.63.84.178] has joined #openvpn
08:41 -!- bruxC [~bruxC@66.63.84.178] has quit [Read error: Connection reset by peer]
08:45 -!- DrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:47 -!- MrsSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 240 seconds]
08:49 <@krzee> julius_,
08:49 <@krzee> !iroute
08:49 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:49 <@krzee> are you routing a lan from the client to the vpn network?
08:50 -!- DrSavage is now known as MrSavage
08:51 <@krzee> someone just lost his doctorate
08:54 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 240 seconds]
08:55 -!- Novice201y [~lubuntu@aelk138.neoplus.adsl.tpnet.pl] has joined #openvpn
08:56 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
08:57 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
08:58 < Novice201y> Hi. I'm trying to establish basic tunel between Windows 8.1 and Ubuntu 14.10, but on both sides I receive "failed to obtain options consistency info from peer" - I allow VPN on Window's firewall (and even turned off for a moment) - the same effect.
09:00 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 245 seconds]
09:06 <@krzee> post logs with verb 5
09:06 -!- mattock_afk is now known as mattock
09:10 <+Dougy> yawn
09:10 <+Dougy> hi Matir_
09:10 <+Dougy> er mattock
09:10 <+Dougy> tab key rawr
09:10 < julius_> krzee, yes
09:10 < julius_> krzee, at leat one machine
09:11  * Dougy fires up the forums to go moderate things
09:11 <+Dougy> julius_ | read a true success story: https://forums.openvpn.net/post48033.html#p48033
09:11 <@vpnHelper> Title: OpenVPN Support Forum redirect-gateway client as router : Server Administration (at forums.openvpn.net)
09:11 <+Dougy> the forums! yay
09:11 -!- pdkl [~manjao-kd@unaffiliated/pdkl] has joined #openvpn
09:11 <+Dougy> makes me feel good
09:11 <@krzee> julius_, ok cool, then iroute is needed for those clients' ccd entries =]
09:11 < julius_> Dougy, well...i had so many questions...but that one works!
09:12 <+Dougy> hello krzee
09:12 < julius_> krzee, it looks like its working...gotta play around with iptables
09:12 <@krzee> julius_, years ago dougy helped found the forums, he likes seeing them used ;]
09:12 < julius_> how old are you guys?
09:12 <@krzee> Dougy, so much traffic on the forums now that we can no longer have vpnHelper monitor it
09:12 <+Dougy> julius_: 22
09:12 <+Dougy> krzee: i went in over the last few day and cleaned house in the moderation queue
09:12 <@krzee> been in here helping 7 to 8 years
09:13 <@krzee> (i assumed thats what you meant)
09:13 <+Dougy> krzee: i am planning to attempt to become regular around htere once again
09:13 <+Dougy> at least semi regular
09:13 < julius_> Dougy, nice...im 32
09:14 < julius_> forums are a good idea for openvpn
09:14 < julius_> most questions are kinda complex
09:14 <+Dougy> i was amazed one didnt exist
09:14 <+Dougy> so i started one in 2008 and got krzee and ecrist to come on board
09:14 <+Dougy> and they made it happen
09:15 < julius_> well, every bigger open source project got a forum nowadays
09:15 <@krzee> there was a time when this channel had like 10 people and no ops
09:15 <+Dougy> lol
09:15 < julius_> and google indexes very well...so its a nice thing
09:15 <+Dougy> krzee: who needs ops?
09:15 <@krzee> Dougy, channels with spam
09:15 <@krzee> (which we had, cause no ops)
09:16 < julius_> krzee, if you help about 8 years here...how old are you?
09:16 <+Dougy> krzee: thats true
09:16 <+Dougy> cant believe in over 6 years i dont even have 300 posts on my own forums
09:16 <+Dougy> "my own", sorry, needs quotes
09:16 <@krzee> julius_, not very far in age from you
09:16 <+Dougy> julius_: krzee is practically encrypted in aes-256
09:17 <+Dougy> julius_: took me years to find out even what part of the world he hails from
09:17 < julius_> hehe
09:17 < julius_> doesnt mattet , just curious
09:17 <+Dougy> he's an old fart though don't let him fool ya
09:17 <@krzee> been on irc since the early 90s
09:17 < julius_> can i ask a network related question that has nothing todo with openvpn?
09:17 <@krzee> before there was a freenode ;]
09:17 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
09:18 < julius_> cant believe there exists a time without freenode
09:18 <+Dougy> julius_: i probably won't be able to answer it even if the ops say it's ok
09:18 <@krzee> julius_, you can, but we may forward you to the proper channel
09:18 < julius_> its just a thought
09:18  * Dougy pets his +
09:18 <+Dougy> i feel special now
09:19 -!- mode/#openvpn [+v krzee] by krzee
09:19 -!- mode/#openvpn [-o krzee] by krzee
09:19 <+Dougy> why would you do that
09:19 <+Dougy> ops is great
09:19 <+Dougy> :P
09:20 <+Dougy> krzee: maybe we should make a different channel to have vpnhelper forum spam?
09:20 < julius_> let me upload a picture
09:20 <+krzee> i did, theres too much output for irc
09:20 <+Dougy> oh my god i nearly just soiled myself
09:20  * Dougy opens a window
09:20 <+krzee> hes still in #OpenVPN-forum
09:20 <+krzee> but no longer announcing
09:20 <+Dougy> ah
09:21 <+Dougy> wow this is ba
09:21 <+Dougy> d
09:21 <+Dougy> krzee: do you ever approve forum posts or no?
09:21 <+krzee> very very rarely now
09:21 <+Dougy> theres a few in the queue i dont know what to do with
09:21 <+Dougy> threads
09:21 <+krzee> since it stopped being linked to irc
09:22 <+krzee> just do what you can, others will get the other stuff ;]
09:23 <+Dougy> alright
09:24 < julius_> crap, uploading a simple picture takes ages
09:24 <+Dougy> ij ust dont know whether to approve them. cant tell if they are relevant or applicable
09:24  * Dougy rubs chin
09:25 <+Dougy> krzee: i am elated to see it has grown so much
09:25 <+Dougy> 17,400 members
09:25 <+Dougy> wow
09:25 <+Dougy> beautiful
09:27 < julius_> oh, im out of time. need to get ready
09:28 < julius_> have a good new year guys
09:28 <+Dougy> you too
09:28 <+Dougy> cheers
09:28 < julius_> how do you say "to get good into the new year" ?
09:28 <+krzee> you too, happy newyear
09:28 <+krzee> "happy newyear"
09:28 < julius_> ok, im not a native english speaker....
09:28 < julius_> my irc bouncer will keep you company ;)
09:29 <+krzee> espanol tampoco?
09:30 <+Dougy> se habla?
09:31 <+Dougy> i was just looking at the list o fpeople in here
09:31 <+Dougy>  and i saw the nick boypussy
09:31 <+Dougy> LOL
09:31 <+Dougy> i do not want to know where that comes from
09:33 < Novice201y> WrWrWrWrWrWrWrWrWWWW - from Ubuntu's side
09:34 <+krzee> just WWWW after?
09:34 <+krzee> or more r following?
09:35 -!- mode/#openvpn [+o Dougy] by ecrist
09:35 < Novice201y> 4
09:35 < Novice201y> WrWrWrWrWrWrWrWrWWWWWWWWWWWWWWWWWWWWWWWed Dec 31 16:34:43 2014 us=705508 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (0 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check
09:35 < Novice201y> WWWWW
09:37 <+krzee> !configs
09:37 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. or (#2) dont forget to include any ccd entries or (#3) on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
09:37 <+krzee> and show iptables-save from ubuntu
09:37 <+krzee> you said you disabled the windows firewall right?  it needs to be disabled on the tap device
09:38 -!- tihmstar [~tihmstar@ip-88-153-126-142.hsi04.unitymediagroup.de] has joined #openvpn
09:39 < tihmstar> !welcom
09:39 < tihmstar> hi
09:39 <+krzee> hey
09:39 <+krzee> !welcome
09:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:39 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:40 -!- pdkl [~manjao-kd@unaffiliated/pdkl] has quit [Quit: Konversation terminated!]
09:40 -!- trumee [~parul@2601:e:1580:799::c64] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:41 < tihmstar> i'm kinda new to vpn and i'd like to setup a connection to one of my servers through vpn.
09:41 < tihmstar> Basicall here's the setup:
09:41 < tihmstar> i have a server at home and openwrt on my router. i want to be able to access this one server through vpn insted of port forwarding from my iphone
09:41 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has quit [Ping timeout: 245 seconds]
09:41 <+krzee> !serverlan
09:41 < Novice201y> krzee: http://paste.ubuntu.com/9650985/ from tap
09:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
09:42 <@vpnHelper> http://pekster.sdf.org/misc/serverlan.png
09:42 < tihmstar> also i want to be able to redirect my iphone traffic though my vpn/home internet.
09:42 < tihmstar> how would i do that?
09:42 <+krzee> Novice201y, other side?
09:43 < tihmstar> i was able to setup once a basic vpn and could connect my phone to it, but neither could i access the server, nor my phone's traffic was routed through the vpn :/
09:43 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
09:44 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Remote host closed the connection]
09:45 < DArqueBishop> tihmstar: you may want to look at what krzee/vpnHelper just posted.
09:45 < Novice201y> krzee: http://paste.ubuntu.com/9651004
09:47 <+krzee> Novice201y, so you are making a layer2 ptp setup?
09:47 < tihmstar> thanks, i'm gonna setup the basic vpn again at first. gonna tell you guys if i have problems :)
09:47 <+krzee> Novice201y, is there a reason you are using tap?
09:48 < Novice201y> krzee: I just installed OpenVPN on Windows, that's all. I use tap because it's more versatile AFAIK
09:48 <+krzee> well tap is layer2
09:48 <+krzee> !tunortap
09:48 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
09:48 <@vpnHelper> rooted/jailbroken) support only tun
09:49 <+krzee> and try using ifconfig ptp style since you're running a ptp setup
09:49 <+krzee> ifconfig 10.3.0.1 10.3.0.2
09:49 <+krzee> ifconfig 10.3.0.2 10.3.0.1 on other side
09:51 < Novice201y> krzee: Checking...
09:54 < Novice201y> krzee: And "tun-mtu 1500" should be uncommented on server?
09:54 <+krzee> nah dont adjust that stuff unless you have a reason and know what it is
09:55 < Novice201y> krzee: Now Ubuntu says: "WWWWWWWWWWWWWWWWWWW"
09:55 <+krzee> sounds like a firewall issue
09:55 <+krzee> iptables-save in ubuntu
09:56 < Novice201y> krzee: I turned off fwall on Ubuntu machine.
09:56 <+krzee> cool, iptables-save in ubuntu
09:56 <+krzee> hah
09:56 <+krzee> and go make sure the tap adapter is disabled in your windows firewall
10:03 < Novice201y> krzee: I did iptables-save but no log has been saved in visited directory. No firewall runs on Windows machine.
10:04 <+krzee> iptables-save > firewall.txt
10:04 <+krzee> now you have firewall.txt in your current dir
10:05 <+krzee> Novice201y, note that your antivirus may filter the tap device as well
10:05 -!- parallelJ [sid49148@gateway/web/irccloud.com/x-izfkfeldbbknzods] has quit [Ping timeout: 272 seconds]
10:06 -!- ValdikSS [~valdikss@185.61.149.121] has quit [Quit: Konversation terminated!]
10:06 -!- jefferai [sid1300@kde/mitchell] has quit [Ping timeout: 272 seconds]
10:06 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 272 seconds]
10:07 -!- jefferai [sid1300@kde/mitchell] has joined #openvpn
10:07 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
10:10 < Novice201y> krzee: Maybe I should have mentioned that Ubuntu machine is connected to the internet by router?
10:11 <+krzee> nah
10:11 <+krzee> you should post the full logs though
10:11 <+krzee> need to know if they ever even connect
10:12 <+krzee> if they do, then its local firewall, theres many apps for windows that could be doing it
10:15 < Novice201y> krzee: Windows: http://www.paste.ubuntu.com/9651140
10:15 -!- tihmstar [~tihmstar@ip-88-153-126-142.hsi04.unitymediagroup.de] has quit [Read error: Connection reset by peer]
10:18 <+krzee> and other side...
10:18 <+krzee> i dont think you're getting a connection at all, check this stuff:
10:18 <+krzee> !timeout
10:18 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
10:19 <+krzee> (errors look different in statickey mode)
10:24 -!- tihmstar [~tihmstar@ip-88-153-126-142.hsi04.unitymediagroup.de] has joined #openvpn
10:28 -!- Novice201y [~lubuntu@aelk138.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 258 seconds]
10:32 < tihmstar> Thanks you guys, i got everything working. i guess that image was all i needed :D /cc krzee DArqueBishop
10:37 <+krzee> glad it helped =]
10:42 -!- tihmstar [~tihmstar@ip-88-153-126-142.hsi04.unitymediagroup.de] has quit [Read error: Connection reset by peer]
10:46 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn
10:48 -!- Novice201y [~lubuntu@bkk147.neoplus.adsl.tpnet.pl] has joined #openvpn
10:48 < Novice201y> krzee: I even turned off fwall on router - the same error exists.
10:49 <+krzee> check the NAT, sure you can reach the server at the right port?
10:49 <+krzee> the server is behind a nat i think you said...
10:49 -!- tihmstar [~tihmstar@ip-88-153-126-142.hsi04.unitymediagroup.de] has joined #openvpn
10:50 < Novice201y> Server is connected to Internet by usb-modem
10:50 < Novice201y> Server on Windows
10:50 < Novice201y> Client is a Ubuntu machine behind router
10:51 -!- tihmstar [~tihmstar@ip-88-153-126-142.hsi04.unitymediagroup.de] has left #openvpn []
10:56 -!- bruxC [~bruxC@c-76-118-3-138.hsd1.ma.comcast.net] has joined #openvpn
11:07 -!- mattock is now known as mattock_afk
11:14 < Novice201y> Hi. Ma ktoś doświadczenie z stawianiem klienta OpenVPN na Ubuntu?
11:14 < Novice201y> Sorry, wrong channel ;)
11:28 -!- Novice201y [~lubuntu@bkk147.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 258 seconds]
11:28 -!- marlinc [~marlinc@ip1.weert.li.nl.cvo-technologies.com] has joined #openvpn
12:05 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
12:08 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 258 seconds]
12:11 -!- julius_ [~julius_@p3EE283B4.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
12:13 -!- julius_ [~julius_@p3EE284E4.dip0.t-ipconnect.de] has joined #openvpn
12:28 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
12:42 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has quit [Ping timeout: 272 seconds]
12:44 -!- Y0sh1 [~Y0sh1@TiP01.theinternets.nl] has joined #openvpn
13:00 -!- Novice201y [~lubuntu@bkk147.neoplus.adsl.tpnet.pl] has joined #openvpn
13:01 < Novice201y> Hi. I run OpenVPN Access Server on VPS's Ubuntu 12.04 and want to limit TLS version that accessing /admin via https will try something higher that SSL3.
13:02 -!- havingFun [~quassel@unaffiliated/xrosnight] has joined #openvpn
13:03 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
13:04 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
13:04 < DArqueBishop> !AS
13:04 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
13:04 -!- havingFun is now known as xrosnight
13:04 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Client Quit]
13:05 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
13:05 -!- Novice201y [~lubuntu@bkk147.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 250 seconds]
13:23 -!- Novice201y [~lubuntu@afqc57.neoplus.adsl.tpnet.pl] has joined #openvpn
13:23 < Novice201y> Hi. I run OpenVPN Access Server on VPS's Ubuntu 12.04 and want to limit TLS version that accessing /admin via https will try something higher that SSL3.
13:28 -!- mistermajestic [~mistermaj@unaffiliated/mistermajestic] has quit [Ping timeout: 256 seconds]
13:28 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Quit: say wat]
13:28 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
13:30 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has quit [Client Quit]
13:30 -!- Anoniem4l [~Anoniem4l@unaffiliated/anoniem4l] has joined #openvpn
13:47 -!- Latrina [~Latrina@adsl-ull-112-243.45-151.net24.it] has quit [Ping timeout: 265 seconds]
13:50 -!- Latrina [~Latrina@ppp-111-3.26-151.libero.it] has joined #openvpn
13:54 < Eugene> !as
13:54 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
14:00 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 255 seconds]
14:04 < Novice201y> Eugene: Thanks
14:07 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
14:16 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 244 seconds]
14:18 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
14:25 -!- Novice201y [~lubuntu@afqc57.neoplus.adsl.tpnet.pl] has quit [Ping timeout: 265 seconds]
14:49 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Read error: Connection reset by peer]
14:51 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
15:00 < esde> !beer
15:00 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
15:03 < esde> this might be a less than quality question, but will openvpn ever be multi-threaded? (im not asking because I feel i need it or it's needed, just out of curiosity)
15:08 < DArqueBishop> I'm sorry, but that factoid reminded me of this commercial...
15:08 < DArqueBishop> https://www.youtube.com/watch?v=T5aE0sRhbKk
15:08 <@vpnHelper> Title: Shiner | Pairings - YouTube (at www.youtube.com)
15:22 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has joined #openvpn
15:24 -!- jackbrown [~se@93-44-68-248.ip96.fastwebnet.it] has quit [Client Quit]
16:06 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has quit [Ping timeout: 265 seconds]
16:11 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has joined #openvpn
16:28 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
16:28 -!- mode/#openvpn [+o mattock] by ChanServ
16:33 -!- APTX_ [~APTX@unaffiliated/aptx] has joined #openvpn
16:34 -!- jgeboski- [~jgeboski@unaffiliated/jgeboski] has joined #openvpn
16:34 -!- Netsplit *.net <-> *.split quits: jgeboski, trumee, troyt, kossy
16:34 -!- Netsplit *.net <-> *.split quits: @mattock_afk, +krzee, tapout, `Yoda, ExtraCarpety, problame, Eugene, DArqueBishop, AnonGirl, Neal_,  (+9 more, use /NETSPLIT to show all of them)
16:34 -!- APTX_ is now known as APTX
16:35 -!- Netsplit over, joins: liriel
16:35 -!- jgeboski- is now known as jgeboski
16:36 -!- j4jackj [janice@need.sleep.caffeinet.uk.to] has joined #openvpn
16:38 -!- shio [marmot@6.121.101.84.rev.sfr.net] has quit [Ping timeout: 250 seconds]
16:38 -!- j4jackj is now known as AnonGirl
16:46 -!- moparisthebest [~quassel@gateway/tor-sasl/moparisthebest] has quit [Ping timeout: 250 seconds]
16:48 -!- kenyon [kenyon@darwin.kenyonralph.com] has joined #openvpn
16:48 -!- moparisthebest [~quassel@unaffiliated/moparisthebest] has joined #openvpn
16:48 -!- sireebob [sireebob@unaffiliated/sireebob] has joined #openvpn
16:48 -!- Neal_ [neal@felix.ineal.me] has joined #openvpn
16:48 -!- problame [~problame@2a01:4f8:201:4108:3:5:0:1] has joined #openvpn
16:48 -!- shio [marmot@6.121.101.84.rev.sfr.net] has joined #openvpn
16:49 -!- lachesis [~lachesis@unaffiliated/lachesis] has joined #openvpn
16:49 -!- Gman32 [~Gman32@2607:2200:0:3400::5616:cdbc] has joined #openvpn
16:49 -!- trumee [~parul@2601:e:1580:799::c64] has joined #openvpn
16:49 -!- `Yoda [~Yoda@unaffiliated/itsyoda] has joined #openvpn
16:49 -!- troyt [~troyt@2601:7:6202:211:44dd:acff:fe85:9c8e] has joined #openvpn
16:50 -!- TonyL [~Tony@unaffiliated/darkg] has joined #openvpn
16:50 -!- DArqueBishop [~drkbish@2601:e:2480:7800:2e41:38ff:fe87:dd90] has joined #openvpn
16:52 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
16:52 -!- mode/#openvpn [+o krzee] by ChanServ
16:52 -!- Eugene [eugene@kashpureff.org] has joined #openvpn
16:52 -!- SushiDude [~SushiDude@unaffiliated/sushidude] has joined #openvpn
17:00 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
17:02 -!- samael [~earendil@multivac.valis-e.com] has quit [Ping timeout: 252 seconds]
17:10 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
17:26 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has quit [Ping timeout: 250 seconds]
17:41 -!- MrSavage [~MrSavage@unaffiliated/mrsavage] has joined #openvpn
18:10 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
18:18 -!- ub1quit33_ [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 256 seconds]
18:21 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has quit [Remote host closed the connection]
18:23 -!- atyoung [~darkwurm@gateway/tor-sasl/darkwurm] has joined #openvpn
18:29 -!- Denial [~Denial@81.141.3.116] has quit [Ping timeout: 244 seconds]
18:29 -!- Denial [~Denial@81.141.3.116] has joined #openvpn
18:33 -!- Orbixx_ [~orbixx@freenode/sponsor/orbixx] has joined #openvpn
18:35 -!- BtbN_ [btbn@btbn.de] has joined #openvpn
18:36 -!- Netsplit *.net <-> *.split quits: BtbN, Orbixx, Exagone313
18:36 -!- BtbN_ is now known as BtbN
18:47 -!- Netsplit over, joins: Exagone313
18:47 < MrSavage> Is there a way that you can connect to an openvpn server to have a lan with other clients but they use their own connection for accessing the internet?
18:49 < MrSavage> !clientlan
18:49 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
18:49 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
18:50 < MrSavage> http://ircpimps.org/clientlan.png this link is broken
18:51 < esde> hence the mirror
18:51 < Eugene> Yup, that's why there's two.
18:51 -!- aulait [~irenacob@li629-190.members.linode.com] has quit [Remote host closed the connection]
18:51 < MrSavage> Eugene: also is it possible to do what i want?
18:52 < Eugene> Sure
18:52 < Eugene> !route
18:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:52 <@vpnHelper> client
18:52 < Eugene> Just push routes to the LAN that you want to grant access to
18:52 < Eugene> !redirect
18:52 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
18:52 <@vpnHelper> http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
18:52 < Eugene> And don't do that(which 99% of "blog guides" tell you to do)
18:53 < Eugene> Because they assume that's what you want because they're idiots
18:53 < MrSavage> hahahah
18:53 < MrSavage> Eugene: also do you requirean account to use openvpn?
18:54 < MrSavage> I was looking at some youtube vids for windows
18:54 < Eugene> Noo?
18:54 < Eugene> !download
18:54 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
18:54 < Eugene> Make sure you're not confusing OpenVPN with the Access-Server product, which is based upon it(and funds the development thereof)
18:55 -!- aulait [~irenacob@li629-190.members.linode.com] has joined #openvpn
18:55 < MrSavage> ah
18:58 < MrSavage> Eugene: I also notice that my openvpn started automatically and ran my client.config, how does openvpn know what config file to run?
18:58 < MrSavage> does it remember from using openvpn --config?
18:58 < Eugene> Depends what OS you're using it on
18:58 < MrSavage> ubuntu
18:58 < Eugene> `service openvpn start` will auto-run an instance for each .conf it finds in /etc/openvpn/
18:59 < MrSavage> oh?
18:59 < MrSavage> interesting
18:59 < Eugene> Unless you mean the networkmanager thing, which will just fuck shit up constantly because it hates you
18:59 < MrSavage> huh?
18:59 < Eugene> The GUI dialog thingy
18:59 < MrSavage> never used it
18:59 < Eugene> Good. It sucks.
18:59 < MrSavage> lol
19:01 -!- sandfly [~debbie10t@unaffiliated/m10t] has joined #openvpn
19:01 < MrSavage> Eugene: also how would i test if openvpn is working properly for my clients if i'm hosting it on my desktop?
19:02 < MrSavage> and if i try to setup a client lan, would people have to type the 10.8.0.1 IP to connect or can they use my broadcasted IP?
19:02 < Eugene> What exactly do you mean by "my clients" ?
19:02 < Eugene> Generally your desktop /is/ the client
19:03 < Eugene> Are you trying to set up a virtual LAN(for gaming?) so your desktop can be accessed remotely?
19:03 < MrSavage> Eugene: I'm wanting to run openVPN on my desktop so other people can connect to my virtual LAN and then have better ping/latency
19:03 < MrSavage> kinda]
19:04 < Eugene> openvpn won't make anything about ping better by itself ;-)
19:04 < Eugene> That's up to the internet, to get the packets from A-->B
19:04 < MrSavage> Eugene: it will help with Risk of Rain due to crappy net code
19:04 < MrSavage> i believe
19:04 < Eugene> So, yes, this is a game thing
19:04 < MrSavage> yep
19:04 < Eugene> Cool
19:05 < Eugene> So, good news: you don't even need routing. Just a basic tunnel setup
19:05 < MrSavage> oh?
19:05 < Eugene> !subnet
19:05 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet or (#3) You may be looking for !toplogy
19:05 < Eugene> I am, thanks bot
19:05 < Eugene> !topology
19:05 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
19:06 < Eugene> With that set ^ you will get(in effect) a private LAN in the subnet you specify(10.8.0.0/24 being the default used by the documentation)
19:06 < Eugene> So your clients will appear as 10.8.0.2, 10.8.0.3, etc
19:07 < Eugene> There isn't anything built-in for name resolving, so you'll just use the IP addresses
19:07 < Eugene> (or set up WINS, if you really wnat to....)
19:07 < MrSavage> Eugene: but then they would have to type 10.8.0.1 to connect to me right?
19:07 < Eugene> Yup.
19:08 < MrSavage> Eugene: what if they typed my actual IP?
19:08 < Eugene> Your "What is my IP" public IP? THey'll get whatever is listening on that
19:08 < Eugene> I'm assuming you have a generic NAT router behind a DSL/Cable modem
19:08 -!- `Yoda is now known as Yoder
19:10 < MrSavage> yeah
19:10 < MrSavage> Eugene: what does that mean they'll get whatever is listening on that?
19:10 < MrSavage> does it mean it will route through the LAN and not outside it?
19:10 < Eugene> It's the same as if you didn't have openvpn involved at all
19:11 < MrSavage> Eugene: how can i make it so that openvpn will be used with the public IP?
19:11 < MrSavage> my clients are lazy and stupid so
19:11 < Eugene> You forward openvpn(UDP:1194) to your desktop
19:11 < Eugene> Clients conenct to that public IP:port with openvpn
19:11 < Eugene> Then they start the game and conenct to 10.8.0.1
19:13 < MrSavage> yeah they'll get confused about using 10.8.0.1 or my pubic IP
19:14 < Eugene> Get smarter clients ;-)
19:16 < MrSavage> if only
19:17 < MrSavage> Eugene: but don't you find these virtual lans help with lag sometimes or ping?
19:17 < MrSavage> due to how a game was made?
19:17  * Eugene shrugs
19:17 < Eugene> I don't game over mine :-p
19:19 < xTz> happy new year guys
19:19 < MrSavage> also if I use openVPN to connect like a proxy and access the internet over the host, will some hops be skipped?
19:19 < MrSavage> Happy new years
19:20 < MrSavage> still 10:20 here
19:20 < xTz> did anyone ever achieved generatin 8192kbit cert and how long did it take?
19:20 < MrSavage> err 8:20
19:20 < xTz> takes like more than a week now on Soekris net6501 with a 1ghz atom and OpenBSD and has been running for >24 hrs on a 3.4 ghz xeon and gentoo
19:20 < xTz> 8192bit*
19:22 < xTz> in comparison, 4kbit took 3 hrs on the soekris and 58 min. on the gentoo box
19:22 < xTz> talking about dhparam generation here
19:27 < Eugene> Don't do cert work on soekrises, heh
19:28 < Eugene> Realistically, you should mayyyybe using 8192 or 16384 for your CA. 4096 or even 2048 is fine for server.key+dh
19:28 < esde> mmmmm 16384
19:28 < Eugene> If you're truly paranoid(and even I'm not) you could push the limits to 64k ;-)
19:28 < Eugene> I don't know where openssl starts to vomit; all the cool kids are switching to ECDSA anyway.
19:29 < esde> is it advisable to generate all the PKI stuff on a more powerful machine and transfer it over?
19:31 < Eugene> That's how I do it with Soekrii, yup.
19:32 < esde> does openvpn support ecdsa?
19:33 < esde> ah "Today, OpenVPN does not support TLS-ECDHE-* or more exotic cipher-suites as there is no elliptic curve support currently."
19:35 < esde> and since my firewall is pfsense, i shouldn't expect to see support from them anytime soon :(
19:44 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
20:11 < Thermi> The time it takes to generate a certificate or private key is generally influenced by the amount of entropy that is available
20:12 < Thermi> Running an entropy gathering daemon like haveged greatly accelerates generating private keys and generally everything that requires large amounts of entropy.
20:34 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
20:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds]
20:40 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
20:40 -!- mode/#openvpn [+v RBecker] by ChanServ
20:49 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has joined #openvpn
21:18 -!- ub1quit33 [~quassel@cpe-23-243-158-241.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
21:46 -!- sandfly [~debbie10t@unaffiliated/m10t] has quit [Quit: Closing]
21:55 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection]
22:11 -!- Daniii [~Dani@expopremier.com] has joined #openvpn
22:12 < Daniii> !ovpnuke
22:12 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
22:13 < Daniii> !poodle
22:13 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
22:13 < Daniii> !hardening
22:13 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
22:13 < Daniii> anyone managed to patch openvpn to support AEAD ciphers ?
22:14 < esde> I'm trying to get 2.3.6 setup. I ran ./configure, make, and sudo make install. Then copied /etc/init.d/openvpn from a running 2.3.6 over and set permissions to 755 and ran sudo update-rc.d openvpn defaults. now when i run sudo service openvpn status, there is no output, it just returns to a new line. :(
22:14 < esde> if i run openvpn --version, it returns the correct version information
22:16 < esde> http://termbin.com/o799 is the init.d script im using
22:17 < esde> I'm used to seeing "OpenVPN is starting" or "OpenVPN is running" when i run start and status, respectively
22:18 < Daniii> try update-rc.d openvpn enable
22:19 < esde> thanks, I got this output http://pastebin.com/GSv3HFPB
22:19 < esde> looking for more info now
22:52 -!- RBecker [~RBecker@openvpn/user/RBecker] has quit [Ping timeout: 264 seconds]
22:56 -!- RBecker [~RBecker@openvpn/user/RBecker] has joined #openvpn
22:56 -!- mode/#openvpn [+v RBecker] by ChanServ
23:01 < esde> Happy new year!
23:10 < Daniii> happy winter solstice
23:17 -!- Daniii is now known as ColdFeet
23:28 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 250 seconds]
23:29 -!- almostworking [~almostwor@unaffiliated/almostworking] has joined #openvpn
23:36 -!- ShadniX [dagger@p5DDFE63F.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
23:37 -!- ShadniX [dagger@p579416B4.dip0.t-ipconnect.de] has joined #openvpn